From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Tue, 14 Jul 2009 09:34:23 -0400 Subject: [refpolicy] Initial Erlang Port Mapper Daemon (epmd) from RussellCoker In-Reply-To: <87zlboiek7.fsf@anzu.internal.golden-gryphon.com> References: <87zlboiek7.fsf@anzu.internal.golden-gryphon.com> Message-ID: <1247578463.31521.55.camel@gorn.columbia.tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Wed, 2009-07-01 at 11:54 -0400, Manoj Srivastava wrote: > Hi, > > This came from Russell Coker's policy for Debian systems. Is this complete? It seems short. Also the interface that is defined has an improper name. > diff --git a/policy/modules/kernel/corenetwork.te.in > b/policy/modules/kernel/corenetwork.te.in > index 96887cf..a14bfd1 100644 > --- a/policy/modules/kernel/corenetwork.te.in > +++ b/policy/modules/kernel/corenetwork.te.in > @@ -94,6 +94,7 @@ network_port(dhcpd, udp,67,s0, tcp,647,s0, > udp,647,s0, tcp,847,s0, udp,847,s0, t > network_port(dict, tcp,2628,s0) > network_port(distccd, tcp,3632,s0) > network_port(dns, udp,53,s0, tcp,53,s0) > +network_port(epmd, tcp,4369,s0) > network_port(fingerd, tcp,79,s0) > network_port(ftp_data, tcp,20,s0) > network_port(ftp, tcp,21,s0) > diff --git a/policy/modules/services/epmd.fc > b/policy/modules/services/epmd.fc > new file mode 100644 > index 0000000..c5925ef > --- /dev/null > +++ b/policy/modules/services/epmd.fc > @@ -0,0 +1 @@ > +/usr/lib/erlang/erts-[^/]*/bin/epmd -- > gen_context(system_u:object_r:epmd_exec_t,s0) > diff --git a/policy/modules/services/epmd.if > b/policy/modules/services/epmd.if > new file mode 100644 > index 0000000..1ce670c > --- /dev/null > +++ b/policy/modules/services/epmd.if 
> @@ -0,0 +1,29 @@ > +## Erlang Port Mapper Daemon (epmd). > + > +######################################## > +## > +## Execute epmd in the epmd domain, and > +## allow the specified role the epmd domain. > +## > +## > +## > +## Domain allowed access. > +## > +## > +## > +## > +## The role to be allowed the epmd domain. > +## > +## > +## > +# > +interface(`run_epmd',` > + gen_require(` > + type epmd_t, epmd_exec_t; > + ') > + > + domtrans_pattern($1, epmd_exec_t, epmd_t) > + role $2 types epmd_t; > + corenet_tcp_connect_epmd_port($1) > +') > + > diff --git a/policy/modules/services/epmd.te > b/policy/modules/services/epmd.te > new file mode 100644 > index 0000000..af3ca9e > --- /dev/null > +++ b/policy/modules/services/epmd.te > @@ -0,0 +1,52 @@ > + > +policy_module(epmd, 1.7.1) > + > +######################################## > +# > +# Declarations > +# > + > +## > +##

> +## Allow the Erlang Port mapper to coordinate all nodes in > distributed > +## computing. It also wants to run on single nodes so any daemon > written in > +## Erlang will need it. > +##

> +##
> + > +type epmd_t; > +type epmd_exec_t; > +init_daemon_domain(epmd_t,epmd_exec_t) > +role system_r types epmd_t; > + > +######################################## > +# > +# epmd local policy > +# > + > +allow epmd_t self:tcp_socket create_stream_socket_perms; > +#allow epmd_t self:udp_socket create_socket_perms; > + > +corenet_all_recvfrom_unlabeled(epmd_t) > +corenet_all_recvfrom_netlabel(epmd_t) > +corenet_tcp_bind_epmd_port(epmd_t) > +corenet_tcp_sendrecv_all_if(epmd_t) > +#corenet_udp_sendrecv_all_if(epmd_t) > +corenet_tcp_sendrecv_all_nodes(epmd_t) > +#corenet_udp_sendrecv_all_nodes(epmd_t) > +corenet_tcp_sendrecv_all_ports(epmd_t) > +#corenet_udp_sendrecv_all_ports(epmd_t) > +corenet_tcp_bind_all_nodes(epmd_t) > +#corenet_udp_bind_all_nodes(epmd_t) > +#corenet_tcp_connect_all_ports(epmd_t) > +#corenet_udp_bind_all_unreserved_ports(epmd_t) > + > +files_read_etc_files(epmd_t) > + > +libs_use_ld_so(epmd_t) > +libs_use_shared_libs(epmd_t) > + > +logging_send_syslog_msg(epmd_t) > + > +miscfiles_read_localization(epmd_t) > + > diff --git a/policy/modules/services/jabber.te > b/policy/modules/services/jabber.te > index cec9c76..d5d9ef5 100644 > --- a/policy/modules/services/jabber.te > +++ b/policy/modules/services/jabber.te > @@ -83,6 +87,10 @@ userdom_dontaudit_use_unpriv_user_fds(jabberd_t) > userdom_dontaudit_search_user_home_dirs(jabberd_t) > > optional_policy(` > + run_epmd(jabberd_t, system_r) > +') > + > +optional_policy(` > nis_use_ypbind(jabberd_t) > ') > > > > -- > This is the tomorrow you worried about yesterday. And now you know > why. > Manoj Srivastava > 1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 > 424C > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy > > -- Chris PeBenito Tresys Technology, LLC (410) 290-1411 x150