
From: Sven Vermeulen <swift@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: /
Date: Mon, 30 Sep 2013 19:04:08
Message-Id: 1380567783.55711c0625e3572f837117e46493b3601d40db2d.swift@gentoo
1 commit: 55711c0625e3572f837117e46493b3601d40db2d
2 Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
3 AuthorDate: Fri Sep 27 11:05:57 2013 +0000
4 Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
5 CommitDate: Mon Sep 30 19:03:03 2013 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=55711c06
7
8 Initial gdomap policy module
9
10 The gdomap daemon is used by GNUstep programs to look up distributed
11 objects of processes running across the network (and between different
12 user accounts on a single machine).
13
14 Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
15
16 ---
17 gdomap.fc | 7 +++++++
18 gdomap.if | 39 +++++++++++++++++++++++++++++++++++++++
19 gdomap.te | 42 ++++++++++++++++++++++++++++++++++++++++++
20 3 files changed, 88 insertions(+)
21
22 diff --git a/gdomap.fc b/gdomap.fc
23 new file mode 100644
24 index 0000000..0735238
25 --- /dev/null
26 +++ b/gdomap.fc
27 @@ -0,0 +1,7 @@
28 +/etc/default/gdomap -- gen_context(system_u:object_r:gdomap_conf_t,s0)
29 +
30 +/etc/rc\.d/init\.d/gdomap -- gen_context(system_u:object_r:gdomap_initrc_exec_t,s0)
31 +
32 +/usr/bin/gdomap -- gen_context(system_u:object_r:gdomap_exec_t,s0)
33 +
34 +/var/run/gdomap\.pid -- gen_context(system_u:object_r:gdomap_var_run_t,s0)
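Review bot: `/etc/default/gdomap` is given its own gdomap_conf_t type, but nothing in the module lets gdomap_t read that type, so if the daemon parses this file itself (rather than an init script sourcing it before the exec) it will be denied at startup. Either add `files_search_etc(gdomap_t)` and `allow gdomap_t gdomap_conf_t:file read_file_perms;` to gdomap.te, or, if only the init script reads it, say so in the .fc with a comment such as `# sourced by the init script; gdomap_t itself does not read this file` so the missing rule is not mistaken for an oversight. The path is the Debian-style location; on Gentoo the equivalent settings normally live under /etc/conf.d, so check whether an `/etc/conf.d/gdomap` entry is wanted alongside it.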
35
36 diff --git a/gdomap.if b/gdomap.if
37 new file mode 100644
38 index 0000000..f2cf3ad
39 --- /dev/null
40 +++ b/gdomap.if
41 @@ -0,0 +1,39 @@
42 +## <summary>GNUstep distributed object mapper.</summary>
43 +
44 +########################################
45 +## <summary>
46 +## All of the rules required to
47 +## administrate an gdomap environment.
48 +## </summary>
49 +## <param name="domain">
50 +## <summary>
51 +## Domain allowed access.
52 +## </summary>
53 +## </param>
54 +## <param name="role">
55 +## <summary>
56 +## Role allowed access.
57 +## </summary>
58 +## </param>
59 +## <rolecap/>
60 +#
61 +interface(`gdomap_admin',`
62 + gen_require(`
63 + type gdomap_t, gdomap_conf_t, gdomap_initrc_exec_t;
64 + type gdomap_var_run_t;
65 + ')
66 +
67 + allow $1 gdomap_t:process { ptrace signal_perms };
68 + ps_process_pattern($1, gdomap_t)
69 +
70 + init_labeled_script_domtrans($1, gdomap_initrc_exec_t)
71 + domain_system_change_exemption($1)
72 + role_transition $2 gdomap_initrc_exec_t system_r;
73 + allow $2 system_r;
74 +
75 + files_search_etc($1)
76 + admin_pattern($1, gdomap_conf_t)
77 +
78 + files_search_pids($1)
79 + admin_pattern($1, gdomap_var_run_t)
80 +')
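Review bot: `allow $1 gdomap_t:process { ptrace signal_perms };` hands the admin domain ptrace over the daemon, i.e. the ability to read and rewrite gdomap_t's memory, which is far more than starting, stopping and editing the config needs and widens the impact of a compromised admin role. Consider reducing the default grant to `allow $1 gdomap_t:process signal_perms;` and only adding ptrace where a debugging workflow actually requires it. The summary text `administrate an gdomap environment` should read `administrate a gdomap environment`.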
81
82 diff --git a/gdomap.te b/gdomap.te
83 new file mode 100644
84 index 0000000..0d2c4f4
85 --- /dev/null
86 +++ b/gdomap.te
87 @@ -0,0 +1,42 @@
88 +policy_module(gdomap, 1.0.0)
89 +
90 +########################################
91 +#
92 +# Declarations
93 +#
94 +
95 +type gdomap_t;
96 +type gdomap_exec_t;
97 +init_daemon_domain(gdomap_t, gdomap_exec_t)
98 +
99 +type gdomap_initrc_exec_t;
100 +init_script_file(gdomap_initrc_exec_t)
101 +
102 +type gdomap_conf_t;
103 +files_config_file(gdomap_conf_t)
104 +
105 +type gdomap_var_run_t;
106 +files_pid_file(gdomap_var_run_t)
107 +
108 +########################################
109 +#
110 +# Local policy
111 +#
112 +
113 +allow gdomap_t self:capability { setuid sys_chroot net_bind_service setgid };
114 +allow gdomap_t self:tcp_socket { listen accept };
115 +
116 +allow gdomap_t gdomap_var_run_t:file manage_file_perms;
117 +files_pid_filetrans(gdomap_t, gdomap_var_run_t, file, "gdomap.pid")
118 +
119 +# corenet_sendrecv_gdomap_server_packets(gdomap_t)
120 +# corenet_tcp_bind_gdomap_port(gdomap_t)
121 +# corenet_tcp_sendrecv_gdomap_port(gdomap_t)
122 +# corenet_udp_bind_gdomap_port(gdomap_t)
123 +# corenet_udp_sendrecv_gdomap_port(gdomap_t)
124 +
125 +domain_use_interactive_fds(gdomap_t)
126 +
127 +auth_use_nsswitch(gdomap_t)
128 +
129 +logging_send_syslog_msg(gdomap_t)
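Review bot: The five corenet_* calls in the local policy are commented out, so as committed gdomap_t may listen and accept but has no permission to bind or send on any port, and there is no udp rule at all even though the disabled lines show the daemon uses UDP as well as TCP. Those interfaces presumably do not exist yet because no gdomap port type is declared in corenetwork.te.in; that declaration is needed first (IANA assigns 538/tcp and 538/udp to gdomap — confirm against the daemon's default), and the daemon will very likely also need `corenet_tcp_bind_generic_node(gdomap_t)` and `corenet_udp_bind_generic_node(gdomap_t)` plus udp socket permissions if auth_use_nsswitch does not already supply them. Shipping disabled rules without explanation is also a style problem; if they must stay, mark them `# TODO: enable once gdomap_port_t is declared in corenetwork.te.in`. The `sys_chroot` capability suggests the daemon chroots into some directory, yet nothing here grants search on whatever that target is, so a permissive test run with audit2allow is worth doing before this is enforced.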