From: dominick.grift@gmail.com (Dominick Grift)
Date: Wed, 14 Nov 2012 20:37:31 +0100
Subject: [refpolicy] [PATCH 3/5] Introduce dontaudits for leaked fd and unix stream sockets
In-Reply-To: <20121114192015.GA4196@siphos.be>
References: <1352566218-17772-1-git-send-email-sven.vermeulen@siphos.be>
<1352566218-17772-4-git-send-email-sven.vermeulen@siphos.be>
<1352916373.3654.3.camel@d30.localdomain>
<20121114192015.GA4196@siphos.be>
Message-ID: <1352921851.3654.34.camel@d30.localdomain>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
On Wed, 2012-11-14 at 20:20 +0100, Sven Vermeulen wrote:
> On Wed, Nov 14, 2012 at 07:06:13PM +0100, Dominick Grift wrote:
> > > +interface(`fail2ban_dontaudit_rw_stream_sockets',`
> > > + gen_require(`
> > > + type fail2ban_t;
> > > + ')
> > > +
> > > + dontaudit $1 fail2ban_t:unix_stream_socket rw_stream_socket_perms;
> > > +')
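Review bot: the dontaudit in this hunk uses rw_stream_socket_perms, which is wider than what a domain holding an inherited (leaked) fail2ban_t socket exercises; the thread below settles on narrowing it to { read write }. Suggest replacing the dontaudit line with `dontaudit $1 fail2ban_t:unix_stream_socket { read write };` so the interface only silences the accesses a leaked descriptor actually triggers and does not also hide denials for the remaining socket permissions (bind, connect, setopt, shutdown and friends, per the rw_socket_perms definition quoted further down), which on an inherited socket would indicate something other than a plain fd leak.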
> >
> > We should read create a rw_inherited_socket_perms permission set and use
> > that instead in my honest opinion
>
> Would a more generic "rw_inherited_perms" be sufficient (i.e. without
> referring to the class)? As far as I know, inherited file descriptors or
> sockets (or ...) are usually just { read write };
I do not agree. Many kinds of objects can be inherited (think files,
blk_files etc), and it's often not just { read write }.
I personally am interested in just an inherited equivalent of any rw
permission set that is the same except that it lacks the open permission
(much like Fedora does it).
But that is just my opinion.
Inheritance gets more and more important and I think it's important that
we properly support that (if some domain needs to rw some inherited
object then we should not allow/dontaudit open).
Here is one example:
https://bugzilla.redhat.com/show_bug.cgi?id=856216
In that case it seems to only need { read write }, but I have also seen
cases where it needs ioctl, and so I would rather allow a bit more but not open
than create a permission set with only { read write }, because that
wouldn't be enough in some cases.
So my suggestion (just an example):
> define(`rw_inherited_sock_file_perms',`{ getattr read write append }')
> define(`rw_sock_file_perms',`{ open rw_inherited_sock_file_perms }')
> define(`rw_inherited_fifo_file_perms',`{ getattr read write append ioctl lock }')
> define(`rw_fifo_file_perms',`{ open rw_inherited_fifo_file_perms }')
Oh, and actually, it seems this does not apply here anyway, as sockets aren't opened in the first place:
> define(`rw_socket_perms', `{ ioctl read getattr lock write setattr append bind connect getopt setopt shutdown }')
So... I would in this case not use a permission set at all;
just use the raw { read write }. Example:
########################################
## <summary>
##	Do not audit attempts to read and write
##	fail2ban unix stream sockets.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`fail2ban_dontaudit_rw_stream_sockets',`
	gen_require(`
		type fail2ban_t;
	')

	dontaudit $1 fail2ban_t:unix_stream_socket { read write };
')
> Wkr,
> Sven Vermeulen
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
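The reasoning above (an inheriting domain never opens or creates the object, so the policy only has to cover read/write and perhaps ioctl) can be seen at the syscall level. The following is an added example, not code from the thread or from refpolicy: the parent creates a unix stream socket pair and forks; the child ends up with the socket in its fd table without ever calling socket(), connect() or open(), and the only operation it performs on the object is write(). The message text and the function name inherited_socket_roundtrip are constructed for the demo. Under SELinux, the child's write() is exactly the unix_stream_socket { write } check that the { read write } dontaudit above covers.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed payload for the demo (33 bytes including the NUL). */
static const char demo_msg[] = "hello from the inheriting domain";

/*
 * Create a unix stream socket pair, fork, and have the child write
 * demo_msg over the end it inherited. The parent reads until EOF.
 * Returns the number of bytes the parent read, or -1 on error.
 */
ssize_t inherited_socket_roundtrip(char *buf, size_t buflen)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1)
        return -1;

    pid_t pid = fork();
    if (pid == -1) {
        close(sv[0]);
        close(sv[1]);
        return -1;
    }

    if (pid == 0) {
        /* Child: sv[1] already exists in our fd table. No socket(),
         * connect() or open() happens here; the only access to the
         * object is write(), which is why an inherited-socket rule
         * needs neither open nor the connect/bind family. */
        close(sv[0]);
        ssize_t w = write(sv[1], demo_msg, sizeof demo_msg);
        close(sv[1]);
        _exit(w == (ssize_t)sizeof demo_msg ? 0 : 1);
    }

    /* Parent: drop the child's end so read() sees EOF once the child
     * closes it, then drain the socket. */
    close(sv[1]);
    ssize_t total = 0;
    while ((size_t)total < buflen) {
        ssize_t n = read(sv[0], buf + total, buflen - (size_t)total);
        if (n <= 0)
            break;
        total += n;
    }
    close(sv[0]);

    int status;
    if (waitpid(pid, &status, 0) == -1)
        return -1;
    if (!WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return -1;
    return total;
}

int main(void)
{
    char buf[128] = {0};
    ssize_t n = inherited_socket_roundtrip(buf, sizeof buf);
    if (n < 0) {
        perror("inherited_socket_roundtrip");
        return 1;
    }
    printf("parent read %zd bytes over the inherited socket: %s\n", n, buf);
    return 0;
}
```

Running the binary under `strace -f` shows the child's only calls on the inherited descriptor are write(2) and close(2), which is the set of object-class permissions a policy writer has to account for in the inheriting domain; the socket() and socketpair() calls are the parent's and are checked against the parent's domain.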