Hi,
This came from Russell Cokers policy for Debian systems.
manoj
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index 96887cf..a14bfd1 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -94,6 +94,7 @@ network_port(dhcpd, udp,67,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, t
network_port(dict, tcp,2628,s0)
network_port(distccd, tcp,3632,s0)
network_port(dns, udp,53,s0, tcp,53,s0)
+network_port(epmd, tcp,4369,s0)
network_port(fingerd, tcp,79,s0)
network_port(ftp_data, tcp,20,s0)
network_port(ftp, tcp,21,s0)
diff --git a/policy/modules/services/epmd.fc b/policy/modules/services/epmd.fc
new file mode 100644
index 0000000..c5925ef
--- /dev/null
+++ b/policy/modules/services/epmd.fc
@@ -0,0 +1 @@
+/usr/lib/erlang/erts-[^/]*/bin/epmd -- gen_context(system_u:object_r:epmd_exec_t,s0)
diff --git a/policy/modules/services/epmd.if b/policy/modules/services/epmd.if
new file mode 100644
index 0000000..1ce670c
--- /dev/null
+++ b/policy/modules/services/epmd.if
@@ -0,0 +1,29 @@
+## <summary>Erlang Port Mapper Daemon (epmd).</summary>
+
+########################################
+## <summary>
+## Execute epmd in the epmd domain, and
+## allow the specified role the epmd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the epmd domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`run_epmd',`
+ gen_require(`
+ type epmd_t, epmd_exec_t;
+ ')
+
+ domtrans_pattern($1, epmd_exec_t, epmd_t)
+ role $2 types epmd_t;
+ corenet_tcp_connect_epmd_port($1)
+')
+
diff --git a/policy/modules/services/epmd.te b/policy/modules/services/epmd.te
new file mode 100644
index 0000000..af3ca9e
--- /dev/null
+++ b/policy/modules/services/epmd.te
@@ -0,0 +1,52 @@
+
+policy_module(epmd, 1.7.1)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow the Erlang Port mapper to coordinate all nodes in distributed
+## computing. It also wants to run on single nodes so any daemon written in
+## Erlang will need it.
+## </p>
+## </desc>
+
+type epmd_t;
+type epmd_exec_t;
+init_daemon_domain(epmd_t,epmd_exec_t)
+role system_r types epmd_t;
+
+########################################
+#
+# epmd local policy
+#
+
+allow epmd_t self:tcp_socket create_stream_socket_perms;
+#allow epmd_t self:udp_socket create_socket_perms;
+
+corenet_all_recvfrom_unlabeled(epmd_t)
+corenet_all_recvfrom_netlabel(epmd_t)
+corenet_tcp_bind_epmd_port(epmd_t)
+corenet_tcp_sendrecv_all_if(epmd_t)
+#corenet_udp_sendrecv_all_if(epmd_t)
+corenet_tcp_sendrecv_all_nodes(epmd_t)
+#corenet_udp_sendrecv_all_nodes(epmd_t)
+corenet_tcp_sendrecv_all_ports(epmd_t)
+#corenet_udp_sendrecv_all_ports(epmd_t)
+corenet_tcp_bind_all_nodes(epmd_t)
+#corenet_udp_bind_all_nodes(epmd_t)
+#corenet_tcp_connect_all_ports(epmd_t)
+#corenet_udp_bind_all_unreserved_ports(epmd_t)
+
+files_read_etc_files(epmd_t)
+
+libs_use_ld_so(epmd_t)
+libs_use_shared_libs(epmd_t)
+
+logging_send_syslog_msg(epmd_t)
+
+miscfiles_read_localization(epmd_t)
+
diff --git a/policy/modules/services/jabber.te b/policy/modules/services/jabber.te
index cec9c76..d5d9ef5 100644
--- a/policy/modules/services/jabber.te
+++ b/policy/modules/services/jabber.te
@@ -83,6 +87,10 @@ userdom_dontaudit_use_unpriv_user_fds(jabberd_t)
userdom_dontaudit_search_user_home_dirs(jabberd_t)
optional_policy(`
+ run_epmd(jabberd_t, system_r)
+')
+
+optional_policy(`
nis_use_ypbind(jabberd_t)
')
--
This is the tomorrow you worried about yesterday. And now you know why.
Manoj Srivastava <[email protected]> <http://www.golden-gryphon.com/>
1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C
On Wed, 2009-07-01 at 11:54 -0400, Manoj Srivastava wrote:
> Hi,
>
> This came from Russell Cokers policy for Debian systems.
Is this complete? It seems short. Also the interface that is defined
has an improper name.
> diff --git a/policy/modules/kernel/corenetwork.te.in
> b/policy/modules/kernel/corenetwork.te.in
> index 96887cf..a14bfd1 100644
> --- a/policy/modules/kernel/corenetwork.te.in
> +++ b/policy/modules/kernel/corenetwork.te.in
> @@ -94,6 +94,7 @@ network_port(dhcpd, udp,67,s0, tcp,647,s0,
> udp,647,s0, tcp,847,s0, udp,847,s0, t
> network_port(dict, tcp,2628,s0)
> network_port(distccd, tcp,3632,s0)
> network_port(dns, udp,53,s0, tcp,53,s0)
> +network_port(epmd, tcp,4369,s0)
> network_port(fingerd, tcp,79,s0)
> network_port(ftp_data, tcp,20,s0)
> network_port(ftp, tcp,21,s0)
> diff --git a/policy/modules/services/epmd.fc
> b/policy/modules/services/epmd.fc
> new file mode 100644
> index 0000000..c5925ef
> --- /dev/null
> +++ b/policy/modules/services/epmd.fc
> @@ -0,0 +1 @@
> +/usr/lib/erlang/erts-[^/]*/bin/epmd --
> gen_context(system_u:object_r:epmd_exec_t,s0)
> diff --git a/policy/modules/services/epmd.if
> b/policy/modules/services/epmd.if
> new file mode 100644
> index 0000000..1ce670c
> --- /dev/null
> +++ b/policy/modules/services/epmd.if
> @@ -0,0 +1,29 @@
> +## <summary>Erlang Port Mapper Daemon (epmd).</summary>
> +
> +########################################
> +## <summary>
> +## Execute epmd in the epmd domain, and
> +## allow the specified role the epmd domain.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <param name="role">
> +## <summary>
> +## The role to be allowed the epmd domain.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`run_epmd',`
> + gen_require(`
> + type epmd_t, epmd_exec_t;
> + ')
> +
> + domtrans_pattern($1, epmd_exec_t, epmd_t)
> + role $2 types epmd_t;
> + corenet_tcp_connect_epmd_port($1)
> +')
> +
> diff --git a/policy/modules/services/epmd.te
> b/policy/modules/services/epmd.te
> new file mode 100644
> index 0000000..af3ca9e
> --- /dev/null
> +++ b/policy/modules/services/epmd.te
> @@ -0,0 +1,52 @@
> +
> +policy_module(epmd, 1.7.1)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +## <desc>
> +## <p>
> +## Allow the Erlang Port mapper to coordinate all nodes in
> distributed
> +## computing. It also wants to run on single nodes so any daemon
> written in
> +## Erlang will need it.
> +## </p>
> +## </desc>
> +
> +type epmd_t;
> +type epmd_exec_t;
> +init_daemon_domain(epmd_t,epmd_exec_t)
> +role system_r types epmd_t;
> +
> +########################################
> +#
> +# epmd local policy
> +#
> +
> +allow epmd_t self:tcp_socket create_stream_socket_perms;
> +#allow epmd_t self:udp_socket create_socket_perms;
> +
> +corenet_all_recvfrom_unlabeled(epmd_t)
> +corenet_all_recvfrom_netlabel(epmd_t)
> +corenet_tcp_bind_epmd_port(epmd_t)
> +corenet_tcp_sendrecv_all_if(epmd_t)
> +#corenet_udp_sendrecv_all_if(epmd_t)
> +corenet_tcp_sendrecv_all_nodes(epmd_t)
> +#corenet_udp_sendrecv_all_nodes(epmd_t)
> +corenet_tcp_sendrecv_all_ports(epmd_t)
> +#corenet_udp_sendrecv_all_ports(epmd_t)
> +corenet_tcp_bind_all_nodes(epmd_t)
> +#corenet_udp_bind_all_nodes(epmd_t)
> +#corenet_tcp_connect_all_ports(epmd_t)
> +#corenet_udp_bind_all_unreserved_ports(epmd_t)
> +
> +files_read_etc_files(epmd_t)
> +
> +libs_use_ld_so(epmd_t)
> +libs_use_shared_libs(epmd_t)
> +
> +logging_send_syslog_msg(epmd_t)
> +
> +miscfiles_read_localization(epmd_t)
> +
> diff --git a/policy/modules/services/jabber.te
> b/policy/modules/services/jabber.te
> index cec9c76..d5d9ef5 100644
> --- a/policy/modules/services/jabber.te
> +++ b/policy/modules/services/jabber.te
> @@ -83,6 +87,10 @@ userdom_dontaudit_use_unpriv_user_fds(jabberd_t)
> userdom_dontaudit_search_user_home_dirs(jabberd_t)
>
> optional_policy(`
> + run_epmd(jabberd_t, system_r)
> +')
> +
> +optional_policy(`
> nis_use_ypbind(jabberd_t)
> ')
>
>
>
> --
> This is the tomorrow you worried about yesterday. And now you know
> why.
> Manoj Srivastava <[email protected]> <http://www.golden-gryphon.com/>
> 1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24
> 424C
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>
>
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150