* [refpolicy] services_nut.patch
From: Daniel J Walsh @ 2009-11-12 21:46 UTC
To: refpolicy

http://people.fedoraproject.org/~dwalsh/SELinux/F12/services_nut.patch

nut policy.
* [refpolicy] services_nut.patch
From: Stefan Schulze Frielinghaus @ 2009-11-16 14:31 UTC
To: refpolicy

On Thu, 2009-11-12 at 16:46 -0500, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F12/services_nut.patch
>
> nut policy.

Some time ago I wrote a policy for NUT too (s. attachment). I guess you
tested your policy with a UPS connected via USB. Maybe we could merge
both policies because I tested mine with the SNMP module of NUT.

One note about your policy. Shouldn't we prefix all domains with "nut_"?
This would indicate that e.g. each executable comes from the NUT
project. Then we could also define one type for /var/run/nut (in my
policy it is just nut_var_run_t) because the three main domains
nut_upsd_t, nut_upsdrvctl_t and nut_upsmon_t write to the same location,
share e.g. a socket file.

I would also like to introduce a type for config files because clear
text passwords are saved in there.

Your domain upsmon_t needs also to write to all terms because it
announces information via "wall". It also seems to miss the following
permissions which are needed if upsmon_t should execute /sbin/shutdown
(we still do not have a shutdown policy):

files_rw_generic_pids(nut_upsmon_t)
init_exec(nut_upsmon_t)
init_rw_initctl(nut_upsmon_t)
init_write_utmp(nut_upsmon_t)

What are your thoughts?
I tested my policy on CentOS 5.3 with a couple of dozen
restarts/shutdowns. Debugging restarts/shutdowns is hell ;-)

cheers,
Stefan

-------------- next part --------------
/etc/ups(/.*)?		gen_context(system_u:object_r:nut_conf_t,s0)

/sbin/apcsmart		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/bcmxcp		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/bcmxcp_usb	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/belkin		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/belkinunv		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/bestfcom		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/bestuferrups	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/bestups		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/blazer_ser	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/blazer_usb	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/cyberpower	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/dummy-ups		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/etapro		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/everups		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/gamatronic	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/genericups	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/isbmex		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/liebert		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/masterguard	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/megatec		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/megatec_usb	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/metasys		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/mge-shut		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/mge-utalk		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/microdowell	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/newmge-shut	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/oneac		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/optiups		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/powercom		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/powerman-pdu	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/powerpanel	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/rhino		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/richcomm_usb	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/safenet		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/skel		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/snmp-ups		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/solis		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/tripplite		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/tripplitesu	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/tripplite_usb	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/upscode2		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/upsdrvctl		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/usbhid-ups	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/victronups	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)

/usr/sbin/upsd		--	gen_context(system_u:object_r:nut_upsd_exec_t,s0)
/usr/sbin/upsmon	--	gen_context(system_u:object_r:nut_upsmon_exec_t,s0)

/var/run/nut(/.*)?		gen_context(system_u:object_r:nut_var_run_t,s0)

/var/www/nut-cgi-bin/upsimage\.cgi	--	gen_context(system_u:object_r:httpd_nut_upscgi_script_exec_t,s0)
/var/www/nut-cgi-bin/upsset\.cgi	--	gen_context(system_u:object_r:httpd_nut_upscgi_script_exec_t,s0)
/var/www/nut-cgi-bin/upsstats\.cgi	--	gen_context(system_u:object_r:httpd_nut_upscgi_script_exec_t,s0)

-------------- next part --------------
policy_module(nut, 1.0.0)

########################################
#
# Declarations
#

type nut_upsdrvctl_t;
type nut_upsdrvctl_exec_t;
init_daemon_domain(nut_upsdrvctl_t, nut_upsdrvctl_exec_t)

type nut_upsd_t;
type nut_upsd_exec_t;
init_daemon_domain(nut_upsd_t, nut_upsd_exec_t)

type nut_upsmon_t;
type nut_upsmon_exec_t;
init_daemon_domain(nut_upsmon_t, nut_upsmon_exec_t)

type nut_conf_t;
files_config_file(nut_conf_t)

type nut_var_run_t;
files_pid_file(nut_var_run_t)

########################################
#
# Local policy for upsdrvctl
#

allow nut_upsdrvctl_t self:capability { dac_override kill setgid setuid };
allow nut_upsdrvctl_t self:process { sigchld signal signull };
allow nut_upsdrvctl_t self:fd use;
allow nut_upsdrvctl_t self:unix_dgram_socket { connect create write };
allow nut_upsdrvctl_t self:udp_socket create_socket_perms;
allow nut_upsdrvctl_t self:netlink_route_socket create_netlink_socket_perms;
allow nut_upsdrvctl_t nut_var_run_t:sock_file { create unlink setattr };

# /sbin/upsdrvctl executes other drivers
can_exec(nut_upsdrvctl_t, nut_upsdrvctl_exec_t)

read_files_pattern(nut_upsdrvctl_t, nut_conf_t, nut_conf_t)
manage_files_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t)

# /etc/nsswitch.conf
files_read_etc_files(nut_upsdrvctl_t)
files_read_usr_files(nut_upsdrvctl_t)
files_search_pids(nut_upsdrvctl_t)
files_search_usr(nut_upsdrvctl_t)

miscfiles_read_localization(nut_upsdrvctl_t)

# /etc/resolv.conf
sysnet_read_config(nut_upsdrvctl_t)

corecmd_search_bin(nut_upsdrvctl_t)
libs_read_lib_files(nut_upsdrvctl_t)

kernel_read_kernel_sysctls(nut_upsdrvctl_t)
kernel_sendrecv_unlabeled_association(nut_upsdrvctl_t)

init_sigchld(nut_upsdrvctl_t)

dev_read_urand(nut_upsdrvctl_t)
dev_rw_null(nut_upsdrvctl_t)

logging_send_syslog_msg(nut_upsdrvctl_t)

########################################
#
# Local policy for upsd
#

allow nut_upsd_t self:capability { setgid setuid };
allow nut_upsd_t self:netlink_route_socket create_netlink_socket_perms;
allow nut_upsd_t self:tcp_socket connected_stream_socket_perms;
allow nut_upsd_t nut_upsdrvctl_t:unix_stream_socket connectto;
allow nut_upsd_t nut_var_run_t:sock_file write;

read_files_pattern(nut_upsd_t, nut_conf_t, nut_conf_t)
manage_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)

# /etc/nsswitch.conf
files_read_etc_files(nut_upsd_t)
files_read_usr_files(nut_upsd_t)

miscfiles_read_localization(nut_upsd_t)
libs_read_lib_files(nut_upsd_t)
logging_send_syslog_msg(nut_upsd_t)

kernel_read_kernel_sysctls(nut_upsd_t)
kernel_sendrecv_unlabeled_association(nut_upsd_t)

corenet_tcp_bind_generic_port(nut_upsd_t)
corenet_tcp_bind_all_nodes(nut_upsd_t)

########################################
#
# Local policy for upsmon
#

allow nut_upsmon_t self:capability { dac_override dac_read_search setgid setuid };
allow nut_upsmon_t self:unix_dgram_socket { connect create write };
allow nut_upsmon_t self:tcp_socket create_socket_perms;
allow nut_upsmon_t self:netlink_route_socket create_netlink_socket_perms;
allow nut_upsmon_t self:fifo_file rw_fifo_file_perms;

read_files_pattern(nut_upsmon_t, nut_conf_t, nut_conf_t)
manage_files_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t)

# creates /etc/killpower
files_manage_etc_files(nut_upsmon_t)
files_search_usr(nut_upsmon_t)

corecmd_exec_bin(nut_upsmon_t)
corecmd_exec_shell(nut_upsmon_t)

miscfiles_read_localization(nut_upsmon_t)
libs_read_lib_files(nut_upsmon_t)
logging_send_syslog_msg(nut_upsmon_t)

# /etc/resolv.conf
sysnet_read_config(nut_upsmon_t)

kernel_read_kernel_sysctls(nut_upsmon_t)
kernel_read_system_state(nut_upsmon_t)
kernel_sendrecv_unlabeled_association(nut_upsmon_t)

corenet_tcp_connect_generic_port(nut_upsmon_t)

# /usr/bin/wall
init_read_utmp(nut_upsmon_t)
term_write_all_terms(nut_upsmon_t)

# /sbin/shutdown
files_rw_generic_pids(nut_upsmon_t)
init_exec(nut_upsmon_t)
init_rw_initctl(nut_upsmon_t)
init_write_utmp(nut_upsmon_t)

########################################
#
# Local policy for upscgi scripts
# requires httpd_enable_cgi and httpd_can_network_connect
#

apache_content_template(nut_upscgi)

read_files_pattern(httpd_nut_upscgi_script_t, nut_conf_t, nut_conf_t)

# /etc/resolv.conf
sysnet_read_config(httpd_nut_upscgi_script_t)
* [refpolicy] services_nut.patch
From: Daniel J Walsh @ 2009-11-16 18:32 UTC
To: refpolicy

On 11/16/2009 09:31 AM, Stefan Schulze Frielinghaus wrote:
> On Thu, 2009-11-12 at 16:46 -0500, Daniel J Walsh wrote:
>> http://people.fedoraproject.org/~dwalsh/SELinux/F12/services_nut.patch
>>
>> nut policy.
>
> Some time ago I wrote a policy for NUT too (s. attachment). I guess you
> tested your policy with a UPS connected via USB. Maybe we could merge
> both policies because I tested mine with the SNMP module of NUT.
>
> One note about your policy. Shouldn't we prefix all domains with "nut_"?
> This would indicate that e.g. each executable comes from the NUT
> project. Then we could also define one type for /var/run/nut (in my
> policy it is just nut_var_run_t) because the three main domains
> nut_upsd_t, nut_upsdrvctl_t and nut_upsmon_t write to the same location,
> share e.g. a socket file.
>
> I would also like to introduce a type for config files because clear
> text passwords are saved in there.
>
> Your domain upsmon_t needs also to write to all terms because it
> announces information via "wall". It also seems to miss the following
> permissions which are needed if upsmon_t should execute /sbin/shutdown
> (we still do not have a shutdown policy):
>
> files_rw_generic_pids(nut_upsmon_t)
> init_exec(nut_upsmon_t)
> init_rw_initctl(nut_upsmon_t)
> init_write_utmp(nut_upsmon_t)
>
> What are your thoughts?
> I tested my policy on CentOS 5.3 with a couple of dozen
> restarts/shutdowns. Debugging restarts/shutdowns is hell ;-)
>
> cheers,
> Stefan

Actually I believe Miroslav wrote this policy so I will forward this to him and you and he can work on consolidating the policies.

I agree with your points and your naming is fine.
* [refpolicy] services_nut.patch
From: Stefan Schulze Frielinghaus @ 2009-11-22 14:59 UTC
To: refpolicy

On Mon, 2009-11-16 at 13:32 -0500, Daniel J Walsh wrote:
> On 11/16/2009 09:31 AM, Stefan Schulze Frielinghaus wrote:
> > On Thu, 2009-11-12 at 16:46 -0500, Daniel J Walsh wrote:
> >> http://people.fedoraproject.org/~dwalsh/SELinux/F12/services_nut.patch
> >>
> >> nut policy.
> >
> > Some time ago I wrote a policy for NUT too (s. attachment). I guess you
> > tested your policy with a UPS connected via USB. Maybe we could merge
> > both policies because I tested mine with the SNMP module of NUT.
> >
> > One note about your policy. Shouldn't we prefix all domains with "nut_"?
> > This would indicate that e.g. each executable comes from the NUT
> > project. Then we could also define one type for /var/run/nut (in my
> > policy it is just nut_var_run_t) because the three main domains
> > nut_upsd_t, nut_upsdrvctl_t and nut_upsmon_t write to the same location,
> > share e.g. a socket file.
> >
> > I would also like to introduce a type for config files because clear
> > text passwords are saved in there.
> >
> > Your domain upsmon_t needs also to write to all terms because it
> > announces information via "wall". It also seems to miss the following
> > permissions which are needed if upsmon_t should execute /sbin/shutdown
> > (we still do not have a shutdown policy):
> >
> > files_rw_generic_pids(nut_upsmon_t)
> > init_exec(nut_upsmon_t)
> > init_rw_initctl(nut_upsmon_t)
> > init_write_utmp(nut_upsmon_t)
> >
> > What are your thoughts?
> > I tested my policy on CentOS 5.3 with a couple of dozen
> > restarts/shutdowns. Debugging restarts/shutdowns is hell ;-)
> >
> > cheers,
> > Stefan
>
> Actually I believe Miroslav wrote this policy so I will forward this to him and you and he can work on consolidating the policies.
>
> I agree with your points and your naming is fine.

Hi Miroslav,

attached is the merged policy. Just a few questions left. In your
original policy you had the following rule

corenet_tcp_connect_ups_port(upsmon_t)

I can't find any such port definition in refpolicy.

Another question, what is the intention of the following

permissive upsd_t;
permissive upsdrvctl_t;
permissive upsmon_t;

Does that make the domain permissive by default? I'm unsure about these
ones.

cheers,
Stefan

-------------- next part --------------
/etc/ups(/.*)?		gen_context(system_u:object_r:nut_conf_t,s0)

/sbin/apcsmart		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/bcmxcp		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/bcmxcp_usb	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/belkin		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/belkinunv		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/bestfcom		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/bestuferrups	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/bestups		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/blazer_ser	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/blazer_usb	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/cyberpower	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/dummy-ups		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/etapro		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/everups		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/gamatronic	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/genericups	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/isbmex		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/liebert		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/masterguard	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/megatec		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/megatec_usb	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/metasys		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/mge-shut		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/mge-utalk		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/microdowell	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/newmge-shut	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/oneac		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/optiups		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/powercom		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/powerman-pdu	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/powerpanel	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/rhino		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/richcomm_usb	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/safenet		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/skel		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/snmp-ups		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/solis		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/tripplite		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/tripplitesu	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/tripplite_usb	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/upscode2		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/upsdrvctl		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/usbhid-ups	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/victronups	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)

/usr/sbin/upsd		--	gen_context(system_u:object_r:nut_upsd_exec_t,s0)
/usr/sbin/upsmon	--	gen_context(system_u:object_r:nut_upsmon_exec_t,s0)

/var/run/nut(/.*)?		gen_context(system_u:object_r:nut_var_run_t,s0)

/var/www/nut-cgi-bin/upsimage\.cgi	--	gen_context(system_u:object_r:httpd_nut_upscgi_script_exec_t,s0)
/var/www/nut-cgi-bin/upsset\.cgi	--	gen_context(system_u:object_r:httpd_nut_upscgi_script_exec_t,s0)
/var/www/nut-cgi-bin/upsstats\.cgi	--	gen_context(system_u:object_r:httpd_nut_upscgi_script_exec_t,s0)

-------------- next part --------------
## <summary>SELinux policy for NUT - Network UPS Tools</summary>

#####################################
## <summary>
##	Execute a domain transition to run upsd.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`nut_upsd_domtrans',`
	gen_require(`
		type nut_upsd_t, nut_upsd_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, nut_upsd_exec_t, nut_upsd_t)
')

####################################
## <summary>
##	Execute a domain transition to run upsmon.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`nut_upsmon_domtrans',`
	gen_require(`
		type nut_upsmon_t, nut_upsmon_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, nut_upsmon_exec_t, nut_upsmon_t)
')

####################################
## <summary>
##	Execute a domain transition to run upsdrvctl.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`nut_upsdrvctl_domtrans',`
	gen_require(`
		type nut_upsdrvctl_t, nut_upsdrvctl_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, nut_upsdrvctl_exec_t, nut_upsdrvctl_t)
')

-------------- next part --------------
policy_module(nut, 1.0.0)

########################################
#
# Declarations
#

type nut_upsdrvctl_t;
type nut_upsdrvctl_exec_t;
init_daemon_domain(nut_upsdrvctl_t, nut_upsdrvctl_exec_t)

type nut_upsd_t;
type nut_upsd_exec_t;
init_daemon_domain(nut_upsd_t, nut_upsd_exec_t)

type nut_upsmon_t;
type nut_upsmon_exec_t;
init_daemon_domain(nut_upsmon_t, nut_upsmon_exec_t)

type nut_conf_t;
files_config_file(nut_conf_t)

type nut_var_run_t;
files_pid_file(nut_var_run_t)

permissive nut_upsdrvctl_t;
permissive nut_upsd_t;
permissive nut_upsmon_t;

########################################
#
# Local policy for upsdrvctl
#

allow nut_upsdrvctl_t self:capability { dac_override kill setgid setuid };
allow nut_upsdrvctl_t self:process { sigchld signal signull };
allow nut_upsdrvctl_t self:fifo_file rw_fifo_file_perms;
allow nut_upsdrvctl_t self:fd use;
allow nut_upsdrvctl_t self:unix_dgram_socket { create_socket_perms sendto };
allow nut_upsdrvctl_t self:udp_socket create_socket_perms;
allow nut_upsdrvctl_t self:netlink_route_socket create_netlink_socket_perms;
allow nut_upsdrvctl_t nut_var_run_t:sock_file { create unlink setattr };

# /sbin/upsdrvctl executes other drivers
can_exec(nut_upsdrvctl_t, nut_upsdrvctl_exec_t)

read_files_pattern(nut_upsdrvctl_t, nut_conf_t, nut_conf_t)
manage_files_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t)

# /etc/nsswitch.conf
files_read_etc_files(nut_upsdrvctl_t)
files_read_usr_files(nut_upsdrvctl_t)
files_search_pids(nut_upsdrvctl_t)
files_search_usr(nut_upsdrvctl_t)

dev_rw_generic_usb_dev(nut_upsdrvctl_t)

miscfiles_read_localization(nut_upsdrvctl_t)

# /etc/resolv.conf
sysnet_read_config(nut_upsdrvctl_t)

corecmd_search_bin(nut_upsdrvctl_t)
libs_read_lib_files(nut_upsdrvctl_t)

kernel_read_kernel_sysctls(nut_upsdrvctl_t)
kernel_sendrecv_unlabeled_association(nut_upsdrvctl_t)

init_sigchld(nut_upsdrvctl_t)

dev_read_urand(nut_upsdrvctl_t)
dev_rw_null(nut_upsdrvctl_t)

logging_send_syslog_msg(nut_upsdrvctl_t)

########################################
#
# Local policy for upsd
#

allow nut_upsd_t self:capability { setgid setuid };
allow nut_upsd_t self:netlink_route_socket create_netlink_socket_perms;
allow nut_upsd_t self:tcp_socket connected_stream_socket_perms;
allow nut_upsd_t self:unix_dgram_socket { create_socket_perms sendto };
allow nut_upsd_t nut_upsdrvctl_t:unix_stream_socket connectto;
allow nut_upsd_t nut_var_run_t:sock_file write;

read_files_pattern(nut_upsd_t, nut_conf_t, nut_conf_t)
manage_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)

# /etc/nsswitch.conf
files_read_etc_files(nut_upsd_t)
files_read_usr_files(nut_upsd_t)

miscfiles_read_localization(nut_upsd_t)
libs_read_lib_files(nut_upsd_t)
logging_send_syslog_msg(nut_upsd_t)

kernel_read_kernel_sysctls(nut_upsd_t)
kernel_sendrecv_unlabeled_association(nut_upsd_t)

corenet_tcp_bind_generic_port(nut_upsd_t)
corenet_tcp_bind_all_nodes(nut_upsd_t)

########################################
#
# Local policy for upsmon
#

allow nut_upsmon_t self:capability { dac_override dac_read_search setgid setuid };
# create_socket_perms already covers connect, create and write
allow nut_upsmon_t self:unix_dgram_socket { create_socket_perms sendto };
allow nut_upsmon_t self:tcp_socket create_socket_perms;
allow nut_upsmon_t self:netlink_route_socket create_netlink_socket_perms;
allow nut_upsmon_t self:fifo_file rw_fifo_file_perms;

read_files_pattern(nut_upsmon_t, nut_conf_t, nut_conf_t)
manage_files_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t)

# creates /etc/killpower
files_manage_etc_files(nut_upsmon_t)
files_search_usr(nut_upsmon_t)

corecmd_exec_bin(nut_upsmon_t)
corecmd_exec_shell(nut_upsmon_t)

miscfiles_read_localization(nut_upsmon_t)
libs_read_lib_files(nut_upsmon_t)
logging_send_syslog_msg(nut_upsmon_t)

# /etc/resolv.conf
sysnet_read_config(nut_upsmon_t)

kernel_read_kernel_sysctls(nut_upsmon_t)
kernel_read_system_state(nut_upsmon_t)
kernel_sendrecv_unlabeled_association(nut_upsmon_t)

#corenet_tcp_connect_ups_port(nut_upsmon_t)
corenet_tcp_connect_generic_port(nut_upsmon_t)

# /usr/bin/wall
init_read_utmp(nut_upsmon_t)
term_write_all_terms(nut_upsmon_t)

# /sbin/shutdown
files_rw_generic_pids(nut_upsmon_t)
init_exec(nut_upsmon_t)
init_rw_initctl(nut_upsmon_t)
init_write_utmp(nut_upsmon_t)

########################################
#
# Local policy for upscgi scripts
# requires httpd_enable_cgi and httpd_can_network_connect
#

apache_content_template(nut_upscgi)

read_files_pattern(httpd_nut_upscgi_script_t, nut_conf_t, nut_conf_t)

# /etc/resolv.conf
sysnet_read_config(httpd_nut_upscgi_script_t)
* [refpolicy] services_nut.patch
From: Miroslav Grepl @ 2009-11-23 13:05 UTC
To: refpolicy

On 11/22/2009 03:59 PM, Stefan Schulze Frielinghaus wrote:
> On Mon, 2009-11-16 at 13:32 -0500, Daniel J Walsh wrote:
>
>> On 11/16/2009 09:31 AM, Stefan Schulze Frielinghaus wrote:
>>
>>> On Thu, 2009-11-12 at 16:46 -0500, Daniel J Walsh wrote:
>>>
>>>> http://people.fedoraproject.org/~dwalsh/SELinux/F12/services_nut.patch
>>>>
>>>> nut policy.
>>>>
>>> Some time ago I wrote a policy for NUT too (s. attachment). I guess you
>>> tested your policy with a UPS connected via USB. Maybe we could merge
>>> both policies because I tested mine with the SNMP module of NUT.
>>>
>>> One note about your policy. Shouldn't we prefix all domains with "nut_"?
>>> This would indicate that e.g. each executable comes from the NUT
>>> project. Then we could also define one type for /var/run/nut (in my
>>> policy it is just nut_var_run_t) because the three main domains
>>> nut_upsd_t, nut_upsdrvctl_t and nut_upsmon_t write to the same location,
>>> share e.g. a socket file.
>>>
>>> I would also like to introduce a type for config files because clear
>>> text passwords are saved in there.
>>>
>>> Your domain upsmon_t needs also to write to all terms because it
>>> announces information via "wall". It also seems to miss the following
>>> permissions which are needed if upsmon_t should execute /sbin/shutdown
>>> (we still do not have a shutdown policy):
>>>
>>> files_rw_generic_pids(nut_upsmon_t)
>>> init_exec(nut_upsmon_t)
>>> init_rw_initctl(nut_upsmon_t)
>>> init_write_utmp(nut_upsmon_t)
>>>
>>> What are your thoughts?
>>> I tested my policy on CentOS 5.3 with a couple of dozen
>>> restarts/shutdowns. Debugging restarts/shutdowns is hell ;-)
>>>
>>> cheers,
>>> Stefan
>>>
>> Actually I believe Miroslav wrote this policy so I will forward this to him and you and he can work on consolidating the policies.
>>
>> I agree with your points and your naming is fine.
>>
> Hi Miroslav,
>
> attached is the merged policy.

Hi Stefan,

> Just a few questions left. In your
> original policy you had the following rule
>
> corenet_tcp_connect_ups_port(upsmon_t)
>
> I can't find any such port definition in refpolicy.
>
> +network_port(ups, tcp,3493,s0)

This is missing in the original patch.

> Another question, what is the intention of the following
>
> permissive upsd_t;
> permissive upsdrvctl_t;
> permissive upsmon_t;
>
> Does that make the domain permissive by default?

Yes, it does. We add new domains as permissive so we can fix all the AVCs without blocking the functionality of apps.

> I'm unsure about these
> ones.
>
> cheers,
> Stefan
>

Regards,
Miroslav
* [refpolicy] services_nut.patch
From: Stefan Schulze Frielinghaus @ 2009-11-23 14:36 UTC
To: refpolicy

On Mon, 2009-11-23 at 14:05 +0100, Miroslav Grepl wrote:
[...]
> > Another question, what is the intention of the following
> >
> > permissive upsd_t;
> > permissive upsdrvctl_t;
> > permissive upsmon_t;
> >
> > Does that make the domain permissive by default?
> Yes, it does. We add new domains as permissive so we can fix all the AVCs without blocking the functionality of apps.

But not for refpolicy, right? I cannot find any such statement in the
policy modules of refpolicy. At least I wouldn't expect such a behavior
from modules of refpolicy. I guess we can remove those three lines.

If you are fine with the merge of both policies then we can commit it
(after the port change of course).

cheers
Stefan
* [refpolicy] services_nut.patch
From: Christopher J. PeBenito @ 2009-11-23 15:19 UTC
To: refpolicy

On Mon, 2009-11-23 at 15:36 +0100, Stefan Schulze Frielinghaus wrote:
> On Mon, 2009-11-23 at 14:05 +0100, Miroslav Grepl wrote:
> [...]
> > > Another question, what is the intention of the following
> > >
> > > permissive upsd_t;
> > > permissive upsdrvctl_t;
> > > permissive upsmon_t;
> > >
> > > Does that make the domain permissive by default?
> > Yes, it does. We add new domains as permissive so we can fix all the AVCs without blocking the functionality of apps.
>
> But not for refpolicy, right? I cannot find any such statement in the
> policy modules of refpolicy. At least I wouldn't expect such a behavior
> from modules of refpolicy. I guess we can remove those three lines.
>
> If you are fine with the merge of both policies then we can commit it
> (after the port change of course).

My policy is to not have permissive domains in upstream refpolicy. If
the modules need more work the patch is dropped. Otherwise the
permissive is dropped.

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
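Two of the review points in this thread are mechanical enough to check before a patch is sent: Stefan's request that every type in the module carry the module's "nut_" prefix, and Chris PeBenito's rule that upstream refpolicy carries no permissive domains. The script below is an added example written for this page, not code from the thread or from refpolicy. It reads a .te module as text, drops "#" comments (so a commented-out line like the #corenet_tcp_connect_ups_port one above is not reported), takes the prefix from the policy_module() line, and lists unprefixed types and live permissive statements. The sample module text is constructed: it echoes a few declarations from the merged patch plus one deliberately unprefixed type; all function names are this example's own.

```python
"""Lint a refpolicy-style .te module for two submission rules discussed in
the thread: types must carry the module prefix, and no `permissive` domains
may remain.  Added example, not part of the thread or of refpolicy."""
import re
import sys

# Constructed sample module: a cut-down nut.te in the shape of the merged
# patch, with one unprefixed type and one commented-out permissive line.
SAMPLE_TE = """\
policy_module(nut, 1.0.0)

########################################
#
# Declarations
#

type nut_upsd_t;
type nut_upsd_exec_t;
init_daemon_domain(nut_upsd_t, nut_upsd_exec_t)

type upsmon_t;
type nut_conf_t;
files_config_file(nut_conf_t)

permissive nut_upsd_t;
permissive upsmon_t;
# permissive nut_conf_t;
"""

MODULE_RE = re.compile(r'^\s*policy_module\(\s*([A-Za-z0-9_]+)\s*,', re.M)
TYPE_RE = re.compile(r'^\s*type\s+([^;\n]+);', re.M)
PERMISSIVE_RE = re.compile(r'^\s*permissive\s+([A-Za-z0-9_]+)\s*;', re.M)


def strip_comments(text):
    """Remove '#' comments so commented-out statements are not reported."""
    return "\n".join(line.split('#', 1)[0] for line in text.splitlines())


def module_name(text):
    """Prefix every type must carry, taken from policy_module(name, ver)."""
    m = MODULE_RE.search(strip_comments(text))
    if not m:
        raise ValueError("no policy_module() declaration found")
    return m.group(1)


def declared_types(text):
    """Names introduced by `type X;`, `type X alias Y;` or `type X, attr;`.
    Only the declared type (first token) is returned, not aliases or
    attributes."""
    names = []
    for m in TYPE_RE.finditer(strip_comments(text)):
        names.append(m.group(1).split(',')[0].split()[0])
    return names


def unprefixed_types(text):
    """Types that do not start with '<module>_'."""
    prefix = module_name(text) + "_"
    return [t for t in declared_types(text) if not t.startswith(prefix)]


def permissive_domains(text):
    """Domains left permissive by an uncommented `permissive X;` line."""
    return PERMISSIVE_RE.findall(strip_comments(text))


def lint(text):
    """Return human-readable findings; an empty list means the module passes."""
    findings = []
    prefix = module_name(text)
    for t in unprefixed_types(text):
        findings.append("type %s lacks the %s_ prefix" % (t, prefix))
    for d in permissive_domains(text):
        findings.append("permissive %s; must be dropped before upstream submission" % d)
    return findings


if __name__ == "__main__":
    # Usage: python nut_te_lint.py [module.te]; with no argument the
    # constructed sample is linted.  Exit status 1 on any finding.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TE
    problems = lint(source)
    for p in problems:
        print(p)
    sys.exit(1 if problems else 0)
```

Run against the constructed sample it reports the unprefixed upsmon_t and the two live permissive statements and exits non-zero; against a module that only has prefixed types and no uncommented permissive lines it is silent. The check is deliberately textual: it does not replace a real build with the refpolicy Makefile, it only catches the two issues a reviewer would otherwise have to spot by eye.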
* [refpolicy] services_nut.patch
From: Stefan Schulze Frielinghaus @ 2009-11-23 16:04 UTC
To: refpolicy

On Mon, 2009-11-23 at 10:19 -0500, Christopher J. PeBenito wrote:
> On Mon, 2009-11-23 at 15:36 +0100, Stefan Schulze Frielinghaus wrote:
> > On Mon, 2009-11-23 at 14:05 +0100, Miroslav Grepl wrote:
> > [...]
> > > > Another question, what is the intention of the following
> > > >
> > > > permissive upsd_t;
> > > > permissive upsdrvctl_t;
> > > > permissive upsmon_t;
> > > >
> > > > Does that make the domain permissive by default?
> > > Yes, it does. We add new domains as permissive so we can fix all the AVCs without blocking the functionality of apps.
> >
> > But not for refpolicy, right? I cannot find any such statement in the
> > policy modules of refpolicy. At least I wouldn't expect such a behavior
> > from modules of refpolicy. I guess we can remove those three lines.
> >
> > If you are fine with the merge of both policies then we can commit it
> > (after the port change of course).
>
> My policy is to not have permissive domains in upstream refpolicy. If
> the modules need more work the patch is dropped. Otherwise the
> permissive is dropped.

Yes, this is what I thought. Since I have used the NUT policy for about a year
and it has some intersection with Miroslav's policy (he uses NUT with a
UPS attached via USB and mine via SNMP), I would say it is stable enough.
* [refpolicy] services_nut.patch
From: Stefan Schulze Frielinghaus @ 2009-11-23 16:09 UTC
To: refpolicy

On Mon, 2009-11-23 at 17:04 +0100, Stefan Schulze Frielinghaus wrote:
> On Mon, 2009-11-23 at 10:19 -0500, Christopher J. PeBenito wrote:
> > On Mon, 2009-11-23 at 15:36 +0100, Stefan Schulze Frielinghaus wrote:
> > > On Mon, 2009-11-23 at 14:05 +0100, Miroslav Grepl wrote:
> > > [...]
> > > > > Another question, what is the intention of the following
> > > > >
> > > > > permissive upsd_t;
> > > > > permissive upsdrvctl_t;
> > > > > permissive upsmon_t;
> > > > >
> > > > > Does that make the domain permissive by default?
> > > > Yes, it does. We add new domains as permissive so we can fix all the AVCs without blocking the functionality of apps.
> > >
> > > But not for refpolicy, right? I cannot find any such statement in the
> > > policy modules of refpolicy. At least I wouldn't expect such a behavior
> > > from modules of refpolicy. I guess we can remove those three lines.
> > >
> > > If you are fine with the merge of both policies then we can commit it
> > > (after the port change of course).
> >
> > My policy is to not have permissive domains in upstream refpolicy. If
> > the modules need more work the patch is dropped. Otherwise the
> > permissive is dropped.
>
> Yes, this is what I thought. Since I have used the NUT policy for about a year
> and it has some intersection with Miroslav's policy (he uses NUT with a
> UPS attached via USB and mine via SNMP), I would say it is stable enough.

Just to make it precise. In general it is stable but I will wait for an
OK from Miroslav, then I'm going to rearrange some allow rules according
to the style guidelines and will submit the patch again.
* [refpolicy] services_nut.patch 2009-11-23 16:09 ` Stefan Schulze Frielinghaus @ 2009-11-23 17:17 ` Miroslav Grepl 2009-12-18 13:53 ` Christopher J. PeBenito 0 siblings, 1 reply; 23+ messages in thread From: Miroslav Grepl @ 2009-11-23 17:17 UTC (permalink / raw) To: refpolicy On 11/23/2009 05:09 PM, Stefan Schulze Frielinghaus wrote: > On Mon, 2009-11-23 at 17:04 +0100, Stefan Schulze Frielinghaus wrote: > >> On Mon, 2009-11-23 at 10:19 -0500, Christopher J. PeBenito wrote: >> >>> On Mon, 2009-11-23 at 15:36 +0100, Stefan Schulze Frielinghaus wrote: >>> >>>> On Mon, 2009-11-23 at 14:05 +0100, Miroslav Grepl wrote: >>>> [...] >>>> >>>>>> Another question, what is the intention of the following >>>>>> >>>>>> permissive upsd_t; >>>>>> permissive upsdrvctl_t; >>>>>> permissive upsmon_t; >>>>>> >>>>>> Does that make the domain permissive by default? >>>>>> >>>>> Yes, it does. We add new domains to permissive so we can fix all the avc's without blocking of functionality apps. >>>>> >>>> But not for refpolicy, right? Yes, I meant in Fedora. >>>> I cannot find any such statement in the >>>> policy modules of refpolicy. At least I wouldn't expect such a behavior >>>> from modules of refpolicy. I guess we can remove those three lines. >>>> >>>> If you are fine with the merge of both policies then we can commit it >>>> (after the port change of course). >>>> >>> My policy is to not have permissive domains in upstream refpolicy. If >>> the modules need more work the patch is dropped. Otherwise the >>> permissive is dropped. >>> >> Yes, this is what I thought. Since I use the NUT policy for about a year >> and it has some intersection with Miroslavs policy (he uses NUT with a >> ups attached via USB and my via SNMP), I would say it is stable enough. >> > Just to make it precise. In general it is stable but I will wait for an > OK from Miroslav, I will check it and let you know. 
> then I'm going to rearrange some allow rules according > to the style-guidelines and will submit the patch again. > > ^ permalink raw reply [flat|nested] 23+ messages in thread
* [refpolicy] services_nut.patch 2009-11-23 17:17 ` Miroslav Grepl @ 2009-12-18 13:53 ` Christopher J. PeBenito 2009-12-21 10:14 ` Stefan Schulze Frielinghaus 0 siblings, 1 reply; 23+ messages in thread From: Christopher J. PeBenito @ 2009-12-18 13:53 UTC (permalink / raw) To: refpolicy On Mon, 2009-11-23 at 18:17 +0100, Miroslav Grepl wrote: > On 11/23/2009 05:09 PM, Stefan Schulze Frielinghaus wrote: > > On Mon, 2009-11-23 at 17:04 +0100, Stefan Schulze Frielinghaus wrote: > >> On Mon, 2009-11-23 at 10:19 -0500, Christopher J. PeBenito wrote: > >>> On Mon, 2009-11-23 at 15:36 +0100, Stefan Schulze Frielinghaus wrote: > >>>> On Mon, 2009-11-23 at 14:05 +0100, Miroslav Grepl wrote: > >>>> [...] > >>>> > >>>>>> Another question, what is the intention of the following > >>>>>> > >>>>>> permissive upsd_t; > >>>>>> permissive upsdrvctl_t; > >>>>>> permissive upsmon_t; > >>>>>> > >>>>>> Does that make the domain permissive by default? > >>>>>> > >>>>> Yes, it does. We add new domains to permissive so we can fix all the avc's without blocking of functionality apps. > >>>>> > >>>> But not for refpolicy, right? > Yes, I meant in Fedora. > > >>>> I cannot find any such statement in the > >>>> policy modules of refpolicy. At least I wouldn't expect such a behavior > >>>> from modules of refpolicy. I guess we can remove those three lines. > >>>> > >>>> If you are fine with the merge of both policies then we can commit it > >>>> (after the port change of course). > >>>> > >>> My policy is to not have permissive domains in upstream refpolicy. If > >>> the modules need more work the patch is dropped. Otherwise the > >>> permissive is dropped. > >>> > >> Yes, this is what I thought. Since I use the NUT policy for about a year > >> and it has some intersection with Miroslavs policy (he uses NUT with a > >> ups attached via USB and my via SNMP), I would say it is stable enough. > >> > > Just to make it precise. 
In general it is stable but I will wait for an > > OK from Miroslav, > I will check it and let you know. Was there any resolution on this? -- Chris PeBenito Tresys Technology, LLC (410) 290-1411 x150 ^ permalink raw reply [flat|nested] 23+ messages in thread
* [refpolicy] services_nut.patch 2009-12-18 13:53 ` Christopher J. PeBenito @ 2009-12-21 10:14 ` Stefan Schulze Frielinghaus 2009-12-25 12:55 ` Stefan Schulze Frielinghaus 0 siblings, 1 reply; 23+ messages in thread From: Stefan Schulze Frielinghaus @ 2009-12-21 10:14 UTC (permalink / raw) To: refpolicy On Fri, 2009-12-18 at 08:53 -0500, Christopher J. PeBenito wrote: [...] > Was there any resolution on this? Yes, but I had no physical access to my UPS for the last two weeks. At the end of this week I will have physical access again and then I will check that the policy is really working fine. So I expect a tested/working policy in one to two weeks. ^ permalink raw reply [flat|nested] 23+ messages in thread
* [refpolicy] services_nut.patch 2009-12-21 10:14 ` Stefan Schulze Frielinghaus @ 2009-12-25 12:55 ` Stefan Schulze Frielinghaus 2010-01-29 16:20 ` Miroslav Grepl 2010-02-09 13:47 ` Christopher J. PeBenito 0 siblings, 2 replies; 23+ messages in thread From: Stefan Schulze Frielinghaus @ 2009-12-25 12:55 UTC (permalink / raw) To: refpolicy
On Mon, 2009-12-21 at 11:14 +0100, Stefan Schulze Frielinghaus wrote:
> On Fri, 2009-12-18 at 08:53 -0500, Christopher J. PeBenito wrote:
> [...]
> > Was there any resolution on this?
>
> Yes, but I had no physical access to my UPS for the last two weeks. At the end of this week I will have physical access again and then I will check that the policy is really working fine. So I expect a tested/working policy in one to two weeks.

I'm taking the discussion back on list. Miroslav, from the latest policy I did not change anything except that I removed the duplicate policies for the cgi scripts and uncommented the *_ups_port() stuff.

I'm fine with the attached policy (tested several times including a shutdown and cgi services). Is the policy OK for you too?

-------------- next part --------------
A non-text attachment was scrubbed... Name: corenetwork.te.in.patch Type: text/x-patch Size: 745 bytes Desc: not available Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20091225/276f25a8/attachment.bin
-------------- next part --------------
/etc/ups(/.*)?				gen_context(system_u:object_r:nut_conf_t,s0)

/sbin/upsdrvctl			--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)

/usr/sbin/upsd			--	gen_context(system_u:object_r:nut_upsd_exec_t,s0)
/usr/sbin/upsmon		--	gen_context(system_u:object_r:nut_upsmon_exec_t,s0)

/var/run/nut(/.*)?			gen_context(system_u:object_r:nut_var_run_t,s0)

/var/www/nut-cgi-bin/upsimage\.cgi	--	gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
/var/www/nut-cgi-bin/upsset\.cgi	--	gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
/var/www/nut-cgi-bin/upsstats\.cgi	--	gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
-------------- next part --------------
## <summary>SELinux policy for nut - Network UPS Tools </summary>
-------------- next part --------------
policy_module(nut, 1.0.0)

########################################
#
# Declarations
#

type nut_upsd_t;
type nut_upsd_exec_t;
init_daemon_domain(nut_upsd_t, nut_upsd_exec_t)

type nut_upsmon_t;
type nut_upsmon_exec_t;
init_daemon_domain(nut_upsmon_t, nut_upsmon_exec_t)

type nut_upsdrvctl_t;
type nut_upsdrvctl_exec_t;
init_daemon_domain(nut_upsdrvctl_t, nut_upsdrvctl_exec_t)

# conf files
type nut_conf_t;
files_config_file(nut_conf_t)

# pid files
type nut_var_run_t;
files_pid_file(nut_var_run_t)

########################################
#
# Local policy for upsd
#

allow nut_upsd_t self:capability { setgid setuid };
allow nut_upsd_t self:unix_dgram_socket { create_socket_perms sendto };
allow nut_upsd_t self:tcp_socket connected_stream_socket_perms;
allow nut_upsd_t nut_upsdrvctl_t:unix_stream_socket connectto;

read_files_pattern(nut_upsd_t, nut_conf_t, nut_conf_t)

# pid file
manage_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
manage_dirs_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
manage_sock_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
files_pid_filetrans(nut_upsd_t, nut_var_run_t, { file sock_file })

corenet_tcp_bind_ups_port(nut_upsd_t)
corenet_tcp_bind_generic_port(nut_upsd_t)
corenet_tcp_bind_all_nodes(nut_upsd_t)

kernel_read_kernel_sysctls(nut_upsd_t)

# /etc/nsswitch.conf
auth_use_nsswitch(nut_upsd_t)

files_read_usr_files(nut_upsd_t)

logging_send_syslog_msg(nut_upsd_t)

miscfiles_read_localization(nut_upsd_t)

########################################
#
# Local policy for upsmon
#

allow nut_upsmon_t self:capability { dac_override dac_read_search setgid setuid };
allow nut_upsmon_t self:fifo_file rw_fifo_file_perms;
allow nut_upsmon_t self:unix_dgram_socket { create_socket_perms sendto };
allow nut_upsmon_t self:tcp_socket create_socket_perms;

read_files_pattern(nut_upsmon_t, nut_conf_t, nut_conf_t)

# pid file
manage_files_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t)
manage_dirs_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t)
files_pid_filetrans(nut_upsmon_t, nut_var_run_t, { file })

# upsmon talks to upsd over the ups port
corenet_tcp_connect_ups_port(nut_upsmon_t)
corenet_tcp_connect_generic_port(nut_upsmon_t)

corecmd_exec_bin(nut_upsmon_t)
corecmd_exec_shell(nut_upsmon_t)

kernel_read_kernel_sysctls(nut_upsmon_t)
kernel_read_system_state(nut_upsmon_t)

# Creates /etc/killpower
files_manage_etc_runtime_files(nut_upsmon_t)
files_etc_filetrans_etc_runtime(nut_upsmon_t, file)

auth_use_nsswitch(nut_upsmon_t)

files_search_usr(nut_upsmon_t)

logging_send_syslog_msg(nut_upsmon_t)

miscfiles_read_localization(nut_upsmon_t)

# /usr/bin/wall
term_write_all_terms(nut_upsmon_t)

# upsmon runs shutdown, probably need a shutdown domain
init_rw_utmp(nut_upsmon_t)
init_telinit(nut_upsmon_t)

########################################
#
# Local policy for upsdrvctl
#

allow nut_upsdrvctl_t self:capability { dac_override kill setgid setuid };
allow nut_upsdrvctl_t self:process { sigchld signal signull };
allow nut_upsdrvctl_t self:fd use;
allow nut_upsdrvctl_t self:fifo_file rw_fifo_file_perms;
allow nut_upsdrvctl_t self:unix_dgram_socket { create_socket_perms sendto };
allow nut_upsdrvctl_t self:udp_socket create_socket_perms;

read_files_pattern(nut_upsdrvctl_t, nut_conf_t, nut_conf_t)

# pid file
manage_files_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t)
manage_dirs_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t)
manage_sock_files_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t)
files_pid_filetrans(nut_upsdrvctl_t, nut_var_run_t, { file sock_file })

# /sbin/upsdrvctl executes other drivers
corecmd_exec_bin(nut_upsdrvctl_t)
corecmd_exec_sbin(nut_upsdrvctl_t)

kernel_read_kernel_sysctls(nut_upsdrvctl_t)

# /etc/nsswitch.conf
auth_use_nsswitch(nut_upsdrvctl_t)

dev_read_urand(nut_upsdrvctl_t)
dev_rw_generic_usb_dev(nut_upsdrvctl_t)

term_use_unallocated_ttys(nut_upsdrvctl_t)

logging_send_syslog_msg(nut_upsdrvctl_t)

miscfiles_read_localization(nut_upsdrvctl_t)

init_sigchld(nut_upsdrvctl_t)

#######################################
#
# Local policy for upscgi scripts
# requires httpd_enable_cgi and httpd_can_network_connect
#

optional_policy(`
	apache_content_template(nutups_cgi)

	read_files_pattern(httpd_nutups_cgi_script_t, nut_conf_t, nut_conf_t)

	corenet_tcp_connect_ups_port(httpd_nutups_cgi_script_t)
')

^ permalink raw reply [flat|nested] 23+ messages in thread
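The file_contexts fragment in the attachment above decides which of the three nut_* domains a binary transitions into, and a path that matches no entry keeps its generic label and never transitions at all. The following Python resolver is an added example written for this page, not libselinux or refpolicy code: it parses the exact entries from the attachment (the `--` qualifier restricts an entry to regular files, `(/.*)?` covers a directory and everything under it, and every regex is anchored at both ends), then looks up constructed sample paths. The "last matching entry wins" rule is a simplification of libselinux, which additionally orders entries by stem and regex length, so confirm any real result with `matchpathcon`.

```python
"""Resolve paths against file_contexts entries, the way a relabel or
matchpathcon lookup does.  Added example for the .fc fragment in the message
above, not libselinux or refpolicy code.  The entries are copied from that
fragment; the sample paths are constructed; "last matching entry wins" is a
simplification of libselinux, which also orders entries by stem and regex
length, so confirm on a live system with matchpathcon."""
import re
import stat
from typing import NamedTuple, Optional

FILE_CONTEXTS = r"""
/etc/ups(/.*)?                          gen_context(system_u:object_r:nut_conf_t,s0)
/sbin/upsdrvctl                     --  gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/usr/sbin/upsd                      --  gen_context(system_u:object_r:nut_upsd_exec_t,s0)
/usr/sbin/upsmon                    --  gen_context(system_u:object_r:nut_upsmon_exec_t,s0)
/var/run/nut(/.*)?                      gen_context(system_u:object_r:nut_var_run_t,s0)
/var/www/nut-cgi-bin/upsimage\.cgi  --  gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
/var/www/nut-cgi-bin/upsset\.cgi    --  gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
/var/www/nut-cgi-bin/upsstats\.cgi  --  gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
"""

# file type qualifier -> st_mode format bits, see file_contexts(5)
TYPE_FLAGS = {"--": stat.S_IFREG, "-d": stat.S_IFDIR, "-l": stat.S_IFLNK,
              "-s": stat.S_IFSOCK, "-p": stat.S_IFIFO, "-b": stat.S_IFBLK,
              "-c": stat.S_IFCHR}
REG, DIR = stat.S_IFREG, stat.S_IFDIR   # aliases for callers

ENTRY_RE = re.compile(
    r"^(?P<regex>\S+)\s+(?:(?P<ftype>-[-dlspbc])\s+)?"
    r"(?:gen_context\((?P<ctx>[^,]+),(?P<mls>[^)]+)\)|(?P<plain>\S+))$")


class Spec(NamedTuple):
    regex: re.Pattern
    ftype: Optional[int]       # None: entry applies to any file type
    context: str


def parse_file_contexts(text: str, mls: bool = True) -> list:
    """Parse .fc text; gen_context() keeps its level only in an MLS/MCS build."""
    specs = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: cannot parse {line!r}")
        ctx = m["plain"] or m["ctx"] + (":" + m["mls"] if mls else "")
        ftype = TYPE_FLAGS[m["ftype"]] if m["ftype"] else None
        # libselinux anchors every entry at both ends, so /etc/ups(/.*)?
        # matches /etc/ups and everything below it but not /etc/upsd
        specs.append(Spec(re.compile("^" + m["regex"] + "$"), ftype, ctx))
    return specs


def lookup(specs, path: str, st_mode: int) -> Optional[str]:
    """Context for `path` with file type `st_mode`, or None when no entry
    matches.  None for a daemon binary means it keeps the generic label
    (bin_t), so exec'ing it from init would not transition into the
    nut_* domain and the daemon would run unconfined by this module."""
    fmt = stat.S_IFMT(st_mode)
    for spec in reversed(specs):            # last matching entry wins
        if spec.ftype is not None and spec.ftype != fmt:
            continue
        if spec.regex.match(path):
            return spec.context
    return None


def type_of(specs, path: str, st_mode: int) -> Optional[str]:
    """Just the type field of the matched context, e.g. nut_conf_t."""
    ctx = lookup(specs, path, st_mode)
    return ctx.split(":")[2] if ctx else None


SPECS = parse_file_contexts(FILE_CONTEXTS)

if __name__ == "__main__":
    for p, m in [("/etc/ups", DIR), ("/etc/ups/upsd.users", REG),
                 ("/usr/sbin/upsd", REG), ("/usr/sbin/upsdrvctl", REG),
                 ("/var/run/nut/upsd.pid", REG),
                 ("/var/www/nut-cgi-bin/upsstats.cgi", REG)]:
        print(f"{p:40s} -> {type_of(SPECS, p, m)}")
```

The `/usr/sbin/upsdrvctl` lookup returning nothing is the point worth checking on a real install: the attachment only labels `/sbin/upsdrvctl`, so a distribution that ships the binary elsewhere would start it in the generic bin_t label and it would never enter nut_upsdrvctl_t.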
* [refpolicy] services_nut.patch 2009-12-25 12:55 ` Stefan Schulze Frielinghaus @ 2010-01-29 16:20 ` Miroslav Grepl 2010-02-09 13:47 ` Christopher J. PeBenito 1 sibling, 0 replies; 23+ messages in thread From: Miroslav Grepl @ 2010-01-29 16:20 UTC (permalink / raw) To: refpolicy
On 12/25/2009 01:55 PM, Stefan Schulze Frielinghaus wrote:
> On Mon, 2009-12-21 at 11:14 +0100, Stefan Schulze Frielinghaus wrote:
>> On Fri, 2009-12-18 at 08:53 -0500, Christopher J. PeBenito wrote:
>> [...]
>>> Was there any resolution on this?
>>>
>> Yes, but I had no physical access to my UPS for the last two weeks. At the end of this week I will have physical access again and then I will check that the policy is really working fine. So I expect a tested/working policy in one to two weeks.
>>
> I take the discussion back on list. Miroslav, from the latest policy I did not change anything except I removed the duplicate policies for the cgi scripts and uncommented the *_ups_port() stuff.
>
> I'm fine with the attached policy (tested several times including a shutdown and cgi services). Is the policy OK for you too?
>
I apologize, but I missed this last post from Stefan. Actually, we use this policy in Fedora, so I believe the policy is ready. The following link includes the nut policy that we have in Fedora.

http://mgrepl.fedorapeople.org/SELinux/F12/services_nut.patch

Regards, Miroslav

^ permalink raw reply [flat|nested] 23+ messages in thread
* [refpolicy] services_nut.patch 2009-12-25 12:55 ` Stefan Schulze Frielinghaus 2010-01-29 16:20 ` Miroslav Grepl @ 2010-02-09 13:47 ` Christopher J. PeBenito 1 sibling, 0 replies; 23+ messages in thread From: Christopher J. PeBenito @ 2010-02-09 13:47 UTC (permalink / raw) To: refpolicy On Fri, 2009-12-25 at 13:55 +0100, Stefan Schulze Frielinghaus wrote: > On Mon, 2009-12-21 at 11:14 +0100, Stefan Schulze Frielinghaus wrote: > > On Fri, 2009-12-18 at 08:53 -0500, Christopher J. PeBenito wrote: > > [...] > > > Was there any resolution on this? > > > > Yes, but I had no physical access to my UPS for the last two weeks. At > > the end of this week I will have physical access again and then I will > > check that the policy is really working fine. So I expect a > > tested/working policy in one to two weeks. > > I take the discussion back on list. Miroslav, from the latest policy I > did not change anything except I removed the duplicate policies for the > cgi scripts and uncommented the *_ups_port() stuff. > > I'm fine with the attached policy (tested several times including a > shutdown and cgi services). Is the policy OK for you too? Merged. -- Chris PeBenito Tresys Technology, LLC (410) 290-1411 x150 ^ permalink raw reply [flat|nested] 23+ messages in thread
* [refpolicy] services_nut.patch @ 2010-02-23 20:28 Daniel J Walsh 2010-02-24 15:53 ` Stefan Schulze Frielinghaus 0 siblings, 1 reply; 23+ messages in thread From: Daniel J Walsh @ 2010-02-23 20:28 UTC (permalink / raw) To: refpolicy http://people.fedoraproject.org/~dwalsh/SELinux/F13/services_nut.patch Latest nut policy. ^ permalink raw reply [flat|nested] 23+ messages in thread
* [refpolicy] services_nut.patch 2010-02-23 20:28 Daniel J Walsh @ 2010-02-24 15:53 ` Stefan Schulze Frielinghaus 2010-02-24 17:14 ` Daniel J Walsh 0 siblings, 1 reply; 23+ messages in thread From: Stefan Schulze Frielinghaus @ 2010-02-24 15:53 UTC (permalink / raw) To: refpolicy
On Tue, 2010-02-23 at 15:28 -0500, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F13/services_nut.patch
>
> Latest nut policy.

The following rules are unnecessary because they are already included by the interface apache_content_template as soon as the booleans httpd_enable_cgi and httpd_can_network_connect are enabled:

+ corenet_all_recvfrom_unlabeled(httpd_nutups_cgi_script_t)
+ corenet_all_recvfrom_netlabel(httpd_nutups_cgi_script_t)
+ corenet_tcp_sendrecv_generic_if(httpd_nutups_cgi_script_t)
+ corenet_tcp_sendrecv_generic_node(httpd_nutups_cgi_script_t)
+ corenet_tcp_sendrecv_all_ports(httpd_nutups_cgi_script_t)
 corenet_tcp_connect_ups_port(httpd_nutups_cgi_script_t)
+ corenet_udp_sendrecv_generic_if(httpd_nutups_cgi_script_t)
+ corenet_udp_sendrecv_generic_node(httpd_nutups_cgi_script_t)
+ corenet_udp_sendrecv_all_ports(httpd_nutups_cgi_script_t)
+
+ sysnet_dns_name_resolve(httpd_nutups_cgi_script_t)

Is it really necessary to include the dac_override permissions for nut_upsd_t? I thought that the upsd daemon runs as a non-root user where no dac_override permissions are used.

-allow nut_upsd_t self:capability { setgid setuid };
+allow nut_upsd_t self:capability { setgid setuid dac_override };

If you still have the AVC message and maybe some information about the setup, then I would like to dig a bit deeper into this because I use nut and would like to make it more secure ;-) Maybe the capabilities can even be dropped.

Guess the sbin rules are not necessary for refpolicy:

+corecmd_exec_sbin(nut_upsdrvctl_t)

^ permalink raw reply [flat|nested] 23+ messages in thread
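Review bot: in the CGI hunk, `corenet_tcp_sendrecv_all_ports`, `corenet_udp_sendrecv_generic_if`/`_node` and `corenet_udp_sendrecv_all_ports` give httpd_nutups_cgi_script_t send/receive rights on every TCP and UDP port, while the only connection this module sets up for it is `corenet_tcp_connect_ups_port(httpd_nutups_cgi_script_t)` and there is no UDP connect or bind rule at all, so the UDP lines look copied from a template rather than driven by a denial. If the Fedora apache template really no longer carries the boolean-gated network access, narrow the additions to the ups port (a `network_port(ups, ...)` declaration also generates a `corenet_tcp_sendrecv_ups_port` interface) and keep `sysnet_dns_name_resolve` only if the CGI scripts are expected to reach upsd by host name; in either case a comment explaining why this differs from upstream would stop the two versions diverging silently.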
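Review bot: `+allow nut_upsd_t self:capability { setgid setuid dac_override };` adds a capability without a comment recording which access was denied. upsd is root only until it has bound its ports and then drops to the nut user, so a dac_override denial from this domain usually means a file or directory it touched while still root has the wrong owner or mode, which is an ownership or labeling fix rather than a policy one; quote the triggering AVC in a comment, and if ownership was the cause drop the capability again so the domain does not keep CAP_DAC_OVERRIDE for a path it should never have needed.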
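Review bot: `+corecmd_exec_sbin(nut_upsdrvctl_t)` duplicates `corecmd_exec_bin(nut_upsdrvctl_t)`, which the merged module earlier in this thread already calls for the same domain and which covers the driver binaries under /sbin in upstream refpolicy, where sbin no longer has a separate type; drop the sbin line before resubmitting so the module builds cleanly against upstream.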
* [refpolicy] services_nut.patch 2010-02-24 15:53 ` Stefan Schulze Frielinghaus @ 2010-02-24 17:14 ` Daniel J Walsh 2010-02-26 9:00 ` Stefan Schulze Frielinghaus 0 siblings, 1 reply; 23+ messages in thread From: Daniel J Walsh @ 2010-02-24 17:14 UTC (permalink / raw) To: refpolicy
On 02/24/2010 10:53 AM, Stefan Schulze Frielinghaus wrote:
> On Tue, 2010-02-23 at 15:28 -0500, Daniel J Walsh wrote:
>> http://people.fedoraproject.org/~dwalsh/SELinux/F13/services_nut.patch
>>
>> Latest nut policy.
>>
> The following rules are unnecessary because they are already included by the interface apache_content_template as soon as the booleans httpd_enable_cgi and httpd_can_network_connect are enabled:
>
> + corenet_all_recvfrom_unlabeled(httpd_nutups_cgi_script_t)
> + corenet_all_recvfrom_netlabel(httpd_nutups_cgi_script_t)
> + corenet_tcp_sendrecv_generic_if(httpd_nutups_cgi_script_t)
> + corenet_tcp_sendrecv_generic_node(httpd_nutups_cgi_script_t)
> + corenet_tcp_sendrecv_all_ports(httpd_nutups_cgi_script_t)
>  corenet_tcp_connect_ups_port(httpd_nutups_cgi_script_t)
> + corenet_udp_sendrecv_generic_if(httpd_nutups_cgi_script_t)
> + corenet_udp_sendrecv_generic_node(httpd_nutups_cgi_script_t)
> + corenet_udp_sendrecv_all_ports(httpd_nutups_cgi_script_t)
> +
> + sysnet_dns_name_resolve(httpd_nutups_cgi_script_t)
>
OK, this is a difference between the apache interface in upstream and mine. I removed the network access set by those booleans from the interface and made it httpd_sys_script_t specific. I don't believe those interfaces should be affected by booleans. I don't want my bugzilla cgi to suddenly have network access just because httpd_sys_script_t needs it.

> Is it really necessary to include the dac_override permissions for nut_upsd_t? I thought that the upsd daemon runs as a non root user where no dac_override permissions are used.
>
> -allow nut_upsd_t self:capability { setgid setuid };
> +allow nut_upsd_t self:capability { setgid setuid dac_override };
>
> If you still have the AVC message and maybe some information of the setup, then I would like to dig a bit deeper into this because I use nut and would like to make it more secure ;-) Maybe the capabilities can even be dropped.
>
> Guess the sbin rules are not necessary for refpolicy:
>
> +corecmd_exec_sbin(nut_upsdrvctl_t)
>
Oops, that is a bug.

dac_override can come in because a file has bad ownership.

^ permalink raw reply [flat|nested] 23+ messages in thread
* [refpolicy] services_nut.patch 2010-02-24 17:14 ` Daniel J Walsh @ 2010-02-26 9:00 ` Stefan Schulze Frielinghaus 2010-02-26 13:39 ` Daniel J Walsh 0 siblings, 1 reply; 23+ messages in thread From: Stefan Schulze Frielinghaus @ 2010-02-26 9:00 UTC (permalink / raw) To: refpolicy
On Wed, 2010-02-24 at 12:14 -0500, Daniel J Walsh wrote:
> On 02/24/2010 10:53 AM, Stefan Schulze Frielinghaus wrote:
> > On Tue, 2010-02-23 at 15:28 -0500, Daniel J Walsh wrote:
> >> http://people.fedoraproject.org/~dwalsh/SELinux/F13/services_nut.patch
> >>
> >> Latest nut policy.
> >>
> > The following rules are unnecessary because they are already included by the interface apache_content_template as soon as the booleans httpd_enable_cgi and httpd_can_network_connect are enabled:
> >
> > + corenet_all_recvfrom_unlabeled(httpd_nutups_cgi_script_t)
> > + corenet_all_recvfrom_netlabel(httpd_nutups_cgi_script_t)
> > + corenet_tcp_sendrecv_generic_if(httpd_nutups_cgi_script_t)
> > + corenet_tcp_sendrecv_generic_node(httpd_nutups_cgi_script_t)
> > + corenet_tcp_sendrecv_all_ports(httpd_nutups_cgi_script_t)
> >  corenet_tcp_connect_ups_port(httpd_nutups_cgi_script_t)
> > + corenet_udp_sendrecv_generic_if(httpd_nutups_cgi_script_t)
> > + corenet_udp_sendrecv_generic_node(httpd_nutups_cgi_script_t)
> > + corenet_udp_sendrecv_all_ports(httpd_nutups_cgi_script_t)
> > +
> > + sysnet_dns_name_resolve(httpd_nutups_cgi_script_t)
> >
> Ok this is a difference between apache interface in upstream and mine. I removed network access set by those booleans from the interface to httpd_sys_script_t specific. I don't believe those interfaces should be effected by booleans. I don't want my bugzilla cgi to suddenly have network access just because httpd_sys_script_t needs it.

Yeah, I like this idea.

> > Is it really necessary to include the dac_override permissions for nut_upsd_t? I thought that the upsd daemon runs as a non root user where no dac_override permissions are used.
> >
> > -allow nut_upsd_t self:capability { setgid setuid };
> > +allow nut_upsd_t self:capability { setgid setuid dac_override };
> >
> > If you still have the AVC message and maybe some information of the setup, then I would like to dig a bit deeper into this because I use nut and would like to make it more secure ;-) Maybe the capabilities can even be dropped.
> >
> > Guess the sbin rules are not necessary for refpolicy:
> >
> > +corecmd_exec_sbin(nut_upsdrvctl_t)
> >
> Oops that is a bug.
>
> dac_override can come in because a file has bad ownership.

upsd runs by default as user nut on Fedora and EPEL. It should never run as root.

^ permalink raw reply [flat|nested] 23+ messages in thread
* [refpolicy] services_nut.patch 2010-02-26 9:00 ` Stefan Schulze Frielinghaus @ 2010-02-26 13:39 ` Daniel J Walsh 2010-02-26 14:23 ` Stefan Schulze Frielinghaus 0 siblings, 1 reply; 23+ messages in thread From: Daniel J Walsh @ 2010-02-26 13:39 UTC (permalink / raw) To: refpolicy
On 02/26/2010 04:00 AM, Stefan Schulze Frielinghaus wrote:
> On Mi, 2010-02-24 at 12:14 -0500, Daniel J Walsh wrote:
>> On 02/24/2010 10:53 AM, Stefan Schulze Frielinghaus wrote:
>>> On Di, 2010-02-23 at 15:28 -0500, Daniel J Walsh wrote:
>>>> http://people.fedoraproject.org/~dwalsh/SELinux/F13/services_nut.patch
>>>>
>>>> Latest nut policy.
>>>>
>>> The following rules are unnecessary because they are already included by the interface apache_content_template as soon as the booleans httpd_enable_cgi and httpd_can_network_connect are enabled:
>>>
>>> + corenet_all_recvfrom_unlabeled(httpd_nutups_cgi_script_t)
>>> + corenet_all_recvfrom_netlabel(httpd_nutups_cgi_script_t)
>>> + corenet_tcp_sendrecv_generic_if(httpd_nutups_cgi_script_t)
>>> + corenet_tcp_sendrecv_generic_node(httpd_nutups_cgi_script_t)
>>> + corenet_tcp_sendrecv_all_ports(httpd_nutups_cgi_script_t)
>>>  corenet_tcp_connect_ups_port(httpd_nutups_cgi_script_t)
>>> + corenet_udp_sendrecv_generic_if(httpd_nutups_cgi_script_t)
>>> + corenet_udp_sendrecv_generic_node(httpd_nutups_cgi_script_t)
>>> + corenet_udp_sendrecv_all_ports(httpd_nutups_cgi_script_t)
>>> +
>>> + sysnet_dns_name_resolve(httpd_nutups_cgi_script_t)
>>>
>> Ok this is a difference between apache interface in upstream and mine. I removed network access set by those booleans from the interface to httpd_sys_script_t specific. I don't believe those interfaces should be effected by booleans. I don't want my bugzilla cgi to suddenly have network access just because httpd_sys_script_t needs it.
>>
> Yeah, I like this idea.
>
>>> Is it really necessary to include the dac_override permissions for nut_upsd_t? I thought that the upsd daemon runs as a non root user where no dac_override permissions are used.
>>>
>>> -allow nut_upsd_t self:capability { setgid setuid };
>>> +allow nut_upsd_t self:capability { setgid setuid dac_override };
>>>
>>> If you still have the AVC message and maybe some information of the setup, then I would like to dig a bit deeper into this because I use nut and would like to make it more secure ;-) Maybe the capabilities can even be dropped.
>>>
>>> Guess the sbin rules are not necessary for refpolicy:
>>>
>>> +corecmd_exec_sbin(nut_upsdrvctl_t)
>>>
>> Oops that is a bug.
>>
>> dac_override can come in because a file has bad ownership.
>>
> upsd runs per default as user nut on Fedora and EPEL. It should never run as root.
>
Then why does the policy have setuid/setgid?

^ permalink raw reply [flat|nested] 23+ messages in thread
* [refpolicy] services_nut.patch 2010-02-26 13:39 ` Daniel J Walsh @ 2010-02-26 14:23 ` Stefan Schulze Frielinghaus 0 siblings, 0 replies; 23+ messages in thread From: Stefan Schulze Frielinghaus @ 2010-02-26 14:23 UTC (permalink / raw) To: refpolicy
On Fri, 2010-02-26 at 08:39 -0500, Daniel J Walsh wrote:
> On 02/26/2010 04:00 AM, Stefan Schulze Frielinghaus wrote:
> > On Wed, 2010-02-24 at 12:14 -0500, Daniel J Walsh wrote:
> >> On 02/24/2010 10:53 AM, Stefan Schulze Frielinghaus wrote:
> >>> On Tue, 2010-02-23 at 15:28 -0500, Daniel J Walsh wrote:
> >>>> http://people.fedoraproject.org/~dwalsh/SELinux/F13/services_nut.patch
> >>>>
> >>>> Latest nut policy.
> >>>>
> >>> The following rules are unnecessary because they are already included by the interface apache_content_template as soon as the booleans httpd_enable_cgi and httpd_can_network_connect are enabled:
> >>>
> >>> + corenet_all_recvfrom_unlabeled(httpd_nutups_cgi_script_t)
> >>> + corenet_all_recvfrom_netlabel(httpd_nutups_cgi_script_t)
> >>> + corenet_tcp_sendrecv_generic_if(httpd_nutups_cgi_script_t)
> >>> + corenet_tcp_sendrecv_generic_node(httpd_nutups_cgi_script_t)
> >>> + corenet_tcp_sendrecv_all_ports(httpd_nutups_cgi_script_t)
> >>>  corenet_tcp_connect_ups_port(httpd_nutups_cgi_script_t)
> >>> + corenet_udp_sendrecv_generic_if(httpd_nutups_cgi_script_t)
> >>> + corenet_udp_sendrecv_generic_node(httpd_nutups_cgi_script_t)
> >>> + corenet_udp_sendrecv_all_ports(httpd_nutups_cgi_script_t)
> >>> +
> >>> + sysnet_dns_name_resolve(httpd_nutups_cgi_script_t)
> >>>
> >> Ok this is a difference between apache interface in upstream and mine. I removed network access set by those booleans from the interface to httpd_sys_script_t specific. I don't believe those interfaces should be effected by booleans. I don't want my bugzilla cgi to suddenly have network access just because httpd_sys_script_t needs it.
> >>
> > Yeah, I like this idea.
> >
> >>> Is it really necessary to include the dac_override permissions for nut_upsd_t? I thought that the upsd daemon runs as a non root user where no dac_override permissions are used.
> >>>
> >>> -allow nut_upsd_t self:capability { setgid setuid };
> >>> +allow nut_upsd_t self:capability { setgid setuid dac_override };
> >>>
> >>> If you still have the AVC message and maybe some information of the setup, then I would like to dig a bit deeper into this because I use nut and would like to make it more secure ;-) Maybe the capabilities can even be dropped.
> >>>
> >>> Guess the sbin rules are not necessary for refpolicy:
> >>>
> >>> +corecmd_exec_sbin(nut_upsdrvctl_t)
> >>>
> >> Oops that is a bug.
> >>
> >> dac_override can come in because a file has bad ownership.
> >>
> > upsd runs per default as user nut on Fedora and EPEL. It should never run as root.
> >
> Then why does the policy have setuid/setgid?

OK, I wasn't precise enough. upsd is started as root in the first place and then it drops its privileges and runs as user nut. This is even set up by the package maintainer:

    configure --with-user=%{name} --with-group=

In the end it shouldn't hurt to allow dac_override because in most cases the daemon will/should drop its privileges right after startup. You can circumvent this by adding the option "-u root" for upsd. I was just wondering why this rule is needed. I guess the daemon was running as root in your case. I did a quick test with strace:

    setgid(475) = 0
    setuid(57) = 0
    chdir("/var/run/nut")

/var/run/nut is owned by nut:nut and has mode 750. If the daemon runs as root then it would need dac_override permissions (before dropping privileges upsd only binds to two ports [IPv4/v6] and of course loads some libraries).

In summary, it shouldn't hurt to allow dac_override because in the default case the daemon will drop its privileges, which is recommended. I was just wondering because I haven't seen such a setup before.

^ permalink raw reply [flat|nested] 23+ messages in thread
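The privilege drop and the 0750 /var/run/nut directory described in the message above are exactly the situation in which the kernel's DAC check decides whether a capability gets consulted, and under SELinux every capability the kernel asks about but the domain does not allow shows up as an AVC denial, which is how rules like dac_override end up in a policy. The Python model below is an added example written for this page, not NUT, refpolicy or kernel code: uid 57 / gid 475 and the directory mode are taken from the strace excerpt above, the process descriptions are constructed, and the two check orderings reflect the 2.6-era kernel (CAP_DAC_OVERRIDE tried first, even for read-only or search access) and newer kernels (CAP_DAC_READ_SEARCH tried first for non-write access to a directory). It ignores POSIX ACLs, fsuid/fsgid and user-namespace checks. Run as root, a daemon that merely chdir()s into another user's 0750 directory trips dac_override first and dac_read_search second, which is why policies written from AVC logs carry both, as the upsmon block earlier in this thread does; after the drop to the nut user no capability is asked for at all.

```python
"""Model of the kernel's DAC check (generic_permission) for one access,
recording which capability checks it makes.  Added example for the upsd
dac_override discussion above; not NUT, refpolicy or kernel code.  uid 57 /
gid 475 and the 0750 mode of /var/run/nut come from the message, the task
descriptions are constructed."""
import stat
from dataclasses import dataclass

MAY_EXEC, MAY_WRITE, MAY_READ = 1, 2, 4


@dataclass(frozen=True)
class Inode:
    path: str
    uid: int
    gid: int
    mode: int                      # S_IFDIR/S_IFREG plus permission bits


@dataclass(frozen=True)
class Task:
    uid: int                       # fsuid of the process
    gid: int                       # fsgid
    groups: frozenset = frozenset()
    # capabilities the process may actually use; under SELinux that is its
    # capability set intersected with the self:capability rules of its domain
    caps: frozenset = frozenset()


def acl_bits(inode, task):
    """Pick the owner, group or other triplet, as the kernel's acl_permission_check does."""
    mode = inode.mode
    if task.uid == inode.uid:
        mode >>= 6
    elif task.gid == inode.gid or inode.gid in task.groups:
        mode >>= 3
    return mode & 7


def generic_permission(inode, task, mask, dac_override_first=True):
    """Return (granted, checks).

    `checks` lists the capability names the kernel asked for, in order.
    Under SELinux each check the domain does not allow is logged as an AVC
    denial for self:capability <name>, even when a later check grants the
    access, so the order decides what a policy writer sees in the log."""
    checks = []

    def capable(cap):
        checks.append(cap)
        return cap in task.caps

    if mask & ~acl_bits(inode, task) == 0:
        return True, checks            # plain rwx bits suffice, no capability asked

    is_dir = stat.S_ISDIR(inode.mode)
    if dac_override_first:
        # 2.6-era ordering: CAP_DAC_OVERRIDE is tried first even for a
        # read-only or search access, so a root daemon entering a 0750
        # directory owned by another user always trips dac_override first.
        if not (mask & MAY_EXEC) or (inode.mode & 0o111):
            if capable("dac_override"):
                return True, checks
        if mask == MAY_READ or (is_dir and not (mask & MAY_WRITE)):
            if capable("dac_read_search"):
                return True, checks
        return False, checks

    # newer ordering: non-write access to a directory asks for the weaker
    # CAP_DAC_READ_SEARCH before falling back to CAP_DAC_OVERRIDE
    if is_dir:
        if not (mask & MAY_WRITE) and capable("dac_read_search"):
            return True, checks
        return capable("dac_override"), checks
    if not (mask & MAY_EXEC) or (inode.mode & 0o111):
        if capable("dac_override"):
            return True, checks
    if mask == MAY_READ and capable("dac_read_search"):
        return True, checks
    return False, checks


NUT_UID, NUT_GID = 57, 475         # from setuid(57)/setgid(475) in the strace
VAR_RUN_NUT = Inode("/var/run/nut", NUT_UID, NUT_GID, stat.S_IFDIR | 0o750)


def chdir_as(task, dac_override_first=True):
    """chdir() needs search permission (MAY_EXEC) on the directory."""
    return generic_permission(VAR_RUN_NUT, task, MAY_EXEC, dac_override_first)


def demo():
    return {
        "nut after privilege drop": chdir_as(Task(NUT_UID, NUT_GID)),
        "root, domain without dac_override": chdir_as(Task(0, 0)),
        "root, domain with dac_override": chdir_as(Task(0, 0, caps=frozenset({"dac_override"}))),
        "root, newer kernel, dac_read_search only":
            chdir_as(Task(0, 0, caps=frozenset({"dac_read_search"})), dac_override_first=False),
    }


if __name__ == "__main__":
    for who, (ok, checks) in demo().items():
        print(f"{who:42s} {'allowed' if ok else 'denied':8s} capability checks: {checks}")
```

The practical reading of the output: a dac_override denial from nut_upsd_t is evidence that something ran as root against a path owned by nut, so the first question is whether the daemon was started with "-u root" or a file has the wrong owner, and only then whether the domain needs the capability; on a newer kernel the same mistake would surface as dac_read_search instead.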
* [refpolicy] services_nut.patch @ 2010-08-26 22:02 Daniel J Walsh 2010-09-15 13:16 ` Christopher J. PeBenito 0 siblings, 1 reply; 23+ messages in thread From: Daniel J Walsh @ 2010-08-26 22:02 UTC (permalink / raw) To: refpolicy
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

http://people.fedoraproject.org/~dwalsh/SELinux/F14/services_nut.patch

handle tmpfs /var/run

Executes shutdown

uses unix_stream sockets.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkx25GcACgkQrlYvE4MpobN1LwCbBMV2GssMvQwBc5davURVqe4T
bagAn3UaoBio39h8GEEBQQafSVt+IxiK
=6xWC
-----END PGP SIGNATURE-----

^ permalink raw reply [flat|nested] 23+ messages in thread
* [refpolicy] services_nut.patch 2010-08-26 22:02 Daniel J Walsh @ 2010-09-15 13:16 ` Christopher J. PeBenito 0 siblings, 0 replies; 23+ messages in thread From: Christopher J. PeBenito @ 2010-09-15 13:16 UTC (permalink / raw) To: refpolicy On 08/26/10 18:02, Daniel J Walsh wrote: > http://people.fedoraproject.org/~dwalsh/SELinux/F14/services_nut.patch > > handle tmpfs /var/run > > Executes shutdown > > uses unix_stream sockets. Merged. -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com ^ permalink raw reply [flat|nested] 23+ messages in thread
end of thread, other threads:[~2010-09-15 13:16 UTC | newest] Thread overview: 23+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2009-11-12 21:46 [refpolicy] services_nut.patch Daniel J Walsh 2009-11-16 14:31 ` Stefan Schulze Frielinghaus 2009-11-16 18:32 ` Daniel J Walsh 2009-11-22 14:59 ` Stefan Schulze Frielinghaus 2009-11-23 13:05 ` Miroslav Grepl 2009-11-23 14:36 ` Stefan Schulze Frielinghaus 2009-11-23 15:19 ` Christopher J. PeBenito 2009-11-23 16:04 ` Stefan Schulze Frielinghaus 2009-11-23 16:09 ` Stefan Schulze Frielinghaus 2009-11-23 17:17 ` Miroslav Grepl 2009-12-18 13:53 ` Christopher J. PeBenito 2009-12-21 10:14 ` Stefan Schulze Frielinghaus 2009-12-25 12:55 ` Stefan Schulze Frielinghaus 2010-01-29 16:20 ` Miroslav Grepl 2010-02-09 13:47 ` Christopher J. PeBenito -- strict thread matches above, loose matches on Subject: below -- 2010-02-23 20:28 Daniel J Walsh 2010-02-24 15:53 ` Stefan Schulze Frielinghaus 2010-02-24 17:14 ` Daniel J Walsh 2010-02-26 9:00 ` Stefan Schulze Frielinghaus 2010-02-26 13:39 ` Daniel J Walsh 2010-02-26 14:23 ` Stefan Schulze Frielinghaus 2010-08-26 22:02 Daniel J Walsh 2010-09-15 13:16 ` Christopher J. PeBenito