From: Dominick Grift <domg472@gmail.com>
To: Chris PeBenito <pebenito@gentoo.org>
Cc: selinux@tycho.nsa.gov
Subject: Re: [REFPOLICY PATCH] Added policy module for the oident daemon.
Date: Thu, 14 Aug 2008 14:36:15 +0200
Message-ID: <1218717375.28416.7.camel@sulphur.notebook.internal>
In-Reply-To: <1218632939.5144.10.camel@defiant.pebenito.net>
On Wed, 2008-08-13 at 09:08 -0400, Chris PeBenito wrote:
> On Sat, 2008-07-26 at 15:07 +0200, Dominick Grift wrote:
> > Signed-off-by: Dominick Grift <domg472@gmail.com>
>
> The patch looks line-wrapped. Also a couple comments inline.
This edition replaces oidentd_read_unprivileged_user_home_content_files
by allow_oidentd_read_oidentd_home_content.
This complicates the policy a bit more and so I included an
oidentd_selinux manual page for clarity.
--
Dominick Grift <domg472@gmail.com>
diff --git a/man/man8/oidentd_selinux.8 b/man/man8/oidentd_selinux.8
new file mode 100644
index 0000000..2c204aa
--- /dev/null
+++ b/man/man8/oidentd_selinux.8
@@ -0,0 +1,38 @@
+.TH "oidentd_selinux" "8" "14 Aug 2008" "dgrift@gmail.com" "Oident deamon SELinux policy documentation"
+.de EX
+.nf
+.ft CW
+..
+.de EE
+.ft R
+.fi
+..
+.SH "NAME"
+oidentd_selinux \- Security-Enhanced Linux policy for Oident daemon.
+.SH "DESCRIPTION"
+.PP
+Security-Enhanced Linux provides security for Oidentd daemon via flexible mandatory access control.
+.SH FILE_CONTEXTS
+.PP
+SELinux requires files to have a files type. Users can use the chcon command to change certain files types. Policy governs the access that daemons have to files.
+.TP
+Allow Oident daemon to read ~/.oidentd.conf by adding the oidentd_home_t files type to the file and by restoring the files type. This also requires the allow_oidentd_read_oidentd_home_content boolean to be set.
+.PP
+.B
+chcon -t oidentd_home_t ~/.oidentd.conf
+.SH BOOLEANS
+.PP
+SELinux policy is based on least privilege required and may also be customizable by setting a boolean with the setsebool command.
+.TP
+Allow Oident daemon to read Oident daemon home content with the oidentd_home_t files type.
+.PP
+.B
+setsebool -P allow_oidentd_read_oidentd_home_content on
+.TP
+system-config-selinux is a GUI tool available to customize SELinux policy settings.
+.SH AUTHOR
+.PP
+This manual page was written by Dominick Grift <domg472@gmail.com>.
+.SH "SEE ALSO"
+.PP
+selinux(8), oidentd(8), oidentd.conf(8), setsebool(8), chcon(8)
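Review bot: the .TH line spells "deamon" and credits dgrift@gmail.com, while the Signed-off-by and the AUTHOR section use domg472@gmail.com; make the spelling and address consistent. The .TP macros under FILE_CONTEXTS and BOOLEANS are not followed by a tag line, so a plain .PP fits better there, and "files type" should read "file type" throughout. Since oidentd.fc already carries a HOME_DIR/\.oidentd.conf entry, the example could run restorecon on the file instead of a manual chcon, which is also what the "restoring the files type" sentence describes. Please also confirm the manual section given for oidentd.conf in SEE ALSO.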
diff --git a/policy/modules/services/oidentd.fc b/policy/modules/services/oidentd.fc
new file mode 100644
index 0000000..ee7fcc4
--- /dev/null
+++ b/policy/modules/services/oidentd.fc
@@ -0,0 +1,7 @@
+
+/etc/oidentd\.conf -- gen_context(system_u:object_r:oidentd_config_t, s0)
+/etc/oidentd_masq\.conf -- gen_context(system_u:object_r:oidentd_config_t, s0)
+
+/usr/sbin/oidentd -- gen_context(system_u:object_r:oidentd_exec_t, s0)
+
+HOME_DIR/\.oidentd.conf -- gen_context(system_u:object_r:oidentd_home_t, s0)
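Review bot: the HOME_DIR entry leaves the second dot unescaped (`\.oidentd.conf`) while the /etc entries escape theirs; use `HOME_DIR/\.oidentd\.conf` so the pattern matches only the literal file name. The leading blank line at the top of the file can be dropped.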
diff --git a/policy/modules/services/oidentd.if b/policy/modules/services/oidentd.if
new file mode 100644
index 0000000..93f9ad0
--- /dev/null
+++ b/policy/modules/services/oidentd.if
@@ -0,0 +1,61 @@
+## <summary>SELinux policy for Oident daemon.</summary>
+## <desc>
+## <p>
+## Oident daemon is a server that implements the TCP/IP
+## standard IDENT user identification protocol as
+## specified in the RFC 1413 document.
+## </p>
+## </desc>
+
+#######################################
+## <summary>
+## The per role template for the Oidentd module.
+## </summary>
+## <desc>
+## <p>
+## This template creates derived domains which are used
+## for Oident daemon.
+## </p>
+## <p>
+## This template is invoked automatically for each user, and
+## generally does not need to be invoked directly
+## by policy writers.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+## <param name="user_role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+#
+template(`oidentd_per_role_template', `
+ gen_require(`
+ type oidentd_home_t;
+ ')
+
+ ########################################
+ #
+ # Declarations
+ #
+
+ userdom_user_home_content($1, oidentd_home_t)
+
+ ########################################
+ #
+ # Policy
+ #
+
+ allow $2 oidentd_home_t:file manage_file_perms;
+ allow $2 oidentd_home_t:file relabel_file_perms;
+')
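Review bot: the template documents a user_role parameter ($3) that the body never uses; either drop it from the documentation or use it. Granting $2 both manage_file_perms and relabel_file_perms on oidentd_home_t lets every per-role user domain relabel files to and from oidentd_home_t, which is what the chcon step in the manual page relies on; a short comment saying so would make the intent clear to the next reader. The interface file exposes nothing for other domains (no domain transition or admin interface), which is acceptable for a first version but worth noting in the module description.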
diff --git a/policy/modules/services/oidentd.te b/policy/modules/services/oidentd.te
new file mode 100644
index 0000000..12c914e
--- /dev/null
+++ b/policy/modules/services/oidentd.te
@@ -0,0 +1,68 @@
+
+policy_module(oidentd, 0.0.1)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow Oident daemon to read
+## oidentd daemon home files.
+## </p>
+## </desc>
+
+gen_tunable(allow_oidentd_read_oidentd_home_content, false)
+
+type oidentd_t;
+type oidentd_exec_t;
+init_daemon_domain(oidentd_t, oidentd_exec_t)
+
+type oidentd_config_t;
+files_config_file(oidentd_config_t)
+
+type oidentd_home_t;
+files_poly_member(oidentd_home_t)
+
+########################################
+#
+# Policy
+#
+
+allow oidentd_t self:capability { setuid setgid };
+allow oidentd_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
+allow oidentd_t self:netlink_tcpdiag_socket { write read create nlmsg_read };
+allow oidentd_t self:tcp_socket { setopt read bind create accept write getattr listen };
+allow oidentd_t self:udp_socket { write read create connect getattr };
+allow oidentd_t self:unix_dgram_socket { create connect };
+
+allow oidentd_t oidentd_config_t:file read_file_perms;
+
+corenet_all_recvfrom_unlabeled(oidentd_t)
+corenet_all_recvfrom_netlabel(oidentd_t)
+corenet_tcp_sendrecv_all_if(oidentd_t)
+corenet_tcp_sendrecv_all_nodes(oidentd_t)
+corenet_tcp_bind_all_nodes(oidentd_t)
+corenet_tcp_bind_auth_port(oidentd_t)
+
+files_read_etc_files(oidentd_t)
+
+kernel_read_kernel_sysctls(oidentd_t)
+kernel_read_network_state(oidentd_t)
+kernel_read_network_state_symlinks(oidentd_t)
+kernel_read_sysctl(oidentd_t)
+
+libs_use_ld_so(oidentd_t)
+libs_use_shared_libs(oidentd_t)
+
+logging_send_syslog_msg(oidentd_t)
+
+miscfiles_read_localization(oidentd_t)
+
+sysnet_read_config(oidentd_t)
+
+tunable_policy(`allow_oidentd_read_oidentd_home_content', `
+ allow oidentd_t oidentd_home_t:file read_file_perms;
+ userdom_search_user_home_dirs(user, oidentd_t)
+')
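Review bot: in the tunable_policy block, `userdom_search_user_home_dirs(user, oidentd_t)` hardcodes the `user` prefix, so the daemon may only search the home directories of that one user domain even though oidentd_per_role_template labels ~/.oidentd.conf for every role it is invoked for; the search permission should cover the same set of home directories the template covers, otherwise the boolean silently has no effect for other roles. The version string 0.0.1 differs from the 1.0.0 that new refpolicy modules normally start with, and the leading blank line before policy_module can be dropped.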