From: srivasta@golden-gryphon.com (Manoj Srivastava) Date: Wed, 01 Jul 2009 10:54:48 -0500 Subject: [refpolicy] Initial Erlang Port Mapper Daemon (epmd) from Russell Coker Message-ID: <87zlboiek7.fsf@anzu.internal.golden-gryphon.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Hi, This came from Russell Cokers policy for Debian systems. manoj
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index 96887cf..a14bfd1 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -94,6 +94,7 @@ network_port(dhcpd, udp,67,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, t
 network_port(dict, tcp,2628,s0)
 network_port(distccd, tcp,3632,s0)
 network_port(dns, udp,53,s0, tcp,53,s0)
+network_port(epmd, tcp,4369,s0)
 network_port(fingerd, tcp,79,s0)
 network_port(ftp_data, tcp,20,s0)
 network_port(ftp, tcp,21,s0)
diff --git a/policy/modules/services/epmd.fc b/policy/modules/services/epmd.fc
new file mode 100644
index 0000000..c5925ef
--- /dev/null
+++ b/policy/modules/services/epmd.fc
@@ -0,0 +1 @@
+/usr/lib/erlang/erts-[^/]*/bin/epmd -- gen_context(system_u:object_r:epmd_exec_t,s0)
diff --git a/policy/modules/services/epmd.if b/policy/modules/services/epmd.if
new file mode 100644
index 0000000..1ce670c
--- /dev/null
+++ b/policy/modules/services/epmd.if
@@ -0,0 +1,29 @@
+## Erlang Port Mapper Daemon (epmd).
+
+########################################
+##
+## Execute epmd in the epmd domain, and
+## allow the specified role the epmd domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed the epmd domain.
+##
+##
+##
+#
+interface(`run_epmd',`
+ gen_require(`
+ type epmd_t, epmd_exec_t;
+ ')
+
+ domtrans_pattern($1, epmd_exec_t, epmd_t)
+ role $2 types epmd_t;
+ corenet_tcp_connect_epmd_port($1)
+')
+
diff --git a/policy/modules/services/epmd.te b/policy/modules/services/epmd.te
new file mode 100644
index 0000000..af3ca9e
--- /dev/null
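Review bot: The single file context `/usr/lib/erlang/erts-[^/]*/bin/epmd` in epmd.fc only matches the Debian layout; on distributions that install the Erlang runtime under a lib64 directory the binary would keep a generic label, the `init_daemon_domain` transition declared in epmd.te would never fire, and epmd would run in the init script's domain instead of epmd_t. Refpolicy file contexts normally cover both with an optional suffix, e.g. `/usr/lib(64)?/erlang/erts-[^/]*/bin/epmd -- gen_context(system_u:object_r:epmd_exec_t,s0)`.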
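Review bot: The interface in epmd.if is named `run_epmd`, but refpolicy interfaces carry the module name as prefix (every other call in this patch does: `nis_use_ypbind`, `init_daemon_domain`, `corenet_tcp_connect_epmd_port`), so it should be `epmd_run`. It also bundles three distinct grants — the domain transition, the role authorisation and `corenet_tcp_connect_epmd_port($1)` — so a daemon that only needs to exec epmd is also given a role rule, and a caller that only needs to reach port 4369 is given a domain transition; the conventional split is an `epmd_domtrans` interface, an `epmd_run` built on it, and callers requesting `corenet_tcp_connect_epmd_port` themselves. The `## <summary>`/`## <param>` XML documentation tags appear to have been stripped in this rendering, so whether the doc block is well-formed cannot be judged from here.
```m4
# … interface documentation (summary/param blocks) as in the original …
interface(`epmd_domtrans',`
	gen_require(`
		type epmd_t, epmd_exec_t;
	')

	domtrans_pattern($1, epmd_exec_t, epmd_t)
')

########################################
# … documentation for the run interface as in the original …
interface(`epmd_run',`
	gen_require(`
		type epmd_t;
	')

	epmd_domtrans($1)
	role $2 types epmd_t;
')
```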
+++ b/policy/modules/services/epmd.te
@@ -0,0 +1,52 @@
+
+policy_module(epmd, 1.7.1)
+
+########################################
+#
+# Declarations
+#
+
+##
+##

+## Allow the Erlang Port mapper to coordinate all nodes in distributed
+## computing. It also wants to run on single nodes so any daemon written in
+## Erlang will need it.
+##

+##
+
+type epmd_t;
+type epmd_exec_t;
+init_daemon_domain(epmd_t,epmd_exec_t)
+role system_r types epmd_t;
+
+########################################
+#
+# epmd local policy
+#
+
+allow epmd_t self:tcp_socket create_stream_socket_perms;
+#allow epmd_t self:udp_socket create_socket_perms;
+
+corenet_all_recvfrom_unlabeled(epmd_t)
+corenet_all_recvfrom_netlabel(epmd_t)
+corenet_tcp_bind_epmd_port(epmd_t)
+corenet_tcp_sendrecv_all_if(epmd_t)
+#corenet_udp_sendrecv_all_if(epmd_t)
+corenet_tcp_sendrecv_all_nodes(epmd_t)
+#corenet_udp_sendrecv_all_nodes(epmd_t)
+corenet_tcp_sendrecv_all_ports(epmd_t)
+#corenet_udp_sendrecv_all_ports(epmd_t)
+corenet_tcp_bind_all_nodes(epmd_t)
+#corenet_udp_bind_all_nodes(epmd_t)
+#corenet_tcp_connect_all_ports(epmd_t)
+#corenet_udp_bind_all_unreserved_ports(epmd_t)
+
+files_read_etc_files(epmd_t)
+
+libs_use_ld_so(epmd_t)
+libs_use_shared_libs(epmd_t)
+
+logging_send_syslog_msg(epmd_t)
+
+miscfiles_read_localization(epmd_t)
+
diff --git a/policy/modules/services/jabber.te b/policy/modules/services/jabber.te
index cec9c76..d5d9ef5 100644
--- a/policy/modules/services/jabber.te
+++ b/policy/modules/services/jabber.te
@@ -83,6 +87,10 @@ userdom_dontaudit_use_unpriv_user_fds(jabberd_t)
 userdom_dontaudit_search_user_home_dirs(jabberd_t)

 optional_policy(`
+ run_epmd(jabberd_t, system_r)
+')
+
+optional_policy(`
 nis_use_ypbind(jabberd_t)
 ')

-- 
This is the tomorrow you worried about yesterday. And now you know why. Manoj Srivastava 1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C
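Review bot: The epmd.te hunk ships a block of commented-out rules (`#allow epmd_t self:udp_socket create_socket_perms;`, the `#corenet_udp_*` lines and `#corenet_tcp_connect_all_ports(epmd_t)`) that are dead policy and should be deleted rather than committed; `corenet_tcp_connect_all_ports` in particular should not be left as a one-character toggle that would let a network-facing daemon open outbound connections to every port, when the rest of the block deliberately grants epmd_t only bind and sendrecv. `policy_module(epmd, 1.7.1)` also looks wrong for a brand-new module, since refpolicy starts new modules at 1.0.0: `policy_module(epmd, 1.0.0)`. Minor style: `init_daemon_domain(epmd_t,epmd_exec_t)` lacks the space after the comma that the same patch uses in `domtrans_pattern($1, epmd_exec_t, epmd_t)`. The module description's desc/p XML tags appear to have been stripped in this rendering, so the doc block's well-formedness cannot be judged from here.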
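Review bot: The hunk header `@@ -83,6 +87,10 @@` in jabber.te places the new side four lines below the old side before any of this hunk's additions, which implies earlier changes to jabber.te that are not part of this patch; as posted it may not apply cleanly to the tree the other hunks target. Separately, `run_epmd(jabberd_t, system_r)` gives a daemon domain a role-granting run interface although epmd.te already declares `role system_r types epmd_t;`, so the role argument adds nothing here and a plain domain-transition interface (`epmd_domtrans(jabberd_t)`) would state the intent more precisely; if the connect grant is split out of the run interface, jabberd_t would then need `corenet_tcp_connect_epmd_port(jabberd_t)` explicitly. The enclosing jabber.te policy block continues outside the hunk.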