2019-06-10 16:10:24

by Alexander Miroshnichenko

[permalink] [raw]
Subject: [PATCH] add lldpd policy

New policy for lldpd ( http://vincentbernat.github.io/lldpd ).

Signed-off-by: Alexander Miroshnichenko <[email protected]>
---
policy/modules/roles/sysadm.te | 4 +
policy/modules/services/lldpd.fc | 9 ++
policy/modules/services/lldpd.if | 206 +++++++++++++++++++++++++++++++
policy/modules/services/lldpd.te | 80 ++++++++++++
4 files changed, 299 insertions(+)
create mode 100644 policy/modules/services/lldpd.fc
create mode 100644 policy/modules/services/lldpd.if
create mode 100644 policy/modules/services/lldpd.te

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 8f891c83865f..ea4e06a29e30 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -595,6 +595,10 @@ optional_policy(`
lldpad_admin(sysadm_t, sysadm_r)
')

+optional_policy(`
+ lldp_admin(sysadm_t, sysadm_r)
+')
+
optional_policy(`
lockdev_role(sysadm_r, sysadm_t)
')
diff --git a/policy/modules/services/lldpd.fc b/policy/modules/services/lldpd.fc
new file mode 100644
index 000000000000..997a80a3baf9
--- /dev/null
+++ b/policy/modules/services/lldpd.fc
@@ -0,0 +1,9 @@
+/etc/lldpd.conf -- gen_context(system_u:object_r:lldpd_etc_t,s0)
+/etc/lldpd.d(/.*)? gen_context(system_u:object_r:lldpd_etc_t,s0)
+
+/usr/sbin/lldpd -- gen_context(system_u:object_r:lldpd_exec_t,s0)
+/usr/sbin/lldpcli -- gen_context(system_u:object_r:lldp_cli_exec_t,s0)
+
+/run/lldpd -d gen_context(system_u:object_r:lldpd_var_run_t,s0)
+/run/lldpd(/.*)? gen_context(system_u:object_r:lldpd_var_run_t,s0)
+/run/lldpd.pid -- gen_context(system_u:object_r:lldpd_var_run_t,s0)
diff --git a/policy/modules/services/lldpd.if b/policy/modules/services/lldpd.if
new file mode 100644
index 000000000000..f7030b1ead19
--- /dev/null
+++ b/policy/modules/services/lldpd.if
@@ -0,0 +1,206 @@
+
+## <summary>policy for lldpd</summary>
+
+########################################
+## <summary>
+## Execute lldpd_exec_t in the lldpd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`lldpd_domtrans',`
+ gen_require(`
+ type lldpd_t, lldpd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, lldpd_exec_t, lldpd_t)
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run lldpcli.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`lldp_cli_domtrans',`
+ gen_require(`
+ type lldp_cli_t, lldp_cli_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, lldp_cli_exec_t)
+ domtrans_pattern($1, lldp_cli_exec_t, lldp_cli_t)
+')
+
+########################################
+## <summary>
+## Execute lldpcli in the lldp_cli domain,
+## and allow the specified role
+## the lldp_cli domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`lldp_cli_run',`
+ gen_require(`
+ type lldp_cli_t;
+ ')
+
+ lldp_cli_domtrans($1)
+ role $2 types lldp_cli_t;
+')
+
+######################################
+## <summary>
+## Execute lldpd in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`lldpd_exec',`
+ gen_require(`
+ type lldpd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, lldpd_exec_t)
+')
+
+########################################
+## <summary>
+## Search lldpd conf directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`lldpd_search_conf',`
+ gen_require(`
+ type lldpd_etc_t;
+ ')
+
+ allow $1 lldpd_etc_t:dir search_dir_perms;
+ files_search_etc($1)
+')
+
+########################################
+## <summary>
+## Read lldpd conf files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`lldpd_read_conf_files',`
+ gen_require(`
+ type lldpd_etc_t;
+ ')
+
+ allow $1 lldpd_etc_t:dir list_dir_perms;
+ read_files_pattern($1, lldpd_etc_t, lldpd_etc_t)
+ files_search_etc($1)
+')
+
+########################################
+## <summary>
+## Manage lldpd conf files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`lldpd_manage_conf_files',`
+ gen_require(`
+ type lldpd_etc_t;
+ ')
+
+ manage_files_pattern($1, lldpd_etc_t, lldpd_etc_t)
+ files_search_etc($1)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## lldpd PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`lldpd_manage_pid_files',`
+ gen_require(`
+ type lldpd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_files_pattern($1, lldpd_var_run_t, lldpd_var_run_t)
+ manage_dirs_pattern($1, lldpd_var_run_t, lldpd_var_run_t)
+')
+
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an lldpd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`lldp_admin',`
+ gen_require(`
+ type lldpd_t;
+ type lldpd_etc_t;
+ type lldpd_var_run_t;
+ ')
+
+ allow $1 lldpd_t:process { signal_perms };
+ ps_process_pattern($1, lldpd_t)
+
+ tunable_policy(`allow_ptrace',`
+ allow $1 lldpd_t:process ptrace;
+ ')
+
+ files_search_etc($1)
+ admin_pattern($1, lldpd_etc_t)
+
+ files_search_pids($1)
+ admin_pattern($1, lldpd_var_run_t)
+
+ lldp_cli_run($1, $2)
+')
diff --git a/policy/modules/services/lldpd.te b/policy/modules/services/lldpd.te
new file mode 100644
index 000000000000..9a0f68dc4b7b
--- /dev/null
+++ b/policy/modules/services/lldpd.te
@@ -0,0 +1,80 @@
+policy_module(lldpd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type lldpd_t;
+type lldpd_exec_t;
+init_daemon_domain(lldpd_t, lldpd_exec_t)
+
+type lldp_cli_t;
+type lldp_cli_exec_t;
+init_system_domain(lldp_cli_t, lldp_cli_exec_t)
+application_domain(lldp_cli_t, lldp_cli_exec_t)
+
+type lldpd_etc_t;
+files_config_file(lldpd_etc_t)
+
+type lldpd_var_run_t;
+files_pid_file(lldpd_var_run_t)
+init_daemon_pid_file(lldpd_var_run_t, dir, "lldpd")
+typealias lldpd_var_run_t alias lldp_sock_t;
+
+########################################
+#
+# lldpd local policy
+#
+allow lldpd_t self:capability { chown dac_override fowner fsetid kill net_admin net_raw setgid setuid sys_chroot };
+allow lldpd_t self:process { fork signal_perms };
+allow lldpd_t self:fifo_file rw_fifo_file_perms;
+allow lldpd_t self:unix_stream_socket { accept listen };
+allow lldpd_t lldp_sock_t:sock_file { create_sock_file_perms delete_sock_file_perms setattr };
+allow lldpd_t self:packet_socket create_socket_perms;
+
+lldp_cli_domtrans(lldpd_t)
+
+kernel_read_net_sysctls(lldpd_t)
+
+lldpd_read_conf_files(lldpd_t)
+
+lldpd_manage_pid_files(lldpd_t)
+manage_sock_files_pattern(lldpd_t, lldpd_var_run_t, lldpd_var_run_t)
+manage_lnk_files_pattern(lldpd_t, lldpd_var_run_t, lldpd_var_run_t)
+files_pid_filetrans(lldpd_t, lldpd_var_run_t, {file dir sock_file})
+
+domain_use_interactive_fds(lldpd_t)
+
+files_read_etc_files(lldpd_t)
+
+logging_send_syslog_msg(lldpd_t)
+
+miscfiles_read_localization(lldpd_t)
+
+sysnet_dns_name_resolve(lldpd_t)
+
+########################################
+#
+# lldp_cli local policy
+#
+allow lldp_cli_t self:capability dac_override;
+allow lldp_cli_t self:unix_dgram_socket { connect create };
+allow lldp_cli_t self:unix_stream_socket { connect create read write };
+allow lldp_cli_t self:process signal;
+
+allow lldp_cli_t lldpd_t:unix_stream_socket connectto;
+allow lldp_cli_t lldpd_var_run_t:sock_file { read write };
+
+lldpd_read_conf_files(lldp_cli_t)
+
+logging_send_syslog_msg(lldp_cli_t)
+
+files_dontaudit_read_etc_files(lldp_cli_t)
+
+miscfiles_read_localization(lldp_cli_t)
+
+domain_use_interactive_fds(lldp_cli_t)
+userdom_use_user_ptys(lldp_cli_t)
+
+init_dontaudit_use_script_ptys(lldp_cli_t)
--
2.21.0


2019-06-15 16:08:32

by Chris PeBenito

[permalink] [raw]
Subject: Re: [PATCH] add lldpd policy

On 6/10/19 10:20 AM, Alexander Miroshnichenko wrote:
> New policy for lldpd ( http://vincentbernat.github.io/lldpd ).
>
> Signed-off-by: Alexander Miroshnichenko <[email protected]>
> ---
> policy/modules/roles/sysadm.te | 4 +
> policy/modules/services/lldpd.fc | 9 ++
> policy/modules/services/lldpd.if | 206 +++++++++++++++++++++++++++++++
> policy/modules/services/lldpd.te | 80 ++++++++++++
> 4 files changed, 299 insertions(+)
> create mode 100644 policy/modules/services/lldpd.fc
> create mode 100644 policy/modules/services/lldpd.if
> create mode 100644 policy/modules/services/lldpd.te
>
> diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
> index 8f891c83865f..ea4e06a29e30 100644
> --- a/policy/modules/roles/sysadm.te
> +++ b/policy/modules/roles/sysadm.te
> @@ -595,6 +595,10 @@ optional_policy(`
> lldpad_admin(sysadm_t, sysadm_r)
> ')
>
> +optional_policy(`
> + lldp_admin(sysadm_t, sysadm_r)

A whitespace problem here (spaces instead of tab).

> +')
> +
> optional_policy(`
> lockdev_role(sysadm_r, sysadm_t)
> ')
> diff --git a/policy/modules/services/lldpd.fc b/policy/modules/services/lldpd.fc
> new file mode 100644
> index 000000000000..997a80a3baf9
> --- /dev/null
> +++ b/policy/modules/services/lldpd.fc
> @@ -0,0 +1,9 @@
> +/etc/lldpd.conf -- gen_context(system_u:object_r:lldpd_etc_t,s0)
> +/etc/lldpd.d(/.*)? gen_context(system_u:object_r:lldpd_etc_t,s0)
> +
> +/usr/sbin/lldpd -- gen_context(system_u:object_r:lldpd_exec_t,s0)
> +/usr/sbin/lldpcli -- gen_context(system_u:object_r:lldp_cli_exec_t,s0)
> +
> +/run/lldpd -d gen_context(system_u:object_r:lldpd_var_run_t,s0)
> +/run/lldpd(/.*)? gen_context(system_u:object_r:lldpd_var_run_t,s0)
> +/run/lldpd.pid -- gen_context(system_u:object_r:lldpd_var_run_t,s0)
> diff --git a/policy/modules/services/lldpd.if b/policy/modules/services/lldpd.if
> new file mode 100644
> index 000000000000..f7030b1ead19
> --- /dev/null
> +++ b/policy/modules/services/lldpd.if
> @@ -0,0 +1,206 @@
> +
> +## <summary>policy for lldpd</summary>
> +
> +########################################
> +## <summary>
> +## Execute lldpd_exec_t in the lldpd domain.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to transition.
> +## </summary>
> +## </param>
> +#
> +interface(`lldpd_domtrans',`
> + gen_require(`
> + type lldpd_t, lldpd_exec_t;
> + ')
> +
> + corecmd_search_bin($1)
> + domtrans_pattern($1, lldpd_exec_t, lldpd_t)
> +')
> +
> +########################################
> +## <summary>
> +## Execute a domain transition to run lldpcli.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to transition.
> +## </summary>
> +## </param>
> +#
> +interface(`lldp_cli_domtrans',`

Interface name should be lldp_domtrans_cli

> + gen_require(`
> + type lldp_cli_t, lldp_cli_exec_t;
> + ')
> +
> + corecmd_search_bin($1)
> + can_exec($1, lldp_cli_exec_t)

This can_exec should not be in a domtrans interface, as it provides
execute_no_trans, which isn't necessary for domtrans.

> + domtrans_pattern($1, lldp_cli_exec_t, lldp_cli_t)
> +')
> +
> +########################################
> +## <summary>
> +## Execute lldpcli in the lldp_cli domain,
> +## and allow the specified role
> +## the lldp_cli domain.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to transition.
> +## </summary>
> +## </param>
> +## <param name="role">
> +## <summary>
> +## Role allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`lldp_cli_run',`

lldp_run_cli

> + gen_require(`
> + type lldp_cli_t;
> + ')
> +
> + lldp_cli_domtrans($1)
> + role $2 types lldp_cli_t;
> +')
> +
> +######################################
> +## <summary>
> +## Execute lldpd in the caller domain.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`lldpd_exec',`
> + gen_require(`
> + type lldpd_exec_t;
> + ')
> +
> + corecmd_search_bin($1)
> + can_exec($1, lldpd_exec_t)
> +')
> +
> +########################################
> +## <summary>
> +## Search lldpd conf directories.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`lldpd_search_conf',`
> + gen_require(`
> + type lldpd_etc_t;
> + ')
> +
> + allow $1 lldpd_etc_t:dir search_dir_perms;
> + files_search_etc($1)
> +')
> +
> +########################################
> +## <summary>
> +## Read lldpd conf files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`lldpd_read_conf_files',`
> + gen_require(`
> + type lldpd_etc_t;
> + ')
> +
> + allow $1 lldpd_etc_t:dir list_dir_perms;
> + read_files_pattern($1, lldpd_etc_t, lldpd_etc_t)
> + files_search_etc($1)
> +')
> +
> +########################################
> +## <summary>
> +## Manage lldpd conf files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`lldpd_manage_conf_files',`
> + gen_require(`
> + type lldpd_etc_t;
> + ')
> +
> + manage_files_pattern($1, lldpd_etc_t, lldpd_etc_t)
> + files_search_etc($1)
> +')
> +
> +########################################
> +## <summary>
> +## Create, read, write, and delete
> +## lldpd PID files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`lldpd_manage_pid_files',`
> + gen_require(`
> + type lldpd_var_run_t;
> + ')
> +
> + files_search_pids($1)
> + manage_files_pattern($1, lldpd_var_run_t, lldpd_var_run_t)
> + manage_dirs_pattern($1, lldpd_var_run_t, lldpd_var_run_t)
> +')
> +
> +
> +########################################
> +## <summary>
> +## All of the rules required to administrate
> +## an lldpd environment
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <param name="role">
> +## <summary>
> +## Role allowed access.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`lldp_admin',`
> + gen_require(`
> + type lldpd_t;
> + type lldpd_etc_t;
> + type lldpd_var_run_t;
> + ')
> +
> + allow $1 lldpd_t:process { signal_perms };
> + ps_process_pattern($1, lldpd_t)
> +
> + tunable_policy(`allow_ptrace',`
> + allow $1 lldpd_t:process ptrace;
> + ')

allow_ptrace is not a global tunable and cannot be used here. Also
there are whitespace problems.

> + files_search_etc($1)
> + admin_pattern($1, lldpd_etc_t)
> +
> + files_search_pids($1)
> + admin_pattern($1, lldpd_var_run_t)
> +
> + lldp_cli_run($1, $2)
> +')
> diff --git a/policy/modules/services/lldpd.te b/policy/modules/services/lldpd.te
> new file mode 100644
> index 000000000000..9a0f68dc4b7b
> --- /dev/null
> +++ b/policy/modules/services/lldpd.te
> @@ -0,0 +1,80 @@
> +policy_module(lldpd, 1.0.0)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +type lldpd_t;
> +type lldpd_exec_t;
> +init_daemon_domain(lldpd_t, lldpd_exec_t)
> +
> +type lldp_cli_t;
> +type lldp_cli_exec_t;
> +init_system_domain(lldp_cli_t, lldp_cli_exec_t)
> +application_domain(lldp_cli_t, lldp_cli_exec_t)
> +
> +type lldpd_etc_t;

Please rename to lldpd_conf_t, as I'd like to try to get away from
encoding paths into type names.

> +files_config_file(lldpd_etc_t)
> +
> +type lldpd_var_run_t;

Same thing here, lldpd_runtime_t.


> +files_pid_file(lldpd_var_run_t)
> +init_daemon_pid_file(lldpd_var_run_t, dir, "lldpd")
> +typealias lldpd_var_run_t alias lldp_sock_t;

Not really a necessary alias. I'd prefer to keep aliases for backwards
compatibility situations.


> +
> +########################################
> +#
> +# lldpd local policy
> +#
> +allow lldpd_t self:capability { chown dac_override fowner fsetid kill net_admin net_raw setgid setuid sys_chroot };
> +allow lldpd_t self:process { fork signal_perms };
> +allow lldpd_t self:fifo_file rw_fifo_file_perms;
> +allow lldpd_t self:unix_stream_socket { accept listen };

These perms should probably be create_stream_socket_perms.


> +allow lldpd_t lldp_sock_t:sock_file { create_sock_file_perms delete_sock_file_perms setattr };

This is not necessary, as there is a sock_file rule below.


> +allow lldpd_t self:packet_socket create_socket_perms;
> +
> +lldp_cli_domtrans(lldpd_t)

The daemon runs the cli tool?



> +kernel_read_net_sysctls(lldpd_t)
> +
> +lldpd_read_conf_files(lldpd_t)
> +
> +lldpd_manage_pid_files(lldpd_t)

Since there are other rules that explicitly operate on lldpd_var_run_t,
it would be clearer to do the same for files instead of calling its own
interface.

> +manage_sock_files_pattern(lldpd_t, lldpd_var_run_t, lldpd_var_run_t)
> +manage_lnk_files_pattern(lldpd_t, lldpd_var_run_t, lldpd_var_run_t)
> +files_pid_filetrans(lldpd_t, lldpd_var_run_t, {file dir sock_file})
> +
> +domain_use_interactive_fds(lldpd_t)

This does not seem likely since it is a daemon, not an interactive process.


> +files_read_etc_files(lldpd_t)
> +
> +logging_send_syslog_msg(lldpd_t)
> +
> +miscfiles_read_localization(lldpd_t)
> +
> +sysnet_dns_name_resolve(lldpd_t)
> +
> +########################################
> +#
> +# lldp_cli local policy
> +#
> +allow lldp_cli_t self:capability dac_override;
> +allow lldp_cli_t self:unix_dgram_socket { connect create };
> +allow lldp_cli_t self:unix_stream_socket { connect create read write };
> +allow lldp_cli_t self:process signal;
> +
> +allow lldp_cli_t lldpd_t:unix_stream_socket connectto;
> +allow lldp_cli_t lldpd_var_run_t:sock_file { read write };

Please use stream_connect_pattern()


> +
> +lldpd_read_conf_files(lldp_cli_t)
> +
> +logging_send_syslog_msg(lldp_cli_t)
> +
> +files_dontaudit_read_etc_files(lldp_cli_t)
> +
> +miscfiles_read_localization(lldp_cli_t)
> +
> +domain_use_interactive_fds(lldp_cli_t)

This line is in the wrong place.

> +userdom_use_user_ptys(lldp_cli_t)

> +init_dontaudit_use_script_ptys(lldp_cli_t)

This should not be necessary, as this is allowed via init_system_domain().



--
Chris PeBenito

2019-06-15 17:59:12

by Dominick Grift

[permalink] [raw]
Subject: Re: [PATCH] add lldpd policy

On Sat, Jun 15, 2019 at 12:08:16PM -0400, Chris PeBenito wrote:
> On 6/10/19 10:20 AM, Alexander Miroshnichenko wrote:
> > New policy for lldpd ( http://vincentbernat.github.io/lldpd ).
> >
> > Signed-off-by: Alexander Miroshnichenko <[email protected]>
> > ---
> > policy/modules/roles/sysadm.te | 4 +
> > policy/modules/services/lldpd.fc | 9 ++
> > policy/modules/services/lldpd.if | 206 +++++++++++++++++++++++++++++++
> > policy/modules/services/lldpd.te | 80 ++++++++++++
> > 4 files changed, 299 insertions(+)
> > create mode 100644 policy/modules/services/lldpd.fc
> > create mode 100644 policy/modules/services/lldpd.if
> > create mode 100644 policy/modules/services/lldpd.te
> >
> > diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
> > index 8f891c83865f..ea4e06a29e30 100644
> > --- a/policy/modules/roles/sysadm.te
> > +++ b/policy/modules/roles/sysadm.te
> > @@ -595,6 +595,10 @@ optional_policy(`
> > lldpad_admin(sysadm_t, sysadm_r)
> > ')
> > +optional_policy(`
> > + lldp_admin(sysadm_t, sysadm_r)
>
> A whitespace problem here (spaces instead of tab).
>
> > +')
> > +
> > optional_policy(`
> > lockdev_role(sysadm_r, sysadm_t)
> > ')
> > diff --git a/policy/modules/services/lldpd.fc b/policy/modules/services/lldpd.fc
> > new file mode 100644
> > index 000000000000..997a80a3baf9
> > --- /dev/null
> > +++ b/policy/modules/services/lldpd.fc
> > @@ -0,0 +1,9 @@
> > +/etc/lldpd.conf -- gen_context(system_u:object_r:lldpd_etc_t,s0)
> > +/etc/lldpd.d(/.*)? gen_context(system_u:object_r:lldpd_etc_t,s0)
> > +
> > +/usr/sbin/lldpd -- gen_context(system_u:object_r:lldpd_exec_t,s0)
> > +/usr/sbin/lldpcli -- gen_context(system_u:object_r:lldp_cli_exec_t,s0)
> > +
> > +/run/lldpd -d gen_context(system_u:object_r:lldpd_var_run_t,s0)
> > +/run/lldpd(/.*)? gen_context(system_u:object_r:lldpd_var_run_t,s0)
> > +/run/lldpd.pid -- gen_context(system_u:object_r:lldpd_var_run_t,s0)
> > diff --git a/policy/modules/services/lldpd.if b/policy/modules/services/lldpd.if
> > new file mode 100644
> > index 000000000000..f7030b1ead19
> > --- /dev/null
> > +++ b/policy/modules/services/lldpd.if
> > @@ -0,0 +1,206 @@
> > +
> > +## <summary>policy for lldpd</summary>
> > +
> > +########################################
> > +## <summary>
> > +## Execute lldpd_exec_t in the lldpd domain.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed to transition.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`lldpd_domtrans',`
> > + gen_require(`
> > + type lldpd_t, lldpd_exec_t;
> > + ')
> > +
> > + corecmd_search_bin($1)
> > + domtrans_pattern($1, lldpd_exec_t, lldpd_t)
> > +')
> > +
> > +########################################
> > +## <summary>
> > +## Execute a domain transition to run lldpcli.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed to transition.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`lldp_cli_domtrans',`
>
> Interface name should be lldp_domtrans_cli
>
> > + gen_require(`
> > + type lldp_cli_t, lldp_cli_exec_t;
> > + ')
> > +
> > + corecmd_search_bin($1)
> > + can_exec($1, lldp_cli_exec_t)
>
> This can_exec should not be in a domtrans interface, as it provides
> execute_no_trans, which isn't necessary for domtrans.
>
> > + domtrans_pattern($1, lldp_cli_exec_t, lldp_cli_t)
> > +')
> > +
> > +########################################
> > +## <summary>
> > +## Execute lldpcli in the lldp_cli domain,
> > +## and allow the specified role
> > +## the lldp_cli domain.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed to transition.
> > +## </summary>
> > +## </param>
> > +## <param name="role">
> > +## <summary>
> > +## Role allowed access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`lldp_cli_run',`
>
> lldp_run_cli
>
> > + gen_require(`
> > + type lldp_cli_t;
> > + ')
> > +
> > + lldp_cli_domtrans($1)
> > + role $2 types lldp_cli_t;
> > +')
> > +
> > +######################################
> > +## <summary>
> > +## Execute lldpd in the caller domain.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`lldpd_exec',`
> > + gen_require(`
> > + type lldpd_exec_t;
> > + ')
> > +
> > + corecmd_search_bin($1)
> > + can_exec($1, lldpd_exec_t)
> > +')
> > +
> > +########################################
> > +## <summary>
> > +## Search lldpd conf directories.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`lldpd_search_conf',`
> > + gen_require(`
> > + type lldpd_etc_t;
> > + ')
> > +
> > + allow $1 lldpd_etc_t:dir search_dir_perms;
> > + files_search_etc($1)
> > +')
> > +
> > +########################################
> > +## <summary>
> > +## Read lldpd conf files.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`lldpd_read_conf_files',`
> > + gen_require(`
> > + type lldpd_etc_t;
> > + ')
> > +
> > + allow $1 lldpd_etc_t:dir list_dir_perms;
> > + read_files_pattern($1, lldpd_etc_t, lldpd_etc_t)
> > + files_search_etc($1)
> > +')
> > +
> > +########################################
> > +## <summary>
> > +## Manage lldpd conf files.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`lldpd_manage_conf_files',`
> > + gen_require(`
> > + type lldpd_etc_t;
> > + ')
> > +
> > + manage_files_pattern($1, lldpd_etc_t, lldpd_etc_t)
> > + files_search_etc($1)
> > +')
> > +
> > +########################################
> > +## <summary>
> > +## Create, read, write, and delete
> > +## lldpd PID files.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`lldpd_manage_pid_files',`
> > + gen_require(`
> > + type lldpd_var_run_t;
> > + ')
> > +
> > + files_search_pids($1)
> > + manage_files_pattern($1, lldpd_var_run_t, lldpd_var_run_t)
> > + manage_dirs_pattern($1, lldpd_var_run_t, lldpd_var_run_t)
> > +')
> > +
> > +
> > +########################################
> > +## <summary>
> > +## All of the rules required to administrate
> > +## an lldpd environment
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +## <param name="role">
> > +## <summary>
> > +## Role allowed access.
> > +## </summary>
> > +## </param>
> > +## <rolecap/>
> > +#
> > +interface(`lldp_admin',`
> > + gen_require(`
> > + type lldpd_t;
> > + type lldpd_etc_t;
> > + type lldpd_var_run_t;
> > + ')
> > +
> > + allow $1 lldpd_t:process { signal_perms };
> > + ps_process_pattern($1, lldpd_t)
> > +
> > + tunable_policy(`allow_ptrace',`
> > + allow $1 lldpd_t:process ptrace;
> > + ')
>
> allow_ptrace is not a global tunable and cannot be used here. Also there
> are whitespace problems.
>
> > + files_search_etc($1)
> > + admin_pattern($1, lldpd_etc_t)
> > +
> > + files_search_pids($1)
> > + admin_pattern($1, lldpd_var_run_t)
> > +
> > + lldp_cli_run($1, $2)
> > +')
> > diff --git a/policy/modules/services/lldpd.te b/policy/modules/services/lldpd.te
> > new file mode 100644
> > index 000000000000..9a0f68dc4b7b
> > --- /dev/null
> > +++ b/policy/modules/services/lldpd.te
> > @@ -0,0 +1,80 @@
> > +policy_module(lldpd, 1.0.0)
> > +
> > +########################################
> > +#
> > +# Declarations
> > +#
> > +
> > +type lldpd_t;
> > +type lldpd_exec_t;
> > +init_daemon_domain(lldpd_t, lldpd_exec_t)
> > +
> > +type lldp_cli_t;
> > +type lldp_cli_exec_t;
> > +init_system_domain(lldp_cli_t, lldp_cli_exec_t)
> > +application_domain(lldp_cli_t, lldp_cli_exec_t)
> > +
> > +type lldpd_etc_t;
>
> Please rename to lldpd_conf_t, as I'd like to try to get away from encoding
> paths into type names.
>
> > +files_config_file(lldpd_etc_t)
> > +
> > +type lldpd_var_run_t;
>
> Same thing here, lldpd_runtime_t.
>
>
> > +files_pid_file(lldpd_var_run_t)
> > +init_daemon_pid_file(lldpd_var_run_t, dir, "lldpd")
> > +typealias lldpd_var_run_t alias lldp_sock_t;
>
> Not really a necessary alias. I'd prefer to keep aliases for backwards
> compatibility situations.
>
>
> > +
> > +########################################
> > +#
> > +# lldpd local policy
> > +#
> > +allow lldpd_t self:capability { chown dac_override fowner fsetid kill net_admin net_raw setgid setuid sys_chroot };
> > +allow lldpd_t self:process { fork signal_perms };
> > +allow lldpd_t self:fifo_file rw_fifo_file_perms;
> > +allow lldpd_t self:unix_stream_socket { accept listen };
>
> These perms should probably be create_stream_socket_perms.

the other permissions are already provided with logging_send_syslog_msg() so would be reduntant

>
>
> > +allow lldpd_t lldp_sock_t:sock_file { create_sock_file_perms delete_sock_file_perms setattr };
>
> This is not necessary, as there is a sock_file rule below.
>
>
> > +allow lldpd_t self:packet_socket create_socket_perms;
> > +
> > +lldp_cli_domtrans(lldpd_t)
>
> The daemon runs the cli tool?
>
>
>
> > +kernel_read_net_sysctls(lldpd_t)
> > +
> > +lldpd_read_conf_files(lldpd_t)
> > +
> > +lldpd_manage_pid_files(lldpd_t)
>
> Since there are other rules that explicitly operate on lldpd_var_run_t, it
> would be clearer to do the same for files instead of calling its own
> interface.
>
> > +manage_sock_files_pattern(lldpd_t, lldpd_var_run_t, lldpd_var_run_t)
> > +manage_lnk_files_pattern(lldpd_t, lldpd_var_run_t, lldpd_var_run_t)
> > +files_pid_filetrans(lldpd_t, lldpd_var_run_t, {file dir sock_file})
> > +
> > +domain_use_interactive_fds(lldpd_t)
>
> This does not seem likely since it is a daemon, not an interactive process.
>
>
> > +files_read_etc_files(lldpd_t)
> > +
> > +logging_send_syslog_msg(lldpd_t)
> > +
> > +miscfiles_read_localization(lldpd_t)
> > +
> > +sysnet_dns_name_resolve(lldpd_t)
> > +
> > +########################################
> > +#
> > +# lldp_cli local policy
> > +#
> > +allow lldp_cli_t self:capability dac_override;
> > +allow lldp_cli_t self:unix_dgram_socket { connect create };
> > +allow lldp_cli_t self:unix_stream_socket { connect create read write };
> > +allow lldp_cli_t self:process signal;
> > +
> > +allow lldp_cli_t lldpd_t:unix_stream_socket connectto;
> > +allow lldp_cli_t lldpd_var_run_t:sock_file { read write };
>
> Please use stream_connect_pattern()
>
>
> > +
> > +lldpd_read_conf_files(lldp_cli_t)
> > +
> > +logging_send_syslog_msg(lldp_cli_t)
> > +
> > +files_dontaudit_read_etc_files(lldp_cli_t)
> > +
> > +miscfiles_read_localization(lldp_cli_t)
> > +
> > +domain_use_interactive_fds(lldp_cli_t)
>
> This line is in the wrong place.
>
> > +userdom_use_user_ptys(lldp_cli_t)
>
> > +init_dontaudit_use_script_ptys(lldp_cli_t)
>
> This should not be necessary, as this is allowed via init_system_domain().
>
>
>
> --
> Chris PeBenito

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift


Attachments:
(No filename) (11.65 kB)
signature.asc (673.00 B)
Download all attachments

2019-06-15 19:24:14

by Chris PeBenito

[permalink] [raw]
Subject: Re: [PATCH] add lldpd policy

On 6/15/19 1:58 PM, Dominick Grift wrote:
> On Sat, Jun 15, 2019 at 12:08:16PM -0400, Chris PeBenito wrote:
>> On 6/10/19 10:20 AM, Alexander Miroshnichenko wrote:

>>> +allow lldpd_t self:process { fork signal_perms };
>>> +allow lldpd_t self:fifo_file rw_fifo_file_perms;
>>> +allow lldpd_t self:unix_stream_socket { accept listen };
>>
>> These perms should probably be create_stream_socket_perms.
>
> the other permissions are already provided with logging_send_syslog_msg() so would be reduntant

This is true. However,the syslog socket is not the only socket in use.
Since it also listens on its own stream socket, the
create_stream_socket_perms more clearly shows the intent.


--
Chris PeBenito

2019-06-15 19:46:12

by Dominick Grift

[permalink] [raw]
Subject: Re: [PATCH] add lldpd policy

On Sat, Jun 15, 2019 at 03:24:03PM -0400, Chris PeBenito wrote:
> On 6/15/19 1:58 PM, Dominick Grift wrote:
> > On Sat, Jun 15, 2019 at 12:08:16PM -0400, Chris PeBenito wrote:
> > > On 6/10/19 10:20 AM, Alexander Miroshnichenko wrote:
>
> > > > +allow lldpd_t self:process { fork signal_perms };
> > > > +allow lldpd_t self:fifo_file rw_fifo_file_perms;
> > > > +allow lldpd_t self:unix_stream_socket { accept listen };
> > >
> > > These perms should probably be create_stream_socket_perms.
> >
> > the other permissions are already provided with logging_send_syslog_msg() so would be reduntant
>
> This is true. However,the syslog socket is not the only socket in use.
> Since it also listens on its own stream socket, the
> create_stream_socket_perms more clearly shows the intent.

The compiler will remove the duplicate rules, and yes the intent is more clear.
It just feels strange writing and reading duplicate policy.

>
>
> --
> Chris PeBenito

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift


Attachments:
(No filename) (1.12 kB)
signature.asc (673.00 B)
Download all attachments

2019-06-17 12:44:11

by Alexander Miroshnichenko

[permalink] [raw]
Subject: [PATCH v2] Add lldpd policy

New policy for lldpd ( http://vincentbernat.github.io/lldpd ).

Signed-off-by: Alexander Miroshnichenko <[email protected]>
---
policy/modules/roles/sysadm.te | 4 ++
policy/modules/services/lldpd.fc | 9 ++++
policy/modules/services/lldpd.if | 83 ++++++++++++++++++++++++++++++++
policy/modules/services/lldpd.te | 79 ++++++++++++++++++++++++++++++
4 files changed, 175 insertions(+)
create mode 100644 policy/modules/services/lldpd.fc
create mode 100644 policy/modules/services/lldpd.if
create mode 100644 policy/modules/services/lldpd.te

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 8f891c83865f..9a104fe8eb83 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -595,6 +595,10 @@ optional_policy(`
lldpad_admin(sysadm_t, sysadm_r)
')

+optional_policy(`
+ lldp_admin(sysadm_t, sysadm_r)
+')
+
optional_policy(`
lockdev_role(sysadm_r, sysadm_t)
')
diff --git a/policy/modules/services/lldpd.fc b/policy/modules/services/lldpd.fc
new file mode 100644
index 000000000000..19b66603add3
--- /dev/null
+++ b/policy/modules/services/lldpd.fc
@@ -0,0 +1,9 @@
+/etc/lldpd.conf -- gen_context(system_u:object_r:lldpd_conf_t,s0)
+/etc/lldpd.d(/.*)? gen_context(system_u:object_r:lldpd_conf_t,s0)
+
+/usr/sbin/lldpd -- gen_context(system_u:object_r:lldpd_exec_t,s0)
+/usr/sbin/lldpcli -- gen_context(system_u:object_r:lldp_cli_exec_t,s0)
+
+/run/lldpd -d gen_context(system_u:object_r:lldpd_runtime_t,s0)
+/run/lldpd(/.*)? gen_context(system_u:object_r:lldpd_runtime_t,s0)
+/run/lldpd.pid -- gen_context(system_u:object_r:lldpd_runtime_t,s0)
diff --git a/policy/modules/services/lldpd.if b/policy/modules/services/lldpd.if
new file mode 100644
index 000000000000..8859f8743ecf
--- /dev/null
+++ b/policy/modules/services/lldpd.if
@@ -0,0 +1,83 @@
+
+## <summary>policy for lldpd</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run lldpcli.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`lldp_domtrans_cli',`
+ gen_require(`
+ type lldp_cli_t, lldp_cli_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, lldp_cli_exec_t, lldp_cli_t)
+')
+
+########################################
+## <summary>
+## Execute lldpcli in the lldp_cli domain,
+## and allow the specified role
+## the lldp_cli domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`lldp_cli_run',`
+ gen_require(`
+ type lldp_cli_t;
+ ')
+
+ lldp_domtrans_cli($1)
+ role $2 types lldp_cli_t;
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an lldpd environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`lldp_admin',`
+ gen_require(`
+ type lldpd_t;
+ type lldpd_conf_t;
+ type lldpd_runtime_t;
+ ')
+
+ allow $1 lldpd_t:process { signal_perms };
+ ps_process_pattern($1, lldpd_t)
+
+ files_search_etc($1)
+ admin_pattern($1, lldpd_conf_t)
+
+ files_search_pids($1)
+ admin_pattern($1, lldpd_runtime_t)
+
+ lldp_cli_run($1, $2)
+')
diff --git a/policy/modules/services/lldpd.te b/policy/modules/services/lldpd.te
new file mode 100644
index 000000000000..457243b0112e
--- /dev/null
+++ b/policy/modules/services/lldpd.te
@@ -0,0 +1,79 @@
+policy_module(lldpd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type lldpd_t;
+type lldpd_exec_t;
+init_daemon_domain(lldpd_t, lldpd_exec_t)
+
+type lldp_cli_t;
+type lldp_cli_exec_t;
+init_system_domain(lldp_cli_t, lldp_cli_exec_t)
+application_domain(lldp_cli_t, lldp_cli_exec_t)
+
+type lldpd_conf_t;
+files_config_file(lldpd_conf_t)
+
+type lldpd_runtime_t;
+files_pid_file(lldpd_runtime_t)
+init_daemon_pid_file(lldpd_runtime_t, dir, "lldpd")
+
+########################################
+#
+# lldpd local policy
+#
+allow lldpd_t self:capability { chown dac_read_search dac_override fowner fsetid kill net_admin net_raw setgid setuid sys_chroot };
+allow lldpd_t self:process { fork signal_perms };
+allow lldpd_t self:fifo_file rw_fifo_file_perms;
+allow lldpd_t self:unix_stream_socket create_stream_socket_perms;
+allow lldpd_t self:packet_socket create_socket_perms;
+
+lldp_domtrans_cli(lldpd_t)
+
+kernel_read_net_sysctls(lldpd_t)
+
+list_dirs_pattern(lldpd_t, lldpd_conf_t, lldpd_conf_t)
+read_files_pattern(lldpd_t, lldpd_conf_t, lldpd_conf_t)
+
+manage_dirs_pattern(lldpd_t, lldpd_runtime_t, lldpd_runtime_t)
+manage_files_pattern(lldpd_t, lldpd_runtime_t, lldpd_runtime_t)
+manage_sock_files_pattern(lldpd_t, lldpd_runtime_t, lldpd_runtime_t)
+manage_lnk_files_pattern(lldpd_t, lldpd_runtime_t, lldpd_runtime_t)
+files_pid_filetrans(lldpd_t, lldpd_runtime_t, {file dir sock_file})
+
+files_read_etc_files(lldpd_t)
+
+logging_send_syslog_msg(lldpd_t)
+
+miscfiles_read_localization(lldpd_t)
+
+sysnet_dns_name_resolve(lldpd_t)
+
+########################################
+#
+# lldp_cli local policy
+#
+allow lldp_cli_t self:capability dac_override;
+allow lldp_cli_t self:unix_dgram_socket { connect create };
+allow lldp_cli_t self:unix_stream_socket { connect create read write };
+allow lldp_cli_t self:process signal;
+
+allow lldp_cli_t lldpd_runtime_t:sock_file read_sock_file_perms;
+stream_connect_pattern(lldp_cli_t, lldpd_runtime_t, lldpd_runtime_t, lldpd_t)
+
+domain_use_interactive_fds(lldp_cli_t)
+
+files_search_etc(lldp_cli_t)
+list_dirs_pattern(lldp_cli_t, lldpd_conf_t, lldpd_conf_t)
+read_files_pattern(lldp_cli_t, lldpd_conf_t, lldpd_conf_t)
+
+logging_send_syslog_msg(lldp_cli_t)
+
+files_dontaudit_read_etc_files(lldp_cli_t)
+
+miscfiles_read_localization(lldp_cli_t)
+
+userdom_use_user_ptys(lldp_cli_t)
--
2.21.0

2019-06-17 12:45:00

by Alexander Miroshnichenko

[permalink] [raw]
Subject: Re: [PATCH] add lldpd policy

>> +lldp_cli_domtrans(lldpd_t)
>
> The daemon runs the cli tool?

Yes.

>> +init_dontaudit_use_script_ptys(lldp_cli_t)
>
> This should not be necessary, as this is allowed via init_system_domain().

Without this rule I have such denies:
type=AVC msg=audit(1560772835.304:520336): avc: denied { read write } for
pid=20384 comm="lldpcli" path="/dev/pts/2" dev="devpts" ino=5
scontext=system_u:system_r:lldp_cli_t:s0
tcontext=system_u:object_r:initrc_devpts_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1560773162.058:520386): avc: denied { read write } for
pid=20583 comm="lldpcli" path="/dev/pts/2" dev="devpts" ino=5
scontext=system_u:system_r:lldp_cli_t:s0
tcontext=system_u:object_r:initrc_devpts_t:s0 tclass=chr_file permissive=0
It can be safely omitted.

--
Alexander Miroshnichenko

2019-06-24 01:46:12

by Chris PeBenito

[permalink] [raw]
Subject: Re: [PATCH v2] Add lldpd policy

On 6/17/19 8:42 AM, Alexander Miroshnichenko wrote:
> New policy for lldpd ( http://vincentbernat.github.io/lldpd ).

I was about to merge this, when I realized there's the Intel LLDP module
(lldpad) already in refpolicy. This has the CLI tool, but otherwise
they are very similar. Did you consider merging this into that module?


> Signed-off-by: Alexander Miroshnichenko <[email protected]>
> ---
> policy/modules/roles/sysadm.te | 4 ++
> policy/modules/services/lldpd.fc | 9 ++++
> policy/modules/services/lldpd.if | 83 ++++++++++++++++++++++++++++++++
> policy/modules/services/lldpd.te | 79 ++++++++++++++++++++++++++++++
> 4 files changed, 175 insertions(+)
> create mode 100644 policy/modules/services/lldpd.fc
> create mode 100644 policy/modules/services/lldpd.if
> create mode 100644 policy/modules/services/lldpd.te
>
> diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
> index 8f891c83865f..9a104fe8eb83 100644
> --- a/policy/modules/roles/sysadm.te
> +++ b/policy/modules/roles/sysadm.te
> @@ -595,6 +595,10 @@ optional_policy(`
> lldpad_admin(sysadm_t, sysadm_r)
> ')
>
> +optional_policy(`
> + lldp_admin(sysadm_t, sysadm_r)
> +')
> +
> optional_policy(`
> lockdev_role(sysadm_r, sysadm_t)
> ')
> diff --git a/policy/modules/services/lldpd.fc b/policy/modules/services/lldpd.fc
> new file mode 100644
> index 000000000000..19b66603add3
> --- /dev/null
> +++ b/policy/modules/services/lldpd.fc
> @@ -0,0 +1,9 @@
> +/etc/lldpd.conf -- gen_context(system_u:object_r:lldpd_conf_t,s0)
> +/etc/lldpd.d(/.*)? gen_context(system_u:object_r:lldpd_conf_t,s0)
> +
> +/usr/sbin/lldpd -- gen_context(system_u:object_r:lldpd_exec_t,s0)
> +/usr/sbin/lldpcli -- gen_context(system_u:object_r:lldp_cli_exec_t,s0)
> +
> +/run/lldpd -d gen_context(system_u:object_r:lldpd_runtime_t,s0)
> +/run/lldpd(/.*)? gen_context(system_u:object_r:lldpd_runtime_t,s0)
> +/run/lldpd.pid -- gen_context(system_u:object_r:lldpd_runtime_t,s0)
> diff --git a/policy/modules/services/lldpd.if b/policy/modules/services/lldpd.if
> new file mode 100644
> index 000000000000..8859f8743ecf
> --- /dev/null
> +++ b/policy/modules/services/lldpd.if
> @@ -0,0 +1,83 @@
> +
> +## <summary>policy for lldpd</summary>
> +
> +########################################
> +## <summary>
> +## Execute a domain transition to run lldpcli.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to transition.
> +## </summary>
> +## </param>
> +#
> +interface(`lldp_domtrans_cli',`
> + gen_require(`
> + type lldp_cli_t, lldp_cli_exec_t;
> + ')
> +
> + corecmd_search_bin($1)
> + domtrans_pattern($1, lldp_cli_exec_t, lldp_cli_t)
> +')
> +
> +########################################
> +## <summary>
> +## Execute lldpcli in the lldp_cli domain,
> +## and allow the specified role
> +## the lldp_cli domain.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to transition.
> +## </summary>
> +## </param>
> +## <param name="role">
> +## <summary>
> +## Role allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`lldp_cli_run',`
> + gen_require(`
> + type lldp_cli_t;
> + ')
> +
> + lldp_domtrans_cli($1)
> + role $2 types lldp_cli_t;
> +')
> +
> +########################################
> +## <summary>
> +## All of the rules required to administrate
> +## an lldpd environment
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <param name="role">
> +## <summary>
> +## Role allowed access.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`lldp_admin',`
> + gen_require(`
> + type lldpd_t;
> + type lldpd_conf_t;
> + type lldpd_runtime_t;
> + ')
> +
> + allow $1 lldpd_t:process { signal_perms };
> + ps_process_pattern($1, lldpd_t)
> +
> + files_search_etc($1)
> + admin_pattern($1, lldpd_conf_t)
> +
> + files_search_pids($1)
> + admin_pattern($1, lldpd_runtime_t)
> +
> + lldp_cli_run($1, $2)
> +')
> diff --git a/policy/modules/services/lldpd.te b/policy/modules/services/lldpd.te
> new file mode 100644
> index 000000000000..457243b0112e
> --- /dev/null
> +++ b/policy/modules/services/lldpd.te
> @@ -0,0 +1,79 @@
> +policy_module(lldpd, 1.0.0)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +type lldpd_t;
> +type lldpd_exec_t;
> +init_daemon_domain(lldpd_t, lldpd_exec_t)
> +
> +type lldp_cli_t;
> +type lldp_cli_exec_t;
> +init_system_domain(lldp_cli_t, lldp_cli_exec_t)
> +application_domain(lldp_cli_t, lldp_cli_exec_t)
> +
> +type lldpd_conf_t;
> +files_config_file(lldpd_conf_t)
> +
> +type lldpd_runtime_t;
> +files_pid_file(lldpd_runtime_t)
> +init_daemon_pid_file(lldpd_runtime_t, dir, "lldpd")
> +
> +########################################
> +#
> +# lldpd local policy
> +#
> +allow lldpd_t self:capability { chown dac_read_search dac_override fowner fsetid kill net_admin net_raw setgid setuid sys_chroot };
> +allow lldpd_t self:process { fork signal_perms };
> +allow lldpd_t self:fifo_file rw_fifo_file_perms;
> +allow lldpd_t self:unix_stream_socket create_stream_socket_perms;
> +allow lldpd_t self:packet_socket create_socket_perms;
> +
> +lldp_domtrans_cli(lldpd_t)
> +
> +kernel_read_net_sysctls(lldpd_t)
> +
> +list_dirs_pattern(lldpd_t, lldpd_conf_t, lldpd_conf_t)
> +read_files_pattern(lldpd_t, lldpd_conf_t, lldpd_conf_t)
> +
> +manage_dirs_pattern(lldpd_t, lldpd_runtime_t, lldpd_runtime_t)
> +manage_files_pattern(lldpd_t, lldpd_runtime_t, lldpd_runtime_t)
> +manage_sock_files_pattern(lldpd_t, lldpd_runtime_t, lldpd_runtime_t)
> +manage_lnk_files_pattern(lldpd_t, lldpd_runtime_t, lldpd_runtime_t)
> +files_pid_filetrans(lldpd_t, lldpd_runtime_t, {file dir sock_file})
> +
> +files_read_etc_files(lldpd_t)
> +
> +logging_send_syslog_msg(lldpd_t)
> +
> +miscfiles_read_localization(lldpd_t)
> +
> +sysnet_dns_name_resolve(lldpd_t)
> +
> +########################################
> +#
> +# lldp_cli local policy
> +#
> +allow lldp_cli_t self:capability dac_override;
> +allow lldp_cli_t self:unix_dgram_socket { connect create };
> +allow lldp_cli_t self:unix_stream_socket { connect create read write };
> +allow lldp_cli_t self:process signal;
> +
> +allow lldp_cli_t lldpd_runtime_t:sock_file read_sock_file_perms;
> +stream_connect_pattern(lldp_cli_t, lldpd_runtime_t, lldpd_runtime_t, lldpd_t)
> +
> +domain_use_interactive_fds(lldp_cli_t)
> +
> +files_search_etc(lldp_cli_t)
> +list_dirs_pattern(lldp_cli_t, lldpd_conf_t, lldpd_conf_t)
> +read_files_pattern(lldp_cli_t, lldpd_conf_t, lldpd_conf_t)
> +
> +logging_send_syslog_msg(lldp_cli_t)
> +
> +files_dontaudit_read_etc_files(lldp_cli_t)
> +
> +miscfiles_read_localization(lldp_cli_t)
> +
> +userdom_use_user_ptys(lldp_cli_t)
>


--
Chris PeBenito