Gentoo Archives: gentoo-commits

From: Sven Vermeulen <sven.vermeulen@××××××.be>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
Date: Tue, 02 Oct 2012 18:23:39
Message-Id: 1349201153.96b4fba13ba34b1a70bbf39a8a374e34712d8bab.SwifT@gentoo
1 commit: 96b4fba13ba34b1a70bbf39a8a374e34712d8bab
2 Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
3 AuthorDate: Mon Oct 1 07:52:36 2012 +0000
4 Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
5 CommitDate: Tue Oct 2 18:05:53 2012 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=96b4fba1
7
8 Changes to the fetchmail policy module
9
10 Ported from Fedora with changes
11 Added init script file type
12
13 Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
14
15 ---
16 policy/modules/contrib/fetchmail.fc | 22 +++++++------------
17 policy/modules/contrib/fetchmail.if | 20 ++++++++++++++---
18 policy/modules/contrib/fetchmail.te | 40 ++++++++++++++++------------------
19 3 files changed, 43 insertions(+), 39 deletions(-)
20
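--- a/policy/modules/contrib/fetchmail.fc
+++ b/policy/modules/contrib/fetchmail.fc
@@ -1,19 +1,13 @@
+HOME_DIR/\.fetchmailrc -- gen_context(system_u:object_r:fetchmail_home_t,s0)
 
-#
-# /etc
-#
+/etc/fetchmailrc -- gen_context(system_u:object_r:fetchmail_etc_t,s0)
 
-/etc/fetchmailrc -- gen_context(system_u:object_r:fetchmail_etc_t,s0)
+/etc/rc\.d/init\.d/fetchmail -- gen_context(system_u:object_r:fetchmail_initrc_exec_t,s0)
 
-#
-# /usr
-#
+/usr/bin/fetchmail -- gen_context(system_u:object_r:fetchmail_exec_t,s0)
 
-/usr/bin/fetchmail -- gen_context(system_u:object_r:fetchmail_exec_t,s0)
+/var/lib/fetchmail(/.*)? gen_context(system_u:object_r:fetchmail_uidl_cache_t,s0)
 
-#
-# /var
-#
-/var/lib/fetchmail(/.*)? gen_context(system_u:object_r:fetchmail_uidl_cache_t,s0)
-/var/mail/\.fetchmail-UIDL-cache -- gen_context(system_u:object_r:fetchmail_uidl_cache_t,s0)
-/var/run/fetchmail/.* -- gen_context(system_u:object_r:fetchmail_var_run_t,s0)
+/var/mail/\.fetchmail-UIDL-cache -- gen_context(system_u:object_r:fetchmail_uidl_cache_t,s0)
+
+/var/run/fetchmail/.* -- gen_context(system_u:object_r:fetchmail_var_run_t,s0)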
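Review bot: The entry `/var/run/fetchmail/.* --` labels only regular files inside the directory, so `/var/run/fetchmail` itself gets no fetchmail-specific context, while fetchmail.te in this same commit narrows `files_pid_filetrans` to `dir` and so depends on that directory carrying `fetchmail_var_run_t`. After a relabel, or when the directory is created by anything other than fetchmail_t, it would fall back to whatever the generic /var/run entries assign, and the daemon's `manage_dirs_pattern` rule would no longer apply to it. I would cover the directory as well with `/var/run/fetchmail(/.*)? gen_context(system_u:object_r:fetchmail_var_run_t,s0)`. Separately, `/etc/rc\.d/init\.d/fetchmail` is the Red Hat layout; it presumably relies on a path equivalence for Gentoo's init-script directory, which is worth confirming.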
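--- a/policy/modules/contrib/fetchmail.if
+++ b/policy/modules/contrib/fetchmail.if
@@ -1,28 +1,40 @@
-## <summary>Remote-mail retrieval and forwarding utility</summary>
+## <summary>Remote-mail retrieval and forwarding utility.</summary>
 
 ########################################
 ## <summary>
-## All of the rules required to administrate
-## an fetchmail environment
+## All of the rules required to
+## administrate an fetchmail environment.
 ## </summary>
 ## <param name="domain">
 ## <summary>
 ## Domain allowed access.
 ## </summary>
 ## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
 ## <rolecap/>
 #
 interface(`fetchmail_admin',`
 gen_require(`
 type fetchmail_t, fetchmail_etc_t, fetchmail_uidl_cache_t;
- type fetchmail_var_run_t;
+ type fetchmail_var_run_t, fetchmail_initrc_exec_t;
 ')
 
+ init_labeled_script_domtrans($1, fetchmail_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 fetchmail_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ allow $1 fetchmail_t:process { ptrace signal_perms };
 ps_process_pattern($1, fetchmail_t)
 
 files_list_etc($1)
 admin_pattern($1, fetchmail_etc_t)
 
+ files_search_var_lib($1)
 admin_pattern($1, fetchmail_uidl_cache_t)
 
 files_list_pids($1)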
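Review bot: `allow $1 fetchmail_t:process { ptrace signal_perms };` lets every domain passed to fetchmail_admin attach to the fetchmail process, whose memory can be expected to hold the mail-account credentials read from fetchmailrc. Signalling is enough to stop, restart or kill the daemon, so I would grant `allow $1 fetchmail_t:process signal_perms;` unconditionally and put ptrace behind a tunable, if it is kept at all. The new `role` parameter also changes the call signature: a caller that still passes one argument leaves `$2` empty in `role_transition $2 fetchmail_initrc_exec_t system_r;`, so every in-tree caller needs updating in the same change. The interface body continues past the end of the hunk.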
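--- a/policy/modules/contrib/fetchmail.te
+++ b/policy/modules/contrib/fetchmail.te
@@ -1,4 +1,4 @@
-policy_module(fetchmail, 1.12.0)
+policy_module(fetchmail, 1.12.1)
 
 ########################################
 #
@@ -10,12 +10,18 @@ type fetchmail_exec_t;
 init_daemon_domain(fetchmail_t, fetchmail_exec_t)
 application_executable_file(fetchmail_exec_t)
 
-type fetchmail_var_run_t;
-files_pid_file(fetchmail_var_run_t)
+type fetchmail_initrc_exec_t;
+init_script_file(fetchmail_initrc_exec_t)
 
 type fetchmail_etc_t;
 files_config_file(fetchmail_etc_t)
 
+type fetchmail_home_t;
+userdom_user_home_content(fetchmail_home_t)
+
+type fetchmail_var_run_t;
+files_pid_file(fetchmail_var_run_t)
+
 type fetchmail_uidl_cache_t;
 files_type(fetchmail_uidl_cache_t)
 
@@ -26,20 +32,18 @@ files_type(fetchmail_uidl_cache_t)
 
 dontaudit fetchmail_t self:capability sys_tty_config;
 allow fetchmail_t self:process { signal_perms setrlimit };
-allow fetchmail_t self:unix_dgram_socket create_socket_perms;
-allow fetchmail_t self:unix_stream_socket create_stream_socket_perms;
-allow fetchmail_t self:netlink_route_socket r_netlink_socket_perms;
-allow fetchmail_t self:tcp_socket create_socket_perms;
-allow fetchmail_t self:udp_socket create_socket_perms;
+allow fetchmail_t self:unix_stream_socket { accept listen };
 
 allow fetchmail_t fetchmail_etc_t:file read_file_perms;
 
+read_files_pattern(fetchmail_t, fetchmail_home_t, fetchmail_home_t)
+
 allow fetchmail_t fetchmail_uidl_cache_t:file manage_file_perms;
 mta_spool_filetrans(fetchmail_t, fetchmail_uidl_cache_t, file)
 
 manage_dirs_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t)
 manage_files_pattern(fetchmail_t, fetchmail_var_run_t, fetchmail_var_run_t)
-files_pid_filetrans(fetchmail_t, fetchmail_var_run_t, { dir file })
+files_pid_filetrans(fetchmail_t, fetchmail_var_run_t, dir)
 
 kernel_read_kernel_sysctls(fetchmail_t)
 kernel_list_proc(fetchmail_t)
@@ -47,28 +51,22 @@ kernel_getattr_proc_files(fetchmail_t)
 kernel_read_proc_symlinks(fetchmail_t)
 kernel_dontaudit_read_system_state(fetchmail_t)
 
-#looks like it uses system command - calls uname
 corecmd_exec_bin(fetchmail_t)
 corecmd_exec_shell(fetchmail_t)
 
 corenet_all_recvfrom_unlabeled(fetchmail_t)
 corenet_all_recvfrom_netlabel(fetchmail_t)
 corenet_tcp_sendrecv_generic_if(fetchmail_t)
-corenet_udp_sendrecv_generic_if(fetchmail_t)
 corenet_tcp_sendrecv_generic_node(fetchmail_t)
-corenet_udp_sendrecv_generic_node(fetchmail_t)
-corenet_tcp_sendrecv_dns_port(fetchmail_t)
-corenet_udp_sendrecv_dns_port(fetchmail_t)
-corenet_tcp_sendrecv_pop_port(fetchmail_t)
-corenet_tcp_sendrecv_smtp_port(fetchmail_t)
-corenet_tcp_connect_all_ports(fetchmail_t)
+corenet_tcp_sendrecv_all_ports(fetchmail_t)
+
 corenet_sendrecv_all_client_packets(fetchmail_t)
+corenet_tcp_connect_all_ports(fetchmail_t)
 
 dev_read_sysfs(fetchmail_t)
 dev_read_rand(fetchmail_t)
 dev_read_urand(fetchmail_t)
 
-files_read_etc_files(fetchmail_t)
 files_read_etc_runtime_files(fetchmail_t)
 files_dontaudit_search_home(fetchmail_t)
 
@@ -77,15 +75,15 @@ fs_search_auto_mountpoints(fetchmail_t)
 
 domain_use_interactive_fds(fetchmail_t)
 
+auth_use_nsswitch(fetchmail_t)
+
 logging_send_syslog_msg(fetchmail_t)
 
 miscfiles_read_localization(fetchmail_t)
 miscfiles_read_generic_certs(fetchmail_t)
 
-sysnet_read_config(fetchmail_t)
-
 userdom_dontaudit_use_unpriv_user_fds(fetchmail_t)
-userdom_dontaudit_search_user_home_dirs(fetchmail_t)
+userdom_search_user_home_dirs(fetchmail_t)
 
 optional_policy(`
 procmail_domtrans(fetchmail_t)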
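Review bot: In the hunk at `@@ -47,28 +51,22 @@` the comment explaining `corecmd_exec_bin(fetchmail_t)` and `corecmd_exec_shell(fetchmail_t)` is removed while both grants stay, so the policy no longer records why a daemon that parses data from remote mail servers may execute a shell. Together with `corenet_tcp_connect_all_ports(fetchmail_t)` these are the broadest permissions in the domain and deserve a stated reason. I would keep a corrected comment above the two calls, for example `# fetchmail runs configured helper commands through the shell`, after confirming which helpers actually need it. The `procmail_domtrans` call in the last hunk suggests that at least one delivery agent already gets its own transition. The `optional_policy` block at the end continues past the hunk.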