From: "Sven Vermeulen"
To: gentoo-commits@lists.gentoo.org
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen"
Message-ID: <1348514456.517cc64d1b43b97a2deb35c249e0b8bfdfad53b0.SwifT@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/contrib/fcoe.fc policy/modules/contrib/fcoe.if policy/modules/contrib/fcoe.te
X-VCS-Directories: policy/modules/contrib/
X-VCS-Committer: SwifT
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: 517cc64d1b43b97a2deb35c249e0b8bfdfad53b0
X-VCS-Branch: master
Date: Mon, 24 Sep 2012 19:36:15 +0000 (UTC)
List-Id: Gentoo Linux mail

commit: 517cc64d1b43b97a2deb35c249e0b8bfdfad53b0
Author: Sven Vermeulen siphos be>
AuthorDate: Mon Sep 24 19:20:56 2012 +0000
Commit: Sven Vermeulen siphos be>
CommitDate: Mon Sep 24 19:20:56 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=517cc64d

Introduce fcoe policy (merge from refpolicy)

--- policy/modules/contrib/fcoe.fc | 6 ++++ policy/modules/contrib/fcoe.if | 54 ++++++++++++++++++++++++++++++++++++++++ policy/modules/contrib/fcoe.te | 44 ++++++++++++++++++++++++++++++++ 3 files changed, 104 insertions(+), 0 deletions(-) diff --git a/policy/modules/contrib/fcoe.fc b/policy/modules/contrib/fcoe.fc new file mode 100644 index 0000000..d485e45 --- /dev/null +++ b/policy/modules/contrib/fcoe.fc
@@ -0,0 +1,6 @@ +/etc/rc\.d/init\.d/fcoe -- gen_context(system_u:object_r:fcoemon_initrc_exec_t,s0) + +/usr/sbin/fcoemon -- gen_context(system_u:object_r:fcoemon_exec_t,s0) + +/var/run/fcm(/.*)? gen_context(system_u:object_r:fcoemon_var_run_t,s0) +/var/run/fcoemon\.pid -- gen_context(system_u:object_r:fcoemon_var_run_t,s0) diff --git a/policy/modules/contrib/fcoe.if b/policy/modules/contrib/fcoe.if new file mode 100644 index 0000000..c3484a9 --- /dev/null +++ b/policy/modules/contrib/fcoe.if @@ -0,0 +1,54 @@ +## Fibre Channel over Ethernet utilities. + +####################################### +## +## Send to fcoemon with a unix dgram socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`fcoe_dgram_send_fcoemon',` + gen_require(` + type fcoemon_t, fcoemon_var_run_t; + ') + + files_search_pids($1) + dgram_send_pattern($1, fcoemon_var_run_t, fcoemon_var_run_t, fcoemon_t) +') + +######################################## +## +## All of the rules required to +## administrate an fcoemon environment. +## +## +## +## Domain allowed access. +## +## +## +## +## Role allowed access. +## +## +## +# +interface(`fcoe_admin',` + gen_require(` + type fcoemon_t, fcoemon_initrc_exec_t, fcoemon_var_run_t; + ') + + allow $1 fcoemon_t:process { ptrace signal_perms }; + ps_process_pattern($1, fcoemon_t) + + init_labeled_script_domtrans($1, fcoemon_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 fcoemon_initrc_exec_t system_r; + allow $2 system_r; + + files_search_pids($1) + admin_pattern($1, fcoemon_var_run_t) +') diff --git a/policy/modules/contrib/fcoe.te b/policy/modules/contrib/fcoe.te new file mode 100644 index 0000000..acb6088 --- /dev/null +++ b/policy/modules/contrib/fcoe.te 
@@ -0,0 +1,44 @@ +policy_module(fcoe, 1.0.1) + +######################################## +# +# Declarations +# + +type fcoemon_t; +type fcoemon_exec_t; +init_daemon_domain(fcoemon_t, fcoemon_exec_t) + +type fcoemon_initrc_exec_t; +init_script_file(fcoemon_initrc_exec_t) + +type fcoemon_var_run_t; +files_pid_file(fcoemon_var_run_t) + +######################################## +# +# Monitor local policy +# + +allow fcoemon_t self:capability { dac_override kill net_admin }; +allow fcoemon_t self:fifo_file rw_fifo_file_perms; +allow fcoemon_t self:unix_stream_socket { accept listen }; +allow fcoemon_t self:netlink_socket create_socket_perms; +allow fcoemon_t self:netlink_route_socket create_netlink_socket_perms; + +manage_dirs_pattern(fcoemon_t, fcoemon_var_run_t, fcoemon_var_run_t) +manage_files_pattern(fcoemon_t, fcoemon_var_run_t, fcoemon_var_run_t) +manage_sock_files_pattern(fcoemon_t, fcoemon_var_run_t, fcoemon_var_run_t) +files_pid_filetrans(fcoemon_t, fcoemon_var_run_t, { dir file }) + +files_read_etc_files(fcoemon_t) + +dev_read_sysfs(fcoemon_t) + +logging_send_syslog_msg(fcoemon_t) + +miscfiles_read_localization(fcoemon_t) + +optional_policy(` + lldpad_dgram_send(fcoemon_t) +')
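Review bot: in the fcoe.fc hunk only the `/etc/rc\.d/init\.d/fcoe` path gets fcoemon_initrc_exec_t, but this is a merge into hardened-refpolicy, where the OpenRC script lives under /etc/init.d; if that script is meant to start fcoemon through fcoemon_initrc_exec_t (so that fcoe_admin's init_labeled_script_domtrans applies) rather than through the generic init script type, add a `/etc/init\.d/fcoe -- gen_context(system_u:object_r:fcoemon_initrc_exec_t,s0)` entry alongside it. The `/var/run/fcm(/.*)?` and `/var/run/fcoemon\.pid` entries are consistent with files_pid_file(fcoemon_var_run_t) in fcoe.te.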
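Review bot: fcoe_dgram_send_fcoemon in the fcoe.if hunk is introduced without a caller: X-VCS-Files lists only the three fcoe files, and fcoe.te itself only wires the opposite direction with lldpad_dgram_send(fcoemon_t). If lldpad answers fcoemon over the socket under fcoemon_var_run_t, this merge needs the matching `optional_policy(\` fcoe_dgram_send_fcoemon(lldpad_t) ')` in lldpad.te; if nothing sends to fcoemon, say so in the commit message or drop the interface rather than ship it unused. The interface body itself is fine: dgram_send_pattern($1, fcoemon_var_run_t, fcoemon_var_run_t, fcoemon_t) assumes the socket file sits inside a fcoemon_var_run_t directory, and files_search_pids($1) supplies the search on /var/run above it.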
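Review bot: files_pid_filetrans(fcoemon_t, fcoemon_var_run_t, { dir file }) in the fcoe.te hunk omits sock_file even though manage_sock_files_pattern(fcoemon_t, fcoemon_var_run_t, fcoemon_var_run_t) is granted two lines above it. A socket fcoemon creates inside /var/run/fcm inherits fcoemon_var_run_t from the directory and works, but one created directly in /var/run would default to var_run_t, the create would be denied, and the sock_file target of fcoe_dgram_send_fcoemon would never match; if the socket lives in /var/run itself, use `{ dir file sock_file }` and add the corresponding file context to fcoe.fc. Separately, `allow fcoemon_t self:capability { dac_override kill net_admin };` is broad for a daemon whose files are all its own type: confirm dac_override is driven by an observed denial (dac_read_search is the narrower choice if it only reads), and note what kill is needed for, since signalling its own same-uid children does not require it.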