From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id 61C96138010 for ; Tue, 2 Oct 2012 18:24:03 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 8C6E921C010; Tue, 2 Oct 2012 18:11:23 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) by pigeon.gentoo.org (Postfix) with ESMTP id 4742421C010 for ; Tue, 2 Oct 2012 18:11:13 +0000 (UTC) Received: from hornbill.gentoo.org (hornbill.gentoo.org [94.100.119.163]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 1619B33D71C for ; Tue, 2 Oct 2012 18:11:05 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by hornbill.gentoo.org (Postfix) with ESMTP id 24BE6E5455 for ; Tue, 2 Oct 2012 18:11:01 +0000 (UTC) 
From: "Sven Vermeulen" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" Message-ID: <1349201230.0e55ec371ae7abf780d77b5a9bc98ee345b203c9.SwifT@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/contrib/firstboot.fc policy/modules/contrib/firstboot.if policy/modules/contrib/firstboot.te X-VCS-Directories: policy/modules/contrib/ X-VCS-Committer: SwifT X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: 0e55ec371ae7abf780d77b5a9bc98ee345b203c9 X-VCS-Branch: master Date: Tue, 2 Oct 2012 18:11:01 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: 352e991d-9206-4624-be03-c43baf10052b X-Archives-Hash: 489971792d659f14b383858fb704e5f0 commit: 0e55ec371ae7abf780d77b5a9bc98ee345b203c9 Author: Dominick Grift gmail com> AuthorDate: Mon Oct 1 08:46:42 2012 +0000 Commit: Sven Vermeulen siphos be> CommitDate: Tue Oct 2 18:07:10 2012 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=0e55ec37 Changes to the firstboot policy module Ported from Fedora Add init script file type Module clean up Signed-off-by: Dominick Grift gmail.com> --- policy/modules/contrib/firstboot.fc | 6 ++- policy/modules/contrib/firstboot.if | 33 +++++++++-------- policy/modules/contrib/firstboot.te | 68 +++++++++++++++------------------- 3 files changed, 51 insertions(+), 56 deletions(-) diff --git a/policy/modules/contrib/firstboot.fc b/policy/modules/contrib/firstboot.fc index ba614e4..12c782c 100644 --- a/policy/modules/contrib/firstboot.fc +++ b/policy/modules/contrib/firstboot.fc 
@@ -1,3 +1,5 @@ -/usr/sbin/firstboot -- gen_context(system_u:object_r:firstboot_exec_t,s0) +/etc/rc\.d/init\.d/firstboot.* -- gen_context(system_u:object_r:firstboot_initrc_exec_t,s0) -/usr/share/firstboot/firstboot\.py -- gen_context(system_u:object_r:firstboot_exec_t,s0) +/usr/sbin/firstboot -- gen_context(system_u:object_r:firstboot_exec_t,s0) + +/usr/share/firstboot/firstboot\.py -- gen_context(system_u:object_r:firstboot_exec_t,s0) diff --git a/policy/modules/contrib/firstboot.if b/policy/modules/contrib/firstboot.if index 8fa451c..280f875 100644 --- a/policy/modules/contrib/firstboot.if +++ b/policy/modules/contrib/firstboot.if @@ -1,7 +1,4 @@ -## -## Final system configuration run during the first boot -## after installation of Red Hat/Fedora systems. -## +## Initial system configuration utility. ######################################## ## @@ -18,13 +15,15 @@ interface(`firstboot_domtrans',` type firstboot_t, firstboot_exec_t; ') + corecmd_search_bin($1) domtrans_pattern($1, firstboot_exec_t, firstboot_t) ') ######################################## ## -## Execute firstboot in the firstboot domain, and -## allow the specified role the firstboot domain. +## Execute firstboot in the firstboot +## domain, and allow the specified role +## the firstboot domain. ## ## ## @@ -39,16 +38,16 @@ interface(`firstboot_domtrans',` # interface(`firstboot_run',` gen_require(` - type firstboot_t; + attribute_role firstboot_roles; ') firstboot_domtrans($1) - role $2 types firstboot_t; + roleattribute $2 firstboot_roles; ') ######################################## ## -## Inherit and use a file descriptor from firstboot. +## Inherit and use firstboot file descriptors. ## ## ## @@ -66,8 +65,8 @@ interface(`firstboot_use_fds',` ######################################## ## -## Do not audit attempts to inherit a -## file descriptor from firstboot. +## Do not audit attempts to inherit +## firstboot file descriptors. ## ## ## 
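Review bot: The new `/etc/rc\.d/init\.d/firstboot.* -- gen_context(system_u:object_r:firstboot_initrc_exec_t,s0)` entry in firstboot.fc labels only the Fedora init-script path, so on this hardened-refpolicy tree an OpenRC script for firstboot would presumably stay unlabeled and never get `firstboot_initrc_exec_t`. If the module is meant to be usable on Gentoo, the usual fix is a second entry for the /etc/init.d path inside a distro_gentoo ifdef block; if firstboot is Fedora-only here, a one-line comment saying so would spare the next reader the check. The trailing `.*` also matches any file in that directory whose name starts with firstboot, which is the refpolicy convention for init scripts but worth being aware of.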
@@ -85,7 +84,7 @@ interface(`firstboot_dontaudit_use_fds',` ######################################## ## -## Write to a firstboot unnamed pipe. +## Write firstboot unnamed pipes. ## ## ## @@ -103,7 +102,7 @@ interface(`firstboot_write_pipes',` ######################################## ## -## Read and Write to a firstboot unnamed pipe. +## Read and Write firstboot unnamed pipes. ## ## ## @@ -121,7 +120,8 @@ interface(`firstboot_rw_pipes',` ######################################## ## -## Do not audit attemps to read and write to a firstboot unnamed pipe. +## Do not audit attemps to read and +## write firstboot unnamed pipes. ## ## ## @@ -139,8 +139,9 @@ interface(`firstboot_dontaudit_rw_pipes',` ######################################## ## -## Do not audit attemps to read and write to a firstboot -## unix domain stream socket. +## Do not audit attemps to read and +## write firstboot unix domain +## stream sockets. ## ## ## diff --git a/policy/modules/contrib/firstboot.te b/policy/modules/contrib/firstboot.te index c4d8998..5640772 100644 --- a/policy/modules/contrib/firstboot.te +++ b/policy/modules/contrib/firstboot.te @@ -1,7 +1,7 @@ -policy_module(firstboot, 1.12.0) +policy_module(firstboot, 1.12.1) gen_require(` - class passwd rootok; + class passwd { passwd chfn chsh rootok }; ') ######################################## @@ -9,12 +9,17 @@ gen_require(` # Declarations # +attribute_role firstboot_roles; + type firstboot_t; type firstboot_exec_t; init_system_domain(firstboot_t, firstboot_exec_t) domain_obj_id_change_exemption(firstboot_t) domain_subj_id_change_exemption(firstboot_t) -role system_r types firstboot_t; +role firstboot_roles types firstboot_t; + +type firstboot_initrc_exec_t; +init_script_file(firstboot_initrc_exec_t) type firstboot_etc_t; files_config_file(firstboot_etc_t) 
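Review bot: The rewrapped summaries in the -121 and -139 hunks of firstboot.if carry the pre-existing typo forward on the new side: `+## Do not audit attemps to read and` should read `## Do not audit attempts to read and` in both places. The -103 hunk also keeps the odd capitalisation `## Read and Write firstboot unnamed pipes.` while the sibling summaries use lower-case "read and write"; `## Read and write firstboot unnamed pipes.` would match them. These are the only lines in these hunks that are not pure rewrapping.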
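Review bot: The widened `class passwd { passwd chfn chsh rootok };` requirement in this hunk, the matching `allow firstboot_t self:passwd { rootok passwd chfn chsh };` in the -28 hunk and the removal of all `usermanage_domtrans_*` calls in the -112 hunk together change how firstboot modifies accounts, and nothing in the file says so. As I read `corecmd_exec_all_executables(firstboot_t)`, passwd/chfn/chsh/useradd now presumably execute in firstboot_t itself instead of transitioning to the usermanage domains, and the self:passwd rule satisfies those programs' own userspace access checks. I do not see any rule granting firstboot_t write access to the shadow file, so outside the `unconfined_domain(firstboot_t)` optional block the account changes would presumably still be denied; either a shadow-write interface for firstboot_t or a comment stating the dependency is needed. I would add above the self:passwd rule: `# passwd/chfn/chsh run in firstboot_t (no usermanage transition); shadow writes rely on the unconfined_domain() optional`.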
@@ -28,22 +33,28 @@ allow firstboot_t self:capability { dac_override setgid }; allow firstboot_t self:process setfscreate; allow firstboot_t self:fifo_file rw_fifo_file_perms; allow firstboot_t self:tcp_socket create_stream_socket_perms; -allow firstboot_t self:unix_stream_socket { connect create }; -allow firstboot_t self:passwd rootok; +allow firstboot_t self:unix_stream_socket create_socket_perms; +allow firstboot_t self:passwd { rootok passwd chfn chsh }; allow firstboot_t firstboot_etc_t:file read_file_perms; kernel_read_system_state(firstboot_t) kernel_read_kernel_sysctls(firstboot_t) -corenet_all_recvfrom_unlabeled(firstboot_t) -corenet_all_recvfrom_netlabel(firstboot_t) -corenet_tcp_sendrecv_generic_if(firstboot_t) -corenet_tcp_sendrecv_generic_node(firstboot_t) -corenet_tcp_sendrecv_all_ports(firstboot_t) +corecmd_exec_all_executables(firstboot_t) dev_read_urand(firstboot_t) +files_exec_etc_files(firstboot_t) +files_manage_etc_files(firstboot_t) +files_manage_etc_runtime_files(firstboot_t) +files_read_usr_files(firstboot_t) +files_manage_var_dirs(firstboot_t) +files_manage_var_files(firstboot_t) +files_manage_var_symlinks(firstboot_t) +files_create_boot_flag(firstboot_t) +files_delete_boot_flag(firstboot_t) + selinux_get_fs_mount(firstboot_t) selinux_validate_context(firstboot_t) selinux_compute_access_vector(firstboot_t) @@ -53,16 +64,6 @@ selinux_compute_user_contexts(firstboot_t) auth_dontaudit_getattr_shadow(firstboot_t) -corecmd_exec_all_executables(firstboot_t) - -files_exec_etc_files(firstboot_t) -files_manage_etc_files(firstboot_t) -files_manage_etc_runtime_files(firstboot_t) -files_read_usr_files(firstboot_t) -files_manage_var_dirs(firstboot_t) -files_manage_var_files(firstboot_t) -files_manage_var_symlinks(firstboot_t) - init_domtrans_script(firstboot_t) init_rw_utmp(firstboot_t) 
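Review bot: The new `files_create_boot_flag(firstboot_t)` and `files_delete_boot_flag(firstboot_t)` lines near the end of this hunk are the only additions whose purpose is not evident from the surrounding rules; a short why-comment such as `# create and clear the run-once flag file that gates firstboot` (naming the actual flag) would help. Separately, once the five `corenet_*` rules are dropped, the retained context line `allow firstboot_t self:tcp_socket create_stream_socket_perms;` is left with no interface, node or port access in this file beyond what `sysnet_dns_name_resolve(firstboot_t)` in the -75 hunk brings, so either that rule is now redundant with sysnet_dns_name_resolve or firstboot has lost TCP access it previously had. The commit message does not say which was intended, and a comment on the retained line would settle it.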
@@ -75,13 +76,9 @@ logging_send_syslog_msg(firstboot_t) miscfiles_read_localization(firstboot_t) -modutils_domtrans_insmod(firstboot_t) -modutils_domtrans_depmod(firstboot_t) -modutils_read_module_config(firstboot_t) -modutils_read_module_deps(firstboot_t) +sysnet_dns_name_resolve(firstboot_t) userdom_use_user_terminals(firstboot_t) -# Add/remove user home directories userdom_manage_user_home_content_dirs(firstboot_t) userdom_manage_user_home_content_files(firstboot_t) userdom_manage_user_home_content_symlinks(firstboot_t) @@ -91,10 +88,6 @@ userdom_home_filetrans_user_home_dir(firstboot_t) userdom_user_home_dir_filetrans_user_home_content(firstboot_t, { dir file lnk_file fifo_file sock_file }) optional_policy(` - consoletype_domtrans(firstboot_t) -') - -optional_policy(` dbus_system_bus_client(firstboot_t) optional_policy(` @@ -103,6 +96,13 @@ optional_policy(` ') optional_policy(` + modutils_domtrans_insmod(firstboot_t) + modutils_domtrans_depmod(firstboot_t) + modutils_read_module_config(firstboot_t) + modutils_read_module_deps(firstboot_t) +') + +optional_policy(` nis_use_ypbind(firstboot_t) ') @@ -112,19 +112,10 @@ optional_policy(` optional_policy(` unconfined_domtrans(firstboot_t) - # The big hammer unconfined_domain(firstboot_t) ') optional_policy(` - usermanage_domtrans_chfn(firstboot_t) - usermanage_domtrans_groupadd(firstboot_t) - usermanage_domtrans_passwd(firstboot_t) - usermanage_domtrans_useradd(firstboot_t) - usermanage_domtrans_admin_passwd(firstboot_t) -') - -optional_policy(` gnome_manage_config(firstboot_t) ') @@ -132,4 +123,5 @@ optional_policy(` xserver_domtrans(firstboot_t) xserver_rw_shm(firstboot_t) xserver_unconfined(firstboot_t) + xserver_stream_connect(firstboot_t) ')
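Review bot: Two explanatory comments are removed without replacement: `# Add/remove user home directories` above the `userdom_manage_user_home_content_*` rules in the -75 hunk, and `# The big hammer` above `unconfined_domain(firstboot_t)` in the -112 hunk. The second one was the only in-file signal that, when the unconfined module is present, firstboot_t is effectively fully privileged and the fine-grained rules above it only matter without that module. I would keep a comment there, e.g. `# with the unconfined module loaded firstboot_t is unconfined; the rules above only constrain it without it`, and restore the home-directory comment as it was.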