2014-03-03 16:41:14

by lang

Subject: [refpolicy] Policy module for shibboleth authentication daemon

Hi

I designed a policy module for the shibboleth authentication daemon (see
http://shibboleth.internet2.edu/). Shibboleth is a single sign-on
service mainly used in academic environments. The service consists of an
apache module and a background daemon. The background daemon
communicates with the remote authentication server, whereas the apache
module only communicates locally with the authentication daemon via a unix
stream socket.

I attached the policy files to this mail and would like the module to be
included in the reference policy. I tested the rules on a Debian wheezy
machine.

I'm open to improvements and other comments.

Regards,

Martin

-------------- next part --------------
# file contexts: configuration, daemon binary, logs and run directory of shibd
/etc/shibboleth(/.*)?		gen_context(system_u:object_r:shibboleth_etc_t,s0)

/usr/sbin/shibd		--	gen_context(system_u:object_r:shibboleth_exec_t,s0)

/var/log/shibboleth(/.*)?	gen_context(system_u:object_r:shibboleth_log_t,s0)
/var/run/shibboleth(/.*)?	gen_context(system_u:object_r:shibboleth_var_run_t,s0)
-------------- next part --------------
## <summary>Shibboleth authentication daemon</summary>

########################################
## <summary>
##	Allow the specified domain to read
##	shibboleth configuration files under /etc/shibboleth.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
# an interface rather than a template: no per-caller types are created
interface(`shibboleth_read_config',`
	gen_require(`
		type shibboleth_etc_t;
	')

	# the caller must be able to search /etc itself to reach /etc/shibboleth
	files_search_etc($1)
	read_files_pattern($1, shibboleth_etc_t, shibboleth_etc_t)
')
-------------- next part --------------
policy_module(shibboleth, 2.0.0)

########################################
#
# Declarations
#

type shibboleth_t;
type shibboleth_exec_t;
init_daemon_domain(shibboleth_t, shibboleth_exec_t)

type shibboleth_etc_t;
files_config_file(shibboleth_etc_t)

type shibboleth_log_t;
logging_log_file(shibboleth_log_t)

type shibboleth_var_run_t;
files_pid_file(shibboleth_var_run_t)
init_daemon_run_dir(shibboleth_var_run_t, "shibboleth")

########################################
#
# Local policy
#

# general process permissions
allow shibboleth_t self:process { signal_perms };


# networking:
# shibboleth uses tcp sockets for connecting to central
# authentication server and unix stream sockets
# to exchange information with the apache module
allow shibboleth_t self:tcp_socket create_stream_socket_perms;
allow shibboleth_t self:unix_stream_socket create_stream_socket_perms;

sysnet_dns_name_resolve(shibboleth_t)
corenet_all_recvfrom_unlabeled(shibboleth_t)
corenet_all_recvfrom_netlabel(shibboleth_t)
corenet_tcp_sendrecv_generic_if(shibboleth_t)
corenet_tcp_sendrecv_generic_node(shibboleth_t)
corenet_tcp_sendrecv_all_ports(shibboleth_t)
corenet_tcp_connect_http_port(shibboleth_t)

# permissions for the configuration files
files_read_etc_files(shibboleth_t)
read_files_pattern(shibboleth_t, shibboleth_etc_t, shibboleth_etc_t)
read_lnk_files_pattern(shibboleth_t, shibboleth_etc_t, shibboleth_etc_t)
files_search_etc(shibboleth_t)
# there is shared information between apache and shibboleth, e.g., certificates
apache_read_config(shibboleth_t)

# logging related permissions
manage_files_pattern(shibboleth_t, shibboleth_log_t, shibboleth_log_t)
logging_log_filetrans(shibboleth_t, shibboleth_log_t, { file dir })
logging_send_syslog_msg(shibboleth_t)

# permissions for /run: the pid file and the unix socket the apache module connects to
manage_files_pattern(shibboleth_t, shibboleth_var_run_t, shibboleth_var_run_t)
manage_sock_files_pattern(shibboleth_t, shibboleth_var_run_t, shibboleth_var_run_t)


# read shared data under /usr/share and timezone/localization info
files_read_usr_files(shibboleth_t)
miscfiles_read_localization(shibboleth_t)

# entropy for the TLS connections to the authentication server
dev_read_urand(shibboleth_t)

# shibd may inherit a terminal when started by hand; do not audit that
term_dontaudit_search_ptys(shibboleth_t)
term_dontaudit_use_all_ptys(shibboleth_t)
term_dontaudit_use_all_ttys(shibboleth_t)
domain_dontaudit_use_interactive_fds(shibboleth_t)

# Allow the apache shibboleth module to connect to shibd
gen_require(`
type httpd_t;
')
stream_connect_pattern(httpd_t, shibboleth_var_run_t, shibboleth_var_run_t, shibboleth_t)

# Allow apache module to read shibboleth configuration
shibboleth_read_config(httpd_t)


2014-03-14 14:36:33

by cpebenito

Subject: [refpolicy] Policy module for shibboleth authentication daemon

On 03/03/2014 11:41 AM, Martin Lang wrote:
> I designed a policy module for the shibboleth authentication daemon (see
> http://shibboleth.internet2.edu/). Shibboleth is a single sign-on
> service mainly used in academic environments. The service consists of an
> apache module and a background daemon. The background daemon
> communicates with the remote authentication server, whereas the apache
> module only communicates locally with the authentication daemon via a unix
> stream socket.
>
> I attached the policy files to this mail and would like the module to be
> included in the reference policy. I tested the rules on a Debian wheezy
> machine.
>
> I'm open to improvements and other comments.

It looks like a good start. The big thing that prevents its inclusion is the httpd_t usage in the module:

> # Allow the apache shibboleth module to connect to shibd
> gen_require(`
> type httpd_t;
> ')
> stream_connect_pattern(httpd_t, shibboleth_var_run_t, shibboleth_var_run_t, shibboleth_t)
>
> # Allow apache module to read shibboleth configuration
> shibboleth_read_config(httpd_t)

This access would need to go into the apache module.

The organization would need to be adjusted too[1], but that is minor.

[1] http://oss.tresys.com/projects/refpolicy/wiki/StyleGuide

Finally, I'd prefer that you submit it via "git format-patch -n -s" and send via "git send-email". It's not required, but it makes it easier to commit.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
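How the httpd-side access would move out of shibboleth.te, as an added example following Chris's comment above; this is not code from the original attachment or from refpolicy itself. The shibboleth module exports a second interface next to shibboleth_read_config, and the apache module calls both inside optional_policy(), so shibboleth.te no longer needs a gen_require for httpd_t. The interface name shibboleth_stream_connect and the use of files_search_pids() so the caller can traverse /var/run are my choices and are assumed here, not taken from the thread.

```selinux
# --- shibboleth.if: add next to shibboleth_read_config (assumed location) ---
########################################
## <summary>
##	Connect to the shibd daemon over its unix stream
##	socket in /var/run/shibboleth.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`shibboleth_stream_connect',`
	gen_require(`
		type shibboleth_t, shibboleth_var_run_t;
	')

	# the caller must be able to search /var/run to reach the socket directory
	files_search_pids($1)
	# connect to sock_files of type shibboleth_var_run_t whose listener runs as shibboleth_t
	stream_connect_pattern($1, shibboleth_var_run_t, shibboleth_var_run_t, shibboleth_t)
')

# --- apache.te: replaces the gen_require/httpd_t block that was in shibboleth.te ---
optional_policy(`
	# apache's shibboleth module reads the shared configuration and talks to shibd locally
	shibboleth_read_config(httpd_t)
	shibboleth_stream_connect(httpd_t)
')
```

With this split the shibboleth module builds without the apache module present, and optional_policy() lets the apache module build when shibboleth is absent. After reloading both modules, an AVC denial for httpd_t on a shibboleth_var_run_t sock_file, or for connectto on shibboleth_t, would indicate that the apache module was built without the optional_policy block.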