From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id 99AEB138010 for ; Sat, 27 Oct 2012 11:09:04 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 3931821C0B6; Sat, 27 Oct 2012 11:06:32 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) by pigeon.gentoo.org (Postfix) with ESMTP id A525821C0B6 for ; Sat, 27 Oct 2012 11:06:26 +0000 (UTC) Received: from hornbill.gentoo.org (hornbill.gentoo.org [94.100.119.163]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id C2F1033D945 for ; Sat, 27 Oct 2012 11:06:25 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by hornbill.gentoo.org (Postfix) with ESMTP id EE9B1E5450 for ; Sat, 27 Oct 2012 11:06:22 +0000 (UTC) 
From: "Sven Vermeulen" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" Message-ID: <1351335785.0c94624ee62bb1022d3b103d7597a3c1ba8b6f7c.SwifT@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/contrib/rwho.if policy/modules/contrib/rwho.te X-VCS-Directories: policy/modules/contrib/ X-VCS-Committer: SwifT X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: 0c94624ee62bb1022d3b103d7597a3c1ba8b6f7c X-VCS-Branch: master Date: Sat, 27 Oct 2012 11:06:22 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: 44d96550-f7dd-421e-8657-3d979b14f08c X-Archives-Hash: c99e75479ee46021e864b66789bf3f46 commit: 0c94624ee62bb1022d3b103d7597a3c1ba8b6f7c Author: Dominick Grift gmail com> AuthorDate: Thu Oct 25 12:26:47 2012 +0000 Commit: Sven Vermeulen siphos be> CommitDate: Sat Oct 27 11:03:05 2012 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=0c94624e Changes to the rwho policy module Ported from Fedora with changes Signed-off-by: Dominick Grift gmail.com> --- policy/modules/contrib/rwho.if | 19 ++++++++++--------- policy/modules/contrib/rwho.te | 22 +++++++++++++--------- 2 files changed, 23 insertions(+), 18 deletions(-) diff --git a/policy/modules/contrib/rwho.if b/policy/modules/contrib/rwho.if index 71ea0ea..0360ff0 100644 --- a/policy/modules/contrib/rwho.if +++ b/policy/modules/contrib/rwho.if @@ -15,6 +15,7 @@ interface(`rwho_domtrans',` type rwho_t, rwho_exec_t; ') + corecmd_search_bin($1) domtrans_pattern($1, rwho_exec_t, rwho_t) ') 
@@ -33,8 +34,8 @@ interface(`rwho_search_log',` type rwho_log_t; ') - allow $1 rwho_log_t:dir search_dir_perms; logging_search_logs($1) + allow $1 rwho_log_t:dir search_dir_perms; ') ######################################## @@ -52,9 +53,9 @@ interface(`rwho_read_log_files',` type rwho_log_t; ') - allow $1 rwho_log_t:file read_file_perms; - allow $1 rwho_log_t:dir list_dir_perms; logging_search_logs($1) + allow $1 rwho_log_t:dir list_dir_perms; + allow $1 rwho_log_t:file read_file_perms; ') ######################################## @@ -72,8 +73,8 @@ interface(`rwho_search_spool',` type rwho_spool_t; ') - allow $1 rwho_spool_t:dir search_dir_perms; files_search_spool($1) + allow $1 rwho_spool_t:dir search_dir_perms; ') ######################################## @@ -91,8 +92,8 @@ interface(`rwho_read_spool_files',` type rwho_spool_t; ') - read_files_pattern($1, rwho_spool_t, rwho_spool_t) files_search_spool($1) + read_files_pattern($1, rwho_spool_t, rwho_spool_t) ') ######################################## @@ -111,14 +112,14 @@ interface(`rwho_manage_spool_files',` type rwho_spool_t; ') - manage_files_pattern($1, rwho_spool_t, rwho_spool_t) files_search_spool($1) + manage_files_pattern($1, rwho_spool_t, rwho_spool_t) ') ######################################## ## -## All of the rules required to administrate -## an rwho environment +## All of the rules required to +## administrate an rwho environment. ## ## ## @@ -127,7 +128,7 @@ interface(`rwho_manage_spool_files',` ## ## ## -## The role allowed access. +## Role allowed access. ## ## ## diff --git a/policy/modules/contrib/rwho.te b/policy/modules/contrib/rwho.te index a07b2f4..9927d29 100644 --- a/policy/modules/contrib/rwho.te +++ b/policy/modules/contrib/rwho.te @@ -1,4 +1,4 @@ -policy_module(rwho, 1.6.0) +policy_module(rwho, 1.6.1) ######################################## # 
@@ -20,17 +20,16 @@ files_type(rwho_spool_t) ######################################## # -# rwho local policy +# Local policy # allow rwho_t self:capability sys_chroot; -allow rwho_t self:unix_dgram_socket create; -allow rwho_t self:fifo_file rw_file_perms; -allow rwho_t self:unix_stream_socket create_stream_socket_perms; -allow rwho_t self:udp_socket create_socket_perms; +allow rwho_t self:process signal; +allow rwho_t self:fifo_file rw_fifo_file_perms; +allow rwho_t self:unix_stream_socket { accept listen }; allow rwho_t rwho_log_t:dir manage_dir_perms; -allow rwho_t rwho_log_t:file manage_file_perms; +allow rwho_t rwho_log_t:file { append_file_perms create_file_perms setattr_file_perms }; logging_log_filetrans(rwho_t, rwho_log_t, { file dir }) allow rwho_t rwho_spool_t:dir manage_dir_perms; @@ -43,10 +42,11 @@ corenet_all_recvfrom_unlabeled(rwho_t) corenet_all_recvfrom_netlabel(rwho_t) corenet_udp_sendrecv_generic_if(rwho_t) corenet_udp_sendrecv_generic_node(rwho_t) -corenet_udp_sendrecv_all_ports(rwho_t) corenet_udp_bind_generic_node(rwho_t) -corenet_udp_bind_rwho_port(rwho_t) + corenet_sendrecv_rwho_server_packets(rwho_t) +corenet_udp_bind_rwho_port(rwho_t) +corenet_udp_sendrecv_rwho_port(rwho_t) domain_use_interactive_fds(rwho_t) @@ -55,6 +55,10 @@ files_read_etc_files(rwho_t) init_read_utmp(rwho_t) init_dontaudit_write_utmp(rwho_t) +logging_send_syslog_msg(rwho_t) + miscfiles_read_localization(rwho_t) sysnet_dns_name_resolve(rwho_t) + +# userdom_getattr_user_terminals(rwho_t)
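Review bot: The rewritten self rules remove `allow rwho_t self:udp_socket create_socket_perms;` while the module still binds and sends/receives on UDP (corenet_udp_bind_generic_node here, corenet_udp_bind_rwho_port and corenet_udp_sendrecv_rwho_port in the next hunk), so rwhod would be denied creating the socket it listens on unless that permission is granted by a broader rule outside this file. The new `allow rwho_t self:unix_stream_socket { accept listen };` has the same gap: accept and listen without create or bind only work if create_socket_perms is inherited from a base rule, so either restore `allow rwho_t self:udp_socket create_socket_perms;` or add a comment naming where the missing socket permissions come from. The dropped unix_dgram_socket rule looks intentional and is covered only if logging_send_syslog_msg (added in the last hunk) grants dgram socket creation to its caller, which is worth confirming against the logging module in this tree. Narrowing rwho_log_t:file from manage_file_perms to append/create/setattr is a genuine least-privilege improvement and should be kept.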
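Review bot: The commented-out `# userdom_getattr_user_terminals(rwho_t)` at the end of the hunk is a dead rule with no explanation, so the next reader cannot tell whether it is a pending requirement, a denial seen on the Fedora side, or a permission deliberately withheld. Either drop the line or precede it with a one-line reason, e.g. `# TODO: <reason this rule is disabled> userdom_getattr_user_terminals(rwho_t)`, so the intent survives the port. The added `logging_send_syslog_msg(rwho_t)` is fine on its own; the end of the module coincides with the edge of this chunk, so any trailing lines are not visible here.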