From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id A6FAE138010 for ; Tue, 2 Oct 2012 18:25:52 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id B08B621C030; Tue, 2 Oct 2012 18:11:23 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) by pigeon.gentoo.org (Postfix) with ESMTP id 62F1F21C02E for ; Tue, 2 Oct 2012 18:11:18 +0000 (UTC) Received: from hornbill.gentoo.org (hornbill.gentoo.org [94.100.119.163]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 4DF4333D781 for ; Tue, 2 Oct 2012 18:11:05 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by hornbill.gentoo.org (Postfix) with ESMTP id A7F90E544B for ; Tue, 2 Oct 2012 18:11:02 +0000 (UTC) 
From: "Sven Vermeulen" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" Message-ID: <1349201351.7833917670767f7c534363c93f0e22a06394ea90.SwifT@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: / X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: glusterfs.fc glusterfs.if glusterfs.te X-VCS-Directories: / X-VCS-Committer: SwifT X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: 7833917670767f7c534363c93f0e22a06394ea90 X-VCS-Branch: master Date: Tue, 2 Oct 2012 18:11:02 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: c90f7978-e832-454b-b86a-b32756ed19d5 X-Archives-Hash: ae3860e828eab56db4a4b5523ac424b8 commit: 7833917670767f7c534363c93f0e22a06394ea90 Author: Dominick Grift gmail com> AuthorDate: Tue Oct 2 12:23:04 2012 +0000 Commit: Sven Vermeulen siphos be> CommitDate: Tue Oct 2 18:09:11 2012 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=78339176 Initial glusterfs policy module Glusterfs binary, the glusterfsd daemon and the gluster command line, libglusterfs and glusterfs translator modules common to both GlusterFS server and client framework. Ported from Fedora with changes Signed-off-by: Dominick Grift gmail.com>
---
glusterfs.fc | 16 +++++++++
glusterfs.if | 49 ++++++++++++++++++++++++++++
glusterfs.te | 102 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 167 insertions(+), 0 deletions(-)
diff --git a/glusterfs.fc b/glusterfs.fc
new file mode 100644
index 0000000..4bd6ade
--- /dev/null
+++ b/glusterfs.fc
@@ -0,0 +1,16 @@
+/etc/rc\.d/init\.d/gluster.* -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0)
+
+/etc/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_conf_t,s0)
+/etc/glusterd(/.*)? gen_context(system_u:object_r:glusterd_conf_t,s0)
+
+/usr/sbin/glusterd -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0)
+/usr/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0)
+
+/opt/glusterfs/[^/]+/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0)
+
+/var/lib/gluster.* gen_context(system_u:object_r:glusterd_var_lib_t,s0)
+
+/var/log/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_log_t,s0)
+
+/var/run/glusterd(/.*)? gen_context(system_u:object_r:glusterd_var_run_t,s0)
+/var/run/glusterd\.pid -- gen_context(system_u:object_r:glusterd_var_run_t,s0)
diff --git a/glusterfs.if b/glusterfs.if
new file mode 100644
index 0000000..bb2101d
--- /dev/null
+++ b/glusterfs.if
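Review bot: `/usr/sbin/glusterd` is labelled `glusterd_initrc_exec_t` while `/usr/sbin/glusterfsd` gets `glusterd_exec_t`, so init starts glusterd through the init-script domain rather than directly in the confined `glusterd_t`; that is only sound if `/usr/sbin/glusterd` is a wrapper that execs `glusterfsd`, which nothing on the page confirms. If it is the management daemon binary itself, it would run under the init-script domain instead of `glusterd_t` and should be labelled `glusterd_exec_t` like the `/opt/glusterfs/[^/]+/sbin/glusterfsd` entry. Either way the split deserves a comment above the entry, e.g. `# glusterd is a wrapper that execs glusterfsd; labelled like an init script so the transition ends in glusterd_t -- TODO confirm on Gentoo`, so the next maintainer does not silently "fix" it.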
@@ -0,0 +1,49 @@
+## Cluster File System binary, daemon and command line.
+
+########################################
+##
+## All of the rules required to
+## administrate an glusterd environment.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`glusterd_admin',`
+ gen_require(`
+ type glusterd_t, glusterd_initrc_exec_t, glusterd_log_t;
+ type glusterd_tmp_t, glusterd_conf_t, glusterd_var_lib_t;
+ type glusterd_var_run_t;
+ ')
+
+ init_labeled_script_domtrans($1, glusterd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 glusterd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ allow $1 glusterd_t:process { ptrace signal_perms };
+ ps_process_pattern($1, glusterd_t)
+
+ files_search_etc($1)
+ admin_pattern($1, glusterd_conf_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, glusterd_log_t)
+
+ files_search_tmp($1)
+ admin_pattern($1, glusterd_tmp_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, glusterd_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, glusterd_var_run_t)
+')
diff --git a/glusterfs.te b/glusterfs.te
new file mode 100644
index 0000000..6c815e1
--- /dev/null
+++ b/glusterfs.te
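Review bot: The summary text of the `glusterd_admin` interface reads `## administrate an glusterd environment.`; it should be `## administrate a glusterd environment.`. The documentation block as shown also carries no `<summary>`/`<param>` tags around the text and no `<rolecap/>` marker; if those are really absent from the committed file rather than dropped by the page rendering, the interface will not be picked up by the policy documentation tooling and the fix is to add them in the usual refpolicy layout. Beyond this admin interface the module offers nothing for the `gluster` command line that the file summary (`## Cluster File System binary, daemon and command line.`) and the commit message advertise — no exec type and no domtrans/run interface — so either the summary overstates the scope or a CLI interface is still to come; a one-line comment saying which would save the next reader a search.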
@@ -0,0 +1,102 @@
+policy_module(glusterfs, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type glusterd_t;
+type glusterd_exec_t;
+init_daemon_domain(glusterd_t, glusterd_exec_t)
+
+type glusterd_conf_t;
+files_type(glusterd_conf_t)
+
+type glusterd_initrc_exec_t;
+init_script_file(glusterd_initrc_exec_t)
+
+type glusterd_tmp_t;
+files_tmp_file(glusterd_tmp_t)
+
+type glusterd_log_t;
+logging_log_file(glusterd_log_t)
+
+type glusterd_var_run_t;
+files_pid_file(glusterd_var_run_t)
+
+type glusterd_var_lib_t;
+files_type(glusterd_var_lib_t);
+
+########################################
+#
+# Local policy
+#
+
+allow glusterd_t self:capability { net_bind_service sys_admin sys_resource dac_override chown dac_read_search fowner };
+allow glusterd_t self:process { setrlimit signal };
+allow glusterd_t self:fifo_file rw_fifo_file_perms;
+allow glusterd_t self:tcp_socket { accept listen };
+allow glusterd_t self:unix_stream_socket { accept listen };
+
+manage_dirs_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t)
+manage_files_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t)
+files_etc_filetrans(glusterd_t, glusterd_conf_t, dir)
+
+manage_dirs_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
+manage_files_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
+manage_sock_files_pattern(glusterd_t, glusterd_tmp_t, glusterd_tmp_t)
+files_tmp_filetrans(glusterd_t, glusterd_tmp_t, { dir file sock_file })
+
+manage_dirs_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
+append_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
+create_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
+setattr_files_pattern(glusterd_t, glusterd_log_t, glusterd_log_t)
+logging_log_filetrans(glusterd_t, glusterd_log_t, dir)
+
+manage_dirs_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
+manage_files_pattern(glusterd_t, glusterd_var_run_t, glusterd_var_run_t)
+files_pid_filetrans(glusterd_t, glusterd_var_run_t, { dir file })
+
+manage_dirs_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
+manage_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
+files_var_lib_filetrans(glusterd_t, glusterd_var_lib_t, dir)
+
+can_exec(glusterd_t, glusterd_exec_t)
+
+kernel_read_system_state(glusterd_t)
+
+corecmd_exec_bin(glusterd_t)
+corecmd_exec_shell(glusterd_t)
+
+corenet_all_recvfrom_unlabeled(glusterd_t)
+corenet_all_recvfrom_netlabel(glusterd_t)
+corenet_tcp_sendrecv_generic_if(glusterd_t)
+corenet_udp_sendrecv_generic_if(glusterd_t)
+corenet_tcp_sendrecv_generic_node(glusterd_t)
+corenet_udp_sendrecv_generic_node(glusterd_t)
+corenet_tcp_sendrecv_all_ports(glusterd_t)
+corenet_udp_sendrecv_all_ports(glusterd_t)
+corenet_tcp_bind_generic_node(glusterd_t)
+corenet_udp_bind_generic_node(glusterd_t)
+
+# Too coarse?
+corenet_sendrecv_all_server_packets(glusterd_t)
+corenet_tcp_bind_all_reserved_ports(glusterd_t)
+corenet_udp_bind_all_rpc_ports(glusterd_t)
+corenet_udp_bind_ipp_port(glusterd_t)
+
+corenet_sendrecv_all_client_packets(glusterd_t)
+corenet_tcp_connect_all_unreserved_ports(glusterd_t)
+
+dev_read_sysfs(glusterd_t)
+dev_read_urand(glusterd_t)
+
+domain_use_interactive_fds(glusterd_t)
+
+files_read_usr_files(glusterd_t)
+
+auth_use_nsswitch(glusterd_t)
+
+logging_send_syslog_msg(glusterd_t)
+
+miscfiles_read_localization(glusterd_t)
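Review bot: The capability grant `allow glusterd_t self:capability { net_bind_service sys_admin sys_resource dac_override chown dac_read_search fowner };` near the top of the local policy hands the daemon the two broadest capabilities in the set with no note on what needs them: `dac_override` already subsumes the `dac_read_search` listed beside it, and `sys_admin` covers far more than the mount handling it is presumably there for. Since this is a port from Fedora, each of these is worth confirming against an actual denial on Gentoo and commenting, e.g. `# sys_admin: volume mounts; dac_override: brick dirs not owned by the daemon user -- TODO confirm`. Together with `corecmd_exec_bin`/`corecmd_exec_shell` and `can_exec(glusterd_t, glusterd_exec_t)`, which let the daemon run any shell or binary without leaving `glusterd_t`, this makes the domain considerably more powerful than the declarations suggest, so a comment naming the hook scripts that require the exec rules would help a later tightening pass. Separately, `files_type(glusterd_var_lib_t);` carries a trailing semicolon that no other interface call in the module has; drop it for consistency with the surrounding declarations.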