From: dac.override@gmail.com (Dominick Grift)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH] afs: update labels, file contexts and allow access to urandom
Date: Mon, 5 Jan 2015 19:10:45 +0100
Message-ID: <20150105181043.GA12231@bigboy.network2>
In-Reply-To: <20150105101436.71aed0fd@thirdoffive.cmf.nrl.navy.mil>
On Mon, Jan 05, 2015 at 10:14:36AM -0500, chas williams - CONTRACTOR wrote:
> From 55664436e0d88d7414b5a234bbe287c6739f4f35 Mon Sep 17 00:00:00 2001
> From: Chas Williams - CONTRACTOR <chas@cmf.nrl.navy.mil>
> Date: Sun, 4 Jan 2015 19:19:15 -0500
> Subject: [PATCH] afs: update labels, file contexts and allow access to urandom
>
> Label the DAFS (demand attached) fileserver binaries afs_fsserver_exec_t.
>
> Set the fcontext for the fileserver /vicep parititions and their contents.
> Also set fcontext on the openafs-server init script.
>
> Allow OpenAFS server binaries to access urandom.
Thanks, this patch was applied. I made a minor style related change, plus I removed a stray newline.
I suspect that the urandom access is part of nsswitch functionality (getpw?) because I also see other rules that match that pattern:
1. reading etc_t files (nsswitch.conf)
2. create udp sockets (dns udp)
3. list pids (for stream connecting to nscd if the socket is there)
4. sysnet read config (reading resolv.conf)
When reviewing the afs policy I also noticed some obvious redundant and wrong rules, which I removed in a different commit, 8bc232786bb2f84054108c6b8d22e312d40c256f.
> ---
> afs.fc | 14 +++++++++++---
> afs.te | 8 ++++++++
> 2 files changed, 19 insertions(+), 3 deletions(-)
>
> diff --git a/afs.fc b/afs.fc
> index 8926c16..279b787 100644
> --- a/afs.fc
> +++ b/afs.fc
> @@ -1,13 +1,18 @@
> /etc/(open)?afs(/.*)? gen_context(system_u:object_r:afs_config_t,s0)
>
> /etc/rc\.d/init\.d/openafs-client -- gen_context(system_u:object_r:afs_initrc_exec_t,s0)
> +/etc/rc\.d/init\.d/openafs-server -- gen_context(system_u:object_r:afs_initrc_exec_t,s0)
> /etc/rc\.d/init\.d/(open)?afs -- gen_context(system_u:object_r:afs_initrc_exec_t,s0)
>
> /usr/afs/bin/bosserver -- gen_context(system_u:object_r:afs_bosserver_exec_t,s0)
> +/usr/afs/bin/dafileserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
> +/usr/afs/bin/dasalvager -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
> +/usr/afs/bin/davolserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
> /usr/afs/bin/fileserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
> /usr/afs/bin/kaserver -- gen_context(system_u:object_r:afs_kaserver_exec_t,s0)
> /usr/afs/bin/ptserver -- gen_context(system_u:object_r:afs_ptserver_exec_t,s0)
> /usr/afs/bin/salvager -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
> +/usr/afs/bin/salvageserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
> /usr/afs/bin/volserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
> /usr/afs/bin/vlserver -- gen_context(system_u:object_r:afs_vlserver_exec_t,s0)
>
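Review bot: the DAFS binaries (`dafileserver`, `dasalvager`, `davolserver`) and `salvageserver` added in this hunk all get `afs_fsserver_exec_t`, the same type the existing `fileserver`, `volserver` and `salvager` entries carry, so the existing afs.te transition into the fileserver domain applies to them without a policy change; the new `openafs-server` init script entry is needed because the `(open)?afs` pattern on the following line does not match the `-server` suffix.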
> @@ -22,10 +27,14 @@
>
> /usr/afs/logs(/.*)? gen_context(system_u:object_r:afs_logfile_t,s0)
>
> +/usr/libexec/openafs/dafileserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
> +/usr/libexec/openafs/dasalvager -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
> +/usr/libexec/openafs/davolserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
> /usr/libexec/openafs/fileserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
> /usr/libexec/openafs/kaserver -- gen_context(system_u:object_r:afs_kaserver_exec_t,s0)
> /usr/libexec/openafs/ptserver -- gen_context(system_u:object_r:afs_ptserver_exec_t,s0)
> /usr/libexec/openafs/salvager -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
> +/usr/libexec/openafs/salvagerserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
> /usr/libexec/openafs/volserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
> /usr/libexec/openafs/vlserver -- gen_context(system_u:object_r:afs_vlserver_exec_t,s0)
>
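Review bot: `/usr/libexec/openafs/salvagerserver` in this hunk does not match `/usr/afs/bin/salvageserver` added in the previous hunk; the two lists are otherwise parallel entry for entry, so one of the spellings is a typo and that file context would never apply to the real binary. Use the same name in both, e.g. `/usr/libexec/openafs/salvageserver -- gen_context(system_u:object_r:afs_fsserver_exec_t,s0)`.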
> @@ -37,6 +46,5 @@
>
> /var/cache/(open)?afs(/.*)? gen_context(system_u:object_r:afs_cache_t,s0)
>
> -/vicepa gen_context(system_u:object_r:afs_files_t,s0)
> -/vicepb gen_context(system_u:object_r:afs_files_t,s0)
> -/vicepc gen_context(system_u:object_r:afs_files_t,s0)
> +/vicep[a-z][a-z]?(/.*)? gen_context(system_u:object_r:afs_files_t,s0)
> +
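Review bot: the final `+` line carrying no content adds a blank line at the end of afs.fc; this is the stray newline the maintainer mentions removing, so drop it. The replacement pattern `/vicep[a-z][a-z]?(/.*)?` still covers the three removed entries (/vicepa, /vicepb, /vicepc) and additionally labels the partition contents `afs_files_t` instead of only the mount point, which is what the commit message describes for the /vicep partitions.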
> diff --git a/afs.te b/afs.te
> index 90ce637..6ba667d 100644
> --- a/afs.te
> +++ b/afs.te
> @@ -140,6 +140,8 @@ files_read_usr_files(afs_bosserver_t)
>
> seutil_read_config(afs_bosserver_t)
>
> +dev_read_urand(afs_bosserver_t)
> +
> ########################################
> #
> # fileserver local policy
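Review bot: `dev_read_urand(afs_bosserver_t)` is appended after `seutil_read_config(afs_bosserver_t)`; refpolicy orders interface calls in a domain block by layer, with kernel-layer `dev_*` calls ahead of system-layer `seutil_*` and `userdom_*` calls, so it belongs above `seutil_read_config`. The same ordering point applies to the three later hunks, and this is most likely the style change the maintainer made when applying.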
> @@ -206,6 +208,8 @@ seutil_read_config(afs_fsserver_t)
>
> userdom_dontaudit_use_user_terminals(afs_fsserver_t)
>
> +dev_read_urand(afs_fsserver_t)
> +
> ########################################
> #
> # kaserver local policy
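Review bot: the patch grants `dev_read_urand` to the bosserver, fileserver, ptserver and vlserver domains but not to the kaserver domain whose block header this hunk ends on, even though afs.fc labels `kaserver` as a server binary and the commit message says "Allow OpenAFS server binaries to access urandom"; if kaserver is deliberately left out, state that in the commit message so the omission is not read as an oversight.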
> @@ -276,6 +280,8 @@ corenet_sendrecv_afs_pt_server_packets(afs_ptserver_t)
>
> userdom_dontaudit_use_user_terminals(afs_ptserver_t)
>
> +dev_read_urand(afs_ptserver_t)
> +
> ########################################
> #
> # vlserver local policy
> @@ -307,6 +313,8 @@ corenet_sendrecv_afs_vl_server_packets(afs_vlserver_t)
>
> userdom_dontaudit_use_user_terminals(afs_vlserver_t)
>
> +dev_read_urand(afs_vlserver_t)
> +
> ########################################
> #
> # Global local policy
> --
> 1.9.3
>
--
Dominick Grift
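The reply above reasons from a set of AVC denials to "this is the nsswitch pattern" rather than granting each rule individually. The script below, added here as an illustration and not part of the thread or of refpolicy, automates that triage: it parses audit.log AVC lines (the sample lines are constructed), groups denials per source domain, and checks whether the four items the reply lists are all present. Mapping those items to concrete types (`var_run_t` for "list pids", `net_conf_t` for resolv.conf) is an assumption, as is the suggestion of refpolicy's `auth_use_nsswitch()` interface as the single call that bundles them; the exact permission set that interface grants is not stated on the page. `dev_read_urand` is the interface the patch itself uses.

```python
import re
from collections import defaultdict

# Constructed sample AVC denials (not taken from the page); the domain and
# type names follow the refpolicy conventions used by the quoted afs patch.
SAMPLE_AVC = """\
type=AVC msg=audit(1420481000.100:101): avc:  denied  { read } for  pid=1234 comm="fileserver" name="nsswitch.conf" dev="dm-0" ino=131 scontext=system_u:system_r:afs_fsserver_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1420481000.101:102): avc:  denied  { create } for  pid=1234 comm="fileserver" scontext=system_u:system_r:afs_fsserver_t:s0 tcontext=system_u:system_r:afs_fsserver_t:s0 tclass=udp_socket permissive=0
type=AVC msg=audit(1420481000.102:103): avc:  denied  { read } for  pid=1234 comm="fileserver" name="run" dev="dm-0" ino=77 scontext=system_u:system_r:afs_fsserver_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1420481000.103:104): avc:  denied  { read } for  pid=1234 comm="fileserver" name="resolv.conf" dev="dm-0" ino=140 scontext=system_u:system_r:afs_fsserver_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=0
type=AVC msg=audit(1420481000.104:105): avc:  denied  { read } for  pid=1234 comm="fileserver" name="urandom" dev="devtmpfs" ino=9 scontext=system_u:system_r:afs_fsserver_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1420481000.105:106): avc:  denied  { read } for  pid=1300 comm="bosserver" name="urandom" dev="devtmpfs" ino=9 scontext=system_u:system_r:afs_bosserver_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file permissive=0
"""

# Real audit lines carry scontext, tcontext and tclass in this order.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# The four items from the reply, mapped to (description, target type, class, perm).
# A target type of None means "any type" (the udp_socket is the domain's own).
# The var_run_t / net_conf_t mapping is an assumption made for this example.
NSSWITCH_SIGNATURE = (
    ("read etc_t files (nsswitch.conf)", "etc_t", "file", "read"),
    ("create udp sockets (DNS)", None, "udp_socket", "create"),
    ("list pid dirs (var_run_t, looking for the nscd socket)", "var_run_t", "dir", "read"),
    ("read sysnet config (resolv.conf, net_conf_t)", "net_conf_t", "file", "read"),
)
URANDOM_READ = ("urandom_device_t", "chr_file", "read")


def parse_avc(text):
    """Return (domain, target_type, tclass, perm) tuples for every AVC denial."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        domain = m.group("scontext").split(":")[2]   # user:role:TYPE:range
        ttype = m.group("tcontext").split(":")[2]
        for perm in m.group("perms").split():
            records.append((domain, ttype, m.group("tclass"), perm))
    return records


def _hit(seen, ttype, tclass, perm):
    return any((ttype is None or t == ttype) and c == tclass and p == perm
               for t, c, p in seen)


def classify(denials):
    """Per domain: which nsswitch signature items were seen, and what to grant."""
    by_domain = defaultdict(set)
    for domain, ttype, tclass, perm in denials:
        by_domain[domain].add((ttype, tclass, perm))
    report = {}
    for domain, seen in sorted(by_domain.items()):
        hits = [desc for desc, t, c, p in NSSWITCH_SIGNATURE if _hit(seen, t, c, p)]
        suggest = []
        if len(hits) == len(NSSWITCH_SIGNATURE):
            # Whole pattern present: one interface call instead of four ad hoc rules.
            suggest.append(f"auth_use_nsswitch({domain})")
        if URANDOM_READ in seen:
            suggest.append(f"dev_read_urand({domain})")
        report[domain] = {"nsswitch_hits": hits, "suggest": suggest}
    return report


def suggest_interfaces(text):
    return classify(parse_avc(text))


if __name__ == "__main__":
    for domain, info in suggest_interfaces(SAMPLE_AVC).items():
        print(domain, len(info["nsswitch_hits"]), "nsswitch hits ->", info["suggest"])
```

On the constructed sample, the fileserver domain shows all four signature items plus the urandom read and gets both suggestions, while bosserver shows only the urandom read; a partial match is reported as a list of hits rather than a suggestion, since a single etc_t read on its own says nothing about nsswitch.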
Thread overview:
2015-01-05 15:14 [refpolicy] [PATCH] afs: update labels, file contexts and allow access to urandom, chas williams - CONTRACTOR
2015-01-05 18:10 ` Dominick Grift [this message]
2015-01-05 18:58 ` chas williams - CONTRACTOR