From: a.kuckartz@ping.de (Andreas Kuckartz) Date: 18 Sep 2013 15:47:43 +0200 Subject: [refpolicy] Fwd: Debian unstable, SELinux and Iceweasel In-Reply-To: <52384CD9.60604@ping.de> References: <52384CD9.60604@ping.de> Message-ID: <5239AEFF.6000902@ping.de> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Any suggestions from here? Cheers, Andreas -------- Original Message -------- Date: Tue, 17 Sep 2013 14:36:41 +0200 From: Andreas Kuckartz To: selinux-user at lists.alioth.debian.org I am running a Debian unstable system with SELinux in permissive mode. I have appended the result of $ cat /var/log/audit/audit.log | audit2allow -l -R There are quite a few missing type enforcement (TE) allow rules. In addition to that Iceweasel requires allow_execstack and allow_execmem - which is not good. I have researched that and found these two old open Firefox issues: SELinux is preventing JIT from changing memory segment access https://bugzilla.mozilla.org/show_bug.cgi?id=506693 Firefox 3.6.4 will not start on Fedora 12+ due to SELinux permission error https://bugzilla.mozilla.org/show_bug.cgi?id=574119 What do you suggest on how to proceed? Cheers, Andreas -------------- next part -------------- require { type apt_var_lib_t; type pulseaudio_t; type postgresql_t; type cupsd_var_run_t; type sysctl_vm_t; type initrc_t; type tmp_t; type logrotate_t; type dhcpc_t; type mount_tmp_t; type hostname_t; type auditctl_t; type var_run_t; type udev_tbl_t; type acct_t; type ping_t; type cupsd_t; type sysctl_crypto_t; type dpkg_exec_t; type system_mail_t; type crond_tmp_t; type unconfined_t; type gpg_t; type lib_t; type sysfs_t; type system_dbusd_t; type var_log_t; type proc_net_t; type exim_t; type cron_log_t; type kernel_t; type removable_device_t; type consolekit_t; type mnt_t; type dosfs_t; type var_t; type pcscd_t; type var_lib_t; type dpkg_var_lib_t; type ntp_drift_t; type fixed_disk_device_t; type initrc_var_run_t; type devicekit_disk_t; type mount_exec_t; class fifo_file write; class process { execmem setfscreate getcap setcap }; class unix_stream_socket connectto; class netlink_kobject_uevent_socket { getattr setopt read bind create }; class system module_request; class capability sys_rawio; class file { rename execute setattr read lock create execute_no_trans write getattr unlink open append }; class filesystem { mount unmount }; class sock_file { write create unlink }; class blk_file { ioctl read open getattr }; class dir { search read create mounton write getattr rmdir remove_name add_name }; } #============= acct_t ============== allow acct_t initrc_var_run_t:file { read lock open }; #============= auditctl_t ============== allow auditctl_t var_t:file read; #============= consolekit_t ============== allow consolekit_t self:process setfscreate; #============= cupsd_t ============== allow cupsd_t var_run_t:sock_file unlink; #============= devicekit_disk_t ============== allow devicekit_disk_t udev_tbl_t:file { read open }; #============= dhcpc_t ============== allow dhcpc_t ntp_drift_t:dir search; #============= exim_t ============== allow exim_t crond_tmp_t:file { read write }; allow exim_t dpkg_var_lib_t:file read; allow exim_t sysctl_crypto_t:dir search; allow exim_t sysctl_crypto_t:file { read getattr open }; allow exim_t sysfs_t:file { read open }; allow exim_t var_t:file read; #============= gpg_t ============== allow gpg_t cron_log_t:file { read getattr open }; #!!!! The source type 'gpg_t' can write to a 'dir' of the following types: # gpg_secret_t, user_home_dir_t, gpg_agent_tmp_t, user_tmp_t, user_home_t, tmp_t allow gpg_t var_log_t:dir { write add_name }; #!!!! The source type 'gpg_t' can write to a 'file' of the following types: # gpg_secret_t, gpg_agent_tmp_t, user_tmp_t, user_home_t allow gpg_t var_log_t:file { write create open }; #============= hostname_t ============== allow hostname_t var_lib_t:file append; #============= logrotate_t ============== #!!!! The source type 'logrotate_t' can write to a 'dir' of the following types: # var_log_t, var_lock_t, tmp_t, logrotate_var_lib_t, logrotate_tmp_t, logfile, acct_data_t, var_spool_t, var_lib_t allow logrotate_t cupsd_var_run_t:dir { write remove_name add_name }; allow logrotate_t cupsd_var_run_t:file { write create unlink }; allow logrotate_t initrc_t:unix_stream_socket connectto; allow logrotate_t sysfs_t:file { read open }; allow logrotate_t tmp_t:sock_file { create unlink }; allow logrotate_t var_run_t:sock_file write; #============= pcscd_t ============== allow pcscd_t self:netlink_kobject_uevent_socket read; #============= ping_t ============== allow ping_t self:process { getcap setcap }; #============= postgresql_t ============== allow postgresql_t var_run_t:sock_file write; #============= pulseaudio_t ============== allow pulseaudio_t initrc_var_run_t:file { read getattr open }; #!!!! The source type 'pulseaudio_t' can write to a 'dir' of the following types: # user_fonts_cache_t, user_tmp_t, pulseaudio_var_lib_t, pulseaudio_var_run_t, user_home_t, user_tmpfs_t, pulseaudio_home_t, var_lib_t, var_run_t, xdm_tmp_t allow pulseaudio_t tmp_t:dir { write remove_name add_name }; allow pulseaudio_t tmp_t:file { write execute read create unlink open }; #============= system_dbusd_t ============== allow system_dbusd_t apt_var_lib_t:dir getattr; #!!!! The source type 'system_dbusd_t' can write to a 'dir' of the following types: # system_dbusd_tmp_t, tmp_t, var_run_t, system_dbusd_var_run_t allow system_dbusd_t dosfs_t:dir write; allow system_dbusd_t dosfs_t:filesystem { mount unmount }; allow system_dbusd_t dpkg_exec_t:file { read execute open execute_no_trans }; allow system_dbusd_t fixed_disk_device_t:blk_file { read ioctl open getattr }; allow system_dbusd_t initrc_var_run_t:file { read getattr open }; allow system_dbusd_t kernel_t:system module_request; allow system_dbusd_t lib_t:file execute_no_trans; allow system_dbusd_t mnt_t:dir { write search rmdir remove_name create add_name mounton }; allow system_dbusd_t mount_exec_t:file { read execute open execute_no_trans }; #!!!! The source type 'system_dbusd_t' can write to a 'dir' of the following types: # system_dbusd_tmp_t, tmp_t, var_run_t, system_dbusd_var_run_t allow system_dbusd_t mount_tmp_t:dir { write remove_name add_name }; #!!!! The source type 'system_dbusd_t' can write to a 'file' of the following types: # system_dbusd_tmp_t, system_dbusd_var_run_t allow system_dbusd_t mount_tmp_t:file { rename setattr read lock create write getattr unlink open }; allow system_dbusd_t proc_net_t:file { read getattr open }; allow system_dbusd_t removable_device_t:blk_file { read ioctl open }; allow system_dbusd_t self:capability sys_rawio; allow system_dbusd_t self:netlink_kobject_uevent_socket { read bind create setopt getattr }; allow system_dbusd_t sysctl_vm_t:dir search; allow system_dbusd_t sysctl_vm_t:file { read open }; allow system_dbusd_t udev_tbl_t:file { read getattr open }; #!!!! The source type 'system_dbusd_t' can write to a 'dir' of the following types: # system_dbusd_tmp_t, tmp_t, var_run_t, system_dbusd_var_run_t allow system_dbusd_t var_lib_t:dir { write remove_name add_name }; #!!!! The source type 'system_dbusd_t' can write to a 'file' of the following types: # system_dbusd_tmp_t, system_dbusd_var_run_t allow system_dbusd_t var_lib_t:file { rename read lock create write getattr unlink open }; allow system_dbusd_t var_run_t:fifo_file write; allow system_dbusd_t var_t:dir read; #============= system_mail_t ============== allow system_mail_t crond_tmp_t:file getattr; allow system_mail_t dpkg_var_lib_t:file read; allow system_mail_t sysctl_crypto_t:dir search; allow system_mail_t sysctl_crypto_t:file { read getattr open }; allow system_mail_t var_lib_t:file { read getattr open }; #============= unconfined_t ============== #!!!! This avc can be allowed using one of the these booleans: # allow_execstack, allow_execmem allow unconfined_t self:process execmem;