commit: 4a1237b6b4975bdee56f4bd15b29d94743f4a7ca |
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com> |
AuthorDate: Wed Oct 31 08:19:43 2012 +0000 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
CommitDate: Wed Oct 31 18:04:19 2012 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=4a1237b6 |
|
Changes to the vhostmd policy module |
|
Ported from Fedora with changes |
|
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com> |
|
--- |
policy/modules/contrib/vhostmd.fc | 4 +- |
policy/modules/contrib/vhostmd.if | 56 +++++++++++++++++++++---------------- |
policy/modules/contrib/vhostmd.te | 29 +++++++++++++------ |
3 files changed, 54 insertions(+), 35 deletions(-) |
|
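diff --git a/policy/modules/contrib/vhostmd.fc b/policy/modules/contrib/vhostmd.fc
index 2dc3ed3..6a96da3 100644
--- a/policy/modules/contrib/vhostmd.fc
+++ b/policy/modules/contrib/vhostmd.fc
@@ -1,5 +1,5 @@
-/etc/rc.d/init.d/vhostmd -- gen_context(system_u:object_r:vhostmd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/vhostmd -- gen_context(system_u:object_r:vhostmd_initrc_exec_t,s0)
 
 /usr/sbin/vhostmd -- gen_context(system_u:object_r:vhostmd_exec_t,s0)
 
-/var/run/vhostmd.pid -- gen_context(system_u:object_r:vhostmd_var_run_t,s0)
+/var/run/vhostmd.* gen_context(system_u:object_r:vhostmd_var_run_t,s0)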
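Review bot: The new `/var/run/vhostmd.*` entry is an anchored regular expression with an unescaped dot and no file-type field, so it labels every object under /var/run whose name merely begins with `vhostmd` (and anything beneath such a directory) as `vhostmd_var_run_t`, not only the daemon's pid file and socket. The same hunk escapes the dots in the init script path, so the omission here looks unintended. If the daemon keeps its runtime files in a directory, `/var/run/vhostmd(/.*)?` together with `/var/run/vhostmd\.pid --` would cover them without catching unrelated names. Which paths vhostmd actually creates is not visible on this page, so confirm that before narrowing the pattern.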
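diff --git a/policy/modules/contrib/vhostmd.if b/policy/modules/contrib/vhostmd.if
index 1f872b5..22edd58 100644
--- a/policy/modules/contrib/vhostmd.if
+++ b/policy/modules/contrib/vhostmd.if
@@ -1,13 +1,13 @@
-## <summary>Virtual host metrics daemon</summary>
+## <summary>Virtual host metrics daemon.</summary>
 
 ########################################
 ## <summary>
 ## Execute a domain transition to run vhostmd.
 ## </summary>
 ## <param name="domain">
-## <summary>
+## <summary>
 ## Domain allowed to transition.
-## </summary>
+## </summary>
 ## </param>
 #
 interface(`vhostmd_domtrans',`
@@ -15,12 +15,14 @@ interface(`vhostmd_domtrans',`
 type vhostmd_t, vhostmd_exec_t;
 ')
 
+ corecmd_search_bin($1)
 domtrans_pattern($1, vhostmd_exec_t, vhostmd_t)
 ')
 
 ########################################
 ## <summary>
-## Execute vhostmd server in the vhostmd domain.
+## Execute vhostmd init scripts in
+## the initrc domain.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -38,7 +40,7 @@ interface(`vhostmd_initrc_domtrans',`
 
 ########################################
 ## <summary>
-## Allow domain to read, vhostmd tmpfs files
+## Read vhostmd tmpfs files.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -51,13 +53,13 @@ interface(`vhostmd_read_tmpfs_files',`
 type vhostmd_tmpfs_t;
 ')
 
+ fs_search_tmpfs($1)
 allow $1 vhostmd_tmpfs_t:file read_file_perms;
- files_search_tmp($1)
 ')
 
 ########################################
 ## <summary>
-## Do not audit attempts to read,
+## Do not audit attempts to read
 ## vhostmd tmpfs files
 ## </summary>
 ## <param name="domain">
@@ -76,7 +78,7 @@ interface(`vhostmd_dontaudit_read_tmpfs_files',`
 
 #######################################
 ## <summary>
-## Allow domain to read and write vhostmd tmpfs files
+## Read and write vhostmd tmpfs files.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -89,13 +91,14 @@ interface(`vhostmd_rw_tmpfs_files',`
 type vhostmd_tmpfs_t;
 ')
 
+ fs_search_tmpfs($1)
 rw_files_pattern($1, vhostmd_tmpfs_t, vhostmd_tmpfs_t)
- files_search_tmp($1)
 ')
 
 ########################################
 ## <summary>
-## Create, read, write, and delete vhostmd tmpfs files.
+## Create, read, write, and delete
+## vhostmd tmpfs files.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -108,13 +111,13 @@ interface(`vhostmd_manage_tmpfs_files',`
 type vhostmd_tmpfs_t;
 ')
 
+ fs_search_tmpfs($1)
 manage_files_pattern($1, vhostmd_tmpfs_t, vhostmd_tmpfs_t)
- files_search_tmp($1)
 ')
 
 ########################################
 ## <summary>
-## Read vhostmd PID files.
+## Read vhostmd pid files.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -133,7 +136,8 @@ interface(`vhostmd_read_pid_files',`
 
 ########################################
 ## <summary>
-## Manage vhostmd var_run files.
+## Create, read, write, and delete
+## vhostmd pid files.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -146,12 +150,14 @@ interface(`vhostmd_manage_pid_files',`
 type vhostmd_var_run_t;
 ')
 
- manage_files_pattern($1, vhostmd_var_run_t, vhostmd_var_run_t)
+ files_search_pids($1)
+ manage_files_pattern($1, vhostmd_var_run_t, vhostmd_var_run_t)
 ')
 
 ########################################
 ## <summary>
-## Connect to vhostmd over an unix domain stream socket.
+## Connect to vhostmd with a unix
+## domain stream socket.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -170,8 +176,8 @@ interface(`vhostmd_stream_connect',`
 
 #######################################
 ## <summary>
-## Dontaudit read and write to vhostmd
-## over an unix domain stream socket.
+## Do not audit attempts to read and
+## write vhostmd unix domain stream sockets.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -189,8 +195,8 @@ interface(`vhostmd_dontaudit_rw_stream_connect',`
 
 ########################################
 ## <summary>
-## All of the rules required to administrate
-## an vhostmd environment
+## All of the rules required to
+## administrate an vhostmd environment.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -206,10 +212,11 @@ interface(`vhostmd_dontaudit_rw_stream_connect',`
 #
 interface(`vhostmd_admin',`
 gen_require(`
- type vhostmd_t, vhostmd_initrc_exec_t;
+ type vhostmd_t, vhostmd_initrc_exec_t, vhostmd_var_run_t;
+ type vhostmd_tmpfs_t;
 ')
 
- allow $1 vhostmd_t:process { ptrace signal_perms getattr };
+ allow $1 vhostmd_t:process { ptrace signal_perms };
 ps_process_pattern($1, vhostmd_t)
 
 vhostmd_initrc_domtrans($1)
@@ -217,8 +224,9 @@ interface(`vhostmd_admin',`
 role_transition $2 vhostmd_initrc_exec_t system_r;
 allow $2 system_r;
 
- vhostmd_manage_tmpfs_files($1)
-
- vhostmd_manage_pid_files($1)
+ fs_search_tmpfs($1)
+ admin_pattern($1, vhostmd_tmpfs_t)
 
+ files_search_pids($1)
+ admin_pattern($1, vhostmd_var_run_t)
 ')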
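Review bot: In `vhostmd_admin` the last hunk swaps `vhostmd_manage_tmpfs_files($1)` and `vhostmd_manage_pid_files($1)` for `admin_pattern($1, vhostmd_tmpfs_t)` and `admin_pattern($1, vhostmd_var_run_t)`, which, as I read refpolicy's support macros, also grants management of directories, symlinks, fifos and sockets plus relabeling on both types. The interface summary still only says "all of the rules required to administrate", so the wider grant is undocumented; I would add a line such as `## This includes managing and relabeling vhostmd tmpfs and pid content.` to the summary. The rewritten process rule in the preceding hunk also keeps `ptrace` unconditional. If an admin role only needs to signal and inspect the daemon, `allow $1 vhostmd_t:process signal_perms;` would be enough. Part of the interface body lies between the two hunks and is not shown here.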
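diff --git a/policy/modules/contrib/vhostmd.te b/policy/modules/contrib/vhostmd.te
index 32a3c13..0be8535 100644
--- a/policy/modules/contrib/vhostmd.te
+++ b/policy/modules/contrib/vhostmd.te
@@ -1,4 +1,4 @@
-policy_module(vhostmd, 1.0.0)
+policy_module(vhostmd, 1.0.1)
 
 ########################################
 #
@@ -20,12 +20,12 @@ files_pid_file(vhostmd_var_run_t)
 
 ########################################
 #
-# vhostmd local policy
+# Local policy
 #
 
-allow vhostmd_t self:capability { dac_override ipc_lock setuid setgid };
-allow vhostmd_t self:process { setsched getsched };
-allow vhostmd_t self:fifo_file rw_file_perms;
+allow vhostmd_t self:capability { dac_override ipc_lock setuid setgid };
+allow vhostmd_t self:process { setsched getsched signal };
+allow vhostmd_t self:fifo_file rw_fifo_file_perms;
 
 manage_dirs_pattern(vhostmd_t, vhostmd_tmpfs_t, vhostmd_tmpfs_t)
 manage_files_pattern(vhostmd_t, vhostmd_tmpfs_t, vhostmd_tmpfs_t)
@@ -33,8 +33,10 @@ fs_tmpfs_filetrans(vhostmd_t, vhostmd_tmpfs_t, { file dir })
 
 manage_dirs_pattern(vhostmd_t, vhostmd_var_run_t, vhostmd_var_run_t)
 manage_files_pattern(vhostmd_t, vhostmd_var_run_t, vhostmd_var_run_t)
-files_pid_filetrans(vhostmd_t, vhostmd_var_run_t, { file dir })
+manage_sock_files_pattern(vhostmd_t, vhostmd_var_run_t, vhostmd_var_run_t)
+files_pid_filetrans(vhostmd_t, vhostmd_var_run_t, { file dir sock_file })
 
+kernel_read_kernel_sysctls(vhostmd_t)
 kernel_read_system_state(vhostmd_t)
 kernel_read_network_state(vhostmd_t)
 kernel_write_xen_state(vhostmd_t)
@@ -42,13 +44,22 @@ kernel_write_xen_state(vhostmd_t)
 corecmd_exec_bin(vhostmd_t)
 corecmd_exec_shell(vhostmd_t)
 
-corenet_tcp_connect_soundd_port(vhostmd_t)
+corenet_all_recvfrom_unlabeled(vhostmd_t)
+corenet_all_recvfrom_netlabel(vhostmd_t)
+corenet_tcp_sendrecv_generic_if(vhostmd_t)
+corenet_tcp_sendrecv_generic_node(vhostmd_t)
 
-files_read_etc_files(vhostmd_t)
-files_read_usr_files(vhostmd_t)
+corenet_sendrecv_soundd_client_packets(vhostmd_t)
+corenet_tcp_connect_soundd_port(vhostmd_t)
+corenet_tcp_sendrecv_soundd_port(vhostmd_t)
 
+dev_read_rand(vhostmd_t)
+dev_read_urand(vhostmd_t)
 dev_read_sysfs(vhostmd_t)
 
+files_list_tmp(vhostmd_t)
+files_read_usr_files(vhostmd_t)
+
 auth_use_nsswitch(vhostmd_t)
 
 logging_send_syslog_msg(vhostmd_t)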
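Review bot: The last hunk adds `dev_read_rand(vhostmd_t)` and `files_list_tmp(vhostmd_t)`, and the hunk before it adds `kernel_read_kernel_sysctls(vhostmd_t)`, with no comment saying which daemon behaviour needs them. The domain already holds `dac_override`, `setuid` and `setgid` and may run a shell through `corecmd_exec_shell`, so each extra grant should be traceable to an observed denial. `dev_read_rand` next to `dev_read_urand` is the one I would question first, since a metrics daemon presumably needs only the non-blocking device. I would drop whatever cannot be justified and put a short why-comment above each remaining group, for example `# runtime socket created under /var/run` above the `manage_sock_files_pattern` line.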