* [gentoo-commits] proj/hardened-refpolicy:merge commit in: policy/modules/contrib/
From: Sven Vermeulen @ 2013-09-23 6:29 UTC
To: gentoo-commits
commit: 1306dae79c45f570f9c5ecec1fbf2788a2f96ea6
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Thu Sep 19 17:11:58 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Sep 23 06:26:37 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=1306dae7
Remove duplicate rules due to addition of auth_use_nsswitch()
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/rpcbind.te | 9 +--------
1 file changed, 1 insertion(+), 8 deletions(-)
diff --git a/policy/modules/contrib/rpcbind.te b/policy/modules/contrib/rpcbind.te
index 31d9287..bad1939 100644
--- a/policy/modules/contrib/rpcbind.te
+++ b/policy/modules/contrib/rpcbind.te
@@ -1,4 +1,4 @@
-policy_module(rpcbind, 1.6.0)
+policy_module(rpcbind, 1.6.1)
########################################
#
@@ -62,7 +62,6 @@ corecmd_exec_shell(rpcbind_t)
domain_use_interactive_fds(rpcbind_t)
-files_read_etc_files(rpcbind_t)
files_read_etc_runtime_files(rpcbind_t)
auth_use_nsswitch(rpcbind_t)
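Review bot: Dropping files_read_etc_files(rpcbind_t) is only safe because auth_use_nsswitch(rpcbind_t), visible as context two lines below the removed line, already wraps read access to /etc; that dependency is now implicit, so if auth_use_nsswitch() is ever removed from this domain the /etc read rule has to come back with it.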
@@ -70,9 +69,3 @@ auth_use_nsswitch(rpcbind_t)
logging_send_syslog_msg(rpcbind_t)
miscfiles_read_localization(rpcbind_t)
-
-sysnet_dns_name_resolve(rpcbind_t)
-
-optional_policy(`
- nis_use_ypbind(rpcbind_t)
-')
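Review bot: The removed sysnet_dns_name_resolve() call and the optional nis_use_ypbind() block are exactly what auth_use_nsswitch() provides, so this hunk matches the commit message; with the trailing blank line also gone the module now ends directly after miscfiles_read_localization(rpcbind_t), which is fine.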
* [gentoo-commits] proj/hardened-refpolicy:merge commit in: policy/modules/contrib/
From: Sven Vermeulen @ 2013-09-23 6:29 UTC
To: gentoo-commits
commit: ca18cb22cf84906139910c600d5bb2afd4bae1a1
Author: Miroslav Grepl <mgrepl <AT> redhat <DOT> com>
AuthorDate: Fri Aug 23 08:27:18 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Sep 23 06:26:38 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=ca18cb22
Add support for abrt-upload-watch
---
policy/modules/contrib/abrt.fc | 1 +
policy/modules/contrib/abrt.te | 23 +++++++++++++++++++++++
2 files changed, 24 insertions(+)
diff --git a/policy/modules/contrib/abrt.fc b/policy/modules/contrib/abrt.fc
index e4f84de..1a93dc5 100644
--- a/policy/modules/contrib/abrt.fc
+++ b/policy/modules/contrib/abrt.fc
@@ -12,6 +12,7 @@
/usr/sbin/abrtd -- gen_context(system_u:object_r:abrt_exec_t,s0)
/usr/sbin/abrt-dbus -- gen_context(system_u:object_r:abrt_exec_t,s0)
+/usr/sbin/abrt-upload-watch -- gen_context(system_u:object_r:abrt_upload_watch_exec_t,s0)
/var/cache/abrt(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
/var/cache/abrt-di(/.*)? gen_context(system_u:object_r:abrt_var_cache_t,s0)
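Review bot: The new context for /usr/sbin/abrt-upload-watch references abrt_upload_watch_exec_t, which the accompanying abrt.te hunk only declares indirectly via abrt_basic_types_template(); an explicit `type abrt_upload_watch_exec_t;` next to the domain declaration, as is done for abrt_watch_log_exec_t, would make it obvious that the label used here actually exists.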
diff --git a/policy/modules/contrib/abrt.te b/policy/modules/contrib/abrt.te
index 09a02b2..de3f140 100644
--- a/policy/modules/contrib/abrt.te
+++ b/policy/modules/contrib/abrt.te
@@ -15,6 +15,14 @@ policy_module(abrt, 1.4.0)
gen_tunable(abrt_anon_write, false)
## <desc>
+## <p>
+## Allow abrt-handle-upload to modify public files
+## used for public file transfer services in /var/spool/abrt-upload/.
+## </p>
+## </desc>
+gen_tunable(abrt_upload_watch_anon_write, true)
+
+## <desc>
## <p>
## Determine whether ABRT can run in
## the abrt_handle_event_t domain to
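Review bot: The new boolean defaults to true, unlike abrt_anon_write directly above it which defaults to false, so write access to public files is enabled out of the box for the upload-watch domain; unless abrt-upload-watch is unusable without it, `gen_tunable(abrt_upload_watch_anon_write, false)` is the safer default. The description also names abrt-handle-upload while the boolean and the domain it governs (abrt_upload_watch_t) are named after abrt-upload-watch; pick one name.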
@@ -87,6 +95,10 @@ type abrt_watch_log_t, abrt_domain;
type abrt_watch_log_exec_t;
init_daemon_domain(abrt_watch_log_t, abrt_watch_log_exec_t)
+# Support for abrt-upload-watch
+abrt_basic_types_template(abrt_upload_watch)
+init_daemon_domain(abrt_upload_watch_t, abrt_upload_watch_exec_t)
+
ifdef(`enable_mcs',`
init_ranged_daemon_domain(abrt_t, abrt_exec_t, s0 - mcs_systemhigh)
')
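Review bot: abrt_basic_types_template(abrt_upload_watch) is inconsistent with the surrounding declarations, which spell out `type abrt_watch_log_t, abrt_domain;` and `type abrt_watch_log_exec_t;`; using the same explicit form keeps the abrt_domain attribute membership visible and the type names grep-able.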
@@ -403,6 +415,17 @@ logging_read_all_logs(abrt_watch_log_t)
#######################################
#
+# abrt-upload-watch local policy
+#
+
+corecmd_exec_bin(abrt_upload_watch_t)
+
+tunable_policy(`abrt_upload_watch_anon_write',`
+ miscfiles_manage_public_files(abrt_upload_watch_t)
+')
+
+#######################################
+#
# Global local policy
#
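Review bot: miscfiles_manage_public_files() grants manage access to every file labeled as public content, not only /var/spool/abrt-upload/ as the boolean description claims; if the intent is limited to the upload spool, a dedicated type for that directory plus a filetrans rule would be tighter. The new domain also gets corecmd_exec_bin() but no syslog or localization rules, so expect AVC denials the first time abrt-upload-watch logs something.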
* [gentoo-commits] proj/hardened-refpolicy:merge commit in: policy/modules/contrib/
From: Sven Vermeulen @ 2013-09-23 6:29 UTC
To: gentoo-commits
commit: d8ad674f9b897235cd243b9a37543bcfedb71d6e
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Thu Sep 19 17:39:39 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Sep 23 06:27:19 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=d8ad674f
Clean up libstoragemgmt policy module. We do not yet support systemd
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/lsm.fc | 4 +--
policy/modules/contrib/lsm.if | 79 ++-----------------------------------------
policy/modules/contrib/lsm.te | 9 ++---
3 files changed, 7 insertions(+), 85 deletions(-)
diff --git a/policy/modules/contrib/lsm.fc b/policy/modules/contrib/lsm.fc
index 711c04b..51777c1 100644
--- a/policy/modules/contrib/lsm.fc
+++ b/policy/modules/contrib/lsm.fc
@@ -1,5 +1,3 @@
-/usr/bin/lsmd -- gen_context(system_u:object_r:lsmd_exec_t,s0)
-
-/usr/lib/systemd/system/libstoragemgmt.* -- gen_context(system_u:object_r:lsmd_unit_file_t,s0)
+/usr/bin/lsmd -- gen_context(system_u:object_r:lsmd_exec_t,s0)
/var/run/lsm(/.*)? -- gen_context(system_u:object_r:lsmd_var_run_t,s0)
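Review bot: The retained `/var/run/lsm(/.*)? -- gen_context(...)` line keeps the `--` file-type qualifier, which restricts the match to regular files, so the /var/run/lsm directory itself will not be labeled lsmd_var_run_t on a relabel; drop the `--` for this directory pattern (commit 2aab4292 later in this thread does exactly that).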
diff --git a/policy/modules/contrib/lsm.if b/policy/modules/contrib/lsm.if
index f3e94d7..d314333 100644
--- a/policy/modules/contrib/lsm.if
+++ b/policy/modules/contrib/lsm.if
@@ -1,72 +1,9 @@
-
-## <summary>lsmd SELINUX policy </summary>
-
-########################################
-## <summary>
-## Execute TEMPLATE in the lsmd domin.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`lsmd_domtrans',`
- gen_require(`
- type lsmd_t, lsmd_exec_t;
- ')
-
- corecmd_search_bin($1)
- domtrans_pattern($1, lsmd_exec_t, lsmd_t)
-')
-########################################
-## <summary>
-## Read lsmd PID files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`lsmd_read_pid_files',`
- gen_require(`
- type lsmd_var_run_t;
- ')
-
- files_search_pids($1)
- read_files_pattern($1, lsmd_var_run_t, lsmd_var_run_t)
-')
-
-########################################
-## <summary>
-## Execute lsmd server in the lsmd domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`lsmd_systemctl',`
- gen_require(`
- type lsmd_t;
- type lsmd_unit_file_t;
- ')
-
- systemd_exec_systemctl($1)
- systemd_read_fifo_file_password_run($1)
- allow $1 lsmd_unit_file_t:file read_file_perms;
- allow $1 lsmd_unit_file_t:service manage_service_perms;
-
- ps_process_pattern($1, lsmd_t)
-')
-
+## <summary>Storage array management library.</summary>
########################################
## <summary>
## All of the rules required to administrate
-## an lsmd environment
+## an lsmd environment.
## </summary>
## <param name="domain">
## <summary>
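Review bot: Besides the systemd-specific lsmd_systemctl interface, this hunk also removes lsmd_domtrans and lsmd_read_pid_files, which have no systemd dependency and are not mentioned in the commit message; if they go because nothing calls them yet, say so, otherwise keep them. The removed text also carried a typo ("domin"), and the new one-line summary is fine.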
@@ -82,9 +19,7 @@ interface(`lsmd_systemctl',`
#
interface(`lsmd_admin',`
gen_require(`
- type lsmd_t;
- type lsmd_var_run_t;
- type lsmd_unit_file_t;
+ type lsmd_t, type lsmd_var_run_t;
')
allow $1 lsmd_t:process { ptrace signal_perms };
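Review bot: `type lsmd_t, type lsmd_var_run_t;` inside gen_require is a syntax error: the `type` keyword appears once and the names are comma-separated, i.e. `type lsmd_t, lsmd_var_run_t;`. As written the module will not build.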
@@ -92,12 +27,4 @@ interface(`lsmd_admin',`
files_search_pids($1)
admin_pattern($1, lsmd_var_run_t)
-
- lsmd_systemctl($1)
- admin_pattern($1, lsmd_unit_file_t)
- allow $1 lsmd_unit_file_t:service all_service_perms;
- optional_policy(`
- systemd_passwd_agent_exec($1)
- systemd_read_fifo_file_passwd_run($1)
- ')
')
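Review bot: The removed lines reference systemd_read_fifo_file_passwd_run($1) here while the deleted lsmd_systemctl interface called systemd_read_fifo_file_password_run($1), so at least one of the two was a typo; that is moot now, but worth remembering when systemd support for lsmd is reintroduced.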
diff --git a/policy/modules/contrib/lsm.te b/policy/modules/contrib/lsm.te
index 14fe4d7..7f0ca47 100644
--- a/policy/modules/contrib/lsm.te
+++ b/policy/modules/contrib/lsm.te
@@ -12,15 +12,12 @@ init_daemon_domain(lsmd_t, lsmd_exec_t)
type lsmd_var_run_t;
files_pid_file(lsmd_var_run_t)
-type lsmd_unit_file_t;
-systemd_unit_file(lsmd_unit_file_t)
-
########################################
#
-# lsmd local policy
+# Local policy
#
-allow lsmd_t self:capability { setgid };
-allow lsmd_t self:process { fork };
+
+allow lsmd_t self:capability setgid;
allow lsmd_t self:unix_stream_socket create_stream_socket_perms;
manage_dirs_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
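Review bot: `allow lsmd_t self:process { fork };` is dropped without a replacement; that is fine only if fork is already granted to every domain through the domain attribute in the base policy, so please confirm that before merging. The `{ setgid }` to `setgid` change is style only, and the header rename with a blank line after `#` follows refpolicy layout.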
* [gentoo-commits] proj/hardened-refpolicy:merge commit in: policy/modules/contrib/
From: Sven Vermeulen @ 2013-09-23 6:29 UTC
To: gentoo-commits
commit: 9c2fcb4cc9c84006d9cb99e67d2ecf56570ea440
Author: Miroslav Grepl <mgrepl <AT> redhat <DOT> com>
AuthorDate: Fri Aug 23 08:14:08 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Sep 23 06:26:45 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=9c2fcb4c
Allow virtd to relabel unix stream socket
---
policy/modules/contrib/virt.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 65ede42..3f48d7f 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -418,7 +418,7 @@ corenet_tcp_connect_all_ports(svirt_t)
allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice };
allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched };
allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto };
-allow virtd_t self:unix_stream_socket { accept connectto listen };
+allow virtd_t self:unix_stream_socket { accept connectto listen relabelfrom relabelto };
allow virtd_t self:tcp_socket { accept listen };
allow virtd_t self:tun_socket { create_socket_perms relabelfrom relabelto };
allow virtd_t self:rawip_socket create_socket_perms;
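Review bot: Adding relabelfrom/relabelto on the domain's own unix_stream_socket mirrors what the fifo_file and tun_socket lines above already allow, so it is consistent; however the commit does not bump the policy_module version in virt.te while the other merges in this batch do, so add a version bump.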
* [gentoo-commits] proj/hardened-refpolicy:merge commit in: policy/modules/contrib/
From: Sven Vermeulen @ 2013-09-23 6:29 UTC
To: gentoo-commits
commit: c285f2ef655360833348a3d57ec2962c0a818194
Author: Miroslav Grepl <mgrepl <AT> redhat <DOT> com>
AuthorDate: Tue Sep 3 14:44:31 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Sep 23 06:27:24 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=c285f2ef
Also a sock_file trans rule is needed in lsm
Conflicts:
lsm.te
---
policy/modules/contrib/lsm.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/lsm.te b/policy/modules/contrib/lsm.te
index 7f0ca47..4ec0eea 100644
--- a/policy/modules/contrib/lsm.te
+++ b/policy/modules/contrib/lsm.te
@@ -24,5 +24,6 @@ manage_dirs_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
manage_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
manage_lnk_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
manage_sock_files_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
+files_pid_filetrans(lsmd_t, lsmd_var_run_t, { dir file sock_file })
logging_send_syslog_msg(lsmd_t)
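Review bot: The new files_pid_filetrans() covers dir, file and sock_file, matching the manage_dirs/files/sock_files patterns above; manage_lnk_files_pattern is also present but lnk_file is missing from the class list, so a symlink lsmd creates directly in /var/run would keep the generic pid-directory label instead of lsmd_var_run_t. Add lnk_file if lsmd creates symlinks there, or drop the unused lnk pattern.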
* [gentoo-commits] proj/hardened-refpolicy:merge commit in: policy/modules/contrib/
From: Sven Vermeulen @ 2013-09-23 6:29 UTC
To: gentoo-commits
commit: da10fcbc0b173d636603c46203a47ef2ca51f74c
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Thu Sep 19 17:25:11 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Sep 23 06:26:40 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=da10fcbc
We don't use the abrt domain types template. Use a more uniform boolean description
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/abrt.te | 17 +++++++++--------
1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/policy/modules/contrib/abrt.te b/policy/modules/contrib/abrt.te
index de3f140..eb50f07 100644
--- a/policy/modules/contrib/abrt.te
+++ b/policy/modules/contrib/abrt.te
@@ -1,4 +1,4 @@
-policy_module(abrt, 1.4.0)
+policy_module(abrt, 1.4.1)
########################################
#
@@ -15,10 +15,11 @@ policy_module(abrt, 1.4.0)
gen_tunable(abrt_anon_write, false)
## <desc>
-## <p>
-## Allow abrt-handle-upload to modify public files
-## used for public file transfer services in /var/spool/abrt-upload/.
-## </p>
+## <p>
+## Determine whether abrt-handle-upload
+## can modify public files used for public file
+## transfer services in /var/spool/abrt-upload/.
+## </p>
## </desc>
gen_tunable(abrt_upload_watch_anon_write, true)
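Review bot: The reworded description still says abrt-handle-upload although the boolean and the domain are named after abrt-upload-watch, and the default stays true while abrt_anon_write just above defaults to false; if this pass is meant to make the booleans uniform, the name and the default should be aligned as well.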
@@ -95,8 +96,8 @@ type abrt_watch_log_t, abrt_domain;
type abrt_watch_log_exec_t;
init_daemon_domain(abrt_watch_log_t, abrt_watch_log_exec_t)
-# Support for abrt-upload-watch
-abrt_basic_types_template(abrt_upload_watch)
+type abrt_upload_watch_t, abrt_domain;
+type abrt_upload_watch_exec_t;
init_daemon_domain(abrt_upload_watch_t, abrt_upload_watch_exec_t)
ifdef(`enable_mcs',`
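Review bot: Replacing the template call with explicit `type abrt_upload_watch_t, abrt_domain;` and `type abrt_upload_watch_exec_t;` matches the abrt_watch_log_t declarations directly above and makes the abrt_domain attribute membership visible; this also guarantees the abrt_upload_watch_exec_t label used in abrt.fc exists.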
@@ -415,7 +416,7 @@ logging_read_all_logs(abrt_watch_log_t)
#######################################
#
-# abrt-upload-watch local policy
+# Upload watch local policy
#
corecmd_exec_bin(abrt_upload_watch_t)
* [gentoo-commits] proj/hardened-refpolicy:merge commit in: policy/modules/contrib/
From: Sven Vermeulen @ 2013-09-23 6:29 UTC
To: gentoo-commits
commit: 2aab42920d3153bffa3f3b618c622c709bb762f3
Author: Miroslav Grepl <mgrepl <AT> redhat <DOT> com>
AuthorDate: Wed Sep 4 10:28:28 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Sep 23 06:27:20 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=2aab4292
Fix lsm.fc for pid files
---
policy/modules/contrib/lsm.fc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/lsm.fc b/policy/modules/contrib/lsm.fc
index 51777c1..c455730 100644
--- a/policy/modules/contrib/lsm.fc
+++ b/policy/modules/contrib/lsm.fc
@@ -1,3 +1,3 @@
/usr/bin/lsmd -- gen_context(system_u:object_r:lsmd_exec_t,s0)
-/var/run/lsm(/.*)? -- gen_context(system_u:object_r:lsmd_var_run_t,s0)
+/var/run/lsm(/.*)? gen_context(system_u:object_r:lsmd_var_run_t,s0)
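Review bot: Removing `--` is the right fix: with the qualifier the pattern only matched regular files, so /var/run/lsm itself stayed at the default pid-directory label. With lsm.te using files_pid_filetrans for dir, the runtime label and the file-context label now agree.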
* [gentoo-commits] proj/hardened-refpolicy:merge commit in: policy/modules/contrib/
From: Sven Vermeulen @ 2013-09-23 6:29 UTC
To: gentoo-commits
commit: 433ae56729bc46e1888bace2d296927d2b4bcffd
Author: Miroslav Grepl <mgrepl <AT> redhat <DOT> com>
AuthorDate: Thu Aug 22 11:03:42 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Sep 23 06:27:34 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=433ae567
Allow condor domains to manage own logs
---
policy/modules/contrib/condor.te | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/policy/modules/contrib/condor.te b/policy/modules/contrib/condor.te
index 5fd1388..32b299a 100644
--- a/policy/modules/contrib/condor.te
+++ b/policy/modules/contrib/condor.te
@@ -68,9 +68,7 @@ allow condor_domain self:unix_stream_socket { accept listen };
rw_files_pattern(condor_domain, condor_conf_t, condor_conf_t)
manage_dirs_pattern(condor_domain, condor_log_t, condor_log_t)
-append_files_pattern(condor_domain, condor_log_t, condor_log_t)
-create_files_pattern(condor_domain, condor_log_t, condor_log_t)
-getattr_files_pattern(condor_domain, condor_log_t, condor_log_t)
+manage_files_pattern(condor_domain, condor_log_t, condor_log_t)
logging_log_filetrans(condor_domain, condor_log_t, { dir file })
manage_dirs_pattern(condor_domain, condor_var_lib_t, condor_var_lib_t)
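Review bot: Replacing append_files_pattern/create_files_pattern/getattr_files_pattern with manage_files_pattern widens every condor domain from append-only to full write, unlink and rename on condor_log_t, which gives up the tamper evidence that append-only logging provided; if only log rotation needs this, grant manage access to the single domain that rotates and keep append-only for the rest.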
* [gentoo-commits] proj/hardened-refpolicy:merge commit in: policy/modules/contrib/
From: Sven Vermeulen @ 2013-09-23 6:29 UTC
To: gentoo-commits
commit: 0afa74b4db3fc54e1d1e5937667246cb6621df3e
Author: Miroslav Grepl <mgrepl <AT> redhat <DOT> com>
AuthorDate: Thu Aug 22 11:10:10 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Sep 23 06:27:27 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=0afa74b4
Add labeling for /etc/condor and allow condor domain to write it (bug)
---
policy/modules/contrib/condor.fc | 2 ++
policy/modules/contrib/condor.te | 7 +++++++
2 files changed, 9 insertions(+)
diff --git a/policy/modules/contrib/condor.fc b/policy/modules/contrib/condor.fc
index 23dc348..543321b 100644
--- a/policy/modules/contrib/condor.fc
+++ b/policy/modules/contrib/condor.fc
@@ -1,3 +1,5 @@
+/etc/condor(/.*)? gen_context(system_u:object_r:condor_etc_rw_t,s0)
+
/etc/rc\.d/init\.d/condor -- gen_context(system_u:object_r:condor_initrc_exec_t,s0)
/usr/sbin/condor_collector -- gen_context(system_u:object_r:condor_collector_exec_t,s0)
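Review bot: The new /etc/condor context introduces condor_etc_rw_t, and the commit message says "(bug)" without a bug reference; please cite it. The type is renamed to condor_conf_t by commit 5562e1cd later in this thread, so the two commits could be squashed to avoid a transient type name.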
diff --git a/policy/modules/contrib/condor.te b/policy/modules/contrib/condor.te
index 4ca829b..7666be4 100644
--- a/policy/modules/contrib/condor.te
+++ b/policy/modules/contrib/condor.te
@@ -34,6 +34,9 @@ files_tmp_file(condor_startd_tmp_t)
type condor_startd_tmpfs_t;
files_tmpfs_file(condor_startd_tmpfs_t)
+type condor_etc_rw_t;
+files_config_file(condor_etc_rw_t)
+
type condor_log_t;
logging_log_file(condor_log_t)
@@ -62,6 +65,8 @@ allow condor_domain self:fifo_file rw_fifo_file_perms;
allow condor_domain self:tcp_socket { accept listen };
allow condor_domain self:unix_stream_socket { accept listen };
+rw_files_pattern(condor_domain, condor_etc_rw_t, condor_etc_rw_t)
+
manage_dirs_pattern(condor_domain, condor_log_t, condor_log_t)
append_files_pattern(condor_domain, condor_log_t, condor_log_t)
create_files_pattern(condor_domain, condor_log_t, condor_log_t)
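Review bot: rw_files_pattern(condor_domain, condor_etc_rw_t, condor_etc_rw_t) gives every domain carrying the condor_domain attribute write access to the configuration under /etc/condor, so a compromise of any one condor daemon can rewrite the configuration of all the others; if only one component writes its config, grant rw to that domain and read-only access to the attribute.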
@@ -110,6 +115,8 @@ logging_send_syslog_msg(condor_domain)
miscfiles_read_localization(condor_domain)
+sysnet_dns_name_resolve(condor_domain)
+
tunable_policy(`condor_tcp_network_connect',`
corenet_sendrecv_all_client_packets(condor_domain)
corenet_tcp_connect_all_ports(condor_domain)
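Review bot: sysnet_dns_name_resolve(condor_domain) is not mentioned in the commit message; also, if condor_domain already calls auth_use_nsswitch(), this is the same kind of duplicate that commit 1306dae7 in this thread removes from rpcbind, so check before adding it.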
* [gentoo-commits] proj/hardened-refpolicy:merge commit in: policy/modules/contrib/
From: Sven Vermeulen @ 2013-09-23 6:29 UTC
To: gentoo-commits
commit: ece5508dd2c59b8100fdcea7032a0b927069b222
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Fri Sep 20 06:51:35 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Sep 23 06:27:32 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=ece5508d
We will find another way to run pa as a system server
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/pulseaudio.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te
index 643d58e..fca8b1d 100644
--- a/policy/modules/contrib/pulseaudio.te
+++ b/policy/modules/contrib/pulseaudio.te
@@ -12,7 +12,7 @@ attribute_role pulseaudio_roles;
type pulseaudio_t;
type pulseaudio_exec_t;
-init_daemon_domain(pulseaudio_t, pulseaudio_exec_t)
+# init_daemon_domain(pulseaudio_t, pulseaudio_exec_t)
userdom_user_application_domain(pulseaudio_t, pulseaudio_exec_t)
role pulseaudio_roles types pulseaudio_t;
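Review bot: Commenting out init_daemon_domain() rather than deleting it leaves dead code in the module; refpolicy style is to remove the line and let the commit message carry the intent. Also check that nothing else in pulseaudio.te or pulseaudio.if still assumes pulseaudio_t is an init daemon domain, since only the userdom_user_application_domain() call now defines it.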
* [gentoo-commits] proj/hardened-refpolicy:merge commit in: policy/modules/contrib/
From: Sven Vermeulen @ 2013-09-23 6:29 UTC
To: gentoo-commits
commit: 71888201c517f31907207e0060d1809dd5c8b6ed
Author: Miroslav Grepl <mgrepl <AT> redhat <DOT> com>
AuthorDate: Thu Aug 22 09:13:26 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Sep 23 06:27:36 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=71888201
Allow glusterd to read domains state
---
policy/modules/contrib/glusterfs.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/contrib/glusterfs.te b/policy/modules/contrib/glusterfs.te
index d9f8ec1..0a8e91e 100644
--- a/policy/modules/contrib/glusterfs.te
+++ b/policy/modules/contrib/glusterfs.te
@@ -92,6 +92,8 @@ corenet_tcp_connect_all_unreserved_ports(glusterd_t)
dev_read_sysfs(glusterd_t)
dev_read_urand(glusterd_t)
+domain_read_all_domains_state(glusterd_t)
+
domain_use_interactive_fds(glusterd_t)
files_read_usr_files(glusterd_t)
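Review bot: domain_read_all_domains_state(glusterd_t) lets glusterd read the /proc state of every domain on the system, a broad grant for a storage daemon; if it only needs to inspect its own helper processes or a few peer daemons, a targeted rule for those domains would suffice, so please record in the commit message why the system-wide form is needed.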
* [gentoo-commits] proj/hardened-refpolicy:merge commit in: policy/modules/contrib/
From: Sven Vermeulen @ 2013-09-23 6:29 UTC
To: gentoo-commits
commit: 6e23089d1f62f91276576f9038553bba5dd232bd
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Thu Sep 19 17:59:43 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Sep 23 06:27:30 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=6e23089d
Hit by a nasty optional policy nesting issue
Basically gnome keyring daemon depends on a window manager, and window
managers depend on dbus
Thus for restricted xwindows users, the gnome_per_role_template optional
policy needs to be nested in the wm_per_role_template optional policy,
which needs to be nested in the dbus_per_role_template optional policy
I tried to get dbus out of the equation but was not able to
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/gnome.if | 4 +++-
policy/modules/contrib/wm.if | 12 +++++++-----
policy/modules/contrib/wm.te | 4 ----
3 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/policy/modules/contrib/gnome.if b/policy/modules/contrib/gnome.if
index d03fd43..ab09d61 100644
--- a/policy/modules/contrib/gnome.if
+++ b/policy/modules/contrib/gnome.if
@@ -111,7 +111,9 @@ template(`gnome_role_template',`
optional_policy(`
dbus_spec_session_domain($1, gkeyringd_exec_t, $1_gkeyringd_t)
- gnome_dbus_chat_gkeyringd($1, $3)
+ optional_policy(`
+ gnome_dbus_chat_gkeyringd($1, $3)
+ ')
')
')
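Review bot: Wrapping gnome_dbus_chat_gkeyringd($1, $3) in a second optional_policy inside a block that already depends on dbus is the workaround for the nesting problem the commit message describes, but nothing in the code says so; add a comment above the inner block explaining that the call has to stay optional relative to the window manager module, otherwise the next cleanup will flatten it again.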
diff --git a/policy/modules/contrib/wm.if b/policy/modules/contrib/wm.if
index 25b702d..fbd84ba 100644
--- a/policy/modules/contrib/wm.if
+++ b/policy/modules/contrib/wm.if
@@ -68,6 +68,9 @@ template(`wm_role_template',`
auth_use_nsswitch($1_wm_t)
+ xserver_role($2, $1_wm_t)
+ xserver_manage_core_devices($1_wm_t)
+
optional_policy(`
dbus_spec_session_bus_client($1, $1_wm_t)
dbus_system_bus_client($1_wm_t)
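Review bot: Moving xserver_role($2, $1_wm_t) and xserver_manage_core_devices($1_wm_t) out of optional_policy makes xserver a hard dependency of wm.if; that is reasonable for a window manager template, but the module's dependencies should then list xserver explicitly, and xserver_manage_core_devices is a strong permission that deserves a comment on why the wm domain needs it.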
@@ -77,13 +80,12 @@ template(`wm_role_template',`
')
')
- optional_policy(`
- pulseaudio_run($1_wm_t, $2)
- ')
+ # optional_policy(`
+ # gnome_stream_connect_gkeyringd($1, $1_wm_t)
+ # ')
optional_policy(`
- xserver_role($2, $1_wm_t)
- xserver_manage_core_devices($1_wm_t)
+ pulseaudio_run($1_wm_t, $2)
')
')
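Review bot: The gnome_stream_connect_gkeyringd($1, $1_wm_t) block is added commented out rather than left out; either drop it or add a comment stating it is intentionally disabled pending the dbus nesting fix from the commit message. The pulseaudio_run block is only moved, so there is no behaviour change there.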
diff --git a/policy/modules/contrib/wm.te b/policy/modules/contrib/wm.te
index 0f5148e..ffe166f 100644
--- a/policy/modules/contrib/wm.te
+++ b/policy/modules/contrib/wm.te
@@ -57,10 +57,6 @@ optional_policy(`
')
optional_policy(`
- gnome_stream_connect_gkeyringd(wm_domain)
-')
-
-optional_policy(`
networkmanager_dbus_chat(wm_domain)
')
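Review bot: Removing gnome_stream_connect_gkeyringd(wm_domain) here while the per-role replacement in wm.if is left commented out means window manager domains lose stream access to the keyring daemon with this commit; if that is temporary the commit message should say so, since users will see AVC denials on gkeyringd sockets in the meantime.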
* [gentoo-commits] proj/hardened-refpolicy:merge commit in: policy/modules/contrib/
From: Sven Vermeulen @ 2013-09-23 6:29 UTC
To: gentoo-commits
commit: 259ffaed9af0165011cc36ed38c140d9f007cd94
Author: Miroslav Grepl <mgrepl <AT> redhat <DOT> com>
AuthorDate: Thu Aug 22 11:25:49 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Sep 23 06:27:26 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=259ffaed
Update condor_master rules to allow reading system state info and allow logging
---
policy/modules/contrib/condor.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/condor.te b/policy/modules/contrib/condor.te
index 3f2b672..4ca829b 100644
--- a/policy/modules/contrib/condor.te
+++ b/policy/modules/contrib/condor.te
@@ -185,7 +185,7 @@ allow condor_negotiator_t condor_master_t:udp_socket getattr;
allow condor_procd_t self:capability { fowner chown kill dac_override sys_ptrace };
-allow condor_procd_t condor_startd_t:process sigkill;
+allow condor_procd_t condor_domain:process sigkill;
domain_read_all_domains_state(condor_procd_t)
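Review bot: The commit message talks about reading system state and logging, but the hunk only widens the sigkill target from condor_startd_t to the whole condor_domain attribute; either the message or the diff is incomplete. Letting condor_procd_t sigkill every condor domain is also broader than before, so note which daemons procd actually has to terminate.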
* [gentoo-commits] proj/hardened-refpolicy:merge commit in: policy/modules/contrib/
From: Sven Vermeulen @ 2013-09-23 6:29 UTC
To: gentoo-commits
commit: 5562e1cd22a89358906eb674325fb40a10cf9ae2
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Thu Sep 19 17:54:51 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Sep 23 06:27:28 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=5562e1cd
Change type from etc_rw to conf for readability admin access to condor_conf_t
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/condor.fc | 2 +-
policy/modules/contrib/condor.if | 5 ++++-
policy/modules/contrib/condor.te | 6 +++---
3 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/policy/modules/contrib/condor.fc b/policy/modules/contrib/condor.fc
index 543321b..ad2b696 100644
--- a/policy/modules/contrib/condor.fc
+++ b/policy/modules/contrib/condor.fc
@@ -1,4 +1,4 @@
-/etc/condor(/.*)? gen_context(system_u:object_r:condor_etc_rw_t,s0)
+/etc/condor(/.*)? gen_context(system_u:object_r:condor_conf_t,s0)
/etc/rc\.d/init\.d/condor -- gen_context(system_u:object_r:condor_initrc_exec_t,s0)
diff --git a/policy/modules/contrib/condor.if b/policy/modules/contrib/condor.if
index 3fe3cb8..881d92f 100644
--- a/policy/modules/contrib/condor.if
+++ b/policy/modules/contrib/condor.if
@@ -60,7 +60,7 @@ interface(`condor_admin',`
attribute condor_domain;
type condor_initrc_exec_config_t, condor_log_t;
type condor_var_lib_t, condor_var_lock_t, condor_schedd_tmp_t;
- type condor_var_run_t, condor_startd_tmp_t;
+ type condor_var_run_t, condor_startd_tmp_t, condor_conf_t;
')
allow $1 condor_domain:process { ptrace signal_perms };
@@ -71,6 +71,9 @@ interface(`condor_admin',`
role_transition $2 condor_initrc_exec_t system_r;
allow $2 system_r;
+ files_search_etc($1)
+ admin_pattern($1, condor_conf_t)
+
logging_search_logs($1)
admin_pattern($1, condor_log_t)
diff --git a/policy/modules/contrib/condor.te b/policy/modules/contrib/condor.te
index 7666be4..5fd1388 100644
--- a/policy/modules/contrib/condor.te
+++ b/policy/modules/contrib/condor.te
@@ -34,8 +34,8 @@ files_tmp_file(condor_startd_tmp_t)
type condor_startd_tmpfs_t;
files_tmpfs_file(condor_startd_tmpfs_t)
-type condor_etc_rw_t;
-files_config_file(condor_etc_rw_t)
+type condor_conf_t;
+files_config_file(condor_conf_t)
type condor_log_t;
logging_log_file(condor_log_t)
@@ -65,7 +65,7 @@ allow condor_domain self:fifo_file rw_fifo_file_perms;
allow condor_domain self:tcp_socket { accept listen };
allow condor_domain self:unix_stream_socket { accept listen };
-rw_files_pattern(condor_domain, condor_etc_rw_t, condor_etc_rw_t)
+rw_files_pattern(condor_domain, condor_conf_t, condor_conf_t)
manage_dirs_pattern(condor_domain, condor_log_t, condor_log_t)
append_files_pattern(condor_domain, condor_log_t, condor_log_t)
* [gentoo-commits] proj/hardened-refpolicy:merge commit in: policy/modules/contrib/
From: Sven Vermeulen @ 2013-09-23 6:29 UTC
To: gentoo-commits
commit: 1e570633210d20c462a98fdfa0c3a23e9a2652ec
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Fri Sep 20 07:28:45 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Sep 23 06:28:39 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=1e570633
Clean up initial redis policy module
Need a redis port type
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/redis.fc | 10 +-
policy/modules/contrib/redis.if | 243 ++--------------------------------------
policy/modules/contrib/redis.te | 15 ++-
3 files changed, 20 insertions(+), 248 deletions(-)
diff --git a/policy/modules/contrib/redis.fc b/policy/modules/contrib/redis.fc
index 638d6b4..e240ac9 100644
--- a/policy/modules/contrib/redis.fc
+++ b/policy/modules/contrib/redis.fc
@@ -1,11 +1,9 @@
/etc/rc\.d/init\.d/redis -- gen_context(system_u:object_r:redis_initrc_exec_t,s0)
-/usr/lib/systemd/system/redis.* -- gen_context(system_u:object_r:redis_unit_file_t,s0)
+/usr/sbin/redis-server -- gen_context(system_u:object_r:redis_exec_t,s0)
-/usr/sbin/redis-server -- gen_context(system_u:object_r:redis_exec_t,s0)
+/var/lib/redis(/.*)? gen_context(system_u:object_r:redis_var_lib_t,s0)
-/var/lib/redis(/.*)? gen_context(system_u:object_r:redis_var_lib_t,s0)
+/var/log/redis(/.*)? gen_context(system_u:object_r:redis_log_t,s0)
-/var/log/redis(/.*)? gen_context(system_u:object_r:redis_log_t,s0)
-
-/var/run/redis(/.*)? gen_context(system_u:object_r:redis_var_run_t,s0)
+/var/run/redis(/.*)? gen_context(system_u:object_r:redis_var_run_t,s0)
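Review bot: Every remaining line of redis.fc is rewritten as a delete/add pair although only the systemd unit-file line is actually removed and the blank-line spacing changes, which makes the diff hard to review; keep the existing lines untouched and only remove the unit line. Also confirm that redis_unit_file_t is removed from redis.te, since nothing labels it any more.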
diff --git a/policy/modules/contrib/redis.if b/policy/modules/contrib/redis.if
index e3efff0..16c8ecb 100644
--- a/policy/modules/contrib/redis.if
+++ b/policy/modules/contrib/redis.if
@@ -1,226 +1,9 @@
-
-## <summary>policy for redis</summary>
-
-########################################
-## <summary>
-## Execute TEMPLATE in the redis domin.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`redis_domtrans',`
- gen_require(`
- type redis_t, redis_exec_t;
- ')
-
- corecmd_search_bin($1)
- domtrans_pattern($1, redis_exec_t, redis_t)
-')
-
-########################################
-## <summary>
-## Execute redis server in the redis domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`redis_initrc_domtrans',`
- gen_require(`
- type redis_initrc_exec_t;
- ')
-
- init_labeled_script_domtrans($1, redis_initrc_exec_t)
-')
-########################################
-## <summary>
-## Read redis's log files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`redis_read_log',`
- gen_require(`
- type redis_log_t;
- ')
-
- logging_search_logs($1)
- read_files_pattern($1, redis_log_t, redis_log_t)
-')
-
-########################################
-## <summary>
-## Append to redis log files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`redis_append_log',`
- gen_require(`
- type redis_log_t;
- ')
-
- logging_search_logs($1)
- append_files_pattern($1, redis_log_t, redis_log_t)
-')
-
-########################################
-## <summary>
-## Manage redis log files
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`redis_manage_log',`
- gen_require(`
- type redis_log_t;
- ')
-
- logging_search_logs($1)
- manage_dirs_pattern($1, redis_log_t, redis_log_t)
- manage_files_pattern($1, redis_log_t, redis_log_t)
- manage_lnk_files_pattern($1, redis_log_t, redis_log_t)
-')
-
-########################################
-## <summary>
-## Search redis lib directories.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`redis_search_lib',`
- gen_require(`
- type redis_var_lib_t;
- ')
-
- allow $1 redis_var_lib_t:dir search_dir_perms;
- files_search_var_lib($1)
-')
-
-########################################
-## <summary>
-## Read redis lib files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`redis_read_lib_files',`
- gen_require(`
- type redis_var_lib_t;
- ')
-
- files_search_var_lib($1)
- read_files_pattern($1, redis_var_lib_t, redis_var_lib_t)
-')
-
-########################################
-## <summary>
-## Manage redis lib files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`redis_manage_lib_files',`
- gen_require(`
- type redis_var_lib_t;
- ')
-
- files_search_var_lib($1)
- manage_files_pattern($1, redis_var_lib_t, redis_var_lib_t)
-')
-
-########################################
-## <summary>
-## Manage redis lib directories.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`redis_manage_lib_dirs',`
- gen_require(`
- type redis_var_lib_t;
- ')
-
- files_search_var_lib($1)
- manage_dirs_pattern($1, redis_var_lib_t, redis_var_lib_t)
-')
-
-########################################
-## <summary>
-## Read redis PID files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`redis_read_pid_files',`
- gen_require(`
- type redis_var_run_t;
- ')
-
- files_search_pids($1)
- read_files_pattern($1, redis_var_run_t, redis_var_run_t)
-')
+## <summary>Advanced key-value store.</summary>
########################################
## <summary>
-## Execute redis server in the redis domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`redis_systemctl',`
- gen_require(`
- type redis_t;
- type redis_unit_file_t;
- ')
-
- systemd_exec_systemctl($1)
- systemd_read_fifo_file_password_run($1)
- allow $1 redis_unit_file_t:file read_file_perms;
- allow $1 redis_unit_file_t:service manage_service_perms;
-
- ps_process_pattern($1, redis_t)
-')
-
-
-########################################
-## <summary>
-## All of the rules required to administrate
-## an redis environment
+## All of the rules required to
+## administrate an redis environment.
## </summary>
## <param name="domain">
## <summary>
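Review bot: removing `redis_domtrans`, `redis_initrc_domtrans`, the `redis_*_log`, `redis_*_lib*`, `redis_read_pid_files` and `redis_systemctl` interfaces changes the module's public API; any other module that calls one of them will fail at build time, so check for callers (or keep at least `redis_domtrans`) before merging. In the retained summary, "administrate an redis environment" should read "administer a redis environment".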
@@ -236,36 +19,24 @@ interface(`redis_systemctl',`
#
interface(`redis_admin',`
gen_require(`
- type redis_t;
- type redis_initrc_exec_t;
- type redis_log_t;
- type redis_var_lib_t;
- type redis_var_run_t;
- type redis_unit_file_t;
+ type redis_t, redis_initrc_exec_t, redis_var_lib_t;
+ type redis_log_t, redis_var_run_t;
')
allow $1 redis_t:process { ptrace signal_perms };
ps_process_pattern($1, redis_t)
- redis_initrc_domtrans($1)
+ init_labeled_script_domtrans($1, redis_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 redis_initrc_exec_t system_r;
allow $2 system_r;
logging_search_logs($1)
- admin_pattern($1, redis_log_t)
+ admin_pattern($!, redis_log_t)
files_search_var_lib($1)
admin_pattern($1, redis_var_lib_t)
files_search_pids($1)
admin_pattern($1, redis_var_run_t)
-
- redis_systemctl($1)
- admin_pattern($1, redis_unit_file_t)
- allow $1 redis_unit_file_t:service all_service_perms;
- optional_policy(`
- systemd_passwd_agent_exec($1)
- systemd_read_fifo_file_passwd_run($1)
- ')
')
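Review bot: `admin_pattern($!, redis_log_t)` is a typo for `$1`; m4 only substitutes `$` followed by a digit, so the literal string `$!` is passed as the domain and the generated log-administration rules will not compile. The same line was correct before the change (`admin_pattern($1, redis_log_t)`), so this looks like an accidental edit while collapsing the `gen_require` block.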
diff --git a/policy/modules/contrib/redis.te b/policy/modules/contrib/redis.te
index e5e9cf7..f98e40e 100644
--- a/policy/modules/contrib/redis.te
+++ b/policy/modules/contrib/redis.te
@@ -21,12 +21,9 @@ files_type(redis_var_lib_t)
type redis_var_run_t;
files_pid_file(redis_var_run_t)
-type redis_unit_file_t;
-systemd_unit_file(redis_unit_file_t)
-
########################################
#
-# redis local policy
+# Local policy
#
allow redis_t self:process { setrlimit signal_perms };
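Review bot: none of the redis.te hunks bumps the `policy_module` version even though a type (`redis_unit_file_t`) is removed and the network rules change below, whereas the other commits in this series bump the version for far smaller edits (condor, glusterfs, rhcs, virt); add the bump so loaded policy can be told apart from the previous build.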
@@ -48,8 +45,15 @@ manage_lnk_files_pattern(redis_t, redis_var_run_t, redis_var_run_t)
kernel_read_system_state(redis_t)
+corenet_all_recvfrom_unlabeled(redis_t)
+corenet_all_recvfrom_netlabel(redis_t)
+corenet_tcp_sendrecv_generic_if(redis_t)
+corenet_tcp_sendrecv_generic_node(redis_t)
corenet_tcp_bind_generic_node(redis_t)
-corenet_tcp_bind_redis_port(redis_t)
+
+# corenet_sendrecv_redis_server_packets(redis_t)
+# corenet_tcp_bind_redis_port(redis_t)
+# corenet_tcp_sendrecv_redis_port(redis_t)
dev_read_sysfs(redis_t)
dev_read_urand(redis_t)
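Review bot: with `corenet_tcp_bind_redis_port(redis_t)` commented out (no redis port type yet, per the commit message) redis_t is allowed to bind to a generic node but to no named port, so redis-server's listen socket will be denied at bind time in enforcing mode until the port type is declared in corenetwork and these three lines are restored; a `# TODO` comment naming the missing port type would make that follow-up obvious instead of leaving bare commented-out rules. The added `corenet_all_recvfrom_*` and `corenet_tcp_sendrecv_generic_*` rules are the usual prerequisites for a TCP server and look right.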
@@ -59,4 +63,3 @@ logging_send_syslog_msg(redis_t)
miscfiles_read_localization(redis_t)
sysnet_dns_name_resolve(redis_t)
-
* [gentoo-commits] proj/hardened-refpolicy:merge commit in: policy/modules/contrib/
From: Sven Vermeulen @ 2013-09-23 6:29 UTC
To: gentoo-commits
commit: f32d2da8b2f3a4cbaf11f9eb0a1c27d1678ce4d5
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Fri Sep 20 07:12:29 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Sep 23 06:28:03 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f32d2da8
Clean up hypervkvp policy module (seems incomplete)
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/hypervkvp.fc | 4 ++--
policy/modules/contrib/hypervkvp.if | 31 +++++++++++++++++++++----------
policy/modules/contrib/hypervkvp.te | 24 +++++++++++-------------
3 files changed, 34 insertions(+), 25 deletions(-)
diff --git a/policy/modules/contrib/hypervkvp.fc b/policy/modules/contrib/hypervkvp.fc
index 2a69ee4..b46130e 100644
--- a/policy/modules/contrib/hypervkvp.fc
+++ b/policy/modules/contrib/hypervkvp.fc
@@ -1,3 +1,3 @@
-/etc/rc\.d/init\.d/hypervkvpd -- gen_context(system_u:object_r:hypervkvp_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/hypervkvpd -- gen_context(system_u:object_r:hypervkvpd_initrc_exec_t,s0)
-/usr/sbin/hv_kvp_daemon -- gen_context(system_u:object_r:hypervkvp_exec_t,s0)
+/usr/sbin/hv_kvp_daemon -- gen_context(system_u:object_r:hypervkvpd_exec_t,s0)
diff --git a/policy/modules/contrib/hypervkvp.if b/policy/modules/contrib/hypervkvp.if
index 7743be5..6517fad 100644
--- a/policy/modules/contrib/hypervkvp.if
+++ b/policy/modules/contrib/hypervkvp.if
@@ -1,21 +1,32 @@
-
-## <summary>policy for hypervkvp</summary>
+## <summary>HyperV key value pair (KVP).</summary>
########################################
## <summary>
-## Execute TEMPLATE in the hypervkvp domin.
+## All of the rules required to
+## administrate an hypervkvp environment.
## </summary>
## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
+## <summary>
+## Domain allowed access.
+## </summary>
## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
#
-interface(`hypervkvp_domtrans',`
+interface(`hypervkvp_admin',`
gen_require(`
- type hypervkvp_t, hypervkvp_exec_t;
+ type hypervkvpd_t, hypervkvpd_initrc_exec_t;
')
- corecmd_search_bin($1)
- domtrans_pattern($1, hypervkvp_exec_t, hypervkvp_t)
+ allow $1 hypervkvpd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, hypervkvpd_t)
+
+ init_labeled_script_domtrans($1, hypervkvpd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 hypervkvpd_initrc_exec_t system_r;
+ allow $2 system_r;
')
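Review bot: replacing `hypervkvp_domtrans` with `hypervkvp_admin` removes the only interface other domains could use to transition into the daemon domain; that matches a daemon started only from its init script, but it should be stated as intentional. The admin interface grants `ptrace` and signal permissions plus the init-script transition and nothing else, which is consistent with the .te declaring no file types. In the summary, "administrate an hypervkvp environment" should read "administer a hypervkvp environment".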
diff --git a/policy/modules/contrib/hypervkvp.te b/policy/modules/contrib/hypervkvp.te
index 631ed79..4eb7041 100644
--- a/policy/modules/contrib/hypervkvp.te
+++ b/policy/modules/contrib/hypervkvp.te
@@ -5,26 +5,24 @@ policy_module(hypervkvp, 1.0.0)
# Declarations
#
-type hypervkvp_t;
-type hypervkvp_exec_t;
-init_daemon_domain(hypervkvp_t, hypervkvp_exec_t)
-
-type hypervkvp_initrc_exec_t;
-init_script_file(hypervkvp_initrc_exec_t)
+type hypervkvpd_t;
+type hypervkvpd_exec_t;
+init_daemon_domain(hypervkvpd_t, hypervkvpd_exec_t)
+type hypervkvpd_initrc_exec_t;
+init_script_file(hypervkvpd_initrc_exec_t)
########################################
#
-# hypervkvp local policy
+# Local policy
#
#
-allow hypervkvp_t self:fifo_file rw_fifo_file_perms;
-allow hypervkvp_t self:unix_stream_socket create_stream_socket_perms;
-domain_use_interactive_fds(hypervkvp_t)
+allow hypervkvpd_t self:fifo_file rw_fifo_file_perms;
+allow hypervkvpd_t self:unix_stream_socket create_stream_socket_perms;
-logging_send_syslog_msg(hypervkvp_t)
+logging_send_syslog_msg(hypervkvpd_t)
-miscfiles_read_localization(hypervkvp_t)
+miscfiles_read_localization(hypervkvpd_t)
-sysnet_dns_name_resolve(hypervkvp_t)
+sysnet_dns_name_resolve(hypervkvpd_t)
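Review bot: `domain_use_interactive_fds(hypervkvp_t)` is dropped without a `hypervkvpd_t` replacement while every other rule in the hunk is a pure rename; if the removal is deliberate, the commit message ("seems incomplete") should say so. Two further nits in the same hunk: the duplicated `#` line after "# Local policy" should be collapsed to one, and `policy_module(hypervkvp, 1.0.0)` in the hunk header is left unchanged even though every type in the module is renamed.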
* [gentoo-commits] proj/hardened-refpolicy:merge commit in: policy/modules/contrib/
From: Sven Vermeulen @ 2013-09-23 6:29 UTC
To: gentoo-commits
commit: 1885a6b8dbea8123e438d8b17ceb6aaf80bca8f8
Author: Miroslav Grepl <mgrepl <AT> redhat <DOT> com>
AuthorDate: Tue Aug 20 09:09:06 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Sep 23 06:28:41 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=1885a6b8
Add openvpn_can_network_connect() boolean
---
policy/modules/contrib/openvpn.te | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/policy/modules/contrib/openvpn.te b/policy/modules/contrib/openvpn.te
index 1c3599a..5816817 100644
--- a/policy/modules/contrib/openvpn.te
+++ b/policy/modules/contrib/openvpn.te
@@ -13,6 +13,14 @@ policy_module(openvpn, 1.12.1)
## </desc>
gen_tunable(openvpn_enable_homedirs, false)
+## <desc>
+## <p>
+## Determine whether openvpn can
+## connect to the TCP network.
+## </p>
+## </desc>
+gen_tunable(openvpn_can_network_connect, false)
+
attribute_role openvpn_roles;
type openvpn_t;
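Review bot: the new `<desc>` says openvpn may "connect to the TCP network", but the rule it guards (second hunk) grants connections to every TCP port; the description should name that breadth so administrators know what they enable. The hunk header also shows `policy_module(openvpn, 1.12.1)` unchanged, so the new boolean ships without a version bump (corrected later in this series by commit 83137721).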
@@ -149,6 +157,10 @@ tunable_policy(`openvpn_enable_homedirs && use_samba_home_dirs',`
fs_read_cifs_files(openvpn_t)
')
+tunable_policy(`openvpn_can_network_connect',`
+ corenet_tcp_connect_all_ports(openvpn_t)
+')
+
optional_policy(`
daemontools_service_domain(openvpn_t, openvpn_exec_t)
')
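Review bot: `corenet_tcp_connect_all_ports(openvpn_t)` on its own only covers `name_connect`; openvpn_t still lacks send/recv on those ports and the client packet permissions, so the connection will be denied right after it is established. Add `corenet_tcp_sendrecv_all_ports(openvpn_t)` and `corenet_sendrecv_all_client_packets(openvpn_t)` inside the same `tunable_policy` block (commit 83137721 on this page does exactly that).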
* [gentoo-commits] proj/hardened-refpolicy:merge commit in: policy/modules/contrib/
From: Sven Vermeulen @ 2013-09-23 6:29 UTC
To: gentoo-commits
commit: 0a54a711c81b74e91cc633b005b28cb71170d960
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Thu Sep 19 12:45:01 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Sep 23 06:27:38 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=0a54a711
Module version bump for changes to various policy modules by Miroslav Grepl
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/condor.te | 2 +-
policy/modules/contrib/glusterfs.te | 2 +-
policy/modules/contrib/rhcs.te | 2 +-
policy/modules/contrib/virt.te | 2 +-
4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/policy/modules/contrib/condor.te b/policy/modules/contrib/condor.te
index 32b299a..ce9f040 100644
--- a/policy/modules/contrib/condor.te
+++ b/policy/modules/contrib/condor.te
@@ -1,4 +1,4 @@
-policy_module(condor, 1.0.0)
+policy_module(condor, 1.0.1)
########################################
#
diff --git a/policy/modules/contrib/glusterfs.te b/policy/modules/contrib/glusterfs.te
index 0a8e91e..4e95c7e 100644
--- a/policy/modules/contrib/glusterfs.te
+++ b/policy/modules/contrib/glusterfs.te
@@ -1,4 +1,4 @@
-policy_module(glusterfs, 1.1.1)
+policy_module(glusterfs, 1.1.2)
########################################
#
diff --git a/policy/modules/contrib/rhcs.te b/policy/modules/contrib/rhcs.te
index 7f87224..6cf79c4 100644
--- a/policy/modules/contrib/rhcs.te
+++ b/policy/modules/contrib/rhcs.te
@@ -1,4 +1,4 @@
-policy_module(rhcs, 1.2.0)
+policy_module(rhcs, 1.2.1)
########################################
#
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 3f48d7f..7afd03d 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1,4 +1,4 @@
-policy_module(virt, 1.7.3)
+policy_module(virt, 1.7.4)
########################################
#
* [gentoo-commits] proj/hardened-refpolicy:merge commit in: policy/modules/contrib/
From: Sven Vermeulen @ 2013-09-23 6:29 UTC
To: gentoo-commits
commit: 8313772124285241a40d56a7030ba9c4dc5431b3
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Fri Sep 20 07:41:07 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Sep 23 06:28:43 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=83137721
Additional openvpn tcp networking rules
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/openvpn.te | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/policy/modules/contrib/openvpn.te b/policy/modules/contrib/openvpn.te
index 5816817..63957a3 100644
--- a/policy/modules/contrib/openvpn.te
+++ b/policy/modules/contrib/openvpn.te
@@ -1,4 +1,4 @@
-policy_module(openvpn, 1.12.1)
+policy_module(openvpn, 1.12.2)
########################################
#
@@ -14,10 +14,10 @@ policy_module(openvpn, 1.12.1)
gen_tunable(openvpn_enable_homedirs, false)
## <desc>
-## <p>
-## Determine whether openvpn can
-## connect to the TCP network.
-## </p>
+## <p>
+## Determine whether openvpn can
+## connect to the TCP network.
+## </p>
## </desc>
gen_tunable(openvpn_can_network_connect, false)
@@ -158,7 +158,9 @@ tunable_policy(`openvpn_enable_homedirs && use_samba_home_dirs',`
')
tunable_policy(`openvpn_can_network_connect',`
- corenet_tcp_connect_all_ports(openvpn_t)
+ corenet_sendrecv_all_client_packets(openvpn_t)
+ corenet_tcp_connect_all_ports(openvpn_t)
+ corenet_tcp_sendrecv_all_ports(openvpn_t)
')
optional_policy(`
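Review bot: the three rules now make `openvpn_can_network_connect` grant openvpn_t connect and send/recv on every TCP port plus all client packets, which is the complete set for an outbound TCP client; keeping the tunable default at `false` (as in the hunk above) is the right call given that scope, and the `<desc>` text should say "all TCP ports" rather than "the TCP network".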
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
From: Sven Vermeulen @ 2013-09-23 13:31 UTC
To: gentoo-commits
commit: d8ad674f9b897235cd243b9a37543bcfedb71d6e
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Thu Sep 19 17:39:39 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Sep 23 06:27:19 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=d8ad674f
Clean up libstoragemgmt policy module
We do not yet support systemd
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
policy/modules/contrib/lsm.fc | 4 +--
policy/modules/contrib/lsm.if | 79 ++-----------------------------------------
policy/modules/contrib/lsm.te | 9 ++---
3 files changed, 7 insertions(+), 85 deletions(-)
diff --git a/policy/modules/contrib/lsm.fc b/policy/modules/contrib/lsm.fc
index 711c04b..51777c1 100644
--- a/policy/modules/contrib/lsm.fc
+++ b/policy/modules/contrib/lsm.fc
@@ -1,5 +1,3 @@
-/usr/bin/lsmd -- gen_context(system_u:object_r:lsmd_exec_t,s0)
-
-/usr/lib/systemd/system/libstoragemgmt.* -- gen_context(system_u:object_r:lsmd_unit_file_t,s0)
+/usr/bin/lsmd -- gen_context(system_u:object_r:lsmd_exec_t,s0)
/var/run/lsm(/.*)? -- gen_context(system_u:object_r:lsmd_var_run_t,s0)
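Review bot: the retained context line `/var/run/lsm(/.*)? -- gen_context(...lsmd_var_run_t...)` uses the `--` regular-file specifier on a pattern that is meant to cover the directory too, so `/var/run/lsm` itself will never be labelled `lsmd_var_run_t` and the `manage_dirs_pattern` rule in lsm.te will not apply to it; drop the `--`, as the `/var/run/redis(/.*)?` entry elsewhere in this series does. The `/usr/bin/lsmd` line removed and re-added with identical text looks like a whitespace-only change and should be called out as such.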
diff --git a/policy/modules/contrib/lsm.if b/policy/modules/contrib/lsm.if
index f3e94d7..d314333 100644
--- a/policy/modules/contrib/lsm.if
+++ b/policy/modules/contrib/lsm.if
@@ -1,72 +1,9 @@
-
-## <summary>lsmd SELINUX policy </summary>
-
-########################################
-## <summary>
-## Execute TEMPLATE in the lsmd domin.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`lsmd_domtrans',`
- gen_require(`
- type lsmd_t, lsmd_exec_t;
- ')
-
- corecmd_search_bin($1)
- domtrans_pattern($1, lsmd_exec_t, lsmd_t)
-')
-########################################
-## <summary>
-## Read lsmd PID files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`lsmd_read_pid_files',`
- gen_require(`
- type lsmd_var_run_t;
- ')
-
- files_search_pids($1)
- read_files_pattern($1, lsmd_var_run_t, lsmd_var_run_t)
-')
-
-########################################
-## <summary>
-## Execute lsmd server in the lsmd domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`lsmd_systemctl',`
- gen_require(`
- type lsmd_t;
- type lsmd_unit_file_t;
- ')
-
- systemd_exec_systemctl($1)
- systemd_read_fifo_file_password_run($1)
- allow $1 lsmd_unit_file_t:file read_file_perms;
- allow $1 lsmd_unit_file_t:service manage_service_perms;
-
- ps_process_pattern($1, lsmd_t)
-')
-
+## <summary>Storage array management library.</summary>
########################################
## <summary>
## All of the rules required to administrate
-## an lsmd environment
+## an lsmd environment.
## </summary>
## <param name="domain">
## <summary>
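Review bot: `lsmd_domtrans` and `lsmd_read_pid_files` are public interfaces, so dropping them alongside the systemd-specific `lsmd_systemctl` breaks any module that calls them at build time; check for callers before merging, and note in the commit message that only the systemd parts are the motivation ("We do not yet support systemd") while the other two are removed for cleanup.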
@@ -82,9 +19,7 @@ interface(`lsmd_systemctl',`
#
interface(`lsmd_admin',`
gen_require(`
- type lsmd_t;
- type lsmd_var_run_t;
- type lsmd_unit_file_t;
+ type lsmd_t, type lsmd_var_run_t;
')
allow $1 lsmd_t:process { ptrace signal_perms };
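Review bot: `type lsmd_t, type lsmd_var_run_t;` repeats the `type` keyword inside a single declaration and will not parse in `gen_require`; it should read `type lsmd_t, lsmd_var_run_t;` (compare the redis.if change in this series, `type redis_t, redis_initrc_exec_t, redis_var_lib_t;`).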
@@ -92,12 +27,4 @@ interface(`lsmd_admin',`
files_search_pids($1)
admin_pattern($1, lsmd_var_run_t)
-
- lsmd_systemctl($1)
- admin_pattern($1, lsmd_unit_file_t)
- allow $1 lsmd_unit_file_t:service all_service_perms;
- optional_policy(`
- systemd_passwd_agent_exec($1)
- systemd_read_fifo_file_passwd_run($1)
- ')
')
diff --git a/policy/modules/contrib/lsm.te b/policy/modules/contrib/lsm.te
index 14fe4d7..7f0ca47 100644
--- a/policy/modules/contrib/lsm.te
+++ b/policy/modules/contrib/lsm.te
@@ -12,15 +12,12 @@ init_daemon_domain(lsmd_t, lsmd_exec_t)
type lsmd_var_run_t;
files_pid_file(lsmd_var_run_t)
-type lsmd_unit_file_t;
-systemd_unit_file(lsmd_unit_file_t)
-
########################################
#
-# lsmd local policy
+# Local policy
#
-allow lsmd_t self:capability { setgid };
-allow lsmd_t self:process { fork };
+
+allow lsmd_t self:capability setgid;
allow lsmd_t self:unix_stream_socket create_stream_socket_perms;
manage_dirs_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
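Review bot: `allow lsmd_t self:process { fork };` is removed in the same hunk that rewrites the capability rule; unless the base domain rules already grant `fork` (not visible here), a daemon that forks children will start being denied, so the commit message should justify the removal rather than fold it into "clean up". The `{ setgid }` to `setgid` rewrite and the removal of `lsmd_unit_file_t` match the .fc and .if hunks.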