Commit Graph

3204 Commits

Author SHA1 Message Date
Chris PeBenito 2998ef21c2 Module load request patch for insmod from Sven Vermeulen. 2011-02-09 08:57:12 -05:00
Sven Vermeulen 9fda512c7b Allow modprobe to request module load
The modprobe utility is sometimes used (for instance for ALSA) to request
the Linux kernel to load a module (through aliases) rather than explicitly
loading the module.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2011-02-09 08:54:13 -05:00
Chris PeBenito 137bcf3200 Changelog for tcsd. 2011-02-07 08:51:41 -05:00
Chris PeBenito 26276c2434 Rearrange rules in tcsd. 2011-02-07 08:51:35 -05:00
Chris PeBenito dd978f6080 Remove redundant shared lib access in tcsd. 2011-02-07 08:39:51 -05:00
Chris PeBenito 74e4a5d4c1 Whitespace fixes in tcsd. 2011-02-07 08:37:53 -05:00
Stephen Smalley 5319bbf1c3 Add TSS Core Services (TCS) daemon (tcsd) policy
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2011-02-07 08:36:43 -05:00
Chris PeBenito 5188b333ad Changelog for cron default contexts fix from Harry Ciao. 2011-02-01 10:43:16 -05:00
Harry Ciao c1b9938e96 Fix cron job process' domain during system booting up.
When SELinux user system_u starts crond during system booting up, its
cron job process should be in the system_cronjob_t domain, which has
the required entrypoint permission on system crontab files labeled as
system_cron_spool_t. Otherwise we can run into below error messages:

Jan 31 08:40:53 QtCao crond[535]: (system_u) Unauthorized SELinux context (/etc/crontab)
Jan 31 08:40:53 QtCao crond[535]: (system_u) Unauthorized SELinux context (/etc/cron.d/sysstat)

The weird thing is that the getdefaultcon command even can not fetch
"system_r:cronjob_t:s0" but "system_r:logrotate_t:s0" ! After fixing
default_contexts files the getdefaultcon command could properly fetch
"system_r:system_cronjob_t:s0" :

root@QtCao:/root> getdefaultcon system_u system_u:system_r:crond_t:s0
system_u:system_r:logrotate_t:s0
root@QtCao:/root>
root@QtCao:/root> grep crond_t /etc/selinux/refpolicy-mls/contexts/default_contexts
system_r:crond_t:s0		user_r:cronjob_t:s0 staff_r:cronjob_t:s0 sysadm_r:cronjob_t:s0 system_r:system_cronjob_t:s0 unconfined_r:unconfined_cronjob_t:s0
root@QtCao:/root>
root@QtCao:/root> getdefaultcon system_u system_u:system_r:crond_t:s0
system_u:system_r:system_cronjob_t:s0
root@QtCao:/root>

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
2011-02-01 10:41:43 -05:00
Chris PeBenito 7131cc7a20 Changelog for man page changes from Justin Mattock. 2011-02-01 09:12:27 -05:00
Justin P. Mattock dd74a2f442 policy/modules/system/lvm.te Typo change directores to directories, and also clean up a comment.
The below patch changes a typo "directores" to "directories", and also
fixes a comment to sound more proper.

Signed-off-by: Justin P. Mattock <justinmattock@gmail.com>
2011-02-01 09:09:26 -05:00
Justin P. Mattock 06893adecf man/man8 Change SElinux to SELinux.
The below patch, changes the workd SElinux to SELinux to match the rest
in the policy and outside.

Signed-off-by: Justin P. Mattock <justinmattock@gmail.com>
2011-02-01 09:09:20 -05:00
Chris PeBenito 756c96b541 Fix incorrect dependenices in init module interfaces (init_t as an attribute rather than type). 2011-01-31 14:08:11 -05:00
Chris PeBenito 640df09275 Add syslog capability. 2011-01-19 14:11:00 -05:00
Chris PeBenito 8d46bd3017 Module version bump and changelog for /dev/console login from Harry Ciao. 2011-01-14 14:41:15 -05:00
Chris PeBenito dedbfa4f97 Rename allow_console tunable to console_login. 2011-01-14 11:44:42 -05:00
Harry Ciao fc1ef4ac3b Enable login from /dev/console.
Add the support to login and use the system from /dev/console.

 1. Make gettty_t able to use the /dev/console;
 2. Make local_login_t able to relabel /dev/console to user tty types;
 3. Provide the type_change rule for relabeling /dev/console.

All above supports are controlled by the allow_console tunable.

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
2011-01-14 11:23:19 -05:00
Chris PeBenito 54e9d3ca75 Module version bump and changelog for KaiGai's database object classes patch. 2011-01-14 10:35:52 -05:00
Chris PeBenito 1f2b9082fd Add missing object class dependencies in postgresql. 2011-01-14 10:35:44 -05:00
Chris PeBenito c174d239d0 Move one block in postgresql. 2011-01-14 10:13:12 -05:00
KaiGai Kohei 82c32d5cf4 New database object classes
The attached patch adds a few database object classes, as follows:

* db_schema
------------
A schema object performs as a namespace in database; similar to
directories in filesystem.
It seems some of (but not all) database objects are stored within
a certain schema logically. We can qualify these objects using
schema name. For example, a table: "my_tbl" within a schema: "my_scm"
is identified by "my_scm.my_tbl". This table is completely different
from "your_scm.my_tbl" that it a table within a schema: "your_scm".
Its characteristics is similar to a directory in filesystem, so
it has similar permissions.
The 'search' controls to resolve object name within a schema.
The 'add_name' and 'remove_name' controls to add/remove an object
to/from a schema.
See also,
  http://developer.postgresql.org/pgdocs/postgres/sql-createschema.html

In the past discussion, a rubix folks concerned about no object
class definition for schema and catalog which is an upper level
namespace. Since I'm not certain whether we have a disadvantage
when 'db_schema' class is applied on catalog class, I don't add
this definition yet.

Default security context of 'db_table' and 'db_procedure' classes
get being computed using type_transition with 'db_schema' class,
instead of 'db_database' class. It reflects logical hierarchy of
database object more correctly.

* db_view
----------
A view object performs as a virtual table. We can run SELECT
statement on views, although it has no physical entities.
The definition of views are expanded in run-time, so it allows
us to describe complex queries with keeping readability.
This object class uniquely provides 'expand' permission that
controls whether user can expand this view, or not.
The default security context shall be computed by type transition
rule with a schema object that owning the view.

See also,
  http://developer.postgresql.org/pgdocs/postgres/sql-createview.html

* db_sequence
--------------
A sequence object is a sequential number generator.
This object class uniquely provides 'get_value', 'next_value' and
'set_value' permissions. The 'get_value' controls to reference the
sequence object. The 'next_value' controls to fetch and increment
the value of sequence object. The 'set_value' controls to set
an arbitrary value.
The default security context shall be computed by type transition
rule with a schema object that owning the sequence.

See also,
  http://developer.postgresql.org/pgdocs/postgres/sql-createsequence.html

* db_language
--------------
A language object is an installed engine to execute procedures.
PostgreSQL supports to define SQL procedures using regular script
languages; such as Perl, Tcl, not only SQL or binary modules.
In addition, v9.0 or later supports DO statement. It allows us to
execute a script statement on server side without defining a SQL
procedure. It requires to control whether user can execute DO
statement on this language, or not.
This object class uniquely provides 'implement' and 'execute'
permissions. The 'implement' controls whether a procedure can
be implemented with this language, or not. So, it takes security
context of the procedure as subject. The 'execute' controls to
execute code block using DO statement.
The default security context shall be computed by type transition
rule with a database object, because it is not owned by a certain
schema.

In the default policy, we provide two types: 'sepgsql_lang_t' and
'sepgsql_safe_lang_t' that allows unpriv users to execute DO
statement. The default is 'sepgsql_leng_t'.
We assume newly installed language may be harm, so DBA has to relabel
it explicitly, if he want user defined procedures using the language.

See also,
  http://developer.postgresql.org/pgdocs/postgres/sql-createlanguage.html
  http://developer.postgresql.org/pgdocs/postgres/sql-do.html

P.S)
I found a bug in MCS. It didn't constraint 'relabelfrom' permission
of 'db_procedure' class. IIRC, I fixed it before, but it might be
only MLS side. Sorry.

Thanks,
--
KaiGai Kohei <kaigai@ak.jp.nec.com>

 policy/flask/access_vectors           |   29 ++++++++
 policy/flask/security_classes         |    6 ++
 policy/mcs                            |   16 ++++-
 policy/mls                            |   58 ++++++++++++++-
 policy/modules/kernel/kernel.if       |    8 ++
 policy/modules/services/postgresql.if |  125 +++++++++++++++++++++++++++++++--
 policy/modules/services/postgresql.te |  116 +++++++++++++++++++++++++++++-
 7 files changed, 342 insertions(+), 16 deletions(-)
2011-01-14 10:02:50 -05:00
Chris PeBenito 4f6f347d4c Module version bump and changelog for hadoop ipsec patch from Paul Nuzzi. 2011-01-13 13:50:47 -05:00
Chris PeBenito 530ad6fc6a Whitespace fixes in corenetwork and ipsec. 2011-01-13 13:37:04 -05:00
Chris PeBenito 2810bc1455 Rearrange new hadoop/ipsec interfaces. 2011-01-13 13:09:25 -05:00
Chris PeBenito 371908d1c8 Rename new hadoop ipsec interfaces. 2011-01-13 12:56:12 -05:00
Paul Nuzzi 6237b7241b hadoop: labeled ipsec
On 01/05/2011 08:48 AM, Christopher J. PeBenito wrote:
> On 12/16/10 12:32, Paul Nuzzi wrote:
>> On 12/15/2010 03:54 PM, Christopher J. PeBenito wrote:
>>> On 12/10/10 18:22, Paul Nuzzi wrote:
>>>> Added labeled IPSec support to hadoop.  SELinux will be able to enforce what services are allowed to
>>>> connect to.  Labeled IPSec can enforce the range of services they can receive from.  This enforces
>>>> the architecture of Hadoop without having to modify any of the code.  This adds a level of
>>>> confidentiality, integrity, and authentication provided outside the software stack.
>>>
>>> A few things.
>>>
>>> The verb used in Reference Policy interfaces for peer recv is recvfrom
>>> (a holdover from previous labeled networking implementations).  So the
>>> interfaces are like hadoop_recvfrom_datanode().
>>
>> Easy change.
>>
>>> It seems like setkey should be able to setcontext any type used on ipsec
>>> associations.  I think the best thing would be to add additional support
>>> to either the ipsec or corenetwork modules (I haven't decided which one
>>> yet) for associations.  So, say we have an interface called
>>> ipsec_spd_type() which adds the parameter type to the attribute
>>> ipsec_spd_types.  Then we can have an allow setkey_t
>>> ipsec_spd_types:association setkey; rule and we don't have to update it
>>> every time more labeled network is added.
>>
>> That seems a lot less clunky than updating setkey every time we add a new association.
>>
>>> This is definitely wrong since its not a file:
>>> +files_type(hadoop_lan_t)
>>
>> Let me know how you would like to handle associations and I could update the
>> patch.
>
> Lets go with putting the associations in corenetwork.
>
>>  Will the files_type error be cleared up when we re-engineer this?
>
> I'm not sure what you mean.  The incorrect rule was added in your patch.
>

Adds labeled IPSec policy to hadoop to control the remote processes that are allowed to connect to the cloud's services.

Signed-off-by: Paul Nuzzi <pjnuzzi@tycho.ncsc.mil>
2011-01-13 08:22:32 -05:00
Chris PeBenito 17910a2a8c Module version bump and changelog for mount fixes from Harry Ciao. 2011-01-10 10:23:04 -05:00
Chris PeBenito a2307ca2b9 Move module request line in mount. 2011-01-10 10:22:05 -05:00
Harry Ciao 4d8e9ffcb3 Make mount_t able to request loading kernel module.
Make the mount domain able to request kernel to load a kernel module.
Otherwise the binfmt_misc kernel module won't be properly loaded
during system booting up.

type=1400 audit(1292850971.104:4): avc:  denied  { module_request } for  pid=87 comm="mount" kmod="devtmpfs" scontext=system_u:system_r:mount_t:s0-s15:c0.c1023 tcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=system

type=1400 audit(1292851024.844:13): avc:  denied  { module_request } for  pid=409 comm="mount" kmod="binfmt_misc" scontext=system_u:system_r:mount_t:s0-s15:c0.c1023 tcontext=system_u:system_r:kernel_t:s15:c0.c1023 tclass=system

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
2011-01-10 10:20:21 -05:00
Chris PeBenito decb7de030 Module version bump and changelog for semanage update from Harry Ciao. 2011-01-10 09:21:11 -05:00
Chris PeBenito 60a2ca249e Remove redundant semanage rule. 2011-01-10 09:20:39 -05:00
Harry Ciao f2b3338362 semanage_t able to read from user homedirs.
Make semanage_t able to read from user homedirs or /tmp. Otherwise it
would fail to upgrade a .pp installed in there with below error messages.

BTW, semanage_t should be able to upgrade existing pp no matter if the
MLS is enabled or not.

root@qemu-host:/root> semodule -u selinuxutil.pp
type=1400 audit(1288862875.298:60): avc:  denied  { search } for  pid=759 comm="semodule" name="root" dev=sda ino=81921 scontext=root:secadm_r:semanage_t:s0-s15:c0.c1023 tcontext=root:object_r:user_home_dir_t:s0-s15:c0.c1023 tclass=dir
semodule:  Failed on selinuxutil.pp!
root@qemu-host:/root> setenforce 0
type=1404 audit(1288862957.386:61): enforcing=0 old_enforcing=1 auid=4294967295 ses=4294967295
root@qemu-host:/root> semodule -u selinuxutil.pp
type=1400 audit(1288862959.494:62): avc:  denied  { search } for  pid=761 comm="semodule" name="root" dev=sda ino=81921 scontext=root:secadm_r:semanage_t:s0-s15:c0.c1023 tcontext=root:object_r:user_home_dir_t:s0-s15:c0.c1023 tclass=dir
type=1400 audit(1288862959.498:63): avc:  denied  { read } for  pid=761 comm="semodule" name="selinuxutil.pp" dev=sda ino=82505 scontext=root:secadm_r:semanage_t:s0-s15:c0.c1023 tcontext=root:object_r:user_home_t:s0 tclass=file
type=1400 audit(1288862959.503:64): avc:  denied  { open } for  pid=761 comm="semodule" name="selinuxutil.pp" dev=sda ino=82505 scontext=root:secadm_r:semanage_t:s0-s15:c0.c1023 tcontext=root:object_r:user_home_t:s0 tclass=file
type=1400 audit(1288862959.507:65): avc:  denied  { getattr } for  pid=761 comm="semodule" path="/root/selinuxutil.pp" dev=sda ino=82505 scontext=root:secadm_r:semanage_t:s0-s15:c0.c1023 tcontext=root:object_r:user_home_t:s0 tclass=file
type=1403 audit(1288863419.918:66): policy loaded auid=4294967295 ses=4294967295
root@qemu-host:/root>

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
2011-01-10 09:13:23 -05:00
Chris PeBenito 23083bb09e Module version bump and changelog for vlock patch from Harry Ciao. 2011-01-05 11:23:47 -05:00
Harry Ciao 3543bdda9f vlock_t only uses the relabeled terminal.
The login or ssh program will relabel a tty or pty device after users
log in, and the vlock domain would only need to use the relabeled tty
or pty device, rather than the whole ttynode or ptynode attribute.

Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
2011-01-05 11:22:42 -05:00
Chris PeBenito 1c2e52e43f Module version bump and changelog for hadoop CDH3 patchset. 2011-01-05 10:23:02 -05:00
Chris PeBenito 60ca2bd83b Rearrange some lines in hadoop. 2011-01-05 10:22:10 -05:00
Chris PeBenito a45657403b Whitespace fixes in hadoop. 2011-01-05 09:36:13 -05:00
Paul Nuzzi fcb67e8cef hadoop: update to CDH3
On 12/15/2010 03:17 PM, Christopher J. PeBenito wrote:
> On 12/13/10 10:39, Paul Nuzzi wrote:
>> On 12/11/2010 04:01 AM, Dominick Grift wrote:
>> On 12/11/2010 12:22 AM, Paul Nuzzi wrote:
>>
>> Does hadoop depend on kerberos? If no then kerberos_use should probably
>> be optional.
>>
>>
>>> The new version of hadoop added Kerberos for authentication.
>
> So, to be explicit, its an unconditional requirement?

Yes.  I think all future versions of hadoop will be kerberos enabled.

> It seems like there should be a hadoop_home_t that is
> userdom_user_home_content()

Updated.

Signed-off-by: Paul Nuzzi <pjnuzzi@tycho.ncsc.mil>
2011-01-05 09:35:40 -05:00
Chris PeBenito a98e3bb8bd Changelog entry for KaiGai's sepgsql_contexts patch. 2011-01-04 13:33:23 -05:00
KaiGai Kohei b98aba85d9 Add sepgsql_contexts into appconfig-*
The attached patch adds sepgsql_contexts file into appconfig-*
directory. This configuration is used to initial labeling on
installation time for each database objects.
We can easily look up an appropriate label using selabel_loopup(3)
APIs. The 'sepgsql_contexts' is default for SE-PostgreSQL.

Thanks,
--
KaiGai Kohei <kaigai@ak.jp.nec.com>
2011-01-04 13:27:40 -05:00
Chris PeBenito 7c4fbeba94 Fixes for samhain init_system_domain() usage. 2010-12-16 09:03:51 -05:00
Chris PeBenito 7a15ba8bae Whitespace fixes in init. 2010-12-15 14:50:28 -05:00
Chris PeBenito 0233fc5126 Rearrange distro blocks in init.fc 2010-12-15 14:48:43 -05:00
Chris Richards f40d6d4915 Fix OpenRC status dir labeling for Gentoo
Signed-off-by: Chris Richards <gizmo@giz-works.com>
2010-12-15 14:44:51 -05:00
Chris Richards 9951061f90 Fix OpenRC status dir labeling for Gentoo
Current policy sets /lib(32|64)?/rc/init.d to lib_t.  This causes
problems for DHCP among other things, as the initrc domain does not
have permissions to perform some operations.  Changing to
initrc_state_t (the labeling used for /var/lib/init.d by
the older baselayout-1) resolves some of these issues.

Signed-off-by: Chris Richards <gizmo@giz-works.com>
2010-12-15 14:44:40 -05:00
Chris PeBenito e50a2becc6 Fix samhain range transitions for MLS/MCS and a type transition conflict. 2010-12-15 14:06:58 -05:00
Chris PeBenito aae6881065 Add changelog entry for samhain. 2010-12-15 11:28:52 -05:00
Chris PeBenito 5d8270c9e4 Cleanup samhain.if.
* Rearrange rules in the template.
* Remove samhain_etc_t:dir perms since there are no such dirs.
* Add extra docs in samhain_domtrans().
* Include samhaind_t in admin interface process perms.
2010-12-15 11:25:57 -05:00
Chris PeBenito e579703142 Move samhain domain declarations into its template. 2010-12-15 11:13:18 -05:00
Chris PeBenito ff449b62d7 Reorder samhain call in userdomain. 2010-12-15 11:02:29 -05:00