please review my firefox policy?

Daniel J Walsh dwalsh at redhat.com
Fri Sep 15 16:37:50 UTC 2006


Peter Pun wrote:
> Hi Everyone,
>
> I created this firefox policy; it is probably allowing too many 
> unnecessary things. If anyone could comment on it, I'd appreciate it.
> The matter is, someone was able to break out to unconfined and disable 
> a 000 ACL on /bin/su. This is a surf machine, with no listening 
> daemons, postfix is blocked by firewall and unconfigured, not even 
> cups is running. So I think the hole must be through firefox.
>
>
Did you look at mozilla.te, mozilla.if, and mozilla.fc?

These policies already do most of what you want here.
> ------------------------------------------------------------
>
> policy_module(foxpol,1.0.5)
>
> ########################################
> #
> # Declarations
> #
> require {
>         type fonts_t;
>         type inotifyfs_t;
>         type proc_net_t;
>         type proc_t;
>         type urandom_device_t;
>         type user_home_dir_t;
>         type user_home_t;
>         type xdm_t;
>         type sysctl_kernel_t;
>         type sysctl_net_t;
>         type sysctl_t;
>         type home_root_t;
>         type fs_t;
>         type autofs_t;
>         type unconfined_execmem_t;
> };
>
If you use module interfaces you will not need this section.

/usr/share/selinux/devel/include
> type foxpol_t;
> type foxpol_exec_t;
> domain_type(foxpol_t)
> init_daemon_domain(foxpol_t, foxpol_exec_t)
>
> # log files
> type foxpol_var_log_t;
> logging_log_file(foxpol_var_log_t)
>
> # download dir, which firefox has write access to
> type foxpol_down_t;
>
> files_type(foxpol_down_t)
> # private_t dir - a labeled dir which fox cannot read, made because
> #               - fox has read access to home dir
> type private_t;
>
> ########################################
> #
> # foxpol local policy
> #
> # Check in /etc/selinux/refpolicy/include for macros to use instead of allow rules.
>
> # Some common macros (you might be able to remove some)
> files_read_etc_files(foxpol_t)
> libs_use_ld_so(foxpol_t)
> libs_use_shared_libs(foxpol_t)
> miscfiles_read_localization(foxpol_t)
> ## internal communication is often done using fifo and unix sockets.
> allow foxpol_t self:fifo_file { read write };
> allow foxpol_t self:unix_stream_socket create_stream_socket_perms;
>
> # log files
> allow foxpol_t foxpol_var_log_t:file create_file_perms;
> allow foxpol_t foxpol_var_log_t:sock_file create_file_perms;
> allow foxpol_t foxpol_var_log_t:dir { rw_dir_perms setattr };
> logging_log_filetrans(foxpol_t,foxpol_var_log_t,{ sock_file file dir })
>
> ## Networking basics (adjust to your needs!)
> sysnet_dns_name_resolve(foxpol_t)
> corenet_tcp_sendrecv_all_if(foxpol_t)
> corenet_tcp_sendrecv_all_nodes(foxpol_t)
> corenet_tcp_sendrecv_all_ports(foxpol_t)
> corenet_non_ipsec_sendrecv(foxpol_t)
> corenet_tcp_connect_http_port(foxpol_t)
> #corenet_tcp_connect_all_ports(foxpol_t)
> ## if it is a network daemon, consider these:
> #corenet_tcp_bind_all_ports(foxpol_t)
> #corenet_tcp_bind_all_nodes(foxpol_t)
> allow foxpol_t self:tcp_socket { listen accept };
>
> # Init script handling
> init_use_fds(foxpol_t)
> init_use_script_ptys(foxpol_t)
> domain_use_interactive_fds(foxpol_t)
>
> # ok copy files to download dir
> allow unconfined_t foxpol_down_t:dir { add_name getattr setattr read 
> relabelto remove_name search write rmdir };
> allow unconfined_t foxpol_down_t:file { execute create getattr setattr 
> read write append rename link unlink ioctl lock };
>
You should not need these rules; unconfined domains can do anything they 
want to the system, although you probably want a transition from 
unconfined_*t to foxpol_t.
> # ok unconfined processes to open files in download dir
> allow unconfined_execmem_t foxpol_down_t:dir { create getattr setattr 
> read write link unlink rename search add_name remove_name reparent 
> rmdir lock ioctl } ;
> allow unconfined_execmem_t foxpol_down_t:file { create getattr setattr 
> read write append rename link unlink ioctl lock };
>
> # ok fox to write to download dir
> allow foxpol_t foxpol_down_t:dir { add_name create getattr read search 
> write remove_name };
> allow foxpol_t foxpol_down_t:file { create setattr getattr read write 
> rename unlink append };
>
Please use define statements like rw_dir_perms and create_file_perms.  
They make the policy easier to read.
> # ok unconfined process to open files in private dir
> allow unconfined_execmem_t private_t:dir { create getattr setattr read 
> write link unlink rename search add_name remove_name reparent rmdir 
> lock ioctl };
> allow unconfined_execmem_t private_t:file { create getattr setattr 
> read write append rename link unlink ioctl lock };
> allow unconfined_t private_t:dir { create getattr setattr read write 
> link unlink rename search add_name remove_name reparent relabelfrom 
> relabelto rmdir lock ioctl };
> allow unconfined_t private_t:file {  relabelto create getattr setattr 
> read write append rename link unlink ioctl lock };
> allow private_t fs_t:filesystem associate;
>
> # ok fox to create new stuff in .mozilla
> allow foxpol_t foxpol_var_log_t:dir create;
>
>
>
> #
> # audit2allow says it wants all the stuff below, it also wanted exec rights to bin_t which I removed
> #
You might want to try audit2allow -R for these and try to use reference 
policy.
> allow foxpol_down_t fs_t:filesystem associate;
> allow foxpol_t autofs_t:dir getattr;
> allow foxpol_t fonts_t:dir { getattr read search };
> allow foxpol_t fonts_t:file { getattr read };
> allow foxpol_t foxpol_down_t:dir { add_name create getattr read search 
> write };
> allow foxpol_t foxpol_down_t:file { create getattr write };
> allow foxpol_t self:fifo_file getattr;
> allow foxpol_t self:netlink_route_socket { bind create getattr 
> nlmsg_read read write };
> allow foxpol_t self:process { getsched setsched signal };
> allow foxpol_t self:shm { create destroy read unix_read unix_write 
> write };
> allow foxpol_t self:unix_dgram_socket create;
> allow foxpol_t foxpol_var_log_t:lnk_file { create unlink };
> allow foxpol_t home_root_t:dir { getattr read search };
> allow foxpol_t inotifyfs_t:dir { getattr read };
> allow foxpol_t proc_net_t:dir { read search };
> allow foxpol_t proc_net_t:file { getattr read };
> allow foxpol_t proc_t:file { getattr read };
> allow foxpol_t sysctl_kernel_t:dir search;
> allow foxpol_t sysctl_kernel_t:file read;
> allow foxpol_t sysctl_net_t:dir search;
> allow foxpol_t sysctl_t:dir search;
> allow foxpol_t tmp_t:dir { add_name getattr read remove_name search 
> setattr write };
> allow foxpol_t tmp_t:file { create getattr lock read unlink write };
> allow foxpol_t tmp_t:sock_file { create unlink write };
> allow foxpol_t tmpfs_t:file { read write };
> # allow foxpol_t unconfined_t:unix_stream_socket connectto;
> allow foxpol_t urandom_device_t:chr_file { getattr ioctl read };
> allow foxpol_t user_home_dir_t:dir { getattr read search };
> allow foxpol_t user_home_t:dir { getattr read search };
> allow foxpol_t user_home_t:file { getattr read };
> allow foxpol_t usr_t:file { getattr read };
> allow foxpol_t usr_t:lnk_file read;
> allow foxpol_t xdm_t:unix_stream_socket connectto;
>
> ------------------------------------------------------------------------
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
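A small policy linter, added here as an example and not part of either message, that applies Dan's two review points mechanically: it joins the mail-wrapped allow rules, flags rules whose source is an unconfined_* domain, and names the refpolicy define (rw_dir_perms, create_file_perms, ...) whose permission set a rule spells out by hand. The PERM_SETS values are my reading of the 2006-era obj_perm_sets.spt and are an assumption; check them against your installed policy/support/obj_perm_sets.spt.

```python
import re

# Permission-set defines from refpolicy's obj_perm_sets.spt (2006-era values,
# assumed here; verify against the installed policy/support/obj_perm_sets.spt).
PERM_SETS = {
    "r_file_perms": {"read", "getattr", "lock", "ioctl"},
    "r_dir_perms": {"read", "getattr", "lock", "search", "ioctl"},
    "rw_file_perms": {"read", "getattr", "lock", "ioctl", "write", "append"},
    "rw_dir_perms": {"read", "getattr", "lock", "search", "ioctl",
                     "add_name", "remove_name", "write"},
    "create_file_perms": {"create", "ioctl", "read", "getattr", "lock", "write",
                          "setattr", "append", "link", "unlink", "rename"},
    "create_dir_perms": {"create", "read", "getattr", "lock", "setattr", "ioctl",
                         "link", "unlink", "rename", "search", "add_name",
                         "remove_name", "reparent", "write", "rmdir"},
}

# allow <source> <target>:<class> <perm | { perms }> ;
ALLOW_RE = re.compile(r"\ballow\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+)\s*;")

def parse_allow_rules(policy_text):
    """Return (source, target, class, perms) for every allow rule in a .te fragment."""
    no_comments = re.sub(r"#[^\n]*", "", policy_text)   # drop '#' comments first
    text = re.sub(r"\s+", " ", no_comments)              # rejoin rules wrapped by the mailer
    rules = []
    for m in ALLOW_RE.finditer(text):
        perms = set(m.group(4).strip("{} ").split())
        rules.append((m.group(1), m.group(2), m.group(3), perms))
    return rules

def suggest_macro(perms):
    """Exact define for this perm set, else the smallest define that contains it, else None."""
    for name, ps in PERM_SETS.items():
        if perms == ps:
            return name
    supersets = [(len(ps), name) for name, ps in PERM_SETS.items() if perms < ps]
    return "subset of " + min(supersets)[1] if supersets else None

def lint(policy_text):
    """One finding per issue: rules granted to unconfined_* and hand-spelled perm sets."""
    findings = []
    for src, tgt, cls, perms in parse_allow_rules(policy_text):
        if src.startswith("unconfined_"):
            findings.append(f"{src} {tgt}:{cls}: unconfined domains need no allow rules")
        macro = suggest_macro(perms) if len(perms) > 1 else None
        if macro:
            findings.append(f"{src} {tgt}:{cls}: use {macro}")
    return findings
```

Running lint() over the quoted policy reports, for example, that the unconfined_execmem_t file rule on foxpol_down_t spells out exactly create_file_perms and the dir rule exactly create_dir_perms.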