1 |
commit: 2d4b142e3ed58a18d2a7bb9301bbc35aab2982a1 |
2 |
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com> |
3 |
AuthorDate: Wed Oct 31 09:23:34 2012 +0000 |
4 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
5 |
CommitDate: Wed Oct 31 18:04:28 2012 +0000 |
6 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=2d4b142e |
7 |
|
8 |
Changes to the vpnc policy module |
9 |
|
10 |
Module clean up |
11 |
|
12 |
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com> |
13 |
|
14 |
--- |
15 |
policy/modules/contrib/vpn.fc | 6 ----- |
16 |
policy/modules/contrib/vpn.if | 18 +++++++++------- |
17 |
policy/modules/contrib/vpn.te | 44 +++++++++++++++++++++++----------------- |
18 |
3 files changed, 35 insertions(+), 33 deletions(-) |
19 |
|
20 |
diff --git a/policy/modules/contrib/vpn.fc b/policy/modules/contrib/vpn.fc |
21 |
index 5e3cc6e..524ac2f 100644 |
22 |
--- a/policy/modules/contrib/vpn.fc |
23 |
+++ b/policy/modules/contrib/vpn.fc |
24 |
@@ -1,11 +1,5 @@ |
25 |
-# |
26 |
-# sbin |
27 |
-# |
28 |
/sbin/vpnc -- gen_context(system_u:object_r:vpnc_exec_t,s0) |
29 |
|
30 |
-# |
31 |
-# /usr |
32 |
-# |
33 |
/usr/bin/openconnect -- gen_context(system_u:object_r:vpnc_exec_t,s0) |
34 |
|
35 |
/usr/sbin/vpnc -- gen_context(system_u:object_r:vpnc_exec_t,s0) |
36 |
|
37 |
diff --git a/policy/modules/contrib/vpn.if b/policy/modules/contrib/vpn.if |
38 |
index 7b93e07..7a7f342 100644 |
39 |
--- a/policy/modules/contrib/vpn.if |
40 |
+++ b/policy/modules/contrib/vpn.if |
41 |
@@ -1,8 +1,8 @@ |
42 |
-## <summary>Virtual Private Networking client</summary> |
43 |
+## <summary>Virtual Private Networking client.</summary> |
44 |
|
45 |
######################################## |
46 |
## <summary> |
47 |
-## Execute VPN clients in the vpnc domain. |
48 |
+## Execute vpn clients in the vpnc domain. |
49 |
## </summary> |
50 |
## <param name="domain"> |
51 |
## <summary> |
52 |
@@ -15,13 +15,15 @@ interface(`vpn_domtrans',` |
53 |
type vpnc_t, vpnc_exec_t; |
54 |
') |
55 |
|
56 |
+ corecmd_search_bin($1) |
57 |
domtrans_pattern($1, vpnc_exec_t, vpnc_t) |
58 |
') |
59 |
|
60 |
######################################## |
61 |
## <summary> |
62 |
-## Execute VPN clients in the vpnc domain, and |
63 |
-## allow the specified role the vpnc domain. |
64 |
+## Execute vpn clients in the vpnc |
65 |
+## domain, and allow the specified |
66 |
+## role the vpnc domain. |
67 |
## </summary> |
68 |
## <param name="domain"> |
69 |
## <summary> |
70 |
@@ -46,7 +48,7 @@ interface(`vpn_run',` |
71 |
|
72 |
######################################## |
73 |
## <summary> |
74 |
-## Send VPN clients the kill signal. |
75 |
+## Send kill signals to vpnc. |
76 |
## </summary> |
77 |
## <param name="domain"> |
78 |
## <summary> |
79 |
@@ -64,7 +66,7 @@ interface(`vpn_kill',` |
80 |
|
81 |
######################################## |
82 |
## <summary> |
83 |
-## Send generic signals to VPN clients. |
84 |
+## Send generic signals to vpnc. |
85 |
## </summary> |
86 |
## <param name="domain"> |
87 |
## <summary> |
88 |
@@ -82,7 +84,7 @@ interface(`vpn_signal',` |
89 |
|
90 |
######################################## |
91 |
## <summary> |
92 |
-## Send signull to VPN clients. |
93 |
+## Send null signals to vpnc. |
94 |
## </summary> |
95 |
## <param name="domain"> |
96 |
## <summary> |
97 |
@@ -101,7 +103,7 @@ interface(`vpn_signull',` |
98 |
######################################## |
99 |
## <summary> |
100 |
## Send and receive messages from |
101 |
-## Vpnc over dbus. |
102 |
+## vpnc over dbus. |
103 |
## </summary> |
104 |
## <param name="domain"> |
105 |
## <summary> |
106 |
|
107 |
diff --git a/policy/modules/contrib/vpn.te b/policy/modules/contrib/vpn.te |
108 |
index 83a80ba..9329eae 100644 |
109 |
--- a/policy/modules/contrib/vpn.te |
110 |
+++ b/policy/modules/contrib/vpn.te |
111 |
@@ -1,4 +1,4 @@ |
112 |
-policy_module(vpn, 1.15.0) |
113 |
+policy_module(vpn, 1.15.1) |
114 |
|
115 |
######################################## |
116 |
# |
117 |
@@ -6,10 +6,10 @@ policy_module(vpn, 1.15.0) |
118 |
# |
119 |
|
120 |
attribute_role vpnc_roles; |
121 |
-roleattribute system_r vpnc_roles; |
122 |
|
123 |
type vpnc_t; |
124 |
type vpnc_exec_t; |
125 |
+init_system_domain(vpnc_t, vpnc_exec_t) |
126 |
application_domain(vpnc_t, vpnc_exec_t) |
127 |
role vpnc_roles types vpnc_t; |
128 |
|
129 |
@@ -24,17 +24,13 @@ files_pid_file(vpnc_var_run_t) |
130 |
# Local policy |
131 |
# |
132 |
|
133 |
-allow vpnc_t self:capability { dac_read_search dac_override net_admin ipc_lock net_raw }; |
134 |
+allow vpnc_t self:capability { dac_read_search dac_override net_admin ipc_lock net_raw setuid }; |
135 |
allow vpnc_t self:process { getsched signal }; |
136 |
allow vpnc_t self:fifo_file rw_fifo_file_perms; |
137 |
allow vpnc_t self:netlink_route_socket rw_netlink_socket_perms; |
138 |
-allow vpnc_t self:tcp_socket create_stream_socket_perms; |
139 |
-allow vpnc_t self:udp_socket create_socket_perms; |
140 |
+allow vpnc_t self:tcp_socket { accept listen }; |
141 |
allow vpnc_t self:rawip_socket create_socket_perms; |
142 |
-allow vpnc_t self:unix_dgram_socket create_socket_perms; |
143 |
-allow vpnc_t self:unix_stream_socket create_socket_perms; |
144 |
allow vpnc_t self:tun_socket { create_socket_perms relabelfrom }; |
145 |
-# cjp: this needs to be fixed |
146 |
allow vpnc_t self:socket create_socket_perms; |
147 |
|
148 |
manage_dirs_pattern(vpnc_t, vpnc_tmp_t, vpnc_tmp_t) |
149 |
@@ -62,36 +58,43 @@ corenet_raw_sendrecv_generic_node(vpnc_t) |
150 |
corenet_tcp_sendrecv_all_ports(vpnc_t) |
151 |
corenet_udp_sendrecv_all_ports(vpnc_t) |
152 |
corenet_udp_bind_generic_node(vpnc_t) |
153 |
+ |
154 |
+corenet_sendrecv_all_server_packets(vpnc_t) |
155 |
corenet_udp_bind_generic_port(vpnc_t) |
156 |
+ |
157 |
+corenet_sendrecv_isakmp_server_packets(vpnc_t) |
158 |
corenet_udp_bind_isakmp_port(vpnc_t) |
159 |
+ |
160 |
+corenet_sendrecv_generic_server_packets(vpnc_t) |
161 |
corenet_udp_bind_ipsecnat_port(vpnc_t) |
162 |
-corenet_tcp_connect_all_ports(vpnc_t) |
163 |
+ |
164 |
corenet_sendrecv_all_client_packets(vpnc_t) |
165 |
-corenet_sendrecv_isakmp_server_packets(vpnc_t) |
166 |
-corenet_sendrecv_generic_server_packets(vpnc_t) |
167 |
+corenet_tcp_connect_all_ports(vpnc_t) |
168 |
+ |
169 |
corenet_rw_tun_tap_dev(vpnc_t) |
170 |
|
171 |
+corecmd_exec_all_executables(vpnc_t) |
172 |
+ |
173 |
dev_read_rand(vpnc_t) |
174 |
dev_read_urand(vpnc_t) |
175 |
dev_read_sysfs(vpnc_t) |
176 |
|
177 |
domain_use_interactive_fds(vpnc_t) |
178 |
|
179 |
+files_exec_etc_files(vpnc_t) |
180 |
+files_read_etc_runtime_files(vpnc_t) |
181 |
+files_dontaudit_search_home(vpnc_t) |
182 |
+ |
183 |
fs_getattr_xattr_fs(vpnc_t) |
184 |
fs_getattr_tmpfs(vpnc_t) |
185 |
|
186 |
term_use_all_ptys(vpnc_t) |
187 |
term_use_all_ttys(vpnc_t) |
188 |
|
189 |
-corecmd_exec_all_executables(vpnc_t) |
190 |
- |
191 |
-files_exec_etc_files(vpnc_t) |
192 |
-files_read_etc_runtime_files(vpnc_t) |
193 |
-files_read_etc_files(vpnc_t) |
194 |
-files_dontaudit_search_home(vpnc_t) |
195 |
- |
196 |
auth_use_nsswitch(vpnc_t) |
197 |
|
198 |
+init_dontaudit_use_fds(vpnc_t) |
199 |
+ |
200 |
libs_exec_ld_so(vpnc_t) |
201 |
libs_exec_lib_files(vpnc_t) |
202 |
|
203 |
@@ -103,7 +106,6 @@ logging_dontaudit_search_logs(vpnc_t) |
204 |
miscfiles_read_localization(vpnc_t) |
205 |
|
206 |
seutil_dontaudit_search_config(vpnc_t) |
207 |
-seutil_use_newrole_fds(vpnc_t) |
208 |
|
209 |
sysnet_run_ifconfig(vpnc_t, vpnc_roles) |
210 |
sysnet_etc_filetrans_config(vpnc_t) |
211 |
@@ -123,3 +125,7 @@ optional_policy(` |
212 |
optional_policy(` |
213 |
networkmanager_attach_tun_iface(vpnc_t) |
214 |
') |
215 |
+ |
216 |
+optional_policy(` |
217 |
+ seutil_use_newrole_fds(vpnc_t) |
218 |
+') |