commit: 44c7994f453c43349074368972d58e465e1f5d27 |
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org> |
AuthorDate: Thu Jan 28 15:53:04 2021 +0000 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
CommitDate: Mon Feb 1 01:21:42 2021 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=44c7994f |
|
apache, mysql, postgrey, samba, squid: Apply new mmap_manage_files_pattern(). |
|
Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org> |
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org> |
|
policy/modules/services/apache.if | 6 ++---- |
policy/modules/services/apache.te | 15 +++++---------- |
policy/modules/services/mysql.te | 6 ++---- |
policy/modules/services/postgrey.te | 3 +-- |
policy/modules/services/samba.te | 15 +++++---------- |
policy/modules/services/squid.te | 3 +-- |
6 files changed, 16 insertions(+), 32 deletions(-) |
|
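diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
index 44767359..1695af75 100644
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@@ -70,8 +70,7 @@ template(`apache_content_template',`
  allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_script_exec_t }:lnk_file read_lnk_file_perms;
 
  manage_dirs_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
- manage_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
- allow httpd_$1_script_t httpd_$1_rw_content_t:file map;
+ mmap_manage_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
  manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
  manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
  manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
@@ -1025,8 +1024,7 @@ interface(`apache_manage_sys_rw_content',`
 
  apache_search_sys_content($1)
  manage_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
- manage_files_pattern($1,httpd_sys_rw_content_t, httpd_sys_rw_content_t)
- allow $1 httpd_sys_rw_content_t:file map;
+ mmap_manage_files_pattern($1,httpd_sys_rw_content_t, httpd_sys_rw_content_t)
  manage_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
 ')
 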
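Review bot: The new line `mmap_manage_files_pattern($1,httpd_sys_rw_content_t, httpd_sys_rw_content_t)` in apache_manage_sys_rw_content carries over the missing space after `$1,` from the line it replaces. Since the line is being rewritten anyway, `mmap_manage_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)` would match the spacing of every other pattern call in both hunks. The interface body starts outside the hunk.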
46 |
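diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
index da43a1d8..35fafe56 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -378,10 +378,9 @@ allow httpd_t self:unix_stream_socket { accept connectto listen };
 allow httpd_t self:tcp_socket { accept listen };
 
 manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
-manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
+mmap_manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
 manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
 files_var_filetrans(httpd_t, httpd_cache_t, dir)
-allow httpd_t httpd_cache_t:file map;
 
 allow httpd_t httpd_config_t:dir list_dir_perms;
 read_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
@@ -415,9 +414,8 @@ read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
 allow httpd_t httpd_rotatelogs_t:process signal_perms;
 
 manage_dirs_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
-manage_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
+mmap_manage_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
 manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
-allow httpd_t httpd_squirrelmail_t:file map;
 
 allow httpd_t httpd_suexec_exec_t:file read_file_perms;
 
@@ -441,8 +439,7 @@ manage_sock_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
 fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_file })
 
 manage_dirs_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
-manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
-allow httpd_t httpd_var_lib_t:file map;
+mmap_manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
 manage_lnk_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
 files_var_lib_filetrans(httpd_t, httpd_var_lib_t, { dir file })
 
@@ -622,8 +619,7 @@ tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
  domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
 
  manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
- manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
- allow httpd_t httpdcontent:file map;
+ mmap_manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
  manage_fifo_files_pattern(httpd_t, httpdcontent, httpdcontent)
  manage_lnk_files_pattern(httpd_t, httpdcontent, httpdcontent)
  manage_sock_files_pattern(httpd_t, httpdcontent, httpdcontent)
@@ -908,8 +904,7 @@ optional_policy(`
 # Helper local policy
 #
 
-read_files_pattern(httpd_helper_t, httpd_config_t, httpd_config_t)
-allow httpd_t httpd_config_t:file map;
+mmap_read_files_pattern(httpd_helper_t, httpd_config_t, httpd_config_t)
 
 append_files_pattern(httpd_helper_t, httpd_log_t, httpd_log_t)
 read_lnk_files_pattern(httpd_helper_t, httpd_log_t, httpd_log_t)
 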
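Review bot: The last hunk (helper local policy) changes which domain holds `map` on httpd_config_t rather than just swapping patterns: the removed `allow httpd_t httpd_config_t:file map;` named httpd_t, while the new `mmap_read_files_pattern(httpd_helper_t, httpd_config_t, httpd_config_t)` grants map to httpd_helper_t, so httpd_t loses the permission and httpd_helper_t gains it. The old subject looks like a copy/paste slip given its position in the helper section, but the result is a real permission change inside a commit described as a mechanical pattern conversion, and the only httpd_t access to httpd_config_t visible in the first hunk's context is `read_files_pattern(httpd_t, httpd_config_t, httpd_config_t)` with no map. This deserves a sentence in the commit message, plus a check that httpd_t does not rely on mapping its configuration; if it does, changing that line to `mmap_read_files_pattern(httpd_t, httpd_config_t, httpd_config_t)` would preserve the previous access.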
104 |
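diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te
index 5a264e2f..84a49b16 100644
--- a/policy/modules/services/mysql.te
+++ b/policy/modules/services/mysql.te
@@ -74,8 +74,7 @@ allow mysqld_t self:unix_stream_socket { connectto accept listen };
 allow mysqld_t self:tcp_socket { accept listen };
 
 manage_dirs_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
-manage_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
-allow mysqld_t mysqld_db_t:file map;
+mmap_manage_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
 manage_lnk_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
 files_var_lib_filetrans(mysqld_t, mysqld_db_t, { dir file lnk_file })
 
@@ -91,8 +90,7 @@ manage_lnk_files_pattern(mysqld_t, mysqld_log_t, mysqld_log_t)
 logging_log_filetrans(mysqld_t, mysqld_log_t, { dir file })
 
 manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
-manage_files_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
-allow mysqld_t mysqld_tmp_t:file map;
+mmap_manage_files_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
 files_tmp_filetrans(mysqld_t, mysqld_tmp_t, { file dir })
 
 manage_dirs_pattern(mysqld_t, mysqld_runtime_t, mysqld_runtime_t)
 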
129 |
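diff --git a/policy/modules/services/postgrey.te b/policy/modules/services/postgrey.te
index a96e9dd9..da47d1e0 100644
--- a/policy/modules/services/postgrey.te
+++ b/policy/modules/services/postgrey.te
@@ -46,8 +46,7 @@ manage_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t)
 manage_fifo_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t)
 manage_sock_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t)
 
-manage_files_pattern(postgrey_t, postgrey_var_lib_t, postgrey_var_lib_t)
-allow postgrey_t postgrey_var_lib_t:file map;
+mmap_manage_files_pattern(postgrey_t, postgrey_var_lib_t, postgrey_var_lib_t)
 files_var_lib_filetrans(postgrey_t, postgrey_var_lib_t, file)
 
 manage_dirs_pattern(postgrey_t, postgrey_runtime_t, postgrey_runtime_t)
 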
144 |
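diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
index 855d846d..40b6684c 100644
--- a/policy/modules/services/samba.te
+++ b/policy/modules/services/samba.te
@@ -217,8 +217,7 @@ manage_files_pattern(samba_net_t, samba_net_tmp_t, samba_net_tmp_t)
 files_tmp_filetrans(samba_net_t, samba_net_tmp_t, { file dir })
 
 manage_dirs_pattern(samba_net_t, samba_var_t, samba_var_t)
-manage_files_pattern(samba_net_t, samba_var_t, samba_var_t)
-allow samba_net_t samba_var_t:file map;
+mmap_manage_files_pattern(samba_net_t, samba_var_t, samba_var_t)
 manage_lnk_files_pattern(samba_net_t, samba_var_t, samba_var_t)
 files_var_filetrans(samba_net_t, samba_var_t, dir, "samba")
 
@@ -303,8 +302,7 @@ manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t)
 allow smbd_t samba_share_t:filesystem { getattr quotaget };
 
 manage_dirs_pattern(smbd_t, samba_var_t, samba_var_t)
-manage_files_pattern(smbd_t, samba_var_t, samba_var_t)
-allow smbd_t samba_var_t:file map;
+mmap_manage_files_pattern(smbd_t, samba_var_t, samba_var_t)
 manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t)
 manage_sock_files_pattern(smbd_t, samba_var_t, samba_var_t)
 files_var_filetrans(smbd_t, samba_var_t, dir, "samba")
@@ -314,8 +312,7 @@ manage_files_pattern(smbd_t, smbd_tmp_t, smbd_tmp_t)
 files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir })
 
 manage_dirs_pattern(smbd_t, samba_runtime_t, samba_runtime_t)
-manage_files_pattern(smbd_t, samba_runtime_t, samba_runtime_t)
-allow smbd_t samba_runtime_t:file map;
+mmap_manage_files_pattern(smbd_t, samba_runtime_t, samba_runtime_t)
 manage_sock_files_pattern(smbd_t, samba_runtime_t, samba_runtime_t)
 files_runtime_filetrans(smbd_t, samba_runtime_t, { dir file })
 
@@ -530,8 +527,7 @@ allow nmbd_t self:unix_dgram_socket sendto;
 allow nmbd_t self:unix_stream_socket { accept connectto listen };
 
 manage_dirs_pattern(nmbd_t, samba_runtime_t, samba_runtime_t)
-manage_files_pattern(nmbd_t, samba_runtime_t, samba_runtime_t)
-allow nmbd_t samba_runtime_t:file map;
+mmap_manage_files_pattern(nmbd_t, samba_runtime_t, samba_runtime_t)
 manage_sock_files_pattern(nmbd_t, samba_runtime_t, samba_runtime_t)
 files_runtime_filetrans(nmbd_t, samba_runtime_t, { dir file sock_file })
 
@@ -543,8 +539,7 @@ append_files_pattern(nmbd_t, samba_log_t, samba_log_t)
 create_files_pattern(nmbd_t, samba_log_t, samba_log_t)
 setattr_files_pattern(nmbd_t, samba_log_t, samba_log_t)
 
-manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
-allow nmbd_t samba_var_t:file map;
+mmap_manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
 manage_lnk_files_pattern(nmbd_t, samba_var_t, samba_var_t)
 manage_sock_files_pattern(nmbd_t, samba_var_t, samba_var_t)
 files_var_filetrans(nmbd_t, samba_var_t, dir, "nmbd")
 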
199 |
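diff --git a/policy/modules/services/squid.te b/policy/modules/services/squid.te
index f9890df1..263574f5 100644
--- a/policy/modules/services/squid.te
+++ b/policy/modules/services/squid.te
@@ -91,8 +91,7 @@ manage_dirs_pattern(squid_t, squid_tmp_t, squid_tmp_t)
 manage_files_pattern(squid_t, squid_tmp_t, squid_tmp_t)
 files_tmp_filetrans(squid_t, squid_tmp_t, { file dir })
 
-manage_files_pattern(squid_t, squid_tmpfs_t, squid_tmpfs_t)
-allow squid_t squid_tmpfs_t:file map;
+mmap_manage_files_pattern(squid_t, squid_tmpfs_t, squid_tmpfs_t)
 fs_tmpfs_filetrans(squid_t, squid_tmpfs_t, file)
 
 manage_files_pattern(squid_t, squid_runtime_t, squid_runtime_t)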