
From: Sven Vermeulen <sven.vermeulen@××××××.be>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
Date: Thu, 27 Sep 2012 18:06:46
Message-Id: 1348768978.93ce6c8c23d102a9a5b50da848779d1ffe49cb80.SwifT@gentoo
1 commit: 93ce6c8c23d102a9a5b50da848779d1ffe49cb80
2 Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
3 AuthorDate: Thu Sep 27 13:41:53 2012 +0000
4 Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
5 CommitDate: Thu Sep 27 18:02:58 2012 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=93ce6c8c
7
8 Changes to the dcc policy module
9
10 Use role attributes for application domains
11 Module clean up
12
13 Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
14 Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
15
16 ---
17 policy/modules/contrib/dcc.fc | 42 ++++++++---------
18 policy/modules/contrib/dcc.if | 37 +++++++++-------
19 policy/modules/contrib/dcc.te | 99 +++++++++-------------------------------
20 3 files changed, 63 insertions(+), 115 deletions(-)
21
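diff --git a/policy/modules/contrib/dcc.fc b/policy/modules/contrib/dcc.fc
index 29773e7..62d3c4e 100644
--- a/policy/modules/contrib/dcc.fc
+++ b/policy/modules/contrib/dcc.fc
@@ -1,30 +1,26 @@
-/etc/dcc(/.*)? gen_context(system_u:object_r:dcc_var_t,s0)
-/etc/dcc/dccifd -s gen_context(system_u:object_r:dccifd_var_run_t,s0)
-/etc/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0)
+/etc/dcc(/.*)? gen_context(system_u:object_r:dcc_var_t,s0)
+/etc/dcc/dccifd -s gen_context(system_u:object_r:dccifd_var_run_t,s0)
+/etc/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0)
 
-/usr/bin/cdcc -- gen_context(system_u:object_r:cdcc_exec_t,s0)
-/usr/bin/dccproc -- gen_context(system_u:object_r:dcc_client_exec_t,s0)
+/usr/bin/cdcc -- gen_context(system_u:object_r:cdcc_exec_t,s0)
+/usr/bin/dccproc -- gen_context(system_u:object_r:dcc_client_exec_t,s0)
 
 /usr/libexec/dcc/dbclean -- gen_context(system_u:object_r:dcc_dbclean_exec_t,s0)
-/usr/libexec/dcc/dccd -- gen_context(system_u:object_r:dccd_exec_t,s0)
-/usr/libexec/dcc/dccifd -- gen_context(system_u:object_r:dccifd_exec_t,s0)
-/usr/libexec/dcc/dccm -- gen_context(system_u:object_r:dccm_exec_t,s0)
+/usr/libexec/dcc/dccd -- gen_context(system_u:object_r:dccd_exec_t,s0)
+/usr/libexec/dcc/dccifd -- gen_context(system_u:object_r:dccifd_exec_t,s0)
+/usr/libexec/dcc/dccm -- gen_context(system_u:object_r:dccm_exec_t,s0)
 
-ifdef(`distro_debian',`
-/usr/sbin/dbclean -- gen_context(system_u:object_r:dcc_dbclean_exec_t,s0)
-/usr/sbin/dccd -- gen_context(system_u:object_r:dccd_exec_t,s0)
-/usr/sbin/dccifd -- gen_context(system_u:object_r:dccifd_exec_t,s0)
-/usr/sbin/dccm -- gen_context(system_u:object_r:dccm_exec_t,s0)
-')
+/usr/sbin/dbclean -- gen_context(system_u:object_r:dcc_dbclean_exec_t,s0)
+/usr/sbin/dccd -- gen_context(system_u:object_r:dccd_exec_t,s0)
+/usr/sbin/dccifd -- gen_context(system_u:object_r:dccifd_exec_t,s0)
+/usr/sbin/dccm -- gen_context(system_u:object_r:dccm_exec_t,s0)
 
-/var/lib/dcc(/.*)? gen_context(system_u:object_r:dcc_var_t,s0)
-/var/lib/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0)
+/var/dcc(/.*)? gen_context(system_u:object_r:dcc_var_t,s0)
+/var/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0)
 
-/var/run/dcc(/.*)? gen_context(system_u:object_r:dcc_var_run_t,s0)
-/var/run/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0)
-/var/run/dcc/dccifd -s gen_context(system_u:object_r:dccifd_var_run_t,s0)
+/var/lib/dcc(/.*)? gen_context(system_u:object_r:dcc_var_t,s0)
+/var/lib/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0)
 
-ifdef(`distro_redhat',`
-/var/dcc(/.*)? gen_context(system_u:object_r:dcc_var_t,s0)
-/var/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0)
-')
+/var/run/dcc(/.*)? gen_context(system_u:object_r:dcc_var_run_t,s0)
+/var/run/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0)
+/var/run/dcc/dccifd -s gen_context(system_u:object_r:dccifd_var_run_t,s0)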
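diff --git a/policy/modules/contrib/dcc.if b/policy/modules/contrib/dcc.if
index 784753e..a5c21e0 100644
--- a/policy/modules/contrib/dcc.if
+++ b/policy/modules/contrib/dcc.if
@@ -1,4 +1,4 @@
-## <summary>Distributed checksum clearinghouse spam filtering</summary>
+## <summary>Distributed checksum clearinghouse spam filtering.</summary>
 
 ########################################
 ## <summary>
@@ -22,7 +22,8 @@ interface(`dcc_domtrans_cdcc',`
 ########################################
 ## <summary>
 ## Execute cdcc in the cdcc domain, and
-## allow the specified role the cdcc domain.
+## allow the specified role the
+## cdcc domain.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -38,16 +39,17 @@ interface(`dcc_domtrans_cdcc',`
 #
 interface(`dcc_run_cdcc',`
 gen_require(`
- type cdcc_t;
+ attribute_role cdcc_roles;
 ')
 
 dcc_domtrans_cdcc($1)
- role $2 types cdcc_t;
+ roleattribute $2 cdcc_roles;
 ')
 
 ########################################
 ## <summary>
-## Execute dcc_client in the dcc_client domain.
+## Execute dcc client in the dcc
+## client domain.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -66,7 +68,7 @@ interface(`dcc_domtrans_client',`
 
 ########################################
 ## <summary>
-## Send a signal to the dcc_client.
+## Send generic signals to dcc client.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -84,8 +86,9 @@ interface(`dcc_signal_client',`
 
 ########################################
 ## <summary>
-## Execute dcc_client in the dcc_client domain, and
-## allow the specified role the dcc_client domain.
+## Execute dcc client in the dcc
+## client domain, and allow the
+## specified role the dcc client domain.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -101,16 +104,16 @@ interface(`dcc_signal_client',`
 #
 interface(`dcc_run_client',`
 gen_require(`
- type dcc_client_t;
+ attribute_role dcc_client_roles;
 ')
 
 dcc_domtrans_client($1)
- role $2 types dcc_client_t;
+ roleattribute $2 dcc_client_roles;
 ')
 
 ########################################
 ## <summary>
-## Execute dbclean in the dcc_dbclean domain.
+## Execute dbclean in the dcc dbclean domain.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -129,8 +132,9 @@ interface(`dcc_domtrans_dbclean',`
 
 ########################################
 ## <summary>
-## Execute dbclean in the dcc_dbclean domain, and
-## allow the specified role the dcc_dbclean domain.
+## Execute dbclean in the dcc dbclean
+## domain, and allow the specified
+## role the dcc dbclean domain.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -146,16 +150,17 @@ interface(`dcc_domtrans_dbclean',`
 #
 interface(`dcc_run_dbclean',`
 gen_require(`
- type dcc_dbclean_t;
+ attribute_role dcc_dbclean_roles;
 ')
 
 dcc_domtrans_dbclean($1)
- role $2 types dcc_dbclean_t;
+ roleattribute $2 dcc_dbclean_roles;
 ')
 
 ########################################
 ## <summary>
-## Connect to dccifd over a unix domain stream socket.
+## Connect to dccifd over a unix
+## domain stream socket.
 ## </summary>
 ## <param name="domain">
 ## <summary>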
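Review bot: The doc comments of `dcc_run_cdcc`, `dcc_run_client` and `dcc_run_dbclean` still say only that the role is allowed the domain, while the bodies now use `roleattribute $2 cdcc_roles;` (and the two sibling attributes) instead of `role $2 types cdcc_t;`, so the actual grant is no longer readable at the interface. A calling role now receives whatever types dcc.te associates with the attribute; the dcc.te part of this commit associates one type with each attribute, but a later `role cdcc_roles types ...;` line would widen every caller without touching this file. I would add a line to each summary such as `## The role is added to the cdcc_roles role attribute declared in dcc.te.` so that reviewers of callers know where the type list lives. The `role` parameter documentation of these interfaces lies outside the hunks and was not checked.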
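diff --git a/policy/modules/contrib/dcc.te b/policy/modules/contrib/dcc.te
index 5178337..15d908f 100644
--- a/policy/modules/contrib/dcc.te
+++ b/policy/modules/contrib/dcc.te
@@ -1,14 +1,23 @@
-policy_module(dcc, 1.11.0)
+policy_module(dcc, 1.11.1)
 
 ########################################
 #
 # Declarations
 #
 
+attribute_role cdcc_roles;
+roleattribute system_r cdcc_roles;
+
+attribute_role dcc_client_roles;
+roleattribute system_r dcc_client_roles;
+
+attribute_role dcc_dbclean_roles;
+roleattribute system_r dcc_dbclean_roles;
+
 type cdcc_t;
 type cdcc_exec_t;
 application_domain(cdcc_t, cdcc_exec_t)
-role system_r types cdcc_t;
+role cdcc_roles types cdcc_t;
 
 type cdcc_tmp_t;
 files_tmp_file(cdcc_tmp_t)
@@ -16,7 +25,7 @@ files_tmp_file(cdcc_tmp_t)
 type dcc_client_t;
 type dcc_client_exec_t;
 application_domain(dcc_client_t, dcc_client_exec_t)
-role system_r types dcc_client_t;
+role dcc_client_roles types dcc_client_t;
 
 type dcc_client_map_t;
 files_type(dcc_client_map_t)
@@ -27,7 +36,7 @@ files_tmp_file(dcc_client_tmp_t)
 type dcc_dbclean_t;
 type dcc_dbclean_exec_t;
 application_domain(dcc_dbclean_t, dcc_dbclean_exec_t)
-role system_r types dcc_dbclean_t;
+role dcc_dbclean_roles types dcc_dbclean_t;
 
 type dcc_dbclean_tmp_t;
 files_tmp_file(dcc_dbclean_tmp_t)
@@ -68,21 +77,12 @@ files_tmp_file(dccm_tmp_t)
 type dccm_var_run_t;
 files_pid_file(dccm_var_run_t)
 
-# NOTE: DCC has writeable files in /etc/dcc that should probably be in
-# /var/lib/dcc. For now this policy supports both directories being
-# writable.
-
-# cjp: dccifd and dccm should be merged, as
-# they have the same rules.
-
 ########################################
 #
-# dcc daemon controller local policy
+# Daemon controller local policy
 #
 
 allow cdcc_t self:capability { setuid setgid };
-allow cdcc_t self:unix_dgram_socket create_socket_perms;
-allow cdcc_t self:udp_socket create_socket_perms;
 
 manage_dirs_pattern(cdcc_t, cdcc_tmp_t, cdcc_tmp_t)
 manage_files_pattern(cdcc_t, cdcc_tmp_t, cdcc_tmp_t)
@@ -90,18 +90,10 @@ files_tmp_filetrans(cdcc_t, cdcc_tmp_t, { file dir })
 
 allow cdcc_t dcc_client_map_t:file rw_file_perms;
 
-# Access files in /var/dcc. The map file can be updated
 allow cdcc_t dcc_var_t:dir list_dir_perms;
 read_files_pattern(cdcc_t, dcc_var_t, dcc_var_t)
 read_lnk_files_pattern(cdcc_t, dcc_var_t, dcc_var_t)
 
-corenet_all_recvfrom_unlabeled(cdcc_t)
-corenet_all_recvfrom_netlabel(cdcc_t)
-corenet_udp_sendrecv_generic_if(cdcc_t)
-corenet_udp_sendrecv_generic_node(cdcc_t)
-corenet_udp_sendrecv_all_ports(cdcc_t)
-
-files_read_etc_files(cdcc_t)
 files_read_etc_runtime_files(cdcc_t)
 
 auth_use_nsswitch(cdcc_t)
@@ -114,12 +106,10 @@ userdom_use_user_terminals(cdcc_t)
 
 ########################################
 #
-# dcc procmail interface local policy
+# Procmail interface local policy
 #
 
 allow dcc_client_t self:capability { setuid setgid };
-allow dcc_client_t self:unix_dgram_socket create_socket_perms;
-allow dcc_client_t self:udp_socket create_socket_perms;
 
 allow dcc_client_t dcc_client_map_t:file rw_file_perms;
 
@@ -127,21 +117,12 @@ manage_dirs_pattern(dcc_client_t, dcc_client_tmp_t, dcc_client_tmp_t)
 manage_files_pattern(dcc_client_t, dcc_client_tmp_t, dcc_client_tmp_t)
 files_tmp_filetrans(dcc_client_t, dcc_client_tmp_t, { file dir })
 
-# Access files in /var/dcc. The map file can be updated
 allow dcc_client_t dcc_var_t:dir list_dir_perms;
 manage_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t)
 read_lnk_files_pattern(dcc_client_t, dcc_var_t, dcc_var_t)
 
 kernel_read_system_state(dcc_client_t)
 
-corenet_all_recvfrom_unlabeled(dcc_client_t)
-corenet_all_recvfrom_netlabel(dcc_client_t)
-corenet_udp_sendrecv_generic_if(dcc_client_t)
-corenet_udp_sendrecv_generic_node(dcc_client_t)
-corenet_udp_sendrecv_all_ports(dcc_client_t)
-corenet_udp_bind_generic_node(dcc_client_t)
-
-files_read_etc_files(dcc_client_t)
 files_read_etc_runtime_files(dcc_client_t)
 
 fs_getattr_all_fs(dcc_client_t)
@@ -164,12 +145,9 @@ optional_policy(`
 
 ########################################
 #
-# Database cleanup tool local policy
+# Database cleanup local policy
 #
 
-allow dcc_dbclean_t self:unix_dgram_socket create_socket_perms;
-allow dcc_dbclean_t self:udp_socket create_socket_perms;
-
 allow dcc_dbclean_t dcc_client_map_t:file rw_file_perms;
 
 manage_dirs_pattern(dcc_dbclean_t, dcc_dbclean_tmp_t, dcc_dbclean_tmp_t)
@@ -182,13 +160,6 @@ manage_lnk_files_pattern(dcc_dbclean_t, dcc_var_t, dcc_var_t)
 
 kernel_read_system_state(dcc_dbclean_t)
 
-corenet_all_recvfrom_unlabeled(dcc_dbclean_t)
-corenet_all_recvfrom_netlabel(dcc_dbclean_t)
-corenet_udp_sendrecv_generic_if(dcc_dbclean_t)
-corenet_udp_sendrecv_generic_node(dcc_dbclean_t)
-corenet_udp_sendrecv_all_ports(dcc_dbclean_t)
-
-files_read_etc_files(dcc_dbclean_t)
 files_read_etc_runtime_files(dcc_dbclean_t)
 
 auth_use_nsswitch(dcc_dbclean_t)
@@ -201,28 +172,21 @@ userdom_use_user_terminals(dcc_dbclean_t)
 
 ########################################
 #
-# Server daemon local policy
+# Server local policy
 #
 
 allow dccd_t self:capability net_admin;
 dontaudit dccd_t self:capability sys_tty_config;
 allow dccd_t self:process signal_perms;
-allow dccd_t self:unix_stream_socket create_socket_perms;
-allow dccd_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
-allow dccd_t self:udp_socket create_socket_perms;
 
 allow dccd_t dcc_client_map_t:file rw_file_perms;
 
-# Access files in /var/dcc. The map file can be updated
 allow dccd_t dcc_var_t:dir list_dir_perms;
 read_files_pattern(dccd_t, dcc_var_t, dcc_var_t)
 read_lnk_files_pattern(dccd_t, dcc_var_t, dcc_var_t)
 
-# Runs the dbclean program
 domtrans_pattern(dccd_t, dcc_dbclean_exec_t, dcc_dbclean_t)
-corecmd_search_bin(dccd_t)
 
-# Updating dcc_db, flod, ...
 manage_dirs_pattern(dccd_t, dcc_var_t, dcc_var_t)
 manage_files_pattern(dccd_t, dcc_var_t, dcc_var_t)
 manage_lnk_files_pattern(dccd_t, dcc_var_t, dcc_var_t)
@@ -244,14 +208,16 @@ corenet_udp_sendrecv_generic_if(dccd_t)
 corenet_udp_sendrecv_generic_node(dccd_t)
 corenet_udp_sendrecv_all_ports(dccd_t)
 corenet_udp_bind_generic_node(dccd_t)
+
 corenet_udp_bind_dcc_port(dccd_t)
 corenet_sendrecv_dcc_server_packets(dccd_t)
 
+corecmd_search_bin(dccd_t)
+
 dev_read_sysfs(dccd_t)
 
 domain_use_interactive_fds(dccd_t)
 
-files_read_etc_files(dccd_t)
 files_read_etc_runtime_files(dccd_t)
 
 fs_getattr_all_fs(dccd_t)
@@ -281,13 +247,10 @@ optional_policy(`
 
 dontaudit dccifd_t self:capability sys_tty_config;
 allow dccifd_t self:process signal_perms;
-allow dccifd_t self:unix_stream_socket create_stream_socket_perms;
-allow dccifd_t self:unix_dgram_socket create_socket_perms;
-allow dccifd_t self:udp_socket create_socket_perms;
+allow dccifd_t self:unix_stream_socket { accept listen };
 
 allow dccifd_t dcc_client_map_t:file rw_file_perms;
 
-# Updating dcc_db, flod, ...
 manage_dirs_pattern(dccifd_t, dcc_var_t, dcc_var_t)
 manage_files_pattern(dccifd_t, dcc_var_t, dcc_var_t)
 manage_lnk_files_pattern(dccifd_t, dcc_var_t, dcc_var_t)
@@ -306,17 +269,10 @@ files_pid_filetrans(dccifd_t, dccifd_var_run_t, file)
 kernel_read_system_state(dccifd_t)
 kernel_read_kernel_sysctls(dccifd_t)
 
-corenet_all_recvfrom_unlabeled(dccifd_t)
-corenet_all_recvfrom_netlabel(dccifd_t)
-corenet_udp_sendrecv_generic_if(dccifd_t)
-corenet_udp_sendrecv_generic_node(dccifd_t)
-corenet_udp_sendrecv_all_ports(dccifd_t)
-
 dev_read_sysfs(dccifd_t)
 
 domain_use_interactive_fds(dccifd_t)
 
-files_read_etc_files(dccifd_t)
 files_read_etc_runtime_files(dccifd_t)
 
 fs_getattr_all_fs(dccifd_t)
@@ -341,14 +297,12 @@ optional_policy(`
 
 ########################################
 #
-# sendmail milter client local policy
+# Sendmail milter client local policy
 #
 
 dontaudit dccm_t self:capability sys_tty_config;
 allow dccm_t self:process signal_perms;
-allow dccm_t self:unix_stream_socket create_stream_socket_perms;
-allow dccm_t self:unix_dgram_socket create_socket_perms;
-allow dccm_t self:udp_socket create_socket_perms;
+allow dccm_t self:unix_stream_socket { accept listen };
 
 allow dccm_t dcc_client_map_t:file rw_file_perms;
 
@@ -370,17 +324,10 @@ files_pid_filetrans(dccm_t, dccm_var_run_t, file)
 kernel_read_system_state(dccm_t)
 kernel_read_kernel_sysctls(dccm_t)
 
-corenet_all_recvfrom_unlabeled(dccm_t)
-corenet_all_recvfrom_netlabel(dccm_t)
-corenet_udp_sendrecv_generic_if(dccm_t)
-corenet_udp_sendrecv_generic_node(dccm_t)
-corenet_udp_sendrecv_all_ports(dccm_t)
-
 dev_read_sysfs(dccm_t)
 
 domain_use_interactive_fds(dccm_t)
 
-files_read_etc_files(dccm_t)
 files_read_etc_runtime_files(dccm_t)
 
 fs_getattr_all_fs(dccm_t)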
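Review bot: In the server hunk (`@@ -201,28 +172,21 @@`) `allow dccd_t self:udp_socket create_socket_perms;` is removed while `corenet_udp_bind_dcc_port(dccd_t)` is kept in the following hunk, so permission to create the UDP socket that dccd binds must now come from an interface call not visible in this diff. The same applies to cdcc_t, dcc_client_t, dcc_dbclean_t, dccifd_t and dccm_t, which lose their `self:udp_socket` rules and all `corenet_udp_sendrecv_*` calls. For cdcc_t and dcc_dbclean_t the context shows `auth_use_nsswitch(...)`, which presumably supplies the socket and network access, but that is an inference and nothing comparable is visible for the other domains. Because the message describes this only as a clean-up, I would record the dependency where the rules used to be, e.g. `# UDP socket and network access are provided by auth_use_nsswitch()`, and confirm in enforcing mode that these domains raise no new AVC denials. The new `allow dccifd_t self:unix_stream_socket { accept listen };` and its dccm_t twin rely on create and bind being granted elsewhere in the same way.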