From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id BD5AA139694 for ; Thu, 30 Mar 2017 17:09:43 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id D2A9123403E; Thu, 30 Mar 2017 17:09:17 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 96F3623403E for ; Thu, 30 Mar 2017 17:09:12 +0000 (UTC) Received: from oystercatcher.gentoo.org (unknown [IPv6:2a01:4f8:202:4333:225:90ff:fed9:fc84]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 67E68341656 for ; Thu, 30 Mar 2017 17:09:05 +0000 (UTC) Received: from localhost.localdomain (localhost [IPv6:::1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id 6E17C73F5 for ; Thu, 30 Mar 2017 17:09:02 +0000 (UTC) 
From: "Jason Zaman"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman"
Message-ID: <1490892640.4977eb8dd00874ce90306272d9b4edfad209f14b.perfinion@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/contrib/gssproxy.fc policy/modules/contrib/gssproxy.if policy/modules/contrib/gssproxy.te
X-VCS-Directories: policy/modules/contrib/
X-VCS-Committer: perfinion
X-VCS-Committer-Name: Jason Zaman
X-VCS-Revision: 4977eb8dd00874ce90306272d9b4edfad209f14b
X-VCS-Branch: next
Date: Thu, 30 Mar 2017 17:09:02 +0000 (UTC)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: 4e1348b5-b412-4caa-af13-e9b34d42530c
X-Archives-Hash: 6abce512e4e909ea01b8a94938c3b602

commit: 4977eb8dd00874ce90306272d9b4edfad209f14b
Author: Jason Zaman perfinion com>
AuthorDate: Thu Mar 30 07:15:39 2017 +0000
Commit: Jason Zaman gentoo org>
CommitDate: Thu Mar 30 16:50:40 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4977eb8d

gssproxy: add policy borrowed and modified from Fedora

policy/modules/contrib/gssproxy.fc | 8 ++
policy/modules/contrib/gssproxy.if | 199 +++++++++++++++++++++++++++++++++++++
policy/modules/contrib/gssproxy.te | 67 +++++++++++++
3 files changed, 274 insertions(+)

diff --git a/policy/modules/contrib/gssproxy.fc b/policy/modules/contrib/gssproxy.fc
new file mode 100644
index 00000000..a9970159
--- /dev/null
+++ b/policy/modules/contrib/gssproxy.fc
@@ -0,0 +1,8 @@
+/usr/lib/systemd/system/gssproxy.service -- gen_context(system_u:object_r:gssproxy_unit_t,s0)
+
+/usr/sbin/gssproxy -- gen_context(system_u:object_r:gssproxy_exec_t,s0)
+
+/var/lib/gssproxy(/.*)? gen_context(system_u:object_r:gssproxy_var_lib_t,s0)
+
+/run/gssproxy\.pid -- gen_context(system_u:object_r:gssproxy_run_t,s0)
+/run/gssproxy\.sock -s gen_context(system_u:object_r:gssproxy_run_t,s0)
diff --git a/policy/modules/contrib/gssproxy.if b/policy/modules/contrib/gssproxy.if
new file mode 100644
index 00000000..cebdb20b
--- /dev/null
+++ b/policy/modules/contrib/gssproxy.if
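Review bot: The file contexts label only `/run/gssproxy\.pid` and `/run/gssproxy\.sock`, while the .te in this same commit declares `files_pid_filetrans(gssproxy_t, gssproxy_run_t, { dir file lnk_file sock_file })`, i.e. it expects the daemon to create a directory under /run as gssproxy_run_t. If gssproxy really creates such a directory, a relabel (restorecon) would reset it to the generic /run label because no pattern here matches it, and the daemon's `manage_*_pattern` rules on gssproxy_run_t would then stop applying to its contents; in that case add `/run/gssproxy(/.*)? gen_context(system_u:object_r:gssproxy_run_t,s0)` beside the two existing /run entries. If the daemon never creates a directory there, drop `dir` from the filetrans class set instead so the .fc and the .te describe the same on-disk layout. The `-s` on the socket entry and `--` on the pid file are consistent with the rules in the .te.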
@@ -0,0 +1,199 @@
+
+## policy for gssproxy
+
+########################################
+##
+## Execute gssproxy in the gssproxy domin.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`gssproxy_domtrans',`
+ gen_require(`
+ type gssproxy_t, gssproxy_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, gssproxy_exec_t, gssproxy_t)
+')
+
+########################################
+##
+## Search gssproxy lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gssproxy_search_lib',`
+ gen_require(`
+ type gssproxy_var_lib_t;
+ ')
+
+ allow $1 gssproxy_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Read gssproxy lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gssproxy_read_lib_files',`
+ gen_require(`
+ type gssproxy_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
+')
+
+########################################
+##
+## Manage gssproxy lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gssproxy_manage_lib_files',`
+ gen_require(`
+ type gssproxy_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
+')
+
+########################################
+##
+## Manage gssproxy lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gssproxy_manage_lib_dirs',`
+ gen_require(`
+ type gssproxy_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
+')
+
+########################################
+##
+## Read gssproxy PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gssproxy_read_pid_files',`
+ gen_require(`
+ type gssproxy_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, gssproxy_run_t, gssproxy_run_t)
+')
+
+########################################
+##
+## Execute gssproxy server in the gssproxy domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`gssproxy_systemctl',`
+ gen_require(`
+ type gssproxy_t;
+ type gssproxy_unit_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 gssproxy_unit_t:file read_file_perms;
+ allow $1 gssproxy_unit_t:service manage_service_perms;
+
+ ps_process_pattern($1, gssproxy_t)
+')
+
+########################################
+##
+## Connect to gssproxy over an unix
+## domain stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`gssproxy_stream_connect',`
+ gen_require(`
+ type gssproxy_t, gssproxy_run_t, gssproxy_var_lib_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, gssproxy_run_t, gssproxy_run_t, gssproxy_t)
+ stream_connect_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t, gssproxy_t)
+')
+
+########################################
+##
+## All of the rules required to administrate
+## an gssproxy environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`gssproxy_admin',`
+ gen_require(`
+ type gssproxy_t;
+ type gssproxy_var_lib_t;
+ type gssproxy_run_t;
+ type gssproxy_unit_t;
+ ')
+
+ allow $1 gssproxy_t:process { ptrace signal_perms };
+ ps_process_pattern($1, gssproxy_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, gssproxy_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, gssproxy_run_t)
+
+ gssproxy_systemctl($1)
+ admin_pattern($1, gssproxy_unit_t)
+ allow $1 gssproxy_unit_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/policy/modules/contrib/gssproxy.te b/policy/modules/contrib/gssproxy.te
new file mode 100644
index 00000000..20027689
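Review bot: `gssproxy_stream_connect` grants `stream_connect_pattern` on gssproxy_var_lib_t but only calls `files_search_pids($1)`, so a caller without its own search access to /var/lib would presumably be denied at the path lookup before it ever reaches a socket under /var/lib/gssproxy; every other interface in this file that touches gssproxy_var_lib_t pairs it with `files_search_var_lib($1)`, and this one should do the same, adding `files_search_var_lib($1)` next to the `files_search_pids($1)` line. Two documentation slips in the same hunk: `gssproxy_domtrans` has "domin" for "domain", and the header of `gssproxy_systemctl` ("Execute gssproxy server in the gssproxy domain." / "Domain allowed to transition.") was copied from the domtrans interface and describes a transition the interface does not perform — its body grants systemctl execution, unit-file reads, service management and ps-style access to gssproxy_t — so it should read along the lines of `## Execute systemctl in the caller domain to manage the gssproxy service.` with the parameter described as `## Domain allowed access.`. The admin interface's `ptrace` grant is the usual refpolicy admin shape and is not a concern on its own.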
--- /dev/null
+++ b/policy/modules/contrib/gssproxy.te
@@ -0,0 +1,67 @@
+policy_module(gssproxy, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type gssproxy_t;
+type gssproxy_exec_t;
+init_daemon_domain(gssproxy_t, gssproxy_exec_t)
+
+type gssproxy_var_lib_t;
+files_type(gssproxy_var_lib_t)
+
+type gssproxy_run_t;
+files_pid_file(gssproxy_run_t)
+
+type gssproxy_unit_t;
+init_unit_file(gssproxy_unit_t)
+
+########################################
+#
+# gssproxy local policy
+#
+allow gssproxy_t self:capability { setuid setgid };
+allow gssproxy_t self:capability2 block_suspend;
+allow gssproxy_t self:fifo_file rw_fifo_file_perms;
+allow gssproxy_t self:unix_stream_socket create_stream_socket_perms;
+
+manage_dirs_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
+manage_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
+manage_sock_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
+manage_lnk_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t)
+files_var_lib_filetrans(gssproxy_t, gssproxy_var_lib_t, { dir file lnk_file })
+
+manage_dirs_pattern(gssproxy_t, gssproxy_run_t, gssproxy_run_t)
+manage_files_pattern(gssproxy_t, gssproxy_run_t, gssproxy_run_t)
+manage_sock_files_pattern(gssproxy_t, gssproxy_run_t, gssproxy_run_t)
+manage_lnk_files_pattern(gssproxy_t, gssproxy_run_t, gssproxy_run_t)
+files_pid_filetrans(gssproxy_t, gssproxy_run_t, { dir file lnk_file sock_file })
+
+kernel_rw_rpc_sysctls(gssproxy_t)
+
+domain_use_interactive_fds(gssproxy_t)
+
+files_read_etc_files(gssproxy_t)
+
+fs_getattr_all_fs(gssproxy_t)
+
+auth_use_nsswitch(gssproxy_t)
+
+dev_read_urand(gssproxy_t)
+
+logging_send_syslog_msg(gssproxy_t)
+
+miscfiles_read_localization(gssproxy_t)
+
+#userdom_read_all_users_keys(gssproxy_t)
+userdom_manage_user_tmp_dirs(gssproxy_t)
+userdom_manage_user_tmp_files(gssproxy_t)
+
+optional_policy(`
+ kerberos_filetrans_named_content(gssproxy_t)
+ kerberos_manage_host_rcache(gssproxy_t)
+ kerberos_read_keytab(gssproxy_t)
+ kerberos_use(gssproxy_t)
+')
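Review bot: `#userdom_read_all_users_keys(gssproxy_t)` is a commented-out rule with no explanation, which in a policy module reads as a permission someone may simply re-enable later; either delete it or put a one-line comment above it stating why it is disabled. The two lines right under it, `userdom_manage_user_tmp_dirs(gssproxy_t)` and `userdom_manage_user_tmp_files(gssproxy_t)`, let a system daemon create, modify and delete every user's tmp files, which is the broadest grant in this module and is the one a reader will question first; it deserves a why-comment, presumably something like `# per-user Kerberos credential caches live under user tmp dirs` — confirm against the daemon's actual behaviour, and if the credential caches are the only reason, prefer a kerberos-specific interface in the optional_policy block below should one cover them. The remaining local rules (setuid/setgid, block_suspend, rpc sysctls, urandom, nsswitch, syslog) are the usual narrow set for a daemon of this kind.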