From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from pigeon.gentoo.org ([208.92.234.80] helo=lists.gentoo.org) by finch.gentoo.org with esmtp (Exim 4.60) (envelope-from ) id 1SjxfX-0000JT-Fd for garchives@archives.gentoo.org; Wed, 27 Jun 2012 19:12:51 +0000 Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 96642E0860; Wed, 27 Jun 2012 19:12:14 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) by pigeon.gentoo.org (Postfix) with ESMTP id 572F3E0860 for ; Wed, 27 Jun 2012 19:12:14 +0000 (UTC) Received: from hornbill.gentoo.org (hornbill.gentoo.org [94.100.119.163]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 85F841B4723 for ; Wed, 27 Jun 2012 19:12:13 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by hornbill.gentoo.org (Postfix) with ESMTP id A3BCBE5442 for ; Wed, 27 Jun 2012 19:12:11 +0000 (UTC) 
From: "Sven Vermeulen" To: gentoo-commits@lists.gentoo.org Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" Message-ID: <1340824274.65c75e23dccd7c35b7ba50a5e8f1d094c0410c80.SwifT@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/, policy/modules/system/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/contrib/apache.if policy/modules/contrib/dracut.fc policy/modules/contrib/dracut.if policy/modules/contrib/dracut.te policy/modules/contrib/networkmanager.te policy/modules/contrib/rpm.fc policy/modules/system/libraries.te policy/modules/system/modutils.if policy/modules/system/modutils.te policy/modules/system/udev.if X-VCS-Directories: policy/modules/contrib/ policy/modules/system/ X-VCS-Committer: SwifT X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: 65c75e23dccd7c35b7ba50a5e8f1d094c0410c80 X-VCS-Branch: master Date: Wed, 27 Jun 2012 19:12:11 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: quoted-printable X-Archives-Salt: 9bb4d7ba-8b00-4548-872f-3e287888e5bc X-Archives-Hash: 1518cf13b579d96825bdb3bca37f01dc commit: 65c75e23dccd7c35b7ba50a5e8f1d094c0410c80 Author: Sven Vermeulen siphos be> AuthorDate: Wed Jun 27 19:11:14 2012 +0000 Commit: Sven Vermeulen siphos be> CommitDate: Wed Jun 27 19:11:14 2012 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=3Dproj/hardened-refp= olicy.git;a=3Dcommit;h=3D65c75e23 Rework and refactoring based on refpolicy feedback --- policy/modules/contrib/apache.if | 2 +- policy/modules/contrib/dracut.fc | 3 ++- policy/modules/contrib/dracut.if | 8 +++----- policy/modules/contrib/dracut.te | 29 ++++++++++--------------= ----- policy/modules/contrib/networkmanager.te | 8 -------- policy/modules/contrib/rpm.fc | 3 +++ policy/modules/system/libraries.te | 4 ---- 
policy/modules/system/modutils.if | 9 ++++++--- policy/modules/system/modutils.te | 2 +- policy/modules/system/udev.if | 2 ++ 10 files changed, 28 insertions(+), 42 deletions(-)
diff --git a/policy/modules/contrib/apache.if b/policy/modules/contrib/ap= ache.if
index a1d1905..6696f6b 100644
--- a/policy/modules/contrib/apache.if
+++ b/policy/modules/contrib/apache.if
@@ -479,7 +479,7 @@ interface(`apache_read_all_ra_content',`
 ##
 ##
 #
-interface(`apache_append_all_ra_content_files',`
+interface(`apache_append_all_ra_content',`
 gen_require(`
 attribute httpd_ra_content;
 ')
diff --git a/policy/modules/contrib/dracut.fc b/policy/modules/contrib/dr= acut.fc
index fca0d67..75533ca 100644
--- a/policy/modules/contrib/dracut.fc
+++ b/policy/modules/contrib/dracut.fc
@@ -1,4 +1,5 @@
 #
 # /usr
 #
-/usr/(s)?bin/dracut -- gen_context(system_u:object_r:dracut_exec_t,s0)
+/usr/sbin/dracut -- gen_context(system_u:object_r:dracut_exec_t,s0)
+/usr/bin/dracut -- gen_context(system_u:object_r:dracut_exec_t,s0)
diff --git a/policy/modules/contrib/dracut.if b/policy/modules/contrib/dr= acut.if
index 929fffd..e8a0e53 100644
--- a/policy/modules/contrib/dracut.if
+++ b/policy/modules/contrib/dracut.if
@@ -46,7 +46,7 @@ interface(`dracut_run',`
=20
 ########################################
 ##
-## Allow domain to manage dracut temporary files
+## Read/write dracut temporary files
 ##
 ##
 ##
@@ -54,7 +54,7 @@ interface(`dracut_run',`
 ##
 ##
 #
-interface(`dracut_manage_tmp_files',`
+interface(`dracut_rw_tmp_files',`
 gen_require(`
 type dracut_tmp_t;
 ')
@@ -62,8 +62,6 @@ interface(`dracut_manage_tmp_files',`
 files_search_var($1)
 files_search_tmp($1)
=20
- manage_files_pattern($1, dracut_tmp_t, dracut_tmp_t)
- manage_dirs_pattern($1, dracut_tmp_t, dracut_tmp_t)
- read_lnk_files_pattern($1, dracut_tmp_t, dracut_tmp_t)
+ rw_files_pattern($1, dracut_tmp_t, dracut_tmp_t)
 ')
=20
diff --git a/policy/modules/contrib/dracut.te b/policy/modules/contrib/dr= acut.te
index 4bd6cb3..d61e49e 100644
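Review bot: Dropping `read_lnk_files_pattern` together with the manage rules in the `@@ -62,8 +62,6` hunk leaves callers of the renamed `dracut_rw_tmp_files` unable to follow symlinks in the dracut staging tree, while the dracut.te change in this same commit adds `manage_lnk_files_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t)`, so symlinks are expected there. The remaining caller in modutils.te is depmod_t; if depmod resolves symlinks while walking the tree handed to it, this will surface as lnk_file denials rather than as a policy error. Either keep `read_lnk_files_pattern($1, dracut_tmp_t, dracut_tmp_t)` next to the new `rw_files_pattern` line, or say in the interface summary that symlink access is deliberately excluded so the narrowing reads as intentional.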
--- a/policy/modules/contrib/dracut.te
+++ b/policy/modules/contrib/dracut.te
@@ -15,23 +15,27 @@ files_tmp_file(dracut_tmp_t)
 # Local policy
 #
 allow dracut_t self:process setfscreate;
+allow dracut_t self:capability dac_override;
 allow dracut_t self:fifo_file rw_fifo_file_perms;
 allow dracut_t self:unix_stream_socket create_stream_socket_perms;
=20
 manage_files_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t)
-manage_lnk_files_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t)
 manage_dirs_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t)
-files_tmp_filetrans(dracut_t, dracut_tmp_t, { file lnk_file dir })
+manage_lnk_files_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t)
+manage_chr_files_pattern(dracut_t, dracut_tmp_t, dracut_tmp_t)
+files_tmp_filetrans(dracut_t, dracut_tmp_t, dir)
=20
 manage_files_pattern(dracut_t, dracut_var_log_t, dracut_var_log_t)
 logging_log_filetrans(dracut_t, dracut_var_log_t, file)
=20
+kernel_read_messages(dracut_t)
 kernel_read_system_state(dracut_t)
=20
 corecmd_exec_bin(dracut_t)
 corecmd_exec_shell(dracut_t)
-corecmd_read_all_executables(dracut_t)
+corecmd_mmap_all_executables(dracut_t)
=20
+dev_read_kmsg(dracut_t)
 dev_read_sysfs(dracut_t)
=20
 domain_use_interactive_fds(dracut_t)
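Review bot: `allow dracut_t self:capability dac_override;` is added without a comment saying which operation needs it, and this capability bypasses every DAC permission check rather than only read and search. It is the rule most often over-granted in refpolicy where `dac_read_search` would have been enough, and the same hunk also lets dracut_t create character device nodes under dracut_tmp_t via `manage_chr_files_pattern`, so a later reviewer needs the intended scope written down. Suggest annotating both, e.g. `# dac_override: needed for <operation seen in the denial — placeholder>; dac_read_search was not sufficient` above the capability line, and a one-line why above the chr_file rule (presumably device nodes in the initramfs staging tree, but that is an inference from the file name, not from this hunk).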
@@ -42,35 +46,22 @@ files_read_kernel_modules(dracut_t)
 files_read_usr_files(dracut_t)
 files_search_pids(dracut_t)
=20
-fstools_exec(dracut_t)
-
-libs_domtrans_ldconfig(dracut_t)
+libs_exec_ldconfig(dracut_t)
 libs_exec_ld_so(dracut_t)
 libs_exec_lib_files(dracut_t)
=20
 miscfiles_read_localization(dracut_t)
=20
-modutils_exec_depmod(dracut_t)
-modutils_exec_insmod(dracut_t)
-modutils_list_module_config(dracut_t)
+modutils_list_module_config(dracut_t) #find /etc/modprobe.d
 modutils_read_module_config(dracut_t)
 modutils_read_module_deps(dracut_t)
=20
-mount_exec(dracut_t)
-
-seutil_exec_setfiles(dracut_t)
-
-udev_exec(dracut_t)
 udev_read_rules_files(dracut_t)
=20
+userdom_search_user_home_dirs(dracut_t)
 userdom_use_user_terminals(dracut_t)
=20
 optional_policy(`
- dmesg_exec(dracut_t)
-')
-
-optional_policy(`
- lvm_exec(dracut_t)
 lvm_read_config(dracut_t)
 ')
=20
diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/co= ntrib/networkmanager.te
index 8e89b43..1e1dab0 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -295,14 +295,6 @@ domain_use_interactive_fds(wpa_cli_t)
 files_read_etc_files(wpa_cli_t)
 files_search_pids(wpa_cli_t)
=20
-fs_manage_tmpfs_dirs(wpa_cli_t)
-fs_manage_tmpfs_sockets(wpa_cli_t)
-fs_manage_tmpfs_sockets(NetworkManager_t)
-fs_rw_tmpfs_files(wpa_cli_t)
-fs_rw_tmpfs_files(NetworkManager_t)
-fs_search_tmpfs(wpa_cli_t)
-fs_search_tmpfs(NetworkManager_t)
-
 term_dontaudit_use_console(wpa_cli_t)
=20
 getty_use_fds(wpa_cli_t)
diff --git a/policy/modules/contrib/rpm.fc b/policy/modules/contrib/rpm.f= c
index b206bf6..b2a0b6a 100644
--- a/policy/modules/contrib/rpm.fc
+++ b/policy/modules/contrib/rpm.fc
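Review bot: `userdom_search_user_home_dirs(dracut_t)` is the one grant in the `@@ -42,35 +46,22 @@` hunk that widens access, and it comes with no explanation while everything around it is removal. If it only exists to quiet denials from a current working directory inside a home directory when dracut is started by a user, the usual refpolicy choice is the dontaudit form, `userdom_dontaudit_search_user_home_dirs(dracut_t)`, rather than a real search grant; if dracut genuinely reads configuration or modules from home directories, that deserves a comment on the line. The removed `*_exec` rules look consistent with the `corecmd_mmap_all_executables` change in the previous hunk (dracut copying binaries rather than running them) and with depmod_t keeping its own dracut_tmp_t access in modutils.te, but that reading is inferred, not stated by the commit. The trailing `#find /etc/modprobe.d` on `modutils_list_module_config` is a style nit: comments in these .te files normally sit on their own line above the rule.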
@@ -7,6 +7,7 @@
=20
 /usr/bin/yum -- gen_context(system_u:object_r:rpm_exec_t,s0)
=20
+/usr/libexec/packagekitd -- gen_context(system_u:object_r:rpm_exec_t,s0)
 /usr/libexec/yumDBUSBackend.py -- gen_context(system_u:object_r:rpm_exec= _t,s0)
=20
 /usr/sbin/yum-complete-transaction -- gen_context(system_u:object_r:rpm_= exec_t,s0)
@@ -27,9 +28,11 @@ ifdef(`distro_redhat', `
 /usr/sbin/up2date -- gen_context(system_u:object_r:rpm_exec_t,s0)
 ')
=20
+/var/cache/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_cache= _t,s0)
 /var/cache/yum(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
=20
 /var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t= ,s0)
+/var/lib/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s= 0)
 /var/lib/rpm(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
 /var/lib/yum(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0)
=20
diff --git a/policy/modules/system/libraries.te b/policy/modules/system/l= ibraries.te
index 50332d3..5a16f99 100644
--- a/policy/modules/system/libraries.te
+++ b/policy/modules/system/libraries.te
@@ -131,10 +131,6 @@ optional_policy(`
 ')
=20
 optional_policy(`
- dracut_manage_tmp_files(ldconfig_t)
-')
-
-optional_policy(`
 puppet_rw_tmp(ldconfig_t)
 ')
=20
diff --git a/policy/modules/system/modutils.if b/policy/modules/system/mo= dutils.if
index 19d328a..ad5f878 100644
--- a/policy/modules/system/modutils.if
+++ b/policy/modules/system/modutils.if
@@ -39,7 +39,7 @@ interface(`modutils_read_module_deps',`
=20
 ########################################
 ##
-## List the module configuration option files=20
+## List the module configuration option files
 ##
 ##
 ##
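Review bot: Labeling `/usr/libexec/packagekitd` as rpm_exec_t in the `@@ -7,6 +7,7 @@` hunk makes the PackageKit system daemon run as rpm_t, a highly privileged domain, and unlike the yum tools beside it packagekitd is a long-running D-Bus service, so whatever can reach it over the bus now reaches rpm_t's permissions. That may be an accepted trade-off for a policy without a dedicated PackageKit domain, but nothing in the commit records it; a comment above the entry such as `# packagekitd runs as rpm_t: no separate PackageKit domain in this policy` would keep the decision visible. The same note covers the `/var/cache/PackageKit` and `/var/lib/PackageKit` entries in the `@@ -27,9 +28,11 @@` hunk, which fold PackageKit's state into the types rpm_t already manages.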
@@ -53,11 +53,14 @@ interface(`modutils_list_module_config',`
 type modules_conf_t;
 ')
=20
+ # This file type can be in /etc or
+ # /lib(64)?/modules
+ files_search_etc($1)
+ files_search_boot($1)
+
 list_dirs_pattern($1, modules_conf_t, modules_conf_t)
 ')
=20
-
-
 ########################################
 ##
 ## Read the configuration options used when
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/mo= dutils.te
index 43e99e5..78137a5 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -89,7 +89,7 @@ tunable_policy(`use_samba_home_dirs',`
 ')
=20
 optional_policy(`
- dracut_manage_tmp_files(depmod_t)
+ dracut_rw_tmp_files(depmod_t)
 ')
=20
 optional_policy(`
diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.i= f
index 46c8e82..8f59ae9 100644
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@@ -184,6 +184,8 @@ interface(`udev_read_rules_files',`
 type udev_rules_t;
 ')
=20
+ files_search_etc($1) # /etc/udev/rules.d
+ udev_search_pids($1) # /run/udev/rules.d
 read_files_pattern($1, udev_rules_t, udev_rules_t)
 ')
=20
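Review bot: The new comment in the `@@ -53,11 +53,14 @@` hunk says modules_conf_t can live in `/etc` or `/lib(64)?/modules`, but the rule beneath it is `files_search_boot($1)`, which grants search on /boot and says nothing about the module tree. One of the two is wrong: either the comment should read `# /boot`, or the call should be the interface that searches the kernel modules directory (`files_search_kernel_modules($1)`, if this tree provides it; `files_read_kernel_modules` is already used in dracut.te). The enclosing interface `modutils_list_module_config` opens before this hunk.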