* [refpolicy] [PATCH v1 0/6] Various fixes to the ntp policy module
@ 2012-08-13 10:52 Dominick Grift
  2012-08-13 10:52 ` [refpolicy] [PATCH v1 1/6] Introduce ntp_conf_t Dominick Grift
                   ` (6 more replies)
  0 siblings, 7 replies; 11+ messages in thread
From: Dominick Grift @ 2012-08-13 10:52 UTC (permalink / raw)
  To: refpolicy

The previous patch was bad.

Dominick Grift (6):
  Introduce ntp_conf_t config file type and use that instead of
    net_conf_t so that ntp_admin() does not need access to network
    configuration to be able to manage ntpd.
  There is no need for ntp_admin() to be able to get attributes of the
    ntpd process.
  Allow ntp_admin() to manage ntp_drift_t content.
  Allow ntp_admin() to list etc_t directories to be able to list ntp
    configuration content.
  Use "Role allowed access." for consistency
  Use permissions sets for compatibility.

 ntp.fc |  4 ++--
 ntp.if | 11 ++++++-----
 ntp.te |  7 ++++++-
 3 files changed, 14 insertions(+), 8 deletions(-)

-- 
1.7.11.2

^ permalink raw reply	[flat|nested] 11+ messages in thread

* [refpolicy] [PATCH v1 1/6] Introduce ntp_conf_t
  2012-08-13 10:52 [refpolicy] [PATCH v1 0/6] Various fixes to the ntp policy module Dominick Grift
@ 2012-08-13 10:52 ` Dominick Grift
  2012-08-13 10:52 ` [refpolicy] [PATCH v1 2/6] Remove getattr permission from ntp_admin() Dominick Grift
                   ` (5 subsequent siblings)
  6 siblings, 0 replies; 11+ messages in thread
From: Dominick Grift @ 2012-08-13 10:52 UTC (permalink / raw)
  To: refpolicy

Introduce ntp_conf_t config file type and use that
instead of net_conf_t so that ntp_admin() does not need
access to network configuration to be able to manage
ntpd.

Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
---
 ntp.fc | 4 ++--
 ntp.if | 4 ++--
 ntp.te | 5 +++++
 3 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/ntp.fc b/ntp.fc
index e79dccc..05fa48d 100644
--- a/ntp.fc
+++ b/ntp.fc
@@ -2,11 +2,11 @@
 /etc/cron\.(daily|weekly)/ntp-simple -- gen_context(system_u:object_r:ntpd_exec_t,s0)
 /etc/cron\.(daily|weekly)/ntp-server -- gen_context(system_u:object_r:ntpd_exec_t,s0)
 
-/etc/ntpd?\.conf.*		--	gen_context(system_u:object_r:net_conf_t,s0)
+/etc/ntpd?\.conf.*		--	gen_context(system_u:object_r:ntp_conf_t,s0)
 /etc/ntp/crypto(/.*)?			gen_context(system_u:object_r:ntpd_key_t,s0)
 /etc/ntp/data(/.*)?			gen_context(system_u:object_r:ntp_drift_t,s0)
 /etc/ntp/keys			--	gen_context(system_u:object_r:ntpd_key_t,s0)
-/etc/ntp/step-tickers.*		--	gen_context(system_u:object_r:net_conf_t,s0)
+/etc/ntp/step-tickers.*		--	gen_context(system_u:object_r:ntp_conf_t,s0)
 
 /etc/rc\.d/init\.d/ntpd		--	gen_context(system_u:object_r:ntpd_initrc_exec_t,s0)
 
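Review bot: Relabelling /etc/ntpd?\.conf.* and /etc/ntp/step-tickers.* from net_conf_t to ntp_conf_t takes these files out of every rule written against net_conf_t, and the only read access this patch gives back is the ntpd_t rule in ntp.te. If any other domain is expected to read ntp.conf or step-tickers, add a read interface for ntp_conf_t to ntp.if in the same patch, and mention in the commit message that installed systems need these paths relabelled.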
diff --git a/ntp.if b/ntp.if
index e80f8c0..d56b635 100644
--- a/ntp.if
+++ b/ntp.if
@@ -140,7 +140,7 @@ interface(`ntp_rw_shm',`
 interface(`ntp_admin',`
 	gen_require(`
 		type ntpd_t, ntpd_tmp_t, ntpd_log_t;
-		type ntpd_key_t, ntpd_var_run_t;
+		type ntpd_key_t, ntpd_var_run_t, ntp_conf_t;
 		type ntpd_initrc_exec_t;
 	')
 
@@ -152,7 +152,7 @@ interface(`ntp_admin',`
 	role_transition $2 ntpd_initrc_exec_t system_r;
 	allow $2 system_r;
 
-	admin_pattern($1, ntpd_key_t)
+	admin_pattern($1, { ntpd_key_t ntp_conf_t })
 
 	logging_list_logs($1)
 	admin_pattern($1, ntpd_log_t)
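Review bot: The admin_pattern($1, { ntpd_key_t ntp_conf_t }) line lets $1 manage ntp_conf_t files, but ntp.fc places those files directly in /etc and this patch gives $1 no access to the etc_t directory that holds them. The files_list_etc($1) call only arrives in 4/6; fold it into this patch so that each step of the series leaves ntp_admin() usable on its own.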
diff --git a/ntp.te b/ntp.te
index c61adc8..08bcd96 100644
--- a/ntp.te
+++ b/ntp.te
@@ -15,6 +15,9 @@ init_daemon_domain(ntpd_t, ntpd_exec_t)
 type ntpd_initrc_exec_t;
 init_script_file(ntpd_initrc_exec_t)
 
+type ntp_conf_t;
+files_config_file(ntp_conf_t)
+
 type ntpd_key_t;
 files_type(ntpd_key_t)
 
@@ -54,6 +57,8 @@ manage_files_pattern(ntpd_t, ntp_drift_t, ntp_drift_t)
 
 can_exec(ntpd_t, ntpd_exec_t)
 
+allow ntpd_t ntp_conf_t:file read_file_perms;
+
 read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
 read_lnk_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
 
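Review bot: The added "allow ntpd_t ntp_conf_t:file read_file_perms;" covers the file only. ntp.fc in this patch puts ntp_conf_t files in /etc and /etc/ntp, so ntpd_t also needs search on those directories; confirm that a rule elsewhere in ntp.te (not visible in this hunk) already provides it, otherwise ntpd loses access to its configuration after the relabel.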
-- 
1.7.11.2

^ permalink raw reply related	[flat|nested] 11+ messages in thread

* [refpolicy] [PATCH v1 2/6] Remove getattr permission from ntp_admin()
  2012-08-13 10:52 [refpolicy] [PATCH v1 0/6] Various fixes to the ntp policy module Dominick Grift
  2012-08-13 10:52 ` [refpolicy] [PATCH v1 1/6] Introduce ntp_conf_t Dominick Grift
@ 2012-08-13 10:52 ` Dominick Grift
  2012-08-14 12:40   ` Christopher J. PeBenito
  2012-08-13 10:52 ` [refpolicy] [PATCH v1 3/6] Allow ntp_admin() to manage ntp_drift_t content Dominick Grift
                   ` (4 subsequent siblings)
  6 siblings, 1 reply; 11+ messages in thread
From: Dominick Grift @ 2012-08-13 10:52 UTC (permalink / raw)
  To: refpolicy

There is no need for ntp_admin() to be able to get
attributes of the ntpd process.

Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
---
 ntp.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ntp.if b/ntp.if
index d56b635..b47bc35 100644
--- a/ntp.if
+++ b/ntp.if
@@ -144,7 +144,7 @@ interface(`ntp_admin',`
 		type ntpd_initrc_exec_t;
 	')
 
-	allow $1 ntpd_t:process { ptrace signal_perms getattr };
+	allow $1 ntpd_t:process { ptrace signal_perms };
 	ps_process_pattern($1, ntpd_t)
 
 	init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
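Review bot: The commit message should give the real reason the explicit getattr can leave the "allow $1 ntpd_t:process" line: ps_process_pattern($1, ntpd_t) on the next line already grants process getattr, so the permission is redundant rather than unneeded. As worded, "There is no need ... to get attributes" reads as a removal of access, which is the objection raised later in this thread.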
-- 
1.7.11.2

^ permalink raw reply related	[flat|nested] 11+ messages in thread

* [refpolicy] [PATCH v1 3/6] Allow ntp_admin() to manage ntp_drift_t content.
  2012-08-13 10:52 [refpolicy] [PATCH v1 0/6] Various fixes to the ntp policy module Dominick Grift
  2012-08-13 10:52 ` [refpolicy] [PATCH v1 1/6] Introduce ntp_conf_t Dominick Grift
  2012-08-13 10:52 ` [refpolicy] [PATCH v1 2/6] Remove getattr permission from ntp_admin() Dominick Grift
@ 2012-08-13 10:52 ` Dominick Grift
  2012-08-13 10:52 ` [refpolicy] [PATCH v1 4/6] List etc_t directories Dominick Grift
                   ` (3 subsequent siblings)
  6 siblings, 0 replies; 11+ messages in thread
From: Dominick Grift @ 2012-08-13 10:52 UTC (permalink / raw)
  To: refpolicy

Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
---
 ntp.if | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ntp.if b/ntp.if
index b47bc35..07a45bf 100644
--- a/ntp.if
+++ b/ntp.if
@@ -141,7 +141,7 @@ interface(`ntp_admin',`
 	gen_require(`
 		type ntpd_t, ntpd_tmp_t, ntpd_log_t;
 		type ntpd_key_t, ntpd_var_run_t, ntp_conf_t;
-		type ntpd_initrc_exec_t;
+		type ntpd_initrc_exec_t, ntp_drift_t;
 	')
 
 	allow $1 ntpd_t:process { ptrace signal_perms };
@@ -152,7 +152,7 @@ interface(`ntp_admin',`
 	role_transition $2 ntpd_initrc_exec_t system_r;
 	allow $2 system_r;
 
-	admin_pattern($1, { ntpd_key_t ntp_conf_t })
+	admin_pattern($1, { ntpd_key_t ntp_conf_t ntp_drift_t })
 
 	logging_list_logs($1)
 	admin_pattern($1, ntpd_log_t)
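Review bot: This commit has no body, so nothing states why the admin domain needs full management of ntp_drift_t through admin_pattern($1, { ntpd_key_t ntp_conf_t ntp_drift_t }). Add a sentence to the message saying what an administrator is expected to do with the drift data, since admin_pattern grants considerably more than read access.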
-- 
1.7.11.2

^ permalink raw reply related	[flat|nested] 11+ messages in thread

* [refpolicy] [PATCH v1 4/6] List etc_t directories
  2012-08-13 10:52 [refpolicy] [PATCH v1 0/6] Various fixes to the ntp policy module Dominick Grift
                   ` (2 preceding siblings ...)
  2012-08-13 10:52 ` [refpolicy] [PATCH v1 3/6] Allow ntp_admin() to manage ntp_drift_t content Dominick Grift
@ 2012-08-13 10:52 ` Dominick Grift
  2012-08-13 10:52 ` [refpolicy] [PATCH v1 5/6] Use "Role allowed access." for consistency Dominick Grift
                   ` (2 subsequent siblings)
  6 siblings, 0 replies; 11+ messages in thread
From: Dominick Grift @ 2012-08-13 10:52 UTC (permalink / raw)
  To: refpolicy

Allow ntp_admin() to list etc_t directories to be able
to list ntp configuration content.

Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
---
 ntp.if | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ntp.if b/ntp.if
index 07a45bf..00752ec 100644
--- a/ntp.if
+++ b/ntp.if
@@ -152,6 +152,7 @@ interface(`ntp_admin',`
 	role_transition $2 ntpd_initrc_exec_t system_r;
 	allow $2 system_r;
 
+	files_list_etc($1)
 	admin_pattern($1, { ntpd_key_t ntp_conf_t ntp_drift_t })
 
 	logging_list_logs($1)
-- 
1.7.11.2

^ permalink raw reply related	[flat|nested] 11+ messages in thread

* [refpolicy] [PATCH v1 5/6] Use "Role allowed access." for consistency
  2012-08-13 10:52 [refpolicy] [PATCH v1 0/6] Various fixes to the ntp policy module Dominick Grift
                   ` (3 preceding siblings ...)
  2012-08-13 10:52 ` [refpolicy] [PATCH v1 4/6] List etc_t directories Dominick Grift
@ 2012-08-13 10:52 ` Dominick Grift
  2012-08-13 10:52 ` [refpolicy] [PATCH v1 6/6] Use permissions sets for compatibility Dominick Grift
  2012-08-14 13:32 ` [refpolicy] [PATCH v1 0/6] Various fixes to the ntp policy module Christopher J. PeBenito
  6 siblings, 0 replies; 11+ messages in thread
From: Dominick Grift @ 2012-08-13 10:52 UTC (permalink / raw)
  To: refpolicy

Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
---
 ntp.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ntp.if b/ntp.if
index 00752ec..e4e72b1 100644
--- a/ntp.if
+++ b/ntp.if
@@ -132,7 +132,7 @@ interface(`ntp_rw_shm',`
 ## </param>
 ## <param name="role">
 ##	<summary>
-##	The role to be allowed to manage the ntp domain.
+##	Role allowed access.
 ##	</summary>
 ## </param>
 ## <rolecap/>
-- 
1.7.11.2

^ permalink raw reply related	[flat|nested] 11+ messages in thread

* [refpolicy] [PATCH v1 6/6] Use permissions sets for compatibility.
  2012-08-13 10:52 [refpolicy] [PATCH v1 0/6] Various fixes to the ntp policy module Dominick Grift
                   ` (4 preceding siblings ...)
  2012-08-13 10:52 ` [refpolicy] [PATCH v1 5/6] Use "Role allowed access." for consistency Dominick Grift
@ 2012-08-13 10:52 ` Dominick Grift
  2012-08-14 13:32 ` [refpolicy] [PATCH v1 0/6] Various fixes to the ntp policy module Christopher J. PeBenito
  6 siblings, 0 replies; 11+ messages in thread
From: Dominick Grift @ 2012-08-13 10:52 UTC (permalink / raw)
  To: refpolicy

Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
---
 ntp.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ntp.te b/ntp.te
index 08bcd96..997f393 100644
--- a/ntp.te
+++ b/ntp.te
@@ -62,7 +62,7 @@ allow ntpd_t ntp_conf_t:file read_file_perms;
 read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
 read_lnk_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
 
-allow ntpd_t ntpd_log_t:dir setattr;
+allow ntpd_t ntpd_log_t:dir setattr_dir_perms;
 manage_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
 logging_log_filetrans(ntpd_t, ntpd_log_t, { file dir })
 
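Review bot: The subject says only "for compatibility" and the commit has no body, so it is unclear what setattr_dir_perms on the ntpd_log_t:dir rule is meant to be compatible with. State the reason in the message, and if the aim is to move the module to permission sets in general, say whether the other raw permissions in ntp.te were checked as well.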
-- 
1.7.11.2

^ permalink raw reply related	[flat|nested] 11+ messages in thread

* [refpolicy] [PATCH v1 2/6] Remove getattr permission from ntp_admin()
  2012-08-13 10:52 ` [refpolicy] [PATCH v1 2/6] Remove getattr permission from ntp_admin() Dominick Grift
@ 2012-08-14 12:40   ` Christopher J. PeBenito
  2012-08-14 13:15     ` Dominick Grift
  0 siblings, 1 reply; 11+ messages in thread
From: Christopher J. PeBenito @ 2012-08-14 12:40 UTC (permalink / raw)
  To: refpolicy

On 08/13/12 06:52, Dominick Grift wrote:
> There is no need for ntp_admin() to be able to get
> attributes of the ntpd process.
> 
> Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
> ---
>  ntp.if | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/ntp.if b/ntp.if
> index d56b635..b47bc35 100644
> --- a/ntp.if
> +++ b/ntp.if
> @@ -144,7 +144,7 @@ interface(`ntp_admin',`
>  		type ntpd_initrc_exec_t;
>  	')
>  
> -	allow $1 ntpd_t:process { ptrace signal_perms getattr };
> +	allow $1 ntpd_t:process { ptrace signal_perms };
>  	ps_process_pattern($1, ntpd_t)
>  
>  	init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
 
I disagree, it's reasonable to make sure it's running in the right domain, which requires this permission to read /proc/pid/attr/current.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

^ permalink raw reply	[flat|nested] 11+ messages in thread

* [refpolicy] [PATCH v1 2/6] Remove getattr permission from ntp_admin()
  2012-08-14 12:40   ` Christopher J. PeBenito
@ 2012-08-14 13:15     ` Dominick Grift
  2012-08-14 13:38       ` Christopher J. PeBenito
  0 siblings, 1 reply; 11+ messages in thread
From: Dominick Grift @ 2012-08-14 13:15 UTC (permalink / raw)
  To: refpolicy



On Tue, 2012-08-14 at 08:40 -0400, Christopher J. PeBenito wrote:
> On 08/13/12 06:52, Dominick Grift wrote:
> > There is no need for ntp_admin() to be able to get
> > attributes of the ntpd process.
> > 
> > Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
> > ---
> >  ntp.if | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/ntp.if b/ntp.if
> > index d56b635..b47bc35 100644
> > --- a/ntp.if
> > +++ b/ntp.if
> > @@ -144,7 +144,7 @@ interface(`ntp_admin',`
> >  		type ntpd_initrc_exec_t;
> >  	')
> >  
> > -	allow $1 ntpd_t:process { ptrace signal_perms getattr };
> > +	allow $1 ntpd_t:process { ptrace signal_perms };
> >  	ps_process_pattern($1, ntpd_t)
> >  
> >  	init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
>  
> I disagree, it's reasonable to make sure it's running in the right domain, which requires this permission to read /proc/pid/attr/current.
> 

It's already allowed with

ps_process_pattern($1, ntpd_t)

^ permalink raw reply	[flat|nested] 11+ messages in thread

* [refpolicy] [PATCH v1 0/6] Various fixes to the ntp policy module
  2012-08-13 10:52 [refpolicy] [PATCH v1 0/6] Various fixes to the ntp policy module Dominick Grift
                   ` (5 preceding siblings ...)
  2012-08-13 10:52 ` [refpolicy] [PATCH v1 6/6] Use permissions sets for compatibility Dominick Grift
@ 2012-08-14 13:32 ` Christopher J. PeBenito
  6 siblings, 0 replies; 11+ messages in thread
From: Christopher J. PeBenito @ 2012-08-14 13:32 UTC (permalink / raw)
  To: refpolicy

On 08/13/12 06:52, Dominick Grift wrote:
> The previous patch was bad.
> 
> Dominick Grift (6):
>   Introduce ntp_conf_t config file type and use that instead of
>     net_conf_t so that ntp_admin() does not need access to network
>     configuration to be able to manage ntpd.
>   There is no need for ntp_admin() to be able to get attributes of the
>     ntpd process.
>   Allow ntp_admin() to manage ntp_drift_t content.
>   Allow ntp_admin() to list etc_t directories to be able to list ntp
>     configuration content.
>   Use "Role allowed access." for consistency
>   Use permissions sets for compatibility.
> 
>  ntp.fc |  4 ++--
>  ntp.if | 11 ++++++-----
>  ntp.te |  7 ++++++-
>  3 files changed, 14 insertions(+), 8 deletions(-)
> 

patches 1, 3-6 merged.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

^ permalink raw reply	[flat|nested] 11+ messages in thread

* [refpolicy] [PATCH v1 2/6] Remove getattr permission from ntp_admin()
  2012-08-14 13:15     ` Dominick Grift
@ 2012-08-14 13:38       ` Christopher J. PeBenito
  0 siblings, 0 replies; 11+ messages in thread
From: Christopher J. PeBenito @ 2012-08-14 13:38 UTC (permalink / raw)
  To: refpolicy

On 08/14/12 09:15, Dominick Grift wrote:
> 
> 
> On Tue, 2012-08-14 at 08:40 -0400, Christopher J. PeBenito wrote:
>> On 08/13/12 06:52, Dominick Grift wrote:
>>> There is no need for ntp_admin() to be able to get
>>> attributes of the ntpd process.
>>>
>>> Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
>>> ---
>>>  ntp.if | 2 +-
>>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>>
>>> diff --git a/ntp.if b/ntp.if
>>> index d56b635..b47bc35 100644
>>> --- a/ntp.if
>>> +++ b/ntp.if
>>> @@ -144,7 +144,7 @@ interface(`ntp_admin',`
>>>  		type ntpd_initrc_exec_t;
>>>  	')
>>>  
>>> -	allow $1 ntpd_t:process { ptrace signal_perms getattr };
>>> +	allow $1 ntpd_t:process { ptrace signal_perms };
>>>  	ps_process_pattern($1, ntpd_t)
>>>  
>>>  	init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
>>  
>> I disagree, it's reasonable to make sure it's running in the right domain, which requires this permission to read /proc/pid/attr/current.
>>
> 
> It's already allowed with
> 
> ps_process_pattern($1, ntpd_t)
 
My mistake. Merged.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

^ permalink raw reply	[flat|nested] 11+ messages in thread
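
The check discussed in the 2/6 sub-thread, confirming a daemon's domain by reading /proc/pid/attr/current, as an added example that is not part of the thread or of refpolicy. The function names, pid 1234 and the sample context are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify a daemon's SELinux domain via /proc/<pid>/attr/current.

# selinux_type CONTEXT: print the type field of user:role:type[:range].
# The MLS range can contain colons (s0-s0:c0.c1023), so only the first
# two separators are used to locate the type.
selinux_type() {
    case $1 in
        *:*:*) ;;          # at least user:role:type
        *) return 1 ;;     # empty, or not an SELinux context
    esac
    rest=${1#*:}           # drop user
    rest=${rest#*:}        # drop role
    printf '%s\n' "${rest%%:*}"
}

# read_context FILE: print the label in FILE without the trailing NUL or
# newline the kernel may append.
read_context() {
    [ -r "$1" ] || return 1
    tr -d '\000\n' < "$1" 2>/dev/null
}

# check_domain PID TYPE [PROC_ROOT]: 0 = match, 1 = mismatch,
# 2 = label unreadable (no such pid, SELinux disabled, or access denied).
check_domain() {
    ctx=$(read_context "${3:-/proc}/$1/attr/current") || return 2
    got=$(selinux_type "$ctx") || return 2
    [ "$got" = "$2" ]
}

# Constructed sample: a fake /proc tree so the demo runs without SELinux.
demo() {
    root=$(mktemp -d) || return 2
    mkdir -p "$root/1234/attr"
    printf 'system_u:system_r:ntpd_t:s0\000' > "$root/1234/attr/current"
    check_domain 1234 ntpd_t "$root"; rc=$?
    rm -rf "$root"
    return "$rc"
}

demo && echo "pid 1234 is confined to ntpd_t"
```

On a live system the third argument is omitted; exit status 2 from an admin domain then means the label could not be read, which is what a missing process getattr permission looks like from the caller's side.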

end of thread, other threads:[~2012-08-14 13:38 UTC | newest]
