From: Dominick Grift <domg472@gmail.com>
To: selinux@tycho.nsa.gov
Subject: [REFPOLICY PATCH] Added policy module for the oident daemon.
Date: Sat, 26 Jul 2008 15:07:49 +0200 [thread overview]
Message-ID: <1217077669.8496.2.camel@sulphur.notebook.internal> (raw)
Signed-off-by: Dominick Grift <domg472@gmail.com>
---
policy/modules/services/oidentd.fc | 9 +++++
policy/modules/services/oidentd.if | 7 ++++
policy/modules/services/oidentd.te | 68
++++++++++++++++++++++++++++++++++++
3 files changed, 84 insertions(+), 0 deletions(-)
create mode 100644 policy/modules/services/oidentd.fc
create mode 100644 policy/modules/services/oidentd.if
create mode 100644 policy/modules/services/oidentd.te
diff --git a/policy/modules/services/oidentd.fc
b/policy/modules/services/oidentd.fc
new file mode 100644
index 0000000..a9209dc
--- /dev/null
+++ b/policy/modules/services/oidentd.fc
@@ -0,0 +1,9 @@
+
+/etc/oidentd.conf --
gen_context(system_u:object_r:oidentd_config_t,s0)
+/etc/oidentd_masq.conf --
gen_context(system_u:object_r:oidentd_config_t,s0)
+
+ifdef(`distro_redhat', `
+/etc/rc\.d/init\.d/oidentd --
gen_context(system_u:object_r:oidentd_script_exec_t,s0)
+')
+
+/usr/sbin/oidentd -- gen_context(system_u:object_r:oidentd_exec_t,s0)
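Review bot: The literal dots in `/etc/oidentd.conf` and `/etc/oidentd_masq.conf` are left unescaped even though file-context paths are regular expressions, so `.` matches any single character; the init-script entry in the same hunk escapes its dots and the config entries should too: `/etc/oidentd\.conf -- gen_context(system_u:object_r:oidentd_config_t,s0)` and `/etc/oidentd_masq\.conf -- gen_context(system_u:object_r:oidentd_config_t,s0)`. As displayed here each `gen_context(...)` sits on the line after its path; that looks like mail-client wrapping, but if the committed file really splits them, setfiles will reject those entries, so it is worth confirming the on-disk file. The per-user `~/.oidentd.conf` that the .te refers to has no file-context entry here, which is what forces the daemon to read all unprivileged home content instead of one dedicated type.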
diff --git a/policy/modules/services/oidentd.if
b/policy/modules/services/oidentd.if
new file mode 100644
index 0000000..a745861
--- /dev/null
+++ b/policy/modules/services/oidentd.if
@@ -0,0 +1,7 @@
+## <summary>SELinux policy for the oident daemon.</summary>
+## <desc>
+## <p>
+## Applies SELinux security to the oident daemon.
+## </p>
+## </desc>
+
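Review bot: The interface file contains only the module summary and declares no interfaces, so no other domain can manage oidentd_t or its config type and there is no `oidentd_admin` for the role-based admin pattern other service modules provide. At minimum an admin interface that requires `oidentd_t` and `oidentd_config_t`, grants process signalling, the init-script transition, and `admin_pattern` on the config type would make the module usable from sysadm policy. Note that `oidentd_script_exec_t` is only declared under `ifdef(distro_redhat)` in the .te, so a `gen_require` on it would fail to link on other distros; the sketch below presumes the script type is declared unconditionally, as other modules do, and the exact helper names should be checked against the refpolicy revision being targeted.
```m4
########################################
## <summary>
##	All of the rules required to administrate
##	an oidentd environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed to manage the oidentd domain.
##	</summary>
## </param>
## <rolecap/>
#
interface(`oidentd_admin',`
	gen_require(`
		type oidentd_t, oidentd_config_t, oidentd_script_exec_t;
	')

	allow $1 oidentd_t:process { ptrace signal_perms };

	init_labeled_script_domtrans($1, oidentd_script_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 oidentd_script_exec_t system_r;
	allow $2 system_r;

	files_search_etc($1)
	admin_pattern($1, oidentd_config_t)
')
```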
diff --git a/policy/modules/services/oidentd.te
b/policy/modules/services/oidentd.te
new file mode 100644
index 0000000..1b770cf
--- /dev/null
+++ b/policy/modules/services/oidentd.te
@@ -0,0 +1,68 @@
+
+policy_module(oidentd, 0.0.1)
+
+########################################
+#
+# oidentd private declarations
+#
+
+## <desc>
+## <p>
+## Allow the oident daemon to read
+## unprivileged user home content files.
+## </p>
+## </desc>
+gen_tunable(oidentd_read_unprivileged_user_home_content_files, false)
+
+type oidentd_t;
+type oidentd_exec_t;
+init_daemon_domain(oidentd_t, oidentd_exec_t)
+
+ifdef(`distro_redhat', `
+type oidentd_script_exec_t;
+init_script_type(oidentd_script_exec_t)
+')
+
+type oidentd_config_t;
+files_config_file(oidentd_config_t)
+
+########################################
+#
+# oidentd private policy
+#
+allow oidentd_t self:capability { setuid setgid };
+allow oidentd_t self:netlink_route_socket { write getattr read bind
create nlmsg_read };
+allow oidentd_t self:netlink_tcpdiag_socket { write read create
nlmsg_read };
+allow oidentd_t self:tcp_socket { setopt read bind create accept write
getattr listen };
+allow oidentd_t self:udp_socket { write read create connect getattr };
+allow oidentd_t self:unix_dgram_socket { create connect };
+
+allow oidentd_t oidentd_config_t:file read_file_perms;
+
+corenet_all_recvfrom_unlabeled(oidentd_t)
+corenet_all_recvfrom_netlabel(oidentd_t)
+corenet_tcp_sendrecv_all_if(oidentd_t)
+corenet_tcp_sendrecv_all_nodes(oidentd_t)
+corenet_tcp_bind_all_nodes(oidentd_t)
+corenet_tcp_bind_auth_port(oidentd_t);
+
+files_read_etc_files(oidentd_t)
+
+kernel_read_kernel_sysctls(oidentd_t)
+kernel_read_network_state(oidentd_t)
+kernel_read_network_state_symlinks(oidentd_t)
+kernel_read_sysctl(oidentd_t)
+
+libs_use_ld_so(oidentd_t)
+libs_use_shared_libs(oidentd_t)
+
+logging_send_syslog_msg(oidentd_t)
+
+miscfiles_read_localization(oidentd_t)
+
+sysnet_read_config(oidentd_t)
+
+tunable_policy(`oidentd_read_unprivileged_user_home_content_files', `
+ # ~/.oidentd.conf
+ userdom_read_unpriv_users_home_content_files(oidentd_t)
+')
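Review bot: Binding the auth port (113, a privileged port) needs the net_bind_service capability on top of the name_bind that `corenet_tcp_bind_auth_port` grants, but the capability rule at the top of the private policy only lists `{ setuid setgid }`; unless oidentd is meant to listen on an unprivileged port this should presumably read `allow oidentd_t self:capability { setuid setgid net_bind_service };`. The call `corenet_tcp_bind_auth_port(oidentd_t);` carries a trailing semicolon that none of the other interface calls have; m4 passes it through into the expanded policy, so it should be dropped for consistency. The `oidentd_read_unprivileged_user_home_content_files` tunable opens read access to every unprivileged user's home content in order to reach one dotfile; a dedicated home type for `~/.oidentd.conf` would be the least-privilege shape, though the tunable defaulting to false limits the exposure for now. The udp_socket rule together with `sysnet_read_config` suggests resolver lookups, yet there is no `corenet_udp_sendrecv_*` or dns-port rule to go with it, so those lookups would likely be denied at the interface/node level if the daemon actually makes them.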
--
1.5.5.2
--
Dominick Grift <domg472@gmail.com>