From: "Sven Vermeulen" <swift@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] proj/hardened-refpolicy:testing commit in: policy/modules/system/
Date: Fri, 8 Aug 2014 12:36:55 +0000 (UTC) [thread overview]
Message-ID: <1407501402.5ad9043cff0a3495ee357ee3c9b8f2ef50f2d15a.swift@gentoo> (raw)
commit: 5ad9043cff0a3495ee357ee3c9b8f2ef50f2d15a
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Aug 7 15:27:49 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Aug 8 12:36:42 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=5ad9043c
Introduce the tmpfiles_t domain
The tmpfiles application, as documented in [1], is used to prepare directory
structures in runtime, volatile locations (such as /var/run, /run and
perhaps even /tmp and /var/tmp).
[1] http://www.freedesktop.org/software/systemd/man/tmpfiles.d.html
The need for the tmpfiles application seems to came forward as systemd
service files ("unit files") are not the flexible shell scripts that are
used in init scripts (/etc/rc.d/init.d/* files). Whereas these init scripts
usually did the preparation of runtime directories, the systemd service
scripts do not (well, beyond the RuntimeDirectory= directive, that is).
Instead, services are required to create a tmpfiles configuration file
inside one of the following locations, informing the tmpfiles application to
create directories and files as needed:
(a.) /usr/lib/tmpfiles.d/ (*.conf) for packaged services (default settings)
(b.) /run/tmpfiles.d/ (*.conf) for dynamically generated overrides of (a.)
(c.) /etc/tmpfiles.d/ (*.conf) for local system administration overrides
of (a.) and (b.)
These files declare what action to perform on a specific location (such as
create a directory) and which ownership to apply (similar to the install(1)
application it seems).
Both in systemd as well as OpenRC the tmpfiles application is SELinux-aware,
(re)setting the context of the target.
Signed-off-by: Jason Zaman <jason <AT> perfinion.com>
---
policy/modules/system/tmpfiles.fc | 7 ++
policy/modules/system/tmpfiles.if | 161 ++++++++++++++++++++++++++++++++++++++
policy/modules/system/tmpfiles.te | 99 +++++++++++++++++++++++
3 files changed, 267 insertions(+)
diff --git a/policy/modules/system/tmpfiles.fc b/policy/modules/system/tmpfiles.fc
new file mode 100644
index 0000000..12fd30a
--- /dev/null
+++ b/policy/modules/system/tmpfiles.fc
@@ -0,0 +1,7 @@
+
+/etc/tmpfiles.d(/.*)? gen_context(system_u:object_r:tmpfiles_conf_t,s0)
+/var/run/tmpfiles.d(/.*)? gen_context(system_u:object_r:tmpfiles_var_run_t,s0)
+
+/lib/rc/bin/checkpath -- gen_context(system_u:object_r:tmpfiles_exec_t,s0)
+/lib/rc/sh/tmpfiles.sh -- gen_context(system_u:object_r:tmpfiles_exec_t,s0)
+
diff --git a/policy/modules/system/tmpfiles.if b/policy/modules/system/tmpfiles.if
new file mode 100644
index 0000000..09897fc
--- /dev/null
+++ b/policy/modules/system/tmpfiles.if
@@ -0,0 +1,161 @@
+## <summary>Policy for tmpfiles, a boot-time temporary file handler</summary>
+
+########################################
+## <summary>
+## Read resources in /run/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`tmpfiles_read_var_run',`
+ gen_require(`
+ type tmpfiles_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 tmpfiles_var_run_t:dir list_dir_perms;
+ allow $1 tmpfiles_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Create files in /run/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tmpfiles_create_var_run_files',`
+ gen_require(`
+ type tmpfiles_var_run_t;
+ ')
+
+ create_files_pattern($1, tmpfiles_var_run_t, tmpfiles_var_run_t)
+
+ tmpfiles_read_var_run($1)
+')
+
+########################################
+## <summary>
+## Write to files in /run/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tmpfiles_write_var_run_files',`
+ gen_require(`
+ type tmpfiles_var_run_t;
+ ')
+
+ write_files_pattern($1, tmpfiles_var_run_t, tmpfiles_var_run_t)
+
+ tmpfiles_read_var_run($1)
+')
+
+########################################
+## <summary>
+## Manage files in /run/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tmpfiles_manage_var_run_files',`
+ gen_require(`
+ type tmpfiles_var_run_t;
+ ')
+
+ tmpfiles_read_var_run($1)
+
+ manage_files_pattern($1, tmpfiles_var_run_t, tmpfiles_var_run_t)
+')
+
+########################################
+## <summary>
+## Read files in /etc/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`tmpfiles_read_conf',`
+ gen_require(`
+ type tmpfiles_conf_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 tmpfiles_conf_t:dir list_dir_perms;
+ allow $1 tmpfiles_conf_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Create files in /etc/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tmpfiles_create_conf_files',`
+ gen_require(`
+ type tmpfiles_conf_t;
+ ')
+
+ create_files_pattern($1, tmpfiles_conf_t, tmpfiles_conf_t)
+
+ tmpfiles_read_conf($1)
+')
+
+########################################
+## <summary>
+## Write to files in /etc/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tmpfiles_write_conf_files',`
+ gen_require(`
+ type tmpfiles_conf_t;
+ ')
+
+ write_files_pattern($1, tmpfiles_conf_t, tmpfiles_conf_t)
+
+ tmpfiles_read_conf($1)
+')
+
+########################################
+## <summary>
+## Manage files in /etc/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`tmpfiles_manage_conf_files',`
+ gen_require(`
+ type tmpfiles_conf_t;
+ ')
+
+ manage_files_pattern($1, tmpfiles_conf_t, tmpfiles_conf_t)
+
+ tmpfiles_read_conf($1)
+')
diff --git a/policy/modules/system/tmpfiles.te b/policy/modules/system/tmpfiles.te
new file mode 100644
index 0000000..37c957e
--- /dev/null
+++ b/policy/modules/system/tmpfiles.te
@@ -0,0 +1,99 @@
+policy_module(tmpfiles, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether tmpfiles can manage
+## all non-security sensitive resources.
+## Without this, it is only allowed rights towards
+## /run, /tmp, /dev and /var/lock.
+## </p>
+## </desc>
+gen_tunable(tmpfiles_manage_all_non_security, false)
+
+type tmpfiles_t;
+type tmpfiles_exec_t;
+init_daemon_domain(tmpfiles_t, tmpfiles_exec_t)
+
+type tmpfiles_conf_t;
+files_config_file(tmpfiles_conf_t)
+
+type tmpfiles_var_run_t;
+files_pid_file(tmpfiles_var_run_t)
+
+
+########################################
+#
+# Local policy
+#
+
+allow tmpfiles_t self:capability { mknod chown fowner fsetid };
+allow tmpfiles_t self:process getsched;
+allow tmpfiles_t self:fifo_file rw_fifo_file_perms;
+allow tmpfiles_t self:unix_dgram_socket create_socket_perms;
+
+allow tmpfiles_t tmpfiles_exec_t:file execute_no_trans;
+
+list_dirs_pattern(tmpfiles_t, tmpfiles_conf_t, tmpfiles_conf_t)
+read_files_pattern(tmpfiles_t, tmpfiles_conf_t, tmpfiles_conf_t)
+
+manage_files_pattern(tmpfiles_t, tmpfiles_var_run_t, tmpfiles_var_run_t)
+manage_dirs_pattern(tmpfiles_t, tmpfiles_var_run_t, tmpfiles_var_run_t)
+
+corecmd_exec_bin(tmpfiles_t)
+corecmd_exec_shell(tmpfiles_t)
+
+dev_create_all_blk_files(tmpfiles_t)
+dev_create_all_chr_files(tmpfiles_t)
+dev_getattr_all_blk_files(tmpfiles_t)
+dev_getattr_generic_blk_files(tmpfiles_t)
+dev_getattr_generic_chr_files(tmpfiles_t)
+dev_relabel_all_dev_nodes(tmpfiles_t)
+dev_relabel_generic_dev_dirs(tmpfiles_t)
+dev_relabelfrom_generic_chr_files(tmpfiles_t)
+dev_setattr_all_chr_files(tmpfiles_t)
+dev_setattr_generic_dirs(tmpfiles_t)
+
+files_manage_all_pids(tmpfiles_t)
+files_manage_generic_locks(tmpfiles_t)
+files_manage_generic_tmp_dirs(tmpfiles_t)
+files_manage_generic_tmp_files(tmpfiles_t)
+files_manage_var_dirs(tmpfiles_t)
+files_manage_var_files(tmpfiles_t)
+files_relabel_all_lock_dirs(tmpfiles_t)
+files_relabel_all_pidfiles(tmpfiles_t)
+files_relabel_all_tmp_dirs(tmpfiles_t)
+files_relabel_all_tmp_files(tmpfiles_t)
+files_setattr_all_tmp_dirs(tmpfiles_t)
+files_setattr_lock_dirs(tmpfiles_t)
+files_setattr_pid_dirs(tmpfiles_t)
+
+fs_getattr_all_fs(tmpfiles_t)
+fs_getattr_tmpfs_dirs(tmpfiles_t)
+fs_manage_cgroup_files(tmpfiles_t)
+
+selinux_get_enforce_mode(tmpfiles_t)
+
+auth_use_nsswitch(tmpfiles_t)
+
+init_exec_rc(tmpfiles_t)
+
+miscfiles_read_localization(tmpfiles_t)
+
+seutil_exec_setfiles(tmpfiles_t)
+seutil_libselinux_linked(tmpfiles_t)
+seutil_read_file_contexts(tmpfiles_t)
+
+ifdef(`distro_gentoo',`
+ dev_create_generic_dirs(tmpfiles_t)
+')
+
+tunable_policy(`tmpfiles_manage_all_non_security',`
+ files_manage_non_security_dirs(tmpfiles_t)
+ files_manage_all_non_security_file_types(tmpfiles_t)
+ files_relabel_all_non_security_file_types(tmpfiles_t)
+')
next reply other threads:[~2014-08-08 12:36 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-08-08 12:36 Sven Vermeulen [this message]
-- strict thread matches above, loose matches on Subject: below --
2014-08-09 11:57 [gentoo-commits] proj/hardened-refpolicy:testing commit in: policy/modules/system/ Jason Zaman
2014-08-09 11:57 Jason Zaman
2014-08-09 11:56 Jason Zaman
2014-08-08 15:27 [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
2014-08-08 14:49 ` [gentoo-commits] proj/hardened-refpolicy:testing " Sven Vermeulen
2014-08-08 15:27 [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
2014-08-08 14:49 ` [gentoo-commits] proj/hardened-refpolicy:testing " Sven Vermeulen
2014-08-08 14:49 Sven Vermeulen
2014-08-08 12:36 Sven Vermeulen
2014-08-08 11:24 Sven Vermeulen
2014-08-08 11:24 Sven Vermeulen
2014-08-08 8:50 Sven Vermeulen
2014-08-08 8:50 Sven Vermeulen
2014-08-07 12:41 Sven Vermeulen
2014-08-07 12:41 Sven Vermeulen
2014-08-07 8:29 Sven Vermeulen
2014-08-07 8:29 Sven Vermeulen
2014-08-07 8:06 [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
2014-08-06 18:13 ` [gentoo-commits] proj/hardened-refpolicy:testing " Sven Vermeulen
2014-08-06 9:19 Sven Vermeulen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1407501402.5ad9043cff0a3495ee357ee3c9b8f2ef50f2d15a.swift@gentoo \
--to=swift@gentoo.org \
--cc=gentoo-commits@lists.gentoo.org \
--cc=gentoo-dev@lists.gentoo.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox