From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id EEEFA138200 for ; Wed, 31 Oct 2012 18:11:33 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 5BA8021C1B6; Wed, 31 Oct 2012 18:09:40 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) by pigeon.gentoo.org (Postfix) with ESMTP id 6C3F221C1C6 for ; Wed, 31 Oct 2012 18:09:39 +0000 (UTC) Received: from hornbill.gentoo.org (hornbill.gentoo.org [94.100.119.163]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 37BFF33D8A6 for ; Wed, 31 Oct 2012 18:09:38 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by hornbill.gentoo.org (Postfix) with ESMTP id 78C7AE544C for ; Wed, 31 Oct 2012 18:09:35 +0000 (UTC) 
From: "Sven Vermeulen"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen"
Message-ID: <1351706666.7c191c42c9c20586e7cf70ea3a6a627aee08d44a.SwifT@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/contrib/vnstatd.fc policy/modules/contrib/vnstatd.if policy/modules/contrib/vnstatd.te
X-VCS-Directories: policy/modules/contrib/
X-VCS-Committer: SwifT
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: 7c191c42c9c20586e7cf70ea3a6a627aee08d44a
X-VCS-Branch: master
Date: Wed, 31 Oct 2012 18:09:35 +0000 (UTC)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: 0e33e0f6-1954-4003-ae2a-83848876bc64
X-Archives-Hash: a209aceef16236276eca48db296df97a
commit: 7c191c42c9c20586e7cf70ea3a6a627aee08d44a
Author: Dominick Grift gmail com>
AuthorDate: Wed Oct 31 09:12:33 2012 +0000
Commit: Sven Vermeulen siphos be>
CommitDate: Wed Oct 31 18:04:26 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=7c191c42
Changes to the vnstatd policy module Add init script file Add role attribute for client
Signed-off-by: Dominick Grift gmail.com>
---
 policy/modules/contrib/vnstatd.fc | 4 ++-
 policy/modules/contrib/vnstatd.if | 50 +++++++++++++++++++++++++++++++++---
 policy/modules/contrib/vnstatd.te | 24 +++++++++++------
 3 files changed, 63 insertions(+), 15 deletions(-)
diff --git a/policy/modules/contrib/vnstatd.fc b/policy/modules/contrib/vnstatd.fc
index db1a018..24228b6 100644
--- a/policy/modules/contrib/vnstatd.fc
+++ b/policy/modules/contrib/vnstatd.fc
@@ -1,7 +1,9 @@
+/etc/rc\.d/init\.d/vnstat -- gen_context(system_u:object_r:vnstatd_initrc_exec_t,s0)
+
 /usr/bin/vnstat -- gen_context(system_u:object_r:vnstat_exec_t,s0)
 /usr/sbin/vnstatd -- gen_context(system_u:object_r:vnstatd_exec_t,s0)
 /var/lib/vnstat(/.*)? gen_context(system_u:object_r:vnstatd_var_lib_t,s0)
-/var/run/vnstat\.pid gen_context(system_u:object_r:vnstatd_var_run_t,s0)
+/var/run/vnstat.* gen_context(system_u:object_r:vnstatd_var_run_t,s0)
diff --git a/policy/modules/contrib/vnstatd.if b/policy/modules/contrib/vnstatd.if
index 727fe95..137ac44 100644
--- a/policy/modules/contrib/vnstatd.if
+++ b/policy/modules/contrib/vnstatd.if
@@ -15,11 +15,38 @@ interface(`vnstatd_domtrans_vnstat',`
 type vnstat_t, vnstat_exec_t;
 ')
+ corecmd_search_bin($1)
 domtrans_pattern($1, vnstat_exec_t, vnstat_t)
 ')
 ########################################
 ##
+## Execute vnstat in the vnstat domain,
+## and allow the specified role
+## the vnstat domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+#
+interface(`vnstatd_run_vnstat',`
+ gen_require(`
+ attribute_role vnstat_roles;
+ ')
+
+ vnstatd_domtrans_vnstat($1)
+ roleattribute $2 vnstat_roles;
+')
+
+########################################
+##
 ## Execute a domain transition to run vnstatd.
 ##
 ##
@@ -33,6 +60,7 @@ interface(`vnstatd_domtrans',`
 type vnstatd_t, vnstatd_exec_t;
 ')
+ corecmd_search_bin($1)
 domtrans_pattern($1, vnstatd_exec_t, vnstatd_t)
 ')
@@ -51,13 +79,14 @@ interface(`vnstatd_search_lib',`
 type vnstatd_var_lib_t;
 ')
- allow $1 vnstatd_var_lib_t:dir search_dir_perms;
 files_search_var_lib($1)
+ allow $1 vnstatd_var_lib_t:dir search_dir_perms;
 ')
 ########################################
 ##
-## Manage vnstatd lib dirs.
+## Create, read, write, and delete
+## vnstatd lib directories.
 ##
 ##
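Review bot: The new pid-file pattern `/var/run/vnstat.*` is unanchored on the right, so it labels every path under /var/run whose name merely starts with `vnstat` as `vnstatd_var_run_t`, where the entry it replaces, `/var/run/vnstat\.pid`, matched one file exactly. The commit message does not say which additional path the widening is meant to cover; if it is a `vnstatd.pid` variant or a `/var/run/vnstat` directory, an anchored form such as `/var/run/vnstatd?\.pid -- gen_context(system_u:object_r:vnstatd_var_run_t,s0)` or `/var/run/vnstat(/.*)? gen_context(system_u:object_r:vnstatd_var_run_t,s0)` keeps the label scoped to this service's own files. This matters slightly more now that vnstatd_admin in the .if hunk grants admin_pattern on vnstatd_var_run_t, so whatever this regex catches becomes admin-manageable.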
@@ -115,8 +144,8 @@ interface(`vnstatd_manage_lib_files',`
 ########################################
 ##
-## All of the rules required to administrate
-## an vnstatd environment
+## All of the rules required to
+## administrate an vnstatd environment.
 ##
 ##
@@ -132,12 +161,23 @@ interface(`vnstatd_manage_lib_files',`
 #
 interface(`vnstatd_admin',`
 gen_require(`
- type vnstatd_t, vnstatd_var_lib_t;
+ type vnstatd_t, vnstatd_var_lib_t, vnstatd_initrc_exec_t;
+ type vnstatd_var_run_t;
 ')
 allow $1 vnstatd_t:process { ptrace signal_perms };
 ps_process_pattern($1, vnstatd_t)
+ init_labeled_script_domtrans($1, vnstatd_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 vnstatd_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_search_pids($1)
+ admin_pattern($1, vnstatd_var_run_t)
+
 files_list_var_lib($1)
 admin_pattern($1, vnstatd_var_lib_t)
+
+ vnstatd_run_vnstat($1, $2)
 ')
diff --git a/policy/modules/contrib/vnstatd.te b/policy/modules/contrib/vnstatd.te
index 8121937..febc3e5 100644
--- a/policy/modules/contrib/vnstatd.te
+++ b/policy/modules/contrib/vnstatd.te
@@ -1,18 +1,24 @@
-policy_module(vnstatd, 1.0.0)
+policy_module(vnstatd, 1.0.1)
 ########################################
 #
 # Declarations
 #
+attribute_role vnstat_roles;
+
 type vnstat_t;
 type vnstat_exec_t;
 application_domain(vnstat_t, vnstat_exec_t)
+role vnstat_roles types vnstat_t;
 type vnstatd_t;
 type vnstatd_exec_t;
 init_daemon_domain(vnstatd_t, vnstatd_exec_t)
+type vnstatd_initrc_exec_t;
+init_script_file(vnstatd_initrc_exec_t)
+
 type vnstatd_var_lib_t;
 files_type(vnstatd_var_lib_t)
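Review bot: The reflowed summary of vnstatd_admin still carries the wrong article, `an vnstatd environment`, on the second added line; since this hunk touches only that comment it is the place to correct it to `## administrate a vnstatd environment.`. The interface body itself lies outside this hunk.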
@@ -21,12 +27,12 @@ files_pid_file(vnstatd_var_run_t)
 ########################################
 #
-# vnstatd local policy
+# Daemon local policy
 #
 allow vnstatd_t self:process signal;
 allow vnstatd_t self:fifo_file rw_fifo_file_perms;
-allow vnstatd_t self:unix_stream_socket create_stream_socket_perms;
+allow vnstatd_t self:unix_stream_socket { accept listen };
 manage_dirs_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
 manage_files_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
@@ -49,18 +55,14 @@ logging_send_syslog_msg(vnstatd_t)
 miscfiles_read_localization(vnstatd_t)
-optional_policy(`
- cron_system_entry(vnstat_t, vnstat_exec_t)
-')
-
 ########################################
 #
-# vnstat local policy
+# Client local policy
 #
 allow vnstat_t self:process signal;
 allow vnstat_t self:fifo_file rw_fifo_file_perms;
-allow vnstat_t self:unix_stream_socket create_stream_socket_perms;
+allow vnstat_t self:unix_stream_socket { accept listen };
 manage_dirs_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
 manage_files_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t)
@@ -78,3 +80,7 @@ fs_getattr_xattr_fs(vnstat_t)
 logging_send_syslog_msg(vnstat_t)
 miscfiles_read_localization(vnstat_t)
+
+optional_policy(`
+ cron_system_entry(vnstat_t, vnstat_exec_t)
+')
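Review bot: The rewritten rule `allow vnstatd_t self:unix_stream_socket { accept listen };` keeps only the two permissions that `create_stream_socket_perms` adds on top of `create_socket_perms`, so the daemon's ability to create, bind and read/write its own unix stream socket now has to come from rules this module does not show, presumably those attached to the `domain` attribute. That is fine if the kernel layer in this tree grants `create_socket_perms` on `self:unix_stream_socket` to every domain, but the hunk gives no way to confirm it, and a daemon that sets up its own listening socket would otherwise fail at create or bind after this lands; a quick check of the domain attribute rules, or a run in permissive mode watching for new denials, would settle it. The same narrowing is applied to `vnstat_t` in the `@@ -49,18 +55,14 @@` hunk below and deserves the same confirmation. A one-line comment above the first such rule, e.g. `# create_socket_perms on self:unix_stream_socket comes from the domain attribute`, would record the dependency for the next reader.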