
From: Sven Vermeulen <sven.vermeulen@××××××.be>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
Date: Wed, 31 Oct 2012 18:11:33
Message-Id: 1351706666.7c191c42c9c20586e7cf70ea3a6a627aee08d44a.SwifT@gentoo
1 commit: 7c191c42c9c20586e7cf70ea3a6a627aee08d44a
2 Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
3 AuthorDate: Wed Oct 31 09:12:33 2012 +0000
4 Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
5 CommitDate: Wed Oct 31 18:04:26 2012 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=7c191c42
7
8 Changes to the vnstatd policy module
9
10 Add init script file
11 Add role attribute for client
12
13 Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
14
15 ---
16 policy/modules/contrib/vnstatd.fc | 4 ++-
17 policy/modules/contrib/vnstatd.if | 50 +++++++++++++++++++++++++++++++++---
18 policy/modules/contrib/vnstatd.te | 24 +++++++++++------
19 3 files changed, 63 insertions(+), 15 deletions(-)
20
21 diff --git a/policy/modules/contrib/vnstatd.fc b/policy/modules/contrib/vnstatd.fc
22 index db1a018..24228b6 100644
23 --- a/policy/modules/contrib/vnstatd.fc
24 +++ b/policy/modules/contrib/vnstatd.fc
25 @@ -1,7 +1,9 @@
26 +/etc/rc\.d/init\.d/vnstat -- gen_context(system_u:object_r:vnstatd_initrc_exec_t,s0)
27 +
28 /usr/bin/vnstat -- gen_context(system_u:object_r:vnstat_exec_t,s0)
29
30 /usr/sbin/vnstatd -- gen_context(system_u:object_r:vnstatd_exec_t,s0)
31
32 /var/lib/vnstat(/.*)? gen_context(system_u:object_r:vnstatd_var_lib_t,s0)
33
34 -/var/run/vnstat\.pid gen_context(system_u:object_r:vnstatd_var_run_t,s0)
35 +/var/run/vnstat.* gen_context(system_u:object_r:vnstatd_var_run_t,s0)
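Review bot: The new `/var/run/vnstat.*` pattern on the last added line leaves the `.` unescaped, so it matches `vnstat` followed by any characters at all (for example a hypothetical `/var/run/vnstatd.pid` or an unrelated `/var/run/vnstat-foo`), whereas the line it replaces was anchored to the exact pid file. If the intent is to also cover a socket or similar runtime file of the daemon, name the files explicitly, e.g. `/var/run/vnstat\.(pid|sock)`, or use the directory form `/var/run/vnstat(/.*)?` if vnstatd keeps its runtime files in a subdirectory; either is tighter than the wildcard. Bear in mind that `vnstatd_var_run_t` is declared via `files_pid_file` (visible in the .te hunk header), so whatever this regex ends up matching is labeled and handled as a pid file.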
36
37 diff --git a/policy/modules/contrib/vnstatd.if b/policy/modules/contrib/vnstatd.if
38 index 727fe95..137ac44 100644
39 --- a/policy/modules/contrib/vnstatd.if
40 +++ b/policy/modules/contrib/vnstatd.if
41 @@ -15,11 +15,38 @@ interface(`vnstatd_domtrans_vnstat',`
42 type vnstat_t, vnstat_exec_t;
43 ')
44
45 + corecmd_search_bin($1)
46 domtrans_pattern($1, vnstat_exec_t, vnstat_t)
47 ')
48
49 ########################################
50 ## <summary>
51 +## Execute vnstat in the vnstat domain,
52 +## and allow the specified role
53 +## the vnstat domain.
54 +## </summary>
55 +## <param name="domain">
56 +## <summary>
57 +## Domain allowed to transition.
58 +## </summary>
59 +## </param>
60 +## <param name="role">
61 +## <summary>
62 +## Role allowed access.
63 +## </summary>
64 +## </param>
65 +#
66 +interface(`vnstatd_run_vnstat',`
67 + gen_require(`
68 + attribute_role vnstat_roles;
69 + ')
70 +
71 + vnstatd_domtrans_vnstat($1)
72 + roleattribute $2 vnstat_roles;
73 +')
74 +
75 +########################################
76 +## <summary>
77 ## Execute a domain transition to run vnstatd.
78 ## </summary>
79 ## <param name="domain">
80 @@ -33,6 +60,7 @@ interface(`vnstatd_domtrans',`
81 type vnstatd_t, vnstatd_exec_t;
82 ')
83
84 + corecmd_search_bin($1)
85 domtrans_pattern($1, vnstatd_exec_t, vnstatd_t)
86 ')
87
88 @@ -51,13 +79,14 @@ interface(`vnstatd_search_lib',`
89 type vnstatd_var_lib_t;
90 ')
91
92 - allow $1 vnstatd_var_lib_t:dir search_dir_perms;
93 files_search_var_lib($1)
94 + allow $1 vnstatd_var_lib_t:dir search_dir_perms;
95 ')
96
97 ########################################
98 ## <summary>
99 -## Manage vnstatd lib dirs.
100 +## Create, read, write, and delete
101 +## vnstatd lib directories.
102 ## </summary>
103 ## <param name="domain">
104 ## <summary>
105 @@ -115,8 +144,8 @@ interface(`vnstatd_manage_lib_files',`
106
107 ########################################
108 ## <summary>
109 -## All of the rules required to administrate
110 -## an vnstatd environment
111 +## All of the rules required to
112 +## administrate an vnstatd environment.
113 ## </summary>
114 ## <param name="domain">
115 ## <summary>
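Review bot: The reworded summary still reads "administrate an vnstatd environment"; the article is wrong and "administrate" is non-standard in the other refpolicy interface summaries. Suggest `## All of the rules required to` / `## administer a vnstatd environment.` so the generated interface documentation is consistent with the rest of the tree.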
116 @@ -132,12 +161,23 @@ interface(`vnstatd_manage_lib_files',`
117 #
118 interface(`vnstatd_admin',`
119 gen_require(`
120 - type vnstatd_t, vnstatd_var_lib_t;
121 + type vnstatd_t, vnstatd_var_lib_t, vnstatd_initrc_exec_t;
122 + type vnstatd_var_run_t;
123 ')
124
125 allow $1 vnstatd_t:process { ptrace signal_perms };
126 ps_process_pattern($1, vnstatd_t)
127
128 + init_labeled_script_domtrans($1, vnstatd_initrc_exec_t)
129 + domain_system_change_exemption($1)
130 + role_transition $2 vnstatd_initrc_exec_t system_r;
131 + allow $2 system_r;
132 +
133 + files_search_pids($1)
134 + admin_pattern($1, vnstatd_var_run_t)
135 +
136 files_list_var_lib($1)
137 admin_pattern($1, vnstatd_var_lib_t)
138 +
139 + vnstatd_run_vnstat($1, $2)
140 ')
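Review bot: This hunk makes `vnstatd_admin` use a second argument (`role_transition $2 …`, `allow $2 system_r;`, `vnstatd_run_vnstat($1, $2)`), but the part of the interface's XML documentation visible in the previous hunk only shows a `<param name="domain">` block; if a `<param name="role">` block is not already present in the lines between the two hunks, add one (`## <param name="role">`, `## <summary> Role allowed access. </summary>`, `## </param>`) so callers know the role argument is required. Also note that `vnstatd_run_vnstat($1, $2)` adds the admin role to `vnstat_roles`, i.e. the role gains `vnstat_t`, which per the context lines of the .te hunk can manage everything under `vnstatd_var_lib_t`; that is appropriate for an admin interface but deserves a one-line comment such as `# the admin role may run the vnstat client and modify its database`. The interface closes on the last line of the hunk, so nothing of it lies outside.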
141
142 diff --git a/policy/modules/contrib/vnstatd.te b/policy/modules/contrib/vnstatd.te
143 index 8121937..febc3e5 100644
144 --- a/policy/modules/contrib/vnstatd.te
145 +++ b/policy/modules/contrib/vnstatd.te
146 @@ -1,18 +1,24 @@
147 -policy_module(vnstatd, 1.0.0)
148 +policy_module(vnstatd, 1.0.1)
149
150 ########################################
151 #
152 # Declarations
153 #
154
155 +attribute_role vnstat_roles;
156 +
157 type vnstat_t;
158 type vnstat_exec_t;
159 application_domain(vnstat_t, vnstat_exec_t)
160 +role vnstat_roles types vnstat_t;
161
162 type vnstatd_t;
163 type vnstatd_exec_t;
164 init_daemon_domain(vnstatd_t, vnstatd_exec_t)
165
166 +type vnstatd_initrc_exec_t;
167 +init_script_file(vnstatd_initrc_exec_t)
168 +
169 type vnstatd_var_lib_t;
170 files_type(vnstatd_var_lib_t)
171
172 @@ -21,12 +27,12 @@ files_pid_file(vnstatd_var_run_t)
173
174 ########################################
175 #
176 -# vnstatd local policy
177 +# Daemon local policy
178 #
179
180 allow vnstatd_t self:process signal;
181 allow vnstatd_t self:fifo_file rw_fifo_file_perms;
182 -allow vnstatd_t self:unix_stream_socket create_stream_socket_perms;
183 +allow vnstatd_t self:unix_stream_socket { accept listen };
184
185 manage_dirs_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
186 manage_files_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
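Review bot: Replacing `create_stream_socket_perms` with `{ accept listen }` on `vnstatd_t self:unix_stream_socket` only works if `create`, `bind`, `setopt` and the other socket permissions are granted by the base domain rules (the convention in this tree, but not visible here); if vnstatd binds a named socket under `/var/run`, it additionally needs `manage_sock_files_pattern(vnstatd_t, vnstatd_var_run_t, vnstatd_var_run_t)` — the var_run rules for `vnstatd_t` are outside this hunk, so confirm they cover `sock_file`. A short comment on the changed allow line, e.g. `# vnstatd accepts connections from the vnstat client on a unix stream socket`, would record why this daemon needs listen/accept when most do not.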
187 @@ -49,18 +55,14 @@ logging_send_syslog_msg(vnstatd_t)
188
189 miscfiles_read_localization(vnstatd_t)
190
191 -optional_policy(`
192 - cron_system_entry(vnstat_t, vnstat_exec_t)
193 -')
194 -
195 ########################################
196 #
197 -# vnstat local policy
198 +# Client local policy
199 #
200
201 allow vnstat_t self:process signal;
202 allow vnstat_t self:fifo_file rw_fifo_file_perms;
203 -allow vnstat_t self:unix_stream_socket create_stream_socket_perms;
204 +allow vnstat_t self:unix_stream_socket { accept listen };
205
206 manage_dirs_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
207 manage_files_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
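Review bot: The client section grants `vnstat_t self:unix_stream_socket { accept listen }` on the changed allow line, mirroring the daemon, but a client normally connects to the daemon's socket rather than listening on one of its own; unless `vnstat` itself accepts connections, `listen`/`accept` is an unnecessary grant for the client and should be dropped (a client would instead need a `connectto` rule to the daemon's socket). If these permissions came from observed denials, a comment stating that (`# vnstat listens on a unix stream socket — seen in audit log`) would justify keeping them; otherwise the least-privilege rule is to remove the line.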
208 @@ -78,3 +80,7 @@ fs_getattr_xattr_fs(vnstat_t)
209 logging_send_syslog_msg(vnstat_t)
210
211 miscfiles_read_localization(vnstat_t)
212 +
213 +optional_policy(`
214 + cron_system_entry(vnstat_t, vnstat_exec_t)
215 +')