commit: 207d42276604017e964696c9e14e52b9d85dd13f |
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com> |
AuthorDate: Sun Oct 28 12:51:21 2012 +0000 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
CommitDate: Sun Oct 28 17:58:50 2012 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=207d4227 |
|
Changes to the smokeping policy module |
|
Ported from Fedora with changes |
|
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com> |
|
--- |
policy/modules/contrib/smokeping.if | 27 +++++++++++++++++---------- |
policy/modules/contrib/smokeping.te | 15 +++++++-------- |
2 files changed, 24 insertions(+), 18 deletions(-) |
|
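diff --git a/policy/modules/contrib/smokeping.if b/policy/modules/contrib/smokeping.if
index 8265278..1fa51c1 100644
--- a/policy/modules/contrib/smokeping.if
+++ b/policy/modules/contrib/smokeping.if
@@ -15,12 +15,14 @@ interface(`smokeping_domtrans',`
 type smokeping_t, smokeping_exec_t;
 ')
 
+ corecmd_search_bin($1)
 domtrans_pattern($1, smokeping_exec_t, smokeping_t)
 ')
 
 ########################################
 ## <summary>
-## Execute smokeping server in the smokeping domain.
+## Execute smokeping init scripts in
+## the initrc domain.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -38,7 +40,7 @@ interface(`smokeping_initrc_domtrans',`
 
 ########################################
 ## <summary>
-## Read smokeping PID files.
+## Read smokeping pid files.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -57,7 +59,8 @@ interface(`smokeping_read_pid_files',`
 
 ########################################
 ## <summary>
-## Manage smokeping PID files.
+## Create, read, write, and delete
+## smokeping pid files.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -89,8 +92,8 @@ interface(`smokeping_getattr_lib_files',`
 type smokeping_var_lib_t;
 ')
 
- getattr_files_pattern($1, smokeping_var_lib_t, smokeping_var_lib_t)
 files_search_var_lib($1)
+ getattr_files_pattern($1, smokeping_var_lib_t, smokeping_var_lib_t)
 ')
 
 ########################################
@@ -114,7 +117,8 @@ interface(`smokeping_read_lib_files',`
 
 ########################################
 ## <summary>
-## Manage smokeping lib files.
+## Create, read, write, and delete
+## smokeping lib files.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -133,8 +137,8 @@ interface(`smokeping_manage_lib_files',`
 
 ########################################
 ## <summary>
-## All of the rules required to administrate
-## a smokeping environment
+## All of the rules required to
+## administrate a smokeping environment.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -150,7 +154,8 @@ interface(`smokeping_manage_lib_files',`
 #
 interface(`smokeping_admin',`
 gen_require(`
- type smokeping_t, smokeping_initrc_exec_t;
+ type smokeping_t, smokeping_initrc_exec_t, smokeping_var_lib_t;
+ type smokeping_var_run_t;
 ')
 
 allow $1 smokeping_t:process { ptrace signal_perms };
@@ -161,7 +166,9 @@ interface(`smokeping_admin',`
 role_transition $2 smokeping_initrc_exec_t system_r;
 allow $2 system_r;
 
- smokeping_manage_pid_files($1)
+ files_search_var_lib($1)
+ admin_pattern($1, smokeping_var_lib_t)
 
- smokeping_manage_lib_files($1)
+ files_search_pids($1)
+ admin_pattern($1, smokeping_var_run_t)
 ')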
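Review bot: Replacing `smokeping_manage_pid_files($1)` and `smokeping_manage_lib_files($1)` with `admin_pattern($1, smokeping_var_run_t)` and `admin_pattern($1, smokeping_var_lib_t)` in the last hunk widens what `smokeping_admin` grants: as far as I recall refpolicy's admin_pattern macro, it covers directories, symlinks, sockets and fifos and adds relabelfrom/relabelto, whereas the interfaces it replaces are documented in the earlier hunks as only creating, reading, writing and deleting files. That is the usual scope of a refpolicy admin interface, but neither the commit message nor the interface summary mentions the relabel permissions, which matter for anyone auditing which domains may change labels on smokeping's pid and lib data. Consider extending the summary rewritten in the `@@ -133,8 +137,8 @@` hunk to `## All of the rules required to administrate a smokeping environment, including managing and relabeling its lib and pid files.` The new `gen_require` block correctly declares both types before they are used, so no further change to the admin interface is needed.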
112 |
diff --git a/policy/modules/contrib/smokeping.te b/policy/modules/contrib/smokeping.te |
113 |
index 1b6f29d..a8b1aaf 100644 |
114 |
--- a/policy/modules/contrib/smokeping.te |
115 |
+++ b/policy/modules/contrib/smokeping.te |
116 |
@@ -1,4 +1,4 @@ |
117 |
-policy_module(smokeping, 1.1.1) |
118 |
+policy_module(smokeping, 1.1.2) |
119 |
|
120 |
######################################## |
121 |
# |
122 |
@@ -20,13 +20,12 @@ files_type(smokeping_var_lib_t) |
123 |
|
124 |
######################################## |
125 |
# |
126 |
-# smokeping local policy |
127 |
+# Local policy |
128 |
# |
129 |
|
130 |
dontaudit smokeping_t self:capability { dac_read_search dac_override }; |
131 |
allow smokeping_t self:fifo_file rw_fifo_file_perms; |
132 |
-allow smokeping_t self:udp_socket create_socket_perms; |
133 |
-allow smokeping_t self:unix_stream_socket create_stream_socket_perms; |
134 |
+allow smokeping_t self:unix_stream_socket { accept listen }; |
135 |
|
136 |
manage_dirs_pattern(smokeping_t, smokeping_var_run_t, smokeping_var_run_t) |
137 |
manage_files_pattern(smokeping_t, smokeping_var_run_t, smokeping_var_run_t) |
138 |
@@ -34,13 +33,12 @@ files_pid_filetrans(smokeping_t, smokeping_var_run_t, { file dir }) |
139 |
|
140 |
manage_dirs_pattern(smokeping_t, smokeping_var_lib_t, smokeping_var_lib_t) |
141 |
manage_files_pattern(smokeping_t, smokeping_var_lib_t, smokeping_var_lib_t) |
142 |
-files_var_lib_filetrans(smokeping_t, smokeping_var_lib_t, { file dir } ) |
143 |
+files_var_lib_filetrans(smokeping_t, smokeping_var_lib_t, { file dir }) |
144 |
|
145 |
-corecmd_read_bin_symlinks(smokeping_t) |
146 |
+corecmd_exec_bin(smokeping_t) |
147 |
|
148 |
dev_read_urand(smokeping_t) |
149 |
|
150 |
-files_read_etc_files(smokeping_t) |
151 |
files_read_usr_files(smokeping_t) |
152 |
files_search_tmp(smokeping_t) |
153 |
|
154 |
@@ -57,7 +55,7 @@ netutils_domtrans_ping(smokeping_t) |
155 |
|
156 |
####################################### |
157 |
# |
158 |
-# local policy for smokeping cgi scripts |
159 |
+# Cgi local policy |
160 |
# |
161 |
|
162 |
optional_policy(` |
163 |
@@ -68,6 +66,7 @@ optional_policy(` |
164 |
|
165 |
getattr_files_pattern(httpd_smokeping_cgi_script_t, smokeping_var_run_t, smokeping_var_run_t) |
166 |
|
167 |
+ files_read_etc_files(httpd_smokeping_cgi_script_t) |
168 |
files_search_tmp(httpd_smokeping_cgi_script_t) |
169 |
files_search_var_lib(httpd_smokeping_cgi_script_t) |