[refpolicy] services_nut.patch

[mgrepl@redhat.com (Miroslav Grepl)]

On 11/22/2009 03:59 PM, Stefan Schulze Frielinghaus wrote:
> On Mon, 2009-11-16 at 13:32 -0500, Daniel J Walsh wrote:
>    
>> On 11/16/2009 09:31 AM, Stefan Schulze Frielinghaus wrote:
>>      
>>> On Thu, 2009-11-12 at 16:46 -0500, Daniel J Walsh wrote:
>>>        
>>>> http://people.fedoraproject.org/~dwalsh/SELinux/F12/services_nut.patch
>>>>
>>>> nut policy.
>>>>          
>>> Some time ago I wrote a policy for NUT too (s. attachment). I guess you
>>> tested your policy with a UPS connected via USB. Maybe we could merge
>>> both policies because I tested my with the SNMP module of NUT.
>>>
>>> One note about your policy. Shouldn't we prefix all domains with "nut_"?
>>> This would indicate that e.g. each executable comes from the NUT
>>> project. Then we could also define one type for /var/run/nut (in my
>>> policy it is just nut_var_run_t) because the three main domains
>>> nut_upsd_t, nut_upsdrvctl_t and nut_upsmon_t write to the same location,
>>> share e.g. a socket file.
>>>
>>> I would also like to introduce a type for config files because clear
>>> text passwords are saved in there.
>>>
>>> Your domain upsmon_t needs also to write to all terms because it
>>> announces information via "wall". It also seems to miss the following
>>> permissions which are needed if upsmon_t should execute /sbin/shutdown
>>> (we still do not have a shutdown policy):
>>>
>>> files_rw_generic_pids(nut_upsmon_t)
>>> init_exec(nut_upsmon_t)
>>> init_rw_initctl(nut_upsmon_t)
>>> init_write_utmp(nut_upsmon_t)
>>>
>>> What are your thoughts?
>>> It tested my policy on CentOS 5.3 with a couple of dozen
>>> restarts/shutdowns. Debugging restarts/shutdowns is hell ;-)
>>>
>>> cheers,
>>> Stefan
>>>        
>> Actually I believe Miroslav wrote this policy so I will forward this to hem and you and he can work on consolidating the policies.
>>
>> I agree with your points and your naming is fine.
>>      
> Hi Miroslav,
>
> attached is the merged policy.
Hi Stefan,


>   Just a few questions left. In your
> original policy you had the following rule
>
> corenet_tcp_connect_ups_port(upsmon_t)
>
> I can't find any such port definition in refpolicy.
>
>    
+network_port(ups, tcp,3493,s0)

This is missing in the original patch.

> Another question, what is the intention of the following
>
> permissive upsd_t;
> permissive upsdrvctl_t;
> permissive upsmon_t;
>
> Does that make the domain permissive by default?
Yes, it does. We add new domains to permissive so we can fix all the avc's without blocking of functionality apps.

> I'm unsure about these
> ones.
>
> cheers,
> Stefan
>    
Regards,

Miroslav