From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id 5BEBF138010 for ; Fri, 28 Sep 2012 17:51:52 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 99B3BE0724; Fri, 28 Sep 2012 17:50:39 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) by pigeon.gentoo.org (Postfix) with ESMTP id 59884E071E for ; Fri, 28 Sep 2012 17:50:39 +0000 (UTC) Received: from hornbill.gentoo.org (hornbill.gentoo.org [94.100.119.163]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 7E01033C2E1 for ; Fri, 28 Sep 2012 17:50:38 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by hornbill.gentoo.org (Postfix) with ESMTP id 514B4E5452 for ; Fri, 28 Sep 2012 17:50:36 +0000 (UTC) 
From: "Sven Vermeulen" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" Message-ID: <1348854123.47a8f40ec73bd819767b06a155cdff7b5f756b4c.SwifT@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/contrib/dhcp.fc policy/modules/contrib/dhcp.if policy/modules/contrib/dhcp.te X-VCS-Directories: policy/modules/contrib/ X-VCS-Committer: SwifT X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: 47a8f40ec73bd819767b06a155cdff7b5f756b4c X-VCS-Branch: master Date: Fri, 28 Sep 2012 17:50:36 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: abdb9015-aefa-40f7-ae08-9aba37b68fee X-Archives-Hash: b025453c60a025aa9ab1f84521785e5b commit: 47a8f40ec73bd819767b06a155cdff7b5f756b4c Author: Dominick Grift gmail com> AuthorDate: Fri Sep 28 09:32:16 2012 +0000 Commit: Sven Vermeulen siphos be> CommitDate: Fri Sep 28 17:42:03 2012 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=47a8f40e Changes to the dhcpd policy module Ported from Fedora with changes Signed-off-by: Dominick Grift gmail.com> --- policy/modules/contrib/dhcp.fc | 4 +- policy/modules/contrib/dhcp.if | 17 +++++++------- policy/modules/contrib/dhcp.te | 46 +++++++++++++++++---------------------- 3 files changed, 31 insertions(+), 36 deletions(-) diff --git a/policy/modules/contrib/dhcp.fc b/policy/modules/contrib/dhcp.fc index 767e0c7..7956248 100644 --- a/policy/modules/contrib/dhcp.fc +++ b/policy/modules/contrib/dhcp.fc 
@@ -1,8 +1,8 @@ -/etc/rc\.d/init\.d/dhcpd -- gen_context(system_u:object_r:dhcpd_initrc_exec_t,s0) +/etc/rc\.d/init\.d/dhcpd(6)? -- gen_context(system_u:object_r:dhcpd_initrc_exec_t,s0) /usr/sbin/dhcpd.* -- gen_context(system_u:object_r:dhcpd_exec_t,s0) /var/lib/dhcpd(/.*)? gen_context(system_u:object_r:dhcpd_state_t,s0) /var/lib/dhcp(3)?/dhcpd\.leases.* -- gen_context(system_u:object_r:dhcpd_state_t,s0) -/var/run/dhcpd\.pid -- gen_context(system_u:object_r:dhcpd_var_run_t,s0) +/var/run/dhcpd(6)?\.pid -- gen_context(system_u:object_r:dhcpd_var_run_t,s0) diff --git a/policy/modules/contrib/dhcp.if b/policy/modules/contrib/dhcp.if index 5e2cea8..c697edb 100644 --- a/policy/modules/contrib/dhcp.if +++ b/policy/modules/contrib/dhcp.if @@ -1,8 +1,8 @@ -## Dynamic host configuration protocol (DHCP) server +## Dynamic host configuration protocol server. ######################################## ## -## Transition to dhcpd. +## Execute a domain transition to run dhcpd. ## ## ## @@ -21,8 +21,8 @@ interface(`dhcpd_domtrans',` ######################################## ## -## Set the attributes of the DCHP -## server state files. +## Set attributes of dhcpd server +## state files. ## ## ## @@ -60,8 +60,8 @@ interface(`dhcpd_initrc_domtrans',` ######################################## ## -## All of the rules required to administrate -## an dhcp environment +## All of the rules required to +## administrate an dhcpd environment. ## ## ## @@ -70,14 +70,14 @@ interface(`dhcpd_initrc_domtrans',` ## ## ## -## The role to be allowed to manage the dhcp domain. +## Role allowed access. ## ## ## # interface(`dhcpd_admin',` gen_require(` - type dhcpd_t; type dhcpd_tmp_t; type dhcpd_state_t; + type dhcpd_t, dhcpd_tmp_t, dhcpd_state_t; type dhcpd_var_run_t, dhcpd_initrc_exec_t; ') @@ -92,6 +92,7 @@ interface(`dhcpd_admin',` files_list_tmp($1) admin_pattern($1, dhcpd_tmp_t) + files_list_var_lib($1) admin_pattern($1, dhcpd_state_t) files_list_pids($1) 
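Review bot: The dhcpd6 coverage added in the dhcp.fc hunk stops at the init script and the PID file; the unchanged lease pattern `/var/lib/dhcp(3)?/dhcpd\.leases.*` still matches only `dhcpd.leases*`. If the IPv6 daemon keeps a `dhcpd6.leases` file in `/var/lib/dhcp` (not visible from this hunk), a relabel would presumably give that file the directory's default type rather than `dhcpd_state_t`, and dhcpd would then depend on whatever access it has to that other type. Consider widening the pattern the same way, `/var/lib/dhcp(3)?/dhcpd(6)?\.leases.*`, or add a comment stating that dhcpd6 state is expected only under `/var/lib/dhcpd(/.*)?`.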
diff --git a/policy/modules/contrib/dhcp.te b/policy/modules/contrib/dhcp.te index ed07b26..c93c3db 100644 --- a/policy/modules/contrib/dhcp.te +++ b/policy/modules/contrib/dhcp.te @@ -1,4 +1,4 @@ -policy_module(dhcp, 1.10.0) +policy_module(dhcp, 1.10.1) ######################################## # @@ -6,9 +6,10 @@ policy_module(dhcp, 1.10.0) # ## -##

-## Allow DHCP daemon to use LDAP backends -##

+##

+## Determine whether DHCP daemon +## can use LDAP backends. +##

##
gen_tunable(dhcpd_use_ldap, false) @@ -33,30 +34,26 @@ files_pid_file(dhcpd_var_run_t) # Local policy # -allow dhcpd_t self:capability { net_raw sys_resource }; +allow dhcpd_t self:capability { chown dac_override sys_chroot net_raw setgid setuid sys_resource }; dontaudit dhcpd_t self:capability { net_admin sys_tty_config }; -allow dhcpd_t self:process signal_perms; +allow dhcpd_t self:process { getcap setcap signal_perms }; allow dhcpd_t self:fifo_file rw_fifo_file_perms; -allow dhcpd_t self:unix_dgram_socket create_socket_perms; -allow dhcpd_t self:unix_stream_socket create_socket_perms; -allow dhcpd_t self:tcp_socket create_stream_socket_perms; -allow dhcpd_t self:udp_socket create_socket_perms; -# Allow dhcpd_t to use packet sockets +allow dhcpd_t self:tcp_socket { accept listen }; allow dhcpd_t self:packet_socket create_socket_perms; allow dhcpd_t self:rawip_socket create_socket_perms; -can_exec(dhcpd_t, dhcpd_exec_t) - manage_files_pattern(dhcpd_t, dhcpd_state_t, dhcpd_state_t) sysnet_dhcp_state_filetrans(dhcpd_t, dhcpd_state_t, file) manage_dirs_pattern(dhcpd_t, dhcpd_tmp_t, dhcpd_tmp_t) manage_files_pattern(dhcpd_t, dhcpd_tmp_t, dhcpd_tmp_t) -files_tmp_filetrans(dhcpd_t, dhcpd_tmp_t, { file dir }) +files_tmp_filetrans(dhcpd_t, dhcpd_tmp_t, { dir file }) manage_files_pattern(dhcpd_t, dhcpd_var_run_t, dhcpd_var_run_t) files_pid_filetrans(dhcpd_t, dhcpd_var_run_t, file) +can_exec(dhcpd_t, dhcpd_exec_t) + kernel_read_system_state(dhcpd_t) kernel_read_kernel_sysctls(dhcpd_t) kernel_read_network_state(dhcpd_t) 
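Review bot: The new `allow dhcpd_t self:capability` line grants `chown dac_override sys_chroot setgid setuid` on every distribution, where the old policy gave them only inside the `distro_gentoo` ifdef block that the last dhcp.te hunk removes, and `getcap setcap` is new on the `self:process` line. `dac_override` lets the daemon bypass discretionary file permission checks, so once it is granted a compromised dhcpd is held back only by the type enforcement rules. Each of these grants deserves a one-line rationale above the rule, for example `# chown/setuid/setgid/sys_chroot: dhcpd drops root and chroots after startup` if that is the reason, and `dac_override` should be dropped if testing shows no denial without it. The same hunk removes the `self:udp_socket`, `self:unix_dgram_socket` and `self:unix_stream_socket` rules and narrows `self:tcp_socket` to `{ accept listen }`. That presumably relies on an interface called outside this hunk to supply socket creation, which should be confirmed against AVC denials before the change ships.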
@@ -73,16 +70,21 @@ corenet_tcp_sendrecv_all_ports(dhcpd_t) corenet_udp_sendrecv_all_ports(dhcpd_t) corenet_tcp_bind_generic_node(dhcpd_t) corenet_udp_bind_generic_node(dhcpd_t) + +corenet_sendrecv_dhcpd_server_packets(dhcpd_t) corenet_tcp_bind_dhcpd_port(dhcpd_t) corenet_udp_bind_dhcpd_port(dhcpd_t) -corenet_udp_bind_pxe_port(dhcpd_t) -corenet_tcp_connect_all_ports(dhcpd_t) -corenet_sendrecv_dhcpd_server_packets(dhcpd_t) + corenet_sendrecv_pxe_server_packets(dhcpd_t) +corenet_udp_bind_pxe_port(dhcpd_t) + corenet_sendrecv_all_client_packets(dhcpd_t) -# Needed to detect open number of interfaces (common/discover.c::begin_iface_scan) +corenet_tcp_connect_all_ports(dhcpd_t) + corenet_udp_bind_all_unreserved_ports(dhcpd_t) +corecmd_exec_bin(dhcpd_t) + dev_read_sysfs(dhcpd_t) dev_read_rand(dhcpd_t) dev_read_urand(dhcpd_t) @@ -90,11 +92,8 @@ dev_read_urand(dhcpd_t) fs_getattr_all_fs(dhcpd_t) fs_search_auto_mountpoints(dhcpd_t) -corecmd_exec_bin(dhcpd_t) - domain_use_interactive_fds(dhcpd_t) -files_read_etc_files(dhcpd_t) files_read_usr_files(dhcpd_t) files_read_etc_runtime_files(dhcpd_t) files_search_var_lib(dhcpd_t) @@ -110,16 +109,11 @@ sysnet_read_dhcp_config(dhcpd_t) userdom_dontaudit_use_unpriv_user_fds(dhcpd_t) userdom_dontaudit_search_user_home_dirs(dhcpd_t) -ifdef(`distro_gentoo',` - allow dhcpd_t self:capability { chown dac_override setgid setuid sys_chroot }; -') - tunable_policy(`dhcpd_use_ldap',` sysnet_use_ldap(dhcpd_t) ') optional_policy(` - # used for dynamic DNS bind_read_dnssec_keys(dhcpd_t) ')
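Review bot: The `@@ -73,16 +70,21 @@` hunk deletes the comment `# Needed to detect open number of interfaces (common/discover.c::begin_iface_scan)` that stood directly above `corenet_udp_bind_all_unreserved_ports(dhcpd_t)`, leaving one of the broadest network grants in the module without a stated reason. The last hunk does the same to `# used for dynamic DNS` above `bind_read_dnssec_keys(dhcpd_t)`, a rule that gives the daemon read access to DNSSEC key material. Anyone auditing this policy for least privilege needs those reasons to judge whether a rule can later be tightened or moved behind a tunable. I would keep both comments next to the rules they explain, and add a similar one-line reason above `corenet_tcp_connect_all_ports(dhcpd_t)`, which the regrouping keeps without explanation.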