From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Wed, 8 Aug 2012 09:27:59 -0400
Subject: [refpolicy] [PATCH] Initial BIRD Internet Routing Daemon policy
In-Reply-To: <1344415924-27382-1-git-send-email-dominick.grift@gmail.com>
References: <1344415924-27382-1-git-send-email-dominick.grift@gmail.com>
Message-ID: <5022695F.6050606@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 08/08/12 04:52, Dominick Grift wrote:
> 
> Signed-off-by: Dominick Grift <dominick.grift@gmail.com>

Merged.


> diff --git a/bird.fc b/bird.fc
> new file mode 100644
> index 0000000..7b63b8e
> --- /dev/null
> +++ b/bird.fc
> @@ -0,0 +1,11 @@
> +/etc/bird\.conf	--	gen_context(system_u:object_r:bird_etc_t,s0)
> +
> +/etc/default/bird	--	gen_context(system_u:object_r:bird_etc_t,s0)
> +
> +/etc/rc\.d/init\.d/bird	--	gen_context(system_u:object_r:bird_initrc_exec_t,s0)
> +
> +/usr/sbin/bird	--	gen_context(system_u:object_r:bird_exec_t,s0)
> +
> +/var/log/bird\.log.*	--	gen_context(system_u:object_r:bird_log_t,s0)
> +
> +/var/run/bird\.ctl	-s	gen_context(system_u:object_r:bird_var_run_t,s0)
> diff --git a/bird.if b/bird.if
> new file mode 100644
> index 0000000..fae3f36
> --- /dev/null
> +++ b/bird.if
> @@ -0,0 +1,42 @@
> +## <summary>BIRD Internet Routing Daemon.</summary>
> +
> +########################################
> +## <summary>
> +##	All of the rules required to administrate
> +##	an bird environment.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +## <param name="role">
> +##	<summary>
> +##	Role allowed access..
> +##	</summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`bird_admin',`
> +	gen_require(`
> +		type bird_t, bird_etc_t, bird_log_t;
> +		type bird_var_run_t, bird_initrc_exec_t;
> +	')
> +
> +	allow $1 bird_t:process { ptrace signal_perms };
> +	ps_process_pattern($1, bird_t)
> +
> +	init_labeled_script_domtrans($1, bird_initrc_exec_t)
> +	domain_system_change_exemption($1)
> +	role_transition $2 bird_initrc_exec_t system_r;
> +	allow $2 system_r;
> +
> +	files_list_etc($1)
> +	admin_pattern($1, bird_etc_t)
> +
> +	logging_list_logs($1)
> +	admin_pattern($1, bird_log_t)
> +
> +	files_list_pids($1)
> +	admin_pattern($1, bird_var_run_t)
> +')
> diff --git a/bird.te b/bird.te
> new file mode 100644
> index 0000000..9afd52b
> --- /dev/null
> +++ b/bird.te
> @@ -0,0 +1,57 @@
> +policy_module(bird, 1.0.0)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +type bird_t;
> +type bird_exec_t;
> +init_daemon_domain(bird_t, bird_exec_t)
> +
> +type bird_initrc_exec_t;
> +init_script_file(bird_initrc_exec_t)
> +
> +type bird_etc_t;
> +files_config_file(bird_etc_t)
> +
> +type bird_log_t;
> +logging_log_file(bird_log_t)
> +
> +type bird_var_run_t;
> +files_pid_file(bird_var_run_t)
> +
> +########################################
> +#
> +# Local policy
> +#
> +
> +allow bird_t self:capability { net_admin net_bind_service };
> +allow bird_t self:netlink_route_socket create_netlink_socket_perms;
> +allow bird_t self:tcp_socket create_stream_socket_perms;
> +
> +allow bird_t bird_etc_t:file read_file_perms;
> +
> +allow bird_t bird_log_t:file { create_file_perms append_file_perms setattr_file_perms };
> +logging_log_filetrans(bird_t, bird_log_t, file)
> +
> +allow bird_t bird_var_run_t:sock_file manage_sock_file_perms;
> +files_pid_filetrans(bird_t, bird_var_run_t, sock_file)
> +
> +corenet_all_recvfrom_unlabeled(bird_t)
> +corenet_all_recvfrom_netlabel(bird_t)
> +corenet_tcp_sendrecv_generic_if(bird_t)
> +corenet_tcp_bind_generic_node(bird_t)
> +corenet_tcp_sendrecv_generic_node(bird_t)
> +corenet_tcp_sendrecv_bgp_port(bird_t)
> +corenet_sendrecv_bgp_client_packets(bird_t)
> +corenet_tcp_connect_bgp_port(bird_t)
> +corenet_sendrecv_bgp_server_packets(bird_t)
> +corenet_tcp_bind_bgp_port(bird_t)
> +
> +# /etc/iproute2/rt_realms
> +files_read_etc_files(bird_t)
> +
> +logging_send_syslog_msg(bird_t)
> +
> +miscfiles_read_localization(bird_t)
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
> 


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com