| 1 |
commit: f60407b3ca7141300739ca9edc20e2c65aa53e46 |
| 2 |
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com> |
| 3 |
AuthorDate: Mon Oct 29 09:48:56 2012 +0000 |
| 4 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
| 5 |
CommitDate: Mon Oct 29 14:48:46 2012 +0000 |
| 6 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f60407b3 |
| 7 |
|
| 8 |
Changes to the tcpd policy module |
| 9 |
|
| 10 |
Module clean up |
| 11 |
|
| 12 |
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com> |
| 13 |
|
| 14 |
--- |
| 15 |
policy/modules/contrib/tcpd.fc | 1 - |
| 16 |
policy/modules/contrib/tcpd.if | 3 ++- |
| 17 |
policy/modules/contrib/tcpd.te | 7 +++---- |
| 18 |
3 files changed, 5 insertions(+), 6 deletions(-) |
| 19 |
|
| 20 |
diff --git a/policy/modules/contrib/tcpd.fc b/policy/modules/contrib/tcpd.fc |
| 21 |
index 393345c..034ec7f 100644 |
| 22 |
--- a/policy/modules/contrib/tcpd.fc |
| 23 |
+++ b/policy/modules/contrib/tcpd.fc |
| 24 |
@@ -1,2 +1 @@ |
| 25 |
- |
| 26 |
/usr/sbin/tcpd -- gen_context(system_u:object_r:tcpd_exec_t,s0) |
| 27 |
|
| 28 |
diff --git a/policy/modules/contrib/tcpd.if b/policy/modules/contrib/tcpd.if |
| 29 |
index 2075ebb..9eb34fd 100644 |
| 30 |
--- a/policy/modules/contrib/tcpd.if |
| 31 |
+++ b/policy/modules/contrib/tcpd.if |
| 32 |
@@ -1,4 +1,4 @@ |
| 33 |
-## <summary>Policy for TCP daemon.</summary> |
| 34 |
+## <summary>TCP daemon.</summary> |
| 35 |
|
| 36 |
######################################## |
| 37 |
## <summary> |
| 38 |
@@ -15,6 +15,7 @@ interface(`tcpd_domtrans',` |
| 39 |
type tcpd_t, tcpd_exec_t; |
| 40 |
') |
| 41 |
|
| 42 |
+ corecmd_search_bin($1) |
| 43 |
domtrans_pattern($1, tcpd_exec_t, tcpd_t) |
| 44 |
') |
| 45 |
|
| 46 |
|
| 47 |
diff --git a/policy/modules/contrib/tcpd.te b/policy/modules/contrib/tcpd.te |
| 48 |
index 7038b55..f388db3 100644 |
| 49 |
--- a/policy/modules/contrib/tcpd.te |
| 50 |
+++ b/policy/modules/contrib/tcpd.te |
| 51 |
@@ -1,13 +1,13 @@ |
| 52 |
-policy_module(tcpd, 1.4.0) |
| 53 |
+policy_module(tcpd, 1.4.1) |
| 54 |
|
| 55 |
######################################## |
| 56 |
# |
| 57 |
# Declarations |
| 58 |
# |
| 59 |
+ |
| 60 |
type tcpd_t; |
| 61 |
type tcpd_exec_t; |
| 62 |
inetd_tcp_service_domain(tcpd_t, tcpd_exec_t) |
| 63 |
-role system_r types tcpd_t; |
| 64 |
|
| 65 |
type tcpd_tmp_t; |
| 66 |
files_tmp_file(tcpd_tmp_t) |
| 67 |
@@ -16,6 +16,7 @@ files_tmp_file(tcpd_tmp_t) |
| 68 |
# |
| 69 |
# Local policy |
| 70 |
# |
| 71 |
+ |
| 72 |
allow tcpd_t self:tcp_socket create_stream_socket_perms; |
| 73 |
|
| 74 |
manage_dirs_pattern(tcpd_t, tcpd_tmp_t, tcpd_tmp_t) |
| 75 |
@@ -30,11 +31,9 @@ corenet_tcp_sendrecv_all_ports(tcpd_t) |
| 76 |
|
| 77 |
fs_getattr_xattr_fs(tcpd_t) |
| 78 |
|
| 79 |
-# Run other daemons in the inetd child domain. |
| 80 |
corecmd_search_bin(tcpd_t) |
| 81 |
|
| 82 |
files_read_etc_files(tcpd_t) |
| 83 |
-# no good reason for files_dontaudit_search_var, probably nscd |
| 84 |
files_dontaudit_search_var(tcpd_t) |
| 85 |
|
| 86 |
logging_send_syslog_msg(tcpd_t) |
Archives