From: "Sven Vermeulen"
To: gentoo-commits@lists.gentoo.org
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen"
Message-ID: <1380567784.bfd3a1c8be8744da6db2648be14a1c0ffc0e2cd3.swift@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: /
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: minissdpd.fc minissdpd.if minissdpd.te
X-VCS-Directories: /
X-VCS-Committer: swift
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: bfd3a1c8be8744da6db2648be14a1c0ffc0e2cd3
X-VCS-Branch: master
Date: Mon, 30 Sep 2013 19:03:41 +0000 (UTC)
List-Id: Gentoo Linux mail

commit: bfd3a1c8be8744da6db2648be14a1c0ffc0e2cd3
Author: Dominick Grift gmail com>
AuthorDate: Fri Sep 27 15:43:02 2013 +0000
Commit: Sven Vermeulen gentoo org>
CommitDate: Mon Sep 30 19:03:04 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=bfd3a1c8

Initial minissdpd policy module

MiniSSDPd is a small daemon used by MiniUPnPc (a UPnP control point for IGD devices) to speed up device discoveries. MiniSSDPd keeps memory of all UPnP devices that announced themselves on the network through SSDP NOTIFY packets. MiniSSDPd also has the ability to handle all SSDP traffic received on a computer via the multicast group 239.255.255.250:1900.

MiniSSDPd receives NOTIFY packets and stores information contained for later use by UPnP Control Points on the machine. MiniSSDPd receives M-SEARCH packets and answers on behalf of the UPnP devices running on the machine.

MiniUPnPd and MiniUPnPc are designed to automatically take advantage of MiniSSDPd running on the same computer. Just make sure that MiniSSDPd is started before any other UPnP program on the computer.
Signed-off-by: Dominick Grift gmail.com> --- minissdpd.fc | 8 ++++++++ minissdpd.if | 39 +++++++++++++++++++++++++++++++++++++++ minissdpd.te | 46 ++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 93 insertions(+) diff --git a/minissdpd.fc b/minissdpd.fc new file mode 100644 index 0000000..4970404 --- /dev/null +++ b/minissdpd.fc @@ -0,0 +1,8 @@ +/etc/default/minissdpd -- gen_context(system_u:object_r:minissdpd_conf_t,s0) + +/etc/rc\.d/init\.d/minissdpd -- gen_context(system_u:object_r:minissdpd_initrc_exec_t,s0) + +/usr/sbin/minissdpd -- gen_context(system_u:object_r:minissdpd_exec_t,s0) + +/var/run/minissdpd\.pid -- gen_context(system_u:object_r:minissdpd_var_run_t,s0) +/var/run/minissdpd\.sock -s gen_context(system_u:object_r:minissdpd_var_run_t,s0) diff --git a/minissdpd.if b/minissdpd.if new file mode 100644 index 0000000..20de8ef --- /dev/null +++ b/minissdpd.if @@ -0,0 +1,39 @@ +## Daemon used by MiniUPnPc to speed up device discoveries. + +######################################## +## +## All of the rules required to +## administrate an minissdpd environment. +## +## +## +## Domain allowed access. +## +## +## +## +## Role allowed access. +## +## +## +# +interface(`minissdpd_admin',` + gen_require(` + type minissdpd_t, minissdpd_initrc_exec_t, minissdpd_conf_t; + type minissdpd_var_run_t + ') + + allow $1 minissdpd_t:process { ptrace signal_perms }; + ps_process_pattern($1, minissdpd_t) + + init_labeled_script_domtrans($1, minissdpd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 minissdpd_initrc_exec_t system_r; + allow $2 system_r; + + files_search_etc($1) + admin_pattern($1, minissdpd_conf_t) + + files_search_pids($1) + admin_pattern($1, minissdpd_var_run_t) +') diff --git a/minissdpd.te b/minissdpd.te new file mode 100644 index 0000000..ae9004b --- /dev/null +++ b/minissdpd.te 
@@ -0,0 +1,46 @@ +policy_module(minissdpd, 1.0.0) + +######################################## +# +# Declarations +# + +type minissdpd_t; +type minissdpd_exec_t; +init_daemon_domain(minissdpd_t, minissdpd_exec_t) + +type minissdpd_initrc_exec_t; +init_script_file(minissdpd_initrc_exec_t) + +type minissdpd_conf_t; +files_config_file(minissdpd_conf_t) + +type minissdpd_var_run_t; +files_pid_file(minissdpd_var_run_t) + +######################################## +# +# Local policy +# + +allow minissdpd_t self:capability { sys_module net_admin }; +allow minissdpd_t self:netlink_route_socket r_netlink_socket_perms; +allow minissdpd_t self:udp_socket create_socket_perms; +allow minissdpd_t self:unix_dgram_socket create_socket_perms; + +allow minissdpd_t minissdpd_var_run_t:file manage_file_perms; +allow minissdpd_t minissdpd_var_run_t:sock_file manage_sock_file_perms; +files_pid_filetrans(minissdpd_t, minissdpd_var_run_t, { file sock_file }) + +kernel_read_network_state(minissdpd_t) +kernel_request_load_module(minissdpd_t) + +corenet_all_recvfrom_unlabeled(minissdpd_t) +corenet_all_recvfrom_netlabel(minissdpd_t) +corenet_udp_sendrecv_generic_if(minissdpd_t) +corenet_udp_sendrecv_generic_node(minissdpd_t) +corenet_udp_bind_generic_node(minissdpd_t) + +corenet_sendrecv_ssdp_server_packets(minissdpd_t) +corenet_udp_bind_ssdp_port(minissdpd_t) +corenet_udp_sendrecv_ssdp_port(minissdpd_t)
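Review bot: in the minissdpd.fc hunk, `/etc/default/minissdpd` is labeled minissdpd_conf_t, but the minissdpd.te hunk grants minissdpd_t no access to that type. If the daemon itself reads the file (rather than the init script sourcing it before the exec), add `files_search_etc(minissdpd_t)` and `read_files_pattern(minissdpd_t, minissdpd_conf_t, minissdpd_conf_t)`; if only the init script uses it, the label is fine as is but a short comment in the .te saying so would save the next reader the same question. The `-s` entry for `/var/run/minissdpd\.sock` does line up with the `{ file sock_file }` filetrans in the .te, so the socket labeling is consistent.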
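Review bot: in the minissdpd.if hunk, the gen_require block ends with `type minissdpd_var_run_t` and no terminating semicolon; gen_require expands into a require { } block, so this should read `type minissdpd_var_run_t;` or the module will fail to build. The file also exposes only minissdpd_admin: the commit message says MiniUPnPc and MiniUPnPd talk to the daemon over its socket, so client domains will need something like a `minissdpd_stream_connect($1)` interface (files_search_pids($1) plus stream_connect_pattern($1, minissdpd_var_run_t, minissdpd_var_run_t, minissdpd_t)). Minor: "administrate an minissdpd environment" should be "a minissdpd environment".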
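Review bot: in the minissdpd.te hunk, `allow minissdpd_t self:capability { sys_module net_admin };` is wider than the daemon should need: kernel_request_load_module(minissdpd_t) already lets it trigger module autoloading through the kernel, so sys_module (direct init_module/delete_module) should be dropped or at most dontaudited unless an AVC denial shows the daemon really calling init_module. Separately, the domain gets unix_dgram_socket but no unix_stream_socket permissions; if /var/run/minissdpd.sock is a listening stream socket, `allow minissdpd_t self:unix_stream_socket create_stream_socket_perms;` is missing. The usual daemon boilerplate (logging_send_syslog_msg, miscfiles_read_localization, files_read_etc_files) is absent as well; worth confirming against AVC output from a test run before merging.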