1 |
commit: e8d04403970e4e7b8461e588b413b8769031e618 |
2 |
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com> |
3 |
AuthorDate: Fri Sep 28 10:09:59 2012 +0000 |
4 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
5 |
CommitDate: Fri Sep 28 17:42:46 2012 +0000 |
6 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=e8d04403 |
7 |
|
8 |
Changes to the discc policy module |
9 |
|
10 |
Add init script file type |
11 |
Add distcc_admin() |
12 |
Add missing file contexts |
13 |
Module clean up |
14 |
|
15 |
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com> |
16 |
|
17 |
--- |
18 |
policy/modules/contrib/distcc.fc | 5 ++++ |
19 |
policy/modules/contrib/distcc.if | 43 +++++++++++++++++++++++++++++++++++++- |
20 |
policy/modules/contrib/distcc.te | 31 +++++++++++--------------- |
21 |
3 files changed, 60 insertions(+), 19 deletions(-) |
22 |
|
23 |
diff --git a/policy/modules/contrib/distcc.fc b/policy/modules/contrib/distcc.fc |
24 |
index 6ce6b00..7b9fb3f 100644 |
25 |
--- a/policy/modules/contrib/distcc.fc |
26 |
+++ b/policy/modules/contrib/distcc.fc |
27 |
@@ -1,2 +1,7 @@ |
28 |
+/etc/rc\.d/init\.d/distccd -- gen_context(system_u:object_r:distccd_initrc_exec_t,s0) |
29 |
|
30 |
/usr/bin/distccd -- gen_context(system_u:object_r:distccd_exec_t,s0) |
31 |
+ |
32 |
+/var/log/distccd.* -- gen_context(system_u:object_r:distccd_log_t,s0) |
33 |
+ |
34 |
+/var/run/distccd\.pid -- gen_context(system_u:object_r:distccd_var_run_t,s0) |
35 |
|
36 |
diff --git a/policy/modules/contrib/distcc.if b/policy/modules/contrib/distcc.if |
37 |
index 926e959..24d8c74 100644 |
38 |
--- a/policy/modules/contrib/distcc.if |
39 |
+++ b/policy/modules/contrib/distcc.if |
40 |
@@ -1 +1,42 @@ |
41 |
-## <summary>Distributed compiler daemon</summary> |
42 |
+## <summary>Distributed compiler daemon.</summary> |
43 |
+ |
44 |
+######################################## |
45 |
+## <summary> |
46 |
+## All of the rules required to |
47 |
+## administrate an distcc environment. |
48 |
+## </summary> |
49 |
+## <param name="domain"> |
50 |
+## <summary> |
51 |
+## Domain allowed access. |
52 |
+## </summary> |
53 |
+## </param> |
54 |
+## <param name="role"> |
55 |
+## <summary> |
56 |
+## Role allowed access. |
57 |
+## </summary> |
58 |
+## </param> |
59 |
+## <rolecap/> |
60 |
+# |
61 |
+interface(`distcc_admin',` |
62 |
+ gen_require(` |
63 |
+ type distccd_t, distccd_t, distccd_log_t; |
64 |
+ type disccd_var_run_t, distccd_tmp_t, distccd_initrc_exec_t; |
65 |
+ ') |
66 |
+ |
67 |
+ allow $1 distccd_t:process { ptrace signal_perms }; |
68 |
+ ps_process_pattern($1, distccd_t) |
69 |
+ |
70 |
+ init_labeled_script_domtrans($1, distccd_initrc_exec_t) |
71 |
+ domain_system_change_exemption($1) |
72 |
+ role_transition $2 distccd_initrc_exec_t system_r; |
73 |
+ allow $2 system_r; |
74 |
+ |
75 |
+ logging_search_logs($1) |
76 |
+ admin_pattern($1, distccd_log_t) |
77 |
+ |
78 |
+ files_search_tmp($1) |
79 |
+ admin_pattern($1, distccd_tmp_t) |
80 |
+ |
81 |
+ files_search_pids($1) |
82 |
+ admin_pattern($1, distccd_var_run_t) |
83 |
+') |
84 |
|
85 |
diff --git a/policy/modules/contrib/distcc.te b/policy/modules/contrib/distcc.te |
86 |
index 54d93e8..b441a4d 100644 |
87 |
--- a/policy/modules/contrib/distcc.te |
88 |
+++ b/policy/modules/contrib/distcc.te |
89 |
@@ -1,4 +1,4 @@ |
90 |
-policy_module(distcc, 1.8.0) |
91 |
+policy_module(distcc, 1.8.2) |
92 |
|
93 |
######################################## |
94 |
# |
95 |
@@ -9,6 +9,9 @@ type distccd_t; |
96 |
type distccd_exec_t; |
97 |
init_daemon_domain(distccd_t, distccd_exec_t) |
98 |
|
99 |
+type distccd_initrc_exec_t; |
100 |
+init_script_file(distccd_initrc_exec_t) |
101 |
+ |
102 |
type distccd_log_t; |
103 |
logging_log_file(distccd_log_t) |
104 |
|
105 |
@@ -27,11 +30,11 @@ allow distccd_t self:capability { setgid setuid }; |
106 |
dontaudit distccd_t self:capability sys_tty_config; |
107 |
allow distccd_t self:process { signal_perms setsched }; |
108 |
allow distccd_t self:fifo_file rw_fifo_file_perms; |
109 |
-allow distccd_t self:netlink_route_socket r_netlink_socket_perms; |
110 |
-allow distccd_t self:tcp_socket create_stream_socket_perms; |
111 |
-allow distccd_t self:udp_socket create_socket_perms; |
112 |
+allow distccd_t self:tcp_socket { accept listen }; |
113 |
|
114 |
-allow distccd_t distccd_log_t:file manage_file_perms; |
115 |
+allow distccd_t distccd_log_t:file append_file_perms; |
116 |
+allow distccd_t distccd_log_t:file create_file_perms; |
117 |
+allow distccd_t distccd_log_t:file setattr_file_perms; |
118 |
logging_log_filetrans(distccd_t, distccd_log_t, file) |
119 |
|
120 |
manage_dirs_pattern(distccd_t, distccd_tmp_t, distccd_tmp_t) |
121 |
@@ -47,14 +50,12 @@ kernel_read_kernel_sysctls(distccd_t) |
122 |
corenet_all_recvfrom_unlabeled(distccd_t) |
123 |
corenet_all_recvfrom_netlabel(distccd_t) |
124 |
corenet_tcp_sendrecv_generic_if(distccd_t) |
125 |
-corenet_udp_sendrecv_generic_if(distccd_t) |
126 |
corenet_tcp_sendrecv_generic_node(distccd_t) |
127 |
-corenet_udp_sendrecv_generic_node(distccd_t) |
128 |
-corenet_tcp_sendrecv_all_ports(distccd_t) |
129 |
-corenet_udp_sendrecv_all_ports(distccd_t) |
130 |
corenet_tcp_bind_generic_node(distccd_t) |
131 |
-corenet_tcp_bind_distccd_port(distccd_t) |
132 |
+ |
133 |
corenet_sendrecv_distccd_server_packets(distccd_t) |
134 |
+corenet_tcp_bind_distccd_port(distccd_t) |
135 |
+corenet_tcp_sendrecv_distccd_port(distccd_t) |
136 |
|
137 |
dev_read_sysfs(distccd_t) |
138 |
|
139 |
@@ -62,29 +63,23 @@ fs_getattr_all_fs(distccd_t) |
140 |
fs_search_auto_mountpoints(distccd_t) |
141 |
|
142 |
corecmd_exec_bin(distccd_t) |
143 |
-corecmd_read_bin_symlinks(distccd_t) |
144 |
|
145 |
domain_use_interactive_fds(distccd_t) |
146 |
|
147 |
-files_read_etc_files(distccd_t) |
148 |
files_read_etc_runtime_files(distccd_t) |
149 |
|
150 |
+auth_use_nsswitch(distccd_t) |
151 |
+ |
152 |
libs_exec_lib_files(distccd_t) |
153 |
|
154 |
logging_send_syslog_msg(distccd_t) |
155 |
|
156 |
miscfiles_read_localization(distccd_t) |
157 |
|
158 |
-sysnet_read_config(distccd_t) |
159 |
- |
160 |
userdom_dontaudit_use_unpriv_user_fds(distccd_t) |
161 |
userdom_dontaudit_search_user_home_dirs(distccd_t) |
162 |
|
163 |
optional_policy(` |
164 |
- nis_use_ypbind(distccd_t) |
165 |
-') |
166 |
- |
167 |
-optional_policy(` |
168 |
seutil_sigchld_newrole(distccd_t) |
169 |
') |