[refpolicy] services_ldap.patch

[refpolicy] services_ldap.patch

[Daniel J Walsh]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

http://people.fedoraproject.org/~dwalsh/SELinux/F10/services_ldap.patch

Add initrc script support

allow admin to start/stop service

Admin needs admin_pattern on all file types


ldap uses kerberos keytab files

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkjaovEACgkQrlYvE4MpobNTMQCeJJeJtsUOWceks/IEpN/Am2PR
EEgAoNFmCn0foGTFd/j9U9K8TW+11rVf
=MjW3
-----END PGP SIGNATURE-----

[refpolicy] services_ldap.patch

[Christopher J. PeBenito]

On Wed, 2008-09-24 at 16:28 -0400, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F10/services_ldap.patch
> 
> Add initrc script support
> 
> allow admin to start/stop service
> 
> Admin needs admin_pattern on all file types
> 
> 
> ldap uses kerberos keytab files

Merged, except for the kerberos part as the interface is missing.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

[refpolicy] services_kerberos.patch

[Daniel J Walsh]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

admin interfaces

kerberos_use changes to take care of library that tries to setfscreate
and modify file context.

New interface kerberos_keytab_template for all domains that use keytab files

policy for kpropd

kadmind needs setfscreate to label keytab files.

Add handling of lock_files.

kadmind needs access to usr and var files

kadmind can use ldap

kdc can also setfscreate
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkjtXikACgkQrlYvE4MpobMPTwCbBs575vRn//FErIBEmu8q8Zx/
u48An1xblOQil5+8GcHQqKqmZxe/hkTB
=1d+c
-----END PGP SIGNATURE-----
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: services_kerberos.patch
Url: http://oss.tresys.com/pipermail/refpolicy/attachments/20081008/ac5a64ec/attachment.pl 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: services_kerberos.patch.sig
Type: application/octet-stream
Size: 72 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20081008/ac5a64ec/attachment.obj 

[refpolicy] services_kerberos.patch

[Christopher J. PeBenito]

On Wed, 2008-10-08 at 21:28 -0400, Daniel J Walsh wrote:
> admin interfaces
> 
> kerberos_use changes to take care of library that tries to setfscreate
> and modify file context.
> 
> New interface kerberos_keytab_template for all domains that use keytab files
> 
> policy for kpropd
> 
> kadmind needs setfscreate to label keytab files.
> 
> Add handling of lock_files.
> 
> kadmind needs access to usr and var files
> 
> kadmind can use ldap
> 
> kdc can also setfscreate

Merged, except for the tmpfs_t access in allow_kerberos tunable of
kerberos_use(); its the same thing about trying to use derived tmpfs_t
types.  Didn't merge the kprop port access as its missing.  Theres other
minor tweaks too.

> plain text document attachment (services_kerberos.patch)
> --- nsaserefpolicy/policy/modules/services/kerberos.fc	2008-08-07 11:15:11.000000000 -0400
> +++ serefpolicy-3.5.11/policy/modules/services/kerberos.fc	2008-10-08 21:20:50.000000000 -0400
> @@ -4,15 +4,24 @@
>  /etc/krb5kdc(/.*)?			gen_context(system_u:object_r:krb5kdc_conf_t,s0)
>  /etc/krb5kdc/kadm5\.keytab 	--	gen_context(system_u:object_r:krb5_keytab_t,s0)
>  /etc/krb5kdc/principal.*		gen_context(system_u:object_r:krb5kdc_principal_t,s0)
> +/etc/rc\.d/init\.d/kadmind	--	gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
> +/etc/rc\.d/init\.d/krb524d	--	gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
> +/etc/rc\.d/init\.d/kpropd		--	gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
> +/etc/rc\.d/init\.d/krb5kdc	--	gen_context(system_u:object_r:kerberos_initrc_exec_t,s0)
>  
>  /usr/(local/)?(kerberos/)?sbin/krb5kdc -- gen_context(system_u:object_r:krb5kdc_exec_t,s0)
>  /usr/(local/)?(kerberos/)?sbin/kadmind -- gen_context(system_u:object_r:kadmind_exec_t,s0)
> +/usr/kerberos/sbin/kadmin\.local       -- gen_context(system_u:object_r:kadmind_exec_t,s0)
>  
>  /usr/local/var/krb5kdc(/.*)?		gen_context(system_u:object_r:krb5kdc_conf_t,s0)
>  /usr/local/var/krb5kdc/principal.*	gen_context(system_u:object_r:krb5kdc_principal_t,s0)
>  
>  /var/kerberos/krb5kdc(/.*)?		gen_context(system_u:object_r:krb5kdc_conf_t,s0)
>  /var/kerberos/krb5kdc/principal.*	gen_context(system_u:object_r:krb5kdc_principal_t,s0)
> +/var/kerberos/krb5kdc/from_master.*	gen_context(system_u:object_r:krb5kdc_lock_t,s0)
> +/var/kerberos/krb5kdc/principal\.ok	gen_context(system_u:object_r:krb5kdc_lock_t,s0)
>  
>  /var/log/krb5kdc\.log			gen_context(system_u:object_r:krb5kdc_log_t,s0)
>  /var/log/kadmin(d)?\.log		gen_context(system_u:object_r:kadmind_log_t,s0)
> +
> +/var/tmp/host_0			-- 	gen_context(system_u:object_r:krb5_host_rcache_t,s0)
> --- nsaserefpolicy/policy/modules/services/kerberos.if	2008-08-07 11:15:11.000000000 -0400
> +++ serefpolicy-3.5.11/policy/modules/services/kerberos.if	2008-10-08 21:22:20.000000000 -0400
> @@ -23,6 +23,43 @@
>  
>  ########################################
>  ## <summary>
> +##	Execute a kadmind_exec_t in the current domain
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +##	Domain allowed to transition.
> +## </summary>
> +## </param>
> +#
> +interface(`kerberos_exec_kadmind',`
> +	gen_require(`
> +                type kadmind_exec_t;
> +	')
> +
> +	can_exec($1,kadmind_exec_t)
> +')
> +
> +########################################
> +## <summary>
> +##	Execute a domain transition to run kpropd.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +##	Domain allowed to transition.
> +## </summary>
> +## </param>
> +#
> +interface(`kerberos_domtrans_kpropd',`
> +	gen_require(`
> +		type kpropd_t;
> +                type kpropd_exec_t;
> +	')
> +
> +	domtrans_pattern($1, kpropd_exec_t, kpropd_t)
> +')
> +
> +########################################
> +## <summary>
>  ##	Use kerberos services
>  ## </summary>
>  ## <param name="domain">
> @@ -42,7 +79,14 @@
>  	dontaudit $1 krb5kdc_conf_t:dir list_dir_perms;
>  	dontaudit $1 krb5kdc_conf_t:file rw_file_perms;
>  
> +	#kerberos libraries are attempting to set the correct file context
> +	dontaudit $1 self:process setfscreate;
> +	selinux_dontaudit_validate_context($1)
> +	seutil_dontaudit_read_file_contexts($1)
> +
>  	tunable_policy(`allow_kerberos',`
> +		fs_rw_tmpfs_files($1)
> +	
>  		allow $1 self:tcp_socket create_socket_perms;
>  		allow $1 self:udp_socket create_socket_perms;
>  
> @@ -60,11 +104,7 @@
>  		corenet_tcp_connect_ocsp_port($1)
>  		corenet_sendrecv_kerberos_client_packets($1)
>  		corenet_sendrecv_ocsp_client_packets($1)
> -
> -		sysnet_read_config($1)
> -		sysnet_dns_name_resolve($1)
>  	')
> -
>  	optional_policy(`
>  		tunable_policy(`allow_kerberos',`
>  			pcscd_stream_connect($1)
> @@ -153,6 +193,32 @@
>  
>  ########################################
>  ## <summary>
> +##	Create a derived type for kerberos keytab
> +## </summary>
> +## <param name="prefix">
> +##	<summary>
> +##	The prefix to be used for deriving type names.
> +##	</summary>
> +## </param>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +template(`kerberos_keytab_template',`
> +
> +	type $1_keytab_t;
> +	files_type($1_keytab_t)
> +
> + 	allow $2 $1_keytab_t:file read_file_perms;
> +
> +	kerberos_read_keytab($2)
> +	kerberos_use($2)
> +')
> +
> +########################################
> +## <summary>
>  ##	Read the kerberos kdc configuration file (/etc/krb5kdc.conf).
>  ## </summary>
>  ## <param name="domain">
> @@ -168,6 +234,123 @@
>  	')
>  
>  	files_search_etc($1)
> -	allow $1 krb5kdc_conf_t:file read_file_perms;
> +	read_files_pattern($1, krb5kdc_conf_t,  krb5kdc_conf_t)
> +')
>  
> +########################################
> +## <summary>
> +##	Read the kerberos kdc configuration file (/etc/krb5kdc.conf).
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`kerberos_manage_host_rcache',`
> +	gen_require(`
> +		type krb5_host_rcache_t;
> +	')
> +
> +	tunable_policy(`allow_kerberos',`
> +		files_search_tmp($1)
> +		allow $1 self:process setfscreate;
> +		selinux_validate_context($1)
> +		seutil_read_file_contexts($1)
> +		allow $1 krb5_host_rcache_t:file manage_file_perms;
> +	')
> +	# creates files as system_u no matter what the selinux user
> +	domain_obj_id_change_exemption($1)
>  ')
> +
> +########################################
> +## <summary>
> +##	Connect to krb524 service
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`kerberos_524_connect',`
> +	tunable_policy(`allow_kerberos',`
> +		allow $1 self:udp_socket create_socket_perms;
> +                corenet_all_recvfrom_unlabeled($1)
> +		corenet_udp_sendrecv_all_if($1)
> +		corenet_udp_sendrecv_all_nodes($1)
> +		corenet_udp_sendrecv_kerberos_master_port($1)
> +		corenet_udp_bind_all_nodes($1)
> +	')
> +')
> +
> +########################################
> +## <summary>
> +##	All of the rules required to administrate 
> +##	an kerberos environment
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> + ## <param name="role">
> +##	<summary>
> +##	The role to be allowed to manage the kerberos domain.
> +##	</summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`kerberos_admin',`
> +	gen_require(`
> +		type kadmind_t, krb5kdc_t, kerberos_initrc_exec_t;
> +		type kadmind_log_t, kadmind_tmp_t, kadmind_var_run_t;
> +		type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
> +		type krb5kdc_principal_t, krb5kdc_tmp_t;
> +		type krb5kdc_var_run_t, krb5_host_rcache_t;
> +		type kadmind_spool_t, kadmind_var_lib_t, kpropd_t;
> +	')
> +
> +	allow $1 kadmind_t:process { ptrace signal_perms };
> +	ps_process_pattern($1, kadmind_t)
> +	        
> +	allow $1 krb5kdc_t:process { ptrace signal_perms };
> +	ps_process_pattern($1, krb5kdc_t)
> +	        
> +	allow $1 kpropd_t:process { ptrace signal_perms };
> +	ps_process_pattern($1, kpropd_t)
> +	        
> +	init_labeled_script_domtrans($1, kerberos_initrc_exec_t)
> +	domain_system_change_exemption($1)
> +	role_transition $2 kerberos_initrc_exec_t system_r;
> +	allow $2 system_r;
> +
> +	logging_list_logs($1)
> +	admin_pattern($1, kadmind_log_t)
> +
> +	files_list_spool($1)
> +	admin_pattern($1, kadmind_spool_t)
> +
> +	files_list_tmp($1)
> +	admin_pattern($1, kadmind_tmp_t)
> +
> +	files_list_var_lib($1)
> +	admin_pattern($1, kadmind_var_lib_t)
> +
> +	files_list_pids($1)
> +	admin_pattern($1, kadmind_var_run_t)
> +
> +	admin_pattern($1, krb5_conf_t)
> +
> +	admin_pattern($1, krb5_host_rcache_t)
> +
> +	admin_pattern($1, krb5_keytab_t)
> +
> +	admin_pattern($1, krb5kdc_principal_t)
> +
> +	admin_pattern($1, krb5kdc_tmp_t)
> +
> +	admin_pattern($1, krb5kdc_var_run_t)
> +')
> +
> --- nsaserefpolicy/policy/modules/services/kerberos.te	2008-08-07 11:15:11.000000000 -0400
> +++ serefpolicy-3.5.11/policy/modules/services/kerberos.te	2008-10-08 20:36:17.000000000 -0400
> @@ -16,6 +16,7 @@
>  type kadmind_t;
>  type kadmind_exec_t;
>  init_daemon_domain(kadmind_t, kadmind_exec_t)
> +domain_obj_id_change_exemption(kadmind_t)
>  
>  type kadmind_log_t;
>  logging_log_file(kadmind_log_t)
> @@ -37,6 +38,9 @@
>  type krb5kdc_conf_t;
>  files_type(krb5kdc_conf_t)
>  
> +type krb5kdc_lock_t;
> +files_type(krb5kdc_lock_t)
> +
>  # types for KDC principal file(s)
>  type krb5kdc_principal_t;
>  files_type(krb5kdc_principal_t)
> @@ -44,6 +48,7 @@
>  type krb5kdc_t;
>  type krb5kdc_exec_t;
>  init_daemon_domain(krb5kdc_t, krb5kdc_exec_t)
> +domain_obj_id_change_exemption(krb5kdc_t)
>  
>  type krb5kdc_log_t;
>  logging_log_file(krb5kdc_log_t)
> @@ -54,6 +59,16 @@
>  type krb5kdc_var_run_t;
>  files_pid_file(krb5kdc_var_run_t)
>  
> +type krb5_host_rcache_t;
> +files_tmp_file(krb5_host_rcache_t)
> +
> +type kerberos_initrc_exec_t;
> +init_script_file(kerberos_initrc_exec_t)
> +
> +type kpropd_t;
> +type kpropd_exec_t;
> +init_daemon_domain(kpropd_t, kpropd_exec_t)
> +
>  ########################################
>  #
>  # kadmind local policy
> @@ -62,7 +77,7 @@
>  # Use capabilities. Surplus capabilities may be allowed.
>  allow kadmind_t self:capability { setuid setgid chown fowner dac_override sys_nice };
>  dontaudit kadmind_t self:capability sys_tty_config;
> -allow kadmind_t self:process signal_perms;
> +allow kadmind_t self:process { setfscreate signal_perms };
>  allow kadmind_t self:netlink_route_socket r_netlink_socket_perms;
>  allow kadmind_t self:unix_dgram_socket { connect create write };
>  allow kadmind_t self:tcp_socket connected_stream_socket_perms;
> @@ -77,7 +92,9 @@
>  read_files_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_conf_t)
>  dontaudit kadmind_t krb5kdc_conf_t:file { write setattr };
>  
> -allow kadmind_t krb5kdc_principal_t:file { getattr lock read write setattr };
> +allow kadmind_t krb5kdc_principal_t:file manage_file_perms;
> +filetrans_pattern(kadmind_t, krb5kdc_conf_t, krb5kdc_principal_t, file)
> +allow kadmind_t krb5kdc_lock_t:file { rw_file_perms setattr };
>  
>  can_exec(kadmind_t, kadmind_exec_t)
>  
> @@ -91,6 +108,7 @@
>  kernel_read_kernel_sysctls(kadmind_t)
>  kernel_list_proc(kadmind_t)
>  kernel_read_proc_symlinks(kadmind_t)
> +kernel_read_system_state(kadmind_t)
>  
>  corenet_all_recvfrom_unlabeled(kadmind_t)
>  corenet_all_recvfrom_netlabel(kadmind_t)
> @@ -118,6 +136,12 @@
>  domain_use_interactive_fds(kadmind_t)
>  
>  files_read_etc_files(kadmind_t)
> +files_read_usr_symlinks(kadmind_t)
> +files_read_usr_files(kadmind_t)
> +files_read_var_files(kadmind_t)
> +
> +selinux_validate_context(kadmind_t)
> +seutil_read_file_contexts(kadmind_t)
>  
>  libs_use_ld_so(kadmind_t)
>  libs_use_shared_libs(kadmind_t)
> @@ -127,9 +151,9 @@
>  miscfiles_read_localization(kadmind_t)
>  
>  sysnet_read_config(kadmind_t)
> +sysnet_use_ldap(kadmind_t)
>  
>  userdom_dontaudit_use_unpriv_user_fds(kadmind_t)
> -
>  sysadm_dontaudit_search_home_dirs(kadmind_t)
>  
>  optional_policy(`
> @@ -138,6 +162,7 @@
>  
>  optional_policy(`
>  	seutil_sigchld_newrole(kadmind_t)
> +	seutil_read_file_contexts(kadmind_t)
>  ')
>  
>  optional_policy(`
> @@ -152,7 +177,7 @@
>  # Use capabilities. Surplus capabilities may be allowed.
>  allow krb5kdc_t self:capability { setuid setgid net_admin chown fowner dac_override sys_nice };
>  dontaudit krb5kdc_t self:capability sys_tty_config;
> -allow krb5kdc_t self:process { setsched getsched signal_perms };
> +allow krb5kdc_t self:process { setfscreate setsched getsched signal_perms };
>  allow krb5kdc_t self:netlink_route_socket r_netlink_socket_perms;
>  allow krb5kdc_t self:tcp_socket create_stream_socket_perms;
>  allow krb5kdc_t self:udp_socket create_socket_perms;
> @@ -166,6 +191,8 @@
>  read_files_pattern(krb5kdc_t, krb5kdc_conf_t, krb5kdc_conf_t)
>  dontaudit krb5kdc_t krb5kdc_conf_t:file write;
>  
> +allow krb5kdc_t krb5kdc_lock_t:file { rw_file_perms setattr };
> +
>  allow krb5kdc_t krb5kdc_log_t:file manage_file_perms;
>  logging_log_filetrans(krb5kdc_t, krb5kdc_log_t, file)
>  
> @@ -216,6 +243,9 @@
>  files_read_usr_symlinks(krb5kdc_t)
>  files_read_var_files(krb5kdc_t)
>  
> +selinux_validate_context(krb5kdc_t)
> +seutil_read_file_contexts(krb5kdc_t)
> +
>  libs_use_ld_so(krb5kdc_t)
>  libs_use_shared_libs(krb5kdc_t)
>  
> @@ -224,9 +254,9 @@
>  miscfiles_read_localization(krb5kdc_t)
>  
>  sysnet_read_config(krb5kdc_t)
> +sysnet_use_ldap(krb5kdc_t)
>  
>  userdom_dontaudit_use_unpriv_user_fds(krb5kdc_t)
> -
>  sysadm_dontaudit_search_home_dirs(krb5kdc_t)
>  
>  optional_policy(`
> @@ -235,8 +265,49 @@
>  
>  optional_policy(`
>  	seutil_sigchld_newrole(krb5kdc_t)
> +	seutil_read_file_contexts(krb5kdc_t)
>  ')
>  
>  optional_policy(`
>  	udev_read_db(krb5kdc_t)
>  ')
> +
> +########################################
> +#
> +# kpropd local policy
> +#
> +
> +allow kpropd_t self:capability net_bind_service;
> +allow kpropd_t self:fifo_file rw_file_perms;
> +allow kpropd_t self:unix_stream_socket create_stream_socket_perms;
> +allow kpropd_t self:tcp_socket create_stream_socket_perms;
> +
> +allow kpropd_t krb5_host_rcache_t:file rw_file_perms;
> +allow kpropd_t krb5_keytab_t:file read_file_perms;
> +
> +manage_files_pattern(kpropd_t, krb5kdc_conf_t, krb5kdc_principal_t)
> +
> +corecmd_exec_bin(kpropd_t)
> +
> +corenet_all_recvfrom_unlabeled(kpropd_t)
> +corenet_tcp_sendrecv_all_if(kpropd_t)
> +corenet_tcp_sendrecv_all_nodes(kpropd_t)
> +corenet_tcp_sendrecv_all_ports(kpropd_t)
> +corenet_tcp_bind_all_nodes(kpropd_t)
> +corenet_tcp_bind_kprop_port(kpropd_t)
> +
> +files_read_etc_files(kpropd_t)
> +files_search_tmp(kpropd_t)
> +
> +dev_read_urand(kpropd_t)
> +
> +libs_use_ld_so(kpropd_t)
> +libs_use_shared_libs(kpropd_t)
> +
> +logging_send_syslog_msg(kpropd_t)
> +
> +miscfiles_read_localization(kpropd_t)
> +
> +sysnet_dns_name_resolve(kpropd_t)
> +
> +kerberos_use(kpropd_t)
-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

[refpolicy] services_ldap.patch

[Daniel J Walsh]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

http://people.fedoraproject.org/~dwalsh/SELinux/F14/services_ldap.patch

Fix initscrpt label



Fix _admin
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkx229QACgkQrlYvE4MpobMBWgCggsm99L7+HP7z995JUiLeQSMB
jxoAoJVs3nkihBtj/6eSbv9hfeD9PGlG
=ANmq
-----END PGP SIGNATURE-----