From: "Sven Vermeulen"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen"
Message-ID: <1344451478.c9707ca062c2721eaae1f831240ca62e83992a46.SwifT@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/contrib/bird.fc policy/modules/contrib/bird.if policy/modules/contrib/bird.te
X-VCS-Directories: policy/modules/contrib/
X-VCS-Committer: SwifT
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: c9707ca062c2721eaae1f831240ca62e83992a46
X-VCS-Branch: master
Date: Wed, 8 Aug 2012 19:37:53 +0000 (UTC)

commit:     c9707ca062c2721eaae1f831240ca62e83992a46
Author:     Sven Vermeulen siphos be>
AuthorDate: Wed Aug  8 18:44:38 2012 +0000
Commit:     Sven Vermeulen siphos be>
CommitDate: Wed Aug  8 18:44:38 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=c9707ca0

Add in initial policy for BIRD Internet Routing Daemon, backport of refpolicy, thanks to Dominick Grift

---
 policy/modules/contrib/bird.fc | 11 +++++++
 policy/modules/contrib/bird.if | 42 +++++++++++++++++++++++++++++
 policy/modules/contrib/bird.te | 57 ++++++++++++++++++++++++++++++++++++++++
 3 files changed, 110 insertions(+), 0 deletions(-)

diff --git a/policy/modules/contrib/bird.fc b/policy/modules/contrib/bird.fc
new file mode 100644
index 0000000..7b63b8e
--- /dev/null
+++ b/policy/modules/contrib/bird.fc
@@ -0,0 +1,11 @@ +/etc/bird\.conf -- gen_context(system_u:object_r:bird_etc_t,s0) + +/etc/default/bird -- gen_context(system_u:object_r:bird_etc_t,s0) + +/etc/rc\.d/init\.d/bird -- gen_context(system_u:object_r:bird_initrc_exec_t,s0) + +/usr/sbin/bird -- gen_context(system_u:object_r:bird_exec_t,s0) + +/var/log/bird\.log.* -- gen_context(system_u:object_r:bird_log_t,s0) + +/var/run/bird\.ctl -s gen_context(system_u:object_r:bird_var_run_t,s0) diff --git a/policy/modules/contrib/bird.if b/policy/modules/contrib/bird.if new file mode 100644 index 0000000..fae3f36 --- /dev/null +++ b/policy/modules/contrib/bird.if @@ -0,0 +1,42 @@ +## BIRD Internet Routing Daemon. + +######################################## +## +## All of the rules required to administrate +## an bird environment. +## +## +## +## Domain allowed access. +## +## +## +## +## Role allowed access.. +## +## +## +# +interface(`bird_admin',` + gen_require(` + type bird_t, bird_etc_t, bird_log_t; + type bird_var_run_t, bird_initrc_exec_t; + ') + + allow $1 bird_t:process { ptrace signal_perms }; + ps_process_pattern($1, bird_t) + + init_labeled_script_domtrans($1, bird_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 bird_initrc_exec_t system_r; + allow $2 system_r; + + files_list_etc($1) + admin_pattern($1, bird_etc_t) + + logging_list_logs($1) + admin_pattern($1, bird_log_t) + + files_list_pids($1) + admin_pattern($1, bird_var_run_t) +') diff --git a/policy/modules/contrib/bird.te b/policy/modules/contrib/bird.te new file mode 100644 index 0000000..9afd52b --- /dev/null +++ b/policy/modules/contrib/bird.te 
@@ -0,0 +1,57 @@ +policy_module(bird, 1.0.0) + +######################################## +# +# Declarations +# + +type bird_t; +type bird_exec_t; +init_daemon_domain(bird_t, bird_exec_t) + +type bird_initrc_exec_t; +init_script_file(bird_initrc_exec_t) + +type bird_etc_t; +files_config_file(bird_etc_t) + +type bird_log_t; +logging_log_file(bird_log_t) + +type bird_var_run_t; +files_pid_file(bird_var_run_t) + +######################################## +# +# Local policy +# + +allow bird_t self:capability { net_admin net_bind_service }; +allow bird_t self:netlink_route_socket create_netlink_socket_perms; +allow bird_t self:tcp_socket create_stream_socket_perms; + +allow bird_t bird_etc_t:file read_file_perms; + +allow bird_t bird_log_t:file { create_file_perms append_file_perms setattr_file_perms }; +logging_log_filetrans(bird_t, bird_log_t, file) + +allow bird_t bird_var_run_t:sock_file manage_sock_file_perms; +files_pid_filetrans(bird_t, bird_var_run_t, sock_file) + +corenet_all_recvfrom_unlabeled(bird_t) +corenet_all_recvfrom_netlabel(bird_t) +corenet_tcp_sendrecv_generic_if(bird_t) +corenet_tcp_bind_generic_node(bird_t) +corenet_tcp_sendrecv_generic_node(bird_t) +corenet_tcp_sendrecv_bgp_port(bird_t) +corenet_sendrecv_bgp_client_packets(bird_t) +corenet_tcp_connect_bgp_port(bird_t) +corenet_sendrecv_bgp_server_packets(bird_t) +corenet_tcp_bind_bgp_port(bird_t) + +# /etc/iproute2/rt_realms +files_read_etc_files(bird_t) + +logging_send_syslog_msg(bird_t) + +miscfiles_read_localization(bird_t)
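Review bot: In the bird.fc hunk the init script is labelled only at `/etc/rc\.d/init\.d/bird`; since this is a backport into hardened-refpolicy (Gentoo), check whether an `/etc/init\.d/bird` entry is also needed so the OpenRC script receives bird_initrc_exec_t and `bird_admin`'s `init_labeled_script_domtrans($1, bird_initrc_exec_t)` actually matches the installed script. The other entries line up with the .te: `/var/log/bird\.log.*` as a `--` regular-file entry matches `logging_log_filetrans(bird_t, bird_log_t, file)`, and `/var/run/bird\.ctl -s` matches the sock_file transition on bird_var_run_t.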
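Review bot: In the bird.if hunk the `bird_admin` documentation block has two typos that should be fixed before merge: `an bird environment` should read `a bird environment`, and `Role allowed access..` has a doubled period. The `<summary>` and `<param>` XML wrappers that refpolicy's interface documentation tooling expects around those comment lines are not visible in the rendered hunk, so confirm they are present in the committed file.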
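Review bot: In the bird.te hunk the network rules only cover TCP and the BGP port (`allow bird_t self:tcp_socket create_stream_socket_perms;`, the `corenet_tcp_*_bgp_port` calls and `corenet_sendrecv_bgp_*_packets`); BIRD's OSPF uses raw IP sockets and RIP uses UDP, so an OSPF or RIP configuration will be denied under this policy. Either note in the module that this initial policy is BGP-only, or add the matching rawip_socket/udp_socket rules and the `net_raw` capability for those protocols. Also, bird_var_run_t is declared with `files_pid_file` but bird_t is only granted `sock_file` permissions and a `sock_file` transition on it; if the init script starts bird with a PID file under /var/run, file manage permissions and a `file` class transition on bird_var_run_t are needed as well.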