From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id 40489138010 for ; Fri, 28 Sep 2012 17:51:12 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 3A692E0712; Fri, 28 Sep 2012 17:50:38 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) by pigeon.gentoo.org (Postfix) with ESMTP id E5784E0712 for ; Fri, 28 Sep 2012 17:50:37 +0000 (UTC) Received: from hornbill.gentoo.org (hornbill.gentoo.org [94.100.119.163]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id A4F9733D2A8 for ; Fri, 28 Sep 2012 17:50:36 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by hornbill.gentoo.org (Postfix) with ESMTP id 62A97E544A for ; Fri, 28 Sep 2012 17:50:35 +0000 (UTC) 
From: "Sven Vermeulen"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen"
Message-ID: <1348853988.4caa328e7b867ee09452693062be5e48ea82b7d8.SwifT@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/contrib/ddclient.fc policy/modules/contrib/ddclient.if policy/modules/contrib/ddclient.te
X-VCS-Directories: policy/modules/contrib/
X-VCS-Committer: SwifT
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: 4caa328e7b867ee09452693062be5e48ea82b7d8
X-VCS-Branch: master
Date: Fri, 28 Sep 2012 17:50:35 +0000 (UTC)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: 3f5db229-0e36-4d4c-991f-d95621b6dcc5
X-Archives-Hash: 3a715204a2f62057935b11c201191c46
commit: 4caa328e7b867ee09452693062be5e48ea82b7d8
Author: Dominick Grift gmail com>
AuthorDate: Fri Sep 28 08:01:31 2012 +0000
Commit: Sven Vermeulen siphos be>
CommitDate: Fri Sep 28 17:39:48 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=4caa328e
Changes to the ddclient policy module
Ported from Fedora with changes
Signed-off-by: Dominick Grift gmail.com>
---
policy/modules/contrib/ddclient.fc | 8 ++++++--
policy/modules/contrib/ddclient.if | 21 +++++++++++++--------
policy/modules/contrib/ddclient.te | 31 ++++++++++++++++++++++---------
3 files changed, 41 insertions(+), 19 deletions(-)
diff --git a/policy/modules/contrib/ddclient.fc b/policy/modules/contrib/ddclient.fc
index 083c135..13c0c4a 100644
--- a/policy/modules/contrib/ddclient.fc
+++ b/policy/modules/contrib/ddclient.fc
@@ -1,12 +1,16 @@
 /etc/ddclient\.conf -- gen_context(system_u:object_r:ddclient_etc_t,s0)
 /etc/ddtcd\.conf -- gen_context(system_u:object_r:ddclient_etc_t,s0)
-/etc/rc\.d/init\.d/ddclient -- gen_context(system_u:object_r:ddclient_initrc_exec_t,s0)
+
+/etc/rc\.d/init\.d/ddclient -- gen_context(system_u:object_r:ddclient_initrc_exec_t,s0)
 /usr/sbin/ddclient -- gen_context(system_u:object_r:ddclient_exec_t,s0)
-/usr/sbin/ddtcd -- gen_context(system_u:object_r:ddclient_exec_t,s0)
+/usr/sbin/ddtcd -- gen_context(system_u:object_r:ddclient_exec_t,s0)
 /var/cache/ddclient(/.*)? gen_context(system_u:object_r:ddclient_var_t,s0)
+
 /var/lib/ddt-client(/.*)? gen_context(system_u:object_r:ddclient_var_lib_t,s0)
+
 /var/log/ddtcd\.log.* -- gen_context(system_u:object_r:ddclient_log_t,s0)
+
 /var/run/ddclient\.pid -- gen_context(system_u:object_r:ddclient_var_run_t,s0)
 /var/run/ddtcd\.pid -- gen_context(system_u:object_r:ddclient_var_run_t,s0)
diff --git a/policy/modules/contrib/ddclient.if b/policy/modules/contrib/ddclient.if
index 0a1a61b..5606b40 100644
--- a/policy/modules/contrib/ddclient.if
+++ b/policy/modules/contrib/ddclient.if
@@ -1,4 +1,4 @@
-## Update dynamic IP address at DynDNS.org
+## Update dynamic IP address at DynDNS.org.
 #######################################
 ##
@@ -21,7 +21,9 @@ interface(`ddclient_domtrans',`
 ########################################
 ##
-## Execute ddclient daemon on behalf of a user or staff type.
+## Execute ddclient in the ddclient
+## domain, and allow the specified
+## role the ddclient domain.
 ##
 ##
 ##
@@ -37,17 +39,17 @@ interface(`ddclient_domtrans',`
 #
 interface(`ddclient_run',`
 gen_require(`
- type ddclient_t;
+ attribute_role ddclient_roles;
 ')
 ddclient_domtrans($1)
- role $2 types ddclient_t;
+ roleattribute $2 ddclient_roles;
 ')
 ########################################
 ##
-## All of the rules required to administrate
-## an ddclient environment
+## All of the rules required to
+## administrate an ddclient environment.
 ##
 ##
 ##
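Review bot: The rewritten summary of `ddclient_admin` at the end of this hunk still reads `## administrate an ddclient environment.`; the article is wrong and the line should be `## administrate a ddclient environment.`. The body of `ddclient_admin` itself starts after this hunk, so only its summary is visible here. The switch in `ddclient_run` from `role $2 types ddclient_t;` to `roleattribute $2 ddclient_roles;` matches the `attribute_role ddclient_roles` declaration added to ddclient.te in this commit, so no further change is needed there.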
@@ -56,7 +58,7 @@ interface(`ddclient_run',`
 ##
 ##
 ##
-## The role to be allowed to manage the ddclient domain.
+## Role allowed access.
 ##
 ##
 ##
@@ -64,7 +66,7 @@ interface(`ddclient_run',`
 interface(`ddclient_admin',`
 gen_require(`
 type ddclient_t, ddclient_etc_t, ddclient_log_t;
- type ddclient_var_t, ddclient_var_lib_t;
+ type ddclient_var_t, ddclient_var_lib_t, ddclient_tmp_t;
 type ddclient_var_run_t, ddclient_initrc_exec_t;
 ')
@@ -90,4 +92,7 @@ interface(`ddclient_admin',`
 files_list_pids($1)
 admin_pattern($1, ddclient_var_run_t)
+
+ files_list_tmp($1)
+ admin_pattern($1, ddclient_tmp_t)
 ')
diff --git a/policy/modules/contrib/ddclient.te b/policy/modules/contrib/ddclient.te
index 24ba98a..3af769c 100644
--- a/policy/modules/contrib/ddclient.te
+++ b/policy/modules/contrib/ddclient.te
@@ -1,13 +1,16 @@
-policy_module(ddclient, 1.9.0)
+policy_module(ddclient, 1.9.1)
 ########################################
 #
 # Declarations
 #
+attribute_role ddclient_roles;
+
 type ddclient_t;
 type ddclient_exec_t;
 init_daemon_domain(ddclient_t, ddclient_exec_t)
+role ddclient_roles types ddclient_t;
 type ddclient_etc_t;
 files_config_file(ddclient_etc_t)
@@ -18,6 +21,9 @@ init_script_file(ddclient_initrc_exec_t)
 type ddclient_log_t;
 logging_log_file(ddclient_log_t)
+type ddclient_tmp_t;
+files_tmp_file(ddclient_tmp_t)
+
 type ddclient_var_t;
 files_type(ddclient_var_t)
@@ -37,31 +43,37 @@ allow ddclient_t self:process signal_perms;
 allow ddclient_t self:fifo_file rw_fifo_file_perms;
 allow ddclient_t self:tcp_socket create_socket_perms;
 allow ddclient_t self:udp_socket create_socket_perms;
+allow ddclient_t self:netlink_route_socket r_netlink_socket_perms;
-allow ddclient_t ddclient_etc_t:file read_file_perms;
+read_files_pattern(ddclient_t, ddclient_etc_t, ddclient_etc_t)
+setattr_files_pattern(ddclient_t, ddclient_etc_t, ddclient_etc_t)
-allow ddclient_t ddclient_log_t:file manage_file_perms;
+allow ddclient_t ddclient_log_t:file append_file_perms;
+allow ddclient_t ddclient_log_t:file create_file_perms;
+allow ddclient_t ddclient_log_t:file setattr_file_perms;
 logging_log_filetrans(ddclient_t, ddclient_log_t, file)
+manage_files_pattern(ddclient_t, ddclient_tmp_t, ddclient_tmp_t)
+files_tmp_filetrans(ddclient_t, ddclient_tmp_t, file)
+
 manage_dirs_pattern(ddclient_t, ddclient_var_t, ddclient_var_t)
 manage_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t)
 manage_lnk_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t)
 manage_fifo_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t)
 manage_sock_files_pattern(ddclient_t, ddclient_var_t, ddclient_var_t)
-files_var_filetrans(ddclient_t, ddclient_var_t, { file lnk_file sock_file fifo_file })
 manage_files_pattern(ddclient_t, ddclient_var_lib_t, ddclient_var_lib_t)
-files_var_lib_filetrans(ddclient_t, ddclient_var_lib_t, file)
 manage_files_pattern(ddclient_t, ddclient_var_run_t, ddclient_var_run_t)
 files_pid_filetrans(ddclient_t, ddclient_var_run_t, file)
-kernel_read_system_state(ddclient_t)
-kernel_read_network_state(ddclient_t)
-kernel_read_software_raid_state(ddclient_t)
 kernel_getattr_core_if(ddclient_t)
 kernel_getattr_message_if(ddclient_t)
 kernel_read_kernel_sysctls(ddclient_t)
+kernel_read_network_state(ddclient_t)
+kernel_read_software_raid_state(ddclient_t)
+kernel_read_system_state(ddclient_t)
+kernel_search_network_sysctl(ddclient_t)
 corecmd_exec_shell(ddclient_t)
 corecmd_exec_bin(ddclient_t)
@@ -74,8 +86,9 @@ corenet_tcp_sendrecv_generic_node(ddclient_t)
 corenet_udp_sendrecv_generic_node(ddclient_t)
 corenet_tcp_sendrecv_all_ports(ddclient_t)
 corenet_udp_sendrecv_all_ports(ddclient_t)
-corenet_tcp_connect_all_ports(ddclient_t)
+
 corenet_sendrecv_all_client_packets(ddclient_t)
+corenet_tcp_connect_all_ports(ddclient_t)
 dev_read_sysfs(ddclient_t)
 dev_read_urand(ddclient_t)
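Review bot: `setattr_files_pattern(ddclient_t, ddclient_etc_t, ddclient_etc_t)` lets the daemon change the mode and ownership of its own configuration file, the file that holds the update-service login and password per ddclient.fc, and nothing in the hunk says why the daemon needs more than the read access it had before. If this is only so ddclient can tighten the permissions of a too-open ddclient.conf, put that above the rule, e.g. `# ddclient resets the mode of a group/world-readable ddclient.conf — confirm against the packaged version`; if the daemon does not do that, the rule only lets a compromised ddclient loosen the mode of its credential file and should be dropped (or turned into a dontaudit if it merely silences noise). The dropped `files_var_filetrans`/`files_var_lib_filetrans` rules mean a file ddclient_t creates directly under /var or /var/lib now keeps the parent's label instead of ddclient_var_t/ddclient_var_lib_t, which is presumably intended because the daemon is expected to write only inside the /var/cache/ddclient and /var/lib/ddt-client trees labeled in ddclient.fc; a one-line comment stating that those directories must pre-exist with their labels would save the next reader the same reconstruction.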
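Review bot: `corenet_tcp_connect_all_ports(ddclient_t)` survives the reorder on the new side and lets the daemon open a TCP connection to any port, although a dynamic-DNS updater only needs to reach its update service over HTTP(S). If the catch-all is deliberate because users point ddclient at providers on non-standard ports, a comment above the line should say so; otherwise narrow it to `corenet_tcp_connect_http_port(ddclient_t)` so that a compromised ddclient cannot be used as a generic outbound TCP client from this domain. The matching `corenet_tcp_sendrecv_all_ports`/`corenet_udp_sendrecv_all_ports` lines just above are unchanged by this commit and would want the same narrowing if the connect rule is tightened.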