[refpolicy] [RFC/PATCH 1/1] system admin needs to use mdadm, but type is not allowed

[refpolicy] [RFC/PATCH 1/1] system admin needs to use mdadm, but type is not allowed

[Sven Vermeulen]

The system administrator (sysadm_r role) needs to use mdadm, but is not
allowed to use the mdadm_t nor mdadm_exec_t types.

Rather than extend raid_domtrans_mdadm to allow this as well, use a
raid_mdadm_role (a bit more conform other role usages).

The other users of raid_domtrans_mdadm are all domains that run in system_r
role, which does have this type allowed (as per the system/raid.te
definition), so it wouldn't hurt to use raid_domtrans_mdadm for this.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/roles/sysadm.te |    2 +-
 policy/modules/system/raid.if  |   23 +++++++++++++++++++++++
 2 files changed, 24 insertions(+), 1 deletions(-)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 4a8d146..47951d4 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -261,7 +261,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-	raid_domtrans_mdadm(sysadm_t)
+	raid_mdadm_role(sysadm_r, sysadm_t)
 ')
 
 optional_policy(`
diff --git a/policy/modules/system/raid.if b/policy/modules/system/raid.if
index c817fda..ff59e2c 100644
--- a/policy/modules/system/raid.if
+++ b/policy/modules/system/raid.if
@@ -47,3 +47,26 @@ interface(`raid_manage_mdadm_pid',`
 	# mdadm policy
 	allow $1 mdadm_var_run_t:file manage_file_perms;
 ')
+
+######################################
+## <summary>
+## 	Allow execution and transitioning into mdadm_t
+## </summary>
+## <param name="role">
+## 	<summary>
+##		Role allowed to access mdad_t domain
+##	</summary>
+## </param>
+## <param name="domain">
+## 	<summary>
+##		Domain allowed to transition
+##	</summary>
+## </param>
+#
+interface(`raid_mdadm_role',`
+	gen_require(`
+		type mdadm_t, mdadm_exec_t;
+	')
+	role $1 types { mdadm_t mdadm_exec_t };
+	raid_domtrans_mdadm($2)
+')
-- 
1.7.3.4

[refpolicy] [RFC/PATCH 1/1] system admin needs to use mdadm, but type is not allowed

[Sven Vermeulen]

After a quick discussion with dominique, new attempt due to two issues:

1. No need (or even forbidden) to have "role $1 types foo_exec_t"
2. Suggestion to use the raid_run_mdadm name instead of raid_mdadm_role. The
   idea here is to use raid_mdadm_role for prefixed domains (cfr. screen)
   whereas raid_run_mdadm is to transition and run into a specific domain

Without wanting to (re?)start any discussion on prefixed versus non-prefixed
domains, such a naming convention could help us to keep the reference policy
cleaner (and naming conventions easy).

Also, refpolicy InterfaceNaming document only talks about run, not role.

So, without much further ado... ;-)

  The system administrator (sysadm_r role) needs to use mdadm, but is not
  allowed to use the mdadm_t type.

  Rather than extend raid_domtrans_mdadm to allow this as well, use a
  raid_mdadm_role (a bit more conform other role usages).

  The other users of raid_domtrans_mdadm are all domains that run in system_r
  role, which does have this type allowed (as per the system/raid.te
  definition), so it wouldn't hurt to use raid_domtrans_mdadm for this.


Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/roles/sysadm.te |    2 +-
 policy/modules/system/raid.if  |   25 +++++++++++++++++++++++++
 2 files changed, 26 insertions(+), 1 deletions(-)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 4a8d146..c22a7fb 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -261,7 +261,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-	raid_domtrans_mdadm(sysadm_t)
+	raid_run_mdadm(sysadm_r, sysadm_t)
 ')
 
 optional_policy(`
diff --git a/policy/modules/system/raid.if b/policy/modules/system/raid.if
index c817fda..893a341 100644
--- a/policy/modules/system/raid.if
+++ b/policy/modules/system/raid.if
@@ -47,3 +47,28 @@ interface(`raid_manage_mdadm_pid',`
 	# mdadm policy
 	allow $1 mdadm_var_run_t:file manage_file_perms;
 ')
+
+######################################
+## <summary>
+##      Execute a domain transition to mdadm_t for the
+##      specified role, allowing it to use the mdadm_t
+##      domain
+## </summary>
+## <param name="role">
+##     <summary>
+##             Role allowed to access mdadm_t domain
+##     </summary>
+## </param>
+## <param name="domain">
+##     <summary>
+##             Domain allowed to transition to mdadm_t
+##     </summary>
+## </param>
+#
+interface(`raid_run_mdadm',`
+       gen_require(`
+               type mdadm_t;
+       ')
+       role $1 types mdadm_t;
+       raid_domtrans_mdadm($2)
+')
-- 
1.7.3.4

[refpolicy] [RFC/PATCH 1/1] system admin needs to use mdadm, but type is not allowed

[Christopher J. PeBenito]

On 04/28/11 16:44, Sven Vermeulen wrote:
> After a quick discussion with dominique, new attempt due to two issues:
> 
> 1. No need (or even forbidden) to have "role $1 types foo_exec_t"
> 2. Suggestion to use the raid_run_mdadm name instead of raid_mdadm_role. The
>    idea here is to use raid_mdadm_role for prefixed domains (cfr. screen)
>    whereas raid_run_mdadm is to transition and run into a specific domain
> 
> Without wanting to (re?)start any discussion on prefixed versus non-prefixed
> domains, such a naming convention could help us to keep the reference policy
> cleaner (and naming conventions easy).
> 
> Also, refpolicy InterfaceNaming document only talks about run, not role.
> 
> So, without much further ado... ;-)
> 
>   The system administrator (sysadm_r role) needs to use mdadm, but is not
>   allowed to use the mdadm_t type.
> 
>   Rather than extend raid_domtrans_mdadm to allow this as well, use a
>   raid_mdadm_role (a bit more conform other role usages).
> 
>   The other users of raid_domtrans_mdadm are all domains that run in system_r
>   role, which does have this type allowed (as per the system/raid.te
>   definition), so it wouldn't hurt to use raid_domtrans_mdadm for this.

Merged.

> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  policy/modules/roles/sysadm.te |    2 +-
>  policy/modules/system/raid.if  |   25 +++++++++++++++++++++++++
>  2 files changed, 26 insertions(+), 1 deletions(-)
> 
> diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
> index 4a8d146..c22a7fb 100644
> --- a/policy/modules/roles/sysadm.te
> +++ b/policy/modules/roles/sysadm.te
> @@ -261,7 +261,7 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> -	raid_domtrans_mdadm(sysadm_t)
> +	raid_run_mdadm(sysadm_r, sysadm_t)
>  ')
>  
>  optional_policy(`
> diff --git a/policy/modules/system/raid.if b/policy/modules/system/raid.if
> index c817fda..893a341 100644
> --- a/policy/modules/system/raid.if
> +++ b/policy/modules/system/raid.if
> @@ -47,3 +47,28 @@ interface(`raid_manage_mdadm_pid',`
>  	# mdadm policy
>  	allow $1 mdadm_var_run_t:file manage_file_perms;
>  ')
> +
> +######################################
> +## <summary>
> +##      Execute a domain transition to mdadm_t for the
> +##      specified role, allowing it to use the mdadm_t
> +##      domain
> +## </summary>
> +## <param name="role">
> +##     <summary>
> +##             Role allowed to access mdadm_t domain
> +##     </summary>
> +## </param>
> +## <param name="domain">
> +##     <summary>
> +##             Domain allowed to transition to mdadm_t
> +##     </summary>
> +## </param>
> +#
> +interface(`raid_run_mdadm',`
> +       gen_require(`
> +               type mdadm_t;
> +       ')
> +       role $1 types mdadm_t;
> +       raid_domtrans_mdadm($2)
> +')


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com