2009-11-12 21:46:37

by Daniel Walsh

Subject: [refpolicy] services_nut.patch

http://people.fedoraproject.org/~dwalsh/SELinux/F12/services_nut.patch

nut policy.


2009-11-16 14:31:40

by stefan

Subject: [refpolicy] services_nut.patch

On Thu, 2009-11-12 at 16:46 -0500, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F12/services_nut.patch
>
> nut policy.

Some time ago I wrote a policy for NUT too (see attachment). I guess you
tested your policy with a UPS connected via USB. Maybe we could merge
both policies because I tested mine with the SNMP module of NUT.

One note about your policy. Shouldn't we prefix all domains with "nut_"?
This would indicate that e.g. each executable comes from the NUT
project. Then we could also define one type for /var/run/nut (in my
policy it is just nut_var_run_t) because the three main domains
nut_upsd_t, nut_upsdrvctl_t and nut_upsmon_t write to the same location,
share e.g. a socket file.

I would also like to introduce a type for config files because clear
text passwords are saved in there.

Your domain upsmon_t needs also to write to all terms because it
announces information via "wall". It also seems to miss the following
permissions which are needed if upsmon_t should execute /sbin/shutdown
(we still do not have a shutdown policy):

files_rw_generic_pids(nut_upsmon_t)
init_exec(nut_upsmon_t)
init_rw_initctl(nut_upsmon_t)
init_write_utmp(nut_upsmon_t)

What are your thoughts?
I tested my policy on CentOS 5.3 with a couple of dozen
restarts/shutdowns. Debugging restarts/shutdowns is hell ;-)

cheers,
Stefan
-------------- next part --------------
/etc/ups(/.*)? gen_context(system_u:object_r:nut_conf_t,s0)

/sbin/apcsmart -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/bcmxcp -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/bcmxcp_usb -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/belkin -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/belkinunv -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/bestfcom -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/bestuferrups -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/bestups -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/blazer_ser -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/blazer_usb -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/cyberpower -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/dummy-ups -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/etapro -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/everups -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/gamatronic -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/genericups -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/isbmex -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/liebert -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/masterguard -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/megatec -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/megatec_usb -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/metasys -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/mge-shut -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/mge-utalk -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/microdowell -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/newmge-shut -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/oneac -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/optiups -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/powercom -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/powerman-pdu -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/powerpanel -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/rhino -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/richcomm_usb -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/safenet -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/skel -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/snmp-ups -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/solis -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/tripplite -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/tripplitesu -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/tripplite_usb -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/upscode2 -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/upsdrvctl -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/usbhid-ups -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/victronups -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)

/usr/sbin/upsd -- gen_context(system_u:object_r:nut_upsd_exec_t,s0)
/usr/sbin/upsmon -- gen_context(system_u:object_r:nut_upsmon_exec_t,s0)

/var/run/nut(/.*)? gen_context(system_u:object_r:nut_var_run_t,s0)

/var/www/nut-cgi-bin/upsimage\.cgi -- gen_context(system_u:object_r:httpd_nut_upscgi_script_exec_t,s0)
/var/www/nut-cgi-bin/upsset\.cgi -- gen_context(system_u:object_r:httpd_nut_upscgi_script_exec_t,s0)
/var/www/nut-cgi-bin/upsstats\.cgi -- gen_context(system_u:object_r:httpd_nut_upscgi_script_exec_t,s0)
-------------- next part --------------

policy_module(nut, 1.0.0)

########################################
#
# Declarations
#

type nut_upsdrvctl_t;
type nut_upsdrvctl_exec_t;
init_daemon_domain(nut_upsdrvctl_t, nut_upsdrvctl_exec_t)

type nut_upsd_t;
type nut_upsd_exec_t;
init_daemon_domain(nut_upsd_t, nut_upsd_exec_t)

type nut_upsmon_t;
type nut_upsmon_exec_t;
init_daemon_domain(nut_upsmon_t, nut_upsmon_exec_t)

type nut_conf_t;
files_config_file(nut_conf_t)

type nut_var_run_t;
files_pid_file(nut_var_run_t)

########################################
#
# Local policy for upsdrvctl
#

allow nut_upsdrvctl_t self:capability { dac_override kill setgid setuid };
allow nut_upsdrvctl_t self:process { sigchld signal signull };
allow nut_upsdrvctl_t self:fd use;
allow nut_upsdrvctl_t self:unix_dgram_socket { connect create write };
allow nut_upsdrvctl_t self:udp_socket create_socket_perms;
allow nut_upsdrvctl_t self:netlink_route_socket create_netlink_socket_perms;
allow nut_upsdrvctl_t nut_var_run_t:sock_file { create unlink setattr };

# /sbin/upsdrvctl executes other drivers
can_exec(nut_upsdrvctl_t, nut_upsdrvctl_exec_t)

read_files_pattern(nut_upsdrvctl_t, nut_conf_t, nut_conf_t)
manage_files_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t)

# /etc/nsswitch.conf
files_read_etc_files(nut_upsdrvctl_t)
files_read_usr_files(nut_upsdrvctl_t)
files_search_pids(nut_upsdrvctl_t)
files_search_usr(nut_upsdrvctl_t)

miscfiles_read_localization(nut_upsdrvctl_t)

# /etc/resolv.conf
sysnet_read_config(nut_upsdrvctl_t)

corecmd_search_bin(nut_upsdrvctl_t)

libs_read_lib_files(nut_upsdrvctl_t)

kernel_read_kernel_sysctls(nut_upsdrvctl_t)
kernel_sendrecv_unlabeled_association(nut_upsdrvctl_t)

init_sigchld(nut_upsdrvctl_t)

dev_read_urand(nut_upsdrvctl_t)
dev_rw_null(nut_upsdrvctl_t)

logging_send_syslog_msg(nut_upsdrvctl_t)

########################################
#
# Local policy for upsd
#

allow nut_upsd_t self:capability { setgid setuid };
allow nut_upsd_t self:netlink_route_socket create_netlink_socket_perms;
allow nut_upsd_t self:tcp_socket connected_stream_socket_perms;
allow nut_upsd_t nut_upsdrvctl_t:unix_stream_socket connectto;
allow nut_upsd_t nut_var_run_t:sock_file write;

read_files_pattern(nut_upsd_t, nut_conf_t, nut_conf_t)
manage_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)

# /etc/nsswitch.conf
files_read_etc_files(nut_upsd_t)

files_read_usr_files(nut_upsd_t)

miscfiles_read_localization(nut_upsd_t)

libs_read_lib_files(nut_upsd_t)

logging_send_syslog_msg(nut_upsd_t)

kernel_read_kernel_sysctls(nut_upsd_t)
kernel_sendrecv_unlabeled_association(nut_upsd_t)

corenet_tcp_bind_generic_port(nut_upsd_t)
corenet_tcp_bind_all_nodes(nut_upsd_t)

########################################
#
# Local policy for upsmon
#

allow nut_upsmon_t self:capability { dac_override dac_read_search setgid setuid };
allow nut_upsmon_t self:unix_dgram_socket { connect create write };
allow nut_upsmon_t self:tcp_socket create_socket_perms;
allow nut_upsmon_t self:netlink_route_socket create_netlink_socket_perms;
allow nut_upsmon_t self:fifo_file rw_fifo_file_perms;

read_files_pattern(nut_upsmon_t, nut_conf_t, nut_conf_t)
manage_files_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t)

# creates /etc/killpower
files_manage_etc_files(nut_upsmon_t)

files_search_usr(nut_upsmon_t)

corecmd_exec_bin(nut_upsmon_t)
corecmd_exec_shell(nut_upsmon_t)

miscfiles_read_localization(nut_upsmon_t)

libs_read_lib_files(nut_upsmon_t)

logging_send_syslog_msg(nut_upsmon_t)

# /etc/resolv.conf
sysnet_read_config(nut_upsmon_t)

kernel_read_kernel_sysctls(nut_upsmon_t)
kernel_read_system_state(nut_upsmon_t)
kernel_sendrecv_unlabeled_association(nut_upsmon_t)

corenet_tcp_connect_generic_port(nut_upsmon_t)

# /usr/bin/wall
init_read_utmp(nut_upsmon_t)
term_write_all_terms(nut_upsmon_t)

# /sbin/shutdown
files_rw_generic_pids(nut_upsmon_t)
init_exec(nut_upsmon_t)
init_rw_initctl(nut_upsmon_t)
init_write_utmp(nut_upsmon_t)

########################################
#
# Local policy for upscgi scripts
# requires httpd_enable_cgi and httpd_can_network_connect
#

apache_content_template(nut_upscgi)

read_files_pattern(httpd_nut_upscgi_script_t, nut_conf_t, nut_conf_t)

# /etc/resolv.conf
sysnet_read_config(httpd_nut_upscgi_script_t)

2009-11-16 18:32:45

by Daniel Walsh

Subject: [refpolicy] services_nut.patch

On 11/16/2009 09:31 AM, Stefan Schulze Frielinghaus wrote:
> On Thu, 2009-11-12 at 16:46 -0500, Daniel J Walsh wrote:
>> http://people.fedoraproject.org/~dwalsh/SELinux/F12/services_nut.patch
>>
>> nut policy.
>
> Some time ago I wrote a policy for NUT too (see attachment). I guess you
> tested your policy with a UPS connected via USB. Maybe we could merge
> both policies because I tested mine with the SNMP module of NUT.
>
> One note about your policy. Shouldn't we prefix all domains with "nut_"?
> This would indicate that e.g. each executable comes from the NUT
> project. Then we could also define one type for /var/run/nut (in my
> policy it is just nut_var_run_t) because the three main domains
> nut_upsd_t, nut_upsdrvctl_t and nut_upsmon_t write to the same location,
> share e.g. a socket file.
>
> I would also like to introduce a type for config files because clear
> text passwords are saved in there.
>
> Your domain upsmon_t needs also to write to all terms because it
> announces information via "wall". It also seems to miss the following
> permissions which are needed if upsmon_t should execute /sbin/shutdown
> (we still do not have a shutdown policy):
>
> files_rw_generic_pids(nut_upsmon_t)
> init_exec(nut_upsmon_t)
> init_rw_initctl(nut_upsmon_t)
> init_write_utmp(nut_upsmon_t)
>
> What are your thoughts?
> I tested my policy on CentOS 5.3 with a couple of dozen
> restarts/shutdowns. Debugging restarts/shutdowns is hell ;-)
>
> cheers,
> Stefan

Actually I believe Miroslav wrote this policy so I will forward this to him and you and he can work on consolidating the policies.

I agree with your points and your naming is fine.

2009-11-22 14:59:40

by stefan

Subject: [refpolicy] services_nut.patch

On Mon, 2009-11-16 at 13:32 -0500, Daniel J Walsh wrote:
> On 11/16/2009 09:31 AM, Stefan Schulze Frielinghaus wrote:
> > On Thu, 2009-11-12 at 16:46 -0500, Daniel J Walsh wrote:
> >> http://people.fedoraproject.org/~dwalsh/SELinux/F12/services_nut.patch
> >>
> >> nut policy.
> >
> > Some time ago I wrote a policy for NUT too (see attachment). I guess you
> > tested your policy with a UPS connected via USB. Maybe we could merge
> > both policies because I tested mine with the SNMP module of NUT.
> >
> > One note about your policy. Shouldn't we prefix all domains with "nut_"?
> > This would indicate that e.g. each executable comes from the NUT
> > project. Then we could also define one type for /var/run/nut (in my
> > policy it is just nut_var_run_t) because the three main domains
> > nut_upsd_t, nut_upsdrvctl_t and nut_upsmon_t write to the same location,
> > share e.g. a socket file.
> >
> > I would also like to introduce a type for config files because clear
> > text passwords are saved in there.
> >
> > Your domain upsmon_t needs also to write to all terms because it
> > announces information via "wall". It also seems to miss the following
> > permissions which are needed if upsmon_t should execute /sbin/shutdown
> > (we still do not have a shutdown policy):
> >
> > files_rw_generic_pids(nut_upsmon_t)
> > init_exec(nut_upsmon_t)
> > init_rw_initctl(nut_upsmon_t)
> > init_write_utmp(nut_upsmon_t)
> >
> > What are your thoughts?
> > I tested my policy on CentOS 5.3 with a couple of dozen
> > restarts/shutdowns. Debugging restarts/shutdowns is hell ;-)
> >
> > cheers,
> > Stefan
>
> Actually I believe Miroslav wrote this policy so I will forward this to him and you and he can work on consolidating the policies.
>
> I agree with your points and your naming is fine.

Hi Miroslav,

attached is the merged policy. Just a few questions left. In your
original policy you had the following rule

corenet_tcp_connect_ups_port(upsmon_t)

I can't find any such port definition in refpolicy.

Another question, what is the intention of the following

permissive upsd_t;
permissive upsdrvctl_t;
permissive upsmon_t;

Does that make the domain permissive by default? I'm unsure about these
ones.

cheers,
Stefan
-------------- next part --------------
/etc/ups(/.*)? gen_context(system_u:object_r:nut_conf_t,s0)

/sbin/apcsmart -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/bcmxcp -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/bcmxcp_usb -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/belkin -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/belkinunv -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/bestfcom -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/bestuferrups -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/bestups -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/blazer_ser -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/blazer_usb -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/cyberpower -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/dummy-ups -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/etapro -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/everups -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/gamatronic -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/genericups -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/isbmex -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/liebert -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/masterguard -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/megatec -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/megatec_usb -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/metasys -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/mge-shut -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/mge-utalk -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/microdowell -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/newmge-shut -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/oneac -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/optiups -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/powercom -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/powerman-pdu -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/powerpanel -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/rhino -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/richcomm_usb -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/safenet -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/skel -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/snmp-ups -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/solis -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/tripplite -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/tripplitesu -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/tripplite_usb -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/upscode2 -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/upsdrvctl -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/usbhid-ups -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/victronups -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)

/usr/sbin/upsd -- gen_context(system_u:object_r:nut_upsd_exec_t,s0)
/usr/sbin/upsmon -- gen_context(system_u:object_r:nut_upsmon_exec_t,s0)

/var/run/nut(/.*)? gen_context(system_u:object_r:nut_var_run_t,s0)

/var/www/nut-cgi-bin/upsimage\.cgi -- gen_context(system_u:object_r:httpd_nut_upscgi_script_exec_t,s0)
/var/www/nut-cgi-bin/upsset\.cgi -- gen_context(system_u:object_r:httpd_nut_upscgi_script_exec_t,s0)
/var/www/nut-cgi-bin/upsstats\.cgi -- gen_context(system_u:object_r:httpd_nut_upscgi_script_exec_t,s0)
-------------- next part --------------
## <summary>SELinux policy for NUT - Network UPS Tools </summary>

#####################################
## <summary>
## Execute a domain transition to run upsd.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`nut_upsd_domtrans',`
	gen_require(`
		type nut_upsd_t, nut_upsd_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, nut_upsd_exec_t, nut_upsd_t)
')

####################################
## <summary>
## Execute a domain transition to run upsmon.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`nut_upsmon_domtrans',`
	gen_require(`
		type nut_upsmon_t, nut_upsmon_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, nut_upsmon_exec_t, nut_upsmon_t)
')

####################################
## <summary>
## Execute a domain transition to run upsdrvctl.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`nut_upsdrvctl_domtrans',`
	gen_require(`
		type nut_upsdrvctl_t, nut_upsdrvctl_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, nut_upsdrvctl_exec_t, nut_upsdrvctl_t)
')
-------------- next part --------------

policy_module(nut, 1.0.0)

########################################
#
# Declarations
#

type nut_upsdrvctl_t;
type nut_upsdrvctl_exec_t;
init_daemon_domain(nut_upsdrvctl_t, nut_upsdrvctl_exec_t)

type nut_upsd_t;
type nut_upsd_exec_t;
init_daemon_domain(nut_upsd_t, nut_upsd_exec_t)

type nut_upsmon_t;
type nut_upsmon_exec_t;
init_daemon_domain(nut_upsmon_t, nut_upsmon_exec_t)

type nut_conf_t;
files_config_file(nut_conf_t)

type nut_var_run_t;
files_pid_file(nut_var_run_t)

permissive nut_upsdrvctl_t;
permissive nut_upsd_t;
permissive nut_upsmon_t;

########################################
#
# Local policy for upsdrvctl
#

allow nut_upsdrvctl_t self:capability { dac_override kill setgid setuid };
allow nut_upsdrvctl_t self:process { sigchld signal signull };
allow nut_upsdrvctl_t self:fifo_file rw_fifo_file_perms;
allow nut_upsdrvctl_t self:fd use;
allow nut_upsdrvctl_t self:unix_dgram_socket { create_socket_perms sendto };
allow nut_upsdrvctl_t self:udp_socket create_socket_perms;
allow nut_upsdrvctl_t self:netlink_route_socket create_netlink_socket_perms;
allow nut_upsdrvctl_t nut_var_run_t:sock_file { create unlink setattr };

# /sbin/upsdrvctl executes other drivers
can_exec(nut_upsdrvctl_t, nut_upsdrvctl_exec_t)

read_files_pattern(nut_upsdrvctl_t, nut_conf_t, nut_conf_t)
manage_files_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t)

# /etc/nsswitch.conf
files_read_etc_files(nut_upsdrvctl_t)
files_read_usr_files(nut_upsdrvctl_t)
files_search_pids(nut_upsdrvctl_t)
files_search_usr(nut_upsdrvctl_t)

dev_rw_generic_usb_dev(nut_upsdrvctl_t)

miscfiles_read_localization(nut_upsdrvctl_t)

# /etc/resolv.conf
sysnet_read_config(nut_upsdrvctl_t)

corecmd_search_bin(nut_upsdrvctl_t)

libs_read_lib_files(nut_upsdrvctl_t)

kernel_read_kernel_sysctls(nut_upsdrvctl_t)
kernel_sendrecv_unlabeled_association(nut_upsdrvctl_t)

init_sigchld(nut_upsdrvctl_t)

dev_read_urand(nut_upsdrvctl_t)
dev_rw_null(nut_upsdrvctl_t)

logging_send_syslog_msg(nut_upsdrvctl_t)

########################################
#
# Local policy for upsd
#

allow nut_upsd_t self:capability { setgid setuid };
allow nut_upsd_t self:netlink_route_socket create_netlink_socket_perms;
allow nut_upsd_t self:tcp_socket connected_stream_socket_perms;
allow nut_upsd_t self:unix_dgram_socket { create_socket_perms sendto };
allow nut_upsd_t nut_upsdrvctl_t:unix_stream_socket connectto;
allow nut_upsd_t nut_var_run_t:sock_file write;

read_files_pattern(nut_upsd_t, nut_conf_t, nut_conf_t)
manage_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)

# /etc/nsswitch.conf
files_read_etc_files(nut_upsd_t)

files_read_usr_files(nut_upsd_t)

miscfiles_read_localization(nut_upsd_t)

libs_read_lib_files(nut_upsd_t)

logging_send_syslog_msg(nut_upsd_t)

kernel_read_kernel_sysctls(nut_upsd_t)
kernel_sendrecv_unlabeled_association(nut_upsd_t)

corenet_tcp_bind_generic_port(nut_upsd_t)
corenet_tcp_bind_all_nodes(nut_upsd_t)

########################################
#
# Local policy for upsmon
#

allow nut_upsmon_t self:capability { dac_override dac_read_search setgid setuid };
allow nut_upsmon_t self:unix_dgram_socket { connect create write };
allow nut_upsmon_t self:tcp_socket create_socket_perms;
allow nut_upsmon_t self:unix_dgram_socket { create_socket_perms sendto };
allow nut_upsmon_t self:netlink_route_socket create_netlink_socket_perms;
allow nut_upsmon_t self:fifo_file rw_fifo_file_perms;

read_files_pattern(nut_upsmon_t, nut_conf_t, nut_conf_t)
manage_files_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t)

# creates /etc/killpower
files_manage_etc_files(nut_upsmon_t)

files_search_usr(nut_upsmon_t)

corecmd_exec_bin(nut_upsmon_t)
corecmd_exec_shell(nut_upsmon_t)

miscfiles_read_localization(nut_upsmon_t)

libs_read_lib_files(nut_upsmon_t)

logging_send_syslog_msg(nut_upsmon_t)

# /etc/resolv.conf
sysnet_read_config(nut_upsmon_t)

kernel_read_kernel_sysctls(nut_upsmon_t)
kernel_read_system_state(nut_upsmon_t)
kernel_sendrecv_unlabeled_association(nut_upsmon_t)

#corenet_tcp_connect_ups_port(nut_upsmon_t)
corenet_tcp_connect_generic_port(nut_upsmon_t)

# /usr/bin/wall
init_read_utmp(nut_upsmon_t)
term_write_all_terms(nut_upsmon_t)

# /sbin/shutdown
files_rw_generic_pids(nut_upsmon_t)
init_exec(nut_upsmon_t)
init_rw_initctl(nut_upsmon_t)
init_write_utmp(nut_upsmon_t)

########################################
#
# Local policy for upscgi scripts
# requires httpd_enable_cgi and httpd_can_network_connect
#

apache_content_template(nut_upscgi)

read_files_pattern(httpd_nut_upscgi_script_t, nut_conf_t, nut_conf_t)

# /etc/resolv.conf
sysnet_read_config(httpd_nut_upscgi_script_t)

2009-11-23 13:05:59

by mgrepl

Subject: [refpolicy] services_nut.patch

On 11/22/2009 03:59 PM, Stefan Schulze Frielinghaus wrote:
> On Mon, 2009-11-16 at 13:32 -0500, Daniel J Walsh wrote:
>
>> On 11/16/2009 09:31 AM, Stefan Schulze Frielinghaus wrote:
>>
>>> On Thu, 2009-11-12 at 16:46 -0500, Daniel J Walsh wrote:
>>>
>>>> http://people.fedoraproject.org/~dwalsh/SELinux/F12/services_nut.patch
>>>>
>>>> nut policy.
>>>>
>>> Some time ago I wrote a policy for NUT too (see attachment). I guess you
>>> tested your policy with a UPS connected via USB. Maybe we could merge
>>> both policies because I tested mine with the SNMP module of NUT.
>>>
>>> One note about your policy. Shouldn't we prefix all domains with "nut_"?
>>> This would indicate that e.g. each executable comes from the NUT
>>> project. Then we could also define one type for /var/run/nut (in my
>>> policy it is just nut_var_run_t) because the three main domains
>>> nut_upsd_t, nut_upsdrvctl_t and nut_upsmon_t write to the same location,
>>> share e.g. a socket file.
>>>
>>> I would also like to introduce a type for config files because clear
>>> text passwords are saved in there.
>>>
>>> Your domain upsmon_t needs also to write to all terms because it
>>> announces information via "wall". It also seems to miss the following
>>> permissions which are needed if upsmon_t should execute /sbin/shutdown
>>> (we still do not have a shutdown policy):
>>>
>>> files_rw_generic_pids(nut_upsmon_t)
>>> init_exec(nut_upsmon_t)
>>> init_rw_initctl(nut_upsmon_t)
>>> init_write_utmp(nut_upsmon_t)
>>>
>>> What are your thoughts?
>>> I tested my policy on CentOS 5.3 with a couple of dozen
>>> restarts/shutdowns. Debugging restarts/shutdowns is hell ;-)
>>>
>>> cheers,
>>> Stefan
>>>
>> Actually I believe Miroslav wrote this policy so I will forward this to him and you and he can work on consolidating the policies.
>>
>> I agree with your points and your naming is fine.
>>
> Hi Miroslav,
>
> attached is the merged policy.
Hi Stefan,


> Just a few questions left. In your
> original policy you had the following rule
>
> corenet_tcp_connect_ups_port(upsmon_t)
>
> I can't find any such port definition in refpolicy.
>
>
+network_port(ups, tcp,3493,s0)
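
Review bot: the added network_port(ups, tcp,3493,s0) line declares the port, but nothing in the merged nut.te posted in this thread uses it yet: corenet_tcp_connect_ups_port(nut_upsmon_t) is still commented out there, and upsd and upsmon still go through corenet_tcp_bind_generic_port(nut_upsd_t) and corenet_tcp_connect_generic_port(nut_upsmon_t). When this declaration is merged, re-enable the ups-specific connect rule for nut_upsmon_t and consider replacing the generic-port rules with the ups-specific ones, so both domains are confined to the port declared here rather than to every generically labelled port.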

This is missing in the original patch.

> Another question, what is the intention of the following
>
> permissive upsd_t;
> permissive upsdrvctl_t;
> permissive upsmon_t;
>
> Does that make the domain permissive by default?
Yes, it does. We add new domains to permissive so we can fix all the avc's without blocking the functionality of apps.

> I'm unsure about these
> ones.
>
> cheers,
> Stefan
>
Regards,

Miroslav

2009-11-23 14:36:41

by stefan

Subject: [refpolicy] services_nut.patch

On Mon, 2009-11-23 at 14:05 +0100, Miroslav Grepl wrote:
[...]
> > Another question, what is the intention of the following
> >
> > permissive upsd_t;
> > permissive upsdrvctl_t;
> > permissive upsmon_t;
> >
> > Does that make the domain permissive by default?
> Yes, it does. We add new domains to permissive so we can fix all the avc's without blocking the functionality of apps.

But not for refpolicy, right? I cannot find any such statement in the
policy modules of refpolicy. At least I wouldn't expect such a behavior
from modules of refpolicy. I guess we can remove those three lines.

If you are fine with the merge of both policies then we can commit it
(after the port change of course).

cheers
Stefan

2009-11-23 15:19:21

by cpebenito

Subject: [refpolicy] services_nut.patch

On Mon, 2009-11-23 at 15:36 +0100, Stefan Schulze Frielinghaus wrote:
> On Mon, 2009-11-23 at 14:05 +0100, Miroslav Grepl wrote:
> [...]
> > > Another question, what is the intention of the following
> > >
> > > permissive upsd_t;
> > > permissive upsdrvctl_t;
> > > permissive upsmon_t;
> > >
> > > Does that make the domain permissive by default?
> > Yes, it does. We add new domains to permissive so we can fix all the avc's without blocking the functionality of apps.
>
> But not for refpolicy, right? I cannot find any such statement in the
> policy modules of refpolicy. At least I wouldn't expect such a behavior
> from modules of refpolicy. I guess we can remove those three lines.
>
> If you are fine with the merge of both policies then we can commit it
> (after the port change of course).

My policy is to not have permissive domains in upstream refpolicy. If
the modules need more work the patch is dropped. Otherwise the
permissive is dropped.

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
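
The two review points raised in this thread (no `permissive` statements in an upstream module, and `corenet_*_ups_port` needing a matching `network_port(ups, ...)` declaration) can be checked mechanically before a module is submitted. The following is an added example, not code from the thread or from refpolicy; the function names, finding labels and the two sample excerpts are constructed for illustration, and the port declarations are assumed to be supplied as text in the `network_port(...)` form shown above.

```python
import re

# Constructed excerpt in the shape of the merged nut.te from this thread.
SAMPLE_TE = """\
policy_module(nut, 1.0.0)
type nut_upsd_t;
type nut_upsmon_t;
permissive nut_upsd_t;
permissive nut_upsmon_t;
#permissive nut_upsdrvctl_t;
corenet_tcp_bind_generic_port(nut_upsd_t)
corenet_tcp_bind_all_nodes(nut_upsd_t)
corenet_tcp_connect_ups_port(nut_upsmon_t)
corenet_tcp_connect_generic_port(nut_upsmon_t)
"""

# Constructed port declarations, before and after adding the ups port.
PORTS_BEFORE = "network_port(ssh, tcp,22,s0)\n"
PORTS_AFTER = PORTS_BEFORE + "network_port(ups, tcp,3493,s0)\n"

PERMISSIVE_RE = re.compile(r"^\s*permissive\s+([A-Za-z0-9_]+)\s*;")
PORT_DECL_RE = re.compile(r"^\s*network_port\(\s*([A-Za-z0-9_]+)\s*[,)]")
# corenet_<proto>_<action>_<name>_port(<domain>); "..._ports(" and
# "..._nodes(" interfaces deliberately do not match.
PORT_USE_RE = re.compile(
    r"^\s*corenet_(?:tcp|udp)_[a-z]+_([A-Za-z0-9_]+)_port"
    r"\(\s*([A-Za-z0-9_]+)\s*\)"
)


def strip_comment(line):
    """Drop everything from the first '#', the policy comment marker."""
    return line.split("#", 1)[0]


def declared_ports(ports_text):
    """Return the set of port names declared with network_port()."""
    names = set()
    for line in ports_text.splitlines():
        match = PORT_DECL_RE.match(strip_comment(line))
        if match:
            names.add(match.group(1))
    return names


def lint_module(te_text, ports_text):
    """Return (line number, finding, subject) tuples for a .te module.

    permissive-domain: the module ships a domain in permissive mode.
    undeclared-port:   a corenet_*_<name>_port interface is used but no
                       network_port(<name>, ...) declaration was supplied.
    generic-port:      the domain is granted access to generically
                       labelled ports instead of a service-specific one.
    """
    known = declared_ports(ports_text)
    findings = []
    for lineno, raw in enumerate(te_text.splitlines(), 1):
        line = strip_comment(raw)
        match = PERMISSIVE_RE.match(line)
        if match:
            findings.append((lineno, "permissive-domain", match.group(1)))
            continue
        match = PORT_USE_RE.match(line)
        if not match:
            continue
        port, domain = match.groups()
        if port == "generic":
            findings.append((lineno, "generic-port", domain))
        elif port not in known:
            findings.append((lineno, "undeclared-port", port))
    return findings


if __name__ == "__main__":
    for label, ports in (("before", PORTS_BEFORE), ("after", PORTS_AFTER)):
        print(label)
        for finding in lint_module(SAMPLE_TE, ports):
            print("  line %d: %s (%s)" % finding)
```

Commented-out statements are ignored, so a disabled `permissive` line or a disabled `corenet_tcp_connect_ups_port` call is not reported.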

2009-11-23 16:04:30

by stefan

Subject: [refpolicy] services_nut.patch

On Mon, 2009-11-23 at 10:19 -0500, Christopher J. PeBenito wrote:
> On Mon, 2009-11-23 at 15:36 +0100, Stefan Schulze Frielinghaus wrote:
> > On Mon, 2009-11-23 at 14:05 +0100, Miroslav Grepl wrote:
> > [...]
> > > > Another question, what is the intention of the following
> > > >
> > > > permissive upsd_t;
> > > > permissive upsdrvctl_t;
> > > > permissive upsmon_t;
> > > >
> > > > Does that make the domain permissive by default?
> > > Yes, it does. We add new domains to permissive so we can fix all the avc's without blocking the functionality of apps.
> >
> > But not for refpolicy, right? I cannot find any such statement in the
> > policy modules of refpolicy. At least I wouldn't expect such a behavior
> > from modules of refpolicy. I guess we can remove those three lines.
> >
> > If you are fine with the merge of both policies then we can commit it
> > (after the port change of course).
>
> My policy is to not have permissive domains in upstream refpolicy. If
> the modules need more work the patch is dropped. Otherwise the
> permissive is dropped.

Yes, this is what I thought. Since I use the NUT policy for about a year
and it has some intersection with Miroslav's policy (he uses NUT with a
ups attached via USB and mine via SNMP), I would say it is stable enough.

2009-11-23 16:09:06

by stefan

Subject: [refpolicy] services_nut.patch

On Mon, 2009-11-23 at 17:04 +0100, Stefan Schulze Frielinghaus wrote:
> On Mon, 2009-11-23 at 10:19 -0500, Christopher J. PeBenito wrote:
> > On Mon, 2009-11-23 at 15:36 +0100, Stefan Schulze Frielinghaus wrote:
> > > On Mon, 2009-11-23 at 14:05 +0100, Miroslav Grepl wrote:
> > > [...]
> > > > > Another question, what is the intention of the following
> > > > >
> > > > > permissive upsd_t;
> > > > > permissive upsdrvctl_t;
> > > > > permissive upsmon_t;
> > > > >
> > > > > Does that make the domain permissive by default?
> > > > Yes, it does. We add new domains to permissive so we can fix all the avc's without blocking the functionality of apps.
> > >
> > > But not for refpolicy, right? I cannot find any such statement in the
> > > policy modules of refpolicy. At least I wouldn't expect such a behavior
> > > from modules of refpolicy. I guess we can remove those three lines.
> > >
> > > If you are fine with the merge of both policies then we can commit it
> > > (after the port change of course).
> >
> > My policy is to not have permissive domains in upstream refpolicy. If
> > the modules need more work the patch is dropped. Otherwise the
> > permissive is dropped.
>
> Yes, this is what I thought. Since I use the NUT policy for about a year
> and it has some intersection with Miroslav's policy (he uses NUT with a
> ups attached via USB and mine via SNMP), I would say it is stable enough.

Just to make it precise. In general it is stable but I will wait for an
OK from Miroslav, then I'm going to rearrange some allow rules according
to the style-guidelines and will submit the patch again.

2009-11-23 17:17:37

by mgrepl

Subject: [refpolicy] services_nut.patch

On 11/23/2009 05:09 PM, Stefan Schulze Frielinghaus wrote:
> On Mon, 2009-11-23 at 17:04 +0100, Stefan Schulze Frielinghaus wrote:
>
>> On Mon, 2009-11-23 at 10:19 -0500, Christopher J. PeBenito wrote:
>>
>>> On Mon, 2009-11-23 at 15:36 +0100, Stefan Schulze Frielinghaus wrote:
>>>
>>>> On Mon, 2009-11-23 at 14:05 +0100, Miroslav Grepl wrote:
>>>> [...]
>>>>
>>>>>> Another question, what is the intention of the following
>>>>>>
>>>>>> permissive upsd_t;
>>>>>> permissive upsdrvctl_t;
>>>>>> permissive upsmon_t;
>>>>>>
>>>>>> Does that make the domain permissive by default?
>>>>>>
>>>>> Yes, it does. We add new domains to permissive so we can fix all the avc's without blocking the functionality of apps.
>>>>>
>>>> But not for refpolicy, right?
Yes, I meant in Fedora.

>>>> I cannot find any such statement in the
>>>> policy modules of refpolicy. At least I wouldn't expect such a behavior
>>>> from modules of refpolicy. I guess we can remove those three lines.
>>>>
>>>> If you are fine with the merge of both policies then we can commit it
>>>> (after the port change of course).
>>>>
>>> My policy is to not have permissive domains in upstream refpolicy. If
>>> the modules need more work the patch is dropped. Otherwise the
>>> permissive is dropped.
>>>
>> Yes, this is what I thought. Since I use the NUT policy for about a year
>> and it has some intersection with Miroslav's policy (he uses NUT with a
>> ups attached via USB and mine via SNMP), I would say it is stable enough.
>>
> Just to make it precise. In general it is stable but I will wait for an
> OK from Miroslav,
I will check it and let you know.

> then I'm going to rearrange some allow rules according
> to the style-guidelines and will submit the patch again.
>
>

2009-12-18 13:53:37

by cpebenito

Subject: [refpolicy] services_nut.patch

On Mon, 2009-11-23 at 18:17 +0100, Miroslav Grepl wrote:
> On 11/23/2009 05:09 PM, Stefan Schulze Frielinghaus wrote:
> > On Mon, 2009-11-23 at 17:04 +0100, Stefan Schulze Frielinghaus wrote:
> >> On Mon, 2009-11-23 at 10:19 -0500, Christopher J. PeBenito wrote:
> >>> On Mon, 2009-11-23 at 15:36 +0100, Stefan Schulze Frielinghaus wrote:
> >>>> On Mon, 2009-11-23 at 14:05 +0100, Miroslav Grepl wrote:
> >>>> [...]
> >>>>
> >>>>>> Another question, what is the intention of the following
> >>>>>>
> >>>>>> permissive upsd_t;
> >>>>>> permissive upsdrvctl_t;
> >>>>>> permissive upsmon_t;
> >>>>>>
> >>>>>> Does that make the domain permissive by default?
> >>>>>>
> >>>>> Yes, it does. We add new domains to permissive so we can fix all the avc's without blocking the functionality of apps.
> >>>>>
> >>>> But not for refpolicy, right?
> Yes, I meant in Fedora.
>
> >>>> I cannot find any such statement in the
> >>>> policy modules of refpolicy. At least I wouldn't expect such a behavior
> >>>> from modules of refpolicy. I guess we can remove those three lines.
> >>>>
> >>>> If you are fine with the merge of both policies then we can commit it
> >>>> (after the port change of course).
> >>>>
> >>> My policy is to not have permissive domains in upstream refpolicy. If
> >>> the modules need more work the patch is dropped. Otherwise the
> >>> permissive is dropped.
> >>>
> >> Yes, this is what I thought. Since I use the NUT policy for about a year
> >> and it has some intersection with Miroslav's policy (he uses NUT with a
> >> ups attached via USB and mine via SNMP), I would say it is stable enough.
> >>
> > Just to make it precise. In general it is stable but I will wait for an
> > OK from Miroslav,
> I will check it and let you know.

Was there any resolution on this?

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

2009-12-21 10:14:19

by stefan

Subject: [refpolicy] services_nut.patch

On Fri, 2009-12-18 at 08:53 -0500, Christopher J. PeBenito wrote:
[...]
> Was there any resolution on this?

Yes, but I had no physical access to my UPS for the last two weeks. At
the end of this week I will have physical access again and then I will
check that the policy is really working fine. So I expect a
tested/working policy in one to two weeks.

2009-12-25 12:55:00

by stefan

Subject: [refpolicy] services_nut.patch

On Mon, 2009-12-21 at 11:14 +0100, Stefan Schulze Frielinghaus wrote:
> On Fri, 2009-12-18 at 08:53 -0500, Christopher J. PeBenito wrote:
> [...]
> > Was there any resolution on this?
>
> Yes, but I had no physical access to my UPS for the last two weeks. At
> the end of this week I will have physical access again and then I will
> check that the policy is really working fine. So I expect a
> tested/working policy in one to two weeks.

I take the discussion back on list. Miroslav, from the latest policy I
did not change anything except I removed the duplicate policies for the
cgi scripts and uncommented the *_ups_port() stuff.

I'm fine with the attached policy (tested several times including a
shutdown and cgi services). Is the policy OK for you too?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: corenetwork.te.in.patch
Type: text/x-patch
Size: 745 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20091225/276f25a8/attachment.bin
-------------- next part --------------
/etc/ups(/.*)? gen_context(system_u:object_r:nut_conf_t,s0)

/sbin/upsdrvctl -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)

/usr/sbin/upsd -- gen_context(system_u:object_r:nut_upsd_exec_t,s0)
/usr/sbin/upsmon -- gen_context(system_u:object_r:nut_upsmon_exec_t,s0)

/var/run/nut(/.*)? gen_context(system_u:object_r:nut_var_run_t,s0)

/var/www/nut-cgi-bin/upsimage\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
/var/www/nut-cgi-bin/upsset\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
/var/www/nut-cgi-bin/upsstats\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
-------------- next part --------------
## <summary>SELinux policy for nut - Network UPS Tools </summary>
-------------- next part --------------

policy_module(nut, 1.0.0)

########################################
#
# Declarations
#

type nut_upsd_t;
type nut_upsd_exec_t;
init_daemon_domain(nut_upsd_t, nut_upsd_exec_t)

type nut_upsmon_t;
type nut_upsmon_exec_t;
init_daemon_domain(nut_upsmon_t, nut_upsmon_exec_t)

type nut_upsdrvctl_t;
type nut_upsdrvctl_exec_t;
init_daemon_domain(nut_upsdrvctl_t, nut_upsdrvctl_exec_t)

# conf files
type nut_conf_t;
files_config_file(nut_conf_t)

# pid files
type nut_var_run_t;
files_pid_file(nut_var_run_t)

########################################
#
# Local policy for upsd
#

allow nut_upsd_t self:capability { setgid setuid };

allow nut_upsd_t self:unix_dgram_socket { create_socket_perms sendto };
allow nut_upsd_t self:tcp_socket connected_stream_socket_perms;

allow nut_upsd_t nut_upsdrvctl_t:unix_stream_socket connectto;

read_files_pattern(nut_upsd_t, nut_conf_t, nut_conf_t)

# pid file
manage_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
manage_dirs_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
manage_sock_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
files_pid_filetrans(nut_upsd_t, nut_var_run_t, { file sock_file })

corenet_tcp_bind_ups_port(nut_upsd_t)
corenet_tcp_bind_generic_port(nut_upsd_t)
corenet_tcp_bind_all_nodes(nut_upsd_t)

kernel_read_kernel_sysctls(nut_upsd_t)

# /etc/nsswitch.conf
auth_use_nsswitch(nut_upsd_t)

files_read_usr_files(nut_upsd_t)

logging_send_syslog_msg(nut_upsd_t)

miscfiles_read_localization(nut_upsd_t)

########################################
#
# Local policy for upsmon
#

allow nut_upsmon_t self:capability { dac_override dac_read_search setgid setuid };

allow nut_upsmon_t self:fifo_file rw_fifo_file_perms;
allow nut_upsmon_t self:unix_dgram_socket { create_socket_perms sendto };
allow nut_upsmon_t self:tcp_socket create_socket_perms;

read_files_pattern(nut_upsmon_t, nut_conf_t, nut_conf_t)

# pid file
manage_files_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t)
manage_dirs_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t)
files_pid_filetrans(nut_upsmon_t, nut_var_run_t, { file })

corenet_tcp_connect_ups_port(nut_upsmon_t)
corenet_tcp_connect_generic_port(nut_upsmon_t)

corecmd_exec_bin(nut_upsmon_t)
corecmd_exec_shell(nut_upsmon_t)

kernel_read_kernel_sysctls(nut_upsmon_t)
kernel_read_system_state(nut_upsmon_t)

# Creates /etc/killpower
files_manage_etc_runtime_files(nut_upsmon_t)
files_etc_filetrans_etc_runtime(nut_upsmon_t, file)

auth_use_nsswitch(nut_upsmon_t)

files_search_usr(nut_upsmon_t)

logging_send_syslog_msg(nut_upsmon_t)

miscfiles_read_localization(nut_upsmon_t)

# /usr/bin/wall
term_write_all_terms(nut_upsmon_t)

# upsmon runs shutdown, probably need a shutdown domain
init_rw_utmp(nut_upsmon_t)
init_telinit(nut_upsmon_t)

########################################
#
# Local policy for upsdrvctl
#

allow nut_upsdrvctl_t self:capability { dac_override kill setgid setuid };
allow nut_upsdrvctl_t self:process { sigchld signal signull };
allow nut_upsdrvctl_t self:fd use;

allow nut_upsdrvctl_t self:fifo_file rw_fifo_file_perms;
allow nut_upsdrvctl_t self:unix_dgram_socket { create_socket_perms sendto };
allow nut_upsdrvctl_t self:udp_socket create_socket_perms;

read_files_pattern(nut_upsdrvctl_t, nut_conf_t, nut_conf_t)

# pid file
manage_files_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t)
manage_dirs_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t)
manage_sock_files_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t)
files_pid_filetrans(nut_upsdrvctl_t, nut_var_run_t, { file sock_file })

# /sbin/upsdrvctl executes other drivers
corecmd_exec_bin(nut_upsdrvctl_t)
corecmd_exec_sbin(nut_upsdrvctl_t)

kernel_read_kernel_sysctls(nut_upsdrvctl_t)

# /etc/nsswitch.conf
auth_use_nsswitch(nut_upsdrvctl_t)

dev_read_urand(nut_upsdrvctl_t)
dev_rw_generic_usb_dev(nut_upsdrvctl_t)

term_use_unallocated_ttys(nut_upsdrvctl_t)

logging_send_syslog_msg(nut_upsdrvctl_t)

miscfiles_read_localization(nut_upsdrvctl_t)

init_sigchld(nut_upsdrvctl_t)

#######################################
#
# Local policy for upscgi scripts
# requires httpd_enable_cgi and httpd_can_network_connect
#

optional_policy(`
	apache_content_template(nutups_cgi)

	read_files_pattern(httpd_nutups_cgi_script_t, nut_conf_t, nut_conf_t)

	corenet_tcp_connect_ups_port(httpd_nutups_cgi_script_t)
')
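
A pre-submission check for the point raised in this thread, that upstream refpolicy carries no `permissive` statements, as an added example that is not part of the posted policy or of refpolicy's tooling. It goes beyond the discussion by also flagging rules that name a `*_t` type the module never declares; `lint_te`, its `known` parameter and the sample module are constructed for illustration.

```python
import re

# Constructed sample module (not the policy posted in this thread).
SAMPLE_TE = """\
policy_module(demo, 1.0.0)

type demo_daemon_t;
type demo_daemon_exec_t;
init_daemon_domain(demo_daemon_t, demo_daemon_exec_t)

type demo_var_run_t;
files_pid_file(demo_var_run_t)

permissive demo_daemon_t;

allow demo_daemon_t self:capability { setgid setuid };
manage_files_pattern(demo_daemon_t, demo_var_run_t, demo_var_run_t)
corenet_tcp_connect_generic_port(daemon_t)  # stale, unprefixed name
"""

TYPE_DECL = re.compile(r"^\s*type\s+(\w+)\s*[;,]")
PERMISSIVE = re.compile(r"^\s*permissive\s+(\w+)\s*;")
ALLOW = re.compile(r"^\s*allow\s+(\w+)\s")
CALL = re.compile(r"^\s*(\w+)\(([^)]*)\)")

def lint_te(text, known=()):
    """Return (lineno, message) findings for a refpolicy-style .te module.

    `known` lists types declared elsewhere (by a template or another
    module); without it such types are reported as undeclared.
    """
    lines = [l.split("#", 1)[0] for l in text.splitlines()]  # drop comments
    declared = {m.group(1) for l in lines if (m := TYPE_DECL.match(l))}
    declared |= set(known)
    findings = []
    for no, line in enumerate(lines, 1):
        if m := PERMISSIVE.match(line):
            findings.append((no, f"permissive domain {m.group(1)}"))
            continue
        used = []
        if m := ALLOW.match(line):
            used = [m.group(1)]  # source domain of the allow rule
        elif m := CALL.match(line):
            # Interface call: check only arguments that look like types.
            used = [a.strip() for a in m.group(2).split(",")
                    if a.strip().endswith("_t")]
        for t in used:
            if t not in declared:
                findings.append((no, f"type {t} not declared in this module"))
    return findings
```

Types created by a template such as `apache_content_template()` have no `type` statement in the module, so pass them through `known`.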

2010-01-29 16:20:23

by mgrepl

Subject: [refpolicy] services_nut.patch

On 12/25/2009 01:55 PM, Stefan Schulze Frielinghaus wrote:
> On Mon, 2009-12-21 at 11:14 +0100, Stefan Schulze Frielinghaus wrote:
>
>> On Fri, 2009-12-18 at 08:53 -0500, Christopher J. PeBenito wrote:
>> [...]
>>
>>> Was there any resolution on this?
>>>
>> Yes, but I had no physical access to my UPS for the last two weeks. At
>> the end of this week I will have physical access again and then I will
>> check that the policy is really working fine. So I expect a
>> tested/working policy in one to two weeks.
>>
> I take the discussion back on list. Miroslav, from the latest policy I
> did not change anything except I removed the duplicate policies for the
> cgi scripts and uncommented the *_ups_port() stuff.
>
> I'm fine with the attached policy (tested several times including a
> shutdown and cgi services). Is the policy OK for you too?
>
I apologize, but I missed this last post from Stefan. Actually we use
this policy in Fedora so I believe the policy is ready.

The following link includes the nut policy that we have in Fedora.

http://mgrepl.fedorapeople.org/SELinux/F12/services_nut.patch

Regards,
Miroslav

2010-02-09 13:47:37

by cpebenito

Subject: [refpolicy] services_nut.patch

On Fri, 2009-12-25 at 13:55 +0100, Stefan Schulze Frielinghaus wrote:
> On Mon, 2009-12-21 at 11:14 +0100, Stefan Schulze Frielinghaus wrote:
> > On Fri, 2009-12-18 at 08:53 -0500, Christopher J. PeBenito wrote:
> > [...]
> > > Was there any resolution on this?
> >
> > Yes, but I had no physical access to my UPS for the last two weeks. At
> > the end of this week I will have physical access again and then I will
> > check that the policy is really working fine. So I expect a
> > tested/working policy in one to two weeks.
>
> I take the discussion back on list. Miroslav, from the latest policy I
> did not change anything except I removed the duplicate policies for the
> cgi scripts and uncommented the *_ups_port() stuff.
>
> I'm fine with the attached policy (tested several times including a
> shutdown and cgi services). Is the policy OK for you too?

Merged.

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150