commit: f4284ca3c2aa40c9c5296be9a157e45250f497c5 |
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
AuthorDate: Wed Jun 25 19:53:48 2014 +0000 |
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org> |
CommitDate: Wed Jun 25 19:53:48 2014 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f4284ca3 |
|
Fix bug #509728 - Add openresolv support |
|
The openresolv application implements the resolvconf interface that many |
network services have. This policy should support those network services |
*if* they are enabled further through the resolvconf_client_domain() |
attribute. |
|
For instance: |
resolvconf_client_domain(dhcpc_t) |
|
--- |
policy/modules/contrib/resolvconf.fc | 6 +++ |
policy/modules/contrib/resolvconf.if | 102 +++++++++++++++++++++++++++++++++++ |
policy/modules/contrib/resolvconf.te | 52 ++++++++++++++++++ |
3 files changed, 160 insertions(+) |
|
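diff --git a/policy/modules/contrib/resolvconf.fc b/policy/modules/contrib/resolvconf.fc
new file mode 100644
index 0000000..a7c9eed
--- /dev/null
+++ b/policy/modules/contrib/resolvconf.fc
@@ -0,0 +1,6 @@
+
+/etc/resolvconf.conf -- gen_context(system_u:object_r:resolvconf_conf_t,s0)
+
+/lib/resolvconf(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+/sbin/resolvconf -- gen_context(system_u:object_r:resolvconf_exec_t,s0)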
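Review bot: No file context is declared for the runtime directory that resolvconf_var_run_t is meant to label; the type is only ever applied through the filetrans rules in resolvconf.te and resolvconf.if, so a /run/resolvconf directory that already exists when the policy is loaded keeps var_run_t and restorecon has no entry to repair it with. Adding a line such as `/var/run/resolvconf(/.*)? gen_context(system_u:object_r:resolvconf_var_run_t,s0)` (or the /run spelling, whichever this policy's file_contexts substitutions expect) makes the label recoverable by relabeling. The empty first line of the new file is also unusual for refpolicy .fc files and could be dropped.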
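diff --git a/policy/modules/contrib/resolvconf.if b/policy/modules/contrib/resolvconf.if
new file mode 100644
index 0000000..7a93eb6
--- /dev/null
+++ b/policy/modules/contrib/resolvconf.if
@@ -0,0 +1,102 @@
+## <summary>OpenResolv network configuration management</summary>
+
+#########################################
+## <summary>
+## Mark the domain as a resolvconf client, automatically granting
+## the necessary privileges (execute resolvconf and type access).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to mark as a resolvconf client
+## </summary>
+## </param>
+#
+interface(`resolvconf_client_domain',`
+ gen_require(`
+ attribute resolvconf_client;
+ ')
+
+ typeattribute $1 resolvconf_client;
+')
+
+#########################################
+## <summary>
+## Assign the proper permissions to the domain, such as
+## executing resolvconf and accessing its types.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to assign proper permissions to
+## </summary>
+## </param>
+#
+interface(`resolvconf_client_domain_privs',`
+ resolvconf_domtrans($1)
+ resolvconf_generic_run_filetrans_run($1, dir, "resolvconf")
+')
+
+#########################################
+## <summary>
+## Execute resolvconf and transition to the resolvconf_t domain
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition
+## </summary>
+## </param>
+#
+interface(`resolvconf_domtrans',`
+ gen_require(`
+ type resolvconf_t;
+ type resolvconf_exec_t;
+ ')
+
+ domtrans_pattern($1, resolvconf_exec_t, resolvconf_t)
+')
+
+#########################################
+## <summary>
+## Execute resolvconf in the calling domain (no transition)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to execute
+## </summary>
+## </param>
+#
+interface(`resolvconf_exec',`
+ gen_require(`
+ type resolvconf_exec_t;
+ ')
+
+ can_exec($1, resolvconf_exec_t)
+')
+
+#########################################
+## <summary>
+## Transition to resolvconf_run_t when creating resources
+## inside the generic run directory
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="class">
+## <summary>
+## Class on which a file transition has to occur
+## </summary>
+## </param>
+## <param name="filename" optional="true">
+## <summary>
+## Name of the resource on which a file transition has to occur
+## </summary>
+## </param>
+#
+interface(`resolvconf_generic_run_filetrans_run',`
+ gen_require(`
+ type resolvconf_var_run_t;
+ ')
+
+ files_pid_filetrans($1, resolvconf_var_run_t, $2, $3)
+')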
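Review bot: resolvconf_client_domain_privs gives the client a type_transition to resolvconf_var_run_t for a dir named "resolvconf" under the pid directory, but nothing in this file grants the client create permission on resolvconf_var_run_t:dir; as far as I can tell files_pid_filetrans only allows writing the var_run_t parent plus the transition itself, so a client that actually creates that directory would be denied on the new type. Either the call is dead because resolvconf_t creates the directory itself (resolvconf.te gives it manage_dirs_pattern and its own files_pid_filetrans) and can be dropped, or the interface needs a gen_require for resolvconf_var_run_t together with `allow $1 resolvconf_var_run_t:dir create_dir_perms;` next to the filetrans call; a one-line comment saying which domain is expected to create the directory would settle the intent. Separately, the summary of resolvconf_generic_run_filetrans_run names resolvconf_run_t, a type this module does not declare; it should read `## Transition to resolvconf_var_run_t when creating resources`.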
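diff --git a/policy/modules/contrib/resolvconf.te b/policy/modules/contrib/resolvconf.te
new file mode 100644
index 0000000..7fbd00d
--- /dev/null
+++ b/policy/modules/contrib/resolvconf.te
@@ -0,0 +1,52 @@
+policy_module(resolvconf, 0.1)
+
+type resolvconf_t;
+type resolvconf_exec_t;
+domain_type(resolvconf_t)
+domain_entry_file(resolvconf_t, resolvconf_exec_t)
+role system_r types resolvconf_t;
+
+attribute resolvconf_client;
+
+type resolvconf_conf_t;
+files_config_file(resolvconf_conf_t)
+
+type resolvconf_var_run_t;
+files_pid_file(resolvconf_var_run_t)
+
+#########################################
+#
+# OpenResolv policy
+#
+
+allow resolvconf_t self:fifo_file manage_fifo_file_perms;
+allow resolvconf_t resolvconf_conf_t:file read_file_perms;
+
+manage_dirs_pattern(resolvconf_t, resolvconf_var_run_t, resolvconf_var_run_t)
+manage_files_pattern(resolvconf_t, resolvconf_var_run_t, resolvconf_var_run_t)
+
+corecmd_exec_bin(resolvconf_t)
+corecmd_exec_shell(resolvconf_t)
+
+files_pid_filetrans(resolvconf_t, resolvconf_var_run_t, { dir file })
+files_read_etc_files(resolvconf_t)
+
+sysnet_manage_config(resolvconf_t)
+
+optional_policy(`
+ init_domtrans_script(resolvconf_t)
+ init_read_script_status_files(resolvconf_t)
+ init_use_script_fds(resolvconf_t)
+ init_use_script_ptys(resolvconf_t)
+')
+
+optional_policy(`
+ term_dontaudit_use_console(resolvconf_t)
+')
+
+#########################################
+#
+# Resolvconf client policy
+#
+
+resolvconf_client_domain_privs(resolvconf_client)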
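Review bot: The transition rule `files_pid_filetrans(resolvconf_t, resolvconf_var_run_t, { dir file })` is unnamed, so every directory or file resolvconf_t creates directly under the pid directory becomes resolvconf_var_run_t, while the client-side interface in resolvconf.if limits the same transition to a dir named "resolvconf". If the only thing resolvconf creates at that level is its own directory (everything below it is already covered by the manage_dirs_pattern/manage_files_pattern lines above), narrowing this to `files_pid_filetrans(resolvconf_t, resolvconf_var_run_t, dir, "resolvconf")` keeps the two sides consistent and avoids relabeling unrelated pid-directory entries; if openresolv does write other files straight into the pid directory, a short comment naming them would justify the broad rule. The init_domtrans_script grant in the first optional_policy block lets resolvconf_t run any init script, which is a wide privilege for a resolv.conf updater; a comment stating which script invocations require it would document why the grant is needed and let a later reviewer judge whether something narrower would do.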