[DSE-User] Debian unstable, SELinux and Iceweasel

Andreas Kuckartz a.kuckartz at ping.de
Tue Sep 17 12:36:41 UTC 2013


I am running a Debian unstable system with SELinux in permissive mode.

I have appended the result of
$ cat /var/log/audit/audit.log | audit2allow -l -R

There are quite a few missing type enforcement (TE) allow rules.

In addition to that, Iceweasel requires allow_execstack and allow_execmem,
which is not good. I have researched that and found these two old, still-open
Firefox issues:

SELinux is preventing JIT from changing memory segment access
https://bugzilla.mozilla.org/show_bug.cgi?id=506693

Firefox 3.6.4 will not start on Fedora 12+ due to SELinux permission error
https://bugzilla.mozilla.org/show_bug.cgi?id=574119

What do you suggest on how to proceed?

Cheers,
Andreas
-------------- next part --------------

# Output of `cat /var/log/audit/audit.log | audit2allow -l -R` on a Debian
# unstable system running in permissive mode (see the message above).
# Every rule below was generated from a logged denial; audit2allow does not
# judge whether the access is legitimate. Treat this as a review list, not as
# a module to build and load as-is: many of these denials are more likely to
# be mislabeled files or missing domain transitions than missing policy.
# Lines starting with "#!!!!" are audit2allow's own warnings that the source
# domain is normally only allowed to write to the types they list, so the rule
# that follows them widens that domain's write set.

require {
	type apt_var_lib_t;
	type pulseaudio_t;
	type postgresql_t;
	type cupsd_var_run_t;
	type sysctl_vm_t;
	type initrc_t;
	type tmp_t;
	type logrotate_t;
	type dhcpc_t;
	type mount_tmp_t;
	type hostname_t;
	type auditctl_t;
	type var_run_t;
	type udev_tbl_t;
	type acct_t;
	type ping_t;
	type cupsd_t;
	type sysctl_crypto_t;
	type dpkg_exec_t;
	type system_mail_t;
	type crond_tmp_t;
	type unconfined_t;
	type gpg_t;
	type lib_t;
	type sysfs_t;
	type system_dbusd_t;
	type var_log_t;
	type proc_net_t;
	type exim_t;
	type cron_log_t;
	type kernel_t;
	type removable_device_t;
	type consolekit_t;
	type mnt_t;
	type dosfs_t;
	type var_t;
	type pcscd_t;
	type var_lib_t;
	type dpkg_var_lib_t;
	type ntp_drift_t;
	type fixed_disk_device_t;
	type initrc_var_run_t;
	type devicekit_disk_t;
	type mount_exec_t;
	class fifo_file write;
	class process { execmem setfscreate getcap setcap };
	class unix_stream_socket connectto;
	class netlink_kobject_uevent_socket { getattr setopt read bind create };
	class system module_request;
	class capability sys_rawio;
	class file { rename execute setattr read lock create execute_no_trans write getattr unlink open append };
	class filesystem { mount unmount };
	class sock_file { write create unlink };
	class blk_file { ioctl read open getattr };
	class dir { search read create mounton write getattr rmdir remove_name add_name };
}

#============= acct_t ==============
allow acct_t initrc_var_run_t:file { read lock open };

#============= auditctl_t ==============
# NOTE(review): var_t is the generic /var label. A denial against var_t (also
# exim_t and system_dbusd_t below) usually points at an unlabeled or
# mislabeled file; check the denied path and relabel (restorecon) before
# granting access to the generic type.
allow auditctl_t var_t:file read;

#============= consolekit_t ==============
allow consolekit_t self:process setfscreate;

#============= cupsd_t ==============
allow cupsd_t var_run_t:sock_file unlink;

#============= devicekit_disk_t ==============
allow devicekit_disk_t udev_tbl_t:file { read open };

#============= dhcpc_t ==============
allow dhcpc_t ntp_drift_t:dir search;

#============= exim_t ==============
allow exim_t crond_tmp_t:file { read write };
allow exim_t dpkg_var_lib_t:file read;
allow exim_t sysctl_crypto_t:dir search;
allow exim_t sysctl_crypto_t:file { read getattr open };
allow exim_t sysfs_t:file { read open };
allow exim_t var_t:file read;

#============= gpg_t ==============
allow gpg_t cron_log_t:file { read getattr open };
#!!!! The source type 'gpg_t' can write to a 'dir' of the following types:
# gpg_secret_t, user_home_dir_t, gpg_agent_tmp_t, user_tmp_t, user_home_t, tmp_t

# NOTE(review): gpg_t reading cron_log_t and creating/writing var_log_t files
# is not gpg's own behaviour; presumably a cron job invokes gpg with its
# output redirected under /var/log -- verify the caller. Widening gpg_t to
# write log directories would let a misbehaving gpg alter logs, so prefer
# fixing the caller over adding these two rules.
allow gpg_t var_log_t:dir { write add_name };
#!!!! The source type 'gpg_t' can write to a 'file' of the following types:
# gpg_secret_t, gpg_agent_tmp_t, user_tmp_t, user_home_t

allow gpg_t var_log_t:file { write create open };

#============= hostname_t ==============
# NOTE(review): hostname appending to a var_lib_t file is unusual; check which
# file was denied -- likely a script redirecting hostname's output.
allow hostname_t var_lib_t:file append;

#============= logrotate_t ==============
#!!!! The source type 'logrotate_t' can write to a 'dir' of the following types:
# var_log_t, var_lock_t, tmp_t, logrotate_var_lib_t, logrotate_tmp_t, logfile, acct_data_t, var_spool_t, var_lib_t

# NOTE(review): creating/unlinking sockets in cupsd_var_run_t and tmp_t and
# connecting to initrc_t look like a postrotate script (e.g. a service
# restart) running inside logrotate's domain rather than transitioning to the
# service's own domain. Confirm from the audit.log entries before allowing.
allow logrotate_t cupsd_var_run_t:dir { write remove_name add_name };
allow logrotate_t cupsd_var_run_t:file { write create unlink };
allow logrotate_t initrc_t:unix_stream_socket connectto;
allow logrotate_t sysfs_t:file { read open };
allow logrotate_t tmp_t:sock_file { create unlink };
allow logrotate_t var_run_t:sock_file write;

#============= pcscd_t ==============
allow pcscd_t self:netlink_kobject_uevent_socket read;

#============= ping_t ==============
allow ping_t self:process { getcap setcap };

#============= postgresql_t ==============
allow postgresql_t var_run_t:sock_file write;

#============= pulseaudio_t ==============
allow pulseaudio_t initrc_var_run_t:file { read getattr open };
#!!!! The source type 'pulseaudio_t' can write to a 'dir' of the following types:
# user_fonts_cache_t, user_tmp_t, pulseaudio_var_lib_t, pulseaudio_var_run_t, user_home_t, user_tmpfs_t, pulseaudio_home_t, var_lib_t, var_run_t, xdm_tmp_t

# NOTE(review): the file rule below grants both write and execute on tmp_t,
# i.e. write-then-execute in a world-writable directory. That is more likely a
# mislabeled file under /tmp than pulseaudio legitimately running code from
# there; check the denied path and its label, and do not carry a W+X grant
# on tmp_t into the policy.
allow pulseaudio_t tmp_t:dir { write remove_name add_name };
allow pulseaudio_t tmp_t:file { write execute read create unlink open };

#============= system_dbusd_t ==============
# NOTE(review): this whole section has the message bus daemon executing dpkg,
# mount and lib_t binaries without a domain transition (execute_no_trans),
# mounting/unmounting dosfs_t, loading kernel modules, using sys_rawio and
# opening raw block devices (fixed_disk_device_t, removable_device_t). That
# pattern looks like a disk/mount helper started by the bus running in the
# bus's own domain; the right fix is presumably a missing domain transition
# or a mislabeled helper binary, not these rules. Granting them would put
# raw-disk and mount privileges into system_dbusd_t itself.
allow system_dbusd_t apt_var_lib_t:dir getattr;
#!!!! The source type 'system_dbusd_t' can write to a 'dir' of the following types:
# system_dbusd_tmp_t, tmp_t, var_run_t, system_dbusd_var_run_t

allow system_dbusd_t dosfs_t:dir write;
allow system_dbusd_t dosfs_t:filesystem { mount unmount };
allow system_dbusd_t dpkg_exec_t:file { read execute open execute_no_trans };
allow system_dbusd_t fixed_disk_device_t:blk_file { read ioctl open getattr };
allow system_dbusd_t initrc_var_run_t:file { read getattr open };
allow system_dbusd_t kernel_t:system module_request;
allow system_dbusd_t lib_t:file execute_no_trans;
allow system_dbusd_t mnt_t:dir { write search rmdir remove_name create add_name mounton };
allow system_dbusd_t mount_exec_t:file { read execute open execute_no_trans };
#!!!! The source type 'system_dbusd_t' can write to a 'dir' of the following types:
# system_dbusd_tmp_t, tmp_t, var_run_t, system_dbusd_var_run_t

allow system_dbusd_t mount_tmp_t:dir { write remove_name add_name };
#!!!! The source type 'system_dbusd_t' can write to a 'file' of the following types:
# system_dbusd_tmp_t, system_dbusd_var_run_t

allow system_dbusd_t mount_tmp_t:file { rename setattr read lock create write getattr unlink open };
allow system_dbusd_t proc_net_t:file { read getattr open };
allow system_dbusd_t removable_device_t:blk_file { read ioctl open };
allow system_dbusd_t self:capability sys_rawio;
allow system_dbusd_t self:netlink_kobject_uevent_socket { read bind create setopt getattr };
allow system_dbusd_t sysctl_vm_t:dir search;
allow system_dbusd_t sysctl_vm_t:file { read open };
allow system_dbusd_t udev_tbl_t:file { read getattr open };
#!!!! The source type 'system_dbusd_t' can write to a 'dir' of the following types:
# system_dbusd_tmp_t, tmp_t, var_run_t, system_dbusd_var_run_t

allow system_dbusd_t var_lib_t:dir { write remove_name add_name };
#!!!! The source type 'system_dbusd_t' can write to a 'file' of the following types:
# system_dbusd_tmp_t, system_dbusd_var_run_t

allow system_dbusd_t var_lib_t:file { rename read lock create write getattr unlink open };
allow system_dbusd_t var_run_t:fifo_file write;
allow system_dbusd_t var_t:dir read;

#============= system_mail_t ==============
allow system_mail_t crond_tmp_t:file getattr;
allow system_mail_t dpkg_var_lib_t:file read;
allow system_mail_t sysctl_crypto_t:dir search;
allow system_mail_t sysctl_crypto_t:file { read getattr open };
allow system_mail_t var_lib_t:file { read getattr open };

#============= unconfined_t ==============
#!!!! This avc can be allowed using one of the these booleans:
#     allow_execstack, allow_execmem

# NOTE(review): presumably the Iceweasel JIT denial described in the message
# (see the two bugzilla links there). The rule and the booleans both apply to
# the entire unconfined_t domain, i.e. every unconfined process on the host,
# not just the browser; weigh that before flipping allow_execmem globally.
allow unconfined_t self:process execmem;

