From: dwalsh@redhat.com (Daniel J Walsh)
Date: Fri, 26 Feb 2010 08:39:52 -0500
Subject: [refpolicy] services_nut.patch
In-Reply-To: <1267174822.1936.22.camel@localhost>
References: <4B843A67.1020406@redhat.com> <1267026787.1964.24.camel@localhost> <4B855E6B.7020308@redhat.com> <1267174822.1936.22.camel@localhost>
Message-ID: <4B87CF28.5010904@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 02/26/2010 04:00 AM, Stefan Schulze Frielinghaus wrote:
> On Wed, 2010-02-24 at 12:14 -0500, Daniel J Walsh wrote:
>
>> On 02/24/2010 10:53 AM, Stefan Schulze Frielinghaus wrote:
>>
>>> On Tue, 2010-02-23 at 15:28 -0500, Daniel J Walsh wrote:
>>>
>>>> http://people.fedoraproject.org/~dwalsh/SELinux/F13/services_nut.patch
>>>>
>>>> Latest nut policy.
>>>>
>>> The following rules are unnecessary because they are already included by
>>> the interface apache_content_template as soon as the booleans
>>> httpd_enable_cgi and httpd_can_network_connect are enabled:
>>>
>>> + corenet_all_recvfrom_unlabeled(httpd_nutups_cgi_script_t)
>>> + corenet_all_recvfrom_netlabel(httpd_nutups_cgi_script_t)
>>> + corenet_tcp_sendrecv_generic_if(httpd_nutups_cgi_script_t)
>>> + corenet_tcp_sendrecv_generic_node(httpd_nutups_cgi_script_t)
>>> + corenet_tcp_sendrecv_all_ports(httpd_nutups_cgi_script_t)
>>> corenet_tcp_connect_ups_port(httpd_nutups_cgi_script_t)
>>> + corenet_udp_sendrecv_generic_if(httpd_nutups_cgi_script_t)
>>> + corenet_udp_sendrecv_generic_node(httpd_nutups_cgi_script_t)
>>> + corenet_udp_sendrecv_all_ports(httpd_nutups_cgi_script_t)
>>> +
>>> + sysnet_dns_name_resolve(httpd_nutups_cgi_script_t)
>>>
>> Ok, this is a difference between the apache interface in upstream and mine.
>> I removed the network access set by those booleans from the interface and
>> made it httpd_sys_script_t specific. I don't believe those interfaces
>> should be affected by booleans. I don't want my bugzilla cgi to suddenly
>> have network access just because httpd_sys_script_t needs it.
>>
> Yeah, I like this idea.
>
>>> Is it really necessary to include the dac_override permissions for
>>> nut_upsd_t? I thought that the upsd daemon runs as a non-root user where
>>> no dac_override permissions are used.
>>>
>>> -allow nut_upsd_t self:capability { setgid setuid };
>>> +allow nut_upsd_t self:capability { setgid setuid dac_override };
>>>
>>> If you still have the AVC message and maybe some information on the
>>> setup, then I would like to dig a bit deeper into this because I use nut
>>> and would like to make it more secure ;-) Maybe the capabilities can
>>> even be dropped.
>>>
>>> Guess the sbin rules are not necessary for refpolicy:
>>>
>>> +corecmd_exec_sbin(nut_upsdrvctl_t)
>>>
>> Oops, that is a bug.
>>
>> dac_override can come in because a file has bad ownership.
>>
> upsd runs per default as user nut on Fedora and EPEL. It should never
> run as root.
>

Then why does the policy have setuid/setgid?
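Review bot: the first quoted hunk (the corenet_* block for httpd_nutups_cgi_script_t) grants far more than the one unchanged line in its middle needs: corenet_tcp_sendrecv_all_ports together with the corenet_udp_* rules lets the CGI send and receive on every TCP and UDP port, while the only connect rule present is corenet_tcp_connect_ups_port. If the CGI only talks to upsd, keep the connect rule and pair it with the per-port sendrecv interface for the ups port instead of the all_ports and udp rules, and keep sysnet_dns_name_resolve only if the CGI actually resolves upsd hosts by name. Since the thread notes that the Fedora tree strips these from apache_content_template while upstream's template still carries them under the booleans, the refpolicy submission should be checked against upstream's template so the same access is not granted twice.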
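Review bot: the second quoted hunk adds dac_override to nut_upsd_t's capability set without a comment recording which access produced the AVC. dac_override lets the daemon open any file regardless of its owner, group and mode bits, which removes most of the benefit of running upsd as the unprivileged nut account; the reply attributes the denial to a file with bad ownership, and that is fixed in the file's ownership (or in the package's file contexts), not in policy. Drop the capability from the submission until an AVC shows a case that cannot be fixed that way, and if one is found, put the reason in a comment next to the rule.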
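Review bot: corecmd_exec_sbin(nut_upsdrvctl_t) in the third quoted hunk is acknowledged in the thread as a bug, so it should be dropped from the refpolicy submission. If upsdrvctl really has to run a program under sbin, give that program its own file context and a domain transition from nut_upsdrvctl_t rather than a rule that lets upsdrvctl execute every sbin binary.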
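An added example for the dac_override question in the thread above; it is not nut or refpolicy code, and the nut uid/gid of 57 and the file list are constructed for the example. A capability dac_override denial is raised when the kernel's owner/group/other permission check fails for a non-root process and the process falls back to CAP_DAC_OVERRIDE, so the useful check before granting the capability is to evaluate that same decision over the daemon's files as the account it runs as and list the ones whose ownership or mode would trigger the fallback:

```python
"""Find files that a daemon's unprivileged account cannot access by DAC.

Added example, not nut or refpolicy code.  A dac_override AVC is raised
when the kernel's owner/group/other permission check fails for a non-root
process and it falls back to CAP_DAC_OVERRIDE.  Evaluating that same check
over the daemon's files, as the account it runs as, lists the files whose
ownership or mode would make the daemon ask for the capability; fixing
those is the alternative to granting dac_override in policy.
"""
import os
import stat
from dataclasses import dataclass
from typing import Iterable, List

R, W, X = 4, 2, 1  # permission bits within one class (owner/group/other)

# Assumed for the example: the uid/gid of the nut account on the box.
NUT_UID = 57
NUT_GID = 57


@dataclass(frozen=True)
class FileOwner:
    path: str
    uid: int
    gid: int
    mode: int  # permission bits only, e.g. 0o640


def dac_allows(f: FileOwner, uid: int, gids: Iterable[int], want: int) -> bool:
    """Unix DAC: exactly one permission class applies, chosen in the order
    owner, group, other.  A matching owner with insufficient owner bits is
    denied even if the group or other bits would have allowed the access.
    A non-root process that fails here can only proceed via CAP_DAC_OVERRIDE."""
    if uid == f.uid:
        bits = (f.mode >> 6) & 7
    elif f.gid in set(gids):
        bits = (f.mode >> 3) & 7
    else:
        bits = f.mode & 7
    return bits & want == want


def files_needing_override(files: Iterable[FileOwner], uid: int,
                           gids: Iterable[int], want: int = R) -> List[str]:
    """Paths whose DAC bits would force the daemon to rely on dac_override."""
    gids = list(gids)
    return [f.path for f in files if not dac_allows(f, uid, gids, want)]


def scan_tree(root: str, uid: int, gids: Iterable[int], want: int = R) -> List[str]:
    """Walk a real directory tree: directories need search (x), files need
    `want`.  Run as root against e.g. /etc/ups with the daemon's uid/gid."""
    gids = list(gids)
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name, need in [(d, X) for d in dirnames] + [(f, want) for f in filenames]:
            p = os.path.join(dirpath, name)
            st = os.lstat(p)
            f = FileOwner(p, st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode))
            if not dac_allows(f, uid, gids, need):
                found.append(p)
    return found


# Constructed sample: what stat() of upsd's config and pid files might show.
SAMPLE_FILES = [
    FileOwner("/etc/ups/upsd.conf", 0, NUT_GID, 0o640),       # root:nut, group-readable
    FileOwner("/etc/ups/upsd.users", 0, 0, 0o600),            # root:root after an edit
    FileOwner("/etc/ups/ups.conf", 0, NUT_GID, 0o600),        # right group, no group bits
    FileOwner("/var/run/nut/upsd.pid", NUT_UID, NUT_GID, 0o644),
]

if __name__ == "__main__":
    for path in files_needing_override(SAMPLE_FILES, NUT_UID, [NUT_GID]):
        print("would need dac_override to read:", path)
```

On the constructed sample the two /etc/ups files that upsd could not read as nut are reported; upsd.users is the bad-ownership case from the thread, ups.conf shows that a correct group with no group bits fails the same way. scan_tree is the real-filesystem counterpart for a box that produced the AVC; it must be run with the daemon's uid and gid, not root's, because root never reaches this check (it already holds dac_override), which is exactly why the denial only appears after the daemon drops privileges.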