From: "Sven Vermeulen" <sven.vermeulen@siphos.be>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/, policy/modules/system/
Date: Wed, 27 Jun 2012 19:12:11 +0000 (UTC)	[thread overview]
Message-ID: <1340824274.65c75e23dccd7c35b7ba50a5e8f1d094c0410c80.SwifT@gentoo> (raw)

commit:     65c75e23dccd7c35b7ba50a5e8f1d094c0410c80
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Jun 27 19:11:14 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Jun 27 19:11:14 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=65c75e23

Rework and refactoring based on refpolicy feedback

---
 policy/modules/contrib/apache.if         |    2 +-
 policy/modules/contrib/dracut.fc         |    3 ++-
 policy/modules/contrib/dracut.if         |    8 +++-----
 policy/modules/contrib/dracut.te         |   29 ++++++++++-------------------
 policy/modules/contrib/networkmanager.te |    8 --------
 policy/modules/contrib/rpm.fc            |    3 +++
 policy/modules/system/libraries.te       |    4 ----
 policy/modules/system/modutils.if        |    9 ++++++---
 policy/modules/system/modutils.te        |    2 +-
 policy/modules/system/udev.if            |    2 ++
 10 files changed, 28 insertions(+), 42 deletions(-)

diff --git a/policy/modules/contrib/apache.if b/policy/modules/contrib/apache.if
index a1d1905..6696f6b 100644
--- a/policy/modules/contrib/apache.if
+++ b/policy/modules/contrib/apache.if
@@ -479,7 +479,7 @@ interface(`apache_read_all_ra_content',`
 ## </param>
 ## <rolecap/>
 #
-interface(`apache_append_all_ra_content_files',`
+interface(`apache_append_all_ra_content',`
 	gen_require(`
 		attribute httpd_ra_content;
 	')

diff --git a/policy/modules/contrib/dracut.fc b/policy/modules/contrib/dracut.fc
index fca0d67..75533ca 100644
--- a/policy/modules/contrib/dracut.fc
+++ b/policy/modules/contrib/dracut.fc
@@ -1,4 +1,5 @@
 #
 # /usr
 #
-/usr/(s)?bin/dracut	--	gen_context(system_u:object_r:dracut_exec_t,s0)
+/usr/sbin/dracut	--	gen_context(system_u:object_r:dracut_exec_t,s0)
+/usr/bin/dracut	--	gen_context(system_u:object_r:dracut_exec_t,s0)

diff --git a/policy/modules/contrib/dracut.if b/policy/modules/contrib/dracut.if
index 929fffd..e8a0e53 100644
--- a/policy/modules/contrib/dracut.if
+++ b/policy/modules/contrib/dracut.if
@@ -46,7 +46,7 @@ interface(`dracut_run',`
 
 ########################################
 ## <summary>
-## 	Allow domain to manage dracut temporary files
+## 	Read/write dracut temporary files
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -54,7 +54,7 @@ interface(`dracut_run',`
 ##	</summary>
 ## </param>
 #
-interface(`dracut_manage_tmp_files',`
+interface(`dracut_rw_tmp_files',`
 	gen_require(`
 		type dracut_tmp_t;
 	')
@@ -62,8 +62,6 @@ interface(`dracut_manage_tmp_files',`
 	files_search_var($1)
 	files_search_tmp($1)
 
-	manage_files_pattern($1, dracut_tmp_t, dracut_tmp_t)
-	manage_dirs_pattern($1, dracut_tmp_t, dracut_tmp_t)
-	read_lnk_files_pattern($1, dracut_tmp_t, dracut_tmp_t)
+	rw_files_pattern($1, dracut_tmp_t, dracut_tmp_t)
 ')
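Review bot: `rw_files_pattern($1, dracut_tmp_t, dracut_tmp_t)` grants only search on dracut_tmp_t directories and read/write on files that already exist, so the one remaining caller in this commit, depmod_t, can no longer create, rename or unlink anything under the dracut staging tree. dracut runs depmod with `-b "$initdir"`, and depmod produces modules.dep and friends as new files (normally via a temporary file plus rename), which needs `manage_files_pattern` and `add_name`/`remove_name` on the directories; I cannot confirm from the diff alone that this is the access pattern, but if it is, the narrowing is too aggressive and the `manage_files_pattern`/`manage_dirs_pattern` calls should stay, or the summary should state that callers only update pre-existing files. The interface summary and signature are in an earlier hunk; only the end of the body is visible here.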
 

diff --git a/policy/modules/contrib/dracut.te b/policy/modules/contrib/dracut.te
index 4bd6cb3..d61e49e 100644
--- a/policy/modules/contrib/dracut.te
+++ b/policy/modules/contrib/dracut.te
@@ -15,23 +15,27 @@ files_tmp_file(dracut_tmp_t)
 # Local policy
 #
 allow dracut_t self:process setfscreate;
+allow dracut_t self:capability dac_override;
 allow dracut_t self:fifo_file rw_fifo_file_perms;
 allow dracut_t self:unix_stream_socket create_stream_socket_perms;
 
 manage_files_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t)
-manage_lnk_files_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t)
 manage_dirs_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t)
-files_tmp_filetrans(dracut_t, dracut_tmp_t, { file lnk_file dir })
+manage_lnk_files_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t)
+manage_chr_files_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t)
+files_tmp_filetrans(dracut_t, dracut_tmp_t, dir)
 
 manage_files_pattern(dracut_t, dracut_var_log_t, dracut_var_log_t)
 logging_log_filetrans(dracut_t, dracut_var_log_t, file)
 
+kernel_read_messages(dracut_t)
 kernel_read_system_state(dracut_t)
 
 corecmd_exec_bin(dracut_t)
 corecmd_exec_shell(dracut_t)
-corecmd_read_all_executables(dracut_t)
+corecmd_mmap_all_executables(dracut_t)
 
+dev_read_kmsg(dracut_t)
 dev_read_sysfs(dracut_t)
 
 domain_use_interactive_fds(dracut_t)
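Review bot: `allow dracut_t self:capability dac_override;` is added without a comment on which access path needs it; dac_override bypasses every DAC check on files, so refpolicy convention is to justify it in place (e.g. `# dac_override: access to root-only files staged under $initdir`) or to use the narrower `dac_read_search` when only reading/searching other owners' files is required. Separately, `manage_chr_files_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t)` implies dracut mknods device nodes into the staging tree, and the kernel gates that on CAP_MKNOD; unless it is granted outside this hunk, the line should read `allow dracut_t self:capability { dac_override mknod };`. The dracut_t local policy continues past the end of the hunk.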
@@ -42,35 +46,22 @@ files_read_kernel_modules(dracut_t)
 files_read_usr_files(dracut_t)
 files_search_pids(dracut_t)
 
-fstools_exec(dracut_t)
-
-libs_domtrans_ldconfig(dracut_t)
+libs_exec_ldconfig(dracut_t)
 libs_exec_ld_so(dracut_t)
 libs_exec_lib_files(dracut_t)
 
 miscfiles_read_localization(dracut_t)
 
-modutils_exec_depmod(dracut_t)
-modutils_exec_insmod(dracut_t)
-modutils_list_module_config(dracut_t)
+modutils_list_module_config(dracut_t) #find /etc/modprobe.d
 modutils_read_module_config(dracut_t)
 modutils_read_module_deps(dracut_t)
 
-mount_exec(dracut_t)
-
-seutil_exec_setfiles(dracut_t)
-
-udev_exec(dracut_t)
 udev_read_rules_files(dracut_t)
 
+userdom_search_user_home_dirs(dracut_t)
 userdom_use_user_terminals(dracut_t)
 
 optional_policy(`
-	dmesg_exec(dracut_t)
-')
-
-optional_policy(`
-	lvm_exec(dracut_t)
 	lvm_read_config(dracut_t)
 ')
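Review bot: The hunk removes `modutils_exec_depmod(dracut_t)` but adds no `modutils_domtrans_depmod(dracut_t)`, while modutils.te in the same commit keeps giving depmod_t read/write access to dracut_tmp_t; that only makes sense if dracut_t transitions to depmod_t, and unless the domtrans is already granted outside this hunk dracut's `depmod -a -b "$initdir"` call will be denied on exec. The same question applies to the removed udev_exec/mount_exec/fstools_exec/seutil_exec_setfiles lines if dracut still invokes those tools rather than only copying them into the image. Minor style: `modutils_list_module_config(dracut_t) #find /etc/modprobe.d` should follow refpolicy convention with the comment on its own line above the call, `# find /etc/modprobe.d`.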
 

diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
index 8e89b43..1e1dab0 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -295,14 +295,6 @@ domain_use_interactive_fds(wpa_cli_t)
 files_read_etc_files(wpa_cli_t)
 files_search_pids(wpa_cli_t)
 
-fs_manage_tmpfs_dirs(wpa_cli_t)
-fs_manage_tmpfs_sockets(wpa_cli_t)
-fs_manage_tmpfs_sockets(NetworkManager_t)
-fs_rw_tmpfs_files(wpa_cli_t)
-fs_rw_tmpfs_files(NetworkManager_t)
-fs_search_tmpfs(wpa_cli_t)
-fs_search_tmpfs(NetworkManager_t)
-
 term_dontaudit_use_console(wpa_cli_t)
 
 getty_use_fds(wpa_cli_t)

diff --git a/policy/modules/contrib/rpm.fc b/policy/modules/contrib/rpm.fc
index b206bf6..b2a0b6a 100644
--- a/policy/modules/contrib/rpm.fc
+++ b/policy/modules/contrib/rpm.fc
@@ -7,6 +7,7 @@
 
 /usr/bin/yum 			--	gen_context(system_u:object_r:rpm_exec_t,s0)
 
+/usr/libexec/packagekitd	--	gen_context(system_u:object_r:rpm_exec_t,s0)
 /usr/libexec/yumDBUSBackend.py	--	gen_context(system_u:object_r:rpm_exec_t,s0)
 
 /usr/sbin/yum-complete-transaction --	gen_context(system_u:object_r:rpm_exec_t,s0)
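Review bot: Labelling `/usr/libexec/packagekitd` as rpm_exec_t puts a D-Bus-activated, long-lived daemon that services requests from unprivileged sessions into rpm_t, one of the most privileged domains in the policy, so the effective trust boundary becomes polkit rather than SELinux. If a dedicated packagekit domain is out of scope, a comment on this line should record the decision so it is not mistaken for an oversight, e.g. `# packagekitd runs in rpm_t; no dedicated domain yet`. The existing `yumDBUSBackend.py` entry on the next line has the same exposure, so this is at least consistent with current practice in the file.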
@@ -27,9 +28,11 @@ ifdef(`distro_redhat', `
 /usr/sbin/up2date		--	gen_context(system_u:object_r:rpm_exec_t,s0)
 ')
 
+/var/cache/PackageKit(/.*)?		gen_context(system_u:object_r:rpm_var_cache_t,s0)
 /var/cache/yum(/.*)?			gen_context(system_u:object_r:rpm_var_cache_t,s0)
 
 /var/lib/alternatives(/.*)?		gen_context(system_u:object_r:rpm_var_lib_t,s0)
+/var/lib/PackageKit(/.*)?		gen_context(system_u:object_r:rpm_var_lib_t,s0)
 /var/lib/rpm(/.*)?			gen_context(system_u:object_r:rpm_var_lib_t,s0)
 /var/lib/yum(/.*)?			gen_context(system_u:object_r:rpm_var_lib_t,s0)
 

diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
index 50332d3..5a16f99 100644
--- a/policy/modules/system/libraries.te
+++ b/policy/modules/system/libraries.te
@@ -131,10 +131,6 @@ optional_policy(`
 ')
 
 optional_policy(`
-	dracut_manage_tmp_files(ldconfig_t)
-')
-
-optional_policy(`
 	puppet_rw_tmp(ldconfig_t)
 ')
 

diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if
index 19d328a..ad5f878 100644
--- a/policy/modules/system/modutils.if
+++ b/policy/modules/system/modutils.if
@@ -39,7 +39,7 @@ interface(`modutils_read_module_deps',`
 
 ########################################
 ## <summary>
-##	List the module configuration option files 
+##	List the module configuration option files
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -53,11 +53,14 @@ interface(`modutils_list_module_config',`
 		type modules_conf_t;
 	')
 
+	# This file type can be in /etc or
+	# /lib(64)?/modules
+	files_search_etc($1)
+	files_search_boot($1)
+
 	list_dirs_pattern($1, modules_conf_t, modules_conf_t)
 ')
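Review bot: The new comment says modules_conf_t can live under `/lib(64)?/modules`, but the call added for it is `files_search_boot($1)`, which grants search on boot_t (/boot) and not on the lib_t and modules_object_t directories that lead to /lib/modules. Either the comment should name /boot, if a modules_conf_t file is really labelled there, or the call should be replaced with `libs_search_lib($1)` plus the modules_object_t search interface from files.if; as written the comment and the permission do not agree, which will mislead the next person chasing a denial. The interface header is in the lines above this hunk.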
 
-
-
 ########################################
 ## <summary>
 ##	Read the configuration options used when

diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index 43e99e5..78137a5 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -89,7 +89,7 @@ tunable_policy(`use_samba_home_dirs',`
 ')
 
 optional_policy(`
-	dracut_manage_tmp_files(depmod_t)
+	dracut_rw_tmp_files(depmod_t)
 ')
 
 optional_policy(`

diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
index 46c8e82..8f59ae9 100644
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@@ -184,6 +184,8 @@ interface(`udev_read_rules_files',`
 		type udev_rules_t;
 	')
 
+	files_search_etc($1) # /etc/udev/rules.d
+	udev_search_pids($1) # /run/udev/rules.d
 	read_files_pattern($1, udev_rules_t, udev_rules_t)
 ')
 


