On Wed, 2008-08-13 at 09:08 -0400, Chris PeBenito wrote:
> On Sat, 2008-07-26 at 15:07 +0200, Dominick Grift wrote:
> > Signed-off-by: Dominick Grift <domg472@xxxxxxxxx>
>
> The patch looks line-wrapped. Also a couple comments inline.

This edition replaces oidentd_read_unprivileged_user_home_content_files by allow_oidentd_read_oidentd_home_content. This complicates the policy a bit more and so I included an oidentd_selinux manual page for clarity.

-- 
Dominick Grift <domg472@xxxxxxxxx>
diff --git a/man/man8/oidentd_selinux.8 b/man/man8/oidentd_selinux.8 new file mode 100644 index 0000000..2c204aa --- /dev/null +++ b/man/man8/oidentd_selinux.8 @@ -0,0 +1,38 @@ +.TH "oidentd_selinux" "8" "14 Aug 2008" "dgrift@xxxxxxxxx" "Oident deamon SELinux policy documentation" +.de EX +.nf +.ft CW +.. +.de EE +.ft R +.fi +.. +.SH "NAME" +oidentd_selinux \- Security-Enhanced Linux policy for Oident daemon. +.SH "DESCRIPTION" +.PP +Security-Enhanced Linux provides security for Oidentd daemon via flexible mandatory access control. +.SH FILE_CONTEXTS +.PP +SELinux requires files to have a files type. Users can use the chcon command to change certain files types. Policy governs the access that daemons have to files. +.TP +Allow Oident daemon to read ~/.oidentd.conf by adding the oidentd_home_t files type to the file and by restoring the files type. This also requires the allow_oidentd_read_oidentd_home_content boolean to be set. +.PP +.B +chcon -t oidentd_home_t ~/.oidentd.conf +.SH BOOLEANS +.PP +SELinux policy is based on least privilege required and may also be customizable by setting a boolean with the setsebool command. +.TP +Allow Oident daemon to read Oident daemon home content with the oidentd_home_t files type. +.PP +.B +setsebool -P allow_oidentd_read_oidentd_home_content on +.TP +system-config-selinux is a GUI tool available to customize SELinux policy settings. +.SH AUTHOR +.PP +This manual page was written by Dominick Grift <domg472@xxxxxxxxx>. +.SH "SEE ALSO" +.PP +selinux(8), oidentd(8), oidentd.conf(8), setsebool(8), chcon(8) diff --git a/policy/modules/services/oidentd.fc b/policy/modules/services/oidentd.fc new file mode 100644 index 0000000..ee7fcc4 --- /dev/null +++ b/policy/modules/services/oidentd.fc 
@@ -0,0 +1,7 @@ + +/etc/oidentd\.conf -- gen_context(system_u:object_r:oidentd_config_t, s0) +/etc/oidentd_masq\.conf -- gen_context(system_u:object_r:oidentd_config_t, s0) + +/usr/sbin/oidentd -- gen_context(system_u:object_r:oidentd_exec_t, s0) + +HOME_DIR/\.oidentd.conf -- gen_context(system_u:object_r:oidentd_home_t, s0) diff --git a/policy/modules/services/oidentd.if b/policy/modules/services/oidentd.if new file mode 100644 index 0000000..93f9ad0 --- /dev/null +++ b/policy/modules/services/oidentd.if @@ -0,0 +1,61 @@ +## <summary>SELinux policy for Oident daemon.</summary> +## <desc> +## <p> +## Oident daemon is a server that implements the TCP/IP +## standard IDENT user identification protocol as +## specified in the RFC 1413 document. +## </p> +## </desc> + +####################################### +## <summary> +## The per role template for the Oidentd module. +## </summary> +## <desc> +## <p> +## This template creates derived domains which are used +## for Oident daemon. +## </p> +## <p> +## This template is invoked automatically for each user, and +## generally does not need to be invoked directly +## by policy writers. +## </p> +## </desc> +## <param name="userdomain_prefix"> +## <summary> +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## </summary> +## </param> +## <param name="user_domain"> +## <summary> +## The type of the user domain. +## </summary> +## </param> +## <param name="user_role"> +## <summary> +## The role associated with the user domain. +## </summary> +## </param> +# +template(`oidentd_per_role_template', ` + gen_require(` + type oidentd_home_t; + ') + + ######################################## + # + # Declarations + # + + userdom_user_home_content($1, oidentd_home_t) + + ######################################## + # + # Policy + # + + allow $2 oidentd_home_t:file manage_file_perms; + allow $2 oidentd_home_t:file relabel_file_perms; +') 
diff --git a/policy/modules/services/oidentd.te b/policy/modules/services/oidentd.te new file mode 100644 index 0000000..12c914e --- /dev/null +++ b/policy/modules/services/oidentd.te 
@@ -0,0 +1,68 @@ + +policy_module(oidentd, 0.0.1) + +######################################## +# +# Declarations +# + +## <desc> +## <p> +## Allow Oident daemon to read +## oidentd daemon home files. +## </p> +## </desc> + +gen_tunable(allow_oidentd_read_oidentd_home_content, false) + +type oidentd_t; +type oidentd_exec_t; +init_daemon_domain(oidentd_t, oidentd_exec_t) + +type oidentd_config_t; +files_config_file(oidentd_config_t) + +type oidentd_home_t; +files_poly_member(oidentd_home_t) + +######################################## +# +# Policy +# + +allow oidentd_t self:capability { setuid setgid }; +allow oidentd_t self:netlink_route_socket { write getattr read bind create nlmsg_read }; +allow oidentd_t self:netlink_tcpdiag_socket { write read create nlmsg_read }; +allow oidentd_t self:tcp_socket { setopt read bind create accept write getattr listen }; +allow oidentd_t self:udp_socket { write read create connect getattr }; +allow oidentd_t self:unix_dgram_socket { create connect }; + +allow oidentd_t oidentd_config_t:file read_file_perms; + +corenet_all_recvfrom_unlabeled(oidentd_t) +corenet_all_recvfrom_netlabel(oidentd_t) +corenet_tcp_sendrecv_all_if(oidentd_t) +corenet_tcp_sendrecv_all_nodes(oidentd_t) +corenet_tcp_bind_all_nodes(oidentd_t) +corenet_tcp_bind_auth_port(oidentd_t) + +files_read_etc_files(oidentd_t) + +kernel_read_kernel_sysctls(oidentd_t) +kernel_read_network_state(oidentd_t) +kernel_read_network_state_symlinks(oidentd_t) +kernel_read_sysctl(oidentd_t) + +libs_use_ld_so(oidentd_t) +libs_use_shared_libs(oidentd_t) + +logging_send_syslog_msg(oidentd_t) + +miscfiles_read_localization(oidentd_t) + +sysnet_read_config(oidentd_t) + +tunable_policy(`allow_oidentd_read_oidentd_home_content', ` + allow oidentd_t oidentd_home_t:file read_file_perms; + userdom_search_user_home_dirs(user, oidentd_t) +')
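Review bot: the .TH line of man/man8/oidentd_selinux.8 misspells "deamon" ("Oident deamon SELinux policy documentation"), and the FILE_CONTEXTS and BOOLEANS sections say "files type" where "file type" is meant (three occurrences); the .TH string is what man prints as the page title, so fix these before the page ships. In the same two sections each .TP is followed directly by paragraph text instead of a tag line, so the text renders as a hanging indent with no label; .PP is the plainer macro there.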
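Review bot: the HOME_DIR entry in policy/modules/services/oidentd.fc leaves the second dot unescaped (`HOME_DIR/\.oidentd.conf`), so that dot is a regex wildcard rather than a literal, and the line is inconsistent with the `/etc/oidentd\.conf` and `/etc/oidentd_masq\.conf` entries above it; write it as `HOME_DIR/\.oidentd\.conf`.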
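Review bot: the per-role template in policy/modules/services/oidentd.if documents a `user_role` parameter ($3) that its body never uses, and nothing in this patch invokes `oidentd_per_role_template` (all four hunks are new files, there is no userdomain hunk), so as submitted `userdom_user_home_content($1, oidentd_home_t)` is never declared for any user and the `manage_file_perms` / `relabel_file_perms` rules for $2 never take effect, which means the chcon step the man page documents cannot work. Either add the call site or drop the unused parameter and state in the <desc> how the template is meant to be wired in.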
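Review bot: the tunable_policy block at the end of policy/modules/services/oidentd.te hard-codes the `user` prefix in `userdom_search_user_home_dirs(user, oidentd_t)` while the .if template is written per role, so with the boolean on the daemon can only traverse home directories of the `user` prefix and reading `~/.oidentd.conf` for any other prefix the template is instantiated for will be denied; either emit the search rule from the template so each prefix gets its own, or use an interface that covers all user home directories. Minor: the tunable's <desc> reads "oidentd daemon home files", but what it gates is per-user home content (`~/.oidentd.conf`), so "user home content" would match the man page wording.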