From: lang@automata.rwth-aachen.de (Martin Lang)
Date: Mon, 3 Mar 2014 17:41:14 +0100
Subject: [refpolicy] Policy module for shibboleth authentication daemon
Message-ID: <5314B0AA.8080408@automata.rwth-aachen.de>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hi

I designed a policy module for the shibboleth authentication daemon (see http://shibboleth.internet2.edu/). Shibboleth is a single sign-on service mainly used in academic environments. The service consists of an apache module and a background daemon. The background daemon communicates with the remote authentication server, whereas the apache module only communicates locally with the authentication daemon via a unix stream socket.

I attached the policy files to this mail and would like the module to be included in the reference policy. I tested the rules on a Debian wheezy machine.

I'm open to improvements and other comments.

Regards,
Martin

-------------- next part: file contexts (shibboleth.fc) --------------

/etc/shibboleth(/.*)?	gen_context(system_u:object_r:shibboleth_etc_t,s0)

/usr/sbin/shibd	--	gen_context(system_u:object_r:shibboleth_exec_t,s0)

/var/log/shibboleth(/.*)?	gen_context(system_u:object_r:shibboleth_log_t,s0)

/var/run/shibboleth(/.*)?	gen_context(system_u:object_r:shibboleth_var_run_t,s0)

-------------- next part: interfaces (shibboleth.if) --------------

## <summary>Shibboleth authentication daemon</summary>

########################################
## <summary>
##	Allow your application domain to access
##	config files from shibboleth.
## </summary>
## <param name="domain">
##	<summary>
##	The domain which should be enabled.
##	</summary>
## </param>
#
# Declared as an interface rather than a template: no per-caller
# types are created, the caller is only granted read access.
interface(`shibboleth_read_config',`
	gen_require(`
		type shibboleth_etc_t;
	')

	files_search_etc($1)
	read_files_pattern($1, shibboleth_etc_t, shibboleth_etc_t)
	read_lnk_files_pattern($1, shibboleth_etc_t, shibboleth_etc_t)
')

-------------- next part: type enforcement (shibboleth.te) --------------

policy_module(shibboleth, 2.0.0)

########################################
#
# Declarations
#

type shibboleth_t;
type shibboleth_exec_t;
init_daemon_domain(shibboleth_t, shibboleth_exec_t)

type shibboleth_etc_t;
files_config_file(shibboleth_etc_t)

type shibboleth_log_t;
logging_log_file(shibboleth_log_t)

type shibboleth_var_run_t;
files_pid_file(shibboleth_var_run_t)
init_daemon_run_dir(shibboleth_var_run_t, "shibboleth")

########################################
#
# Local policy
#

# general process permissions
allow shibboleth_t self:process { signal_perms };

# networking:
# shibboleth uses tcp sockets for connecting to the central
# authentication server and unix stream sockets
# to exchange information with the apache module
allow shibboleth_t self:tcp_socket create_stream_socket_perms;
allow shibboleth_t self:unix_stream_socket create_stream_socket_perms;

sysnet_dns_name_resolve(shibboleth_t)
corenet_all_recvfrom_unlabeled(shibboleth_t)
corenet_all_recvfrom_netlabel(shibboleth_t)
corenet_tcp_sendrecv_generic_if(shibboleth_t)
corenet_tcp_sendrecv_generic_node(shibboleth_t)
corenet_tcp_sendrecv_all_ports(shibboleth_t)
corenet_tcp_connect_http_port(shibboleth_t)

# permissions for the configuration files
files_read_etc_files(shibboleth_t)
files_search_etc(shibboleth_t)
read_files_pattern(shibboleth_t, shibboleth_etc_t, shibboleth_etc_t)
read_lnk_files_pattern(shibboleth_t, shibboleth_etc_t, shibboleth_etc_t)

# logging related permissions; the filetrans below covers the dir
# class, so the daemon also needs to manage shibboleth_log_t dirs
manage_dirs_pattern(shibboleth_t, shibboleth_log_t, shibboleth_log_t)
manage_files_pattern(shibboleth_t, shibboleth_log_t, shibboleth_log_t)
logging_log_filetrans(shibboleth_t, shibboleth_log_t, { file dir })
logging_send_syslog_msg(shibboleth_t)

# permissions for /run (pid file and the unix socket used by apache)
manage_files_pattern(shibboleth_t, shibboleth_var_run_t, shibboleth_var_run_t)
manage_sock_files_pattern(shibboleth_t, shibboleth_var_run_t, shibboleth_var_run_t)

# allow reading common data under /usr/share and timezone/localization info
files_read_usr_files(shibboleth_t)
miscfiles_read_localization(shibboleth_t)

dev_read_urand(shibboleth_t)

term_dontaudit_search_ptys(shibboleth_t)
term_dontaudit_use_all_ptys(shibboleth_t)
term_dontaudit_use_all_ttys(shibboleth_t)
domain_dontaudit_use_interactive_fds(shibboleth_t)

# there is shared information between apache and shibboleth, e.g., certificates;
# the apache module may be absent, so the dependency is optional
optional_policy(`
	apache_read_config(shibboleth_t)
')

# Allow the apache shibboleth module to connect to shibd
# and to read the shibboleth configuration
optional_policy(`
	gen_require(`
		type httpd_t;
	')

	stream_connect_pattern(httpd_t, shibboleth_var_run_t, shibboleth_var_run_t, shibboleth_t)
	shibboleth_read_config(httpd_t)
')
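As an added illustration (not part of the mail or of refpolicy itself), the following Python parses the file-context entries from the shibboleth.fc attachment above and answers the question a reviewer of an .fc file wants checked: which security context does a given path and object class receive? It follows the setfiles rules that the regex is anchored to the whole path, that an optional middle column such as `--` restricts an entry to one object class, and that the last matching entry wins; the .fc text is a copy of the attachment embedded inline so the script runs offline.

```python
import re

# Copy of the four shibboleth.fc entries from the mail, embedded so the
# script runs offline (tab-separated, as refpolicy writes them).
SHIBBOLETH_FC = (
    "/etc/shibboleth(/.*)?\tgen_context(system_u:object_r:shibboleth_etc_t,s0)\n"
    "/usr/sbin/shibd\t--\tgen_context(system_u:object_r:shibboleth_exec_t,s0)\n"
    "/var/log/shibboleth(/.*)?\tgen_context(system_u:object_r:shibboleth_log_t,s0)\n"
    "/var/run/shibboleth(/.*)?\tgen_context(system_u:object_r:shibboleth_var_run_t,s0)\n"
)

# Object-class codes allowed in the optional middle column of an .fc entry.
FILE_TYPES = {"--": "file", "-d": "dir", "-l": "lnk_file", "-s": "sock_file",
              "-p": "fifo_file", "-c": "chr_file", "-b": "blk_file"}

GEN_CONTEXT = re.compile(r"gen_context\(([^,()]+),([^,()]+)\)")


def parse_fc(text):
    """Return [(anchored regex, object class or None, security context)]."""
    specs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 3:
            path_re, obj_class, ctx = fields[0], FILE_TYPES[fields[1]], fields[2]
        elif len(fields) == 2:
            path_re, obj_class, ctx = fields[0], None, fields[1]
        else:
            raise ValueError("malformed .fc entry: %r" % raw)
        m = GEN_CONTEXT.fullmatch(ctx)
        if m is None:
            raise ValueError("malformed context in .fc entry: %r" % raw)
        # setfiles matches the regex against the whole path, not a prefix
        specs.append((re.compile("^" + path_re + "$"), obj_class, m.group(1) + ":" + m.group(2)))
    return specs


def label_for(specs, path, obj_class="file"):
    """Label a path as setfiles/matchpathcon would: the last matching entry
    wins, and an entry with an object-class column applies to that class only."""
    for path_re, spec_class, ctx in reversed(specs):
        if spec_class in (None, obj_class) and path_re.match(path):
            return ctx
    return None


if __name__ == "__main__":
    specs = parse_fc(SHIBBOLETH_FC)
    for p, c in [("/etc/shibboleth/shibboleth2.xml", "file"), ("/usr/sbin/shibd", "file"),
                 ("/usr/sbin/shibd", "dir"), ("/var/run/shibboleth/shibd.sock", "sock_file")]:
        print(p, c, "->", label_for(specs, p, c))
```

A `None` result means no entry applies and the object would keep the default label of its parent directory, which is exactly the case (a directory named /usr/sbin/shibd, or a path outside the four trees) that a reviewer wants to spot before the module is installed.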