From: stefan@seekline.net (Stefan Schulze Frielinghaus)
Date: Fri, 26 Feb 2010 10:00:22 +0100
Subject: [refpolicy] services_nut.patch
In-Reply-To: <4B855E6B.7020308@redhat.com>
References: <4B843A67.1020406@redhat.com> <1267026787.1964.24.camel@localhost> <4B855E6B.7020308@redhat.com>
Message-ID: <1267174822.1936.22.camel@localhost>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mi, 2010-02-24 at 12:14 -0500, Daniel J Walsh wrote:
> On 02/24/2010 10:53 AM, Stefan Schulze Frielinghaus wrote:
> > On Di, 2010-02-23 at 15:28 -0500, Daniel J Walsh wrote:
> >
> >> http://people.fedoraproject.org/~dwalsh/SELinux/F13/services_nut.patch
> >>
> >> Latest nut policy.
> >>
> > The following rules are unnecessary because they are already included by
> > the interface apache_content_template as soon as the booleans
> > httpd_enable_cgi and httpd_can_network_connect are enabled:
> >
> > + corenet_all_recvfrom_unlabeled(httpd_nutups_cgi_script_t)
> > + corenet_all_recvfrom_netlabel(httpd_nutups_cgi_script_t)
> > + corenet_tcp_sendrecv_generic_if(httpd_nutups_cgi_script_t)
> > + corenet_tcp_sendrecv_generic_node(httpd_nutups_cgi_script_t)
> > + corenet_tcp_sendrecv_all_ports(httpd_nutups_cgi_script_t)
> > corenet_tcp_connect_ups_port(httpd_nutups_cgi_script_t)
> > + corenet_udp_sendrecv_generic_if(httpd_nutups_cgi_script_t)
> > + corenet_udp_sendrecv_generic_node(httpd_nutups_cgi_script_t)
> > + corenet_udp_sendrecv_all_ports(httpd_nutups_cgi_script_t)
> > +
> > + sysnet_dns_name_resolve(httpd_nutups_cgi_script_t)
> >
> >
> Ok this is a difference between apache interface in upstream and mine.
> I removed network access
> set by those booleans from the interface to httpd_sys_script_t
> specific. I don't believe those interfaces should be affected by
> booleans. I don't want my bugzilla cgi to suddenly have network access
> just because httpd_sys_script_t needs it.

Yeah, I like this idea.

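Review bot: corenet_tcp_sendrecv_all_ports and corenet_udp_sendrecv_all_ports in this hunk give httpd_nutups_cgi_script_t send/receive on every port unconditionally, while the only connect rule in the visible context is corenet_tcp_connect_ups_port. If these lines stay because the local apache_content_template no longer supplies them through httpd_enable_cgi and httpd_can_network_connect, a comment saying so would help; for upstream refpolicy, where the template still adds them, the hunk should be dropped as duplicate. It is also worth confirming that the three corenet_udp_* lines are needed at all, since nothing shown here uses UDP apart from name resolution, which has its own sysnet_dns_name_resolve line.
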
> > Is it really necessary to include the dac_override permissions for
> > nut_upsd_t? I thought that the upsd daemon runs as a non-root user where
> > no dac_override permissions are used.
> >
> > -allow nut_upsd_t self:capability { setgid setuid };
> > +allow nut_upsd_t self:capability { setgid setuid dac_override };
> >
> > If you still have the AVC message and maybe some information of the
> > setup, then I would like to dig a bit deeper into this because I use nut
> > and would like to make it more secure ;-) Maybe the capabilities can
> > even be dropped.
> >
> > Guess the sbin rules are not necessary for refpolicy:
> >
> > +corecmd_exec_sbin(nut_upsdrvctl_t)
> >
> >
> Oops that is a bug.
>
> dac_override can come in because a file has bad ownership.

upsd runs by default as user nut on Fedora and EPEL. It should never run
as root.
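
Review bot: dac_override on the "+allow nut_upsd_t self:capability" line has no recorded justification, and it lets nut_upsd_t bypass file permission checks. Given the explanation in the thread that it can come from a file with bad ownership, I would keep the set at { setgid setuid } and correct the ownership of the offending file instead; if the capability has to stay, add a comment naming the file and the AVC that required it.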