[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/ - gentoo-commits

From:	Sven Vermeulen <sven.vermeulen@××××××.be>
To:	gentoo-commits@l.g.o
Subject:	[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
Date:	Fri, 28 Sep 2012 17:52:08
Message-Id:	`1348854456.963d28045ce8acd550b2982533ffd79b737ff61c.SwifT@gentoo`

1

commit:     963d28045ce8acd550b2982533ffd79b737ff61c

2

Author:     Dominick Grift <dominick.grift <AT> gmail <DOT> com>

3

AuthorDate: Fri Sep 28 10:30:26 2012 +0000

4

Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>

5

CommitDate: Fri Sep 28 17:47:36 2012 +0000

6

URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=963d2804

7

8

Changes to the djbdns policy module

9

10

Use type attribute to group common policy for efficiency

11

Module cleap up

12

13

Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>

14

15

---

16

 policy/modules/contrib/djbdns.fc |   12 +++----

17

 policy/modules/contrib/djbdns.if |   62 ++++++++++++++-----------------------

18

 policy/modules/contrib/djbdns.te |   61 ++++++++++++++++++++++--------------

19

 3 files changed, 66 insertions(+), 69 deletions(-)

20

21

diff --git a/policy/modules/contrib/djbdns.fc b/policy/modules/contrib/djbdns.fc

22

index fdb6652..e9b1b32 100644

23

--- a/policy/modules/contrib/djbdns.fc

24

+++ b/policy/modules/contrib/djbdns.fc

25

@@ -1,9 +1,7 @@

26

-

27

-/usr/bin/axfrdns		--	gen_context(system_u:object_r:djbdns_axfrdns_exec_t,s0)

28

+/usr/bin/axfrdns	--	gen_context(system_u:object_r:djbdns_axfrdns_exec_t,s0)

29

 /usr/bin/dnscache	--	gen_context(system_u:object_r:djbdns_dnscache_exec_t,s0)

30

-/usr/bin/tinydns		--	gen_context(system_u:object_r:djbdns_tinydns_exec_t,s0)

31

-

32

-/var/axfrdns/root(/.*)?		gen_context(system_u:object_r:djbdns_axfrdns_conf_t,s0)

33

-/var/dnscache/root(/.*)?		gen_context(system_u:object_r:djbdns_dnscache_conf_t,s0)

34

-/var/tinydns/root(/.*)?		gen_context(system_u:object_r:djbdns_tinydns_conf_t,s0)

35

+/usr/bin/tinydns	--	gen_context(system_u:object_r:djbdns_tinydns_exec_t,s0)

36

37

+/var/axfrdns/root(/.*)?	gen_context(system_u:object_r:djbdns_axfrdns_conf_t,s0)

38

+/var/dnscache/root(/.*)?	gen_context(system_u:object_r:djbdns_dnscache_conf_t,s0)

39

+/var/tinydns/root(/.*)?	gen_context(system_u:object_r:djbdns_tinydns_conf_t,s0)

40

41

diff --git a/policy/modules/contrib/djbdns.if b/policy/modules/contrib/djbdns.if

42

index d53902d..671d3c0 100644

43

--- a/policy/modules/contrib/djbdns.if

44

+++ b/policy/modules/contrib/djbdns.if

45

@@ -1,63 +1,49 @@

46

-## <summary>small and secure DNS daemon</summary>

47

+## <summary>Small and secure DNS daemon.</summary>

48

49

-########################################

50

+#######################################

51

 ## <summary>

52

-##	Create a set of derived types for djbdns

53

-##	components that are directly supervised by daemontools.

54

+##	The template to define a djbdns domain.

55

 ## </summary>

56

-## <param name="prefix">

57

+## <param name="domain_prefix">

58

 ##	<summary>

59

-##	The prefix to be used for deriving type names.

60

+##	Domain prefix to be used.

61

 ##	</summary>

62

 ## </param>

63

#

64

 template(`djbdns_daemontools_domain_template',`

65

+	gen_require(`

66

+		attribute djbdns_domain;

67

+	')

68

69

-	type djbdns_$1_t;

70

-	type djbdns_$1_exec_t;

71

-	type djbdns_$1_conf_t;

72

-	files_config_file(djbdns_$1_conf_t)

73

+	########################################

74

+	#

75

+	# Declarations

76

+	#

77

78

+	type djbdns_$1_t, djbdns_domain;

79

+	type djbdns_$1_exec_t;

80

 	domain_type(djbdns_$1_t)

81

 	domain_entry_file(djbdns_$1_t, djbdns_$1_exec_t)

82

 	role system_r types djbdns_$1_t;

83

84

+	type djbdns_$1_conf_t;

85

+	files_config_file(djbdns_$1_conf_t)

86

+

87

+	########################################

88

+	#

89

+	# Local policy

90

+	#

91

+

92

 	daemontools_service_domain(djbdns_$1_t, djbdns_$1_exec_t)

93

 	daemontools_read_svc(djbdns_$1_t)

94

95

-	allow djbdns_$1_t self:capability { net_bind_service setgid setuid sys_chroot };

96

-	allow djbdns_$1_t self:process signal;

97

-	allow djbdns_$1_t self:fifo_file rw_fifo_file_perms;

98

-	allow djbdns_$1_t self:tcp_socket create_stream_socket_perms;

99

-	allow djbdns_$1_t self:udp_socket create_socket_perms;

100

-

101

 	allow djbdns_$1_t djbdns_$1_conf_t:dir list_dir_perms;

102

 	allow djbdns_$1_t djbdns_$1_conf_t:file read_file_perms;

103

-

104

-	corenet_all_recvfrom_unlabeled(djbdns_$1_t)

105

-	corenet_all_recvfrom_netlabel(djbdns_$1_t)

106

-	corenet_tcp_sendrecv_generic_if(djbdns_$1_t)

107

-	corenet_udp_sendrecv_generic_if(djbdns_$1_t)

108

-	corenet_tcp_sendrecv_generic_node(djbdns_$1_t)

109

-	corenet_udp_sendrecv_generic_node(djbdns_$1_t)

110

-	corenet_tcp_sendrecv_all_ports(djbdns_$1_t)

111

-	corenet_udp_sendrecv_all_ports(djbdns_$1_t)

112

-	corenet_tcp_bind_generic_node(djbdns_$1_t)

113

-	corenet_udp_bind_generic_node(djbdns_$1_t)

114

-	corenet_tcp_bind_dns_port(djbdns_$1_t)

115

-	corenet_tcp_connect_dns_port(djbdns_$1_t)

116

-	corenet_udp_bind_dns_port(djbdns_$1_t)

117

-	corenet_tcp_bind_generic_port(djbdns_$1_t)

118

-	corenet_udp_bind_generic_port(djbdns_$1_t)

119

-	corenet_sendrecv_dns_server_packets(djbdns_$1_t)

120

-	corenet_sendrecv_generic_server_packets(djbdns_$1_t)

121

-

122

-	files_search_var(djbdns_$1_t)

123

')

124

125

 #####################################

126

 ## <summary>

127

-##	Allow search the djbdns-tinydns key ring.

128

+##	Search djbdns-tinydns key ring.

129

 ## </summary>

130

 ## <param name="domain">

131

 ##	<summary>

132

@@ -75,7 +61,7 @@ interface(`djbdns_search_tinydns_keys',`

133

134

 #####################################

135

 ## <summary>

136

-##	Allow link to the djbdns-tinydns key ring.

137

+##	Link djbdns-tinydns key ring.

138

 ## </summary>

139

 ## <param name="domain">

140

 ##	<summary>

141

142

diff --git a/policy/modules/contrib/djbdns.te b/policy/modules/contrib/djbdns.te

143

index b8933a0..a195011 100644

144

--- a/policy/modules/contrib/djbdns.te

145

+++ b/policy/modules/contrib/djbdns.te

146

@@ -1,51 +1,64 @@

147

-policy_module(djbdns, 1.5.1)

148

+policy_module(djbdns, 1.5.2)

149

150

 ########################################

151

#

152

 # Declarations

153

#

154

155

-type djbdns_axfrdns_t;

156

-type djbdns_axfrdns_exec_t;

157

-domain_type(djbdns_axfrdns_t)

158

-domain_entry_file(djbdns_axfrdns_t, djbdns_axfrdns_exec_t)

159

-role system_r types djbdns_axfrdns_t;

160

+attribute djbdns_domain;

161

162

-type djbdns_axfrdns_conf_t;

163

-files_config_file(djbdns_axfrdns_conf_t)

164

+djbdns_daemontools_domain_template(axfrdns)

165

+ucspitcp_service_domain(djbdns_axfrdns_t, djbdns_axfrdns_exec_t)

166

167

 djbdns_daemontools_domain_template(dnscache)

168

-

169

 djbdns_daemontools_domain_template(tinydns)

170

171

 ########################################

172

#

173

-# Local policy for axfrdns component

174

+# Common local policy

175

#

176

177

-daemontools_ipc_domain(djbdns_axfrdns_t)

178

-daemontools_read_svc(djbdns_axfrdns_t)

179

+allow djbdns_domain self:capability { net_bind_service setgid setuid sys_chroot };

180

+allow djbdns_domain self:process signal;

181

+allow djbdns_domain self:fifo_file rw_fifo_file_perms;

182

+allow djbdns_domain self:tcp_socket create_stream_socket_perms;

183

+allow djbdns_domain self:udp_socket create_socket_perms;

184

+

185

+corenet_all_recvfrom_unlabeled(djbdns_domain)

186

+corenet_all_recvfrom_netlabel(djbdns_domain)

187

+corenet_tcp_sendrecv_generic_if(djbdns_domain)

188

+corenet_udp_sendrecv_generic_if(djbdns_domain)

189

+corenet_tcp_sendrecv_generic_node(djbdns_domain)

190

+corenet_udp_sendrecv_generic_node(djbdns_domain)

191

+corenet_tcp_sendrecv_all_ports(djbdns_domain)

192

+corenet_udp_sendrecv_all_ports(djbdns_domain)

193

+corenet_tcp_bind_generic_node(djbdns_domain)

194

+corenet_udp_bind_generic_node(djbdns_domain)

195

196

-allow djbdns_axfrdns_t self:capability { setuid setgid sys_chroot };

197

+corenet_sendrecv_dns_server_packets(djbdns_domain)

198

+corenet_tcp_bind_dns_port(djbdns_domain)

199

+corenet_udp_bind_dns_port(djbdns_domain)

200

201

-allow djbdns_axfrdns_t djbdns_axfrdns_conf_t:dir list_dir_perms;

202

-allow djbdns_axfrdns_t djbdns_axfrdns_conf_t:file read_file_perms;

203

+corenet_sendrecv_dns_client_packets(djbdns_domain)

204

+corenet_tcp_connect_dns_port(djbdns_domain)

205

206

-allow djbdns_axfrdns_t djbdns_tinydns_t:dir list_dir_perms;

207

-allow djbdns_axfrdns_t djbdns_tinydns_t:file read_file_perms;

208

+corenet_sendrecv_generic_server_packets(djbdns_domain)

209

+corenet_tcp_bind_generic_port(djbdns_domain)

210

+corenet_udp_bind_generic_port(djbdns_domain)

211

212

-allow djbdns_axfrdns_t djbdns_tinydns_conf_t:dir list_dir_perms;

213

-allow djbdns_axfrdns_t djbdns_tinydns_conf_t:file read_file_perms;

214

+files_search_var(djbdns_domain)

215

216

-files_search_var(djbdns_axfrdns_t)

217

+########################################

218

+#

219

+# axfrdns local policy

220

+#

221

222

-optional_policy(`

223

-	ucspitcp_service_domain(djbdns_axfrdns_t, djbdns_axfrdns_exec_t)

224

-')

225

+allow djbdns_axfrdns_t { djbdns_tinydns_t djbdns_tinydns_conf_t }:dir list_dir_perms;

226

+allow djbdns_axfrdns_t { djbdns_tinydns_t djbdns_tinydns_conf_t }:file read_file_perms;

227

228

 ########################################

229

#

230

-# Local policy for tinydns

231

+# tinydns local policy

232

#

233

234

 init_dontaudit_use_script_fds(djbdns_tinydns_t)

1	commit: 963d28045ce8acd550b2982533ffd79b737ff61c
2	Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
3	AuthorDate: Fri Sep 28 10:30:26 2012 +0000
4	Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
5	CommitDate: Fri Sep 28 17:47:36 2012 +0000
6	URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=963d2804
7
8	Changes to the djbdns policy module
9
10	Use type attribute to group common policy for efficiency
11	Module cleap up
12
13	Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
14
15	---
16	policy/modules/contrib/djbdns.fc \| 12 +++----
17	policy/modules/contrib/djbdns.if \| 62 ++++++++++++++-----------------------
18	policy/modules/contrib/djbdns.te \| 61 ++++++++++++++++++++++--------------
19	3 files changed, 66 insertions(+), 69 deletions(-)
20
21	diff --git a/policy/modules/contrib/djbdns.fc b/policy/modules/contrib/djbdns.fc
22	index fdb6652..e9b1b32 100644
23	--- a/policy/modules/contrib/djbdns.fc
24	+++ b/policy/modules/contrib/djbdns.fc
25	@@ -1,9 +1,7 @@
26	-
27	-/usr/bin/axfrdns -- gen_context(system_u:object_r:djbdns_axfrdns_exec_t,s0)
28	+/usr/bin/axfrdns -- gen_context(system_u:object_r:djbdns_axfrdns_exec_t,s0)
29	/usr/bin/dnscache -- gen_context(system_u:object_r:djbdns_dnscache_exec_t,s0)
30	-/usr/bin/tinydns -- gen_context(system_u:object_r:djbdns_tinydns_exec_t,s0)
31	-
32	-/var/axfrdns/root(/.*)? gen_context(system_u:object_r:djbdns_axfrdns_conf_t,s0)
33	-/var/dnscache/root(/.*)? gen_context(system_u:object_r:djbdns_dnscache_conf_t,s0)
34	-/var/tinydns/root(/.*)? gen_context(system_u:object_r:djbdns_tinydns_conf_t,s0)
35	+/usr/bin/tinydns -- gen_context(system_u:object_r:djbdns_tinydns_exec_t,s0)
36
37	+/var/axfrdns/root(/.*)? gen_context(system_u:object_r:djbdns_axfrdns_conf_t,s0)
38	+/var/dnscache/root(/.*)? gen_context(system_u:object_r:djbdns_dnscache_conf_t,s0)
39	+/var/tinydns/root(/.*)? gen_context(system_u:object_r:djbdns_tinydns_conf_t,s0)
40
41	diff --git a/policy/modules/contrib/djbdns.if b/policy/modules/contrib/djbdns.if
42	index d53902d..671d3c0 100644
43	--- a/policy/modules/contrib/djbdns.if
44	+++ b/policy/modules/contrib/djbdns.if
45	@@ -1,63 +1,49 @@
46	-## <summary>small and secure DNS daemon</summary>
47	+## <summary>Small and secure DNS daemon.</summary>
48
49	-########################################
50	+#######################################
51	## <summary>
52	-## Create a set of derived types for djbdns
53	-## components that are directly supervised by daemontools.
54	+## The template to define a djbdns domain.
55	## </summary>
56	-## <param name="prefix">
57	+## <param name="domain_prefix">
58	## <summary>
59	-## The prefix to be used for deriving type names.
60	+## Domain prefix to be used.
61	## </summary>
62	## </param>
63	#
64	template(`djbdns_daemontools_domain_template',`
65	+ gen_require(`
66	+ attribute djbdns_domain;
67	+ ')
68
69	- type djbdns_$1_t;
70	- type djbdns_$1_exec_t;
71	- type djbdns_$1_conf_t;
72	- files_config_file(djbdns_$1_conf_t)
73	+ ########################################
74	+ #
75	+ # Declarations
76	+ #
77
78	+ type djbdns_$1_t, djbdns_domain;
79	+ type djbdns_$1_exec_t;
80	domain_type(djbdns_$1_t)
81	domain_entry_file(djbdns_$1_t, djbdns_$1_exec_t)
82	role system_r types djbdns_$1_t;
83
84	+ type djbdns_$1_conf_t;
85	+ files_config_file(djbdns_$1_conf_t)
86	+
87	+ ########################################
88	+ #
89	+ # Local policy
90	+ #
91	+
92	daemontools_service_domain(djbdns_$1_t, djbdns_$1_exec_t)
93	daemontools_read_svc(djbdns_$1_t)
94
95	- allow djbdns_$1_t self:capability { net_bind_service setgid setuid sys_chroot };
96	- allow djbdns_$1_t self:process signal;
97	- allow djbdns_$1_t self:fifo_file rw_fifo_file_perms;
98	- allow djbdns_$1_t self:tcp_socket create_stream_socket_perms;
99	- allow djbdns_$1_t self:udp_socket create_socket_perms;
100	-
101	allow djbdns_$1_t djbdns_$1_conf_t:dir list_dir_perms;
102	allow djbdns_$1_t djbdns_$1_conf_t:file read_file_perms;
103	-
104	- corenet_all_recvfrom_unlabeled(djbdns_$1_t)
105	- corenet_all_recvfrom_netlabel(djbdns_$1_t)
106	- corenet_tcp_sendrecv_generic_if(djbdns_$1_t)
107	- corenet_udp_sendrecv_generic_if(djbdns_$1_t)
108	- corenet_tcp_sendrecv_generic_node(djbdns_$1_t)
109	- corenet_udp_sendrecv_generic_node(djbdns_$1_t)
110	- corenet_tcp_sendrecv_all_ports(djbdns_$1_t)
111	- corenet_udp_sendrecv_all_ports(djbdns_$1_t)
112	- corenet_tcp_bind_generic_node(djbdns_$1_t)
113	- corenet_udp_bind_generic_node(djbdns_$1_t)
114	- corenet_tcp_bind_dns_port(djbdns_$1_t)
115	- corenet_tcp_connect_dns_port(djbdns_$1_t)
116	- corenet_udp_bind_dns_port(djbdns_$1_t)
117	- corenet_tcp_bind_generic_port(djbdns_$1_t)
118	- corenet_udp_bind_generic_port(djbdns_$1_t)
119	- corenet_sendrecv_dns_server_packets(djbdns_$1_t)
120	- corenet_sendrecv_generic_server_packets(djbdns_$1_t)
121	-
122	- files_search_var(djbdns_$1_t)
123	')
124
125	#####################################
126	## <summary>
127	-## Allow search the djbdns-tinydns key ring.
128	+## Search djbdns-tinydns key ring.
129	## </summary>
130	## <param name="domain">
131	## <summary>
132	@@ -75,7 +61,7 @@ interface(`djbdns_search_tinydns_keys',`
133
134	#####################################
135	## <summary>
136	-## Allow link to the djbdns-tinydns key ring.
137	+## Link djbdns-tinydns key ring.
138	## </summary>
139	## <param name="domain">
140	## <summary>
141
142	diff --git a/policy/modules/contrib/djbdns.te b/policy/modules/contrib/djbdns.te
143	index b8933a0..a195011 100644
144	--- a/policy/modules/contrib/djbdns.te
145	+++ b/policy/modules/contrib/djbdns.te
146	@@ -1,51 +1,64 @@
147	-policy_module(djbdns, 1.5.1)
148	+policy_module(djbdns, 1.5.2)
149
150	########################################
151	#
152	# Declarations
153	#
154
155	-type djbdns_axfrdns_t;
156	-type djbdns_axfrdns_exec_t;
157	-domain_type(djbdns_axfrdns_t)
158	-domain_entry_file(djbdns_axfrdns_t, djbdns_axfrdns_exec_t)
159	-role system_r types djbdns_axfrdns_t;
160	+attribute djbdns_domain;
161
162	-type djbdns_axfrdns_conf_t;
163	-files_config_file(djbdns_axfrdns_conf_t)
164	+djbdns_daemontools_domain_template(axfrdns)
165	+ucspitcp_service_domain(djbdns_axfrdns_t, djbdns_axfrdns_exec_t)
166
167	djbdns_daemontools_domain_template(dnscache)
168	-
169	djbdns_daemontools_domain_template(tinydns)
170
171	########################################
172	#
173	-# Local policy for axfrdns component
174	+# Common local policy
175	#
176
177	-daemontools_ipc_domain(djbdns_axfrdns_t)
178	-daemontools_read_svc(djbdns_axfrdns_t)
179	+allow djbdns_domain self:capability { net_bind_service setgid setuid sys_chroot };
180	+allow djbdns_domain self:process signal;
181	+allow djbdns_domain self:fifo_file rw_fifo_file_perms;
182	+allow djbdns_domain self:tcp_socket create_stream_socket_perms;
183	+allow djbdns_domain self:udp_socket create_socket_perms;
184	+
185	+corenet_all_recvfrom_unlabeled(djbdns_domain)
186	+corenet_all_recvfrom_netlabel(djbdns_domain)
187	+corenet_tcp_sendrecv_generic_if(djbdns_domain)
188	+corenet_udp_sendrecv_generic_if(djbdns_domain)
189	+corenet_tcp_sendrecv_generic_node(djbdns_domain)
190	+corenet_udp_sendrecv_generic_node(djbdns_domain)
191	+corenet_tcp_sendrecv_all_ports(djbdns_domain)
192	+corenet_udp_sendrecv_all_ports(djbdns_domain)
193	+corenet_tcp_bind_generic_node(djbdns_domain)
194	+corenet_udp_bind_generic_node(djbdns_domain)
195
196	-allow djbdns_axfrdns_t self:capability { setuid setgid sys_chroot };
197	+corenet_sendrecv_dns_server_packets(djbdns_domain)
198	+corenet_tcp_bind_dns_port(djbdns_domain)
199	+corenet_udp_bind_dns_port(djbdns_domain)
200
201	-allow djbdns_axfrdns_t djbdns_axfrdns_conf_t:dir list_dir_perms;
202	-allow djbdns_axfrdns_t djbdns_axfrdns_conf_t:file read_file_perms;
203	+corenet_sendrecv_dns_client_packets(djbdns_domain)
204	+corenet_tcp_connect_dns_port(djbdns_domain)
205
206	-allow djbdns_axfrdns_t djbdns_tinydns_t:dir list_dir_perms;
207	-allow djbdns_axfrdns_t djbdns_tinydns_t:file read_file_perms;
208	+corenet_sendrecv_generic_server_packets(djbdns_domain)
209	+corenet_tcp_bind_generic_port(djbdns_domain)
210	+corenet_udp_bind_generic_port(djbdns_domain)
211
212	-allow djbdns_axfrdns_t djbdns_tinydns_conf_t:dir list_dir_perms;
213	-allow djbdns_axfrdns_t djbdns_tinydns_conf_t:file read_file_perms;
214	+files_search_var(djbdns_domain)
215
216	-files_search_var(djbdns_axfrdns_t)
217	+########################################
218	+#
219	+# axfrdns local policy
220	+#
221
222	-optional_policy(`
223	- ucspitcp_service_domain(djbdns_axfrdns_t, djbdns_axfrdns_exec_t)
224	-')
225	+allow djbdns_axfrdns_t { djbdns_tinydns_t djbdns_tinydns_conf_t }:dir list_dir_perms;
226	+allow djbdns_axfrdns_t { djbdns_tinydns_t djbdns_tinydns_conf_t }:file read_file_perms;
227
228	########################################
229	#
230	-# Local policy for tinydns
231	+# tinydns local policy
232	#
233
234	init_dontaudit_use_script_fds(djbdns_tinydns_t)

Gentoo Archives: gentoo-commits