
From: Sven Vermeulen <sven.vermeulen@××××××.be>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
Date: Tue, 02 Oct 2012 18:23:44
Message-Id: 1349201162.1dfbff2d6056d16daa6033ffca02668b2699686f.SwifT@gentoo
1 commit: 1dfbff2d6056d16daa6033ffca02668b2699686f
2 Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
3 AuthorDate: Mon Oct 1 08:09:05 2012 +0000
4 Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
5 CommitDate: Tue Oct 2 18:06:02 2012 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=1dfbff2d
7
8 Changes to the fingerd policy module
9
10 Module clean up
11
12 Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
13
14 ---
15 policy/modules/contrib/finger.fc | 21 +++++------------
16 policy/modules/contrib/finger.if | 3 +-
17 policy/modules/contrib/finger.te | 45 +++++++++++--------------------------
18 3 files changed, 22 insertions(+), 47 deletions(-)
19
20 diff --git a/policy/modules/contrib/finger.fc b/policy/modules/contrib/finger.fc
21 index c861192..843940b 100644
22 --- a/policy/modules/contrib/finger.fc
23 +++ b/policy/modules/contrib/finger.fc
24 @@ -1,19 +1,10 @@
25 -# fingerd
26 +/etc/cfingerd(/.*)? gen_context(system_u:object_r:fingerd_etc_t,s0)
27
28 -#
29 -# /etc
30 -#
31 -/etc/cfingerd(/.*)? gen_context(system_u:object_r:fingerd_etc_t,s0)
32 +/etc/cron\.weekly/(c)?fingerd -- gen_context(system_u:object_r:fingerd_exec_t,s0)
33
34 -/etc/cron\.weekly/(c)?fingerd -- gen_context(system_u:object_r:fingerd_exec_t,s0)
35 -
36 -#
37 -# /usr
38 -#
39 -/usr/sbin/in\.fingerd -- gen_context(system_u:object_r:fingerd_exec_t,s0)
40 +/usr/sbin/in\.(x)?fingerd -- gen_context(system_u:object_r:fingerd_exec_t,s0)
41 /usr/sbin/[cef]fingerd -- gen_context(system_u:object_r:fingerd_exec_t,s0)
42
43 -#
44 -# /var
45 -#
46 -/var/log/cfingerd\.log.* -- gen_context(system_u:object_r:fingerd_log_t,s0)
47 +/var/log/cfingerd\.log.* -- gen_context(system_u:object_r:fingerd_log_t,s0)
48 +
49 +/var/run/*.fingerd\.pid -- gen_context(system_u:object_r:fingerd_var_run_t,s0)
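Review bot: In the added `/var/run/*.fingerd\.pid` line the `*` quantifies the preceding `/` and the unescaped `.` matches any single character, so the expression matches `/var/run/cfingerd.pid` only by accident and does not match a pid file with a longer prefix such as `/var/run/in.fingerd.pid`. The line reads like a shell glob; as a file-context regex it should be `/var/run/.*fingerd\.pid -- gen_context(system_u:object_r:fingerd_var_run_t,s0)`, matching the `.*` style already used on the `/var/log/cfingerd\.log.*` line above. A pid file the pattern misses presumably keeps the generic /var/run label on relabel, so only files created by fingerd itself (via the `files_pid_filetrans` rule in finger.te) would carry fingerd_var_run_t.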
50
51 diff --git a/policy/modules/contrib/finger.if b/policy/modules/contrib/finger.if
52 index b5dd671..2656d2b 100644
53 --- a/policy/modules/contrib/finger.if
54 +++ b/policy/modules/contrib/finger.if
55 @@ -15,12 +15,13 @@ interface(`finger_domtrans',`
56 type fingerd_t, fingerd_exec_t;
57 ')
58
59 + corecmd_search_bin($1)
60 domtrans_pattern($1, fingerd_exec_t, fingerd_t)
61 ')
62
63 ########################################
64 ## <summary>
65 -## Allow the specified domain to connect to fingerd with a tcp socket. (Deprecated)
66 +## Connect to fingerd with a tcp socket. (Deprecated)
67 ## </summary>
68 ## <param name="domain">
69 ## <summary>
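Review bot: The reworded summary still says only `(Deprecated)` without telling a caller what to use instead, which is what a deprecation note in a refpolicy interface header is for. Since this commit itself moves finger.te to the `corenet_*_fingerd_port` family, I would write `## Connect to fingerd with a tcp socket. (Deprecated, use the corenet fingerd port interfaces instead.)`. The `finger_domtrans` interface that the added `corecmd_search_bin($1)` belongs to begins above the hunk.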
70
71 diff --git a/policy/modules/contrib/finger.te b/policy/modules/contrib/finger.te
72 index f60af2d..93f5d25 100644
73 --- a/policy/modules/contrib/finger.te
74 +++ b/policy/modules/contrib/finger.te
75 @@ -1,4 +1,4 @@
76 -policy_module(finger, 1.9.0)
77 +policy_module(finger, 1.9.1)
78
79 ########################################
80 #
81 @@ -28,9 +28,6 @@ dontaudit fingerd_t self:capability { sys_tty_config fsetid };
82 allow fingerd_t self:process signal_perms;
83 allow fingerd_t self:fifo_file rw_fifo_file_perms;
84 allow fingerd_t self:tcp_socket connected_stream_socket_perms;
85 -allow fingerd_t self:udp_socket create_socket_perms;
86 -allow fingerd_t self:unix_dgram_socket create_socket_perms;
87 -allow fingerd_t self:unix_stream_socket create_socket_perms;
88
89 manage_files_pattern(fingerd_t, fingerd_var_run_t, fingerd_var_run_t)
90 files_pid_filetrans(fingerd_t, fingerd_var_run_t, file)
91 @@ -39,7 +36,9 @@ allow fingerd_t fingerd_etc_t:dir list_dir_perms;
92 read_files_pattern(fingerd_t, fingerd_etc_t, fingerd_etc_t)
93 read_lnk_files_pattern(fingerd_t, fingerd_etc_t, fingerd_etc_t)
94
95 -allow fingerd_t fingerd_log_t:file manage_file_perms;
96 +allow fingerd_t fingerd_log_t:file append_file_perms;
97 +allow fingerd_t fingerd_log_t:file create_file_perms;
98 +allow fingerd_t fingerd_log_t:file setattr_file_perms;
99 logging_log_filetrans(fingerd_t, fingerd_log_t, file)
100
101 kernel_read_kernel_sysctls(fingerd_t)
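Review bot: The three new `allow fingerd_t fingerd_log_t:file ...` lines share source, target and class, and the file elsewhere writes such rules as one permission set (`dontaudit fingerd_t self:capability { sys_tty_config fsetid };` in the hunk header above); `allow fingerd_t fingerd_log_t:file { append_file_perms create_file_perms setattr_file_perms };` states the narrowing from manage_file_perms in one place and makes it obvious that read, write, rename and unlink are deliberately no longer granted. A short comment such as `# log is append-only: fingerd cannot read back or truncate its own log` would record why the broader permission set was dropped.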
102 @@ -48,16 +47,22 @@ kernel_read_system_state(fingerd_t)
103 corenet_all_recvfrom_unlabeled(fingerd_t)
104 corenet_all_recvfrom_netlabel(fingerd_t)
105 corenet_tcp_sendrecv_generic_if(fingerd_t)
106 -corenet_udp_sendrecv_generic_if(fingerd_t)
107 corenet_tcp_sendrecv_generic_node(fingerd_t)
108 -corenet_udp_sendrecv_generic_node(fingerd_t)
109 -corenet_tcp_sendrecv_all_ports(fingerd_t)
110 -corenet_udp_sendrecv_all_ports(fingerd_t)
111 corenet_tcp_bind_generic_node(fingerd_t)
112 +
113 +corenet_sendrecv_fingerd_server_packets(fingerd_t)
114 corenet_tcp_bind_fingerd_port(fingerd_t)
115 +corenet_tcp_sendrecv_fingerd_port(fingerd_t)
116 +
117 +corecmd_exec_bin(fingerd_t)
118 +corecmd_exec_shell(fingerd_t)
119
120 dev_read_sysfs(fingerd_t)
121
122 +domain_use_interactive_fds(fingerd_t)
123 +
124 +files_read_etc_runtime_files(fingerd_t)
125 +
126 fs_getattr_all_fs(fingerd_t)
127 fs_search_auto_mountpoints(fingerd_t)
128
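Review bot: The moved `corecmd_exec_bin(fingerd_t)` and `corecmd_exec_shell(fingerd_t)` calls are placed after the `corenet_*` block, while the rest of this hunk follows refpolicy's module-alphabetical ordering (`corenet_`, `dev_`, `domain_`, `files_`, `fs_`), under which `corecmd_` belongs before the `corenet_` calls, directly after the `kernel_` block that ends just above the hunk. Moving the two lines up keeps the file in the order readers of other modules expect. Replacing `corenet_tcp_sendrecv_all_ports` with the fingerd-port-specific bind and sendrecv calls is a clear tightening; nothing further to change there.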
129 @@ -66,15 +71,6 @@ term_getattr_all_ptys(fingerd_t)
130
131 auth_read_lastlog(fingerd_t)
132
133 -corecmd_exec_bin(fingerd_t)
134 -corecmd_exec_shell(fingerd_t)
135 -
136 -domain_use_interactive_fds(fingerd_t)
137 -
138 -files_search_home(fingerd_t)
139 -files_read_etc_files(fingerd_t)
140 -files_read_etc_runtime_files(fingerd_t)
141 -
142 init_read_utmp(fingerd_t)
143 init_dontaudit_write_utmp(fingerd_t)
144
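Review bot: `files_search_home(fingerd_t)` is removed here, and the hunk at `@@ -82,13 +78,8 @@` below removes `userdom_read_user_home_content_files(fingerd_t)` together with the comment that explained that access; unless these are re-granted in a part of finger.te outside the hunks shown, fingerd can no longer search or read users' home directories, which a finger server needs to serve per-user files such as ~/.plan. If dropping that access is intended, a one-line comment in place of the deleted one (for example `# no access to user home content; per-user .plan files are not served`) would preserve the rationale the old comment carried. `files_read_etc_files(fingerd_t)` is also dropped without a visible replacement; that is only safe if the domain already receives generic /etc read access from a base rule, which I cannot confirm from this diff, otherwise lookups that read /etc/passwd would be denied.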
145 @@ -82,13 +78,8 @@ logging_send_syslog_msg(fingerd_t)
146
147 mta_getattr_spool(fingerd_t)
148
149 -sysnet_read_config(fingerd_t)
150 -
151 miscfiles_read_localization(fingerd_t)
152
153 -# stop it accessing sub-directories, prevents checking a Maildir for new mail,
154 -# have to change this when we create a type for Maildir
155 -userdom_read_user_home_content_files(fingerd_t)
156 userdom_dontaudit_use_unpriv_user_fds(fingerd_t)
157
158 optional_policy(`
159 @@ -104,14 +95,6 @@ optional_policy(`
160 ')
161
162 optional_policy(`
163 - nis_use_ypbind(fingerd_t)
164 -')
165 -
166 -optional_policy(`
167 - nscd_socket_use(fingerd_t)
168 -')
169 -
170 -optional_policy(`
171 seutil_sigchld_newrole(fingerd_t)
172 ')