[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/ - gentoo-commits

From:	Sven Vermeulen <swift@g.o>
To:	gentoo-commits@l.g.o
Subject:	[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
Date:	Sun, 25 Mar 2018 10:29:28
Message-Id:	`1521970272.1100fd2c68b60b6ab5eb34baedb20a63a191f057.swift@gentoo`

1

commit:     1100fd2c68b60b6ab5eb34baedb20a63a191f057

2

Author:     Dave Sugar <dsugar <AT> tresys <DOT> com>

3

AuthorDate: Mon Mar  5 14:03:02 2018 +0000

4

Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>

5

CommitDate: Sun Mar 25 09:31:12 2018 +0000

6

URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1100fd2c

7

8

Allow execution of chronyc from commandline

9

10

 With the previous patch moving chronyc into a separate domain this adds interfaces to execute chronyc from the command line and have it run in the chronyc_t domain.

11

12

Updated interface names based on suggestion, added missing permission to allow chronyc_t domain access to tty.

13

14

Signed-off-by: Dave Sugar <dsugar <AT> tresys.com>

15

16

 policy/modules/contrib/chronyd.if | 46 +++++++++++++++++++++++++++++++++++++++

17

 policy/modules/contrib/chronyd.te |  8 +++++++

18

 2 files changed, 54 insertions(+)

19

20

diff --git a/policy/modules/contrib/chronyd.if b/policy/modules/contrib/chronyd.if

21

index 32988914..bc4ba691 100644

22

--- a/policy/modules/contrib/chronyd.if

23

+++ b/policy/modules/contrib/chronyd.if

24

@@ -19,6 +19,25 @@ interface(`chronyd_domtrans',`

25

 	domtrans_pattern($1, chronyd_exec_t, chronyd_t)

26

')

27

28

+#####################################

29

+## <summary>

30

+##	Execute chronyc in the chronyc domain.

31

+## </summary>

32

+## <param name="domain">

33

+##	<summary>

34

+##	Domain allowed to transition.

35

+##	</summary>

36

+## </param>

37

+#

38

+interface(`chronyd_domtrans_cli',`

39

+	gen_require(`

40

+		type chronyc_t, chronyc_exec_t;

41

+	')

42

+

43

+	corecmd_search_bin($1)

44

+	domtrans_pattern($1, chronyc_exec_t, chronyc_t)

45

+')

46

+

47

 ########################################

48

 ## <summary>

49

 ##	Execute chronyd server in the

50

@@ -57,6 +76,33 @@ interface(`chronyd_exec',`

51

 	can_exec($1, chronyd_exec_t)

52

')

53

54

+########################################

55

+## <summary>

56

+##	Execute chronyc in the chronyc domain,

57

+##	and allow the specified roles the

58

+##	chronyc domain.

59

+## </summary>

60

+## <param name="domain">

61

+##	<summary>

62

+##	Domain allowed to transition.

63

+##	</summary>

64

+## </param>

65

+## <param name="role">

66

+##	<summary>

67

+##	Role allowed access.

68

+##	</summary>

69

+## </param>

70

+## <rolecap/>

71

+#

72

+interface(`chronyd_run_cli',`

73

+	gen_require(`

74

+		attribute_role chronyc_roles;

75

+	')

76

+

77

+	chronyd_domtrans_cli($1)

78

+	roleattribute $2 chronyc_roles;

79

+')

80

+

81

 #####################################

82

 ## <summary>

83

 ##	Read chronyd log files.

84

85

diff --git a/policy/modules/contrib/chronyd.te b/policy/modules/contrib/chronyd.te

86

index 0634548d..8277ef81 100644

87

--- a/policy/modules/contrib/chronyd.te

88

+++ b/policy/modules/contrib/chronyd.te

89

@@ -5,6 +5,8 @@ policy_module(chronyd, 1.5.0)

90

 # Declarations

91

#

92

93

+attribute_role chronyc_roles;

94

+

95

 type chronyd_t;

96

 type chronyd_exec_t;

97

 init_daemon_domain(chronyd_t, chronyd_exec_t)

98

@@ -12,6 +14,8 @@ init_daemon_domain(chronyd_t, chronyd_exec_t)

99

 type chronyc_t;

100

 type chronyc_exec_t;

101

 init_daemon_domain(chronyc_t, chronyc_exec_t)

102

+application_domain(chronyc_t, chronyc_exec_t)

103

+role chronyc_roles types chronyc_t;

104

105

 type chronyd_conf_t;

106

 files_config_file(chronyd_conf_t)

107

@@ -132,6 +136,8 @@ corenet_udp_sendrecv_chronyd_port(chronyc_t)

108

 files_read_etc_files(chronyc_t)

109

 files_read_usr_files(chronyc_t)

110

111

+locallogin_use_fds(chronyc_t)

112

+

113

 logging_send_syslog_msg(chronyc_t)

114

115

 sysnet_read_config(chronyc_t)

116

@@ -139,6 +145,8 @@ sysnet_dns_name_resolve(chronyc_t)

117

118

 miscfiles_read_localization(chronyc_t)

119

120

+userdom_use_user_ttys(chronyc_t)

121

+

122

 chronyd_dgram_send(chronyc_t)

123

 chronyd_read_config(chronyc_t)

1	commit: 1100fd2c68b60b6ab5eb34baedb20a63a191f057
2	Author: Dave Sugar <dsugar <AT> tresys <DOT> com>
3	AuthorDate: Mon Mar 5 14:03:02 2018 +0000
4	Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
5	CommitDate: Sun Mar 25 09:31:12 2018 +0000
6	URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1100fd2c
7
8	Allow execution of chronyc from commandline
9
10	With the previous patch moving chronyc into a separate domain this adds interfaces to execute chronyc from the command line and have it run in the chronyc_t domain.
11
12	Updated interface names based on suggestion, added missing permission to allow chronyc_t domain access to tty.
13
14	Signed-off-by: Dave Sugar <dsugar <AT> tresys.com>
15
16	policy/modules/contrib/chronyd.if \| 46 +++++++++++++++++++++++++++++++++++++++
17	policy/modules/contrib/chronyd.te \| 8 +++++++
18	2 files changed, 54 insertions(+)
19
20	diff --git a/policy/modules/contrib/chronyd.if b/policy/modules/contrib/chronyd.if
21	index 32988914..bc4ba691 100644
22	--- a/policy/modules/contrib/chronyd.if
23	+++ b/policy/modules/contrib/chronyd.if
24	@@ -19,6 +19,25 @@ interface(`chronyd_domtrans',`
25	domtrans_pattern($1, chronyd_exec_t, chronyd_t)
26	')
27
28	+#####################################
29	+## <summary>
30	+## Execute chronyc in the chronyc domain.
31	+## </summary>
32	+## <param name="domain">
33	+## <summary>
34	+## Domain allowed to transition.
35	+## </summary>
36	+## </param>
37	+#
38	+interface(`chronyd_domtrans_cli',`
39	+ gen_require(`
40	+ type chronyc_t, chronyc_exec_t;
41	+ ')
42	+
43	+ corecmd_search_bin($1)
44	+ domtrans_pattern($1, chronyc_exec_t, chronyc_t)
45	+')
46	+
47	########################################
48	## <summary>
49	## Execute chronyd server in the
50	@@ -57,6 +76,33 @@ interface(`chronyd_exec',`
51	can_exec($1, chronyd_exec_t)
52	')
53
54	+########################################
55	+## <summary>
56	+## Execute chronyc in the chronyc domain,
57	+## and allow the specified roles the
58	+## chronyc domain.
59	+## </summary>
60	+## <param name="domain">
61	+## <summary>
62	+## Domain allowed to transition.
63	+## </summary>
64	+## </param>
65	+## <param name="role">
66	+## <summary>
67	+## Role allowed access.
68	+## </summary>
69	+## </param>
70	+## <rolecap/>
71	+#
72	+interface(`chronyd_run_cli',`
73	+ gen_require(`
74	+ attribute_role chronyc_roles;
75	+ ')
76	+
77	+ chronyd_domtrans_cli($1)
78	+ roleattribute $2 chronyc_roles;
79	+')
80	+
81	#####################################
82	## <summary>
83	## Read chronyd log files.
84
85	diff --git a/policy/modules/contrib/chronyd.te b/policy/modules/contrib/chronyd.te
86	index 0634548d..8277ef81 100644
87	--- a/policy/modules/contrib/chronyd.te
88	+++ b/policy/modules/contrib/chronyd.te
89	@@ -5,6 +5,8 @@ policy_module(chronyd, 1.5.0)
90	# Declarations
91	#
92
93	+attribute_role chronyc_roles;
94	+
95	type chronyd_t;
96	type chronyd_exec_t;
97	init_daemon_domain(chronyd_t, chronyd_exec_t)
98	@@ -12,6 +14,8 @@ init_daemon_domain(chronyd_t, chronyd_exec_t)
99	type chronyc_t;
100	type chronyc_exec_t;
101	init_daemon_domain(chronyc_t, chronyc_exec_t)
102	+application_domain(chronyc_t, chronyc_exec_t)
103	+role chronyc_roles types chronyc_t;
104
105	type chronyd_conf_t;
106	files_config_file(chronyd_conf_t)
107	@@ -132,6 +136,8 @@ corenet_udp_sendrecv_chronyd_port(chronyc_t)
108	files_read_etc_files(chronyc_t)
109	files_read_usr_files(chronyc_t)
110
111	+locallogin_use_fds(chronyc_t)
112	+
113	logging_send_syslog_msg(chronyc_t)
114
115	sysnet_read_config(chronyc_t)
116	@@ -139,6 +145,8 @@ sysnet_dns_name_resolve(chronyc_t)
117
118	miscfiles_read_localization(chronyc_t)
119
120	+userdom_use_user_ttys(chronyc_t)
121	+
122	chronyd_dgram_send(chronyc_t)
123	chronyd_read_config(chronyc_t)

Gentoo Archives: gentoo-commits