From: stefan@seekline.net (Stefan Schulze Frielinghaus)
Date: Sun, 22 Nov 2009 15:59:40 +0100
Subject: [refpolicy] services_nut.patch
In-Reply-To: <4B019ACD.4010406@redhat.com>
References: <4AFC823D.3090202@redhat.com>
    <1258381900.5120.16.camel@localhost> <4B019ACD.4010406@redhat.com>
Message-ID: <1258901980.2423.16.camel@localhost>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, 2009-11-16 at 13:32 -0500, Daniel J Walsh wrote:
> On 11/16/2009 09:31 AM, Stefan Schulze Frielinghaus wrote:
> > On Thu, 2009-11-12 at 16:46 -0500, Daniel J Walsh wrote:
> >> http://people.fedoraproject.org/~dwalsh/SELinux/F12/services_nut.patch
> >>
> >> nut policy.
> >
> > Some time ago I wrote a policy for NUT too (see attachment). I guess you
> > tested your policy with a UPS connected via USB. Maybe we could merge
> > both policies because I tested mine with the SNMP module of NUT.
> >
> > One note about your policy. Shouldn't we prefix all domains with "nut_"?
> > This would indicate that e.g. each executable comes from the NUT
> > project. Then we could also define one type for /var/run/nut (in my
> > policy it is just nut_var_run_t) because the three main domains
> > nut_upsd_t, nut_upsdrvctl_t and nut_upsmon_t write to the same location,
> > share e.g. a socket file.
> >
> > I would also like to introduce a type for config files because clear
> > text passwords are saved in there.
> >
> > Your domain upsmon_t needs also to write to all terms because it
> > announces information via "wall". It also seems to miss the following
> > permissions which are needed if upsmon_t should execute /sbin/shutdown
> > (we still do not have a shutdown policy):
> >
> > files_rw_generic_pids(nut_upsmon_t)
> > init_exec(nut_upsmon_t)
> > init_rw_initctl(nut_upsmon_t)
> > init_write_utmp(nut_upsmon_t)
> >
> > What are your thoughts?
> > I tested my policy on CentOS 5.3 with a couple of dozen
> > restarts/shutdowns. Debugging restarts/shutdowns is hell ;-)
> >
> > cheers,
> > Stefan
>
> Actually I believe Miroslav wrote this policy so I will forward this to him and you and he can work on consolidating the policies.
>
> I agree with your points and your naming is fine.

Hi Miroslav,

attached is the merged policy. Just a few questions left. In your
original policy you had the following rule

    corenet_tcp_connect_ups_port(upsmon_t)

I can't find any such port definition in refpolicy.

Another question, what is the intention of the following

    permissive upsd_t;
    permissive upsdrvctl_t;
    permissive upsmon_t;

Does that make the domain permissive by default? I'm unsure about these
ones.

cheers,
Stefan
-------------- next part --------------
/etc/ups(/.*)? gen_context(system_u:object_r:nut_conf_t,s0)
/sbin/apcsmart -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/bcmxcp -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/bcmxcp_usb -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/belkin -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/belkinunv -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/bestfcom -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/bestuferrups -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/bestups -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/blazer_ser -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/blazer_usb -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/cyberpower -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/dummy-ups -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/etapro -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/everups -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/gamatronic -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/genericups -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/isbmex -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/liebert -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/masterguard -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/megatec -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/megatec_usb -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/metasys -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/mge-shut -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/mge-utalk -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/microdowell -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/newmge-shut -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/oneac -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/optiups -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/powercom -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/powerman-pdu -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/powerpanel -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/rhino -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/richcomm_usb -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/safenet -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/skel -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/snmp-ups -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/solis -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/tripplite -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/tripplitesu -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/tripplite_usb -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/upscode2 -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/upsdrvctl -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/usbhid-ups -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/victronups -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/usr/sbin/upsd -- gen_context(system_u:object_r:nut_upsd_exec_t,s0)
/usr/sbin/upsmon -- gen_context(system_u:object_r:nut_upsmon_exec_t,s0)
/var/run/nut(/.*)? gen_context(system_u:object_r:nut_var_run_t,s0)
/var/www/nut-cgi-bin/upsimage\.cgi -- gen_context(system_u:object_r:httpd_nut_upscgi_script_exec_t,s0)
/var/www/nut-cgi-bin/upsset\.cgi -- gen_context(system_u:object_r:httpd_nut_upscgi_script_exec_t,s0)
/var/www/nut-cgi-bin/upsstats\.cgi -- gen_context(system_u:object_r:httpd_nut_upscgi_script_exec_t,s0)
-------------- next part --------------
## <summary>SELinux policy for NUT - Network UPS Tools</summary>

#####################################
## <summary>
##	Execute a domain transition to run upsd.
## </summary>
## <param name="domain">
## <summary>
##	Domain allowed to transition.
## </summary>
## </param>
#
interface(`nut_upsd_domtrans',`
	gen_require(`
		type nut_upsd_t, nut_upsd_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, nut_upsd_exec_t, nut_upsd_t)
')

####################################
## <summary>
##	Execute a domain transition to run upsmon.
## </summary>
## <param name="domain">
## <summary>
##	Domain allowed to transition.
## </summary>
## </param>
#
interface(`nut_upsmon_domtrans',`
	gen_require(`
		type nut_upsmon_t, nut_upsmon_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, nut_upsmon_exec_t, nut_upsmon_t)
')

####################################
## <summary>
##	Execute a domain transition to run upsdrvctl.
## </summary>
## <param name="domain">
## <summary>
##	Domain allowed to transition.
## </summary>
## </param>
#
interface(`nut_upsdrvctl_domtrans',`
	gen_require(`
		type nut_upsdrvctl_t, nut_upsdrvctl_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, nut_upsdrvctl_exec_t, nut_upsdrvctl_t)
')
-------------- next part --------------
policy_module(nut, 1.0.0)

########################################
#
# Declarations
#

type nut_upsdrvctl_t;
type nut_upsdrvctl_exec_t;
init_daemon_domain(nut_upsdrvctl_t, nut_upsdrvctl_exec_t)

type nut_upsd_t;
type nut_upsd_exec_t;
init_daemon_domain(nut_upsd_t, nut_upsd_exec_t)

type nut_upsmon_t;
type nut_upsmon_exec_t;
init_daemon_domain(nut_upsmon_t, nut_upsmon_exec_t)

type nut_conf_t;
files_config_file(nut_conf_t)

type nut_var_run_t;
files_pid_file(nut_var_run_t)

permissive nut_upsdrvctl_t;
permissive nut_upsd_t;
permissive nut_upsmon_t;

########################################
#
# Local policy for upsdrvctl
#

allow nut_upsdrvctl_t self:capability { dac_override kill setgid setuid };
allow nut_upsdrvctl_t self:process { sigchld signal signull };
allow nut_upsdrvctl_t self:fifo_file rw_fifo_file_perms;
allow nut_upsdrvctl_t self:fd use;
allow nut_upsdrvctl_t self:unix_dgram_socket { create_socket_perms sendto };
allow nut_upsdrvctl_t self:udp_socket create_socket_perms;
allow nut_upsdrvctl_t self:netlink_route_socket create_netlink_socket_perms;
allow nut_upsdrvctl_t nut_var_run_t:sock_file { create unlink setattr };
# /sbin/upsdrvctl executes other drivers
can_exec(nut_upsdrvctl_t, nut_upsdrvctl_exec_t)
read_files_pattern(nut_upsdrvctl_t, nut_conf_t, nut_conf_t)
manage_files_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t)
# /etc/nsswitch.conf
files_read_etc_files(nut_upsdrvctl_t)
files_read_usr_files(nut_upsdrvctl_t)
files_search_pids(nut_upsdrvctl_t)
files_search_usr(nut_upsdrvctl_t)
dev_rw_generic_usb_dev(nut_upsdrvctl_t)
miscfiles_read_localization(nut_upsdrvctl_t)
# /etc/resolv.conf
sysnet_read_config(nut_upsdrvctl_t)
corecmd_search_bin(nut_upsdrvctl_t)
libs_read_lib_files(nut_upsdrvctl_t)
kernel_read_kernel_sysctls(nut_upsdrvctl_t)
kernel_sendrecv_unlabeled_association(nut_upsdrvctl_t)
init_sigchld(nut_upsdrvctl_t)
dev_read_urand(nut_upsdrvctl_t)
dev_rw_null(nut_upsdrvctl_t)
logging_send_syslog_msg(nut_upsdrvctl_t)

########################################
#
# Local policy for upsd
#

allow nut_upsd_t self:capability { setgid setuid };
allow nut_upsd_t self:netlink_route_socket create_netlink_socket_perms;
allow nut_upsd_t self:tcp_socket connected_stream_socket_perms;
allow nut_upsd_t self:unix_dgram_socket { create_socket_perms sendto };
allow nut_upsd_t nut_upsdrvctl_t:unix_stream_socket connectto;
allow nut_upsd_t nut_var_run_t:sock_file write;
read_files_pattern(nut_upsd_t, nut_conf_t, nut_conf_t)
manage_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
# /etc/nsswitch.conf
files_read_etc_files(nut_upsd_t)
files_read_usr_files(nut_upsd_t)
miscfiles_read_localization(nut_upsd_t)
libs_read_lib_files(nut_upsd_t)
logging_send_syslog_msg(nut_upsd_t)
kernel_read_kernel_sysctls(nut_upsd_t)
kernel_sendrecv_unlabeled_association(nut_upsd_t)
corenet_tcp_bind_generic_port(nut_upsd_t)
corenet_tcp_bind_all_nodes(nut_upsd_t)

########################################
#
# Local policy for upsmon
#

allow nut_upsmon_t self:capability { dac_override dac_read_search setgid setuid };
allow nut_upsmon_t self:unix_dgram_socket { connect create write };
allow nut_upsmon_t self:tcp_socket create_socket_perms;
allow nut_upsmon_t self:unix_dgram_socket { create_socket_perms sendto };
allow nut_upsmon_t self:netlink_route_socket create_netlink_socket_perms;
allow nut_upsmon_t self:fifo_file rw_fifo_file_perms;
read_files_pattern(nut_upsmon_t, nut_conf_t, nut_conf_t)
manage_files_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t)
# creates /etc/killpower
files_manage_etc_files(nut_upsmon_t)
files_search_usr(nut_upsmon_t)
corecmd_exec_bin(nut_upsmon_t)
corecmd_exec_shell(nut_upsmon_t)
miscfiles_read_localization(nut_upsmon_t)
libs_read_lib_files(nut_upsmon_t)
logging_send_syslog_msg(nut_upsmon_t)
# /etc/resolv.conf
sysnet_read_config(nut_upsmon_t)
kernel_read_kernel_sysctls(nut_upsmon_t)
kernel_read_system_state(nut_upsmon_t)
kernel_sendrecv_unlabeled_association(nut_upsmon_t)
#corenet_tcp_connect_ups_port(nut_upsmon_t)
corenet_tcp_connect_generic_port(nut_upsmon_t)
# /usr/bin/wall
init_read_utmp(nut_upsmon_t)
term_write_all_terms(nut_upsmon_t)
# /sbin/shutdown
files_rw_generic_pids(nut_upsmon_t)
init_exec(nut_upsmon_t)
init_rw_initctl(nut_upsmon_t)
init_write_utmp(nut_upsmon_t)

########################################
#
# Local policy for upscgi scripts
# requires httpd_enable_cgi and httpd_can_network_connect
#

apache_content_template(nut_upscgi)
read_files_pattern(httpd_nut_upscgi_script_t, nut_conf_t, nut_conf_t)
# /etc/resolv.conf
sysnet_read_config(httpd_nut_upscgi_script_t)
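
A review aid for the two open points in this message, the `permissive` declarations and the generic-port rules standing in for the commented-out `corenet_tcp_connect_ups_port`, as an added example that is not part of the original post or of refpolicy. The names `audit_te`, `permissive_domains` and `SAMPLE_TE` are assumptions of this example; the sample is an excerpt constructed from the nut.te attachment above.

```python
import re

# Constructed excerpt: rules copied from the nut.te attachment above.
SAMPLE_TE = """\
policy_module(nut, 1.0.0)
type nut_upsd_t;
permissive nut_upsdrvctl_t;
permissive nut_upsd_t;
permissive nut_upsmon_t;
allow nut_upsd_t self:tcp_socket connected_stream_socket_perms;
corenet_tcp_bind_generic_port(nut_upsd_t)
corenet_tcp_bind_all_nodes(nut_upsd_t)
#corenet_tcp_connect_ups_port(nut_upsmon_t)
corenet_tcp_connect_generic_port(nut_upsmon_t)
"""

# "permissive <type>;" marks a single domain permissive: its denials are
# logged but not enforced, whatever the global enforcing mode is.
PERMISSIVE_RE = re.compile(r"^\s*permissive\s+(\w+)\s*;")
# corenet_*_generic_port() grants access to ports carrying the generic
# port_t label rather than to a port type defined for the service.
GENERIC_PORT_RE = re.compile(
    r"^\s*(corenet_(?:tcp|udp)_\w+_generic_port)\(\s*(\w+)\s*\)")


def audit_te(text):
    """Return findings as (line_no, kind, domain, detail) tuples."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0]  # drop comments: disabled rules don't count
        m = PERMISSIVE_RE.match(line)
        if m:
            findings.append((no, "permissive", m.group(1),
                             "denials logged, not enforced"))
            continue
        m = GENERIC_PORT_RE.match(line)
        if m:
            findings.append((no, "generic-port", m.group(2), m.group(1)))
    return findings


def permissive_domains(text):
    """Sorted list of domains the module declares permissive."""
    return sorted(d for _, kind, d, _ in audit_te(text) if kind == "permissive")


if __name__ == "__main__":
    for no, kind, domain, detail in audit_te(SAMPLE_TE):
        print(f"line {no}: {kind:12} {domain:16} {detail}")
```
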