2012-10-19 18:53:53

by sven.vermeulen

Subject: [refpolicy] [PATCH 0/7] Updates on portage, fail2ban and shorewall

A set of changes on the fail2ban, shorewall and portage modules. Some of the
changes depend on the interfaces that were suggested earlier but have not been
applied to the tree, so please hold this patchset until those are applied.

Sending to the mailing list already so eventual reviewing can occur in advance.

Sven Vermeulen (7):
Sandbox is an inherent part of the portage inner workings
Fix startup issue with fail2ban-client
Be able to get output from fail2ban-client
Ignore searches when run from the user home directory
Fail2ban client checks state of log files before telling the server
Shorewall admins execute shorewall too
Shorewall needs sys_admin capability for manipulating network stack

fail2ban.te | 11 +++++++++++
portage.te | 3 +--
shorewall.if | 3 +++
shorewall.te | 2 +-
4 files changed, 16 insertions(+), 3 deletions(-)

--
1.7.8.6


2012-10-19 18:53:54

by sven.vermeulen

Subject: [refpolicy] [PATCH 1/7] Sandbox is an inherent part of the portage inner workings

Portage sandbox is used while building software; whenever a user has the right
to use portage, he needs the sandboxing as well.

We add portage_sandbox_t towards the portage_roles instead of the
portage_sandbox_roles, and remove the portage_sandbox_roles role attribute (as
there is no immediate need to support it besides portage_roles).

This also fixes the breakage in Portage not wanting to build anything (including
SELinux policies) as the users who have portage_run didn't have access to the
portage_sandbox_t domain (as introduced in commit
d3144af9dffa9d1d918c68b1598c871e0b5baaa2).

Signed-off-by: Sven Vermeulen <[email protected]>
---
portage.te | 3 +--
1 files changed, 1 insertions(+), 2 deletions(-)

diff --git a/portage.te b/portage.te
index b4b3e9f..56e2e3c 100644
--- a/portage.te
+++ b/portage.te
@@ -16,7 +16,6 @@ gen_tunable(portage_use_nfs, false)
attribute_role gcc_config_roles;
attribute_role portage_roles;
attribute_role portage_fetch_roles;
-attribute_role portage_sandbox_roles;

type gcc_config_t;
type gcc_config_exec_t;
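
Review bot: dropping `attribute_role portage_sandbox_roles;` is only safe if nothing else still references the attribute; the diffstat for this patch touches portage.te alone, so any interface in portage.if that still adds callers to portage_sandbox_roles will break the policy build. Grep the module for the attribute name and remove or redirect those uses in the same patch, and mention the removal in the commit message as an interface change.
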
@@ -38,7 +37,7 @@ application_domain(portage_sandbox_t, portage_exec_t)
# the shell is the entrypoint if regular sandbox is disabled
# portage_exec_t is the entrypoint if regular sandbox is enabled
corecmd_shell_entry_type(portage_sandbox_t)
-role portage_sandbox_roles types portage_sandbox_t;
+role portage_roles types portage_sandbox_t;

# portage package fetching domain
type portage_fetch_t;
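
Review bot: `role portage_roles types portage_sandbox_t;` widens who may hold the sandbox domain from whoever was on portage_sandbox_roles to every role in portage_roles, and the comment lines just above note that a plain shell is the entrypoint when the sandbox is disabled. Add a one-line comment above the role statement saying the sandbox domain is granted together with the main portage domain on purpose, so a later reader does not try to split it out again.
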
--
1.7.8.6

2012-10-19 18:53:55

by sven.vermeulen

Subject: [refpolicy] [PATCH 2/7] Fix startup issue with fail2ban-client

The fail2ban-client application fails to start if it isn't allowed to create,
connect, read and write to its own unix_stream_socket.

Signed-off-by: Sven Vermeulen <[email protected]>
---
fail2ban.te | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/fail2ban.te b/fail2ban.te
index bd529c0..ed39236 100644
--- a/fail2ban.te
+++ b/fail2ban.te
@@ -124,6 +124,8 @@ optional_policy(`
# Client Local policy
#

+allow fail2ban_client_t self:unix_stream_socket { create connect write read };
+
domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t)

stream_connect_pattern(fail2ban_client_t, fail2ban_var_run_t, fail2ban_var_run_t, fail2ban_t)
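
Review bot: the permission set `{ create connect write read }` on the self unix_stream_socket is spelled out by hand; refpolicy normally expresses this with its permission-set macros, so `allow fail2ban_client_t self:unix_stream_socket create_socket_perms;` would be the idiomatic form (create plus the read/write set). If the narrow four-permission list is deliberate, say so in a comment, since the next denial on this socket (getattr, shutdown) will otherwise produce a follow-up patch.
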
--
1.7.8.6

2012-10-19 18:53:56

by sven.vermeulen

Subject: [refpolicy] [PATCH 3/7] Be able to get output from fail2ban-client

fail2ban-client is a client-side, command-line utility used by the
administrators. It needs to use the user terminal (and interactive fds, for
instance when the admin is logged on through SSH) in order to provide output to
the user.

Signed-off-by: Sven Vermeulen <[email protected]>
---
fail2ban.te | 4 ++++
1 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/fail2ban.te b/fail2ban.te
index ed39236..6d6cd0e 100644
--- a/fail2ban.te
+++ b/fail2ban.te
@@ -134,8 +134,12 @@ kernel_read_system_state(fail2ban_client_t)

corecmd_exec_bin(fail2ban_client_t)

+domain_use_interactive_fds(fail2ban_client_t)
+
files_read_etc_files(fail2ban_client_t)
files_read_usr_files(fail2ban_client_t)
files_search_pids(fail2ban_client_t)

miscfiles_read_localization(fail2ban_client_t)
+
+userdom_use_user_terminals(fail2ban_client_t)
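
Review bot: `domain_use_interactive_fds` covers file descriptors the client inherits from the admin's shell, which is what the commit message describes (output to an SSH session); `userdom_use_user_terminals` goes further and also lets the client open user tty and pty devices itself. Both calls sit in the right alphabetical groups, but the commit message should state which denial required the second, broader interface, or drop it if the inherited-fd rule was enough.
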
--
1.7.8.6

2012-10-19 18:53:57

by sven.vermeulen

Subject: [refpolicy] [PATCH 4/7] Ignore searches when run from the user home directory

When run, fail2ban-client searches through the current working directory,
although this isn't used for anything. As in most cases, commands are run from
within the user home directory, ignore such searches.

Signed-off-by: Sven Vermeulen <[email protected]>
---
fail2ban.te | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/fail2ban.te b/fail2ban.te
index 6d6cd0e..23b92bc 100644
--- a/fail2ban.te
+++ b/fail2ban.te
@@ -142,4 +142,5 @@ files_search_pids(fail2ban_client_t)

miscfiles_read_localization(fail2ban_client_t)

+userdom_dontaudit_search_user_home_dirs(fail2ban_client_t)
userdom_use_user_terminals(fail2ban_client_t)
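
Review bot: `userdom_dontaudit_search_user_home_dirs` only silences searches of regular user home directories; the 3/7 message says the client is run by administrators, and an admin home directory carries its own type in refpolicy, so runs from there will still log a search denial. Either add the matching dontaudit for the admin home type in this patch or note in the commit message that it is left audited on purpose.
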
--
1.7.8.6

2012-10-19 18:53:58

by sven.vermeulen

Subject: [refpolicy] [PATCH 5/7] Fail2ban client checks state of log files before telling the server

When a (re)configuration occurs, fail2ban-client invokes an internal script
called jailreader which will look through the configured log files and check
their state before informing the server that these log files need to be
"watched".

During this operation, fail2ban-client requires dac_read_search capability (in
case the log file/directory isn't owned by the same user that fail2ban-client
runs as, which is a very common case) as well as getattr rights on all log files
(and search privileges on the directories).

Signed-off-by: Sven Vermeulen <[email protected]>
---
fail2ban.te | 4 ++++
1 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/fail2ban.te b/fail2ban.te
index 23b92bc..1c54353 100644
--- a/fail2ban.te
+++ b/fail2ban.te
@@ -124,6 +124,7 @@ optional_policy(`
# Client Local policy
#

+allow fail2ban_client_t self:capability dac_read_search;
allow fail2ban_client_t self:unix_stream_socket { create connect write read };

domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t)
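
Review bot: `dac_read_search` is the narrower choice over dac_override for reading root-owned log metadata, which is right, but a bare capability grant with no comment will be questioned again later. Put a short comment above it (the reason from the commit message: jailreader stats configured log files that the client's user does not own) so the justification lives next to the rule rather than only in git history.
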
@@ -140,6 +141,9 @@ files_read_etc_files(fail2ban_client_t)
files_read_usr_files(fail2ban_client_t)
files_search_pids(fail2ban_client_t)

+logging_getattr_all_logs(fail2ban_client_t)
+logging_search_all_log_dirs(fail2ban_client_t)
+
miscfiles_read_localization(fail2ban_client_t)

userdom_dontaudit_search_user_home_dirs(fail2ban_client_t)
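
Review bot: `logging_getattr_all_logs` and `logging_search_all_log_dirs` grant metadata access to every log type on the system; that breadth is defensible because the watched files come from the jail configuration rather than a fixed list, but the hunk gives no hint of this. Add a one-line comment above the pair stating that the set of log files is config-driven, and confirm the client never needs read on them (only getattr), so the rule stays at metadata level.
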
--
1.7.8.6

2012-10-19 18:53:59

by sven.vermeulen

Subject: [refpolicy] [PATCH 6/7] Shorewall admins execute shorewall too

The shorewall binary, labeled shorewall_exec_t, is also executed by shorewall
administrators (such as for validating the configuration file, showing
capabilities, updating configurations, etc.)

Add in this ability inside the shorewall_admin interface.

Signed-off-by: Sven Vermeulen <[email protected]>
---
shorewall.if | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)

diff --git a/shorewall.if b/shorewall.if
index 781ad7e..9574bb5 100644
--- a/shorewall.if
+++ b/shorewall.if
@@ -173,6 +173,7 @@ interface(`shorewall_admin',`
gen_require(`
type shorewall_t, shorewall_lock_t;
type shorewall_log_t;
+ type shorewall_exec_t;
type shorewall_initrc_exec_t, shorewall_var_lib_t;
type shorewall_tmp_t, shorewall_etc_t;
')
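
Review bot: the new `type shorewall_exec_t;` line is added as a single-type statement between the existing two-type lines of gen_require; refpolicy interfaces usually keep these grouped, so fold it into the first line (`type shorewall_t, shorewall_exec_t, shorewall_lock_t;`) rather than adding a new one. Cosmetic, but this block is copied into every admin interface and consistency keeps diffs readable.
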
@@ -185,6 +186,8 @@ interface(`shorewall_admin',`
role_transition $2 shorewall_initrc_exec_t system_r;
allow $2 system_r;

+ can_exec($1, shorewall_exec_t)
+
files_list_etc($1)
admin_pattern($1, shorewall_etc_t)

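
Review bot: `can_exec($1, shorewall_exec_t)` runs the binary in the caller's own domain rather than transitioning to shorewall_t, so an admin invoking shorewall directly gets only the admin domain's rights; starting or stopping the firewall still goes through the init script and the role transition just above this hunk. That matches the scope in the commit message (check, show, update), but the interface's documentation comment should say that direct execution does not transition, otherwise a user expecting the daemon's privileges will file a bug.
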
--
1.7.8.6

2012-10-19 18:54:00

by sven.vermeulen

Subject: [refpolicy] [PATCH 7/7] Shorewall needs sys_admin capability for manipulating network stack

In order to manipulate the network stack (for instance, through the
/proc/sys/net/ipv4/conf/*/rp_filter file for reverse path filtering), shorewall
needs the sys_admin capability.

If not, it fails with the error message "write error: Operation not permitted".

Signed-off-by: Sven Vermeulen <[email protected]>
---
shorewall.te | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/shorewall.te b/shorewall.te
index 4723c6b..0f26ab1 100644
--- a/shorewall.te
+++ b/shorewall.te
@@ -37,7 +37,7 @@ logging_log_file(shorewall_log_t)
# shorewall local policy
#

-allow shorewall_t self:capability { dac_override net_admin net_raw setuid setgid sys_nice sys_ptrace };
+allow shorewall_t self:capability { dac_override net_admin net_raw setuid setgid sys_admin sys_nice sys_ptrace };
dontaudit shorewall_t self:capability sys_tty_config;
allow shorewall_t self:fifo_file rw_fifo_file_perms;

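
Review bot: `sys_admin` is the broadest capability in this set, and the justification given is a write to /proc/sys/net/ipv4/conf/*/rp_filter, which is a net sysctl; refpolicy normally covers such writes on the file side with `kernel_rw_net_sysctls`, and `net_admin` is already in this line. Please include the actual AVC line in the commit message so it is clear the denial really is on capability sys_admin and not on the sysctl file, and if it is sys_admin, name the operation in shorewall that triggers it.
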
--
1.7.8.6
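
As an added example (not code from this thread or from refpolicy), the following Python script shows the workflow a policy reviewer applies to denials like the ones these seven patches answer: parse AVC lines, turn each into a raw policy statement, route searches of user home directories to dontaudit as patch 4/7 does, and flag broad capability grants such as sys_admin for justification. The AVC lines are constructed to match the domains in the series, and the output is raw policy rather than the refpolicy interface calls a real patch would use.

```python
import re

# Constructed AVC denial lines (assumed sample input, not taken from the thread)
# matching the cases the patch series addresses.
SAMPLE_AVC = """\
type=AVC msg=audit(1350672000.101:201): avc:  denied  { create } for  pid=2201 comm="fail2ban-client" scontext=staff_u:staff_r:fail2ban_client_t tcontext=staff_u:staff_r:fail2ban_client_t tclass=unix_stream_socket
type=AVC msg=audit(1350672000.102:202): avc:  denied  { search } for  pid=2201 comm="fail2ban-client" name="staff" dev="sda3" ino=12 scontext=staff_u:staff_r:fail2ban_client_t tcontext=staff_u:object_r:user_home_dir_t tclass=dir
type=AVC msg=audit(1350672000.103:203): avc:  denied  { dac_read_search } for  pid=2201 comm="fail2ban-client" capability=2 scontext=staff_u:staff_r:fail2ban_client_t tcontext=staff_u:staff_r:fail2ban_client_t tclass=capability
type=AVC msg=audit(1350672000.104:204): avc:  denied  { sys_admin } for  pid=2310 comm="shorewall" capability=21 scontext=system_u:system_r:shorewall_t tcontext=system_u:system_r:shorewall_t tclass=capability
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?"
    r"scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)"
)

# Capabilities a reviewer asks to see justified by the exact operation needing them.
BROAD_CAPS = {"sys_admin", "dac_override", "sys_ptrace", "sys_module"}

# Targets whose denials are noise for this client (cwd searches, as in patch 4/7).
DONTAUDIT_TARGETS = {"user_home_dir_t"}

def type_of(context):
    """Extract the type field from user:role:type[:level]."""
    return context.split(":")[2]

def parse_avc(text):
    """Return one dict per denial: source type, target type, class, sorted perms."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            denials.append({
                "source": type_of(m["scon"]), "target": type_of(m["tcon"]),
                "tclass": m["tclass"], "perms": sorted(m["perms"].split()),
            })
    return denials

def suggest_rule(d):
    """Map a denial to a raw policy statement plus a 'needs justification' flag."""
    target = "self" if d["target"] == d["source"] else d["target"]
    perms = d["perms"][0] if len(d["perms"]) == 1 else "{ " + " ".join(d["perms"]) + " }"
    kind = "dontaudit" if d["target"] in DONTAUDIT_TARGETS else "allow"
    rule = f"{kind} {d['source']} {target}:{d['tclass']} {perms};"
    broad = d["tclass"] == "capability" and bool(BROAD_CAPS & set(d["perms"]))
    return rule, broad

def review(text):
    """Rules for every denial in an audit log excerpt, in log order."""
    return [suggest_rule(d) for d in parse_avc(text)]

if __name__ == "__main__":
    for rule, broad in review(SAMPLE_AVC):
        print(("JUSTIFY  " if broad else "         ") + rule)
```

The third constructed denial reproduces the exact `allow fail2ban_client_t self:capability dac_read_search;` line of patch 5/7, while the shorewall line comes out flagged because sys_admin is in the broad set.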

2012-10-19 19:31:55

by dominick.grift

Subject: [refpolicy] [PATCH 7/7] Shorewall needs sys_admin capability for manipulating network stack



On Fri, 2012-10-19 at 20:54 +0200, Sven Vermeulen wrote:
> In order to manipulate the network stack (for instance, through the
> /proc/sys/net/ipv4/conf/*/rp_filter file for reverse path filtering), shorewall
> needs the sys_admin capability.
>
> If not, it fails with the error message "write error: Operation not permitted".
>
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> shorewall.te | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/shorewall.te b/shorewall.te
> index 4723c6b..0f26ab1 100644
> --- a/shorewall.te
> +++ b/shorewall.te
> @@ -37,7 +37,7 @@ logging_log_file(shorewall_log_t)
> # shorewall local policy
> #
>
> -allow shorewall_t self:capability { dac_override net_admin net_raw setuid setgid sys_nice sys_ptrace };
> +allow shorewall_t self:capability { dac_override net_admin net_raw setuid setgid sys_admin sys_nice sys_ptrace };
> dontaudit shorewall_t self:capability sys_tty_config;
> allow shorewall_t self:fifo_file rw_fifo_file_perms;
>

This was merged, thanks

2012-10-19 19:32:17

by dominick.grift

Subject: [refpolicy] [PATCH 6/7] Shorewall admins execute shorewall too



On Fri, 2012-10-19 at 20:53 +0200, Sven Vermeulen wrote:
> The shorewall binary, labeled shorewall_exec_t, is also executed by shorewall
> administrators (such as for validating the configuration file, showing
> capabilities, updating configurations, etc.)
>
> Add in this ability inside the shorewall_admin interface.
>
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> shorewall.if | 3 +++
> 1 files changed, 3 insertions(+), 0 deletions(-)
>
> diff --git a/shorewall.if b/shorewall.if
> index 781ad7e..9574bb5 100644
> --- a/shorewall.if
> +++ b/shorewall.if
> @@ -173,6 +173,7 @@ interface(`shorewall_admin',`
> gen_require(`
> type shorewall_t, shorewall_lock_t;
> type shorewall_log_t;
> + type shorewall_exec_t;
> type shorewall_initrc_exec_t, shorewall_var_lib_t;
> type shorewall_tmp_t, shorewall_etc_t;
> ')
> @@ -185,6 +186,8 @@ interface(`shorewall_admin',`
> role_transition $2 shorewall_initrc_exec_t system_r;
> allow $2 system_r;
>
> + can_exec($1, shorewall_exec_t)
> +
> files_list_etc($1)
> admin_pattern($1, shorewall_etc_t)
>
This was merged, thanks

2012-10-19 19:32:41

by dominick.grift

Subject: [refpolicy] [PATCH 4/7] Ignore searches when run from the user home directory



On Fri, 2012-10-19 at 20:53 +0200, Sven Vermeulen wrote:
> When run, fail2ban-client searches through the current working directory,
> although this isn't used for anything. As in most cases, commands are run from
> within the user home directory, ignore such searches.
>
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> fail2ban.te | 1 +
> 1 files changed, 1 insertions(+), 0 deletions(-)
>
> diff --git a/fail2ban.te b/fail2ban.te
> index 6d6cd0e..23b92bc 100644
> --- a/fail2ban.te
> +++ b/fail2ban.te
> @@ -142,4 +142,5 @@ files_search_pids(fail2ban_client_t)
>
> miscfiles_read_localization(fail2ban_client_t)
>
> +userdom_dontaudit_search_user_home_dirs(fail2ban_client_t)
> userdom_use_user_terminals(fail2ban_client_t)

This was merged, thanks

2012-10-19 19:33:00

by dominick.grift

Subject: [refpolicy] [PATCH 3/7] Be able to get output from fail2ban-client



On Fri, 2012-10-19 at 20:53 +0200, Sven Vermeulen wrote:
> fail2ban-client is a client-side, command-line utility used by the
> administrators. It needs to use the user terminal (and interactive fds, for
> instance when the admin is logged on through SSH) in order to provide output to
> the user.
>
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> fail2ban.te | 4 ++++
> 1 files changed, 4 insertions(+), 0 deletions(-)
>
> diff --git a/fail2ban.te b/fail2ban.te
> index ed39236..6d6cd0e 100644
> --- a/fail2ban.te
> +++ b/fail2ban.te
> @@ -134,8 +134,12 @@ kernel_read_system_state(fail2ban_client_t)
>
> corecmd_exec_bin(fail2ban_client_t)
>
> +domain_use_interactive_fds(fail2ban_client_t)
> +
> files_read_etc_files(fail2ban_client_t)
> files_read_usr_files(fail2ban_client_t)
> files_search_pids(fail2ban_client_t)
>
> miscfiles_read_localization(fail2ban_client_t)
> +
> +userdom_use_user_terminals(fail2ban_client_t)

This was merged, thanks

2012-10-19 19:33:22

by dominick.grift

Subject: [refpolicy] [PATCH 2/7] Fix startup issue with fail2ban-client



On Fri, 2012-10-19 at 20:53 +0200, Sven Vermeulen wrote:
> The fail2ban-client application fails to start if it isn't allowed to create,
> connect, read and write to its own unix_stream_socket.
>
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> fail2ban.te | 2 ++
> 1 files changed, 2 insertions(+), 0 deletions(-)
>
> diff --git a/fail2ban.te b/fail2ban.te
> index bd529c0..ed39236 100644
> --- a/fail2ban.te
> +++ b/fail2ban.te
> @@ -124,6 +124,8 @@ optional_policy(`
> # Client Local policy
> #
>
> +allow fail2ban_client_t self:unix_stream_socket { create connect write read };
> +
> domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t)
>
> stream_connect_pattern(fail2ban_client_t, fail2ban_var_run_t, fail2ban_var_run_t, fail2ban_t)

This was merged, thanks

2012-10-19 19:34:22

by dominick.grift

Subject: [refpolicy] [PATCH 1/7] Sandbox is an inherent part of the portage inner workings



On Fri, 2012-10-19 at 20:53 +0200, Sven Vermeulen wrote:
> Portage sandbox is used while building software; whenever a user has the right
> to use portage, he needs the sandboxing as well.
>
> We add portage_sandbox_t towards the portage_roles instead of the
> portage_sandbox_roles, and remove the portage_sandbox_roles role attribute (as
> there is no immediate need to support it besides portage_roles).
>
> This also fixes the breakage in Portage not wanting to build anything (including
> SELinux policies) as the users who have portage_run didn't have access to the
> portage_sandbox_t domain (as introduced in commit
> d3144af9dffa9d1d918c68b1598c871e0b5baaa2).
>
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> portage.te | 3 +--
> 1 files changed, 1 insertions(+), 2 deletions(-)
>
> diff --git a/portage.te b/portage.te
> index b4b3e9f..56e2e3c 100644
> --- a/portage.te
> +++ b/portage.te
> @@ -16,7 +16,6 @@ gen_tunable(portage_use_nfs, false)
> attribute_role gcc_config_roles;
> attribute_role portage_roles;
> attribute_role portage_fetch_roles;
> -attribute_role portage_sandbox_roles;
>
> type gcc_config_t;
> type gcc_config_exec_t;
> @@ -38,7 +37,7 @@ application_domain(portage_sandbox_t, portage_exec_t)
> # the shell is the entrypoint if regular sandbox is disabled
> # portage_exec_t is the entrypoint if regular sandbox is enabled
> corecmd_shell_entry_type(portage_sandbox_t)
> -role portage_sandbox_roles types portage_sandbox_t;
> +role portage_roles types portage_sandbox_t;
>
> # portage package fetching domain
> type portage_fetch_t;
This was merged, thanks

would be nice if you could clean up this module a bit

maybe group some common policy using type attributes, etc?

2012-10-19 19:40:44

by sven.vermeulen

Subject: [refpolicy] [PATCH 1/7] Sandbox is an inherent part of the portage inner workings

Yes, a clean-up is long overdue here. I will take a stab at this later.
On Oct 19, 2012 9:34 PM, "Dominick Grift" <[email protected]> wrote:

>
>
> On Fri, 2012-10-19 at 20:53 +0200, Sven Vermeulen wrote:
> > Portage sandbox is used while building software; whenever a user has the right
> > to use portage, he needs the sandboxing as well.
> >
> > We add portage_sandbox_t towards the portage_roles instead of the
> > portage_sandbox_roles, and remove the portage_sandbox_roles role attribute (as
> > there is no immediate need to support it besides portage_roles).
> >
> > This also fixes the breakage in Portage not wanting to build anything (including
> > SELinux policies) as the users who have portage_run didn't have access to the
> > portage_sandbox_t domain (as introduced in commit
> > d3144af9dffa9d1d918c68b1598c871e0b5baaa2).
> >
> > Signed-off-by: Sven Vermeulen <[email protected]>
> > ---
> > portage.te | 3 +--
> > 1 files changed, 1 insertions(+), 2 deletions(-)
> >
> > diff --git a/portage.te b/portage.te
> > index b4b3e9f..56e2e3c 100644
> > --- a/portage.te
> > +++ b/portage.te
> > @@ -16,7 +16,6 @@ gen_tunable(portage_use_nfs, false)
> > attribute_role gcc_config_roles;
> > attribute_role portage_roles;
> > attribute_role portage_fetch_roles;
> > -attribute_role portage_sandbox_roles;
> >
> > type gcc_config_t;
> > type gcc_config_exec_t;
> > @@ -38,7 +37,7 @@ application_domain(portage_sandbox_t, portage_exec_t)
> > # the shell is the entrypoint if regular sandbox is disabled
> > # portage_exec_t is the entrypoint if regular sandbox is enabled
> > corecmd_shell_entry_type(portage_sandbox_t)
> > -role portage_sandbox_roles types portage_sandbox_t;
> > +role portage_roles types portage_sandbox_t;
> >
> > # portage package fetching domain
> > type portage_fetch_t;
> This was merged, thanks
>
> would be nice if you could clean up this module a bit
>
> maybe group some common policy using type attributes, etc?
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>