From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id 6974F138010 for ; Thu, 4 Oct 2012 17:36:44 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 83304E06FD; Thu, 4 Oct 2012 17:36:16 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) by pigeon.gentoo.org (Postfix) with ESMTP id 3F0B4E070C for ; Thu, 4 Oct 2012 17:36:16 +0000 (UTC) Received: from hornbill.gentoo.org (hornbill.gentoo.org [94.100.119.163]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 2316B33C3DD for ; Thu, 4 Oct 2012 17:36:15 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by hornbill.gentoo.org (Postfix) with ESMTP id 24512E5450 for ; Thu, 4 Oct 2012 17:36:13 +0000 (UTC) 
From: "Sven Vermeulen" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" Message-ID: <1349371923.1d3f2e896069ed851f4a2e5185393c1b973826ae.SwifT@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/contrib/chronyd.if policy/modules/contrib/chronyd.te policy/modules/contrib/gpm.fc policy/modules/contrib/gpsd.fc policy/modules/contrib/gpsd.if policy/modules/contrib/gpsd.te X-VCS-Directories: policy/modules/contrib/ X-VCS-Committer: SwifT X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: 1d3f2e896069ed851f4a2e5185393c1b973826ae X-VCS-Branch: master Date: Thu, 4 Oct 2012 17:36:13 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: 6383c293-411e-4cf6-bef5-3ff9612ed188 X-Archives-Hash: 31178600fea263e99a524f025271f6f5 commit: 1d3f2e896069ed851f4a2e5185393c1b973826ae Author: Dominick Grift gmail com> AuthorDate: Thu Oct 4 10:07:06 2012 +0000 Commit: Sven Vermeulen siphos be> CommitDate: Thu Oct 4 17:32:03 2012 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=1d3f2e89 Changes to the gpsd policy module and relevant dependencies Ported from Fedora with changes Signed-off-by: Dominick Grift gmail.com>
---
 policy/modules/contrib/chronyd.if | 62 +++++++++++++++++++++++++++++++++++++
 policy/modules/contrib/chronyd.te | 2 +-
 policy/modules/contrib/gpm.fc | 2 +-
 policy/modules/contrib/gpsd.fc | 2 +-
 policy/modules/contrib/gpsd.if | 43 ++++++++++++++++++++++++--
 policy/modules/contrib/gpsd.te | 34 ++++++++++++++++----
 6 files changed, 132 insertions(+), 13 deletions(-)
diff --git a/policy/modules/contrib/chronyd.if b/policy/modules/contrib/chronyd.if
index b64ec10..0bf3ca7 100644
--- a/policy/modules/contrib/chronyd.if
+++ b/policy/modules/contrib/chronyd.if
@@ -76,6 +76,68 @@ interface(`chronyd_read_log',`
 read_files_pattern($1, chronyd_var_log_t, chronyd_var_log_t)
 ')
+########################################
+##
+## Read and write chronyd shared memory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`chronyd_rw_shm',`
+ gen_require(`
+ type chronyd_t, chronyd_tmpfs_t;
+ ')
+
+ allow $1 chronyd_t:shm rw_shm_perms;
+ allow $1 chronyd_tmpfs_t:dir list_dir_perms;
+ rw_files_pattern($1, chronyd_tmpfs_t, chronyd_tmpfs_t)
+ read_lnk_files_pattern($1, chronyd_tmpfs_t, chronyd_tmpfs_t)
+ fs_search_tmpfs($1)
+')
+
+########################################
+##
+## Connect to chronyd using a unix
+## domain stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`chronyd_stream_connect',`
+ gen_require(`
+ type chronyd_t, chronyd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyd_t)
+')
+
+########################################
+##
+## Send to chronyd using a unix domain
+## datagram socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`chronyd_dgram_send',`
+ gen_require(`
+ type chronyd_t, chronyd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ dgram_send_pattern($1, chronyd_var_run_t, chronyd_var_run_t, chronyd_t)
+')
+
 ####################################
 ##
 ## All of the rules required to
diff --git a/policy/modules/contrib/chronyd.te b/policy/modules/contrib/chronyd.te
index 2b4fe4e..8582a53 100644
--- a/policy/modules/contrib/chronyd.te
+++ b/policy/modules/contrib/chronyd.te
@@ -1,4 +1,4 @@
-policy_module(chronyd, 1.1.2)
+policy_module(chronyd, 1.1.3)
 ########################################
 #
diff --git a/policy/modules/contrib/gpm.fc b/policy/modules/contrib/gpm.fc
index fea6fa4..184680b 100644
--- a/policy/modules/contrib/gpm.fc
+++ b/policy/modules/contrib/gpm.fc
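Review bot: `chronyd_rw_shm` grants the caller write access to `chronyd_t:shm` and to every file labelled `chronyd_tmpfs_t`, yet its summary only says "Read and write chronyd shared memory." and gives no hint of the trust this implies. Whatever a caller writes there is presumably consumed by chronyd as timing input, so the doc block should say so, for example `##	Write access lets the caller change data chronyd reads; grant only to trusted time sources.` inside the summary. `chronyd_stream_connect` and `chronyd_dgram_send` both name `chronyd_var_run_t` as the socket file type; the file contexts are not part of this hunk, so it is worth confirming that chronyd's socket really carries that label.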
@@ -8,4 +8,4 @@
 /usr/sbin/gpm -- gen_context(system_u:object_r:gpm_exec_t,s0)
-/var/run/gpm\.pid -- gen_context(system_u:object_r:gpm_var_run_t,s0)
\ No newline at end of file
+/var/run/gpm\.pid -- gen_context(system_u:object_r:gpm_var_run_t,s0)
diff --git a/policy/modules/contrib/gpsd.fc b/policy/modules/contrib/gpsd.fc
index 5e81e33..21be63d 100644
--- a/policy/modules/contrib/gpsd.fc
+++ b/policy/modules/contrib/gpsd.fc
@@ -1,6 +1,6 @@
 /etc/rc\.d/init\.d/gpsd -- gen_context(system_u:object_r:gpsd_initrc_exec_t,s0)
-/usr/sbin/gpsd -- gen_context(system_u:object_r:gpsd_exec_t,s0)
+/usr/sbin/gpsd -- gen_context(system_u:object_r:gpsd_exec_t,s0)
 /var/run/gpsd\.pid -- gen_context(system_u:object_r:gpsd_var_run_t,s0)
 /var/run/gpsd\.sock -s gen_context(system_u:object_r:gpsd_var_run_t,s0)
diff --git a/policy/modules/contrib/gpsd.if b/policy/modules/contrib/gpsd.if
index c0ee676..92eb564 100644
--- a/policy/modules/contrib/gpsd.if
+++ b/policy/modules/contrib/gpsd.if
@@ -1,4 +1,4 @@
-## gpsd monitor daemon
+## gpsd monitor daemon.
 ########################################
 ## ##
@@ -15,6 +15,7 @@ interface(`gpsd_domtrans',`
 type gpsd_t, gpsd_exec_t;
 ')
+ corecmd_search_bin($1)
 domtrans_pattern($1, gpsd_exec_t, gpsd_t)
 ')
@@ -36,11 +37,11 @@ interface(`gpsd_domtrans',`
 #
 interface(`gpsd_run',`
 gen_require(`
- type gpsd_t;
+ attribute_role gpsd_roles;
 ')
 gpsd_domtrans($1)
- role $2 types gpsd_t;
+ roleattribute $2 gpsd_roles;
 ')
 ########################################
@@ -64,3 +65,39 @@ interface(`gpsd_rw_shm',`
 read_lnk_files_pattern($1, gpsd_tmpfs_t, gpsd_tmpfs_t)
 fs_search_tmpfs($1)
 ')
+
+########################################
+##
+## All of the rules required to
+## administrate an gpsd environment.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`gpsd_admin',`
+ gen_require(`
+ type gpsd_t, gpsd_initrc_exec_t, gpsd_var_run_t;
+ ')
+
+ allow $1 gpsd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, gpsd_t)
+
+ init_labeled_script_domtrans($1, gpsd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 gpsd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_search_pids($1)
+ admin_pattern($1, gpsd_var_run_t)
+
+ gpsd_run($1, $2)
+')
diff --git a/policy/modules/contrib/gpsd.te b/policy/modules/contrib/gpsd.te
index 03742d8..25f09ae 100644
--- a/policy/modules/contrib/gpsd.te
+++ b/policy/modules/contrib/gpsd.te
@@ -1,14 +1,17 @@
-policy_module(gpsd, 1.1.0)
+policy_module(gpsd, 1.1.1)
 ########################################
 #
 # Declarations
 #
+attribute_role gpsd_roles;
+
 type gpsd_t;
 type gpsd_exec_t;
 application_domain(gpsd_t, gpsd_exec_t)
 init_daemon_domain(gpsd_t, gpsd_exec_t)
+role gpsd_roles types gpsd_t;
 type gpsd_initrc_exec_t;
 init_script_file(gpsd_initrc_exec_t)
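Review bot: In `gpsd_admin`, `allow $1 gpsd_t:process { ptrace signal_perms };` gives the admin domain unconditional ptrace over a daemon that, per gpsd.te in this same commit, holds `setuid`, `setgid` and `sys_time`. Ptrace lets the caller act with everything gpsd_t is allowed, which is more than signalling or inspecting the process requires. Consider keeping `allow $1 gpsd_t:process signal_perms;` unconditional and placing `ptrace` behind a ptrace tunable if this tree provides one. The interface also applies `admin_pattern` only to `gpsd_var_run_t`, while `gpsd_tmpfs_t` (visible in the `gpsd_rw_shm` context lines above) is left out, which may be an oversight. Minor: the summary should read "a gpsd environment" rather than "an gpsd environment".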
@@ -21,14 +24,15 @@ files_pid_file(gpsd_var_run_t)
 ########################################
 #
-# gpsd local policy
+# Local policy
 #
-allow gpsd_t self:capability { fowner fsetid setuid setgid sys_nice sys_tty_config };
-allow gpsd_t self:process setsched;
+allow gpsd_t self:capability { fowner fsetid setuid setgid sys_nice sys_time sys_tty_config };
+dontaudit gpsd_t self:capability { dac_read_search dac_override };
+allow gpsd_t self:process { setsched signal_perms };
 allow gpsd_t self:shm create_shm_perms;
-allow gpsd_t self:unix_dgram_socket { create_socket_perms sendto };
-allow gpsd_t self:tcp_socket create_stream_socket_perms;
+allow gpsd_t self:unix_dgram_socket sendto;
+allow gpsd_t self:tcp_socket { accept listen };
 manage_dirs_pattern(gpsd_t, gpsd_tmpfs_t, gpsd_tmpfs_t)
 manage_files_pattern(gpsd_t, gpsd_tmpfs_t, gpsd_tmpfs_t)
@@ -38,13 +42,23 @@ manage_files_pattern(gpsd_t, gpsd_var_run_t, gpsd_var_run_t)
 manage_sock_files_pattern(gpsd_t, gpsd_var_run_t, gpsd_var_run_t)
 files_pid_filetrans(gpsd_t, gpsd_var_run_t, { file sock_file })
+kernel_list_proc(gpsd_t)
+kernel_request_load_module(gpsd_t)
+
 corenet_all_recvfrom_unlabeled(gpsd_t)
 corenet_all_recvfrom_netlabel(gpsd_t)
 corenet_tcp_sendrecv_generic_if(gpsd_t)
 corenet_tcp_sendrecv_generic_node(gpsd_t)
-corenet_tcp_sendrecv_all_ports(gpsd_t)
 corenet_tcp_bind_all_nodes(gpsd_t)
+
+corenet_sendrecv_gpsd_server_packets(gpsd_t)
 corenet_tcp_bind_gpsd_port(gpsd_t)
+corenet_tcp_sendrecv_gpsd_port(gpsd_t)
+
+dev_read_sysfs(gpsd_t)
+dev_rw_realtime_clock(gpsd_t)
+
+domain_dontaudit_read_all_domains_state(gpsd_t)
 term_use_unallocated_ttys(gpsd_t)
 term_setattr_unallocated_ttys(gpsd_t)
@@ -56,6 +70,12 @@ logging_send_syslog_msg(gpsd_t)
 miscfiles_read_localization(gpsd_t)
 optional_policy(`
+ chronyd_rw_shm(gpsd_t)
+ chronyd_stream_connect(gpsd_t)
+ chronyd_dgram_send(gpsd_t)
+')
+
+optional_policy(`
 dbus_system_bus_client(gpsd_t)
 ')
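Review bot: The capability line in the "Local policy" hunk now includes `sys_time`, and the next hunk adds `dev_rw_realtime_clock(gpsd_t)`, so a daemon that accepts TCP connections can set the system clock itself. Neither the commit message nor a comment says why this is needed when the same commit also lets gpsd hand data to chronyd. If it is required, a one-line comment above the capability rule stating the reason would make the grant reviewable; otherwise both should be dropped. The new `dontaudit gpsd_t self:capability { dac_read_search dac_override };` suppresses the audit records for DAC-bypass attempts, so it deserves a comment naming what triggers them. The visible rules also no longer grant `create` on `tcp_socket` or `unix_dgram_socket`; presumably an interface outside this hunk supplies it, which is worth confirming.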
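Review bot: `kernel_request_load_module(gpsd_t)` in the second gpsd.te rules hunk lets a network-facing daemon trigger kernel module auto-loading, which widens the kernel attack surface reachable from gpsd_t, and the hunk gives no reason for it. If it only answers a denial seen while gpsd opens a receiver device, say so in a comment above the line, or use a dontaudit instead if gpsd works without the module load. `domain_dontaudit_read_all_domains_state(gpsd_t)` likewise hides denials for reads of other domains' process state and should carry the same kind of one-line justification.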