commit: 066a3a15354a32da9c52345cfa2a0b6a5d4026e7 |
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com> |
AuthorDate: Sun Oct 28 12:51:30 2012 +0000 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
CommitDate: Sun Oct 28 17:59:04 2012 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=066a3a15 |
|
Changes to the soundserver policy module |
|
Module clean up |
|
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com> |
|
--- |
policy/modules/contrib/soundserver.fc | 3 ++- |
policy/modules/contrib/soundserver.if | 18 ++++++++++++------ |
policy/modules/contrib/soundserver.te | 19 +++++++------------ |
3 files changed, 21 insertions(+), 19 deletions(-) |
|
diff --git a/policy/modules/contrib/soundserver.fc b/policy/modules/contrib/soundserver.fc |
21 |
index 76d0f37..02c23b3 100644 |
22 |
--- a/policy/modules/contrib/soundserver.fc |
23 |
+++ b/policy/modules/contrib/soundserver.fc |
24 |
@@ -1,7 +1,8 @@ |
25 |
/etc/nas(/.*)? gen_context(system_u:object_r:soundd_etc_t,s0) |
26 |
-/etc/rc\.d/init\.d/nasd -- gen_context(system_u:object_r:soundd_initrc_exec_t,s0) |
27 |
/etc/yiff(/.*)? gen_context(system_u:object_r:soundd_etc_t,s0) |
28 |
|
29 |
+/etc/rc\.d/init\.d/nasd -- gen_context(system_u:object_r:soundd_initrc_exec_t,s0) |
30 |
+ |
31 |
/usr/bin/nasd -- gen_context(system_u:object_r:soundd_exec_t,s0) |
32 |
/usr/bin/gpe-soundserver -- gen_context(system_u:object_r:soundd_exec_t,s0) |
33 |
|
34 |
|
35 |
diff --git a/policy/modules/contrib/soundserver.if b/policy/modules/contrib/soundserver.if |
36 |
index 93fe7bf..a5abc5a 100644 |
37 |
--- a/policy/modules/contrib/soundserver.if |
38 |
+++ b/policy/modules/contrib/soundserver.if |
39 |
@@ -16,8 +16,8 @@ interface(`soundserver_tcp_connect',` |
40 |
|
41 |
######################################## |
42 |
## <summary> |
43 |
-## All of the rules required to administrate |
44 |
-## an soundd environment |
45 |
+## All of the rules required to |
46 |
+## administrate an soundd environment. |
47 |
## </summary> |
48 |
## <param name="domain"> |
49 |
## <summary> |
50 |
@@ -26,16 +26,16 @@ interface(`soundserver_tcp_connect',` |
51 |
## </param> |
52 |
## <param name="role"> |
53 |
## <summary> |
54 |
-## The role to be allowed to manage the soundd domain. |
55 |
+## Role allowed access. |
56 |
## </summary> |
57 |
## </param> |
58 |
## <rolecap/> |
59 |
# |
60 |
interface(`soundserver_admin',` |
61 |
gen_require(` |
62 |
- type soundd_t, soundd_etc_t; |
63 |
- type soundd_tmp_t, soundd_var_run_t; |
64 |
- type soundd_initrc_exec_t; |
65 |
+ type soundd_t, soundd_etc_t, soundd_initrc_exec_t; |
66 |
+ type soundd_tmp_t, soundd_var_run_t, soundd_tmpfs_t; |
67 |
+ type soundd_state_t; |
68 |
') |
69 |
|
70 |
allow $1 soundd_t:process { ptrace signal_perms }; |
71 |
@@ -52,6 +52,12 @@ interface(`soundserver_admin',` |
72 |
files_list_tmp($1) |
73 |
admin_pattern($1, soundd_tmp_t) |
74 |
|
75 |
+ fs_list_tmpfs($1) |
76 |
+ admin_pattern($1, soundd_tmpfs_t) |
77 |
+ |
78 |
+ files_list_var($1) |
79 |
+ admin_pattern($1, soundd_state_t) |
80 |
+ |
81 |
files_list_pids($1) |
82 |
admin_pattern($1, soundd_var_run_t) |
83 |
') |
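Review bot: The new `files_list_var($1)` paired with `admin_pattern($1, soundd_state_t)` only lets the admin role list /var itself, so if soundd_state_t is applied under /var/lib the role still cannot traverse var_lib_t to reach those files. This commit's .fc hunk does not show where soundd_state_t is labeled, so the /var/lib placement is inferred from the `_state_t` naming and `files_type()`; if it holds, use `files_list_var_lib($1)` instead of (or in addition to) `files_list_var($1)` and confirm against the full soundserver.fc. The opening of soundserver_admin and its gen_require block are in the previous hunk, not this one.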
84 |
|
85 |
diff --git a/policy/modules/contrib/soundserver.te b/policy/modules/contrib/soundserver.te |
86 |
index 3217605..db1bc6f 100644 |
87 |
--- a/policy/modules/contrib/soundserver.te |
88 |
+++ b/policy/modules/contrib/soundserver.te |
89 |
@@ -1,4 +1,4 @@ |
90 |
-policy_module(soundserver, 1.8.0) |
91 |
+policy_module(soundserver, 1.8.1) |
92 |
|
93 |
######################################## |
94 |
# |
95 |
@@ -21,7 +21,6 @@ files_type(soundd_state_t) |
96 |
type soundd_tmp_t; |
97 |
files_tmp_file(soundd_tmp_t) |
98 |
|
99 |
-# for yiff - probably need some rules for the client support too |
100 |
type soundd_tmpfs_t; |
101 |
files_tmpfs_file(soundd_tmpfs_t) |
102 |
|
103 |
@@ -36,12 +35,10 @@ files_pid_file(soundd_var_run_t) |
104 |
allow soundd_t self:capability dac_override; |
105 |
dontaudit soundd_t self:capability sys_tty_config; |
106 |
allow soundd_t self:process { setpgid signal_perms }; |
107 |
+allow soundd_t self:shm create_shm_perms; |
108 |
allow soundd_t self:tcp_socket create_stream_socket_perms; |
109 |
allow soundd_t self:udp_socket create_socket_perms; |
110 |
-allow soundd_t self:unix_stream_socket { connectto create_stream_socket_perms }; |
111 |
- |
112 |
-# for yiff |
113 |
-allow soundd_t self:shm create_shm_perms; |
114 |
+allow soundd_t self:unix_stream_socket { accept connectto listen }; |
115 |
|
116 |
read_files_pattern(soundd_t, soundd_etc_t, soundd_etc_t) |
117 |
read_lnk_files_pattern(soundd_t, soundd_etc_t, soundd_etc_t) |
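Review bot: The replacement rule `allow soundd_t self:unix_stream_socket { accept connectto listen };` drops create, bind, read, write and the other members of create_stream_socket_perms that the removed line granted, yet a daemon can only listen on and accept from a unix socket it is allowed to create and bind. This is only correct if those base permissions are now granted elsewhere, for example by a rule on the `domain` attribute in domain.te, which this page does not show; if they are not, restore them with `allow soundd_t self:unix_stream_socket { accept listen create_stream_socket_perms };`. Worth a permissive-mode run of nasd and yiff to check for unix_stream_socket create/bind denials before this lands.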
118 |
@@ -59,9 +56,9 @@ manage_fifo_files_pattern(soundd_t, soundd_tmpfs_t, soundd_tmpfs_t) |
119 |
manage_sock_files_pattern(soundd_t, soundd_tmpfs_t, soundd_tmpfs_t) |
120 |
fs_tmpfs_filetrans(soundd_t, soundd_tmpfs_t, { dir file lnk_file sock_file fifo_file }) |
121 |
|
122 |
-manage_sock_files_pattern(soundd_t, soundd_var_run_t, soundd_var_run_t) |
123 |
manage_files_pattern(soundd_t, soundd_var_run_t, soundd_var_run_t) |
124 |
manage_dirs_pattern(soundd_t, soundd_var_run_t, soundd_var_run_t) |
125 |
+manage_sock_files_pattern(soundd_t, soundd_var_run_t, soundd_var_run_t) |
126 |
files_pid_filetrans(soundd_t, soundd_var_run_t, { file dir }) |
127 |
|
128 |
kernel_read_kernel_sysctls(soundd_t) |
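Review bot: `files_pid_filetrans(soundd_t, soundd_var_run_t, { file dir })` directly under the re-added `manage_sock_files_pattern(soundd_t, soundd_var_run_t, soundd_var_run_t)` does not list sock_file, so a socket created directly in /var/run would be labeled var_run_t and the sock_file manage rule would never apply to it; the tmpfs transition earlier in this hunk does include sock_file. If nasd and yiff create their socket inside a soundd_var_run_t subdirectory the rule is fine as written; otherwise extend it to `files_pid_filetrans(soundd_t, soundd_var_run_t, { dir file sock_file })`. Which of the two the daemons do is not visible from this page.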
129 |
@@ -71,14 +68,12 @@ kernel_read_proc_symlinks(soundd_t) |
130 |
corenet_all_recvfrom_unlabeled(soundd_t) |
131 |
corenet_all_recvfrom_netlabel(soundd_t) |
132 |
corenet_tcp_sendrecv_generic_if(soundd_t) |
133 |
-corenet_udp_sendrecv_generic_if(soundd_t) |
134 |
corenet_tcp_sendrecv_generic_node(soundd_t) |
135 |
-corenet_udp_sendrecv_generic_node(soundd_t) |
136 |
-corenet_tcp_sendrecv_all_ports(soundd_t) |
137 |
-corenet_udp_sendrecv_all_ports(soundd_t) |
138 |
corenet_tcp_bind_generic_node(soundd_t) |
139 |
-corenet_tcp_bind_soundd_port(soundd_t) |
140 |
+ |
141 |
corenet_sendrecv_soundd_server_packets(soundd_t) |
142 |
+corenet_tcp_bind_soundd_port(soundd_t) |
143 |
+corenet_tcp_sendrecv_soundd_port(soundd_t) |
144 |
|
145 |
dev_read_sysfs(soundd_t) |
146 |
dev_read_sound(soundd_t) |
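Review bot: With `corenet_udp_sendrecv_generic_if`, `corenet_udp_sendrecv_generic_node` and `corenet_udp_sendrecv_all_ports` removed, soundd_t no longer has any UDP interface, node or port permission in this module, yet `allow soundd_t self:udp_socket create_socket_perms;` in the earlier hunk still lets it create UDP sockets. Either the daemons do not use UDP, in which case that self rule is dead and should be dropped in the same clean-up, or they do and the tightening is incomplete; the hunk gives no way to tell, so run nasd and yiff in permissive mode and look for udp_socket node_bind or sendrecv denials. Narrowing TCP from `corenet_tcp_sendrecv_all_ports` to `corenet_tcp_sendrecv_soundd_port` is the right direction and should keep `corenet_tcp_bind_soundd_port` next to it as done here.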