From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id 19F27138200 for ; Sat, 6 Oct 2012 15:57:27 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 75E11E04C8; Sat, 6 Oct 2012 15:56:39 +0000 (UTC)
Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) by pigeon.gentoo.org (Postfix) with ESMTP id 78170E0507 for ; Sat, 6 Oct 2012 15:56:38 +0000 (UTC)
Received: from hornbill.gentoo.org (hornbill.gentoo.org [94.100.119.163]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 9E51733D77F for ; Sat, 6 Oct 2012 15:56:37 +0000 (UTC)
Received: from localhost.localdomain (localhost [127.0.0.1]) by hornbill.gentoo.org (Postfix) with ESMTP id 2C5F6E5441 for ; Sat, 6 Oct 2012 15:56:36 +0000 (UTC)
From: "Sven Vermeulen"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen"
Message-ID: <1349537703.c51d33d0f6eb4b63d5da3f715de2933df0ecbd53.SwifT@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: /
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: mandb.fc mandb.if mandb.te
X-VCS-Directories: /
X-VCS-Committer: SwifT
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: c51d33d0f6eb4b63d5da3f715de2933df0ecbd53
X-VCS-Branch: master
Date: Sat, 6 Oct 2012 15:56:36 +0000 (UTC)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: c4e5bd55-47e2-4568-8d78-251c2a5e4bf5
X-Archives-Hash: 5d57612274d59fee4535d1faed41b6e5

commit:     c51d33d0f6eb4b63d5da3f715de2933df0ecbd53
Author:     Dominick Grift gmail com>
AuthorDate: Fri Oct  5 07:15:49 2012 +0000
Commit:     Sven Vermeulen siphos be>
CommitDate: Sat Oct  6 15:35:03 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=c51d33d0

Initial mandb policy module

man-db is an implementation of the standard Unix documentation system accessed using the man command. It uses a Berkeley DB database in place of the traditional flat-text whatis databases.

Ported from Fedora with changes

Signed-off-by: Dominick Grift gmail.com>

---
 mandb.fc |  4 +++
 mandb.if | 78 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 mandb.te | 42 +++++++++++++++++++++++++++++++++
 3 files changed, 124 insertions(+), 0 deletions(-)

diff --git a/mandb.fc b/mandb.fc
new file mode 100644
index 0000000..e4864f3
--- /dev/null
+++ b/mandb.fc
@@ -0,0 +1,4 @@ +/etc/cron.daily/man-db\.cron -- gen_context(system_u:object_r:mandb_exec_t,s0) + +# file context conflict with spec in miscfiles. remove comment when the spec in miscfiles is removed +# /var/cache/man(/.*)? gen_context(system_u:object_r:mandb_cache_t,s0) diff --git a/mandb.if b/mandb.if new file mode 100644 index 0000000..56306c6 --- /dev/null +++ b/mandb.if @@ -0,0 +1,78 @@ +## On-line manual database. + +######################################## +## +## Execute the mandb program in +## the mandb domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`mandb_domtrans',` + gen_require(` + type mandb_t, mandb_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, mandb_exec_t, mandb_t) +') + +######################################## +## +## Execute mandb in the mandb +## domain, and allow the specified +## role the mandb domain. +## +## +## +## Domain allowed to transition. +## +## +## +## +## Role allowed access. +## +## +# +interface(`mandb_run',` + gen_require(` + attribute_role mandb_roles; + ') + + lightsquid_domtrans($1) + roleattribute $2 mandb_roles; +') + +######################################## +## +## All of the rules required to +## administrate an mandb environment. +## +## +## +## Domain allowed access. +## +## +## +## +## Role allowed access. +## +## +## +# +interface(`mandb_admin',` + gen_require(` + type mandb_t, mandb_cache_t; + ') + + allow $1 mandb_t:process { ptrace signal_perms }; + ps_process_pattern($1, mandb_t) + + mandb_run($1, $2) + + files_search_var($1) + admin_pattern($1, mandb_cache_t) +') diff --git a/mandb.te b/mandb.te new file mode 100644 index 0000000..3009005 --- /dev/null +++ b/mandb.te 
@@ -0,0 +1,42 @@ +policy_module(mandb, 1.0.0) + +######################################## +# +# Declarations +# + +attribute_role mandb_roles; +roleattribute system_r mandb_roles; + +type mandb_t; +type mandb_exec_t; +application_domain(mandb_t, mandb_exec_t) +role mandb_roles types mandb_t; + +type mandb_cache_t; +files_type(mandb_cache_t) + +######################################## +# +# Local policy +# + +allow mandb_t self:process signal; +allow mandb_t self:fifo_file rw_fifo_file_perms; +allow mandb_t self:unix_stream_socket create_stream_socket_perms; + +manage_dirs_pattern(mandb_t, mandb_cache_t, mandb_cache_t) +manage_files_pattern(mandb_t, mandb_cache_t, mandb_cache_t) +manage_lnk_files_pattern(mandb_t, mandb_cache_t, mandb_cache_t) + +kernel_read_system_state(mandb_t) + +corecmd_exec_bin(mandb_t) + +domain_use_interactive_fds(mandb_t) + +files_read_etc_files(mandb_t) + +optional_policy(` + cron_system_entry(mandb_t, mandb_exec_t) +')
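Review bot: In the mandb.fc hunk, the only active spec labels the cron script mandb_exec_t; the /var/cache/man spec that would label the cache mandb_cache_t is commented out because of the conflict with miscfiles. That leaves mandb_cache_t declared and used by the three manage_*_pattern rules in mandb.te but assigned to nothing on disk, while mandb_t gets no access at all to whatever type miscfiles currently puts on /var/cache/man, so the daily cron run will be denied when it tries to write its database. Either drop the conflicting miscfiles spec in the same change or call the matching miscfiles interface for mandb_t until it is dropped; a commented-out line is easy to forget and does not make the module work as shipped.

Review bot: In the mandb.if hunk, `mandb_run` calls `lightsquid_domtrans($1)` where it should call `mandb_domtrans($1)`; this looks like a leftover from copying the lightsquid module. As written, `mandb_run` (and `mandb_admin`, which calls it) grants the role no transition into mandb_t, adds an unintended dependency on the lightsquid module, and hands the caller a transition into lightsquid's domain instead. Replace the line with `mandb_domtrans($1)`.

Review bot: In the mandb.te hunk, mandb_t manages mandb_cache_t but never gets `files_search_var(mandb_t)`, so even once the cache is labelled it cannot traverse /var to reach /var/cache/man; note that `mandb_admin` in mandb.if does call `files_search_var($1)` before `admin_pattern`, and the domain itself needs the same. The module also grants nothing for reading the manual pages mandb indexes (the commit message describes it as indexing the Unix documentation system); consider adding `miscfiles_read_man_pages(mandb_t)` alongside `files_read_etc_files(mandb_t)`.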