[refpolicy] [PATCH v2 6/9] Include policy for the iodine IP over DNS tunnel daemon

Dominick Grift dominick.grift at gmail.com
Sat Sep 8 09:12:18 CDT 2012


Russell,

Some questions with regard to this policy module.

You labeled all of /usr/sbin/iodine.* type iodine_exec_t.

I have reviewed the Debian init script for the iodine package and it only
runs iodined and not the other iodine binaries in /usr/sbin.

How come? Am I looking at the wrong init script or am I missing
something here?

Also, that same init script mentions a pid file and it's not created by
the init script. Therefore I assume it gets created by iodined.

However the iodine policy module has no rules to allow iodine to create
a pid file.

In Fedora we also have iodine. The package is split into a server and a
client. Both server and client get started by init.

However, I suspect the client needs rules that are different from the
rules that the server needs.

Should there not, in that case, be a client domain as well as a server
domain?

I hope you can clarify the above


On Sat, 2012-09-08 at 14:22 +0200, Laurent Bigonville wrote:
> From: Russell Coker <russell at coker.com.au>
> 
> ---
>  iodine.fc |    1 +
>  iodine.if |    1 +
>  iodine.te |   29 +++++++++++++++++++++++++++++
>  3 files changed, 31 insertions(+)
>  create mode 100644 iodine.fc
>  create mode 100644 iodine.if
>  create mode 100644 iodine.te
> 
> diff --git a/iodine.fc b/iodine.fc
> new file mode 100644
> index 0000000..71c964d
> --- /dev/null
> +++ b/iodine.fc
> @@ -0,0 +1 @@
> +/usr/sbin/iodine.*	-- gen_context(system_u:object_r:iodine_exec_t, s0)
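Review bot: `/usr/sbin/iodine.*` labels every binary whose name starts with `iodine`, so the client and `iodined` both become `iodine_exec_t` and, through `init_daemon_domain(iodine_t, iodine_exec_t)` in iodine.te, both land in the single `iodine_t` domain when started from init. If only the server is meant to be confined, narrow the entry to `/usr/sbin/iodined -- gen_context(system_u:object_r:iodine_exec_t, s0)`; if the client is to be confined as well, give it its own `_exec_t` type and its own line here, because a client that only brings up a tunnel endpoint has no business inheriting the server's DNS-port bind and `net_bind_service` rules. Note also that the trailing `.*` will silently pick up any future `/usr/sbin/iodine-something` helper.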
> diff --git a/iodine.if b/iodine.if
> new file mode 100644
> index 0000000..4bec253
> --- /dev/null
> +++ b/iodine.if
> @@ -0,0 +1 @@
> +## <summary>policy for the iodine IP over DNS tunneling daemon</summary>
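Review bot: the .if file contains only the `<summary>` line and declares no interfaces, so no other module can transition into `iodine_t` or manage its files: there is no `iodine_domtrans()` for a domain that launches the daemon outside init, and no `iodine_admin()` for the sysadm role to start, stop and clean up after it. Daemon modules in refpolicy normally provide at least the admin interface; at minimum add a domtrans interface built on `domtrans_pattern($1, iodine_exec_t, iodine_t)` (with a `gen_require` for the two types) so that anything other than init that runs iodined gets the same domain the init script does, or say in the summary why the module intentionally exports nothing.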
> diff --git a/iodine.te b/iodine.te
> new file mode 100644
> index 0000000..c383ad4
> --- /dev/null
> +++ b/iodine.te
> @@ -0,0 +1,29 @@
> +policy_module(iodine,1.0.0)
> +
> +type iodine_t;
> +type iodine_exec_t;
> +init_daemon_domain(iodine_t, iodine_exec_t)
> +
> +allow iodine_t self:capability { setgid setuid net_bind_service net_admin net_raw sys_chroot };
> +allow iodine_t self:rawip_socket { write read create };
> +allow iodine_t self:tun_socket create;
> +allow iodine_t self:udp_socket connected_socket_perms;
> +allow iodine_t self:unix_dgram_socket { create connect };
> +
> +kernel_read_network_state(iodine_t)
> +kernel_read_system_state(iodine_t)
> +kernel_request_load_module(iodine_t)
> +kernel_search_network_sysctl(iodine_t)
> +
> +corenet_raw_receive_generic_node(iodine_t)
> +corenet_rw_tun_tap_dev(iodine_t)
> +corenet_udp_bind_dns_port(iodine_t)
> +corenet_udp_bind_generic_node(iodine_t)
> +
> +corecmd_exec_shell(iodine_t)
> +
> +files_read_etc_files(iodine_t)
> +
> +logging_send_syslog_msg(iodine_t)
> +
> +sysnet_domtrans_ifconfig(iodine_t)
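Review bot: the domain is set up with `init_daemon_domain` but the module declares no pid-file type, so there is no `type iodine_var_run_t; files_pid_file(iodine_var_run_t)`, no `manage_files_pattern(iodine_t, iodine_var_run_t, iodine_var_run_t)` and no `files_pid_filetrans(iodine_t, iodine_var_run_t, file)`; if iodined writes the pid file the init script refers to, that write is denied. Related to the capability line: `sys_chroot` next to `setuid`/`setgid` implies the daemon chroots and drops privileges, and whatever directory it chroots into needs at least search/getattr access (if it is under /var/run the same pid-file type covers it). `corecmd_exec_shell(iodine_t)` together with `sysnet_domtrans_ifconfig(iodine_t)` suggests a shell is spawned to run ifconfig; that shell executes as `iodine_t` with `net_admin` and `net_raw`, so if ifconfig is the only thing run, the shell rule should be dropped and the reason for each kept rule noted in a comment. Style: `policy_module(iodine,1.0.0)` wants a space after the comma, and the file is missing the `# Declarations` / `# Local policy` section banners the other refpolicy modules carry.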
