2008-08-21 13:09:08

by cpebenito

Subject: [refpolicy] [REFPOLICY PATCH] Added policy module for the oident daemon.

On Thu, 2008-08-14 at 15:28 +0200, Dominick Grift wrote:
> On Wed, 2008-08-13 at 09:08 -0400, Chris PeBenito wrote:
> > On Sat, 2008-07-26 at 15:07 +0200, Dominick Grift wrote:
> > > Signed-off-by: Dominick Grift <[email protected]>
> >
> > The patch looks line-wrapped. Also a couple comments inline.
>
> This modification adds CIFS, NIS, NFS support.

Do you really think that reading the ~/.oidentd.conf needs to be
tunable? I was mainly concerned about oidentd reading user_home_t
files, for example, since it exposes the whole user's home directory. A
config file explicitly labeled for reading by oidentd should be ok.

The CIFS and NFS blocks should use the existing use_nfs_home_dirs and
use_samba_home_dirs tunables.

The per-role template should create a $1_oidentd_home_t type, so role
separation is preserved.

> diff --git a/man/man8/oidentd_selinux.8 b/man/man8/oidentd_selinux.8
> new file mode 100644
> index 0000000..a880437
> --- /dev/null
> +++ b/man/man8/oidentd_selinux.8
> @@ -0,0 +1,48 @@
> +.TH "oidentd_selinux" "8" "14 Aug 2008" "domg472 at gmail.com" "Oident deamon SELinux policy documentation"
> +.de EX
> +.nf
> +.ft CW
> +..
> +.de EE
> +.ft R
> +.fi
> +..
> +.SH "NAME"
> +oidentd_selinux \- Security-Enhanced Linux policy for Oident daemon.
> +.SH "DESCRIPTION"
> +.PP
> +Security-Enhanced Linux provides security for Oident daemon via flexible mandatory access control.
> +.SH FILE_CONTEXTS
> +.PP
> +SELinux requires files to have a files type. Users can use the chcon command to change certain files types. Policy governs the access that daemons have to files.
> +.TP
> +Allow Oident daemon to read ~/.oidentd.conf by adding the oidentd_home_t files type to the file and by restoring the files type. This also requires the allow_oidentd_read_oidentd_home_content boolean to be set.
> +.PP
> +.B
> +chcon -t oidentd_home_t ~/.oidentd.conf
> +.SH BOOLEANS
> +.PP
> +SELinux policy is based on least privilege required and may also be customizable by setting a boolean with the setsebool command.
> +.TP
> +Allow Oident daemon to read Oident daemon home content with the oidentd_home_t files type.
> +.PP
> +.B
> +setsebool -P allow_oidentd_read_oidentd_home_content on
> +.TP
> +Allow Oident daemon to use CIFS for public file transfer services.
> +.PP
> +.B
> +setsebool -P allow_oidentd_use_cifs on
> +.TP
> +Allow Oident daemon to use NFS for public file transfer services.
> +.PP
> +.B
> +setsebool -P allow_oidentd_use_nfs on
> +.TP
> +system-config-selinux is a GUI tool available to customize SELinux policy settings.
> +.SH AUTHOR
> +.PP
> +This manual page was written by Dominick Grift <[email protected]>.
> +.SH "SEE ALSO"
> +.PP
> +selinux(8), oidentd(8), oidentd.conf(8), setsebool(8), chcon(8)
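Review bot: the BOOLEANS section documents allow_oidentd_use_cifs and allow_oidentd_use_nfs as being "for public file transfer services", which is the ftpd wording and does not describe what oidentd does with a home directory on a CIFS or NFS mount; since the review asks for the existing use_samba_home_dirs and use_nfs_home_dirs tunables, document those instead and say that they let oidentd read ~/.oidentd.conf on such mounts. Two smaller points in the same hunk: "Oident deamon" in the .TH line is a typo, and the FILE_CONTEXTS example shows only `chcon -t oidentd_home_t ~/.oidentd.conf`, which is lost on the next relabel even though the sentence before it says "by restoring the files type"; pair the example with the persistent path (the HOME_DIR entry in oidentd.fc plus restorecon).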
> diff --git a/policy/modules/services/oidentd.fc b/policy/modules/services/oidentd.fc
> new file mode 100644
> index 0000000..ee7fcc4
> --- /dev/null
> +++ b/policy/modules/services/oidentd.fc
> @@ -0,0 +1,7 @@
> +
> +/etc/oidentd\.conf -- gen_context(system_u:object_r:oidentd_config_t, s0)
> +/etc/oidentd_masq\.conf -- gen_context(system_u:object_r:oidentd_config_t, s0)
> +
> +/usr/sbin/oidentd -- gen_context(system_u:object_r:oidentd_exec_t, s0)
> +
> +HOME_DIR/\.oidentd.conf -- gen_context(system_u:object_r:oidentd_home_t, s0)
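Review bot: the HOME_DIR entry leaves its second dot unescaped (`HOME_DIR/\.oidentd.conf`), so the regex also matches any name of the form `.oidentdXconf` in a home directory and labels it oidentd_home_t; write `HOME_DIR/\.oidentd\.conf` for consistency with the two /etc entries, which escape the dot.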
> diff --git a/policy/modules/services/oidentd.if b/policy/modules/services/oidentd.if
> new file mode 100644
> index 0000000..93f9ad0
> --- /dev/null
> +++ b/policy/modules/services/oidentd.if
> @@ -0,0 +1,61 @@
> +## <summary>SELinux policy for Oident daemon.</summary>
> +## <desc>
> +## <p>
> +## Oident daemon is a server that implements the TCP/IP
> +## standard IDENT user identification protocol as
> +## specified in the RFC 1413 document.
> +## </p>
> +## </desc>
> +
> +#######################################
> +## <summary>
> +## The per role template for the Oidentd module.
> +## </summary>
> +## <desc>
> +## <p>
> +## This template creates derived domains which are used
> +## for Oident daemon.
> +## </p>
> +## <p>
> +## This template is invoked automatically for each user, and
> +## generally does not need to be invoked directly
> +## by policy writers.
> +## </p>
> +## </desc>
> +## <param name="userdomain_prefix">
> +## <summary>
> +## The prefix of the user domain (e.g., user
> +## is the prefix for user_t).
> +## </summary>
> +## </param>
> +## <param name="user_domain">
> +## <summary>
> +## The type of the user domain.
> +## </summary>
> +## </param>
> +## <param name="user_role">
> +## <summary>
> +## The role associated with the user domain.
> +## </summary>
> +## </param>
> +#
> +template(`oidentd_per_role_template', `
> + gen_require(`
> + type oidentd_home_t;
> + ')
> +
> + ########################################
> + #
> + # Declarations
> + #
> +
> + userdom_user_home_content($1, oidentd_home_t)
> +
> + ########################################
> + #
> + # Policy
> + #
> +
> + allow $2 oidentd_home_t:file manage_file_perms;
> + allow $2 oidentd_home_t:file relabel_file_perms;
> +')
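Review bot: the template funnels every role's ~/.oidentd.conf into the one shared oidentd_home_t (gen_require of oidentd_home_t followed by `userdom_user_home_content($1, oidentd_home_t)`), so the `allow $2 oidentd_home_t:file ...` rules let a user domain of one role manage and relabel the file of any other role; as the review above says, declare a per-role `$1_oidentd_home_t` inside the template (or an attribute the .te file can reference) and target the allow rules at that. The body indentation also shows as single spaces rather than tabs, which may be the line-wrapping mentioned earlier in the thread; please resend with the original whitespace intact.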
> diff --git a/policy/modules/services/oidentd.te b/policy/modules/services/oidentd.te
> new file mode 100644
> index 0000000..c8bcfc3
> --- /dev/null
> +++ b/policy/modules/services/oidentd.te
> @@ -0,0 +1,102 @@
> +
> +policy_module(oidentd, 0.0.1)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +## <desc>
> +## <p>
> +## Allow Oident daemon to read
> +## oidentd daemon home files.
> +## </p>
> +## </desc>
> +
> +gen_tunable(allow_oidentd_read_oidentd_home_content, false)
> +
> +## <desc>
> +## <p>
> +## Allow Oident daemon to use cifs
> +## used for public file transfer services.
> +## </p>
> +## </desc>
> +
> +gen_tunable(allow_oidentd_use_cifs, false)
> +
> +## <desc>
> +## <p>
> +## Allow Oident daemon to use nfs
> +## used for public file transfer services.
> +## </p>
> +## </desc>
> +
> +gen_tunable(allow_oidentd_use_nfs, false)
> +
> +type oidentd_t;
> +type oidentd_exec_t;
> +init_daemon_domain(oidentd_t, oidentd_exec_t)
> +
> +type oidentd_config_t;
> +files_config_file(oidentd_config_t)
> +
> +type oidentd_home_t;
> +files_poly_member(oidentd_home_t)
> +
> +########################################
> +#
> +# Policy
> +#
> +
> +allow oidentd_t self:capability { setuid setgid };
> +allow oidentd_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
> +allow oidentd_t self:netlink_tcpdiag_socket { write read create nlmsg_read };
> +allow oidentd_t self:tcp_socket { setopt read bind create accept write getattr listen };
> +allow oidentd_t self:udp_socket { write read create connect getattr };
> +allow oidentd_t self:unix_dgram_socket { create connect };
> +
> +allow oidentd_t oidentd_config_t:file read_file_perms;
> +
> +corenet_all_recvfrom_unlabeled(oidentd_t)
> +corenet_all_recvfrom_netlabel(oidentd_t)
> +corenet_tcp_sendrecv_all_if(oidentd_t)
> +corenet_tcp_sendrecv_all_nodes(oidentd_t)
> +corenet_tcp_bind_all_nodes(oidentd_t)
> +corenet_tcp_bind_auth_port(oidentd_t)
> +
> +files_read_etc_files(oidentd_t)
> +
> +fs_search_auto_mountpoints(oidentd_t)
> +
> +kernel_read_kernel_sysctls(oidentd_t)
> +kernel_read_network_state(oidentd_t)
> +kernel_read_network_state_symlinks(oidentd_t)
> +kernel_read_sysctl(oidentd_t)
> +
> +libs_use_ld_so(oidentd_t)
> +libs_use_shared_libs(oidentd_t)
> +
> +logging_send_syslog_msg(oidentd_t)
> +
> +miscfiles_read_localization(oidentd_t)
> +
> +sysnet_read_config(oidentd_t)
> +
> +optional_policy(`
> + nis_use_ypbind(oidentd_t)
> +')
> +
> +tunable_policy(`allow_oidentd_read_oidentd_home_content', `
> + allow oidentd_t oidentd_home_t:file read_file_perms;
> + userdom_search_user_home_dirs(user, oidentd_t)
> +')
> +
> +tunable_policy(`allow_oidentd_use_cifs', `
> + fs_list_cifs(oidentd_t)
> + fs_read_cifs_files(oidentd_t)
> +')
> +
> +tunable_policy(`allow_oidentd_use_nfs', `
> + fs_list_nfs(oidentd_t)
> + fs_read_nfs_files(oidentd_t)
> +')
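Review bot: `userdom_search_user_home_dirs(user, oidentd_t)` hardcodes the `user` prefix, so with the tunable on oidentd can only traverse one role's home directories; once the home type is per role, the search and `read_file_perms` rules belong in the per-role template (or should use the generic home-dir interface) rather than here. The CIFS and NFS tunable_policy blocks introduce new booleans (allow_oidentd_use_cifs, allow_oidentd_use_nfs); replace them with the existing use_samba_home_dirs and use_nfs_home_dirs as requested and drop the two gen_tunable declarations, whose `<desc>` text ("public file transfer services") is copied from ftpd anyway. Two style points: each `## </desc>` block is separated from its gen_tunable by a blank line, whereas refpolicy places gen_tunable directly after the description so the documentation tooling associates the two; and check whether `files_poly_member(oidentd_home_t)` is intended, since that interface is for types that are instances of a polyinstantiated directory while oidentd_home_t labels a single regular file already covered by userdom_user_home_content in the template.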
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
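As an added illustration of the file-context matching this review turns on (example code written for this page, not part of the patch, of refpolicy, or of setfiles): a small Python checker that parses the four oidentd.fc entries quoted above, expands HOME_DIR for a constructed user home directory (`/home/alice`, an assumption), and reports which SELinux type a given path would receive. It simplifies setfiles to "first matching entry wins" and ignores the file-type column, and it flags unescaped dots in the regexes, which is how one can see that the HOME_DIR entry's unescaped second dot also matches unrelated names.

```python
import re

# Constructed sample input: the four entries from the oidentd.fc hunk under review.
# HOME_DIR is refpolicy's placeholder that genhomedircon expands to each user's home.
FC_SAMPLE = r"""
/etc/oidentd\.conf -- gen_context(system_u:object_r:oidentd_config_t, s0)
/etc/oidentd_masq\.conf -- gen_context(system_u:object_r:oidentd_config_t, s0)
/usr/sbin/oidentd -- gen_context(system_u:object_r:oidentd_exec_t, s0)
HOME_DIR/\.oidentd.conf -- gen_context(system_u:object_r:oidentd_home_t, s0)
"""

# One .fc line: <regex> [<file type flag>] gen_context(<user:role:type>, <mls>)
_FC_LINE = re.compile(
    r"^(?P<regex>\S+)\s+(?:(?P<ftype>-[-dlcbsp])\s+)?"
    r"gen_context\((?P<ctx>[^,]+),\s*(?P<mls>[^)]+)\)\s*$"
)


def parse_fc(text):
    """Parse .fc lines into (regex, ftype, setype) tuples, skipping blanks and comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _FC_LINE.match(line)
        if m is None:
            raise ValueError("unparseable file-context line: %r" % line)
        setype = m.group("ctx").split(":")[2]  # user:role:type -> type
        entries.append((m.group("regex"), m.group("ftype") or "", setype))
    return entries


def bare_dots(regex):
    """Positions of '.' that are neither backslash-escaped nor inside [...]: they match any char."""
    positions, escaped, in_class = [], False, False
    for i, ch in enumerate(regex):
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "[":
            in_class = True
        elif ch == "]":
            in_class = False
        elif ch == "." and not in_class:
            positions.append(i)
    return positions


def label_for(path, entries, home_dir="/home/alice"):
    """SELinux type for path: the first entry whose regex matches the whole path.

    setfiles anchors every .fc regex at both ends, which re.fullmatch reproduces.
    Real setfiles prefers the most specific entry; "first match wins" is a
    simplification that is enough for these non-overlapping entries.
    """
    for regex, _ftype, setype in entries:
        pattern = regex.replace("HOME_DIR", re.escape(home_dir))
        if re.fullmatch(pattern, path):
            return setype
    return None


def lint_fc(entries):
    """Return (regex, positions) for every entry containing an unescaped dot."""
    return [(regex, bare_dots(regex)) for regex, _ft, _ty in entries if bare_dots(regex)]


if __name__ == "__main__":
    fc = parse_fc(FC_SAMPLE)
    for p in ("/etc/oidentd.conf", "/home/alice/.oidentd.conf", "/home/alice/.oidentdXconf"):
        print("%-28s -> %s" % (p, label_for(p, fc)))
    for regex, pos in lint_fc(fc):
        print("unescaped '.' in %s at %s" % (regex, pos))
```

Running it shows `/home/alice/.oidentdXconf` receiving oidentd_home_t from the entry as written, while the same path gets no match once the entry is changed to `HOME_DIR/\.oidentd\.conf`; the lint output points at the offending dot.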


2008-08-21 14:55:00

by domg472

Subject: [refpolicy] [REFPOLICY PATCH] Added policy module for the oident daemon.

On Thu, 2008-08-21 at 09:09 -0400, Christopher J. PeBenito wrote:

> Do you really think that reading the ~/.oidentd.conf needs to be
> tunable? I was mainly concerned about oidentd reading user_home_t
> files, for example, since it exposes the whole user's home directory. A
> config file explicitly labeled for reading by oidentd should be ok.

I did this in the spirit of least privilege. ~/.oidentd.conf is
optional. By implementing this boolean we give operators a choice to
fully disallow access to user home dirs.

Attached version has the requested changes applied.

--
Dominick Grift <[email protected]>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: oidentd.patch.txt
Type: text/x-patch
Size: 4998 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20080821/668c2d37/attachment.bin

2008-08-21 15:39:29

by domg472

Subject: [refpolicy] [REFPOLICY PATCH] Added policy module for the oident daemon.

On Thu, 2008-08-21 at 09:09 -0400, Christopher J. PeBenito wrote:

> The per-role template should create a $1_oidentd_home_t type, so role
> separation is preserved.

Attached version attempts to implement oidentdhome and
user_oidentd_home_type attributes. It is compile-tested; however, I am
not sure if I will be able to test this configuration with Fedora policy
without some modifications to the policy.



--
Dominick Grift <[email protected]>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: oidentd.patch.txt
Type: text/x-patch
Size: 4968 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20080821/0400f4b5/attachment.bin