On 6/19/06, Daniel J Walsh dwalsh@redhat.com wrote:
Benjy Grogan wrote:
On 6/17/06, Daniel J Walsh dwalsh@redhat.com wrote:
Benjy Grogan wrote:
Hello:
On 6/15/06, Daniel J Walsh dwalsh@redhat.com wrote:
Benjy Grogan wrote:
Hello:
Would it be possible for the SELinux team at Red Hat to create an SELinux policy module for Google Earth and to show the step by step process for confining the application? I think these kinds of examples would be useful to developers attempting to create SELinux policies for other rpm packages out there. I'm not interested so much in the actual policy module, but in creating it myself from step-by-step instructions. IMHO, that would be the best way to educate developers on how to use SELinux.
Google-earth is not the best example of this but
The way I would go about it would be to first use policygentool to create my initial fc/if/te files:
# cd /tmp
# mkdir googleearth
# cd googleearth
STEP 1
# policygentool googleearth /usr/local/google-earth/googleearth-bin
answer some questions to the best of my ability
I answered the questions, but I had little idea as to what pidfiles were. As for logs, Google Earth doesn't use /var/log but I know it must log something in ~/.googleearth. That would be a directory that depends on which user is at the moment using Google Earth. There's probably a better way of specifying this after running policygentool.
I didn't know if there were any /var/lib files, so I left that alone. The module didn't have an init script, which is used by daemons/services, right? The module will be a heavy user of the network, so that was answered yes, but further restricting Google Earth's network access would be useful, such as no access 192.168.x.x.
STEP 2: add the following lines to the te file to cause the transition from unconfined_t to googleearth:
cat >> googleearth.te << __EOF
gen_require(`
	type unconfined_t;
')
First time I've seen ` and ' used.
domain_auto_trans(uncofined_t, googleearth_exec_t, googleearth_t)
This should be unconfined_t.
I had made this change. I was avoiding the policy completely by using /usr/local/google-earth/googleearth instead of /usr/local/google-earth/googleearth-bin.
When I do run googleearth-bin I get:
$ /usr/local/google-earth/googleearth-bin
/usr/local/google-earth/googleearth-bin: error while loading shared libraries: ./libcomponent.so: cannot open shared object file: No such file or directory
You should be running in permissive mode and translating avc messages to allow rules via
audit2allow -R -i /var/log/messages
Okay, I created a policy from audit2allow and used as many macros as I could where it made sense. Below I have the TE file that I wrote. This policy works fine with setenforce 0 and doesn't generate many AVCs at all anymore, except when I navigate outside of the user's home directory when saving or opening a jpeg, and I've auditdenied some of that stuff. But when I turn enforcing on, setenforce 1, I get this error:
$ googleearth
Xlib: connection to ":0.0" refused by server
Xlib: No protocol specified
There are no AVCs to be found in /var/log/messages. I figured these lines should've handled any X server issues:
# XServer set-up
xserver_use_xdm_fds(googleearth_t)
xserver_stream_connect_xdm(googleearth_t)
... but they don't.
So my Google Earth policy works in permissive mode but fails in enforcing mode without any AVCs to explain why not. Do you know how to fix this? Here's the TE I wrote:
policy_module(googleearth,1.0.7)

########################################
#
# Declarations
#

type googleearth_t;
type googleearth_exec_t;
domain_type(googleearth_t)
init_daemon_domain(googleearth_t, googleearth_exec_t)

########################################
#
# googleearth local policy
#
# Check in /etc/selinux/refpolicy/include for macros to use instead of allow rules.

# Some common macros (you might be able to remove some)
files_read_etc_files(googleearth_t)
libs_use_ld_so(googleearth_t)
libs_use_shared_libs(googleearth_t)
miscfiles_read_localization(googleearth_t)

## internal communication is often done using fifo and unix sockets.
allow googleearth_t self:fifo_file { getattr read write };
allow googleearth_t self:unix_stream_socket create_stream_socket_perms;
allow googleearth_t self:tcp_socket { connect create getopt read write };
allow googleearth_t self:udp_socket { connect create getattr read write };

# Init script handling
init_use_fds(googleearth_t)
init_use_script_ptys(googleearth_t)
domain_use_interactive_fds(googleearth_t)

gen_require(`
	type unconfined_t;
')
domain_auto_trans(unconfined_t, googleearth_exec_t, googleearth_t)

# XServer set-up
xserver_use_xdm_fds(googleearth_t)
xserver_stream_connect_xdm(googleearth_t)

# var_t stuff
gen_require(`
	type var_t;
')
allow googleearth_t var_t:file { getattr read };

# Connect to the unconfined domain using a unix domain stream socket.
unconfined_stream_connect(googleearth_t)

# Send and receive messages from an unlabeled IPSEC association.
kernel_sendrecv_unlabeled_association(googleearth_t)

# devpts_t is declared by the terminal module; require it explicitly rather
# than relying on the interfaces above having pulled it into scope.
gen_require(`
	type devpts_t;
')
allow googleearth_t devpts_t:chr_file { read write };
dev_rw_dri(googleearth_t)

# DISK ACCESS
# allow reading of libcomponent.so et al in /usr/local/
gen_require(`
	type usr_t;
')
allow googleearth_t usr_t:file { read execute getattr };
allow googleearth_t usr_t:lnk_file read;

# allow access to .googleearth in home directory
gen_require(`
	type user_home_dir_t;
	type user_home_t;
	type home_root_t;
')
allow googleearth_t user_home_dir_t:dir { getattr search read write };
allow googleearth_t user_home_dir_t:file getattr;
allow googleearth_t user_home_t:dir { add_name getattr remove_name search read write };
allow googleearth_t user_home_t:file { append getattr lock read write };
allow googleearth_t user_home_t:lnk_file { create read unlink };

# don't create AVCs outside of the user's home directory
auditdeny googleearth_t home_root_t:dir { getattr search };

# get extended attributes on files
fs_getattr_xattr_fs(googleearth_t)

# allow memory access
allow googleearth_t self:process { execmem execstack };

# kernel
gen_require(`
	type sysctl_kernel_t;
	type sysctl_t;
')
allow googleearth_t sysctl_kernel_t:dir search;
allow googleearth_t sysctl_kernel_t:file { getattr read };
allow googleearth_t sysctl_t:dir search;

# device proc
gen_require(`
	type proc_t;
')
allow googleearth_t proc_t:dir search;
allow googleearth_t proc_t:file { getattr read };

# temp dir
gen_require(`
	type tmp_t;
')
allow googleearth_t tmp_t:file getattr;
allow googleearth_t tmp_t:dir search;
allow googleearth_t tmp_t:sock_file write;

# read fonts
miscfiles_read_fonts(googleearth_t)

# network stuff
corenet_tcp_sendrecv_all_if(googleearth_t)
corenet_tcp_sendrecv_all_nodes(googleearth_t)
corenet_udp_sendrecv_all_if(googleearth_t)
corenet_udp_sendrecv_all_nodes(googleearth_t)
corenet_tcp_connect_http_port(googleearth_t)
corenet_tcp_sendrecv_http_port(googleearth_t)
corenet_udp_sendrecv_dns_port(googleearth_t)
sysnet_read_config(googleearth_t)

# unknown stuff
gen_require(`
	type ice_tmp_t;
')
allow googleearth_t ice_tmp_t:dir search;
allow googleearth_t ice_tmp_t:sock_file write;

gen_require(`
	type urandom_device_t;
')
allow googleearth_t urandom_device_t:chr_file { getattr read };
Benjy