2017-11-02 17:31:19

by Jason Zaman

Subject: [refpolicy] [PATCH 1/3] gssproxy: add policy

borrowed and modified from Fedora
---
gssproxy.fc | 8 +++
gssproxy.if | 168 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
gssproxy.te | 66 ++++++++++++++++++++++++
3 files changed, 242 insertions(+)
create mode 100644 gssproxy.fc
create mode 100644 gssproxy.if
create mode 100644 gssproxy.te

diff --git a/gssproxy.fc b/gssproxy.fc
new file mode 100644
index 0000000..a997015
--- /dev/null
+++ b/gssproxy.fc
@@ -0,0 +1,8 @@
+/usr/lib/systemd/system/gssproxy.service -- gen_context(system_u:object_r:gssproxy_unit_t,s0)
+
+/usr/sbin/gssproxy -- gen_context(system_u:object_r:gssproxy_exec_t,s0)
+
+/var/lib/gssproxy(/.*)? gen_context(system_u:object_r:gssproxy_var_lib_t,s0)
+
+/run/gssproxy\.pid -- gen_context(system_u:object_r:gssproxy_run_t,s0)
+/run/gssproxy\.sock -s gen_context(system_u:object_r:gssproxy_run_t,s0)
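Review bot: The two runtime entries on the last two lines are written under `/run/`, a prefix the rest of refpolicy's file contexts avoid; at this point the tree spells these paths `/var/run/` and relies on `file_contexts.subs_dist` to fold `/run` onto it, so entries written directly under `/run/` are unlikely to be matched at labeling time. Spell them `/var/run/gssproxy\.pid -- gen_context(system_u:object_r:gssproxy_run_t,s0)` and `/var/run/gssproxy\.sock -s gen_context(system_u:object_r:gssproxy_run_t,s0)`, as the other modules do. The substitution direction should be confirmed against the tree's current subs_dist before merging.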
diff --git a/gssproxy.if b/gssproxy.if
new file mode 100644
index 0000000..1f8a446
--- /dev/null
+++ b/gssproxy.if
@@ -0,0 +1,168 @@
+## <summary>policy for gssproxy - daemon to proxy GSSAPI context establishment and channel handling</summary>
+
+########################################
+## <summary>
+## Execute gssproxy in the gssproxy domin.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`gssproxy_domtrans',`
+ gen_require(`
+ type gssproxy_t, gssproxy_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, gssproxy_exec_t, gssproxy_t)
+')
+
+########################################
+## <summary>
+## Search gssproxy lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gssproxy_search_lib',`
+ gen_require(`
+ type gssproxy_var_lib_t;
+ ')
+
+ allow $1 gssproxy_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read gssproxy lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gssproxy_read_lib_files',`
+ gen_require(`
+ type gssproxy_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage gssproxy lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gssproxy_manage_lib_files',`
+ gen_require(`
+ type gssproxy_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage gssproxy lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gssproxy_manage_lib_dirs',`
+ gen_require(`
+ type gssproxy_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
+')
+
+########################################
+## <summary>
+## Read gssproxy PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gssproxy_read_pid_files',`
+ gen_require(`
+ type gssproxy_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, gssproxy_run_t, gssproxy_run_t)
+')
+
+########################################
+## <summary>
+## Connect to gssproxy over an unix
+## domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gssproxy_stream_connect',`
+ gen_require(`
+ type gssproxy_t, gssproxy_run_t, gssproxy_var_lib_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, gssproxy_run_t, gssproxy_run_t, gssproxy_t)
+ stream_connect_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t, gssproxy_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an gssproxy environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`gssproxy_admin',`
+ gen_require(`
+ type gssproxy_t;
+ type gssproxy_var_lib_t;
+ type gssproxy_run_t;
+ type gssproxy_unit_t;
+ ')
+
+ allow $1 gssproxy_t:process { ptrace signal_perms };
+ ps_process_pattern($1, gssproxy_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, gssproxy_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, gssproxy_run_t)
+
+ admin_pattern($1, gssproxy_unit_t)
+')
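Review bot: `gssproxy_stream_connect` grants a stream connect to the socket under gssproxy_var_lib_t but never lets the caller traverse `/var/lib` itself; every other lib interface in this file pairs its rules with `files_search_var_lib($1)`, and this one should too, e.g. `files_search_var_lib($1)` next to the existing `files_search_pids($1)`. Without it a caller that reaches gssproxy only via the var_lib socket will be denied on the parent directory rather than on anything this interface grants. The docstrings also carry typos worth fixing while here: `## Execute gssproxy in the gssproxy domain.`, `## Connect to gssproxy over a unix`, and `## a gssproxy environment`.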
diff --git a/gssproxy.te b/gssproxy.te
new file mode 100644
index 0000000..c1dcc55
--- /dev/null
+++ b/gssproxy.te
@@ -0,0 +1,66 @@
+policy_module(gssproxy, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type gssproxy_t;
+type gssproxy_exec_t;
+init_daemon_domain(gssproxy_t, gssproxy_exec_t)
+
+type gssproxy_var_lib_t;
+files_type(gssproxy_var_lib_t)
+
+type gssproxy_run_t;
+files_pid_file(gssproxy_run_t)
+
+type gssproxy_unit_t;
+init_unit_file(gssproxy_unit_t)
+
+########################################
+#
+# gssproxy local policy
+#
+allow gssproxy_t self:capability { setuid setgid };
+allow gssproxy_t self:capability2 block_suspend;
+allow gssproxy_t self:fifo_file rw_fifo_file_perms;
+allow gssproxy_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
+manage_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
+manage_sock_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
+manage_lnk_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
+files_var_lib_filetrans(gssproxy_t, gssproxy_var_lib_t, { dir file lnk_file })
+
+manage_dirs_pattern(gssproxy_t, gssproxy_run_t, gssproxy_run_t)
+manage_files_pattern(gssproxy_t, gssproxy_run_t, gssproxy_run_t)
+manage_sock_files_pattern(gssproxy_t, gssproxy_run_t, gssproxy_run_t)
+manage_lnk_files_pattern(gssproxy_t, gssproxy_run_t, gssproxy_run_t)
+files_pid_filetrans(gssproxy_t, gssproxy_run_t, { dir file lnk_file sock_file })
+
+kernel_rw_rpc_sysctls(gssproxy_t)
+
+domain_use_interactive_fds(gssproxy_t)
+
+files_read_etc_files(gssproxy_t)
+
+fs_getattr_all_fs(gssproxy_t)
+
+auth_use_nsswitch(gssproxy_t)
+
+dev_read_urand(gssproxy_t)
+
+logging_send_syslog_msg(gssproxy_t)
+
+miscfiles_read_localization(gssproxy_t)
+
+userdom_read_all_users_keys(gssproxy_t)
+userdom_manage_user_tmp_dirs(gssproxy_t)
+userdom_manage_user_tmp_files(gssproxy_t)
+
+optional_policy(`
+ kerberos_manage_host_rcache(gssproxy_t)
+ kerberos_read_keytab(gssproxy_t)
+ kerberos_use(gssproxy_t)
+')
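Review bot: The three `userdom_*` rules near the end are the broadest grants in the module — reading every user's kernel keyring and creating and removing arbitrary content in every user's tmp directory — yet unlike the rest of the file they carry no hint of why the daemon needs them, which makes later tightening hard. A short why-comment above `userdom_read_all_users_keys(gssproxy_t)` would help, e.g. `# per-user credential caches (keyrings and tmp ccache files); confirm against the gssproxy service configuration`. If the tmp access is only for credential cache files, a filetrans to a dedicated type would be the usual refpolicy approach, but that can be a follow-up.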
--
2.13.6


2017-11-02 17:31:20

by Jason Zaman

Subject: [refpolicy] [PATCH 2/3] rpc: Allow stream connect to gssproxy

---
rpc.te | 3 +++
1 file changed, 3 insertions(+)

diff --git a/rpc.te b/rpc.te
index 4a96ab2..baca79c 100644
--- a/rpc.te
+++ b/rpc.te
@@ -335,6 +335,9 @@ optional_policy(`
')

optional_policy(`
+ gssproxy_stream_connect(gssd_t)
+')
+optional_policy(`
kerberos_manage_host_rcache(gssd_t)
kerberos_read_keytab(gssd_t)
kerberos_tmp_filetrans_host_rcache(gssd_t, file, "nfs_0")
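Review bot: The new `optional_policy` block is glued to the following one — its closing `')` is immediately followed by the next `optional_policy(` opener — whereas the surrounding file separates each `optional_policy` block with a blank line; add the blank line between them. The gssd_t section this sits in starts and ends outside the hunk.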
--
2.13.6

2017-11-02 17:31:21

by Jason Zaman

Subject: [refpolicy] [PATCH 3/3] gpg: search dir when connecting to agent socket

commit 96ac8920f55e5a652c20aba99a599ce23a4d3c0d
(gpg: manage user runtime socket files and directories)
moved /run/user/UID/gnupg/ to gpg_runtime_t. This updates the interface
so it grants search permissions on the dir too.
---
gpg.if | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gpg.if b/gpg.if
index c4b7c4c..6266019 100644
--- a/gpg.if
+++ b/gpg.if
@@ -191,11 +191,11 @@ interface(`gpg_rw_agent_pipes',`
interface(`gpg_stream_connect_agent',`
gen_require(`
type gpg_agent_t, gpg_agent_tmp_t;
- type gpg_secret_t;
+ type gpg_secret_t, gpg_runtime_t;
')

stream_connect_pattern($1, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)
- allow $1 gpg_secret_t:dir search_dir_perms;
+ allow $1 { gpg_secret_t gpg_runtime_t }:dir search_dir_perms;
userdom_search_user_runtime($1)
userdom_search_user_home_dirs($1)
')
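Review bot: Adding search on gpg_runtime_t lets the caller reach `/run/user/UID/gnupg/`, but the only `stream_connect_pattern` in the interface still names gpg_agent_tmp_t; if the agent's sockets created inside the runtime directory inherit gpg_runtime_t rather than gpg_agent_tmp_t, connecting to them will still be denied on the sock_file. Worth confirming against the labeling introduced by commit 96ac8920f55e5a652c20aba99a599ce23a4d3c0d and, if so, adding `stream_connect_pattern($1, gpg_runtime_t, gpg_runtime_t, gpg_agent_t)`. The interface's summary block lies above the hunk and should also mention the runtime directory.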
--
2.13.6

2017-11-04 18:10:18

by Chris PeBenito

Subject: [refpolicy] [PATCH 1/3] gssproxy: add policy

On 11/02/2017 01:31 PM, Jason Zaman wrote:
> borrowed and modified from Fedora
> ---
> gssproxy.fc | 8 +++
> gssproxy.if | 168 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> gssproxy.te | 66 ++++++++++++++++++++++++
> 3 files changed, 242 insertions(+)
> create mode 100644 gssproxy.fc
> create mode 100644 gssproxy.if
> create mode 100644 gssproxy.te
>
> diff --git a/gssproxy.fc b/gssproxy.fc
> new file mode 100644
> index 0000000..a997015
> --- /dev/null
> +++ b/gssproxy.fc
> @@ -0,0 +1,8 @@
> +/usr/lib/systemd/system/gssproxy.service -- gen_context(system_u:object_r:gssproxy_unit_t,s0)
> +
> +/usr/sbin/gssproxy -- gen_context(system_u:object_r:gssproxy_exec_t,s0)
> +
> +/var/lib/gssproxy(/.*)? gen_context(system_u:object_r:gssproxy_var_lib_t,s0)
> +
> +/run/gssproxy\.pid -- gen_context(system_u:object_r:gssproxy_run_t,s0)
> +/run/gssproxy\.sock -s gen_context(system_u:object_r:gssproxy_run_t,s0)
> diff --git a/gssproxy.if b/gssproxy.if
> new file mode 100644
> index 0000000..1f8a446
> --- /dev/null
> +++ b/gssproxy.if
> @@ -0,0 +1,168 @@
> +## <summary>policy for gssproxy - daemon to proxy GSSAPI context establishment and channel handling</summary>
> +
> +########################################
> +## <summary>
> +## Execute gssproxy in the gssproxy domin.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to transition.
> +## </summary>
> +## </param>
> +#
> +interface(`gssproxy_domtrans',`
> + gen_require(`
> + type gssproxy_t, gssproxy_exec_t;
> + ')
> +
> + corecmd_search_bin($1)
> + domtrans_pattern($1, gssproxy_exec_t, gssproxy_t)
> +')
> +
> +########################################
> +## <summary>
> +## Search gssproxy lib directories.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`gssproxy_search_lib',`
> + gen_require(`
> + type gssproxy_var_lib_t;
> + ')
> +
> + allow $1 gssproxy_var_lib_t:dir search_dir_perms;
> + files_search_var_lib($1)
> +')
> +
> +########################################
> +## <summary>
> +## Read gssproxy lib files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`gssproxy_read_lib_files',`
> + gen_require(`
> + type gssproxy_var_lib_t;
> + ')
> +
> + files_search_var_lib($1)
> + read_files_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
> +')
> +
> +########################################
> +## <summary>
> +## Manage gssproxy lib files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`gssproxy_manage_lib_files',`
> + gen_require(`
> + type gssproxy_var_lib_t;
> + ')
> +
> + files_search_var_lib($1)
> + manage_files_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
> +')
> +
> +########################################
> +## <summary>
> +## Manage gssproxy lib directories.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`gssproxy_manage_lib_dirs',`
> + gen_require(`
> + type gssproxy_var_lib_t;
> + ')
> +
> + files_search_var_lib($1)
> + manage_dirs_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
> +')
> +
> +########################################
> +## <summary>
> +## Read gssproxy PID files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`gssproxy_read_pid_files',`
> + gen_require(`
> + type gssproxy_run_t;
> + ')
> +
> + files_search_pids($1)
> + read_files_pattern($1, gssproxy_run_t, gssproxy_run_t)
> +')
> +
> +########################################
> +## <summary>
> +## Connect to gssproxy over an unix
> +## domain stream socket.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`gssproxy_stream_connect',`
> + gen_require(`
> + type gssproxy_t, gssproxy_run_t, gssproxy_var_lib_t;
> + ')
> +
> + files_search_pids($1)
> + stream_connect_pattern($1, gssproxy_run_t, gssproxy_run_t, gssproxy_t)
> + stream_connect_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t, gssproxy_t)
> +')
> +
> +########################################
> +## <summary>
> +## All of the rules required to administrate
> +## an gssproxy environment
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`gssproxy_admin',`
> + gen_require(`
> + type gssproxy_t;
> + type gssproxy_var_lib_t;
> + type gssproxy_run_t;
> + type gssproxy_unit_t;
> + ')
> +
> + allow $1 gssproxy_t:process { ptrace signal_perms };
> + ps_process_pattern($1, gssproxy_t)
> +
> + files_search_var_lib($1)
> + admin_pattern($1, gssproxy_var_lib_t)
> +
> + files_search_pids($1)
> + admin_pattern($1, gssproxy_run_t)
> +
> + admin_pattern($1, gssproxy_unit_t)
> +')
> diff --git a/gssproxy.te b/gssproxy.te
> new file mode 100644
> index 0000000..c1dcc55
> --- /dev/null
> +++ b/gssproxy.te
> @@ -0,0 +1,66 @@
> +policy_module(gssproxy, 1.0.0)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +type gssproxy_t;
> +type gssproxy_exec_t;
> +init_daemon_domain(gssproxy_t, gssproxy_exec_t)
> +
> +type gssproxy_var_lib_t;
> +files_type(gssproxy_var_lib_t)
> +
> +type gssproxy_run_t;
> +files_pid_file(gssproxy_run_t)
> +
> +type gssproxy_unit_t;
> +init_unit_file(gssproxy_unit_t)
> +
> +########################################
> +#
> +# gssproxy local policy
> +#
> +allow gssproxy_t self:capability { setuid setgid };
> +allow gssproxy_t self:capability2 block_suspend;
> +allow gssproxy_t self:fifo_file rw_fifo_file_perms;
> +allow gssproxy_t self:unix_stream_socket create_stream_socket_perms;
> +
> +manage_dirs_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
> +manage_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
> +manage_sock_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
> +manage_lnk_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
> +files_var_lib_filetrans(gssproxy_t, gssproxy_var_lib_t, { dir file lnk_file })
> +
> +manage_dirs_pattern(gssproxy_t, gssproxy_run_t, gssproxy_run_t)
> +manage_files_pattern(gssproxy_t, gssproxy_run_t, gssproxy_run_t)
> +manage_sock_files_pattern(gssproxy_t, gssproxy_run_t, gssproxy_run_t)
> +manage_lnk_files_pattern(gssproxy_t, gssproxy_run_t, gssproxy_run_t)
> +files_pid_filetrans(gssproxy_t, gssproxy_run_t, { dir file lnk_file sock_file })
> +
> +kernel_rw_rpc_sysctls(gssproxy_t)
> +
> +domain_use_interactive_fds(gssproxy_t)
> +
> +files_read_etc_files(gssproxy_t)
> +
> +fs_getattr_all_fs(gssproxy_t)
> +
> +auth_use_nsswitch(gssproxy_t)
> +
> +dev_read_urand(gssproxy_t)
> +
> +logging_send_syslog_msg(gssproxy_t)
> +
> +miscfiles_read_localization(gssproxy_t)
> +
> +userdom_read_all_users_keys(gssproxy_t)
> +userdom_manage_user_tmp_dirs(gssproxy_t)
> +userdom_manage_user_tmp_files(gssproxy_t)
> +
> +optional_policy(`
> + kerberos_manage_host_rcache(gssproxy_t)
> + kerberos_read_keytab(gssproxy_t)
> + kerberos_use(gssproxy_t)
> +')

Merged.

--
Chris PeBenito

2017-11-04 18:10:28

by Chris PeBenito

Subject: [refpolicy] [PATCH 2/3] rpc: Allow stream connect to gssproxy

On 11/02/2017 01:31 PM, Jason Zaman wrote:
> ---
> rpc.te | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/rpc.te b/rpc.te
> index 4a96ab2..baca79c 100644
> --- a/rpc.te
> +++ b/rpc.te
> @@ -335,6 +335,9 @@ optional_policy(`
> ')
>
> optional_policy(`
> + gssproxy_stream_connect(gssd_t)
> +')
> +optional_policy(`
> kerberos_manage_host_rcache(gssd_t)
> kerberos_read_keytab(gssd_t)
> kerberos_tmp_filetrans_host_rcache(gssd_t, file, "nfs_0")

Merged.

--
Chris PeBenito

2017-11-04 18:10:37

by Chris PeBenito

Subject: [refpolicy] [PATCH 3/3] gpg: search dir when connecting to agent socket

On 11/02/2017 01:31 PM, Jason Zaman wrote:
> commit 96ac8920f55e5a652c20aba99a599ce23a4d3c0d
> (gpg: manage user runtime socket files and directories)
> moved /run/user/UID/gnupg/ to gpg_runtime_t. this updates the interface
> so it grants search perms on the dir too.
> ---
> gpg.if | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/gpg.if b/gpg.if
> index c4b7c4c..6266019 100644
> --- a/gpg.if
> +++ b/gpg.if
> @@ -191,11 +191,11 @@ interface(`gpg_rw_agent_pipes',`
> interface(`gpg_stream_connect_agent',`
> gen_require(`
> type gpg_agent_t, gpg_agent_tmp_t;
> - type gpg_secret_t;
> + type gpg_secret_t, gpg_runtime_t;
> ')
>
> stream_connect_pattern($1, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)
> - allow $1 gpg_secret_t:dir search_dir_perms;
> + allow $1 { gpg_secret_t gpg_runtime_t }:dir search_dir_perms;
> userdom_search_user_runtime($1)
> userdom_search_user_home_dirs($1)
> ')

Merged.

--
Chris PeBenito