2014-12-03 12:28:44

by Jason Zaman

Subject: [refpolicy] [PATCH] Add all the missing _admin interfaces to sysadm

Many of the foo_admin() interfaces were not applied to sysadm. This
patch adds all the ones that were missing. Each interface is added to the
same optional_policy block as the matching _role() interface if one was
already present.

Make all && make validate passes, but anyone else that can run any test
suites on this would be appreciated too.
---
policy/modules/roles/sysadm.te | 784 ++++++++++++++++++++++++++++++++++++++++-
1 file changed, 783 insertions(+), 1 deletion(-)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index aeac0ff..da7f18a 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -66,10 +66,47 @@ tunable_policy(`allow_ptrace',`
')

optional_policy(`
+ abrt_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ accountsd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ acct_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ afs_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ aiccu_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ aide_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ aisexecd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
amanda_run_recover(sysadm_t, sysadm_r)
')

optional_policy(`
+ amavis_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ amtu_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ apache_admin(sysadm_t, sysadm_r)
apache_run_helper(sysadm_t, sysadm_r)
#apache_run_all_scripts(sysadm_t, sysadm_r)
#apache_domtrans_sys_script(sysadm_t)
@@ -77,6 +114,11 @@ optional_policy(`
')

optional_policy(`
+ apcupsd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ apm_admin(sysadm_t, sysadm_r)
# cjp: why is this not apm_run_client
apm_domtrans_client(sysadm_t)
')
@@ -86,6 +128,11 @@ optional_policy(`
')

optional_policy(`
+ arpwatch_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ asterisk_admin(sysadm_t, sysadm_r)
asterisk_stream_connect(sysadm_t)
')

@@ -94,26 +141,104 @@ optional_policy(`
')

optional_policy(`
+ automount_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ avahi_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
backup_run(sysadm_t, sysadm_r)
')

optional_policy(`
+ bacula_admin(sysadm_t, sysadm_r)
bacula_run_admin(sysadm_t, sysadm_r)
')

optional_policy(`
+ bcfg2_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ bind_admin(sysadm_t, sysadm_r)
bind_run_ndc(sysadm_t, sysadm_r)
')

optional_policy(`
+ bird_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ bitlbee_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ boinc_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
bootloader_run(sysadm_t, sysadm_r)
')

optional_policy(`
+ bugzilla_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ cachefilesd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ calamaris_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ callweaver_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ canna_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ ccs_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ certmaster_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ certmonger_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
certwatch_run(sysadm_t, sysadm_r)
')

optional_policy(`
+ cfengine_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ cgroup_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ chronyd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ cipe_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ clamav_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
clock_run(sysadm_t, sysadm_r)
')

@@ -122,24 +247,101 @@ optional_policy(`
')

optional_policy(`
+ cmirrord_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ cobbler_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ collectd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ condor_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
consoletype_run(sysadm_t, sysadm_r)
')

optional_policy(`
+ corosync_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ couchdb_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ ctdb_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ cups_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ cvs_admin(sysadm_t, sysadm_r)
cvs_exec(sysadm_t)
')

optional_policy(`
+ cyphesis_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ cyrus_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ dante_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
dcc_run_cdcc(sysadm_t, sysadm_r)
dcc_run_client(sysadm_t, sysadm_r)
dcc_run_dbclean(sysadm_t, sysadm_r)
')

optional_policy(`
+ ddclient_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
ddcprobe_run(sysadm_t, sysadm_r)
')

optional_policy(`
+ denyhosts_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ devicekit_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ dhcpd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ dictd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ dirmngr_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ distcc_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ dkim_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
dmesg_exec(sysadm_t)
')

@@ -148,10 +350,54 @@ optional_policy(`
')

optional_policy(`
+ dnsmasq_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ dnssectrigger_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ dovecot_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
dpkg_run(sysadm_t, sysadm_r)
')

optional_policy(`
+ drbd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ dspam_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ entropyd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ exim_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ fail2ban_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ fcoe_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ fetchmail_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ firewalld_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
firstboot_run(sysadm_t, sysadm_r)
')

@@ -160,14 +406,75 @@ optional_policy(`
')

optional_policy(`
- hostname_run(sysadm_t, sysadm_r)
+ ftp_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ gatekeeper_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ gdomap_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ glance_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ glusterfs_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ gpm_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ gpsd_admin(sysadm_t, sysadm_r)
')

optional_policy(`
+ hadoop_admin(sysadm_t, sysadm_r)
hadoop_role(sysadm_r, sysadm_t)
')

optional_policy(`
+ hddtemp_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ hostname_run(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ howl_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ hypervkvp_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ i18n_input_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ icecast_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ ifplugd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ inn_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ iodine_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
# allow system administrator to use the ipsec script to look
# at things (e.g., ipsec auto --status)
# probably should create an ipsec_admin role for this kind of thing
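Review bot: The move of `hostname_run(sysadm_t, sysadm_r)` (removed at the top of this hunk and re-added further down in alphabetical position) is mixed in with the privilege additions, so when auditing the diff it reads as a dropped permission rather than a reorder. For a policy change of this size it is easier to verify if pure reorderings are kept in a separate commit, or at least called out in the commit message, so that every `+` line in the patch is a genuinely new grant to sysadm_t. The ipsec comment block at the end of this hunk belongs to an optional_policy whose body continues outside the hunk.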
@@ -182,14 +489,79 @@ optional_policy(`
')

optional_policy(`
+ irqbalance_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ iscsi_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ isnsd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ jabber_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ kdump_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ kerberos_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ kerneloops_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ keystone_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ kismet_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ ksmtuned_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ kudzu_admin(sysadm_t, sysadm_r)
kudzu_run(sysadm_t, sysadm_r)
')

optional_policy(`
+ l2tp_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ ldap_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
libs_run_ldconfig(sysadm_t, sysadm_r)
')

optional_policy(`
+ lightsquid_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ likewise_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ lircd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ lldpad_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
lockdev_role(sysadm_r, sysadm_t)
')

@@ -203,16 +575,48 @@ optional_policy(`
')

optional_policy(`
+ lsmd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
lvm_run(sysadm_t, sysadm_r)
')

optional_policy(`
+ mandb_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ mcelog_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ memcached_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ minidlna_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ minissdpd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
modutils_run_depmod(sysadm_t, sysadm_r)
modutils_run_insmod(sysadm_t, sysadm_r)
modutils_run_update_mods(sysadm_t, sysadm_r)
')

optional_policy(`
+ mongodb_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ monop_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
mount_run(sysadm_t, sysadm_r)
')

@@ -221,59 +625,234 @@ optional_policy(`
')

optional_policy(`
+ mpd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
mplayer_role(sysadm_r, sysadm_t)
')

optional_policy(`
+ mrtg_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ mscan_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
mta_role(sysadm_r, sysadm_t)
')

optional_policy(`
+ munin_admin(sysadm_t, sysadm_r)
munin_stream_connect(sysadm_t)
')

optional_policy(`
+ mysql_admin(sysadm_t, sysadm_r)
mysql_stream_connect(sysadm_t)
')

optional_policy(`
+ nagios_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ nessus_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
netutils_run(sysadm_t, sysadm_r)
netutils_run_ping(sysadm_t, sysadm_r)
netutils_run_traceroute(sysadm_t, sysadm_r)
')

optional_policy(`
+ networkmanager_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ nis_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ nscd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ nslcd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ ntop_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ ntp_admin(sysadm_t, sysadm_r)
ntp_stub()
corenet_udp_bind_ntp_port(sysadm_t)
')

optional_policy(`
+ numad_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ nut_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
oav_run_update(sysadm_t, sysadm_r)
')

optional_policy(`
+ oident_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ openct_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ openhpi_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ openvpn_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ openvswitch_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ pacemaker_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ pads_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
pcmcia_run_cardctl(sysadm_t, sysadm_r)
')

optional_policy(`
+ pcscd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ pegasus_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ perdition_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ pingd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ pkcs_admin_slotd(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ plymouthd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ polipo_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
portage_run(sysadm_t, sysadm_r)
portage_run_fetch(sysadm_t, sysadm_r)
portage_run_gcc_config(sysadm_t, sysadm_r)
')

optional_policy(`
+ portmap_admin(sysadm_t, sysadm_r)
portmap_run_helper(sysadm_t, sysadm_r)
')

optional_policy(`
+ portreserve_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ postfix_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ postfixpolicyd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ postgrey_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ ppp_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ prelude_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ privoxy_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ psad_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ puppet_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ pxe_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ pyicqt_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ pyzor_admin(sysadm_t, sysadm_r)
pyzor_role(sysadm_r, sysadm_t)
')

optional_policy(`
+ qpidd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ quantum_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ quota_admin(sysadm_t, sysadm_r)
quota_run(sysadm_t, sysadm_r)
')

optional_policy(`
+ rabbitmq_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ radius_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ radvd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ raid_admin_mdadm(sysadm_t, sysadm_r)
raid_run_mdadm(sysadm_r, sysadm_t)
')
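Review bot: The new `raid_admin_mdadm(sysadm_t, sysadm_r)` sits directly above the existing context line `raid_run_mdadm(sysadm_r, sysadm_t)`, whose arguments are in the opposite order. If raid_run_mdadm follows the usual refpolicy (domain, role) convention like the other _run_ calls in this file, that pre-existing line passes a role where a type is expected and would be worth checking against raid.if while this block is being touched; the mismatch is hedged because the interface definition is not in this diff. In the same hunk `ntp_admin` is added alongside the direct `corenet_udp_bind_ntp_port(sysadm_t)` grant on the shell domain itself, which is a broader right than running the ntp tools in their own domain; if ntp_admin already covers that use, the direct bind may be removable in a follow-up.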

@@ -282,10 +861,48 @@ optional_policy(`
')

optional_policy(`
+ redis_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ resmgr_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ rgmanager_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ rhcs_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ rhsmcertd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ ricci_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ rngd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ roundup_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ rpc_admin(sysadm_t, sysadm_r)
rpc_domtrans_nfsd(sysadm_t)
')

optional_policy(`
+ rpcbind_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ rpm_admin(sysadm_t, sysadm_r)
rpm_run(sysadm_t, sysadm_r)
')

@@ -294,10 +911,20 @@ optional_policy(`
')

optional_policy(`
+ rsync_admin(sysadm_t, sysadm_r)
rsync_exec(sysadm_t)
')

optional_policy(`
+ rtkit_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ rwho_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ samba_admin(sysadm_t, sysadm_r)
samba_run_net(sysadm_t, sysadm_r)
samba_run_winbind_helper(sysadm_t, sysadm_r)
')
@@ -307,6 +934,18 @@ optional_policy(`
')

optional_policy(`
+ sanlock_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ sasl_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ sblim_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
screen_role_template(sysadm, sysadm_r, sysadm_t)
')

@@ -315,11 +954,52 @@ optional_policy(`
')

optional_policy(`
+ sensord_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ setroubleshoot_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
seutil_run_setfiles(sysadm_t, sysadm_r)
seutil_run_runinit(sysadm_t, sysadm_r)
')

optional_policy(`
+ shorewall_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ slpd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ smartmon_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ smokeping_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ smstools_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ snmp_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ snort_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ soundserver_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ spamassassin_admin(sysadm_t, sysadm_r)
spamassassin_role(sysadm_r, sysadm_t)
')

@@ -328,10 +1008,18 @@ optional_policy(`
')

optional_policy(`
+ sssd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
staff_role_change(sysadm_r)
')

optional_policy(`
+ stapserver_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
su_role_template(sysadm, sysadm_r, sysadm_t)
')

@@ -340,15 +1028,43 @@ optional_policy(`
')

optional_policy(`
+ svnserve_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
sysnet_run_ifconfig(sysadm_t, sysadm_r)
sysnet_run_dhcpc(sysadm_t, sysadm_r)
')

optional_policy(`
+ sysstat_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ tcsd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ tftp_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ tgtd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
thunderbird_role(sysadm_r, sysadm_t)
')

optional_policy(`
+ tor_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ transproxy_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
tripwire_run_siggen(sysadm_t, sysadm_r)
tripwire_run_tripwire(sysadm_t, sysadm_r)
tripwire_run_twadmin(sysadm_t, sysadm_r)
@@ -364,6 +1080,10 @@ optional_policy(`
')

optional_policy(`
+ ulogd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
uml_role(sysadm_r, sysadm_t)
')

@@ -376,6 +1096,10 @@ optional_policy(`
')

optional_policy(`
+ uptime_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
usbmodules_run(sysadm_t, sysadm_r)
')

@@ -390,6 +1114,31 @@ optional_policy(`
')

optional_policy(`
+ uucp_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ uuidd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ varnishd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ varnishd_admin_varnishlog(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ vdagent_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ vhostmd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ virt_admin(sysadm_t, sysadm_r)
virt_stream_connect(sysadm_t)
')
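Review bot: `varnishd_admin` and `varnishd_admin_varnishlog` are emitted as two separate `optional_policy` blocks for the same module, while the rest of this file groups calls into one module in a single block (compare the `virt_admin`/`virt_stream_connect` pair at the end of this hunk). Merging the two varnishd calls into one `optional_policy(\`` block keeps the file consistent and makes it easier to see, per module, exactly what sysadm_t is granted.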

@@ -398,10 +1147,22 @@ optional_policy(`
')

optional_policy(`
+ vnstatd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
vpn_run(sysadm_t, sysadm_r)
')

optional_policy(`
+ watchdog_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ wdmd_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
webalizer_run(sysadm_t, sysadm_r)
')

@@ -418,15 +1179,32 @@ optional_policy(`
')

optional_policy(`
+ xfs_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
yam_run(sysadm_t, sysadm_r)
')

+optional_policy(`
+ zabbix_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ zarafa_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
+ zebra_admin(sysadm_t, sysadm_r)
+')
+
ifndef(`distro_redhat',`
optional_policy(`
auth_role(sysadm_r, sysadm_t)
')

optional_policy(`
+ bluetooth_admin(sysadm_t, sysadm_r)
bluetooth_role(sysadm_r, sysadm_t)
')
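Review bot: `bluetooth_admin(sysadm_t, sysadm_r)` is added inside the `ifndef(\`distro_redhat',\`` section, so sysadm only gets bluetooth administration rights on non-Red Hat builds; the same applies to `ircd_admin` in the next hunk. If that ifndef exists because the matching _role interfaces are handled differently on Red Hat, the _admin calls may not need the same exclusion and could live with the other unconditional _admin calls above; if the exclusion is deliberate, a short comment such as `# bluetooth/ircd admin intentionally skipped on distro_redhat` next to the ifndef would save the next reader from guessing. The ifndef block begins at the end of this hunk and closes outside it.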

@@ -467,6 +1245,10 @@ ifndef(`distro_redhat',`
')

optional_policy(`
+ ircd_admin(sysadm_t, sysadm_r)
+ ')
+
+ optional_policy(`
java_role(sysadm_r, sysadm_t)
')
')
--
2.0.4


2014-12-03 13:18:46

by cpebenito

[permalink] [raw]
Subject: [refpolicy] [PATCH] Add all the missing _admin interfaces to sysadm

On 12/3/2014 7:28 AM, Jason Zaman wrote:
> Lots of the foo_admin() interfaces were not applied to sysadm. This
> patch adds all the ones that were missing. Interfaces are added together
> with the matching _role() interface if it was already present.
>
> Make all && make validate passes, but anyone else that can run any test
> suites on this would be appreciated too.

I'm not opposed to this change, but I wonder about cases like these:

> +
> +optional_policy(`
> + asterisk_admin(sysadm_t, sysadm_r)
> asterisk_stream_connect(sysadm_t)
> ')

> optional_policy(`
> + bacula_admin(sysadm_t, sysadm_r)
> bacula_run_admin(sysadm_t, sysadm_r)
> ')

Since I would assume that the admin interface would already include the
existing rule.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2014-12-03 13:42:21

by Jason Zaman

[permalink] [raw]
Subject: [refpolicy] [PATCH] Add all the missing _admin interfaces to sysadm

On Wed, Dec 03, 2014 at 08:18:46AM -0500, Christopher J. PeBenito wrote:
> On 12/3/2014 7:28 AM, Jason Zaman wrote:
> > Lots of the foo_admin() interfaces were not applied to sysadm. This
> > patch adds all the ones that were missing. Interfaces are added together
> > with the matching _role() interface if it was already present.
> >
> > Make all && make validate passes, but anyone else that can run any test
> > suites on this would be appreciated too.
>
> I'm not opposed to this change, but I wonder about cases like these:
>
> > +
> > +optional_policy(`
> > + asterisk_admin(sysadm_t, sysadm_r)
> > asterisk_stream_connect(sysadm_t)
> > ')
>
> > optional_policy(`
> > + bacula_admin(sysadm_t, sysadm_r)
> > bacula_run_admin(sysadm_t, sysadm_r)
> > ')
>
> Since I would assume that the admin interface would already include the
> existing rule.

Bacula_admin does indeed call _run_admin so i'll take that away,
asterisk does not call _stream_connect so that one is correct. I will
fix up all the others like this in the patch and send again.

Could you perhaps also shed some light on:

optional_policy(`
+ apache_admin(sysadm_t, sysadm_r)
apache_run_helper(sysadm_t, sysadm_r)
#apache_run_all_scripts(sysadm_t, sysadm_r)
#apache_domtrans_sys_script(sysadm_t)
apache_role(sysadm_r, sysadm_t)
')

It looks like _admin calls _run_helper so that can be removed no
problem. Why are the other ones commented out? should i remove the
comments to clean it up in v2 of the patch then?

Also:
optional_policy(`
+ apm_admin(sysadm_t, sysadm_r)
# cjp: why is this not apm_run_client
apm_domtrans_client(sysadm_t)
')
apm_admin calls apm_run_client, which in turn calls _domtrans_, so if that
is what it should be (as the comment suggests) then this can be cleaned
up too.

-- Jason

2014-12-03 13:56:31

by cpebenito

[permalink] [raw]
Subject: [refpolicy] [PATCH] Add all the missing _admin interfaces to sysadm

On 12/3/2014 8:42 AM, Jason Zaman wrote:
> On Wed, Dec 03, 2014 at 08:18:46AM -0500, Christopher J. PeBenito wrote:
>> On 12/3/2014 7:28 AM, Jason Zaman wrote:
>>> Lots of the foo_admin() interfaces were not applied to sysadm. This
>>> patch adds all the ones that were missing. Interfaces are added together
>>> with the matching _role() interface if it was already present.
>>>
>>> Make all && make validate passes, but anyone else that can run any test
>>> suites on this would be appreciated too.
>>
>> I'm not opposed to this change, but I wonder about cases like these:
>>
>>> +
>>> +optional_policy(`
>>> + asterisk_admin(sysadm_t, sysadm_r)
>>> asterisk_stream_connect(sysadm_t)
>>> ')
>>
>>> optional_policy(`
>>> + bacula_admin(sysadm_t, sysadm_r)
>>> bacula_run_admin(sysadm_t, sysadm_r)
>>> ')
>>
>> Since I would assume that the admin interface would already include the
>> existing rule.
>
> Bacula_admin does indeed call _run_admin so i'll take that away,
> asterisk does not call _stream_connect so that one is correct. I will

I think there is still the question, should the stream connect be added
to the admin interface?

> fix up all the others like this in the patch and send again.
>
> Could you perhaps also shed some light on:
>
> optional_policy(`
> + apache_admin(sysadm_t, sysadm_r)
> apache_run_helper(sysadm_t, sysadm_r)
> #apache_run_all_scripts(sysadm_t, sysadm_r)
> #apache_domtrans_sys_script(sysadm_t)
> apache_role(sysadm_r, sysadm_t)
> ')
>
> It looks like _admin calls _run_helper so that can be removed no
> problem. Why are the other ones commented out? should i remove the
> comments to clean it up in v2 of the patch then?

From what I can tell from git blame, those have been commented out since
at least mid 2008, so they can be removed.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2014-12-03 14:27:27

by Dac Override

[permalink] [raw]
Subject: [refpolicy] [PATCH] Add all the missing _admin interfaces to sysadm

On Wed, 2014-12-03 at 08:56 -0500, Christopher J. PeBenito wrote:
> On 12/3/2014 8:42 AM, Jason Zaman wrote:
> > On Wed, Dec 03, 2014 at 08:18:46AM -0500, Christopher J. PeBenito wrote:
> >> On 12/3/2014 7:28 AM, Jason Zaman wrote:
> >>> Lots of the foo_admin() interfaces were not applied to sysadm. This
> >>> patch adds all the ones that were missing. Interfaces are added together
> >>> with the matching _role() interface if it was already present.
> >>>
> >>> Make all && make validate passes, but anyone else that can run any test
> >>> suites on this would be appreciated too.
> >>
> >> I'm not opposed to this change, but I wonder about cases like these:
> >>
> >>> +
> >>> +optional_policy(`
> >>> + asterisk_admin(sysadm_t, sysadm_r)
> >>> asterisk_stream_connect(sysadm_t)
> >>> ')
> >>
> >>> optional_policy(`
> >>> + bacula_admin(sysadm_t, sysadm_r)
> >>> bacula_run_admin(sysadm_t, sysadm_r)
> >>> ')
> >>
> >> Since I would assume that the admin interface would already include the
> >> existing rule.
> >
> > Bacula_admin does indeed call _run_admin so i'll take that away,
> > asterisk does not call _stream_connect so that one is correct. I will
>
> I think there is still the question, should the stream connect be added
> to the admin interface?
>

I would argue, no

The application used to stream connect should instead be confined, and
_admin should run that application via a domain transition instead.

2014-12-03 15:29:13

by Jason Zaman

[permalink] [raw]
Subject: [refpolicy] [PATCH] Add all the missing _admin interfaces to sysadm

On 3 Dec 2014 18:27, "Dominick Grift" <[email protected]> wrote:
>
> On Wed, 2014-12-03 at 08:56 -0500, Christopher J. PeBenito wrote:
> > On 12/3/2014 8:42 AM, Jason Zaman wrote:
> > > On Wed, Dec 03, 2014 at 08:18:46AM -0500, Christopher J. PeBenito
wrote:
> > >> On 12/3/2014 7:28 AM, Jason Zaman wrote:
> > >>> Lots of the foo_admin() interfaces were not applied to sysadm. This
> > >>> patch adds all the ones that were missing. Interfaces are added
together
> > >>> with the matching _role() interface if it was already present.
> > >>>
> > >>> Make all && make validate passes, but anyone else that can run any
test
> > >>> suites on this would be appreciated too.
> > >>
> > >> I'm not opposed to this change, but I wonder about cases like these:
> > >>
> > >>> +
> > >>> +optional_policy(`
> > >>> + asterisk_admin(sysadm_t, sysadm_r)
> > >>> asterisk_stream_connect(sysadm_t)
> > >>> ')
> > >>
> > >>> optional_policy(`
> > >>> + bacula_admin(sysadm_t, sysadm_r)
> > >>> bacula_run_admin(sysadm_t, sysadm_r)
> > >>> ')
> > >>
> > >> Since I would assume that the admin interface would already include
the
> > >> existing rule.
> > >
> > > Bacula_admin does indeed call _run_admin so i'll take that away,
> > > asterisk does not call _stream_connect so that one is correct. I will
> >
> > I think there is still the question, should the stream connect be added
> > to the admin interface?
> >
>
> I would argue, no
>
> The application use to stream connect should instead be confined and
> _admin should run that application with a domain transition instead
>
I think admining something and using it are not necessarily the same so I
agree with Dominick, they should be separate.

Along with stream connect, should _admin always call _role? It makes things
complicated and was the reason I removed it in the earlier patches.

The problem with having things in the admin interface is that if someone
wants to give foo_admin to staff_t which already has foo_role applied then
there are problems cuz named filetrans can't be applied twice and a number
of role interfaces have them.

-- Jason

2014-12-03 15:39:43

by Dac Override

[permalink] [raw]
Subject: [refpolicy] [PATCH] Add all the missing _admin interfaces to sysadm

On Wed, Dec 03, 2014 at 08:56:31AM -0500, Christopher J. PeBenito wrote:
> >>
> >> I'm not opposed to this change, but I wonder about cases like these:
> >>
> >>> +
> >>> +optional_policy(`
> >>> + asterisk_admin(sysadm_t, sysadm_r)
> >>> asterisk_stream_connect(sysadm_t)
> >>> ')
> >>
> >> Since I would assume that the admin interface would already include the
> >> existing rule.
> >
> > Bacula_admin does indeed call _run_admin so i'll take that away,
> > asterisk does not call _stream_connect so that one is correct. I will
>
> I think there is still the question, should the stream connect be added
> to the admin interface?
>

In my opinion, where refpolicy went wrong is by allowing confined user domains this low-level access in the first place:
shells do not stream connect, applications do. sysadm is a strict domain, so it should run the app that stream connects in the app's domain via a domain transition, if that makes sense.

That is strict. Anything else is "drunken unconfined" in my view, or at least a compromise.

In my vision confined users should be strictly enforced (least privilege) or at least as much as possible

This will inflate the policy in a huge way, i see that. However the policy should be modular anyway. One should only have installed what one needs (which is another things that in practice proves to be currently not working well)

Ask yourself do you know anyone that disables modules that he doesnt need when it installs a system? (i tried it once and its a huge pain, i gave up trying. The toolchain (semodule) cant tell you the dependencies, so it just fails an you wont know why or where it fails))

if you run a asterisk server and you want it strict then you should be able to have it strict.

But thats where other decisions were made, now we have a huge policy that "tries to do everything, but does nothing right". well its not that dramatic but it is not perfect either (although nothing ever is)

In my view a huge policy is not a problem but the policy that is there should at least be applicable.

There would be room for compromise though. for example confined admins wouldnt run apps like systemctl with a domain transition because that wouldnt work either, but there should be finer line than there currently is in my view (systemd ctl commands are an exception)

--
Dominick Grift

2014-12-03 15:41:45

by Dac Override

[permalink] [raw]
Subject: [refpolicy] [PATCH] Add all the missing _admin interfaces to sysadm

On Wed, Dec 03, 2014 at 07:29:13PM +0400, Jason Zaman wrote:
> On 3 Dec 2014 18:27, "Dominick Grift" <[email protected]> wrote:
> >
> > On Wed, 2014-12-03 at 08:56 -0500, Christopher J. PeBenito wrote:
> > > On 12/3/2014 8:42 AM, Jason Zaman wrote:
> > > > On Wed, Dec 03, 2014 at 08:18:46AM -0500, Christopher J. PeBenito
> wrote:
> > > >> On 12/3/2014 7:28 AM, Jason Zaman wrote:
> > > >>> Lots of the foo_admin() interfaces were not applied to sysadm. This
> > > >>> patch adds all the ones that were missing. Interfaces are added
> together
> > > >>> with the matching _role() interface if it was already present.
> > > >>>
> > > >>> Make all && make validate passes, but anyone else that can run any
> test
> > > >>> suites on this would be appreciated too.
> > > >>
> > > >> I'm not opposed to this change, but I wonder about cases like these:
> > > >>
> > > >>> +
> > > >>> +optional_policy(`
> > > >>> + asterisk_admin(sysadm_t, sysadm_r)
> > > >>> asterisk_stream_connect(sysadm_t)
> > > >>> ')
> > > >>
> > > >>> optional_policy(`
> > > >>> + bacula_admin(sysadm_t, sysadm_r)
> > > >>> bacula_run_admin(sysadm_t, sysadm_r)
> > > >>> ')
> > > >>
> > > >> Since I would assume that the admin interface would already include
> the
> > > >> existing rule.
> > > >
> > > > Bacula_admin does indeed call _run_admin so i'll take that away,
> > > > asterisk does not call _stream_connect so that one is correct. I will
> > >
> > > I think there is still the question, should the stream connect be added
> > > to the admin interface?
> > >
> >
> > I would argue, no
> >
> > The application use to stream connect should instead be confined and
> > _admin should run that application with a domain transition instead
> >
> I think admining something and using it are not necessarily the same so I
> agree with Dominick, they should be separate.
>
> Along with stream connect, should _admin always call _role? It makes things
> complicated and was the reason I removed in the earlier patches.
>
> The problem with having things in the admin interface is that if someone
> wants to give foo_admin to staff_t which already has foo_role applied then
> there are problems cuz named filetrans can't be applied twice and a number
> of role interfaces have them.
>

I think you misunderstood me. In my view there should not be an asterisk_stream_connect() called directly by a strict user domain at all

be it admin user domain or otherwise

--
Dominick Grift

2014-12-03 15:44:53

by cpebenito

Subject: [refpolicy] [PATCH] Add all the missing _admin interfaces to sysadm

On 12/3/2014 10:29 AM, Jason Zaman wrote:
>
> On 3 Dec 2014 18:27, "Dominick Grift" <[email protected]
> <mailto:[email protected]>> wrote:
>>
>> On Wed, 2014-12-03 at 08:56 -0500, Christopher J. PeBenito wrote:
>> > On 12/3/2014 8:42 AM, Jason Zaman wrote:
>> > > On Wed, Dec 03, 2014 at 08:18:46AM -0500, Christopher J. PeBenito
> wrote:
>> > >> On 12/3/2014 7:28 AM, Jason Zaman wrote:
>> > >>> Lots of the foo_admin() interfaces were not applied to sysadm. This
>> > >>> patch adds all the ones that were missing. Interfaces are added
> together
>> > >>> with the matching _role() interface if it was already present.
>> > >>>
>> > >>> Make all && make validate passes, but anyone else that can run
> any test
>> > >>> suites on this would be appreciated too.
>> > >>
>> > >> I'm not opposed to this change, but I wonder about cases like these:
>> > >>
>> > >>> +
>> > >>> +optional_policy(`
>> > >>> + asterisk_admin(sysadm_t, sysadm_r)
>> > >>> asterisk_stream_connect(sysadm_t)
>> > >>> ')
>> > >>
>> > >>> optional_policy(`
>> > >>> + bacula_admin(sysadm_t, sysadm_r)
>> > >>> bacula_run_admin(sysadm_t, sysadm_r)
>> > >>> ')
>> > >>
>> > >> Since I would assume that the admin interface would already
> include the
>> > >> existing rule.
>> > >
>> > > Bacula_admin does indeed call _run_admin so i'll take that away,
>> > > asterisk does not call _stream_connect so that one is correct. I will
>> >
>> > I think there is still the question, should the stream connect be added
>> > to the admin interface?
>> >
>>
>> I would argue, no
>>
>> The application use to stream connect should instead be confined and
>> _admin should run that application with a domain transition instead
>>
> I think admining something and using it are not necessarily the same so
> I agree with Dominick, they should be separate.

I also agree. The admin interfaces should have all of the rules needed
to admin the service, and that's it. If that socket connect is not
related to an admin function, then it should remain separate. I asked
the question since I was unsure why there was a stream connect.


> Along with stream connect, should _admin always call _role? It makes
> things complicated and was the reason I removed in the earlier patches.

No, the admin interfaces should probably never call role, since using a
service (in an unprivileged/client sense) is something different than
admining a service.


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2014-12-03 15:50:39

by Dac Override

Subject: [refpolicy] [PATCH] Add all the missing _admin interfaces to sysadm

On Wed, Dec 03, 2014 at 04:39:43PM +0100, Dominick Grift wrote:
> On Wed, Dec 03, 2014 at 08:56:31AM -0500, Christopher J. PeBenito wrote:
> > >>
> > >> I'm not opposed to this change, but I wonder about cases like these:
> > >>
> > >>> +
> > >>> +optional_policy(`
> > >>> + asterisk_admin(sysadm_t, sysadm_r)
> > >>> asterisk_stream_connect(sysadm_t)
> > >>> ')
> > >>
> > >> Since I would assume that the admin interface would already include the
> > >> existing rule.
> > >
> > > Bacula_admin does indeed call _run_admin so i'll take that away,
> > > asterisk does not call _stream_connect so that one is correct. I will
> >
> > I think there is still the question, should the stream connect be added
> > to the admin interface?
> >
>
> In my opinion where refpolicy went wrong is by allowing confined user domains this low level access in the first place
> shells do not stream connect, applications do.sysadm is a strict domain and so it should run the app that stream connects in the apps domain with a domain transition if that makes sense.
>
> That is strict. Anything else is "drunken unconfined" in my view, or at least a compromise.
>
> In my vision confined users should be strictly enforced (least privilege) or at least as much as possible
>
> This will inflate the policy in a huge way, i see that. However the policy should be modular anyway. One should only have installed what one needs (which is another things that in practice proves to be currently not working well)
>
> Ask yourself do you know anyone that disables modules that he doesnt need when it installs a system? (i tried it once and its a huge pain, i gave up trying. The toolchain (semodule) cant tell you the dependencies, so it just fails an you wont know why or where it fails))
>
> if you run a asterisk server and you want it strict then you should be able to have it strict.
>
> But thats where other decisions were made, now we have a huge policy that "tries to do everything, but does nothing right". well its not that dramatic but it is not perfect either (although nothing ever is)
>
> In my view a huge policy is not a problem but the policy that is there should at least be applicable.
>
> There would be room for compromise though. for example confined admins wouldnt run apps like systemctl with a domain transition because that wouldnt work either, but there should be finer line than there currently is in my view (systemd ctl commands are an exception)
>


By the way: Walsh once dubbed the term "drunken unconfined_t" but i doubt that he meant the same as i do.

I am borrowing the term for identifying domains that have excessive permissions


--
Dominick Grift

2014-12-03 15:50:34

by cpebenito

Subject: [refpolicy] [PATCH] Add all the missing _admin interfaces to sysadm

On 12/3/2014 10:44 AM, Christopher J. PeBenito wrote:
> On 12/3/2014 10:29 AM, Jason Zaman wrote:
>>
>> On 3 Dec 2014 18:27, "Dominick Grift" <[email protected]
>> <mailto:[email protected]>> wrote:
>>>
>>> On Wed, 2014-12-03 at 08:56 -0500, Christopher J. PeBenito wrote:
>>>> On 12/3/2014 8:42 AM, Jason Zaman wrote:
>>>>> On Wed, Dec 03, 2014 at 08:18:46AM -0500, Christopher J. PeBenito
>> wrote:
>>>>>> On 12/3/2014 7:28 AM, Jason Zaman wrote:
>>>>>>> Lots of the foo_admin() interfaces were not applied to sysadm. This
>>>>>>> patch adds all the ones that were missing. Interfaces are added
>> together
>>>>>>> with the matching _role() interface if it was already present.
>>>>>>>
>>>>>>> Make all && make validate passes, but anyone else that can run
>> any test
>>>>>>> suites on this would be appreciated too.
>>>>>>
>>>>>> I'm not opposed to this change, but I wonder about cases like these:
>>>>>>
>>>>>>> +
>>>>>>> +optional_policy(`
>>>>>>> + asterisk_admin(sysadm_t, sysadm_r)
>>>>>>> asterisk_stream_connect(sysadm_t)
>>>>>>> ')

>>>> I think there is still the question, should the stream connect be added
>>>> to the admin interface?
>>>>
>>>
>>> I would argue, no
>>>
>>> The application use to stream connect should instead be confined and
>>> _admin should run that application with a domain transition instead
>>>
>> I think admining something and using it are not necessarily the same so
>> I agree with Dominick, they should be separate.
>
> I also agree. The admin interfaces should have all of the rules needed
> to admin the service, and that's it. If that socket connect is not
> related to an admin function, then it should remain separate. I asked
> the question since I was unsure why there was a stream connect.

From the commit, Sven said:

>Author: Sven Vermeulen
>Date: Mon Oct 3 21:24:38 2011 +0200
>
>Allow sysadm to interact with asterisk
>
>When administering asterisk, one often ran command is "asterisk -r"
>which yields the asterisk CLI (when the asterisk server is running). To
>be able to run this, you need asterisk_stream_connect privileges.
>
>Assign these privileges to the sysadm_r


Which tells me that the stream connect should be added to the admin
interface.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2014-12-03 15:55:22

by Dac Override

Subject: [refpolicy] [PATCH] Add all the missing _admin interfaces to sysadm

On Wed, Dec 03, 2014 at 10:50:34AM -0500, Christopher J. PeBenito wrote:
> On 12/3/2014 10:44 AM, Christopher J. PeBenito wrote:
> > On 12/3/2014 10:29 AM, Jason Zaman wrote:
> >>
> >> On 3 Dec 2014 18:27, "Dominick Grift" <[email protected]
> >> <mailto:[email protected]>> wrote:
> >>>
> >>> On Wed, 2014-12-03 at 08:56 -0500, Christopher J. PeBenito wrote:
> >>>> On 12/3/2014 8:42 AM, Jason Zaman wrote:
> >>>>> On Wed, Dec 03, 2014 at 08:18:46AM -0500, Christopher J. PeBenito
> >> wrote:
> >>>>>> On 12/3/2014 7:28 AM, Jason Zaman wrote:
> >>>>>>> Lots of the foo_admin() interfaces were not applied to sysadm. This
> >>>>>>> patch adds all the ones that were missing. Interfaces are added
> >> together
> >>>>>>> with the matching _role() interface if it was already present.
> >>>>>>>
> >>>>>>> Make all && make validate passes, but anyone else that can run
> >> any test
> >>>>>>> suites on this would be appreciated too.
> >>>>>>
> >>>>>> I'm not opposed to this change, but I wonder about cases like these:
> >>>>>>
> >>>>>>> +
> >>>>>>> +optional_policy(`
> >>>>>>> + asterisk_admin(sysadm_t, sysadm_r)
> >>>>>>> asterisk_stream_connect(sysadm_t)
> >>>>>>> ')
>
> >>>> I think there is still the question, should the stream connect be added
> >>>> to the admin interface?
> >>>>
> >>>
> >>> I would argue, no
> >>>
> >>> The application use to stream connect should instead be confined and
> >>> _admin should run that application with a domain transition instead
> >>>
> >> I think admining something and using it are not necessarily the same so
> >> I agree with Dominick, they should be separate.
> >
> > I also agree. The admin interfaces should have all of the rules needed
> > to admin the service, and that's it. If that socket connect is not
> > related to an admin function, then it should remain separate. I asked
> > the question since I was unsure why there was a stream connect.
>
> From the commit, Sven said:
>
> >Author: Sven Vermeulen
> >Date: Mon Oct 3 21:24:38 2011 +0200
> >
> >Allow sysadm to interact with asterisk
> >
> >When administering asterisk, one often ran command is "asterisk -r"
> >which yields the asterisk CLI (when the asterisk server is running). To
> >be able to run this, you need asterisk_stream_connect privileges.
> >
> >Assign these privileges to the sysadm_r
>
>
> Which tells me that the stream connect should be added to the admin
> interface.
>

Where do you draw the line, are you now also adding all the permissions to sysadm_t that asterisk cli needs to run?

You don't see them now because sysadm_t is virtually unconfined_t already, but I bet the app needs permissions that a normal confined shell session does not need.

Why not just run the asterisk CLI with a domain transition and associate these permissions with that domain instead of sysadm_t?

--
Dominick Grift

2014-12-03 16:07:56

by cpebenito

Subject: [refpolicy] [PATCH] Add all the missing _admin interfaces to sysadm

On 12/3/2014 10:39 AM, Dominick Grift wrote:
> On Wed, Dec 03, 2014 at 08:56:31AM -0500, Christopher J. PeBenito
> wrote:
>>>>
>>>> I'm not opposed to this change, but I wonder about cases
>>>> like these:
>>>>
>>>>> + +optional_policy(` + asterisk_admin(sysadm_t, sysadm_r)
>>>>> asterisk_stream_connect(sysadm_t) ')
>>>>
>>>> Since I would assume that the admin interface would already
>>>> include the existing rule.
>>>
>>> Bacula_admin does indeed call _run_admin so i'll take that
>>> away, asterisk does not call _stream_connect so that one is
>>> correct. I will
>>
>> I think there is still the question, should the stream connect
>> be added to the admin interface?
>>
>
> In my opinion where refpolicy went wrong is by allowing confined
> user domains this low level access in the first place shells do
> not stream connect, applications do.sysadm is a strict domain and
> so it should run the app that stream connects in the apps domain
> with a domain transition if that makes sense.
>
> That is strict. Anything else is "drunken unconfined" in my view,
> or at least a compromise.
>
> In my vision confined users should be strictly enforced (least
> privilege) or at least as much as possible

I understand your position, but I believe the (IMO modest) gains don't
outweigh the additional complexity cost. In this case, if your admin
is abusing their privileges, then there is a worse problem. I think a
more effective confinement would be eliminating sysadm's blanket
manage access on basically the entire filesystem. If all these admin
interfaces work well, all that access won't be necessary.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2014-12-03 16:12:00

by cpebenito

Subject: [refpolicy] [PATCH] Add all the missing _admin interfaces to sysadm

On 12/3/2014 10:55 AM, Dominick Grift wrote:
> On Wed, Dec 03, 2014 at 10:50:34AM -0500, Christopher J. PeBenito wrote:
>> On 12/3/2014 10:44 AM, Christopher J. PeBenito wrote:
>>> On 12/3/2014 10:29 AM, Jason Zaman wrote:
>>>>
>>>> On 3 Dec 2014 18:27, "Dominick Grift" <[email protected]
>>>> <mailto:[email protected]>> wrote:
>>>>>
>>>>> On Wed, 2014-12-03 at 08:56 -0500, Christopher J. PeBenito wrote:
>>>>>> On 12/3/2014 8:42 AM, Jason Zaman wrote:
>>>>>>> On Wed, Dec 03, 2014 at 08:18:46AM -0500, Christopher J. PeBenito
>>>> wrote:
>>>>>>>> On 12/3/2014 7:28 AM, Jason Zaman wrote:
>>>>>>>>> Lots of the foo_admin() interfaces were not applied to sysadm. This
>>>>>>>>> patch adds all the ones that were missing. Interfaces are added
>>>> together
>>>>>>>>> with the matching _role() interface if it was already present.
>>>>>>>>>
>>>>>>>>> Make all && make validate passes, but anyone else that can run
>>>> any test
>>>>>>>>> suites on this would be appreciated too.
>>>>>>>>
>>>>>>>> I'm not opposed to this change, but I wonder about cases like these:
>>>>>>>>
>>>>>>>>> +
>>>>>>>>> +optional_policy(`
>>>>>>>>> + asterisk_admin(sysadm_t, sysadm_r)
>>>>>>>>> asterisk_stream_connect(sysadm_t)
>>>>>>>>> ')
>>
>>>>>> I think there is still the question, should the stream connect be added
>>>>>> to the admin interface?
>>>>>>
>>>>>
>>>>> I would argue, no
>>>>>
>>>>> The application use to stream connect should instead be confined and
>>>>> _admin should run that application with a domain transition instead
>>>>>
>>>> I think admining something and using it are not necessarily the same so
>>>> I agree with Dominick, they should be separate.
>>>
>>> I also agree. The admin interfaces should have all of the rules needed
>>> to admin the service, and that's it. If that socket connect is not
>>> related to an admin function, then it should remain separate. I asked
>>> the question since I was unsure why there was a stream connect.
>>
>> From the commit, Sven said:
>>
>>> Author: Sven Vermeulen
>>> Date: Mon Oct 3 21:24:38 2011 +0200
>>>
>>> Allow sysadm to interact with asterisk
>>>
>>> When administering asterisk, one often ran command is "asterisk -r"
>>> which yields the asterisk CLI (when the asterisk server is running). To
>>> be able to run this, you need asterisk_stream_connect privileges.
>>>
>>> Assign these privileges to the sysadm_r
>>
>>
>> Which tells me that the stream connect should be added to the admin
>> interface.
>>
>
> Where do you draw the line, are you now also adding all the permissions to sysadm_t that asterisk cli needs to run?
>
> You dont see them now because sysadm_t is virtually unconfined_t already, but i bet the app needs permissions that a normal confined shell session does not need
>
> why not just run the asterisk cli with a domain transition and associate these permission with at domain instead of sysadm_t?

See my other email. If we further constrain sysadm_t, it may make more
sense to do that, but at this time I don't think it's warranted.


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2014-12-03 16:19:50

by Dac Override

Subject: [refpolicy] [PATCH] Add all the missing _admin interfaces to sysadm

On Wed, Dec 03, 2014 at 11:12:00AM -0500, Christopher J. PeBenito wrote:
> On 12/3/2014 10:55 AM, Dominick Grift wrote:
> > On Wed, Dec 03, 2014 at 10:50:34AM -0500, Christopher J. PeBenito wrote:
> >> On 12/3/2014 10:44 AM, Christopher J. PeBenito wrote:
> >>> On 12/3/2014 10:29 AM, Jason Zaman wrote:
> >>>>
> >>>> On 3 Dec 2014 18:27, "Dominick Grift" <[email protected]
> >>>> <mailto:[email protected]>> wrote:
> >>>>>
> >>>>> On Wed, 2014-12-03 at 08:56 -0500, Christopher J. PeBenito wrote:
> >>>>>> On 12/3/2014 8:42 AM, Jason Zaman wrote:
> >>>>>>> On Wed, Dec 03, 2014 at 08:18:46AM -0500, Christopher J. PeBenito
> >>>> wrote:
> >>>>>>>> On 12/3/2014 7:28 AM, Jason Zaman wrote:
> >>>>>>>>> Lots of the foo_admin() interfaces were not applied to sysadm. This
> >>>>>>>>> patch adds all the ones that were missing. Interfaces are added
> >>>> together
> >>>>>>>>> with the matching _role() interface if it was already present.
> >>>>>>>>>
> >>>>>>>>> Make all && make validate passes, but anyone else that can run
> >>>> any test
> >>>>>>>>> suites on this would be appreciated too.
> >>>>>>>>
> >>>>>>>> I'm not opposed to this change, but I wonder about cases like these:
> >>>>>>>>
> >>>>>>>>> +
> >>>>>>>>> +optional_policy(`
> >>>>>>>>> + asterisk_admin(sysadm_t, sysadm_r)
> >>>>>>>>> asterisk_stream_connect(sysadm_t)
> >>>>>>>>> ')
> >>
> >>>>>> I think there is still the question, should the stream connect be added
> >>>>>> to the admin interface?
> >>>>>>
> >>>>>
> >>>>> I would argue, no
> >>>>>
> >>>>> The application use to stream connect should instead be confined and
> >>>>> _admin should run that application with a domain transition instead
> >>>>>
> >>>> I think admining something and using it are not necessarily the same so
> >>>> I agree with Dominick, they should be separate.
> >>>
> >>> I also agree. The admin interfaces should have all of the rules needed
> >>> to admin the service, and that's it. If that socket connect is not
> >>> related to an admin function, then it should remain separate. I asked
> >>> the question since I was unsure why there was a stream connect.
> >>
> >> From the commit, Sven said:
> >>
> >>> Author: Sven Vermeulen
> >>> Date: Mon Oct 3 21:24:38 2011 +0200
> >>>
> >>> Allow sysadm to interact with asterisk
> >>>
> >>> When administering asterisk, one often ran command is "asterisk -r"
> >>> which yields the asterisk CLI (when the asterisk server is running). To
> >>> be able to run this, you need asterisk_stream_connect privileges.
> >>>
> >>> Assign these privileges to the sysadm_r
> >>
> >>
> >> Which tells me that the stream connect should be added to the admin
> >> interface.
> >>
> >
> > Where do you draw the line, are you now also adding all the permissions to sysadm_t that asterisk cli needs to run?
> >
> > You dont see them now because sysadm_t is virtually unconfined_t already, but i bet the app needs permissions that a normal confined shell session does not need
> >
> > why not just run the asterisk cli with a domain transition and associate these permission with at domain instead of sysadm_t?
>
> See my other email. If we further constrain sysadm_t, it may make more
> sense to do that, but at this time I don't think it's warranted.
>
>

Then it does not make sense to add all those _admin() interface calls to sysadm either in my view.

sysadm can already do all (or most of) those things at a lower level.

So it's pretty much just duplication; overhead.

--
Dominick Grift

2014-12-03 16:28:54

by Dac Override

Subject: [refpolicy] [PATCH] Add all the missing _admin interfaces to sysadm

On Wed, Dec 03, 2014 at 11:07:56AM -0500, Christopher J. PeBenito wrote:
> On 12/3/2014 10:39 AM, Dominick Grift wrote:
> > On Wed, Dec 03, 2014 at 08:56:31AM -0500, Christopher J. PeBenito
> > wrote:
> >>>>
> >>>> I'm not opposed to this change, but I wonder about cases
> >>>> like these:
> >>>>
> >>>>> + +optional_policy(` + asterisk_admin(sysadm_t, sysadm_r)
> >>>>> asterisk_stream_connect(sysadm_t) ')
> >>>>
> >>>> Since I would assume that the admin interface would already
> >>>> include the existing rule.
> >>>
> >>> Bacula_admin does indeed call _run_admin so i'll take that
> >>> away, asterisk does not call _stream_connect so that one is
> >>> correct. I will
> >>
> >> I think there is still the question, should the stream connect
> >> be added to the admin interface?
> >>
> >
> > In my opinion where refpolicy went wrong is by allowing confined
> > user domains this low level access in the first place shells do
> > not stream connect, applications do.sysadm is a strict domain and
> > so it should run the app that stream connects in the apps domain
> > with a domain transition if that makes sense.
> >
> > That is strict. Anything else is "drunken unconfined" in my view,
> > or at least a compromise.
> >
> > In my vision confined users should be strictly enforced (least
> > privilege) or at least as much as possible
>
> I understand your position, but I believe the (IMO modest) gains don't
> outweigh the additional complexity cost. In this case, if your admin
> is abusing their privileges, then there is a worse problem. I think a
> more effective confinement would be eliminating sysadm's blanket
> manage access on basically the entire filesystem. If all these admin
> interfaces work well, all that access won't be necessary.

It's not just about abuse, it's about containing processes. Programs have flaws.

If you run those programs in one big privileged domain, then those processes can affect everything else that domain has access to.

I would rather have a highly complex policy that does what it says on the label and is applicable, than a slightly less complex policy that is basically a compromise and sets a sub-optimal precedent.

Anyhow you made your point, and i made my point. Lets just agree to disagree.

--
Dominick Grift

2014-12-03 16:47:17

by cpebenito

Subject: [refpolicy] [PATCH] Add all the missing _admin interfaces to sysadm

On 12/3/2014 11:28 AM, Dominick Grift wrote:
> On Wed, Dec 03, 2014 at 11:07:56AM -0500, Christopher J. PeBenito
> wrote:
>> On 12/3/2014 10:39 AM, Dominick Grift wrote:
>>> On Wed, Dec 03, 2014 at 08:56:31AM -0500, Christopher J.
>>> PeBenito wrote:
>>>>>>
>>>>>> I'm not opposed to this change, but I wonder about cases
>>>>>> like these:
>>>>>>
>>>>>>> + +optional_policy(` + asterisk_admin(sysadm_t,
>>>>>>> sysadm_r) asterisk_stream_connect(sysadm_t) ')
>>>>>>
>>>>>> Since I would assume that the admin interface would
>>>>>> already include the existing rule.
>>>>>
>>>>> Bacula_admin does indeed call _run_admin so i'll take that
>>>>> away, asterisk does not call _stream_connect so that one
>>>>> is correct. I will
>>>>
>>>> I think there is still the question, should the stream
>>>> connect be added to the admin interface?
>>>>
>>>
>>> In my opinion where refpolicy went wrong is by allowing
>>> confined user domains this low level access in the first place
>>> shells do not stream connect, applications do.sysadm is a
>>> strict domain and so it should run the app that stream connects
>>> in the apps domain with a domain transition if that makes
>>> sense.
>>>
>>> That is strict. Anything else is "drunken unconfined" in my
>>> view, or at least a compromise.
>>>
>>> In my vision confined users should be strictly enforced (least
>>> privilege) or at least as much as possible
>>
>> I understand your position, but I believe the (IMO modest) gains
>> don't outweigh the additional complexity cost. In this case, if
>> your admin is abusing their privileges, then there is a worse
>> problem. I think a more effective confinement would be
>> eliminating sysadm's blanket manage access on basically the
>> entire filesystem. If all these admin interfaces work well, all
>> that access won't be necessary.
>
> Its not just about abuse its about containing processes. Programs
> have flaws
>
> If you run those programs in one big privileged domain than those
> processes can affect everything else it has access to.
>
> I rather have a highly complex policy that does what it say's on
> the label and is applicable, than a slighty less highly complex
> policy that is basically a compromise that sets a sub-optimal
> precedence.
>
> Anyhow you made your point, and i made my point. Lets just agree to
> disagree.

I don't think we actually disagree in the long term. I've always
wanted to remove access from sysadm_t. Once that happens, it probably
will be much more obvious and compelling to add more domains for admin
programs. Since further constraining sysadm_t is a massive change,
adding calls to the admin interfaces will be necessary to ensure
expected behavior. It's a multi-step process.


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2015-04-03 14:29:38

by mgrepl

Subject: [refpolicy] [PATCH] Add all the missing _admin interfaces to sysadm

On 12/03/2014 05:47 PM, Christopher J. PeBenito wrote:
> On 12/3/2014 11:28 AM, Dominick Grift wrote:
>> On Wed, Dec 03, 2014 at 11:07:56AM -0500, Christopher J. PeBenito
>> wrote:
>>> On 12/3/2014 10:39 AM, Dominick Grift wrote:
>>>> On Wed, Dec 03, 2014 at 08:56:31AM -0500, Christopher J.
>>>> PeBenito wrote:
>>>>>>>
>>>>>>> I'm not opposed to this change, but I wonder about cases
>>>>>>> like these:
>>>>>>>
>>>>>>>> + +optional_policy(` + asterisk_admin(sysadm_t,
>>>>>>>> sysadm_r) asterisk_stream_connect(sysadm_t) ')
>>>>>>>
>>>>>>> Since I would assume that the admin interface would
>>>>>>> already include the existing rule.
>>>>>>
>>>>>> Bacula_admin does indeed call _run_admin so i'll take that
>>>>>> away, asterisk does not call _stream_connect so that one
>>>>>> is correct. I will
>>>>>
>>>>> I think there is still the question, should the stream
>>>>> connect be added to the admin interface?
>>>>>
>>>>
>>>> In my opinion where refpolicy went wrong is by allowing
>>>> confined user domains this low level access in the first place
>>>> shells do not stream connect, applications do.sysadm is a
>>>> strict domain and so it should run the app that stream connects
>>>> in the apps domain with a domain transition if that makes
>>>> sense.
>>>>
>>>> That is strict. Anything else is "drunken unconfined" in my
>>>> view, or at least a compromise.
>>>>
>>>> In my vision confined users should be strictly enforced (least
>>>> privilege) or at least as much as possible
>>>
>>> I understand your position, but I believe the (IMO modest) gains
>>> don't outweigh the additional complexity cost. In this case, if
>>> your admin is abusing their privileges, then there is a worse
>>> problem. I think a more effective confinement would be
>>> eliminating sysadm's blanket manage access on basically the
>>> entire filesystem. If all these admin interfaces work well, all
>>> that access won't be necessary.
>>
>> Its not just about abuse its about containing processes. Programs
>> have flaws
>>
>> If you run those programs in one big privileged domain than those
>> processes can affect everything else it has access to.
>>
>> I rather have a highly complex policy that does what it say's on
>> the label and is applicable, than a slighty less highly complex
>> policy that is basically a compromise that sets a sub-optimal
>> precedence.
>>
>> Anyhow you made your point, and i made my point. Lets just agree to
>> disagree.
>
> I don't think we actually disagree in the long term. I've always
> wanted to remove access from sysadm_t. Once that happens, it probably
> will be much more obvious and compelling to add more domains for admin
> programs. Since further constraining sysadm_t is a massive change,
> adding calls to the admin interfaces will be necessary to ensure
> expected behavior. It's a multi-step process.
>
>

I believe both of you are right. But you will always have CLI tools
which need access from sysadm_t to a domain. We would need to
take care of these tools as well.

--
Miroslav Grepl
Software Engineering, SELinux Solutions
Red Hat, Inc.