From: Alexander Miroshnichenko <alex@millerson.name>
To: selinux-refpolicy@vger.kernel.org
Cc: pebenito@ieee.org, Alexander Miroshnichenko <alex@millerson.name>
Subject: [PATCH v2] Add lldpd policy
Date: Mon, 17 Jun 2019 15:42:08 +0300	[thread overview]
Message-ID: <20190617124207.25680-1-alex@millerson.name> (raw)
In-Reply-To: <749388e0-6da1-4b06-c62c-35302a5aba78@ieee.org>

New policy module for lldpd (http://vincentbernat.github.io/lldpd).

Signed-off-by: Alexander Miroshnichenko <alex@millerson.name>
---
 policy/modules/roles/sysadm.te   |  4 ++
 policy/modules/services/lldpd.fc |  9 ++++
 policy/modules/services/lldpd.if | 83 ++++++++++++++++++++++++++++++++
 policy/modules/services/lldpd.te | 79 ++++++++++++++++++++++++++++++
 4 files changed, 175 insertions(+)
 create mode 100644 policy/modules/services/lldpd.fc
 create mode 100644 policy/modules/services/lldpd.if
 create mode 100644 policy/modules/services/lldpd.te

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 8f891c83865f..9a104fe8eb83 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -595,6 +595,10 @@ optional_policy(`
 	lldpad_admin(sysadm_t, sysadm_r)
 ')
 
+optional_policy(`
+	lldp_admin(sysadm_t, sysadm_r)
+')
+
 optional_policy(`
 	lockdev_role(sysadm_r, sysadm_t)
 ')
diff --git a/policy/modules/services/lldpd.fc b/policy/modules/services/lldpd.fc
new file mode 100644
index 000000000000..19b66603add3
--- /dev/null
+++ b/policy/modules/services/lldpd.fc
@@ -0,0 +1,9 @@
+/etc/lldpd.conf		--	gen_context(system_u:object_r:lldpd_conf_t,s0)
+/etc/lldpd.d(/.*)?		gen_context(system_u:object_r:lldpd_conf_t,s0)
+
+/usr/sbin/lldpd		--	gen_context(system_u:object_r:lldpd_exec_t,s0)
+/usr/sbin/lldpcli         --      gen_context(system_u:object_r:lldp_cli_exec_t,s0)
+
+/run/lldpd		-d      gen_context(system_u:object_r:lldpd_runtime_t,s0)
+/run/lldpd(/.*)?		gen_context(system_u:object_r:lldpd_runtime_t,s0)
+/run/lldpd.pid		--	gen_context(system_u:object_r:lldpd_runtime_t,s0)
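Review bot: The `-d` entry for `/run/lldpd` directly above `/run/lldpd(/.*)?` is redundant, because the recursive pattern already matches the directory itself with the same context; refpolicy .fc files normally carry only the recursive form, `/run/lldpd(/.*)?		gen_context(system_u:object_r:lldpd_runtime_t,s0)`. The `/usr/sbin/lldpcli` line is aligned with spaces where every neighbouring line uses tabs, which the refpolicy style checks reject. `/run/lldpd.pid` is not covered by the recursive pattern, so that entry does need to stay.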
diff --git a/policy/modules/services/lldpd.if b/policy/modules/services/lldpd.if
new file mode 100644
index 000000000000..8859f8743ecf
--- /dev/null
+++ b/policy/modules/services/lldpd.if
@@ -0,0 +1,83 @@
+
+## <summary>policy for lldpd</summary>
+
+########################################
+## <summary>
+##      Execute a domain transition to run lldpcli.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed to transition.
+##      </summary>
+## </param>
+#
+interface(`lldp_domtrans_cli',`
+        gen_require(`
+                type lldp_cli_t, lldp_cli_exec_t;
+        ')
+
+        corecmd_search_bin($1)
+        domtrans_pattern($1, lldp_cli_exec_t, lldp_cli_t)
+')
+
+########################################
+## <summary>
+##      Execute lldpcli in the lldp_cli domain,
+##      and allow the specified role
+##      the lldp_cli domain.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed to transition.
+##      </summary>
+## </param>
+## <param name="role">
+##      <summary>
+##      Role allowed access.
+##      </summary>
+## </param>
+#
+interface(`lldp_cli_run',`
+        gen_require(`
+                type lldp_cli_t;
+        ')
+
+        lldp_domtrans_cli($1)
+        role $2 types lldp_cli_t;
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an lldpd environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`lldp_admin',`
+	gen_require(`
+		type lldpd_t;
+		type lldpd_conf_t;
+		type lldpd_runtime_t;
+	')
+
+	allow $1 lldpd_t:process { signal_perms };
+	ps_process_pattern($1, lldpd_t)
+
+	files_search_etc($1)
+	admin_pattern($1, lldpd_conf_t)
+
+	files_search_pids($1)
+	admin_pattern($1, lldpd_runtime_t)
+
+	lldp_cli_run($1, $2)
+')
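Review bot: The three interfaces are named with an `lldp_` prefix (`lldp_domtrans_cli`, `lldp_cli_run`, `lldp_admin`) while the module, its executable type and its main domain are `lldpd`; refpolicy convention is that interface names carry the module name as prefix, so `lldpd_domtrans_cli`, `lldpd_run_cli` and `lldpd_admin` would be expected, and the caller added in the sysadm.te hunk would change with them. Within this same file the first two interfaces and their XML comments are indented with spaces while `lldp_admin` uses tabs; the tab form is the one refpolicy uses throughout. `lldp_admin` also gives the admin role no way to start or stop the service: this patch declares no init script or unit type, so the usual `init_startstop_service($1, $2, lldpd_t, ...)` call cannot be made, and a line in the interface summary saying that the admin interface covers configuration and runtime files only would save the next maintainer from looking for it.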
diff --git a/policy/modules/services/lldpd.te b/policy/modules/services/lldpd.te
new file mode 100644
index 000000000000..457243b0112e
--- /dev/null
+++ b/policy/modules/services/lldpd.te
@@ -0,0 +1,79 @@
+policy_module(lldpd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type lldpd_t;
+type lldpd_exec_t;
+init_daemon_domain(lldpd_t, lldpd_exec_t)
+
+type lldp_cli_t;
+type lldp_cli_exec_t;
+init_system_domain(lldp_cli_t, lldp_cli_exec_t)
+application_domain(lldp_cli_t, lldp_cli_exec_t)
+
+type lldpd_conf_t;
+files_config_file(lldpd_conf_t)
+
+type lldpd_runtime_t;
+files_pid_file(lldpd_runtime_t)
+init_daemon_pid_file(lldpd_runtime_t, dir, "lldpd")
+
+########################################
+#
+# lldpd local policy
+#
+allow lldpd_t self:capability { chown dac_read_search dac_override fowner fsetid kill net_admin net_raw setgid setuid sys_chroot };
+allow lldpd_t self:process { fork signal_perms };
+allow lldpd_t self:fifo_file rw_fifo_file_perms;
+allow lldpd_t self:unix_stream_socket create_stream_socket_perms;
+allow lldpd_t self:packet_socket create_socket_perms;
+
+lldp_domtrans_cli(lldpd_t)
+
+kernel_read_net_sysctls(lldpd_t)
+
+list_dirs_pattern(lldpd_t, lldpd_conf_t, lldpd_conf_t)
+read_files_pattern(lldpd_t, lldpd_conf_t, lldpd_conf_t)
+
+manage_dirs_pattern(lldpd_t, lldpd_runtime_t, lldpd_runtime_t)
+manage_files_pattern(lldpd_t, lldpd_runtime_t, lldpd_runtime_t)
+manage_sock_files_pattern(lldpd_t, lldpd_runtime_t, lldpd_runtime_t)
+manage_lnk_files_pattern(lldpd_t, lldpd_runtime_t, lldpd_runtime_t)
+files_pid_filetrans(lldpd_t, lldpd_runtime_t, {file dir sock_file})
+
+files_read_etc_files(lldpd_t)
+
+logging_send_syslog_msg(lldpd_t)
+
+miscfiles_read_localization(lldpd_t)
+
+sysnet_dns_name_resolve(lldpd_t)
+
+########################################
+#
+# lldp_cli local policy
+#
+allow lldp_cli_t self:capability dac_override;
+allow lldp_cli_t self:unix_dgram_socket { connect create };
+allow lldp_cli_t self:unix_stream_socket { connect create read write };
+allow lldp_cli_t self:process signal;
+
+allow lldp_cli_t lldpd_runtime_t:sock_file read_sock_file_perms;
+stream_connect_pattern(lldp_cli_t, lldpd_runtime_t, lldpd_runtime_t, lldpd_t)
+
+domain_use_interactive_fds(lldp_cli_t)
+
+files_search_etc(lldp_cli_t)
+list_dirs_pattern(lldp_cli_t, lldpd_conf_t, lldpd_conf_t)
+read_files_pattern(lldp_cli_t, lldpd_conf_t, lldpd_conf_t)
+
+logging_send_syslog_msg(lldp_cli_t)
+
+files_dontaudit_read_etc_files(lldp_cli_t)
+
+miscfiles_read_localization(lldp_cli_t)
+
+userdom_use_user_ptys(lldp_cli_t)
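Review bot: `allow lldp_cli_t self:capability dac_override;` gives the client domain, which sysadm runs interactively through `lldp_cli_run`, a blanket DAC bypass, while the only object it is granted beyond its config files is the daemon socket in `lldpd_runtime_t`; if the denial only appears when the socket is probed as a non-root user, `dontaudit lldp_cli_t self:capability dac_override;` is the safer default until a real need is demonstrated. The daemon rule at the top of the `lldpd local policy` section lists both `dac_read_search` and `dac_override`; refpolicy generally keeps `dac_read_search` alone when the daemon only reads files it does not own, so `dac_override` there deserves the same check. Declaring `lldp_cli_t` with both `init_system_domain` and `application_domain` declares the same entrypoint twice; one of the two normally suffices, and if `application_domain` is kept the `role system_r types lldp_cli_t;` that `init_system_domain` supplied is still needed for the transition from `lldpd_t`. The `chown fowner fsetid` group presumably exists so lldpd can fix up ownership of its runtime directory, and `sys_chroot` for its privilege separation; a one-line comment above the capability rule naming what each group is for would make the next audit of that line much shorter.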
-- 
2.21.0

