From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Thu, 09 Oct 2008 10:05:29 -0400
Subject: [refpolicy] services_kerberos.patch
In-Reply-To: <48ED5E29.3020900@redhat.com>
References: <48DAA2F1.2040806@redhat.com> <1223496427.2165.121.camel@gorn.columbia.tresys.com> <48ED5E29.3020900@redhat.com>
Message-ID: <1223561129.2165.133.camel@gorn.columbia.tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, 2008-10-08 at 21:28 -0400, Daniel J Walsh wrote:
> admin interfaces
>
> kerberos_use changes to take care of library that tries to setfscreate
> and modify file context.
>
> New interface kerberos_keytab_template for all domains that use keytab files
>
> policy for kpropd
>
> kadmind needs setfscreate to label keytab files.
>
> Add handling of lock_files.
>
> kadmind needs access to usr and var files
>
> kadmind can use ldap
>
> kdc can also setfscreate

Merged, except for the tmpfs_t access in allow_kerberos tunable of kerberos_use(); its the same thing about trying to use derived tmpfs_t types. Didn't merge the kprop port access as its missing. Theres other minor tweaks too.

> plain text document attachment (services_kerberos.patch)
> --- nsaserefpolicy/policy/modules/services/kerberos.fc 2008-08-07 11:15:11.000000000 -0400
> +++ serefpolicy-3.5.11/policy/modules/services/kerberos.fc 2008-10-08 21:20:50.000000000 -0400
> @@ -4,15 +4,24 @@
> /etc/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
> /etc/krb5kdc/kadm5\.keytab -- gen_context(system_u:object_r:krb5_keytab_t,s0)
> /etc/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
> +/etc/rc\.d/init\.d/kadmind -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
> +/etc/rc\.d/init\.d/krb524d -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
> +/etc/rc\.d/init\.d/kpropd -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
> +/etc/rc\.d/init\.d/krb5kdc -- gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
>
> /usr/(local/)?(kerberos/)?sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
> /usr/(local/)?(kerberos/)?sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
> +/usr/kerberos/sbin/kadmin\.local -- gen_context(system_u:object_r:kadmind_exec_t,s0)
>
> /usr/local/var/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
> /usr/local/var/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
>
> /var/kerberos/krb5kdc(/.*)? gen_context(system_u:object_r:krb5kdc_conf_t,s0)
> /var/kerberos/krb5kdc/principal.* gen_context(system_u:object_r:krb5kdc_principal_t,s0)
> +/var/kerberos/krb5kdc/from_master.* gen_context(system_u:object_r:krb5kdc_lock_t,s0)
> +/var/kerberos/krb5kdc/principal\.ok gen_context(system_u:object_r:krb5kdc_lock_t,s0)
>
> /var/log/krb5kdc\.log gen_context(system_u:object_r:krb5kdc_log_t,s0)
> /var/log/kadmin(d)?\.log gen_context(system_u:object_r:kadmind_log_t,s0)
> +
> +/var/tmp/host_0 -- gen_context(system_u:object_r:krb5_host_rcache_t,s0)
> --- nsaserefpolicy/policy/modules/services/kerberos.if 2008-08-07 11:15:11.000000000 -0400
> +++ serefpolicy-3.5.11/policy/modules/services/kerberos.if 2008-10-08 21:22:20.000000000 -0400
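Review bot: The new `/usr/kerberos/sbin/kadmin\.local` entry does not use the `(local/)?(kerberos/)?` prefix that the neighbouring `krb5kdc` and `kadmind` lines use, so the same binary installed under `/usr/sbin` or `/usr/local/sbin` stays unlabeled while its siblings are covered; `/usr/(local/)?(kerberos/)?sbin/kadmin\.local -- gen_context(system_u:object_r:kadmind_exec_t,s0)` keeps the three lines consistent. The `/var/tmp/host_0` replay-cache entry is a literal path; if the cache file name encodes the service and uid (the `_0` suffix suggests it), caches created for other uids will not match and the entry would need a pattern rather than a fixed name. A short comment stating what `host_0` is would let the next reader decide.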
> @@ -23,6 +23,43 @@
>
> ########################################
> ##
> +## Execute a kadmind_exec_t in the current domain
> +##
> +##
> +##
> +## Domain allowed to transition.
> +##
> +##
> +#
> +interface(`kerberos_exec_kadmind',`
> + gen_require(`
> + type kadmind_exec_t;
> + ')
> +
> + can_exec($1,kadmind_exec_t)
> +')
> +
> +########################################
> +##
> +## Execute a domain transition to run kpropd.
> +##
> +##
> +##
> +## Domain allowed to transition.
> +##
> +##
> +#
> +interface(`kerberos_domtrans_kpropd',`
> + gen_require(`
> + type kpropd_t;
> + type kpropd_exec_t;
> + ')
> +
> + domtrans_pattern($1, kpropd_exec_t, kpropd_t)
> +')
> +
> +########################################
> +##
> ## Use kerberos services
> ##
> ##
> @@ -42,7 +79,14 @@
> dontaudit $1 krb5kdc_conf_t:dir list_dir_perms;
> dontaudit $1 krb5kdc_conf_t:file rw_file_perms;
>
> + #kerberos libraries are attempting to set the correct file context
> + dontaudit $1 self:process setfscreate;
> + selinux_dontaudit_validate_context($1)
> + seutil_dontaudit_read_file_contexts($1)
> +
> tunable_policy(`allow_kerberos',`
> + fs_rw_tmpfs_files($1)
> +
> allow $1 self:tcp_socket create_socket_perms;
> allow $1 self:udp_socket create_socket_perms;
>
> @@ -60,11 +104,7 @@
> corenet_tcp_connect_ocsp_port($1)
> corenet_sendrecv_kerberos_client_packets($1)
> corenet_sendrecv_ocsp_client_packets($1)
> -
> - sysnet_read_config($1)
> - sysnet_dns_name_resolve($1)
> ')
> -
> optional_policy(`
> tunable_policy(`allow_kerberos',`
> pcscd_stream_connect($1)
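Review bot: `can_exec($1,kadmind_exec_t)` in kerberos_exec_kadmind drops the space after the comma that the rest of the file, including `domtrans_pattern($1, kpropd_exec_t, kpropd_t)` in the same hunk, puts between macro arguments; `can_exec($1, kadmind_exec_t)` matches. The summary `## Execute a kadmind_exec_t in the current domain` names the type rather than the program and lacks the trailing period the neighbouring summaries carry; `## Execute kadmind in the current domain.` reads like the rest of the file.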
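Review bot: With `sysnet_read_config($1)` and `sysnet_dns_name_resolve($1)` gone from the `allow_kerberos` block, kerberos_use() no longer lets a caller resolve KDC names on its own; unless those calls were moved to a place outside this hunk, every caller now has to add them itself (the new kpropd policy in this patch does add `sysnet_dns_name_resolve(kpropd_t)`, other existing callers are outside the patch). Either way the change deserves a sentence in the interface description saying that name resolution is not included, so callers do not discover it through denials. The body of kerberos_use starts before this hunk.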
> @@ -153,6 +193,32 @@
>
> ########################################
> ##
> +## Create a derived type for kerberos keytab
> +##
> +##
> +##
> +## The prefix to be used for deriving type names.
> +##
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +template(`kerberos_keytab_template',`
> +
> + type $1_keytab_t;
> + files_type($1_keytab_t)
> +
> + allow $2 $1_keytab_t:file read_file_perms;
> +
> + kerberos_read_keytab($2)
> + kerberos_use($2)
> +')
> +
> +########################################
> +##
> ## Read the kerberos kdc configuration file (/etc/krb5kdc.conf).
> ##
> ##
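Review bot: `kerberos_read_keytab($2)` in kerberos_keytab_template grants `$2` read access to the shared `krb5_keytab_t` in addition to its own derived `$1_keytab_t`, which gives away the separation the derived type exists to provide: every domain instantiated through the template can still read every keytab that carries the shared label. If the shared read is only there for the directory search or for hosts whose keytabs have not been relabelled, say so in a comment next to the call; otherwise drop that line and let the few callers that genuinely need the shared keytab call kerberos_read_keytab themselves. The template's description should also state that the caller is responsible for the file context entry that applies `$1_keytab_t`, since nothing in the template labels a file.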
> @@ -168,6 +234,123 @@
> ')
>
> files_search_etc($1)
> - allow $1 krb5kdc_conf_t:file read_file_perms;
> + read_files_pattern($1, krb5kdc_conf_t, krb5kdc_conf_t)
> +')
>
> +########################################
> +##
> +## Read the kerberos kdc configuration file (/etc/krb5kdc.conf).
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +##
> +#
> +interface(`kerberos_manage_host_rcache',`
> + gen_require(`
> + type krb5_host_rcache_t;
> + ')
> +
> + tunable_policy(`allow_kerberos',`
> + files_search_tmp($1)
> + allow $1 self:process setfscreate;
> + selinux_validate_context($1)
> + seutil_read_file_contexts($1)
> + allow $1 krb5_host_rcache_t:file manage_file_perms;
> + ')
> + # creates files as system_u no matter what the selinux user
> + domain_obj_id_change_exemption($1)
> ')
> +
> +########################################
> +##
> +## Connect to krb524 service
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`kerberos_524_connect',`
> + tunable_policy(`allow_kerberos',`
> + allow $1 self:udp_socket create_socket_perms;
> + corenet_all_recvfrom_unlabeled($1)
> + corenet_udp_sendrecv_all_if($1)
> + corenet_udp_sendrecv_all_nodes($1)
> + corenet_udp_sendrecv_kerberos_master_port($1)
> + corenet_udp_bind_all_nodes($1)
> + ')
> +')
> +
> +########################################
> +##
> +## All of the rules required to administrate
> +## an kerberos environment
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> + ##
> +##
> +## The role to be allowed to manage the kerberos domain.
> +##
> +##
> +##
> +#
> +interface(`kerberos_admin',`
> + gen_require(`
> + type kadmind_t, krb5kdc_t, kerberos_initrc_exec_t;
> + type kadmind_log_t, kadmind_tmp_t, kadmind_var_run_t;
> + type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
> + type krb5kdc_principal_t, krb5kdc_tmp_t;
> + type krb5kdc_var_run_t, krb5_host_rcache_t;
> + type kadmind_spool_t, kadmind_var_lib_t, kpropd_t;
> + ')
> +
> + allow $1 kadmind_t:process { ptrace signal_perms };
> + ps_process_pattern($1, kadmind_t)
> +
> + allow $1 krb5kdc_t:process { ptrace signal_perms };
> + ps_process_pattern($1, krb5kdc_t)
> +
> + allow $1 kpropd_t:process { ptrace signal_perms };
> + ps_process_pattern($1, kpropd_t)
> +
> + init_labeled_script_domtrans($1, kerberos_initrc_exec_t)
> + domain_system_change_exemption($1)
> + role_transition $2 kerberos_initrc_exec_t system_r;
> + allow $2 system_r;
> +
> + logging_list_logs($1)
> + admin_pattern($1, kadmind_log_t)
> +
> + files_list_spool($1)
> + admin_pattern($1, kadmind_spool_t)
> +
> + files_list_tmp($1)
> + admin_pattern($1, kadmind_tmp_t)
> +
> + files_list_var_lib($1)
> + admin_pattern($1, kadmind_var_lib_t)
> +
> + files_list_pids($1)
> + admin_pattern($1, kadmind_var_run_t)
> +
> + admin_pattern($1, krb5_conf_t)
> +
> + admin_pattern($1, krb5_host_rcache_t)
> +
> + admin_pattern($1, krb5_keytab_t)
> +
> + admin_pattern($1, krb5kdc_principal_t)
> +
> + admin_pattern($1, krb5kdc_tmp_t)
> +
> + admin_pattern($1, krb5kdc_var_run_t)
> +')
> +
> --- nsaserefpolicy/policy/modules/services/kerberos.te 2008-08-07 11:15:11.000000000 -0400
> +++ serefpolicy-3.5.11/policy/modules/services/kerberos.te 2008-10-08 20:36:17.000000000 -0400
> @@ -16,6 +16,7 @@
> type kadmind_t;
> type kadmind_exec_t;
> init_daemon_domain(kadmind_t, kadmind_exec_t)
> +domain_obj_id_change_exemption(kadmind_t)
>
> type kadmind_log_t;
> logging_log_file(kadmind_log_t)
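Review bot: The summary of the new kerberos_manage_host_rcache interface is a copy of the preceding interface's summary, `## Read the kerberos kdc configuration file (/etc/krb5kdc.conf).`, and does not describe what the interface grants; `## Create, read, write, and delete the kerberos host replay cache.` would. In the same interface `domain_obj_id_change_exemption($1)` sits outside the `allow_kerberos` tunable_policy block, so a caller keeps the exemption even when the tunable switches the rest of the interface off; unless that is intended it belongs inside the block. In kerberos_admin, `krb5kdc_conf_t` is listed in gen_require but never used, and the new `krb5kdc_lock_t` is not required at all, so an administrator using this interface can manage neither the KDC configuration directory nor the lock files the .fc hunk labels with krb5kdc_lock_t; `admin_pattern($1, krb5kdc_conf_t)` and `admin_pattern($1, krb5kdc_lock_t)` (with the latter type added to gen_require) close that gap.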
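Review bot: `domain_obj_id_change_exemption(kadmind_t)` is added without a comment saying which objects kadmind creates with a SELinux user other than its own, so the next reader cannot tell whether the exemption is still needed; the comment the same patch uses in kerberos_manage_host_rcache, `# creates files as system_u no matter what the selinux user`, would fit here if that is the reason. The matching line for krb5kdc_t in the @@ -44 hunk has the same gap.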
> @@ -37,6 +38,9 @@
> type krb5kdc_conf_t;
> files_type(krb5kdc_conf_t)
>
> +type krb5kdc_lock_t;
> +files_type(krb5kdc_lock_t)
> +
> # types for KDC principal file(s)
> type krb5kdc_principal_t;
> files_type(krb5kdc_principal_t)
> @@ -44,6 +48,7 @@
> type krb5kdc_t;
> type krb5kdc_exec_t;
> init_daemon_domain(krb5kdc_t, krb5kdc_exec_t)
> +domain_obj_id_change_exemption(krb5kdc_t)
>
> type krb5kdc_log_t;
> logging_log_file(krb5kdc_log_t)
> @@ -54,6 +59,16 @@
> type krb5kdc_var_run_t;
> files_pid_file(krb5kdc_var_run_t)
>
> +type krb5_host_rcache_t;
> +files_tmp_file(krb5_host_rcache_t)
> +
> +type kerberos_initrc_exec_t;
> +init_script_file(kerberos_initrc_exec_t)
> +
> +type kpropd_t;
> +type kpropd_exec_t;
> +init_daemon_domain(kpropd_t, kpropd_exec_t)
> +
> ########################################
> #
> # kadmind local policy
> @@ -62,7 +77,7 @@
> # Use capabilities. Surplus capabilities may be allowed.
> allow kadmind_t self:capability { setuid setgid chown fowner dac_override sys_nice };
> dontaudit kadmind_t self:capability sys_tty_config;
> -allow kadmind_t self:process signal_perms;
> +allow kadmind_t self:process { setfscreate signal_perms };
> allow kadmind_t self:netlink_route_socket r_netlink_socket_perms;
> allow kadmind_t self:unix_dgram_socket { connect create write };
> allow kadmind_t self:tcp_socket connected_stream_socket_perms;
> @@ -77,7 +92,9 @@
> read_files_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_conf_t)
> dontaudit kadmind_t krb5kdc_conf_t:file { write setattr };
>
> -allow kadmind_t krb5kdc_principal_t:file { getattr lock read write setattr };
> +allow kadmind_t krb5kdc_principal_t:file manage_file_perms;
> +filetrans_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_principal_t, file)
> +allow kadmind_t krb5kdc_lock_t:file { rw_file_perms setattr };
>
> can_exec(kadmind_t, kadmind_exec_t)
>
> @@ -91,6 +108,7 @@
> kernel_read_kernel_sysctls(kadmind_t)
> kernel_list_proc(kadmind_t)
> kernel_read_proc_symlinks(kadmind_t)
> +kernel_read_system_state(kadmind_t)
>
> corenet_all_recvfrom_unlabeled(kadmind_t)
> corenet_all_recvfrom_netlabel(kadmind_t)
> @@ -118,6 +136,12 @@
> domain_use_interactive_fds(kadmind_t)
>
> files_read_etc_files(kadmind_t)
> +files_read_usr_symlinks(kadmind_t)
> +files_read_usr_files(kadmind_t)
> +files_read_var_files(kadmind_t)
> +
> +selinux_validate_context(kadmind_t)
> +seutil_read_file_contexts(kadmind_t)
>
> libs_use_ld_so(kadmind_t)
> libs_use_shared_libs(kadmind_t)
> @@ -127,9 +151,9 @@
> miscfiles_read_localization(kadmind_t)
>
> sysnet_read_config(kadmind_t)
> +sysnet_use_ldap(kadmind_t)
>
> userdom_dontaudit_use_unpriv_user_fds(kadmind_t)
> -
> sysadm_dontaudit_search_home_dirs(kadmind_t)
>
> optional_policy(`
> @@ -138,6 +162,7 @@
>
> optional_policy(`
> seutil_sigchld_newrole(kadmind_t)
> + seutil_read_file_contexts(kadmind_t)
> ')
>
> optional_policy(`
> @@ -152,7 +177,7 @@
> # Use capabilities. Surplus capabilities may be allowed.
> allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_override sys_nice };
> dontaudit krb5kdc_t self:capability sys_tty_config;
> -allow krb5kdc_t self:process { setsched getsched signal_perms };
> +allow krb5kdc_t self:process { setfscreate setsched getsched signal_perms };
> allow krb5kdc_t self:netlink_route_socket r_netlink_socket_perms;
> allow krb5kdc_t self:tcp_socket create_stream_socket_perms;
> allow krb5kdc_t self:udp_socket create_socket_perms;
> @@ -166,6 +191,8 @@
> read_files_pattern(krb5kdc_t, krb5kdc_conf_t, krb5kdc_conf_t)
> dontaudit krb5kdc_t krb5kdc_conf_t:file write;
>
> +allow krb5kdc_t krb5kdc_lock_t:file { rw_file_perms setattr };
> +
> allow krb5kdc_t krb5kdc_log_t:file manage_file_perms;
> logging_log_filetrans(krb5kdc_t, krb5kdc_log_t, file)
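Review bot: `allow kadmind_t krb5kdc_lock_t:file { rw_file_perms setattr };` gives kadmind no `create` on the lock type, while the new `filetrans_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_principal_t, file)` in the same hunk labels every file kadmind creates in the krb5kdc_conf_t directory as krb5kdc_principal_t; so if kadmind creates `principal.ok` itself at runtime (the .fc hunk labels that file krb5kdc_lock_t), it comes into existence as krb5kdc_principal_t and only acquires the lock label after a relabel, which means the policy behaves differently before and after restorecon. The krb5kdc_t rule in the @@ -166 hunk has the same shape and no filetrans at all. Either grant `manage_file_perms` on krb5kdc_lock_t and document the label drift, or state in a comment that the lock files are expected to pre-exist with their .fc label, e.g. `# lock files are only opened here; they are created by <creator> with the .fc label` with the creator filled in, so the assumption can be checked.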
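Review bot: `seutil_read_file_contexts(kadmind_t)` is added unconditionally in the @@ -118 hunk and then a second time inside the `optional_policy` block that holds `seutil_sigchld_newrole(kadmind_t)` in the @@ -138 hunk; the second copy is redundant and should go, since the unconditional one pairs with `selinux_validate_context(kadmind_t)` and the new setfscreate permission. The krb5kdc_t rules in the @@ -216 and @@ -235 hunks duplicate the same call in the same two places.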
>
> @@ -216,6 +243,9 @@
> files_read_usr_symlinks(krb5kdc_t)
> files_read_var_files(krb5kdc_t)
>
> +selinux_validate_context(krb5kdc_t)
> +seutil_read_file_contexts(krb5kdc_t)
> +
> libs_use_ld_so(krb5kdc_t)
> libs_use_shared_libs(krb5kdc_t)
>
> @@ -224,9 +254,9 @@
> miscfiles_read_localization(krb5kdc_t)
>
> sysnet_read_config(krb5kdc_t)
> +sysnet_use_ldap(krb5kdc_t)
>
> userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t)
> -
> sysadm_dontaudit_search_home_dirs(krb5kdc_t)
>
> optional_policy(`
> @@ -235,8 +265,49 @@
>
> optional_policy(`
> seutil_sigchld_newrole(krb5kdc_t)
> + seutil_read_file_contexts(krb5kdc_t)
> ')
>
> optional_policy(`
> udev_read_db(krb5kdc_t)
> ')
> +
> +########################################
> +#
> +# kpropd local policy
> +#
> +
> +allow kpropd_t self:capability net_bind_service;
> +allow kpropd_t self:fifo_file rw_file_perms;
> +allow kpropd_t self:unix_stream_socket create_stream_socket_perms;
> +allow kpropd_t self:tcp_socket create_stream_socket_perms;
> +
> +allow kpropd_t krb5_host_rcache_t:file rw_file_perms;
> +allow kpropd_t krb5_keytab_t:file read_file_perms;
> +
> +manage_files_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_principal_t)
> +
> +corecmd_exec_bin(kpropd_t)
> +
> +corenet_all_recvfrom_unlabeled(kpropd_t)
> +corenet_tcp_sendrecv_all_if(kpropd_t)
> +corenet_tcp_sendrecv_all_nodes(kpropd_t)
> +corenet_tcp_sendrecv_all_ports(kpropd_t)
> +corenet_tcp_bind_all_nodes(kpropd_t)
> +corenet_tcp_bind_kprop_port(kpropd_t)
> +
> +files_read_etc_files(kpropd_t)
> +files_search_tmp(kpropd_t)
> +
> +dev_read_urand(kpropd_t)
> +
> +libs_use_ld_so(kpropd_t)
> +libs_use_shared_libs(kpropd_t)
> +
> +logging_send_syslog_msg(kpropd_t)
> +
> +miscfiles_read_localization(kpropd_t)
> +
> +sysnet_dns_name_resolve(kpropd_t)
> +
> +kerberos_use(kpropd_t)
-- 
Chris PeBenito Tresys Technology, LLC (410) 290-1411 x150
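Review bot: kpropd_t gets no rule on krb5kdc_lock_t even though the .fc hunk labels `/var/kerberos/krb5kdc/from_master.*` with that type; if, as the name suggests, kpropd writes the from_master dump it receives, it can neither create nor open that file under the label the .fc assigns, and creating it through `manage_files_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_principal_t)` is denied as well, because with no filetrans the new file defaults to the directory's krb5kdc_conf_t label, on which kpropd has no create permission. A comment naming which files in the KDC directory kpropd actually writes would settle which type and which filetrans the domain needs. `corenet_tcp_sendrecv_all_ports(kpropd_t)` is also broader than a daemon listening on one port needs; once the kprop port type that the bind rule below it refers to exists, the sendrecv interface for that single port should replace the all-ports one.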