Bug 451948 - prelude patch
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
Version: 9
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-06-18 06:15 EDT by Dominick Grift
Modified: 2008-11-17 17:04 EST (History)

Doc Type: Bug Fix
Last Closed: 2008-11-17 17:04:41 EST
Attachments
patch1 (5.12 KB, application/octet-stream) - 2008-06-18 06:15 EDT, Dominick Grift
patch2 (1.21 KB, application/octet-stream) - 2008-06-18 06:17 EDT, Dominick Grift
prelude.fc (955 bytes, application/octet-stream) - 2008-06-22 07:29 EDT, Daniel Walsh
prelude.te (6.92 KB, application/octet-stream) - 2008-06-22 07:29 EDT, Daniel Walsh
snort.te (2.05 KB, application/octet-stream) - 2008-06-22 09:24 EDT, Dominick Grift
snort.if (1.91 KB, application/octet-stream) - 2008-06-22 09:25 EDT, Dominick Grift
snort.fc (589 bytes, application/octet-stream) - 2008-06-22 09:25 EDT, Dominick Grift

Description Dominick Grift 2008-06-18 06:15:20 EDT
Description of problem:
After doing this howto: http://people.redhat.com/sgrubb/audit/prelude.txt
I noticed some issues in the prelude policy.

Some highlights are:
- the patch to the prelude init script needed an escape character
- policy for prelude-lml was missing
- policy for prewikka was coarse and didn't have a files config file

These patches are against 331-48 f9.

Comment 1 Dominick Grift 2008-06-18 06:15:20 EDT
Created attachment 309716 [details]
patch1
Comment 2 Dominick Grift 2008-06-18 06:17:04 EDT
Created attachment 309717 [details]
patch2
Comment 3 Daniel Walsh 2008-06-22 07:29:36 EDT
Created attachment 309993 [details]
prelude.fc
Comment 4 Daniel Walsh 2008-06-22 07:29:58 EDT
Created attachment 309994 [details]
prelude.te
Comment 5 Dominick Grift 2008-06-22 08:43:37 EDT
Thanks. Looks good. Although I wanted the files_config_file for prewikka because
it has a mysql password in there.

Also I noticed that you removed the gamin optional policy block for prelude-lml.
Not sure why, but it seemed needed when I tried it.

Also I think domain_use_interactive_fds(prelude_lml_t) may not be required.
Comment 6 Daniel Walsh 2008-06-22 08:52:19 EDT
So you are trying to prevent other domains from reading the config file?

In that case you might want to label it something like prewikka_secret_t and not
give it files_config_file, since files_config_file allows all domains to read it, just like
etc_t.

gamin_ is a bad thing to use for a system service, since it is long running and
shared by other domains.  So it causes SELinux problems when it is run.  gamin
policy is not being shipped so this optional block will not be executed.

The gamin policy is also pretty broken right now.

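The labelling choice discussed in comment 6, as an added illustration that is not part of the attached prelude.te/prelude.fc. It assumes the domain name prewikka_t and the config file path; prewikka_secret_t is the name suggested above. The point is that a type carrying only files_type() grants nothing to anyone until a rule names it, whereas files_config_file() places the type under the generic config-file attribute that interfaces such as files_read_config_files() hand out to many domains:

```selinux
# prewikka.te fragment (added example, assumed names and path)

########################################
#
# Declarations
#

# Dedicated type for the file holding the MySQL password.
# files_type() only marks it as a file type; no domain can read it
# until a rule below says so.
type prewikka_secret_t;
files_type(prewikka_secret_t)

# What NOT to do for a secret: files_config_file() would add the
# configfile attribute, and every domain that calls
# files_read_config_files() could then read the password.
#
#	type prewikka_etc_t;
#	files_config_file(prewikka_etc_t)

########################################
#
# prewikka local policy
#

# Only the prewikka domain may read the secret; the parent directory
# stays etc_t, so the domain needs search on etc_t as well.
files_search_etc(prewikka_t)
allow prewikka_t prewikka_secret_t:file read_file_perms;

# prewikka.fc (assumed path for the config file):
#	/etc/prewikka/prewikka\.conf	--	gen_context(system_u:object_r:prewikka_secret_t,s0)
```

After loading such a policy, sesearch -A -t prewikka_secret_t -c file should list only prewikka_t as a source domain; any extra domain showing up there means the type was pulled into a broad attribute by mistake.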
Comment 7 Dominick Grift 2008-06-22 09:22:48 EDT
Understood. I also noticed you didn't declare a domain type for prelude-lml.
Interface admin_prelude needs an update to reflect prelude-lml.

Also we need a prelude_manage_spool() for snort.

Comment 8 Dominick Grift 2008-06-22 09:24:23 EDT
Created attachment 309995 [details]
snort.te
Comment 9 Dominick Grift 2008-06-22 09:25:01 EDT
Created attachment 309996 [details]
snort.if
Comment 10 Dominick Grift 2008-06-22 09:25:34 EDT
Created attachment 309997 [details]
snort.fc
Comment 11 Dominick Grift 2008-06-22 09:56:48 EDT
files_search_spool(snort_t) should be in that optional_policy block for prelude,
since any domain will need to be able to search spool to be able to append to
prelude's spool files.
Comment 12 Dominick Grift 2008-06-22 10:22:11 EDT
########################################
## <summary>
##	Append to prelude-manager spool files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`prelude_write_spool_files',`
	gen_require(`
		type prelude_spool_t;
	')

	# the caller must be able to reach /var/spool before it can reach prelude's directory
	files_search_spool($1)
	allow $1 prelude_spool_t:dir { read search getattr };
	allow $1 prelude_spool_t:file { read lock getattr write append };
')
Comment 13 Daniel Walsh 2008-06-23 08:20:24 EDT
Fixed in selinux-policy-3.3.1-70.fc9.noarch
Comment 14 Dominick Grift 2008-06-23 11:09:33 EDT
Thanks. One small issue left:

#============= snort_t ==============
allow snort_t prelude_spool_t:dir read;

and this, but you have explained why:

#============= prelude_lml_t ==============
allow prelude_lml_t gamin_exec_t:file { read execute };
Comment 15 Dominick Grift 2008-06-23 11:30:08 EDT
By the way, should corenet_tcp_connect_prelude_port(snort_t) not be in the
optional policy block designated for prelude? I know the port is defined in
corenetwork, but if there is no prelude module then there likely won't be a
prelude_port_type.
Comment 16 Daniel Walsh 2008-06-24 06:35:07 EDT
No, other policies might not include the prelude policy but would still define
the prelude port.

Fixed in selinux-policy-3.3.1-71.fc9.noarch
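How the placement questions from comments 11, 15 and 16 fit together in snort's policy, as an added example that is not the attached snort.te. It assumes snort_t is the snort domain and uses the prelude_write_spool_files() interface from comment 12; snort's unrelated rules are left out:

```selinux
# snort.te fragment (added example, not the attachment)

# The prelude port type comes from corenetwork, not from the prelude
# module, so this call resolves even on a system without prelude policy
# and stays outside the optional block (comment 16).
corenet_tcp_connect_prelude_port(snort_t)

# Everything that names a type from the prelude module goes into an
# optional_policy block: if prelude.pp is not loaded, the block is
# simply skipped and snort.pp still builds and installs.
optional_policy(`
	# The interface itself carries files_search_spool($1), so the
	# search on var_spool_t needed to reach prelude's directory is
	# granted only when prelude is present (comment 11), and the
	# dir { read search getattr } it grants covers the denial
	# "allow snort_t prelude_spool_t:dir read;" seen in comment 14.
	prelude_write_spool_files(snort_t)
')
```

Put differently: a rule belongs inside optional_policy(`prelude ...') exactly when removing the prelude module would make it fail to compile; a rule that only references corenetwork types belongs outside, even if it is only useful when prelude is running.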
Comment 17 Daniel Walsh 2008-11-17 17:04:41 EST
Closing all bugs that have been in modified for over a month.  Please reopen if the bug is not actually fixed.