commit: 8584ffef08418a34cfbdc36a6521082f8f54299b |
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com> |
AuthorDate: Fri Sep 28 09:51:05 2012 +0000 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
CommitDate: Fri Sep 28 17:42:27 2012 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=8584ffef |
|
Changes to the dictd policy module |
|
Ported from Fedora with changes |
|
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com> |
|
--- |
policy/modules/contrib/dictd.fc | 6 +++--- |
policy/modules/contrib/dictd.if | 8 ++++---- |
policy/modules/contrib/dictd.te | 39 +++++++++++---------------------------- |
3 files changed, 18 insertions(+), 35 deletions(-) |
|
diff --git a/policy/modules/contrib/dictd.fc b/policy/modules/contrib/dictd.fc |
21 |
index 54f88c8..8a5f235 100644 |
22 |
--- a/policy/modules/contrib/dictd.fc |
23 |
+++ b/policy/modules/contrib/dictd.fc |
24 |
@@ -1,9 +1,9 @@ |
25 |
-/etc/rc\.d/init\.d/dictd -- gen_context(system_u:object_r:dictd_initrc_exec_t,s0) |
26 |
+/etc/rc\.d/init\.d/dictd -- gen_context(system_u:object_r:dictd_initrc_exec_t,s0) |
27 |
|
28 |
/etc/dictd\.conf -- gen_context(system_u:object_r:dictd_etc_t,s0) |
29 |
|
30 |
-/usr/sbin/dictd -- gen_context(system_u:object_r:dictd_exec_t,s0) |
31 |
+/usr/sbin/dictd -- gen_context(system_u:object_r:dictd_exec_t,s0) |
32 |
|
33 |
-/var/lib/dictd(/.*)? gen_context(system_u:object_r:dictd_var_lib_t,s0) |
34 |
+/var/lib/dictd(/.*)? gen_context(system_u:object_r:dictd_var_lib_t,s0) |
35 |
|
36 |
/var/run/dictd\.pid -- gen_context(system_u:object_r:dictd_var_run_t,s0) |
37 |
|
38 |
diff --git a/policy/modules/contrib/dictd.if b/policy/modules/contrib/dictd.if |
39 |
index a0d23ce..3cc3494 100644 |
40 |
--- a/policy/modules/contrib/dictd.if |
41 |
+++ b/policy/modules/contrib/dictd.if |
42 |
@@ -1,4 +1,4 @@ |
43 |
-## <summary>Dictionary daemon</summary> |
44 |
+## <summary>Dictionary daemon.</summary> |
45 |
|
46 |
######################################## |
47 |
## <summary> |
48 |
@@ -17,8 +17,8 @@ interface(`dictd_tcp_connect',` |
49 |
|
50 |
######################################## |
51 |
## <summary> |
52 |
-## All of the rules required to administrate |
53 |
-## an dictd environment |
54 |
+## All of the rules required to |
55 |
+## administrate an dictd environment. |
56 |
## </summary> |
57 |
## <param name="domain"> |
58 |
## <summary> |
59 |
@@ -27,7 +27,7 @@ interface(`dictd_tcp_connect',` |
60 |
## </param> |
61 |
## <param name="role"> |
62 |
## <summary> |
63 |
-## The role to be allowed to manage the dictd domain. |
64 |
+## Role allowed access. |
65 |
## </summary> |
66 |
## </param> |
67 |
## <rolecap/> |
68 |
|
69 |
diff --git a/policy/modules/contrib/dictd.te b/policy/modules/contrib/dictd.te |
70 |
index d2d9359..fd4a602 100644 |
71 |
--- a/policy/modules/contrib/dictd.te |
72 |
+++ b/policy/modules/contrib/dictd.te |
73 |
@@ -1,4 +1,4 @@ |
74 |
-policy_module(dictd, 1.7.0) |
75 |
+policy_module(dictd, 1.7.1) |
76 |
|
77 |
######################################## |
78 |
# |
79 |
@@ -29,12 +29,10 @@ files_pid_file(dictd_var_run_t) |
80 |
allow dictd_t self:capability { setuid setgid }; |
81 |
dontaudit dictd_t self:capability sys_tty_config; |
82 |
allow dictd_t self:process { signal_perms setpgid }; |
83 |
-allow dictd_t self:unix_stream_socket create_stream_socket_perms; |
84 |
-allow dictd_t self:tcp_socket create_stream_socket_perms; |
85 |
-allow dictd_t self:udp_socket create_socket_perms; |
86 |
+allow dictd_t self:unix_stream_socket { accept listen }; |
87 |
+allow dictd_t self:tcp_socket { accept listen }; |
88 |
|
89 |
allow dictd_t dictd_etc_t:file read_file_perms; |
90 |
-files_search_etc(dictd_t) |
91 |
|
92 |
allow dictd_t dictd_var_lib_t:dir list_dir_perms; |
93 |
allow dictd_t dictd_var_lib_t:file read_file_perms; |
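Review bot: After this hunk dictd_t holds only `{ accept listen }` on its own tcp_socket and unix_stream_socket, so the create/bind/read/write rights it needs to listen at all must now come from some other interface; the likely source is the `auth_use_nsswitch(dictd_t)` call this commit adds further down (if that pulls in `sysnet_dns_name_resolve()`, which in refpolicy grants `create_socket_perms` on self:tcp_socket and self:udp_socket), but that is inferred, not visible in this diff. The dropped `files_search_etc(dictd_t)` raises the same question: reading `dictd_etc_t` under /etc still needs search on etc_t, which would have to arrive by the same route. A one-line comment above the two new `allow` rules would make the dependency explicit, e.g. `# base socket perms (create/bind/read/write) and /etc search come via auth_use_nsswitch()`, and it is worth confirming with `sesearch -A -s dictd_t -c tcp_socket` on the built policy that create and bind are still granted before merging.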
94 |
@@ -48,48 +46,33 @@ kernel_read_kernel_sysctls(dictd_t) |
95 |
corenet_all_recvfrom_unlabeled(dictd_t) |
96 |
corenet_all_recvfrom_netlabel(dictd_t) |
97 |
corenet_tcp_sendrecv_generic_if(dictd_t) |
98 |
-corenet_raw_sendrecv_generic_if(dictd_t) |
99 |
-corenet_udp_sendrecv_generic_if(dictd_t) |
100 |
corenet_tcp_sendrecv_generic_node(dictd_t) |
101 |
-corenet_udp_sendrecv_generic_node(dictd_t) |
102 |
-corenet_raw_sendrecv_generic_node(dictd_t) |
103 |
-corenet_tcp_sendrecv_all_ports(dictd_t) |
104 |
-corenet_udp_sendrecv_all_ports(dictd_t) |
105 |
corenet_tcp_bind_generic_node(dictd_t) |
106 |
-corenet_tcp_bind_dict_port(dictd_t) |
107 |
+ |
108 |
corenet_sendrecv_dict_server_packets(dictd_t) |
109 |
+corenet_tcp_bind_dict_port(dictd_t) |
110 |
+corenet_tcp_sendrecv_dict_port(dictd_t) |
111 |
|
112 |
dev_read_sysfs(dictd_t) |
113 |
|
114 |
-fs_getattr_xattr_fs(dictd_t) |
115 |
-fs_search_auto_mountpoints(dictd_t) |
116 |
- |
117 |
domain_use_interactive_fds(dictd_t) |
118 |
|
119 |
-files_read_etc_files(dictd_t) |
120 |
files_read_etc_runtime_files(dictd_t) |
121 |
files_read_usr_files(dictd_t) |
122 |
files_search_var_lib(dictd_t) |
123 |
-# for checking for nscd |
124 |
-files_dontaudit_search_pids(dictd_t) |
125 |
+ |
126 |
+fs_getattr_xattr_fs(dictd_t) |
127 |
+fs_search_auto_mountpoints(dictd_t) |
128 |
+ |
129 |
+auth_use_nsswitch(dictd_t) |
130 |
|
131 |
logging_send_syslog_msg(dictd_t) |
132 |
|
133 |
miscfiles_read_localization(dictd_t) |
134 |
|
135 |
-sysnet_read_config(dictd_t) |
136 |
- |
137 |
userdom_dontaudit_use_unpriv_user_fds(dictd_t) |
138 |
|
139 |
optional_policy(` |
140 |
- nis_use_ypbind(dictd_t) |
141 |
-') |
142 |
- |
143 |
-optional_policy(` |
144 |
- nscd_socket_use(dictd_t) |
145 |
-') |
146 |
- |
147 |
-optional_policy(` |
148 |
seutil_sigchld_newrole(dictd_t) |
149 |
') |