[yocto] [PATCH 1/1] refpolicy: make proftpd be able to work
Rongqing Li
rongqing.li at windriver.com
Thu Feb 13 00:13:25 PST 2014
On 02/11/2014 01:31 PM, rongqing.li at windriver.com wrote:
> From: Roy Li <rongqing.li at windriver.com>
>
> Signed-off-by: Roy Li <rongqing.li at windriver.com>
> ---
> ...y-policy-ftp-make-proftpd-be-able-to-work.patch | 85 ++++++++++++++++++++
> .../refpolicy/refpolicy_2.20130424.inc | 1 +
> 2 files changed, 86 insertions(+)
> create mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-ftp-make-proftpd-be-able-to-work.patch
>
> diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-ftp-make-proftpd-be-able-to-work.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-ftp-make-proftpd-be-able-to-work.patch
> new file mode 100644
> index 0000000..9521fcf
> --- /dev/null
> +++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-ftp-make-proftpd-be-able-to-work.patch
> @@ -0,0 +1,85 @@
> +ftp: make proftpd be able to work
> +
> +Upstream-Status: pending
> +
> +1. proftpd need not to access and communicate with avahi, so dontaudit them
> +2. ftpd_t is transited to mls_systemhigh, the running created files under
> +/var/run is in mls_systemlow, so put ftpd_t to write_all_levels
> +
> +Signed-off-by: Roy Li <rongqing.li at windriver.com>
> +---
> + policy/modules/contrib/avahi.if | 40 +++++++++++++++++++++++++++++++++++++++
> + policy/modules/contrib/ftp.te | 6 ++++++
> + 2 files changed, 46 insertions(+)
> +
> +diff --git a/policy/modules/contrib/avahi.if b/policy/modules/contrib/avahi.if
> +index aebe7cb..0e7a748 100644
> +--- a/policy/modules/contrib/avahi.if
> ++++ b/policy/modules/contrib/avahi.if
> +@@ -135,6 +135,46 @@ interface(`avahi_dontaudit_search_pid',`
> +
> + ########################################
> + ## <summary>
> ++## Do not audit attempts to rw
> ++## avahi var directories.
> ++## </summary>
> ++## <param name="domain">
> ++## <summary>
> ++## Domain to not audit.
> ++## </summary>
> ++## </param>
> ++#
> ++interface(`avahi_dontaudit_rw_var',`
> ++ gen_require(`
> ++ type avahi_var_run_t;
> ++ ')
> ++
> ++ dontaudit $1 avahi_var_run_t:file rw_term_perms;
> ++')
> ++
> ++
> ++########################################
> ++## <summary>
> ++## Do not audit attempts to connectto
> ++## avahi unix socket.
> ++## </summary>
> ++## <param name="domain">
> ++## <summary>
> ++## Domain to not audit.
> ++## </summary>
> ++## </param>
> ++#
> ++interface(`avahi_dontaudit_connectto',`
> ++ gen_require(`
> ++ type avahi_t;
> ++ ')
> ++
> ++ dontaudit $1 avahi_t:unix_stream_socket connectto;
> ++')
> ++
> ++
> ++########################################
> ++## <summary>
> + ## All of the rules required to
> + ## administrate an avahi environment.
> + ## </summary>
> +diff --git a/policy/modules/contrib/ftp.te b/policy/modules/contrib/ftp.te
> +index 544c512..12492d2 100644
> +--- a/policy/modules/contrib/ftp.te
> ++++ b/policy/modules/contrib/ftp.te
> +@@ -144,6 +144,12 @@ role ftpdctl_roles types ftpdctl_t;
> + type ftpdctl_tmp_t;
> + files_tmp_file(ftpdctl_tmp_t)
> +
> ++mls_file_write_all_levels(ftpd_t)
> ++
> ++avahi_dontaudit_connectto(ftpd_t)
> ++
> ++avahi_dontaudit_rw_var(ftpd_t)
Please drop it, we should not donaudit ftpd_t to connect avahi.
we should allow this operation, since ftpd_t call libnss which
will create socket and connect these socket.
1846 open("/lib64/libnss_mdns4.so.2", O_RDONLY|O_CLOEXEC) = 3
1846 read(3,
"\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\260\v\0\0\0\0\0\0"
..., 832) = 832
1846 fstat(3, {st_mode=S_IFREG|0755, st_size=9904, ...}) = 0
1846 mmap(NULL, 2105160, PROT_READ|PROT_EXEC,
MAP_PRIVATE|MAP_DENYWRITE, 3, 0)
= 0x7f49e1a63000
1846 mprotect(0x7f49e1a65000, 2093056, PROT_NONE) = 0
1846 mmap(0x7f49e1c64000, 4096, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP
_DENYWRITE, 3, 0x1000) = 0x7f49e1c64000
1846 close(3) = 0
1846 socket(PF_LOCAL, SOCK_STREAM, 0) = 3
1846 fcntl(3, F_GETFD) = 0
1846 fcntl(3, F_SETFD, FD_CLOEXEC) = 0
1846 connect(3, {sa_family=AF_LOCAL,
sun_path="/var/run/avahi-daemon/socket"},
110) = 0
-Roy
> ++
> + type sftpd_t;
> + domain_type(sftpd_t)
> + role system_r types sftpd_t;
> +--
> +1.7.10.4
> +
> diff --git a/recipes-security/refpolicy/refpolicy_2.20130424.inc b/recipes-security/refpolicy/refpolicy_2.20130424.inc
> index 5d55030..422c974 100644
> --- a/recipes-security/refpolicy/refpolicy_2.20130424.inc
> +++ b/recipes-security/refpolicy/refpolicy_2.20130424.inc
> @@ -53,6 +53,7 @@ SRC_URI += "file://poky-policy-fix-xconsole_device_t-as-a-dev_node.patch \
> file://hostname-do-not-audit-attempts-by-hostname-to-read-a.patch \
> file://sysnetwork-dhcpc-binds-socket-to-random-high-udp-por.patch \
> file://portmap-allow-portmap-to-create-socket.patch \
> + file://poky-policy-ftp-make-proftpd-be-able-to-work.patch \
> "
>
> # Backport from upstream
>
--
Best Reagrds,
Roy | RongQing Li
More information about the yocto
mailing list