From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Fri, 9 May 2014 08:33:38 -0400
Subject: [refpolicy] [PATCH 1/1] add module for the entropy key daemon
In-Reply-To: <1399497604-3278-1-git-send-email-petre.rodan@simplex.ro>
References: <1399497604-3278-1-git-send-email-petre.rodan@simplex.ro>
Message-ID: <536CCB22.3010207@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 05/07/2014 05:20 PM, Petre Rodan wrote:
> index 0000000..d2efb55 > --- /dev/null > +++ b/ekeyd.te 
> @@ -0,0 +1,82 @@ [...] > + > +type ekey_var_run_t; > +files_pid_file(ekey_var_run_t) > + > +require { > + type unreserved_port_t; > +} This looks like it should be a new port type based on the rules below. > +######################################## > +# > +# Local policy > +# > + > +# ekeyd - the Entropy Key Daemon > + > +allow ekeyd_t self:tcp_socket create_stream_socket_perms; > +allow ekeyd_t self:unix_dgram_socket create_socket_perms; > +allow ekeyd_t unreserved_port_t:tcp_socket name_connect; > + > +read_files_pattern(ekeyd_t, ekey_etc_t, ekey_etc_t) > +manage_sock_files_pattern(ekeyd_t, ekey_var_run_t, ekey_var_run_t) > +corenet_tcp_bind_generic_node(ekeyd_t) > +term_use_unallocated_ttys(ekeyd_t) > +logging_send_syslog_msg(ekeyd_t) > +miscfiles_read_localization(ekeyd_t) > +files_read_usr_files(ekeyd_t) > +files_pid_filetrans(ekeyd_t, ekey_var_run_t, sock_file) > + > +# tools Needs a bigger comment block/header for the ekeyd_tool_t domain > +allow ekey_tool_t self:fifo_file rw_fifo_file_perms; > +allow ekey_tool_t ekeyd_t:unix_stream_socket connectto; > + > +manage_files_pattern(ekey_tool_t, ekey_etc_t, ekey_etc_t) > +manage_sock_files_pattern(ekey_tool_t, ekey_var_run_t, ekey_var_run_t) > +corecmd_exec_shell(ekey_tool_t) > +can_exec(ekey_tool_t, ekey_tool_exec_t) > +corecmd_exec_bin(ekey_tool_t) > +userdom_use_user_terminals(ekey_tool_t) > +miscfiles_read_localization(ekey_tool_t) > +seutil_use_newrole_fds(ekey_tool_t) > +files_read_usr_files(ekey_tool_t) > +kernel_read_system_state(ekey_tool_t) > +dev_read_sysfs(ekey_tool_t) > +term_use_unallocated_ttys(ekey_tool_t) Why is it using unallocated ttys? 
> +# ekey-egd-linux - the EGD Entropy Daemon Same thing regarding the header > +allow ekey_egd_t self:netlink_route_socket create_netlink_socket_perms; > +allow ekey_egd_t self:tcp_socket create_socket_perms; > +allow ekey_egd_t self:unix_dgram_socket create_socket_perms; > +allow ekey_egd_t unreserved_port_t:tcp_socket name_connect; > + > +dev_write_rand(ekey_egd_t) > +miscfiles_read_localization(ekey_egd_t) > +logging_send_syslog_msg(ekey_egd_t) > + > +optional_policy(` > + daemontools_service_domain(ekeyd_t, ekeyd_exec_t) > + daemontools_service_domain(ekey_egd_t, ekey_egd_exec_t) > +') > + Overall it could use more space between interface calls to different modules. -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
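
Review bot: In the tools block, `manage_sock_files_pattern(ekey_tool_t, ekey_var_run_t, ekey_var_run_t)` is broader than a socket client needs: manage permissions let ekey_tool_t create, rename and unlink the daemon's socket files, while the only use visible in this hunk is the `connectto` on ekeyd_t's unix_stream_socket two rules earlier. Connecting needs write on the sock_file plus `connectto`, so `stream_connect_pattern(ekey_tool_t, ekey_var_run_t, ekey_var_run_t, ekeyd_t)` would cover both and replace the raw allow rule as well. The same least-privilege question applies to `manage_files_pattern(ekey_tool_t, ekey_etc_t, ekey_etc_t)`: if the tool really rewrites files under ekey_etc_t, a one-line comment saying which ones would justify it, otherwise `read_files_pattern` as used for ekeyd_t is enough. Separately, both `allow ... unreserved_port_t:tcp_socket name_connect;` rules reference a type owned by another module through the `require` block; once a dedicated port type exists, these should go through its corenetwork connect interface rather than a direct allow.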