[gentoo-commits] proj/hardened-refpolicy:secmodel commit in: policy/modules/contrib/ - gentoo-commits

From:	Sven Vermeulen <swift@g.o>
To:	gentoo-commits@l.g.o
Subject:	[gentoo-commits] proj/hardened-refpolicy:secmodel commit in: policy/modules/contrib/
Date:	Sun, 08 Feb 2015 14:35:12
Message-Id:	`1423405907.ebeb0c3b30617f92a5e1ad7c4cfd5fab328c8673.swift@gentoo`

1

commit:     ebeb0c3b30617f92a5e1ad7c4cfd5fab328c8673

2

Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>

3

AuthorDate: Sun Feb  1 19:55:45 2015 +0000

4

Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>

5

CommitDate: Sun Feb  8 14:31:47 2015 +0000

6

URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=ebeb0c3b

7

8

Add interfaces for Gentoo's security model

9

10

On https://wiki.gentoo.org/wiki/Project:SELinux/Development_policy the

11

basic security model that we want to support is documented.

12

13

To make support for this security model more applicable, we provide the

14

necessary interfaces for domains to (optionally or not) call.

15

16

See also http://thread.gmane.org/gmane.linux.gentoo.hardened/6292

17

18

---

19

 policy/modules/contrib/gentoo.if | 131 +++++++++++++++++++++++++++++++++++++++

20

 1 file changed, 131 insertions(+)

21

22

diff --git a/policy/modules/contrib/gentoo.if b/policy/modules/contrib/gentoo.if

23

new file mode 100644

24

index 0000000..db543a6

25

--- /dev/null

26

+++ b/policy/modules/contrib/gentoo.if

27

@@ -0,0 +1,131 @@

28

+## <summary>Gentoo specific interfaces for improving SELinux management</summary>

29

+

30

+#########################################

31

+## <summary>

32

+## 	Monitor the system

33

+## </summary>

34

+## <desc>

35

+##	<p>

36

+##	The system monitor privilege set allows for a system domain to read various

37

+##	file types, system state (like sysctl values), process states, etc. It is 

38

+##	a read-only set of privileges.

39

+##	</p>

40

+## </desc>

41

+## <param name="domain">

42

+##	<summary>

43

+##	Domain allowed access

44

+##	</summary>

45

+## </param>

46

+## <param name="role">

47

+##	<summary>

48

+##	Role allowed access

49

+##	</summary>

50

+## </param>

51

+#

52

+interface(`gentoo_secmodel_monitor_system',`

53

+

54

+')

55

+

56

+#########################################

57

+## <summary>

58

+## 	Administer services

59

+## </summary>

60

+## <desc>

61

+##	<p>

62

+##	The service administrator privilege set allows for a system domain to manage

63

+##	the state of services as well as perform administrative commands against

64

+##	those services (in other words, grant the _admin() interfaces of various

65

+##	services).

66

+##	</p>

67

+## </desc>

68

+## <param name="domain">

69

+##	<summary>

70

+##	Domain allowed access

71

+##	</summary>

72

+## </param>

73

+## <param name="role">

74

+##	<summary>

75

+##	Role allowed access

76

+##	</summary>

77

+## </param>

78

+#

79

+interface(`gentoo_secmodel_manage_services',`

80

+

81

+')

82

+

83

+#########################################

84

+## <summary>

85

+## 	Administer software

86

+## </summary>

87

+## <desc>

88

+##	<p>

89

+##	The software administrator privilege set allows for a system domain to manage

90

+##	various file types (but not, or only in a very controlled manner, security

91

+##	sensitive files).

92

+##	</p>

93

+## </desc>

94

+## <param name="domain">

95

+##	<summary>

96

+##	Domain allowed access

97

+##	</summary>

98

+## </param>

99

+## <param name="role">

100

+##	<summary>

101

+##	Role allowed access

102

+##	</summary>

103

+## </param>

104

+#

105

+interface(`gentoo_secmodel_manage_software',`

106

+

107

+')

108

+

109

+#########################################

110

+## <summary>

111

+## 	Administer system state

112

+## </summary>

113

+## <desc>

114

+##	<p>

115

+##	The system state administrator privilege set allows for system state

116

+##	handling, including sysctl values, network configuration settings, etc.

117

+##	</p>

118

+## </desc>

119

+## <param name="domain">

120

+##	<summary>

121

+##	Domain allowed access

122

+##	</summary>

123

+## </param>

124

+## <param name="role">

125

+##	<summary>

126

+##	Role allowed access

127

+##	</summary>

128

+## </param>

129

+#

130

+interface(`gentoo_secmodel_manage_system_state',`

131

+

132

+')

133

+

134

+#########################################

135

+## <summary>

136

+## 	Administer system security

137

+## </summary>

138

+## <desc>

139

+##	<p>

140

+##	The security administrator privilege set allows for security-sensitive types

141

+##	to be managed, including SELinux policy.

142

+##	</p>

143

+## </desc>

144

+## <param name="domain">

145

+##	<summary>

146

+##	Domain allowed access

147

+##	</summary>

148

+## </param>

149

+## <param name="role">

150

+##	<summary>

151

+##	Role allowed access

152

+##	</summary>

153

+## </param>

154

+#

155

+interface(`gentoo_secmodel_manage_system_security',`

156

+

157

+')

158

+

1	commit: ebeb0c3b30617f92a5e1ad7c4cfd5fab328c8673
2	Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
3	AuthorDate: Sun Feb 1 19:55:45 2015 +0000
4	Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
5	CommitDate: Sun Feb 8 14:31:47 2015 +0000
6	URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=ebeb0c3b
7
8	Add interfaces for Gentoo's security model
9
10	On https://wiki.gentoo.org/wiki/Project:SELinux/Development_policy the
11	basic security model that we want to support is documented.
12
13	To make support for this security model more applicable, we provide the
14	necessary interfaces for domains to (optionally or not) call.
15
16	See also http://thread.gmane.org/gmane.linux.gentoo.hardened/6292
17
18	---
19	policy/modules/contrib/gentoo.if \| 131 +++++++++++++++++++++++++++++++++++++++
20	1 file changed, 131 insertions(+)
21
22	diff --git a/policy/modules/contrib/gentoo.if b/policy/modules/contrib/gentoo.if
23	new file mode 100644
24	index 0000000..db543a6
25	--- /dev/null
26	+++ b/policy/modules/contrib/gentoo.if
27	@@ -0,0 +1,131 @@
28	+## <summary>Gentoo specific interfaces for improving SELinux management</summary>
29	+
30	+#########################################
31	+## <summary>
32	+## Monitor the system
33	+## </summary>
34	+## <desc>
35	+## <p>
36	+## The system monitor privilege set allows for a system domain to read various
37	+## file types, system state (like sysctl values), process states, etc. It is
38	+## a read-only set of privileges.
39	+## </p>
40	+## </desc>
41	+## <param name="domain">
42	+## <summary>
43	+## Domain allowed access
44	+## </summary>
45	+## </param>
46	+## <param name="role">
47	+## <summary>
48	+## Role allowed access
49	+## </summary>
50	+## </param>
51	+#
52	+interface(`gentoo_secmodel_monitor_system',`
53	+
54	+')
55	+
56	+#########################################
57	+## <summary>
58	+## Administer services
59	+## </summary>
60	+## <desc>
61	+## <p>
62	+## The service administrator privilege set allows for a system domain to manage
63	+## the state of services as well as perform administrative commands against
64	+## those services (in other words, grant the _admin() interfaces of various
65	+## services).
66	+## </p>
67	+## </desc>
68	+## <param name="domain">
69	+## <summary>
70	+## Domain allowed access
71	+## </summary>
72	+## </param>
73	+## <param name="role">
74	+## <summary>
75	+## Role allowed access
76	+## </summary>
77	+## </param>
78	+#
79	+interface(`gentoo_secmodel_manage_services',`
80	+
81	+')
82	+
83	+#########################################
84	+## <summary>
85	+## Administer software
86	+## </summary>
87	+## <desc>
88	+## <p>
89	+## The software administrator privilege set allows for a system domain to manage
90	+## various file types (but not, or only in a very controlled manner, security
91	+## sensitive files).
92	+## </p>
93	+## </desc>
94	+## <param name="domain">
95	+## <summary>
96	+## Domain allowed access
97	+## </summary>
98	+## </param>
99	+## <param name="role">
100	+## <summary>
101	+## Role allowed access
102	+## </summary>
103	+## </param>
104	+#
105	+interface(`gentoo_secmodel_manage_software',`
106	+
107	+')
108	+
109	+#########################################
110	+## <summary>
111	+## Administer system state
112	+## </summary>
113	+## <desc>
114	+## <p>
115	+## The system state administrator privilege set allows for system state
116	+## handling, including sysctl values, network configuration settings, etc.
117	+## </p>
118	+## </desc>
119	+## <param name="domain">
120	+## <summary>
121	+## Domain allowed access
122	+## </summary>
123	+## </param>
124	+## <param name="role">
125	+## <summary>
126	+## Role allowed access
127	+## </summary>
128	+## </param>
129	+#
130	+interface(`gentoo_secmodel_manage_system_state',`
131	+
132	+')
133	+
134	+#########################################
135	+## <summary>
136	+## Administer system security
137	+## </summary>
138	+## <desc>
139	+## <p>
140	+## The security administrator privilege set allows for security-sensitive types
141	+## to be managed, including SELinux policy.
142	+## </p>
143	+## </desc>
144	+## <param name="domain">
145	+## <summary>
146	+## Domain allowed access
147	+## </summary>
148	+## </param>
149	+## <param name="role">
150	+## <summary>
151	+## Role allowed access
152	+## </summary>
153	+## </param>
154	+#
155	+interface(`gentoo_secmodel_manage_system_security',`
156	+
157	+')
158	+

Gentoo Archives: gentoo-commits