From: mgrepl@redhat.com (Miroslav Grepl)
Date: Mon, 23 Nov 2009 14:05:59 +0100
Subject: [refpolicy] services_nut.patch
In-Reply-To: <1258901980.2423.16.camel@localhost>
References: <4AFC823D.3090202@redhat.com> <1258381900.5120.16.camel@localhost> <4B019ACD.4010406@redhat.com> <1258901980.2423.16.camel@localhost>
Message-ID: <4B0A88B7.1050903@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 11/22/2009 03:59 PM, Stefan Schulze Frielinghaus wrote:
> On Mon, 2009-11-16 at 13:32 -0500, Daniel J Walsh wrote:
>
>> On 11/16/2009 09:31 AM, Stefan Schulze Frielinghaus wrote:
>>
>>> On Thu, 2009-11-12 at 16:46 -0500, Daniel J Walsh wrote:
>>>
>>>> http://people.fedoraproject.org/~dwalsh/SELinux/F12/services_nut.patch
>>>>
>>>> nut policy.
>>>>
>>> Some time ago I wrote a policy for NUT too (see attachment). I guess you
>>> tested your policy with a UPS connected via USB. Maybe we could merge
>>> both policies because I tested mine with the SNMP module of NUT.
>>>
>>> One note about your policy. Shouldn't we prefix all domains with "nut_"?
>>> This would indicate that e.g. each executable comes from the NUT
>>> project. Then we could also define one type for /var/run/nut (in my
>>> policy it is just nut_var_run_t) because the three main domains
>>> nut_upsd_t, nut_upsdrvctl_t and nut_upsmon_t write to the same location,
>>> share e.g. a socket file.
>>>
>>> I would also like to introduce a type for config files because clear
>>> text passwords are saved in there.
>>>
>>> Your domain upsmon_t needs also to write to all terms because it
>>> announces information via "wall". It also seems to miss the following
>>> permissions which are needed if upsmon_t should execute /sbin/shutdown
>>> (we still do not have a shutdown policy):
>>>
>>> files_rw_generic_pids(nut_upsmon_t)
>>> init_exec(nut_upsmon_t)
>>> init_rw_initctl(nut_upsmon_t)
>>> init_write_utmp(nut_upsmon_t)
>>>
>>> What are your thoughts?
>>> I tested my policy on CentOS 5.3 with a couple of dozen
>>> restarts/shutdowns. Debugging restarts/shutdowns is hell ;-)
>>>
>>> cheers,
>>> Stefan
>>>
>> Actually I believe Miroslav wrote this policy so I will forward this to him and you and he can work on consolidating the policies.
>>
>> I agree with your points and your naming is fine.
>>
> Hi Miroslav,
>
> attached is the merged policy.

Hi Stefan,

> Just a few questions left. In your
> original policy you had the following rule
>
> corenet_tcp_connect_ups_port(upsmon_t)
>
> I can't find any such port definition in refpolicy.
>

+network_port(ups, tcp,3493,s0)

This is missing in the original patch.

> Another question, what is the intention of the following
>
> permissive upsd_t;
> permissive upsdrvctl_t;
> permissive upsmon_t;
>
> Does that make the domain permissive by default?

Yes, it does. We add new domains to permissive so we can fix all the AVCs without blocking the functionality of apps.

> I'm unsure about these
> ones.
>
> cheers,
> Stefan
>

Regards,
Miroslav