commit: 47a8f40ec73bd819767b06a155cdff7b5f756b4c |
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com> |
AuthorDate: Fri Sep 28 09:32:16 2012 +0000 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
CommitDate: Fri Sep 28 17:42:03 2012 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=47a8f40e |
|
Changes to the dhcpd policy module |
|
Ported from Fedora with changes |
|
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com> |
|
--- |
policy/modules/contrib/dhcp.fc | 4 +- |
policy/modules/contrib/dhcp.if | 17 +++++++------- |
policy/modules/contrib/dhcp.te | 46 +++++++++++++++++---------------------- |
3 files changed, 31 insertions(+), 36 deletions(-) |
|
diff --git a/policy/modules/contrib/dhcp.fc b/policy/modules/contrib/dhcp.fc |
21 |
index 767e0c7..7956248 100644 |
22 |
--- a/policy/modules/contrib/dhcp.fc |
23 |
+++ b/policy/modules/contrib/dhcp.fc |
24 |
@@ -1,8 +1,8 @@ |
25 |
-/etc/rc\.d/init\.d/dhcpd -- gen_context(system_u:object_r:dhcpd_initrc_exec_t,s0) |
26 |
+/etc/rc\.d/init\.d/dhcpd(6)? -- gen_context(system_u:object_r:dhcpd_initrc_exec_t,s0) |
27 |
|
28 |
/usr/sbin/dhcpd.* -- gen_context(system_u:object_r:dhcpd_exec_t,s0) |
29 |
|
30 |
/var/lib/dhcpd(/.*)? gen_context(system_u:object_r:dhcpd_state_t,s0) |
31 |
/var/lib/dhcp(3)?/dhcpd\.leases.* -- gen_context(system_u:object_r:dhcpd_state_t,s0) |
32 |
|
33 |
-/var/run/dhcpd\.pid -- gen_context(system_u:object_r:dhcpd_var_run_t,s0) |
34 |
+/var/run/dhcpd(6)?\.pid -- gen_context(system_u:object_r:dhcpd_var_run_t,s0) |
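Review bot: The init-script and pid-file patterns gain an optional `6` for an IPv6 instance, but the lease-file pattern two lines above, `/var/lib/dhcp(3)?/dhcpd\.leases.*`, does not, so a `dhcpd6.leases` written under `/var/lib/dhcp` would take the directory's default type instead of `dhcpd_state_t` and the daemon would be denied on it. Leases under `/var/lib/dhcpd/` are already covered by the `(/.*)?` pattern, so this only matters for the `/var/lib/dhcp(3)?` layout, and whether the IPv6 init script writes there is not visible in this diff. If it does, extend the pattern the same way: `/var/lib/dhcp(3)?/dhcpd(6)?\.leases.* -- gen_context(system_u:object_r:dhcpd_state_t,s0)`.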
35 |
|
36 |
diff --git a/policy/modules/contrib/dhcp.if b/policy/modules/contrib/dhcp.if |
37 |
index 5e2cea8..c697edb 100644 |
38 |
--- a/policy/modules/contrib/dhcp.if |
39 |
+++ b/policy/modules/contrib/dhcp.if |
40 |
@@ -1,8 +1,8 @@ |
41 |
-## <summary>Dynamic host configuration protocol (DHCP) server</summary> |
42 |
+## <summary>Dynamic host configuration protocol server.</summary> |
43 |
|
44 |
######################################## |
45 |
## <summary> |
46 |
-## Transition to dhcpd. |
47 |
+## Execute a domain transition to run dhcpd. |
48 |
## </summary> |
49 |
## <param name="domain"> |
50 |
## <summary> |
51 |
@@ -21,8 +21,8 @@ interface(`dhcpd_domtrans',` |
52 |
|
53 |
######################################## |
54 |
## <summary> |
55 |
-## Set the attributes of the DCHP |
56 |
-## server state files. |
57 |
+## Set attributes of dhcpd server |
58 |
+## state files. |
59 |
## </summary> |
60 |
## <param name="domain"> |
61 |
## <summary> |
62 |
@@ -60,8 +60,8 @@ interface(`dhcpd_initrc_domtrans',` |
63 |
|
64 |
######################################## |
65 |
## <summary> |
66 |
-## All of the rules required to administrate |
67 |
-## an dhcp environment |
68 |
+## All of the rules required to |
69 |
+## administrate an dhcpd environment. |
70 |
## </summary> |
71 |
## <param name="domain"> |
72 |
## <summary> |
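Review bot: The rewritten summary on the new side reads `administrate an dhcpd environment`, which keeps the wrong article from the old text; `dhcpd` takes `a`, and `administer` is the usual verb. Suggested wording for the two lines: `## All of the rules required to` / `## administer a dhcpd environment.`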
73 |
@@ -70,14 +70,14 @@ interface(`dhcpd_initrc_domtrans',` |
74 |
## </param> |
75 |
## <param name="role"> |
76 |
## <summary> |
77 |
-## The role to be allowed to manage the dhcp domain. |
78 |
+## Role allowed access. |
79 |
## </summary> |
80 |
## </param> |
81 |
## <rolecap/> |
82 |
# |
83 |
interface(`dhcpd_admin',` |
84 |
gen_require(` |
85 |
- type dhcpd_t; type dhcpd_tmp_t; type dhcpd_state_t; |
86 |
+ type dhcpd_t, dhcpd_tmp_t, dhcpd_state_t; |
87 |
type dhcpd_var_run_t, dhcpd_initrc_exec_t; |
88 |
') |
89 |
|
90 |
@@ -92,6 +92,7 @@ interface(`dhcpd_admin',` |
91 |
files_list_tmp($1) |
92 |
admin_pattern($1, dhcpd_tmp_t) |
93 |
|
94 |
+ files_list_var_lib($1) |
95 |
admin_pattern($1, dhcpd_state_t) |
96 |
|
97 |
files_list_pids($1) |
98 |
|
99 |
diff --git a/policy/modules/contrib/dhcp.te b/policy/modules/contrib/dhcp.te |
100 |
index ed07b26..c93c3db 100644 |
101 |
--- a/policy/modules/contrib/dhcp.te |
102 |
+++ b/policy/modules/contrib/dhcp.te |
103 |
@@ -1,4 +1,4 @@ |
104 |
-policy_module(dhcp, 1.10.0) |
105 |
+policy_module(dhcp, 1.10.1) |
106 |
|
107 |
######################################## |
108 |
# |
109 |
@@ -6,9 +6,10 @@ policy_module(dhcp, 1.10.0) |
110 |
# |
111 |
|
112 |
## <desc> |
113 |
-## <p> |
114 |
-## Allow DHCP daemon to use LDAP backends |
115 |
-## </p> |
116 |
+## <p> |
117 |
+## Determine whether DHCP daemon |
118 |
+## can use LDAP backends. |
119 |
+## </p> |
120 |
## </desc> |
121 |
gen_tunable(dhcpd_use_ldap, false) |
122 |
|
123 |
@@ -33,30 +34,26 @@ files_pid_file(dhcpd_var_run_t) |
124 |
# Local policy |
125 |
# |
126 |
|
127 |
-allow dhcpd_t self:capability { net_raw sys_resource }; |
128 |
+allow dhcpd_t self:capability { chown dac_override sys_chroot net_raw setgid setuid sys_resource }; |
129 |
dontaudit dhcpd_t self:capability { net_admin sys_tty_config }; |
130 |
-allow dhcpd_t self:process signal_perms; |
131 |
+allow dhcpd_t self:process { getcap setcap signal_perms }; |
132 |
allow dhcpd_t self:fifo_file rw_fifo_file_perms; |
133 |
-allow dhcpd_t self:unix_dgram_socket create_socket_perms; |
134 |
-allow dhcpd_t self:unix_stream_socket create_socket_perms; |
135 |
-allow dhcpd_t self:tcp_socket create_stream_socket_perms; |
136 |
-allow dhcpd_t self:udp_socket create_socket_perms; |
137 |
-# Allow dhcpd_t to use packet sockets |
138 |
+allow dhcpd_t self:tcp_socket { accept listen }; |
139 |
allow dhcpd_t self:packet_socket create_socket_perms; |
140 |
allow dhcpd_t self:rawip_socket create_socket_perms; |
141 |
|
142 |
-can_exec(dhcpd_t, dhcpd_exec_t) |
143 |
- |
144 |
manage_files_pattern(dhcpd_t, dhcpd_state_t, dhcpd_state_t) |
145 |
sysnet_dhcp_state_filetrans(dhcpd_t, dhcpd_state_t, file) |
146 |
|
147 |
manage_dirs_pattern(dhcpd_t, dhcpd_tmp_t, dhcpd_tmp_t) |
148 |
manage_files_pattern(dhcpd_t, dhcpd_tmp_t, dhcpd_tmp_t) |
149 |
-files_tmp_filetrans(dhcpd_t, dhcpd_tmp_t, { file dir }) |
150 |
+files_tmp_filetrans(dhcpd_t, dhcpd_tmp_t, { dir file }) |
151 |
|
152 |
manage_files_pattern(dhcpd_t, dhcpd_var_run_t, dhcpd_var_run_t) |
153 |
files_pid_filetrans(dhcpd_t, dhcpd_var_run_t, file) |
154 |
|
155 |
+can_exec(dhcpd_t, dhcpd_exec_t) |
156 |
+ |
157 |
kernel_read_system_state(dhcpd_t) |
158 |
kernel_read_kernel_sysctls(dhcpd_t) |
159 |
kernel_read_network_state(dhcpd_t) |
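Review bot: The capability line at the top of the hunk grants `chown dac_override sys_chroot setgid setuid` to every dhcpd_t instance, where the removed `distro_gentoo` block previously limited them to Gentoo, and nothing in the module records why dhcpd needs them. `dac_override` in particular lets the daemon ignore permission bits on any file its type rules already reach, and in refpolicy it is commonly a symptom of files owned by the wrong user (for example a root-owned lease or pid file touched after dhcpd has switched to its service user) rather than a real requirement, so it is worth confirming against an audit log and, if it only appears as a harmless denial, moving it to the `dontaudit` line instead. At minimum add a why-comment above the allow, e.g. `# setuid/setgid/sys_chroot: -user/-group/-chroot privilege drop; chown/dac_override: lease and pid files created before dropping root -- confirm against audit`. The `accept listen` remainder on `tcp_socket` and the dropped create rules presumably rely on base socket permissions coming from the corenet bind/connect interfaces further down; that dependency is not visible in this hunk and deserves a short comment too.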
160 |
@@ -73,16 +70,21 @@ corenet_tcp_sendrecv_all_ports(dhcpd_t) |
161 |
corenet_udp_sendrecv_all_ports(dhcpd_t) |
162 |
corenet_tcp_bind_generic_node(dhcpd_t) |
163 |
corenet_udp_bind_generic_node(dhcpd_t) |
164 |
+ |
165 |
+corenet_sendrecv_dhcpd_server_packets(dhcpd_t) |
166 |
corenet_tcp_bind_dhcpd_port(dhcpd_t) |
167 |
corenet_udp_bind_dhcpd_port(dhcpd_t) |
168 |
-corenet_udp_bind_pxe_port(dhcpd_t) |
169 |
-corenet_tcp_connect_all_ports(dhcpd_t) |
170 |
-corenet_sendrecv_dhcpd_server_packets(dhcpd_t) |
171 |
+ |
172 |
corenet_sendrecv_pxe_server_packets(dhcpd_t) |
173 |
+corenet_udp_bind_pxe_port(dhcpd_t) |
174 |
+ |
175 |
corenet_sendrecv_all_client_packets(dhcpd_t) |
176 |
-# Needed to detect open number of interfaces (common/discover.c::begin_iface_scan) |
177 |
+corenet_tcp_connect_all_ports(dhcpd_t) |
178 |
+ |
179 |
corenet_udp_bind_all_unreserved_ports(dhcpd_t) |
180 |
|
181 |
+corecmd_exec_bin(dhcpd_t) |
182 |
+ |
183 |
dev_read_sysfs(dhcpd_t) |
184 |
dev_read_rand(dhcpd_t) |
185 |
dev_read_urand(dhcpd_t) |
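Review bot: The reordering drops the only rationale comment in this block, `# Needed to detect open number of interfaces (common/discover.c::begin_iface_scan)`, which explained why `corenet_udp_bind_all_unreserved_ports(dhcpd_t)` is granted; binding any unreserved UDP port is a broad allowance and the pointer into the ISC source is exactly what a later reviewer needs to judge whether it is still required. Restore it directly above that line, e.g. `# Needed to detect the number of interfaces (common/discover.c::begin_iface_scan)`. `corenet_tcp_connect_all_ports(dhcpd_t)` is carried over unchanged and is similarly wide (possibly for the LDAP or dynamic-DNS paths); it is pre-existing, but a one-line why-comment next to it would help as well.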
186 |
@@ -90,11 +92,8 @@ dev_read_urand(dhcpd_t) |
187 |
fs_getattr_all_fs(dhcpd_t) |
188 |
fs_search_auto_mountpoints(dhcpd_t) |
189 |
|
190 |
-corecmd_exec_bin(dhcpd_t) |
191 |
- |
192 |
domain_use_interactive_fds(dhcpd_t) |
193 |
|
194 |
-files_read_etc_files(dhcpd_t) |
195 |
files_read_usr_files(dhcpd_t) |
196 |
files_read_etc_runtime_files(dhcpd_t) |
197 |
files_search_var_lib(dhcpd_t) |
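Review bot: `files_read_etc_files(dhcpd_t)` is removed while `files_read_etc_runtime_files` and `files_read_usr_files` stay, and nothing in this hunk replaces it; the module's own `sysnet_read_dhcp_config` (visible in the next hunk header) only covers the dhcp configuration type, so if dhcpd still reads any generic `etc_t` file, such as name lookups for the account it drops privileges to, it would be denied at start-up. This is fine if read access to `etc_t` is now granted by a base interface this domain already calls outside the visible hunks, but that is not shown here. If the removal relies on such a rule, a one-line comment saying so saves the next reader the same question; otherwise the line should be kept.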
198 |
@@ -110,16 +109,11 @@ sysnet_read_dhcp_config(dhcpd_t) |
199 |
userdom_dontaudit_use_unpriv_user_fds(dhcpd_t) |
200 |
userdom_dontaudit_search_user_home_dirs(dhcpd_t) |
201 |
|
202 |
-ifdef(`distro_gentoo',` |
203 |
- allow dhcpd_t self:capability { chown dac_override setgid setuid sys_chroot }; |
204 |
-') |
205 |
- |
206 |
tunable_policy(`dhcpd_use_ldap',` |
207 |
sysnet_use_ldap(dhcpd_t) |
208 |
') |
209 |
|
210 |
optional_policy(` |
211 |
- # used for dynamic DNS |
212 |
bind_read_dnssec_keys(dhcpd_t) |
213 |
') |