commit: cba6dc0028608f027f7e02ab1d4df155632a7a46 |
Author: Dominick Grift <dac.override <AT> gmail <DOT> com> |
AuthorDate: Tue Jan 27 20:17:58 2015 +0000 |
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org> |
CommitDate: Thu Jan 29 20:51:08 2015 +0000 |
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=cba6dc00 |
|
Various samhain fixes |
|
connects to smtp port |
resolves smtp dns name |
missing samhain_domain attribute |
reads random device |
samhain_domains use unnamed pipes for internal comms |
clarify why some rules are commented out for now in samhain_admin() |
remove samhain_run() from samhain_admin() |
samhain needs to be able to maintain directories in /var/lib |
|
Signed-off-by: Dominick Grift <dac.override <AT> gmail.com> |
|
--- |
policy/modules/contrib/samhain.if | 8 +++----- |
policy/modules/contrib/samhain.te | 12 ++++++++++-- |
2 files changed, 13 insertions(+), 7 deletions(-) |
|
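--- a/policy/modules/contrib/samhain.if
+++ b/policy/modules/contrib/samhain.if
@@ -16,7 +16,7 @@ template(`samhain_service_template',`
 type samhain_exec_t;
 ')
 
- type $1_t;
+ type $1_t, samhain_domain;
 domain_type($1_t)
 domain_entry_file($1_t, samhain_exec_t)
 
@@ -213,14 +213,14 @@ interface(`samhain_admin',`
 interface(`samhain_admin',`
 gen_require(`
 attribute samhain_domain;
- type samhain_t, samhaind_t, samhain_db_t, samhain_etc_t;
+ type samhain_db_t, samhain_etc_t;
 type samhain_initrc_exec_t, samhain_log_t, samhain_var_run_t;
 ')
 
 allow $1 samhain_domain:process { ptrace signal_perms };
 ps_process_pattern($1, samhain_domain)
 
- # pending
+ # duplicate role transition: remove samhain_admin(sysadm_t, sysadm_r) first
 # init_labeled_script_domtrans($1, samhain_initrc_exec_t)
 # domain_system_change_exemption($1)
 # role_transition $2 samhain_initrc_exec_t system_r;
@@ -237,6 +237,4 @@ interface(`samhain_admin',`
 
 files_list_pids($1)
 admin_pattern($1, samhain_var_run_t)
-
- # samhain_run($1, $2)
 ')
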
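Review bot: Dropping `samhain_t` and `samhaind_t` from the `gen_require` block of `samhain_admin` is only safe if no remaining line of the interface still names them; the stretch between this hunk and the one at line 237 is not shown, so that should be checked before merging, since a type used without being required fails at policy build time. The new comment names the conflict but not its effect: consider `# duplicate role transition: remove samhain_admin(sysadm_t, sysadm_r) first; until then this interface grants no init script domtrans to the admin role` so readers see that administrators given `samhain_admin` currently cannot start or stop the service from their role. The body of samhain_admin continues between the two hunks.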
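--- a/policy/modules/contrib/samhain.te
+++ b/policy/modules/contrib/samhain.te
@@ -1,4 +1,4 @@
-policy_module(samhain, 1.2.0)
+policy_module(samhain, 1.2.1)
 
 ########################################
 #
@@ -50,8 +50,9 @@ ifdef(`enable_mls',`
 
 allow samhain_domain self:capability { dac_override dac_read_search fowner ipc_lock };
 dontaudit samhain_domain self:capability { sys_resource sys_ptrace };
-allow samhain_domain self:fd use;
 allow samhain_domain self:process { setsched setrlimit signull };
+allow samhain_domain self:fd use;
+allow samhain_domain self:fifo_file rw_fifo_file_perms;
 
 allow samhain_domain samhain_etc_t:file read_file_perms;
 
@@ -96,6 +97,7 @@ logging_send_syslog_msg(samhain_domain)
 #
 
 manage_files_pattern(samhain_t, samhain_db_t, samhain_db_t)
+manage_dirs_pattern(samhain_t, samhain_db_t, samhain_db_t)
 files_var_lib_filetrans(samhain_t, samhain_db_t, { file dir })
 
 domain_use_interactive_fds(samhain_t)
@@ -115,4 +117,10 @@ can_exec(samhaind_t, samhain_exec_t)
 
 read_files_pattern(samhaind_t, samhain_db_t, samhain_db_t)
 
+corenet_tcp_connect_smtp_port(samhaind_t)
+
+dev_read_rand(samhaind_t)
+
 init_use_script_ptys(samhaind_t)
+
+sysnet_dns_name_resolve(samhaind_t)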
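Review bot: `corenet_tcp_connect_smtp_port(samhaind_t)` turns outbound mail into an unconditional permission of the daemon domain, together with the `sysnet_dns_name_resolve` it depends on; refpolicy commonly wraps optional network egress of this kind in a `tunable_policy` with a documented boolean so deployments that do not use samhain's mail reporting keep the daemon off the network, and a short comment naming the purpose (mail alerts) above the call would help either way. `dev_read_rand(samhaind_t)` covers the /dev/random label only; if the denial being fixed was on /dev/urandom, which refpolicy labels separately, `dev_read_urand(samhaind_t)` is the interface needed instead, which is worth confirming against the original AVC message. The samhaind_t rule block starts before this hunk.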