From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id 44569138010 for ; Wed, 17 Oct 2012 17:43:02 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id A01BDE039A; Wed, 17 Oct 2012 17:41:17 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) by pigeon.gentoo.org (Postfix) with ESMTP id C1E2FE027D for ; Wed, 17 Oct 2012 17:41:16 +0000 (UTC) Received: from hornbill.gentoo.org (hornbill.gentoo.org [94.100.119.163]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id ED33333D80B for ; Wed, 17 Oct 2012 17:41:15 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by hornbill.gentoo.org (Postfix) with ESMTP id D6A66E544F for ; Wed, 17 Oct 2012 17:41:13 +0000 (UTC) From: "Sven Vermeulen" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" Message-ID: <1350495511.1b79500c81e24c7df4d1465baa4d2a5ecefe861c.SwifT@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/contrib/openvpn.fc policy/modules/contrib/openvpn.if policy/modules/contrib/openvpn.te X-VCS-Directories: policy/modules/contrib/ X-VCS-Committer: SwifT X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: 1b79500c81e24c7df4d1465baa4d2a5ecefe861c X-VCS-Branch: master Date: Wed, 17 Oct 2012 17:41:13 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: efaf2e32-fec5-48fd-9a5b-7c38fda007f3 X-Archives-Hash: cd8daa8f163d8d2694c04a7cb2d60ff8 commit: 1b79500c81e24c7df4d1465baa4d2a5ecefe861c Author: Dominick Grift gmail com> AuthorDate: Wed Oct 17 09:23:43 2012 +0000 Commit: Sven Vermeulen siphos be> CommitDate: Wed Oct 17 17:38:31 2012 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=1b79500c Changes to the openvpn policy module Ported from Fedora with changes We need a certificate userdom user home content type Signed-off-by: Dominick Grift gmail.com> --- policy/modules/contrib/openvpn.fc | 2 + policy/modules/contrib/openvpn.if | 38 ++++++++------- policy/modules/contrib/openvpn.te | 91 +++++++++++++++++++++---------------- 3 files changed, 73 insertions(+), 58 deletions(-) diff --git a/policy/modules/contrib/openvpn.fc b/policy/modules/contrib/openvpn.fc index 4832915..9f86d3d 100644 --- a/policy/modules/contrib/openvpn.fc +++ b/policy/modules/contrib/openvpn.fc @@ -1,9 +1,11 @@ /etc/openvpn(/.*)? gen_context(system_u:object_r:openvpn_etc_t,s0) /etc/openvpn/ipp.txt -- gen_context(system_u:object_r:openvpn_etc_rw_t,s0) + /etc/rc\.d/init\.d/openvpn -- gen_context(system_u:object_r:openvpn_initrc_exec_t,s0) /usr/sbin/openvpn -- gen_context(system_u:object_r:openvpn_exec_t,s0) /var/log/openvpn.* gen_context(system_u:object_r:openvpn_var_log_t,s0) + /var/run/openvpn(/.*)? gen_context(system_u:object_r:openvpn_var_run_t,s0) /var/run/openvpn\.client.* -- gen_context(system_u:object_r:openvpn_var_run_t,s0) diff --git a/policy/modules/contrib/openvpn.if b/policy/modules/contrib/openvpn.if index d883214..c11f537 100644 --- a/policy/modules/contrib/openvpn.if +++ b/policy/modules/contrib/openvpn.if @@ -1,8 +1,9 @@ -## full-featured SSL VPN solution +## full-featured SSL VPN solution. ######################################## ## -## Execute OPENVPN clients in the openvpn domain. +## Execute openvpn clients in the +## openvpn domain. ## ## ## @@ -15,13 +16,15 @@ interface(`openvpn_domtrans',` type openvpn_t, openvpn_exec_t; ') + corecmd_search_bin($1) domtrans_pattern($1, openvpn_exec_t, openvpn_t) ') ######################################## ## -## Execute OPENVPN clients in the openvpn domain, and -## allow the specified role the openvpn domain. +## Execute openvpn clients in the +## openvpn domain, and allow the +## specified role the openvpn domain. ## ## ## @@ -37,16 +40,16 @@ interface(`openvpn_domtrans',` # interface(`openvpn_run',` gen_require(` - type openvpn_t; + attribute_role openvpn_roles; ') openvpn_domtrans($1) - role $2 types openvpn_t; + roleattribute $2 openvpn_roles; ') ######################################## ## -## Send OPENVPN clients the kill signal. +## Send kill signals to openvpn. ## ## ## @@ -64,7 +67,7 @@ interface(`openvpn_kill',` ######################################## ## -## Send generic signals to OPENVPN clients. +## Send generic signals to openvpn. ## ## ## @@ -82,7 +85,7 @@ interface(`openvpn_signal',` ######################################## ## -## Send signulls to OPENVPN clients. +## Send null signals to openvpn. ## ## ## @@ -100,8 +103,7 @@ interface(`openvpn_signull',` ######################################## ## -## Allow the specified domain to read -## OpenVPN configuration files. +## Read openvpn configuration content. ## ## ## @@ -117,14 +119,14 @@ interface(`openvpn_read_config',` files_search_etc($1) allow $1 openvpn_etc_t:dir list_dir_perms; - read_files_pattern($1, openvpn_etc_t, openvpn_etc_t) - read_lnk_files_pattern($1, openvpn_etc_t, openvpn_etc_t) + allow $1 openvpn_etc_t:file read_file_perms; + allow $1 openvpn_etc_t:lnk_file read_lnk_file_perms; ') ######################################## ## -## All of the rules required to administrate -## an openvpn environment +## All of the rules required to +## administrate an openvpn environment. ## ## ## @@ -133,7 +135,7 @@ interface(`openvpn_read_config',` ## ## ## -## The role to be allowed to manage the openvpn domain. +## Role allowed access. ## ## ## @@ -141,7 +143,7 @@ interface(`openvpn_read_config',` interface(`openvpn_admin',` gen_require(` type openvpn_t, openvpn_etc_t, openvpn_var_log_t; - type openvpn_var_run_t, openvpn_initrc_exec_t; + type openvpn_var_run_t, openvpn_initrc_exec_t, openvpn_etc_rw_t; ') allow $1 openvpn_t:process { ptrace signal_perms }; @@ -153,7 +155,7 @@ interface(`openvpn_admin',` allow $2 system_r; files_list_etc($1) - admin_pattern($1, openvpn_etc_t) + admin_pattern($1, { openvpn_etc_t openvpn_etc_rw_t }) logging_list_logs($1) admin_pattern($1, openvpn_var_log_t) diff --git a/policy/modules/contrib/openvpn.te b/policy/modules/contrib/openvpn.te index 66a52ee..58607b0 100644 --- a/policy/modules/contrib/openvpn.te +++ b/policy/modules/contrib/openvpn.te @@ -1,4 +1,4 @@ -policy_module(openvpn, 1.11.0) +policy_module(openvpn, 1.11.1) ######################################## # @@ -6,18 +6,20 @@ policy_module(openvpn, 1.11.0) # ## -##

-## Allow openvpn to read home directories -##

+##

+## Determine whether openvpn can +## read generic user home content files. +##

## gen_tunable(openvpn_enable_homedirs, false) -# main openvpn domain +attribute_role openvpn_roles; + type openvpn_t; type openvpn_exec_t; init_daemon_domain(openvpn_t, openvpn_exec_t) +role openvpn_roles types openvpn_t; -# configuration files type openvpn_etc_t; files_config_file(openvpn_etc_t) @@ -27,47 +29,50 @@ files_config_file(openvpn_etc_rw_t) type openvpn_initrc_exec_t; init_script_file(openvpn_initrc_exec_t) -# log files type openvpn_var_log_t; logging_log_file(openvpn_var_log_t) -# pid files type openvpn_var_run_t; files_pid_file(openvpn_var_run_t) ######################################## # -# openvpn local policy +# Local policy # -allow openvpn_t self:capability { dac_read_search dac_override ipc_lock net_bind_service net_admin setgid setuid sys_chroot sys_tty_config }; -allow openvpn_t self:process { signal getsched }; +allow openvpn_t self:capability { dac_read_search dac_override ipc_lock net_bind_service net_admin setgid setuid sys_chroot sys_tty_config sys_nice }; +allow openvpn_t self:process { signal getsched setsched }; allow openvpn_t self:fifo_file rw_fifo_file_perms; - -allow openvpn_t self:unix_dgram_socket { create_socket_perms sendto }; -allow openvpn_t self:unix_stream_socket { create_stream_socket_perms connectto }; -allow openvpn_t self:udp_socket create_socket_perms; +allow openvpn_t self:unix_dgram_socket sendto; +allow openvpn_t self:unix_stream_socket { accept connectto listen }; allow openvpn_t self:tcp_socket server_stream_socket_perms; -allow openvpn_t self:tun_socket create; -allow openvpn_t self:netlink_route_socket rw_netlink_socket_perms; +allow openvpn_t self:tun_socket { create_socket_perms relabelfrom relabelto }; +allow openvpn_t self:netlink_route_socket nlmsg_write; -can_exec(openvpn_t, openvpn_etc_t) -read_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_t) -read_lnk_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_t) +allow openvpn_t openvpn_etc_t:dir list_dir_perms; +allow openvpn_t openvpn_etc_t:file read_file_perms; +allow openvpn_t openvpn_etc_t:lnk_file read_lnk_file_perms; manage_files_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t) filetrans_pattern(openvpn_t, openvpn_etc_t, openvpn_etc_rw_t, file) -allow openvpn_t openvpn_var_log_t:file manage_file_perms; +manage_dirs_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t) +append_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t) +create_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t) +setattr_files_pattern(openvpn_t, openvpn_var_log_t, openvpn_var_log_t) logging_log_filetrans(openvpn_t, openvpn_var_log_t, file) +manage_dirs_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t) manage_files_pattern(openvpn_t, openvpn_var_run_t, openvpn_var_run_t) files_pid_filetrans(openvpn_t, openvpn_var_run_t, { file dir }) +can_exec(openvpn_t, openvpn_etc_t) + kernel_read_kernel_sysctls(openvpn_t) kernel_read_net_sysctls(openvpn_t) kernel_read_network_state(openvpn_t) kernel_read_system_state(openvpn_t) +kernel_request_load_module(openvpn_t) corecmd_exec_bin(openvpn_t) corecmd_exec_shell(openvpn_t) @@ -78,39 +83,45 @@ corenet_tcp_sendrecv_generic_if(openvpn_t) corenet_udp_sendrecv_generic_if(openvpn_t) corenet_tcp_sendrecv_generic_node(openvpn_t) corenet_udp_sendrecv_generic_node(openvpn_t) -corenet_tcp_sendrecv_all_ports(openvpn_t) -corenet_udp_sendrecv_all_ports(openvpn_t) corenet_tcp_bind_generic_node(openvpn_t) corenet_udp_bind_generic_node(openvpn_t) + +corenet_sendrecv_openvpn_server_packets(openvpn_t) corenet_tcp_bind_openvpn_port(openvpn_t) corenet_udp_bind_openvpn_port(openvpn_t) -corenet_tcp_bind_http_port(openvpn_t) +corenet_sendrecv_openvpn_client_packets(openvpn_t) corenet_tcp_connect_openvpn_port(openvpn_t) +corenet_tcp_sendrecv_openvpn_port(openvpn_t) +corenet_udp_sendrecv_openvpn_port(openvpn_t) + +corenet_sendrecv_http_server_packets(openvpn_t) +corenet_tcp_bind_http_port(openvpn_t) +corenet_sendrecv_http_client_packets(openvpn_t) corenet_tcp_connect_http_port(openvpn_t) +corenet_tcp_sendrecv_http_port(openvpn_t) + +corenet_sendrecv_http_cache_client_packets(openvpn_t) corenet_tcp_connect_http_cache_port(openvpn_t) +corenet_tcp_sendrecv_http_cache_port(openvpn_t) + corenet_rw_tun_tap_dev(openvpn_t) -corenet_sendrecv_openvpn_server_packets(openvpn_t) -corenet_sendrecv_openvpn_client_packets(openvpn_t) -corenet_sendrecv_http_client_packets(openvpn_t) -dev_search_sysfs(openvpn_t) dev_read_rand(openvpn_t) -dev_read_urand(openvpn_t) -files_read_etc_files(openvpn_t) files_read_etc_runtime_files(openvpn_t) -auth_use_pam(openvpn_t) +fs_getattr_all_fs(openvpn_t) +fs_search_auto_mountpoints(openvpn_t) -logging_send_syslog_msg(openvpn_t) +auth_use_pam(openvpn_t) miscfiles_read_localization(openvpn_t) miscfiles_read_all_certs(openvpn_t) -sysnet_dns_name_resolve(openvpn_t) sysnet_exec_ifconfig(openvpn_t) sysnet_manage_config(openvpn_t) sysnet_etc_filetrans_config(openvpn_t) +sysnet_use_ldap(openvpn_t) userdom_use_user_terminals(openvpn_t) @@ -119,14 +130,12 @@ tunable_policy(`openvpn_enable_homedirs',` ') tunable_policy(`openvpn_enable_homedirs && use_nfs_home_dirs',` - fs_read_nfs_files(openvpn_t) - fs_read_nfs_symlinks(openvpn_t) -') + fs_read_nfs_files(openvpn_t) +') tunable_policy(`openvpn_enable_homedirs && use_samba_home_dirs',` - fs_read_cifs_files(openvpn_t) - fs_read_cifs_symlinks(openvpn_t) -') + fs_read_cifs_files(openvpn_t) +') optional_policy(` daemontools_service_domain(openvpn_t, openvpn_exec_t) @@ -136,5 +145,7 @@ optional_policy(` dbus_system_bus_client(openvpn_t) dbus_connect_system_bus(openvpn_t) - networkmanager_dbus_chat(openvpn_t) + optional_policy(` + networkmanager_dbus_chat(openvpn_t) + ') ')