[DSE-User] Debian unstable, SELinux and Iceweasel
Andreas Kuckartz
a.kuckartz at ping.de
Tue Sep 17 12:36:41 UTC 2013
I am running a Debian unstable system with SELinux in permissive mode.
I have appended the result of
$ cat /var/log/audit/audit.log | audit2allow -l -R
There are quite a few missing type enforcement (TE) allow rules.
In addition, Iceweasel requires the allow_execstack and allow_execmem
booleans to be enabled - which is not good. I have researched that and found these two old open
Firefox issues:
SELinux is preventing JIT from changing memory segment access
https://bugzilla.mozilla.org/show_bug.cgi?id=506693
Firefox 3.6.4 will not start on Fedora 12+ due to SELinux permission error
https://bugzilla.mozilla.org/show_bug.cgi?id=574119
How do you suggest I proceed?
Cheers,
Andreas
# Generated by `audit2allow -l -R` from /var/log/audit/audit.log (see the
# message above).  The system was in permissive mode, so every AVC denial
# behind these rules was logged but not enforced: this is the complete set of
# accesses the loaded policy would have blocked.
#
# NOTE(review): a logged denial is not evidence that the access should be
# allowed.  Each rule below should be judged on its own before any of it is
# loaded as a module; the `#!!!!` lines audit2allow itself emits mark writes
# to types the source domain normally cannot write to, which is often a sign
# of mislabeled files (check with `ls -Z` / `restorecon`) rather than a gap in
# the policy.  Several rules are annotated with the concern they raise.
require {
type apt_var_lib_t;
type pulseaudio_t;
type postgresql_t;
type cupsd_var_run_t;
type sysctl_vm_t;
type initrc_t;
type tmp_t;
type logrotate_t;
type dhcpc_t;
type mount_tmp_t;
type hostname_t;
type auditctl_t;
type var_run_t;
type udev_tbl_t;
type acct_t;
type ping_t;
type cupsd_t;
type sysctl_crypto_t;
type dpkg_exec_t;
type system_mail_t;
type crond_tmp_t;
type unconfined_t;
type gpg_t;
type lib_t;
type sysfs_t;
type system_dbusd_t;
type var_log_t;
type proc_net_t;
type exim_t;
type cron_log_t;
type kernel_t;
type removable_device_t;
type consolekit_t;
type mnt_t;
type dosfs_t;
type var_t;
type pcscd_t;
type var_lib_t;
type dpkg_var_lib_t;
type ntp_drift_t;
type fixed_disk_device_t;
type initrc_var_run_t;
type devicekit_disk_t;
type mount_exec_t;
# Object classes and the permissions used by the allow rules below.  Every
# type and class a rule references must be declared in this require block for
# checkmodule to compile the module; note devicekit_disk_t is declared here
# although no rule below names it as a source domain.
class fifo_file write;
class process { execmem setfscreate getcap setcap };
class unix_stream_socket connectto;
class netlink_kobject_uevent_socket { getattr setopt read bind create };
class system module_request;
class capability sys_rawio;
class file { rename execute setattr read lock create execute_no_trans write getattr unlink open append };
class filesystem { mount unmount };
class sock_file { write create unlink };
class blk_file { ioctl read open getattr };
class dir { search read create mounton write getattr rmdir remove_name add_name };
}
#============= acct_t ==============
# Read-only access to files labeled initrc_var_run_t (presumably something
# under /run written by an init script - confirm the path from the AVC).
allow acct_t initrc_var_run_t:file { read lock open };
#============= auditctl_t ==============
allow auditctl_t var_t:file read;
#============= consolekit_t ==============
# setfscreate lets the process choose the label of files it creates; low
# blast radius on its own, but verify which file creation triggered it.
allow consolekit_t self:process setfscreate;
#============= cupsd_t ==============
allow cupsd_t var_run_t:sock_file unlink;
#============= devicekit_disk_t ==============
allow devicekit_disk_t udev_tbl_t:file { read open };
#============= dhcpc_t ==============
allow dhcpc_t ntp_drift_t:dir search;
#============= exim_t ==============
# exim_t and system_mail_t (further down) show the same sysctl_crypto_t and
# dpkg_var_lib_t reads; the sysctl_crypto_t access is presumably a
# /proc/sys/crypto probe by a shared library - TODO confirm from the AVC path.
allow exim_t crond_tmp_t:file { read write };
allow exim_t dpkg_var_lib_t:file read;
allow exim_t sysctl_crypto_t:dir search;
allow exim_t sysctl_crypto_t:file { read getattr open };
allow exim_t sysfs_t:file { read open };
allow exim_t var_t:file read;
#============= gpg_t ==============
allow gpg_t cron_log_t:file { read getattr open };
#!!!! The source type 'gpg_t' can write to a 'dir' of the following types:
# gpg_secret_t, user_home_dir_t, gpg_agent_tmp_t, user_tmp_t, user_home_t, tmp_t
# NOTE(review): audit2allow flags these two rules - a gpg process creating
# and writing files under var_log_t is not in gpg_t's normal write set.  The
# cron_log_t read above suggests gpg was started from a cron job; look at
# the AVC's path/pid before allowing rather than granting gpg_t write access
# to /var/log.
allow gpg_t var_log_t:dir { write add_name };
#!!!! The source type 'gpg_t' can write to a 'file' of the following types:
# gpg_secret_t, gpg_agent_tmp_t, user_tmp_t, user_home_t
allow gpg_t var_log_t:file { write create open };
#============= hostname_t ==============
allow hostname_t var_lib_t:file append;
#============= logrotate_t ==============
#!!!! The source type 'logrotate_t' can write to a 'dir' of the following types:
# var_log_t, var_lock_t, tmp_t, logrotate_var_lib_t, logrotate_tmp_t, logfile, acct_data_t, var_spool_t, var_lib_t
# NOTE(review): flagged by audit2allow - logrotate creating/unlinking files in
# cupsd_var_run_t and connecting to an initrc_t socket looks like a
# postrotate script (e.g. a service restart) running in logrotate's own
# domain; confirm which script it is and whether it should transition to a
# different domain instead of widening logrotate_t.
allow logrotate_t cupsd_var_run_t:dir { write remove_name add_name };
allow logrotate_t cupsd_var_run_t:file { write create unlink };
allow logrotate_t initrc_t:unix_stream_socket connectto;
allow logrotate_t sysfs_t:file { read open };
allow logrotate_t tmp_t:sock_file { create unlink };
allow logrotate_t var_run_t:sock_file write;
#============= pcscd_t ==============
allow pcscd_t self:netlink_kobject_uevent_socket read;
#============= ping_t ==============
# getcap/setcap on the process' own capability set (ping dropping or raising
# its raw-socket capability, presumably); self-only, low risk.
allow ping_t self:process { getcap setcap };
#============= postgresql_t ==============
allow postgresql_t var_run_t:sock_file write;
#============= pulseaudio_t ==============
allow pulseaudio_t initrc_var_run_t:file { read getattr open };
#!!!! The source type 'pulseaudio_t' can write to a 'dir' of the following types:
# user_fonts_cache_t, user_tmp_t, pulseaudio_var_lib_t, pulseaudio_var_run_t, user_home_t, user_tmpfs_t, pulseaudio_home_t, var_lib_t, var_run_t, xdm_tmp_t
# NOTE(review): tmp_t is not in pulseaudio_t's expected write set above
# (user_tmp_t is), which points at user /tmp files carrying the generic tmp_t
# label rather than at a missing rule.  The `execute` permission on tmp_t
# files is the part to be careful with: as written it lets pulseaudio run
# anything labeled tmp_t, not just its own shared-memory files.
allow pulseaudio_t tmp_t:dir { write remove_name add_name };
allow pulseaudio_t tmp_t:file { write execute read create unlink open };
#============= system_dbusd_t ==============
# NOTE(review): this whole section is the one to look at first.  The system
# bus daemon is shown mounting/unmounting dosfs_t, doing raw I/O on fixed and
# removable disks, loading kernel modules, creating mountpoints under mnt_t
# and executing mount_exec_t and dpkg_exec_t with execute_no_trans (i.e.
# staying in system_dbusd_t).  That pattern is consistent with a bus-activated
# helper - the require block even declares devicekit_disk_t - running in the
# daemon's domain because no domain transition happened, presumably due to a
# mislabeled helper executable; TODO confirm with the AVC's exe/path fields.
# Allowing these rules would give system_dbusd_t itself raw-disk and mount
# privilege, so the fix should be restoring the transition, not this module.
allow system_dbusd_t apt_var_lib_t:dir getattr;
#!!!! The source type 'system_dbusd_t' can write to a 'dir' of the following types:
# system_dbusd_tmp_t, tmp_t, var_run_t, system_dbusd_var_run_t
allow system_dbusd_t dosfs_t:dir write;
allow system_dbusd_t dosfs_t:filesystem { mount unmount };
allow system_dbusd_t dpkg_exec_t:file { read execute open execute_no_trans };
allow system_dbusd_t fixed_disk_device_t:blk_file { read ioctl open getattr };
allow system_dbusd_t initrc_var_run_t:file { read getattr open };
allow system_dbusd_t kernel_t:system module_request;
allow system_dbusd_t lib_t:file execute_no_trans;
allow system_dbusd_t mnt_t:dir { write search rmdir remove_name create add_name mounton };
allow system_dbusd_t mount_exec_t:file { read execute open execute_no_trans };
#!!!! The source type 'system_dbusd_t' can write to a 'dir' of the following types:
# system_dbusd_tmp_t, tmp_t, var_run_t, system_dbusd_var_run_t
allow system_dbusd_t mount_tmp_t:dir { write remove_name add_name };
#!!!! The source type 'system_dbusd_t' can write to a 'file' of the following types:
# system_dbusd_tmp_t, system_dbusd_var_run_t
allow system_dbusd_t mount_tmp_t:file { rename setattr read lock create write getattr unlink open };
allow system_dbusd_t proc_net_t:file { read getattr open };
allow system_dbusd_t removable_device_t:blk_file { read ioctl open };
# sys_rawio grants raw block-device and ioctl access; one of the broadest
# capabilities a confined daemon can hold.
allow system_dbusd_t self:capability sys_rawio;
allow system_dbusd_t self:netlink_kobject_uevent_socket { read bind create setopt getattr };
allow system_dbusd_t sysctl_vm_t:dir search;
allow system_dbusd_t sysctl_vm_t:file { read open };
allow system_dbusd_t udev_tbl_t:file { read getattr open };
#!!!! The source type 'system_dbusd_t' can write to a 'dir' of the following types:
# system_dbusd_tmp_t, tmp_t, var_run_t, system_dbusd_var_run_t
allow system_dbusd_t var_lib_t:dir { write remove_name add_name };
#!!!! The source type 'system_dbusd_t' can write to a 'file' of the following types:
# system_dbusd_tmp_t, system_dbusd_var_run_t
allow system_dbusd_t var_lib_t:file { rename read lock create write getattr unlink open };
allow system_dbusd_t var_run_t:fifo_file write;
allow system_dbusd_t var_t:dir read;
#============= system_mail_t ==============
# Same sysctl_crypto_t / dpkg_var_lib_t pattern as exim_t above; likely the
# same underlying cause, so treat the two sections together.
allow system_mail_t crond_tmp_t:file getattr;
allow system_mail_t dpkg_var_lib_t:file read;
allow system_mail_t sysctl_crypto_t:dir search;
allow system_mail_t sysctl_crypto_t:file { read getattr open };
allow system_mail_t var_lib_t:file { read getattr open };
#============= unconfined_t ==============
#!!!! This avc can be allowed using one of the these booleans:
# allow_execstack, allow_execmem
# NOTE(review): this is the Iceweasel JIT denial from the message (Mozilla
# bugs 506693 / 574119).  Either boolean, or this raw rule, relaxes the
# W^X restriction for every process in unconfined_t, not only the browser;
# the narrower option is to run the browser in its own domain that carries
# execmem, and to keep the boolean off for the rest of unconfined_t.
allow unconfined_t self:process execmem;