
From: Sven Vermeulen <sven.vermeulen@××××××.be>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
Date: Tue, 02 Oct 2012 18:24:10
Message-Id: 1349201260.a547b35b07da63caeae77d4210e0e4c0fac3b475.SwifT@gentoo
1 commit: a547b35b07da63caeae77d4210e0e4c0fac3b475
2 Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
3 AuthorDate: Tue Oct 2 09:33:25 2012 +0000
4 Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
5 CommitDate: Tue Oct 2 18:07:40 2012 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=a547b35b
7
8 Changes to the gatekeeper policy module
9
10 Module clean up
11 Add init script file type
12 Add gatekeeper_admin()
13
14 Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
15
16 ---
17 policy/modules/contrib/gatekeeper.fc | 11 +++++---
18 policy/modules/contrib/gatekeeper.if | 46 +++++++++++++++++++++++++++++++++-
19 policy/modules/contrib/gatekeeper.te | 21 +++++++++------
20 3 files changed, 65 insertions(+), 13 deletions(-)
21
22 diff --git a/policy/modules/contrib/gatekeeper.fc b/policy/modules/contrib/gatekeeper.fc
23 index d6ef025..9f44fb6 100644
24 --- a/policy/modules/contrib/gatekeeper.fc
25 +++ b/policy/modules/contrib/gatekeeper.fc
26 @@ -1,8 +1,11 @@
27 /etc/gatekeeper\.ini -- gen_context(system_u:object_r:gatekeeper_etc_t,s0)
28
29 -/usr/sbin/gk -- gen_context(system_u:object_r:gatekeeper_exec_t,s0)
30 -/usr/sbin/gnugk -- gen_context(system_u:object_r:gatekeeper_exec_t,s0)
31 +/etc/rc\.d/init\.d/gnugk -- gen_context(system_u:object_r:gatekeeper_initrc_exec_t,s0)
32 +
33 +/usr/sbin/gk -- gen_context(system_u:object_r:gatekeeper_exec_t,s0)
34 +/usr/sbin/gnugk -- gen_context(system_u:object_r:gatekeeper_exec_t,s0)
35 +
36 +/var/log/gnugk(/.*)? gen_context(system_u:object_r:gatekeeper_log_t,s0)
37
38 -/var/log/gnugk(/.*)? gen_context(system_u:object_r:gatekeeper_log_t,s0)
39 /var/run/gk\.pid -- gen_context(system_u:object_r:gatekeeper_var_run_t,s0)
40 -/var/run/gnugk(/.*)? gen_context(system_u:object_r:gatekeeper_var_run_t,s0)
41 +/var/run/gnugk(/.*)? gen_context(system_u:object_r:gatekeeper_var_run_t,s0)
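Review bot: The only init-script context added is `/etc/rc\.d/init\.d/gnugk`; on a Gentoo host the script is installed as /etc/init.d/gnugk, so unless the policy build rewrites that prefix the script will stay labeled as a generic init script and the `init_labeled_script_domtrans($1, gatekeeper_initrc_exec_t)` in gatekeeper_admin() will have nothing to match. If the prefix is not rewritten at build time, add `/etc/init\.d/gnugk -- gen_context(system_u:object_r:gatekeeper_initrc_exec_t,s0)` next to it. Worth confirming against how the other hardened-refpolicy modules label their init scripts before merging.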
42
43 diff --git a/policy/modules/contrib/gatekeeper.if b/policy/modules/contrib/gatekeeper.if
44 index 311cb06..159cd16 100644
45 --- a/policy/modules/contrib/gatekeeper.if
46 +++ b/policy/modules/contrib/gatekeeper.if
47 @@ -1 +1,45 @@
48 -## <summary>OpenH.323 Voice-Over-IP Gatekeeper</summary>
49 +## <summary>OpenH.323 Voice-Over-IP Gatekeeper.</summary>
50 +
51 +########################################
52 +## <summary>
53 +## All of the rules required to
54 +## administrate an gatekeeper environment.
55 +## </summary>
56 +## <param name="domain">
57 +## <summary>
58 +## Domain allowed access.
59 +## </summary>
60 +## </param>
61 +## <param name="role">
62 +## <summary>
63 +## Role allowed access.
64 +## </summary>
65 +## </param>
66 +## <rolecap/>
67 +#
68 +interface(`gatekeeper_admin',`
69 + gen_require(`
70 + type gatekeeper_t, gatekeeper_etc_t, gatekeeper_log_t;
71 + type gatekeeper_var_run_t, gatekeeper_tmp_t, gatekeeper_initrc_exec_t;
72 + ')
73 +
74 + allow $1 gatekeeper_t:process { ptrace signal_perms };
75 + ps_process_pattern($1, gatekeeper_t)
76 +
77 + init_labeled_script_domtrans($1, gatekeeper_initrc_exec_t)
78 + domain_system_change_exemption($1)
79 + role_transition $2 gatekeeper_initrc_exec_t system_r;
80 + allow $2 system_r;
81 +
82 + files_search_etc($1)
83 + admin_pattern($1, gatekeeper_etc_t)
84 +
85 + logging_search_logs($1)
86 + admin_pattern($1, gatekeeper_log_t)
87 +
88 + files_search_tmp($1)
89 + admin_pattern($1, gatekeeper_tmp_t)
90 +
91 + files_search_var_lib($1)
92 + admin_pattern($1, gatekeeper_var_run_t)
93 +')
94 \ No newline at end of file
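Review bot: `files_search_var_lib($1)` is paired with `admin_pattern($1, gatekeeper_var_run_t)`, but gatekeeper_var_run_t objects live under /var/run according to the .fc file, so the search permission is granted on the wrong directory type and the administrator only reaches the pid files if some other rule already lets it traverse /var/run. Change it to `files_search_pids($1)`, which is the conventional pairing for a var_run_t admin_pattern. The interface also grants `ptrace` on gatekeeper_t, which lets the admin domain read and modify the running daemon's memory; that is usual for refpolicy admin interfaces, but a comment such as `# ptrace: admin may inspect/alter the live daemon` would record that the breadth is intended. The file is also left without a trailing newline.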
95
96 diff --git a/policy/modules/contrib/gatekeeper.te b/policy/modules/contrib/gatekeeper.te
97 index 99a94de..fc3b036 100644
98 --- a/policy/modules/contrib/gatekeeper.te
99 +++ b/policy/modules/contrib/gatekeeper.te
100 @@ -1,4 +1,4 @@
101 -policy_module(gatekeeper, 1.7.0)
102 +policy_module(gatekeeper, 1.7.1)
103
104 ########################################
105 #
106 @@ -9,13 +9,15 @@ type gatekeeper_t;
107 type gatekeeper_exec_t;
108 init_daemon_domain(gatekeeper_t, gatekeeper_exec_t)
109
110 +type gatekeeper_initrc_exec_t;
111 +init_script_file(gatekeeper_initrc_exec_t)
112 +
113 type gatekeeper_etc_t;
114 files_config_file(gatekeeper_etc_t)
115
116 type gatekeeper_log_t;
117 logging_log_file(gatekeeper_log_t)
118
119 -# for stupid symlinks
120 type gatekeeper_tmp_t;
121 files_tmp_file(gatekeeper_tmp_t)
122
123 @@ -33,19 +35,22 @@ allow gatekeeper_t self:fifo_file rw_fifo_file_perms;
124 allow gatekeeper_t self:tcp_socket create_stream_socket_perms;
125 allow gatekeeper_t self:udp_socket create_socket_perms;
126
127 -allow gatekeeper_t gatekeeper_etc_t:lnk_file { getattr read };
128 +allow gatekeeper_t gatekeeper_etc_t:lnk_file read_lnk_file_perms;
129 allow gatekeeper_t gatekeeper_etc_t:file read_file_perms;
130 -files_search_etc(gatekeeper_t)
131
132 -manage_files_pattern(gatekeeper_t, gatekeeper_log_t, gatekeeper_log_t)
133 +manage_dirs_pattern(gatekeeper_t, gatekeeper_log_t, gatekeeper_log_t)
134 +append_files_pattern(gatekeeper_t, gatekeeper_log_t, gatekeeper_log_t)
135 +create_files_pattern(gatekeeper_t, gatekeeper_log_t, gatekeeper_log_t)
136 +setattr_files_pattern(gatekeeper_t, gatekeeper_log_t, gatekeeper_log_t)
137 logging_log_filetrans(gatekeeper_t, gatekeeper_log_t, { file dir })
138
139 manage_dirs_pattern(gatekeeper_t, gatekeeper_tmp_t, gatekeeper_tmp_t)
140 manage_files_pattern(gatekeeper_t, gatekeeper_tmp_t, gatekeeper_tmp_t)
141 files_tmp_filetrans(gatekeeper_t, gatekeeper_tmp_t, { file dir })
142
143 +manage_dirs_pattern(gatekeeper_t, gatekeeper_var_run_t, gatekeeper_var_run_t)
144 manage_files_pattern(gatekeeper_t, gatekeeper_var_run_t, gatekeeper_var_run_t)
145 -files_pid_filetrans(gatekeeper_t, gatekeeper_var_run_t, file)
146 +files_pid_filetrans(gatekeeper_t, gatekeeper_var_run_t, { dir file })
147
148 kernel_read_system_state(gatekeeper_t)
149 kernel_read_kernel_sysctls(gatekeeper_t)
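Review bot: `files_search_etc(gatekeeper_t)` is removed while the raw `allow gatekeeper_t gatekeeper_etc_t:file read_file_perms` stays; unless search on etc_t is already granted to every domain by a base rule this hunk does not show, the daemon can no longer traverse /etc to open /etc/gatekeeper.ini and will fail at startup on a dir search denial. If that base grant exists, a one-line comment such as `# etc_t search is provided by the base domain rules` above the gatekeeper_etc_t allows would spare the next reader the same question; otherwise reinstate `files_search_etc(gatekeeper_t)`. Narrowing gatekeeper_log_t from manage to append/create/setattr is a good least-privilege tightening, but it drops unlink and rename, so it is worth confirming that gnugk never rotates or truncates its own logs.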
150 @@ -62,12 +67,12 @@ corenet_tcp_sendrecv_all_ports(gatekeeper_t)
151 corenet_udp_sendrecv_all_ports(gatekeeper_t)
152 corenet_tcp_bind_generic_node(gatekeeper_t)
153 corenet_udp_bind_generic_node(gatekeeper_t)
154 +
155 +corenet_sendrecv_gatekeeper_server_packets(gatekeeper_t)
156 corenet_tcp_bind_gatekeeper_port(gatekeeper_t)
157 corenet_udp_bind_gatekeeper_port(gatekeeper_t)
158 -corenet_sendrecv_gatekeeper_server_packets(gatekeeper_t)
159
160 dev_read_sysfs(gatekeeper_t)
161 -# for SSP
162 dev_read_urand(gatekeeper_t)
163
164 domain_use_interactive_fds(gatekeeper_t)
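Review bot: Dropping `# for SSP` leaves `dev_read_urand(gatekeeper_t)` without its rationale; on a hardened stack-protector toolchain the urandom read happens at process start for canary setup, and without the comment a reader will assume the VoIP gatekeeper itself needs /dev/urandom and may later remove the rule as unneeded if the daemon stops using it. Keep a short comment above the rule, e.g. `# stack-protector canary initialisation reads /dev/urandom`, even if gnugk also consumes randomness for its own purposes.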