2012-09-04 21:37:20

by Laurent Bigonville

Subject: [refpolicy] [PATCH 1/9] Mark use of deprecated interfaces that are not providing replacement as errors

From: Laurent Bigonville <[email protected]>

---
bind.if | 2 +-
bluetooth.if | 4 ++--
cups.if | 2 +-
dictd.if | 2 +-
finger.if | 2 +-
ftp.if | 2 +-
i18n_input.if | 2 +-
inetd.if | 4 ++--
jabber.if | 2 +-
ldap.if | 2 +-
mta.if | 2 +-
nessus.if | 2 +-
nis.if | 4 ++--
nsd.if | 4 ++--
perdition.if | 2 +-
portmap.if | 6 +++---
radius.if | 2 +-
rpc.if | 4 ++--
snmp.if | 4 ++--
soundserver.if | 2 +-
squid.if | 2 +-
21 files changed, 29 insertions(+), 29 deletions(-)

diff --git a/bind.if b/bind.if
index 44a1e3d..b5e0ea5 100644
--- a/bind.if
+++ b/bind.if
@@ -336,7 +336,7 @@ interface(`bind_manage_zone',`
## </param>
#
interface(`bind_udp_chat_named',`
- refpolicywarn(`$0($*) has been deprecated.')
+ refpolicyerr(`$0($*) has been deprecated.')
')

########################################
diff --git a/bluetooth.if b/bluetooth.if
index 3e45431..f232b3b 100644
--- a/bluetooth.if
+++ b/bluetooth.if
@@ -126,7 +126,7 @@ interface(`bluetooth_dbus_chat',`
## </param>
#
interface(`bluetooth_domtrans_helper',`
- refpolicywarn(`$0($*) has been deprecated.')
+ refpolicyerr(`$0($*) has been deprecated.')
')

########################################
@@ -152,7 +152,7 @@ interface(`bluetooth_domtrans_helper',`
## <rolecap/>
#
interface(`bluetooth_run_helper',`
- refpolicywarn(`$0($*) has been deprecated.')
+ refpolicyerr(`$0($*) has been deprecated.')
')

########################################
diff --git a/cups.if b/cups.if
index 305ddf4..56cb53f 100644
--- a/cups.if
+++ b/cups.if
@@ -75,7 +75,7 @@ interface(`cups_stream_connect',`
## </param>
#
interface(`cups_tcp_connect',`
- refpolicywarn(`$0($*) has been deprecated.')
+ refpolicyerr(`$0($*) has been deprecated.')
')

########################################
diff --git a/dictd.if b/dictd.if
index a0d23ce..7650335 100644
--- a/dictd.if
+++ b/dictd.if
@@ -12,7 +12,7 @@
## </param>
#
interface(`dictd_tcp_connect',`
- refpolicywarn(`$0($*) has been deprecated.')
+ refpolicyerr(`$0($*) has been deprecated.')
')

########################################
diff --git a/finger.if b/finger.if
index b5dd671..9bbb169 100644
--- a/finger.if
+++ b/finger.if
@@ -29,5 +29,5 @@ interface(`finger_domtrans',`
## </param>
#
interface(`finger_tcp_connect',`
- refpolicywarn(`$0($*) has been deprecated.')
+ refpolicyerr(`$0($*) has been deprecated.')
')
diff --git a/ftp.if b/ftp.if
index 9d3201b..3d29482 100644
--- a/ftp.if
+++ b/ftp.if
@@ -29,7 +29,7 @@ interface(`ftp_dyntrans_anon_sftpd',`
## </param>
#
interface(`ftp_tcp_connect',`
- refpolicywarn(`$0($*) has been deprecated.')
+ refpolicyerr(`$0($*) has been deprecated.')
')

########################################
diff --git a/i18n_input.if b/i18n_input.if
index bc7de4f..bd85f3b 100644
--- a/i18n_input.if
+++ b/i18n_input.if
@@ -11,5 +11,5 @@
## </param>
#
interface(`i18n_use',`
- refpolicywarn(`$0($*) has been deprecated.')
+ refpolicyerr(`$0($*) has been deprecated.')
')
diff --git a/inetd.if b/inetd.if
index df48e5e..75a7539 100644
--- a/inetd.if
+++ b/inetd.if
@@ -150,7 +150,7 @@ interface(`inetd_use_fds',`
## </param>
#
interface(`inetd_tcp_connect',`
- refpolicywarn(`$0($*) has been deprecated.')
+ refpolicyerr(`$0($*) has been deprecated.')
')

########################################
@@ -183,7 +183,7 @@ interface(`inetd_domtrans_child',`
## </param>
#
interface(`inetd_udp_send',`
- refpolicywarn(`$0($*) has been deprecated.')
+ refpolicyerr(`$0($*) has been deprecated.')
')

########################################
diff --git a/jabber.if b/jabber.if
index 9878499..00f78ed 100644
--- a/jabber.if
+++ b/jabber.if
@@ -11,7 +11,7 @@
## </param>
#
interface(`jabber_tcp_connect',`
- refpolicywarn(`$0($*) has been deprecated.')
+ refpolicyerr(`$0($*) has been deprecated.')
')

########################################
diff --git a/ldap.if b/ldap.if
index d6b7b2d..5585d7d 100644
--- a/ldap.if
+++ b/ldap.if
@@ -50,7 +50,7 @@ interface(`ldap_read_config',`
## </param>
#
interface(`ldap_use',`
- refpolicywarn(`$0($*) has been deprecated.')
+ refpolicyerr(`$0($*) has been deprecated.')
')

########################################
diff --git a/mta.if b/mta.if
index 4e2a5ba..f5b7fcd 100644
--- a/mta.if
+++ b/mta.if
@@ -587,7 +587,7 @@ interface(`mta_dontaudit_rw_delivery_tcp_sockets',`
## </param>
#
interface(`mta_tcp_connect_all_mailservers',`
- refpolicywarn(`$0($*) has been deprecated.')
+ refpolicyerr(`$0($*) has been deprecated.')
')

#######################################
diff --git a/nessus.if b/nessus.if
index 6ec8003..edc4d91 100644
--- a/nessus.if
+++ b/nessus.if
@@ -11,5 +11,5 @@
## </param>
#
interface(`nessus_tcp_connect',`
- refpolicywarn(`$0($*) has been deprecated.')
+ refpolicyerr(`$0($*) has been deprecated.')
')
diff --git a/nis.if b/nis.if
index abe3f7f..1430352 100644
--- a/nis.if
+++ b/nis.if
@@ -205,7 +205,7 @@ interface(`nis_list_var_yp',`
## </param>
#
interface(`nis_udp_send_ypbind',`
- refpolicywarn(`$0($*) has been deprecated.')
+ refpolicyerr(`$0($*) has been deprecated.')
')

########################################
@@ -219,7 +219,7 @@ interface(`nis_udp_send_ypbind',`
## </param>
#
interface(`nis_tcp_connect_ypbind',`
- refpolicywarn(`$0($*) has been deprecated.')
+ refpolicyerr(`$0($*) has been deprecated.')
')

########################################
diff --git a/nsd.if b/nsd.if
index a1371d5..5142540 100644
--- a/nsd.if
+++ b/nsd.if
@@ -11,7 +11,7 @@
## </param>
#
interface(`nsd_udp_chat',`
- refpolicywarn(`$0($*) has been deprecated.')
+ refpolicyerr(`$0($*) has been deprecated.')
')

########################################
@@ -25,5 +25,5 @@ interface(`nsd_udp_chat',`
## </param>
#
interface(`nsd_tcp_connect',`
- refpolicywarn(`$0($*) has been deprecated.')
+ refpolicyerr(`$0($*) has been deprecated.')
')
diff --git a/perdition.if b/perdition.if
index 2b0bd64..8919276 100644
--- a/perdition.if
+++ b/perdition.if
@@ -11,5 +11,5 @@
## </param>
#
interface(`perdition_tcp_connect',`
- refpolicywarn(`$0($*) has been deprecated.')
+ refpolicyerr(`$0($*) has been deprecated.')
')
diff --git a/portmap.if b/portmap.if
index 374afcf..f0484c3 100644
--- a/portmap.if
+++ b/portmap.if
@@ -57,7 +57,7 @@ interface(`portmap_run_helper',`
## </param>
#
interface(`portmap_udp_send',`
- refpolicywarn(`$0($*) has been deprecated.')
+ refpolicyerr(`$0($*) has been deprecated.')
')

########################################
@@ -71,7 +71,7 @@ interface(`portmap_udp_send',`
## </param>
#
interface(`portmap_udp_chat',`
- refpolicywarn(`$0($*) has been deprecated.')
+ refpolicyerr(`$0($*) has been deprecated.')
')

########################################
@@ -85,5 +85,5 @@ interface(`portmap_udp_chat',`
## </param>
#
interface(`portmap_tcp_connect',`
- refpolicywarn(`$0($*) has been deprecated.')
+ refpolicyerr(`$0($*) has been deprecated.')
')
diff --git a/radius.if b/radius.if
index 75e5dc4..9b35194 100644
--- a/radius.if
+++ b/radius.if
@@ -11,7 +11,7 @@
## </param>
#
interface(`radius_use',`
- refpolicywarn(`$0($*) has been deprecated.')
+ refpolicyerr(`$0($*) has been deprecated.')
')

########################################
diff --git a/rpc.if b/rpc.if
index dddabcf..a8a31b7 100644
--- a/rpc.if
+++ b/rpc.if
@@ -133,7 +133,7 @@ template(`rpc_domain_template', `
## </param>
#
interface(`rpc_udp_send',`
- refpolicywarn(`$0($*) has been deprecated.')
+ refpolicyerr(`$0($*) has been deprecated.')
')

########################################
@@ -374,7 +374,7 @@ interface(`rpc_udp_rw_nfs_sockets',`
## </param>
#
interface(`rpc_udp_send_nfs',`
- refpolicywarn(`$0($*) has been deprecated.')
+ refpolicyerr(`$0($*) has been deprecated.')
')

########################################
diff --git a/snmp.if b/snmp.if
index 275f9fb..f143171 100644
--- a/snmp.if
+++ b/snmp.if
@@ -30,7 +30,7 @@ interface(`snmp_stream_connect',`
## </param>
#
interface(`snmp_tcp_connect',`
- refpolicywarn(`$0($*) has been deprecated.')
+ refpolicyerr(`$0($*) has been deprecated.')
')

########################################
@@ -44,7 +44,7 @@ interface(`snmp_tcp_connect',`
## </param>
#
interface(`snmp_udp_chat',`
- refpolicywarn(`$0($*) has been deprecated.')
+ refpolicyerr(`$0($*) has been deprecated.')
')

########################################
diff --git a/soundserver.if b/soundserver.if
index 93fe7bf..d27ebc5 100644
--- a/soundserver.if
+++ b/soundserver.if
@@ -11,7 +11,7 @@
## </param>
#
interface(`soundserver_tcp_connect',`
- refpolicywarn(`$0($*) has been deprecated.')
+ refpolicyerr(`$0($*) has been deprecated.')
')

########################################
diff --git a/squid.if b/squid.if
index d2496bd..de25872 100644
--- a/squid.if
+++ b/squid.if
@@ -184,7 +184,7 @@ interface(`squid_manage_logs',`
## </param>
#
interface(`squid_use',`
- refpolicywarn(`$0($*) has been deprecated.')
+ refpolicyerr(`$0($*) has been deprecated.')
')

########################################
--
1.7.10.4


2012-09-04 21:37:21

by Laurent Bigonville

Subject: [refpolicy] [PATCH 2/9] Allow saslauthd_t to talk to mysqld via TCP

From: Mika Pfl?ger <[email protected]>

---
sasl.te | 1 +
1 file changed, 1 insertion(+)

diff --git a/sasl.te b/sasl.te
index 9d9f8ce..a066d33 100644
--- a/sasl.te
+++ b/sasl.te
@@ -99,6 +99,7 @@ optional_policy(`
optional_policy(`
mysql_search_db(saslauthd_t)
mysql_stream_connect(saslauthd_t)
+ mysql_tcp_connect(saslauthd_t)
')

optional_policy(`
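Review bot: The added `mysql_tcp_connect(saslauthd_t)` grants the TCP path to mysqld unconditionally, while the `mysql_stream_connect` line just above already covers the local-socket case that most saslauthd installs use. Several refpolicy modules (apache, with `httpd_can_network_connect_db`) gate the database TCP path behind a tunable so that hosts with a local mysqld never get network access they do not use; wrapping the new call in a `tunable_policy(` block with a boolean declared in sasl.te would keep the default tighter. If the Debian use case always needs a remote backend, a one-line comment above the call saying so would at least record why it is unconditional.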
--
1.7.10.4

2012-09-04 21:37:22

by Laurent Bigonville

Subject: [refpolicy] [PATCH 3/9] Policykit debian fixes

From: Mika Pfl?ger <[email protected]>

---
policykit.fc | 2 ++
1 file changed, 2 insertions(+)

diff --git a/policykit.fc b/policykit.fc
index 63d0061..6bbd28c 100644
--- a/policykit.fc
+++ b/policykit.fc
@@ -4,6 +4,8 @@
/usr/lib/policykit/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
/usr/lib/policykit-1/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)

+/usr/lib/policykit-1/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
+
/usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
/usr/libexec/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0)
/usr/libexec/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0)
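Review bot: The added line `/usr/lib/policykit-1/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)` appears to be identical to the existing context line two lines above it, so as rendered here the patch adds a duplicate file-context spec rather than a new path. If the intended Debian path differs (another directory under /usr/lib, for example), the new line should carry that path; otherwise it should be dropped. Whitespace may have been flattened in this archive, so the original patch is worth checking before applying.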
--
1.7.10.4

2012-09-04 21:37:23

by Laurent Bigonville

Subject: [refpolicy] [PATCH 4/9] Quota policy adjustments: * Allow quota_t to load kernel modules

From: Mika Pfl?ger <[email protected]>

---
quota.te | 1 +
1 file changed, 1 insertion(+)

diff --git a/quota.te b/quota.te
index 5dd42f5..5ec1cf3 100644
--- a/quota.te
+++ b/quota.te
@@ -20,6 +20,7 @@ files_type(quota_flag_t)
# Local policy
#

+kernel_request_load_module(quota_t)
allow quota_t self:capability { sys_admin dac_override };
dontaudit quota_t self:capability sys_tty_config;
allow quota_t self:process signal_perms;
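Review bot: `kernel_request_load_module(quota_t)` grants only the right to ask the kernel to autoload a module (the `module_request` permission on kernel_t), not to load modules itself, so the subject line "Allow quota_t to load kernel modules" overstates what is granted and should say "request kernel module loading". A short comment above the call naming the operation that triggers the autoload (presumably quotactl on a filesystem whose quota support is modular) would make the rule reviewable later; confirm that against the denial that motivated it. Per the refpolicy style guide, kernel-layer interface calls follow the `self:` rules, so this line belongs after `allow quota_t self:process signal_perms;` rather than above the capability rule.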
--
1.7.10.4

2012-09-04 21:37:24

by Laurent Bigonville

Subject: [refpolicy] [PATCH 5/9] Label /usr/lib/udisks/udisks-helper-* with bin_t

From: Laurent Bigonville <[email protected]>

---
devicekit.fc | 1 +
1 file changed, 1 insertion(+)

diff --git a/devicekit.fc b/devicekit.fc
index 9af85c8..ae2d805 100644
--- a/devicekit.fc
+++ b/devicekit.fc
@@ -1,4 +1,5 @@
/usr/lib/udisks/udisks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
+/usr/lib/udisks/udisks-helper-.* -- gen_context(system_u:object_r:bin_t,s0)

/usr/libexec/devkit-daemon -- gen_context(system_u:object_r:devicekit_exec_t,s0)
/usr/libexec/devkit-disks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
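Review bot: Labelling `udisks-helper-.*` as `bin_t` means the helpers execute in whichever domain runs them (devicekit_disk_t via corecmd_exec_bin, presumably) with no transition, which is fine if intended, but the alternative is a dedicated helper domain and the choice should be recorded. refpolicy keeps `bin_t` file contexts in corecommands.fc rather than in per-module .fc files, so this entry probably belongs there. A one-line comment such as `# udisks helpers run in the caller's domain` would document the decision either way.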
--
1.7.10.4

2012-09-04 21:37:25

by Laurent Bigonville

Subject: [refpolicy] [PATCH 6/9] Include policy for the iodine IP over DNS tunnel daemon

From: Russell Coker <[email protected]>

---
contrib/iodine.fc | 1 +
contrib/iodine.if | 1 +
contrib/iodine.te | 26 ++++++++++++++++++++++++++
3 files changed, 28 insertions(+)
create mode 100644 contrib/iodine.fc
create mode 100644 contrib/iodine.if
create mode 100644 contrib/iodine.te

diff --git a/contrib/iodine.fc b/contrib/iodine.fc
new file mode 100644
index 0000000..4e144ea
--- /dev/null
+++ b/contrib/iodine.fc
@@ -0,0 +1 @@
+/usr/sbin/iodine.* -- gen_context(system_u:object_r:iodine_exec_t,s0)
diff --git a/contrib/iodine.if b/contrib/iodine.if
new file mode 100644
index 0000000..3eb6a30
--- /dev/null
+++ b/contrib/iodine.if
@@ -0,0 +1 @@
+## <summary></summary>
diff --git a/contrib/iodine.te b/contrib/iodine.te
new file mode 100644
index 0000000..96a7de7
--- /dev/null
+++ b/contrib/iodine.te
@@ -0,0 +1,26 @@
+policy_module(iodine,1.0.0)
+
+# policy for the iodine IP over DNS tunneling daemon
+type iodine_t;
+type iodine_exec_t;
+files_type(iodine_exec_t)
+init_daemon_domain(iodine_t, iodine_exec_t)
+
+logging_send_syslog_msg(iodine_t)
+kernel_search_network_sysctl(iodine_t)
+kernel_read_network_state(iodine_t)
+kernel_request_load_module(iodine_t)
+kernel_read_system_state(iodine_t)
+files_read_etc_files(iodine_t)
+corecmd_exec_shell(iodine_t)
+allow iodine_t self:capability { setgid setuid net_bind_service net_admin net_raw sys_chroot };
+sysnet_domtrans_ifconfig(iodine_t)
+
+allow iodine_t self:rawip_socket { write read create };
+allow iodine_t self:unix_dgram_socket { create connect };
+corenet_raw_receive_generic_node(iodine_t)
+corenet_rw_tun_tap_dev(iodine_t)
+corenet_udp_bind_dns_port(iodine_t)
+corenet_udp_bind_generic_node(iodine_t)
+allow iodine_t self:udp_socket connected_socket_perms;
+allow iodine_t self:tun_socket create;
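Review bot: `corenet_udp_bind_dns_port(iodine_t)` has no matching packet rule; elsewhere in this series the same bind is followed by `corenet_sendrecv_dns_server_packets` (see the djbdns template in patch 8/9), and the client side of iodine, which sends DNS queries rather than binding port 53, gets no rule at all even though the `.fc` pattern `/usr/sbin/iodine.*` labels both the client and `iodined`. Either add `corenet_udp_sendrecv_dns_port(iodine_t)` and `corenet_sendrecv_dns_client_packets(iodine_t)` for the client, or narrow the `.fc` pattern to the server binary and say so in the summary. `corecmd_exec_shell(iodine_t)` alongside the `net_admin`/`net_raw` capabilities also deserves a why-comment naming what the daemon runs through the shell, since a shell in a raw-socket domain is a broad grant.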
--
1.7.10.4

2012-09-04 21:37:26

by Laurent Bigonville

Subject: [refpolicy] [PATCH 7/9] Added new "lda" module for email local delivery agents such as maildrop and procmail

From: Russell Coker <[email protected]>

---
courier.if | 19 +++++++
lda.fc | 9 ++++
lda.if | 41 +++++++++++++++
lda.te | 162 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
postfix.te | 6 ++-
5 files changed, 236 insertions(+), 1 deletion(-)
create mode 100644 lda.fc
create mode 100644 lda.if
create mode 100644 lda.te

diff --git a/courier.if b/courier.if
index 9971337..be99138 100644
--- a/courier.if
+++ b/courier.if
@@ -106,6 +106,25 @@ interface(`courier_domtrans_authdaemon',`

########################################
## <summary>
+## Act as a client for the courier authdaemon
+## </summary>
+## <param name="prefix">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`courier_authdaemon_client',`
+ gen_require(`
+ type courier_authdaemon_t, courier_etc_t, courier_var_run_t;
+ ')
+ allow $1 courier_authdaemon_t:unix_stream_socket connectto;
+ allow $1 courier_etc_t:dir search;
+ allow $1 courier_var_run_t:sock_file write;
+')
+
+########################################
+## <summary>
## Execute the courier POP3 and IMAP server with
## a domain transition.
## </summary>
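Review bot: The parameter block of the new `courier_authdaemon_client` interface documents `<param name="prefix">`, but `$1` is the subject of every allow rule, so it should read `## <param name="domain">` like the other interfaces in this series. The three allow rules hand-roll a unix-stream connect; `stream_connect_pattern($1, courier_var_run_t, courier_var_run_t, courier_authdaemon_t)` expresses the sock_file write plus connectto in the standard way (and adds the search on the socket directory that the hand-rolled version lacks), leaving only the `courier_etc_t:dir search` rule, which presumably exists for the /etc/courier symlink to the socket directory and is worth a comment. A blank line after the `gen_require` block would match `lda_domtrans` in the same patch.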
diff --git a/lda.fc b/lda.fc
new file mode 100644
index 0000000..f5745ae
--- /dev/null
+++ b/lda.fc
@@ -0,0 +1,9 @@
+
+/usr/bin/procmail -- gen_context(system_u:object_r:lda_exec_t,s0)
+/usr/bin/maildrop -- gen_context(system_u:object_r:lda_exec_t,s0)
+/usr/sbin/deliverquota.maildrop -- gen_context(system_u:object_r:lda_exec_t,s0)
+/usr/lib/dovecot/deliver -- gen_context(system_u:object_r:lda_exec_t,s0)
+/usr/bin/mailbot -- gen_context(system_u:object_r:lda_exec_t,s0)
+
+/etc/courier/maildroprc -- gen_context(system_u:object_r:lda_etc_t,s0)
+/var/log/maildrop.log -- gen_context(system_u:object_r:lda_log_t,s0)
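Review bot: `/usr/lib/dovecot/deliver` is labelled `lda_exec_t` here, but I believe dovecot's own module in refpolicy already assigns that path its own deliver type; two modules labelling the same path conflicts when the modules are loaded together, so dovecot.fc should be checked before this entry is kept. The file also opens with a stray blank line, and a short comment grouping the lines (delivery agents versus config and log) would help since five unrelated programs share one exec type.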
diff --git a/lda.if b/lda.if
new file mode 100644
index 0000000..ec97dc8
--- /dev/null
+++ b/lda.if
@@ -0,0 +1,41 @@
+## <summary>mail delivery agent</summary>
+
+########################################
+## <summary>
+## Execute lda with a domain transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`lda_domtrans',`
+ gen_require(`
+ type lda_exec_t, lda_t;
+ ')
+
+ files_search_usr($1)
+ corecmd_search_bin($1)
+ domtrans_pattern($1,lda_exec_t,lda_t)
+')
+
+########################################
+## <summary>
+## Execute lda in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`lda_exec',`
+ gen_require(`
+ type lda_exec_t;
+ ')
+
+ files_search_usr($1)
+ corecmd_search_bin($1)
+ can_exec($1,lda_exec_t)
+')
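Review bot: `lda_t` keeps `procmail_t` as a typealias, but lda.if provides no `procmail_domtrans` compatibility interface, so any module other than postfix.te (updated in this patch) that still calls `procmail_domtrans` will fail to build once procmail.if is gone. Patch 1/9 in this series shows the project's convention for deprecated interfaces; a wrapper that warns and forwards to `lda_domtrans` keeps old callers working while they migrate, and the same applies to any other procmail interface this module drops. Separately, `domtrans_pattern($1,lda_exec_t,lda_t)` could use spaces after the commas as the rest of the series does.
```m4
########################################
## <summary>
##	Execute lda with a domain transition (deprecated name).
## </summary>
## <param name="domain">
## <summary>
##	Domain allowed access.
## </summary>
## </param>
#
interface(`procmail_domtrans',`
	refpolicywarn(`$0($*) has been deprecated, use lda_domtrans() instead.')
	lda_domtrans($1)
')
```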
diff --git a/lda.te b/lda.te
new file mode 100644
index 0000000..d9bc95d
--- /dev/null
+++ b/lda.te
@@ -0,0 +1,162 @@
+
+policy_module(lda, 1.9.0)
+
+########################################
+#
+# Declarations
+#
+
+type lda_t;
+typealias lda_t alias procmail_t;
+type lda_exec_t;
+typealias lda_exec_t alias procmail_exec_t;
+application_domain(lda_t,lda_exec_t)
+role system_r types lda_t;
+
+type lda_tmp_t;
+typealias lda_tmp_t alias procmail_tmp_t;
+files_tmp_file(lda_tmp_t)
+
+type lda_etc_t;
+files_config_file(lda_etc_t)
+
+type lda_log_t;
+logging_log_file(lda_log_t)
+manage_files_pattern(lda_t,lda_log_t,lda_log_t)
+logging_log_filetrans(lda_t,lda_log_t,file)
+
+
+########################################
+#
+# Local policy
+#
+
+allow lda_t self:capability { sys_nice chown setuid setgid dac_override };
+allow lda_t self:process { setsched signal signull };
+allow lda_t self:fifo_file rw_fifo_file_perms;
+allow lda_t self:unix_stream_socket create_socket_perms;
+allow lda_t self:unix_dgram_socket create_socket_perms;
+allow lda_t self:tcp_socket create_stream_socket_perms;
+allow lda_t self:udp_socket create_socket_perms;
+read_files_pattern(lda_t,lda_etc_t,lda_etc_t)
+read_lnk_files_pattern(lda_t,lda_etc_t,lda_etc_t)
+
+can_exec(lda_t,lda_exec_t)
+
+allow lda_t lda_tmp_t:file manage_file_perms;
+files_tmp_filetrans(lda_t, lda_tmp_t, file)
+
+kernel_read_system_state(lda_t)
+kernel_read_kernel_sysctls(lda_t)
+
+corenet_all_recvfrom_unlabeled(lda_t)
+corenet_all_recvfrom_netlabel(lda_t)
+corenet_tcp_sendrecv_all_if(lda_t)
+corenet_udp_sendrecv_all_if(lda_t)
+corenet_tcp_sendrecv_all_nodes(lda_t)
+corenet_udp_sendrecv_all_nodes(lda_t)
+corenet_tcp_sendrecv_all_ports(lda_t)
+corenet_udp_sendrecv_all_ports(lda_t)
+corenet_udp_bind_all_nodes(lda_t)
+corenet_tcp_connect_spamd_port(lda_t)
+corenet_sendrecv_spamd_client_packets(lda_t)
+corenet_sendrecv_comsat_client_packets(lda_t)
+
+dev_read_urand(lda_t)
+
+fs_getattr_xattr_fs(lda_t)
+fs_search_auto_mountpoints(lda_t)
+fs_rw_anon_inodefs_files(lda_t)
+
+auth_use_nsswitch(lda_t)
+
+corecmd_exec_bin(lda_t)
+corecmd_exec_shell(lda_t)
+
+files_read_etc_files(lda_t)
+files_read_etc_runtime_files(lda_t)
+files_search_pids(lda_t)
+# for spamassasin
+files_read_usr_files(lda_t)
+
+libs_use_ld_so(lda_t)
+libs_use_shared_libs(lda_t)
+
+logging_send_syslog_msg(lda_t)
+
+miscfiles_read_localization(lda_t)
+
+# only works until we define a different type for maildir
+userdom_manage_user_home_content_dirs(lda_t)
+userdom_manage_user_home_content_files(lda_t)
+userdom_user_home_dir_filetrans_user_home_content(lda_t, { dir file })
+
+optional_policy(`
+ gen_require(`
+ bool daemon_access_unconfined_home;
+ ')
+# tunable_policy(`daemon_access_unconfined_home', `
+# unconfined_write_home_content_files(lda_t)
+# ')
+')
+
+mta_manage_spool(lda_t)
+
+ifdef(`hide_broken_symptoms',`
+ mta_dontaudit_rw_queue(lda_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(lda_t)
+ fs_manage_nfs_files(lda_t)
+ fs_manage_nfs_symlinks(lda_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(lda_t)
+ fs_manage_cifs_files(lda_t)
+ fs_manage_cifs_symlinks(lda_t)
+')
+
+optional_policy(`
+ clamav_domtrans_clamscan(lda_t)
+ clamav_search_lib(lda_t)
+')
+
+optional_policy(`
+ courier_authdaemon_client(lda_t)
+')
+
+optional_policy(`
+ munin_dontaudit_search_lib(lda_t)
+')
+
+optional_policy(`
+ # for a bug in the postfix local program
+ postfix_dontaudit_rw_local_tcp_sockets(lda_t)
+ postfix_dontaudit_use_fds(lda_t)
+ postfix_read_spool_files(lda_t)
+ postfix_read_local_state(lda_t)
+ postfix_read_master_state(lda_t)
+')
+
+optional_policy(`
+ pyzor_domtrans(lda_t)
+')
+
+optional_policy(`
+ mta_read_config(lda_t)
+ sendmail_domtrans(lda_t)
+ sendmail_rw_tcp_sockets(lda_t)
+ sendmail_rw_unix_stream_sockets(lda_t)
+')
+
+optional_policy(`
+ corenet_udp_bind_generic_port(lda_t)
+ corenet_dontaudit_udp_bind_all_ports(lda_t)
+
+ spamassassin_exec(lda_t)
+ spamassassin_exec_client(lda_t)
+ spamassassin_read_lib_files(lda_t)
+')
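Review bot: The `optional_policy` block holding the `daemon_access_unconfined_home` gen_require is dead: its body is commented out, so it compiles to an optional block containing only a require on a boolean this module does not declare, which silently does nothing; either finish the tunable or drop the block. `libs_use_ld_so` and `libs_use_shared_libs` are, I believe, already deprecated in refpolicy of this vintage and will trigger exactly the warnings patch 1/9 is tightening, so they should go. For a local delivery agent, `corenet_tcp_sendrecv_all_ports` and `corenet_udp_bind_all_nodes` are broad grants that deserve a comment of their own, since spamd and comsat are already covered by the specific port rules just below them; the home-content rules at least carry a comment admitting their breadth. A new module would normally start at `policy_module(lda, 1.0.0)`.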
+
diff --git a/postfix.te b/postfix.te
index f358c69..221a5d1 100644
--- a/postfix.te
+++ b/postfix.te
@@ -319,7 +319,7 @@ optional_policy(`
')

optional_policy(`
- procmail_domtrans(postfix_local_t)
+ lda_domtrans(postfix_local_t)
')

########################################
@@ -425,6 +425,10 @@ optional_policy(`
')

optional_policy(`
+ lda_domtrans(postfix_pipe_t)
+')
+
+optional_policy(`
mailman_domtrans_queue(postfix_pipe_t)
')

--
1.7.10.4

2012-09-04 21:37:27

by Laurent Bigonville

Subject: [refpolicy] [PATCH 8/9] Fix djbdns ports

From: Russell Coker <[email protected]>

---
djbdns.if | 2 ++
1 file changed, 2 insertions(+)

diff --git a/djbdns.if b/djbdns.if
index ade3079..d53902d 100644
--- a/djbdns.if
+++ b/djbdns.if
@@ -45,7 +45,9 @@ template(`djbdns_daemontools_domain_template',`
corenet_tcp_bind_generic_node(djbdns_$1_t)
corenet_udp_bind_generic_node(djbdns_$1_t)
corenet_tcp_bind_dns_port(djbdns_$1_t)
+ corenet_tcp_connect_dns_port(djbdns_$1_t)
corenet_udp_bind_dns_port(djbdns_$1_t)
+ corenet_tcp_bind_generic_port(djbdns_$1_t)
corenet_udp_bind_generic_port(djbdns_$1_t)
corenet_sendrecv_dns_server_packets(djbdns_$1_t)
corenet_sendrecv_generic_server_packets(djbdns_$1_t)
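Review bot: The two added lines go into `djbdns_daemontools_domain_template`, so every djbdns daemon instantiated from it gains TCP connect to the DNS port and binding of generic ports, although presumably only some need each; the subject "Fix djbdns ports" does not say which denial motivated which rule, so a comment per line naming the daemon would help. Following the existing lines just below, `corenet_tcp_connect_dns_port` should be paired with `corenet_sendrecv_dns_client_packets(djbdns_$1_t)`, since the hunk currently has only the server-packet rules. The template starts before this hunk.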
--
1.7.10.4

2012-09-04 21:37:28

by Laurent Bigonville

Subject: [refpolicy] [PATCH 9/9] Add dirmngr support

From: Russell Coker <[email protected]>

---
dirmngr.fc | 9 +++++++++
dirmngr.if | 1 +
dirmngr.te | 57 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 67 insertions(+)
create mode 100644 dirmngr.fc
create mode 100644 dirmngr.if
create mode 100644 dirmngr.te

diff --git a/dirmngr.fc b/dirmngr.fc
new file mode 100644
index 0000000..f4a88e0
--- /dev/null
+++ b/dirmngr.fc
@@ -0,0 +1,9 @@
+/etc/dirmngr(/.*)? gen_context(system_u:object_r:dirmngr_conf_t,s0)
+
+/usr/bin/dirmngr -- gen_context(system_u:object_r:dirmngr_exec_t,s0)
+
+# labelling for PID file that is created by init script
+/var/run/dirmngr\.pid -- gen_context(system_u:object_r:initrc_var_run_t,s0)
+/var/run/dirmngr(/.*)? gen_context(system_u:object_r:dirmngr_var_run_t,s0)
+/var/log/dirmngr(/.*)? gen_context(system_u:object_r:dirmngr_log_t,s0)
+/var/lib/dirmngr(/.*)? gen_context(system_u:object_r:dirmngr_data_t,s0)
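Review bot: dirmngr.te in this same patch declares `dirmngr_initrc_exec_t` via `init_script_file`, but this .fc file labels no init script, so the type is never assigned to anything; either add the init script path (`/etc/rc\.d/init\.d/dirmngr -- gen_context(system_u:object_r:dirmngr_initrc_exec_t,s0)`) or drop the declaration. The comment on the PID file explains the `initrc_var_run_t` choice well; a similar note on `/var/lib/dirmngr` would also resolve the mismatch with the .te comment that describes `dirmngr_data_t` as the type for /var/cache/dirmngr.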
diff --git a/dirmngr.if b/dirmngr.if
new file mode 100644
index 0000000..3eb6a30
--- /dev/null
+++ b/dirmngr.if
@@ -0,0 +1 @@
+## <summary></summary>
diff --git a/dirmngr.te b/dirmngr.te
new file mode 100644
index 0000000..f7f7df3
--- /dev/null
+++ b/dirmngr.te
@@ -0,0 +1,57 @@
+policy_module(dirmngr, 1.10.0)
+
+########################################
+#
+# Declarations
+#
+
+type dirmngr_t;
+type dirmngr_exec_t;
+init_daemon_domain(dirmngr_t, dirmngr_exec_t)
+
+# type for /var/cache/dirmngr
+type dirmngr_data_t;
+files_type(dirmngr_data_t)
+
+type dirmngr_conf_t;
+files_type(dirmngr_conf_t)
+
+type dirmngr_initrc_exec_t;
+init_script_file(dirmngr_initrc_exec_t)
+
+type dirmngr_log_t;
+logging_log_file(dirmngr_log_t)
+
+type dirmngr_var_run_t;
+files_pid_file(dirmngr_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow dirmngr_t dirmngr_var_run_t:sock_file manage_file_perms;
+allow dirmngr_t self:fifo_file rw_file_perms;
+files_list_var_lib(dirmngr_t)
+files_read_etc_files(dirmngr_t)
+files_read_var_files(dirmngr_t)
+kernel_read_crypto_sysctls(dirmngr_t)
+logging_read_generic_logs(dirmngr_t)
+miscfiles_read_localization(dirmngr_t)
+
+
+# Grant permissions to create, access, and delete cache files.
+manage_dirs_pattern(dirmngr_t, dirmngr_data_t, dirmngr_data_t)
+manage_files_pattern(dirmngr_t, dirmngr_data_t, dirmngr_data_t)
+manage_lnk_files_pattern(dirmngr_t, dirmngr_data_t, dirmngr_data_t)
+
+allow dirmngr_t dirmngr_conf_t:dir list_dir_perms;
+read_files_pattern(dirmngr_t, dirmngr_conf_t, dirmngr_conf_t)
+read_lnk_files_pattern(dirmngr_t, dirmngr_conf_t, dirmngr_conf_t)
+
+manage_dirs_pattern(dirmngr_t, dirmngr_log_t, dirmngr_log_t)
+manage_files_pattern(dirmngr_t, dirmngr_log_t, dirmngr_log_t)
+logging_log_filetrans(dirmngr_t, dirmngr_log_t, { file dir })
+
+manage_files_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t)
+files_pid_filetrans(dirmngr_t, dirmngr_var_run_t, { file sock_file })
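Review bot: `allow dirmngr_t dirmngr_var_run_t:sock_file manage_file_perms;` applies a file permission set to a sock_file; the matching set is `manage_sock_file_perms`, or `manage_sock_files_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t)` for consistency with the `manage_files_pattern` calls below. Likewise `allow dirmngr_t self:fifo_file rw_file_perms;` should use `rw_fifo_file_perms`, as lda.te does in patch 7/9. The comment `# type for /var/cache/dirmngr` on `dirmngr_data_t` does not match dirmngr.fc, which labels `/var/lib/dirmngr` with that type. If this build of dirmngr fetches CRLs over LDAP or HTTP, there are no network rules at all, which is worth confirming against denials from an actual run.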
--
1.7.10.4

2012-09-04 22:03:28

by dominick.grift

Subject: [refpolicy] [PATCH 6/9] Include policy for the iodine IP over DNS tunnel daemon

Just a quick review. comments in-line:

On Tue, 2012-09-04 at 23:37 +0200, Laurent Bigonville wrote:
> From: Russell Coker <[email protected]>
>
> ---
> contrib/iodine.fc | 1 +
> contrib/iodine.if | 1 +
> contrib/iodine.te | 26 ++++++++++++++++++++++++++
> 3 files changed, 28 insertions(+)
> create mode 100644 contrib/iodine.fc
> create mode 100644 contrib/iodine.if
> create mode 100644 contrib/iodine.te
>
> diff --git a/contrib/iodine.fc b/contrib/iodine.fc
> new file mode 100644
> index 0000000..4e144ea
> --- /dev/null
> +++ b/contrib/iodine.fc
> @@ -0,0 +1 @@
> +/usr/sbin/iodine.* -- gen_context(system_u:object_r:iodine_exec_t,s0)
> diff --git a/contrib/iodine.if b/contrib/iodine.if
> new file mode 100644
> index 0000000..3eb6a30
> --- /dev/null
> +++ b/contrib/iodine.if
> @@ -0,0 +1 @@
> +## <summary></summary>
> diff --git a/contrib/iodine.te b/contrib/iodine.te
> new file mode 100644
> index 0000000..96a7de7
> --- /dev/null
> +++ b/contrib/iodine.te
> @@ -0,0 +1,26 @@
> +policy_module(iodine,1.0.0)
> +
> +# policy for the iodine IP over DNS tunneling daemon

the above description should be in the iodine.if between the
<summary></summary> tags

> +type iodine_t;
> +type iodine_exec_t;
> +files_type(iodine_exec_t)

The above line is redundant. it is already included with the line below

> +init_daemon_domain(iodine_t, iodine_exec_t)
> +

The first rules should be the rules where the target is self, starting
with rules where the object class is capability, then process (if
there are any)

Then use alfa-numeric sorting of "self" rules

below that go rules where the target types are local to the module if
any.

Then the calls to external interface. starting with calls to kernel
layer, kernel interfaces, again

then other kernel layer interfaces in alfa numeric order

then calls to external interfaces in other layers in the following order

so after kernel layer interface calls:

system layer

others

then ifdefs, tunable then optional policy in that order

see:
http://oss.tresys.com/projects/refpolicy/wiki/StyleGuide

You might think why all these style rules? well consistency make policy
writing and maintaining much earier and intuitive. if done correctly
things start to make sense and one can get far by just following
intuition.

If you peruse the existing refpolicy and look for patterns youll see
that everything has a place and reason. if you look long enough things
start to make more sense.

> +logging_send_syslog_msg(iodine_t)

> +kernel_search_network_sysctl(iodine_t)
> +kernel_read_network_state(iodine_t)
> +kernel_request_load_module(iodine_t)
> +kernel_read_system_state(iodine_t)
> +files_read_etc_files(iodine_t)
> +corecmd_exec_shell(iodine_t)
> +allow iodine_t self:capability { setgid setuid net_bind_service net_admin net_raw sys_chroot };
> +sysnet_domtrans_ifconfig(iodine_t)
> +
> +allow iodine_t self:rawip_socket { write read create };
> +allow iodine_t self:unix_dgram_socket { create connect };
> +corenet_raw_receive_generic_node(iodine_t)
> +corenet_rw_tun_tap_dev(iodine_t)
> +corenet_udp_bind_dns_port(iodine_t)
> +corenet_udp_bind_generic_node(iodine_t)
> +allow iodine_t self:udp_socket connected_socket_perms;
> +allow iodine_t self:tun_socket create;

2012-09-04 22:15:24

by dominick.grift

Subject: [refpolicy] [PATCH 6/9] Include policy for the iodine IP over DNS tunnel daemon


oh and forgot one thing that caught my eye on short notice:

On Wed, 2012-09-05 at 00:03 +0200, Dominick Grift wrote:
> Just a quick review. comments in-line:
>
> On Tue, 2012-09-04 at 23:37 +0200, Laurent Bigonville wrote:
> > From: Russell Coker <[email protected]>
> >
> > ---
> > contrib/iodine.fc | 1 +
> > contrib/iodine.if | 1 +
> > contrib/iodine.te | 26 ++++++++++++++++++++++++++
> > 3 files changed, 28 insertions(+)
> > create mode 100644 contrib/iodine.fc
> > create mode 100644 contrib/iodine.if
> > create mode 100644 contrib/iodine.te
> >
> > diff --git a/contrib/iodine.fc b/contrib/iodine.fc
> > new file mode 100644
> > index 0000000..4e144ea
> > --- /dev/null
> > +++ b/contrib/iodine.fc
> > @@ -0,0 +1 @@
> > +/usr/sbin/iodine.* -- gen_context(system_u:object_r:iodine_exec_t,s0)
> > diff --git a/contrib/iodine.if b/contrib/iodine.if
> > new file mode 100644
> > index 0000000..3eb6a30
> > --- /dev/null
> > +++ b/contrib/iodine.if
> > @@ -0,0 +1 @@
> > +## <summary></summary>
> > diff --git a/contrib/iodine.te b/contrib/iodine.te
> > new file mode 100644
> > index 0000000..96a7de7
> > --- /dev/null
> > +++ b/contrib/iodine.te
> > @@ -0,0 +1,26 @@
> > +policy_module(iodine,1.0.0)
> > +
> > +# policy for the iodine IP over DNS tunneling daemon
>
> the above description should be in the iodine.if between the
> <summary></summary> tags
>
> > +type iodine_t;
> > +type iodine_exec_t;
> > +files_type(iodine_exec_t)
>
> The above line is redundant. it is already included with the line below
>
> > +init_daemon_domain(iodine_t, iodine_exec_t)
> > +
>
> The first rules should be the rules wher the target is self, starting
> with and rules where the object class is capability then process (if
> theres any)
>
> Then use alfa-numeric sorting of "self" rules
>
> below that go rules where the target types are local to the module if
> any.
>
> Then the calls to external interface. starting with calls to kernel
> layer, kernel interfaces, again
>
> then other kernel layer interfaces in alfa numeric order
>
> then calls to external interfaces in other layers in the following order
>
> so after kernel layer interface calls:
>
> system layer
>
> others
>
> then ifdefs, tunable then optional policy in that order
>
> see:
> http://oss.tresys.com/projects/refpolicy/wiki/StyleGuide
>
> You might think why all these style rules? well consistency make policy
> writing and maintaining much earier and intuitive. if done correctly
> things start to make sense and one can get far by just following
> intuition.
>
> If you peruse the existing refpolicy and look for patterns youll see
> that everything has a place and reason. if you look long enough things
> start to make more sense.
>
> > +logging_send_syslog_msg(iodine_t)
>
> > +kernel_search_network_sysctl(iodine_t)
> > +kernel_read_network_state(iodine_t)
> > +kernel_request_load_module(iodine_t)
> > +kernel_read_system_state(iodine_t)
> > +files_read_etc_files(iodine_t)
> > +corecmd_exec_shell(iodine_t)
> > +allow iodine_t self:capability { setgid setuid net_bind_service net_admin net_raw sys_chroot };
> > +sysnet_domtrans_ifconfig(iodine_t)
> > +
> > +allow iodine_t self:rawip_socket { write read create };
> > +allow iodine_t self:unix_dgram_socket { create connect };

The line above is redundant, I believe; logging_send_syslog_msg() already
provides this.


> > +corenet_raw_receive_generic_node(iodine_t)
> > +corenet_rw_tun_tap_dev(iodine_t)
> > +corenet_udp_bind_dns_port(iodine_t)
> > +corenet_udp_bind_generic_node(iodine_t)
> > +allow iodine_t self:udp_socket connected_socket_perms;
> > +allow iodine_t self:tun_socket create;
>
>

2012-09-05 17:49:35

by cpebenito

Subject: [refpolicy] [PATCH 1/9] Mark use of deprecated interfaces that are not providing replacement as errors

On 09/04/12 17:37, Laurent Bigonville wrote:
> From: Laurent Bigonville <[email protected]>
>
> ---
> bind.if | 2 +-
> bluetooth.if | 4 ++--
> cups.if | 2 +-
> dictd.if | 2 +-
> finger.if | 2 +-
> ftp.if | 2 +-
> i18n_input.if | 2 +-
> inetd.if | 4 ++--
> jabber.if | 2 +-
> ldap.if | 2 +-
> mta.if | 2 +-
> nessus.if | 2 +-
> nis.if | 4 ++--
> nsd.if | 4 ++--
> perdition.if | 2 +-
> portmap.if | 6 +++---
> radius.if | 2 +-
> rpc.if | 4 ++--
> snmp.if | 4 ++--
> soundserver.if | 2 +-
> squid.if | 2 +-
> 21 files changed, 29 insertions(+), 29 deletions(-)

I can see why you'd want to do this as a distribution, but for upstream, I'd prefer to keep it a warning. I'd be open to a patch that created a build option that would turn warnings into errors, like -Werror for gcc.

> diff --git a/bind.if b/bind.if
> index 44a1e3d..b5e0ea5 100644
> --- a/bind.if
> +++ b/bind.if
> @@ -336,7 +336,7 @@ interface(`bind_manage_zone',`
> ## </param>
> #
> interface(`bind_udp_chat_named',`
> - refpolicywarn(`$0($*) has been deprecated.')
> + refpolicyerr(`$0($*) has been deprecated.')
> ')
>
> ########################################
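Review bot: The text handed to refpolicyerr on the changed line of `bind_udp_chat_named` is the old warning text unchanged, so a build that now stops here is told only that the interface is deprecated, not that there is nothing to migrate to, which is the very property the commit title uses to pick these interfaces. An error halts the build instead of being scrolled past, so the message should carry that fact, e.g. ``refpolicyerr(`$0($*) has been deprecated and has no replacement.')``. The same applies to every other hunk in this patch, bluetooth.if through squid.if.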
> diff --git a/bluetooth.if b/bluetooth.if
> index 3e45431..f232b3b 100644
> --- a/bluetooth.if
> +++ b/bluetooth.if
> @@ -126,7 +126,7 @@ interface(`bluetooth_dbus_chat',`
> ## </param>
> #
> interface(`bluetooth_domtrans_helper',`
> - refpolicywarn(`$0($*) has been deprecated.')
> + refpolicyerr(`$0($*) has been deprecated.')
> ')
>
> ########################################
> @@ -152,7 +152,7 @@ interface(`bluetooth_domtrans_helper',`
> ## <rolecap/>
> #
> interface(`bluetooth_run_helper',`
> - refpolicywarn(`$0($*) has been deprecated.')
> + refpolicyerr(`$0($*) has been deprecated.')
> ')
>
> ########################################
> diff --git a/cups.if b/cups.if
> index 305ddf4..56cb53f 100644
> --- a/cups.if
> +++ b/cups.if
> @@ -75,7 +75,7 @@ interface(`cups_stream_connect',`
> ## </param>
> #
> interface(`cups_tcp_connect',`
> - refpolicywarn(`$0($*) has been deprecated.')
> + refpolicyerr(`$0($*) has been deprecated.')
> ')
>
> ########################################
> diff --git a/dictd.if b/dictd.if
> index a0d23ce..7650335 100644
> --- a/dictd.if
> +++ b/dictd.if
> @@ -12,7 +12,7 @@
> ## </param>
> #
> interface(`dictd_tcp_connect',`
> - refpolicywarn(`$0($*) has been deprecated.')
> + refpolicyerr(`$0($*) has been deprecated.')
> ')
>
> ########################################
> diff --git a/finger.if b/finger.if
> index b5dd671..9bbb169 100644
> --- a/finger.if
> +++ b/finger.if
> @@ -29,5 +29,5 @@ interface(`finger_domtrans',`
> ## </param>
> #
> interface(`finger_tcp_connect',`
> - refpolicywarn(`$0($*) has been deprecated.')
> + refpolicyerr(`$0($*) has been deprecated.')
> ')
> diff --git a/ftp.if b/ftp.if
> index 9d3201b..3d29482 100644
> --- a/ftp.if
> +++ b/ftp.if
> @@ -29,7 +29,7 @@ interface(`ftp_dyntrans_anon_sftpd',`
> ## </param>
> #
> interface(`ftp_tcp_connect',`
> - refpolicywarn(`$0($*) has been deprecated.')
> + refpolicyerr(`$0($*) has been deprecated.')
> ')
>
> ########################################
> diff --git a/i18n_input.if b/i18n_input.if
> index bc7de4f..bd85f3b 100644
> --- a/i18n_input.if
> +++ b/i18n_input.if
> @@ -11,5 +11,5 @@
> ## </param>
> #
> interface(`i18n_use',`
> - refpolicywarn(`$0($*) has been deprecated.')
> + refpolicyerr(`$0($*) has been deprecated.')
> ')
> diff --git a/inetd.if b/inetd.if
> index df48e5e..75a7539 100644
> --- a/inetd.if
> +++ b/inetd.if
> @@ -150,7 +150,7 @@ interface(`inetd_use_fds',`
> ## </param>
> #
> interface(`inetd_tcp_connect',`
> - refpolicywarn(`$0($*) has been deprecated.')
> + refpolicyerr(`$0($*) has been deprecated.')
> ')
>
> ########################################
> @@ -183,7 +183,7 @@ interface(`inetd_domtrans_child',`
> ## </param>
> #
> interface(`inetd_udp_send',`
> - refpolicywarn(`$0($*) has been deprecated.')
> + refpolicyerr(`$0($*) has been deprecated.')
> ')
>
> ########################################
> diff --git a/jabber.if b/jabber.if
> index 9878499..00f78ed 100644
> --- a/jabber.if
> +++ b/jabber.if
> @@ -11,7 +11,7 @@
> ## </param>
> #
> interface(`jabber_tcp_connect',`
> - refpolicywarn(`$0($*) has been deprecated.')
> + refpolicyerr(`$0($*) has been deprecated.')
> ')
>
> ########################################
> diff --git a/ldap.if b/ldap.if
> index d6b7b2d..5585d7d 100644
> --- a/ldap.if
> +++ b/ldap.if
> @@ -50,7 +50,7 @@ interface(`ldap_read_config',`
> ## </param>
> #
> interface(`ldap_use',`
> - refpolicywarn(`$0($*) has been deprecated.')
> + refpolicyerr(`$0($*) has been deprecated.')
> ')
>
> ########################################
> diff --git a/mta.if b/mta.if
> index 4e2a5ba..f5b7fcd 100644
> --- a/mta.if
> +++ b/mta.if
> @@ -587,7 +587,7 @@ interface(`mta_dontaudit_rw_delivery_tcp_sockets',`
> ## </param>
> #
> interface(`mta_tcp_connect_all_mailservers',`
> - refpolicywarn(`$0($*) has been deprecated.')
> + refpolicyerr(`$0($*) has been deprecated.')
> ')
>
> #######################################
> diff --git a/nessus.if b/nessus.if
> index 6ec8003..edc4d91 100644
> --- a/nessus.if
> +++ b/nessus.if
> @@ -11,5 +11,5 @@
> ## </param>
> #
> interface(`nessus_tcp_connect',`
> - refpolicywarn(`$0($*) has been deprecated.')
> + refpolicyerr(`$0($*) has been deprecated.')
> ')
> diff --git a/nis.if b/nis.if
> index abe3f7f..1430352 100644
> --- a/nis.if
> +++ b/nis.if
> @@ -205,7 +205,7 @@ interface(`nis_list_var_yp',`
> ## </param>
> #
> interface(`nis_udp_send_ypbind',`
> - refpolicywarn(`$0($*) has been deprecated.')
> + refpolicyerr(`$0($*) has been deprecated.')
> ')
>
> ########################################
> @@ -219,7 +219,7 @@ interface(`nis_udp_send_ypbind',`
> ## </param>
> #
> interface(`nis_tcp_connect_ypbind',`
> - refpolicywarn(`$0($*) has been deprecated.')
> + refpolicyerr(`$0($*) has been deprecated.')
> ')
>
> ########################################
> diff --git a/nsd.if b/nsd.if
> index a1371d5..5142540 100644
> --- a/nsd.if
> +++ b/nsd.if
> @@ -11,7 +11,7 @@
> ## </param>
> #
> interface(`nsd_udp_chat',`
> - refpolicywarn(`$0($*) has been deprecated.')
> + refpolicyerr(`$0($*) has been deprecated.')
> ')
>
> ########################################
> @@ -25,5 +25,5 @@ interface(`nsd_udp_chat',`
> ## </param>
> #
> interface(`nsd_tcp_connect',`
> - refpolicywarn(`$0($*) has been deprecated.')
> + refpolicyerr(`$0($*) has been deprecated.')
> ')
> diff --git a/perdition.if b/perdition.if
> index 2b0bd64..8919276 100644
> --- a/perdition.if
> +++ b/perdition.if
> @@ -11,5 +11,5 @@
> ## </param>
> #
> interface(`perdition_tcp_connect',`
> - refpolicywarn(`$0($*) has been deprecated.')
> + refpolicyerr(`$0($*) has been deprecated.')
> ')
> diff --git a/portmap.if b/portmap.if
> index 374afcf..f0484c3 100644
> --- a/portmap.if
> +++ b/portmap.if
> @@ -57,7 +57,7 @@ interface(`portmap_run_helper',`
> ## </param>
> #
> interface(`portmap_udp_send',`
> - refpolicywarn(`$0($*) has been deprecated.')
> + refpolicyerr(`$0($*) has been deprecated.')
> ')
>
> ########################################
> @@ -71,7 +71,7 @@ interface(`portmap_udp_send',`
> ## </param>
> #
> interface(`portmap_udp_chat',`
> - refpolicywarn(`$0($*) has been deprecated.')
> + refpolicyerr(`$0($*) has been deprecated.')
> ')
>
> ########################################
> @@ -85,5 +85,5 @@ interface(`portmap_udp_chat',`
> ## </param>
> #
> interface(`portmap_tcp_connect',`
> - refpolicywarn(`$0($*) has been deprecated.')
> + refpolicyerr(`$0($*) has been deprecated.')
> ')
> diff --git a/radius.if b/radius.if
> index 75e5dc4..9b35194 100644
> --- a/radius.if
> +++ b/radius.if
> @@ -11,7 +11,7 @@
> ## </param>
> #
> interface(`radius_use',`
> - refpolicywarn(`$0($*) has been deprecated.')
> + refpolicyerr(`$0($*) has been deprecated.')
> ')
>
> ########################################
> diff --git a/rpc.if b/rpc.if
> index dddabcf..a8a31b7 100644
> --- a/rpc.if
> +++ b/rpc.if
> @@ -133,7 +133,7 @@ template(`rpc_domain_template', `
> ## </param>
> #
> interface(`rpc_udp_send',`
> - refpolicywarn(`$0($*) has been deprecated.')
> + refpolicyerr(`$0($*) has been deprecated.')
> ')
>
> ########################################
> @@ -374,7 +374,7 @@ interface(`rpc_udp_rw_nfs_sockets',`
> ## </param>
> #
> interface(`rpc_udp_send_nfs',`
> - refpolicywarn(`$0($*) has been deprecated.')
> + refpolicyerr(`$0($*) has been deprecated.')
> ')
>
> ########################################
> diff --git a/snmp.if b/snmp.if
> index 275f9fb..f143171 100644
> --- a/snmp.if
> +++ b/snmp.if
> @@ -30,7 +30,7 @@ interface(`snmp_stream_connect',`
> ## </param>
> #
> interface(`snmp_tcp_connect',`
> - refpolicywarn(`$0($*) has been deprecated.')
> + refpolicyerr(`$0($*) has been deprecated.')
> ')
>
> ########################################
> @@ -44,7 +44,7 @@ interface(`snmp_tcp_connect',`
> ## </param>
> #
> interface(`snmp_udp_chat',`
> - refpolicywarn(`$0($*) has been deprecated.')
> + refpolicyerr(`$0($*) has been deprecated.')
> ')
>
> ########################################
> diff --git a/soundserver.if b/soundserver.if
> index 93fe7bf..d27ebc5 100644
> --- a/soundserver.if
> +++ b/soundserver.if
> @@ -11,7 +11,7 @@
> ## </param>
> #
> interface(`soundserver_tcp_connect',`
> - refpolicywarn(`$0($*) has been deprecated.')
> + refpolicyerr(`$0($*) has been deprecated.')
> ')
>
> ########################################
> diff --git a/squid.if b/squid.if
> index d2496bd..de25872 100644
> --- a/squid.if
> +++ b/squid.if
> @@ -184,7 +184,7 @@ interface(`squid_manage_logs',`
> ## </param>
> #
> interface(`squid_use',`
> - refpolicywarn(`$0($*) has been deprecated.')
> + refpolicyerr(`$0($*) has been deprecated.')
> ')
>
> ########################################
>


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2012-09-07 12:52:42

by cpebenito

Subject: [refpolicy] [PATCH 3/9] Policykit debian fixes

On 09/04/12 17:37, Laurent Bigonville wrote:
> From: Mika Pfl??ger <[email protected]>
>
> ---
> policykit.fc | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/policykit.fc b/policykit.fc
> index 63d0061..6bbd28c 100644
> --- a/policykit.fc
> +++ b/policykit.fc
> @@ -4,6 +4,8 @@
> /usr/lib/policykit/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
> /usr/lib/policykit-1/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
>
> +/usr/lib/policykit-1/polkitd -- gen_context(system_u:object_r:policykit_exec_t,s0)
> +
> /usr/libexec/polkit-read-auth-helper -- gen_context(system_u:object_r:policykit_auth_exec_t,s0)
> /usr/libexec/polkit-grant-helper.* -- gen_context(system_u:object_r:policykit_grant_exec_t,s0)
> /usr/libexec/polkit-resolve-exe-helper.* -- gen_context(system_u:object_r:policykit_resolve_exec_t,s0)

Looks like a duplicate to me.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2012-09-07 12:54:12

by cpebenito

Subject: [refpolicy] [PATCH 2/9] Allow saslauthd_t to talk to mysqld via TCP

On 09/04/12 17:37, Laurent Bigonville wrote:
> From: Mika Pfl??ger <[email protected]>
>
> ---
> sasl.te | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/sasl.te b/sasl.te
> index 9d9f8ce..a066d33 100644
> --- a/sasl.te
> +++ b/sasl.te
> @@ -99,6 +99,7 @@ optional_policy(`
> optional_policy(`
> mysql_search_db(saslauthd_t)
> mysql_stream_connect(saslauthd_t)
> + mysql_tcp_connect(saslauthd_t)
> ')
>
> optional_policy(`
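Review bot: `mysql_tcp_connect(saslauthd_t)` is granted unconditionally inside the mysql optional_policy block, so every saslauthd deployment gains TCP access to the mysqld port, including the common case where the unix-socket access granted on the preceding line is all that is used. Some refpolicy modules keep network database access behind a boolean so that it stays opt-in; wrapping this one call in a `tunable_policy` block keyed on a boolean declared for saslauthd would keep that shape. The optional_policy block is complete within the hunk, but the surrounding sasl.te rules are not visible.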
>

Merged.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2012-09-07 12:58:50

by cpebenito

Subject: [refpolicy] [PATCH 4/9] Quota policy adjustments: * Allow quota_t to load kernel modules

On 09/04/12 17:37, Laurent Bigonville wrote:
> From: Mika Pfl??ger <[email protected]>
>
> ---
> quota.te | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/quota.te b/quota.te
> index 5dd42f5..5ec1cf3 100644
> --- a/quota.te
> +++ b/quota.te
> @@ -20,6 +20,7 @@ files_type(quota_flag_t)
> # Local policy
> #
>
> +kernel_request_load_module(quota_t)
> allow quota_t self:capability { sys_admin dac_override };
> dontaudit quota_t self:capability sys_tty_config;
> allow quota_t self:process signal_perms;
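Review bot: The added `kernel_request_load_module(quota_t)` carries no comment saying which operation of the quota tools triggers a module-load request, so a later reader cannot tell whether the rule is still needed or which module it is expected to pull in. A one-line `#` comment above it naming the trigger (presumably a quotactl call that autoloads a quota-format module, to be confirmed by the author) would record the rationale next to the rule. The rest of the quota_t local policy starts and ends outside the hunk.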

Merged. Moved the line to the appropriate place.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2012-09-07 13:07:54

by cpebenito

Subject: [refpolicy] [PATCH 5/9] Label /usr/lib/udisks/udisks-helper-* with bin_t

On 09/04/12 17:37, Laurent Bigonville wrote:
> From: Laurent Bigonville <[email protected]>
>
> ---
> devicekit.fc | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/devicekit.fc b/devicekit.fc
> index 9af85c8..ae2d805 100644
> --- a/devicekit.fc
> +++ b/devicekit.fc
> @@ -1,4 +1,5 @@
> /usr/lib/udisks/udisks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
> +/usr/lib/udisks/udisks-helper-.* -- gen_context(system_u:object_r:bin_t,s0)
>
> /usr/libexec/devkit-daemon -- gen_context(system_u:object_r:devicekit_exec_t,s0)
> /usr/libexec/devkit-disks-daemon -- gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
>

This belongs in corecommands, if bin_t is appropriate.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2012-09-07 13:12:08

by cpebenito

Subject: [refpolicy] [PATCH 7/9] Added new "lda" module for email local delivery agents such as maildrop and procmail

On 09/04/12 17:37, Laurent Bigonville wrote:
> From: Russell Coker <[email protected]>

I'm not averse to something like this, but it would need some more work, since there is already a procmail policy. That policy would need to be removed and compatibility would have to be preserved.

> ---
> courier.if | 19 +++++++
> lda.fc | 9 ++++
> lda.if | 41 +++++++++++++++
> lda.te | 162 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> postfix.te | 6 ++-
> 5 files changed, 236 insertions(+), 1 deletion(-)
> create mode 100644 lda.fc
> create mode 100644 lda.if
> create mode 100644 lda.te
>
> diff --git a/courier.if b/courier.if
> index 9971337..be99138 100644
> --- a/courier.if
> +++ b/courier.if
> @@ -106,6 +106,25 @@ interface(`courier_domtrans_authdaemon',`
>
> ########################################
> ## <summary>
> +## Act as a client for the courier authdaemon
> +## </summary>
> +## <param name="prefix">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`courier_authdaemon_client',`
> + gen_require(`
> + type courier_authdaemon_t, courier_etc_t, courier_var_run_t;
> + ')
> + allow $1 courier_authdaemon_t:unix_stream_socket connectto;
> + allow $1 courier_etc_t:dir search;
> + allow $1 courier_var_run_t:sock_file write;
> +')
> +
> +########################################
> +## <summary>
> ## Execute the courier POP3 and IMAP server with
> ## a domain transition.
> ## </summary>
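Review bot: The `<param name="prefix">` tag on the new `courier_authdaemon_client` interface does not describe what the interface takes: `$1` is used as the source domain in all three allow rules, and the interfaces added to lda.if in this same patch name that parameter `domain`. Renaming it to `<param name="domain">` keeps the generated interface documentation in step with the code. A blank line after the `gen_require` block would also match the layout of the surrounding interfaces. The interface is complete within the hunk.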
> diff --git a/lda.fc b/lda.fc
> new file mode 100644
> index 0000000..f5745ae
> --- /dev/null
> +++ b/lda.fc
> @@ -0,0 +1,9 @@
> +
> +/usr/bin/procmail -- gen_context(system_u:object_r:lda_exec_t,s0)
> +/usr/bin/maildrop -- gen_context(system_u:object_r:lda_exec_t,s0)
> +/usr/sbin/deliverquota.maildrop -- gen_context(system_u:object_r:lda_exec_t,s0)
> +/usr/lib/dovecot/deliver -- gen_context(system_u:object_r:lda_exec_t,s0)
> +/usr/bin/mailbot -- gen_context(system_u:object_r:lda_exec_t,s0)
> +
> +/etc/courier/maildroprc -- gen_context(system_u:object_r:lda_etc_t,s0)
> +/var/log/maildrop.log -- gen_context(system_u:object_r:lda_log_t,s0)
> diff --git a/lda.if b/lda.if
> new file mode 100644
> index 0000000..ec97dc8
> --- /dev/null
> +++ b/lda.if
> @@ -0,0 +1,41 @@
> +## <summary>mail delivery agent</summary>
> +
> +########################################
> +## <summary>
> +## Execute lda with a domain transition.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`lda_domtrans',`
> + gen_require(`
> + type lda_exec_t, lda_t;
> + ')
> +
> + files_search_usr($1)
> + corecmd_search_bin($1)
> + domtrans_pattern($1,lda_exec_t,lda_t)
> +')
> +
> +########################################
> +## <summary>
> +## Execute lda in the caller domain.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`lda_exec',`
> + gen_require(`
> + type lda_exec_t;
> + ')
> +
> + files_search_usr($1)
> + corecmd_search_bin($1)
> + can_exec($1,lda_exec_t)
> +')
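Review bot: `domtrans_pattern($1,lda_exec_t,lda_t)` in `lda_domtrans` and `can_exec($1,lda_exec_t)` in `lda_exec` omit the space after each comma, while lda.te in the same patch mixes both spellings (`files_tmp_filetrans(lda_t, lda_tmp_t, file)` beside `manage_files_pattern(lda_t,lda_log_t,lda_log_t)`); `domtrans_pattern($1, lda_exec_t, lda_t)` and `can_exec($1, lda_exec_t)` would read consistently with the spaced form. Both interfaces are complete within the hunk.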
> diff --git a/lda.te b/lda.te
> new file mode 100644
> index 0000000..d9bc95d
> --- /dev/null
> +++ b/lda.te
> @@ -0,0 +1,162 @@
> +
> +policy_module(lda, 1.9.0)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +type lda_t;
> +typealias lda_t alias procmail_t;
> +type lda_exec_t;
> +typealias lda_exec_t alias procmail_exec_t;
> +application_domain(lda_t,lda_exec_t)
> +role system_r types lda_t;
> +
> +type lda_tmp_t;
> +typealias lda_tmp_t alias procmail_tmp_t;
> +files_tmp_file(lda_tmp_t)
> +
> +type lda_etc_t;
> +files_config_file(lda_etc_t)
> +
> +type lda_log_t;
> +logging_log_file(lda_log_t)
> +manage_files_pattern(lda_t,lda_log_t,lda_log_t)
> +logging_log_filetrans(lda_t,lda_log_t,file)
> +
> +
> +########################################
> +#
> +# Local policy
> +#
> +
> +allow lda_t self:capability { sys_nice chown setuid setgid dac_override };
> +allow lda_t self:process { setsched signal signull };
> +allow lda_t self:fifo_file rw_fifo_file_perms;
> +allow lda_t self:unix_stream_socket create_socket_perms;
> +allow lda_t self:unix_dgram_socket create_socket_perms;
> +allow lda_t self:tcp_socket create_stream_socket_perms;
> +allow lda_t self:udp_socket create_socket_perms;
> +read_files_pattern(lda_t,lda_etc_t,lda_etc_t)
> +read_lnk_files_pattern(lda_t,lda_etc_t,lda_etc_t)
> +
> +can_exec(lda_t,lda_exec_t)
> +
> +allow lda_t lda_tmp_t:file manage_file_perms;
> +files_tmp_filetrans(lda_t, lda_tmp_t, file)
> +
> +kernel_read_system_state(lda_t)
> +kernel_read_kernel_sysctls(lda_t)
> +
> +corenet_all_recvfrom_unlabeled(lda_t)
> +corenet_all_recvfrom_netlabel(lda_t)
> +corenet_tcp_sendrecv_all_if(lda_t)
> +corenet_udp_sendrecv_all_if(lda_t)
> +corenet_tcp_sendrecv_all_nodes(lda_t)
> +corenet_udp_sendrecv_all_nodes(lda_t)
> +corenet_tcp_sendrecv_all_ports(lda_t)
> +corenet_udp_sendrecv_all_ports(lda_t)
> +corenet_udp_bind_all_nodes(lda_t)
> +corenet_tcp_connect_spamd_port(lda_t)
> +corenet_sendrecv_spamd_client_packets(lda_t)
> +corenet_sendrecv_comsat_client_packets(lda_t)
> +
> +dev_read_urand(lda_t)
> +
> +fs_getattr_xattr_fs(lda_t)
> +fs_search_auto_mountpoints(lda_t)
> +fs_rw_anon_inodefs_files(lda_t)
> +
> +auth_use_nsswitch(lda_t)
> +
> +corecmd_exec_bin(lda_t)
> +corecmd_exec_shell(lda_t)
> +
> +files_read_etc_files(lda_t)
> +files_read_etc_runtime_files(lda_t)
> +files_search_pids(lda_t)
> +# for spamassasin
> +files_read_usr_files(lda_t)
> +
> +libs_use_ld_so(lda_t)
> +libs_use_shared_libs(lda_t)
> +
> +logging_send_syslog_msg(lda_t)
> +
> +miscfiles_read_localization(lda_t)
> +
> +# only works until we define a different type for maildir
> +userdom_manage_user_home_content_dirs(lda_t)
> +userdom_manage_user_home_content_files(lda_t)
> +userdom_user_home_dir_filetrans_user_home_content(lda_t, { dir file })
> +
> +optional_policy(`
> + gen_require(`
> + bool daemon_access_unconfined_home;
> + ')
> +# tunable_policy(`daemon_access_unconfined_home', `
> +# unconfined_write_home_content_files(lda_t)
> +# ')
> +')
> +
> +mta_manage_spool(lda_t)
> +
> +ifdef(`hide_broken_symptoms',`
> + mta_dontaudit_rw_queue(lda_t)
> +')
> +
> +tunable_policy(`use_nfs_home_dirs',`
> + fs_manage_nfs_dirs(lda_t)
> + fs_manage_nfs_files(lda_t)
> + fs_manage_nfs_symlinks(lda_t)
> +')
> +
> +tunable_policy(`use_samba_home_dirs',`
> + fs_manage_cifs_dirs(lda_t)
> + fs_manage_cifs_files(lda_t)
> + fs_manage_cifs_symlinks(lda_t)
> +')
> +
> +optional_policy(`
> + clamav_domtrans_clamscan(lda_t)
> + clamav_search_lib(lda_t)
> +')
> +
> +optional_policy(`
> + courier_authdaemon_client(lda_t)
> +')
> +
> +optional_policy(`
> + munin_dontaudit_search_lib(lda_t)
> +')
> +
> +optional_policy(`
> + # for a bug in the postfix local program
> + postfix_dontaudit_rw_local_tcp_sockets(lda_t)
> + postfix_dontaudit_use_fds(lda_t)
> + postfix_read_spool_files(lda_t)
> + postfix_read_local_state(lda_t)
> + postfix_read_master_state(lda_t)
> +')
> +
> +optional_policy(`
> + pyzor_domtrans(lda_t)
> +')
> +
> +optional_policy(`
> + mta_read_config(lda_t)
> + sendmail_domtrans(lda_t)
> + sendmail_rw_tcp_sockets(lda_t)
> + sendmail_rw_unix_stream_sockets(lda_t)
> +')
> +
> +optional_policy(`
> + corenet_udp_bind_generic_port(lda_t)
> + corenet_dontaudit_udp_bind_all_ports(lda_t)
> +
> + spamassassin_exec(lda_t)
> + spamassassin_exec_client(lda_t)
> + spamassassin_read_lib_files(lda_t)
> +')
> +
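Review bot: The optional_policy block that does ``gen_require(` bool daemon_access_unconfined_home; ')`` and then contains only a commented-out `tunable_policy` is dead policy: it requires a boolean the module never consults, and the optional_policy wrapper simply hides that nothing happens wherever the boolean is absent. Either restore the `tunable_policy` body or drop the whole block so the requirement list reflects what the module actually uses. Two smaller points in the same hunk: the comment `# for spamassasin` misspells spamassassin, and argument spacing is inconsistent between `manage_files_pattern(lda_t,lda_log_t,lda_log_t)` and `files_tmp_filetrans(lda_t, lda_tmp_t, file)`.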
> diff --git a/postfix.te b/postfix.te
> index f358c69..221a5d1 100644
> --- a/postfix.te
> +++ b/postfix.te
> @@ -319,7 +319,7 @@ optional_policy(`
> ')
>
> optional_policy(`
> - procmail_domtrans(postfix_local_t)
> + lda_domtrans(postfix_local_t)
> ')
>
> ########################################
> @@ -425,6 +425,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + lda_domtrans(postfix_pipe_t)
> +')
> +
> +optional_policy(`
> mailman_domtrans_queue(postfix_pipe_t)
> ')


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2012-09-07 13:12:16

by sven.vermeulen

Subject: [refpolicy] [PATCH 5/9] Label /usr/lib/udisks/udisks-helper-* with bin_t

In light of the contrib split, perhaps we might want to consider allowing
these generic types, which should be in everyone's base policy, to be used within the
modules?
On Sep 7, 2012 3:08 PM, "Christopher J. PeBenito" <[email protected]>
wrote:

> On 09/04/12 17:37, Laurent Bigonville wrote:
> > From: Laurent Bigonville <[email protected]>
> >
> > ---
> > devicekit.fc | 1 +
> > 1 file changed, 1 insertion(+)
> >
> > diff --git a/devicekit.fc b/devicekit.fc
> > index 9af85c8..ae2d805 100644
> > --- a/devicekit.fc
> > +++ b/devicekit.fc
> > @@ -1,4 +1,5 @@
> > /usr/lib/udisks/udisks-daemon --
> gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
> > +/usr/lib/udisks/udisks-helper-.* --
> gen_context(system_u:object_r:bin_t,s0)
> >
> > /usr/libexec/devkit-daemon --
> gen_context(system_u:object_r:devicekit_exec_t,s0)
> > /usr/libexec/devkit-disks-daemon --
> gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
> >
>
> This belongs in corecommands, if bin_t is appropriate.
>
> --
> Chris PeBenito
> Tresys Technology, LLC
> http://www.tresys.com | oss.tresys.com
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://oss.tresys.com/pipermail/refpolicy/attachments/20120907/f3a69036/attachment.html

2012-09-07 13:15:07

by cpebenito

Subject: [refpolicy] [PATCH 8/9] Fix djbdns ports

On 09/04/12 17:37, Laurent Bigonville wrote:
> From: Russell Coker <[email protected]>
>
> ---
> djbdns.if | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/djbdns.if b/djbdns.if
> index ade3079..d53902d 100644
> --- a/djbdns.if
> +++ b/djbdns.if
> @@ -45,7 +45,9 @@ template(`djbdns_daemontools_domain_template',`
> corenet_tcp_bind_generic_node(djbdns_$1_t)
> corenet_udp_bind_generic_node(djbdns_$1_t)
> corenet_tcp_bind_dns_port(djbdns_$1_t)
> + corenet_tcp_connect_dns_port(djbdns_$1_t)
> corenet_udp_bind_dns_port(djbdns_$1_t)
> + corenet_tcp_bind_generic_port(djbdns_$1_t)
> corenet_udp_bind_generic_port(djbdns_$1_t)
> corenet_sendrecv_dns_server_packets(djbdns_$1_t)
> corenet_sendrecv_generic_server_packets(djbdns_$1_t)
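Review bot: The two added calls sit inside `djbdns_daemontools_domain_template`, so every domain the template creates gains the ability to bind any generic TCP port and to connect out to the DNS port, not only the daemon that needs each rule. Nothing in the hunk or the commit title records which daemon requires which access; a `#` comment above each call naming the daemon and the operation (to be confirmed by the author) would let a later reader scope the rules down or move them into a per-daemon block. The template body starts and ends outside the hunk.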

Merged.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2012-09-07 13:23:59

by cpebenito

Subject: [refpolicy] [PATCH 9/9] Add dirmngr support

On 09/04/12 17:37, Laurent Bigonville wrote:
> From: Russell Coker <[email protected]>
>
> ---
> dirmngr.fc | 9 +++++++++
> dirmngr.if | 1 +
> dirmngr.te | 57 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> 3 files changed, 67 insertions(+)
> create mode 100644 dirmngr.fc
> create mode 100644 dirmngr.if
> create mode 100644 dirmngr.te
>
> diff --git a/dirmngr.fc b/dirmngr.fc
> new file mode 100644
> index 0000000..f4a88e0
> --- /dev/null
> +++ b/dirmngr.fc
> @@ -0,0 +1,9 @@
> +/etc/dirmngr(/.*)? gen_context(system_u:object_r:dirmngr_conf_t,s0)
> +
> +/usr/bin/dirmngr -- gen_context(system_u:object_r:dirmngr_exec_t,s0)
> +
> +# labelling for PID file that is created by init script
> +/var/run/dirmngr\.pid -- gen_context(system_u:object_r:initrc_var_run_t,s0)

Doesn't belong in this module.

> +/var/run/dirmngr(/.*)? gen_context(system_u:object_r:dirmngr_var_run_t,s0)
> +/var/log/dirmngr(/.*)? gen_context(system_u:object_r:dirmngr_log_t,s0)
> +/var/lib/dirmngr(/.*)? gen_context(system_u:object_r:dirmngr_data_t,s0)
> diff --git a/dirmngr.if b/dirmngr.if
> new file mode 100644
> index 0000000..3eb6a30
> --- /dev/null
> +++ b/dirmngr.if
> @@ -0,0 +1 @@
> +## <summary></summary>

Need a real summary.



--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2012-09-08 12:22:24

by Laurent Bigonville

Subject: [refpolicy] [PATCH v2 6/9] Include policy for the iodine IP over DNS tunnel daemon

From: Russell Coker <[email protected]>

---
iodine.fc | 1 +
iodine.if | 1 +
iodine.te | 29 +++++++++++++++++++++++++++++
3 files changed, 31 insertions(+)
create mode 100644 iodine.fc
create mode 100644 iodine.if
create mode 100644 iodine.te

diff --git a/iodine.fc b/iodine.fc
new file mode 100644
index 0000000..71c964d
--- /dev/null
+++ b/iodine.fc
@@ -0,0 +1 @@
+/usr/sbin/iodine.* -- gen_context(system_u:object_r:iodine_exec_t, s0)
diff --git a/iodine.if b/iodine.if
new file mode 100644
index 0000000..4bec253
--- /dev/null
+++ b/iodine.if
@@ -0,0 +1 @@
+## <summary>policy for the iodine IP over DNS tunneling daemon</summary>
diff --git a/iodine.te b/iodine.te
new file mode 100644
index 0000000..c383ad4
--- /dev/null
+++ b/iodine.te
@@ -0,0 +1,29 @@
+policy_module(iodine,1.0.0)
+
+type iodine_t;
+type iodine_exec_t;
+init_daemon_domain(iodine_t, iodine_exec_t)
+
+allow iodine_t self:capability { setgid setuid net_bind_service net_admin net_raw sys_chroot };
+allow iodine_t self:rawip_socket { write read create };
+allow iodine_t self:tun_socket create;
+allow iodine_t self:udp_socket connected_socket_perms;
+allow iodine_t self:unix_dgram_socket { create connect };
+
+kernel_read_network_state(iodine_t)
+kernel_read_system_state(iodine_t)
+kernel_request_load_module(iodine_t)
+kernel_search_network_sysctl(iodine_t)
+
+corenet_raw_receive_generic_node(iodine_t)
+corenet_rw_tun_tap_dev(iodine_t)
+corenet_udp_bind_dns_port(iodine_t)
+corenet_udp_bind_generic_node(iodine_t)
+
+corecmd_exec_shell(iodine_t)
+
+files_read_etc_files(iodine_t)
+
+logging_send_syslog_msg(iodine_t)
+
+sysnet_domtrans_ifconfig(iodine_t)
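Review bot: `corecmd_exec_shell(iodine_t)` together with `sysnet_domtrans_ifconfig(iodine_t)` lets the tunnel daemon run a shell from a domain that also holds `net_admin`, `net_raw` and `sys_chroot`, yet nothing in the hunk records why a shell is needed; a comment above that line such as `# presumably runs a helper script to configure the tun interface -- TODO confirm which script` would let reviewers judge whether the shell rule can be narrowed. `kernel_request_load_module(iodine_t)` is likewise unexplained; if it exists only to auto-load the tun driver on first use of the `tun_socket` and `corenet_rw_tun_tap_dev` rules above it, say so inline, otherwise it should be revisited. Stylistically the module omits the `# Declarations` / `# Local policy` section headers that dirmngr.te in the same series uses, and `policy_module(iodine,1.0.0)` lacks the space after the comma that `policy_module(dirmngr, 1.10.0)` has. The same hunk is quoted unchanged in the two follow-up replies further down this page.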
--
1.7.10.4

2012-09-08 14:12:18

by dominick.grift

Subject: [refpolicy] [PATCH v2 6/9] Include policy for the iodine IP over DNS tunnel daemon

Russell,

Some questions with regard to this policy module.

You labeled all of /usr/sbin/iodine.* type iodine_exec_t.

I have reviewed the debian init script for iodine package and it only
runs iodined and not the other iodine binaries in /usr/sbin

How come? Am i looking at the wrong init script or am i missing
something here?

Also that same init script mentions a pid file and it's not created by
the init script. Therefore I assume it gets created by iodined.

However the iodine policy module has no rules to allow iodine to create
a pid file.

In Fedora we also have iodine. The package is split into a server and a
client. Both server and client get started by init.

However, I suspect the client needs rules that are different from the
rules that the server needs.

Should there not, in that case, be a client domain as well as a server
domain?

I hope you can clarify the above


On Sat, 2012-09-08 at 14:22 +0200, Laurent Bigonville wrote:
> From: Russell Coker <[email protected]>
>
> ---
> iodine.fc | 1 +
> iodine.if | 1 +
> iodine.te | 29 +++++++++++++++++++++++++++++
> 3 files changed, 31 insertions(+)
> create mode 100644 iodine.fc
> create mode 100644 iodine.if
> create mode 100644 iodine.te
>
> diff --git a/iodine.fc b/iodine.fc
> new file mode 100644
> index 0000000..71c964d
> --- /dev/null
> +++ b/iodine.fc
> @@ -0,0 +1 @@
> +/usr/sbin/iodine.* -- gen_context(system_u:object_r:iodine_exec_t, s0)
> diff --git a/iodine.if b/iodine.if
> new file mode 100644
> index 0000000..4bec253
> --- /dev/null
> +++ b/iodine.if
> @@ -0,0 +1 @@
> +## <summary>policy for the iodine IP over DNS tunneling daemon</summary>
> diff --git a/iodine.te b/iodine.te
> new file mode 100644
> index 0000000..c383ad4
> --- /dev/null
> +++ b/iodine.te
> @@ -0,0 +1,29 @@
> +policy_module(iodine,1.0.0)
> +
> +type iodine_t;
> +type iodine_exec_t;
> +init_daemon_domain(iodine_t, iodine_exec_t)
> +
> +allow iodine_t self:capability { setgid setuid net_bind_service net_admin net_raw sys_chroot };
> +allow iodine_t self:rawip_socket { write read create };
> +allow iodine_t self:tun_socket create;
> +allow iodine_t self:udp_socket connected_socket_perms;
> +allow iodine_t self:unix_dgram_socket { create connect };
> +
> +kernel_read_network_state(iodine_t)
> +kernel_read_system_state(iodine_t)
> +kernel_request_load_module(iodine_t)
> +kernel_search_network_sysctl(iodine_t)
> +
> +corenet_raw_receive_generic_node(iodine_t)
> +corenet_rw_tun_tap_dev(iodine_t)
> +corenet_udp_bind_dns_port(iodine_t)
> +corenet_udp_bind_generic_node(iodine_t)
> +
> +corecmd_exec_shell(iodine_t)
> +
> +files_read_etc_files(iodine_t)
> +
> +logging_send_syslog_msg(iodine_t)
> +
> +sysnet_domtrans_ifconfig(iodine_t)

2012-09-09 12:06:27

by Guido Trentalancia

Subject: [refpolicy] [PATCH 5/9] Label /usr/lib/udisks/udisks-helper-* with bin_t

On 07/09/2012 15:12, Sven Vermeulen wrote:
> In light of the contrib split, perhaps we might want to consider
> allowing these generic types that should be on everyone's base policy
> within the modules?
>
> On Sep 7, 2012 3:08 PM, "Christopher J. PeBenito" <[email protected]
> <mailto:[email protected]>> wrote:
>
> On 09/04/12 17:37, Laurent Bigonville wrote:
> > From: Laurent Bigonville <bigon at bigon.be <mailto:[email protected]>>
> >
> > ---
> > devicekit.fc | 1 +
> > 1 file changed, 1 insertion(+)
> >
> > diff --git a/devicekit.fc b/devicekit.fc
> > index 9af85c8..ae2d805 100644
> > --- a/devicekit.fc
> > +++ b/devicekit.fc
> > @@ -1,4 +1,5 @@
> > /usr/lib/udisks/udisks-daemon --
> gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
> > +/usr/lib/udisks/udisks-helper-.* --
> gen_context(system_u:object_r:bin_t,s0)
> >
> > /usr/libexec/devkit-daemon --
> gen_context(system_u:object_r:devicekit_exec_t,s0)
> > /usr/libexec/devkit-disks-daemon --
> gen_context(system_u:object_r:devicekit_disk_exec_t,s0)
> >
>
> This belongs in corecommands, if bin_t is appropriate.

/usr/lib/udisks for udev version 1 (such as udisks-1.0.4) helpers is not
the standard location, as the standard location is /usr/libexec. So this
is a customization, which should eventually be enclosed in one or more
ifdef_distro blocks.

The standard location is the one produced by the raw execution of the
configure script (i.e. without options passed) or otherwise (where
autotools are not used) by an unedited Makefile (with the exception
perhaps of default Makefiles that install in /usr/local).

When the standard location is used, the udev1 helpers are labelled as bin_t.

Finally, udev version 2 is no longer going to have the helpers.

And, all types should stick in their appropriate place, as otherwise
they might sooner or later become unmanageable.

> --
> Chris PeBenito
> Tresys Technology, LLC
> http://www.tresys.com <http://www.tresys.com> | oss.tresys.com
> <http://oss.tresys.com>

Regards,

Guido

2012-10-09 12:28:44

by dominick.grift

Subject: [refpolicy] [PATCH v2 6/9] Include policy for the iodine IP over DNS tunnel daemon



On Sat, 2012-09-08 at 14:22 +0200, Laurent Bigonville wrote:
> From: Russell Coker <[email protected]>
>
> ---
> iodine.fc | 1 +
> iodine.if | 1 +
> iodine.te | 29 +++++++++++++++++++++++++++++
> 3 files changed, 31 insertions(+)
> create mode 100644 iodine.fc
> create mode 100644 iodine.if
> create mode 100644 iodine.te
>
> diff --git a/iodine.fc b/iodine.fc
> new file mode 100644
> index 0000000..71c964d
> --- /dev/null
> +++ b/iodine.fc
> @@ -0,0 +1 @@
> +/usr/sbin/iodine.* -- gen_context(system_u:object_r:iodine_exec_t, s0)
> diff --git a/iodine.if b/iodine.if
> new file mode 100644
> index 0000000..4bec253
> --- /dev/null
> +++ b/iodine.if
> @@ -0,0 +1 @@
> +## <summary>policy for the iodine IP over DNS tunneling daemon</summary>
> diff --git a/iodine.te b/iodine.te
> new file mode 100644
> index 0000000..c383ad4
> --- /dev/null
> +++ b/iodine.te
> @@ -0,0 +1,29 @@
> +policy_module(iodine,1.0.0)
> +
> +type iodine_t;
> +type iodine_exec_t;
> +init_daemon_domain(iodine_t, iodine_exec_t)
> +
> +allow iodine_t self:capability { setgid setuid net_bind_service net_admin net_raw sys_chroot };
> +allow iodine_t self:rawip_socket { write read create };
> +allow iodine_t self:tun_socket create;
> +allow iodine_t self:udp_socket connected_socket_perms;
> +allow iodine_t self:unix_dgram_socket { create connect };
> +
> +kernel_read_network_state(iodine_t)
> +kernel_read_system_state(iodine_t)
> +kernel_request_load_module(iodine_t)
> +kernel_search_network_sysctl(iodine_t)
> +
> +corenet_raw_receive_generic_node(iodine_t)
> +corenet_rw_tun_tap_dev(iodine_t)
> +corenet_udp_bind_dns_port(iodine_t)
> +corenet_udp_bind_generic_node(iodine_t)
> +
> +corecmd_exec_shell(iodine_t)
> +
> +files_read_etc_files(iodine_t)
> +
> +logging_send_syslog_msg(iodine_t)
> +
> +sysnet_domtrans_ifconfig(iodine_t)

Merged with changes, thanks

2012-10-09 12:53:55

by dominick.grift

Subject: [refpolicy] [PATCH 9/9] Add dirmngr support



On Tue, 2012-09-04 at 23:37 +0200, Laurent Bigonville wrote:
> From: Russell Coker <[email protected]>
>
> ---
> dirmngr.fc | 9 +++++++++
> dirmngr.if | 1 +
> dirmngr.te | 57 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> 3 files changed, 67 insertions(+)
> create mode 100644 dirmngr.fc
> create mode 100644 dirmngr.if
> create mode 100644 dirmngr.te
>
> diff --git a/dirmngr.fc b/dirmngr.fc
> new file mode 100644
> index 0000000..f4a88e0
> --- /dev/null
> +++ b/dirmngr.fc
> @@ -0,0 +1,9 @@
> +/etc/dirmngr(/.*)? gen_context(system_u:object_r:dirmngr_conf_t,s0)
> +
> +/usr/bin/dirmngr -- gen_context(system_u:object_r:dirmngr_exec_t,s0)
> +
> +# labelling for PID file that is created by init script
> +/var/run/dirmngr\.pid -- gen_context(system_u:object_r:initrc_var_run_t,s0)
> +/var/run/dirmngr(/.*)? gen_context(system_u:object_r:dirmngr_var_run_t,s0)
> +/var/log/dirmngr(/.*)? gen_context(system_u:object_r:dirmngr_log_t,s0)
> +/var/lib/dirmngr(/.*)? gen_context(system_u:object_r:dirmngr_data_t,s0)
> diff --git a/dirmngr.if b/dirmngr.if
> new file mode 100644
> index 0000000..3eb6a30
> --- /dev/null
> +++ b/dirmngr.if
> @@ -0,0 +1 @@
> +## <summary></summary>
> diff --git a/dirmngr.te b/dirmngr.te
> new file mode 100644
> index 0000000..f7f7df3
> --- /dev/null
> +++ b/dirmngr.te
> @@ -0,0 +1,57 @@
> +policy_module(dirmngr, 1.10.0)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +type dirmngr_t;
> +type dirmngr_exec_t;
> +init_daemon_domain(dirmngr_t, dirmngr_exec_t)
> +
> +# type for /var/cache/dirmngr
> +type dirmngr_data_t;
> +files_type(dirmngr_data_t)
> +
> +type dirmngr_conf_t;
> +files_type(dirmngr_conf_t)
> +
> +type dirmngr_initrc_exec_t;
> +init_script_file(dirmngr_initrc_exec_t)
> +
> +type dirmngr_log_t;
> +logging_log_file(dirmngr_log_t)
> +
> +type dirmngr_var_run_t;
> +files_pid_file(dirmngr_var_run_t)
> +
> +########################################
> +#
> +# Local policy
> +#
> +
> +allow dirmngr_t dirmngr_var_run_t:sock_file manage_file_perms;
> +allow dirmngr_t self:fifo_file rw_file_perms;
> +files_list_var_lib(dirmngr_t)
> +files_read_etc_files(dirmngr_t)
> +files_read_var_files(dirmngr_t)
> +kernel_read_crypto_sysctls(dirmngr_t)
> +logging_read_generic_logs(dirmngr_t)
> +miscfiles_read_localization(dirmngr_t)
> +
> +
> +# Grant permissions to create, access, and delete cache files.
> +manage_dirs_pattern(dirmngr_t, dirmngr_data_t, dirmngr_data_t)
> +manage_files_pattern(dirmngr_t, dirmngr_data_t, dirmngr_data_t)
> +manage_lnk_files_pattern(dirmngr_t, dirmngr_data_t, dirmngr_data_t)
> +
> +allow dirmngr_t dirmngr_conf_t:dir list_dir_perms;
> +read_files_pattern(dirmngr_t, dirmngr_conf_t, dirmngr_conf_t)
> +read_lnk_files_pattern(dirmngr_t, dirmngr_conf_t, dirmngr_conf_t)
> +
> +manage_dirs_pattern(dirmngr_t, dirmngr_log_t, dirmngr_log_t)
> +manage_files_pattern(dirmngr_t, dirmngr_log_t, dirmngr_log_t)
> +logging_log_filetrans(dirmngr_t, dirmngr_log_t, { file dir })
> +
> +manage_files_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t)
> +files_pid_filetrans(dirmngr_t, dirmngr_var_run_t, { file sock_file })
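Review bot: `type dirmngr_initrc_exec_t;` / `init_script_file(dirmngr_initrc_exec_t)` declares an init script type, but the dirmngr.fc hunk above labels nothing with it, so the type is dead and the init script will not receive that label; either add a matching init script context to dirmngr.fc or drop the two declaration lines. The comment `# type for /var/cache/dirmngr` contradicts the .fc entry, which puts `dirmngr_data_t` on `/var/lib/dirmngr(/.*)?`; one of the two should be corrected so the type's purpose is documented accurately. `allow dirmngr_t dirmngr_var_run_t:sock_file manage_file_perms;` applies a file permission set to a socket object; the conventional form is `manage_sock_files_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t)`, which also reads consistently with the `files_pid_filetrans(..., { file sock_file })` rule at the end. As a point of style the "Local policy" section is not ordered self rules first and then by module, as the rest of refpolicy does. The dirmngr.fc and dirmngr.if hunks of this same patch are quoted, with inline comments, at the top of this page.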


Merged with changes, thanks