
From: Sven Vermeulen <sven.vermeulen@××××××.be>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
Date: Wed, 31 Oct 2012 18:11:22
Message-Id: 1351706657.f18e2cf0e7b93e4f5a3a0afaff70aa787ae9dfac.SwifT@gentoo
1 commit: f18e2cf0e7b93e4f5a3a0afaff70aa787ae9dfac
2 Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
3 AuthorDate: Wed Oct 31 08:05:21 2012 +0000
4 Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
5 CommitDate: Wed Oct 31 18:04:17 2012 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f18e2cf0
7
8 Changes to the vdagent policy module
9
10 Add init script file
11 Ported from Fedora with changes
12
13 Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
14
15 ---
16 policy/modules/contrib/vdagent.fc | 4 +++-
17 policy/modules/contrib/vdagent.if | 30 ++++++++++++++++++++----------
18 policy/modules/contrib/vdagent.te | 27 +++++++++++++++++++--------
19 3 files changed, 42 insertions(+), 19 deletions(-)
20
21 diff --git a/policy/modules/contrib/vdagent.fc b/policy/modules/contrib/vdagent.fc
22 index 394e9b3..45b6dde 100644
23 --- a/policy/modules/contrib/vdagent.fc
24 +++ b/policy/modules/contrib/vdagent.fc
25 @@ -1,7 +1,9 @@
26 +/etc/rc\.d/init\.d/spice-vdagentd -- gen_context(system_u:object_r:vdagentd_initrc_exec_t,s0)
27 +
28 /usr/sbin/spice-vdagentd -- gen_context(system_u:object_r:vdagent_exec_t,s0)
29
30 /var/log/spice-vdagentd(/.*)? gen_context(system_u:object_r:vdagent_log_t,s0)
31 -/var/log/spice-vdagentd\.log -- gen_context(system_u:object_r:vdagent_log_t,s0)
32 +/var/log/spice-vdagentd\.log.* -- gen_context(system_u:object_r:vdagent_log_t,s0)
33
34 /var/run/spice-vdagentd(/.*)? gen_context(system_u:object_r:vdagent_var_run_t,s0)
35 /var/run/spice-vdagentd\.pid -- gen_context(system_u:object_r:vdagent_var_run_t,s0)
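Review bot: The init-script type introduced on the first added line is named `vdagentd_initrc_exec_t`, while every other type in this module (`vdagent_exec_t`, `vdagent_log_t`, `vdagent_var_run_t`) carries the `vdagent_` prefix; the refpolicy convention for a module's init-script type would give `vdagent_initrc_exec_t`. The same name appears in the `vdagent_admin` hunk of vdagent.if and in the type-declaration hunk of vdagent.te, so a rename touches all three files. The path `/etc/rc\.d/init\.d/spice-vdagentd` follows the Fedora layout the commit message refers to; whether this tree also labels the Gentoo location under /etc/init.d cannot be seen here, and if it does not, the script keeps its generic init-script label and the `init_labeled_script_domtrans` call in the admin interface never matches.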
36
37 diff --git a/policy/modules/contrib/vdagent.if b/policy/modules/contrib/vdagent.if
38 index e59a074..31c752e 100644
39 --- a/policy/modules/contrib/vdagent.if
40 +++ b/policy/modules/contrib/vdagent.if
41 @@ -1,4 +1,4 @@
42 -## <summary>policy for vdagent</summary>
43 +## <summary>Spice agent for Linux.</summary>
44
45 ########################################
46 ## <summary>
47 @@ -15,12 +15,13 @@ interface(`vdagent_domtrans',`
48 type vdagent_t, vdagent_exec_t;
49 ')
50
51 + corecmd_search_bin($1)
52 domtrans_pattern($1, vdagent_exec_t, vdagent_t)
53 ')
54
55 #####################################
56 ## <summary>
57 -## Getattr on vdagent executable.
58 +## Get attributes of vdagent executable files.
59 ## </summary>
60 ## <param name="domain">
61 ## <summary>
62 @@ -33,12 +34,12 @@ interface(`vdagent_getattr_exec_files',`
63 type vdagent_exec_t;
64 ')
65
66 - allow $1 vdagent_exec_t:file getattr;
67 + allow $1 vdagent_exec_t:file getattr_file_perms;
68 ')
69
70 #######################################
71 ## <summary>
72 -## Get the attributes of vdagent logs.
73 +## Get attributes of vdagent log files.
74 ## </summary>
75 ## <param name="domain">
76 ## <summary>
77 @@ -57,7 +58,7 @@ interface(`vdagent_getattr_log',`
78
79 ########################################
80 ## <summary>
81 -## Read vdagent PID files.
82 +## Read vdagent pid files.
83 ## </summary>
84 ## <param name="domain">
85 ## <summary>
86 @@ -76,8 +77,8 @@ interface(`vdagent_read_pid_files',`
87
88 #####################################
89 ## <summary>
90 -## Connect to vdagent over a unix domain
91 -## stream socket.
92 +## Connect to vdagent with a unix
93 +## domain stream socket.
94 ## </summary>
95 ## <param name="domain">
96 ## <summary>
97 @@ -96,8 +97,8 @@ interface(`vdagent_stream_connect',`
98
99 ########################################
100 ## <summary>
101 -## All of the rules required to administrate
102 -## an vdagent environment
103 +## All of the rules required to
104 +## administrate an vdagent environment.
105 ## </summary>
106 ## <param name="domain">
107 ## <summary>
108 @@ -113,12 +114,21 @@ interface(`vdagent_stream_connect',`
109 #
110 interface(`vdagent_admin',`
111 gen_require(`
112 - type vdagent_t, vdagent_var_run_t;
113 + type vdagent_t, vdagent_var_run_t, vdagentd_initrc_exec_t;
114 + type vdagent_log_t;
115 ')
116
117 allow $1 vdagent_t:process signal_perms;
118 ps_process_pattern($1, vdagent_t)
119
120 + init_labeled_script_domtrans($1, vdagentd_initrc_exec_t)
121 + domain_system_change_exemption($1)
122 + role_transition $2 vdagentd_initrc_exec_t system_r;
123 + allow $2 system_r;
124 +
125 + logging_search_logs($1)
126 + admin_pattern($1, vdagent_log_t)
127 +
128 files_search_pids($1)
129 admin_pattern($1, vdagent_var_run_t)
130 ')
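Review bot: The added `role_transition $2 vdagentd_initrc_exec_t system_r;` and `allow $2 system_r;` make `vdagent_admin` depend on a second argument, but the interface header in the preceding hunk is cut off after `<param name="domain">`, so I cannot confirm a `<param name="role">` entry exists; if it is missing, add `## <param name="role"><summary>Role allowed access.</summary></param>` so callers know the interface now requires a role. The `domain_system_change_exemption($1)` together with the role transition is the usual refpolicy admin idiom, so nothing to change there. One thing worth a comment: `admin_pattern($1, vdagent_log_t)` gives the admin domain full management of the log type while the daemon itself is restricted to append/create/setattr in vdagent.te, which is deliberate for an admin interface but easy to misread as an inconsistency.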
131
132 diff --git a/policy/modules/contrib/vdagent.te b/policy/modules/contrib/vdagent.te
133 index 57578ae..77be35a 100644
134 --- a/policy/modules/contrib/vdagent.te
135 +++ b/policy/modules/contrib/vdagent.te
136 @@ -1,4 +1,4 @@
137 -policy_module(vdagent, 1.0.1)
138 +policy_module(vdagent, 1.0.2)
139
140 ########################################
141 #
142 @@ -9,6 +9,9 @@ type vdagent_t;
143 type vdagent_exec_t;
144 init_daemon_domain(vdagent_t, vdagent_exec_t)
145
146 +type vdagentd_initrc_exec_t;
147 +init_script_file(vdagentd_initrc_exec_t)
148 +
149 type vdagent_var_run_t;
150 files_pid_file(vdagent_var_run_t)
151
152 @@ -17,13 +20,13 @@ logging_log_file(vdagent_log_t)
153
154 ########################################
155 #
156 -# vdagent local policy
157 +# Local policy
158 #
159
160 dontaudit vdagent_t self:capability sys_admin;
161 -
162 +allow vdagent_t self:process signal;
163 allow vdagent_t self:fifo_file rw_fifo_file_perms;
164 -allow vdagent_t self:unix_stream_socket create_stream_socket_perms;
165 +allow vdagent_t self:unix_stream_socket { accept listen };
166
167 manage_dirs_pattern(vdagent_t, vdagent_var_run_t, vdagent_var_run_t)
168 manage_files_pattern(vdagent_t, vdagent_var_run_t, vdagent_var_run_t)
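Review bot: Replacing `create_stream_socket_perms` with `{ accept listen }` on `self:unix_stream_socket` removes the create/bind/setopt permissions from this module, which is only safe if the base `domain` attribute rules in this tree already grant them; that is not visible in the hunk and should be confirmed, otherwise the daemon can no longer create the listening socket it places under /var/run. If they are not provided elsewhere, restore `allow vdagent_t self:unix_stream_socket create_stream_socket_perms;`. If they are, a comment such as `# create/bind are inherited from the domain attribute; only listen/accept are module specific` above the rule would spare the next reader the same check.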
169 @@ -31,7 +34,9 @@ manage_sock_files_pattern(vdagent_t, vdagent_var_run_t, vdagent_var_run_t)
170 files_pid_filetrans(vdagent_t, vdagent_var_run_t, { dir file sock_file })
171
172 manage_dirs_pattern(vdagent_t, vdagent_log_t, vdagent_log_t)
173 -manage_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t)
174 +append_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t)
175 +create_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t)
176 +setattr_files_pattern(vdagent_t, vdagent_log_t, vdagent_log_t)
177 logging_log_filetrans(vdagent_t, vdagent_log_t, file)
178
179 dev_rw_input_dev(vdagent_t)
180 @@ -40,12 +45,18 @@ dev_dontaudit_write_mtrr(vdagent_t)
181
182 files_read_etc_files(vdagent_t)
183
184 +init_read_state(vdagent_t)
185 +
186 +logging_send_syslog_msg(vdagent_t)
187 +
188 miscfiles_read_localization(vdagent_t)
189
190 -optional_policy(`
191 - consolekit_dbus_chat(vdagent_t)
192 -')
193 +userdom_read_all_users_state(vdagent_t)
194
195 optional_policy(`
196 dbus_system_bus_client(vdagent_t)
197 +
198 + optional_policy(`
199 + consolekit_dbus_chat(vdagent_t)
200 + ')
201 ')
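Review bot: `userdom_read_all_users_state(vdagent_t)` grants read access to the /proc state of every user domain, which is a broad grant for a session agent, and nothing in the hunk explains what the daemon needs from it. A why-comment above the call, e.g. `# needed to <what vdagentd reads from user processes> -- TODO confirm`, would let a later reviewer judge whether a narrower interface suffices. Nesting `consolekit_dbus_chat` inside the `dbus_system_bus_client` optional block is consistent, since the ConsoleKit chat rule is only useful together with the dbus client rules.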