commit: 55711c0625e3572f837117e46493b3601d40db2d |
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com> |
AuthorDate: Fri Sep 27 11:05:57 2013 +0000 |
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org> |
CommitDate: Mon Sep 30 19:03:03 2013 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=55711c06 |
|
Initial gdomap policy module |
|
The gdomap daemon is used by GNUstep programs to look up distributed |
objects of processes running across the network (and between different |
user accounts on a single machine). |
|
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com> |
|
--- |
gdomap.fc | 7 +++++++ |
gdomap.if | 39 +++++++++++++++++++++++++++++++++++++++ |
gdomap.te | 42 ++++++++++++++++++++++++++++++++++++++++++ |
3 files changed, 88 insertions(+) |
|
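diff --git a/gdomap.fc b/gdomap.fc
new file mode 100644
index 0000000..0735238
--- /dev/null
+++ b/gdomap.fc
@@ -0,0 +1,7 @@
+/etc/default/gdomap -- gen_context(system_u:object_r:gdomap_conf_t,s0)
+
+/etc/rc\.d/init\.d/gdomap -- gen_context(system_u:object_r:gdomap_initrc_exec_t,s0)
+
+/usr/bin/gdomap -- gen_context(system_u:object_r:gdomap_exec_t,s0)
+
+/var/run/gdomap\.pid -- gen_context(system_u:object_r:gdomap_var_run_t,s0)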
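diff --git a/gdomap.if b/gdomap.if
new file mode 100644
index 0000000..f2cf3ad
--- /dev/null
+++ b/gdomap.if
@@ -0,0 +1,39 @@
+## <summary>GNUstep distributed object mapper.</summary>
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an gdomap environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`gdomap_admin',`
+ gen_require(`
+ type gdomap_t, gdomap_conf_t, gdomap_initrc_exec_t;
+ type gdomap_var_run_t;
+ ')
+
+ allow $1 gdomap_t:process { ptrace signal_perms };
+ ps_process_pattern($1, gdomap_t)
+
+ init_labeled_script_domtrans($1, gdomap_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 gdomap_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_search_etc($1)
+ admin_pattern($1, gdomap_conf_t)
+
+ files_search_pids($1)
+ admin_pattern($1, gdomap_var_run_t)
+')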
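diff --git a/gdomap.te b/gdomap.te
new file mode 100644
index 0000000..0d2c4f4
--- /dev/null
+++ b/gdomap.te
@@ -0,0 +1,42 @@
+policy_module(gdomap, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type gdomap_t;
+type gdomap_exec_t;
+init_daemon_domain(gdomap_t, gdomap_exec_t)
+
+type gdomap_initrc_exec_t;
+init_script_file(gdomap_initrc_exec_t)
+
+type gdomap_conf_t;
+files_config_file(gdomap_conf_t)
+
+type gdomap_var_run_t;
+files_pid_file(gdomap_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow gdomap_t self:capability { setuid sys_chroot net_bind_service setgid };
+allow gdomap_t self:tcp_socket { listen accept };
+
+allow gdomap_t gdomap_var_run_t:file manage_file_perms;
+files_pid_filetrans(gdomap_t, gdomap_var_run_t, file, "gdomap.pid")
+
+# corenet_sendrecv_gdomap_server_packets(gdomap_t)
+# corenet_tcp_bind_gdomap_port(gdomap_t)
+# corenet_tcp_sendrecv_gdomap_port(gdomap_t)
+# corenet_udp_bind_gdomap_port(gdomap_t)
+# corenet_udp_sendrecv_gdomap_port(gdomap_t)
+
+domain_use_interactive_fds(gdomap_t)
+
+auth_use_nsswitch(gdomap_t)
+
+logging_send_syslog_msg(gdomap_t)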
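Review bot: The `net_bind_service` capability is granted on the `self:capability` line, but every `corenet_*_gdomap_port` interface that would actually let the daemon bind and use its listening port is commented out, so in enforcing mode gdomap still cannot bind (IANA registers gdomap on 538/tcp and 538/udp) and the capability does nothing until the port type exists. Presumably the gdomap port declaration in corenetwork is still pending; either land that declaration in the same change and uncomment the block, or replace the five commented-out calls with a comment that records the dependency, e.g. `# TODO: enable once corenetwork declares the gdomap port type`, so the dead lines are not mistaken for intentional policy. The `sys_chroot` and `setuid`/`setgid` grants on the same line also deserve a one-line comment naming the privilege drop they support, since nothing in the module otherwise shows why a lookup daemon needs them.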