From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id 5CE98138204 for ; Mon, 23 Sep 2013 13:31:45 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id C1456E0ABD; Mon, 23 Sep 2013 13:31:44 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 230ACE0AAC for ; Mon, 23 Sep 2013 13:31:44 +0000 (UTC) Received: from hornbill.gentoo.org (hornbill.gentoo.org [94.100.119.163]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id F071833ED4F for ; Mon, 23 Sep 2013 13:31:42 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by hornbill.gentoo.org (Postfix) with ESMTP id A2C4EE5463 for ; Mon, 23 Sep 2013 13:31:41 +0000 (UTC) 
From: "Sven Vermeulen" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" Message-ID: <1379917607.712f8c525da8aaf0bd8588d00aa1ab1b38cc3bcc.SwifT@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: / X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: lsm.fc lsm.if lsm.te X-VCS-Directories: / X-VCS-Committer: SwifT X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: 712f8c525da8aaf0bd8588d00aa1ab1b38cc3bcc X-VCS-Branch: master Date: Mon, 23 Sep 2013 13:31:41 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: ad54111a-d50b-4426-ad66-8e6bee45fe44 X-Archives-Hash: ec54bcbfc60e37d9a3693a8722677b8e
commit: 712f8c525da8aaf0bd8588d00aa1ab1b38cc3bcc
Author: Lukas Vrabec redhat com>
AuthorDate: Thu Aug 22 14:37:11 2013 +0000
Commit: Sven Vermeulen siphos be>
CommitDate: Mon Sep 23 06:26:47 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=712f8c52
Add policy for lsmd
---
lsm.fc | 5 ++++
lsm.if | 103 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
lsm.te | 31 ++++++++++++++++++++
3 files changed, 139 insertions(+)
diff --git a/lsm.fc b/lsm.fc
new file mode 100644
index 0000000..711c04b
--- /dev/null
+++ b/lsm.fc
@@ -0,0 +1,5 @@
+/usr/bin/lsmd -- gen_context(system_u:object_r:lsmd_exec_t,s0)
+
+/usr/lib/systemd/system/libstoragemgmt.* -- gen_context(system_u:object_r:lsmd_unit_file_t,s0)
+
+/var/run/lsm(/.*)? -- gen_context(system_u:object_r:lsmd_var_run_t,s0)
diff --git a/lsm.if b/lsm.if
new file mode 100644
index 0000000..f3e94d7
--- /dev/null
+++ b/lsm.if
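Review bot: The last context in lsm.fc, `/var/run/lsm(/.*)? -- gen_context(system_u:object_r:lsmd_var_run_t,s0)`, limits the match to regular files (`--`), so the `/var/run/lsm` directory itself and any socket the daemon places under it (lsm.te grants `manage_sock_files_pattern` on this type) keep the generic pid-directory label on a relabel and the daemon's `lsmd_var_run_t` rules never apply to them. Drop the object-class field so the whole subtree matches: `/var/run/lsm(/.*)? gen_context(system_u:object_r:lsmd_var_run_t,s0)`. The unit-file pattern `/usr/lib/systemd/system/libstoragemgmt.*` is unanchored at the end and labels anything with that prefix; if only the service unit is meant, `libstoragemgmt.*\.service` is tighter. The identical hunk appears again in the second (merge-branch) copy of this commit further down.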
@@ -0,0 +1,103 @@
+
+## lsmd SELINUX policy
+
+########################################
+##
+## Execute TEMPLATE in the lsmd domin.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`lsmd_domtrans',`
+ gen_require(`
+ type lsmd_t, lsmd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, lsmd_exec_t, lsmd_t)
+')
+########################################
+##
+## Read lsmd PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`lsmd_read_pid_files',`
+ gen_require(`
+ type lsmd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, lsmd_var_run_t, lsmd_var_run_t)
+')
+
+########################################
+##
+## Execute lsmd server in the lsmd domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`lsmd_systemctl',`
+ gen_require(`
+ type lsmd_t;
+ type lsmd_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_read_fifo_file_password_run($1)
+ allow $1 lsmd_unit_file_t:file read_file_perms;
+ allow $1 lsmd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, lsmd_t)
+')
+
+
+########################################
+##
+## All of the rules required to administrate
+## an lsmd environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`lsmd_admin',`
+ gen_require(`
+ type lsmd_t;
+ type lsmd_var_run_t;
+ type lsmd_unit_file_t;
+ ')
+
+ allow $1 lsmd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, lsmd_t)
+
+ files_search_pids($1)
+ admin_pattern($1, lsmd_var_run_t)
+
+ lsmd_systemctl($1)
+ admin_pattern($1, lsmd_unit_file_t)
+ allow $1 lsmd_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/lsm.te b/lsm.te
new file mode 100644
index 0000000..14fe4d7
--- /dev/null
+++ b/lsm.te
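Review bot: `lsmd_admin` calls `systemd_read_fifo_file_passwd_run($1)` while `lsmd_systemctl` in the same hunk calls `systemd_read_fifo_file_password_run($1)`; unless both names are defined by the systemd module of the target policy, one of them expands to an undefined macro and the module will not build, and either way the two calls should use the same interface. The summaries also need a pass: `lsmd_domtrans` still reads `Execute TEMPLATE in the lsmd domin.` (placeholder left in, typo) and should be `Execute lsmd in the lsmd domain.`, and `lsmd_systemctl` reuses the domtrans wording although it grants systemctl access, so something like `Manage the lsmd service with systemctl.` describes it. `lsmd_admin` documents a second parameter (`Role allowed access.`) but never references `$2`; if it is kept only for admin-interface uniformity, a one-line comment saying so would stop readers hunting for a missing `role` rule, and since the interface hands out `ptrace` on `lsmd_t` and `all_service_perms` on the unit file, the summary should say it grants full control of the daemon. The same hunk is repeated verbatim in the second (merge-branch) copy of this commit below.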
@@ -0,0 +1,31 @@
+policy_module(lsm, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type lsmd_t;
+type lsmd_exec_t;
+init_daemon_domain(lsmd_t, lsmd_exec_t)
+
+type lsmd_var_run_t;
+files_pid_file(lsmd_var_run_t)
+
+type lsmd_unit_file_t;
+systemd_unit_file(lsmd_unit_file_t)
+
+########################################
+#
+# lsmd local policy
+#
+allow lsmd_t self:capability { setgid };
+allow lsmd_t self:process { fork };
+allow lsmd_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
+manage_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
+manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
+manage_sock_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
+
+logging_send_syslog_msg(lsmd_t)
From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id A803B1381F3 for ; Mon, 23 Sep 2013 06:29:30 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 725AAE09AD; Mon, 23 Sep 2013 06:29:28 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id CA65AE09AA for ; Mon, 23 Sep 2013 06:29:27 +0000 (UTC) Received: from hornbill.gentoo.org (hornbill.gentoo.org [94.100.119.163]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id A29D633ED36 for ; Mon, 23 Sep 2013 06:29:26 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by hornbill.gentoo.org (Postfix) with ESMTP id 5A8CDE5463 for ; Mon, 23 Sep 2013 06:29:25 +0000 (UTC) 
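Review bot: `lsmd_t` gets `manage_*_pattern` rules on `lsmd_var_run_t` but no file transition for what it creates under the pid directory, so a directory or socket the daemon makes there at runtime inherits the parent's type instead of `lsmd_var_run_t` and these rules only take effect after a relabel; add `files_pid_filetrans(lsmd_t, lsmd_var_run_t, { dir file sock_file })` after the `manage_sock_files_pattern` line, trimming the class set to what lsmd actually creates. The `self:unix_stream_socket create_stream_socket_perms` grant together with the sock_file rules suggests a listening socket under `/var/run/lsm`, but nothing here says which domain is expected to connect to it; a short comment above that `allow` naming the intended client side would make the trust boundary reviewable. `allow lsmd_t self:capability { setgid };` is granted without a comment explaining why the daemon needs to change group but not user, which a reader auditing capability grants will ask about. The identical hunk is repeated in the second (merge-branch) copy of this commit below.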
From: "Sven Vermeulen" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" Message-ID: <1379917607.712f8c525da8aaf0bd8588d00aa1ab1b38cc3bcc.SwifT@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:merge commit in: / X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: lsm.fc lsm.if lsm.te X-VCS-Directories: / X-VCS-Committer: SwifT X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: 712f8c525da8aaf0bd8588d00aa1ab1b38cc3bcc X-VCS-Branch: merge Date: Mon, 23 Sep 2013 06:29:25 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: a5d962e4-5d1b-4f57-823c-f74ab8a95cfb X-Archives-Hash: cdcd2eaccc8d6e6f8b7b2e6f82cfcdb5 Message-ID: <20130923062925.HRYTOUFuZWPsY2Jzp-hdEJRpN9ORDYATr4y109O91MY@z>
commit: 712f8c525da8aaf0bd8588d00aa1ab1b38cc3bcc
Author: Lukas Vrabec redhat com>
AuthorDate: Thu Aug 22 14:37:11 2013 +0000
Commit: Sven Vermeulen siphos be>
CommitDate: Mon Sep 23 06:26:47 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=712f8c52
Add policy for lsmd
---
lsm.fc | 5 ++++
lsm.if | 103 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
lsm.te | 31 ++++++++++++++++++++
3 files changed, 139 insertions(+)
diff --git a/lsm.fc b/lsm.fc
new file mode 100644
index 0000000..711c04b
--- /dev/null
+++ b/lsm.fc
@@ -0,0 +1,5 @@
+/usr/bin/lsmd -- gen_context(system_u:object_r:lsmd_exec_t,s0)
+
+/usr/lib/systemd/system/libstoragemgmt.* -- gen_context(system_u:object_r:lsmd_unit_file_t,s0)
+
+/var/run/lsm(/.*)? -- gen_context(system_u:object_r:lsmd_var_run_t,s0)
diff --git a/lsm.if b/lsm.if
new file mode 100644
index 0000000..f3e94d7
--- /dev/null
+++ b/lsm.if
@@ -0,0 +1,103 @@
+
+## lsmd SELINUX policy
+
+########################################
+##
+## Execute TEMPLATE in the lsmd domin.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`lsmd_domtrans',`
+ gen_require(`
+ type lsmd_t, lsmd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, lsmd_exec_t, lsmd_t)
+')
+########################################
+##
+## Read lsmd PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`lsmd_read_pid_files',`
+ gen_require(`
+ type lsmd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, lsmd_var_run_t, lsmd_var_run_t)
+')
+
+########################################
+##
+## Execute lsmd server in the lsmd domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`lsmd_systemctl',`
+ gen_require(`
+ type lsmd_t;
+ type lsmd_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_read_fifo_file_password_run($1)
+ allow $1 lsmd_unit_file_t:file read_file_perms;
+ allow $1 lsmd_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, lsmd_t)
+')
+
+
+########################################
+##
+## All of the rules required to administrate
+## an lsmd environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`lsmd_admin',`
+ gen_require(`
+ type lsmd_t;
+ type lsmd_var_run_t;
+ type lsmd_unit_file_t;
+ ')
+
+ allow $1 lsmd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, lsmd_t)
+
+ files_search_pids($1)
+ admin_pattern($1, lsmd_var_run_t)
+
+ lsmd_systemctl($1)
+ admin_pattern($1, lsmd_unit_file_t)
+ allow $1 lsmd_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/lsm.te b/lsm.te
new file mode 100644
index 0000000..14fe4d7
--- /dev/null
+++ b/lsm.te
@@ -0,0 +1,31 @@
+policy_module(lsm, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type lsmd_t;
+type lsmd_exec_t;
+init_daemon_domain(lsmd_t, lsmd_exec_t)
+
+type lsmd_var_run_t;
+files_pid_file(lsmd_var_run_t)
+
+type lsmd_unit_file_t;
+systemd_unit_file(lsmd_unit_file_t)
+
+########################################
+#
+# lsmd local policy
+#
+allow lsmd_t self:capability { setgid };
+allow lsmd_t self:process { fork };
+allow lsmd_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
+manage_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
+manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
+manage_sock_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
+
+logging_send_syslog_msg(lsmd_t)