* [REFPOLICY PATCH] Added policy module for the oident daemon.
From: Dominick Grift @ 2008-07-26 13:07 UTC (permalink / raw)
To: selinux
Signed-off-by: Dominick Grift <domg472@gmail.com>
---
policy/modules/services/oidentd.fc | 9 +++++
policy/modules/services/oidentd.if | 7 ++++
policy/modules/services/oidentd.te | 68
++++++++++++++++++++++++++++++++++++
3 files changed, 84 insertions(+), 0 deletions(-)
create mode 100644 policy/modules/services/oidentd.fc
create mode 100644 policy/modules/services/oidentd.if
create mode 100644 policy/modules/services/oidentd.te
diff --git a/policy/modules/services/oidentd.fc
b/policy/modules/services/oidentd.fc
new file mode 100644
index 0000000..a9209dc
--- /dev/null
+++ b/policy/modules/services/oidentd.fc
@@ -0,0 +1,9 @@
+
+/etc/oidentd.conf --
gen_context(system_u:object_r:oidentd_config_t,s0)
+/etc/oidentd_masq.conf --
gen_context(system_u:object_r:oidentd_config_t,s0)
+
+ifdef(`distro_redhat', `
+/etc/rc\.d/init\.d/oidentd --
gen_context(system_u:object_r:oidentd_script_exec_t,s0)
+')
+
+/usr/sbin/oidentd -- gen_context(system_u:object_r:oidentd_exec_t,s0)
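Review bot: the `/etc/oidentd.conf` and `/etc/oidentd_masq.conf` entries leave the `.` unescaped; file context paths are regular expressions, so an unescaped dot matches any character, and the entries should read `/etc/oidentd\.conf` and `/etc/oidentd_masq\.conf`, as the `/etc/rc\.d/init\.d/oidentd` entry below already does. The two `gen_context(...)` specifications have also been wrapped onto their own lines, which the file context parser will not accept; check that the mail client is not line-wrapping the patch.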
diff --git a/policy/modules/services/oidentd.if
b/policy/modules/services/oidentd.if
new file mode 100644
index 0000000..a745861
--- /dev/null
+++ b/policy/modules/services/oidentd.if
@@ -0,0 +1,7 @@
+## <summary>SELinux policy for the oident daemon.</summary>
+## <desc>
+## <p>
+## Applies SELinux security to the oident daemon.
+## </p>
+## </desc>
+
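Review bot: the module documentation only restates that this is a policy for the oident daemon; the `<summary>` should say what oidentd is (an ident server for RFC 1413) and the `<desc>` should say what the policy lets an administrator do, for example what the `oidentd_read_unprivileged_user_home_content_files` tunable controls. The file also exports no interfaces, so no other domain can read or manage oidentd files without editing this module.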
diff --git a/policy/modules/services/oidentd.te
b/policy/modules/services/oidentd.te
new file mode 100644
index 0000000..1b770cf
--- /dev/null
+++ b/policy/modules/services/oidentd.te
@@ -0,0 +1,68 @@
+
+policy_module(oidentd, 0.0.1)
+
+########################################
+#
+# oidentd private declarations
+#
+
+## <desc>
+## <p>
+## Allow the oident daemon to read
+## unprivileged user home content files.
+## </p>
+## </desc>
+gen_tunable(oidentd_read_unprivileged_user_home_content_files, false)
+
+type oidentd_t;
+type oidentd_exec_t;
+init_daemon_domain(oidentd_t, oidentd_exec_t)
+
+ifdef(`distro_redhat', `
+type oidentd_script_exec_t;
+init_script_type(oidentd_script_exec_t)
+')
+
+type oidentd_config_t;
+files_config_file(oidentd_config_t)
+
+########################################
+#
+# oidentd private policy
+#
+allow oidentd_t self:capability { setuid setgid };
+allow oidentd_t self:netlink_route_socket { write getattr read bind
create nlmsg_read };
+allow oidentd_t self:netlink_tcpdiag_socket { write read create
nlmsg_read };
+allow oidentd_t self:tcp_socket { setopt read bind create accept write
getattr listen };
+allow oidentd_t self:udp_socket { write read create connect getattr };
+allow oidentd_t self:unix_dgram_socket { create connect };
+
+allow oidentd_t oidentd_config_t:file read_file_perms;
+
+corenet_all_recvfrom_unlabeled(oidentd_t)
+corenet_all_recvfrom_netlabel(oidentd_t)
+corenet_tcp_sendrecv_all_if(oidentd_t)
+corenet_tcp_sendrecv_all_nodes(oidentd_t)
+corenet_tcp_bind_all_nodes(oidentd_t)
+corenet_tcp_bind_auth_port(oidentd_t);
+
+files_read_etc_files(oidentd_t)
+
+kernel_read_kernel_sysctls(oidentd_t)
+kernel_read_network_state(oidentd_t)
+kernel_read_network_state_symlinks(oidentd_t)
+kernel_read_sysctl(oidentd_t)
+
+libs_use_ld_so(oidentd_t)
+libs_use_shared_libs(oidentd_t)
+
+logging_send_syslog_msg(oidentd_t)
+
+miscfiles_read_localization(oidentd_t)
+
+sysnet_read_config(oidentd_t)
+
+tunable_policy(`oidentd_read_unprivileged_user_home_content_files', `
+ # ~/.oidentd.conf
+ userdom_read_unpriv_users_home_content_files(oidentd_t)
+')
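Review bot: `corenet_tcp_bind_auth_port(oidentd_t);` carries a trailing semicolon; interface calls are m4 macros and the stray `;` ends up in the generated policy where it is not a valid statement, so drop it as on the surrounding calls. Two further points: the `ifdef(`distro_redhat', ...)` block uses `init_script_type()`, which has to exist in the tree the patch targets or a `DISTRO=redhat` build fails, and the tunable grants `userdom_read_unpriv_users_home_content_files(oidentd_t)`, that is read access to every file in unprivileged users' home directories, although the comment says only `~/.oidentd.conf` is needed; a dedicated type for that one file would be far narrower.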
--
1.5.5.2
--
Dominick Grift <domg472@gmail.com>
* Re: [REFPOLICY PATCH] Added policy module for the oident daemon.
From: Chris PeBenito @ 2008-08-13 13:08 UTC (permalink / raw)
To: Dominick Grift; +Cc: selinux
On Sat, 2008-07-26 at 15:07 +0200, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <domg472@gmail.com>
The patch looks line-wrapped. Also a couple comments inline.
> ---
> policy/modules/services/oidentd.fc | 9 +++++
> policy/modules/services/oidentd.if | 7 ++++
> policy/modules/services/oidentd.te | 68
> ++++++++++++++++++++++++++++++++++++
> 3 files changed, 84 insertions(+), 0 deletions(-)
> create mode 100644 policy/modules/services/oidentd.fc
> create mode 100644 policy/modules/services/oidentd.if
> create mode 100644 policy/modules/services/oidentd.te
>
> diff --git a/policy/modules/services/oidentd.fc
> b/policy/modules/services/oidentd.fc
> new file mode 100644
> index 0000000..a9209dc
> --- /dev/null
> +++ b/policy/modules/services/oidentd.fc
> @@ -0,0 +1,9 @@
> +
> +/etc/oidentd.conf --
> gen_context(system_u:object_r:oidentd_config_t,s0)
> +/etc/oidentd_masq.conf --
> gen_context(system_u:object_r:oidentd_config_t,s0)
> +
> +ifdef(`distro_redhat', `
> +/etc/rc\.d/init\.d/oidentd --
> gen_context(system_u:object_r:oidentd_script_exec_t,s0)
> +')
> +
> +/usr/sbin/oidentd -- gen_context(system_u:object_r:oidentd_exec_t,s0)
> diff --git a/policy/modules/services/oidentd.if
> b/policy/modules/services/oidentd.if
> new file mode 100644
> index 0000000..a745861
> --- /dev/null
> +++ b/policy/modules/services/oidentd.if
> @@ -0,0 +1,7 @@
> +## <summary>SELinux policy for the oident daemon.</summary>
> +## <desc>
> +## <p>
> +## Applies SELinux security to the oident daemon.
> +## </p>
> +## </desc>
Better documentation please. It's obvious that this is a policy for
oidentd. It would be better to have a one line description of what
oidentd is, in the summary. The desc should have that, plus more
information about what you can do with the policy.
> diff --git a/policy/modules/services/oidentd.te
> b/policy/modules/services/oidentd.te
> new file mode 100644
> index 0000000..1b770cf
> --- /dev/null
> +++ b/policy/modules/services/oidentd.te
> @@ -0,0 +1,68 @@
> +
> +policy_module(oidentd, 0.0.1)
> +
> +########################################
> +#
> +# oidentd private declarations
> +#
> +
> +## <desc>
> +## <p>
> +## Allow the oident daemon to read
> +## unprivileged user home content files.
> +## </p>
> +## </desc>
> +gen_tunable(oidentd_read_unprivileged_user_home_content_files, false)
> +
> +type oidentd_t;
> +type oidentd_exec_t;
> +init_daemon_domain(oidentd_t, oidentd_exec_t)
> +
> +ifdef(`distro_redhat', `
> +type oidentd_script_exec_t;
> +init_script_type(oidentd_script_exec_t)
> +')
This doesn't exist upstream yet. Having the build option is
insufficient because upstream would fail to build if you set
DISTRO=redhat.
> +type oidentd_config_t;
> +files_config_file(oidentd_config_t)
> +
> +########################################
> +#
> +# oidentd private policy
> +#
> +allow oidentd_t self:capability { setuid setgid };
> +allow oidentd_t self:netlink_route_socket { write getattr read bind
> create nlmsg_read };
> +allow oidentd_t self:netlink_tcpdiag_socket { write read create
> nlmsg_read };
> +allow oidentd_t self:tcp_socket { setopt read bind create accept write
> getattr listen };
> +allow oidentd_t self:udp_socket { write read create connect getattr };
> +allow oidentd_t self:unix_dgram_socket { create connect };
> +
> +allow oidentd_t oidentd_config_t:file read_file_perms;
> +
> +corenet_all_recvfrom_unlabeled(oidentd_t)
> +corenet_all_recvfrom_netlabel(oidentd_t)
> +corenet_tcp_sendrecv_all_if(oidentd_t)
> +corenet_tcp_sendrecv_all_nodes(oidentd_t)
> +corenet_tcp_bind_all_nodes(oidentd_t)
> +corenet_tcp_bind_auth_port(oidentd_t);
> +
> +files_read_etc_files(oidentd_t)
> +
> +kernel_read_kernel_sysctls(oidentd_t)
> +kernel_read_network_state(oidentd_t)
> +kernel_read_network_state_symlinks(oidentd_t)
> +kernel_read_sysctl(oidentd_t)
> +
> +libs_use_ld_so(oidentd_t)
> +libs_use_shared_libs(oidentd_t)
> +
> +logging_send_syslog_msg(oidentd_t)
> +
> +miscfiles_read_localization(oidentd_t)
> +
> +sysnet_read_config(oidentd_t)
> +
> +tunable_policy(`oidentd_read_unprivileged_user_home_content_files', `
> + # ~/.oidentd.conf
> + userdom_read_unpriv_users_home_content_files(oidentd_t)
> +')
Why is this last bit needed? Why would a system service be reading a
conf file from a user's home dir?
--
Chris PeBenito
<pebenito@gentoo.org>
Developer,
Hardened Gentoo Linux
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243
* Re: [REFPOLICY PATCH] Added policy module for the oident daemon.
From: Paul Howarth @ 2008-08-13 14:25 UTC (permalink / raw)
To: Chris PeBenito; +Cc: Dominick Grift, selinux
Chris PeBenito wrote:
> On Sat, 2008-07-26 at 15:07 +0200, Dominick Grift wrote:
>> Signed-off-by: Dominick Grift <domg472@gmail.com>
>
> The patch looks line-wrapped. Also a couple comments inline.
...
>> +tunable_policy(`oidentd_read_unprivileged_user_home_content_files', `
>> + # ~/.oidentd.conf
>> + userdom_read_unpriv_users_home_content_files(oidentd_t)
>> +')
>
> Why is this last bit needed? Why would a system service be reading a
> conf file from a user's home dir?
It's reading ~/.oidentd.conf, which allows a user great control over the
responses the daemon returns when queried about connections related to
that user.
http://linux.die.net/man/5/oidentd.conf
Paul.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: [REFPOLICY PATCH] Added policy module for the oident daemon.
From: Dominick Grift @ 2008-08-13 16:46 UTC (permalink / raw)
To: Chris PeBenito; +Cc: selinux
On Wed, 2008-08-13 at 09:08 -0400, Chris PeBenito wrote:
> On Sat, 2008-07-26 at 15:07 +0200, Dominick Grift wrote:
> > Signed-off-by: Dominick Grift <domg472@gmail.com>
>
> The patch looks line-wrapped. Also a couple comments inline.
Attached are the modifications.
--
Dominick Grift <domg472@gmail.com>
[-- Attachment #1.2: oidentd.patch.txt --]
[-- Type: text/x-patch, Size: 3241 bytes --]
diff --git a/policy/modules/services/oidentd.fc b/policy/modules/services/oidentd.fc
new file mode 100644
index 0000000..327b896
--- /dev/null
+++ b/policy/modules/services/oidentd.fc
@@ -0,0 +1,7 @@
+
+/etc/oidentd\.conf -- gen_context(system_u:object_r:oidentd_config_t, s0)
+/etc/oidentd_masq\.conf -- gen_context(system_u:object_r:oidentd_config_t, s0)
+
+/usr/sbin/oidentd -- gen_context(system_u:object_r:oidentd_exec_t, s0)
+
+HOME_DIR/\.oidentd.conf gen_context(system_u:object_r:oidentd_home_t, s0)
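Review bot: the `HOME_DIR/\.oidentd.conf` entry is missing the `--` file type specifier that every other entry carries, so it would also label directories, symlinks and sockets of that name, and its second `.` is unescaped. Since the daemon only reads a regular file here, `HOME_DIR/\.oidentd\.conf -- gen_context(system_u:object_r:oidentd_home_t, s0)` is what is meant.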
diff --git a/policy/modules/services/oidentd.if b/policy/modules/services/oidentd.if
new file mode 100644
index 0000000..e0ad34c
--- /dev/null
+++ b/policy/modules/services/oidentd.if
@@ -0,0 +1,11 @@
+## <summary>SELinux policy for Oident daemon.</summary>
+## <desc>
+## <p>
+## Oident daemon is a server that implements the TCP/IP
+## standard IDENT user identification protocol as
+## specified in the RFC 1413 document.
+## </p>
+## </desc>
+
+
+
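Review bot: this version introduces `oidentd_home_t` for `~/.oidentd.conf`, but the interface file still exports nothing, so user domains have no way to create, edit or relabel a file of that type in their own home directory; a per-role template that gives the user domain manage and relabel permissions on `oidentd_home_t` belongs here. The three trailing `+` blank lines should also go.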
diff --git a/policy/modules/services/oidentd.te b/policy/modules/services/oidentd.te
new file mode 100644
index 0000000..04d8ee2
--- /dev/null
+++ b/policy/modules/services/oidentd.te
@@ -0,0 +1,71 @@
+
+policy_module(oidentd, 0.0.1)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow Oident daemon to read
+## unprivileged user home content files.
+## </p>
+## </desc>
+
+gen_tunable(oidentd_read_unprivileged_user_home_content_files, false)
+
+type oidentd_t;
+type oidentd_exec_t;
+init_daemon_domain(oidentd_t, oidentd_exec_t)
+
+type oidentd_config_t;
+files_config_file(oidentd_config_t)
+
+type oidentd_home_t;
+files_poly_member(oidentd_home_t)
+userdom_user_home_content(user, oidentd_home_t)
+
+########################################
+#
+# Policy
+#
+allow oidentd_t self:capability { setuid setgid };
+allow oidentd_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
+allow oidentd_t self:netlink_tcpdiag_socket { write read create nlmsg_read };
+allow oidentd_t self:tcp_socket { setopt read bind create accept write getattr listen };
+allow oidentd_t self:udp_socket { write read create connect getattr };
+allow oidentd_t self:unix_dgram_socket { create connect };
+
+allow oidentd_t oidentd_config_t:file read_file_perms;
+
+allow oidentd_t oidentd_home_t:file read_file_perms;
+
+corenet_all_recvfrom_unlabeled(oidentd_t)
+corenet_all_recvfrom_netlabel(oidentd_t)
+corenet_tcp_sendrecv_all_if(oidentd_t)
+corenet_tcp_sendrecv_all_nodes(oidentd_t)
+corenet_tcp_bind_all_nodes(oidentd_t)
+corenet_tcp_bind_auth_port(oidentd_t)
+
+files_read_etc_files(oidentd_t)
+
+kernel_read_kernel_sysctls(oidentd_t)
+kernel_read_network_state(oidentd_t)
+kernel_read_network_state_symlinks(oidentd_t)
+kernel_read_sysctl(oidentd_t)
+
+libs_use_ld_so(oidentd_t)
+libs_use_shared_libs(oidentd_t)
+
+logging_send_syslog_msg(oidentd_t)
+
+miscfiles_read_localization(oidentd_t)
+
+sysnet_read_config(oidentd_t)
+
+userdom_search_user_home_dirs(user, oidentd_home_t)
+
+tunable_policy(`oidentd_read_unprivileged_user_home_content_files', `
+ userdom_read_unpriv_users_home_content_files(oidentd_t)
+')
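Review bot: `userdom_search_user_home_dirs(user, oidentd_home_t)` passes a file type where the interface expects the domain doing the searching; it is `oidentd_t` that has to traverse user home directories to reach `~/.oidentd.conf`, so this should be `userdom_search_user_home_dirs(user, oidentd_t)`. Hardcoding the `user` prefix in `userdom_user_home_content(user, oidentd_home_t)` also ties the type to a single user prefix in a daemon module. With the dedicated type in place, the `oidentd_read_unprivileged_user_home_content_files` tunable, which still grants read access to all unprivileged home content, should either go or be documented as a fallback for home files that are not labeled `oidentd_home_t`.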
* Re: [REFPOLICY PATCH] Added policy module for the oident daemon.
From: Dominick Grift @ 2008-08-13 16:50 UTC (permalink / raw)
To: Chris PeBenito; +Cc: selinux
On Wed, 2008-08-13 at 09:08 -0400, Chris PeBenito wrote:
> On Sat, 2008-07-26 at 15:07 +0200, Dominick Grift wrote:
> > Signed-off-by: Dominick Grift <domg472@gmail.com>
>
> The patch looks line-wrapped. Also a couple comments inline.
My last attempt had an error in the file context entry for
oidentd_home_t.
Attached is a new attempt.
--
Dominick Grift <domg472@gmail.com>
[-- Attachment #1.2: oidentd.patch.txt --]
[-- Type: text/x-patch, Size: 3243 bytes --]
diff --git a/policy/modules/services/oidentd.fc b/policy/modules/services/oidentd.fc
new file mode 100644
index 0000000..ee7fcc4
--- /dev/null
+++ b/policy/modules/services/oidentd.fc
@@ -0,0 +1,7 @@
+
+/etc/oidentd\.conf -- gen_context(system_u:object_r:oidentd_config_t, s0)
+/etc/oidentd_masq\.conf -- gen_context(system_u:object_r:oidentd_config_t, s0)
+
+/usr/sbin/oidentd -- gen_context(system_u:object_r:oidentd_exec_t, s0)
+
+HOME_DIR/\.oidentd.conf -- gen_context(system_u:object_r:oidentd_home_t, s0)
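Review bot: the `--` specifier is now present, but the second `.` in `HOME_DIR/\.oidentd.conf` is still an unescaped regex metacharacter; write `HOME_DIR/\.oidentd\.conf`.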
diff --git a/policy/modules/services/oidentd.if b/policy/modules/services/oidentd.if
new file mode 100644
index 0000000..e0ad34c
--- /dev/null
+++ b/policy/modules/services/oidentd.if
@@ -0,0 +1,11 @@
+## <summary>SELinux policy for Oident daemon.</summary>
+## <desc>
+## <p>
+## Oident daemon is a server that implements the TCP/IP
+## standard IDENT user identification protocol as
+## specified in the RFC 1413 document.
+## </p>
+## </desc>
+
+
+
diff --git a/policy/modules/services/oidentd.te b/policy/modules/services/oidentd.te
new file mode 100644
index 0000000..04d8ee2
--- /dev/null
+++ b/policy/modules/services/oidentd.te
@@ -0,0 +1,71 @@
+
+policy_module(oidentd, 0.0.1)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow Oident daemon to read
+## unprivileged user home content files.
+## </p>
+## </desc>
+
+gen_tunable(oidentd_read_unprivileged_user_home_content_files, false)
+
+type oidentd_t;
+type oidentd_exec_t;
+init_daemon_domain(oidentd_t, oidentd_exec_t)
+
+type oidentd_config_t;
+files_config_file(oidentd_config_t)
+
+type oidentd_home_t;
+files_poly_member(oidentd_home_t)
+userdom_user_home_content(user, oidentd_home_t)
+
+########################################
+#
+# Policy
+#
+allow oidentd_t self:capability { setuid setgid };
+allow oidentd_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
+allow oidentd_t self:netlink_tcpdiag_socket { write read create nlmsg_read };
+allow oidentd_t self:tcp_socket { setopt read bind create accept write getattr listen };
+allow oidentd_t self:udp_socket { write read create connect getattr };
+allow oidentd_t self:unix_dgram_socket { create connect };
+
+allow oidentd_t oidentd_config_t:file read_file_perms;
+
+allow oidentd_t oidentd_home_t:file read_file_perms;
+
+corenet_all_recvfrom_unlabeled(oidentd_t)
+corenet_all_recvfrom_netlabel(oidentd_t)
+corenet_tcp_sendrecv_all_if(oidentd_t)
+corenet_tcp_sendrecv_all_nodes(oidentd_t)
+corenet_tcp_bind_all_nodes(oidentd_t)
+corenet_tcp_bind_auth_port(oidentd_t)
+
+files_read_etc_files(oidentd_t)
+
+kernel_read_kernel_sysctls(oidentd_t)
+kernel_read_network_state(oidentd_t)
+kernel_read_network_state_symlinks(oidentd_t)
+kernel_read_sysctl(oidentd_t)
+
+libs_use_ld_so(oidentd_t)
+libs_use_shared_libs(oidentd_t)
+
+logging_send_syslog_msg(oidentd_t)
+
+miscfiles_read_localization(oidentd_t)
+
+sysnet_read_config(oidentd_t)
+
+userdom_search_user_home_dirs(user, oidentd_home_t)
+
+tunable_policy(`oidentd_read_unprivileged_user_home_content_files', `
+ userdom_read_unpriv_users_home_content_files(oidentd_t)
+')
* Re: [REFPOLICY PATCH] Added policy module for the oident daemon.
From: Dominick Grift @ 2008-08-13 17:17 UTC (permalink / raw)
To: Chris PeBenito; +Cc: selinux
On Wed, 2008-08-13 at 09:08 -0400, Chris PeBenito wrote:
> On Sat, 2008-07-26 at 15:07 +0200, Dominick Grift wrote:
> > Signed-off-by: Dominick Grift <domg472@gmail.com>
>
> The patch looks line-wrapped. Also a couple comments inline.
Previous patch didn't have any policy for user domain interaction with
oidentd_home_t.
Attached is my new attempt.
--
Dominick Grift <domg472@gmail.com>
[-- Attachment #1.2: oidentd.patch.txt --]
[-- Type: text/x-patch, Size: 4436 bytes --]
diff --git a/policy/modules/services/oidentd.fc b/policy/modules/services/oidentd.fc
new file mode 100644
index 0000000..ee7fcc4
--- /dev/null
+++ b/policy/modules/services/oidentd.fc
@@ -0,0 +1,7 @@
+
+/etc/oidentd\.conf -- gen_context(system_u:object_r:oidentd_config_t, s0)
+/etc/oidentd_masq\.conf -- gen_context(system_u:object_r:oidentd_config_t, s0)
+
+/usr/sbin/oidentd -- gen_context(system_u:object_r:oidentd_exec_t, s0)
+
+HOME_DIR/\.oidentd.conf -- gen_context(system_u:object_r:oidentd_home_t, s0)
diff --git a/policy/modules/services/oidentd.if b/policy/modules/services/oidentd.if
new file mode 100644
index 0000000..5b85665
--- /dev/null
+++ b/policy/modules/services/oidentd.if
@@ -0,0 +1,63 @@
+## <summary>SELinux policy for Oident daemon.</summary>
+## <desc>
+## <p>
+## Oident daemon is a server that implements the TCP/IP
+## standard IDENT user identification protocol as
+## specified in the RFC 1413 document.
+## </p>
+## </desc>
+
+#######################################
+## <summary>
+## The per role template for the Oidentd module.
+## </summary>
+## <desc>
+## <p>
+## This template creates derived domains which are used
+## for Oident daemon.
+## </p>
+## <p>
+## This template is invoked automatically for each user, and
+## generally does not need to be invoked directly
+## by policy writers.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+## <param name="user_role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+#
+template(`oidentd_per_role_template', `
+ gen_require(`
+ type oidentd_home_t;
+ ')
+
+ ########################################
+ #
+ # Declarations
+ #
+
+ type oidentd_home_t;
+ files_poly_member(oidentd_home_t)
+ userdom_user_home_content($1, oidentd_home_t)
+
+ ########################################
+ #
+ # Policy
+ #
+
+ manage_files_pattern($2, oidentd_home_t, oidentd_home_t)
+ relabel_files_pattern($2, oidentd_home_t, oidentd_home_t)
+')
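Review bot: `oidentd_per_role_template` both requires `type oidentd_home_t;` in its `gen_require` block and declares `type oidentd_home_t;` a few lines later; a per-role template is expanded once for every user role, so the second expansion would redeclare the type, and requiring a type that the same template declares is contradictory. Declare `oidentd_home_t` once in oidentd.te and keep only the `gen_require` here. The `<desc>` also says the template "creates derived domains", which it does not; it labels the user's `~/.oidentd.conf` and grants the user domain manage and relabel permissions on it, and the documentation should say that.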
diff --git a/policy/modules/services/oidentd.te b/policy/modules/services/oidentd.te
new file mode 100644
index 0000000..f049d58
--- /dev/null
+++ b/policy/modules/services/oidentd.te
@@ -0,0 +1,68 @@
+
+policy_module(oidentd, 0.0.1)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow Oident daemon to read
+## unprivileged user home content files.
+## </p>
+## </desc>
+
+gen_tunable(oidentd_read_unprivileged_user_home_content_files, false)
+
+type oidentd_t;
+type oidentd_exec_t;
+init_daemon_domain(oidentd_t, oidentd_exec_t)
+
+type oidentd_config_t;
+files_config_file(oidentd_config_t)
+
+########################################
+#
+# Policy
+#
+
+allow oidentd_t self:capability { setuid setgid };
+allow oidentd_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
+allow oidentd_t self:netlink_tcpdiag_socket { write read create nlmsg_read };
+allow oidentd_t self:tcp_socket { setopt read bind create accept write getattr listen };
+allow oidentd_t self:udp_socket { write read create connect getattr };
+allow oidentd_t self:unix_dgram_socket { create connect };
+
+allow oidentd_t oidentd_config_t:file read_file_perms;
+
+allow oidentd_t oidentd_home_t:file read_file_perms;
+
+corenet_all_recvfrom_unlabeled(oidentd_t)
+corenet_all_recvfrom_netlabel(oidentd_t)
+corenet_tcp_sendrecv_all_if(oidentd_t)
+corenet_tcp_sendrecv_all_nodes(oidentd_t)
+corenet_tcp_bind_all_nodes(oidentd_t)
+corenet_tcp_bind_auth_port(oidentd_t)
+
+files_read_etc_files(oidentd_t)
+
+kernel_read_kernel_sysctls(oidentd_t)
+kernel_read_network_state(oidentd_t)
+kernel_read_network_state_symlinks(oidentd_t)
+kernel_read_sysctl(oidentd_t)
+
+libs_use_ld_so(oidentd_t)
+libs_use_shared_libs(oidentd_t)
+
+logging_send_syslog_msg(oidentd_t)
+
+miscfiles_read_localization(oidentd_t)
+
+sysnet_read_config(oidentd_t)
+
+userdom_search_user_home_dirs(user, oidentd_home_t)
+
+tunable_policy(`oidentd_read_unprivileged_user_home_content_files', `
+ userdom_read_unpriv_users_home_content_files(oidentd_t)
+')
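Review bot: this file uses `oidentd_home_t` in `allow oidentd_t oidentd_home_t:file read_file_perms;` and in `userdom_search_user_home_dirs(user, oidentd_home_t)` but no longer declares it (the declaration moved into the template in oidentd.if), so the .te needs either the `type oidentd_home_t;` declaration back or a `gen_require` for it. The second argument to `userdom_search_user_home_dirs` still has to be the searching domain, `oidentd_t`, not the file type.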
* Re: [REFPOLICY PATCH] Added policy module for the oident daemon.
From: Dominick Grift @ 2008-08-13 17:35 UTC (permalink / raw)
To: Chris PeBenito; +Cc: selinux
On Wed, 2008-08-13 at 09:08 -0400, Chris PeBenito wrote:
> On Sat, 2008-07-26 at 15:07 +0200, Dominick Grift wrote:
> > Signed-off-by: Dominick Grift <domg472@gmail.com>
>
> The patch looks line-wrapped. Also a couple comments inline.
I guess I should not rush so much, because again I made a mistake and
found it too late.
Attached is a new try.
--
Dominick Grift <domg472@gmail.com>
[-- Attachment #1.2: oidentd.patch.txt --]
[-- Type: text/x-patch, Size: 4440 bytes --]
diff --git a/policy/modules/services/oidentd.fc b/policy/modules/services/oidentd.fc
new file mode 100644
index 0000000..ee7fcc4
--- /dev/null
+++ b/policy/modules/services/oidentd.fc
@@ -0,0 +1,7 @@
+
+/etc/oidentd\.conf -- gen_context(system_u:object_r:oidentd_config_t, s0)
+/etc/oidentd_masq\.conf -- gen_context(system_u:object_r:oidentd_config_t, s0)
+
+/usr/sbin/oidentd -- gen_context(system_u:object_r:oidentd_exec_t, s0)
+
+HOME_DIR/\.oidentd.conf -- gen_context(system_u:object_r:oidentd_home_t, s0)
diff --git a/policy/modules/services/oidentd.if b/policy/modules/services/oidentd.if
new file mode 100644
index 0000000..bdf1796
--- /dev/null
+++ b/policy/modules/services/oidentd.if
@@ -0,0 +1,64 @@
+## <summary>SELinux policy for Oident daemon.</summary>
+## <desc>
+## <p>
+## Oident daemon is a server that implements the TCP/IP
+## standard IDENT user identification protocol as
+## specified in the RFC 1413 document.
+## </p>
+## </desc>
+
+#######################################
+## <summary>
+## The per role template for the Oidentd module.
+## </summary>
+## <desc>
+## <p>
+## This template creates derived domains which are used
+## for Oident daemon.
+## </p>
+## <p>
+## This template is invoked automatically for each user, and
+## generally does not need to be invoked directly
+## by policy writers.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+## <param name="user_role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+#
+template(`oidentd_per_role_template', `
+ gen_require(`
+ type oidentd_home_t;
+ ')
+
+ ########################################
+ #
+ # Declarations
+ #
+
+ userdom_user_home_content($1, oidentd_home_t)
+
+ ########################################
+ #
+ # Policy
+ #
+
+ manage_files_pattern($2, oidentd_home_t, oidentd_home_t)
+
+ relabel_files_pattern($2, oidentd_home_t, oidentd_home_t)
+
+ userdom_search_user_home_dirs($1, oidentd_home_t)
+')
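Review bot: `userdom_search_user_home_dirs($1, oidentd_home_t)` inside the template passes a file type as the domain argument; the domain that needs to search user home directories is the daemon, `oidentd_t`, and that rule belongs in oidentd.te, not in a per-role template that is expanded for every user domain. As written, the call grants nothing useful and should be removed from the template.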
diff --git a/policy/modules/services/oidentd.te b/policy/modules/services/oidentd.te
new file mode 100644
index 0000000..0d466b7
--- /dev/null
+++ b/policy/modules/services/oidentd.te
@@ -0,0 +1,69 @@
+
+policy_module(oidentd, 0.0.1)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow Oident daemon to read
+## unprivileged user home content files.
+## </p>
+## </desc>
+
+gen_tunable(oidentd_read_unprivileged_user_home_content_files, false)
+
+type oidentd_t;
+type oidentd_exec_t;
+init_daemon_domain(oidentd_t, oidentd_exec_t)
+
+type oidentd_config_t;
+files_config_file(oidentd_config_t)
+
+type oidentd_home_t;
+files_poly_member(oidentd_home_t)
+
+########################################
+#
+# Policy
+#
+
+allow oidentd_t self:capability { setuid setgid };
+allow oidentd_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
+allow oidentd_t self:netlink_tcpdiag_socket { write read create nlmsg_read };
+allow oidentd_t self:tcp_socket { setopt read bind create accept write getattr listen };
+allow oidentd_t self:udp_socket { write read create connect getattr };
+allow oidentd_t self:unix_dgram_socket { create connect };
+
+allow oidentd_t oidentd_config_t:file read_file_perms;
+
+allow oidentd_t oidentd_home_t:file read_file_perms;
+
+corenet_all_recvfrom_unlabeled(oidentd_t)
+corenet_all_recvfrom_netlabel(oidentd_t)
+corenet_tcp_sendrecv_all_if(oidentd_t)
+corenet_tcp_sendrecv_all_nodes(oidentd_t)
+corenet_tcp_bind_all_nodes(oidentd_t)
+corenet_tcp_bind_auth_port(oidentd_t)
+
+files_read_etc_files(oidentd_t)
+
+kernel_read_kernel_sysctls(oidentd_t)
+kernel_read_network_state(oidentd_t)
+kernel_read_network_state_symlinks(oidentd_t)
+kernel_read_sysctl(oidentd_t)
+
+libs_use_ld_so(oidentd_t)
+libs_use_shared_libs(oidentd_t)
+
+logging_send_syslog_msg(oidentd_t)
+
+miscfiles_read_localization(oidentd_t)
+
+sysnet_read_config(oidentd_t)
+
+tunable_policy(`oidentd_read_unprivileged_user_home_content_files', `
+ userdom_read_unpriv_users_home_content_files(oidentd_t)
+')
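Review bot: `oidentd_t` is allowed `read_file_perms` on `oidentd_home_t`, but nothing in this file lets it search user home directories, so with the `oidentd_read_unprivileged_user_home_content_files` tunable off the daemon cannot reach `~/.oidentd.conf` at all; add `userdom_search_user_home_dirs(user, oidentd_t)` next to the allow rule. With the dedicated type in place, the tunable's `<desc>` should also say that it is a fallback for home content not labeled `oidentd_home_t` rather than the normal way to read `~/.oidentd.conf`.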
* Re: [REFPOLICY PATCH] Added policy module for the oident daemon.
From: Dominick Grift @ 2008-08-13 17:52 UTC (permalink / raw)
To: Chris PeBenito; +Cc: selinux
On Wed, 2008-08-13 at 09:08 -0400, Chris PeBenito wrote:
> On Sat, 2008-07-26 at 15:07 +0200, Dominick Grift wrote:
> > Signed-off-by: Dominick Grift <domg472@gmail.com>
>
> The patch looks line-wrapped. Also a couple comments inline.
My previous commit did something not so smart. I had to revert it.
Also I replaced the manage_file_pattern($2, ...) because it is too
coarse.
--
Dominick Grift <domg472@gmail.com>
[-- Attachment #1.2: oidentd.patch.txt --]
[-- Type: text/x-patch, Size: 4419 bytes --]
diff --git a/policy/modules/services/oidentd.fc b/policy/modules/services/oidentd.fc
new file mode 100644
index 0000000..ee7fcc4
--- /dev/null
+++ b/policy/modules/services/oidentd.fc
@@ -0,0 +1,7 @@
+
+/etc/oidentd\.conf -- gen_context(system_u:object_r:oidentd_config_t, s0)
+/etc/oidentd_masq\.conf -- gen_context(system_u:object_r:oidentd_config_t, s0)
+
+/usr/sbin/oidentd -- gen_context(system_u:object_r:oidentd_exec_t, s0)
+
+HOME_DIR/\.oidentd.conf -- gen_context(system_u:object_r:oidentd_home_t, s0)
diff --git a/policy/modules/services/oidentd.if b/policy/modules/services/oidentd.if
new file mode 100644
index 0000000..93f9ad0
--- /dev/null
+++ b/policy/modules/services/oidentd.if
@@ -0,0 +1,61 @@
+## <summary>SELinux policy for Oident daemon.</summary>
+## <desc>
+## <p>
+## Oident daemon is a server that implements the TCP/IP
+## standard IDENT user identification protocol as
+## specified in the RFC 1413 document.
+## </p>
+## </desc>
+
+#######################################
+## <summary>
+## The per role template for the Oidentd module.
+## </summary>
+## <desc>
+## <p>
+## This template creates derived domains which are used
+## for Oident daemon.
+## </p>
+## <p>
+## This template is invoked automatically for each user, and
+## generally does not need to be invoked directly
+## by policy writers.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+## <param name="user_role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+#
+template(`oidentd_per_role_template', `
+ gen_require(`
+ type oidentd_home_t;
+ ')
+
+ ########################################
+ #
+ # Declarations
+ #
+
+ userdom_user_home_content($1, oidentd_home_t)
+
+ ########################################
+ #
+ # Policy
+ #
+
+ allow $2 oidentd_home_t:file manage_file_perms;
+ allow $2 oidentd_home_t:file relabel_file_perms;
+')
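Review bot: the template body does not match its documentation: the <desc> says it "creates derived domains", but the body declares no per-role type. It only associates the single, shared `oidentd_home_t` with each prefix via `userdom_user_home_content($1, oidentd_home_t)`, so every role's `~/.oidentd.conf` carries the same type and the `$2` domain of one role can manage and relabel the files of every other role. Either derive a `$1_oidentd_home_t` inside the template or document that the type is deliberately shared. Smaller points: `$3` (user_role) is documented but never used, and the two `allow $2 oidentd_home_t:file` rules can be folded into one with `{ manage_file_perms relabel_file_perms }`.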
diff --git a/policy/modules/services/oidentd.te b/policy/modules/services/oidentd.te
new file mode 100644
index 0000000..a65e406
--- /dev/null
+++ b/policy/modules/services/oidentd.te
@@ -0,0 +1,71 @@
+
+policy_module(oidentd, 0.0.1)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow Oident daemon to read
+## unprivileged user home content files.
+## </p>
+## </desc>
+
+gen_tunable(oidentd_read_unprivileged_user_home_content_files, false)
+
+type oidentd_t;
+type oidentd_exec_t;
+init_daemon_domain(oidentd_t, oidentd_exec_t)
+
+type oidentd_config_t;
+files_config_file(oidentd_config_t)
+
+type oidentd_home_t;
+files_poly_member(oidentd_home_t)
+
+########################################
+#
+# Policy
+#
+
+allow oidentd_t self:capability { setuid setgid };
+allow oidentd_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
+allow oidentd_t self:netlink_tcpdiag_socket { write read create nlmsg_read };
+allow oidentd_t self:tcp_socket { setopt read bind create accept write getattr listen };
+allow oidentd_t self:udp_socket { write read create connect getattr };
+allow oidentd_t self:unix_dgram_socket { create connect };
+
+allow oidentd_t oidentd_config_t:file read_file_perms;
+
+allow oidentd_t oidentd_home_t:file read_file_perms;
+
+corenet_all_recvfrom_unlabeled(oidentd_t)
+corenet_all_recvfrom_netlabel(oidentd_t)
+corenet_tcp_sendrecv_all_if(oidentd_t)
+corenet_tcp_sendrecv_all_nodes(oidentd_t)
+corenet_tcp_bind_all_nodes(oidentd_t)
+corenet_tcp_bind_auth_port(oidentd_t)
+
+files_read_etc_files(oidentd_t)
+
+kernel_read_kernel_sysctls(oidentd_t)
+kernel_read_network_state(oidentd_t)
+kernel_read_network_state_symlinks(oidentd_t)
+kernel_read_sysctl(oidentd_t)
+
+libs_use_ld_so(oidentd_t)
+libs_use_shared_libs(oidentd_t)
+
+logging_send_syslog_msg(oidentd_t)
+
+miscfiles_read_localization(oidentd_t)
+
+sysnet_read_config(oidentd_t)
+
+userdom_search_user_home_dirs(user, oidentd_home_t)
+
+tunable_policy(`oidentd_read_unprivileged_user_home_content_files', `
+ userdom_read_unpriv_users_home_content_files(oidentd_t)
+')
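Review bot: `userdom_search_user_home_dirs(user, oidentd_home_t)` passes a file type where the interface expects the domain that receives search access; it should read `userdom_search_user_home_dirs(user, oidentd_t)`, otherwise `oidentd_t` never gets to traverse home directories and the `HOME_DIR/\.oidentd.conf` label from the .fc is unreachable. Two further points on the home-directory access: `allow oidentd_t oidentd_home_t:file read_file_perms;` is unconditional while the directory search is hard-coded to the `user` prefix, so users under any other prefix are not covered; and the tunable `oidentd_read_unprivileged_user_home_content_files` grants read access to all unprivileged users' home content rather than only the oidentd-labelled config file, which is far wider than the daemon needs to answer an ident query.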
* Re: [REFPOLICY PATCH] Added policy module for the oident daemon.
From: Dominick Grift @ 2008-08-14 11:37 UTC (permalink / raw)
To: Chris PeBenito; +Cc: selinux
On Wed, 2008-08-13 at 09:08 -0400, Chris PeBenito wrote:
> On Sat, 2008-07-26 at 15:07 +0200, Dominick Grift wrote:
> > Signed-off-by: Dominick Grift <domg472@gmail.com>
>
> The patch looks line-wrapped. Also a couple comments inline.
Tested and working. My previous attempt called the
userdom_search_homedirs template with the wrong parameters.
This caused the Oident daemon to be unable to search home_root_t (home).
The attached modification fixes the above issue.
--
Dominick Grift <domg472@gmail.com>
diff --git a/policy/modules/services/oidentd.fc b/policy/modules/services/oidentd.fc
new file mode 100644
index 0000000..ee7fcc4
--- /dev/null
+++ b/policy/modules/services/oidentd.fc
@@ -0,0 +1,7 @@
+
+/etc/oidentd\.conf -- gen_context(system_u:object_r:oidentd_config_t, s0)
+/etc/oidentd_masq\.conf -- gen_context(system_u:object_r:oidentd_config_t, s0)
+
+/usr/sbin/oidentd -- gen_context(system_u:object_r:oidentd_exec_t, s0)
+
+HOME_DIR/\.oidentd.conf -- gen_context(system_u:object_r:oidentd_home_t, s0)
diff --git a/policy/modules/services/oidentd.if b/policy/modules/services/oidentd.if
new file mode 100644
index 0000000..93f9ad0
--- /dev/null
+++ b/policy/modules/services/oidentd.if
@@ -0,0 +1,61 @@
+## <summary>SELinux policy for Oident daemon.</summary>
+## <desc>
+## <p>
+## Oident daemon is a server that implements the TCP/IP
+## standard IDENT user identification protocol as
+## specified in the RFC 1413 document.
+## </p>
+## </desc>
+
+#######################################
+## <summary>
+## The per role template for the Oidentd module.
+## </summary>
+## <desc>
+## <p>
+## This template creates derived domains which are used
+## for Oident daemon.
+## </p>
+## <p>
+## This template is invoked automatically for each user, and
+## generally does not need to be invoked directly
+## by policy writers.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+## <param name="user_role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+#
+template(`oidentd_per_role_template', `
+ gen_require(`
+ type oidentd_home_t;
+ ')
+
+ ########################################
+ #
+ # Declarations
+ #
+
+ userdom_user_home_content($1, oidentd_home_t)
+
+ ########################################
+ #
+ # Policy
+ #
+
+ allow $2 oidentd_home_t:file manage_file_perms;
+ allow $2 oidentd_home_t:file relabel_file_perms;
+')
diff --git a/policy/modules/services/oidentd.te b/policy/modules/services/oidentd.te
new file mode 100644
index 0000000..bd58474
--- /dev/null
+++ b/policy/modules/services/oidentd.te
@@ -0,0 +1,71 @@
+
+policy_module(oidentd, 0.0.1)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow Oident daemon to read
+## unprivileged user home content files.
+## </p>
+## </desc>
+
+gen_tunable(oidentd_read_unprivileged_user_home_content_files, false)
+
+type oidentd_t;
+type oidentd_exec_t;
+init_daemon_domain(oidentd_t, oidentd_exec_t)
+
+type oidentd_config_t;
+files_config_file(oidentd_config_t)
+
+type oidentd_home_t;
+files_poly_member(oidentd_home_t)
+
+########################################
+#
+# Policy
+#
+
+allow oidentd_t self:capability { setuid setgid };
+allow oidentd_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
+allow oidentd_t self:netlink_tcpdiag_socket { write read create nlmsg_read };
+allow oidentd_t self:tcp_socket { setopt read bind create accept write getattr listen };
+allow oidentd_t self:udp_socket { write read create connect getattr };
+allow oidentd_t self:unix_dgram_socket { create connect };
+
+allow oidentd_t oidentd_config_t:file read_file_perms;
+
+allow oidentd_t oidentd_home_t:file read_file_perms;
+
+corenet_all_recvfrom_unlabeled(oidentd_t)
+corenet_all_recvfrom_netlabel(oidentd_t)
+corenet_tcp_sendrecv_all_if(oidentd_t)
+corenet_tcp_sendrecv_all_nodes(oidentd_t)
+corenet_tcp_bind_all_nodes(oidentd_t)
+corenet_tcp_bind_auth_port(oidentd_t)
+
+files_read_etc_files(oidentd_t)
+
+kernel_read_kernel_sysctls(oidentd_t)
+kernel_read_network_state(oidentd_t)
+kernel_read_network_state_symlinks(oidentd_t)
+kernel_read_sysctl(oidentd_t)
+
+libs_use_ld_so(oidentd_t)
+libs_use_shared_libs(oidentd_t)
+
+logging_send_syslog_msg(oidentd_t)
+
+miscfiles_read_localization(oidentd_t)
+
+sysnet_read_config(oidentd_t)
+
+userdom_search_user_home_dirs(user, oidentd_t)
+
+tunable_policy(`oidentd_read_unprivileged_user_home_content_files', `
+ userdom_read_unpriv_users_home_content_files(oidentd_t)
+')
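Review bot: the second argument of `userdom_search_user_home_dirs` is now the domain, which fixes the search failure, but the call still hard-codes the `user` prefix, so `~/.oidentd.conf` for accounts under any other prefix remains unreachable even though the template in oidentd.if is per-role. Also `allow oidentd_t oidentd_home_t:file read_file_perms;` is granted unconditionally while the tunable `oidentd_read_unprivileged_user_home_content_files` opens all unprivileged home content; consider gating the oidentd-labelled read and the home-dir search together, and dropping the broad home-content read, since the daemon only needs its own config file.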
* Re: [REFPOLICY PATCH] Added policy module for the oident daemon.
From: Dominick Grift @ 2008-08-14 12:36 UTC (permalink / raw)
To: Chris PeBenito; +Cc: selinux
On Wed, 2008-08-13 at 09:08 -0400, Chris PeBenito wrote:
> On Sat, 2008-07-26 at 15:07 +0200, Dominick Grift wrote:
> > Signed-off-by: Dominick Grift <domg472@gmail.com>
>
> The patch looks line-wrapped. Also a couple comments inline.
This edition replaces oidentd_read_unprivileged_user_home_content_files
with allow_oidentd_read_oidentd_home_content.
This complicates the policy a bit more, so I included an
oidentd_selinux manual page for clarity.
--
Dominick Grift <domg472@gmail.com>
diff --git a/man/man8/oidentd_selinux.8 b/man/man8/oidentd_selinux.8
new file mode 100644
index 0000000..2c204aa
--- /dev/null
+++ b/man/man8/oidentd_selinux.8
@@ -0,0 +1,38 @@
+.TH "oidentd_selinux" "8" "14 Aug 2008" "dgrift@gmail.com" "Oident deamon SELinux policy documentation"
+.de EX
+.nf
+.ft CW
+..
+.de EE
+.ft R
+.fi
+..
+.SH "NAME"
+oidentd_selinux \- Security-Enhanced Linux policy for Oident daemon.
+.SH "DESCRIPTION"
+.PP
+Security-Enhanced Linux provides security for Oidentd daemon via flexible mandatory access control.
+.SH FILE_CONTEXTS
+.PP
+SELinux requires files to have a files type. Users can use the chcon command to change certain files types. Policy governs the access that daemons have to files.
+.TP
+Allow Oident daemon to read ~/.oidentd.conf by adding the oidentd_home_t files type to the file and by restoring the files type. This also requires the allow_oidentd_read_oidentd_home_content boolean to be set.
+.PP
+.B
+chcon -t oidentd_home_t ~/.oidentd.conf
+.SH BOOLEANS
+.PP
+SELinux policy is based on least privilege required and may also be customizable by setting a boolean with the setsebool command.
+.TP
+Allow Oident daemon to read Oident daemon home content with the oidentd_home_t files type.
+.PP
+.B
+setsebool -P allow_oidentd_read_oidentd_home_content on
+.TP
+system-config-selinux is a GUI tool available to customize SELinux policy settings.
+.SH AUTHOR
+.PP
+This manual page was written by Dominick Grift <domg472@gmail.com>.
+.SH "SEE ALSO"
+.PP
+selinux(8), oidentd(8), oidentd.conf(8), setsebool(8), chcon(8)
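Review bot: the FILE_CONTEXTS section is misleading about how the label is applied: the .fc in this same patch already ships a `HOME_DIR/\.oidentd.conf` entry, so `restorecon ~/.oidentd.conf` applies `oidentd_home_t` on its own and the `chcon -t oidentd_home_t` step is only needed for a config kept at some other path; the text also says "by restoring the files type" but then shows chcon, which is the opposite operation. Wording and consistency: "deamon" in the .TH line should be "daemon"; the .TH line gives `dgrift@gmail.com` while AUTHOR gives `domg472@gmail.com`; DESCRIPTION says "Oidentd daemon" where every other line says "Oident daemon"; and "files type" should be "file type" throughout.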
diff --git a/policy/modules/services/oidentd.fc b/policy/modules/services/oidentd.fc
new file mode 100644
index 0000000..ee7fcc4
--- /dev/null
+++ b/policy/modules/services/oidentd.fc
@@ -0,0 +1,7 @@
+
+/etc/oidentd\.conf -- gen_context(system_u:object_r:oidentd_config_t, s0)
+/etc/oidentd_masq\.conf -- gen_context(system_u:object_r:oidentd_config_t, s0)
+
+/usr/sbin/oidentd -- gen_context(system_u:object_r:oidentd_exec_t, s0)
+
+HOME_DIR/\.oidentd.conf -- gen_context(system_u:object_r:oidentd_home_t, s0)
diff --git a/policy/modules/services/oidentd.if b/policy/modules/services/oidentd.if
new file mode 100644
index 0000000..93f9ad0
--- /dev/null
+++ b/policy/modules/services/oidentd.if
@@ -0,0 +1,61 @@
+## <summary>SELinux policy for Oident daemon.</summary>
+## <desc>
+## <p>
+## Oident daemon is a server that implements the TCP/IP
+## standard IDENT user identification protocol as
+## specified in the RFC 1413 document.
+## </p>
+## </desc>
+
+#######################################
+## <summary>
+## The per role template for the Oidentd module.
+## </summary>
+## <desc>
+## <p>
+## This template creates derived domains which are used
+## for Oident daemon.
+## </p>
+## <p>
+## This template is invoked automatically for each user, and
+## generally does not need to be invoked directly
+## by policy writers.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+## <param name="user_role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+#
+template(`oidentd_per_role_template', `
+ gen_require(`
+ type oidentd_home_t;
+ ')
+
+ ########################################
+ #
+ # Declarations
+ #
+
+ userdom_user_home_content($1, oidentd_home_t)
+
+ ########################################
+ #
+ # Policy
+ #
+
+ allow $2 oidentd_home_t:file manage_file_perms;
+ allow $2 oidentd_home_t:file relabel_file_perms;
+')
diff --git a/policy/modules/services/oidentd.te b/policy/modules/services/oidentd.te
new file mode 100644
index 0000000..12c914e
--- /dev/null
+++ b/policy/modules/services/oidentd.te
@@ -0,0 +1,68 @@
+
+policy_module(oidentd, 0.0.1)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow Oident daemon to read
+## oidentd daemon home files.
+## </p>
+## </desc>
+
+gen_tunable(allow_oidentd_read_oidentd_home_content, false)
+
+type oidentd_t;
+type oidentd_exec_t;
+init_daemon_domain(oidentd_t, oidentd_exec_t)
+
+type oidentd_config_t;
+files_config_file(oidentd_config_t)
+
+type oidentd_home_t;
+files_poly_member(oidentd_home_t)
+
+########################################
+#
+# Policy
+#
+
+allow oidentd_t self:capability { setuid setgid };
+allow oidentd_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
+allow oidentd_t self:netlink_tcpdiag_socket { write read create nlmsg_read };
+allow oidentd_t self:tcp_socket { setopt read bind create accept write getattr listen };
+allow oidentd_t self:udp_socket { write read create connect getattr };
+allow oidentd_t self:unix_dgram_socket { create connect };
+
+allow oidentd_t oidentd_config_t:file read_file_perms;
+
+corenet_all_recvfrom_unlabeled(oidentd_t)
+corenet_all_recvfrom_netlabel(oidentd_t)
+corenet_tcp_sendrecv_all_if(oidentd_t)
+corenet_tcp_sendrecv_all_nodes(oidentd_t)
+corenet_tcp_bind_all_nodes(oidentd_t)
+corenet_tcp_bind_auth_port(oidentd_t)
+
+files_read_etc_files(oidentd_t)
+
+kernel_read_kernel_sysctls(oidentd_t)
+kernel_read_network_state(oidentd_t)
+kernel_read_network_state_symlinks(oidentd_t)
+kernel_read_sysctl(oidentd_t)
+
+libs_use_ld_so(oidentd_t)
+libs_use_shared_libs(oidentd_t)
+
+logging_send_syslog_msg(oidentd_t)
+
+miscfiles_read_localization(oidentd_t)
+
+sysnet_read_config(oidentd_t)
+
+tunable_policy(`allow_oidentd_read_oidentd_home_content', `
+ allow oidentd_t oidentd_home_t:file read_file_perms;
+ userdom_search_user_home_dirs(user, oidentd_t)
+')
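Review bot: moving `allow oidentd_t oidentd_home_t:file read_file_perms;` inside the tunable is the right direction, but `userdom_search_user_home_dirs(user, oidentd_t)` still hard-codes the `user` prefix, so with the boolean on, only `user_*` home directories can be searched and `~/.oidentd.conf` under other prefixes is never found; the per-role template in oidentd.if suggests the search should be granted per prefix as well. Note also that, because the .fc labels `HOME_DIR/\.oidentd.conf` as `oidentd_home_t` and that type is only ever readable by `oidentd_t` inside this block, the boolean defaulting to `false` means a freshly installed system silently ignores users' config files; the man page should say so.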
* Re: [REFPOLICY PATCH] Added policy module for the oident daemon.
From: Dominick Grift @ 2008-08-14 13:28 UTC (permalink / raw)
To: Chris PeBenito; +Cc: selinux
On Wed, 2008-08-13 at 09:08 -0400, Chris PeBenito wrote:
> On Sat, 2008-07-26 at 15:07 +0200, Dominick Grift wrote:
> > Signed-off-by: Dominick Grift <domg472@gmail.com>
>
> The patch looks line-wrapped. Also a couple comments inline.
This modification adds CIFS, NIS, NFS support.
--
Dominick Grift <domg472@gmail.com>
diff --git a/man/man8/oidentd_selinux.8 b/man/man8/oidentd_selinux.8
new file mode 100644
index 0000000..a880437
--- /dev/null
+++ b/man/man8/oidentd_selinux.8
@@ -0,0 +1,48 @@
+.TH "oidentd_selinux" "8" "14 Aug 2008" "domg472@gmail.com" "Oident deamon SELinux policy documentation"
+.de EX
+.nf
+.ft CW
+..
+.de EE
+.ft R
+.fi
+..
+.SH "NAME"
+oidentd_selinux \- Security-Enhanced Linux policy for Oident daemon.
+.SH "DESCRIPTION"
+.PP
+Security-Enhanced Linux provides security for Oident daemon via flexible mandatory access control.
+.SH FILE_CONTEXTS
+.PP
+SELinux requires files to have a files type. Users can use the chcon command to change certain files types. Policy governs the access that daemons have to files.
+.TP
+Allow Oident daemon to read ~/.oidentd.conf by adding the oidentd_home_t files type to the file and by restoring the files type. This also requires the allow_oidentd_read_oidentd_home_content boolean to be set.
+.PP
+.B
+chcon -t oidentd_home_t ~/.oidentd.conf
+.SH BOOLEANS
+.PP
+SELinux policy is based on least privilege required and may also be customizable by setting a boolean with the setsebool command.
+.TP
+Allow Oident daemon to read Oident daemon home content with the oidentd_home_t files type.
+.PP
+.B
+setsebool -P allow_oidentd_read_oidentd_home_content on
+.TP
+Allow Oident daemon to use CIFS for public file transfer services.
+.PP
+.B
+setsebool -P allow_oidentd_use_cifs on
+.TP
+Allow Oident daemon to use NFS for public file transfer services.
+.PP
+.B
+setsebool -P allow_oidentd_use_nfs on
+.TP
+system-config-selinux is a GUI tool available to customize SELinux policy settings.
+.SH AUTHOR
+.PP
+This manual page was written by Dominick Grift <domg472@gmail.com>.
+.SH "SEE ALSO"
+.PP
+selinux(8), oidentd(8), oidentd.conf(8), setsebool(8), chcon(8)
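Review bot: the two new BOOLEANS entries describe `allow_oidentd_use_cifs` and `allow_oidentd_use_nfs` as being "for public file transfer services", which does not describe what oidentd does with those filesystems; per the .te hunk below, the booleans let the daemon list and read CIFS- or NFS-mounted home directories so it can find `~/.oidentd.conf`, and the text should say that. The .TH line still spells "deamon", and the chcon/restorecon inconsistency in FILE_CONTEXTS (the .fc already labels `HOME_DIR/\.oidentd.conf`, so restorecon alone suffices) is unchanged from the previous revision.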
diff --git a/policy/modules/services/oidentd.fc b/policy/modules/services/oidentd.fc
new file mode 100644
index 0000000..ee7fcc4
--- /dev/null
+++ b/policy/modules/services/oidentd.fc
@@ -0,0 +1,7 @@
+
+/etc/oidentd\.conf -- gen_context(system_u:object_r:oidentd_config_t, s0)
+/etc/oidentd_masq\.conf -- gen_context(system_u:object_r:oidentd_config_t, s0)
+
+/usr/sbin/oidentd -- gen_context(system_u:object_r:oidentd_exec_t, s0)
+
+HOME_DIR/\.oidentd.conf -- gen_context(system_u:object_r:oidentd_home_t, s0)
diff --git a/policy/modules/services/oidentd.if b/policy/modules/services/oidentd.if
new file mode 100644
index 0000000..93f9ad0
--- /dev/null
+++ b/policy/modules/services/oidentd.if
@@ -0,0 +1,61 @@
+## <summary>SELinux policy for Oident daemon.</summary>
+## <desc>
+## <p>
+## Oident daemon is a server that implements the TCP/IP
+## standard IDENT user identification protocol as
+## specified in the RFC 1413 document.
+## </p>
+## </desc>
+
+#######################################
+## <summary>
+## The per role template for the Oidentd module.
+## </summary>
+## <desc>
+## <p>
+## This template creates derived domains which are used
+## for Oident daemon.
+## </p>
+## <p>
+## This template is invoked automatically for each user, and
+## generally does not need to be invoked directly
+## by policy writers.
+## </p>
+## </desc>
+## <param name="userdomain_prefix">
+## <summary>
+## The prefix of the user domain (e.g., user
+## is the prefix for user_t).
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+## <param name="user_role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+#
+template(`oidentd_per_role_template', `
+ gen_require(`
+ type oidentd_home_t;
+ ')
+
+ ########################################
+ #
+ # Declarations
+ #
+
+ userdom_user_home_content($1, oidentd_home_t)
+
+ ########################################
+ #
+ # Policy
+ #
+
+ allow $2 oidentd_home_t:file manage_file_perms;
+ allow $2 oidentd_home_t:file relabel_file_perms;
+')
diff --git a/policy/modules/services/oidentd.te b/policy/modules/services/oidentd.te
new file mode 100644
index 0000000..c8bcfc3
--- /dev/null
+++ b/policy/modules/services/oidentd.te
@@ -0,0 +1,102 @@
+
+policy_module(oidentd, 0.0.1)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow Oident daemon to read
+## oidentd daemon home files.
+## </p>
+## </desc>
+
+gen_tunable(allow_oidentd_read_oidentd_home_content, false)
+
+## <desc>
+## <p>
+## Allow Oident daemon to use cifs
+## used for public file transfer services.
+## </p>
+## </desc>
+
+gen_tunable(allow_oidentd_use_cifs, false)
+
+## <desc>
+## <p>
+## Allow Oident daemon to use nfs
+## used for public file transfer services.
+## </p>
+## </desc>
+
+gen_tunable(allow_oidentd_use_nfs, false)
+
+type oidentd_t;
+type oidentd_exec_t;
+init_daemon_domain(oidentd_t, oidentd_exec_t)
+
+type oidentd_config_t;
+files_config_file(oidentd_config_t)
+
+type oidentd_home_t;
+files_poly_member(oidentd_home_t)
+
+########################################
+#
+# Policy
+#
+
+allow oidentd_t self:capability { setuid setgid };
+allow oidentd_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
+allow oidentd_t self:netlink_tcpdiag_socket { write read create nlmsg_read };
+allow oidentd_t self:tcp_socket { setopt read bind create accept write getattr listen };
+allow oidentd_t self:udp_socket { write read create connect getattr };
+allow oidentd_t self:unix_dgram_socket { create connect };
+
+allow oidentd_t oidentd_config_t:file read_file_perms;
+
+corenet_all_recvfrom_unlabeled(oidentd_t)
+corenet_all_recvfrom_netlabel(oidentd_t)
+corenet_tcp_sendrecv_all_if(oidentd_t)
+corenet_tcp_sendrecv_all_nodes(oidentd_t)
+corenet_tcp_bind_all_nodes(oidentd_t)
+corenet_tcp_bind_auth_port(oidentd_t)
+
+files_read_etc_files(oidentd_t)
+
+fs_search_auto_mountpoints(oidentd_t)
+
+kernel_read_kernel_sysctls(oidentd_t)
+kernel_read_network_state(oidentd_t)
+kernel_read_network_state_symlinks(oidentd_t)
+kernel_read_sysctl(oidentd_t)
+
+libs_use_ld_so(oidentd_t)
+libs_use_shared_libs(oidentd_t)
+
+logging_send_syslog_msg(oidentd_t)
+
+miscfiles_read_localization(oidentd_t)
+
+sysnet_read_config(oidentd_t)
+
+optional_policy(`
+ nis_use_ypbind(oidentd_t)
+')
+
+tunable_policy(`allow_oidentd_read_oidentd_home_content', `
+ allow oidentd_t oidentd_home_t:file read_file_perms;
+ userdom_search_user_home_dirs(user, oidentd_t)
+')
+
+tunable_policy(`allow_oidentd_use_cifs', `
+ fs_list_cifs(oidentd_t)
+ fs_read_cifs_files(oidentd_t)
+')
+
+tunable_policy(`allow_oidentd_use_nfs', `
+ fs_list_nfs(oidentd_t)
+ fs_read_nfs_files(oidentd_t)
+')
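Review bot: the two new tunables duplicate existing refpolicy tunables: reading home directories on NFS and CIFS is already governed by `use_nfs_home_dirs` and `use_samba_home_dirs`, so these blocks should be conditioned on those rather than introducing `allow_oidentd_use_nfs` and `allow_oidentd_use_cifs`. Also note what the blocks actually grant: `fs_read_nfs_files` and `fs_read_cifs_files` allow reading every file on those mounts, not just `~/.oidentd.conf`, because network filesystems carry a single type; that is unavoidable, but it is why the grant belongs behind the system-wide home-dir tunables. `fs_search_auto_mountpoints(oidentd_t)` is unconditional even though it only serves the NFS/CIFS cases, and the tunable descriptions read "use cifs used for" / "use nfs used for" (doubled "use").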
* [refpolicy] [REFPOLICY PATCH] Added policy module for the oident daemon.
From: Christopher J. PeBenito @ 2008-08-21 13:09 UTC (permalink / raw)
To: refpolicy
On Thu, 2008-08-14 at 15:28 +0200, Dominick Grift wrote:
> On Wed, 2008-08-13 at 09:08 -0400, Chris PeBenito wrote:
> > On Sat, 2008-07-26 at 15:07 +0200, Dominick Grift wrote:
> > > Signed-off-by: Dominick Grift <domg472@gmail.com>
> >
> > The patch looks line-wrapped. Also a couple comments inline.
>
> This modification adds CIFS, NIS, NFS support.
Do you really think that reading the ~/.oidentd.conf needs to be
tunable? I was mainly concerned about oidentd reading user_home_t
files, for example, since it exposes the whole user's home directory. A
config file explicitly labeled for reading by oidentd should be ok.
The CIFS and NFS blocks should use the existing use_nfs_home_dirs and
use_samba_home_dirs tunables.
The per-role template should create a $1_oidentd_home_t type, so role
separation is preserved.
> diff --git a/man/man8/oidentd_selinux.8 b/man/man8/oidentd_selinux.8
> new file mode 100644
> index 0000000..a880437
> --- /dev/null
> +++ b/man/man8/oidentd_selinux.8
> @@ -0,0 +1,48 @@
> +.TH "oidentd_selinux" "8" "14 Aug 2008" "domg472 at gmail.com" "Oident deamon SELinux policy documentation"
> +.de EX
> +.nf
> +.ft CW
> +..
> +.de EE
> +.ft R
> +.fi
> +..
> +.SH "NAME"
> +oidentd_selinux \- Security-Enhanced Linux policy for Oident daemon.
> +.SH "DESCRIPTION"
> +.PP
> +Security-Enhanced Linux provides security for Oident daemon via flexible mandatory access control.
> +.SH FILE_CONTEXTS
> +.PP
> +SELinux requires files to have a files type. Users can use the chcon command to change certain files types. Policy governs the access that daemons have to files.
> +.TP
> +Allow Oident daemon to read ~/.oidentd.conf by adding the oidentd_home_t files type to the file and by restoring the files type. This also requires the allow_oidentd_read_oidentd_home_content boolean to be set.
> +.PP
> +.B
> +chcon -t oidentd_home_t ~/.oidentd.conf
> +.SH BOOLEANS
> +.PP
> +SELinux policy is based on least privilege required and may also be customizable by setting a boolean with the setsebool command.
> +.TP
> +Allow Oident daemon to read Oident daemon home content with the oidentd_home_t files type.
> +.PP
> +.B
> +setsebool -P allow_oidentd_read_oidentd_home_content on
> +.TP
> +Allow Oident daemon to use CIFS for public file transfer services.
> +.PP
> +.B
> +setsebool -P allow_oidentd_use_cifs on
> +.TP
> +Allow Oident daemon to use NFS for public file transfer services.
> +.PP
> +.B
> +setsebool -P allow_oidentd_use_nfs on
> +.TP
> +system-config-selinux is a GUI tool available to customize SELinux policy settings.
> +.SH AUTHOR
> +.PP
> +This manual page was written by Dominick Grift <domg472@gmail.com>.
> +.SH "SEE ALSO"
> +.PP
> +selinux(8), oidentd(8), oidentd.conf(8), setsebool(8), chcon(8)
> diff --git a/policy/modules/services/oidentd.fc b/policy/modules/services/oidentd.fc
> new file mode 100644
> index 0000000..ee7fcc4
> --- /dev/null
> +++ b/policy/modules/services/oidentd.fc
> @@ -0,0 +1,7 @@
> +
> +/etc/oidentd\.conf -- gen_context(system_u:object_r:oidentd_config_t, s0)
> +/etc/oidentd_masq\.conf -- gen_context(system_u:object_r:oidentd_config_t, s0)
> +
> +/usr/sbin/oidentd -- gen_context(system_u:object_r:oidentd_exec_t, s0)
> +
> +HOME_DIR/\.oidentd.conf -- gen_context(system_u:object_r:oidentd_home_t, s0)
> diff --git a/policy/modules/services/oidentd.if b/policy/modules/services/oidentd.if
> new file mode 100644
> index 0000000..93f9ad0
> --- /dev/null
> +++ b/policy/modules/services/oidentd.if
> @@ -0,0 +1,61 @@
> +## <summary>SELinux policy for Oident daemon.</summary>
> +## <desc>
> +## <p>
> +## Oident daemon is a server that implements the TCP/IP
> +## standard IDENT user identification protocol as
> +## specified in the RFC 1413 document.
> +## </p>
> +## </desc>
> +
> +#######################################
> +## <summary>
> +## The per role template for the Oidentd module.
> +## </summary>
> +## <desc>
> +## <p>
> +## This template creates derived domains which are used
> +## for Oident daemon.
> +## </p>
> +## <p>
> +## This template is invoked automatically for each user, and
> +## generally does not need to be invoked directly
> +## by policy writers.
> +## </p>
> +## </desc>
> +## <param name="userdomain_prefix">
> +## <summary>
> +## The prefix of the user domain (e.g., user
> +## is the prefix for user_t).
> +## </summary>
> +## </param>
> +## <param name="user_domain">
> +## <summary>
> +## The type of the user domain.
> +## </summary>
> +## </param>
> +## <param name="user_role">
> +## <summary>
> +## The role associated with the user domain.
> +## </summary>
> +## </param>
> +#
> +template(`oidentd_per_role_template', `
> + gen_require(`
> + type oidentd_home_t;
> + ')
> +
> + ########################################
> + #
> + # Declarations
> + #
> +
> + userdom_user_home_content($1, oidentd_home_t)
> +
> + ########################################
> + #
> + # Policy
> + #
> +
> + allow $2 oidentd_home_t:file manage_file_perms;
> + allow $2 oidentd_home_t:file relabel_file_perms;
> +')
> diff --git a/policy/modules/services/oidentd.te b/policy/modules/services/oidentd.te
> new file mode 100644
> index 0000000..c8bcfc3
> --- /dev/null
> +++ b/policy/modules/services/oidentd.te
> @@ -0,0 +1,102 @@
> +
> +policy_module(oidentd, 0.0.1)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +## <desc>
> +## <p>
> +## Allow Oident daemon to read
> +## oidentd daemon home files.
> +## </p>
> +## </desc>
> +
> +gen_tunable(allow_oidentd_read_oidentd_home_content, false)
> +
> +## <desc>
> +## <p>
> +## Allow Oident daemon to use cifs
> +## used for public file transfer services.
> +## </p>
> +## </desc>
> +
> +gen_tunable(allow_oidentd_use_cifs, false)
> +
> +## <desc>
> +## <p>
> +## Allow Oident daemon to use nfs
> +## used for public file transfer services.
> +## </p>
> +## </desc>
> +
> +gen_tunable(allow_oidentd_use_nfs, false)
> +
> +type oidentd_t;
> +type oidentd_exec_t;
> +init_daemon_domain(oidentd_t, oidentd_exec_t)
> +
> +type oidentd_config_t;
> +files_config_file(oidentd_config_t)
> +
> +type oidentd_home_t;
> +files_poly_member(oidentd_home_t)
> +
> +########################################
> +#
> +# Policy
> +#
> +
> +allow oidentd_t self:capability { setuid setgid };
> +allow oidentd_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
> +allow oidentd_t self:netlink_tcpdiag_socket { write read create nlmsg_read };
> +allow oidentd_t self:tcp_socket { setopt read bind create accept write getattr listen };
> +allow oidentd_t self:udp_socket { write read create connect getattr };
> +allow oidentd_t self:unix_dgram_socket { create connect };
> +
> +allow oidentd_t oidentd_config_t:file read_file_perms;
> +
> +corenet_all_recvfrom_unlabeled(oidentd_t)
> +corenet_all_recvfrom_netlabel(oidentd_t)
> +corenet_tcp_sendrecv_all_if(oidentd_t)
> +corenet_tcp_sendrecv_all_nodes(oidentd_t)
> +corenet_tcp_bind_all_nodes(oidentd_t)
> +corenet_tcp_bind_auth_port(oidentd_t)
> +
> +files_read_etc_files(oidentd_t)
> +
> +fs_search_auto_mountpoints(oidentd_t)
> +
> +kernel_read_kernel_sysctls(oidentd_t)
> +kernel_read_network_state(oidentd_t)
> +kernel_read_network_state_symlinks(oidentd_t)
> +kernel_read_sysctl(oidentd_t)
> +
> +libs_use_ld_so(oidentd_t)
> +libs_use_shared_libs(oidentd_t)
> +
> +logging_send_syslog_msg(oidentd_t)
> +
> +miscfiles_read_localization(oidentd_t)
> +
> +sysnet_read_config(oidentd_t)
> +
> +optional_policy(`
> + nis_use_ypbind(oidentd_t)
> +')
> +
> +tunable_policy(`allow_oidentd_read_oidentd_home_content', `
> + allow oidentd_t oidentd_home_t:file read_file_perms;
> + userdom_search_user_home_dirs(user, oidentd_t)
> +')
> +
> +tunable_policy(`allow_oidentd_use_cifs', `
> + fs_list_cifs(oidentd_t)
> + fs_read_cifs_files(oidentd_t)
> +')
> +
> +tunable_policy(`allow_oidentd_use_nfs', `
> + fs_list_nfs(oidentd_t)
> + fs_read_nfs_files(oidentd_t)
> +')
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
* [refpolicy] [REFPOLICY PATCH] Added policy module for the oident daemon.
From: Dominick Grift @ 2008-08-21 14:55 UTC (permalink / raw)
To: refpolicy
On Thu, 2008-08-21 at 09:09 -0400, Christopher J. PeBenito wrote:
> Do you really think that reading the ~/.oidentd.conf needs to be
> tunable? I was mainly concerned about oidentd reading user_home_t
> files, for example, since it exposes the whole user's home directory. A
> config file explictly labeled for reading by oidentd should be ok.
I did this in the spirit of least privilege. ~/.oidentd.conf is
optional. By implementing this boolean we give operators a choice to
fully disallow access to user home dirs.
Attached version has the requested changes applied.
--
Dominick Grift <domg472@gmail.com>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: oidentd.patch.txt
Type: text/x-patch
Size: 4998 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20080821/668c2d37/attachment.bin
* [refpolicy] [REFPOLICY PATCH] Added policy module for the oident daemon.
2008-08-21 13:09 ` [refpolicy] " Christopher J. PeBenito
2008-08-21 14:55 ` Dominick Grift
@ 2008-08-21 15:39 ` Dominick Grift
1 sibling, 0 replies; 14+ messages in thread
From: Dominick Grift @ 2008-08-21 15:39 UTC (permalink / raw)
To: refpolicy
On Thu, 2008-08-21 at 09:09 -0400, Christopher J. PeBenito wrote:
> The per-role template should create a $1_oidentd_home_t type, so role
> separation is preserved.
Attached version attempts to implement oidentdhome and
user_oidentd_home_type attributes. It is compile-tested; however, I am
not sure if I will be able to test this configuration with Fedora policy
without some modifications to the policy.
--
Dominick Grift <domg472@gmail.com>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: oidentd.patch.txt
Type: text/x-patch
Size: 4968 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20080821/0400f4b5/attachment.bin
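The per-role template Chris asks for, together with the least-privilege boolean Dominick defends in his earlier reply, as an added illustration that is not the patch's own code: the template name, the `oidentd_home_type` attribute and the `$1_oidentd_home_t` naming are assumptions, written in the prefix-taking refpolicy template style the patch itself uses (`userdom_*(prefix, domain)`).

```m4
########################################
## <summary>
##	Per-role template for the oidentd module.
## </summary>
## <param name="userdomain_prefix">
##	<summary>
##	Prefix of the user domain (e.g. user is the prefix for user_t).
##	</summary>
## </param>
#
template(`oidentd_per_role_template',`
	# oidentd_home_type is assumed to be declared as an attribute in oidentd.te
	gen_require(`
		type oidentd_t;
		attribute oidentd_home_type;
	')

	# One home-content type per role (user_oidentd_home_t,
	# staff_oidentd_home_t, ...) instead of a single oidentd_home_t
	# shared by every role, so role separation of home content survives.
	type $1_oidentd_home_t, oidentd_home_type;
	userdom_user_home_content($1, $1_oidentd_home_t)

	# The role's own domain manages its ~/.oidentd.conf, and a file it
	# creates in its home directory gets the private type, not $1_home_t.
	allow $1_t $1_oidentd_home_t:file manage_file_perms;
	userdom_user_home_dir_filetrans($1, $1_t, $1_oidentd_home_t, file)

	# Only when the operator enables the boolean does the daemon enter
	# this role's home directory, and then it reads only the explicitly
	# labelled type, never $1_home_t files.
	tunable_policy(`allow_oidentd_read_oidentd_home_content',`
		allow oidentd_t $1_oidentd_home_t:file read_file_perms;
		userdom_search_user_home_dirs($1, oidentd_t)
	')
')
```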
Thread overview: 14+ messages
2008-07-26 13:07 [REFPOLICY PATCH] Added policy module for the oident daemon Dominick Grift
2008-08-13 13:08 ` Chris PeBenito
2008-08-13 14:25 ` Paul Howarth
2008-08-13 16:46 ` Dominick Grift
2008-08-13 16:50 ` Dominick Grift
2008-08-13 17:17 ` Dominick Grift
2008-08-13 17:35 ` Dominick Grift
2008-08-13 17:52 ` Dominick Grift
2008-08-14 11:37 ` Dominick Grift
2008-08-14 12:36 ` Dominick Grift
2008-08-14 13:28 ` Dominick Grift
2008-08-21 13:09 ` [refpolicy] " Christopher J. PeBenito
2008-08-21 14:55 ` Dominick Grift
2008-08-21 15:39 ` Dominick Grift