Gentoo Archives: gentoo-commits

From: Jason Zaman <perfinion@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
Date: Thu, 25 May 2017 17:09:09
Message-Id: 1495731839.4a876f4221ab4a0ac55a44712e6afe962bbc278d.perfinion@gentoo
1 commit: 4a876f4221ab4a0ac55a44712e6afe962bbc278d
2 Author: Jason Zaman <jason <AT> perfinion <DOT> com>
3 AuthorDate: Thu Mar 30 07:15:39 2017 +0000
4 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
5 CommitDate: Thu May 25 17:03:59 2017 +0000
6 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4a876f42
7
8 gssproxy: add policy
9
10 borrowed and modified from Fedora
11
12 policy/modules/contrib/gssproxy.fc | 8 ++
13 policy/modules/contrib/gssproxy.if | 199 +++++++++++++++++++++++++++++++++++++
14 policy/modules/contrib/gssproxy.te | 67 +++++++++++++
15 3 files changed, 274 insertions(+)
16
17 diff --git a/policy/modules/contrib/gssproxy.fc b/policy/modules/contrib/gssproxy.fc
18 new file mode 100644
19 index 00000000..a9970159
20 --- /dev/null
21 +++ b/policy/modules/contrib/gssproxy.fc
22 @@ -0,0 +1,8 @@
23 +/usr/lib/systemd/system/gssproxy.service -- gen_context(system_u:object_r:gssproxy_unit_t,s0)
24 +
25 +/usr/sbin/gssproxy -- gen_context(system_u:object_r:gssproxy_exec_t,s0)
26 +
27 +/var/lib/gssproxy(/.*)? gen_context(system_u:object_r:gssproxy_var_lib_t,s0)
28 +
29 +/run/gssproxy\.pid -- gen_context(system_u:object_r:gssproxy_run_t,s0)
30 +/run/gssproxy\.sock -s gen_context(system_u:object_r:gssproxy_run_t,s0)
31
32 diff --git a/policy/modules/contrib/gssproxy.if b/policy/modules/contrib/gssproxy.if
33 new file mode 100644
34 index 00000000..cebdb20b
35 --- /dev/null
36 +++ b/policy/modules/contrib/gssproxy.if
37 @@ -0,0 +1,199 @@
38 +
39 +## <summary>policy for gssproxy</summary>
40 +
41 +########################################
42 +## <summary>
43 +## Execute gssproxy in the gssproxy domin.
44 +## </summary>
45 +## <param name="domain">
46 +## <summary>
47 +## Domain allowed to transition.
48 +## </summary>
49 +## </param>
50 +#
51 +interface(`gssproxy_domtrans',`
52 + gen_require(`
53 + type gssproxy_t, gssproxy_exec_t;
54 + ')
55 +
56 + corecmd_search_bin($1)
57 + domtrans_pattern($1, gssproxy_exec_t, gssproxy_t)
58 +')
59 +
60 +########################################
61 +## <summary>
62 +## Search gssproxy lib directories.
63 +## </summary>
64 +## <param name="domain">
65 +## <summary>
66 +## Domain allowed access.
67 +## </summary>
68 +## </param>
69 +#
70 +interface(`gssproxy_search_lib',`
71 + gen_require(`
72 + type gssproxy_var_lib_t;
73 + ')
74 +
75 + allow $1 gssproxy_var_lib_t:dir search_dir_perms;
76 + files_search_var_lib($1)
77 +')
78 +
79 +########################################
80 +## <summary>
81 +## Read gssproxy lib files.
82 +## </summary>
83 +## <param name="domain">
84 +## <summary>
85 +## Domain allowed access.
86 +## </summary>
87 +## </param>
88 +#
89 +interface(`gssproxy_read_lib_files',`
90 + gen_require(`
91 + type gssproxy_var_lib_t;
92 + ')
93 +
94 + files_search_var_lib($1)
95 + read_files_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
96 +')
97 +
98 +########################################
99 +## <summary>
100 +## Manage gssproxy lib files.
101 +## </summary>
102 +## <param name="domain">
103 +## <summary>
104 +## Domain allowed access.
105 +## </summary>
106 +## </param>
107 +#
108 +interface(`gssproxy_manage_lib_files',`
109 + gen_require(`
110 + type gssproxy_var_lib_t;
111 + ')
112 +
113 + files_search_var_lib($1)
114 + manage_files_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
115 +')
116 +
117 +########################################
118 +## <summary>
119 +## Manage gssproxy lib directories.
120 +## </summary>
121 +## <param name="domain">
122 +## <summary>
123 +## Domain allowed access.
124 +## </summary>
125 +## </param>
126 +#
127 +interface(`gssproxy_manage_lib_dirs',`
128 + gen_require(`
129 + type gssproxy_var_lib_t;
130 + ')
131 +
132 + files_search_var_lib($1)
133 + manage_dirs_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
134 +')
135 +
136 +########################################
137 +## <summary>
138 +## Read gssproxy PID files.
139 +## </summary>
140 +## <param name="domain">
141 +## <summary>
142 +## Domain allowed access.
143 +## </summary>
144 +## </param>
145 +#
146 +interface(`gssproxy_read_pid_files',`
147 + gen_require(`
148 + type gssproxy_run_t;
149 + ')
150 +
151 + files_search_pids($1)
152 + read_files_pattern($1, gssproxy_run_t, gssproxy_run_t)
153 +')
154 +
155 +########################################
156 +## <summary>
157 +## Execute gssproxy server in the gssproxy domain.
158 +## </summary>
159 +## <param name="domain">
160 +## <summary>
161 +## Domain allowed to transition.
162 +## </summary>
163 +## </param>
164 +#
165 +interface(`gssproxy_systemctl',`
166 + gen_require(`
167 + type gssproxy_t;
168 + type gssproxy_unit_t;
169 + ')
170 +
171 + systemd_exec_systemctl($1)
172 + init_reload_services($1)
173 + allow $1 gssproxy_unit_t:file read_file_perms;
174 + allow $1 gssproxy_unit_t:service manage_service_perms;
175 +
176 + ps_process_pattern($1, gssproxy_t)
177 +')
178 +
179 +########################################
180 +## <summary>
181 +## Connect to gssproxy over an unix
182 +## domain stream socket.
183 +## </summary>
184 +## <param name="domain">
185 +## <summary>
186 +## Domain allowed access.
187 +## </summary>
188 +## </param>
189 +#
190 +interface(`gssproxy_stream_connect',`
191 + gen_require(`
192 + type gssproxy_t, gssproxy_run_t, gssproxy_var_lib_t;
193 + ')
194 +
195 + files_search_pids($1)
196 + stream_connect_pattern($1, gssproxy_run_t, gssproxy_run_t, gssproxy_t)
197 + stream_connect_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t, gssproxy_t)
198 +')
199 +
200 +########################################
201 +## <summary>
202 +## All of the rules required to administrate
203 +## an gssproxy environment
204 +## </summary>
205 +## <param name="domain">
206 +## <summary>
207 +## Domain allowed access.
208 +## </summary>
209 +## </param>
210 +## <rolecap/>
211 +#
212 +interface(`gssproxy_admin',`
213 + gen_require(`
214 + type gssproxy_t;
215 + type gssproxy_var_lib_t;
216 + type gssproxy_run_t;
217 + type gssproxy_unit_t;
218 + ')
219 +
220 + allow $1 gssproxy_t:process { ptrace signal_perms };
221 + ps_process_pattern($1, gssproxy_t)
222 +
223 + files_search_var_lib($1)
224 + admin_pattern($1, gssproxy_var_lib_t)
225 +
226 + files_search_pids($1)
227 + admin_pattern($1, gssproxy_run_t)
228 +
229 + gssproxy_systemctl($1)
230 + admin_pattern($1, gssproxy_unit_t)
231 + allow $1 gssproxy_unit_t:service all_service_perms;
232 + optional_policy(`
233 + systemd_passwd_agent_exec($1)
234 + systemd_read_fifo_file_passwd_run($1)
235 + ')
236 +')
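Review bot: `gssproxy_admin` grants `ptrace` on `gssproxy_t` unconditionally in `allow $1 gssproxy_t:process { ptrace signal_perms };`, and the .te in this same commit lets that domain read keytabs and manage the host rcache, so any role given this interface can inspect the memory of a process holding Kerberos credential material. I would drop `ptrace` from the set (`allow $1 gssproxy_t:process signal_perms;`) or, if debugging access is really needed, put it behind whatever ptrace tunable this policy tree provides. The later `allow $1 gssproxy_unit_t:service all_service_perms;` also looks wider than necessary, since `gssproxy_systemctl($1)` just above it already grants `manage_service_perms` on the unit. On documentation, the summary and param text on `gssproxy_systemctl` still describe a domain transition; `## Control the gssproxy systemd unit with systemctl.` with `## Domain allowed access.` would match what the interface grants, and `domin` in the `gssproxy_domtrans` summary is a typo.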
237
238 diff --git a/policy/modules/contrib/gssproxy.te b/policy/modules/contrib/gssproxy.te
239 new file mode 100644
240 index 00000000..20027689
241 --- /dev/null
242 +++ b/policy/modules/contrib/gssproxy.te
243 @@ -0,0 +1,67 @@
244 +policy_module(gssproxy, 1.0.0)
245 +
246 +########################################
247 +#
248 +# Declarations
249 +#
250 +
251 +type gssproxy_t;
252 +type gssproxy_exec_t;
253 +init_daemon_domain(gssproxy_t, gssproxy_exec_t)
254 +
255 +type gssproxy_var_lib_t;
256 +files_type(gssproxy_var_lib_t)
257 +
258 +type gssproxy_run_t;
259 +files_pid_file(gssproxy_run_t)
260 +
261 +type gssproxy_unit_t;
262 +init_unit_file(gssproxy_unit_t)
263 +
264 +########################################
265 +#
266 +# gssproxy local policy
267 +#
268 +allow gssproxy_t self:capability { setuid setgid };
269 +allow gssproxy_t self:capability2 block_suspend;
270 +allow gssproxy_t self:fifo_file rw_fifo_file_perms;
271 +allow gssproxy_t self:unix_stream_socket create_stream_socket_perms;
272 +
273 +manage_dirs_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
274 +manage_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
275 +manage_sock_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
276 +manage_lnk_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
277 +files_var_lib_filetrans(gssproxy_t, gssproxy_var_lib_t, { dir file lnk_file })
278 +
279 +manage_dirs_pattern(gssproxy_t, gssproxy_run_t, gssproxy_run_t)
280 +manage_files_pattern(gssproxy_t, gssproxy_run_t, gssproxy_run_t)
281 +manage_sock_files_pattern(gssproxy_t, gssproxy_run_t, gssproxy_run_t)
282 +manage_lnk_files_pattern(gssproxy_t, gssproxy_run_t, gssproxy_run_t)
283 +files_pid_filetrans(gssproxy_t, gssproxy_run_t, { dir file lnk_file sock_file })
284 +
285 +kernel_rw_rpc_sysctls(gssproxy_t)
286 +
287 +domain_use_interactive_fds(gssproxy_t)
288 +
289 +files_read_etc_files(gssproxy_t)
290 +
291 +fs_getattr_all_fs(gssproxy_t)
292 +
293 +auth_use_nsswitch(gssproxy_t)
294 +
295 +dev_read_urand(gssproxy_t)
296 +
297 +logging_send_syslog_msg(gssproxy_t)
298 +
299 +miscfiles_read_localization(gssproxy_t)
300 +
301 +#userdom_read_all_users_keys(gssproxy_t)
302 +userdom_manage_user_tmp_dirs(gssproxy_t)
303 +userdom_manage_user_tmp_files(gssproxy_t)
304 +
305 +optional_policy(`
306 + kerberos_filetrans_named_content(gssproxy_t)
307 + kerberos_manage_host_rcache(gssproxy_t)
308 + kerberos_read_keytab(gssproxy_t)
309 + kerberos_use(gssproxy_t)
310 +')