Gentoo Archives: gentoo-commits

From: Sven Vermeulen <sven.vermeulen@××××××.be>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
Date: Tue, 30 Oct 2012 18:38:27
Message-Id: 1351621988.81a88d7f2e5391813affdc4b375892681ee8bc09.SwifT@gentoo
1 commit: 81a88d7f2e5391813affdc4b375892681ee8bc09
2 Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
3 AuthorDate: Tue Oct 30 10:55:05 2012 +0000
4 Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
5 CommitDate: Tue Oct 30 18:33:08 2012 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=81a88d7f
7
8 Changes to the uml policy module
9
10 Module clean up
11 Role attribute for uml client
12
13 So the user is expected to label and create the tools executable
14 files himself?
15
16 Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
17
18 ---
19 policy/modules/contrib/uml.fc | 9 -----
20 policy/modules/contrib/uml.if | 54 +++++++++------------------
21 policy/modules/contrib/uml.te | 81 ++++++++++++++++++++---------------------
22 3 files changed, 57 insertions(+), 87 deletions(-)
23
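--- a/policy/modules/contrib/uml.fc
+++ b/policy/modules/contrib/uml.fc
@@ -1,14 +1,5 @@
-#
-# HOME_DIR/
-#
 HOME_DIR/\.uml(/.*)? gen_context(system_u:object_r:uml_rw_t,s0)
 
-#
-# /usr
-#
 /usr/bin/uml_switch -- gen_context(system_u:object_r:uml_switch_exec_t,s0)
 
-#
-# /var
-#
 /var/run/uml-utilities(/.*)? gen_context(system_u:object_r:uml_switch_var_run_t,s0)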
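--- a/policy/modules/contrib/uml.if
+++ b/policy/modules/contrib/uml.if
@@ -1,69 +1,50 @@
-## <summary>Policy for UML</summary>
+## <summary>User mode linux tools and services.</summary>
 
 ########################################
 ## <summary>
-## Role access for uml
+## Role access for uml.
 ## </summary>
 ## <param name="role">
 ## <summary>
-## Role allowed access
+## Role allowed access.
 ## </summary>
 ## </param>
 ## <param name="domain">
 ## <summary>
-## User domain for the role
+## User domain for the role.
 ## </summary>
 ## </param>
 #
 interface(`uml_role',`
 gen_require(`
+ attribute_role uml_roles;
 type uml_t, uml_exec_t;
 type uml_ro_t, uml_rw_t, uml_tmp_t;
 type uml_devpts_t, uml_tmpfs_t;
 ')
 
- role $1 types uml_t;
+ roleattribute $1 uml_roles;
 
- # Transition from the user domain to this domain.
 domtrans_pattern($2, uml_exec_t, uml_t)
 
- # for mconsole
- allow $2 uml_t:unix_dgram_socket sendto;
+ dgram_send_pattern($2, uml_tmpfs_t, uml_tmpfs_t, uml_t)
+
 allow uml_t $2:unix_dgram_socket sendto;
 
- # allow ps, ptrace, signal
 ps_process_pattern($2, uml_t)
 allow $2 uml_t:process { ptrace signal_perms };
 
- allow $2 uml_ro_t:dir list_dir_perms;
- read_files_pattern($2, uml_ro_t, uml_ro_t)
- read_lnk_files_pattern($2, uml_ro_t, uml_ro_t)
-
- manage_dirs_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t })
- manage_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t })
- manage_lnk_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t })
- manage_fifo_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t })
- manage_sock_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t })
- relabel_dirs_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t })
- relabel_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t })
- relabel_lnk_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t })
- relabel_fifo_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t })
- relabel_sock_files_pattern($2, { uml_ro_t uml_rw_t }, { uml_ro_t uml_rw_t })
-
- manage_dirs_pattern($2, { uml_ro_t uml_rw_t uml_exec_t }, { uml_ro_t uml_rw_t uml_exec_t })
- manage_files_pattern($2, { uml_ro_t uml_rw_t uml_exec_t }, { uml_ro_t uml_rw_t uml_exec_t })
- relabel_dirs_pattern($2, { uml_ro_t uml_rw_t uml_exec_t }, { uml_ro_t uml_rw_t uml_exec_t })
- relabel_files_pattern($2, { uml_ro_t uml_rw_t uml_exec_t }, { uml_ro_t uml_rw_t uml_exec_t })
-
- manage_dirs_pattern($2, uml_tmp_t, uml_tmp_t)
- manage_files_pattern($2, uml_tmp_t, uml_tmp_t)
- manage_lnk_files_pattern($2, uml_tmp_t, uml_tmp_t)
- manage_sock_files_pattern($2, uml_tmp_t, uml_tmp_t)
+ allow $2 { uml_ro_t uml_rw_t uml_tmp_t uml_exec_t }:dir { manage_dir_perms relabel_dir_perms };
+ allow $2 { uml_ro_t uml_rw_t uml_tmp_t uml_tmpfs_t uml_exec_t }:file { manage_file_perms relabel_file_perms };
+ allow $2 { uml_ro_t uml_rw_t uml_tmpfs_t }:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+ allow $2 { uml_ro_t uml_rw_t uml_tmpfs_t }:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
+ allow $2 { uml_ro_t uml_rw_t uml_tmpfs_t }:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+ userdom_user_home_dir_filetrans($2, uml_rw_t, dir, ".uml")
 ')
 
 ########################################
 ## <summary>
-## Set attributes on uml utility socket files.
+## Set attributes of uml pid sock files.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -76,12 +57,13 @@ interface(`uml_setattr_util_sockets',`
 type uml_switch_var_run_t;
 ')
 
- allow $1 uml_switch_var_run_t:sock_file setattr;
+ allow $1 uml_switch_var_run_t:sock_file setattr_sock_file_perms;
 ')
 
 ########################################
 ## <summary>
-## Manage uml utility files.
+## Create, read, write, and delete
+## uml pid files.
 ## </summary>
 ## <param name="domain">
 ## <summary>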
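Review bot: The five collapsed `allow $2 { ... }` rules at the end of `uml_role` are not equivalent to the patterns they replace. They newly give the calling user domain manage and relabel access to `uml_tmpfs_t` files, symlinks, fifos and sockets, and relabel access to `uml_tmp_t` dirs and files. They also drop the `lnk_file` and `sock_file` access on `uml_tmp_t` that the removed `manage_lnk_files_pattern` and `manage_sock_files_pattern` lines granted. For a commit described as a module clean-up this looks unintended, and relabel rights on the domain's scratch types are a wider grant than before. I would limit relabel to the home-content and entrypoint types, e.g. `allow $2 { uml_ro_t uml_rw_t uml_exec_t }:file { manage_file_perms relabel_file_perms };` plus `allow $2 { uml_tmp_t uml_tmpfs_t }:file manage_file_perms;`, or add a comment saying why tmp/tmpfs relabel is required.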
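--- a/policy/modules/contrib/uml.te
+++ b/policy/modules/contrib/uml.te
@@ -1,17 +1,20 @@
-policy_module(uml, 2.2.0)
+policy_module(uml, 2.2.1)
 
 ########################################
 #
 # Declarations
 #
 
+attribute_role uml_roles;
+
 type uml_t;
-type uml_exec_t;
+type uml_exec_t; # customizable
 typealias uml_t alias { user_uml_t staff_uml_t sysadm_uml_t };
 typealias uml_t alias { auditadm_uml_t secadm_uml_t };
 userdom_user_application_domain(uml_t, uml_exec_t)
+role uml_roles types uml_t;
 
-type uml_ro_t;
+type uml_ro_t; # customizable
 typealias uml_ro_t alias { user_uml_ro_t staff_uml_ro_t sysadm_uml_ro_t };
 typealias uml_ro_t alias { auditadm_uml_ro_t secadm_uml_ro_t };
 userdom_user_home_content(uml_ro_t)
@@ -49,93 +52,88 @@ files_pid_file(uml_switch_var_run_t)
 # Local policy
 #
 
+allow uml_t self:process signal_perms;
 allow uml_t self:fifo_file rw_fifo_file_perms;
-allow uml_t self:process { signal_perms ptrace };
 allow uml_t self:unix_stream_socket create_stream_socket_perms;
-allow uml_t self:unix_dgram_socket create_socket_perms;
-# Use the network.
-allow uml_t self:tcp_socket create_stream_socket_perms;
-allow uml_t self:udp_socket create_socket_perms;
+allow uml_t self:tcp_socket { accept listen };
 allow uml_t self:tun_socket create;
-# for mconsole
-allow uml_t self:unix_dgram_socket sendto;
+allow uml_t self:unix_dgram_socket { create_socket_perms sendto };
 
-# allow the UML thing to happen
-allow uml_t uml_devpts_t:chr_file { rw_file_perms setattr };
+allow uml_t uml_devpts_t:chr_file { rw_file_perms setattr_chr_file_perms };
 term_create_pty(uml_t, uml_devpts_t)
 
 manage_dirs_pattern(uml_t, uml_tmp_t, uml_tmp_t)
 manage_files_pattern(uml_t, uml_tmp_t, uml_tmp_t)
 files_tmp_filetrans(uml_t, uml_tmp_t, { file dir })
-can_exec(uml_t, uml_tmp_t)
 
 manage_files_pattern(uml_t, uml_tmpfs_t, uml_tmpfs_t)
 manage_lnk_files_pattern(uml_t, uml_tmpfs_t, uml_tmpfs_t)
 manage_fifo_files_pattern(uml_t, uml_tmpfs_t, uml_tmpfs_t)
 manage_sock_files_pattern(uml_t, uml_tmpfs_t, uml_tmpfs_t)
 fs_tmpfs_filetrans(uml_t, uml_tmpfs_t, { file lnk_file sock_file fifo_file })
-can_exec(uml_t, uml_tmpfs_t)
 
-# access config files
-allow uml_t { uml_ro_t uml_ro_t }:dir list_dir_perms;
-read_files_pattern(uml_t, { uml_ro_t uml_ro_t }, { uml_ro_t uml_ro_t })
-read_lnk_files_pattern(uml_t, { uml_ro_t uml_ro_t }, { uml_ro_t uml_ro_t })
+allow uml_t uml_ro_t:dir list_dir_perms;
+allow uml_t uml_ro_t:file read_file_perms;
+allow uml_t uml_ro_t:lnk_file read_lnk_file_perms;
 
 manage_dirs_pattern(uml_t, uml_rw_t, uml_rw_t)
 manage_files_pattern(uml_t, uml_rw_t, uml_rw_t)
 manage_lnk_files_pattern(uml_t, uml_rw_t, uml_rw_t)
 manage_fifo_files_pattern(uml_t, uml_rw_t, uml_rw_t)
 manage_sock_files_pattern(uml_t, uml_rw_t, uml_rw_t)
-userdom_user_home_dir_filetrans(uml_t, uml_rw_t, { file lnk_file sock_file fifo_file })
+userdom_user_home_dir_filetrans(uml_t, uml_rw_t, dir, ".uml")
 
-can_exec(uml_t, { uml_exec_t uml_exec_t })
+can_exec(uml_t, { uml_exec_t uml_tmp_t uml_tmpfs_t })
 
 kernel_read_system_state(uml_t)
-# for SKAS - need something better
 kernel_write_proc_files(uml_t)
 
-# for xterm
 corecmd_exec_bin(uml_t)
 
 corenet_all_recvfrom_unlabeled(uml_t)
 corenet_all_recvfrom_netlabel(uml_t)
 corenet_tcp_sendrecv_generic_if(uml_t)
-corenet_udp_sendrecv_generic_if(uml_t)
 corenet_tcp_sendrecv_generic_node(uml_t)
-corenet_udp_sendrecv_generic_node(uml_t)
 corenet_tcp_sendrecv_all_ports(uml_t)
-corenet_udp_sendrecv_all_ports(uml_t)
-corenet_tcp_connect_all_ports(uml_t)
+
 corenet_sendrecv_all_client_packets(uml_t)
+corenet_tcp_connect_all_ports(uml_t)
+
 corenet_rw_tun_tap_dev(uml_t)
 
 domain_use_interactive_fds(uml_t)
 
-# for xterm
-files_read_etc_files(uml_t)
 files_dontaudit_read_etc_runtime_files(uml_t)
-# putting uml data under /var is usual...
-files_search_var(uml_t)
 
-fs_getattr_xattr_fs(uml_t)
+fs_getattr_all_fs(uml_t)
+fs_search_auto_mountpoints(uml_t)
+
+auth_use_nsswitch(uml_t)
 
 init_read_utmp(uml_t)
 init_dontaudit_write_utmp(uml_t)
 
-# for xterm
 libs_exec_lib_files(uml_t)
 
-# Inherit and use descriptors from newrole.
-seutil_use_newrole_fds(uml_t)
-
-# Use the network.
-sysnet_read_config(uml_t)
-
 userdom_use_user_terminals(uml_t)
 userdom_attach_admin_tun_iface(uml_t)
 
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(uml_t)
+ fs_manage_nfs_files(uml_t)
+ fs_manage_nfs_named_pipes(uml_t)
+ fs_manage_nfs_symlinks(uml_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(uml_t)
+ fs_manage_cifs_files(uml_t)
+ fs_manage_cifs_named_pipes(uml_t)
+ fs_manage_cifs_symlinks(uml_t)
+')
+
 optional_policy(`
- nis_use_ypbind(uml_t)
+ seutil_use_newrole_fds(uml_t)
 ')
 
 optional_policy(`
@@ -144,13 +142,12 @@ optional_policy(`
 
 ########################################
 #
-# Local policy
+# Switch local policy
 #
 
 dontaudit uml_switch_t self:capability sys_tty_config;
 allow uml_switch_t self:process signal_perms;
-allow uml_switch_t self:unix_dgram_socket create_socket_perms;
-allow uml_switch_t self:unix_stream_socket create_stream_socket_perms;
+allow uml_switch_t self:unix_stream_socket { accept listen };
 
 manage_files_pattern(uml_switch_t, uml_switch_var_run_t, uml_switch_var_run_t)
 manage_sock_files_pattern(uml_switch_t, uml_switch_var_run_t, uml_switch_var_run_t)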
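Review bot: `kernel_write_proc_files(uml_t)` in the second hunk loses its `# for SKAS - need something better` comment, so the only record that write access to proc files was a stop-gap is gone. The same applies to `corecmd_exec_bin(uml_t)` and `libs_exec_lib_files(uml_t)`, whose `# for xterm` rationale is also deleted. I would keep a one-line why-comment on each of these broad grants, at minimum restoring `# for SKAS - need something better` above `kernel_write_proc_files(uml_t)`. Separately, `allow uml_t self:tcp_socket { accept listen };` no longer grants create or connect itself, so those presumably now come from `auth_use_nsswitch(uml_t)`; a comment naming that dependency would help, and the matching `uml_switch_t` change in the last hunk should be checked the same way, since the rest of the switch policy is outside the hunk.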