Strict policy on FC6 and F7

Daniel J Walsh dwalsh at redhat.com
Fri Aug 10 15:16:12 UTC 2007


shintaro_fujiwara wrote:
> I think F7 strict policy is broken.
> Let's wait for a while until SELinux guys fix it.
> I decided to play with FC6 this time.
>
>
> On Wed, 2007-08-08 at 14:43 -0700, Hal wrote:
>> Authentication failed again:(
>> but meanwhile I have checked firefox on strict policy on FC7 and it does not work.
>>
>> --- shintaro_fujiwara <shin216 at xf7.so-net.ne.jp> wrote:
>>
>>> On Wed, 2007-08-08 at 13:32 -0700, Hal wrote:
>>>> Well
>>>> I managed to compile the module, but
>>>> it does not work for me.
>>>> Compiled, loaded, set enforcing and: "authentication failed" again.
>>>>
>>>> I do not know if I am stupid, but I cannot get along with this SELinux...
>>>> Does this module work for you guys????
>>>>
>>>> hal
>>>>
>>>> --- "Christopher J. PeBenito" <cpebenito at tresys.com> wrote:
>>>>
>>>>         
>>>>> On Wed, 2007-08-08 at 12:39 -0700, Hal wrote:
>>>>>           
>>>>>> I have tryed with
>>>>>> logging_send_audit_msgs(local_login_t)
>>>>>>
>>>>>> But still:
>>>>>> [root at localhost hal]# make -f /usr/share/selinux/devel/Makefile
>>>>>>             
>>> local.pp
>>>       
>>>>>> Compiling strict local module
>>>>>> /usr/bin/checkmodule:  loading policy configuration from tmp/local.tmp
>>>>>> local.te:9:ERROR 'unknown class capability used in rule' at token ';'
>>>>>>             
>>> on
>>>       
>>>>> line
>>>>>           
>>>>>> 81105:
>>>>>> #line 9
>>>>>>         allow local_login_t self:capability audit_write;
>>>>>>             
>>> Because we did not write
>>>
>>> class capability { audit_write };
>>>
>>> in the require brace.
>>>
>>> Write it and try again.
>>> Did you make it?
>>>
>>>
>>> As a matter of fact, I have another problem on strict policy.
>>> I ended up breaking F7 altogether eliminating libselinux with --nodeps.
>>> Now I'm trying to upgrade FC6 to F7.
>>> You can upgrade FC6 to F7, if you are tired of your process on F7.
>>> Do not stop trying strict policy. Never surrender.
>>> It's rewarding, and SELinux guys will guide you to the right place.
>>>
>>>
>>>>>> /usr/bin/checkmodule:  error(s) encountered while parsing configuration
>>>>>> make: *** [tmp/local.mod] Error 1
>>>>>>
>>>>>> I really have no idea what all this means.
>>>>>> There is no "allow" anywhere in local.te. If it is in these macros at the end...
>>>>>> Do I need to install the policy source and edit it?
>>>>> It is in the interface.  You need to change this:
>>>>>
>>>>>> module local 1.0;
>>>>>
>>>>> to this:
>>>>>
>>>>> policy_module(local,1.0)
>>>>>
>>>>> It will automatically require all of the kernel object classes.
>>>>>
>>>>> -- 
>>>>> Chris PeBenito
>>>>> Tresys Technology, LLC
>>>>> (410) 290-1411 x150
>>>>
>>>> --
>>>> fedora-selinux-list mailing list
>>>> fedora-selinux-list at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
I am not sure what is broken on Firefox on Strict policy as of Fedora 
7.  I have begun the merge of strict and targeted in rawhide Fedora Core 
8/Test1.  I have done some rewriting of the Mozilla/Firefox policy. 
There were several problems in the existing policy and several problems 
in the way the OS is designed.  Mainly these dealt with the use of the 
/tmp file system by gnome. 

I have rewritten the mozilla policy to use one of three booleans.

firefox no network access (r/only)
Firefox with network access (R/O on homedir)
Firefox with network access (r/w on homedir)

firefox currently transitions from the user domain to
userdomain_mozilla_t.  So for example

user_t -> user_mozilla_t.  But I am allowing firefox to r/w user_tmp_t
as well as user_mozilla_tmp_t.


This allows firefox to interact with X sockets, gdm_files, iceauth
files, ORBit files.  Trying to lock this down does not work.

So if you want to use a locked down firefox, I would recommend looking 
at Fedora 8 Test1, and setting up a xguest user. 

xguest users can only access the web via firefox and are totally locked 
down.
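Written out as an added example (not from the thread and not reference-policy code itself): the two forms of local.te discussed in the quoted exchange, the bare `module` header that must require the capability class explicitly, and the `policy_module` form that requires the kernel object classes for you. Only one of the two goes into local.te; the second form assumes the refpolicy development headers are installed, as the /usr/share/selinux/devel Makefile on the page implies.

```selinux
# --- local.te, form A: bare "module" header ---------------------------
# A bare module declaration requires nothing implicitly, so every type
# AND every object class/permission the rules touch must be listed in
# the require block. Leaving out "class capability { audit_write };" is
# exactly what makes checkmodule report
# "unknown class capability used in rule".
module local 1.0;

require {
    type local_login_t;
    class capability { audit_write };
}

allow local_login_t self:capability audit_write;

# --- local.te, form B: reference-policy "policy_module" macro ---------
# policy_module() expands to the module header plus a require block that
# already names all the kernel object classes, so only the types this
# module uses still have to be required. That also lets the refpolicy
# interface from the thread be called directly instead of spelling out
# the allow rule by hand.
policy_module(local, 1.0)

require {
    type local_login_t;
}

# Grants local_login_t the permissions refpolicy defines for sending
# audit messages, including the audit_write capability.
logging_send_audit_msgs(local_login_t)
```

Either form builds with `make -f /usr/share/selinux/devel/Makefile local.pp` as shown in the thread, and the resulting local.pp is loaded with `semodule -i local.pp`.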
