Systems that use LDAPS (LDAP over SSL/TLS) for their sysnet_* activities
currently fail since these domains do not allow proper access to the random
devices (needed for SSL/TLS). This patch adds this privilege to
sysnet_use_ldap.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
The courier-imapd daemon is part of the courier package (and already supported
by the courier module in refpolicy), but uses a different location for its
configuration files (/etc/courier-imap) and persistent data
(/var/lib/courier-imap).
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
This small patch updates the dhcpc_t (DHCP client domain) to allow updating the
kernel's routing tables (as that is a primary purpose of a DHCP client) as well
as interact with the kernel through the net_sysctls.
Also, one client (dhcpcd) uses /var/run/dhcpcd so add that in the file context
definition as well.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Many XFCE4 helper applications are located in /usr/lib locations. This patch
marks those helpers as bin_t.
Recursively marking the directories bin_t does not work properly as these
locations also contain actual libraries.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Without the getattr privilege on the mountpoint directories, the checkdisk
plugin fails to capture the data unless nagios is reconfigured to directly
read the device files themselves.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Since april, the *-multi applications offered through iptables are combined
through a single binary called xtables-multi. The previous commands are now
symbolic links towards this application.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
When audit subsystem is enabled, and setfiles works from root
dir, setfiles would send the AUDIT_FS_RELABEL information to
audit system, If no permission to send the information to audit
by netlink, setfiles would return error.
The test cases to reproduce this defect:
=> restorecon -R /
=> echo $?
255
=>
Signed-off-by: Roy.Li <rongqing.li@windriver.com>
The mysql_stream_connect interface, which is already in use, is only for local
MySQL databases (not through TCP/IP).
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Currently, the nagios nrpe_t definition has no read access to its own
nrpe_etc_t. I suspect this to be a copy/paste problem. Since the nrpe
configuration file is stored in /etc/nagios (nagios_etc_t), NRPE does need
search privileges in nagios_etc_t. This is easily accomplished through
read_files_pattern.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
The current consolekit policy definition has hal_ptrace(consolekit_t) in its
main body. However, HAL support within consolekit is not mandatory. As such,
this call should be within an optional_policy().
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Haveged by itself requires a few additional privileges (create a unix socket
and write access to some proc/sys/kernel files (like
/proc/sys/kernel/random/write_wakeup_threshold).
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Introduce a tunable called "entropyd_use_audio". This boolean triggers the
privileges that are specific for audio support (both device access as well
as the alsa-specific ones).
The idea to use a boolean is to support other entropy management
applications/daemons which use different sources (like haveged using the
HAVEGE algorithm).
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Portage supports the use of proxy systems (which usually run on port 8080)
for the fetching of software archives.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Portage supports the notion of "live ebuilds", which are packages that, when
installed, update a repository checkout on a specific location. This means
that a few portage-related domains need to have manage_* privileges on that
location whereas they usually have much more limited rights (when live
ebuilds aren't used).
To support live ebuilds, we introduce another label called portage_srcrepo_t
for those specific locations where the "higher" privileges are needed for,
and grant the proper permissions on the compile domains (like
portage_sandbox_t) to manage the checkouts.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
When users want to use NFS mounted portage tree, distfiles, packages and
other locations, they need to use the proper context= mount option. However,
in the majority of cases, the users use a single NFS mount. In such
situation, context= cannot be used properly since it puts a label on the
entire mount (whereas we would then need other labels depending on
subdirectories).
Introducing a boolean "portage_use_nfs" which, when set (default off),
allows the necessary portage-related domains to manage files and directories
with the nfs_t label.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Create the rpc_tcp_rw_nfs_sockets() interface, allowing for the calling
domain to access the tcp_sockets managed by nfsd_t.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
This is intended to label /run/udev, but I am assuming that everyone
will use file_contexts.subs(_dist)? to substitute /var/run for /run,
since there are currently no other fcs for /run in refpolicy.
The label is udev_tbl_t instead of udev_var_run_t, because /run/udev
contains the data which used to be in /dev/.udev.
Add read_lnk_file_perms to all interfaces giving access to var_run_t and
var_lock_t.
This is needed as on Debian /var/run and /var/lock are now symlinks to
/run and /run/lock.
When mozilla_role interface is called, 1st argument is the caller's
role and 2nd argument is the caller's domain, such as:
mozilla_role(staff_r, staff_t)
When mozilla_role calls mozilla_run_plugin, the passed 2nd argument
should be the caller's role rather than its domain, so $1 not $2 should
be used.
Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
The zabbix agent is responsible for collecting the system state and other
monitorable aspects. This include
- information from /proc
- read attributes of various files (tamper detection)
- connect to the ssh service (check if it is reachable)
- get file system information
- read login information
- ...
It should be noted that the agent can do a lot more, depending on the target
system (what is being monitored) and the running services. The allowed
privileges here will in the future expand more as more templates are
checked.
Update: follow styleguide
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
The zabbix server also connects to the agents (this is called "active
monitoring" in the zabbix terms). So we create a zabbix_agent_tcp_connect
interface, use it for the zabbix_t domain and, since zabbix can use
hostname-based connections, allow DNS resolving for the zabbix server.
Update: Follow styleguide
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
The zabbix agent has its own dedicated port (10050) on which it needs to
bind/listen.
Also, the agent connects to the server so we add the zabbix_tcp_connect
interface (shamelessly copied from mysql_tcp_connect) and use it for the
zabbix_agent_t domain.
Update: structure interface calls more closely to styleguide
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
The zabbix agent should be confined within its own domain. We start with the
definition of a small(er) skeleton to work from. This includes proper file
context definitions, standard interdomain privileges (which are quite
similar to those of the server) and the proper log- and pid access
privileges.
Update: attempt to follow styleguide more closely
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
The zabbix server uses a dedicated port (10051). We define it and allow the
zabbix server to bind/listen on it.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
On Mon, Jun 13, 2011 at 10:28:15AM +0200, Sven Vermeulen wrote:
> Zabbix servers use shared memory to keep common information and structures.
> This is implemented on tmpfs. We support this by introducing a
> zabbix_tmpfs_t type and allow the server proper access to it.
After a small discussion and a few more tests, drop the "dir" in
fs_tmpfs_filetrans.
For posterity's sake, this is the denial one gets when no tmpfs_t related
privileges are given:
Jun 13 11:24:06 build kernel: [ 213.054230] type=1400
audit(1307957046.001:106): avc: denied { read write } for pid=3162
comm="zabbix_agentd" path=2F535953563663303132323534202864656C6574656429
dev=tmpfs ino=32768 scontext=system_u:system_r:zabbix_agent_t
tcontext=system_u:object_r:tmpfs_t tclass=file
With fs_tmpfs_filetrans(..., file) the same denial is given, but as
tcontext=zabbix_tmpfs_t. Hence the rw_files_pattern() enhancement.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
The zabbix server process is a multi-process system.
In order to, for instance, shut it down, signalling within the domain is
necessary. Otherwise, the processes remain running.
Also, since there are multiple processes trying to use the same log file,
the zabbix server uses semaphores to ensure proper access to the log files
(concurrency).
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
On Wed, Mar 23, 2011 at 09:10:37AM -0400, Christopher J. PeBenito wrote:
> > userdom_use_user_ptys(mozilla_t)
> > +userdom_manage_user_tmp_files(mozilla_t)
> > +userdom_manage_user_tmp_sockets(mozilla_t)
>
> Do you have more info on these? Such as what files and sockets are
> being managed?
Not anymore apparently. Been running now for quite some time without these
privileges and I get no problems with it. Retry:
Mozilla/Firefox creates temporary files for its plugin support (for instance
while viewing flc streams), like /tmp/plugtmp/plugin-crossdomain.xml.
Update policy to allow it to create its own tmp type and perform a file
transition when creating a file or directory in a tmp_t location (like
/tmp).
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
On Tue, Mar 22, 2011 at 08:44:49AM -0400, Christopher J. PeBenito wrote:
> > +manage_dirs_pattern(courier_authdaemon_t, courier_var_lib_t, courier_var_lib_t)
>
> It sounds like this should be create_dirs_pattern instead.
Indeed, create_dirs_pattern is sufficient here. Retry ;-)
During startup, authdaemon creates /var/lib/courier/authdaemon and creates a
socket for communication with courier imapd and pop3d daemons.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
After a quick discussion with dominique, new attempt due to two issues:
1. No need (or even forbidden) to have "role $1 types foo_exec_t"
2. Suggestion to use the raid_run_mdadm name instead of raid_mdadm_role. The
idea here is to use raid_mdadm_role for prefixed domains (cfr. screen)
whereas raid_run_mdadm is to transition and run into a specific domain
Without wanting to (re?)start any discussion on prefixed versus non-prefixed
domains, such a naming convention could help us to keep the reference policy
cleaner (and naming conventions easy).
Also, refpolicy InterfaceNaming document only talks about run, not role.
So, without much further ado... ;-)
The system administrator (sysadm_r role) needs to use mdadm, but is not
allowed to use the mdadm_t type.
Rather than extend raid_domtrans_mdadm to allow this as well, use a
raid_mdadm_role (a bit more conform other role usages).
The other users of raid_domtrans_mdadm are all domains that run in system_r
role, which does have this type allowed (as per the system/raid.te
definition), so it wouldn't hurt to use raid_domtrans_mdadm for this.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
During the installation of for instance java-config, Portage wants to set
its default file creation context to root:object_r:portage_tmp_t which isn't
allowed:
creating /var/tmp/portage/dev-java/java-config-2.1.11-r3/temp/images/3.1/etc/revdep-rebuild
copying src/revdep-rebuild/60-java -> /var/tmp/portage/dev-java/java-config-2.1.11-r3/temp/images/3.1/etc/revdep-rebuild/
running install_egg_info
Writing /var/tmp/portage/dev-java/java-config-2.1.11-r3/temp/images/3.1/usr/lib64/python3.1/site-packages/java_config-2.1.11-py3.1.egg-info
cp: failed to set default file creation context to `root:object_r:portage_tmp_t': Permission denied
cp: failed to set default file creation context to `root:object_r:portage_tmp_t': Permission denied
cp: failed to set default file creation context to `root:object_r:portage_tmp_t': Permission denied
cp: failed to set default file creation context to `root:object_r:portage_tmp_t': Permission denied
...
ERROR: dev-java/java-config-2.1.11-r3 failed:
Merging of intermediate installation image for Python ABI '2.6 into installation image failed
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
During installation of system packages like python, ustr, ... the
portage_sandbox_t domain requires ptrace capabilities.
If not allowed, the following error is returned:
/sbin/ldconfig -n /var/tmp/portage/dev-libs/ustr-1.0.4-r1/image//usr/lib64
ISE:_do_ptrace ^[[0mptrace(PTRACE_TRACEME, ..., 0x0000000000000000, 0x0000000000000000): Permission denied
/usr/lib/libsandbox.so(+0x3812)[0x7535af0ca812]
/usr/lib/libsandbox.so(+0x38a3)[0x7535af0ca8a3]
/usr/lib/libsandbox.so(+0x5595)[0x7535af0cc595]
/usr/lib/libsandbox.so(+0x5a87)[0x7535af0cca87]
/usr/lib/libsandbox.so(+0x68de)[0x7535af0cd8de]
/usr/lib/libsandbox.so(execvp+0x6c)[0x7535af0ceb3c]
make(+0x1159e)[0x337b918159e]
make(+0x11eec)[0x337b9181eec]
make(+0x12b34)[0x337b9182b34]
make(+0x1e759)[0x337b918e759]
/proc/5977/cmdline: make -j4 install
DESTDIR=/var/tmp/portage/dev-libs/ustr-1.0.4-r1/image/ HIDE=
libdir=/usr/lib64 mandir=/usr/share/man SHRDIR=/usr/share/doc/ustr-1.0.4-r1
DOCSHRDIR=/usr/share/doc/ustr-1.0.4-r1
This seems to be during a standard "make install" of the package but part of
Portage' sandbox usage (above error for ustr, but packages like python exhibit
the same problem.)
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
The installation of the wireshark package (and perhaps others) requires
portage setting file capabilities (through the setcap binary).
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
The attached patch allows postgresql_t domain to read selabel definition files
(such as /etc/selinux/targeted/contexts/sepgsql_contexts).
The upcoming version (v9.1) uses selabel_lookup(3) to assign initial security context
of database objects, we need to allow this reference.
Thanks,
--
NEC Europe Ltd, SAP Global Competence Center
KaiGai Kohei <kohei.kaigai@eu.nec.com>
Allow mplayer to behave as a plugin for higher-level (interactive)
applications, such as browser plugins
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
In order to work with webcams, mplayer domain needs write access to the
v4l_device_t (updates and reconfiguration of the video device)
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Updates on the file contexts, supporting AMD64 multilib environment
( Patch 10 has been revoked a-la-last-minute, needs further testing )
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
postalias should stay bin_t, is manually executed (no role executes
postfix_master_exec_t as it is only to be launched through init scripts).
The postalias command is used to regenerate the aliases.db file from the
mail aliases and as such is a system administrative activity. However, by
default, no role has execute rights on any postfix_master_exec_t domains as
the domain is apparently meant only to be started from the run_init_t
domain.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Cyrus sasl by default looks in /var/lib/sasl2 for its PID file, socket
creation and lock files.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Update on the file contexts for courier-imap. Also fixes a few context
directives which didn't update the directory itself.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
The alsactl binary is often installed in /usr/sbin instead of /sbin (not a
necessity to start up the system). Used in distributions such as Gentoo,
Slackware and Arch.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
When starting the X server from the console (using the startx script
that is being shipped with package xinit from X.Org), a few more
permissions are needed from the reference policy.
The label is for a file created by the startx script (from X.Org) and
the module being requested is ipv6 (which can be disabled by other
means).
Allow xserver_restricted_role domains to call/start Xorg (using startx), fixes
15-second lag/timeout (needs siginh permission as provided by
xserver_domtrans).
Apparently, the 15-second lag (or some other behavior) was already detected
in the past, giving rise to the SIGINH permission in the xserver_domtrans()
interface.
However, domains that are given the xserver_(restricted_)role do not call
the xserver_domtrans but rather the "standard" domtrans_pattern.
The new patch suggests to use xserver_domtrans in the
xserver_restricted_role, which automatically includes the siginh permission
then.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
