commit: 40ed5e840cead0e4a47ea29d16133a505fc043d8 |
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com> |
AuthorDate: Tue Oct 30 08:52:45 2012 +0000 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
CommitDate: Tue Oct 30 18:32:45 2012 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=40ed5e84 |
|
Changes to the tmpreaper policy module and relevant dependencies |
|
We need a user_home_type attribute to be able to allow tmpreaper to |
delete any and all user home content |
|
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com> |
|
--- |
policy/modules/contrib/apache.if | 18 ++++++++++++++++++ |
policy/modules/contrib/apache.te | 2 +- |
policy/modules/contrib/tmpreaper.fc | 2 -- |
policy/modules/contrib/tmpreaper.if | 3 +-- |
policy/modules/contrib/tmpreaper.te | 31 +++++++++++++++++-------------- |
5 files changed, 37 insertions(+), 19 deletions(-) |
|
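--- a/policy/modules/contrib/apache.if
+++ b/policy/modules/contrib/apache.if
@@ -595,6 +595,24 @@ interface(`apache_rw_cache_files',`
 
 ########################################
 ## <summary>
+## Delete httpd cache directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_delete_cache_dirs',`
+ gen_require(`
+ type httpd_cache_t;
+ ')
+
+ delete_dirs_pattern($1, httpd_cache_t, httpd_cache_t)
+')
+
+########################################
+## <summary>
 ## Delete httpd cache files.
 ## </summary>
 ## <param name="domain">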
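Review bot: The XML summary of the new `apache_delete_cache_dirs` interface understates what it grants: if `delete_dirs_pattern` expands as it does elsewhere in refpolicy's obj_perm_sets.spt, the first httpd_cache_t argument receives `rw_dir_perms` (add_name/remove_name/write) in addition to `delete_dir_perms` on the second, so a caller gets write access to the httpd cache tree, not only rmdir. That is the expected shape for a delete interface, but callers such as tmpreaper_t should not be handed directory write access unknowingly, so state it in the summary, e.g. `## Delete httpd cache directories (grants read/write on httpd cache directories as needed to remove their entries).`. The neighbouring `apache_delete_cache_files` summary has the same gap, but that is pre-existing.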
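--- a/policy/modules/contrib/apache.te
+++ b/policy/modules/contrib/apache.te
@@ -1,4 +1,4 @@
-policy_module(apache, 2.6.1)
+policy_module(apache, 2.6.2)
 
 ########################################
 #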
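--- a/policy/modules/contrib/tmpreaper.fc
+++ b/policy/modules/contrib/tmpreaper.fc
@@ -1,7 +1,5 @@
-ifdef(`distro_debian',`
 /etc/rc\.d/init\.d/mountall-bootclean.sh -- gen_context(system_u:object_r:tmpreaper_exec_t,s0)
 /etc/rc\.d/init\.d/mountnfs-bootclean.sh -- gen_context(system_u:object_r:tmpreaper_exec_t,s0)
-')
 
 /usr/sbin/tmpreaper -- gen_context(system_u:object_r:tmpreaper_exec_t,s0)
 /usr/sbin/tmpwatch -- gen_context(system_u:object_r:tmpreaper_exec_t,s0)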
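--- a/policy/modules/contrib/tmpreaper.if
+++ b/policy/modules/contrib/tmpreaper.if
@@ -1,4 +1,4 @@
-## <summary>Manage temporary directory sizes and file ages</summary>
+## <summary>Manage temporary directory sizes and file ages.</summary>
 
 ########################################
 ## <summary>
@@ -15,7 +15,6 @@ interface(`tmpreaper_exec',`
 type tmpreaper_exec_t;
 ')
 
- files_search_usr($1)
 corecmd_search_bin($1)
 can_exec($1, tmpreaper_exec_t)
 ')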
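--- a/policy/modules/contrib/tmpreaper.te
+++ b/policy/modules/contrib/tmpreaper.te
@@ -1,4 +1,4 @@
-policy_module(tmpreaper, 1.6.1)
+policy_module(tmpreaper, 1.6.2)
 
 ########################################
 #
@@ -7,39 +7,41 @@ policy_module(tmpreaper, 1.6.1)
 
 type tmpreaper_t;
 type tmpreaper_exec_t;
-application_domain(tmpreaper_t, tmpreaper_exec_t)
-role system_r types tmpreaper_t;
+init_system_domain(tmpreaper_t, tmpreaper_exec_t)
 
 ########################################
 #
 # Local Policy
 #
 
-allow tmpreaper_t self:process { fork sigchld };
 allow tmpreaper_t self:capability { dac_override dac_read_search fowner };
 
+kernel_list_unlabeled(tmpreaper_t)
+kernel_read_system_state(tmpreaper_t)
+
 dev_read_urand(tmpreaper_t)
 
 fs_getattr_xattr_fs(tmpreaper_t)
+fs_list_all(tmpreaper_t)
 
-files_read_etc_files(tmpreaper_t)
+files_getattr_all_dirs(tmpreaper_t)
+files_getattr_all_files(tmpreaper_t)
 files_read_var_lib_files(tmpreaper_t)
 files_purge_tmp(tmpreaper_t)
-# why does it need setattr?
 files_setattr_all_tmp_dirs(tmpreaper_t)
-files_getattr_all_dirs(tmpreaper_t)
-files_getattr_all_files(tmpreaper_t)
 
+mcs_file_read_all(tmpreaper_t)
+mcs_file_write_all(tmpreaper_t)
 mls_file_read_all_levels(tmpreaper_t)
 mls_file_write_all_levels(tmpreaper_t)
 
+auth_use_nsswitch(tmpreaper_t)
+
 logging_send_syslog_msg(tmpreaper_t)
 
 miscfiles_read_localization(tmpreaper_t)
 miscfiles_delete_man_pages(tmpreaper_t)
 
-cron_system_entry(tmpreaper_t, tmpreaper_exec_t)
-
 ifdef(`distro_redhat',`
 userdom_list_user_home_content(tmpreaper_t)
 userdom_delete_user_home_content_dirs(tmpreaper_t)
@@ -53,22 +55,23 @@ optional_policy(`
 
 optional_policy(`
 apache_list_cache(tmpreaper_t)
+ apache_delete_cache_dirs(tmpreaper_t)
 apache_delete_cache_files(tmpreaper_t)
 apache_setattr_cache_dirs(tmpreaper_t)
 ')
 
 optional_policy(`
- kismet_manage_log(tmpreaper_t)
+ cron_system_entry(tmpreaper_t, tmpreaper_exec_t)
 ')
 
 optional_policy(`
- lpd_manage_spool(tmpreaper_t)
+ kismet_manage_log(tmpreaper_t)
 ')
 
 optional_policy(`
- rpm_manage_cache(tmpreaper_t)
+ lpd_manage_spool(tmpreaper_t)
 ')
 
 optional_policy(`
- unconfined_domain(tmpreaper_t)
+ rpm_manage_cache(tmpreaper_t)
 ')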
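Review bot: The removal of the `optional_policy` block that called `unconfined_domain(tmpreaper_t)` in the last hunk (its `- unconfined_domain(tmpreaper_t)` line is replaced by `rpm_manage_cache` and no unconfined fallback remains) is the most consequential change in this commit, yet neither the description nor the .te mentions it. Confining tmpreaper_t is the right direction, but from now on the explicit rules added in the first hunk (`fs_list_all`, `files_getattr_all_*`, `mcs_file_*_all`, `mls_file_*_all_levels`) are the effective ceiling, and the description's remark that a user_home_type attribute is needed presumably follows from home content outside the `distro_redhat` userdom_* calls no longer being deletable; a one-line comment at the top of the Local Policy section recording that tmpreaper_t is now confined and what is known to be missing would save the next reader that archaeology. The first hunk also drops the `# why does it need setattr?` question while keeping `files_setattr_all_tmp_dirs(tmpreaper_t)`; if the reason is now known, replace the question with the answer rather than deleting it, e.g. `# setattr: tmpreaper resets directory timestamps after pruning -- confirm`.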