commit: 912122431d7e0b53fb36ce19b56b0c31e9e75b1d |
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com> |
AuthorDate: Fri Nov 2 14:52:59 2012 +0000 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
CommitDate: Fri Nov 2 19:08:28 2012 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=91212243 |
|
Changes to the zebra policy module |
|
Ported from Fedora with changes |
|
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com> |
|
--- |
policy/modules/contrib/zebra.fc | 9 +++--- |
policy/modules/contrib/zebra.if | 20 +++++++------- |
policy/modules/contrib/zebra.te | 55 ++++++++++++++++++++------------------- |
3 files changed, 42 insertions(+), 42 deletions(-) |
|
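diff --git a/policy/modules/contrib/zebra.fc b/policy/modules/contrib/zebra.fc
index 32661df..28ee4ca 100644
--- a/policy/modules/contrib/zebra.fc
+++ b/policy/modules/contrib/zebra.fc
@@ -1,3 +1,6 @@
+/etc/quagga(/.*)? gen_context(system_u:object_r:zebra_conf_t,s0)
+/etc/zebra(/.*)? gen_context(system_u:object_r:zebra_conf_t,s0)
+
 /etc/rc\.d/init\.d/bgpd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/ospf6d -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/ospfd -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
@@ -6,13 +9,9 @@
 /etc/rc\.d/init\.d/zebra -- gen_context(system_u:object_r:zebra_initrc_exec_t,s0)
 
 /usr/sbin/bgpd -- gen_context(system_u:object_r:zebra_exec_t,s0)
-/usr/sbin/zebra -- gen_context(system_u:object_r:zebra_exec_t,s0)
-
-/etc/quagga(/.*)? gen_context(system_u:object_r:zebra_conf_t,s0)
-/etc/zebra(/.*)? gen_context(system_u:object_r:zebra_conf_t,s0)
-
 /usr/sbin/ospf.* -- gen_context(system_u:object_r:zebra_exec_t,s0)
 /usr/sbin/rip.* -- gen_context(system_u:object_r:zebra_exec_t,s0)
+/usr/sbin/zebra -- gen_context(system_u:object_r:zebra_exec_t,s0)
 
 /var/log/quagga(/.*)? gen_context(system_u:object_r:zebra_log_t,s0)
 /var/log/zebra(/.*)? gen_context(system_u:object_r:zebra_log_t,s0)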
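diff --git a/policy/modules/contrib/zebra.if b/policy/modules/contrib/zebra.if
index 6b87605..3416401 100644
--- a/policy/modules/contrib/zebra.if
+++ b/policy/modules/contrib/zebra.if
@@ -1,8 +1,8 @@
-## <summary>Zebra border gateway protocol network routing service</summary>
+## <summary>Zebra border gateway protocol network routing service.</summary>
 
 ########################################
 ## <summary>
-## Read the configuration files for zebra.
+## Read zebra configuration content.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -18,13 +18,14 @@ interface(`zebra_read_config',`
 
 files_search_etc($1)
 allow $1 zebra_conf_t:dir list_dir_perms;
- read_files_pattern($1, zebra_conf_t, zebra_conf_t)
- read_lnk_files_pattern($1, zebra_conf_t, zebra_conf_t)
+ allow $1 zebra_conf_t:file read_file_perms;
+ allow $1 zebra_conf_t:lnk_file read_lnk_file_perms;
 ')
 
 ########################################
 ## <summary>
-## Connect to zebra over an unix stream socket.
+## Connect to zebra with a unix
+## domain stream socket.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -38,14 +39,13 @@ interface(`zebra_stream_connect',`
 ')
 
 files_search_pids($1)
- allow $1 zebra_var_run_t:sock_file write;
- allow $1 zebra_t:unix_stream_socket connectto;
+ stream_connect_pattern($1, zebra_var_run_t, zebra_var_run_t, zebra_t)
 ')
 
 ########################################
 ## <summary>
-## All of the rules required to administrate
-## an zebra environment
+## All of the rules required to
+## administrate an zebra environment.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -54,7 +54,7 @@ interface(`zebra_stream_connect',`
 ## </param>
 ## <param name="role">
 ## <summary>
-## The role to be allowed to manage the zebra domain.
+## Role allowed access.
 ## </summary>
 ## </param>
 ## <rolecap/>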
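Review bot: `stream_connect_pattern($1, zebra_var_run_t, zebra_var_run_t, zebra_t)` in hunk @@ -38,14 +39,13 @@ is wider than the two lines it replaces: as far as I recall the pattern expands to search on the directory type plus write_sock_file_perms (getattr, write, open, append) on the sock_file, where the removed rule granted only `write`. That is the standard refpolicy idiom and probably intended, but since this interface is handed to arbitrary caller domains the widening is worth a mention in the commit message. The rewrapped summary in the same hunk keeps the grammar slip `administrate an zebra environment.`; since the line is being touched anyway, make it `administrate a zebra environment.`.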
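diff --git a/policy/modules/contrib/zebra.te b/policy/modules/contrib/zebra.te
index ade6c2c..b0803c2 100644
--- a/policy/modules/contrib/zebra.te
+++ b/policy/modules/contrib/zebra.te
@@ -1,4 +1,4 @@
-policy_module(zebra, 1.12.0)
+policy_module(zebra, 1.12.1)
 
 ########################################
 #
@@ -6,11 +6,11 @@ policy_module(zebra, 1.12.0)
 #
 
 ## <desc>
-## <p>
-## Allow zebra daemon to write it configuration files
-## </p>
+## <p>
+## Determine whether zebra daemon can
+## manage its configuration files.
+## </p>
 ## </desc>
-#
 gen_tunable(allow_zebra_write_config, false)
 
 type zebra_t;
@@ -40,24 +40,24 @@ files_pid_file(zebra_var_run_t)
 allow zebra_t self:capability { setgid setuid net_admin net_raw };
 dontaudit zebra_t self:capability sys_tty_config;
 allow zebra_t self:process { signal_perms getcap setcap };
-allow zebra_t self:file rw_file_perms;
-allow zebra_t self:unix_dgram_socket create_socket_perms;
-allow zebra_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow zebra_t self:fifo_file rw_fifo_file_perms;
+allow zebra_t self:unix_stream_socket { accept connectto listen };
 allow zebra_t self:netlink_route_socket rw_netlink_socket_perms;
 allow zebra_t self:tcp_socket { connect connected_stream_socket_perms };
 allow zebra_t self:udp_socket create_socket_perms;
 allow zebra_t self:rawip_socket create_socket_perms;
 
 allow zebra_t zebra_conf_t:dir list_dir_perms;
-read_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t)
-read_lnk_files_pattern(zebra_t, zebra_conf_t, zebra_conf_t)
+allow zebra_t zebra_conf_t:file read_file_perms;
+allow zebra_t zebra_conf_t:lnk_file read_lnk_file_perms;
 
-allow zebra_t zebra_log_t:dir setattr;
-manage_files_pattern(zebra_t, zebra_log_t, zebra_log_t)
+allow zebra_t zebra_log_t:dir setattr_dir_perms;
+append_files_pattern(zebra_t, zebra_log_t, zebra_log_t)
+create_files_pattern(zebra_t, zebra_log_t, zebra_log_t)
+setattr_files_pattern(zebra_t, zebra_log_t, zebra_log_t)
 manage_sock_files_pattern(zebra_t, zebra_log_t, zebra_log_t)
 logging_log_filetrans(zebra_t, zebra_log_t, { sock_file file dir })
 
-# /tmp/.bgpd is such a bad idea!
 allow zebra_t zebra_tmp_t:sock_file manage_sock_file_perms;
 files_tmp_filetrans(zebra_t, zebra_tmp_t, sock_file)
 
@@ -79,33 +79,38 @@ corenet_raw_sendrecv_generic_if(zebra_t)
 corenet_tcp_sendrecv_generic_node(zebra_t)
 corenet_udp_sendrecv_generic_node(zebra_t)
 corenet_raw_sendrecv_generic_node(zebra_t)
-corenet_tcp_sendrecv_all_ports(zebra_t)
-corenet_udp_sendrecv_all_ports(zebra_t)
 corenet_tcp_bind_generic_node(zebra_t)
 corenet_udp_bind_generic_node(zebra_t)
+
+corenet_sendrecv_bgp_server_packets(zebra_t)
 corenet_tcp_bind_bgp_port(zebra_t)
-corenet_tcp_bind_zebra_port(zebra_t)
-corenet_udp_bind_router_port(zebra_t)
+corenet_sendrecv_bgp_client_packets(zebra_t)
 corenet_tcp_connect_bgp_port(zebra_t)
+corenet_tcp_sendrecv_bgp_port(zebra_t)
+
 corenet_sendrecv_zebra_server_packets(zebra_t)
+corenet_tcp_bind_zebra_port(zebra_t)
+corenet_tcp_sendrecv_zebra_port(zebra_t)
+
 corenet_sendrecv_router_server_packets(zebra_t)
+corenet_udp_bind_router_port(zebra_t)
+corenet_udp_sendrecv_router_port(zebra_t)
 
 dev_associate_usbfs(zebra_var_run_t)
 dev_list_all_dev_nodes(zebra_t)
 dev_read_sysfs(zebra_t)
 dev_rw_zero(zebra_t)
 
-fs_getattr_all_fs(zebra_t)
-fs_search_auto_mountpoints(zebra_t)
-
-term_list_ptys(zebra_t)
-
 domain_use_interactive_fds(zebra_t)
 
-files_search_etc(zebra_t)
 files_read_etc_files(zebra_t)
 files_read_etc_runtime_files(zebra_t)
 
+fs_getattr_all_fs(zebra_t)
+fs_search_auto_mountpoints(zebra_t)
+
+term_list_ptys(zebra_t)
+
 logging_send_syslog_msg(zebra_t)
 
 miscfiles_read_localization(zebra_t)
@@ -134,7 +139,3 @@ optional_policy(`
 optional_policy(`
 udev_read_db(zebra_t)
 ')
-
-optional_policy(`
- unconfined_sigchld(zebra_t)
-')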
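Review bot: The rewritten rule `allow zebra_t self:unix_stream_socket { accept connectto listen };` in hunk @@ -40,24 +40,24 @@ no longer carries the create_stream_socket_perms that the removed line granted, and the self:unix_dgram_socket and self:file rules are dropped with no replacement in this diff; that is only safe if the base domain rules (not visible here) already grant create/bind/read/write on those classes, so a short comment such as `# socket creation perms come from the base domain rules` above the line would make the dependency explicit for the next reader. In the same hunk the `# /tmp/.bgpd is such a bad idea!` comment is removed while the zebra_tmp_t sock_file rule and files_tmp_filetrans() it annotated are kept; that comment was the only record that the daemon's socket lives under the shared /tmp directory, so keep a note along the lines of `# quagga creates a socket under /tmp (zebra_tmp_t); weak location, kept for compatibility` rather than dropping it. The log-directory change from manage_files_pattern() to append/create/setattr and the replacement of corenet_*_sendrecv_all_ports() with named ports in the following hunk are genuine tightenings and deserve a line in the commit message.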