[refpolicy] [PATCH 6/9] Include policy for the iodine IP over DNS tunnel daemon

Dominick Grift dominick.grift at gmail.com
Tue Sep 4 17:03:28 CDT 2012


Just a quick review. comments in-line:

On Tue, 2012-09-04 at 23:37 +0200, Laurent Bigonville wrote:
> From: Russell Coker <russell at coker.com.au>
> 
> ---
>  contrib/iodine.fc |    1 +
>  contrib/iodine.if |    1 +
>  contrib/iodine.te |   26 ++++++++++++++++++++++++++
>  3 files changed, 28 insertions(+)
>  create mode 100644 contrib/iodine.fc
>  create mode 100644 contrib/iodine.if
>  create mode 100644 contrib/iodine.te
> 
> diff --git a/contrib/iodine.fc b/contrib/iodine.fc
> new file mode 100644
> index 0000000..4e144ea
> --- /dev/null
> +++ b/contrib/iodine.fc
> @@ -0,0 +1 @@
> +/usr/sbin/iodine.*	-- gen_context(system_u:object_r:iodine_exec_t,s0)
> diff --git a/contrib/iodine.if b/contrib/iodine.if
> new file mode 100644
> index 0000000..3eb6a30
> --- /dev/null
> +++ b/contrib/iodine.if
> @@ -0,0 +1 @@
> +## <summary></summary>
> diff --git a/contrib/iodine.te b/contrib/iodine.te
> new file mode 100644
> index 0000000..96a7de7
> --- /dev/null
> +++ b/contrib/iodine.te
> @@ -0,0 +1,26 @@
> +policy_module(iodine,1.0.0)
> +
> +# policy for the iodine IP over DNS tunneling daemon

the above description should be in the iodine.if between the
<summary></summary> tags

> +type iodine_t;
> +type iodine_exec_t;
> +files_type(iodine_exec_t)

The above line is redundant. it is already included with the line below

> +init_daemon_domain(iodine_t, iodine_exec_t)
> +

The first rules should be the rules wher the target is self, starting
with and rules where the object class is capability then process (if
theres any)

Then use alfa-numeric sorting of "self" rules

below that go rules where the target types are local to the module if
any.

Then the calls to external interface. starting with calls to kernel
layer, kernel interfaces, again

then other kernel layer interfaces in alfa numeric order

then calls to external interfaces in other layers in the following order

so after kernel layer interface calls:

system layer

others

then ifdefs, tunable then optional policy in that order

see:
http://oss.tresys.com/projects/refpolicy/wiki/StyleGuide

You might think why all these style rules? well consistency make policy
writing and maintaining much earier and intuitive. if done correctly
things start to make sense and one can get far by just following
intuition.

If you peruse the existing refpolicy and look for patterns youll see
that everything has a place and reason. if you look long enough things
start to make more sense.

> +logging_send_syslog_msg(iodine_t)

> +kernel_search_network_sysctl(iodine_t)
> +kernel_read_network_state(iodine_t)
> +kernel_request_load_module(iodine_t)
> +kernel_read_system_state(iodine_t)
> +files_read_etc_files(iodine_t)
> +corecmd_exec_shell(iodine_t)
> +allow iodine_t self:capability { setgid setuid net_bind_service net_admin net_raw sys_chroot };
> +sysnet_domtrans_ifconfig(iodine_t)
> +
> +allow iodine_t self:rawip_socket { write read create };
> +allow iodine_t self:unix_dgram_socket { create connect };
> +corenet_raw_receive_generic_node(iodine_t)
> +corenet_rw_tun_tap_dev(iodine_t)
> +corenet_udp_bind_dns_port(iodine_t)
> +corenet_udp_bind_generic_node(iodine_t)
> +allow iodine_t self:udp_socket connected_socket_perms;
> +allow iodine_t self:tun_socket create;




More information about the refpolicy mailing list