Bug 451948

Summary: prelude patch
Product: [Fedora] Fedora
Reporter: Dominick Grift <domg444>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: low
Version: 9
CC: rvokal
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2008-11-17 22:04:41 UTC

Attachments (flags: none):
patch1
patch2
prelude.fc
prelude.te
snort.te
snort.if
snort.fc

Description Dominick Grift 2008-06-18 10:15:20 UTC
Description of problem:
After doing this howto: http://people.redhat.com/sgrubb/audit/prelude.txt
I noticed some issues in the prelude policy.

Some highlights are:
the patch to the prelude init script needed an escape character
policy for prelude-lml was missing
policy for prewikka was coarse and didn't have a files config file

These patches are against 331-48 f9.

Comment 1 Dominick Grift 2008-06-18 10:15:20 UTC
Created attachment 309716 [details]
patch1

Comment 2 Dominick Grift 2008-06-18 10:17:04 UTC
Created attachment 309717 [details]
patch2

Comment 3 Daniel Walsh 2008-06-22 11:29:36 UTC
Created attachment 309993 [details]
prelude.fc

Comment 4 Daniel Walsh 2008-06-22 11:29:58 UTC
Created attachment 309994 [details]
prelude.te

Comment 5 Dominick Grift 2008-06-22 12:43:37 UTC
Thanks, looks good. Although I wanted files_config_file for prewikka because
it has a MySQL password in there.

Also I noticed that you removed the gamin optional policy block for prelude-lml.
Not sure why, but it seemed needed when I tried it.

Also I think domain_use_interactive_fds(prelude_lml_t) may not be required.

Comment 6 Daniel Walsh 2008-06-22 12:52:19 UTC
So you are trying to prevent other domains from reading the config file?

In that case you might want to label it something like prewikka_secret_t and not
give it files_config, since files_config allows all domains to read, just like
etc_t.

gamin_ is a bad thing to use for a system service, since it is long running and
shared by other domains.  So it causes SELinux problems when it is run.  gamin
policy is not being shipped so this optional block will not be executed.

The gamin policy is also pretty broken right now.
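
An added example (not the policy attached to this bug and not Fedora's shipped prelude module) of the distinction Dan draws: a type registered with files_config_file() picks up the configfile attribute, so every domain that calls files_read_config_files() can read it, whereas a private type is readable only by domains a rule names explicitly. The names prewikka_t, prewikka_secret_t and prewikka_read_secret and the path /etc/prewikka/prewikka.conf are assumptions for illustration; prewikka_t stands for whatever domain the web frontend actually runs in.

```m4
## prewikka.te (added example; prewikka_t, prewikka_secret_t and the
## /etc/prewikka path are assumptions, not names taken from this bug)

# Weak: files_config_file() attaches the configfile attribute, so every domain
# granted files_read_config_files() (a large part of the policy) can read the
# MySQL password, much as with etc_t.
type prewikka_etc_t;
files_config_file(prewikka_etc_t)

# Hardened: a plain file type carrying no attribute that generic interfaces
# match. Nothing can read it until a rule names prewikka_secret_t explicitly.
type prewikka_secret_t;
files_type(prewikka_secret_t)

# Only the frontend's own domain gets read access to the secret.
files_search_etc(prewikka_t)
allow prewikka_t prewikka_secret_t:file read_file_perms;

## prewikka.if (added example): the one deliberate opening. Any other domain
## that needs the password has to call this interface from its own .te file,
## which keeps the list of readers visible in the policy source.
interface(`prewikka_read_secret',`
	gen_require(`
		type prewikka_secret_t;
	')

	files_search_etc($1)
	allow $1 prewikka_secret_t:file read_file_perms;
')

## prewikka.fc (added example; the path is an assumption)
/etc/prewikka/prewikka\.conf	--	gen_context(system_u:object_r:prewikka_secret_t,s0)
```

After loading the module, compare the two labels with sesearch: `sesearch -A -t prewikka_secret_t -c file` should list only prewikka_t plus whatever called prewikka_read_secret, while `sesearch -A -t prewikka_etc_t -c file` lists every domain matched through the configfile attribute.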



Comment 7 Dominick Grift 2008-06-22 13:22:48 UTC
Understood. I also noticed you didn't declare a domain type for prelude-lml.
Interface admin_prelude needs updating to reflect prelude-lml.

Also we need a prelude_manage_spool() for snort.



Comment 8 Dominick Grift 2008-06-22 13:24:23 UTC
Created attachment 309995 [details]
snort.te

Comment 9 Dominick Grift 2008-06-22 13:25:01 UTC
Created attachment 309996 [details]
snort.if

Comment 10 Dominick Grift 2008-06-22 13:25:34 UTC
Created attachment 309997 [details]
snort.fc

Comment 11 Dominick Grift 2008-06-22 13:56:48 UTC
files_search_spool(snort_t) should be in that optional_policy block for prelude,
since any domain will need to be able to search spool to be able to append to
prelude's spool files.

Comment 12 Dominick Grift 2008-06-22 14:22:11 UTC
########################################
## <summary>
##	Read, write and append to prelude-manager spool files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`prelude_write_spool_files',`
	gen_require(`
		type prelude_spool_t;
	')

	# the caller has to traverse /var/spool (var_spool_t) to reach prelude's spool directory
	files_search_spool($1)
	allow $1 prelude_spool_t:dir { read search getattr };
	allow $1 prelude_spool_t:file { read lock getattr write append };
')

Comment 13 Daniel Walsh 2008-06-23 12:20:24 UTC
Fixed in selinux-policy-3.3.1-70.fc9.noarch

Comment 14 Dominick Grift 2008-06-23 15:09:33 UTC
Thanks. One small issue left:

#============= snort_t ==============
allow snort_t prelude_spool_t:dir read;

and this, but you have explained why:

#============= prelude_lml_t ==============
allow prelude_lml_t gamin_exec_t:file { read execute };

Comment 15 Dominick Grift 2008-06-23 15:30:08 UTC
By the way, should corenet_tcp_connect_prelude_port(snort_t) not be in the
optional policy block designated for prelude? I know the port is defined in
corenetwork, but if there is no prelude module then there likely won't be a
prelude_port_type.

Comment 16 Daniel Walsh 2008-06-24 10:35:07 UTC
No. Other policies might not include the prelude policy but would still define
the prelude port.

Fixed in selinux-policy-3.3.1-71.fc9.noarch
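
An added example (not the snort.te attached to this bug) of how the rules discussed in comments 11, 15 and 16 are split between the unconditional part of a module and its optional_policy() block: the port type comes from corenetwork, which is always linked, so the connect rule stays outside; anything that names a type declared by the prelude module goes inside, so the snort module still links on a system without prelude.pp. The type snort_t and the interfaces prelude_write_spool_files(), files_search_spool() and corenet_tcp_connect_prelude_port() are taken from this bug; the exec type, the policy_module() header and the version number are assumptions.

```m4
# snort.te (added example; snort_exec_t and the module header are assumptions)

policy_module(snort, 1.0.0)

type snort_t;
type snort_exec_t;
init_daemon_domain(snort_t, snort_exec_t)

# prelude_port_t is declared in corenetwork, which every policy carries whether
# or not it ships a prelude module, so this rule must not depend on prelude.pp.
corenet_tcp_connect_prelude_port(snort_t)

# prelude_spool_t is declared by the prelude module. If prelude.pp is not
# installed, the whole optional_policy() block is dropped at link time and the
# snort module still loads. files_search_spool() is only needed to reach the
# prelude spool directory, so it belongs in the same block (the version of
# prelude_write_spool_files() posted in comment 12 also grants it internally).
optional_policy(`
	files_search_spool(snort_t)
	prelude_write_spool_files(snort_t)
')
```

Build and load it on a Fedora host with `make -f /usr/share/selinux/devel/Makefile snort.pp && semodule -i snort.pp`; if the connect rule were inside the optional block on a box without prelude.pp, snort would silently lose access to the prelude port, while a rule naming prelude_spool_t outside the block would make the module fail to link on that same box.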

Comment 17 Daniel Walsh 2008-11-17 22:04:41 UTC
Closing all bugs that have been in modified for over a month.  Please reopen if the bug is not actually fixed.