| 1 |
commit: fe1441e04e5a9c444c4f4fd620ea66070809dc14 |
| 2 |
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com> |
| 3 |
AuthorDate: Sun Oct 28 16:48:53 2012 +0000 |
| 4 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
| 5 |
CommitDate: Sun Oct 28 17:59:00 2012 +0000 |
| 6 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=fe1441e0 |
| 7 |
|
| 8 |
Changes to the sosreport policy module and relevant dependencies |
| 9 |
|
| 10 |
Ported from Fedora with changes |
| 11 |
|
| 12 |
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com> |
| 13 |
|
| 14 |
--- |
| 15 |
policy/modules/contrib/abrt.if | 18 +++++++++++++++++ |
| 16 |
policy/modules/contrib/abrt.te | 2 +- |
| 17 |
policy/modules/contrib/logrotate.te | 4 +- |
| 18 |
policy/modules/contrib/sosreport.fc | 2 + |
| 19 |
policy/modules/contrib/sosreport.if | 32 +++++++++++++++--------------- |
| 20 |
policy/modules/contrib/sosreport.te | 36 ++++++++++++++-------------------- |
| 21 |
6 files changed, 54 insertions(+), 40 deletions(-) |
| 22 |
|
| 23 |
diff --git a/policy/modules/contrib/abrt.if b/policy/modules/contrib/abrt.if |
| 24 |
index e380368..058d908 100644 |
| 25 |
--- a/policy/modules/contrib/abrt.if |
| 26 |
+++ b/policy/modules/contrib/abrt.if |
| 27 |
@@ -173,12 +173,30 @@ interface(`abrt_run_helper',` |
| 28 |
## </param> |
| 29 |
# |
| 30 |
interface(`abrt_cache_manage',` |
| 31 |
+ refpolicywarn(`$0($*) has been deprecated, use abrt_manage_cache() instead.') |
| 32 |
+ abrt_manage_cache($1) |
| 33 |
+') |
| 34 |
+ |
| 35 |
+######################################## |
| 36 |
+## <summary> |
| 37 |
+## Create, read, write, and delete |
| 38 |
+## abrt cache content. |
| 39 |
+## </summary> |
| 40 |
+## <param name="domain"> |
| 41 |
+## <summary> |
| 42 |
+## Domain allowed access. |
| 43 |
+## </summary> |
| 44 |
+## </param> |
| 45 |
+# |
| 46 |
+interface(`abrt_manage_cache',` |
| 47 |
gen_require(` |
| 48 |
type abrt_var_cache_t; |
| 49 |
') |
| 50 |
|
| 51 |
files_search_var($1) |
| 52 |
manage_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t) |
| 53 |
+ manage_lnk_files_pattern($1, abrt_var_cache_t, abrt_var_cache_t) |
| 54 |
+ manage_dirs_pattern($1, abrt_var_cache_t, abrt_var_cache_t) |
| 55 |
') |
| 56 |
|
| 57 |
#################################### |
| 58 |
|
| 59 |
diff --git a/policy/modules/contrib/abrt.te b/policy/modules/contrib/abrt.te |
| 60 |
index 8490e9b..a6f1aec 100644 |
| 61 |
--- a/policy/modules/contrib/abrt.te |
| 62 |
+++ b/policy/modules/contrib/abrt.te |
| 63 |
@@ -1,4 +1,4 @@ |
| 64 |
-policy_module(abrt, 1.3.1) |
| 65 |
+policy_module(abrt, 1.3.2) |
| 66 |
|
| 67 |
######################################## |
| 68 |
# |
| 69 |
|
| 70 |
diff --git a/policy/modules/contrib/logrotate.te b/policy/modules/contrib/logrotate.te |
| 71 |
index c88af3c..ffb4127 100644 |
| 72 |
--- a/policy/modules/contrib/logrotate.te |
| 73 |
+++ b/policy/modules/contrib/logrotate.te |
| 74 |
@@ -1,4 +1,4 @@ |
| 75 |
-policy_module(logrotate, 1.14.3) |
| 76 |
+policy_module(logrotate, 1.14.4) |
| 77 |
|
| 78 |
######################################## |
| 79 |
# |
| 80 |
@@ -124,7 +124,7 @@ ifdef(`distro_debian',` |
| 81 |
') |
| 82 |
|
| 83 |
optional_policy(` |
| 84 |
- abrt_cache_manage(logrotate_t) |
| 85 |
+ abrt_manage_cache(logrotate_t) |
| 86 |
') |
| 87 |
|
| 88 |
optional_policy(` |
| 89 |
|
| 90 |
diff --git a/policy/modules/contrib/sosreport.fc b/policy/modules/contrib/sosreport.fc |
| 91 |
index a40478e..704e2da 100644 |
| 92 |
--- a/policy/modules/contrib/sosreport.fc |
| 93 |
+++ b/policy/modules/contrib/sosreport.fc |
| 94 |
@@ -1 +1,3 @@ |
| 95 |
/usr/sbin/sosreport -- gen_context(system_u:object_r:sosreport_exec_t,s0) |
| 96 |
+ |
| 97 |
+/\.ismount-test-file -- gen_context(system_u:object_r:sosreport_tmp_t,s0) |
| 98 |
|
| 99 |
diff --git a/policy/modules/contrib/sosreport.if b/policy/modules/contrib/sosreport.if |
| 100 |
index 94c01b5..634c6b4 100644 |
| 101 |
--- a/policy/modules/contrib/sosreport.if |
| 102 |
+++ b/policy/modules/contrib/sosreport.if |
| 103 |
@@ -1,4 +1,4 @@ |
| 104 |
-## <summary>sosreport - Generate debugging information for system</summary> |
| 105 |
+## <summary>Generate debugging information for system.</summary> |
| 106 |
|
| 107 |
######################################## |
| 108 |
## <summary> |
| 109 |
@@ -15,13 +15,15 @@ interface(`sosreport_domtrans',` |
| 110 |
type sosreport_t, sosreport_exec_t; |
| 111 |
') |
| 112 |
|
| 113 |
+ corecmd_search_bin($1) |
| 114 |
domtrans_pattern($1, sosreport_exec_t, sosreport_t) |
| 115 |
') |
| 116 |
|
| 117 |
######################################## |
| 118 |
## <summary> |
| 119 |
-## Execute sosreport in the sosreport domain, and |
| 120 |
-## allow the specified role the sosreport domain. |
| 121 |
+## Execute sosreport in the sosreport |
| 122 |
+## domain, and allow the specified |
| 123 |
+## role the sosreport domain. |
| 124 |
## </summary> |
| 125 |
## <param name="domain"> |
| 126 |
## <summary> |
| 127 |
@@ -36,25 +38,25 @@ interface(`sosreport_domtrans',` |
| 128 |
# |
| 129 |
interface(`sosreport_run',` |
| 130 |
gen_require(` |
| 131 |
- type sosreport_t; |
| 132 |
+ attribute_role sosreport_roles; |
| 133 |
') |
| 134 |
|
| 135 |
sosreport_domtrans($1) |
| 136 |
- role $2 types sosreport_t; |
| 137 |
+ roleattribute $2 sospreport_roles; |
| 138 |
') |
| 139 |
|
| 140 |
######################################## |
| 141 |
## <summary> |
| 142 |
-## Role access for sosreport |
| 143 |
+## Role access for sosreport. |
| 144 |
## </summary> |
| 145 |
## <param name="role"> |
| 146 |
## <summary> |
| 147 |
-## Role allowed access |
| 148 |
+## Role allowed access. |
| 149 |
## </summary> |
| 150 |
## </param> |
| 151 |
## <param name="domain"> |
| 152 |
## <summary> |
| 153 |
-## User domain for the role |
| 154 |
+## User domain for the role. |
| 155 |
## </summary> |
| 156 |
## </param> |
| 157 |
# |
| 158 |
@@ -63,18 +65,15 @@ interface(`sosreport_role',` |
| 159 |
type sosreport_t; |
| 160 |
') |
| 161 |
|
| 162 |
- role $1 types sosreport_t; |
| 163 |
- |
| 164 |
- sosreport_domtrans($2) |
| 165 |
+ sosreport_run($2, $1) |
| 166 |
|
| 167 |
+ allow $2 sosreport_t:process { ptrace signal_perms }; |
| 168 |
ps_process_pattern($2, sosreport_t) |
| 169 |
- allow $2 sosreport_t:process signal; |
| 170 |
') |
| 171 |
|
| 172 |
######################################## |
| 173 |
## <summary> |
| 174 |
-## Allow the specified domain to read |
| 175 |
-## sosreport tmp files. |
| 176 |
+## Read sosreport temporary files. |
| 177 |
## </summary> |
| 178 |
## <param name="domain"> |
| 179 |
## <summary> |
| 180 |
@@ -93,7 +92,7 @@ interface(`sosreport_read_tmp_files',` |
| 181 |
|
| 182 |
######################################## |
| 183 |
## <summary> |
| 184 |
-## Append sosreport tmp files. |
| 185 |
+## Append sosreport temporary files. |
| 186 |
## </summary> |
| 187 |
## <param name="domain"> |
| 188 |
## <summary> |
| 189 |
@@ -106,12 +105,13 @@ interface(`sosreport_append_tmp_files',` |
| 190 |
type sosreport_tmp_t; |
| 191 |
') |
| 192 |
|
| 193 |
+ files_search_tmp($1) |
| 194 |
append_files_pattern($1, sosreport_tmp_t, sosreport_tmp_t) |
| 195 |
') |
| 196 |
|
| 197 |
######################################## |
| 198 |
## <summary> |
| 199 |
-## Delete sosreport tmp files. |
| 200 |
+## Delete sosreport temporary files. |
| 201 |
## </summary> |
| 202 |
## <param name="domain"> |
| 203 |
## <summary> |
| 204 |
|
| 205 |
diff --git a/policy/modules/contrib/sosreport.te b/policy/modules/contrib/sosreport.te |
| 206 |
index c6079a5..e832424 100644 |
| 207 |
--- a/policy/modules/contrib/sosreport.te |
| 208 |
+++ b/policy/modules/contrib/sosreport.te |
| 209 |
@@ -1,14 +1,17 @@ |
| 210 |
-policy_module(sosreport, 1.2.0) |
| 211 |
+policy_module(sosreport, 1.2.1) |
| 212 |
|
| 213 |
######################################## |
| 214 |
# |
| 215 |
# Declarations |
| 216 |
# |
| 217 |
|
| 218 |
+attribute_role sosreport_roles; |
| 219 |
+roleattribute system_r sosreport_roles; |
| 220 |
+ |
| 221 |
type sosreport_t; |
| 222 |
type sosreport_exec_t; |
| 223 |
application_domain(sosreport_t, sosreport_exec_t) |
| 224 |
-role system_r types sosreport_t; |
| 225 |
+role sosreport_roles types sosreport_t; |
| 226 |
|
| 227 |
type sosreport_tmp_t; |
| 228 |
files_tmp_file(sosreport_tmp_t) |
| 229 |
@@ -18,21 +21,19 @@ files_tmpfs_file(sosreport_tmpfs_t) |
| 230 |
|
| 231 |
######################################## |
| 232 |
# |
| 233 |
-# sosreport local policy |
| 234 |
+# Local policy |
| 235 |
# |
| 236 |
|
| 237 |
-allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice sys_ptrace dac_override }; |
| 238 |
+allow sosreport_t self:capability { kill net_admin net_raw setuid sys_admin sys_nice dac_override }; |
| 239 |
allow sosreport_t self:process { setsched signull }; |
| 240 |
allow sosreport_t self:fifo_file rw_fifo_file_perms; |
| 241 |
-allow sosreport_t self:tcp_socket create_stream_socket_perms; |
| 242 |
-allow sosreport_t self:udp_socket create_socket_perms; |
| 243 |
-allow sosreport_t self:unix_dgram_socket create_socket_perms; |
| 244 |
-allow sosreport_t self:netlink_route_socket r_netlink_socket_perms; |
| 245 |
-allow sosreport_t self:unix_stream_socket create_stream_socket_perms; |
| 246 |
+allow sosreport_t self:tcp_socket { accept listen }; |
| 247 |
+allow sosreport_t self:unix_stream_socket { accept listen }; |
| 248 |
|
| 249 |
manage_dirs_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t) |
| 250 |
manage_files_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t) |
| 251 |
manage_lnk_files_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t) |
| 252 |
+files_root_filetrans(sosreport_t, sosreport_tmp_t, file, ".ismount-test-file") |
| 253 |
files_tmp_filetrans(sosreport_t, sosreport_tmp_t, { file dir }) |
| 254 |
|
| 255 |
manage_files_pattern(sosreport_t, sosreport_tmpfs_t, sosreport_tmpfs_t) |
| 256 |
@@ -64,23 +65,22 @@ files_getattr_all_sockets(sosreport_t) |
| 257 |
files_exec_etc_files(sosreport_t) |
| 258 |
files_list_all(sosreport_t) |
| 259 |
files_read_config_files(sosreport_t) |
| 260 |
-files_read_etc_files(sosreport_t) |
| 261 |
files_read_generic_tmp_files(sosreport_t) |
| 262 |
+files_read_non_auth_files(sosreport_t) |
| 263 |
files_read_usr_files(sosreport_t) |
| 264 |
files_read_var_lib_files(sosreport_t) |
| 265 |
files_read_var_symlinks(sosreport_t) |
| 266 |
files_read_kernel_modules(sosreport_t) |
| 267 |
files_read_all_symlinks(sosreport_t) |
| 268 |
-# for blkid.tab |
| 269 |
files_manage_etc_runtime_files(sosreport_t) |
| 270 |
files_etc_filetrans_etc_runtime(sosreport_t, file) |
| 271 |
|
| 272 |
fs_getattr_all_fs(sosreport_t) |
| 273 |
fs_list_inotifyfs(sosreport_t) |
| 274 |
|
| 275 |
-# some config files do not have configfile attribute |
| 276 |
-# sosreport needs to read various files on system |
| 277 |
-files_read_non_auth_files(sosreport_t) |
| 278 |
+storage_dontaudit_read_fixed_disk(sosreport_t) |
| 279 |
+storage_dontaudit_read_removable_device(sosreport_t) |
| 280 |
+ |
| 281 |
auth_use_nsswitch(sosreport_t) |
| 282 |
|
| 283 |
init_domtrans_script(sosreport_t) |
| 284 |
@@ -92,13 +92,11 @@ logging_send_syslog_msg(sosreport_t) |
| 285 |
|
| 286 |
miscfiles_read_localization(sosreport_t) |
| 287 |
|
| 288 |
-# needed by modinfo |
| 289 |
modutils_read_module_deps(sosreport_t) |
| 290 |
|
| 291 |
-sysnet_read_config(sosreport_t) |
| 292 |
- |
| 293 |
optional_policy(` |
| 294 |
abrt_manage_pid_files(sosreport_t) |
| 295 |
+ abrt_manage_cache(sosreport_t) |
| 296 |
') |
| 297 |
|
| 298 |
optional_policy(` |
| 299 |
@@ -142,7 +140,3 @@ optional_policy(` |
| 300 |
optional_policy(` |
| 301 |
xserver_stream_connect(sosreport_t) |
| 302 |
') |
| 303 |
- |
| 304 |
-optional_policy(` |
| 305 |
- unconfined_domain(sosreport_t) |
| 306 |
-') |
Archives