From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Thu, 18 Sep 2008 14:08:57 -0400
Subject: [refpolicy] rpcbind policy update
In-Reply-To: <48BEA515.10107@redhat.com>
References: <48BEA515.10107@redhat.com>
Message-ID: <1221761337.24369.68.camel@gorn.columbia.tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
On Wed, 2008-09-03 at 10:54 -0400, Daniel J Walsh wrote:
> rpcbind needs dac_override, setgid, sys_tty_config
>
> Attempts to listen to udp_socket, I know it is a bug but I don't want
> the AVC.
>
> Reads system state.
>
> Add _admin interface.
>
> Add script handling.
Merged.
> plain text document attachment (services_rpcbind.patch)
> --- nsaserefpolicy/policy/modules/services/rpcbind.fc 2008-08-07 11:15:11.000000000 -0400
> +++ serefpolicy-3.5.6/policy/modules/services/rpcbind.fc 2008-09-03 10:41:55.000000000 -0400
> @@ -5,3 +5,5 @@
> /var/run/rpc.statd\.pid -- gen_context(system_u:object_r:rpcbind_var_run_t,s0)
> /var/run/rpcbind\.lock -- gen_context(system_u:object_r:rpcbind_var_run_t,s0)
> /var/run/rpcbind\.sock -s gen_context(system_u:object_r:rpcbind_var_run_t,s0)
> +
> +/etc/rc.d/init.d/rpcbind -- gen_context(system_u:object_r:rpcbind_script_exec_t,s0)
> --- nsaserefpolicy/policy/modules/services/rpcbind.if 2008-08-07 11:15:11.000000000 -0400
> +++ serefpolicy-3.5.6/policy/modules/services/rpcbind.if 2008-09-03 10:48:59.000000000 -0400
> @@ -95,3 +95,65 @@
> manage_files_pattern($1, rpcbind_var_lib_t, rpcbind_var_lib_t)
> files_search_var_lib($1)
> ')
> +
> +########################################
> +##
> +## Execute rpcbind server in the rpcbind domain.
> +##
> +##
> +##
> +## The type of the process performing this action.
> +##
> +##
> +#
> +#
> +interface(`rpcbind_script_domtrans',`
> + gen_require(`
> + type rpcbind_script_exec_t;
> + ')
> +
> + init_script_domtrans_spec($1, rpcbind_script_exec_t)
> +')
> +
> +########################################
> +##
> +## All of the rules required to administrate
> +## an rpcbind environment
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +##
> +##
> +## The role to be allowed to manage the rpcbind domain.
> +##
> +##
> +##
> +##
> +## The type of the user terminal.
> +##
> +##
> +##
> +#
> +interface(`rpcbind_admin',`
> + gen_require(`
> + type rpcbind_t, rpcbind_var_lib_t, rpcbind_var_run_t;
> + type rpcbind_script_exec_t;
> + ')
> +
> + allow $1 rpcbind_t:process { ptrace signal_perms};
> + ps_process_pattern($1, rpcbind_t)
> +
> + rpcbind_script_domtrans($1)
> + domain_system_change_exemption($1)
> + role_transition $2 rpcbind_script_exec_t system_r;
> + allow $2 system_r;
> +
> + files_list_var_lib($1)
> + admin_pattern($1, rpcbind_var_lib_t)
> +
> + files_list_pids($1)
> + admin_pattern($1, rpcbind_var_run_t)
> +')
> --- nsaserefpolicy/policy/modules/services/rpcbind.te 2008-08-07 11:15:11.000000000 -0400
> +++ serefpolicy-3.5.6/policy/modules/services/rpcbind.te 2008-09-03 10:41:55.000000000 -0400
> @@ -16,16 +16,21 @@
> type rpcbind_var_lib_t;
> files_type(rpcbind_var_lib_t)
>
> +type rpcbind_script_exec_t;
> +init_script_file(rpcbind_script_exec_t)
> +
> ########################################
> #
> # rpcbind local policy
> #
>
> -allow rpcbind_t self:capability setuid;
> +allow rpcbind_t self:capability { dac_override setgid setuid sys_tty_config };
> allow rpcbind_t self:fifo_file rw_file_perms;
> allow rpcbind_t self:unix_stream_socket create_stream_socket_perms;
> allow rpcbind_t self:netlink_route_socket r_netlink_socket_perms;
> allow rpcbind_t self:udp_socket create_socket_perms;
> +# BROKEN ...
> +dontaudit rpcbind_t self:udp_socket listen;
> allow rpcbind_t self:tcp_socket create_stream_socket_perms;
>
> manage_files_pattern(rpcbind_t, rpcbind_var_run_t, rpcbind_var_run_t)
> @@ -37,6 +42,7 @@
> manage_sock_files_pattern(rpcbind_t, rpcbind_var_lib_t, rpcbind_var_lib_t)
> files_var_lib_filetrans(rpcbind_t, rpcbind_var_lib_t, { file dir sock_file })
>
> +kernel_read_system_state(rpcbind_t)
> kernel_read_network_state(rpcbind_t)
>
> corenet_all_recvfrom_unlabeled(rpcbind_t)
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150