From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id 39B58138010 for ; Tue, 2 Oct 2012 18:22:56 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 8AFAE21C014; Tue, 2 Oct 2012 18:11:12 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) by pigeon.gentoo.org (Postfix) with ESMTP id 4A07221C014 for ; Tue, 2 Oct 2012 18:11:07 +0000 (UTC) Received: from hornbill.gentoo.org (hornbill.gentoo.org [94.100.119.163]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 8647033D2A8 for ; Tue, 2 Oct 2012 18:11:00 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by hornbill.gentoo.org (Postfix) with ESMTP id 382CFE5441 for ; Tue, 2 Oct 2012 18:10:59 +0000 (UTC) From: "Sven Vermeulen" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" Message-ID: <1349200974.d19c2a5dc791e022562c83830830abe673930b78.SwifT@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/contrib/dnsmasq.fc policy/modules/contrib/dnsmasq.if policy/modules/contrib/dnsmasq.te policy/modules/contrib/virt.if policy/modules/contrib/virt.te X-VCS-Directories: policy/modules/contrib/ X-VCS-Committer: SwifT X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: d19c2a5dc791e022562c83830830abe673930b78 X-VCS-Branch: master Date: Tue, 2 Oct 2012 18:10:59 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: 9814b0dc-1d06-4597-bbe6-6b8cfe6bade9 X-Archives-Hash: f69a47fffb0cd6652f8979250d98bb3e commit: d19c2a5dc791e022562c83830830abe673930b78 Author: Dominick Grift gmail com> AuthorDate: Sat Sep 29 08:30:50 2012 +0000 Commit: Sven Vermeulen siphos be> CommitDate: Tue Oct 2 18:02:54 2012 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=d19c2a5d Changes to the dnsmasq policy module and relevant dependencies Ported from Fedora with changes. Signed-off-by: Dominick Grift gmail.com> --- policy/modules/contrib/dnsmasq.fc | 13 +++++++------ policy/modules/contrib/dnsmasq.if | 28 ++++++++++++++++------------ policy/modules/contrib/dnsmasq.te | 32 ++++++++++++++++++++++---------- policy/modules/contrib/virt.if | 36 ++++++++++++++++++++++++++++++++++++ policy/modules/contrib/virt.te | 2 +- 5 files changed, 82 insertions(+), 29 deletions(-) diff --git a/policy/modules/contrib/dnsmasq.fc b/policy/modules/contrib/dnsmasq.fc index b886676..1840808 100644 --- a/policy/modules/contrib/dnsmasq.fc +++ b/policy/modules/contrib/dnsmasq.fc @@ -1,12 +1,13 @@ -/etc/dnsmasq\.conf -- gen_context(system_u:object_r:dnsmasq_etc_t, s0) +/etc/dnsmasq\.conf -- gen_context(system_u:object_r:dnsmasq_etc_t,s0) + /etc/rc\.d/init\.d/dnsmasq -- gen_context(system_u:object_r:dnsmasq_initrc_exec_t,s0) -/usr/sbin/dnsmasq -- gen_context(system_u:object_r:dnsmasq_exec_t,s0) +/usr/sbin/dnsmasq -- gen_context(system_u:object_r:dnsmasq_exec_t,s0) /var/lib/misc/dnsmasq\.leases -- gen_context(system_u:object_r:dnsmasq_lease_t,s0) -/var/lib/dnsmasq(/.*)? gen_context(system_u:object_r:dnsmasq_lease_t,s0) +/var/lib/dnsmasq(/.*)? gen_context(system_u:object_r:dnsmasq_lease_t,s0) -/var/log/dnsmasq\.log gen_context(system_u:object_r:dnsmasq_var_log_t,s0) +/var/log/dnsmasq.* -- gen_context(system_u:object_r:dnsmasq_var_log_t,s0) -/var/run/dnsmasq\.pid -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0) -/var/run/libvirt/network(/.*)? gen_context(system_u:object_r:dnsmasq_var_run_t,s0) +/var/run/dnsmasq\.pid -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0) +/var/run/libvirt/network(/.*)? gen_context(system_u:object_r:dnsmasq_var_run_t,s0) diff --git a/policy/modules/contrib/dnsmasq.if b/policy/modules/contrib/dnsmasq.if index 9bd812b..8da726e 100644 --- a/policy/modules/contrib/dnsmasq.if +++ b/policy/modules/contrib/dnsmasq.if @@ -1,4 +1,4 @@ -## dnsmasq DNS forwarder and DHCP server +## DNS forwarder and DHCP server. ######################################## ## @@ -22,7 +22,8 @@ interface(`dnsmasq_domtrans',` ######################################## ## -## Execute the dnsmasq init script in the init script domain. +## Execute the dnsmasq init script in +## the init script domain. ## ## ## @@ -41,7 +42,7 @@ interface(`dnsmasq_initrc_domtrans',` ######################################## ## -## Send dnsmasq a signal +## Send generic signals to dnsmasq. ## ## ## @@ -60,7 +61,7 @@ interface(`dnsmasq_signal',` ######################################## ## -## Send dnsmasq a signull +## Send null signals to dnsmasq. ## ## ## @@ -79,7 +80,7 @@ interface(`dnsmasq_signull',` ######################################## ## -## Send dnsmasq a kill signal. +## Send kill signals to dnsmasq. ## ## ## @@ -117,7 +118,7 @@ interface(`dnsmasq_read_config',` ######################################## ## -## Write to dnsmasq config files. +## Write dnsmasq config files. ## ## ## @@ -136,7 +137,7 @@ interface(`dnsmasq_write_config',` ######################################## ## -## Delete dnsmasq pid files +## Delete dnsmasq pid files. ## ## ## @@ -155,7 +156,7 @@ interface(`dnsmasq_delete_pid_files',` ######################################## ## -## Read dnsmasq pid files +## Read dnsmasq pid files. ## ## ## @@ -174,8 +175,8 @@ interface(`dnsmasq_read_pid_files',` ######################################## ## -## All of the rules required to administrate -## an dnsmasq environment +## All of the rules required to +## administrate an dnsmasq environment. ## ## ## @@ -184,7 +185,7 @@ interface(`dnsmasq_read_pid_files',` ## ## ## -## The role to be allowed to manage the dnsmasq domain. +## Role allowed access. ## ## ## @@ -192,7 +193,7 @@ interface(`dnsmasq_read_pid_files',` interface(`dnsmasq_admin',` gen_require(` type dnsmasq_t, dnsmasq_lease_t, dnsmasq_var_run_t; - type dnsmasq_initrc_exec_t; + type dnsmasq_initrc_exec_t, dnsmasq_var_log_t; ') allow $1 dnsmasq_t:process { ptrace signal_perms }; @@ -206,6 +207,9 @@ interface(`dnsmasq_admin',` files_list_var_lib($1) admin_pattern($1, dnsmasq_lease_t) + logging_seearch_logs($1) + admin_pattern($1, dnsmasq_var_log_t) + files_list_pids($1) admin_pattern($1, dnsmasq_var_run_t) ') diff --git a/policy/modules/contrib/dnsmasq.te b/policy/modules/contrib/dnsmasq.te index fdaeeba..aef646e 100644 --- a/policy/modules/contrib/dnsmasq.te +++ b/policy/modules/contrib/dnsmasq.te @@ -1,4 +1,4 @@ -policy_module(dnsmasq, 1.9.0) +policy_module(dnsmasq, 1.9.1) ######################################## # @@ -33,26 +33,28 @@ allow dnsmasq_t self:capability { chown dac_override net_admin setgid setuid net dontaudit dnsmasq_t self:capability sys_tty_config; allow dnsmasq_t self:process { getcap setcap signal_perms }; allow dnsmasq_t self:fifo_file rw_fifo_file_perms; -allow dnsmasq_t self:netlink_route_socket { bind create nlmsg_read read write }; -allow dnsmasq_t self:tcp_socket create_stream_socket_perms; -allow dnsmasq_t self:udp_socket create_socket_perms; +allow dnsmasq_t self:tcp_socket { accept listen }; allow dnsmasq_t self:packet_socket create_socket_perms; allow dnsmasq_t self:rawip_socket create_socket_perms; read_files_pattern(dnsmasq_t, dnsmasq_etc_t, dnsmasq_etc_t) -# dhcp leases manage_files_pattern(dnsmasq_t, dnsmasq_lease_t, dnsmasq_lease_t) files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file) -manage_files_pattern(dnsmasq_t, dnsmasq_var_log_t, dnsmasq_var_log_t) +allow dnsmasq_t dnsmasq_var_log_t:file append_file_perms; +allow dnsmasq_t dnsmasq_var_log_t:file create_file_perms; +allow dnsmasq_t dnsmasq_var_log_t:file setattr_file_perms; logging_log_filetrans(dnsmasq_t, dnsmasq_var_log_t, file) +manage_dirs_pattern(dnsmasq_t, dnsmasq_var_run_t, dnsmasq_var_run_t) manage_files_pattern(dnsmasq_t, dnsmasq_var_run_t, dnsmasq_var_run_t) -files_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, file) +files_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, { dir file }) kernel_read_kernel_sysctls(dnsmasq_t) +kernel_read_network_state(dnsmasq_t) kernel_read_system_state(dnsmasq_t) +kernel_request_load_module(dnsmasq_t) corenet_all_recvfrom_unlabeled(dnsmasq_t) corenet_all_recvfrom_netlabel(dnsmasq_t) @@ -66,17 +68,17 @@ corenet_tcp_sendrecv_all_ports(dnsmasq_t) corenet_udp_sendrecv_all_ports(dnsmasq_t) corenet_tcp_bind_generic_node(dnsmasq_t) corenet_udp_bind_generic_node(dnsmasq_t) -corenet_tcp_bind_dns_port(dnsmasq_t) -corenet_udp_bind_all_ports(dnsmasq_t) + corenet_sendrecv_dns_server_packets(dnsmasq_t) +corenet_tcp_bind_dns_port(dnsmasq_t) corenet_sendrecv_dhcpd_server_packets(dnsmasq_t) +corenet_udp_bind_all_ports(dnsmasq_t) dev_read_sysfs(dnsmasq_t) dev_read_urand(dnsmasq_t) domain_use_interactive_fds(dnsmasq_t) -files_read_etc_files(dnsmasq_t) files_read_etc_runtime_files(dnsmasq_t) fs_getattr_all_fs(dnsmasq_t) @@ -96,10 +98,19 @@ optional_policy(` ') optional_policy(` + dbus_connect_system_bus(dnsmasq_t) dbus_system_bus_client(dnsmasq_t) ') optional_policy(` + networkmanager_read_pid_files(dnsmasq_t) +') + +optional_policy(` + ppp_read_pid_files(dnsmasq_t) +') + +optional_policy(` seutil_sigchld_newrole(dnsmasq_t) ') @@ -114,4 +125,5 @@ optional_policy(` optional_policy(` virt_manage_lib_files(dnsmasq_t) virt_read_pid_files(dnsmasq_t) + virt_pid_filetrans(dnsmasq_t, dnsmasq_var_run_t, { dir file }) ') diff --git a/policy/modules/contrib/virt.if b/policy/modules/contrib/virt.if index d50f826..8879895 100644 --- a/policy/modules/contrib/virt.if +++ b/policy/modules/contrib/virt.if @@ -348,6 +348,42 @@ interface(`virt_manage_lib_files',` ######################################## ## +## Create objects in virt pid +## directories with a private type. +## +## +## +## Domain allowed access. +## +## +## +## +## The type of the object to be created. +## +## +## +## +## The object class of the object being created. +## +## +## +## +## The name of the object being created. +## +## +## +# +interface(`virt_pid_filetrans',` + gen_require(` + type virt_var_run_t; + ') + + files_search_pids($1) + filetrans_pattern($1, virt_var_run_t, $2, $3, $4) +') + +######################################## +## ## Allow the specified domain to read virt's log files. ## ## diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te index 53428f9..a3aa08e 100644 --- a/policy/modules/contrib/virt.te +++ b/policy/modules/contrib/virt.te @@ -1,4 +1,4 @@ -policy_module(virt, 1.5.2) +policy_module(virt, 1.5.3) ######################################## #