1 |
commit: 42ce27015d3cd70616f5f4c0e2b4b1b050372833 |
2 |
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
3 |
AuthorDate: Tue Jul 10 16:40:23 2012 +0000 |
4 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
5 |
CommitDate: Tue Jul 10 16:40:23 2012 +0000 |
6 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=42ce2701 |
7 |
|
8 |
Backporting bcfg2 |
9 |
|
10 |
--- |
11 |
policy/modules/contrib/bcfg2.fc | 7 ++ |
12 |
policy/modules/contrib/bcfg2.if | 150 +++++++++++++++++++++++++++++++++++++++ |
13 |
policy/modules/contrib/bcfg2.te | 51 +++++++++++++ |
14 |
3 files changed, 208 insertions(+), 0 deletions(-) |
15 |
|
16 |
diff --git a/policy/modules/contrib/bcfg2.fc b/policy/modules/contrib/bcfg2.fc |
17 |
new file mode 100644 |
18 |
index 0000000..f5413da |
19 |
--- /dev/null |
20 |
+++ b/policy/modules/contrib/bcfg2.fc |
21 |
@@ -0,0 +1,7 @@ |
22 |
+/etc/rc\.d/init\.d/bcfg2 -- gen_context(system_u:object_r:bcfg2_initrc_exec_t,s0) |
23 |
+ |
24 |
+/usr/sbin/bcfg2-server -- gen_context(system_u:object_r:bcfg2_exec_t,s0) |
25 |
+ |
26 |
+/var/lib/bcfg2(/.*)? gen_context(system_u:object_r:bcfg2_var_lib_t,s0) |
27 |
+ |
28 |
+/var/run/bcfg2-server\.pid -- gen_context(system_u:object_r:bcfg2_var_run_t,s0) |
29 |
|
30 |
diff --git a/policy/modules/contrib/bcfg2.if b/policy/modules/contrib/bcfg2.if |
31 |
new file mode 100644 |
32 |
index 0000000..b289d93 |
33 |
--- /dev/null |
34 |
+++ b/policy/modules/contrib/bcfg2.if |
35 |
@@ -0,0 +1,150 @@ |
36 |
+## <summary>bcfg2-server daemon which serves configurations to clients based on the data in its repository</summary> |
37 |
+ |
38 |
+######################################## |
39 |
+## <summary> |
40 |
+## Execute bcfg2 in the bcfg2 domain.. |
41 |
+## </summary> |
42 |
+## <param name="domain"> |
43 |
+## <summary> |
44 |
+## Domain allowed to transition. |
45 |
+## </summary> |
46 |
+## </param> |
47 |
+# |
48 |
+interface(`bcfg2_domtrans',` |
49 |
+ gen_require(` |
50 |
+ type bcfg2_t, bcfg2_exec_t; |
51 |
+ ') |
52 |
+ |
53 |
+ corecmd_search_bin($1) |
54 |
+ domtrans_pattern($1, bcfg2_exec_t, bcfg2_t) |
55 |
+') |
56 |
+ |
57 |
+######################################## |
58 |
+## <summary> |
59 |
+## Execute bcfg2 server in the bcfg2 domain. |
60 |
+## </summary> |
61 |
+## <param name="domain"> |
62 |
+## <summary> |
63 |
+## Domain allowed access. |
64 |
+## </summary> |
65 |
+## </param> |
66 |
+# |
67 |
+interface(`bcfg2_initrc_domtrans',` |
68 |
+ gen_require(` |
69 |
+ type bcfg2_initrc_exec_t; |
70 |
+ ') |
71 |
+ |
72 |
+ init_labeled_script_domtrans($1, bcfg2_initrc_exec_t) |
73 |
+') |
74 |
+ |
75 |
+######################################## |
76 |
+## <summary> |
77 |
+## Search bcfg2 lib directories. |
78 |
+## </summary> |
79 |
+## <param name="domain"> |
80 |
+## <summary> |
81 |
+## Domain allowed access. |
82 |
+## </summary> |
83 |
+## </param> |
84 |
+# |
85 |
+interface(`bcfg2_search_lib',` |
86 |
+ gen_require(` |
87 |
+ type bcfg2_var_lib_t; |
88 |
+ ') |
89 |
+ |
90 |
+ allow $1 bcfg2_var_lib_t:dir search_dir_perms; |
91 |
+ files_search_var_lib($1) |
92 |
+') |
93 |
+ |
94 |
+######################################## |
95 |
+## <summary> |
96 |
+## Read bcfg2 lib files. |
97 |
+## </summary> |
98 |
+## <param name="domain"> |
99 |
+## <summary> |
100 |
+## Domain allowed access. |
101 |
+## </summary> |
102 |
+## </param> |
103 |
+# |
104 |
+interface(`bcfg2_read_lib_files',` |
105 |
+ gen_require(` |
106 |
+ type bcfg2_var_lib_t; |
107 |
+ ') |
108 |
+ |
109 |
+ files_search_var_lib($1) |
110 |
+ read_files_pattern($1, bcfg2_var_lib_t, bcfg2_var_lib_t) |
111 |
+') |
112 |
+ |
113 |
+######################################## |
114 |
+## <summary> |
115 |
+## Manage bcfg2 lib files. |
116 |
+## </summary> |
117 |
+## <param name="domain"> |
118 |
+## <summary> |
119 |
+## Domain allowed access. |
120 |
+## </summary> |
121 |
+## </param> |
122 |
+# |
123 |
+interface(`bcfg2_manage_lib_files',` |
124 |
+ gen_require(` |
125 |
+ type bcfg2_var_lib_t; |
126 |
+ ') |
127 |
+ |
128 |
+ files_search_var_lib($1) |
129 |
+ manage_files_pattern($1, bcfg2_var_lib_t, bcfg2_var_lib_t) |
130 |
+') |
131 |
+ |
132 |
+######################################## |
133 |
+## <summary> |
134 |
+## Manage bcfg2 lib directories. |
135 |
+## </summary> |
136 |
+## <param name="domain"> |
137 |
+## <summary> |
138 |
+## Domain allowed access. |
139 |
+## </summary> |
140 |
+## </param> |
141 |
+# |
142 |
+interface(`bcfg2_manage_lib_dirs',` |
143 |
+ gen_require(` |
144 |
+ type bcfg2_var_lib_t; |
145 |
+ ') |
146 |
+ |
147 |
+ files_search_var_lib($1) |
148 |
+ manage_dirs_pattern($1, bcfg2_var_lib_t, bcfg2_var_lib_t) |
149 |
+') |
150 |
+ |
151 |
+######################################## |
152 |
+## <summary> |
153 |
+## All of the rules required to administrate |
154 |
+## an bcfg2 environment |
155 |
+## </summary> |
156 |
+## <param name="domain"> |
157 |
+## <summary> |
158 |
+## Domain allowed access. |
159 |
+## </summary> |
160 |
+## </param> |
161 |
+## <param name="role"> |
162 |
+## <summary> |
163 |
+## Role allowed access. |
164 |
+## </summary> |
165 |
+## </param> |
166 |
+## <rolecap/> |
167 |
+# |
168 |
+interface(`bcfg2_admin',` |
169 |
+ gen_require(` |
170 |
+ type bcfg2_t; |
171 |
+ type bcfg2_initrc_exec_t; |
172 |
+ type bcfg2_var_lib_t; |
173 |
+ ') |
174 |
+ |
175 |
+ allow $1 bcfg2_t:process { ptrace signal_perms }; |
176 |
+ ps_process_pattern($1, bcfg2_t) |
177 |
+ |
178 |
+ bcfg2_initrc_domtrans($1) |
179 |
+ domain_system_change_exemption($1) |
180 |
+ role_transition $2 bcfg2_initrc_exec_t system_r; |
181 |
+ allow $2 system_r; |
182 |
+ |
183 |
+ files_search_var_lib($1) |
184 |
+ admin_pattern($1, bcfg2_var_lib_t) |
185 |
+') |
186 |
|
187 |
diff --git a/policy/modules/contrib/bcfg2.te b/policy/modules/contrib/bcfg2.te |
188 |
new file mode 100644 |
189 |
index 0000000..cf8e59f |
190 |
--- /dev/null |
191 |
+++ b/policy/modules/contrib/bcfg2.te |
192 |
@@ -0,0 +1,51 @@ |
193 |
+policy_module(bcfg2, 1.0.0) |
194 |
+ |
195 |
+######################################## |
196 |
+# |
197 |
+# Declarations |
198 |
+# |
199 |
+ |
200 |
+type bcfg2_t; |
201 |
+type bcfg2_exec_t; |
202 |
+init_daemon_domain(bcfg2_t, bcfg2_exec_t) |
203 |
+ |
204 |
+type bcfg2_initrc_exec_t; |
205 |
+init_script_file(bcfg2_initrc_exec_t) |
206 |
+ |
207 |
+type bcfg2_var_lib_t; |
208 |
+files_type(bcfg2_var_lib_t) |
209 |
+ |
210 |
+type bcfg2_var_run_t; |
211 |
+files_pid_file(bcfg2_var_run_t) |
212 |
+ |
213 |
+######################################## |
214 |
+# |
215 |
+# bcfg2 local policy |
216 |
+# |
217 |
+ |
218 |
+allow bcfg2_t self:fifo_file rw_fifo_file_perms; |
219 |
+allow bcfg2_t self:tcp_socket create_stream_socket_perms; |
220 |
+allow bcfg2_t self:unix_stream_socket { connectto create_stream_socket_perms }; |
221 |
+ |
222 |
+manage_dirs_pattern(bcfg2_t, bcfg2_var_lib_t, bcfg2_var_lib_t) |
223 |
+manage_files_pattern(bcfg2_t, bcfg2_var_lib_t, bcfg2_var_lib_t) |
224 |
+files_var_lib_filetrans(bcfg2_t, bcfg2_var_lib_t, dir ) |
225 |
+ |
226 |
+manage_files_pattern(bcfg2_t, bcfg2_var_run_t, bcfg2_var_run_t) |
227 |
+files_pid_filetrans(bcfg2_t, bcfg2_var_run_t, file ) |
228 |
+ |
229 |
+kernel_read_system_state(bcfg2_t) |
230 |
+ |
231 |
+corecmd_exec_bin(bcfg2_t) |
232 |
+ |
233 |
+dev_read_urand(bcfg2_t) |
234 |
+ |
235 |
+domain_use_interactive_fds(bcfg2_t) |
236 |
+ |
237 |
+files_read_usr_files(bcfg2_t) |
238 |
+ |
239 |
+auth_use_nsswitch(bcfg2_t) |
240 |
+ |
241 |
+logging_send_syslog_msg(bcfg2_t) |
242 |
+ |
243 |
+miscfiles_read_localization(bcfg2_t) |