After some investigation during my free time (SELinux is not part of
my work, for the moment, I hope ;p), here are some points about what I
said previously:

In the base modules, we have:

    interface(`ldap_read_config',`
        gen_require(`
            type slapd_etc_t;
        ')

        files_search_etc($1)
        allow $1 slapd_etc_t:file { getattr read };
    ')

However, no module has the ldap_read_config rights (and there are no other
occurrences of slapd_etc_t in the SELinux sources).

However, an ls -ZR | grep slapd_etc (on /) gives me:

    -rw-r----- root ldap system_u:object_r:slapd_etc_t slapd.conf
    -rw-r----- root root system_u:object_r:slapd_etc_t slapd.conf.default
    -rw-r----- root ldap system_u:object_r:slapd_etc_t slapd.conf.tmp

So, if we use slapd_etc_t for pam ldap data, we would
allow access from
- slapd allowed domains to pam ldap configuration files
- pam ldap allowed domains to slapd configuration files

which, according to me, are not required authorizations.

Best Regards.

-- Julien Thomas

PS: previous comments / questions are still relevant :D
Julien Thomas <julien.thomas@×××××××××××××.fr> wrote:

> Yes, you are right about the etc_t rules redundancy. I have added this for
> several reasons, such as
> adding all the required rules if we consider the module as an
> independent one, which means that it must be standalone. Thus, the
> redundancy is present but may prevent possible conflicts in the future
> (in the case of new domains being added).
>
> The slapd_etc_t, if I'm not wrong, is not dedicated to pamldap but more
> to the LDAP server and LDAP in general (openldap, ... which do not need to
> access this file)? So, adding a new type dedicated to pamldap
> gives a more precise confinement. But I can not check this for the
> moment.
>
> Otherwise, thanks for your greetings :D
>
> If you want a policy rebuild for reference policy style compliance,
> please tell me (at least if you agree with my previous comments).
>
> Julien Thomas
>
>
> Chris PeBenito wrote:
>> On Mon, 2007-11-19 at 01:13 +0100, julien.thomas@×××××××××××××.fr wrote:
>>> The main aspect of this SELinux module consists in defining a new
>>> domain for the
>>> confinement of the PAMLDAP module. I created this module because, when
>>> I used the
>>> PamLDAP extension for remote authentication, I discovered that it used
>>> sensitive information for LDAP connections.
>>>
>>> The module aims to protect this data (a security enhancement in order
>>> to prevent root services from accessing these previously
>>> etc_t labelled files).
>>
>> Thanks for your submission. I especially appreciate the design document
>> you wrote. However, I don't think this particular action is required,
>> but another.
>>
>> First, the specified domains already have access to etc_t, so these
>> rules are redundant. You suggest adding a type for the ldap.conf
>> because it has authentication data, which I agree with. However, the
>> ldap policy already has a type which might be appropriate for this file,
>> slapd_etc_t.
>>
>> As for the style, the reference policy style is preferred. Please see
>> the website [1] for more details.
>>
>> [1] http://oss.tresys.com/projects/refpolicy/wiki/GettingStarted
>>
>
>
> --
> My RSA public key for email authentication is available at
> http://www.rennes.enst-bretagne.fr/~jthomas2/
>
|
94 |
|
95 |
|
96 |
-- |
97 |
gentoo-hardened@g.o mailing list |
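To make the dedicated-type alternative discussed in the thread concrete, here is an added example written for this page (it is neither Julien's submitted module nor the reference policy's own ldap module) of a reference-policy-style module that gives the pam_ldap client configuration its own type instead of reusing slapd_etc_t. The module name pamldap, the type pamldap_etc_t, the interface pamldap_read_config, the file context for /etc/ldap.conf and the choice of sshd_t as the caller are all assumptions made for illustration; the real configuration path and the set of domains that authenticate through pam_ldap depend on the distribution. The three source files of a refpolicy module are shown one after another, separated by comment headers.

```m4
# ---- pamldap.fc (assumed path; adjust to where pam_ldap reads its config) ----
# Label the client configuration, which holds bind credentials, with its
# own type rather than slapd_etc_t, so that server-side and client-side
# configuration are not interchangeable from the policy's point of view.
/etc/ldap\.conf		--	gen_context(system_u:object_r:pamldap_etc_t,s0)

# ---- pamldap.if ----
## <summary>pam_ldap client configuration (example module).</summary>

########################################
## <summary>
##	Read the pam_ldap client configuration. Only domains that actually
##	perform PAM authentication through pam_ldap need this; slapd and
##	the other LDAP server domains do not.
## </summary>
## <param name="domain">
##	<summary>Domain allowed access.</summary>
## </param>
#
interface(`pamldap_read_config',`
	gen_require(`
		type pamldap_etc_t;
	')

	# Callers must be able to traverse /etc to reach the file.
	files_search_etc($1)
	# read_file_perms is the refpolicy permission set for reading a file.
	allow $1 pamldap_etc_t:file read_file_perms;
')

# ---- pamldap.te ----
policy_module(pamldap, 1.0.0)

########################################
#
# Declarations
#

# Private type for the pam_ldap client configuration. It is deliberately
# distinct from slapd_etc_t: domains granted ldap_read_config() for the
# server configuration do not implicitly gain the client bind credentials,
# and domains granted pamldap_read_config() do not gain slapd.conf.
type pamldap_etc_t;
files_config_file(pamldap_etc_t)

# ---- in the .te of a domain that authenticates via pam_ldap (assumed: ssh.te) ----
# Grant only the read interface, and only to that domain; every other
# domain keeps the default denial on pamldap_etc_t.
optional_policy(`
	pamldap_read_config(sshd_t)
')
```

After building and loading the module, `matchpathcon /etc/ldap.conf` should report pamldap_etc_t and `sesearch -A -t pamldap_etc_t -c file` (from setools) should list only the domains you granted. The same sesearch query against slapd_etc_t is worth running before deciding to reuse that type at all: it shows every domain the compiled policy actually allows on it, including grants that arrive through attributes or other interfaces and that a grep of the policy sources, as used in the message above, would miss.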