
From: Kenton Groombridge <concord@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
Date: Wed, 02 Nov 2022 14:42:57
Message-Id: 1667398029.b806992f1bc6fa8187730296a708320ee0e18266.concord@gentoo
1 commit: b806992f1bc6fa8187730296a708320ee0e18266
2 Author: Kenton Groombridge <me <AT> concord <DOT> sh>
3 AuthorDate: Sat Sep 24 04:09:19 2022 +0000
4 Commit: Kenton Groombridge <concord <AT> gentoo <DOT> org>
5 CommitDate: Wed Nov 2 14:07:09 2022 +0000
6 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b806992f
7
8 opensm: initial policy
9
10 Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
11 Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>
12
13 policy/modules/services/opensm.fc | 10 +++++
14 policy/modules/services/opensm.if | 86 +++++++++++++++++++++++++++++++++++++++
15 policy/modules/services/opensm.te | 45 ++++++++++++++++++++
16 3 files changed, 141 insertions(+)
17
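--- /dev/null
+++ b/policy/modules/services/opensm.fc
@@ -0,0 +1,10 @@
+/usr/bin/opensm -- gen_context(system_u:object_r:opensm_exec_t,s0)
+
+/usr/sbin/opensm -- gen_context(system_u:object_r:opensm_exec_t,s0)
+
+/etc/opensm(/.*)? gen_context(system_u:object_r:opensm_conf_t,s0)
+
+/var/cache/opensm(/.*)? gen_context(system_u:object_r:opensm_cache_t,s0)
+
+/var/log/opensm\.log -- gen_context(system_u:object_r:opensm_log_t,s0)
+/var/log/opensm-subnet\.lst -- gen_context(system_u:object_r:opensm_log_t,s0)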
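--- /dev/null
+++ b/policy/modules/services/opensm.if
@@ -0,0 +1,86 @@
+## <summary>OpenSM is a software implementation of an InfiniBand subnet manager.</summary>
+
+########################################
+## <summary>
+## Execute opensm in the opensm domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`opensm_domtrans',`
+ gen_require(`
+ type opensm_t, opensm_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, opensm_exec_t, opensm_t)
+')
+
+########################################
+## <summary>
+## Execute opensm in the opensm domain, and
+## allow the specified role the opensm domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`opensm_run',`
+ gen_require(`
+ type opensm_t;
+ ')
+
+ opensm_domtrans($1)
+ role $2 types opensm_t;
+')
+
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an opensm environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`opensm_admin',`
+ gen_require(`
+ type opensm_t;
+ type opensm_conf_t, opensm_cache_t;
+ type opensm_log_t;
+ ')
+
+ opensm_run($1, $2)
+
+ allow $1 opensm_t:process { ptrace signal_perms };
+ ps_process_pattern($1, opensm_t)
+
+ files_search_etc($1)
+ admin_pattern($1, opensm_conf_t)
+
+ files_search_var($1)
+ admin_pattern($1, opensm_cache_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, opensm_log_t)
+')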
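Review bot: opensm_admin grants ptrace, signal and file administration over the opensm types but gives the admin role no way to start or stop the daemon through init, which is what the usual refpolicy admin interface provides via `init_startstop_service($1, $2, opensm_t, opensm_unit_t)`. That call needs a unit type that this commit does not declare, so it would go together with `type opensm_unit_t;` and `init_unit_file(opensm_unit_t)` in opensm.te, a `/usr/lib/systemd/system/opensm.*` context for it in opensm.fc, and `opensm_unit_t` in the interface's gen_require; if the service is only ever launched by an init script rather than a unit, say so in the interface summary instead. Minor style point: there is a stray double blank line between opensm_run and the opensm_admin header.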
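--- /dev/null
+++ b/policy/modules/services/opensm.te
@@ -0,0 +1,45 @@
+policy_module(opensm)
+
+########################################
+#
+# Declarations
+#
+
+type opensm_t;
+type opensm_exec_t;
+init_daemon_domain(opensm_t, opensm_exec_t)
+
+type opensm_conf_t;
+files_config_file(opensm_conf_t)
+
+type opensm_cache_t;
+files_type(opensm_cache_t)
+
+type opensm_log_t;
+logging_log_file(opensm_log_t)
+
+########################################
+#
+# opensm local policy
+#
+
+allow opensm_t self:process { getsched signal };
+allow opensm_t self:unix_dgram_socket create_socket_perms;
+
+read_files_pattern(opensm_t, opensm_conf_t, opensm_conf_t)
+
+manage_dirs_pattern(opensm_t, opensm_cache_t, opensm_cache_t)
+manage_files_pattern(opensm_t, opensm_cache_t, opensm_cache_t)
+files_var_filetrans(opensm_t, opensm_cache_t, dir)
+
+create_files_pattern(opensm_t, opensm_log_t, opensm_log_t)
+append_files_pattern(opensm_t, opensm_log_t, opensm_log_t)
+rw_files_pattern(opensm_t, opensm_log_t, opensm_log_t)
+logging_log_filetrans(opensm_t, opensm_log_t, file)
+
+dev_read_sysfs(opensm_t)
+dev_rw_infiniband(opensm_t)
+
+logging_send_syslog_msg(opensm_t)
+
+miscfiles_read_localization(opensm_t)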
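Review bot: The two file transitions near the end of the local policy are unnamed, so `logging_log_filetrans(opensm_t, opensm_log_t, file)` labels every file opensm_t creates in the log directory as opensm_log_t, and `files_var_filetrans(opensm_t, opensm_cache_t, dir)` does the same for any directory it creates under the var type, while opensm.fc only ever labels /var/log/opensm.log, /var/log/opensm-subnet.lst and /var/cache/opensm. Pinning them with the optional name argument keeps the relabel and the runtime behaviour in step: `logging_log_filetrans(opensm_t, opensm_log_t, file, "opensm.log")`, `logging_log_filetrans(opensm_t, opensm_log_t, file, "opensm-subnet.lst")` and `files_var_filetrans(opensm_t, opensm_cache_t, dir, "opensm")`. The combination of append_files_pattern and rw_files_pattern on opensm_log_t is presumably because opensm-subnet.lst is rewritten rather than appended to; a one-line comment above rw_files_pattern saying which file needs non-append write would save the next reader from trying to drop it.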