
From: Sven Vermeulen <sven.vermeulen@××××××.be>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: /
Date: Tue, 02 Oct 2012 18:25:52
Message-Id: 1349201351.7833917670767f7c534363c93f0e22a06394ea90.SwifT@gentoo
1 commit: 7833917670767f7c534363c93f0e22a06394ea90
2 Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
3 AuthorDate: Tue Oct 2 12:23:04 2012 +0000
4 Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
5 CommitDate: Tue Oct 2 18:09:11 2012 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=78339176
7
8 Initial glusterfs policy module
9
10 Glusterfs binary, the glusterfsd daemon and the gluster command line,
11 libglusterfs and glusterfs translator modules common to both GlusterFS
12 server and client framework.
13
14 Ported from Fedora with changes
15
16 Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
17
18 ---
19 glusterfs.fc | 16 +++++++++
20 glusterfs.if | 49 ++++++++++++++++++++++++++++
21 glusterfs.te | 102 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
22 3 files changed, 167 insertions(+), 0 deletions(-)
23
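diff --git a/glusterfs.fc b/glusterfs.fc
new file mode 100644
index 0000000..4bd6ade
--- /dev/null
+++ b/glusterfs.fc
@@ -0,0 +1,16 @@
+/etc/rc\.d/init\.d/gluster.* -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0)
+
+/etc/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_conf_t,s0)
+/etc/glusterd(/.*)? gen_context(system_u:object_r:glusterd_conf_t,s0)
+
+/usr/sbin/glusterd -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0)
+/usr/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0)
+
+/opt/glusterfs/[^/]+/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0)
+
+/var/lib/gluster.* gen_context(system_u:object_r:glusterd_var_lib_t,s0)
+
+/var/log/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_log_t,s0)
+
+/var/run/glusterd(/.*)? gen_context(system_u:object_r:glusterd_var_run_t,s0)
+/var/run/glusterd\.pid -- gen_context(system_u:object_r:glusterd_var_run_t,s0)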
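Review bot: The `/var/lib/gluster.*` entry is the only one in this file whose regex is not anchored with `(/.*)?`, so it also labels any unrelated `/var/lib/gluster<something>` path as `glusterd_var_lib_t`; if `/var/lib/glusterd` is the directory the daemon creates (the .te's `files_var_lib_filetrans(glusterd_t, glusterd_var_lib_t, dir)` suggests it makes one there), `/var/lib/glusterd(/.*)? gen_context(system_u:object_r:glusterd_var_lib_t,s0)` would be the precise form. Labelling `/usr/sbin/glusterd` as `glusterd_initrc_exec_t` while `glusterfsd` gets `glusterd_exec_t` looks like a typo at first read; if it is deliberate because glusterd is a wrapper that starts glusterfsd, a comment such as `# glusterd is a wrapper script that launches glusterfsd, hence the init script type` above that line would keep a later reader from "fixing" it.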
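diff --git a/glusterfs.if b/glusterfs.if
new file mode 100644
index 0000000..bb2101d
--- /dev/null
+++ b/glusterfs.if
@@ -0,0 +1,49 @@
+## <summary>Cluster File System binary, daemon and command line.</summary>
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an glusterd environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`glusterd_admin',`
+ gen_require(`
+ type glusterd_t, glusterd_initrc_exec_t, glusterd_log_t;
+ type glusterd_tmp_t, glusterd_conf_t, glusterd_var_lib_t;
+ type glusterd_var_run_t;
+ ')
+
+ init_labeled_script_domtrans($1, glusterd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 glusterd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ allow $1 glusterd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, glusterd_t)
+
+ files_search_etc($1)
+ admin_pattern($1, glusterd_conf_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, glusterd_log_t)
+
+ files_search_tmp($1)
+ admin_pattern($1, glusterd_tmp_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, glusterd_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, glusterd_var_run_t)
+')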
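Review bot: `allow $1 glusterd_t:process { ptrace signal_perms };` in glusterd_admin gives the administrative domain ptrace over the storage daemon, which means it can read and alter the daemon's memory, not merely stop or reload it; `signal_perms` alone covers the start/stop/reload use of this interface, so consider `allow $1 glusterd_t:process signal_perms;` unless a debugging need is documented next to the rule. If ptrace is kept on purpose, a one-line comment stating why would make that a reviewed decision rather than copied boilerplate. The summary text `administrate an glusterd environment` should read `administrate a glusterd environment`.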
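diff --git a/glusterfs.te b/glusterfs.te
new file mode 100644
index 0000000..6c815e1
--- /dev/null
+++ b/glusterfs.te
@@ -0,0 +1,102 @@
+policy_module(glusterfs, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type glusterd_t;
+type glusterd_exec_t;
+init_daemon_domain(glusterd_t, glusterd_exec_t)
+
+type glusterd_conf_t;
+files_type(glusterd_conf_t)
+
+type glusterd_initrc_exec_t;
+init_script_file(glusterd_initrc_exec_t)
+
+type glusterd_tmp_t;
+files_tmp_file(glusterd_tmp_t)
+
+type glusterd_log_t;
+logging_log_file(glusterd_log_t)
+
+type glusterd_var_run_t;
+files_pid_file(glusterd_var_run_t)
+
+type glusterd_var_lib_t;
+files_type(glusterd_var_lib_t);
+
+########################################
+#
+# Local policy
+#
+
+allow glusterd_t self:capability { net_bind_service sys_admin sys_resource dac_override chown dac_read_search fowner };
+allow glusterd_t self:process { setrlimit signal };
+allow glusterd_t self:fifo_file rw_fifo_file_perms;
+allow glusterd_t self:tcp_socket { accept listen };
+allow glusterd_t self:unix_stream_socket { accept listen };
+
+manage_dirs_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t)
+manage_files_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t)
+files_etc_filetrans(glusterd_t, glusterd_conf_t, dir)
+
+manage_dirs_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
+manage_files_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
+manage_sock_files_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
+files_tmp_filetrans(glusterd_t, glusterd_tmp_t, { dir file sock_file })
+
+manage_dirs_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
+append_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
+create_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
+setattr_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
+logging_log_filetrans(glusterd_t, glusterd_log_t, dir)
+
+manage_dirs_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
+manage_files_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
+files_pid_filetrans(glusterd_t, glusterd_var_run_t, { dir file })
+
+manage_dirs_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
+manage_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
+files_var_lib_filetrans(glusterd_t, glusterd_var_lib_t, dir)
+
+can_exec(glusterd_t, glusterd_exec_t)
+
+kernel_read_system_state(glusterd_t)
+
+corecmd_exec_bin(glusterd_t)
+corecmd_exec_shell(glusterd_t)
+
+corenet_all_recvfrom_unlabeled(glusterd_t)
+corenet_all_recvfrom_netlabel(glusterd_t)
+corenet_tcp_sendrecv_generic_if(glusterd_t)
+corenet_udp_sendrecv_generic_if(glusterd_t)
+corenet_tcp_sendrecv_generic_node(glusterd_t)
+corenet_udp_sendrecv_generic_node(glusterd_t)
+corenet_tcp_sendrecv_all_ports(glusterd_t)
+corenet_udp_sendrecv_all_ports(glusterd_t)
+corenet_tcp_bind_generic_node(glusterd_t)
+corenet_udp_bind_generic_node(glusterd_t)
+
+# Too coarse?
+corenet_sendrecv_all_server_packets(glusterd_t)
+corenet_tcp_bind_all_reserved_ports(glusterd_t)
+corenet_udp_bind_all_rpc_ports(glusterd_t)
+corenet_udp_bind_ipp_port(glusterd_t)
+
+corenet_sendrecv_all_client_packets(glusterd_t)
+corenet_tcp_connect_all_unreserved_ports(glusterd_t)
+
+dev_read_sysfs(glusterd_t)
+dev_read_urand(glusterd_t)
+
+domain_use_interactive_fds(glusterd_t)
+
+files_read_usr_files(glusterd_t)
+
+auth_use_nsswitch(glusterd_t)
+
+logging_send_syslog_msg(glusterd_t)
+
+miscfiles_read_localization(glusterd_t)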
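Review bot: The block under `# Too coarse?` leaves the question in the code without an answer: `corenet_tcp_bind_all_reserved_ports(glusterd_t)` together with `corenet_tcp_sendrecv_all_ports` and `corenet_udp_sendrecv_all_ports` above it lets glusterd_t bind any privileged port and exchange traffic on every port, so the domain is not confined to its own listeners and a compromised daemon could stand in for other privileged services. Replace the question with a statement of what is actually required, e.g. `# glusterd/glusterfsd listen on <PORT-LIST-TODO>; no dedicated port type exists yet, so reserved-port binding is granted wholesale`, so the rule can be narrowed once a port type is declared in corenetwork. The same documentation is owed to `sys_admin` in the `self:capability` line, which should name the operation that needs it, and to `corecmd_exec_shell`, which is a broad grant for a daemon. Separately, `files_type(glusterd_var_lib_t);` carries a trailing semicolon that none of the other declarations have; drop it for consistency, since the m4 interface call does not take one.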