On Wed, 2008-08-13 at 09:08 -0400, Chris PeBenito wrote:
> On Sat, 2008-07-26 at 15:07 +0200, Dominick Grift wrote:
> > Signed-off-by: Dominick Grift <domg472@xxxxxxxxx>
>
> The patch looks line-wrapped. Also a couple comments inline.

My last attempt had an error in the file context entry for oidentd_home_t. Attached is a new attempt.

--
Dominick Grift <domg472@xxxxxxxxx>
diff --git a/policy/modules/services/oidentd.fc b/policy/modules/services/oidentd.fc new file mode 100644 index 0000000..ee7fcc4 --- /dev/null +++ b/policy/modules/services/oidentd.fc @@ -0,0 +1,7 @@ + +/etc/oidentd\.conf -- gen_context(system_u:object_r:oidentd_config_t, s0) +/etc/oidentd_masq\.conf -- gen_context(system_u:object_r:oidentd_config_t, s0) + +/usr/sbin/oidentd -- gen_context(system_u:object_r:oidentd_exec_t, s0) + +HOME_DIR/\.oidentd.conf -- gen_context(system_u:object_r:oidentd_home_t, s0) diff --git a/policy/modules/services/oidentd.if b/policy/modules/services/oidentd.if new file mode 100644 index 0000000..e0ad34c --- /dev/null +++ b/policy/modules/services/oidentd.if @@ -0,0 +1,11 @@ +## <summary>SELinux policy for Oident daemon.</summary> +## <desc> +## <p> +## Oident daemon is a server that implements the TCP/IP +## standard IDENT user identification protocol as +## specified in the RFC 1413 document. +## </p> +## </desc> + + + diff --git a/policy/modules/services/oidentd.te b/policy/modules/services/oidentd.te new file mode 100644 index 0000000..04d8ee2 --- /dev/null +++ b/policy/modules/services/oidentd.te 
@@ -0,0 +1,71 @@ + +policy_module(oidentd, 0.0.1) + +######################################## +# +# Declarations +# + +## <desc> +## <p> +## Allow Oident daemon to read +## unprivileged user home content files. +## </p> +## </desc> + +gen_tunable(oidentd_read_unprivileged_user_home_content_files, false) + +type oidentd_t; +type oidentd_exec_t; +init_daemon_domain(oidentd_t, oidentd_exec_t) + +type oidentd_config_t; +files_config_file(oidentd_config_t) + +type oidentd_home_t; +files_poly_member(oidentd_home_t) +userdom_user_home_content(user, oidentd_home_t) + +######################################## +# +# Policy +# +allow oidentd_t self:capability { setuid setgid }; +allow oidentd_t self:netlink_route_socket { write getattr read bind create nlmsg_read }; +allow oidentd_t self:netlink_tcpdiag_socket { write read create nlmsg_read }; +allow oidentd_t self:tcp_socket { setopt read bind create accept write getattr listen }; +allow oidentd_t self:udp_socket { write read create connect getattr }; +allow oidentd_t self:unix_dgram_socket { create connect }; + +allow oidentd_t oidentd_config_t:file read_file_perms; + +allow oidentd_t oidentd_home_t:file read_file_perms; + +corenet_all_recvfrom_unlabeled(oidentd_t) +corenet_all_recvfrom_netlabel(oidentd_t) +corenet_tcp_sendrecv_all_if(oidentd_t) +corenet_tcp_sendrecv_all_nodes(oidentd_t) +corenet_tcp_bind_all_nodes(oidentd_t) +corenet_tcp_bind_auth_port(oidentd_t) + +files_read_etc_files(oidentd_t) + +kernel_read_kernel_sysctls(oidentd_t) +kernel_read_network_state(oidentd_t) +kernel_read_network_state_symlinks(oidentd_t) +kernel_read_sysctl(oidentd_t) + +libs_use_ld_so(oidentd_t) +libs_use_shared_libs(oidentd_t) + +logging_send_syslog_msg(oidentd_t) + +miscfiles_read_localization(oidentd_t) + +sysnet_read_config(oidentd_t) + +userdom_search_user_home_dirs(user, oidentd_home_t) + +tunable_policy(`oidentd_read_unprivileged_user_home_content_files', ` + userdom_read_unpriv_users_home_content_files(oidentd_t) +')
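Review bot: in the oidentd.fc hunk the home entry `HOME_DIR/\.oidentd.conf` leaves the second dot unescaped, unlike the two `/etc` entries that write `\.conf`; as a regex it also matches e.g. `.oidentdXconf`, so it should read `HOME_DIR/\.oidentd\.conf`. The leading empty `+` line at the top of the file can be dropped as well.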
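Review bot: the oidentd.if hunk ends with three empty lines after the `</desc>` block; trim them so the file ends at the closing tag. The module declares no interfaces, which is acceptable for a daemon only ever started by init, but if other modules later need to read oidentd_config_t or transition into oidentd_t the interfaces will have to be added here.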
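Review bot: in the oidentd.te hunk `userdom_search_user_home_dirs(user, oidentd_home_t)` passes the file type where the interface expects the domain; as written oidentd_t is never granted search on user home directories, so the `HOME_DIR/.oidentd.conf` file labeled oidentd_home_t is unreachable even though `allow oidentd_t oidentd_home_t:file read_file_perms;` is present. It should be `userdom_search_user_home_dirs(user, oidentd_t)`. Two smaller points: the hunk binds to the auth port (`corenet_tcp_bind_auth_port`) and has sendrecv on all interfaces and nodes, but no sendrecv call for the port type itself, so please verify whether `corenet_tcp_sendrecv_auth_port` is needed for the listener to work; and new refpolicy modules conventionally start at `policy_module(oidentd, 1.0.0)` rather than 0.0.1, with a blank line between the `# Policy` header block and the first `allow` rule.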