* [refpolicy] [PATCH/RFC 0/2] Introduce minidlna policy
@ 2013-05-01 18:36 Sven Vermeulen
  2013-05-01 18:37 ` [refpolicy] [PATCH/RFC 1/2] Add trivnet1 port (8200) Sven Vermeulen
  2013-05-01 18:38 ` [refpolicy] [PATCH/RFC 2/2] Add minidlna policy Sven Vermeulen
  0 siblings, 2 replies; 18+ messages in thread
From: Sven Vermeulen @ 2013-05-01 18:36 UTC (permalink / raw)
  To: refpolicy

These two patches (one for the main repository, one for contrib when the
main one is accepted and applied) introduce the minidlna policy for the
similarly named daemon.

The policy provides the necessary capabilities for minidlna to serve media
files marked as public, but a boolean (minidlna_read_generic_user_content)
is available to allow the domain to serve user content as well.

Wkr,
	Sven Vermeulen

^ permalink raw reply	[flat|nested] 18+ messages in thread

* [refpolicy] [PATCH/RFC 1/2] Add trivnet1 port (8200)
  2013-05-01 18:36 [refpolicy] [PATCH/RFC 0/2] Introduce minidlna policy Sven Vermeulen
@ 2013-05-01 18:37 ` Sven Vermeulen
  2013-05-01 18:38 ` [refpolicy] [PATCH/RFC 2/2] Add minidlna policy Sven Vermeulen
  1 sibling, 0 replies; 18+ messages in thread
From: Sven Vermeulen @ 2013-05-01 18:37 UTC (permalink / raw)
  To: refpolicy

Create the proper port types for trivnet1 (port 8200)

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/kernel/corenetwork.te.in | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index e78ee3b..060c7fc 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -261,6 +261,7 @@ network_port(tor, tcp,6969,s0, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0, tcp,9051,s
 network_port(traceroute, udp,64000-64010,s0)
 network_port(transproxy, tcp,8081,s0)
 network_port(trisoap, tcp,10200,s0, udp,10200,s0)
+network_port(trivnet1, tcp, 8200, s0, udp, 8200, s0)
 network_port(ups, tcp,3493,s0)
 network_port(utcpserver) # no defined portcon
 network_port(uucpd, tcp,540,s0)
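Review bot: the argument spacing on the new line (`tcp, 8200, s0, udp, 8200, s0`) does not match the surrounding entries, which use the `tcp,10200,s0, udp,10200,s0` form seen on the trisoap line just above; please match the file's style. Also justify the udp portcon: the companion minidlna policy in 2/2 only ever binds tcp sockets to trivnet1 (corenet_tcp_bind_trivnet1_port), so the udp 8200 declaration either needs a user or should be left out of this commit.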
-- 
1.8.1.5


* [refpolicy] [PATCH/RFC 2/2] Add minidlna policy
  2013-05-01 18:36 [refpolicy] [PATCH/RFC 0/2] Introduce minidlna policy Sven Vermeulen
  2013-05-01 18:37 ` [refpolicy] [PATCH/RFC 1/2] Add trivnet1 port (8200) Sven Vermeulen
@ 2013-05-01 18:38 ` Sven Vermeulen
  2013-05-01 19:12   ` Dominick Grift
  2013-05-02 15:41   ` Dominick Grift
  1 sibling, 2 replies; 18+ messages in thread
From: Sven Vermeulen @ 2013-05-01 18:38 UTC (permalink / raw)
  To: refpolicy

The minidlna policy allows the minidlna server to listen on the ssdp and trivnet1
ports (ssdp is for the discovery, trivnet1 for serving the files) and serve
files marked as public_t.

If minidlna_read_generic_user_content is set, the server can also be used to
serve user content.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 minidlna.fc | 11 +++++++
 minidlna.if | 64 +++++++++++++++++++++++++++++++++++++++
 minidlna.te | 99 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 174 insertions(+)
 create mode 100644 minidlna.fc
 create mode 100644 minidlna.if
 create mode 100644 minidlna.te

diff --git a/minidlna.fc b/minidlna.fc
new file mode 100644
index 0000000..05ad732
--- /dev/null
+++ b/minidlna.fc
@@ -0,0 +1,11 @@
+/etc/rc\.d/init\.d/minidlna	--	gen_context(system_u:object_r:minidlna_initrc_exec_t,s0)
+
+/etc/minidlna\.conf	--	gen_context(system_u:object_r:minidlna_etc_t,s0)
+
+/usr/sbin/minidlna	--	gen_context(system_u:object_r:minidlna_exec_t,s0)
+
+/var/lib/minidlna(/.*)?		gen_context(system_u:object_r:minidlna_db_t,s0)
+
+/var/log/minidlna\.log	--	gen_context(system_u:object_r:minidlna_log_t,s0)
+
+/var/run/minidlna(/.*)?		gen_context(system_u:object_r:minidlna_var_run_t,s0)
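Review bot: the log entry `/var/log/minidlna\.log -- minidlna_log_t` matches only the live file, so rotated copies such as minidlna.log.1 or minidlna.log.2.gz fall back to var_log_t and show up as mislabeled on the next relabel; use `/var/log/minidlna\.log.*` and, where the package ships a directory instead, `/var/log/minidlna(/.*)?`. The same question applies to the state directory: `/var/lib/minidlna(/.*)?` is labeled here while the .te in this patch also adds a files_var_lib_filetrans for it, so say which layout the package actually installs and keep only the matching rule.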
diff --git a/minidlna.if b/minidlna.if
new file mode 100644
index 0000000..d27f634
--- /dev/null
+++ b/minidlna.if
@@ -0,0 +1,64 @@
+## <summary>MiniDLNA server</summary>
+
+########################################
+## <summary>
+##	All of the rules required to
+##	administrate an minidlna environment.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`minidlna_admin',`
+	gen_require(`
+		type minidlna_t, minidlna_var_run_t, minidlna_initrc_exec_t;
+		type minidlna_etc_t, minidlna_log_t, minidlna_db_t;
+	')
+
+	allow $1 minidlna_t:process { ptrace signal_perms };
+	ps_process_pattern($1, minidlna_t)
+
+	minidlna_initrc_domtrans($1)
+	domain_system_change_exemption($1)
+	role_transition $2 minidlna_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	files_search_etc($1)
+	admin_pattern($1, minidlna_etc_t)
+
+	logging_search_logs($1)
+	admin_pattern($1, minidlna_log_t)
+
+	files_search_var_lib($1)
+	admin_pattern($1, minidlna_db_t)
+
+	files_search_pids($1)
+	admin_pattern($1, minidlna_var_run_t)
+')
+
+########################################
+## <summary>
+##	Execute minidlna init scripts in
+##	the initrc domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`minidlna_initrc_domtrans',`
+	gen_require(`
+		type minidlna_initrc_exec_t;
+	')
+
+	init_labeled_script_domtrans($1, minidlna_initrc_exec_t)
+')
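Review bot: minidlna_admin calls minidlna_initrc_domtrans, which is only defined further down; refpolicy convention puts the _admin interface last in the .if so that the interfaces it depends on come first, so please swap the two blocks. In the same interface, "administrate an minidlna environment" should read "a minidlna environment", and the file summary `MiniDLNA server` should say what the daemon is (a DLNA/UPnP media server), since that summary ends up in the generated documentation.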
diff --git a/minidlna.te b/minidlna.te
new file mode 100644
index 0000000..06ab1c9
--- /dev/null
+++ b/minidlna.te
@@ -0,0 +1,99 @@
+policy_module(minidlna, 0.1)
+
+#############################################
+#
+# Declarations
+#
+
+## <desc>
+##	<p>
+##	Allow minidlna to read generic user content
+##	</p>
+## </desc>
+gen_tunable(minidlna_read_generic_user_content, false)
+
+type minidlna_t;
+type minidlna_exec_t;
+init_daemon_domain(minidlna_t, minidlna_exec_t)
+
+type minidlna_initrc_exec_t;
+init_script_file(minidlna_initrc_exec_t)
+
+type minidlna_etc_t;
+files_config_file(minidlna_etc_t)
+
+type minidlna_log_t;
+logging_log_file(minidlna_log_t)
+
+type minidlna_db_t;
+files_type(minidlna_db_t)
+
+type minidlna_var_run_t;
+files_pid_file(minidlna_var_run_t)
+
+###############################################
+#
+# Local policy
+#
+
+allow minidlna_t self:process { setsched };
+allow minidlna_t self:tcp_socket create_stream_socket_perms;
+allow minidlna_t self:udp_socket { create_socket_perms node_bind };
+allow minidlna_t self:netlink_route_socket rw_netlink_socket_perms;
+allow minidlna_t minidlna_log_t:file { create_file_perms append_file_perms };
+allow minidlna_t minidlna_etc_t:file read_file_perms;
+
+manage_files_pattern(minidlna_t, minidlna_db_t, minidlna_db_t)
+create_dirs_pattern(minidlna_t, minidlna_db_t, minidlna_db_t)
+rw_dirs_pattern(minidlna_t, minidlna_db_t, minidlna_db_t)
+files_var_lib_filetrans(minidlna_t, minidlna_db_t, dir)
+
+manage_files_pattern(minidlna_t, minidlna_var_run_t, minidlna_var_run_t)
+rw_dirs_pattern(minidlna_t, minidlna_var_run_t, minidlna_var_run_t)
+files_pid_filetrans(minidlna_t, minidlna_var_run_t, file)
+
+kernel_read_fs_sysctls(minidlna_t)
+kernel_read_system_state(minidlna_t)
+
+logging_log_filetrans(minidlna_t, minidlna_log_t, file)
+
+corecmd_exec_bin(minidlna_t)
+corecmd_exec_shell(minidlna_t)
+
+corenet_all_recvfrom_netlabel(minidlna_t)
+corenet_all_recvfrom_unlabeled(minidlna_t)
+
+corenet_sendrecv_ssdp_client_packets(minidlna_t)
+corenet_sendrecv_ssdp_server_packets(minidlna_t)
+
+corenet_tcp_bind_generic_node(minidlna_t)
+corenet_tcp_sendrecv_generic_if(minidlna_t)
+corenet_tcp_sendrecv_generic_node(minidlna_t)
+
+corenet_udp_bind_generic_node(minidlna_t)
+corenet_udp_bind_ssdp_port(minidlna_t)
+
+corenet_sendrecv_trivnet1_client_packets(minidlna_t)
+corenet_sendrecv_trivnet1_server_packets(minidlna_t)
+corenet_tcp_bind_trivnet1_port(minidlna_t)
+
+files_read_etc_files(minidlna_t)
+
+miscfiles_read_localization(minidlna_t)
+miscfiles_read_public_files(minidlna_t)
+
+tunable_policy(`minidlna_read_generic_user_content',`
+	userdom_list_user_tmp(minidlna_t)
+	userdom_read_user_home_content_files(minidlna_t)
+	userdom_read_user_home_content_symlinks(minidlna_t)
+	userdom_read_user_tmp_files(minidlna_t)
+	userdom_read_user_tmp_symlinks(minidlna_t)
+',`
+	files_dontaudit_list_home(minidlna_t)
+	files_dontaudit_list_tmp(minidlna_t)
+
+	userdom_dontaudit_list_user_home_dirs(minidlna_t)
+	userdom_dontaudit_list_user_tmp(minidlna_t)
+	userdom_dontaudit_read_user_home_content_files(minidlna_t)
+	userdom_dontaudit_read_user_tmp_files(minidlna_t)
+')
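Review bot: `allow minidlna_t self:udp_socket { create_socket_perms node_bind }` grants nothing useful, because node_bind is checked against the node type of the address being bound (node_t, already covered by the corenet_udp_bind_generic_node call below), not against the socket's own type; drop node_bind from the self rule. Two further points in this hunk: rw_netlink_socket_perms on netlink_route_socket lets the daemon modify routes, while an interface or resolver lookup only needs r_netlink_socket_perms, and the corenet_sendrecv_ssdp_client_packets / corenet_sendrecv_trivnet1_client_packets calls are for a domain that connects to those ports, whereas this domain only binds to them (server packets). Conversely the bind calls are not paired with corenet_udp_sendrecv_ssdp_port and corenet_tcp_sendrecv_trivnet1_port the way other daemon policies do it. Each of these should be backed by an AVC denial from a permissive run before it stays in.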
-- 
1.8.1.5


* [refpolicy] [PATCH/RFC 2/2] Add minidlna policy
  2013-05-01 18:38 ` [refpolicy] [PATCH/RFC 2/2] Add minidlna policy Sven Vermeulen
@ 2013-05-01 19:12   ` Dominick Grift
  2013-05-01 20:09     ` Sven Vermeulen
  2013-05-02 15:41   ` Dominick Grift
  1 sibling, 1 reply; 18+ messages in thread
From: Dominick Grift @ 2013-05-01 19:12 UTC (permalink / raw)
  To: refpolicy

On Wed, 2013-05-01 at 20:38 +0200, Sven Vermeulen wrote:
> The minidlna policy allows the minidlna server to listen on the ssdp and trivnet1
> ports (ssdp is for the discovery, trivnet1 for serving the files) and serve
> files marked as public_t.
> 
> If minidlna_read_generic_user_content is set, the server can also be used to
> serve user content.

Some comments in-line

> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  minidlna.fc | 11 +++++++
>  minidlna.if | 64 +++++++++++++++++++++++++++++++++++++++
>  minidlna.te | 99 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>  3 files changed, 174 insertions(+)
>  create mode 100644 minidlna.fc
>  create mode 100644 minidlna.if
>  create mode 100644 minidlna.te
> 
> diff --git a/minidlna.fc b/minidlna.fc
> new file mode 100644
> index 0000000..05ad732
> --- /dev/null
> +++ b/minidlna.fc
> @@ -0,0 +1,11 @@
> +/etc/rc\.d/init\.d/minidlna	--	gen_context(system_u:object_r:minidlna_initrc_exec_t,s0)
> +
> +/etc/minidlna\.conf	--	gen_context(system_u:object_r:minidlna_etc_t,s0)

Can we use type minidlna_conf_t instead for consistency?

> +
> +/usr/sbin/minidlna	--	gen_context(system_u:object_r:minidlna_exec_t,s0)
> +
> +/var/lib/minidlna(/.*)?		gen_context(system_u:object_r:minidlna_db_t,s0)

Can add support /var/cache/minidlna(/.*)? as well for Fedora? (Fedora
installs the /var/cache/minidlna dir instead for this content)

> +
> +/var/log/minidlna\.log	--	gen_context(system_u:object_r:minidlna_log_t,s0)

This daemon runs as root on gentoo?

Can we do /var/log/minidlna.log.* instead? (in case someone uses
logrotate to maintain the log files)

Also add support for /var/log/minidlna(/.*)? as well for Fedora?
( Fedora installs the /var/log/minidlna dir instead )

> +
> +/var/run/minidlna(/.*)?		gen_context(system_u:object_r:minidlna_var_run_t,s0)
> diff --git a/minidlna.if b/minidlna.if
> new file mode 100644
> index 0000000..d27f634
> --- /dev/null
> +++ b/minidlna.if
> @@ -0,0 +1,64 @@
> +## <summary>MiniDLNA server</summary>

Gimme a break ;)

Please use something a little more descriptive:

MiniDLNA lightweight DLNA/UPnP media server.

> +
> +########################################
> +## <summary>
> +##	All of the rules required to
> +##	administrate an minidlna environment.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +## <param name="role">
> +##	<summary>
> +##	Role allowed access.
> +##	</summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`minidlna_admin',`
> +	gen_require(`
> +		type minidlna_t, minidlna_var_run_t, minidlna_initrc_exec_t;
> +		type minidlna_etc_t, minidlna_log_t, minidlna_db_t;
> +	')
> +
> +	allow $1 minidlna_t:process { ptrace signal_perms };
> +	ps_process_pattern($1, minidlna_t)
> +
> +	minidlna_initrc_domtrans($1)
> +	domain_system_change_exemption($1)
> +	role_transition $2 minidlna_initrc_exec_t system_r;
> +	allow $2 system_r;
> +
> +	files_search_etc($1)
> +	admin_pattern($1, minidlna_etc_t)
> +
> +	logging_search_logs($1)
> +	admin_pattern($1, minidlna_log_t)
> +
> +	files_search_var_lib($1)
> +	admin_pattern($1, minidlna_db_t)
> +
> +	files_search_pids($1)
> +	admin_pattern($1, minidlna_var_run_t)
> +')
> +
> +########################################
> +## <summary>
> +##	Execute minidlna init scripts in
> +##	the initrc domain.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed to transition.
> +##	</summary>
> +## </param>
> +#
> +interface(`minidlna_initrc_domtrans',`
> +	gen_require(`
> +		type minidlna_initrc_exec_t;
> +	')
> +
> +	init_labeled_script_domtrans($1, minidlna_initrc_exec_t)
> +')
> diff --git a/minidlna.te b/minidlna.te
> new file mode 100644
> index 0000000..06ab1c9
> --- /dev/null
> +++ b/minidlna.te
> @@ -0,0 +1,99 @@
> +policy_module(minidlna, 0.1)
> +
> +#############################################
> +#
> +# Declarations
> +#
> +
> +## <desc>
> +##	<p>
> +##	Allow minidlna to read generic user content

Determine whether Minidlna can read generic user content. (i am trying
to be consistent)

> +##	</p>
> +## </desc>
> +gen_tunable(minidlna_read_generic_user_content, false)
> +
> +type minidlna_t;
> +type minidlna_exec_t;
> +init_daemon_domain(minidlna_t, minidlna_exec_t)
> +
> +type minidlna_initrc_exec_t;
> +init_script_file(minidlna_initrc_exec_t)
> +
> +type minidlna_etc_t;
> +files_config_file(minidlna_etc_t)
> +
> +type minidlna_log_t;
> +logging_log_file(minidlna_log_t)
> +
> +type minidlna_db_t;
> +files_type(minidlna_db_t)
> +
> +type minidlna_var_run_t;
> +files_pid_file(minidlna_var_run_t)
> +
> +###############################################
> +#
> +# Local policy
> +#
> +
> +allow minidlna_t self:process { setsched };

No need for brace expansion here (nothing to expand)

> +allow minidlna_t self:tcp_socket create_stream_socket_perms;
> +allow minidlna_t self:udp_socket { create_socket_perms node_bind };

Whats node_bind permission doing there?

> +allow minidlna_t self:netlink_route_socket rw_netlink_socket_perms;

Are you sure it needs to write the routing table? (show me the avc
denials)

> +allow minidlna_t minidlna_log_t:file { create_file_perms append_file_perms };

Need support for adding dir entries to minidlna_log_t dirs (fedora
installs /var/log/minidlna dir) 

> +allow minidlna_t minidlna_etc_t:file read_file_perms;
> +
> +manage_files_pattern(minidlna_t, minidlna_db_t, minidlna_db_t)
> +create_dirs_pattern(minidlna_t, minidlna_db_t, minidlna_db_t)
> +rw_dirs_pattern(minidlna_t, minidlna_db_t, minidlna_db_t)
> +files_var_lib_filetrans(minidlna_t, minidlna_db_t, dir)

Are you saying that it does not actually install /var/lib/minidlna?
This can probably be done cleaner (use permission sets where possible
instead of patterns)

> +
> +manage_files_pattern(minidlna_t, minidlna_var_run_t, minidlna_var_run_t)
> +rw_dirs_pattern(minidlna_t, minidlna_var_run_t, minidlna_var_run_t)

permission set is cleaner.

> +files_pid_filetrans(minidlna_t, minidlna_var_run_t, file)
> +
> +kernel_read_fs_sysctls(minidlna_t)
> +kernel_read_system_state(minidlna_t)
> +logging_log_filetrans(minidlna_t, minidlna_log_t, file)

This needs to go up (to where the other logging rules are)

> +
> +corecmd_exec_bin(minidlna_t)
> +corecmd_exec_shell(minidlna_t)
> +
> +corenet_all_recvfrom_netlabel(minidlna_t)
> +corenet_all_recvfrom_unlabeled(minidlna_t)
> +
> +corenet_sendrecv_ssdp_client_packets(minidlna_t)
> +corenet_sendrecv_ssdp_server_packets(minidlna_t)
> +
> +corenet_tcp_bind_generic_node(minidlna_t)
> +corenet_tcp_sendrecv_generic_if(minidlna_t)
> +corenet_tcp_sendrecv_generic_node(minidlna_t)
> +
> +corenet_udp_bind_generic_node(minidlna_t)
> +corenet_udp_bind_ssdp_port(minidlna_t)
> +
> +corenet_sendrecv_trivnet1_client_packets(minidlna_t)
> +corenet_sendrecv_trivnet1_server_packets(minidlna_t)
> +corenet_tcp_bind_trivnet1_port(minidlna_t)
> +
> +files_read_etc_files(minidlna_t)

Which file is that? /etc/nsswitch.conf?

> +
> +miscfiles_read_localization(minidlna_t)
> +miscfiles_read_public_files(minidlna_t)
> +
> +tunable_policy(`minidlna_read_generic_user_content',`
> +	userdom_list_user_tmp(minidlna_t)
> +	userdom_read_user_home_content_files(minidlna_t)
> +	userdom_read_user_home_content_symlinks(minidlna_t)
> +	userdom_read_user_tmp_files(minidlna_t)
> +	userdom_read_user_tmp_symlinks(minidlna_t)
> +',`
> +	files_dontaudit_list_home(minidlna_t)
> +	files_dontaudit_list_tmp(minidlna_t)
> +
> +	userdom_dontaudit_list_user_home_dirs(minidlna_t)
> +	userdom_dontaudit_list_user_tmp(minidlna_t)
> +	userdom_dontaudit_read_user_home_content_files(minidlna_t)
> +	userdom_dontaudit_read_user_tmp_files(minidlna_t)
> +')
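Review bot: corecmd_exec_bin and corecmd_exec_shell let a network-facing media server execute any system binary and a shell, which is a large step beyond serving files, and nothing in the hunk says which helper minidlna runs; either name it in the commit message (and, if it is a single program, use a domain transition or a narrower exec rule) or drop both until a denial shows they are needed. Also, if files_read_etc_files is there for the nsswitch.conf and passwd lookups, auth_use_nsswitch(minidlna_t) is the interface meant for that: it carries the nsswitch.conf read, the read-only netlink_route_socket access and the optional nscd/sssd/ldap socket connections the resolver may take, instead of a generic read of everything in /etc.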

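"Show me the avc denials" is the standard way to justify every rule in a new module. The script below is an added example, not part of the patch or of anything posted in this thread: it runs the daemon's domain in permissive mode, exercises it, and reduces the audit log to one line per distinct denial (class, permission, target type) for that domain, which is the list you translate into refpolicy interface calls. The audit lines embedded in it are constructed for illustration, not a real capture from a minidlna host.

```shell
#!/bin/sh
# Added example, not part of the patch or the thread: summarise the AVC
# denials logged for one source domain so every rule added to a .te file can
# be traced to an observed access. Intended workflow on the SELinux host:
#   semanage permissive -a minidlna_t    # log denials instead of blocking
#   ... exercise the daemon: rescan, stream a file to a client ...
#   avc_summary /var/log/audit/audit.log minidlna_t
#   semanage permissive -d minidlna_t
#
# Output: "<count> <tclass> <permission> <target type>" per distinct denial.
avc_summary() {
    log=$1 domain=$2
    awk -v dom="$domain" '
        /avc: +denied/ {
            # the permission list sits between the braces: { read write }
            perms = $0
            sub(/.*\{ */, "", perms)
            sub(/ *\}.*/, "", perms)
            src = ""; tgt = ""; cls = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^scontext=/) src = $i
                else if ($i ~ /^tcontext=/) tgt = $i
                else if ($i ~ /^tclass=/) cls = substr($i, 8)
            }
            # contexts are user:role:type:level, so the type is field 3
            split(src, s, ":")
            split(tgt, t, ":")
            if (s[3] != dom) next
            n = split(perms, p, " ")
            for (i = 1; i <= n; i++)
                count[cls " " p[i] " " t[3]]++
        }
        END { for (k in count) print count[k], k }
    ' "$log" | sort -k2
}

# Constructed sample, not a real capture: a few denials minidlna_t might
# produce in permissive mode, plus one sshd_t line that must be ignored.
sample_avc_log() {
    cat <<'EOF'
type=AVC msg=audit(1367438400.101:201): avc:  denied  { read } for  pid=10236 comm="minidlna" name="passwd" dev="sda2" ino=1001 scontext=system_u:system_r:minidlna_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1367438400.102:202): avc:  denied  { read } for  pid=10236 comm="minidlna" name="nsswitch.conf" dev="sda2" ino=1002 scontext=system_u:system_r:minidlna_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1367438400.103:203): avc:  denied  { write } for  pid=10236 comm="minidlna" name="minidlna" dev="sda2" ino=2001 scontext=system_u:system_r:minidlna_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=AVC msg=audit(1367438400.104:204): avc:  denied  { create } for  pid=10236 comm="minidlna" scontext=system_u:system_r:minidlna_t:s0 tcontext=system_u:system_r:minidlna_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1367438400.105:205): avc:  denied  { read write } for  pid=4321 comm="sshd" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
EOF
}

# With no arguments, run on the constructed sample; with two, on a real log.
if [ $# -eq 2 ]; then
    avc_summary "$1" "$2"
else
    tmp=$(mktemp)
    sample_avc_log > "$tmp"
    avc_summary "$tmp" minidlna_t
    rm -f "$tmp"
fi
```

On the constructed sample this prints `2 file read etc_t`, `1 dir write var_lib_t` and `1 netlink_route_socket create minidlna_t`; the sshd_t line is filtered out. Each output line maps onto one interface question (is `file read etc_t` really nsswitch, is `dir write var_lib_t` a missing filetrans or a mislabeled directory), which is a more defensible basis for a rule than copying what audit2allow suggests.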

* [refpolicy] [PATCH/RFC 2/2] Add minidlna policy
  2013-05-01 19:12   ` Dominick Grift
@ 2013-05-01 20:09     ` Sven Vermeulen
  2013-05-01 20:14       ` Dominick Grift
  2013-05-02 10:59       ` Dominick Grift
  0 siblings, 2 replies; 18+ messages in thread
From: Sven Vermeulen @ 2013-05-01 20:09 UTC (permalink / raw)
  To: refpolicy

On Wed, May 01, 2013 at 09:12:09PM +0200, Dominick Grift wrote:
> > +/etc/minidlna\.conf	--	gen_context(system_u:object_r:minidlna_etc_t,s0)
> 
> Can we use type minidlna_conf_t instead for consistency?

Ok... but in the contrib/ folder, I find more _etc_t definitions than
_conf_t ones:

$ grep '^type .*_conf_t' *.te | wc -l
36
$ grep '^type .*_etc_t' *.te | wc -l
89

> > +
> > +/usr/sbin/minidlna	--	gen_context(system_u:object_r:minidlna_exec_t,s0)
> > +
> > +/var/lib/minidlna(/.*)?		gen_context(system_u:object_r:minidlna_db_t,s0)
> 
> Can add support /var/cache/minidlna(/.*)? as well for Fedora? (Fedora
> installs the /var/cache/minidlna dir instead for this content 

Of course

> > +
> > +/var/log/minidlna\.log	--	gen_context(system_u:object_r:minidlna_log_t,s0)
> 
> This daemon runs as root on gentoo?

No, but the package manager creates the log file with proper ownership
already here.

> Can we do /var/log/minidlna.log.* instead? (in case someone uses
> logrotate to maintain the log files)
> 
> Also add support for /var/log/minidlna(/.*)? as well for Fedora?
> ( Fedora installs the /var/log/minidlna dir instead )

Ok

> > +## <summary>MiniDLNA server</summary>
> 
> Gimme a break ;)
> 
> Please use something a little more descriptive:
> 
> MiniDLNA lightweight DLNA/UPnP media server.

Have a kitkat ;-)

Sorry about that.

> > +## <desc>
> > +##	<p>
> > +##	Allow minidlna to read generic user content
> 
> Determine whether Minidlna can read generic user content. (i am trying
> to be consistent)

Ok.

> > +allow minidlna_t self:tcp_socket create_stream_socket_perms;
> > +allow minidlna_t self:udp_socket { create_socket_perms node_bind };
> 
> Whats node_bind permission doing there?

Sorry about that, was from before I had the
corenet_udp_bind_generic_node(minidlna_t) set.

> > +allow minidlna_t self:netlink_route_socket rw_netlink_socket_perms;
> 
> Are you sure it needs to write the routing table? (show me the avc
> denials)

Ah yes, r_netlink_socket_perms is sufficient, my bad.

> > +allow minidlna_t minidlna_log_t:file { create_file_perms append_file_perms };
> 
> Need support for adding dir entries to minidlna_log_t dirs (fedora
> installs /var/log/minidlna dir) 

Ok

> > +allow minidlna_t minidlna_etc_t:file read_file_perms;
> > +
> > +manage_files_pattern(minidlna_t, minidlna_db_t, minidlna_db_t)
> > +create_dirs_pattern(minidlna_t, minidlna_db_t, minidlna_db_t)
> > +rw_dirs_pattern(minidlna_t, minidlna_db_t, minidlna_db_t)
> > +files_var_lib_filetrans(minidlna_t, minidlna_db_t, dir)
> 
> Are you saying that it does not actually install /var/lib/minidlna?
> This can probably be done cleaner (use permission sets where possible
> instead of patterns)

I wasn't sure what to do here. Gentoo installs the /var/lib/minidlna
directory already as part of the software installation. But I noticed that
the majority of modules do have this set.

I'll change it to a files_search_var_lib(minidlna_t).

> > +
> > +manage_files_pattern(minidlna_t, minidlna_var_run_t, minidlna_var_run_t)
> > +rw_dirs_pattern(minidlna_t, minidlna_var_run_t, minidlna_var_run_t)
> 
> permission set is cleaner.

Ok

> > +files_pid_filetrans(minidlna_t, minidlna_var_run_t, file)
> > +
> > +kernel_read_fs_sysctls(minidlna_t)
> > +kernel_read_system_state(minidlna_t)
> > +logging_log_filetrans(minidlna_t, minidlna_log_t, file)
> 
> This needs to go up (to where the other logging rules are

Ok

> > +
> > +corecmd_exec_bin(minidlna_t)
> > +corecmd_exec_shell(minidlna_t)
> > +
> > +corenet_all_recvfrom_netlabel(minidlna_t)
> > +corenet_all_recvfrom_unlabeled(minidlna_t)
> > +
> > +corenet_sendrecv_ssdp_client_packets(minidlna_t)
> > +corenet_sendrecv_ssdp_server_packets(minidlna_t)
> > +
> > +corenet_tcp_bind_generic_node(minidlna_t)
> > +corenet_tcp_sendrecv_generic_if(minidlna_t)
> > +corenet_tcp_sendrecv_generic_node(minidlna_t)
> > +
> > +corenet_udp_bind_generic_node(minidlna_t)
> > +corenet_udp_bind_ssdp_port(minidlna_t)
> > +
> > +corenet_sendrecv_trivnet1_client_packets(minidlna_t)
> > +corenet_sendrecv_trivnet1_server_packets(minidlna_t)
> > +corenet_tcp_bind_trivnet1_port(minidlna_t)
> > +
> > +files_read_etc_files(minidlna_t)
> 
> Which file is that? /etc/nsswitch.conf?

nsswitch.conf and passwd.

Wkr,
	Sven Vermeulen


* [refpolicy] [PATCH/RFC 2/2] Add minidlna policy
  2013-05-01 20:09     ` Sven Vermeulen
@ 2013-05-01 20:14       ` Dominick Grift
  2013-05-02 18:26         ` Christopher J. PeBenito
  2013-05-02 10:59       ` Dominick Grift
  1 sibling, 1 reply; 18+ messages in thread
From: Dominick Grift @ 2013-05-01 20:14 UTC (permalink / raw)
  To: refpolicy

On Wed, 2013-05-01 at 22:09 +0200, Sven Vermeulen wrote:
> On Wed, May 01, 2013 at 09:12:09PM +0200, Dominick Grift wrote:
> > > +/etc/minidlna\.conf	--	gen_context(system_u:object_r:minidlna_etc_t,s0)
> > 
> > Can we use type minidlna_conf_t instead for consistency?
> 
> Ok... but in the contrib/ folder, I find more _etc_t definitions than
> _conf_t ones:
> 
> $ grep '^type .*_conf_t' *.te | wc -l
> 36
> $ grep '^type .*_etc_t' *.te | wc -l
> 89

Hmm, i see. I prefer conf in light of self-documenting policy

> 
> I wasn't sure what to do here. Gentoo installs the /var/lib/minidlna
> directory already as part of the software installation. But I noticed that
> the majority of modules do have this set.
> 
> I'll change it to a files_search_var_lib(minidlna_t).

Thanks. A file transition is not needed in that case

> > 
> > Which file is that? /etc/nsswitch.conf?
> 
> nsswitch.conf and passwd.
> 

Probably needs nsswitch support then

> Wkr,
> 	Sven Vermeulen


* [refpolicy] [PATCH/RFC 2/2] Add minidlna policy
  2013-05-01 20:09     ` Sven Vermeulen
  2013-05-01 20:14       ` Dominick Grift
@ 2013-05-02 10:59       ` Dominick Grift
  1 sibling, 0 replies; 18+ messages in thread
From: Dominick Grift @ 2013-05-02 10:59 UTC (permalink / raw)
  To: refpolicy

On Wed, 2013-05-01 at 22:09 +0200, Sven Vermeulen wrote:
> 
> > > +
> > > +/var/log/minidlna\.log	--	gen_context(system_u:object_r:minidlna_log_t,s0)
> > 
> > This daemon runs as root on gentoo?
> 
> No, but the package manager creates the log file with proper ownership
> already here.

In that case we do not need a file type transition for log files


* [refpolicy] [PATCH/RFC 2/2] Add minidlna policy
  2013-05-01 18:38 ` [refpolicy] [PATCH/RFC 2/2] Add minidlna policy Sven Vermeulen
  2013-05-01 19:12   ` Dominick Grift
@ 2013-05-02 15:41   ` Dominick Grift
  2013-05-02 19:23     ` Sven Vermeulen
  1 sibling, 1 reply; 18+ messages in thread
From: Dominick Grift @ 2013-05-02 15:41 UTC (permalink / raw)
  To: refpolicy

On Wed, 2013-05-01 at 20:38 +0200, Sven Vermeulen wrote:

> +corenet_sendrecv_ssdp_client_packets(minidlna_t)
> +corenet_sendrecv_ssdp_server_packets(minidlna_t)
> +
> +corenet_tcp_bind_generic_node(minidlna_t)
> +corenet_tcp_sendrecv_generic_if(minidlna_t)
> +corenet_tcp_sendrecv_generic_node(minidlna_t)
> +
> +corenet_udp_bind_generic_node(minidlna_t)
> +corenet_udp_bind_ssdp_port(minidlna_t)
> +
> +corenet_sendrecv_trivnet1_client_packets(minidlna_t)
> +corenet_sendrecv_trivnet1_server_packets(minidlna_t)
> +corenet_tcp_bind_trivnet1_port(minidlna_t)
> +

Another oversight

You do not need the "client_packets" interface calls if the domain does
not connect to the port

In this case minidlna domain only binds tcp sockets to trivnet1 ports,
and udp sockets to ssdp ports

i think we also need these:

corenet_tcp_sendrecv_trivnet1_port(minidlna_t)
corenet_udp_sendrecv_ssdp_port(minidlna_t)


* [refpolicy] [PATCH/RFC 2/2] Add minidlna policy
  2013-05-01 20:14       ` Dominick Grift
@ 2013-05-02 18:26         ` Christopher J. PeBenito
  0 siblings, 0 replies; 18+ messages in thread
From: Christopher J. PeBenito @ 2013-05-02 18:26 UTC (permalink / raw)
  To: refpolicy

On 05/01/13 16:14, Dominick Grift wrote:
> On Wed, 2013-05-01 at 22:09 +0200, Sven Vermeulen wrote:
>> On Wed, May 01, 2013 at 09:12:09PM +0200, Dominick Grift wrote:
>>>> +/etc/minidlna\.conf	--	gen_context(system_u:object_r:minidlna_etc_t,s0)
>>>
>>> Can we use type minidlna_conf_t instead for consistency?
>>
>> Ok... but in the contrib/ folder, I find more _etc_t definitions than
>> _conf_t ones:
>>
>> $ grep '^type .*_conf_t' *.te | wc -l
>> 36
>> $ grep '^type .*_etc_t' *.te | wc -l
>> 89
> 
> Hmm, i see. I prefer conf in light of self-documenting policy

I prefer it too, but I'd say it's not a hard requirement.  I think it makes sense, since it ties the name to the concept of a configuration file, rather than a path, which is what _etc_t does.  /etc does not consist of only config files.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


* [refpolicy] [PATCH/RFC 2/2] Add minidlna policy
  2013-05-02 15:41   ` Dominick Grift
@ 2013-05-02 19:23     ` Sven Vermeulen
  2013-05-02 19:52       ` Dominick Grift
  0 siblings, 1 reply; 18+ messages in thread
From: Sven Vermeulen @ 2013-05-02 19:23 UTC (permalink / raw)
  To: refpolicy

On Thu, May 02, 2013 at 05:41:25PM +0200, Dominick Grift wrote:
> > +corenet_sendrecv_trivnet1_client_packets(minidlna_t)
> > +corenet_sendrecv_trivnet1_server_packets(minidlna_t)
> > +corenet_tcp_bind_trivnet1_port(minidlna_t)
> > +
> 
> Another oversight
> 
> You do not need the "client_packets" interface calls if the domain does
> not connect to the port
> 
> In this case minidlna domain only binds tcp sockets to trivnet1 ports,
> and udp sockets to ssdp ports

I must admit, I never understood (and still don't understand) the networking
aspects in more detail. The corenet_sendrecv_*_packets() interfaces are for
the SECMARK labeled usage, right?

The interfaces assume that iptables (or whatever you use) labels the packets
as trivnet1_client_packet_t or trivnet1_server_packet_t. Does that mean
that, in case of a daemon (which does not connect to remote ports, i.e. act
as a client) we assume that iptables marks it as trivnet1_server_packet_t?

And that, if we would connect to a remote site somehow, these packets would
be assumed to be marked trivnet1_client_packet_t?

Also, if a system would use SECMARK, are the following interfaces then no
longer needed (as these are the "old" ones)?
  - corenet_all_recvfrom_unlabeled
  - corenet_tcp_sendrecv_generic_if
  - corenet_tcp_sendrecv_generic_node
  - corenet_tcp_bind_generic_node 
  - corenet_tcp_bind_*_port
  - corenet_tcp_sendrecv_*_port

> i think we also need these:
> 
> corenet_tcp_sendrecv_trivnet1_port(minidlna_t)
> corenet_udp_sendrecv_ssdp_port(minidlna_t)

From the looks of it, you're right, as minidlna_t currently doesn't have {
send_msg recv_msg } rights on the trivnet1_port_t's tcp_socket. The weird
thing is, my minidlna server is running just fine and my TV can connect and
play stuff from the server. I'm not running a firewall that labels the
packets either, so what gives?

# ps -efZ | grep minidlna
system_u:system_r:minidlna_t    minidlna 10236     1  0 21:08 ?  00:00:00 /usr/sbin/minidlna -P /var/run/minidlna/minidlna.pid -R -f /etc/minidlna.conf

# semanage port -l | grep 8200
trivnet1_port_t                tcp      8200
trivnet1_port_t                udp      8200

# sesearch -s minidlna_t -t trivnet1_port_t -c tcp_socket -Ad
Found 1 semantic av rules:
  allow minidlna_t trivnet1_port_t : tcp_socket name_bind ; 

# sesearch -s minidlna_t -c tcp_socket -p send_msg -A
#
   (no hits, just in case it was through an attribute)

# sestatus | grep mode
Current mode:			enforcing

# semanage permissive -l
# 
  (no permissive domains)

I'll add in the corenet_tcp_sendrecv_trivnet1_port(minidlna_t) and the
udp/ssdp one as, from online documentation, I think I understand that they
are needed. But I am wondering why my system doesn't mind working onwards
even without these rules :-(

Wkr,
  Sven Vermeulen

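The question above about what actually puts the trivnet1_client_packet_t or trivnet1_server_packet_t label on a packet has a concrete answer: the corenet_sendrecv_*_packets() interfaces only allow `packet { send recv }` on those types, and nothing labels a packet unless the firewall does it with the SECMARK target (CONNSECMARK carries the label across the rest of the connection). The script below is an added example, not code from the patch, from refpolicy or from anyone in the thread: it prints the mangle-table rules for a given port and role, using only the `<name>_server_packet_t` / `<name>_client_packet_t` naming that refpolicy's network_port() produces; "trivnet1" and "minidlna_t" are the values from this thread, "http" and 443 in the usage note are just another illustration.

```shell
#!/bin/sh
# Added example, not part of the patch or the thread. It prints the iptables
# SECMARK/CONNSECMARK rules that put the <name>_server_packet_t or
# <name>_client_packet_t label on packets, which is the label that
# corenet_sendrecv_<name>_{server,client}_packets(domain) lets the domain
# send and receive. Assumed: the type names follow refpolicy's network_port()
# convention. Rules are printed for review, not applied.
#
# Usage: secmark_rules <server|client> <tcp|udp> <port> <name> <domain>
#   server: a local daemon listens on <port>      (minidlna on trivnet1)
#   client: a local process connects to <port> on a remote host
secmark_rules() {
    role=$1 proto=$2 port=$3 name=$4 domain=$5
    case $role in
        server) chain=INPUT ;;   # new connections arrive at the local port
        client) chain=OUTPUT ;;  # new connections leave towards the remote port
        *) echo "role must be server or client" >&2; return 1 ;;
    esac
    ctx="system_u:object_r:${name}_${role}_packet_t:s0"
    # Label the first packet of a flow, store the label on the conntrack
    # entry, and copy it back onto every later packet in both directions.
    cat <<EOF
# policy side: corenet_sendrecv_${name}_${role}_packets(${domain})
iptables -t mangle -A INPUT -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore
iptables -t mangle -A OUTPUT -m state --state ESTABLISHED,RELATED -j CONNSECMARK --restore
iptables -t mangle -A $chain -p $proto --dport $port -m state --state NEW -j SECMARK --selctx $ctx
iptables -t mangle -A $chain -m state --state NEW -j CONNSECMARK --save
EOF
}

# The thread's case: minidlna_t serving on trivnet1 (tcp 8200).
secmark_rules server tcp 8200 trivnet1 minidlna_t
```

`secmark_rules client tcp 443 http some_domain_t` prints the mirror image (SECMARK on OUTPUT with `--dport 443`, label http_client_packet_t), which is the shape the `*_client_packets` interfaces are for. Without rules like these every packet carries secmark 0 and the `packet` class is never checked, which is why a daemon with neither interface still works; and SSDP's multicast discovery does not map onto a single conntrack flow, so for udp 1900 plain port matches in both directions are the safer choice than relying on CONNSECMARK.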

* [refpolicy] [PATCH/RFC 2/2] Add minidlna policy
  2013-05-02 19:23     ` Sven Vermeulen
@ 2013-05-02 19:52       ` Dominick Grift
  2013-05-03  7:08         ` Dominick Grift
  2013-05-03 13:47         ` Christopher J. PeBenito
  0 siblings, 2 replies; 18+ messages in thread
From: Dominick Grift @ 2013-05-02 19:52 UTC (permalink / raw)
  To: refpolicy

On Thu, 2013-05-02 at 21:23 +0200, Sven Vermeulen wrote:
> On Thu, May 02, 2013 at 05:41:25PM +0200, Dominick Grift wrote:
> > > +corenet_sendrecv_trivnet1_client_packets(minidlna_t)
> > > +corenet_sendrecv_trivnet1_server_packets(minidlna_t)
> > > +corenet_tcp_bind_trivnet1_port(minidlna_t)
> > > +
> > 
> > Another oversight
> > 
> > You do not need the "client_packets" interface calls if the domain does
> > not connect to the port
> > 
> > In this case minidlna domain only binds tcp sockets to trivnet1 ports,
> > and udp sockets to ssdp ports
> 
> I must admit, I never understood (and still don't understand) the networking
> aspects in more detail. The corenet_sendrecv_*_packets() interfaces are for
> the SECMARK labeled usage, right?

Good question, and i am not sure.

I just know/remember the behavior as i've experienced it. I just do not
remember if it was due to secmark or compat_net or something else.

Could be just how selinux network controls were previously configured by
default on fedora in the past (compat_net?). In that case it is still
good to support backwards compatibility.

I just remember that "client_packets" correspond to connecting to a
port, and "server_packets" correspond to binding sockets to a port.

> 
> The interfaces assume that iptables (or whatever you use) labels the packets
> as trivnet1_client_packet_t or trivnet1_server_packet_t. Does that mean
> that, in case of a daemon (which does not connect to remote ports, i.e. act
> as a client) we assume that iptables marks it as trivnet1_server_packet_t?
> 
> And that, if we would connect to a remote site somehow, these packets would
> be assumed to be marked trivnet1_client_packet_t?

I am just not sure, sorry. Maybe Chris or Paul Moore can shed some more
light on this.

> 
> Also, if a system would use SECMARK, are the following interfaces then no
> longer needed (as these are the "old" ones)?
>   - corenet_all_recvfrom_unlabeled
>   - corenet_tcp_sendrecv_generic_if
>   - corenet_tcp_sendrecv_generic_node
>   - corenet_tcp_bind_generic_node 
>   - corenet_tcp_bind_*_port
>   - corenet_tcp_sendrecv_*_port
> 
> > i think we also need these:
> > 
> > corenet_tcp_sendrecv_trivnet1_port(minidlna_t)
> > corenet_udp_sendrecv_ssdp_port(minidlna_t)
> 
> From the looks of it, you're right, as minidlna_t currently doesn't have {
> send_msg recv_msg } rights on the trivnet1_port_t's tcp_socket. The weird
> thing is, my minidlna server is running just fine and my TV can connect and
> play stuff from the server. I'm not running a firewall that labels the
> packets either, so what gives?
> 
> # ps -efZ | grep minidlna
> system_u:system_r:minidlna_t    minidlna 10236     1  0 21:08 ?  00:00:00 /usr/sbin/minidlna -P /var/run/minidlna/minidlna.pid -R -f /etc/minidlna.conf
> 
> # semanage port -l | grep 8200
> trivnet1_port_t                tcp      8200
> trivnet1_port_t                udp      8200
> 
> # sesearch -s minidlna_t -t trivnet1_port_t -c tcp_socket -Ad
> Found 1 semantic av rules:
>   allow minidlna_t trivnet1_port_t : tcp_socket name_bind ; 
> 
> # sesearch -s minidlna_t -c tcp_socket -p send_msg -A
> #
>    (no hits, just in case it was through an attribute)
> 
> # sestatus | grep mode
> Current mode:			enforcing
> 
> # semanage permissive -l
> # 
>   (no permissive domains)
> 
> I'll add in the corenet_tcp_sendrecv_trivnet1_port(minidlna_t) and the
> udp/ssdp one as, from online documentation, I think I understand that they
> are needed. But I am wondering why my system doesn't mind working onwards
> even without these rules :-(

Fedora shows the same behavior. I think it is related to "compat_net"
but I am not sure. I just know how it used to work, and I would like to
maintain backwards compatibility.

> Wkr,
>   Sven Vermeulen


* [refpolicy] [PATCH/RFC 2/2] Add minidlna policy
  2013-05-02 19:52       ` Dominick Grift
@ 2013-05-03  7:08         ` Dominick Grift
  2013-05-03 12:02           ` Sven Vermeulen
  2013-05-03 13:47         ` Christopher J. PeBenito
  1 sibling, 1 reply; 18+ messages in thread
From: Dominick Grift @ 2013-05-03  7:08 UTC (permalink / raw)
  To: refpolicy

On Thu, 2013-05-02 at 21:52 +0200, Dominick Grift wrote:
> On Thu, 2013-05-02 at 21:23 +0200, Sven Vermeulen wrote:
> > On Thu, May 02, 2013 at 05:41:25PM +0200, Dominick Grift wrote:
> > > > +corenet_sendrecv_trivnet1_client_packets(minidlna_t)
> > > > +corenet_sendrecv_trivnet1_server_packets(minidlna_t)
> > > > +corenet_tcp_bind_trivnet1_port(minidlna_t)
> > > > +
> > > 
> > > Another oversight
> > > 
> > > You do not need the "client_packets" interface calls if the domain does
> > > not connect to the port
> > > 
> > > In this case minidlna domain only binds tcp sockets to trivnet1 ports,
> > > and udp sockets to ssdp ports
> > 
> > I must admit, I never understood (and still don't understand) the networking
> > aspects in more detail. The corenet_sendrecv_*_packets() interfaces are for
> > the SECMARK labeled usage, right?
> 
> Good question, and i am not sure.

Looks like compat_net support may have been completely removed:

http://lists.openwall.net/netdev/2009/03/27/144

I think we need more and better practical examples of how to use
SECMARK and how SECMARK can be configured to match the old compat_net
functionality.

There is one nice how-to by Dan Walsh on Linux.com, but other than that
documentation is lacking in my view.


* [refpolicy] [PATCH/RFC 2/2] Add minidlna policy
  2013-05-03  7:08         ` Dominick Grift
@ 2013-05-03 12:02           ` Sven Vermeulen
  2013-05-03 12:19             ` Dominick Grift
  2013-05-03 12:23             ` Dominick Grift
  0 siblings, 2 replies; 18+ messages in thread
From: Sven Vermeulen @ 2013-05-03 12:02 UTC (permalink / raw)
  To: refpolicy

On May 3, 2013 9:08 AM, "Dominick Grift" <dominick.grift@gmail.com> wrote:
> Looks like compat_net support may have been completely removed:
>
> http://lists.openwall.net/netdev/2009/03/27/144

Now I'm completely lost. Does that mean that the "old", non-labeled
approach is not used anymore? I could've sworn that node_t and netif_t were
still used.

> i think we need more and better, practical examples of how to use
> secmark and how secmark can be configured to match the old compat_net
> functionality
>
> There is one nice how to by Dan Walsh on Linux.com, but other than that
> documentation is lacking in my view

Ack. And also how the default behavior is if no secmark/labeling is used...


* [refpolicy] [PATCH/RFC 2/2] Add minidlna policy
  2013-05-03 12:02           ` Sven Vermeulen
@ 2013-05-03 12:19             ` Dominick Grift
  2013-05-03 12:23             ` Dominick Grift
  1 sibling, 0 replies; 18+ messages in thread
From: Dominick Grift @ 2013-05-03 12:19 UTC (permalink / raw)
  To: refpolicy

On Fri, 2013-05-03 at 14:02 +0200, Sven Vermeulen wrote:
> On May 3, 2013 9:08 AM, "Dominick Grift" <dominick.grift@gmail.com> wrote:
> > Looks like compat_net support may have been completely removed:
> >
> > http://lists.openwall.net/netdev/2009/03/27/144
> 
> Now i'm completely lost. Does that mean that the "old", non-labeled
> approach is not used anymore? I could've sworn that node_t and netif_t were
> still used.
> 

Nodes and network interfaces can be labeled with semanage, I believe.

But by default, I think most domains can use only the default network
interface and node types (so node_t and netif_t, not all types
classified as node_type or netif_type):

# semanage interface -l
# semanage node -l

Seems no network interfaces or nodes are labeled by default.

> > i think we need more and better, practical examples of how to use
> > secmark and how secmark can be configured to match the old compat_net
> > functionality
> >
> > There is one nice how to by Dan Walsh on Linux.com, but other than that
> > documentation is lacking in my view
> 
> Ack. And also how the default behavior is if no secmark/labeling is used...

What you see (AVC denials) is what you get by default.


* [refpolicy] [PATCH/RFC 2/2] Add minidlna policy
  2013-05-03 12:02           ` Sven Vermeulen
  2013-05-03 12:19             ` Dominick Grift
@ 2013-05-03 12:23             ` Dominick Grift
  1 sibling, 0 replies; 18+ messages in thread
From: Dominick Grift @ 2013-05-03 12:23 UTC (permalink / raw)
  To: refpolicy

On Fri, 2013-05-03 at 14:02 +0200, Sven Vermeulen wrote:
> On May 3, 2013 9:08 AM, "Dominick Grift" <dominick.grift@gmail.com> wrote:
> > Looks like compat_net support may have been completely removed:
> >
> > http://lists.openwall.net/netdev/2009/03/27/144
> 
> Now i'm completely lost. Does that mean that the "old", non-labeled
> approach is not used anymore? 

Seems that way, yes, at least part of the old approach.


* [refpolicy] [PATCH/RFC 2/2] Add minidlna policy
  2013-05-02 19:52       ` Dominick Grift
  2013-05-03  7:08         ` Dominick Grift
@ 2013-05-03 13:47         ` Christopher J. PeBenito
  2013-05-03 17:21           ` Sven Vermeulen
  1 sibling, 1 reply; 18+ messages in thread
From: Christopher J. PeBenito @ 2013-05-03 13:47 UTC (permalink / raw)
  To: refpolicy

On 05/02/13 15:52, Dominick Grift wrote:
> On Thu, 2013-05-02 at 21:23 +0200, Sven Vermeulen wrote:
>> On Thu, May 02, 2013 at 05:41:25PM +0200, Dominick Grift wrote:
>>>> +corenet_sendrecv_trivnet1_client_packets(minidlna_t)
>>>> +corenet_sendrecv_trivnet1_server_packets(minidlna_t)
>>>> +corenet_tcp_bind_trivnet1_port(minidlna_t)
>>>> +
>>>
>>> Another oversight
>>>
>>> You do not need the "client_packets" interface calls if the domain does
>>> not connect to the port
>>>
>>> In this case minidlna domain only binds tcp sockets to trivnet1 ports,
>>> and udp sockets to ssdp ports
>>
>> I must admit, I never understood (and still don't understand) the networking
>> aspects in more detail. The corenet_sendrecv_*_packets() interfaces are for
>> the SECMARK labeled usage, right?
> 
> Good question, and i am not sure.

Yes, they are used for SECMARK.

> I just know/remember the behavior as i've experienced it. I just do not
> remember if it was due to secmark or compat_net or something else.
> 
> Could be just how selinux network controls were previously configured by
> default on fedora in the past (compat_net?). In that case it is still
> good to support backwards compatibility.

As you mentioned in a later email, compat_net has been removed.  The SELinux network access controls are only SECMARK now.

> I just remember that "client_packets" correspond to connecting to a
> port, and "server_packets" correspond to binding sockets to a port.

Yes, the premise was to differentiate incoming and outgoing packets.  For example if you ssh out of a system that has a sshd, you want to separate the packets going to sshd from those going to the ssh client.

>> The interfaces assume that iptables (or whatever you use) labels the packets
>> as trivnet1_client_packet_t or trivnet1_server_packet_t. Does that mean
>> that, in case of a daemon (which does not connect to remote ports, i.e. act
>> as a client) we assume that iptables marks it as trivnet1_server_packet_t?
>>
>> And that, if we would connect to a remote site somehow, these packets would
>> be assumed to be marked trivnet1_client_packet_t?
> 
> I am just not sure, sorry. Maybe Chris or Paul Moore can shed some more
> light on this.

Yes.  I think what you're confused on is that SECMARK labels are local only.  They are not transferred over the network like labeled IPSEC or NetLabel/CIPSO.  The object class for those labels is peer.  The only remaining permissions on port types is name_bind and name_connect.

>> Also, if a system would use SECMARK, are the following interfaces then no
>> longer needed (as these are the "old" ones)?
>>   - corenet_all_recvfrom_unlabeled
>>   - corenet_tcp_sendrecv_generic_if
>>   - corenet_tcp_sendrecv_generic_node
>>   - corenet_tcp_bind_generic_node 
>>   - corenet_tcp_bind_*_port
>>   - corenet_tcp_sendrecv_*_port
>>
>>> i think we also need these:
>>>
>>> corenet_tcp_sendrecv_trivnet1_port(minidlna_t)
>>> corenet_udp_sendrecv_ssdp_port(minidlna_t)
>>
>> From the looks of it, you're right, as minidlna_t currently doesn't have {
>> send_msg recv_msg } rights on the trivnet1_port_t's tcp_socket. The weird
>> thing is, my minidlna server is running just fine and my TV can connect and
>> play stuff from the server. I'm not running a firewall that labels the
>> packets either, so what gives?

These permissions are no longer checked, as they are replaced by the SECMARK/packet permissions.


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

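The iptables side of what Chris describes, as an added example that is not code from the thread, refpolicy or minidlna: a POSIX sh helper that prints the SECMARK rules giving a port's packets the `<name>_server_packet_t` label (all a bind-only daemon such as minidlna on trivnet1 needs) or the `<name>_client_packet_t` label (only when the domain itself connects out), which is exactly Dominick's point about the unneeded `client_packets` call. The `SECMARK` target and its `--selctx` option are real iptables features; the function names and the server/client/both roles are this example's own.

```shell
#!/bin/sh
# Added example (not code from the refpolicy thread or from minidlna).
# Prints, without applying, the iptables rules that give a port's traffic the
# SECMARK labels that corenet_sendrecv_<name>_{server,client}_packets() refer
# to, using the refpolicy naming seen in the thread (trivnet1_server_packet_t
# and trivnet1_client_packet_t). SECMARK labels are local to this host only.
#
# Usage: secmark_rules <port name> <proto> <port> [server|client|both]
#   server: the domain only binds the port (minidlna on tcp 8200)
#   client: the domain only connects out to the port
#   both:   e.g. a host running sshd whose users also run ssh
secmark_rules() {
    name=$1; proto=$2; port=$3; role=${4:-server}
    server_ctx="system_u:object_r:${name}_server_packet_t:s0"
    client_ctx="system_u:object_r:${name}_client_packet_t:s0"
    want_server=0; want_client=0
    case $role in
    server) want_server=1 ;;
    client) want_client=1 ;;
    both)   want_server=1; want_client=1 ;;
    *) echo "secmark_rules: unknown role '$role'" >&2; return 1 ;;
    esac
    if [ "$want_server" -eq 1 ]; then
        # Packets addressed to the locally bound port, and the replies it sends.
        echo "iptables -t mangle -A INPUT  -p $proto --dport $port -j SECMARK --selctx $server_ctx"
        echo "iptables -t mangle -A OUTPUT -p $proto --sport $port -j SECMARK --selctx $server_ctx"
    fi
    if [ "$want_client" -eq 1 ]; then
        # Packets a local client sends to a remote instance of the port, and replies.
        echo "iptables -t mangle -A OUTPUT -p $proto --dport $port -j SECMARK --selctx $client_ctx"
        echo "iptables -t mangle -A INPUT  -p $proto --sport $port -j SECMARK --selctx $client_ctx"
    fi
}

# Number of SECMARK rules a role produces (2 for server or client, 4 for both).
secmark_rule_count() {
    secmark_rules "$@" | grep -c SECMARK
}

# minidlna only binds the port, so the "client_packets" interface and the
# client-side rules are not needed:
secmark_rules trivnet1 tcp 8200 server
```

In practice these rules are paired with `-j CONNSECMARK --save` on new connections and `--restore` on established ones so every packet of a connection keeps its label. Once any SECMARK rule is loaded the kernel starts checking packet send/recv, and packets no rule matched carry unlabeled_t, which is what corenet_all_recvfrom_unlabeled covers.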

* [refpolicy] [PATCH/RFC 2/2] Add minidlna policy
  2013-05-03 13:47         ` Christopher J. PeBenito
@ 2013-05-03 17:21           ` Sven Vermeulen
  2013-05-03 17:38             ` Christopher J. PeBenito
  0 siblings, 1 reply; 18+ messages in thread
From: Sven Vermeulen @ 2013-05-03 17:21 UTC (permalink / raw)
  To: refpolicy

On Fri, May 03, 2013 at 09:47:26AM -0400, Christopher J. PeBenito wrote:
> As you mentioned in a later email, compat_net has been removed.  The SELinux network access controls are only SECMARK now.
> 
[...]
> Yes.  I think what you're confused on is that SECMARK labels are local only.  They are not transferred over the network like labeled IPSEC or NetLabel/CIPSO.  The object class for those labels is peer.  The only remaining permissions on port types is name_bind and name_connect.

So for each port type that we declare, the corenet_{tcp,udp}_sendrecv_*_port
is actually void now? Only corenet_{tcp,udp}_{bind,connect}_*_port is then
used?

It starts making sense.

Even if SECMARK is used, the bind/connect is still needed, right?

Wkr,
	Sven Vermeulen


* [refpolicy] [PATCH/RFC 2/2] Add minidlna policy
  2013-05-03 17:21           ` Sven Vermeulen
@ 2013-05-03 17:38             ` Christopher J. PeBenito
  0 siblings, 0 replies; 18+ messages in thread
From: Christopher J. PeBenito @ 2013-05-03 17:38 UTC (permalink / raw)
  To: refpolicy

On 05/03/13 13:21, Sven Vermeulen wrote:
> On Fri, May 03, 2013 at 09:47:26AM -0400, Christopher J. PeBenito wrote:
>> As you mentioned in a later email, compat_net has been removed.  The SELinux network access controls are only SECMARK now.
>>
> [...]
>> Yes.  I think what you're confused on is that SECMARK labels are local only.  They are not transferred over the network like labeled IPSEC or NetLabel/CIPSO.  The object class for those labels is peer.  The only remaining permissions on port types is name_bind and name_connect.
> 
> So for each port type that we declare, the corenet_{tcp,udp}_sendrecv_*_port
> is actually void now? Only corenet_{tcp,udp}_{bind,connect}_*_port is then
> used?

Yes.  In fact, I've been looking at removing the port send/recv and any other old, unused networking rules.

> It starts making sense.
> 
> Even if SECMARK is used, the bind/connect is still needed, right?

Yes.  Those permissions are always checked.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
