[refpolicy] [PATCH] Add a policy module for shibboleth authentication

[refpolicy] [PATCH] Add a policy module for shibboleth authentication

[Martin Lang]

Signed-off-by: Martin Lang <lang@automata.rwth-aachen.de>
---
 apache.te     |    5 ++++
 shibboleth.fc |    6 +++++
 shibboleth.if |   40 ++++++++++++++++++++++++++++++
 shibboleth.te |   75 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 126 insertions(+)
 create mode 100644 shibboleth.fc
 create mode 100644 shibboleth.if
 create mode 100644 shibboleth.te

diff --git a/apache.te b/apache.te
index 3ca9c1f..6ad78d4 100644
--- a/apache.te
+++ b/apache.te
@@ -867,6 +867,11 @@ optional_policy(`
 ')
 
 optional_policy(`
+	shibboleth_read_config(httpd_t)
+	shibboleth_stream_connect(httpd_t)
+')
+
+optional_policy(`
 	smokeping_read_lib_files(httpd_t)
 ')
 
diff --git a/shibboleth.fc b/shibboleth.fc
new file mode 100644
index 0000000..a0b9626
--- /dev/null
+++ b/shibboleth.fc
@@ -0,0 +1,6 @@
+/etc/shibboleth(/.*)?		gen_context(system_u:object_r:shibboleth_etc_t,s0)
+
+/usr/sbin/shibd		--		gen_context(system_u:object_r:shibboleth_exec_t,s0)
+
+/var/log/shibboleth(/.*)?	gen_context(system_u:object_r:shibboleth_log_t,s0)
+/var/run/shibboleth(/.*)?	gen_context(system_u:object_r:shibboleth_var_run_t,s0)
diff --git a/shibboleth.if b/shibboleth.if
new file mode 100644
index 0000000..4a3ba02
--- /dev/null
+++ b/shibboleth.if
@@ -0,0 +1,40 @@
+## <summary>Shibboleth authentication deamon</summary>
+
+########################################
+## <summary>
+##	Allow your application domain to access
+##	config files from shibboleth
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The domain which should be enabled.
+##	</summary>
+## </param>
+#
+interface(`shibboleth_read_config',`
+	gen_require(`
+		type shibboleth_etc_t;
+	')
+
+	read_files_pattern($1, shibboleth_etc_t, shibboleth_etc_t)
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to connect to shibboleth with a unix socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`shibboleth_stream_connect',`
+	gen_require(`
+		type shibboleth_t;
+		type shibboleth_var_run_t;
+	')
+
+	stream_connect_pattern($1, shibboleth_var_run_t, shibboleth_var_run_t, shibboleth_t)
+	files_search_pids($1)
+')
diff --git a/shibboleth.te b/shibboleth.te
new file mode 100644
index 0000000..d1f4212
--- /dev/null
+++ b/shibboleth.te
@@ -0,0 +1,75 @@
+policy_module(shibboleth, 2.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type shibboleth_t;
+type shibboleth_exec_t;
+init_daemon_domain(shibboleth_t, shibboleth_exec_t)
+
+type shibboleth_etc_t;
+files_config_file(shibboleth_etc_t)
+
+type shibboleth_log_t;
+logging_log_file(shibboleth_log_t)
+
+type shibboleth_var_run_t;
+files_pid_file(shibboleth_var_run_t)
+init_daemon_run_dir(shibboleth_var_run_t, "shibboleth")
+
+########################################
+#
+# Local policy
+#
+
+allow shibboleth_t self:process { signal_perms };
+
+# networking:
+# shibboleth uses tcp sockets for connecting to central
+# authentication server and unix stream sockets
+# to exchange information with the apache module
+allow shibboleth_t self:unix_stream_socket create_stream_socket_perms;
+allow shibboleth_t self:tcp_socket create_stream_socket_perms;
+
+read_files_pattern(shibboleth_t, shibboleth_etc_t, shibboleth_etc_t)
+read_lnk_files_pattern(shibboleth_t, shibboleth_etc_t, shibboleth_etc_t)
+
+manage_files_pattern(shibboleth_t, shibboleth_log_t, shibboleth_log_t)
+
+manage_files_pattern(shibboleth_t, shibboleth_var_run_t, shibboleth_var_run_t)
+manage_sock_files_pattern(shibboleth_t, shibboleth_var_run_t, shibboleth_var_run_t)
+
+
+corenet_all_recvfrom_netlabel(shibboleth_t)
+corenet_all_recvfrom_unlabeled(shibboleth_t)
+corenet_tcp_connect_http_port(shibboleth_t)
+corenet_tcp_sendrecv_all_ports(shibboleth_t)
+corenet_tcp_sendrecv_generic_if(shibboleth_t)
+corenet_tcp_sendrecv_generic_node(shibboleth_t)
+
+dev_read_urand(shibboleth_t)
+
+domain_dontaudit_use_interactive_fds(shibboleth_t)
+
+files_read_etc_files(shibboleth_t)
+files_read_usr_files(shibboleth_t)
+files_search_etc(shibboleth_t)
+
+term_dontaudit_search_ptys(shibboleth_t)
+term_dontaudit_use_all_ptys(shibboleth_t)
+term_dontaudit_use_all_ttys(shibboleth_t)
+
+
+logging_log_filetrans(shibboleth_t, shibboleth_log_t, { file dir })
+logging_send_syslog_msg(shibboleth_t)
+
+miscfiles_read_localization(shibboleth_t)
+
+sysnet_dns_name_resolve(shibboleth_t)
+
+
+# permissions for the configuration files
+# there is shared information between apache and shibboleth, e.g., certificates
+apache_read_config(shibboleth_t)
-- 
1.7.10.4

[refpolicy] [PATCH] Add a policy module for shibboleth authentication

[Christopher J. PeBenito]

On 03/15/2014 09:29 AM, Martin Lang wrote:
> Signed-off-by: Martin Lang <lang@automata.rwth-aachen.de>
> ---
>  apache.te     |    5 ++++
>  shibboleth.fc |    6 +++++
>  shibboleth.if |   40 ++++++++++++++++++++++++++++++
>  shibboleth.te |   75 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>  4 files changed, 126 insertions(+)
>  create mode 100644 shibboleth.fc
>  create mode 100644 shibboleth.if
>  create mode 100644 shibboleth.te

Merged.


 
> diff --git a/apache.te b/apache.te
> index 3ca9c1f..6ad78d4 100644
> --- a/apache.te
> +++ b/apache.te
> @@ -867,6 +867,11 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	shibboleth_read_config(httpd_t)
> +	shibboleth_stream_connect(httpd_t)
> +')
> +
> +optional_policy(`
>  	smokeping_read_lib_files(httpd_t)
>  ')
>  
> diff --git a/shibboleth.fc b/shibboleth.fc
> new file mode 100644
> index 0000000..a0b9626
> --- /dev/null
> +++ b/shibboleth.fc
> @@ -0,0 +1,6 @@
> +/etc/shibboleth(/.*)?		gen_context(system_u:object_r:shibboleth_etc_t,s0)
> +
> +/usr/sbin/shibd		--		gen_context(system_u:object_r:shibboleth_exec_t,s0)
> +
> +/var/log/shibboleth(/.*)?	gen_context(system_u:object_r:shibboleth_log_t,s0)
> +/var/run/shibboleth(/.*)?	gen_context(system_u:object_r:shibboleth_var_run_t,s0)
> diff --git a/shibboleth.if b/shibboleth.if
> new file mode 100644
> index 0000000..4a3ba02
> --- /dev/null
> +++ b/shibboleth.if
> @@ -0,0 +1,40 @@
> +## <summary>Shibboleth authentication deamon</summary>
> +
> +########################################
> +## <summary>
> +##	Allow your application domain to access
> +##	config files from shibboleth
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	The domain which should be enabled.
> +##	</summary>
> +## </param>
> +#
> +interface(`shibboleth_read_config',`
> +	gen_require(`
> +		type shibboleth_etc_t;
> +	')
> +
> +	read_files_pattern($1, shibboleth_etc_t, shibboleth_etc_t)
> +')
> +
> +########################################
> +## <summary>
> +##	Allow the specified domain to connect to shibboleth with a unix socket.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`shibboleth_stream_connect',`
> +	gen_require(`
> +		type shibboleth_t;
> +		type shibboleth_var_run_t;
> +	')
> +
> +	stream_connect_pattern($1, shibboleth_var_run_t, shibboleth_var_run_t, shibboleth_t)
> +	files_search_pids($1)
> +')
> diff --git a/shibboleth.te b/shibboleth.te
> new file mode 100644
> index 0000000..d1f4212
> --- /dev/null
> +++ b/shibboleth.te
> @@ -0,0 +1,75 @@
> +policy_module(shibboleth, 2.0.0)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +type shibboleth_t;
> +type shibboleth_exec_t;
> +init_daemon_domain(shibboleth_t, shibboleth_exec_t)
> +
> +type shibboleth_etc_t;
> +files_config_file(shibboleth_etc_t)
> +
> +type shibboleth_log_t;
> +logging_log_file(shibboleth_log_t)
> +
> +type shibboleth_var_run_t;
> +files_pid_file(shibboleth_var_run_t)
> +init_daemon_run_dir(shibboleth_var_run_t, "shibboleth")
> +
> +########################################
> +#
> +# Local policy
> +#
> +
> +allow shibboleth_t self:process { signal_perms };
> +
> +# networking:
> +# shibboleth uses tcp sockets for connecting to central
> +# authentication server and unix stream sockets
> +# to exchange information with the apache module
> +allow shibboleth_t self:unix_stream_socket create_stream_socket_perms;
> +allow shibboleth_t self:tcp_socket create_stream_socket_perms;
> +
> +read_files_pattern(shibboleth_t, shibboleth_etc_t, shibboleth_etc_t)
> +read_lnk_files_pattern(shibboleth_t, shibboleth_etc_t, shibboleth_etc_t)
> +
> +manage_files_pattern(shibboleth_t, shibboleth_log_t, shibboleth_log_t)
> +
> +manage_files_pattern(shibboleth_t, shibboleth_var_run_t, shibboleth_var_run_t)
> +manage_sock_files_pattern(shibboleth_t, shibboleth_var_run_t, shibboleth_var_run_t)
> +
> +
> +corenet_all_recvfrom_netlabel(shibboleth_t)
> +corenet_all_recvfrom_unlabeled(shibboleth_t)
> +corenet_tcp_connect_http_port(shibboleth_t)
> +corenet_tcp_sendrecv_all_ports(shibboleth_t)
> +corenet_tcp_sendrecv_generic_if(shibboleth_t)
> +corenet_tcp_sendrecv_generic_node(shibboleth_t)
> +
> +dev_read_urand(shibboleth_t)
> +
> +domain_dontaudit_use_interactive_fds(shibboleth_t)
> +
> +files_read_etc_files(shibboleth_t)
> +files_read_usr_files(shibboleth_t)
> +files_search_etc(shibboleth_t)
> +
> +term_dontaudit_search_ptys(shibboleth_t)
> +term_dontaudit_use_all_ptys(shibboleth_t)
> +term_dontaudit_use_all_ttys(shibboleth_t)
> +
> +
> +logging_log_filetrans(shibboleth_t, shibboleth_log_t, { file dir })
> +logging_send_syslog_msg(shibboleth_t)
> +
> +miscfiles_read_localization(shibboleth_t)
> +
> +sysnet_dns_name_resolve(shibboleth_t)
> +
> +
> +# permissions for the configuration files
> +# there is shared information between apache and shibboleth, e.g., certificates
> +apache_read_config(shibboleth_t)
> 


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com