
From: Sven Vermeulen <sven.vermeulen@××××××.be>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
Date: Wed, 31 Oct 2012 18:11:11
Message-Id: 1351706794.60bb96049811ee9d37e956b1980e04122faa12c7.SwifT@gentoo
1 commit: 60bb96049811ee9d37e956b1980e04122faa12c7
2 Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
3 AuthorDate: Wed Oct 31 10:06:10 2012 +0000
4 Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
5 CommitDate: Wed Oct 31 18:06:34 2012 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=60bb9604
7
8 Changes to the webalizer policy module
9
10 Remove webalizer ability to manage all http sys content and instead
11 implement httpd webalizer content type for /var/www/usage and give
12 webalizer permission to manage that
13
14 Label webazolver with webalizer exec type and allow webalizer to exec
15 webalizer exec type files
16
17 Role attribute
18 Module clean up
19
20 Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
21
22 ---
23 policy/modules/contrib/webalizer.fc | 10 +++-----
24 policy/modules/contrib/webalizer.if | 12 ++++++----
25 policy/modules/contrib/webalizer.te | 40 +++++++++++-----------------------
26 3 files changed, 24 insertions(+), 38 deletions(-)
27
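diff --git a/policy/modules/contrib/webalizer.fc b/policy/modules/contrib/webalizer.fc
index 2f40f21..64baf67 100644
--- a/policy/modules/contrib/webalizer.fc
+++ b/policy/modules/contrib/webalizer.fc
@@ -1,11 +1,9 @@
+/etc/webalizer\.conf -- gen_context(system_u:object_r:webalizer_etc_t,s0)
 
-#
-# /usr
-#
 /usr/bin/awffull -- gen_context(system_u:object_r:webalizer_exec_t,s0)
 /usr/bin/webalizer -- gen_context(system_u:object_r:webalizer_exec_t,s0)
+/usr/bin/webazolver -- gen_context(system_u:object_r:webalizer_exec_t,s0)
 
-#
-# /var
-#
 /var/lib/webalizer(/.*)? gen_context(system_u:object_r:webalizer_var_lib_t,s0)
+
+/var/www/usage(/.*)? gen_context(system_u:object_r:httpd_webalizer_content_t,s0)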
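Review bot: The new `/var/www/usage(/.*)?` entry changes the type of a path that on existing installs presumably carries the generic /var/www label, so the webalizer_t manage rules on httpd_webalizer_content_t added in webalizer.te only take effect once that tree has been relabelled (for example with restorecon after the policy update); a sentence in the commit message or a comment next to the entry would help packagers. The httpd_webalizer_content_t type is not declared in any visible hunk — presumably an apache content template call elsewhere in webalizer.te provides it — which is worth confirming, since the file context cannot load against an undeclared type.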
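diff --git a/policy/modules/contrib/webalizer.if b/policy/modules/contrib/webalizer.if
index 3c78e7c..fa28353 100644
--- a/policy/modules/contrib/webalizer.if
+++ b/policy/modules/contrib/webalizer.if
@@ -1,4 +1,4 @@
-## <summary>Web server log analysis</summary>
+## <summary>Web server log analysis.</summary>
 
 ########################################
 ## <summary>
@@ -15,13 +15,15 @@ interface(`webalizer_domtrans',`
 type webalizer_t, webalizer_exec_t;
 ')
 
+ corecmd_search_bin($1)
 domtrans_pattern($1, webalizer_exec_t, webalizer_t)
 ')
 
 ########################################
 ## <summary>
-## Execute webalizer in the webalizer domain, and
-## allow the specified role the webalizer domain.
+## Execute webalizer in the webalizer
+## domain, and allow the specified
+## role the webalizer domain.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -37,9 +39,9 @@ interface(`webalizer_domtrans',`
 #
 interface(`webalizer_run',`
 gen_require(`
- type webalizer_t;
+ attribute_role webalizer_roles;
 ')
 
 webalizer_domtrans($1)
- role $2 types webalizer_t;
+ roleattribute $2 webalizer_roles;
 ')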
90 diff --git a/policy/modules/contrib/webalizer.te b/policy/modules/contrib/webalizer.te
91 index 8ea7478..e66b661 100644
92 --- a/policy/modules/contrib/webalizer.te
93 +++ b/policy/modules/contrib/webalizer.te
94 @@ -1,14 +1,17 @@
95 -policy_module(webalizer, 1.12.0)
96 +policy_module(webalizer, 1.12.1)
97
98 ########################################
99 #
100 # Declarations
101 #
102
103 +attribute_role webalizer_roles;
104 +roleattribute system_r webalizer_roles;
105 +
106 type webalizer_t;
107 type webalizer_exec_t;
108 application_domain(webalizer_t, webalizer_exec_t)
109 -role system_r types webalizer_t;
110 +role webalizer_roles types webalizer_t;
111
112 type webalizer_etc_t;
113 files_config_file(webalizer_etc_t)
114 @@ -34,18 +37,9 @@ allow webalizer_t self:capability dac_override;
115 allow webalizer_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
116 allow webalizer_t self:fd use;
117 allow webalizer_t self:fifo_file rw_fifo_file_perms;
118 -allow webalizer_t self:sock_file read_sock_file_perms;
119 -allow webalizer_t self:shm create_shm_perms;
120 -allow webalizer_t self:sem create_sem_perms;
121 -allow webalizer_t self:msgq create_msgq_perms;
122 -allow webalizer_t self:msg { send receive };
123 -allow webalizer_t self:unix_dgram_socket create_socket_perms;
124 -allow webalizer_t self:unix_stream_socket create_stream_socket_perms;
125 allow webalizer_t self:unix_dgram_socket sendto;
126 -allow webalizer_t self:unix_stream_socket connectto;
127 -allow webalizer_t self:tcp_socket connected_stream_socket_perms;
128 -allow webalizer_t self:udp_socket { connect connected_socket_perms };
129 -allow webalizer_t self:netlink_route_socket r_netlink_socket_perms;
130 +allow webalizer_t self:unix_stream_socket { accept connectto listen };
131 +allow webalizer_t self:tcp_socket { accept listen };
132
133 allow webalizer_t webalizer_etc_t:file read_file_perms;
134
135 @@ -56,21 +50,18 @@ files_tmp_filetrans(webalizer_t, webalizer_tmp_t, { file dir })
136 manage_files_pattern(webalizer_t, webalizer_var_lib_t, webalizer_var_lib_t)
137 files_var_lib_filetrans(webalizer_t, webalizer_var_lib_t, file)
138
139 +can_exec(webalizer_t, webalizer_exec_t)
140 +
141 kernel_read_kernel_sysctls(webalizer_t)
142 kernel_read_system_state(webalizer_t)
143
144 -corenet_all_recvfrom_unlabeled(webalizer_t)
145 -corenet_all_recvfrom_netlabel(webalizer_t)
146 -corenet_tcp_sendrecv_generic_if(webalizer_t)
147 -corenet_tcp_sendrecv_generic_node(webalizer_t)
148 -corenet_tcp_sendrecv_all_ports(webalizer_t)
149 +files_read_etc_runtime_files(webalizer_t)
150
151 fs_search_auto_mountpoints(webalizer_t)
152 fs_getattr_xattr_fs(webalizer_t)
153 fs_rw_anon_inodefs_files(webalizer_t)
154
155 -files_read_etc_files(webalizer_t)
156 -files_read_etc_runtime_files(webalizer_t)
157 +auth_use_nsswitch(webalizer_t)
158
159 logging_list_logs(webalizer_t)
160 logging_send_syslog_msg(webalizer_t)
161 @@ -78,9 +69,6 @@ logging_send_syslog_msg(webalizer_t)
162 miscfiles_read_localization(webalizer_t)
163 miscfiles_read_public_files(webalizer_t)
164
165 -sysnet_dns_name_resolve(webalizer_t)
166 -sysnet_read_config(webalizer_t)
167 -
168 userdom_use_user_terminals(webalizer_t)
169 userdom_use_unpriv_users_fds(webalizer_t)
170 userdom_dontaudit_search_user_home_content(webalizer_t)
171 @@ -88,6 +76,8 @@ userdom_dontaudit_search_user_home_content(webalizer_t)
172 optional_policy(`
173 apache_read_log(webalizer_t)
174 apache_manage_sys_content(webalizer_t)
175 + manage_dirs_pattern(webalizer_t, httpd_webalizer_content_t, httpd_webalizer_content_t)
176 + manage_files_pattern(webalizer_t, httpd_webalizer_content_t, httpd_webalizer_content_t)
177 ')
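Review bot: `apache_manage_sys_content(webalizer_t)` survives this hunk as a context line, so the commit message's "remove webalizer ability to manage all http sys content" is not actually implemented — the new manage_dirs_pattern/manage_files_pattern rules on httpd_webalizer_content_t narrow nothing while the broad rule stays. If the narrowing is intended, drop the line `apache_manage_sys_content(webalizer_t)` from this optional_policy block; if it is deliberately kept until /var/www/usage has been relabelled, a comment saying so (and a follow-up to remove it) would resolve the mismatch between message and policy. Separately, in the hunk at `@@ -34,18 +37,9 @@` the new `allow webalizer_t self:tcp_socket { accept listen };` grants server-side socket permissions to a log analyser while the corenet rules are being removed; no corenet bind rule appears in the visible hunks, so it looks like dead policy and deserves either a comment naming the code path that needs it or removal.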
178
179 optional_policy(`
180 @@ -99,10 +89,6 @@ optional_policy(`
181 ')
182
183 optional_policy(`
184 - nis_use_ypbind(webalizer_t)
185 -')
186 -
187 -optional_policy(`
188 nscd_socket_use(webalizer_t)
189 ')