From: "Sven Vermeulen"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen"
Message-ID: <1403726028.f4284ca3c2aa40c9c5296be9a157e45250f497c5.swift@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/contrib/resolvconf.fc policy/modules/contrib/resolvconf.if policy/modules/contrib/resolvconf.te
X-VCS-Directories: policy/modules/contrib/
X-VCS-Committer: swift
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: f4284ca3c2aa40c9c5296be9a157e45250f497c5
X-VCS-Branch: master
Date: Wed, 25 Jun 2014 19:56:07 +0000 (UTC)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: 4e41bdfa-176f-4a87-a74d-bff667cc3ac8
X-Archives-Hash: bb66272d99ddfdbadaaf0d346980eb37

commit:     f4284ca3c2aa40c9c5296be9a157e45250f497c5
Author:     Sven Vermeulen siphos be>
AuthorDate: Wed Jun 25 19:53:48 2014 +0000
Commit:     Sven Vermeulen gentoo org>
CommitDate: Wed Jun 25 19:53:48 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f4284ca3

Fix bug #509728 - Add openresolv support

The openresolv application implements the resolvconf interface that many network services have. This policy should support those network services *if* they are enabled further through the resolvconf_client_domain() attribute.

For instance:

resolvconf_client_domain(dhcpc_t)

---
 policy/modules/contrib/resolvconf.fc |   6 +++
 policy/modules/contrib/resolvconf.if | 102 +++++++++++++++++++++++++++++++++++
 policy/modules/contrib/resolvconf.te |  52 ++++++++++++++++++
 3 files changed, 160 insertions(+)

diff --git a/policy/modules/contrib/resolvconf.fc b/policy/modules/contrib/resolvconf.fc
new file mode 100644
index 0000000..a7c9eed
--- /dev/null
+++ b/policy/modules/contrib/resolvconf.fc @@ -0,0 +1,6 @@ + +/etc/resolvconf.conf -- gen_context(system_u:object_r:resolvconf_conf_t,s0) + +/lib/resolvconf(/.*)? gen_context(system_u:object_r:bin_t,s0) + +/sbin/resolvconf -- gen_context(system_u:object_r:resolvconf_exec_t,s0) diff --git a/policy/modules/contrib/resolvconf.if b/policy/modules/contrib/resolvconf.if new file mode 100644 index 0000000..7a93eb6 --- /dev/null +++ b/policy/modules/contrib/resolvconf.if 
@@ -0,0 +1,102 @@ +## OpenResolv network configuration management + +######################################### +## +## Mark the domain as a resolvconf client, automatically granting +## the necessary privileges (execute resolvconf and type access). +## +## +## +## Domain to mark as a resolvconf client +## +## +# +interface(`resolvconf_client_domain',` + gen_require(` + attribute resolvconf_client; + ') + + typeattribute $1 resolvconf_client; +') + +######################################### +## +## Assign the proper permissions to the domain, such as +## executing resolvconf and accessing its types. +## +## +## +## Domain to assign proper permissions to +## +## +# +interface(`resolvconf_client_domain_privs',` + resolvconf_domtrans($1) + resolvconf_generic_run_filetrans_run($1, dir, "resolvconf") +') + +######################################### +## +## Execute resolvconf and transition to the resolvconf_t domain +## +## +## +## Domain allowed to transition +## +## +# +interface(`resolvconf_domtrans',` + gen_require(` + type resolvconf_t; + type resolvconf_exec_t; + ') + + domtrans_pattern($1, resolvconf_exec_t, resolvconf_t) +') + +######################################### +## +## Execute resolvconf in the calling domain (no transition) +## +## +## +## Domain allowed to execute +## +## +# +interface(`resolvconf_exec',` + gen_require(` + type resolvconf_exec_t; + ') + + can_exec($1, resolvconf_exec_t) +') + +######################################### +## +## Transition to resolvconf_run_t when creating resources +## inside the generic run directory +## +## +## +## Domain allowed access +## +## +## +## +## Class on which a file transition has to occur +## +## +## +## +## Name of the resource on which a file transition has to occur +## +## +# +interface(`resolvconf_generic_run_filetrans_run',` + gen_require(` + type resolvconf_var_run_t; + ') + + files_pid_filetrans($1, resolvconf_var_run_t, $2, $3) +') 
diff --git a/policy/modules/contrib/resolvconf.te b/policy/modules/contrib/resolvconf.te new file mode 100644 index 0000000..7fbd00d --- /dev/null +++ b/policy/modules/contrib/resolvconf.te @@ -0,0 +1,52 @@ +policy_module(resolvconf, 0.1) + +type resolvconf_t; +type resolvconf_exec_t; +domain_type(resolvconf_t) +domain_entry_file(resolvconf_t, resolvconf_exec_t) +role system_r types resolvconf_t; + +attribute resolvconf_client; + +type resolvconf_conf_t; +files_config_file(resolvconf_conf_t) + +type resolvconf_var_run_t; +files_pid_file(resolvconf_var_run_t) + +######################################### +# +# OpenResolv policy +# + +allow resolvconf_t self:fifo_file manage_fifo_file_perms; +allow resolvconf_t resolvconf_conf_t:file read_file_perms; + +manage_dirs_pattern(resolvconf_t, resolvconf_var_run_t, resolvconf_var_run_t) +manage_files_pattern(resolvconf_t, resolvconf_var_run_t, resolvconf_var_run_t) + +corecmd_exec_bin(resolvconf_t) +corecmd_exec_shell(resolvconf_t) + +files_pid_filetrans(resolvconf_t, resolvconf_var_run_t, { dir file }) +files_read_etc_files(resolvconf_t) + +sysnet_manage_config(resolvconf_t) + +optional_policy(` + init_domtrans_script(resolvconf_t) + init_read_script_status_files(resolvconf_t) + init_use_script_fds(resolvconf_t) + init_use_script_ptys(resolvconf_t) +') + +optional_policy(` + term_dontaudit_use_console(resolvconf_t) +') + +######################################### +# +# Resolvconf client policy +# + +resolvconf_client_domain_privs(resolvconf_client)
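Review bot: In the resolvconf.fc hunk, the entry `/lib/resolvconf(/.*)? gen_context(system_u:object_r:bin_t,s0)` labels openresolv's helper scripts with the generic bin_t type, which means any domain that already has corecmd_exec_bin() can run them in its own domain rather than only through the resolvconf_t transition. If that is intended, refpolicy convention is to keep generic bin_t file contexts in the corecommands module's .fc rather than in a contrib module; if the helpers should only ever run under resolvconf_t, a dedicated type reached via corecmd_exec_bin(resolvconf_t) would be tighter. Either way a one-line comment in the .fc explaining the choice would help the next reader.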
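Review bot: In the resolvconf.if hunk, `resolvconf_client_domain_privs` pairs `resolvconf_domtrans($1)` with `resolvconf_generic_run_filetrans_run($1, dir, "resolvconf")`, but a type_transition rule grants no permission by itself: a client that actually creates /run/resolvconf would still be denied `create` on resolvconf_var_run_t dirs unless a manage/create interface is added, and if the client only needs to reach the directory after resolvconf_t has created it, a search or list interface on resolvconf_var_run_t is the tighter grant. Separately, the `_run` suffix on `resolvconf_generic_run_filetrans_run` is conventionally reserved for interfaces that grant a role plus domain transition, so a name such as `resolvconf_pid_filetrans` (or the refpolicy-style `resolvconf_filetrans_named_content`) would avoid confusion, and `resolvconf_client_domain_privs` should be documented as an internal interface used by the attribute rather than one callers are expected to use directly.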
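Review bot: In the resolvconf.te hunk, `files_pid_filetrans(resolvconf_t, resolvconf_var_run_t, { dir file })` is an unnamed transition, so every dir or file resolvconf_t creates directly under the generic pid directory will be labelled resolvconf_var_run_t, not just /run/resolvconf; since the .if already uses the name "resolvconf", passing that name here as the fourth argument keeps the label scoped to the intended directory. The domain also gets `sysnet_manage_config(resolvconf_t)` for writing resolv.conf, but openresolv replaces /etc/resolv.conf by creating a new file, and without a file transition for files created in the etc directory the new file inherits the parent's type and later readers of net_conf_t will be denied; consider adding the sysnetwork etc file-transition interface for resolvconf_t next to sysnet_manage_config. Finally, `init_domtrans_script(resolvconf_t)` inside optional_policy lets this domain restart arbitrary init scripts, which is a broad grant for a resolver updater; a short comment stating which subscriber scripts require it (and a tunable or a narrower interface if only a couple of services need restarting) would make the intent reviewable.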