From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id 68D86138010 for ; Fri, 2 Nov 2012 19:14:12 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 2C68C21C0D4; Fri, 2 Nov 2012 19:12:22 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) by pigeon.gentoo.org (Postfix) with ESMTP id 660D421C0D4 for ; Fri, 2 Nov 2012 19:12:16 +0000 (UTC) Received: from hornbill.gentoo.org (hornbill.gentoo.org [94.100.119.163]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 63E2033D77F for ; Fri, 2 Nov 2012 19:12:15 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by hornbill.gentoo.org (Postfix) with ESMTP id D4088E544E for ; Fri, 2 Nov 2012 19:12:12 +0000 (UTC) 
From: "Sven Vermeulen" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" Message-ID: <1351883305.0bde972c43fa9f1e756774cd42fca90d34edc9f0.SwifT@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/contrib/zarafa.fc policy/modules/contrib/zarafa.if policy/modules/contrib/zarafa.te X-VCS-Directories: policy/modules/contrib/ X-VCS-Committer: SwifT X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: 0bde972c43fa9f1e756774cd42fca90d34edc9f0 X-VCS-Branch: master Date: Fri, 2 Nov 2012 19:12:12 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: 79d04458-1643-479d-9f40-dc7862376862 X-Archives-Hash: f22440eb601a5c96b825cb2b0cddb253 commit: 0bde972c43fa9f1e756774cd42fca90d34edc9f0 Author: Dominick Grift gmail com> AuthorDate: Fri Nov 2 14:32:38 2012 +0000 Commit: Sven Vermeulen siphos be> CommitDate: Fri Nov 2 19:08:25 2012 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=0bde972c Changes to the zarafa policy module Add init script file Add zarafa_admin() Ported from Fedora with changes Module clean up Signed-off-by: Dominick Grift gmail.com> --- policy/modules/contrib/zarafa.fc | 22 ++++++--- policy/modules/contrib/zarafa.if | 92 +++++++++++++++++++++++++++++-------- policy/modules/contrib/zarafa.te | 95 +++++++++++++++++++++----------------- 3 files changed, 139 insertions(+), 70 deletions(-) diff --git a/policy/modules/contrib/zarafa.fc b/policy/modules/contrib/zarafa.fc index 25f78ef..43c6df2 100644 --- a/policy/modules/contrib/zarafa.fc +++ b/policy/modules/contrib/zarafa.fc 
@@ -1,5 +1,7 @@ /etc/zarafa(/.*)? gen_context(system_u:object_r:zarafa_etc_t,s0) +/etc/rc\.d/init\.d/zarafa.* -- gen_context(system_u:object_r:zarafa_initrc_exec_t,s0) + /usr/bin/zarafa-dagent -- gen_context(system_u:object_r:zarafa_deliver_exec_t,s0) /usr/bin/zarafa-gateway -- gen_context(system_u:object_r:zarafa_gateway_exec_t,s0) /usr/bin/zarafa-ical -- gen_context(system_u:object_r:zarafa_ical_exec_t,s0) 
@@ -8,19 +10,23 @@ /usr/bin/zarafa-server -- gen_context(system_u:object_r:zarafa_server_exec_t,s0) /usr/bin/zarafa-spooler -- gen_context(system_u:object_r:zarafa_spooler_exec_t,s0) -/var/lib/zarafa-.* gen_context(system_u:object_r:zarafa_var_lib_t,s0) +/var/lib/zarafa(/.*)? gen_context(system_u:object_r:zarafa_var_lib_t,s0) +/var/lib/zarafa-webaccess(/.*)? gen_context(system_u:object_r:zarafa_var_lib_t,s0) -/var/log/zarafa/gateway\.log -- gen_context(system_u:object_r:zarafa_gateway_log_t,s0) -/var/log/zarafa/ical\.log -- gen_context(system_u:object_r:zarafa_ical_log_t,s0) -/var/log/zarafa/indexer\.log -- gen_context(system_u:object_r:zarafa_indexer_log_t,s0) -/var/log/zarafa/monitor\.log -- gen_context(system_u:object_r:zarafa_monitor_log_t,s0) -/var/log/zarafa/server\.log -- gen_context(system_u:object_r:zarafa_server_log_t,s0) -/var/log/zarafa/spooler\.log -- gen_context(system_u:object_r:zarafa_spooler_log_t,s0) +/var/log/zarafa/dagent\.log.* -- gen_context(system_u:object_r:zarafa_deliver_log_t,s0) +/var/log/zarafa/gateway\.log.* -- gen_context(system_u:object_r:zarafa_gateway_log_t,s0) +/var/log/zarafa/ical\.log.* -- gen_context(system_u:object_r:zarafa_ical_log_t,s0) +/var/log/zarafa/indexer\.log.* -- gen_context(system_u:object_r:zarafa_indexer_log_t,s0) +/var/log/zarafa/monitor\.log.* -- gen_context(system_u:object_r:zarafa_monitor_log_t,s0) +/var/log/zarafa/server\.log.* -- gen_context(system_u:object_r:zarafa_server_log_t,s0) +/var/log/zarafa/spooler\.log.* -- gen_context(system_u:object_r:zarafa_spooler_log_t,s0) /var/run/zarafa -s gen_context(system_u:object_r:zarafa_server_var_run_t,s0) +/var/run/zarafa-dagent\.pid -- gen_context(system_u:object_r:zarafa_deliver_var_run_t,s0) /var/run/zarafa-gateway\.pid -- gen_context(system_u:object_r:zarafa_gateway_var_run_t,s0) /var/run/zarafa-ical\.pid -- gen_context(system_u:object_r:zarafa_ical_var_run_t,s0) -/var/run/zarafa-indexer -- gen_context(system_u:object_r:zarafa_indexer_var_run_t,s0) 
+/var/run/zarafa-indexer -s gen_context(system_u:object_r:zarafa_indexer_var_run_t,s0) +/var/run/zarafa-indexer\.pid -- gen_context(system_u:object_r:zarafa_indexer_var_run_t,s0) /var/run/zarafa-monitor\.pid -- gen_context(system_u:object_r:zarafa_monitor_var_run_t,s0) /var/run/zarafa-server\.pid -- gen_context(system_u:object_r:zarafa_server_var_run_t,s0) /var/run/zarafa-spooler\.pid -- gen_context(system_u:object_r:zarafa_spooler_var_run_t,s0) diff --git a/policy/modules/contrib/zarafa.if b/policy/modules/contrib/zarafa.if index 21ae664..36e32df 100644 --- a/policy/modules/contrib/zarafa.if +++ b/policy/modules/contrib/zarafa.if 
@@ -1,53 +1,55 @@ ## Zarafa collaboration platform. -###################################### +####################################### ## -## Creates types and rules for a basic -## zararfa init daemon domain. +## The template to define a zarafa domain. ## -## +## ## -## Prefix for the domain. +## Domain prefix to be used. ## ## # template(`zarafa_domain_template',` gen_require(` - attribute zarafa_domain; + attribute zarafa_domain, zarafa_logfile, zarafa_pidfile; ') - ############################## + ######################################## # - # $1_t declarations + # Declarations # type zarafa_$1_t, zarafa_domain; type zarafa_$1_exec_t; init_daemon_domain(zarafa_$1_t, zarafa_$1_exec_t) - type zarafa_$1_log_t; + type zarafa_$1_log_t, zarafa_logfile; logging_log_file(zarafa_$1_log_t) - type zarafa_$1_var_run_t; + type zarafa_$1_var_run_t, zarafa_pidfile; files_pid_file(zarafa_$1_var_run_t) - ############################## + ######################################## # - # $1_t local policy + # Policy # manage_files_pattern(zarafa_$1_t, zarafa_$1_var_run_t, zarafa_$1_var_run_t) manage_sock_files_pattern(zarafa_$1_t, zarafa_$1_var_run_t, zarafa_$1_var_run_t) files_pid_filetrans(zarafa_$1_t, zarafa_$1_var_run_t, { file sock_file }) - manage_files_pattern(zarafa_$1_t, zarafa_$1_log_t, zarafa_$1_log_t) - logging_log_filetrans(zarafa_$1_t, zarafa_$1_log_t, { file }) + append_files_pattern(zarafa_$1_t, zarafa_$1_log_t, zarafa_$1_log_t) + create_files_pattern(zarafa_$1_t, zarafa_$1_log_t, zarafa_$1_log_t) + setattr_files_pattern(zarafa_$1_t, zarafa_$1_log_t, zarafa_$1_log_t) + logging_log_filetrans(zarafa_$1_t, zarafa_$1_log_t, file) + + auth_use_nsswitch(zarafa_$1_t) ') ###################################### ## -## Allow the specified domain to search -## zarafa configuration dirs. +## search zarafa configuration directories. ## ## ## 
@@ -66,7 +68,7 @@ interface(`zarafa_search_config',` ######################################## ## -## Execute a domain transition to run zarafa_deliver. +## Execute a domain transition to run zarafa deliver. ## ## ## @@ -79,12 +81,13 @@ interface(`zarafa_domtrans_deliver',` type zarafa_deliver_t, zarafa_deliver_exec_t; ') + corecmd_search_bin($1) domtrans_pattern($1, zarafa_deliver_exec_t, zarafa_deliver_t) ') ######################################## ## -## Execute a domain transition to run zarafa_server. +## Execute a domain transition to run zarafa server. ## ## ## @@ -97,12 +100,14 @@ interface(`zarafa_domtrans_server',` type zarafa_server_t, zarafa_server_exec_t; ') + corecmd_search_bin($1) domtrans_pattern($1, zarafa_server_exec_t, zarafa_server_t) ') ####################################### ## -## Connect to zarafa-server unix domain stream socket. +## Connect to zarafa server with a unix +## domain stream socket. ## ## ## 
@@ -118,3 +123,52 @@ interface(`zarafa_stream_connect_server',` files_search_var_lib($1) stream_connect_pattern($1, zarafa_server_var_run_t, zarafa_server_var_run_t, zarafa_server_t) ') + +######################################## +## +## All of the rules required to +## administrate an zarafa environment. +## +## +## +## Domain allowed access. +## +## +## +## +## Role allowed access. +## +## +## +# +interface(`zarafa_admin',` + gen_require(` + attribute zarafa_domain, zarafa_logfile, zarafa_pidfile; + type zarafa_etc_t, zarafa_initrc_exec_t, zarafa_deliver_tmp_t; + type zarafa_indexer_tmp_t, zarafa_server_tmp_t, zarafa_share_t; + type zarafa_var_lib_t; + ') + + allow $1 zarafa_domain:process { ptrace signal_perms }; + ps_process_pattern($1, zarafa_domain) + + init_labeled_script_domtrans($1, zarafa_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 zarafa_initrc_exec_t system_r; + allow $2 system_r; + + files_search_etc($1) + admin_pattern($1, zarafa_etc_t) + + files_search_tmp($1) + admin_pattern($1, { zarafa_deliver_tmp_t zarafa_indexer_tmp_t zarafa_server_tmp_t }) + + logging_search_log($1) + admin_pattern($1, zarafa_logfile) + + files_search_var_lib($1) + admin_pattern($1, { zarafa_var_lib_t zarafa_share_t }) + + files_search_pids($1) + admin_pattern($1, zarafa_pidfile) +') diff --git a/policy/modules/contrib/zarafa.te b/policy/modules/contrib/zarafa.te index 91267bc..95ee5f1 100644 --- a/policy/modules/contrib/zarafa.te +++ b/policy/modules/contrib/zarafa.te @@ -1,4 +1,4 @@ -policy_module(zarafa, 1.1.0) +policy_module(zarafa, 1.1.1) ######################################## # @@ -6,6 +6,8 @@ policy_module(zarafa, 1.1.0) # attribute zarafa_domain; +attribute zarafa_logfile; +attribute zarafa_pidfile; zarafa_domain_template(deliver) 
@@ -15,9 +17,16 @@ files_tmp_file(zarafa_deliver_tmp_t) type zarafa_etc_t; files_config_file(zarafa_etc_t) +type zarafa_initrc_exec_t; +init_script_file(zarafa_initrc_exec_t) + zarafa_domain_template(gateway) zarafa_domain_template(ical) zarafa_domain_template(indexer) + +type zarafa_indexer_tmp_t; +files_tmp_file(zarafa_indexer_tmp_t) + zarafa_domain_template(monitor) zarafa_domain_template(server) 
@@ -34,66 +43,62 @@ files_tmp_file(zarafa_var_lib_t) ######################################## # -# zarafa-deliver local policy +# Deliver local policy # manage_dirs_pattern(zarafa_deliver_t, zarafa_deliver_tmp_t, zarafa_deliver_tmp_t) manage_files_pattern(zarafa_deliver_t, zarafa_deliver_tmp_t, zarafa_deliver_tmp_t) files_tmp_filetrans(zarafa_deliver_t, zarafa_deliver_tmp_t, { file dir }) -auth_use_nsswitch(zarafa_deliver_t) - ######################################## # -# zarafa_gateway local policy +# Gateway local policy # -allow zarafa_gateway_t self:capability { chown kill }; -allow zarafa_gateway_t self:process setrlimit; - corenet_all_recvfrom_unlabeled(zarafa_gateway_t) corenet_all_recvfrom_netlabel(zarafa_gateway_t) corenet_tcp_sendrecv_generic_if(zarafa_gateway_t) corenet_tcp_sendrecv_generic_node(zarafa_gateway_t) -corenet_tcp_sendrecv_all_ports(zarafa_gateway_t) corenet_tcp_bind_generic_node(zarafa_gateway_t) -corenet_tcp_bind_pop_port(zarafa_gateway_t) -auth_use_nsswitch(zarafa_gateway_t) +corenet_sendrecv_pop_server_packets(zarafa_gateway_t) +corenet_tcp_bind_pop_port(zarafa_gateway_t) +corenet_tcp_sendrecv_pop_port(zarafa_gateway_t) ####################################### # -# zarafa-ical local policy +# Ical local policy # -allow zarafa_ical_t self:capability chown; - corenet_all_recvfrom_unlabeled(zarafa_ical_t) corenet_all_recvfrom_netlabel(zarafa_ical_t) corenet_tcp_sendrecv_generic_if(zarafa_ical_t) corenet_tcp_sendrecv_generic_node(zarafa_ical_t) -corenet_tcp_sendrecv_all_ports(zarafa_ical_t) corenet_tcp_bind_generic_node(zarafa_ical_t) -corenet_tcp_bind_http_cache_port(zarafa_ical_t) -auth_use_nsswitch(zarafa_ical_t) +corenet_sendrecv_http_cache_client_packets(zarafa_ical_t) +corenet_tcp_bind_http_cache_port(zarafa_ical_t) +corenet_tcp_sendrecv_http_cache_port(zarafa_ical_t) ###################################### # -# zarafa-monitor local policy +# Indexer local policy # -allow zarafa_monitor_t self:capability chown; 
+manage_dirs_pattern(zarafa_indexer_t, zarafa_indexer_tmp_t, zarafa_indexer_tmp_t) +manage_files_pattern(zarafa_indexer_t, zarafa_indexer_tmp_t, zarafa_indexer_tmp_t) +files_tmp_filetrans(zarafa_indexer_t, zarafa_indexer_tmp_t, { file dir }) -auth_use_nsswitch(zarafa_monitor_t) +manage_dirs_pattern(zarafa_indexer_t, zarafa_var_lib_t, zarafa_var_lib_t) +manage_files_pattern(zarafa_indexer_t, zarafa_var_lib_t, zarafa_var_lib_t) +manage_lnk_files_pattern(zarafa_indexer_t, zarafa_var_lib_t, zarafa_var_lib_t) ######################################## # -# zarafa_server local policy +# Server local policy # -allow zarafa_server_t self:capability { chown kill net_bind_service }; -allow zarafa_server_t self:process setrlimit; +allow zarafa_server_t self:capability net_bind_service; manage_dirs_pattern(zarafa_server_t, zarafa_server_tmp_t, zarafa_server_tmp_t) manage_files_pattern(zarafa_server_t, zarafa_server_tmp_t, zarafa_server_tmp_t) @@ -101,7 +106,8 @@ files_tmp_filetrans(zarafa_server_t, zarafa_server_tmp_t, { file dir }) manage_dirs_pattern(zarafa_server_t, zarafa_var_lib_t, zarafa_var_lib_t) manage_files_pattern(zarafa_server_t, zarafa_var_lib_t, zarafa_var_lib_t) -files_var_lib_filetrans(zarafa_server_t, zarafa_var_lib_t, { file dir }) +manage_lnk_files_pattern(zarafa_server_t, zarafa_var_lib_t, zarafa_var_lib_t) +files_var_lib_filetrans(zarafa_server_t, zarafa_var_lib_t, { file dir lnk_file }) stream_connect_pattern(zarafa_server_t, zarafa_indexer_var_run_t, zarafa_indexer_var_run_t, zarafa_indexer_t) 
@@ -109,56 +115,56 @@ corenet_all_recvfrom_unlabeled(zarafa_server_t) corenet_all_recvfrom_netlabel(zarafa_server_t) corenet_tcp_sendrecv_generic_if(zarafa_server_t) corenet_tcp_sendrecv_generic_node(zarafa_server_t) -corenet_tcp_sendrecv_all_ports(zarafa_server_t) corenet_tcp_bind_generic_node(zarafa_server_t) + +corenet_sendrecv_zarafa_server_packets(zarafa_server_t) corenet_tcp_bind_zarafa_port(zarafa_server_t) +corenet_tcp_sendrecv_zarafa_port(zarafa_server_t) files_read_usr_files(zarafa_server_t) -auth_use_nsswitch(zarafa_server_t) - -logging_send_syslog_msg(zarafa_server_t) logging_send_audit_msgs(zarafa_server_t) -sysnet_dns_name_resolve(zarafa_server_t) - optional_policy(` kerberos_use(zarafa_server_t) ') optional_policy(` mysql_stream_connect(zarafa_server_t) + mysql_tcp_connect(zarafa_server_t) +') + +optional_policy(` + postgresql_stream_connect(zarafa_server_t) + postgresql_tcp_connect(zarafa_server_t) ') ######################################## # -# zarafa_spooler local policy +# Spooler local policy # -allow zarafa_spooler_t self:capability { chown kill }; - can_exec(zarafa_spooler_t, zarafa_spooler_exec_t) corenet_all_recvfrom_unlabeled(zarafa_spooler_t) corenet_all_recvfrom_netlabel(zarafa_spooler_t) corenet_tcp_sendrecv_generic_if(zarafa_spooler_t) corenet_tcp_sendrecv_generic_node(zarafa_spooler_t) -corenet_tcp_sendrecv_all_ports(zarafa_spooler_t) -corenet_tcp_connect_smtp_port(zarafa_spooler_t) -auth_use_nsswitch(zarafa_spooler_t) +corenet_sendrecv_smtp_client_packets(zarafa_spooler_t) +corenet_tcp_connect_smtp_port(zarafa_spooler_t) +corenet_tcp_sendrecv_smtp_port(zarafa_spooler_t) ######################################## # -# zarafa domains local policy +# Zarafa domain local policy # -# bad permission on /etc/zarafa -allow zarafa_domain self:capability { dac_override setgid setuid }; -allow zarafa_domain self:process signal; +allow zarafa_domain self:capability { chown kill dac_override chown setgid setuid }; +allow zarafa_domain self:process 
{ setrlimit signal }; allow zarafa_domain self:fifo_file rw_fifo_file_perms; -allow zarafa_domain self:tcp_socket create_stream_socket_perms; -allow zarafa_domain self:unix_stream_socket create_stream_socket_perms; +allow zarafa_domain self:tcp_socket { accept listen }; +allow zarafa_domain self:unix_stream_socket { accept listen }; stream_connect_pattern(zarafa_domain, zarafa_server_var_run_t, zarafa_server_var_run_t, zarafa_server_t) @@ -166,6 +172,9 @@ read_files_pattern(zarafa_domain, zarafa_etc_t, zarafa_etc_t) kernel_read_system_state(zarafa_domain) -files_read_etc_files(zarafa_domain) +dev_read_rand(zarafa_domain) +dev_read_urand(zarafa_domain) + +logging_send_syslog_msg(zarafa_domain) miscfiles_read_localization(zarafa_domain)
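Review bot: in the zarafa.fc hunk `@@ -1,5 +1,7 @@`, the new context `/etc/rc\.d/init\.d/zarafa.*` only reaches Gentoo's actual init scripts if the file_contexts.subs_dist alias from /etc/init.d to /etc/rc.d/init.d is in place for this hardened-refpolicy build; worth confirming before merge, because an unlabelled /etc/init.d/zarafa* leaves zarafa_initrc_exec_t unused and the `init_labeled_script_domtrans` call in zarafa_admin() without effect.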
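Review bot: in the zarafa.fc hunk `@@ -8,19 +10,23 @@`, dropping `/var/lib/zarafa-.*` in favour of `/var/lib/zarafa(/.*)?` and `/var/lib/zarafa-webaccess(/.*)?` narrows the labelling: any other `/var/lib/zarafa-*` directory on an installed system falls back to var_lib_t, and the new `manage_*_pattern(zarafa_indexer_t, zarafa_var_lib_t, ...)` rules would then not apply to it, so check the installed layout and note that a relabel of the two listed trees is needed. The `\.log.*` suffix on the log entries correctly covers rotated logs, and relabelling `/var/run/zarafa-indexer` as a socket (`-s`) with a separate `\.pid` entry matches what `stream_connect_pattern(zarafa_server_t, zarafa_indexer_var_run_t, ...)` in zarafa.te expects.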
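Review bot: in the zarafa.if hunk `@@ -1,53 +1,55 @@`, replacing `manage_files_pattern` on `zarafa_$1_log_t` with append/create/setattr is a sound least-privilege tightening (a compromised daemon can no longer truncate, rename or unlink its own log), but it assumes rotation happens outside the daemon; if any zarafa daemon rotates its log in-process, expect rename/unlink denials and add those permissions back for that one domain rather than restoring manage for all. Moving `auth_use_nsswitch` into the template now grants it to every domain built from it, which the zarafa.te removals rely on; a one-line comment there would make that dependency explicit. The summary line would read better in refpolicy style as "Template for zarafa daemon domains."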
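Review bot: in the zarafa.if hunk `@@ -118,3 +123,52 @@` (zarafa_admin), the summary "administrate an zarafa environment" should read "administer a zarafa environment". The body follows the usual refpolicy admin pattern; keep in mind that `allow $1 zarafa_domain:process { ptrace signal_perms }` gives the admin domain ptrace over every zarafa daemon, i.e. read access to their process memory, which is the normal trade-off for admin interfaces but worth weighing when deciding which roles get zarafa_admin().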
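Review bot: in the zarafa.te hunks `@@ -1,4 +1,4 @@` and `@@ -6,6 +6,8 @@`, the bump to 1.1.1 reads as a patch-level change, yet the patch adds a new public interface (zarafa_admin) and two new attributes; consider whether the module versioning convention calls for a minor bump (1.2.0) instead. A short comment on `zarafa_logfile` and `zarafa_pidfile` stating that every log and pid type must carry them would also help, since the `admin_pattern($1, zarafa_logfile)` and `admin_pattern($1, zarafa_pidfile)` calls in zarafa_admin() silently miss any type declared outside the template.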
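Review bot: in the zarafa.te hunk `@@ -34,66 +43,62 @@`, consolidating the capabilities onto `zarafa_domain` widens several domains: in the removed lines only gateway, server and spooler had `kill` and only gateway and server had `setrlimit`, while ical and monitor had `chown` alone; after the change every domain built from the template gets `chown kill setrlimit`. If this is meant as clean-up rather than a deliberate loosening, keep the per-domain `allow ... self:capability` lines and move into the attribute block only what every daemon actually needs. Dropping `corenet_tcp_sendrecv_all_ports` in favour of the per-service port interfaces, and giving the indexer its own tmp type, are welcome tightenings.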
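Review bot: in the zarafa.te hunk `@@ -109,56 +115,56 @@`, `chown` is listed twice in `allow zarafa_domain self:capability { chown kill dac_override chown setgid setuid };`; drop the duplicate. The removed `# bad permission on /etc/zarafa` comment was the recorded justification for `dac_override`, which is kept: either keep the comment or, better, confirm the /etc/zarafa permissions were fixed and drop the capability. Replacing `create_stream_socket_perms` with `{ accept listen }` on tcp_socket and unix_stream_socket leaves create/bind/connect to be supplied by other interfaces (apparently `auth_use_nsswitch`, now in the template, and what it pulls in); that implicit dependency deserves a comment so the rules do not break silently if the template changes. For the new postgresql optional block, confirm zarafa-server actually supports PostgreSQL before granting it; otherwise drop it.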