| 1 |
commit: 9caabe581b7b6991b61229fd89880d66c813856b |
| 2 |
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com> |
| 3 |
AuthorDate: Fri Nov 2 12:28:33 2012 +0000 |
| 4 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
| 5 |
CommitDate: Fri Nov 2 19:08:11 2012 +0000 |
| 6 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=9caabe58 |
| 7 |
|
| 8 |
Changes to the xfs policy module |
| 9 |
|
| 10 |
Add init script file |
| 11 |
Add xfs_admin() |
| 12 |
Modules clean up |
| 13 |
|
| 14 |
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com> |
| 15 |
|
| 16 |
--- |
| 17 |
policy/modules/contrib/xfs.fc | 3 ++ |
| 18 |
policy/modules/contrib/xfs.if | 50 ++++++++++++++++++++++++++++++++++++----- |
| 19 |
policy/modules/contrib/xfs.te | 27 ++++++++++----------- |
| 20 |
3 files changed, 60 insertions(+), 20 deletions(-) |
| 21 |
|
| 22 |
diff --git a/policy/modules/contrib/xfs.fc b/policy/modules/contrib/xfs.fc |
| 23 |
index b98d9ed..85b9c0f 100644 |
| 24 |
--- a/policy/modules/contrib/xfs.fc |
| 25 |
+++ b/policy/modules/contrib/xfs.fc |
| 26 |
@@ -1,3 +1,4 @@ |
| 27 |
+/etc/rc\.d/init\.d/xfs -- gen_context(system_u:object_r:xfs_initrc_exec_t,s0) |
| 28 |
|
| 29 |
/tmp/\.font-unix(/.*)? gen_context(system_u:object_r:xfs_tmp_t,s0) |
| 30 |
|
| 31 |
@@ -6,3 +7,5 @@ |
| 32 |
|
| 33 |
/usr/X11R6/bin/xfs -- gen_context(system_u:object_r:xfs_exec_t,s0) |
| 34 |
/usr/X11R6/bin/xfs-xtt -- gen_context(system_u:object_r:xfs_exec_t,s0) |
| 35 |
+ |
| 36 |
+/var/run/xfs.* -- gen_context(system_u:object_r:xfs_var_run_t,s0) |
| 37 |
|
| 38 |
diff --git a/policy/modules/contrib/xfs.if b/policy/modules/contrib/xfs.if |
| 39 |
index aa6e5a8..4570b86 100644 |
| 40 |
--- a/policy/modules/contrib/xfs.if |
| 41 |
+++ b/policy/modules/contrib/xfs.if |
| 42 |
@@ -1,8 +1,8 @@ |
| 43 |
-## <summary>X Windows Font Server </summary> |
| 44 |
+## <summary>X Windows Font Server.</summary> |
| 45 |
|
| 46 |
######################################## |
| 47 |
## <summary> |
| 48 |
-## Read a X font server named socket. |
| 49 |
+## Read xfs temporary sock files. |
| 50 |
## </summary> |
| 51 |
## <param name="domain"> |
| 52 |
## <summary> |
| 53 |
@@ -21,8 +21,8 @@ interface(`xfs_read_sockets',` |
| 54 |
|
| 55 |
######################################## |
| 56 |
## <summary> |
| 57 |
-## Connect to a X font server over |
| 58 |
-## a unix domain stream socket. |
| 59 |
+## Connect to xfs with a unix |
| 60 |
+## domain stream socket. |
| 61 |
## </summary> |
| 62 |
## <param name="domain"> |
| 63 |
## <summary> |
| 64 |
@@ -41,8 +41,7 @@ interface(`xfs_stream_connect',` |
| 65 |
|
| 66 |
######################################## |
| 67 |
## <summary> |
| 68 |
-## Allow the specified domain to execute xfs |
| 69 |
-## in the caller domain. |
| 70 |
+## Execute xfs in the caller domain. |
| 71 |
## </summary> |
| 72 |
## <param name="domain"> |
| 73 |
## <summary> |
| 74 |
@@ -55,5 +54,44 @@ interface(`xfs_exec',` |
| 75 |
type xfs_exec_t; |
| 76 |
') |
| 77 |
|
| 78 |
+ corecmd_search_bin($1) |
| 79 |
can_exec($1, xfs_exec_t) |
| 80 |
') |
| 81 |
+ |
| 82 |
+######################################## |
| 83 |
+## <summary> |
| 84 |
+## All of the rules required to |
| 85 |
+## administrate an xfs environment. |
| 86 |
+## </summary> |
| 87 |
+## <param name="domain"> |
| 88 |
+## <summary> |
| 89 |
+## Domain allowed access. |
| 90 |
+## </summary> |
| 91 |
+## </param> |
| 92 |
+## <param name="role"> |
| 93 |
+## <summary> |
| 94 |
+## Role allowed access. |
| 95 |
+## </summary> |
| 96 |
+## </param> |
| 97 |
+## <rolecap/> |
| 98 |
+# |
| 99 |
+interface(`xfs_admin',` |
| 100 |
+ gen_require(` |
| 101 |
+ type xfs_t, xfs_initrc_exec_t, xfs_var_run_t; |
| 102 |
+ type xfs_tmp_t; |
| 103 |
+ ') |
| 104 |
+ |
| 105 |
+ allow $1 xfs_t:process { ptrace signal_perms }; |
| 106 |
+ ps_process_pattern($1, xfs_t) |
| 107 |
+ |
| 108 |
+ init_labeled_script_domtrans($1, xfs_initrc_exec_t) |
| 109 |
+ domain_system_change_exemption($1) |
| 110 |
+ role_transition $2 xfs_initrc_exec_t system_r; |
| 111 |
+ allow $2 system_r; |
| 112 |
+ |
| 113 |
+ files_search_pids($1) |
| 114 |
+ admin_pattern($1, xfs_var_run_t) |
| 115 |
+ |
| 116 |
+ files_search_tmp($1) |
| 117 |
+ admin_pattern($1, xfs_tmp_t) |
| 118 |
+') |
| 119 |
|
| 120 |
diff --git a/policy/modules/contrib/xfs.te b/policy/modules/contrib/xfs.te |
| 121 |
index 11c1b12..0cea2cd 100644 |
| 122 |
--- a/policy/modules/contrib/xfs.te |
| 123 |
+++ b/policy/modules/contrib/xfs.te |
| 124 |
@@ -1,4 +1,4 @@ |
| 125 |
-policy_module(xfs, 1.6.0) |
| 126 |
+policy_module(xfs, 1.6.1) |
| 127 |
|
| 128 |
######################################## |
| 129 |
# |
| 130 |
@@ -9,6 +9,9 @@ type xfs_t; |
| 131 |
type xfs_exec_t; |
| 132 |
init_daemon_domain(xfs_t, xfs_exec_t) |
| 133 |
|
| 134 |
+type xfs_initrc_exec_t; |
| 135 |
+init_script_file(xfs_initrc_exec_t) |
| 136 |
+ |
| 137 |
type xfs_tmp_t; |
| 138 |
files_tmp_file(xfs_tmp_t) |
| 139 |
|
| 140 |
@@ -23,9 +26,8 @@ files_pid_file(xfs_var_run_t) |
| 141 |
allow xfs_t self:capability { dac_override setgid setuid }; |
| 142 |
dontaudit xfs_t self:capability sys_tty_config; |
| 143 |
allow xfs_t self:process { signal_perms setpgid }; |
| 144 |
-allow xfs_t self:unix_stream_socket create_stream_socket_perms; |
| 145 |
-allow xfs_t self:unix_dgram_socket create_socket_perms; |
| 146 |
-allow xfs_t self:tcp_socket create_stream_socket_perms; |
| 147 |
+allow xfs_t self:unix_stream_socket { accept listen }; |
| 148 |
+allow xfs_t self:tcp_socket { accept listen }; |
| 149 |
|
| 150 |
manage_dirs_pattern(xfs_t, xfs_tmp_t, xfs_tmp_t) |
| 151 |
manage_sock_files_pattern(xfs_t, xfs_tmp_t, xfs_tmp_t) |
| 152 |
@@ -34,6 +36,8 @@ files_tmp_filetrans(xfs_t, xfs_tmp_t, { sock_file dir }) |
| 153 |
manage_files_pattern(xfs_t, xfs_var_run_t, xfs_var_run_t) |
| 154 |
files_pid_filetrans(xfs_t, xfs_var_run_t, file) |
| 155 |
|
| 156 |
+can_exec(xfs_t, xfs_exec_t) |
| 157 |
+ |
| 158 |
kernel_read_kernel_sysctls(xfs_t) |
| 159 |
kernel_read_system_state(xfs_t) |
| 160 |
|
| 161 |
@@ -41,10 +45,11 @@ corenet_all_recvfrom_unlabeled(xfs_t) |
| 162 |
corenet_all_recvfrom_netlabel(xfs_t) |
| 163 |
corenet_tcp_sendrecv_generic_if(xfs_t) |
| 164 |
corenet_tcp_sendrecv_generic_node(xfs_t) |
| 165 |
-corenet_tcp_sendrecv_all_ports(xfs_t) |
| 166 |
corenet_tcp_bind_generic_node(xfs_t) |
| 167 |
-corenet_tcp_bind_xfs_port(xfs_t) |
| 168 |
+ |
| 169 |
corenet_sendrecv_xfs_server_packets(xfs_t) |
| 170 |
+corenet_tcp_bind_xfs_port(xfs_t) |
| 171 |
+corenet_tcp_sendrecv_xfs_port(xfs_t) |
| 172 |
|
| 173 |
corecmd_list_bin(xfs_t) |
| 174 |
|
| 175 |
@@ -57,12 +62,13 @@ fs_search_auto_mountpoints(xfs_t) |
| 176 |
|
| 177 |
domain_use_interactive_fds(xfs_t) |
| 178 |
|
| 179 |
-files_read_etc_files(xfs_t) |
| 180 |
files_read_etc_runtime_files(xfs_t) |
| 181 |
files_read_usr_files(xfs_t) |
| 182 |
|
| 183 |
auth_use_nsswitch(xfs_t) |
| 184 |
|
| 185 |
+init_script_tmp_filetrans(xfs_t, xfs_tmp_t, sock_file, "fs7100") |
| 186 |
+ |
| 187 |
logging_send_syslog_msg(xfs_t) |
| 188 |
|
| 189 |
miscfiles_read_localization(xfs_t) |
| 190 |
@@ -71,13 +77,6 @@ miscfiles_read_fonts(xfs_t) |
| 191 |
userdom_dontaudit_use_unpriv_user_fds(xfs_t) |
| 192 |
userdom_dontaudit_search_user_home_dirs(xfs_t) |
| 193 |
|
| 194 |
-xfs_exec(xfs_t) |
| 195 |
- |
| 196 |
-ifdef(`distro_debian',` |
| 197 |
- # for /tmp/.font-unix/fs7100 |
| 198 |
- init_script_tmp_filetrans(xfs_t, xfs_tmp_t, sock_file) |
| 199 |
-') |
| 200 |
- |
| 201 |
optional_policy(` |
| 202 |
seutil_sigchld_newrole(xfs_t) |
| 203 |
') |
Archives