Just for information, this is a first attempt (using the standard
system-config-selinux and audit2allow tools) at creating a policy for the feng
streaming server that will allow it to use SCTP as well as TCP and UDP.
When I get a little time I will try again, probably with SLIDE (once I
get it installed), as it could probably do with some improvements. But it
does actually work and allows me to stream over SCTP (note that the domain
is still marked permissive, so denials are only logged, not enforced).
Any comments/suggestions welcome
Nigel
feng.te
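policy_module(feng, 1.0.0)

########################################
#
# Declarations
#

type feng_t;
type feng_exec_t;
init_daemon_domain(feng_t, feng_exec_t)

# NOTE(review): while feng_t is permissive, AVC denials are only logged and
# never enforced, so "streaming works" says nothing about whether the rules
# below are sufficient.  Remove this line once a run in enforcing mode
# produces no denials for feng_t.
permissive feng_t;

type feng_initrc_exec_t;
init_script_file(feng_initrc_exec_t)

# Data the daemon reads and writes; label its writable directories with this.
type feng_rw_t;
files_type(feng_rw_t)

########################################
#
# feng local policy
#

# Types used directly below that no refpolicy interface covers.  The three
# raw audit2allow require blocks were folded into this one; types declared
# in this module (feng_t, feng_rw_t) never need to be required.
gen_require(`
	type port_t;
	type unlabeled_t;
')

# Init script handling
domain_use_interactive_fds(feng_t)

# Internal communication is often done using fifo and unix sockets.
allow feng_t self:fifo_file rw_file_perms;
allow feng_t self:unix_stream_socket create_stream_socket_perms;
allow feng_t self:unix_dgram_socket { create read write sendto };

# Process privileges audit2allow reported.
# setuid/setgid: presumably feng drops root after binding its ports -- confirm.
allow feng_t self:capability { setuid setgid };
# execstack/execmem defeat W^X for the whole process; check the AVC record for
# the object that triggered them (usually a library with an executable stack)
# and fix that object rather than keeping these permissions long term.
allow feng_t self:process { execstack execmem getsched };

files_read_etc_files(feng_t)
miscfiles_read_localization(feng_t)
kernel_read_system_state(feng_t)
dev_read_urand(feng_t)
fs_rw_anon_inodefs_files(feng_t)

# Own data.  The earlier create_dir_perms/manage_file_perms pair did not
# allow creating entries in feng_rw_t directories, and audit2allow then
# reported dir:search and lnk_file:read denials; use the refpolicy patterns,
# which grant a consistent set.
manage_dirs_pattern(feng_t, feng_rw_t, feng_rw_t)
manage_files_pattern(feng_t, feng_rw_t, feng_rw_t)
read_lnk_files_pattern(feng_t, feng_rw_t, feng_rw_t)

# TODO(review): this lets the daemon write anything under /usr, which largely
# defeats confinement.  Find the path feng actually writes to, label it
# feng_rw_t, and replace this with files_read_usr_files(feng_t).
files_manage_usr_files(feng_t)

# Reads content out of the web server's document tree.
apache_read_sys_content(feng_t)
apache_search_sys_content(feng_t)

# Networking
sysnet_dns_name_resolve(feng_t)
corenet_all_recvfrom_unlabeled(feng_t)

# TCP: may bind to and connect to any port.  Once the listening ports are
# fixed, declare a port type for them and narrow bind_all_ports to it.
allow feng_t self:tcp_socket create_stream_socket_perms;
corenet_tcp_sendrecv_all_if(feng_t)
corenet_tcp_sendrecv_all_nodes(feng_t)
corenet_tcp_sendrecv_all_ports(feng_t)
corenet_tcp_bind_all_nodes(feng_t)
corenet_tcp_bind_all_ports(feng_t)
corenet_tcp_connect_all_ports(feng_t)

# UDP
allow feng_t self:udp_socket { create_socket_perms listen };
corenet_udp_sendrecv_all_if(feng_t)
corenet_udp_sendrecv_all_nodes(feng_t)
corenet_udp_sendrecv_all_ports(feng_t)
corenet_udp_bind_all_nodes(feng_t)
corenet_udp_bind_all_unreserved_ports(feng_t)

# SCTP.  The denials came back as rawip_socket with bind/listen/accept, which
# is presumably the SCTP listener (this kernel/policy has no sctp_socket
# class) -- verify.  name_bind is on the generic port_t, so any port is
# allowed; traffic arrives as unlabeled_t because no packet labeling is set up.
allow feng_t self:rawip_socket { create getattr setopt bind listen accept };
allow feng_t port_t:rawip_socket name_bind;
allow feng_t unlabeled_t:rawip_socket { read write getattr };
corenet_raw_bind_generic_node(feng_t)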