14.6. Complete IRC Daemon Module Listings

For completeness, we conclude this chapter with complete listings of the IRC daemon modules for both the example and reference policy.

Listing 14-11. Example Policy: IRC Daemon Policy Module File (ircd.te)

###################################################
#
# ircd policy module
#
# file: ircd.te
#
# Confines the IRC daemon in its own domain (ircd_t) and declares
# separate types for its executable, PID file, configuration,
# logs and the data under /var/lib/ircd.
#

###################################################
#
# Type declarations
#

# ircd domain
type ircd_t, domain;

# ircd entrypoint
type ircd_exec_t, file_type, exec_type;

# PID file /var/run/ircd.pid
type ircd_var_run_t, file_type;

# configuration files
type ircd_conf_t, file_type, sysadmfile;

# log files
type ircd_log_t, file_type, sysadmfile, logfile;

# files and directories under /var/lib/ircd
type ircd_var_lib_t, file_type, sysadmfile;

###################################################
#
# Ircd - core access
#

# allow ircd_t to fork copies of itself
allow ircd_t self : process fork;
# Log files - create, read, and append
# NOTE(review): the type_transition below covers both file and dir,
# but create is granted explicitly only for files. Whether
# ra_dir_perms also allows creating directories is not visible in
# this listing - confirm against the macro definition.
allow ircd_t var_log_t : dir ra_dir_perms;
allow ircd_t ircd_log_t : dir ra_dir_perms;
allow ircd_t ircd_log_t : file { create ra_file_perms };
type_transition ircd_t var_log_t : { file dir } ircd_log_t;

# Configuration files - read
allow ircd_t ircd_conf_t : dir r_dir_perms;
allow ircd_t ircd_conf_t : file r_file_perms;
allow ircd_t ircd_conf_t : lnk_file { getattr read };
# No allow rule grants write here, so writes stay denied; dontaudit
# only suppresses the audit record. Attempted writes to the
# configuration by ircd_t will therefore not appear in the audit log.
dontaudit ircd_t ircd_conf_t : file write;

# PID file - create, read, and write
# NOTE(review): the type comment above names /var/run/ircd.pid, while
# ircd.fc (Listing 14-12) labels /var/run/ircd(/.*)?. With that
# pattern a file at /var/run/ircd.pid would get ircd_var_run_t only
# through the transition at creation time, not from a relabel.
file_type_auto_trans(ircd_t, var_run_t, ircd_var_run_t, file)
allow ircd_t var_t : dir search;

# /var/lib/ircd files/dirs - create, read, write
file_type_auto_trans(ircd_t, var_lib_t, ircd_var_lib_t, file)
allow ircd_t ircd_var_lib_t : dir rw_dir_perms;

# Network access - the ircd daemon is allowed to send
# and receive network data to all nodes and ports over
# all network interfaces (through the can_network_server
# macro). Additionally, it can name_bind to the ircd
# port (ircd_port_t).
# NOTE(review): as described above, only the name_bind rule is
# specific to the IRC port; the send and receive access is not.
# Check whether the daemon needs traffic on all ports before reusing
# this block for another service.
allow ircd_t ircd_port_t:tcp_socket name_bind;
can_network_server(ircd_t)

# use shared libraries
uses_shlib(ircd_t)

# read localization data
read_locale(ircd_t)

# read common directories / files including
# * /etc/resolv.conf (etc_t)
# * proc
# * /dev/null
# * system variables
# NOTE(review): sysctl_type looks like an attribute covering every
# sysctl type; if so, the first two sysctl rules already grant read
# access to all sysctls and the sysctl_t / sysctl_kernel_t rules add
# nothing - confirm.
allow ircd_t etc_t : file r_file_perms;
allow ircd_t { self proc_t }:dir r_dir_perms;
allow ircd_t { self proc_t }:lnk_file { getattr read };
allow ircd_t null_device_t:chr_file rw_file_perms;
allow ircd_t sysctl_type:dir r_dir_perms;
allow ircd_t sysctl_type:file r_file_perms;
allow ircd_t sysctl_t:dir search;
allow ircd_t sysctl_kernel_t:dir search;
allow ircd_t sysctl_kernel_t:file { getattr read };

#################################################
#
# Domain Transitions and Role Authorizations
#

role system_r types ircd_t;

# allow init to start ircd
domain_auto_trans(initrc_t, ircd_exec_t, ircd_t)

# allow sysadm_t to start ircd_t
# The role_transition moves a process started from sysadm_r into
# system_r when it executes ircd_exec_t; system_r is the role
# authorized for ircd_t by the role statement above.
domain_auto_trans(sysadm_t, ircd_exec_t, ircd_t)
role_transition sysadm_r ircd_exec_t system_r;
# dontaudit use of the sysadm_r terminal
dontaudit ircd_t sysadm_devpts_t : chr_file { getattr read write };

#################################################
#
# Integrate Into System Policy
#

# Optional rules, included only when logrotate.te is part of the
# policy: logrotate_t may search directories and read files of type
# ircd_var_run_t (presumably to read the PID file - confirm).
ifdef(`logrotate.te', `
    allow logrotate_t ircd_var_run_t:dir search;
    allow logrotate_t ircd_var_run_t:file { getattr read };
')

Listing 14-12. Example Policy: IRC Daemon File Contexts File (ircd.fc)

# ircd labeling policy
# file: ircd.fc
# Each entry maps a path pattern to the security context applied when
# the file system is labeled. The -- flag limits the first entry to
# regular files; the other entries apply to any object matching the
# pattern.
# NOTE(review): /var/run/ircd(/.*)? matches /var/run/ircd and anything
# beneath it, but not a file named /var/run/ircd.pid as mentioned in
# ircd.te - confirm the PID file path the daemon actually uses.
/usr/bin/ircd        --  system_u:object_r:ircd_exec_t
/etc/ircd(/.*)?          system_u:object_r:ircd_conf_t
/var/log/ircd(/.*)?      system_u:object_r:ircd_log_t
/var/lib/ircd(/.*)?      system_u:object_r:ircd_var_lib_t
/var/run/ircd(/.*)?      system_u:object_r:ircd_var_run_t

Listing 14-13. Reference Policy: IRC Daemon Private Policy File (ircd.te)

########################################
#
# Reference Policy ircd policy module
#
# file: ircd.te
#
# Private policy for the ircd_t domain, written with reference policy
# interfaces instead of direct rules on types owned by other modules.
# Unlike Listing 14-11, this listing has no rule for starting the
# daemon from sysadm_t and no logrotate integration.
#

# Ircd policy module declaration
policy_module(ircd, 1.0)

########################################
#
# Type declarations
#

# ircd domain
type ircd_t;

# ircd entrypoint
type ircd_exec_t;

# mark ircd_t as a domain and ircd_exec_t
# as an entrypoint into that domain
init_daemon_domain(ircd_t, ircd_exec_t)

# PID file /var/run/ircd.pid
type ircd_var_run_t;
files_pid_file(ircd_var_run_t)

# configuration files
type ircd_conf_t;
files_config_file(ircd_conf_t)

# log files
type ircd_log_t;
logging_log_file(ircd_log_t)

# files and directories under /var/lib/ircd
type ircd_var_lib_t;
files_type(ircd_var_lib_t)

##########################################
#
# Ircd - core access
#

# allow ircd_t to fork copies of itself
allow ircd_t self : process fork;

# Log files - create, read, and append
allow ircd_t ircd_log_t : dir ra_dir_perms;
allow ircd_t ircd_log_t : file { create ra_file_perms };
logging_log_filetrans(ircd_t, ircd_log_t, file)
logging_search_logs(ircd_t)

# Configuration files - read
allow ircd_t ircd_conf_t : dir r_dir_perms;
allow ircd_t ircd_conf_t : file r_file_perms;
allow ircd_t ircd_conf_t : lnk_file { getattr read };
# Writes stay denied (no allow rule grants them); dontaudit only
# suppresses the audit record for the denial.
dontaudit ircd_t ircd_conf_t : file write;

# PID file - create, read, and write
allow ircd_t ircd_var_run_t : dir rw_dir_perms;
allow ircd_t ircd_var_run_t : file create_file_perms;
files_pid_filetrans(ircd_t, ircd_var_run_t, file)

# /var/lib/ircd files/dirs - create, read, write
# This version also covers directories (create_dir_perms and a
# transition for { file dir }), where Listing 14-11 has a transition
# for files only.
allow ircd_t ircd_var_lib_t : dir create_dir_perms;
allow ircd_t ircd_var_lib_t : file create_file_perms;
files_var_lib_filetrans(ircd_t, ircd_var_lib_t, { file dir })

# Network access - the ircd daemon is allowed to send
# and receive network data to all nodes and ports over
# all network interfaces. Additionally, it can name_bind
# to the ircd port (ircd_port_t)
# NOTE(review): only corenet_tcp_bind_ircd_port is specific to the
# IRC port; the sendrecv interfaces are the all_if / all_nodes /
# all_ports variants. Check whether that breadth is needed before
# copying this block into another module.
allow ircd_t self : tcp_socket create_stream_socket_perms;
corenet_tcp_sendrecv_all_if(ircd_t)
corenet_tcp_sendrecv_all_nodes(ircd_t)
corenet_tcp_sendrecv_all_ports(ircd_t)
corenet_non_ipsec_sendrecv(ircd_t)
corenet_tcp_bind_all_nodes(ircd_t)
corenet_tcp_bind_ircd_port(ircd_t)
sysnet_dns_name_resolve(ircd_t)

# use shared libraries
libs_use_ld_so(ircd_t)
libs_use_shared_libs(ircd_t)

# read localization data
miscfiles_read_localization(ircd_t)

# dontaudit use of the sysadm_r terminal
userdom_dontaudit_use_sysadm_ptys(ircd_t)

# read common directories / files including
# * /etc (search and read)
# * system variables
# NOTE(review): by its name kernel_read_all_sysctls would include
# what kernel_read_kernel_sysctls grants, making this read access to
# every sysctl - confirm against the kernel module interfaces.
files_search_etc(ircd_t)
files_read_etc_files(ircd_t)
kernel_read_kernel_sysctls(ircd_t)
kernel_read_system_state(ircd_t)
kernel_read_all_sysctls(ircd_t)

Listing 14-14. Reference Policy: IRC Daemon Labeling Policy File (ircd.fc)

# ircd labeling policy
# file: ircd.fc
# Same path patterns as Listing 14-12, with each context wrapped in
# gen_context; the second argument (s0) is the MLS/MCS level.
# NOTE(review): /var/run/ircd(/.*)? does not match a file named
# /var/run/ircd.pid as mentioned in ircd.te - confirm the PID file
# path the daemon actually uses.
/usr/bin/ircd        --  gen_context(system_u:object_r:ircd_exec_t, s0)
/etc/ircd(/.*)?          gen_context(system_u:object_r:ircd_conf_t, s0)
/var/log/ircd(/.*)?      gen_context(system_u:object_r:ircd_log_t, s0)
/var/lib/ircd(/.*)?      gen_context(system_u:object_r:ircd_var_lib_t, s0)
/var/run/ircd(/.*)?      gen_context(system_u:object_r:ircd_var_run_t, s0)

Listing 14-15. Reference Policy: IRC Daemon External Interface File (ircd.if)

## <summary>IRC daemon</summary>

# NOTE(review): the module is declared as ircd but the interface below
# is named irc_read_log; reference policy interfaces are normally
# prefixed with the module name. Callers must use the name as written.
# The interface grants the calling domain ($1) search access on the
# path to the logs plus read access to ircd_log_t files; it grants no
# write or append access.

########################################
## <summary>
##      Read IRC daemon log files.
## </summary>
## <param name="domain">
##      Domain allowed access.
## </param>
#
interface(`irc_read_log',`
    gen_require(`
        type ircd_log_t;
    ')

    files_search_var($1)
    logging_search_logs($1)
    allow $1 ircd_log_t:dir search_dir_perms;
    allow $1 ircd_log_t:file r_file_perms;
')