Gentoo Archives: gentoo-commits

From: Sven Vermeulen <swift@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
Date: Wed, 25 Jun 2014 19:56:26
Message-Id: 1403726028.f4284ca3c2aa40c9c5296be9a157e45250f497c5.swift@gentoo
1 commit: f4284ca3c2aa40c9c5296be9a157e45250f497c5
2 Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
3 AuthorDate: Wed Jun 25 19:53:48 2014 +0000
4 Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
5 CommitDate: Wed Jun 25 19:53:48 2014 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f4284ca3
7
8 Fix bug #509728 - Add openresolv support
9
10 The openresolv application implements the resolvconf interface that many
11 network services have. This policy should support those network services
12 *if* they are enabled further through the resolvconf_client_domain()
13 attribute.
14
15 For instance:
16 resolvconf_client_domain(dhcpc_t)
17
18 ---
19 policy/modules/contrib/resolvconf.fc | 6 +++
20 policy/modules/contrib/resolvconf.if | 102 +++++++++++++++++++++++++++++++++++
21 policy/modules/contrib/resolvconf.te | 52 ++++++++++++++++++
22 3 files changed, 160 insertions(+)
23
24 diff --git a/policy/modules/contrib/resolvconf.fc b/policy/modules/contrib/resolvconf.fc
25 new file mode 100644
26 index 0000000..a7c9eed
27 --- /dev/null
28 +++ b/policy/modules/contrib/resolvconf.fc
29 @@ -0,0 +1,6 @@
30 +
31 +/etc/resolvconf.conf -- gen_context(system_u:object_r:resolvconf_conf_t,s0)
32 +
33 +/lib/resolvconf(/.*)? gen_context(system_u:object_r:bin_t,s0)
34 +
35 +/sbin/resolvconf -- gen_context(system_u:object_r:resolvconf_exec_t,s0)
36
37 diff --git a/policy/modules/contrib/resolvconf.if b/policy/modules/contrib/resolvconf.if
38 new file mode 100644
39 index 0000000..7a93eb6
40 --- /dev/null
41 +++ b/policy/modules/contrib/resolvconf.if
42 @@ -0,0 +1,102 @@
43 +## <summary>OpenResolv network configuration management</summary>
44 +
45 +#########################################
46 +## <summary>
47 +## Mark the domain as a resolvconf client, automatically granting
48 +## the necessary privileges (execute resolvconf and type access).
49 +## </summary>
50 +## <param name="domain">
51 +## <summary>
52 +## Domain to mark as a resolvconf client
53 +## </summary>
54 +## </param>
55 +#
56 +interface(`resolvconf_client_domain',`
57 + gen_require(`
58 + attribute resolvconf_client;
59 + ')
60 +
61 + typeattribute $1 resolvconf_client;
62 +')
63 +
64 +#########################################
65 +## <summary>
66 +## Assign the proper permissions to the domain, such as
67 +## executing resolvconf and accessing its types.
68 +## </summary>
69 +## <param name="domain">
70 +## <summary>
71 +## Domain to assign proper permissions to
72 +## </summary>
73 +## </param>
74 +#
75 +interface(`resolvconf_client_domain_privs',`
76 + resolvconf_domtrans($1)
77 + resolvconf_generic_run_filetrans_run($1, dir, "resolvconf")
78 +')
79 +
80 +#########################################
81 +## <summary>
82 +## Execute resolvconf and transition to the resolvconf_t domain
83 +## </summary>
84 +## <param name="domain">
85 +## <summary>
86 +## Domain allowed to transition
87 +## </summary>
88 +## </param>
89 +#
90 +interface(`resolvconf_domtrans',`
91 + gen_require(`
92 + type resolvconf_t;
93 + type resolvconf_exec_t;
94 + ')
95 +
96 + domtrans_pattern($1, resolvconf_exec_t, resolvconf_t)
97 +')
98 +
99 +#########################################
100 +## <summary>
101 +## Execute resolvconf in the calling domain (no transition)
102 +## </summary>
103 +## <param name="domain">
104 +## <summary>
105 +## Domain allowed to execute
106 +## </summary>
107 +## </param>
108 +#
109 +interface(`resolvconf_exec',`
110 + gen_require(`
111 + type resolvconf_exec_t;
112 + ')
113 +
114 + can_exec($1, resolvconf_exec_t)
115 +')
116 +
117 +#########################################
118 +## <summary>
119 +## Transition to resolvconf_run_t when creating resources
120 +## inside the generic run directory
121 +## </summary>
122 +## <param name="domain">
123 +## <summary>
124 +## Domain allowed access
125 +## </summary>
126 +## </param>
127 +## <param name="class">
128 +## <summary>
129 +## Class on which a file transition has to occur
130 +## </summary>
131 +## </param>
132 +## <param name="filename" optional="true">
133 +## <summary>
134 +## Name of the resource on which a file transition has to occur
135 +## </summary>
136 +## </param>
137 +#
138 +interface(`resolvconf_generic_run_filetrans_run',`
139 + gen_require(`
140 + type resolvconf_var_run_t;
141 + ')
142 +
143 + files_pid_filetrans($1, resolvconf_var_run_t, $2, $3)
144 +')
145
146 diff --git a/policy/modules/contrib/resolvconf.te b/policy/modules/contrib/resolvconf.te
147 new file mode 100644
148 index 0000000..7fbd00d
149 --- /dev/null
150 +++ b/policy/modules/contrib/resolvconf.te
151 @@ -0,0 +1,52 @@
152 +policy_module(resolvconf, 0.1)
153 +
154 +type resolvconf_t;
155 +type resolvconf_exec_t;
156 +domain_type(resolvconf_t)
157 +domain_entry_file(resolvconf_t, resolvconf_exec_t)
158 +role system_r types resolvconf_t;
159 +
160 +attribute resolvconf_client;
161 +
162 +type resolvconf_conf_t;
163 +files_config_file(resolvconf_conf_t)
164 +
165 +type resolvconf_var_run_t;
166 +files_pid_file(resolvconf_var_run_t)
167 +
168 +#########################################
169 +#
170 +# OpenResolv policy
171 +#
172 +
173 +allow resolvconf_t self:fifo_file manage_fifo_file_perms;
174 +allow resolvconf_t resolvconf_conf_t:file read_file_perms;
175 +
176 +manage_dirs_pattern(resolvconf_t, resolvconf_var_run_t, resolvconf_var_run_t)
177 +manage_files_pattern(resolvconf_t, resolvconf_var_run_t, resolvconf_var_run_t)
178 +
179 +corecmd_exec_bin(resolvconf_t)
180 +corecmd_exec_shell(resolvconf_t)
181 +
182 +files_pid_filetrans(resolvconf_t, resolvconf_var_run_t, { dir file })
183 +files_read_etc_files(resolvconf_t)
184 +
185 +sysnet_manage_config(resolvconf_t)
186 +
187 +optional_policy(`
188 + init_domtrans_script(resolvconf_t)
189 + init_read_script_status_files(resolvconf_t)
190 + init_use_script_fds(resolvconf_t)
191 + init_use_script_ptys(resolvconf_t)
192 +')
193 +
194 +optional_policy(`
195 + term_dontaudit_use_console(resolvconf_t)
196 +')
197 +
198 +#########################################
199 +#
200 +# Resolvconf client policy
201 +#
202 +
203 +resolvconf_client_domain_privs(resolvconf_client)