
From: Sven Vermeulen <sven.vermeulen@××××××.be>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
Date: Tue, 02 Oct 2012 18:24:16
Message-Id: 1349201216.3a8dfeed16e5aacda90b31b64657a1cd5c15687c.SwifT@gentoo
1 commit: 3a8dfeed16e5aacda90b31b64657a1cd5c15687c
2 Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
3 AuthorDate: Tue Oct 2 18:06:56 2012 +0000
4 Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
5 CommitDate: Tue Oct 2 18:06:56 2012 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=3a8dfeed
7
8 Initial firewalld policy module
9
10 ---
11 policy/modules/contrib/firewalld.fc | 10 ++++
12 policy/modules/contrib/firewalld.if | 43 ++++++++++++++++++
13 policy/modules/contrib/firewalld.te | 85 +++++++++++++++++++++++++++++++++++
14 3 files changed, 138 insertions(+), 0 deletions(-)
15
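diff --git a/policy/modules/contrib/firewalld.fc b/policy/modules/contrib/firewalld.fc
new file mode 100644
index 0000000..21d7b84
--- /dev/null
+++ b/policy/modules/contrib/firewalld.fc
@@ -0,0 +1,10 @@
+/etc/rc\.d/init\.d/firewalld -- gen_context(system_u:object_r:firewalld_initrc_exec_t,s0)
+
+/etc/firewalld(/.*)? gen_context(system_u:object_r:firewalld_etc_rw_t,s0)
+
+/usr/sbin/firewalld -- gen_context(system_u:object_r:firewalld_exec_t,s0)
+
+/var/log/firewalld.* -- gen_context(system_u:object_r:firewalld_var_log_t,s0)
+
+/var/run/firewalld(/.*)? gen_context(system_u:object_r:firewalld_var_run_t,s0)
+/var/run/firewalld\.pid -- gen_context(system_u:object_r:firewalld_var_run_t,s0)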
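Review bot: The `.` in `/var/log/firewalld.*` on the log entry is an unescaped regex metacharacter, so the pattern matches any regular file under /var/log whose name merely starts with `firewalld`, while every other entry in this file escapes its literal dots (`rc\.d`, `init\.d`, `firewalld\.pid`). If the broad prefix match is intended it is harmless, but if the goal is the daemon's own `firewalld.<suffix>` log names, the consistent and stricter spelling is `/var/log/firewalld\..* -- gen_context(system_u:object_r:firewalld_var_log_t,s0)`.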
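diff --git a/policy/modules/contrib/firewalld.if b/policy/modules/contrib/firewalld.if
new file mode 100644
index 0000000..82a225a
--- /dev/null
+++ b/policy/modules/contrib/firewalld.if
@@ -0,0 +1,43 @@
+## <summary>Service daemon with a D-BUS interface that provides a dynamic managed firewall.</summary>
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an firewalld environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`firewalld_admin',`
+ gen_require(`
+ type firewalld_t, firewalld_initrc_exec_t;
+ type firewall_etc_rw_t, firewalld_var_run_t;
+ type firewalld_var_log_t;
+ ')
+
+ allow $1 firewalld_t:process { ptrace signal_perms };
+ ps_process_pattern($1, firewalld_t)
+
+ init_labeled_script_domtrans($1, firewalld_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 firewalld_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_search_pids($1)
+ admin_pattern($1, firewalld_var_run_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, firewalld_var_log_t)
+
+ files_search_etc($1)
+ admin_pattern($1, firewall_etc_rw_t)
+')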
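Review bot: The type `firewall_etc_rw_t` named in the gen_require block and again in the last admin_pattern call of firewalld_admin does not exist; the .te file in this same commit declares it as `firewalld_etc_rw_t`, so any module that calls `firewalld_admin()` will fail to build on the unknown type and, until then, the admin domain silently gets no rights over /etc/firewalld. Both lines need the corrected name: `type firewalld_etc_rw_t, firewalld_var_run_t;` and `admin_pattern($1, firewalld_etc_rw_t)`. The summary text "administrate an firewalld environment" should also read "administrate a firewalld environment".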
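diff --git a/policy/modules/contrib/firewalld.te b/policy/modules/contrib/firewalld.te
new file mode 100644
index 0000000..0010122
--- /dev/null
+++ b/policy/modules/contrib/firewalld.te
@@ -0,0 +1,85 @@
+policy_module(firewalld, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type firewalld_t;
+type firewalld_exec_t;
+init_daemon_domain(firewalld_t, firewalld_exec_t)
+
+type firewalld_initrc_exec_t;
+init_script_file(firewalld_initrc_exec_t)
+
+type firewalld_etc_rw_t;
+files_config_file(firewalld_etc_rw_t)
+
+type firewalld_var_log_t;
+logging_log_file(firewalld_var_log_t)
+
+type firewalld_var_run_t;
+files_pid_file(firewalld_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+dontaudit firewalld_t self:capability sys_tty_config;
+allow firewalld_t self:fifo_file rw_fifo_file_perms;
+allow firewalld_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
+manage_files_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
+
+allow firewalld_t firewalld_var_log_t:file append_file_perms;
+allow firewalld_t firewalld_var_log_t:file create_file_perms;
+allow firewalld_t firewalld_var_log_t:file read_file_perms;
+allow firewalld_t firewalld_var_log_t:file setattr_file_perms;
+logging_log_filetrans(firewalld_t, firewalld_var_log_t, file)
+
+manage_files_pattern(firewalld_t, firewalld_var_run_t, firewalld_var_run_t)
+files_pid_filetrans(firewalld_t, firewalld_var_run_t, file)
+
+kernel_read_network_state(firewalld_t)
+kernel_read_system_state(firewalld_t)
+
+corecmd_exec_bin(firewalld_t)
+corecmd_exec_shell(firewalld_t)
+
+dev_read_urand(firewalld_t)
+
+domain_use_interactive_fds(firewalld_t)
+
+files_read_etc_files(firewalld_t)
+files_read_usr_files(firewalld_t)
+
+fs_getattr_xattr_fs(firewalld_t)
+
+logging_send_syslog_msg(firewalld_t)
+
+miscfiles_read_localization(firewalld_t)
+
+seutil_exec_setfiles(firewalld_t)
+seutil_read_file_contexts(firewalld_t)
+
+optional_policy(`
+ dbus_system_domain(firewalld_t, firewalld_exec_t)
+
+ optional_policy(`
+ policykit_dbus_chat(firewalld_t)
+ ')
+
+ optional_policy(`
+ networkmanager_dbus_chat(firewalld_t)
+ ')
+')
+
+optional_policy(`
+ iptables_domtrans(firewalld_t)
+')
+
+optional_policy(`
+ modutils_domtrans_insmod(firewalld_t)
+')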
167 +optional_policy(`
168 + iptables_domtrans(firewalld_t)
169 +')
170 +
171 +optional_policy(`
172 + modutils_domtrans_insmod(firewalld_t)
173 +')