commit: 963d28045ce8acd550b2982533ffd79b737ff61c |
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com> |
AuthorDate: Fri Sep 28 10:30:26 2012 +0000 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
CommitDate: Fri Sep 28 17:47:36 2012 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=963d2804 |
|
Changes to the djbdns policy module |
|
Use type attribute to group common policy for efficiency |
Module clean up |
|
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com> |
|
--- |
policy/modules/contrib/djbdns.fc | 12 +++---- |
policy/modules/contrib/djbdns.if | 62 ++++++++++++++----------------------- |
policy/modules/contrib/djbdns.te | 61 ++++++++++++++++++++++-------------- |
3 files changed, 66 insertions(+), 69 deletions(-) |
|
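--- a/policy/modules/contrib/djbdns.fc
+++ b/policy/modules/contrib/djbdns.fc
@@ -1,9 +1,7 @@
-
-/usr/bin/axfrdns -- gen_context(system_u:object_r:djbdns_axfrdns_exec_t,s0)
+/usr/bin/axfrdns -- gen_context(system_u:object_r:djbdns_axfrdns_exec_t,s0)
 /usr/bin/dnscache -- gen_context(system_u:object_r:djbdns_dnscache_exec_t,s0)
-/usr/bin/tinydns -- gen_context(system_u:object_r:djbdns_tinydns_exec_t,s0)
-
-/var/axfrdns/root(/.*)? gen_context(system_u:object_r:djbdns_axfrdns_conf_t,s0)
-/var/dnscache/root(/.*)? gen_context(system_u:object_r:djbdns_dnscache_conf_t,s0)
-/var/tinydns/root(/.*)? gen_context(system_u:object_r:djbdns_tinydns_conf_t,s0)
+/usr/bin/tinydns -- gen_context(system_u:object_r:djbdns_tinydns_exec_t,s0)
 
+/var/axfrdns/root(/.*)? gen_context(system_u:object_r:djbdns_axfrdns_conf_t,s0)
+/var/dnscache/root(/.*)? gen_context(system_u:object_r:djbdns_dnscache_conf_t,s0)
+/var/tinydns/root(/.*)? gen_context(system_u:object_r:djbdns_tinydns_conf_t,s0)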
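--- a/policy/modules/contrib/djbdns.if
+++ b/policy/modules/contrib/djbdns.if
@@ -1,63 +1,49 @@
-## <summary>small and secure DNS daemon</summary>
+## <summary>Small and secure DNS daemon.</summary>
 
-########################################
+#######################################
 ## <summary>
-## Create a set of derived types for djbdns
-## components that are directly supervised by daemontools.
+## The template to define a djbdns domain.
 ## </summary>
-## <param name="prefix">
+## <param name="domain_prefix">
 ## <summary>
-## The prefix to be used for deriving type names.
+## Domain prefix to be used.
 ## </summary>
 ## </param>
 #
 template(`djbdns_daemontools_domain_template',`
+ gen_require(`
+ attribute djbdns_domain;
+ ')
 
- type djbdns_$1_t;
- type djbdns_$1_exec_t;
- type djbdns_$1_conf_t;
- files_config_file(djbdns_$1_conf_t)
+ ########################################
+ #
+ # Declarations
+ #
 
+ type djbdns_$1_t, djbdns_domain;
+ type djbdns_$1_exec_t;
 domain_type(djbdns_$1_t)
 domain_entry_file(djbdns_$1_t, djbdns_$1_exec_t)
 role system_r types djbdns_$1_t;
 
+ type djbdns_$1_conf_t;
+ files_config_file(djbdns_$1_conf_t)
+
+ ########################################
+ #
+ # Local policy
+ #
+
 daemontools_service_domain(djbdns_$1_t, djbdns_$1_exec_t)
 daemontools_read_svc(djbdns_$1_t)
 
- allow djbdns_$1_t self:capability { net_bind_service setgid setuid sys_chroot };
- allow djbdns_$1_t self:process signal;
- allow djbdns_$1_t self:fifo_file rw_fifo_file_perms;
- allow djbdns_$1_t self:tcp_socket create_stream_socket_perms;
- allow djbdns_$1_t self:udp_socket create_socket_perms;
-
 allow djbdns_$1_t djbdns_$1_conf_t:dir list_dir_perms;
 allow djbdns_$1_t djbdns_$1_conf_t:file read_file_perms;
-
- corenet_all_recvfrom_unlabeled(djbdns_$1_t)
- corenet_all_recvfrom_netlabel(djbdns_$1_t)
- corenet_tcp_sendrecv_generic_if(djbdns_$1_t)
- corenet_udp_sendrecv_generic_if(djbdns_$1_t)
- corenet_tcp_sendrecv_generic_node(djbdns_$1_t)
- corenet_udp_sendrecv_generic_node(djbdns_$1_t)
- corenet_tcp_sendrecv_all_ports(djbdns_$1_t)
- corenet_udp_sendrecv_all_ports(djbdns_$1_t)
- corenet_tcp_bind_generic_node(djbdns_$1_t)
- corenet_udp_bind_generic_node(djbdns_$1_t)
- corenet_tcp_bind_dns_port(djbdns_$1_t)
- corenet_tcp_connect_dns_port(djbdns_$1_t)
- corenet_udp_bind_dns_port(djbdns_$1_t)
- corenet_tcp_bind_generic_port(djbdns_$1_t)
- corenet_udp_bind_generic_port(djbdns_$1_t)
- corenet_sendrecv_dns_server_packets(djbdns_$1_t)
- corenet_sendrecv_generic_server_packets(djbdns_$1_t)
-
- files_search_var(djbdns_$1_t)
 ')
 
 #####################################
 ## <summary>
-## Allow search the djbdns-tinydns key ring.
+## Search djbdns-tinydns key ring.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -75,7 +61,7 @@ interface(`djbdns_search_tinydns_keys',`
 
 #####################################
 ## <summary>
-## Allow link to the djbdns-tinydns key ring.
+## Link djbdns-tinydns key ring.
 ## </summary>
 ## <param name="domain">
 ## <summary>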
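Review bot: The rewritten template header, `## The template to define a djbdns domain.`, no longer says that the derived domain is supervised by daemontools, and nothing in it tells a reader that the capability, socket and corenet rules removed from the template body are now inherited by joining `djbdns_domain`. Anyone auditing what a template-created domain may do now has to know to look in djbdns.te for rules written against the attribute. I would extend the summary to something like `## Define a djbdns domain supervised by daemontools; the domain joins djbdns_domain and inherits the common rules declared in djbdns.te.` The same comment could note that the `gen_require` on `djbdns_domain` ties the template to that attribute's declaration.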
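--- a/policy/modules/contrib/djbdns.te
+++ b/policy/modules/contrib/djbdns.te
@@ -1,51 +1,64 @@
-policy_module(djbdns, 1.5.1)
+policy_module(djbdns, 1.5.2)
 
 ########################################
 #
 # Declarations
 #
 
-type djbdns_axfrdns_t;
-type djbdns_axfrdns_exec_t;
-domain_type(djbdns_axfrdns_t)
-domain_entry_file(djbdns_axfrdns_t, djbdns_axfrdns_exec_t)
-role system_r types djbdns_axfrdns_t;
+attribute djbdns_domain;
 
-type djbdns_axfrdns_conf_t;
-files_config_file(djbdns_axfrdns_conf_t)
+djbdns_daemontools_domain_template(axfrdns)
+ucspitcp_service_domain(djbdns_axfrdns_t, djbdns_axfrdns_exec_t)
 
 djbdns_daemontools_domain_template(dnscache)
-
 djbdns_daemontools_domain_template(tinydns)
 
 ########################################
 #
-# Local policy for axfrdns component
+# Common local policy
 #
 
-daemontools_ipc_domain(djbdns_axfrdns_t)
-daemontools_read_svc(djbdns_axfrdns_t)
+allow djbdns_domain self:capability { net_bind_service setgid setuid sys_chroot };
+allow djbdns_domain self:process signal;
+allow djbdns_domain self:fifo_file rw_fifo_file_perms;
+allow djbdns_domain self:tcp_socket create_stream_socket_perms;
+allow djbdns_domain self:udp_socket create_socket_perms;
+
+corenet_all_recvfrom_unlabeled(djbdns_domain)
+corenet_all_recvfrom_netlabel(djbdns_domain)
+corenet_tcp_sendrecv_generic_if(djbdns_domain)
+corenet_udp_sendrecv_generic_if(djbdns_domain)
+corenet_tcp_sendrecv_generic_node(djbdns_domain)
+corenet_udp_sendrecv_generic_node(djbdns_domain)
+corenet_tcp_sendrecv_all_ports(djbdns_domain)
+corenet_udp_sendrecv_all_ports(djbdns_domain)
+corenet_tcp_bind_generic_node(djbdns_domain)
+corenet_udp_bind_generic_node(djbdns_domain)
 
-allow djbdns_axfrdns_t self:capability { setuid setgid sys_chroot };
+corenet_sendrecv_dns_server_packets(djbdns_domain)
+corenet_tcp_bind_dns_port(djbdns_domain)
+corenet_udp_bind_dns_port(djbdns_domain)
 
-allow djbdns_axfrdns_t djbdns_axfrdns_conf_t:dir list_dir_perms;
-allow djbdns_axfrdns_t djbdns_axfrdns_conf_t:file read_file_perms;
+corenet_sendrecv_dns_client_packets(djbdns_domain)
+corenet_tcp_connect_dns_port(djbdns_domain)
 
-allow djbdns_axfrdns_t djbdns_tinydns_t:dir list_dir_perms;
-allow djbdns_axfrdns_t djbdns_tinydns_t:file read_file_perms;
+corenet_sendrecv_generic_server_packets(djbdns_domain)
+corenet_tcp_bind_generic_port(djbdns_domain)
+corenet_udp_bind_generic_port(djbdns_domain)
 
-allow djbdns_axfrdns_t djbdns_tinydns_conf_t:dir list_dir_perms;
-allow djbdns_axfrdns_t djbdns_tinydns_conf_t:file read_file_perms;
+files_search_var(djbdns_domain)
 
-files_search_var(djbdns_axfrdns_t)
+########################################
+#
+# axfrdns local policy
+#
 
-optional_policy(`
- ucspitcp_service_domain(djbdns_axfrdns_t, djbdns_axfrdns_exec_t)
-')
+allow djbdns_axfrdns_t { djbdns_tinydns_t djbdns_tinydns_conf_t }:dir list_dir_perms;
+allow djbdns_axfrdns_t { djbdns_tinydns_t djbdns_tinydns_conf_t }:file read_file_perms;
 
 ########################################
 #
-# Local policy for tinydns
+# tinydns local policy
 #
 
 init_dontaudit_use_script_fds(djbdns_tinydns_t)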
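Review bot: Creating axfrdns through `djbdns_daemontools_domain_template(axfrdns)` widens that domain in a way the commit message ("efficiency", "clean up") does not mention. The removed hand-written policy allowed only `self:capability { setuid setgid sys_chroot }` and had no corenet rules, whereas `djbdns_axfrdns_t` now carries `djbdns_domain` and so gains `net_bind_service`, self TCP/UDP socket creation, and the bind and connect rules for the DNS and generic ports. Since axfrdns is set up as a ucspi-tcp service, it presumably does not bind sockets itself; if so, the bind/connect rules belong on the dnscache and tinydns types (or a narrower attribute) rather than on `djbdns_domain`. Separately, `ucspitcp_service_domain(...)` is no longer wrapped in `optional_policy`, so the module now appears to hard-depend on the ucspitcp module; restoring the wrapper as in the removed lines would keep that dependency optional.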