From: lang@automata.rwth-aachen.de (Martin Lang)
Date: Mon, 3 Mar 2014 17:41:14 +0100
Subject: [refpolicy] Policy module for shibboleth authentication daemon
Message-ID: <5314B0AA.8080408@automata.rwth-aachen.de>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
Hi
I designed a policy module for the shibboleth authentication daemon (see
http://shibboleth.internet2.edu/). Shibboleth is a single sign-on
service mainly used in academic environments. The service consists of an
apache module and a background daemon. The background daemon
communicates with the remote authentication server, whereas the apache
module only communicates locally with the authentication daemon via a unix
stream socket.
I attached the policy files to this mail and would like the module to be
included in the reference policy. I tested the rules on a Debian wheezy
machine.
I'm open to improvements and other comments.
Regards,
Martin
-------------- next part --------------
# File contexts for the shibboleth authentication daemon (shibd).
# Paths are taken from the Debian layout; types are declared in shibboleth.te.
# NOTE(review): on systems where /var/run is a symlink to /run, check whether
# the run-directory entry below also needs to be reachable under /run.

# configuration, metadata and certificates
/etc/shibboleth(/.*)?		gen_context(system_u:object_r:shibboleth_etc_t,s0)

# daemon entry point
/usr/sbin/shibd		--	gen_context(system_u:object_r:shibboleth_exec_t,s0)

# log directory
/var/log/shibboleth(/.*)?	gen_context(system_u:object_r:shibboleth_log_t,s0)

# pid file and listener socket
/var/run/shibboleth(/.*)?	gen_context(system_u:object_r:shibboleth_var_run_t,s0)
-------------- next part --------------
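## <summary>Shibboleth authentication daemon</summary>

########################################
## <summary>
##	Read the shibboleth configuration files
##	under /etc/shibboleth, symlinks included.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`shibboleth_read_config',`
	gen_require(`
		type shibboleth_etc_t;
	')

	# the caller has to be able to traverse /etc to reach the
	# shibboleth_etc_t tree; read_files_pattern alone does not grant it
	files_search_etc($1)
	read_files_pattern($1, shibboleth_etc_t, shibboleth_etc_t)
	read_lnk_files_pattern($1, shibboleth_etc_t, shibboleth_etc_t)
')

########################################
## <summary>
##	Connect to the shibboleth daemon over its
##	unix stream socket in /var/run/shibboleth.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`shibboleth_stream_connect',`
	gen_require(`
		type shibboleth_t, shibboleth_var_run_t;
	')

	# socket lives below the pid directory
	files_search_pids($1)
	stream_connect_pattern($1, shibboleth_var_run_t, shibboleth_var_run_t, shibboleth_t)
')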
-------------- next part --------------
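policy_module(shibboleth, 2.0.0)

########################################
#
# Declarations
#

# shibd daemon domain and its entry point (/usr/sbin/shibd)
type shibboleth_t;
type shibboleth_exec_t;
init_daemon_domain(shibboleth_t, shibboleth_exec_t)

# /etc/shibboleth: configuration, metadata, certificates
type shibboleth_etc_t;
files_config_file(shibboleth_etc_t)

# /var/log/shibboleth
type shibboleth_log_t;
logging_log_file(shibboleth_log_t)

# /var/run/shibboleth: pid file and the listener socket used by the
# apache module; the directory itself is created by init
type shibboleth_var_run_t;
files_pid_file(shibboleth_var_run_t)
init_daemon_run_dir(shibboleth_var_run_t, "shibboleth")

########################################
#
# Local policy
#

allow shibboleth_t self:process signal_perms;
# tcp for the remote authentication server, unix stream sockets for
# the local exchange with the apache module
allow shibboleth_t self:tcp_socket create_stream_socket_perms;
allow shibboleth_t self:unix_stream_socket create_stream_socket_perms;

# Configuration. files_read_etc_files() already covers searching /etc
# itself, so no separate files_search_etc() is needed.
files_read_etc_files(shibboleth_t)
read_files_pattern(shibboleth_t, shibboleth_etc_t, shibboleth_etc_t)
read_lnk_files_pattern(shibboleth_t, shibboleth_etc_t, shibboleth_etc_t)

# Logging. The "dir" entry of the filetrans only takes effect if the
# domain may also create directories of that type, hence manage_dirs.
manage_dirs_pattern(shibboleth_t, shibboleth_log_t, shibboleth_log_t)
manage_files_pattern(shibboleth_t, shibboleth_log_t, shibboleth_log_t)
logging_log_filetrans(shibboleth_t, shibboleth_log_t, { dir file })
logging_send_syslog_msg(shibboleth_t)

# /var/run/shibboleth: pid file and the unix stream socket.
# NOTE(review): nothing here grants search on the parent pid directory;
# if denials on it show up, files_search_pids() is the usual fix -
# confirm against the audit log.
manage_files_pattern(shibboleth_t, shibboleth_var_run_t, shibboleth_var_run_t)
manage_sock_files_pattern(shibboleth_t, shibboleth_var_run_t, shibboleth_var_run_t)

# Networking: tcp client towards the remote authentication server.
# Outbound connects are restricted to the http port set; the
# sendrecv rules are the generic client boilerplate.
corenet_all_recvfrom_unlabeled(shibboleth_t)
corenet_all_recvfrom_netlabel(shibboleth_t)
corenet_tcp_sendrecv_generic_if(shibboleth_t)
corenet_tcp_sendrecv_generic_node(shibboleth_t)
corenet_tcp_sendrecv_all_ports(shibboleth_t)
corenet_tcp_connect_http_port(shibboleth_t)
corenet_sendrecv_http_client_packets(shibboleth_t)

dev_read_urand(shibboleth_t)

domain_dontaudit_use_interactive_fds(shibboleth_t)

# common data under /usr/share
files_read_usr_files(shibboleth_t)

# timezone and locale data
miscfiles_read_localization(shibboleth_t)

sysnet_dns_name_resolve(shibboleth_t)

term_dontaudit_search_ptys(shibboleth_t)
term_dontaudit_use_all_ptys(shibboleth_t)
term_dontaudit_use_all_ttys(shibboleth_t)

# apache is a separate, optional module: its interface call and any
# rule naming httpd_t must be conditional, otherwise this module does
# not link when apache is not loaded
optional_policy(`
	# shared information between apache and shibd, e.g. certificates
	apache_read_config(shibboleth_t)
')

optional_policy(`
	# The apache shibboleth module connects to shibd over the unix
	# stream socket in /var/run/shibboleth and reads the shared
	# configuration. Rules on httpd_t belong in apache.te, expressed
	# through shibboleth_* interfaces; they are kept here so the
	# module is usable without touching the apache module.
	gen_require(`
		type httpd_t;
	')

	stream_connect_pattern(httpd_t, shibboleth_var_run_t, shibboleth_var_run_t, shibboleth_t)
	read_files_pattern(httpd_t, shibboleth_etc_t, shibboleth_etc_t)
')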