commit: 4caa328e7b867ee09452693062be5e48ea82b7d8 |
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com> |
AuthorDate: Fri Sep 28 08:01:31 2012 +0000 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
CommitDate: Fri Sep 28 17:39:48 2012 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=4caa328e |
|
Changes to the ddclient policy module |
|
Ported from Fedora with changes |
|
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com> |
|
--- |
policy/modules/contrib/ddclient.fc | 8 ++++++-- |
policy/modules/contrib/ddclient.if | 21 +++++++++++++-------- |
policy/modules/contrib/ddclient.te | 31 ++++++++++++++++++++++--------- |
3 files changed, 41 insertions(+), 19 deletions(-) |
|
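--- a/policy/modules/contrib/ddclient.fc
+++ b/policy/modules/contrib/ddclient.fc
@@ -1,12 +1,16 @@
 /etc/ddclient\.conf -- gen_context(system_u:object_r:ddclient_etc_t,s0)
 /etc/ddtcd\.conf -- gen_context(system_u:object_r:ddclient_etc_t,s0)
-/etc/rc\.d/init\.d/ddclient -- gen_context(system_u:object_r:ddclient_initrc_exec_t,s0)
+
+/etc/rc\.d/init\.d/ddclient -- gen_context(system_u:object_r:ddclient_initrc_exec_t,s0)
 
 /usr/sbin/ddclient -- gen_context(system_u:object_r:ddclient_exec_t,s0)
-/usr/sbin/ddtcd -- gen_context(system_u:object_r:ddclient_exec_t,s0)
+/usr/sbin/ddtcd -- gen_context(system_u:object_r:ddclient_exec_t,s0)
 
 /var/cache/ddclient(/.*)? gen_context(system_u:object_r:ddclient_var_t,s0)
+
 /var/lib/ddt-client(/.*)? gen_context(system_u:object_r:ddclient_var_lib_t,s0)
+
 /var/log/ddtcd\.log.* -- gen_context(system_u:object_r:ddclient_log_t,s0)
+
 /var/run/ddclient\.pid -- gen_context(system_u:object_r:ddclient_var_run_t,s0)
 /var/run/ddtcd\.pid -- gen_context(system_u:object_r:ddclient_var_run_t,s0)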
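--- a/policy/modules/contrib/ddclient.if
+++ b/policy/modules/contrib/ddclient.if
@@ -1,4 +1,4 @@
-## <summary>Update dynamic IP address at DynDNS.org</summary>
+## <summary>Update dynamic IP address at DynDNS.org.</summary>
 
 #######################################
 ## <summary>
@@ -21,7 +21,9 @@ interface(`ddclient_domtrans',`
 
 ########################################
 ## <summary>
-## Execute ddclient daemon on behalf of a user or staff type.
+## Execute ddclient in the ddclient
+## domain, and allow the specified
+## role the ddclient domain.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -37,17 +39,17 @@ interface(`ddclient_domtrans',`
 #
 interface(`ddclient_run',`
 gen_require(`
-type ddclient_t;
+attribute_role ddclient_roles;
 ')
 
 ddclient_domtrans($1)
-role $2 types ddclient_t;
+roleattribute $2 ddclient_roles;
 ')
 
 ########################################
 ## <summary>
-## All of the rules required to administrate
-## an ddclient environment
+## All of the rules required to
+## administrate an ddclient environment.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -56,7 +58,7 @@ interface(`ddclient_run',`
 ## </param>
 ## <param name="role">
 ## <summary>
-## The role to be allowed to manage the ddclient domain.
+## Role allowed access.
 ## </summary>
 ## </param>
 ## <rolecap/>
@@ -64,7 +66,7 @@ interface(`ddclient_run',`
 interface(`ddclient_admin',`
 gen_require(`
 type ddclient_t, ddclient_etc_t, ddclient_log_t;
-type ddclient_var_t, ddclient_var_lib_t;
+type ddclient_var_t, ddclient_var_lib_t, ddclient_tmp_t;
 type ddclient_var_run_t, ddclient_initrc_exec_t;
 ')
 
@@ -90,4 +92,7 @@ interface(`ddclient_admin',`
 
 files_list_pids($1)
 admin_pattern($1, ddclient_var_run_t)
+
+files_list_tmp($1)
+admin_pattern($1, ddclient_tmp_t)
 ')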
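Review bot: The reflowed `ddclient_admin` summary in the hunk at @@ -37,17 still reads "administrate an ddclient environment"; since the line is rewritten anyway, `## administrate a ddclient environment.` fixes the article at no cost. In the same hunk `ddclient_run` now attaches `$2` to the `ddclient_roles` attribute instead of emitting a direct `role $2 types ddclient_t` rule, so the `<param name="role">` description of that interface, which sits above the visible hunks, should be checked to still describe what the role is granted. The `ddclient_admin` body extends beyond the shown hunk lines.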
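--- a/policy/modules/contrib/ddclient.te
+++ b/policy/modules/contrib/ddclient.te
@@ -1,13 +1,16 @@
-policy_module(ddclient, 1.9.0)
+policy_module(ddclient, 1.9.1)
 
 ########################################
 #
 # Declarations
 #
 
+attribute_role ddclient_roles;
+
 type ddclient_t;
 type ddclient_exec_t;
 init_daemon_domain(ddclient_t, ddclient_exec_t)
+role ddclient_roles types ddclient_t;
 
 type ddclient_etc_t;
 files_config_file(ddclient_etc_t)
@@ -18,6 +21,9 @@ init_script_file(ddclient_initrc_exec_t)
 type ddclient_log_t;
 logging_log_file(ddclient_log_t)
 
+type ddclient_tmp_t;
+files_tmp_file(ddclient_tmp_t)
+
 type ddclient_var_t;
 files_type(ddclient_var_t)
 
@@ -37,31 +43,37 @@ allow ddclient_t self:process signal_perms;
 allow ddclient_t self:fifo_file rw_fifo_file_perms;
 allow ddclient_t self:tcp_socket create_socket_perms;
 allow ddclient_t self:udp_socket create_socket_perms;
+allow ddclient_t self:netlink_route_socket r_netlink_socket_perms;
 
-allow ddclient_t ddclient_etc_t:file read_file_perms;
+read_files_pattern(ddclient_t, ddclient_etc_t, ddclient_etc_t)
+setattr_files_pattern(ddclient_t, ddclient_etc_t, ddclient_etc_t)
 
-allow ddclient_t ddclient_log_t:file manage_file_perms;
+allow ddclient_t ddclient_log_t:file append_file_perms;
+allow ddclient_t ddclient_log_t:file create_file_perms;
+allow ddclient_t ddclient_log_t:file setattr_file_perms;
 logging_log_filetrans(ddclient_t, ddclient_log_t, file)
 
+manage_files_pattern(ddclient_t, ddclient_tmp_t, ddclient_tmp_t)
+files_tmp_filetrans(ddclient_t, ddclient_tmp_t, file)
+
 manage_dirs_pattern(ddclient_t, ddclient_var_t, ddclient_var_t)
 manage_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t)
 manage_lnk_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t)
 manage_fifo_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t)
 manage_sock_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t)
-files_var_filetrans(ddclient_t, ddclient_var_t, { file lnk_file sock_file fifo_file })
 
 manage_files_pattern(ddclient_t, ddclient_var_lib_t, ddclient_var_lib_t)
-files_var_lib_filetrans(ddclient_t, ddclient_var_lib_t, file)
 
 manage_files_pattern(ddclient_t, ddclient_var_run_t, ddclient_var_run_t)
 files_pid_filetrans(ddclient_t, ddclient_var_run_t, file)
 
-kernel_read_system_state(ddclient_t)
-kernel_read_network_state(ddclient_t)
-kernel_read_software_raid_state(ddclient_t)
 kernel_getattr_core_if(ddclient_t)
 kernel_getattr_message_if(ddclient_t)
 kernel_read_kernel_sysctls(ddclient_t)
+kernel_read_network_state(ddclient_t)
+kernel_read_software_raid_state(ddclient_t)
+kernel_read_system_state(ddclient_t)
+kernel_search_network_sysctl(ddclient_t)
 
 corecmd_exec_shell(ddclient_t)
 corecmd_exec_bin(ddclient_t)
@@ -74,8 +86,9 @@ corenet_tcp_sendrecv_generic_node(ddclient_t)
 corenet_udp_sendrecv_generic_node(ddclient_t)
 corenet_tcp_sendrecv_all_ports(ddclient_t)
 corenet_udp_sendrecv_all_ports(ddclient_t)
-corenet_tcp_connect_all_ports(ddclient_t)
+
 corenet_sendrecv_all_client_packets(ddclient_t)
+corenet_tcp_connect_all_ports(ddclient_t)
 
 dev_read_sysfs(ddclient_t)
 dev_read_urand(ddclient_t)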
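Review bot: `setattr_files_pattern(ddclient_t, ddclient_etc_t, ddclient_etc_t)` in the hunk at @@ -37,31 lets the daemon change the attributes of its own configuration type, which per ddclient.fc also labels `/etc/ddclient.conf` (the file that typically holds the update-service credentials), and nothing in the hunk records why the daemon needs more than read access to it; a comment such as `# NOTE(review): ddclient appears to adjust the mode of its own config file — confirm against the daemon` would document the rationale, or the rule should go if the behaviour is not observed. The same hunk only relocates `corenet_tcp_connect_all_ports(ddclient_t)`; for an updater that presumably talks to a handful of web endpoints, a narrower interface such as `corenet_tcp_connect_http_port(ddclient_t)` plus a comment naming any further port types that were observed would make the network exposure explicit. The tightened log rules (`append_file_perms`/`create_file_perms`/`setattr_file_perms`) are the right direction and need no further change.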