From: "Sven Vermeulen" <sven.vermeulen@siphos.be>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/xdg/, policy/modules/contrib/, policy/modules/system/, ...
Date: Sun, 29 Jul 2012 07:18:54 +0000 (UTC)	[thread overview]
Message-ID: <1343546292.9b5d3482a2a3e51aeae9402e8b56156f5eceffd7.SwifT@gentoo> (raw)

commit:     9b5d3482a2a3e51aeae9402e8b56156f5eceffd7
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Jul 29 07:18:12 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sun Jul 29 07:18:12 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=9b5d3482

Userspace confinement work in progress. Include xdg_videos support and mozilla only accessing .mozilla

---
 policy/modules/contrib/mozilla.te                  |    2 +-
 policy/modules/contrib/xdg.if                      |   18 ++++
 .../contrib/xdg/xdg_manage_videos_home.part        |   18 ++++
 policy/modules/kernel/files.if                     |  105 ++++++++++----------
 policy/modules/system/authlogin.te                 |    4 +-
 policy/modules/system/init.te                      |    4 +-
 policy/modules/system/udev.if                      |   39 -------
 policy/modules/system/userdomain.if                |    1 +
 8 files changed, 94 insertions(+), 97 deletions(-)

diff --git a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te
index 0909cd6..dfd4705 100644
--- a/policy/modules/contrib/mozilla.te
+++ b/policy/modules/contrib/mozilla.te
@@ -95,7 +95,7 @@ can_exec(mozilla_t, mozilla_exec_t)
 manage_dirs_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
 manage_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
 manage_lnk_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
-userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir)
+userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".mozilla")
 
 # Mozpluggerrc
 allow mozilla_t mozilla_conf_t:file read_file_perms;
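Review bot: The name-qualified transition on the new line 38 only fires for a directory literally named `.mozilla`; anything else mozilla_t creates directly under the user home directory will now receive the home directory's default label rather than mozilla_home_t, so the "only accessing .mozilla" goal in the commit message holds only if mozilla_t's remaining create rights on user_home_dir_t are narrowed elsewhere, which is not visible in this hunk. Worth confirming that the browser creates no other top-level dotdir, and that the toolchain in use supports filename transitions — how userdom_user_home_dir_filetrans passes the fourth argument through is outside this diff. The mozilla_t rule block continues beyond the hunk.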

diff --git a/policy/modules/contrib/xdg.if b/policy/modules/contrib/xdg.if
index 923b957..1d628b7 100644
--- a/policy/modules/contrib/xdg.if
+++ b/policy/modules/contrib/xdg.if
@@ -796,3 +796,21 @@ interface(`xdg_relabel_all_runtime_home',`
 
 	files_search_pids($1)
 ')
+#########################################
+## <summary>
+##	Manage video content
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+#
+interface(`xdg_manage_videos_home',`
+	gen_require(`
+		type xdg_videos_home_t;
+	')
+
+	manage_dirs_pattern($1, xdg_videos_home_t, xdg_videos_home_t)
+	manage_files_pattern($1, xdg_videos_home_t, xdg_videos_home_t)
+')
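Review bot: The new interface is appended directly after the closing `')` of `xdg_relabel_all_runtime_home` with no separating blank line, whereas every other interface in this file (and in files.if in this same commit) is preceded by one; add a blank line before the `#####` header and trim it to the 40-character rule used elsewhere. The body is byte-identical to the new `xdg_manage_videos_home.part` file added in this commit; if `xdg.if` is assembled from the `.part` files at build time, make sure the interface does not end up defined twice, since a duplicate m4 definition is silently replaced rather than reported.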

diff --git a/policy/modules/contrib/xdg/xdg_manage_videos_home.part b/policy/modules/contrib/xdg/xdg_manage_videos_home.part
new file mode 100644
index 0000000..5118d5d
--- /dev/null
+++ b/policy/modules/contrib/xdg/xdg_manage_videos_home.part
@@ -0,0 +1,18 @@
+#########################################
+## <summary>
+##	Manage video content
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+#
+interface(`xdg_manage_videos_home',`
+	gen_require(`
+		type xdg_videos_home_t;
+	')
+
+	manage_dirs_pattern($1, xdg_videos_home_t, xdg_videos_home_t)
+	manage_files_pattern($1, xdg_videos_home_t, xdg_videos_home_t)
+')
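Review bot: `xdg_manage_videos_home` grants manage on xdg_videos_home_t directories and files but nothing to reach them — compare `xdg_relabel_all_runtime_home` just above in xdg.if, which adds `files_search_pids($1)` for its parent; the analogous line here would be `userdom_search_user_home_dirs($1)` (assuming the standard userdomain interface) so a caller can traverse the home directory to ~/Videos. The only caller in this commit, `userdom_manage_home_role`, already has full home access, but a standalone caller such as a media player domain would be denied on the path walk. Symbolic links are also not covered; if that is deliberate and matches the other `xdg_manage_*` interfaces (not visible here), a one-line comment saying so would spare the next reader the question.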

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 93bdc1b..6b7cc92 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -86,6 +86,26 @@ interface(`files_type',`
 
 ########################################
 ## <summary>
+##	Mark the specified type as a file
+##	that is related to authentication.
+## </summary>
+## <param name="file_type">
+##	<summary>
+##	Type of the authentication-related
+##	file.
+##	</summary>
+## </param>
+#
+interface(`files_auth_file',`
+	gen_require(`
+		attribute file_type, security_file_type, auth_file_type;
+	')
+
+	typeattribute $1 file_type, security_file_type, auth_file_type;
+')
+
+########################################
+## <summary>
 ##	Make the specified type a file that
 ##	should not be dontaudited from
 ##	browsing from user domains.
@@ -1277,28 +1297,8 @@ interface(`files_unmount_all_file_type_fs',`
 
 ########################################
 ## <summary>
-##	Mark the specified type as a file
-##  that is related to authentication.
-## </summary>
-## <param name="file_type">
-##	<summary>
-##	Type of the authentication-related
-##  file.
-##	</summary>
-## </param>
-#
-interface(`files_auth_file',`
-	gen_require(`
-		attribute file_type, security_file_type, auth_file_type;
-	')
-
-	typeattribute $1 file_type, security_file_type, auth_file_type;
-')
-
-########################################
-## <summary>
 ##	Read all non-authentication related
-##  directories.
+##	directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -1317,7 +1317,7 @@ interface(`files_list_non_auth_dirs',`
 ########################################
 ## <summary>
 ##	Read all non-authentication related
-##  files.
+##	files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -1354,58 +1354,54 @@ interface(`files_read_non_auth_symlinks',`
 
 ########################################
 ## <summary>
-##	Relabel all non-authentication related
-##  files.
+##	rw non-authentication related files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <rolecap/>
 #
-interface(`files_relabel_non_auth_files',`
+interface(`files_rw_non_auth_files',`
 	gen_require(`
 		attribute non_auth_file_type;
 	')
 
-	allow $1 non_auth_file_type:dir list_dir_perms;
-	relabel_dirs_pattern($1, non_auth_file_type, non_auth_file_type)
-	relabel_files_pattern($1, non_auth_file_type, non_auth_file_type)
-	relabel_lnk_files_pattern($1, non_auth_file_type, non_auth_file_type)
-	relabel_fifo_files_pattern($1, non_auth_file_type, non_auth_file_type)
-	relabel_sock_files_pattern($1, non_auth_file_type, non_auth_file_type)
-	# this is only relabelfrom since there should be no
-	# device nodes with file types.
-	relabelfrom_blk_files_pattern($1, non_auth_file_type, non_auth_file_type)
-	relabelfrom_chr_files_pattern($1, non_auth_file_type, non_auth_file_type)
-
-	# satisfy the assertions:
-	seutil_relabelto_bin_policy($1)
+	rw_files_pattern($1, non_auth_file_type, non_auth_file_type)
 ')
 
 ########################################
 ## <summary>
-##	rw non-authentication related files.
+##	Manage non-authentication related
+##	files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <rolecap/>
 #
-interface(`files_rw_non_auth_files',`
+interface(`files_manage_non_auth_files',`
 	gen_require(`
 		attribute non_auth_file_type;
 	')
 
-	rw_files_pattern($1, non_auth_file_type, non_auth_file_type)
+	manage_dirs_pattern($1, non_auth_file_type, non_auth_file_type)
+	manage_files_pattern($1, non_auth_file_type, non_auth_file_type)
+	manage_lnk_files_pattern($1, non_auth_file_type, non_auth_file_type)
+	manage_fifo_files_pattern($1, non_auth_file_type, non_auth_file_type)
+	manage_sock_files_pattern($1, non_auth_file_type, non_auth_file_type)
+
+	# satisfy the assertions:
+	seutil_create_bin_policy($1)
+	files_manage_kernel_modules($1)
 ')
 
 ########################################
 ## <summary>
-##	Manage non-authentication related
-##  files.
+##	Relabel all non-authentication related
+##	files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -1414,22 +1410,27 @@ interface(`files_rw_non_auth_files',`
 ## </param>
 ## <rolecap/>
 #
-interface(`files_manage_non_auth_files',`
+interface(`files_relabel_non_auth_files',`
 	gen_require(`
 		attribute non_auth_file_type;
 	')
 
-	manage_dirs_pattern($1, non_auth_file_type, non_auth_file_type)
-	manage_files_pattern($1, non_auth_file_type, non_auth_file_type)
-	manage_lnk_files_pattern($1, non_auth_file_type, non_auth_file_type)
-	manage_fifo_files_pattern($1, non_auth_file_type, non_auth_file_type)
-	manage_sock_files_pattern($1, non_auth_file_type, non_auth_file_type)
+	allow $1 non_auth_file_type:dir list_dir_perms;
+	relabel_dirs_pattern($1, non_auth_file_type, non_auth_file_type)
+	relabel_files_pattern($1, non_auth_file_type, non_auth_file_type)
+	relabel_lnk_files_pattern($1, non_auth_file_type, non_auth_file_type)
+	relabel_fifo_files_pattern($1, non_auth_file_type, non_auth_file_type)
+	relabel_sock_files_pattern($1, non_auth_file_type, non_auth_file_type)
+	# this is only relabelfrom since there should be no
+	# device nodes with file types.
+	relabelfrom_blk_files_pattern($1, non_auth_file_type, non_auth_file_type)
+	relabelfrom_chr_files_pattern($1, non_auth_file_type, non_auth_file_type)
 
 	# satisfy the assertions:
-	seutil_create_bin_policy($1)
-	files_manage_kernel_modules($1)
+	seutil_relabelto_bin_policy($1)
 ')
 
+
 #############################################
 ## <summary>
 ##	Manage all configuration directories on filesystem
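Review bot: The reorder leaves two consecutive blank lines before the `#####` header of the next interface (the added blank line near the end of the hunk); refpolicy separates interfaces with a single blank line, so drop it. Otherwise the three `*_non_auth_files` interfaces move verbatim with their `<rolecap/>` tags intact and no rule changes.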

diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 60ae701..c7c4fb6 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -5,10 +5,10 @@ policy_module(authlogin, 2.4.0)
 # Declarations
 #
 
+
 ## <desc>
 ## <p>
-## Allow users to resolve user passwd entries directly from ldap rather
-## than using an sssd server
+## Allow users to resolve user passwd entries directly from ldap rather then using a sssd server
 ## </p>
 ## </desc>
 gen_tunable(authlogin_nsswitch_use_ldap, false)
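Review bot: The rewrapped description on the new line 292 introduces two grammar regressions that end up in the tunable's user-visible description (what `semanage boolean -l` shows): `rather then` should be `rather than`, and `a sssd` should be `an sssd`, as the removed text had it. Suggest `## Allow users to resolve user passwd entries directly from ldap rather than using an sssd server`. The extra blank line added after the Declarations header at the top of the hunk also looks unintended.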

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index a2c1806..56bfca9 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -260,7 +260,7 @@ manage_lnk_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
 files_tmp_filetrans(initrc_t, initrc_tmp_t, { file dir })
 
 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
-manage_files_pattern(initrc_t, initrc_var_log_t, dir)
+manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
 logging_log_filetrans(initrc_t, initrc_var_log_t, dir)
 
 init_write_initctl(initrc_t)
@@ -856,8 +856,6 @@ optional_policy(`
 
 optional_policy(`
 	udev_create_db_dirs(initrc_t)
-	udev_dontaudit_getattr_netlink_kobject_uevent_sockets(initrc_t)
-	udev_dontaudit_getattr_unix_stream_sockets(initrc_t)
 	udev_generic_pid_filetrans_run_dirs(initrc_t, "udev")
 	udev_pid_filetrans_db(initrc_t, dir, "rules.d")
 	udev_manage_pid_files(initrc_t)

diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
index 53f6d62..7423f26 100644
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@@ -132,45 +132,6 @@ interface(`udev_dontaudit_rw_dgram_sockets',`
 
 ########################################
 ## <summary>
-##	Do not audit attempts to get attributes
-##	of a udev netlink_kobject_uevent_socket
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`udev_dontaudit_getattr_netlink_kobject_uevent_sockets',`
-	gen_require(`
-		type udev_t;
-	')
-
-	dontaudit $1 udev_t:netlink_kobject_uevent_socket getattr;
-')
-
-########################################
-## <summary>
-##	Do not audit attempts to get attributes
-##	of a udev unix_stream_socket.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain to not audit.
-##	</summary>
-## </param>
-#
-interface(`udev_dontaudit_getattr_unix_stream_sockets',`
-	gen_require(`
-		type udev_t;
-	')
-
-	dontaudit $1 udev_t:unix_stream_socket getattr;
-')
-
-
-########################################
-## <summary>
 ##	Read udev rules files
 ## </summary>
 ## <param name="domain">

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 4c33988..cf58129 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -282,6 +282,7 @@ interface(`userdom_manage_home_role',`
 		xdg_manage_all_data_home($2)
 		xdg_manage_all_runtime_home($2)
 		xdg_manage_downloads_home($2)
+		xdg_manage_videos_home($2)
 		xdg_relabel_all_cache_home($2)
 		xdg_relabel_all_config_home($2)
 		xdg_relabel_all_data_home($2)
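Review bot: The new call gives the role's user domain manage access to ~/Videos but no matching relabel — the lines directly below grant `xdg_relabel_all_cache_home`/`config`/`data` and nothing for videos (nor, from what is visible, for downloads), so a user cannot `restorecon` a mislabeled ~/Videos themselves; if that asymmetry is intended, a short comment noting it would help. The `xdg_videos_home_t` type that the new interface requires is not declared anywhere in this commit, so it must already exist in xdg.te — worth confirming, since an unresolved `gen_require` type fails the policy build. The enclosing optional_policy block and `userdom_manage_home_role` itself start outside the hunk.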

