/sbin/fixfiles bug (was Re: fixfile.cron added.)

Daniel J Walsh dwalsh at redhat.com
Thu Jul 8 15:30:50 UTC 2004


Russell Coker wrote:

>On Sun, 4 Jul 2004 03:47, Valdis.Kletnieks at vt.edu wrote:
>  
>
>>/usr/sbin/setfiles:  labeling files under /var
>>/usr/sbin/setfiles:  relabeling /var/lib/scrollkeeper/TOC/464 from
>>root:object_r:rpm_var_lib_t to system_u:object_r:var_lib_t
>>/usr/sbin/setfiles:  relabeling /var/lib/scrollkeeper/index/464 from
>>root:object_r:rpm_var_lib_t to system_u:object_r:var_lib_t
>>    
>>
>
>It seems that rpm_var_lib_t doesn't differ much in access from var_lib_t.  I 
>think that it would be appropriate to remove the line var_lib_domain(rpm) and 
>allow the rpm files in question to have type var_lib_t.
>
>Dan, what do you think?
>  
>
I agree.

>Of course we have another problem in that rpm_t should not be creating such 
>files, the script which does so should run as rpm_script_t.
>
>  
>
Don't know why.

>>/usr/sbin/setfiles:  relabeling /var/run/lpd.515 from
>>system_u:object_r:lpd_var_run_t to system_u:object_r:var_run_t
>>    
>>
>
>What is this lpd.515 file?  Is that always the name for it?  We need to get a 
>matching entry in lpd.fc.
>  
>
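Added this entry to lpd.fc:

/var/run/lpd.*            system_u:object_r:lpd_var_run_t

(The pattern is a regular expression, so it matches any path beginning with /var/run/lpd, not only lpd.515.)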

>  
>
>>/usr/sbin/setfiles:  relabeling /var/run/lprng from
>>system_u:object_r:var_run_t to system_u:object_r:lpd_var_run_t
>>/usr/sbin/setfiles:  hash table stats: 1264 elements, 1264/65536 buckets
>>used, longest chain len
>>    
>>
>
>How is this created?  Does an init.d script run mkdir?
>
>  
>
>>OK... So I have 4 files with context issues on /var (which is an issue in
>>and of itself, but not the point here). badfilecontexts however contains:
>>
>>/var/lib/rpm/__db.001
>>/var/lib/rpm/__db.002
>>/var/lib/rpm/__db.003
>>    
>>
>
>What is the context of these?
>
>  
>
>------------------------------------------------------------------------
>
># bootloader
>/etc/lilo\.conf.*	--	system_u:object_r:bootloader_etc_t
>/initrd\.img.*		-l	system_u:object_r:boot_t
>/sbin/lilo.*		--	system_u:object_r:bootloader_exec_t
>/sbin/grub.*		--	system_u:object_r:bootloader_exec_t
>/vmlinuz.*		-l	system_u:object_r:boot_t
>/usr/sbin/mkinitrd	--	system_u:object_r:bootloader_exec_t
>/sbin/mkinitrd		--	system_u:object_r:bootloader_exec_t
>/etc/mkinitrd/scripts/.* --	system_u:object_r:bootloader_exec_t
>/sbin/ybin.*		--	system_u:object_r:bootloader_exec_t
>/etc/yaboot\.conf.*	--	system_u:object_r:bootloader_etc_t
>/boot/grub/menu.lst	--	system_u:object_r:boot_runtime_t
>  
>
>------------------------------------------------------------------------
>
>#DESC Initrc - System initialization scripts
>#
># Authors:  Stephen Smalley <sds at epoch.ncsc.mil> and Timothy Fraser  
># X-Debian-Packages: sysvinit policycoreutils
>#
>
>#################################
>#
># Rules for the initrc_t domain.
>#
># initrc_t is the domain of the init rc scripts.
># initrc_exec_t is the type of the init program.
>#
>ifdef(`sendmail.te', `
># do not use privmail for sendmail as it creates a type transition conflict
>type initrc_t, ifdef(`unlimitedServices', `admin, etc_writer, fs_domain, privmem, auth_write, ') domain, privlog, privowner, privmodule, sysctl_kernel_writer;
>allow system_mail_t initrc_t:fd use;
>allow system_mail_t initrc_t:fifo_file write;
>', `
>type initrc_t, ifdef(`unlimitedServices', `admin, etc_writer, fs_domain, privmem,auth_write, ') domain, privlog, privowner, privmodule, sysctl_kernel_writer, privmail;
>')
>role system_r types initrc_t;
>uses_shlib(initrc_t);
>can_ypbind(initrc_t)
>type initrc_exec_t, file_type, sysadmfile, exec_type;
>
># for halt to down interfaces
>allow initrc_t self:udp_socket create_socket_perms;
>
># read files in /etc/init.d
>allow initrc_t etc_t:lnk_file r_file_perms;
>
>read_locale(initrc_t)
>
>r_dir_file(initrc_t, usr_t)
>
># Read system information files in /proc.
>allow initrc_t proc_t:dir r_dir_perms;
>allow initrc_t proc_t:{ file lnk_file } r_file_perms;
>
># Allow IPC with self
>allow initrc_t self:unix_dgram_socket create_socket_perms;
>allow initrc_t self:unix_stream_socket { connectto create_stream_socket_perms };
>allow initrc_t self:fifo_file rw_file_perms;
>
># Read the root directory of a usbdevfs filesystem, and
># the devices and drivers files.  Permit stating of the
># device nodes, but nothing else.
>allow initrc_t usbdevfs_t:dir r_dir_perms;
>allow initrc_t usbdevfs_t:lnk_file r_file_perms;
>allow initrc_t usbdevfs_t:file getattr;
>
># allow initrc to fork and renice itself
>allow initrc_t self:process { fork sigchld setsched setpgid setrlimit };
>
># Can create ptys for open_init_pty
>can_create_pty(initrc)
>
>tmp_domain(initrc)
>
>var_run_domain(initrc)
>allow initrc_t var_run_t:{ file sock_file lnk_file } unlink;
>allow initrc_t var_run_t:dir { create rmdir };
>
>allow initrc_t framebuf_device_t:chr_file r_file_perms;
>
># Use capabilities.
>allow initrc_t self:capability ~{ sys_admin sys_module };
>
># Use system operations.
>allow initrc_t kernel_t:system *;
>
># Set values in /proc/sys.
>can_sysctl(initrc_t)
>
># Run helper programs in the initrc_t domain.
>allow initrc_t {bin_t sbin_t }:dir r_dir_perms;
>allow initrc_t {bin_t sbin_t }:lnk_file read;
>can_exec(initrc_t, etc_t)
>can_exec(initrc_t, lib_t)
>can_exec(initrc_t, bin_t)
>can_exec(initrc_t, sbin_t)
>can_exec(initrc_t, exec_type)
>#
>#  These rules are here to allow init scripts to su
>#
>ifdef(`su.te', `
>su_restricted_domain(initrc,system)
>role system_r types initrc_su_t;
>')
>allow initrc_t self:passwd rootok;
>
># read /lib/modules
>allow initrc_t modules_object_t:dir { search read };
>
># Read conf.modules.
>allow initrc_t modules_conf_t:file r_file_perms;
>
># Run other rc scripts in the initrc_t domain.
>can_exec(initrc_t, initrc_exec_t)
>
># Run init (telinit) in the initrc_t domain.
>can_exec(initrc_t, init_exec_t)
>
># Communicate with the init process.
>allow initrc_t initctl_t:fifo_file rw_file_perms;
>
># Send messages to portmap and ypbind.
>ifdef(`portmap.te', `can_udp_send(initrc_t, portmap_t)')
>ifdef(`ypbind.te', `can_udp_send(initrc_t, ypbind_t)')
>
># Read /proc/PID directories for all domains.
>r_dir_file(initrc_t, domain)
>allow initrc_t domain:process { getattr getsession };
>
># Mount and unmount file systems.
>allow initrc_t fs_type:filesystem mount_fs_perms;
>allow initrc_t { file_t default_t }:dir { read search getattr mounton };
>
># Create runtime files in /etc, e.g. /etc/mtab, /etc/HOSTNAME.
>file_type_auto_trans(initrc_t, etc_t, etc_runtime_t, file)
>
># Update /etc/ld.so.cache.
>allow initrc_t ld_so_cache_t:file rw_file_perms;
>
>ifdef(`sendmail.te', `
># Update /etc/mail.
>allow initrc_t etc_mail_t:file { setattr rw_file_perms };
>')
>
>ifdef(`xfs.te', `
># Unlink the xfs socket.
>allow initrc_t xfs_tmp_t:dir rw_dir_perms;
>allow initrc_t xfs_tmp_t:dir rmdir;
>allow initrc_t xfs_tmp_t:sock_file { read getattr unlink };
>allow initrc_t fonts_t:dir create_dir_perms;
>allow initrc_t fonts_t:file create_file_perms;
>')
>
># Update /var/log/wtmp and /var/log/dmesg.
>allow initrc_t wtmp_t:file { setattr rw_file_perms };
>allow initrc_t var_log_t:file { setattr rw_file_perms };
>allow initrc_t lastlog_t:file { setattr rw_file_perms };
>
># remove old locks
>allow initrc_t lockfile:dir rw_dir_perms;
>allow initrc_t lockfile:file { getattr unlink };
>
># Access /var/lib/random-seed.
>allow initrc_t var_lib_t:file rw_file_perms;
>allow initrc_t var_lib_t:file unlink;
>
># Create lock file.
>allow initrc_t var_lock_t:dir create_dir_perms;
>allow initrc_t var_lock_t:file create_file_perms;
>
># Set the clock.
>allow initrc_t clock_device_t:devfile_class_set rw_file_perms;
>
># Kill all processes.
>allow initrc_t domain:process signal_perms;
>
># Read and unlink /var/run/*.pid files.
>allow initrc_t pidfile:file { getattr read unlink };
>
># Write to /dev/urandom.
>allow initrc_t urandom_device_t:chr_file rw_file_perms;
>
># Set device ownerships/modes.
>allow initrc_t framebuf_device_t:lnk_file read;
>allow initrc_t framebuf_device_t:devfile_class_set setattr;
>allow initrc_t misc_device_t:devfile_class_set setattr;
>allow initrc_t device_t:devfile_class_set setattr;
>allow initrc_t fixed_disk_device_t:devfile_class_set setattr;
>allow initrc_t removable_device_t:devfile_class_set setattr;
>allow initrc_t device_t:lnk_file read;
>
># Stat any file.
>allow initrc_t file_type:file_class_set getattr;
>allow initrc_t file_type:dir { search getattr };
>
># Read and write console and ttys.
>allow initrc_t devtty_t:chr_file rw_file_perms;
>allow initrc_t console_device_t:chr_file rw_file_perms;
>allow initrc_t tty_device_t:chr_file rw_file_perms;
>allow initrc_t ttyfile:chr_file rw_file_perms;
>allow initrc_t ptyfile:chr_file rw_file_perms;
>
># Reset tty labels.
>allow initrc_t ttyfile:chr_file relabelfrom;
>allow initrc_t tty_device_t:chr_file relabelto;
>
>ifdef(`rpm.te', `
># Create and read /boot/kernel.h and /boot/System.map.
># Redhat systems typically create this file at boot time.
>allow initrc_t boot_t:lnk_file rw_file_perms;
>file_type_auto_trans(initrc_t, boot_t, boot_runtime_t, file)
>')
>
>allow initrc_t system_map_t:{ file lnk_file } r_file_perms;
>
>ifdef(`rhgb.te', `
>allow initrc_t ramfs_t:dir search;
>allow initrc_t ramfs_t:sock_file write;
>allow initrc_t rhgb_t:unix_stream_socket { read write };
>')
>
># Unlink /halt.
># for /halt /.autofsck and other flag files
>file_type_auto_trans(initrc_t, root_t, etc_runtime_t, file)
>
>ifdef(`gpm.te', `allow initrc_t gpmctl_t:sock_file setattr;')
>
>allow initrc_t var_spool_t:file rw_file_perms;
>
># Allow access to the sysadm TTYs. Note that this will give access to the 
># TTYs to any process in the initrc_t domain. Therefore, daemons and such
># started from init should be placed in their own domain.
>allow initrc_t admin_tty_type:chr_file rw_file_perms;
>
># Access sound device and files.
>allow initrc_t sound_device_t:chr_file { setattr ioctl read write };
>ifdef(`sound.te', `allow initrc_t sound_file_t:file { setattr write };')
>
>ifdef(`rpm.te', `
># Access /var/lib/rpm.
>allow initrc_t var_lib_rpm_t:dir rw_dir_perms;
>allow initrc_t var_lib_rpm_t:file create_file_perms;
>')
>
>ifdef(`apmd.te',
>`# Access /dev/apm_bios.
>allow initrc_t apm_bios_t:chr_file { setattr getattr };')
>
>ifdef(`lpd.te',
>`# Read printconf files.
>allow initrc_t printconf_t:dir r_dir_perms;
>allow initrc_t printconf_t:file r_file_perms;')
>
># Read user home directories.
>allow initrc_t { home_root_t home_type }:dir r_dir_perms;
>allow initrc_t home_type:file r_file_perms;
>
># for system start scripts
>allow initrc_t pidfile:dir rw_dir_perms;
>allow initrc_t pidfile:sock_file unlink;
>rw_dir_create_file(initrc_t, var_lib_t)
>
># allow start scripts to clean /tmp
>allow initrc_t { unlabeled_t tmpfile }:dir { rw_dir_perms rmdir };
>allow initrc_t { unlabeled_t tmpfile }:notdevfile_class_set { getattr unlink };
>
># for lsof which is used by alsa shutdown
>dontaudit initrc_t domain:{ udp_socket tcp_socket fifo_file unix_dgram_socket } getattr;
>dontaudit initrc_t proc_kmsg_t:file getattr;
>
>#################################
>#
># Rules for the run_init_t domain.
>#
>run_program(sysadm_t, sysadm_r, init, initrc_exec_t, initrc_t)
>allow initrc_t privfd:fd use;
>
># Transition to system_r:initrc_t upon executing init scripts.
>ifdef(`direct_sysadm_daemon', `
>role_transition sysadm_r initrc_exec_t system_r;
>domain_auto_trans(sysadm_t, initrc_exec_t, initrc_t)
>')
>
>#
># Shutting down xinet causes these
>#
># Fam
>dontaudit initrc_t device_t:dir { read write };
># Rsync
>dontaudit initrc_t mail_spool_t:lnk_file read;
>
>allow initrc_t sysfs_t:dir { getattr read search };
>allow initrc_t sysfs_t:file { getattr read };
>allow initrc_t sysfs_t:lnk_file { getattr read };
>allow initrc_t udev_runtime_t:file rw_file_perms;
>allow initrc_t device_type:chr_file { setattr };
>allow initrc_t binfmt_misc_fs_t:dir { getattr search };
>allow initrc_t binfmt_misc_fs_t:file { getattr ioctl write };
>ifdef(`pam.te', `
>allow initrc_t pam_var_run_t:dir rw_dir_perms;
>allow initrc_t pam_var_run_t:file { getattr read unlink };
>')
>
># for lsof in shutdown scripts
>allow initrc_t security_t:dir getattr;
>allow initrc_t krb5_conf_t:file read;
>dontaudit initrc_t krb5_conf_t:file write;
>#
># Wants to remove udev.tbl
>#
>allow initrc_t device_t:dir rw_dir_perms;
>allow initrc_t device_t:lnk_file { unlink };
>allow initrc_t initrc_t:process { getsched };
>
>ifdef(`unlimitedServices', `
>unconfined_domain(initrc_t) 
>')
>  
>
>------------------------------------------------------------------------
>
># init rc scripts
>/etc/X11/prefdm		--	system_u:object_r:initrc_exec_t
>/etc/rc\.d/rc		--	system_u:object_r:initrc_exec_t
>/etc/rc\.d/rc\.sysinit	--	system_u:object_r:initrc_exec_t
>/etc/rc\.d/rc\.local	--	system_u:object_r:initrc_exec_t
>/etc/rc\.d/init\.d/.*	--	system_u:object_r:initrc_exec_t
>/etc/rc\.d/init\.d/functions -- system_u:object_r:etc_t
>/etc/init\.d/.*		--	system_u:object_r:initrc_exec_t
>/etc/init\.d/functions	--	system_u:object_r:etc_t
>/var/run/utmp		--	system_u:object_r:initrc_var_run_t
>/var/run/runlevel\.dir		system_u:object_r:initrc_var_run_t
>/var/run/random-seed	--	system_u:object_r:initrc_var_run_t
>/var/run/setmixer_flag	--	system_u:object_r:initrc_var_run_t
># run_init
>/usr/sbin/run_init	--	system_u:object_r:run_init_exec_t
>/usr/sbin/open_init_pty	--	system_u:object_r:initrc_exec_t
>/etc/nologin.*		--	system_u:object_r:etc_runtime_t
>/etc/nohotplug		--	system_u:object_r:etc_runtime_t
>/halt			--	system_u:object_r:etc_runtime_t
>/\.autofsck		--	system_u:object_r:etc_runtime_t
>  
>



