Add SELinux protection to Pure-FTPd

Daniel J Walsh dwalsh at redhat.com
Tue May 2 19:16:01 UTC 2006


Paul Howarth wrote:
> Aurelien Bompard wrote:
>> Stephen Smalley wrote:
>>> policy_module(pureftpd, 1.0) is preferred syntax going forward.
>>> If you use policy_module() macro, you'll get the kernel class and
>>> permission requires as part of it, so you won't need to explicitly
>>> specify them each time.
>>
>> Yay! Done that.
>>
>>> Does it truly need write access?  The library always tries to open rw
>>> first, then falls back to read-only if it cannot open rw, so even just
>>> reading utmp will show up in avc messages as a rw attempt. Try just
>>> allowing read, and dontaudit'ing the write permission.
>>
>> That's right, it only needs read access. I've added:
>> init_read_utmp(ftpd_t)
>> init_dontaudit_write_utmp(ftpd_t)
>> to the module (picked from the policy sources)
>>  
>>> Macros aka interfaces are preferred, as they preserve
>>> modularity/encapsulation and thus make your module more portable to
>>> other base policies.
>>
>> OK. I'll use sysnet_use_ldap to allow LDAP access then.
>>
>>> I don't think you want to put it in /usr/share/selinux/targeted (as 
>>> that
>>> could conflict in the future with the policy package), but I would
>>> suggest putting it under /usr/share/selinux/<packagename> or similar to
>>> keep all policy modules under that selinux tree, unless that also
>>> presents some kind of conflict problem?
>>
>> Looks good to me, except I've placed it
>> in /usr/share/selinux/packages/<packagename> to avoid the base and 
>> targeted
>> dirs being buried under a ton of packages dirs in the future.
>
> I've been trying to take this sort of approach with a package I'm 
> developing. Two issues concern me at the moment:
>
> 1. I build the policy module from te/fc/if files during the package's 
> "build" script. I get output like this:
>
> + /usr/bin/make -C SELinux -f /usr/share/selinux/devel/Makefile
> make: Entering directory 
> `/nis-home/phowarth/BUILD/BUILD/contagged-0.3/SELinux'
> Compiling targeted contagged module
> /usr/bin/checkmodule:  loading policy configuration from 
> tmp/contagged.tmp
> /usr/bin/checkmodule:  policy configuration loaded
> /usr/bin/checkmodule:  writing binary representation (version 5) to 
> tmp/contagged.mod
> Creating targeted contagged.pp policy package
> make: Leaving directory 
> `/nis-home/phowarth/BUILD/BUILD/contagged-0.3/SELinux'
>
> This suggests to me that the resulting contagged.pp module is specific 
> to the targeted policy (which I'm running on the host system), so it 
> would presumably not work with other policies. Is that right? So would 
> it be better to build and install the policy at package install time 
> rather than package build time? Or could there be separate modules for 
> each policy? If so, how would they be built?
You can probably build policy agnostic at this time.  Your gen_requires 
should suck in all of the required types and the code should pretty much 
work the same on strict/targeted or mls machines.  Problems could arise 
in the future and on certain machines the semodule will fail.  We do not 
intend to build specific loadable policy for different policy types at 
this time.  So when/if we ship an apache.pp file it should work on 
targeted, strict, mls ... policies.
>
> 2. A mock build fails, presumably because mock does not mount /selinux?
>
> + /usr/bin/make -C SELinux -f /usr/share/selinux/devel/Makefile
> cat: /selinux/mls: No such file or directory
> make: Entering directory `/builddir/build/BUILD/contagged-0.3/SELinux'
> /usr/share/selinux/devel/Makefile:14: 
> /usr/share/selinux/targeted/include/Makefile: No such file or directory
> make: *** No rule to make target 
> `/usr/share/selinux/targeted/include/Makefile'.  Stop.
> make: Leaving directory `/builddir/build/BUILD/contagged-0.3/SELinux'
> error: Bad exit status from /var/tmp/rpm-tmp.42152 (%build)
>
> This also suggests that install-time module building is needed, at 
> least for anything intending to go into Fedora Extras, where mock is 
> used for the buildsystem. I guess that would present a problem if the 
> admin of the system wanted to change to a different policy - the 
> module would have to be rebuilt somehow.
>
We build policy all of the time on machines without policy.  This is a 
bug in the Makefile, it should take a sensible default if /selinux/mnt 
does not exist.

Please bugzilla.
> Paul.
>
> -- 
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
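As an added illustration of the module shape discussed above (this is example policy written for this page, not code from the thread, from Aurelien's pureftpd module, or from the Pure-FTPd project), here is a minimal .te file that follows Stephen's three points: policy_module() instead of hand-written kernel requires, read-only utmp access with the write attempt dontaudit'ed, and the sysnet_use_ldap interface rather than raw rules against the LDAP port. It assumes that ftpd_t is supplied by the base policy's ftp module and is only pulled in via a require block; if the module defined its own domain type, that type would replace ftpd_t throughout.

```selinux
# pureftpd.te -- example policy module, not the project's own policy.
# policy_module() brings in the kernel classes/permissions (and the
# system_r role) so they need not be listed in a require block.
policy_module(pureftpd, 1.0)

# Assumption for this example: ftpd_t already exists in the base policy
# (ftp module). Only the type is required here; no classes/permissions.
require {
	type ftpd_t;
}

########################################
#
# Local policy additions for ftpd_t
#

# utmp: the library opens rw first and falls back to read-only, so
# allow read and silence the (harmless) write denial instead of
# granting write access.
init_read_utmp(ftpd_t)
init_dontaudit_write_utmp(ftpd_t)

# User lookups over LDAP (tcp connect to the ldap port, via the
# interface so the module stays portable across base policies).
sysnet_use_ldap(ftpd_t)

# Build and load (run from the directory holding pureftpd.te; a
# pureftpd.fc may sit beside it if file contexts are needed):
#   make -f /usr/share/selinux/devel/Makefile
#   semodule -i pureftpd.pp
#   semodule -l | grep pureftpd
```

The resulting pureftpd.pp can then be placed under /usr/share/selinux/packages/pureftpd/ as suggested above and loaded with semodule; before loading, checking `ausearch -m avc -ts recent` (or the avc lines in the audit log) after a test login is the quickest way to confirm that the dontaudit rule has actually silenced the utmp write attempt rather than masking a permission the daemon really needs.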
