[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/ - gentoo-commits

From:	Sven Vermeulen <sven.vermeulen@××××××.be>
To:	gentoo-commits@l.g.o
Subject:	[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
Date:	Fri, 28 Sep 2012 17:51:41
Message-Id:	`1348854072.cf4135ed179e1864d9251c9eb8a8c6e6c172b894.SwifT@gentoo`

1

commit:     cf4135ed179e1864d9251c9eb8a8c6e6c172b894

2

Author:     Dominick Grift <dominick.grift <AT> gmail <DOT> com>

3

AuthorDate: Fri Sep 28 08:23:59 2012 +0000

4

Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>

5

CommitDate: Fri Sep 28 17:41:12 2012 +0000

6

URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=cf4135ed

7

8

Changes to the denyhosts policy module

9

10

Ported from Fedora with changes

11

12

Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>

13

14

---

15

 policy/modules/contrib/denyhosts.fc |    8 +++++---

16

 policy/modules/contrib/denyhosts.if |   24 +++++++++---------------

17

 policy/modules/contrib/denyhosts.te |   24 ++++++++++++------------

18

 3 files changed, 26 insertions(+), 30 deletions(-)

19

20

diff --git a/policy/modules/contrib/denyhosts.fc b/policy/modules/contrib/denyhosts.fc

21

index 257fef6..89b0b77 100644

22

--- a/policy/modules/contrib/denyhosts.fc

23

+++ b/policy/modules/contrib/denyhosts.fc

24

@@ -1,7 +1,9 @@

25

 /etc/rc\.d/init\.d/denyhosts	--	gen_context(system_u:object_r:denyhosts_initrc_exec_t,s0)

26

27

-/usr/bin/denyhosts\.py		--	gen_context(system_u:object_r:denyhosts_exec_t,s0)

28

+/usr/bin/denyhosts\.py	--	gen_context(system_u:object_r:denyhosts_exec_t,s0)

29

+

30

+/var/lib/denyhosts(/.*)?	gen_context(system_u:object_r:denyhosts_var_lib_t,s0)

31

32

-/var/lib/denyhosts(/.*)?		gen_context(system_u:object_r:denyhosts_var_lib_t,s0)

33

 /var/lock/subsys/denyhosts	--	gen_context(system_u:object_r:denyhosts_var_lock_t,s0)

34

-/var/log/denyhosts(/.*)?		gen_context(system_u:object_r:denyhosts_var_log_t,s0)

35

+

36

+/var/log/denyhosts(/.*)?	gen_context(system_u:object_r:denyhosts_var_log_t,s0)

37

38

diff --git a/policy/modules/contrib/denyhosts.if b/policy/modules/contrib/denyhosts.if

39

index 567865f..a7326da 100644

40

--- a/policy/modules/contrib/denyhosts.if

41

+++ b/policy/modules/contrib/denyhosts.if

42

@@ -1,12 +1,4 @@

43

-## <summary>DenyHosts SSH dictionary attack mitigation</summary>

44

-## <desc>

45

-##	<p>

46

-##	DenyHosts is a script intended to be run by Linux

47

-##	system administrators to help thwart SSH server attacks

48

-##	(also known as dictionary based attacks and brute force

49

-##	attacks).

50

-##	</p>

51

-## </desc>

52

+## <summary>SSH dictionary attack mitigation.</summary>

53

54

 ########################################

55

 ## <summary>

56

@@ -18,17 +10,19 @@

57

 ## </summary>

58

 ## </param>

59

#

60

-interface(`denyhosts_domtrans', `

61

+interface(`denyhosts_domtrans',`

62

 	gen_require(`

63

 		type denyhosts_t, denyhosts_exec_t;

64

')

65

66

+	corecmd_search_bin($1)

67

 	domtrans_pattern($1, denyhosts_exec_t, denyhosts_t)

68

')

69

70

 ########################################

71

 ## <summary>

72

-##	Execute denyhost server in the denyhost domain.

73

+##	Execute denyhost server in the

74

+##	denyhost domain.

75

 ## </summary>

76

 ## <param name="domain">

77

 ##	<summary>

78

@@ -36,7 +30,7 @@ interface(`denyhosts_domtrans', `

79

 ##	</summary>

80

 ## </param>

81

#

82

-interface(`denyhosts_initrc_domtrans', `

83

+interface(`denyhosts_initrc_domtrans',`

84

 	gen_require(`

85

 		type denyhosts_initrc_exec_t;

86

')

87

@@ -46,8 +40,8 @@ interface(`denyhosts_initrc_domtrans', `

88

89

 ########################################

90

 ## <summary>

91

-##	All of the rules required to administrate

92

-##	an denyhosts environment.

93

+##	All of the rules required to

94

+##	administrate an denyhosts environment.

95

 ## </summary>

96

 ## <param name="domain">

97

 ##	<summary>

98

@@ -60,7 +54,7 @@ interface(`denyhosts_initrc_domtrans', `

99

 ##	</summary>

100

 ## </param>

101

#

102

-interface(`denyhosts_admin', `

103

+interface(`denyhosts_admin',`

104

 	gen_require(`

105

 		type denyhosts_t, denyhosts_var_lib_t, denyhosts_var_lock_t;

106

 		type denyhosts_var_log_t, denyhosts_initrc_exec_t;

107

108

diff --git a/policy/modules/contrib/denyhosts.te b/policy/modules/contrib/denyhosts.te

109

index 8ba9425..2c544f5 100644

110

--- a/policy/modules/contrib/denyhosts.te

111

+++ b/policy/modules/contrib/denyhosts.te

112

@@ -1,8 +1,8 @@

113

-policy_module(denyhosts, 1.0.0)

114

+policy_module(denyhosts, 1.0.1)

115

116

 ########################################

117

#

118

-# DenyHosts personal declarations.

119

+# Declarations

120

#

121

122

 type denyhosts_t;

123

@@ -23,15 +23,14 @@ logging_log_file(denyhosts_var_log_t)

124

125

 ########################################

126

#

127

-# DenyHosts personal policy.

128

+# Local policy

129

#

130

131

-allow denyhosts_t self:netlink_route_socket create_netlink_socket_perms;

132

-allow denyhosts_t self:tcp_socket create_socket_perms;

133

-allow denyhosts_t self:udp_socket create_socket_perms;

134

+allow denyhosts_t self:capability sys_tty_config;

135

+allow denyhosts_t self:fifo_file rw_fifo_file_perms;

136

+allow denyhosts_t self:netlink_route_socket nlmsg_write;

137

138

 manage_files_pattern(denyhosts_t, denyhosts_var_lib_t, denyhosts_var_lib_t)

139

-files_var_lib_filetrans(denyhosts_t, denyhosts_var_lib_t, file)

140

141

 manage_dirs_pattern(denyhosts_t, denyhosts_var_lock_t, denyhosts_var_lock_t)

142

 manage_files_pattern(denyhosts_t, denyhosts_var_lock_t, denyhosts_var_lock_t)

143

@@ -43,24 +42,25 @@ read_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t)

144

 setattr_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t)

145

 logging_log_filetrans(denyhosts_t, denyhosts_var_log_t, file)

146

147

+kernel_read_network_state(denyhosts_t)

148

 kernel_read_system_state(denyhosts_t)

149

150

 corecmd_exec_bin(denyhosts_t)

151

+corecmd_exec_shell(denyhosts_t)

152

153

 corenet_all_recvfrom_unlabeled(denyhosts_t)

154

 corenet_all_recvfrom_netlabel(denyhosts_t)

155

 corenet_tcp_sendrecv_generic_if(denyhosts_t)

156

 corenet_tcp_sendrecv_generic_node(denyhosts_t)

157

-corenet_tcp_bind_generic_node(denyhosts_t)

158

-corenet_tcp_connect_smtp_port(denyhosts_t)

159

+

160

 corenet_sendrecv_smtp_client_packets(denyhosts_t)

161

+corenet_tcp_connect_smtp_port(denyhosts_t)

162

+corenet_tcp_sendrecv_smtp_port(denyhosts_t)

163

164

 dev_read_urand(denyhosts_t)

165

166

-files_read_etc_files(denyhosts_t)

167

-

168

-# /var/log/secure

169

 logging_read_generic_logs(denyhosts_t)

170

+logging_send_syslog_msg(denyhosts_t)

171

172

 miscfiles_read_localization(denyhosts_t)

1	commit: cf4135ed179e1864d9251c9eb8a8c6e6c172b894
2	Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
3	AuthorDate: Fri Sep 28 08:23:59 2012 +0000
4	Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
5	CommitDate: Fri Sep 28 17:41:12 2012 +0000
6	URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=cf4135ed
7
8	Changes to the denyhosts policy module
9
10	Ported from Fedora with changes
11
12	Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
13
14	---
15	policy/modules/contrib/denyhosts.fc \| 8 +++++---
16	policy/modules/contrib/denyhosts.if \| 24 +++++++++---------------
17	policy/modules/contrib/denyhosts.te \| 24 ++++++++++++------------
18	3 files changed, 26 insertions(+), 30 deletions(-)
19
20	diff --git a/policy/modules/contrib/denyhosts.fc b/policy/modules/contrib/denyhosts.fc
21	index 257fef6..89b0b77 100644
22	--- a/policy/modules/contrib/denyhosts.fc
23	+++ b/policy/modules/contrib/denyhosts.fc
24	@@ -1,7 +1,9 @@
25	/etc/rc\.d/init\.d/denyhosts -- gen_context(system_u:object_r:denyhosts_initrc_exec_t,s0)
26
27	-/usr/bin/denyhosts\.py -- gen_context(system_u:object_r:denyhosts_exec_t,s0)
28	+/usr/bin/denyhosts\.py -- gen_context(system_u:object_r:denyhosts_exec_t,s0)
29	+
30	+/var/lib/denyhosts(/.*)? gen_context(system_u:object_r:denyhosts_var_lib_t,s0)
31
32	-/var/lib/denyhosts(/.*)? gen_context(system_u:object_r:denyhosts_var_lib_t,s0)
33	/var/lock/subsys/denyhosts -- gen_context(system_u:object_r:denyhosts_var_lock_t,s0)
34	-/var/log/denyhosts(/.*)? gen_context(system_u:object_r:denyhosts_var_log_t,s0)
35	+
36	+/var/log/denyhosts(/.*)? gen_context(system_u:object_r:denyhosts_var_log_t,s0)
37
38	diff --git a/policy/modules/contrib/denyhosts.if b/policy/modules/contrib/denyhosts.if
39	index 567865f..a7326da 100644
40	--- a/policy/modules/contrib/denyhosts.if
41	+++ b/policy/modules/contrib/denyhosts.if
42	@@ -1,12 +1,4 @@
43	-## <summary>DenyHosts SSH dictionary attack mitigation</summary>
44	-## <desc>
45	-## <p>
46	-## DenyHosts is a script intended to be run by Linux
47	-## system administrators to help thwart SSH server attacks
48	-## (also known as dictionary based attacks and brute force
49	-## attacks).
50	-## </p>
51	-## </desc>
52	+## <summary>SSH dictionary attack mitigation.</summary>
53
54	########################################
55	## <summary>
56	@@ -18,17 +10,19 @@
57	## </summary>
58	## </param>
59	#
60	-interface(`denyhosts_domtrans', `
61	+interface(`denyhosts_domtrans',`
62	gen_require(`
63	type denyhosts_t, denyhosts_exec_t;
64	')
65
66	+ corecmd_search_bin($1)
67	domtrans_pattern($1, denyhosts_exec_t, denyhosts_t)
68	')
69
70	########################################
71	## <summary>
72	-## Execute denyhost server in the denyhost domain.
73	+## Execute denyhost server in the
74	+## denyhost domain.
75	## </summary>
76	## <param name="domain">
77	## <summary>
78	@@ -36,7 +30,7 @@ interface(`denyhosts_domtrans', `
79	## </summary>
80	## </param>
81	#
82	-interface(`denyhosts_initrc_domtrans', `
83	+interface(`denyhosts_initrc_domtrans',`
84	gen_require(`
85	type denyhosts_initrc_exec_t;
86	')
87	@@ -46,8 +40,8 @@ interface(`denyhosts_initrc_domtrans', `
88
89	########################################
90	## <summary>
91	-## All of the rules required to administrate
92	-## an denyhosts environment.
93	+## All of the rules required to
94	+## administrate an denyhosts environment.
95	## </summary>
96	## <param name="domain">
97	## <summary>
98	@@ -60,7 +54,7 @@ interface(`denyhosts_initrc_domtrans', `
99	## </summary>
100	## </param>
101	#
102	-interface(`denyhosts_admin', `
103	+interface(`denyhosts_admin',`
104	gen_require(`
105	type denyhosts_t, denyhosts_var_lib_t, denyhosts_var_lock_t;
106	type denyhosts_var_log_t, denyhosts_initrc_exec_t;
107
108	diff --git a/policy/modules/contrib/denyhosts.te b/policy/modules/contrib/denyhosts.te
109	index 8ba9425..2c544f5 100644
110	--- a/policy/modules/contrib/denyhosts.te
111	+++ b/policy/modules/contrib/denyhosts.te
112	@@ -1,8 +1,8 @@
113	-policy_module(denyhosts, 1.0.0)
114	+policy_module(denyhosts, 1.0.1)
115
116	########################################
117	#
118	-# DenyHosts personal declarations.
119	+# Declarations
120	#
121
122	type denyhosts_t;
123	@@ -23,15 +23,14 @@ logging_log_file(denyhosts_var_log_t)
124
125	########################################
126	#
127	-# DenyHosts personal policy.
128	+# Local policy
129	#
130
131	-allow denyhosts_t self:netlink_route_socket create_netlink_socket_perms;
132	-allow denyhosts_t self:tcp_socket create_socket_perms;
133	-allow denyhosts_t self:udp_socket create_socket_perms;
134	+allow denyhosts_t self:capability sys_tty_config;
135	+allow denyhosts_t self:fifo_file rw_fifo_file_perms;
136	+allow denyhosts_t self:netlink_route_socket nlmsg_write;
137
138	manage_files_pattern(denyhosts_t, denyhosts_var_lib_t, denyhosts_var_lib_t)
139	-files_var_lib_filetrans(denyhosts_t, denyhosts_var_lib_t, file)
140
141	manage_dirs_pattern(denyhosts_t, denyhosts_var_lock_t, denyhosts_var_lock_t)
142	manage_files_pattern(denyhosts_t, denyhosts_var_lock_t, denyhosts_var_lock_t)
143	@@ -43,24 +42,25 @@ read_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t)
144	setattr_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t)
145	logging_log_filetrans(denyhosts_t, denyhosts_var_log_t, file)
146
147	+kernel_read_network_state(denyhosts_t)
148	kernel_read_system_state(denyhosts_t)
149
150	corecmd_exec_bin(denyhosts_t)
151	+corecmd_exec_shell(denyhosts_t)
152
153	corenet_all_recvfrom_unlabeled(denyhosts_t)
154	corenet_all_recvfrom_netlabel(denyhosts_t)
155	corenet_tcp_sendrecv_generic_if(denyhosts_t)
156	corenet_tcp_sendrecv_generic_node(denyhosts_t)
157	-corenet_tcp_bind_generic_node(denyhosts_t)
158	-corenet_tcp_connect_smtp_port(denyhosts_t)
159	+
160	corenet_sendrecv_smtp_client_packets(denyhosts_t)
161	+corenet_tcp_connect_smtp_port(denyhosts_t)
162	+corenet_tcp_sendrecv_smtp_port(denyhosts_t)
163
164	dev_read_urand(denyhosts_t)
165
166	-files_read_etc_files(denyhosts_t)
167	-
168	-# /var/log/secure
169	logging_read_generic_logs(denyhosts_t)
170	+logging_send_syslog_msg(denyhosts_t)
171
172	miscfiles_read_localization(denyhosts_t)

Gentoo Archives: gentoo-commits