commit: 7c191c42c9c20586e7cf70ea3a6a627aee08d44a |
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com> |
AuthorDate: Wed Oct 31 09:12:33 2012 +0000 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
CommitDate: Wed Oct 31 18:04:26 2012 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=7c191c42 |
|
Changes to the vnstatd policy module |
|
Add init script file |
Add role attribute for client |
|
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com> |
|
--- |
policy/modules/contrib/vnstatd.fc | 4 ++- |
policy/modules/contrib/vnstatd.if | 50 +++++++++++++++++++++++++++++++++--- |
policy/modules/contrib/vnstatd.te | 24 +++++++++++------ |
3 files changed, 63 insertions(+), 15 deletions(-) |
|
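diff --git a/policy/modules/contrib/vnstatd.fc b/policy/modules/contrib/vnstatd.fc
index db1a018..24228b6 100644
--- a/policy/modules/contrib/vnstatd.fc
+++ b/policy/modules/contrib/vnstatd.fc
@@ -1,7 +1,9 @@
+/etc/rc\.d/init\.d/vnstat -- gen_context(system_u:object_r:vnstatd_initrc_exec_t,s0)
+
 /usr/bin/vnstat -- gen_context(system_u:object_r:vnstat_exec_t,s0)
 
 /usr/sbin/vnstatd -- gen_context(system_u:object_r:vnstatd_exec_t,s0)
 
 /var/lib/vnstat(/.*)? gen_context(system_u:object_r:vnstatd_var_lib_t,s0)
 
-/var/run/vnstat\.pid gen_context(system_u:object_r:vnstatd_var_run_t,s0)
+/var/run/vnstat.* gen_context(system_u:object_r:vnstatd_var_run_t,s0)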
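Review bot: `/var/run/vnstat.*` widens the label from the single pid file to every object under `/var/run` whose name begins with `vnstat`, with no file-type specifier, so a `/var/run/vnstat` directory or socket would now also get `vnstatd_var_run_t`. The `vnstatd_var_run_t` rules for `vnstatd_t` are outside the visible .te hunks, so it cannot be seen here whether the daemon is granted the directory permissions that the broader pattern may require; that should be confirmed against the rest of vnstatd.te. If only the pid file is meant, keeping `/var/run/vnstat\.pid -- gen_context(system_u:object_r:vnstatd_var_run_t,s0)` would keep the labeling explicit.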
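diff --git a/policy/modules/contrib/vnstatd.if b/policy/modules/contrib/vnstatd.if
index 727fe95..137ac44 100644
--- a/policy/modules/contrib/vnstatd.if
+++ b/policy/modules/contrib/vnstatd.if
@@ -15,11 +15,38 @@ interface(`vnstatd_domtrans_vnstat',`
 type vnstat_t, vnstat_exec_t;
 ')
 
+ corecmd_search_bin($1)
 domtrans_pattern($1, vnstat_exec_t, vnstat_t)
 ')
 
 ########################################
 ## <summary>
+## Execute vnstat in the vnstat domain,
+## and allow the specified role
+## the vnstat domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`vnstatd_run_vnstat',`
+ gen_require(`
+ attribute_role vnstat_roles;
+ ')
+
+ vnstatd_domtrans_vnstat($1)
+ roleattribute $2 vnstat_roles;
+')
+
+########################################
+## <summary>
 ## Execute a domain transition to run vnstatd.
 ## </summary>
 ## <param name="domain">
@@ -33,6 +60,7 @@ interface(`vnstatd_domtrans',`
 type vnstatd_t, vnstatd_exec_t;
 ')
 
+ corecmd_search_bin($1)
 domtrans_pattern($1, vnstatd_exec_t, vnstatd_t)
 ')
 
@@ -51,13 +79,14 @@ interface(`vnstatd_search_lib',`
 type vnstatd_var_lib_t;
 ')
 
- allow $1 vnstatd_var_lib_t:dir search_dir_perms;
 files_search_var_lib($1)
+ allow $1 vnstatd_var_lib_t:dir search_dir_perms;
 ')
 
 ########################################
 ## <summary>
-## Manage vnstatd lib dirs.
+## Create, read, write, and delete
+## vnstatd lib directories.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -115,8 +144,8 @@ interface(`vnstatd_manage_lib_files',`
 
 ########################################
 ## <summary>
-## All of the rules required to administrate
-## an vnstatd environment
+## All of the rules required to
+## administrate an vnstatd environment.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -132,12 +161,23 @@ interface(`vnstatd_manage_lib_files',`
 #
 interface(`vnstatd_admin',`
 gen_require(`
- type vnstatd_t, vnstatd_var_lib_t;
+ type vnstatd_t, vnstatd_var_lib_t, vnstatd_initrc_exec_t;
+ type vnstatd_var_run_t;
 ')
 
 allow $1 vnstatd_t:process { ptrace signal_perms };
 ps_process_pattern($1, vnstatd_t)
 
+ init_labeled_script_domtrans($1, vnstatd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 vnstatd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_search_pids($1)
+ admin_pattern($1, vnstatd_var_run_t)
+
 files_list_var_lib($1)
 admin_pattern($1, vnstatd_var_lib_t)
+
+ vnstatd_run_vnstat($1, $2)
 ')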
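Review bot: `vnstatd_admin` now consumes a second argument (`role_transition $2 vnstatd_initrc_exec_t system_r;`, `allow $2 system_r;`, `vnstatd_run_vnstat($1, $2)`) while the removed side of the @@ -132,12 +161,23 @@ hunk used only `$1`, so this is a signature change that any existing single-argument caller would expand into malformed `role_transition` and `allow` statements. The header hunk at @@ -115,8 +144,8 @@ shows only the `domain` parameter before it is cut off; unless a `role` block already exists in the lines outside the hunk, document the second parameter with a `## <param name="role">` block mirroring the one added to `vnstatd_run_vnstat`, and update callers accordingly. The reworded summary also keeps the article error, `## administrate a vnstatd environment.` reads better than `an vnstatd`.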
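diff --git a/policy/modules/contrib/vnstatd.te b/policy/modules/contrib/vnstatd.te
index 8121937..febc3e5 100644
--- a/policy/modules/contrib/vnstatd.te
+++ b/policy/modules/contrib/vnstatd.te
@@ -1,18 +1,24 @@
-policy_module(vnstatd, 1.0.0)
+policy_module(vnstatd, 1.0.1)
 
 ########################################
 #
 # Declarations
 #
 
+attribute_role vnstat_roles;
+
 type vnstat_t;
 type vnstat_exec_t;
 application_domain(vnstat_t, vnstat_exec_t)
+role vnstat_roles types vnstat_t;
 
 type vnstatd_t;
 type vnstatd_exec_t;
 init_daemon_domain(vnstatd_t, vnstatd_exec_t)
 
+type vnstatd_initrc_exec_t;
+init_script_file(vnstatd_initrc_exec_t)
+
 type vnstatd_var_lib_t;
 files_type(vnstatd_var_lib_t)
 
@@ -21,12 +27,12 @@ files_pid_file(vnstatd_var_run_t)
 
 ########################################
 #
-# vnstatd local policy
+# Daemon local policy
 #
 
 allow vnstatd_t self:process signal;
 allow vnstatd_t self:fifo_file rw_fifo_file_perms;
-allow vnstatd_t self:unix_stream_socket create_stream_socket_perms;
+allow vnstatd_t self:unix_stream_socket { accept listen };
 
 manage_dirs_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
 manage_files_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
@@ -49,18 +55,14 @@ logging_send_syslog_msg(vnstatd_t)
 
 miscfiles_read_localization(vnstatd_t)
 
-optional_policy(`
- cron_system_entry(vnstat_t, vnstat_exec_t)
-')
-
 ########################################
 #
-# vnstat local policy
+# Client local policy
 #
 
 allow vnstat_t self:process signal;
 allow vnstat_t self:fifo_file rw_fifo_file_perms;
-allow vnstat_t self:unix_stream_socket create_stream_socket_perms;
+allow vnstat_t self:unix_stream_socket { accept listen };
 
 manage_dirs_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
 manage_files_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
@@ -78,3 +80,7 @@ fs_getattr_xattr_fs(vnstat_t)
 logging_send_syslog_msg(vnstat_t)
 
 miscfiles_read_localization(vnstat_t)
+
+optional_policy(`
+ cron_system_entry(vnstat_t, vnstat_exec_t)
+')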
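Review bot: The version bump in the first hunk is only patch-level, `policy_module(vnstatd, 1.0.1)`, although the same commit adds a public interface (`vnstatd_run_vnstat`) and gives `vnstatd_admin` a second argument; if this tree follows the usual refpolicy practice of a minor bump for interface additions, `policy_module(vnstatd, 1.1.0)` would describe the change better — confirm against the project's versioning rules. Separately, `allow vnstatd_t self:unix_stream_socket { accept listen };` and the matching `vnstat_t` line drop the create/bind/connect/read/write permissions this module previously granted itself via `create_stream_socket_perms`; that is only safe if those permissions come from base domain rules outside this module, which cannot be verified from the hunk, so it is worth a quick check before merging. Whether the vnstat client domain needs `listen`/`accept` at all is also not evident from the visible policy.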