commit: 166b68ef829e09d95f49f40665a28d587a3b54e8 |
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com> |
AuthorDate: Tue Oct 30 10:21:34 2012 +0000 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
CommitDate: Tue Oct 30 18:33:05 2012 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=166b68ef |
|
Changes to the ulogd policy module |
|
Ported from Fedora with changes |
|
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com> |
|
--- |
policy/modules/contrib/ulogd.fc | 6 ++++-- |
policy/modules/contrib/ulogd.if | 16 ++++++++-------- |
policy/modules/contrib/ulogd.te | 31 ++++++++++++------------------- |
3 files changed, 24 insertions(+), 29 deletions(-) |
|
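--- a/policy/modules/contrib/ulogd.fc
+++ b/policy/modules/contrib/ulogd.fc
@@ -1,7 +1,9 @@
+/etc/ulogd\.conf	--	gen_context(system_u:object_r:ulogd_etc_t,s0)
+
 /etc/rc\.d/init\.d/ulogd	--	gen_context(system_u:object_r:ulogd_initrc_exec_t,s0)
-/etc/ulogd.conf	--	gen_context(system_u:object_r:ulogd_etc_t,s0)
 
-/usr/lib/ulogd(/.*)?	gen_context(system_u:object_r:ulogd_modules_t,s0)
+/usr/lib/ulogd(/.*)?	gen_context(system_u:object_r:ulogd_modules_t,s0)
+
 /usr/sbin/ulogd	--	gen_context(system_u:object_r:ulogd_exec_t,s0)
 
 /var/log/ulogd(/.*)?	gen_context(system_u:object_r:ulogd_var_log_t,s0)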
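--- a/policy/modules/contrib/ulogd.if
+++ b/policy/modules/contrib/ulogd.if
@@ -15,13 +15,13 @@ interface(`ulogd_domtrans',`
 	type ulogd_t, ulogd_exec_t;
 ')
 
+	corecmd_search_bin($1)
 	domtrans_pattern($1, ulogd_exec_t, ulogd_t)
 ')
 
 ########################################
 ## <summary>
-##	Allow the specified domain to read
-##	ulogd configuration files.
+##	Read ulogd configuration files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -41,7 +41,7 @@ interface(`ulogd_read_config',`
 
 ########################################
 ## <summary>
-##	Allow the specified domain to read ulogd's log files.
+##	Read ulogd log files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -62,7 +62,7 @@ interface(`ulogd_read_log',`
 
 #######################################
 ## <summary>
-##	Allow the specified domain to search ulogd's log files.
+##	Search ulogd log files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -81,7 +81,7 @@ interface(`ulogd_search_log',`
 
 ########################################
 ## <summary>
-##	Allow the specified domain to append to ulogd's log files.
+##	Append to ulogd log files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -102,8 +102,8 @@ interface(`ulogd_append_log',`
 
 ########################################
 ## <summary>
-##	All of the rules required to administrate
-##	an ulogd environment
+##	All of the rules required to
+##	administrate an ulogd environment.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -112,7 +112,7 @@ interface(`ulogd_append_log',`
 ## </param>
 ## <param name="role">
 ##	<summary>
-##	The role to be allowed to manage the syslog domain.
+##	Role allowed access.
 ##	</summary>
 ## </param>
 ## <rolecap/>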
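--- a/policy/modules/contrib/ulogd.te
+++ b/policy/modules/contrib/ulogd.te
@@ -1,4 +1,4 @@
-policy_module(ulogd, 1.2.0)
+policy_module(ulogd, 1.2.1)
 
 ########################################
 #
@@ -9,38 +9,37 @@ type ulogd_t;
 type ulogd_exec_t;
 init_daemon_domain(ulogd_t, ulogd_exec_t)
 
-# config files
 type ulogd_etc_t;
-files_type(ulogd_etc_t)
+files_config_file(ulogd_etc_t)
 
 type ulogd_initrc_exec_t;
 init_script_file(ulogd_initrc_exec_t)
 
-# /usr/lib files
 type ulogd_modules_t;
 files_type(ulogd_modules_t)
 
-# log files
 type ulogd_var_log_t;
 logging_log_file(ulogd_var_log_t)
 
 ########################################
 #
-# ulogd local policy
+# Local policy
 #
 
-allow ulogd_t self:capability net_admin;
+allow ulogd_t self:capability { net_admin sys_nice };
+allow ulogd_t self:process setsched;
 allow ulogd_t self:netlink_nflog_socket create_socket_perms;
+allow ulogd_t self:netlink_socket create_socket_perms;
+allow ulogd_t self:tcp_socket create_stream_socket_perms;
 
-# config files
 read_files_pattern(ulogd_t, ulogd_etc_t, ulogd_etc_t)
 
-# modules for ulogd
 list_dirs_pattern(ulogd_t, ulogd_modules_t, ulogd_modules_t)
 mmap_files_pattern(ulogd_t, ulogd_modules_t, ulogd_modules_t)
 
-# log files
-manage_files_pattern(ulogd_t, ulogd_var_log_t, ulogd_var_log_t)
+append_files_pattern(ulogd_t, ulogd_var_log_t, ulogd_var_log_t)
+create_files_pattern(ulogd_t, ulogd_var_log_t, ulogd_var_log_t)
+setattr_files_pattern(ulogd_t, ulogd_var_log_t, ulogd_var_log_t)
 logging_log_filetrans(ulogd_t, ulogd_var_log_t, file)
 
 files_read_etc_files(ulogd_t)
@@ -48,20 +47,14 @@ files_read_usr_files(ulogd_t)
 
 miscfiles_read_localization(ulogd_t)
 
-optional_policy(`
-	allow ulogd_t self:tcp_socket create_stream_socket_perms;
+sysnet_dns_name_resolve(ulogd_t)
 
+optional_policy(`
 	mysql_stream_connect(ulogd_t)
 	mysql_tcp_connect(ulogd_t)
-
-	sysnet_dns_name_resolve(ulogd_t)
 ')
 
 optional_policy(`
-	allow ulogd_t self:tcp_socket create_stream_socket_perms;
-
 	postgresql_stream_connect(ulogd_t)
 	postgresql_tcp_connect(ulogd_t)
-
-	sysnet_dns_name_resolve(ulogd_t)
 ')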
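Review bot: Moving `allow ulogd_t self:tcp_socket create_stream_socket_perms;` and `sysnet_dns_name_resolve(ulogd_t)` out of the mysql and postgresql optional_policy blocks grants TCP socket creation and DNS resolution to ulogd_t unconditionally, including on builds with no database backend; the port-connect rules (mysql_tcp_connect, postgresql_tcp_connect) stay optional, so the widening is bounded, but the reason for making these two rules unconditional belongs in a comment above them. The new generic `allow ulogd_t self:netlink_socket create_socket_perms;` likewise says nothing about which ulogd plugin needs it alongside the existing netlink_nflog_socket rule; a short comment such as `# <plugin> needs a generic netlink socket -- TODO confirm` would stop a later cleanup from dropping it as redundant. The `sys_nice` capability and `process setsched` pair is a scheduling-priority grant that is also undocumented here. Replacing manage_files_pattern on ulogd_var_log_t with append/create/setattr is a real tightening, since the daemon can no longer rewrite or unlink its own logs, and deserves a line in the commit message rather than being hidden under "Ported from Fedora with changes".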