
From: Sven Vermeulen <sven.vermeulen@××××××.be>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
Date: Thu, 27 Sep 2012 18:07:56
Message-Id: 1348766133.89638269fa556ca96e63141e6fe6eda88b0e74a1.SwifT@gentoo
1 commit: 89638269fa556ca96e63141e6fe6eda88b0e74a1
2 Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
3 AuthorDate: Mon Sep 24 09:51:20 2012 +0000
4 Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
5 CommitDate: Thu Sep 27 17:15:33 2012 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=89638269
7
8 Changes to the cobbler policy module
9
10 Ported from Fedora with changes
11
12 Left out some unsatisfied dependencies
13
14 Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
15 Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
16
17 ---
18 policy/modules/contrib/cobbler.fc | 34 +++++++++--
19 policy/modules/contrib/cobbler.if | 29 +++++----
20 policy/modules/contrib/cobbler.te | 125 +++++++++++++++++++++++++++++++------
21 policy/modules/contrib/rsync.if | 49 ++++++++++++++
22 policy/modules/contrib/rsync.te | 2 +-
23 policy/modules/contrib/tftp.if | 83 ++++++++++++++++++++++++
24 policy/modules/contrib/tftp.te | 2 +-
25 7 files changed, 286 insertions(+), 38 deletions(-)
26
27 diff --git a/policy/modules/contrib/cobbler.fc b/policy/modules/contrib/cobbler.fc
28 index 1cf6c4e..cbeda66 100644
29 --- a/policy/modules/contrib/cobbler.fc
30 +++ b/policy/modules/contrib/cobbler.fc
31 @@ -1,7 +1,31 @@
32 -/etc/cobbler(/.*)? gen_context(system_u:object_r:cobbler_etc_t, s0)
33 -/etc/rc\.d/init\.d/cobblerd -- gen_context(system_u:object_r:cobblerd_initrc_exec_t, s0)
34 +/etc/cobbler(/.*)? gen_context(system_u:object_r:cobbler_etc_t,s0)
35
36 -/usr/bin/cobblerd -- gen_context(system_u:object_r:cobblerd_exec_t, s0)
37 +/etc/rc\.d/init\.d/cobblerd -- gen_context(system_u:object_r:cobblerd_initrc_exec_t,s0)
38
39 -/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t, s0)
40 -/var/log/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_log_t, s0)
41 +/usr/bin/cobblerd -- gen_context(system_u:object_r:cobblerd_exec_t,s0)
42 +
43 +/var/lib/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
44 +
45 +/var/lib/tftpboot/etc(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
46 +/var/lib/tftpboot/grub(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
47 +/var/lib/tftpboot/images(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
48 +/var/lib/tftpboot/memdisk -- gen_context(system_u:object_r:cobbler_var_lib_t,s0)
49 +/var/lib/tftpboot/menu\.c32 -- gen_context(system_u:object_r:cobbler_var_lib_t,s0)
50 +/var/lib/tftpboot/ppc(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
51 +/var/lib/tftpboot/pxelinux\.0 -- gen_context(system_u:object_r:cobbler_var_lib_t,s0)
52 +/var/lib/tftpboot/pxelinux\.cfg(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
53 +/var/lib/tftpboot/s390x(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
54 +/var/lib/tftpboot/yaboot -- gen_context(system_u:object_r:cobbler_var_lib_t,s0)
55 +
56 +/var/log/cobbler(/.*)? gen_context(system_u:object_r:cobbler_var_log_t,s0)
57 +
58 +# This should removable when cobbler package installs /var/www/cobbler/rendered
59 +/var/www/cobbler(/.*)? gen_context(system_u:object_r:httpd_cobbler_content_t,s0)
60 +
61 +/var/www/cobbler/images(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
62 +/var/www/cobbler/ks_mirror(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
63 +/var/www/cobbler/links(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
64 +/var/www/cobbler/localmirror(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
65 +/var/www/cobbler/pub(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
66 +/var/www/cobbler/rendered(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
67 +/var/www/cobbler/repo_mirror(/.*)? gen_context(system_u:object_r:cobbler_var_lib_t,s0)
68
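Review bot: The `/var/lib/tftpboot/...` entries (pxelinux.0, menu.c32, memdisk, the grub/images/pxelinux.cfg trees) are relabeled from whatever tftpd served them as to cobbler_var_lib_t, but nothing in this commit grants tftpd_t read access to cobbler_var_lib_t — tftp.te only gets a version bump. Unless tftpd_t already reads cobbler_var_lib_t through an interface not shown here, PXE clients will stop getting those files after a relabel; a `tftp_read_*`/cobbler_read_lib_files-style grant (or a note explaining where it comes from) should accompany these contexts. The comment above the `/var/www/cobbler(/.*)?` line also reads oddly; suggest `# This should be removable once the cobbler package installs /var/www/cobbler/rendered`.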
69 diff --git a/policy/modules/contrib/cobbler.if b/policy/modules/contrib/cobbler.if
70 index 116d60f..f304c68 100644
71 --- a/policy/modules/contrib/cobbler.if
72 +++ b/policy/modules/contrib/cobbler.if
73 @@ -143,8 +143,8 @@ interface(`cobbler_manage_lib_files',`
74
75 ########################################
76 ## <summary>
77 -## All of the rules required to administrate
78 -## an cobblerd environment
79 +## All of the rules required to
80 +## administrate an cobblerd environment.
81 ## </summary>
82 ## <param name="domain">
83 ## <summary>
84 @@ -161,25 +161,30 @@ interface(`cobbler_manage_lib_files',`
85 interface(`cobblerd_admin',`
86 gen_require(`
87 type cobblerd_t, cobbler_var_lib_t, cobbler_var_log_t;
88 - type cobbler_etc_t, cobblerd_initrc_exec_t;
89 + type cobbler_etc_t, cobblerd_initrc_exec_t, httpd_cobbler_content_t;
90 + type httpd_cobbler_content_ra_t, httpd_cobbler_content_rw_t, cobbler_tmp_t;
91 ')
92
93 - allow $1 cobblerd_t:process { ptrace signal_perms getattr };
94 - read_files_pattern($1, cobblerd_t, cobblerd_t)
95 + allow $1 cobblerd_t:process { ptrace signal_perms };
96 + ps_process_pattern($1, cobblerd_t)
97 +
98 + cobblerd_initrc_domtrans($1)
99 + domain_system_change_exemption($1)
100 + role_transition $2 cobblerd_initrc_exec_t system_r;
101 + allow $2 system_r;
102
103 files_search_etc($1)
104 admin_pattern($1, cobbler_etc_t)
105
106 - files_list_var_lib($1)
107 + files_search_tmp($1)
108 + admin_pattern($1, cobbler_tmp_t)
109 +
110 + files_search_var_lib($1)
111 admin_pattern($1, cobbler_var_lib_t)
112
113 logging_search_logs($1)
114 admin_pattern($1, cobbler_var_log_t)
115
116 - admin_pattern($1, httpd_cobbler_content_rw_t)
117 -
118 - cobblerd_initrc_domtrans($1)
119 - domain_system_change_exemption($1)
120 - role_transition $2 cobblerd_initrc_exec_t system_r;
121 - allow $2 system_r;
122 + apache_search_sys_content($1)
123 + admin_pattern($1, { httpd_cobbler_content_t httpd_cobbler_content_ra_t httpd_cobbler_content_rw_t })
124 ')
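Review bot: `apache_search_sys_content($1)` is called bare here, while cobbler.te wraps the same interface for cobblerd_t in `optional_policy(...)`; the two files should agree. Since the gen_require block already names httpd_cobbler_content_t, httpd_cobbler_content_ra_t and httpd_cobbler_content_rw_t — types that only exist once apache_content_template(cobbler) has run, which cobbler.te now calls unconditionally — the bare call is the consistent form, and the optional_policy wrapper in the .te is the one to drop. Worth a one-line comment above the gen_require, e.g. `# httpd_cobbler_content_* come from apache_content_template(cobbler); apache is a hard dependency`, so the next reader does not try to make this optional.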
125
126 diff --git a/policy/modules/contrib/cobbler.te b/policy/modules/contrib/cobbler.te
127 index 0258b48..948cbcc 100644
128 --- a/policy/modules/contrib/cobbler.te
129 +++ b/policy/modules/contrib/cobbler.te
130 @@ -2,17 +2,43 @@ policy_module(cobbler, 1.1.0)
131
132 ########################################
133 #
134 -# Cobbler personal declarations.
135 +# Declarations
136 #
137
138 +
139 ## <desc>
140 -## <p>
141 -## Allow Cobbler to modify public files
142 -## used for public file transfer services.
143 -## </p>
144 +## <p>
145 +## Determine whether Cobbler can modify
146 +## public files used for public file
147 +## transfer services.
148 +## </p>
149 ## </desc>
150 gen_tunable(cobbler_anon_write, false)
151
152 +## <desc>
153 +## <p>
154 +## Determine whether Cobbler can connect
155 +## to the network using TCP.
156 +## </p>
157 +## </desc>
158 +gen_tunable(cobbler_can_network_connect, false)
159 +
160 +## <desc>
161 +## <p>
162 +## Determine whether Cobbler can access
163 +## cifs file systems.
164 +## </p>
165 +## </desc>
166 +gen_tunable(cobbler_use_cifs, false)
167 +
168 +## <desc>
169 +## <p>
170 +## Determine whether Cobbler can access
171 +## nfs file systems.
172 +## </p>
173 +## </desc>
174 +gen_tunable(cobbler_use_nfs, false)
175 +
176 type cobblerd_t;
177 type cobblerd_exec_t;
178 init_daemon_domain(cobblerd_t, cobblerd_exec_t)
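Review bot: The `<desc>` for cobbler_can_network_connect says "connect to the network using TCP", but the tunable body later in this commit grants `corenet_tcp_connect_all_ports`, i.e. any TCP port, which is the part an administrator deciding whether to flip the boolean needs to see. Suggest `## Determine whether Cobbler can connect` / `## to any TCP port on the network.` Minor style: the added empty line directly under the "Declarations" banner leaves two blank lines where the rest of the module uses one.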
179 @@ -26,25 +52,38 @@ files_config_file(cobbler_etc_t)
180 type cobbler_var_log_t;
181 logging_log_file(cobbler_var_log_t)
182
183 -type cobbler_var_lib_t;
184 +type cobbler_var_lib_t alias cobbler_content_t;
185 files_type(cobbler_var_lib_t)
186
187 +type cobbler_tmp_t;
188 +files_tmp_file(cobbler_tmp_t)
189 +
190 +apache_content_template(cobbler)
191 +
192 ########################################
193 #
194 -# Cobbler personal policy.
195 +# Local policy
196 #
197
198 -allow cobblerd_t self:capability { chown dac_override fowner sys_nice };
199 +allow cobblerd_t self:capability { chown dac_override fowner fsetid sys_nice };
200 +dontaudit cobblerd_t self:capability sys_tty_config;
201 allow cobblerd_t self:process { getsched setsched signal };
202 allow cobblerd_t self:fifo_file rw_fifo_file_perms;
203 +allow cobblerd_t self:netlink_route_socket create_netlink_socket_perms;
204 allow cobblerd_t self:tcp_socket create_stream_socket_perms;
205 +allow cobblerd_t self:udp_socket create_socket_perms;
206
207 list_dirs_pattern(cobblerd_t, cobbler_etc_t, cobbler_etc_t)
208 read_files_pattern(cobblerd_t, cobbler_etc_t, cobbler_etc_t)
209
210 +manage_dirs_pattern(cobblerd_t, cobbler_tmp_t, cobbler_tmp_t)
211 +manage_files_pattern(cobblerd_t, cobbler_tmp_t, cobbler_tmp_t)
212 +files_tmp_filetrans(cobblerd_t, cobbler_tmp_t, { dir file })
213 +
214 manage_dirs_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
215 manage_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
216 -files_var_lib_filetrans(cobblerd_t, cobbler_var_lib_t, { dir file })
217 +manage_lnk_files_pattern(cobblerd_t, cobbler_var_lib_t, cobbler_var_lib_t)
218 +files_var_lib_filetrans(cobblerd_t, cobbler_var_lib_t, dir)
219
220 append_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
221 create_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
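Review bot: `fsetid` is added to cobblerd_t's capability set with no indication of which operation needs it; together with the existing chown/fowner/dac_override it lets the daemon keep setuid/setgid bits on files it writes, which is not something a provisioning daemon obviously requires. Please add a why-comment on that line, e.g. `# fsetid: preserve setuid/setgid bits when copying distro trees -- TODO confirm which operation needs it`, or drop it if it was only carried over from Fedora. The new `alias cobbler_content_t` would likewise benefit from `# alias kept for compatibility with the Fedora type name` (assuming that is its purpose). The narrowing of `files_var_lib_filetrans` to `dir` is a good change.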
222 @@ -53,26 +92,45 @@ setattr_files_pattern(cobblerd_t, cobbler_var_log_t, cobbler_var_log_t)
223 logging_log_filetrans(cobblerd_t, cobbler_var_log_t, file)
224
225 kernel_read_system_state(cobblerd_t)
226 +kernel_dontaudit_search_network_state(cobblerd_t)
227
228 corecmd_exec_bin(cobblerd_t)
229 corecmd_exec_shell(cobblerd_t)
230
231 corenet_all_recvfrom_netlabel(cobblerd_t)
232 corenet_all_recvfrom_unlabeled(cobblerd_t)
233 -corenet_sendrecv_cobbler_server_packets(cobblerd_t)
234 -corenet_tcp_bind_cobbler_port(cobblerd_t)
235 -corenet_tcp_bind_generic_node(cobblerd_t)
236 corenet_tcp_sendrecv_generic_if(cobblerd_t)
237 corenet_tcp_sendrecv_generic_node(cobblerd_t)
238 -corenet_tcp_sendrecv_generic_port(cobblerd_t)
239 +corenet_tcp_bind_generic_node(cobblerd_t)
240 +
241 +corenet_sendrecv_cobbler_server_packets(cobblerd_t)
242 +corenet_tcp_bind_cobbler_port(cobblerd_t)
243 +corenet_tcp_sendrecv_cobbler_port(cobblerd_t)
244 +
245 +corenet_sendrecv_ftp_client_packets(cobblerd_t)
246 +corenet_tcp_connect_ftp_port(cobblerd_t)
247 +corenet_tcp_sendrecv_ftp_port(cobblerd_t)
248 +
249 +corenet_tcp_sendrecv_http_port(cobblerd_t)
250 +corenet_tcp_connect_http_port(cobblerd_t)
251 +corenet_sendrecv_http_client_packets(cobblerd_t)
252
253 dev_read_urand(cobblerd_t)
254
255 -files_read_usr_files(cobblerd_t)
256 files_list_boot(cobblerd_t)
257 files_list_tmp(cobblerd_t)
258 -# read /etc/nsswitch.conf
259 +files_read_boot_files(cobblerd_t)
260 files_read_etc_files(cobblerd_t)
261 +files_read_etc_runtime_files(cobblerd_t)
262 +files_read_usr_files(cobblerd_t)
263 +
264 +fs_read_iso9660_files(cobblerd_t)
265 +
266 +selinux_get_enforce_mode(cobblerd_t)
267 +
268 +term_use_console(cobblerd_t)
269 +
270 +logging_send_syslog_msg(cobblerd_t)
271
272 miscfiles_read_localization(cobblerd_t)
273 miscfiles_read_public_files(cobblerd_t)
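Review bot: `term_use_console(cobblerd_t)` gives a network daemon use of the console device, which by the interface's name is read/write access rather than a silence-the-log rule. If this was added only to stop AVC noise from the daemon's stdout/stderr when started from an init script, the conventional refpolicy choice is `term_dontaudit_use_console(cobblerd_t)`; if cobblerd really writes to the console, a one-line comment saying why would stop the next reviewer from removing it. The unconditional ftp/http client rules look intentional for repo mirroring but are also undocumented; a comment such as `# repo_mirror / import fetch over http and ftp` above them would help.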
274 @@ -85,6 +143,28 @@ tunable_policy(`cobbler_anon_write',`
275 miscfiles_manage_public_files(cobblerd_t)
276 ')
277
278 +tunable_policy(`cobbler_can_network_connect',`
279 + corenet_sendrecv_all_client_packets(cobblerd_t)
280 + corenet_tcp_connect_all_ports(cobblerd_t)
281 + corenet_tcp_sendrecv_all_ports(cobblerd_t)
282 +')
283 +
284 +tunable_policy(`cobbler_use_cifs',`
285 + fs_manage_cifs_dirs(cobblerd_t)
286 + fs_manage_cifs_files(cobblerd_t)
287 + fs_manage_cifs_symlinks(cobblerd_t)
288 +')
289 +
290 +tunable_policy(`cobbler_use_nfs',`
291 + fs_manage_nfs_dirs(cobblerd_t)
292 + fs_manage_nfs_files(cobblerd_t)
293 + fs_manage_nfs_symlinks(cobblerd_t)
294 +')
295 +
296 +optional_policy(`
297 + apache_search_sys_content(cobblerd_t)
298 +')
299 +
300 optional_policy(`
301 bind_read_config(cobblerd_t)
302 bind_write_config(cobblerd_t)
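Review bot: The cobbler_use_cifs and cobbler_use_nfs bodies grant `fs_manage_*` (create, write, delete, including symlinks) on remote file systems, but their `<desc>` blocks in the declarations hunk say only that Cobbler can "access" them, which understates what an administrator enables. Suggest rewording those descriptions to `## Determine whether Cobbler can create, read, write and delete files on nfs file systems.` (and the cifs equivalent). Separately, `optional_policy(` around `apache_search_sys_content(cobblerd_t)` is redundant: cobbler.te calls `apache_content_template(cobbler)` unconditionally, so the module already cannot build without apache.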
303 @@ -95,6 +175,10 @@ optional_policy(`
304 ')
305
306 optional_policy(`
307 + certmaster_exec(cobblerd_t)
308 +')
309 +
310 +optional_policy(`
311 dhcpd_domtrans(cobblerd_t)
312 dhcpd_initrc_domtrans(cobblerd_t)
313 ')
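Review bot: `certmaster_exec(cobblerd_t)` runs the certmaster binary inside cobblerd_t itself (an `_exec` interface, as opposed to the `dhcpd_domtrans` used just below it), so any privileges certmaster needs end up in cobblerd's domain. If certmaster has its own domain in this policy, a domtrans interface would keep the two separated; if it does not, or certmaster is the "unsatisfied dependency" the commit message mentions, a comment such as `# no certmaster domain available; runs in cobblerd_t` would record the decision. I cannot tell from this hunk which case applies.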
314 @@ -111,18 +195,21 @@ optional_policy(`
315
316 optional_policy(`
317 rsync_read_config(cobblerd_t)
318 - rsync_write_config(cobblerd_t)
319 + rsync_manage_config_files(cobblerd_t)
320 + rsync_etc_filetrans_config(cobblerd_t, file, "rsync.conf")
321 ')
322
323 optional_policy(`
324 - tftp_manage_rw_content(cobblerd_t)
325 + tftp_manage_config_files(cobblerd_t)
326 + tftp_etc_filetrans_config(cobblerd_t, file, "tftp")
327 + tftp_filetrans_tftpdir(cobblerd_t, cobbler_var_lib_t, { dir file })
328 ')
329
330 ########################################
331 #
332 -# Cobbler web local policy.
333 +# Web local policy
334 #
335
336 -apache_content_template(cobbler)
337 +list_dirs_pattern(cobblerd_t, httpd_cobbler_content_t, httpd_cobbler_content_t)
338 manage_dirs_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t)
339 manage_files_pattern(cobblerd_t, httpd_cobbler_content_rw_t, httpd_cobbler_content_rw_t)
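Review bot: `rsync_read_config(cobblerd_t)` is now redundant with `rsync_manage_config_files(cobblerd_t)`, since manage_files_pattern already includes read access; keeping both makes it look as though the two interfaces grant disjoint rights. The name transition `rsync_etc_filetrans_config(cobblerd_t, file, "rsync.conf")` only fires for a file literally named rsync.conf; if what cobblerd's sync step actually writes is `/etc/rsyncd.conf` (my recollection of upstream cobbler — please confirm), that file will be created as plain etc_t and the transition never applies. The same check applies to the `"tftp"` name passed to `tftp_etc_filetrans_config`.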
340
341 diff --git a/policy/modules/contrib/rsync.if b/policy/modules/contrib/rsync.if
342 index 3386f29..a580523 100644
343 --- a/policy/modules/contrib/rsync.if
344 +++ b/policy/modules/contrib/rsync.if
345 @@ -141,3 +141,52 @@ interface(`rsync_write_config',`
346 allow $1 rsync_etc_t:file read_file_perms;
347 files_search_etc($1)
348 ')
349 +
350 +########################################
351 +## <summary>
352 +## Create, read, write, and delete
353 +## rsync config files.
354 +## </summary>
355 +## <param name="domain">
356 +## <summary>
357 +## Domain allowed access.
358 +## </summary>
359 +## </param>
360 +#
361 +interface(`rsync_manage_config_files',`
362 + gen_require(`
363 + type rsync_etc_t;
364 + ')
365 +
366 + manage_files_pattern($1, rsync_etc_t, rsync_etc_t)
367 + files_search_etc($1)
368 +')
369 +
370 +########################################
371 +## <summary>
372 +## Create objects in etc directories
373 +## with rsync etc type.
374 +## </summary>
375 +## <param name="domain">
376 +## <summary>
377 +## Domain allowed to transition.
378 +## </summary>
379 +## </param>
380 +## <param name="object_class">
381 +## <summary>
382 +## Class of the object being created.
383 +## </summary>
384 +## </param>
385 +## <param name="name" optional="true">
386 +## <summary>
387 +## The name of the object being created.
388 +## </summary>
389 +## </param>
390 +#
391 +interface(`rsync_etc_filetrans_config',`
392 + gen_require(`
393 + type rsync_etc_t;
394 + ')
395 +
396 + files_etc_filetrans($1, rsync_etc_t, $2, $3)
397 +')
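Review bot: The context line `allow $1 rsync_etc_t:file read_file_perms;` sits inside `rsync_write_config`, whose body starts before this hunk; if the earlier lines do not already grant write access, that interface is misnamed and the new `rsync_manage_config_files` is the only one that actually allows writing. Worth confirming, since cobbler.te drops its `rsync_write_config` call in this same commit. The two new interfaces themselves look fine; `rsync_etc_filetrans_config`'s summary could say explicitly that the transition applies only to objects created in etc_t directories, e.g. `## Create objects in generic etc directories with the rsync config type.`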
398
399 diff --git a/policy/modules/contrib/rsync.te b/policy/modules/contrib/rsync.te
400 index 2834d86..d5e469e 100644
401 --- a/policy/modules/contrib/rsync.te
402 +++ b/policy/modules/contrib/rsync.te
403 @@ -1,4 +1,4 @@
404 -policy_module(rsync, 1.12.0)
405 +policy_module(rsync, 1.12.1)
406
407 ########################################
408 #
409
410 diff --git a/policy/modules/contrib/tftp.if b/policy/modules/contrib/tftp.if
411 index 38bb312..29b1bd9 100644
412 --- a/policy/modules/contrib/tftp.if
413 +++ b/policy/modules/contrib/tftp.if
414 @@ -40,6 +40,89 @@ interface(`tftp_manage_rw_content',`
415
416 ########################################
417 ## <summary>
418 +## Manage tftp config files.
419 +## </summary>
420 +## <param name="domain">
421 +## <summary>
422 +## Domain allowed access.
423 +## </summary>
424 +## </param>
425 +#
426 +interface(`tftp_manage_config_files',`
427 + gen_require(`
428 + type tftpd_etc_t;
429 + ')
430 +
431 + files_search_etc($1)
432 + manage_files_pattern($1, tftpd_etc_t, tftpd_etc_t)
433 +')
434 +
435 +########################################
436 +## <summary>
437 +## Create objects in etc directories
438 +## with tftp etc type.
439 +## </summary>
440 +## <param name="domain">
441 +## <summary>
442 +## Domain allowed to transition.
443 +## </summary>
444 +## </param>
445 +## <param name="object_class">
446 +## <summary>
447 +## Class of the object being created.
448 +## </summary>
449 +## </param>
450 +## <param name="name" optional="true">
451 +## <summary>
452 +## The name of the object being created.
453 +## </summary>
454 +## </param>
455 +#
456 +interface(`tftp_etc_filetrans_config',`
457 + gen_require(`
458 + type tftp_etc_t;
459 + ')
460 +
461 + files_etc_filetrans($1, tftp_etc_t, $2, $3)
462 +')
463 +
464 +########################################
465 +## <summary>
466 +## Create objects in tftpdir directories
467 +## with a private type.
468 +## </summary>
469 +## <param name="domain">
470 +## <summary>
471 +## Domain allowed access.
472 +## </summary>
473 +## </param>
474 +## <param name="private_type">
475 +## <summary>
476 +## Private file type.
477 +## </summary>
478 +## </param>
479 +## <param name="object_class">
480 +## <summary>
481 +## Class of the object being created.
482 +## </summary>
483 +## </param>
484 +## <param name="name" optional="true">
485 +## <summary>
486 +## The name of the object being created.
487 +## </summary>
488 +## </param>
489 +#
490 +interface(`tftp_filetrans_tftpdir',`
491 + gen_require(`
492 + type tftpdir_rw_t;
493 + ')
494 +
495 + files_search_var_lib($1)
496 + filetrans_pattern($1, tftpdir_rw_t, $2, $3, $4)
497 +')
498 +
499 +########################################
500 +## <summary>
501 ## All of the rules required to administrate
502 ## an tftp environment
503 ## </summary>
504
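Review bot: The two new config interfaces require different types: `tftp_manage_config_files` requires `tftpd_etc_t`, while `tftp_etc_filetrans_config` requires `tftp_etc_t` and passes it to files_etc_filetrans. Only one of those names can be the type declared in tftp.te, and cobbler.te now calls both, so whichever does not exist will fail at policy link time. If tftpd_etc_t is the declared type (it matches the existing naming in this file), the second interface should read `type tftpd_etc_t;` / `files_etc_filetrans($1, tftpd_etc_t, $2, $3)`. `tftp_filetrans_tftpdir` looks correct but its summary could note that the transition only applies inside tftpdir_rw_t directories.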
505 diff --git a/policy/modules/contrib/tftp.te b/policy/modules/contrib/tftp.te
506 index d50c10d..2fa2133 100644
507 --- a/policy/modules/contrib/tftp.te
508 +++ b/policy/modules/contrib/tftp.te
509 @@ -1,4 +1,4 @@
510 -policy_module(tftp, 1.12.0)
511 +policy_module(tftp, 1.12.1)
512
513 ########################################
514 #