
From: Sven Vermeulen <sven.vermeulen@××××××.be>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
Date: Mon, 29 Oct 2012 14:56:38
Message-Id: 1351522119.173c3e3dc3581c5073a9be245f9ac79078f79573.SwifT@gentoo
1 commit: 173c3e3dc3581c5073a9be245f9ac79078f79573
2 Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
3 AuthorDate: Mon Oct 29 09:22:42 2012 +0000
4 Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
5 CommitDate: Mon Oct 29 14:48:39 2012 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=173c3e3d
7
8 Changes to the stunnel policy module
9
10 Module clean up
11
12 Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
13
14 ---
15 policy/modules/contrib/stunnel.if | 4 +-
16 policy/modules/contrib/stunnel.te | 83 +++++++++++++++----------------------
17 2 files changed, 35 insertions(+), 52 deletions(-)
18
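--- a/policy/modules/contrib/stunnel.if
+++ b/policy/modules/contrib/stunnel.if
@@ -1,4 +1,4 @@
-## <summary>SSL Tunneling Proxy</summary>
+## <summary>SSL Tunneling Proxy.</summary>
 
 ########################################
 ## <summary>
@@ -20,6 +20,6 @@ interface(`stunnel_service_domain',`
 type stunnel_t;
 ')
 
-domtrans_pattern(stunnel_t,$2,$1)
+domtrans_pattern(stunnel_t, $2, $1)
 allow $1 stunnel_t:tcp_socket rw_socket_perms;
 ')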
37
38 diff --git a/policy/modules/contrib/stunnel.te b/policy/modules/contrib/stunnel.te
39 index f646c66..bdfee61 100644
40 --- a/policy/modules/contrib/stunnel.te
41 +++ b/policy/modules/contrib/stunnel.te
42 @@ -1,4 +1,4 @@
43 -policy_module(stunnel, 1.10.0)
44 +policy_module(stunnel, 1.10.1)
45
46 ########################################
47 #
48 @@ -6,17 +6,8 @@ policy_module(stunnel, 1.10.0)
49 #
50
51 type stunnel_t;
52 -domain_type(stunnel_t)
53 -role system_r types stunnel_t;
54 -
55 type stunnel_exec_t;
56 -domain_entry_file(stunnel_t, stunnel_exec_t)
57 -
58 -ifdef(`distro_gentoo',`
59 - init_daemon_domain(stunnel_t, stunnel_exec_t)
60 -',`
61 - inetd_tcp_service_domain(stunnel_t, stunnel_exec_t)
62 -')
63 +init_daemon_domain(stunnel_t, stunnel_exec_t)
64
65 type stunnel_etc_t;
66 files_config_file(stunnel_etc_t)
67 @@ -33,14 +24,15 @@ files_pid_file(stunnel_var_run_t)
68 #
69
70 allow stunnel_t self:capability { setgid setuid sys_chroot };
71 +dontaudit stunnel_t self:capability sys_tty_config;
72 allow stunnel_t self:process signal_perms;
73 allow stunnel_t self:fifo_file rw_fifo_file_perms;
74 -allow stunnel_t self:tcp_socket create_stream_socket_perms;
75 -allow stunnel_t self:udp_socket create_socket_perms;
76 +allow stunnel_t self:tcp_socket { accept listen };
77 +allow stunnel_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
78
79 allow stunnel_t stunnel_etc_t:dir list_dir_perms;
80 allow stunnel_t stunnel_etc_t:file read_file_perms;
81 -allow stunnel_t stunnel_etc_t:lnk_file { getattr read };
82 +allow stunnel_t stunnel_etc_t:lnk_file read_lnk_file_perms;
83
84 manage_dirs_pattern(stunnel_t, stunnel_tmp_t, stunnel_tmp_t)
85 manage_files_pattern(stunnel_t, stunnel_tmp_t, stunnel_tmp_t)
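Review bot: The new `allow stunnel_t self:tcp_socket { accept listen };` line leaves create, bind, connect and read/write on the socket unstated in this file; in refpolicy those presumably arrive with the corenet bind/connect interfaces called below (they carry create_socket_perms on self:tcp_socket), but a reader of this module cannot see that dependency. A one-line comment above it, `# create/bind/connect/rw on self:tcp_socket come with the corenet_tcp_bind/connect interfaces`, would make the intent explicit. Dropping the self:udp_socket rule likewise appears to rely on auth_use_nsswitch for DNS over UDP; worth confirming stunnel needs no other UDP access before this lands. The rule section continues past the end of the hunk.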
86 @@ -59,15 +51,23 @@ corecmd_exec_bin(stunnel_t)
87 corenet_all_recvfrom_unlabeled(stunnel_t)
88 corenet_all_recvfrom_netlabel(stunnel_t)
89 corenet_tcp_sendrecv_generic_if(stunnel_t)
90 -corenet_udp_sendrecv_generic_if(stunnel_t)
91 corenet_tcp_sendrecv_generic_node(stunnel_t)
92 -corenet_udp_sendrecv_generic_node(stunnel_t)
93 corenet_tcp_sendrecv_all_ports(stunnel_t)
94 -corenet_udp_sendrecv_all_ports(stunnel_t)
95 corenet_tcp_bind_generic_node(stunnel_t)
96 +
97 +corenet_sendrecv_all_client_packets(stunnel_t)
98 corenet_tcp_connect_all_ports(stunnel_t)
99
100 +dev_read_sysfs(stunnel_t)
101 +dev_read_urand(stunnel_t)
102 +
103 +domain_use_interactive_fds(stunnel_t)
104 +
105 +files_read_etc_runtime_files(stunnel_t)
106 +files_search_home(stunnel_t)
107 +
108 fs_getattr_all_fs(stunnel_t)
109 +fs_search_auto_mountpoints(stunnel_t)
110
111 auth_use_nsswitch(stunnel_t)
112
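Review bot: `corenet_sendrecv_all_client_packets(stunnel_t)` covers only the outbound side under packet labeling, while this domain also listens and accepts; if the port-bind rules further down the file (outside this hunk) carry no matching server-packets rule, labeled inbound traffic would be denied even though unlabeled traffic keeps working. Check the bind section and, if nothing is there, add the corresponding `corenet_sendrecv_all_server_packets(stunnel_t)` next to the bind. Several rules that were previously inside `ifdef(`distro_gentoo')` or its else branch (dev_read_sysfs, domain_use_interactive_fds, files_search_home, fs_search_auto_mountpoints) become unconditional here; that fits the cleanup intent but is a small widening of the policy on both sides, which the commit message could say in one line.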
113 @@ -75,44 +75,27 @@ logging_send_syslog_msg(stunnel_t)
114
115 miscfiles_read_localization(stunnel_t)
116
117 -sysnet_read_config(stunnel_t)
118 -
119 -ifdef(`distro_gentoo', `
120 - dontaudit stunnel_t self:capability sys_tty_config;
121 - allow stunnel_t self:udp_socket create_socket_perms;
122 -
123 - dev_read_sysfs(stunnel_t)
124 +userdom_dontaudit_use_unpriv_user_fds(stunnel_t)
125 +userdom_dontaudit_search_user_home_dirs(stunnel_t)
126
127 - fs_search_auto_mountpoints(stunnel_t)
128 -
129 - domain_use_interactive_fds(stunnel_t)
130 -
131 - userdom_dontaudit_use_unpriv_user_fds(stunnel_t)
132 - userdom_dontaudit_search_user_home_dirs(stunnel_t)
133 -
134 - optional_policy(`
135 - daemontools_service_domain(stunnel_t, stunnel_exec_t)
136 - ')
137 -
138 - optional_policy(`
139 - seutil_sigchld_newrole(stunnel_t)
140 - ')
141 +optional_policy(`
142 + daemontools_service_domain(stunnel_t, stunnel_exec_t)
143 +')
144
145 - optional_policy(`
146 - udev_read_db(stunnel_t)
147 - ')
148 -',`
149 - allow stunnel_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
150 +optional_policy(`
151 + inetd_tcp_service_domain(stunnel_t, stunnel_exec_t)
152 +')
153
154 - dev_read_urand(stunnel_t)
155 +optional_policy(`
156 + kerberos_use(stunnel_t)
157 +')
158
159 - files_read_etc_files(stunnel_t)
160 - files_read_etc_runtime_files(stunnel_t)
161 - files_search_home(stunnel_t)
162 +optional_policy(`
163 + seutil_sigchld_newrole(stunnel_t)
164 +')
165
166 - optional_policy(`
167 - kerberos_use(stunnel_t)
168 - ')
169 +optional_policy(`
170 + udev_read_db(stunnel_t)
171 ')
172
173 # hack since this port has no interfaces since it doesnt