From: "Sven Vermeulen"
To: gentoo-commits@lists.gentoo.org
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen"
Message-ID: <1348766174.5cb54b240e323365623c0ce6ca683a1408d3e15d.SwifT@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/contrib/corosync.fc policy/modules/contrib/corosync.if policy/modules/contrib/corosync.te policy/modules/contrib/drbd.fc policy/modules/contrib/drbd.if policy/modules/contrib/drbd.te policy/modules/contrib/rhcs.if policy/modules/contrib/rhcs.te
X-VCS-Directories: policy/modules/contrib/
X-VCS-Committer: SwifT
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: 5cb54b240e323365623c0ce6ca683a1408d3e15d
X-VCS-Branch: master
Date: Thu, 27 Sep 2012 18:05:12 +0000 (UTC)

commit:     5cb54b240e323365623c0ce6ca683a1408d3e15d
Author:     Dominick Grift gmail com>
AuthorDate: Tue Sep 25 10:06:59 2012 +0000
Commit:     Sven Vermeulen siphos be>
CommitDate: Thu Sep 27 17:16:14 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=5cb54b24

Changes to the corosync policy module and relevant dependencies

Ported from Fedora with changes

Left out conflicting policy

Cannot label /var/lib/cluster: it is not owned by any package but it is used by many (ccs)

ccs_tool is part of ccs and not corosync

Initial drbd policy module

DRBD mirrors a block device over the network to another machine. Think of it as networked raid 1. It is a building block for setting up high availability (HA) clusters. This is a virtual package, installing the full DRBD userland suite.

Module clean up
Signed-off-by: Dominick Grift gmail.com> Signed-off-by: Sven Vermeulen siphos.be> --- policy/modules/contrib/corosync.fc | 15 ++++--- policy/modules/contrib/corosync.if | 15 ++++--- policy/modules/contrib/corosync.te | 74 ++++++++++++++++++++++++++--------- policy/modules/contrib/drbd.fc | 13 ++++++ policy/modules/contrib/drbd.if | 59 ++++++++++++++++++++++++++++ policy/modules/contrib/drbd.te | 55 ++++++++++++++++++++++++++ policy/modules/contrib/rhcs.if | 64 ++++++++++++++++++++++++++++++- policy/modules/contrib/rhcs.te | 3 +- 8 files changed, 263 insertions(+), 35 deletions(-) diff --git a/policy/modules/contrib/corosync.fc b/policy/modules/contrib/corosync.fc index 3a6d7eb..1882605 100644 --- a/policy/modules/contrib/corosync.fc +++ b/policy/modules/contrib/corosync.fc 
@@ -1,12 +1,15 @@ /etc/rc\.d/init\.d/corosync -- gen_context(system_u:object_r:corosync_initrc_exec_t,s0) -/usr/sbin/corosync -- gen_context(system_u:object_r:corosync_exec_t,s0) +/usr/sbin/corosync -- gen_context(system_u:object_r:corosync_exec_t,s0) +/usr/sbin/corosync-notifyd -- gen_context(system_u:object_r:corosync_exec_t,s0) -/usr/sbin/ccs_tool -- gen_context(system_u:object_r:corosync_exec_t,s0) +/usr/sbin/ccs_tool -- gen_context(system_u:object_r:corosync_exec_t,s0) +/usr/sbin/cman_tool -- gen_context(system_u:object_r:corosync_exec_t,s0) -/var/lib/corosync(/.*)? gen_context(system_u:object_r:corosync_var_lib_t,s0) +/var/lib/corosync(/.*)? gen_context(system_u:object_r:corosync_var_lib_t,s0) -/var/log/cluster/corosync\.log -- gen_context(system_u:object_r:corosync_var_log_t,s0) +/var/log/cluster/corosync\.log.* -- gen_context(system_u:object_r:corosync_var_log_t,s0) -/var/run/cman_.* -s gen_context(system_u:object_r:corosync_var_run_t,s0) -/var/run/corosync\.pid -- gen_context(system_u:object_r:corosync_var_run_t,s0) +/var/run/cman_.* -s gen_context(system_u:object_r:corosync_var_run_t,s0) +/var/run/corosync\.pid -- gen_context(system_u:object_r:corosync_var_run_t,s0) +/var/run/rsctmp(/.*)? gen_context(system_u:object_r:corosync_var_run_t,s0) diff --git a/policy/modules/contrib/corosync.if b/policy/modules/contrib/corosync.if index 5220c9d..18c1db7 100644 --- a/policy/modules/contrib/corosync.if +++ b/policy/modules/contrib/corosync.if @@ -1,4 +1,4 @@ -## Corosync Cluster Engine +## Corosync Cluster Engine. ######################################## ## @@ -15,12 +15,13 @@ interface(`corosync_domtrans',` type corosync_t, corosync_exec_t; ') + corecmd_search_bin($1) domtrans_pattern($1, corosync_exec_t, corosync_t) ') ####################################### ## -## Allow the specified domain to read corosync's log files. +## Read corosync log files. ## ## ## 
@@ -40,8 +41,8 @@ interface(`corosync_read_log',` ##################################### ## -## Connect to corosync over a unix domain -## stream socket. +## Connect to corosync over a unix +## domain stream socket. ## ## ## @@ -60,8 +61,8 @@ interface(`corosync_stream_connect',` ###################################### ## -## All of the rules required to administrate -## an corosync environment +## All of the rules required to +## administrate an corosync environment. ## ## ## @@ -70,7 +71,7 @@ interface(`corosync_stream_connect',` ## ## ## -## The role to be allowed to manage the corosyncd domain. +## Role allowed access. ## ## ## diff --git a/policy/modules/contrib/corosync.te b/policy/modules/contrib/corosync.te index 04969e5..e2435a4 100644 --- a/policy/modules/contrib/corosync.te +++ b/policy/modules/contrib/corosync.te @@ -1,4 +1,4 @@ -policy_module(corosync, 1.0.0) +policy_module(corosync, 1.0.1) ######################################## # @@ -8,6 +8,7 @@ policy_module(corosync, 1.0.0) type corosync_t; type corosync_exec_t; init_daemon_domain(corosync_t, corosync_exec_t) +domain_obj_id_change_exemption(corosync_t) type corosync_initrc_exec_t; init_script_file(corosync_initrc_exec_t) 
@@ -29,21 +30,22 @@ files_pid_file(corosync_var_run_t) ######################################## # -# corosync local policy +# Local policy # -allow corosync_t self:capability { sys_nice sys_resource ipc_lock }; -allow corosync_t self:process { setrlimit setsched signal }; - +allow corosync_t self:capability { dac_override setuid setgid sys_nice sys_admin sys_resource ipc_lock }; +# for hearbeat +allow corosync_t self:capability { net_raw chown }; +allow corosync_t self:process { setpgid setrlimit setsched signal signull }; allow corosync_t self:fifo_file rw_fifo_file_perms; allow corosync_t self:sem create_sem_perms; -allow corosync_t self:unix_stream_socket { create_stream_socket_perms connectto }; -allow corosync_t self:unix_dgram_socket create_socket_perms; -allow corosync_t self:udp_socket create_socket_perms; +allow corosync_t self:shm create_shm_perms; +allow corosync_t self:unix_stream_socket { accept connectto listen }; manage_dirs_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t) manage_files_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t) -files_tmp_filetrans(corosync_t, corosync_tmp_t, { file dir }) +relabel_files_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t) +files_tmp_filetrans(corosync_t, corosync_tmp_t, { dir file }) manage_dirs_pattern(corosync_t, corosync_tmpfs_t, corosync_tmpfs_t) manage_files_pattern(corosync_t, corosync_tmpfs_t, corosync_tmpfs_t) 
@@ -52,30 +54,49 @@ fs_tmpfs_filetrans(corosync_t, corosync_tmpfs_t, { dir file }) manage_files_pattern(corosync_t, corosync_var_lib_t, corosync_var_lib_t) manage_dirs_pattern(corosync_t, corosync_var_lib_t, corosync_var_lib_t) manage_sock_files_pattern(corosync_t, corosync_var_lib_t, corosync_var_lib_t) -files_var_lib_filetrans(corosync_t, corosync_var_lib_t, { file dir sock_file }) +manage_fifo_files_pattern(corosync_t, corosync_var_lib_t,corosync_var_lib_t) +files_var_lib_filetrans(corosync_t,corosync_var_lib_t, { dir fifo_file file sock_file }) -manage_files_pattern(corosync_t, corosync_var_log_t, corosync_var_log_t) -manage_sock_files_pattern(corosync_t, corosync_var_log_t, corosync_var_log_t) -logging_log_filetrans(corosync_t, corosync_var_log_t, { sock_file file }) +create_files_pattern(corosync_t, corosync_var_log_t, corosync_var_log_t) +append_files_pattern(corosync_t, corosync_var_log_t, corosync_var_log_t) +setattr_files_pattern(corosync_t, corosync_var_log_t, corosync_var_log_t) +logging_log_filetrans(corosync_t, corosync_var_log_t, file) manage_files_pattern(corosync_t, corosync_var_run_t, corosync_var_run_t) manage_sock_files_pattern(corosync_t, corosync_var_run_t, corosync_var_run_t) -files_pid_filetrans(corosync_t, corosync_var_run_t, { file sock_file }) +manage_dirs_pattern(corosync_t, corosync_var_run_t,corosync_var_run_t) +files_pid_filetrans(corosync_t, corosync_var_run_t, { file sock_file dir }) + +can_exec(corosync_t, corosync_exec_t) +kernel_read_net_sysctls(corosync_t) +kernel_read_network_state(corosync_t) +kernel_read_kernel_sysctls(corosync_t) kernel_read_system_state(corosync_t) corecmd_exec_bin(corosync_t) +corecmd_exec_shell(corosync_t) +corenet_all_recvfrom_unlabeled(corosync_t) +corenet_all_recvfrom_netlabel(corosync_t) +corenet_udp_sendrecv_generic_if(corosync_t) +corenet_udp_sendrecv_generic_node(corosync_t) +corenet_udp_bind_generic_node(corosync_t) + +corenet_sendrecv_netsupport_server_packets(corosync_t) 
corenet_udp_bind_netsupport_port(corosync_t) +corenet_udp_sendrecv_netsupport_port(corosync_t) dev_read_urand(corosync_t) domain_read_all_domains_state(corosync_t) files_manage_mounttab(corosync_t) +files_read_usr_files(corosync_t) auth_use_nsswitch(corosync_t) +init_domtrans_script(corosync_t) init_read_script_state(corosync_t) init_rw_script_tmp_files(corosync_t) @@ -83,19 +104,34 @@ logging_send_syslog_msg(corosync_t) miscfiles_read_localization(corosync_t) -userdom_rw_user_tmpfs_files(corosync_t) +userdom_read_user_tmp_files(corosync_t) +userdom_manage_user_tmpfs_files(corosync_t) optional_policy(` ccs_read_config(corosync_t) ') optional_policy(` - # to communication with RHCS - rhcs_rw_dlm_controld_semaphores(corosync_t) + cmirrord_rw_shm(corosync_t) +') - rhcs_rw_fenced_semaphores(corosync_t) +optional_policy(` + dbus_system_bus_client(corosync_t) +') - rhcs_rw_gfs_controld_semaphores(corosync_t) +optional_policy(` + drbd_domtrans(corosync_t) +') + +optional_policy(` + qpidd_rw_shm(corosync_t) +') + +optional_policy(` + rhcs_getattr_fenced_exec_files(corosync_t) + rhcs_rw_cluster_shm(corosync_t) + rhcs_rw_cluster_semaphores(corosync_t) + rhcs_stream_connect_cluster(corosync_t) ') optional_policy(` diff --git a/policy/modules/contrib/drbd.fc b/policy/modules/contrib/drbd.fc new file mode 100644 index 0000000..671a3fb --- /dev/null +++ b/policy/modules/contrib/drbd.fc @@ -0,0 +1,13 @@ +/etc/rc\.d/init\.d/drbd -- gen_context(system_u:object_r:drbd_initrc_exec_t,s0) + +/sbin/drbdadm -- gen_context(system_u:object_r:drbd_exec_t,s0) +/sbin/drbdsetup -- gen_context(system_u:object_r:drbd_exec_t,s0) + +/usr/lib/ocf/resource.\d/linbit/drbd -- gen_context(system_u:object_r:drbd_exec_t,s0) + +/usr/sbin/drbdadm -- gen_context(system_u:object_r:drbd_exec_t,s0) +/usr/sbin/drbdsetup -- gen_context(system_u:object_r:drbd_exec_t,s0) + +/var/lib/drbd(/.*)? gen_context(system_u:object_r:drbd_var_lib_t,s0) + +/var/lock/subsys/drbd -- gen_context(system_u:object_r:drbd_lock_t,s0) 
diff --git a/policy/modules/contrib/drbd.if b/policy/modules/contrib/drbd.if new file mode 100644 index 0000000..9a21639 --- /dev/null +++ b/policy/modules/contrib/drbd.if @@ -0,0 +1,59 @@ +## Mirrors a block device over the network to another machine. + +######################################## +## +## Execute a domain transition to +## run drbd. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`drbd_domtrans',` + gen_require(` + type drbd_t, drbd_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, drbd_exec_t, drbd_t) +') + +######################################## +## +## All of the rules required to +## administrate an drbd environment. +## +## +## +## Domain allowed access. +## +## +## +## +## Role allowed access. +## +## +## +# +interface(`drbd_admin',` + gen_require(` + type drbd_t, drbd_initrc_exec_t, drbd_lock_t; + type drbd_var_lib_t; + ') + + allow $1 drbd_t:process { ptrace signal_perms }; + ps_process_pattern($1, drbd_t) + + init_labeled_script_domtrans($1, drbd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 drbd_initrc_exec_t system_r; + allow $2 system_r; + + files_search_locks($1) + admin_pattern($1, drbd_lock_t) + + files_search_var_lib($1) + admin_pattern($1, drbd_var_lib_t) +') diff --git a/policy/modules/contrib/drbd.te b/policy/modules/contrib/drbd.te new file mode 100644 index 0000000..f58fdc5 --- /dev/null +++ b/policy/modules/contrib/drbd.te 
@@ -0,0 +1,55 @@ +policy_module(drbd, 1.0.0) + +######################################## +# +# Declarations +# + +type drbd_t; +type drbd_exec_t; +init_daemon_domain(drbd_t, drbd_exec_t) + +type drbd_initrc_exec_t; +init_script_file(drbd_initrc_exec_t) + +type drbd_var_lib_t; +files_type(drbd_var_lib_t) + +type drbd_lock_t; +files_lock_file(drbd_lock_t) + +######################################## +# +# Local policy +# + +allow drbd_t self:capability { kill net_admin }; +dontaudit drbd_t self:capability sys_tty_config; +allow drbd_t self:fifo_file rw_fifo_file_perms; +allow drbd_t self:unix_stream_socket create_stream_socket_perms; +allow drbd_t self:netlink_socket create_socket_perms; +allow drbd_t self:netlink_route_socket rw_netlink_socket_perms; + +manage_dirs_pattern(drbd_t, drbd_var_lib_t, drbd_var_lib_t) +manage_files_pattern(drbd_t, drbd_var_lib_t, drbd_var_lib_t) +manage_lnk_files_pattern(drbd_t, drbd_var_lib_t, drbd_var_lib_t) +files_var_lib_filetrans(drbd_t, drbd_var_lib_t, dir) + +manage_files_pattern(drbd_t, drbd_lock_t, drbd_lock_t) +files_lock_filetrans(drbd_t, drbd_lock_t, file) + +can_exec(drbd_t, drbd_exec_t) + +kernel_read_system_state(drbd_t) + +dev_read_rand(drbd_t) +dev_read_sysfs(drbd_t) +dev_read_urand(drbd_t) + +files_read_etc_files(drbd_t) + +storage_raw_read_fixed_disk(drbd_t) + +miscfiles_read_localization(drbd_t) + +sysnet_dns_name_resolve(drbd_t) diff --git a/policy/modules/contrib/rhcs.if b/policy/modules/contrib/rhcs.if index 84dcae6..81a84ab 100644 --- a/policy/modules/contrib/rhcs.if +++ b/policy/modules/contrib/rhcs.if @@ -13,7 +13,7 @@ # template(`rhcs_domain_template',` gen_require(` - attribute cluster_domain, cluster_pid; + attribute cluster_domain, cluster_pid, cluster_tmpfs; ') ############################## @@ -25,7 +25,7 @@ template(`rhcs_domain_template',` type $1_exec_t; init_daemon_domain($1_t, $1_exec_t) - type $1_tmpfs_t; + type $1_tmpfs_t, cluster_tmpfs; files_tmpfs_file($1_tmpfs_t) type $1_var_log_t; 
@@ -75,6 +75,25 @@ interface(`rhcs_domtrans_dlm_controld',` ##################################### ## +## Get attributes of fenced +## executable files. +## +## +## +## Domain allowed access. +## +## +# +interface(`rhcs_getattr_fenced_exec_files',` + gen_require(` + type fenced_exec_t; + ') + + allow $1 fenced_exec_t:file getattr_file_perms; +') + +##################################### +## ## Connect to dlm_controld over a unix domain ## stream socket. ## @@ -313,6 +332,47 @@ interface(`rhcs_stream_connect_groupd',` stream_connect_pattern($1, groupd_var_run_t, groupd_var_run_t, groupd_t) ') +######################################## +## +## Read and write all cluster domains +## shared memory. +## +## +## +## Domain allowed access. +## +## +# +interface(`rhcs_rw_cluster_shm',` + gen_require(` + attribute cluster_domain, cluster_tmpfs; + ') + + allow $1 cluster_domain:shm { rw_shm_perms destroy }; + + fs_search_tmpfs($1) + manage_files_pattern($1, cluster_tmpfs, cluster_tmpfs) +') + +#################################### +## +## Read and write all cluster +## domains semaphores. +## +## +## +## Domain allowed access. +## +## +# +interface(`rhcs_rw_cluster_semaphores',` + gen_require(` + attribute cluster_domain; + ') + + allow $1 cluster_domain:sem { rw_sem_perms destroy }; +') + ##################################### ## ## Allow read and write access to groupd semaphores. diff --git a/policy/modules/contrib/rhcs.te b/policy/modules/contrib/rhcs.te index d7e72bc..fc85020 100644 --- a/policy/modules/contrib/rhcs.te +++ b/policy/modules/contrib/rhcs.te @@ -1,4 +1,4 @@ -policy_module(rhcs, 1.1.1) +policy_module(rhcs, 1.1.2) ######################################## # @@ -13,6 +13,7 @@ policy_module(rhcs, 1.1.1) gen_tunable(fenced_can_network_connect, false) attribute cluster_domain; +attribute cluster_tmpfs; attribute cluster_pid; rhcs_domain_template(dlm_controld)
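Review bot: in the corosync.fc hunk, `/usr/sbin/ccs_tool -- gen_context(system_u:object_r:corosync_exec_t,s0)` is only re-indented and stays labelled corosync_exec_t, which contradicts the commit message's own statement that ccs_tool belongs to ccs and not corosync. Keeping it on corosync_exec_t means every caller of corosync_domtrans transitions into corosync_t when it runs ccs_tool; either drop the entry here or move it to the ccs module's file contexts so the label matches the owning package.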
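Review bot: in the corosync.if `corosync_admin` hunk, the new summary reads `## administrate an corosync environment.`; it should be "a corosync environment" (the same wording appears in the new drbd.if as "an drbd environment"). Style only, but these summaries are what the generated interface documentation shows.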
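Review bot: the corosync.te local policy hunk removes `allow corosync_t self:udp_socket create_socket_perms;` and `allow corosync_t self:unix_dgram_socket create_socket_perms;` and narrows the stream socket rule to `{ accept connectto listen }`, while the following hunk adds corenet_udp_bind_generic_node, corenet_udp_bind_netsupport_port and corenet_udp_sendrecv_netsupport_port, all of which presuppose a UDP socket the domain is allowed to create. Nothing in this diff grants that create permission, so unless it comes from an attribute outside these files the daemon will be denied at socket creation; please keep the create lines or point at where the permission now comes from. Also, `+# for hearbeat` should read "heartbeat", and the jump from `{ sys_nice sys_resource ipc_lock }` to a set including dac_override, setuid, setgid and sys_admin deserves a comment per capability so the next audit can tell which operation needs which.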
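Review bot: in the corosync.te var_lib/var_log/var_run hunk, three added lines drop the space after a comma (`manage_fifo_files_pattern(corosync_t, corosync_var_lib_t,corosync_var_lib_t)`, `files_var_lib_filetrans(corosync_t,corosync_var_lib_t, { dir fifo_file file sock_file })`, `manage_dirs_pattern(corosync_t, corosync_var_run_t,corosync_var_run_t)`); refpolicy convention is one space after each argument separator. The replacement of manage_files_pattern on corosync_var_log_t with create/append/setattr is a welcome tightening and worth a line in the commit message.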
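Review bot: the corosync.te optional_policy hunk calls `cmirrord_rw_shm(corosync_t)` and `qpidd_rw_shm(corosync_t)`, but neither cmirrord.if nor qpidd.if is in the list of files touched by this commit; confirm both interfaces exist in this tree, because an interface name that is not defined anywhere does not expand and breaks the build even inside optional_policy. Separately, `userdom_rw_user_tmpfs_files` is replaced by `userdom_manage_user_tmpfs_files`, which adds create and unlink on user tmpfs files for a system daemon; if only read/write was missing, keep the narrower interface, otherwise note in a comment what creates those files.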
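Review bot: in the new drbd.fc, the pattern `/usr/lib/ocf/resource.\d/linbit/drbd` has the backslash on the wrong side of the dot: `\d` is a digit class, so this entry matches `resource` followed by any character and a digit and never matches the real `resource.d` directory, leaving the OCF agent unlabelled. It should be `/usr/lib/ocf/resource\.d/linbit/drbd`.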
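Review bot: in the new rhcs.if, `rhcs_rw_cluster_shm` is documented as "Read and write all cluster domains shared memory" but grants `cluster_domain:shm { rw_shm_perms destroy }` plus `manage_files_pattern($1, cluster_tmpfs, cluster_tmpfs)`, i.e. create, delete and destroy as well. Either narrow the body to rw_files_pattern and rw_shm_perms to match the name, or extend the summary so callers know they are handing out destroy rights; the same applies to the `destroy` permission in `rhcs_rw_cluster_semaphores`.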