From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Mon, 08 Mar 2010 08:40:17 -0500 Subject: [refpolicy] [PATCH 1/1] Likewise policy In-Reply-To: <4B91B87B.9010001@likewise.com> References: <4B91B87B.9010001@likewise.com> Message-ID: <1268055617.4155.1.camel@gorn.columbia.tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Fri, 2010-03-05 at 18:05 -0800, Scott Salley wrote: > Resubmitting Likewise policy with suggested changes. The likewise_daemon() interface should turn into a template like rpc_domain_template(). > Signed-off-by: Scott Salley > --- > policy/modules/services/likewise.fc | 65 ++++++++ > policy/modules/services/likewise.if | 231 ++++++++++++++++++++++++++++ > policy/modules/services/likewise.te | 286 +++++++++++++++++++++++++++++++++++ > policy/modules/system/authlogin.if | 4 + > 4 files changed, 586 insertions(+), 0 deletions(-) > create mode 100644 policy/modules/services/likewise.fc > create mode 100644 policy/modules/services/likewise.if > create mode 100644 policy/modules/services/likewise.te >
> diff --git a/policy/modules/services/likewise.fc b/policy/modules/services/likewise.fc
> new file mode 100644
> index 0000000..d065e58
> --- /dev/null
> +++ b/policy/modules/services/likewise.fc
> @@ -0,0 +1,65 @@
> +
> +/etc/rc\.d/init\.d/dcerpcd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
> +/etc/rc\.d/init\.d/eventlogd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
> +/etc/rc\.d/init\.d/lsassd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
> +/etc/rc\.d/init\.d/lwiod -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
> +/etc/rc\.d/init\.d/lwregd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
> +/etc/rc\.d/init\.d/lwsmd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
> +/etc/rc\.d/init\.d/netlogond -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
> +/etc/rc\.d/init\.d/srvsvcd -- gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
> +
> +/etc/likewise-open(/.*)? gen_context(system_u:object_r:likewise_etc_t,s0)
> +
> +
> +/usr/sbin/dcerpcd -- gen_context(system_u:object_r:dcerpcd_exec_t,s0)
> +/usr/sbin/eventlogd -- gen_context(system_u:object_r:eventlogd_exec_t,s0)
> +/usr/sbin/lsassd -- gen_context(system_u:object_r:lsassd_exec_t,s0)
> +/usr/sbin/lwiod -- gen_context(system_u:object_r:lwiod_exec_t,s0)
> +/usr/sbin/lwregd -- gen_context(system_u:object_r:lwregd_exec_t,s0)
> +/usr/sbin/lwsmd -- gen_context(system_u:object_r:lwsmd_exec_t,s0)
> +/usr/sbin/netlogond -- gen_context(system_u:object_r:netlogond_exec_t,s0)
> +/usr/sbin/srvsvcd -- gen_context(system_u:object_r:srvsvcd_exec_t,s0)
> +
> +
> +/var/lib/likewise-open(/.*)? gen_context(system_u:object_r:likewise_var_lib_t,s0)
> +/var/lib/likewise-open/db -d gen_context(system_u:object_r:likewise_var_lib_t,s0)
> +/var/lib/likewise-open/run -d gen_context(system_u:object_r:likewise_var_lib_t,s0)
> +/var/lib/likewise-open/rpc -d gen_context(system_u:object_r:likewise_var_lib_t,s0)
> +
> +/var/lib/likewise-open/krb5-affinity.conf -- gen_context(system_u:object_r:netlogond_var_lib_t, s0)
> +
> +/var/lib/likewise-open/db/lwi_events.db -- gen_context(system_u:object_r:eventlogd_var_lib_t,s0)
> +
> +/var/lib/likewise-open/run/rpcdep.dat -- gen_context(system_u:object_r:dcerpcd_var_lib_t, s0)
> +
> +/var/lib/likewise-open/rpc/epmapper -s gen_context(system_u:object_r:dcerpcd_var_socket_t, s0)
> +
> +/var/lib/likewise-open/rpc/lsass -s gen_context(system_u:object_r:lsassd_var_socket_t, s0)
> +
> +/var/lib/likewise-open/rpc/socket -s gen_context(system_u:object_r:dcerpcd_var_socket_t, s0)
> +
> +
> +/var/run/lsassd.pid -- gen_context(system_u:object_r:lsassd_var_run_t,s0)
> +/var/lib/likewise-open/db/sam\.db -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
> +/var/lib/likewise-open/db/lsass-adcache\.db -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
> +/var/lib/likewise-open/db/lsass-adstate\.filedb -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
> +/var/lib/likewise-open/lsasd\.err -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
> +/var/lib/likewise-open/\.lsassd -s gen_context(system_u:object_r:lsassd_var_socket_t,s0)
> +
> +/var/run/lwiod.pid -- gen_context(system_u:object_r:lwiod_var_run_t,s0)
> +/var/lib/likewise-open/\.lwiod -s gen_context(system_u:object_r:lwiod_var_socket_t,s0)
> +
> +/var/run/lwregd.pid -- gen_context(system_u:object_r:lwregd_var_run_t,s0)
> +/var/lib/likewise-open/\.regsd -s gen_context(system_u:object_r:lwregd_var_socket_t,s0)
> +/var/lib/likewise-open/db/registry\.db -- gen_context(system_u:object_r:lwregd_var_lib_t,s0)
> +/var/lib/likewise-open/regsd\.err -- gen_context(system_u:object_r:lwregd_var_lib_t,s0)
> +
> +/var/lib/likewise-open/\.lwsm -s gen_context(system_u:object_r:lwsmd_var_socket_t,s0)
> +
> +/var/run/netlogond.pid -- gen_context(system_u:object_r:netlogond_var_run_t,s0)
> +/var/lib/likewise-open/\.netlogond -s gen_context(system_u:object_r:netlogond_var_socket_t,s0)
> +/var/lib/likewise-open/LWNetsd\.err -- gen_context(system_u:object_r:netlogond_var_lib_t,s0)
> +
> +/var/run/srvsvcd.pid -- gen_context(system_u:object_r:srvsvcd_var_run_t,s0)
> +
> +/etc/likewise-open/likewise-krb5-ad.conf -- gen_context(system_u:object_r:likewise_krb5_ad_t,s0)
> diff --git a/policy/modules/services/likewise.if b/policy/modules/services/likewise.if
> new file mode 100644
> index 0000000..9294528
> --- /dev/null
> +++ b/policy/modules/services/likewise.if
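Review bot: `/var/lib/likewise-open/krb5-affinity.conf` is labelled `netlogond_var_lib_t` here, while the .te hunk declares `likewise_krb5_affinity_t` (and `likewise_pstore_lock_t`) and neither type labels any path or appears in a rule; either label the file `gen_context(system_u:object_r:likewise_krb5_affinity_t,s0)` and give lsassd_t/lwiod_t read access on that type in place of their `netlogond_var_lib_t:file read_file_perms` rules, or drop the two unused declarations. The entries `/var/run/lsassd.pid`, `lwiod.pid`, `lwregd.pid`, `netlogond.pid`, `srvsvcd.pid`, `krb5-affinity.conf`, `lwi_events.db`, `rpcdep.dat` and `likewise-krb5-ad.conf` are regular expressions, so their dots should be escaped the way `sam\.db` and `registry\.db` already are, e.g. `/var/run/lsassd\.pid -- gen_context(system_u:object_r:lsassd_var_run_t,s0)`. `dcerpcd_var_run_t`, `eventlogd_var_run_t` and `lwsmd_var_run_t` are declared and handed to `likewise_daemon`, which sets up a pid-file transition for them, yet no `/var/run` entry exists for those three daemons; if they write pid files the entries are missing, otherwise those types are dead. The `gen_context(..., s0)` spacing is also inconsistent between entries (`, s0)` and `,s0)`).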
> @@ -0,0 +1,231 @@
> +## Likewise policy.
> +
> +########################################
> +##
> +## Execute daemon in the likewise domain.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`likewise_initrc_domtrans',`
> + gen_require(`
> + type likewise_initrc_exec_t;
> + ')
> +
> + init_labeled_script_domtrans($1, likewise_initrc_exec_t)
> +')
> +
> +########################################
> +##
> +## Connect to dcerpcd.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`likewise_stream_connect_dcerpcd',`
> + gen_require(`
> + type likewise_var_lib_t, dcerpcd_var_socket_t, dcerpcd_t;
> + ')
> +
> + files_search_pids($1)
> + stream_connect_pattern($1, likewise_var_lib_t, dcerpcd_var_socket_t, dcerpcd_t)
> +')
> +
> +########################################
> +##
> +## Connect to eventlogd.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`likewise_stream_connect_eventlogd',`
> + gen_require(`
> + type likewise_var_lib_t, eventlogd_var_socket_t, eventlogd_t;
> + ')
> +
> + files_search_pids($1)
> + stream_connect_pattern($1, likewise_var_lib_t, eventlogd_var_socket_t, eventlogd_t)
> +')
> +
> +########################################
> +##
> +## Connect to lsassd.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`likewise_stream_connect_lsassd',`
> + gen_require(`
> + type likewise_var_lib_t, lsassd_var_socket_t, lsassd_t;
> + ')
> +
> + files_search_pids($1)
> + stream_connect_pattern($1, likewise_var_lib_t, lsassd_var_socket_t, lsassd_t)
> +')
> +
> +########################################
> +##
> +## Connect to lwiod.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`likewise_stream_connect_lwiod',`
> + gen_require(`
> + type likewise_var_lib_t, lwiod_var_socket_t, lwiod_t;
> + ')
> +
> + files_search_pids($1)
> + stream_connect_pattern($1, likewise_var_lib_t, lwiod_var_socket_t, lwiod_t)
> +')
> +
> +########################################
> +##
> +## Connect to netlogond.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`likewise_stream_connect_netlogond',`
> + gen_require(`
> + type likewise_var_lib_t, netlogond_var_socket_t, netlogond_t;
> + ')
> +
> + files_search_pids($1)
> + stream_connect_pattern($1, likewise_var_lib_t, netlogond_var_socket_t, netlogond_t)
> +')
> +
> +########################################
> +##
> +## Connect to lwregd.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`likewise_stream_connect_lwregd',`
> + gen_require(`
> + type likewise_var_lib_t, lwregd_var_socket_t, lwregd_t;
> + ')
> +
> + files_search_pids($1)
> + stream_connect_pattern($1, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t)
> +')
> +
> +########################################
> +##
> +## Manage /etc/likewise-open.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`likewise_manage_etc_files',`
> + gen_require(`
> + type likewise_etc_t;
> + ')
> +
> + allow $1 likewise_etc_t:dir search_dir_perms;
> + manage_files_pattern($1, likewise_etc_t, likewise_etc_t)
> +')
> +
> +########################################
> +##
> +## Grant likewise daemons a common set of rules
> +##
> +##
> +##
> +## Domain of daemon process.
> +##
> +##
> +##
> +##
> +## Type of daemon executable files.
> +##
> +##
> +##
> +##
> +## Type of pid file created by daemon.
> +##
> +##
> +##
> +##
> +## Type of daemon communication socket.
> +##
> +##
> +##
> +##
> +## Files managed by the daemon.
> +##
> +##
> +interface(`likewise_daemon',`
> + gen_require(`
> + type likewise_etc_t, likewise_var_lib_t;
> + ')
> +
> + # Mark $1 as domain and $2 as an entrypoint into that domain.
> + init_daemon_domain($1, $2)
> +
> + # Mark $3 as a pid file and allow it to be creat/read/write by $1
> + files_pid_file($3)
> + manage_files_pattern($1, $3, $3)
> + files_pid_filetrans($1, $3, file)
> +
> + # Mark $4 as a socket for client access
> + files_type($4)
> + filetrans_pattern($1,likewise_var_lib_t,$4, sock_file)
> + manage_sock_files_pattern($1,likewise_var_lib_t,$4)
> + manage_files_pattern($1,$4,$4)
> +
> + # Mark $5 as files, privately managed under /var/lib/likewise-open
> + files_type($5)
> + allow $1 likewise_var_lib_t:dir setattr;
> + allow $1 $5:file manage_file_perms;
> + allow $1 $5:dir manage_dir_perms;
> + allow $1 $5:sock_file manage_sock_file_perms;
> +
> + filetrans_pattern($1,likewise_var_lib_t,$5, {file dir})
> +
> + allow $1 self:process { signal_perms getsched setsched };
> + allow $1 self:fifo_file rw_fifo_file_perms;
> + allow $1 self:unix_dgram_socket create_socket_perms;
> + allow $1 self:unix_stream_socket create_stream_socket_perms;
> + allow $1 self:tcp_socket create_stream_socket_perms;
> + allow $1 self:udp_socket create_socket_perms;
> +
> + # Read /etc
> + files_read_etc_files($1)
> +
> + # Permit use of syslog
> + logging_send_syslog_msg($1)
> +
> + # Permit use of locale
> + miscfiles_read_localization($1)
> +
> + # Permit use of dev random/urandom
> + dev_read_urand($1)
> + dev_read_rand($1)
> +')
> +
> diff --git a/policy/modules/services/likewise.te b/policy/modules/services/likewise.te
> new file mode 100644
> index 0000000..c4f2e19
> --- /dev/null
> +++ b/policy/modules/services/likewise.te
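Review bot: The six `likewise_stream_connect_*` interfaces call `files_search_pids($1)`, but every socket they connect to is labelled under `/var/lib/likewise-open` in the .fc hunk, so the caller is granted search on `/var/run` rather than on the directory it actually traverses; `files_search_var_lib($1)` is the search that `stream_connect_pattern` on `likewise_var_lib_t` needs, and the `auth_use_nsswitch` caller added in authlogin.if inherits the same gap. In `likewise_daemon`, `manage_files_pattern($1,$4,$4)` grants `file` permissions on the socket type `$4`, which the .fc hunk only ever applies to `-s` sock_file entries; the `manage_sock_files_pattern` line above it already covers the socket, so the file rule can be dropped, while the daemon side itself needs `files_search_var_lib($1)` to reach `likewise_var_lib_t` at all. The `likewise_daemon` doc block is also missing the `#` line that separates the XML comment from the `interface` line in every other interface of this file.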
> @@ -0,0 +1,286 @@
> +
> +policy_module(likewise, 1.0.0)
> +
> +#################################
> +#
> +# Declarations
> +#
> +type likewise_etc_t;
> +files_config_file(likewise_etc_t)
> +
> +type likewise_initrc_exec_t;
> +init_script_file(likewise_initrc_exec_t)
> +
> +type likewise_var_lib_t;
> +files_type(likewise_var_lib_t)
> +
> +type likewise_pstore_lock_t;
> +files_type(likewise_pstore_lock_t)
> +
> +type likewise_krb5_ad_t;
> +files_type(likewise_krb5_ad_t)
> +
> +type likewise_krb5_affinity_t;
> +files_type(likewise_krb5_affinity_t)
> +
> +#################################
> +#
> +# Declarations for dcerpcd
> +#
> +type dcerpcd_t;
> +type dcerpcd_exec_t;
> +type dcerpcd_var_run_t;
> +type dcerpcd_var_socket_t;
> +type dcerpcd_var_lib_t;
> +
> +#################################
> +#
> +# Declarations for eventlogd
> +#
> +type eventlogd_t;
> +type eventlogd_exec_t;
> +type eventlogd_var_run_t;
> +type eventlogd_var_socket_t;
> +type eventlogd_var_lib_t;
> +
> +#################################
> +#
> +# Declarations for lsassd
> +#
> +type lsassd_t;
> +type lsassd_exec_t;
> +type lsassd_var_run_t;
> +type lsassd_var_socket_t;
> +type lsassd_var_lib_t;
> +
> +#################################
> +#
> +# Declarations for lwiod
> +#
> +type lwiod_t;
> +type lwiod_exec_t;
> +type lwiod_var_run_t;
> +type lwiod_var_socket_t;
> +type lwiod_var_lib_t;
> +
> +#################################
> +#
> +# Declarations for lwregd
> +#
> +type lwregd_t;
> +type lwregd_exec_t;
> +type lwregd_var_run_t;
> +type lwregd_var_socket_t;
> +type lwregd_var_lib_t;
> +
> +#################################
> +#
> +# Declarations for lwsmd
> +#
> +type lwsmd_t;
> +type lwsmd_exec_t;
> +type lwsmd_var_run_t;
> +type lwsmd_var_socket_t;
> +type lwsmd_var_lib_t;
> +
> +#################################
> +#
> +# Declarations for netlogond
> +#
> +type netlogond_t;
> +type netlogond_exec_t;
> +type netlogond_var_run_t;
> +type netlogond_var_socket_t;
> +type netlogond_var_lib_t;
> +
> +#################################
> +#
> +# Declarations for srvsvcd
> +#
> +type srvsvcd_t;
> +type srvsvcd_exec_t;
> +type srvsvcd_var_run_t;
> +type srvsvcd_var_socket_t;
> +type srvsvcd_var_lib_t;
> +
> +#################################
> +#
> +# Likewise DCE/RPC service local policy
> +#
> +
> +likewise_daemon(dcerpcd_t, dcerpcd_exec_t, dcerpcd_var_run_t,dcerpcd_var_socket_t,dcerpcd_var_lib_t)
> +
> +corenet_tcp_bind_generic_node(dcerpcd_t)
> +corenet_tcp_bind_reserved_port(dcerpcd_t)
> +corenet_tcp_connect_generic_port(dcerpcd_t)
> +corenet_udp_bind_generic_node(dcerpcd_t)
> +corenet_udp_bind_reserved_port(dcerpcd_t)
> +
> +likewise_stream_connect_lwregd(dcerpcd_t)
> +
> +#################################
> +#
> +# Likewise Auditing and Logging service policy
> +#
> +
> +likewise_daemon(eventlogd_t,eventlogd_exec_t,eventlogd_var_run_t,eventlogd_var_socket_t,eventlogd_var_lib_t)
> +
> +corenet_tcp_bind_generic_node(eventlogd_t)
> +corenet_tcp_bind_reserved_port(eventlogd_t)
> +corenet_udp_bind_generic_node(eventlogd_t)
> +corenet_udp_bind_reserved_port(eventlogd_t)
> +
> +likewise_stream_connect_lwregd(eventlogd_t)
> +likewise_stream_connect_dcerpcd(eventlogd_t)
> +
> +#################################
> +#
> +# Likewise Authentication service local policy
> +#
> +
> +likewise_daemon(lsassd_t,lsassd_exec_t,lsassd_var_run_t,lsassd_var_socket_t,lsassd_var_lib_t)
> +
> +allow lsassd_t self:capability {fowner chown fsetid dac_override sys_time};
> +allow lsassd_t self:unix_stream_socket {create_stream_socket_perms connectto};
> +allow lsassd_t self:netlink_route_socket rw_netlink_socket_perms;
> +# Because lsassd calls access(), we need these two. It would be nice not to.
> +corecmd_exec_bin(lsassd_t);
> +corecmd_exec_shell(lsassd_t);
> +
> +kerberos_use(lsassd_t)
> +
> +corenet_tcp_connect_reserved_port(lsassd_t)
> +corenet_tcp_sendrecv_all_reserved_ports(lsassd_t)
> +sysnet_use_ldap(lsassd_t)
> +sysnet_read_config(lsassd_t)
> +
> +kernel_read_system_state(lsassd_t)
> +kernel_getattr_proc_files(lsassd_t)
> +kernel_list_all_proc(lsassd_t)
> +kernel_list_proc(lsassd_t)
> +
> +files_manage_generic_tmp_dirs(lsassd_t)
> +files_manage_generic_tmp_files(lsassd_t)
> +
> +domain_obj_id_change_exemption(lsassd_t)
> +selinux_get_fs_mount(lsassd_t)
> +selinux_validate_context(lsassd_t)
> +seutil_read_config(lsassd_t)
> +seutil_read_default_contexts(lsassd_t)
> +seutil_read_file_contexts(lsassd_t)
> +seutil_run_semanage(lsassd_t, lsassd_t)
> +
> +userdom_home_filetrans_user_home_dir(lsassd_t)
> +userdom_manage_home_role(system_r, lsassd_t)
> +
> +likewise_stream_connect_lwregd(lsassd_t)
> +likewise_stream_connect_netlogond(lsassd_t)
> +likewise_stream_connect_lwiod(lsassd_t)
> +likewise_stream_connect_eventlogd(lsassd_t)
> +likewise_stream_connect_dcerpcd(lsassd_t)
> +
> +likewise_manage_etc_files(lsassd_t)
> +files_manage_etc_files(lsassd_t)
> +files_manage_etc_symlinks(lsassd_t)
> +files_manage_etc_runtime_files(lsassd_t)
> +allow lsassd_t netlogond_var_lib_t:file read_file_perms;
> +allow lsassd_t likewise_krb5_ad_t:file read_file_perms;
> +
> +
> +#################################
> +#
> +# Likewise I/O service local policy
> +#
> +
> +likewise_daemon(lwiod_t,lwiod_exec_t,lwiod_var_run_t,lwiod_var_socket_t,lwiod_var_lib_t)
> +
> +kerberos_rw_config(lwiod_t)
> +kerberos_use(lwiod_t)
> +allow lwiod_t likewise_krb5_ad_t:file read_file_perms;
> +allow lwiod_t netlogond_var_lib_t:file read_file_perms;
> +
> +corenet_tcp_bind_generic_node(lwiod_t)
> +corenet_tcp_bind_smbd_port(lwiod_t)
> +corenet_tcp_connect_smbd_port(lwiod_t)
> +allow lwiod_t self:netlink_route_socket rw_netlink_socket_perms;
> +
> +sysnet_read_config(lwiod_t)
> +
> +likewise_stream_connect_lwregd(lwiod_t)
> +likewise_stream_connect_lsassd(lwiod_t)
> +
> +#################################
> +#
> +# Likewise Registry server local policy
> +#
> +
> +likewise_daemon(lwregd_t,lwregd_exec_t,lwregd_var_run_t,lwregd_var_socket_t,lwregd_var_lib_t)
> +
> +#################################
> +#
> +# Likewise Service Manager service local policy
> +#
> +
> +likewise_daemon(lwsmd_t,lwsmd_exec_t,lwsmd_var_run_t,lwsmd_var_socket_t,lwsmd_var_lib_t)
> +
> +corenet_tcp_bind_generic_node(lwsmd_t)
> +corenet_tcp_bind_reserved_port(lwsmd_t)
> +corenet_tcp_bind_smbd_port(lwsmd_t)
> +corenet_udp_bind_generic_node(lwsmd_t)
> +corenet_udp_bind_reserved_port(lwsmd_t)
> +likewise_manage_etc_files(lwsmd_t)
> +
> +likewise_stream_connect_lwiod(lwsmd_t)
> +likewise_stream_connect_lwregd(lwsmd_t)
> +
> +# When lwsmd starts the daemons, transition to their context:
> +domtrans_pattern(lwsmd_t,dcerpcd_exec_t,dcerpcd_t)
> +domtrans_pattern(lwsmd_t,eventlogd_exec_t,eventlogd_t)
> +domtrans_pattern(lwsmd_t,lsassd_exec_t,lsassd_t)
> +domtrans_pattern(lwsmd_t,lwiod_exec_t,lwiod_t)
> +domtrans_pattern(lwsmd_t,lwregd_exec_t,lwregd_t)
> +domtrans_pattern(lwsmd_t,netlogond_exec_t,netlogond_t)
> +domtrans_pattern(lwsmd_t,srvsvcd_exec_t,srvsvcd_t)
> +
> +allow lwsmd_t dcerpcd_t:process { signal siginh rlimitinh };
> +allow lwsmd_t eventlogd_t:process { signal siginh rlimitinh };
> +allow lwsmd_t lsassd_t:process { signal siginh rlimitinh };
> +allow lwsmd_t lwiod_t:process { signal siginh rlimitinh };
> +allow lwsmd_t lwregd_t:process { signal siginh rlimitinh };
> +allow lwsmd_t netlogond_t:process { signal siginh rlimitinh };
> +allow lwsmd_t srvsvcd_t:process { signal siginh rlimitinh };
> +
> +#################################
> +#
> +# Likewise DC location service local policy
> +#
> +
> +likewise_daemon(netlogond_t,netlogond_exec_t,netlogond_var_run_t,netlogond_var_socket_t,netlogond_var_lib_t)
> +
> +allow netlogond_t self:capability {dac_override};
> +
> +sysnet_dns_name_resolve(netlogond_t)
> +sysnet_use_ldap(netlogond_t)
> +
> +likewise_stream_connect_lwregd(netlogond_t)
> +likewise_manage_etc_files(netlogond_t)
> +
> +#################################
> +#
> +# Likewise Srv service local policy
> +#
> +
> +likewise_daemon(srvsvcd_t,srvsvcd_exec_t,srvsvcd_var_run_t,srvsvcd_var_socket_t,srvsvcd_var_lib_t)
> +
> +corenet_tcp_bind_generic_node(srvsvcd_t)
> +corenet_tcp_bind_reserved_port(srvsvcd_t)
> +
> +kerberos_use(srvsvcd_t)
> +
> +allow srvsvcd_t likewise_etc_t:dir search_dir_perms;
> +
> +likewise_stream_connect_lwregd(srvsvcd_t)
> +likewise_stream_connect_dcerpcd(srvsvcd_t)
> +likewise_stream_connect_lwiod(srvsvcd_t)
> +
> +
> diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
> index b193dd8..41d6517 100644
> --- a/policy/modules/system/authlogin.if
> +++ b/policy/modules/system/authlogin.if
> @@ -1403,6 +1403,10 @@ interface(`auth_use_nsswitch',`
> ')
>
> optional_policy(`
> + likewise_stream_connect_lsassd($1)
> + ')
> +
> + optional_policy(`
> nis_use_ypbind($1)
> ')
> -- Chris PeBenito Tresys Technology, LLC (410) 290-1411 x150
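Review bot: `seutil_run_semanage(lsassd_t, lsassd_t)` passes a type where the interface expects the role the domain runs in; as the neighbouring `userdom_manage_home_role(system_r, lsassd_t)` shows, the second argument should be `system_r`, so the line as written will not build. More broadly, lsassd_t is the network-facing authentication daemon and this hunk gives it semanage (i.e. the ability to change the loaded policy), `files_manage_etc_files`/`files_manage_etc_symlinks`/`files_manage_etc_runtime_files` (write to every generic file under /etc), `domain_obj_id_change_exemption`, shell and bin execution, generic tmp management and `dac_override`; each of these should carry a comment naming the operation that needs it, and the generic /etc writes in particular look replaceable by the private `likewise_manage_etc_files(lsassd_t)` already present plus a targeted interface such as `kerberos_rw_config(lsassd_t)`, which lwiod_t already uses, if the write is to krb5.conf. `corecmd_exec_bin(lsassd_t);` and `corecmd_exec_shell(lsassd_t);` carry stray trailing semicolons that no other interface call in the file has. The seven `domtrans_pattern(lwsmd_t, …)` lines paired with seven `allow lwsmd_t …:process { signal siginh rlimitinh };` rules would be simpler as a per-daemon `likewise_domtrans_*` interface or as part of the daemon macro, but that is a style preference.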