commit: 1dfbff2d6056d16daa6033ffca02668b2699686f |
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com> |
AuthorDate: Mon Oct 1 08:09:05 2012 +0000 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
CommitDate: Tue Oct 2 18:06:02 2012 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=1dfbff2d |
|
Changes to the fingerd policy module |
|
Module clean up |
|
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com> |
|
--- |
policy/modules/contrib/finger.fc | 21 +++++------------ |
policy/modules/contrib/finger.if | 3 +- |
policy/modules/contrib/finger.te | 45 +++++++++++-------------------------- |
3 files changed, 22 insertions(+), 47 deletions(-) |
|
diff --git a/policy/modules/contrib/finger.fc b/policy/modules/contrib/finger.fc |
21 |
index c861192..843940b 100644 |
22 |
--- a/policy/modules/contrib/finger.fc |
23 |
+++ b/policy/modules/contrib/finger.fc |
24 |
@@ -1,19 +1,10 @@ |
25 |
-# fingerd |
26 |
+/etc/cfingerd(/.*)? gen_context(system_u:object_r:fingerd_etc_t,s0) |
27 |
|
28 |
-# |
29 |
-# /etc |
30 |
-# |
31 |
-/etc/cfingerd(/.*)? gen_context(system_u:object_r:fingerd_etc_t,s0) |
32 |
+/etc/cron\.weekly/(c)?fingerd -- gen_context(system_u:object_r:fingerd_exec_t,s0) |
33 |
|
34 |
-/etc/cron\.weekly/(c)?fingerd -- gen_context(system_u:object_r:fingerd_exec_t,s0) |
35 |
- |
36 |
-# |
37 |
-# /usr |
38 |
-# |
39 |
-/usr/sbin/in\.fingerd -- gen_context(system_u:object_r:fingerd_exec_t,s0) |
40 |
+/usr/sbin/in\.(x)?fingerd -- gen_context(system_u:object_r:fingerd_exec_t,s0) |
41 |
/usr/sbin/[cef]fingerd -- gen_context(system_u:object_r:fingerd_exec_t,s0) |
42 |
|
43 |
-# |
44 |
-# /var |
45 |
-# |
46 |
-/var/log/cfingerd\.log.* -- gen_context(system_u:object_r:fingerd_log_t,s0) |
47 |
+/var/log/cfingerd\.log.* -- gen_context(system_u:object_r:fingerd_log_t,s0) |
48 |
+ |
49 |
+/var/run/*.fingerd\.pid -- gen_context(system_u:object_r:fingerd_var_run_t,s0) |
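Review bot: The new pid-file entry `/var/run/*.fingerd\.pid` is written like a shell glob, but file-context paths are regular expressions: `/*` means zero or more slashes and the unescaped `.` matches any single character, so this labels `/var/run/cfingerd.pid` (and any `/var/run/?fingerd.pid`) but would not match a pid file such as `/var/run/in.fingerd.pid` from the `in\.(x)?fingerd` binaries listed two entries above, if those write one. If a prefix wildcard was intended, `/var/run/.*fingerd\.pid -- gen_context(system_u:object_r:fingerd_var_run_t,s0)` expresses it; a tighter form tied to the executables in this file would be `/var/run/(in\.)?[cefx]?fingerd\.pid`. Pid files created at runtime still get their label from the `files_pid_filetrans` rule in finger.te, so this entry mostly matters for restorecon/relabel, which is exactly when a wrong pattern goes unnoticed.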
50 |
|
51 |
diff --git a/policy/modules/contrib/finger.if b/policy/modules/contrib/finger.if |
52 |
index b5dd671..2656d2b 100644 |
53 |
--- a/policy/modules/contrib/finger.if |
54 |
+++ b/policy/modules/contrib/finger.if |
55 |
@@ -15,12 +15,13 @@ interface(`finger_domtrans',` |
56 |
type fingerd_t, fingerd_exec_t; |
57 |
') |
58 |
|
59 |
+ corecmd_search_bin($1) |
60 |
domtrans_pattern($1, fingerd_exec_t, fingerd_t) |
61 |
') |
62 |
|
63 |
######################################## |
64 |
## <summary> |
65 |
-## Allow the specified domain to connect to fingerd with a tcp socket. (Deprecated) |
66 |
+## Connect to fingerd with a tcp socket. (Deprecated) |
67 |
## </summary> |
68 |
## <param name="domain"> |
69 |
## <summary> |
70 |
|
71 |
diff --git a/policy/modules/contrib/finger.te b/policy/modules/contrib/finger.te |
72 |
index f60af2d..93f5d25 100644 |
73 |
--- a/policy/modules/contrib/finger.te |
74 |
+++ b/policy/modules/contrib/finger.te |
75 |
@@ -1,4 +1,4 @@ |
76 |
-policy_module(finger, 1.9.0) |
77 |
+policy_module(finger, 1.9.1) |
78 |
|
79 |
######################################## |
80 |
# |
81 |
@@ -28,9 +28,6 @@ dontaudit fingerd_t self:capability { sys_tty_config fsetid }; |
82 |
allow fingerd_t self:process signal_perms; |
83 |
allow fingerd_t self:fifo_file rw_fifo_file_perms; |
84 |
allow fingerd_t self:tcp_socket connected_stream_socket_perms; |
85 |
-allow fingerd_t self:udp_socket create_socket_perms; |
86 |
-allow fingerd_t self:unix_dgram_socket create_socket_perms; |
87 |
-allow fingerd_t self:unix_stream_socket create_socket_perms; |
88 |
|
89 |
manage_files_pattern(fingerd_t, fingerd_var_run_t, fingerd_var_run_t) |
90 |
files_pid_filetrans(fingerd_t, fingerd_var_run_t, file) |
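Review bot: Dropping `allow fingerd_t self:unix_dgram_socket create_socket_perms;` is only safe if the syslog path still provides it; the module keeps `logging_send_syslog_msg(fingerd_t)` (visible as context in a later hunk), and in refpolicy that interface normally carries its own unix_dgram_socket rule, but that is worth confirming rather than assuming. The removal of the `self:udp_socket` rule is consistent with the UDP corenet rules dropped later in this commit. A short comment above the surviving `self:tcp_socket` rule, such as `# unix_dgram_socket perms for syslog come from logging_send_syslog_msg()`, would stop the next clean-up from re-adding what was just removed.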
91 |
@@ -39,7 +36,9 @@ allow fingerd_t fingerd_etc_t:dir list_dir_perms; |
92 |
read_files_pattern(fingerd_t, fingerd_etc_t, fingerd_etc_t) |
93 |
read_lnk_files_pattern(fingerd_t, fingerd_etc_t, fingerd_etc_t) |
94 |
|
95 |
-allow fingerd_t fingerd_log_t:file manage_file_perms; |
96 |
+allow fingerd_t fingerd_log_t:file append_file_perms; |
97 |
+allow fingerd_t fingerd_log_t:file create_file_perms; |
98 |
+allow fingerd_t fingerd_log_t:file setattr_file_perms; |
99 |
logging_log_filetrans(fingerd_t, fingerd_log_t, file) |
100 |
|
101 |
kernel_read_kernel_sysctls(fingerd_t) |
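Review bot: Replacing `manage_file_perms` with append/create/setattr on `fingerd_log_t` is a genuine hardening step — fingerd_t can no longer truncate, rewrite or unlink its own log — but nothing in the hunk says so, and an undocumented narrowing tends to get "fixed" back; a comment such as `# append-only: the daemon must not be able to rewrite or remove its own log` would preserve the intent. The three rules could also be one statement, `allow fingerd_t fingerd_log_t:file { append_file_perms create_file_perms setattr_file_perms };`, if the project style accepts nested permission sets. Note that `setattr_file_perms` still lets the domain change mode and ownership of the log; if cfingerd does not actually chmod/chown its log file, that line could go too.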
102 |
@@ -48,16 +47,22 @@ kernel_read_system_state(fingerd_t) |
103 |
corenet_all_recvfrom_unlabeled(fingerd_t) |
104 |
corenet_all_recvfrom_netlabel(fingerd_t) |
105 |
corenet_tcp_sendrecv_generic_if(fingerd_t) |
106 |
-corenet_udp_sendrecv_generic_if(fingerd_t) |
107 |
corenet_tcp_sendrecv_generic_node(fingerd_t) |
108 |
-corenet_udp_sendrecv_generic_node(fingerd_t) |
109 |
-corenet_tcp_sendrecv_all_ports(fingerd_t) |
110 |
-corenet_udp_sendrecv_all_ports(fingerd_t) |
111 |
corenet_tcp_bind_generic_node(fingerd_t) |
112 |
+ |
113 |
+corenet_sendrecv_fingerd_server_packets(fingerd_t) |
114 |
corenet_tcp_bind_fingerd_port(fingerd_t) |
115 |
+corenet_tcp_sendrecv_fingerd_port(fingerd_t) |
116 |
+ |
117 |
+corecmd_exec_bin(fingerd_t) |
118 |
+corecmd_exec_shell(fingerd_t) |
119 |
|
120 |
dev_read_sysfs(fingerd_t) |
121 |
|
122 |
+domain_use_interactive_fds(fingerd_t) |
123 |
+ |
124 |
+files_read_etc_runtime_files(fingerd_t) |
125 |
+ |
126 |
fs_getattr_all_fs(fingerd_t) |
127 |
fs_search_auto_mountpoints(fingerd_t) |
128 |
|
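Review bot: With every UDP rule gone (`corenet_udp_sendrecv_generic_if/node`, `corenet_udp_sendrecv_all_ports` here, `self:udp_socket` earlier in the commit) and `sysnet_read_config` removed in a later hunk, fingerd_t can no longer perform DNS lookups; if cfingerd is configured to resolve client addresses for its log lines or banner, those lookups will now be denied, and `sysnet_dns_name_resolve(fingerd_t)` would be the narrow replacement. The narrowing from `corenet_tcp_sendrecv_all_ports` to `corenet_tcp_sendrecv_fingerd_port` plus `corenet_sendrecv_fingerd_server_packets` is the right shape for a single-port daemon. The relocated `corecmd_exec_bin(fingerd_t)`/`corecmd_exec_shell(fingerd_t)` grant arbitrary binary and shell execution to a domain that handles unauthenticated network input; a comment stating the reason, e.g. `# cfingerd can run external programs/scripts from its configuration`, would document why that trade-off is accepted.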
129 |
@@ -66,15 +71,6 @@ term_getattr_all_ptys(fingerd_t) |
130 |
|
131 |
auth_read_lastlog(fingerd_t) |
132 |
|
133 |
-corecmd_exec_bin(fingerd_t) |
134 |
-corecmd_exec_shell(fingerd_t) |
135 |
- |
136 |
-domain_use_interactive_fds(fingerd_t) |
137 |
- |
138 |
-files_search_home(fingerd_t) |
139 |
-files_read_etc_files(fingerd_t) |
140 |
-files_read_etc_runtime_files(fingerd_t) |
141 |
- |
142 |
init_read_utmp(fingerd_t) |
143 |
init_dontaudit_write_utmp(fingerd_t) |
144 |
|
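Review bot: `files_search_home(fingerd_t)` and `files_read_etc_files(fingerd_t)` are deleted here and nothing in the visible diff re-adds them. Finger's core function is looking the user up (passwd is etc_t) and reading files under the user's home directory, so unless home search is covered by a rule outside these hunks and etc_t read is now granted to all domains by the base domain rules — neither of which the commit message states — both will start producing AVC denials. Please either keep `files_search_home(fingerd_t)` or say in the commit message which rule now provides this access.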
145 |
@@ -82,13 +78,8 @@ logging_send_syslog_msg(fingerd_t) |
146 |
|
147 |
mta_getattr_spool(fingerd_t) |
148 |
|
149 |
-sysnet_read_config(fingerd_t) |
150 |
- |
151 |
miscfiles_read_localization(fingerd_t) |
152 |
|
153 |
-# stop it accessing sub-directories, prevents checking a Maildir for new mail, |
154 |
-# have to change this when we create a type for Maildir |
155 |
-userdom_read_user_home_content_files(fingerd_t) |
156 |
userdom_dontaudit_use_unpriv_user_fds(fingerd_t) |
157 |
|
158 |
optional_policy(` |
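Review bot: Removing `userdom_read_user_home_content_files(fingerd_t)` (together with `files_search_home` in the previous hunk) takes away the access finger needs to read a user's ~/.plan and ~/.project, with no replacement visible in this diff; that is a functional regression rather than clean-up unless it is intentionally being made optional, in which case it belongs under a `tunable_policy` block with a documented boolean rather than being dropped silently. The comment being deleted also recorded a known gap (Maildir access) that is not resolved here; it should be kept or carried into the commit message. Dropping `sysnet_read_config(fingerd_t)` here, alongside the `nis_use_ypbind`/`nscd_socket_use` deletions at the end of the file, leaves user lookups via nscd, NIS or DNS unable to work; `auth_use_nsswitch(fingerd_t)` is the usual single replacement and I do not see it added in this diff.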
159 |
@@ -104,14 +95,6 @@ optional_policy(` |
160 |
') |
161 |
|
162 |
optional_policy(` |
163 |
- nis_use_ypbind(fingerd_t) |
164 |
-') |
165 |
- |
166 |
-optional_policy(` |
167 |
- nscd_socket_use(fingerd_t) |
168 |
-') |
169 |
- |
170 |
-optional_policy(` |
171 |
seutil_sigchld_newrole(fingerd_t) |
172 |
') |