From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path: 
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id 713411381F3 for ; Tue, 6 Nov 2012 20:22:26 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id D8EF6E060F; Tue, 6 Nov 2012 20:21:50 +0000 (UTC)
Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) by pigeon.gentoo.org (Postfix) with ESMTP id 0B8F0E060F for ; Tue, 6 Nov 2012 20:21:49 +0000 (UTC)
Received: from hornbill.gentoo.org (hornbill.gentoo.org [94.100.119.163]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id B21DC33DA0D for ; Tue, 6 Nov 2012 20:21:48 +0000 (UTC)
Received: from localhost.localdomain (localhost [127.0.0.1]) by hornbill.gentoo.org (Postfix) with ESMTP id 46EBEE5450 for ; Tue, 6 Nov 2012 20:21:47 +0000 (UTC)
From: "Sven Vermeulen"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen"
Message-ID: <1352233096.7e9b47c14b7e9165bbad0274d6d11624daf46f87.SwifT@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: /
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: smstools.fc smstools.if smstools.te
X-VCS-Directories: /
X-VCS-Committer: SwifT
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: 7e9b47c14b7e9165bbad0274d6d11624daf46f87
X-VCS-Branch: master
Date: Tue, 6 Nov 2012 20:21:47 +0000 (UTC)
Precedence: bulk
List-Post: 
List-Help: 
List-Unsubscribe: 
List-Subscribe: 
List-Id: Gentoo Linux mail 
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: 3c823257-47d3-432e-9306-d3196db84044
X-Archives-Hash: 46723d37c594da8a7e713546acab52b2

commit:     7e9b47c14b7e9165bbad0274d6d11624daf46f87
Author:     Dominick Grift  gmail com>
AuthorDate: Mon Nov  5 09:58:39 2012 +0000
Commit:     Sven Vermeulen  siphos be>
CommitDate: Tue Nov  6 20:18:16 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=7e9b47c1

Initial smstools policy module

SMS Server Tools for GSM modems

The SMS Server Tools make your server into a central SMS gateway. You can send and receive SM using a simple file-based interface.

Ported from Fedora with changes

Signed-off-by: Dominick Grift  gmail.com>

---
 smstools.fc | 13 ++++++++++
 smstools.if | 49 +++++++++++++++++++++++++++++++++++++++
 smstools.te | 74 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 136 insertions(+), 0 deletions(-)

diff --git a/smstools.fc b/smstools.fc
new file mode 100644
index 0000000..8e7d825
--- /dev/null
+++ b/smstools.fc
@@ -0,0 +1,13 @@ +/etc/smsd\.conf -- gen_context(system_u:object_r:smsd_conf_t,s0) + +/etc/rc\.d/init\.d/((smsd)|(smstools)) -- gen_context(system_u:object_r:smsd_initrc_exec_t,s0) + +/usr/sbin/smsd -- gen_context(system_u:object_r:smsd_exec_t,s0) + +/var/lib/smstools(/.*)? gen_context(system_u:object_r:smsd_var_lib_t,s0) + +/var/log/smsd(/.*)? gen_context(system_u:object_r:smsd_log_t,s0) + +/var/run/smsd(/.*)? gen_context(system_u:object_r:smsd_var_run_t,s0) + +/var/spool/sms(/.*)? gen_context(system_u:object_r:smsd_spool_t,s0) diff --git a/smstools.if b/smstools.if new file mode 100644 index 0000000..cbfe369 --- /dev/null +++ b/smstools.if @@ -0,0 +1,49 @@ +## Tools to send and receive short messages through GSM modems or mobile phones. + +######################################## +## +## All of the rules required to +## administrate an smstools environment. +## +## +## +## Domain allowed access. +## +## +## +## +## Role allowed access. +## +## +## +# +interface(`smstools_admin',` + gen_require(` + type smsd_t, smsd_initrc_exec_t, smsd_conf_t; + type smsd_log_t, smsd_var_lib_t, smsd_var_run_t; + type smsd_spool_t; + ') + + allow $1 smsd_t:process { ptrace signal_perms }; + ps_process_pattern($1, smsd_t) + + init_labeled_script_domtrans($1, smsd_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 smsd_initrc_exec_t system_r; + allow $2 system_r; + + files_search_config($1) + admin_pattern($1, smsd_conf_t) + + files_search_var_lib($1) + admin_pattern($1, smsd_var_lib_t) + + files_search_spool($1) + admin_pattern($1, smsd_spool_t) + + files_search_pids($1) + admin_pattern($1, smsd_var_run_t) + + logging_search_logs($1) + admin_pattern($1, smsd_log_t) +') diff --git a/smstools.te b/smstools.te new file mode 100644 index 0000000..5ccf83c --- /dev/null +++ b/smstools.te 
@@ -0,0 +1,74 @@ +policy_module(smstools, 1.0.0) + +######################################## +# +# Declarations +# + +type smsd_t; +type smsd_exec_t; +init_daemon_domain(smsd_t, smsd_exec_t) + +type smsd_initrc_exec_t; +init_script_file(smsd_initrc_exec_t) + +type smsd_conf_t; +files_config_file(smsd_conf_t) + +type smsd_log_t; +logging_log_file(smsd_log_t) + +type smsd_var_lib_t; +files_type(smsd_var_lib_t) + +type smsd_var_run_t; +files_pid_file(smsd_var_run_t) + +type smsd_spool_t; +files_type(smsd_spool_t) + +######################################## +# +# Local policy +# + +allow smsd_t self:capability { kill setgid setuid }; +allow smsd_t self:process signal; +allow smsd_t self:fifo_file rw_fifo_file_perms; +allow smsd_t self:unix_stream_socket { accept listen }; + +allow smsd_t smsd_conf_t:file read_file_perms; + +manage_dirs_pattern(smsd_t, smsd_log_t, smsd_log_t) +create_files_pattern(smsd_t, smsd_log_t, smsd_log_t) +append_files_pattern(smsd_t, smsd_log_t, smsd_log_t) +setattr_files_pattern(smsd_t, smsd_log_t, smsd_log_t) +manage_lnk_files_pattern(smsd_t, smsd_log_t, smsd_log_t) +logging_log_filetrans(smsd_t, smsd_log_t, { dir file }) + +manage_dirs_pattern(smsd_t, smsd_var_lib_t, smsd_var_lib_t) +manage_files_pattern(smsd_t, smsd_var_lib_t, smsd_var_lib_t) +manage_lnk_files_pattern(smsd_t, smsd_var_lib_t, smsd_var_lib_t) + +manage_dirs_pattern(smsd_t, smsd_var_run_t, smsd_var_run_t) +manage_files_pattern(smsd_t, smsd_var_run_t, smsd_var_run_t) +manage_lnk_files_pattern(smsd_t, smsd_var_run_t, smsd_var_run_t) +files_pid_filetrans(smsd_t, smsd_var_run_t, { dir file }) + +manage_dirs_pattern(smsd_t, smsd_spool_t, smsd_spool_t) +manage_files_pattern(smsd_t, smsd_spool_t, smsd_spool_t) +manage_lnk_files_pattern(smsd_t, smsd_spool_t, smsd_spool_t) +files_spool_filetrans(smsd_t, smsd_spool_t, dir) + +kernel_read_kernel_sysctls(smsd_t) +kernel_read_system_state(smsd_t) + +corecmd_exec_shell(smsd_t) + +auth_use_nsswitch(smsd_t) + +logging_send_syslog_msg(smsd_t) + 
+optional_policy(` + mysql_stream_connect(smsd_t) +')
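Review bot: in the smstools.fc hunk the init script entry `/etc/rc\.d/init\.d/((smsd)|(smstools))` nests groups that do nothing; `/etc/rc\.d/init\.d/(smsd|smstools)` is the usual form in refpolicy file contexts and reads the same. The remaining specs look consistent with the types declared in smstools.te, and `/var/spool/sms(/.*)?` correctly covers the daemon's incoming/outgoing subdirectories because of the `(/.*)?` suffix.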
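Review bot: the smstools.if hunk exposes only `smstools_admin`, so no other domain can ever be granted access to `smsd_spool_t`, even though the commit message says messages are sent and received "using a simple file-based interface", i.e. by placing files in the spool that this module labels `smsd_spool_t` and lets only `smsd_t` manage. Without a per-use interface (a spool-management interface taking a domain argument, in the style of the `admin_pattern` calls already in this hunk) the domain of whatever application queues outgoing messages has no sanctioned way to get that access, and sites will end up with local policy granting it more broadly than needed. Consider adding such an interface alongside the admin one.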
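Review bot: the local policy block in the smstools.te hunk grants `smsd_t` no access to any terminal or serial device, yet the module is for GSM modems; unless the modem is reached some other way the daemon will be denied when it opens the modem's tty node, so check which terminal interface the modem device needs (for a serial or USB-serial modem the refpolicy interfaces are `term_use_unallocated_ttys(smsd_t)` and `term_use_usb_ttys(smsd_t)` respectively) and add the one the audit log shows is required. Two smaller points: `allow smsd_t self:unix_stream_socket { accept listen };` grants accept and listen without create or bind, so confirm this is what the denials showed rather than a partial rule (`create_stream_socket_perms` is the idiom when the daemon creates the socket itself); and `corecmd_exec_shell(smsd_t)` means the daemon's event-handler scripts run inside `smsd_t` with its full permission set, including the `setuid`/`setgid` capabilities declared above, so if handlers need anything beyond that a separate script domain is cleaner than widening `smsd_t`.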