commit: 173c3e3dc3581c5073a9be245f9ac79078f79573 |
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com> |
AuthorDate: Mon Oct 29 09:22:42 2012 +0000 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
CommitDate: Mon Oct 29 14:48:39 2012 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=173c3e3d |
|
Changes to the stunnel policy module |
|
Module clean up |
|
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com> |
|
--- |
policy/modules/contrib/stunnel.if | 4 +- |
policy/modules/contrib/stunnel.te | 83 +++++++++++++++---------------------- |
2 files changed, 35 insertions(+), 52 deletions(-) |
|
diff --git a/policy/modules/contrib/stunnel.if b/policy/modules/contrib/stunnel.if |
20 |
index 6073656..47fea00 100644 |
21 |
--- a/policy/modules/contrib/stunnel.if |
22 |
+++ b/policy/modules/contrib/stunnel.if |
23 |
@@ -1,4 +1,4 @@ |
24 |
-## <summary>SSL Tunneling Proxy</summary> |
25 |
+## <summary>SSL Tunneling Proxy.</summary> |
26 |
|
27 |
######################################## |
28 |
## <summary> |
29 |
@@ -20,6 +20,6 @@ interface(`stunnel_service_domain',` |
30 |
type stunnel_t; |
31 |
') |
32 |
|
33 |
- domtrans_pattern(stunnel_t,$2,$1) |
34 |
+ domtrans_pattern(stunnel_t, $2, $1) |
35 |
allow $1 stunnel_t:tcp_socket rw_socket_perms; |
36 |
') |
37 |
|
38 |
diff --git a/policy/modules/contrib/stunnel.te b/policy/modules/contrib/stunnel.te |
39 |
index f646c66..bdfee61 100644 |
40 |
--- a/policy/modules/contrib/stunnel.te |
41 |
+++ b/policy/modules/contrib/stunnel.te |
42 |
@@ -1,4 +1,4 @@ |
43 |
-policy_module(stunnel, 1.10.0) |
44 |
+policy_module(stunnel, 1.10.1) |
45 |
|
46 |
######################################## |
47 |
# |
48 |
@@ -6,17 +6,8 @@ policy_module(stunnel, 1.10.0) |
49 |
# |
50 |
|
51 |
type stunnel_t; |
52 |
-domain_type(stunnel_t) |
53 |
-role system_r types stunnel_t; |
54 |
- |
55 |
type stunnel_exec_t; |
56 |
-domain_entry_file(stunnel_t, stunnel_exec_t) |
57 |
- |
58 |
-ifdef(`distro_gentoo',` |
59 |
- init_daemon_domain(stunnel_t, stunnel_exec_t) |
60 |
-',` |
61 |
- inetd_tcp_service_domain(stunnel_t, stunnel_exec_t) |
62 |
-') |
63 |
+init_daemon_domain(stunnel_t, stunnel_exec_t) |
64 |
|
65 |
type stunnel_etc_t; |
66 |
files_config_file(stunnel_etc_t) |
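Review bot: `init_daemon_domain(stunnel_t, stunnel_exec_t)` is now unconditional, so non-Gentoo builds gain an init entry point into stunnel_t that they did not have before this hunk, while the inetd entry is moved into an optional_policy block further down the file; the description says only "Module clean up" and nothing near these declarations records that the domain is reachable more than one way. A one-line comment above the call would save the next reader a trip through the optional blocks: `# entered from init here; the inetd and daemontools entry points are optional, see below`. The dropped domain_type, domain_entry_file and role lines are what init_daemon_domain itself provides, so I read their removal as intentional rather than as a loss of rules.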
67 |
@@ -33,14 +24,15 @@ files_pid_file(stunnel_var_run_t) |
68 |
# |
69 |
|
70 |
allow stunnel_t self:capability { setgid setuid sys_chroot }; |
71 |
+dontaudit stunnel_t self:capability sys_tty_config; |
72 |
allow stunnel_t self:process signal_perms; |
73 |
allow stunnel_t self:fifo_file rw_fifo_file_perms; |
74 |
-allow stunnel_t self:tcp_socket create_stream_socket_perms; |
75 |
-allow stunnel_t self:udp_socket create_socket_perms; |
76 |
+allow stunnel_t self:tcp_socket { accept listen }; |
77 |
+allow stunnel_t self:netlink_tcpdiag_socket r_netlink_socket_perms; |
78 |
|
79 |
allow stunnel_t stunnel_etc_t:dir list_dir_perms; |
80 |
allow stunnel_t stunnel_etc_t:file read_file_perms; |
81 |
-allow stunnel_t stunnel_etc_t:lnk_file { getattr read }; |
82 |
+allow stunnel_t stunnel_etc_t:lnk_file read_lnk_file_perms; |
83 |
|
84 |
manage_dirs_pattern(stunnel_t, stunnel_tmp_t, stunnel_tmp_t) |
85 |
manage_files_pattern(stunnel_t, stunnel_tmp_t, stunnel_tmp_t) |
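Review bot: The `self:tcp_socket` rule is narrowed to `{ accept listen }`, which leaves create, bind, connect, read and write to be supplied by the corenet bind/connect interfaces later in the file (I believe those carry create_socket_perms on self in this tree; verify against corenetwork.if before relying on it), and that dependency is invisible from this block. A comment would make the narrowing safe to maintain: `# create/bind/connect/rw on self:tcp_socket come from the corenet_tcp_bind/connect interfaces below`. The new read access on `netlink_tcpdiag_socket` lets stunnel_t dump the host's TCP socket table through inet_diag, so it deserves a why-comment naming which part of stunnel needs it, and the udp_socket rules disappear entirely, which is consistent with stunnel handling TCP only but is a behaviour change rather than a clean-up.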
86 |
@@ -59,15 +51,23 @@ corecmd_exec_bin(stunnel_t) |
87 |
corenet_all_recvfrom_unlabeled(stunnel_t) |
88 |
corenet_all_recvfrom_netlabel(stunnel_t) |
89 |
corenet_tcp_sendrecv_generic_if(stunnel_t) |
90 |
-corenet_udp_sendrecv_generic_if(stunnel_t) |
91 |
corenet_tcp_sendrecv_generic_node(stunnel_t) |
92 |
-corenet_udp_sendrecv_generic_node(stunnel_t) |
93 |
corenet_tcp_sendrecv_all_ports(stunnel_t) |
94 |
-corenet_udp_sendrecv_all_ports(stunnel_t) |
95 |
corenet_tcp_bind_generic_node(stunnel_t) |
96 |
+ |
97 |
+corenet_sendrecv_all_client_packets(stunnel_t) |
98 |
corenet_tcp_connect_all_ports(stunnel_t) |
99 |
|
100 |
+dev_read_sysfs(stunnel_t) |
101 |
+dev_read_urand(stunnel_t) |
102 |
+ |
103 |
+domain_use_interactive_fds(stunnel_t) |
104 |
+ |
105 |
+files_read_etc_runtime_files(stunnel_t) |
106 |
+files_search_home(stunnel_t) |
107 |
+ |
108 |
fs_getattr_all_fs(stunnel_t) |
109 |
+fs_search_auto_mountpoints(stunnel_t) |
110 |
|
111 |
auth_use_nsswitch(stunnel_t) |
112 |
|
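Review bot: `corenet_sendrecv_all_client_packets` is added next to the pre-existing `corenet_tcp_connect_all_ports`, so stunnel_t may open a TCP connection to any port type on the system; that is what a TLS-forwarding proxy needs, but it is the widest outbound grant refpolicy offers and nothing in the block says it is deliberate. A short why-comment above the pair, `# stunnel forwards plaintext to whatever backend the config names, hence any port`, would stop a later tightening pass from questioning it. Only the client-side packet rule is granted here; if the listening port bound by the rules past the end of this hunk is labelled, the matching server_packets rule presumably lives there too, which is worth confirming.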
113 |
@@ -75,44 +75,27 @@ logging_send_syslog_msg(stunnel_t) |
114 |
|
115 |
miscfiles_read_localization(stunnel_t) |
116 |
|
117 |
-sysnet_read_config(stunnel_t) |
118 |
- |
119 |
-ifdef(`distro_gentoo', ` |
120 |
- dontaudit stunnel_t self:capability sys_tty_config; |
121 |
- allow stunnel_t self:udp_socket create_socket_perms; |
122 |
- |
123 |
- dev_read_sysfs(stunnel_t) |
124 |
+userdom_dontaudit_use_unpriv_user_fds(stunnel_t) |
125 |
+userdom_dontaudit_search_user_home_dirs(stunnel_t) |
126 |
|
127 |
- fs_search_auto_mountpoints(stunnel_t) |
128 |
- |
129 |
- domain_use_interactive_fds(stunnel_t) |
130 |
- |
131 |
- userdom_dontaudit_use_unpriv_user_fds(stunnel_t) |
132 |
- userdom_dontaudit_search_user_home_dirs(stunnel_t) |
133 |
- |
134 |
- optional_policy(` |
135 |
- daemontools_service_domain(stunnel_t, stunnel_exec_t) |
136 |
- ') |
137 |
- |
138 |
- optional_policy(` |
139 |
- seutil_sigchld_newrole(stunnel_t) |
140 |
- ') |
141 |
+optional_policy(` |
142 |
+ daemontools_service_domain(stunnel_t, stunnel_exec_t) |
143 |
+') |
144 |
|
145 |
- optional_policy(` |
146 |
- udev_read_db(stunnel_t) |
147 |
- ') |
148 |
-',` |
149 |
- allow stunnel_t self:netlink_tcpdiag_socket r_netlink_socket_perms; |
150 |
+optional_policy(` |
151 |
+ inetd_tcp_service_domain(stunnel_t, stunnel_exec_t) |
152 |
+') |
153 |
|
154 |
- dev_read_urand(stunnel_t) |
155 |
+optional_policy(` |
156 |
+ kerberos_use(stunnel_t) |
157 |
+') |
158 |
|
159 |
- files_read_etc_files(stunnel_t) |
160 |
- files_read_etc_runtime_files(stunnel_t) |
161 |
- files_search_home(stunnel_t) |
162 |
+optional_policy(` |
163 |
+ seutil_sigchld_newrole(stunnel_t) |
164 |
+') |
165 |
|
166 |
- optional_policy(` |
167 |
- kerberos_use(stunnel_t) |
168 |
- ') |
169 |
+optional_policy(` |
170 |
+ udev_read_db(stunnel_t) |
171 |
') |
172 |
|
173 |
# hack since this port has no interfaces since it doesnt |