From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Thu, 21 Aug 2008 09:09:08 -0400
Subject: [refpolicy] [REFPOLICY PATCH] Added policy module for the oident daemon.
In-Reply-To: <1218720525.28416.12.camel@sulphur.notebook.internal>
References: <1217077669.8496.2.camel@sulphur.notebook.internal> <1218632939.5144.10.camel@defiant.pebenito.net> <1218720525.28416.12.camel@sulphur.notebook.internal>
Message-ID: <1219324148.16398.59.camel@gorn.columbia.tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Thu, 2008-08-14 at 15:28 +0200, Dominick Grift wrote:
> On Wed, 2008-08-13 at 09:08 -0400, Chris PeBenito wrote:
> > On Sat, 2008-07-26 at 15:07 +0200, Dominick Grift wrote:
> > > Signed-off-by: Dominick Grift
> >
> > The patch looks line-wrapped. Also a couple comments inline.
>
> This modification adds CIFS, NIS, NFS support.

Do you really think that reading the ~/.oidentd.conf needs to be tunable? I was mainly concerned about oidentd reading user_home_t files, for example, since it exposes the whole user's home directory. A config file explicitly labeled for reading by oidentd should be ok.

The CIFS and NFS blocks should use the existing use_nfs_home_dirs and use_samba_home_dirs tunables.

The per-role template should create a $1_oidentd_home_t type, so role separation is preserved.

> diff --git a/man/man8/oidentd_selinux.8 b/man/man8/oidentd_selinux.8
> new file mode 100644
> index 0000000..a880437
> --- /dev/null
> +++ b/man/man8/oidentd_selinux.8
> @@ -0,0 +1,48 @@ > +.TH "oidentd_selinux" "8" "14 Aug 2008" "domg472 at gmail.com" "Oident deamon SELinux policy documentation" > +.de EX > +.nf > +.ft CW > +.. > +.de EE > +.ft R > +.fi > +.. > +.SH "NAME" > +oidentd_selinux \- Security-Enhanced Linux policy for Oident daemon. > +.SH "DESCRIPTION" > +.PP > +Security-Enhanced Linux provides security for Oident daemon via flexible mandatory access control. > +.SH FILE_CONTEXTS > +.PP > +SELinux requires files to have a files type. Users can use the chcon command to change certain files types. Policy governs the access that daemons have to files. > +.TP > +Allow Oident daemon to read ~/.oidentd.conf by adding the oidentd_home_t files type to the file and by restoring the files type. This also requires the allow_oidentd_read_oidentd_home_content boolean to be set. > +.PP > +.B > +chcon -t oidentd_home_t ~/.oidentd.conf > +.SH BOOLEANS > +.PP > +SELinux policy is based on least privilege required and may also be customizable by setting a boolean with the setsebool command. > +.TP > +Allow Oident daemon to read Oident daemon home content with the oidentd_home_t files type. > +.PP > +.B > +setsebool -P allow_oidentd_read_oidentd_home_content on > +.TP > +Allow Oident daemon to use CIFS for public file transfer services. > +.PP > +.B > +setsebool -P allow_oidentd_use_cifs on > +.TP > +Allow Oident daemon to use NFS for public file transfer services. > +.PP > +.B > +setsebool -P allow_oidentd_use_nfs on > +.TP > +system-config-selinux is a GUI tool available to customize SELinux policy settings. > +.SH AUTHOR > +.PP > +This manual page was written by Dominick Grift . > +.SH "SEE ALSO" > +.PP > +selinux(8), oidentd(8), oidentd.conf(8), setsebool(8), chcon(8) > diff --git a/policy/modules/services/oidentd.fc b/policy/modules/services/oidentd.fc > new file mode 100644 > index 0000000..ee7fcc4 > --- /dev/null > +++ b/policy/modules/services/oidentd.fc 
> @@ -0,0 +1,7 @@ > + > +/etc/oidentd\.conf -- gen_context(system_u:object_r:oidentd_config_t, s0) > +/etc/oidentd_masq\.conf -- gen_context(system_u:object_r:oidentd_config_t, s0) > + > +/usr/sbin/oidentd -- gen_context(system_u:object_r:oidentd_exec_t, s0) > + > +HOME_DIR/\.oidentd.conf -- gen_context(system_u:object_r:oidentd_home_t, s0) > diff --git a/policy/modules/services/oidentd.if b/policy/modules/services/oidentd.if > new file mode 100644 > index 0000000..93f9ad0 > --- /dev/null > +++ b/policy/modules/services/oidentd.if > @@ -0,0 +1,61 @@ > +## SELinux policy for Oident daemon. > +## > +##

> +## Oident daemon is a server that implements the TCP/IP > +## standard IDENT user identification protocol as > +## specified in the RFC 1413 document. > +##

> +##
> + > +####################################### > +## > +## The per role template for the Oidentd module. > +## > +## > +##

> +## This template creates derived domains which are used > +## for Oident daemon. > +##

> +##

> +## This template is invoked automatically for each user, and > +## generally does not need to be invoked directly > +## by policy writers. > +##

> +##
> +## > +## > +## The prefix of the user domain (e.g., user > +## is the prefix for user_t). > +## > +## > +## > +## > +## The type of the user domain. > +## > +## > +## > +## > +## The role associated with the user domain. > +## > +## > +# > +template(`oidentd_per_role_template', ` > + gen_require(` > + type oidentd_home_t; > + ') > + > + ######################################## > + # > + # Declarations > + # > + > + userdom_user_home_content($1, oidentd_home_t) > + > + ######################################## > + # > + # Policy > + # > + > + allow $2 oidentd_home_t:file manage_file_perms; > + allow $2 oidentd_home_t:file relabel_file_perms; > +') > diff --git a/policy/modules/services/oidentd.te b/policy/modules/services/oidentd.te > new file mode 100644 > index 0000000..c8bcfc3 > --- /dev/null > +++ b/policy/modules/services/oidentd.te > @@ -0,0 +1,102 @@ > + > +policy_module(oidentd, 0.0.1) > + > +######################################## > +# > +# Declarations > +# > + > +## > +##

> +## Allow Oident daemon to read > +## oidentd daemon home files. > +##

> +##
> + > +gen_tunable(allow_oidentd_read_oidentd_home_content, false) > + > +## > +##

> +## Allow Oident daemon to use cifs > +## used for public file transfer services. > +##

> +##
> + > +gen_tunable(allow_oidentd_use_cifs, false) > + > +## > +##

> +## Allow Oident daemon to use nfs > +## used for public file transfer services. > +##

> +##
> + > +gen_tunable(allow_oidentd_use_nfs, false) > + > +type oidentd_t; > +type oidentd_exec_t; > +init_daemon_domain(oidentd_t, oidentd_exec_t) > + > +type oidentd_config_t; > +files_config_file(oidentd_config_t) > + > +type oidentd_home_t; > +files_poly_member(oidentd_home_t) > + > +######################################## > +# > +# Policy > +# > + > +allow oidentd_t self:capability { setuid setgid }; > +allow oidentd_t self:netlink_route_socket { write getattr read bind create nlmsg_read }; > +allow oidentd_t self:netlink_tcpdiag_socket { write read create nlmsg_read }; > +allow oidentd_t self:tcp_socket { setopt read bind create accept write getattr listen }; > +allow oidentd_t self:udp_socket { write read create connect getattr }; > +allow oidentd_t self:unix_dgram_socket { create connect }; > + > +allow oidentd_t oidentd_config_t:file read_file_perms; > + > +corenet_all_recvfrom_unlabeled(oidentd_t) > +corenet_all_recvfrom_netlabel(oidentd_t) > +corenet_tcp_sendrecv_all_if(oidentd_t) > +corenet_tcp_sendrecv_all_nodes(oidentd_t) > +corenet_tcp_bind_all_nodes(oidentd_t) > +corenet_tcp_bind_auth_port(oidentd_t) > + > +files_read_etc_files(oidentd_t) > + > +fs_search_auto_mountpoints(oidentd_t) > + > +kernel_read_kernel_sysctls(oidentd_t) > +kernel_read_network_state(oidentd_t) > +kernel_read_network_state_symlinks(oidentd_t) > +kernel_read_sysctl(oidentd_t) > + > +libs_use_ld_so(oidentd_t) > +libs_use_shared_libs(oidentd_t) > + > +logging_send_syslog_msg(oidentd_t) > + > +miscfiles_read_localization(oidentd_t) > + > +sysnet_read_config(oidentd_t) > + > +optional_policy(` > + nis_use_ypbind(oidentd_t) > +') > + > +tunable_policy(`allow_oidentd_read_oidentd_home_content', ` > + allow oidentd_t oidentd_home_t:file read_file_perms; > + userdom_search_user_home_dirs(user, oidentd_t) > +') > + > +tunable_policy(`allow_oidentd_use_cifs', ` > + fs_list_cifs(oidentd_t) > + fs_read_cifs_files(oidentd_t) > +') > + > +tunable_policy(`allow_oidentd_use_nfs', ` > + 
fs_list_nfs(oidentd_t) > + fs_read_nfs_files(oidentd_t) > +')

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
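Review bot: in oidentd_selinux.8 the two BOOLEANS entries "Allow Oident daemon to use CIFS for public file transfer services" and "... use NFS for public file transfer services" describe a file transfer service, which an RFC 1413 ident server is not; the same wording sits in the .te tunable comments and reads as carried over from another module. Describe what the tunable_policy blocks actually grant, which is listing and reading files on CIFS or NFS mounts (any file, not only ~/.oidentd.conf); if those blocks are replaced by use_nfs_home_dirs and use_samba_home_dirs as suggested in the reply, the two entries should be dropped. Also "Oident deamon" in the .TH line should read "Oident daemon".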
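Review bot: in oidentd.fc the HOME_DIR entry leaves the dot between oidentd and conf unescaped (`HOME_DIR/\.oidentd.conf`), so as a regular expression it matches any single character in that position; write `HOME_DIR/\.oidentd\.conf`, matching the escaping already used in the /etc entries. If the per-role template is changed to create a derived $1_oidentd_home_t type, the context on this entry will have to change with it.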
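Review bot: nothing in this patch invokes oidentd_per_role_template, although its description says it "is invoked automatically for each user"; until a call is added from the user domain templates, userdom_user_home_content() is never applied to oidentd_home_t and the manage_file_perms/relabel_file_perms rules for $2 never take effect. Either add that call or document that policy writers must call it. The $3 role parameter is also documented but unused in the body.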
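Review bot: in oidentd.te the allow_oidentd_read_oidentd_home_content block calls `userdom_search_user_home_dirs(user, oidentd_t)` with a hard-coded `user` prefix, so oidentd can only traverse the home directories of the user role; a ~/.oidentd.conf belonging to staff or any other role is unreachable even though the .fc labels it under HOME_DIR for every user. Use an interface that covers all users' home directories, or, with the derived $1_oidentd_home_t type suggested in the reply, grant the search from the per-role template. Separately, the cifs and nfs tunable comments ("used for public file transfer services") do not describe this daemon and should be reworded to match what the blocks grant.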