Gentoo Archives: gentoo-commits

From: Sven Vermeulen <sven.vermeulen@××××××.be>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
Date: Tue, 30 Oct 2012 18:38:43
Message-Id: 1351621969.33523d3f5ee1b9ba8779c917d25fe1846a3703f0.SwifT@gentoo
1 commit: 33523d3f5ee1b9ba8779c917d25fe1846a3703f0
2 Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
3 AuthorDate: Tue Oct 30 09:05:59 2012 +0000
4 Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
5 CommitDate: Tue Oct 30 18:32:49 2012 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=33523d3f
7
8 Changes to the tor policy module
9
10 Remove some tor_var_lib_t file transitions that do not make sense (no
11 file context specification)
12
13 Ported from Fedora with changes
14
15 Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
16
17 ---
18 policy/modules/contrib/tor.fc | 4 ++-
19 policy/modules/contrib/tor.if | 16 +++++-----
20 policy/modules/contrib/tor.te | 65 ++++++++++++++++++----------------------
21 3 files changed, 40 insertions(+), 45 deletions(-)
22
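diff --git a/policy/modules/contrib/tor.fc b/policy/modules/contrib/tor.fc
index 79e0a51..6b9d449 100644
--- a/policy/modules/contrib/tor.fc
+++ b/policy/modules/contrib/tor.fc
@@ -1,7 +1,9 @@
-/etc/rc\.d/init\.d/tor -- gen_context(system_u:object_r:tor_initrc_exec_t,s0)
 /etc/tor(/.*)? gen_context(system_u:object_r:tor_etc_t,s0)
 
+/etc/rc\.d/init\.d/tor -- gen_context(system_u:object_r:tor_initrc_exec_t,s0)
+
 /usr/bin/tor -- gen_context(system_u:object_r:tor_exec_t,s0)
+
 /usr/sbin/tor -- gen_context(system_u:object_r:tor_exec_t,s0)
 
 /var/lib/tor(/.*)? gen_context(system_u:object_r:tor_var_lib_t,s0)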
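diff --git a/policy/modules/contrib/tor.if b/policy/modules/contrib/tor.if
index 904f13e..61c2e07 100644
--- a/policy/modules/contrib/tor.if
+++ b/policy/modules/contrib/tor.if
@@ -1,8 +1,8 @@
-## <summary>TOR, the onion router</summary>
+## <summary>The onion router.</summary>
 
 ########################################
 ## <summary>
-## Execute a domain transition to run TOR.
+## Execute a domain transition to run tor.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -15,13 +15,14 @@ interface(`tor_domtrans',`
 type tor_t, tor_exec_t;
 ')
 
+ corecmd_search_bin($1)
 domtrans_pattern($1, tor_exec_t, tor_t)
 ')
 
 ########################################
 ## <summary>
-## All of the rules required to administrate
-## an tor environment
+## All of the rules required to
+## administrate an tor environment.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -30,7 +31,7 @@ interface(`tor_domtrans',`
 ## </param>
 ## <param name="role">
 ## <summary>
-## The role to be allowed to manage the tor domain.
+## Role allowed access.
 ## </summary>
 ## </param>
 ## <rolecap/>
@@ -38,11 +39,10 @@ interface(`tor_domtrans',`
 interface(`tor_admin',`
 gen_require(`
 type tor_t, tor_var_log_t, tor_etc_t;
- type tor_var_lib_t, tor_var_run_t;
- type tor_initrc_exec_t;
+ type tor_var_lib_t, tor_var_run_t, tor_initrc_exec_t;
 ')
 
- allow $1 tor_t:process { ptrace signal_perms getattr };
+ allow $1 tor_t:process { ptrace signal_perms };
 ps_process_pattern($1, tor_t)
 
 init_labeled_script_domtrans($1, tor_initrc_exec_t)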
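Review bot: `tor_admin` still grants `ptrace` on tor_t in `allow $1 tor_t:process { ptrace signal_perms };`, which lets every domain given this interface trace the daemon and read its memory, including its key material. If administrators only need to signal and list the process, `allow $1 tor_t:process signal_perms;` together with the existing `ps_process_pattern($1, tor_t)` would be the tighter grant; otherwise a comment stating why ptrace is required would help. The summary rewritten in this section also still reads `administrate an tor environment`, where `a tor environment` is meant. The body of tor_admin continues outside the hunk.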
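diff --git a/policy/modules/contrib/tor.te b/policy/modules/contrib/tor.te
index 76292d1..f5d1326 100644
--- a/policy/modules/contrib/tor.te
+++ b/policy/modules/contrib/tor.te
@@ -1,4 +1,4 @@
-policy_module(tor, 1.8.2)
+policy_module(tor, 1.8.3)
 
 ########################################
 #
@@ -6,10 +6,10 @@ policy_module(tor, 1.8.2)
 #
 
 ## <desc>
-## <p>
-## Allow tor daemon to bind
-## tcp sockets to all unreserved ports.
-## </p>
+## <p>
+## Determine whether tor can bind
+## tcp sockets to all unreserved ports.
+## </p>
 ## </desc>
 gen_tunable(tor_bind_all_unreserved_ports, false)
 
@@ -17,57 +17,49 @@ type tor_t;
 type tor_exec_t;
 init_daemon_domain(tor_t, tor_exec_t)
 
-# etc/tor
 type tor_etc_t;
 files_config_file(tor_etc_t)
 
 type tor_initrc_exec_t;
 init_script_file(tor_initrc_exec_t)
 
-# var/lib/tor
 type tor_var_lib_t;
 files_type(tor_var_lib_t)
 
-# log files
 type tor_var_log_t;
 logging_log_file(tor_var_log_t)
 
-# pid files
 type tor_var_run_t;
 files_pid_file(tor_var_run_t)
 init_daemon_run_dir(tor_var_run_t, "tor")
 
 ########################################
 #
-# tor local policy
+# Local policy
 #
 
 allow tor_t self:capability { setgid setuid sys_tty_config };
+allow tor_t self:process signal;
 allow tor_t self:fifo_file rw_fifo_file_perms;
-allow tor_t self:unix_stream_socket create_stream_socket_perms;
-allow tor_t self:netlink_route_socket r_netlink_socket_perms;
-allow tor_t self:tcp_socket create_stream_socket_perms;
+allow tor_t self:unix_stream_socket { accept listen };
+allow tor_t self:tcp_socket { accept listen };
 
-# configuration files
 allow tor_t tor_etc_t:dir list_dir_perms;
-read_files_pattern(tor_t, tor_etc_t, tor_etc_t)
-read_lnk_files_pattern(tor_t, tor_etc_t, tor_etc_t)
+allow tor_t tor_etc_t:file read_file_perms;
+allow tor_t tor_etc_t:lnk_file read_lnk_file_perms;
 
-# var/lib/tor files
 manage_dirs_pattern(tor_t, tor_var_lib_t, tor_var_lib_t)
 manage_files_pattern(tor_t, tor_var_lib_t, tor_var_lib_t)
 manage_sock_files_pattern(tor_t, tor_var_lib_t, tor_var_lib_t)
-files_usr_filetrans(tor_t, tor_var_lib_t, file)
-files_var_filetrans(tor_t, tor_var_lib_t, { file dir sock_file })
-files_var_lib_filetrans(tor_t, tor_var_lib_t, file)
+files_var_lib_filetrans(tor_t, tor_var_lib_t, dir)
 
-# log files
-allow tor_t tor_var_log_t:dir setattr;
-manage_files_pattern(tor_t, tor_var_log_t, tor_var_log_t)
+allow tor_t tor_var_log_t:dir setattr_dir_perms;
+append_files_pattern(tor_t, tor_var_log_t, tor_var_log_t)
+create_files_pattern(tor_t, tor_var_log_t, tor_var_log_t)
+setattr_files_pattern(tor_t, tor_var_log_t, tor_var_log_t)
 manage_sock_files_pattern(tor_t, tor_var_log_t, tor_var_log_t)
 logging_log_filetrans(tor_t, tor_var_log_t, { sock_file file dir })
 
-# pid file
 manage_dirs_pattern(tor_t, tor_var_run_t, tor_var_run_t)
 manage_files_pattern(tor_t, tor_var_run_t, tor_var_run_t)
 manage_sock_files_pattern(tor_t, tor_var_run_t, tor_var_run_t)
@@ -76,34 +68,34 @@ files_pid_filetrans(tor_t, tor_var_run_t, { dir file sock_file })
 kernel_read_net_sysctls(tor_t)
 kernel_read_system_state(tor_t)
 
-# networking basics
 corenet_all_recvfrom_unlabeled(tor_t)
 corenet_all_recvfrom_netlabel(tor_t)
 corenet_tcp_sendrecv_generic_if(tor_t)
 corenet_udp_sendrecv_generic_if(tor_t)
 corenet_tcp_sendrecv_generic_node(tor_t)
 corenet_udp_sendrecv_generic_node(tor_t)
-corenet_tcp_sendrecv_all_ports(tor_t)
-corenet_udp_sendrecv_dns_port(tor_t)
-corenet_tcp_sendrecv_all_reserved_ports(tor_t)
 corenet_tcp_bind_generic_node(tor_t)
 corenet_udp_bind_generic_node(tor_t)
-corenet_tcp_bind_tor_port(tor_t)
+
+corenet_sendrecv_dns_server_packets(tor_t)
 corenet_udp_bind_dns_port(tor_t)
+corenet_udp_sendrecv_dns_port(tor_t)
+
 corenet_sendrecv_tor_server_packets(tor_t)
-corenet_sendrecv_dns_server_packets(tor_t)
-# TOR will need to connect to various ports
-corenet_tcp_connect_all_ports(tor_t)
+corenet_tcp_bind_tor_port(tor_t)
+corenet_tcp_sendrecv_tor_port(tor_t)
+
 corenet_sendrecv_all_client_packets(tor_t)
-# ... especially including port 80 and other privileged ports
+corenet_tcp_connect_all_ports(tor_t)
 corenet_tcp_connect_all_reserved_ports(tor_t)
+corenet_tcp_sendrecv_all_ports(tor_t)
+corenet_tcp_sendrecv_all_reserved_ports(tor_t)
 
-# tor uses crypto and needs random
+dev_read_sysfs(tor_t)
 dev_read_urand(tor_t)
 
 domain_use_interactive_fds(tor_t)
 
-files_read_etc_files(tor_t)
 files_read_etc_runtime_files(tor_t)
 files_read_usr_files(tor_t)
 
@@ -113,7 +105,8 @@ logging_send_syslog_msg(tor_t)
 
 miscfiles_read_localization(tor_t)
 
-tunable_policy(`tor_bind_all_unreserved_ports', `
+tunable_policy(`tor_bind_all_unreserved_ports',`
+ corenet_sendrecv_all_server_packets(tor_t)
 corenet_tcp_bind_all_unreserved_ports(tor_t)
 ')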
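Review bot: In the local-policy hunk, `logging_log_filetrans(tor_t, tor_var_log_t, { sock_file file dir })` still names the `dir` class, but the rules visible here give tor_t only `setattr_dir_perms` on tor_var_log_t directories and no directory create, so that transition looks as inert as the tor_var_lib_t ones this commit removes. Unless a rule outside the shown hunks grants directory creation, narrow it to `logging_log_filetrans(tor_t, tor_var_log_t, { sock_file file })`. Separately, the two grants this commit adds, `allow tor_t self:process signal;` and `dev_read_sysfs(tor_t)`, widen the domain without a stated reason while the explanatory comments are being dropped. A one-line comment naming the denial each one resolves would let a later reviewer judge whether it is still needed.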