commit: dda4d354bc1839e0e0a3e7b65c5768857ce62511 |
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com> |
AuthorDate: Mon Oct 29 11:52:45 2012 +0000 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
CommitDate: Mon Oct 29 14:51:29 2012 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=dda4d354 |
|
Changes to the tftp policy module |
|
Ported from Fedora with changes |
|
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com> |
|
--- |
policy/modules/contrib/tftp.if | 19 ++++++++++--------- |
policy/modules/contrib/tftp.te | 36 +++++++++++++++++------------------- |
2 files changed, 27 insertions(+), 28 deletions(-) |
|
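diff --git a/policy/modules/contrib/tftp.if b/policy/modules/contrib/tftp.if
index d899263..f7c6ea3 100644
--- a/policy/modules/contrib/tftp.if
+++ b/policy/modules/contrib/tftp.if
@@ -1,8 +1,8 @@
-## <summary>Trivial file transfer protocol daemon</summary>
+## <summary>Trivial file transfer protocol daemon.</summary>
 
 ########################################
 ## <summary>
-## Read tftp content
+## Read tftp content files.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -15,12 +15,14 @@ interface(`tftp_read_content',`
 type tftpdir_t;
 ')
 
+ files_search_var_lib($1)
 read_files_pattern($1, tftpdir_t, tftpdir_t)
 ')
 
 ########################################
 ## <summary>
-## Manage tftp /var/lib files.
+## Create, read, write, and delete
+## tftp rw content.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -143,8 +145,8 @@ interface(`tftp_filetrans_tftpdir',`
 
 ########################################
 ## <summary>
-## All of the rules required to administrate
-## an tftp environment
+## All of the rules required to
+## administrate an tftp environment.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -159,15 +161,14 @@ interface(`tftp_admin',`
 type tftpd_conf_t;
 ')
 
- allow $1 tftpd_t:process { ptrace signal_perms getattr };
+ allow $1 tftpd_t:process { ptrace signal_perms };
 ps_process_pattern($1, tftpd_t)
 
 files_search_etc($1)
 admin_pattern($1, tftpd_conf_t)
 
- admin_pattern($1, tftpdir_rw_t)
-
- admin_pattern($1, tftpdir_t)
+ files_search_var_lib($1)
+ admin_pattern($1, { tftpdir_t tftpdir_rw_t })
 
 files_list_pids($1)
 admin_pattern($1, tftpd_var_run_t)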
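Review bot: In `tftp_admin` the rewritten rule `allow $1 tftpd_t:process { ptrace signal_perms };` still gives ptrace over the daemon to every domain that calls the interface, so the admin domain can read and alter tftpd_t's memory rather than only signal and inspect it. The commit trims `getattr` (presumably because `ps_process_pattern($1, tftpd_t)` on the next line already covers it) but keeps the much stronger permission; if administration only needs signalling, `allow $1 tftpd_t:process signal_perms;` is the least-privilege form, and otherwise the ptrace grant is better placed behind a tunable. Separately, the reflowed summary still reads "an tftp environment" and could become "a tftp environment". The body of `tftp_admin` begins above and continues below this hunk.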
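diff --git a/policy/modules/contrib/tftp.te b/policy/modules/contrib/tftp.te
index b7c94be..0cebfd0 100644
--- a/policy/modules/contrib/tftp.te
+++ b/policy/modules/contrib/tftp.te
@@ -6,10 +6,12 @@ policy_module(tftp, 1.12.3)
 #
 
 ## <desc>
-## <p>
-## Allow tftp to modify public files
-## used for public file transfer services.
-## </p>
+## <p>
+## Determine whether tftp can modify
+## public files used for public file
+## transfer services. Directories/Files must
+## be labeled public_content_rw_t.
+## </p>
 ## </desc>
 gen_tunable(tftp_anon_write, false)
 
@@ -43,15 +45,15 @@ files_type(tftpdir_rw_t)
 #
 
 allow tftpd_t self:capability { setgid setuid sys_chroot };
-allow tftpd_t self:tcp_socket create_stream_socket_perms;
-allow tftpd_t self:udp_socket create_socket_perms;
-allow tftpd_t self:unix_dgram_socket create_socket_perms;
-allow tftpd_t self:unix_stream_socket create_stream_socket_perms;
 dontaudit tftpd_t self:capability sys_tty_config;
+allow tftpd_t self:tcp_socket { accept listen };
+allow tftpd_t self:unix_stream_socket { accept listen };
+
+allow tftpd_t tftpd_conf_t:file read_file_perms;
 
 allow tftpd_t tftpdir_t:dir list_dir_perms;
 allow tftpd_t tftpdir_t:file read_file_perms;
-allow tftpd_t tftpdir_t:lnk_file { getattr read };
+allow tftpd_t tftpdir_t:lnk_file read_lnk_file_perms;
 
 manage_dirs_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)
 manage_files_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)
@@ -65,30 +67,26 @@ kernel_read_kernel_sysctls(tftpd_t)
 
 corenet_all_recvfrom_unlabeled(tftpd_t)
 corenet_all_recvfrom_netlabel(tftpd_t)
-corenet_tcp_sendrecv_generic_if(tftpd_t)
 corenet_udp_sendrecv_generic_if(tftpd_t)
-corenet_tcp_sendrecv_generic_node(tftpd_t)
 corenet_udp_sendrecv_generic_node(tftpd_t)
-corenet_tcp_sendrecv_all_ports(tftpd_t)
-corenet_udp_sendrecv_all_ports(tftpd_t)
-corenet_tcp_bind_generic_node(tftpd_t)
 corenet_udp_bind_generic_node(tftpd_t)
-corenet_udp_bind_tftp_port(tftpd_t)
+
 corenet_sendrecv_tftp_server_packets(tftpd_t)
+corenet_udp_bind_tftp_port(tftpd_t)
+corenet_udp_sendrecv_tftp_port(tftpd_t)
 
 dev_read_sysfs(tftpd_t)
 
-fs_getattr_all_fs(tftpd_t)
-fs_search_auto_mountpoints(tftpd_t)
-
 domain_use_interactive_fds(tftpd_t)
 
-files_read_etc_files(tftpd_t)
 files_read_etc_runtime_files(tftpd_t)
 files_read_var_files(tftpd_t)
 files_read_var_symlinks(tftpd_t)
 files_search_var(tftpd_t)
 
+fs_getattr_all_fs(tftpd_t)
+fs_search_auto_mountpoints(tftpd_t)
+
 auth_use_nsswitch(tftpd_t)
 
 logging_send_syslog_msg(tftpd_t)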
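Review bot: In the `@@ -43,15 +45,15 @@` hunk the new `allow tftpd_t self:tcp_socket { accept listen };` looks like a leftover for a UDP service: the last hunk of this section removes every TCP network rule (`corenet_tcp_sendrecv_*`, `corenet_tcp_bind_generic_node`), yet the domain keeps the right to listen on and accept TCP connections. Unless the daemon is known to need it, dropping that line keeps the confined domain's socket permissions in step with the UDP-only network rules that remain. The same hunk removes `self:udp_socket create_socket_perms` without a visible replacement; it is presumably supplied by `auth_use_nsswitch(tftpd_t)` further down, so a comment such as `# udp_socket create perms are provided by auth_use_nsswitch()` would make that dependency explicit once confirmed against the interface.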