| 1 |
commit: dd062fb88bc26fdc9d657dc32bb23b269fac67df |
| 2 |
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
| 3 |
AuthorDate: Sat Dec 29 15:50:11 2012 +0000 |
| 4 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
| 5 |
CommitDate: Sat Dec 29 15:50:11 2012 +0000 |
| 6 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=dd062fb8 |
| 7 |
|
| 8 |
Move majority of gentoo specifics downwards |
| 9 |
|
| 10 |
--- |
| 11 |
policy/modules/system/init.te | 69 ++++++++++++++++++++++++++-------------- |
| 12 |
1 files changed, 45 insertions(+), 24 deletions(-) |
| 13 |
|
| 14 |
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te |
| 15 |
index e71d117..a37147f 100644 |
| 16 |
--- a/policy/modules/system/init.te |
| 17 |
+++ b/policy/modules/system/init.te |
| 18 |
@@ -29,7 +29,7 @@ attribute init_run_all_scripts_domain; |
| 19 |
# Mark process types as daemons |
| 20 |
attribute daemon; |
| 21 |
|
| 22 |
-# Mark file as daemon run dir |
| 23 |
+# Mark file type as a daemon run directory |
| 24 |
attribute daemonrundir; |
| 25 |
|
| 26 |
# |
| 27 |
@@ -122,7 +122,6 @@ dev_filetrans(init_t, initctl_t, fifo_file) |
| 28 |
|
| 29 |
# Modify utmp. |
| 30 |
allow init_t initrc_var_run_t:file { rw_file_perms setattr }; |
| 31 |
-manage_dirs_pattern(initrc_t, initrc_var_run_t, initrc_var_run_t) |
| 32 |
|
| 33 |
kernel_read_system_state(init_t) |
| 34 |
kernel_share_state(init_t) |
| 35 |
@@ -226,7 +225,7 @@ optional_policy(` |
| 36 |
# |
| 37 |
|
| 38 |
allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; |
| 39 |
-allow initrc_t self:capability ~{ sys_module }; |
| 40 |
+allow initrc_t self:capability ~{ sys_admin sys_module }; |
| 41 |
dontaudit initrc_t self:capability sys_module; # sysctl is triggering this |
| 42 |
allow initrc_t self:passwd rootok; |
| 43 |
allow initrc_t self:key manage_key_perms; |
| 44 |
@@ -257,7 +256,7 @@ manage_lnk_files_pattern(initrc_t, initrc_state_t, initrc_state_t) |
| 45 |
manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t) |
| 46 |
|
| 47 |
allow initrc_t initrc_var_run_t:file manage_file_perms; |
| 48 |
-files_pid_filetrans(initrc_t, initrc_var_run_t, { file dir }) |
| 49 |
+files_pid_filetrans(initrc_t, initrc_var_run_t, file) |
| 50 |
|
| 51 |
can_exec(initrc_t, initrc_tmp_t) |
| 52 |
manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t) |
| 53 |
@@ -287,7 +286,6 @@ files_create_lock_dirs(initrc_t) |
| 54 |
files_pid_filetrans_lock_dir(initrc_t, "lock") |
| 55 |
files_read_kernel_symbol_table(initrc_t) |
| 56 |
files_setattr_lock_dirs(initrc_t) |
| 57 |
-files_dontaudit_write_usr_dirs(initrc_t) |
| 58 |
|
| 59 |
corecmd_exec_all_executables(initrc_t) |
| 60 |
|
| 61 |
@@ -308,7 +306,6 @@ dev_write_kmsg(initrc_t) |
| 62 |
dev_write_rand(initrc_t) |
| 63 |
dev_write_urand(initrc_t) |
| 64 |
dev_rw_sysfs(initrc_t) |
| 65 |
-dev_manage_sysfs_dirs(initrc_t) |
| 66 |
dev_list_usbfs(initrc_t) |
| 67 |
dev_read_framebuffer(initrc_t) |
| 68 |
dev_write_framebuffer(initrc_t) |
| 69 |
@@ -348,7 +345,6 @@ files_getattr_all_files(initrc_t) |
| 70 |
files_getattr_all_symlinks(initrc_t) |
| 71 |
files_getattr_all_pipes(initrc_t) |
| 72 |
files_getattr_all_sockets(initrc_t) |
| 73 |
-files_create_pid_dirs(initrc_t) |
| 74 |
files_purge_tmp(initrc_t) |
| 75 |
files_delete_all_locks(initrc_t) |
| 76 |
files_read_all_pids(initrc_t) |
| 77 |
@@ -367,11 +363,8 @@ files_list_isid_type_dirs(initrc_t) |
| 78 |
files_mounton_isid_type_dirs(initrc_t) |
| 79 |
files_list_default(initrc_t) |
| 80 |
files_mounton_default(initrc_t) |
| 81 |
-files_manage_generic_tmp_files(initrc_t) |
| 82 |
-files_manage_generic_tmp_dirs(initrc_t) |
| 83 |
|
| 84 |
-fs_manage_cgroup_dirs(initrc_t) |
| 85 |
-fs_manage_cgroup_files(initrc_t) |
| 86 |
+fs_write_cgroup_files(initrc_t) |
| 87 |
fs_list_inotifyfs(initrc_t) |
| 88 |
fs_register_binary_executable_type(initrc_t) |
| 89 |
# rhgb-console writes to ramfs |
| 90 |
@@ -421,7 +414,6 @@ logging_manage_generic_logs(initrc_t) |
| 91 |
logging_read_all_logs(initrc_t) |
| 92 |
logging_append_all_logs(initrc_t) |
| 93 |
logging_read_audit_config(initrc_t) |
| 94 |
-logging_delete_devlog_socket(initrc_t) |
| 95 |
|
| 96 |
miscfiles_read_localization(initrc_t) |
| 97 |
# slapd needs to read cert files from its initscript |
| 98 |
@@ -503,10 +495,6 @@ ifdef(`distro_gentoo',` |
| 99 |
optional_policy(` |
| 100 |
dhcpd_setattr_state_files(initrc_t) |
| 101 |
') |
| 102 |
- |
| 103 |
- optional_policy(` |
| 104 |
- rpc_manage_nfs_state_data(initrc_t) |
| 105 |
- ') |
| 106 |
') |
| 107 |
|
| 108 |
ifdef(`distro_redhat',` |
| 109 |
@@ -676,10 +664,6 @@ optional_policy(` |
| 110 |
') |
| 111 |
|
| 112 |
optional_policy(` |
| 113 |
- fail2ban_stream_connect(initrc_t) |
| 114 |
-') |
| 115 |
- |
| 116 |
-optional_policy(` |
| 117 |
ftp_read_config(initrc_t) |
| 118 |
') |
| 119 |
|
| 120 |
@@ -766,10 +750,10 @@ optional_policy(` |
| 121 |
ifdef(`distro_redhat',` |
| 122 |
mysql_manage_db_dirs(initrc_t) |
| 123 |
') |
| 124 |
- mysql_read_config(initrc_t) |
| 125 |
- mysql_setattr_run_dirs(initrc_t) |
| 126 |
+ |
| 127 |
mysql_stream_connect(initrc_t) |
| 128 |
mysql_write_log(initrc_t) |
| 129 |
+ mysql_read_config(initrc_t) |
| 130 |
') |
| 131 |
|
| 132 |
optional_policy(` |
| 133 |
@@ -861,8 +845,7 @@ optional_policy(` |
| 134 |
') |
| 135 |
|
| 136 |
optional_policy(` |
| 137 |
- udev_create_db_dirs(initrc_t) |
| 138 |
- udev_pid_filetrans_db(initrc_t, dir, "rules.d") |
| 139 |
+ udev_rw_db(initrc_t) |
| 140 |
udev_manage_pid_files(initrc_t) |
| 141 |
udev_manage_pid_dirs(initrc_t) |
| 142 |
udev_manage_rules_files(initrc_t) |
| 143 |
@@ -915,7 +898,45 @@ optional_policy(` |
| 144 |
') |
| 145 |
|
| 146 |
ifdef(`distro_gentoo',` |
| 147 |
+ ##################################### |
| 148 |
+ # |
| 149 |
+ # Local initrc_t policy |
| 150 |
+ # |
| 151 |
+ allow initrc_t self:capability sys_admin; |
| 152 |
+ |
| 153 |
+ manage_dirs_pattern(initrc_t, initrc_var_run_t, initrc_var_run_t) |
| 154 |
+ files_pid_filetrans(initrc_t, initrc_var_run_t, dir) |
| 155 |
+ |
| 156 |
+ dev_manage_sysfs_dirs(initrc_t) |
| 157 |
+ |
| 158 |
+ files_create_pid_dirs(initrc_t) |
| 159 |
+ files_dontaudit_write_usr_dirs(initrc_t) |
| 160 |
+ files_manage_generic_tmp_dirs(initrc_t) |
| 161 |
+ files_manage_generic_tmp_files(initrc_t) |
| 162 |
+ |
| 163 |
+ fs_manage_cgroup_dirs(initrc_t) |
| 164 |
+ fs_manage_cgroup_files(initrc_t) |
| 165 |
+ |
| 166 |
+ logging_delete_devlog_socket(initrc_t) |
| 167 |
+ |
| 168 |
+ optional_policy(` |
| 169 |
+ mysql_setattr_run_dirs(initrc_t) |
| 170 |
+ ') |
| 171 |
+ |
| 172 |
+ optional_policy(` |
| 173 |
+ fail2ban_stream_connect(initrc_t) |
| 174 |
+ ') |
| 175 |
+ |
| 176 |
+ optional_policy(` |
| 177 |
+ rpc_manage_nfs_state_data(initrc_t) |
| 178 |
+ ') |
| 179 |
+ |
| 180 |
optional_policy(` |
| 181 |
stunnel_read_config(initrc_t) |
| 182 |
') |
| 183 |
+ |
| 184 |
+ optional_policy(` |
| 185 |
+ udev_create_db_dirs(initrc_t) |
| 186 |
+ udev_pid_filetrans_db(initrc_t, dir, "rules.d") |
| 187 |
+ ') |
| 188 |
') |
Archives