Bug 155799 - Restricting ORBit socket rules
Summary: Restricting ORBit socket rules
Status: CLOSED WORKSFORME
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-strict
Version: rawhide
Hardware: i386
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Daniel Walsh
Reported: 2005-04-23 13:06 UTC by Ivan Gyurdiev
Modified: 2007-11-30 22:11 UTC (History)
Doc Type: Bug Fix
Last Closed: 2005-04-29 18:09:33 UTC



Description Ivan Gyurdiev 2005-04-23 13:06:25 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.7) Gecko/20050416 Fedora/1.0.3-2 Firefox/1.0.3

Description of problem:
ORBit socket rules are used presently in the mozilla and gift policy,
and are allowing those applications to interact with the ROLE_tmp_t
domain, which seems undesirable. They allow mozilla to write to a 
ROLE_tmp_t:file for example. GConf also requires such rules. 

This bug is to track fixing this issue - I do not understand how ORBit works well enough at this point to fix this. I think some change in labeling might be needed.

Here, for example, are the mozilla rules:

# ORBit sockets
file_type_auto_trans($1_mozilla_t, $1_tmp_t, $1_mozilla_tmp_t)
can_unix_connect($1_t, $1_mozilla_t)
allow $1_t $1_mozilla_tmp_t:sock_file write;
allow $1_mozilla_t $1_tmp_t:file { getattr read write lock };
allow $1_mozilla_t $1_tmp_t:sock_file { read write };
dontaudit $1_mozilla_t $1_tmp_t:dir setattr;

Here are the gift rules:

# Tmp/ORBit
tmp_domain($1_gift)
file_type_auto_trans($1_gift_t, $1_tmp_t, $1_gift_tmp_t)
can_unix_connect($1_t, $1_gift_t)
can_unix_connect($1_gift_t, $1_t)
allow $1_t $1_gift_tmp_t:sock_file write;
allow $1_gift_t $1_tmp_t:file { getattr read write lock };
allow $1_gift_t $1_tmp_t:sock_file { read write };
dontaudit $1_gift_t $1_tmp_t:dir setattr;

Here are the rules GConf appears to require
(I've changed GConf to run in its own domain):

+# Unix sockets (/tmp/orbit-username)
+tmp_domain($1_gconfd)
+file_type_auto_trans($1_gconfd_t, $1_tmp_t, $1_gconfd_tmp_t)
+allow $1_gconfd_t $1_tmp_t:dir rw_dir_perms;
+allow $1_gconfd_t tmp_t:dir search;
+allow $1_gconfd_t self:unix_stream_socket create_stream_socket_perms;
+allow $1_gconfd_t self:unix_dgram_socket create_socket_perms;
+can_unix_connect($1_gconfd_t, $1_t)
+allow $1_gconfd_t $1_tmp_t:sock_file write;
+allow $1_gconfd_t $1_tmp_t:file rw_file_perms;
+dontaudit $1_gconfd_t $1_tmp_t:dir setattr;
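
Review bot: `allow $1_gconfd_t $1_tmp_t:file rw_file_perms;` and `allow $1_gconfd_t $1_tmp_t:dir rw_dir_perms;` give gconfd read/write on anything labeled with the role's tmp type, although the header comment says the rules are for the sockets under /tmp/orbit-username. Suggest labeling that directory with its own type and pointing these two rules, the `sock_file write` rule and the `dontaudit` at that type instead of `$1_tmp_t`. A short comment on why both `unix_stream_socket` and `unix_dgram_socket` permissions are needed would also help.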


Version-Release number of selected component (if applicable):
selinux-policy-strict-1.23.12-1

How reproducible:
Didn't try

Steps to Reproduce:


Additional info:

Comment 1 Ivan Gyurdiev 2005-04-29 15:23:16 UTC
Does the following make any sense?

$1_orbit_tmp_t is the type of /tmp/orbit-USER 
(remember the USER expansion I wrote about on NSA-list)

# ORBit connections
define(`orbit_domain', `
type $1_orbit_tmp_t, file_type, sysadmfile;
file_type_auto_trans($1_t, $2_orbit_tmp_t, $1_orbit_tmp_t, sock_file)

allow $1_t self:unix_stream_socket create_stream_socket_perms;
allow $1_t self:unix_dgram_socket create_socket_perms;

allow $1_t $2_orbit_tmp_t:file { getattr read write lock };
dontaudit $1_t $1_orbit_tmp_t:dir setattr;
')

define(`orbit_connect', `
can_unix_connect($1_t, $2_t)
can_unix_connect($2_t, $1_t)
allow $1_t $2_orbit_tmp_t:sock_file { read write };
allow $2_t $1_orbit_tmp_t:sock_file { read write };
')

Then the user code looks like this - simple as possible,
and no more mixing w/ ROLE_tmp_t: 

# ORBit sockets
orbit_domain($1_mozilla, $1)
orbit_connect($1_mozilla, $1)

Comment 2 Ivan Gyurdiev 2005-04-29 15:25:21 UTC
dontaudit $1_t $1_orbit_tmp_t:dir setattr;

This should be dontaudit $1_t $2_orbit_tmp_t:dir setattr;
obviously. $2 is the ROLE prefix.


Comment 3 Ivan Gyurdiev 2005-04-29 18:09:33 UTC
Closing this bug - I think my scheme of doing things will work.
I've implemented it, and we get the following benefits:

- mozilla cannot write to ROLE_tmp_t
- mozilla cannot even write to ROLE_orbit_tmp_t

..same for gift

All it can do is connect to gconf over the ORBit socket.

I will submit the fix as part of the restrict_home patch.
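
An added example, not part of the original thread: a small Python audit that expands the mozilla rules from the description and the orbit_domain/orbit_connect rule lines from Comment 1 (with the Comment 2 correction), then lists every allow rule that gives a non-role domain access to ROLE_tmp_t. The role name `user` and all function names are assumptions made for the example; the implemented version mentioned in Comment 3 is not on the page, so only the ROLE_tmp_t claim is checked.

```python
import re

# Mozilla rules quoted in the bug description ($1 is the role prefix).
BEFORE = """
allow $1_t $1_mozilla_tmp_t:sock_file write;
allow $1_mozilla_t $1_tmp_t:file { getattr read write lock };
allow $1_mozilla_t $1_tmp_t:sock_file { read write };
dontaudit $1_mozilla_t $1_tmp_t:dir setattr;
"""
# allow/dontaudit lines of orbit_domain and orbit_connect from Comment 1,
# with the Comment 2 correction ($2_orbit_tmp_t in the dontaudit) applied.
ORBIT_DOMAIN = """
allow $1_t self:unix_stream_socket create_stream_socket_perms;
allow $1_t self:unix_dgram_socket create_socket_perms;
allow $1_t $2_orbit_tmp_t:file { getattr read write lock };
dontaudit $1_t $2_orbit_tmp_t:dir setattr;
"""
ORBIT_CONNECT = """
allow $1_t $2_orbit_tmp_t:sock_file { read write };
allow $2_t $1_orbit_tmp_t:sock_file { read write };
"""
RULE = re.compile(
    r"^(allow|dontaudit)\s+(\S+)\s+(\S+):(\S+)\s+(?:\{([^}]*)\}|(\S+));$")

def expand(text, *args):
    """Substitute m4-style positional parameters $1, $2, ..."""
    return re.sub(r"\$(\d)", lambda m: args[int(m.group(1)) - 1], text)

def parse(text):
    """Return (kind, source, target, class, perms) for each rule line."""
    rules = []
    for line in text.splitlines():
        m = RULE.match(line.strip())
        if m:
            perms = tuple((m.group(5) or m.group(6)).split())
            rules.append((m.group(1), m.group(2), m.group(3), m.group(4), perms))
    return rules

def role_tmp_access(rules, role):
    """allow rules giving a domain other than ROLE_t access to ROLE_tmp_t."""
    return [r for r in rules
            if r[0] == "allow" and r[2] == f"{role}_tmp_t" and r[1] != f"{role}_t"]

def audit(role="user"):
    # orbit_domain($1_mozilla, $1) / orbit_connect($1_mozilla, $1), as in Comment 1
    before = parse(expand(BEFORE, role))
    after = parse(expand(ORBIT_DOMAIN + ORBIT_CONNECT, f"{role}_mozilla", role))
    return role_tmp_access(before, role), role_tmp_access(after, role)
```

`audit()` returns the offending rules before and after the change; the second list is empty for the macros as posted.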

