[refpolicy] [PATCH] afs: update labels, file contexts and allow access to urandom

[refpolicy] [PATCH] afs: update labels, file contexts and allow access to urandom

[chas williams - CONTRACTOR]

>From 55664436e0d88d7414b5a234bbe287c6739f4f35 Mon Sep 17 00:00:00 2001
From: Chas Williams - CONTRACTOR <chas@cmf.nrl.navy.mil>
Date: Sun, 4 Jan 2015 19:19:15 -0500
Subject: [PATCH] afs: update labels, file contexts and allow access to urandom

Label the DAFS (demand attached) fileserver binaries afs_fsserver_exec_t.

Set the fcontext for the fileserver /vicep parititions and their contents.
Also set fcontext on the openafs-server init script.

Allow OpenAFS server binaries to access urandom.
---
 afs.fc | 14 +++++++++++---
 afs.te |  8 ++++++++
 2 files changed, 19 insertions(+), 3 deletions(-)

diff --git a/afs.fc b/afs.fc
index 8926c16..279b787 100644
--- a/afs.fc
+++ b/afs.fc
@@ -1,13 +1,18 @@
 /etc/(open)?afs(/.*)?	gen_context(system_u:object_r:afs_config_t,s0)
 
 /etc/rc\.d/init\.d/openafs-client	--	gen_context(system_u:object_r:afs_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/openafs-server	--	gen_context(system_u:object_r:afs_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/(open)?afs	--	gen_context(system_u:object_r:afs_initrc_exec_t,s0)
 
 /usr/afs/bin/bosserver	--	gen_context(system_u:object_r:afs_bosserver_exec_t,s0)
+/usr/afs/bin/dafileserver --	gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
+/usr/afs/bin/dasalvager	--	gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
+/usr/afs/bin/davolserver --	gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
 /usr/afs/bin/fileserver	--	gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
 /usr/afs/bin/kaserver	--	gen_context(system_u:object_r:afs_kaserver_exec_t,s0)
 /usr/afs/bin/ptserver	--	gen_context(system_u:object_r:afs_ptserver_exec_t,s0)
 /usr/afs/bin/salvager	--	gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
+/usr/afs/bin/salvageserver --	gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
 /usr/afs/bin/volserver	--	gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
 /usr/afs/bin/vlserver	--	gen_context(system_u:object_r:afs_vlserver_exec_t,s0)
 
@@ -22,10 +27,14 @@
 
 /usr/afs/logs(/.*)?	gen_context(system_u:object_r:afs_logfile_t,s0)
 
+/usr/libexec/openafs/dafileserver --	gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
+/usr/libexec/openafs/dasalvager	--	gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
+/usr/libexec/openafs/davolserver --	gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
 /usr/libexec/openafs/fileserver	--	gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
 /usr/libexec/openafs/kaserver	--	gen_context(system_u:object_r:afs_kaserver_exec_t,s0)
 /usr/libexec/openafs/ptserver	--	gen_context(system_u:object_r:afs_ptserver_exec_t,s0)
 /usr/libexec/openafs/salvager	--	gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
+/usr/libexec/openafs/salvagerserver --	gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
 /usr/libexec/openafs/volserver	--	gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
 /usr/libexec/openafs/vlserver	--	gen_context(system_u:object_r:afs_vlserver_exec_t,s0)
 
@@ -37,6 +46,5 @@
 
 /var/cache/(open)?afs(/.*)?	gen_context(system_u:object_r:afs_cache_t,s0)
 
-/vicepa	gen_context(system_u:object_r:afs_files_t,s0)
-/vicepb	gen_context(system_u:object_r:afs_files_t,s0)
-/vicepc	gen_context(system_u:object_r:afs_files_t,s0)
+/vicep[a-z][a-z]?(/.*)? gen_context(system_u:object_r:afs_files_t,s0)
+
diff --git a/afs.te b/afs.te
index 90ce637..6ba667d 100644
--- a/afs.te
+++ b/afs.te
@@ -140,6 +140,8 @@ files_read_usr_files(afs_bosserver_t)
 
 seutil_read_config(afs_bosserver_t)
 
+dev_read_urand(afs_bosserver_t)
+
 ########################################
 #
 # fileserver local policy
@@ -206,6 +208,8 @@ seutil_read_config(afs_fsserver_t)
 
 userdom_dontaudit_use_user_terminals(afs_fsserver_t)
 
+dev_read_urand(afs_fsserver_t)
+
 ########################################
 #
 # kaserver local policy
@@ -276,6 +280,8 @@ corenet_sendrecv_afs_pt_server_packets(afs_ptserver_t)
 
 userdom_dontaudit_use_user_terminals(afs_ptserver_t)
 
+dev_read_urand(afs_ptserver_t)
+
 ########################################
 #
 # vlserver local policy
@@ -307,6 +313,8 @@ corenet_sendrecv_afs_vl_server_packets(afs_vlserver_t)
 
 userdom_dontaudit_use_user_terminals(afs_vlserver_t)
 
+dev_read_urand(afs_vlserver_t)
+
 ########################################
 #
 # Global local policy
-- 
1.9.3

[refpolicy] [PATCH] afs: update labels, file contexts and allow access to urandom

[Dominick Grift]

On Mon, Jan 05, 2015 at 10:14:36AM -0500, chas williams - CONTRACTOR wrote:
> >From 55664436e0d88d7414b5a234bbe287c6739f4f35 Mon Sep 17 00:00:00 2001
> From: Chas Williams - CONTRACTOR <chas@cmf.nrl.navy.mil>
> Date: Sun, 4 Jan 2015 19:19:15 -0500
> Subject: [PATCH] afs: update labels, file contexts and allow access to urandom
> 
> Label the DAFS (demand attached) fileserver binaries afs_fsserver_exec_t.
> 
> Set the fcontext for the fileserver /vicep parititions and their contents.
> Also set fcontext on the openafs-server init script.
> 
> Allow OpenAFS server binaries to access urandom.

Thanks, this patch was applied. I made a minor style related change plus i removed a stray newline

I suspect that the urandom access is part of nsswitch functionality (getpw?) because i also see other rules that match that pattern.

1. reading etc_t files (nsswitch.conf)
2. create udp sockets (dns udp)
3. list pids (for stream connecting to nscd if the socket is there)
4. sysnet read config (reading resolv.conf)

When reviewing the afs policy i also noticed some obvious redundant and wrong rules which i removed in a different commit 8bc232786bb2f84054108c6b8d22e312d40c256f

> ---
>  afs.fc | 14 +++++++++++---
>  afs.te |  8 ++++++++
>  2 files changed, 19 insertions(+), 3 deletions(-)
> 
> diff --git a/afs.fc b/afs.fc
> index 8926c16..279b787 100644
> --- a/afs.fc
> +++ b/afs.fc
> @@ -1,13 +1,18 @@
>  /etc/(open)?afs(/.*)?	gen_context(system_u:object_r:afs_config_t,s0)
>  
>  /etc/rc\.d/init\.d/openafs-client	--	gen_context(system_u:object_r:afs_initrc_exec_t,s0)
> +/etc/rc\.d/init\.d/openafs-server	--	gen_context(system_u:object_r:afs_initrc_exec_t,s0)
>  /etc/rc\.d/init\.d/(open)?afs	--	gen_context(system_u:object_r:afs_initrc_exec_t,s0)
>  
>  /usr/afs/bin/bosserver	--	gen_context(system_u:object_r:afs_bosserver_exec_t,s0)
> +/usr/afs/bin/dafileserver --	gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
> +/usr/afs/bin/dasalvager	--	gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
> +/usr/afs/bin/davolserver --	gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
>  /usr/afs/bin/fileserver	--	gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
>  /usr/afs/bin/kaserver	--	gen_context(system_u:object_r:afs_kaserver_exec_t,s0)
>  /usr/afs/bin/ptserver	--	gen_context(system_u:object_r:afs_ptserver_exec_t,s0)
>  /usr/afs/bin/salvager	--	gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
> +/usr/afs/bin/salvageserver --	gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
>  /usr/afs/bin/volserver	--	gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
>  /usr/afs/bin/vlserver	--	gen_context(system_u:object_r:afs_vlserver_exec_t,s0)
>  
> @@ -22,10 +27,14 @@
>  
>  /usr/afs/logs(/.*)?	gen_context(system_u:object_r:afs_logfile_t,s0)
>  
> +/usr/libexec/openafs/dafileserver --	gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
> +/usr/libexec/openafs/dasalvager	--	gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
> +/usr/libexec/openafs/davolserver --	gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
>  /usr/libexec/openafs/fileserver	--	gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
>  /usr/libexec/openafs/kaserver	--	gen_context(system_u:object_r:afs_kaserver_exec_t,s0)
>  /usr/libexec/openafs/ptserver	--	gen_context(system_u:object_r:afs_ptserver_exec_t,s0)
>  /usr/libexec/openafs/salvager	--	gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
> +/usr/libexec/openafs/salvagerserver --	gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
>  /usr/libexec/openafs/volserver	--	gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
>  /usr/libexec/openafs/vlserver	--	gen_context(system_u:object_r:afs_vlserver_exec_t,s0)
>  
> @@ -37,6 +46,5 @@
>  
>  /var/cache/(open)?afs(/.*)?	gen_context(system_u:object_r:afs_cache_t,s0)
>  
> -/vicepa	gen_context(system_u:object_r:afs_files_t,s0)
> -/vicepb	gen_context(system_u:object_r:afs_files_t,s0)
> -/vicepc	gen_context(system_u:object_r:afs_files_t,s0)
> +/vicep[a-z][a-z]?(/.*)? gen_context(system_u:object_r:afs_files_t,s0)
> +
> diff --git a/afs.te b/afs.te
> index 90ce637..6ba667d 100644
> --- a/afs.te
> +++ b/afs.te
> @@ -140,6 +140,8 @@ files_read_usr_files(afs_bosserver_t)
>  
>  seutil_read_config(afs_bosserver_t)
>  
> +dev_read_urand(afs_bosserver_t)
> +
>  ########################################
>  #
>  # fileserver local policy
> @@ -206,6 +208,8 @@ seutil_read_config(afs_fsserver_t)
>  
>  userdom_dontaudit_use_user_terminals(afs_fsserver_t)
>  
> +dev_read_urand(afs_fsserver_t)
> +
>  ########################################
>  #
>  # kaserver local policy
> @@ -276,6 +280,8 @@ corenet_sendrecv_afs_pt_server_packets(afs_ptserver_t)
>  
>  userdom_dontaudit_use_user_terminals(afs_ptserver_t)
>  
> +dev_read_urand(afs_ptserver_t)
> +
>  ########################################
>  #
>  # vlserver local policy
> @@ -307,6 +313,8 @@ corenet_sendrecv_afs_vl_server_packets(afs_vlserver_t)
>  
>  userdom_dontaudit_use_user_terminals(afs_vlserver_t)
>  
> +dev_read_urand(afs_vlserver_t)
> +
>  ########################################
>  #
>  # Global local policy
> -- 
> 1.9.3
> 
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

-- 
Dominick Grift
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 648 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20150105/b0ba8fda/attachment.bin 

[refpolicy] [PATCH] afs: update labels, file contexts and allow access to urandom

[chas williams - CONTRACTOR]

On Mon, 5 Jan 2015 19:10:45 +0100
Dominick Grift <dac.override@gmail.com> wrote:

> I suspect that the urandom access is part of nsswitch functionality (getpw?) because i also see other rules that match that pattern.

I suspect it is due to more recent versions of OpenAFS being linked
against heimdal (or your native krb5 libraries).  I suspect it is
possible that the libraries might attempt to read random but reading
allowing urandom should hopefully be sufficient.

>From hcrypto/rand-unix.c:

int
_hc_unix_device_fd(int flags, const char **fn)
{
    static const char *rnd_devices[] = {
        "/dev/urandom",
        "/dev/random",
        "/dev/srandom",
        "/dev/arandom",
        NULL
    };


> When reviewing the afs policy i also noticed some obvious redundant and wrong rules which i removed in a different commit 8bc232786bb2f84054108c6b8d22e312d40c256f

Thanks!