* [refpolicy] services_nut.patch
@ 2009-11-12 21:46 Daniel J Walsh
  2009-11-16 14:31 ` Stefan Schulze Frielinghaus
  0 siblings, 1 reply; 23+ messages in thread
From: Daniel J Walsh @ 2009-11-12 21:46 UTC (permalink / raw)
  To: refpolicy

http://people.fedoraproject.org/~dwalsh/SELinux/F12/services_nut.patch

nut policy.


* [refpolicy] services_nut.patch
  2009-11-12 21:46 [refpolicy] services_nut.patch Daniel J Walsh
@ 2009-11-16 14:31 ` Stefan Schulze Frielinghaus
  2009-11-16 18:32   ` Daniel J Walsh
  0 siblings, 1 reply; 23+ messages in thread
From: Stefan Schulze Frielinghaus @ 2009-11-16 14:31 UTC (permalink / raw)
  To: refpolicy

On Thu, 2009-11-12 at 16:46 -0500, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F12/services_nut.patch
> 
> nut policy.

Some time ago I wrote a policy for NUT too (see attachment). I guess you
tested your policy with a UPS connected via USB. Maybe we could merge
both policies because I tested mine with the SNMP module of NUT.

One note about your policy. Shouldn't we prefix all domains with "nut_"?
This would indicate that e.g. each executable comes from the NUT
project. Then we could also define one type for /var/run/nut (in my
policy it is just nut_var_run_t) because the three main domains
nut_upsd_t, nut_upsdrvctl_t and nut_upsmon_t write to the same location,
share e.g. a socket file.

I would also like to introduce a type for config files because clear
text passwords are saved in there.

Your domain upsmon_t needs also to write to all terms because it
announces information via "wall". It also seems to miss the following
permissions which are needed if upsmon_t should execute /sbin/shutdown
(we still do not have a shutdown policy):

files_rw_generic_pids(nut_upsmon_t)
init_exec(nut_upsmon_t)
init_rw_initctl(nut_upsmon_t)
init_write_utmp(nut_upsmon_t)

What are your thoughts?
I tested my policy on CentOS 5.3 with a couple of dozen
restarts/shutdowns. Debugging restarts/shutdowns is hell ;-)

cheers,
Stefan
-------------- next part --------------
/etc/ups(/.*)?			gen_context(system_u:object_r:nut_conf_t,s0)

/sbin/apcsmart		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/bcmxcp		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/bcmxcp_usb	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/belkin		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/belkinunv		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/bestfcom		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/bestuferrups	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/bestups		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/blazer_ser	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/blazer_usb	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/cyberpower	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/dummy-ups		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/etapro		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/everups		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/gamatronic	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/genericups	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/isbmex		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/liebert		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/masterguard	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/megatec		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/megatec_usb	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/metasys		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/mge-shut		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/mge-utalk		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/microdowell	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/newmge-shut	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/oneac		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/optiups		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/powercom		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/powerman-pdu	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/powerpanel	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/rhino		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/richcomm_usb	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/safenet		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/skel		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/snmp-ups		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/solis		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/tripplite		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/tripplitesu	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/tripplite_usb	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/upscode2		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/upsdrvctl		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/usbhid-ups	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/victronups	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)

/usr/sbin/upsd		--	gen_context(system_u:object_r:nut_upsd_exec_t,s0)
/usr/sbin/upsmon	--	gen_context(system_u:object_r:nut_upsmon_exec_t,s0)

/var/run/nut(/.*)?		gen_context(system_u:object_r:nut_var_run_t,s0)

/var/www/nut-cgi-bin/upsimage\.cgi	--	gen_context(system_u:object_r:httpd_nut_upscgi_script_exec_t,s0)
/var/www/nut-cgi-bin/upsset\.cgi	--	gen_context(system_u:object_r:httpd_nut_upscgi_script_exec_t,s0)
/var/www/nut-cgi-bin/upsstats\.cgi	--	gen_context(system_u:object_r:httpd_nut_upscgi_script_exec_t,s0)
-------------- next part --------------

policy_module(nut, 1.0.0)

########################################
#
# Declarations
#

type nut_upsdrvctl_t;
type nut_upsdrvctl_exec_t;
init_daemon_domain(nut_upsdrvctl_t, nut_upsdrvctl_exec_t)

type nut_upsd_t;
type nut_upsd_exec_t;
init_daemon_domain(nut_upsd_t, nut_upsd_exec_t)

type nut_upsmon_t;
type nut_upsmon_exec_t;
init_daemon_domain(nut_upsmon_t, nut_upsmon_exec_t)

type nut_conf_t;
files_config_file(nut_conf_t)

type nut_var_run_t;
files_pid_file(nut_var_run_t)

########################################
#
# Local policy for upsdrvctl
#

allow nut_upsdrvctl_t self:capability { dac_override kill setgid setuid };
allow nut_upsdrvctl_t self:process { sigchld signal signull };
allow nut_upsdrvctl_t self:fd use;
allow nut_upsdrvctl_t self:unix_dgram_socket { connect create write };
allow nut_upsdrvctl_t self:udp_socket create_socket_perms;
allow nut_upsdrvctl_t self:netlink_route_socket create_netlink_socket_perms;
allow nut_upsdrvctl_t nut_var_run_t:sock_file { create unlink setattr };

# /sbin/upsdrvctl executes other drivers
can_exec(nut_upsdrvctl_t, nut_upsdrvctl_exec_t)

read_files_pattern(nut_upsdrvctl_t, nut_conf_t, nut_conf_t)
manage_files_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t)

# /etc/nsswitch.conf
files_read_etc_files(nut_upsdrvctl_t)
files_read_usr_files(nut_upsdrvctl_t)
files_search_pids(nut_upsdrvctl_t)
files_search_usr(nut_upsdrvctl_t)

miscfiles_read_localization(nut_upsdrvctl_t)

# /etc/resolv.conf
sysnet_read_config(nut_upsdrvctl_t)

corecmd_search_bin(nut_upsdrvctl_t)

libs_read_lib_files(nut_upsdrvctl_t)

kernel_read_kernel_sysctls(nut_upsdrvctl_t)
kernel_sendrecv_unlabeled_association(nut_upsdrvctl_t)

init_sigchld(nut_upsdrvctl_t)

dev_read_urand(nut_upsdrvctl_t)
dev_rw_null(nut_upsdrvctl_t)

logging_send_syslog_msg(nut_upsdrvctl_t)

########################################
#
# Local policy for upsd
#

allow nut_upsd_t self:capability { setgid setuid };
allow nut_upsd_t self:netlink_route_socket create_netlink_socket_perms;
allow nut_upsd_t self:tcp_socket connected_stream_socket_perms;
allow nut_upsd_t nut_upsdrvctl_t:unix_stream_socket connectto;
allow nut_upsd_t nut_var_run_t:sock_file write;

read_files_pattern(nut_upsd_t, nut_conf_t, nut_conf_t)
manage_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)

# /etc/nsswitch.conf
files_read_etc_files(nut_upsd_t)

files_read_usr_files(nut_upsd_t)

miscfiles_read_localization(nut_upsd_t)

libs_read_lib_files(nut_upsd_t)

logging_send_syslog_msg(nut_upsd_t)

kernel_read_kernel_sysctls(nut_upsd_t)
kernel_sendrecv_unlabeled_association(nut_upsd_t)

corenet_tcp_bind_generic_port(nut_upsd_t)
corenet_tcp_bind_all_nodes(nut_upsd_t)

########################################
#
# Local policy for upsmon
#

allow nut_upsmon_t self:capability { dac_override dac_read_search setgid setuid };
allow nut_upsmon_t self:unix_dgram_socket { connect create write };
allow nut_upsmon_t self:tcp_socket create_socket_perms;
allow nut_upsmon_t self:netlink_route_socket create_netlink_socket_perms;
allow nut_upsmon_t self:fifo_file rw_fifo_file_perms;

read_files_pattern(nut_upsmon_t, nut_conf_t, nut_conf_t)
manage_files_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t)

# creates /etc/killpower
files_manage_etc_files(nut_upsmon_t)

files_search_usr(nut_upsmon_t)

corecmd_exec_bin(nut_upsmon_t)
corecmd_exec_shell(nut_upsmon_t)

miscfiles_read_localization(nut_upsmon_t)

libs_read_lib_files(nut_upsmon_t)

logging_send_syslog_msg(nut_upsmon_t)

# /etc/resolv.conf
sysnet_read_config(nut_upsmon_t)

kernel_read_kernel_sysctls(nut_upsmon_t)
kernel_read_system_state(nut_upsmon_t)
kernel_sendrecv_unlabeled_association(nut_upsmon_t)

corenet_tcp_connect_generic_port(nut_upsmon_t)

# /usr/bin/wall
init_read_utmp(nut_upsmon_t)
term_write_all_terms(nut_upsmon_t)

# /sbin/shutdown
files_rw_generic_pids(nut_upsmon_t)
init_exec(nut_upsmon_t)
init_rw_initctl(nut_upsmon_t)
init_write_utmp(nut_upsmon_t)

########################################
#
# Local policy for upscgi scripts
#   requires httpd_enable_cgi and httpd_can_network_connect
#

apache_content_template(nut_upscgi)

read_files_pattern(httpd_nut_upscgi_script_t, nut_conf_t, nut_conf_t)

# /etc/resolv.conf
sysnet_read_config(httpd_nut_upscgi_script_t)


* [refpolicy] services_nut.patch
  2009-11-16 14:31 ` Stefan Schulze Frielinghaus
@ 2009-11-16 18:32   ` Daniel J Walsh
  2009-11-22 14:59     ` Stefan Schulze Frielinghaus
  0 siblings, 1 reply; 23+ messages in thread
From: Daniel J Walsh @ 2009-11-16 18:32 UTC (permalink / raw)
  To: refpolicy

On 11/16/2009 09:31 AM, Stefan Schulze Frielinghaus wrote:
> On Thu, 2009-11-12 at 16:46 -0500, Daniel J Walsh wrote:
>> http://people.fedoraproject.org/~dwalsh/SELinux/F12/services_nut.patch
>>
>> nut policy.
> 
> Some time ago I wrote a policy for NUT too (see attachment). I guess you
> tested your policy with a UPS connected via USB. Maybe we could merge
> both policies because I tested mine with the SNMP module of NUT.
> 
> One note about your policy. Shouldn't we prefix all domains with "nut_"?
> This would indicate that e.g. each executable comes from the NUT
> project. Then we could also define one type for /var/run/nut (in my
> policy it is just nut_var_run_t) because the three main domains
> nut_upsd_t, nut_upsdrvctl_t and nut_upsmon_t write to the same location,
> share e.g. a socket file.
> 
> I would also like to introduce a type for config files because clear
> text passwords are saved in there.
> 
> Your domain upsmon_t needs also to write to all terms because it
> announces information via "wall". It also seems to miss the following
> permissions which are needed if upsmon_t should execute /sbin/shutdown
> (we still do not have a shutdown policy):
> 
> files_rw_generic_pids(nut_upsmon_t)
> init_exec(nut_upsmon_t)
> init_rw_initctl(nut_upsmon_t)
> init_write_utmp(nut_upsmon_t)
> 
> What are your thoughts?
> I tested my policy on CentOS 5.3 with a couple of dozen
> restarts/shutdowns. Debugging restarts/shutdowns is hell ;-)
> 
> cheers,
> Stefan

Actually I believe Miroslav wrote this policy so I will forward this to him and you and he can work on consolidating the policies.

I agree with your points and your naming is fine.


* [refpolicy] services_nut.patch
  2009-11-16 18:32   ` Daniel J Walsh
@ 2009-11-22 14:59     ` Stefan Schulze Frielinghaus
  2009-11-23 13:05       ` Miroslav Grepl
  0 siblings, 1 reply; 23+ messages in thread
From: Stefan Schulze Frielinghaus @ 2009-11-22 14:59 UTC (permalink / raw)
  To: refpolicy

On Mon, 2009-11-16 at 13:32 -0500, Daniel J Walsh wrote:
> On 11/16/2009 09:31 AM, Stefan Schulze Frielinghaus wrote:
> > On Thu, 2009-11-12 at 16:46 -0500, Daniel J Walsh wrote:
> >> http://people.fedoraproject.org/~dwalsh/SELinux/F12/services_nut.patch
> >>
> >> nut policy.
> > 
> > Some time ago I wrote a policy for NUT too (see attachment). I guess you
> > tested your policy with a UPS connected via USB. Maybe we could merge
> > both policies because I tested mine with the SNMP module of NUT.
> > 
> > One note about your policy. Shouldn't we prefix all domains with "nut_"?
> > This would indicate that e.g. each executable comes from the NUT
> > project. Then we could also define one type for /var/run/nut (in my
> > policy it is just nut_var_run_t) because the three main domains
> > nut_upsd_t, nut_upsdrvctl_t and nut_upsmon_t write to the same location,
> > share e.g. a socket file.
> > 
> > I would also like to introduce a type for config files because clear
> > text passwords are saved in there.
> > 
> > Your domain upsmon_t needs also to write to all terms because it
> > announces information via "wall". It also seems to miss the following
> > permissions which are needed if upsmon_t should execute /sbin/shutdown
> > (we still do not have a shutdown policy):
> > 
> > files_rw_generic_pids(nut_upsmon_t)
> > init_exec(nut_upsmon_t)
> > init_rw_initctl(nut_upsmon_t)
> > init_write_utmp(nut_upsmon_t)
> > 
> > What are your thoughts?
> > I tested my policy on CentOS 5.3 with a couple of dozen
> > restarts/shutdowns. Debugging restarts/shutdowns is hell ;-)
> > 
> > cheers,
> > Stefan
> 
> Actually I believe Miroslav wrote this policy so I will forward this to him and you and he can work on consolidating the policies.
> 
> I agree with your points and your naming is fine.

Hi Miroslav,

attached is the merged policy. Just a few questions left. In your
original policy you had the following rule

corenet_tcp_connect_ups_port(upsmon_t)

I can't find any such port definition in refpolicy.

Another question, what is the intention of the following

permissive upsd_t;
permissive upsdrvctl_t;
permissive upsmon_t;

Does that make the domain permissive by default? I'm unsure about these
ones.

cheers,
Stefan
-------------- next part --------------
/etc/ups(/.*)?			gen_context(system_u:object_r:nut_conf_t,s0)

/sbin/apcsmart		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/bcmxcp		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/bcmxcp_usb	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/belkin		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/belkinunv		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/bestfcom		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/bestuferrups	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/bestups		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/blazer_ser	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/blazer_usb	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/cyberpower	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/dummy-ups		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/etapro		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/everups		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/gamatronic	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/genericups	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/isbmex		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/liebert		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/masterguard	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/megatec		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/megatec_usb	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/metasys		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/mge-shut		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/mge-utalk		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/microdowell	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/newmge-shut	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/oneac		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/optiups		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/powercom		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/powerman-pdu	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/powerpanel	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/rhino		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/richcomm_usb	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/safenet		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/skel		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/snmp-ups		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/solis		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/tripplite		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/tripplitesu	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/tripplite_usb	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/upscode2		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/upsdrvctl		--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/usbhid-ups	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)
/sbin/victronups	--	gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)

/usr/sbin/upsd		--	gen_context(system_u:object_r:nut_upsd_exec_t,s0)
/usr/sbin/upsmon	--	gen_context(system_u:object_r:nut_upsmon_exec_t,s0)

/var/run/nut(/.*)?		gen_context(system_u:object_r:nut_var_run_t,s0)

/var/www/nut-cgi-bin/upsimage\.cgi	--	gen_context(system_u:object_r:httpd_nut_upscgi_script_exec_t,s0)
/var/www/nut-cgi-bin/upsset\.cgi	--	gen_context(system_u:object_r:httpd_nut_upscgi_script_exec_t,s0)
/var/www/nut-cgi-bin/upsstats\.cgi	--	gen_context(system_u:object_r:httpd_nut_upscgi_script_exec_t,s0)
-------------- next part --------------
## <summary>SELinux policy for NUT - Network UPS Tools</summary>

########################################
## <summary>
##      Execute a domain transition to run upsd.
## </summary>
## <param name="domain">
## <summary>
##      Domain allowed to transition.
## </summary>
## </param>
#
interface(`nut_upsd_domtrans',`
	gen_require(`
		type nut_upsd_t, nut_upsd_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, nut_upsd_exec_t, nut_upsd_t)
')

########################################
## <summary>
##      Execute a domain transition to run upsmon.
## </summary>
## <param name="domain">
## <summary>
##      Domain allowed to transition.
## </summary>
## </param>
#
interface(`nut_upsmon_domtrans',`
	gen_require(`
		type nut_upsmon_t, nut_upsmon_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, nut_upsmon_exec_t, nut_upsmon_t)
')

########################################
## <summary>
##      Execute a domain transition to run upsdrvctl.
## </summary>
## <param name="domain">
## <summary>
##      Domain allowed to transition.
## </summary>
## </param>
#
interface(`nut_upsdrvctl_domtrans',`
	gen_require(`
		type nut_upsdrvctl_t, nut_upsdrvctl_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, nut_upsdrvctl_exec_t, nut_upsdrvctl_t)
')
-------------- next part --------------

policy_module(nut, 1.0.0)

########################################
#
# Declarations
#

type nut_upsdrvctl_t;
type nut_upsdrvctl_exec_t;
init_daemon_domain(nut_upsdrvctl_t, nut_upsdrvctl_exec_t)

type nut_upsd_t;
type nut_upsd_exec_t;
init_daemon_domain(nut_upsd_t, nut_upsd_exec_t)

type nut_upsmon_t;
type nut_upsmon_exec_t;
init_daemon_domain(nut_upsmon_t, nut_upsmon_exec_t)

type nut_conf_t;
files_config_file(nut_conf_t)

type nut_var_run_t;
files_pid_file(nut_var_run_t)

permissive nut_upsdrvctl_t;
permissive nut_upsd_t;
permissive nut_upsmon_t;

########################################
#
# Local policy for upsdrvctl
#

allow nut_upsdrvctl_t self:capability { dac_override kill setgid setuid };
allow nut_upsdrvctl_t self:process { sigchld signal signull };
allow nut_upsdrvctl_t self:fifo_file rw_fifo_file_perms;
allow nut_upsdrvctl_t self:fd use;
allow nut_upsdrvctl_t self:unix_dgram_socket { create_socket_perms sendto };
allow nut_upsdrvctl_t self:udp_socket create_socket_perms;
allow nut_upsdrvctl_t self:netlink_route_socket create_netlink_socket_perms;
allow nut_upsdrvctl_t nut_var_run_t:sock_file { create unlink setattr };

# /sbin/upsdrvctl executes other drivers
can_exec(nut_upsdrvctl_t, nut_upsdrvctl_exec_t)

read_files_pattern(nut_upsdrvctl_t, nut_conf_t, nut_conf_t)
manage_files_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t)

# /etc/nsswitch.conf
files_read_etc_files(nut_upsdrvctl_t)
files_read_usr_files(nut_upsdrvctl_t)
files_search_pids(nut_upsdrvctl_t)
files_search_usr(nut_upsdrvctl_t)

dev_rw_generic_usb_dev(nut_upsdrvctl_t)

miscfiles_read_localization(nut_upsdrvctl_t)

# /etc/resolv.conf
sysnet_read_config(nut_upsdrvctl_t)

corecmd_search_bin(nut_upsdrvctl_t)

libs_read_lib_files(nut_upsdrvctl_t)

kernel_read_kernel_sysctls(nut_upsdrvctl_t)
kernel_sendrecv_unlabeled_association(nut_upsdrvctl_t)

init_sigchld(nut_upsdrvctl_t)

dev_read_urand(nut_upsdrvctl_t)
dev_rw_null(nut_upsdrvctl_t)

logging_send_syslog_msg(nut_upsdrvctl_t)

########################################
#
# Local policy for upsd
#

allow nut_upsd_t self:capability { setgid setuid };
allow nut_upsd_t self:netlink_route_socket create_netlink_socket_perms;
allow nut_upsd_t self:tcp_socket connected_stream_socket_perms;
allow nut_upsd_t self:unix_dgram_socket { create_socket_perms sendto };
allow nut_upsd_t nut_upsdrvctl_t:unix_stream_socket connectto;
allow nut_upsd_t nut_var_run_t:sock_file write;

read_files_pattern(nut_upsd_t, nut_conf_t, nut_conf_t)
manage_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)

# /etc/nsswitch.conf
files_read_etc_files(nut_upsd_t)

files_read_usr_files(nut_upsd_t)

miscfiles_read_localization(nut_upsd_t)

libs_read_lib_files(nut_upsd_t)

logging_send_syslog_msg(nut_upsd_t)

kernel_read_kernel_sysctls(nut_upsd_t)
kernel_sendrecv_unlabeled_association(nut_upsd_t)

corenet_tcp_bind_generic_port(nut_upsd_t)
corenet_tcp_bind_all_nodes(nut_upsd_t)

########################################
#
# Local policy for upsmon
#

allow nut_upsmon_t self:capability { dac_override dac_read_search setgid setuid };
allow nut_upsmon_t self:unix_dgram_socket { create_socket_perms sendto };
allow nut_upsmon_t self:tcp_socket create_socket_perms;
allow nut_upsmon_t self:netlink_route_socket create_netlink_socket_perms;
allow nut_upsmon_t self:fifo_file rw_fifo_file_perms;

read_files_pattern(nut_upsmon_t, nut_conf_t, nut_conf_t)
manage_files_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t)

# creates /etc/killpower
files_manage_etc_files(nut_upsmon_t)

files_search_usr(nut_upsmon_t)

corecmd_exec_bin(nut_upsmon_t)
corecmd_exec_shell(nut_upsmon_t)

miscfiles_read_localization(nut_upsmon_t)

libs_read_lib_files(nut_upsmon_t)

logging_send_syslog_msg(nut_upsmon_t)

# /etc/resolv.conf
sysnet_read_config(nut_upsmon_t)

kernel_read_kernel_sysctls(nut_upsmon_t)
kernel_read_system_state(nut_upsmon_t)
kernel_sendrecv_unlabeled_association(nut_upsmon_t)

#corenet_tcp_connect_ups_port(nut_upsmon_t)
corenet_tcp_connect_generic_port(nut_upsmon_t)

# /usr/bin/wall
init_read_utmp(nut_upsmon_t)
term_write_all_terms(nut_upsmon_t)

# /sbin/shutdown
files_rw_generic_pids(nut_upsmon_t)
init_exec(nut_upsmon_t)
init_rw_initctl(nut_upsmon_t)
init_write_utmp(nut_upsmon_t)

########################################
#
# Local policy for upscgi scripts
#   requires httpd_enable_cgi and httpd_can_network_connect
#

apache_content_template(nut_upscgi)

read_files_pattern(httpd_nut_upscgi_script_t, nut_conf_t, nut_conf_t)

# /etc/resolv.conf
sysnet_read_config(httpd_nut_upscgi_script_t)
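The attached nut.if only exposes the three domain-transition interfaces. Under refpolicy's module rules no other module may name nut_conf_t or the nut domains directly, so a module that needs to read the NUT configuration (which, as Stefan notes above, carries cleartext passwords) or an administrator domain that should manage the daemons needs a public interface for it. The two interfaces below are an added example written for this review, not part of Stefan's or Miroslav's attachment and not refpolicy's own code; they assume the read_files_pattern, admin_pattern and ps_process_pattern macros from refpolicy's support files and the type names declared in the attached nut.te.

```selinux
########################################
## <summary>
##	Read NUT configuration files.  nut_conf_t
##	carries the upsd user passwords, so keep
##	the set of callers small.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`nut_read_config',`
	gen_require(`
		type nut_conf_t;
	')

	files_search_etc($1)
	read_files_pattern($1, nut_conf_t, nut_conf_t)
')

########################################
## <summary>
##	All of the rules required to administrate
##	the NUT daemons: signal and inspect them,
##	and manage their configuration and pid files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`nut_admin',`
	gen_require(`
		type nut_upsd_t, nut_upsmon_t, nut_upsdrvctl_t;
		type nut_conf_t, nut_var_run_t;
	')

	# Let the admin domain send signals to, and read the /proc
	# entries of, all three daemons.  (ps_process_pattern is
	# assumed to exist in the refpolicy tree being built against.)
	allow $1 { nut_upsd_t nut_upsmon_t nut_upsdrvctl_t }:process { ptrace signal_perms };
	ps_process_pattern($1, { nut_upsd_t nut_upsmon_t nut_upsdrvctl_t })

	# Full management of /etc/ups and /var/run/nut.
	files_search_etc($1)
	admin_pattern($1, nut_conf_t)

	files_search_pids($1)
	admin_pattern($1, nut_var_run_t)
')
```

Within the module itself the CGI domain already reads nut_conf_t directly, which is fine; the read interface is for other modules, and it keeps the list of domains that can see the passwords in one greppable place.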


* [refpolicy] services_nut.patch
  2009-11-22 14:59     ` Stefan Schulze Frielinghaus
@ 2009-11-23 13:05       ` Miroslav Grepl
  2009-11-23 14:36         ` Stefan Schulze Frielinghaus
  0 siblings, 1 reply; 23+ messages in thread
From: Miroslav Grepl @ 2009-11-23 13:05 UTC (permalink / raw)
  To: refpolicy

On 11/22/2009 03:59 PM, Stefan Schulze Frielinghaus wrote:
> On Mon, 2009-11-16 at 13:32 -0500, Daniel J Walsh wrote:
>    
>> On 11/16/2009 09:31 AM, Stefan Schulze Frielinghaus wrote:
>>      
>>> On Thu, 2009-11-12 at 16:46 -0500, Daniel J Walsh wrote:
>>>        
>>>> http://people.fedoraproject.org/~dwalsh/SELinux/F12/services_nut.patch
>>>>
>>>> nut policy.
>>>>          
>>> Some time ago I wrote a policy for NUT too (see attachment). I guess you
>>> tested your policy with a UPS connected via USB. Maybe we could merge
>>> both policies because I tested mine with the SNMP module of NUT.
>>>
>>> One note about your policy. Shouldn't we prefix all domains with "nut_"?
>>> This would indicate that e.g. each executable comes from the NUT
>>> project. Then we could also define one type for /var/run/nut (in my
>>> policy it is just nut_var_run_t) because the three main domains
>>> nut_upsd_t, nut_upsdrvctl_t and nut_upsmon_t write to the same location,
>>> share e.g. a socket file.
>>>
>>> I would also like to introduce a type for config files because clear
>>> text passwords are saved in there.
>>>
>>> Your domain upsmon_t needs also to write to all terms because it
>>> announces information via "wall". It also seems to miss the following
>>> permissions which are needed if upsmon_t should execute /sbin/shutdown
>>> (we still do not have a shutdown policy):
>>>
>>> files_rw_generic_pids(nut_upsmon_t)
>>> init_exec(nut_upsmon_t)
>>> init_rw_initctl(nut_upsmon_t)
>>> init_write_utmp(nut_upsmon_t)
>>>
>>> What are your thoughts?
>>> I tested my policy on CentOS 5.3 with a couple of dozen
>>> restarts/shutdowns. Debugging restarts/shutdowns is hell ;-)
>>>
>>> cheers,
>>> Stefan
>>>        
>> Actually I believe Miroslav wrote this policy so I will forward this to him and you and he can work on consolidating the policies.
>>
>> I agree with your points and your naming is fine.
>>      
> Hi Miroslav,
>
> attached is the merged policy.
Hi Stefan,


>   Just a few questions left. In your
> original policy you had the following rule
>
> corenet_tcp_connect_ups_port(upsmon_t)
>
> I can't find any such port definition in refpolicy.
>
>    
+network_port(ups, tcp,3493,s0)
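Review bot: this declaration belongs in policy/modules/kernel/corenetwork.te.in, and it is what generates the corenet_tcp_bind_ups_port / corenet_tcp_connect_ups_port interfaces, so the merged nut.te should be updated with it: uncomment `#corenet_tcp_connect_ups_port(nut_upsmon_t)` and drop `corenet_tcp_connect_generic_port(nut_upsmon_t)`, and replace `corenet_tcp_bind_generic_port(nut_upsd_t)` with `corenet_tcp_bind_ups_port(nut_upsd_t)`, since the generic_port interfaces cover every port that has no dedicated type rather than just 3493.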

This is missing in the original patch.

> Another question, what is the intention of the following
>
> permissive upsd_t;
> permissive upsdrvctl_t;
> permissive upsmon_t;
>
> Does that make the domain permissive by default?
Yes, it does. We add new domains as permissive so we can fix all the AVCs without blocking the functionality of apps.

> I'm unsure about these
> ones.
>
> cheers,
> Stefan
>    
Regards,

Miroslav


* [refpolicy] services_nut.patch
  2009-11-23 13:05       ` Miroslav Grepl
@ 2009-11-23 14:36         ` Stefan Schulze Frielinghaus
  2009-11-23 15:19           ` Christopher J. PeBenito
  0 siblings, 1 reply; 23+ messages in thread
From: Stefan Schulze Frielinghaus @ 2009-11-23 14:36 UTC (permalink / raw)
  To: refpolicy

On Mon, 2009-11-23 at 14:05 +0100, Miroslav Grepl wrote:
[...]
> > Another question, what is the intention of the following
> >
> > permissive upsd_t;
> > permissive upsdrvctl_t;
> > permissive upsmon_t;
> >
> > Does that make the domain permissive by default?
> Yes, it does. We add new domains as permissive so we can fix all the AVCs without blocking the functionality of apps.

But not for refpolicy, right? I cannot find any such statement in the
policy modules of refpolicy. At least I wouldn't expect such a behavior
from modules of refpolicy. I guess we can remove those three lines.

If you are fine with the merge of both policies then we can commit it
(after the port change of course).

cheers
Stefan


* [refpolicy] services_nut.patch
  2009-11-23 14:36         ` Stefan Schulze Frielinghaus
@ 2009-11-23 15:19           ` Christopher J. PeBenito
  2009-11-23 16:04             ` Stefan Schulze Frielinghaus
  0 siblings, 1 reply; 23+ messages in thread
From: Christopher J. PeBenito @ 2009-11-23 15:19 UTC (permalink / raw)
  To: refpolicy

On Mon, 2009-11-23 at 15:36 +0100, Stefan Schulze Frielinghaus wrote:
> On Mon, 2009-11-23 at 14:05 +0100, Miroslav Grepl wrote:
> [...]
> > > Another question, what is the intention of the following
> > >
> > > permissive upsd_t;
> > > permissive upsdrvctl_t;
> > > permissive upsmon_t;
> > >
> > > Does that make the domain permissive by default?
> > Yes, it does. We add new domains as permissive so we can fix all the AVCs without blocking the functionality of apps.
> 
> But not for refpolicy, right? I cannot find any such statement in the
> policy modules of refpolicy. At least I wouldn't expect such a behavior
> from modules of refpolicy. I guess we can remove those three lines.
> 
> If you are fine with the merge of both policies then we can commit it
> (after the port change of course).

My policy is to not have permissive domains in upstream refpolicy.  If
the modules need more work the patch is dropped.  Otherwise the
permissive is dropped.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
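To tie Miroslav's port declaration to the merged module and to Chris's rule on permissive domains, the following is an added example (not Stefan's attachment and not refpolicy's own code) of how the network rules would look once network_port(ups, ...) is in corenetwork.te.in: upsd binds the ups port, and upsmon and the CGI scripts connect to it, replacing the generic-port calls and the commented-out corenet_tcp_connect_ups_port line in the attached nut.te. The corenet_* boilerplate interface names are the ones I expect in a refpolicy tree of this era; treat them as assumptions to check against the tree you build against. No permissive statements appear, in line with the upstream policy stated above.

```selinux
########################################
#
# policy/modules/kernel/corenetwork.te.in
#
# Miroslav's declaration.  refpolicy's m4 expands it into the
# corenet_*_ups_port and corenet_sendrecv_ups_*_packets interfaces
# used below (tcp/3493 is the port upsd listens on).
#
network_port(ups, tcp,3493,s0)

########################################
#
# policy/modules/services/nut.te
#

# upsd: the server side.  Replaces corenet_tcp_bind_generic_port(),
# which would have allowed binding any port without a dedicated type.
allow nut_upsd_t self:tcp_socket create_stream_socket_perms;

corenet_all_recvfrom_unlabeled(nut_upsd_t)
corenet_tcp_sendrecv_generic_if(nut_upsd_t)
corenet_tcp_sendrecv_generic_node(nut_upsd_t)
corenet_tcp_bind_all_nodes(nut_upsd_t)
corenet_tcp_bind_ups_port(nut_upsd_t)
corenet_sendrecv_ups_server_packets(nut_upsd_t)

# upsmon: a client of upsd.  Replaces corenet_tcp_connect_generic_port()
# and the commented-out corenet_tcp_connect_ups_port() line.
allow nut_upsmon_t self:tcp_socket create_socket_perms;

corenet_all_recvfrom_unlabeled(nut_upsmon_t)
corenet_tcp_sendrecv_generic_if(nut_upsmon_t)
corenet_tcp_sendrecv_generic_node(nut_upsmon_t)
corenet_tcp_connect_ups_port(nut_upsmon_t)
corenet_sendrecv_ups_client_packets(nut_upsmon_t)

# The CGI scripts are clients of upsd too.  apache_content_template()
# only grants them sockets inside the httpd_can_network_connect
# tunable, which opens every port; granting the one port they need
# is the narrower choice.
allow httpd_nut_upscgi_script_t self:tcp_socket create_socket_perms;

corenet_all_recvfrom_unlabeled(httpd_nut_upscgi_script_t)
corenet_tcp_sendrecv_generic_if(httpd_nut_upscgi_script_t)
corenet_tcp_sendrecv_generic_node(httpd_nut_upscgi_script_t)
corenet_tcp_connect_ups_port(httpd_nut_upscgi_script_t)
corenet_sendrecv_ups_client_packets(httpd_nut_upscgi_script_t)
```

On a development machine the effect of the dropped permissive statements can be had at runtime instead with `semanage permissive -a nut_upsd_t` (and `-d` to remove it again), which keeps the shipped module enforcing while AVC denials are still collected for the remaining domains.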


* [refpolicy] services_nut.patch
  2009-11-23 15:19           ` Christopher J. PeBenito
@ 2009-11-23 16:04             ` Stefan Schulze Frielinghaus
  2009-11-23 16:09               ` Stefan Schulze Frielinghaus
  0 siblings, 1 reply; 23+ messages in thread
From: Stefan Schulze Frielinghaus @ 2009-11-23 16:04 UTC (permalink / raw)
  To: refpolicy

On Mon, 2009-11-23 at 10:19 -0500, Christopher J. PeBenito wrote:
> On Mon, 2009-11-23 at 15:36 +0100, Stefan Schulze Frielinghaus wrote:
> > On Mon, 2009-11-23 at 14:05 +0100, Miroslav Grepl wrote:
> > [...]
> > > > Another question, what is the intention of the following
> > > >
> > > > permissive upsd_t;
> > > > permissive upsdrvctl_t;
> > > > permissive upsmon_t;
> > > >
> > > > Does that make the domain permissive by default?
> > > Yes, it does. We add new domains as permissive so we can fix all the AVCs without blocking the functionality of apps.
> > 
> > But not for refpolicy, right? I cannot find any such statement in the
> > policy modules of refpolicy. At least I wouldn't expect such a behavior
> > from modules of refpolicy. I guess we can remove those three lines.
> > 
> > If you are fine with the merge of both policies then we can commit it
> > (after the port change of course).
> 
> My policy is to not have permissive domains in upstream refpolicy.  If
> the modules need more work the patch is dropped.  Otherwise the
> permissive is dropped.

Yes, this is what I thought. Since I have used the NUT policy for about a year
and it has some intersection with Miroslav's policy (he uses NUT with a
UPS attached via USB and mine via SNMP), I would say it is stable enough.


* [refpolicy] services_nut.patch
  2009-11-23 16:04             ` Stefan Schulze Frielinghaus
@ 2009-11-23 16:09               ` Stefan Schulze Frielinghaus
  2009-11-23 17:17                 ` Miroslav Grepl
  0 siblings, 1 reply; 23+ messages in thread
From: Stefan Schulze Frielinghaus @ 2009-11-23 16:09 UTC (permalink / raw)
  To: refpolicy

On Mon, 2009-11-23 at 17:04 +0100, Stefan Schulze Frielinghaus wrote:
> On Mon, 2009-11-23 at 10:19 -0500, Christopher J. PeBenito wrote:
> > On Mon, 2009-11-23 at 15:36 +0100, Stefan Schulze Frielinghaus wrote:
> > > On Mon, 2009-11-23 at 14:05 +0100, Miroslav Grepl wrote:
> > > [...]
> > > > > Another question, what is the intention of the following
> > > > >
> > > > > permissive upsd_t;
> > > > > permissive upsdrvctl_t;
> > > > > permissive upsmon_t;
> > > > >
> > > > > Does that make the domain permissive by default?
> > > > Yes, it does. We add new domains to permissive so we can fix all the AVCs without blocking the functionality of apps.
> > > 
> > > But not for refpolicy, right? I cannot find any such statement in the
> > > policy modules of refpolicy. At least I wouldn't expect such a behavior
> > > from modules of refpolicy. I guess we can remove those three lines.
> > > 
> > > If you are fine with the merge of both policies then we can commit it
> > > (after the port change of course).
> > 
> > My policy is to not have permissive domains in upstream refpolicy.  If
> > the modules need more work the patch is dropped.  Otherwise the
> > permissive is dropped.
> 
> Yes, this is what I thought. Since I use the NUT policy for about a year
> and it has some intersection with Miroslav's policy (he uses NUT with a
> UPS attached via USB and mine via SNMP), I would say it is stable enough.

Just to make it precise. In general it is stable but I will wait for an
OK from Miroslav, then I'm going to rearrange some allow rules according
to the style-guidelines and will submit the patch again.


* [refpolicy] services_nut.patch
  2009-11-23 16:09               ` Stefan Schulze Frielinghaus
@ 2009-11-23 17:17                 ` Miroslav Grepl
  2009-12-18 13:53                   ` Christopher J. PeBenito
  0 siblings, 1 reply; 23+ messages in thread
From: Miroslav Grepl @ 2009-11-23 17:17 UTC (permalink / raw)
  To: refpolicy

On 11/23/2009 05:09 PM, Stefan Schulze Frielinghaus wrote:
> On Mon, 2009-11-23 at 17:04 +0100, Stefan Schulze Frielinghaus wrote:
>    
>> On Mon, 2009-11-23 at 10:19 -0500, Christopher J. PeBenito wrote:
>>      
>>> On Mon, 2009-11-23 at 15:36 +0100, Stefan Schulze Frielinghaus wrote:
>>>        
>>>> On Mon, 2009-11-23 at 14:05 +0100, Miroslav Grepl wrote:
>>>> [...]
>>>>          
>>>>>> Another question, what is the intention of the following
>>>>>>
>>>>>> permissive upsd_t;
>>>>>> permissive upsdrvctl_t;
>>>>>> permissive upsmon_t;
>>>>>>
>>>>>> Does that make the domain permissive by default?
>>>>>>              
>>>>> Yes, it does. We add new domains to permissive so we can fix all the AVCs without blocking the functionality of apps.
>>>>>            
>>>> But not for refpolicy, right?
Yes, I meant in Fedora.

>>>> I cannot find any such statement in the
>>>> policy modules of refpolicy. At least I wouldn't expect such a behavior
>>>> from modules of refpolicy. I guess we can remove those three lines.
>>>>
>>>> If you are fine with the merge of both policies then we can commit it
>>>> (after the port change of course).
>>>>          
>>> My policy is to not have permissive domains in upstream refpolicy.  If
>>> the modules need more work the patch is dropped.  Otherwise the
>>> permissive is dropped.
>>>        
>> Yes, this is what I thought. Since I use the NUT policy for about a year
>> and it has some intersection with Miroslav's policy (he uses NUT with a
>> UPS attached via USB and mine via SNMP), I would say it is stable enough.
>>      
> Just to make it precise. In general it is stable but I will wait for an
> OK from Miroslav,
I will check it and let you know.

> then I'm going to rearrange some allow rules according
> to the style-guidelines and will submit the patch again.
>
>    


* [refpolicy] services_nut.patch
  2009-11-23 17:17                 ` Miroslav Grepl
@ 2009-12-18 13:53                   ` Christopher J. PeBenito
  2009-12-21 10:14                     ` Stefan Schulze Frielinghaus
  0 siblings, 1 reply; 23+ messages in thread
From: Christopher J. PeBenito @ 2009-12-18 13:53 UTC (permalink / raw)
  To: refpolicy

On Mon, 2009-11-23 at 18:17 +0100, Miroslav Grepl wrote:
> On 11/23/2009 05:09 PM, Stefan Schulze Frielinghaus wrote:
> > On Mon, 2009-11-23 at 17:04 +0100, Stefan Schulze Frielinghaus wrote:
> >> On Mon, 2009-11-23 at 10:19 -0500, Christopher J. PeBenito wrote:
> >>> On Mon, 2009-11-23 at 15:36 +0100, Stefan Schulze Frielinghaus wrote:
> >>>> On Mon, 2009-11-23 at 14:05 +0100, Miroslav Grepl wrote:
> >>>> [...]
> >>>>          
> >>>>>> Another question, what is the intention of the following
> >>>>>>
> >>>>>> permissive upsd_t;
> >>>>>> permissive upsdrvctl_t;
> >>>>>> permissive upsmon_t;
> >>>>>>
> >>>>>> Does that make the domain permissive by default?
> >>>>>>              
> >>>>> Yes, it does. We add new domains to permissive so we can fix all the AVCs without blocking the functionality of apps.
> >>>>>            
> >>>> But not for refpolicy, right?
> Yes, I meant in Fedora.
> 
> >>>> I cannot find any such statement in the
> >>>> policy modules of refpolicy. At least I wouldn't expect such a behavior
> >>>> from modules of refpolicy. I guess we can remove those three lines.
> >>>>
> >>>> If you are fine with the merge of both policies then we can commit it
> >>>> (after the port change of course).
> >>>>          
> >>> My policy is to not have permissive domains in upstream refpolicy.  If
> >>> the modules need more work the patch is dropped.  Otherwise the
> >>> permissive is dropped.
> >>>        
> >> Yes, this is what I thought. Since I use the NUT policy for about a year
> >> and it has some intersection with Miroslav's policy (he uses NUT with a
> >> UPS attached via USB and mine via SNMP), I would say it is stable enough.
> >>      
> > Just to make it precise. In general it is stable but I will wait for an
> > OK from Miroslav,
> I will check it and let you know.

Was there any resolution on this?

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


* [refpolicy] services_nut.patch
  2009-12-18 13:53                   ` Christopher J. PeBenito
@ 2009-12-21 10:14                     ` Stefan Schulze Frielinghaus
  2009-12-25 12:55                       ` Stefan Schulze Frielinghaus
  0 siblings, 1 reply; 23+ messages in thread
From: Stefan Schulze Frielinghaus @ 2009-12-21 10:14 UTC (permalink / raw)
  To: refpolicy

On Fri, 2009-12-18 at 08:53 -0500, Christopher J. PeBenito wrote:
[...]
> Was there any resolution on this?

Yes, but I had no physical access to my UPS for the last two weeks. At
the end of this week I will have physical access again and then I will
check that the policy is really working fine. So I expect a
tested/working policy in one to two weeks.


* [refpolicy] services_nut.patch
  2009-12-21 10:14                     ` Stefan Schulze Frielinghaus
@ 2009-12-25 12:55                       ` Stefan Schulze Frielinghaus
  2010-01-29 16:20                         ` Miroslav Grepl
  2010-02-09 13:47                         ` Christopher J. PeBenito
  0 siblings, 2 replies; 23+ messages in thread
From: Stefan Schulze Frielinghaus @ 2009-12-25 12:55 UTC (permalink / raw)
  To: refpolicy

On Mon, 2009-12-21 at 11:14 +0100, Stefan Schulze Frielinghaus wrote:
> On Fri, 2009-12-18 at 08:53 -0500, Christopher J. PeBenito wrote:
> [...]
> > Was there any resolution on this?
> 
> Yes, but I had no physical access to my UPS for the last two weeks. At
> the end of this week I will have physical access again and then I will
> check that the policy is really working fine. So I expect a
> tested/working policy in one to two weeks.

I take the discussion back on list. Miroslav, from the latest policy I
did not change anything except I removed the duplicate policies for the
cgi scripts and uncommented the *_ups_port() stuff.

I'm fine with the attached policy (tested several times including a
shutdown and cgi services). Is the policy OK for you too?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: corenetwork.te.in.patch
Type: text/x-patch
Size: 745 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20091225/276f25a8/attachment.bin 
-------------- next part --------------
/etc/ups(/.*)?          gen_context(system_u:object_r:nut_conf_t,s0)

/sbin/upsdrvctl     --  gen_context(system_u:object_r:nut_upsdrvctl_exec_t,s0)

/usr/sbin/upsd      --  gen_context(system_u:object_r:nut_upsd_exec_t,s0)
/usr/sbin/upsmon    --  gen_context(system_u:object_r:nut_upsmon_exec_t,s0)

/var/run/nut(/.*)?                  gen_context(system_u:object_r:nut_var_run_t,s0)

/var/www/nut-cgi-bin/upsimage\.cgi  --  gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
/var/www/nut-cgi-bin/upsset\.cgi    --  gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
/var/www/nut-cgi-bin/upsstats\.cgi  --  gen_context(system_u:object_r:httpd_nutups_cgi_script_exec_t,s0)
-------------- next part --------------
## <summary>SELinux policy for nut - Network UPS Tools </summary>
-------------- next part --------------

policy_module(nut, 1.0.0)

########################################
#
# Declarations
#

type nut_upsd_t;
type nut_upsd_exec_t;
init_daemon_domain(nut_upsd_t, nut_upsd_exec_t)

type nut_upsmon_t;
type nut_upsmon_exec_t;
init_daemon_domain(nut_upsmon_t, nut_upsmon_exec_t)

type nut_upsdrvctl_t;
type nut_upsdrvctl_exec_t;
init_daemon_domain(nut_upsdrvctl_t, nut_upsdrvctl_exec_t)

# conf files
type nut_conf_t;
files_config_file(nut_conf_t)

# pid files
type nut_var_run_t;
files_pid_file(nut_var_run_t)

########################################
#
# Local policy for upsd
#

allow nut_upsd_t self:capability { setgid setuid };

allow nut_upsd_t self:unix_dgram_socket { create_socket_perms sendto };
allow nut_upsd_t self:tcp_socket connected_stream_socket_perms;

allow nut_upsd_t nut_upsdrvctl_t:unix_stream_socket connectto;

read_files_pattern(nut_upsd_t, nut_conf_t, nut_conf_t)

# pid file
manage_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
manage_dirs_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
manage_sock_files_pattern(nut_upsd_t, nut_var_run_t, nut_var_run_t)
files_pid_filetrans(nut_upsd_t, nut_var_run_t, { file sock_file })

corenet_tcp_bind_ups_port(nut_upsd_t)
corenet_tcp_bind_generic_port(nut_upsd_t)
corenet_tcp_bind_all_nodes(nut_upsd_t)

kernel_read_kernel_sysctls(nut_upsd_t)

# /etc/nsswitch.conf
auth_use_nsswitch(nut_upsd_t)

files_read_usr_files(nut_upsd_t)

logging_send_syslog_msg(nut_upsd_t)

miscfiles_read_localization(nut_upsd_t)

########################################
#
# Local policy for upsmon
#

allow nut_upsmon_t self:capability { dac_override dac_read_search setgid setuid };

allow nut_upsmon_t self:fifo_file rw_fifo_file_perms;
allow nut_upsmon_t self:unix_dgram_socket { create_socket_perms sendto };
allow nut_upsmon_t self:tcp_socket create_socket_perms;

read_files_pattern(nut_upsmon_t, nut_conf_t, nut_conf_t)

# pid file
manage_files_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t)
manage_dirs_pattern(nut_upsmon_t, nut_var_run_t, nut_var_run_t)
files_pid_filetrans(nut_upsmon_t, nut_var_run_t, { file })

corenet_tcp_connect_ups_port(nut_upsmon_t)
corenet_tcp_connect_generic_port(nut_upsmon_t)

corecmd_exec_bin(nut_upsmon_t)
corecmd_exec_shell(nut_upsmon_t)

kernel_read_kernel_sysctls(nut_upsmon_t)
kernel_read_system_state(nut_upsmon_t)

# Creates /etc/killpower
files_manage_etc_runtime_files(nut_upsmon_t)
files_etc_filetrans_etc_runtime(nut_upsmon_t, file)

auth_use_nsswitch(nut_upsmon_t)

files_search_usr(nut_upsmon_t)

logging_send_syslog_msg(nut_upsmon_t)

miscfiles_read_localization(nut_upsmon_t)

# /usr/bin/wall
term_write_all_terms(nut_upsmon_t)

# upsmon runs shutdown, probably need a shutdown domain
init_rw_utmp(nut_upsmon_t)
init_telinit(nut_upsmon_t)

########################################
#
# Local policy for upsdrvctl
#

allow nut_upsdrvctl_t self:capability { dac_override kill setgid setuid };
allow nut_upsdrvctl_t self:process { sigchld signal signull };
allow nut_upsdrvctl_t self:fd use;

allow nut_upsdrvctl_t self:fifo_file rw_fifo_file_perms;
allow nut_upsdrvctl_t self:unix_dgram_socket { create_socket_perms sendto };
allow nut_upsdrvctl_t self:udp_socket create_socket_perms;

read_files_pattern(nut_upsdrvctl_t, nut_conf_t, nut_conf_t)

# pid file
manage_files_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t)
manage_dirs_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t)
manage_sock_files_pattern(nut_upsdrvctl_t, nut_var_run_t, nut_var_run_t)
files_pid_filetrans(nut_upsdrvctl_t, nut_var_run_t, { file sock_file })

# /sbin/upsdrvctl executes other drivers
corecmd_exec_bin(nut_upsdrvctl_t)
corecmd_exec_sbin(nut_upsdrvctl_t)

kernel_read_kernel_sysctls(nut_upsdrvctl_t)

# /etc/nsswitch.conf
auth_use_nsswitch(nut_upsdrvctl_t)

dev_read_urand(nut_upsdrvctl_t)
dev_rw_generic_usb_dev(nut_upsdrvctl_t)

term_use_unallocated_ttys(nut_upsdrvctl_t)

logging_send_syslog_msg(nut_upsdrvctl_t)

miscfiles_read_localization(nut_upsdrvctl_t)

init_sigchld(nut_upsdrvctl_t)

#######################################
#
# Local policy for upscgi scripts
# requires httpd_enable_cgi and httpd_can_network_connect
#

optional_policy(`
    apache_content_template(nutups_cgi)

    read_files_pattern(httpd_nutups_cgi_script_t, nut_conf_t, nut_conf_t)

    corenet_tcp_connect_ups_port(httpd_nutups_cgi_script_t)
')

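Every domain the attached module declares carries the nut_ prefix, so a rule naming a bare upsmon_t where the module declares nut_upsmon_t refers to a type that does not exist and the module fails to build. A small lint over the .te source catches that before compilation. The checker below is an added example, not code from refpolicy or from the NUT policy in this thread; it assumes that apache_content_template(NAME) generates types prefixed httpd_NAME_ and that every other type the module uses is declared with a type statement in the same file (any other type-generating template would need the same treatment):

```python
"""Lint a refpolicy .te module for type names that are used but never declared.

Added example, not part of the refpolicy tree or the NUT policy. Assumption:
types produced by apache_content_template(NAME) all start with httpd_NAME_.
"""
import re
from typing import List, Optional, Set, Tuple

# Constructed excerpt modelled on the nut.te attachment in this thread; the
# real module is longer, only the rules that matter for the check are kept.
SAMPLE_TE = """\
policy_module(nut, 1.0.0)

type nut_upsd_t;
type nut_upsd_exec_t;
init_daemon_domain(nut_upsd_t, nut_upsd_exec_t)

type nut_upsmon_t;
type nut_upsmon_exec_t;
init_daemon_domain(nut_upsmon_t, nut_upsmon_exec_t)

type nut_conf_t;
files_config_file(nut_conf_t)

allow nut_upsd_t self:capability { setgid setuid };
read_files_pattern(nut_upsd_t, nut_conf_t, nut_conf_t)

# the slip under test: the module prefix is missing on the domain name
corenet_tcp_connect_ups_port(upsmon_t)
corenet_tcp_connect_generic_port(nut_upsmon_t)

optional_policy(`
    apache_content_template(nutups_cgi)
    read_files_pattern(httpd_nutups_cgi_script_t, nut_conf_t, nut_conf_t)
')
"""

TYPE_DECL = re.compile(r"^\s*type\s+([A-Za-z_]\w*)\s*(?:alias|,|;)", re.M)
TEMPLATE_CALL = re.compile(r"^\s*apache_content_template\((\w+)\)", re.M)
TYPE_USE = re.compile(r"\b([A-Za-z_]\w*_t)\b")   # refpolicy types end in _t


def strip_comments(text: str) -> str:
    # keep the line count intact so reported line numbers match the file
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def module_name(text: str) -> Optional[str]:
    m = re.search(r"policy_module\((\w+)\s*,", text)
    return m.group(1) if m else None


def declared_types(text: str) -> Tuple[Set[str], Set[str]]:
    """Explicit type declarations plus prefixes of template-generated types."""
    declared = set(TYPE_DECL.findall(text))
    prefixes = {f"httpd_{name}_" for name in TEMPLATE_CALL.findall(text)}
    return declared, prefixes


def undeclared_types(te_source: str) -> List[Tuple[int, str, Optional[str]]]:
    """Return (line, name, suggested_fix) for each _t identifier that is neither
    declared in the module nor produced by a known template. The suggestion is
    the same name with the module prefix, when that one is declared."""
    text = strip_comments(te_source)
    declared, prefixes = declared_types(text)
    mod = module_name(text)
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if TYPE_DECL.match(line):
            continue
        for name in TYPE_USE.findall(line):
            if name in declared or any(name.startswith(p) for p in prefixes):
                continue
            fix = f"{mod}_{name}" if mod and f"{mod}_{name}" in declared else None
            findings.append((lineno, name, fix))
    return findings


if __name__ == "__main__":
    for lineno, name, fix in undeclared_types(SAMPLE_TE):
        hint = f" (did you mean {fix}?)" if fix else ""
        print(f"line {lineno}: undeclared type {name}{hint}")
```

Run against a real module with `undeclared_types(open("nut.te").read())`; the suggestion column only fires when the prefixed name is actually declared, so a genuinely foreign type shows up with no hint and has to be checked against the interfaces it comes from.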

* [refpolicy] services_nut.patch
  2009-12-25 12:55                       ` Stefan Schulze Frielinghaus
@ 2010-01-29 16:20                         ` Miroslav Grepl
  2010-02-09 13:47                         ` Christopher J. PeBenito
  1 sibling, 0 replies; 23+ messages in thread
From: Miroslav Grepl @ 2010-01-29 16:20 UTC (permalink / raw)
  To: refpolicy

On 12/25/2009 01:55 PM, Stefan Schulze Frielinghaus wrote:
> On Mon, 2009-12-21 at 11:14 +0100, Stefan Schulze Frielinghaus wrote:
>    
>> On Fri, 2009-12-18 at 08:53 -0500, Christopher J. PeBenito wrote:
>> [...]
>>      
>>> Was there any resolution on this?
>>>        
>> Yes, but I had no physical access to my UPS for the last two weeks. At
>> the end of this week I will have physical access again and then I will
>> check that the policy is really working fine. So I expect a
>> tested/working policy in one to two weeks.
>>      
> I take the discussion back on list. Miroslav, from the latest policy I
> did not change anything except I removed the duplicate policies for the
> cgi scripts and uncommented the *_ups_port() stuff.
>
> I'm fine with the attached policy (tested several times including a
> shutdown and cgi services). Is the policy OK for you too?
>    
I apologize, but I missed this last post from Stefan. Actually we use 
this policy in Fedora so I believe the policy is ready.

The following link includes the nut policy that we have in Fedora.

http://mgrepl.fedorapeople.org/SELinux/F12/services_nut.patch

Regards,
Miroslav


* [refpolicy] services_nut.patch
  2009-12-25 12:55                       ` Stefan Schulze Frielinghaus
  2010-01-29 16:20                         ` Miroslav Grepl
@ 2010-02-09 13:47                         ` Christopher J. PeBenito
  1 sibling, 0 replies; 23+ messages in thread
From: Christopher J. PeBenito @ 2010-02-09 13:47 UTC (permalink / raw)
  To: refpolicy

On Fri, 2009-12-25 at 13:55 +0100, Stefan Schulze Frielinghaus wrote:
> On Mon, 2009-12-21 at 11:14 +0100, Stefan Schulze Frielinghaus wrote:
> > On Fri, 2009-12-18 at 08:53 -0500, Christopher J. PeBenito wrote:
> > [...]
> > > Was there any resolution on this?
> > 
> > Yes, but I had no physical access to my UPS for the last two weeks. At
> > the end of this week I will have physical access again and then I will
> > check that the policy is really working fine. So I expect a
> > tested/working policy in one to two weeks.
> 
> I take the discussion back on list. Miroslav, from the latest policy I
> did not change anything except I removed the duplicate policies for the
> cgi scripts and uncommented the *_ups_port() stuff.
> 
> I'm fine with the attached policy (tested several times including a
> shutdown and cgi services). Is the policy OK for you too?

Merged.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


* [refpolicy] services_nut.patch
  2010-08-26 22:02 Daniel J Walsh
@ 2010-09-15 13:16 ` Christopher J. PeBenito
  0 siblings, 0 replies; 23+ messages in thread
From: Christopher J. PeBenito @ 2010-09-15 13:16 UTC (permalink / raw)
  To: refpolicy

On 08/26/10 18:02, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F14/services_nut.patch
>
> handle tmpfs /var/run
>
> Executes shutdown
>
> uses unix_stream sockets.

Merged.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


* [refpolicy] services_nut.patch
@ 2010-08-26 22:02 Daniel J Walsh
  2010-09-15 13:16 ` Christopher J. PeBenito
  0 siblings, 1 reply; 23+ messages in thread
From: Daniel J Walsh @ 2010-08-26 22:02 UTC (permalink / raw)
  To: refpolicy

http://people.fedoraproject.org/~dwalsh/SELinux/F14/services_nut.patch

handle tmpfs /var/run

Executes shutdown

uses unix_stream sockets.


* [refpolicy] services_nut.patch
  2010-02-26 13:39       ` Daniel J Walsh
@ 2010-02-26 14:23         ` Stefan Schulze Frielinghaus
  0 siblings, 0 replies; 23+ messages in thread
From: Stefan Schulze Frielinghaus @ 2010-02-26 14:23 UTC (permalink / raw)
  To: refpolicy

On Fr, 2010-02-26 at 08:39 -0500, Daniel J Walsh wrote:
> On 02/26/2010 04:00 AM, Stefan Schulze Frielinghaus wrote:
> > On Mi, 2010-02-24 at 12:14 -0500, Daniel J Walsh wrote:
> >    
> >> On 02/24/2010 10:53 AM, Stefan Schulze Frielinghaus wrote:
> >>      
> >>> On Di, 2010-02-23 at 15:28 -0500, Daniel J Walsh wrote:
> >>>
> >>>        
> >>>> http://people.fedoraproject.org/~dwalsh/SELinux/F13/services_nut.patch
> >>>>
> >>>> Latest nut policy.
> >>>>
> >>>>          
> >>> The following rules are unnecessary because they are already included by
> >>> the interface apache_content_template as soon as the booleans
> >>> httpd_enable_cgi and httpd_can_network_connect are enabled:
> >>>
> >>> +	corenet_all_recvfrom_unlabeled(httpd_nutups_cgi_script_t)
> >>> +	corenet_all_recvfrom_netlabel(httpd_nutups_cgi_script_t)
> >>> +	corenet_tcp_sendrecv_generic_if(httpd_nutups_cgi_script_t)
> >>> +	corenet_tcp_sendrecv_generic_node(httpd_nutups_cgi_script_t)
> >>> +	corenet_tcp_sendrecv_all_ports(httpd_nutups_cgi_script_t)
> >>>    	corenet_tcp_connect_ups_port(httpd_nutups_cgi_script_t)
> >>> +	corenet_udp_sendrecv_generic_if(httpd_nutups_cgi_script_t)
> >>> +	corenet_udp_sendrecv_generic_node(httpd_nutups_cgi_script_t)
> >>> +	corenet_udp_sendrecv_all_ports(httpd_nutups_cgi_script_t)
> >>> +
> >>> +	sysnet_dns_name_resolve(httpd_nutups_cgi_script_t)
> >>>
> >>>
> >>>        
> >> Ok this is a difference between apache interface in upstream and mine.
> >> I removed network access
> >> set by those booleans from the interface to httpd_sys_script_t
> >> specific.  I don't believe those interfaces should be affected by
> >> booleans.  I don't want my bugzilla cgi to suddenly have network access
> >> just because httpd_sys_script_t needs it.
> >>      
> > Yeah, I like this idea.
> >
> >    
> >>> Is it really necessary to include the dac_override permissions for
> >>> nut_upsd_t? I thought that the upsd daemon runs as a non root user where
> >>> no dac_override permissions are used.
> >>>
> >>> -allow nut_upsd_t self:capability { setgid setuid };
> >>> +allow nut_upsd_t self:capability { setgid setuid dac_override };
> >>>
> >>> If you still have the AVC message and maybe some information of the
> >>> setup, then I would like to dig a bit deeper into this because I use nut
> >>> and would like to make it more secure ;-) Maybe the capabilities can
> >>> even be dropped.
> >>>
> >>> Guess the sbin rules are not necessary for refpolicy:
> >>>
> >>> +corecmd_exec_sbin(nut_upsdrvctl_t)
> >>>
> >>>
> >>>        
> >> Oops that is a bug.
> >>
> >> dac_override can come in because a file has bad ownership.
> >>      
> > upsd runs by default as user nut on Fedora and EPEL. It should never
> > run as root.
> >
> >    
> Then why does the policy have setuid/setgid?

OK, I wasn't precise enough. upsd is started as root in the first place
and then it drops its privileges and runs as user nut. This is even
set up by the package maintainer: configure --with-user=%{name}
--with-group=

In the end it shouldn't hurt to allow dac_override because in most cases
the daemon will/should drop its privileges right after startup. You can
circumvent this by adding the option "-u root" for upsd. I was just
wondering why this rule is needed. I guess the daemon was running as
root in your case. I did a quick test with strace:

setgid(475)                             = 0
setuid(57)                              = 0
chdir("/var/run/nut")

/var/run/nut is owned by nut:nut and has mode 750. If the daemon runs as
root then it would need dac_override permissions (before dropping
privileges upsd only binds to two ports [IPv4/v6] and loads of course
some libraries).

To summarize, it shouldn't hurt to allow dac_override because in the
default case the daemon will drop its privileges, which is recommended. I
was just wondering because I haven't seen such a setup before.

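The strace reading above, generalized as an added example that is neither NUT nor refpolicy code: it walks a trace, records the line where the daemon leaves uid 0 (and whether setgid() came first, since once the uid is no longer 0 a later setgid() normally fails with EPERM), and separates the paths touched while still root from those touched afterwards. Only root-time accesses under a directory owned by the unprivileged user can ever exercise dac_override, so an empty list for the default setup and a non-empty one for the "-u root" case reproduces the conclusion of the message. The trace lines are constructed sample data modelled on the three lines quoted above; uid 57, gid 475 and /var/run/nut come from the message, while port 3493 (NUT's registered port) and the library path are assumptions:

```python
"""Audit an strace log for where a daemon drops root and what it touches before/after.

Added example, not NUT or refpolicy code. Syscall lines below are constructed
sample data modelled on the strace excerpt in the message.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed trace of the default setup: upsd loads a library and binds its
# ports as root, then drops to nut:nut and only then works under /var/run/nut.
TRACE_DEFAULT = """\
open("/lib64/libssl.so.10", O_RDONLY)   = 3
close(3)                                = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 3
bind(3, {sa_family=AF_INET, sin_port=htons(3493), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
listen(3, 16)                           = 0
socket(PF_INET6, SOCK_STREAM, IPPROTO_IP) = 4
bind(4, {sa_family=AF_INET6, sin6_port=htons(3493)}, 28) = 0
listen(4, 16)                           = 0
setgid(475)                             = 0
setuid(57)                              = 0
chdir("/var/run/nut")                   = 0
open("/var/run/nut/upsd.pid", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 5
"""

# Constructed trace of "upsd -u root": the daemon never leaves uid 0.
TRACE_ROOT = """\
socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 3
bind(3, {sa_family=AF_INET, sin_port=htons(3493), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
listen(3, 16)                           = 0
chdir("/var/run/nut")                   = 0
open("/var/run/nut/upsd.pid", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 4
"""

SYSCALL = re.compile(r"^(?P<name>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>-?\d+|\?)")
QUOTED = re.compile(r'"([^"]*)"')
PATH_SYSCALLS = {"open", "openat", "chdir", "stat", "lstat", "access", "execve",
                 "unlink", "mkdir", "rename"}
SETUID_CALLS = {"setuid", "setresuid", "setreuid"}
SETGID_CALLS = {"setgid", "setresgid", "setregid"}


@dataclass
class DropReport:
    drop_line: Optional[int] = None      # 1-based trace line of the uid change away from 0
    gid_dropped_first: bool = True       # setgid() preceded setuid(); the reverse order fails
    paths_as_root: List[str] = field(default_factory=list)
    paths_after_drop: List[str] = field(default_factory=list)


def audit_privilege_drop(trace: str) -> DropReport:
    report = DropReport()
    dropped = False
    saw_setgid = False
    for lineno, line in enumerate(trace.splitlines(), 1):
        m = SYSCALL.match(line.strip())
        if not m:
            continue
        name, args, ret = m.group("name", "args", "ret")
        if name in SETGID_CALLS and ret == "0":
            saw_setgid = True
        elif name in SETUID_CALLS and ret == "0":
            # the first argument is the new (real) uid; 0 means still root
            if args.split(",")[0].strip() != "0" and not dropped:
                dropped = True
                report.drop_line = lineno
                report.gid_dropped_first = saw_setgid
        elif name in PATH_SYSCALLS:
            pm = QUOTED.search(args)
            if pm:
                bucket = report.paths_after_drop if dropped else report.paths_as_root
                bucket.append(pm.group(1))
    return report


def root_accesses_under(report: DropReport,
                        restricted_prefixes=("/var/run/nut",)) -> List[str]:
    """Paths touched while still uid 0 that live under directories owned by the
    unprivileged user (nut:nut, mode 750 in the message). Without a DAC-bypass
    capability such as dac_override these are exactly the accesses root would
    be denied; an empty list means the capability is never exercised."""
    return [p for p in report.paths_as_root
            if any(p == pre or p.startswith(pre + "/") for pre in restricted_prefixes)]


if __name__ == "__main__":
    for label, trace in (("default", TRACE_DEFAULT), ("-u root", TRACE_ROOT)):
        rep = audit_privilege_drop(trace)
        print(label, "drop at line", rep.drop_line, "setgid first:", rep.gid_dropped_first)
        print("  root-time accesses needing DAC bypass:", root_accesses_under(rep))
```

Feed it a real `strace -f -o` log of the daemon start and pass the directories the unprivileged user owns as restricted_prefixes; a non-empty result for the default configuration is the signal that the capability is really being used and the AVC is worth chasing, rather than allowing dac_override because it showed up once.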

* [refpolicy] services_nut.patch
  2010-02-26  9:00     ` Stefan Schulze Frielinghaus
@ 2010-02-26 13:39       ` Daniel J Walsh
  2010-02-26 14:23         ` Stefan Schulze Frielinghaus
  0 siblings, 1 reply; 23+ messages in thread
From: Daniel J Walsh @ 2010-02-26 13:39 UTC (permalink / raw)
  To: refpolicy

On 02/26/2010 04:00 AM, Stefan Schulze Frielinghaus wrote:
> On Mi, 2010-02-24 at 12:14 -0500, Daniel J Walsh wrote:
>    
>> On 02/24/2010 10:53 AM, Stefan Schulze Frielinghaus wrote:
>>      
>>> On Di, 2010-02-23 at 15:28 -0500, Daniel J Walsh wrote:
>>>
>>>        
>>>> http://people.fedoraproject.org/~dwalsh/SELinux/F13/services_nut.patch
>>>>
>>>> Latest nut policy.
>>>>
>>>>          
>>> The following rules are unnecessary because they are already included by
>>> the interface apache_content_template as soon as the booleans
>>> httpd_enable_cgi and httpd_can_network_connect are enabled:
>>>
>>> +	corenet_all_recvfrom_unlabeled(httpd_nutups_cgi_script_t)
>>> +	corenet_all_recvfrom_netlabel(httpd_nutups_cgi_script_t)
>>> +	corenet_tcp_sendrecv_generic_if(httpd_nutups_cgi_script_t)
>>> +	corenet_tcp_sendrecv_generic_node(httpd_nutups_cgi_script_t)
>>> +	corenet_tcp_sendrecv_all_ports(httpd_nutups_cgi_script_t)
>>>    	corenet_tcp_connect_ups_port(httpd_nutups_cgi_script_t)
>>> +	corenet_udp_sendrecv_generic_if(httpd_nutups_cgi_script_t)
>>> +	corenet_udp_sendrecv_generic_node(httpd_nutups_cgi_script_t)
>>> +	corenet_udp_sendrecv_all_ports(httpd_nutups_cgi_script_t)
>>> +
>>> +	sysnet_dns_name_resolve(httpd_nutups_cgi_script_t)
>>>
>>>
>>>        
>> Ok this is a difference between apache interface in upstream and mine.
>> I removed network access
>> set by those booleans from the interface to httpd_sys_script_t
>> specific.  I don't believe those interfaces should be affected by
>> booleans.  I don't want my bugzilla cgi to suddenly have network access
>> just because httpd_sys_script_t needs it.
>>      
> Yeah, I like this idea.
>
>    
>>> Is it really necessary to include the dac_override permissions for
>>> nut_upsd_t? I thought that the upsd daemon runs as a non root user where
>>> no dac_override permissions are used.
>>>
>>> -allow nut_upsd_t self:capability { setgid setuid };
>>> +allow nut_upsd_t self:capability { setgid setuid dac_override };
>>>
>>> If you still have the AVC message and maybe some information of the
>>> setup, then I would like to dig a bit deeper into this because I use nut
>>> and would like to make it more secure ;-) Maybe the capabilities can
>>> even be dropped.
>>>
>>> Guess the sbin rules are not necessary for refpolicy:
>>>
>>> +corecmd_exec_sbin(nut_upsdrvctl_t)
>>>
>>>
>>>        
>> Oops that is a bug.
>>
>> dac_override can come in because a file has bad ownership.
>>      
> upsd runs by default as user nut on Fedora and EPEL. It should never
> run as root.
>
>    
Then why does the policy have setuid/setgid?


* [refpolicy] services_nut.patch
  2010-02-24 17:14   ` Daniel J Walsh
@ 2010-02-26  9:00     ` Stefan Schulze Frielinghaus
  2010-02-26 13:39       ` Daniel J Walsh
  0 siblings, 1 reply; 23+ messages in thread
From: Stefan Schulze Frielinghaus @ 2010-02-26  9:00 UTC (permalink / raw)
  To: refpolicy

On Mi, 2010-02-24 at 12:14 -0500, Daniel J Walsh wrote:
> On 02/24/2010 10:53 AM, Stefan Schulze Frielinghaus wrote:
> > On Di, 2010-02-23 at 15:28 -0500, Daniel J Walsh wrote:
> >    
> >> http://people.fedoraproject.org/~dwalsh/SELinux/F13/services_nut.patch
> >>
> >> Latest nut policy.
> >>      
> > The following rules are unnecessary because they are already included by
> > the interface apache_content_template as soon as the booleans
> > httpd_enable_cgi and httpd_can_network_connect are enabled:
> >
> > +	corenet_all_recvfrom_unlabeled(httpd_nutups_cgi_script_t)
> > +	corenet_all_recvfrom_netlabel(httpd_nutups_cgi_script_t)
> > +	corenet_tcp_sendrecv_generic_if(httpd_nutups_cgi_script_t)
> > +	corenet_tcp_sendrecv_generic_node(httpd_nutups_cgi_script_t)
> > +	corenet_tcp_sendrecv_all_ports(httpd_nutups_cgi_script_t)
> >   	corenet_tcp_connect_ups_port(httpd_nutups_cgi_script_t)
> > +	corenet_udp_sendrecv_generic_if(httpd_nutups_cgi_script_t)
> > +	corenet_udp_sendrecv_generic_node(httpd_nutups_cgi_script_t)
> > +	corenet_udp_sendrecv_all_ports(httpd_nutups_cgi_script_t)
> > +
> > +	sysnet_dns_name_resolve(httpd_nutups_cgi_script_t)
> >
> >    
> Ok this is a difference between apache interface in upstream and mine.  
> I removed network access
> set by those booleans from the interface to httpd_sys_script_t 
> specific.  I don't believe those interfaces should be affected by 
> booleans.  I don't want my bugzilla cgi to suddenly have network access 
> just because httpd_sys_script_t needs it.

Yeah, I like this idea.

> > Is it really necessary to include the dac_override permissions for
> > nut_upsd_t? I thought that the upsd daemon runs as a non root user where
> > no dac_override permissions are used.
> >
> > -allow nut_upsd_t self:capability { setgid setuid };
> > +allow nut_upsd_t self:capability { setgid setuid dac_override };
> >
> > If you still have the AVC message and maybe some information of the
> > setup, then I would like to dig a bit deeper into this because I use nut
> > and would like to make it more secure ;-) Maybe the capabilities can
> > even be dropped.
> >
> > Guess the sbin rules are not necessary for refpolicy:
> >
> > +corecmd_exec_sbin(nut_upsdrvctl_t)
> >
> >    
> Oops that is a bug.
> 
> dac_override can come in because a file has bad ownership.

upsd runs by default as user nut on Fedora and EPEL. It should never
run as root.


* [refpolicy] services_nut.patch
  2010-02-24 15:53 ` Stefan Schulze Frielinghaus
@ 2010-02-24 17:14   ` Daniel J Walsh
  2010-02-26  9:00     ` Stefan Schulze Frielinghaus
  0 siblings, 1 reply; 23+ messages in thread
From: Daniel J Walsh @ 2010-02-24 17:14 UTC (permalink / raw)
  To: refpolicy

On 02/24/2010 10:53 AM, Stefan Schulze Frielinghaus wrote:
> On Di, 2010-02-23 at 15:28 -0500, Daniel J Walsh wrote:
>    
>> http://people.fedoraproject.org/~dwalsh/SELinux/F13/services_nut.patch
>>
>> Latest nut policy.
>>      
> The following rules are unnecessary because they are already included by
> the interface apache_content_template as soon as the booleans
> httpd_enable_cgi and httpd_can_network_connect are enabled:
>
> +	corenet_all_recvfrom_unlabeled(httpd_nutups_cgi_script_t)
> +	corenet_all_recvfrom_netlabel(httpd_nutups_cgi_script_t)
> +	corenet_tcp_sendrecv_generic_if(httpd_nutups_cgi_script_t)
> +	corenet_tcp_sendrecv_generic_node(httpd_nutups_cgi_script_t)
> +	corenet_tcp_sendrecv_all_ports(httpd_nutups_cgi_script_t)
>   	corenet_tcp_connect_ups_port(httpd_nutups_cgi_script_t)
> +	corenet_udp_sendrecv_generic_if(httpd_nutups_cgi_script_t)
> +	corenet_udp_sendrecv_generic_node(httpd_nutups_cgi_script_t)
> +	corenet_udp_sendrecv_all_ports(httpd_nutups_cgi_script_t)
> +
> +	sysnet_dns_name_resolve(httpd_nutups_cgi_script_t)
>
>    
Ok this is a difference between apache interface in upstream and mine.  
I removed network access
set by those booleans from the interface to httpd_sys_script_t 
specific.  I don't believe those interfaces should be affected by 
booleans.  I don't want my bugzilla cgi to suddenly have network access 
just because httpd_sys_script_t needs it.
> Is it really necessary to include the dac_override permissions for
> nut_upsd_t? I thought that the upsd daemon runs as a non root user where
> no dac_override permissions are used.
>
> -allow nut_upsd_t self:capability { setgid setuid };
> +allow nut_upsd_t self:capability { setgid setuid dac_override };
>
> If you still have the AVC message and maybe some information of the
> setup, then I would like to dig a bit deeper into this because I use nut
> and would like to make it more secure ;-) Maybe the capabilities can
> even be dropped.
>
> Guess the sbin rules are not necessary for refpolicy:
>
> +corecmd_exec_sbin(nut_upsdrvctl_t)
>
>    
Oops that is a bug.

dac_override can come in because a file has bad ownership.


* [refpolicy] services_nut.patch
  2010-02-23 20:28 Daniel J Walsh
@ 2010-02-24 15:53 ` Stefan Schulze Frielinghaus
  2010-02-24 17:14   ` Daniel J Walsh
  0 siblings, 1 reply; 23+ messages in thread
From: Stefan Schulze Frielinghaus @ 2010-02-24 15:53 UTC (permalink / raw)
  To: refpolicy

On Di, 2010-02-23 at 15:28 -0500, Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F13/services_nut.patch
> 
> Latest nut policy.

The following rules are unnecessary because they are already included by
the interface apache_content_template as soon as the booleans
httpd_enable_cgi and httpd_can_network_connect are enabled:

+	corenet_all_recvfrom_unlabeled(httpd_nutups_cgi_script_t)
+	corenet_all_recvfrom_netlabel(httpd_nutups_cgi_script_t)
+	corenet_tcp_sendrecv_generic_if(httpd_nutups_cgi_script_t)
+	corenet_tcp_sendrecv_generic_node(httpd_nutups_cgi_script_t)
+	corenet_tcp_sendrecv_all_ports(httpd_nutups_cgi_script_t)
 	corenet_tcp_connect_ups_port(httpd_nutups_cgi_script_t)
+	corenet_udp_sendrecv_generic_if(httpd_nutups_cgi_script_t)
+	corenet_udp_sendrecv_generic_node(httpd_nutups_cgi_script_t)
+	corenet_udp_sendrecv_all_ports(httpd_nutups_cgi_script_t)
+
+	sysnet_dns_name_resolve(httpd_nutups_cgi_script_t)
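Review bot: The added corenet_* and sysnet_dns_name_resolve lines duplicate rules that apache_content_template already grants to httpd_nutups_cgi_script_t under the httpd_enable_cgi and httpd_can_network_connect booleans, and writing them here unconditionally takes away the administrator's ability to switch that network access off. Drop the added lines and keep only the unchanged corenet_tcp_connect_ups_port(httpd_nutups_cgi_script_t), which is the access the CGI actually needs to reach upsd; the corenet_*_sendrecv_all_ports and sysnet_dns_name_resolve rules in particular are far broader than talking to the UPS port.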

Is it really necessary to include the dac_override permissions for
nut_upsd_t? I thought that the upsd daemon runs as a non-root user where
no dac_override permissions are used.

-allow nut_upsd_t self:capability { setgid setuid };
+allow nut_upsd_t self:capability { setgid setuid dac_override };
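Review bot: Granting dac_override to nut_upsd_t lets the daemon ignore discretionary permission bits on every file its type enforcement rules already reach, which is far wider than the single denied access that produced the AVC. Since upsd is described here as running as a non-root user and the denial is attributed later in the thread to bad file ownership, the fix belongs in the file ownership or file contexts of the offending file, with the AVC recorded in the commit message; if the access turns out to be harmless, a dontaudit rule for that specific access is preferable to adding the capability.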

If you still have the AVC message and maybe some information of the
setup, then I would like to dig a bit deeper into this because I use nut
and would like to make it more secure ;-) Maybe the capabilities can
even be dropped.

Guess the sbin rules are not necessary for refpolicy:

+corecmd_exec_sbin(nut_upsdrvctl_t)
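Review bot: corecmd_exec_sbin(nut_upsdrvctl_t) is a Fedora-tree leftover that refpolicy does not need, as the author confirms elsewhere in this thread; remove it. If upsdrvctl genuinely has to execute the driver binaries, grant that explicitly (a dedicated type for the drivers with a domain transition, or at minimum corecmd_exec_bin) rather than a blanket execute right over everything in sbin.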


* [refpolicy] services_nut.patch
@ 2010-02-23 20:28 Daniel J Walsh
  2010-02-24 15:53 ` Stefan Schulze Frielinghaus
  0 siblings, 1 reply; 23+ messages in thread
From: Daniel J Walsh @ 2010-02-23 20:28 UTC (permalink / raw)
  To: refpolicy

http://people.fedoraproject.org/~dwalsh/SELinux/F13/services_nut.patch

Latest nut policy.


Thread overview: 23+ messages
2009-11-12 21:46 [refpolicy] services_nut.patch Daniel J Walsh
2009-11-16 14:31 ` Stefan Schulze Frielinghaus
2009-11-16 18:32   ` Daniel J Walsh
2009-11-22 14:59     ` Stefan Schulze Frielinghaus
2009-11-23 13:05       ` Miroslav Grepl
2009-11-23 14:36         ` Stefan Schulze Frielinghaus
2009-11-23 15:19           ` Christopher J. PeBenito
2009-11-23 16:04             ` Stefan Schulze Frielinghaus
2009-11-23 16:09               ` Stefan Schulze Frielinghaus
2009-11-23 17:17                 ` Miroslav Grepl
2009-12-18 13:53                   ` Christopher J. PeBenito
2009-12-21 10:14                     ` Stefan Schulze Frielinghaus
2009-12-25 12:55                       ` Stefan Schulze Frielinghaus
2010-01-29 16:20                         ` Miroslav Grepl
2010-02-09 13:47                         ` Christopher J. PeBenito
2010-02-23 20:28 Daniel J Walsh
2010-02-24 15:53 ` Stefan Schulze Frielinghaus
2010-02-24 17:14   ` Daniel J Walsh
2010-02-26  9:00     ` Stefan Schulze Frielinghaus
2010-02-26 13:39       ` Daniel J Walsh
2010-02-26 14:23         ` Stefan Schulze Frielinghaus
2010-08-26 22:02 Daniel J Walsh
2010-09-15 13:16 ` Christopher J. PeBenito