From: pebenito@ieee.org (Chris PeBenito)
Date: Wed, 1 Nov 2017 18:58:33 -0400
Subject: [refpolicy] [PATCH 2/3] gssproxy: add policy
In-Reply-To: <20171031053758.7816-2-jason@perfinion.com>
References: <20171031053758.7816-1-jason@perfinion.com>
<20171031053758.7816-2-jason@perfinion.com>
Message-ID: <9dad30d3-4c62-8598-97fb-ee5438c04fa7@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
On 10/31/2017 01:37 AM, Jason Zaman wrote:
> borrowed and modified from Fedora
> ---
> gssproxy.fc | 8 +++
> gssproxy.if | 199 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> gssproxy.te | 67 ++++++++++++++++++++
> 3 files changed, 274 insertions(+)
> create mode 100644 gssproxy.fc
> create mode 100644 gssproxy.if
> create mode 100644 gssproxy.te
>
> diff --git a/gssproxy.fc b/gssproxy.fc
> new file mode 100644
> index 0000000..a997015
> --- /dev/null
> +++ b/gssproxy.fc
> @@ -0,0 +1,8 @@
> +/usr/lib/systemd/system/gssproxy.service -- gen_context(system_u:object_r:gssproxy_unit_t,s0)
> +
> +/usr/sbin/gssproxy -- gen_context(system_u:object_r:gssproxy_exec_t,s0)
> +
> +/var/lib/gssproxy(/.*)? gen_context(system_u:object_r:gssproxy_var_lib_t,s0)
> +
> +/run/gssproxy\.pid -- gen_context(system_u:object_r:gssproxy_run_t,s0)
> +/run/gssproxy\.sock -s gen_context(system_u:object_r:gssproxy_run_t,s0)
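Review bot: The unit-file entry on the first line leaves the dot in `gssproxy.service` unescaped while the /run entries escape theirs (`gssproxy\.pid`, `gssproxy\.sock`); file context specifications are regular expressions, so for consistency it should read `/usr/lib/systemd/system/gssproxy\.service -- gen_context(system_u:object_r:gssproxy_unit_t,s0)`. The unescaped form only matches slightly more broadly, so this is a consistency fix rather than a labeling error.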
> diff --git a/gssproxy.if b/gssproxy.if
> new file mode 100644
> index 0000000..cebdb20
> --- /dev/null
> +++ b/gssproxy.if
> @@ -0,0 +1,199 @@
> +
> +## policy for gssproxy
Need something more descriptive.
> +########################################
> +##
> +## Execute gssproxy in the gssproxy domin.
> +##
> +##
> +##
> +## Domain allowed to transition.
> +##
> +##
> +#
> +interface(`gssproxy_domtrans',`
> + gen_require(`
> + type gssproxy_t, gssproxy_exec_t;
> + ')
> +
> + corecmd_search_bin($1)
> + domtrans_pattern($1, gssproxy_exec_t, gssproxy_t)
> +')
> +
> +########################################
> +##
> +## Search gssproxy lib directories.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`gssproxy_search_lib',`
> + gen_require(`
> + type gssproxy_var_lib_t;
> + ')
> +
> + allow $1 gssproxy_var_lib_t:dir search_dir_perms;
> + files_search_var_lib($1)
> +')
> +
> +########################################
> +##
> +## Read gssproxy lib files.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`gssproxy_read_lib_files',`
> + gen_require(`
> + type gssproxy_var_lib_t;
> + ')
> +
> + files_search_var_lib($1)
> + read_files_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
> +')
> +
> +########################################
> +##
> +## Manage gssproxy lib files.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`gssproxy_manage_lib_files',`
> + gen_require(`
> + type gssproxy_var_lib_t;
> + ')
> +
> + files_search_var_lib($1)
> + manage_files_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
> +')
> +
> +########################################
> +##
> +## Manage gssproxy lib directories.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`gssproxy_manage_lib_dirs',`
> + gen_require(`
> + type gssproxy_var_lib_t;
> + ')
> +
> + files_search_var_lib($1)
> + manage_dirs_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
> +')
> +
> +########################################
> +##
> +## Read gssproxy PID files.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`gssproxy_read_pid_files',`
> + gen_require(`
> + type gssproxy_run_t;
> + ')
> +
> + files_search_pids($1)
> + read_files_pattern($1, gssproxy_run_t, gssproxy_run_t)
> +')
> +
> +########################################
> +##
> +## Execute gssproxy server in the gssproxy domain.
> +##
> +##
> +##
> +## Domain allowed to transition.
> +##
> +##
> +#
> +interface(`gssproxy_systemctl',`
> + gen_require(`
> + type gssproxy_t;
> + type gssproxy_unit_t;
> + ')
> +
> + systemd_exec_systemctl($1)
This doesn't exist.
> + init_reload_services($1)
> + allow $1 gssproxy_unit_t:file read_file_perms;
> + allow $1 gssproxy_unit_t:service manage_service_perms;
> +
> + ps_process_pattern($1, gssproxy_t)
> +')
This interface needs to be broken up into 3 or 4.
> +########################################
> +##
> +## Connect to gssproxy over an unix
> +## domain stream socket.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`gssproxy_stream_connect',`
> + gen_require(`
> + type gssproxy_t, gssproxy_run_t, gssproxy_var_lib_t;
> + ')
> +
> + files_search_pids($1)
> + stream_connect_pattern($1, gssproxy_run_t, gssproxy_run_t, gssproxy_t)
> + stream_connect_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t, gssproxy_t)
> +')
> +
> +########################################
> +##
> +## All of the rules required to administrate
> +## an gssproxy environment
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +##
> +#
> +interface(`gssproxy_admin',`
> + gen_require(`
> + type gssproxy_t;
> + type gssproxy_var_lib_t;
> + type gssproxy_run_t;
> + type gssproxy_unit_t;
> + ')
> +
> + allow $1 gssproxy_t:process { ptrace signal_perms };
> + ps_process_pattern($1, gssproxy_t)
> +
> + files_search_var_lib($1)
> + admin_pattern($1, gssproxy_var_lib_t)
> +
> + files_search_pids($1)
> + admin_pattern($1, gssproxy_run_t)
> +
> + gssproxy_systemctl($1)
> + admin_pattern($1, gssproxy_unit_t)
> + allow $1 gssproxy_unit_t:service all_service_perms;
> + optional_policy(`
> + systemd_passwd_agent_exec($1)
> + systemd_read_fifo_file_passwd_run($1)
More invalid interface usage.
> + ')
> +')
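Review bot: gssproxy_stream_connect allows connecting through sockets labeled gssproxy_var_lib_t but only calls `files_search_pids($1)`; a client reaching a socket under /var/lib/gssproxy also needs `files_search_var_lib($1)`, as the other lib interfaces in this file already do. Separately, gssproxy_admin takes only the domain argument, whereas refpolicy admin interfaces conventionally also take the role as `$2` so that service start/stop can be granted through init_startstop_service; that second parameter should be added when the systemctl part is reworked.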
> diff --git a/gssproxy.te b/gssproxy.te
> new file mode 100644
> index 0000000..466c700
> --- /dev/null
> +++ b/gssproxy.te
> @@ -0,0 +1,67 @@
> +policy_module(gssproxy, 1.0.0)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +type gssproxy_t;
> +type gssproxy_exec_t;
> +init_daemon_domain(gssproxy_t, gssproxy_exec_t)
> +
> +type gssproxy_var_lib_t;
> +files_type(gssproxy_var_lib_t)
> +
> +type gssproxy_run_t;
> +files_pid_file(gssproxy_run_t)
> +
> +type gssproxy_unit_t;
> +init_unit_file(gssproxy_unit_t)
> +
> +########################################
> +#
> +# gssproxy local policy
> +#
> +allow gssproxy_t self:capability { setuid setgid };
> +allow gssproxy_t self:capability2 block_suspend;
> +allow gssproxy_t self:fifo_file rw_fifo_file_perms;
> +allow gssproxy_t self:unix_stream_socket create_stream_socket_perms;
> +
> +manage_dirs_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
> +manage_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
> +manage_sock_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
> +manage_lnk_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
> +files_var_lib_filetrans(gssproxy_t, gssproxy_var_lib_t, { dir file lnk_file })
> +
> +manage_dirs_pattern(gssproxy_t, gssproxy_run_t, gssproxy_run_t)
> +manage_files_pattern(gssproxy_t, gssproxy_run_t, gssproxy_run_t)
> +manage_sock_files_pattern(gssproxy_t, gssproxy_run_t, gssproxy_run_t)
> +manage_lnk_files_pattern(gssproxy_t, gssproxy_run_t, gssproxy_run_t)
> +files_pid_filetrans(gssproxy_t, gssproxy_run_t, { dir file lnk_file sock_file })
> +
> +kernel_rw_rpc_sysctls(gssproxy_t)
> +
> +domain_use_interactive_fds(gssproxy_t)
> +
> +files_read_etc_files(gssproxy_t)
> +
> +fs_getattr_all_fs(gssproxy_t)
> +
> +auth_use_nsswitch(gssproxy_t)
> +
> +dev_read_urand(gssproxy_t)
> +
> +logging_send_syslog_msg(gssproxy_t)
> +
> +miscfiles_read_localization(gssproxy_t)
> +
> +userdom_read_all_users_keys(gssproxy_t)
> +userdom_manage_user_tmp_dirs(gssproxy_t)
> +userdom_manage_user_tmp_files(gssproxy_t)
> +
> +optional_policy(`
> + kerberos_filetrans_named_content(gssproxy_t)
> + kerberos_manage_host_rcache(gssproxy_t)
> + kerberos_read_keytab(gssproxy_t)
> + kerberos_use(gssproxy_t)
> +')
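Review bot: The `userdom_read_all_users_keys`, `userdom_manage_user_tmp_dirs` and `userdom_manage_user_tmp_files` calls give the daemon access to every user's keyring and tmp data with no comment explaining why; a one-line justification such as `# presumably per-user Kerberos credential caches (keyring and /tmp) — confirm` would let a reviewer judge whether a narrower kerberos_* interface fits instead. Style: the `# gssproxy local policy` header block is not followed by a blank line before the first allow rule, unlike the Declarations section above it.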
>
--
Chris PeBenito