* [refpolicy] [PATCH v2 1/1] Support LDAP backend infrastructure
@ 2012-03-01 20:02 Sven Vermeulen
  2012-03-06 14:06 ` Christopher J. PeBenito
  0 siblings, 1 reply; 6+ messages in thread
From: Sven Vermeulen @ 2012-03-01 20:02 UTC (permalink / raw)
  To: refpolicy

The DHCP daemon supports LDAP backends (next to its file-based backend). 
This patch adds support for this through the dhcp_use_ldap boolean. We also
allow the DHCP daemon to bind to generic UDP ports (needed by ISC BIND proper
startup).

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 dhcp.te |   11 +++++++++++
 1 files changed, 11 insertions(+), 0 deletions(-)

diff --git a/dhcp.te b/dhcp.te
index d4424ad..ab04a3d 100644
--- a/dhcp.te
+++ b/dhcp.te
@@ -4,6 +4,12 @@ policy_module(dhcp, 1.9.0)
 #
 # Declarations
 #
+## <desc>
+## <p>
+##	Enable LDAP backend support for DHCP daemon.
+## </p>
+## </desc>
+gen_tunable(dhcp_use_ldap, false)
 
 type dhcpd_t;
 type dhcpd_exec_t;
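Review bot: the `## <desc>` text says what the boolean is for but not what access it grants, and these descriptions are the user-facing documentation of the tunable; consider wording it in terms of the access granted, e.g. `##	Allow the DHCP daemon to retrieve its configuration from an LDAP server.`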
@@ -68,6 +74,7 @@ corenet_tcp_bind_generic_node(dhcpd_t)
 corenet_udp_bind_generic_node(dhcpd_t)
 corenet_tcp_bind_dhcpd_port(dhcpd_t)
 corenet_udp_bind_dhcpd_port(dhcpd_t)
+corenet_udp_bind_generic_port(dhcpd_t)
 corenet_udp_bind_pxe_port(dhcpd_t)
 corenet_tcp_connect_all_ports(dhcpd_t)
 corenet_sendrecv_dhcpd_server_packets(dhcpd_t)
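Review bot: `corenet_udp_bind_generic_port(dhcpd_t)` is added unconditionally and has nothing to do with the LDAP tunable this patch introduces, so it belongs in its own commit with its own justification; the commit message attributes it to "ISC BIND proper startup" while the domain being changed is `dhcpd_t`. The follow-ups in this thread also show the denials are on `unreserved_port_t`, not on `port_t` which this interface covers, so the line should read `corenet_udp_bind_all_unreserved_ports(dhcpd_t)` with a comment explaining that the daemon binds an unnamed UDP socket while scanning interfaces rather than serving on a fixed port.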
@@ -105,6 +112,10 @@ ifdef(`distro_gentoo',`
 	allow dhcpd_t self:capability { chown dac_override setgid setuid sys_chroot };
 ')
 
+tunable_policy(`dhcp_use_ldap',`
+	sysnet_use_ldap(dhcpd_t)
+')
+
 optional_policy(`
 	# used for dynamic DNS
 	bind_read_dnssec_keys(dhcpd_t)
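Review bot: the new `tunable_policy` block has no comment saying which part of dhcpd needs the access, unlike the neighbouring `optional_policy` block (`# used for dynamic DNS`); add one line such as `# dhcpd can load its configuration from an LDAP directory` above `sysnet_use_ldap(dhcpd_t)` so the next reader knows why the interface is called here.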
-- 
1.7.3.4


* [refpolicy] [PATCH v2 1/1] Support LDAP backend infrastructure
  2012-03-01 20:02 [refpolicy] [PATCH v2 1/1] Support LDAP backend infrastructure Sven Vermeulen
@ 2012-03-06 14:06 ` Christopher J. PeBenito
  2012-03-06 20:10   ` Sven Vermeulen
  0 siblings, 1 reply; 6+ messages in thread
From: Christopher J. PeBenito @ 2012-03-06 14:06 UTC (permalink / raw)
  To: refpolicy

On 03/01/12 15:02, Sven Vermeulen wrote:
> The DHCP daemon supports LDAP backends (next to its file-based backend). 
> This patch adds support for this through the dhcp_use_ldap boolean. We also
> allow the DHCP daemon to bind to generic UDP ports (needed by ISC BIND proper
> startup).
> 
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  dhcp.te |   11 +++++++++++
>  1 files changed, 11 insertions(+), 0 deletions(-)
> 
> diff --git a/dhcp.te b/dhcp.te
> index d4424ad..ab04a3d 100644
> --- a/dhcp.te
> +++ b/dhcp.te
> @@ -4,6 +4,12 @@ policy_module(dhcp, 1.9.0)
>  #
>  # Declarations
>  #
> +## <desc>
> +## <p>
> +##	Enable LDAP backend support for DHCP daemon.
> +## </p>
> +## </desc>
> +gen_tunable(dhcp_use_ldap, false)
>  
>  type dhcpd_t;
>  type dhcpd_exec_t;
> @@ -68,6 +74,7 @@ corenet_tcp_bind_generic_node(dhcpd_t)
>  corenet_udp_bind_generic_node(dhcpd_t)
>  corenet_tcp_bind_dhcpd_port(dhcpd_t)
>  corenet_udp_bind_dhcpd_port(dhcpd_t)
> +corenet_udp_bind_generic_port(dhcpd_t)

Looks like a port needs to be defined.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


* [refpolicy] [PATCH v2 1/1] Support LDAP backend infrastructure
  2012-03-06 14:06 ` Christopher J. PeBenito
@ 2012-03-06 20:10   ` Sven Vermeulen
  2012-03-06 20:54     ` Sven Vermeulen
  0 siblings, 1 reply; 6+ messages in thread
From: Sven Vermeulen @ 2012-03-06 20:10 UTC (permalink / raw)
  To: refpolicy

On Tue, Mar 06, 2012 at 09:06:27AM -0500, Christopher J. PeBenito wrote:
> On 03/01/12 15:02, Sven Vermeulen wrote:
> > The DHCP daemon supports LDAP backends (next to its file-based backend). 
> > This patch adds support for this through the dhcp_use_ldap boolean. We also
> > allow the DHCP daemon to bind to generic UDP ports (needed by ISC BIND proper
> > startup).
[...]
> > @@ -68,6 +74,7 @@ corenet_tcp_bind_generic_node(dhcpd_t)
> >  corenet_udp_bind_generic_node(dhcpd_t)
> >  corenet_tcp_bind_dhcpd_port(dhcpd_t)
> >  corenet_udp_bind_dhcpd_port(dhcpd_t)
> > +corenet_udp_bind_generic_port(dhcpd_t)
> 
> Looks like a port needs to be defined.

Not really, but the call should be corenet_udp_bind_all_unreserved_ports,
not corenet_udp_bind_generic_port. Guess I'll have to go for personal
testing more than to accept an "it works" on a bug report :p

Mar  6 20:26:16 testsys kernel: [  933.044666] type=1400
audit(1331061976.847:95): avc:  denied  { name_bind } for  pid=15054
comm="dhcpd" src=10607 scontext=system_u:system_r:dhcpd_t
tcontext=system_u:object_r:unreserved_port_t tclass=udp_socket

Mar  6 20:26:17 testsys kernel: [  933.484279] type=1400
audit(1331061977.287:100): avc:  denied  { name_bind } for  pid=15065
comm="dhcpd" src=31290 scontext=system_u:system_r:dhcpd_t
tcontext=system_u:object_r:unreserved_port_t tclass=udp_socket

Mar  6 20:26:17 testsys kernel: [  933.484498] type=1400
audit(1331061977.287:101): avc:  denied  { name_bind } for  pid=15065
comm="dhcpd" src=14386 scontext=system_u:system_r:dhcpd_t
tcontext=system_u:object_r:unreserved_port_t tclass=udp_socket

Etcetera. But I'm going to revoke this from the patch for now, because it
isn't fully reproducible here: if I restart the DHCP daemon 10 times, it
fails 7 times and succeeds 3 times, without any changes to the policy, and
denials are not showing much useful info.

Wkr,
	Sven Vermeulen


* [refpolicy] [PATCH v2 1/1] Support LDAP backend infrastructure
  2012-03-06 20:10   ` Sven Vermeulen
@ 2012-03-06 20:54     ` Sven Vermeulen
  2012-03-12 13:09       ` Christopher J. PeBenito
  0 siblings, 1 reply; 6+ messages in thread
From: Sven Vermeulen @ 2012-03-06 20:54 UTC (permalink / raw)
  To: refpolicy

On Tue, Mar 06, 2012 at 09:10:22PM +0100, Sven Vermeulen wrote:
> > > @@ -68,6 +74,7 @@ corenet_tcp_bind_generic_node(dhcpd_t)
> > >  corenet_udp_bind_generic_node(dhcpd_t)
> > >  corenet_tcp_bind_dhcpd_port(dhcpd_t)
> > >  corenet_udp_bind_dhcpd_port(dhcpd_t)
> > > +corenet_udp_bind_generic_port(dhcpd_t)
> > 
> > Looks like a port needs to be defined.
> 
> Not really, but the call should be corenet_udp_bind_all_unreserved_ports,
> not corenet_udp_bind_generic_port. Guess I'll have to go for personal
> testing more than to accept an "it works" on a bug report :p

And *poof* there it goes.

Apparently, pre-20120215 policy, the ports were labeled port_t, in 20120215
they are labeled unreserved_port_t, which is why
corenet_udp_bind_generic_port was correct previously.

It doesn't bind to a particular port though. The bind is used by DHCP to
detect the open number of interfaces (see
common/discover.c::begin_iface_scan in the DHCP sources):

        ifaces->sock = socket(local_family, SOCK_DGRAM, IPPROTO_UDP);
        if (ioctl(ifaces->sock, SIOCGLIFNUM, &lifnum) < 0) {
                log_error("Error finding total number of interfaces; %m");
                close(ifaces->sock);
                ifaces->sock = -1;
                return 0;
        }

Wkr,
	Sven Vermeulen

> Mar  6 20:26:16 testsys kernel: [  933.044666] type=1400
> audit(1331061976.847:95): avc:  denied  { name_bind } for  pid=15054
> comm="dhcpd" src=10607 scontext=system_u:system_r:dhcpd_t
> tcontext=system_u:object_r:unreserved_port_t tclass=udp_socket
> 
> Mar  6 20:26:17 testsys kernel: [  933.484279] type=1400
> audit(1331061977.287:100): avc:  denied  { name_bind } for  pid=15065
> comm="dhcpd" src=31290 scontext=system_u:system_r:dhcpd_t
> tcontext=system_u:object_r:unreserved_port_t tclass=udp_socket
> 
> Mar  6 20:26:17 testsys kernel: [  933.484498] type=1400
> audit(1331061977.287:101): avc:  denied  { name_bind } for  pid=15065
> comm="dhcpd" src=14386 scontext=system_u:system_r:dhcpd_t
> tcontext=system_u:object_r:unreserved_port_t tclass=udp_socket
> 
> Etcetera. But I'm going to revoke this from the patch for now, because it
> isn't fully reproducible here: if I restart the DHCP daemon 10 times, it
> fails 7 times and succeeds 3 times, without any changes to the policy, and
> denials are not showing much useful info.
> 
> Wkr,
> 	Sven Vermeulen
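
The denials Sven posted above, together with his observation that the same bind hit `port_t` before refpolicy 20120215 and `unreserved_port_t` from that release on, make a good case for triaging AVC messages by target type rather than by symptom. The script below is an added example, not code from this thread or from refpolicy: it parses `name_bind` denials, maps the port type in `tcontext` to the corenet interface that would grant it, and counts denials per daemon start so an intermittent failure like the 7-out-of-10 one described above is visible in the numbers. The log lines are constructed from the denials quoted in this thread, rejoined onto one line each as they appear in a real audit log, plus one constructed `port_t` denial; the interface table covers only the port types this thread mentions, and unknown types are reported as `None` rather than guessed.

```python
"""Triage SELinux AVC name_bind denials and map them to refpolicy interfaces.

Added example; not code from the refpolicy thread or from refpolicy itself.
"""
import re
from collections import Counter

# Constructed sample: the three denials from the thread, each rejoined onto a
# single line as audit logs store them, plus one constructed port_t denial to
# show how the same bind looked under the pre-20120215 port labelling.
SAMPLE_LOG = """\
Mar  6 20:26:16 testsys kernel: [  933.044666] type=1400 audit(1331061976.847:95): avc:  denied  { name_bind } for  pid=15054 comm="dhcpd" src=10607 scontext=system_u:system_r:dhcpd_t tcontext=system_u:object_r:unreserved_port_t tclass=udp_socket
Mar  6 20:26:17 testsys kernel: [  933.484279] type=1400 audit(1331061977.287:100): avc:  denied  { name_bind } for  pid=15065 comm="dhcpd" src=31290 scontext=system_u:system_r:dhcpd_t tcontext=system_u:object_r:unreserved_port_t tclass=udp_socket
Mar  6 20:26:17 testsys kernel: [  933.484498] type=1400 audit(1331061977.287:101): avc:  denied  { name_bind } for  pid=15065 comm="dhcpd" src=14386 scontext=system_u:system_r:dhcpd_t tcontext=system_u:object_r:unreserved_port_t tclass=udp_socket
Mar  6 20:27:01 testsys kernel: [  977.000000] type=1400 audit(1331062021.000:110): avc:  denied  { name_bind } for  pid=15102 comm="dhcpd" src=20000 scontext=system_u:system_r:dhcpd_t tcontext=system_u:object_r:port_t tclass=udp_socket
"""

# refpolicy interfaces granting udp_socket name_bind on a given port type.
# Only the types discussed in this thread; other types need their own entry.
UDP_BIND_INTERFACE = {
    "port_t": "corenet_udp_bind_generic_port",
    "unreserved_port_t": "corenet_udp_bind_all_unreserved_ports",
    "dhcpd_port_t": "corenet_udp_bind_dhcpd_port",
    "pxe_port_t": "corenet_udp_bind_pxe_port",
}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _type_of(context):
    """Third field of user:role:type[:range]; the range is absent without MLS."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context


def parse_avc(line):
    """Return a dict describing one AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "perms": m.group("perms").split(),
        "pid": int(fields.get("pid", -1)),
        "comm": fields.get("comm", ""),
        "src": int(fields["src"]) if "src" in fields else None,
        "stype": _type_of(fields.get("scontext", "")),
        "ttype": _type_of(fields.get("tcontext", "")),
        "tclass": fields.get("tclass", ""),
    }


def _udp_name_bind_denials(log_text):
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d and d["tclass"] == "udp_socket" and "name_bind" in d["perms"]:
            yield d


def suggest_udp_bind_interfaces(log_text):
    """Map each (source type, port type) pair seen in UDP name_bind denials to
    the refpolicy interface that grants it; unknown port types map to None so
    they stand out instead of being silently dropped."""
    return {
        (d["stype"], d["ttype"]): UDP_BIND_INTERFACE.get(d["ttype"])
        for d in _udp_name_bind_denials(log_text)
    }


def count_denials_by_pid(log_text):
    """Denials per daemon instance: shows whether a failure is per start
    (one denial per pid) or per socket (several denials for the same pid)."""
    return dict(Counter(d["pid"] for d in _udp_name_bind_denials(log_text)))


if __name__ == "__main__":
    for (stype, ttype), iface in sorted(suggest_udp_bind_interfaces(SAMPLE_LOG).items()):
        print(f"{stype} binding {ttype}: {iface or 'no known interface'}")
    print("denials per pid:", count_denials_by_pid(SAMPLE_LOG))
```

A port type that comes back as `None` is the cue to look the type up (for example with `semanage port -l`) before writing a rule; as the thread shows, picking the interface for the wrong port type can pass an "it works" report on one policy release and fail on the next.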


* [refpolicy] [PATCH v2 1/1] Support LDAP backend infrastructure
  2012-03-06 20:54     ` Sven Vermeulen
@ 2012-03-12 13:09       ` Christopher J. PeBenito
  2012-03-12 13:11         ` Christopher J. PeBenito
  0 siblings, 1 reply; 6+ messages in thread
From: Christopher J. PeBenito @ 2012-03-12 13:09 UTC (permalink / raw)
  To: refpolicy

On 03/06/12 15:54, Sven Vermeulen wrote:
> On Tue, Mar 06, 2012 at 09:10:22PM +0100, Sven Vermeulen wrote:
>>>> @@ -68,6 +74,7 @@ corenet_tcp_bind_generic_node(dhcpd_t)
>>>>  corenet_udp_bind_generic_node(dhcpd_t)
>>>>  corenet_tcp_bind_dhcpd_port(dhcpd_t)
>>>>  corenet_udp_bind_dhcpd_port(dhcpd_t)
>>>> +corenet_udp_bind_generic_port(dhcpd_t)
>>>
>>> Looks like a port needs to be defined.
>>
>> Not really, but the call should be corenet_udp_bind_all_unreserved_ports,
>> not corenet_udp_bind_generic_port. Guess I'll have to go for personal
>> testing more than to accept an "it works" on a bug report :p

Sounds like the above is the change we need.  Please also add a comment that describes what you found below, so we can remember it next time this comes up.

> And *poof* there it goes.
> 
> Apparently, pre-20120215 policy, the ports were labeled port_t, in 20120215
> they are labeled unreserved_port_t, which is why
> corenet_udp_bind_generic_port was correct previously.
> 
> It doesn't bind to a particular port though. The bind is used by DHCP to
> detect the open number of interfaces (see
> common/discover.c::begin_iface_scan in the DHCP sources):
> 
>         ifaces->sock = socket(local_family, SOCK_DGRAM, IPPROTO_UDP);
>         if (ioctl(ifaces->sock, SIOCGLIFNUM, &lifnum) < 0) {
>                 log_error("Error finding total number of interfaces; %m");
>                 close(ifaces->sock);
>                 ifaces->sock = -1;
>                 return 0;
>         }
> 
> Wkr,
> 	Sven Vermeulen
> 
>> Mar  6 20:26:16 testsys kernel: [  933.044666] type=1400
>> audit(1331061976.847:95): avc:  denied  { name_bind } for  pid=15054
>> comm="dhcpd" src=10607 scontext=system_u:system_r:dhcpd_t
>> tcontext=system_u:object_r:unreserved_port_t tclass=udp_socket
>>
>> Mar  6 20:26:17 testsys kernel: [  933.484279] type=1400
>> audit(1331061977.287:100): avc:  denied  { name_bind } for  pid=15065
>> comm="dhcpd" src=31290 scontext=system_u:system_r:dhcpd_t
>> tcontext=system_u:object_r:unreserved_port_t tclass=udp_socket
>>
>> Mar  6 20:26:17 testsys kernel: [  933.484498] type=1400
>> audit(1331061977.287:101): avc:  denied  { name_bind } for  pid=15065
>> comm="dhcpd" src=14386 scontext=system_u:system_r:dhcpd_t
>> tcontext=system_u:object_r:unreserved_port_t tclass=udp_socket
>>
>> Etcetera. But I'm going to revoke this from the patch for now, because it
>> isn't fully reproducible here: if I restart the DHCP daemon 10 times, it
>> fails 7 times and succeeds 3 times, without any changes to the policy, and
>> denials are not showing much useful info.
>>
>> Wkr,
>> 	Sven Vermeulen


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


* [refpolicy] [PATCH v2 1/1] Support LDAP backend infrastructure
  2012-03-12 13:09       ` Christopher J. PeBenito
@ 2012-03-12 13:11         ` Christopher J. PeBenito
  0 siblings, 0 replies; 6+ messages in thread
From: Christopher J. PeBenito @ 2012-03-12 13:11 UTC (permalink / raw)
  To: refpolicy

On 03/12/12 09:09, Christopher J. PeBenito wrote:
> On 03/06/12 15:54, Sven Vermeulen wrote:
>> On Tue, Mar 06, 2012 at 09:10:22PM +0100, Sven Vermeulen wrote:
>>>>> @@ -68,6 +74,7 @@ corenet_tcp_bind_generic_node(dhcpd_t)
>>>>>  corenet_udp_bind_generic_node(dhcpd_t)
>>>>>  corenet_tcp_bind_dhcpd_port(dhcpd_t)
>>>>>  corenet_udp_bind_dhcpd_port(dhcpd_t)
>>>>> +corenet_udp_bind_generic_port(dhcpd_t)
>>>>
>>>> Looks like a port needs to be defined.
>>>
>>> Not really, but the call should be corenet_udp_bind_all_unreserved_ports,
>>> not corenet_udp_bind_generic_port. Guess I'll have to go for personal
>>> testing more than to accept an "it works" on a bug report :p
> 
> Sounds like the above is the change we need.  Please also add a comment that describes what you found below, so we can remember it next time this comes up.

To clarify: a comment in the policy, not just in the commit message.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

