* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/, policy/modules/kernel/
@ 2012-07-26 19:23 Sven Vermeulen
From: Sven Vermeulen @ 2012-07-26 19:23 UTC (permalink / raw
To: gentoo-commits
commit: ad1ad721727628e23bac07bd0bc6bb12c140b7fe
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Jul 26 08:09:13 2012 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Thu Jul 26 08:09:13 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=ad1ad721
Working on handling plugins properly within browsers
---
policy/modules/contrib/chromium.te | 93 +++++++++++++++++++++++++++--------
policy/modules/kernel/devices.if | 20 ++++++++
policy/modules/kernel/files.if | 18 +++++++
3 files changed, 109 insertions(+), 22 deletions(-)
diff --git a/policy/modules/contrib/chromium.te b/policy/modules/contrib/chromium.te
index 22a78a0..a0a6c7a 100644
--- a/policy/modules/contrib/chromium.te
+++ b/policy/modules/contrib/chromium.te
@@ -7,6 +7,20 @@ policy_module(chromium-browser, 1.0.0)
## <desc>
## <p>
+## Allow chromium to read user content
+## </p>
+## </desc>
+gen_tunable(chromium_read_user_content, true)
+
+## <desc>
+## <p>
+## Allow chromium to write (manage) user content
+## </p>
+## </desc>
+gen_tunable(chromium_manage_user_content, false)
+
+## <desc>
+## <p>
## Allow the use of java plugins
## </p>
## <p>
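Review bot: The description of `chromium_read_user_content` does not mention that it is on by default (`gen_tunable(chromium_read_user_content, true)`) nor what "user content" covers, and everything the browser process can read is reachable from a compromised browser. If the userdom read interfaces this boolean drives resolve to the generic user-home-content attribute, as they do in upstream refpolicy, that is considerably more than the files a user deliberately opens in the browser; a second paragraph such as `Enabled by default; when disabled, chromium can no longer read generic user home content.` would make the trade-off visible to the administrator. `chromium_manage_user_content` should likewise spell out that "write (manage)" includes creating and deleting files and directories in the home directory, not just writing into existing files.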
@@ -18,6 +32,18 @@ policy_module(chromium-browser, 1.0.0)
## </desc>
gen_tunable(chromium_use_java, false)
+## <desc>
+## <p>
+## Allow chromium to read system information
+## </p>
+## <p>
+## Although not needed for regular browsing, this will allow chromium to update
+## its own memory consumption based on system state, support additional
+## debugging, detect specific devices, etc.
+## </p>
+## </desc>
+gen_tunable(chromium_read_system_info, false)
+
type chromium_t;
domain_dyntrans_type(chromium_t)
@@ -39,6 +65,8 @@ xdg_config_home_content(chromium_xdg_config_t)
type chromium_xdg_cache_t;
xdg_cache_home_content(chromium_xdg_cache_t)
+
+
########################################
#
# chromium local policy
@@ -81,12 +109,7 @@ xdg_cache_home_filetrans(chromium_t, chromium_xdg_cache_t, dir, "chromium")
dyntrans_pattern(chromium_t, chromium_renderer_t)
-kernel_read_kernel_sysctls(chromium_t)
-# Memory optimizations & optimizations based on OS/version
-kernel_read_system_state(chromium_t)
-
corecmd_exec_bin(chromium_t)
-corecmd_exec_shell(chromium_t)
corenet_tcp_connect_all_unreserved_ports(chromium_t)
corenet_tcp_connect_ftp_port(chromium_t)
@@ -94,13 +117,11 @@ corenet_tcp_connect_http_port(chromium_t)
dev_read_sound(chromium_t)
dev_write_sound(chromium_t)
-# Debugging (sys/kernel/debug) and device information (sys/bus and sys/devices).
-dev_read_sysfs(chromium_t)
dev_read_urand(chromium_t)
domain_dontaudit_search_all_domains_state(chromium_t)
-files_list_home(chromium_t)
+files_search_home(chromium_t)
files_read_usr_files(chromium_t)
files_read_etc_files(chromium_t)
@@ -110,18 +131,46 @@ getty_dontaudit_use_fds(chromium_t)
miscfiles_read_localization(chromium_t)
-#seutil_libselinux_linked(chromium_t)
-
sysnet_dns_name_resolve(chromium_t)
-userdom_manage_user_home_content_dirs(chromium_t)
-userdom_manage_user_home_content_files(chromium_t)
+userdom_dontaudit_list_user_home_dirs(chromium_t)
# Debugging. Also on user_tty_device_t if X is started through "startx" for instance
userdom_use_user_terminals(chromium_t)
xdg_read_generic_data_home_files(chromium_t)
+xdg_read_generic_config_home_files(chromium_t)
+
xserver_user_x_domain_template(chromium, chromium_t, chromium_tmpfs_t)
+tunable_policy(`chromium_read_system_info',`
+ kernel_read_kernel_sysctls(chromium_t)
+ # Memory optimizations & optimizations based on OS/version
+ kernel_read_system_state(chromium_t)
+
+ # Debugging (sys/kernel/debug) and device information (sys/bus and sys/devices).
+ dev_read_sysfs(chromium_t)
+
+ files_read_etc_runtime_files(chromium_t)
+',`
+ kernel_dontaudit_read_kernel_sysctls(chromium_t)
+ kernel_dontaudit_read_system_state(chromium_t)
+
+ dev_dontaudit_read_sysfs(chromium_t)
+
+ files_dontaudit_read_etc_runtime(chromium_t)
+')
+
+tunable_policy(`chromium_read_user_content',`
+ userdom_read_user_home_content_files(chromium_t)
+ userdom_read_user_home_content_symlinks(chromium_t)
+ userdom_search_user_home_content(chromium_t)
+')
+
+tunable_policy(`chromium_manage_user_content',`
+ userdom_manage_user_home_content_files(chromium_t)
+ userdom_manage_user_home_content_dirs(chromium_t)
+')
+
optional_policy(`
alsa_read_rw_config(chromium_t)
')
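Review bot: `chromium_manage_user_content` is not tied to `chromium_read_user_content`, so with manage on and read off the domain can create, write and delete files and directories in the user's home but gets no `userdom_read_user_home_content_symlinks` (only the read block grants it), which will surface as odd failures on symlinked content; either add the symlink interface to the manage block or state in its description that it is meant to be combined with the read tunable. The else-branch of `chromium_read_system_info` silences every /proc, sysctl, sysfs and etc_runtime read denial, which also hides the denials an administrator would use to decide whether a plugin actually needs the boolean; a comment above the first dontaudit such as `# probed at startup; harmless when denied, so do not audit` records that this is deliberate. The `userdom_dontaudit_list_user_home_dirs(chromium_t)` call just above is unconditional and so applies even when reading user content is enabled, which is worth a word in the same comment.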
@@ -177,20 +226,12 @@ read_files_pattern(chromium_renderer_t, chromium_xdg_config_t, chromium_xdg_conf
rw_fifo_files_pattern(chromium_renderer_t, chromium_tmp_t, chromium_tmp_t)
-kernel_dontaudit_read_system_state(chromium_renderer_t)
-kernel_dontaudit_search_sysctl(chromium_renderer_t)
-
dev_read_urand(chromium_renderer_t)
-files_list_tmp(chromium_renderer_t)
-files_read_etc_files(chromium_renderer_t)
-files_search_usr(chromium_renderer_t)
+files_dontaudit_list_tmp(chromium_renderer_t)
+files_dontaudit_read_etc_files(chromium_renderer_t)
files_search_var(chromium_renderer_t)
-#files_dontaudit_read_all_symlinks(chromium_renderer_t)
-# was dontaudited, perhaps needed for plugins?
-#files_search_var(chromium_renderer_t)
-
init_sigchld(chromium_renderer_t)
miscfiles_read_localization(chromium_renderer_t)
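Review bot: `files_search_usr(chromium_renderer_t)` is removed without the dontaudit counterpart that the tmp and etc removals receive, so a renderer that still traverses /usr will now log denials rather than being silently refused; `miscfiles_read_localization(chromium_renderer_t)`, kept on the last line of this hunk, is one plausible trigger if that interface does not search /usr by itself. Either add a matching dontaudit rule next to `files_dontaudit_read_etc_files(chromium_renderer_t)` or a one-line comment recording that /usr traversal is known not to be needed by the renderer. The renderer policy section continues outside this hunk.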
@@ -201,3 +242,11 @@ userdom_use_user_terminals(chromium_renderer_t)
xdg_read_generic_config_home_files(chromium_renderer_t)
xserver_user_x_domain_template(chromium_renderer, chromium_renderer_t, chromium_tmpfs_t)
+
+tunable_policy(`chromium_read_system_info',`
+ kernel_read_kernel_sysctls(chromium_renderer_t)
+ kernel_read_system_state(chromium_renderer_t)
+',`
+ kernel_dontaudit_read_kernel_sysctls(chromium_renderer_t)
+ kernel_dontaudit_read_system_state(chromium_renderer_t)
+')
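Review bot: `chromium_read_system_info` now grants sysctl and /proc reads to `chromium_renderer_t` as well as to the browser domain, but the boolean's description earlier in this file only speaks of "chromium"; the renderer is the process that parses untrusted web content, so the kernel state it can observe is the part of this tunable a user most needs to know about. Add to the description `<p>This also applies to the renderer domain, which processes untrusted web content.</p>`, or split the renderer grant into its own boolean so the browser side can be enabled without widening the renderer. The accompanying dontaudit rules in the else-branch are consistent with the browser-side ones.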
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 9b389a6..399ceaf 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -4001,6 +4001,26 @@ interface(`dev_manage_sysfs_dirs',`
########################################
## <summary>
+## Dont audit attempts to read hardware state information
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain for which the attempts do not need to be audited
+## </summary>
+## </param>
+#
+interface(`dev_dontaudit_read_sysfs',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+ dontaudit $1 sysfs_t:file read_file_perms;
+ dontaudit $1 sysfs_t:dir list_dir_perms;
+ dontaudit $1 sysfs_t:lnk_file read_lnk_file_perms;
+')
+
+########################################
+## <summary>
## Read hardware state information.
## </summary>
## <desc>
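Review bot: The summary `Dont audit attempts to read hardware state information` does not follow the wording used for the other dontaudit interfaces in this file, which is `Do not audit attempts to ...`, and the parameter summary is conventionally `Domain to not audit.` rather than the longer sentence used here; aligning both keeps the generated interface documentation uniform. The body looks like the dontaudit mirror of `dev_read_sysfs` (file, dir and lnk_file read permissions), and I see no functional concern with it.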
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 2924d8c..93bdc1b 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -2928,6 +2928,24 @@ interface(`files_dontaudit_setattr_etc_runtime_files',`
########################################
## <summary>
+## Do not audit attempts to read etc_runtime resources
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_read_etc_runtime',`
+ gen_require(`
+ type etc_runtime_t;
+ ')
+
+ dontaudit $1 etc_runtime_t:file read_file_perms;
+')
+
+########################################
+## <summary>
## Read files in /etc that are dynamically
## created on boot, such as mtab.
## </summary>
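Review bot: The new interface is named `files_dontaudit_read_etc_runtime` while its sibling directly above is `files_dontaudit_setattr_etc_runtime_files` and the allow-side counterpart called from chromium.te is `files_read_etc_runtime_files`; `files_dontaudit_read_etc_runtime_files` follows the established pattern, with the call in chromium.te's `chromium_read_system_info` else-branch renamed to match. The parameter summary `Domain allowed access.` is wrong for a dontaudit interface, which grants nothing; use `Domain to not audit.`. Whether `dir` and `lnk_file` also need dontaudit rules depends on what `files_read_etc_runtime_files` covers, which is outside this hunk.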
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/, policy/modules/kernel/
@ 2012-08-08 19:37 Sven Vermeulen
From: Sven Vermeulen @ 2012-08-08 19:37 UTC (permalink / raw
To: gentoo-commits
commit: 112743ef475b5b5c02018c19ecd0a879faf12f50
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Aug 8 18:51:36 2012 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Aug 8 18:51:36 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=112743ef
Backport mcelog changes from refpolicy, thanks to Guido Trantalancia
---
policy/modules/contrib/mcelog.fc | 12 ++++
policy/modules/contrib/mcelog.te | 111 +++++++++++++++++++++++++++++++-
policy/modules/kernel/corecommands.fc | 7 ++-
3 files changed, 125 insertions(+), 5 deletions(-)
diff --git a/policy/modules/contrib/mcelog.fc b/policy/modules/contrib/mcelog.fc
index 56c43c0..e5c1a63 100644
--- a/policy/modules/contrib/mcelog.fc
+++ b/policy/modules/contrib/mcelog.fc
@@ -1 +1,13 @@
+/etc/mcelog(/.*)? gen_context(system_u:object_r:mcelog_etc_t,s0)
+
+ifdef(`distro_redhat',`
+/etc/mcelog/triggers -d gen_context(system_u:object_r:mcelog_etc_t,s0)
+')
+
+/etc/rc\.d/init\.d/mcelog -- gen_context(system_u:object_r:mcelog_initrc_exec_t,s0)
+
/usr/sbin/mcelog -- gen_context(system_u:object_r:mcelog_exec_t,s0)
+
+/var/log/mcelog.* -- gen_context(system_u:object_r:mcelog_log_t,s0)
+/var/run/mcelog\.pid -- gen_context(system_u:object_r:mcelog_var_run_t,s0)
+/var/run/mcelog-client -s gen_context(system_u:object_r:mcelog_var_run_t,s0)
diff --git a/policy/modules/contrib/mcelog.te b/policy/modules/contrib/mcelog.te
index 5671977..6e44f91 100644
--- a/policy/modules/contrib/mcelog.te
+++ b/policy/modules/contrib/mcelog.te
@@ -1,14 +1,70 @@
-policy_module(mcelog, 1.1.0)
+policy_module(mcelog, 1.1.1)
########################################
#
# Declarations
#
+## <desc>
+## <p>
+## Allow mcelog to run in client mode.
+## Required to run mcelog in client
+## mode.
+## </p>
+## </desc>
+gen_tunable(mcelog_client, false)
+
+## <desc>
+## <p>
+## Allow mcelog to execute scripts.
+## Required to execute optional triggers
+## and/or local scripts.
+## </p>
+## </desc>
+gen_tunable(mcelog_exec_scripts, true)
+
+## <desc>
+## <p>
+## Allow mcelog to use all the user ttys.
+## Required in foreground mode and to
+## print out usage and version information.
+## </p>
+## </desc>
+gen_tunable(mcelog_foreground, true)
+
+## <desc>
+## <p>
+## Allow mcelog to run a server.
+## Required to enable the optional configurable
+## Unix stream socket server functionality.
+## </p>
+## </desc>
+gen_tunable(mcelog_server, false)
+
+## <desc>
+## <p>
+## Allow mcelog to use syslog.
+## Required to use the configurable
+## syslog option.
+## </p>
+## </desc>
+gen_tunable(mcelog_syslog, true)
+
type mcelog_t;
type mcelog_exec_t;
-application_domain(mcelog_t, mcelog_exec_t)
-cron_system_entry(mcelog_t, mcelog_exec_t)
+init_daemon_domain(mcelog_t, mcelog_exec_t)
+
+type mcelog_initrc_exec_t;
+init_script_file(mcelog_initrc_exec_t)
+
+type mcelog_etc_t;
+files_config_file(mcelog_etc_t)
+
+type mcelog_log_t;
+logging_log_file(mcelog_log_t)
+
+type mcelog_var_run_t;
+files_pid_file(mcelog_var_run_t)
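Review bot: Several of the new tunable descriptions restate the boolean's name instead of saying what it opens up, e.g. `mcelog_client`: `Allow mcelog to run in client mode. Required to run mcelog in client mode.` The rule it guards further down is `connectto` on a unix stream socket, so `Allow mcelog to connect to the Unix stream socket of a running mcelog daemon (client mode).` tells the administrator what is actually permitted. `mcelog_exec_scripts` and `mcelog_foreground` default to `true`, and since the former lets the daemon execute any `bin_t` file and a shell, its description should say so rather than only mentioning triggers.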
########################################
#
@@ -16,17 +72,64 @@ cron_system_entry(mcelog_t, mcelog_exec_t)
#
allow mcelog_t self:capability sys_admin;
+allow mcelog_t self:unix_stream_socket connected_socket_perms;
+allow mcelog_t mcelog_etc_t:dir list_dir_perms;
+
+read_files_pattern(mcelog_t, mcelog_etc_t, mcelog_etc_t)
+
+# manage a logfile in a generic or private log directory
+manage_dirs_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
+manage_files_pattern(mcelog_t, mcelog_log_t, mcelog_log_t)
+logging_log_filetrans(mcelog_t, mcelog_log_t, file)
+
+manage_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
+manage_sock_files_pattern(mcelog_t, mcelog_var_run_t, mcelog_var_run_t)
+files_pid_filetrans(mcelog_t, mcelog_var_run_t, { file sock_file })
kernel_read_system_state(mcelog_t)
dev_read_raw_memory(mcelog_t)
dev_read_kmsg(mcelog_t)
+dev_rw_sysfs(mcelog_t)
files_read_etc_files(mcelog_t)
# for /dev/mem access
mls_file_read_all_levels(mcelog_t)
-logging_send_syslog_msg(mcelog_t)
+locallogin_use_fds(mcelog_t)
miscfiles_read_localization(mcelog_t)
+
+# needed in client-mode
+tunable_policy(`mcelog_client',`
+ allow mcelog_t self:unix_stream_socket connectto;
+')
+
+# required for executing optional triggers and scripts
+tunable_policy(`mcelog_exec_scripts',`
+ allow mcelog_t self:fifo_file { read getattr write };
+ corecmd_exec_bin(mcelog_t)
+ corecmd_exec_shell(mcelog_t)
+')
+
+# required for optional foreground mode and
+# console output
+tunable_policy(`mcelog_foreground',`
+ userdom_use_user_terminals(mcelog_t)
+')
+
+# required for the optional server functionality
+tunable_policy(`mcelog_server',`
+ allow mcelog_t self:unix_stream_socket { listen accept };
+')
+
+# use syslog functionality (optional, configurable)
+tunable_policy(`mcelog_syslog',`
+ logging_send_syslog_msg(mcelog_t)
+')
+
+# optional support for running it as a cron job
+optional_policy(`
+ cron_system_entry(mcelog_t, mcelog_exec_t)
+')
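Review bot: The `mcelog_exec_scripts` block runs triggers and `.local` scripts inside `mcelog_t` itself, which retains `sys_admin`, raw memory read and sysfs write access from earlier in this hunk; there is no domain transition, so any script dropped under /etc/mcelog inherits the daemon's privileges, and a comment saying so above the block would help given the boolean is on by default. `allow mcelog_t self:fifo_file { read getattr write };` should use the policy's permission set, `allow mcelog_t self:fifo_file rw_fifo_file_perms;`, since hand-listed sets drift from the macros over time. `dev_rw_sysfs(mcelog_t)` is new and broad; if mcelog only writes a few known sysfs nodes, a comment naming them records why read-only access was not enough.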
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index f212f4a..defaa6d 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -72,8 +72,13 @@ ifdef(`distro_redhat',`
/etc/kde/shutdown(/.*)? gen_context(system_u:object_r:bin_t,s0)
/etc/mail/make -- gen_context(system_u:object_r:bin_t,s0)
-/etc/mcelog/cache-error-trigger -- gen_context(system_u:object_r:bin_t,s0)
+
+/etc/mcelog/.*-error-trigger -- gen_context(system_u:object_r:bin_t,s0)
+/etc/mcelog/.*\.local -- gen_context(system_u:object_r:bin_t,s0)
+
+ifdef(`distro_redhat',`
/etc/mcelog/triggers(/.*)? gen_context(system_u:object_r:bin_t,s0)
+')
/etc/mgetty\+sendfax/new_fax -- gen_context(system_u:object_r:bin_t,s0)
/etc/netplug\.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
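Review bot: The new specs `/etc/mcelog/.*-error-trigger` and `/etc/mcelog/.*\.local` use `.*`, which also crosses directory boundaries, so a file named like that anywhere below /etc/mcelog becomes `bin_t`; if only top-level triggers are meant, `[^/]*` is the tighter form, e.g. `/etc/mcelog/[^/]*-error-trigger -- gen_context(system_u:object_r:bin_t,s0)`. The `triggers(/.*)?` spec inside `ifdef(`distro_redhat'` also matches the `triggers` directory itself, which mcelog.fc in this same commit labels `mcelog_etc_t` with a `-d` entry; that presumably relies on the more specific file-type entry winning, and a short comment stating the intent would spare the next reader from reconciling the two.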
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/, policy/modules/kernel/
@ 2012-10-28 18:01 Sven Vermeulen
From: Sven Vermeulen @ 2012-10-28 18:01 UTC (permalink / raw
To: gentoo-commits
commit: 4dedda31c2025ccde5ee8ce2500648d786f28d89
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Oct 28 17:52:18 2012 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sun Oct 28 17:52:18 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=4dedda31
Keep file contexts local
Unlike what is used in refpolicy, I think it is much cleaner if file contexts
related to the application the module reflects are within the file context file.
This does mean that "elsewhere" defined types must be accepted in the context,
but as long as these types are part of the base install (or as a depending
module without optional_policy() statement) this should be okay.
One main advantage of this - beyond clarity - is that the file contexts file on a
user's system will not contain paths for applications that are not installed.
Doing this for a few shorewall contexts for now, will update as these come
along.
---
policy/modules/contrib/shorewall.fc | 5 +++++
policy/modules/kernel/corecommands.fc | 6 ------
2 files changed, 5 insertions(+), 6 deletions(-)
diff --git a/policy/modules/contrib/shorewall.fc b/policy/modules/contrib/shorewall.fc
index 341bd25..daf852d 100644
--- a/policy/modules/contrib/shorewall.fc
+++ b/policy/modules/contrib/shorewall.fc
@@ -20,6 +20,11 @@
ifdef(`distro_gentoo',`
/usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall/getparams -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall/wait4ifup -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/shorewall-perl(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/share/shorewall-lite(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/share/shorewall6-lite(/.*)? gen_context(system_u:object_r:bin_t,s0)
')
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 57fd2ed..de94bd0 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -309,12 +309,6 @@ ifdef(`distro_gentoo',`
/usr/share/sectool/.*\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0)
-/usr/share/shorewall-perl(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/usr/share/shorewall-shell(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/usr/share/shorewall-lite(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/usr/share/shorewall6-lite(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/spamassassin/sa-update\.cron gen_context(system_u:object_r:bin_t,s0)
/usr/share/texmf/web2c/mktexdir -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/turboprint/lib(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/, policy/modules/kernel/
@ 2012-12-17 16:56 Sven Vermeulen
From: Sven Vermeulen @ 2012-12-17 16:56 UTC (permalink / raw
To: gentoo-commits
commit: 4d73fed5d3cbd2642178cb456bedbc81aa9d6dd8
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Mon Dec 17 14:52:46 2012 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Dec 17 16:52:13 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=4d73fed5
Updates on puppet policy
---
policy/modules/contrib/portage.if | 63 +++++++++++++++++++
policy/modules/contrib/puppet.te | 104 +++++++++++++++++++------------
policy/modules/kernel/corenetwork.te.in | 1 +
3 files changed, 129 insertions(+), 39 deletions(-)
diff --git a/policy/modules/contrib/portage.if b/policy/modules/contrib/portage.if
index c0051ae..06655e1 100644
--- a/policy/modules/contrib/portage.if
+++ b/policy/modules/contrib/portage.if
@@ -380,3 +380,66 @@ interface(`portage_eselect_module',`
typeattribute $1 portage_eselect_domain;
')
+########################################
+## <summary>
+## Read portage cache files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`portage_read_cache',`
+ gen_require(`
+ type portage_cache_t;
+ ')
+
+ files_search_var($1)
+ list_dirs_pattern($1, portage_cache_t, portage_cache_t)
+ read_files_pattern($1, portage_cache_t, portage_cache_t)
+ read_lnk_files_pattern($1, portage_cache_t, portage_cache_t)
+')
+
+########################################
+## <summary>
+## Read portage configuration files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`portage_read_config',`
+ gen_require(`
+ type portage_conf_t;
+ ')
+
+ files_search_etc($1)
+ list_dirs_pattern($1, portage_conf_t, portage_conf_t)
+ read_files_pattern($1, portage_conf_t, portage_conf_t)
+ read_lnk_files_pattern($1, portage_conf_t, portage_conf_t)
+')
+
+########################################
+## <summary>
+## Read portage ebuild files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`portage_read_ebuild',`
+ gen_require(`
+ type portage_ebuild_t;
+ ')
+
+ files_search_usr($1)
+ list_dirs_pattern($1, portage_ebuild_t, portage_ebuild_t)
+ read_files_pattern($1, portage_ebuild_t, portage_ebuild_t)
+ read_lnk_files_pattern($1, portage_ebuild_t, portage_ebuild_t)
+')
+
diff --git a/policy/modules/contrib/puppet.te b/policy/modules/contrib/puppet.te
index 329562c..ef03f3a 100644
--- a/policy/modules/contrib/puppet.te
+++ b/policy/modules/contrib/puppet.te
@@ -145,47 +145,8 @@ seutil_domtrans_semanage(puppet_t)
sysnet_run_ifconfig(puppet_t, system_r)
-ifdef(`distro_gentoo',`
- allow puppet_t self:capability chown;
-
- kernel_read_kernel_sysctls(puppet_t)
- kernel_read_network_state(puppet_t)
-
- sysnet_use_ldap(puppet_t)
-
- usermanage_domtrans_passwd(puppet_t)
-
- optional_policy(`
- init_exec_rc(puppet_t)
- portage_run(puppet_t, system_r)
- ')
-')
-
tunable_policy(`puppet_manage_all_files',`
files_manage_non_auth_files(puppet_t)
-
- # We should use files_relabel_all_files here, but it calls
- # seutil_relabelto_bin_policy which sets a "typeattribute type attr",
- # which is not allowed within a tunable_policy.
- # So, we duplicate the content of files_relabel_all_files except for
- # the policy configuration stuff and hope users do that through Portage
-
- gen_require(`
- attribute file_type;
- attribute security_file_type;
- type policy_config_t;
- ')
-
- allow puppet_t { file_type -policy_config_t -security_file_type }:dir list_dir_perms;
- relabel_dirs_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type })
- relabel_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type })
- relabel_lnk_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type })
- relabel_fifo_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type })
- relabel_sock_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type })
- # this is only relabelfrom since there should be no
- # device nodes with file types.
- relabelfrom_blk_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type })
- relabelfrom_chr_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type })
')
optional_policy(`
@@ -388,4 +349,69 @@ ifdef(`distro_gentoo',`
usermanage_check_exec_passwd(puppetmaster_t)
usermanage_check_exec_useradd(puppetmaster_t)
')
+
+ ###########################################
+ #
+ # Puppet client policy
+ #
+ allow puppet_t self:capability chown;
+ allow puppet_t self:udp_socket create_socket_perms;
+ allow puppet_t puppet_log_t:file read_file_perms;
+
+ kernel_read_kernel_sysctls(puppet_t)
+ kernel_read_net_sysctls(puppet_t)
+ kernel_read_network_state(puppet_t)
+
+ corenet_all_recvfrom_netlabel(puppet_t)
+ corenet_all_recvfrom_unlabeled(puppet_t)
+ corenet_tcp_sendrecv_generic_if(puppet_t)
+ corenet_tcp_sendrecv_generic_node(puppet_t)
+ corenet_tcp_bind_generic_node(puppet_t)
+
+ corenet_sendrecv_puppetclient_server_packets(puppet_t)
+ corenet_tcp_bind_puppetclient_port(puppet_t)
+ corenet_tcp_sendrecv_puppetclient_port(puppet_t)
+
+ files_search_var_lib(puppet_t)
+
+ sysnet_use_ldap(puppet_t)
+
+ usermanage_domtrans_passwd(puppet_t)
+
+ tunable_policy(`puppet_manage_all_files',`
+ # We should use files_relabel_all_files here, but it calls
+ # seutil_relabelto_bin_policy which sets a "typeattribute type attr",
+ # which is not allowed within a tunable_policy.
+ # So, we duplicate the content of files_relabel_all_files except for
+ # the policy configuration stuff and hope users do that through Portage
+
+ gen_require(`
+ attribute file_type;
+ attribute security_file_type;
+ type policy_config_t;
+ ')
+
+ allow puppet_t { file_type -policy_config_t -security_file_type }:dir list_dir_perms;
+ relabel_dirs_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type })
+ relabel_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type })
+ relabel_lnk_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type })
+ relabel_fifo_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type })
+ relabel_sock_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type })
+ # this is only relabelfrom since there should be no
+ # device nodes with file types.
+ relabelfrom_blk_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type })
+ relabelfrom_chr_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type })
+ ')
+
+ optional_policy(`
+ dmidecode_domtrans(puppet_t)
+ ')
+
+ optional_policy(`
+ init_exec_rc(puppet_t)
+ portage_read_cache(puppet_t)
+ portage_read_config(puppet_t)
+ portage_read_ebuild(puppet_t)
+ portage_run(puppet_t, system_r)
+ ')
')
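Review bot: `corenet_tcp_bind_puppetclient_port(puppet_t)` together with `corenet_tcp_bind_generic_node(puppet_t)` turns the agent into a network listener unconditionally, whereas as far as I recall the agent only listens on 8139 when its `listen` option is set (the puppet kick interface); binding a port is a larger exposure than the outbound rules above it and belongs behind a tunable, e.g. `puppet_listen`, or at least a comment explaining why it is always enabled. `allow puppet_t self:udp_socket create_socket_perms;` has no explanation either; if it is for name resolution, `sysnet_dns_name_resolve` is the usual way to express that and may already cover it. The `ifdef(`distro_gentoo'` block enclosing this hunk begins before it.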
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index 8e0ae95..db913e9 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -216,6 +216,7 @@ network_port(printer, tcp,515,s0)
network_port(ptal, tcp,5703,s0)
network_port(pulseaudio, tcp,4713,s0)
network_port(puppet, tcp, 8140, s0)
+network_port(puppetclient, tcp, 8139, s0)
network_port(pxe, udp,4011,s0)
network_port(pyzor, udp,24441,s0)
network_port(radacct, udp,1646,s0, udp,1813,s0)
* [gentoo-commits] proj/hardened-refpolicy:bitcoin commit in: policy/modules/contrib/, policy/modules/kernel/
@ 2014-11-23 14:06 Sven Vermeulen
From: Sven Vermeulen @ 2014-11-23 14:06 UTC (permalink / raw
To: gentoo-commits
commit: 1682e5c2811be74ff6fb847d878e129e3dbb7214
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Nov 22 17:32:37 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Nov 22 17:32:37 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=1682e5c2
Move Portage bin definition to portage module (core filedefs can be in module in Gentoo)
---
policy/modules/contrib/portage.fc | 1 +
policy/modules/kernel/corecommands.fc | 2 --
2 files changed, 1 insertion(+), 2 deletions(-)
diff --git a/policy/modules/contrib/portage.fc b/policy/modules/contrib/portage.fc
index 2eaa62c..119043b 100644
--- a/policy/modules/contrib/portage.fc
+++ b/policy/modules/contrib/portage.fc
@@ -2,6 +2,7 @@
/etc/make\.globals -- gen_context(system_u:object_r:portage_conf_t,s0)
/etc/make\.profile -l gen_context(system_u:object_r:portage_conf_t,s0)
/etc/portage(/.*)? gen_context(system_u:object_r:portage_conf_t,s0)
+/etc/portage/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/etc/portage/gpg(/.*)? gen_context(system_u:object_r:portage_gpg_t,s0)
/usr/bin/gcc-config -- gen_context(system_u:object_r:gcc_config_exec_t,s0)
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 7e1b58c..58b5a6e 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -89,8 +89,6 @@ ifdef(`distro_redhat',`
/etc/pm/power\.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
/etc/pm/sleep\.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/etc/portage/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
-
/etc/ppp/ip-down\..* -- gen_context(system_u:object_r:bin_t,s0)
/etc/ppp/ip-up\..* -- gen_context(system_u:object_r:bin_t,s0)
/etc/ppp/ipv6-up\..* -- gen_context(system_u:object_r:bin_t,s0)
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/, policy/modules/kernel/
@ 2014-11-22 17:43 ` Sven Vermeulen
From: Sven Vermeulen @ 2014-11-22 17:43 UTC (permalink / raw
To: gentoo-commits
commit: 1682e5c2811be74ff6fb847d878e129e3dbb7214
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Nov 22 17:32:37 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Nov 22 17:32:37 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=1682e5c2
Move Portage bin definition to portage module (core filedefs can be in module in Gentoo)
---
policy/modules/contrib/portage.fc | 1 +
policy/modules/kernel/corecommands.fc | 2 --
2 files changed, 1 insertion(+), 2 deletions(-)
diff --git a/policy/modules/contrib/portage.fc b/policy/modules/contrib/portage.fc
index 2eaa62c..119043b 100644
--- a/policy/modules/contrib/portage.fc
+++ b/policy/modules/contrib/portage.fc
@@ -2,6 +2,7 @@
/etc/make\.globals -- gen_context(system_u:object_r:portage_conf_t,s0)
/etc/make\.profile -l gen_context(system_u:object_r:portage_conf_t,s0)
/etc/portage(/.*)? gen_context(system_u:object_r:portage_conf_t,s0)
+/etc/portage/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/etc/portage/gpg(/.*)? gen_context(system_u:object_r:portage_gpg_t,s0)
/usr/bin/gcc-config -- gen_context(system_u:object_r:gcc_config_exec_t,s0)
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 7e1b58c..58b5a6e 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -89,8 +89,6 @@ ifdef(`distro_redhat',`
/etc/pm/power\.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
/etc/pm/sleep\.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/etc/portage/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
-
/etc/ppp/ip-down\..* -- gen_context(system_u:object_r:bin_t,s0)
/etc/ppp/ip-up\..* -- gen_context(system_u:object_r:bin_t,s0)
/etc/ppp/ipv6-up\..* -- gen_context(system_u:object_r:bin_t,s0)