Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-commits

From: Sven Vermeulen <sven.vermeulen@××××××.be>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
Date: Tue, 30 Oct 2012 18:38:15
Message-Id: 1351621976.b287a8016a7ce56c2b9c90df6b9c7da596acdf4b.SwifT@gentoo
1 commit: b287a8016a7ce56c2b9c90df6b9c7da596acdf4b
2 Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
3 AuthorDate: Tue Oct 30 09:46:14 2012 +0000
4 Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
5 CommitDate: Tue Oct 30 18:32:56 2012 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=b287a801
7
8 Changes to the tuned policy module
9
10 Ported from Fedora with changes
11
12 Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
13
14 ---
15 policy/modules/contrib/tuned.fc | 6 ++++-
16 policy/modules/contrib/tuned.if | 31 ++++++++++++++++---------
17 policy/modules/contrib/tuned.te | 48 +++++++++++++++++++++++++++++---------
18 3 files changed, 61 insertions(+), 24 deletions(-)
19
20 diff --git a/policy/modules/contrib/tuned.fc b/policy/modules/contrib/tuned.fc
21 index 45414db..23ba272 100644
22 --- a/policy/modules/contrib/tuned.fc
23 +++ b/policy/modules/contrib/tuned.fc
24 @@ -1,8 +1,12 @@
25 /etc/rc\.d/init\.d/tuned -- gen_context(system_u:object_r:tuned_initrc_exec_t,s0)
26
27 +/etc/tuned(/.)? gen_context(system_u:object_r:tuned_etc_t,s0)
28 +/etc/tuned/active_profile -- gen_context(system_u:object_r:tuned_rw_etc_t,s0)
29 +
30 /usr/sbin/tuned -- gen_context(system_u:object_r:tuned_exec_t,s0)
31
32 /var/log/tuned(/.*)? gen_context(system_u:object_r:tuned_log_t,s0)
33 -/var/log/tuned\.log -- gen_context(system_u:object_r:tuned_log_t,s0)
34 +/var/log/tuned\.log.* -- gen_context(system_u:object_r:tuned_log_t,s0)
35
36 +/var/run/tuned(/.*)? gen_context(system_u:object_r:tuned_var_run_t,s0)
37 /var/run/tuned\.pid -- gen_context(system_u:object_r:tuned_var_run_t,s0)
38
39 diff --git a/policy/modules/contrib/tuned.if b/policy/modules/contrib/tuned.if
40 index 54b8605..e29db63 100644
41 --- a/policy/modules/contrib/tuned.if
42 +++ b/policy/modules/contrib/tuned.if
43 @@ -1,13 +1,13 @@
44 -## <summary>Dynamic adaptive system tuning daemon</summary>
45 +## <summary>Dynamic adaptive system tuning daemon.</summary>
46
47 ########################################
48 ## <summary>
49 ## Execute a domain transition to run tuned.
50 ## </summary>
51 ## <param name="domain">
52 -## <summary>
53 +## <summary>
54 ## Domain allowed to transition.
55 -## </summary>
56 +## </summary>
57 ## </param>
58 #
59 interface(`tuned_domtrans',`
60 @@ -15,6 +15,7 @@ interface(`tuned_domtrans',`
61 type tuned_t, tuned_exec_t;
62 ')
63
64 + corecmd_search_bin($1)
65 domtrans_pattern($1, tuned_exec_t, tuned_t)
66 ')
67
68 @@ -39,7 +40,7 @@ interface(`tuned_exec',`
69
70 ######################################
71 ## <summary>
72 -## Read tuned PID files.
73 +## Read tuned pid files.
74 ## </summary>
75 ## <param name="domain">
76 ## <summary>
77 @@ -58,7 +59,8 @@ interface(`tuned_read_pid_files',`
78
79 #######################################
80 ## <summary>
81 -## Manage tuned PID files.
82 +## Create, read, write, and delete
83 +## tuned pid files.
84 ## </summary>
85 ## <param name="domain">
86 ## <summary>
87 @@ -77,11 +79,12 @@ interface(`tuned_manage_pid_files',`
88
89 ########################################
90 ## <summary>
91 -## Execute tuned server in the tuned domain.
92 +## Execute tuned init scripts in
93 +## the initrc domain.
94 ## </summary>
95 ## <param name="domain">
96 ## <summary>
97 -## Domain allowed access.
98 +## Domain allowed to transition.
99 ## </summary>
100 ## </param>
101 #
102 @@ -95,8 +98,8 @@ interface(`tuned_initrc_domtrans',`
103
104 ########################################
105 ## <summary>
106 -## All of the rules required to administrate
107 -## an tuned environment
108 +## All of the rules required to
109 +## administrate an tuned environment.
110 ## </summary>
111 ## <param name="domain">
112 ## <summary>
113 @@ -112,8 +115,8 @@ interface(`tuned_initrc_domtrans',`
114 #
115 interface(`tuned_admin',`
116 gen_require(`
117 - type tuned_t, tuned_var_run_t;
118 - type tuned_initrc_exec_t;
119 + type tuned_t, tuned_var_run_t, tuned_initrc_exec_t;
120 + type tuned_etc_t, tuned_rw_etc_t, tuned_log_t;
121 ')
122
123 allow $1 tuned_t:process { ptrace signal_perms };
124 @@ -124,6 +127,12 @@ interface(`tuned_admin',`
125 role_transition $2 tuned_initrc_exec_t system_r;
126 allow $2 system_r;
127
128 + files_search_etc($1)
129 + admin_pattern($1, { tuned_etc_t tuned_rw_etc_t })
130 +
131 + logging_search_logs($1)
132 + admin_pattern($1, tuned_log_t)
133 +
134 files_search_pids($1)
135 admin_pattern($1, tuned_var_run_t)
136 ')
137
138 diff --git a/policy/modules/contrib/tuned.te b/policy/modules/contrib/tuned.te
139 index 6e0d904..f8d0a7a 100644
140 --- a/policy/modules/contrib/tuned.te
141 +++ b/policy/modules/contrib/tuned.te
142 @@ -1,4 +1,4 @@
143 -policy_module(tuned, 1.1.1)
144 +policy_module(tuned, 1.1.2)
145
146 ########################################
147 #
148 @@ -12,6 +12,12 @@ init_daemon_domain(tuned_t, tuned_exec_t)
149 type tuned_initrc_exec_t;
150 init_script_file(tuned_initrc_exec_t)
151
152 +type tuned_etc_t;
153 +files_config_file(tuned_etc_t)
154 +
155 +type tuned_rw_etc_t;
156 +files_config_file(tuned_rw_etc_t)
157 +
158 type tuned_log_t;
159 logging_log_file(tuned_log_t)
160
161 @@ -20,46 +26,64 @@ files_pid_file(tuned_var_run_t)
162
163 ########################################
164 #
165 -# tuned local policy
166 +# Local policy
167 #
168
169 +allow tuned_t self:capability { sys_admin sys_nice };
170 dontaudit tuned_t self:capability { dac_override sys_tty_config };
171 +allow tuned_t self:process { setsched signal };
172 +allow tuned_t self:fifo_file rw_fifo_file_perms;
173 +
174 +read_files_pattern(tuned_t, tuned_etc_t, tuned_etc_t)
175 +
176 +manage_files_pattern(tuned_t, tuned_etc_t, tuned_rw_etc_t)
177
178 manage_dirs_pattern(tuned_t, tuned_log_t, tuned_log_t)
179 -manage_files_pattern(tuned_t, tuned_log_t, tuned_log_t)
180 +append_files_pattern(tuned_t, tuned_log_t, tuned_log_t)
181 +create_files_pattern(tuned_t, tuned_log_t, tuned_log_t)
182 +setattr_files_pattern(tuned_t, tuned_log_t, tuned_log_t)
183 logging_log_filetrans(tuned_t, tuned_log_t, file)
184
185 manage_files_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t)
186 -files_pid_filetrans(tuned_t, tuned_var_run_t, file)
187 -
188 -corecmd_exec_shell(tuned_t)
189 -corecmd_exec_bin(tuned_t)
190 +manage_dirs_pattern(tuned_t, tuned_var_run_t, tuned_var_run_t)
191 +files_pid_filetrans(tuned_t, tuned_var_run_t, { dir file })
192
193 kernel_read_system_state(tuned_t)
194 kernel_read_network_state(tuned_t)
195 +kernel_read_kernel_sysctls(tuned_t)
196 +kernel_rw_kernel_sysctl(tuned_t)
197 +kernel_rw_hotplug_sysctls(tuned_t)
198 +kernel_rw_vm_sysctls(tuned_t)
199
200 +corecmd_exec_bin(tuned_t)
201 +corecmd_exec_shell(tuned_t)
202 +
203 +dev_getattr_all_blk_files(tuned_t)
204 +dev_getattr_all_chr_files(tuned_t)
205 dev_read_urand(tuned_t)
206 -dev_read_sysfs(tuned_t)
207 -# to allow cpu tuning
208 +dev_rw_sysfs(tuned_t)
209 dev_rw_netcontrol(tuned_t)
210
211 -files_read_etc_files(tuned_t)
212 files_read_usr_files(tuned_t)
213 files_dontaudit_search_home(tuned_t)
214 files_dontaudit_list_tmp(tuned_t)
215
216 +fs_getattr_xattr_fs(tuned_t)
217 +
218 logging_send_syslog_msg(tuned_t)
219
220 miscfiles_read_localization(tuned_t)
221
222 userdom_dontaudit_search_user_home_dirs(tuned_t)
223
224 -# to allow disk tuning
225 optional_policy(`
226 fstools_domtrans(tuned_t)
227 ')
228
229 -# to allow network interface tuning
230 +optional_policy(`
231 + mount_domtrans(tuned_t)
232 +')
233 +
234 optional_policy(`
235 sysnet_domtrans_ifconfig(tuned_t)
236 ')
Report Message
Find on MARC Find on Google Groups