From: Dominick Grift <domg472@gmail.com>
To: Chris PeBenito <pebenito@gentoo.org>
Cc: selinux@tycho.nsa.gov
Subject: Re: [REFPOLICY PATCH] Added policy module for the oident daemon.
Date: Thu, 14 Aug 2008 13:37:05 +0200	[thread overview]
Message-ID: <1218713825.28416.2.camel@sulphur.notebook.internal> (raw)
In-Reply-To: <1218632939.5144.10.camel@defiant.pebenito.net>



On Wed, 2008-08-13 at 09:08 -0400, Chris PeBenito wrote:
> On Sat, 2008-07-26 at 15:07 +0200, Dominick Grift wrote:
> > Signed-off-by: Dominick Grift <domg472@gmail.com>
> 
> The patch looks line-wrapped.  Also a couple comments inline.

Tested and working. My previous attempt called the
userdom_search_homedirs template with the wrong parameters.

This caused the Oident daemon to not be able to search home_root_t (home).

The attached modification fixes the above issue.


-- 
Dominick Grift <domg472@gmail.com>

[-- Attachment #1.2: oidentd.patch.txt --]
[-- Type: text/x-patch, Size: 4414 bytes --]

diff --git a/policy/modules/services/oidentd.fc b/policy/modules/services/oidentd.fc
new file mode 100644
index 0000000..ee7fcc4
--- /dev/null
+++ b/policy/modules/services/oidentd.fc
@@ -0,0 +1,7 @@
+
+/etc/oidentd\.conf		--	gen_context(system_u:object_r:oidentd_config_t, s0)
+/etc/oidentd_masq\.conf	--	gen_context(system_u:object_r:oidentd_config_t, s0)
+
+/usr/sbin/oidentd		--	gen_context(system_u:object_r:oidentd_exec_t, s0)
+
+HOME_DIR/\.oidentd.conf	--	gen_context(system_u:object_r:oidentd_home_t, s0)
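Review bot: the `HOME_DIR/\.oidentd.conf` entry leaves the second dot unescaped, unlike `/etc/oidentd\.conf` and `/etc/oidentd_masq\.conf` two lines above, so the regex also matches names such as `.oidentdXconf`; make it `HOME_DIR/\.oidentd\.conf` for consistency with the other entries. The file also opens with an empty line, which the other refpolicy .fc files do not; drop it.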
diff --git a/policy/modules/services/oidentd.if b/policy/modules/services/oidentd.if
new file mode 100644
index 0000000..93f9ad0
--- /dev/null
+++ b/policy/modules/services/oidentd.if
@@ -0,0 +1,61 @@
+## <summary>SELinux policy for Oident daemon.</summary>
+## <desc>
+##	<p>
+##	Oident daemon is a server that implements the TCP/IP
+##	standard IDENT user identification protocol as
+##	specified in the RFC 1413 document.
+##	</p>
+## </desc>
+
+#######################################
+## <summary>
+##  The per role template for the Oidentd module.
+## </summary>
+## <desc>
+## 	<p>
+## 	This template creates derived domains which are used
+## 	for Oident daemon.
+## 	</p>
+## 	<p>
+## 	This template is invoked automatically for each user, and
+## 	generally does not need to be invoked directly
+## 	by policy writers.
+## 	</p>
+## </desc>
+## <param name="userdomain_prefix">
+## 	<summary>
+## 	The prefix of the user domain (e.g., user
+## 	is the prefix for user_t).
+## 	</summary>
+## </param>
+## <param name="user_domain">
+## 	<summary>
+## 	The type of the user domain.
+## 	</summary>
+## 	</param>
+## 	<param name="user_role">
+## 	<summary>
+## 	The role associated with the user domain.
+## 	</summary>
+## </param>
+#
+template(`oidentd_per_role_template', `
+	gen_require(`
+		type oidentd_home_t;
+	')
+
+	########################################
+	#
+	#  Declarations
+	#
+
+	userdom_user_home_content($1, oidentd_home_t)
+	
+	########################################
+	#
+	#  Policy
+	#
+
+	allow $2 oidentd_home_t:file manage_file_perms;
+	allow $2 oidentd_home_t:file relabel_file_perms;
+')
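Review bot: the parameter documentation and the template body disagree: three parameters are documented (`userdomain_prefix`, `user_domain`, `user_role`) but the body only ever uses `$1` and `$2`, so `user_role` is dead, and the `<desc>` says the template "creates derived domains" while the body declares no types at all, it only associates the single shared `oidentd_home_t` with the user's home via `userdom_user_home_content($1, oidentd_home_t)` and grants `$2` manage/relabel on it. Either drop the `user_role` parameter and reword the description to say the template grants the user domain access to its `.oidentd.conf`, or actually use `$3`. Minor: the `## 	</param>` and `## 	<param name="user_role">` lines are indented with an extra tab compared with the surrounding doc comments.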
diff --git a/policy/modules/services/oidentd.te b/policy/modules/services/oidentd.te
new file mode 100644
index 0000000..bd58474
--- /dev/null
+++ b/policy/modules/services/oidentd.te
@@ -0,0 +1,71 @@
+
+policy_module(oidentd, 0.0.1) 
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow Oident daemon to read
+## unprivileged user home content files.
+## </p>
+## </desc>
+
+gen_tunable(oidentd_read_unprivileged_user_home_content_files, false)
+
+type oidentd_t;
+type oidentd_exec_t;
+init_daemon_domain(oidentd_t, oidentd_exec_t)
+
+type oidentd_config_t;
+files_config_file(oidentd_config_t)
+
+type oidentd_home_t;
+files_poly_member(oidentd_home_t)
+
+########################################
+#
+# Policy
+#
+
+allow oidentd_t self:capability { setuid setgid };
+allow oidentd_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
+allow oidentd_t self:netlink_tcpdiag_socket { write read create nlmsg_read };
+allow oidentd_t self:tcp_socket { setopt read bind create accept write getattr listen };
+allow oidentd_t self:udp_socket { write read create connect getattr };
+allow oidentd_t self:unix_dgram_socket { create connect };
+
+allow oidentd_t oidentd_config_t:file read_file_perms;
+
+allow oidentd_t oidentd_home_t:file read_file_perms;
+
+corenet_all_recvfrom_unlabeled(oidentd_t)
+corenet_all_recvfrom_netlabel(oidentd_t)
+corenet_tcp_sendrecv_all_if(oidentd_t)
+corenet_tcp_sendrecv_all_nodes(oidentd_t)
+corenet_tcp_bind_all_nodes(oidentd_t)
+corenet_tcp_bind_auth_port(oidentd_t)
+
+files_read_etc_files(oidentd_t)
+
+kernel_read_kernel_sysctls(oidentd_t)
+kernel_read_network_state(oidentd_t)
+kernel_read_network_state_symlinks(oidentd_t)
+kernel_read_sysctl(oidentd_t)
+
+libs_use_ld_so(oidentd_t)
+libs_use_shared_libs(oidentd_t)
+
+logging_send_syslog_msg(oidentd_t)
+
+miscfiles_read_localization(oidentd_t)
+
+sysnet_read_config(oidentd_t)
+
+userdom_search_user_home_dirs(user, oidentd_t)
+
+tunable_policy(`oidentd_read_unprivileged_user_home_content_files', `
+	userdom_read_unpriv_users_home_content_files(oidentd_t)
+')
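Review bot: `userdom_search_user_home_dirs(user, oidentd_t)` hardcodes the `user` prefix, so the daemon can only traverse the home directories of the `user` role; since this patch already ships `oidentd_per_role_template` with the prefix in `$1`, the search permission belongs in that template as `userdom_search_user_home_dirs($1, oidentd_t)` (with `oidentd_t` added to its `gen_require`) so every role the template is instantiated for is covered. Also, `policy_module(oidentd, 0.0.1) ` carries trailing whitespace and the file starts with an empty line; both should be cleaned up before this is applied.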


Thread overview: 14+ messages
2008-07-26 13:07 [REFPOLICY PATCH] Added policy module for the oident daemon Dominick Grift
2008-08-13 13:08 ` Chris PeBenito
2008-08-13 14:25   ` Paul Howarth
2008-08-13 16:46   ` Dominick Grift
2008-08-13 16:50   ` Dominick Grift
2008-08-13 17:17   ` Dominick Grift
2008-08-13 17:35   ` Dominick Grift
2008-08-13 17:52   ` Dominick Grift
2008-08-14 11:37   ` Dominick Grift [this message]
2008-08-14 12:36   ` Dominick Grift
2008-08-14 13:28   ` Dominick Grift
2008-08-21 13:09     ` [refpolicy] " Christopher J. PeBenito
2008-08-21 14:55       ` Dominick Grift
2008-08-21 15:39       ` Dominick Grift
