From: dominick.grift@gmail.com (Dominick Grift) Date: Wed, 8 Aug 2012 10:52:04 +0200 Subject: [refpolicy] [PATCH] Initial BIRD Internet Routing Daemon policy Message-ID: <1344415924-27382-1-git-send-email-dominick.grift@gmail.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Signed-off-by: Dominick Grift diff --git a/bird.fc b/bird.fc new file mode 100644 index 0000000..7b63b8e --- /dev/null +++ b/bird.fc @@ -0,0 +1,11 @@ +/etc/bird\.conf -- gen_context(system_u:object_r:bird_etc_t,s0) + +/etc/default/bird -- gen_context(system_u:object_r:bird_etc_t,s0) + +/etc/rc\.d/init\.d/bird -- gen_context(system_u:object_r:bird_initrc_exec_t,s0) + +/usr/sbin/bird -- gen_context(system_u:object_r:bird_exec_t,s0) + +/var/log/bird\.log.* -- gen_context(system_u:object_r:bird_log_t,s0) + +/var/run/bird\.ctl -s gen_context(system_u:object_r:bird_var_run_t,s0) diff --git a/bird.if b/bird.if new file mode 100644 index 0000000..fae3f36 --- /dev/null +++ b/bird.if @@ -0,0 +1,42 @@ +## BIRD Internet Routing Daemon. + +######################################## +## +## All of the rules required to administrate +## an bird environment. +## +## +## +## Domain allowed access. +## +## +## +## +## Role allowed access.. +## +## +## +# +interface(`bird_admin',` + gen_require(` + type bird_t, bird_etc_t, bird_log_t; + type bird_var_run_t, bird_initrc_exec_t; + ') + + allow $1 bird_t:process { ptrace signal_perms }; + ps_process_pattern($1, bird_t) + + init_labeled_script_domtrans($1, bird_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 bird_initrc_exec_t system_r; + allow $2 system_r; + + files_list_etc($1) + admin_pattern($1, bird_etc_t) + + logging_list_logs($1) + admin_pattern($1, bird_log_t) + + files_list_pids($1) + admin_pattern($1, bird_var_run_t) +') diff --git a/bird.te b/bird.te new file mode 100644 index 0000000..9afd52b --- /dev/null +++ b/bird.te @@ -0,0 +1,57 @@ +policy_module(bird, 1.0.0) + +######################################## +# +# Declarations +# + +type bird_t; +type bird_exec_t; +init_daemon_domain(bird_t, bird_exec_t) + +type bird_initrc_exec_t; +init_script_file(bird_initrc_exec_t) + +type bird_etc_t; +files_config_file(bird_etc_t) + +type bird_log_t; +logging_log_file(bird_log_t) + +type bird_var_run_t; +files_pid_file(bird_var_run_t) + +######################################## +# +# Local policy +# + +allow bird_t self:capability { net_admin net_bind_service }; +allow bird_t self:netlink_route_socket create_netlink_socket_perms; +allow bird_t self:tcp_socket create_stream_socket_perms; + +allow bird_t bird_etc_t:file read_file_perms; + +allow bird_t bird_log_t:file { create_file_perms append_file_perms setattr_file_perms }; +logging_log_filetrans(bird_t, bird_log_t, file) + +allow bird_t bird_var_run_t:sock_file manage_sock_file_perms; +files_pid_filetrans(bird_t, bird_var_run_t, sock_file) + +corenet_all_recvfrom_unlabeled(bird_t) +corenet_all_recvfrom_netlabel(bird_t) +corenet_tcp_sendrecv_generic_if(bird_t) +corenet_tcp_bind_generic_node(bird_t) +corenet_tcp_sendrecv_generic_node(bird_t) +corenet_tcp_sendrecv_bgp_port(bird_t) +corenet_sendrecv_bgp_client_packets(bird_t) +corenet_tcp_connect_bgp_port(bird_t) +corenet_sendrecv_bgp_server_packets(bird_t) +corenet_tcp_bind_bgp_port(bird_t) + +# /etc/iproute2/rt_realms +files_read_etc_files(bird_t) + +logging_send_syslog_msg(bird_t) + +miscfiles_read_localization(bird_t)