commit: dd062fb88bc26fdc9d657dc32bb23b269fac67df |
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
AuthorDate: Sat Dec 29 15:50:11 2012 +0000 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
CommitDate: Sat Dec 29 15:50:11 2012 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=dd062fb8 |
|
Move the majority of Gentoo specifics downwards |
|
--- |
policy/modules/system/init.te | 69 ++++++++++++++++++++++++++-------------- |
1 files changed, 45 insertions(+), 24 deletions(-) |
|
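diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index e71d117..a37147f 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -29,7 +29,7 @@ attribute init_run_all_scripts_domain;
 # Mark process types as daemons
 attribute daemon;
 
-# Mark file as daemon run dir
+# Mark file type as a daemon run directory
 attribute daemonrundir;
 
 #
@@ -122,7 +122,6 @@ dev_filetrans(init_t, initctl_t, fifo_file)
 
 # Modify utmp.
 allow init_t initrc_var_run_t:file { rw_file_perms setattr };
-manage_dirs_pattern(initrc_t, initrc_var_run_t, initrc_var_run_t)
 
 kernel_read_system_state(init_t)
 kernel_share_state(init_t)
@@ -226,7 +225,7 @@ optional_policy(`
 #
 
 allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
-allow initrc_t self:capability ~{ sys_module };
+allow initrc_t self:capability ~{ sys_admin sys_module };
 dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
 allow initrc_t self:passwd rootok;
 allow initrc_t self:key manage_key_perms;
@@ -257,7 +256,7 @@ manage_lnk_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
 manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
 
 allow initrc_t initrc_var_run_t:file manage_file_perms;
-files_pid_filetrans(initrc_t, initrc_var_run_t, { file dir })
+files_pid_filetrans(initrc_t, initrc_var_run_t, file)
 
 can_exec(initrc_t, initrc_tmp_t)
 manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
@@ -287,7 +286,6 @@ files_create_lock_dirs(initrc_t)
 files_pid_filetrans_lock_dir(initrc_t, "lock")
 files_read_kernel_symbol_table(initrc_t)
 files_setattr_lock_dirs(initrc_t)
-files_dontaudit_write_usr_dirs(initrc_t)
 
 corecmd_exec_all_executables(initrc_t)
 
@@ -308,7 +306,6 @@ dev_write_kmsg(initrc_t)
 dev_write_rand(initrc_t)
 dev_write_urand(initrc_t)
 dev_rw_sysfs(initrc_t)
-dev_manage_sysfs_dirs(initrc_t)
 dev_list_usbfs(initrc_t)
 dev_read_framebuffer(initrc_t)
 dev_write_framebuffer(initrc_t)
@@ -348,7 +345,6 @@ files_getattr_all_files(initrc_t)
 files_getattr_all_symlinks(initrc_t)
 files_getattr_all_pipes(initrc_t)
 files_getattr_all_sockets(initrc_t)
-files_create_pid_dirs(initrc_t)
 files_purge_tmp(initrc_t)
 files_delete_all_locks(initrc_t)
 files_read_all_pids(initrc_t)
@@ -367,11 +363,8 @@ files_list_isid_type_dirs(initrc_t)
 files_mounton_isid_type_dirs(initrc_t)
 files_list_default(initrc_t)
 files_mounton_default(initrc_t)
-files_manage_generic_tmp_files(initrc_t)
-files_manage_generic_tmp_dirs(initrc_t)
 
-fs_manage_cgroup_dirs(initrc_t)
-fs_manage_cgroup_files(initrc_t)
+fs_write_cgroup_files(initrc_t)
 fs_list_inotifyfs(initrc_t)
 fs_register_binary_executable_type(initrc_t)
 # rhgb-console writes to ramfs
@@ -421,7 +414,6 @@ logging_manage_generic_logs(initrc_t)
 logging_read_all_logs(initrc_t)
 logging_append_all_logs(initrc_t)
 logging_read_audit_config(initrc_t)
-logging_delete_devlog_socket(initrc_t)
 
 miscfiles_read_localization(initrc_t)
 # slapd needs to read cert files from its initscript
@@ -503,10 +495,6 @@ ifdef(`distro_gentoo',`
 optional_policy(`
 dhcpd_setattr_state_files(initrc_t)
 ')
-
- optional_policy(`
- rpc_manage_nfs_state_data(initrc_t)
- ')
 ')
 
 ifdef(`distro_redhat',`
@@ -676,10 +664,6 @@ optional_policy(`
 ')
 
 optional_policy(`
- fail2ban_stream_connect(initrc_t)
-')
-
-optional_policy(`
 ftp_read_config(initrc_t)
 ')
 
@@ -766,10 +750,10 @@ optional_policy(`
 ifdef(`distro_redhat',`
 mysql_manage_db_dirs(initrc_t)
 ')
- mysql_read_config(initrc_t)
- mysql_setattr_run_dirs(initrc_t)
+
 mysql_stream_connect(initrc_t)
 mysql_write_log(initrc_t)
+ mysql_read_config(initrc_t)
 ')
 
 optional_policy(`
@@ -861,8 +845,7 @@ optional_policy(`
 ')
 
 optional_policy(`
- udev_create_db_dirs(initrc_t)
- udev_pid_filetrans_db(initrc_t, dir, "rules.d")
+ udev_rw_db(initrc_t)
 udev_manage_pid_files(initrc_t)
 udev_manage_pid_dirs(initrc_t)
 udev_manage_rules_files(initrc_t)
@@ -915,7 +898,45 @@ optional_policy(`
 ')
 
 ifdef(`distro_gentoo',`
+ #####################################
+ #
+ # Local initrc_t policy
+ #
+ allow initrc_t self:capability sys_admin;
+
+ manage_dirs_pattern(initrc_t, initrc_var_run_t, initrc_var_run_t)
+ files_pid_filetrans(initrc_t, initrc_var_run_t, dir)
+
+ dev_manage_sysfs_dirs(initrc_t)
+
+ files_create_pid_dirs(initrc_t)
+ files_dontaudit_write_usr_dirs(initrc_t)
+ files_manage_generic_tmp_dirs(initrc_t)
+ files_manage_generic_tmp_files(initrc_t)
+
+ fs_manage_cgroup_dirs(initrc_t)
+ fs_manage_cgroup_files(initrc_t)
+
+ logging_delete_devlog_socket(initrc_t)
+
+ optional_policy(`
+ mysql_setattr_run_dirs(initrc_t)
+ ')
+
+ optional_policy(`
+ fail2ban_stream_connect(initrc_t)
+ ')
+
+ optional_policy(`
+ rpc_manage_nfs_state_data(initrc_t)
+ ')
+
 optional_policy(`
 stunnel_read_config(initrc_t)
 ')
+
+ optional_policy(`
+ udev_create_db_dirs(initrc_t)
+ udev_pid_filetrans_db(initrc_t, dir, "rules.d")
+ ')
 ')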
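Review bot: The generic initrc_t section is not a pure move: for builds without `distro_gentoo`, the `-226` hunk now excludes `sys_admin` from `allow initrc_t self:capability ~{ sys_admin sys_module };`, the `-257`, `-348` and `-367` hunks drop the `dir` pid filetrans, `files_create_pid_dirs`, the generic tmp manage rules and `fs_manage_cgroup_dirs/files`, and `fs_write_cgroup_files(initrc_t)` is added in their place although nothing on the old side granted it. That narrows initrc_t on non-Gentoo builds, which is a reasonable least-privilege outcome, but the title says "move", so the description should state that non-Gentoo initrc_t loses `sys_admin` and the cgroup/tmp/pid-dir manage rights and why `fs_write_cgroup_files` is the right generic replacement. The earlier `ifdef(`distro_gentoo'` block at the `-503` hunk still keeps `dhcpd_setattr_state_files(initrc_t)` on its own, so there are now two Gentoo blocks for initrc_t; folding it into the new `# Local initrc_t policy` block would keep every Gentoo deviation in one place for review. The new block also regrants `allow initrc_t self:capability sys_admin;` directly, so a one-line comment there saying which init scripts need it would make the exception auditable.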