[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/ - gentoo-commits

From:	Sven Vermeulen <sven.vermeulen@××××××.be>
To:	gentoo-commits@l.g.o
Subject:	[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
Date:	Mon, 29 Oct 2012 14:56:37
Message-Id:	`1351522124.2828363665ab635a1b6f909e3a7dd99fe9a4c60c.SwifT@gentoo`

1

commit:     2828363665ab635a1b6f909e3a7dd99fe9a4c60c

2

Author:     Dominick Grift <dominick.grift <AT> gmail <DOT> com>

3

AuthorDate: Mon Oct 29 09:42:58 2012 +0000

4

Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>

5

CommitDate: Mon Oct 29 14:48:44 2012 +0000

6

URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=28283636

7

8

Changes to the sysstat policy module

9

10

Ported from Fedora with changes

11

Add init script file

12

Add sysstat_admin()

13

14

Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>

15

16

---

17

 policy/modules/contrib/sysstat.fc |    3 ++

18

 policy/modules/contrib/sysstat.if |   39 +++++++++++++++++++++++++++++++++++-

19

 policy/modules/contrib/sysstat.te |   31 ++++++++++++++---------------

20

 3 files changed, 55 insertions(+), 18 deletions(-)

21

22

diff --git a/policy/modules/contrib/sysstat.fc b/policy/modules/contrib/sysstat.fc

23

index b1b97d4..b660cfc 100644

24

--- a/policy/modules/contrib/sysstat.fc

25

+++ b/policy/modules/contrib/sysstat.fc

26

@@ -1,3 +1,6 @@

27

+/etc/rc\.d/init\.d/sysstat	--	gen_context(system_u:object_r:sysstat_initrc_exec_t,s0)

28

+

29

+/opt/sartest(/.*)?	gen_context(system_u:object_r:sysstat_log_t,s0)

30

31

 /usr/lib/atsar/atsa.*	--	gen_context(system_u:object_r:sysstat_exec_t,s0)

32

 /usr/lib/sa/sa.*	--	gen_context(system_u:object_r:sysstat_exec_t,s0)

33

34

diff --git a/policy/modules/contrib/sysstat.if b/policy/modules/contrib/sysstat.if

35

index 7a23b3b..14ae3f2 100644

36

--- a/policy/modules/contrib/sysstat.if

37

+++ b/policy/modules/contrib/sysstat.if

38

@@ -1,8 +1,9 @@

39

-## <summary>Policy for sysstat. Reports on various system states</summary>

40

+## <summary>Reports on various system states.</summary>

41

42

 ########################################

43

 ## <summary>

44

-##	Manage sysstat logs.

45

+##	Create, read, write, and delete

46

+##	sysstat log files.

47

 ## </summary>

48

 ## <param name="domain">

49

 ##	<summary>

50

@@ -19,3 +20,37 @@ interface(`sysstat_manage_log',`

51

 	logging_search_logs($1)

52

 	manage_files_pattern($1, sysstat_log_t, sysstat_log_t)

53

')

54

+

55

+########################################

56

+## <summary>

57

+##	All of the rules required to

58

+##	administrate an sysstat environment.

59

+## </summary>

60

+## <param name="domain">

61

+##	<summary>

62

+##	Domain allowed access.

63

+##	</summary>

64

+## </param>

65

+## <param name="role">

66

+##	<summary>

67

+##	Role allowed access.

68

+##	</summary>

69

+## </param>

70

+## <rolecap/>

71

+#

72

+interface(`sysstat_admin',`

73

+	gen_require(`

74

+		type sysstat_t, sysstat_initrc_exec_t, sysstat_log_t;

75

+	')

76

+

77

+	allow $1 sysstat_t:process { ptrace signal_perms };

78

+	ps_process_pattern($1, sysstat_t)

79

+

80

+	init_labeled_script_domtrans($1, sysstat_initrc_exec_t)

81

+	domain_system_change_exemption($1)

82

+	role_transition $2 sysstat_initrc_exec_t system_r;

83

+	allow $2 system_r;

84

+

85

+	logging_search_logs($1)

86

+	admin_pattern($1, sysstat_log_t)

87

+')

88

89

diff --git a/policy/modules/contrib/sysstat.te b/policy/modules/contrib/sysstat.te

90

index 0ecd8a7..c8b80b2 100644

91

--- a/policy/modules/contrib/sysstat.te

92

+++ b/policy/modules/contrib/sysstat.te

93

@@ -1,4 +1,4 @@

94

-policy_module(sysstat, 1.7.0)

95

+policy_module(sysstat, 1.7.1)

96

97

 ########################################

98

#

99

@@ -8,7 +8,9 @@ policy_module(sysstat, 1.7.0)

100

 type sysstat_t;

101

 type sysstat_exec_t;

102

 init_system_domain(sysstat_t, sysstat_exec_t)

103

-role system_r types sysstat_t;

104

+

105

+type sysstat_initrc_exec_t;

106

+init_script_file(sysstat_initrc_exec_t)

107

108

 type sysstat_log_t;

109

 logging_log_file(sysstat_log_t)

110

@@ -18,18 +20,18 @@ logging_log_file(sysstat_log_t)

111

 # Local policy

112

#

113

114

-allow sysstat_t self:capability { dac_override sys_resource sys_tty_config };

115

-dontaudit sysstat_t self:capability sys_admin;

116

+allow sysstat_t self:capability { dac_override sys_admin sys_resource sys_tty_config };

117

 allow sysstat_t self:fifo_file rw_fifo_file_perms;

118

119

-can_exec(sysstat_t, sysstat_exec_t)

120

-

121

 manage_dirs_pattern(sysstat_t,sysstat_log_t,sysstat_log_t)

122

-manage_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)

123

+append_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)

124

+create_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)

125

+setattr_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)

126

 manage_lnk_files_pattern(sysstat_t,sysstat_log_t,sysstat_log_t)

127

 logging_log_filetrans(sysstat_t, sysstat_log_t, { file dir })

128

129

-# get info from /proc

130

+can_exec(sysstat_t, sysstat_exec_t)

131

+

132

 kernel_read_system_state(sysstat_t)

133

 kernel_read_network_state(sysstat_t)

134

 kernel_read_kernel_sysctls(sysstat_t)

135

@@ -38,14 +40,11 @@ kernel_read_rpc_sysctls(sysstat_t)

136

137

 corecmd_exec_bin(sysstat_t)

138

139

-dev_read_urand(sysstat_t)

140

 dev_read_sysfs(sysstat_t)

141

+dev_read_urand(sysstat_t)

142

143

 files_search_var(sysstat_t)

144

-# for mtab

145

 files_read_etc_runtime_files(sysstat_t)

146

-#for fstab

147

-files_read_etc_files(sysstat_t)

148

149

 fs_getattr_xattr_fs(sysstat_t)

150

 fs_list_inotifyfs(sysstat_t)

151

@@ -53,10 +52,14 @@ fs_list_inotifyfs(sysstat_t)

152

 term_use_console(sysstat_t)

153

 term_use_all_terms(sysstat_t)

154

155

+auth_use_nsswitch(sysstat_t)

156

+

157

 init_use_fds(sysstat_t)

158

159

 locallogin_use_fds(sysstat_t)

160

161

+logging_send_syslog_msg(sysstat_t)

162

+

163

 miscfiles_read_localization(sysstat_t)

164

165

 userdom_dontaudit_list_user_home_dirs(sysstat_t)

166

@@ -64,7 +67,3 @@ userdom_dontaudit_list_user_home_dirs(sysstat_t)

167

 optional_policy(`

168

 	cron_system_entry(sysstat_t, sysstat_exec_t)

169

')

170

-

171

-optional_policy(`

172

-	logging_send_syslog_msg(sysstat_t)

173

-')

1	commit: 2828363665ab635a1b6f909e3a7dd99fe9a4c60c
2	Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
3	AuthorDate: Mon Oct 29 09:42:58 2012 +0000
4	Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
5	CommitDate: Mon Oct 29 14:48:44 2012 +0000
6	URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=28283636
7
8	Changes to the sysstat policy module
9
10	Ported from Fedora with changes
11	Add init script file
12	Add sysstat_admin()
13
14	Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
15
16	---
17	policy/modules/contrib/sysstat.fc \| 3 ++
18	policy/modules/contrib/sysstat.if \| 39 +++++++++++++++++++++++++++++++++++-
19	policy/modules/contrib/sysstat.te \| 31 ++++++++++++++---------------
20	3 files changed, 55 insertions(+), 18 deletions(-)
21
22	diff --git a/policy/modules/contrib/sysstat.fc b/policy/modules/contrib/sysstat.fc
23	index b1b97d4..b660cfc 100644
24	--- a/policy/modules/contrib/sysstat.fc
25	+++ b/policy/modules/contrib/sysstat.fc
26	@@ -1,3 +1,6 @@
27	+/etc/rc\.d/init\.d/sysstat -- gen_context(system_u:object_r:sysstat_initrc_exec_t,s0)
28	+
29	+/opt/sartest(/.*)? gen_context(system_u:object_r:sysstat_log_t,s0)
30
31	/usr/lib/atsar/atsa.* -- gen_context(system_u:object_r:sysstat_exec_t,s0)
32	/usr/lib/sa/sa.* -- gen_context(system_u:object_r:sysstat_exec_t,s0)
33
34	diff --git a/policy/modules/contrib/sysstat.if b/policy/modules/contrib/sysstat.if
35	index 7a23b3b..14ae3f2 100644
36	--- a/policy/modules/contrib/sysstat.if
37	+++ b/policy/modules/contrib/sysstat.if
38	@@ -1,8 +1,9 @@
39	-## <summary>Policy for sysstat. Reports on various system states</summary>
40	+## <summary>Reports on various system states.</summary>
41
42	########################################
43	## <summary>
44	-## Manage sysstat logs.
45	+## Create, read, write, and delete
46	+## sysstat log files.
47	## </summary>
48	## <param name="domain">
49	## <summary>
50	@@ -19,3 +20,37 @@ interface(`sysstat_manage_log',`
51	logging_search_logs($1)
52	manage_files_pattern($1, sysstat_log_t, sysstat_log_t)
53	')
54	+
55	+########################################
56	+## <summary>
57	+## All of the rules required to
58	+## administrate an sysstat environment.
59	+## </summary>
60	+## <param name="domain">
61	+## <summary>
62	+## Domain allowed access.
63	+## </summary>
64	+## </param>
65	+## <param name="role">
66	+## <summary>
67	+## Role allowed access.
68	+## </summary>
69	+## </param>
70	+## <rolecap/>
71	+#
72	+interface(`sysstat_admin',`
73	+ gen_require(`
74	+ type sysstat_t, sysstat_initrc_exec_t, sysstat_log_t;
75	+ ')
76	+
77	+ allow $1 sysstat_t:process { ptrace signal_perms };
78	+ ps_process_pattern($1, sysstat_t)
79	+
80	+ init_labeled_script_domtrans($1, sysstat_initrc_exec_t)
81	+ domain_system_change_exemption($1)
82	+ role_transition $2 sysstat_initrc_exec_t system_r;
83	+ allow $2 system_r;
84	+
85	+ logging_search_logs($1)
86	+ admin_pattern($1, sysstat_log_t)
87	+')
88
89	diff --git a/policy/modules/contrib/sysstat.te b/policy/modules/contrib/sysstat.te
90	index 0ecd8a7..c8b80b2 100644
91	--- a/policy/modules/contrib/sysstat.te
92	+++ b/policy/modules/contrib/sysstat.te
93	@@ -1,4 +1,4 @@
94	-policy_module(sysstat, 1.7.0)
95	+policy_module(sysstat, 1.7.1)
96
97	########################################
98	#
99	@@ -8,7 +8,9 @@ policy_module(sysstat, 1.7.0)
100	type sysstat_t;
101	type sysstat_exec_t;
102	init_system_domain(sysstat_t, sysstat_exec_t)
103	-role system_r types sysstat_t;
104	+
105	+type sysstat_initrc_exec_t;
106	+init_script_file(sysstat_initrc_exec_t)
107
108	type sysstat_log_t;
109	logging_log_file(sysstat_log_t)
110	@@ -18,18 +20,18 @@ logging_log_file(sysstat_log_t)
111	# Local policy
112	#
113
114	-allow sysstat_t self:capability { dac_override sys_resource sys_tty_config };
115	-dontaudit sysstat_t self:capability sys_admin;
116	+allow sysstat_t self:capability { dac_override sys_admin sys_resource sys_tty_config };
117	allow sysstat_t self:fifo_file rw_fifo_file_perms;
118
119	-can_exec(sysstat_t, sysstat_exec_t)
120	-
121	manage_dirs_pattern(sysstat_t,sysstat_log_t,sysstat_log_t)
122	-manage_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
123	+append_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
124	+create_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
125	+setattr_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
126	manage_lnk_files_pattern(sysstat_t,sysstat_log_t,sysstat_log_t)
127	logging_log_filetrans(sysstat_t, sysstat_log_t, { file dir })
128
129	-# get info from /proc
130	+can_exec(sysstat_t, sysstat_exec_t)
131	+
132	kernel_read_system_state(sysstat_t)
133	kernel_read_network_state(sysstat_t)
134	kernel_read_kernel_sysctls(sysstat_t)
135	@@ -38,14 +40,11 @@ kernel_read_rpc_sysctls(sysstat_t)
136
137	corecmd_exec_bin(sysstat_t)
138
139	-dev_read_urand(sysstat_t)
140	dev_read_sysfs(sysstat_t)
141	+dev_read_urand(sysstat_t)
142
143	files_search_var(sysstat_t)
144	-# for mtab
145	files_read_etc_runtime_files(sysstat_t)
146	-#for fstab
147	-files_read_etc_files(sysstat_t)
148
149	fs_getattr_xattr_fs(sysstat_t)
150	fs_list_inotifyfs(sysstat_t)
151	@@ -53,10 +52,14 @@ fs_list_inotifyfs(sysstat_t)
152	term_use_console(sysstat_t)
153	term_use_all_terms(sysstat_t)
154
155	+auth_use_nsswitch(sysstat_t)
156	+
157	init_use_fds(sysstat_t)
158
159	locallogin_use_fds(sysstat_t)
160
161	+logging_send_syslog_msg(sysstat_t)
162	+
163	miscfiles_read_localization(sysstat_t)
164
165	userdom_dontaudit_list_user_home_dirs(sysstat_t)
166	@@ -64,7 +67,3 @@ userdom_dontaudit_list_user_home_dirs(sysstat_t)
167	optional_policy(`
168	cron_system_entry(sysstat_t, sysstat_exec_t)
169	')
170	-
171	-optional_policy(`
172	- logging_send_syslog_msg(sysstat_t)
173	-')

Gentoo Archives: gentoo-commits