
From: Sven Vermeulen <sven.vermeulen@××××××.be>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
Date: Fri, 28 Sep 2012 17:51:57
Message-Id: 1348854147.8584ffef08418a34cfbdc36a6521082f8f54299b.SwifT@gentoo
1 commit: 8584ffef08418a34cfbdc36a6521082f8f54299b
2 Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
3 AuthorDate: Fri Sep 28 09:51:05 2012 +0000
4 Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
5 CommitDate: Fri Sep 28 17:42:27 2012 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=8584ffef
7
8 Changes to the dictd policy module
9
10 Ported from Fedora with changes
11
12 Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
13
14 ---
15 policy/modules/contrib/dictd.fc | 6 +++---
16 policy/modules/contrib/dictd.if | 8 ++++----
17 policy/modules/contrib/dictd.te | 39 +++++++++++----------------------------
18 3 files changed, 18 insertions(+), 35 deletions(-)
19
20 diff --git a/policy/modules/contrib/dictd.fc b/policy/modules/contrib/dictd.fc
21 index 54f88c8..8a5f235 100644
22 --- a/policy/modules/contrib/dictd.fc
23 +++ b/policy/modules/contrib/dictd.fc
24 @@ -1,9 +1,9 @@
25 -/etc/rc\.d/init\.d/dictd -- gen_context(system_u:object_r:dictd_initrc_exec_t,s0)
26 +/etc/rc\.d/init\.d/dictd -- gen_context(system_u:object_r:dictd_initrc_exec_t,s0)
27
28 /etc/dictd\.conf -- gen_context(system_u:object_r:dictd_etc_t,s0)
29
30 -/usr/sbin/dictd -- gen_context(system_u:object_r:dictd_exec_t,s0)
31 +/usr/sbin/dictd -- gen_context(system_u:object_r:dictd_exec_t,s0)
32
33 -/var/lib/dictd(/.*)? gen_context(system_u:object_r:dictd_var_lib_t,s0)
34 +/var/lib/dictd(/.*)? gen_context(system_u:object_r:dictd_var_lib_t,s0)
35
36 /var/run/dictd\.pid -- gen_context(system_u:object_r:dictd_var_run_t,s0)
37
38 diff --git a/policy/modules/contrib/dictd.if b/policy/modules/contrib/dictd.if
39 index a0d23ce..3cc3494 100644
40 --- a/policy/modules/contrib/dictd.if
41 +++ b/policy/modules/contrib/dictd.if
42 @@ -1,4 +1,4 @@
43 -## <summary>Dictionary daemon</summary>
44 +## <summary>Dictionary daemon.</summary>
45
46 ########################################
47 ## <summary>
48 @@ -17,8 +17,8 @@ interface(`dictd_tcp_connect',`
49
50 ########################################
51 ## <summary>
52 -## All of the rules required to administrate
53 -## an dictd environment
54 +## All of the rules required to
55 +## administrate an dictd environment.
56 ## </summary>
57 ## <param name="domain">
58 ## <summary>
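Review bot: The reworded summary on the new side still carries the article error it inherited: `administrate an dictd environment.` should read `administrate a dictd environment.`, since the same interface doc in other refpolicy modules uses "a <name> environment". This hunk only touches the XML doc comment of `dictd_admin`, whose body lies outside the hunk, so the fix is purely textual.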
59 @@ -27,7 +27,7 @@ interface(`dictd_tcp_connect',`
60 ## </param>
61 ## <param name="role">
62 ## <summary>
63 -## The role to be allowed to manage the dictd domain.
64 +## Role allowed access.
65 ## </summary>
66 ## </param>
67 ## <rolecap/>
68
69 diff --git a/policy/modules/contrib/dictd.te b/policy/modules/contrib/dictd.te
70 index d2d9359..fd4a602 100644
71 --- a/policy/modules/contrib/dictd.te
72 +++ b/policy/modules/contrib/dictd.te
73 @@ -1,4 +1,4 @@
74 -policy_module(dictd, 1.7.0)
75 +policy_module(dictd, 1.7.1)
76
77 ########################################
78 #
79 @@ -29,12 +29,10 @@ files_pid_file(dictd_var_run_t)
80 allow dictd_t self:capability { setuid setgid };
81 dontaudit dictd_t self:capability sys_tty_config;
82 allow dictd_t self:process { signal_perms setpgid };
83 -allow dictd_t self:unix_stream_socket create_stream_socket_perms;
84 -allow dictd_t self:tcp_socket create_stream_socket_perms;
85 -allow dictd_t self:udp_socket create_socket_perms;
86 +allow dictd_t self:unix_stream_socket { accept listen };
87 +allow dictd_t self:tcp_socket { accept listen };
88
89 allow dictd_t dictd_etc_t:file read_file_perms;
90 -files_search_etc(dictd_t)
91
92 allow dictd_t dictd_var_lib_t:dir list_dir_perms;
93 allow dictd_t dictd_var_lib_t:file read_file_perms;
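Review bot: Replacing `create_stream_socket_perms` with `{ accept listen }` on the `tcp_socket` and `unix_stream_socket` lines leaves dictd_t without create/bind/setopt on those classes unless this tree's `domain` attribute already grants them the way Fedora's base policy does; if it does not, the daemon can no longer create its listening socket and fails at startup with an AVC denial. Confirm that domain.te in hardened-refpolicy carries the equivalent of `allow domain self:tcp_socket create_socket_perms;` and `allow domain self:unix_stream_socket create_stream_socket_perms;`, otherwise keep `allow dictd_t self:tcp_socket create_stream_socket_perms;` and `allow dictd_t self:unix_stream_socket create_stream_socket_perms;` here. Dropping the `udp_socket` grant is a sound tightening since dictd is a TCP-only server, and removing `files_search_etc` appears covered by the `auth_use_nsswitch` call added later in this commit (its resolver rules search /etc), though that is worth verifying against the interface as defined in this tree.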
94 @@ -48,48 +46,33 @@ kernel_read_kernel_sysctls(dictd_t)
95 corenet_all_recvfrom_unlabeled(dictd_t)
96 corenet_all_recvfrom_netlabel(dictd_t)
97 corenet_tcp_sendrecv_generic_if(dictd_t)
98 -corenet_raw_sendrecv_generic_if(dictd_t)
99 -corenet_udp_sendrecv_generic_if(dictd_t)
100 corenet_tcp_sendrecv_generic_node(dictd_t)
101 -corenet_udp_sendrecv_generic_node(dictd_t)
102 -corenet_raw_sendrecv_generic_node(dictd_t)
103 -corenet_tcp_sendrecv_all_ports(dictd_t)
104 -corenet_udp_sendrecv_all_ports(dictd_t)
105 corenet_tcp_bind_generic_node(dictd_t)
106 -corenet_tcp_bind_dict_port(dictd_t)
107 +
108 corenet_sendrecv_dict_server_packets(dictd_t)
109 +corenet_tcp_bind_dict_port(dictd_t)
110 +corenet_tcp_sendrecv_dict_port(dictd_t)
111
112 dev_read_sysfs(dictd_t)
113
114 -fs_getattr_xattr_fs(dictd_t)
115 -fs_search_auto_mountpoints(dictd_t)
116 -
117 domain_use_interactive_fds(dictd_t)
118
119 -files_read_etc_files(dictd_t)
120 files_read_etc_runtime_files(dictd_t)
121 files_read_usr_files(dictd_t)
122 files_search_var_lib(dictd_t)
123 -# for checking for nscd
124 -files_dontaudit_search_pids(dictd_t)
125 +
126 +fs_getattr_xattr_fs(dictd_t)
127 +fs_search_auto_mountpoints(dictd_t)
128 +
129 +auth_use_nsswitch(dictd_t)
130
131 logging_send_syslog_msg(dictd_t)
132
133 miscfiles_read_localization(dictd_t)
134
135 -sysnet_read_config(dictd_t)
136 -
137 userdom_dontaudit_use_unpriv_user_fds(dictd_t)
138
139 optional_policy(`
140 - nis_use_ypbind(dictd_t)
141 -')
142 -
143 -optional_policy(`
144 - nscd_socket_use(dictd_t)
145 -')
146 -
147 -optional_policy(`
148 seutil_sigchld_newrole(dictd_t)
149 ')
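Review bot: Narrowing dictd_t from `corenet_tcp_sendrecv_all_ports` to `corenet_tcp_bind_dict_port` plus `corenet_tcp_sendrecv_dict_port` is the right least-privilege change, but nothing in the file records that it is deliberate, and dictd presumably allows an alternative listening port via its configuration, so an administrator who changes the port will hit a bind denial with no hint in the policy. Add a comment above the dict-port lines such as `# dictd is only permitted to listen on the dict port; binding any other port is intentionally denied` so the restriction is not mistaken for an omission. A second comment noting that `auth_use_nsswitch` now subsumes the removed `sysnet_read_config`, `nis_use_ypbind` and `nscd_socket_use` calls would keep the next porter from re-adding them. The remaining broad grants (`corenet_all_recvfrom_unlabeled`, generic if/node) are unchanged by this commit and are consistent with other network daemons in the tree.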