
From: Sven Vermeulen <sven.vermeulen@××××××.be>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
Date: Tue, 30 Oct 2012 18:38:21
Message-Id: 1351621985.166b68ef829e09d95f49f40665a28d587a3b54e8.SwifT@gentoo
1 commit: 166b68ef829e09d95f49f40665a28d587a3b54e8
2 Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
3 AuthorDate: Tue Oct 30 10:21:34 2012 +0000
4 Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
5 CommitDate: Tue Oct 30 18:33:05 2012 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=166b68ef
7
8 Changes to the ulogd policy module
9
10 Ported from Fedora with changes
11
12 Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
13
14 ---
15 policy/modules/contrib/ulogd.fc | 6 ++++--
16 policy/modules/contrib/ulogd.if | 16 ++++++++--------
17 policy/modules/contrib/ulogd.te | 31 ++++++++++++-------------------
18 3 files changed, 24 insertions(+), 29 deletions(-)
19
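diff --git a/policy/modules/contrib/ulogd.fc b/policy/modules/contrib/ulogd.fc
index 842d11e..d5f8ac0 100644
--- a/policy/modules/contrib/ulogd.fc
+++ b/policy/modules/contrib/ulogd.fc
@@ -1,7 +1,9 @@
+/etc/ulogd\.conf -- gen_context(system_u:object_r:ulogd_etc_t,s0)
+
 /etc/rc\.d/init\.d/ulogd -- gen_context(system_u:object_r:ulogd_initrc_exec_t,s0)
-/etc/ulogd.conf -- gen_context(system_u:object_r:ulogd_etc_t,s0)
 
-/usr/lib/ulogd(/.*)? gen_context(system_u:object_r:ulogd_modules_t,s0)
+/usr/lib/ulogd(/.*)? gen_context(system_u:object_r:ulogd_modules_t,s0)
 
 /usr/sbin/ulogd -- gen_context(system_u:object_r:ulogd_exec_t,s0)
 
 /var/log/ulogd(/.*)? gen_context(system_u:object_r:ulogd_var_log_t,s0)
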
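Review bot: The re-added `/usr/lib/ulogd(/.*)?` entry only labels the plugin directory under /usr/lib; on a multilib host the plugins under /usr/lib64/ulogd would keep the default library label unless the policy build's file_contexts substitution maps lib64 onto lib, and in that case the `mmap_files_pattern` on ulogd_modules_t in ulogd.te would not cover the modules actually loaded. If the substitution is relied on, a one-line comment above the entry saying so (`# lib64 is covered by file_contexts.subs_dist`) would stop the next reader from re-raising this. Escaping the dot in `/etc/ulogd\.conf` is the right fix; the unescaped form also matched e.g. /etc/ulogdXconf.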
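diff --git a/policy/modules/contrib/ulogd.if b/policy/modules/contrib/ulogd.if
index d23be5c..9b95c3e 100644
--- a/policy/modules/contrib/ulogd.if
+++ b/policy/modules/contrib/ulogd.if
@@ -15,13 +15,13 @@ interface(`ulogd_domtrans',`
 type ulogd_t, ulogd_exec_t;
 ')
 
+ corecmd_search_bin($1)
 domtrans_pattern($1, ulogd_exec_t, ulogd_t)
 ')
 
 ########################################
 ## <summary>
-## Allow the specified domain to read
-## ulogd configuration files.
+## Read ulogd configuration files.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -41,7 +41,7 @@ interface(`ulogd_read_config',`
 
 ########################################
 ## <summary>
-## Allow the specified domain to read ulogd's log files.
+## Read ulogd log files.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -62,7 +62,7 @@ interface(`ulogd_read_log',`
 
 #######################################
 ## <summary>
-## Allow the specified domain to search ulogd's log files.
+## Search ulogd log files.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -81,7 +81,7 @@ interface(`ulogd_search_log',`
 
 ########################################
 ## <summary>
-## Allow the specified domain to append to ulogd's log files.
+## Append to ulogd log files.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -102,8 +102,8 @@ interface(`ulogd_append_log',`
 
 ########################################
 ## <summary>
-## All of the rules required to administrate
-## an ulogd environment
+## All of the rules required to
+## administrate an ulogd environment.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -112,7 +112,7 @@ interface(`ulogd_append_log',`
 ## </param>
 ## <param name="role">
 ## <summary>
-## The role to be allowed to manage the syslog domain.
+## Role allowed access.
 ## </summary>
 ## </param>
 ## <rolecap/>
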
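diff --git a/policy/modules/contrib/ulogd.te b/policy/modules/contrib/ulogd.te
index 3b953f5..c6acbbe 100644
--- a/policy/modules/contrib/ulogd.te
+++ b/policy/modules/contrib/ulogd.te
@@ -1,4 +1,4 @@
-policy_module(ulogd, 1.2.0)
+policy_module(ulogd, 1.2.1)
 
 ########################################
 #
@@ -9,38 +9,37 @@ type ulogd_t;
 type ulogd_exec_t;
 init_daemon_domain(ulogd_t, ulogd_exec_t)
 
-# config files
 type ulogd_etc_t;
-files_type(ulogd_etc_t)
+files_config_file(ulogd_etc_t)
 
 type ulogd_initrc_exec_t;
 init_script_file(ulogd_initrc_exec_t)
 
-# /usr/lib files
 type ulogd_modules_t;
 files_type(ulogd_modules_t)
 
-# log files
 type ulogd_var_log_t;
 logging_log_file(ulogd_var_log_t)
 
 ########################################
 #
-# ulogd local policy
+# Local policy
 #
 
-allow ulogd_t self:capability net_admin;
+allow ulogd_t self:capability { net_admin sys_nice };
+allow ulogd_t self:process setsched;
 allow ulogd_t self:netlink_nflog_socket create_socket_perms;
+allow ulogd_t self:netlink_socket create_socket_perms;
+allow ulogd_t self:tcp_socket create_stream_socket_perms;
 
-# config files
 read_files_pattern(ulogd_t, ulogd_etc_t, ulogd_etc_t)
 
-# modules for ulogd
 list_dirs_pattern(ulogd_t, ulogd_modules_t, ulogd_modules_t)
 mmap_files_pattern(ulogd_t, ulogd_modules_t, ulogd_modules_t)
 
-# log files
-manage_files_pattern(ulogd_t, ulogd_var_log_t, ulogd_var_log_t)
+append_files_pattern(ulogd_t, ulogd_var_log_t, ulogd_var_log_t)
+create_files_pattern(ulogd_t, ulogd_var_log_t, ulogd_var_log_t)
+setattr_files_pattern(ulogd_t, ulogd_var_log_t, ulogd_var_log_t)
 logging_log_filetrans(ulogd_t, ulogd_var_log_t, file)
 
 files_read_etc_files(ulogd_t)
@@ -48,20 +47,14 @@ files_read_usr_files(ulogd_t)
 
 miscfiles_read_localization(ulogd_t)
 
-optional_policy(`
- allow ulogd_t self:tcp_socket create_stream_socket_perms;
+sysnet_dns_name_resolve(ulogd_t)
 
+optional_policy(`
 mysql_stream_connect(ulogd_t)
 mysql_tcp_connect(ulogd_t)
-
- sysnet_dns_name_resolve(ulogd_t)
 ')
 
 optional_policy(`
- allow ulogd_t self:tcp_socket create_stream_socket_perms;
-
 postgresql_stream_connect(ulogd_t)
 postgresql_tcp_connect(ulogd_t)
-
- sysnet_dns_name_resolve(ulogd_t)
 ')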
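Review bot: `sysnet_dns_name_resolve(ulogd_t)` in this hunk, and `allow ulogd_t self:tcp_socket create_stream_socket_perms;` in the local-policy hunk above, are now granted unconditionally, whereas before the commit both lived inside the mysql and postgresql optional blocks; a host that only writes local log files gets name-resolution and TCP client access for nothing. If other ulogd output plugins need the network, a comment naming them above the two rules (`# tcp/dns: needed by the remote output plugins, not only the SQL ones`) or a `tunable_policy` around them would keep the widening explicit; otherwise moving them back into the optional blocks restores the previous least-privilege scoping. The new generic `allow ulogd_t self:netlink_socket create_socket_perms;` next to the nflog rule also has no why-comment, and since the generic netlink class is broader than the nflog one it deserves a line such as `# generic netlink: TODO name the plugin that needs it` so the grant can be revisited. Replacing `manage_files_pattern` on the log type with append/create/setattr is a clear improvement, as the daemon can no longer truncate or unlink its own logs.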