[refpolicy] [PATCH 00/11] Contrib changes

[refpolicy] [PATCH 00/11] Contrib changes

[Sven Vermeulen]

Some changes all over the place. Most of them can be merged without dependency
on the others. The patch on stunnel_read_config is needed for a change that will
be pushed for the main repo later.

Most patches are small and easy to review; the initial policies for logsentry
and makewhatis might be a bit more to chew on.

Wkr,
	Sven Vermeulen


Sven Vermeulen (11):
  Moving sandbox code to sandbox section (v2)
  Allow sandbox to log violations
  Initial policy for logsentry
  Initial policy for makewhatis
  Use rw_fifo_file_perms
  Apache should not depend on gpg
  Mark make.profile entry as portage_conf_t
  Named init script creates rundir
  Add ~/.maildir as a valid maildir destination
  Support stunnel_read_config for startup
  Updates on stunnel policy

 apache.te     |   18 +++++++++------
 bind.te       |    1 +
 cron.if       |    2 +-
 logsentry.fc  |    8 +++++++
 logsentry.if  |   33 +++++++++++++++++++++++++++++
 logsentry.te  |   65 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 makewhatis.fc |    1 +
 makewhatis.if |    1 +
 makewhatis.te |   35 ++++++++++++++++++++++++++++++
 mta.fc        |    1 +
 mta.if        |    1 +
 mta.te        |    1 +
 portage.fc    |    1 +
 portage.te    |   16 +++++++-------
 stunnel.if    |   19 ++++++++++++++++
 stunnel.te    |    2 +
 16 files changed, 189 insertions(+), 16 deletions(-)
 create mode 100644 logsentry.fc
 create mode 100644 logsentry.if
 create mode 100644 logsentry.te
 create mode 100644 makewhatis.fc
 create mode 100644 makewhatis.if
 create mode 100644 makewhatis.te

-- 
1.7.8.6

[refpolicy] [PATCH 01/11] Moving sandbox code to sandbox section (v2)

[Sven Vermeulen]

Some portage_sandbox_t code is sitting in the main portage_t section. Moving
this to its own sandbox location. Also switch a domain_trans towards
spec_domtrans_pattern as this cleans the policy up a little bit.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 portage.te |   13 +++++--------
 1 files changed, 5 insertions(+), 8 deletions(-)

diff --git a/portage.te b/portage.te
index 7d2fc08..f9b9ce8 100644
--- a/portage.te
+++ b/portage.te
@@ -150,8 +150,7 @@ optional_policy(`
 #
 
 # - setfscreate for merging to live fs
-# - setexec to run portage fetch
-allow portage_t self:process { setfscreate setexec };
+allow portage_t self:process { setfscreate };
 # - kill for mysql merging, at least
 allow portage_t self:capability { sys_nice kill setfcap };
 dontaudit portage_t self:capability { dac_read_search };
@@ -174,13 +173,8 @@ allow portage_fetch_t portage_t:process sigchld;
 dontaudit portage_fetch_t portage_devpts_t:chr_file { read write };
 
 # transition to sandbox for compiling
-domain_trans(portage_t, portage_exec_t, portage_sandbox_t)
+spec_domtrans_pattern(portage_t, portage_exec_t, portage_sandbox_t)
 corecmd_shell_spec_domtrans(portage_t, portage_sandbox_t)
-allow portage_sandbox_t portage_t:fd use;
-allow portage_sandbox_t portage_t:fifo_file rw_fifo_file_perms;
-allow portage_sandbox_t portage_t:process sigchld;
-allow portage_sandbox_t self:process ptrace;
-dontaudit portage_sandbox_t self:netlink_route_socket rw_netlink_socket_perms;
 
 # run scripts out of the build directory
 can_exec(portage_t, portage_tmp_t)
@@ -338,6 +332,9 @@ optional_policy(`
 # - SELinux-enforced sandbox
 #
 
+allow portage_sandbox_t self:process ptrace;
+dontaudit portage_sandbox_t self:netlink_route_socket rw_netlink_socket_perms;
+
 portage_compile_domain(portage_sandbox_t)
 
 auth_use_nsswitch(portage_sandbox_t)
-- 
1.7.8.6

[refpolicy] [PATCH 01/11] Moving sandbox code to sandbox section (v2)

[grift]

On Sat, 2012-12-08 at 21:56 +0100, Sven Vermeulen wrote:
> Some portage_sandbox_t code is sitting in the main portage_t section. Moving
> this to its own sandbox location. Also switch a domain_trans towards
> spec_domtrans_pattern as this cleans the policy up a little bit.
> 

This was merged, thanks

> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  portage.te |   13 +++++--------
>  1 files changed, 5 insertions(+), 8 deletions(-)
> 
> diff --git a/portage.te b/portage.te
> index 7d2fc08..f9b9ce8 100644
> --- a/portage.te
> +++ b/portage.te
> @@ -150,8 +150,7 @@ optional_policy(`
>  #
>  
>  # - setfscreate for merging to live fs
> -# - setexec to run portage fetch
> -allow portage_t self:process { setfscreate setexec };
> +allow portage_t self:process { setfscreate };
>  # - kill for mysql merging, at least
>  allow portage_t self:capability { sys_nice kill setfcap };
>  dontaudit portage_t self:capability { dac_read_search };
> @@ -174,13 +173,8 @@ allow portage_fetch_t portage_t:process sigchld;
>  dontaudit portage_fetch_t portage_devpts_t:chr_file { read write };
>  
>  # transition to sandbox for compiling
> -domain_trans(portage_t, portage_exec_t, portage_sandbox_t)
> +spec_domtrans_pattern(portage_t, portage_exec_t, portage_sandbox_t)
>  corecmd_shell_spec_domtrans(portage_t, portage_sandbox_t)
> -allow portage_sandbox_t portage_t:fd use;
> -allow portage_sandbox_t portage_t:fifo_file rw_fifo_file_perms;
> -allow portage_sandbox_t portage_t:process sigchld;
> -allow portage_sandbox_t self:process ptrace;
> -dontaudit portage_sandbox_t self:netlink_route_socket rw_netlink_socket_perms;
>  
>  # run scripts out of the build directory
>  can_exec(portage_t, portage_tmp_t)
> @@ -338,6 +332,9 @@ optional_policy(`
>  # - SELinux-enforced sandbox
>  #
>  
> +allow portage_sandbox_t self:process ptrace;
> +dontaudit portage_sandbox_t self:netlink_route_socket rw_netlink_socket_perms;
> +
>  portage_compile_domain(portage_sandbox_t)
>  
>  auth_use_nsswitch(portage_sandbox_t)

[refpolicy] [PATCH 02/11] Allow sandbox to log violations

[Sven Vermeulen]

When the sandbox (running in portage_sandbox_t) detects a violation, it will try
to log this into /var/log/sandbox. However, the portage_sandbox_t domain
currently is not allowed to do anything with this logs. As a result, the
violations are not logged.

Allow the portage_sandbox_t domain to generate logs (as portage_log_t) as well
as clean them up (sandbox will remove older violation logs if the process id
of the current violation would result in an existing log file to be
overwritten).

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 portage.te |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

diff --git a/portage.te b/portage.te
index f9b9ce8..40e16c3 100644
--- a/portage.te
+++ b/portage.te
@@ -335,6 +335,9 @@ optional_policy(`
 allow portage_sandbox_t self:process ptrace;
 dontaudit portage_sandbox_t self:netlink_route_socket rw_netlink_socket_perms;
 
+allow portage_sandbox_t portage_log_t:file { create_file_perms delete_file_perms setattr_file_perms append_file_perms };
+logging_log_filetrans(portage_sandbox_t, portage_log_t, file)
+
 portage_compile_domain(portage_sandbox_t)
 
 auth_use_nsswitch(portage_sandbox_t)
-- 
1.7.8.6

[refpolicy] [PATCH 02/11] Allow sandbox to log violations

[grift]

On Sat, 2012-12-08 at 21:56 +0100, Sven Vermeulen wrote:
> When the sandbox (running in portage_sandbox_t) detects a violation, it will try
> to log this into /var/log/sandbox. However, the portage_sandbox_t domain
> currently is not allowed to do anything with this logs. As a result, the
> violations are not logged.
> 
> Allow the portage_sandbox_t domain to generate logs (as portage_log_t) as well
> as clean them up (sandbox will remove older violation logs if the process id
> of the current violation would result in an existing log file to be
> overwritten).

I merged this but you need to also do a corresponding file context spec
for /var/log/sandbox. please


Thanks


> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  portage.te |    3 +++
>  1 files changed, 3 insertions(+), 0 deletions(-)
> 
> diff --git a/portage.te b/portage.te
> index f9b9ce8..40e16c3 100644
> --- a/portage.te
> +++ b/portage.te
> @@ -335,6 +335,9 @@ optional_policy(`
>  allow portage_sandbox_t self:process ptrace;
>  dontaudit portage_sandbox_t self:netlink_route_socket rw_netlink_socket_perms;
>  
> +allow portage_sandbox_t portage_log_t:file { create_file_perms delete_file_perms setattr_file_perms append_file_perms };
> +logging_log_filetrans(portage_sandbox_t, portage_log_t, file)
> +
>  portage_compile_domain(portage_sandbox_t)
>  
>  auth_use_nsswitch(portage_sandbox_t)

[refpolicy] [PATCH 03/11] Initial policy for logsentry

[Sven Vermeulen]

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 logsentry.fc |    8 +++++++
 logsentry.if |   33 +++++++++++++++++++++++++++++
 logsentry.te |   65 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 106 insertions(+), 0 deletions(-)
 create mode 100644 logsentry.fc
 create mode 100644 logsentry.if
 create mode 100644 logsentry.te

diff --git a/logsentry.fc b/logsentry.fc
new file mode 100644
index 0000000..6327e1e
--- /dev/null
+++ b/logsentry.fc
@@ -0,0 +1,8 @@
+/usr/bin/logtail	--	gen_context(system_u:object_r:logsentry_exec_t,s0)
+/etc/logcheck/logcheck\.sh	--	gen_context(system_u:object_r:logsentry_exec_t,s0)
+
+/etc/logcheck(/.*)?	--	gen_context(system_u:object_r:logsentry_etc_t,s0)
+
+/etc/logcheck/tmp(/.*)?	gen_context(system_u:object_r:logsentry_tmp_t,s0)
+
+/etc/logcheck/logcheck\..*	--	gen_context(system_u:object_r:logsentry_filter_t,s0)
diff --git a/logsentry.if b/logsentry.if
new file mode 100644
index 0000000..2109f42
--- /dev/null
+++ b/logsentry.if
@@ -0,0 +1,33 @@
+## <summary>Log file monitoring tool</summary>
+
+#######################################
+## <summary>
+##	All of the rules required to administrate
+##	a logsentry environment.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+#
+interface(`logsentry_admin',`
+	gen_require(`
+		type logsentry_t, logsentry_etc_t, logsentry_tmp_t, logsentry_filter_t;
+	')
+
+	allow $1 logsentry_t:process { ptrace signal_perms };
+	ps_process_pattern($1, logsentry_t)
+
+	files_list_etc($1)
+	admin_pattern($1, logsentry_etc_t)
+	admin_pattern($1, logsentry_filter_t)
+
+	files_list_tmp($1)
+	admin_pattern($1, logsentry_tmp_t)
+')
diff --git a/logsentry.te b/logsentry.te
new file mode 100644
index 0000000..3cdfcbe
--- /dev/null
+++ b/logsentry.te
@@ -0,0 +1,65 @@
+policy_module(logsentry, 0.2)
+
+#######################################
+# 
+# Declarations
+#
+
+type logsentry_t;
+type logsentry_exec_t;
+application_domain(logsentry_t, logsentry_exec_t)
+role system_r types logsentry_t;
+
+type logsentry_etc_t;
+files_type(logsentry_etc_t);
+
+type logsentry_tmp_t;
+files_tmp_file(logsentry_tmp_t);
+
+type logsentry_filter_t;
+files_type(logsentry_filter_t)
+
+#######################################
+#
+# Local Policy
+#
+
+allow logsentry_t self:fifo_file { read write getattr ioctl };
+allow logsentry_t self:capability { setuid setgid };
+allow logsentry_t logsentry_exec_t:file execute_no_trans;
+
+manage_dirs_pattern(logsentry_t, logsentry_tmp_t, logsentry_tmp_t)
+manage_files_pattern(logsentry_t, logsentry_tmp_t, logsentry_tmp_t)
+
+files_tmp_filetrans(logsentry_t, logsentry_tmp_t, file)
+
+manage_files_pattern(logsentry_t, logsentry_filter_t, logsentry_filter_t)
+
+files_read_etc_files(logsentry_t)
+
+logging_search_logs(logsentry_t)
+logging_manage_generic_logs(logsentry_t)
+
+kernel_read_system_state(logsentry_t)
+
+corecmd_exec_shell(logsentry_t)
+corecmd_exec_bin(logsentry_t)
+
+miscfiles_read_localization(logsentry_t)
+
+mta_send_mail(logsentry_t)
+
+userdom_dontaudit_search_user_home_dirs(logsentry_t)
+
+optional_policy(`
+  logging_manage_audit_log(logsentry_t)
+')
+
+optional_policy(`
+  hostname_exec(logsentry_t)
+')
+
+optional_policy(`
+  cron_system_entry(logsentry_t, logsentry_exec_t)
+')
+
-- 
1.7.8.6

[refpolicy] [PATCH 03/11] Initial policy for logsentry

[grift]

On Sat, 2012-12-08 at 21:56 +0100, Sven Vermeulen wrote:
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  logsentry.fc |    8 +++++++
>  logsentry.if |   33 +++++++++++++++++++++++++++++
>  logsentry.te |   65 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>  3 files changed, 106 insertions(+), 0 deletions(-)
>  create mode 100644 logsentry.fc
>  create mode 100644 logsentry.if
>  create mode 100644 logsentry.te
> 
> diff --git a/logsentry.fc b/logsentry.fc
> new file mode 100644
> index 0000000..6327e1e
> --- /dev/null
> +++ b/logsentry.fc
> @@ -0,0 +1,8 @@
> +/usr/bin/logtail	--	gen_context(system_u:object_r:logsentry_exec_t,s0)
> +/etc/logcheck/logcheck\.sh	--	gen_context(system_u:object_r:logsentry_exec_t,s0)

Same as with makewhatis

I would rather have the actual cron script labeled with the executable
file type and leave /usr/bin/logtail generic since only a domain
transition from crond is supported in this policy

Then probably add a fc spec for /etc/logcheck/logcheck\.sh (bin_t) to
corecommands.if


> +
> +/etc/logcheck(/.*)?	--	gen_context(system_u:object_r:logsentry_etc_t,s0)
> +
> +/etc/logcheck/tmp(/.*)?	gen_context(system_u:object_r:logsentry_tmp_t,s0)

I would probably label above logsentry_etc_rw_t instead

> +
> +/etc/logcheck/logcheck\..*	--	gen_context(system_u:object_r:logsentry_filter_t,s0)

> diff --git a/logsentry.if b/logsentry.if
> new file mode 100644
> index 0000000..2109f42
> --- /dev/null
> +++ b/logsentry.if
> @@ -0,0 +1,33 @@
> +## <summary>Log file monitoring tool</summary>
> +
> +#######################################
> +## <summary>
> +##	All of the rules required to administrate
> +##	a logsentry environment.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +## <param name="role">
> +##	<summary>
> +##	Role allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`logsentry_admin',`
> +	gen_require(`
> +		type logsentry_t, logsentry_etc_t, logsentry_tmp_t, logsentry_filter_t;
> +	')
> +
> +	allow $1 logsentry_t:process { ptrace signal_perms };
> +	ps_process_pattern($1, logsentry_t)
> +
> +	files_list_etc($1)
> +	admin_pattern($1, logsentry_etc_t)
> +	admin_pattern($1, logsentry_filter_t)
> +
> +	files_list_tmp($1)
> +	admin_pattern($1, logsentry_tmp_t)
> +')
> diff --git a/logsentry.te b/logsentry.te
> new file mode 100644
> index 0000000..3cdfcbe
> --- /dev/null
> +++ b/logsentry.te
> @@ -0,0 +1,65 @@
> +policy_module(logsentry, 0.2)
> +
> +#######################################
> +# 
> +# Declarations
> +#
> +
> +type logsentry_t;
> +type logsentry_exec_t;
> +application_domain(logsentry_t, logsentry_exec_t)
> +role system_r types logsentry_t;
> +
> +type logsentry_etc_t;
> +files_type(logsentry_etc_t);
> +
> +type logsentry_tmp_t;
> +files_tmp_file(logsentry_tmp_t);
> +
> +type logsentry_filter_t;
> +files_type(logsentry_filter_t)
> +
> +#######################################
> +#
> +# Local Policy
> +#
> +
> +allow logsentry_t self:fifo_file { read write getattr ioctl };
> +allow logsentry_t self:capability { setuid setgid };
> +allow logsentry_t logsentry_exec_t:file execute_no_trans;
> +
> +manage_dirs_pattern(logsentry_t, logsentry_tmp_t, logsentry_tmp_t)
> +manage_files_pattern(logsentry_t, logsentry_tmp_t, logsentry_tmp_t)
> +
> +files_tmp_filetrans(logsentry_t, logsentry_tmp_t, file)
> +
> +manage_files_pattern(logsentry_t, logsentry_filter_t, logsentry_filter_t)
> +
> +files_read_etc_files(logsentry_t)
> +
> +logging_search_logs(logsentry_t)
> +logging_manage_generic_logs(logsentry_t)
> +
> +kernel_read_system_state(logsentry_t)
> +
> +corecmd_exec_shell(logsentry_t)
> +corecmd_exec_bin(logsentry_t)
> +
> +miscfiles_read_localization(logsentry_t)
> +
> +mta_send_mail(logsentry_t)
> +
> +userdom_dontaudit_search_user_home_dirs(logsentry_t)
> +
> +optional_policy(`
> +  logging_manage_audit_log(logsentry_t)
> +')
> +
> +optional_policy(`
> +  hostname_exec(logsentry_t)
> +')
> +
> +optional_policy(`
> +  cron_system_entry(logsentry_t, logsentry_exec_t)
> +')
> +

[refpolicy] [PATCH 03/11] Initial policy for logsentry

[Dominick Grift]

On Sat, 2012-12-08 at 21:56 +0100, Sven Vermeulen wrote:
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>

I see that this is a system cron job. Where is the cronjob
located? /etc/cron.daily/logcheck?

> ---
>  logsentry.fc |    8 +++++++
>  logsentry.if |   33 +++++++++++++++++++++++++++++
>  logsentry.te |   65 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>  3 files changed, 106 insertions(+), 0 deletions(-)
>  create mode 100644 logsentry.fc
>  create mode 100644 logsentry.if
>  create mode 100644 logsentry.te
> 
> diff --git a/logsentry.fc b/logsentry.fc
> new file mode 100644
> index 0000000..6327e1e
> --- /dev/null
> +++ b/logsentry.fc
> @@ -0,0 +1,8 @@
> +/usr/bin/logtail	--	gen_context(system_u:object_r:logsentry_exec_t,s0)
> +/etc/logcheck/logcheck\.sh	--	gen_context(system_u:object_r:logsentry_exec_t,s0)
> +
> +/etc/logcheck(/.*)?	--	gen_context(system_u:object_r:logsentry_etc_t,s0)
> +
> +/etc/logcheck/tmp(/.*)?	gen_context(system_u:object_r:logsentry_tmp_t,s0)
> +
> +/etc/logcheck/logcheck\..*	--	gen_context(system_u:object_r:logsentry_filter_t,s0)
> diff --git a/logsentry.if b/logsentry.if
> new file mode 100644
> index 0000000..2109f42
> --- /dev/null
> +++ b/logsentry.if
> @@ -0,0 +1,33 @@
> +## <summary>Log file monitoring tool</summary>
> +
> +#######################################
> +## <summary>
> +##	All of the rules required to administrate
> +##	a logsentry environment.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +## <param name="role">
> +##	<summary>
> +##	Role allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`logsentry_admin',`
> +	gen_require(`
> +		type logsentry_t, logsentry_etc_t, logsentry_tmp_t, logsentry_filter_t;
> +	')
> +
> +	allow $1 logsentry_t:process { ptrace signal_perms };
> +	ps_process_pattern($1, logsentry_t)
> +
> +	files_list_etc($1)
> +	admin_pattern($1, logsentry_etc_t)
> +	admin_pattern($1, logsentry_filter_t)
> +
> +	files_list_tmp($1)
> +	admin_pattern($1, logsentry_tmp_t)
> +')
> diff --git a/logsentry.te b/logsentry.te
> new file mode 100644
> index 0000000..3cdfcbe
> --- /dev/null
> +++ b/logsentry.te
> @@ -0,0 +1,65 @@
> +policy_module(logsentry, 0.2)
> +
> +#######################################
> +# 
> +# Declarations
> +#
> +
> +type logsentry_t;
> +type logsentry_exec_t;
> +application_domain(logsentry_t, logsentry_exec_t)
> +role system_r types logsentry_t;
> +
> +type logsentry_etc_t;
> +files_type(logsentry_etc_t);
> +
> +type logsentry_tmp_t;
> +files_tmp_file(logsentry_tmp_t);
> +
> +type logsentry_filter_t;
> +files_type(logsentry_filter_t)
> +
> +#######################################
> +#
> +# Local Policy
> +#
> +
> +allow logsentry_t self:fifo_file { read write getattr ioctl };
> +allow logsentry_t self:capability { setuid setgid };
> +allow logsentry_t logsentry_exec_t:file execute_no_trans;
> +
> +manage_dirs_pattern(logsentry_t, logsentry_tmp_t, logsentry_tmp_t)
> +manage_files_pattern(logsentry_t, logsentry_tmp_t, logsentry_tmp_t)
> +
> +files_tmp_filetrans(logsentry_t, logsentry_tmp_t, file)
> +
> +manage_files_pattern(logsentry_t, logsentry_filter_t, logsentry_filter_t)
> +
> +files_read_etc_files(logsentry_t)
> +
> +logging_search_logs(logsentry_t)
> +logging_manage_generic_logs(logsentry_t)
> +
> +kernel_read_system_state(logsentry_t)
> +
> +corecmd_exec_shell(logsentry_t)
> +corecmd_exec_bin(logsentry_t)
> +
> +miscfiles_read_localization(logsentry_t)
> +
> +mta_send_mail(logsentry_t)
> +
> +userdom_dontaudit_search_user_home_dirs(logsentry_t)
> +
> +optional_policy(`
> +  logging_manage_audit_log(logsentry_t)
> +')
> +
> +optional_policy(`
> +  hostname_exec(logsentry_t)
> +')
> +
> +optional_policy(`
> +  cron_system_entry(logsentry_t, logsentry_exec_t)
> +')
> +

[refpolicy] [PATCH 04/11] Initial policy for makewhatis

[Sven Vermeulen]

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 makewhatis.fc |    1 +
 makewhatis.if |    1 +
 makewhatis.te |   35 +++++++++++++++++++++++++++++++++++
 3 files changed, 37 insertions(+), 0 deletions(-)
 create mode 100644 makewhatis.fc
 create mode 100644 makewhatis.if
 create mode 100644 makewhatis.te

diff --git a/makewhatis.fc b/makewhatis.fc
new file mode 100644
index 0000000..5ddf136
--- /dev/null
+++ b/makewhatis.fc
@@ -0,0 +1 @@
+/usr/sbin/makewhatis	--	gen_context(system_u:object_r:makewhatis_exec_t,s0)
diff --git a/makewhatis.if b/makewhatis.if
new file mode 100644
index 0000000..17d948a
--- /dev/null
+++ b/makewhatis.if
@@ -0,0 +1 @@
+## <summary>Build whatis database from man pages</summary>
diff --git a/makewhatis.te b/makewhatis.te
new file mode 100644
index 0000000..7c5c356
--- /dev/null
+++ b/makewhatis.te
@@ -0,0 +1,35 @@
+policy_module(makewhatis, 0.1)
+
+type makewhatis_t;
+type makewhatis_exec_t;
+application_domain(makewhatis_t, makewhatis_exec_t)
+
+type makewhatis_tmp_t;
+files_tmp_file(makewhatis_tmp_t)
+
+####################
+#
+# Local policy
+#
+
+allow makewhatis_t self:process getsched;
+allow makewhatis_t self:unix_stream_socket rw_stream_socket_perms;
+allow makewhatis_t self:fifo_file rw_fifo_file_perms;
+
+manage_files_pattern(makewhatis_t, makewhatis_tmp_t, makewhatis_tmp_t)
+manage_dirs_pattern(makewhatis_t, makewhatis_tmp_t, makewhatis_tmp_t)
+files_tmp_filetrans(makewhatis_t, makewhatis_tmp_t, dir)
+
+kernel_read_system_state(makewhatis_t)
+
+corecmd_exec_bin(makewhatis_t)
+corecmd_exec_shell(makewhatis_t)
+
+auth_use_nsswitch(makewhatis_t)
+
+miscfiles_read_localization(makewhatis_t)
+miscfiles_manage_man_pages(makewhatis_t)
+
+optional_policy(`
+	cron_system_entry(makewhatis_t, makewhatis_exec_t)
+')
-- 
1.7.8.6

[refpolicy] [PATCH 04/11] Initial policy for makewhatis

[grift]

On Sat, 2012-12-08 at 21:56 +0100, Sven Vermeulen wrote:
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  makewhatis.fc |    1 +
>  makewhatis.if |    1 +
>  makewhatis.te |   35 +++++++++++++++++++++++++++++++++++
>  3 files changed, 37 insertions(+), 0 deletions(-)
>  create mode 100644 makewhatis.fc
>  create mode 100644 makewhatis.if
>  create mode 100644 makewhatis.te
> 
> diff --git a/makewhatis.fc b/makewhatis.fc
> new file mode 100644
> index 0000000..5ddf136
> --- /dev/null
> +++ b/makewhatis.fc
> @@ -0,0 +1 @@
> +/usr/sbin/makewhatis	--	gen_context(system_u:object_r:makewhatis_exec_t,s0)

I would rather have the actual cron script labeled and leave this file
generic instead since this policy only supports a domain transition from
crond anyway.

> diff --git a/makewhatis.if b/makewhatis.if
> new file mode 100644
> index 0000000..17d948a
> --- /dev/null
> +++ b/makewhatis.if
> @@ -0,0 +1 @@
> +## <summary>Build whatis database from man pages</summary>
> diff --git a/makewhatis.te b/makewhatis.te
> new file mode 100644
> index 0000000..7c5c356
> --- /dev/null
> +++ b/makewhatis.te
> @@ -0,0 +1,35 @@
> +policy_module(makewhatis, 0.1)
> +
> +type makewhatis_t;
> +type makewhatis_exec_t;
> +application_domain(makewhatis_t, makewhatis_exec_t)
> +
> +type makewhatis_tmp_t;
> +files_tmp_file(makewhatis_tmp_t)
> +
> +####################
> +#
> +# Local policy
> +#
> +
> +allow makewhatis_t self:process getsched;
> +allow makewhatis_t self:unix_stream_socket rw_stream_socket_perms;
> +allow makewhatis_t self:fifo_file rw_fifo_file_perms;
> +
> +manage_files_pattern(makewhatis_t, makewhatis_tmp_t, makewhatis_tmp_t)
> +manage_dirs_pattern(makewhatis_t, makewhatis_tmp_t, makewhatis_tmp_t)
> +files_tmp_filetrans(makewhatis_t, makewhatis_tmp_t, dir)
> +
> +kernel_read_system_state(makewhatis_t)
> +
> +corecmd_exec_bin(makewhatis_t)
> +corecmd_exec_shell(makewhatis_t)
> +
> +auth_use_nsswitch(makewhatis_t)
> +
> +miscfiles_read_localization(makewhatis_t)
> +miscfiles_manage_man_pages(makewhatis_t)
> +
> +optional_policy(`
> +	cron_system_entry(makewhatis_t, makewhatis_exec_t)
> +')

[refpolicy] [PATCH 04/11] Initial policy for makewhatis

[Sven Vermeulen]

On Sat, Dec 08, 2012 at 10:57:54PM +0100, grift wrote:
[... About makewhatis and logsentry policies ...]
> I would rather have the actual cron script labeled and leave this file
> generic instead since this policy only supports a domain transition from
> crond anyway.

What's the rational behind that? The application is marked as an
application_domain, so regular user domains can execute it. Also, other
policies like tmpreaper, which are also meant to just be triggered through a
cronjob, are setup the same way (i.e. /usr/sbin/tmp{reaper,watch} are marked
as tmpreaper_exec_t).

Wkr,
	Sven Vermeulen

[refpolicy] [PATCH 04/11] Initial policy for makewhatis

[grift]

On Sun, 2012-12-09 at 10:44 +0100, Sven Vermeulen wrote:
> On Sat, Dec 08, 2012 at 10:57:54PM +0100, grift wrote:
> [... About makewhatis and logsentry policies ...]
> > I would rather have the actual cron script labeled and leave this file
> > generic instead since this policy only supports a domain transition from
> > crond anyway.
> 
> What's the rational behind that? The application is marked as an
> application_domain, so regular user domains can execute it. Also, other
> policies like tmpreaper, which are also meant to just be triggered through a
> cronjob, are setup the same way (i.e. /usr/sbin/tmp{reaper,watch} are marked
> as tmpreaper_exec_t).
> 

Yes regular users may be able to execute it but there is currently no
other domain transition specified.

The rationale is the following.

If you look at the prelink policy i will use that as a reference to back
up my suggesting:

if you transition on the actual cron script you will be generally safer
that things work if you have unconfined disabled:

# seinfo -xaunconfined_domain_type | grep cron
      unconfined_cronjob_t
      system_cronjob_t
      crond_t

this shows that a bunch of cron domains are unconfined in fedora at
least so all cron scripts by default run fine.

However stuff *might* break if you disable the unconfined domain,

For example if the cron script does something that is currently not
allowed.

Some stupid example: lets say the cron script creates a file in the
makewhatis tmp location. or it actually creates it.

Then you have crond_t creating the makewhatis tmp location (on top of
that with a non-optimal type if you do not specify a proper type
transition.

if you do the transition on the script then you will avoid any of those
issues currently and in the future (you never know when a script may get
updated to do something you dont want crond to do)

Basically it ensures that stuff will keep working even if you have
unconfined disabled if done right.

If you would have enclosed a valid use case for why users should
directly transition on the actually executable file rather than the cron
script then i would be more convinced but currently you only transition
on cron and so i prefer that you then do it on the script and leave the
executable file generic,

I hope my reasoning made sense to you

> Wkr,
> 	Sven Vermeulen
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

[refpolicy] [PATCH 05/11] Use rw_fifo_file_perms

[Sven Vermeulen]

The cron_rw_pipes interface should use rw_fifo_file_perms, otherwise the ioctl
privilege is not granted.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 cron.if |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/cron.if b/cron.if
index 01ba3ce..1303b30 100644
--- a/cron.if
+++ b/cron.if
@@ -566,7 +566,7 @@ interface(`cron_rw_pipes',`
 		type crond_t;
 	')
 
-	allow $1 crond_t:fifo_file { getattr read write };
+	allow $1 crond_t:fifo_file rw_fifo_file_perms;
 ')
 
 ########################################
-- 
1.7.8.6

[refpolicy] [PATCH 05/11] Use rw_fifo_file_perms

[grift]

On Sat, 2012-12-08 at 21:56 +0100, Sven Vermeulen wrote:
> The cron_rw_pipes interface should use rw_fifo_file_perms, otherwise the ioctl
> privilege is not granted.

This was merged thanks

although the better fix would have been to rename this interface to
cron_rw_inherited_pipes and to create an additional cron_rw_pipes
probably

> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  cron.if |    2 +-
>  1 files changed, 1 insertions(+), 1 deletions(-)
> 
> diff --git a/cron.if b/cron.if
> index 01ba3ce..1303b30 100644
> --- a/cron.if
> +++ b/cron.if
> @@ -566,7 +566,7 @@ interface(`cron_rw_pipes',`
>  		type crond_t;
>  	')
>  
> -	allow $1 crond_t:fifo_file { getattr read write };
> +	allow $1 crond_t:fifo_file rw_fifo_file_perms;
>  ')
>  
>  ########################################

[refpolicy] [PATCH 06/11] Apache should not depend on gpg

[Sven Vermeulen]

Currently, a few calls to gpg functions are without optional_policy statements.
This makes the gpg module a hard requirement for apache, something which
shouldn't be the case.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 apache.te |   18 +++++++++++-------
 1 files changed, 11 insertions(+), 7 deletions(-)

diff --git a/apache.te b/apache.te
index 940256e..8fec985 100644
--- a/apache.te
+++ b/apache.te
@@ -357,7 +357,6 @@ role system_r types httpd_passwd_t;
 
 type httpd_gpg_t;
 domain_type(httpd_gpg_t)
-gpg_entry_type(httpd_gpg_t)
 role system_r types httpd_gpg_t;
 
 optional_policy(`
@@ -581,10 +580,6 @@ tunable_policy(`httpd_enable_cgi',`
 	allow httpd_t httpd_script_exec_type:dir list_dir_perms;
 ')
 
-tunable_policy(`httpd_enable_cgi && httpd_use_gpg',`
-	gpg_spec_domtrans(httpd_t, httpd_gpg_t)
-')
-
 tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
 	fs_nfs_domtrans(httpd_t, httpd_sys_script_t)
 ')
@@ -672,6 +667,12 @@ tunable_policy(`httpd_graceful_shutdown',`
 ')
 
 optional_policy(`
+	tunable_policy(`httpd_enable_cgi && httpd_use_gpg',`
+		gpg_spec_domtrans(httpd_t, httpd_gpg_t)
+	')
+')
+
+optional_policy(`
 	tunable_policy(`httpd_mod_auth_ntlm_winbind',`
 		samba_domtrans_winbind_helper(httpd_t)
 	')
@@ -1393,8 +1394,6 @@ files_read_usr_files(httpd_gpg_t)
 
 miscfiles_read_localization(httpd_gpg_t)
 
-gpg_exec(httpd_gpg_t)
-
 tunable_policy(`httpd_gpg_anon_write',`
 	miscfiles_manage_public_files(httpd_gpg_t)
 ')
@@ -1402,3 +1401,8 @@ tunable_policy(`httpd_gpg_anon_write',`
 optional_policy(`
 	apache_manage_sys_rw_content(httpd_gpg_t)
 ')
+
+optional_policy(`
+	gpg_entry_type(httpd_gpg_t)
+	gpg_exec(httpd_gpg_t)
+')
-- 
1.7.8.6

[refpolicy] [PATCH 06/11] Apache should not depend on gpg

[grift]

On Sat, 2012-12-08 at 21:56 +0100, Sven Vermeulen wrote:
> Currently, a few calls to gpg functions are without optional_policy statements.
> This makes the gpg module a hard requirement for apache, something which
> shouldn't be the case.

This was merged, thanks

> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  apache.te |   18 +++++++++++-------
>  1 files changed, 11 insertions(+), 7 deletions(-)
> 
> diff --git a/apache.te b/apache.te
> index 940256e..8fec985 100644
> --- a/apache.te
> +++ b/apache.te
> @@ -357,7 +357,6 @@ role system_r types httpd_passwd_t;
>  
>  type httpd_gpg_t;
>  domain_type(httpd_gpg_t)
> -gpg_entry_type(httpd_gpg_t)
>  role system_r types httpd_gpg_t;
>  
>  optional_policy(`
> @@ -581,10 +580,6 @@ tunable_policy(`httpd_enable_cgi',`
>  	allow httpd_t httpd_script_exec_type:dir list_dir_perms;
>  ')
>  
> -tunable_policy(`httpd_enable_cgi && httpd_use_gpg',`
> -	gpg_spec_domtrans(httpd_t, httpd_gpg_t)
> -')
> -
>  tunable_policy(`httpd_enable_cgi && httpd_use_nfs',`
>  	fs_nfs_domtrans(httpd_t, httpd_sys_script_t)
>  ')
> @@ -672,6 +667,12 @@ tunable_policy(`httpd_graceful_shutdown',`
>  ')
>  
>  optional_policy(`
> +	tunable_policy(`httpd_enable_cgi && httpd_use_gpg',`
> +		gpg_spec_domtrans(httpd_t, httpd_gpg_t)
> +	')
> +')
> +
> +optional_policy(`
>  	tunable_policy(`httpd_mod_auth_ntlm_winbind',`
>  		samba_domtrans_winbind_helper(httpd_t)
>  	')
> @@ -1393,8 +1394,6 @@ files_read_usr_files(httpd_gpg_t)
>  
>  miscfiles_read_localization(httpd_gpg_t)
>  
> -gpg_exec(httpd_gpg_t)
> -
>  tunable_policy(`httpd_gpg_anon_write',`
>  	miscfiles_manage_public_files(httpd_gpg_t)
>  ')
> @@ -1402,3 +1401,8 @@ tunable_policy(`httpd_gpg_anon_write',`
>  optional_policy(`
>  	apache_manage_sys_rw_content(httpd_gpg_t)
>  ')
> +
> +optional_policy(`
> +	gpg_entry_type(httpd_gpg_t)
> +	gpg_exec(httpd_gpg_t)
> +')

[refpolicy] [PATCH 07/11] Mark make.profile entry as portage_conf_t

[Sven Vermeulen]

Although the /etc/make.profile symlink is going to be removed in a matter of
time, it is currently still very much in use and should be marked as
portage_conf_t.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 portage.fc |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/portage.fc b/portage.fc
index d044552..50ac5a1 100644
--- a/portage.fc
+++ b/portage.fc
@@ -1,5 +1,6 @@
 /etc/make\.conf	--	gen_context(system_u:object_r:portage_conf_t,s0)
 /etc/make\.globals	--	gen_context(system_u:object_r:portage_conf_t,s0)
+/etc/make\.profile	-s	gen_context(system_u:object_r:portage_conf_t,s0)
 /etc/portage(/.*)?	gen_context(system_u:object_r:portage_conf_t,s0)
 /etc/portage/gpg(/.*)?	gen_context(system_u:object_r:portage_gpg_t,s0)
 
-- 
1.7.8.6

[refpolicy] [PATCH 07/11] Mark make.profile entry as portage_conf_t

[grift]

On Sat, 2012-12-08 at 21:56 +0100, Sven Vermeulen wrote:
> Although the /etc/make.profile symlink is going to be removed in a matter of
> time, it is currently still very much in use and should be marked as
> portage_conf_t.
> 
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  portage.fc |    1 +
>  1 files changed, 1 insertions(+), 0 deletions(-)
> 
> diff --git a/portage.fc b/portage.fc
> index d044552..50ac5a1 100644
> --- a/portage.fc
> +++ b/portage.fc
> @@ -1,5 +1,6 @@
>  /etc/make\.conf	--	gen_context(system_u:object_r:portage_conf_t,s0)
>  /etc/make\.globals	--	gen_context(system_u:object_r:portage_conf_t,s0)
> +/etc/make\.profile	-s	gen_context(system_u:object_r:portage_conf_t,s0)
>  /etc/portage(/.*)?	gen_context(system_u:object_r:portage_conf_t,s0)
>  /etc/portage/gpg(/.*)?	gen_context(system_u:object_r:portage_gpg_t,s0)
>  
 
-s means sock_file , use -l instead

[refpolicy] [PATCH 08/11] Named init script creates rundir

[Sven Vermeulen]

Add in the proper init_daemon_run_dir call as the named init script creates the
/run/named location.

See also bug #445196

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 bind.te |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/bind.te b/bind.te
index 4d7ccc3..b1067de 100644
--- a/bind.te
+++ b/bind.te
@@ -52,6 +52,7 @@ files_tmp_file(named_tmp_t)
 
 type named_var_run_t;
 files_pid_file(named_var_run_t)
+init_daemon_run_dir(named_var_run_t, "named")
 
 # for primary zone files
 type named_zone_t;
-- 
1.7.8.6

[refpolicy] [PATCH 08/11] Named init script creates rundir

[grift]

On Sat, 2012-12-08 at 21:56 +0100, Sven Vermeulen wrote:
> Add in the proper init_daemon_run_dir call as the named init script creates the
> /run/named location.

This was merged, thanks

> See also bug #445196
> 
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  bind.te |    1 +
>  1 files changed, 1 insertions(+), 0 deletions(-)
> 
> diff --git a/bind.te b/bind.te
> index 4d7ccc3..b1067de 100644
> --- a/bind.te
> +++ b/bind.te
> @@ -52,6 +52,7 @@ files_tmp_file(named_tmp_t)
>  
>  type named_var_run_t;
>  files_pid_file(named_var_run_t)
> +init_daemon_run_dir(named_var_run_t, "named")
>  
>  # for primary zone files
>  type named_zone_t;

[refpolicy] [PATCH 09/11] Add ~/.maildir as a valid maildir destination

[Sven Vermeulen]

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 mta.fc |    1 +
 mta.if |    1 +
 mta.te |    1 +
 3 files changed, 3 insertions(+), 0 deletions(-)

diff --git a/mta.fc b/mta.fc
index 4fed862..f42896c 100644
--- a/mta.fc
+++ b/mta.fc
@@ -3,6 +3,7 @@ HOME_DIR/\.forward[^/]*	--	gen_context(system_u:object_r:mail_home_t,s0)
 HOME_DIR/dead\.letter	--	gen_context(system_u:object_r:mail_home_t,s0)
 HOME_DIR/\.mailrc	--	gen_context(system_u:object_r:mail_home_t,s0)
 HOME_DIR/Maildir(/.*)?	gen_context(system_u:object_r:mail_home_rw_t,s0)
+HOME_DIR/\.maildir(/.*)?	gen_context(system_u:object_r:mail_home_rw_t,s0)
 
 /bin/mail(x)?	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
 
diff --git a/mta.if b/mta.if
index 99e64cd..ed81cac 100644
--- a/mta.if
+++ b/mta.if
@@ -105,6 +105,7 @@ interface(`mta_role',`
 	allow $2 mail_home_rw_t:file { manage_file_perms relabel_file_perms };
 	allow $2 mail_home_rw_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
 	userdom_user_home_dir_filetrans($2, mail_home_rw_t, dir, "Maildir")
+	userdom_user_home_dir_filetrans($2, mail_home_rw_t, dir, ".maildir")
 
 	allow $2 user_mail_tmp_t:dir { manage_dir_perms relabel_dir_perms };
 	allow $2 user_mail_tmp_t:file { manage_file_perms relabel_file_perms };
diff --git a/mta.te b/mta.te
index f6b8c2d..fd5814e 100644
--- a/mta.te
+++ b/mta.te
@@ -344,6 +344,7 @@ userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_t, file, ".forwar
 userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_t, file, ".mailrc")
 userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_t, file, "dead.letter")
 userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_rw_t, dir, "Maildir")
+userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_rw_t, dir, ".maildir")
 
 read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t)
 
-- 
1.7.8.6

[refpolicy] [PATCH 09/11] Add ~/.maildir as a valid maildir destination

[grift]

On Sat, 2012-12-08 at 21:57 +0100, Sven Vermeulen wrote:
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>

This was merged , thanks

But you are probably overlooking some named file type transitions

grep -r "Maildir" repolicy/

> ---
>  mta.fc |    1 +
>  mta.if |    1 +
>  mta.te |    1 +
>  3 files changed, 3 insertions(+), 0 deletions(-)
> 
> diff --git a/mta.fc b/mta.fc
> index 4fed862..f42896c 100644
> --- a/mta.fc
> +++ b/mta.fc
> @@ -3,6 +3,7 @@ HOME_DIR/\.forward[^/]*	--	gen_context(system_u:object_r:mail_home_t,s0)
>  HOME_DIR/dead\.letter	--	gen_context(system_u:object_r:mail_home_t,s0)
>  HOME_DIR/\.mailrc	--	gen_context(system_u:object_r:mail_home_t,s0)
>  HOME_DIR/Maildir(/.*)?	gen_context(system_u:object_r:mail_home_rw_t,s0)
> +HOME_DIR/\.maildir(/.*)?	gen_context(system_u:object_r:mail_home_rw_t,s0)
>  
>  /bin/mail(x)?	--	gen_context(system_u:object_r:sendmail_exec_t,s0)
>  
> diff --git a/mta.if b/mta.if
> index 99e64cd..ed81cac 100644
> --- a/mta.if
> +++ b/mta.if
> @@ -105,6 +105,7 @@ interface(`mta_role',`
>  	allow $2 mail_home_rw_t:file { manage_file_perms relabel_file_perms };
>  	allow $2 mail_home_rw_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
>  	userdom_user_home_dir_filetrans($2, mail_home_rw_t, dir, "Maildir")
> +	userdom_user_home_dir_filetrans($2, mail_home_rw_t, dir, ".maildir")
>  
>  	allow $2 user_mail_tmp_t:dir { manage_dir_perms relabel_dir_perms };
>  	allow $2 user_mail_tmp_t:file { manage_file_perms relabel_file_perms };
> diff --git a/mta.te b/mta.te
> index f6b8c2d..fd5814e 100644
> --- a/mta.te
> +++ b/mta.te
> @@ -344,6 +344,7 @@ userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_t, file, ".forwar
>  userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_t, file, ".mailrc")
>  userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_t, file, "dead.letter")
>  userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_rw_t, dir, "Maildir")
> +userdom_user_home_dir_filetrans(mailserver_delivery, mail_home_rw_t, dir, ".maildir")
>  
>  read_files_pattern(mailserver_delivery, system_mail_tmp_t, system_mail_tmp_t)
>  

[refpolicy] [PATCH 10/11] Support stunnel_read_config for startup

[Sven Vermeulen]

When stunnel starts up, the init script reads in the configuration file to find
the location of the PID file. As such, we need to provide initrc_t with read
access to the stunnel configuration.

Create a stunnel_read_config() interface for this purpose.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 stunnel.if |   19 +++++++++++++++++++
 1 files changed, 19 insertions(+), 0 deletions(-)

diff --git a/stunnel.if b/stunnel.if
index 47fea00..882db16 100644
--- a/stunnel.if
+++ b/stunnel.if
@@ -23,3 +23,22 @@ interface(`stunnel_service_domain',`
 	domtrans_pattern(stunnel_t, $2, $1)
 	allow $1 stunnel_t:tcp_socket rw_socket_perms;
 ')
+
+########################################
+## <summary>
+##	Read the stunnel configuration
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`stunnel_read_config',`
+	gen_require(`
+		type stunnel_etc_t;
+	')
+
+	files_search_etc($1)
+	read_files_pattern($1, stunnel_etc_t, stunnel_etc_t)
+')
-- 
1.7.8.6

[refpolicy] [PATCH 10/11] Support stunnel_read_config for startup

[grift]

On Sat, 2012-12-08 at 21:57 +0100, Sven Vermeulen wrote:
> When stunnel starts up, the init script reads in the configuration file to find
> the location of the PID file. As such, we need to provide initrc_t with read
> access to the stunnel configuration.

This was merged thanks

I made changes to it though to include listing of stunnel config dirs
and reading of stunnel config symlinks additionally for consistency

> Create a stunnel_read_config() interface for this purpose.
> 
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  stunnel.if |   19 +++++++++++++++++++
>  1 files changed, 19 insertions(+), 0 deletions(-)
> 
> diff --git a/stunnel.if b/stunnel.if
> index 47fea00..882db16 100644
> --- a/stunnel.if
> +++ b/stunnel.if
> @@ -23,3 +23,22 @@ interface(`stunnel_service_domain',`
>  	domtrans_pattern(stunnel_t, $2, $1)
>  	allow $1 stunnel_t:tcp_socket rw_socket_perms;
>  ')
> +
> +########################################
> +## <summary>
> +##	Read the stunnel configuration
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`stunnel_read_config',`
> +	gen_require(`
> +		type stunnel_etc_t;
> +	')
> +
> +	files_search_etc($1)
> +	read_files_pattern($1, stunnel_etc_t, stunnel_etc_t)
> +')

[refpolicy] [PATCH 11/11] Updates on stunnel policy

[Sven Vermeulen]

Allow the stunnel domain to bind on any port (its primary purpose is to provide
encrypted tunnel services regardless of the underlying service).

Allow the stunnel domain to read generic certs (be it for the mutual
authentication, for which the CA certificate needs to be provided, or for its
own certificates if placed in /etc/ssl).

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 stunnel.te |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/stunnel.te b/stunnel.te
index bdfee61..da05f13 100644
--- a/stunnel.te
+++ b/stunnel.te
@@ -53,6 +53,7 @@ corenet_all_recvfrom_netlabel(stunnel_t)
 corenet_tcp_sendrecv_generic_if(stunnel_t)
 corenet_tcp_sendrecv_generic_node(stunnel_t)
 corenet_tcp_sendrecv_all_ports(stunnel_t)
+corenet_tcp_bind_all_ports(stunnel_t)
 corenet_tcp_bind_generic_node(stunnel_t)
 
 corenet_sendrecv_all_client_packets(stunnel_t)
@@ -73,6 +74,7 @@ auth_use_nsswitch(stunnel_t)
 
 logging_send_syslog_msg(stunnel_t)
 
+miscfiles_read_generic_certs(stunnel_t)
 miscfiles_read_localization(stunnel_t)
 
 userdom_dontaudit_use_unpriv_user_fds(stunnel_t)
-- 
1.7.8.6

[refpolicy] [PATCH 11/11] Updates on stunnel policy

[grift]

On Sat, 2012-12-08 at 21:57 +0100, Sven Vermeulen wrote:
> Allow the stunnel domain to bind on any port (its primary purpose is to provide
> encrypted tunnel services regardless of the underlying service).
> 
> Allow the stunnel domain to read generic certs (be it for the mutual
> authentication, for which the CA certificate needs to be provided, or for its
> own certificates if placed in /etc/ssl).

This was merged, thanks

> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  stunnel.te |    2 ++
>  1 files changed, 2 insertions(+), 0 deletions(-)
> 
> diff --git a/stunnel.te b/stunnel.te
> index bdfee61..da05f13 100644
> --- a/stunnel.te
> +++ b/stunnel.te
> @@ -53,6 +53,7 @@ corenet_all_recvfrom_netlabel(stunnel_t)
>  corenet_tcp_sendrecv_generic_if(stunnel_t)
>  corenet_tcp_sendrecv_generic_node(stunnel_t)
>  corenet_tcp_sendrecv_all_ports(stunnel_t)
> +corenet_tcp_bind_all_ports(stunnel_t)
>  corenet_tcp_bind_generic_node(stunnel_t)
>  
>  corenet_sendrecv_all_client_packets(stunnel_t)
> @@ -73,6 +74,7 @@ auth_use_nsswitch(stunnel_t)
>  
>  logging_send_syslog_msg(stunnel_t)
>  
> +miscfiles_read_generic_certs(stunnel_t)
>  miscfiles_read_localization(stunnel_t)
>  
>  userdom_dontaudit_use_unpriv_user_fds(stunnel_t)