
From: Sven Vermeulen <sven.vermeulen@××××××.be>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
Date: Fri, 28 Sep 2012 17:51:52
Message-Id: 1348854123.47a8f40ec73bd819767b06a155cdff7b5f756b4c.SwifT@gentoo
1 commit: 47a8f40ec73bd819767b06a155cdff7b5f756b4c
2 Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
3 AuthorDate: Fri Sep 28 09:32:16 2012 +0000
4 Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
5 CommitDate: Fri Sep 28 17:42:03 2012 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=47a8f40e
7
8 Changes to the dhcpd policy module
9
10 Ported from Fedora with changes
11
12 Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
13
14 ---
15 policy/modules/contrib/dhcp.fc | 4 +-
16 policy/modules/contrib/dhcp.if | 17 +++++++-------
17 policy/modules/contrib/dhcp.te | 46 +++++++++++++++++----------------------
18 3 files changed, 31 insertions(+), 36 deletions(-)
19
20 diff --git a/policy/modules/contrib/dhcp.fc b/policy/modules/contrib/dhcp.fc
21 index 767e0c7..7956248 100644
22 --- a/policy/modules/contrib/dhcp.fc
23 +++ b/policy/modules/contrib/dhcp.fc
24 @@ -1,8 +1,8 @@
25 -/etc/rc\.d/init\.d/dhcpd -- gen_context(system_u:object_r:dhcpd_initrc_exec_t,s0)
26 +/etc/rc\.d/init\.d/dhcpd(6)? -- gen_context(system_u:object_r:dhcpd_initrc_exec_t,s0)
27
28 /usr/sbin/dhcpd.* -- gen_context(system_u:object_r:dhcpd_exec_t,s0)
29
30 /var/lib/dhcpd(/.*)? gen_context(system_u:object_r:dhcpd_state_t,s0)
31 /var/lib/dhcp(3)?/dhcpd\.leases.* -- gen_context(system_u:object_r:dhcpd_state_t,s0)
32
33 -/var/run/dhcpd\.pid -- gen_context(system_u:object_r:dhcpd_var_run_t,s0)
34 +/var/run/dhcpd(6)?\.pid -- gen_context(system_u:object_r:dhcpd_var_run_t,s0)
35
36 diff --git a/policy/modules/contrib/dhcp.if b/policy/modules/contrib/dhcp.if
37 index 5e2cea8..c697edb 100644
38 --- a/policy/modules/contrib/dhcp.if
39 +++ b/policy/modules/contrib/dhcp.if
40 @@ -1,8 +1,8 @@
41 -## <summary>Dynamic host configuration protocol (DHCP) server</summary>
42 +## <summary>Dynamic host configuration protocol server.</summary>
43
44 ########################################
45 ## <summary>
46 -## Transition to dhcpd.
47 +## Execute a domain transition to run dhcpd.
48 ## </summary>
49 ## <param name="domain">
50 ## <summary>
51 @@ -21,8 +21,8 @@ interface(`dhcpd_domtrans',`
52
53 ########################################
54 ## <summary>
55 -## Set the attributes of the DCHP
56 -## server state files.
57 +## Set attributes of dhcpd server
58 +## state files.
59 ## </summary>
60 ## <param name="domain">
61 ## <summary>
62 @@ -60,8 +60,8 @@ interface(`dhcpd_initrc_domtrans',`
63
64 ########################################
65 ## <summary>
66 -## All of the rules required to administrate
67 -## an dhcp environment
68 +## All of the rules required to
69 +## administrate an dhcpd environment.
70 ## </summary>
71 ## <param name="domain">
72 ## <summary>
73 @@ -70,14 +70,14 @@ interface(`dhcpd_initrc_domtrans',`
74 ## </param>
75 ## <param name="role">
76 ## <summary>
77 -## The role to be allowed to manage the dhcp domain.
78 +## Role allowed access.
79 ## </summary>
80 ## </param>
81 ## <rolecap/>
82 #
83 interface(`dhcpd_admin',`
84 gen_require(`
85 - type dhcpd_t; type dhcpd_tmp_t; type dhcpd_state_t;
86 + type dhcpd_t, dhcpd_tmp_t, dhcpd_state_t;
87 type dhcpd_var_run_t, dhcpd_initrc_exec_t;
88 ')
89
90 @@ -92,6 +92,7 @@ interface(`dhcpd_admin',`
91 files_list_tmp($1)
92 admin_pattern($1, dhcpd_tmp_t)
93
94 + files_list_var_lib($1)
95 admin_pattern($1, dhcpd_state_t)
96
97 files_list_pids($1)
98
99 diff --git a/policy/modules/contrib/dhcp.te b/policy/modules/contrib/dhcp.te
100 index ed07b26..c93c3db 100644
101 --- a/policy/modules/contrib/dhcp.te
102 +++ b/policy/modules/contrib/dhcp.te
103 @@ -1,4 +1,4 @@
104 -policy_module(dhcp, 1.10.0)
105 +policy_module(dhcp, 1.10.1)
106
107 ########################################
108 #
109 @@ -6,9 +6,10 @@ policy_module(dhcp, 1.10.0)
110 #
111
112 ## <desc>
113 -## <p>
114 -## Allow DHCP daemon to use LDAP backends
115 -## </p>
116 +## <p>
117 +## Determine whether DHCP daemon
118 +## can use LDAP backends.
119 +## </p>
120 ## </desc>
121 gen_tunable(dhcpd_use_ldap, false)
122
123 @@ -33,30 +34,26 @@ files_pid_file(dhcpd_var_run_t)
124 # Local policy
125 #
126
127 -allow dhcpd_t self:capability { net_raw sys_resource };
128 +allow dhcpd_t self:capability { chown dac_override sys_chroot net_raw setgid setuid sys_resource };
129 dontaudit dhcpd_t self:capability { net_admin sys_tty_config };
130 -allow dhcpd_t self:process signal_perms;
131 +allow dhcpd_t self:process { getcap setcap signal_perms };
132 allow dhcpd_t self:fifo_file rw_fifo_file_perms;
133 -allow dhcpd_t self:unix_dgram_socket create_socket_perms;
134 -allow dhcpd_t self:unix_stream_socket create_socket_perms;
135 -allow dhcpd_t self:tcp_socket create_stream_socket_perms;
136 -allow dhcpd_t self:udp_socket create_socket_perms;
137 -# Allow dhcpd_t to use packet sockets
138 +allow dhcpd_t self:tcp_socket { accept listen };
139 allow dhcpd_t self:packet_socket create_socket_perms;
140 allow dhcpd_t self:rawip_socket create_socket_perms;
141
142 -can_exec(dhcpd_t, dhcpd_exec_t)
143 -
144 manage_files_pattern(dhcpd_t, dhcpd_state_t, dhcpd_state_t)
145 sysnet_dhcp_state_filetrans(dhcpd_t, dhcpd_state_t, file)
146
147 manage_dirs_pattern(dhcpd_t, dhcpd_tmp_t, dhcpd_tmp_t)
148 manage_files_pattern(dhcpd_t, dhcpd_tmp_t, dhcpd_tmp_t)
149 -files_tmp_filetrans(dhcpd_t, dhcpd_tmp_t, { file dir })
150 +files_tmp_filetrans(dhcpd_t, dhcpd_tmp_t, { dir file })
151
152 manage_files_pattern(dhcpd_t, dhcpd_var_run_t, dhcpd_var_run_t)
153 files_pid_filetrans(dhcpd_t, dhcpd_var_run_t, file)
154
155 +can_exec(dhcpd_t, dhcpd_exec_t)
156 +
157 kernel_read_system_state(dhcpd_t)
158 kernel_read_kernel_sysctls(dhcpd_t)
159 kernel_read_network_state(dhcpd_t)
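Review bot: The widened `self:capability` rule near the top of this hunk grants dhcpd_t `chown dac_override setgid setuid sys_chroot` on every distribution, where the old policy allowed them only inside the `distro_gentoo` ifdef block that the last hunk of this file deletes; the `self:process` rule also gains `getcap setcap` with no stated reason. `dac_override` lets the daemon bypass file permission bits, so it should not be folded silently into the base rule. I would keep that set on its own line under a why-comment, for example `# chroot and uid/gid switching (presumably at startup)` above `allow dhcpd_t self:capability { chown dac_override setgid setuid sys_chroot };`, and check the AVC log on a non-Gentoo host to see whether `dac_override` is requested at all. The same hunk drops the self `create_socket_perms` rules for unix and udp sockets and narrows tcp_socket to `{ accept listen }`; presumably an interface outside this hunk still grants socket creation, which should be confirmed on a running server.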
160 @@ -73,16 +70,21 @@ corenet_tcp_sendrecv_all_ports(dhcpd_t)
161 corenet_udp_sendrecv_all_ports(dhcpd_t)
162 corenet_tcp_bind_generic_node(dhcpd_t)
163 corenet_udp_bind_generic_node(dhcpd_t)
164 +
165 +corenet_sendrecv_dhcpd_server_packets(dhcpd_t)
166 corenet_tcp_bind_dhcpd_port(dhcpd_t)
167 corenet_udp_bind_dhcpd_port(dhcpd_t)
168 -corenet_udp_bind_pxe_port(dhcpd_t)
169 -corenet_tcp_connect_all_ports(dhcpd_t)
170 -corenet_sendrecv_dhcpd_server_packets(dhcpd_t)
171 +
172 corenet_sendrecv_pxe_server_packets(dhcpd_t)
173 +corenet_udp_bind_pxe_port(dhcpd_t)
174 +
175 corenet_sendrecv_all_client_packets(dhcpd_t)
176 -# Needed to detect open number of interfaces (common/discover.c::begin_iface_scan)
177 +corenet_tcp_connect_all_ports(dhcpd_t)
178 +
179 corenet_udp_bind_all_unreserved_ports(dhcpd_t)
180
181 +corecmd_exec_bin(dhcpd_t)
182 +
183 dev_read_sysfs(dhcpd_t)
184 dev_read_rand(dhcpd_t)
185 dev_read_urand(dhcpd_t)
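Review bot: `corenet_udp_bind_all_unreserved_ports(dhcpd_t)` loses its only rationale in this hunk: the removed comment `# Needed to detect open number of interfaces (common/discover.c::begin_iface_scan)` explained why the daemon may bind any unreserved UDP port, and after the reorder nothing does. I would restore that comment directly above the rule, because broad grants like this one and `corenet_tcp_connect_all_ports(dhcpd_t)` are the first lines an auditor will question. The last hunk of the file does the same to `# used for dynamic DNS` above `bind_read_dnssec_keys(dhcpd_t)`, and that comment is worth keeping as well.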
186 @@ -90,11 +92,8 @@ dev_read_urand(dhcpd_t)
187 fs_getattr_all_fs(dhcpd_t)
188 fs_search_auto_mountpoints(dhcpd_t)
189
190 -corecmd_exec_bin(dhcpd_t)
191 -
192 domain_use_interactive_fds(dhcpd_t)
193
194 -files_read_etc_files(dhcpd_t)
195 files_read_usr_files(dhcpd_t)
196 files_read_etc_runtime_files(dhcpd_t)
197 files_search_var_lib(dhcpd_t)
198 @@ -110,16 +109,11 @@ sysnet_read_dhcp_config(dhcpd_t)
199 userdom_dontaudit_use_unpriv_user_fds(dhcpd_t)
200 userdom_dontaudit_search_user_home_dirs(dhcpd_t)
201
202 -ifdef(`distro_gentoo',`
203 - allow dhcpd_t self:capability { chown dac_override setgid setuid sys_chroot };
204 -')
205 -
206 tunable_policy(`dhcpd_use_ldap',`
207 sysnet_use_ldap(dhcpd_t)
208 ')
209
210 optional_policy(`
211 - # used for dynamic DNS
212 bind_read_dnssec_keys(dhcpd_t)
213 ')