commit: 9caabe581b7b6991b61229fd89880d66c813856b |
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com> |
AuthorDate: Fri Nov 2 12:28:33 2012 +0000 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
CommitDate: Fri Nov 2 19:08:11 2012 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=9caabe58 |
|
Changes to the xfs policy module |
|
Add init script file |
Add xfs_admin() |
Modules clean up |
|
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com> |
|
--- |
policy/modules/contrib/xfs.fc | 3 ++ |
policy/modules/contrib/xfs.if | 50 ++++++++++++++++++++++++++++++++++++----- |
policy/modules/contrib/xfs.te | 27 ++++++++++----------- |
3 files changed, 60 insertions(+), 20 deletions(-) |
|
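diff --git a/policy/modules/contrib/xfs.fc b/policy/modules/contrib/xfs.fc
index b98d9ed..85b9c0f 100644
--- a/policy/modules/contrib/xfs.fc
+++ b/policy/modules/contrib/xfs.fc
@@ -1,3 +1,4 @@
+/etc/rc\.d/init\.d/xfs -- gen_context(system_u:object_r:xfs_initrc_exec_t,s0)
 
 /tmp/\.font-unix(/.*)? gen_context(system_u:object_r:xfs_tmp_t,s0)
 
@@ -6,3 +7,5 @@
 
 /usr/X11R6/bin/xfs -- gen_context(system_u:object_r:xfs_exec_t,s0)
 /usr/X11R6/bin/xfs-xtt -- gen_context(system_u:object_r:xfs_exec_t,s0)
+
+/var/run/xfs.* -- gen_context(system_u:object_r:xfs_var_run_t,s0)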
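Review bot: The added `/var/run/xfs.*` entry matches more than the font server's own runtime files: the dot is unescaped and `.*` also crosses `/`, so any regular file under /var/run whose path begins with `xfs` is labelled xfs_var_run_t. That type is fully managed by xfs_t (xfs.te) and handed to the admin domain by xfs_admin() (xfs.if), so a stray match widens both. If the daemon only writes a PID file, an anchored form such as `/var/run/xfs\.pid -- gen_context(system_u:object_r:xfs_var_run_t,s0)` would be tighter; the actual file name is not visible in this diff, so confirm it before narrowing.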
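diff --git a/policy/modules/contrib/xfs.if b/policy/modules/contrib/xfs.if
index aa6e5a8..4570b86 100644
--- a/policy/modules/contrib/xfs.if
+++ b/policy/modules/contrib/xfs.if
@@ -1,8 +1,8 @@
-## <summary>X Windows Font Server </summary>
+## <summary>X Windows Font Server.</summary>
 
 ########################################
 ## <summary>
-## Read a X font server named socket.
+## Read xfs temporary sock files.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -21,8 +21,8 @@ interface(`xfs_read_sockets',`
 
 ########################################
 ## <summary>
-## Connect to a X font server over
-## a unix domain stream socket.
+## Connect to xfs with a unix
+## domain stream socket.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -41,8 +41,7 @@ interface(`xfs_stream_connect',`
 
 ########################################
 ## <summary>
-## Allow the specified domain to execute xfs
-## in the caller domain.
+## Execute xfs in the caller domain.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -55,5 +54,44 @@ interface(`xfs_exec',`
 type xfs_exec_t;
 ')
 
+ corecmd_search_bin($1)
 can_exec($1, xfs_exec_t)
 ')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an xfs environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`xfs_admin',`
+ gen_require(`
+ type xfs_t, xfs_initrc_exec_t, xfs_var_run_t;
+ type xfs_tmp_t;
+ ')
+
+ allow $1 xfs_t:process { ptrace signal_perms };
+ ps_process_pattern($1, xfs_t)
+
+ init_labeled_script_domtrans($1, xfs_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 xfs_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_search_pids($1)
+ admin_pattern($1, xfs_var_run_t)
+
+ files_search_tmp($1)
+ admin_pattern($1, xfs_tmp_t)
+')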
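Review bot: `xfs_admin` grants `ptrace` on xfs_t unconditionally in `allow $1 xfs_t:process { ptrace signal_perms };`, and the interface summary does not mention it. xfs_t holds dac_override, setgid and setuid (see xfs.te), so an admin domain that can attach to the daemon effectively gains the use of those capabilities. Consider `allow $1 xfs_t:process signal_perms;` as the default, with ptrace granted separately only to roles that need to debug the daemon. Failing that, the summary should state that the interface includes ptrace and a role transition to system_r through the init script, so callers know what they are delegating.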
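diff --git a/policy/modules/contrib/xfs.te b/policy/modules/contrib/xfs.te
index 11c1b12..0cea2cd 100644
--- a/policy/modules/contrib/xfs.te
+++ b/policy/modules/contrib/xfs.te
@@ -1,4 +1,4 @@
-policy_module(xfs, 1.6.0)
+policy_module(xfs, 1.6.1)
 
 ########################################
 #
@@ -9,6 +9,9 @@ type xfs_t;
 type xfs_exec_t;
 init_daemon_domain(xfs_t, xfs_exec_t)
 
+type xfs_initrc_exec_t;
+init_script_file(xfs_initrc_exec_t)
+
 type xfs_tmp_t;
 files_tmp_file(xfs_tmp_t)
 
@@ -23,9 +26,8 @@ files_pid_file(xfs_var_run_t)
 allow xfs_t self:capability { dac_override setgid setuid };
 dontaudit xfs_t self:capability sys_tty_config;
 allow xfs_t self:process { signal_perms setpgid };
-allow xfs_t self:unix_stream_socket create_stream_socket_perms;
-allow xfs_t self:unix_dgram_socket create_socket_perms;
-allow xfs_t self:tcp_socket create_stream_socket_perms;
+allow xfs_t self:unix_stream_socket { accept listen };
+allow xfs_t self:tcp_socket { accept listen };
 
 manage_dirs_pattern(xfs_t, xfs_tmp_t, xfs_tmp_t)
 manage_sock_files_pattern(xfs_t, xfs_tmp_t, xfs_tmp_t)
@@ -34,6 +36,8 @@ files_tmp_filetrans(xfs_t, xfs_tmp_t, { sock_file dir })
 manage_files_pattern(xfs_t, xfs_var_run_t, xfs_var_run_t)
 files_pid_filetrans(xfs_t, xfs_var_run_t, file)
 
+can_exec(xfs_t, xfs_exec_t)
+
 kernel_read_kernel_sysctls(xfs_t)
 kernel_read_system_state(xfs_t)
 
@@ -41,10 +45,11 @@ corenet_all_recvfrom_unlabeled(xfs_t)
 corenet_all_recvfrom_netlabel(xfs_t)
 corenet_tcp_sendrecv_generic_if(xfs_t)
 corenet_tcp_sendrecv_generic_node(xfs_t)
-corenet_tcp_sendrecv_all_ports(xfs_t)
 corenet_tcp_bind_generic_node(xfs_t)
-corenet_tcp_bind_xfs_port(xfs_t)
+
 corenet_sendrecv_xfs_server_packets(xfs_t)
+corenet_tcp_bind_xfs_port(xfs_t)
+corenet_tcp_sendrecv_xfs_port(xfs_t)
 
 corecmd_list_bin(xfs_t)
 
@@ -57,12 +62,13 @@ fs_search_auto_mountpoints(xfs_t)
 
 domain_use_interactive_fds(xfs_t)
 
-files_read_etc_files(xfs_t)
 files_read_etc_runtime_files(xfs_t)
 files_read_usr_files(xfs_t)
 
 auth_use_nsswitch(xfs_t)
 
+init_script_tmp_filetrans(xfs_t, xfs_tmp_t, sock_file, "fs7100")
+
 logging_send_syslog_msg(xfs_t)
 
 miscfiles_read_localization(xfs_t)
@@ -71,13 +77,6 @@ miscfiles_read_fonts(xfs_t)
 userdom_dontaudit_use_unpriv_user_fds(xfs_t)
 userdom_dontaudit_search_user_home_dirs(xfs_t)
 
-xfs_exec(xfs_t)
-
-ifdef(`distro_debian',`
- # for /tmp/.font-unix/fs7100
- init_script_tmp_filetrans(xfs_t, xfs_tmp_t, sock_file)
-')
-
 optional_policy(`
 seutil_sigchld_newrole(xfs_t)
 ')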
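Review bot: With the self-socket rules reduced to `allow xfs_t self:unix_stream_socket { accept listen };` and `allow xfs_t self:tcp_socket { accept listen };`, and the unix_dgram_socket rule dropped, no visible rule grants create, bind or connect on the domain's own sockets. Presumably those permissions now come from interfaces such as auth_use_nsswitch() and logging_send_syslog_msg(), whose bodies are outside this diff. A comment above the two rules, for example `# create/bind/connect perms are supplied by <interface>(); only accept/listen are added here`, would keep a later clean-up from silently breaking the daemon, and the result is worth checking against AVC denials on a running xfs. The now-unconditional `init_script_tmp_filetrans(xfs_t, xfs_tmp_t, sock_file, "fs7100")` also lost its `# for /tmp/.font-unix/fs7100` comment, which was the only explanation of the file name.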