public inbox for gentoo-commits@lists.gentoo.org
 help / color / mirror / Atom feed
* [gentoo-commits] proj/hardened-refpolicy:testing commit in: policy/modules/system/
@ 2014-08-06  9:19 Sven Vermeulen
  0 siblings, 0 replies; 18+ messages in thread
From: Sven Vermeulen @ 2014-08-06  9:19 UTC (permalink / raw
  To: gentoo-commits

commit:     13028888c98455c718f3706b38a2801c7b76b465
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Aug  6 09:17:15 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Aug  6 09:17:15 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=13028888

Make SELinux configuration a security file type

The SELinux configuration should be considered a security-sensitive
configuration type and as such should not be made part of the
system-wide accesses towards regular files (non_auth/non_security).

---
 policy/modules/system/selinuxutil.te | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 48566a4..4d6f5d9 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -28,7 +28,7 @@ roleattribute system_r semanage_roles;
 # in the domain_type interface
 # (fix dup decl)
 type selinux_config_t;
-files_type(selinux_config_t)
+files_security_file(selinux_config_t)
 
 type checkpolicy_t, can_write_binary_policy;
 type checkpolicy_exec_t;
@@ -40,14 +40,14 @@ role system_r types checkpolicy_t;
 # /etc/selinux/*/contexts/*
 #
 type default_context_t;
-files_type(default_context_t)
+files_security_file(default_context_t)
 
 #
 # file_context_t is the type applied to
 # /etc/selinux/*/contexts/files
 #
 type file_context_t;
-files_type(file_context_t)
+files_security_file(file_context_t)
 
 type load_policy_t;
 type load_policy_exec_t;
@@ -67,7 +67,7 @@ role newrole_roles types newrole_t;
 # the security server policy configuration.
 #
 type policy_config_t;
-files_type(policy_config_t)
+files_security_file(policy_config_t)
 
 neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto;
 #neverallow ~can_write_binary_policy policy_config_t:file { write append };


^ permalink raw reply related	[flat|nested] 18+ messages in thread

* [gentoo-commits] proj/hardened-refpolicy:testing commit in: policy/modules/system/
  2014-08-07  8:06 [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
@ 2014-08-06 18:13 ` Sven Vermeulen
  0 siblings, 0 replies; 18+ messages in thread
From: Sven Vermeulen @ 2014-08-06 18:13 UTC (permalink / raw
  To: gentoo-commits

commit:     3b742fca07833a9b5f5f1d4f2566593f90f6b22f
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Aug  6 09:17:15 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Aug  6 18:08:37 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=3b742fca

Make SELinux configuration a security file type

The SELinux configuration should be considered a security-sensitive
configuration type and as such should not be made part of the
system-wide accesses towards regular files (non_auth/non_security).

---
 policy/modules/system/selinuxutil.te | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 48566a4..4d6f5d9 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -28,7 +28,7 @@ roleattribute system_r semanage_roles;
 # in the domain_type interface
 # (fix dup decl)
 type selinux_config_t;
-files_type(selinux_config_t)
+files_security_file(selinux_config_t)
 
 type checkpolicy_t, can_write_binary_policy;
 type checkpolicy_exec_t;
@@ -40,14 +40,14 @@ role system_r types checkpolicy_t;
 # /etc/selinux/*/contexts/*
 #
 type default_context_t;
-files_type(default_context_t)
+files_security_file(default_context_t)
 
 #
 # file_context_t is the type applied to
 # /etc/selinux/*/contexts/files
 #
 type file_context_t;
-files_type(file_context_t)
+files_security_file(file_context_t)
 
 type load_policy_t;
 type load_policy_exec_t;
@@ -67,7 +67,7 @@ role newrole_roles types newrole_t;
 # the security server policy configuration.
 #
 type policy_config_t;
-files_type(policy_config_t)
+files_security_file(policy_config_t)
 
 neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto;
 #neverallow ~can_write_binary_policy policy_config_t:file { write append };


^ permalink raw reply related	[flat|nested] 18+ messages in thread

* [gentoo-commits] proj/hardened-refpolicy:testing commit in: policy/modules/system/
@ 2014-08-07  8:29 Sven Vermeulen
  0 siblings, 0 replies; 18+ messages in thread
From: Sven Vermeulen @ 2014-08-07  8:29 UTC (permalink / raw
  To: gentoo-commits

commit:     42a94ad73b4ac25e9d6d8298f70e77e36d3acade
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Aug  7 07:26:28 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Aug  7 07:26:28 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=42a94ad7

modutils: give kmod access to tmpfiles

---
 policy/modules/system/modutils.te | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index f52e72a..91147fe 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -243,6 +243,11 @@ optional_policy(`
 	xserver_getattr_log(insmod_t)
 ')
 
+optional_policy(`
+	tmpfiles_create_var_run(insmod_t)
+	tmpfiles_write_var_run(insmod_t)
+')
+
 #################################
 #
 # update-modules local policy


^ permalink raw reply related	[flat|nested] 18+ messages in thread

* [gentoo-commits] proj/hardened-refpolicy:testing commit in: policy/modules/system/
@ 2014-08-07  8:29 Sven Vermeulen
  0 siblings, 0 replies; 18+ messages in thread
From: Sven Vermeulen @ 2014-08-07  8:29 UTC (permalink / raw
  To: gentoo-commits

commit:     17ca057ac3505f29f480bddba7f54e48dccb875b
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Aug  6 12:22:19 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Aug  7 06:58:27 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=17ca057a

Module for tmpfiles

---
 policy/modules/system/tmpfiles.fc |   7 ++
 policy/modules/system/tmpfiles.if | 164 ++++++++++++++++++++++++++++++++++++++
 policy/modules/system/tmpfiles.te |  91 +++++++++++++++++++++
 3 files changed, 262 insertions(+)

diff --git a/policy/modules/system/tmpfiles.fc b/policy/modules/system/tmpfiles.fc
new file mode 100644
index 0000000..12fd30a
--- /dev/null
+++ b/policy/modules/system/tmpfiles.fc
@@ -0,0 +1,7 @@
+
+/etc/tmpfiles.d(/.*)?				gen_context(system_u:object_r:tmpfiles_conf_t,s0)
+/var/run/tmpfiles.d(/.*)?			gen_context(system_u:object_r:tmpfiles_var_run_t,s0)
+
+/lib/rc/bin/checkpath			--	gen_context(system_u:object_r:tmpfiles_exec_t,s0)
+/lib/rc/sh/tmpfiles.sh			--	gen_context(system_u:object_r:tmpfiles_exec_t,s0)
+

diff --git a/policy/modules/system/tmpfiles.if b/policy/modules/system/tmpfiles.if
new file mode 100644
index 0000000..dce932a
--- /dev/null
+++ b/policy/modules/system/tmpfiles.if
@@ -0,0 +1,164 @@
+## <summary>Policy for tmpfiles</summary>
+
+########################################
+## <summary>
+##	Read files in /run/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`tmpfiles_read_var_run',`
+	gen_require(`
+		type tmpfiles_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 tmpfiles_var_run_t:dir list_dir_perms;
+	allow $1 tmpfiles_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##	Create files in /run/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`tmpfiles_create_var_run',`
+	gen_require(`
+		type tmpfiles_var_run_t;
+	')
+
+	tmpfiles_read_var_run($1)
+
+	# create new files with the tmpfiles_var_run_t type
+	filetrans_pattern($1, tmpfiles_var_run_t, tmpfiles_var_run_t, file)
+	create_files_pattern($1, tmpfiles_var_run_t, tmpfiles_var_run_t)
+')
+
+########################################
+## <summary>
+##	Write to files in /run/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`tmpfiles_write_var_run',`
+	gen_require(`
+		type tmpfiles_var_run_t;
+	')
+
+	tmpfiles_read_var_run($1)
+	write_files_pattern($1, tmpfiles_var_run_t, tmpfiles_var_run_t)
+')
+
+########################################
+## <summary>
+##	Manage files in /run/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`tmpfiles_manage_var_run',`
+	gen_require(`
+		type tmpfiles_var_run_t;
+	')
+
+	tmpfiles_read_var_run($1)
+
+	# create new files with the tmpfiles_var_run_t type
+	filetrans_pattern($1, tmpfiles_var_run_t, tmpfiles_var_run_t, file)
+	manage_files_pattern($1, tmpfiles_var_run_t, tmpfiles_var_run_t)
+')
+
+########################################
+## <summary>
+##	Read files in /etc/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`tmpfiles_read_conf',`
+	gen_require(`
+		type tmpfiles_conf_t;
+	')
+
+	files_search_etc($1)
+	allow $1 tmpfiles_conf_t:dir list_dir_perms;
+	allow $1 tmpfiles_conf_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##	Create files in /etc/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`tmpfiles_create_conf',`
+	gen_require(`
+		type tmpfiles_conf_t;
+	')
+
+	tmpfiles_read_conf($1)
+	filetrans_pattern($1, tmpfiles_conf_t, tmpfiles_conf_t, file)
+	create_files_pattern($1, tmpfiles_conf_t, tmpfiles_conf_t)
+')
+
+########################################
+## <summary>
+##	Write to files in /etc/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`tmpfiles_write_conf',`
+	gen_require(`
+		type tmpfiles_conf_t;
+	')
+
+	tmpfiles_read_conf($1)
+	write_files_pattern($1, tmpfiles_conf_t, tmpfiles_conf_t)
+')
+
+########################################
+## <summary>
+##	Manage files in /etc/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`tmpfiles_manage_conf',`
+	gen_require(`
+		type tmpfiles_conf_t;
+	')
+
+	tmpfiles_read_conf($1)
+	filetrans_pattern($1, tmpfiles_conf_t, tmpfiles_conf_t, file)
+	manage_files_pattern($1, tmpfiles_conf_t, tmpfiles_conf_t)
+')
+

diff --git a/policy/modules/system/tmpfiles.te b/policy/modules/system/tmpfiles.te
new file mode 100644
index 0000000..11fb70b
--- /dev/null
+++ b/policy/modules/system/tmpfiles.te
@@ -0,0 +1,91 @@
+policy_module(tmpfiles, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+##      <p>
+##      Determine whether tmpfiles can manage
+##      all non auth and non security files.
+##	Without this, it is only allowed things
+##	in /dev, /run, /var and /tmp.
+##      </p>
+## </desc>
+gen_tunable(tmpfiles_manage_all, false)
+
+
+type tmpfiles_t;
+type tmpfiles_exec_t;
+init_daemon_domain(tmpfiles_t, tmpfiles_exec_t)
+
+type tmpfiles_conf_t;
+files_config_file(tmpfiles_conf_t)
+
+type tmpfiles_var_run_t;
+files_pid_file(tmpfiles_var_run_t)
+
+
+########################################
+#
+# Local policy
+#
+
+init_exec_rc(tmpfiles_t)
+corecmd_exec_shell(tmpfiles_t)
+corecmd_exec_bin(tmpfiles_t)
+allow tmpfiles_t self:process getsched;
+allow tmpfiles_t self:fifo_file rw_fifo_file_perms;
+
+# needs to check if selinux is enabled
+seutil_libselinux_linked(tmpfiles_t)
+selinux_get_enforce_mode(tmpfiles_t)
+
+# creates files / dirs
+allow tmpfiles_t self:capability { mknod chown fowner fsetid };
+allow tmpfiles_t self:unix_dgram_socket create_socket_perms;
+files_manage_var_dirs(tmpfiles_t)
+files_manage_var_files(tmpfiles_t)
+files_manage_generic_tmp_dirs(tmpfiles_t)
+files_manage_generic_tmp_files(tmpfiles_t)
+files_manage_all_pids(tmpfiles_t)
+dev_create_generic_chr_files(tmpfiles_t)
+dev_create_all_chr_files(tmpfiles_t)
+
+tunable_policy(`tmpfiles_manage_all',`
+	files_manage_non_security_dirs(tmpfiles_t)
+	files_manage_non_security_file_type(tmpfiles_t)
+	#files_manage_non_auth_files(tmpfiles_t)
+')
+
+# relabel / chmod files
+seutil_read_file_contexts(tmpfiles_t)
+seutil_domtrans_setfiles(tmpfiles_t)
+
+dev_getattr_generic_chr_files(tmpfiles_t)
+dev_getattr_all_chr_files(tmpfiles_t)
+dev_getattr_generic_blk_files(tmpfiles_t)
+dev_getattr_all_blk_files(tmpfiles_t)
+files_getattr_tmp_dirs(tmpfiles_t)
+files_getattr_generic_locks(tmpfiles_t)
+
+dev_setattr_generic_dirs(tmpfiles_t)
+dev_setattr_generic_chr_files(tmpfiles_t)
+dev_setattr_all_chr_files(tmpfiles_t)
+dev_setattr_all_blk_files(tmpfiles_t)
+files_setattr_all_tmp_dirs(tmpfiles_t)
+files_setattr_lock_dirs(tmpfiles_t)
+files_setattr_pid_dirs(tmpfiles_t)
+
+dev_relabel_generic_dev_dirs(tmpfiles_t)
+dev_relabelfrom_generic_chr_files(tmpfiles_t)
+files_relabel_all_tmp_dirs(tmpfiles_t)
+files_relabel_all_tmp_files(tmpfiles_t)
+files_relabel_all_lock_dirs(tmpfiles_t)
+
+tunable_policy(`tmpfiles_manage_all',`
+	dev_relabel_all_dev_nodes(tmpfiles_t)
+	files_relabel_non_auth_files(tmpfiles_t)
+')
+


^ permalink raw reply related	[flat|nested] 18+ messages in thread

* [gentoo-commits] proj/hardened-refpolicy:testing commit in: policy/modules/system/
@ 2014-08-07 12:41 Sven Vermeulen
  0 siblings, 0 replies; 18+ messages in thread
From: Sven Vermeulen @ 2014-08-07 12:41 UTC (permalink / raw
  To: gentoo-commits

commit:     ff4fd7dab886637da1e941f826ffad73a356d342
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Aug  7 07:26:28 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Aug  7 12:34:53 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=ff4fd7da

modutils: give kmod access to tmpfiles

---
 policy/modules/system/modutils.te | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index f52e72a..91147fe 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -243,6 +243,11 @@ optional_policy(`
 	xserver_getattr_log(insmod_t)
 ')
 
+optional_policy(`
+	tmpfiles_create_var_run(insmod_t)
+	tmpfiles_write_var_run(insmod_t)
+')
+
 #################################
 #
 # update-modules local policy


^ permalink raw reply related	[flat|nested] 18+ messages in thread

* [gentoo-commits] proj/hardened-refpolicy:testing commit in: policy/modules/system/
@ 2014-08-07 12:41 Sven Vermeulen
  0 siblings, 0 replies; 18+ messages in thread
From: Sven Vermeulen @ 2014-08-07 12:41 UTC (permalink / raw
  To: gentoo-commits

commit:     8998df08a5f909c315e8b469e92b372e5bcc4331
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Aug  6 12:22:19 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Aug  7 12:34:47 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=8998df08

Module for tmpfiles

---
 policy/modules/system/tmpfiles.fc |   7 ++
 policy/modules/system/tmpfiles.if | 164 ++++++++++++++++++++++++++++++++++++++
 policy/modules/system/tmpfiles.te |  91 +++++++++++++++++++++
 3 files changed, 262 insertions(+)

diff --git a/policy/modules/system/tmpfiles.fc b/policy/modules/system/tmpfiles.fc
new file mode 100644
index 0000000..12fd30a
--- /dev/null
+++ b/policy/modules/system/tmpfiles.fc
@@ -0,0 +1,7 @@
+
+/etc/tmpfiles.d(/.*)?				gen_context(system_u:object_r:tmpfiles_conf_t,s0)
+/var/run/tmpfiles.d(/.*)?			gen_context(system_u:object_r:tmpfiles_var_run_t,s0)
+
+/lib/rc/bin/checkpath			--	gen_context(system_u:object_r:tmpfiles_exec_t,s0)
+/lib/rc/sh/tmpfiles.sh			--	gen_context(system_u:object_r:tmpfiles_exec_t,s0)
+

diff --git a/policy/modules/system/tmpfiles.if b/policy/modules/system/tmpfiles.if
new file mode 100644
index 0000000..dce932a
--- /dev/null
+++ b/policy/modules/system/tmpfiles.if
@@ -0,0 +1,164 @@
+## <summary>Policy for tmpfiles</summary>
+
+########################################
+## <summary>
+##	Read files in /run/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`tmpfiles_read_var_run',`
+	gen_require(`
+		type tmpfiles_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 tmpfiles_var_run_t:dir list_dir_perms;
+	allow $1 tmpfiles_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##	Create files in /run/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`tmpfiles_create_var_run',`
+	gen_require(`
+		type tmpfiles_var_run_t;
+	')
+
+	tmpfiles_read_var_run($1)
+
+	# create new files with the tmpfiles_var_run_t type
+	filetrans_pattern($1, tmpfiles_var_run_t, tmpfiles_var_run_t, file)
+	create_files_pattern($1, tmpfiles_var_run_t, tmpfiles_var_run_t)
+')
+
+########################################
+## <summary>
+##	Write to files in /run/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`tmpfiles_write_var_run',`
+	gen_require(`
+		type tmpfiles_var_run_t;
+	')
+
+	tmpfiles_read_var_run($1)
+	write_files_pattern($1, tmpfiles_var_run_t, tmpfiles_var_run_t)
+')
+
+########################################
+## <summary>
+##	Manage files in /run/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`tmpfiles_manage_var_run',`
+	gen_require(`
+		type tmpfiles_var_run_t;
+	')
+
+	tmpfiles_read_var_run($1)
+
+	# create new files with the tmpfiles_var_run_t type
+	filetrans_pattern($1, tmpfiles_var_run_t, tmpfiles_var_run_t, file)
+	manage_files_pattern($1, tmpfiles_var_run_t, tmpfiles_var_run_t)
+')
+
+########################################
+## <summary>
+##	Read files in /etc/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`tmpfiles_read_conf',`
+	gen_require(`
+		type tmpfiles_conf_t;
+	')
+
+	files_search_etc($1)
+	allow $1 tmpfiles_conf_t:dir list_dir_perms;
+	allow $1 tmpfiles_conf_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##	Create files in /etc/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`tmpfiles_create_conf',`
+	gen_require(`
+		type tmpfiles_conf_t;
+	')
+
+	tmpfiles_read_conf($1)
+	filetrans_pattern($1, tmpfiles_conf_t, tmpfiles_conf_t, file)
+	create_files_pattern($1, tmpfiles_conf_t, tmpfiles_conf_t)
+')
+
+########################################
+## <summary>
+##	Write to files in /etc/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`tmpfiles_write_conf',`
+	gen_require(`
+		type tmpfiles_conf_t;
+	')
+
+	tmpfiles_read_conf($1)
+	write_files_pattern($1, tmpfiles_conf_t, tmpfiles_conf_t)
+')
+
+########################################
+## <summary>
+##	Manage files in /etc/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`tmpfiles_manage_conf',`
+	gen_require(`
+		type tmpfiles_conf_t;
+	')
+
+	tmpfiles_read_conf($1)
+	filetrans_pattern($1, tmpfiles_conf_t, tmpfiles_conf_t, file)
+	manage_files_pattern($1, tmpfiles_conf_t, tmpfiles_conf_t)
+')
+

diff --git a/policy/modules/system/tmpfiles.te b/policy/modules/system/tmpfiles.te
new file mode 100644
index 0000000..1dc9bff
--- /dev/null
+++ b/policy/modules/system/tmpfiles.te
@@ -0,0 +1,91 @@
+policy_module(tmpfiles, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+##      <p>
+##      Determine whether tmpfiles can manage
+##      all non auth and non security files.
+##	Without this, it is only allowed things
+##	in /dev, /run, /var and /tmp.
+##      </p>
+## </desc>
+gen_tunable(tmpfiles_manage_all_non_security, false)
+
+
+type tmpfiles_t;
+type tmpfiles_exec_t;
+init_daemon_domain(tmpfiles_t, tmpfiles_exec_t)
+
+type tmpfiles_conf_t;
+files_config_file(tmpfiles_conf_t)
+
+type tmpfiles_var_run_t;
+files_pid_file(tmpfiles_var_run_t)
+
+
+########################################
+#
+# Local policy
+#
+
+init_exec_rc(tmpfiles_t)
+corecmd_exec_shell(tmpfiles_t)
+corecmd_exec_bin(tmpfiles_t)
+allow tmpfiles_t self:process getsched;
+allow tmpfiles_t self:fifo_file rw_fifo_file_perms;
+
+# needs to check if selinux is enabled
+seutil_libselinux_linked(tmpfiles_t)
+selinux_get_enforce_mode(tmpfiles_t)
+
+# creates files / dirs
+allow tmpfiles_t self:capability { mknod chown fowner fsetid };
+allow tmpfiles_t self:unix_dgram_socket create_socket_perms;
+files_manage_var_dirs(tmpfiles_t)
+files_manage_var_files(tmpfiles_t)
+files_manage_generic_tmp_dirs(tmpfiles_t)
+files_manage_generic_tmp_files(tmpfiles_t)
+files_manage_all_pids(tmpfiles_t)
+dev_create_generic_chr_files(tmpfiles_t)
+dev_create_all_chr_files(tmpfiles_t)
+
+tunable_policy(`tmpfiles_manage_all_non_security',`
+	files_manage_non_security_dirs(tmpfiles_t)
+	files_manage_non_security_file_type(tmpfiles_t)
+')
+
+# relabel / chmod files
+seutil_read_file_contexts(tmpfiles_t)
+seutil_domtrans_setfiles(tmpfiles_t)
+
+dev_getattr_generic_chr_files(tmpfiles_t)
+dev_getattr_all_chr_files(tmpfiles_t)
+dev_getattr_generic_blk_files(tmpfiles_t)
+dev_getattr_all_blk_files(tmpfiles_t)
+files_getattr_tmp_dirs(tmpfiles_t)
+files_getattr_generic_locks(tmpfiles_t)
+
+dev_setattr_generic_dirs(tmpfiles_t)
+dev_setattr_generic_chr_files(tmpfiles_t)
+dev_setattr_all_chr_files(tmpfiles_t)
+dev_setattr_all_blk_files(tmpfiles_t)
+files_setattr_all_tmp_dirs(tmpfiles_t)
+files_setattr_lock_dirs(tmpfiles_t)
+files_setattr_pid_dirs(tmpfiles_t)
+
+dev_relabel_generic_dev_dirs(tmpfiles_t)
+dev_relabelfrom_generic_chr_files(tmpfiles_t)
+files_relabel_all_tmp_dirs(tmpfiles_t)
+files_relabel_all_tmp_files(tmpfiles_t)
+files_relabel_all_lock_dirs(tmpfiles_t)
+files_relabel_all_pids(tmpfiles_t)
+
+tunable_policy(`tmpfiles_manage_all_non_security',`
+	dev_relabel_all_dev_nodes(tmpfiles_t)
+	files_relabel_non_security_file_type(tmpfiles_t)
+')
+


^ permalink raw reply related	[flat|nested] 18+ messages in thread

* [gentoo-commits] proj/hardened-refpolicy:testing commit in: policy/modules/system/
@ 2014-08-08  8:50 Sven Vermeulen
  0 siblings, 0 replies; 18+ messages in thread
From: Sven Vermeulen @ 2014-08-08  8:50 UTC (permalink / raw
  To: gentoo-commits

commit:     6cda444fb573daa75c0e56b67aa2705e5fdb9cff
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Aug  7 15:31:11 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Aug  8 08:50:27 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=6cda444f

Give kmod access to tmpfiles

Upon boot, the kmod application (running as insmod_t) can generate a
tmpfiles configuration file to allow tmpfiles to relabel and set the
required static device nodes for the kernel:

kmod static-nodes --format=tmpfiles --output=/run/tmpfiles.d/kmod.conf

This requires the insmod_t domain to have create/write privileges
towards the /run/tmpfiles.d location.

Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

---
 policy/modules/system/modutils.te | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index f52e72a..419b826 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -232,6 +232,11 @@ optional_policy(`
 ')
 
 optional_policy(`
+	tmpfiles_create_var_run_files(insmod_t)
+	tmpfiles_write_var_run_files(insmod_t)
+')
+
+optional_policy(`
 	unconfined_domain(insmod_t)
 	unconfined_dontaudit_rw_pipes(insmod_t)
 ')


^ permalink raw reply related	[flat|nested] 18+ messages in thread

* [gentoo-commits] proj/hardened-refpolicy:testing commit in: policy/modules/system/
@ 2014-08-08  8:50 Sven Vermeulen
  0 siblings, 0 replies; 18+ messages in thread
From: Sven Vermeulen @ 2014-08-08  8:50 UTC (permalink / raw
  To: gentoo-commits

commit:     5f4ec4935ac4cec8774bbeee4ff40ee42ce1d4b4
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Aug  7 15:27:49 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Aug  8 08:50:06 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=5f4ec493

Introduce the tmpfiles_t domain

The tmpfiles application, as documented in [1], is used to prepare directory
structures in runtime, volatile locations (such as /var/run, /run and
perhaps even /tmp and /var/tmp).

[1] http://www.freedesktop.org/software/systemd/man/tmpfiles.d.html

The need for the tmpfiles application seems to came forward as systemd
service files ("unit files") are not the flexible shell scripts that are
used in init scripts (/etc/rc.d/init.d/* files). Whereas these init scripts
usually did the preparation of runtime directories, the systemd service
scripts do not (well, beyond the RuntimeDirectory= directive, that is).

Instead, services are required to create a tmpfiles configuration file
inside one of the following locations, informing the tmpfiles application to
create directories and files as needed:

(a.) /usr/lib/tmpfiles.d/ (*.conf) for packaged services (default settings)
(b.) /run/tmpfiles.d/ (*.conf) for dynamically generated overrides of (a.)
(c.) /etc/tmpfiles.d/ (*.conf) for local system administration overrides
     of (a.) and (b.)

These files declare what action to perform on a specific location (such as
create a directory) and which ownership to apply (similar to the install(1)
application it seems).

Both in systemd as well as OpenRC the tmpfiles application is SELinux-aware,
(re)setting the context of the target.

Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

---
 policy/modules/system/tmpfiles.fc |   7 ++
 policy/modules/system/tmpfiles.if | 161 ++++++++++++++++++++++++++++++++++++++
 policy/modules/system/tmpfiles.te |  99 +++++++++++++++++++++++
 3 files changed, 267 insertions(+)

diff --git a/policy/modules/system/tmpfiles.fc b/policy/modules/system/tmpfiles.fc
new file mode 100644
index 0000000..12fd30a
--- /dev/null
+++ b/policy/modules/system/tmpfiles.fc
@@ -0,0 +1,7 @@
+
+/etc/tmpfiles.d(/.*)?				gen_context(system_u:object_r:tmpfiles_conf_t,s0)
+/var/run/tmpfiles.d(/.*)?			gen_context(system_u:object_r:tmpfiles_var_run_t,s0)
+
+/lib/rc/bin/checkpath			--	gen_context(system_u:object_r:tmpfiles_exec_t,s0)
+/lib/rc/sh/tmpfiles.sh			--	gen_context(system_u:object_r:tmpfiles_exec_t,s0)
+

diff --git a/policy/modules/system/tmpfiles.if b/policy/modules/system/tmpfiles.if
new file mode 100644
index 0000000..09897fc
--- /dev/null
+++ b/policy/modules/system/tmpfiles.if
@@ -0,0 +1,161 @@
+## <summary>Policy for tmpfiles, a boot-time temporary file handler</summary>
+
+########################################
+## <summary>
+##	Read resources in /run/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`tmpfiles_read_var_run',`
+	gen_require(`
+		type tmpfiles_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 tmpfiles_var_run_t:dir list_dir_perms;
+	allow $1 tmpfiles_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##	Create files in /run/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`tmpfiles_create_var_run_files',`
+	gen_require(`
+		type tmpfiles_var_run_t;
+	')
+
+	create_files_pattern($1, tmpfiles_var_run_t, tmpfiles_var_run_t)
+
+	tmpfiles_read_var_run($1)
+')
+
+########################################
+## <summary>
+##	Write to files in /run/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`tmpfiles_write_var_run_files',`
+	gen_require(`
+		type tmpfiles_var_run_t;
+	')
+
+	write_files_pattern($1, tmpfiles_var_run_t, tmpfiles_var_run_t)
+
+	tmpfiles_read_var_run($1)
+')
+
+########################################
+## <summary>
+##	Manage files in /run/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`tmpfiles_manage_var_run_files',`
+	gen_require(`
+		type tmpfiles_var_run_t;
+	')
+
+	tmpfiles_read_var_run($1)
+
+	manage_files_pattern($1, tmpfiles_var_run_t, tmpfiles_var_run_t)
+')
+
+########################################
+## <summary>
+##	Read files in /etc/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`tmpfiles_read_conf',`
+	gen_require(`
+		type tmpfiles_conf_t;
+	')
+
+	files_search_etc($1)
+	allow $1 tmpfiles_conf_t:dir list_dir_perms;
+	allow $1 tmpfiles_conf_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##	Create files in /etc/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`tmpfiles_create_conf_files',`
+	gen_require(`
+		type tmpfiles_conf_t;
+	')
+
+	create_files_pattern($1, tmpfiles_conf_t, tmpfiles_conf_t)
+
+	tmpfiles_read_conf($1)
+')
+
+########################################
+## <summary>
+##	Write to files in /etc/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`tmpfiles_write_conf_files',`
+	gen_require(`
+		type tmpfiles_conf_t;
+	')
+
+	write_files_pattern($1, tmpfiles_conf_t, tmpfiles_conf_t)
+
+	tmpfiles_read_conf($1)
+')
+
+########################################
+## <summary>
+##	Manage files in /etc/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`tmpfiles_manage_conf_files',`
+	gen_require(`
+		type tmpfiles_conf_t;
+	')
+
+	manage_files_pattern($1, tmpfiles_conf_t, tmpfiles_conf_t)
+
+	tmpfiles_read_conf($1)
+')

diff --git a/policy/modules/system/tmpfiles.te b/policy/modules/system/tmpfiles.te
new file mode 100644
index 0000000..10590f3
--- /dev/null
+++ b/policy/modules/system/tmpfiles.te
@@ -0,0 +1,99 @@
+policy_module(tmpfiles, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+##      <p>
+##      Determine whether tmpfiles can manage
+##      all non-security sensitive resources.
+##	Without this, it is only allowed rights towards
+##	/run, /tmp, /dev and /var/lock.
+##      </p>
+## </desc>
+gen_tunable(tmpfiles_manage_all_non_security, false)
+
+type tmpfiles_t;
+type tmpfiles_exec_t;
+init_daemon_domain(tmpfiles_t, tmpfiles_exec_t)
+
+type tmpfiles_conf_t;
+files_config_file(tmpfiles_conf_t)
+
+type tmpfiles_var_run_t;
+files_pid_file(tmpfiles_var_run_t)
+
+
+########################################
+#
+# Local policy
+#
+
+allow tmpfiles_t self:capability { mknod chown fowner fsetid };
+allow tmpfiles_t self:process getsched;
+allow tmpfiles_t self:fifo_file rw_fifo_file_perms;
+allow tmpfiles_t self:unix_dgram_socket create_socket_perms;
+
+allow tmpfiles_t tmpfiles_exec_t:file execute_no_trans;
+
+list_dirs_pattern(tmpfiles_t, tmpfiles_conf_t, tmpfiles_conf_t)
+read_files_pattern(tmpfiles_t, tmpfiles_conf_t, tmpfiles_conf_t)
+
+manage_files_pattern(tmpfiles_t, tmpfiles_var_run_t, tmpfiles_var_run_t)
+manage_dirs_pattern(tmpfiles_t, tmpfiles_var_run_t, tmpfiles_var_run_t)
+
+corecmd_exec_bin(tmpfiles_t)
+corecmd_exec_shell(tmpfiles_t)
+
+dev_create_all_blk_files(tmpfiles_t)
+dev_create_all_chr_files(tmpfiles_t)
+dev_getattr_all_blk_files(tmpfiles_t)
+dev_getattr_generic_blk_files(tmpfiles_t)
+dev_getattr_generic_chr_files(tmpfiles_t)
+dev_relabel_all_dev_nodes(tmpfiles_t)
+dev_relabel_generic_dev_dirs(tmpfiles_t)
+dev_relabelfrom_generic_chr_files(tmpfiles_t)
+dev_setattr_all_chr_files(tmpfiles_t)
+dev_setattr_generic_dirs(tmpfiles_t)
+
+files_manage_all_pids(tmpfiles_t)
+files_manage_cgroup_files(tmpfiles_t)
+files_manage_generic_locks(tmpfiles_t)
+files_manage_generic_tmp_dirs(tmpfiles_t)
+files_manage_generic_tmp_files(tmpfiles_t)
+files_manage_var_dirs(tmpfiles_t)
+files_manage_var_files(tmpfiles_t)
+files_relabel_all_lock_dirs(tmpfiles_t)
+files_relabel_all_pids(tmpfiles_t)
+files_relabel_all_tmp_dirs(tmpfiles_t)
+files_relabel_all_tmp_files(tmpfiles_t)
+files_setattr_all_tmp_dirs(tmpfiles_t)
+files_setattr_lock_dirs(tmpfiles_t)
+files_setattr_pid_dirs(tmpfiles_t)
+
+fs_getattr_all_fs(tmpfiles_t)
+fs_getattr_tmpfs_dirs(tmpfiles_t)
+
+selinux_get_enforce_mode(tmpfiles_t)
+
+auth_use_nsswitch(tmpfiles_t)
+
+init_exec_rc(tmpfiles_t)
+
+miscfiles_read_localization(tmpfiles_t)
+
+seutil_exec_setfiles(tmpfiles_t)
+seutil_libselinux_linked(tmpfiles_t)
+seutil_read_file_contexts(tmpfiles_t)
+
+ifdef(`distro_gentoo',`
+	dev_create_generic_dirs(tmpfiles_t)
+')
+
+tunable_policy(`tmpfiles_manage_all_non_security',`
+	files_manage_non_security_dirs(tmpfiles_t)
+	files_manage_all_non_security_file_types(tmpfiles_t)
+	files_relabel_all_non_security_file_types(tmpfiles_t)
+')


^ permalink raw reply related	[flat|nested] 18+ messages in thread

* [gentoo-commits] proj/hardened-refpolicy:testing commit in: policy/modules/system/
@ 2014-08-08 11:24 Sven Vermeulen
  0 siblings, 0 replies; 18+ messages in thread
From: Sven Vermeulen @ 2014-08-08 11:24 UTC (permalink / raw
  To: gentoo-commits

commit:     36afd504a7bd1928e99357d14a882209c47870f2
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Aug  7 15:27:49 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Aug  8 11:13:37 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=36afd504

Introduce the tmpfiles_t domain

The tmpfiles application, as documented in [1], is used to prepare directory
structures in runtime, volatile locations (such as /var/run, /run and
perhaps even /tmp and /var/tmp).

[1] http://www.freedesktop.org/software/systemd/man/tmpfiles.d.html

The need for the tmpfiles application seems to came forward as systemd
service files ("unit files") are not the flexible shell scripts that are
used in init scripts (/etc/rc.d/init.d/* files). Whereas these init scripts
usually did the preparation of runtime directories, the systemd service
scripts do not (well, beyond the RuntimeDirectory= directive, that is).

Instead, services are required to create a tmpfiles configuration file
inside one of the following locations, informing the tmpfiles application to
create directories and files as needed:

(a.) /usr/lib/tmpfiles.d/ (*.conf) for packaged services (default settings)
(b.) /run/tmpfiles.d/ (*.conf) for dynamically generated overrides of (a.)
(c.) /etc/tmpfiles.d/ (*.conf) for local system administration overrides
     of (a.) and (b.)

These files declare what action to perform on a specific location (such as
create a directory) and which ownership to apply (similar to the install(1)
application it seems).

Both in systemd as well as OpenRC the tmpfiles application is SELinux-aware,
(re)setting the context of the target.

Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

---
 policy/modules/system/tmpfiles.fc |   7 ++
 policy/modules/system/tmpfiles.if | 161 ++++++++++++++++++++++++++++++++++++++
 policy/modules/system/tmpfiles.te |  99 +++++++++++++++++++++++
 3 files changed, 267 insertions(+)

diff --git a/policy/modules/system/tmpfiles.fc b/policy/modules/system/tmpfiles.fc
new file mode 100644
index 0000000..12fd30a
--- /dev/null
+++ b/policy/modules/system/tmpfiles.fc
@@ -0,0 +1,7 @@
+
+/etc/tmpfiles.d(/.*)?				gen_context(system_u:object_r:tmpfiles_conf_t,s0)
+/var/run/tmpfiles.d(/.*)?			gen_context(system_u:object_r:tmpfiles_var_run_t,s0)
+
+/lib/rc/bin/checkpath			--	gen_context(system_u:object_r:tmpfiles_exec_t,s0)
+/lib/rc/sh/tmpfiles.sh			--	gen_context(system_u:object_r:tmpfiles_exec_t,s0)
+

diff --git a/policy/modules/system/tmpfiles.if b/policy/modules/system/tmpfiles.if
new file mode 100644
index 0000000..09897fc
--- /dev/null
+++ b/policy/modules/system/tmpfiles.if
@@ -0,0 +1,161 @@
+## <summary>Policy for tmpfiles, a boot-time temporary file handler</summary>
+
+########################################
+## <summary>
+##	Read resources in /run/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`tmpfiles_read_var_run',`
+	gen_require(`
+		type tmpfiles_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 tmpfiles_var_run_t:dir list_dir_perms;
+	allow $1 tmpfiles_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##	Create files in /run/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`tmpfiles_create_var_run_files',`
+	gen_require(`
+		type tmpfiles_var_run_t;
+	')
+
+	create_files_pattern($1, tmpfiles_var_run_t, tmpfiles_var_run_t)
+
+	tmpfiles_read_var_run($1)
+')
+
+########################################
+## <summary>
+##	Write to files in /run/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`tmpfiles_write_var_run_files',`
+	gen_require(`
+		type tmpfiles_var_run_t;
+	')
+
+	write_files_pattern($1, tmpfiles_var_run_t, tmpfiles_var_run_t)
+
+	tmpfiles_read_var_run($1)
+')
+
+########################################
+## <summary>
+##	Manage files in /run/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`tmpfiles_manage_var_run_files',`
+	gen_require(`
+		type tmpfiles_var_run_t;
+	')
+
+	tmpfiles_read_var_run($1)
+
+	manage_files_pattern($1, tmpfiles_var_run_t, tmpfiles_var_run_t)
+')
+
+########################################
+## <summary>
+##	Read files in /etc/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`tmpfiles_read_conf',`
+	gen_require(`
+		type tmpfiles_conf_t;
+	')
+
+	files_search_etc($1)
+	allow $1 tmpfiles_conf_t:dir list_dir_perms;
+	allow $1 tmpfiles_conf_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##	Create files in /etc/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`tmpfiles_create_conf_files',`
+	gen_require(`
+		type tmpfiles_conf_t;
+	')
+
+	create_files_pattern($1, tmpfiles_conf_t, tmpfiles_conf_t)
+
+	tmpfiles_read_conf($1)
+')
+
+########################################
+## <summary>
+##	Write to files in /etc/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`tmpfiles_write_conf_files',`
+	gen_require(`
+		type tmpfiles_conf_t;
+	')
+
+	write_files_pattern($1, tmpfiles_conf_t, tmpfiles_conf_t)
+
+	tmpfiles_read_conf($1)
+')
+
+########################################
+## <summary>
+##	Manage files in /etc/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`tmpfiles_manage_conf_files',`
+	gen_require(`
+		type tmpfiles_conf_t;
+	')
+
+	manage_files_pattern($1, tmpfiles_conf_t, tmpfiles_conf_t)
+
+	tmpfiles_read_conf($1)
+')

diff --git a/policy/modules/system/tmpfiles.te b/policy/modules/system/tmpfiles.te
new file mode 100644
index 0000000..37c957e
--- /dev/null
+++ b/policy/modules/system/tmpfiles.te
@@ -0,0 +1,99 @@
+policy_module(tmpfiles, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+##      <p>
+##      Determine whether tmpfiles can manage
+##      all non-security sensitive resources.
+##	Without this, it is only allowed rights towards
+##	/run, /tmp, /dev and /var/lock.
+##      </p>
+## </desc>
+gen_tunable(tmpfiles_manage_all_non_security, false)
+
+type tmpfiles_t;
+type tmpfiles_exec_t;
+init_daemon_domain(tmpfiles_t, tmpfiles_exec_t)
+
+type tmpfiles_conf_t;
+files_config_file(tmpfiles_conf_t)
+
+type tmpfiles_var_run_t;
+files_pid_file(tmpfiles_var_run_t)
+
+
+########################################
+#
+# Local policy
+#
+
+allow tmpfiles_t self:capability { mknod chown fowner fsetid };
+allow tmpfiles_t self:process getsched;
+allow tmpfiles_t self:fifo_file rw_fifo_file_perms;
+allow tmpfiles_t self:unix_dgram_socket create_socket_perms;
+
+allow tmpfiles_t tmpfiles_exec_t:file execute_no_trans;
+
+list_dirs_pattern(tmpfiles_t, tmpfiles_conf_t, tmpfiles_conf_t)
+read_files_pattern(tmpfiles_t, tmpfiles_conf_t, tmpfiles_conf_t)
+
+manage_files_pattern(tmpfiles_t, tmpfiles_var_run_t, tmpfiles_var_run_t)
+manage_dirs_pattern(tmpfiles_t, tmpfiles_var_run_t, tmpfiles_var_run_t)
+
+corecmd_exec_bin(tmpfiles_t)
+corecmd_exec_shell(tmpfiles_t)
+
+dev_create_all_blk_files(tmpfiles_t)
+dev_create_all_chr_files(tmpfiles_t)
+dev_getattr_all_blk_files(tmpfiles_t)
+dev_getattr_generic_blk_files(tmpfiles_t)
+dev_getattr_generic_chr_files(tmpfiles_t)
+dev_relabel_all_dev_nodes(tmpfiles_t)
+dev_relabel_generic_dev_dirs(tmpfiles_t)
+dev_relabelfrom_generic_chr_files(tmpfiles_t)
+dev_setattr_all_chr_files(tmpfiles_t)
+dev_setattr_generic_dirs(tmpfiles_t)
+
+files_manage_all_pids(tmpfiles_t)
+files_manage_generic_locks(tmpfiles_t)
+files_manage_generic_tmp_dirs(tmpfiles_t)
+files_manage_generic_tmp_files(tmpfiles_t)
+files_manage_var_dirs(tmpfiles_t)
+files_manage_var_files(tmpfiles_t)
+files_relabel_all_lock_dirs(tmpfiles_t)
+files_relabel_all_pidfiles(tmpfiles_t)
+files_relabel_all_tmp_dirs(tmpfiles_t)
+files_relabel_all_tmp_files(tmpfiles_t)
+files_setattr_all_tmp_dirs(tmpfiles_t)
+files_setattr_lock_dirs(tmpfiles_t)
+files_setattr_pid_dirs(tmpfiles_t)
+
+fs_getattr_all_fs(tmpfiles_t)
+fs_getattr_tmpfs_dirs(tmpfiles_t)
+fs_manage_cgroup_files(tmpfiles_t)
+
+selinux_get_enforce_mode(tmpfiles_t)
+
+auth_use_nsswitch(tmpfiles_t)
+
+init_exec_rc(tmpfiles_t)
+
+miscfiles_read_localization(tmpfiles_t)
+
+seutil_exec_setfiles(tmpfiles_t)
+seutil_libselinux_linked(tmpfiles_t)
+seutil_read_file_contexts(tmpfiles_t)
+
+ifdef(`distro_gentoo',`
+	dev_create_generic_dirs(tmpfiles_t)
+')
+
+tunable_policy(`tmpfiles_manage_all_non_security',`
+	files_manage_non_security_dirs(tmpfiles_t)
+	files_manage_all_non_security_file_types(tmpfiles_t)
+	files_relabel_all_non_security_file_types(tmpfiles_t)
+')


^ permalink raw reply related	[flat|nested] 18+ messages in thread

* [gentoo-commits] proj/hardened-refpolicy:testing commit in: policy/modules/system/
@ 2014-08-08 11:24 Sven Vermeulen
  0 siblings, 0 replies; 18+ messages in thread
From: Sven Vermeulen @ 2014-08-08 11:24 UTC (permalink / raw
  To: gentoo-commits

commit:     5af706038704d1d607d1a31916a4f7eadb4c49bc
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Aug  7 15:31:11 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Aug  8 11:13:42 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=5af70603

Give kmod access to tmpfiles

Upon boot, the kmod application (running as insmod_t) can generate a
tmpfiles configuration file to allow tmpfiles to relabel and set the
required static device nodes for the kernel:

kmod static-nodes --format=tmpfiles --output=/run/tmpfiles.d/kmod.conf

This requires the insmod_t domain to have create/write privileges
towards the /run/tmpfiles.d location.

Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

---
 policy/modules/system/modutils.te | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index f52e72a..419b826 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -232,6 +232,11 @@ optional_policy(`
 ')
 
 optional_policy(`
+	tmpfiles_create_var_run_files(insmod_t)
+	tmpfiles_write_var_run_files(insmod_t)
+')
+
+optional_policy(`
 	unconfined_domain(insmod_t)
 	unconfined_dontaudit_rw_pipes(insmod_t)
 ')


^ permalink raw reply related	[flat|nested] 18+ messages in thread

* [gentoo-commits] proj/hardened-refpolicy:testing commit in: policy/modules/system/
@ 2014-08-08 12:36 Sven Vermeulen
  0 siblings, 0 replies; 18+ messages in thread
From: Sven Vermeulen @ 2014-08-08 12:36 UTC (permalink / raw
  To: gentoo-commits

commit:     5ad9043cff0a3495ee357ee3c9b8f2ef50f2d15a
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Aug  7 15:27:49 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Aug  8 12:36:42 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=5ad9043c

Introduce the tmpfiles_t domain

The tmpfiles application, as documented in [1], is used to prepare directory
structures in runtime, volatile locations (such as /var/run, /run and
perhaps even /tmp and /var/tmp).

[1] http://www.freedesktop.org/software/systemd/man/tmpfiles.d.html

The need for the tmpfiles application seems to came forward as systemd
service files ("unit files") are not the flexible shell scripts that are
used in init scripts (/etc/rc.d/init.d/* files). Whereas these init scripts
usually did the preparation of runtime directories, the systemd service
scripts do not (well, beyond the RuntimeDirectory= directive, that is).

Instead, services are required to create a tmpfiles configuration file
inside one of the following locations, informing the tmpfiles application to
create directories and files as needed:

(a.) /usr/lib/tmpfiles.d/ (*.conf) for packaged services (default settings)
(b.) /run/tmpfiles.d/ (*.conf) for dynamically generated overrides of (a.)
(c.) /etc/tmpfiles.d/ (*.conf) for local system administration overrides
     of (a.) and (b.)

These files declare what action to perform on a specific location (such as
create a directory) and which ownership to apply (similar to the install(1)
application it seems).

Both in systemd as well as OpenRC the tmpfiles application is SELinux-aware,
(re)setting the context of the target.

Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

---
 policy/modules/system/tmpfiles.fc |   7 ++
 policy/modules/system/tmpfiles.if | 161 ++++++++++++++++++++++++++++++++++++++
 policy/modules/system/tmpfiles.te |  99 +++++++++++++++++++++++
 3 files changed, 267 insertions(+)

diff --git a/policy/modules/system/tmpfiles.fc b/policy/modules/system/tmpfiles.fc
new file mode 100644
index 0000000..12fd30a
--- /dev/null
+++ b/policy/modules/system/tmpfiles.fc
@@ -0,0 +1,7 @@
+
+/etc/tmpfiles.d(/.*)?				gen_context(system_u:object_r:tmpfiles_conf_t,s0)
+/var/run/tmpfiles.d(/.*)?			gen_context(system_u:object_r:tmpfiles_var_run_t,s0)
+
+/lib/rc/bin/checkpath			--	gen_context(system_u:object_r:tmpfiles_exec_t,s0)
+/lib/rc/sh/tmpfiles.sh			--	gen_context(system_u:object_r:tmpfiles_exec_t,s0)
+

diff --git a/policy/modules/system/tmpfiles.if b/policy/modules/system/tmpfiles.if
new file mode 100644
index 0000000..09897fc
--- /dev/null
+++ b/policy/modules/system/tmpfiles.if
@@ -0,0 +1,161 @@
+## <summary>Policy for tmpfiles, a boot-time temporary file handler</summary>
+
+########################################
+## <summary>
+##	Read resources in /run/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`tmpfiles_read_var_run',`
+	gen_require(`
+		type tmpfiles_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 tmpfiles_var_run_t:dir list_dir_perms;
+	allow $1 tmpfiles_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##	Create files in /run/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`tmpfiles_create_var_run_files',`
+	gen_require(`
+		type tmpfiles_var_run_t;
+	')
+
+	create_files_pattern($1, tmpfiles_var_run_t, tmpfiles_var_run_t)
+
+	tmpfiles_read_var_run($1)
+')
+
+########################################
+## <summary>
+##	Write to files in /run/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`tmpfiles_write_var_run_files',`
+	gen_require(`
+		type tmpfiles_var_run_t;
+	')
+
+	write_files_pattern($1, tmpfiles_var_run_t, tmpfiles_var_run_t)
+
+	tmpfiles_read_var_run($1)
+')
+
+########################################
+## <summary>
+##	Manage files in /run/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`tmpfiles_manage_var_run_files',`
+	gen_require(`
+		type tmpfiles_var_run_t;
+	')
+
+	tmpfiles_read_var_run($1)
+
+	manage_files_pattern($1, tmpfiles_var_run_t, tmpfiles_var_run_t)
+')
+
+########################################
+## <summary>
+##	Read files in /etc/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`tmpfiles_read_conf',`
+	gen_require(`
+		type tmpfiles_conf_t;
+	')
+
+	files_search_etc($1)
+	allow $1 tmpfiles_conf_t:dir list_dir_perms;
+	allow $1 tmpfiles_conf_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##	Create files in /etc/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`tmpfiles_create_conf_files',`
+	gen_require(`
+		type tmpfiles_conf_t;
+	')
+
+	create_files_pattern($1, tmpfiles_conf_t, tmpfiles_conf_t)
+
+	tmpfiles_read_conf($1)
+')
+
+########################################
+## <summary>
+##	Write to files in /etc/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`tmpfiles_write_conf_files',`
+	gen_require(`
+		type tmpfiles_conf_t;
+	')
+
+	write_files_pattern($1, tmpfiles_conf_t, tmpfiles_conf_t)
+
+	tmpfiles_read_conf($1)
+')
+
+########################################
+## <summary>
+##	Manage files in /etc/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`tmpfiles_manage_conf_files',`
+	gen_require(`
+		type tmpfiles_conf_t;
+	')
+
+	manage_files_pattern($1, tmpfiles_conf_t, tmpfiles_conf_t)
+
+	tmpfiles_read_conf($1)
+')

diff --git a/policy/modules/system/tmpfiles.te b/policy/modules/system/tmpfiles.te
new file mode 100644
index 0000000..37c957e
--- /dev/null
+++ b/policy/modules/system/tmpfiles.te
@@ -0,0 +1,99 @@
+policy_module(tmpfiles, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+##      <p>
+##      Determine whether tmpfiles can manage
+##      all non-security sensitive resources.
+##	Without this, it is only allowed rights towards
+##	/run, /tmp, /dev and /var/lock.
+##      </p>
+## </desc>
+gen_tunable(tmpfiles_manage_all_non_security, false)
+
+type tmpfiles_t;
+type tmpfiles_exec_t;
+init_daemon_domain(tmpfiles_t, tmpfiles_exec_t)
+
+type tmpfiles_conf_t;
+files_config_file(tmpfiles_conf_t)
+
+type tmpfiles_var_run_t;
+files_pid_file(tmpfiles_var_run_t)
+
+
+########################################
+#
+# Local policy
+#
+
+allow tmpfiles_t self:capability { mknod chown fowner fsetid };
+allow tmpfiles_t self:process getsched;
+allow tmpfiles_t self:fifo_file rw_fifo_file_perms;
+allow tmpfiles_t self:unix_dgram_socket create_socket_perms;
+
+allow tmpfiles_t tmpfiles_exec_t:file execute_no_trans;
+
+list_dirs_pattern(tmpfiles_t, tmpfiles_conf_t, tmpfiles_conf_t)
+read_files_pattern(tmpfiles_t, tmpfiles_conf_t, tmpfiles_conf_t)
+
+manage_files_pattern(tmpfiles_t, tmpfiles_var_run_t, tmpfiles_var_run_t)
+manage_dirs_pattern(tmpfiles_t, tmpfiles_var_run_t, tmpfiles_var_run_t)
+
+corecmd_exec_bin(tmpfiles_t)
+corecmd_exec_shell(tmpfiles_t)
+
+dev_create_all_blk_files(tmpfiles_t)
+dev_create_all_chr_files(tmpfiles_t)
+dev_getattr_all_blk_files(tmpfiles_t)
+dev_getattr_generic_blk_files(tmpfiles_t)
+dev_getattr_generic_chr_files(tmpfiles_t)
+dev_relabel_all_dev_nodes(tmpfiles_t)
+dev_relabel_generic_dev_dirs(tmpfiles_t)
+dev_relabelfrom_generic_chr_files(tmpfiles_t)
+dev_setattr_all_chr_files(tmpfiles_t)
+dev_setattr_generic_dirs(tmpfiles_t)
+
+files_manage_all_pids(tmpfiles_t)
+files_manage_generic_locks(tmpfiles_t)
+files_manage_generic_tmp_dirs(tmpfiles_t)
+files_manage_generic_tmp_files(tmpfiles_t)
+files_manage_var_dirs(tmpfiles_t)
+files_manage_var_files(tmpfiles_t)
+files_relabel_all_lock_dirs(tmpfiles_t)
+files_relabel_all_pidfiles(tmpfiles_t)
+files_relabel_all_tmp_dirs(tmpfiles_t)
+files_relabel_all_tmp_files(tmpfiles_t)
+files_setattr_all_tmp_dirs(tmpfiles_t)
+files_setattr_lock_dirs(tmpfiles_t)
+files_setattr_pid_dirs(tmpfiles_t)
+
+fs_getattr_all_fs(tmpfiles_t)
+fs_getattr_tmpfs_dirs(tmpfiles_t)
+fs_manage_cgroup_files(tmpfiles_t)
+
+selinux_get_enforce_mode(tmpfiles_t)
+
+auth_use_nsswitch(tmpfiles_t)
+
+init_exec_rc(tmpfiles_t)
+
+miscfiles_read_localization(tmpfiles_t)
+
+seutil_exec_setfiles(tmpfiles_t)
+seutil_libselinux_linked(tmpfiles_t)
+seutil_read_file_contexts(tmpfiles_t)
+
+ifdef(`distro_gentoo',`
+	dev_create_generic_dirs(tmpfiles_t)
+')
+
+tunable_policy(`tmpfiles_manage_all_non_security',`
+	files_manage_non_security_dirs(tmpfiles_t)
+	files_manage_all_non_security_file_types(tmpfiles_t)
+	files_relabel_all_non_security_file_types(tmpfiles_t)
+')


^ permalink raw reply related	[flat|nested] 18+ messages in thread

* [gentoo-commits] proj/hardened-refpolicy:testing commit in: policy/modules/system/
@ 2014-08-08 12:36 Sven Vermeulen
  0 siblings, 0 replies; 18+ messages in thread
From: Sven Vermeulen @ 2014-08-08 12:36 UTC (permalink / raw
  To: gentoo-commits

commit:     f0b46842ab3230a1f2aeef4d9ca4685962b5fdaf
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Aug  7 15:31:11 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Aug  8 12:36:42 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f0b46842

Give kmod access to tmpfiles

Upon boot, the kmod application (running as insmod_t) can generate a
tmpfiles configuration file to allow tmpfiles to relabel and set the
required static device nodes for the kernel:

kmod static-nodes --format=tmpfiles --output=/run/tmpfiles.d/kmod.conf

This requires the insmod_t domain to have create/write privileges
towards the /run/tmpfiles.d location.

Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

---
 policy/modules/system/modutils.te | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index f52e72a..419b826 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -232,6 +232,11 @@ optional_policy(`
 ')
 
 optional_policy(`
+	tmpfiles_create_var_run_files(insmod_t)
+	tmpfiles_write_var_run_files(insmod_t)
+')
+
+optional_policy(`
 	unconfined_domain(insmod_t)
 	unconfined_dontaudit_rw_pipes(insmod_t)
 ')


^ permalink raw reply related	[flat|nested] 18+ messages in thread

* [gentoo-commits] proj/hardened-refpolicy:testing commit in: policy/modules/system/
@ 2014-08-08 14:49 Sven Vermeulen
  0 siblings, 0 replies; 18+ messages in thread
From: Sven Vermeulen @ 2014-08-08 14:49 UTC (permalink / raw
  To: gentoo-commits

commit:     41fed32dfd6a3a812c252bd6facd6982b23988da
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Aug  7 15:27:49 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Aug  8 14:49:43 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=41fed32d

Introduce the tmpfiles_t domain

The tmpfiles application, as documented in [1], is used to prepare directory
structures in runtime, volatile locations (such as /var/run, /run and
perhaps even /tmp and /var/tmp).

[1] http://www.freedesktop.org/software/systemd/man/tmpfiles.d.html

The need for the tmpfiles application seems to came forward as systemd
service files ("unit files") are not the flexible shell scripts that are
used in init scripts (/etc/rc.d/init.d/* files). Whereas these init scripts
usually did the preparation of runtime directories, the systemd service
scripts do not (well, beyond the RuntimeDirectory= directive, that is).

Instead, services are required to create a tmpfiles configuration file
inside one of the following locations, informing the tmpfiles application to
create directories and files as needed:

(a.) /usr/lib/tmpfiles.d/ (*.conf) for packaged services (default settings)
(b.) /run/tmpfiles.d/ (*.conf) for dynamically generated overrides of (a.)
(c.) /etc/tmpfiles.d/ (*.conf) for local system administration overrides
     of (a.) and (b.)

These files declare what action to perform on a specific location (such as
create a directory) and which ownership to apply (similar to the install(1)
application it seems).

Both in systemd as well as OpenRC the tmpfiles application is SELinux-aware,
(re)setting the context of the target.

Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

---
 policy/modules/system/tmpfiles.fc |   7 ++
 policy/modules/system/tmpfiles.if | 161 ++++++++++++++++++++++++++++++++++++++
 policy/modules/system/tmpfiles.te | 103 ++++++++++++++++++++++++
 3 files changed, 271 insertions(+)

diff --git a/policy/modules/system/tmpfiles.fc b/policy/modules/system/tmpfiles.fc
new file mode 100644
index 0000000..12fd30a
--- /dev/null
+++ b/policy/modules/system/tmpfiles.fc
@@ -0,0 +1,7 @@
+
+/etc/tmpfiles.d(/.*)?				gen_context(system_u:object_r:tmpfiles_conf_t,s0)
+/var/run/tmpfiles.d(/.*)?			gen_context(system_u:object_r:tmpfiles_var_run_t,s0)
+
+/lib/rc/bin/checkpath			--	gen_context(system_u:object_r:tmpfiles_exec_t,s0)
+/lib/rc/sh/tmpfiles.sh			--	gen_context(system_u:object_r:tmpfiles_exec_t,s0)
+

diff --git a/policy/modules/system/tmpfiles.if b/policy/modules/system/tmpfiles.if
new file mode 100644
index 0000000..09897fc
--- /dev/null
+++ b/policy/modules/system/tmpfiles.if
@@ -0,0 +1,161 @@
+## <summary>Policy for tmpfiles, a boot-time temporary file handler</summary>
+
+########################################
+## <summary>
+##	Read resources in /run/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`tmpfiles_read_var_run',`
+	gen_require(`
+		type tmpfiles_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 tmpfiles_var_run_t:dir list_dir_perms;
+	allow $1 tmpfiles_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##	Create files in /run/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`tmpfiles_create_var_run_files',`
+	gen_require(`
+		type tmpfiles_var_run_t;
+	')
+
+	create_files_pattern($1, tmpfiles_var_run_t, tmpfiles_var_run_t)
+
+	tmpfiles_read_var_run($1)
+')
+
+########################################
+## <summary>
+##	Write to files in /run/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`tmpfiles_write_var_run_files',`
+	gen_require(`
+		type tmpfiles_var_run_t;
+	')
+
+	write_files_pattern($1, tmpfiles_var_run_t, tmpfiles_var_run_t)
+
+	tmpfiles_read_var_run($1)
+')
+
+########################################
+## <summary>
+##	Manage files in /run/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`tmpfiles_manage_var_run_files',`
+	gen_require(`
+		type tmpfiles_var_run_t;
+	')
+
+	tmpfiles_read_var_run($1)
+
+	manage_files_pattern($1, tmpfiles_var_run_t, tmpfiles_var_run_t)
+')
+
+########################################
+## <summary>
+##	Read files in /etc/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`tmpfiles_read_conf',`
+	gen_require(`
+		type tmpfiles_conf_t;
+	')
+
+	files_search_etc($1)
+	allow $1 tmpfiles_conf_t:dir list_dir_perms;
+	allow $1 tmpfiles_conf_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##	Create files in /etc/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`tmpfiles_create_conf_files',`
+	gen_require(`
+		type tmpfiles_conf_t;
+	')
+
+	create_files_pattern($1, tmpfiles_conf_t, tmpfiles_conf_t)
+
+	tmpfiles_read_conf($1)
+')
+
+########################################
+## <summary>
+##	Write to files in /etc/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`tmpfiles_write_conf_files',`
+	gen_require(`
+		type tmpfiles_conf_t;
+	')
+
+	write_files_pattern($1, tmpfiles_conf_t, tmpfiles_conf_t)
+
+	tmpfiles_read_conf($1)
+')
+
+########################################
+## <summary>
+##	Manage files in /etc/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`tmpfiles_manage_conf_files',`
+	gen_require(`
+		type tmpfiles_conf_t;
+	')
+
+	manage_files_pattern($1, tmpfiles_conf_t, tmpfiles_conf_t)
+
+	tmpfiles_read_conf($1)
+')

diff --git a/policy/modules/system/tmpfiles.te b/policy/modules/system/tmpfiles.te
new file mode 100644
index 0000000..de92477
--- /dev/null
+++ b/policy/modules/system/tmpfiles.te
@@ -0,0 +1,103 @@
+policy_module(tmpfiles, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+##      <p>
+##      Determine whether tmpfiles can manage
+##      all non-security sensitive resources.
+##	Without this, it is only allowed rights towards
+##	/run, /tmp, /dev and /var/lock.
+##      </p>
+## </desc>
+gen_tunable(tmpfiles_manage_all_non_security, false)
+
+type tmpfiles_t;
+type tmpfiles_exec_t;
+init_daemon_domain(tmpfiles_t, tmpfiles_exec_t)
+
+type tmpfiles_conf_t;
+files_config_file(tmpfiles_conf_t)
+
+type tmpfiles_var_run_t;
+files_pid_file(tmpfiles_var_run_t)
+
+
+########################################
+#
+# Local policy
+#
+
+allow tmpfiles_t self:capability { mknod chown fowner fsetid };
+allow tmpfiles_t self:process getsched;
+allow tmpfiles_t self:fifo_file rw_fifo_file_perms;
+allow tmpfiles_t self:unix_dgram_socket create_socket_perms;
+
+allow tmpfiles_t tmpfiles_exec_t:file execute_no_trans;
+
+list_dirs_pattern(tmpfiles_t, tmpfiles_conf_t, tmpfiles_conf_t)
+read_files_pattern(tmpfiles_t, tmpfiles_conf_t, tmpfiles_conf_t)
+
+manage_files_pattern(tmpfiles_t, tmpfiles_var_run_t, tmpfiles_var_run_t)
+manage_dirs_pattern(tmpfiles_t, tmpfiles_var_run_t, tmpfiles_var_run_t)
+
+corecmd_exec_bin(tmpfiles_t)
+corecmd_exec_shell(tmpfiles_t)
+
+dev_create_all_blk_files(tmpfiles_t)
+dev_create_all_chr_files(tmpfiles_t)
+dev_getattr_all_blk_files(tmpfiles_t)
+dev_getattr_generic_blk_files(tmpfiles_t)
+dev_getattr_generic_chr_files(tmpfiles_t)
+dev_relabel_all_dev_nodes(tmpfiles_t)
+dev_relabel_generic_dev_dirs(tmpfiles_t)
+dev_relabelfrom_generic_chr_files(tmpfiles_t)
+dev_setattr_all_chr_files(tmpfiles_t)
+dev_setattr_generic_dirs(tmpfiles_t)
+
+files_manage_all_pids(tmpfiles_t)
+files_manage_generic_locks(tmpfiles_t)
+files_manage_generic_tmp_dirs(tmpfiles_t)
+files_manage_generic_tmp_files(tmpfiles_t)
+files_manage_var_dirs(tmpfiles_t)
+files_manage_var_files(tmpfiles_t)
+files_relabel_all_lock_dirs(tmpfiles_t)
+files_relabel_all_pidfiles(tmpfiles_t)
+files_relabel_all_tmp_dirs(tmpfiles_t)
+files_relabel_all_tmp_files(tmpfiles_t)
+files_setattr_all_tmp_dirs(tmpfiles_t)
+files_setattr_lock_dirs(tmpfiles_t)
+files_setattr_pid_dirs(tmpfiles_t)
+
+fs_getattr_all_fs(tmpfiles_t)
+fs_getattr_tmpfs_dirs(tmpfiles_t)
+fs_manage_cgroup_files(tmpfiles_t)
+
+selinux_get_enforce_mode(tmpfiles_t)
+
+auth_use_nsswitch(tmpfiles_t)
+
+init_exec_rc(tmpfiles_t)
+
+miscfiles_read_localization(tmpfiles_t)
+
+seutil_exec_setfiles(tmpfiles_t)
+seutil_libselinux_linked(tmpfiles_t)
+seutil_read_file_contexts(tmpfiles_t)
+
+ifdef(`distro_gentoo',`
+	dev_create_generic_dirs(tmpfiles_t)
+	# Early at boot, access /dev/console and /dev/tty which is device_t due to kernel-provided devtmpfs 
+	dev_rw_generic_chr_files(tmpfiles_t)
+
+	init_relabelto_script_state(tmpfiles_t)
+')
+
+tunable_policy(`tmpfiles_manage_all_non_security',`
+	files_manage_all_non_security_file_types(tmpfiles_t)
+	files_manage_non_security_dirs(tmpfiles_t)
+	files_relabel_all_non_security_file_types(tmpfiles_t)
+')


^ permalink raw reply related	[flat|nested] 18+ messages in thread

* [gentoo-commits] proj/hardened-refpolicy:testing commit in: policy/modules/system/
  2014-08-08 15:27 [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
@ 2014-08-08 14:49 ` Sven Vermeulen
  0 siblings, 0 replies; 18+ messages in thread
From: Sven Vermeulen @ 2014-08-08 14:49 UTC (permalink / raw
  To: gentoo-commits

commit:     f901a2a92def4f0c956c9ddc43bac2109a5f1348
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Aug  7 15:31:11 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Aug  8 14:49:47 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f901a2a9

Give kmod access to tmpfiles

Upon boot, the kmod application (running as insmod_t) can generate a
tmpfiles configuration file to allow tmpfiles to relabel and set the
required static device nodes for the kernel:

kmod static-nodes --format=tmpfiles --output=/run/tmpfiles.d/kmod.conf

This requires the insmod_t domain to have create/write privileges
towards the /run/tmpfiles.d location.

Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

---
 policy/modules/system/modutils.te | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index f52e72a..419b826 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -232,6 +232,11 @@ optional_policy(`
 ')
 
 optional_policy(`
+	tmpfiles_create_var_run_files(insmod_t)
+	tmpfiles_write_var_run_files(insmod_t)
+')
+
+optional_policy(`
 	unconfined_domain(insmod_t)
 	unconfined_dontaudit_rw_pipes(insmod_t)
 ')


^ permalink raw reply related	[flat|nested] 18+ messages in thread

* [gentoo-commits] proj/hardened-refpolicy:testing commit in: policy/modules/system/
  2014-08-08 15:27 [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
@ 2014-08-08 14:49 ` Sven Vermeulen
  0 siblings, 0 replies; 18+ messages in thread
From: Sven Vermeulen @ 2014-08-08 14:49 UTC (permalink / raw
  To: gentoo-commits

commit:     bb44da60efc9fca1377a3270f67da79aafa2b820
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Aug  8 14:42:31 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Aug  8 14:42:51 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=bb44da60

Introduce init_relabelto_script_state

---
 policy/modules/system/init.if | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 6a01568..ab4b450 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1892,3 +1892,22 @@ interface(`init_read_script_status_files',`
 
 	read_files_pattern($1, initrc_state_t, initrc_state_t)
 ')
+
+#########################################
+## <summary>
+##	Label to init script status files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+#
+interface(`init_relabelto_script_state',`
+	gen_require(`
+		type initrc_state_t;
+	')
+
+	relabelto_files_pattern($1, initrc_state_t, initrc_state_t)
+	relabelto_dirs_pattern($1, initrc_state_t, initrc_state_t)
+')


^ permalink raw reply related	[flat|nested] 18+ messages in thread

* [gentoo-commits] proj/hardened-refpolicy:testing commit in: policy/modules/system/
@ 2014-08-09 11:56 Jason Zaman
  0 siblings, 0 replies; 18+ messages in thread
From: Jason Zaman @ 2014-08-09 11:56 UTC (permalink / raw
  To: gentoo-commits

commit:     bb44da60efc9fca1377a3270f67da79aafa2b820
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Aug  8 14:42:31 2014 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Fri Aug  8 14:42:51 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=bb44da60

Introduce init_relabelto_script_state

---
 policy/modules/system/init.if | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 6a01568..ab4b450 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1892,3 +1892,22 @@ interface(`init_read_script_status_files',`
 
 	read_files_pattern($1, initrc_state_t, initrc_state_t)
 ')
+
+#########################################
+## <summary>
+##	Label to init script status files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+#
+interface(`init_relabelto_script_state',`
+	gen_require(`
+		type initrc_state_t;
+	')
+
+	relabelto_files_pattern($1, initrc_state_t, initrc_state_t)
+	relabelto_dirs_pattern($1, initrc_state_t, initrc_state_t)
+')


^ permalink raw reply related	[flat|nested] 18+ messages in thread

* [gentoo-commits] proj/hardened-refpolicy:testing commit in: policy/modules/system/
@ 2014-08-09 11:57 Jason Zaman
  0 siblings, 0 replies; 18+ messages in thread
From: Jason Zaman @ 2014-08-09 11:57 UTC (permalink / raw
  To: gentoo-commits

commit:     f901a2a92def4f0c956c9ddc43bac2109a5f1348
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Aug  7 15:31:11 2014 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Fri Aug  8 14:49:47 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f901a2a9

Give kmod access to tmpfiles

Upon boot, the kmod application (running as insmod_t) can generate a
tmpfiles configuration file to allow tmpfiles to relabel and set the
required static device nodes for the kernel:

kmod static-nodes --format=tmpfiles --output=/run/tmpfiles.d/kmod.conf

This requires the insmod_t domain to have create/write privileges
towards the /run/tmpfiles.d location.

Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

---
 policy/modules/system/modutils.te | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index f52e72a..419b826 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -232,6 +232,11 @@ optional_policy(`
 ')
 
 optional_policy(`
+	tmpfiles_create_var_run_files(insmod_t)
+	tmpfiles_write_var_run_files(insmod_t)
+')
+
+optional_policy(`
 	unconfined_domain(insmod_t)
 	unconfined_dontaudit_rw_pipes(insmod_t)
 ')


^ permalink raw reply related	[flat|nested] 18+ messages in thread

* [gentoo-commits] proj/hardened-refpolicy:testing commit in: policy/modules/system/
@ 2014-08-09 11:57 Jason Zaman
  0 siblings, 0 replies; 18+ messages in thread
From: Jason Zaman @ 2014-08-09 11:57 UTC (permalink / raw
  To: gentoo-commits

commit:     41fed32dfd6a3a812c252bd6facd6982b23988da
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Aug  7 15:27:49 2014 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Fri Aug  8 14:49:43 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=41fed32d

Introduce the tmpfiles_t domain

The tmpfiles application, as documented in [1], is used to prepare directory
structures in runtime, volatile locations (such as /var/run, /run and
perhaps even /tmp and /var/tmp).

[1] http://www.freedesktop.org/software/systemd/man/tmpfiles.d.html

The need for the tmpfiles application seems to came forward as systemd
service files ("unit files") are not the flexible shell scripts that are
used in init scripts (/etc/rc.d/init.d/* files). Whereas these init scripts
usually did the preparation of runtime directories, the systemd service
scripts do not (well, beyond the RuntimeDirectory= directive, that is).

Instead, services are required to create a tmpfiles configuration file
inside one of the following locations, informing the tmpfiles application to
create directories and files as needed:

(a.) /usr/lib/tmpfiles.d/ (*.conf) for packaged services (default settings)
(b.) /run/tmpfiles.d/ (*.conf) for dynamically generated overrides of (a.)
(c.) /etc/tmpfiles.d/ (*.conf) for local system administration overrides
     of (a.) and (b.)

These files declare what action to perform on a specific location (such as
create a directory) and which ownership to apply (similar to the install(1)
application it seems).

Both in systemd as well as OpenRC the tmpfiles application is SELinux-aware,
(re)setting the context of the target.

Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

---
 policy/modules/system/tmpfiles.fc |   7 ++
 policy/modules/system/tmpfiles.if | 161 ++++++++++++++++++++++++++++++++++++++
 policy/modules/system/tmpfiles.te | 103 ++++++++++++++++++++++++
 3 files changed, 271 insertions(+)

diff --git a/policy/modules/system/tmpfiles.fc b/policy/modules/system/tmpfiles.fc
new file mode 100644
index 0000000..12fd30a
--- /dev/null
+++ b/policy/modules/system/tmpfiles.fc
@@ -0,0 +1,7 @@
+
+/etc/tmpfiles.d(/.*)?				gen_context(system_u:object_r:tmpfiles_conf_t,s0)
+/var/run/tmpfiles.d(/.*)?			gen_context(system_u:object_r:tmpfiles_var_run_t,s0)
+
+/lib/rc/bin/checkpath			--	gen_context(system_u:object_r:tmpfiles_exec_t,s0)
+/lib/rc/sh/tmpfiles.sh			--	gen_context(system_u:object_r:tmpfiles_exec_t,s0)
+

diff --git a/policy/modules/system/tmpfiles.if b/policy/modules/system/tmpfiles.if
new file mode 100644
index 0000000..09897fc
--- /dev/null
+++ b/policy/modules/system/tmpfiles.if
@@ -0,0 +1,161 @@
+## <summary>Policy for tmpfiles, a boot-time temporary file handler</summary>
+
+########################################
+## <summary>
+##	Read resources in /run/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`tmpfiles_read_var_run',`
+	gen_require(`
+		type tmpfiles_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 tmpfiles_var_run_t:dir list_dir_perms;
+	allow $1 tmpfiles_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##	Create files in /run/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`tmpfiles_create_var_run_files',`
+	gen_require(`
+		type tmpfiles_var_run_t;
+	')
+
+	create_files_pattern($1, tmpfiles_var_run_t, tmpfiles_var_run_t)
+
+	tmpfiles_read_var_run($1)
+')
+
+########################################
+## <summary>
+##	Write to files in /run/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`tmpfiles_write_var_run_files',`
+	gen_require(`
+		type tmpfiles_var_run_t;
+	')
+
+	write_files_pattern($1, tmpfiles_var_run_t, tmpfiles_var_run_t)
+
+	tmpfiles_read_var_run($1)
+')
+
+########################################
+## <summary>
+##	Manage files in /run/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`tmpfiles_manage_var_run_files',`
+	gen_require(`
+		type tmpfiles_var_run_t;
+	')
+
+	tmpfiles_read_var_run($1)
+
+	manage_files_pattern($1, tmpfiles_var_run_t, tmpfiles_var_run_t)
+')
+
+########################################
+## <summary>
+##	Read files in /etc/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`tmpfiles_read_conf',`
+	gen_require(`
+		type tmpfiles_conf_t;
+	')
+
+	files_search_etc($1)
+	allow $1 tmpfiles_conf_t:dir list_dir_perms;
+	allow $1 tmpfiles_conf_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##	Create files in /etc/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`tmpfiles_create_conf_files',`
+	gen_require(`
+		type tmpfiles_conf_t;
+	')
+
+	create_files_pattern($1, tmpfiles_conf_t, tmpfiles_conf_t)
+
+	tmpfiles_read_conf($1)
+')
+
+########################################
+## <summary>
+##	Write to files in /etc/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`tmpfiles_write_conf_files',`
+	gen_require(`
+		type tmpfiles_conf_t;
+	')
+
+	write_files_pattern($1, tmpfiles_conf_t, tmpfiles_conf_t)
+
+	tmpfiles_read_conf($1)
+')
+
+########################################
+## <summary>
+##	Manage files in /etc/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`tmpfiles_manage_conf_files',`
+	gen_require(`
+		type tmpfiles_conf_t;
+	')
+
+	manage_files_pattern($1, tmpfiles_conf_t, tmpfiles_conf_t)
+
+	tmpfiles_read_conf($1)
+')

diff --git a/policy/modules/system/tmpfiles.te b/policy/modules/system/tmpfiles.te
new file mode 100644
index 0000000..de92477
--- /dev/null
+++ b/policy/modules/system/tmpfiles.te
@@ -0,0 +1,103 @@
+policy_module(tmpfiles, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+##      <p>
+##      Determine whether tmpfiles can manage
+##      all non-security sensitive resources.
+##	Without this, it is only allowed rights towards
+##	/run, /tmp, /dev and /var/lock.
+##      </p>
+## </desc>
+gen_tunable(tmpfiles_manage_all_non_security, false)
+
+type tmpfiles_t;
+type tmpfiles_exec_t;
+init_daemon_domain(tmpfiles_t, tmpfiles_exec_t)
+
+type tmpfiles_conf_t;
+files_config_file(tmpfiles_conf_t)
+
+type tmpfiles_var_run_t;
+files_pid_file(tmpfiles_var_run_t)
+
+
+########################################
+#
+# Local policy
+#
+
+allow tmpfiles_t self:capability { mknod chown fowner fsetid };
+allow tmpfiles_t self:process getsched;
+allow tmpfiles_t self:fifo_file rw_fifo_file_perms;
+allow tmpfiles_t self:unix_dgram_socket create_socket_perms;
+
+allow tmpfiles_t tmpfiles_exec_t:file execute_no_trans;
+
+list_dirs_pattern(tmpfiles_t, tmpfiles_conf_t, tmpfiles_conf_t)
+read_files_pattern(tmpfiles_t, tmpfiles_conf_t, tmpfiles_conf_t)
+
+manage_files_pattern(tmpfiles_t, tmpfiles_var_run_t, tmpfiles_var_run_t)
+manage_dirs_pattern(tmpfiles_t, tmpfiles_var_run_t, tmpfiles_var_run_t)
+
+corecmd_exec_bin(tmpfiles_t)
+corecmd_exec_shell(tmpfiles_t)
+
+dev_create_all_blk_files(tmpfiles_t)
+dev_create_all_chr_files(tmpfiles_t)
+dev_getattr_all_blk_files(tmpfiles_t)
+dev_getattr_generic_blk_files(tmpfiles_t)
+dev_getattr_generic_chr_files(tmpfiles_t)
+dev_relabel_all_dev_nodes(tmpfiles_t)
+dev_relabel_generic_dev_dirs(tmpfiles_t)
+dev_relabelfrom_generic_chr_files(tmpfiles_t)
+dev_setattr_all_chr_files(tmpfiles_t)
+dev_setattr_generic_dirs(tmpfiles_t)
+
+files_manage_all_pids(tmpfiles_t)
+files_manage_generic_locks(tmpfiles_t)
+files_manage_generic_tmp_dirs(tmpfiles_t)
+files_manage_generic_tmp_files(tmpfiles_t)
+files_manage_var_dirs(tmpfiles_t)
+files_manage_var_files(tmpfiles_t)
+files_relabel_all_lock_dirs(tmpfiles_t)
+files_relabel_all_pidfiles(tmpfiles_t)
+files_relabel_all_tmp_dirs(tmpfiles_t)
+files_relabel_all_tmp_files(tmpfiles_t)
+files_setattr_all_tmp_dirs(tmpfiles_t)
+files_setattr_lock_dirs(tmpfiles_t)
+files_setattr_pid_dirs(tmpfiles_t)
+
+fs_getattr_all_fs(tmpfiles_t)
+fs_getattr_tmpfs_dirs(tmpfiles_t)
+fs_manage_cgroup_files(tmpfiles_t)
+
+selinux_get_enforce_mode(tmpfiles_t)
+
+auth_use_nsswitch(tmpfiles_t)
+
+init_exec_rc(tmpfiles_t)
+
+miscfiles_read_localization(tmpfiles_t)
+
+seutil_exec_setfiles(tmpfiles_t)
+seutil_libselinux_linked(tmpfiles_t)
+seutil_read_file_contexts(tmpfiles_t)
+
+ifdef(`distro_gentoo',`
+	dev_create_generic_dirs(tmpfiles_t)
+	# Early at boot, access /dev/console and /dev/tty which is device_t due to kernel-provided devtmpfs 
+	dev_rw_generic_chr_files(tmpfiles_t)
+
+	init_relabelto_script_state(tmpfiles_t)
+')
+
+tunable_policy(`tmpfiles_manage_all_non_security',`
+	files_manage_all_non_security_file_types(tmpfiles_t)
+	files_manage_non_security_dirs(tmpfiles_t)
+	files_relabel_all_non_security_file_types(tmpfiles_t)
+')


^ permalink raw reply related	[flat|nested] 18+ messages in thread

end of thread, other threads:[~2014-08-09 11:57 UTC | newest]

Thread overview: 18+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2014-08-09 11:57 [gentoo-commits] proj/hardened-refpolicy:testing commit in: policy/modules/system/ Jason Zaman
  -- strict thread matches above, loose matches on Subject: below --
2014-08-09 11:57 Jason Zaman
2014-08-09 11:56 Jason Zaman
2014-08-08 15:27 [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
2014-08-08 14:49 ` [gentoo-commits] proj/hardened-refpolicy:testing " Sven Vermeulen
2014-08-08 15:27 [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
2014-08-08 14:49 ` [gentoo-commits] proj/hardened-refpolicy:testing " Sven Vermeulen
2014-08-08 14:49 Sven Vermeulen
2014-08-08 12:36 Sven Vermeulen
2014-08-08 12:36 Sven Vermeulen
2014-08-08 11:24 Sven Vermeulen
2014-08-08 11:24 Sven Vermeulen
2014-08-08  8:50 Sven Vermeulen
2014-08-08  8:50 Sven Vermeulen
2014-08-07 12:41 Sven Vermeulen
2014-08-07 12:41 Sven Vermeulen
2014-08-07  8:29 Sven Vermeulen
2014-08-07  8:29 Sven Vermeulen
2014-08-07  8:06 [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
2014-08-06 18:13 ` [gentoo-commits] proj/hardened-refpolicy:testing " Sven Vermeulen
2014-08-06  9:19 Sven Vermeulen

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox