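From: icon@fedoraproject.org (Konstantin Ryabitsev)
Date: Tue, 14 Feb 2012 13:41:13 -0500
Subject: [refpolicy] RFE: kup module
Message-ID: <1329244873.8039.20.camel@i5.mricon.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hi, all:

Kup is a secure upload tool used by kernel developers to upload
cryptographically verified packages to kernel.org. It is included in
Fedora and EPEL, as well as a number of other distributions (Debian,
Ubuntu, etc).

Attached is the policy I wrote for running kup-server on RHEL6. It's
been running in enforcing mode for the past month, so I believe it is
ready to be considered for refpolicy.

Best regards,
-- 
Konstantin Ryabitsev
Systems Administrator, Kernel.org
Montréal, Québec

-------------- next part --------------
## <summary>policy for kup-server</summary>

########################################
## <summary>
##	Execute a domain transition to run kup.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`kup_server_domtrans',`
	gen_require(`
		type kup_server_t, kup_server_exec_t;
	')

	# Executing /usr/bin/kup-server (kup_server_exec_t) from $1 lands
	# the process in kup_server_t; $1 itself gets no access to the
	# service's private types through this interface.
	domtrans_pattern($1, kup_server_exec_t, kup_server_t)
')

########################################
## <summary>
##	Read content uploaded via kup.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`kup_server_read_content',`
	gen_require(`
		type kup_server_var_lib_t, kup_server_content_rw_t;
	')

	# /var/lib/kup itself is labeled kup_server_var_lib_t (see the .fc),
	# so reaching /var/lib/kup/pub needs search on that type as well;
	# files_search_var_lib() only covers /var and /var/lib, and the
	# content type only covers the upload directories themselves.
	files_search_var_lib($1)
	search_dirs_pattern($1, kup_server_var_lib_t, kup_server_var_lib_t)
	read_files_pattern($1, kup_server_content_rw_t, kup_server_content_rw_t)
	list_dirs_pattern($1, kup_server_content_rw_t, kup_server_content_rw_t)
')

########################################
## <summary>
##	Create, read, write, and delete
##	content uploaded via kup.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`kup_server_manage_content',`
	gen_require(`
		type kup_server_var_lib_t, kup_server_content_rw_t;
	')

	# Same traversal requirement as kup_server_read_content(): the
	# parent /var/lib/kup is kup_server_var_lib_t, not a content type.
	# Only the content type becomes writable; the keyring directory
	# under /var/lib/kup/pgp stays search-only for the caller.
	files_search_var_lib($1)
	search_dirs_pattern($1, kup_server_var_lib_t, kup_server_var_lib_t)
	manage_files_pattern($1, kup_server_content_rw_t, kup_server_content_rw_t)
	manage_dirs_pattern($1, kup_server_content_rw_t, kup_server_content_rw_t)
')

########################################
## <summary>
##	Execute kup in the kup domain, and
##	allow the specified role the kup domain.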
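## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed the kup domain.
##	</summary>
## </param>
#
interface(`kup_server_run',`
	gen_require(`
		type kup_server_t;
	')

	kup_server_domtrans($1)
	role $2 types kup_server_t;
	# NOTE(review): noatsecure keeps AT_SECURE unset across the
	# transition, so the caller's LD_PRELOAD / LD_LIBRARY_PATH style
	# variables are honoured by kup-server's dynamic loader instead of
	# being restricted as on a normal domain transition. Wherever the
	# uploader can influence that environment this would let code of
	# their choosing run as kup_server_t, i.e. with write access to the
	# upload content; confirm kup-server really needs it, otherwise
	# drop noatsecure (siginh/rlimitinh are harmless by comparison).
	allow $1 kup_server_t:process { siginh noatsecure rlimitinh };
')

########################################
## <summary>
##	Role access for kup
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	User domain for the role
##	</summary>
## </param>
#
interface(`kup_server_role',`
	gen_require(`
		type kup_server_t;
	')

	role $1 types kup_server_t;

	# Unlike kup_server_run(), the user domain only gets to transition,
	# list the process and signal it; no siginh/noatsecure/rlimitinh.
	kup_server_domtrans($2)
	ps_process_pattern($2, kup_server_t)
	allow $2 kup_server_t:process signal;
')

########################################
## <summary>
##	All of the rules required to administrate
##	an kup environment
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`kup_server_admin',`
	gen_require(`
		type kup_server_t;
		type kup_server_etc_t;
		type kup_server_var_lib_t;
		type kup_server_content_rw_t;
		type kup_server_var_run_t;
	')

	# ptrace + signal_perms is the usual refpolicy admin pattern; it
	# gives $1 complete control over a running kup-server.
	allow $1 kup_server_t:process { ptrace signal_perms };
	ps_process_pattern($1, kup_server_t)

	files_search_etc($1)
	admin_pattern($1, kup_server_etc_t)

	# admin_pattern() on kup_server_var_lib_t covers /var/lib/kup
	# itself, so no separate search rule is needed for the content dirs.
	# Note this is the only interface that makes the PGP keyring
	# directory (/var/lib/kup/pgp, kup_server_var_lib_t) writable.
	files_search_var_lib($1)
	admin_pattern($1, kup_server_var_lib_t)
	admin_pattern($1, kup_server_content_rw_t)

	files_search_pids($1)
	admin_pattern($1, kup_server_var_run_t)
')
-------------- next part --------------
/usr/bin/kup-server	--	gen_context(system_u:object_r:kup_server_exec_t,s0)

/etc/kup(/.*)?		gen_context(system_u:object_r:kup_server_etc_t,s0)

# /var/lib/kup and the keyrings under pgp/ are kup_server_var_lib_t, which
# kup_server_t may only read; only pub/ and tmp/ carry the writable
# content type.  -d keeps the top-level entry a directory-only match.
/var/lib/kup		-d	gen_context(system_u:object_r:kup_server_var_lib_t,s0)
/var/lib/kup/pgp(/.*)?	gen_context(system_u:object_r:kup_server_var_lib_t,s0)
/var/lib/kup/pub(/.*)?	gen_context(system_u:object_r:kup_server_content_rw_t,s0)
/var/lib/kup/tmp(/.*)?	gen_context(system_u:object_r:kup_server_content_rw_t,s0)

/var/run/kup(/.*)?	gen_context(system_u:object_r:kup_server_var_run_t,s0)
-------------- next part --------------
policy_module(kup, 1.0.0)

########################################
#
# Declarations
#

type kup_server_t;
type kup_server_exec_t;
application_domain(kup_server_t, kup_server_exec_t)
role system_r types kup_server_t;

type kup_server_etc_t;
files_config_file(kup_server_etc_t)

type kup_server_var_lib_t;
files_type(kup_server_var_lib_t)

type kup_server_content_rw_t;
files_type(kup_server_content_rw_t)

type kup_server_var_run_t;
# not really a pid file, but the policy suits what we want to do
files_pid_file(kup_server_var_run_t)

########################################
#
# kup_server local policy
#

allow kup_server_t self:fifo_file manage_fifo_file_perms;
allow kup_server_t self:process setrlimit;

# Configuration and the PGP keyrings under /var/lib/kup are read-only to
# the service: the only rules on kup_server_etc_t and
# kup_server_var_lib_t below grant read/search, never write.
read_files_pattern(kup_server_t, kup_server_etc_t, kup_server_etc_t)
read_files_pattern(kup_server_t, kup_server_var_lib_t, kup_server_var_lib_t)

# Uploaded content (/var/lib/kup/pub and /var/lib/kup/tmp) is the only
# file data the service may create, modify or delete.
manage_files_pattern(kup_server_t, kup_server_content_rw_t, kup_server_content_rw_t)
manage_dirs_pattern(kup_server_t, kup_server_content_rw_t, kup_server_content_rw_t)
read_lnk_files_pattern(kup_server_t, kup_server_content_rw_t, kup_server_content_rw_t)
# NOTE(review): this transition keys on var_lib_t (/var/lib itself), not on
# kup_server_var_lib_t, so it also lets the service create
# kup_server_content_rw_t files and directories directly under /var/lib.
# If pub/ and tmp/ are pre-created and labeled by the .fc this rule may be
# unnecessary; confirm against what kup-server creates at runtime.
files_var_lib_filetrans(kup_server_t, kup_server_content_rw_t, { dir file })

manage_dirs_pattern(kup_server_t, kup_server_var_run_t, kup_server_var_run_t)
manage_files_pattern(kup_server_t, kup_server_var_run_t, kup_server_var_run_t)
files_pid_filetrans(kup_server_t, kup_server_var_run_t, { dir file })

domain_use_interactive_fds(kup_server_t)

# used internally by perl to load modules and localizations
files_read_usr_files(kup_server_t)
miscfiles_read_localization(kup_server_t)

# looking up user info
auth_use_nsswitch(kup_server_t)

# sending logs to syslog
logging_send_syslog_msg(kup_server_t)

# gathering entropy for uniqueness
dev_read_urand(kup_server_t)

# accessing git trees for kup put --tar and --diff
git_read_generic_system_content_files(kup_server_t)

# executing gzip, bzip2, xz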
# Signals between kup-server and its own children (the compressors it
# spawns) stay inside the domain.
allow kup_server_t self:process signal;

# Temp.pm stats pieces of the user's home directory; this is lookup and
# getattr only, nothing in the home directory is readable or writable.
files_search_home(kup_server_t)
userdom_search_user_home_dirs(kup_server_t)
userdom_getattr_user_home_dirs(kup_server_t)

# The helpers kup-server runs (gzip, bzip2, xz, presumably the perl
# interpreter itself) are bin_t and execute without a domain transition,
# so they keep kup_server_t's access to the upload content. This covers
# every bin_t program; a narrower set would need per-program types.
corecmd_exec_bin(kup_server_t)

# xz reads /proc/meminfo to size its buffers; kernel_read_system_state()
# is the refpolicy-granular way to allow that.
kernel_read_system_state(kup_server_t)