
From: Jason Zaman <perfinion@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
Date: Sun, 10 Feb 2019 04:14:56
Message-Id: 1549771885.1463b90ab62ddfcfa18e9a08f04e7dd3a7e200a5.perfinion@gentoo
1 commit: 1463b90ab62ddfcfa18e9a08f04e7dd3a7e200a5
2 Author: Alexander Miroshnichenko <alex <AT> millerson <DOT> name>
3 AuthorDate: Tue Jan 29 19:01:52 2019 +0000
4 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
5 CommitDate: Sun Feb 10 04:11:25 2019 +0000
6 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1463b90a
7
8 Add hostapd service module
9
10 Add a SELinux Reference Policy module for the hostapd
11 IEEE 802.11 wireless LAN Host AP daemon.
12
13 Signed-off-by: Jason Zaman <jason <AT> perfinion.com>
14
15 policy/modules/services/hostapd.fc | 7 +++++
16 policy/modules/services/hostapd.if | 1 +
17 policy/modules/services/hostapd.te | 56 ++++++++++++++++++++++++++++++++++++++
18 3 files changed, 64 insertions(+)
19
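--- /dev/null
+++ b/policy/modules/services/hostapd.fc
@@ -0,0 +1,7 @@
+/usr/sbin/hostapd -- gen_context(system_u:object_r:hostapd_exec_t,s0)
+
+/var/run/hostapd(/.*)? gen_context(system_u:object_r:hostapd_var_run_t,s0)
+
+/etc/hostapd(/.*)? gen_context(system_u:object_r:hostapd_conf_t,s0)
+
+/run/hostapd.pid -- gen_context(system_u:object_r:hostapd_var_run_t,s0)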
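Review bot: The two runtime-directory entries spell the same location differently — `/var/run/hostapd(/.*)?` for the control-socket directory and `/run/hostapd.pid` for the pid file — which is a style inconsistency within a seven-line file. Refpolicy resolves both spellings through its /var/run to /run substitution, so labelling is not broken, but the other service modules in this tree use one form and a reviewer reading the file should not have to check that they are equivalent. Suggest `/run/hostapd(/.*)? gen_context(system_u:object_r:hostapd_var_run_t,s0)` so both entries use the same prefix.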
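--- /dev/null
+++ b/policy/modules/services/hostapd.if
@@ -0,0 +1 @@
+## <summary>IEEE 802.11 wireless LAN Host AP daemon.</summary>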
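Review bot: The interface file carries only the module summary, so no other domain can be granted any access to hostapd_t, hostapd_conf_t or hostapd_var_run_t without editing this module. Service modules in this tree conventionally ship at least an administrative interface (an `hostapd_admin(domain, role)` following the pattern of the neighbouring modules) so that an admin role can manage the daemon's pid files and configuration, and since the .fc labels `/var/run/hostapd(/.*)?` as the daemon's runtime directory, a stream-connect interface for the control socket is presumably needed by whatever client talks to the daemon. Even if those are deferred, a one-line comment in the file stating that interfaces are intentionally omitted for now would tell the next contributor this is a gap and not a finished design.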
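--- /dev/null
+++ b/policy/modules/services/hostapd.te
@@ -0,0 +1,56 @@
+policy_module(hostapd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type hostapd_t;
+type hostapd_exec_t;
+init_daemon_domain(hostapd_t, hostapd_exec_t)
+
+type hostapd_var_run_t;
+files_pid_file(hostapd_var_run_t)
+
+type hostapd_conf_t;
+files_type(hostapd_conf_t)
+
+########################################
+#
+# hostapd local policy
+#
+
+allow hostapd_t self:capability { fsetid chown net_admin net_raw dac_read_search dac_override };
+allow hostapd_t self:fifo_file rw_fifo_file_perms;
+allow hostapd_t self:unix_stream_socket create_stream_socket_perms;
+allow hostapd_t self:netlink_socket create_socket_perms;
+allow hostapd_t self:netlink_generic_socket create_socket_perms;
+allow hostapd_t self:netlink_route_socket create_netlink_socket_perms;
+allow hostapd_t self:packet_socket create_socket_perms;
+
+manage_dirs_pattern(hostapd_t, hostapd_var_run_t, hostapd_var_run_t)
+manage_files_pattern(hostapd_t, hostapd_var_run_t, hostapd_var_run_t)
+manage_lnk_files_pattern(hostapd_t, hostapd_var_run_t, hostapd_var_run_t)
+manage_sock_files_pattern(hostapd_t, hostapd_var_run_t, hostapd_var_run_t)
+files_pid_filetrans(hostapd_t, hostapd_var_run_t, { dir file lnk_file sock_file })
+
+read_files_pattern(hostapd_t, hostapd_conf_t, hostapd_conf_t)
+
+kernel_read_system_state(hostapd_t)
+kernel_read_network_state(hostapd_t)
+kernel_request_load_module(hostapd_t)
+kernel_rw_net_sysctls(hostapd_t)
+dev_rw_sysfs(hostapd_t)
+
+dev_read_rand(hostapd_t)
+dev_read_urand(hostapd_t)
+dev_read_sysfs(hostapd_t)
+dev_rw_wireless(hostapd_t)
+
+domain_use_interactive_fds(hostapd_t)
+
+auth_use_nsswitch(hostapd_t)
+
+logging_send_syslog_msg(hostapd_t)
+
+miscfiles_read_localization(hostapd_t)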
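Review bot: `dev_read_sysfs(hostapd_t)` in the device block is redundant with `dev_rw_sysfs(hostapd_t)` granted four lines earlier in the kernel block, so one of them should go — keep `dev_rw_sysfs` only if a denial shows the daemon actually writing under sysfs, otherwise keep the read-only call and drop the read-write one. The self:capability rule grants both `dac_read_search` and `dac_override`; `dac_read_search` is the narrower of the two and usually suffices for a daemon that only reads files owned by another user, so `dac_override` deserves either a denial justifying it or removal, and a one-line comment above the rule naming which capability each operation needs would make the next audit cheaper. `hostapd_conf_t` is declared with plain `files_type` while the files it labels under /etc/hostapd typically carry the WPA passphrase (inferred from the daemon, not from this hunk), so every domain holding the generic non-security-file read interfaces can read the secret; a comment recording that this exposure was considered, or a stricter declaration, would be worth adding.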