From: domg472@gmail.com (Dominick Grift)
Date: Tue, 25 Jan 2011 10:28:47 +0100
Subject: [refpolicy] [PATCH/RFC 8/19]: patch set to update the git reference policy
In-Reply-To: <1295913822.1665.28.camel@tesla.lan>
References: <1295829851.3862.67.camel@tesla.lan> <4D3D8703.8040308@gmail.com> <1295913822.1665.28.camel@tesla.lan>
Message-ID: <4D3E97CF.9090802@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/25/2011 01:03 AM, Guido Trentalancia wrote:
> Hello Dominick !
>
> Just a quick comment on the default_t label/permissions, as I still need
> to check the rest of this [8/19] comment...
>
> On Mon, 24/01/2011 at 15.04 +0100, Dominick Grift wrote:
>> On 01/24/2011 01:44 AM, Guido Trentalancia wrote:
>>> --- refpolicy-git-18012011-dbus-messaging/policy/modules/services/dbus.te 2011-01-23 23:13:48.168284256 +0100 >>> +++ refpolicy-git-18012011-dbus/policy/modules/services/dbus.te 2011-01-23 23:11:46.430346876 +0100 >>> @@ -52,7 +52,7 @@ ifdef(`enable_mls',` >>> >>> # dac_override: /var/run/dbus is owned by messagebus on Debian >>> # cjp: dac_override should probably go in a distro_debian >>> -allow system_dbusd_t self:capability { dac_override setgid setpcap setuid }; >>> +allow system_dbusd_t self:capability { dac_override setgid setpcap setuid sys_ptrace }; >>> dontaudit system_dbusd_t self:capability sys_tty_config; >>> allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap }; >>> allow system_dbusd_t self:fifo_file rw_fifo_file_perms;
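Review bot: sys_ptrace is added to the system_dbusd_t capability set in the "allow system_dbusd_t self:capability" line without any comment, while the neighbouring dac_override carries two comment lines explaining why it is there. Please state which dbus-daemon operation needs the capability. If it only shows up as a denial while the daemon keeps working, a dontaudit rule, as already used for sys_tty_config on the following line, would avoid granting it.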
>>> @@ -111,13 +111,20 @@ auth_read_pam_console_data(system_dbusd_ >>> corecmd_list_bin(system_dbusd_t) >>> corecmd_read_bin_pipes(system_dbusd_t) >>> corecmd_read_bin_sockets(system_dbusd_t) >>> +# needed for system-tools-backends >>> +corecmd_exec_shell(system_dbusd_t) >>> >>> domain_use_interactive_fds(system_dbusd_t) >>> domain_read_all_domains_state(system_dbusd_t) >>> >>> +files_search_default(system_dbusd_t)
>>
>> There should not be any default_t type directories. Thus this shouldn't
>> be allowed
>>
>>> +files_read_default_files(system_dbusd_t)
>>
>> there should not be any default_t type files. Thus this shouldn't be allowed
>
> The point here is that with the reference policy root's home directory
> doesn't get its own label but rather falls back to default_t. This is why
> I had created those permissions, although I wasn't completely sure about
> it because of course it doesn't appear anywhere else.
>

What distro are you testing your policy on? This should not be happening.
On non-Red Hat distros /root should be user_home_dir_t. It could be that
you're using a Red Hat-influenced libsemanage, or maybe that you need to
edit semanage.conf.

Here is how I solve this issue:

- create a "super user":

useradd $SUPERUSER
passwd $SUPERUSER
semanage login -a -s staff_u -r s0-s0:c0.c1023 $SUPERUSER

- fix the contexts for /root:

semanage fcontext -a -e /home/$SUPERUSER /root
restorecon -R -v /root

- use sudo to get to root shell:

echo "$SUPERUSER ALL=(ALL) ROLE=sysadm_r TYPE=sysadm_t ALL" > /etc/sudoers.d/$SUPERUSER
chmod 0440 /etc/sudoers.d/$SUPERUSER

Again, default_t types should not be there in a system. It means your
system has locations unknown to SELinux.

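Review bot: corecmd_exec_shell(system_dbusd_t) lets the bus daemon run a shell in its own domain, and the only justification is the comment "needed for system-tools-backends". A rule needed by one optional service would be better placed in an optional_policy block tied to that service, or replaced by a transition into a separate domain for the backend, so that system_dbusd_t does not gain shell execution on systems that do not run it. The two default_t interfaces later in the hunk, files_search_default and files_read_default_files, are added with no comment at all; going by the reply above they compensate for a mislabelled /root rather than for something dbus needs, so the labelling should be fixed and these two lines dropped.
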
> On Fedora, it's different as they have patched that as follows (taken
> from F14 patch in this example):
>
> diff --exclude-from=exclude -N -u -r > nsaserefpolicy/policy/modules/system/userdomain.fc > serefpolicy-3.9.7/policy/modules/system/userdomain.fc > --- nsaserefpolicy/policy/modules/system/userdomain.fc 2010-10-12 > 22:42:50.000000000 +0200 > +++ serefpolicy-3.9.7/policy/modules/system/userdomain.fc > 2010-11-05 14:02:26.959899962 +0100
> @@ -1,4 +1,17 @@ > HOME_DIR -d > gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) > +HOME_DIR -l > gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh) > HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0) > - > /tmp/gconfd-USER -d gen_context(system_u:object_r:user_tmp_t,s0) > +/root(/.*)? gen_context(system_u:object_r:admin_home_t,s0) > +/root/\.cert(/.*)? gen_context(system_u:object_r:home_cert_t,s0) > +/root/\.debug(/.*)? <> > +/dev/shm/pulse-shm.* gen_context(system_u:object_r:user_tmpfs_t,s0) > +/dev/shm/mono.* > gen_context(system_u:object_r:user_tmpfs_t,s0) > +HOME_DIR/bin(/.*)? gen_context(system_u:object_r:home_bin_t,s0) > +HOME_DIR/local/bin(/.*)? > gen_context(system_u:object_r:home_bin_t,s0) > +HOME_DIR/Audio(/.*)? gen_context(system_u:object_r:audio_home_t,s0) > +HOME_DIR/Music(/.*)? gen_context(system_u:object_r:audio_home_t,s0) > +HOME_DIR/\.cert(/.*)? gen_context(system_u:object_r:home_cert_t,s0) > +HOME_DIR/\.pki(/.*)? > gen_context(system_u:object_r:home_cert_t,s0) > +HOME_DIR/\.gvfs(/.*)? <> > +HOME_DIR/\.debug(/.*)? <>
>
> On Debian, it's also being labelled user_home_t. But when I have
> installed the plain reference policy, it didn't label any home directory
> at all: the type *_home_t does not appear at all in the "standard" file
> contexts. So I thought that was the intended behaviour for the reference
> policy. I had just followed the INSTALL document...
>
> What do you say ?
>
> Regards,
>
> Guido
>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk0+l84ACgkQMlxVo39jgT/MhQCeO6YstSTYVmSrXkKVIOnUiYPJ
NmkAoIdDuchef7qAju54fKsTswD1LIg0
=9ymO
-----END PGP SIGNATURE-----
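
Review bot: the added "/root(/.*)?" entry gives admin_home_t to /root and to everything beneath it, whereas the HOME_DIR entries at the top of the same hunk distinguish the directory (user_home_dir_t) from its contents (user_home_t), and the reply above expects /root to be user_home_dir_t on non-Red Hat distributions. If a /root labelling were carried into the reference policy it should follow that split rather than copy this entry. The other additions in the hunk (/dev/shm/pulse-shm.*, Audio, Music, .pki and so on) are unrelated to the /root question and belong in separate changes.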
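
The statement in the message that default_t marks locations unknown to the policy can be turned into a check to run after relabelling. The script below is an added example, not part of the original message or of the reference policy: it summarises, per top-level directory, how many paths still carry the default_t type. The input format and the function names default_t_summary and sample_labels are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread). Input is assumed to be one
# "<context><TAB><path>" record per line, e.g. produced by GNU find:
#   find / -xdev -printf '%Z\t%p\n'

# Print "<count> <top-level dir>" for every path whose SELinux type is default_t.
default_t_summary() {
    awk -F '\t' '
    {
        # A context is user:role:type[:range]. The MLS range can itself
        # contain ":" (s0-s0:c0.c1023), so the type is always field 3 and
        # must not be taken by counting from the end.
        n = split($1, ctx, ":")
        if (n < 3 || ctx[3] != "default_t") next
        split($2, parts, "/")      # "/root/.ssh" -> "", "root", ".ssh"
        count["/" parts[2]]++
    }
    END { for (top in count) printf "%d %s\n", count[top], top }
    ' | sort -k2
}

# Constructed sample records (not captured from a real system).
sample_labels() {
    printf '%s\t%s\n' \
        'system_u:object_r:default_t:s0'            '/root' \
        'system_u:object_r:default_t:s0'            '/root/.bashrc' \
        'staff_u:object_r:default_t:s0-s0:c0.c1023' '/root/notes.txt' \
        'system_u:object_r:user_home_dir_t:s0'      '/home/alice' \
        'system_u:object_r:etc_t:s0'                '/etc/default_t.conf' \
        'system_u:object_r:default_t:s0'            '/opt/vendor' \
        'system_u:object_r:default_t:s0'            '/opt/vendor/bin/tool'
}

sample_labels | default_t_summary
```

Matching on the type field rather than searching the whole line keeps a file that merely has default_t in its name, such as the constructed /etc/default_t.conf, out of the report.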