commit: 1bccea5adbd272e37288bd91aef4ff6af0cd6a42 |
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com> |
AuthorDate: Fri Nov 2 12:55:01 2012 +0000 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
CommitDate: Fri Nov 2 19:08:13 2012 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=1bccea5a |
|
Changes to the xguest policy module and relevant dependencies |
|
Ported from Fedora with changes |
|
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com> |
|
--- |
policy/modules/contrib/gnomeclock.if | 22 ++++++++ |
policy/modules/contrib/gnomeclock.te | 4 +- |
policy/modules/contrib/xguest.if | 2 +- |
policy/modules/contrib/xguest.te | 97 +++++++++++++++++++++++++++++---- |
4 files changed, 110 insertions(+), 15 deletions(-) |
|
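diff --git a/policy/modules/contrib/gnomeclock.if b/policy/modules/contrib/gnomeclock.if
index 788ff46..3f55702 100644
--- a/policy/modules/contrib/gnomeclock.if
+++ b/policy/modules/contrib/gnomeclock.if
@@ -66,3 +66,25 @@ interface(`gnomeclock_dbus_chat',`
 allow $1 gnomeclock_t:dbus send_msg;
 allow gnomeclock_t $1:dbus send_msg;
 ')
+
+########################################
+## <summary>
+## Do not audit attempts to send and
+## receive messages from gnomeclock
+## over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`gnomeclock_dontaudit_dbus_chat',`
+ gen_require(`
+ type gnomeclock_t;
+ class dbus send_msg;
+ ')
+
+ dontaudit $1 gnomeclock_t:dbus send_msg;
+ dontaudit gnomeclock_t $1:dbus send_msg;
+')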
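diff --git a/policy/modules/contrib/gnomeclock.te b/policy/modules/contrib/gnomeclock.te
index 6ba981b..84e5f2f 100644
--- a/policy/modules/contrib/gnomeclock.te
+++ b/policy/modules/contrib/gnomeclock.te
@@ -1,4 +1,4 @@
-policy_module(gnomeclock, 1.0.3)
+policy_module(gnomeclock, 1.0.4)
 
 ########################################
 #
@@ -9,7 +9,7 @@ attribute_role gnomeclock_roles;
 
 type gnomeclock_t;
 type gnomeclock_exec_t;
-init_daemon_domain(gnomeclock_t, gnomeclock_exec_t)
+init_system_domain(gnomeclock_t, gnomeclock_exec_t)
 role gnomeclock_roles types gnomeclock_t;
 
 ########################################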
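Review bot: The switch from `init_daemon_domain` to `init_system_domain` for gnomeclock_t in the second hunk reclassifies how init may enter and interact with the domain, but neither the hunk nor the commit message ("Ported from Fedora with changes") says why. The two templates grant different rule sets, so a later reader cannot tell whether the rules that only the daemon template provides were dropped deliberately or lost in the port. A one-line comment above the call would settle it, e.g. `# gnomeclock is started on demand rather than as an init-script daemon` if that is the motivation, which I am inferring from the change itself, so confirm before quoting it. The version-bump hunk needs nothing.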
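diff --git a/policy/modules/contrib/xguest.if b/policy/modules/contrib/xguest.if
index d2234e3..4f1d07d 100644
--- a/policy/modules/contrib/xguest.if
+++ b/policy/modules/contrib/xguest.if
@@ -1,4 +1,4 @@
-## <summary>Least privledge xwindows user role</summary>
+## <summary>Least privledge xwindows user role.</summary>
 
 ########################################
 ## <summary>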
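diff --git a/policy/modules/contrib/xguest.te b/policy/modules/contrib/xguest.te
index b885bfc..2882821 100644
--- a/policy/modules/contrib/xguest.te
+++ b/policy/modules/contrib/xguest.te
@@ -1,4 +1,4 @@
-policy_module(xguest, 1.1.1)
+policy_module(xguest, 1.1.2)
 
 ########################################
 #
@@ -6,23 +6,26 @@ policy_module(xguest, 1.1.1)
 #
 
 ## <desc>
-## <p>
-## Allow xguest users to mount removable media
-## </p>
+## <p>
+## Determine whether xguest can
+## mount removable media.
+## </p>
 ## </desc>
 gen_tunable(xguest_mount_media, false)
 
 ## <desc>
-## <p>
-## Allow xguest to configure Network Manager
-## </p>
+## <p>
+## Determine whether xguest can
+## configure network manager.
+## </p>
 ## </desc>
 gen_tunable(xguest_connect_network, false)
 
 ## <desc>
-## <p>
-## Allow xguest to use blue tooth devices
-## </p>
+## <p>
+## Determine whether xguest can
+## use blue tooth devices.
+## </p>
 ## </desc>
 gen_tunable(xguest_use_bluetooth, false)
 
@@ -35,13 +38,14 @@ userdom_restricted_xwindows_user_template(xguest)
 # Local policy
 #
 
+kernel_dontaudit_request_load_module(xguest_t)
+
 ifndef(`enable_mls',`
 fs_exec_noxattr(xguest_t)
 
 tunable_policy(`user_rw_noexattrfile',`
 fs_manage_noxattr_fs_files(xguest_t)
 fs_manage_noxattr_fs_dirs(xguest_t)
- # Write floppies
 storage_raw_read_removable_device(xguest_t)
 storage_raw_write_removable_device(xguest_t)
 ',`
@@ -49,7 +53,6 @@ ifndef(`enable_mls',`
 ')
 ')
 
-# Allow mounting of file systems
 optional_policy(`
 tunable_policy(`xguest_mount_media',`
 kernel_read_fs_sysctls(xguest_t)
@@ -76,6 +79,20 @@ optional_policy(`
 ')
 
 optional_policy(`
+ tunable_policy(`xguest_use_bluetooth',`
+ blueman_dbus_chat(xguest_t)
+ ')
+')
+
+optional_policy(`
+ apache_role(xguest_r, xguest_t)
+')
+
+optional_policy(`
+ gnomeclock_dontaudit_dbus_chat(xguest_t)
+')
+
+optional_policy(`
 hal_dbus_chat(xguest_t)
 ')
 
@@ -89,10 +106,66 @@ optional_policy(`
 
 optional_policy(`
 tunable_policy(`xguest_connect_network',`
+ kernel_read_network_state(xguest_t)
+
 networkmanager_dbus_chat(xguest_t)
+ networkmanager_read_lib_files(xguest_t)
+
+ corenet_all_recvfrom_unlabeled(xguest_t)
+ corenet_all_recvfrom_netlabel(xguest_t)
+ corenet_tcp_sendrecv_generic_if(xguest_t)
+ corenet_raw_sendrecv_generic_if(xguest_t)
+ corenet_tcp_sendrecv_generic_node(xguest_t)
+ corenet_raw_sendrecv_generic_node(xguest_t)
+
+ corenet_sendrecv_pulseaudio_client_packets(xguest_t)
 corenet_tcp_connect_pulseaudio_port(xguest_t)
+ corenet_tcp_sendrecv_pulseaudio_port(xguest_t)
+
+ corenet_sendrecv_http_client_packets(xguest_t)
+ corenet_tcp_connect_http_port(xguest_t)
+ corenet_tcp_sendrecv_http_port(xguest_t)
+
+ corenet_sendrecv_http_cache_client_packets(xguest_t)
+ corenet_tcp_connect_http_cache_port(xguest_t)
+ corenet_tcp_sendrecv_http_cache_port(xguest_t)
+
+ corenet_sendrecv_squid_client_packets(xguest_t)
+ corenet_tcp_connect_squid_port(xguest_t)
+ corenet_tcp_sendrecv_squid_port(xguest_t)
+
+ corenet_sendrecv_ftp_client_packets(xguest_t)
+ corenet_tcp_connect_ftp_port(xguest_t)
+ corenet_tcp_sendrecv_ftp_port(xguest_t)
+
+ corenet_sendrecv_ipp_client_packets(xguest_t)
 corenet_tcp_connect_ipp_port(xguest_t)
+ corenet_tcp_sendrecv_ipp_port(xguest_t)
+
+ corenet_sendrecv_generic_client_packets(xguest_t)
+ corenet_tcp_connect_generic_port(xguest_t)
+ corenet_tcp_sendrecv_generic_port(xguest_t)
+
+ corenet_sendrecv_soundd_client_packets(xguest_t)
+ corenet_tcp_connect_soundd_port(xguest_t)
+ corenet_tcp_sendrecv_soundd_port(xguest_t)
+
+ corenet_sendrecv_speech_client_packets(xguest_t)
+ corenet_tcp_connect_speech_port(xguest_t)
+ corenet_tcp_sendrecv_speech_port(xguest_t)
+
+ corenet_sendrecv_transproxy_client_packets(xguest_t)
+ corenet_tcp_connect_transproxy_port(xguest_t)
+ corenet_tcp_sendrecv_transproxy_port(xguest_t)
+
+ corenet_dontaudit_tcp_sendrecv_generic_port(xguest_t)
+ corenet_dontaudit_tcp_bind_generic_port(xguest_t)
 ')
 ')
 
+optional_policy(`
+ pcscd_read_pid_files(xguest_t)
+ pcscd_stream_connect(xguest_t)
+')
+
 #gen_user(xguest_u,, xguest_r, s0, s0)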
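Review bot: The `xguest_connect_network` block in the last hunk now grants far more than the tunable's description in the second hunk (`Determine whether xguest can configure network manager.`) says: beyond NetworkManager dbus chat it adds `corenet_tcp_connect_http_port`, `corenet_tcp_connect_ftp_port`, the squid, http_cache and transproxy client rules, `corenet_all_recvfrom_unlabeled`, and `corenet_tcp_connect_generic_port`, which covers every port that carries no specific label. For a module whose stated purpose is a least-privilege guest role, an administrator reading the tunable text will not realise that enabling it makes xguest a general TCP client, so the description should say so, e.g. `## Determine whether xguest can configure network manager and act as a TCP client (http, ftp, squid, generic ports).`. Whether the generic-port connect is needed on top of the named-port rules is a policy decision I cannot settle from this file, but it deserves a comment either way. The unconditional `apache_role(xguest_r, xguest_t)` in the fourth hunk is similar: presumably it is wanted only where guests publish user web content, in which case a tunable guard would keep the default guest profile narrower.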