2017-10-31 05:37:56

by Jason Zaman

Subject: [refpolicy] [PATCH 1/3] kerberos: Introduce kerberos_filetrans_named_content interface

---
kerberos.if | 35 +++++++++++++++++++++++++++++++++++
1 file changed, 35 insertions(+)

diff --git a/kerberos.if b/kerberos.if
index c8c5a37..8b46c1b 100644
--- a/kerberos.if
+++ b/kerberos.if
@@ -425,6 +425,41 @@ interface(`kerberos_connect_524',`

########################################
## <summary>
+## Transition to kerberos named content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kerberos_filetrans_named_content',`
+ gen_require(`
+ type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
+ type krb5kdc_principal_t;
+ ')
+
+ files_etc_filetrans($1, krb5_conf_t, file, "krb5.conf")
+ filetrans_pattern($1, krb5kdc_conf_t, krb5_keytab_t, file, "kadm5.keytab")
+ filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal")
+ filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal0")
+ filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal1")
+
+ kerberos_etc_filetrans_keytab($1, file, "krb5.keytab")
+
+ kerberos_tmp_filetrans_host_rcache($1, file, "DNS_25")
+ kerberos_tmp_filetrans_host_rcache($1, file, "host_0")
+ kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_23")
+ kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_48")
+ kerberos_tmp_filetrans_host_rcache($1, file, "imap_0")
+ kerberos_tmp_filetrans_host_rcache($1, file, "nfs_0")
+ kerberos_tmp_filetrans_host_rcache($1, file, "ldapmap1_0")
+ kerberos_tmp_filetrans_host_rcache($1, file, "ldap_487")
+ kerberos_tmp_filetrans_host_rcache($1, file, "ldap_55")
+')
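Review bot: The four `filetrans_pattern($1, krb5kdc_conf_t, ...)` calls do more than install a type transition — in refpolicy's support macros `filetrans_pattern` also expands to `allow $1 krb5kdc_conf_t:dir rw_dir_perms`, so every caller of this interface, including a client-side daemon, is given write access to the KDC configuration directory (and, through `files_etc_filetrans` on the `krb5.conf` line, to `/etc`). Splitting the KDC-side transitions (`kadm5.keytab`, `principal*`) into their own interface would let a client-only domain take just the keytab and rcache transitions without inheriting KDC directory writes. The rcache names also hard-code numeric UID suffixes (`DNS_25`, `HTTP_48`, `ldap_55`, …) that look like one distribution's static service UIDs; where those services run under different UIDs the transitions silently never match, so a comment such as `# rcache names are <service>_<uid>; the uids below are Fedora defaults` would record that assumption. The summary should mention the directory write access that comes along with the transitions.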
+
+########################################
+## <summary>
## All of the rules required to
## administrate an kerberos environment.
## </summary>
--
2.13.6


2017-10-31 05:37:57

by Jason Zaman

Subject: [refpolicy] [PATCH 2/3] gssproxy: add policy

Borrowed and modified from the Fedora policy.
---
gssproxy.fc | 8 +++
gssproxy.if | 199 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
gssproxy.te | 67 ++++++++++++++++++++
3 files changed, 274 insertions(+)
create mode 100644 gssproxy.fc
create mode 100644 gssproxy.if
create mode 100644 gssproxy.te

diff --git a/gssproxy.fc b/gssproxy.fc
new file mode 100644
index 0000000..a997015
--- /dev/null
+++ b/gssproxy.fc
@@ -0,0 +1,8 @@
+/usr/lib/systemd/system/gssproxy.service -- gen_context(system_u:object_r:gssproxy_unit_t,s0)
+
+/usr/sbin/gssproxy -- gen_context(system_u:object_r:gssproxy_exec_t,s0)
+
+/var/lib/gssproxy(/.*)? gen_context(system_u:object_r:gssproxy_var_lib_t,s0)
+
+/run/gssproxy\.pid -- gen_context(system_u:object_r:gssproxy_run_t,s0)
+/run/gssproxy\.sock -s gen_context(system_u:object_r:gssproxy_run_t,s0)
diff --git a/gssproxy.if b/gssproxy.if
new file mode 100644
index 0000000..cebdb20
--- /dev/null
+++ b/gssproxy.if
@@ -0,0 +1,199 @@
+
+## <summary>policy for gssproxy</summary>
+
+########################################
+## <summary>
+## Execute gssproxy in the gssproxy domin.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`gssproxy_domtrans',`
+ gen_require(`
+ type gssproxy_t, gssproxy_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, gssproxy_exec_t, gssproxy_t)
+')
+
+########################################
+## <summary>
+## Search gssproxy lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gssproxy_search_lib',`
+ gen_require(`
+ type gssproxy_var_lib_t;
+ ')
+
+ allow $1 gssproxy_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read gssproxy lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gssproxy_read_lib_files',`
+ gen_require(`
+ type gssproxy_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage gssproxy lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gssproxy_manage_lib_files',`
+ gen_require(`
+ type gssproxy_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage gssproxy lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gssproxy_manage_lib_dirs',`
+ gen_require(`
+ type gssproxy_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
+')
+
+########################################
+## <summary>
+## Read gssproxy PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gssproxy_read_pid_files',`
+ gen_require(`
+ type gssproxy_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, gssproxy_run_t, gssproxy_run_t)
+')
+
+########################################
+## <summary>
+## Execute gssproxy server in the gssproxy domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`gssproxy_systemctl',`
+ gen_require(`
+ type gssproxy_t;
+ type gssproxy_unit_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 gssproxy_unit_t:file read_file_perms;
+ allow $1 gssproxy_unit_t:service manage_service_perms;
+
+ ps_process_pattern($1, gssproxy_t)
+')
+
+########################################
+## <summary>
+## Connect to gssproxy over an unix
+## domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gssproxy_stream_connect',`
+ gen_require(`
+ type gssproxy_t, gssproxy_run_t, gssproxy_var_lib_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, gssproxy_run_t, gssproxy_run_t, gssproxy_t)
+ stream_connect_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t, gssproxy_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an gssproxy environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`gssproxy_admin',`
+ gen_require(`
+ type gssproxy_t;
+ type gssproxy_var_lib_t;
+ type gssproxy_run_t;
+ type gssproxy_unit_t;
+ ')
+
+ allow $1 gssproxy_t:process { ptrace signal_perms };
+ ps_process_pattern($1, gssproxy_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, gssproxy_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, gssproxy_run_t)
+
+ gssproxy_systemctl($1)
+ admin_pattern($1, gssproxy_unit_t)
+ allow $1 gssproxy_unit_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
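Review bot: `gssproxy_stream_connect` connects to sock files under `gssproxy_var_lib_t` in its second `stream_connect_pattern`, but the only search permission it adds is `files_search_pids($1)`; a caller that cannot already search `/var/lib` is denied before it reaches the socket. Add `files_search_var_lib($1)` next to `files_search_pids($1)`. `gssproxy_admin` also grants `ptrace` on `gssproxy_t`; because the daemon is given `userdom_read_all_users_keys` in gssproxy.te, a ptrace-capable admin role can presumably read every user's delegated credential material out of the process, which deserves a one-line comment in the interface so role authors know what they are handing out, e.g. `# ptrace exposes credentials gssproxy holds for all users`.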
diff --git a/gssproxy.te b/gssproxy.te
new file mode 100644
index 0000000..466c700
--- /dev/null
+++ b/gssproxy.te
@@ -0,0 +1,67 @@
+policy_module(gssproxy, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type gssproxy_t;
+type gssproxy_exec_t;
+init_daemon_domain(gssproxy_t, gssproxy_exec_t)
+
+type gssproxy_var_lib_t;
+files_type(gssproxy_var_lib_t)
+
+type gssproxy_run_t;
+files_pid_file(gssproxy_run_t)
+
+type gssproxy_unit_t;
+init_unit_file(gssproxy_unit_t)
+
+########################################
+#
+# gssproxy local policy
+#
+allow gssproxy_t self:capability { setuid setgid };
+allow gssproxy_t self:capability2 block_suspend;
+allow gssproxy_t self:fifo_file rw_fifo_file_perms;
+allow gssproxy_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
+manage_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
+manage_sock_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
+manage_lnk_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
+files_var_lib_filetrans(gssproxy_t, gssproxy_var_lib_t, { dir file lnk_file })
+
+manage_dirs_pattern(gssproxy_t, gssproxy_run_t, gssproxy_run_t)
+manage_files_pattern(gssproxy_t, gssproxy_run_t, gssproxy_run_t)
+manage_sock_files_pattern(gssproxy_t, gssproxy_run_t, gssproxy_run_t)
+manage_lnk_files_pattern(gssproxy_t, gssproxy_run_t, gssproxy_run_t)
+files_pid_filetrans(gssproxy_t, gssproxy_run_t, { dir file lnk_file sock_file })
+
+kernel_rw_rpc_sysctls(gssproxy_t)
+
+domain_use_interactive_fds(gssproxy_t)
+
+files_read_etc_files(gssproxy_t)
+
+fs_getattr_all_fs(gssproxy_t)
+
+auth_use_nsswitch(gssproxy_t)
+
+dev_read_urand(gssproxy_t)
+
+logging_send_syslog_msg(gssproxy_t)
+
+miscfiles_read_localization(gssproxy_t)
+
+userdom_read_all_users_keys(gssproxy_t)
+userdom_manage_user_tmp_dirs(gssproxy_t)
+userdom_manage_user_tmp_files(gssproxy_t)
+
+optional_policy(`
+ kerberos_filetrans_named_content(gssproxy_t)
+ kerberos_manage_host_rcache(gssproxy_t)
+ kerberos_read_keytab(gssproxy_t)
+ kerberos_use(gssproxy_t)
+')
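Review bot: `kerberos_filetrans_named_content(gssproxy_t)` pulls in the KDC-side transitions (`kadm5.keytab`, `principal*`) and, through `filetrans_pattern`, write access to the `krb5kdc_conf_t` directory and `/etc`, none of which a client-side credential proxy needs; narrowing this to `kerberos_tmp_filetrans_host_rcache(gssproxy_t, file, ...)` for the services it fronts (as rpc.te already does for `gssd_t` with `nfs_0`) keeps the daemon out of the KDC's configuration. The `setuid setgid` capabilities together with `userdom_read_all_users_keys` and `userdom_manage_user_tmp_{dirs,files}` make this domain a cross-user credential broker, so a short comment above those lines stating why they are needed (presumably to act as the requesting user and manage its `/tmp` credential cache — confirm) would document the trust placed here. `kernel_rw_rpc_sysctls` likewise warrants a comment naming the RPC sysctl it writes, since a write grant on kernel sysctls is unusual for a daemon of this kind.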
--
2.13.6

2017-10-31 05:37:58

by Jason Zaman

Subject: [refpolicy] [PATCH 3/3] rpc: Allow stream connect to gssproxy

---
rpc.te | 3 +++
1 file changed, 3 insertions(+)

diff --git a/rpc.te b/rpc.te
index 4a96ab2..baca79c 100644
--- a/rpc.te
+++ b/rpc.te
@@ -335,6 +335,9 @@ optional_policy(`
')

optional_policy(`
+ gssproxy_stream_connect(gssd_t)
+')
+optional_policy(`
kerberos_manage_host_rcache(gssd_t)
kerberos_read_keytab(gssd_t)
kerberos_tmp_filetrans_host_rcache(gssd_t, file, "nfs_0")
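Review bot: Style: the new `optional_policy` block is run directly into the existing kerberos one with no separating blank line, unlike the block boundary visible just above it; insert a blank line between `')` and `optional_policy(\``. The kerberos block that follows ends outside the hunk.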
--
2.13.6

2017-11-01 22:54:25

by Chris PeBenito

Subject: [refpolicy] [PATCH 1/3] kerberos: Introduce kerberos_filetrans_named_content interface

On 10/31/2017 01:37 AM, Jason Zaman wrote:
> ---
> kerberos.if | 35 +++++++++++++++++++++++++++++++++++
> 1 file changed, 35 insertions(+)
>
> diff --git a/kerberos.if b/kerberos.if
> index c8c5a37..8b46c1b 100644
> --- a/kerberos.if
> +++ b/kerberos.if
> @@ -425,6 +425,41 @@ interface(`kerberos_connect_524',`
>
> ########################################
> ## <summary>
> +## Transition to kerberos named content
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`kerberos_filetrans_named_content',`
> + gen_require(`
> + type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
> + type krb5kdc_principal_t;
> + ')
> +
> + files_etc_filetrans($1, krb5_conf_t, file, "krb5.conf")
> + filetrans_pattern($1, krb5kdc_conf_t, krb5_keytab_t, file, "kadm5.keytab")
> + filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal")
> + filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal0")
> + filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal1")
> +
> + kerberos_etc_filetrans_keytab($1, file, "krb5.keytab")
> +
> + kerberos_tmp_filetrans_host_rcache($1, file, "DNS_25")
> + kerberos_tmp_filetrans_host_rcache($1, file, "host_0")
> + kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_23")
> + kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_48")
> + kerberos_tmp_filetrans_host_rcache($1, file, "imap_0")
> + kerberos_tmp_filetrans_host_rcache($1, file, "nfs_0")
> + kerberos_tmp_filetrans_host_rcache($1, file, "ldapmap1_0")
> + kerberos_tmp_filetrans_host_rcache($1, file, "ldap_487")
> + kerberos_tmp_filetrans_host_rcache($1, file, "ldap_55")
> +')

Can we do something better than this? It's ugly. Are all the named
transitions really needed?


--
Chris PeBenito

2017-11-01 22:58:33

by Chris PeBenito

Subject: [refpolicy] [PATCH 2/3] gssproxy: add policy

On 10/31/2017 01:37 AM, Jason Zaman wrote:
> borrowed and modified from Fedora
> ---
> gssproxy.fc | 8 +++
> gssproxy.if | 199 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> gssproxy.te | 67 ++++++++++++++++++++
> 3 files changed, 274 insertions(+)
> create mode 100644 gssproxy.fc
> create mode 100644 gssproxy.if
> create mode 100644 gssproxy.te
>
> diff --git a/gssproxy.fc b/gssproxy.fc
> new file mode 100644
> index 0000000..a997015
> --- /dev/null
> +++ b/gssproxy.fc
> @@ -0,0 +1,8 @@
> +/usr/lib/systemd/system/gssproxy.service -- gen_context(system_u:object_r:gssproxy_unit_t,s0)
> +
> +/usr/sbin/gssproxy -- gen_context(system_u:object_r:gssproxy_exec_t,s0)
> +
> +/var/lib/gssproxy(/.*)? gen_context(system_u:object_r:gssproxy_var_lib_t,s0)
> +
> +/run/gssproxy\.pid -- gen_context(system_u:object_r:gssproxy_run_t,s0)
> +/run/gssproxy\.sock -s gen_context(system_u:object_r:gssproxy_run_t,s0)
> diff --git a/gssproxy.if b/gssproxy.if
> new file mode 100644
> index 0000000..cebdb20
> --- /dev/null
> +++ b/gssproxy.if
> @@ -0,0 +1,199 @@
> +
> +## <summary>policy for gssproxy</summary>

Need something more descriptive.


> +########################################
> +## <summary>
> +## Execute gssproxy in the gssproxy domin.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to transition.
> +## </summary>
> +## </param>
> +#
> +interface(`gssproxy_domtrans',`
> + gen_require(`
> + type gssproxy_t, gssproxy_exec_t;
> + ')
> +
> + corecmd_search_bin($1)
> + domtrans_pattern($1, gssproxy_exec_t, gssproxy_t)
> +')
> +
> +########################################
> +## <summary>
> +## Search gssproxy lib directories.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`gssproxy_search_lib',`
> + gen_require(`
> + type gssproxy_var_lib_t;
> + ')
> +
> + allow $1 gssproxy_var_lib_t:dir search_dir_perms;
> + files_search_var_lib($1)
> +')
> +
> +########################################
> +## <summary>
> +## Read gssproxy lib files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`gssproxy_read_lib_files',`
> + gen_require(`
> + type gssproxy_var_lib_t;
> + ')
> +
> + files_search_var_lib($1)
> + read_files_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
> +')
> +
> +########################################
> +## <summary>
> +## Manage gssproxy lib files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`gssproxy_manage_lib_files',`
> + gen_require(`
> + type gssproxy_var_lib_t;
> + ')
> +
> + files_search_var_lib($1)
> + manage_files_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
> +')
> +
> +########################################
> +## <summary>
> +## Manage gssproxy lib directories.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`gssproxy_manage_lib_dirs',`
> + gen_require(`
> + type gssproxy_var_lib_t;
> + ')
> +
> + files_search_var_lib($1)
> + manage_dirs_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
> +')
> +
> +########################################
> +## <summary>
> +## Read gssproxy PID files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`gssproxy_read_pid_files',`
> + gen_require(`
> + type gssproxy_run_t;
> + ')
> +
> + files_search_pids($1)
> + read_files_pattern($1, gssproxy_run_t, gssproxy_run_t)
> +')
> +
> +########################################
> +## <summary>
> +## Execute gssproxy server in the gssproxy domain.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to transition.
> +## </summary>
> +## </param>
> +#
> +interface(`gssproxy_systemctl',`
> + gen_require(`
> + type gssproxy_t;
> + type gssproxy_unit_t;
> + ')
> +
> + systemd_exec_systemctl($1)

This doesn't exist.

> + init_reload_services($1)
> + allow $1 gssproxy_unit_t:file read_file_perms;
> + allow $1 gssproxy_unit_t:service manage_service_perms;
> +
> + ps_process_pattern($1, gssproxy_t)
> +')

This interface needs to be broken up into 3 or 4.

> +########################################
> +## <summary>
> +## Connect to gssproxy over an unix
> +## domain stream socket.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`gssproxy_stream_connect',`
> + gen_require(`
> + type gssproxy_t, gssproxy_run_t, gssproxy_var_lib_t;
> + ')
> +
> + files_search_pids($1)
> + stream_connect_pattern($1, gssproxy_run_t, gssproxy_run_t, gssproxy_t)
> + stream_connect_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t, gssproxy_t)
> +')
> +
> +########################################
> +## <summary>
> +## All of the rules required to administrate
> +## an gssproxy environment
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`gssproxy_admin',`
> + gen_require(`
> + type gssproxy_t;
> + type gssproxy_var_lib_t;
> + type gssproxy_run_t;
> + type gssproxy_unit_t;
> + ')
> +
> + allow $1 gssproxy_t:process { ptrace signal_perms };
> + ps_process_pattern($1, gssproxy_t)
> +
> + files_search_var_lib($1)
> + admin_pattern($1, gssproxy_var_lib_t)
> +
> + files_search_pids($1)
> + admin_pattern($1, gssproxy_run_t)
> +
> + gssproxy_systemctl($1)
> + admin_pattern($1, gssproxy_unit_t)
> + allow $1 gssproxy_unit_t:service all_service_perms;
> + optional_policy(`
> + systemd_passwd_agent_exec($1)
> + systemd_read_fifo_file_passwd_run($1)

More invalid interface usage.

> + ')
> +')
> diff --git a/gssproxy.te b/gssproxy.te
> new file mode 100644
> index 0000000..466c700
> --- /dev/null
> +++ b/gssproxy.te
> @@ -0,0 +1,67 @@
> +policy_module(gssproxy, 1.0.0)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +type gssproxy_t;
> +type gssproxy_exec_t;
> +init_daemon_domain(gssproxy_t, gssproxy_exec_t)
> +
> +type gssproxy_var_lib_t;
> +files_type(gssproxy_var_lib_t)
> +
> +type gssproxy_run_t;
> +files_pid_file(gssproxy_run_t)
> +
> +type gssproxy_unit_t;
> +init_unit_file(gssproxy_unit_t)
> +
> +########################################
> +#
> +# gssproxy local policy
> +#
> +allow gssproxy_t self:capability { setuid setgid };
> +allow gssproxy_t self:capability2 block_suspend;
> +allow gssproxy_t self:fifo_file rw_fifo_file_perms;
> +allow gssproxy_t self:unix_stream_socket create_stream_socket_perms;
> +
> +manage_dirs_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
> +manage_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
> +manage_sock_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
> +manage_lnk_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
> +files_var_lib_filetrans(gssproxy_t, gssproxy_var_lib_t, { dir file lnk_file })
> +
> +manage_dirs_pattern(gssproxy_t, gssproxy_run_t, gssproxy_run_t)
> +manage_files_pattern(gssproxy_t, gssproxy_run_t, gssproxy_run_t)
> +manage_sock_files_pattern(gssproxy_t, gssproxy_run_t, gssproxy_run_t)
> +manage_lnk_files_pattern(gssproxy_t, gssproxy_run_t, gssproxy_run_t)
> +files_pid_filetrans(gssproxy_t, gssproxy_run_t, { dir file lnk_file sock_file })
> +
> +kernel_rw_rpc_sysctls(gssproxy_t)
> +
> +domain_use_interactive_fds(gssproxy_t)
> +
> +files_read_etc_files(gssproxy_t)
> +
> +fs_getattr_all_fs(gssproxy_t)
> +
> +auth_use_nsswitch(gssproxy_t)
> +
> +dev_read_urand(gssproxy_t)
> +
> +logging_send_syslog_msg(gssproxy_t)
> +
> +miscfiles_read_localization(gssproxy_t)
> +
> +userdom_read_all_users_keys(gssproxy_t)
> +userdom_manage_user_tmp_dirs(gssproxy_t)
> +userdom_manage_user_tmp_files(gssproxy_t)
> +
> +optional_policy(`
> + kerberos_filetrans_named_content(gssproxy_t)
> + kerberos_manage_host_rcache(gssproxy_t)
> + kerberos_read_keytab(gssproxy_t)
> + kerberos_use(gssproxy_t)
> +')
>


--
Chris PeBenito

2017-11-02 11:08:20

by Jason Zaman

Subject: [refpolicy] [PATCH 1/3] kerberos: Introduce kerberos_filetrans_named_content interface

On Wed, Nov 01, 2017 at 06:54:25PM -0400, Chris PeBenito wrote:
> On 10/31/2017 01:37 AM, Jason Zaman wrote:
> > ---
> > kerberos.if | 35 +++++++++++++++++++++++++++++++++++
> > 1 file changed, 35 insertions(+)
> >
> > diff --git a/kerberos.if b/kerberos.if
> > index c8c5a37..8b46c1b 100644
> > --- a/kerberos.if
> > +++ b/kerberos.if
> > @@ -425,6 +425,41 @@ interface(`kerberos_connect_524',`
> >
> > ########################################
> > ## <summary>
> > +## Transition to kerberos named content
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`kerberos_filetrans_named_content',`
> > + gen_require(`
> > + type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
> > + type krb5kdc_principal_t;
> > + ')
> > +
> > + files_etc_filetrans($1, krb5_conf_t, file, "krb5.conf")
> > + filetrans_pattern($1, krb5kdc_conf_t, krb5_keytab_t, file, "kadm5.keytab")
> > + filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal")
> > + filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal0")
> > + filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal1")
> > +
> > + kerberos_etc_filetrans_keytab($1, file, "krb5.keytab")
> > +
> > + kerberos_tmp_filetrans_host_rcache($1, file, "DNS_25")
> > + kerberos_tmp_filetrans_host_rcache($1, file, "host_0")
> > + kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_23")
> > + kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_48")
> > + kerberos_tmp_filetrans_host_rcache($1, file, "imap_0")
> > + kerberos_tmp_filetrans_host_rcache($1, file, "nfs_0")
> > + kerberos_tmp_filetrans_host_rcache($1, file, "ldapmap1_0")
> > + kerberos_tmp_filetrans_host_rcache($1, file, "ldap_487")
> > + kerberos_tmp_filetrans_host_rcache($1, file, "ldap_55")
> > +')
>
> Can we do something better than this? It's ugly. Are all the named
> transitions really needed?

There are actually a few similar things around in the NFS and kerberos
modules. It is kind of ugly, though, yeah. I'll take a look at all the places
they're done and see if I can make them all the same and a bit less
ugly. It likely won't be that much better, though, since NFS and kerberos like
to put stuff in /tmp a lot.

2017-11-02 11:23:03

by Jason Zaman

Subject: [refpolicy] [PATCH 2/3] gssproxy: add policy

On Wed, Nov 01, 2017 at 06:58:33PM -0400, Chris PeBenito wrote:
> On 10/31/2017 01:37 AM, Jason Zaman wrote:
> > borrowed and modified from Fedora
> > ---
> > gssproxy.fc | 8 +++
> > gssproxy.if | 199 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> > gssproxy.te | 67 ++++++++++++++++++++
> > 3 files changed, 274 insertions(+)
> > create mode 100644 gssproxy.fc
> > create mode 100644 gssproxy.if
> > create mode 100644 gssproxy.te
> >
> > diff --git a/gssproxy.fc b/gssproxy.fc
> > new file mode 100644
> > index 0000000..a997015
> > --- /dev/null
> > +++ b/gssproxy.fc
> > @@ -0,0 +1,8 @@
> > +/usr/lib/systemd/system/gssproxy.service -- gen_context(system_u:object_r:gssproxy_unit_t,s0)
> > +
> > +/usr/sbin/gssproxy -- gen_context(system_u:object_r:gssproxy_exec_t,s0)
> > +
> > +/var/lib/gssproxy(/.*)? gen_context(system_u:object_r:gssproxy_var_lib_t,s0)
> > +
> > +/run/gssproxy\.pid -- gen_context(system_u:object_r:gssproxy_run_t,s0)
> > +/run/gssproxy\.sock -s gen_context(system_u:object_r:gssproxy_run_t,s0)
> > diff --git a/gssproxy.if b/gssproxy.if
> > new file mode 100644
> > index 0000000..cebdb20
> > --- /dev/null
> > +++ b/gssproxy.if
> > @@ -0,0 +1,199 @@
> > +
> > +## <summary>policy for gssproxy</summary>
>
> Need something more descriptive.
>
>
> > +########################################
> > +## <summary>
> > +## Execute gssproxy in the gssproxy domin.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed to transition.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`gssproxy_domtrans',`
> > + gen_require(`
> > + type gssproxy_t, gssproxy_exec_t;
> > + ')
> > +
> > + corecmd_search_bin($1)
> > + domtrans_pattern($1, gssproxy_exec_t, gssproxy_t)
> > +')
> > +
> > +########################################
> > +## <summary>
> > +## Search gssproxy lib directories.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`gssproxy_search_lib',`
> > + gen_require(`
> > + type gssproxy_var_lib_t;
> > + ')
> > +
> > + allow $1 gssproxy_var_lib_t:dir search_dir_perms;
> > + files_search_var_lib($1)
> > +')
> > +
> > +########################################
> > +## <summary>
> > +## Read gssproxy lib files.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`gssproxy_read_lib_files',`
> > + gen_require(`
> > + type gssproxy_var_lib_t;
> > + ')
> > +
> > + files_search_var_lib($1)
> > + read_files_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
> > +')
> > +
> > +########################################
> > +## <summary>
> > +## Manage gssproxy lib files.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`gssproxy_manage_lib_files',`
> > + gen_require(`
> > + type gssproxy_var_lib_t;
> > + ')
> > +
> > + files_search_var_lib($1)
> > + manage_files_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
> > +')
> > +
> > +########################################
> > +## <summary>
> > +## Manage gssproxy lib directories.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`gssproxy_manage_lib_dirs',`
> > + gen_require(`
> > + type gssproxy_var_lib_t;
> > + ')
> > +
> > + files_search_var_lib($1)
> > + manage_dirs_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
> > +')
> > +
> > +########################################
> > +## <summary>
> > +## Read gssproxy PID files.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`gssproxy_read_pid_files',`
> > + gen_require(`
> > + type gssproxy_run_t;
> > + ')
> > +
> > + files_search_pids($1)
> > + read_files_pattern($1, gssproxy_run_t, gssproxy_run_t)
> > +')
> > +
> > +########################################
> > +## <summary>
> > +## Execute gssproxy server in the gssproxy domain.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed to transition.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`gssproxy_systemctl',`
> > + gen_require(`
> > + type gssproxy_t;
> > + type gssproxy_unit_t;
> > + ')
> > +
> > + systemd_exec_systemctl($1)
>
> This doesn't exist.
>
> > + init_reload_services($1)
> > + allow $1 gssproxy_unit_t:file read_file_perms;
> > + allow $1 gssproxy_unit_t:service manage_service_perms;
> > +
> > + ps_process_pattern($1, gssproxy_t)
> > +')
>
> This interface needs to be broken up into 3 or 4.

Hmm. I don't actually use systemd, so I'll just drop these completely for
now, I guess, since I'm not really sure what they should be and these were
from Fedora.

It's weird that travis-ci didn't catch these unknown interfaces with
WERROR set. I'll double check them all again then.
>
> > +########################################
> > +## <summary>
> > +## Connect to gssproxy over an unix
> > +## domain stream socket.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`gssproxy_stream_connect',`
> > + gen_require(`
> > + type gssproxy_t, gssproxy_run_t, gssproxy_var_lib_t;
> > + ')
> > +
> > + files_search_pids($1)
> > + stream_connect_pattern($1, gssproxy_run_t, gssproxy_run_t, gssproxy_t)
> > + stream_connect_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t, gssproxy_t)
> > +')
> > +
> > +########################################
> > +## <summary>
> > +## All of the rules required to administrate
> > +## an gssproxy environment
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +## <rolecap/>
> > +#
> > +interface(`gssproxy_admin',`
> > + gen_require(`
> > + type gssproxy_t;
> > + type gssproxy_var_lib_t;
> > + type gssproxy_run_t;
> > + type gssproxy_unit_t;
> > + ')
> > +
> > + allow $1 gssproxy_t:process { ptrace signal_perms };
> > + ps_process_pattern($1, gssproxy_t)
> > +
> > + files_search_var_lib($1)
> > + admin_pattern($1, gssproxy_var_lib_t)
> > +
> > + files_search_pids($1)
> > + admin_pattern($1, gssproxy_run_t)
> > +
> > + gssproxy_systemctl($1)
> > + admin_pattern($1, gssproxy_unit_t)
> > + allow $1 gssproxy_unit_t:service all_service_perms;
> > + optional_policy(`
> > + systemd_passwd_agent_exec($1)
> > + systemd_read_fifo_file_passwd_run($1)
>
> More invalid interface usage.
>
> > + ')
> > +')
> > diff --git a/gssproxy.te b/gssproxy.te
> > new file mode 100644
> > index 0000000..466c700
> > --- /dev/null
> > +++ b/gssproxy.te
> > @@ -0,0 +1,67 @@
> > +policy_module(gssproxy, 1.0.0)
> > +
> > +########################################
> > +#
> > +# Declarations
> > +#
> > +
> > +type gssproxy_t;
> > +type gssproxy_exec_t;
> > +init_daemon_domain(gssproxy_t, gssproxy_exec_t)
> > +
> > +type gssproxy_var_lib_t;
> > +files_type(gssproxy_var_lib_t)
> > +
> > +type gssproxy_run_t;
> > +files_pid_file(gssproxy_run_t)
> > +
> > +type gssproxy_unit_t;
> > +init_unit_file(gssproxy_unit_t)
> > +
> > +########################################
> > +#
> > +# gssproxy local policy
> > +#
> > +allow gssproxy_t self:capability { setuid setgid };
> > +allow gssproxy_t self:capability2 block_suspend;
> > +allow gssproxy_t self:fifo_file rw_fifo_file_perms;
> > +allow gssproxy_t self:unix_stream_socket create_stream_socket_perms;
> > +
> > +manage_dirs_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
> > +manage_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
> > +manage_sock_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
> > +manage_lnk_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
> > +files_var_lib_filetrans(gssproxy_t, gssproxy_var_lib_t, { dir file lnk_file })
> > +
> > +manage_dirs_pattern(gssproxy_t, gssproxy_run_t, gssproxy_run_t)
> > +manage_files_pattern(gssproxy_t, gssproxy_run_t, gssproxy_run_t)
> > +manage_sock_files_pattern(gssproxy_t, gssproxy_run_t, gssproxy_run_t)
> > +manage_lnk_files_pattern(gssproxy_t, gssproxy_run_t, gssproxy_run_t)
> > +files_pid_filetrans(gssproxy_t, gssproxy_run_t, { dir file lnk_file sock_file })
> > +
> > +kernel_rw_rpc_sysctls(gssproxy_t)
> > +
> > +domain_use_interactive_fds(gssproxy_t)
> > +
> > +files_read_etc_files(gssproxy_t)
> > +
> > +fs_getattr_all_fs(gssproxy_t)
> > +
> > +auth_use_nsswitch(gssproxy_t)
> > +
> > +dev_read_urand(gssproxy_t)
> > +
> > +logging_send_syslog_msg(gssproxy_t)
> > +
> > +miscfiles_read_localization(gssproxy_t)
> > +
> > +userdom_read_all_users_keys(gssproxy_t)
> > +userdom_manage_user_tmp_dirs(gssproxy_t)
> > +userdom_manage_user_tmp_files(gssproxy_t)
> > +
> > +optional_policy(`
> > + kerberos_filetrans_named_content(gssproxy_t)
> > + kerberos_manage_host_rcache(gssproxy_t)
> > + kerberos_read_keytab(gssproxy_t)
> > + kerberos_use(gssproxy_t)
> > +')
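Review bot: The pid and var_lib transitions at `files_pid_filetrans(gssproxy_t, gssproxy_run_t, { dir file lnk_file sock_file })` and `files_var_lib_filetrans(gssproxy_t, gssproxy_var_lib_t, { dir file lnk_file })` are unnamed, so any object gssproxy_t creates directly in /run or /var/lib picks up the gssproxy type, not only the two objects the .fc in this patch declares. With the .fc naming exactly /run/gssproxy.pid and /run/gssproxy.sock, the /run rule can be pinned: `files_pid_filetrans(gssproxy_t, gssproxy_run_t, file, "gssproxy.pid")` and `files_pid_filetrans(gssproxy_t, gssproxy_run_t, sock_file, "gssproxy.sock")`. The dir and lnk_file classes in that rule match nothing in the .fc and look like Fedora carry-over; I'd drop them unless an audit log shows gssproxy creating such objects. Likewise the var_lib rule only needs `dir, "gssproxy"` if the daemon creates /var/lib/gssproxy itself rather than the package doing so.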
> >
>
>
> --
> Chris PeBenito

2017-11-02 11:26:40

by Dac Override

Subject: [refpolicy] [PATCH 2/3] gssproxy: add policy

On Thu, Nov 02, 2017 at 07:23:03PM +0800, Jason Zaman via refpolicy wrote:
> On Wed, Nov 01, 2017 at 06:58:33PM -0400, Chris PeBenito wrote:
> > On 10/31/2017 01:37 AM, Jason Zaman wrote:
> > > borrowed and modified from Fedora
> > > ---
> > > gssproxy.fc | 8 +++
> > > gssproxy.if | 199 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> > > gssproxy.te | 67 ++++++++++++++++++++
> > > 3 files changed, 274 insertions(+)
> > > create mode 100644 gssproxy.fc
> > > create mode 100644 gssproxy.if
> > > create mode 100644 gssproxy.te
> > >
> > > diff --git a/gssproxy.fc b/gssproxy.fc
> > > new file mode 100644
> > > index 0000000..a997015
> > > --- /dev/null
> > > +++ b/gssproxy.fc
> > > @@ -0,0 +1,8 @@
> > > +/usr/lib/systemd/system/gssproxy.service -- gen_context(system_u:object_r:gssproxy_unit_t,s0)
> > > +
> > > +/usr/sbin/gssproxy -- gen_context(system_u:object_r:gssproxy_exec_t,s0)
> > > +
> > > +/var/lib/gssproxy(/.*)? gen_context(system_u:object_r:gssproxy_var_lib_t,s0)
> > > +
> > > +/run/gssproxy\.pid -- gen_context(system_u:object_r:gssproxy_run_t,s0)
> > > +/run/gssproxy\.sock -s gen_context(system_u:object_r:gssproxy_run_t,s0)
> > > diff --git a/gssproxy.if b/gssproxy.if
> > > new file mode 100644
> > > index 0000000..cebdb20
> > > --- /dev/null
> > > +++ b/gssproxy.if
> > > @@ -0,0 +1,199 @@
> > > +
> > > +## <summary>policy for gssproxy</summary>
> >
> > Need something more descriptive.
> >
> >
> > > +########################################
> > > +## <summary>
> > > +## Execute gssproxy in the gssproxy domin.
> > > +## </summary>
> > > +## <param name="domain">
> > > +## <summary>
> > > +## Domain allowed to transition.
> > > +## </summary>
> > > +## </param>
> > > +#
> > > +interface(`gssproxy_domtrans',`
> > > + gen_require(`
> > > + type gssproxy_t, gssproxy_exec_t;
> > > + ')
> > > +
> > > + corecmd_search_bin($1)
> > > + domtrans_pattern($1, gssproxy_exec_t, gssproxy_t)
> > > +')
> > > +
> > > +########################################
> > > +## <summary>
> > > +## Search gssproxy lib directories.
> > > +## </summary>
> > > +## <param name="domain">
> > > +## <summary>
> > > +## Domain allowed access.
> > > +## </summary>
> > > +## </param>
> > > +#
> > > +interface(`gssproxy_search_lib',`
> > > + gen_require(`
> > > + type gssproxy_var_lib_t;
> > > + ')
> > > +
> > > + allow $1 gssproxy_var_lib_t:dir search_dir_perms;
> > > + files_search_var_lib($1)
> > > +')
> > > +
> > > +########################################
> > > +## <summary>
> > > +## Read gssproxy lib files.
> > > +## </summary>
> > > +## <param name="domain">
> > > +## <summary>
> > > +## Domain allowed access.
> > > +## </summary>
> > > +## </param>
> > > +#
> > > +interface(`gssproxy_read_lib_files',`
> > > + gen_require(`
> > > + type gssproxy_var_lib_t;
> > > + ')
> > > +
> > > + files_search_var_lib($1)
> > > + read_files_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
> > > +')
> > > +
> > > +########################################
> > > +## <summary>
> > > +## Manage gssproxy lib files.
> > > +## </summary>
> > > +## <param name="domain">
> > > +## <summary>
> > > +## Domain allowed access.
> > > +## </summary>
> > > +## </param>
> > > +#
> > > +interface(`gssproxy_manage_lib_files',`
> > > + gen_require(`
> > > + type gssproxy_var_lib_t;
> > > + ')
> > > +
> > > + files_search_var_lib($1)
> > > + manage_files_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
> > > +')
> > > +
> > > +########################################
> > > +## <summary>
> > > +## Manage gssproxy lib directories.
> > > +## </summary>
> > > +## <param name="domain">
> > > +## <summary>
> > > +## Domain allowed access.
> > > +## </summary>
> > > +## </param>
> > > +#
> > > +interface(`gssproxy_manage_lib_dirs',`
> > > + gen_require(`
> > > + type gssproxy_var_lib_t;
> > > + ')
> > > +
> > > + files_search_var_lib($1)
> > > + manage_dirs_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
> > > +')
> > > +
> > > +########################################
> > > +## <summary>
> > > +## Read gssproxy PID files.
> > > +## </summary>
> > > +## <param name="domain">
> > > +## <summary>
> > > +## Domain allowed access.
> > > +## </summary>
> > > +## </param>
> > > +#
> > > +interface(`gssproxy_read_pid_files',`
> > > + gen_require(`
> > > + type gssproxy_run_t;
> > > + ')
> > > +
> > > + files_search_pids($1)
> > > + read_files_pattern($1, gssproxy_run_t, gssproxy_run_t)
> > > +')
> > > +
> > > +########################################
> > > +## <summary>
> > > +## Execute gssproxy server in the gssproxy domain.
> > > +## </summary>
> > > +## <param name="domain">
> > > +## <summary>
> > > +## Domain allowed to transition.
> > > +## </summary>
> > > +## </param>
> > > +#
> > > +interface(`gssproxy_systemctl',`
> > > + gen_require(`
> > > + type gssproxy_t;
> > > + type gssproxy_unit_t;
> > > + ')
> > > +
> > > + systemd_exec_systemctl($1)
> >
> > This doesn't exist.
> >
> > > + init_reload_services($1)
> > > + allow $1 gssproxy_unit_t:file read_file_perms;
> > > + allow $1 gssproxy_unit_t:service manage_service_perms;
> > > +
> > > + ps_process_pattern($1, gssproxy_t)
> > > +')
> >
> > This interface needs to be broken up into 3 or 4.
>
> Hmm. I dont actually use systemd so i'll just drop these completely for
> now i guess since im not really sure what they should be and these were
> from fedora.
>
> Its weird that travis-ci didnt catch these unknown interfaces with
> WERROR set. I'll double check them all again then.

It would have caught it if you had called the interface, for example: gssproxy_admin(sysadm_t)

The point is that if the interfaces aren't called, then they aren't checked either.

> >
> > > +########################################
> > > +## <summary>
> > > +## Connect to gssproxy over an unix
> > > +## domain stream socket.
> > > +## </summary>
> > > +## <param name="domain">
> > > +## <summary>
> > > +## Domain allowed access.
> > > +## </summary>
> > > +## </param>
> > > +#
> > > +interface(`gssproxy_stream_connect',`
> > > + gen_require(`
> > > + type gssproxy_t, gssproxy_run_t, gssproxy_var_lib_t;
> > > + ')
> > > +
> > > + files_search_pids($1)
> > > + stream_connect_pattern($1, gssproxy_run_t, gssproxy_run_t, gssproxy_t)
> > > + stream_connect_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t, gssproxy_t)
> > > +')
> > > +
> > > +########################################
> > > +## <summary>
> > > +## All of the rules required to administrate
> > > +## an gssproxy environment
> > > +## </summary>
> > > +## <param name="domain">
> > > +## <summary>
> > > +## Domain allowed access.
> > > +## </summary>
> > > +## </param>
> > > +## <rolecap/>
> > > +#
> > > +interface(`gssproxy_admin',`
> > > + gen_require(`
> > > + type gssproxy_t;
> > > + type gssproxy_var_lib_t;
> > > + type gssproxy_run_t;
> > > + type gssproxy_unit_t;
> > > + ')
> > > +
> > > + allow $1 gssproxy_t:process { ptrace signal_perms };
> > > + ps_process_pattern($1, gssproxy_t)
> > > +
> > > + files_search_var_lib($1)
> > > + admin_pattern($1, gssproxy_var_lib_t)
> > > +
> > > + files_search_pids($1)
> > > + admin_pattern($1, gssproxy_run_t)
> > > +
> > > + gssproxy_systemctl($1)
> > > + admin_pattern($1, gssproxy_unit_t)
> > > + allow $1 gssproxy_unit_t:service all_service_perms;
> > > + optional_policy(`
> > > + systemd_passwd_agent_exec($1)
> > > + systemd_read_fifo_file_passwd_run($1)
> >
> > More invalid interface usage.
> >
> > > + ')
> > > +')
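Review bot: `gssproxy_stream_connect` grants a connect path through gssproxy_var_lib_t sock files but only calls `files_search_pids($1)`, so a caller reaching a socket under /var/lib/gssproxy still lacks search on var_lib_t unless it already has it from elsewhere, leaving the second stream_connect_pattern line ineffective for most domains. Add `files_search_var_lib($1)` beside `files_search_pids($1)`, or, if gssproxy in practice listens on only one of the two locations, keep just that pattern so callers are not granted a second socket path they never use. Minor: the gssproxy_domtrans summary reads "gssproxy domin"; `## Execute gssproxy in the gssproxy domain.`.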
> > > diff --git a/gssproxy.te b/gssproxy.te
> > > new file mode 100644
> > > index 0000000..466c700
> > > --- /dev/null
> > > +++ b/gssproxy.te
> > > @@ -0,0 +1,67 @@
> > > +policy_module(gssproxy, 1.0.0)
> > > +
> > > +########################################
> > > +#
> > > +# Declarations
> > > +#
> > > +
> > > +type gssproxy_t;
> > > +type gssproxy_exec_t;
> > > +init_daemon_domain(gssproxy_t, gssproxy_exec_t)
> > > +
> > > +type gssproxy_var_lib_t;
> > > +files_type(gssproxy_var_lib_t)
> > > +
> > > +type gssproxy_run_t;
> > > +files_pid_file(gssproxy_run_t)
> > > +
> > > +type gssproxy_unit_t;
> > > +init_unit_file(gssproxy_unit_t)
> > > +
> > > +########################################
> > > +#
> > > +# gssproxy local policy
> > > +#
> > > +allow gssproxy_t self:capability { setuid setgid };
> > > +allow gssproxy_t self:capability2 block_suspend;
> > > +allow gssproxy_t self:fifo_file rw_fifo_file_perms;
> > > +allow gssproxy_t self:unix_stream_socket create_stream_socket_perms;
> > > +
> > > +manage_dirs_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
> > > +manage_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
> > > +manage_sock_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
> > > +manage_lnk_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
> > > +files_var_lib_filetrans(gssproxy_t, gssproxy_var_lib_t, { dir file lnk_file })
> > > +
> > > +manage_dirs_pattern(gssproxy_t, gssproxy_run_t, gssproxy_run_t)
> > > +manage_files_pattern(gssproxy_t, gssproxy_run_t, gssproxy_run_t)
> > > +manage_sock_files_pattern(gssproxy_t, gssproxy_run_t, gssproxy_run_t)
> > > +manage_lnk_files_pattern(gssproxy_t, gssproxy_run_t, gssproxy_run_t)
> > > +files_pid_filetrans(gssproxy_t, gssproxy_run_t, { dir file lnk_file sock_file })
> > > +
> > > +kernel_rw_rpc_sysctls(gssproxy_t)
> > > +
> > > +domain_use_interactive_fds(gssproxy_t)
> > > +
> > > +files_read_etc_files(gssproxy_t)
> > > +
> > > +fs_getattr_all_fs(gssproxy_t)
> > > +
> > > +auth_use_nsswitch(gssproxy_t)
> > > +
> > > +dev_read_urand(gssproxy_t)
> > > +
> > > +logging_send_syslog_msg(gssproxy_t)
> > > +
> > > +miscfiles_read_localization(gssproxy_t)
> > > +
> > > +userdom_read_all_users_keys(gssproxy_t)
> > > +userdom_manage_user_tmp_dirs(gssproxy_t)
> > > +userdom_manage_user_tmp_files(gssproxy_t)
> > > +
> > > +optional_policy(`
> > > + kerberos_filetrans_named_content(gssproxy_t)
> > > + kerberos_manage_host_rcache(gssproxy_t)
> > > + kerberos_read_keytab(gssproxy_t)
> > > + kerberos_use(gssproxy_t)
> > > +')
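Review bot: `userdom_manage_user_tmp_dirs(gssproxy_t)` and `userdom_manage_user_tmp_files(gssproxy_t)` let the daemon create, rename and delete every user's tmp content, which is far more than is needed to read FILE: credential caches, and together with `userdom_read_all_users_keys(gssproxy_t)` they put every user's Kerberos credentials on the host within reach of this one domain. If gssproxy only reads caches, a read interface such as `userdom_read_user_tmp_files(gssproxy_t)` with the matching dir search should suffice; if it does write caches on users' behalf (the setuid/setgid capabilities above hint at impersonation), a one-line comment such as `# writes user ccaches when acting on a user's behalf` above the manage rules would justify the grant. These lines are Fedora carry-over per the cover text, so confirming them against an audit log from a refpolicy system before merge is worthwhile.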
> > >
> >
> >
> > --
> > Chris PeBenito

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift

2017-11-02 17:32:58

by Jason Zaman

Subject: [refpolicy] [PATCH 1/3] kerberos: Introduce kerberos_filetrans_named_content interface

On Wed, Nov 01, 2017 at 06:54:25PM -0400, Chris PeBenito wrote:
> On 10/31/2017 01:37 AM, Jason Zaman wrote:
> > ---
> > kerberos.if | 35 +++++++++++++++++++++++++++++++++++
> > 1 file changed, 35 insertions(+)
> >
> > diff --git a/kerberos.if b/kerberos.if
> > index c8c5a37..8b46c1b 100644
> > --- a/kerberos.if
> > +++ b/kerberos.if
> > @@ -425,6 +425,41 @@ interface(`kerberos_connect_524',`
> >
> > ########################################
> > ## <summary>
> > +## Transition to kerberos named content
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`kerberos_filetrans_named_content',`
> > + gen_require(`
> > + type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
> > + type krb5kdc_principal_t;
> > + ')
> > +
> > + files_etc_filetrans($1, krb5_conf_t, file, "krb5.conf")
> > + filetrans_pattern($1, krb5kdc_conf_t, krb5_keytab_t, file, "kadm5.keytab")
> > + filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal")
> > + filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal0")
> > + filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal1")
> > +
> > + kerberos_etc_filetrans_keytab($1, file, "krb5.keytab")
> > +
> > + kerberos_tmp_filetrans_host_rcache($1, file, "DNS_25")
> > + kerberos_tmp_filetrans_host_rcache($1, file, "host_0")
> > + kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_23")
> > + kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_48")
> > + kerberos_tmp_filetrans_host_rcache($1, file, "imap_0")
> > + kerberos_tmp_filetrans_host_rcache($1, file, "nfs_0")
> > + kerberos_tmp_filetrans_host_rcache($1, file, "ldapmap1_0")
> > + kerberos_tmp_filetrans_host_rcache($1, file, "ldap_487")
> > + kerberos_tmp_filetrans_host_rcache($1, file, "ldap_55")
> > +')
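Review bot: The summary says the interface transitions named content, but each `filetrans_pattern` and `files_etc_filetrans` line also hands the caller write access to the parent directory type (in refpolicy's misc_patterns.spt filetrans_pattern expands to rw_dir_perms on the dir type; worth confirming against the tree this targets), so any domain passed in can add and remove names in /etc and in krb5kdc_conf_t directories. The only caller in this series is gssproxy_t, a client-side daemon, yet the KDC-only names (`kadm5.keytab`, `principal`, `principal0`, `principal1`) are bundled with the client-side ones, giving the proxy write access to the KDC configuration directory it has no reason to touch. If the interface returns, split it into a client variant (krb5.conf, krb5.keytab, the rcache names) and a KDC variant, and state the directory access in the summary, e.g. `## Create kerberos named content with the correct type; grants write access to the parent /etc and KDC config directories.`. The rcache entries are also a fixed list of service_port names, so a domain creating a cache for another service still needs a new entry; a sentence in the summary saying so would save the next caller a hunt.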
>
> Can we do something better than this? It's ugly. Are all the named
> transitions really needed?

Turns out they aren't needed for my use case when I just tested again. I
dropped the whole thing and will add these filetrans rules if I run into
issues later.

-- Jason
>
>
> --
> Chris PeBenito