
From: Sven Vermeulen <sven.vermeulen@××××××.be>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
Date: Wed, 31 Oct 2012 18:11:39
Message-Id: 1351706668.2d4b142e3ed58a18d2a7bb9301bbc35aab2982a1.SwifT@gentoo
1 commit: 2d4b142e3ed58a18d2a7bb9301bbc35aab2982a1
2 Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
3 AuthorDate: Wed Oct 31 09:23:34 2012 +0000
4 Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
5 CommitDate: Wed Oct 31 18:04:28 2012 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=2d4b142e
7
8 Changes to the vpnc policy module
9
10 Module clean up
11
12 Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
13
14 ---
15 policy/modules/contrib/vpn.fc | 6 -----
16 policy/modules/contrib/vpn.if | 18 +++++++++-------
17 policy/modules/contrib/vpn.te | 44 +++++++++++++++++++++++-----------------
18 3 files changed, 35 insertions(+), 33 deletions(-)
19
20 diff --git a/policy/modules/contrib/vpn.fc b/policy/modules/contrib/vpn.fc
21 index 5e3cc6e..524ac2f 100644
22 --- a/policy/modules/contrib/vpn.fc
23 +++ b/policy/modules/contrib/vpn.fc
24 @@ -1,11 +1,5 @@
25 -#
26 -# sbin
27 -#
28 /sbin/vpnc -- gen_context(system_u:object_r:vpnc_exec_t,s0)
29
30 -#
31 -# /usr
32 -#
33 /usr/bin/openconnect -- gen_context(system_u:object_r:vpnc_exec_t,s0)
34
35 /usr/sbin/vpnc -- gen_context(system_u:object_r:vpnc_exec_t,s0)
36
37 diff --git a/policy/modules/contrib/vpn.if b/policy/modules/contrib/vpn.if
38 index 7b93e07..7a7f342 100644
39 --- a/policy/modules/contrib/vpn.if
40 +++ b/policy/modules/contrib/vpn.if
41 @@ -1,8 +1,8 @@
42 -## <summary>Virtual Private Networking client</summary>
43 +## <summary>Virtual Private Networking client.</summary>
44
45 ########################################
46 ## <summary>
47 -## Execute VPN clients in the vpnc domain.
48 +## Execute vpn clients in the vpnc domain.
49 ## </summary>
50 ## <param name="domain">
51 ## <summary>
52 @@ -15,13 +15,15 @@ interface(`vpn_domtrans',`
53 type vpnc_t, vpnc_exec_t;
54 ')
55
56 + corecmd_search_bin($1)
57 domtrans_pattern($1, vpnc_exec_t, vpnc_t)
58 ')
59
60 ########################################
61 ## <summary>
62 -## Execute VPN clients in the vpnc domain, and
63 -## allow the specified role the vpnc domain.
64 +## Execute vpn clients in the vpnc
65 +## domain, and allow the specified
66 +## role the vpnc domain.
67 ## </summary>
68 ## <param name="domain">
69 ## <summary>
70 @@ -46,7 +48,7 @@ interface(`vpn_run',`
71
72 ########################################
73 ## <summary>
74 -## Send VPN clients the kill signal.
75 +## Send kill signals to vpnc.
76 ## </summary>
77 ## <param name="domain">
78 ## <summary>
79 @@ -64,7 +66,7 @@ interface(`vpn_kill',`
80
81 ########################################
82 ## <summary>
83 -## Send generic signals to VPN clients.
84 +## Send generic signals to vpnc.
85 ## </summary>
86 ## <param name="domain">
87 ## <summary>
88 @@ -82,7 +84,7 @@ interface(`vpn_signal',`
89
90 ########################################
91 ## <summary>
92 -## Send signull to VPN clients.
93 +## Send null signals to vpnc.
94 ## </summary>
95 ## <param name="domain">
96 ## <summary>
97 @@ -101,7 +103,7 @@ interface(`vpn_signull',`
98 ########################################
99 ## <summary>
100 ## Send and receive messages from
101 -## Vpnc over dbus.
102 +## vpnc over dbus.
103 ## </summary>
104 ## <param name="domain">
105 ## <summary>
106
107 diff --git a/policy/modules/contrib/vpn.te b/policy/modules/contrib/vpn.te
108 index 83a80ba..9329eae 100644
109 --- a/policy/modules/contrib/vpn.te
110 +++ b/policy/modules/contrib/vpn.te
111 @@ -1,4 +1,4 @@
112 -policy_module(vpn, 1.15.0)
113 +policy_module(vpn, 1.15.1)
114
115 ########################################
116 #
117 @@ -6,10 +6,10 @@ policy_module(vpn, 1.15.0)
118 #
119
120 attribute_role vpnc_roles;
121 -roleattribute system_r vpnc_roles;
122
123 type vpnc_t;
124 type vpnc_exec_t;
125 +init_system_domain(vpnc_t, vpnc_exec_t)
126 application_domain(vpnc_t, vpnc_exec_t)
127 role vpnc_roles types vpnc_t;
128
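Review bot: `init_system_domain(vpnc_t, vpnc_exec_t)` is added directly above `application_domain(vpnc_t, vpnc_exec_t)`, and the two overlap: if I recall the refpolicy definitions, both call domain_type and domain_entry_file, and init_system_domain also supplies the `role system_r types vpnc_t` that the removed `roleattribute system_r vpnc_roles;` line used to provide. That is harmless to the compiled policy, but it is not obvious why both are wanted, and a later clean-up could drop the wrong one. Suggest a comment above the pair, e.g. `# init_system_domain: started by init in system_r; application_domain: run by user roles via vpn_run()`. Note that vpnc_roles no longer contains system_r after this change, so `sysnet_run_ifconfig(vpnc_t, vpnc_roles)` further down no longer associates ifconfig_t with system_r through this module — fine if sysnetwork already does that, but worth confirming.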
129 @@ -24,17 +24,13 @@ files_pid_file(vpnc_var_run_t)
130 # Local policy
131 #
132
133 -allow vpnc_t self:capability { dac_read_search dac_override net_admin ipc_lock net_raw };
134 +allow vpnc_t self:capability { dac_read_search dac_override net_admin ipc_lock net_raw setuid };
135 allow vpnc_t self:process { getsched signal };
136 allow vpnc_t self:fifo_file rw_fifo_file_perms;
137 allow vpnc_t self:netlink_route_socket rw_netlink_socket_perms;
138 -allow vpnc_t self:tcp_socket create_stream_socket_perms;
139 -allow vpnc_t self:udp_socket create_socket_perms;
140 +allow vpnc_t self:tcp_socket { accept listen };
141 allow vpnc_t self:rawip_socket create_socket_perms;
142 -allow vpnc_t self:unix_dgram_socket create_socket_perms;
143 -allow vpnc_t self:unix_stream_socket create_socket_perms;
144 allow vpnc_t self:tun_socket { create_socket_perms relabelfrom };
145 -# cjp: this needs to be fixed
146 allow vpnc_t self:socket create_socket_perms;
147
148 manage_dirs_pattern(vpnc_t, vpnc_tmp_t, vpnc_tmp_t)
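Review bot: The `setuid` capability is added to vpnc_t's self:capability set with no comment saying which of the two binaries sharing the domain (vpnc, openconnect) needs it or for what; a new capability grant in a "clean up" commit should carry its justification, e.g. `# setuid: <client> drops privileges after setup — seen in AVC, confirm`. In the same hunk the TCP socket rule becomes `{ accept listen }`, which lets a VPN client domain accept inbound connections, while the explicit create permissions for tcp, udp and unix sockets are dropped; if those are now expected from auth_use_nsswitch or similar interfaces elsewhere in the file that is not visible here, so check the built policy with `sesearch -A -s vpnc_t -c tcp_socket` that create is still granted and that listen/accept is actually wanted. Finally, the `# cjp: this needs to be fixed` marker is deleted but the rule it marked, `allow vpnc_t self:socket create_socket_perms;` on the generic socket class, is kept unchanged, so the reminder is lost without the issue being resolved; keep the comment, or replace it with one naming the socket family that needs the generic class.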
149 @@ -62,36 +58,43 @@ corenet_raw_sendrecv_generic_node(vpnc_t)
150 corenet_tcp_sendrecv_all_ports(vpnc_t)
151 corenet_udp_sendrecv_all_ports(vpnc_t)
152 corenet_udp_bind_generic_node(vpnc_t)
153 +
154 +corenet_sendrecv_all_server_packets(vpnc_t)
155 corenet_udp_bind_generic_port(vpnc_t)
156 +
157 +corenet_sendrecv_isakmp_server_packets(vpnc_t)
158 corenet_udp_bind_isakmp_port(vpnc_t)
159 +
160 +corenet_sendrecv_generic_server_packets(vpnc_t)
161 corenet_udp_bind_ipsecnat_port(vpnc_t)
162 -corenet_tcp_connect_all_ports(vpnc_t)
163 +
164 corenet_sendrecv_all_client_packets(vpnc_t)
165 -corenet_sendrecv_isakmp_server_packets(vpnc_t)
166 -corenet_sendrecv_generic_server_packets(vpnc_t)
167 +corenet_tcp_connect_all_ports(vpnc_t)
168 +
169 corenet_rw_tun_tap_dev(vpnc_t)
170
171 +corecmd_exec_all_executables(vpnc_t)
172 +
173 dev_read_rand(vpnc_t)
174 dev_read_urand(vpnc_t)
175 dev_read_sysfs(vpnc_t)
176
177 domain_use_interactive_fds(vpnc_t)
178
179 +files_exec_etc_files(vpnc_t)
180 +files_read_etc_runtime_files(vpnc_t)
181 +files_dontaudit_search_home(vpnc_t)
182 +
183 fs_getattr_xattr_fs(vpnc_t)
184 fs_getattr_tmpfs(vpnc_t)
185
186 term_use_all_ptys(vpnc_t)
187 term_use_all_ttys(vpnc_t)
188
189 -corecmd_exec_all_executables(vpnc_t)
190 -
191 -files_exec_etc_files(vpnc_t)
192 -files_read_etc_runtime_files(vpnc_t)
193 -files_read_etc_files(vpnc_t)
194 -files_dontaudit_search_home(vpnc_t)
195 -
196 auth_use_nsswitch(vpnc_t)
197
198 +init_dontaudit_use_fds(vpnc_t)
199 +
200 libs_exec_ld_so(vpnc_t)
201 libs_exec_lib_files(vpnc_t)
202
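Review bot: `corenet_sendrecv_all_server_packets(vpnc_t)` is newly added even though the only server-side binds in this hunk are the generic, isakmp and ipsecnat UDP ports, and the narrower `corenet_sendrecv_isakmp_server_packets` and `corenet_sendrecv_generic_server_packets` lines that follow are subsumed by it; for a VPN client the all-server grant looks broader than the binds justify, so either drop it or add a comment naming the port it covers. Separately, `files_read_etc_files(vpnc_t)` is removed with no replacement in this hunk while `files_exec_etc_files` and `files_read_etc_runtime_files` are kept; if etc_t read access is now expected from a more general interface, that is not visible here, so confirm with `sesearch -A -s vpnc_t -t etc_t -c file -p read` on the built policy or restore the line. `corecmd_exec_all_executables(vpnc_t)` is only moved, but it remains a very broad grant for a client domain and would benefit from a one-line comment stating which helper (presumably the vpnc-script under /etc) requires it.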
203 @@ -103,7 +106,6 @@ logging_dontaudit_search_logs(vpnc_t)
204 miscfiles_read_localization(vpnc_t)
205
206 seutil_dontaudit_search_config(vpnc_t)
207 -seutil_use_newrole_fds(vpnc_t)
208
209 sysnet_run_ifconfig(vpnc_t, vpnc_roles)
210 sysnet_etc_filetrans_config(vpnc_t)
211 @@ -123,3 +125,7 @@ optional_policy(`
212 optional_policy(`
213 networkmanager_attach_tun_iface(vpnc_t)
214 ')
215 +
216 +optional_policy(`
217 + seutil_use_newrole_fds(vpnc_t)
218 +')