[refpolicy] services_nut.patch

[stefan@seekline.net (Stefan Schulze Frielinghaus)]

On Mi, 2010-02-24 at 12:14 -0500, Daniel J Walsh wrote:
> On 02/24/2010 10:53 AM, Stefan Schulze Frielinghaus wrote:
> > On Di, 2010-02-23 at 15:28 -0500, Daniel J Walsh wrote:
> >    
> >> http://people.fedoraproject.org/~dwalsh/SELinux/F13/services_nut.patch
> >>
> >> Latest nut policy.
> >>      
> > The following rules are unnecessary because they are already included by
> > the interface apache_content_template as soon as the booleans
> > httpd_enable_cgi and httpd_can_network_connect are enabled:
> >
> > +	corenet_all_recvfrom_unlabeled(httpd_nutups_cgi_script_t)
> > +	corenet_all_recvfrom_netlabel(httpd_nutups_cgi_script_t)
> > +	corenet_tcp_sendrecv_generic_if(httpd_nutups_cgi_script_t)
> > +	corenet_tcp_sendrecv_generic_node(httpd_nutups_cgi_script_t)
> > +	corenet_tcp_sendrecv_all_ports(httpd_nutups_cgi_script_t)
> >   	corenet_tcp_connect_ups_port(httpd_nutups_cgi_script_t)
> > +	corenet_udp_sendrecv_generic_if(httpd_nutups_cgi_script_t)
> > +	corenet_udp_sendrecv_generic_node(httpd_nutups_cgi_script_t)
> > +	corenet_udp_sendrecv_all_ports(httpd_nutups_cgi_script_t)
> > +
> > +	sysnet_dns_name_resolve(httpd_nutups_cgi_script_t)
> >
> >    
> Ok this is a difference between apache interface in upstream and mine.  
> I removed network access
> set by those booleans from the interface to httpd_sys_script_t 
> specific.  I don't believe those interfaces should be effected by 
> booleans.  I don't want my bugzilla cgi to suddenly have network access 
> just because httpd_sys_script_t needs it.

Yeah, I like this idea.

> > Is it really necessary to include the dac_override permissions for
> > nut_upsd_t? I thought that the upsd daemon runs as a non root user where
> > no dac_override permissions are used.
> >
> > -allow nut_upsd_t self:capability { setgid setuid };
> > +allow nut_upsd_t self:capability { setgid setuid dac_override };
> >
> > If you still have the AVC message and maybe some information of the
> > setup, then I would like to dig a bit deeper into this because I use nut
> > and would like to make it more secure ;-) Maybe the capabilities can
> > even be dropped.
> >
> > Guess the sbin rules are not necessary for refpolicy:
> >
> > +corecmd_exec_sbin(nut_upsdrvctl_t)
> >
> >    
> Oops that is a bug.
> 
> dac_override can come in because a file has bad ownership.

upsd runs per default as user nut on Fedora and EPEL. It should never
run as root.