From: stefan@seekline.net (Stefan Schulze Frielinghaus)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] services_nut.patch
Date: Fri, 25 Dec 2009 13:55:00 +0100 [thread overview]
Message-ID: <1261745700.2157.6.camel@localhost> (raw)
In-Reply-To: <1261390459.2952.2.camel@localhost>
On Mon, 2009-12-21 at 11:14 +0100, Stefan Schulze Frielinghaus wrote:
> On Fri, 2009-12-18 at 08:53 -0500, Christopher J. PeBenito wrote:
> [...]
> > Was there any resolution on this?
>
> Yes, but I had no physical access to my UPS for the last two weeks. At
> the end of this week I will have physical access again and then I will
> check that the policy is really working fine. So I expect a
> tested/working policy in one to two weeks.
I'm taking the discussion back to the list. Miroslav, from the latest policy I
did not change anything except I removed the duplicate policies for the
cgi scripts and uncommented the *_ups_port() stuff.
I'm fine with the attached policy (tested several times including a
shutdown and cgi services). Is the policy OK for you too?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: corenetwork.te.in.patch
Type: text/x-patch
Size: 745 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20091225/276f25a8/attachment.bin
-------------- next part --------------
# nut.fc -- file contexts for Network UPS Tools (nut).
# Applied by setfiles/restorecon; the "--" field limits a spec to regular files.

# Configuration tree shared by all three daemons; nut_conf_t is declared as a
# files_config_file type in nut.te and is only ever read by the daemons.
/etc/ups(/.*)? gen_context(system_u:object_r:nut_conf_t,s0)

# Entry points for the three daemon domains. init_daemon_domain() in nut.te
# transitions init into nut_upsdrvctl_t / nut_upsd_t / nut_upsmon_t through
# these labels, so the daemons never run in init's own domain.
# NOTE(review): only /sbin/upsdrvctl is listed, upsd and upsmon under
# /usr/sbin -- confirm against the install layout of the target distribution.
/sbin/upsdrvctl -- gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/usr/sbin/upsd -- gen_context(system_u:object_r:nut_upsd_exec_t,s0)
/usr/sbin/upsmon -- gen_context(system_u:object_r:nut_upsmon_exec_t,s0)

# Runtime state (pid files and the driver sockets that upsd connects to);
# nut.te also sets a files_pid_filetrans so files created there get this label.
/var/run/nut(/.*)? gen_context(system_u:object_r:nut_var_run_t,s0)

# CGI front-ends. The exec type is created by apache_content_template(nutups_cgi)
# in nut.te. Only these three scripts are labelled, not the directory itself.
/var/www/nut-cgi-bin/upsimage\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
/var/www/nut-cgi-bin/upsset\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
/var/www/nut-cgi-bin/upsstats\.cgi -- gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
-------------- next part --------------
## <summary>SELinux policy for nut - Network UPS Tools </summary>
-------------- next part --------------
policy_module(nut, 1.0.0)

########################################
#
# Declarations
#

# Non-domain types shared by the three daemons: the configuration tree
# (/etc/ups, see nut.fc) and the runtime state under /var/run/nut, which
# holds pid files and the driver sockets.
type nut_conf_t;
files_config_file(nut_conf_t)

type nut_var_run_t;
files_pid_file(nut_var_run_t)

# One domain per daemon. init_daemon_domain() registers each *_exec_t as
# the entry point init transitions through, so none of the daemons keeps
# init's domain.
type nut_upsdrvctl_t;
type nut_upsdrvctl_exec_t;
init_daemon_domain(nut_upsdrvctl_t, nut_upsdrvctl_exec_t)

type nut_upsd_t;
type nut_upsd_exec_t;
init_daemon_domain(nut_upsd_t, nut_upsd_exec_t)

type nut_upsmon_t;
type nut_upsmon_exec_t;
init_daemon_domain(nut_upsmon_t, nut_upsmon_exec_t)
########################################
#
# Local policy for upsd
#
# upsd is the network server: it reads the drivers through the unix
# sockets owned by the upsdrvctl domain and serves clients (upsmon, the
# CGI scripts) over TCP.
#

# Only the capabilities needed to drop privileges after start-up.
allow nut_upsd_t self:capability { setgid setuid };
allow nut_upsd_t self:tcp_socket connected_stream_socket_perms;
allow nut_upsd_t self:unix_dgram_socket { create_socket_perms sendto };

# The driver sockets under /var/run/nut belong to nut_upsdrvctl_t; upsd
# only connects to them, it does not create them.
allow nut_upsd_t nut_upsdrvctl_t:unix_stream_socket connectto;

read_files_pattern(nut_upsd_t, nut_conf_t, nut_conf_t)

# Runtime state: pid file and the socket directory, labelled
# nut_var_run_t when created under /var/run.
manage_dirs_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
manage_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
manage_sock_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
files_pid_filetrans(nut_upsd_t, nut_var_run_t, { file sock_file })

kernel_read_kernel_sysctls(nut_upsd_t)

corenet_tcp_bind_all_nodes(nut_upsd_t)
# ups_port is introduced by the corenetwork.te.in patch that accompanies
# this module.
corenet_tcp_bind_ups_port(nut_upsd_t)
# NOTE(review): generic_port lets upsd bind any port that carries no
# specific label, far wider than the ups port above; presumably kept for
# a non-default LISTEN port -- confirm it is still needed.
corenet_tcp_bind_generic_port(nut_upsd_t)

files_read_usr_files(nut_upsd_t)

# /etc/nsswitch.conf
auth_use_nsswitch(nut_upsd_t)

logging_send_syslog_msg(nut_upsd_t)
miscfiles_read_localization(nut_upsd_t)
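########################################
#
# Local policy for upsmon
#
# upsmon is the client side: it polls upsd over TCP and, on power loss,
# runs the configured shutdown sequence from this domain.
#

# dac_override/dac_read_search are broad; presumably needed because
# upsmon drops to its own user but still touches root-owned files
# (/etc/killpower, utmp) -- confirm whether both are required.
allow nut_upsmon_t self:capability { dac_override dac_read_search setgid setuid };
allow nut_upsmon_t self:fifo_file rw_fifo_file_perms;
allow nut_upsmon_t self:tcp_socket create_socket_perms;
allow nut_upsmon_t self:unix_dgram_socket { create_socket_perms sendto };

read_files_pattern(nut_upsmon_t, nut_conf_t, nut_conf_t)

# pid file only (no socket, unlike upsd and upsdrvctl)
manage_dirs_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t)
manage_files_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t)
files_pid_filetrans(nut_upsmon_t, nut_var_run_t, { file })

kernel_read_kernel_sysctls(nut_upsmon_t)
kernel_read_system_state(nut_upsmon_t)

# The shutdown/notification commands run in this domain with no
# transition, so everything they execute inherits upsmon's permissions.
corecmd_exec_bin(nut_upsmon_t)
corecmd_exec_shell(nut_upsmon_t)

# The subject here is nut_upsmon_t; the previous revision named a bare
# upsmon_t, which this module never declares, so the rule referenced an
# unknown type and the ups port was not actually granted to upsmon.
corenet_tcp_connect_ups_port(nut_upsmon_t)
corenet_tcp_connect_generic_port(nut_upsmon_t)

# Creates /etc/killpower
files_manage_etc_runtime_files(nut_upsmon_t)
files_etc_filetrans_etc_runtime(nut_upsmon_t, file)
files_search_usr(nut_upsmon_t)

# /usr/bin/wall
term_write_all_terms(nut_upsmon_t)

auth_use_nsswitch(nut_upsmon_t)

# upsmon runs shutdown, probably need a shutdown domain
init_rw_utmp(nut_upsmon_t)
init_telinit(nut_upsmon_t)

logging_send_syslog_msg(nut_upsmon_t)
miscfiles_read_localization(nut_upsmon_t)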
########################################
#
# Local policy for upsdrvctl
#
# upsdrvctl starts, stops and signals the hardware driver processes. The
# drivers are executed without a domain transition, so they share this
# domain and everything granted below.
#

allow nut_upsdrvctl_t self:capability { dac_override kill setgid setuid };
allow nut_upsdrvctl_t self:fd use;
allow nut_upsdrvctl_t self:fifo_file rw_fifo_file_perms;
# kill capability plus the process signal perms: the control program
# signals the drivers it started, which run in the same domain.
allow nut_upsdrvctl_t self:process { sigchld signal signull };
allow nut_upsdrvctl_t self:udp_socket create_socket_perms;
allow nut_upsdrvctl_t self:unix_dgram_socket { create_socket_perms sendto };

read_files_pattern(nut_upsdrvctl_t, nut_conf_t, nut_conf_t)

# pid files and the driver sockets that upsd later connects to
manage_dirs_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t)
manage_files_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t)
manage_sock_files_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t)
files_pid_filetrans(nut_upsdrvctl_t, nut_var_run_t, { file sock_file })

kernel_read_kernel_sysctls(nut_upsdrvctl_t)

# /sbin/upsdrvctl executes other drivers
corecmd_exec_bin(nut_upsdrvctl_t)
corecmd_exec_sbin(nut_upsdrvctl_t)

# Hardware access for the drivers: USB devices and unallocated ttys
# (presumably USB- and serial-attached UPS units; the driver set in use
# is not visible here).
dev_read_urand(nut_upsdrvctl_t)
dev_rw_generic_usb_dev(nut_upsdrvctl_t)
term_use_unallocated_ttys(nut_upsdrvctl_t)

# /etc/nsswitch.conf
auth_use_nsswitch(nut_upsdrvctl_t)

init_sigchld(nut_upsdrvctl_t)

logging_send_syslog_msg(nut_upsdrvctl_t)
miscfiles_read_localization(nut_upsdrvctl_t)
########################################
#
# Local policy for the upscgi scripts
#
# The scripts run in httpd_nutups_cgi_script_t, created by
# apache_content_template(). This block requires httpd_enable_cgi and
# httpd_can_network_connect; presumably the socket permissions themselves
# come from the apache template under that boolean, so the connect rule
# below is not sufficient on its own.
#

optional_policy(`
	apache_content_template(nutups_cgi)

	# the scripts read their configuration from /etc/ups
	read_files_pattern(httpd_nutups_cgi_script_t, nut_conf_t, nut_conf_t)

	# query path: CGI script -> upsd over the ups port
	corenet_tcp_connect_ups_port(httpd_nutups_cgi_script_t)
')