commit: 377c4727997c6c8ab8ad6b7c7db3bb7608506f75 |
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com> |
AuthorDate: Mon Sep 24 08:53:43 2012 +0000 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
CommitDate: Thu Sep 27 17:15:30 2012 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=377c4727 |
|
Changes to the cmirrord policy module |
|
Module clean up |
|
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com> |
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be> |
|
--- |
policy/modules/contrib/cmirrord.fc | 4 ++-- |
policy/modules/contrib/cmirrord.if | 15 +++++++++------ |
policy/modules/contrib/cmirrord.te | 9 ++++----- |
3 files changed, 15 insertions(+), 13 deletions(-) |
|
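--- a/policy/modules/contrib/cmirrord.fc
+++ b/policy/modules/contrib/cmirrord.fc
@@ -1,5 +1,5 @@
 /etc/rc\.d/init\.d/cmirrord -- gen_context(system_u:object_r:cmirrord_initrc_exec_t,s0)
 
-/usr/sbin/cmirrord -- gen_context(system_u:object_r:cmirrord_exec_t,s0)
+/usr/sbin/cmirrord -- gen_context(system_u:object_r:cmirrord_exec_t,s0)
 
-/var/run/cmirrord\.pid -- gen_context(system_u:object_r:cmirrord_var_run_t,s0)
+/var/run/cmirrord\.pid -- gen_context(system_u:object_r:cmirrord_var_run_t,s0)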
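--- a/policy/modules/contrib/cmirrord.if
+++ b/policy/modules/contrib/cmirrord.if
@@ -1,8 +1,9 @@
-## <summary>Cluster mirror log daemon</summary>
+## <summary>Cluster mirror log daemon.</summary>
 
 ########################################
 ## <summary>
-## Execute a domain transition to run cmirrord.
+## Execute a domain transition to
+## run cmirrord.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -15,12 +16,14 @@ interface(`cmirrord_domtrans',`
 	type cmirrord_t, cmirrord_exec_t;
 ')
 
+	corecmd_search_bin($1)
 	domtrans_pattern($1, cmirrord_exec_t, cmirrord_t)
 ')
 
 ########################################
 ## <summary>
-## Execute cmirrord server in the cmirrord domain.
+## Execute cmirrord server in the
+## cmirrord domain.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -57,7 +60,7 @@ interface(`cmirrord_read_pid_files',`
 
 #######################################
 ## <summary>
-## Read and write to cmirrord shared memory.
+## Read and write cmirrord shared memory.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -80,8 +83,8 @@ interface(`cmirrord_rw_shm',`
 
 ########################################
 ## <summary>
-## All of the rules required to administrate
-## an cmirrord environment
+## All of the rules required to
+## administrate an cmirrord environment.
 ## </summary>
 ## <param name="domain">
 ## <summary>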
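Review bot: The reflowed summary in the last hunk, `+## administrate an cmirrord environment.`, carries the wrong article over from the old text; the line should read `## administrate a cmirrord environment.` since this is the interface documentation that ends up in the generated policy reference. In the second hunk the added `corecmd_search_bin($1)` grants the calling domain search on the bin directories before the transition, which matches the usual refpolicy domtrans pattern, so nothing further appears to be missing there. That hunk starts inside the body of cmirrord_domtrans, whose gen_require block opens before the hunk.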
diff --git a/policy/modules/contrib/cmirrord.te b/policy/modules/contrib/cmirrord.te |
88 |
index 28fdd8a..d8e9958 100644 |
89 |
--- a/policy/modules/contrib/cmirrord.te |
90 |
+++ b/policy/modules/contrib/cmirrord.te |
91 |
@@ -1,4 +1,4 @@ |
92 |
-policy_module(cmirrord, 1.0.0) |
93 |
+policy_module(cmirrord, 1.0.1) |
94 |
|
95 |
######################################## |
96 |
# |
97 |
@@ -20,23 +20,22 @@ files_pid_file(cmirrord_var_run_t) |
98 |
|
99 |
######################################## |
100 |
# |
101 |
-# cmirrord local policy |
102 |
+# Local policy |
103 |
# |
104 |
|
105 |
allow cmirrord_t self:capability { net_admin kill }; |
106 |
dontaudit cmirrord_t self:capability sys_tty_config; |
107 |
-allow cmirrord_t self:process { setfscreate signal}; |
108 |
+allow cmirrord_t self:process { setfscreate signal }; |
109 |
allow cmirrord_t self:fifo_file rw_fifo_file_perms; |
110 |
allow cmirrord_t self:sem create_sem_perms; |
111 |
allow cmirrord_t self:shm create_shm_perms; |
112 |
allow cmirrord_t self:netlink_socket create_socket_perms; |
113 |
-allow cmirrord_t self:unix_stream_socket create_stream_socket_perms; |
114 |
+allow cmirrord_t self:unix_stream_socket { accept listen }; |
115 |
|
116 |
manage_dirs_pattern(cmirrord_t, cmirrord_tmpfs_t, cmirrord_tmpfs_t) |
117 |
manage_files_pattern(cmirrord_t, cmirrord_tmpfs_t, cmirrord_tmpfs_t) |
118 |
fs_tmpfs_filetrans(cmirrord_t, cmirrord_tmpfs_t, { dir file }) |
119 |
|
120 |
-manage_dirs_pattern(cmirrord_t, cmirrord_var_run_t, cmirrord_var_run_t) |
121 |
manage_files_pattern(cmirrord_t, cmirrord_var_run_t, cmirrord_var_run_t) |
122 |
files_pid_filetrans(cmirrord_t, cmirrord_var_run_t, file) |