* [refpolicy] request for comments: policy for nufw and nuauth
From: Pierre Chifflier @ 2008-10-21 15:22 UTC (permalink / raw)
To: refpolicy
On Tue, Oct 21, 2008 at 11:02:39AM -0400, Daniel J Walsh wrote:
> Pierre Chifflier wrote:
> > On Mon, Oct 20, 2008 at 02:57:49PM -0400, Daniel J Walsh wrote:
> >> You should never (almost never) have a gen_requires interface in a te file.
> >>
> >> You should use interfaces.
> >
> > Hi,
> >
> > Thanks for the review. I've re-written the policies from scratch, and
> > trying to use interfaces and macros when available (files attached, this
> > time not gzipped, to ease review).
> >
>
> Nothing attached.
Arg, sorry - I should remember to attach files _before_ writing the
contents of the mail.
This time, attached.
Thanks,
Pierre
>
> >> files_pid_file(nuauth_var_run_t)
> >> allow nuauth_t nuauth_var_run_t:dir { search write remove_name add_name };
> >> allow nuauth_t nuauth_var_run_t:file { create write read getattr unlink };
> >> allow nuauth_t nuauth_var_run_t:sock_file { unlink create write };
> >>
> >>
> >> Should probably be something like
> >>
> >> manage_files_pattern(nuauth_t, nuauth_var_run_t, nuauth_var_run_t)
> >> manage_sock_files_pattern(nuauth_t, nuauth_var_run_t, nuauth_var_run_t)
> >
> > Fixed
> >
> >>> allow nuauth_t etc_t:file { getattr read };
> >> Should be
> >> files_read_etc(nuauth_t)
> >
> > This one does not seem to work. I had to add:
> >
> > allow $1 nufw_etc_t:dir list_dir_perms;
> > read_files_pattern($1,nufw_etc_t,nufw_etc_t)
> > read_lnk_files_pattern($1,nufw_etc_t,nufw_etc_t)
> >
> >>
> >> # allow clients to connect
> >> allow unconfined_t nuauth_port_t:tcp_socket recv_msg;
> >> allow unconfined_t nuauth_port_t:tcp_socket name_connect;
> >>
> >> Not necessary. unconfined_t already can
> corenet_port(nuauth_port_t) if ports will be >= 1024
> corenet_reserved_port(nuauth_port_t) if ports can be < 1024
> corenet_rpc_port(nuauth_port_t) if ports can be between 600 and 1024.
>
>
> > Not here. Maybe it's related to the way I add the port ?
> > I'm using:
> > semanage port -a -t nuauth_port_t -p tcp 4129
> >
> > Maybe there is a boolean to allow connections ?
> >
> >>> allow nuauth_t bin_t:dir search;
> >> corecmd_search_bin(nuauth_t)
> >>
> >>> allow nuauth_t postgresql_port_t:tcp_socket { name_connect send_msg
> >> recv_msg };
> >>
> >> Look for corenetwork calls.
> >>
> >
> > Fixed
> >
> > Thanks for your help !
> >
> > Pierre
> >
-------------- next part --------------
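# nuauth executable will have:
# label: system_u:object_r:nuauth_exec_t
# MLS sensitivity: s0
# MCS categories: <none>
/usr/sbin/nuauth	--	gen_context(system_u:object_r:nuauth_exec_t,s0)

# The pid file is kept in a private subdirectory of /var/run.  Label the
# directory and everything below it, not only the pid file: otherwise
# /var/run/nuauth stays generic var_run_t, so any domain that may write
# var_run_t directories can also write into the daemon's private dir.
# With the directory typed, files the daemon creates in it inherit
# nuauth_var_run_t from the parent.  If the daemon creates /var/run/nuauth
# itself at runtime, nuauth.te additionally needs a dir transition for it
# (files_pid_filetrans with the dir class) -- confirm against the daemon.
/var/run/nuauth(/.*)?	gen_context(system_u:object_r:nuauth_var_run_t,s0)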
-------------- next part --------------
## <summary>policy for nuauth</summary>
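########################################
## <summary>
##	Execute nuauth in the nuauth domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`nuauth_domtrans',`
	gen_require(`
		type nuauth_t, nuauth_exec_t;
	')

	# domtrans_pattern() is the reference-policy idiom for a domain
	# transition.  It covers the execute/entrypoint rules and the process
	# transition, lets the new domain use the caller's fds and fifos, and
	# lets it send sigchld back -- everything the deprecated
	# domain_auto_trans() call plus the hand-written allow rules used to
	# express.
	domtrans_pattern($1, nuauth_exec_t, nuauth_t)

	# Kept from the original interface: the caller may use fds opened by
	# the nuauth domain.  domtrans_pattern() only grants the reverse
	# direction, so dropping this line would narrow what callers get today.
	allow $1 nuauth_t:fd use;
')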
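########################################
## <summary>
##	Read the nufw configuration files (/etc/nufw).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to read the configuration.
##	</summary>
## </param>
#
interface(`nuauth_access_nufw_etc_t',`
	gen_require(`
		type nufw_etc_t;
	')

	# NOTE(review): nufw_etc_t is declared by the nufw module, so by
	# reference-policy convention this interface belongs in nufw.if under a
	# module-prefixed name such as nufw_read_config().  The present name is
	# kept because nuauth.te already calls it.

	# /etc/nufw sits below /etc, so the caller must be able to traverse the
	# etc_t directory to reach it; the rules below only cover nufw_etc_t.
	files_search_etc($1)

	allow $1 nufw_etc_t:dir list_dir_perms;
	read_files_pattern($1, nufw_etc_t, nufw_etc_t)
	read_lnk_files_pattern($1, nufw_etc_t, nufw_etc_t)
')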
########################################
## <summary>
##	Bind TCP sockets to the nufw port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to bind to the port.
##	</summary>
## </param>
## <infoflow type="none"/>
#
interface(`corenet_tcp_bind_nufw_port',`
gen_require(`
type nufw_port_t;
')
# NOTE(review): nufw_port_t is declared by the nufw module, and the
# corenet_ prefix suggests this lives in corenetwork.if, which it does
# not.  Convention would be a nufw_-prefixed interface in nufw.if; the
# name is kept because nuauth.te calls it.
# name_bind only.  Per the accompanying .te comment the port is 4128,
# i.e. not a reserved port, so no net_bind_service capability is needed
# or granted here.
allow $1 nufw_port_t:tcp_socket name_bind;
')
########################################
## <summary>
##	Bind TCP sockets to the nuauth port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to bind to the port.
##	</summary>
## </param>
## <infoflow type="none"/>
#
interface(`corenet_tcp_bind_nuauth_port',`
gen_require(`
type nuauth_port_t;
')
# NOTE(review): the corenet_ prefix suggests this interface lives in
# corenetwork.if, which it does not; a nuauth_-prefixed name would
# follow reference-policy convention.  The name is kept because nuauth.te
# calls it.
# name_bind only.  Per the accompanying .te comment the port is 4129,
# i.e. not a reserved port, so no net_bind_service capability is needed
# or granted here.
allow $1 nuauth_port_t:tcp_socket name_bind;
')
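########################################
# corenet_tcp_sendrecv_nufw_port() is intentionally NOT defined here.
#
# nufw_port_t is declared by the nufw module, and nufw.if carries the
# definition of this interface.  A second definition of the same interface
# name in this file is a duplicate, which the reference-policy build is
# expected to reject when the interface files are assembled, so the copy
# that used to live here has been removed.  Callers (including nuauth.te)
# keep using the nufw.if definition unchanged.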
########################################
## <summary>
##	Send and receive TCP traffic on the nuauth port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to send and receive on the port.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
interface(`corenet_tcp_sendrecv_nuauth_port',`
gen_require(`
type nuauth_port_t;
')
# NOTE(review): the corenet_ prefix suggests this interface lives in
# corenetwork.if, which it does not; a nuauth_-prefixed name would follow
# reference-policy convention.  The name is kept because nuauth.te calls it.
# For nuauth_t itself this is already covered by
# corenet_tcp_sendrecv_all_ports() in nuauth.te; the interface matters for
# other callers.
allow $1 nuauth_port_t:tcp_socket { send_msg recv_msg };
')
-------------- next part --------------
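policy_module(nuauth, 1.0.0)

# Port numbers are not part of the policy; the administrator assigns them
# to the port types declared below, e.g.:
#   semanage port -a -t nuauth_port_t -p tcp 4129

########################################
#
# Declarations
#

type nuauth_t;
type nuauth_exec_t;
domain_type(nuauth_t)
init_daemon_domain(nuauth_t, nuauth_exec_t)

# pid file and unix socket under /var/run
type nuauth_var_run_t;
files_pid_file(nuauth_var_run_t)

# TCP port clients connect to (see the semanage example above).  Declared
# with the other types rather than in the middle of the rules; corenet_port()
# gives it the port_type attribute so that semanage accepts it.
type nuauth_port_t;
corenet_port(nuauth_port_t)

########################################
#
# nuauth local policy
#

# nufw configuration files (nufw_etc_t is owned by the nufw module)
nuauth_access_nufw_etc_t(nuauth_t)

files_read_etc_files(nuauth_t)

libs_use_ld_so(nuauth_t)
libs_use_shared_libs(nuauth_t)

miscfiles_read_localization(nuauth_t)

logging_send_syslog_msg(nuauth_t)

# internal communication over unix sockets and pipes
allow nuauth_t self:unix_stream_socket create_stream_socket_perms;
allow nuauth_t self:unix_dgram_socket create_socket_perms;
allow nuauth_t self:fifo_file write;

# pid file and unix socket.  manage_sock_files_pattern() already grants
# unlink, so the former delete_sock_files_pattern() call was redundant.
# If the daemon creates its /var/run/nuauth directory itself, a dir
# transition needs to be added here -- confirm against the daemon.
manage_files_pattern(nuauth_t, nuauth_var_run_t, nuauth_var_run_t)
manage_sock_files_pattern(nuauth_t, nuauth_var_run_t, nuauth_var_run_t)
files_pid_filetrans(nuauth_t, nuauth_var_run_t, { file sock_file })

# networking
sysnet_dns_name_resolve(nuauth_t)

corenet_non_ipsec_sendrecv(nuauth_t)
corenet_tcp_sendrecv_all_if(nuauth_t)
corenet_tcp_sendrecv_all_nodes(nuauth_t)
corenet_tcp_sendrecv_all_ports(nuauth_t)
corenet_tcp_bind_all_nodes(nuauth_t)

# nuauth is a TCP server that binds both the nufw port and the nuauth port.
# Interface calls are m4 macros: they take no terminating semicolon, which
# would otherwise be emitted as a stray token into the generated policy.
allow nuauth_t self:tcp_socket { listen accept };
corenet_tcp_bind_nufw_port(nuauth_t)
corenet_tcp_bind_nuauth_port(nuauth_t)
corenet_tcp_sendrecv_nufw_port(nuauth_t)
corenet_tcp_sendrecv_nuauth_port(nuauth_t)

# nufw_port_t is declared by the nufw module.  Marking it as a port type
# (corenet_port) is that module's job; the gen_require() that used to do
# it from this file has been dropped -- gen_require() belongs in
# interfaces, not in a .te file.

allow nuauth_t self:netlink_route_socket rw_netlink_socket_perms;

# init script handling
init_use_fds(nuauth_t)
init_use_script_ptys(nuauth_t)
domain_use_interactive_fds(nuauth_t)

# for crypto
dev_read_rand(nuauth_t)
dev_read_urand(nuauth_t)

allow nuauth_t self:process { signal getsched };
# TODO(review): dac_override is broad; confirm which files nuauth needs it
# for and whether dac_read_search alone is sufficient.
allow nuauth_t self:capability { dac_read_search dac_override setuid };

# "system" authentication module.  The original rule was
#   allow nuauth_t bin_t:dir search;
# but bin_t is not declared in this module, so the raw rule does not
# build; corecmd_search_bin() is the interface for it.
corecmd_search_bin(nuauth_t)
auth_use_nsswitch(nuauth_t)
auth_domtrans_chk_passwd(nuauth_t)

# postgresql logging backend
corenet_tcp_connect_postgresql_port(nuauth_t)
corenet_tcp_sendrecv_postgresql_port(nuauth_t)
# the postgresql client library looks for ~/.pgpass
files_dontaudit_search_home(nuauth_t)

# mysql logging backend
corenet_tcp_connect_mysqld_port(nuauth_t)
corenet_tcp_sendrecv_mysqld_port(nuauth_t)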
-------------- next part --------------
# nufw executable will have:
# label: system_u:object_r:nufw_exec_t
# MLS sensitivity: s0
# MCS categories: <none>
# configuration directory and everything below it
/etc/nufw(/.*)? gen_context(system_u:object_r:nufw_etc_t,s0)
/usr/sbin/nufw -- gen_context(system_u:object_r:nufw_exec_t,s0)
# pid file, created directly in /var/run (no private subdirectory)
/var/run/nufw.pid gen_context(system_u:object_r:nufw_var_run_t,s0)
# NOTE(review): nufw.te declares nufw_var_log_t but no path here is
# labelled with it -- add the log path or drop the type.
-------------- next part --------------
## <summary>policy for nufw</summary>
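########################################
## <summary>
##	Execute nufw in the nufw domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`nufw_domtrans',`
	gen_require(`
		type nufw_t, nufw_exec_t;
	')

	# domtrans_pattern() is the reference-policy idiom for a domain
	# transition.  It covers the execute/entrypoint rules and the process
	# transition, lets the new domain use the caller's fds and fifos, and
	# lets it send sigchld back -- everything the deprecated
	# domain_auto_trans() call plus the hand-written allow rules used to
	# express.
	domtrans_pattern($1, nufw_exec_t, nufw_t)

	# Kept from the original interface: the caller may use fds opened by
	# the nufw domain.  domtrans_pattern() only grants the reverse
	# direction, so dropping this line would narrow what callers get today.
	allow $1 nufw_t:fd use;
')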
########################################
## <summary>
##	Make a TCP connection to the nufw port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to connect.
##	</summary>
## </param>
#
interface(`corenet_tcp_connect_nufw_port',`
gen_require(`
type nufw_port_t;
')
# NOTE(review): the corenet_ prefix suggests this interface lives in
# corenetwork.if, which it does not; a nufw_-prefixed name would follow
# reference-policy convention.  The name is kept because nufw.te calls it.
# name_connect only; sending/receiving on the port is a separate
# interface (corenet_tcp_sendrecv_nufw_port) and is not implied here.
allow $1 nufw_port_t:tcp_socket name_connect;
')
########################################
## <summary>
##	Send and receive TCP traffic on the nufw port.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to send and receive on the port.
##	</summary>
## </param>
## <infoflow type="both" weight="10"/>
#
interface(`corenet_tcp_sendrecv_nufw_port',`
gen_require(`
type nufw_port_t;
')
# This module declares nufw_port_t, so this file is the right home for
# the interface.  An interface name may be defined only once across the
# policy tree; any other .if file must not carry a second copy.
# NOTE(review): the corenet_ prefix suggests this lives in corenetwork.if,
# which it does not; the name is kept because nufw.te and nuauth.te call it.
allow $1 nufw_port_t:tcp_socket { send_msg recv_msg };
')
-------------- next part --------------
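policy_module(nufw, 1.0.0)

# The port number is not part of the policy; the administrator assigns it
# to the port type declared below, e.g.:
#   semanage port -a -t nufw_port_t -p tcp 4128

########################################
#
# Declarations
#

type nufw_t;
type nufw_exec_t;
domain_type(nufw_t)
init_daemon_domain(nufw_t, nufw_exec_t)

# configuration files (/etc/nufw)
type nufw_etc_t;
files_type(nufw_etc_t)

# log files
# TODO(review): no rule in this module uses nufw_var_log_t and nufw.fc
# labels no path with it.  Either add the log path plus the matching
# logging_log_filetrans()/manage rules, or drop the type.
type nufw_var_log_t;
logging_log_file(nufw_var_log_t)

# pid file
type nufw_var_run_t;
files_pid_file(nufw_var_run_t)

# TCP port nufw connects to.  The type is declared here, so this module
# is also the one that must mark it as a port type with corenet_port();
# doing that from another module's .te file through gen_require() is not
# where it belongs.
type nufw_port_t;
corenet_port(nufw_port_t)

########################################
#
# nufw local policy
#

# configuration
files_read_etc_files(nufw_t)
allow nufw_t nufw_etc_t:dir list_dir_perms;
read_files_pattern(nufw_t, nufw_etc_t, nufw_etc_t)
read_lnk_files_pattern(nufw_t, nufw_etc_t, nufw_etc_t)

libs_use_ld_so(nufw_t)
libs_use_shared_libs(nufw_t)

miscfiles_read_localization(nufw_t)

logging_send_syslog_msg(nufw_t)

# internal communication over unix sockets
allow nufw_t self:unix_stream_socket create_stream_socket_perms;

# pid file.  manage_files_pattern() expands to exactly the former pair of
# raw rules (manage_file_perms on the file, rw_dir_perms on the directory).
manage_files_pattern(nufw_t, nufw_var_run_t, nufw_var_run_t)
files_pid_filetrans(nufw_t, nufw_var_run_t, { file sock_file })

# networking
sysnet_dns_name_resolve(nufw_t)
corenet_tcp_sendrecv_all_if(nufw_t)
corenet_tcp_sendrecv_all_nodes(nufw_t)

# nufw is the client side of the nufw port
corenet_tcp_connect_nufw_port(nufw_t)
corenet_tcp_sendrecv_nufw_port(nufw_t)
allow nufw_t self:tcp_socket { listen accept };

# raw IP and netlink sockets, with the capabilities they require
# (presumably for nufw's netfilter interaction -- confirm)
allow nufw_t self:rawip_socket create_socket_perms;
allow nufw_t self:netlink_socket create_socket_perms;
allow nufw_t self:netlink_route_socket rw_netlink_socket_perms;
allow nufw_t self:capability { net_admin net_raw };

# init script handling
init_use_fds(nufw_t)
init_use_script_ptys(nufw_t)
domain_use_interactive_fds(nufw_t)

# for crypto
dev_read_rand(nufw_t)
dev_read_urand(nufw_t)

# nufw wants sys_nice (scheduling changes on its own process)
allow nufw_t self:capability sys_nice;
allow nufw_t self:process setsched;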