From: icon@fedoraproject.org (Konstantin Ryabitsev) Date: Tue, 14 Feb 2012 15:20:00 -0500 Subject: [refpolicy] [PATCH 1/1] Add kup server utils module. Message-ID: <1329250800.8039.24.camel@i5.mricon.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Reworking to match the style guide better. I think I got the module order right this time. Signed-off-by: Konstantin Ryabitsev
---
kup.fc | 8 ++++ kup.if | 128 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ kup.te | 84 ++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 220 insertions(+), 0 deletions(-) create mode 100644 kup.fc create mode 100644 kup.if create mode 100644 kup.te
diff --git a/kup.fc b/kup.fc
new file mode 100644
index 0000000..e2e929f
--- /dev/null
+++ b/kup.fc
@@ -0,0 +1,8 @@
+/usr/bin/kup-server -- gen_context(system_u:object_r:kup_server_exec_t,s0)
+/etc/kup(/.*)? gen_context(system_u:object_r:kup_server_etc_t,s0)
+/var/lib/kup -d gen_context(system_u:object_r:kup_server_var_lib_t,s0)
+/var/lib/kup/pgp(/.*)? gen_context(system_u:object_r:kup_server_var_lib_t,s0)
+/var/lib/kup/pub(/.*)? gen_context(system_u:object_r:kup_server_content_rw_t,s0)
+/var/lib/kup/tmp(/.*)? gen_context(system_u:object_r:kup_server_content_rw_t,s0)
+/var/run/kup(/.*)? gen_context(system_u:object_r:kup_server_var_run_t,s0)
+
diff --git a/kup.if b/kup.if
new file mode 100644
index 0000000..f55dffd
--- /dev/null
+++ b/kup.if
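Review bot: `/var/lib/kup/tmp(/.*)?` gets the same `kup_server_content_rw_t` label as `/var/lib/kup/pub(/.*)?`, so any domain granted kup_server_read_content (kup.if) can also read whatever sits in the staging directory. If tmp holds uploads that have not yet been checked against the keyring under /var/lib/kup/pgp (the patch does not say), a separate type would keep unverified data away from content readers, for example `/var/lib/kup/tmp(/.*)? gen_context(system_u:object_r:kup_server_tmp_rw_t,s0)` with a matching declaration and manage rules in kup.te. The type name is only a suggestion and does not exist in the patch.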
@@ -0,0 +1,128 @@
+## Kernel.org Uploader server utilities
+
+
+########################################
+##
+## Execute a domain transition to run kup.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`kup_server_domtrans',`
+ gen_require(`
+ type kup_server_t, kup_server_exec_t;
+ ')
+
+ domtrans_pattern($1, kup_server_exec_t, kup_server_t)
+')
+
+########################################
+##
+## Read content uploaded via kup.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`kup_server_read_content',`
+ gen_require(`
+ type kup_server_content_rw_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, kup_server_content_rw_t, kup_server_content_rw_t)
+ list_dirs_pattern($1, kup_server_content_rw_t, kup_server_content_rw_t)
+')
+
+########################################
+##
+## Create, read, write, and delete
+## content uploaded via kup.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`kup_server_manage_content',`
+ gen_require(`
+ type kup_server_content_rw_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, kup_server_content_rw_t, kup_server_content_rw_t)
+ manage_dirs_pattern($1, kup_server_content_rw_t, kup_server_content_rw_t)
+')
+
+
+########################################
+##
+## Execute kup in the kup domain, and
+## allow the specified role the kup domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## The role to be allowed to transition.
+##
+##
+#
+interface(`kup_server_run',`
+ gen_require(`
+ type kup_server_t;
+ ')
+
+ kup_server_domtrans($1)
+ role $2 types kup_server_t;
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an kup environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`kup_server_admin',`
+ gen_require(`
+ type kup_server_t;
+ type kup_server_etc_t;
+ type kup_server_var_lib_t;
+ type kup_server_content_rw_t;
+ type kup_server_var_run_t;
+ ')
+
+ allow $1 kup_server_t:process { ptrace signal_perms };
+ ps_process_pattern($1, kup_server_t)
+
+ files_search_etc($1)
+ admin_pattern($1, kup_server_etc_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, kup_server_var_lib_t)
+ admin_pattern($1, kup_server_content_rw_t)
+
+ files_search_pids($1)
+ admin_pattern($1, kup_server_var_run_t)
+
+')
diff --git a/kup.te b/kup.te
new file mode 100644
index 0000000..8e88b02
--- /dev/null
+++ b/kup.te
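Review bot: kup_server_admin grants `ptrace` on kup_server_t unconditionally, which lets the admin domain read and alter the memory of the process that handles uploads. Unless debugging kup-server from the admin domain is a stated requirement, `allow $1 kup_server_t:process signal_perms;` is the narrower rule. The header of the same interface documents a second (role) parameter, but the body never references `$2`, so either drop the parameter from the documentation or use it, for example with `kup_server_run($1, $2)`. The headers of kup_server_read_content and kup_server_manage_content also describe `$1` as "Domain allowed to transition." where "Domain allowed access." is meant.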
@@ -0,0 +1,84 @@
+policy_module(kup,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type kup_server_t;
+type kup_server_exec_t;
+application_domain(kup_server_t, kup_server_exec_t)
+
+type kup_server_content_rw_t;
+files_type(kup_server_content_rw_t)
+
+type kup_server_etc_t;
+files_config_file(kup_server_etc_t);
+
+type kup_server_var_lib_t;
+files_type(kup_server_var_lib_t)
+
+type kup_server_var_run_t;
+# not really a pid file, but the policy suits what we want to do
+files_pid_file(kup_server_var_run_t)
+
+########################################
+#
+# kup_server local policy
+#
+
+allow kup_server_t self:process { setrlimit signal };
+allow kup_server_t self:fifo_file manage_fifo_file_perms;
+
+manage_dirs_pattern(kup_server_t, kup_server_content_rw_t, kup_server_content_rw_t)
+manage_dirs_pattern(kup_server_t, kup_server_var_run_t, kup_server_var_run_t)
+manage_files_pattern(kup_server_t, kup_server_content_rw_t, kup_server_content_rw_t)
+manage_files_pattern(kup_server_t, kup_server_var_run_t, kup_server_var_run_t)
+
+read_files_pattern(kup_server_t, kup_server_etc_t, kup_server_etc_t)
+read_files_pattern(kup_server_t, kup_server_var_lib_t, kup_server_var_lib_t)
+read_lnk_files_pattern(kup_server_t, kup_server_content_rw_t, kup_server_content_rw_t)
+
+########################################
+#
+# Kernel layer modules
+#
+
+# xz wants to read /proc/meminfo
+kernel_read_system_state(kup_server_t)
+
+# executing gzip, bzip2, xz
+corecmd_exec_bin(kup_server_t)
+
+# gathering entropy for uniqueness
+dev_read_urand(kup_server_t)
+
+domain_use_interactive_fds(kup_server_t)
+
+files_read_usr_files(kup_server_t)
+
+files_pid_filetrans(kup_server_t, kup_server_var_run_t, { dir file })
+files_var_lib_filetrans(kup_server_t, kup_server_content_rw_t, { dir file })
+
+miscfiles_read_localization(kup_server_t)
+
+########################################
+#
+# System layer modules
+#
+
+# looking up user info
+auth_use_nsswitch(kup_server_t)
+
+logging_send_syslog_msg(kup_server_t)
+
+# Temp.pm wants to stat bits in the userdir
+userdom_getattr_user_home_dirs(kup_server_t)
+
+########################################
+#
+# Other modules
+#
+
+# accessing git trees for kup put --tar and --diff
+git_read_generic_system_content_files(kup_server_t)
-- 1.7.7.6 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 665 bytes Desc: This is a digitally signed message part Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20120214/6021b790/attachment.bin
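Review bot: `files_var_lib_filetrans(kup_server_t, kup_server_content_rw_t, { dir file })` acts on directories labelled var_lib_t, but kup.fc labels /var/lib/kup as kup_server_var_lib_t, so the transition would not fire there. What the rule mainly does is let kup_server_t add entries directly under /var/lib. If pub and tmp are created at install time the line can be dropped, since files created inside them inherit the parent's type. If kup-server has to create them itself, `filetrans_pattern(kup_server_t, kup_server_var_lib_t, kup_server_content_rw_t, { dir file })` confines the access to kup's own directory. A one-line comment saying which case applies would help, as the neighbouring rules already have.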