commit: f60407b3ca7141300739ca9edc20e2c65aa53e46 |
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com> |
AuthorDate: Mon Oct 29 09:48:56 2012 +0000 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
CommitDate: Mon Oct 29 14:48:46 2012 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f60407b3 |
|
Changes to the tcpd policy module |
|
Module clean up |
|
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com> |
|
--- |
policy/modules/contrib/tcpd.fc | 1 - |
policy/modules/contrib/tcpd.if | 3 ++- |
policy/modules/contrib/tcpd.te | 7 +++---- |
3 files changed, 5 insertions(+), 6 deletions(-) |
|
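diff --git a/policy/modules/contrib/tcpd.fc b/policy/modules/contrib/tcpd.fc
index 393345c..034ec7f 100644
--- a/policy/modules/contrib/tcpd.fc
+++ b/policy/modules/contrib/tcpd.fc
@@ -1,2 +1 @@
-
 /usr/sbin/tcpd -- gen_context(system_u:object_r:tcpd_exec_t,s0)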
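diff --git a/policy/modules/contrib/tcpd.if b/policy/modules/contrib/tcpd.if
index 2075ebb..9eb34fd 100644
--- a/policy/modules/contrib/tcpd.if
+++ b/policy/modules/contrib/tcpd.if
@@ -1,4 +1,4 @@
-## <summary>Policy for TCP daemon.</summary>
+## <summary>TCP daemon.</summary>
 
 ########################################
 ## <summary>
@@ -15,6 +15,7 @@ interface(`tcpd_domtrans',`
 type tcpd_t, tcpd_exec_t;
 ')
 
+ corecmd_search_bin($1)
 domtrans_pattern($1, tcpd_exec_t, tcpd_t)
 ')
 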
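diff --git a/policy/modules/contrib/tcpd.te b/policy/modules/contrib/tcpd.te
index 7038b55..f388db3 100644
--- a/policy/modules/contrib/tcpd.te
+++ b/policy/modules/contrib/tcpd.te
@@ -1,13 +1,13 @@
-policy_module(tcpd, 1.4.0)
+policy_module(tcpd, 1.4.1)
 
 ########################################
 #
 # Declarations
 #
+
 type tcpd_t;
 type tcpd_exec_t;
 inetd_tcp_service_domain(tcpd_t, tcpd_exec_t)
-role system_r types tcpd_t;
 
 type tcpd_tmp_t;
 files_tmp_file(tcpd_tmp_t)
@@ -16,6 +16,7 @@ files_tmp_file(tcpd_tmp_t)
 #
 # Local policy
 #
+
 allow tcpd_t self:tcp_socket create_stream_socket_perms;
 
 manage_dirs_pattern(tcpd_t, tcpd_tmp_t, tcpd_tmp_t)
@@ -30,11 +31,9 @@ corenet_tcp_sendrecv_all_ports(tcpd_t)
 
 fs_getattr_xattr_fs(tcpd_t)
 
-# Run other daemons in the inetd child domain.
 corecmd_search_bin(tcpd_t)
 
 files_read_etc_files(tcpd_t)
-# no good reason for files_dontaudit_search_var, probably nscd
 files_dontaudit_search_var(tcpd_t)
 
 logging_send_syslog_msg(tcpd_t)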
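Review bot: In the last hunk, `files_dontaudit_search_var(tcpd_t)` is kept while the comment that marked it as unexplained (`# no good reason for files_dontaudit_search_var, probably nscd`) is removed, so the policy now silences those denials with no record that the rule was never justified. A dontaudit rule keeps the AVC denial out of the audit log, which is where an operator would notice tcpd_t searching /var unexpectedly. Either keep a short rationale next to it, e.g. `# dontaudit /var search; suspected nscd lookup, unconfirmed`, or drop the rule and check which denials actually appear. Separately, the first hunk removes `role system_r types tcpd_t;`, which is only safe if `inetd_tcp_service_domain()` already associates tcpd_t with system_r, and that is not visible on this page.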