From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 546F3139695 for ; Tue, 21 Feb 2017 07:12:24 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id B8A1A21C1D9; Tue, 21 Feb 2017 07:12:03 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 7C7F221C1D9 for ; Tue, 21 Feb 2017 07:12:03 +0000 (UTC) Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id B0CEC3413C3 for ; Tue, 21 Feb 2017 07:11:54 +0000 (UTC) Received: from localhost.localdomain (localhost [IPv6:::1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id 7280C4F58 for ; Tue, 21 Feb 2017 07:11:50 +0000 (UTC) 
From: "Jason Zaman" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman" Message-ID: <1487660924.39e89f54a2b3cf6c3214d1da79e20c51198ab730.perfinion@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/contrib/vnstatd.fc policy/modules/contrib/vnstatd.if policy/modules/contrib/vnstatd.te X-VCS-Directories: policy/modules/contrib/ X-VCS-Committer: perfinion X-VCS-Committer-Name: Jason Zaman X-VCS-Revision: 39e89f54a2b3cf6c3214d1da79e20c51198ab730 X-VCS-Branch: master Date: Tue, 21 Feb 2017 07:11:50 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: 102f6859-2c92-4925-84b3-396c7de6150f X-Archives-Hash: 8b39037a3fb1c00f1d01c43452aa3686
commit: 39e89f54a2b3cf6c3214d1da79e20c51198ab730
Author: cgzones googlemail com>
AuthorDate: Thu Jan 5 18:49:14 2017 +0000
Commit: Jason Zaman gentoo org>
CommitDate: Tue Feb 21 07:08:44 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=39e89f54
vnstatd: update module
 policy/modules/contrib/vnstatd.fc | 12 +++++++-----
 policy/modules/contrib/vnstatd.if | 11 +++++------
 policy/modules/contrib/vnstatd.te | 36 ++++++++++++++++++++++++------------
 3 files changed, 36 insertions(+), 23 deletions(-)
diff --git a/policy/modules/contrib/vnstatd.fc b/policy/modules/contrib/vnstatd.fc
index e15b7ea7..400d7f76 100644
--- a/policy/modules/contrib/vnstatd.fc
+++ b/policy/modules/contrib/vnstatd.fc
@@ -1,12 +1,14 @@
-/etc/rc\.d/init\.d/vnstat -- gen_context(system_u:object_r:vnstatd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/vnstat -- gen_context(system_u:object_r:vnstatd_initrc_exec_t,s0)
-/usr/bin/vnstat -- gen_context(system_u:object_r:vnstat_exec_t,s0)
+/run/vnstat.* gen_context(system_u:object_r:vnstatd_pid_t,s0)
-/usr/sbin/vnstatd -- gen_context(system_u:object_r:vnstatd_exec_t,s0)
+/usr/bin/vnstat -- gen_context(system_u:object_r:vnstat_exec_t,s0)
-/var/lib/vnstat(/.*)? gen_context(system_u:object_r:vnstatd_var_lib_t,s0)
+/usr/lib/systemd/system/vnstat\.service -- gen_context(system_u:object_r:vnstatd_unit_t,s0)
-/run/vnstat.* gen_context(system_u:object_r:vnstatd_var_run_t,s0)
+/usr/sbin/vnstatd -- gen_context(system_u:object_r:vnstatd_exec_t,s0)
+
+/var/lib/vnstat(/.*)? gen_context(system_u:object_r:vnstatd_var_lib_t,s0)
 ifdef(`distro_gentoo',`
 	# Fix bug 528602 - name is vnstatd in Gentoo
diff --git a/policy/modules/contrib/vnstatd.if b/policy/modules/contrib/vnstatd.if
index 7ec9bd0f..2d863cb2 100644
--- a/policy/modules/contrib/vnstatd.if
+++ b/policy/modules/contrib/vnstatd.if
@@ -161,17 +161,16 @@ interface(`vnstatd_manage_lib_files',`
 #
 interface(`vnstatd_admin',`
 	gen_require(`
-		type vnstatd_t, vnstatd_var_lib_t, vnstatd_initrc_exec_t;
-		type vnstatd_var_run_t;
+		type vnstatd_t, vnstatd_initrc_exec_t;
+		type vnstatd_pid_t, vnstatd_unit_t, vnstatd_var_lib_t;
 	')
-	allow $1 vnstatd_t:process { ptrace signal_perms };
-	ps_process_pattern($1, vnstatd_t)
+	admin_process_pattern($1, vnstatd_t)
-	init_startstop_service($1, $2, vnstatd_t, vnstatd_initrc_exec_t)
+	init_startstop_service($1, $2, vnstatd_t, vnstatd_initrc_exec_t, vnstatd_unit_t)
 	files_search_pids($1)
-	admin_pattern($1, vnstatd_var_run_t)
+	admin_pattern($1, vnstatd_pid_t)
 	files_list_var_lib($1)
 	admin_pattern($1, vnstatd_var_lib_t)
diff --git a/policy/modules/contrib/vnstatd.te b/policy/modules/contrib/vnstatd.te
index 306bac94..220a2b21 100644
--- a/policy/modules/contrib/vnstatd.te
+++ b/policy/modules/contrib/vnstatd.te
@@ -19,12 +19,16 @@ init_daemon_domain(vnstatd_t, vnstatd_exec_t)
 type vnstatd_initrc_exec_t;
 init_script_file(vnstatd_initrc_exec_t)
+type vnstatd_pid_t;
+typealias vnstatd_pid_t alias vnstatd_var_run_t;
+files_pid_file(vnstatd_pid_t)
+
+type vnstatd_unit_t;
+init_unit_file(vnstatd_unit_t)
+
 type vnstatd_var_lib_t;
 files_type(vnstatd_var_lib_t)
-type vnstatd_var_run_t;
-files_pid_file(vnstatd_var_run_t)
-
 ########################################
 #
 # Daemon local policy
@@ -34,20 +38,20 @@ allow vnstatd_t self:process signal;
 allow vnstatd_t self:fifo_file rw_fifo_file_perms;
 allow vnstatd_t self:unix_stream_socket { accept listen };
+manage_files_pattern(vnstatd_t, vnstatd_pid_t, vnstatd_pid_t)
+files_pid_filetrans(vnstatd_t, vnstatd_pid_t, file)
+
 manage_dirs_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
 manage_files_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
-files_var_lib_filetrans(vnstatd_t, vnstatd_var_lib_t, { dir file })
-
-manage_files_pattern(vnstatd_t, vnstatd_var_run_t, vnstatd_var_run_t)
-manage_dirs_pattern(vnstatd_t, vnstatd_var_run_t, vnstatd_var_run_t)
-files_pid_filetrans(vnstatd_t, vnstatd_var_run_t, { dir file })
 kernel_read_network_state(vnstatd_t)
 kernel_read_system_state(vnstatd_t)
-domain_use_interactive_fds(vnstatd_t)
+# read /sys/class/net/eth0
+dev_read_sysfs(vnstatd_t)
 files_read_etc_files(vnstatd_t)
+files_search_var_lib(vnstatd_t)
 fs_getattr_xattr_fs(vnstatd_t)
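Review bot: The comment `# read /sys/class/net/eth0` above `dev_read_sysfs(vnstatd_t)` in the second hunk names one interface while the rule grants read access to all of sysfs, so the stated justification is narrower than the permission; `# read interface counters under /sys/class/net/* (dev_read_sysfs covers all of sysfs)` describes what is actually granted. The same comment is added for vnstat_t in the third hunk (@@ -60,27 +64,35). With `files_var_lib_filetrans(vnstatd_t, vnstatd_var_lib_t, { dir file })` removed and only `files_search_var_lib(vnstatd_t)` added, the daemon appears to no longer be able to create `/var/lib/vnstat` itself (nothing here grants write on var_lib_t), so the package must ship that directory already labelled vnstatd_var_lib_t; a one-line comment stating that dependency next to `files_search_var_lib` would save the next reader a trip to the audit log. Likewise `files_pid_filetrans(vnstatd_t, vnstatd_pid_t, file)` now transitions only files, which matches the `/run/vnstat.*` file context but means a pid directory, should a later version create one, would not receive vnstatd_pid_t.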
@@ -60,27 +64,35 @@ miscfiles_read_localization(vnstatd_t)
 # Client local policy
 #
+# dac_override : write /var/lib/vnstat/*
+allow vnstat_t self:capability dac_override;
 allow vnstat_t self:process signal;
 allow vnstat_t self:fifo_file rw_fifo_file_perms;
 allow vnstat_t self:unix_stream_socket { accept listen };
 manage_dirs_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
 manage_files_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
-files_var_lib_filetrans(vnstat_t, vnstatd_var_lib_t, { dir file })
 kernel_read_network_state(vnstat_t)
 kernel_read_system_state(vnstat_t)
+# read /sys/class/net/eth0
+dev_read_sysfs(vnstat_t)
+
 domain_use_interactive_fds(vnstat_t)
+files_dontaudit_search_home(vnstat_t)
 files_read_etc_files(vnstat_t)
+files_search_var_lib(vnstat_t)
 fs_getattr_xattr_fs(vnstat_t)
-logging_send_syslog_msg(vnstat_t)
-
 miscfiles_read_localization(vnstat_t)
+userdom_dontaudit_search_user_home_dirs(vnstat_t)
+
+userdom_use_user_terminals(vnstat_t)
+
 optional_policy(`
 	cron_system_entry(vnstat_t, vnstat_exec_t)
 ')
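Review bot: `allow vnstat_t self:capability dac_override;` is a broad grant: it lets the client bypass owner and mode checks on every object its type rules already permit, not just `/var/lib/vnstat/*` as the comment states, so the comment should name the operation that fails without it rather than the path alone. If the blocker is that the database is owned by the daemon's uid and the client runs as a different uid, fixing the ownership or group mode of the database files removes the need for the capability entirely; if the client only needs to read files it cannot traverse, `dac_read_search` is the narrower capability. Whether the client writes the database at all is not visible from this hunk. The `userdom_use_user_terminals(vnstat_t)` and home-directory dontaudit rules added here suggest vnstat_t may also be entered from interactive sessions, which widens the set of callers that gain the capability and is worth confirming before keeping it.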