[redhat-lspp] LSPP kickstart config v0.18 released

Daniel J Walsh dwalsh at redhat.com
Mon Feb 12 16:53:49 UTC 2007


Linda Knippers wrote:
> Hi Klaus,
>
> I see that this version of the ks rpm still has a lot of stuff in the
> lspp policy module (attached for those not using the rpm).  Some of
> the policy changes reference bugzillas but not all of them.
>
> Has Dan pulled these changes into the mls policy?
>
> -- ljk
>   
> ------------------------------------------------------------------------
>
> ## Customized SELinux policy for LSPP evaluated configuration
>
> policy_module(lspp_policy,1.0)
>
> #############################################################################
> ### Additional audit
> #############################################################################
>
> gen_require(`
> 	attribute domain;
> ')
>
> # Audit setting of security relevant process attributes
> # These settings are OPTIONAL
> auditallow domain self:process setcurrent;
> auditallow domain self:process setexec;
> auditallow domain self:process setfscreate;
> #auditallow domain self:process setsocketcreate; # FIXME
> #auditallow domain self:process setipccreate; # FIXME
>
>   
This is specific to LSPP so it should be kept.
> # bug workaround: vsftpd can't write to tallylog which breaks non-anon login.
> # 
> # Fix proposed to RH 2006-12-18:
> # https://enterprise.redhat.com/issue-tracker/?module=issues&action=view&tid=107824
> # https://bugzilla.linux.ibm.com/show_bug.cgi?id=29661
> gen_require(`
>         type ftpd_t;
> ')
> auth_rw_faillog(ftpd_t)
>   
auth_append_faillog is in the current policy; does it need auth_rw_faillog?

> # for following, see:
> #
> # https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=220487
>
> ### sshd ##################################################
>
> gen_require(`
> 	type sshd_t, unlabeled_t, staff_ssh_t, user_ssh_t, port_t;
> ')
> kernel_tcp_recvfrom_unlabeled(sshd_t)
> kernel_tcp_recvfrom_unlabeled(staff_ssh_t)
> kernel_tcp_recvfrom_unlabeled(user_ssh_t)
> allow staff_ssh_t port_t:tcp_socket name_connect;
> allow user_ssh_t port_t:tcp_socket name_connect;
>
>   
Not sure how we should handle this.
> ### xinetd ################################################
>
> gen_require(`
> 	type inetd_t, bin_t, proc_t;
> 	type sshd_exec_t, sshd_t;
> ')
>
> # xinetd needs MLS override privileges to work
> mls_fd_use_all_levels(inetd_t)
> mls_fd_share_all_levels(inetd_t)
> mls_socket_read_to_clearance(inetd_t)
> mls_process_set_level(inetd_t)
>
>   
These are in the current policy and should be removed.

> # miscellaneous xinetd fixes
> allow inetd_t self:fd use;
> allow inetd_t proc_t:file read;
> kernel_read_system_state(inetd_t)
> selinux_validate_context(inetd_t)
> selinux_compute_create_context(inetd_t)
> kernel_tcp_recvfrom_unlabeled(inetd_t)
> allow inetd_t self:process { noatsecure rlimitinh setexec siginh transition };
>
>   
These are in the current policy and should be removed.
> ### xinetd running sshd ###################################
>
> # allow xinetd to transition to sshd_t via sshd_exec_t
> allow inetd_t bin_t:file { entrypoint execute getattr read };
> allow inetd_t sshd_exec_t:file { entrypoint execute getattr read };
> type_transition inetd_t sshd_exec_t : process sshd_t;
> domain_trans(inetd_t, sshd_exec_t, sshd_t)
>
> # various interactions
> allow sshd_t inetd_t:fd use;
> allow sshd_t inetd_t:process sigchld;
> allow sshd_t inetd_t:tcp_socket { getattr getopt ioctl read setopt write };
>
>   
Should be in current policy.
> ------------------------------------------------------------------------
>
> --
> redhat-lspp mailing list
> redhat-lspp at redhat.com
> https://www.redhat.com/mailman/listinfo/redhat-lspp
>   
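The recurring question in this reply, whether a rule in the custom lspp_policy module is already granted by the current MLS policy, can be checked mechanically. The script below is an added example, not code from the post or from the LSPP kickstart package: it parses the plain `allow` rules out of the module text, builds the matching setools `sesearch` query (setools assumed installed for a live run), and compares the module's permissions against the permissions `sesearch` reports. Interface calls such as `auth_rw_faillog(ftpd_t)` are m4 macros and are not expanded here.

```python
import re
from dataclasses import dataclass

# Matches a TE allow rule in a .te file or in sesearch output
# (both the "proc_t:file" and the "proc_t : file" spellings).
ALLOW_RE = re.compile(r"^\s*allow\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s+(\{[^}]*\}|\S+)\s*;")

@dataclass(frozen=True)
class AllowRule:
    source: str
    target: str
    tclass: str
    perms: frozenset

def parse_allow_rules(policy_text):
    """Extract plain allow rules; interface calls (m4 macros) are skipped."""
    rules = []
    for line in policy_text.splitlines():
        m = ALLOW_RE.match(line.split("#", 1)[0])  # drop trailing comments
        if m:
            src, tgt, cls, perms = m.groups()
            rules.append(AllowRule(src, tgt, cls, frozenset(perms.strip("{} ").split())))
    return rules

def sesearch_command(rule):
    """Query (setools sesearch, assumed installed) for what the loaded policy grants."""
    target = rule.source if rule.target == "self" else rule.target
    return ["sesearch", "--allow", "-s", rule.source, "-t", target, "-c", rule.tclass]

def granted_perms(rule, sesearch_output):
    """Permissions of `rule` that the sesearch output shows are already granted."""
    granted = set()
    for line in sesearch_output.splitlines():
        m = ALLOW_RE.match(line)
        if m and m.group(3) == rule.tclass:
            granted |= set(m.group(4).strip("{} ").split())
    return rule.perms & granted

def is_redundant(rule, sesearch_output):
    """True when every permission of the local rule is already in the base policy."""
    return rule.perms <= granted_perms(rule, sesearch_output)

# Constructed sample: three rules copied from the posted module, plus a
# constructed (not captured) sesearch answer for the proc_t:file rule.
SAMPLE_MODULE = """\
allow inetd_t self:fd use;
allow inetd_t proc_t:file read;
kernel_read_system_state(inetd_t)
allow inetd_t self:process { noatsecure rlimitinh setexec siginh transition };
"""
SAMPLE_SESEARCH = """\
Found 1 semantic av rules:
   allow inetd_t proc_t : file { ioctl read getattr lock } ;
"""
```

On a real system, run `sesearch_command(rule)` with `subprocess.run(..., capture_output=True, text=True)` and feed its stdout to `is_redundant`; rules that come back redundant are the ones to drop from the module.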