From d69d6a9db3e568b1d26699c09cc393a36bb0c9bd Mon Sep 17 00:00:00 2001
From: Dominick Grift
Date: Oct 17 2012 12:23:40 +0000
Subject: Changes to the oident policy module Ported from Fedora with changes Add oident_role() Add oident_admin()
Signed-off-by: Dominick Grift
---
diff --git a/oident.fc b/oident.fc
index 8763208..df3b975 100644
--- a/oident.fc
+++ b/oident.fc
@@ -1,8 +1,8 @@
-HOME_DIR/\.oidentd.conf -- gen_context(system_u:object_r:oidentd_home_t, s0)
+HOME_DIR/\.oidentd\.conf -- gen_context(system_u:object_r:oidentd_home_t,s0)
 
-/etc/oidentd\.conf -- gen_context(system_u:object_r:oidentd_config_t, s0)
-/etc/oidentd_masq\.conf -- gen_context(system_u:object_r:oidentd_config_t, s0)
+/etc/oidentd\.conf -- gen_context(system_u:object_r:oidentd_config_t,s0)
+/etc/oidentd_masq\.conf -- gen_context(system_u:object_r:oidentd_config_t,s0)
 
-/etc/rc\.d/init\.d/oidentd -- gen_context(system_u:object_r:oidentd_initrc_exec_t, s0)
+/etc/rc\.d/init\.d/oidentd -- gen_context(system_u:object_r:oidentd_initrc_exec_t,s0)
 
-/usr/sbin/oidentd -- gen_context(system_u:object_r:oidentd_exec_t, s0)
+/usr/sbin/oidentd -- gen_context(system_u:object_r:oidentd_exec_t,s0)
diff --git a/oident.if b/oident.if
index bb4fae5..bf9f912 100644
--- a/oident.if
+++ b/oident.if
@@ -1,16 +1,32 @@
-## SELinux policy for Oident daemon.
-##
-##

-## Oident daemon is a server that implements the TCP/IP -## standard IDENT user identification protocol as -## specified in the RFC 1413 document. -##

-##
+## An ident daemon with IP masq/NAT support and the ability to specify responses. ######################################## ## -## Allow the specified domain to read -## Oidentd personal configuration files. +## Role access for oident. +## +## +## +## Role allowed access. +## +## +## +## +## User domain for the role. +## +## +# +interface(`oident_role',` + gen_require(` + type oidentd_home_t; + ') + + allow $2 oident_home_t:file { manage_file_perms relabel_file_perms }; + userdom_user_home_dir_filetrans($2, oidentd_home_t, file, ".oidentd.conf") +') + +######################################## +## +## Read oidentd user home content. ## ## ## @@ -23,14 +39,14 @@ interface(`oident_read_user_content', ` type oidentd_home_t; ') - allow $1 oidentd_home_t:file read_file_perms; userdom_search_user_home_dirs($1) + allow $1 oidentd_home_t:file read_file_perms; ') ######################################## ## -## Allow the specified domain to create, read, write, and delete -## Oidentd personal configuration files. +## Create, read, write, and delete +## oidentd user home content. ## ## ## @@ -43,14 +59,13 @@ interface(`oident_manage_user_content', ` type oidentd_home_t; ') - allow $1 oidentd_home_t:file manage_file_perms; userdom_search_user_home_dirs($1) + allow $1 oidentd_home_t:file manage_file_perms; ') ######################################## ## -## Allow the specified domain to relabel -## Oidentd personal configuration files. +## Relabel oidentd user home content. ## ## ## 
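Review bot: The new oident_role body grants `allow $2 oident_home_t:file { manage_file_perms relabel_file_perms };`, but the type it requires in gen_require and the one passed to the filetrans call on the next line is `oidentd_home_t`; `oident_home_t` is not declared anywhere in this module, so the interface will fail to build for any caller that expands it. Change the rule to `allow $2 oidentd_home_t:file { manage_file_perms relabel_file_perms };`. The `$1` role parameter is documented as "Role allowed access" but is never referenced in the body; if that is deliberate because oident ships no user domain for the role, a short comment in the interface saying so would save the next reader from looking for a missing `role $1 types` line.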
@@ -63,6 +78,40 @@ interface(`oident_relabel_user_content', `
 		type oidentd_home_t;
 	')
 
-	allow $1 oidentd_home_t:file relabel_file_perms;
 	userdom_search_user_home_dirs($1)
+	allow $1 oidentd_home_t:file relabel_file_perms;
+')
+
+########################################
+##
+##	All of the rules required to
+##	administrate an oident environment.
+##
+##
+##
+##	Domain allowed access.
+##
+##
+##
+##
+##	Role allowed access.
+##
+##
+##
+#
+interface(`oident_admin',`
+	gen_require(`
+		type oidentd_t, oidentd_initrc_exec_t, oidentd_config_t;
+	')
+
+	allow $1 oidentd_t:process { ptrace signal_perms };
+	ps_process_pattern($1, oidentd_t)
+
+	init_labeled_script_domtrans($1, oidentd_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 oidentd_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	files_list_etc($1)
+	admin_pattern($1, oidentd_config_t)
 ')
diff --git a/oident.te b/oident.te
index 6e5be53..cd22d87 100644
--- a/oident.te
+++ b/oident.te
@@ -1,8 +1,8 @@
-policy_module(oident, 2.2.0)
+policy_module(oident, 2.2.1)
 
 ########################################
 #
-# Oident daemon private declarations
+# Declarations
 #
 
 type oidentd_t;
@@ -22,56 +22,50 @@ files_config_file(oidentd_config_t)
 
 ########################################
 #
-# Oident daemon private policy
+# Local policy
 #
 
 allow oidentd_t self:capability { setuid setgid };
-allow oidentd_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
-allow oidentd_t self:netlink_tcpdiag_socket { write read create nlmsg_read };
-allow oidentd_t self:tcp_socket { setopt read bind create accept write getattr listen };
-allow oidentd_t self:udp_socket { write read create connect getattr ioctl };
-allow oidentd_t self:unix_dgram_socket { create connect };
+allow oidentd_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+allow oidentd_t self:tcp_socket { accept listen };
 
 allow oidentd_t oidentd_config_t:file read_file_perms;
 allow oidentd_t oidentd_home_t:file read_file_perms;
 
+kernel_read_kernel_sysctls(oidentd_t)
+kernel_read_network_state(oidentd_t)
+kernel_read_network_state_symlinks(oidentd_t)
+kernel_read_sysctl(oidentd_t)
+kernel_request_load_module(oidentd_t)
+
 corenet_all_recvfrom_unlabeled(oidentd_t)
 corenet_all_recvfrom_netlabel(oidentd_t)
 corenet_tcp_sendrecv_generic_if(oidentd_t)
 corenet_tcp_sendrecv_generic_node(oidentd_t)
 corenet_tcp_bind_generic_node(oidentd_t)
-corenet_tcp_bind_auth_port(oidentd_t)
+
 corenet_sendrecv_auth_server_packets(oidentd_t)
+corenet_tcp_bind_auth_port(oidentd_t)
+corenet_tcp_sendrecv_auth_port(oidentd_t)
 
-files_read_etc_files(oidentd_t)
+fs_getattr_all_fs(oidentd_t)
+fs_search_auto_mountpoints(oidentd_t)
 
-kernel_read_kernel_sysctls(oidentd_t)
-kernel_read_network_state(oidentd_t)
-kernel_read_network_state_symlinks(oidentd_t)
-kernel_read_sysctl(oidentd_t)
-# oidentd requests the tcp_diag kernel module, otherwise
-# it will be stuck using the slow /proc/net/tcp interface
-kernel_request_load_module(oidentd_t)
+auth_use_nsswitch(oidentd_t)
 
 logging_send_syslog_msg(oidentd_t)
 
 miscfiles_read_localization(oidentd_t)
 
-sysnet_read_config(oidentd_t)
-
 userdom_search_user_home_dirs(oidentd_t)
 
-optional_policy(`
-	nis_use_ypbind(oidentd_t)
-')
-
-tunable_policy(`use_samba_home_dirs', `
+tunable_policy(`use_samba_home_dirs',`
 	fs_list_cifs(oidentd_t)
 	fs_read_cifs_files(oidentd_t)
 ')
 
-tunable_policy(`use_nfs_home_dirs', `
+tunable_policy(`use_nfs_home_dirs',`
 	fs_list_nfs(oidentd_t)
 	fs_read_nfs_files(oidentd_t)
 ')
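Review bot: `kernel_request_load_module(oidentd_t)` survives in the new kernel_* group near the top of the hunk, but the comment that justified it on the old side (`# oidentd requests the tcp_diag kernel module, otherwise` / `# it will be stuck using the slow /proc/net/tcp interface`) was dropped in the move. Letting a network-facing daemon trigger module autoloading is exactly the grant a later reviewer will question, so restore those two comment lines directly above the call. Separately, the hunk removes `files_read_etc_files(oidentd_t)` and `sysnet_read_config(oidentd_t)` in favour of `auth_use_nsswitch(oidentd_t)`; the retained `allow oidentd_t oidentd_config_t:file read_file_perms;` still needs search access on etc_t to reach /etc/oidentd.conf, so if the nsswitch interface in this tree does not supply that transitively, keep `files_search_etc(oidentd_t)` alongside it.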