Gentoo Archives: gentoo-commits

From: Sven Vermeulen <sven.vermeulen@××××××.be>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
Date: Wed, 31 Oct 2012 18:11:18
Message-Id: 1351706661.d4d11f3557da94e00e1295c44b347236368d4001.SwifT@gentoo
1 commit: d4d11f3557da94e00e1295c44b347236368d4001
2 Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
3 AuthorDate: Wed Oct 31 08:29:25 2012 +0000
4 Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
5 CommitDate: Wed Oct 31 18:04:21 2012 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=d4d11f35
7
8 Changes to the vlock policy module
9
10 Uses PAM
11 Role attribute
12 Add file context spec
13
14 Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
15
16 ---
17 policy/modules/contrib/vlock.fc | 2 ++
18 policy/modules/contrib/vlock.if | 9 +++++----
19 policy/modules/contrib/vlock.te | 19 +++++--------------
20 3 files changed, 12 insertions(+), 18 deletions(-)
21
22 diff --git a/policy/modules/contrib/vlock.fc b/policy/modules/contrib/vlock.fc
23 index 621d5fd..f84b61a 100644
24 --- a/policy/modules/contrib/vlock.fc
25 +++ b/policy/modules/contrib/vlock.fc
26 @@ -1 +1,3 @@
27 +/usr/bin/vlock -- gen_context(system_u:object_r:vlock_exec_t,s0)
28 +
29 /usr/sbin/vlock-main -- gen_context(system_u:object_r:vlock_exec_t,s0)
30
31 diff --git a/policy/modules/contrib/vlock.if b/policy/modules/contrib/vlock.if
32 index c5eeea0..d5fc09a 100644
33 --- a/policy/modules/contrib/vlock.if
34 +++ b/policy/modules/contrib/vlock.if
35 @@ -21,8 +21,9 @@ interface(`vlock_domtrans',`
36
37 ########################################
38 ## <summary>
39 -## Execute vlock in the vlock domain, and
40 -## allow the specified role the vlock domain.
41 +## Execute vlock in the vlock domain,
42 +## and allow the specified role
43 +## the vlock domain.
44 ## </summary>
45 ## <param name="domain">
46 ## <summary>
47 @@ -38,9 +39,9 @@ interface(`vlock_domtrans',`
48 #
49 interface(`vlock_run',`
50 gen_require(`
51 - type vlock_t;
52 + attribute_role vlock_roles;
53 ')
54
55 vlock_domtrans($1)
56 - role $2 types vlock_t;
57 + roleattribute $2 vlock_roles;
58 ')
59
60 diff --git a/policy/modules/contrib/vlock.te b/policy/modules/contrib/vlock.te
61 index 2511093..9ead775 100644
62 --- a/policy/modules/contrib/vlock.te
63 +++ b/policy/modules/contrib/vlock.te
64 @@ -1,52 +1,43 @@
65 -policy_module(vlock, 1.1.0)
66 +policy_module(vlock, 1.1.1)
67
68 ########################################
69 #
70 # Declarations
71 #
72
73 +attribute_role vlock_roles;
74 +
75 type vlock_t;
76 type vlock_exec_t;
77 application_domain(vlock_t, vlock_exec_t)
78 +role vlock_roles types vlock_t;
79
80 ########################################
81 #
82 # Local policy
83 #
84
85 -# --enable-pam is recommended when configuring vlock, making it
86 -# unnecessary to be a setuid program.
87 dontaudit vlock_t self:capability { setuid setgid };
88 allow vlock_t self:fd use;
89 allow vlock_t self:fifo_file rw_fifo_file_perms;
90 -allow vlock_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
91 -allow vlock_t self:unix_dgram_socket { create connect };
92
93 kernel_read_system_state(vlock_t)
94
95 corecmd_list_bin(vlock_t)
96 corecmd_read_bin_symlinks(vlock_t)
97
98 -# Must call this interface otherwise PAM session will fail
99 -# with message of "terminal=? res=failed"
100 domain_use_interactive_fds(vlock_t)
101
102 files_dontaudit_search_home(vlock_t)
103 -files_read_etc_files(vlock_t)
104
105 -# pam_tally2 module could be used by vlock for authentication,
106 -# /var/log/tallylog's SL is usually s0, while the caller's SL could
107 -# be higher than s0.
108 mls_file_write_all_levels(vlock_t)
109
110 selinux_dontaudit_getattr_fs(vlock_t)
111
112 -auth_domtrans_chk_passwd(vlock_t)
113 +auth_use_pam(vlock_t)
114
115 init_dontaudit_rw_utmp(vlock_t)
116
117 -logging_send_syslog_msg(vlock_t)
118 -
119 miscfiles_read_localization(vlock_t)
120
121 userdom_dontaudit_search_user_home_dirs(vlock_t)