This set contains changes on various modules within the contrib/ module. It
contains a few updated patches from previous submits, including the at support,
now more documented (and tested).
Sven Vermeulen (9):
Fix typo in tunable declaration for fcron_crond
Introducing cron_manage_log_files interface
Introduce dontaudit interfaces for leaked fd and unix stream sockets
Dontaudit attempts by system_mail_t to use leaked fd or stream
sockets
Support at service
Additional postfix admin requirements
Reintroduce postfix_var_run_t for pid directory and fowner capability
Postfix deferred queue should not mark mails as
postfix_spool_maildrop_t
Running qemu with SDL support requires more xserver-related
privileges
cron.fc | 1 +
cron.if | 24 ++++++++++++++++++++++++
cron.te | 12 ++++++++++--
fail2ban.if | 38 ++++++++++++++++++++++++++++++++++++++
mta.te | 1 +
postfix.fc | 4 ++--
postfix.if | 3 +++
postfix.te | 8 ++++++--
qemu.te | 4 ++++
9 files changed, 89 insertions(+), 6 deletions(-)
--
1.7.8.6
Signed-off-by: Sven Vermeulen <[email protected]>
---
cron.te | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/cron.te b/cron.te
index fb3adc6..1e29735 100644
--- a/cron.te
+++ b/cron.te
@@ -30,7 +30,7 @@ gen_tunable(cron_userdomain_transition, false)
## <desc>
## <p>
## Determine whether extra rules
-## should beenabled to support fcron.
+## should be enabled to support fcron.
## </p>
## </desc>
gen_tunable(fcron_crond, false)
--
1.7.8.6
The metalog system logger also tackles rotation and clean-up of log files it
manages. Hence, it requires manage privileges on these log files. Cron log files
are an example of this, so we introduce the cron_manage_log_files interface.
Added a logging_search_logs() call as per Dominick's suggestion.
Signed-off-by: Sven Vermeulen <[email protected]>
---
cron.if | 21 +++++++++++++++++++++
1 files changed, 21 insertions(+), 0 deletions(-)
diff --git a/cron.if b/cron.if
index a1ecb7f..51f372d 100644
--- a/cron.if
+++ b/cron.if
@@ -463,6 +463,27 @@ interface(`cron_write_log_files',`
########################################
## <summary>
+## Create, read, write and delete
+## cron log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`cron_manage_log_files',`
+ gen_require(`
+ type cron_log_t;
+ ')
+
+ manage_files_pattern($1, cron_log_t, cron_log_t)
+
+ logging_search_logs($1)
+')
+
+########################################
+## <summary>
## Create specified objects in generic
## log directories with the cron log file type.
## </summary>
--
1.7.8.6
The fail2ban application leaks file descriptors and unix stream sockets when it
invokes sendmail, so introduce the necessary dontaudit interfaces which will be
used in a later patch against the mta and postfix policies.
Signed-off-by: Sven Vermeulen <[email protected]>
---
fail2ban.if | 38 ++++++++++++++++++++++++++++++++++++++
1 files changed, 38 insertions(+), 0 deletions(-)
diff --git a/fail2ban.if b/fail2ban.if
index 733a689..275fb9e 100644
--- a/fail2ban.if
+++ b/fail2ban.if
@@ -107,6 +107,44 @@ interface(`fail2ban_rw_inherited_tmp_files',`
########################################
## <summary>
+## Do not audit attempts to use
+## fail2ban file descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`fail2ban_dontaudit_use_fds',`
+ gen_require(`
+ type fail2ban_t;
+ ')
+
+ dontaudit $1 fail2ban_t:fd use;
+')
+
+########################################
+## <summary>
+## Do not audit read and write
+## fail2ban unix stream sockets
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`fail2ban_dontaudit_rw_stream_sockets',`
+ gen_require(`
+ type fail2ban_t;
+ ')
+
+ dontaudit $1 fail2ban_t:unix_stream_socket { read write };
+')
+
+########################################
+## <summary>
## Read and write fail2ban unix
## stream sockets.
## </summary>
--
1.7.8.6
When fail2ban invokes sendmail to send out a mail event, denials such as the
following ones occur, but without any consequence on the functioning itself (the
mails are sent out correctly, no errors in logs):
type=AVC msg=audit(1352348532.580:1313): avc: denied { read write } for
pid=28042 comm="sendmail" path="socket:[1480]" dev="sockfs" ino=1480
scontext=system_u:system_r:system_mail_t tcontext=system_u:system_r:fail2ban_t
tclass=unix_stream_socket
type=AVC msg=audit(1352348532.590:1314): avc: denied { use } for pid=28047
comm="postdrop" path="/dev/null" dev="devtmpfs" ino=3075
scontext=system_u:system_r:postfix_postdrop_t
tcontext=system_u:system_r:fail2ban_t tclass=fd
It looks like these are due to leaked file descriptors.
Signed-off-by: Sven Vermeulen <[email protected]>
---
mta.te | 1 +
postfix.te | 4 ++++
2 files changed, 5 insertions(+), 0 deletions(-)
diff --git a/mta.te b/mta.te
index 712dbf5..9edcb31 100644
--- a/mta.te
+++ b/mta.te
@@ -249,6 +249,7 @@ optional_policy(`
')
optional_policy(`
+ fail2ban_dontaudit_rw_stream_sockets(system_mail_t)
fail2ban_append_log(system_mail_t)
fail2ban_rw_inherited_tmp_files(system_mail_t)
')
diff --git a/postfix.te b/postfix.te
index 45ebb39..c0e6ace 100644
--- a/postfix.te
+++ b/postfix.te
@@ -604,6 +604,10 @@ optional_policy(`
')
optional_policy(`
+ fail2ban_dontaudit_use_fds(postfix_postdrop_t)
+')
+
+optional_policy(`
fstools_read_pipes(postfix_postdrop_t)
')
--
1.7.8.6
The at daemon allows users and system administrators to define tasks to be
executed once on a particular time. The at service captures the current
session's environment and stores it as part of the task to be executed.
When ran, at "locks" the job (in the /var/spool/at/atjobs location) and executes
it, capturing its output in the /var/spool/at/atspool location.
Because of this log output capturing, it doesn't make sense to keep the atspool
location as user_cron_spool_t as any service ran through at needs to be able to
write to this location, and we don't want such services to have write access to
the user_cron_spool_t type. Hence we introduce the user_cron_spool_log_t type
for the logging output, allow it to be read by the system mailer (as it is
invoked to send the resulting output) and written by any service that is allowed
to be called by cron (through cron_system_entry).
The cron daemon requires manage privileges on the /var/spool/at/atjobs location
(labeled user_cron_spool_t) as it uses locking techniques on the at job scripts
themselves (lock files) and removes the scripts once executed.
The capability for the admin_crontab_t only seems to be needed for the
admin_crontab_t domain, using the regular crontab_t domain for users does not
exhibit this behavior.
Signed-off-by: Sven Vermeulen <[email protected]>
---
cron.fc | 1 +
cron.if | 3 +++
cron.te | 10 +++++++++-
3 files changed, 13 insertions(+), 1 deletions(-)
diff --git a/cron.fc b/cron.fc
index c542ac1..a7bfe6d 100644
--- a/cron.fc
+++ b/cron.fc
@@ -27,6 +27,7 @@
/var/spool/anacron(/.*)? gen_context(system_u:object_r:system_cron_spool_t,s0)
/var/spool/at(/.*)? gen_context(system_u:object_r:user_cron_spool_t,s0)
+/var/spool/at/atspool(/.*)? gen_context(system_u:object_r:user_cron_spool_log_t,s0)
/var/spool/cron -d gen_context(system_u:object_r:cron_spool_t,s0)
#/var/spool/cron/root -- gen_context(system_u:object_r:sysadm_cron_spool_t,s0)
diff --git a/cron.if b/cron.if
index 51f372d..01ba3ce 100644
--- a/cron.if
+++ b/cron.if
@@ -307,8 +307,11 @@ interface(`cron_admin_role',`
interface(`cron_system_entry',`
gen_require(`
type crond_t, system_cronjob_t;
+ type user_cron_spool_log_t;
')
+ rw_files_pattern($1, user_cron_spool_log_t, user_cron_spool_log_t)
+
domtrans_pattern(system_cronjob_t, $2, $1)
domtrans_pattern(crond_t, $2, $1)
diff --git a/cron.te b/cron.te
index 1e29735..64f2165 100644
--- a/cron.te
+++ b/cron.te
@@ -121,6 +121,11 @@ files_type(user_cron_spool_t)
ubac_constrained(user_cron_spool_t)
mta_system_content(user_cron_spool_t)
+type user_cron_spool_log_t;
+logging_log_file(user_cron_spool_log_t)
+ubac_constrained(user_cron_spool_log_t)
+mta_system_content(user_cron_spool_log_t)
+
ifdef(`enable_mcs',`
init_ranged_daemon_domain(crond_t, crond_exec_t, s0 - mcs_systemhigh)
')
@@ -188,6 +193,7 @@ tunable_policy(`fcron_crond',`
# Admin local policy
#
+allow admin_crontab_t self:capability fsetid;
allow admin_crontab_t crond_t:process signal;
selinux_get_fs_mount(admin_crontab_t)
@@ -237,9 +243,11 @@ list_dirs_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
read_files_pattern(crond_t, system_cron_spool_t, system_cron_spool_t)
rw_dirs_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
-read_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
+manage_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
manage_lnk_files_pattern(crond_t, user_cron_spool_t, user_cron_spool_t)
+manage_files_pattern(crond_t, user_cron_spool_log_t, user_cron_spool_log_t)
+
allow crond_t system_cronjob_t:process transition;
allow crond_t system_cronjob_t:fd use;
allow crond_t system_cronjob_t:key manage_key_perms;
--
1.7.8.6
When administering postfix, the admin also needs to be able to run master
(without transitioning - for instance for configuration file integrity
validation), postqueue (for handling the queues) as well as have stream-connect
rights towards the master (for the postfix clients that interact with a running
master daemon through a socket).
Adding those inside postfix_admin().
Signed-off-by: Sven Vermeulen <[email protected]>
---
postfix.if | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
diff --git a/postfix.if b/postfix.if
index 69cf332..2e23946 100644
--- a/postfix.if
+++ b/postfix.if
@@ -739,5 +739,8 @@ interface(`postfix_admin',`
files_search_tmp($1)
admin_pattern($1, { postfix_server_tmp_content postfix_map_tmp_t })
+ postfix_exec_master($1)
+ postfix_exec_postqueue($1)
+ postfix_stream_connect_master($1)
postfix_run_map($1, $2)
')
--
1.7.8.6
In August 21, a few changes were made to the postfix module that were reverted
somewhere in the last few months. Reintroducing these changes:
- Add in the fowner capability for the master domain, needed for running
chown on the queue's.
- Mark the pid directory as a pid directory
See http://oss.tresys.com/pipermail/refpolicy/2012-August/005475.html for more
information.
Signed-off-by: Sven Vermeulen <[email protected]>
---
postfix.fc | 2 +-
postfix.te | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/postfix.fc b/postfix.fc
index 5b315be..be8e880 100644
--- a/postfix.fc
+++ b/postfix.fc
@@ -50,7 +50,7 @@
/var/spool/postfix/deferred(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
/var/spool/postfix/defer(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
/var/spool/postfix/maildrop(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
-/var/spool/postfix/pid/.* gen_context(system_u:object_r:postfix_var_run_t,s0)
+/var/spool/postfix/pid(/.*)? gen_context(system_u:object_r:postfix_var_run_t,s0)
/var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0)
/var/spool/postfix/public(/.*)? gen_context(system_u:object_r:postfix_public_t,s0)
/var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0)
diff --git a/postfix.te b/postfix.te
index c0e6ace..aed8d8e 100644
--- a/postfix.te
+++ b/postfix.te
@@ -123,7 +123,7 @@ allow postfix_domain postfix_master_t:process sigchld;
allow postfix_domain postfix_spool_t:dir list_dir_perms;
-allow postfix_domain postfix_var_run_t:file manage_file_perms;
+manage_files_pattern(postfix_domain, postfix_var_run_t, postfix_var_run_t)
files_pid_filetrans(postfix_domain, postfix_var_run_t, file)
kernel_read_system_state(postfix_domain)
@@ -194,7 +194,7 @@ domain_use_interactive_fds(postfix_user_domains)
# Master local policy
#
-allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config };
+allow postfix_master_t self:capability { chown dac_override kill fowner setgid setuid net_bind_service sys_tty_config };
allow postfix_master_t self:capability2 block_suspend;
allow postfix_master_t self:process setrlimit;
allow postfix_master_t self:tcp_socket create_stream_socket_perms;
--
1.7.8.6
Postfix /moves/ the mail files between the queues as they are processed. Mails
that cannot be delivered currently are pushed towards the deferred queue.
However, when this occurs, the mail file retains its context (as it is moved,
not copied) for postfix_spool_t.
If we would relabel the system or directory at that point, the mail gets labeled
postfix_spool_maildrop_t. When a new attempt is made to deliver, the postfix
daemons, like local, are not able to read (and process) the mail anymore since
they do not hold read rights on the postfix_spool_maildrop_t type.
Only mark the deferred directory as postfix_spool_maildrop_t solves this.
Signed-off-by: Sven Vermeulen <[email protected]>
---
postfix.fc | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/postfix.fc b/postfix.fc
index be8e880..c0e8785 100644
--- a/postfix.fc
+++ b/postfix.fc
@@ -47,7 +47,7 @@
/var/lib/postfix.* gen_context(system_u:object_r:postfix_data_t,s0)
/var/spool/postfix.* gen_context(system_u:object_r:postfix_spool_t,s0)
-/var/spool/postfix/deferred(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
+/var/spool/postfix/deferred(/.*)? -d gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
/var/spool/postfix/defer(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
/var/spool/postfix/maildrop(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
/var/spool/postfix/pid(/.*)? gen_context(system_u:object_r:postfix_var_run_t,s0)
--
1.7.8.6
When trying to start qemu with SDL, the qemu application just fails with the
following denial in the logs:
Nov 11 18:06:44 lain kernel: [20076.499347] type=1400
audit(1352653604.042:3987): avc: denied { read } for pid=28245
comm="qemu-system-x86" name=".Xauthority" dev="dm-0" ino=20709392
scontext=staff_u:staff_r:qemu_t tcontext=staff_u:object_r:xauth_home_t
tclass=file
Although the application seems to run with just xserver_read_user_xauth(qemu_t)
set, it does still provide denials like the following:
Nov 14 20:58:51 lain kernel: [39885.690744] type=1400 audit(1352923131.430:154):
avc: denied { unix_read unix_write } for pid=1973 comm="X" key=0
scontext=staff_u:staff_r:xserver_t tcontext=staff_u:staff_r:qemu_t tclass=shm
As qemu is acting as an X11 application (when build with SDL support), it makes
sense to use xserver_user_x_domain_template.
Signed-off-by: Sven Vermeulen <[email protected]>
---
qemu.te | 4 ++++
1 files changed, 4 insertions(+), 0 deletions(-)
diff --git a/qemu.te b/qemu.te
index ce0bf86..6d167d7 100644
--- a/qemu.te
+++ b/qemu.te
@@ -37,6 +37,10 @@ tunable_policy(`qemu_full_network',`
corenet_tcp_connect_all_ports(qemu_t)
')
+optional_policy(`
+ xserver_user_x_domain_template(qemu, qemu_t, qemu_tmpfs_t)
+')
+
########################################
#
# Unconfined local policy
--
1.7.8.6
On Sat, 2012-11-17 at 21:58 +0100, Sven Vermeulen wrote:
> This set contains changes on various modules within the contrib/ module. It
> contains a few updated patches from previous submits, including the at support,
> now more documented (and tested).
>
> Sven Vermeulen (9):
> Fix typo in tunable declaration for fcron_crond
> Introducing cron_manage_log_files interface
> Introduce dontaudit interfaces for leaked fd and unix stream sockets
> Dontaudit attempts by system_mail_t to use leaked fd or stream
> sockets
> Support at service
> Additional postfix admin requirements
> Reintroduce postfix_var_run_t for pid directory and fowner capability
> Postfix deferred queue should not mark mails as
> postfix_spool_maildrop_t
> Running qemu with SDL support requires more xserver-related
> privileges
>
> cron.fc | 1 +
> cron.if | 24 ++++++++++++++++++++++++
> cron.te | 12 ++++++++++--
> fail2ban.if | 38 ++++++++++++++++++++++++++++++++++++++
> mta.te | 1 +
> postfix.fc | 4 ++--
> postfix.if | 3 +++
> postfix.te | 8 ++++++--
> qemu.te | 4 ++++
> 9 files changed, 89 insertions(+), 6 deletions(-)
>
This patch set was merged, Thanks
On Sat, 2012-11-17 at 21:58 +0100, Sven Vermeulen wrote:
> Postfix /moves/ the mail files between the queues as they are processed. Mails
> that cannot be delivered currently are pushed towards the deferred queue.
> However, when this occurs, the mail file retains its context (as it is moved,
> not copied) for postfix_spool_t.
>
> If we would relabel the system or directory at that point, the mail gets labeled
> postfix_spool_maildrop_t. When a new attempt is made to deliver, the postfix
> daemons, like local, are not able to read (and process) the mail anymore since
> they do not hold read rights on the postfix_spool_maildrop_t type.
>
> Only mark the deferred directory as postfix_spool_maildrop_t solves this.
>
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> postfix.fc | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/postfix.fc b/postfix.fc
> index be8e880..c0e8785 100644
> --- a/postfix.fc
> +++ b/postfix.fc
> @@ -47,7 +47,7 @@
> /var/lib/postfix.* gen_context(system_u:object_r:postfix_data_t,s0)
>
> /var/spool/postfix.* gen_context(system_u:object_r:postfix_spool_t,s0)
> -/var/spool/postfix/deferred(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
> +/var/spool/postfix/deferred(/.*)? -d gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
> /var/spool/postfix/defer(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
> /var/spool/postfix/maildrop(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
> /var/spool/postfix/pid(/.*)? gen_context(system_u:object_r:postfix_var_run_t,s0)
"Only mark the deferred directory as postfix_spool_maildrop_t solves
this."
The file context spec does not apply to just the deferred dir but also
applies to all dirs below, just so that you are aware of that
Is anyone still working on fcron?
I have given up on patching it for SE Linux. Unless someone else has taken
that over you won't have fcron working on a SE Linux system anyway.
On Sun, 18 Nov 2012, Sven Vermeulen <[email protected]> wrote:
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> cron.te | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/cron.te b/cron.te
> index fb3adc6..1e29735 100644
> --- a/cron.te
> +++ b/cron.te
> @@ -30,7 +30,7 @@ gen_tunable(cron_userdomain_transition, false)
> ## <desc>
> ## <p>
> ## Determine whether extra rules
> -## should beenabled to support fcron.
> +## should be enabled to support fcron.
> ## </p>
> ## </desc>
> gen_tunable(fcron_crond, false)
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/