From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.7) Gecko/20050416 Fedora/1.0.3-2 Firefox/1.0.3

Description of problem:
ORBit socket rules are used presently in the mozilla and gift policy, and are allowing those applications to interact with the ROLE_tmp_t domain, which seems undesirable. They allow mozilla to write to a ROLE_tmp_t:file, for example. GConf also requires such rules.

This bug is to track fixing this issue - I do not understand how ORBit works well enough at this point to fix this. I think some change in labeling might be needed.

Here, for example, are the mozilla rules:

# ORBit sockets
file_type_auto_trans($1_mozilla_t, $1_tmp_t, $1_mozilla_tmp_t)
can_unix_connect($1_t, $1_mozilla_t)
allow $1_t $1_mozilla_tmp_t:sock_file write;
allow $1_mozilla_t $1_tmp_t:file { getattr read write lock };
allow $1_mozilla_t $1_tmp_t:sock_file { read write };
dontaudit $1_mozilla_t $1_tmp_t:dir setattr;

Here are the gift rules:

# Tmp/ORBit
tmp_domain($1_gift)
file_type_auto_trans($1_gift_t, $1_tmp_t, $1_gift_tmp_t)
can_unix_connect($1_t, $1_gift_t)
can_unix_connect($1_gift_t, $1_t)
allow $1_t $1_gift_tmp_t:sock_file write;
allow $1_gift_t $1_tmp_t:file { getattr read write lock };
allow $1_gift_t $1_tmp_t:sock_file { read write };
dontaudit $1_gift_t $1_tmp_t:dir setattr;

Here are the rules GConf appears to require (I've changed GConf to run in its own domain):

+# Unix sockets (/tmp/orbit-username)
+tmp_domain($1_gconfd)
+file_type_auto_trans($1_gconfd_t, $1_tmp_t, $1_gconfd_tmp_t)
+allow $1_gconfd_t $1_tmp_t:dir rw_dir_perms;
+allow $1_gconfd_t tmp_t:dir search;
+allow $1_gconfd_t self:unix_stream_socket create_stream_socket_perms;
+allow $1_gconfd_t self:unix_dgram_socket create_socket_perms;
+can_unix_connect($1_gconfd_t, $1_t)
+allow $1_gconfd_t $1_tmp_t:sock_file write;
+allow $1_gconfd_t $1_tmp_t:file rw_file_perms;
+dontaudit $1_gconfd_t $1_tmp_t:dir setattr;

Version-Release number of selected component (if applicable):
selinux-policy-strict-1.23.12-1

How reproducible:
Didn't try

Steps to Reproduce:

Additional info:
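Review bot: `allow $1_gconfd_t $1_tmp_t:dir rw_dir_perms;` and `allow $1_gconfd_t $1_tmp_t:file rw_file_perms;` grant gconfd read/write over every directory and file of the role's tmp type, not only the /tmp/orbit-username directory the comment names, and together with `allow $1_gconfd_t $1_tmp_t:sock_file write;` they reproduce the same ROLE_tmp_t mixing the description flags for mozilla and gift; if the ORBit directory gets its own label (the labeling change the description anticipates), these three rules can target that type instead of $1_tmp_t, leaving only `tmp_t:dir search` against the shared /tmp.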
Does the following make any sense? $1_orbit_tmp_t is the type of /tmp/orbit-USER (remember the USER expansion I wrote about on NSA-list).

# ORBit connections
define(`orbit_domain', `
type $1_orbit_tmp_t, file_type, sysadmfile;
file_type_auto_trans($1_t, $2_orbit_tmp_t, $1_orbit_tmp_t, sock_file)
allow $1_t self:unix_stream_socket create_stream_socket_perms;
allow $1_t self:unix_dgram_socket create_socket_perms;
allow $1_t $2_orbit_tmp_t:file { getattr read write lock };
dontaudit $1_t $1_orbit_tmp_t:dir setattr;
')

define(`orbit_connect', `
can_unix_connect($1_t, $2_t)
can_unix_connect($2_t, $1_t)
allow $1_t $2_orbit_tmp_t:sock_file { read write };
allow $2_t $1_orbit_tmp_t:sock_file { read write };
')

Then the user code looks like this - simple as possible, and no more mixing w/ ROLE_tmp_t:

# ORBit sockets
orbit_domain($1_mozilla, $1)
orbit_connect($1_mozilla, $1)
dontaudit $1_t $1_orbit_tmp_t:dir setattr;

This should be

dontaudit $1_t $2_orbit_tmp_t:dir setattr;

obviously. $2 is the ROLE prefix.
Closing this bug - I think my scheme of doing things will work. I've implemented it, and we get the following benefits:
- mozilla cannot write to ROLE_tmp_t
- mozilla cannot even write to ROLE_orbit_tmp_t
..same for gift

All it can do is connect to gconf over the ORBit socket. I will submit the fix as part of the restrict_home patch.
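An added example, not part of the bug report or the policy sources: a small Python model of the orbit_domain/orbit_connect macros proposed in the comments above (with the $2_orbit_tmp_t correction) that expands them for an application and a ROLE prefix and lists the types the confined application can write to, so the "no write to ROLE_tmp_t" property can be checked rather than eyeballed. The stand-in bodies of can_unix_connect and file_type_auto_trans are simplifications assumed here, not the strict policy's real macro definitions, and "user" stands in for the ROLE prefix.

```python
# Added example (not from the bug report): model the proposed
# orbit_domain/orbit_connect macros as sets of (source, target, class, perm)
# allow tuples and check which types a confined application may write to.

# Simplified stand-ins for the strict policy's helper macros. ASSUMPTION:
# the real macro bodies grant more than this; only the permissions that
# matter for the write check are modelled here.
def can_unix_connect(src, dst):
    return {(src, dst, "unix_stream_socket", "connectto")}

def file_type_auto_trans(src, parent, new, cls):
    # src creates `cls` objects under `parent`; they are labelled `new`
    return {(src, parent, "dir", "add_name"), (src, parent, "dir", "write"),
            (src, new, cls, "create"), (src, new, cls, "write")}

def orbit_domain(app, role):
    """orbit_domain($1, $2) as proposed, with the $2_orbit_tmp_t dontaudit fix."""
    a, own, role_orbit = f"{app}_t", f"{app}_orbit_tmp_t", f"{role}_orbit_tmp_t"
    rules = file_type_auto_trans(a, role_orbit, own, "sock_file")
    rules |= {(a, a, "unix_stream_socket", "create"),
              (a, a, "unix_dgram_socket", "create")}
    rules |= {(a, role_orbit, "file", p) for p in ("getattr", "read", "write", "lock")}
    # dontaudit $1_t $2_orbit_tmp_t:dir setattr grants nothing, so it adds no tuple
    return rules

def orbit_connect(app, role):
    """orbit_connect($1, $2): app and role domains may reach each other's sockets."""
    a, r = f"{app}_t", f"{role}_t"
    rules = can_unix_connect(a, r) | can_unix_connect(r, a)
    rules |= {(a, f"{role}_orbit_tmp_t", "sock_file", p) for p in ("read", "write")}
    rules |= {(r, f"{app}_orbit_tmp_t", "sock_file", p) for p in ("read", "write")}
    return rules

def app_policy(app, role):
    """The per-application user code: orbit_domain($1_app, $1) + orbit_connect($1_app, $1)."""
    prefix = f"{role}_{app}"
    return orbit_domain(prefix, role) | orbit_connect(prefix, role)

def writable_by(domain, rules):
    """Sorted list of types on which `domain` holds write on any object class."""
    return sorted({tgt for src, tgt, _cls, perm in rules
                   if src == domain and perm == "write"})

if __name__ == "__main__":
    for app in ("mozilla", "gift"):
        rules = app_policy(app, "user")   # "user" stands in for the ROLE prefix
        targets = writable_by(f"user_{app}_t", rules)
        assert "user_tmp_t" not in targets, f"{app} can still write to ROLE_tmp_t"
        print(f"user_{app}_t may write to: {targets}")
```

Run against the macros exactly as posted, the check confirms that $1_tmp_t never appears as a write target for the application domain; the remaining write targets are the application's own orbit tmp type and the role's orbit tmp type, and the role domain itself only gains write on the application's socket type.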