From: p.chifflier@inl.fr (Pierre Chifflier)
Date: Mon, 20 Oct 2008 18:23:58 +0200
Subject: [refpolicy] request for comments: policy for nufw and nuauth
Message-ID: <20081020162358.GB30642@piche.inl.fr>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hi,

I have tried to write policy modules for 2 applications I'm maintaining (and contributing to): nufw and nuauth.
Since these are my first policies, it would be great to have some feedback on the contents.

I would like to propose these modules for integration in the standard policy, if possible.

If you don't know nufw or nuauth, a few words of description:

- nufw uses the NFQUEUE target of iptables (and so, a nfnetlink socket) to receive packets in userspace. It will send the packets using a TLS connection to nuauth, the user authenticating daemon, wait for a decision, and apply it. This is the simplest of the 2 daemons.
- nuauth is the authentication daemon. It has several roles:
  - wait for connections from nufw daemons, receive packets, apply ACL (see later), and return verdict
  - wait for connections from nutcpc (clients), validate login/pass using PAM, and communicate with them
  - check ACL in a plain text file, or an LDAP server
  - log messages to syslog, MySQL, or PostgreSQL (depending on the loaded modules, and the configuration).
- nuauth and the clients use SASL for authentication, and TLS for all communications

The policy module for nuauth is not complete, I'm still working on it.

Any help/comment would be appreciated!

Thanks,
Pierre

-------------- next part --------------
A non-text attachment was scrubbed...
Name: nufw-selinux.tgz
Type: application/x-gtar
Size: 1914 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20081020/b76fa12e/attachment.gtar