
From: Sven Vermeulen <sven.vermeulen@××××××.be>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
Date: Wed, 31 Oct 2012 18:10:20
Message-Id: 1351706673.b12b3d308210e6d247e745d6e4916900cdf8a713.SwifT@gentoo
1 commit: b12b3d308210e6d247e745d6e4916900cdf8a713
2 Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
3 AuthorDate: Wed Oct 31 09:39:48 2012 +0000
4 Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
5 CommitDate: Wed Oct 31 18:04:33 2012 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=b12b3d30
7
8 Changes to the watchdog policy module
9
10 Add init script file
11 Add watchdog_admin()
12 Module clean up
13
14 Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
15
16 ---
17 policy/modules/contrib/watchdog.fc | 4 ++-
18 policy/modules/contrib/watchdog.if | 40 +++++++++++++++++++++++++++++++++++-
19 policy/modules/contrib/watchdog.te | 28 +++++++++---------------
20 3 files changed, 53 insertions(+), 19 deletions(-)
21
22 diff --git a/policy/modules/contrib/watchdog.fc b/policy/modules/contrib/watchdog.fc
23 index 27ee394..eecd0e0 100644
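--- a/policy/modules/contrib/watchdog.fc
+++ b/policy/modules/contrib/watchdog.fc
@@ -1,5 +1,7 @@
+/etc/rc\.d/init\.d/watchdog -- gen_context(system_u:object_r:watchdog_initrc_exec_t,s0)
+
 /usr/sbin/watchdog -- gen_context(system_u:object_r:watchdog_exec_t,s0)
 
-/var/log/watchdog(/.*)? gen_context(system_u:object_r:watchdog_log_t,s0)
+/var/log/watchdog.* gen_context(system_u:object_r:watchdog_log_t,s0)
 
 /var/run/watchdog\.pid -- gen_context(system_u:object_r:watchdog_var_run_t,s0)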
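Review bot: The new log entry `/var/log/watchdog.*` is a bare prefix match, so anything under /var/log whose name merely starts with `watchdog` is labelled watchdog_log_t, not only the daemon's own files. If the intent is to cover suffixed or rotated log files, a comment above the line saying so would help, and the previous directory form `/var/log/watchdog(/.*)?` could be kept next to a narrower file pattern. The entry also has no file-type specifier, so directories match as well, while the watchdog.te rules shown in this commit grant watchdog_t only `file` permissions on watchdog_log_t.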
35
36 diff --git a/policy/modules/contrib/watchdog.if b/policy/modules/contrib/watchdog.if
37 index f8acf10..6461a77 100644
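--- a/policy/modules/contrib/watchdog.if
+++ b/policy/modules/contrib/watchdog.if
@@ -1 +1,39 @@
-## <summary>Software watchdog</summary>
+## <summary>Software watchdog.</summary>
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an watchdog environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`watchdog_admin',`
+ gen_require(`
+ type watchdog_t, watchdog_initrc_exec_t, watchdog_log_t;
+ type watchdog_var_run_t;
+ ')
+
+ allow $1 watchdog_t:process { ptrace signal_perms };
+ ps_process_pattern($1, watchdog_t)
+
+ init_labeled_script_domtrans($1, watchdog_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 watchdog_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ logging_search_logs($1)
+ admin_pattern($1, watchdog_log_t)
+
+ files_search_pids($1)
+ admin_pattern($1, watchdog_var_run_t)
+')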
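Review bot: `allow $1 watchdog_t:process { ptrace signal_perms };` in watchdog_admin() gives the admin domain ptrace over a domain that watchdog.te in this same commit grants sys_admin, sys_boot and the ability to signal and kill all domains, so whoever may trace watchdog_t effectively inherits those privileges. Stopping, restarting and signalling the daemon does not need ptrace; I would write `allow $1 watchdog_t:process signal_perms;` here and leave tracing to a separate, explicitly granted rule. The interface summary also reads "administrate an watchdog environment", where `a watchdog environment` is meant.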
81
82 diff --git a/policy/modules/contrib/watchdog.te b/policy/modules/contrib/watchdog.te
83 index b10bb05..29f79e8 100644
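--- a/policy/modules/contrib/watchdog.te
+++ b/policy/modules/contrib/watchdog.te
@@ -1,14 +1,17 @@
-policy_module(watchdog, 1.7.0)
+policy_module(watchdog, 1.7.1)
 
 #################################
 #
-# Rules for the watchdog_t domain.
+# Declarations
 #
 
 type watchdog_t;
 type watchdog_exec_t;
 init_daemon_domain(watchdog_t, watchdog_exec_t)
 
+type watchdog_initrc_exec_t;
+init_script_file(watchdog_initrc_exec_t)
+
 type watchdog_log_t;
 logging_log_file(watchdog_log_t)
 
@@ -17,18 +20,16 @@ files_pid_file(watchdog_var_run_t)
 
 ########################################
 #
-# Declarations
+# Local policy
 #
 
 allow watchdog_t self:capability { sys_admin net_admin sys_boot ipc_lock sys_pacct sys_nice sys_resource };
 dontaudit watchdog_t self:capability sys_tty_config;
 allow watchdog_t self:process { setsched signal_perms };
 allow watchdog_t self:fifo_file rw_fifo_file_perms;
-allow watchdog_t self:unix_stream_socket create_socket_perms;
-allow watchdog_t self:tcp_socket create_stream_socket_perms;
-allow watchdog_t self:udp_socket create_socket_perms;
+allow watchdog_t self:tcp_socket { accept listen };
 
-allow watchdog_t watchdog_log_t:file manage_file_perms;
+allow watchdog_t watchdog_log_t:file { append_file_perms create_file_perms setattr_file_perms };
 logging_log_filetrans(watchdog_t, watchdog_log_t, file)
 
 manage_files_pattern(watchdog_t, watchdog_var_run_t, watchdog_var_run_t)
@@ -38,24 +39,19 @@ kernel_read_system_state(watchdog_t)
 kernel_read_kernel_sysctls(watchdog_t)
 kernel_unmount_proc(watchdog_t)
 
-# for orderly shutdown
 corecmd_exec_shell(watchdog_t)
 
-# cjp: why networking?
 corenet_all_recvfrom_unlabeled(watchdog_t)
 corenet_all_recvfrom_netlabel(watchdog_t)
 corenet_tcp_sendrecv_generic_if(watchdog_t)
-corenet_udp_sendrecv_generic_if(watchdog_t)
 corenet_tcp_sendrecv_generic_node(watchdog_t)
-corenet_udp_sendrecv_generic_node(watchdog_t)
 corenet_tcp_sendrecv_all_ports(watchdog_t)
-corenet_udp_sendrecv_all_ports(watchdog_t)
-corenet_tcp_connect_all_ports(watchdog_t)
+
 corenet_sendrecv_all_client_packets(watchdog_t)
+corenet_tcp_connect_all_ports(watchdog_t)
 
 dev_read_sysfs(watchdog_t)
 dev_write_watchdog(watchdog_t)
-# do not care about saving the random seed
 dev_dontaudit_read_rand(watchdog_t)
 dev_dontaudit_read_urand(watchdog_t)
 
@@ -68,7 +64,6 @@ domain_signal_all_domains(watchdog_t)
 domain_kill_all_domains(watchdog_t)
 
 files_read_etc_files(watchdog_t)
-# for updating mtab on umount
 files_manage_etc_runtime_files(watchdog_t)
 files_etc_filetrans_etc_runtime(watchdog_t, file)
 
@@ -76,14 +71,13 @@ fs_unmount_xattr_fs(watchdog_t)
 fs_getattr_all_fs(watchdog_t)
 fs_search_auto_mountpoints(watchdog_t)
 
-# record the fact that we are going down
 auth_append_login_records(watchdog_t)
 
 logging_send_syslog_msg(watchdog_t)
 
 miscfiles_read_localization(watchdog_t)
 
-sysnet_read_config(watchdog_t)
+sysnet_dns_name_resolve(watchdog_t)
 
 userdom_dontaudit_use_unpriv_user_fds(watchdog_t)
 userdom_dontaudit_search_user_home_dirs(watchdog_t)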
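Review bot: In the networking group of the third hunk, `corenet_tcp_connect_all_ports(watchdog_t)` is kept while the `# cjp: why networking?` comment is dropped, so a domain holding sys_admin and sys_boot may open TCP connections to any port with no stated reason. A one-line comment naming the watchdog feature that needs outbound TCP would make the grant reviewable, and if only particular services are probed the rule could be narrowed to those port types. The same gap applies to `allow watchdog_t self:tcp_socket { accept listen };` in the second hunk: no bind rule appears in the hunks shown, so it is unclear what the daemon would listen on. Socket creation now presumably comes only through `sysnet_dns_name_resolve(watchdog_t)`, which deserves a comment such as `# also provides the tcp/udp socket create permissions`.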