* [refpolicy] [PATCH 1/1] add module for the entropy key daemon
From: Petre Rodan @ 2014-05-07 21:20 UTC (permalink / raw)
To: refpolicy
Signed-off-by: Petre Rodan <petre.rodan@simplex.ro>
---
policy module for http://www.entropykey.co.uk/download/
gentoo package name: app-crypt/ekeyd
ekeyd.fc | 12 ++++++++++
ekeyd.if | 45 +++++++++++++++++++++++++++++++++++
ekeyd.te | 82 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 139 insertions(+)
create mode 100644 ekeyd.fc
create mode 100644 ekeyd.if
create mode 100644 ekeyd.te
diff --git a/ekeyd.fc b/ekeyd.fc
new file mode 100644
index 0000000..0e166af
--- /dev/null
+++ b/ekeyd.fc
@@ -0,0 +1,12 @@
+
+/etc/entropykey(/.*)? gen_context(system_u:object_r:ekey_etc_t,s0)
+
+/usr/libexec/ekeyd -- gen_context(system_u:object_r:ekeyd_exec_t,s0)
+/usr/libexec/ekey-egd-linux -- gen_context(system_u:object_r:ekey_egd_exec_t,s0)
+
+/usr/sbin/ekey-setkey -- gen_context(system_u:object_r:ekey_tool_exec_t,s0)
+/usr/sbin/ekey-rekey -- gen_context(system_u:object_r:ekey_tool_exec_t,s0)
+/usr/sbin/ekeydctl -- gen_context(system_u:object_r:ekey_tool_exec_t,s0)
+
+/var/run/ekeyd.sock -s gen_context(system_u:object_r:ekey_var_run_t,s0)
+
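Review bot: The type names in this file mix two prefixes: the daemon binary is labelled `ekeyd_exec_t`, while the config, socket, tool and EGD types use `ekey_` (`ekey_etc_t`, `ekey_var_run_t`, `ekey_tool_exec_t`, `ekey_egd_exec_t`), and the module itself is named ekeyd. Using one prefix that matches the module name makes it easier to attribute these types to this module when they appear in audit logs or in other modules' rules. The empty `+` lines at the top and bottom of the file can also be dropped.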
diff --git a/ekeyd.if b/ekeyd.if
new file mode 100644
index 0000000..4c004d4
--- /dev/null
+++ b/ekeyd.if
@@ -0,0 +1,45 @@
+## <summary>Entropy Key daemon</summary>
+
+########################################
+## <summary>
+## Execute entropy key tools in the ekey_tool domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ekey_tool_domtrans',`
+ gen_require(`
+ type ekey_tool_t, ekey_tool_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, ekey_tool_exec_t, ekey_tool_t)
+')
+
+############################################################
+## <summary>
+## Role access for the entropy key tools.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+interface(`ekey_tool_run',`
+ gen_require(`
+ type ekey_tool_t;
+ ')
+
+ ekey_tool_domtrans($1)
+ role $2 types ekey_tool_t;
+')
+
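Review bot: In `ekey_tool_run` the parameter documentation lists `role` first and `domain` second, but the body passes `$1` to `ekey_tool_domtrans` (a domain) and uses `$2` in `role $2 types ekey_tool_t;`, so the documented order is the reverse of what the interface expects. Swap the two `<param>` blocks or swap `$1` and `$2` in the body, and keep the callers in line with whichever order is chosen; a caller that follows the documentation as written would pass a role where a domain is expected.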
diff --git a/ekeyd.te b/ekeyd.te
new file mode 100644
index 0000000..d2efb55
--- /dev/null
+++ b/ekeyd.te
@@ -0,0 +1,82 @@
+policy_module(ekeyd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type ekeyd_t;
+type ekeyd_exec_t;
+init_daemon_domain(ekeyd_t, ekeyd_exec_t)
+
+type ekey_egd_t;
+type ekey_egd_exec_t;
+init_daemon_domain(ekey_egd_t, ekey_egd_exec_t)
+
+type ekey_tool_t;
+type ekey_tool_exec_t;
+init_system_domain(ekey_tool_t, ekey_tool_exec_t)
+
+type ekey_etc_t;
+files_config_file(ekey_etc_t)
+
+type ekey_var_run_t;
+files_pid_file(ekey_var_run_t)
+
+require {
+ type unreserved_port_t;
+}
+
+########################################
+#
+# Local policy
+#
+
+# ekeyd - the Entropy Key Daemon
+
+allow ekeyd_t self:tcp_socket create_stream_socket_perms;
+allow ekeyd_t self:unix_dgram_socket create_socket_perms;
+allow ekeyd_t unreserved_port_t:tcp_socket name_connect;
+
+read_files_pattern(ekeyd_t, ekey_etc_t, ekey_etc_t)
+manage_sock_files_pattern(ekeyd_t, ekey_var_run_t, ekey_var_run_t)
+corenet_tcp_bind_generic_node(ekeyd_t)
+term_use_unallocated_ttys(ekeyd_t)
+logging_send_syslog_msg(ekeyd_t)
+miscfiles_read_localization(ekeyd_t)
+files_read_usr_files(ekeyd_t)
+files_pid_filetrans(ekeyd_t, ekey_var_run_t, sock_file)
+
+# tools
+allow ekey_tool_t self:fifo_file rw_fifo_file_perms;
+allow ekey_tool_t ekeyd_t:unix_stream_socket connectto;
+
+manage_files_pattern(ekey_tool_t, ekey_etc_t, ekey_etc_t)
+manage_sock_files_pattern(ekey_tool_t, ekey_var_run_t, ekey_var_run_t)
+corecmd_exec_shell(ekey_tool_t)
+can_exec(ekey_tool_t, ekey_tool_exec_t)
+corecmd_exec_bin(ekey_tool_t)
+userdom_use_user_terminals(ekey_tool_t)
+miscfiles_read_localization(ekey_tool_t)
+seutil_use_newrole_fds(ekey_tool_t)
+files_read_usr_files(ekey_tool_t)
+kernel_read_system_state(ekey_tool_t)
+dev_read_sysfs(ekey_tool_t)
+term_use_unallocated_ttys(ekey_tool_t)
+
+# ekey-egd-linux - the EGD Entropy Daemon
+
+allow ekey_egd_t self:netlink_route_socket create_netlink_socket_perms;
+allow ekey_egd_t self:tcp_socket create_socket_perms;
+allow ekey_egd_t self:unix_dgram_socket create_socket_perms;
+allow ekey_egd_t unreserved_port_t:tcp_socket name_connect;
+
+dev_write_rand(ekey_egd_t)
+miscfiles_read_localization(ekey_egd_t)
+logging_send_syslog_msg(ekey_egd_t)
+
+optional_policy(`
+ daemontools_service_domain(ekeyd_t, ekeyd_exec_t)
+ daemontools_service_domain(ekey_egd_t, ekey_egd_exec_t)
+')
+
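Review bot: The `require { type unreserved_port_t; }` block and the two `allow ... unreserved_port_t:tcp_socket name_connect;` rules (for `ekeyd_t` and `ekey_egd_t`) reference a type owned by the corenetwork module directly instead of going through an interface. Use a corenetwork interface call such as `corenet_tcp_connect_all_unreserved_ports()` for each domain and drop the `require` block. Two further points: `ekeyd_t` gets `corenet_tcp_bind_generic_node` but no `name_bind` rule on any port type, so it is unclear whether the daemon is meant to listen on TCP at all, and the `term_use_unallocated_ttys` calls for `ekeyd_t` and `ekey_tool_t` need a comment saying why these domains touch unallocated ttys.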
--
1.8.5.5
* [refpolicy] [PATCH 1/1] add ekeyd related rules
From: Petre Rodan @ 2014-05-07 21:20 UTC (permalink / raw)
To: refpolicy
Signed-off-by: Petre Rodan <petre.rodan@simplex.ro>
---
ekey domain transitions
policy/modules/roles/sysadm.te | 4 ++++
policy/modules/system/udev.te | 4 ++++
2 files changed, 8 insertions(+)
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 7e3d23e..2fee4d0 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -152,6 +152,10 @@ optional_policy(`
')
optional_policy(`
+ ekey_tool_run(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
firstboot_run(sysadm_t, sysadm_r)
')
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index b0aa655..741272f 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -262,6 +262,10 @@ optional_policy(`
')
optional_policy(`
+ ekey_tool_domtrans(udev_t)
+')
+
+optional_policy(`
lvm_domtrans(udev_t)
')
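Review bot: The added `ekey_tool_domtrans(udev_t)` carries no comment, and the commit message only says "ekey domain transitions", so nothing records which udev rule runs which of the entropy key tools or why udev needs the transition. Add a one-line comment above the call naming the tool that udev executes, so the transition out of `udev_t` can be checked against the udev rules the package ships.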
--
1.8.5.5
* [refpolicy] [PATCH 1/1] add module for the entropy key daemon
From: Christopher J. PeBenito @ 2014-05-09 12:33 UTC (permalink / raw)
To: refpolicy
On 05/07/2014 05:20 PM, Petre Rodan wrote:
> index 0000000..d2efb55
> --- /dev/null
> +++ b/ekeyd.te
> @@ -0,0 +1,82 @@
[...]
> +
> +type ekey_var_run_t;
> +files_pid_file(ekey_var_run_t)
> +
> +require {
> + type unreserved_port_t;
> +}
This looks like it should be a new port type based on the rules below.
> +########################################
> +#
> +# Local policy
> +#
> +
> +# ekeyd - the Entropy Key Daemon
> +
> +allow ekeyd_t self:tcp_socket create_stream_socket_perms;
> +allow ekeyd_t self:unix_dgram_socket create_socket_perms;
> +allow ekeyd_t unreserved_port_t:tcp_socket name_connect;
> +
> +read_files_pattern(ekeyd_t, ekey_etc_t, ekey_etc_t)
> +manage_sock_files_pattern(ekeyd_t, ekey_var_run_t, ekey_var_run_t)
> +corenet_tcp_bind_generic_node(ekeyd_t)
> +term_use_unallocated_ttys(ekeyd_t)
> +logging_send_syslog_msg(ekeyd_t)
> +miscfiles_read_localization(ekeyd_t)
> +files_read_usr_files(ekeyd_t)
> +files_pid_filetrans(ekeyd_t, ekey_var_run_t, sock_file)
> +
> +# tools
Needs a bigger comment block/header for the ekeyd_tool_t domain
> +allow ekey_tool_t self:fifo_file rw_fifo_file_perms;
> +allow ekey_tool_t ekeyd_t:unix_stream_socket connectto;
> +
> +manage_files_pattern(ekey_tool_t, ekey_etc_t, ekey_etc_t)
> +manage_sock_files_pattern(ekey_tool_t, ekey_var_run_t, ekey_var_run_t)
> +corecmd_exec_shell(ekey_tool_t)
> +can_exec(ekey_tool_t, ekey_tool_exec_t)
> +corecmd_exec_bin(ekey_tool_t)
> +userdom_use_user_terminals(ekey_tool_t)
> +miscfiles_read_localization(ekey_tool_t)
> +seutil_use_newrole_fds(ekey_tool_t)
> +files_read_usr_files(ekey_tool_t)
> +kernel_read_system_state(ekey_tool_t)
> +dev_read_sysfs(ekey_tool_t)
> +term_use_unallocated_ttys(ekey_tool_t)
Why is it using unallocated ttys?
> +# ekey-egd-linux - the EGD Entropy Daemon
Same thing regarding the header
> +allow ekey_egd_t self:netlink_route_socket create_netlink_socket_perms;
> +allow ekey_egd_t self:tcp_socket create_socket_perms;
> +allow ekey_egd_t self:unix_dgram_socket create_socket_perms;
> +allow ekey_egd_t unreserved_port_t:tcp_socket name_connect;
> +
> +dev_write_rand(ekey_egd_t)
> +miscfiles_read_localization(ekey_egd_t)
> +logging_send_syslog_msg(ekey_egd_t)
> +
> +optional_policy(`
> + daemontools_service_domain(ekeyd_t, ekeyd_exec_t)
> + daemontools_service_domain(ekey_egd_t, ekey_egd_exec_t)
> +')
> +
Overall it could use more space between interface calls to different modules.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
* [refpolicy] [PATCH 1/1] add module for the entropy key daemon
From: Petre Rodan @ 2014-05-25 15:36 UTC (permalink / raw)
To: refpolicy
Signed-off-by: Petre Rodan <petre.rodan@simplex.ro>
---
Entropy Key daemon policy
ekeyd.fc | 12 +++++++
ekeyd.if | 45 ++++++++++++++++++++++++++
ekeyd.te | 110 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 167 insertions(+)
create mode 100644 ekeyd.fc
create mode 100644 ekeyd.if
create mode 100644 ekeyd.te
diff --git a/ekeyd.fc b/ekeyd.fc
new file mode 100644
index 0000000..0e166af
--- /dev/null
+++ b/ekeyd.fc
@@ -0,0 +1,12 @@
+
+/etc/entropykey(/.*)? gen_context(system_u:object_r:ekey_etc_t,s0)
+
+/usr/libexec/ekeyd -- gen_context(system_u:object_r:ekeyd_exec_t,s0)
+/usr/libexec/ekey-egd-linux -- gen_context(system_u:object_r:ekey_egd_exec_t,s0)
+
+/usr/sbin/ekey-setkey -- gen_context(system_u:object_r:ekey_tool_exec_t,s0)
+/usr/sbin/ekey-rekey -- gen_context(system_u:object_r:ekey_tool_exec_t,s0)
+/usr/sbin/ekeydctl -- gen_context(system_u:object_r:ekey_tool_exec_t,s0)
+
+/var/run/ekeyd.sock -s gen_context(system_u:object_r:ekey_var_run_t,s0)
+
diff --git a/ekeyd.if b/ekeyd.if
new file mode 100644
index 0000000..4c004d4
--- /dev/null
+++ b/ekeyd.if
@@ -0,0 +1,45 @@
+## <summary>Entropy Key daemon</summary>
+
+########################################
+## <summary>
+## Execute entropy key tools in the ekey_tool domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ekey_tool_domtrans',`
+ gen_require(`
+ type ekey_tool_t, ekey_tool_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, ekey_tool_exec_t, ekey_tool_t)
+')
+
+############################################################
+## <summary>
+## Role access for the entropy key tools.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role.
+## </summary>
+## </param>
+#
+interface(`ekey_tool_run',`
+ gen_require(`
+ type ekey_tool_t;
+ ')
+
+ ekey_tool_domtrans($1)
+ role $2 types ekey_tool_t;
+')
+
diff --git a/ekeyd.te b/ekeyd.te
new file mode 100644
index 0000000..0c04f85
--- /dev/null
+++ b/ekeyd.te
@@ -0,0 +1,110 @@
+policy_module(ekeyd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type ekeyd_t;
+type ekeyd_exec_t;
+init_daemon_domain(ekeyd_t, ekeyd_exec_t)
+
+type ekey_egd_t;
+type ekey_egd_exec_t;
+init_daemon_domain(ekey_egd_t, ekey_egd_exec_t)
+
+type ekey_tool_t;
+type ekey_tool_exec_t;
+init_system_domain(ekey_tool_t, ekey_tool_exec_t)
+
+type ekey_etc_t;
+files_config_file(ekey_etc_t)
+
+type ekey_var_run_t;
+files_pid_file(ekey_var_run_t)
+
+require {
+ type unreserved_port_t;
+}
+
+########################################
+#
+# Local policy
+#
+
+
+########################################
+#
+# ekeyd - the Entropy Key Daemon
+#
+
+allow ekeyd_t self:tcp_socket create_stream_socket_perms;
+allow ekeyd_t self:unix_dgram_socket create_socket_perms;
+allow ekeyd_t unreserved_port_t:tcp_socket name_connect;
+
+read_files_pattern(ekeyd_t, ekey_etc_t, ekey_etc_t)
+files_read_usr_files(ekeyd_t)
+files_pid_filetrans(ekeyd_t, ekey_var_run_t, sock_file)
+manage_sock_files_pattern(ekeyd_t, ekey_var_run_t, ekey_var_run_t)
+
+miscfiles_read_localization(ekeyd_t)
+
+corenet_tcp_bind_generic_node(ekeyd_t)
+
+term_use_unallocated_ttys(ekeyd_t)
+
+logging_send_syslog_msg(ekeyd_t)
+
+
+
+########################################
+#
+# tools: ekey-setkey ekey-rekey ekeydctl
+#
+
+allow ekey_tool_t self:fifo_file rw_fifo_file_perms;
+allow ekey_tool_t ekeyd_t:unix_stream_socket connectto;
+
+manage_files_pattern(ekey_tool_t, ekey_etc_t, ekey_etc_t)
+manage_sock_files_pattern(ekey_tool_t, ekey_var_run_t, ekey_var_run_t)
+
+can_exec(ekey_tool_t, ekey_tool_exec_t)
+corecmd_exec_shell(ekey_tool_t)
+corecmd_exec_bin(ekey_tool_t)
+
+files_read_usr_files(ekey_tool_t)
+miscfiles_read_localization(ekey_tool_t)
+
+kernel_read_system_state(ekey_tool_t)
+
+dev_read_sysfs(ekey_tool_t)
+
+userdom_use_user_terminals(ekey_tool_t)
+seutil_use_newrole_fds(ekey_tool_t)
+
+term_use_unallocated_ttys(ekey_tool_t)
+
+
+
+########################################
+#
+# ekey-egd-linux - the EGD Entropy Daemon
+#
+
+allow ekey_egd_t self:netlink_route_socket create_netlink_socket_perms;
+allow ekey_egd_t self:tcp_socket create_socket_perms;
+allow ekey_egd_t self:unix_dgram_socket create_socket_perms;
+allow ekey_egd_t self:capability sys_admin;
+allow ekey_egd_t unreserved_port_t:tcp_socket name_connect;
+
+dev_read_rand(ekey_egd_t)
+dev_write_rand(ekey_egd_t)
+
+miscfiles_read_localization(ekey_egd_t)
+logging_send_syslog_msg(ekey_egd_t)
+
+optional_policy(`
+ daemontools_service_domain(ekeyd_t, ekeyd_exec_t)
+ daemontools_service_domain(ekey_egd_t, ekey_egd_exec_t)
+')
+
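Review bot: `allow ekey_egd_t self:capability sys_admin;` is new in this revision and has no comment; `sys_admin` is a very broad capability, so the line should state which operation of ekey-egd-linux needs it, or be dropped if the added `dev_read_rand`/`dev_write_rand` calls already cover what the daemon does. The `require { type unreserved_port_t; }` block and the direct `name_connect` rules are unchanged from the first version, and `term_use_unallocated_ttys(ekey_tool_t)` and `term_use_unallocated_ttys(ekeyd_t)` still have no comment explaining the tty access.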
--
1.8.5.5
* [refpolicy] [PATCH 1/1] add module for the entropy key daemon
From: Petre Rodan @ 2014-05-25 15:53 UTC (permalink / raw)
To: refpolicy
Hi Chris,
On Fri, May 09, 2014 at 08:33:38AM -0400, Christopher J. PeBenito wrote:
> On 05/07/2014 05:20 PM, Petre Rodan wrote:
> > index 0000000..d2efb55
> > --- /dev/null
> > +++ b/ekeyd.te
> > +require {
> > + type unreserved_port_t;
> > +}
>
> This looks like it should be a new port type based on the rules below.
well, there is no standard port for this application and there is no default set anywhere AFAICT.
the default is to send the random stream to the local machine only, but if the user needs to send entropy to more than a box that port needs to be set via EGDTCPSocket.
the man page looks like this: http://manpages.ubuntu.com/manpages/lucid/man5/ekeyd.conf.5.html
> > +term_use_unallocated_ttys(ekey_tool_t)
>
> Why is it using unallocated ttys?
the entropy-generating device is a usb dongle and /dev/ttyACM[0-9] (tty_device_t) ends up being used as an interface between the dongle and the software.
please don't forget to merge the sysadm_t and udev_t domain transitions too from the other patch.
--
petre rodan
<petre.rodan@simplex.ro>
Technical Manager
Simplex SRL, Bucharest
* [refpolicy] [PATCH 1/1] add module for the entropy key daemon
From: Christopher J. PeBenito @ 2014-05-27 13:29 UTC (permalink / raw)
To: refpolicy
On 05/25/2014 11:53 AM, Petre Rodan wrote:
>
> Hi Chris,
>
> On Fri, May 09, 2014 at 08:33:38AM -0400, Christopher J. PeBenito wrote:
>> On 05/07/2014 05:20 PM, Petre Rodan wrote:
>>> index 0000000..d2efb55
>>> --- /dev/null
>>> +++ b/ekeyd.te
>>> +require {
>>> + type unreserved_port_t;
>>> +}
>>
>> This looks like it should be a new port type based on the rules below.
>
> well, there is no standard port for this application and there is no default set anywhere AFAICT.
> the default is to send the random stream to the local machine only, but if the user needs to send entropy to more than a box that port needs to be set via EGDTCPSocket.
>
> the man page looks like this: http://manpages.ubuntu.com/manpages/lucid/man5/ekeyd.conf.5.html
Ok, then an interface needs to be created rather than requiring the type.
>>> +term_use_unallocated_ttys(ekey_tool_t)
>>
>> Why is it using unallocated ttys?
>
> the entropy-generating device is a usb dongle and /dev/ttyACM[0-9] (tty_device_t) ends up being used as an interface between the dongle and the software.
Please add a comment about this.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com