From: domg472@gmail.com (Dominick Grift) Date: Tue, 26 Oct 2010 13:21:43 +0200 Subject: [refpolicy] Adding support for the vlock program In-Reply-To: References: Message-ID: <20101026112141.GC25458@localhost.localdomain> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Tue, Oct 26, 2010 at 09:40:52AM +0000, TaurusHarry wrote: > > Hi refpolicy experts, > > I have tried to developed a vlock.pp in order to run the vlock program(2.2.2 version) on top of the latest refpolicy git tree, please see the attachment. > > I am testing on a qemu environment, the system administrator and unprivileged user could login from serial console or by ssh, both could use the vlock command to lock his current console successfully. > > How could I contribute it back to the refpolicy git tree? > > Any comment is greatly appreciated! > > Best regards, > Harry Hi, i have some suggestions inline > > From ad4692423bcb1e10d5b9f146eab86de09b37dbb3 Mon Sep 17 00:00:00 2001 > From: Harry Ciao > Date: Tue, 26 Oct 2010 14:34:11 +0800 > Subject: [PATCH] Adding support for the vlock program > > Adding support for the vlock program. > > Tested on vlock-2.2.2, both system administrator and unprivileged user > could make use of vlock to lock his console successfully. > > Signed-off-by: Harry Ciao > --- > policy/modules/apps/vlock.fc | 1 + > policy/modules/apps/vlock.if | 48 ++++++++++++++++++++++++++ > policy/modules/apps/vlock.te | 63 +++++++++++++++++++++++++++++++++++ > policy/modules/system/userdomain.if | 2 + > 4 files changed, 114 insertions(+), 0 deletions(-) > create mode 100644 policy/modules/apps/vlock.fc > create mode 100644 policy/modules/apps/vlock.if > create mode 100644 policy/modules/apps/vlock.te > > diff --git a/policy/modules/apps/vlock.fc b/policy/modules/apps/vlock.fc > new file mode 100644 > index 0000000..621d5fd > --- /dev/null > +++ b/policy/modules/apps/vlock.fc > @@ -0,0 +1 @@ > +/usr/sbin/vlock-main -- gen_context(system_u:object_r:vlock_exec_t,s0) 
> diff --git a/policy/modules/apps/vlock.if b/policy/modules/apps/vlock.if > new file mode 100644 > index 0000000..259575e > --- /dev/null > +++ b/policy/modules/apps/vlock.if > @@ -0,0 +1,48 @@ > +## Policy for the vlock program. > + > +####################################### > +## > +## Execute vlock in the vlock domain. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`vlock_domtrans_vlock',` > + gen_require(` > + type vlock_t, vlock_exec_t; > + ') > + > + files_search_usr($1) The files_search_usr is redundant since all domains are allowed to search it (have a look in domain.te where attribute domain is allowed to interact with libs andthese interfaces provides search access to usr_t > + corecmd_search_bin($1) > + domtrans_pattern($1, vlock_exec_t, vlock_t) > +') > + > +######################################## > +## > +## Execute vlock in the vlock domain, and > +## allow the specified role the vlock domain, > +## and use the caller's terminal. > +## > +## > +## > +## Domain allowed access. > +## > +## > +## > +## > +## The role to be allowed the vlock domain. > +## > +## > +## > +# > +interface(`vlock_run_vlock',` > + gen_require(` > + type vlock_t; > + ') > + > + vlock_domtrans_vlock($1) > + role $2 types vlock_t; > +') > diff --git a/policy/modules/apps/vlock.te b/policy/modules/apps/vlock.te > new file mode 100644 > index 0000000..f0fa315 > --- /dev/null > +++ b/policy/modules/apps/vlock.te 
> @@ -0,0 +1,63 @@ > +policy_module(vlock, 1.0.0) > + > +######################################## > +# > +# Declarations > +# > + > +type vlock_t; > +type vlock_exec_t; > +application_domain(vlock_t,vlock_exec_t) > + > + > +######################################## > +# > +# Vlock local policy > +# > + > +allow vlock_t self:fd use; > +allow vlock_t self:fifo_file rw_fifo_file_perms; > +allow vlock_t self:unix_dgram_socket { create connect }; > +allow vlock_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; > + > +# dont audit the failed attempt of vlock_t to setuid/setgid, because > +# 1. we used --enable_pam for vlock to use PAM to authenticate passwd > +# 2. no guarantee that to make vlock setuid is safe > +dontaudit vlock_t self:capability { setuid setgid }; With inter process communication (interaction with self) we have interaction with class process and capability on top of the stack (there are also somestyle rules for where to put dontaudit rules (see the refpolicy style guide) > + > +kernel_read_system_state(vlock_t) > + > +corecmd_list_bin(vlock_t) > +corecmd_read_bin_symlinks(vlock_t) > + > +files_read_etc_files(vlock_t) > +files_read_var_files(vlock_t) > +files_read_var_symlinks(vlock_t) Any idea what generic var content it needs to read and why it is labeled with the generic var_t type? > + > +init_rw_utmp(vlock_t) We usually dont allow domain to write to utmp. What we do it allow read access but dontaudit write access to utmp > + > +term_use_all_user_ttys(vlock_t) > +term_use_all_user_ptys(vlock_t) > +userdom_use_user_terminals(vlock_t) > + > +# Must call this interface otherwise PAM session will fail > +# with message of "terminal=? res=failed" > +domain_use_interactive_fds(vlock_t) > + > +auth_domtrans_chk_passwd(vlock_t) > + > +miscfiles_read_localization(vlock_t) > + > +logging_send_syslog_msg(vlock_t) > + > +selinux_getattr_fs(vlock_t) i think refpolicy usually dontaudits access to get attributes of /selinux. 
i personally allow it because i like to keep dontaudits to a minimum and i dont see the big problem here but if you want this upstream then i think it probably should be dontaudited > + > +# When MLS enabled and vlock PAM config file using pam_tally2 module, > +# if the caller's security level is > s0, the vlock domain should be able > +# to write into /var/log/tallylog file which is s0. > +mls_file_write_all_levels(vlock_t) Not sure here but it looks a bit coarse. is there no write down only instead of all levels? > + > +# vlock could be used successfully without the search permissions on > +# home_root_t or user_home_dir_t, suppress the related error messages. > +files_dontaudit_search_home(vlock_t) > +userdom_dontaudit_search_user_home_dirs(vlock_t) I think the second rule is probably redundant because if it cannot search /home it can never get to /home/.* and so there should be no need to dontaudit it in my view. > diff --git a/policy/modules/system/userdomain.if > index 35f1476..d1bd453 100644 > --- a/policy/modules/system/userdomain.if > +++ b/policy/modules/system/userdomain.if > @@ -565,6 +565,8 @@ template(`userdom_common_user_template',` > # to this one. > seutil_dontaudit_signal_newrole($1_t) > > + vlock_run_vlock($1_t,$1_r) > + I think we usually call "run" interfaces and role interfaces from the userdomain modules in the role layer instead. So suggest you add it to unprivuser.te, staff.te and sysadm.te instead > tunable_policy(`user_direct_mouse',` > dev_read_mouse($1_t) > ') > -- > 1.7.0.4 > > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy
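Review bot: the interface names in the vlock.if hunk repeat the module name (`vlock_domtrans_vlock`, `vlock_run_vlock`); refpolicy's application modules name these `<module>_domtrans` and `<module>_run`, so `vlock_domtrans` and `vlock_run` would match the convention callers in the role modules expect. The `vlock_run_vlock` summary also promises "use the caller's terminal", but the body only does `vlock_domtrans_vlock($1)` and `role $2 types vlock_t;`; the terminal access actually comes from `userdom_use_user_terminals(vlock_t)` in vlock.te, so drop that clause from the summary rather than documenting behaviour the interface does not implement.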
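Review bot: in the vlock.te hunk the raw `allow vlock_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };` is exactly the access that `logging_send_audit_msgs(vlock_t)` wraps (PAM sends audit records through libaudit), so call the interface instead of open-coding the rule. Since the commit message says vlock is built with PAM, `auth_use_pam(vlock_t)`, if the tree you are building against has it, is also the usual way to pull in the chk_passwd transition together with the other accesses a PAM stack needs, rather than `auth_domtrans_chk_passwd(vlock_t)` on its own. Style: `application_domain(vlock_t,vlock_exec_t)` needs a space after the comma, and the `dontaudit vlock_t self:capability { setuid setgid };` belongs with the other self rules at the top of the local policy block, as already raised inline.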
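Review bot: `vlock_run_vlock($1_t,$1_r)` in the userdomain.if hunk is an unconditional call from the system layer into an optional apps module, which makes every build of userdomain fail when vlock is not enabled; any such call that stays in the core policy must be wrapped in `optional_policy(\`...')`, and the better fix is the one already raised inline: move it into the role modules (unprivuser.te, staff.te, sysadm.te) inside their `optional_policy()` blocks. The argument list is also missing the space after the comma that the refpolicy style guide asks for.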