Basic GUI on strict policy

Ken mantaray_1 at cox.net
Fri Dec 29 04:08:46 UTC 2006


List members -
I have recently been working on setting up a strict policy (using 
selinux-policy-2.4.6-1.fc6), and I thought I would make a post to share 
the module I made which allows logging in and entering the GUI.  The 
module includes four user-defined types, which I use to limit program 
access to my home directories, but which do not need to be included.  
Some rules would need to be adapted for use without three of the four 
user-defined types (which are for ".gnome", ".gnome2", and 
".gnome2_private" in the user's home directory).  I have not taken the 
time to translate the "allow" statements into calls to "access 
interfaces", but the module could be a starting point for someone 
working on developing a personalized strict policy for their system.  I 
had several problems with mls while working on the policy, and this is 
why the mls interfaces are included for "user_t" in the module.  I did 
not take the time to see exactly which statements were necessary, since 
I am not particularly interested in using mls anyway.  Without the 
additional types, the ".fc" file could be blank, and the ".if" file 
could simply contain a descriptive title such as: "## <summary>Rules 
added for GUI access</summary>".  I have included this module in the 
"apps" folder on my system.  To use the module, after placing the files 
in the "apps" folder, run "make conf" and "make load".
I want to make it clear that I do not work with SELinux policy 
professionally, and I am not an expert on policy creation or Linux 
security.  I may have included permissions that are not needed, and I 
may have omitted permissions that are needed.  I am making this post 
because I want to share what I came up with while working on a policy 
for my own system.  In short: It works for my system, and it took a bit 
of work for me to get to this point, so I want to share it. 
Developers -
 From my experience, I have a couple of comments I hope policy 
developers will find helpful:
First, a strict policy without mls enabled that would function 
essentially the same as the "strict-mls" option might be useful to some 
users.  I would have preferred to install "strict" rather than 
"strict-mls" but my system would not even boot with the non-mls version. 
I did not investigate this problem very carefully, but I found, for 
example, that there is no "netifcon lo ..." statement for "strict", 
while there is for "strict-mls".
Second, I found some of the permissions needed to successfully enter the 
GUI were difficult to determine (without sorting through lots of extra 
"denied" statements that resulted from disabling "dontaudit" 
statements).  Perhaps some time could be spent developing a policy 
somewhere between "strict" and "targeted" that allows more access and 
has fewer "dontaudit" statements written into the modules; or perhaps an 
optional module could be included with the "strict" policy that has been 
written by someone who knows exactly what is needed and what is not 
needed (rather than by someone like myself), and that allows basic 
access to the GUI.

-Ken-

*********************************
*********************************

# Loadable policy module "basic_use", version 1.0.
# NOTE(review): the allow rules in this module are raw statements rather than
# reference-policy interface calls, so each grant should be checked against
# the target policy version before the module is reused on another system.
policy_module(basic_use,1.0)
#########
#
# These rules are needed for basic operation using the strict policy.
#
# External dependencies: every class, permission, role and type listed in
# this block must already be defined by the base policy or another loaded
# module. Nothing in this block is created by this module.
require
{
# Object classes and the permissions that the allow rules refer to.
# NOTE(review): sys_tty_config is required on the capability class, but no
# allow rule in this module grants it.
 class capability { fowner setgid setuid sys_tty_config };
 class chr_file { getattr ioctl read write };
 class dbus send_msg;
 class dir { add_name getattr read remove_name search setattr write };
 class fd use;
 class fifo_file { getattr ioctl read write };
 class file { create execute execute_no_trans getattr read setattr 
unlink write };
 class filesystem { associate getattr };
 class netif { tcp_recv tcp_send };
# execheap, execmem and execstack are the executable-memory checks; the
# rules that grant them are further down in the module.
 class process { execheap execmem execstack getpgid getsched signal };
 class shm { associate create destroy getattr read unix_read unix_write 
write };
 class sock_file { create unlink write };
 class unix_stream_socket connectto;
#
# Roles. NOTE(review): no statement in this module refers to these roles.
 role object_r;
 role sysadm_r;
 role system_r;
 role user_r;
#
# Types owned by other modules: process domains, file labels and device
# labels used as source or target in the allow rules.
 type alsa_etc_rw_t;
 type apmd_t;
 type autofs_t;
 type bin_t;
 type binfmt_misc_fs_t;
 type boot_t;
 type cupsd_t;
 type cupsd_var_run_t;
 type default_t;
 type devpts_t;
 type etc_runtime_t;
 type fonts_t;
 type fs_t;
 type hostname_t;
 type ice_tmp_t;
 type initrc_t;
 type inotifyfs_t;
 type kernel_t;
 type lo_netif_t;
 type local_login_t;
 type lost_found_t;
 type lvm_control_t;
 type mono_exec_t;
 type net_conf_t;
 type nscd_var_run_t;
 type rpc_pipefs_t;
 type shell_exec_t;
 type sound_device_t;
 type sysadm_dbusd_t;
 type sysadm_gconf_tmp_t;
 type sysadm_gconfd_t;
 type sysadm_home_dir_t;
 type sysadm_home_t;
 type sysadm_t;
 type sysadm_tmp_t;
 type sysadm_tty_device_t;
 type sysadm_xauth_home_t;
 type sysadm_xserver_t;
 type sysadm_xserver_tmp_t;
 type sysctl_fs_t;
 type sysfs_t;
 type system_crond_t;
 type system_dbusd_t;
 type system_dbusd_var_run_t;
 type tmpfs_t;
 type usbfs_t;
 type user_dbusd_t;
 type user_gconf_tmp_t;
 type user_gconfd_t;
 type user_home_dir_t;
 type user_home_t;
 type user_t;
 type user_tmp_t;
 type user_tty_device_t;
 type user_xauth_home_t;
 type user_xserver_t;
 type user_xserver_tmp_t;
 type var_lib_nfs_t;
 type var_lib_t;
 type var_run_t;
 type var_t;
 type xdm_xserver_tmp_t;
}
#
# Types:
#
# Four types declared by this module itself. The file-context entries that
# would assign them to paths are not part of this listing.
# NOTE(review): the types are declared bare, with no attribute. Reference
# policy normally declares file types through an interface such as
# files_type so that generic file-type rules apply; confirm the bare
# declaration is intended.
# NOTE(review): file_transfer_t is declared but no rule in this module
# uses it.
type file_transfer_t;
type gnome_t;
type gnome2_private_t;
type gnome2_t;
#
# mls:
#
# Every call below applies an MLS interface to user_t, the ordinary user
# domain. Going by the interface names, the set covers reading up, writing
# down, upgrading and downgrading files, changing the process level,
# trusted-object status and all-levels access for sockets, SysV IPC, X
# objects and file descriptors.
# NOTE(review): taken together this appears to exempt user_t from most MLS
# constraints, so the MLS part of the policy would give little separation
# for this domain. Work out which calls are actually needed and drop the
# rest before relying on MLS.
mls_file_read_up(user_t)
mls_file_write_down(user_t)
mls_file_upgrade(user_t)
mls_file_downgrade(user_t)
mls_file_write_within_range(user_t)
mls_socket_read_all_levels(user_t)
mls_socket_read_to_clearance(user_t)
mls_socket_write_all_levels(user_t)
mls_net_receive_all_levels(user_t)
mls_sysvipc_read_all_levels(user_t)
mls_sysvipc_write_all_levels(user_t)
mls_rangetrans_source(user_t)
mls_rangetrans_target(user_t)
mls_process_read_up(user_t)
mls_process_write_down(user_t)
mls_process_set_level(user_t)
mls_xwin_read_all_levels(user_t)
mls_xwin_write_all_levels(user_t)
mls_colormap_read_all_levels(user_t)
mls_colormap_write_all_levels(user_t)
mls_trusted_object(user_t)
mls_fd_use_all_levels(user_t)
mls_fd_share_all_levels(user_t)
mls_context_translate_all_levels(user_t)
#
# Ability to login and enter the GUI:
#
# Rules for system domains (apmd_t, hostname_t, initrc_t) and the
# filesystem association for the module-local type gnome2_t.
allow apmd_t kernel_t:file read;
allow apmd_t user_tty_device_t:chr_file { getattr ioctl write };
# Lets objects labeled gnome2_t be stored on filesystems labeled fs_t.
allow gnome2_t fs_t:filesystem associate;
allow hostname_t nscd_var_run_t:dir search;
allow initrc_t lvm_control_t:chr_file write;
# NOTE(review): var_t is a generic label, so this lets initrc_t write and
# change attributes on any file that carries it. If the denial came from one
# mislabeled file, fixing the label would be narrower than this rule.
allow initrc_t var_t:file { setattr write };
# Rules with sysadm_dbusd_t as the source domain (presumably the D-Bus
# daemon run for the sysadm role; confirm against the base policy).
# Many of the getattr/search grants on mount-point style types look like
# the result of a filesystem scan; NOTE(review): those may be candidates for
# dontaudit rather than allow.
allow sysadm_dbusd_t autofs_t:dir getattr;
# execute_no_trans runs the program inside sysadm_dbusd_t itself, with no
# domain transition, so anything labeled bin_t keeps all grants listed here.
allow sysadm_dbusd_t bin_t:file { execute execute_no_trans };
allow sysadm_dbusd_t binfmt_misc_fs_t:dir getattr;
allow sysadm_dbusd_t boot_t:dir getattr;
allow sysadm_dbusd_t devpts_t:dir getattr;
allow sysadm_dbusd_t etc_runtime_t:file { getattr read };
allow sysadm_dbusd_t fonts_t:dir { getattr search };
allow sysadm_dbusd_t fonts_t:file { getattr read };
allow sysadm_dbusd_t fs_t:filesystem getattr;
allow sysadm_dbusd_t inotifyfs_t:dir getattr;
allow sysadm_dbusd_t local_login_t:fd use;
allow sysadm_dbusd_t rpc_pipefs_t:dir getattr;
# NOTE(review): setuid/setgid capabilities plus execmem/execstack below are
# security-sensitive grants; user_dbusd_t does not receive them in this
# module, so confirm they are required here.
allow sysadm_dbusd_t self:capability { setgid setuid };
allow sysadm_dbusd_t self:fifo_file { getattr ioctl read write };
allow sysadm_dbusd_t self:process { execmem execstack getsched };
allow sysadm_dbusd_t self:shm { create destroy read unix_read unix_write 
write };
allow sysadm_dbusd_t self:unix_stream_socket connectto;
# Shell execution without a domain transition, same caveat as bin_t above.
allow sysadm_dbusd_t shell_exec_t:file { execute execute_no_trans 
getattr read };
allow sysadm_dbusd_t sound_device_t:chr_file { ioctl read write };
allow sysadm_dbusd_t sysadm_gconf_tmp_t:file { getattr read };
allow sysadm_dbusd_t sysadm_gconfd_t:unix_stream_socket connectto;
allow sysadm_dbusd_t sysadm_home_dir_t:dir { getattr read search };
allow sysadm_dbusd_t sysadm_home_t:dir { getattr read search };
# Read and write access to files labeled sysadm_home_t.
allow sysadm_dbusd_t sysadm_home_t:file { getattr read write };
allow sysadm_dbusd_t sysadm_t:dbus send_msg;
allow sysadm_dbusd_t sysadm_tmp_t:dir { add_name getattr remove_name 
search setattr write };
allow sysadm_dbusd_t sysadm_tmp_t:sock_file { create write unlink };
allow sysadm_dbusd_t sysadm_tty_device_t:chr_file { read write };
allow sysadm_dbusd_t sysadm_xauth_home_t:file { getattr read };
allow sysadm_dbusd_t sysadm_xserver_t:unix_stream_socket connectto;
allow sysadm_dbusd_t sysadm_xserver_tmp_t:dir search;
allow sysadm_dbusd_t sysadm_xserver_tmp_t:sock_file write;
allow sysadm_dbusd_t sysctl_fs_t:dir search;
allow sysadm_dbusd_t sysfs_t:dir getattr;
allow sysadm_dbusd_t system_dbusd_t:dbus send_msg;
allow sysadm_dbusd_t system_dbusd_t:unix_stream_socket connectto;
allow sysadm_dbusd_t system_dbusd_var_run_t:dir search;
allow sysadm_dbusd_t system_dbusd_var_run_t:sock_file write;
allow sysadm_dbusd_t tmpfs_t:dir getattr;
allow sysadm_dbusd_t tmpfs_t:file { read write };
allow sysadm_dbusd_t usbfs_t:dir getattr;
# These two rules cross from the sysadm-prefixed domain to the
# user-prefixed X server socket type.
allow sysadm_dbusd_t user_xserver_tmp_t:dir search;
allow sysadm_dbusd_t user_xserver_tmp_t:sock_file write;
allow sysadm_dbusd_t var_lib_nfs_t:dir search;
allow sysadm_dbusd_t var_lib_t:dir search;
allow sysadm_dbusd_t var_t:file { getattr read };
# Rules with sysadm_gconfd_t as the source domain: use of descriptors
# inherited from local_login_t, a stream connection to sysadm_dbusd_t, and
# read/write on the sysadm tty device type.
allow sysadm_gconfd_t local_login_t:fd use;
allow sysadm_gconfd_t sysadm_dbusd_t:unix_stream_socket connectto;
allow sysadm_gconfd_t sysadm_tty_device_t:chr_file { read write };
# Rules with sysadm_t as the source domain.
allow sysadm_t cupsd_t:unix_stream_socket connectto;
# NOTE(review): default_t is the label given to files that match no
# file-context entry, so this permits executing content that was never
# deliberately labeled. Labeling the specific program would be narrower.
allow sysadm_t default_t:file execute;
allow sysadm_t lost_found_t:dir { read write };
allow sysadm_t mono_exec_t:file { execute execute_no_trans };
# execmem and execstack switch off the executable-memory checks for every
# process running in sysadm_t, not only the program that triggered the denial.
allow sysadm_t self:process { execmem execstack };
# Rules with sysadm_xserver_t as the source domain.
# Executable anonymous memory and executable stack for the domain.
allow sysadm_xserver_t self:process { execmem execstack };
# Shared-memory and descriptor sharing with sysadm_dbusd_t.
allow sysadm_xserver_t sysadm_dbusd_t:fd use;
allow sysadm_xserver_t sysadm_dbusd_t:shm { associate getattr read 
unix_read unix_write write };
allow sysadm_xserver_t sysadm_home_t:dir search;
allow sysadm_xserver_t sysadm_home_t:file { getattr read };
allow sysadm_xserver_t sysadm_t:process getpgid;
allow sysadm_xserver_t tmpfs_t:file { read write };
# NOTE(review): the sysadm-prefixed X server domain may create and remove
# socket files under the user-prefixed type user_xserver_tmp_t. The mirror
# rule for user_xserver_t on sysadm_xserver_tmp_t also exists in this
# module, so the two roles share socket directories; confirm that this
# cross-role access is wanted.
allow sysadm_xserver_t user_xserver_tmp_t:dir { add_name getattr 
remove_name search write };
allow sysadm_xserver_t user_xserver_tmp_t:sock_file { create unlink };
# Lets system_crond_t create, write and remove files directly under the
# generic var_run_t label.
# NOTE(review): a dedicated type for the file being written would keep this
# domain from touching other files labeled var_run_t.
allow system_crond_t var_run_t:dir { add_name remove_name write };
allow system_crond_t var_run_t:file { create unlink write };
# Rules with user_dbusd_t as the source domain (presumably the D-Bus daemon
# run for the user role; confirm against the base policy). The set largely
# mirrors the sysadm_dbusd_t rules, without the capability, execmem and
# execstack grants.
allow user_dbusd_t autofs_t:dir getattr;
# execute_no_trans runs the program inside user_dbusd_t itself, with no
# domain transition.
allow user_dbusd_t bin_t:file { execute execute_no_trans };
allow user_dbusd_t binfmt_misc_fs_t:dir getattr;
allow user_dbusd_t boot_t:dir getattr;
allow user_dbusd_t devpts_t:dir getattr;
allow user_dbusd_t etc_runtime_t:file { getattr read };
allow user_dbusd_t fonts_t:dir { getattr search };
allow user_dbusd_t fonts_t:file { getattr read };
allow user_dbusd_t fs_t:filesystem getattr;
# Access to the module-local gnome2 types: getattr only on the private
# directory type, read and write on gnome2_t files.
allow user_dbusd_t gnome2_private_t:dir getattr;
allow user_dbusd_t gnome2_t:dir { getattr read search };
allow user_dbusd_t gnome2_t:file { getattr read write };
allow user_dbusd_t inotifyfs_t:dir getattr;
allow user_dbusd_t local_login_t:fd use;
allow user_dbusd_t rpc_pipefs_t:dir getattr;
allow user_dbusd_t self:fifo_file { getattr ioctl read write };
allow user_dbusd_t self:process getsched;
allow user_dbusd_t self:shm { create destroy read unix_read unix_write 
write };
allow user_dbusd_t self:unix_stream_socket connectto;
# Shell execution without a domain transition.
allow user_dbusd_t shell_exec_t:file { execute execute_no_trans getattr 
read };
allow user_dbusd_t sound_device_t:chr_file { ioctl read write };
# NOTE(review): these two rules let the user-prefixed domain write to
# socket files of the sysadm-prefixed X server type; confirm the cross-role
# access is wanted.
allow user_dbusd_t sysadm_xserver_tmp_t:dir search;
allow user_dbusd_t sysadm_xserver_tmp_t:sock_file write;
allow user_dbusd_t sysctl_fs_t:dir search;
allow user_dbusd_t sysfs_t:dir getattr;
allow user_dbusd_t system_dbusd_t:dbus send_msg;
allow user_dbusd_t system_dbusd_t:unix_stream_socket connectto;
allow user_dbusd_t system_dbusd_var_run_t:dir search;
allow user_dbusd_t system_dbusd_var_run_t:sock_file write;
allow user_dbusd_t tmpfs_t:dir getattr;
allow user_dbusd_t tmpfs_t:file { read write };
allow user_dbusd_t usbfs_t:dir getattr;
allow user_dbusd_t user_gconf_tmp_t:dir { getattr search };
allow user_dbusd_t user_gconf_tmp_t:file { getattr read };
allow user_dbusd_t user_gconfd_t:unix_stream_socket connectto;
allow user_dbusd_t user_home_dir_t:dir { getattr read search };
allow user_dbusd_t user_home_t:dir { read search };
allow user_dbusd_t user_home_t:file { getattr read };
allow user_dbusd_t user_t:dbus send_msg;
allow user_dbusd_t user_tmp_t:dir { add_name getattr remove_name search 
setattr write };
allow user_dbusd_t user_tmp_t:sock_file { create unlink write };
allow user_dbusd_t user_tty_device_t:chr_file { read write };
allow user_dbusd_t user_xauth_home_t:file { getattr read };
allow user_dbusd_t user_xserver_t:unix_stream_socket connectto;
allow user_dbusd_t user_xserver_tmp_t:dir search;
allow user_dbusd_t user_xserver_tmp_t:sock_file write;
allow user_dbusd_t var_lib_nfs_t:dir search;
allow user_dbusd_t var_lib_t:dir search;
allow user_dbusd_t var_t:file { getattr read };
# Rules with user_gconfd_t as the source domain: use of descriptors
# inherited from local_login_t, a stream connection to user_dbusd_t, and
# read/write on the user tty device type.
allow user_gconfd_t local_login_t:fd use;
allow user_gconfd_t user_dbusd_t:unix_stream_socket connectto;
allow user_gconfd_t user_tty_device_t:chr_file { read write };
# Rules with user_t, the ordinary user domain, as the source.
allow user_t alsa_etc_rw_t:file read;
allow user_t cupsd_t:unix_stream_socket connectto;
allow user_t cupsd_var_run_t:sock_file write;
# Access to the module-local gnome types. gnome2_private_t is limited to
# getattr on the directory, so its contents stay closed to user_t under
# these rules.
allow user_t gnome_t:dir { getattr search };
allow user_t gnome_t:file { getattr read write };
allow user_t gnome2_private_t:dir getattr;
allow user_t gnome2_t:dir { add_name getattr read remove_name search 
write };
allow user_t gnome2_t:file { create getattr read unlink };
allow user_t ice_tmp_t:dir { add_name getattr remove_name search write };
allow user_t ice_tmp_t:sock_file { create unlink write };
allow user_t net_conf_t:file read;
# NOTE(review): execheap, execmem and execstack together switch off all
# three executable-memory checks for every process in user_t. That removes a
# memory-protection layer from the whole user session; identify the program
# that needs it and confine the grant to that program if possible.
allow user_t self:process { execheap execmem execstack };
# Write access from user_t to socket files of the sysadm-prefixed X server
# type; NOTE(review): confirm the cross-role access is wanted.
allow user_t sysadm_xserver_tmp_t:sock_file write;
allow user_t sysctl_fs_t:file read;
allow user_t user_gconfd_t:process signal;
allow user_t user_gconf_tmp_t:dir { getattr search };
allow user_t user_gconf_tmp_t:file { getattr read };
# user_xserver_t is a process domain; dir and file objects with that label
# are presumably the /proc entries of the X server process.
allow user_t user_xserver_t:dir { getattr search };
allow user_t user_xserver_t:file read;
# Rules with user_xserver_t as the source domain.
allow user_xserver_t gnome2_t:dir search;
allow user_xserver_t gnome2_t:file { getattr read };
# TCP send and receive on the interface type lo_netif_t.
allow user_xserver_t lo_netif_t:netif { tcp_recv tcp_send };
# NOTE(review): fowner lets the domain bypass file-ownership checks where
# DAC would otherwise require the caller to own the file; confirm that it
# is needed.
allow user_xserver_t self:capability fowner;
# Executable anonymous memory and executable stack for the domain.
allow user_xserver_t self:process { execmem execstack };
# NOTE(review): the user-prefixed X server domain may create and remove
# socket files under the sysadm-prefixed type sysadm_xserver_tmp_t; confirm
# that this cross-role access is wanted.
allow user_xserver_t sysadm_xserver_tmp_t:dir { add_name getattr 
remove_name search write };
allow user_xserver_t sysadm_xserver_tmp_t:sock_file { create unlink };
allow user_xserver_t tmpfs_t:file { read write };
# Shared-memory and descriptor sharing with user_dbusd_t.
allow user_xserver_t user_dbusd_t:fd use;
allow user_xserver_t user_dbusd_t:shm { associate getattr read unix_read 
unix_write write };
allow user_xserver_t user_t:process getpgid;
allow user_xserver_t xdm_xserver_tmp_t:file read;
# End




