[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/ - gentoo-commits

From:	Sven Vermeulen <sven.vermeulen@××××××.be>
To:	gentoo-commits@l.g.o
Subject:	[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
Date:	Mon, 29 Oct 2012 14:55:35
Message-Id:	`1351522289.dda4d354bc1839e0e0a3e7b65c5768857ce62511.SwifT@gentoo`

1

commit:     dda4d354bc1839e0e0a3e7b65c5768857ce62511

2

Author:     Dominick Grift <dominick.grift <AT> gmail <DOT> com>

3

AuthorDate: Mon Oct 29 11:52:45 2012 +0000

4

Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>

5

CommitDate: Mon Oct 29 14:51:29 2012 +0000

6

URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=dda4d354

7

8

Changes to the tftp policy module

9

10

Ported from Fedora with changes

11

12

Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>

13

14

---

15

 policy/modules/contrib/tftp.if |   19 ++++++++++---------

16

 policy/modules/contrib/tftp.te |   36 +++++++++++++++++-------------------

17

 2 files changed, 27 insertions(+), 28 deletions(-)

18

19

diff --git a/policy/modules/contrib/tftp.if b/policy/modules/contrib/tftp.if

20

index d899263..f7c6ea3 100644

21

--- a/policy/modules/contrib/tftp.if

22

+++ b/policy/modules/contrib/tftp.if

23

@@ -1,8 +1,8 @@

24

-## <summary>Trivial file transfer protocol daemon</summary>

25

+## <summary>Trivial file transfer protocol daemon.</summary>

26

27

 ########################################

28

 ## <summary>

29

-##	Read tftp content

30

+##	Read tftp content files.

31

 ## </summary>

32

 ## <param name="domain">

33

 ##	<summary>

34

@@ -15,12 +15,14 @@ interface(`tftp_read_content',`

35

 		type tftpdir_t;

36

')

37

38

+	files_search_var_lib($1)

39

 	read_files_pattern($1, tftpdir_t, tftpdir_t)

40

')

41

42

 ########################################

43

 ## <summary>

44

-##	Manage tftp /var/lib files.

45

+##	Create, read, write, and delete

46

+##	tftp rw content.

47

 ## </summary>

48

 ## <param name="domain">

49

 ##	<summary>

50

@@ -143,8 +145,8 @@ interface(`tftp_filetrans_tftpdir',`

51

52

 ########################################

53

 ## <summary>

54

-##	All of the rules required to administrate

55

-##	an tftp environment

56

+##	All of the rules required to

57

+##	administrate an tftp environment.

58

 ## </summary>

59

 ## <param name="domain">

60

 ##	<summary>

61

@@ -159,15 +161,14 @@ interface(`tftp_admin',`

62

 		type tftpd_conf_t;

63

')

64

65

-	allow $1 tftpd_t:process { ptrace signal_perms getattr };

66

+	allow $1 tftpd_t:process { ptrace signal_perms };

67

 	ps_process_pattern($1, tftpd_t)

68

69

 	files_search_etc($1)

70

 	admin_pattern($1, tftpd_conf_t)

71

72

-	admin_pattern($1, tftpdir_rw_t)

73

-

74

-	admin_pattern($1, tftpdir_t)

75

+	files_search_var_lib($1)

76

+	admin_pattern($1, { tftpdir_t tftpdir_rw_t })

77

78

 	files_list_pids($1)

79

 	admin_pattern($1, tftpd_var_run_t)

80

81

diff --git a/policy/modules/contrib/tftp.te b/policy/modules/contrib/tftp.te

82

index b7c94be..0cebfd0 100644

83

--- a/policy/modules/contrib/tftp.te

84

+++ b/policy/modules/contrib/tftp.te

85

@@ -6,10 +6,12 @@ policy_module(tftp, 1.12.3)

86

#

87

88

 ## <desc>

89

-## <p>

90

-## Allow tftp to modify public files

91

-## used for public file transfer services.

92

-## </p>

93

+##	<p>

94

+##	Determine whether tftp can modify

95

+##	public files used for public file

96

+##	transfer services. Directories/Files must

97

+##	be labeled public_content_rw_t.

98

+##	</p>

99

 ## </desc>

100

 gen_tunable(tftp_anon_write, false)

101

102

@@ -43,15 +45,15 @@ files_type(tftpdir_rw_t)

103

#

104

105

 allow tftpd_t self:capability { setgid setuid sys_chroot };

106

-allow tftpd_t self:tcp_socket create_stream_socket_perms;

107

-allow tftpd_t self:udp_socket create_socket_perms;

108

-allow tftpd_t self:unix_dgram_socket create_socket_perms;

109

-allow tftpd_t self:unix_stream_socket create_stream_socket_perms;

110

 dontaudit tftpd_t self:capability sys_tty_config;

111

+allow tftpd_t self:tcp_socket { accept listen };

112

+allow tftpd_t self:unix_stream_socket { accept listen };

113

+

114

+allow tftpd_t tftpd_conf_t:file read_file_perms;

115

116

 allow tftpd_t tftpdir_t:dir list_dir_perms;

117

 allow tftpd_t tftpdir_t:file read_file_perms;

118

-allow tftpd_t tftpdir_t:lnk_file { getattr read };

119

+allow tftpd_t tftpdir_t:lnk_file read_lnk_file_perms;

120

121

 manage_dirs_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)

122

 manage_files_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)

123

@@ -65,30 +67,26 @@ kernel_read_kernel_sysctls(tftpd_t)

124

125

 corenet_all_recvfrom_unlabeled(tftpd_t)

126

 corenet_all_recvfrom_netlabel(tftpd_t)

127

-corenet_tcp_sendrecv_generic_if(tftpd_t)

128

 corenet_udp_sendrecv_generic_if(tftpd_t)

129

-corenet_tcp_sendrecv_generic_node(tftpd_t)

130

 corenet_udp_sendrecv_generic_node(tftpd_t)

131

-corenet_tcp_sendrecv_all_ports(tftpd_t)

132

-corenet_udp_sendrecv_all_ports(tftpd_t)

133

-corenet_tcp_bind_generic_node(tftpd_t)

134

 corenet_udp_bind_generic_node(tftpd_t)

135

-corenet_udp_bind_tftp_port(tftpd_t)

136

+

137

 corenet_sendrecv_tftp_server_packets(tftpd_t)

138

+corenet_udp_bind_tftp_port(tftpd_t)

139

+corenet_udp_sendrecv_tftp_port(tftpd_t)

140

141

 dev_read_sysfs(tftpd_t)

142

143

-fs_getattr_all_fs(tftpd_t)

144

-fs_search_auto_mountpoints(tftpd_t)

145

-

146

 domain_use_interactive_fds(tftpd_t)

147

148

-files_read_etc_files(tftpd_t)

149

 files_read_etc_runtime_files(tftpd_t)

150

 files_read_var_files(tftpd_t)

151

 files_read_var_symlinks(tftpd_t)

152

 files_search_var(tftpd_t)

153

154

+fs_getattr_all_fs(tftpd_t)

155

+fs_search_auto_mountpoints(tftpd_t)

156

+

157

 auth_use_nsswitch(tftpd_t)

158

159

 logging_send_syslog_msg(tftpd_t)

1	commit: dda4d354bc1839e0e0a3e7b65c5768857ce62511
2	Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
3	AuthorDate: Mon Oct 29 11:52:45 2012 +0000
4	Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
5	CommitDate: Mon Oct 29 14:51:29 2012 +0000
6	URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=dda4d354
7
8	Changes to the tftp policy module
9
10	Ported from Fedora with changes
11
12	Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
13
14	---
15	policy/modules/contrib/tftp.if \| 19 ++++++++++---------
16	policy/modules/contrib/tftp.te \| 36 +++++++++++++++++-------------------
17	2 files changed, 27 insertions(+), 28 deletions(-)
18
19	diff --git a/policy/modules/contrib/tftp.if b/policy/modules/contrib/tftp.if
20	index d899263..f7c6ea3 100644
21	--- a/policy/modules/contrib/tftp.if
22	+++ b/policy/modules/contrib/tftp.if
23	@@ -1,8 +1,8 @@
24	-## <summary>Trivial file transfer protocol daemon</summary>
25	+## <summary>Trivial file transfer protocol daemon.</summary>
26
27	########################################
28	## <summary>
29	-## Read tftp content
30	+## Read tftp content files.
31	## </summary>
32	## <param name="domain">
33	## <summary>
34	@@ -15,12 +15,14 @@ interface(`tftp_read_content',`
35	type tftpdir_t;
36	')
37
38	+ files_search_var_lib($1)
39	read_files_pattern($1, tftpdir_t, tftpdir_t)
40	')
41
42	########################################
43	## <summary>
44	-## Manage tftp /var/lib files.
45	+## Create, read, write, and delete
46	+## tftp rw content.
47	## </summary>
48	## <param name="domain">
49	## <summary>
50	@@ -143,8 +145,8 @@ interface(`tftp_filetrans_tftpdir',`
51
52	########################################
53	## <summary>
54	-## All of the rules required to administrate
55	-## an tftp environment
56	+## All of the rules required to
57	+## administrate an tftp environment.
58	## </summary>
59	## <param name="domain">
60	## <summary>
61	@@ -159,15 +161,14 @@ interface(`tftp_admin',`
62	type tftpd_conf_t;
63	')
64
65	- allow $1 tftpd_t:process { ptrace signal_perms getattr };
66	+ allow $1 tftpd_t:process { ptrace signal_perms };
67	ps_process_pattern($1, tftpd_t)
68
69	files_search_etc($1)
70	admin_pattern($1, tftpd_conf_t)
71
72	- admin_pattern($1, tftpdir_rw_t)
73	-
74	- admin_pattern($1, tftpdir_t)
75	+ files_search_var_lib($1)
76	+ admin_pattern($1, { tftpdir_t tftpdir_rw_t })
77
78	files_list_pids($1)
79	admin_pattern($1, tftpd_var_run_t)
80
81	diff --git a/policy/modules/contrib/tftp.te b/policy/modules/contrib/tftp.te
82	index b7c94be..0cebfd0 100644
83	--- a/policy/modules/contrib/tftp.te
84	+++ b/policy/modules/contrib/tftp.te
85	@@ -6,10 +6,12 @@ policy_module(tftp, 1.12.3)
86	#
87
88	## <desc>
89	-## <p>
90	-## Allow tftp to modify public files
91	-## used for public file transfer services.
92	-## </p>
93	+## <p>
94	+## Determine whether tftp can modify
95	+## public files used for public file
96	+## transfer services. Directories/Files must
97	+## be labeled public_content_rw_t.
98	+## </p>
99	## </desc>
100	gen_tunable(tftp_anon_write, false)
101
102	@@ -43,15 +45,15 @@ files_type(tftpdir_rw_t)
103	#
104
105	allow tftpd_t self:capability { setgid setuid sys_chroot };
106	-allow tftpd_t self:tcp_socket create_stream_socket_perms;
107	-allow tftpd_t self:udp_socket create_socket_perms;
108	-allow tftpd_t self:unix_dgram_socket create_socket_perms;
109	-allow tftpd_t self:unix_stream_socket create_stream_socket_perms;
110	dontaudit tftpd_t self:capability sys_tty_config;
111	+allow tftpd_t self:tcp_socket { accept listen };
112	+allow tftpd_t self:unix_stream_socket { accept listen };
113	+
114	+allow tftpd_t tftpd_conf_t:file read_file_perms;
115
116	allow tftpd_t tftpdir_t:dir list_dir_perms;
117	allow tftpd_t tftpdir_t:file read_file_perms;
118	-allow tftpd_t tftpdir_t:lnk_file { getattr read };
119	+allow tftpd_t tftpdir_t:lnk_file read_lnk_file_perms;
120
121	manage_dirs_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)
122	manage_files_pattern(tftpd_t, tftpdir_rw_t, tftpdir_rw_t)
123	@@ -65,30 +67,26 @@ kernel_read_kernel_sysctls(tftpd_t)
124
125	corenet_all_recvfrom_unlabeled(tftpd_t)
126	corenet_all_recvfrom_netlabel(tftpd_t)
127	-corenet_tcp_sendrecv_generic_if(tftpd_t)
128	corenet_udp_sendrecv_generic_if(tftpd_t)
129	-corenet_tcp_sendrecv_generic_node(tftpd_t)
130	corenet_udp_sendrecv_generic_node(tftpd_t)
131	-corenet_tcp_sendrecv_all_ports(tftpd_t)
132	-corenet_udp_sendrecv_all_ports(tftpd_t)
133	-corenet_tcp_bind_generic_node(tftpd_t)
134	corenet_udp_bind_generic_node(tftpd_t)
135	-corenet_udp_bind_tftp_port(tftpd_t)
136	+
137	corenet_sendrecv_tftp_server_packets(tftpd_t)
138	+corenet_udp_bind_tftp_port(tftpd_t)
139	+corenet_udp_sendrecv_tftp_port(tftpd_t)
140
141	dev_read_sysfs(tftpd_t)
142
143	-fs_getattr_all_fs(tftpd_t)
144	-fs_search_auto_mountpoints(tftpd_t)
145	-
146	domain_use_interactive_fds(tftpd_t)
147
148	-files_read_etc_files(tftpd_t)
149	files_read_etc_runtime_files(tftpd_t)
150	files_read_var_files(tftpd_t)
151	files_read_var_symlinks(tftpd_t)
152	files_search_var(tftpd_t)
153
154	+fs_getattr_all_fs(tftpd_t)
155	+fs_search_auto_mountpoints(tftpd_t)
156	+
157	auth_use_nsswitch(tftpd_t)
158
159	logging_send_syslog_msg(tftpd_t)

Gentoo Archives: gentoo-commits