
From: Sven Vermeulen <sven.vermeulen@××××××.be>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: /
Date: Tue, 02 Oct 2012 18:23:26
Message-Id: 1349201163.126f937fbf4b9c5dc0a11d3fa5bddae6d8049851.SwifT@gentoo
1 commit: 126f937fbf4b9c5dc0a11d3fa5bddae6d8049851
2 Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
3 AuthorDate: Mon Oct 1 08:26:16 2012 +0000
4 Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
5 CommitDate: Tue Oct 2 18:06:03 2012 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=126f937f
7
8 Initial firewalld policy module
9
10 FirewallD is a service daemon with a D-BUS interface that provides a
11 dynamic managed firewall.
12
13 Ported from Fedora
14
15 Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
16
17 ---
18 firewalld.fc | 10 +++++++
19 firewalld.if | 43 +++++++++++++++++++++++++++++
20 firewalld.te | 85 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
21 3 files changed, 138 insertions(+), 0 deletions(-)
22
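diff --git a/firewalld.fc b/firewalld.fc
new file mode 100644
index 0000000..21d7b84
--- /dev/null
+++ b/firewalld.fc
@@ -0,0 +1,10 @@
+/etc/rc\.d/init\.d/firewalld -- gen_context(system_u:object_r:firewalld_initrc_exec_t,s0)
+
+/etc/firewalld(/.*)? gen_context(system_u:object_r:firewalld_etc_rw_t,s0)
+
+/usr/sbin/firewalld -- gen_context(system_u:object_r:firewalld_exec_t,s0)
+
+/var/log/firewalld.* -- gen_context(system_u:object_r:firewalld_var_log_t,s0)
+
+/var/run/firewalld(/.*)? gen_context(system_u:object_r:firewalld_var_run_t,s0)
+/var/run/firewalld\.pid -- gen_context(system_u:object_r:firewalld_var_run_t,s0)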
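diff --git a/firewalld.if b/firewalld.if
new file mode 100644
index 0000000..82a225a
--- /dev/null
+++ b/firewalld.if
@@ -0,0 +1,43 @@
+## <summary>Service daemon with a D-BUS interface that provides a dynamic managed firewall.</summary>
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an firewalld environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`firewalld_admin',`
+ gen_require(`
+ type firewalld_t, firewalld_initrc_exec_t;
+ type firewall_etc_rw_t, firewalld_var_run_t;
+ type firewalld_var_log_t;
+ ')
+
+ allow $1 firewalld_t:process { ptrace signal_perms };
+ ps_process_pattern($1, firewalld_t)
+
+ init_labeled_script_domtrans($1, firewalld_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 firewalld_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_search_pids($1)
+ admin_pattern($1, firewalld_var_run_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, firewalld_var_log_t)
+
+ files_search_etc($1)
+ admin_pattern($1, firewall_etc_rw_t)
+')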
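Review bot: The `gen_require` block of `firewalld_admin` declares `firewall_etc_rw_t` and the final `admin_pattern` call uses the same spelling, but the type that firewalld.te declares (and firewalld.fc labels `/etc/firewalld` with) is `firewalld_etc_rw_t`; since no `firewall_etc_rw_t` exists, any caller that expands this interface fails to build, and the admin domain never gets the intended access to the configuration directory. Both lines should read `type firewalld_etc_rw_t, firewalld_var_run_t;` and `admin_pattern($1, firewalld_etc_rw_t)`. The interface summary also has a small wording slip, `administrate an firewalld environment`; `administrate a firewalld environment` reads correctly.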
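diff --git a/firewalld.te b/firewalld.te
new file mode 100644
index 0000000..0010122
--- /dev/null
+++ b/firewalld.te
@@ -0,0 +1,85 @@
+policy_module(firewalld, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type firewalld_t;
+type firewalld_exec_t;
+init_daemon_domain(firewalld_t, firewalld_exec_t)
+
+type firewalld_initrc_exec_t;
+init_script_file(firewalld_initrc_exec_t)
+
+type firewalld_etc_rw_t;
+files_config_file(firewalld_etc_rw_t)
+
+type firewalld_var_log_t;
+logging_log_file(firewalld_var_log_t)
+
+type firewalld_var_run_t;
+files_pid_file(firewalld_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+dontaudit firewalld_t self:capability sys_tty_config;
+allow firewalld_t self:fifo_file rw_fifo_file_perms;
+allow firewalld_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
+manage_files_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
+
+allow firewalld_t firewalld_var_log_t:file append_file_perms;
+allow firewalld_t firewalld_var_log_t:file create_file_perms;
+allow firewalld_t firewalld_var_log_t:file read_file_perms;
+allow firewalld_t firewalld_var_log_t:file setattr_file_perms;
+logging_log_filetrans(firewalld_t, firewalld_var_log_t, file)
+
+manage_files_pattern(firewalld_t, firewalld_var_run_t, firewalld_var_run_t)
+files_pid_filetrans(firewalld_t, firewalld_var_run_t, file)
+
+kernel_read_network_state(firewalld_t)
+kernel_read_system_state(firewalld_t)
+
+corecmd_exec_bin(firewalld_t)
+corecmd_exec_shell(firewalld_t)
+
+dev_read_urand(firewalld_t)
+
+domain_use_interactive_fds(firewalld_t)
+
+files_read_etc_files(firewalld_t)
+files_read_usr_files(firewalld_t)
+
+fs_getattr_xattr_fs(firewalld_t)
+
+logging_send_syslog_msg(firewalld_t)
+
+miscfiles_read_localization(firewalld_t)
+
+seutil_exec_setfiles(firewalld_t)
+seutil_read_file_contexts(firewalld_t)
+
+optional_policy(`
+ dbus_system_domain(firewalld_t, firewalld_exec_t)
+
+ optional_policy(`
+ policykit_dbus_chat(firewalld_t)
+ ')
+
+ optional_policy(`
+ networkmanager_dbus_chat(firewalld_t)
+ ')
+')
+
+optional_policy(`
+ iptables_domtrans(firewalld_t)
+')
+
+optional_policy(`
+ modutils_domtrans_insmod(firewalld_t)
+')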