2008-09-06 14:49:58

by domg472

Subject: [refpolicy] Another shot at Oident daemon.

Tested with F10

Please see attachment.

--
Dominick Grift <[email protected]>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: oident.patch
Type: text/x-patch
Size: 5654 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20080906/c74cddd2/attachment.bin


2008-10-06 14:05:32

by cpebenito

Subject: [refpolicy] Another shot at Oident daemon.

On Sat, 2008-09-06 at 16:49 +0200, Dominick Grift wrote:
> Tested with F10
>
> Please see attachment.

Merged, with a few tweaks.

>
> differences between files: attachment (oident.patch)
>
> diff --git a/policy/modules/services/oident.fc
> b/policy/modules/services/oident.fc
> new file mode 100644
> index 0000000..fb02592
> --- /dev/null
> +++ b/policy/modules/services/oident.fc
> @@ -0,0 +1,8 @@
> +/etc/oidentd
> \.conf -- gen_context(system_u:object_r:oidentd_config_t, s0)
> +/etc/oidentd_masq
> \.conf -- gen_context(system_u:object_r:oidentd_config_t,
> s0)
> +
> +/etc/rc\.d/init
> \.d/oidentd -- gen_context(system_u:object_r:oidentd_script_exec_t, s0)
> +
> +/usr/sbin/oidentd -- gen_context(system_u:object_r:oidentd_exec_t, s0)
> +
> +HOME_DIR/\.oidentd.conf gen_context(system_u:object_r:oidentd_ROLE_content_t, s0)
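Review bot: the `HOME_DIR/\.oidentd.conf` entry escapes the leading dot but not the one before `conf`; an unescaped `.` in a file context regex matches any character, so write it as `HOME_DIR/\.oidentd\.conf` for consistency with the `/etc/oidentd\.conf` entry above. This entry is also the only one without the `--` regular-file specifier the other lines use; adding it keeps the per-role label from being applied to anything but a regular file.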
> diff --git a/policy/modules/services/oident.if
> b/policy/modules/services/oident.if
> new file mode 100644
> index 0000000..df6fe8c
> --- /dev/null
> +++ b/policy/modules/services/oident.if
> @@ -0,0 +1,86 @@
> +## <summary>SELinux policy for Oident daemon.</summary>
> +## <desc>
> +## <p>
> +## Oident daemon is a server that implements the TCP/IP
> +## standard IDENT user identification protocol as
> +## specified in the RFC 1413 document.
> +## </p>
> +## </desc>
> +
> +#######################################
> +## <summary>
> +## The per role template for the Oidentd module.
> +## </summary>
> +## <desc>
> +## <p>
> +## This template creates derived domains which are used
> +## for Oident daemon.
> +## </p>
> +## <p>
> +## This template is invoked automatically for each user, and
> +## generally does not need to be invoked directly
> +## by policy writers.
> +## </p>
> +## </desc>
> +## <param name="userdomain_prefix">
> +## <summary>
> +## The prefix of the user domain (e.g., user
> +## is the prefix for user_t).
> +## </summary>
> +## </param>
> +## <param name="user_domain">
> +## <summary>
> +## The type of the user domain.
> +## </summary>
> +## </param>
> +## <param name="user_role">
> +## <summary>
> +## The role associated with the user domain.
> +## </summary>
> +## </param>
> +#
> +template(`oidentd_per_role_template', `
> +
> + ########################################
> + #
> + # Oident daemon shared declarations
> + #
> +
> + gen_require(`
> + attribute oidentd_user_content_type;
> + ')
> +
> + type oidentd_$1_content_t, oidentd_user_content_type;
> + files_type(oidentd_$1_content_t)
> +
> + typeattribute oidentd_$1_content_t oidentd_user_content_type;
> +
> + userdom_user_home_content($1, oidentd_$1_content_t)
> +
> + ########################################
> + #
> + # Oident daemon shared policy
> + #
> +
> + allow $2 oidentd_$1_content_t:file manage_file_perms;
> + allow $2 oidentd_$1_content_t:file relabel_file_perms;
> +')
> +
> +########################################
> +## <summary>
> +## Allow the specified domain to read
> +## Oidentd personal configuration files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`oidentd_read_user_content', `
> + gen_require(`
> + attribute oidentd_user_content_type;
> + ')
> +
> + allow $1 oidentd_user_content_type:file read_file_perms;
> +')
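Review bot: in `oidentd_per_role_template`, `type oidentd_$1_content_t, oidentd_user_content_type;` already attaches the attribute, so the later `typeattribute oidentd_$1_content_t oidentd_user_content_type;` is redundant and can be dropped. The documented `user_role` parameter (`$3`) is never referenced in the template body, which only uses `$1` and `$2`; either use it or remove it from the `<param>` list so the interface documentation matches what the template actually does.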
> diff --git a/policy/modules/services/oident.te
> b/policy/modules/services/oident.te
> new file mode 100644
> index 0000000..2291f6c
> --- /dev/null
> +++ b/policy/modules/services/oident.te
> @@ -0,0 +1,74 @@
> +
> +policy_module(oident, 0.0.4)
> +
> +########################################
> +#
> +# Oident daemon private declarations
> +#
> +
> +attribute oidentd_user_content_type;
> +
> +type oidentd_t;
> +type oidentd_exec_t;
> +init_daemon_domain(oidentd_t, oidentd_exec_t)
> +
> +type oidentd_script_exec_t;
> +init_script_file(oidentd_script_exec_t)
> +
> +type oidentd_config_t;
> +files_config_file(oidentd_config_t)
> +
> +########################################
> +#
> +# Oident daemon private policy
> +#
> +
> +allow oidentd_t self:capability { setuid setgid };
> +allow oidentd_t self:netlink_route_socket { write getattr read bind
> create nlmsg_read };
> +allow oidentd_t self:netlink_tcpdiag_socket { write read create
> nlmsg_read };
> +allow oidentd_t self:tcp_socket { setopt read bind create accept
> write getattr listen };
> +allow oidentd_t self:udp_socket { write read create connect getattr
> ioctl };
> +allow oidentd_t self:unix_dgram_socket { create connect };
> +
> +allow oidentd_t oidentd_config_t:file read_file_perms;
> +
> +corenet_all_recvfrom_unlabeled(oidentd_t)
> +corenet_all_recvfrom_netlabel(oidentd_t)
> +corenet_tcp_sendrecv_all_if(oidentd_t)
> +corenet_tcp_sendrecv_all_nodes(oidentd_t)
> +corenet_tcp_bind_all_nodes(oidentd_t)
> +corenet_tcp_bind_auth_port(oidentd_t);
> +
> +files_read_etc_files(oidentd_t)
> +
> +kernel_read_kernel_sysctls(oidentd_t)
> +kernel_read_network_state(oidentd_t)
> +kernel_read_network_state_symlinks(oidentd_t)
> +kernel_read_sysctl(oidentd_t)
> +
> +libs_use_ld_so(oidentd_t)
> +libs_use_shared_libs(oidentd_t)
> +
> +logging_send_syslog_msg(oidentd_t)
> +
> +miscfiles_read_localization(oidentd_t)
> +
> +oidentd_read_user_content(oidentd_t)
> +
> +sysnet_read_config(oidentd_t)
> +
> +userdom_search_all_users_home_dirs(oidentd_t)
> +
> +optional_policy(`
> + nis_use_ypbind(oidentd_t)
> +')
> +
> +tunable_policy(`use_samba_home_dirs', `
> + fs_list_cifs(oidentd_t)
> + fs_read_cifs_files(oidentd_t)
> +')
> +
> +tunable_policy(`use_nfs_home_dirs', `
> + fs_list_nfs(oidentd_t)
> + fs_read_nfs_files(oidentd_t)
> +')
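Review bot: `corenet_tcp_bind_auth_port(oidentd_t);` carries a trailing semicolon that none of the other interface calls in this file have; refpolicy interface calls are m4 macros and are written without one, so drop it. The `self:udp_socket { write read create connect getattr ioctl }` rule has no matching `corenet_udp_sendrecv_*` calls, unlike the TCP side, which is covered by `corenet_tcp_sendrecv_all_if` and `corenet_tcp_sendrecv_all_nodes`; if the UDP socket is for resolver lookups (the `sysnet_read_config` call suggests it is), add the corresponding UDP interface and node rules, otherwise remove the rule to keep the domain minimal. Also, new refpolicy modules conventionally start at `policy_module(oident, 1.0.0)` rather than `0.0.4`.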
> diff --git a/policy/modules/system/userdomain.if
> b/policy/modules/system/userdomain.if
> index 6c01e3c..64398d4 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -1217,6 +1217,10 @@ template(`userdom_unpriv_user_template', `
> ')
>
> optional_policy(`
> + oidentd_per_role_template($1, $1_usertype, $1_r)
> + ')
> +
> + optional_policy(`
> polkit_per_role_template($1, $1_usertype, $1_r)
> ')
>
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

2008-10-06 20:25:51

by Russell Coker

Subject: [refpolicy] Another shot at Oident daemon.

On Tuesday 07 October 2008 01:05, "Christopher J. PeBenito"
<[email protected]> wrote:
> > Please see attachment.
>
> Merged, with a few tweaks.

With the huge number of ident daemons, why does the policy need to be named
after this one?

Are we going to have pidentd_t, midentd_t, etc. as well?

--
russell at coker.com.au
http://etbe.coker.com.au/ My Blog

http://www.coker.com.au/sponsorship.html Sponsoring Free Software development

2008-10-08 12:52:09

by cpebenito

Subject: [refpolicy] Another shot at Oident daemon.

On Tue, 2008-10-07 at 06:25 +1000, Russell Coker wrote:
> On Tuesday 07 October 2008 01:05, "Christopher J. PeBenito"
> <[email protected]> wrote:
> > > Please see attachment.
> >
> > Merged, with a few tweaks.
>
> With the huge number of ident daemons, why does the policy need to be named
> after this one?
>
> Are we going to have pidentd_t, midentd_t, etc. as well?

Well if the policy works with little or no modification, I don't have a
problem renaming it to a generic name.

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150