From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id 41FF21381F3 for ; Mon, 30 Sep 2013 19:04:08 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 802D7E0C29; Mon, 30 Sep 2013 19:03:54 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 116ACE0C29 for ; Mon, 30 Sep 2013 19:03:48 +0000 (UTC) Received: from hornbill.gentoo.org (hornbill.gentoo.org [94.100.119.163]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id F0CCD33E9DB for ; Mon, 30 Sep 2013 19:03:42 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by hornbill.gentoo.org (Postfix) with ESMTP id 05345E545D for ; Mon, 30 Sep 2013 19:03:41 +0000 (UTC) 
From: "Sven Vermeulen" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" Message-ID: <1380567783.55711c0625e3572f837117e46493b3601d40db2d.swift@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: / X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: gdomap.fc gdomap.if gdomap.te X-VCS-Directories: / X-VCS-Committer: swift X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: 55711c0625e3572f837117e46493b3601d40db2d X-VCS-Branch: master Date: Mon, 30 Sep 2013 19:03:41 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: 913eb3f7-90a5-4268-a0ff-d9e0317a43b9 X-Archives-Hash: 53b71949228ff13ab93ae9ade3952853 commit: 55711c0625e3572f837117e46493b3601d40db2d Author: Dominick Grift gmail com> AuthorDate: Fri Sep 27 11:05:57 2013 +0000 Commit: Sven Vermeulen gentoo org> CommitDate: Mon Sep 30 19:03:03 2013 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=55711c06 Initial gdomap policy module The gdomap daemon is used by GNUstep programs to look up distributed objects of processes running across the network (and between different user accounts on a single machine). Signed-off-by: Dominick Grift gmail.com> --- gdomap.fc | 7 +++++++ gdomap.if | 39 +++++++++++++++++++++++++++++++++++++++ gdomap.te | 42 ++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 88 insertions(+) diff --git a/gdomap.fc b/gdomap.fc new file mode 100644 index 0000000..0735238 --- /dev/null +++ b/gdomap.fc 
@@ -0,0 +1,7 @@ +/etc/default/gdomap -- gen_context(system_u:object_r:gdomap_conf_t,s0) + +/etc/rc\.d/init\.d/gdomap -- gen_context(system_u:object_r:gdomap_initrc_exec_t,s0) + +/usr/bin/gdomap -- gen_context(system_u:object_r:gdomap_exec_t,s0) + +/var/run/gdomap\.pid -- gen_context(system_u:object_r:gdomap_var_run_t,s0) diff --git a/gdomap.if b/gdomap.if new file mode 100644 index 0000000..f2cf3ad --- /dev/null +++ b/gdomap.if @@ -0,0 +1,39 @@ +## GNUstep distributed object mapper. + +######################################## +## +## All of the rules required to +## administrate an gdomap environment. +## +## +## +## Domain allowed access. +## +## +## +## +## Role allowed access. +## +## +## +# +interface(`gdomap_admin',` + gen_require(` + type gdomap_t, gdomap_conf_t, gdomap_initrc_exec_t; + type gdomap_var_run_t; + ') + + allow $1 gdomap_t:process { ptrace signal_perms }; + ps_process_pattern($1, gdomap_t) + + init_labeled_script_domtrans($1, gdomap_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 gdomap_initrc_exec_t system_r; + allow $2 system_r; + + files_search_etc($1) + admin_pattern($1, gdomap_conf_t) + + files_search_pids($1) + admin_pattern($1, gdomap_var_run_t) +') diff --git a/gdomap.te b/gdomap.te new file mode 100644 index 0000000..0d2c4f4 --- /dev/null +++ b/gdomap.te 
@@ -0,0 +1,42 @@ +policy_module(gdomap, 1.0.0) + +######################################## +# +# Declarations +# + +type gdomap_t; +type gdomap_exec_t; +init_daemon_domain(gdomap_t, gdomap_exec_t) + +type gdomap_initrc_exec_t; +init_script_file(gdomap_initrc_exec_t) + +type gdomap_conf_t; +files_config_file(gdomap_conf_t) + +type gdomap_var_run_t; +files_pid_file(gdomap_var_run_t) + +######################################## +# +# Local policy +# + +allow gdomap_t self:capability { setuid sys_chroot net_bind_service setgid }; +allow gdomap_t self:tcp_socket { listen accept }; + +allow gdomap_t gdomap_var_run_t:file manage_file_perms; +files_pid_filetrans(gdomap_t, gdomap_var_run_t, file, "gdomap.pid") + +# corenet_sendrecv_gdomap_server_packets(gdomap_t) +# corenet_tcp_bind_gdomap_port(gdomap_t) +# corenet_tcp_sendrecv_gdomap_port(gdomap_t) +# corenet_udp_bind_gdomap_port(gdomap_t) +# corenet_udp_sendrecv_gdomap_port(gdomap_t) + +domain_use_interactive_fds(gdomap_t) + +auth_use_nsswitch(gdomap_t) + +logging_send_syslog_msg(gdomap_t)
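Review bot: in gdomap.fc the only configuration path labelled gdomap_conf_t is `/etc/default/gdomap`, which is the Debian layout; on Gentoo the OpenRC configuration lives at `/etc/conf.d/gdomap` and would remain etc_t, so gdomap_conf_t is never populated on the distribution this repository targets. Either add an `/etc/conf.d/gdomap -- gen_context(system_u:object_r:gdomap_conf_t,s0)` entry alongside the existing one or note in the commit that the type only applies to Debian-style installs. The remaining entries match the types declared in gdomap.te.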
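Review bot: in gdomap.if the interface summary reads "administrate an gdomap environment"; it should be "a gdomap environment". As mailed, the doc block also shows no summary or parameter XML tags around the summary line and the two "Domain allowed access." / "Role allowed access." descriptions, so please confirm the tags survived in the committed file, since the interface documentation is generated from them. The rule body itself follows the usual refpolicy admin-interface shape (ptrace/signal_perms plus ps_process_pattern, init_labeled_script_domtrans with the role_transition to system_r, admin_pattern on the conf and pid types), so no changes needed there.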
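Review bot: in gdomap.te the five corenet_* calls are commented out, so gdomap_t is granted net_bind_service but has no rule allowing it to bind, send or receive on its port, and the daemon will be denied at bind() under this policy. The port type those names imply (gdomap_port_t, by the refpolicy naming convention) needs declaring in corenetwork.te.in before the calls can be enabled; the module should not ship with them commented. Related: `allow gdomap_t self:tcp_socket { listen accept };` omits create, bind and setopt, so use `allow gdomap_t self:tcp_socket create_stream_socket_perms;`, add `allow gdomap_t self:udp_socket create_socket_perms;` if the UDP side is kept as the commented udp calls suggest, and add `corenet_tcp_bind_generic_node(gdomap_t)` (and the udp counterpart) for the node bind. Finally, nothing grants gdomap_t read access to gdomap_conf_t; if the daemon itself reads /etc/default/gdomap rather than only the init script sourcing it, add `files_search_etc(gdomap_t)` and `read_files_pattern(gdomap_t, gdomap_conf_t, gdomap_conf_t)`.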