commit: 8725e760d87969766e0353cd32e814b28ef92fb5 |
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com> |
AuthorDate: Tue Oct 2 08:06:58 2012 +0000 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
CommitDate: Tue Oct 2 18:07:27 2012 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=8725e760 |
|
Changes to the games policy module |
|
Use role attributes |
Module clean up |
|
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com> |
|
--- |
policy/modules/contrib/games.fc | 66 +++++++++++++++++--------------------- |
policy/modules/contrib/games.if | 20 ++++++----- |
policy/modules/contrib/games.te | 21 ++++++------ |
3 files changed, 51 insertions(+), 56 deletions(-) |
|
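--- a/policy/modules/contrib/games.fc
+++ b/policy/modules/contrib/games.fc
@@ -1,33 +1,18 @@
-#
-# /usr
-#
-/usr/lib/games(/.*)? gen_context(system_u:object_r:games_exec_t,s0)
-/usr/games/.* -- gen_context(system_u:object_r:games_exec_t,s0)
-
-#
-# /var
-#
-/var/lib/games(/.*)? gen_context(system_u:object_r:games_data_t,s0)
-/var/games(/.*)? gen_context(system_u:object_r:games_data_t,s0)
-
-ifndef(`distro_debian',`
-/usr/bin/micq -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/atlantik -- gen_context(system_u:object_r:games_exec_t,s0)
 /usr/bin/blackjack -- gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/gataxx -- gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/glines -- gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/gnect -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/civclient.* -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/civserver.* -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/gataxx -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/glines -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/gnect -- gen_context(system_u:object_r:games_exec_t,s0)
 /usr/bin/gnibbles -- gen_context(system_u:object_r:games_exec_t,s0)
 /usr/bin/gnobots2 -- gen_context(system_u:object_r:games_exec_t,s0)
 /usr/bin/gnome-stones -- gen_context(system_u:object_r:games_exec_t,s0)
 /usr/bin/gnomine -- gen_context(system_u:object_r:games_exec_t,s0)
 /usr/bin/gnotravex -- gen_context(system_u:object_r:games_exec_t,s0)
 /usr/bin/gnotski -- gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/gtali -- gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/iagno -- gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/mahjongg -- gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/same-gnome -- gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/sol -- gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/atlantik -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/gtali -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/iagno -- gen_context(system_u:object_r:games_exec_t,s0)
 /usr/bin/kasteroids -- gen_context(system_u:object_r:games_exec_t,s0)
 /usr/bin/katomic -- gen_context(system_u:object_r:games_exec_t,s0)
 /usr/bin/kbackgammon -- gen_context(system_u:object_r:games_exec_t,s0)
@@ -39,28 +24,37 @@ ifndef(`distro_debian',`
 /usr/bin/kgoldrunner -- gen_context(system_u:object_r:games_exec_t,s0)
 /usr/bin/kjumpingcube -- gen_context(system_u:object_r:games_exec_t,s0)
 /usr/bin/klickety -- gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/klines -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/klines -- gen_context(system_u:object_r:games_exec_t,s0)
 /usr/bin/kmahjongg -- gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/kmines -- gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/kolf -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kmines -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kolf -- gen_context(system_u:object_r:games_exec_t,s0)
 /usr/bin/konquest -- gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/kpat -- gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/kpoker -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kpat -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kpoker -- gen_context(system_u:object_r:games_exec_t,s0)
 /usr/bin/kreversi -- gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/ksame -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/ksame -- gen_context(system_u:object_r:games_exec_t,s0)
 /usr/bin/kshisen -- gen_context(system_u:object_r:games_exec_t,s0)
 /usr/bin/ksirtet -- gen_context(system_u:object_r:games_exec_t,s0)
 /usr/bin/ksmiletris -- gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/ksnake -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/ksnake -- gen_context(system_u:object_r:games_exec_t,s0)
 /usr/bin/ksokoban -- gen_context(system_u:object_r:games_exec_t,s0)
 /usr/bin/kspaceduel -- gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/ktron -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/ktron -- gen_context(system_u:object_r:games_exec_t,s0)
 /usr/bin/ktuberling -- gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/kwin4 -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kwin4 -- gen_context(system_u:object_r:games_exec_t,s0)
 /usr/bin/kwin4proc -- gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/lskat -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/lskat -- gen_context(system_u:object_r:games_exec_t,s0)
 /usr/bin/lskatproc -- gen_context(system_u:object_r:games_exec_t,s0)
 /usr/bin/Maelstrom -- gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/civclient.* -- gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/civserver.* -- gen_context(system_u:object_r:games_exec_t,s0)
-')dnl end non-Debian section
+/usr/bin/mahjongg -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/micq -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/same-gnome -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/sol -- gen_context(system_u:object_r:games_exec_t,s0)
+
+/usr/games/.* -- gen_context(system_u:object_r:games_exec_t,s0)
+
+/usr/lib/games(/.*)? gen_context(system_u:object_r:games_exec_t,s0)
+
+/var/games(/.*)? gen_context(system_u:object_r:games_data_t,s0)
+
+/var/lib/games(/.*)? gen_context(system_u:object_r:games_data_t,s0)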
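Review bot: Dropping the `ifndef(`distro_debian',`` guard and its `')dnl end non-Debian section` closer means every /usr/bin entry it wrapped (atlantik through sol, micq included) is now labelled games_exec_t on Debian builds too, which the description ("Module clean up") does not mention. If the Debian exclusion is obsolete, a sentence in the commit message saying why would make that reviewable; if it is not, the guard should be kept around those entries. The reordering itself and the moved /usr/games, /usr/lib/games and /var data entries change no labels. The second hunk's matching removed/added pairs (klines, kmines, …) differ only in whitespace as rendered, so I assume they are a tab/space normalisation.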
119 |
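--- a/policy/modules/contrib/games.if
+++ b/policy/modules/contrib/games.if
@@ -1,39 +1,40 @@
-## <summary>Games</summary>
+## <summary>Various games.</summary>
 
-############################################################
+########################################
 ## <summary>
-## Role access for games
+## Role access for games.
 ## </summary>
 ## <param name="role">
 ## <summary>
-## Role allowed access
+## Role allowed access.
 ## </summary>
 ## </param>
 ## <param name="domain">
 ## <summary>
-## User domain for the role
+## User domain for the role.
 ## </summary>
 ## </param>
 #
 interface(`games_role',`
 gen_require(`
+ attribute_role games_roles;
 type games_t, games_exec_t;
 ')
 
- role $1 types games_t;
+ roleattribute $1 games_roles;
 
 domtrans_pattern($2, games_exec_t, games_t)
+
 allow $2 games_t:unix_stream_socket connectto;
 allow games_t $2:unix_stream_socket connectto;
 
- # Allow the user domain to signal/ps.
 ps_process_pattern($2, games_t)
- allow $2 games_t:process signal_perms;
+ allow $2 games_t:process { ptrace signal_perms };
 ')
 
 ########################################
 ## <summary>
-## Allow the specified domain to read/write
+## Read and write games data files.
 ## games data.
 ## </summary>
 ## <param name="domain">
@@ -47,5 +48,6 @@ interface(`games_rw_data',`
 type games_data_t;
 ')
 
+ files_search_var_lib($1)
 rw_files_pattern($1, games_data_t, games_data_t)
 ')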
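Review bot: The games_rw_data summary is left broken by the first hunk: the new `## Read and write games data files.` line replaces only the first of the two old lines, so the stale `## games data.` context line directly below it now renders as "Read and write games data files. games data."; that second line should be deleted. Separately, `allow $2 games_t:process { ptrace signal_perms };` in games_role widens what a role's user domain may do to games_t from signalling to ptrace, a privilege expansion that neither "Use role attributes" nor "Module clean up" covers, and the `# Allow the user domain to signal/ps.` comment that explained the old rule is removed rather than updated. If ptrace is intended to match other user-application interfaces, a one-line comment such as `# Allow the user domain to ptrace/signal/ps its games.` above `ps_process_pattern($2, games_t)` or a sentence in the commit message would record that.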
181 |
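--- a/policy/modules/contrib/games.te
+++ b/policy/modules/contrib/games.te
@@ -1,15 +1,18 @@
-policy_module(games, 2.2.0)
+policy_module(games, 2.2.1)
 
 ########################################
 #
 # Declarations
 #
 
+attribute_role games_roles;
+
 type games_t;
 type games_exec_t;
 typealias games_t alias { user_games_t staff_games_t sysadm_games_t };
 typealias games_t alias { auditadm_games_t secadm_games_t };
 userdom_user_application_domain(games_t, games_exec_t)
+role games_roles types games_t;
 
 type games_data_t;
 typealias games_data_t alias { user_games_data_t staff_games_data_t sysadm_games_data_t };
@@ -23,8 +26,6 @@ typealias games_devpts_t alias { auditadm_games_devpts_t secadm_games_devpts_t }
 term_pty(games_devpts_t)
 ubac_constrained(games_devpts_t)
 
-# games_srv_t is for system operation of games, generic games daemons and
-# games recovery scripts
 type games_srv_t;
 init_system_domain(games_srv_t, games_exec_t)
 
@@ -91,7 +92,7 @@ optional_policy(`
 
 ########################################
 #
-# Local policy
+# Client local policy
 #
 
 allow games_t self:sem create_sem_perms;
@@ -123,22 +124,21 @@ corecmd_exec_bin(games_t)
 corenet_all_recvfrom_unlabeled(games_t)
 corenet_all_recvfrom_netlabel(games_t)
 corenet_tcp_sendrecv_generic_if(games_t)
-corenet_udp_sendrecv_generic_if(games_t)
 corenet_tcp_sendrecv_generic_node(games_t)
-corenet_udp_sendrecv_generic_node(games_t)
 corenet_tcp_sendrecv_all_ports(games_t)
-corenet_udp_sendrecv_all_ports(games_t)
 corenet_tcp_bind_generic_node(games_t)
+
+corenet_sendrecv_generic_server_packets(games_t)
 corenet_tcp_bind_generic_port(games_t)
-corenet_tcp_connect_generic_port(games_t)
+
 corenet_sendrecv_generic_client_packets(games_t)
-corenet_sendrecv_generic_server_packets(games_t)
+corenet_tcp_connect_generic_port(games_t)
 
 dev_read_sound(games_t)
-dev_write_sound(games_t)
 dev_read_input(games_t)
 dev_read_mouse(games_t)
 dev_read_urand(games_t)
+dev_write_sound(games_t)
 
 files_list_var(games_t)
 files_search_var_lib(games_t)
@@ -160,7 +160,6 @@ userdom_manage_user_tmp_dirs(games_t)
 userdom_manage_user_tmp_files(games_t)
 userdom_manage_user_tmp_symlinks(games_t)
 userdom_manage_user_tmp_sockets(games_t)
-# Suppress .icons denial until properly implemented
 userdom_dontaudit_read_user_home_content_files(games_t)
 
 tunable_policy(`allow_execmem',`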
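Review bot: Removing `corenet_udp_sendrecv_generic_if(games_t)`, `corenet_udp_sendrecv_generic_node(games_t)` and `corenet_udp_sendrecv_all_ports(games_t)` in the fourth hunk drops UDP access for games_t while the matching TCP calls stay, which is a behaviour change the description ("Module clean up") does not mention; if those interfaces are deprecated in this refpolicy version the message should say so, otherwise any game that uses UDP will start being denied. The rest of that hunk only reorders calls, as does the dev_write_sound move. The two deleted comments, `# games_srv_t is for system operation of games, generic games daemons and games recovery scripts` and `# Suppress .icons denial until properly implemented`, carried rationale the rules themselves do not; keeping them (or at least a one-line header above `type games_srv_t;`) would preserve it. The "Client local policy" rename presumably pairs with a server section outside these hunks, which I cannot see from here.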