From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Mon, 06 Oct 2008 10:05:32 -0400 Subject: [refpolicy] Another shot at Oident daemon. In-Reply-To: <1220712598.30664.3.camel@sulphur.notebook.internal> References: <1220712598.30664.3.camel@sulphur.notebook.internal> Message-ID: <1223301932.2165.0.camel@gorn> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Sat, 2008-09-06 at 16:49 +0200, Dominick Grift wrote: > Tested with F10 > > Please see attachment. Merged, with a few tweaks. > > > > > > differences > between files > attachment > (oident.patch) > > diff --git a/policy/modules/services/oident.fc > b/policy/modules/services/oident.fc > new file mode 100644 > index 0000000..fb02592 > --- /dev/null > +++ b/policy/modules/services/oident.fc > @@ -0,0 +1,8 @@ > +/etc/oidentd > \.conf -- gen_context(system_u:object_r:oidentd_config_t, s0) > +/etc/oidentd_masq > \.conf -- gen_context(system_u:object_r:oidentd_config_t, > s0) > + > +/etc/rc\.d/init > \.d/oidentd -- gen_context(system_u:object_r:oidentd_script_exec_t, s0) > + > +/usr/sbin/oidentd -- gen_context(system_u:object_r:oidentd_exec_t, s0) > + > +HOME_DIR/\.oidentd.conf gen_context(system_u:object_r:oidentd_ROLE_content_t, s0) > diff --git a/policy/modules/services/oident.if > b/policy/modules/services/oident.if > new file mode 100644 > index 0000000..df6fe8c > --- /dev/null > +++ b/policy/modules/services/oident.if > @@ -0,0 +1,86 @@ > +## SELinux policy for Oident daemon. > +## > +##
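Review bot: The home-directory entry `HOME_DIR/\.oidentd.conf` leaves its second dot unescaped, so as a regex it matches any single character before `conf`, unlike the `/etc/oidentd\.conf` and `/etc/oidentd_masq\.conf` entries above it; it should read `HOME_DIR/\.oidentd\.conf -- gen_context(system_u:object_r:oidentd_ROLE_content_t, s0)`. The same entry is also the only one without the `--` file-class qualifier, so as written it would presumably label a directory of that name as well. Since the user domain gets manage and relabel rights on this type in oident.if and the root daemon `oidentd_t` is allowed to read it, the pattern should be as tight as the others so no unrelated home file picks up a type the daemon reads.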

> +## Oident daemon is a server that implements the TCP/IP > +## standard IDENT user identification protocol as > +## specified in the RFC 1413 document. > +##

> +##
> + > +####################################### > +## > +## The per role template for the Oidentd module. > +## > +## > +##

> +## This template creates derived domains which are used > +## for Oident daemon. > +##

> +##

> +## This template is invoked automatically for each user, and > +## generally does not need to be invoked directly > +## by policy writers. > +##

> +##
> +## > +## > +## The prefix of the user domain (e.g., user > +## is the prefix for user_t). > +## > +## > +## > +## > +## The type of the user domain. > +## > +## > +## > +## > +## The role associated with the user domain. > +## > +## > +# > +template(`oidentd_per_role_template', ` > + > + ######################################## > + # > + # Oident daemon shared declarations > + # > + > + gen_require(` > + attribute oidentd_user_content_type; > + ') > + > + type oidentd_$1_content_t, oidentd_user_content_type; > + files_type(oidentd_$1_content_t) > + > + typeattribute oidentd_$1_content_t oidentd_user_content_type; > + > + userdom_user_home_content($1, oidentd_$1_content_t) > + > + ######################################## > + # > + # Oident daemon shared policy > + # > + > + allow $2 oidentd_$1_content_t:file manage_file_perms; > + allow $2 oidentd_$1_content_t:file relabel_file_perms; > +') > + > +######################################## > +## > +## Allow the specified domain to read > +## Oidentd personal configuration files. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`oidentd_read_user_content', ` > + gen_require(` > + attribute oidentd_user_content_type; > + ') > + > + allow $1 oidentd_user_content_type:file read_file_perms; > +') > diff --git a/policy/modules/services/oident.te > b/policy/modules/services/oident.te > new file mode 100644 > index 0000000..2291f6c > --- /dev/null > +++ b/policy/modules/services/oident.te 
> @@ -0,0 +1,74 @@ > + > +policy_module(oident, 0.0.4) > + > +######################################## > +# > +# Oident daemon private declarations > +# > + > +attribute oidentd_user_content_type; > + > +type oidentd_t; > +type oidentd_exec_t; > +init_daemon_domain(oidentd_t, oidentd_exec_t) > + > +type oidentd_script_exec_t; > +init_script_file(oidentd_script_exec_t) > + > +type oidentd_config_t; > +files_config_file(oidentd_config_t) > + > +######################################## > +# > +# Oident daemon private policy > +# > + > +allow oidentd_t self:capability { setuid setgid }; > +allow oidentd_t self:netlink_route_socket { write getattr read bind > create nlmsg_read }; > +allow oidentd_t self:netlink_tcpdiag_socket { write read create > nlmsg_read }; > +allow oidentd_t self:tcp_socket { setopt read bind create accept > write getattr listen }; > +allow oidentd_t self:udp_socket { write read create connect getattr > ioctl }; > +allow oidentd_t self:unix_dgram_socket { create connect }; > + > +allow oidentd_t oidentd_config_t:file read_file_perms; > + > +corenet_all_recvfrom_unlabeled(oidentd_t) > +corenet_all_recvfrom_netlabel(oidentd_t) > +corenet_tcp_sendrecv_all_if(oidentd_t) > +corenet_tcp_sendrecv_all_nodes(oidentd_t) > +corenet_tcp_bind_all_nodes(oidentd_t) > +corenet_tcp_bind_auth_port(oidentd_t); > + > +files_read_etc_files(oidentd_t) > + > +kernel_read_kernel_sysctls(oidentd_t) > +kernel_read_network_state(oidentd_t) > +kernel_read_network_state_symlinks(oidentd_t) > +kernel_read_sysctl(oidentd_t) > + > +libs_use_ld_so(oidentd_t) > +libs_use_shared_libs(oidentd_t) > + > +logging_send_syslog_msg(oidentd_t) > + > +miscfiles_read_localization(oidentd_t) > + > +oidentd_read_user_content(oidentd_t) > + > +sysnet_read_config(oidentd_t) > + > +userdom_search_all_users_home_dirs(oidentd_t) > + > +optional_policy(` > + nis_use_ypbind(oidentd_t) > +') > + > +tunable_policy(`use_samba_home_dirs', ` > + fs_list_cifs(oidentd_t) > + fs_read_cifs_files(oidentd_t) > 
+') > + > +tunable_policy(`use_nfs_home_dirs', ` > + fs_list_nfs(oidentd_t) > + fs_read_nfs_files(oidentd_t) > +') > diff --git a/policy/modules/system/userdomain.if > b/policy/modules/system/userdomain.if > index 6c01e3c..64398d4 100644 > --- a/policy/modules/system/userdomain.if > +++ b/policy/modules/system/userdomain.if > @@ -1217,6 +1217,10 @@ template(`userdom_unpriv_user_template', ` > ') > > optional_policy(` > + oidentd_per_role_template($1, $1_usertype, $1_r) > + ') > + > + optional_policy(` > polkit_per_role_template($1, $1_usertype, $1_r) > ') > -- Chris PeBenito Tresys Technology, LLC (410) 290-1411 x150
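Review bot: `corenet_tcp_bind_auth_port(oidentd_t);` carries a trailing semicolon that no other interface call in the file has; the m4 expansion leaves that `;` in the generated policy, where checkpolicy may reject it, so it should be `corenet_tcp_bind_auth_port(oidentd_t)`. The bare `allow oidentd_t self:udp_socket { write read create connect getattr ioctl };` rule has no matching corenet udp rules in the hunk; if it exists for DNS lookups, `sysnet_dns_name_resolve(oidentd_t)` is the conventional interface and brings the network permissions with it, otherwise the rule looks unused and should be dropped. On the privilege side the daemon only reads the user-writable `~/.oidentd.conf` through `oidentd_read_user_content` with `setuid setgid` for dropping privileges and no write access to user content, which is the right shape for a root daemon consuming user-controlled configuration.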