
From: Sven Vermeulen <sven.vermeulen@××××××.be>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
Date: Mon, 29 Oct 2012 14:55:50
Message-Id: 1351522292.aec7fe65c4b3c63438570f4e00109787fc3a1a0f.SwifT@gentoo
1 commit: aec7fe65c4b3c63438570f4e00109787fc3a1a0f
2 Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
3 AuthorDate: Mon Oct 29 12:06:45 2012 +0000
4 Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
5 CommitDate: Mon Oct 29 14:51:32 2012 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=aec7fe65
7
8 Changes to the tgtd policy module
9
10 Ported from Fedora with changes
11
12 Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
13
14 ---
15 policy/modules/contrib/tgtd.fc | 4 ++
16 policy/modules/contrib/tgtd.if | 78 ++++++++++++++++++++++++++++++++++------
17 policy/modules/contrib/tgtd.te | 33 +++++++++++++----
18 3 files changed, 96 insertions(+), 19 deletions(-)
19
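diff --git a/policy/modules/contrib/tgtd.fc b/policy/modules/contrib/tgtd.fc
index 0ce7e61..38389e6 100644
--- a/policy/modules/contrib/tgtd.fc
+++ b/policy/modules/contrib/tgtd.fc
@@ -1,3 +1,7 @@
 /etc/rc\.d/init\.d/tgtd -- gen_context(system_u:object_r:tgtd_initrc_exec_t,s0)
+
 /usr/sbin/tgtd -- gen_context(system_u:object_r:tgtd_exec_t,s0)
+
 /var/lib/tgtd(/.*)? gen_context(system_u:object_r:tgtd_var_lib_t,s0)
+
+/var/run/tgtd.* -s gen_context(system_u:object_r:tgtd_var_run_t,s0)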
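Review bot: The new `/var/run/tgtd.* -s gen_context(system_u:object_r:tgtd_var_run_t,s0)` only labels socket files, yet tgtd.te's `files_pid_filetrans(tgtd_t,tgtd_var_run_t, { file sock_file })` also gives tgtd_var_run_t to regular files tgtd_t creates in /var/run, so a relabel would reset such a file to the generic /var/run type and the two would disagree at runtime. Either drop `-s` here or narrow the filetrans to `sock_file` if tgtd creates no regular file there. The unescaped dot in `tgtd.*` also matches any character after `tgtd` (e.g. `/var/run/tgtd-foo`); if the name is literal, `/var/run/tgtd\..*` is the tighter pattern.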
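diff --git a/policy/modules/contrib/tgtd.if b/policy/modules/contrib/tgtd.if
index c2ed23a..5406b6e 100644
--- a/policy/modules/contrib/tgtd.if
+++ b/policy/modules/contrib/tgtd.if
@@ -1,17 +1,8 @@
 ## <summary>Linux Target Framework Daemon.</summary>
-## <desc>
-## <p>
-## Linux target framework (tgt) aims to simplify various
-## SCSI target driver (iSCSI, Fibre Channel, SRP, etc) creation
-## and maintenance. Our key goals are the clean integration into
-## the scsi-mid layer and implementing a great portion of tgt
-## in user space.
-## </p>
-## </desc>
 
 #####################################
 ## <summary>
-## Allow read and write access to tgtd semaphores.
+## Read and write tgtd semaphores.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -29,7 +20,8 @@ interface(`tgtd_rw_semaphores',`
 
 ######################################
 ## <summary>
-## Manage tgtd sempaphores.
+## Create, read, write, and delete
+## tgtd sempaphores.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -44,3 +36,67 @@ interface(`tgtd_manage_semaphores',`
 
 allow $1 tgtd_t:sem create_sem_perms;
 ')
+
+######################################
+## <summary>
+## Connect to tgtd with a unix
+## domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tgtd_stream_connect',`
+ gen_require(`
+ type tgtd_t, tgtd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, tgtd_var_run_t, tgtd_var_run_t, tgtd_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an tgtd environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`tgtd_admin',`
+ gen_require(`
+ type tgtd_t, tgtd_initrc_exec_t, tgtd_var_lib_t;
+ type tgtd_var_run_t, tgtd_tmp_t, tgtd_tmpfs_t;
+ ')
+
+ allow $1 tgtd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, tgtd_t)
+
+ init_labeled_script_domtrans($1, tgtd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 tgtd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_search_var_lib($1)
+ admin_pattern($1, tgtd_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, tgtd_var_run_t)
+
+ files_search_tmp($1)
+ admin_pattern($1, tgtd_tmp_t)
+
+ files_search_tmpfs($1)
+ admin_pattern($1, tgtd_tmpfs_t)
+')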
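Review bot: `allow $1 tgtd_t:process { ptrace signal_perms };` in the new tgtd_admin interface lets the admin domain ptrace tgtd_t, i.e. read and alter the daemon's memory, which is considerably broader than the start/stop and file management the rest of the interface grants; if the admin role only needs to manage the service, `allow $1 tgtd_t:process signal_perms;` follows least privilege, though this does mirror the existing admin-interface pattern in the tree, so it is a judgment call. Two documentation nits in the same file: the second hunk's new line carries over the misspelling `## tgtd sempaphores.` (should be `semaphores`), and the tgtd_admin summary `## administrate an tgtd environment.` should read `a tgtd environment`.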
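diff --git a/policy/modules/contrib/tgtd.te b/policy/modules/contrib/tgtd.te
index 80fe75c..dc22f11 100644
--- a/policy/modules/contrib/tgtd.te
+++ b/policy/modules/contrib/tgtd.te
@@ -1,8 +1,8 @@
-policy_module(tgtd, 1.2.0)
+policy_module(tgtd, 1.2.2)
 
 ########################################
 #
-# TGTD personal declarations.
+# Declarations
 #
 
 type tgtd_t;
@@ -21,23 +21,25 @@ files_tmpfs_file(tgtd_tmpfs_t)
 type tgtd_var_lib_t;
 files_type(tgtd_var_lib_t)
 
+type tgtd_var_run_t;
+files_pid_file(tgtd_var_run_t)
+
 ########################################
 #
-# TGTD personal policy.
+# Local policy
 #
 
 allow tgtd_t self:capability sys_resource;
 allow tgtd_t self:process { setrlimit signal };
 allow tgtd_t self:fifo_file rw_fifo_file_perms;
-allow tgtd_t self:netlink_route_socket { create_socket_perms nlmsg_read };
+allow tgtd_t self:netlink_route_socket r_netlink_socket_perms;
 allow tgtd_t self:shm create_shm_perms;
 allow tgtd_t self:sem create_sem_perms;
 allow tgtd_t self:tcp_socket create_stream_socket_perms;
 allow tgtd_t self:udp_socket create_socket_perms;
-allow tgtd_t self:unix_dgram_socket create_socket_perms;
 
 manage_sock_files_pattern(tgtd_t, tgtd_tmp_t, tgtd_tmp_t)
-files_tmp_filetrans(tgtd_t, tgtd_tmp_t, { sock_file })
+files_tmp_filetrans(tgtd_t, tgtd_tmp_t, sock_file)
 
 manage_files_pattern(tgtd_t, tgtd_tmpfs_t, tgtd_tmpfs_t)
 fs_tmpfs_filetrans(tgtd_t, tgtd_tmpfs_t, file)
@@ -46,21 +48,36 @@ manage_dirs_pattern(tgtd_t, tgtd_var_lib_t, tgtd_var_lib_t)
 manage_files_pattern(tgtd_t, tgtd_var_lib_t, tgtd_var_lib_t)
 files_var_lib_filetrans(tgtd_t, tgtd_var_lib_t, { dir file })
 
+manage_dirs_pattern(tgtd_t, tgtd_var_run_t,tgtd_var_run_t)
+manage_files_pattern(tgtd_t, tgtd_var_run_t,tgtd_var_run_t)
+manage_sock_files_pattern(tgtd_t, tgtd_var_run_t,tgtd_var_run_t)
+files_pid_filetrans(tgtd_t,tgtd_var_run_t, { file sock_file })
+
+kernel_read_system_state(tgtd_t)
 kernel_read_fs_sysctls(tgtd_t)
 
 corenet_all_recvfrom_netlabel(tgtd_t)
 corenet_all_recvfrom_unlabeled(tgtd_t)
 corenet_tcp_sendrecv_generic_if(tgtd_t)
 corenet_tcp_sendrecv_generic_node(tgtd_t)
-corenet_tcp_sendrecv_iscsi_port(tgtd_t)
 corenet_tcp_bind_generic_node(tgtd_t)
-corenet_tcp_bind_iscsi_port(tgtd_t)
+
 corenet_sendrecv_iscsi_server_packets(tgtd_t)
+corenet_tcp_bind_iscsi_port(tgtd_t)
+corenet_tcp_sendrecv_iscsi_port(tgtd_t)
+
+dev_read_sysfs(tgtd_t)
 
 files_read_etc_files(tgtd_t)
 
+fs_read_anon_inodefs_files(tgtd_t)
+
 storage_manage_fixed_disk(tgtd_t)
 
 logging_send_syslog_msg(tgtd_t)
 
 miscfiles_read_localization(tgtd_t)
+
+optional_policy(`
+ iscsi_manage_semaphores(tgtd_t)
+')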
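Review bot: The four new var_run lines in the last hunk, `manage_dirs_pattern(tgtd_t, tgtd_var_run_t,tgtd_var_run_t)` through `files_pid_filetrans(tgtd_t,tgtd_var_run_t, { file sock_file })`, drop the space after a comma, unlike every other pattern call in the file (e.g. `manage_files_pattern(tgtd_t, tgtd_var_lib_t, tgtd_var_lib_t)` directly above); they should read `manage_dirs_pattern(tgtd_t, tgtd_var_run_t, tgtd_var_run_t)` and likewise for the other three. Separately, the second hunk removes `allow tgtd_t self:unix_dgram_socket create_socket_perms;` while keeping `logging_send_syslog_msg(tgtd_t)`, which presumably is expected to supply the datagram-socket rules syslog needs — worth confirming against the logging module in this tree, since any other unix datagram use by tgtd would now be denied.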