* [refpolicy] [PATCH] afs: update labels, file contexts and allow access to urandom
From: chas williams - CONTRACTOR @ 2015-01-05 15:14 UTC (permalink / raw)
  To: refpolicy

From 55664436e0d88d7414b5a234bbe287c6739f4f35 Mon Sep 17 00:00:00 2001
From: Chas Williams - CONTRACTOR <chas@cmf.nrl.navy.mil>
Date: Sun, 4 Jan 2015 19:19:15 -0500
Subject: [PATCH] afs: update labels, file contexts and allow access to urandom

Label the DAFS (demand attached) fileserver binaries afs_fsserver_exec_t.

Set the fcontext for the fileserver /vicep partitions and their contents.
Also set fcontext on the openafs-server init script.

Allow OpenAFS server binaries to access urandom.
---
 afs.fc | 14 +++++++++++---
 afs.te |  8 ++++++++
 2 files changed, 19 insertions(+), 3 deletions(-)

diff --git a/afs.fc b/afs.fc
index 8926c16..279b787 100644
--- a/afs.fc
+++ b/afs.fc
@@ -1,13 +1,18 @@
 /etc/(open)?afs(/.*)?	gen_context(system_u:object_r:afs_config_t,s0)
 
 /etc/rc\.d/init\.d/openafs-client	--	gen_context(system_u:object_r:afs_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/openafs-server	--	gen_context(system_u:object_r:afs_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/(open)?afs	--	gen_context(system_u:object_r:afs_initrc_exec_t,s0)
 
 /usr/afs/bin/bosserver	--	gen_context(system_u:object_r:afs_bosserver_exec_t,s0)
+/usr/afs/bin/dafileserver --	gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
+/usr/afs/bin/dasalvager	--	gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
+/usr/afs/bin/davolserver --	gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
 /usr/afs/bin/fileserver	--	gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
 /usr/afs/bin/kaserver	--	gen_context(system_u:object_r:afs_kaserver_exec_t,s0)
 /usr/afs/bin/ptserver	--	gen_context(system_u:object_r:afs_ptserver_exec_t,s0)
 /usr/afs/bin/salvager	--	gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
+/usr/afs/bin/salvageserver --	gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
 /usr/afs/bin/volserver	--	gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
 /usr/afs/bin/vlserver	--	gen_context(system_u:object_r:afs_vlserver_exec_t,s0)
 
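Review bot: the new dafileserver, davolserver and salvageserver lines in this hunk put a space between the path and the `--` flag where every neighbouring entry (and the new dasalvager line) uses a tab; align all four with tabs so the column layout of afs.fc stays uniform. For the init script, `/etc/rc\.d/init\.d/(open)?afs` cannot match the hyphenated `openafs-server`, so a dedicated entry is needed, but it could be merged with the client line as `/etc/rc\.d/init\.d/openafs-(client|server)` since both carry afs_initrc_exec_t.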
@@ -22,10 +27,14 @@
 
 /usr/afs/logs(/.*)?	gen_context(system_u:object_r:afs_logfile_t,s0)
 
+/usr/libexec/openafs/dafileserver --	gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
+/usr/libexec/openafs/dasalvager	--	gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
+/usr/libexec/openafs/davolserver --	gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
 /usr/libexec/openafs/fileserver	--	gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
 /usr/libexec/openafs/kaserver	--	gen_context(system_u:object_r:afs_kaserver_exec_t,s0)
 /usr/libexec/openafs/ptserver	--	gen_context(system_u:object_r:afs_ptserver_exec_t,s0)
 /usr/libexec/openafs/salvager	--	gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
+/usr/libexec/openafs/salvagerserver --	gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
 /usr/libexec/openafs/volserver	--	gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
 /usr/libexec/openafs/vlserver	--	gen_context(system_u:object_r:afs_vlserver_exec_t,s0)
 
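Review bot: `/usr/libexec/openafs/salvagerserver` in this hunk does not agree with `/usr/afs/bin/salvageserver` in the previous hunk. OpenAFS installs the demand-attach salvage daemon as `salvageserver`, so this entry never matches anything, and a libexec-layout install would leave that binary without afs_fsserver_exec_t and outside the fileserver policy the patch is extending to the DAFS daemons; change it to `/usr/libexec/openafs/salvageserver`. The same tab-versus-space alignment point as in the previous hunk applies to the dafileserver and davolserver lines here.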
@@ -37,6 +46,5 @@
 
 /var/cache/(open)?afs(/.*)?	gen_context(system_u:object_r:afs_cache_t,s0)
 
-/vicepa	gen_context(system_u:object_r:afs_files_t,s0)
-/vicepb	gen_context(system_u:object_r:afs_files_t,s0)
-/vicepc	gen_context(system_u:object_r:afs_files_t,s0)
+/vicep[a-z][a-z]?(/.*)? gen_context(system_u:object_r:afs_files_t,s0)
+
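Review bot: the final `+` line of this hunk adds an empty line at the end of afs.fc; drop it, since the file did not end with a blank line before. On `/vicep[a-z][a-z]?(/.*)?`: the three entries it replaces covered only the mount-point directories, while the new one also labels everything underneath, which is what the commit message intends, but a file_contexts change only takes effect on relabel, so existing servers need `restorecon -R /vicep*` after installing the policy for the volume data inside already-mounted partitions to become afs_files_t. That is worth a sentence in the commit message.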
diff --git a/afs.te b/afs.te
index 90ce637..6ba667d 100644
--- a/afs.te
+++ b/afs.te
@@ -140,6 +140,8 @@ files_read_usr_files(afs_bosserver_t)
 
 seutil_read_config(afs_bosserver_t)
 
+dev_read_urand(afs_bosserver_t)
+
 ########################################
 #
 # fileserver local policy
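Review bot: `dev_read_urand(afs_bosserver_t)` is justified in the commit message only by "allow OpenAFS server binaries to access urandom"; include the AVC denial that prompted it (source domain, urandom_device_t target, chr_file read) and what the daemon was doing at the time, so a reviewer can tell a genuine crypto-library read from an incidental one. Placement: refpolicy keeps interface calls grouped by module prefix in alphabetical order, so this call belongs before `files_read_usr_files(afs_bosserver_t)` rather than appended after `seutil_read_config()`; the same applies to the other three `dev_read_urand()` additions below.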
@@ -206,6 +208,8 @@ seutil_read_config(afs_fsserver_t)
 
 userdom_dontaudit_use_user_terminals(afs_fsserver_t)
 
+dev_read_urand(afs_fsserver_t)
+
 ########################################
 #
 # kaserver local policy
@@ -276,6 +280,8 @@ corenet_sendrecv_afs_pt_server_packets(afs_ptserver_t)
 
 userdom_dontaudit_use_user_terminals(afs_ptserver_t)
 
+dev_read_urand(afs_ptserver_t)
+
 ########################################
 #
 # vlserver local policy
@@ -307,6 +313,8 @@ corenet_sendrecv_afs_vl_server_packets(afs_vlserver_t)
 
 userdom_dontaudit_use_user_terminals(afs_vlserver_t)
 
+dev_read_urand(afs_vlserver_t)
+
 ########################################
 #
 # Global local policy
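Review bot: `dev_read_urand()` is added for afs_bosserver_t, afs_fsserver_t, afs_ptserver_t and afs_vlserver_t but not for afs_kaserver_t, whose block sits between these hunks. If the access comes from a shared crypto library rather than from server-specific code, kaserver will hit the same denial; either add the call there as well or say in the commit message why kaserver is left out.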
-- 
1.9.3
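As an added example, not part of the patch or of refpolicy: the file-context lookups this patch changes can be checked offline by emulating what libselinux does with a file_contexts file. Each entry's regular expression must match the whole path, an optional type flag (`--` regular file, `-d` directory, and so on) restricts the entry to one inode type, and when several entries match, the last one in the file wins (refpolicy's build sorts the file with fc_sort so that more specific entries land later). The entries below are a constructed subset of the afs.fc lines in the patch, kept with the patch's spellings; the paths looked up and the `ftype` strings are the example's own.

```python
import re
from typing import Any, NamedTuple, Optional

# file_contexts type flags as libselinux understands them; an entry with no
# flag applies to any inode type.
FTYPE_FLAGS = {"--": "file", "-d": "dir", "-c": "chr", "-b": "blk",
               "-s": "sock", "-l": "lnk", "-p": "fifo"}

# Constructed subset of afs.fc as it reads after the patch (spellings kept
# as posted, including "salvagerserver" in the libexec entry).
AFS_FC = r"""
/etc/(open)?afs(/.*)?   gen_context(system_u:object_r:afs_config_t,s0)
/etc/rc\.d/init\.d/openafs-client   --  gen_context(system_u:object_r:afs_initrc_exec_t,s0)
/etc/rc\.d/init\.d/openafs-server   --  gen_context(system_u:object_r:afs_initrc_exec_t,s0)
/etc/rc\.d/init\.d/(open)?afs   --  gen_context(system_u:object_r:afs_initrc_exec_t,s0)
/usr/libexec/openafs/fileserver --  gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
/usr/libexec/openafs/salvager   --  gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
/usr/libexec/openafs/salvagerserver --  gen_context(system_u:object_r:afs_fsserver_exec_t,s0)
/vicep[a-z][a-z]?(/.*)? gen_context(system_u:object_r:afs_files_t,s0)
"""


class Spec(NamedTuple):
    regex: Any               # compiled re.Pattern
    ftype: Optional[str]     # None: matches any inode type
    context: str


def parse_fc(text):
    """Parse gen_context()-style file_contexts lines into Spec entries, in file order."""
    specs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 3:
            regex, flag, ctx = fields
            ftype = FTYPE_FLAGS[flag]           # KeyError on an unknown flag
        elif len(fields) == 2:
            regex, ctx = fields
            ftype = None
        else:
            raise ValueError("malformed file_contexts entry: %r" % raw)
        m = re.fullmatch(r"gen_context\(([^,]+),([^)]+)\)", ctx)
        if m is None:
            raise ValueError("expected gen_context(...) in: %r" % raw)
        # fullmatch() below anchors the regex at both ends, as libselinux does.
        specs.append(Spec(re.compile(regex), ftype, m.group(1) + ":" + m.group(2)))
    return specs


def lookup(specs, path, ftype="file"):
    """Context of the last matching entry for path, or None if nothing matches."""
    for spec in reversed(specs):
        if spec.ftype is not None and spec.ftype != ftype:
            continue
        if spec.regex.fullmatch(path):
            return spec.context
    return None


def selinux_type(context):
    """The type field of a user:role:type:level context, or None."""
    return None if context is None else context.split(":")[2]


SPECS = parse_fc(AFS_FC)

if __name__ == "__main__":
    checks = [
        ("/etc/rc.d/init.d/openafs-server", "file"),
        ("/etc/rc.d/init.d/openafs-server", "dir"),
        ("/usr/libexec/openafs/salvageserver", "file"),
        ("/usr/libexec/openafs/salvagerserver", "file"),
        ("/vicepa", "dir"),
        ("/vicepaa/AFSIDat/+/vol", "file"),
        ("/vicepaaa", "dir"),
    ]
    for path, ftype in checks:
        print("%-40s %-4s %s" % (path, ftype, selinux_type(lookup(SPECS, path, ftype))))
```

The two lookups worth noticing are `/usr/libexec/openafs/salvageserver`, which matches nothing because the patch spells the libexec entry `salvagerserver`, and `/vicepaaa`, which the two-letter partition regex correctly rejects. On a system with the policy installed the same checks are `matchpathcon -n <path>`, which reads the installed file_contexts rather than this constructed subset.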

* [refpolicy] [PATCH] afs: update labels, file contexts and allow access to urandom
From: Dominick Grift @ 2015-01-05 18:10 UTC (permalink / raw)
  To: refpolicy

On Mon, Jan 05, 2015 at 10:14:36AM -0500, chas williams - CONTRACTOR wrote:
> From 55664436e0d88d7414b5a234bbe287c6739f4f35 Mon Sep 17 00:00:00 2001
> From: Chas Williams - CONTRACTOR <chas@cmf.nrl.navy.mil>
> Date: Sun, 4 Jan 2015 19:19:15 -0500
> Subject: [PATCH] afs: update labels, file contexts and allow access to urandom
> 
> Label the DAFS (demand attached) fileserver binaries afs_fsserver_exec_t.
> 
> Set the fcontext for the fileserver /vicep partitions and their contents.
> Also set fcontext on the openafs-server init script.
> 
> Allow OpenAFS server binaries to access urandom.

Thanks, this patch was applied. I made a minor style-related change, plus I removed a stray newline.

I suspect that the urandom access is part of nsswitch functionality (getpw?) because I also see other rules that match that pattern.

1. reading etc_t files (nsswitch.conf)
2. create udp sockets (dns udp)
3. list pids (for stream connecting to nscd if the socket is there)
4. sysnet read config (reading resolv.conf)

When reviewing the afs policy I also noticed some obviously redundant and wrong rules, which I removed in a different commit 8bc232786bb2f84054108c6b8d22e312d40c256f


-- 
Dominick Grift

* [refpolicy] [PATCH] afs: update labels, file contexts and allow access to urandom
From: chas williams - CONTRACTOR @ 2015-01-05 18:58 UTC (permalink / raw)
  To: refpolicy

On Mon, 5 Jan 2015 19:10:45 +0100
Dominick Grift <dac.override@gmail.com> wrote:

> I suspect that the urandom access is part of nsswitch functionality (getpw?) because i also see other rules that match that pattern.

I suspect it is due to more recent versions of OpenAFS being linked
against heimdal (or your native krb5 libraries).  I suspect it is
possible that the libraries might attempt to read random, but allowing
reading of urandom should hopefully be sufficient.

From hcrypto/rand-unix.c:

#include <fcntl.h>
#include <stddef.h>

int
_hc_unix_device_fd(int flags, const char **fn)
{
    static const char *rnd_devices[] = {
        "/dev/urandom",
        "/dev/random",
        "/dev/srandom",
        "/dev/arandom",
        NULL
    };
    /* Body completed here to make the quoted fragment compile: try the devices in
     * the order listed and return the first that opens; heimdal's own code differs in detail. */
    for (const char **p = rnd_devices; *p != NULL; p++) {
        int fd = open(*p, flags | O_NONBLOCK);
        if (fd >= 0) {
            if (fn != NULL) *fn = *p;
            return fd;
        }
    }
    return -1;
}

> When reviewing the afs policy i also noticed some obvious redundant and wrong rules which i removed in a different commit 8bc232786bb2f84054108c6b8d22e312d40c256f

Thanks!
