From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id 69501138A1A for ; Thu, 29 Jan 2015 20:53:11 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 5286DE0867; Thu, 29 Jan 2015 20:53:10 +0000 (UTC)
Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 82BE8E085C for ; Thu, 29 Jan 2015 20:53:09 +0000 (UTC)
Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 8AAE7340756 for ; Thu, 29 Jan 2015 20:53:08 +0000 (UTC)
Received: from localhost.localdomain (localhost [127.0.0.1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id 26214109D5 for ; Thu, 29 Jan 2015 20:53:07 +0000 (UTC)
From: "Sven Vermeulen"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen"
Message-ID: <1422564668.cba6dc0028608f027f7e02ab1d4df155632a7a46.swift@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/contrib/samhain.if policy/modules/contrib/samhain.te
X-VCS-Directories: policy/modules/contrib/
X-VCS-Committer: swift
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: cba6dc0028608f027f7e02ab1d4df155632a7a46
X-VCS-Branch: master
Date: Thu, 29 Jan 2015 20:53:07 +0000 (UTC)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: 17a2051e-16e0-44d5-af27-e326c733a1ee
X-Archives-Hash: c025f0b0f1238028bf64538b5a84a01f

commit:     cba6dc0028608f027f7e02ab1d4df155632a7a46
Author:     Dominick Grift gmail com>
AuthorDate: Tue Jan 27 20:17:58 2015 +0000
Commit:     Sven Vermeulen gentoo org>
CommitDate: Thu Jan 29 20:51:08 2015 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=cba6dc00

Various samhain fixes

connects to smtp port
resolves smtp dns name
missing samhain_domain attribute
reads random device
samhain_domains use unnamed pipes for internal comms
clarify why some rules are commented out for now in samhain_admin()
remove samhain_run() from samhain_admin()
samhain needs to be able to maintain directories in /var/lib

Signed-off-by: Dominick Grift gmail.com>

--- policy/modules/contrib/samhain.if | 8 +++----- policy/modules/contrib/samhain.te | 12 ++++++++++-- 2 files changed, 13 insertions(+), 7 deletions(-) diff --git a/policy/modules/contrib/samhain.if b/policy/modules/contrib/samhain.if index f0236d6..b1ebcee 100644 --- a/policy/modules/contrib/samhain.if +++ b/policy/modules/contrib/samhain.if
@@ -16,7 +16,7 @@ template(`samhain_service_template',` type samhain_exec_t; ') - type $1_t; + type $1_t, samhain_domain; domain_type($1_t) domain_entry_file($1_t, samhain_exec_t) @@ -213,14 +213,14 @@ interface(`samhain_manage_pid_files',` interface(`samhain_admin',` gen_require(` attribute samhain_domain; - type samhain_t, samhaind_t, samhain_db_t, samhain_etc_t; + type samhain_db_t, samhain_etc_t; type samhain_initrc_exec_t, samhain_log_t, samhain_var_run_t; ') allow $1 samhain_domain:process { ptrace signal_perms }; ps_process_pattern($1, samhain_domain) - # pending + # duplicate role transition: remove samhain_admin(sysadm_t, sysadm_r) first # init_labeled_script_domtrans($1, samhain_initrc_exec_t) # domain_system_change_exemption($1) # role_transition $2 samhain_initrc_exec_t system_r; @@ -237,6 +237,4 @@ interface(`samhain_admin',` files_list_pids($1) admin_pattern($1, samhain_var_run_t) - - # samhain_run($1, $2) ') diff --git a/policy/modules/contrib/samhain.te b/policy/modules/contrib/samhain.te index c41ce4b..3ed8e45 100644 --- a/policy/modules/contrib/samhain.te +++ b/policy/modules/contrib/samhain.te @@ -1,4 +1,4 @@ -policy_module(samhain, 1.2.0) +policy_module(samhain, 1.2.1) ######################################## # @@ -50,8 +50,9 @@ ifdef(`enable_mls',` allow samhain_domain self:capability { dac_override dac_read_search fowner ipc_lock }; dontaudit samhain_domain self:capability { sys_resource sys_ptrace }; -allow samhain_domain self:fd use; allow samhain_domain self:process { setsched setrlimit signull }; +allow samhain_domain self:fd use; +allow samhain_domain self:fifo_file rw_fifo_file_perms; allow samhain_domain samhain_etc_t:file read_file_perms; @@ -96,6 +97,7 @@ logging_send_syslog_msg(samhain_domain) # manage_files_pattern(samhain_t, samhain_db_t, samhain_db_t) +manage_dirs_pattern(samhain_t, samhain_db_t, samhain_db_t) files_var_lib_filetrans(samhain_t, samhain_db_t, { file dir }) domain_use_interactive_fds(samhain_t) 
@@ -115,4 +117,10 @@ can_exec(samhaind_t, samhain_exec_t) read_files_pattern(samhaind_t, samhain_db_t, samhain_db_t) +corenet_tcp_connect_smtp_port(samhaind_t) + +dev_read_rand(samhaind_t) + init_use_script_ptys(samhaind_t) + +sysnet_dns_name_resolve(samhaind_t)
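Review bot: in the samhain.if hunk at @@ -16,7 +16,7 @@ the template now declares `type $1_t, samhain_domain;`, but the template's gen_require block, which the visible context shows ending with `type samhain_exec_t; ')`, does not require `attribute samhain_domain;`. That only works while samhain_service_template is instantiated from samhain.te, where the attribute is declared; any other module calling the template would fail to resolve samhain_domain. Adding `attribute samhain_domain;` to that gen_require makes the template self-contained, which is the usual refpolicy convention.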
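Review bot: in the samhain_admin() hunk at @@ -213,14 +213,14 @@ the new comment `# duplicate role transition: remove samhain_admin(sysadm_t, sysadm_r) first` explains the situation better than `# pending`, but the net effect is unchanged: init_labeled_script_domtrans, domain_system_change_exemption and the role_transition stay commented out, so a caller of samhain_admin() still cannot start or stop the service through the init script. Since the blocker is a call elsewhere in the policy, it would help to name the file holding that samhain_admin(sysadm_t, sysadm_r) call so the follow-up is not lost. Dropping samhain_t and samhaind_t from gen_require is correct, as the interface now only references samhain_domain.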
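Review bot: in the samhain.te hunk at @@ -50,8 +50,9 @@ the line `allow samhain_domain self:fd use;` is only moved below the self:process rule, which makes the diff look as if the fd rule were changed when the only functional addition is `allow samhain_domain self:fifo_file rw_fifo_file_perms;`. Leave the fd rule in place (or split the reorder into its own commit) so the change is easy to audit. The fifo_file rule itself matches the commit message's "unnamed pipes for internal comms" and is scoped to self, which is the right scope.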
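Review bot: in the hunk at @@ -96,6 +97,7 @@ the new `manage_dirs_pattern(samhain_t, samhain_db_t, samhain_db_t)` closes a real gap: the existing `files_var_lib_filetrans(samhain_t, samhain_db_t, { file dir })` already labeled new directories as samhain_db_t, but without dir create permission the transition could never be exercised. Note that the directory rights go to samhain_t only, while the later hunk keeps samhaind_t at read_files_pattern on samhain_db_t; keeping the daemon read-only on the baseline database is the right split and worth preserving in future changes.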
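Review bot: in the hunk at @@ -115,4 +117,10 @@ `dev_read_rand(samhaind_t)` grants read access to the blocking random device; if the daemon only needs /dev/urandom, the narrower dev_read_urand() interface is sufficient and avoids a dependency on the kernel entropy pool. `corenet_tcp_connect_smtp_port(samhaind_t)` together with `sysnet_dns_name_resolve(samhaind_t)` gives the daemon an unconditional outbound path to any SMTP port; since direct delivery is a deployment choice rather than something every samhain instance does, consider guarding it with a tunable_policy boolean (or routing through the local MTA) so that a misbehaving daemon does not get that channel by default. Also, the three additions are interleaved with the existing init_use_script_ptys line by blank lines; grouping the corenet and sysnet rules together reads better.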