From: "Sven Vermeulen" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" Message-ID: <1351621969.33523d3f5ee1b9ba8779c917d25fe1846a3703f0.SwifT@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/contrib/tor.fc policy/modules/contrib/tor.if policy/modules/contrib/tor.te X-VCS-Directories: policy/modules/contrib/ X-VCS-Committer: SwifT X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: 33523d3f5ee1b9ba8779c917d25fe1846a3703f0 X-VCS-Branch: master Date: Tue, 30 Oct 2012 18:36:14 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: 5e544195-bbdd-41c2-9c54-19dc54fe3a3e X-Archives-Hash: 827a438dc89e0a82edc301c03b9de5ba commit: 33523d3f5ee1b9ba8779c917d25fe1846a3703f0 Author: Dominick Grift gmail com> AuthorDate: Tue Oct 30 09:05:59 2012 +0000 Commit: Sven Vermeulen siphos be> CommitDate: Tue Oct 30 18:32:49 2012 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=33523d3f Changes to the tor policy module Remove some tor_var_lib_t file transitions that do not make sense (no file context specification) Ported from Fedora with changes Signed-off-by: Dominick Grift gmail.com> --- policy/modules/contrib/tor.fc | 4 ++- policy/modules/contrib/tor.if | 16 +++++----- policy/modules/contrib/tor.te | 65 ++++++++++++++++++---------------------- 3 files changed, 40 insertions(+), 45 deletions(-) diff --git a/policy/modules/contrib/tor.fc b/policy/modules/contrib/tor.fc index 79e0a51..6b9d449 100644 --- a/policy/modules/contrib/tor.fc +++ b/policy/modules/contrib/tor.fc 
@@ -1,7 +1,9 @@ -/etc/rc\.d/init\.d/tor -- gen_context(system_u:object_r:tor_initrc_exec_t,s0) /etc/tor(/.*)? gen_context(system_u:object_r:tor_etc_t,s0) +/etc/rc\.d/init\.d/tor -- gen_context(system_u:object_r:tor_initrc_exec_t,s0) + /usr/bin/tor -- gen_context(system_u:object_r:tor_exec_t,s0) + /usr/sbin/tor -- gen_context(system_u:object_r:tor_exec_t,s0) /var/lib/tor(/.*)? gen_context(system_u:object_r:tor_var_lib_t,s0) diff --git a/policy/modules/contrib/tor.if b/policy/modules/contrib/tor.if index 904f13e..61c2e07 100644 --- a/policy/modules/contrib/tor.if +++ b/policy/modules/contrib/tor.if @@ -1,8 +1,8 @@ -## TOR, the onion router +## The onion router. ######################################## ## -## Execute a domain transition to run TOR. +## Execute a domain transition to run tor. ## ## ## @@ -15,13 +15,14 @@ interface(`tor_domtrans',` type tor_t, tor_exec_t; ') + corecmd_search_bin($1) domtrans_pattern($1, tor_exec_t, tor_t) ') ######################################## ## -## All of the rules required to administrate -## an tor environment +## All of the rules required to +## administrate an tor environment. ## ## ## @@ -30,7 +31,7 @@ interface(`tor_domtrans',` ## ## ## -## The role to be allowed to manage the tor domain. +## Role allowed access. ## ## ## @@ -38,11 +39,10 @@ interface(`tor_domtrans',` interface(`tor_admin',` gen_require(` type tor_t, tor_var_log_t, tor_etc_t; - type tor_var_lib_t, tor_var_run_t; - type tor_initrc_exec_t; + type tor_var_lib_t, tor_var_run_t, tor_initrc_exec_t; ') - allow $1 tor_t:process { ptrace signal_perms getattr }; + allow $1 tor_t:process { ptrace signal_perms }; ps_process_pattern($1, tor_t) init_labeled_script_domtrans($1, tor_initrc_exec_t) diff --git a/policy/modules/contrib/tor.te b/policy/modules/contrib/tor.te index 76292d1..f5d1326 100644 --- a/policy/modules/contrib/tor.te +++ b/policy/modules/contrib/tor.te 
@@ -1,4 +1,4 @@ -policy_module(tor, 1.8.2) +policy_module(tor, 1.8.3) ######################################## # @@ -6,10 +6,10 @@ policy_module(tor, 1.8.2) # ## -##

-## Allow tor daemon to bind
-## tcp sockets to all unreserved ports.
-##

+##

+## Determine whether tor can bind
+## tcp sockets to all unreserved ports.
+##

##
gen_tunable(tor_bind_all_unreserved_ports, false) 
@@ -17,57 +17,49 @@ type tor_t; type tor_exec_t; init_daemon_domain(tor_t, tor_exec_t) -# etc/tor type tor_etc_t; files_config_file(tor_etc_t) type tor_initrc_exec_t; init_script_file(tor_initrc_exec_t) -# var/lib/tor type tor_var_lib_t; files_type(tor_var_lib_t) -# log files type tor_var_log_t; logging_log_file(tor_var_log_t) -# pid files type tor_var_run_t; files_pid_file(tor_var_run_t) init_daemon_run_dir(tor_var_run_t, "tor") ######################################## # -# tor local policy +# Local policy # allow tor_t self:capability { setgid setuid sys_tty_config }; +allow tor_t self:process signal; allow tor_t self:fifo_file rw_fifo_file_perms; -allow tor_t self:unix_stream_socket create_stream_socket_perms; -allow tor_t self:netlink_route_socket r_netlink_socket_perms; -allow tor_t self:tcp_socket create_stream_socket_perms; +allow tor_t self:unix_stream_socket { accept listen }; +allow tor_t self:tcp_socket { accept listen }; -# configuration files allow tor_t tor_etc_t:dir list_dir_perms; -read_files_pattern(tor_t, tor_etc_t, tor_etc_t) -read_lnk_files_pattern(tor_t, tor_etc_t, tor_etc_t) +allow tor_t tor_etc_t:file read_file_perms; +allow tor_t tor_etc_t:lnk_file read_lnk_file_perms; -# var/lib/tor files manage_dirs_pattern(tor_t, tor_var_lib_t, tor_var_lib_t) manage_files_pattern(tor_t, tor_var_lib_t, tor_var_lib_t) manage_sock_files_pattern(tor_t, tor_var_lib_t, tor_var_lib_t) -files_usr_filetrans(tor_t, tor_var_lib_t, file) -files_var_filetrans(tor_t, tor_var_lib_t, { file dir sock_file }) -files_var_lib_filetrans(tor_t, tor_var_lib_t, file) +files_var_lib_filetrans(tor_t, tor_var_lib_t, dir) -# log files -allow tor_t tor_var_log_t:dir setattr; -manage_files_pattern(tor_t, tor_var_log_t, tor_var_log_t) +allow tor_t tor_var_log_t:dir setattr_dir_perms; +append_files_pattern(tor_t, tor_var_log_t, tor_var_log_t) +create_files_pattern(tor_t, tor_var_log_t, tor_var_log_t) +setattr_files_pattern(tor_t, tor_var_log_t, tor_var_log_t) 
manage_sock_files_pattern(tor_t, tor_var_log_t, tor_var_log_t) logging_log_filetrans(tor_t, tor_var_log_t, { sock_file file dir }) -# pid file manage_dirs_pattern(tor_t, tor_var_run_t, tor_var_run_t) manage_files_pattern(tor_t, tor_var_run_t, tor_var_run_t) manage_sock_files_pattern(tor_t, tor_var_run_t, tor_var_run_t) @@ -76,34 +68,34 @@ files_pid_filetrans(tor_t, tor_var_run_t, { dir file sock_file }) kernel_read_net_sysctls(tor_t) kernel_read_system_state(tor_t) -# networking basics corenet_all_recvfrom_unlabeled(tor_t) corenet_all_recvfrom_netlabel(tor_t) corenet_tcp_sendrecv_generic_if(tor_t) corenet_udp_sendrecv_generic_if(tor_t) corenet_tcp_sendrecv_generic_node(tor_t) corenet_udp_sendrecv_generic_node(tor_t) -corenet_tcp_sendrecv_all_ports(tor_t) -corenet_udp_sendrecv_dns_port(tor_t) -corenet_tcp_sendrecv_all_reserved_ports(tor_t) corenet_tcp_bind_generic_node(tor_t) corenet_udp_bind_generic_node(tor_t) -corenet_tcp_bind_tor_port(tor_t) + +corenet_sendrecv_dns_server_packets(tor_t) corenet_udp_bind_dns_port(tor_t) +corenet_udp_sendrecv_dns_port(tor_t) + corenet_sendrecv_tor_server_packets(tor_t) -corenet_sendrecv_dns_server_packets(tor_t) -# TOR will need to connect to various ports -corenet_tcp_connect_all_ports(tor_t) +corenet_tcp_bind_tor_port(tor_t) +corenet_tcp_sendrecv_tor_port(tor_t) + corenet_sendrecv_all_client_packets(tor_t) -# ... especially including port 80 and other privileged ports +corenet_tcp_connect_all_ports(tor_t) corenet_tcp_connect_all_reserved_ports(tor_t) +corenet_tcp_sendrecv_all_ports(tor_t) +corenet_tcp_sendrecv_all_reserved_ports(tor_t) -# tor uses crypto and needs random +dev_read_sysfs(tor_t) dev_read_urand(tor_t) domain_use_interactive_fds(tor_t) -files_read_etc_files(tor_t) files_read_etc_runtime_files(tor_t) files_read_usr_files(tor_t) 
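Review bot: The rewritten `allow tor_t self:tcp_socket { accept listen };` and `allow tor_t self:unix_stream_socket { accept listen };` no longer carry create, bind, connect and the rest of create_stream_socket_perms, and the `self:netlink_route_socket r_netlink_socket_perms` rule is dropped outright, so this is only correct if init_daemon_domain() or the domain base type on this branch already grants those permissions, which the hunk does not show. As far as I recall Fedora's base policy does grant them, so a port "with changes" should verify hardened-refpolicy's init.if/domain.te do the same before merging, otherwise tor will be denied creating its listening and outbound sockets. A one-line comment would spare the next reader the same check: `# socket creation perms come from init_daemon_domain(); only accept/listen are needed here`. The log-file change from manage_files_pattern to append/create/setattr is a welcome least-privilege tightening and should stay.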
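Review bot: `files_read_etc_files(tor_t)` is removed and nothing in the hunk replaces it, yet tor still resolves names and reads resolver/NSS configuration under /etc at startup; unless etc_t reads are granted to every domain on this branch (as newer refpolicy and Fedora do), this will show up as denials on start, so please confirm that or keep the line. `dev_read_sysfs(tor_t)` is added at the same time the explanatory comments in this block are deleted, leaving the reason tor needs sysfs undocumented; a short why-comment above it with the actual cause (inherited from the Fedora policy) would help. Note also that `corenet_tcp_connect_all_ports(tor_t)` and `corenet_tcp_sendrecv_all_ports(tor_t)` stay unconditional while the tunable only gates binding; that is inherent to tor's role, but a comment such as `# tor connects to arbitrary relay/exit ports; only binding is tunable` would make the intent explicit.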
@@ -113,7 +105,8 @@ logging_send_syslog_msg(tor_t) miscfiles_read_localization(tor_t) -tunable_policy(`tor_bind_all_unreserved_ports', ` +tunable_policy(`tor_bind_all_unreserved_ports',` + corenet_sendrecv_all_server_packets(tor_t) corenet_tcp_bind_all_unreserved_ports(tor_t) ')