From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id E697E1381F3 for ; Mon, 23 Sep 2013 06:29:49 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id D6667E09F1; Mon, 23 Sep 2013 06:29:36 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 1CE43E09ED for ; Mon, 23 Sep 2013 06:29:30 +0000 (UTC) Received: from hornbill.gentoo.org (hornbill.gentoo.org [94.100.119.163]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 01D0633ED4D for ; Mon, 23 Sep 2013 06:29:30 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by hornbill.gentoo.org (Postfix) with ESMTP id 8E979E5470 for ; Mon, 23 Sep 2013 06:29:27 +0000 (UTC) 
From: "Sven Vermeulen" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" Message-ID: <1379917685.cc29211b9a8299a1793c2158c66fc5058c50d98f.SwifT@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:merge commit in: / X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: redis.fc redis.if redis.te X-VCS-Directories: / X-VCS-Committer: SwifT X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: cc29211b9a8299a1793c2158c66fc5058c50d98f X-VCS-Branch: merge Date: Mon, 23 Sep 2013 06:29:27 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: f6c3078b-a3c9-4138-8e44-d8d545e10191 X-Archives-Hash: 1a4c906c554a916450d8b8856a79f93a commit: cc29211b9a8299a1793c2158c66fc5058c50d98f Author: Lukas Vrabec redhat com> AuthorDate: Tue Aug 6 12:14:52 2013 +0000 Commit: Sven Vermeulen siphos be> CommitDate: Mon Sep 23 06:28:05 2013 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=cc29211b Add policy for redis-server
---
redis.fc | 11 +++ redis.if | 271 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ redis.te | 62 +++++++++++++++ 3 files changed, 344 insertions(+)
diff --git a/redis.fc b/redis.fc
new file mode 100644
index 0000000..638d6b4
--- /dev/null
+++ b/redis.fc
@@ -0,0 +1,11 @@
+/etc/rc\.d/init\.d/redis -- gen_context(system_u:object_r:redis_initrc_exec_t,s0)
+
+/usr/lib/systemd/system/redis.* -- gen_context(system_u:object_r:redis_unit_file_t,s0)
+
+/usr/sbin/redis-server -- gen_context(system_u:object_r:redis_exec_t,s0)
+
+/var/lib/redis(/.*)? gen_context(system_u:object_r:redis_var_lib_t,s0)
+
+/var/log/redis(/.*)? gen_context(system_u:object_r:redis_log_t,s0)
+
+/var/run/redis(/.*)? gen_context(system_u:object_r:redis_var_run_t,s0)
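Review bot: The init-script entry `/etc/rc\.d/init\.d/redis -- gen_context(system_u:object_r:redis_initrc_exec_t,s0)` only labels the rc.d layout; if the tree this is merged into installs the script at /etc/init.d/redis (presumably the case for this repository), that script keeps the generic init-script label and the `redis_initrc_domtrans` interface and the `role_transition` in `redis_admin` from redis.if never apply to it. A second entry `/etc/init\.d/redis -- gen_context(system_u:object_r:redis_initrc_exec_t,s0)` would cover both layouts. The same file is re-posted unchanged in the master-branch copy of this commit further down this page.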
diff --git a/redis.if b/redis.if
new file mode 100644
index 0000000..e3efff0
--- /dev/null
+++ b/redis.if
@@ -0,0 +1,271 @@
+
+## policy for redis
+
+########################################
+##
+## Execute TEMPLATE in the redis domin.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`redis_domtrans',`
+ gen_require(`
+ type redis_t, redis_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, redis_exec_t, redis_t)
+')
+
+########################################
+##
+## Execute redis server in the redis domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`redis_initrc_domtrans',`
+ gen_require(`
+ type redis_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, redis_initrc_exec_t)
+')
+########################################
+##
+## Read redis's log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`redis_read_log',`
+ gen_require(`
+ type redis_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, redis_log_t, redis_log_t)
+')
+
+########################################
+##
+## Append to redis log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`redis_append_log',`
+ gen_require(`
+ type redis_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, redis_log_t, redis_log_t)
+')
+
+########################################
+##
+## Manage redis log files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`redis_manage_log',`
+ gen_require(`
+ type redis_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1, redis_log_t, redis_log_t)
+ manage_files_pattern($1, redis_log_t, redis_log_t)
+ manage_lnk_files_pattern($1, redis_log_t, redis_log_t)
+')
+
+########################################
+##
+## Search redis lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`redis_search_lib',`
+ gen_require(`
+ type redis_var_lib_t;
+ ')
+
+ allow $1 redis_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Read redis lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`redis_read_lib_files',`
+ gen_require(`
+ type redis_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, redis_var_lib_t, redis_var_lib_t)
+')
+
+########################################
+##
+## Manage redis lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`redis_manage_lib_files',`
+ gen_require(`
+ type redis_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, redis_var_lib_t, redis_var_lib_t)
+')
+
+########################################
+##
+## Manage redis lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`redis_manage_lib_dirs',`
+ gen_require(`
+ type redis_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, redis_var_lib_t, redis_var_lib_t)
+')
+
+########################################
+##
+## Read redis PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`redis_read_pid_files',`
+ gen_require(`
+ type redis_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, redis_var_run_t, redis_var_run_t)
+')
+
+########################################
+##
+## Execute redis server in the redis domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`redis_systemctl',`
+ gen_require(`
+ type redis_t;
+ type redis_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_read_fifo_file_password_run($1)
+ allow $1 redis_unit_file_t:file read_file_perms;
+ allow $1 redis_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, redis_t)
+')
+
+
+########################################
+##
+## All of the rules required to administrate
+## an redis environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`redis_admin',`
+ gen_require(`
+ type redis_t;
+ type redis_initrc_exec_t;
+ type redis_log_t;
+ type redis_var_lib_t;
+ type redis_var_run_t;
+ type redis_unit_file_t;
+ ')
+
+ allow $1 redis_t:process { ptrace signal_perms };
+ ps_process_pattern($1, redis_t)
+
+ redis_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 redis_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ logging_search_logs($1)
+ admin_pattern($1, redis_log_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, redis_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, redis_var_run_t)
+
+ redis_systemctl($1)
+ admin_pattern($1, redis_unit_file_t)
+ allow $1 redis_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/redis.te b/redis.te
new file mode 100644
index 0000000..e5e9cf7
--- /dev/null
+++ b/redis.te
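Review bot: `redis_systemctl` is documented with the domtrans interface's wording ("Execute redis server in the redis domain" / "Domain allowed to transition") although its body grants `systemd_exec_systemctl($1)`, read access to redis_unit_file_t and `manage_service_perms` on the unit's service; the summary should state what is actually granted, e.g. `##	Execute systemctl to manage the redis unit file and its service.`, and `redis_domtrans` still carries the template placeholder text "Execute TEMPLATE in the redis domin.". The two systemd fifo interfaces are spelled differently within the patch — `systemd_read_fifo_file_password_run($1)` in redis_systemctl versus `systemd_read_fifo_file_passwd_run($1)` in redis_admin — so unless both names exist in the tree's systemd.if one of them fails to expand, and the redis_systemctl calls are unconditional while redis_admin wraps its systemd calls in an `optional_policy` block. Reconciling the spelling and moving the systemd calls in redis_systemctl under an `optional_policy` block of their own would keep a build without the systemd module from failing. The identical hunk is re-posted in the master-branch copy of this commit further down this page.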
@@ -0,0 +1,62 @@
+policy_module(redis, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type redis_t;
+type redis_exec_t;
+init_daemon_domain(redis_t, redis_exec_t)
+
+type redis_initrc_exec_t;
+init_script_file(redis_initrc_exec_t)
+
+type redis_log_t;
+logging_log_file(redis_log_t)
+
+type redis_var_lib_t;
+files_type(redis_var_lib_t)
+
+type redis_var_run_t;
+files_pid_file(redis_var_run_t)
+
+type redis_unit_file_t;
+systemd_unit_file(redis_unit_file_t)
+
+########################################
+#
+# redis local policy
+#
+
+allow redis_t self:process { setrlimit signal_perms };
+allow redis_t self:fifo_file rw_fifo_file_perms;
+allow redis_t self:unix_stream_socket create_stream_socket_perms;
+allow redis_t self:tcp_socket create_stream_socket_perms;
+
+manage_dirs_pattern(redis_t, redis_log_t, redis_log_t)
+manage_files_pattern(redis_t, redis_log_t, redis_log_t)
+manage_lnk_files_pattern(redis_t, redis_log_t, redis_log_t)
+
+manage_dirs_pattern(redis_t, redis_var_lib_t, redis_var_lib_t)
+manage_files_pattern(redis_t, redis_var_lib_t, redis_var_lib_t)
+manage_lnk_files_pattern(redis_t, redis_var_lib_t, redis_var_lib_t)
+
+manage_dirs_pattern(redis_t, redis_var_run_t, redis_var_run_t)
+manage_files_pattern(redis_t, redis_var_run_t, redis_var_run_t)
+manage_lnk_files_pattern(redis_t, redis_var_run_t, redis_var_run_t)
+
+kernel_read_system_state(redis_t)
+
+corenet_tcp_bind_generic_node(redis_t)
+corenet_tcp_bind_redis_port(redis_t)
+
+dev_read_sysfs(redis_t)
+dev_read_urand(redis_t)
+
+logging_send_syslog_msg(redis_t)
+
+miscfiles_read_localization(redis_t)
+
+sysnet_dns_name_resolve(redis_t)
+
From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id 42CE61381F3 for ; Mon, 23 Sep 2013 13:32:02 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id D87B5E0AEA; Mon, 23 Sep 
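Review bot: redis_t gets `manage_*_pattern` rules on redis_var_run_t, redis_log_t and redis_var_lib_t but no file type transitions, so those rules only reach objects created inside the directories redis.fc labels (/var/run/redis, /var/log/redis, /var/lib/redis); a pid file or log the daemon creates directly under /var/run or /var/log inherits the parent's generic type and is either denied or left mislabeled. If the daemon writes there, adding `files_pid_filetrans(redis_t, redis_var_run_t, { dir file })` and `logging_log_filetrans(redis_t, redis_log_t, { dir file })` after the manage rules fixes both the denial and the labeling. No rule in the hunk grants reads of the daemon's configuration either — no config type is declared and there is no `files_read_etc_files(redis_t)` — so unless the base policy already grants etc reads to every domain, a redis.conf under /etc is unreadable from redis_t; worth confirming against the tree before adding it. The same hunk is re-posted unchanged in the master-branch copy further down this page.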
2013 13:31:52 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 62405E0AEA for ; Mon, 23 Sep 2013 13:31:47 +0000 (UTC) Received: from hornbill.gentoo.org (hornbill.gentoo.org [94.100.119.163]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 32A6133ED76 for ; Mon, 23 Sep 2013 13:31:46 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by hornbill.gentoo.org (Postfix) with ESMTP id E4EC2E546F for ; Mon, 23 Sep 2013 13:31:43 +0000 (UTC) 
From: "Sven Vermeulen" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" Message-ID: <1379917685.cc29211b9a8299a1793c2158c66fc5058c50d98f.SwifT@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: / X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: redis.fc redis.if redis.te X-VCS-Directories: / X-VCS-Committer: SwifT X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: cc29211b9a8299a1793c2158c66fc5058c50d98f X-VCS-Branch: master Date: Mon, 23 Sep 2013 13:31:43 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: 77d67bdf-a838-4ebd-8bdc-ea106cc3896b X-Archives-Hash: 5e488f21dae049d7feae650ab5845e00 Message-ID: <20130923133143.xgQC6Dj-PadqChuinsZ3H-nC6T0631ROi9HmfOl5UVU@z> commit: cc29211b9a8299a1793c2158c66fc5058c50d98f Author: Lukas Vrabec redhat com> AuthorDate: Tue Aug 6 12:14:52 2013 +0000 Commit: Sven Vermeulen siphos be> CommitDate: Mon Sep 23 06:28:05 2013 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=cc29211b Add policy for redis-server
---
redis.fc | 11 +++ redis.if | 271 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ redis.te | 62 +++++++++++++++ 3 files changed, 344 insertions(+)
diff --git a/redis.fc b/redis.fc
new file mode 100644
index 0000000..638d6b4
--- /dev/null
+++ b/redis.fc
@@ -0,0 +1,11 @@
+/etc/rc\.d/init\.d/redis -- gen_context(system_u:object_r:redis_initrc_exec_t,s0)
+
+/usr/lib/systemd/system/redis.* -- gen_context(system_u:object_r:redis_unit_file_t,s0)
+
+/usr/sbin/redis-server -- gen_context(system_u:object_r:redis_exec_t,s0)
+
+/var/lib/redis(/.*)? gen_context(system_u:object_r:redis_var_lib_t,s0)
+
+/var/log/redis(/.*)? gen_context(system_u:object_r:redis_log_t,s0)
+
+/var/run/redis(/.*)? gen_context(system_u:object_r:redis_var_run_t,s0)
diff --git a/redis.if b/redis.if
new file mode 100644
index 0000000..e3efff0
--- /dev/null
+++ b/redis.if
@@ -0,0 +1,271 @@
+
+## policy for redis
+
+########################################
+##
+## Execute TEMPLATE in the redis domin.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`redis_domtrans',`
+ gen_require(`
+ type redis_t, redis_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, redis_exec_t, redis_t)
+')
+
+########################################
+##
+## Execute redis server in the redis domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`redis_initrc_domtrans',`
+ gen_require(`
+ type redis_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, redis_initrc_exec_t)
+')
+########################################
+##
+## Read redis's log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`redis_read_log',`
+ gen_require(`
+ type redis_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, redis_log_t, redis_log_t)
+')
+
+########################################
+##
+## Append to redis log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`redis_append_log',`
+ gen_require(`
+ type redis_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, redis_log_t, redis_log_t)
+')
+
+########################################
+##
+## Manage redis log files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`redis_manage_log',`
+ gen_require(`
+ type redis_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1, redis_log_t, redis_log_t)
+ manage_files_pattern($1, redis_log_t, redis_log_t)
+ manage_lnk_files_pattern($1, redis_log_t, redis_log_t)
+')
+
+########################################
+##
+## Search redis lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`redis_search_lib',`
+ gen_require(`
+ type redis_var_lib_t;
+ ')
+
+ allow $1 redis_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+##
+## Read redis lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`redis_read_lib_files',`
+ gen_require(`
+ type redis_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, redis_var_lib_t, redis_var_lib_t)
+')
+
+########################################
+##
+## Manage redis lib files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`redis_manage_lib_files',`
+ gen_require(`
+ type redis_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, redis_var_lib_t, redis_var_lib_t)
+')
+
+########################################
+##
+## Manage redis lib directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`redis_manage_lib_dirs',`
+ gen_require(`
+ type redis_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, redis_var_lib_t, redis_var_lib_t)
+')
+
+########################################
+##
+## Read redis PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`redis_read_pid_files',`
+ gen_require(`
+ type redis_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, redis_var_run_t, redis_var_run_t)
+')
+
+########################################
+##
+## Execute redis server in the redis domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`redis_systemctl',`
+ gen_require(`
+ type redis_t;
+ type redis_unit_file_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ systemd_read_fifo_file_password_run($1)
+ allow $1 redis_unit_file_t:file read_file_perms;
+ allow $1 redis_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, redis_t)
+')
+
+
+########################################
+##
+## All of the rules required to administrate
+## an redis environment
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`redis_admin',`
+ gen_require(`
+ type redis_t;
+ type redis_initrc_exec_t;
+ type redis_log_t;
+ type redis_var_lib_t;
+ type redis_var_run_t;
+ type redis_unit_file_t;
+ ')
+
+ allow $1 redis_t:process { ptrace signal_perms };
+ ps_process_pattern($1, redis_t)
+
+ redis_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 redis_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ logging_search_logs($1)
+ admin_pattern($1, redis_log_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, redis_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, redis_var_run_t)
+
+ redis_systemctl($1)
+ admin_pattern($1, redis_unit_file_t)
+ allow $1 redis_unit_file_t:service all_service_perms;
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
diff --git a/redis.te b/redis.te
new file mode 100644
index 0000000..e5e9cf7
--- /dev/null
+++ b/redis.te
@@ -0,0 +1,62 @@
+policy_module(redis, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type redis_t;
+type redis_exec_t;
+init_daemon_domain(redis_t, redis_exec_t)
+
+type redis_initrc_exec_t;
+init_script_file(redis_initrc_exec_t)
+
+type redis_log_t;
+logging_log_file(redis_log_t)
+
+type redis_var_lib_t;
+files_type(redis_var_lib_t)
+
+type redis_var_run_t;
+files_pid_file(redis_var_run_t)
+
+type redis_unit_file_t;
+systemd_unit_file(redis_unit_file_t)
+
+########################################
+#
+# redis local policy
+#
+
+allow redis_t self:process { setrlimit signal_perms };
+allow redis_t self:fifo_file rw_fifo_file_perms;
+allow redis_t self:unix_stream_socket create_stream_socket_perms;
+allow redis_t self:tcp_socket create_stream_socket_perms;
+
+manage_dirs_pattern(redis_t, redis_log_t, redis_log_t)
+manage_files_pattern(redis_t, redis_log_t, redis_log_t)
+manage_lnk_files_pattern(redis_t, redis_log_t, redis_log_t)
+
+manage_dirs_pattern(redis_t, redis_var_lib_t, redis_var_lib_t)
+manage_files_pattern(redis_t, redis_var_lib_t, redis_var_lib_t)
+manage_lnk_files_pattern(redis_t, redis_var_lib_t, redis_var_lib_t)
+
+manage_dirs_pattern(redis_t, redis_var_run_t, redis_var_run_t)
+manage_files_pattern(redis_t, redis_var_run_t, redis_var_run_t)
+manage_lnk_files_pattern(redis_t, redis_var_run_t, redis_var_run_t)
+
+kernel_read_system_state(redis_t)
+
+corenet_tcp_bind_generic_node(redis_t)
+corenet_tcp_bind_redis_port(redis_t)
+
+dev_read_sysfs(redis_t)
+dev_read_urand(redis_t)
+
+logging_send_syslog_msg(redis_t)
+
+miscfiles_read_localization(redis_t)
+
+sysnet_dns_name_resolve(redis_t)
+