
Re: Add SELinux protection to Pure-FTPd

Paul Howarth wrote:
Aurelien Bompard wrote:
Stephen Smalley wrote:
policy_module(pureftpd, 1.0) is preferred syntax going forward.
If you use policy_module() macro, you'll get the kernel class and
permission requires as part of it, so you won't need to explicitly
specify them each time.

Yay! Done that.

Does it truly need write access?  The library always tries to open rw
first, then falls back to read-only if it cannot open rw, so even just
reading utmp will show up in avc messages as a rw attempt.   Try just
allowing read, and dontaudit'ing the write permission.

That's right, it only needs read access. I've added:
to the module (picked from the policy sources)
Macros aka interfaces are preferred, as they preserve
modularity/encapsulation and thus make your module more portable to
other base policies.

OK. I'll use sysnet_use_ldap to allow LDAP access then.

I don't think you want to put it in /usr/share/selinux/targeted (as that
could conflict in the future with the policy package), but I would
suggest putting it under /usr/share/selinux/<packagename> or similar to
keep all policy modules under that selinux tree, unless that also
presents some kind of conflict problem?

Looks good to me, except I've placed it
in /usr/share/selinux/packages/<packagename> to avoid the base and targeted
dirs being buried under a ton of packages dirs in the future.

I've been trying to take this sort of approach with a package I'm developing. Two issues concern me at the moment:

1. I build the policy module from te/fc/if files during the package's "build" script. I get output like this:

+ /usr/bin/make -C SELinux -f /usr/share/selinux/devel/Makefile
make: Entering directory `/nis-home/phowarth/BUILD/BUILD/contagged-0.3/SELinux'
Compiling targeted contagged module
/usr/bin/checkmodule: loading policy configuration from tmp/contagged.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule: writing binary representation (version 5) to tmp/contagged.mod
Creating targeted contagged.pp policy package
make: Leaving directory `/nis-home/phowarth/BUILD/BUILD/contagged-0.3/SELinux'

This suggests to me that the resulting contagged.pp module is specific to the targeted policy (which I'm running on the host system), so it would presumably not work with other policies. Is that right? So would it be better to build and install the policy at package install time rather than package build time? Or could there be separate modules for each policy? If so, how would they be built?
You can probably build policy-agnostic at this time. Your gen_requires should suck in all of the required types and the code should pretty much work the same on strict/targeted or mls machines. Problems could arise in the future and on certain machines the semodule will fail. We do not intend to build specific loadable policy for different policy types at this time. So when/if we ship an apache.pp file it should work on targeted, strict, mls ... policies.

2. A mock build fails, presumably because mock does not mount /selinux?

+ /usr/bin/make -C SELinux -f /usr/share/selinux/devel/Makefile
cat: /selinux/mls: No such file or directory
make: Entering directory `/builddir/build/BUILD/contagged-0.3/SELinux'
/usr/share/selinux/devel/Makefile:14: /usr/share/selinux/targeted/include/Makefile: No such file or directory
make: *** No rule to make target `/usr/share/selinux/targeted/include/Makefile'. Stop.
make: Leaving directory `/builddir/build/BUILD/contagged-0.3/SELinux'
error: Bad exit status from /var/tmp/rpm-tmp.42152 (%build)

This also suggests that install-time module building is needed, at least for anything intending to go into Fedora Extras, where mock is used for the build system. I guess that would present a problem if the admin of the system wanted to change to a different policy - the module would have to be rebuilt somehow.

We build policy all of the time on machines without policy. This is a bug in the Makefile, it should take a sensible default if /selinux/mnt does not exist.
Please bugzilla.
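A minimal module in the shape this thread settles on (policy_module(), read-only utmp with the write attempt dontaudit'ed, LDAP access through sysnet_use_ldap), added here as an illustration and not taken from the Pure-FTPd package or from any poster. Interface names other than sysnet_use_ldap are assumed from the reference policy of the period and may differ between versions.

```selinux
# pureftpd.te (added example; assumed interface names are marked below)

policy_module(pureftpd, 1.0)

########################################
#
# Declarations
#

type pureftpd_t;
type pureftpd_exec_t;
# Make pureftpd_t a daemon domain entered from pureftpd_exec_t (assumed interface).
init_daemon_domain(pureftpd_t, pureftpd_exec_t)

########################################
#
# Local policy
#

# utmp: the library opens rw first and falls back to read-only, so grant
# read and silence the spurious write denial rather than allowing write
# (both interfaces assumed from the reference policy).
init_read_utmp(pureftpd_t)
init_dontaudit_write_utmp(pureftpd_t)

# LDAP backend via the interface named in the thread, not raw allow rules,
# so the module stays portable across base policies.
sysnet_use_ldap(pureftpd_t)

# Bind the FTP control port and log through syslog (assumed interface names).
corenet_tcp_bind_ftp_port(pureftpd_t)
files_read_etc_files(pureftpd_t)
logging_send_syslog_msg(pureftpd_t)
```

Built from the directory holding pureftpd.te and pureftpd.fc with the devel Makefile invocation shown above, the resulting pureftpd.pp is loaded with semodule -i pureftpd.pp.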

