
From: Sven Vermeulen <sven.vermeulen@××××××.be>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
Date: Fri, 02 Nov 2012 19:14:11
Message-Id: 1351883308.912122431d7e0b53fb36ce19b56b0c31e9e75b1d.SwifT@gentoo
1 commit: 912122431d7e0b53fb36ce19b56b0c31e9e75b1d
2 Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
3 AuthorDate: Fri Nov 2 14:52:59 2012 +0000
4 Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
5 CommitDate: Fri Nov 2 19:08:28 2012 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=91212243
7
8 Changes to the zebra policy module
9
10 Ported from Fedora with changes
11
12 Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
13
14 ---
15 policy/modules/contrib/zebra.fc | 9 +++---
16 policy/modules/contrib/zebra.if | 20 +++++++-------
17 policy/modules/contrib/zebra.te | 55 ++++++++++++++++++++-------------------
18 3 files changed, 42 insertions(+), 42 deletions(-)
19
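diff --git a/policy/modules/contrib/zebra.fc b/policy/modules/contrib/zebra.fc
index 32661df..28ee4ca 100644
--- a/policy/modules/contrib/zebra.fc
+++ b/policy/modules/contrib/zebra.fc
@@ -1,3 +1,6 @@
+/etc/quagga(/.*)? gen_context(system_u:object_r:zebra_conf_t,s0)
+/etc/zebra(/.*)? gen_context(system_u:object_r:zebra_conf_t,s0)
+
 /etc/rc\.d/init\.d/bgpd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/ospf6d -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/ospfd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
@@ -6,13 +9,9 @@
 /etc/rc\.d/init\.d/zebra -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
 
 /usr/sbin/bgpd -- gen_context(system_u:object_r:zebra_exec_t,s0)
-/usr/sbin/zebra -- gen_context(system_u:object_r:zebra_exec_t,s0)
-
-/etc/quagga(/.*)? gen_context(system_u:object_r:zebra_conf_t,s0)
-/etc/zebra(/.*)? gen_context(system_u:object_r:zebra_conf_t,s0)
-
 /usr/sbin/ospf.* -- gen_context(system_u:object_r:zebra_exec_t,s0)
 /usr/sbin/rip.* -- gen_context(system_u:object_r:zebra_exec_t,s0)
+/usr/sbin/zebra -- gen_context(system_u:object_r:zebra_exec_t,s0)
 
 /var/log/quagga(/.*)? gen_context(system_u:object_r:zebra_log_t,s0)
 /var/log/zebra(/.*)? gen_context(system_u:object_r:zebra_log_t,s0)
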
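diff --git a/policy/modules/contrib/zebra.if b/policy/modules/contrib/zebra.if
index 6b87605..3416401 100644
--- a/policy/modules/contrib/zebra.if
+++ b/policy/modules/contrib/zebra.if
@@ -1,8 +1,8 @@
-## <summary>Zebra border gateway protocol network routing service</summary>
+## <summary>Zebra border gateway protocol network routing service.</summary>
 
 ########################################
 ## <summary>
-## Read the configuration files for zebra.
+## Read zebra configuration content.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -18,13 +18,14 @@ interface(`zebra_read_config',`
 
 files_search_etc($1)
 allow $1 zebra_conf_t:dir list_dir_perms;
- read_files_pattern($1, zebra_conf_t, zebra_conf_t)
- read_lnk_files_pattern($1, zebra_conf_t, zebra_conf_t)
+ allow $1 zebra_conf_t:file read_file_perms;
+ allow $1 zebra_conf_t:lnk_file read_lnk_file_perms;
 ')
 
 ########################################
 ## <summary>
-## Connect to zebra over an unix stream socket.
+## Connect to zebra with a unix
+## domain stream socket.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -38,14 +39,13 @@ interface(`zebra_stream_connect',`
 ')
 
 files_search_pids($1)
- allow $1 zebra_var_run_t:sock_file write;
- allow $1 zebra_t:unix_stream_socket connectto;
+ stream_connect_pattern($1, zebra_var_run_t, zebra_var_run_t, zebra_t)
 ')
 
 ########################################
 ## <summary>
-## All of the rules required to administrate
-## an zebra environment
+## All of the rules required to
+## administrate an zebra environment.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -54,7 +54,7 @@ interface(`zebra_stream_connect',`
 ## </param>
 ## <param name="role">
 ## <summary>
-## The role to be allowed to manage the zebra domain.
+## Role allowed access.
 ## </summary>
 ## </param>
 ## <rolecap/>
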
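Review bot: The `stream_connect_pattern($1, zebra_var_run_t, zebra_var_run_t, zebra_t)` line that replaces the two explicit allows in zebra_stream_connect is, if I recall the refpolicy support macro correctly, slightly wider than what it replaces: it also grants search on the zebra_var_run_t directory and write_sock_file_perms on the socket file rather than bare write. That is the conventional shape for a stream-connect interface and almost certainly intended, but nothing on the page says so, so anyone bisecting a later policy change has to expand the macro to see that the grant grew. In the zebra_admin summary hunk the new wording still reads `## administrate an zebra environment.`; it should be `## administrate a zebra environment.`. Both interface bodies touched here begin outside their hunks.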
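diff --git a/policy/modules/contrib/zebra.te b/policy/modules/contrib/zebra.te
index ade6c2c..b0803c2 100644
--- a/policy/modules/contrib/zebra.te
+++ b/policy/modules/contrib/zebra.te
@@ -1,4 +1,4 @@
-policy_module(zebra, 1.12.0)
+policy_module(zebra, 1.12.1)
 
 ########################################
 #
@@ -6,11 +6,11 @@ policy_module(zebra, 1.12.0)
 #
 
 ## <desc>
-## <p>
-## Allow zebra daemon to write it configuration files
-## </p>
+## <p>
+## Determine whether zebra daemon can
+## manage its configuration files.
+## </p>
 ## </desc>
-#
 gen_tunable(allow_zebra_write_config, false)
 
 type zebra_t;
@@ -40,24 +40,24 @@ files_pid_file(zebra_var_run_t)
 allow zebra_t self:capability { setgid setuid net_admin net_raw };
 dontaudit zebra_t self:capability sys_tty_config;
 allow zebra_t self:process { signal_perms getcap setcap };
-allow zebra_t self:file rw_file_perms;
-allow zebra_t self:unix_dgram_socket create_socket_perms;
-allow zebra_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow zebra_t self:fifo_file rw_fifo_file_perms;
+allow zebra_t self:unix_stream_socket { accept connectto listen };
 allow zebra_t self:netlink_route_socket rw_netlink_socket_perms;
 allow zebra_t self:tcp_socket { connect connected_stream_socket_perms };
 allow zebra_t self:udp_socket create_socket_perms;
 allow zebra_t self:rawip_socket create_socket_perms;
 
 allow zebra_t zebra_conf_t:dir list_dir_perms;
-read_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t)
-read_lnk_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t)
+allow zebra_t zebra_conf_t:file read_file_perms;
+allow zebra_t zebra_conf_t:lnk_file read_lnk_file_perms;
 
-allow zebra_t zebra_log_t:dir setattr;
-manage_files_pattern(zebra_t, zebra_log_t, zebra_log_t)
+allow zebra_t zebra_log_t:dir setattr_dir_perms;
+append_files_pattern(zebra_t, zebra_log_t, zebra_log_t)
+create_files_pattern(zebra_t, zebra_log_t, zebra_log_t)
+setattr_files_pattern(zebra_t, zebra_log_t, zebra_log_t)
 manage_sock_files_pattern(zebra_t, zebra_log_t, zebra_log_t)
 logging_log_filetrans(zebra_t, zebra_log_t, { sock_file file dir })
 
-# /tmp/.bgpd is such a bad idea!
 allow zebra_t zebra_tmp_t:sock_file manage_sock_file_perms;
 files_tmp_filetrans(zebra_t, zebra_tmp_t, sock_file)
 
@@ -79,33 +79,38 @@ corenet_raw_sendrecv_generic_if(zebra_t)
 corenet_tcp_sendrecv_generic_node(zebra_t)
 corenet_udp_sendrecv_generic_node(zebra_t)
 corenet_raw_sendrecv_generic_node(zebra_t)
-corenet_tcp_sendrecv_all_ports(zebra_t)
-corenet_udp_sendrecv_all_ports(zebra_t)
 corenet_tcp_bind_generic_node(zebra_t)
 corenet_udp_bind_generic_node(zebra_t)
+
+corenet_sendrecv_bgp_server_packets(zebra_t)
 corenet_tcp_bind_bgp_port(zebra_t)
-corenet_tcp_bind_zebra_port(zebra_t)
-corenet_udp_bind_router_port(zebra_t)
+corenet_sendrecv_bgp_client_packets(zebra_t)
 corenet_tcp_connect_bgp_port(zebra_t)
+corenet_tcp_sendrecv_bgp_port(zebra_t)
+
 corenet_sendrecv_zebra_server_packets(zebra_t)
+corenet_tcp_bind_zebra_port(zebra_t)
+corenet_tcp_sendrecv_zebra_port(zebra_t)
+
 corenet_sendrecv_router_server_packets(zebra_t)
+corenet_udp_bind_router_port(zebra_t)
+corenet_udp_sendrecv_router_port(zebra_t)
 
 dev_associate_usbfs(zebra_var_run_t)
 dev_list_all_dev_nodes(zebra_t)
 dev_read_sysfs(zebra_t)
 dev_rw_zero(zebra_t)
 
-fs_getattr_all_fs(zebra_t)
-fs_search_auto_mountpoints(zebra_t)
-
-term_list_ptys(zebra_t)
-
 domain_use_interactive_fds(zebra_t)
 
-files_search_etc(zebra_t)
 files_read_etc_files(zebra_t)
 files_read_etc_runtime_files(zebra_t)
 
+fs_getattr_all_fs(zebra_t)
+fs_search_auto_mountpoints(zebra_t)
+
+term_list_ptys(zebra_t)
+
 logging_send_syslog_msg(zebra_t)
 
 miscfiles_read_localization(zebra_t)
@@ -134,7 +139,3 @@ optional_policy(`
 optional_policy(`
 udev_read_db(zebra_t)
 ')
-
-optional_policy(`
- unconfined_sigchld(zebra_t)
-')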
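Review bot: In the `@@ -40,24 +40,24 @@` hunk the self unix_stream_socket rule shrinks from `{ connectto create_stream_socket_perms }` to `{ accept connectto listen }` and the `self:unix_dgram_socket create_socket_perms` rule disappears entirely, which as far as I read the permission sets drops create, bind and read/write on the daemon's own unix sockets unless kernel/domain.te in this tree already grants them to every domain (Fedora's base policy does, I believe; whether this tree's does is not visible here). If it does not, zebra and its helper daemons will hit AVC denials on socket creation as soon as the module is loaded, so either confirm the base rule or keep `allow zebra_t self:unix_stream_socket { connectto create_stream_socket_perms };` and the dgram line. The same hunk's move from `manage_files_pattern` to append/create/setattr on zebra_log_t is a welcome tightening, since the routing daemons can no longer truncate or unlink their own logs, and deserves a comment such as `# logs are append-only for the daemon: no write/unlink on purpose`. The `@@ -79,33 +79,38 @@` hunk trades `corenet_tcp_sendrecv_all_ports`/`corenet_udp_sendrecv_all_ports` for bgp-, zebra- and router-port-specific rules, which is consistent with the same least-privilege intent.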