Dan Walsh [Mon, 17 Jan 2011 22:23:29 +0000 (17:23 -0500)]
Merge branch 'master' of ssh://git.fedorahosted.org/git/selinux-policy; branches 'master', 'master', 'master' and 'master' of http://oss.tresys.com/git/refpolicy
Harry Ciao [Mon, 10 Jan 2011 10:09:22 +0000 (18:09 +0800)]
Enable login from /dev/console.
Add the support to login and use the system from /dev/console.
1. Make gettty_t able to use the /dev/console;
2. Make local_login_t able to relabel /dev/console to user tty types;
3. Provide the type_change rule for relabeling /dev/console.
All above supports are controlled by the allow_console tunable.
Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
KaiGai Kohei [Fri, 10 Dec 2010 09:49:24 +0000 (18:49 +0900)]
New database object classes
The attached patch adds a few database object classes, as follows:
* db_schema
------------
A schema object performs as a namespace in database; similar to
directories in filesystem.
It seems some of (but not all) database objects are stored within
a certain schema logically. We can qualify these objects using
schema name. For example, a table: "my_tbl" within a schema: "my_scm"
is identified by "my_scm.my_tbl". This table is completely different
from "your_scm.my_tbl" that it a table within a schema: "your_scm".
Its characteristics is similar to a directory in filesystem, so
it has similar permissions.
The 'search' controls to resolve object name within a schema.
The 'add_name' and 'remove_name' controls to add/remove an object
to/from a schema.
See also,
http://developer.postgresql.org/pgdocs/postgres/sql-createschema.html
In the past discussion, a rubix folks concerned about no object
class definition for schema and catalog which is an upper level
namespace. Since I'm not certain whether we have a disadvantage
when 'db_schema' class is applied on catalog class, I don't add
this definition yet.
Default security context of 'db_table' and 'db_procedure' classes
get being computed using type_transition with 'db_schema' class,
instead of 'db_database' class. It reflects logical hierarchy of
database object more correctly.
* db_view
----------
A view object performs as a virtual table. We can run SELECT
statement on views, although it has no physical entities.
The definition of views are expanded in run-time, so it allows
us to describe complex queries with keeping readability.
This object class uniquely provides 'expand' permission that
controls whether user can expand this view, or not.
The default security context shall be computed by type transition
rule with a schema object that owning the view.
See also,
http://developer.postgresql.org/pgdocs/postgres/sql-createview.html
* db_sequence
--------------
A sequence object is a sequential number generator.
This object class uniquely provides 'get_value', 'next_value' and
'set_value' permissions. The 'get_value' controls to reference the
sequence object. The 'next_value' controls to fetch and increment
the value of sequence object. The 'set_value' controls to set
an arbitrary value.
The default security context shall be computed by type transition
rule with a schema object that owning the sequence.
See also,
http://developer.postgresql.org/pgdocs/postgres/sql-createsequence.html
* db_language
--------------
A language object is an installed engine to execute procedures.
PostgreSQL supports to define SQL procedures using regular script
languages; such as Perl, Tcl, not only SQL or binary modules.
In addition, v9.0 or later supports DO statement. It allows us to
execute a script statement on server side without defining a SQL
procedure. It requires to control whether user can execute DO
statement on this language, or not.
This object class uniquely provides 'implement' and 'execute'
permissions. The 'implement' controls whether a procedure can
be implemented with this language, or not. So, it takes security
context of the procedure as subject. The 'execute' controls to
execute code block using DO statement.
The default security context shall be computed by type transition
rule with a database object, because it is not owned by a certain
schema.
In the default policy, we provide two types: 'sepgsql_lang_t' and
'sepgsql_safe_lang_t' that allows unpriv users to execute DO
statement. The default is 'sepgsql_leng_t'.
We assume newly installed language may be harm, so DBA has to relabel
it explicitly, if he want user defined procedures using the language.
See also,
http://developer.postgresql.org/pgdocs/postgres/sql-createlanguage.html
http://developer.postgresql.org/pgdocs/postgres/sql-do.html
P.S)
I found a bug in MCS. It didn't constraint 'relabelfrom' permission
of 'db_procedure' class. IIRC, I fixed it before, but it might be
only MLS side. Sorry.
Paul Nuzzi [Thu, 6 Jan 2011 16:33:39 +0000 (11:33 -0500)]
hadoop: labeled ipsec
On 01/05/2011 08:48 AM, Christopher J. PeBenito wrote:
> On 12/16/10 12:32, Paul Nuzzi wrote:
>> On 12/15/2010 03:54 PM, Christopher J. PeBenito wrote:
>>> On 12/10/10 18:22, Paul Nuzzi wrote:
>>>> Added labeled IPSec support to hadoop. SELinux will be able to enforce what services are allowed to
>>>> connect to. Labeled IPSec can enforce the range of services they can receive from. This enforces
>>>> the architecture of Hadoop without having to modify any of the code. This adds a level of
>>>> confidentiality, integrity, and authentication provided outside the software stack.
>>>
>>> A few things.
>>>
>>> The verb used in Reference Policy interfaces for peer recv is recvfrom
>>> (a holdover from previous labeled networking implementations). So the
>>> interfaces are like hadoop_recvfrom_datanode().
>>
>> Easy change.
>>
>>> It seems like setkey should be able to setcontext any type used on ipsec
>>> associations. I think the best thing would be to add additional support
>>> to either the ipsec or corenetwork modules (I haven't decided which one
>>> yet) for associations. So, say we have an interface called
>>> ipsec_spd_type() which adds the parameter type to the attribute
>>> ipsec_spd_types. Then we can have an allow setkey_t
>>> ipsec_spd_types:association setkey; rule and we don't have to update it
>>> every time more labeled network is added.
>>
>> That seems a lot less clunky than updating setkey every time we add a new association.
>>
>>> This is definitely wrong since its not a file:
>>> +files_type(hadoop_lan_t)
>>
>> Let me know how you would like to handle associations and I could update the
>> patch.
>
> Lets go with putting the associations in corenetwork.
>
>> Will the files_type error be cleared up when we re-engineer this?
>
> I'm not sure what you mean. The incorrect rule was added in your patch.
>
Adds labeled IPSec policy to hadoop to control the remote processes that are allowed to connect to the cloud's services.
Signed-off-by: Paul Nuzzi <pjnuzzi@tycho.ncsc.mil>
Harry Ciao [Tue, 21 Dec 2010 03:31:20 +0000 (11:31 +0800)]
Make mount_t able to request loading kernel module.
Make the mount domain able to request kernel to load a kernel module.
Otherwise the binfmt_misc kernel module won't be properly loaded
during system booting up.
Miroslav Grepl [Fri, 7 Jan 2011 14:50:23 +0000 (14:50 +0000)]
- Make kernel_t domain MLS trusted for lowering the level of file.
- Add label for /var/lib/tftpboot/grub directory
- Fixes for mpd policy
- Fix amanda_search_lib interface
Harry Ciao [Mon, 20 Dec 2010 08:02:38 +0000 (16:02 +0800)]
vlock_t only uses the relabeled terminal.
The login or ssh program will relabel a tty or pty device after users
log in, and the vlock domain would only need to use the relabeled tty
or pty device, rather than the whole ttynode or ptynode attribute.
Signed-off-by: Harry Ciao <qingtao.cao@windriver.com>
Paul Nuzzi [Thu, 16 Dec 2010 17:33:07 +0000 (12:33 -0500)]
hadoop: update to CDH3
On 12/15/2010 03:17 PM, Christopher J. PeBenito wrote:
> On 12/13/10 10:39, Paul Nuzzi wrote:
>> On 12/11/2010 04:01 AM, Dominick Grift wrote:
>> On 12/11/2010 12:22 AM, Paul Nuzzi wrote:
>>
>> Does hadoop depend on kerberos? If no then kerberos_use should probably
>> be optional.
>>
>>
>>> The new version of hadoop added Kerberos for authentication.
>
> So, to be explicit, its an unconditional requirement?
Yes. I think all future versions of hadoop will be kerberos enabled.
> It seems like there should be a hadoop_home_t that is
> userdom_user_home_content()
Updated.
Signed-off-by: Paul Nuzzi <pjnuzzi@tycho.ncsc.mil>
Dominick Grift [Wed, 5 Jan 2011 09:52:29 +0000 (10:52 +0100)]
Screen only creates directories and pipes in /var/run/screen, thus the user owning a directory and pipe there should only be able to manage that. Since screen is not allowed to create lnk_files and files in /var/run/screen, users should not be able to manage files and lnk_files there either.
Dan Walsh [Tue, 4 Jan 2011 21:21:16 +0000 (16:21 -0500)]
Label /var/lock/subsys/shorewall as shorewall_lock_t
Allow users to communicate with the gpg_agent_t
Dontaudit mozilla_plugin_t using the inherited terminal
Allow sambagui to read files in /usr
webalizer manages squid log files
Allow unconfined domains to bind ports to raw_ip_sockets
Allow abrt to manage rpm logs when running yum
Need labels for /var/run/bittlebee
Label .ssh under amanda
Remove unused genrequires for virt_domain_template
Allow virt_domain to use fd inherited from virtd_t
Allow iptables to read shorewall config
KaiGai Kohei [Thu, 16 Dec 2010 08:40:29 +0000 (17:40 +0900)]
Add sepgsql_contexts into appconfig-*
The attached patch adds sepgsql_contexts file into appconfig-*
directory. This configuration is used to initial labeling on
installation time for each database objects.
We can easily look up an appropriate label using selabel_loopup(3)
APIs. The 'sepgsql_contexts' is default for SE-PostgreSQL.
Dan Walsh [Tue, 28 Dec 2010 19:52:31 +0000 (14:52 -0500)]
Gnome apps list config_home_t
mpd creates lnk files in homedir
apache leaks write to mail apps on tmp files
/var/stockmaniac/templates_cache contains log files
Abrt list the connects of mount_tmp_t dirs
projects / people / stevee / selinux-policy.git / log
