Gentoo Archives: gentoo-commits

From: Sven Vermeulen <sven.vermeulen@××××××.be>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
Date: Wed, 31 Oct 2012 18:11:28
Message-Id: 1351706659.4a1237b6b4975bdee56f4bd15b29d94743f4a7ca.SwifT@gentoo
1 commit: 4a1237b6b4975bdee56f4bd15b29d94743f4a7ca
2 Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
3 AuthorDate: Wed Oct 31 08:19:43 2012 +0000
4 Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
5 CommitDate: Wed Oct 31 18:04:19 2012 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=4a1237b6
7
8 Changes to the vhostmd policy module
9
10 Ported from Fedora with changes
11
12 Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
13
14 ---
15 policy/modules/contrib/vhostmd.fc | 4 +-
16 policy/modules/contrib/vhostmd.if | 56 +++++++++++++++++++++----------------
17 policy/modules/contrib/vhostmd.te | 29 +++++++++++++------
18 3 files changed, 54 insertions(+), 35 deletions(-)
19
20 diff --git a/policy/modules/contrib/vhostmd.fc b/policy/modules/contrib/vhostmd.fc
21 index 2dc3ed3..6a96da3 100644
22 --- a/policy/modules/contrib/vhostmd.fc
23 +++ b/policy/modules/contrib/vhostmd.fc
24 @@ -1,5 +1,5 @@
25 -/etc/rc.d/init.d/vhostmd -- gen_context(system_u:object_r:vhostmd_initrc_exec_t,s0)
26 +/etc/rc\.d/init\.d/vhostmd -- gen_context(system_u:object_r:vhostmd_initrc_exec_t,s0)
27
28 /usr/sbin/vhostmd -- gen_context(system_u:object_r:vhostmd_exec_t,s0)
29
30 -/var/run/vhostmd.pid -- gen_context(system_u:object_r:vhostmd_var_run_t,s0)
31 +/var/run/vhostmd.* gen_context(system_u:object_r:vhostmd_var_run_t,s0)
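Review bot: The new `/var/run/vhostmd.*` entry matches more than the pid file and socket it appears to be meant for. The dot is unescaped and `.*` is open-ended, so any path under /var/run whose name starts with `vhostmd` is labelled vhostmd_var_run_t, and with no file-type field that applies to every object class. The first line of this hunk escapes its dots, so the entry is also inconsistent with the file's own style. The names the daemon actually creates are not visible in this commit; if they are fixed, explicit entries such as `/var/run/vhostmd\.pid -- gen_context(system_u:object_r:vhostmd_var_run_t,s0)` and `/var/run/vhostmd\.<socket-name> -s gen_context(system_u:object_r:vhostmd_var_run_t,s0)` would keep unrelated files from inheriting the type.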
32
33 diff --git a/policy/modules/contrib/vhostmd.if b/policy/modules/contrib/vhostmd.if
34 index 1f872b5..22edd58 100644
35 --- a/policy/modules/contrib/vhostmd.if
36 +++ b/policy/modules/contrib/vhostmd.if
37 @@ -1,13 +1,13 @@
38 -## <summary>Virtual host metrics daemon</summary>
39 +## <summary>Virtual host metrics daemon.</summary>
40
41 ########################################
42 ## <summary>
43 ## Execute a domain transition to run vhostmd.
44 ## </summary>
45 ## <param name="domain">
46 -## <summary>
47 +## <summary>
48 ## Domain allowed to transition.
49 -## </summary>
50 +## </summary>
51 ## </param>
52 #
53 interface(`vhostmd_domtrans',`
54 @@ -15,12 +15,14 @@ interface(`vhostmd_domtrans',`
55 type vhostmd_t, vhostmd_exec_t;
56 ')
57
58 + corecmd_search_bin($1)
59 domtrans_pattern($1, vhostmd_exec_t, vhostmd_t)
60 ')
61
62 ########################################
63 ## <summary>
64 -## Execute vhostmd server in the vhostmd domain.
65 +## Execute vhostmd init scripts in
66 +## the initrc domain.
67 ## </summary>
68 ## <param name="domain">
69 ## <summary>
70 @@ -38,7 +40,7 @@ interface(`vhostmd_initrc_domtrans',`
71
72 ########################################
73 ## <summary>
74 -## Allow domain to read, vhostmd tmpfs files
75 +## Read vhostmd tmpfs files.
76 ## </summary>
77 ## <param name="domain">
78 ## <summary>
79 @@ -51,13 +53,13 @@ interface(`vhostmd_read_tmpfs_files',`
80 type vhostmd_tmpfs_t;
81 ')
82
83 + fs_search_tmpfs($1)
84 allow $1 vhostmd_tmpfs_t:file read_file_perms;
85 - files_search_tmp($1)
86 ')
87
88 ########################################
89 ## <summary>
90 -## Do not audit attempts to read,
91 +## Do not audit attempts to read
92 ## vhostmd tmpfs files
93 ## </summary>
94 ## <param name="domain">
95 @@ -76,7 +78,7 @@ interface(`vhostmd_dontaudit_read_tmpfs_files',`
96
97 #######################################
98 ## <summary>
99 -## Allow domain to read and write vhostmd tmpfs files
100 +## Read and write vhostmd tmpfs files.
101 ## </summary>
102 ## <param name="domain">
103 ## <summary>
104 @@ -89,13 +91,14 @@ interface(`vhostmd_rw_tmpfs_files',`
105 type vhostmd_tmpfs_t;
106 ')
107
108 + fs_search_tmpfs($1)
109 rw_files_pattern($1, vhostmd_tmpfs_t, vhostmd_tmpfs_t)
110 - files_search_tmp($1)
111 ')
112
113 ########################################
114 ## <summary>
115 -## Create, read, write, and delete vhostmd tmpfs files.
116 +## Create, read, write, and delete
117 +## vhostmd tmpfs files.
118 ## </summary>
119 ## <param name="domain">
120 ## <summary>
121 @@ -108,13 +111,13 @@ interface(`vhostmd_manage_tmpfs_files',`
122 type vhostmd_tmpfs_t;
123 ')
124
125 + fs_search_tmpfs($1)
126 manage_files_pattern($1, vhostmd_tmpfs_t, vhostmd_tmpfs_t)
127 - files_search_tmp($1)
128 ')
129
130 ########################################
131 ## <summary>
132 -## Read vhostmd PID files.
133 +## Read vhostmd pid files.
134 ## </summary>
135 ## <param name="domain">
136 ## <summary>
137 @@ -133,7 +136,8 @@ interface(`vhostmd_read_pid_files',`
138
139 ########################################
140 ## <summary>
141 -## Manage vhostmd var_run files.
142 +## Create, read, write, and delete
143 +## vhostmd pid files.
144 ## </summary>
145 ## <param name="domain">
146 ## <summary>
147 @@ -146,12 +150,14 @@ interface(`vhostmd_manage_pid_files',`
148 type vhostmd_var_run_t;
149 ')
150
151 - manage_files_pattern($1, vhostmd_var_run_t, vhostmd_var_run_t)
152 + files_search_pids($1)
153 + manage_files_pattern($1, vhostmd_var_run_t, vhostmd_var_run_t)
154 ')
155
156 ########################################
157 ## <summary>
158 -## Connect to vhostmd over an unix domain stream socket.
159 +## Connect to vhostmd with a unix
160 +## domain stream socket.
161 ## </summary>
162 ## <param name="domain">
163 ## <summary>
164 @@ -170,8 +176,8 @@ interface(`vhostmd_stream_connect',`
165
166 #######################################
167 ## <summary>
168 -## Dontaudit read and write to vhostmd
169 -## over an unix domain stream socket.
170 +## Do not audit attempts to read and
171 +## write vhostmd unix domain stream sockets.
172 ## </summary>
173 ## <param name="domain">
174 ## <summary>
175 @@ -189,8 +195,8 @@ interface(`vhostmd_dontaudit_rw_stream_connect',`
176
177 ########################################
178 ## <summary>
179 -## All of the rules required to administrate
180 -## an vhostmd environment
181 +## All of the rules required to
182 +## administrate an vhostmd environment.
183 ## </summary>
184 ## <param name="domain">
185 ## <summary>
186 @@ -206,10 +212,11 @@ interface(`vhostmd_dontaudit_rw_stream_connect',`
187 #
188 interface(`vhostmd_admin',`
189 gen_require(`
190 - type vhostmd_t, vhostmd_initrc_exec_t;
191 + type vhostmd_t, vhostmd_initrc_exec_t, vhostmd_var_run_t;
192 + type vhostmd_tmpfs_t;
193 ')
194
195 - allow $1 vhostmd_t:process { ptrace signal_perms getattr };
196 + allow $1 vhostmd_t:process { ptrace signal_perms };
197 ps_process_pattern($1, vhostmd_t)
198
199 vhostmd_initrc_domtrans($1)
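Review bot: The rewritten `allow $1 vhostmd_t:process { ptrace signal_perms };` still gives ptrace on the daemon to every caller of vhostmd_admin. The vhostmd.te part of this commit shows vhostmd_t holding dac_override, setuid and setgid, and ptrace lets the caller read and alter the daemon's memory, so the admin domain can in effect borrow those capabilities. Since the line is already being edited to drop getattr, consider narrowing it to `allow $1 vhostmd_t:process signal_perms;` and granting ptrace separately only where debugging the daemon is a stated requirement. The interface body continues in the next hunk.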
200 @@ -217,8 +224,9 @@ interface(`vhostmd_admin',`
201 role_transition $2 vhostmd_initrc_exec_t system_r;
202 allow $2 system_r;
203
204 - vhostmd_manage_tmpfs_files($1)
205 -
206 - vhostmd_manage_pid_files($1)
207 + fs_search_tmpfs($1)
208 + admin_pattern($1, vhostmd_tmpfs_t)
209
210 + files_search_pids($1)
211 + admin_pattern($1, vhostmd_var_run_t)
212 ')
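Review bot: Replacing `vhostmd_manage_tmpfs_files($1)` and `vhostmd_manage_pid_files($1)` with `admin_pattern` widens what the admin domain receives, and nothing in the interface documentation says so. As I read refpolicy's support macros, admin_pattern covers manage and relabel permissions on directories, symlinks, fifos and sockets as well as regular files, whereas the removed calls expanded to manage_files_pattern only (visible earlier in this file). If the wider grant is intended, state it in the summary above the interface, for example `## Includes managing and relabeling all vhostmd pid and tmpfs content.`; that summary sits outside this hunk.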
213
214 diff --git a/policy/modules/contrib/vhostmd.te b/policy/modules/contrib/vhostmd.te
215 index 32a3c13..0be8535 100644
216 --- a/policy/modules/contrib/vhostmd.te
217 +++ b/policy/modules/contrib/vhostmd.te
218 @@ -1,4 +1,4 @@
219 -policy_module(vhostmd, 1.0.0)
220 +policy_module(vhostmd, 1.0.1)
221
222 ########################################
223 #
224 @@ -20,12 +20,12 @@ files_pid_file(vhostmd_var_run_t)
225
226 ########################################
227 #
228 -# vhostmd local policy
229 +# Local policy
230 #
231
232 -allow vhostmd_t self:capability { dac_override ipc_lock setuid setgid };
233 -allow vhostmd_t self:process { setsched getsched };
234 -allow vhostmd_t self:fifo_file rw_file_perms;
235 +allow vhostmd_t self:capability { dac_override ipc_lock setuid setgid };
236 +allow vhostmd_t self:process { setsched getsched signal };
237 +allow vhostmd_t self:fifo_file rw_fifo_file_perms;
238
239 manage_dirs_pattern(vhostmd_t, vhostmd_tmpfs_t, vhostmd_tmpfs_t)
240 manage_files_pattern(vhostmd_t, vhostmd_tmpfs_t, vhostmd_tmpfs_t)
241 @@ -33,8 +33,10 @@ fs_tmpfs_filetrans(vhostmd_t, vhostmd_tmpfs_t, { file dir })
242
243 manage_dirs_pattern(vhostmd_t, vhostmd_var_run_t, vhostmd_var_run_t)
244 manage_files_pattern(vhostmd_t, vhostmd_var_run_t, vhostmd_var_run_t)
245 -files_pid_filetrans(vhostmd_t, vhostmd_var_run_t, { file dir })
246 +manage_sock_files_pattern(vhostmd_t, vhostmd_var_run_t, vhostmd_var_run_t)
247 +files_pid_filetrans(vhostmd_t, vhostmd_var_run_t, { file dir sock_file })
248
249 +kernel_read_kernel_sysctls(vhostmd_t)
250 kernel_read_system_state(vhostmd_t)
251 kernel_read_network_state(vhostmd_t)
252 kernel_write_xen_state(vhostmd_t)
253 @@ -42,13 +44,22 @@ kernel_write_xen_state(vhostmd_t)
254 corecmd_exec_bin(vhostmd_t)
255 corecmd_exec_shell(vhostmd_t)
256
257 -corenet_tcp_connect_soundd_port(vhostmd_t)
258 +corenet_all_recvfrom_unlabeled(vhostmd_t)
259 +corenet_all_recvfrom_netlabel(vhostmd_t)
260 +corenet_tcp_sendrecv_generic_if(vhostmd_t)
261 +corenet_tcp_sendrecv_generic_node(vhostmd_t)
262
263 -files_read_etc_files(vhostmd_t)
264 -files_read_usr_files(vhostmd_t)
265 +corenet_sendrecv_soundd_client_packets(vhostmd_t)
266 +corenet_tcp_connect_soundd_port(vhostmd_t)
267 +corenet_tcp_sendrecv_soundd_port(vhostmd_t)
268
269 +dev_read_rand(vhostmd_t)
270 +dev_read_urand(vhostmd_t)
271 dev_read_sysfs(vhostmd_t)
272
273 +files_list_tmp(vhostmd_t)
274 +files_read_usr_files(vhostmd_t)
275 +
276 auth_use_nsswitch(vhostmd_t)
277
278 logging_send_syslog_msg(vhostmd_t)
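Review bot: The three `soundd` rules (`corenet_sendrecv_soundd_client_packets`, `corenet_tcp_connect_soundd_port`, `corenet_tcp_sendrecv_soundd_port`) have no comment explaining why a host-metrics daemon needs outbound TCP to a port labelled for a sound daemon. Without the reason, an auditor cannot tell a deliberate grant from a leftover, and the port type also covers whatever else listens there. A one-line comment above the group naming the real peer would settle it, e.g. `# <service> listens on a port labelled soundd_port_t`. The same hunk adds `files_list_tmp(vhostmd_t)` next to the existing `corecmd_exec_shell(vhostmd_t)` without a stated need; a short why-comment there would help as well.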