From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id 8A07A138010 for ; Tue, 2 Oct 2012 18:25:37 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id B426F21C031; Tue, 2 Oct 2012 18:11:23 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) by pigeon.gentoo.org (Postfix) with ESMTP id 6AC5321C02F for ; Tue, 2 Oct 2012 18:11:13 +0000 (UTC) Received: from hornbill.gentoo.org (hornbill.gentoo.org [94.100.119.163]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 29A3433D766 for ; Tue, 2 Oct 2012 18:11:05 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by hornbill.gentoo.org (Postfix) with ESMTP id 99109E5458 for ; Tue, 2 Oct 2012 18:11:01 +0000 (UTC) 
From: "Sven Vermeulen" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" Message-ID: <1349201247.8725e760d87969766e0353cd32e814b28ef92fb5.SwifT@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/contrib/games.fc policy/modules/contrib/games.if policy/modules/contrib/games.te X-VCS-Directories: policy/modules/contrib/ X-VCS-Committer: SwifT X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: 8725e760d87969766e0353cd32e814b28ef92fb5 X-VCS-Branch: master Date: Tue, 2 Oct 2012 18:11:01 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: 04650cce-eca0-4293-bbac-8c818c68bc2b X-Archives-Hash: a1fa46f525edda41276ea3b407365c48 commit: 8725e760d87969766e0353cd32e814b28ef92fb5 Author: Dominick Grift gmail com> AuthorDate: Tue Oct 2 08:06:58 2012 +0000 Commit: Sven Vermeulen siphos be> CommitDate: Tue Oct 2 18:07:27 2012 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=8725e760 Changes to the games policy module Use role attributes Module clean up Signed-off-by: Dominick Grift gmail.com> --- policy/modules/contrib/games.fc | 66 +++++++++++++++++--------------------- policy/modules/contrib/games.if | 20 ++++++----- policy/modules/contrib/games.te | 21 ++++++------ 3 files changed, 51 insertions(+), 56 deletions(-) diff --git a/policy/modules/contrib/games.fc b/policy/modules/contrib/games.fc index 78dc515..5e2e4f2 100644 --- a/policy/modules/contrib/games.fc +++ b/policy/modules/contrib/games.fc 
@@ -1,33 +1,18 @@
-#
-# /usr
-#
-/usr/lib/games(/.*)? gen_context(system_u:object_r:games_exec_t,s0)
-/usr/games/.* -- gen_context(system_u:object_r:games_exec_t,s0)
-
-#
-# /var
-#
-/var/lib/games(/.*)? gen_context(system_u:object_r:games_data_t,s0)
-/var/games(/.*)? gen_context(system_u:object_r:games_data_t,s0)
-
-ifndef(`distro_debian',`
-/usr/bin/micq -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/atlantik -- gen_context(system_u:object_r:games_exec_t,s0)
 /usr/bin/blackjack -- gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/gataxx -- gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/glines -- gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/gnect -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/civclient.* -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/civserver.* -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/gataxx -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/glines -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/gnect -- gen_context(system_u:object_r:games_exec_t,s0)
 /usr/bin/gnibbles -- gen_context(system_u:object_r:games_exec_t,s0)
 /usr/bin/gnobots2 -- gen_context(system_u:object_r:games_exec_t,s0)
 /usr/bin/gnome-stones -- gen_context(system_u:object_r:games_exec_t,s0)
 /usr/bin/gnomine -- gen_context(system_u:object_r:games_exec_t,s0)
 /usr/bin/gnotravex -- gen_context(system_u:object_r:games_exec_t,s0)
 /usr/bin/gnotski -- gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/gtali -- gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/iagno -- gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/mahjongg -- gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/same-gnome -- gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/sol -- gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/atlantik -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/gtali -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/iagno -- gen_context(system_u:object_r:games_exec_t,s0)
 /usr/bin/kasteroids -- gen_context(system_u:object_r:games_exec_t,s0)
 /usr/bin/katomic -- gen_context(system_u:object_r:games_exec_t,s0)
 /usr/bin/kbackgammon -- gen_context(system_u:object_r:games_exec_t,s0)
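Review bot: Removing the `ifndef(`distro_debian',`` wrapper here (its closing `')dnl end non-Debian section` is dropped in the next hunk, `@@ -39,28 +24,37 @@`) makes every `/usr/bin/...` games_exec_t context unconditional, so Debian builds now label these paths where they were deliberately excluded before. The commit message only lists "Use role attributes" and "Module clean up" and does not mention this labeling change. If it is intentional, it deserves a sentence in the message; if not, the guard should be kept around the `/usr/bin/` entries while the sort order and the `/usr/games`, `/usr/lib/games`, `/var/games` and `/var/lib/games` moves stay as they are.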
@@ -39,28 +24,37 @@ ifndef(`distro_debian',`
 /usr/bin/kgoldrunner -- gen_context(system_u:object_r:games_exec_t,s0)
 /usr/bin/kjumpingcube -- gen_context(system_u:object_r:games_exec_t,s0)
 /usr/bin/klickety -- gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/klines -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/klines -- gen_context(system_u:object_r:games_exec_t,s0)
 /usr/bin/kmahjongg -- gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/kmines -- gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/kolf -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kmines -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kolf -- gen_context(system_u:object_r:games_exec_t,s0)
 /usr/bin/konquest -- gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/kpat -- gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/kpoker -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kpat -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kpoker -- gen_context(system_u:object_r:games_exec_t,s0)
 /usr/bin/kreversi -- gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/ksame -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/ksame -- gen_context(system_u:object_r:games_exec_t,s0)
 /usr/bin/kshisen -- gen_context(system_u:object_r:games_exec_t,s0)
 /usr/bin/ksirtet -- gen_context(system_u:object_r:games_exec_t,s0)
 /usr/bin/ksmiletris -- gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/ksnake -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/ksnake -- gen_context(system_u:object_r:games_exec_t,s0)
 /usr/bin/ksokoban -- gen_context(system_u:object_r:games_exec_t,s0)
 /usr/bin/kspaceduel -- gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/ktron -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/ktron -- gen_context(system_u:object_r:games_exec_t,s0)
 /usr/bin/ktuberling -- gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/kwin4 -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/kwin4 -- gen_context(system_u:object_r:games_exec_t,s0)
 /usr/bin/kwin4proc -- gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/lskat -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/lskat -- gen_context(system_u:object_r:games_exec_t,s0)
 /usr/bin/lskatproc -- gen_context(system_u:object_r:games_exec_t,s0)
 /usr/bin/Maelstrom -- gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/civclient.* -- gen_context(system_u:object_r:games_exec_t,s0)
-/usr/bin/civserver.* -- gen_context(system_u:object_r:games_exec_t,s0)
-')dnl end non-Debian section
+/usr/bin/mahjongg -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/micq -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/same-gnome -- gen_context(system_u:object_r:games_exec_t,s0)
+/usr/bin/sol -- gen_context(system_u:object_r:games_exec_t,s0)
+
+/usr/games/.* -- gen_context(system_u:object_r:games_exec_t,s0)
+
+/usr/lib/games(/.*)? gen_context(system_u:object_r:games_exec_t,s0)
+
+/var/games(/.*)? gen_context(system_u:object_r:games_data_t,s0)
+
+/var/lib/games(/.*)? gen_context(system_u:object_r:games_data_t,s0)
diff --git a/policy/modules/contrib/games.if b/policy/modules/contrib/games.if
index 7ac736d..f6fc226 100644
--- a/policy/modules/contrib/games.if
+++ b/policy/modules/contrib/games.if
@@ -1,39 +1,40 @@ -## Games +## Various games. -############################################################ +######################################## ## -## Role access for games +## Role access for games. ## ## ## -## Role allowed access +## Role allowed access. ## ## ## ## -## User domain for the role +## User domain for the role. ## ## # interface(`games_role',` gen_require(` + attribute_role games_roles; type games_t, games_exec_t; ') - role $1 types games_t; + roleattribute $1 games_roles; domtrans_pattern($2, games_exec_t, games_t) + allow $2 games_t:unix_stream_socket connectto; allow games_t $2:unix_stream_socket connectto; - # Allow the user domain to signal/ps. ps_process_pattern($2, games_t) - allow $2 games_t:process signal_perms; + allow $2 games_t:process { ptrace signal_perms }; ') ######################################## ## -## Allow the specified domain to read/write +## Read and write games data files. ## games data. ## ## @@ -47,5 +48,6 @@ interface(`games_rw_data',` type games_data_t; ') + files_search_var_lib($1) rw_files_pattern($1, games_data_t, games_data_t) ') diff --git a/policy/modules/contrib/games.te b/policy/modules/contrib/games.te index b73d33c..0c08250 100644 --- a/policy/modules/contrib/games.te +++ b/policy/modules/contrib/games.te @@ -1,15 +1,18 @@ -policy_module(games, 2.2.0) +policy_module(games, 2.2.1) ######################################## # # Declarations # +attribute_role games_roles; + type games_t; type games_exec_t; typealias games_t alias { user_games_t staff_games_t sysadm_games_t }; typealias games_t alias { auditadm_games_t secadm_games_t }; userdom_user_application_domain(games_t, games_exec_t) +role games_roles types games_t; type games_data_t; typealias games_data_t alias { user_games_data_t staff_games_data_t sysadm_games_data_t }; 
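Review bot: `allow $2 games_t:process { ptrace signal_perms };` in `games_role` widens what every calling user domain may do to the games domain from signalling and ps to tracing it, and together with the new `allow $2 games_t:unix_stream_socket connectto;` this is a permission addition rather than the "clean up" the commit message describes. This may be harmonising the interface with other role interfaces in the tree, but the message should say so, or the narrower `allow $2 games_t:process signal_perms;` should stay. The removed `# Allow the user domain to signal/ps.` was the only explanation of that block; if ptrace stays, a replacement like `# Allow the user domain to ps, signal and trace the games domain.` keeps the intent readable. Further down in the same hunk, the rewritten summary `## Read and write games data files.` is still followed by the unchanged context line `## games data.`, which should be deleted so the rendered documentation for `games_rw_data` does not end in a dangling fragment.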
@@ -23,8 +26,6 @@ typealias games_devpts_t alias { auditadm_games_devpts_t secadm_games_devpts_t } term_pty(games_devpts_t) ubac_constrained(games_devpts_t) -# games_srv_t is for system operation of games, generic games daemons and -# games recovery scripts type games_srv_t; init_system_domain(games_srv_t, games_exec_t) @@ -91,7 +92,7 @@ optional_policy(` ######################################## # -# Local policy +# Client local policy # allow games_t self:sem create_sem_perms; @@ -123,22 +124,21 @@ corecmd_exec_bin(games_t) corenet_all_recvfrom_unlabeled(games_t) corenet_all_recvfrom_netlabel(games_t) corenet_tcp_sendrecv_generic_if(games_t) -corenet_udp_sendrecv_generic_if(games_t) corenet_tcp_sendrecv_generic_node(games_t) -corenet_udp_sendrecv_generic_node(games_t) corenet_tcp_sendrecv_all_ports(games_t) -corenet_udp_sendrecv_all_ports(games_t) corenet_tcp_bind_generic_node(games_t) + +corenet_sendrecv_generic_server_packets(games_t) corenet_tcp_bind_generic_port(games_t) -corenet_tcp_connect_generic_port(games_t) + corenet_sendrecv_generic_client_packets(games_t) -corenet_sendrecv_generic_server_packets(games_t) +corenet_tcp_connect_generic_port(games_t) dev_read_sound(games_t) -dev_write_sound(games_t) dev_read_input(games_t) dev_read_mouse(games_t) dev_read_urand(games_t) +dev_write_sound(games_t) files_list_var(games_t) files_search_var_lib(games_t) @@ -160,7 +160,6 @@ userdom_manage_user_tmp_dirs(games_t) userdom_manage_user_tmp_files(games_t) userdom_manage_user_tmp_symlinks(games_t) userdom_manage_user_tmp_sockets(games_t) -# Suppress .icons denial until properly implemented userdom_dontaudit_read_user_home_content_files(games_t) tunable_policy(`allow_execmem',`
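Review bot: The two comment lines describing `games_srv_t` ("system operation of games, generic games daemons and games recovery scripts") are removed without a replacement, leaving the module's only init-launched type undocumented; the same happens in `@@ -160,7 +160,6 @@`, where `# Suppress .icons denial until properly implemented` is dropped above `userdom_dontaudit_read_user_home_content_files(games_t)`, so the reason for that dontaudit is lost. Neither removal is called for by the role-attribute change. Keeping a one-liner in each place, e.g. `# games_srv_t: system operation of games, game daemons and recovery scripts` and `# Dontaudit .icons reads until properly implemented`, preserves the rationale for the next reader.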
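Review bot: In `@@ -123,22 +124,21 @@` the lines `corenet_udp_sendrecv_generic_if(games_t)`, `corenet_udp_sendrecv_generic_node(games_t)` and `corenet_udp_sendrecv_all_ports(games_t)` are deleted with no replacement, which revokes all UDP traffic for games_t; the rest of the hunk is a reorder of the TCP and packet rules plus moving `dev_write_sound(games_t)`. Tightening to TCP-only is a reasonable least-privilege change, but it is a functional change hidden inside a "Module clean up" commit and should be stated in the message. After deployment, `udp_socket` AVC denials from games_t would be the signal that a game still relies on the removed rules.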