commit: 7c41301a215662b550962c3440879d302d4fc6ee |
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
AuthorDate: Fri Nov 28 10:13:54 2014 +0000 |
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org> |
CommitDate: Fri Nov 28 10:43:29 2014 +0000 |
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=7c41301a |
|
Fix bug 529204 - Support a dhcpc_script_t domain |
|
We introduce an executable domain (dhcpc_script_t) through which the |
hooks can be executed for the DHCP clients. This domain is separate in |
order to keep the privileges of the application small, but also because |
this domain will execute commands that are not in the responsibility of |
the DHCP client code itself (code-wise) but are provided by |
administrators. |
|
Security-wise, as these are scripts, it is more difficult to guarantee |
correctness. As such, we want to isolate these privileges into its own |
domain. |
|
The domain will have basic privileges to support the majority of |
installations, but we also include a sysnet_dhcpc_script_entry() |
interface so that domain transitions can be easily added without the |
need for augmenting the privileges of the dhcpc_script_t domain. |
|
--- |
policy/modules/kernel/corecommands.fc | 2 +- |
policy/modules/system/sysnetwork.fc | 3 +++ |
policy/modules/system/sysnetwork.te | 49 +++++++++++++++++++++++++++++++++++ |
3 files changed, 53 insertions(+), 1 deletion(-) |
|
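--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -143,7 +143,7 @@ ifdef(`distro_debian',`
 /lib/upstart(/.*)? gen_context(system_u:object_r:bin_t,s0)
 
 ifdef(`distro_gentoo',`
-/lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:bin_t,s0)
+#/lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:bin_t,s0)
 
 /lib/rcscripts/addons(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /lib/rcscripts/sh(/.*)? gen_context(system_u:object_r:bin_t,s0)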
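Review bot: The old `bin_t` entry for `/lib/dhcpcd/dhcpcd-run-hooks` is commented out rather than deleted, leaving dead configuration inside the `distro_gentoo` block of corecommands.fc. Since the same commit relabels that path to `dhcpc_script_exec_t` in sysnetwork.fc, the `+#/lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:bin_t,s0)` line should simply go, turning this hunk into a plain one-line removal.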
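--- a/policy/modules/system/sysnetwork.fc
+++ b/policy/modules/system/sysnetwork.fc
@@ -80,3 +80,6 @@ ifdef(`distro_debian',`
 /var/run/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
 ')
 
+ifdef(`distro_gentoo',`
+/lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:dhcpc_script_exec_t,s0)
+')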
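--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -422,4 +422,53 @@ ifdef(`distro_gentoo',`
 optional_policy(`
 resolvconf_client_domain(dhcpc_t)
 ')
+
+ #########################################
+ #
+ # dhcpc_script_t
+ #
+
+ # The purpose of the dhcpc_script_t domain is to handle the post-processing of
+ # the dhcpcd ip renewal. dhcpcd (the tool) supports hooks for this, and I would
+ # assume others do as well. With the dhcpc_script_t domain we can isolate the
+ # privileges of the DHCP client itself from the hooks / flexibility that the developers
+ # introduced.
+
+ type dhcpc_script_t;
+ domain_type(dhcpc_script_t)
+ role dhcpc_roles types dhcpc_script_t;
+
+ type dhcpc_script_exec_t;
+ domain_entry_file(dhcpc_script_t, dhcpc_script_exec_t)
+
+ type dhcpc_script_var_run_t;
+ files_pid_file(dhcpc_script_var_run_t)
+
+ type dhcpc_script_tmp_t;
+ files_tmp_file(dhcpc_script_tmp_t)
+
+ ########################################
+ #
+ # dhcpc script policy
+ #
+
+ allow dhcpc_script_t self:fifo_file rw_fifo_file_perms;
+
+ manage_files_pattern(dhcpc_script_t, dhcpc_script_tmp_t, dhcpc_script_tmp_t)
+ files_tmp_filetrans(dhcpc_script_t, dhcpc_script_tmp_t, { file dir })
+
+ manage_files_pattern(dhcpc_script_t, dhcpc_script_var_run_t, dhcpc_script_var_run_t)
+ filetrans_pattern(dhcpc_script_t, dhcpc_var_run_t, dhcpc_script_var_run_t, { file dir })
+
+ corecmd_exec_bin(dhcpc_script_t)
+ corecmd_exec_shell(dhcpc_script_t)
+
+ # Perhaps sysnet_domtrans_dhcpc_script could be used instead and positioned in the dhcpc_t section
+ domtrans_pattern(dhcpc_t, dhcpc_script_exec_t, dhcpc_script_t)
+
+ sysnet_manage_config(dhcpc_script_t)
+
+ optional_policy(`
+ ntp_manage_config(dhcpc_script_t)
+ ')
 ')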
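Review bot: The `{ file dir }` transitions in `files_tmp_filetrans` and `filetrans_pattern` are paired only with `manage_files_pattern`, which grants dhcpc_script_t no more than `rw_dir_perms` on `dhcpc_script_tmp_t` and `dhcpc_script_var_run_t`, so the domain cannot `create` (or later `rmdir`) the directories those transitions are meant to label; add `manage_dirs_pattern(dhcpc_script_t, dhcpc_script_tmp_t, dhcpc_script_tmp_t)` and `manage_dirs_pattern(dhcpc_script_t, dhcpc_script_var_run_t, dhcpc_script_var_run_t)` beside the existing file rules. The commit message promises a `sysnet_dhcpc_script_entry()` interface, but the diffstat lists no sysnetwork.if, so either the interface is missing from this commit or the description should not mention it. The `# Perhaps sysnet_domtrans_dhcpc_script could be used instead ...` comment reads as a note to self; the `domtrans_pattern(dhcpc_t, ...)` rule conventionally lives in the dhcpc_t section of the same file, with that comment dropped. Since the domain executes administrator-supplied hooks with `corecmd_exec_bin` and `sysnet_manage_config`, it would help to state in the header comment that hooks run with those rights and that extra transitions are expected to be added per hook rather than by widening dhcpc_script_t. This hunk sits inside the `ifdef(`distro_gentoo',`` block, which opens outside the hunk.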