
From: Sven Vermeulen <swift@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
Date: Thu, 29 Jan 2015 20:53:11
Message-Id: 1422564668.cba6dc0028608f027f7e02ab1d4df155632a7a46.swift@gentoo
1 commit: cba6dc0028608f027f7e02ab1d4df155632a7a46
2 Author: Dominick Grift <dac.override <AT> gmail <DOT> com>
3 AuthorDate: Tue Jan 27 20:17:58 2015 +0000
4 Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
5 CommitDate: Thu Jan 29 20:51:08 2015 +0000
6 URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=cba6dc00
7
8 Various samhain fixes
9
10 connects to smtp port
11 resolves smtp dns name
12 add the missing samhain_domain attribute to the service template's domain type
13 reads random device
14 samhain_domains use unnamed pipes for internal comms
15 clarify why some rules are commented out for now in samhain_admin()
16 remove samhain_run() from samhain_admin()
17 samhain needs to be able to maintain directories in /var/lib
18
19 Signed-off-by: Dominick Grift <dac.override <AT> gmail.com>
20
21 ---
22 policy/modules/contrib/samhain.if | 8 +++-----
23 policy/modules/contrib/samhain.te | 12 ++++++++++--
24 2 files changed, 13 insertions(+), 7 deletions(-)
25
26 diff --git a/policy/modules/contrib/samhain.if b/policy/modules/contrib/samhain.if
27 index f0236d6..b1ebcee 100644
28 --- a/policy/modules/contrib/samhain.if
29 +++ b/policy/modules/contrib/samhain.if
30 @@ -16,7 +16,7 @@ template(`samhain_service_template',`
31 type samhain_exec_t;
32 ')
33
34 - type $1_t;
35 + type $1_t, samhain_domain;
36 domain_type($1_t)
37 domain_entry_file($1_t, samhain_exec_t)
38
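Review bot: The new `type $1_t, samhain_domain;` line attaches an attribute inside a template, which only builds for a calling module if `attribute samhain_domain;` is listed in the template's gen_require block; that block starts above the hunk and the visible part shows only `type samhain_exec_t;`. If the attribute is not required there, any module expanding samhain_service_template will fail to link with an undeclared-attribute error, so the require block should read `attribute samhain_domain;` followed by `type samhain_exec_t;`. The same file already requires the attribute that way in samhain_admin, so this would match existing style.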
39 @@ -213,14 +213,14 @@ interface(`samhain_manage_pid_files',`
40 interface(`samhain_admin',`
41 gen_require(`
42 attribute samhain_domain;
43 - type samhain_t, samhaind_t, samhain_db_t, samhain_etc_t;
44 + type samhain_db_t, samhain_etc_t;
45 type samhain_initrc_exec_t, samhain_log_t, samhain_var_run_t;
46 ')
47
48 allow $1 samhain_domain:process { ptrace signal_perms };
49 ps_process_pattern($1, samhain_domain)
50
51 - # pending
52 + # duplicate role transition: remove samhain_admin(sysadm_t, sysadm_r) first
53 # init_labeled_script_domtrans($1, samhain_initrc_exec_t)
54 # domain_system_change_exemption($1)
55 # role_transition $2 samhain_initrc_exec_t system_r;
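Review bot: With `init_labeled_script_domtrans`, `domain_system_change_exemption` and the `role_transition $2 ...` line all still commented out, the `$2` role parameter of samhain_admin is now unused, so a caller gets ptrace/signal and file-admin rights over samhain_domain but cannot run the init script in its own domain. The interface header (above the hunk) should say so, e.g. `## The role parameter is currently unused; the init script transition is pending removal of the duplicate samhain_admin(sysadm_t, sysadm_r) call.` Note also that `allow $1 samhain_domain:process { ptrace ... }` lets the admin domain read the integrity daemon's memory; that is conventional for refpolicy admin interfaces but worth stating in the header since samhain's database is meant to be tamper-evident. The interface body continues outside this hunk.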
56 @@ -237,6 +237,4 @@ interface(`samhain_admin',`
57
58 files_list_pids($1)
59 admin_pattern($1, samhain_var_run_t)
60 -
61 - # samhain_run($1, $2)
62 ')
63
64 diff --git a/policy/modules/contrib/samhain.te b/policy/modules/contrib/samhain.te
65 index c41ce4b..3ed8e45 100644
66 --- a/policy/modules/contrib/samhain.te
67 +++ b/policy/modules/contrib/samhain.te
68 @@ -1,4 +1,4 @@
69 -policy_module(samhain, 1.2.0)
70 +policy_module(samhain, 1.2.1)
71
72 ########################################
73 #
74 @@ -50,8 +50,9 @@ ifdef(`enable_mls',`
75
76 allow samhain_domain self:capability { dac_override dac_read_search fowner ipc_lock };
77 dontaudit samhain_domain self:capability { sys_resource sys_ptrace };
78 -allow samhain_domain self:fd use;
79 allow samhain_domain self:process { setsched setrlimit signull };
80 +allow samhain_domain self:fd use;
81 +allow samhain_domain self:fifo_file rw_fifo_file_perms;
82
83 allow samhain_domain samhain_etc_t:file read_file_perms;
84
85 @@ -96,6 +97,7 @@ logging_send_syslog_msg(samhain_domain)
86 #
87
88 manage_files_pattern(samhain_t, samhain_db_t, samhain_db_t)
89 +manage_dirs_pattern(samhain_t, samhain_db_t, samhain_db_t)
90 files_var_lib_filetrans(samhain_t, samhain_db_t, { file dir })
91
92 domain_use_interactive_fds(samhain_t)
93 @@ -115,4 +117,10 @@ can_exec(samhaind_t, samhain_exec_t)
94
95 read_files_pattern(samhaind_t, samhain_db_t, samhain_db_t)
96
97 +corenet_tcp_connect_smtp_port(samhaind_t)
98 +
99 +dev_read_rand(samhaind_t)
100 +
101 init_use_script_ptys(samhaind_t)
102 +
103 +sysnet_dns_name_resolve(samhaind_t)
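Review bot: `corenet_tcp_connect_smtp_port(samhaind_t)` grants unconditional egress to any host on a port labelled smtp_port_t, so the integrity daemon — which already holds dac_override and dac_read_search per the context above — can open outbound mail connections whether or not mail reporting is configured; wrapping it and the matching `sysnet_dns_name_resolve(samhaind_t)` in a tunable keeps the default footprint to local operation. name_connect alone does not create a socket; the tcp_socket create and generic interface/node permissions appear to come only via sysnet_dns_name_resolve here, so if that call were ever removed the SMTP path would silently break — gating both together documents the dependency. `dev_read_rand` covers the /dev/random label only; if samhain also opens /dev/urandom, `dev_read_urand(samhaind_t)` is needed as well.

```selinux
# ... unchanged: read_files_pattern(samhaind_t, samhain_db_t, samhain_db_t) ...

# Outbound mail reporting is optional; keep the egress off by default.
# The declaration gen_tunable(samhain_use_smtp, false) goes in the
# declarations section at the top of this file.
tunable_policy(`samhain_use_smtp',`
	corenet_tcp_connect_smtp_port(samhaind_t)
	sysnet_dns_name_resolve(samhaind_t)
')

dev_read_rand(samhaind_t)

init_use_script_ptys(samhaind_t)
```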