From: ssalley@likewise.com (Scott Salley) Date: Fri, 05 Mar 2010 10:50:58 -0800 Subject: [refpolicy] [PATCH 1/1] Initial Likewise Open support Message-ID: <4B915292.4000702@likewise.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Likewise Open allows Linux,Unix, and Mac machines to join Active Directory and securely authenticate users. Signed-off-by: Scott Salley --- policy/modules/services/likewise.fc | 72 +++++++++ policy/modules/services/likewise.if | 220 ++++++++++++++++++++++++++++ policy/modules/services/likewise.te | 273 +++++++++++++++++++++++++++++++++++ policy/modules/system/authlogin.if | 4 + 4 files changed, 569 insertions(+), 0 deletions(-) create mode 100644 policy/modules/services/likewise.fc create mode 100644 policy/modules/services/likewise.if create mode 100644 policy/modules/services/likewise.te diff --git a/policy/modules/services/likewise.fc b/policy/modules/services/likewise.fc new file mode 100644 index 0000000..2e4eb86 --- /dev/null +++ b/policy/modules/services/likewise.fc 
@@ -0,0 +1,72 @@
+
+#
+# /etc
+#
+/etc/rc\.d/init\.d/dcerpcd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/eventlogd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/lsassd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/lwiod -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/lwregd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/lwsmd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/netlogond -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/srvsvcd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+
+/etc/likewise-open(/.*)? gen_context(system_u:object_r:likewise_etc_t,s0)
+
+#
+# /usr
+#
+/usr/sbin/dcerpcd -- gen_context(system_u:object_r:dcerpcd_exec_t,s0)
+/usr/sbin/eventlogd -- gen_context(system_u:object_r:eventlogd_exec_t,s0)
+/usr/sbin/lsassd -- gen_context(system_u:object_r:lsassd_exec_t,s0)
+/usr/sbin/lwiod -- gen_context(system_u:object_r:lwiod_exec_t,s0)
+/usr/sbin/lwregd -- gen_context(system_u:object_r:lwregd_exec_t,s0)
+/usr/sbin/lwsmd -- gen_context(system_u:object_r:lwsmd_exec_t,s0)
+/usr/sbin/netlogond -- gen_context(system_u:object_r:netlogond_exec_t,s0)
+/usr/sbin/srvsvcd -- gen_context(system_u:object_r:srvsvcd_exec_t,s0)
+
+#
+# /var
+#
+/var/lib/likewise-open(/.*)? gen_context(system_u:object_r:likewise_var_lib_t,s0)
+/var/lib/likewise-open/db -d gen_context(system_u:object_r:likewise_var_lib_t,s0)
+/var/lib/likewise-open/run -d gen_context(system_u:object_r:likewise_var_lib_t,s0)
+/var/lib/likewise-open/rpc -d gen_context(system_u:object_r:likewise_var_lib_t,s0)
+
+/var/lib/likewise-open/krb5-affinity.conf -- gen_context(system_u:object_r:netlogond_var_lib_t, s0)
+
+/var/lib/likewise-open/db/lwi_events.db -- gen_context(system_u:object_r:eventlogd_var_lib_t,s0)
+
+/var/lib/likewise-open/run/rpcdep.dat -- gen_context(system_u:object_r:dcerpcd_var_lib_t, s0)
+
+/var/lib/likewise-open/rpc/epmapper -s gen_context(system_u:object_r:dcerpcd_var_socket_t, s0)
+
+/var/lib/likewise-open/rpc/lsass -s gen_context(system_u:object_r:lsassd_var_socket_t, s0)
+
+/var/lib/likewise-open/rpc/socket -s gen_context(system_u:object_r:dcerpcd_var_socket_t, s0)
+
+
+/var/run/lsassd.pid -- gen_context(system_u:object_r:lsassd_var_run_t,s0)
+/var/lib/likewise-open/db/sam\.db -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
+/var/lib/likewise-open/db/lsass-adcache\.db -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
+/var/lib/likewise-open/db/lsass-adstate\.filedb -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
+/var/lib/likewise-open/lsasd\.err -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
+/var/lib/likewise-open/\.lsassd -s gen_context(system_u:object_r:lsassd_var_socket_t,s0)
+
+/var/run/lwiod.pid -- gen_context(system_u:object_r:lwiod_var_run_t,s0)
+/var/lib/likewise-open/\.lwiod -s gen_context(system_u:object_r:lwiod_var_socket_t,s0)
+
+/var/run/lwregd.pid -- gen_context(system_u:object_r:lwregd_var_run_t,s0)
+/var/lib/likewise-open/\.regsd -s gen_context(system_u:object_r:lwregd_var_socket_t,s0)
+/var/lib/likewise-open/db/registry\.db -- gen_context(system_u:object_r:lwregd_var_lib_t,s0)
+/var/lib/likewise-open/regsd\.err -- gen_context(system_u:object_r:lwregd_var_lib_t,s0)
+
+/var/lib/likewise-open/\.lwsm -s gen_context(system_u:object_r:lwsmd_var_socket_t,s0)
+
+/var/run/netlogond.pid -- gen_context(system_u:object_r:netlogond_var_run_t,s0)
+/var/lib/likewise-open/\.netlogond -s gen_context(system_u:object_r:netlogond_var_socket_t,s0)
+/var/lib/likewise-open/LWNetsd\.err -- gen_context(system_u:object_r:netlogond_var_lib_t,s0)
+
+/var/run/srvsvcd.pid -- gen_context(system_u:object_r:srvsvcd_var_run_t,s0)
+
+/etc/likewise-open/likewise-krb5-ad.conf -- gen_context(system_u:object_r:likewise_krb5_ad_t,s0)
diff --git a/policy/modules/services/likewise.if b/policy/modules/services/likewise.if
new file mode 100644
index 0000000..cea6b44
--- /dev/null
+++ b/policy/modules/services/likewise.if
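Review bot: Several path regexes in this hunk leave `.` unescaped — `/var/run/lsassd.pid`, `/var/run/lwiod.pid`, `/var/run/lwregd.pid`, `/var/run/netlogond.pid`, `/var/run/srvsvcd.pid`, `krb5-affinity.conf`, `lwi_events.db`, `rpcdep.dat` and `likewise-krb5-ad.conf` — while the neighbouring `sam\.db` and `registry\.db` entries escape it, so the unescaped ones match any single character and should read like `/var/run/lsassd\.pid -- gen_context(system_u:object_r:lsassd_var_run_t,s0)`. The `.te` hunk declares `dcerpcd_var_run_t`, `eventlogd_var_run_t` and `lwsmd_var_run_t` but no `/var/run` entry here labels them, and `likewise_krb5_affinity_t` and `likewise_pstore_lock_t` are declared while `krb5-affinity.conf` is labelled `netlogond_var_lib_t`, so those types never appear on disk. `lsasd\.err` looks like a typo for `lsassd\.err` given the `\.lsassd` socket entry beside it — worth confirming against the daemon's real log file name. Minor style: the `/etc/likewise-open/likewise-krb5-ad.conf` entry at the end belongs in the `/etc` section, and `, s0` versus `,s0` spacing is inconsistent.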
@@ -0,0 +1,220 @@
+##
+## Likewise -- Active Directory support for UNIX
+##
+
+
+########################################
+##
+## Execute daemon in the likewise domain.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`likewise_initrc_domtrans',`
+ gen_require(`
+ type likewise_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, likewise_initrc_exec_t)
+')
+
+########################################
+##
+## Connect to dcerpcd.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`likewise_stream_connect_dcerpcd',`
+ gen_require(`
+ type likewise_var_lib_t, dcerpcd_var_socket_t, dcerpcd_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 likewise_var_lib_t:dir search_dir_perms;
+ allow $1 dcerpcd_var_socket_t:sock_file unlink;
+ stream_connect_pattern($1, dcerpcd_var_socket_t, dcerpcd_var_socket_t, dcerpcd_t)
+')
+
+########################################
+##
+## Connect to eventlogd.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`likewise_stream_connect_eventlogd',`
+ gen_require(`
+ type likewise_var_lib_t, eventlogd_var_socket_t, eventlogd_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 likewise_var_lib_t:dir search_dir_perms;
+ stream_connect_pattern($1, eventlogd_var_socket_t, eventlogd_var_socket_t, eventlogd_t)
+')
+
+########################################
+##
+## Connect to lsassd.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`likewise_stream_connect_lsassd',`
+ gen_require(`
+ type likewise_var_lib_t, lsassd_var_socket_t, lsassd_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 likewise_var_lib_t:dir search_dir_perms;
+ stream_connect_pattern($1, lsassd_var_socket_t, lsassd_var_socket_t, lsassd_t)
+')
+
+########################################
+##
+## Connect to lwiod.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`likewise_stream_connect_lwiod',`
+ gen_require(`
+ type likewise_var_lib_t, lwiod_var_socket_t, lwiod_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 likewise_var_lib_t:dir search_dir_perms;
+ stream_connect_pattern($1, lwiod_var_socket_t, lwiod_var_socket_t, lwiod_t)
+')
+
+########################################
+##
+## Connect to netlogond.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`likewise_stream_connect_netlogond',`
+ gen_require(`
+ type likewise_var_lib_t, netlogond_var_socket_t, netlogond_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 likewise_var_lib_t:dir search_dir_perms;
+ stream_connect_pattern($1, netlogond_var_socket_t, netlogond_var_socket_t, netlogond_t)
+')
+
+########################################
+##
+## Connect to lwregd.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`likewise_stream_connect_lwregd',`
+ gen_require(`
+ type likewise_var_lib_t, lwregd_var_socket_t, lwregd_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 likewise_var_lib_t:dir search_dir_perms;
+ stream_connect_pattern($1, lwregd_var_socket_t, lwregd_var_socket_t, lwregd_t)
+')
+
+########################################
+##
+## Read/write /etc/likewise-open.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`likewise_rw_etc',`
+ gen_require(`
+ type likewise_etc_t;
+ ')
+
+ allow $1 likewise_etc_t:dir search_dir_perms;
+ manage_files_pattern($1, likewise_etc_t, likewise_etc_t)
+')
+
+
+# This interace grants the likewise daemons a common set of rules.
+# daemon domain (lwregd_t): $1
+# daemon executable (lwregd_exec_t): $2
+# daemon pid (lwregd_var_run_t): $3
+# daemon client socket (lwregd_var_socket_t): $4
+# daemon privately managed files in /var/lib/likewise-open: $5
+interface(`likewise_daemon',`
+ gen_require(`
+ type likewise_etc_t, likewise_var_lib_t;
+ ')
+
+ # Mark $1 as domain and $2 as an entrypoint into that domain.
+ init_daemon_domain($1, $2)
+
+ # Mark $3 as a pid file and allow it to be creat/read/write by $1
+ files_pid_file($3)
+ manage_files_pattern($1, $3, $3)
+ files_pid_filetrans($1, $3, file)
+
+ # Mark $4 as a socket for client access
+ files_type($4)
+ filetrans_pattern($1,likewise_var_lib_t,$4, sock_file)
+ manage_sock_files_pattern($1,likewise_var_lib_t,$4)
+ manage_files_pattern($1,$4,$4)
+
+ # Mark $5 as files, privately managed under /var/lib/likewise-open
+ files_type($5)
+ allow $1 likewise_var_lib_t:dir manage_file_perms;
+ allow $1 $5:file manage_file_perms;
+ allow $1 $5:dir manage_dir_perms;
+ allow $1 $5:sock_file manage_sock_file_perms;
+
+ filetrans_pattern($1,likewise_var_lib_t,$5, {file dir})
+
+ allow $1 self:process { signal_perms getsched setsched };
+ allow $1 self:fifo_file rw_fifo_file_perms;
+ allow $1 self:unix_dgram_socket create_socket_perms;
+ allow $1 self:unix_stream_socket create_stream_socket_perms;
+ allow $1 $4:unix_stream_socket create_stream_socket_perms;
+ allow $1 self:tcp_socket create_stream_socket_perms;
+ allow $1 self:udp_socket create_socket_perms;
+
+ # Read /etc
+ files_read_etc_files($1)
+
+ # Permit use of syslog
+ logging_send_syslog_msg($1)
+
+ # Permit use of locale
+ miscfiles_read_localization($1)
+
+ # Permit use of dev random/urandom
+ dev_read_urand($1)
+ dev_read_rand($1)
+')
+
diff --git a/policy/modules/services/likewise.te b/policy/modules/services/likewise.te
new file mode 100644
index 0000000..cf59f42
--- /dev/null
+++ b/policy/modules/services/likewise.te
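Review bot: The six `likewise_stream_connect_*` interfaces call `files_search_pids($1)`, but the sockets they connect to live under `/var/lib/likewise-open` per the `.fc` hunk, so callers — including every domain that reaches `likewise_stream_connect_lsassd` through `auth_use_nsswitch` in the `authlogin.if` hunk — get search on `/var/run` they do not need and are never granted search on `var_lib_t` to reach `likewise_var_lib_t`; each should use `files_search_var_lib($1)` instead. `likewise_stream_connect_dcerpcd` additionally grants `allow $1 dcerpcd_var_socket_t:sock_file unlink;` to every client domain, which lets any client remove the daemon's endpoint; if the unlink is for dcerpcd's own restart it belongs in `likewise_daemon`, which already gives `$1` `manage_sock_files_pattern` on `$4`. In `likewise_daemon`, `allow $1 likewise_var_lib_t:dir manage_file_perms;` applies a file permission set to the `dir` class and reads like a typo for `manage_dir_perms`, and `allow $1 $4:unix_stream_socket create_stream_socket_perms;` targets a file type with a socket class, which appears to be dead. `likewise_daemon` also lacks the `##` summary/parameter documentation block the other interfaces carry (the plain `#` comment above it, with its "interace" typo, is not picked up by the interface documentation).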
@@ -0,0 +1,273 @@
+
+policy_module(likewise, 1.12.0)
+
+#################################
+#
+# Declarations
+#
+
+# dcerpcd domain:
+type dcerpcd_t;
+# The type of the /usr/sbin/dcerpcd executable:
+type dcerpcd_exec_t;
+# PID file /var/run/dcerpcd.pid
+type dcerpcd_var_run_t;
+# Socket for client access /var/lib/likewise-open/. FIXME
+type dcerpcd_var_socket_t;
+# dcerpcd specific files
+type dcerpcd_var_lib_t;
+
+likewise_daemon(dcerpcd_t, dcerpcd_exec_t, dcerpcd_var_run_t,dcerpcd_var_socket_t,dcerpcd_var_lib_t)
+
+corenet_tcp_bind_generic_node(dcerpcd_t)
+corenet_tcp_bind_reserved_port(dcerpcd_t)
+corenet_tcp_connect_generic_port(dcerpcd_t)
+corenet_udp_bind_generic_node(dcerpcd_t)
+corenet_udp_bind_reserved_port(dcerpcd_t)
+
+# Permit use of Likewise Open Registry
+likewise_stream_connect_lwregd(dcerpcd_t)
+
+
+# eventlogd domain:
+type eventlogd_t;
+# The type of the /usr/sbin/eventlogd executable:
+type eventlogd_exec_t;
+# PID file /var/run/eventlogd.pid
+type eventlogd_var_run_t;
+# Socket for client access /var/lib/likewise-open/. FIXME
+type eventlogd_var_socket_t;
+# dcerpcd specific files
+type eventlogd_var_lib_t;
+
+likewise_daemon(eventlogd_t,eventlogd_exec_t,eventlogd_var_run_t,eventlogd_var_socket_t,eventlogd_var_lib_t)
+
+corenet_tcp_bind_generic_node(eventlogd_t)
+corenet_tcp_bind_reserved_port(eventlogd_t)
+corenet_udp_bind_generic_node(eventlogd_t)
+corenet_udp_bind_reserved_port(eventlogd_t)
+
+likewise_stream_connect_lwregd(eventlogd_t)
+likewise_stream_connect_dcerpcd(eventlogd_t)
+
+
+
+# lsassd domain:
+type lsassd_t;
+# The type of the /usr/sbin/lsassd executable:
+type lsassd_exec_t;
+# PID file /var/run/lsassd.pid
+type lsassd_var_run_t;
+# Socket for client access /var/lib/likewise-open/.lsassd
+type lsassd_var_socket_t;
+# lsassd specific files
+type lsassd_var_lib_t;
+
+likewise_daemon(lsassd_t,lsassd_exec_t,lsassd_var_run_t,lsassd_var_socket_t,lsassd_var_lib_t)
+
+allow lsassd_t self:capability {fowner chown fsetid dac_override sys_time};
+allow lsassd_t self:unix_stream_socket {create_stream_socket_perms connectto};
+allow lsassd_t self:netlink_route_socket rw_netlink_socket_perms;
+# Because lsassd calls access(), we need these two
+corecmd_exec_bin(lsassd_t);
+corecmd_exec_shell(lsassd_t);
+
+kerberos_use(lsassd_t)
+
+corenet_tcp_connect_reserved_port(lsassd_t)
+corenet_tcp_sendrecv_all_reserved_ports(lsassd_t)
+sysnet_use_ldap(lsassd_t)
+sysnet_read_config(lsassd_t)
+
+kernel_read_system_state(lsassd_t)
+kernel_getattr_proc_files(lsassd_t)
+kernel_list_all_proc(lsassd_t)
+kernel_list_proc(lsassd_t)
+
+files_manage_generic_tmp_dirs(lsassd_t)
+files_manage_generic_tmp_files(lsassd_t)
+gen_require(`
+ type krb5_keytab_t;
+')
+allow lsassd_t krb5_keytab_t:file {read lock getattr write open};
+
+domain_obj_id_change_exemption(lsassd_t)
+selinux_get_fs_mount(lsassd_t)
+selinux_validate_context(lsassd_t)
+seutil_read_config(lsassd_t)
+seutil_read_default_contexts(lsassd_t)
+seutil_read_file_contexts(lsassd_t)
+seutil_run_semanage(lsassd_t, lsassd_t)
+
+userdom_home_filetrans_user_home_dir(lsassd_t)
+userdom_manage_home_role(system_r, lsassd_t)
+#gen_require(`
+# type home_root_t;
+#')
+allow lsassd_t home_root_t:dir relabelto;
+
+likewise_stream_connect_lwregd(lsassd_t)
+likewise_stream_connect_netlogond(lsassd_t)
+likewise_stream_connect_lwiod(lsassd_t)
+likewise_stream_connect_eventlogd(lsassd_t)
+likewise_stream_connect_dcerpcd(lsassd_t)
+
+likewise_rw_etc(lsassd_t)
+files_manage_etc_files(lsassd_t)
+files_manage_etc_symlinks(lsassd_t)
+files_manage_etc_runtime_files(lsassd_t)
+allow lsassd_t netlogond_var_lib_t:file read_file_perms;
+allow lsassd_t likewise_krb5_ad_t:file read_file_perms;
+
+#
+# lwiod domain:
+#
+type lwiod_t;
+# The type of the /usr/sbin/lwiod executable:
+type lwiod_exec_t;
+# PID file /var/run/lwiod.pid
+type lwiod_var_run_t;
+# Socket for client access /var/lib/likewise-open/.lwiod
+type lwiod_var_socket_t;
+# lwiod specific files
+type lwiod_var_lib_t;
+
+likewise_daemon(lwiod_t,lwiod_exec_t,lwiod_var_run_t,lwiod_var_socket_t,lwiod_var_lib_t)
+
+
+kerberos_rw_config(lwiod_t)
+kerberos_use(lwiod_t)
+allow lwiod_t likewise_krb5_ad_t:file read_file_perms;
+allow lwiod_t netlogond_var_lib_t:file read_file_perms;
+
+corenet_tcp_bind_generic_node(lwiod_t)
+corenet_tcp_bind_smbd_port(lwiod_t)
+corenet_tcp_connect_smbd_port(lwiod_t)
+allow lwiod_t self:netlink_route_socket rw_netlink_socket_perms;
+
+sysnet_read_config(lwiod_t)
+
+likewise_stream_connect_lwregd(lwiod_t)
+likewise_stream_connect_lsassd(lwiod_t)
+
+
+# lwregd domain
+type lwregd_t;
+# The type of the /usr/sbin/lwregd executable:
+type lwregd_exec_t;
+# PID file /var/run/lwregd.pid
+type lwregd_var_run_t;
+# Socket for client access /var/lib/likewise-open/.regsd
+type lwregd_var_socket_t;
+# Registry specific files, like /var/run/likewise-open/db/regcache.db
+type lwregd_var_lib_t;
+
+likewise_daemon(lwregd_t,lwregd_exec_t,lwregd_var_run_t,lwregd_var_socket_t,lwregd_var_lib_t)
+
+# lwsmd domain:
+type lwsmd_t;
+# The type of the /usr/sbin/lwsmd executable:
+type lwsmd_exec_t;
+# PID file /var/run/??.pid
+type lwsmd_var_run_t;
+# Socket for client access /var/lib/likewise-open/.lwsm
+type lwsmd_var_socket_t;
+# Netlogond specific files
+type lwsmd_var_lib_t;
+
+likewise_daemon(lwsmd_t,lwsmd_exec_t,lwsmd_var_run_t,lwsmd_var_socket_t,lwsmd_var_lib_t)
+
+corenet_tcp_bind_generic_node(lwsmd_t)
+corenet_tcp_bind_reserved_port(lwsmd_t)
+corenet_tcp_bind_smbd_port(lwsmd_t)
+corenet_udp_bind_generic_node(lwsmd_t)
+corenet_udp_bind_reserved_port(lwsmd_t)
+likewise_rw_etc(lwsmd_t)
+
+likewise_stream_connect_lwiod(lwsmd_t)
+likewise_stream_connect_lwregd(lwsmd_t)
+
+# When lwsmd starts the daemons, transition to their context:
+domtrans_pattern(lwsmd_t,dcerpcd_exec_t,dcerpcd_t)
+domtrans_pattern(lwsmd_t,eventlogd_exec_t,eventlogd_t)
+domtrans_pattern(lwsmd_t,lsassd_exec_t,lsassd_t)
+domtrans_pattern(lwsmd_t,lwiod_exec_t,lwiod_t)
+domtrans_pattern(lwsmd_t,lwregd_exec_t,lwregd_t)
+domtrans_pattern(lwsmd_t,netlogond_exec_t,netlogond_t)
+domtrans_pattern(lwsmd_t,srvsvcd_exec_t,srvsvcd_t)
+
+allow lwsmd_t dcerpcd_t:process { signal siginh rlimitinh noatsecure };
+allow lwsmd_t eventlogd_t:process { signal siginh rlimitinh noatsecure };
+allow lwsmd_t lsassd_t:process { signal siginh rlimitinh noatsecure };
+allow lwsmd_t lwiod_t:process { signal siginh rlimitinh noatsecure };
+allow lwsmd_t lwregd_t:process { signal siginh rlimitinh noatsecure };
+allow lwsmd_t netlogond_t:process { signal siginh rlimitinh noatsecure };
+allow lwsmd_t srvsvcd_t:process { signal siginh rlimitinh noatsecure };
+
+# netlogond domain:
+type netlogond_t;
+# The type of the /usr/sbin/netlogond executable:
+type netlogond_exec_t;
+# PID file /var/run/??.pid
+type netlogond_var_run_t;
+# Socket for client access /var/lib/likewise-open/.netlogond
+type netlogond_var_socket_t;
+# Netlogond specific files
+type netlogond_var_lib_t;
+
+likewise_daemon(netlogond_t,netlogond_exec_t,netlogond_var_run_t,netlogond_var_socket_t,netlogond_var_lib_t)
+
+allow netlogond_t self:capability {dac_override};
+
+sysnet_dns_name_resolve(netlogond_t)
+sysnet_use_ldap(netlogond_t)
+
+likewise_stream_connect_lwregd(netlogond_t)
+
+likewise_rw_etc(netlogond_t)
+
+#
+# srvsvcd domain:
+#
+type srvsvcd_t;
+# The type of the /usr/sbin/srvsvcd executable:
+type srvsvcd_exec_t;
+# PID file /var/run/??.pid
+type srvsvcd_var_run_t;
+# Socket for client access /var/lib/likewise-open/.
+type srvsvcd_var_socket_t;
+# This may not actually exist
+type srvsvcd_var_lib_t;
+
+likewise_daemon(srvsvcd_t,srvsvcd_exec_t,srvsvcd_var_run_t,srvsvcd_var_socket_t,srvsvcd_var_lib_t)
+
+corenet_tcp_bind_generic_node(srvsvcd_t)
+corenet_tcp_bind_reserved_port(srvsvcd_t)
+
+kerberos_use(srvsvcd_t)
+
+allow srvsvcd_t likewise_etc_t:dir search_dir_perms;
+
+likewise_stream_connect_lwregd(srvsvcd_t)
+likewise_stream_connect_dcerpcd(srvsvcd_t)
+likewise_stream_connect_lwiod(srvsvcd_t)
+
+
+type likewise_etc_t;
+files_config_file(likewise_etc_t)
+
+type likewise_initrc_exec_t;
+init_script_file(likewise_initrc_exec_t)
+
+type likewise_var_lib_t;
+files_type(likewise_var_lib_t)
+
+type likewise_pstore_lock_t;
+files_type(likewise_pstore_lock_t)
+
+type likewise_krb5_ad_t;
+files_type(likewise_krb5_ad_t)
+
+type likewise_krb5_affinity_t;
+files_type(likewise_krb5_affinity_t)
+
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index b193dd8..499093a 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -1414,6 +1414,10 @@ interface(`auth_use_nsswitch',`
 samba_stream_connect_winbind($1)
 samba_read_var_files($1)
 ')
+
+ optional_policy(`
+ likewise_stream_connect_lsassd($1)
+ ')
 ')
 
 ########################################
-- 1.6.3.3
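Review bot: `seutil_run_semanage(lsassd_t, lsassd_t)` passes a domain as the second argument where that interface takes the role that may enter the semanage domain (the `userdom_manage_home_role(system_r, lsassd_t)` call just below shows the expected shape); it should read `seutil_run_semanage(lsassd_t, system_r)`, and since this lets an authentication daemon modify the loaded policy it deserves a comment stating why it is needed. `corecmd_exec_bin(lsassd_t);` and `corecmd_exec_shell(lsassd_t);` carry trailing semicolons that no other interface call in the module has and that are left over as stray tokens after m4 expansion. `allow lsassd_t home_root_t:dir relabelto;` only builds because `home_root_t` happens to be required by another interface's `gen_require`, its own being commented out — restore the `gen_require(` block or route this through a userdom interface. The raw `gen_require` on `krb5_keytab_t` with a direct `allow ... {read lock getattr write open}` bypasses the kerberos module's interfaces (`kerberos_read_keytab` exists; a read-write variant would belong in kerberos.if), and `files_manage_etc_files`, `files_manage_etc_symlinks` and `corenet_tcp_bind_reserved_port` on several daemons grant far more than the specific files and ports the comments describe. `policy_module(likewise, 1.12.0)` should start at `1.0.0` for a new module, and `likewise_pstore_lock_t` and `likewise_krb5_affinity_t` are declared but never referenced.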