
Bug 155799

Summary: Restricting ORBit socket rules
Product: [Fedora] Fedora
Reporter: Ivan Gyurdiev <ivg231>
Component: selinux-policy-strict
Assignee: Daniel Walsh <dwalsh>
Severity: medium
Docs Contact:
Priority: medium
Version: rawhide
Target Milestone: ---
Target Release: ---
Hardware: i386
OS: Linux
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-04-29 18:09:33 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description Ivan Gyurdiev 2005-04-23 13:06:25 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.7) Gecko/20050416 Fedora/1.0.3-2 Firefox/1.0.3

Description of problem:
ORBit socket rules are used presently in the mozilla and gift policy,
and are allowing those applications to interact with the ROLE_tmp_t
domain, which seems undesirable. They allow mozilla to write to a 
ROLE_tmp_t:file for example. GConf also requires such rules. 

This bug is to track fixing this issue - I do not understand how ORBit works well enough at this point to fix this. I think some change in labeling might be needed.

Here, for example, are the mozilla rules:

# ORBit sockets
file_type_auto_trans($1_mozilla_t, $1_tmp_t, $1_mozilla_tmp_t)
can_unix_connect($1_t, $1_mozilla_t)
allow $1_t $1_mozilla_tmp_t:sock_file write;
allow $1_mozilla_t $1_tmp_t:file { getattr read write lock };
allow $1_mozilla_t $1_tmp_t:sock_file { read write };
dontaudit $1_mozilla_t $1_tmp_t:dir setattr;

Here are the gift rules:

# Tmp/ORBit
file_type_auto_trans($1_gift_t, $1_tmp_t, $1_gift_tmp_t)
can_unix_connect($1_t, $1_gift_t)
can_unix_connect($1_gift_t, $1_t)
allow $1_t $1_gift_tmp_t:sock_file write;
allow $1_gift_t $1_tmp_t:file { getattr read write lock };
allow $1_gift_t $1_tmp_t:sock_file { read write };
dontaudit $1_gift_t $1_tmp_t:dir setattr;

Here are the rules GConf appears to require
(I've changed GConf to run in its own domain):

+# Unix sockets (/tmp/orbit-username)
+file_type_auto_trans($1_gconfd_t, $1_tmp_t, $1_gconfd_tmp_t)
+allow $1_gconfd_t $1_tmp_t:dir rw_dir_perms;
+allow $1_gconfd_t tmp_t:dir search;
+allow $1_gconfd_t self:unix_stream_socket create_stream_socket_perms;
+allow $1_gconfd_t self:unix_dgram_socket create_socket_perms;
+can_unix_connect($1_gconfd_t, $1_t)
+allow $1_gconfd_t $1_tmp_t:sock_file write;
+allow $1_gconfd_t $1_tmp_t:file rw_file_perms;
+dontaudit $1_gconfd_t $1_tmp_t:dir setattr;

Version-Release number of selected component (if applicable):

How reproducible:
Didn't try

Steps to Reproduce:

Additional info:

Comment 1 Ivan Gyurdiev 2005-04-29 15:23:16 UTC
Does the following make any sense?

$1_orbit_tmp_t is the type of /tmp/orbit-USER 
(remember the USER expansion I wrote about on NSA-list)

# ORBit connections
define(`orbit_domain', `
type $1_orbit_tmp_t, file_type, sysadmfile;
file_type_auto_trans($1_t, $2_orbit_tmp_t, $1_orbit_tmp_t, sock_file)

allow $1_t self:unix_stream_socket create_stream_socket_perms;
allow $1_t self:unix_dgram_socket create_socket_perms;

allow $1_t $2_orbit_tmp_t:file { getattr read write lock };
dontaudit $1_t $1_orbit_tmp_t:dir setattr;
')

define(`orbit_connect', `
can_unix_connect($1_t, $2_t)
can_unix_connect($2_t, $1_t)
allow $1_t $2_orbit_tmp_t:sock_file { read write };
allow $2_t $1_orbit_tmp_t:sock_file { read write };
')

Then the user code looks like this - as simple as possible,
and no more mixing w/ ROLE_tmp_t:

# ORBit sockets
orbit_domain($1_mozilla, $1)
orbit_connect($1_mozilla, $1)

Comment 2 Ivan Gyurdiev 2005-04-29 15:25:21 UTC
dontaudit $1_t $1_orbit_tmp_t:dir setattr;

This should be dontaudit $1_t $2_orbit_tmp_t:dir setattr;
obviously. $2 is the ROLE prefix.

Comment 3 Ivan Gyurdiev 2005-04-29 18:09:33 UTC
Closing this bug - I think my scheme of doing things will work.
I've implemented it, and we get the following benefits:

- mozilla cannot write to ROLE_tmp_t
- mozilla cannot even write to ROLE_orbit_tmp_t

...same for gift

All it can do is connect to gconf over the ORBit socket.

I will submit the fix as part of the restrict_home patch.
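The script below is an added illustration and is not part of this bug or of the Fedora policy tree. It substitutes the macro arguments the way m4 would for a concrete role prefix (user) and application prefix (user_mozilla), using the per-role mozilla rules from the description and the orbit_domain/orbit_connect macros as posted in Comment 1 with the $2 correction from Comment 2 applied, and then lists which types the mozilla domain is allowed to write to before and after. Two assumptions: can_unix_connect() is treated as expanding to an `allow SRC DST:unix_stream_socket connectto;` rule, and file_type_auto_trans() is not expanded at all, so the transition rules it generates are not analysed. Comment 3 reports that the committed version was tightened further than the Comment 1 draft, so the "after" list reflects the draft only.

```python
"""Expand the ORBit policy macros for one role and compare what the
application domain may write to.  Added example; not the bug's own code."""
import re

# Macro bodies copied from Comment 1, with the $2 fix from Comment 2 applied
# to the dontaudit line.  $1 = application prefix, $2 = role prefix.
ORBIT_DOMAIN = """\
type $1_orbit_tmp_t, file_type, sysadmfile;
file_type_auto_trans($1_t, $2_orbit_tmp_t, $1_orbit_tmp_t, sock_file)
allow $1_t self:unix_stream_socket create_stream_socket_perms;
allow $1_t self:unix_dgram_socket create_socket_perms;
allow $1_t $2_orbit_tmp_t:file { getattr read write lock };
dontaudit $1_t $2_orbit_tmp_t:dir setattr;
"""

ORBIT_CONNECT = """\
can_unix_connect($1_t, $2_t)
can_unix_connect($2_t, $1_t)
allow $1_t $2_orbit_tmp_t:sock_file { read write };
allow $2_t $1_orbit_tmp_t:sock_file { read write };
"""

# The per-role mozilla rules quoted in the description ($1 = role prefix).
OLD_MOZILLA = """\
file_type_auto_trans($1_mozilla_t, $1_tmp_t, $1_mozilla_tmp_t)
can_unix_connect($1_t, $1_mozilla_t)
allow $1_t $1_mozilla_tmp_t:sock_file write;
allow $1_mozilla_t $1_tmp_t:file { getattr read write lock };
allow $1_mozilla_t $1_tmp_t:sock_file { read write };
dontaudit $1_mozilla_t $1_tmp_t:dir setattr;
"""

CAN_UNIX_CONNECT = re.compile(r"^can_unix_connect\((\S+),\s*(\S+)\)$")
RULE = re.compile(r"^(allow|dontaudit)\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+);$")


def expand(template, *args):
    """m4-style positional substitution: $1, $2, ... -> args."""
    for i, arg in enumerate(args, start=1):
        template = template.replace(f"${i}", arg)
    return template


def parse_rules(policy_text):
    """Return (kind, source, target, class, perms) for every AV rule.

    can_unix_connect() is rewritten to the connectto rule it is assumed to
    stand for (assumption, see lead-in); file_type_auto_trans() and type
    declarations are skipped, so only direct allow/dontaudit rules count.
    """
    rules = []
    for raw in policy_text.splitlines():
        line = raw.strip()
        m = CAN_UNIX_CONNECT.match(line)
        if m:
            line = f"allow {m.group(1)} {m.group(2)}:unix_stream_socket connectto;"
        m = RULE.match(line)
        if not m:
            continue
        kind, src, tgt, cls, perms = m.groups()
        rules.append((kind, src, tgt, cls, frozenset(perms.strip("{} ").split())))
    return rules


def writable(rules, source):
    """(target type, object class) pairs that `source` may write, allow rules only."""
    return sorted({(t, c) for k, s, t, c, p in rules
                   if k == "allow" and s == source and "write" in p})


def connect_targets(rules, source):
    """Domains that `source` may connectto over a unix stream socket."""
    return sorted({t for k, s, t, c, p in rules
                   if k == "allow" and s == source and "connectto" in p})


def compare(app="user_mozilla", role="user"):
    """Before/after view of what the application domain can write and connect to."""
    old = parse_rules(expand(OLD_MOZILLA, role))
    new = parse_rules(expand(ORBIT_DOMAIN, app, role)
                      + expand(ORBIT_CONNECT, app, role))
    app_t = f"{app}_t"
    new_w = writable(new, app_t)
    return {
        "old_writable": writable(old, app_t),
        "new_writable": new_w,
        "new_connect": connect_targets(new, app_t),
        "touches_role_tmp": any(t == f"{role}_tmp_t" for t, _ in new_w),
    }


if __name__ == "__main__":
    for key, val in compare().items():
        print(f"{key}: {val}")
```

The "touches_role_tmp" flag is the property the bug is about: with the old rules the mozilla domain gets write on user_tmp_t:file and :sock_file, while with the macros the only writable types are the dedicated user_orbit_tmp_t ones and the only connectto target is user_t. The same comparison can be run for gift or gconfd by changing the `app` argument.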