1 |
commit: 79bc0312e32c580b2d05fab4f194886cc9f9e0af |
2 |
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com> |
3 |
AuthorDate: Tue Oct 2 09:57:54 2012 +0000 |
4 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
5 |
CommitDate: Tue Oct 2 18:07:47 2012 +0000 |
6 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=79bc0312 |
7 |
|
8 |
Changes to the gift policy module |
9 |
|
10 |
Use role attributes |
11 |
Module clean up |
12 |
|
13 |
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com> |
14 |
|
15 |
--- |
16 |
policy/modules/contrib/gift.fc | 10 +++++----- |
17 |
policy/modules/contrib/gift.if | 22 ++++++++++------------ |
18 |
policy/modules/contrib/gift.te | 28 +++++++++++++++------------- |
19 |
3 files changed, 30 insertions(+), 30 deletions(-) |
20 |
|
21 |
diff --git a/policy/modules/contrib/gift.fc b/policy/modules/contrib/gift.fc |
22 |
index df7ced4..e27fa51 100644 |
23 |
--- a/policy/modules/contrib/gift.fc |
24 |
+++ b/policy/modules/contrib/gift.fc |
25 |
@@ -1,6 +1,6 @@ |
26 |
-HOME_DIR/\.giFT(/.*)? gen_context(system_u:object_r:gift_home_t,s0) |
27 |
+HOME_DIR/\.giFT(/.*)? gen_context(system_u:object_r:gift_home_t,s0) |
28 |
|
29 |
-/usr/(local/)?bin/apollon -- gen_context(system_u:object_r:gift_exec_t,s0) |
30 |
-/usr/(local/)?bin/giftd -- gen_context(system_u:object_r:giftd_exec_t,s0) |
31 |
-/usr/(local/)?bin/giftui -- gen_context(system_u:object_r:gift_exec_t,s0) |
32 |
-/usr/(local/)?bin/giFToxic -- gen_context(system_u:object_r:gift_exec_t,s0) |
33 |
+/usr/bin/apollon -- gen_context(system_u:object_r:gift_exec_t,s0) |
34 |
+/usr/bin/giftd -- gen_context(system_u:object_r:giftd_exec_t,s0) |
35 |
+/usr/bin/giftui -- gen_context(system_u:object_r:gift_exec_t,s0) |
36 |
+/usr/bin/giFToxic -- gen_context(system_u:object_r:gift_exec_t,s0) |
37 |
|
38 |
diff --git a/policy/modules/contrib/gift.if b/policy/modules/contrib/gift.if |
39 |
index c9b90d3..37ed132 100644 |
40 |
--- a/policy/modules/contrib/gift.if |
41 |
+++ b/policy/modules/contrib/gift.if |
42 |
@@ -1,42 +1,40 @@ |
43 |
-## <summary>giFT peer to peer file sharing tool</summary> |
44 |
+## <summary>Peer to peer file sharing tool.</summary> |
45 |
|
46 |
-############################################################ |
47 |
+######################################## |
48 |
## <summary> |
49 |
-## Role access for gift |
50 |
+## Role access for gift. |
51 |
## </summary> |
52 |
## <param name="role"> |
53 |
## <summary> |
54 |
-## Role allowed access |
55 |
+## Role allowed access. |
56 |
## </summary> |
57 |
## </param> |
58 |
## <param name="domain"> |
59 |
## <summary> |
60 |
-## User domain for the role |
61 |
+## User domain for the role. |
62 |
## </summary> |
63 |
## </param> |
64 |
# |
65 |
interface(`gift_role',` |
66 |
gen_require(` |
67 |
- type gift_t, gift_exec_t; |
68 |
+ attribute_role gift_roles; |
69 |
+ type gift_t, gift_exec_t, gift_home_t; |
70 |
type giftd_t, giftd_exec_t; |
71 |
- type gift_home_t; |
72 |
') |
73 |
|
74 |
- role $1 types { gift_t giftd_t }; |
75 |
+ roleattribute $1 gift_roles; |
76 |
|
77 |
- # transition from user domain |
78 |
domtrans_pattern($2, gift_exec_t, gift_t) |
79 |
domtrans_pattern($2, giftd_exec_t, giftd_t) |
80 |
|
81 |
- # user managed content |
82 |
manage_dirs_pattern($2, gift_home_t, gift_home_t) |
83 |
manage_files_pattern($2, gift_home_t, gift_home_t) |
84 |
manage_lnk_files_pattern($2, gift_home_t, gift_home_t) |
85 |
+ |
86 |
relabel_dirs_pattern($2, gift_home_t, gift_home_t) |
87 |
relabel_files_pattern($2, gift_home_t, gift_home_t) |
88 |
relabel_lnk_files_pattern($2, gift_home_t, gift_home_t) |
89 |
|
90 |
- # Allow the user domain to signal/ps. |
91 |
ps_process_pattern($2, { gift_t giftd_t }) |
92 |
- allow $2 { gift_t giftd_t }:process signal_perms; |
93 |
+ allow $2 { gift_t giftd_t }:process { ptrace signal_perms }; |
94 |
') |
95 |
|
96 |
diff --git a/policy/modules/contrib/gift.te b/policy/modules/contrib/gift.te |
97 |
index 4975343..ac25b97 100644 |
98 |
--- a/policy/modules/contrib/gift.te |
99 |
+++ b/policy/modules/contrib/gift.te |
100 |
@@ -1,15 +1,18 @@ |
101 |
-policy_module(gift, 2.3.0) |
102 |
+policy_module(gift, 2.3.1) |
103 |
|
104 |
######################################## |
105 |
# |
106 |
# Declarations |
107 |
# |
108 |
|
109 |
+attribute_role gift_roles; |
110 |
+ |
111 |
type gift_t; |
112 |
type gift_exec_t; |
113 |
typealias gift_t alias { user_gift_t staff_gift_t sysadm_gift_t }; |
114 |
typealias gift_t alias { auditadm_gift_t secadm_gift_t }; |
115 |
userdom_user_application_domain(gift_t, gift_exec_t) |
116 |
+role gift_roles types gift_t; |
117 |
|
118 |
type gift_home_t; |
119 |
typealias gift_home_t alias { user_gift_home_t staff_gift_home_t sysadm_gift_home_t }; |
120 |
@@ -26,10 +29,11 @@ type giftd_exec_t; |
121 |
typealias giftd_t alias { user_giftd_t staff_giftd_t sysadm_giftd_t }; |
122 |
typealias giftd_t alias { auditadm_giftd_t secadm_giftd_t }; |
123 |
userdom_user_application_domain(giftd_t, giftd_exec_t) |
124 |
+role gift_roles types gift_t; |
125 |
|
126 |
############################## |
127 |
# |
128 |
-# giFT user interface local policy |
129 |
+# Client local policy |
130 |
# |
131 |
|
132 |
allow gift_t self:tcp_socket create_socket_perms; |
133 |
@@ -45,26 +49,23 @@ manage_files_pattern(gift_t, gift_home_t, gift_home_t) |
134 |
manage_lnk_files_pattern(gift_t, gift_home_t, gift_home_t) |
135 |
userdom_user_home_dir_filetrans(gift_t, gift_home_t, dir) |
136 |
|
137 |
-# Launch gift daemon |
138 |
domtrans_pattern(gift_t, giftd_exec_t, giftd_t) |
139 |
|
140 |
-# Read /proc/meminfo |
141 |
kernel_read_system_state(gift_t) |
142 |
|
143 |
-# Connect to gift daemon |
144 |
corenet_all_recvfrom_unlabeled(gift_t) |
145 |
corenet_all_recvfrom_netlabel(gift_t) |
146 |
corenet_tcp_sendrecv_generic_if(gift_t) |
147 |
corenet_tcp_sendrecv_generic_node(gift_t) |
148 |
-corenet_tcp_sendrecv_giftd_port(gift_t) |
149 |
-corenet_tcp_connect_giftd_port(gift_t) |
150 |
+ |
151 |
corenet_sendrecv_giftd_client_packets(gift_t) |
152 |
+corenet_tcp_connect_giftd_port(gift_t) |
153 |
+corenet_tcp_sendrecv_giftd_port(gift_t) |
154 |
|
155 |
fs_search_auto_mountpoints(gift_t) |
156 |
|
157 |
sysnet_read_config(gift_t) |
158 |
|
159 |
-# giftui looks in .icons, .themes. |
160 |
userdom_dontaudit_read_user_home_content_files(gift_t) |
161 |
|
162 |
tunable_policy(`use_nfs_home_dirs',` |
163 |
@@ -89,7 +90,7 @@ optional_policy(` |
164 |
|
165 |
############################## |
166 |
# |
167 |
-# giFT server local policy |
168 |
+# Server local policy |
169 |
# |
170 |
|
171 |
allow giftd_t self:process { signal setsched }; |
172 |
@@ -105,7 +106,6 @@ userdom_user_home_dir_filetrans(giftd_t, gift_home_t, dir) |
173 |
kernel_read_system_state(giftd_t) |
174 |
kernel_read_kernel_sysctls(giftd_t) |
175 |
|
176 |
-# Serve content on various p2p networks. Ports can be random. |
177 |
corenet_all_recvfrom_unlabeled(giftd_t) |
178 |
corenet_all_recvfrom_netlabel(giftd_t) |
179 |
corenet_tcp_sendrecv_generic_if(giftd_t) |
180 |
@@ -116,14 +116,16 @@ corenet_tcp_sendrecv_all_ports(giftd_t) |
181 |
corenet_udp_sendrecv_all_ports(giftd_t) |
182 |
corenet_tcp_bind_generic_node(giftd_t) |
183 |
corenet_udp_bind_generic_node(giftd_t) |
184 |
+ |
185 |
+corenet_sendrecv_all_server_packets(giftd_t) |
186 |
corenet_tcp_bind_all_ports(giftd_t) |
187 |
corenet_udp_bind_all_ports(giftd_t) |
188 |
-corenet_tcp_connect_all_ports(giftd_t) |
189 |
+ |
190 |
corenet_sendrecv_all_client_packets(giftd_t) |
191 |
+corenet_tcp_connect_all_ports(giftd_t) |
192 |
|
193 |
-files_read_usr_files(giftd_t) |
194 |
-# Read /etc/mtab |
195 |
files_read_etc_runtime_files(giftd_t) |
196 |
+files_read_usr_files(giftd_t) |
197 |
|
198 |
miscfiles_read_localization(giftd_t) |