The zabbix agent should be confined within its own domain. We start with the
definition of a small(er) skeleton to work from. This includes proper file
context definitions, standard interdomain privileges (which are quite
similar to those of the server) and the proper log- and pid access
privileges.
Update: attempt to follow styleguide more closely
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
The zabbix server uses a dedicated port (10051). We define it and allow the
zabbix server to bind/listen on it.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
On Mon, Jun 13, 2011 at 10:28:15AM +0200, Sven Vermeulen wrote:
> Zabbix servers use shared memory to keep common information and structures.
> This is implemented on tmpfs. We support this by introducing a
> zabbix_tmpfs_t type and allow the server proper access to it.
After a small discussion and a few more tests, drop the "dir" in
fs_tmpfs_filetrans.
For posterity's sake, this is the denial one gets when no tmpfs_t related
privileges are given:
Jun 13 11:24:06 build kernel: [ 213.054230] type=1400
audit(1307957046.001:106): avc: denied { read write } for pid=3162
comm="zabbix_agentd" path=2F535953563663303132323534202864656C6574656429
dev=tmpfs ino=32768 scontext=system_u:system_r:zabbix_agent_t
tcontext=system_u:object_r:tmpfs_t tclass=file
With fs_tmpfs_filetrans(..., file) the same denial is given, but as
tcontext=zabbix_tmpfs_t. Hence the rw_files_pattern() enhancement.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
The zabbix server process is a multi-process system.
In order to, for instance, shut it down, signalling within the domain is
necessary. Otherwise, the processes remain running.
Also, since there are multiple processes trying to use the same log file,
the zabbix server uses semaphores to ensure proper access to the log files
(concurrency).
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
On Wed, Mar 23, 2011 at 09:10:37AM -0400, Christopher J. PeBenito wrote:
> > userdom_use_user_ptys(mozilla_t)
> > +userdom_manage_user_tmp_files(mozilla_t)
> > +userdom_manage_user_tmp_sockets(mozilla_t)
>
> Do you have more info on these? Such as what files and sockets are
> being managed?
Not anymore apparently. Been running now for quite some time without these
privileges and I get no problems with it. Retry:
Mozilla/Firefox creates temporary files for its plugin support (for instance
while viewing flc streams), like /tmp/plugtmp/plugin-crossdomain.xml.
Update policy to allow it to create its own tmp type and perform a file
transition when creating a file or directory in a tmp_t location (like
/tmp).
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
On Tue, Mar 22, 2011 at 08:44:49AM -0400, Christopher J. PeBenito wrote:
> > +manage_dirs_pattern(courier_authdaemon_t, courier_var_lib_t, courier_var_lib_t)
>
> It sounds like this should be create_dirs_pattern instead.
Indeed, create_dirs_pattern is sufficient here. Retry ;-)
During startup, authdaemon creates /var/lib/courier/authdaemon and creates a
socket for communication with courier imapd and pop3d daemons.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
After a quick discussion with dominique, new attempt due to two issues:
1. No need (or even forbidden) to have "role $1 types foo_exec_t"
2. Suggestion to use the raid_run_mdadm name instead of raid_mdadm_role. The
idea here is to use raid_mdadm_role for prefixed domains (cfr. screen)
whereas raid_run_mdadm is to transition and run into a specific domain
Without wanting to (re?)start any discussion on prefixed versus non-prefixed
domains, such a naming convention could help us to keep the reference policy
cleaner (and naming conventions easy).
Also, refpolicy InterfaceNaming document only talks about run, not role.
So, without much further ado... ;-)
The system administrator (sysadm_r role) needs to use mdadm, but is not
allowed to use the mdadm_t type.
Rather than extend raid_domtrans_mdadm to allow this as well, use a
raid_mdadm_role (a bit more conform other role usages).
The other users of raid_domtrans_mdadm are all domains that run in system_r
role, which does have this type allowed (as per the system/raid.te
definition), so it wouldn't hurt to use raid_domtrans_mdadm for this.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
During the installation of for instance java-config, Portage wants to set
its default file creation context to root:object_r:portage_tmp_t which isn't
allowed:
creating /var/tmp/portage/dev-java/java-config-2.1.11-r3/temp/images/3.1/etc/revdep-rebuild
copying src/revdep-rebuild/60-java -> /var/tmp/portage/dev-java/java-config-2.1.11-r3/temp/images/3.1/etc/revdep-rebuild/
running install_egg_info
Writing /var/tmp/portage/dev-java/java-config-2.1.11-r3/temp/images/3.1/usr/lib64/python3.1/site-packages/java_config-2.1.11-py3.1.egg-info
cp: failed to set default file creation context to `root:object_r:portage_tmp_t': Permission denied
cp: failed to set default file creation context to `root:object_r:portage_tmp_t': Permission denied
cp: failed to set default file creation context to `root:object_r:portage_tmp_t': Permission denied
cp: failed to set default file creation context to `root:object_r:portage_tmp_t': Permission denied
...
ERROR: dev-java/java-config-2.1.11-r3 failed:
Merging of intermediate installation image for Python ABI '2.6 into installation image failed
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
During installation of system packages like python, ustr, ... the
portage_sandbox_t domain requires ptrace capabilities.
If not allowed, the following error is returned:
/sbin/ldconfig -n /var/tmp/portage/dev-libs/ustr-1.0.4-r1/image//usr/lib64
ISE:_do_ptrace ^[[0mptrace(PTRACE_TRACEME, ..., 0x0000000000000000, 0x0000000000000000): Permission denied
/usr/lib/libsandbox.so(+0x3812)[0x7535af0ca812]
/usr/lib/libsandbox.so(+0x38a3)[0x7535af0ca8a3]
/usr/lib/libsandbox.so(+0x5595)[0x7535af0cc595]
/usr/lib/libsandbox.so(+0x5a87)[0x7535af0cca87]
/usr/lib/libsandbox.so(+0x68de)[0x7535af0cd8de]
/usr/lib/libsandbox.so(execvp+0x6c)[0x7535af0ceb3c]
make(+0x1159e)[0x337b918159e]
make(+0x11eec)[0x337b9181eec]
make(+0x12b34)[0x337b9182b34]
make(+0x1e759)[0x337b918e759]
/proc/5977/cmdline: make -j4 install
DESTDIR=/var/tmp/portage/dev-libs/ustr-1.0.4-r1/image/ HIDE=
libdir=/usr/lib64 mandir=/usr/share/man SHRDIR=/usr/share/doc/ustr-1.0.4-r1
DOCSHRDIR=/usr/share/doc/ustr-1.0.4-r1
This seems to be during a standard "make install" of the package but part of
Portage' sandbox usage (above error for ustr, but packages like python exhibit
the same problem.)
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
The installation of the wireshark package (and perhaps others) requires
portage setting file capabilities (through the setcap binary).
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
The attached patch allows postgresql_t domain to read selabel definition files
(such as /etc/selinux/targeted/contexts/sepgsql_contexts).
The upcoming version (v9.1) uses selabel_lookup(3) to assign initial security context
of database objects, we need to allow this reference.
Thanks,
--
NEC Europe Ltd, SAP Global Competence Center
KaiGai Kohei <kohei.kaigai@eu.nec.com>
Allow mplayer to behave as a plugin for higher-level (interactive)
applications, such as browser plugins
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
In order to work with webcams, mplayer domain needs write access to the
v4l_device_t (updates and reconfiguration of the video device)
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Updates on the file contexts, supporting AMD64 multilib environment
( Patch 10 has been revoked a-la-last-minute, needs further testing )
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
postalias should stay bin_t, is manually executed (no role executes
postfix_master_exec_t as it is only to be launched through init scripts).
The postalias command is used to regenerate the aliases.db file from the
mail aliases and as such is a system administrative activity. However, by
default, no role has execute rights on any postfix_master_exec_t domains as
the domain is apparently meant only to be started from the run_init_t
domain.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Cyrus sasl by default looks in /var/lib/sasl2 for its PID file, socket
creation and lock files.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Update on the file contexts for courier-imap. Also fixes a few context
directives which didn't update the directory itself.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
The alsactl binary is often installed in /usr/sbin instead of /sbin (not a
necessity to start up the system). Used in distributions such as Gentoo,
Slackware and Arch.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
When starting the X server from the console (using the startx script
that is being shipped with package xinit from X.Org), a few more
permissions are needed from the reference policy.
The label is for a file created by the startx script (from X.Org) and
the module being requested is ipv6 (which can be disabled by other
means).
Allow xserver_restricted_role domains to call/start Xorg (using startx), fixes
15-second lag/timeout (needs siginh permission as provided by
xserver_domtrans).
Apparently, the 15-second lag (or some other behavior) was already detected
in the past, giving rise to the SIGINH permission in the xserver_domtrans()
interface.
However, domains that are given the xserver_(restricted_)role do not call
the xserver_domtrans but rather the "standard" domtrans_pattern.
The new patch suggests to use xserver_domtrans in the
xserver_restricted_role, which automatically includes the siginh permission
then.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
This patch adds a new interface to the cpufreqselector module
to allow dbus chat. It then uses such interface to allow dbus chat
with system_dbusd_t and xdm_t. This patch also adds some other
permissions needed to run cpufreqselector.
As one of entrypoint application, crond_t should have had the
files_polyinstantiate_all() interface called so that pam_namespace.so
could work well in crond_t. Otherwise the crond_t lacks the sys_admin
permission to make use of pam_namespace.so
BTW, the allow_polyinstantiation boolean need to be toggled true
accordingly.
Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
Entry point applications such as crond or atd use pam_loginuid.so for
the session phase of their PAM config files to set the process loginuid
attribute. Accordingly logging_set_loginuid interface should have been
called, otherwise we could run into below error message:
type=USER_START msg=audit(1296377641.212:213): user pid=2633 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s15:c0.c1023 msg='op=PAM:session_open acct="root" exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=failed)'
type=USER_END msg=audit(1296377641.220:214): user pid=2633 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s15:c0.c1023 msg='op=PAM:session_close acct="root" exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=failed)'
type=AVC msg=audit(1296377641.196:212): avc: denied { audit_control } for pid=2633 comm="crond" capability=30 scontext=system_u:system_r:crond_t:s0-s15:c0.c1023 tcontext=system_u:system_r:crond_t:s0-s15:c0.c1023 tclass=capability
BTW, other entrypoint applications such as sshd/login/remote have had
this interface called for their domains.
Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
On my system, I use XFCE and start X from the commandline (using "startx")
rather than through a graphical DM. During the start-up, XFCE4 creates
temporary ICE files in /tmp (like /tmp/.xfsm-ICE-ABCDEF) which are later
read in by iceauth and at some point X.
I'm not that good at the entire ICE stuff, but without this, I was unable to
shut down my session ("log off").
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
I realized the policy wasn't complete for handling udev_tbl_t dirs, and
updating it wouldn't work because we couldn't make a filetrans on dirs,
since all the dirs in /dev would become udev_tbl_t. i.e. this would have
been required, but would make problems: dev_filetrans(udev_t, udev_tbl_t, dir);
As identified by Stephan Smalley, the current MLS constraint for the
contains permission of the context class should consider the current
level of a user along with the clearance level so that mls_systemlow
is no longer considered contained in mls_systemhigh.
Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
From 78d6e4acfc000b07dbf85b076fa523e95e72da3f Sun, 13 Feb 2011 18:55:53 +0100
From: Dominick Grift <domg472@gmail.com>
Date: Sun, 13 Feb 2011 18:55:09 +0100
Subject: [PATCH] Users calling apache_role were not able to manage httpd_user_content_t files, directories and symbolic links.
Users calling apache_role were not able to manage httpd_user_content_t files, directories and symbolic links.
Signed-off-by: Dominick Grift <domg472@gmail.com>
Various changes to the Xen userspace policy, including:
- Add gntdev and gntalloc device node labeling.
- Create separate domains for blktap and qemu-dm rather than leaving them in xend_t.
- No need to allow xen userspace to create its own device nodes anymore;
this is handled automatically by the kernel/udev.
- No need to allow xen userspace access to generic raw storage; even if
using dedicated partitions/LVs for disk images, you can just label them
with xen_image_t.
The blktap and qemu-dm domains are stubs and will likely need to be
further expanded, but they should definitely not be left in xend_t. Not
sure if I should try to use qemu_domain_template() instead for qemu-dm,
but I don't see any current users of that template (qemu_t uses
virt_domain_template instead), and qemu-dm has specific interactions
with Xen.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Since sudo 1.7.4, the timestamp directory has moved from /var/run/sudo to
/var/db/sudo, lib or adm (in that order). See also the sudo changeset
http://www.sudo.ws/repos/sudo/rev/8c9440423d98
Keeping the "old" one (/var/run/sudo) for a while for those systems where
sudo has not been updated yet (change is since 1.7.4, Jul 14 2010).
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
On an Xorg 1.9 system with evdev driver (for keyboard InputClass), the
xserver_t domain needs to be able to read from the proper device nodes as
well as query the udev_tbl_t directory and udev itself.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
The mdadm application will write into /sys/.../uevent whenever arrays are
assembled or disassembled.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
The LVM subsystem uses system-wide semaphores for various activities.
Although the system boots properly without these (apart from the AVC denials
of course), I would assume that they are here to ensure no corruption of any
kind happens in case of concurrent execution / race conditions.
As such, I rather enable it explicitly in the security policy.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
The modprobe utility is sometimes used (for instance for ALSA) to request
the Linux kernel to load a module (through aliases) rather than explicitly
loading the module.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
The below patch changes a typo "directores" to "directories", and also
fixes a comment to sound more proper.
Signed-off-by: Justin P. Mattock <justinmattock@gmail.com>
Add the support to login and use the system from /dev/console.
1. Make gettty_t able to use the /dev/console;
2. Make local_login_t able to relabel /dev/console to user tty types;
3. Provide the type_change rule for relabeling /dev/console.
All above supports are controlled by the allow_console tunable.
Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
