From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Wed, 22 Feb 2012 09:14:07 -0500
Subject: [refpolicy] [PATCH 1/1] Add kup server utils module.
In-Reply-To: <1329250800.8039.24.camel@i5.mricon.com>
References: <1329250800.8039.24.camel@i5.mricon.com>
Message-ID: <4F44F82F.1060905@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
On 02/14/12 15:20, Konstantin Ryabitsev wrote:
> Reworking to match the style guide better.
> I think I got the module order right this time.
Overall it seems ok, but needs some style cleanup, as noted below.
> Signed-off-by: Konstantin Ryabitsev
> ---
> kup.fc | 8 ++++
> kup.if | 128 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> kup.te | 84 ++++++++++++++++++++++++++++++++++++++++++
> 3 files changed, 220 insertions(+), 0 deletions(-)
> create mode 100644 kup.fc
> create mode 100644 kup.if
> create mode 100644 kup.te
>
> diff --git a/kup.fc b/kup.fc
> new file mode 100644
> index 0000000..e2e929f
> --- /dev/null
> +++ b/kup.fc
> @@ -0,0 +1,8 @@
> +/usr/bin/kup-server -- gen_context(system_u:object_r:kup_server_exec_t,s0)
> +/etc/kup(/.*)? gen_context(system_u:object_r:kup_server_etc_t,s0)
/etc above /usr
> +/var/lib/kup -d gen_context(system_u:object_r:kup_server_var_lib_t,s0)
> +/var/lib/kup/pgp(/.*)? gen_context(system_u:object_r:kup_server_var_lib_t,s0)
> +/var/lib/kup/pub(/.*)? gen_context(system_u:object_r:kup_server_content_rw_t,s0)
> +/var/lib/kup/tmp(/.*)? gen_context(system_u:object_r:kup_server_content_rw_t,s0)
> +/var/run/kup(/.*)? gen_context(system_u:object_r:kup_server_var_run_t,s0)
> +
> diff --git a/kup.if b/kup.if
> new file mode 100644
> index 0000000..f55dffd
> --- /dev/null
> +++ b/kup.if
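Review bot: `/var/lib/kup/tmp(/.*)?` and `/var/lib/kup/pub(/.*)?` share kup_server_content_rw_t, so every domain granted kup_server_read_content also reads whatever sits in tmp/; if tmp/ stages uploads that have not yet been published, a separate type kept private to kup_server_t would keep unpublished data out of the readers' reach. Whether the server actually stages there is not visible from the .fc alone, so treat this as something to confirm with the kup-server layout rather than a definite defect. Separately, the last line of the hunk adds an empty line at the end of kup.fc, which the file does not need.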
> @@ -0,0 +1,128 @@
> +## Kernel.org Uploader server utilities
> +
> +
> +########################################
> +##
> +## Execute a domain transition to run kup.
> +##
> +##
> +##
> +## Domain allowed to transition.
> +##
> +##
> +#
> +interface(`kup_server_domtrans',`
> + gen_require(`
> + type kup_server_t, kup_server_exec_t;
> + ')
> +
These look like spaces rather than tabs.
> + domtrans_pattern($1, kup_server_exec_t, kup_server_t)
> +')
> +
> +########################################
> +##
> +## Read content uploaded via kup.
> +##
> +##
> +##
> +## Domain allowed to transition.
> +##
> +##
> +#
> +interface(`kup_server_read_content',`
> + gen_require(`
> + type kup_server_content_rw_t;
> + ')
> +
> + files_search_var_lib($1)
> + read_files_pattern($1, kup_server_content_rw_t, kup_server_content_rw_t)
> + list_dirs_pattern($1, kup_server_content_rw_t, kup_server_content_rw_t)
> +')
> +
> +########################################
> +##
> +## Create, read, write, and delete
> +## content uploaded via kup.
> +##
> +##
> +##
> +## Domain allowed to transition.
> +##
> +##
> +#
> +interface(`kup_server_manage_content',`
> + gen_require(`
> + type kup_server_content_rw_t;
> + ')
> +
> + files_search_var_lib($1)
> + manage_files_pattern($1, kup_server_content_rw_t, kup_server_content_rw_t)
> + manage_dirs_pattern($1, kup_server_content_rw_t, kup_server_content_rw_t)
> +')
> +
> +
> +########################################
> +##
> +## Execute kup in the kup domain, and
> +## allow the specified role the kup domain.
> +##
> +##
> +##
> +## Domain allowed to transition.
> +##
> +##
> +##
> +##
> +## The role to be allowed to transition.
> +##
> +##
> +#
> +interface(`kup_server_run',`
> + gen_require(`
> + type kup_server_t;
> + ')
> +
> + kup_server_domtrans($1)
> + role $2 types kup_server_t;
> +')
> +
> +########################################
> +##
> +## All of the rules required to administrate
> +## an kup environment
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +##
> +##
> +## Role allowed access.
> +##
> +##
> +##
> +#
> +interface(`kup_server_admin',`
> + gen_require(`
> + type kup_server_t;
> + type kup_server_etc_t;
> + type kup_server_var_lib_t;
> + type kup_server_content_rw_t;
> + type kup_server_var_run_t;
> + ')
> +
> + allow $1 kup_server_t:process { ptrace signal_perms };
> + ps_process_pattern($1, kup_server_t)
> +
> + files_search_etc($1)
> + admin_pattern($1, kup_server_etc_t)
> +
> + files_search_var_lib($1)
> + admin_pattern($1, kup_server_var_lib_t)
> + admin_pattern($1, kup_server_content_rw_t)
> +
> + files_search_pids($1)
> + admin_pattern($1, kup_server_var_run_t)
> +
> +')
> diff --git a/kup.te b/kup.te
> new file mode 100644
> index 0000000..8e88b02
> --- /dev/null
> +++ b/kup.te
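Review bot: `kup_server_read_content` and `kup_server_manage_content` grant search only on var_lib_t (`files_search_var_lib($1)`) and on kup_server_content_rw_t, but the content lives under /var/lib/kup, which kup.fc labels kup_server_var_lib_t, so a caller cannot traverse that directory to reach pub/ or tmp/; add `type kup_server_var_lib_t;` to each gen_require and `search_dirs_pattern($1, kup_server_var_lib_t, kup_server_var_lib_t)` after the files_search_var_lib line in both interfaces. In `kup_server_admin` the role parameter `$2` is documented but never used in the body; if the usual refpolicy admin pattern is intended, `kup_server_run($1, $2)` would put it to use, otherwise the second parameter block should be dropped. The parameter descriptions of the two content interfaces say "Domain allowed to transition." although no transition happens there; "Domain allowed access." matches what they grant.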
> @@ -0,0 +1,84 @@
> +policy_module(kup,1.0.0)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +type kup_server_t;
> +type kup_server_exec_t;
> +application_domain(kup_server_t, kup_server_exec_t)
> +
> +type kup_server_content_rw_t;
> +files_type(kup_server_content_rw_t)
Unless theres the possibility of having read-only content, kup_server_content_t would be fine.
> +type kup_server_etc_t;
> +files_config_file(kup_server_etc_t);
> +
> +type kup_server_var_lib_t;
> +files_type(kup_server_var_lib_t)
> +
> +type kup_server_var_run_t;
> +# not really a pid file, but the policy suits what we want to do
> +files_pid_file(kup_server_var_run_t)
> +
> +########################################
> +#
> +# kup_server local policy
> +#
> +
> +allow kup_server_t self:process { setrlimit signal };
> +allow kup_server_t self:fifo_file manage_fifo_file_perms;
> +
> +manage_dirs_pattern(kup_server_t, kup_server_content_rw_t, kup_server_content_rw_t)
> +manage_dirs_pattern(kup_server_t, kup_server_var_run_t, kup_server_var_run_t)
> +manage_files_pattern(kup_server_t, kup_server_content_rw_t, kup_server_content_rw_t)
> +manage_files_pattern(kup_server_t, kup_server_var_run_t, kup_server_var_run_t)
These should be grouped by type, so e.g.
the two content lines should be grouped together
> +read_files_pattern(kup_server_t, kup_server_etc_t, kup_server_etc_t)
> +read_files_pattern(kup_server_t, kup_server_var_lib_t, kup_server_var_lib_t)
> +read_lnk_files_pattern(kup_server_t, kup_server_content_rw_t, kup_server_content_rw_t)
> +
> +########################################
> +#
> +# Kernel layer modules
> +#
> +
> +# xz wants to read /proc/meminfo
> +kernel_read_system_state(kup_server_t)
> +
> +# executing gzip, bzip2, xz
> +corecmd_exec_bin(kup_server_t)
> +
> +# gathering entropy for uniqueness
> +dev_read_urand(kup_server_t)
> +
> +domain_use_interactive_fds(kup_server_t)
> +
> +files_read_usr_files(kup_server_t)
> +
> +files_pid_filetrans(kup_server_t, kup_server_var_run_t, { dir file })
> +files_var_lib_filetrans(kup_server_t, kup_server_content_rw_t, { dir file })
These can go up, grouped with the appropriate manage_*_pattern for the target type.
> +miscfiles_read_localization(kup_server_t)
> +
> +########################################
> +#
> +# System layer modules
> +#
Comment blocks like the above are unnecessary.
> +# looking up user info
> +auth_use_nsswitch(kup_server_t)
> +
> +logging_send_syslog_msg(kup_server_t)
> +
> +# Temp.pm wants to stat bits in the userdir
> +userdom_getattr_user_home_dirs(kup_server_t)
> +
> +########################################
> +#
> +# Other modules
> +#
> +
> +# accessing git trees for kup put --tar and --diff
> +git_read_generic_system_content_files(kup_server_t)
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
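Review bot: `files_var_lib_filetrans(kup_server_t, kup_server_content_rw_t, { dir file })` applies to directories labeled var_lib_t, i.e. /var/lib itself, not to /var/lib/kup, which kup.fc labels kup_server_var_lib_t and on which this domain only gets read_files_pattern; files created inside pub/ or tmp/ already inherit kup_server_content_rw_t from their parent, so unless kup-server really creates entries directly under /var/lib the transition is unnecessary and, as far as I recall filetrans_pattern, also hands the domain write access to the generic /var/lib directory. `files_config_file(kup_server_etc_t);` carries a trailing semicolon that none of the other interface calls in the declarations block have; the m4 expansion already terminates its own statements, so the stray `;` is at best inconsistent and may not be accepted by checkpolicy, and should be dropped. The why-comments on `kernel_read_system_state` and `dev_read_urand` are the right model; the uncommented `domain_use_interactive_fds` and `files_read_usr_files` lines would benefit from the same one-line justification.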