List:       selinux
Subject:    Re: policy for resmgrd
From:       Thomas Bleher <bleher () informatik ! uni-muenchen ! de>
Date:       2004-09-30 13:07:57
Message-ID: 20040930130757.GD2773 () cip ! ifi ! lmu ! de

* Russell Coker <russell@coker.com.au> [2004-09-29 14:43]:
> On Mon, 27 Sep 2004 06:46, Thomas Bleher <bleher@informatik.uni-muenchen.de> 
> wrote:
> > Resmgrd is a daemon which is used on SuSE Linux to mediate access to
> > devices. Clients can ask resmgrd to open a specific device, resmgrd
> > checks if the app has appropriate permission and opens the device on
> > behalf of the client. Resmgrd should probably be a userspace SELinux
> > enforcer, but for now the attached policy allows it to work on a SELinux
> > system.
> 
> allow resmgrd_t self:unix_dgram_socket { connect create write };
> 
> I suggest that the above be replaced by:
> 
> allow resmgrd_t self:unix_dgram_socket create_socket_perms;
> 
> There's no real reason to restrict its unix domain socket access to itself.

Agreed.
New version of the patch attached.

Thomas

-- 
http://www.cip.ifi.lmu.de/~bleher/selinux/ - my SELinux pages
GPG-Fingerprint: BC4F BB16 30D6 F253 E3EA  D09E C562 2BAE B2F4 ABE7

["resmgrd.patch" (text/plain)]

diff -urN orig/domains/program/unused/resmgrd.te mod/domains/program/unused/resmgrd.te
--- orig/domains/program/unused/resmgrd.te	1970-01-01 01:00:00.000000000 +0100
+++ mod/domains/program/unused/resmgrd.te	2004-09-26 22:30:47.000000000 +0200
@@ -0,0 +1,25 @@
+# DESC resmgrd - resource manager daemon
+#
+# Author: Thomas Bleher <ThomasBleher@gmx.de>
+ 
+daemon_base_domain(resmgrd)
+var_run_domain(resmgrd, { file sock_file })
+etc_domain(resmgrd)
+read_locale(resmgrd_t)
+allow resmgrd_t self:capability { dac_override dac_read_search sys_admin sys_rawio };
+
+allow resmgrd_t etc_t:file { getattr read };
+allow resmgrd_t self:unix_stream_socket create_stream_socket_perms; 
+allow resmgrd_t self:unix_dgram_socket create_socket_perms;
+
+# hardware access
+allow resmgrd_t device_t:lnk_file { getattr read };
+# not sure if it needs write access, needs to be investigated further...
+allow resmgrd_t removable_device_t:blk_file { getattr ioctl read write };
+allow resmgrd_t scsi_generic_device_t:chr_file { getattr ioctl read };
+allow resmgrd_t scanner_device_t:chr_file { getattr };
+# I think a dontaudit should be enough there
+dontaudit resmgrd_t fixed_disk_device_t:blk_file { getattr ioctl read };
+
+# there is a macro can_resmgrd_connect() in macros/program/resmgrd_macros.te
+
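Review bot: the `write` permission in `allow resmgrd_t removable_device_t:blk_file { getattr ioctl read write };` is granted even though the comment directly above it says the need is not yet established; I would leave `write` out until a logged denial shows it is required, and add it back with a comment naming the operation that needs it. The same applies to the capability line: `dac_override dac_read_search sys_admin sys_rawio` is a broad set for a daemon that every user domain can connect to, and none of the four carries a comment saying which resmgrd operation depends on it. The `dontaudit` on `fixed_disk_device_t:blk_file` should also say what triggers those accesses, since it will hide them from the audit log from now on.
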
diff -urN orig/domains/program/unused/xdm.te mod/domains/program/unused/xdm.te
--- orig/domains/program/unused/xdm.te	2004-09-11 14:31:47.000000000 +0200
+++ mod/domains/program/unused/xdm.te	2004-09-26 22:30:06.000000000 +0200
@@ -130,6 +130,7 @@
 allow xdm_t v4l_device_t:chr_file { setattr getattr };
 allow xdm_t scanner_device_t:chr_file { setattr getattr };
 allow xdm_t tty_device_t:chr_file { ioctl read write setattr getattr };
+can_resmgrd_connect(xdm_t)
 
 # Access xdm log files.
 file_type_auto_trans(xdm_t, var_log_t, xserver_log_t, file)
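Review bot: `can_resmgrd_connect(xdm_t)` is appended to the block of device `chr_file` rules with no comment, so a reader of xdm.te cannot tell that it is a socket connection to another daemon rather than a device access. A one-line comment above it saying which device requests xdm makes through resmgrd would make the rule reviewable later.
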
diff -urN orig/file_contexts/program/resmgrd.fc mod/file_contexts/program/resmgrd.fc
--- orig/file_contexts/program/resmgrd.fc	1970-01-01 01:00:00.000000000 +0100
+++ mod/file_contexts/program/resmgrd.fc	2004-09-26 22:30:38.000000000 +0200
@@ -0,0 +1,6 @@
+# resmgrd
+/sbin/resmgrd		--	system_u:object_r:resmgrd_exec_t
+/etc/resmgr\.conf	--	system_u:object_r:resmgrd_etc_t
+/var/run/resmgr\.pid	--	system_u:object_r:resmgrd_var_run_t
+/var/run/\.resmgr_socket	system_u:object_r:resmgrd_var_run_t
+
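Review bot: the `/var/run/\.resmgr_socket` entry is the only one of the four without a file type specifier, so it matches any object at that path, while the three entries above it use `--` to restrict to regular files. Since this path is a socket, `-s` would keep the labeling consistent with the others and limited to the object the policy expects: `/var/run/\.resmgr_socket	-s	system_u:object_r:resmgrd_var_run_t`.
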
diff -urN orig/macros/base_user_macros.te mod/macros/base_user_macros.te
--- orig/macros/base_user_macros.te	2004-09-25 19:52:50.000000000 +0200
+++ mod/macros/base_user_macros.te	2004-09-26 22:30:22.000000000 +0200
@@ -177,6 +177,8 @@
 allow $1_t misc_device_t:{ chr_file blk_file } rw_file_perms;
 allow $1_t device_t:lnk_file { getattr read };
 
+can_resmgrd_connect($1_t)
+
 #
 # evolution and gnome-session try to create a netlink socket
 #
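Review bot: placing `can_resmgrd_connect($1_t)` in base_user_macros.te gives every user domain built from this macro the right to connect to resmgrd, and the call has no comment explaining that choice. Given the capabilities and device access granted to `resmgrd_t` in resmgrd.te, it is worth stating here that access decisions are left to resmgrd's own checks, or applying the macro only in the user domains that need device access.
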
diff -urN orig/macros/program/resmgrd_macros.te mod/macros/program/resmgrd_macros.te
--- orig/macros/program/resmgrd_macros.te	1970-01-01 01:00:00.000000000 +0100
+++ mod/macros/program/resmgrd_macros.te	2004-09-26 22:33:31.000000000 +0200
@@ -0,0 +1,10 @@
+# Macro for resmgrd
+
+define(`can_resmgrd_connect', `
+ifdef(`resmgrd.te', ` 
+allow $1 resmgrd_t:unix_stream_socket connectto;
+allow $1 resmgrd_var_run_t:sock_file write;
+allow $1 resmgrd_t:fd use;
+')
+')
+
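Review bot: the header comment `# Macro for resmgrd` does not document what `$1` is, and the two callers in this patch pass a full domain type (`xdm_t`, `$1_t`) rather than a prefix as `daemon_base_domain(resmgrd)` does. A short usage comment such as `# can_resmgrd_connect(domain_type)` would prevent a caller from passing the bare prefix, and a note on why `resmgrd_t:fd use` is granted alongside the two socket rules would help reviewers. The line `ifdef(`resmgrd.te', ` ` also carries trailing whitespace.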

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.