Bug 120117 - IIIMF doesn't work on SELinux
Summary: IIIMF doesn't work on SELinux
Alias: None
Product: Fedora
Classification: Fedora
Component: policy   
(Show other bugs)
Version: rawhide
Hardware: i386
OS: Linux
Target Milestone: ---
Assignee: Russell Coker
QA Contact: Ben Levenson
Keywords: i18n, SELinux
Depends On:
Blocks: 122683 IIIMF
TreeView+ depends on / blocked
Reported: 2004-04-06 06:32 UTC by Lawrence Lim
Modified: 2014-03-26 00:50 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2005-05-10 12:13:34 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
proposed patch (723 bytes, patch)
2005-04-27 13:26 UTC, Akira TAGOH
no flags Details | Diff
another patch for i18n_input.fc (430 bytes, patch)
2005-04-28 14:46 UTC, Akira TAGOH
no flags Details | Diff
patch for i18n_input.te (349 bytes, patch)
2005-04-28 14:47 UTC, Akira TAGOH
no flags Details | Diff

Description Lawrence Lim 2004-04-06 06:32:52 UTC
Description of problem:
Missing htt_server policy for SELinux

Version-Release number of selected component (if applicable):
FC2 Test 2

How reproducible:

Steps to Reproduce:
Actual results:
Dont have a policy available.

Expected results:
3)an update to net_contexts file

Additional info:
I'll prepare the first draft and send it to dwalsh and cc to tagoh.

Comment 1 Lawrence Lim 2004-04-15 10:22:34 UTC
Hi Russell,
I have create an initial version of security policy for the Input
Method (htt_server). Could you please review it and give me some
comment whether it is good or crap. :)

I have applied the policy on my test machine and a normal user is now
able to use Input Method under enforce mode. But I am a bit worried
that applying the policy could result in security expolit in some
other area. So I would really appreciate your feedback.


# htt_server.te
# Security Policy for IIIMF htt server
# Date: 2004, 12th April (Monday)

# Types for server port
type htt_server_port_t, port_type;
type htt_server_usr_lib_im_t, file_type;

# Establish htt_server as a daemon

# allow user domains to have read access to the LE in /var/lib/im
r_dir_file(htt_server_t, {shlib_t htt_server_usr_lib_im_t})

#can_exec(initrc_t, htt_server_etc_t)
can_exec(htt_server_t, htt_server_exec_t)


# No Unix Socket Connection at the moment
# can_unix_send( { htt_server_t sysadm_t }, { htt_server_t sysadm_t } )
# allow htt_server_t self:unix_dgram_socket create_socket_perms;
# allow htt_server_t self:unix_stream_socket create_stream_socket_perms;
# can_unix_connect(htt_server_t, self)

can_tcp_connect(domain, htt_server_t)

allow htt_server_t self:fifo_file rw_file_perms;
allow htt_server_t htt_server_port_t:tcp_socket name_bind;

allow htt_server_t self:capability { dac_override kill setgid setuid
net_bind_service };
allow htt_server_t self:process setsched;

allow htt_server_t { bin_t sbin_t }: dir search;

/usr/sbin/htt                   --     
/usr/sbin/htt_server            --     
/usr/bin/httx                   --     
/usr/bin/htt_xbe                --     
/usr/lib(64)?/im/.*\.so.*       --      system_u:object_r:shlib_t


Comment 2 Colin Walters 2004-04-16 21:45:41 UTC
Any domain can connect to this server?  Shouldn't that be userdomain?

What package is htt_server in?

Comment 3 Akira TAGOH 2004-04-19 14:00:04 UTC
htt_server is included in iiimf-server. and it provides the framework
to allow to input their native languages on the their environments.
htt_server will be connected from the gtk2 immodules, which is
provided by iiimf-gtk package, and the XIM client (to bridge IIIMF),
wihch is provided by iiimf-x. so in other words, htt_server will be
connected from userdomain, apparently.
Also, if the Input Method server is implemented as the server/client
model, htt_server (actually the language engine does) will connects to
their the IM server like Canna, otherwise the language engines
processes itself and/or uses the IM libraries.
Since IIIMF uses tcp/unix domain socket, it has possibility of
security issue. making the SELinux policy is needed to avoid a lot of
damage IMHO.

Comment 4 Akira TAGOH 2004-06-28 06:28:17 UTC
currently we have had i18n_input.{fc,te} in SELinux's policy. but even
if htt_server is running, no changes the role and htt_server is still
running as user_u:user_r:user_t.

Comment 5 Akira TAGOH 2004-09-30 07:09:15 UTC
updated the summary. im-sdk works on the enforcing mode with the
targeted policy. but it doesn't work on the enforcing mode with the
strict policy.

Comment 6 Daniel Walsh 2004-11-06 06:56:27 UTC
What AVC messages are you seeing?


Comment 10 Akira TAGOH 2005-04-27 13:03:06 UTC
Sorry for delay. this happened on even targetted policy. here is the AVC logs:
Apr 27 21:54:44 devel02 kernel: audit(1114606484.567:0): avc:  denied  { read }
for  pid=4203 exe=/usr/bin/iiimd name=default.cbp dev=hda5 ino=803749
scontext=root:system_r:i18n_input_t tcontext=system_u:object_r:usr_t tclass=file
Apr 27 21:54:44 devel02 kernel: audit(1114606484.568:0): avc:  denied  { write }
for  pid=4203 exe=/usr/bin/iiimd name=IROHA dev=hda5 ino=3261720
scontext=root:system_r:i18n_input_t tcontext=root:object_r:var_run_t
Apr 27 21:54:44 devel02 kernel: audit(1114606484.568:0): avc:  denied  { search
} for  pid=4203 exe=/usr/bin/iiimd name=tmp dev=hda5 ino=2310145
scontext=root:system_r:i18n_input_t tcontext=system_u:object_r:tmp_t tclass=dir

default.cbp is placed under /usr/share/canna and iiimd may reads any files from
there. so assuming it's only default.cbp isn't a good idea.

Comment 11 Akira TAGOH 2005-04-27 13:26:03 UTC
Created attachment 113714 [details]
proposed patch

it looks good after modifying i18n_input.fc and make reload and setfiles
file_contexts/file_contexts /usr for the targetted policy.

Comment 12 Daniel Walsh 2005-04-27 14:33:46 UTC
Added patch in selinux-policy-* 1.23.13-4

Comment 13 Akira TAGOH 2005-04-28 12:51:04 UTC
Hmm, sorry those AVC messages are still output. and after upgrading -4. BTW I
just noticed that canna.te was removed from the source. why/when was it removed?

Comment 14 Akira TAGOH 2005-04-28 12:59:39 UTC
erm, I mean those AVC messages are still output after even upgrading -4 and
still doesn't work properly.

Comment 15 Akira TAGOH 2005-04-28 13:22:45 UTC
I just added the below line to i18n_input.fc for allowing iiimd to connect to
/var/run/\.iroha_unix(/.*)?            system_u:object_r:i18n_input_var_run_t

added to i18n_input.te for allowing to read the canna's files:
allow i18n_input_t usr_t:file read;

and after this, I got these AVC messages and still doesn't work.
Apr 28 22:17:04 devel02 kernel: audit(1114694224.884:0): avc:  denied  {
connectto } for  pid=24587 exe=/usr/bin/iiimd path=/var/run/.iroha_unix/IROHA
scontext=root:system_r:i18n_input_t tcontext=root:system_r:initrc_t
Apr 28 22:17:04 devel02 kernel: audit(1114694224.887:0): avc:  denied  { search
} for  pid=24587 exe=/usr/bin/iiimd name=tmp dev=hda5 ino=2310145
scontext=root:system_r:i18n_input_t tcontext=system_u:object_r:tmp_t tclass=dir
Apr 28 22:17:04 devel02 kernel: audit(1114694224.890:0): avc:  denied  { search
} for  pid=24587 exe=/usr/bin/iiimd name=/ dev=hda6 ino=2
scontext=root:system_r:i18n_input_t tcontext=system_u:object_r:default_t tclass=dir

The reason why it doesn't work is because of first AVC message. iiimd needs to
be allowed to connect to /var/run/.iroha_unix/IROHA which is a socket file which
is made by cannaserver.

Comment 16 Akira TAGOH 2005-04-28 13:25:33 UTC
For another problem, iiimd is going to read some user-specific information from
$HOME/.iiim/ but i18n_input_t looks like not allowing to do it.

Comment 17 Akira TAGOH 2005-04-28 14:46:54 UTC
Created attachment 113786 [details]
another patch for i18n_input.fc

Comment 18 Akira TAGOH 2005-04-28 14:47:28 UTC
Created attachment 113787 [details]
patch for i18n_input.te

Comment 19 Akira TAGOH 2005-04-28 14:52:13 UTC
I'm not sure if these patches are on the right way. so please review them.


Comment 20 Daniel Walsh 2005-04-28 14:56:50 UTC
Why is a daemon reading users home directories?

What process is iimd trying to communicate with that is running initrc_t?

The FC patch is fine.

Comment 21 Akira TAGOH 2005-04-28 16:57:28 UTC
Because iiimd is designed to be connected from multiple users and needs to
handle the user-specific data too.
/var/run/.iroha_unix/IROHA is created by cannaserver which is running from
/etc/init.d/canna. which is denied for connectto. I thought we had canna.te for
taking care of cannaserver. but I couldn't find any but only canna.fc is there,
but anyway. 

Comment 22 Akira TAGOH 2005-05-10 05:42:28 UTC
just tested on the latest tree, including 1.23.14-2. it looks good to me.

Note You need to log in before you can comment on or make changes to this bug.