commit: fe1441e04e5a9c444c4f4fd620ea66070809dc14 |
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com> |
AuthorDate: Sun Oct 28 16:48:53 2012 +0000 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
CommitDate: Sun Oct 28 17:59:00 2012 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=fe1441e0 |
|
Changes to the sosreport policy module and relevant dependencies |
|
Ported from Fedora with changes |
|
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com> |
|
--- |
policy/modules/contrib/abrt.if | 18 +++++++++++++++++ |
policy/modules/contrib/abrt.te | 2 +- |
policy/modules/contrib/logrotate.te | 4 +- |
policy/modules/contrib/sosreport.fc | 2 + |
policy/modules/contrib/sosreport.if | 32 +++++++++++++++--------------- |
policy/modules/contrib/sosreport.te | 36 ++++++++++++++-------------------- |
6 files changed, 54 insertions(+), 40 deletions(-) |
|
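--- a/policy/modules/contrib/abrt.if
+++ b/policy/modules/contrib/abrt.if
@@ -173,12 +173,30 @@ interface(`abrt_run_helper',`
 ## </param>
 #
 interface(`abrt_cache_manage',`
+ refpolicywarn(`$0($*) has been deprecated, use abrt_manage_cache() instead.')
+ abrt_manage_cache($1)
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## abrt cache content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`abrt_manage_cache',`
 gen_require(`
 type abrt_var_cache_t;
 ')
 
 files_search_var($1)
 manage_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
+ manage_lnk_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
+ manage_dirs_pattern($1, abrt_var_cache_t, abrt_var_cache_t)
 ')
 
 ####################################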
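Review bot: The deprecated `abrt_cache_manage` wrapper is not behaviour-preserving: it forwards to `abrt_manage_cache`, which in the same hunk gains `manage_lnk_files_pattern` and `manage_dirs_pattern` on `abrt_var_cache_t`, so every existing caller of the old name is silently widened from file-only access to directory and symlink management on the abrt cache. If that widening is meant for all callers, the commit message should say so; otherwise the old name should keep only the file rule. The doc block above `abrt_cache_manage` starts outside the hunk, so whether its summary still matches cannot be checked here; it should at least mark the interface as deprecated, for instance by appending `(Deprecated)` to its summary line.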
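--- a/policy/modules/contrib/abrt.te
+++ b/policy/modules/contrib/abrt.te
@@ -1,4 +1,4 @@
-policy_module(abrt, 1.3.1)
+policy_module(abrt, 1.3.2)
 
 ########################################
 #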
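--- a/policy/modules/contrib/logrotate.te
+++ b/policy/modules/contrib/logrotate.te
@@ -1,4 +1,4 @@
-policy_module(logrotate, 1.14.3)
+policy_module(logrotate, 1.14.4)
 
 ########################################
 #
@@ -124,7 +124,7 @@ ifdef(`distro_debian',`
 ')
 
 optional_policy(`
- abrt_cache_manage(logrotate_t)
+ abrt_manage_cache(logrotate_t)
 ')
 
 optional_policy(`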
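--- a/policy/modules/contrib/sosreport.fc
+++ b/policy/modules/contrib/sosreport.fc
@@ -1 +1,3 @@
 /usr/sbin/sosreport -- gen_context(system_u:object_r:sosreport_exec_t,s0)
+
+/\.ismount-test-file -- gen_context(system_u:object_r:sosreport_tmp_t,s0)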
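Review bot: The new `/\.ismount-test-file` entry puts a `sosreport_tmp_t` label on a file in the root directory with no explanation, so any domain that is granted access to `sosreport_tmp_t` through the tmp-file interfaces in sosreport.if now has a labelled target in `/` as well as under the temporary directory. A comment above the entry would make the intent reviewable, e.g. `# probe file created in / by sosreport_t; keep in sync with files_root_filetrans() in sosreport.te`. The file name is repeated as a string literal in sosreport.te, so a rename in one place without the other would leave the file with the parent directory's label.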
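--- a/policy/modules/contrib/sosreport.if
+++ b/policy/modules/contrib/sosreport.if
@@ -1,4 +1,4 @@
-## <summary>sosreport - Generate debugging information for system</summary>
+## <summary>Generate debugging information for system.</summary>
 
 ########################################
 ## <summary>
@@ -15,13 +15,15 @@ interface(`sosreport_domtrans',`
 type sosreport_t, sosreport_exec_t;
 ')
 
+ corecmd_search_bin($1)
 domtrans_pattern($1, sosreport_exec_t, sosreport_t)
 ')
 
 ########################################
 ## <summary>
-## Execute sosreport in the sosreport domain, and
-## allow the specified role the sosreport domain.
+## Execute sosreport in the sosreport
+## domain, and allow the specified
+## role the sosreport domain.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -36,25 +38,25 @@ interface(`sosreport_domtrans',`
 #
 interface(`sosreport_run',`
 gen_require(`
- type sosreport_t;
+ attribute_role sosreport_roles;
 ')
 
 sosreport_domtrans($1)
- role $2 types sosreport_t;
+ roleattribute $2 sospreport_roles;
 ')
 
 ########################################
 ## <summary>
-## Role access for sosreport
+## Role access for sosreport.
 ## </summary>
 ## <param name="role">
 ## <summary>
-## Role allowed access
+## Role allowed access.
 ## </summary>
 ## </param>
 ## <param name="domain">
 ## <summary>
-## User domain for the role
+## User domain for the role.
 ## </summary>
 ## </param>
 #
@@ -63,18 +65,15 @@ interface(`sosreport_role',`
 type sosreport_t;
 ')
 
- role $1 types sosreport_t;
-
- sosreport_domtrans($2)
+ sosreport_run($2, $1)
 
+ allow $2 sosreport_t:process { ptrace signal_perms };
 ps_process_pattern($2, sosreport_t)
- allow $2 sosreport_t:process signal;
 ')
 
 ########################################
 ## <summary>
-## Allow the specified domain to read
-## sosreport tmp files.
+## Read sosreport temporary files.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -93,7 +92,7 @@ interface(`sosreport_read_tmp_files',`
 
 ########################################
 ## <summary>
-## Append sosreport tmp files.
+## Append sosreport temporary files.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -106,12 +105,13 @@ interface(`sosreport_append_tmp_files',`
 type sosreport_tmp_t;
 ')
 
+ files_search_tmp($1)
 append_files_pattern($1, sosreport_tmp_t, sosreport_tmp_t)
 ')
 
 ########################################
 ## <summary>
-## Delete sosreport temporary files.
+## Delete sosreport temporary files.
 ## </summary>
 ## <param name="domain">
 ## <summary>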
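Review bot: In `sosreport_run` the new statement reads `roleattribute $2 sospreport_roles;`, but the attribute required two lines above it and declared in sosreport.te is `sosreport_roles`. As written the statement names an attribute that nothing on this page declares, so the role association that the removed `role $2 types sosreport_t;` used to provide is either lost or the module fails to build; it should be `roleattribute $2 sosreport_roles;`. Separately, the `sosreport_role` hunk widens the caller's rights over the sosreport process from `signal` to `{ ptrace signal_perms }`. Because sosreport_t keeps `sys_admin`, `dac_override` and `setuid` in sosreport.te, ptrace from the user domain puts those capabilities within reach of whoever holds the role, so I would drop `ptrace` unless a concrete need is documented next to the rule.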
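--- a/policy/modules/contrib/sosreport.te
+++ b/policy/modules/contrib/sosreport.te
@@ -1,14 +1,17 @@
-policy_module(sosreport, 1.2.0)
+policy_module(sosreport, 1.2.1)
 
 ########################################
 #
 # Declarations
 #
 
+attribute_role sosreport_roles;
+roleattribute system_r sosreport_roles;
+
 type sosreport_t;
 type sosreport_exec_t;
 application_domain(sosreport_t, sosreport_exec_t)
-role system_r types sosreport_t;
+role sosreport_roles types sosreport_t;
 
 type sosreport_tmp_t;
 files_tmp_file(sosreport_tmp_t)
@@ -18,21 +21,19 @@ files_tmpfs_file(sosreport_tmpfs_t)
 
 ########################################
 #
-# sosreport local policy
+# Local policy
 #
 
-allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice sys_ptrace dac_override };
+allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice dac_override };
 allow sosreport_t self:process { setsched signull };
 allow sosreport_t self:fifo_file rw_fifo_file_perms;
-allow sosreport_t self:tcp_socket create_stream_socket_perms;
-allow sosreport_t self:udp_socket create_socket_perms;
-allow sosreport_t self:unix_dgram_socket create_socket_perms;
-allow sosreport_t self:netlink_route_socket r_netlink_socket_perms;
-allow sosreport_t self:unix_stream_socket create_stream_socket_perms;
+allow sosreport_t self:tcp_socket { accept listen };
+allow sosreport_t self:unix_stream_socket { accept listen };
 
 manage_dirs_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t)
 manage_files_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t)
 manage_lnk_files_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t)
+files_root_filetrans(sosreport_t, sosreport_tmp_t, file, ".ismount-test-file")
 files_tmp_filetrans(sosreport_t, sosreport_tmp_t, { file dir })
 
 manage_files_pattern(sosreport_t, sosreport_tmpfs_t, sosreport_tmpfs_t)
@@ -64,23 +65,22 @@ files_getattr_all_sockets(sosreport_t)
 files_exec_etc_files(sosreport_t)
 files_list_all(sosreport_t)
 files_read_config_files(sosreport_t)
-files_read_etc_files(sosreport_t)
 files_read_generic_tmp_files(sosreport_t)
+files_read_non_auth_files(sosreport_t)
 files_read_usr_files(sosreport_t)
 files_read_var_lib_files(sosreport_t)
 files_read_var_symlinks(sosreport_t)
 files_read_kernel_modules(sosreport_t)
 files_read_all_symlinks(sosreport_t)
-# for blkid.tab
 files_manage_etc_runtime_files(sosreport_t)
 files_etc_filetrans_etc_runtime(sosreport_t, file)
 
 fs_getattr_all_fs(sosreport_t)
 fs_list_inotifyfs(sosreport_t)
 
-# some config files do not have configfile attribute
-# sosreport needs to read various files on system
-files_read_non_auth_files(sosreport_t)
+storage_dontaudit_read_fixed_disk(sosreport_t)
+storage_dontaudit_read_removable_device(sosreport_t)
+
 auth_use_nsswitch(sosreport_t)
 
 init_domtrans_script(sosreport_t)
@@ -92,13 +92,11 @@ logging_send_syslog_msg(sosreport_t)
 
 miscfiles_read_localization(sosreport_t)
 
-# needed by modinfo
 modutils_read_module_deps(sosreport_t)
 
-sysnet_read_config(sosreport_t)
-
 optional_policy(`
 abrt_manage_pid_files(sosreport_t)
+ abrt_manage_cache(sosreport_t)
 ')
 
 optional_policy(`
@@ -142,7 +140,3 @@ optional_policy(`
 optional_policy(`
 xserver_stream_connect(sosreport_t)
 ')
-
-optional_policy(`
- unconfined_domain(sosreport_t)
-')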
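Review bot: The added `storage_dontaudit_read_fixed_disk(sosreport_t)` and `storage_dontaudit_read_removable_device(sosreport_t)` rules silence denials for block-device reads by sosreport_t without saying what triggers them, and the same hunk (`@@ -64,23 +65,22 @@`) deletes the comments that justified `files_manage_etc_runtime_files` (`# for blkid.tab`) and `files_read_non_auth_files`. With `unconfined_domain(sosreport_t)` removed in the last hunk, these rules are now what a reviewer reads to judge the domain's reach, so the rationale matters more than before. I would keep the removed why-comments and add one on the dontaudit pair, e.g. `# sosreport probes block devices while collecting data; the reads are not needed, so suppress the denials` (wording for the author to confirm). Dontaudit also hides those denials from anyone watching the audit log for unexpected raw-disk access from this domain, which should be a stated decision rather than a side effect.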