
From: Sven Vermeulen <sven.vermeulen@××××××.be>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
Date: Fri, 28 Sep 2012 17:51:12
Message-Id: 1348853988.4caa328e7b867ee09452693062be5e48ea82b7d8.SwifT@gentoo
1 commit: 4caa328e7b867ee09452693062be5e48ea82b7d8
2 Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
3 AuthorDate: Fri Sep 28 08:01:31 2012 +0000
4 Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
5 CommitDate: Fri Sep 28 17:39:48 2012 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=4caa328e
7
8 Changes to the ddclient policy module
9
10 Ported from Fedora with changes
11
12 Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
13
14 ---
15 policy/modules/contrib/ddclient.fc | 8 ++++++--
16 policy/modules/contrib/ddclient.if | 21 +++++++++++++--------
17 policy/modules/contrib/ddclient.te | 31 ++++++++++++++++++++++---------
18 3 files changed, 41 insertions(+), 19 deletions(-)
19
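--- a/policy/modules/contrib/ddclient.fc
+++ b/policy/modules/contrib/ddclient.fc
@@ -1,12 +1,16 @@
 /etc/ddclient\.conf -- gen_context(system_u:object_r:ddclient_etc_t,s0)
 /etc/ddtcd\.conf -- gen_context(system_u:object_r:ddclient_etc_t,s0)
-/etc/rc\.d/init\.d/ddclient -- gen_context(system_u:object_r:ddclient_initrc_exec_t,s0)
+
+/etc/rc\.d/init\.d/ddclient -- gen_context(system_u:object_r:ddclient_initrc_exec_t,s0)
 
 /usr/sbin/ddclient -- gen_context(system_u:object_r:ddclient_exec_t,s0)
-/usr/sbin/ddtcd -- gen_context(system_u:object_r:ddclient_exec_t,s0)
+/usr/sbin/ddtcd -- gen_context(system_u:object_r:ddclient_exec_t,s0)
 
 /var/cache/ddclient(/.*)? gen_context(system_u:object_r:ddclient_var_t,s0)
+
 /var/lib/ddt-client(/.*)? gen_context(system_u:object_r:ddclient_var_lib_t,s0)
+
 /var/log/ddtcd\.log.* -- gen_context(system_u:object_r:ddclient_log_t,s0)
+
 /var/run/ddclient\.pid -- gen_context(system_u:object_r:ddclient_var_run_t,s0)
 /var/run/ddtcd\.pid -- gen_context(system_u:object_r:ddclient_var_run_t,s0)
 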
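--- a/policy/modules/contrib/ddclient.if
+++ b/policy/modules/contrib/ddclient.if
@@ -1,4 +1,4 @@
-## <summary>Update dynamic IP address at DynDNS.org</summary>
+## <summary>Update dynamic IP address at DynDNS.org.</summary>
 
 #######################################
 ## <summary>
@@ -21,7 +21,9 @@ interface(`ddclient_domtrans',`
 
 ########################################
 ## <summary>
-## Execute ddclient daemon on behalf of a user or staff type.
+## Execute ddclient in the ddclient
+## domain, and allow the specified
+## role the ddclient domain.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -37,17 +39,17 @@ interface(`ddclient_domtrans',`
 #
 interface(`ddclient_run',`
 gen_require(`
-type ddclient_t;
+attribute_role ddclient_roles;
 ')
 
 ddclient_domtrans($1)
-role $2 types ddclient_t;
+roleattribute $2 ddclient_roles;
 ')
 
 ########################################
 ## <summary>
-## All of the rules required to administrate
-## an ddclient environment
+## All of the rules required to
+## administrate an ddclient environment.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -56,7 +58,7 @@ interface(`ddclient_run',`
 ## </param>
 ## <param name="role">
 ## <summary>
-## The role to be allowed to manage the ddclient domain.
+## Role allowed access.
 ## </summary>
 ## </param>
 ## <rolecap/>
@@ -64,7 +66,7 @@ interface(`ddclient_run',`
 interface(`ddclient_admin',`
 gen_require(`
 type ddclient_t, ddclient_etc_t, ddclient_log_t;
-type ddclient_var_t, ddclient_var_lib_t;
+type ddclient_var_t, ddclient_var_lib_t, ddclient_tmp_t;
 type ddclient_var_run_t, ddclient_initrc_exec_t;
 ')
 
@@ -90,4 +92,7 @@ interface(`ddclient_admin',`
 
 files_list_pids($1)
 admin_pattern($1, ddclient_var_run_t)
+
+files_list_tmp($1)
+admin_pattern($1, ddclient_tmp_t)
 ')
 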
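Review bot: The reworded `ddclient_admin` summary in the fourth hunk still reads `## administrate an ddclient environment.`; since the line is already being rewritten, `## administrate a ddclient environment.` fixes the article at no cost. The `ddclient_run` change to `roleattribute $2 ddclient_roles;` matches the `role ddclient_roles types ddclient_t;` declaration added in ddclient.te in the same commit, so dropping `type ddclient_t;` from its gen_require is consistent.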
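--- a/policy/modules/contrib/ddclient.te
+++ b/policy/modules/contrib/ddclient.te
@@ -1,13 +1,16 @@
-policy_module(ddclient, 1.9.0)
+policy_module(ddclient, 1.9.1)
 
 ########################################
 #
 # Declarations
 #
 
+attribute_role ddclient_roles;
+
 type ddclient_t;
 type ddclient_exec_t;
 init_daemon_domain(ddclient_t, ddclient_exec_t)
+role ddclient_roles types ddclient_t;
 
 type ddclient_etc_t;
 files_config_file(ddclient_etc_t)
@@ -18,6 +21,9 @@ init_script_file(ddclient_initrc_exec_t)
 type ddclient_log_t;
 logging_log_file(ddclient_log_t)
 
+type ddclient_tmp_t;
+files_tmp_file(ddclient_tmp_t)
+
 type ddclient_var_t;
 files_type(ddclient_var_t)
 
@@ -37,31 +43,37 @@ allow ddclient_t self:process signal_perms;
 allow ddclient_t self:fifo_file rw_fifo_file_perms;
 allow ddclient_t self:tcp_socket create_socket_perms;
 allow ddclient_t self:udp_socket create_socket_perms;
+allow ddclient_t self:netlink_route_socket r_netlink_socket_perms;
 
-allow ddclient_t ddclient_etc_t:file read_file_perms;
+read_files_pattern(ddclient_t, ddclient_etc_t, ddclient_etc_t)
+setattr_files_pattern(ddclient_t, ddclient_etc_t, ddclient_etc_t)
 
-allow ddclient_t ddclient_log_t:file manage_file_perms;
+allow ddclient_t ddclient_log_t:file append_file_perms;
+allow ddclient_t ddclient_log_t:file create_file_perms;
+allow ddclient_t ddclient_log_t:file setattr_file_perms;
 logging_log_filetrans(ddclient_t, ddclient_log_t, file)
 
+manage_files_pattern(ddclient_t, ddclient_tmp_t, ddclient_tmp_t)
+files_tmp_filetrans(ddclient_t, ddclient_tmp_t, file)
+
 manage_dirs_pattern(ddclient_t, ddclient_var_t, ddclient_var_t)
 manage_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t)
 manage_lnk_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t)
 manage_fifo_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t)
 manage_sock_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t)
-files_var_filetrans(ddclient_t, ddclient_var_t, { file lnk_file sock_file fifo_file })
 
 manage_files_pattern(ddclient_t, ddclient_var_lib_t, ddclient_var_lib_t)
-files_var_lib_filetrans(ddclient_t, ddclient_var_lib_t, file)
 
 manage_files_pattern(ddclient_t, ddclient_var_run_t, ddclient_var_run_t)
 files_pid_filetrans(ddclient_t, ddclient_var_run_t, file)
 
-kernel_read_system_state(ddclient_t)
-kernel_read_network_state(ddclient_t)
-kernel_read_software_raid_state(ddclient_t)
 kernel_getattr_core_if(ddclient_t)
 kernel_getattr_message_if(ddclient_t)
 kernel_read_kernel_sysctls(ddclient_t)
+kernel_read_network_state(ddclient_t)
+kernel_read_software_raid_state(ddclient_t)
+kernel_read_system_state(ddclient_t)
+kernel_search_network_sysctl(ddclient_t)
 
 corecmd_exec_shell(ddclient_t)
 corecmd_exec_bin(ddclient_t)
@@ -74,8 +86,9 @@ corenet_tcp_sendrecv_generic_node(ddclient_t)
 corenet_udp_sendrecv_generic_node(ddclient_t)
 corenet_tcp_sendrecv_all_ports(ddclient_t)
 corenet_udp_sendrecv_all_ports(ddclient_t)
-corenet_tcp_connect_all_ports(ddclient_t)
+
 corenet_sendrecv_all_client_packets(ddclient_t)
+corenet_tcp_connect_all_ports(ddclient_t)
 
 dev_read_sysfs(ddclient_t)
 dev_read_urand(ddclient_t)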
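Review bot: Removing `files_var_filetrans(ddclient_t, ddclient_var_t, { file lnk_file sock_file fifo_file })` and `files_var_lib_filetrans(ddclient_t, ddclient_var_lib_t, file)` in the third hunk leaves ddclient_t with manage rights on ddclient_var_t and ddclient_var_lib_t but no transition for objects it creates directly under /var or /var/lib, so anything the daemon writes outside the trees labelled in ddclient.fc (`/var/cache/ddclient(/.*)?` and `/var/lib/ddt-client(/.*)?`) would now be created as the parent directory's type and be denied on the next access; if the removal is deliberate because the labelled directories cover every configured path, a comment such as `# cache and state live under labelled dirs; no /var filetrans needed` would keep the next porter from restoring them. The same hunk adds `setattr_files_pattern(ddclient_t, ddclient_etc_t, ddclient_etc_t)`, which lets the daemon change mode and ownership of its own credential-bearing config file; presumably this mirrors a Fedora denial, but it deserves a comment naming what triggered it, since nothing else in the module writes ddclient_etc_t and a domain that can setattr its config type can also loosen that file's mode. Narrowing the log rule from `manage_file_perms` to append/create/setattr is a good least-privilege change.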