From: cpebenito@tresys.com (Christopher J. PeBenito)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH 1/1] Add kup server utils module.
Date: Wed, 22 Feb 2012 09:14:07 -0500
Message-ID: <4F44F82F.1060905@tresys.com>
In-Reply-To: <1329250800.8039.24.camel@i5.mricon.com>

On 02/14/12 15:20, Konstantin Ryabitsev wrote:
> Reworking to match the style guide better.
> I think I got the module order right this time.
Overall it seems ok, but needs some style cleanup, as noted below.
> Signed-off-by: Konstantin Ryabitsev <mricon@kernel.org>
> ---
> kup.fc | 8 ++++
> kup.if | 128 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> kup.te | 84 ++++++++++++++++++++++++++++++++++++++++++
> 3 files changed, 220 insertions(+), 0 deletions(-)
> create mode 100644 kup.fc
> create mode 100644 kup.if
> create mode 100644 kup.te
>
> diff --git a/kup.fc b/kup.fc
> new file mode 100644
> index 0000000..e2e929f
> --- /dev/null
> +++ b/kup.fc
> @@ -0,0 +1,8 @@
> +/usr/bin/kup-server -- gen_context(system_u:object_r:kup_server_exec_t,s0)
> +/etc/kup(/.*)? gen_context(system_u:object_r:kup_server_etc_t,s0)
/etc above /usr
> +/var/lib/kup -d gen_context(system_u:object_r:kup_server_var_lib_t,s0)
> +/var/lib/kup/pgp(/.*)? gen_context(system_u:object_r:kup_server_var_lib_t,s0)
> +/var/lib/kup/pub(/.*)? gen_context(system_u:object_r:kup_server_content_rw_t,s0)
> +/var/lib/kup/tmp(/.*)? gen_context(system_u:object_r:kup_server_content_rw_t,s0)
> +/var/run/kup(/.*)? gen_context(system_u:object_r:kup_server_var_run_t,s0)
> +
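Review bot: /var/lib/kup/pub(/.*)? and /var/lib/kup/tmp(/.*)? map to the same type, kup_server_content_rw_t, so any domain given kup_server_read_content() in kup.if can read whatever sits in tmp as well as pub. If tmp is a staging area for uploads that are not yet final, label it with a separate type declared in kup.te so that readers of published content are not also granted the staging directory. The hunk also ends with an empty added line that can be dropped.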
> diff --git a/kup.if b/kup.if
> new file mode 100644
> index 0000000..f55dffd
> --- /dev/null
> +++ b/kup.if
> @@ -0,0 +1,128 @@
> +## <summary>Kernel.org Uploader server utilities</summary>
> +
> +
> +########################################
> +## <summary>
> +## Execute a domain transition to run kup.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to transition.
> +## </summary>
> +## </param>
> +#
> +interface(`kup_server_domtrans',`
> + gen_require(`
> + type kup_server_t, kup_server_exec_t;
> + ')
> +
These look like spaces rather than tabs.
> + domtrans_pattern($1, kup_server_exec_t, kup_server_t)
> +')
> +
> +########################################
> +## <summary>
> +## Read content uploaded via kup.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to transition.
> +## </summary>
> +## </param>
> +#
> +interface(`kup_server_read_content',`
> + gen_require(`
> + type kup_server_content_rw_t;
> + ')
> +
> + files_search_var_lib($1)
> + read_files_pattern($1, kup_server_content_rw_t, kup_server_content_rw_t)
> + list_dirs_pattern($1, kup_server_content_rw_t, kup_server_content_rw_t)
> +')
> +
> +########################################
> +## <summary>
> +## Create, read, write, and delete
> +## content uploaded via kup.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to transition.
> +## </summary>
> +## </param>
> +#
> +interface(`kup_server_manage_content',`
> + gen_require(`
> + type kup_server_content_rw_t;
> + ')
> +
> + files_search_var_lib($1)
> + manage_files_pattern($1, kup_server_content_rw_t, kup_server_content_rw_t)
> + manage_dirs_pattern($1, kup_server_content_rw_t, kup_server_content_rw_t)
> +')
> +
> +
> +########################################
> +## <summary>
> +## Execute kup in the kup domain, and
> +## allow the specified role the kup domain.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to transition.
> +## </summary>
> +## </param>
> +## <param name="role">
> +## <summary>
> +## The role to be allowed to transition.
> +## </summary>
> +## </param>
> +#
> +interface(`kup_server_run',`
> + gen_require(`
> + type kup_server_t;
> + ')
> +
> + kup_server_domtrans($1)
> + role $2 types kup_server_t;
> +')
> +
> +########################################
> +## <summary>
> +## All of the rules required to administrate
> +## an kup environment
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <param name="role">
> +## <summary>
> +## Role allowed access.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`kup_server_admin',`
> + gen_require(`
> + type kup_server_t;
> + type kup_server_etc_t;
> + type kup_server_var_lib_t;
> + type kup_server_content_rw_t;
> + type kup_server_var_run_t;
> + ')
> +
> + allow $1 kup_server_t:process { ptrace signal_perms };
> + ps_process_pattern($1, kup_server_t)
> +
> + files_search_etc($1)
> + admin_pattern($1, kup_server_etc_t)
> +
> + files_search_var_lib($1)
> + admin_pattern($1, kup_server_var_lib_t)
> + admin_pattern($1, kup_server_content_rw_t)
> +
> + files_search_pids($1)
> + admin_pattern($1, kup_server_var_run_t)
> +
> +')
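Review bot: kup_server_admin documents a role parameter ("Role allowed access.") but its body never references $2, so the argument has no effect; either use it or drop the <param name="role"> block. The same interface grants ptrace on kup_server_t in "allow $1 kup_server_t:process { ptrace signal_perms };", which is worth confirming as intended rather than carried over from a template. In kup_server_read_content and kup_server_manage_content the parameter summary reads "Domain allowed to transition." although neither performs a transition; "Domain allowed access." matches what they grant.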
> diff --git a/kup.te b/kup.te
> new file mode 100644
> index 0000000..8e88b02
> --- /dev/null
> +++ b/kup.te
> @@ -0,0 +1,84 @@
> +policy_module(kup,1.0.0)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +type kup_server_t;
> +type kup_server_exec_t;
> +application_domain(kup_server_t, kup_server_exec_t)
> +
> +type kup_server_content_rw_t;
> +files_type(kup_server_content_rw_t)
Unless there's the possibility of having read-only content, kup_server_content_t would be fine.
> +type kup_server_etc_t;
> +files_config_file(kup_server_etc_t);
> +
> +type kup_server_var_lib_t;
> +files_type(kup_server_var_lib_t)
> +
> +type kup_server_var_run_t;
> +# not really a pid file, but the policy suits what we want to do
> +files_pid_file(kup_server_var_run_t)
> +
> +########################################
> +#
> +# kup_server local policy
> +#
> +
> +allow kup_server_t self:process { setrlimit signal };
> +allow kup_server_t self:fifo_file manage_fifo_file_perms;
> +
> +manage_dirs_pattern(kup_server_t, kup_server_content_rw_t, kup_server_content_rw_t)
> +manage_dirs_pattern(kup_server_t, kup_server_var_run_t, kup_server_var_run_t)
> +manage_files_pattern(kup_server_t, kup_server_content_rw_t, kup_server_content_rw_t)
> +manage_files_pattern(kup_server_t, kup_server_var_run_t, kup_server_var_run_t)
These should be grouped by type, so e.g. the two content lines should be grouped together
> +read_files_pattern(kup_server_t, kup_server_etc_t, kup_server_etc_t)
> +read_files_pattern(kup_server_t, kup_server_var_lib_t, kup_server_var_lib_t)
> +read_lnk_files_pattern(kup_server_t, kup_server_content_rw_t, kup_server_content_rw_t)
> +
> +########################################
> +#
> +# Kernel layer modules
> +#
> +
> +# xz wants to read /proc/meminfo
> +kernel_read_system_state(kup_server_t)
> +
> +# executing gzip, bzip2, xz
> +corecmd_exec_bin(kup_server_t)
> +
> +# gathering entropy for uniqueness
> +dev_read_urand(kup_server_t)
> +
> +domain_use_interactive_fds(kup_server_t)
> +
> +files_read_usr_files(kup_server_t)
> +
> +files_pid_filetrans(kup_server_t, kup_server_var_run_t, { dir file })
> +files_var_lib_filetrans(kup_server_t, kup_server_content_rw_t, { dir file })
These can go up, grouped with the appropriate manage_*_pattern for the target type.
> +miscfiles_read_localization(kup_server_t)
> +
> +########################################
> +#
> +# System layer modules
> +#
Comment blocks like the above are unnecessary.
> +# looking up user info
> +auth_use_nsswitch(kup_server_t)
> +
> +logging_send_syslog_msg(kup_server_t)
> +
> +# Temp.pm wants to stat bits in the userdir
> +userdom_getattr_user_home_dirs(kup_server_t)
> +
> +########################################
> +#
> +# Other modules
> +#
> +
> +# accessing git trees for kup put --tar and --diff
> +git_read_generic_system_content_files(kup_server_t)
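Review bot: files_var_lib_filetrans(kup_server_t, kup_server_content_rw_t, { dir file }) sets up the type transition for objects created in directories of the generic /var/lib type, but kup.fc labels /var/lib/kup itself kup_server_var_lib_t, and this file gives kup_server_t only read_files_pattern on that type. As written, the transition applies to anything the domain creates directly in /var/lib and does not cover creating pub or tmp under /var/lib/kup. If those directories are pre-created and labelled from kup.fc, the transition can be dropped; otherwise it needs a filetrans_pattern on kup_server_var_lib_t together with the directory permissions to add entries there. Separately, "files_config_file(kup_server_etc_t);" carries a trailing semicolon that the other macro calls do not.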
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com