public inbox for gentoo-commits@lists.gentoo.org
From: "Sven Vermeulen" <swift@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: /
Date: Mon, 30 Sep 2013 19:03:41 +0000 (UTC)
Message-ID: <1380567784.bfd3a1c8be8744da6db2648be14a1c0ffc0e2cd3.swift@gentoo>

commit:     bfd3a1c8be8744da6db2648be14a1c0ffc0e2cd3
Author:     Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Fri Sep 27 15:43:02 2013 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Sep 30 19:03:04 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=bfd3a1c8

Initial minissdpd policy module

MiniSSDPd is a small daemon used by MiniUPnPc (a UPnP control point for
IGD devices) to speed up device discoveries. MiniSSDPd keeps memory of
all UPnP devices that announced themselves on the network through SSDP
NOTIFY packets. MiniSSDPd also has the ability to handle all SSDP
traffic received on a computer via the multicast group
239.255.255.250:1900.

MiniSSDPd receives NOTIFY packets and stores information contained for
later use by UPnP Control Points on the machine. MiniSSDPd receives
M-SEARCH packets and answers on behalf of the UPnP devices running on
the machine. MiniUPnPd and MiniUPnPc are designed to automatically take
advantage of MiniSSDPd running on the same computer. Just make sure that
MiniSSDPd is started before any other UPnP program on the computer.

Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>

---
 minissdpd.fc |  8 ++++++++
 minissdpd.if | 39 +++++++++++++++++++++++++++++++++++++++
 minissdpd.te | 46 ++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 93 insertions(+)

diff --git a/minissdpd.fc b/minissdpd.fc
new file mode 100644
index 0000000..4970404
--- /dev/null
+++ b/minissdpd.fc
@@ -0,0 +1,8 @@
+/etc/default/minissdpd	--	gen_context(system_u:object_r:minissdpd_conf_t,s0)
+
+/etc/rc\.d/init\.d/minissdpd	--	gen_context(system_u:object_r:minissdpd_initrc_exec_t,s0)
+
+/usr/sbin/minissdpd	--	gen_context(system_u:object_r:minissdpd_exec_t,s0)
+
+/var/run/minissdpd\.pid	--	gen_context(system_u:object_r:minissdpd_var_run_t,s0)
+/var/run/minissdpd\.sock	-s	gen_context(system_u:object_r:minissdpd_var_run_t,s0)

diff --git a/minissdpd.if b/minissdpd.if
new file mode 100644
index 0000000..20de8ef
--- /dev/null
+++ b/minissdpd.if
@@ -0,0 +1,39 @@
+## <summary>Daemon used by MiniUPnPc to speed up device discoveries.</summary>
+
+########################################
+## <summary>
+##	All of the rules required to
+##	administrate an minissdpd environment.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`minissdpd_admin',`
+	gen_require(`
+		type minissdpd_t, minissdpd_initrc_exec_t, minissdpd_conf_t;
+		type minissdpd_var_run_t
+	')
+
+	allow $1 minissdpd_t:process { ptrace signal_perms };
+	ps_process_pattern($1, minissdpd_t)
+
+	init_labeled_script_domtrans($1, minissdpd_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 minissdpd_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	files_search_etc($1)
+	admin_pattern($1, minissdpd_conf_t)
+
+	files_search_pids($1)
+	admin_pattern($1, minissdpd_var_run_t)
+')
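Review bot: the second `type` line of the `gen_require` block, `type minissdpd_var_run_t`, is missing its trailing semicolon; `gen_require` emits its body verbatim into a `require { }` block, so the first caller of `minissdpd_admin()` will get a checkpolicy syntax error that stays hidden as long as no role actually calls the interface. Suggested: `type minissdpd_var_run_t;`. Minor wording in the summary: `administrate an minissdpd environment` should read `administrate a minissdpd environment`.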

diff --git a/minissdpd.te b/minissdpd.te
new file mode 100644
index 0000000..ae9004b
--- /dev/null
+++ b/minissdpd.te
@@ -0,0 +1,46 @@
+policy_module(minissdpd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type minissdpd_t;
+type minissdpd_exec_t;
+init_daemon_domain(minissdpd_t, minissdpd_exec_t)
+
+type minissdpd_initrc_exec_t;
+init_script_file(minissdpd_initrc_exec_t)
+
+type minissdpd_conf_t;
+files_config_file(minissdpd_conf_t)
+
+type minissdpd_var_run_t;
+files_pid_file(minissdpd_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow minissdpd_t self:capability { sys_module net_admin };
+allow minissdpd_t self:netlink_route_socket r_netlink_socket_perms;
+allow minissdpd_t self:udp_socket create_socket_perms;
+allow minissdpd_t self:unix_dgram_socket create_socket_perms;
+
+allow minissdpd_t minissdpd_var_run_t:file manage_file_perms;
+allow minissdpd_t minissdpd_var_run_t:sock_file manage_sock_file_perms;
+files_pid_filetrans(minissdpd_t, minissdpd_var_run_t, { file sock_file })
+
+kernel_read_network_state(minissdpd_t)
+kernel_request_load_module(minissdpd_t)
+
+corenet_all_recvfrom_unlabeled(minissdpd_t)
+corenet_all_recvfrom_netlabel(minissdpd_t)
+corenet_udp_sendrecv_generic_if(minissdpd_t)
+corenet_udp_sendrecv_generic_node(minissdpd_t)
+corenet_udp_bind_generic_node(minissdpd_t)
+
+corenet_sendrecv_ssdp_server_packets(minissdpd_t)
+corenet_udp_bind_ssdp_port(minissdpd_t)
+corenet_udp_sendrecv_ssdp_port(minissdpd_t)
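Review bot: `allow minissdpd_t self:capability { sys_module net_admin };` lets the daemon load kernel modules itself, while the same hunk already calls `kernel_request_load_module(minissdpd_t)`, which is the refpolicy way to let a domain trigger the kernel's own module auto-loading (`kernel:system module_request`) without holding `sys_module`; unless an AVC denial actually shows `sys_module`, drop it and keep only `net_admin`, ideally with a one-line comment saying what it is needed for (joining a multicast group via `setsockopt` does not require it). Second, `files_pid_filetrans(minissdpd_t, minissdpd_var_run_t, { file sock_file })` carries no name argument, so anything minissdpd_t creates under /var/run becomes `minissdpd_var_run_t`, whereas `minissdpd.fc` only labels `minissdpd.pid` and `minissdpd.sock`; passing the names, e.g. `files_pid_filetrans(minissdpd_t, minissdpd_var_run_t, file, "minissdpd.pid")` plus a matching `sock_file` line, keeps the runtime labels consistent with the file contexts. Finally, there is no `logging_send_syslog_msg(minissdpd_t)` or `miscfiles_read_localization(minissdpd_t)`; if the daemon logs through syslog, both are needed for it to run cleanly in enforcing mode.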

