
From: Sven Vermeulen <sven.vermeulen@××××××.be>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
Date: Fri, 02 Nov 2012 19:13:55
Message-Id: 1351883293.1bccea5adbd272e37288bd91aef4ff6af0cd6a42.SwifT@gentoo
1 commit: 1bccea5adbd272e37288bd91aef4ff6af0cd6a42
2 Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
3 AuthorDate: Fri Nov 2 12:55:01 2012 +0000
4 Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
5 CommitDate: Fri Nov 2 19:08:13 2012 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=1bccea5a
7
8 Changes to the xguest policy module and relevant dependencies
9
10 Ported from Fedora with changes
11
12 Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
13
14 ---
15 policy/modules/contrib/gnomeclock.if | 22 ++++++++
16 policy/modules/contrib/gnomeclock.te | 4 +-
17 policy/modules/contrib/xguest.if | 2 +-
18 policy/modules/contrib/xguest.te | 97 +++++++++++++++++++++++++++++----
19 4 files changed, 110 insertions(+), 15 deletions(-)
20
21 diff --git a/policy/modules/contrib/gnomeclock.if b/policy/modules/contrib/gnomeclock.if
22 index 788ff46..3f55702 100644
23 --- a/policy/modules/contrib/gnomeclock.if
24 +++ b/policy/modules/contrib/gnomeclock.if
25 @@ -66,3 +66,25 @@ interface(`gnomeclock_dbus_chat',`
26 allow $1 gnomeclock_t:dbus send_msg;
27 allow gnomeclock_t $1:dbus send_msg;
28 ')
29 +
30 +########################################
31 +## <summary>
32 +## Do not audit attempts to send and
33 +## receive messages from gnomeclock
34 +## over dbus.
35 +## </summary>
36 +## <param name="domain">
37 +## <summary>
38 +## Domain to not audit.
39 +## </summary>
40 +## </param>
41 +#
42 +interface(`gnomeclock_dontaudit_dbus_chat',`
43 + gen_require(`
44 + type gnomeclock_t;
45 + class dbus send_msg;
46 + ')
47 +
48 + dontaudit $1 gnomeclock_t:dbus send_msg;
49 + dontaudit gnomeclock_t $1:dbus send_msg;
50 +')
51
52 diff --git a/policy/modules/contrib/gnomeclock.te b/policy/modules/contrib/gnomeclock.te
53 index 6ba981b..84e5f2f 100644
54 --- a/policy/modules/contrib/gnomeclock.te
55 +++ b/policy/modules/contrib/gnomeclock.te
56 @@ -1,4 +1,4 @@
57 -policy_module(gnomeclock, 1.0.3)
58 +policy_module(gnomeclock, 1.0.4)
59
60 ########################################
61 #
62 @@ -9,7 +9,7 @@ attribute_role gnomeclock_roles;
63
64 type gnomeclock_t;
65 type gnomeclock_exec_t;
66 -init_daemon_domain(gnomeclock_t, gnomeclock_exec_t)
67 +init_system_domain(gnomeclock_t, gnomeclock_exec_t)
68 role gnomeclock_roles types gnomeclock_t;
69
70 ########################################
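Review bot: The switch from `init_daemon_domain` to `init_system_domain` for gnomeclock_t is not explained anywhere in the hunk or the commit message, and it is a security-relevant change rather than a cosmetic one. If I read refpolicy's init.if correctly, the two macros differ in that `init_daemon_domain` also adds the domain to the `daemon` attribute, so every rule written against `daemon` stops applying to gnomeclock_t after this commit. A short comment above the macro call, along the lines of `# gnomeclock is started by the system bus on demand, not by init; no daemon attribute wanted`, would record the intent — adjust the reason to whatever actually motivated it, since the page does not say.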
71
72 diff --git a/policy/modules/contrib/xguest.if b/policy/modules/contrib/xguest.if
73 index d2234e3..4f1d07d 100644
74 --- a/policy/modules/contrib/xguest.if
75 +++ b/policy/modules/contrib/xguest.if
76 @@ -1,4 +1,4 @@
77 -## <summary>Least privledge xwindows user role</summary>
78 +## <summary>Least privledge xwindows user role.</summary>
79
80 ########################################
81 ## <summary>
82
83 diff --git a/policy/modules/contrib/xguest.te b/policy/modules/contrib/xguest.te
84 index b885bfc..2882821 100644
85 --- a/policy/modules/contrib/xguest.te
86 +++ b/policy/modules/contrib/xguest.te
87 @@ -1,4 +1,4 @@
88 -policy_module(xguest, 1.1.1)
89 +policy_module(xguest, 1.1.2)
90
91 ########################################
92 #
93 @@ -6,23 +6,26 @@ policy_module(xguest, 1.1.1)
94 #
95
96 ## <desc>
97 -## <p>
98 -## Allow xguest users to mount removable media
99 -## </p>
100 +## <p>
101 +## Determine whether xguest can
102 +## mount removable media.
103 +## </p>
104 ## </desc>
105 gen_tunable(xguest_mount_media, false)
106
107 ## <desc>
108 -## <p>
109 -## Allow xguest to configure Network Manager
110 -## </p>
111 +## <p>
112 +## Determine whether xguest can
113 +## configure network manager.
114 +## </p>
115 ## </desc>
116 gen_tunable(xguest_connect_network, false)
117
118 ## <desc>
119 -## <p>
120 -## Allow xguest to use blue tooth devices
121 -## </p>
122 +## <p>
123 +## Determine whether xguest can
124 +## use blue tooth devices.
125 +## </p>
126 ## </desc>
127 gen_tunable(xguest_use_bluetooth, false)
128
129 @@ -35,13 +38,14 @@ userdom_restricted_xwindows_user_template(xguest)
130 # Local policy
131 #
132
133 +kernel_dontaudit_request_load_module(xguest_t)
134 +
135 ifndef(`enable_mls',`
136 fs_exec_noxattr(xguest_t)
137
138 tunable_policy(`user_rw_noexattrfile',`
139 fs_manage_noxattr_fs_files(xguest_t)
140 fs_manage_noxattr_fs_dirs(xguest_t)
141 - # Write floppies
142 storage_raw_read_removable_device(xguest_t)
143 storage_raw_write_removable_device(xguest_t)
144 ',`
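Review bot: The new `kernel_dontaudit_request_load_module(xguest_t)` at the top of the local policy section is added without any comment, and a dontaudit silences evidence rather than granting access, so a reader later has no way to tell which guest activity was generating the module-request denials that prompted it. A one-line comment naming the trigger, e.g. `# silence module autoload requests from <constructed: the operation observed>` with the real cause filled in, would keep the dontaudit reviewable. The enclosing `ifndef(enable_mls)` block continues past the end of this hunk.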
145 @@ -49,7 +53,6 @@ ifndef(`enable_mls',`
146 ')
147 ')
148
149 -# Allow mounting of file systems
150 optional_policy(`
151 tunable_policy(`xguest_mount_media',`
152 kernel_read_fs_sysctls(xguest_t)
153 @@ -76,6 +79,20 @@ optional_policy(`
154 ')
155
156 optional_policy(`
157 + tunable_policy(`xguest_use_bluetooth',`
158 + blueman_dbus_chat(xguest_t)
159 + ')
160 +')
161 +
162 +optional_policy(`
163 + apache_role(xguest_r, xguest_t)
164 +')
165 +
166 +optional_policy(`
167 + gnomeclock_dontaudit_dbus_chat(xguest_t)
168 +')
169 +
170 +optional_policy(`
171 hal_dbus_chat(xguest_t)
172 ')
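Review bot: `apache_role(xguest_r, xguest_t)` is added unconditionally while the neighbouring blueman access is gated behind `xguest_use_bluetooth`; for a module whose own summary is "Least privledge xwindows user role" a role interface that, as far as I recall refpolicy's apache.if, grants management of user web content and transition into the user CGI domain deserves either a tunable or a comment explaining why a guest session needs it. Separately, refpolicy keeps `optional_policy` blocks sorted alphabetically by module, and the new order here is blueman, apache, gnomeclock, hal; moving the apache block ahead of the blueman one restores that. The blueman block's outer `optional_policy(` opens on an unchanged line above the hunk's added lines, so reordering touches a context line.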
173
174 @@ -89,10 +106,66 @@ optional_policy(`
175
176 optional_policy(`
177 tunable_policy(`xguest_connect_network',`
178 + kernel_read_network_state(xguest_t)
179 +
180 networkmanager_dbus_chat(xguest_t)
181 + networkmanager_read_lib_files(xguest_t)
182 +
183 + corenet_all_recvfrom_unlabeled(xguest_t)
184 + corenet_all_recvfrom_netlabel(xguest_t)
185 + corenet_tcp_sendrecv_generic_if(xguest_t)
186 + corenet_raw_sendrecv_generic_if(xguest_t)
187 + corenet_tcp_sendrecv_generic_node(xguest_t)
188 + corenet_raw_sendrecv_generic_node(xguest_t)
189 +
190 + corenet_sendrecv_pulseaudio_client_packets(xguest_t)
191 corenet_tcp_connect_pulseaudio_port(xguest_t)
192 + corenet_tcp_sendrecv_pulseaudio_port(xguest_t)
193 +
194 + corenet_sendrecv_http_client_packets(xguest_t)
195 + corenet_tcp_connect_http_port(xguest_t)
196 + corenet_tcp_sendrecv_http_port(xguest_t)
197 +
198 + corenet_sendrecv_http_cache_client_packets(xguest_t)
199 + corenet_tcp_connect_http_cache_port(xguest_t)
200 + corenet_tcp_sendrecv_http_cache_port(xguest_t)
201 +
202 + corenet_sendrecv_squid_client_packets(xguest_t)
203 + corenet_tcp_connect_squid_port(xguest_t)
204 + corenet_tcp_sendrecv_squid_port(xguest_t)
205 +
206 + corenet_sendrecv_ftp_client_packets(xguest_t)
207 + corenet_tcp_connect_ftp_port(xguest_t)
208 + corenet_tcp_sendrecv_ftp_port(xguest_t)
209 +
210 + corenet_sendrecv_ipp_client_packets(xguest_t)
211 corenet_tcp_connect_ipp_port(xguest_t)
212 + corenet_tcp_sendrecv_ipp_port(xguest_t)
213 +
214 + corenet_sendrecv_generic_client_packets(xguest_t)
215 + corenet_tcp_connect_generic_port(xguest_t)
216 + corenet_tcp_sendrecv_generic_port(xguest_t)
217 +
218 + corenet_sendrecv_soundd_client_packets(xguest_t)
219 + corenet_tcp_connect_soundd_port(xguest_t)
220 + corenet_tcp_sendrecv_soundd_port(xguest_t)
221 +
222 + corenet_sendrecv_speech_client_packets(xguest_t)
223 + corenet_tcp_connect_speech_port(xguest_t)
224 + corenet_tcp_sendrecv_speech_port(xguest_t)
225 +
226 + corenet_sendrecv_transproxy_client_packets(xguest_t)
227 + corenet_tcp_connect_transproxy_port(xguest_t)
228 + corenet_tcp_sendrecv_transproxy_port(xguest_t)
229 +
230 + corenet_dontaudit_tcp_sendrecv_generic_port(xguest_t)
231 + corenet_dontaudit_tcp_bind_generic_port(xguest_t)
232 ')
233 ')
234
235 +optional_policy(`
236 + pcscd_read_pid_files(xguest_t)
237 + pcscd_stream_connect(xguest_t)
238 +')
239 +
240 #gen_user(xguest_u,, xguest_r, s0, s0)
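Review bot: The rules added under `tunable_policy(xguest_connect_network)` now include `corenet_tcp_connect_http_port`, `corenet_tcp_connect_ftp_port`, `corenet_tcp_connect_generic_port` and the matching sendrecv and client-packet interfaces, i.e. general outbound TCP client access, yet the tunable's description rewritten earlier in this commit says only "Determine whether xguest can configure network manager." The description should state what the boolean actually switches on, for example `Determine whether xguest can configure network manager and use the network as a client.`, so an administrator enabling it understands the scope. Also, `corenet_dontaudit_tcp_sendrecv_generic_port(xguest_t)` sits in the same branch as `corenet_tcp_sendrecv_generic_port(xguest_t)`; if both target port_t as in refpolicy's corenetwork definitions, the dontaudit can never fire and can be dropped. The unconditional pcscd block at the end likewise gives guests a smart-card daemon connection with no comment on why that is wanted.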