
From: Sven Vermeulen <sven.vermeulen@××××××.be>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
Date: Thu, 27 Sep 2012 18:06:44
Message-Id: 1348768487.82b12f62f20f15f66de9c3ce3853b46349151992.SwifT@gentoo
1 commit: 82b12f62f20f15f66de9c3ce3853b46349151992
2 Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
3 AuthorDate: Tue Sep 25 13:55:55 2012 +0000
4 Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
5 CommitDate: Thu Sep 27 17:54:47 2012 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=82b12f62
7
8 Changes to the cron policy module and relevant dependencies
9
10 Ported from Fedora with changes
11
12 Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
13 Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
14
15 ---
16 policy/modules/contrib/cron.te | 55 ++++++++++++++++++++++++++++-----------
17 1 files changed, 39 insertions(+), 16 deletions(-)
18
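diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te
index c48cc70..412d5fb 100644
--- a/policy/modules/contrib/cron.te
+++ b/policy/modules/contrib/cron.te
@@ -96,12 +96,12 @@ typealias crontab_tmp_t alias { auditadm_crontab_tmp_t secadm_crontab_tmp_t };
 
 type system_cron_spool_t, cron_spool_type;
 files_type(system_cron_spool_t)
+mta_system_content(system_cron_spool_t)
 
 type system_cronjob_t alias system_crond_t;
 init_daemon_domain(system_cronjob_t, anacron_exec_t)
 corecmd_shell_entry_type(system_cronjob_t)
 domain_interactive_fd(system_cronjob_t)
-role system_r types system_cronjob_t;
 
 type system_cronjob_lock_t alias system_crond_lock_t;
 files_lock_file(system_cronjob_lock_t)
@@ -366,6 +366,27 @@ optional_policy(`
 ')
 
 optional_policy(`
+ apache_search_sys_content(crond_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(crond_t)
+
+ optional_policy(`
+ hal_dbus_chat(crond_t)
+ ')
+
+ optional_policy(`
+ unconfined_dbus_send(crond_t)
+ ')
+')
+
+optional_policy(`
+ djbdns_search_tinydns_keys(crond_t)
+ djbdns_link_tinydns_keys(crond_t)
+')
+
+optional_policy(`
 locallogin_search_keys(crond_t)
 locallogin_link_keys(crond_t)
 ')
@@ -554,6 +575,18 @@ optional_policy(`
 ')
 
 optional_policy(`
+ dbus_system_bus_client(system_cronjob_t)
+
+ optional_policy(`
+ networkmanager_dbus_chat(system_cronjob_t)
+ ')
+')
+
+optional_policy(`
+ exim_read_spool_files(system_cronjob_t)
+')
+
+optional_policy(`
 ftp_read_log(system_cronjob_t)
 ')
 
@@ -568,6 +601,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+ livecd_read_tmp_files(system_cronjob_t)
+')
+
+optional_policy(`
 lpd_list_spool(system_cronjob_t)
 ')
 
@@ -627,23 +664,9 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms;
 allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
 allow cronjob_t self:unix_dgram_socket create_socket_perms;
 
-# The entrypoint interface is not used as this is not
-# a regular entrypoint. Since crontab files are
-# not directly executed, crond must ensure that
-# the crontab file has a type that is appropriate
-# for the domain of the user cron job. It
-# performs an entrypoint permission check
-# for this purpose.
 allow cronjob_t user_cron_spool_t:file entrypoint;
 
-# Permit a transition from the crond_t domain to this domain.
-# The transition is requested explicitly by the modified crond
-# via setexeccon. There is no way to set up an automatic
-# transition, since crontabs are configuration files, not executables.
-allow crond_t cronjob_t:process transition;
-dontaudit crond_t cronjob_t:process { noatsecure siginh rlimitinh };
-allow crond_t cronjob_t:fd use;
-allow crond_t cronjob_t:key create;
+#allow crond_t cronjob_t:key create;
 allow cronjob_t crond_t:fd use;
 allow cronjob_t crond_t:fifo_file rw_file_perms;
 allow cronjob_t crond_t:process sigchld;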
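Review bot: The last hunk deletes the two comment blocks that justify `allow cronjob_t user_cron_spool_t:file entrypoint;` while keeping the rule, so the non-obvious reason a non-executable spool file carries an entrypoint permission (crontabs are configuration files, crond performs the entrypoint check itself via setexeccon) is no longer recorded beside it; I would keep a one-line version such as `# crontabs are config files, not executables: crond does the entrypoint check itself, so no entrypoint/domtrans interface is used here`. The explicit crond_t to cronjob_t `process transition`, `fd use` and `dontaudit ... { noatsecure siginh rlimitinh }` rules are dropped with no replacement visible in this hunk; if that transition is now granted by an interface elsewhere in cron.te (outside this view), the commit message should name it, since without it user cron jobs can no longer be started in cronjob_t. The leftover `#allow crond_t cronjob_t:key create;` needs a comment saying why it is kept disabled, or should be removed, as a bare commented-out rule with no rationale tends to be re-enabled or deleted at random later. The "Ported from Fedora" message likewise does not say why `role system_r types system_cronjob_t;` is dropped in the first hunk; this is presumably covered by `init_daemon_domain()`, but that is worth stating.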