[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/ - gentoo-commits

From:	Sven Vermeulen <sven.vermeulen@××××××.be>
To:	gentoo-commits@l.g.o
Subject:	[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
Date:	Fri, 28 Sep 2012 17:51:48
Message-Id:	`1348854166.e8d04403970e4e7b8461e588b413b8769031e618.SwifT@gentoo`

1

commit:     e8d04403970e4e7b8461e588b413b8769031e618

2

Author:     Dominick Grift <dominick.grift <AT> gmail <DOT> com>

3

AuthorDate: Fri Sep 28 10:09:59 2012 +0000

4

Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>

5

CommitDate: Fri Sep 28 17:42:46 2012 +0000

6

URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=e8d04403

7

8

Changes to the discc policy module

9

10

Add init script file type

11

Add distcc_admin()

12

Add missing file contexts

13

Module clean up

14

15

Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>

16

17

---

18

 policy/modules/contrib/distcc.fc |    5 ++++

19

 policy/modules/contrib/distcc.if |   43 +++++++++++++++++++++++++++++++++++++-

20

 policy/modules/contrib/distcc.te |   31 +++++++++++---------------

21

 3 files changed, 60 insertions(+), 19 deletions(-)

22

23

diff --git a/policy/modules/contrib/distcc.fc b/policy/modules/contrib/distcc.fc

24

index 6ce6b00..7b9fb3f 100644

25

--- a/policy/modules/contrib/distcc.fc

26

+++ b/policy/modules/contrib/distcc.fc

27

@@ -1,2 +1,7 @@

28

+/etc/rc\.d/init\.d/distccd	--	gen_context(system_u:object_r:distccd_initrc_exec_t,s0)

29

30

 /usr/bin/distccd	--	gen_context(system_u:object_r:distccd_exec_t,s0)

31

+

32

+/var/log/distccd.*	--	gen_context(system_u:object_r:distccd_log_t,s0)

33

+

34

+/var/run/distccd\.pid	--	gen_context(system_u:object_r:distccd_var_run_t,s0)

35

36

diff --git a/policy/modules/contrib/distcc.if b/policy/modules/contrib/distcc.if

37

index 926e959..24d8c74 100644

38

--- a/policy/modules/contrib/distcc.if

39

+++ b/policy/modules/contrib/distcc.if

40

@@ -1 +1,42 @@

41

-## <summary>Distributed compiler daemon</summary>

42

+## <summary>Distributed compiler daemon.</summary>

43

+

44

+########################################

45

+## <summary>

46

+##	All of the rules required to

47

+##	administrate an distcc environment.

48

+## </summary>

49

+## <param name="domain">

50

+##	<summary>

51

+##	Domain allowed access.

52

+##	</summary>

53

+## </param>

54

+## <param name="role">

55

+##	<summary>

56

+##	Role allowed access.

57

+##	</summary>

58

+## </param>

59

+## <rolecap/>

60

+#

61

+interface(`distcc_admin',`

62

+	gen_require(`

63

+		type distccd_t, distccd_t, distccd_log_t;

64

+		type disccd_var_run_t, distccd_tmp_t, distccd_initrc_exec_t;

65

+	')

66

+

67

+	allow $1 distccd_t:process { ptrace signal_perms };

68

+	ps_process_pattern($1, distccd_t)

69

+

70

+	init_labeled_script_domtrans($1, distccd_initrc_exec_t)

71

+	domain_system_change_exemption($1)

72

+	role_transition $2 distccd_initrc_exec_t system_r;

73

+	allow $2 system_r;

74

+

75

+	logging_search_logs($1)

76

+	admin_pattern($1, distccd_log_t)

77

+

78

+	files_search_tmp($1)

79

+	admin_pattern($1, distccd_tmp_t)

80

+

81

+	files_search_pids($1)

82

+	admin_pattern($1, distccd_var_run_t)

83

+')

84

85

diff --git a/policy/modules/contrib/distcc.te b/policy/modules/contrib/distcc.te

86

index 54d93e8..b441a4d 100644

87

--- a/policy/modules/contrib/distcc.te

88

+++ b/policy/modules/contrib/distcc.te

89

@@ -1,4 +1,4 @@

90

-policy_module(distcc, 1.8.0)

91

+policy_module(distcc, 1.8.2)

92

93

 ########################################

94

#

95

@@ -9,6 +9,9 @@ type distccd_t;

96

 type distccd_exec_t;

97

 init_daemon_domain(distccd_t, distccd_exec_t)

98

99

+type distccd_initrc_exec_t;

100

+init_script_file(distccd_initrc_exec_t)

101

+

102

 type distccd_log_t;

103

 logging_log_file(distccd_log_t)

104

105

@@ -27,11 +30,11 @@ allow distccd_t self:capability { setgid setuid };

106

 dontaudit distccd_t self:capability sys_tty_config;

107

 allow distccd_t self:process { signal_perms setsched };

108

 allow distccd_t self:fifo_file rw_fifo_file_perms;

109

-allow distccd_t self:netlink_route_socket r_netlink_socket_perms;

110

-allow distccd_t self:tcp_socket create_stream_socket_perms;

111

-allow distccd_t self:udp_socket create_socket_perms;

112

+allow distccd_t self:tcp_socket { accept listen };

113

114

-allow distccd_t distccd_log_t:file manage_file_perms;

115

+allow distccd_t distccd_log_t:file append_file_perms;

116

+allow distccd_t distccd_log_t:file create_file_perms;

117

+allow distccd_t distccd_log_t:file setattr_file_perms;

118

 logging_log_filetrans(distccd_t, distccd_log_t, file)

119

120

 manage_dirs_pattern(distccd_t, distccd_tmp_t, distccd_tmp_t)

121

@@ -47,14 +50,12 @@ kernel_read_kernel_sysctls(distccd_t)

122

 corenet_all_recvfrom_unlabeled(distccd_t)

123

 corenet_all_recvfrom_netlabel(distccd_t)

124

 corenet_tcp_sendrecv_generic_if(distccd_t)

125

-corenet_udp_sendrecv_generic_if(distccd_t)

126

 corenet_tcp_sendrecv_generic_node(distccd_t)

127

-corenet_udp_sendrecv_generic_node(distccd_t)

128

-corenet_tcp_sendrecv_all_ports(distccd_t)

129

-corenet_udp_sendrecv_all_ports(distccd_t)

130

 corenet_tcp_bind_generic_node(distccd_t)

131

-corenet_tcp_bind_distccd_port(distccd_t)

132

+

133

 corenet_sendrecv_distccd_server_packets(distccd_t)

134

+corenet_tcp_bind_distccd_port(distccd_t)

135

+corenet_tcp_sendrecv_distccd_port(distccd_t)

136

137

 dev_read_sysfs(distccd_t)

138

139

@@ -62,29 +63,23 @@ fs_getattr_all_fs(distccd_t)

140

 fs_search_auto_mountpoints(distccd_t)

141

142

 corecmd_exec_bin(distccd_t)

143

-corecmd_read_bin_symlinks(distccd_t)

144

145

 domain_use_interactive_fds(distccd_t)

146

147

-files_read_etc_files(distccd_t)

148

 files_read_etc_runtime_files(distccd_t)

149

150

+auth_use_nsswitch(distccd_t)

151

+

152

 libs_exec_lib_files(distccd_t)

153

154

 logging_send_syslog_msg(distccd_t)

155

156

 miscfiles_read_localization(distccd_t)

157

158

-sysnet_read_config(distccd_t)

159

-

160

 userdom_dontaudit_use_unpriv_user_fds(distccd_t)

161

 userdom_dontaudit_search_user_home_dirs(distccd_t)

162

163

 optional_policy(`

164

-	nis_use_ypbind(distccd_t)

165

-')

166

-

167

-optional_policy(`

168

 	seutil_sigchld_newrole(distccd_t)

169

')

1	commit: e8d04403970e4e7b8461e588b413b8769031e618
2	Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
3	AuthorDate: Fri Sep 28 10:09:59 2012 +0000
4	Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
5	CommitDate: Fri Sep 28 17:42:46 2012 +0000
6	URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=e8d04403
7
8	Changes to the discc policy module
9
10	Add init script file type
11	Add distcc_admin()
12	Add missing file contexts
13	Module clean up
14
15	Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
16
17	---
18	policy/modules/contrib/distcc.fc \| 5 ++++
19	policy/modules/contrib/distcc.if \| 43 +++++++++++++++++++++++++++++++++++++-
20	policy/modules/contrib/distcc.te \| 31 +++++++++++---------------
21	3 files changed, 60 insertions(+), 19 deletions(-)
22
23	diff --git a/policy/modules/contrib/distcc.fc b/policy/modules/contrib/distcc.fc
24	index 6ce6b00..7b9fb3f 100644
25	--- a/policy/modules/contrib/distcc.fc
26	+++ b/policy/modules/contrib/distcc.fc
27	@@ -1,2 +1,7 @@
28	+/etc/rc\.d/init\.d/distccd -- gen_context(system_u:object_r:distccd_initrc_exec_t,s0)
29
30	/usr/bin/distccd -- gen_context(system_u:object_r:distccd_exec_t,s0)
31	+
32	+/var/log/distccd.* -- gen_context(system_u:object_r:distccd_log_t,s0)
33	+
34	+/var/run/distccd\.pid -- gen_context(system_u:object_r:distccd_var_run_t,s0)
35
36	diff --git a/policy/modules/contrib/distcc.if b/policy/modules/contrib/distcc.if
37	index 926e959..24d8c74 100644
38	--- a/policy/modules/contrib/distcc.if
39	+++ b/policy/modules/contrib/distcc.if
40	@@ -1 +1,42 @@
41	-## <summary>Distributed compiler daemon</summary>
42	+## <summary>Distributed compiler daemon.</summary>
43	+
44	+########################################
45	+## <summary>
46	+## All of the rules required to
47	+## administrate an distcc environment.
48	+## </summary>
49	+## <param name="domain">
50	+## <summary>
51	+## Domain allowed access.
52	+## </summary>
53	+## </param>
54	+## <param name="role">
55	+## <summary>
56	+## Role allowed access.
57	+## </summary>
58	+## </param>
59	+## <rolecap/>
60	+#
61	+interface(`distcc_admin',`
62	+ gen_require(`
63	+ type distccd_t, distccd_t, distccd_log_t;
64	+ type disccd_var_run_t, distccd_tmp_t, distccd_initrc_exec_t;
65	+ ')
66	+
67	+ allow $1 distccd_t:process { ptrace signal_perms };
68	+ ps_process_pattern($1, distccd_t)
69	+
70	+ init_labeled_script_domtrans($1, distccd_initrc_exec_t)
71	+ domain_system_change_exemption($1)
72	+ role_transition $2 distccd_initrc_exec_t system_r;
73	+ allow $2 system_r;
74	+
75	+ logging_search_logs($1)
76	+ admin_pattern($1, distccd_log_t)
77	+
78	+ files_search_tmp($1)
79	+ admin_pattern($1, distccd_tmp_t)
80	+
81	+ files_search_pids($1)
82	+ admin_pattern($1, distccd_var_run_t)
83	+')
84
85	diff --git a/policy/modules/contrib/distcc.te b/policy/modules/contrib/distcc.te
86	index 54d93e8..b441a4d 100644
87	--- a/policy/modules/contrib/distcc.te
88	+++ b/policy/modules/contrib/distcc.te
89	@@ -1,4 +1,4 @@
90	-policy_module(distcc, 1.8.0)
91	+policy_module(distcc, 1.8.2)
92
93	########################################
94	#
95	@@ -9,6 +9,9 @@ type distccd_t;
96	type distccd_exec_t;
97	init_daemon_domain(distccd_t, distccd_exec_t)
98
99	+type distccd_initrc_exec_t;
100	+init_script_file(distccd_initrc_exec_t)
101	+
102	type distccd_log_t;
103	logging_log_file(distccd_log_t)
104
105	@@ -27,11 +30,11 @@ allow distccd_t self:capability { setgid setuid };
106	dontaudit distccd_t self:capability sys_tty_config;
107	allow distccd_t self:process { signal_perms setsched };
108	allow distccd_t self:fifo_file rw_fifo_file_perms;
109	-allow distccd_t self:netlink_route_socket r_netlink_socket_perms;
110	-allow distccd_t self:tcp_socket create_stream_socket_perms;
111	-allow distccd_t self:udp_socket create_socket_perms;
112	+allow distccd_t self:tcp_socket { accept listen };
113
114	-allow distccd_t distccd_log_t:file manage_file_perms;
115	+allow distccd_t distccd_log_t:file append_file_perms;
116	+allow distccd_t distccd_log_t:file create_file_perms;
117	+allow distccd_t distccd_log_t:file setattr_file_perms;
118	logging_log_filetrans(distccd_t, distccd_log_t, file)
119
120	manage_dirs_pattern(distccd_t, distccd_tmp_t, distccd_tmp_t)
121	@@ -47,14 +50,12 @@ kernel_read_kernel_sysctls(distccd_t)
122	corenet_all_recvfrom_unlabeled(distccd_t)
123	corenet_all_recvfrom_netlabel(distccd_t)
124	corenet_tcp_sendrecv_generic_if(distccd_t)
125	-corenet_udp_sendrecv_generic_if(distccd_t)
126	corenet_tcp_sendrecv_generic_node(distccd_t)
127	-corenet_udp_sendrecv_generic_node(distccd_t)
128	-corenet_tcp_sendrecv_all_ports(distccd_t)
129	-corenet_udp_sendrecv_all_ports(distccd_t)
130	corenet_tcp_bind_generic_node(distccd_t)
131	-corenet_tcp_bind_distccd_port(distccd_t)
132	+
133	corenet_sendrecv_distccd_server_packets(distccd_t)
134	+corenet_tcp_bind_distccd_port(distccd_t)
135	+corenet_tcp_sendrecv_distccd_port(distccd_t)
136
137	dev_read_sysfs(distccd_t)
138
139	@@ -62,29 +63,23 @@ fs_getattr_all_fs(distccd_t)
140	fs_search_auto_mountpoints(distccd_t)
141
142	corecmd_exec_bin(distccd_t)
143	-corecmd_read_bin_symlinks(distccd_t)
144
145	domain_use_interactive_fds(distccd_t)
146
147	-files_read_etc_files(distccd_t)
148	files_read_etc_runtime_files(distccd_t)
149
150	+auth_use_nsswitch(distccd_t)
151	+
152	libs_exec_lib_files(distccd_t)
153
154	logging_send_syslog_msg(distccd_t)
155
156	miscfiles_read_localization(distccd_t)
157
158	-sysnet_read_config(distccd_t)
159	-
160	userdom_dontaudit_use_unpriv_user_fds(distccd_t)
161	userdom_dontaudit_search_user_home_dirs(distccd_t)
162
163	optional_policy(`
164	- nis_use_ypbind(distccd_t)
165	-')
166	-
167	-optional_policy(`
168	seutil_sigchld_newrole(distccd_t)
169	')

Gentoo Archives: gentoo-commits