2012-02-14 18:41:13

by icon

Subject: [refpolicy] RFE: kup module

Hi, all:

Kup is a secure upload tool used by kernel developers to upload
cryptographically verified packages to kernel.org. It is included in
Fedora+EPEL, as well as a number of other distributions (Debian, Ubuntu,
etc).

Attached is the policy I wrote for running kup-server on RHEL6. It's
been running in enforcing mode for the past month, so I believe it is
ready to be considered for refpolicy.

Best regards,
--
Konstantin Ryabitsev
Systems Administrator, Kernel.org
Montréal, Québec
-------------- next part --------------

## <summary>policy for kup-server</summary>


########################################
## <summary>
## Execute kup-server with a domain transition to kup_server_t.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`kup_server_domtrans',`
gen_require(`
type kup_server_t, kup_server_exec_t;
')

# kup_server_exec_t (/usr/bin/kup-server per the .fc) is the entrypoint;
# when $1 executes it the resulting process runs in kup_server_t
domtrans_pattern($1, kup_server_exec_t, kup_server_t)
')


########################################
## <summary>
## Read content uploaded via kup
## (the pub/tmp trees under /var/lib/kup).
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`kup_server_read_content',`
gen_require(`
type kup_server_content_rw_t;
')

# search on /var/lib so the path down to the content trees resolves
files_search_var_lib($1)
# read files and list directories only; symlinks inside the trees are
# not covered here (kup_server_t itself gets read_lnk_files in the .te)
read_files_pattern($1, kup_server_content_rw_t, kup_server_content_rw_t)
list_dirs_pattern($1, kup_server_content_rw_t, kup_server_content_rw_t)
')

########################################
## <summary>
## Create, read, write, and delete
## content uploaded via kup.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`kup_server_manage_content',`
gen_require(`
type kup_server_content_rw_t;
')

# search on /var/lib so the path down to the content trees resolves
files_search_var_lib($1)
# this is the same create/write/delete access kup_server_t itself has on
# the upload trees in the .te; hand it only to domains that must rewrite
# uploaded content, readers should use kup_server_read_content instead
manage_files_pattern($1, kup_server_content_rw_t, kup_server_content_rw_t)
manage_dirs_pattern($1, kup_server_content_rw_t, kup_server_content_rw_t)
')


########################################
## <summary>
## Execute kup in the kup domain, and
## allow the specified role the kup domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed the kup domain.
## </summary>
## </param>
#
interface(`kup_server_run',`
gen_require(`
type kup_server_t;
')

kup_server_domtrans($1)
# allow role $2 to be associated with kup_server_t, otherwise the
# transition above is blocked by RBAC for that role
role $2 types kup_server_t;
# siginh / rlimitinh: kup_server_t inherits the signal state and resource
# limits of the caller across the exec; noatsecure: the new domain is not
# given the AT_SECURE (secure-exec) treatment.
# NOTE(review): these are unusual for a _run interface and weaken the
# boundary between the caller and kup_server_t; noatsecure in particular
# lets the caller environment carry into the new domain. Confirm they are
# actually required (kup_server_role grants plain signal instead).
allow $1 kup_server_t:process { siginh noatsecure rlimitinh };
')

########################################
## <summary>
## Role access for kup: let a user role and its
## domain run kup-server and manage the result.
## </summary>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <param name="domain">
## <summary>
## User domain for the role.
## </summary>
## </param>
#
interface(`kup_server_role',`
gen_require(`
type kup_server_t;
')

# allow role $1 to be associated with kup_server_t
role $1 types kup_server_t;

# user domain transitions into kup_server_t when executing kup-server
kup_server_domtrans($2)

# the user domain can see kup_server_t processes (ps) and send them
# signals; note that kup_server_run grants a different set of process
# permissions ({ siginh noatsecure rlimitinh }) to its caller
ps_process_pattern($2, kup_server_t)
allow $2 kup_server_t:process signal;
')


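########################################
## <summary>
## All of the rules required to administrate
## a kup environment.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`kup_server_admin',`
gen_require(`
type kup_server_t;
type kup_server_etc_t;
type kup_server_var_lib_t;
type kup_server_content_rw_t;
type kup_server_var_run_t;
')

# let the admin domain run kup-server in kup_server_t and associate the
# admin role with that type; $2 was documented but previously unused
kup_server_domtrans($1)
role $2 types kup_server_t;

# inspect (ps), debug (ptrace) and signal running kup-server processes
allow $1 kup_server_t:process { ptrace signal_perms };
ps_process_pattern($1, kup_server_t)

# full management of the configuration under /etc/kup
files_search_etc($1)
admin_pattern($1, kup_server_etc_t)

# full management of /var/lib/kup (including the pgp dir) and of the
# pub/tmp upload trees
files_search_var_lib($1)
admin_pattern($1, kup_server_var_lib_t)
admin_pattern($1, kup_server_content_rw_t)

# full management of /var/run/kup
files_search_pids($1)
admin_pattern($1, kup_server_var_run_t)
')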
-------------- next part --------------
# kup-server binary, entrypoint for kup_server_t ("--" matches regular files only)
/usr/bin/kup-server -- gen_context(system_u:object_r:kup_server_exec_t,s0)
# configuration tree
/etc/kup(/.*)? gen_context(system_u:object_r:kup_server_etc_t,s0)
# state directory; this entry matches the directory itself only, entries
# below it other than pgp/pub/tmp are not labeled by this file.
# both types here are read-only for kup_server_t in the .te
/var/lib/kup gen_context(system_u:object_r:kup_server_var_lib_t,s0)
/var/lib/kup/pgp(/.*)? gen_context(system_u:object_r:kup_server_var_lib_t,s0)
# upload trees, the only /var/lib paths kup_server_t may write
/var/lib/kup/pub(/.*)? gen_context(system_u:object_r:kup_server_content_rw_t,s0)
/var/lib/kup/tmp(/.*)? gen_context(system_u:object_r:kup_server_content_rw_t,s0)
# runtime state
/var/run/kup(/.*)? gen_context(system_u:object_r:kup_server_var_run_t,s0)

-------------- next part --------------
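policy_module(kup,1.0.0)

########################################
#
# Declarations
#

# kup-server process domain and its entrypoint (/usr/bin/kup-server)
type kup_server_t;
type kup_server_exec_t;
application_domain(kup_server_t, kup_server_exec_t)
# reachable from system_r; user roles are added via kup_server_role()
role system_r types kup_server_t;

# /etc/kup
type kup_server_etc_t;
files_config_file(kup_server_etc_t)

# /var/lib/kup and /var/lib/kup/pgp, read-only for the service (see below)
type kup_server_var_lib_t;
files_type(kup_server_var_lib_t)

# /var/lib/kup/pub and /var/lib/kup/tmp, the upload trees the service writes
type kup_server_content_rw_t;
files_type(kup_server_content_rw_t)

# /var/run/kup
type kup_server_var_run_t;
# not really a pid file, but the policy suits what we want to do
files_pid_file(kup_server_var_run_t)

########################################
#
# kup_server local policy
#

allow kup_server_t self:fifo_file manage_fifo_file_perms;
# setrlimit: adjust its own resource limits
# signal: allow passing signals to child processes
allow kup_server_t self:process { setrlimit signal };

# configuration and the pgp material are read-only for the service
read_files_pattern(kup_server_t, kup_server_etc_t, kup_server_etc_t)
read_files_pattern(kup_server_t, kup_server_var_lib_t, kup_server_var_lib_t)

# upload trees: create, write, delete, follow symlinks
manage_files_pattern(kup_server_t, kup_server_content_rw_t, kup_server_content_rw_t)
manage_dirs_pattern(kup_server_t, kup_server_content_rw_t, kup_server_content_rw_t)
read_lnk_files_pattern(kup_server_t, kup_server_content_rw_t, kup_server_content_rw_t)
# NOTE(review): the parent type here is var_lib_t, i.e. /var/lib itself,
# so as I read files_var_lib_filetrans this also grants kup_server_t the
# directory write access needed to create entries directly in /var/lib.
# The content trees live under /var/lib/kup (kup_server_var_lib_t), which
# kup_server_t can only read, so confirm this rule is really exercised or
# whether it can be dropped/narrowed to a kup_server_var_lib_t parent.
files_var_lib_filetrans(kup_server_t, kup_server_content_rw_t, { dir file })

# runtime state under /var/run/kup; new entries the service creates in
# /var/run get kup_server_var_run_t
manage_dirs_pattern(kup_server_t, kup_server_var_run_t, kup_server_var_run_t)
manage_files_pattern(kup_server_t, kup_server_var_run_t, kup_server_var_run_t)
files_pid_filetrans(kup_server_t, kup_server_var_run_t, { dir file })

# use the fds (tty, pipes) inherited from the invoking interactive domain
domain_use_interactive_fds(kup_server_t)

# used internally by perl to load modules and localizations
files_read_usr_files(kup_server_t)
miscfiles_read_localization(kup_server_t)
# looking up user info
auth_use_nsswitch(kup_server_t)
# sending logs to syslog
logging_send_syslog_msg(kup_server_t)
# gathering entropy for uniqueness
dev_read_urand(kup_server_t)
# accessing git trees for kup put --tar and --diff
git_read_generic_system_content_files(kup_server_t)
# executing gzip, bzip2, xz
corecmd_exec_bin(kup_server_t)
# xz wants to read /proc/meminfo
kernel_read_system_state(kup_server_t)
# Temp.pm wants to stat bits in the userdir
files_search_home(kup_server_t)
userdom_search_user_home_dirs(kup_server_t)
userdom_getattr_user_home_dirs(kup_server_t)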

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 665 bytes
Desc: This is a digitally signed message part
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20120214/b3783b1c/attachment.bin