Section 14.6. Complete IRC Daemon Module Listings


14.6. Complete IRC Daemon Module Listings

For completeness, we conclude this chapter with complete listings of the IRC daemon modules for both the example and reference policy.

Listing 14-11. Example Policy: IRC Daemon Policy Module File (ircd.te)

1      ################################################### 2      # 3      # ircd policy module 4      # 5      # file: ircd.te 6      # 7 8      ################################################### 9      # 10     # Type declarations 11     # 12 13     # ircd domain 14     type ircd_t, domain; 15 16     # ircd entrypoint 17     type ircd_exec_t, file_type, exec_type; 18 19     # PID file /var/run/ircd.pid 20     type ircd_var_run_t, file_type; 21 22     # configuration files 23     type ircd_conf_t, file_type, sysadmfile; 24 25     # log files 26     type ircd_log_t, file_type, sysadmfile, logfile; 27 28     # files and directories under /var/lib/ircd 29     type ircd_var_lib_t, file_type, sysadmfile; 30 31     ################################################### 32     # 33     # Ircd - core access 34     # 35 36     # allow ircd_t to fork copies of itself 37     allow ircd_t self : process fork; 38     # Log files - create, read, and append 39     allow ircd_t var_log_t : dir ra_dir_perms; 40     allow ircd_t ircd_log_t : dir ra_dir_perms; 41     allow ircd_t ircd_log_t : file { create ra_file_perms }; 42     type_transition ircd_t var_log_t : { file dir } ircd_log_t; 43 44     # Configuration files - read 45     allow ircd_t ircd_conf_t : dir r_dir_perms; 46     allow ircd_t ircd_conf_t : file r_file_perms; 47     allow ircd_t ircd_conf_t : lnk_file { getattr read }; 48     dontaudit ircd_t ircd_conf_t : file write; 49 50     # PID file - create, read, and write 51     file_type_auto_trans(ircd_t, var_run_t, ircd_var_run_t, file) 52     allow ircd_t var_t : dir search; 53 54     # /var/lib/ircd files/dirs - create, read, write 55     file_type_auto_trans(ircd_t, var_lib_t, ircd_var_lib_t, file) 56     allow ircd_t ircd_var_lib_t : dir rw_dir_perms; 57 58     # Network access - the ircd daemon is allowed to send 59     # and receive network data to all nodes and ports over 60     # all network interfaces (through the can_network_server 61     # macro). Additionally, it can name_bind to the ircd 62     # port (ircd_port_t). 63     allow ircd_t ircd_port_t:tcp_socket name_bind; 64     can_network_server(ircd_t) 65 66     # use shared libraries 67     uses_shlib(ircd_t) 68 69     # read localization data 70     read_locale(ircd_t) 71 72     # read common directories / files including 73     #    * /etc/resolv.conf (etc_t) 74     #     * proc 75     #     * /dev/null 76     #     * system variables 77     allow ircd_t etc_t : file r_file_perms; 78     allow ircd_t { self proc_t }:dir r_dir_perms; 79     allow ircd_t { self proc_t }:lnk_file { getattr read }; 80     allow ircd_t null_device_t:chr_file rw_file_perms; 81     allow ircd_t sysctl_type:dir r_dir_perms; 82     allow ircd_t sysctl_type:file r_file_perms; 83     allow ircd_t sysctl_t:dir search; 84     allow ircd_t sysctl_kernel_t:dir search; 85     allow ircd_t sysctl_kernel_t:file { getattr read }; 86 87     ################################################# 88     # 89     # Domain Transitions and Role Authorizations 90     # 91 92     role system_r types ircd_t; 93 94     # allow init to start ircd 95     domain_auto_trans(initrc_t, ircd_exec_t, ircd_t) 96 97     # allow sysadm_t to start ircd_t 98     domain_auto_trans(sysadm_t, ircd_exec_t, ircd_t) 99     role_transition sysadm_r ircd_exec_t system_r; 100    # dontaudit use of the sysadm_r terminal 101    dontaudit ircd_t sysadm_devpts_t : chr_file { getattr read write }; 102 103    ################################################# 104    # 105    # Integrate Into System Policy 106    # 107 108    ifdef(`logrotate.te', ` 109        allow logrotate_t ircd_var_run_t:dir search; 110        allow logrotate_t ircd_var_run_t:file { getattr read }; 111    ')

Listing 14-12. Example Policy: IRC Daemon File Contexts File (ircd.fc)

1      # ircd labeling policy 2      # file: ircd.fc 3      /usr/bin/ircd         --       system_u:object_r:ircd_exec_t 4      /etc/ircd(/.*)?               system_u:object_r:ircd_conf_t 5      /var/log/ircd(/.*)?           system_u:object_r:ircd_log_t 6      /var/lib/ircd(/.*)?           system_u:object_r:ircd_var_lib_t 7      /var/run/ircd(/.*)?           system_u:object_r:ircd_var_run_t

Listing 14-13. Reference Policy: IRC Daemon Private Policy File (ircd.te)

1      ######################################## 2      # 3      # Reference Policy ircd policy module 4      # 5      # file: ircd.te 6      # 7 8      # Ircd policy module declaration 9      policy_module(ircd, 1.0) 10 11     ######################################## 12     # 13     # Type declarations 14     # 15 16     # ircd domain 17     type ircd_t; 18 19     # ircd entrypoint 20     type ircd_exec_t; 21 22     # mark ircd_t as a domain and ircd_exec_t 23     # as an entrypoint into that domain 24     init_daemon_domain(ircd_t, ircd_exec_t) 25 26     # PID file /var/run/ircd.pid 27     type ircd_var_run_t; 28     files_pid_file(ircd_var_run_t) 29 30     # configuration files 31     type ircd_conf_t; 32     files_config_file(ircd_conf_t) 33 34     # log files 35     type ircd_log_t; 36     logging_log_file(ircd_log_t) 37 38     # files and directories under /var/lib/ircd 39     type ircd_var_lib_t; 40     files_type(ircd_var_lib_t) 41 42     ########################################## 43     # 44     # Ircd - core access 45     # 46 47     # allow ircd_t to fork copies of itself 48     allow ircd_t self : process fork; 49 50     # Log files - create, read, and append 51     allow ircd_t ircd_log_t : dir ra_dir_perms; 52     allow ircd_t ircd_log_t : file { create ra_file_perms }; 53     logging_log_filetrans(ircd_t, ircd_log_t, file) 54     logging_search_logs(ircd_t) 55 56     # Configuration files - read 57     allow ircd_t ircd_conf_t : dir r_dir_perms; 58     allow ircd_t ircd_conf_t : file r_file_perms; 59     allow ircd_t ircd_conf_t : lnk_file { getattr read }; 60     dontaudit ircd_t ircd_conf_t : file write; 61 62     # PID file - create, read, and write 63     allow ircd_t ircd_var_run_t : dir rw_dir_perms; 64     allow ircd_t ircd_var_run_t : file create_file_perms; 65     files_pid_filetrans(ircd_t, ircd_var_run_t, file) 66 67     # /var/lib/ircd files/dirs - create, read, write 68     allow ircd_t ircd_var_lib_t : dir create_dir_perms; 69     allow ircd_t ircd_var_lib_t : file create_file_perms; 70     files_var_lib_filetrans(ircd_t, ircd_var_lib_t, { file dir }) 71 72     # Network access - the ircd daemon is allowed to send 73     # and receive network data to all nodes and ports over 74     # all network interfaces. Additionally, it can name_bind 75     # to the ircd port (ircd_port_t) 76     allow ircd_t self : tcp_socket create_stream_socket_perms; 77     corenet_tcp_sendrecv_all_if(ircd_t) 78     corenet_tcp_sendrecv_all_nodes(ircd_t) 79     corenet_tcp_sendrecv_all_ports(ircd_t) 80     corenet_non_ipsec_sendrecv(ircd_t) 81     corenet_tcp_bind_all_nodes(ircd_t) 82     corenet_tcp_bind_ircd_port(ircd_t) 83     sysnet_dns_name_resolve(ircd_t) 84 85     # use shared libraries 86     libs_use_ld_so(ircd_t) 87     libs_use_shared_libs(ircd_t) 88 89     # read localization data 90     miscfiles_read_localization(ircd_t) 91 92     # dontaudit use of the sysadm_r terminal 93     userdom_dontaudit_use_sysadm_ptys(ircd_t) 94 95     # read common directories / files including 96     #    * /etc (search and read) 97     #    * system variables 98     files_search_etc(ircd_t) 99     files_read_etc_files(ircd_t) 100    kernel_read_kernel_sysctls(ircd_t) 101    kernel_read_system_state(ircd_t) 102    kernel_read_all_sysctls(ircd_t)

Listing 14-14. Reference Policy: IRC Daemon Labeling Policy File (ircd.fc)

1      # ircd labeling policy 2      # file: ircd.fc 3      /usr/bin/ircd    --     gen_context(system_u:object_r:ircd_exec_t, s0) 4      /etc/ircd(/.*)?        gen_context(system_u:object_r:ircd_conf_t, s0) 5      /var/log/ircd(/.*)?    gen_context(system_u:object_r:ircd_log_t, s0) 6      /var/lib/ircd(/.*)?    gen_context(system_u:object_r:ircd_var_lib_t, s0) 7      /var/run/ircd(/.*)?    gen_context(system_u:object_r:ircd_var_run_t, s0)

Listing 14-15. Reference Policy: IRC Daemon External Interface File (ircd.if)

1      ## <summary>IRC daemon</summary> 2 3      ######################################## 4      ## <summary> 5      ##        Read IRC daemon log files. 6      ## </summary> 7      ## <param name="domain"> 8      ##        Domain allowed access. 9      ## </param> 10     # 11     interface(`irc_read_log',` 12        gen_require(` 13          type ircd_log_t; 14        ') 15 16        files_search_var($1) 17        logging_search_logs($1) 18        allow $1 ircd_log_t:dir search_dir_perms; 19        allow $1 ircd_log_t:file r_file_perms; 20    ')




SELinux by Example(c) Using Security Enhanced Linux
SELinux by Example: Using Security Enhanced Linux
ISBN: 0131963694
EAN: 2147483647
Year: 2007
Pages: 154

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net