From: dominick.grift@gmail.com (Dominick Grift)
Date: Sat, 08 Sep 2012 16:12:18 +0200
Subject: [refpolicy] [PATCH v2 6/9] Include policy for the iodine IP over DNS tunnel daemon
In-Reply-To: <1347106944-4861-1-git-send-email-bigon@debian.org>
References: <1346794648-27101-6-git-send-email-bigon@debian.org> <1347106944-4861-1-git-send-email-bigon@debian.org>
Message-ID: <1347113538.15262.116.camel@d30.localdomain>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Russell,

Some questions with regard to this policy module.

You labeled all of /usr/sbin/iodine.* type iodine_exec_t. I have reviewed the Debian init script for the iodine package and it only runs iodined and not the other iodine binaries in /usr/sbin. How come? Am I looking at the wrong init script or am I missing something here?

Also that same init script mentions a pid file and it's not created by the init script. Therefore I assume it gets created by iodined. However the iodine policy module has no rules to allow iodine to create a pid file.

In Fedora we also have iodine. The package is split into a server and a client. Both server and client get started by init. However, I suspect the client needs rules that are different from the rules that the server needs. Should there not, in that case, be a client domain as well as a server domain?

I hope you can clarify the above.

On Sat, 2012-09-08 at 14:22 +0200, Laurent Bigonville wrote: > From: Russell Coker > > --- > iodine.fc | 1 + > iodine.if | 1 + > iodine.te | 29 +++++++++++++++++++++++++++++ > 3 files changed, 31 insertions(+) > create mode 100644 iodine.fc > create mode 100644 iodine.if > create mode 100644 iodine.te > > diff --git a/iodine.fc b/iodine.fc > new file mode 100644 > index 0000000..71c964d > --- /dev/null > +++ b/iodine.fc > @@ -0,0 +1 @@ > +/usr/sbin/iodine.* -- gen_context(system_u:object_r:iodine_exec_t, s0) > diff --git a/iodine.if b/iodine.if > new file mode 100644 > index 0000000..4bec253 > --- /dev/null > +++ b/iodine.if 
> @@ -0,0 +1 @@ > +## policy for the iodine IP over DNS tunneling daemon > diff --git a/iodine.te b/iodine.te > new file mode 100644 > index 0000000..c383ad4 > --- /dev/null > +++ b/iodine.te > @@ -0,0 +1,29 @@ > +policy_module(iodine,1.0.0) > + > +type iodine_t; > +type iodine_exec_t; > +init_daemon_domain(iodine_t, iodine_exec_t) > + > +allow iodine_t self:capability { setgid setuid net_bind_service net_admin net_raw sys_chroot }; > +allow iodine_t self:rawip_socket { write read create }; > +allow iodine_t self:tun_socket create; > +allow iodine_t self:udp_socket connected_socket_perms; > +allow iodine_t self:unix_dgram_socket { create connect }; > + > +kernel_read_network_state(iodine_t) > +kernel_read_system_state(iodine_t) > +kernel_request_load_module(iodine_t) > +kernel_search_network_sysctl(iodine_t) > + > +corenet_raw_receive_generic_node(iodine_t) > +corenet_rw_tun_tap_dev(iodine_t) > +corenet_udp_bind_dns_port(iodine_t) > +corenet_udp_bind_generic_node(iodine_t) > + > +corecmd_exec_shell(iodine_t) > + > +files_read_etc_files(iodine_t) > + > +logging_send_syslog_msg(iodine_t) > + > +sysnet_domtrans_ifconfig(iodine_t)
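Review bot: in the iodine.fc hunk the pattern `/usr/sbin/iodine.* -- gen_context(system_u:object_r:iodine_exec_t, s0)` matches every binary in /usr/sbin whose name begins with iodine, so the client program and the iodined server both get iodine_exec_t and both transition into the one iodine_t daemon domain via init_daemon_domain(). If only iodined is meant to be started by init, narrow the entry to that binary (`/usr/sbin/iodined -- gen_context(system_u:object_r:iodine_exec_t, s0)`); if the client is also started by init, as described for the Fedora split packages, give it its own executable type and domain so its rules can differ from the server's.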
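Review bot: the iodine.if hunk contains only a comment and declares no interfaces, so no other module can be granted a domain transition to iodine_t or any access to its types; at minimum a domain-transition interface is needed if anything besides init is expected to run the binaries. The summary line `## policy for the iodine IP over DNS tunneling daemon` should also use the refpolicy form `## <summary>policy for the iodine IP over DNS tunneling daemon</summary>`, since the documentation tooling parses that tag.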
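Review bot: the iodine.te hunk has no rules for the pid file that the init script refers to: there is no var_run type for iodine_t, no files_pid_filetrans() and no manage rules, so a pid file written by iodined will be denied. The header should read `policy_module(iodine, 1.0.0)` with the space, and the file lacks the usual Declarations / Local policy section comments that other refpolicy modules carry. Separately, the single domain gets `setgid setuid net_bind_service net_admin net_raw sys_chroot`, raw IP and tun sockets, corenet_udp_bind_dns_port() and corecmd_exec_shell() all at once; whichever of the client or the server needs fewer of these rights still receives all of them, which supports splitting client and server into separate domains as raised in the mail above.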