Bug 35654 - small basepolicy tweaks
Summary: small basepolicy tweaks
Status: RESOLVED FIXED
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All
OS: All
Importance: High normal
Assignee: Chris PeBenito (RETIRED)
Reported: 2003-12-12 04:14 UTC by petre rodan (RETIRED)
Modified: 2011-10-30 22:41 UTC
Description petre rodan (RETIRED) gentoo-dev 2003-12-12 04:14:13 UTC
# /usr/sbin/sendmail is a symlink, so ...
allow crond_t sendmail_exec_t:lnk_file { read };

# iptables-save also needs this:
allow iptables_t proc_net_t:dir { search };
allow iptables_t proc_net_t:file { read getattr };
# policy macro: read access to locale data
read_locale(iptables_t)

# needed in order to upgrade a ssh daemon ;)
# m4 conditional: only applied when daemontools.te is part of the policy
ifdef(`daemontools.te', `
allow sshd_t self:capability { kill };
allow sshd_t self:process { signal };
')
Comment 1 Chris PeBenito (RETIRED) gentoo-dev 2003-12-12 07:25:26 UTC
The second and third blocks are committed, but not the first one. The convention is that symlinks to binaries should only be bin_t or sbin_t, and the target of the symlink should have the transition type, sendmail_exec_t in this case. Please adjust your qmail labeling.
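The labeling convention in Comment 1 and the first block of the description, as an added illustration (not code from this bug, from qmail.fc or from Gentoo's policy): a small Python matcher over two constructed file_contexts fragments, showing why a symlink labelled with the transition type would need the extra lnk_file rule while a symlink that inherits sbin_t does not. The qmail binary path /var/qmail/bin/sendmail and the "longest literal stem wins, later entry wins on ties" matching rule are assumptions.

```python
import re

# Constructed file_contexts fragments (not Gentoo's qmail.fc), in the old
# "<regex> [<type flag>] <context>" format. /var/qmail/bin/sendmail is an
# assumed qmail install path. Before: the symlink itself carries the
# transition type, which is why crond_t would need lnk_file read on it.
FC_BEFORE = """
/usr/sbin(/.*)?              system_u:object_r:sbin_t
/usr/sbin/sendmail       -l  system_u:object_r:sendmail_exec_t
"""
# After (Comment 1's convention): the symlink keeps sbin_t from the
# /usr/sbin rule and only the real binary carries sendmail_exec_t.
FC_AFTER = """
/usr/sbin(/.*)?              system_u:object_r:sbin_t
/var/qmail/bin(/.*)?         system_u:object_r:bin_t
/var/qmail/bin/sendmail  --  system_u:object_r:sendmail_exec_t
"""
TYPE_FLAGS = {"--": "file", "-l": "symlink", "-d": "dir", "-c": "chr",
              "-b": "blk", "-s": "sock", "-p": "fifo"}
STEM_RE = re.compile(r"[^.\[\](){}*+?^$|\\]*")  # literal prefix of a regex

def parse_fc(text):
    """Return (regex, file_type_or_None, context, stem_length) tuples."""
    specs = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        ftype = TYPE_FLAGS[parts[1]] if len(parts) == 3 else None
        stem = STEM_RE.match(parts[0]).group(0)
        specs.append((parts[0], ftype, parts[-1], len(stem)))
    return specs

def label_for(specs, path, ftype):
    """Most specific match (longest literal stem) wins; on a tie the later
    entry wins. Assumed simplification of setfiles/matchpathcon ordering."""
    best = None
    for regex, spec_type, context, stem in specs:
        if spec_type not in (None, ftype):
            continue
        if re.fullmatch(regex, path) and (best is None or stem >= best[1]):
            best = (context, stem)
    return best[0] if best else None

def symlink_breaks_convention(specs, path):
    """True if a symlink would carry an *_exec_t (transition) type; it should
    inherit bin_t/sbin_t and the symlink target be labelled instead."""
    ctx = label_for(specs, path, "symlink")
    return ctx is not None and ctx.rsplit(":", 1)[-1].endswith("_exec_t")
```

With FC_BEFORE the symlink resolves to sendmail_exec_t and the check flags it; with FC_AFTER the symlink stays sbin_t and only the regular file /var/qmail/bin/sendmail gets the transition type.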
Comment 2 petre rodan (RETIRED) gentoo-dev 2003-12-12 12:27:58 UTC
OK. I'm removing the /usr/sbin/sendmail definition from qmail.fc.
You are most welcome to do the same in http://bugs.gentoo.org/attachment.cgi?id=21928&action=view  ;)

is there a public document that contains conventions like this?

bye,
peter
Comment 3 Chris PeBenito (RETIRED) gentoo-dev 2003-12-21 21:34:36 UTC
I don't know of any doc that has this or other conventions; there are few people that do much work on policy.