From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Thu, 18 Sep 2008 14:08:57 -0400
Subject: [refpolicy] rpcbind policy update
In-Reply-To: <48BEA515.10107@redhat.com>
References: <48BEA515.10107@redhat.com>
Message-ID: <1221761337.24369.68.camel@gorn.columbia.tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, 2008-09-03 at 10:54 -0400, Daniel J Walsh wrote:
> rpcbind needs dac_override, setgid, sys_tty_config
> 
> Attempts to listen to udp_socket, I know it is a bug but I don't want
> the AVC.
> 
> Reads system state.
> 
> Add _admin interface.
> 
> Add script handling.

Merged.

> plain text document attachment (services_rpcbind.patch)
> --- nsaserefpolicy/policy/modules/services/rpcbind.fc	2008-08-07 11:15:11.000000000 -0400
> +++ serefpolicy-3.5.6/policy/modules/services/rpcbind.fc	2008-09-03 10:41:55.000000000 -0400
> @@ -5,3 +5,5 @@
>  /var/run/rpc.statd\.pid	--	gen_context(system_u:object_r:rpcbind_var_run_t,s0)
>  /var/run/rpcbind\.lock	--	gen_context(system_u:object_r:rpcbind_var_run_t,s0)
>  /var/run/rpcbind\.sock	-s	gen_context(system_u:object_r:rpcbind_var_run_t,s0)
> +
> +/etc/rc.d/init.d/rpcbind	--	gen_context(system_u:object_r:rpcbind_script_exec_t,s0)
> --- nsaserefpolicy/policy/modules/services/rpcbind.if	2008-08-07 11:15:11.000000000 -0400
> +++ serefpolicy-3.5.6/policy/modules/services/rpcbind.if	2008-09-03 10:48:59.000000000 -0400
> @@ -95,3 +95,65 @@
>  	manage_files_pattern($1, rpcbind_var_lib_t, rpcbind_var_lib_t)
>  	files_search_var_lib($1)
>  ')
> +
> +########################################
> +## <summary>
> +##	Execute rpcbind server in the rpcbind domain.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	The type of the process performing this action.
> +##	</summary>
> +## </param>
> +#
> +#
> +interface(`rpcbind_script_domtrans',`
> +	gen_require(`
> +		type rpcbind_script_exec_t;
> +	')
> +
> +	init_script_domtrans_spec($1, rpcbind_script_exec_t)
> +')
> +
> +########################################
> +## <summary>
> +##	All of the rules required to administrate 
> +##	an rpcbind environment
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +## <param name="role">
> +##	<summary>
> +##	The role to be allowed to manage the rpcbind domain.
> +##	</summary>
> +## </param>
> +## <param name="terminal">
> +##	<summary>
> +##	The type of the user terminal.
> +##	</summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`rpcbind_admin',`
> +	gen_require(`
> +		type rpcbind_t, rpcbind_var_lib_t, rpcbind_var_run_t;
> +		type rpcbind_script_exec_t;
> +	')
> +
> +	allow $1 rpcbind_t:process { ptrace signal_perms};
> +	ps_process_pattern($1, rpcbind_t)
> +	        
> +	rpcbind_script_domtrans($1)
> +	domain_system_change_exemption($1)
> +	role_transition $2 rpcbind_script_exec_t system_r;
> +	allow $2 system_r;
> +
> +	files_list_var_lib($1)
> +        admin_pattern($1, rpcbind_var_lib_t)
> +
> +	files_list_pids($1)
> +        admin_pattern($1, rpcbind_var_run_t)
> +')
> --- nsaserefpolicy/policy/modules/services/rpcbind.te	2008-08-07 11:15:11.000000000 -0400
> +++ serefpolicy-3.5.6/policy/modules/services/rpcbind.te	2008-09-03 10:41:55.000000000 -0400
> @@ -16,16 +16,21 @@
>  type rpcbind_var_lib_t;
>  files_type(rpcbind_var_lib_t)
>  
> +type rpcbind_script_exec_t;
> +init_script_file(rpcbind_script_exec_t)
> +
>  ########################################
>  #
>  # rpcbind local policy
>  #
>  
> -allow rpcbind_t self:capability setuid;
> +allow rpcbind_t self:capability { dac_override setgid setuid sys_tty_config };
>  allow rpcbind_t self:fifo_file rw_file_perms;
>  allow rpcbind_t self:unix_stream_socket create_stream_socket_perms;
>  allow rpcbind_t self:netlink_route_socket r_netlink_socket_perms;
>  allow rpcbind_t self:udp_socket create_socket_perms;
> +# BROKEN ...
> +dontaudit rpcbind_t self:udp_socket listen;
>  allow rpcbind_t self:tcp_socket create_stream_socket_perms;
>  
>  manage_files_pattern(rpcbind_t, rpcbind_var_run_t, rpcbind_var_run_t)
> @@ -37,6 +42,7 @@
>  manage_sock_files_pattern(rpcbind_t, rpcbind_var_lib_t, rpcbind_var_lib_t)
>  files_var_lib_filetrans(rpcbind_t, rpcbind_var_lib_t, { file dir sock_file })
>  
> +kernel_read_system_state(rpcbind_t)
>  kernel_read_network_state(rpcbind_t)
>  
>  corenet_all_recvfrom_unlabeled(rpcbind_t)
-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150