Bug 155799 - Restricting ORBit socket rules
Status: CLOSED WORKSFORME
Product: Fedora
Classification: Fedora
Component: selinux-policy-strict
Version: rawhide
Hardware: i386 Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
Reported: 2005-04-23 09:06 EDT by Ivan Gyurdiev
Modified: 2007-11-30 17:11 EST
Last Closed: 2005-04-29 14:09:33 EDT
Doc Type: Bug Fix
Attachments: None
Description Ivan Gyurdiev 2005-04-23 09:06:25 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.7) Gecko/20050416 Fedora/1.0.3-2 Firefox/1.0.3

Description of problem:
ORBit socket rules are used presently in the mozilla and gift policy,
and are allowing those applications to interact with the ROLE_tmp_t
domain, which seems undesirable. They allow mozilla to write to a 
ROLE_tmp_t:file for example. GConf also requires such rules. 

This bug is to track fixing this issue - I do not understand how ORBit works well enough at this point to fix this. I think some change in labeling might be needed.

Here, for example, are the mozilla rules:

# ORBit sockets
file_type_auto_trans($1_mozilla_t, $1_tmp_t, $1_mozilla_tmp_t)
can_unix_connect($1_t, $1_mozilla_t)
allow $1_t $1_mozilla_tmp_t:sock_file write;
allow $1_mozilla_t $1_tmp_t:file { getattr read write lock };
allow $1_mozilla_t $1_tmp_t:sock_file { read write };
dontaudit $1_mozilla_t $1_tmp_t:dir setattr;

Here are the gift rules:

# Tmp/ORBit
tmp_domain($1_gift)
file_type_auto_trans($1_gift_t, $1_tmp_t, $1_gift_tmp_t)
can_unix_connect($1_t, $1_gift_t)
can_unix_connect($1_gift_t, $1_t)
allow $1_t $1_gift_tmp_t:sock_file write;
allow $1_gift_t $1_tmp_t:file { getattr read write lock };
allow $1_gift_t $1_tmp_t:sock_file { read write };
dontaudit $1_gift_t $1_tmp_t:dir setattr;

Here are the rules GConf appears to require
(I've changed GConf to run in its own domain):

+# Unix sockets (/tmp/orbit-username)
+tmp_domain($1_gconfd)
+file_type_auto_trans($1_gconfd_t, $1_tmp_t, $1_gconfd_tmp_t)
+allow $1_gconfd_t $1_tmp_t:dir rw_dir_perms;
+allow $1_gconfd_t tmp_t:dir search;
+allow $1_gconfd_t self:unix_stream_socket create_stream_socket_perms;
+allow $1_gconfd_t self:unix_dgram_socket create_socket_perms;
+can_unix_connect($1_gconfd_t, $1_t)
+allow $1_gconfd_t $1_tmp_t:sock_file write;
+allow $1_gconfd_t $1_tmp_t:file rw_file_perms;
+dontaudit $1_gconfd_t $1_tmp_t:dir setattr;
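Review bot: `allow $1_gconfd_t $1_tmp_t:file rw_file_perms;` together with `allow $1_gconfd_t $1_tmp_t:dir rw_dir_perms;` gives gconfd read/write over everything the role creates in $1_tmp_t, which is the same cross-domain access to ROLE_tmp_t that the description objects to for mozilla and gift; if /tmp/orbit-username is given its own type, both lines can be narrowed to that type, and the `$1_tmp_t:sock_file write` line can follow it.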


Version-Release number of selected component (if applicable):
selinux-policy-strict-1.23.12-1

How reproducible:
Didn't try

Steps to Reproduce:


Additional info:
Comment 1 Ivan Gyurdiev 2005-04-29 11:23:16 EDT
Does the following make any sense?

$1_orbit_tmp_t is the type of /tmp/orbit-USER 
(remember the USER expansion I wrote about on NSA-list)

# ORBit connections
define(`orbit_domain', `
type $1_orbit_tmp_t, file_type, sysadmfile;
file_type_auto_trans($1_t, $2_orbit_tmp_t, $1_orbit_tmp_t, sock_file)

allow $1_t self:unix_stream_socket create_stream_socket_perms;
allow $1_t self:unix_dgram_socket create_socket_perms;

allow $1_t $2_orbit_tmp_t:file { getattr read write lock };
dontaudit $1_t $1_orbit_tmp_t:dir setattr;
')

define(`orbit_connect', `
can_unix_connect($1_t, $2_t)
can_unix_connect($2_t, $1_t)
allow $1_t $2_orbit_tmp_t:sock_file { read write };
allow $2_t $1_orbit_tmp_t:sock_file { read write };
')

Then the user code looks like this - as simple as possible,
and no more mixing with ROLE_tmp_t:

# ORBit sockets
orbit_domain($1_mozilla, $1)
orbit_connect($1_mozilla, $1)
Comment 2 Ivan Gyurdiev 2005-04-29 11:25:21 EDT
dontaudit $1_t $1_orbit_tmp_t:dir setattr;

This should be dontaudit $1_t $2_orbit_tmp_t:dir setattr;
obviously. $2 is the ROLE prefix.
Comment 3 Ivan Gyurdiev 2005-04-29 14:09:33 EDT
Closing this bug - I think my scheme of doing things will work.
I've implemented it, and we get the following benefits:

- mozilla cannot write to ROLE_tmp_t
- mozilla cannot even write to ROLE_orbit_tmp_t

...same for gift

All it can do is connect to gconf over the ORBit socket.

I will submit the fix as part of the restrict_home patch.
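As an added illustration, not code from this bug or from selinux-policy-strict, the following Python script expands the original mozilla rules from the description and the orbit_domain/orbit_connect macros from comment 1 (with the dontaudit correction from comment 2) for the user role, then reports which source domains are granted write on a given type. The regex-based allow-rule matcher and the treatment of rw_file_perms as a write grant are this script's own assumptions.

```python
"""Constructed example: expand the old mozilla rules (bug description) and the
orbit_domain/orbit_connect macros (comment 1, dontaudit fixed as in comment 2)
for a role prefix, then list which domains may write a given type:class."""
import re

OLD_MOZILLA = """
file_type_auto_trans($1_mozilla_t, $1_tmp_t, $1_mozilla_tmp_t)
can_unix_connect($1_t, $1_mozilla_t)
allow $1_t $1_mozilla_tmp_t:sock_file write;
allow $1_mozilla_t $1_tmp_t:file { getattr read write lock };
allow $1_mozilla_t $1_tmp_t:sock_file { read write };
dontaudit $1_mozilla_t $1_tmp_t:dir setattr;
"""
ORBIT_DOMAIN = """
type $1_orbit_tmp_t, file_type, sysadmfile;
file_type_auto_trans($1_t, $2_orbit_tmp_t, $1_orbit_tmp_t, sock_file)
allow $1_t self:unix_stream_socket create_stream_socket_perms;
allow $1_t self:unix_dgram_socket create_socket_perms;
allow $1_t $2_orbit_tmp_t:file { getattr read write lock };
dontaudit $1_t $2_orbit_tmp_t:dir setattr;
"""
ORBIT_CONNECT = """
can_unix_connect($1_t, $2_t)
can_unix_connect($2_t, $1_t)
allow $1_t $2_orbit_tmp_t:sock_file { read write };
allow $2_t $1_orbit_tmp_t:sock_file { read write };
"""

def expand(body, *args):
    """Substitute $1, $2, ... as m4 would for these argument-only macros."""
    for i, arg in enumerate(args, start=1):
        body = body.replace(f"${i}", arg)
    return [ln.strip() for ln in body.strip().splitlines()]

# Matches "allow SRC TGT:CLASS PERMS;" where PERMS is a name or a { ... } set (assumption).
ALLOW_RE = re.compile(r"^allow (\S+) (\S+):(\S+) (\{[^}]*\}|\S+);$")

def writers_of(rules, target_type, obj_class="file"):
    """Source domains granted 'write' (explicit or via rw_file_perms) on target_type:obj_class."""
    writers = set()
    for rule in rules:
        m = ALLOW_RE.match(rule)
        if m and m[2] == target_type and m[3] == obj_class and ("write" in m[4] or m[4] == "rw_file_perms"):
            writers.add(m[1])
    return writers

def old_rules(role="user"):
    return expand(OLD_MOZILLA, role)

def new_rules(role="user"):  # orbit_domain($1_mozilla, $1) followed by orbit_connect($1_mozilla, $1)
    return expand(ORBIT_DOMAIN, f"{role}_mozilla", role) + expand(ORBIT_CONNECT, f"{role}_mozilla", role)
```

With the old rules, user_mozilla_t may write user_tmp_t files; with the macro scheme it may only write the orbit types, and user_t reaches mozilla's socket only through user_mozilla_orbit_tmp_t.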
