commit: aec3a6dcf1de06d7b37322250d00e3f811082e6a |
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com> |
AuthorDate: Fri Nov 2 15:23:50 2012 +0000 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
CommitDate: Fri Nov 2 19:08:29 2012 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=aec3a6dc |
|
Changes to the zosremote policy module |
|
Module clean up |
|
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com> |
|
--- |
policy/modules/contrib/zosremote.fc | 2 ++ |
policy/modules/contrib/zosremote.if | 17 +++++++++-------- |
policy/modules/contrib/zosremote.te | 11 ++++++----- |
3 files changed, 17 insertions(+), 13 deletions(-) |
|
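--- a/policy/modules/contrib/zosremote.fc
+++ b/policy/modules/contrib/zosremote.fc
@@ -1 +1,3 @@
 /sbin/audispd-zos-remote -- gen_context(system_u:object_r:zos_remote_exec_t,s0)
+
+/usr/sbin/audispd-zos-remote -- gen_context(system_u:object_r:zos_remote_exec_t,s0)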
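--- a/policy/modules/contrib/zosremote.if
+++ b/policy/modules/contrib/zosremote.if
@@ -1,13 +1,13 @@
-## <summary>policy for z/OS Remote-services Audit dispatcher plugin</summary>
+## <summary>z/OS Remote-services Audit dispatcher plugin.</summary>
 
 ########################################
 ## <summary>
 ## Execute a domain transition to run audispd-zos-remote.
 ## </summary>
 ## <param name="domain">
-## <summary>
+## <summary>
 ## Domain allowed to transition.
-## </summary>
+## </summary>
 ## </param>
 #
 interface(`zosremote_domtrans',`
@@ -15,14 +15,15 @@ interface(`zosremote_domtrans',`
 type zos_remote_t, zos_remote_exec_t;
 ')
 
+ corecmd_search_bin($1)
 domtrans_pattern($1, zos_remote_exec_t, zos_remote_t)
 ')
 
 ########################################
 ## <summary>
-## Allow specified type and role to transition and
-## run in the zos_remote_t domain. Allow specified type
-## to use zos_remote_t terminal.
+## Execute zos remote in the zos remote
+## domain, and allow the specified role
+## the zos remote domain.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -37,9 +38,9 @@ interface(`zosremote_domtrans',`
 #
 interface(`zosremote_run',`
 gen_require(`
- type zos_remote_t;
+ attribute_role zos_remote_roles;
 ')
 
 zosremote_domtrans($1)
- role $2 types zos_remote_t;
+ roleattribute $2 zos_remote_roles;
 ')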
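Review bot: The new summary of zosremote_run in the second hunk names the program "zos remote" and the domain "the zos remote domain", while the zosremote_domtrans summary just above it names the program audispd-zos-remote and the policy names the domain zos_remote_t; the two descriptions should use the same names. Suggested wording: `## Execute audispd-zos-remote in the zos_remote domain, and allow the specified role the zos_remote domain.` In the third hunk, `roleattribute $2 zos_remote_roles;` grants the caller's role every type that is, or later becomes, associated with zos_remote_roles rather than zos_remote_t alone, so a one-line comment there pointing at the attribute declaration in zosremote.te would help a reader of this interface understand where the role's reach is defined. The parameter blocks of zosremote_run lie between the second and third hunks and are not visible here.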
diff --git a/policy/modules/contrib/zosremote.te b/policy/modules/contrib/zosremote.te |
83 |
index f9a06d2..9ba9f81 100644 |
84 |
--- a/policy/modules/contrib/zosremote.te |
85 |
+++ b/policy/modules/contrib/zosremote.te |
86 |
@@ -1,25 +1,26 @@ |
87 |
-policy_module(zosremote, 1.1.0) |
88 |
+policy_module(zosremote, 1.1.1) |
89 |
|
90 |
######################################## |
91 |
# |
92 |
# Declarations |
93 |
# |
94 |
|
95 |
+attribute_role zos_remote_roles; |
96 |
+ |
97 |
type zos_remote_t; |
98 |
type zos_remote_exec_t; |
99 |
init_system_domain(zos_remote_t, zos_remote_exec_t) |
100 |
logging_dispatcher_domain(zos_remote_t, zos_remote_exec_t) |
101 |
+role zos_remote_roles types zos_remote_t; |
102 |
|
103 |
######################################## |
104 |
# |
105 |
-# zos_remote local policy |
106 |
+# Local policy |
107 |
# |
108 |
|
109 |
allow zos_remote_t self:process signal; |
110 |
allow zos_remote_t self:fifo_file rw_file_perms; |
111 |
-allow zos_remote_t self:unix_stream_socket create_stream_socket_perms; |
112 |
- |
113 |
-files_read_etc_files(zos_remote_t) |
114 |
+allow zos_remote_t self:unix_stream_socket { accept listen }; |
115 |
|
116 |
auth_use_nsswitch(zos_remote_t) |