From: stefan@seekline.net (Stefan Schulze Frielinghaus)
Date: Mon, 16 Nov 2009 15:31:40 +0100
Subject: [refpolicy] services_nut.patch
In-Reply-To: <4AFC823D.3090202@redhat.com>
References: <4AFC823D.3090202@redhat.com>
Message-ID: <1258381900.5120.16.camel@localhost>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Thu, 2009-11-12 at 16:46 -0500, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F12/services_nut.patch
>
> nut policy.

Some time ago I wrote a policy for NUT too (see attachment). I guess you
tested your policy with a UPS connected via USB. Maybe we could merge
both policies because I tested mine with the SNMP module of NUT.

One note about your policy. Shouldn't we prefix all domains with "nut_"?
This would indicate that e.g. each executable comes from the NUT
project. Then we could also define one type for /var/run/nut (in my
policy it is just nut_var_run_t) because the three main domains
nut_upsd_t, nut_upsdrvctl_t and nut_upsmon_t write to the same location
and share e.g. a socket file. I would also like to introduce a type for
config files because clear text passwords are saved in there.

Your domain upsmon_t also needs to write to all terms because it
announces information via "wall". It also seems to miss the following
permissions which are needed if upsmon_t should execute /sbin/shutdown
(we still do not have a shutdown policy):

  files_rw_generic_pids(nut_upsmon_t)
  init_exec(nut_upsmon_t)
  init_rw_initctl(nut_upsmon_t)
  init_write_utmp(nut_upsmon_t)

What are your thoughts?

I tested my policy on CentOS 5.3 with a couple of dozen
restarts/shutdowns. Debugging restarts/shutdowns is hell ;-)

cheers,
Stefan
-------------- next part --------------
/etc/ups(/.*)?		gen_context(system_u:object_r:nut_conf_t,s0)

/sbin/apcsmart	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/bcmxcp	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/bcmxcp_usb	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/belkin	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/belkinunv	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/bestfcom	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/bestuferrups	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/bestups	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/blazer_ser	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/blazer_usb	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/cyberpower	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/dummy-ups	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/etapro	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/everups	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/gamatronic	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/genericups	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/isbmex	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/liebert	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/masterguard	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/megatec	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/megatec_usb	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/metasys	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/mge-shut	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/mge-utalk	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/microdowell	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/newmge-shut	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/oneac	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/optiups	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/powercom	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/powerman-pdu	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/powerpanel	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/rhino	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/richcomm_usb	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/safenet	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/skel	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/snmp-ups	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/solis	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/tripplite	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/tripplitesu	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/tripplite_usb	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/upscode2	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/upsdrvctl	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/usbhid-ups	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/victronups	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)

/usr/sbin/upsd	--	gen_context(system_u:object_r:nut_upsd_exec_t,s0)
/usr/sbin/upsmon	--	gen_context(system_u:object_r:nut_upsmon_exec_t,s0)

/var/run/nut(/.*)?	gen_context(system_u:object_r:nut_var_run_t,s0)

/var/www/nut-cgi-bin/upsimage.cgi	--	gen_context(system_u:object_r:httpd_nut_upscgi_script_exec_t,s0)
/var/www/nut-cgi-bin/upsset.cgi	--	gen_context(system_u:object_r:httpd_nut_upscgi_script_exec_t,s0)
/var/www/nut-cgi-bin/upsstats.cgi	--	gen_context(system_u:object_r:httpd_nut_upscgi_script_exec_t,s0)
-------------- next part --------------
policy_module(nut, 1.0.0)

########################################
#
# Declarations
#

type nut_upsdrvctl_t;
type nut_upsdrvctl_exec_t;
init_daemon_domain(nut_upsdrvctl_t, nut_upsdrvctl_exec_t)

type nut_upsd_t;
type nut_upsd_exec_t;
init_daemon_domain(nut_upsd_t, nut_upsd_exec_t)

type nut_upsmon_t;
type nut_upsmon_exec_t;
init_daemon_domain(nut_upsmon_t, nut_upsmon_exec_t)

type nut_conf_t;
files_config_file(nut_conf_t)

type nut_var_run_t;
files_pid_file(nut_var_run_t)

########################################
#
# Local policy for upsdrvctl
#

allow nut_upsdrvctl_t self:capability { dac_override kill setgid setuid };
allow nut_upsdrvctl_t self:process { sigchld signal signull };
allow nut_upsdrvctl_t self:fd use;
allow nut_upsdrvctl_t self:unix_dgram_socket { connect create write };
allow nut_upsdrvctl_t self:udp_socket create_socket_perms;
allow nut_upsdrvctl_t self:netlink_route_socket create_netlink_socket_perms;
allow nut_upsdrvctl_t nut_var_run_t:sock_file { create unlink setattr };

# /sbin/upsdrvctl executes other drivers
can_exec(nut_upsdrvctl_t, nut_upsdrvctl_exec_t)

read_files_pattern(nut_upsdrvctl_t, nut_conf_t, nut_conf_t)
manage_files_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t)

# /etc/nsswitch.conf
files_read_etc_files(nut_upsdrvctl_t)
files_read_usr_files(nut_upsdrvctl_t)
files_search_pids(nut_upsdrvctl_t)
files_search_usr(nut_upsdrvctl_t)

miscfiles_read_localization(nut_upsdrvctl_t)

# /etc/resolv.conf
sysnet_read_config(nut_upsdrvctl_t)

corecmd_search_bin(nut_upsdrvctl_t)

libs_read_lib_files(nut_upsdrvctl_t)

kernel_read_kernel_sysctls(nut_upsdrvctl_t)
kernel_sendrecv_unlabeled_association(nut_upsdrvctl_t)

init_sigchld(nut_upsdrvctl_t)

dev_read_urand(nut_upsdrvctl_t)
dev_rw_null(nut_upsdrvctl_t)

logging_send_syslog_msg(nut_upsdrvctl_t)

########################################
#
# Local policy for upsd
#

allow nut_upsd_t self:capability { setgid setuid };
allow nut_upsd_t self:netlink_route_socket create_netlink_socket_perms;
allow nut_upsd_t self:tcp_socket connected_stream_socket_perms;
allow nut_upsd_t nut_upsdrvctl_t:unix_stream_socket connectto;
allow nut_upsd_t nut_var_run_t:sock_file write;

read_files_pattern(nut_upsd_t, nut_conf_t, nut_conf_t)
manage_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)

# /etc/nsswitch.conf
files_read_etc_files(nut_upsd_t)
files_read_usr_files(nut_upsd_t)

miscfiles_read_localization(nut_upsd_t)

libs_read_lib_files(nut_upsd_t)

logging_send_syslog_msg(nut_upsd_t)

kernel_read_kernel_sysctls(nut_upsd_t)
kernel_sendrecv_unlabeled_association(nut_upsd_t)

corenet_tcp_bind_generic_port(nut_upsd_t)
corenet_tcp_bind_all_nodes(nut_upsd_t)

########################################
#
# Local policy for upsmon
#

allow nut_upsmon_t self:capability { dac_override dac_read_search setgid setuid };
allow nut_upsmon_t self:unix_dgram_socket { connect create write };
allow nut_upsmon_t self:tcp_socket create_socket_perms;
allow nut_upsmon_t self:netlink_route_socket create_netlink_socket_perms;
allow nut_upsmon_t self:fifo_file rw_fifo_file_perms;

read_files_pattern(nut_upsmon_t, nut_conf_t, nut_conf_t)
manage_files_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t)

# creates /etc/killpower
files_manage_etc_files(nut_upsmon_t)
files_search_usr(nut_upsmon_t)

corecmd_exec_bin(nut_upsmon_t)
corecmd_exec_shell(nut_upsmon_t)

miscfiles_read_localization(nut_upsmon_t)

libs_read_lib_files(nut_upsmon_t)

logging_send_syslog_msg(nut_upsmon_t)

# /etc/resolv.conf
sysnet_read_config(nut_upsmon_t)

kernel_read_kernel_sysctls(nut_upsmon_t)
kernel_read_system_state(nut_upsmon_t)
kernel_sendrecv_unlabeled_association(nut_upsmon_t)

corenet_tcp_connect_generic_port(nut_upsmon_t)

# /usr/bin/wall
init_read_utmp(nut_upsmon_t)
term_write_all_terms(nut_upsmon_t)

# /sbin/shutdown
files_rw_generic_pids(nut_upsmon_t)
init_exec(nut_upsmon_t)
init_rw_initctl(nut_upsmon_t)
init_write_utmp(nut_upsmon_t)

########################################
#
# Local policy for upscgi scripts
# requires httpd_enable_cgi and httpd_can_network_connect
#

apache_content_template(nut_upscgi)

read_files_pattern(httpd_nut_upscgi_script_t, nut_conf_t, nut_conf_t)

# /etc/resolv.conf
sysnet_read_config(httpd_nut_upscgi_script_t)
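
Added example, not part of the message above or of the attached policy: a small Python review check over the lines of the attached module that mention nut_conf_t (the type for the config files with clear text passwords) and nut_var_run_t (the shared /var/run/nut type), listing which domains are granted access to each. The function names and the embedded excerpt are constructed for illustration, and the "read"/"manage" labels are the interface-name prefixes, not the expanded permission sets.

```python
import re

# Constructed excerpt: the lines of the attached policy module that
# reference nut_conf_t or nut_var_run_t, embedded so the check runs offline.
POLICY = """\
allow nut_upsdrvctl_t nut_var_run_t:sock_file { create unlink setattr };
read_files_pattern(nut_upsdrvctl_t, nut_conf_t, nut_conf_t)
manage_files_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t)
allow nut_upsd_t nut_var_run_t:sock_file write;
read_files_pattern(nut_upsd_t, nut_conf_t, nut_conf_t)
manage_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
read_files_pattern(nut_upsmon_t, nut_conf_t, nut_conf_t)
manage_files_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t)
read_files_pattern(httpd_nut_upscgi_script_t, nut_conf_t, nut_conf_t)
"""

# <prefix>_files_pattern(domain, dir_type, file_type); prefix is read, manage, ...
PATTERN = re.compile(r"^(\w+?)_files_pattern\(\s*(\w+)\s*,\s*\w+\s*,\s*(\w+)\s*\)")
# allow source target:class perm;   or   allow source target:class { perms };
ALLOW = re.compile(r"^allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{([^}]*)\}|(\w+))\s*;")

def access_to(policy, target):
    """Map each source domain to its set of 'class:access' grants on target."""
    grants = {}
    for line in policy.splitlines():
        m = PATTERN.match(line.strip())
        if m and m.group(3) == target:
            grants.setdefault(m.group(2), set()).add("file:" + m.group(1))
            continue
        m = ALLOW.match(line.strip())
        if m and m.group(2) == target:
            perms = (m.group(4) or m.group(5)).split()
            grants.setdefault(m.group(1), set()).update(f"{m.group(3)}:{p}" for p in perms)
    return grants

def writers(policy, target):
    """Domains holding anything beyond read access on target."""
    return sorted(d for d, g in access_to(policy, target).items()
                  if any(not a.endswith(":read") for a in g))

if __name__ == "__main__":
    for t in ("nut_conf_t", "nut_var_run_t"):
        print(t, access_to(POLICY, t), "writers:", writers(POLICY, t))
```

On this excerpt the config type is read-only for all four domains, including the CGI script domain, while the three daemon domains all hold manage access on the shared runtime type.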