From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id 8146E138010 for ; Thu, 11 Oct 2012 16:07:29 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 2F97EE04C8; Thu, 11 Oct 2012 16:06:12 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) by pigeon.gentoo.org (Postfix) with ESMTP id 450AAE04C2 for ; Thu, 11 Oct 2012 16:06:11 +0000 (UTC) Received: from hornbill.gentoo.org (hornbill.gentoo.org [94.100.119.163]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 71C7233D7E8 for ; Thu, 11 Oct 2012 16:06:10 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by hornbill.gentoo.org (Postfix) with ESMTP id 368BFE544E for ; Thu, 11 Oct 2012 16:06:08 +0000 (UTC) 
From: "Sven Vermeulen" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" Message-ID: <1349971257.8ab84c282c3a4ea6dd5c370756bce6be0a1e8b46.SwifT@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/contrib/memcached.fc policy/modules/contrib/memcached.if policy/modules/contrib/memcached.te X-VCS-Directories: policy/modules/contrib/ X-VCS-Committer: SwifT X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: 8ab84c282c3a4ea6dd5c370756bce6be0a1e8b46 X-VCS-Branch: master Date: Thu, 11 Oct 2012 16:06:08 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: b0522693-e0c6-4fa0-8397-fe1ddcecc68f X-Archives-Hash: 7ca07f6d06a3ec553be33f4109a8f954 commit: 8ab84c282c3a4ea6dd5c370756bce6be0a1e8b46 Author: Dominick Grift gmail com> AuthorDate: Thu Oct 11 08:56:21 2012 +0000 Commit: Sven Vermeulen siphos be> CommitDate: Thu Oct 11 16:00:57 2012 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=8ab84c28 Changes to the memcached policy module Ported from Fedora with changes Signed-off-by: Dominick Grift gmail.com> --- policy/modules/contrib/memcached.fc | 1 + policy/modules/contrib/memcached.if | 24 +++++++++++----------- policy/modules/contrib/memcached.te | 38 ++++++++++++++++++---------------- 3 files changed, 33 insertions(+), 30 deletions(-) diff --git a/policy/modules/contrib/memcached.fc b/policy/modules/contrib/memcached.fc index 6ad4e62..51497be 100644 --- a/policy/modules/contrib/memcached.fc +++ b/policy/modules/contrib/memcached.fc 
@@ -2,4 +2,5 @@ /usr/bin/memcached -- gen_context(system_u:object_r:memcached_exec_t,s0) +/var/run/ipa_memcached(/.*)? gen_context(system_u:object_r:memcached_var_run_t,s0) /var/run/memcached(/.*)? gen_context(system_u:object_r:memcached_var_run_t,s0) diff --git a/policy/modules/contrib/memcached.if b/policy/modules/contrib/memcached.if index e974080..1d4eb19 100644 --- a/policy/modules/contrib/memcached.if +++ b/policy/modules/contrib/memcached.if @@ -1,4 +1,4 @@ -## high-performance memory object caching system +## High-performance memory object caching system. ######################################## ## @@ -12,17 +12,17 @@ # interface(`memcached_domtrans',` gen_require(` - type memcached_t; - type memcached_exec_t; + type memcached_t,memcached_exec_t; ') + corecmd_search_bin($1) domtrans_pattern($1, memcached_exec_t, memcached_t) ') ######################################## ## ## Create, read, write, and delete -## memcached lib files. +## memcached pid files. ## ## ## @@ -41,7 +41,7 @@ interface(`memcached_manage_pid_files',` ######################################## ## -## Read memcached PID files. +## Read memcached pid files. ## ## ## @@ -60,8 +60,8 @@ interface(`memcached_read_pid_files',` ######################################## ## -## Connect to memcached with a -## unix stream socket. +## Connect to memcached using a unix +## domain stream socket. ## ## ## @@ -101,8 +101,8 @@ interface(`memcached_tcp_connect',` ######################################## ## -## All of the rules required to administrate -## an memcached environment +## All of the rules required to +## administrate an memcached environment. ## ## ## 
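Review bot: The new `/var/run/ipa_memcached(/.*)?` entry puts the IPA instance's runtime directory under memcached_var_run_t, the same type as `/var/run/memcached(/.*)?`, so every rule written against that type (the memcached_t manage rules and the pid-file and admin interfaces) now reaches this directory as well. That is presumably what the Fedora port intends, but nothing on the page records the decision; a comment above the entry, `# ipa_memcached runtime dir deliberately shares memcached_var_run_t with /var/run/memcached`, would make it visible to the next reader. The entry only labels the path on relabel; a directory created at runtime gets its type from a type transition or its parent, not from this file.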
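Review bot: The merged require in memcached_domtrans is written `type memcached_t,memcached_exec_t;` with no space after the comma, while the same commit writes `type memcached_t, memcached_initrc_exec_t, memcached_var_run_t;` in memcached_admin; use `type memcached_t, memcached_exec_t;` so both interfaces follow one form. The added `corecmd_search_bin($1)` is the search access needed to reach `/usr/bin/memcached` before the `domtrans_pattern` call on the next line, so that part needs no change. The hunk's trailing context runs into the summary of memcached_manage_pid_files, whose body lies outside the hunk.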
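Review bot: The rewrapped summary on the memcached_admin interface still reads `## administrate an memcached environment.`; the article is wrong and should be `## administrate a memcached environment.`. If the other admin interfaces in this tree use the verb "administrate", keep it and fix only the article, otherwise `administer` is the more usual form. The interface body this summary belongs to starts in the next hunk.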
@@ -111,15 +111,14 @@ interface(`memcached_tcp_connect',` ## ## ## -## The role to be allowed to manage the memcached domain. +## Role allowed access. ## ## ## # interface(`memcached_admin',` gen_require(` - type memcached_t; - type memcached_initrc_exec_t; + type memcached_t, memcached_initrc_exec_t, memcached_var_run_t; ') allow $1 memcached_t:process { ptrace signal_perms }; @@ -130,5 +129,6 @@ interface(`memcached_admin',` role_transition $2 memcached_initrc_exec_t system_r; allow $2 system_r; + files_search_pids($1) admin_pattern($1, memcached_var_run_t) ') diff --git a/policy/modules/contrib/memcached.te b/policy/modules/contrib/memcached.te index 020d2b5..4926208 100644 --- a/policy/modules/contrib/memcached.te +++ b/policy/modules/contrib/memcached.te @@ -1,4 +1,4 @@ -policy_module(memcached, 1.2.2) +policy_module(memcached, 1.2.3) ######################################## # 
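Review bot: The widened require in memcached_admin, `type memcached_t, memcached_initrc_exec_t, memcached_var_run_t;`, together with the `admin_pattern($1, memcached_var_run_t)` context line and the new `files_search_pids($1)` in the next hunk (@@ -130,5), gives the admin domain management of everything labelled memcached_var_run_t by the usual admin_pattern definition, and after this commit's .fc change that covers `/var/run/ipa_memcached` as well as `/var/run/memcached`. The interface summary does not say so; `## All of the rules required to administrate a memcached environment, including its pid and socket directories under /var/run.` would record the scope. The context line `allow $1 memcached_t:process { ptrace signal_perms };` predates this commit, but ptrace is what lets the admin role attach to and inspect the cache process, so since the interface is being reworked it is worth confirming that an unconditional grant is still wanted here.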
@@ -17,37 +17,39 @@ files_pid_file(memcached_var_run_t)
 ########################################
 #
-# memcached local policy
+# Local policy
 #
 allow memcached_t self:capability { setuid setgid };
 dontaudit memcached_t self:capability sys_tty_config;
 allow memcached_t self:process { setrlimit signal_perms };
-allow memcached_t self:tcp_socket create_stream_socket_perms;
-allow memcached_t self:udp_socket { create_socket_perms listen };
+allow memcached_t self:tcp_socket { accept listen };
+allow memcached_t self:udp_socket { accept listen };
 allow memcached_t self:fifo_file rw_fifo_file_perms;
 allow memcached_t self:unix_stream_socket create_stream_socket_perms;
-corenet_all_recvfrom_unlabeled(memcached_t)
-corenet_udp_sendrecv_generic_if(memcached_t)
-corenet_udp_sendrecv_generic_node(memcached_t)
-corenet_udp_sendrecv_all_ports(memcached_t)
-corenet_udp_bind_generic_node(memcached_t)
-corenet_tcp_sendrecv_generic_if(memcached_t)
-corenet_tcp_sendrecv_generic_node(memcached_t)
-corenet_tcp_sendrecv_all_ports(memcached_t)
-corenet_tcp_bind_generic_node(memcached_t)
-corenet_tcp_bind_memcache_port(memcached_t)
-corenet_udp_bind_memcache_port(memcached_t)
-
 manage_dirs_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t)
 manage_files_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t)
-files_pid_filetrans(memcached_t, memcached_var_run_t, { file dir })
+manage_sock_files_pattern(memcached_t, memcached_var_run_t, memcached_var_run_t)
+files_pid_filetrans(memcached_t, memcached_var_run_t, dir)
 kernel_read_kernel_sysctls(memcached_t)
 kernel_read_system_state(memcached_t)
-files_read_etc_files(memcached_t)
+corenet_all_recvfrom_unlabeled(memcached_t)
+corenet_all_recvfrom_netlabel(memcached_t)
+corenet_tcp_sendrecv_generic_if(memcached_t)
+corenet_udp_sendrecv_generic_if(memcached_t)
+corenet_tcp_sendrecv_generic_node(memcached_t)
+corenet_udp_sendrecv_generic_node(memcached_t)
+corenet_tcp_bind_generic_node(memcached_t)
+corenet_udp_bind_generic_node(memcached_t)
+
+corenet_sendrecv_memcache_server_packets(memcached_t)
+corenet_tcp_bind_memcache_port(memcached_t)
+corenet_tcp_sendrecv_all_ports(memcached_t)
+corenet_udp_bind_memcache_port(memcached_t)
+corenet_udp_sendrecv_all_ports(memcached_t)
 term_dontaudit_use_all_ptys(memcached_t)
 term_dontaudit_use_all_ttys(memcached_t)