commit: b806992f1bc6fa8187730296a708320ee0e18266 |
Author: Kenton Groombridge <me <AT> concord <DOT> sh> |
AuthorDate: Sat Sep 24 04:09:19 2022 +0000 |
Commit: Kenton Groombridge <concord <AT> gentoo <DOT> org> |
CommitDate: Wed Nov 2 14:07:09 2022 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b806992f |
|
opensm: initial policy |
|
Signed-off-by: Kenton Groombridge <me <AT> concord.sh> |
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org> |
|
policy/modules/services/opensm.fc | 10 +++++ |
policy/modules/services/opensm.if | 86 +++++++++++++++++++++++++++++++++++++++ |
policy/modules/services/opensm.te | 45 ++++++++++++++++++++ |
3 files changed, 141 insertions(+) |
|
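--- /dev/null
+++ b/policy/modules/services/opensm.fc
@@ -0,0 +1,10 @@
+/usr/bin/opensm -- gen_context(system_u:object_r:opensm_exec_t,s0)
+
+/usr/sbin/opensm -- gen_context(system_u:object_r:opensm_exec_t,s0)
+
+/etc/opensm(/.*)? gen_context(system_u:object_r:opensm_conf_t,s0)
+
+/var/cache/opensm(/.*)? gen_context(system_u:object_r:opensm_cache_t,s0)
+
+/var/log/opensm\.log -- gen_context(system_u:object_r:opensm_log_t,s0)
+/var/log/opensm-subnet\.lst -- gen_context(system_u:object_r:opensm_log_t,s0)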
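--- /dev/null
+++ b/policy/modules/services/opensm.if
@@ -0,0 +1,86 @@
+## <summary>OpenSM is a software implementation of an InfiniBand subnet manager.</summary>
+
+########################################
+## <summary>
+## Execute opensm in the opensm domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`opensm_domtrans',`
+ gen_require(`
+ type opensm_t, opensm_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, opensm_exec_t, opensm_t)
+')
+
+########################################
+## <summary>
+## Execute opensm in the opensm domain, and
+## allow the specified role the opensm domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`opensm_run',`
+ gen_require(`
+ type opensm_t;
+ ')
+
+ opensm_domtrans($1)
+ role $2 types opensm_t;
+')
+
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an opensm environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`opensm_admin',`
+ gen_require(`
+ type opensm_t;
+ type opensm_conf_t, opensm_cache_t;
+ type opensm_log_t;
+ ')
+
+ opensm_run($1, $2)
+
+ allow $1 opensm_t:process { ptrace signal_perms };
+ ps_process_pattern($1, opensm_t)
+
+ files_search_etc($1)
+ admin_pattern($1, opensm_conf_t)
+
+ files_search_var($1)
+ admin_pattern($1, opensm_cache_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, opensm_log_t)
+')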
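Review bot: `opensm_admin` lets the admin role edit the config, cache and log files and signal or ptrace the daemon, but gives it no way to start, stop or restart the service, which the other refpolicy `*_admin` interfaces provide through `init_startstop_service`; without it an admin can change `/etc/opensm` yet cannot restart opensm to apply it. If the package ships a systemd unit, declare `type opensm_unit_t; init_unit_file(opensm_unit_t)` in opensm.te and add `init_startstop_service($1, $2, opensm_t, opensm_unit_t)` right after the `opensm_run($1, $2)` call. If no unit file exists, a one-line comment above `opensm_run($1, $2)` saying that service control is intentionally omitted would stop the next reader from treating it as an oversight.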
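--- /dev/null
+++ b/policy/modules/services/opensm.te
@@ -0,0 +1,45 @@
+policy_module(opensm)
+
+########################################
+#
+# Declarations
+#
+
+type opensm_t;
+type opensm_exec_t;
+init_daemon_domain(opensm_t, opensm_exec_t)
+
+type opensm_conf_t;
+files_config_file(opensm_conf_t)
+
+type opensm_cache_t;
+files_type(opensm_cache_t)
+
+type opensm_log_t;
+logging_log_file(opensm_log_t)
+
+########################################
+#
+# opensm local policy
+#
+
+allow opensm_t self:process { getsched signal };
+allow opensm_t self:unix_dgram_socket create_socket_perms;
+
+read_files_pattern(opensm_t, opensm_conf_t, opensm_conf_t)
+
+manage_dirs_pattern(opensm_t, opensm_cache_t, opensm_cache_t)
+manage_files_pattern(opensm_t, opensm_cache_t, opensm_cache_t)
+files_var_filetrans(opensm_t, opensm_cache_t, dir)
+
+create_files_pattern(opensm_t, opensm_log_t, opensm_log_t)
+append_files_pattern(opensm_t, opensm_log_t, opensm_log_t)
+rw_files_pattern(opensm_t, opensm_log_t, opensm_log_t)
+logging_log_filetrans(opensm_t, opensm_log_t, file)
+
+dev_read_sysfs(opensm_t)
+dev_rw_infiniband(opensm_t)
+
+logging_send_syslog_msg(opensm_t)
+
+miscfiles_read_localization(opensm_t)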