* [refpolicy] [PATCH v1 1/6] Introduce ntp_conf_t
2012-08-13 10:52 [refpolicy] [PATCH v1 0/6] Various fixes to the ntp policy module Dominick Grift
@ 2012-08-13 10:52 ` Dominick Grift
2012-08-13 10:52 ` [refpolicy] [PATCH v1 2/6] Remove getattr permission from ntp_admin() Dominick Grift
` (5 subsequent siblings)
6 siblings, 0 replies; 11+ messages in thread
From: Dominick Grift @ 2012-08-13 10:52 UTC (permalink / raw)
To: refpolicy
Introduce ntp_conf_t config file type and use that
instead of net_conf_t so that ntp_admin() does not need
access to network configuration to be able to manage
ntpd.
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
---
ntp.fc | 4 ++--
ntp.if | 4 ++--
ntp.te | 5 +++++
3 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/ntp.fc b/ntp.fc
index e79dccc..05fa48d 100644
--- a/ntp.fc
+++ b/ntp.fc
@@ -2,11 +2,11 @@
/etc/cron\.(daily|weekly)/ntp-simple -- gen_context(system_u:object_r:ntpd_exec_t,s0)
/etc/cron\.(daily|weekly)/ntp-server -- gen_context(system_u:object_r:ntpd_exec_t,s0)
-/etc/ntpd?\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
+/etc/ntpd?\.conf.* -- gen_context(system_u:object_r:ntp_conf_t,s0)
/etc/ntp/crypto(/.*)? gen_context(system_u:object_r:ntpd_key_t,s0)
/etc/ntp/data(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
/etc/ntp/keys -- gen_context(system_u:object_r:ntpd_key_t,s0)
-/etc/ntp/step-tickers.* -- gen_context(system_u:object_r:net_conf_t,s0)
+/etc/ntp/step-tickers.* -- gen_context(system_u:object_r:ntp_conf_t,s0)
/etc/rc\.d/init\.d/ntpd -- gen_context(system_u:object_r:ntpd_initrc_exec_t,s0)
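Review bot: Relabelling `/etc/ntpd?\.conf.*` and `/etc/ntp/step-tickers.*` from net_conf_t to ntp_conf_t removes access for every domain that reached these files only through its net_conf_t rules, while the series adds read access for ntpd_t alone. Before merging, check which domains read or write net_conf_t and confirm none of them needs these two paths; any that does needs an explicit ntp_conf_t interface. The commit message should also mention that files on existing systems must be relabelled before the new context takes effect.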
diff --git a/ntp.if b/ntp.if
index e80f8c0..d56b635 100644
--- a/ntp.if
+++ b/ntp.if
@@ -140,7 +140,7 @@ interface(`ntp_rw_shm',`
interface(`ntp_admin',`
gen_require(`
type ntpd_t, ntpd_tmp_t, ntpd_log_t;
- type ntpd_key_t, ntpd_var_run_t;
+ type ntpd_key_t, ntpd_var_run_t, ntp_conf_t;
type ntpd_initrc_exec_t;
')
@@ -152,7 +152,7 @@ interface(`ntp_admin',`
role_transition $2 ntpd_initrc_exec_t system_r;
allow $2 system_r;
- admin_pattern($1, ntpd_key_t)
+ admin_pattern($1, { ntpd_key_t ntp_conf_t })
logging_list_logs($1)
admin_pattern($1, ntpd_log_t)
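Review bot: In this second ntp_admin hunk, admin_pattern($1, { ntpd_key_t ntp_conf_t }) grants management of the ntp_conf_t files themselves, but per ntp.fc they live in /etc and under /etc/ntp, and nothing in this hunk lets $1 traverse those parent directories. The files_list_etc($1) call that covers this arrives only in 4/6; folding it into this patch would keep each commit in the series working on its own.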
diff --git a/ntp.te b/ntp.te
index c61adc8..08bcd96 100644
--- a/ntp.te
+++ b/ntp.te
@@ -15,6 +15,9 @@ init_daemon_domain(ntpd_t, ntpd_exec_t)
type ntpd_initrc_exec_t;
init_script_file(ntpd_initrc_exec_t)
+type ntp_conf_t;
+files_config_file(ntp_conf_t)
+
type ntpd_key_t;
files_type(ntpd_key_t)
@@ -54,6 +57,8 @@ manage_files_pattern(ntpd_t, ntp_drift_t, ntp_drift_t)
can_exec(ntpd_t, ntpd_exec_t)
+allow ntpd_t ntp_conf_t:file read_file_perms;
+
read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
read_lnk_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
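Review bot: The added allow ntpd_t ntp_conf_t:file read_file_perms; rule gives ntpd_t its new read path, but ntp.te shows insertions only (5 +, 0 -), so whatever let ntpd_t read these files while they were net_conf_t is still in place. If that net_conf_t access existed only for ntp.conf and step-tickers, drop it in this series so the daemon does not keep read access to network configuration it no longer needs; if it is needed for other reasons, a one-line comment saying so would help.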
--
1.7.11.2
^ permalink raw reply related [flat|nested] 11+ messages in thread
* [refpolicy] [PATCH v1 2/6] Remove getattr permission from ntp_admin()
2012-08-13 10:52 [refpolicy] [PATCH v1 0/6] Various fixes to the ntp policy module Dominick Grift
2012-08-13 10:52 ` [refpolicy] [PATCH v1 1/6] Introduce ntp_conf_t Dominick Grift
@ 2012-08-13 10:52 ` Dominick Grift
2012-08-14 12:40 ` Christopher J. PeBenito
2012-08-13 10:52 ` [refpolicy] [PATCH v1 3/6] Allow ntp_admin() to manage ntp_drift_t content Dominick Grift
` (4 subsequent siblings)
6 siblings, 1 reply; 11+ messages in thread
From: Dominick Grift @ 2012-08-13 10:52 UTC (permalink / raw)
To: refpolicy
There is no need for ntp_admin() to be able to get
attributes of the ntpd process.
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
---
ntp.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ntp.if b/ntp.if
index d56b635..b47bc35 100644
--- a/ntp.if
+++ b/ntp.if
@@ -144,7 +144,7 @@ interface(`ntp_admin',`
type ntpd_initrc_exec_t;
')
- allow $1 ntpd_t:process { ptrace signal_perms getattr };
+ allow $1 ntpd_t:process { ptrace signal_perms };
ps_process_pattern($1, ntpd_t)
init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
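Review bot: The commit message gives "no need" as the reason for dropping getattr from the allow $1 ntpd_t:process line, but the removal is only safe because ps_process_pattern($1, ntpd_t) on the following line already grants it, as the follow-up in this thread establishes. State that in the commit message so the change reads as removing a duplicate permission, not as taking away the admin's ability to check the daemon's domain.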
--
1.7.11.2
^ permalink raw reply related [flat|nested] 11+ messages in thread
* [refpolicy] [PATCH v1 2/6] Remove getattr permission from ntp_admin()
2012-08-13 10:52 ` [refpolicy] [PATCH v1 2/6] Remove getattr permission from ntp_admin() Dominick Grift
@ 2012-08-14 12:40 ` Christopher J. PeBenito
2012-08-14 13:15 ` Dominick Grift
0 siblings, 1 reply; 11+ messages in thread
From: Christopher J. PeBenito @ 2012-08-14 12:40 UTC (permalink / raw)
To: refpolicy
On 08/13/12 06:52, Dominick Grift wrote:
> There is no need for ntp_admin() to be able to get
> attributes of the ntpd process.
>
> Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
> ---
> ntp.if | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/ntp.if b/ntp.if
> index d56b635..b47bc35 100644
> --- a/ntp.if
> +++ b/ntp.if
> @@ -144,7 +144,7 @@ interface(`ntp_admin',`
> type ntpd_initrc_exec_t;
> ')
>
> - allow $1 ntpd_t:process { ptrace signal_perms getattr };
> + allow $1 ntpd_t:process { ptrace signal_perms };
> ps_process_pattern($1, ntpd_t)
>
> init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
I disagree, it's reasonable to make sure it's running in the right domain, which requires this permission to read /proc/pid/attr/current.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
^ permalink raw reply [flat|nested] 11+ messages in thread
* [refpolicy] [PATCH v1 2/6] Remove getattr permission from ntp_admin()
2012-08-14 12:40 ` Christopher J. PeBenito
@ 2012-08-14 13:15 ` Dominick Grift
2012-08-14 13:38 ` Christopher J. PeBenito
0 siblings, 1 reply; 11+ messages in thread
From: Dominick Grift @ 2012-08-14 13:15 UTC (permalink / raw)
To: refpolicy
On Tue, 2012-08-14 at 08:40 -0400, Christopher J. PeBenito wrote:
> On 08/13/12 06:52, Dominick Grift wrote:
> > There is no need for ntp_admin() to be able to get
> > attributes of the ntpd process.
> >
> > Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
> > ---
> > ntp.if | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/ntp.if b/ntp.if
> > index d56b635..b47bc35 100644
> > --- a/ntp.if
> > +++ b/ntp.if
> > @@ -144,7 +144,7 @@ interface(`ntp_admin',`
> > type ntpd_initrc_exec_t;
> > ')
> >
> > - allow $1 ntpd_t:process { ptrace signal_perms getattr };
> > + allow $1 ntpd_t:process { ptrace signal_perms };
> > ps_process_pattern($1, ntpd_t)
> >
> > init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
>
> I disagree, it's reasonable to make sure it's running in the right domain, which requires this permission to read /proc/pid/attr/current.
>
It's already allowed with
ps_process_pattern($1, ntpd_t)
^ permalink raw reply [flat|nested] 11+ messages in thread
* [refpolicy] [PATCH v1 2/6] Remove getattr permission from ntp_admin()
2012-08-14 13:15 ` Dominick Grift
@ 2012-08-14 13:38 ` Christopher J. PeBenito
0 siblings, 0 replies; 11+ messages in thread
From: Christopher J. PeBenito @ 2012-08-14 13:38 UTC (permalink / raw)
To: refpolicy
On 08/14/12 09:15, Dominick Grift wrote:
>
>
> On Tue, 2012-08-14 at 08:40 -0400, Christopher J. PeBenito wrote:
>> On 08/13/12 06:52, Dominick Grift wrote:
>>> There is no need for ntp_admin() to be able to get
>>> attributes of the ntpd process.
>>>
>>> Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
>>> ---
>>> ntp.if | 2 +-
>>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>>
>>> diff --git a/ntp.if b/ntp.if
>>> index d56b635..b47bc35 100644
>>> --- a/ntp.if
>>> +++ b/ntp.if
>>> @@ -144,7 +144,7 @@ interface(`ntp_admin',`
>>> type ntpd_initrc_exec_t;
>>> ')
>>>
>>> - allow $1 ntpd_t:process { ptrace signal_perms getattr };
>>> + allow $1 ntpd_t:process { ptrace signal_perms };
>>> ps_process_pattern($1, ntpd_t)
>>>
>>> init_labeled_script_domtrans($1, ntpd_initrc_exec_t)
>>
>> I disagree, it's reasonable to make sure it's running in the right domain, which requires this permission to read /proc/pid/attr/current.
>>
>
> It's already allowed with
>
> ps_process_pattern($1, ntpd_t)
My mistake. Merged.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
^ permalink raw reply [flat|nested] 11+ messages in thread
* [refpolicy] [PATCH v1 3/6] Allow ntp_admin() to manage ntp_drift_t content.
2012-08-13 10:52 [refpolicy] [PATCH v1 0/6] Various fixes to the ntp policy module Dominick Grift
2012-08-13 10:52 ` [refpolicy] [PATCH v1 1/6] Introduce ntp_conf_t Dominick Grift
2012-08-13 10:52 ` [refpolicy] [PATCH v1 2/6] Remove getattr permission from ntp_admin() Dominick Grift
@ 2012-08-13 10:52 ` Dominick Grift
2012-08-13 10:52 ` [refpolicy] [PATCH v1 4/6] List etc_t directories Dominick Grift
` (3 subsequent siblings)
6 siblings, 0 replies; 11+ messages in thread
From: Dominick Grift @ 2012-08-13 10:52 UTC (permalink / raw)
To: refpolicy
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
---
ntp.if | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ntp.if b/ntp.if
index b47bc35..07a45bf 100644
--- a/ntp.if
+++ b/ntp.if
@@ -141,7 +141,7 @@ interface(`ntp_admin',`
gen_require(`
type ntpd_t, ntpd_tmp_t, ntpd_log_t;
type ntpd_key_t, ntpd_var_run_t, ntp_conf_t;
- type ntpd_initrc_exec_t;
+ type ntpd_initrc_exec_t, ntp_drift_t;
')
allow $1 ntpd_t:process { ptrace signal_perms };
@@ -152,7 +152,7 @@ interface(`ntp_admin',`
role_transition $2 ntpd_initrc_exec_t system_r;
allow $2 system_r;
- admin_pattern($1, { ntpd_key_t ntp_conf_t })
+ admin_pattern($1, { ntpd_key_t ntp_conf_t ntp_drift_t })
logging_list_logs($1)
admin_pattern($1, ntpd_log_t)
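Review bot: This patch has no commit body, so the reason ntp_admin() needs full admin_pattern access to ntp_drift_t in the second hunk is not recorded. Add a sentence of rationale to the message, since the subject alone does not say which administrative task was failing without it.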
--
1.7.11.2
^ permalink raw reply related [flat|nested] 11+ messages in thread
* [refpolicy] [PATCH v1 4/6] List etc_t directories
2012-08-13 10:52 [refpolicy] [PATCH v1 0/6] Various fixes to the ntp policy module Dominick Grift
` (2 preceding siblings ...)
2012-08-13 10:52 ` [refpolicy] [PATCH v1 3/6] Allow ntp_admin() to manage ntp_drift_t content Dominick Grift
@ 2012-08-13 10:52 ` Dominick Grift
2012-08-13 10:52 ` [refpolicy] [PATCH v1 5/6] Use "Role allowed access." for consistency Dominick Grift
` (2 subsequent siblings)
6 siblings, 0 replies; 11+ messages in thread
From: Dominick Grift @ 2012-08-13 10:52 UTC (permalink / raw)
To: refpolicy
Allow ntp_admin() to list etc_t directories to be able
to list ntp configuration content.
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
---
ntp.if | 1 +
1 file changed, 1 insertion(+)
diff --git a/ntp.if b/ntp.if
index 07a45bf..00752ec 100644
--- a/ntp.if
+++ b/ntp.if
@@ -152,6 +152,7 @@ interface(`ntp_admin',`
role_transition $2 ntpd_initrc_exec_t system_r;
allow $2 system_r;
+ files_list_etc($1)
admin_pattern($1, { ntpd_key_t ntp_conf_t ntp_drift_t })
logging_list_logs($1)
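Review bot: files_list_etc($1) lets the admin domain list every etc_t directory, which is wider than what the commit message asks for (seeing the ntp configuration content). If path traversal to the ntp_conf_t files is all that is required, files_search_etc($1) is the narrower call; if directory listing is really wanted, say so explicitly in the message.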
--
1.7.11.2
^ permalink raw reply related [flat|nested] 11+ messages in thread
* [refpolicy] [PATCH v1 5/6] Use "Role allowed access." for consistency
2012-08-13 10:52 [refpolicy] [PATCH v1 0/6] Various fixes to the ntp policy module Dominick Grift
` (3 preceding siblings ...)
2012-08-13 10:52 ` [refpolicy] [PATCH v1 4/6] List etc_t directories Dominick Grift
@ 2012-08-13 10:52 ` Dominick Grift
2012-08-13 10:52 ` [refpolicy] [PATCH v1 6/6] Use permissions sets for compatibility Dominick Grift
2012-08-14 13:32 ` [refpolicy] [PATCH v1 0/6] Various fixes to the ntp policy module Christopher J. PeBenito
6 siblings, 0 replies; 11+ messages in thread
From: Dominick Grift @ 2012-08-13 10:52 UTC (permalink / raw)
To: refpolicy
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
---
ntp.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ntp.if b/ntp.if
index 00752ec..e4e72b1 100644
--- a/ntp.if
+++ b/ntp.if
@@ -132,7 +132,7 @@ interface(`ntp_rw_shm',`
## </param>
## <param name="role">
## <summary>
-## The role to be allowed to manage the ntp domain.
+## Role allowed access.
## </summary>
## </param>
## <rolecap/>
--
1.7.11.2
^ permalink raw reply related [flat|nested] 11+ messages in thread
* [refpolicy] [PATCH v1 6/6] Use permissions sets for compatibility.
2012-08-13 10:52 [refpolicy] [PATCH v1 0/6] Various fixes to the ntp policy module Dominick Grift
` (4 preceding siblings ...)
2012-08-13 10:52 ` [refpolicy] [PATCH v1 5/6] Use "Role allowed access." for consistency Dominick Grift
@ 2012-08-13 10:52 ` Dominick Grift
2012-08-14 13:32 ` [refpolicy] [PATCH v1 0/6] Various fixes to the ntp policy module Christopher J. PeBenito
6 siblings, 0 replies; 11+ messages in thread
From: Dominick Grift @ 2012-08-13 10:52 UTC (permalink / raw)
To: refpolicy
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
---
ntp.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ntp.te b/ntp.te
index 08bcd96..997f393 100644
--- a/ntp.te
+++ b/ntp.te
@@ -62,7 +62,7 @@ allow ntpd_t ntp_conf_t:file read_file_perms;
read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
read_lnk_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
-allow ntpd_t ntpd_log_t:dir setattr;
+allow ntpd_t ntpd_log_t:dir setattr_dir_perms;
manage_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
logging_log_filetrans(ntpd_t, ntpd_log_t, { file dir })
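Review bot: "For compatibility" in the subject does not say compatibility with what, and the patch has no body. On the allow ntpd_t ntpd_log_t:dir line, setattr becomes setattr_dir_perms; if the set expands to the same permission today, say in the message that this is no functional change and that the set is used so the rule follows future changes to the macro.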
--
1.7.11.2
^ permalink raw reply related [flat|nested] 11+ messages in thread
* [refpolicy] [PATCH v1 0/6] Various fixes to the ntp policy module
2012-08-13 10:52 [refpolicy] [PATCH v1 0/6] Various fixes to the ntp policy module Dominick Grift
` (5 preceding siblings ...)
2012-08-13 10:52 ` [refpolicy] [PATCH v1 6/6] Use permissions sets for compatibility Dominick Grift
@ 2012-08-14 13:32 ` Christopher J. PeBenito
6 siblings, 0 replies; 11+ messages in thread
From: Christopher J. PeBenito @ 2012-08-14 13:32 UTC (permalink / raw)
To: refpolicy
On 08/13/12 06:52, Dominick Grift wrote:
> The previous patch was bad.
>
> Dominick Grift (6):
> Introduce ntp_conf_t config file type and use that instead of
> net_conf_t so that ntp_admin() does not need access to network
> configuration to be able to manage ntpd.
> There is no need for ntp_admin() to be able to get attributes of the
> ntpd process.
> Allow ntp_admin() to manage ntp_drift_t content.
> Allow ntp_admin() to list etc_t directories to be able to list ntp
> configuration content.
> Use "Role allowed access." for consistency
> Use permissions sets for compatibility.
>
> ntp.fc | 4 ++--
> ntp.if | 11 ++++++-----
> ntp.te | 7 ++++++-
> 3 files changed, 14 insertions(+), 8 deletions(-)
>
patches 1, 3-6 merged.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
^ permalink raw reply [flat|nested] 11+ messages in thread