
From: Sven Vermeulen <sven.vermeulen@××××××.be>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
Date: Tue, 02 Oct 2012 18:15:47
Message-Id: 1349201285.515972fb2ea44f2c331f09bd61991e46976f1064.SwifT@gentoo
1 commit: 515972fb2ea44f2c331f09bd61991e46976f1064
2 Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
3 AuthorDate: Tue Oct 2 10:48:22 2012 +0000
4 Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
5 CommitDate: Tue Oct 2 18:08:05 2012 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=515972fb
7
8 Changes to the gitosis policy module
9
10 Ported from Fedora with changes
11 Use role attributes
12
13 Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
14
15 ---
16 policy/modules/contrib/gitosis.fc | 10 ++++------
17 policy/modules/contrib/gitosis.if | 17 +++++++++--------
18 policy/modules/contrib/gitosis.te | 30 +++++++++++++++++++++++++++---
19 3 files changed, 40 insertions(+), 17 deletions(-)
20
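--- a/policy/modules/contrib/gitosis.fc
+++ b/policy/modules/contrib/gitosis.fc
@@ -1,9 +1,7 @@
-ifdef(`distro_debian',`
-/srv/lib/gitosis(/.*)? gen_context(system_u:object_r:gitosis_var_lib_t,s0)
-')
+/srv/lib/gitosis(/.*)? gen_context(system_u:object_r:gitosis_var_lib_t,s0)
 
-/usr/bin/gitosis-serve -- gen_context(system_u:object_r:gitosis_exec_t,s0)
-/usr/bin/gl-auth-command -- gen_context(system_u:object_r:gitosis_exec_t,s0)
+/usr/bin/gitosis-serve -- gen_context(system_u:object_r:gitosis_exec_t,s0)
+/usr/bin/gl-auth-command -- gen_context(system_u:object_r:gitosis_exec_t,s0)
 
-/var/lib/gitosis(/.*)? gen_context(system_u:object_r:gitosis_var_lib_t,s0)
+/var/lib/gitosis(/.*)? gen_context(system_u:object_r:gitosis_var_lib_t,s0)
 /var/lib/gitolite(3)?(/.*)? gen_context(system_u:object_r:gitosis_var_lib_t,s0)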
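--- a/policy/modules/contrib/gitosis.if
+++ b/policy/modules/contrib/gitosis.if
@@ -15,17 +15,19 @@ interface(`gitosis_domtrans',`
 type gitosis_t, gitosis_exec_t;
 ')
 
+ corecmd_search_bin($1)
 domtrans_pattern($1, gitosis_exec_t, gitosis_t)
 ')
 
 #######################################
 ## <summary>
-## Execute gitosis-serve in the gitosis domain, and
-## allow the specified role the gitosis domain.
+## Execute gitosis-serve in the
+## gitosis domain, and allow the
+## specified role the gitosis domain.
 ## </summary>
 ## <param name="domain">
 ## <summary>
-## Domain allowed access
+## Domain allowed to transition.
 ## </summary>
 ## </param>
 ## <param name="role">
@@ -36,17 +38,16 @@ interface(`gitosis_domtrans',`
 #
 interface(`gitosis_run',`
 gen_require(`
- type gitosis_t;
+ attribute_role gitosis_roles;
 ')
 
 gitosis_domtrans($1)
- role $2 types gitosis_t;
+ roleattribute $2 gitosis_roles;
 ')
 
 #######################################
 ## <summary>
-## Allow the specified domain to read
-## gitosis lib files.
+## Read gitosis lib files.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -67,7 +68,7 @@ interface(`gitosis_read_lib_files',`
 
 ######################################
 ## <summary>
-## Allow the specified domain to manage
+## Create, read, write, and delete
 ## gitosis lib files.
 ## </summary>
 ## <param name="domain">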
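--- a/policy/modules/contrib/gitosis.te
+++ b/policy/modules/contrib/gitosis.te
@@ -1,21 +1,31 @@
-policy_module(gitosis, 1.3.1)
+policy_module(gitosis, 1.3.2)
 
 ########################################
 #
 # Declarations
 #
 
+## <desc>
+## <p>
+## Determine whether Gitosis can send mail.
+## </p>
+## </desc>
+gen_tunable(gitosis_can_sendmail, false)
+
+attribute_role gitosis_roles;
+roleattribute system_r gitosis_roles;
+
 type gitosis_t;
 type gitosis_exec_t;
 application_domain(gitosis_t, gitosis_exec_t)
-role system_r types gitosis_t;
+role gitosis_roles types gitosis_t;
 
 type gitosis_var_lib_t;
 files_type(gitosis_var_lib_t)
 
 ########################################
 #
-# gitosis local policy
+# Local policy
 #
 
 allow gitosis_t self:fifo_file rw_fifo_file_perms;
@@ -27,6 +37,16 @@ manage_dirs_pattern(gitosis_t, gitosis_var_lib_t, gitosis_var_lib_t)
 
 kernel_read_system_state(gitosis_t)
 
+corenet_all_recvfrom_unlabeled(gitosis_t)
+corenet_all_recvfrom_netlabel(gitosis_t)
+corenet_tcp_sendrecv_generic_if(gitosis_t)
+corenet_tcp_sendrecv_generic_node(gitosis_t)
+corenet_tcp_bind_generic_node(gitosis_t)
+
+corenet_sendrecv_ssh_server_packets(gitosis_t)
+corenet_tcp_bind_ssh_port(gitosis_t)
+corenet_tcp_sendrecv_ssh_port(gitosis_t)
+
 corecmd_exec_bin(gitosis_t)
 corecmd_exec_shell(gitosis_t)
 
@@ -39,3 +59,7 @@ files_search_var_lib(gitosis_t)
 miscfiles_read_localization(gitosis_t)
 
 sysnet_read_config(gitosis_t)
+
+tunable_policy(`gitosis_can_sendmail',`
+ mta_send_mail(gitosis_t)
+')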
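Review bot: `corenet_tcp_bind_ssh_port(gitosis_t)` together with `corenet_tcp_bind_generic_node(gitosis_t)` in the second hunk lets the gitosis domain bind a listening socket on the ssh port, which is wider than what a program started as an sshd forced command over an already-connected socket appears to need; the sendrecv lines (`corenet_tcp_sendrecv_ssh_port`, `corenet_sendrecv_ssh_server_packets`) already cover traffic on the inherited connection. Since the commit message says this was ported from Fedora with changes, it is unclear whether the bind rules came from an observed denial or were carried over; unless a denial shows gitosis-serve or gl-auth-command binding, consider dropping the two bind lines. If they are kept, a one-line comment above the block stating which program needs to bind would let the next reviewer verify the grant instead of guessing.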