SElinux policy for pine

James Z. Li james.zheng.li at gmail.com
Mon Aug 1 01:04:01 UTC 2005


I was wondering whether the strict policy could solve this problem.
Thanks a lot.

James

On 7/28/05, James Z. Li <james.zheng.li at gmail.com> wrote:
> Hi all,
> 
> First, sorry for my English.
> I wrote a set of SELinux policy rules for pine (pine-4.63-1.i386.rpm)
> on FC4 (targeted).
> It works well IF no email attachments are involved. As root, you are able
> to browse the whole filesystem: get a file from anywhere as an attachment
> or save an attachment to anywhere you like. Does this make the security
> policy totally broken?
> 
> At the same time, I was also evaluating LIDS (lids.org). As for pine
> under LIDS, it has the same problem: it requires WRITE (including READ)
> permission to "/" (inode number of "/"). For SELinux, since the policy is
> based on domain/type, it is even worse in the sense of policy writing: it
> requires one rw_dir_file rule for each of several hundred types on the
> whole filesystem, so several hundred rules will be added.
> 
> I was wondering whether there is a chroot mode for pine, but I could not
> find any useful info.
> 
> Another potential way to solve this problem is to create a directory
> under the user's (root's) home directory which is used only to store
> email attachments: you need to copy files from everywhere else to this
> directory before you can upload them as outgoing attachments, and all
> incoming attachments will be saved to this directory first; then you can
> copy or move them to somewhere else. By doing this, we can write a
> corresponding policy to label this directory and grant permissions.
> 
> Any suggestions?
> 
> James
> 
> Enclosed please find my pine.fc and pine.te files.
> 
> ################################
> #/etc/selinux/targeted/src/policy/file_contexts/program/pine.fc
> # pine.fc
> # Authors:  james.zheng.li at gmail.com
> ################################
> # pine and the helper binaries shipped with it all run in pine_t
> /usr/bin/mailutil               --      system_u:object_r:pine_exec_t
> /usr/bin/pico                   --      system_u:object_r:pine_exec_t
> /usr/bin/pilot                  --      system_u:object_r:pine_exec_t
> /usr/bin/pine                   --      system_u:object_r:pine_exec_t
> /usr/bin/rpdump                 --      system_u:object_r:pine_exec_t
> /usr/bin/rpload                 --      system_u:object_r:pine_exec_t
> /usr/sbin/mlock                 --      system_u:object_r:pine_exec_t
> 
> # system-wide pine configuration
> /etc/pine\.info                 --      system_u:object_r:pine_etc_t
> /etc/pine\.conf                 --      system_u:object_r:pine_etc_t
> /etc/pine\.conf\.fixed          --      system_u:object_r:pine_etc_t
> 
> # per-user pine state: mail folders, address book, rc files, debug logs
> HOME_DIR/mail(/.*)?                     system_u:object_r:pine_user_home_t
> HOME_DIR/\.addressbook(\.lu)?   --      system_u:object_r:pine_user_home_t
> HOME_DIR/\.pine-debug[1-4]      --      system_u:object_r:pine_user_home_t
> HOME_DIR/\.pinerc               --      system_u:object_r:pine_user_home_t
> HOME_DIR/\.newsrc               --      system_u:object_r:pine_user_home_t
> HOME_DIR/\.signature            --      system_u:object_r:pine_user_home_t
> HOME_DIR/\.mailcap              --      system_u:object_r:pine_user_home_t
> HOME_DIR/\.mime\.types          --      system_u:object_r:pine_user_home_t
> HOME_DIR/\.pine-interrupted-mail        --      system_u:object_r:pine_user_home_t
> HOME_DIR/dead\.letter           --      system_u:object_r:pine_user_home_t
> 
> #################################
> #/etc/selinux/targeted/src/policy/domains/program/pine.te
> # pine.te
> # Authors:  james.zheng.li at gmail.com
> #################################
> #
> # Rules for the pine domain.
> #
> # pine_t is the domain for the pine program
> # pine_exec_t is the type of the corresponding program.
> #
> type pine_t, domain, privmail, nscd_client_domain;
> type pine_exec_t, file_type, sysadmfile, exec_type;
> type pine_user_home_t, file_type, sysadmfile, customizable;
> type pine_etc_t, file_type, sysadmfile;
> 
> role sysadm_r types pine_t;
> role system_r types pine_t;
> #role user_r types pine_t;
> 
> # Enter pine_t when sysadm_t executes a pine_exec_t binary.
> domain_auto_trans(sysadm_t, pine_exec_t, pine_t)
> #domain_auto_trans(initrc_t, pine_exec_t, pine_t)
> 
> # Files and directories pine creates directly in the home directory
> # get pine_user_home_t instead of the default user_home_t.
> file_type_auto_trans(pine_t, user_home_dir_t, pine_user_home_t, dir_file_class_set)
> general_domain_access(pine_t)
> # Gives pine_t its own pine_tmp_t type for files under /tmp.
> tmp_domain(pine)
> # pine runs its helpers (pico, pilot, ...) in the same domain.
> can_exec(pine_t, pine_exec_t)
> 
> read_sysctl(pine_t)
> uses_shlib(pine_t)
> # Terminal access.
> allow pine_t devpts_t:chr_file create_file_perms;
> allow pine_t devpts_t:dir search;
> # System configuration, locale and resolver files.
> allow pine_t etc_t:file { getattr read };
> allow pine_t etc_t:lnk_file read;
> # /etc/pine.conf and friends are labelled pine_etc_t by pine.fc, so the
> # etc_t rule above does not cover them; this rule was missing.
> allow pine_t pine_etc_t:file r_file_perms;
> read_locale(pine_t)
> allow pine_t net_conf_t:file r_file_perms;
> # Local mail spool under /var/spool/mail.
> allow pine_t var_spool_t:dir search;
> allow pine_t mail_spool_t:dir rw_dir_perms;
> allow pine_t mail_spool_t:file create_file_perms;
> allow pine_t proc_t:dir search;
> allow pine_t proc_t:lnk_file read;
> allow pine_t urandom_device_t:chr_file getattr;
> allow pine_t usr_t:file read;
> allow pine_t fs_t:filesystem getattr;
> allow pine_t sbin_t:dir search;
> allow pine_t sbin_t:lnk_file read;
> # sendmail (system_mail_t) reads the outgoing message pine hands to it.
> allow system_mail_t pine_tmp_t:file { read write };
> allow system_mail_t pine_user_home_t:file { read write };
> # Needed to get from /home (home_root_t) into the user's home directory.
> allow pine_t home_root_t:dir { getattr search };
> allow pine_t self:capability { fsetid fowner };
>
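The dedicated attachment directory described in the quoted message, written out as an added policy fragment in the same FC4 example-policy style as the posted pine.fc and pine.te. This is not James's code and not part of the pine package; the directory name HOME_DIR/attachments and the type name pine_attach_t are assumptions chosen for the illustration.

```selinux
# Added example, not from the original post.  Assumed names:
# HOME_DIR/attachments (the one directory pine may exchange files with)
# and pine_attach_t (its type); both are hypothetical.

##### pine.fc addition #####
# The directory itself and everything created beneath it.
HOME_DIR/attachments(/.*)?              system_u:object_r:pine_attach_t

##### pine.te addition #####
# pine_attach_t: the only place pine_t may read outgoing attachments
# from or save incoming attachments to, apart from its own rc files,
# mail folders and pine_tmp_t.
type pine_attach_t, file_type, sysadmfile;

# List, add and remove entries in the attachment directory
# (rw_dir_perms = read/getattr/lock/search/ioctl/add_name/remove_name/write).
allow pine_t pine_attach_t:dir rw_dir_perms;

# Read outgoing attachments, create and write incoming ones.  A file
# created inside a pine_attach_t directory inherits pine_attach_t by
# default, so no file_type_auto_trans rule is needed for this directory.
allow pine_t pine_attach_t:file create_file_perms;

# Deliberately absent: no rule grants pine_t access to types the posted
# pine.te does not already allow (shadow_t, user_home_t, etc_t writes...),
# so "save attachment to /etc/..." or "attach /etc/shadow" is denied and
# logged as an AVC denial rather than being expressed as hundreds of
# per-type rw_dir_file rules.
```

After adding both fragments, rebuild and load the policy from /etc/selinux/targeted/src/policy (make load with the FC4 policy sources), create the directory, and relabel it with restorecon -R on it (or chcon -t pine_attach_t if the HOME_DIR entry was not picked up); ls -Zd on the directory should show pine_attach_t. A quick check of the confinement is to save an attachment from pine into /etc and then into the attachment directory: the first should fail and leave an avc: denied line in the audit log, the second should succeed and the saved file should carry pine_attach_t. The user's own shell is not confined by this policy, so copying files in and out of the directory with cp or mv works as usual.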




More information about the fedora-selinux-list mailing list