From: stefan@seekline.net (Stefan Schulze Frielinghaus)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] services_nut.patch
Date: Mon, 16 Nov 2009 15:31:40 +0100
Message-ID: <1258381900.5120.16.camel@localhost>
In-Reply-To: <4AFC823D.3090202@redhat.com>

On Thu, 2009-11-12 at 16:46 -0500, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F12/services_nut.patch
> 
> nut policy.

Some time ago I wrote a policy for NUT too (see attachment). I guess you
tested your policy with a UPS connected via USB. Maybe we could merge
both policies because I tested mine with the SNMP module of NUT.

One note about your policy. Shouldn't we prefix all domains with "nut_"?
This would indicate that e.g. each executable comes from the NUT
project. Then we could also define one type for /var/run/nut (in my
policy it is just nut_var_run_t) because the three main domains
nut_upsd_t, nut_upsdrvctl_t and nut_upsmon_t write to the same location,
share e.g. a socket file.

I would also like to introduce a type for config files because clear
text passwords are saved in there.

Your domain upsmon_t also needs to write to all terms because it
announces information via "wall". It also seems to miss the following
permissions which are needed if upsmon_t should execute /sbin/shutdown
(we still do not have a shutdown policy):

files_rw_generic_pids(nut_upsmon_t)
init_exec(nut_upsmon_t)
init_rw_initctl(nut_upsmon_t)
init_write_utmp(nut_upsmon_t)

What are your thoughts?
I tested my policy on CentOS 5.3 with a couple of dozen
restarts/shutdowns. Debugging restarts/shutdowns is hell ;-)

cheers,
Stefan
-------------- next part --------------
/etc/ups(/.*)?			gen_context(system_u:object_r:nut_conf_t,s0)

/sbin/apcsmart		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/bcmxcp		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/bcmxcp_usb	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/belkin		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/belkinunv		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/bestfcom		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/bestuferrups	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/bestups		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/blazer_ser	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/blazer_usb	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/cyberpower	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/dummy-ups		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/etapro		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/everups		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/gamatronic	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/genericups	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/isbmex		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/liebert		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/masterguard	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/megatec		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/megatec_usb	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/metasys		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/mge-shut		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/mge-utalk		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/microdowell	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/newmge-shut	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/oneac		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/optiups		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/powercom		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/powerman-pdu	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/powerpanel	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/rhino		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/richcomm_usb	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/safenet		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/skel		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/snmp-ups		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/solis		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/tripplite		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/tripplitesu	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/tripplite_usb	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/upscode2		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/upsdrvctl		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/usbhid-ups	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/victronups	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)

/usr/sbin/upsd		--	gen_context(system_u:object_r:nut_upsd_exec_t,s0)
/usr/sbin/upsmon	--	gen_context(system_u:object_r:nut_upsmon_exec_t,s0)

/var/run/nut(/.*)?		gen_context(system_u:object_r:nut_var_run_t,s0)

/var/www/nut-cgi-bin/upsimage.cgi	--	gen_context(system_u:object_r:httpd_nut_upscgi_script_exec_t,s0)
/var/www/nut-cgi-bin/upsset.cgi		--	gen_context(system_u:object_r:httpd_nut_upscgi_script_exec_t,s0)
/var/www/nut-cgi-bin/upsstats.cgi	--	gen_context(system_u:object_r:httpd_nut_upscgi_script_exec_t,s0)
-------------- next part --------------

policy_module(nut, 1.0.0)

########################################
#
# Declarations
#

type nut_upsdrvctl_t;
type nut_upsdrvctl_exec_t;
init_daemon_domain(nut_upsdrvctl_t, nut_upsdrvctl_exec_t)

type nut_upsd_t;
type nut_upsd_exec_t;
init_daemon_domain(nut_upsd_t, nut_upsd_exec_t)

type nut_upsmon_t;
type nut_upsmon_exec_t;
init_daemon_domain(nut_upsmon_t, nut_upsmon_exec_t)

type nut_conf_t;
files_config_file(nut_conf_t)

type nut_var_run_t;
files_pid_file(nut_var_run_t)

########################################
#
# Local policy for upsdrvctl
#

allow nut_upsdrvctl_t self:capability { dac_override kill setgid setuid };
allow nut_upsdrvctl_t self:process { sigchld signal signull };
allow nut_upsdrvctl_t self:fd use;
allow nut_upsdrvctl_t self:unix_dgram_socket { connect create write };
allow nut_upsdrvctl_t self:udp_socket create_socket_perms;
allow nut_upsdrvctl_t self:netlink_route_socket create_netlink_socket_perms;
allow nut_upsdrvctl_t nut_var_run_t:sock_file { create unlink setattr };

# /sbin/upsdrvctl executes other drivers
can_exec(nut_upsdrvctl_t, nut_upsdrvctl_exec_t)

read_files_pattern(nut_upsdrvctl_t, nut_conf_t, nut_conf_t)
manage_files_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t)

# /etc/nsswitch.conf
files_read_etc_files(nut_upsdrvctl_t)
files_read_usr_files(nut_upsdrvctl_t)
files_search_pids(nut_upsdrvctl_t)
files_search_usr(nut_upsdrvctl_t)

miscfiles_read_localization(nut_upsdrvctl_t)

# /etc/resolv.conf
sysnet_read_config(nut_upsdrvctl_t)

corecmd_search_bin(nut_upsdrvctl_t)

libs_read_lib_files(nut_upsdrvctl_t)

kernel_read_kernel_sysctls(nut_upsdrvctl_t)
kernel_sendrecv_unlabeled_association(nut_upsdrvctl_t)

init_sigchld(nut_upsdrvctl_t)

dev_read_urand(nut_upsdrvctl_t)
dev_rw_null(nut_upsdrvctl_t)

logging_send_syslog_msg(nut_upsdrvctl_t)

########################################
#
# Local policy for upsd
#

allow nut_upsd_t self:capability { setgid setuid };
allow nut_upsd_t self:netlink_route_socket create_netlink_socket_perms;
allow nut_upsd_t self:tcp_socket connected_stream_socket_perms;
allow nut_upsd_t nut_upsdrvctl_t:unix_stream_socket connectto;
allow nut_upsd_t nut_var_run_t:sock_file write;

read_files_pattern(nut_upsd_t, nut_conf_t, nut_conf_t)
manage_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)

# /etc/nsswitch.conf
files_read_etc_files(nut_upsd_t)

files_read_usr_files(nut_upsd_t)

miscfiles_read_localization(nut_upsd_t)

libs_read_lib_files(nut_upsd_t)

logging_send_syslog_msg(nut_upsd_t)

kernel_read_kernel_sysctls(nut_upsd_t)
kernel_sendrecv_unlabeled_association(nut_upsd_t)

corenet_tcp_bind_generic_port(nut_upsd_t)
corenet_tcp_bind_all_nodes(nut_upsd_t)

########################################
#
# Local policy for upsmon
#

allow nut_upsmon_t self:capability { dac_override dac_read_search setgid setuid };
allow nut_upsmon_t self:unix_dgram_socket { connect create write };
allow nut_upsmon_t self:tcp_socket create_socket_perms;
allow nut_upsmon_t self:netlink_route_socket create_netlink_socket_perms;
allow nut_upsmon_t self:fifo_file rw_fifo_file_perms;

read_files_pattern(nut_upsmon_t, nut_conf_t, nut_conf_t)
manage_files_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t)

# creates /etc/killpower
files_manage_etc_files(nut_upsmon_t)

files_search_usr(nut_upsmon_t)

corecmd_exec_bin(nut_upsmon_t)
corecmd_exec_shell(nut_upsmon_t)

miscfiles_read_localization(nut_upsmon_t)

libs_read_lib_files(nut_upsmon_t)

logging_send_syslog_msg(nut_upsmon_t)

# /etc/resolv.conf
sysnet_read_config(nut_upsmon_t)

kernel_read_kernel_sysctls(nut_upsmon_t)
kernel_read_system_state(nut_upsmon_t)
kernel_sendrecv_unlabeled_association(nut_upsmon_t)

corenet_tcp_connect_generic_port(nut_upsmon_t)

# /usr/bin/wall
init_read_utmp(nut_upsmon_t)
term_write_all_terms(nut_upsmon_t)

# /sbin/shutdown
files_rw_generic_pids(nut_upsmon_t)
init_exec(nut_upsmon_t)
init_rw_initctl(nut_upsmon_t)
init_write_utmp(nut_upsmon_t)

########################################
#
# Local policy for upscgi scripts
#   requires httpd_enable_cgi and httpd_can_network_connect
#

apache_content_template(nut_upscgi)

read_files_pattern(httpd_nut_upscgi_script_t, nut_conf_t, nut_conf_t)

# /etc/resolv.conf
sysnet_read_config(httpd_nut_upscgi_script_t)
