SELinux-Refpolicy Archive on lore.kernel.org
 help / color / Atom feed
* [PATCH] add lldpd policy
@ 2019-06-10 14:20 Alexander Miroshnichenko
  2019-06-15 16:08 ` Chris PeBenito
  0 siblings, 1 reply; 8+ messages in thread
From: Alexander Miroshnichenko @ 2019-06-10 14:20 UTC (permalink / raw)
  To: selinux-refpolicy; +Cc: Alexander Miroshnichenko

New policy for lldpd ( http://vincentbernat.github.io/lldpd ).

Signed-off-by: Alexander Miroshnichenko <alex@millerson.name>
---
 policy/modules/roles/sysadm.te   |   4 +
 policy/modules/services/lldpd.fc |   9 ++
 policy/modules/services/lldpd.if | 206 +++++++++++++++++++++++++++++++
 policy/modules/services/lldpd.te |  80 ++++++++++++
 4 files changed, 299 insertions(+)
 create mode 100644 policy/modules/services/lldpd.fc
 create mode 100644 policy/modules/services/lldpd.if
 create mode 100644 policy/modules/services/lldpd.te

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 8f891c83865f..ea4e06a29e30 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -595,6 +595,10 @@ optional_policy(`
 	lldpad_admin(sysadm_t, sysadm_r)
 ')
 
+optional_policy(`
+        lldp_admin(sysadm_t, sysadm_r)
+')
+
 optional_policy(`
 	lockdev_role(sysadm_r, sysadm_t)
 ')
diff --git a/policy/modules/services/lldpd.fc b/policy/modules/services/lldpd.fc
new file mode 100644
index 000000000000..997a80a3baf9
--- /dev/null
+++ b/policy/modules/services/lldpd.fc
@@ -0,0 +1,9 @@
+/etc/lldpd.conf		--	gen_context(system_u:object_r:lldpd_etc_t,s0)
+/etc/lldpd.d(/.*)?		gen_context(system_u:object_r:lldpd_etc_t,s0)
+
+/usr/sbin/lldpd		--	gen_context(system_u:object_r:lldpd_exec_t,s0)
+/usr/sbin/lldpcli         --      gen_context(system_u:object_r:lldp_cli_exec_t,s0)
+
+/run/lldpd		-d      gen_context(system_u:object_r:lldpd_var_run_t,s0)
+/run/lldpd(/.*)?		gen_context(system_u:object_r:lldpd_var_run_t,s0)
+/run/lldpd.pid		--	gen_context(system_u:object_r:lldpd_var_run_t,s0)
diff --git a/policy/modules/services/lldpd.if b/policy/modules/services/lldpd.if
new file mode 100644
index 000000000000..f7030b1ead19
--- /dev/null
+++ b/policy/modules/services/lldpd.if
@@ -0,0 +1,206 @@
+
+## <summary>policy for lldpd</summary>
+
+########################################
+## <summary>
+##	Execute lldpd_exec_t in the lldpd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`lldpd_domtrans',`
+	gen_require(`
+		type lldpd_t, lldpd_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, lldpd_exec_t, lldpd_t)
+')
+
+########################################
+## <summary>
+##      Execute a domain transition to run lldpcli.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed to transition.
+##      </summary>
+## </param>
+#
+interface(`lldp_cli_domtrans',`
+        gen_require(`
+                type lldp_cli_t, lldp_cli_exec_t;
+        ')
+
+        corecmd_search_bin($1)
+        can_exec($1, lldp_cli_exec_t)
+        domtrans_pattern($1, lldp_cli_exec_t, lldp_cli_t)
+')
+
+########################################
+## <summary>
+##      Execute lldpcli in the lldp_cli domain,
+##      and allow the specified role
+##      the lldp_cli domain.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed to transition.
+##      </summary>
+## </param>
+## <param name="role">
+##      <summary>
+##      Role allowed access.
+##      </summary>
+## </param>
+#
+interface(`lldp_cli_run',`
+        gen_require(`
+                type lldp_cli_t;
+        ')
+
+        lldp_cli_domtrans($1)
+        role $2 types lldp_cli_t;
+')
+
+######################################
+## <summary>
+##	Execute lldpd in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`lldpd_exec',`
+	gen_require(`
+		type lldpd_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, lldpd_exec_t)
+')
+
+########################################
+## <summary>
+##	Search lldpd conf directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`lldpd_search_conf',`
+	gen_require(`
+		type lldpd_etc_t;
+	')
+
+	allow $1 lldpd_etc_t:dir search_dir_perms;
+	files_search_etc($1)
+')
+
+########################################
+## <summary>
+##	Read lldpd conf files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`lldpd_read_conf_files',`
+	gen_require(`
+		type lldpd_etc_t;
+	')
+
+	allow $1 lldpd_etc_t:dir list_dir_perms;
+	read_files_pattern($1, lldpd_etc_t, lldpd_etc_t)
+	files_search_etc($1)
+')
+
+########################################
+## <summary>
+##	Manage lldpd conf files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`lldpd_manage_conf_files',`
+	gen_require(`
+		type lldpd_etc_t;
+	')
+
+	manage_files_pattern($1, lldpd_etc_t, lldpd_etc_t)
+	files_search_etc($1)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##      lldpd PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`lldpd_manage_pid_files',`
+	gen_require(`
+		type lldpd_var_run_t;
+	')
+
+	files_search_pids($1)
+	manage_files_pattern($1, lldpd_var_run_t, lldpd_var_run_t)
+	manage_dirs_pattern($1, lldpd_var_run_t, lldpd_var_run_t)
+')
+
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an lldpd environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`lldp_admin',`
+	gen_require(`
+		type lldpd_t;
+		type lldpd_etc_t;
+		type lldpd_var_run_t;
+	')
+
+	allow $1 lldpd_t:process { signal_perms };
+	ps_process_pattern($1, lldpd_t)
+
+    tunable_policy(`allow_ptrace',`
+        allow $1 lldpd_t:process ptrace;
+    ')
+
+	files_search_etc($1)
+	admin_pattern($1, lldpd_etc_t)
+
+	files_search_pids($1)
+	admin_pattern($1, lldpd_var_run_t)
+
+	lldp_cli_run($1, $2)
+')
diff --git a/policy/modules/services/lldpd.te b/policy/modules/services/lldpd.te
new file mode 100644
index 000000000000..9a0f68dc4b7b
--- /dev/null
+++ b/policy/modules/services/lldpd.te
@@ -0,0 +1,80 @@
+policy_module(lldpd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type lldpd_t;
+type lldpd_exec_t;
+init_daemon_domain(lldpd_t, lldpd_exec_t)
+
+type lldp_cli_t;
+type lldp_cli_exec_t;
+init_system_domain(lldp_cli_t, lldp_cli_exec_t)
+application_domain(lldp_cli_t, lldp_cli_exec_t)
+
+type lldpd_etc_t;
+files_config_file(lldpd_etc_t)
+
+type lldpd_var_run_t;
+files_pid_file(lldpd_var_run_t)
+init_daemon_pid_file(lldpd_var_run_t, dir, "lldpd")
+typealias lldpd_var_run_t alias lldp_sock_t;
+
+########################################
+#
+# lldpd local policy
+#
+allow lldpd_t self:capability { chown dac_override fowner fsetid kill net_admin net_raw setgid setuid sys_chroot };
+allow lldpd_t self:process { fork signal_perms };
+allow lldpd_t self:fifo_file rw_fifo_file_perms;
+allow lldpd_t self:unix_stream_socket { accept listen };
+allow lldpd_t lldp_sock_t:sock_file { create_sock_file_perms delete_sock_file_perms setattr };
+allow lldpd_t self:packet_socket create_socket_perms;
+
+lldp_cli_domtrans(lldpd_t)
+
+kernel_read_net_sysctls(lldpd_t)
+
+lldpd_read_conf_files(lldpd_t)
+
+lldpd_manage_pid_files(lldpd_t)
+manage_sock_files_pattern(lldpd_t, lldpd_var_run_t, lldpd_var_run_t)
+manage_lnk_files_pattern(lldpd_t, lldpd_var_run_t, lldpd_var_run_t)
+files_pid_filetrans(lldpd_t, lldpd_var_run_t, {file dir sock_file})
+
+domain_use_interactive_fds(lldpd_t)
+
+files_read_etc_files(lldpd_t)
+
+logging_send_syslog_msg(lldpd_t)
+
+miscfiles_read_localization(lldpd_t)
+
+sysnet_dns_name_resolve(lldpd_t)
+
+########################################
+#
+# lldp_cli local policy
+#
+allow lldp_cli_t self:capability dac_override;
+allow lldp_cli_t self:unix_dgram_socket { connect create };
+allow lldp_cli_t self:unix_stream_socket { connect create read write };
+allow lldp_cli_t self:process signal;
+
+allow lldp_cli_t lldpd_t:unix_stream_socket connectto;
+allow lldp_cli_t lldpd_var_run_t:sock_file { read write };
+
+lldpd_read_conf_files(lldp_cli_t)
+
+logging_send_syslog_msg(lldp_cli_t)
+
+files_dontaudit_read_etc_files(lldp_cli_t)
+
+miscfiles_read_localization(lldp_cli_t)
+
+domain_use_interactive_fds(lldp_cli_t)
+userdom_use_user_ptys(lldp_cli_t)
+
+init_dontaudit_use_script_ptys(lldp_cli_t)
-- 
2.21.0


^ permalink raw reply	[flat|nested] 8+ messages in thread

end of thread, back to index

Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-06-10 14:20 [PATCH] add lldpd policy Alexander Miroshnichenko
2019-06-15 16:08 ` Chris PeBenito
2019-06-15 17:58   ` Dominick Grift
2019-06-15 19:24     ` Chris PeBenito
2019-06-15 19:43       ` Dominick Grift
2019-06-17 12:23   ` Alexander Miroshnichenko
2019-06-17 12:42   ` [PATCH v2] Add " Alexander Miroshnichenko
2019-06-24  1:15     ` Chris PeBenito

SELinux-Refpolicy Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/selinux-refpolicy/0 selinux-refpolicy/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 selinux-refpolicy selinux-refpolicy/ https://lore.kernel.org/selinux-refpolicy \
		selinux-refpolicy@vger.kernel.org
	public-inbox-index selinux-refpolicy

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.selinux-refpolicy


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git