commit: 2828363665ab635a1b6f909e3a7dd99fe9a4c60c |
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com> |
AuthorDate: Mon Oct 29 09:42:58 2012 +0000 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
CommitDate: Mon Oct 29 14:48:44 2012 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=28283636 |
|
Changes to the sysstat policy module |
|
Ported from Fedora with changes |
Add init script file |
Add sysstat_admin() |
|
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com> |
|
--- |
policy/modules/contrib/sysstat.fc | 3 ++ |
policy/modules/contrib/sysstat.if | 39 +++++++++++++++++++++++++++++++++++- |
policy/modules/contrib/sysstat.te | 31 ++++++++++++++--------------- |
3 files changed, 55 insertions(+), 18 deletions(-) |
|
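diff --git a/policy/modules/contrib/sysstat.fc b/policy/modules/contrib/sysstat.fc
index b1b97d4..b660cfc 100644
--- a/policy/modules/contrib/sysstat.fc
+++ b/policy/modules/contrib/sysstat.fc
@@ -1,3 +1,6 @@
+/etc/rc\.d/init\.d/sysstat -- gen_context(system_u:object_r:sysstat_initrc_exec_t,s0)
+
+/opt/sartest(/.*)? gen_context(system_u:object_r:sysstat_log_t,s0)
 
 /usr/lib/atsar/atsa.* -- gen_context(system_u:object_r:sysstat_exec_t,s0)
 /usr/lib/sa/sa.* -- gen_context(system_u:object_r:sysstat_exec_t,s0)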
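Review bot: The new `/opt/sartest(/.*)?` entry labels a whole tree under /opt as `sysstat_log_t` with no file-type specifier and no explanation, and the commit message does not mention it. The name suggests a test directory carried over with the Fedora port, though nothing on the page confirms that. If it is not a location the sysstat package itself creates, anything later placed there becomes writable by sysstat_t and manageable by every domain that calls sysstat_manage_log() or sysstat_admin(). I would drop the line, or keep it with a comment above it naming the owner, for example `# <package that creates /opt/sartest> stores sar data here`.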
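diff --git a/policy/modules/contrib/sysstat.if b/policy/modules/contrib/sysstat.if
index 7a23b3b..14ae3f2 100644
--- a/policy/modules/contrib/sysstat.if
+++ b/policy/modules/contrib/sysstat.if
@@ -1,8 +1,9 @@
-## <summary>Policy for sysstat. Reports on various system states</summary>
+## <summary>Reports on various system states.</summary>
 
 ########################################
 ## <summary>
-## Manage sysstat logs.
+## Create, read, write, and delete
+## sysstat log files.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -19,3 +20,37 @@ interface(`sysstat_manage_log',`
 logging_search_logs($1)
 manage_files_pattern($1, sysstat_log_t, sysstat_log_t)
 ')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an sysstat environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`sysstat_admin',`
+ gen_require(`
+ type sysstat_t, sysstat_initrc_exec_t, sysstat_log_t;
+ ')
+
+ allow $1 sysstat_t:process { ptrace signal_perms };
+ ps_process_pattern($1, sysstat_t)
+
+ init_labeled_script_domtrans($1, sysstat_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 sysstat_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ logging_search_logs($1)
+ admin_pattern($1, sysstat_log_t)
+')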
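Review bot: `sysstat_admin()` grants `ptrace` on sysstat_t unconditionally in `allow $1 sysstat_t:process { ptrace signal_perms };`. That lets the calling admin domain take control of a process which, per the sysstat.te section of this same commit, holds `dac_override` and `sys_admin`. Listing, signalling and restarting the service through its init script do not need ptrace, so I would narrow the rule to `allow $1 sysstat_t:process signal_perms;` or place the ptrace permission behind a tunable that defaults to off. As a minor wording point, the interface summary should read "administrate a sysstat environment" rather than "an sysstat environment".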
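diff --git a/policy/modules/contrib/sysstat.te b/policy/modules/contrib/sysstat.te
index 0ecd8a7..c8b80b2 100644
--- a/policy/modules/contrib/sysstat.te
+++ b/policy/modules/contrib/sysstat.te
@@ -1,4 +1,4 @@
-policy_module(sysstat, 1.7.0)
+policy_module(sysstat, 1.7.1)
 
 ########################################
 #
@@ -8,7 +8,9 @@ policy_module(sysstat, 1.7.0)
 type sysstat_t;
 type sysstat_exec_t;
 init_system_domain(sysstat_t, sysstat_exec_t)
-role system_r types sysstat_t;
+
+type sysstat_initrc_exec_t;
+init_script_file(sysstat_initrc_exec_t)
 
 type sysstat_log_t;
 logging_log_file(sysstat_log_t)
@@ -18,18 +20,18 @@ logging_log_file(sysstat_log_t)
 # Local policy
 #
 
-allow sysstat_t self:capability { dac_override sys_resource sys_tty_config };
-dontaudit sysstat_t self:capability sys_admin;
+allow sysstat_t self:capability { dac_override sys_admin sys_resource sys_tty_config };
 allow sysstat_t self:fifo_file rw_fifo_file_perms;
 
-can_exec(sysstat_t, sysstat_exec_t)
-
 manage_dirs_pattern(sysstat_t,sysstat_log_t,sysstat_log_t)
-manage_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
+append_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
+create_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
+setattr_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
 manage_lnk_files_pattern(sysstat_t,sysstat_log_t,sysstat_log_t)
 logging_log_filetrans(sysstat_t, sysstat_log_t, { file dir })
 
-# get info from /proc
+can_exec(sysstat_t, sysstat_exec_t)
+
 kernel_read_system_state(sysstat_t)
 kernel_read_network_state(sysstat_t)
 kernel_read_kernel_sysctls(sysstat_t)
@@ -38,14 +40,11 @@ kernel_read_rpc_sysctls(sysstat_t)
 
 corecmd_exec_bin(sysstat_t)
 
-dev_read_urand(sysstat_t)
 dev_read_sysfs(sysstat_t)
+dev_read_urand(sysstat_t)
 
 files_search_var(sysstat_t)
-# for mtab
 files_read_etc_runtime_files(sysstat_t)
-#for fstab
-files_read_etc_files(sysstat_t)
 
 fs_getattr_xattr_fs(sysstat_t)
 fs_list_inotifyfs(sysstat_t)
@@ -53,10 +52,14 @@ fs_list_inotifyfs(sysstat_t)
 term_use_console(sysstat_t)
 term_use_all_terms(sysstat_t)
 
+auth_use_nsswitch(sysstat_t)
+
 init_use_fds(sysstat_t)
 
 locallogin_use_fds(sysstat_t)
 
+logging_send_syslog_msg(sysstat_t)
+
 miscfiles_read_localization(sysstat_t)
 
 userdom_dontaudit_list_user_home_dirs(sysstat_t)
@@ -64,7 +67,3 @@ userdom_dontaudit_list_user_home_dirs(sysstat_t)
 optional_policy(`
 cron_system_entry(sysstat_t, sysstat_exec_t)
 ')
-
-optional_policy(`
- logging_send_syslog_msg(sysstat_t)
-')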
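Review bot: In the `@@ -18,18 +20,18 @@` hunk the capability rule now allows `sys_admin` where the old policy had `dontaudit sysstat_t self:capability sys_admin;`, and neither the hunk nor the commit message says which operation needs it. `sys_admin` is among the broadest capabilities, and combined with the existing `dac_override` it makes sysstat_t a considerably more valuable domain to compromise. I would keep the `dontaudit` unless a functional failure was observed, and otherwise document the grant with a comment such as `# sys_admin: <operation seen in the AVC denial>`. The same section also removes the `# get info from /proc` and `# for mtab` comments, which would be worth keeping next to the rules they explain.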