Christopher J. PeBenito | 1 Jun 15:04 2009

Re: [refpolicy] libjackserver.so file context

On Mon, 2009-06-01 at 08:35 -0400, Daniel J Walsh wrote:
> On 05/30/2009 04:46 AM, Stefan Schulze Frielinghaus wrote:
> > Hi,
> >
> > libjackserver.so needs text relocation. Attached file solves the
> > problem.
> >
> Please report this as a bug to the providers of libjackserver.so

I've added this to refpolicy.  But you definitely should also report
that bug as Dan says.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

Daniel J Walsh | 1 Jun 14:35 2009

Re: [refpolicy] libjackserver.so file context

On 05/30/2009 04:46 AM, Stefan Schulze Frielinghaus wrote:
> Hi,
>
> libjackserver.so needs text relocation. Attached file solves the
> problem.
>
> cheers
> Stefan
Please report this as a bug to the providers of libjackserver.so
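
The two replies above describe the two halves of a text-relocation problem: refpolicy can label the library textrel_shlib_t so the loader's execmod is permitted, but the lasting fix is a library built without TEXTREL. The script below is an added example for this thread, not code from refpolicy, the JACK project or either message. It walks an ELF64 dynamic section for DT_TEXTREL/DF_TEXTREL and prints the file_contexts line that label choice implies; every object it is run on here is constructed in build_sample_elf(), so it never touches the real libjackserver.so.

```python
"""Decide whether a shared library needs the textrel_shlib_t file context.

Added example for the libjackserver.so thread; it is not part of refpolicy,
the JACK project or the original messages. The ELF walker handles 64-bit
objects only, and every object it is run on below is constructed in
build_sample_elf(), so nothing here touches the real libjackserver.so.
"""
import struct
import sys

ELF_MAGIC = b"\x7fELF"
ELFCLASS64 = 2
PT_DYNAMIC = 2
DT_NULL, DT_NEEDED, DT_TEXTREL, DT_FLAGS = 0, 1, 22, 30
DF_TEXTREL = 0x4


def elf_needs_textrel(data: bytes) -> bool:
    """True if the ELF64 image carries DT_TEXTREL or DF_TEXTREL.

    The dynamic loader must then write into code pages and flip them back to
    executable, which SELinux sees as the execmod permission on the library.
    refpolicy permits that only for files labelled textrel_shlib_t, which is
    what the file context attached to the thread adds for libjackserver.so.
    The lasting fix is a library built with -fPIC that needs no text
    relocations at all, as Dan's reply asks the upstream provider to do.
    """
    if data[:4] != ELF_MAGIC or data[4] != ELFCLASS64:
        raise ValueError("only ELF64 objects are handled in this example")
    end = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little, 2 = big endian
    e_phoff = struct.unpack_from(end + "Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    for i in range(e_phnum):
        p_type, _flags, p_offset, _va, _pa, p_filesz = struct.unpack_from(
            end + "IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type != PT_DYNAMIC:
            continue
        # The dynamic section is a list of (d_tag, d_val) pairs ended by DT_NULL.
        for pos in range(p_offset, p_offset + p_filesz, 16):
            d_tag, d_val = struct.unpack_from(end + "qQ", data, pos)
            if d_tag == DT_NULL:
                break
            if d_tag == DT_TEXTREL or (d_tag == DT_FLAGS and d_val & DF_TEXTREL):
                return True
    return False


def file_context_line(path_regex: str, data: bytes) -> str:
    """refpolicy file_contexts entry for a library, chosen from its ELF flags."""
    label = "textrel_shlib_t" if elf_needs_textrel(data) else "lib_t"
    return f"{path_regex} -- gen_context(system_u:object_r:{label},s0)"


def build_sample_elf(textrel: bool, via_flags: bool = False) -> bytes:
    """Constructed minimal ELF64 shared object for testing: an ELF header, one
    PT_DYNAMIC program header and a tiny dynamic section. It is not loadable."""
    dyn = [(DT_NEEDED, 0)]
    if textrel:
        dyn.append((DT_FLAGS, DF_TEXTREL) if via_flags else (DT_TEXTREL, 0))
    dyn.append((DT_NULL, 0))
    dyn_bytes = b"".join(struct.pack("<qQ", tag, val) for tag, val in dyn)
    dyn_off = 64 + 56  # right after the ELF header and the single phdr
    e_ident = ELF_MAGIC + bytes([ELFCLASS64, 1, 1, 0]) + bytes(8)
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", e_ident,
                       3, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)  # ET_DYN, x86-64
    phdr = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 4, dyn_off, dyn_off, dyn_off,
                       len(dyn_bytes), len(dyn_bytes), 8)
    return ehdr + phdr + dyn_bytes


if __name__ == "__main__":
    # Usage: python textrel_check.py /usr/lib/libjackserver.so.0  (path is an example)
    # Equivalent manual check on a real system: readelf -d <lib> | grep TEXTREL
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(file_context_line(path.replace(".", r"\."), fh.read()))
```

Running it on a real library path prints the file_contexts line to add; a library that reports no TEXTREL stays lib_t, which is the state the upstream bug report Dan asks for should eventually produce.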

Rouse, Alan | 1 Jun 15:32 2009

SuSE 11

Has anyone been able to get selinux support working under OpenSuSE 11.1 or SLES 11?

They’ve included selinux in the kernel and have added selinux extensions for the common utilities.  But so far I’ve been unable to get selinux out of the disabled state.  And since they are not officially supporting it, answers from Novell are hard to come by.

Thanks!

Alan

Stephen Smalley | 1 Jun 16:05 2009

Re: SuSE 11

On Mon, 2009-06-01 at 09:32 -0400, Rouse, Alan wrote:
> Has anyone been able to get selinux support working under OpenSuSE
> 11.1 or SLES 11?  
> 
> They’ve included selinux in the kernel and have added selinux
> extensions for the common utilities.  But so far I’ve been unable to
> get selinux out of the disabled state.  And since they are not
> officially supporting it, answers from Novell are hard to come by.

I haven't tried it myself, but this may be helpful:
http://thetoms-random-thoughts.blogspot.com/2008/12/selinux-on-opensuse-111.html

-- 
Stephen Smalley
National Security Agency

Nigel Rumens | 2 Jun 10:09 2009

A little more sctp and selinux

Just for information this is a first attempt (using standard 
system-config-selinux and audit2allow) at creating a policy for feng 
streaming server that will allow it to use sctp, as well as tcp and udp.

When I get a little time I will try again probably with SLIDE (when I 
get it installed) as it could probably do with some improvements. But it 
does actually work and allow me to stream over sctp.

Any comments/suggestions welcome

Nigel

feng.te
policy_module(feng,1.0.0)

########################################
#
# Declarations
#

type feng_t;
type feng_exec_t;
init_daemon_domain(feng_t, feng_exec_t)

# First attempt: the domain stays permissive so denials are logged rather
# than enforced while the rule set is still being collected.
permissive feng_t;

type feng_initrc_exec_t;
init_script_file(feng_initrc_exec_t)

type feng_rw_t;
files_type(feng_rw_t)

########################################
#
# feng local policy
#

# Init script handling
domain_use_interactive_fds(feng_t)

# internal communication is often done using fifo and unix sockets.
allow feng_t self:fifo_file rw_file_perms;
allow feng_t self:unix_stream_socket create_stream_socket_perms;

files_read_etc_files(feng_t)

miscfiles_read_localization(feng_t)

allow feng_t feng_rw_t:file manage_file_perms;
allow feng_t feng_rw_t:dir create_dir_perms;

sysnet_dns_name_resolve(feng_t)
corenet_all_recvfrom_unlabeled(feng_t)

# TCP: listen and connect on any port (generated by system-config-selinux).
allow feng_t self:tcp_socket create_stream_socket_perms;
corenet_tcp_sendrecv_all_if(feng_t)
corenet_tcp_sendrecv_all_nodes(feng_t)
corenet_tcp_sendrecv_all_ports(feng_t)
corenet_tcp_bind_all_nodes(feng_t)
corenet_tcp_bind_all_ports(feng_t)
corenet_tcp_connect_all_ports(feng_t)

# UDP: bind to unreserved ports only.
allow feng_t self:udp_socket { create_socket_perms listen };
corenet_udp_sendrecv_all_if(feng_t)
corenet_udp_sendrecv_all_nodes(feng_t)
corenet_udp_sendrecv_all_ports(feng_t)
corenet_udp_bind_all_nodes(feng_t)
corenet_udp_bind_all_unreserved_ports(feng_t)

# The blocks below are the output of three successive audit2allow passes
# appended as they were generated. SCTP sockets are reported as the
# rawip_socket class, so the raw socket rules are what let feng listen and
# accept over sctp. execmem/execstack on self:process relax W^X for the
# domain and are worth confirming against the program before enforcing.
require {
         type feng_t;
         type port_t;
         class process { execstack execmem getsched };
         class capability { setuid setgid };
         class rawip_socket { name_bind getattr setopt bind create listen };
}

#============= feng_t ==============
allow feng_t port_t:rawip_socket name_bind;
allow feng_t self:capability { setuid setgid };
allow feng_t self:process { execstack execmem getsched };
allow feng_t self:rawip_socket { getattr bind create setopt listen };
corenet_raw_bind_generic_node(feng_t)
files_manage_usr_files(feng_t)
fs_rw_anon_inodefs_files(feng_t)

require {
         type unlabeled_t;
         type feng_t;
         type feng_rw_t;
         type port_t;
         class process { execstack execmem getsched };
         class capability { setuid setgid };
         class unix_dgram_socket { write read create sendto };
         class dir search;
         class rawip_socket { name_bind setopt read bind create accept write getattr listen };
}

#============= feng_t ==============
allow feng_t feng_rw_t:dir search;
allow feng_t port_t:rawip_socket name_bind;
allow feng_t self:capability { setuid setgid };
allow feng_t self:process { execstack execmem getsched };
allow feng_t self:rawip_socket { getattr setopt bind create accept listen };
allow feng_t self:unix_dgram_socket { write read create sendto };
# sctp traffic carries no SELinux label here, hence the unlabeled_t target.
allow feng_t unlabeled_t:rawip_socket { read write getattr };
corenet_raw_bind_generic_node(feng_t)
dev_read_urand(feng_t)
files_manage_usr_files(feng_t)
fs_rw_anon_inodefs_files(feng_t)

require {
         type feng_rw_t;
         type feng_t;
         class lnk_file read;
}

#============= feng_t ==============
allow feng_t feng_rw_t:lnk_file read;
apache_read_sys_content(feng_t)
apache_search_sys_content(feng_t)
kernel_read_system_state(feng_t)
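
The policy above carries three audit2allow passes pasted one after another, so several allow rules appear two or three times with slightly different permission sets, and a few of the grants (execmem, execstack, the unlabeled_t target) are the kind a reviewer should question before the domain leaves permissive. The script below is an added example for this post, not part of refpolicy, feng or the original message: it merges allow rules per (source, target, class) and lists the grants to justify. SAMPLE_TE is a constructed excerpt of the rules shown above, and RISKY_PERMS/RISKY_TARGETS are this example's own review list.

```python
"""Merge and review the allow rules that repeated audit2allow runs append
to a .te file.

Added example for the feng policy above; it is not part of refpolicy, feng
or the original post. SAMPLE_TE is a constructed excerpt of the rules shown
in that post, and RISKY_PERMS/RISKY_TARGETS are this example's own review
list, not anything refpolicy defines.
"""
import re
from collections import defaultdict

# Matches "allow src tgt:cls perm;" and "allow src tgt:cls { p1 p2 };" even when
# the brace list has been wrapped over several lines. Permission macros such
# as rw_file_perms are kept verbatim as a single token.
RULE_RE = re.compile(r"^\s*allow\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+)\s*;", re.M)

# Grants a reviewer should justify rather than accept from audit2allow output.
RISKY_PERMS = {"execmem", "execstack", "execheap", "execmod"}   # relax W^X
RISKY_TARGETS = {"unlabeled_t"}                                 # unlabelled traffic

# Constructed excerpt of the rules in the post, duplicates included.
SAMPLE_TE = """
allow feng_t self:process { execstack execmem getsched };
allow feng_t self:rawip_socket { getattr bind create setopt listen };
allow feng_t port_t:rawip_socket name_bind;
allow feng_t self:process { execstack execmem getsched };
allow feng_t self:rawip_socket { getattr setopt bind create accept
listen };
allow feng_t self:unix_dgram_socket { write read create sendto };
allow feng_t unlabeled_t:rawip_socket { read write getattr };
allow feng_t port_t:rawip_socket name_bind;
"""


def parse_allow_rules(text):
    """Collect permissions per (source, target, class), merging duplicates."""
    rules = defaultdict(set)
    for src, tgt, cls, perms in RULE_RE.findall(text):
        rules[(src, tgt, cls)].update(perms.strip("{} ").split())
    return dict(rules)


def render_rules(rules):
    """Emit one sorted allow rule per (source, target, class)."""
    lines = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        names = sorted(perms)
        body = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        lines.append(f"allow {src} {tgt}:{cls} {body};")
    return lines


def flag_risky(rules):
    """Findings a reviewer should resolve before the domain leaves permissive."""
    findings = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        hit = sorted(perms & RISKY_PERMS)
        if hit:
            findings.append(f"{src} {tgt}:{cls} grants {' '.join(hit)}: "
                            "executable anonymous memory; check whether the "
                            "program or a TEXTREL library really needs it")
        if tgt in RISKY_TARGETS:
            findings.append(f"{src} {tgt}:{cls}: traffic with no SELinux "
                            "label; confirm the protocol (sctp here) has no "
                            "labelled port or packet type to use instead")
    return findings


if __name__ == "__main__":
    merged = parse_allow_rules(SAMPLE_TE)
    print("\n".join(render_rules(merged)))
    for finding in flag_risky(merged):
        print("REVIEW:", finding)
```

On the sample the eight rules collapse to five, the two self:rawip_socket lines become one rule carrying the union of both permission sets, and two review findings come out: the execmem/execstack grant and the unlabeled_t target. Pointing parse_allow_rules() at the whole .te gives the same merged view for a later SLIDE rewrite.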

Eric Paris | 2 Jun 23:01 2009

[PATCH] SELinux: define audit permissions for audit tree netlink messages

Audit trees defined 2 new netlink messages but the netlink mapping tables for
selinux permissions were not set up.  This patch maps these 2 new operations
to AUDIT_WRITE.

Signed-off-by: Eric Paris <eparis <at> redhat.com>
---

 security/selinux/nlmsgtab.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/security/selinux/nlmsgtab.c b/security/selinux/nlmsgtab.c
index c6875fd..dd7cc6d 100644
--- a/security/selinux/nlmsgtab.c
+++ b/security/selinux/nlmsgtab.c
 <at>  <at>  -112,6 +112,8  <at>  <at>  static struct nlmsg_perm nlmsg_audit_perms[] =
 	{ AUDIT_DEL_RULE,	NETLINK_AUDIT_SOCKET__NLMSG_WRITE    },
 	{ AUDIT_USER,		NETLINK_AUDIT_SOCKET__NLMSG_RELAY    },
 	{ AUDIT_SIGNAL_INFO,	NETLINK_AUDIT_SOCKET__NLMSG_READ     },
+	{ AUDIT_TRIM,		NETLINK_AUDIT_SOCKET__NLMSG_WRITE    },
+	{ AUDIT_MAKE_EQUIV,	NETLINK_AUDIT_SOCKET__NLMSG_WRITE    },
 	{ AUDIT_TTY_GET,	NETLINK_AUDIT_SOCKET__NLMSG_READ     },
 	{ AUDIT_TTY_SET,	NETLINK_AUDIT_SOCKET__NLMSG_TTY_AUDIT	},
 };
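
Review bot: the commit message says the two operations are mapped to AUDIT_WRITE, but the two added entries in this hunk map AUDIT_TRIM and AUDIT_MAKE_EQUIV to NETLINK_AUDIT_SOCKET__NLMSG_WRITE; name the permission as it appears in nlmsg_audit_perms so the log message matches the table. The choice itself is consistent with the neighbouring AUDIT_DEL_RULE entry, which also uses NLMSG_WRITE, since both new messages change audit tree state rather than query it, unlike the NLMSG_READ entries for AUDIT_SIGNAL_INFO and AUDIT_TTY_GET.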

James Morris | 2 Jun 23:45 2009

Re: [PATCH] SELinux: define audit permissions for audit tree netlink messages

On Tue, 2 Jun 2009, Eric Paris wrote:

> Audit trees defined 2 new netlink messages but the netlink mapping tables for
> selinux permissions were not set up.  This patch maps these 2 new operations
> to AUDIT_WRITE.
> 
> Signed-off-by: Eric Paris <eparis <at> redhat.com>

Applied to
git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6#next

> ---
> 
>  security/selinux/nlmsgtab.c |    2 ++
>  1 files changed, 2 insertions(+), 0 deletions(-)
> 
> diff --git a/security/selinux/nlmsgtab.c b/security/selinux/nlmsgtab.c
> index c6875fd..dd7cc6d 100644
> --- a/security/selinux/nlmsgtab.c
> +++ b/security/selinux/nlmsgtab.c
>  <at>  <at>  -112,6 +112,8  <at>  <at>  static struct nlmsg_perm nlmsg_audit_perms[] =
>  	{ AUDIT_DEL_RULE,	NETLINK_AUDIT_SOCKET__NLMSG_WRITE    },
>  	{ AUDIT_USER,		NETLINK_AUDIT_SOCKET__NLMSG_RELAY    },
>  	{ AUDIT_SIGNAL_INFO,	NETLINK_AUDIT_SOCKET__NLMSG_READ     },
> +	{ AUDIT_TRIM,		NETLINK_AUDIT_SOCKET__NLMSG_WRITE    },
> +	{ AUDIT_MAKE_EQUIV,	NETLINK_AUDIT_SOCKET__NLMSG_WRITE    },
>  	{ AUDIT_TTY_GET,	NETLINK_AUDIT_SOCKET__NLMSG_READ     },
>  	{ AUDIT_TTY_SET,	NETLINK_AUDIT_SOCKET__NLMSG_TTY_AUDIT	},
>  };
> 

-- 
James Morris
<jmorris <at> namei.org>

Chad Sellers | 4 Jun 22:47 2009

Re: SELinux context patch

On 6/4/09 3:13 PM, "Caleb Case" <ccase@...> wrote:
> 
> I don't think it will adversely affect FCGlob integration.
> 
Very good.

<snip>
> 
> It doesn't support directories with spaces in them.

An excellent point, though it looks like file_contexts doesn't support
spaces right now either.

Thanks,
Chad

Daniel J Walsh | 4 Jun 23:07 2009

Re: SELinux context patch

On 06/04/2009 04:47 PM, Chad Sellers wrote:
> On 6/4/09 3:13 PM, "Caleb Case"<ccase@...>  wrote:
>>
>> I don't think it will adversely affect FCGlob integration.
>>
> Very good.
>
> <snip>
>>
>> It doesn't support directories with spaces in them.
>
> An excellent point, though it looks like file_contexts doesn't support
> spaces right now either.
>
> Thanks,
> Chad
>
Directories with spaces are satanic.

Just say no to spaces in Directory names.

Chad Sellers | 4 Jun 23:14 2009

Re: SELinux context patch

On 5/18/09 2:16 PM, "Daniel J Walsh" <dwalsh@...> wrote:

> This patch adds context files for virtual_domain and virtual_image,
> these are both being used to locate the default context to be executed by
> svirt.
> 
> I also included the subs patch which I submitted before.  This patch
> allows us to substitute prefixes to matchpathcon.
> 
> So we can say /export/home == /home
> 
> and
> 
> /web == /var/www

The only problem I see with the patch is:

+                       sub->dst=strdup(dst);
+                       if (! sub->dst) {
+                               free(sub);
+                               free(sub->src);
+                               return -1;
+                       }

the free()'s should be reversed in order. Other than that the patch looks
fine. I'll fix this in the merge.

Acked-by: Chad Sellers <csellers@...>

