From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id B2A78138010 for ; Tue, 2 Oct 2012 18:25:17 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id AE42621C02F; Tue, 2 Oct 2012 18:11:23 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) by pigeon.gentoo.org (Postfix) with ESMTP id 6185C21C02C for ; Tue, 2 Oct 2012 18:11:18 +0000 (UTC) Received: from hornbill.gentoo.org (hornbill.gentoo.org [94.100.119.163]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 95D7733D784 for ; Tue, 2 Oct 2012 18:11:05 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by hornbill.gentoo.org (Postfix) with ESMTP id 13938E5436 for ; Tue, 2 Oct 2012 18:11:02 +0000 (UTC) 
From: "Sven Vermeulen" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" Message-ID: <1349201267.79bc0312e32c580b2d05fab4f194886cc9f9e0af.SwifT@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/contrib/gift.fc policy/modules/contrib/gift.if policy/modules/contrib/gift.te X-VCS-Directories: policy/modules/contrib/ X-VCS-Committer: SwifT X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: 79bc0312e32c580b2d05fab4f194886cc9f9e0af X-VCS-Branch: master Date: Tue, 2 Oct 2012 18:11:02 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: d9d4479a-99b3-42f5-9216-f6b9c1f88f6f X-Archives-Hash: b791fc3077c0ce641a4aa624a2336563
commit: 79bc0312e32c580b2d05fab4f194886cc9f9e0af
Author: Dominick Grift gmail com>
AuthorDate: Tue Oct 2 09:57:54 2012 +0000
Commit: Sven Vermeulen siphos be>
CommitDate: Tue Oct 2 18:07:47 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=79bc0312
Changes to the gift policy module Use role attributes Module clean up
Signed-off-by: Dominick Grift gmail.com>
---
policy/modules/contrib/gift.fc | 10 +++++-----
policy/modules/contrib/gift.if | 22 ++++++++++------------
policy/modules/contrib/gift.te | 28 +++++++++++++++-------------
3 files changed, 30 insertions(+), 30 deletions(-)
diff --git a/policy/modules/contrib/gift.fc b/policy/modules/contrib/gift.fc
index df7ced4..e27fa51 100644
--- a/policy/modules/contrib/gift.fc
+++ b/policy/modules/contrib/gift.fc
@@ -1,6 +1,6 @@
-HOME_DIR/\.giFT(/.*)? gen_context(system_u:object_r:gift_home_t,s0)
+HOME_DIR/\.giFT(/.*)? gen_context(system_u:object_r:gift_home_t,s0)
-/usr/(local/)?bin/apollon -- gen_context(system_u:object_r:gift_exec_t,s0)
-/usr/(local/)?bin/giftd -- gen_context(system_u:object_r:giftd_exec_t,s0)
-/usr/(local/)?bin/giftui -- gen_context(system_u:object_r:gift_exec_t,s0)
-/usr/(local/)?bin/giFToxic -- gen_context(system_u:object_r:gift_exec_t,s0)
+/usr/bin/apollon -- gen_context(system_u:object_r:gift_exec_t,s0)
+/usr/bin/giftd -- gen_context(system_u:object_r:giftd_exec_t,s0)
+/usr/bin/giftui -- gen_context(system_u:object_r:gift_exec_t,s0)
+/usr/bin/giFToxic -- gen_context(system_u:object_r:gift_exec_t,s0)
diff --git a/policy/modules/contrib/gift.if b/policy/modules/contrib/gift.if
index c9b90d3..37ed132 100644
--- a/policy/modules/contrib/gift.if
+++ b/policy/modules/contrib/gift.if
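Review bot: The four `+/usr/bin/...` entries drop the `(local/)?` alternative present on the removed lines, so apollon, giftd, giftui and giFToxic installed under /usr/local/bin no longer match and would presumably keep the generic bin label, in which case gift_role()'s domtrans_pattern into gift_t/giftd_t would not fire for them. The commit message ("Module clean up") does not mention this narrowing of the file contexts. If it is intended, say so in the message; otherwise keep the `/usr/(local/)?bin/` prefix on the new lines.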
@@ -1,42 +1,40 @@
-## giFT peer to peer file sharing tool
+## Peer to peer file sharing tool.
-############################################################
+########################################
 ##
-## Role access for gift
+## Role access for gift.
 ##
 ##
 ##
-## Role allowed access
+## Role allowed access.
 ##
 ##
 ##
 ##
-## User domain for the role
+## User domain for the role.
 ##
 ##
 #
 interface(`gift_role',`
 gen_require(`
- type gift_t, gift_exec_t;
+ attribute_role gift_roles;
+ type gift_t, gift_exec_t, gift_home_t;
 type giftd_t, giftd_exec_t;
- type gift_home_t;
 ')
- role $1 types { gift_t giftd_t };
+ roleattribute $1 gift_roles;
- # transition from user domain
 domtrans_pattern($2, gift_exec_t, gift_t)
 domtrans_pattern($2, giftd_exec_t, giftd_t)
- # user managed content
 manage_dirs_pattern($2, gift_home_t, gift_home_t)
 manage_files_pattern($2, gift_home_t, gift_home_t)
 manage_lnk_files_pattern($2, gift_home_t, gift_home_t)
+ relabel_dirs_pattern($2, gift_home_t, gift_home_t)
 relabel_files_pattern($2, gift_home_t, gift_home_t)
 relabel_lnk_files_pattern($2, gift_home_t, gift_home_t)
- # Allow the user domain to signal/ps.
 ps_process_pattern($2, { gift_t giftd_t })
- allow $2 { gift_t giftd_t }:process signal_perms;
+ allow $2 { gift_t giftd_t }:process { ptrace signal_perms };
 ')
diff --git a/policy/modules/contrib/gift.te b/policy/modules/contrib/gift.te
index 4975343..ac25b97 100644
--- a/policy/modules/contrib/gift.te
+++ b/policy/modules/contrib/gift.te
@@ -1,15 +1,18 @@
-policy_module(gift, 2.3.0)
+policy_module(gift, 2.3.1)
 ########################################
 #
 # Declarations
 #
+attribute_role gift_roles;
+
 type gift_t;
 type gift_exec_t;
 typealias gift_t alias { user_gift_t staff_gift_t sysadm_gift_t };
 typealias gift_t alias { auditadm_gift_t secadm_gift_t };
 userdom_user_application_domain(gift_t, gift_exec_t)
+role gift_roles types gift_t;
 type gift_home_t;
 typealias gift_home_t alias { user_gift_home_t staff_gift_home_t sysadm_gift_home_t };
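Review bot: `+ allow $2 { gift_t giftd_t }:process { ptrace signal_perms };` grants the role's user domain ptrace on both gift domains, where the removed line granted only signal_perms, and the comment that explained the rule (`# Allow the user domain to signal/ps.`) is deleted in the same hunk. ptrace lets $2 inspect and alter the running client and daemon, so this is a widening that neither "Use role attributes" nor "Module clean up" announces; either mention it in the commit message or keep a comment on the rule, e.g. `# Allow the user domain to signal/ps/ptrace gift and giftd.`. Note also that with `role $1 types { gift_t giftd_t };` replaced by `roleattribute $1 gift_roles;`, the interface now relies on gift.te binding both gift_t and giftd_t to gift_roles for its two domtrans_pattern calls to be usable.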
@@ -26,10 +29,11 @@ type giftd_exec_t;
 typealias giftd_t alias { user_giftd_t staff_giftd_t sysadm_giftd_t };
 typealias giftd_t alias { auditadm_giftd_t secadm_giftd_t };
 userdom_user_application_domain(giftd_t, giftd_exec_t)
+role gift_roles types gift_t;
 ##############################
 #
-# giFT user interface local policy
+# Client local policy
 #
 allow gift_t self:tcp_socket create_socket_perms;
@@ -45,26 +49,23 @@ manage_files_pattern(gift_t, gift_home_t, gift_home_t)
 manage_lnk_files_pattern(gift_t, gift_home_t, gift_home_t)
 userdom_user_home_dir_filetrans(gift_t, gift_home_t, dir)
-# Launch gift daemon
 domtrans_pattern(gift_t, giftd_exec_t, giftd_t)
-# Read /proc/meminfo
 kernel_read_system_state(gift_t)
-# Connect to gift daemon
 corenet_all_recvfrom_unlabeled(gift_t)
 corenet_all_recvfrom_netlabel(gift_t)
 corenet_tcp_sendrecv_generic_if(gift_t)
 corenet_tcp_sendrecv_generic_node(gift_t)
-corenet_tcp_sendrecv_giftd_port(gift_t)
-corenet_tcp_connect_giftd_port(gift_t)
+
 corenet_sendrecv_giftd_client_packets(gift_t)
+corenet_tcp_connect_giftd_port(gift_t)
+corenet_tcp_sendrecv_giftd_port(gift_t)
 fs_search_auto_mountpoints(gift_t)
 sysnet_read_config(gift_t)
-# giftui looks in .icons, .themes.
 userdom_dontaudit_read_user_home_content_files(gift_t)
 tunable_policy(`use_nfs_home_dirs',`
@@ -89,7 +90,7 @@ optional_policy(`
 ##############################
 #
-# giFT server local policy
+# Server local policy
 #
 allow giftd_t self:process { signal setsched };
@@ -105,7 +106,6 @@ userdom_user_home_dir_filetrans(giftd_t, gift_home_t, dir)
 kernel_read_system_state(giftd_t)
 kernel_read_kernel_sysctls(giftd_t)
-# Serve content on various p2p networks. Ports can be random.
 corenet_all_recvfrom_unlabeled(giftd_t)
 corenet_all_recvfrom_netlabel(giftd_t)
 corenet_tcp_sendrecv_generic_if(giftd_t)
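Review bot: `+role gift_roles types gift_t;` in the `@@ -26,10 +29,11 @@` hunk is placed directly after `userdom_user_application_domain(giftd_t, giftd_exec_t)` yet names gift_t, repeating the line the `@@ -1,15 +1,18 @@` hunk already adds under gift_t's declaration, so giftd_t is never bound to gift_roles. Before this commit gift_role() did `role $1 types { gift_t giftd_t };`; after it the interface only does `roleattribute $1 gift_roles;` while still calling `domtrans_pattern($2, giftd_exec_t, giftd_t)`, so the transition into giftd_t would presumably be refused for lack of a role authorization on that type. The line should read `role gift_roles types giftd_t;`.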
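Review bot: The `@@ -45,26 +49,23 @@` hunk deletes the why-comments `# Read /proc/meminfo`, `# Connect to gift daemon` and `# giftui looks in .icons, .themes.` without replacing them, so the reasons for kernel_read_system_state(gift_t) and for the userdom_dontaudit_read_user_home_content_files(gift_t) dontaudit are no longer recorded next to the rules; the `@@ -105,7 +106,6 @@` hunk likewise drops `# Serve content on various p2p networks. Ports can be random.`, which justified giftd_t's all-ports rules, and the `@@ -116,14 +116,16 @@` hunk drops `# Read /etc/mtab`. Those rationale comments are worth keeping on the rules they explain so the broad network and dontaudit rules stay reviewable later. The other edits in these hunks reorder the corenet calls and look behavior-neutral.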
@@ -116,14 +116,16 @@ corenet_tcp_sendrecv_all_ports(giftd_t)
 corenet_udp_sendrecv_all_ports(giftd_t)
 corenet_tcp_bind_generic_node(giftd_t)
 corenet_udp_bind_generic_node(giftd_t)
+
+corenet_sendrecv_all_server_packets(giftd_t)
 corenet_tcp_bind_all_ports(giftd_t)
 corenet_udp_bind_all_ports(giftd_t)
-corenet_tcp_connect_all_ports(giftd_t)
+
 corenet_sendrecv_all_client_packets(giftd_t)
+corenet_tcp_connect_all_ports(giftd_t)
-files_read_usr_files(giftd_t)
-# Read /etc/mtab
 files_read_etc_runtime_files(giftd_t)
+files_read_usr_files(giftd_t)
 miscfiles_read_localization(giftd_t)