Bug 155799
Summary: | Restricting ORBit socket rules | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Ivan Gyurdiev <ivg231> |
Component: | selinux-policy-strict | Assignee: | Daniel Walsh <dwalsh> |
Status: | CLOSED WORKSFORME | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | | |
Version: | rawhide | | |
Target Milestone: | --- | | |
Target Release: | --- | | |
Hardware: | i386 | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2005-04-29 18:09:33 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Ivan Gyurdiev
2005-04-23 13:06:25 UTC
Does the following make any sense? $1_orbit_tmp_t is the type of /tmp/orbit-USER (remember the USER expansion I wrote about on the NSA list).

    # ORBit connections
    define(`orbit_domain', `
    type $1_orbit_tmp_t, file_type, sysadmfile;
    file_type_auto_trans($1_t, $2_orbit_tmp_t, $1_orbit_tmp_t, sock_file)
    allow $1_t self:unix_stream_socket create_stream_socket_perms;
    allow $1_t self:unix_dgram_socket create_socket_perms;
    allow $1_t $2_orbit_tmp_t:file { getattr read write lock };
    dontaudit $1_t $1_orbit_tmp_t:dir setattr;
    ')

    define(`orbit_connect', `
    can_unix_connect($1_t, $2_t)
    can_unix_connect($2_t, $1_t)
    allow $1_t $2_orbit_tmp_t:sock_file { read write };
    allow $2_t $1_orbit_tmp_t:sock_file { read write };
    ')

Then the user code looks like this - simple as possible, and no more mixing w/ ROLE_tmp_t:

    # ORBit sockets
    orbit_domain($1_mozilla, $1)
    orbit_connect($1_mozilla, $1)

    dontaudit $1_t $1_orbit_tmp_t:dir setattr;

This should be

    dontaudit $1_t $2_orbit_tmp_t:dir setattr;

obviously. $2 is the ROLE prefix.

Closing this bug - I think my scheme of doing things will work. I've implemented it, and we get the following benefits:

- mozilla cannot write to ROLE_tmp_t
- mozilla cannot even write to ROLE_orbit_tmp_t

...same for gift. All it can do is connect to gconf over the ORBit socket. I will submit the fix as part of the restrict_home patch.
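As an added illustration (not part of the bug report or the policy sources), this is what the two macros from the comment expand to for the mozilla domain under a role prefix of `user`, which is an assumed prefix, so $1 = user_mozilla and $2 = user. The dontaudit line is shown in the corrected $2 form the comment settles on.

```m4
# Added illustration, not from the bug: expansion of orbit_domain and
# orbit_connect for the mozilla domain under the assumed role prefix `user`
# ($1 = user_mozilla, $2 = user).

# orbit_domain(user_mozilla, user)
type user_mozilla_orbit_tmp_t, file_type, sysadmfile;
# socket files mozilla creates inside /tmp/orbit-USER get mozilla's own type
file_type_auto_trans(user_mozilla_t, user_orbit_tmp_t, user_mozilla_orbit_tmp_t, sock_file)
allow user_mozilla_t self:unix_stream_socket create_stream_socket_perms;
allow user_mozilla_t self:unix_dgram_socket create_socket_perms;
allow user_mozilla_t user_orbit_tmp_t:file { getattr read write lock };
# corrected form: the directory being silenced is the role's orbit dir
dontaudit user_mozilla_t user_orbit_tmp_t:dir setattr;

# orbit_connect(user_mozilla, user)
can_unix_connect(user_mozilla_t, user_t)
can_unix_connect(user_t, user_mozilla_t)
allow user_mozilla_t user_orbit_tmp_t:sock_file { read write };
allow user_t user_mozilla_orbit_tmp_t:sock_file { read write };

# With the original $1 form the dontaudit would have expanded to
#   dontaudit user_mozilla_t user_mozilla_orbit_tmp_t:dir setattr;
# a type this scheme only ever assigns to sock_files, so the rule would match
# no directory and setattr denials on user_orbit_tmp_t would still be logged.
```

Note that nothing in the expansion grants user_mozilla_t write access to user_tmp_t or to the contents of user_orbit_tmp_t beyond its own socket files, which is the containment the comment describes.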