From: "Kenton Groombridge" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Kenton Groombridge" Message-ID: <1667398029.b806992f1bc6fa8187730296a708320ee0e18266.concord@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/services/opensm.fc policy/modules/services/opensm.if policy/modules/services/opensm.te X-VCS-Directories: policy/modules/services/ X-VCS-Committer: concord X-VCS-Committer-Name: Kenton Groombridge X-VCS-Revision: b806992f1bc6fa8187730296a708320ee0e18266 X-VCS-Branch: master Date: Wed, 2 Nov 2022 14:42:52 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply X-Archives-Salt: bd2bd73a-cacb-41fe-afa9-b1c84e842da1 X-Archives-Hash: f6056d298566679e8b5b1615f81db09c commit: b806992f1bc6fa8187730296a708320ee0e18266 Author: Kenton Groombridge concord sh> AuthorDate: Sat Sep 24 04:09:19 2022 +0000 Commit: Kenton Groombridge gentoo org> CommitDate: Wed Nov 2 14:07:09 2022 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b806992f opensm: initial policy Signed-off-by: Kenton Groombridge concord.sh> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/services/opensm.fc | 10 +++++ policy/modules/services/opensm.if | 86 +++++++++++++++++++++++++++++++++++++++ policy/modules/services/opensm.te | 45 ++++++++++++++++++++ 3 files changed, 141 insertions(+) diff --git a/policy/modules/services/opensm.fc b/policy/modules/services/opensm.fc new file mode 100644 index 000000000..6d9566bb1 --- /dev/null +++ b/policy/modules/services/opensm.fc 
@@ -0,0 +1,10 @@ +/usr/bin/opensm -- gen_context(system_u:object_r:opensm_exec_t,s0) + +/usr/sbin/opensm -- gen_context(system_u:object_r:opensm_exec_t,s0) + +/etc/opensm(/.*)? gen_context(system_u:object_r:opensm_conf_t,s0) + +/var/cache/opensm(/.*)? gen_context(system_u:object_r:opensm_cache_t,s0) + +/var/log/opensm\.log -- gen_context(system_u:object_r:opensm_log_t,s0) +/var/log/opensm-subnet\.lst -- gen_context(system_u:object_r:opensm_log_t,s0) diff --git a/policy/modules/services/opensm.if b/policy/modules/services/opensm.if new file mode 100644 index 000000000..47664ce15 --- /dev/null +++ b/policy/modules/services/opensm.if 
@@ -0,0 +1,86 @@ +## OpenSM is a software implementation of an InfiniBand subnet manager. + +######################################## +## +## Execute opensm in the opensm domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`opensm_domtrans',` + gen_require(` + type opensm_t, opensm_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, opensm_exec_t, opensm_t) +') + +######################################## +## +## Execute opensm in the opensm domain, and +## allow the specified role the opensm domain. +## +## +## +## Domain allowed to transition. +## +## +## +## +## Role allowed access. +## +## +## +# +interface(`opensm_run',` + gen_require(` + type opensm_t; + ') + + opensm_domtrans($1) + role $2 types opensm_t; +') + + +######################################## +## +## All of the rules required to administrate +## an opensm environment. +## +## +## +## Domain allowed access. +## +## +## +## +## Role allowed access. +## +## +## +# +interface(`opensm_admin',` + gen_require(` + type opensm_t; + type opensm_conf_t, opensm_cache_t; + type opensm_log_t; + ') + + opensm_run($1, $2) + + allow $1 opensm_t:process { ptrace signal_perms }; + ps_process_pattern($1, opensm_t) + + files_search_etc($1) + admin_pattern($1, opensm_conf_t) + + files_search_var($1) + admin_pattern($1, opensm_cache_t) + + logging_search_logs($1) + admin_pattern($1, opensm_log_t) +') diff --git a/policy/modules/services/opensm.te b/policy/modules/services/opensm.te new file mode 100644 index 000000000..1d5c2f57d --- /dev/null +++ b/policy/modules/services/opensm.te 
@@ -0,0 +1,45 @@ +policy_module(opensm) + +######################################## +# +# Declarations +# + +type opensm_t; +type opensm_exec_t; +init_daemon_domain(opensm_t, opensm_exec_t) + +type opensm_conf_t; +files_config_file(opensm_conf_t) + +type opensm_cache_t; +files_type(opensm_cache_t) + +type opensm_log_t; +logging_log_file(opensm_log_t) + +######################################## +# +# opensm local policy +# + +allow opensm_t self:process { getsched signal }; +allow opensm_t self:unix_dgram_socket create_socket_perms; + +read_files_pattern(opensm_t, opensm_conf_t, opensm_conf_t) + +manage_dirs_pattern(opensm_t, opensm_cache_t, opensm_cache_t) +manage_files_pattern(opensm_t, opensm_cache_t, opensm_cache_t) +files_var_filetrans(opensm_t, opensm_cache_t, dir) + +create_files_pattern(opensm_t, opensm_log_t, opensm_log_t) +append_files_pattern(opensm_t, opensm_log_t, opensm_log_t) +rw_files_pattern(opensm_t, opensm_log_t, opensm_log_t) +logging_log_filetrans(opensm_t, opensm_log_t, file) + +dev_read_sysfs(opensm_t) +dev_rw_infiniband(opensm_t) + +logging_send_syslog_msg(opensm_t) + +miscfiles_read_localization(opensm_t)
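Review bot: in opensm.te, `files_var_filetrans(opensm_t, opensm_cache_t, dir)` carries no name filter, so any directory opensm_t creates under a var_t directory is labelled opensm_cache_t; opensm.fc already pins the path to `/var/cache/opensm(/.*)?`, so the transition should be name-restricted, `files_var_filetrans(opensm_t, opensm_cache_t, dir, "opensm")`, and likewise `logging_log_filetrans(opensm_t, opensm_log_t, file)` can become two rules naming `"opensm.log"` and `"opensm-subnet.lst"`. Separately, `create_files_pattern` plus `append_files_pattern` plus `rw_files_pattern` gives the daemon full write on both files labelled opensm_log_t; if only opensm-subnet.lst has to be rewritten in place while opensm.log is only appended to, giving the .lst file its own type would let the actual log stay append-only, which is what the logging_log_file() attribute is meant for.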
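Review bot: in opensm.if, `opensm_admin` gives the admin role no way to start or stop the service; the usual refpolicy pattern is `init_startstop_service($1, $2, opensm_t)` here (with an `opensm_initrc_exec_t` declared in opensm.te and labelled in opensm.fc if the package ships an init script or unit). The pair `allow $1 opensm_t:process { ptrace signal_perms };` / `ps_process_pattern($1, opensm_t)` is what the `admin_process_pattern($1, opensm_t)` macro expands to, so the macro is preferable where the tree provides it. Style: there is a doubled blank line between the end of `opensm_run` and the `opensm_admin` header comment.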