commit: 0e55ec371ae7abf780d77b5a9bc98ee345b203c9 |
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com> |
AuthorDate: Mon Oct 1 08:46:42 2012 +0000 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
CommitDate: Tue Oct 2 18:07:10 2012 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=0e55ec37 |
|
Changes to the firstboot policy module |
|
Ported from Fedora |
Add init script file type |
Module clean up |
|
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com> |
|
--- |
policy/modules/contrib/firstboot.fc | 6 ++- |
policy/modules/contrib/firstboot.if | 33 +++++++++-------- |
policy/modules/contrib/firstboot.te | 68 +++++++++++++++------------------- |
3 files changed, 51 insertions(+), 56 deletions(-) |
|
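--- a/policy/modules/contrib/firstboot.fc
+++ b/policy/modules/contrib/firstboot.fc
@@ -1,3 +1,5 @@
-/usr/sbin/firstboot -- gen_context(system_u:object_r:firstboot_exec_t,s0)
+/etc/rc\.d/init\.d/firstboot.* -- gen_context(system_u:object_r:firstboot_initrc_exec_t,s0)
 
-/usr/share/firstboot/firstboot\.py -- gen_context(system_u:object_r:firstboot_exec_t,s0)
+/usr/sbin/firstboot -- gen_context(system_u:object_r:firstboot_exec_t,s0)
+
+/usr/share/firstboot/firstboot\.py -- gen_context(system_u:object_r:firstboot_exec_t,s0)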
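--- a/policy/modules/contrib/firstboot.if
+++ b/policy/modules/contrib/firstboot.if
@@ -1,7 +1,4 @@
-## <summary>
-## Final system configuration run during the first boot
-## after installation of Red Hat/Fedora systems.
-## </summary>
+## <summary>Initial system configuration utility.</summary>
 
 ########################################
 ## <summary>
@@ -18,13 +15,15 @@ interface(`firstboot_domtrans',`
 type firstboot_t, firstboot_exec_t;
 ')
 
+ corecmd_search_bin($1)
 domtrans_pattern($1, firstboot_exec_t, firstboot_t)
 ')
 
 ########################################
 ## <summary>
-## Execute firstboot in the firstboot domain, and
-## allow the specified role the firstboot domain.
+## Execute firstboot in the firstboot
+## domain, and allow the specified role
+## the firstboot domain.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -39,16 +38,16 @@ interface(`firstboot_domtrans',`
 #
 interface(`firstboot_run',`
 gen_require(`
- type firstboot_t;
+ attribute_role firstboot_roles;
 ')
 
 firstboot_domtrans($1)
- role $2 types firstboot_t;
+ roleattribute $2 firstboot_roles;
 ')
 
 ########################################
 ## <summary>
-## Inherit and use a file descriptor from firstboot.
+## Inherit and use firstboot file descriptors.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -66,8 +65,8 @@ interface(`firstboot_use_fds',`
 
 ########################################
 ## <summary>
-## Do not audit attempts to inherit a
-## file descriptor from firstboot.
+## Do not audit attempts to inherit
+## firstboot file descriptors.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -85,7 +84,7 @@ interface(`firstboot_dontaudit_use_fds',`
 
 ########################################
 ## <summary>
-## Write to a firstboot unnamed pipe.
+## Write firstboot unnamed pipes.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -103,7 +102,7 @@ interface(`firstboot_write_pipes',`
 
 ########################################
 ## <summary>
-## Read and Write to a firstboot unnamed pipe.
+## Read and Write firstboot unnamed pipes.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -121,7 +120,8 @@ interface(`firstboot_rw_pipes',`
 
 ########################################
 ## <summary>
-## Do not audit attemps to read and write to a firstboot unnamed pipe.
+## Do not audit attemps to read and
+## write firstboot unnamed pipes.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -139,8 +139,9 @@ interface(`firstboot_dontaudit_rw_pipes',`
 
 ########################################
 ## <summary>
-## Do not audit attemps to read and write to a firstboot
-## unix domain stream socket.
+## Do not audit attemps to read and
+## write firstboot unix domain
+## stream sockets.
 ## </summary>
 ## <param name="domain">
 ## <summary>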
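Review bot: The firstboot_run summary does not tell callers how much they are handing over: with `roleattribute $2 firstboot_roles;` the caller's role joins the attribute that firstboot.te authorises for firstboot_t, and the same commit keeps `unconfined_domain(firstboot_t)` inside an optional_policy block. On systems that ship the unconfined module the grant therefore reaches an unconfined domain, so I would add a summary line such as `## The firstboot domain may be unconfined; grant this only to administrative roles.` Separately, the two rewrapped "Do not audit" summaries in the last two hunks carry over the typo `attemps`; `attempts` is meant.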
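--- a/policy/modules/contrib/firstboot.te
+++ b/policy/modules/contrib/firstboot.te
@@ -1,7 +1,7 @@
-policy_module(firstboot, 1.12.0)
+policy_module(firstboot, 1.12.1)
 
 gen_require(`
- class passwd rootok;
+ class passwd { passwd chfn chsh rootok };
 ')
 
 ########################################
@@ -9,12 +9,17 @@ gen_require(`
 # Declarations
 #
 
+attribute_role firstboot_roles;
+
 type firstboot_t;
 type firstboot_exec_t;
 init_system_domain(firstboot_t, firstboot_exec_t)
 domain_obj_id_change_exemption(firstboot_t)
 domain_subj_id_change_exemption(firstboot_t)
-role system_r types firstboot_t;
+role firstboot_roles types firstboot_t;
+
+type firstboot_initrc_exec_t;
+init_script_file(firstboot_initrc_exec_t)
 
 type firstboot_etc_t;
 files_config_file(firstboot_etc_t)
@@ -28,22 +33,28 @@ allow firstboot_t self:capability { dac_override setgid };
 allow firstboot_t self:process setfscreate;
 allow firstboot_t self:fifo_file rw_fifo_file_perms;
 allow firstboot_t self:tcp_socket create_stream_socket_perms;
-allow firstboot_t self:unix_stream_socket { connect create };
-allow firstboot_t self:passwd rootok;
+allow firstboot_t self:unix_stream_socket create_socket_perms;
+allow firstboot_t self:passwd { rootok passwd chfn chsh };
 
 allow firstboot_t firstboot_etc_t:file read_file_perms;
 
 kernel_read_system_state(firstboot_t)
 kernel_read_kernel_sysctls(firstboot_t)
 
-corenet_all_recvfrom_unlabeled(firstboot_t)
-corenet_all_recvfrom_netlabel(firstboot_t)
-corenet_tcp_sendrecv_generic_if(firstboot_t)
-corenet_tcp_sendrecv_generic_node(firstboot_t)
-corenet_tcp_sendrecv_all_ports(firstboot_t)
+corecmd_exec_all_executables(firstboot_t)
 
 dev_read_urand(firstboot_t)
 
+files_exec_etc_files(firstboot_t)
+files_manage_etc_files(firstboot_t)
+files_manage_etc_runtime_files(firstboot_t)
+files_read_usr_files(firstboot_t)
+files_manage_var_dirs(firstboot_t)
+files_manage_var_files(firstboot_t)
+files_manage_var_symlinks(firstboot_t)
+files_create_boot_flag(firstboot_t)
+files_delete_boot_flag(firstboot_t)
+
 selinux_get_fs_mount(firstboot_t)
 selinux_validate_context(firstboot_t)
 selinux_compute_access_vector(firstboot_t)
@@ -53,16 +64,6 @@ selinux_compute_user_contexts(firstboot_t)
 
 auth_dontaudit_getattr_shadow(firstboot_t)
 
-corecmd_exec_all_executables(firstboot_t)
-
-files_exec_etc_files(firstboot_t)
-files_manage_etc_files(firstboot_t)
-files_manage_etc_runtime_files(firstboot_t)
-files_read_usr_files(firstboot_t)
-files_manage_var_dirs(firstboot_t)
-files_manage_var_files(firstboot_t)
-files_manage_var_symlinks(firstboot_t)
-
 init_domtrans_script(firstboot_t)
 init_rw_utmp(firstboot_t)
 
@@ -75,13 +76,9 @@ logging_send_syslog_msg(firstboot_t)
 
 miscfiles_read_localization(firstboot_t)
 
-modutils_domtrans_insmod(firstboot_t)
-modutils_domtrans_depmod(firstboot_t)
-modutils_read_module_config(firstboot_t)
-modutils_read_module_deps(firstboot_t)
+sysnet_dns_name_resolve(firstboot_t)
 
 userdom_use_user_terminals(firstboot_t)
-# Add/remove user home directories
 userdom_manage_user_home_content_dirs(firstboot_t)
 userdom_manage_user_home_content_files(firstboot_t)
 userdom_manage_user_home_content_symlinks(firstboot_t)
@@ -91,10 +88,6 @@ userdom_home_filetrans_user_home_dir(firstboot_t)
 userdom_user_home_dir_filetrans_user_home_content(firstboot_t, { dir file lnk_file fifo_file sock_file })
 
 optional_policy(`
- consoletype_domtrans(firstboot_t)
-')
-
-optional_policy(`
 dbus_system_bus_client(firstboot_t)
 
 optional_policy(`
@@ -103,6 +96,13 @@ optional_policy(`
 ')
 
 optional_policy(`
+ modutils_domtrans_insmod(firstboot_t)
+ modutils_domtrans_depmod(firstboot_t)
+ modutils_read_module_config(firstboot_t)
+ modutils_read_module_deps(firstboot_t)
+')
+
+optional_policy(`
 nis_use_ypbind(firstboot_t)
 ')
 
@@ -112,19 +112,10 @@ optional_policy(`
 
 optional_policy(`
 unconfined_domtrans(firstboot_t)
- # The big hammer
 unconfined_domain(firstboot_t)
 ')
 
 optional_policy(`
- usermanage_domtrans_chfn(firstboot_t)
- usermanage_domtrans_groupadd(firstboot_t)
- usermanage_domtrans_passwd(firstboot_t)
- usermanage_domtrans_useradd(firstboot_t)
- usermanage_domtrans_admin_passwd(firstboot_t)
-')
-
-optional_policy(`
 gnome_manage_config(firstboot_t)
 ')
 
@@ -132,4 +123,5 @@ optional_policy(`
 xserver_domtrans(firstboot_t)
 xserver_rw_shm(firstboot_t)
 xserver_unconfined(firstboot_t)
+ xserver_stream_connect(firstboot_t)
 ')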
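Review bot: Removing the `usermanage_domtrans_*` optional block while widening `allow firstboot_t self:passwd` to `{ rootok passwd chfn chsh }` appears to move account and password changes into firstboot_t itself, which keeps `corecmd_exec_all_executables`, instead of handing them to the dedicated usermanage domains. If that is deliberate, the reason deserves a comment above the allow rule, for example `# passwd, chfn and chsh are checked in firstboot_t; no transition to the usermanage domains`; otherwise I would keep the optional block so the work stays in the narrower domains. In the same hunk the unix_stream_socket rule grows from `{ connect create }` to `create_socket_perms`, and `self:tcp_socket create_stream_socket_perms` survives although the corenet_tcp_* rules are removed, so both are worth a second look for least privilege.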