From: "Jason Zaman"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman"
Message-ID: <1490882318.61dedbfbae31d9ab77c89176a73b09cab9700c4e.perfinion@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/contrib/dphysswapfile.fc policy/modules/contrib/dphysswapfile.if policy/modules/contrib/dphysswapfile.te
X-VCS-Directories: policy/modules/contrib/
X-VCS-Committer: perfinion
X-VCS-Committer-Name: Jason Zaman
X-VCS-Revision: 61dedbfbae31d9ab77c89176a73b09cab9700c4e
X-VCS-Branch: master
Date: Thu, 30 Mar 2017 17:06:21 +0000 (UTC)
Precedence: bulk
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: 4384bad5-69c6-4104-991d-c0d10b2a4a3f
X-Archives-Hash: 4bed6f585b46296d03684bc63221d0af

commit:     61dedbfbae31d9ab77c89176a73b09cab9700c4e
Author:     cgzones googlemail com>
AuthorDate: Wed Mar 8 20:21:44 2017 +0000
Commit:     Jason Zaman gentoo org>
CommitDate: Thu Mar 30 13:58:38 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=61dedbfb

dphysswapfile: update

 policy/modules/contrib/dphysswapfile.fc |  8 +++++---
 policy/modules/contrib/dphysswapfile.if | 33 +++++++++++++++++++++++++++++++++
 policy/modules/contrib/dphysswapfile.te |  6 +++++-
 3 files changed, 43 insertions(+), 4 deletions(-)

diff --git a/policy/modules/contrib/dphysswapfile.fc b/policy/modules/contrib/dphysswapfile.fc index 3cf1968d..5c0feb83 100644 --- a/policy/modules/contrib/dphysswapfile.fc +++ b/policy/modules/contrib/dphysswapfile.fc
@@ -1,5 +1,7 @@ -/etc/dphys-swapfile -- gen_context(system_u:object_r:dphysswapfile_conf_t,s0) +/etc/dphys-swapfile -- gen_context(system_u:object_r:dphysswapfile_conf_t,s0) -/usr/sbin/dphys-swapfile -- gen_context(system_u:object_r:dphysswapfile_exec_t,s0) +/etc/rc\.d/init\.d/dphys-swapfile -- gen_context(system_u:object_r:dphysswapfile_initrc_exec_t,s0) -/var/swap -- gen_context(system_u:object_r:dphysswapfile_swap_t,s0) +/usr/sbin/dphys-swapfile -- gen_context(system_u:object_r:dphysswapfile_exec_t,s0) + +/var/swap -- gen_context(system_u:object_r:dphysswapfile_swap_t,s0) diff --git a/policy/modules/contrib/dphysswapfile.if b/policy/modules/contrib/dphysswapfile.if index 53725743..7dda9553 100644 --- a/policy/modules/contrib/dphysswapfile.if +++ b/policy/modules/contrib/dphysswapfile.if @@ -17,3 +17,36 @@ interface(`dphysswapfile_dontaudit_read_swap',` dontaudit $1 dphysswapfile_swap_t:file read_file_perms; ') + +######################################## +## +## All of the rules required to +## administrate an dphys-swapfile environment. +## +## +## +## Domain allowed access. +## +## +## +## +## Role allowed access. +## +## +## +# +interface(`dphysswapfile_admin',` + gen_require(` + type dphysswapfile_t, dphysswapfile_conf_t; + type dphysswapfile_initrc_exec_t; + ') + + admin_process_pattern($1, dphysswapfile_t) + + init_startstop_service($1, $2, dphysswapfile_t, dphysswapfile_initrc_exec_t) + + files_search_etc($1) + admin_pattern($1, dphysswapfile_conf_t) + + # do not grant access to swap file for now +') diff --git a/policy/modules/contrib/dphysswapfile.te b/policy/modules/contrib/dphysswapfile.te index 26faf67d..cb3d194f 100644 --- a/policy/modules/contrib/dphysswapfile.te +++ b/policy/modules/contrib/dphysswapfile.te 
@@ -12,6 +12,9 @@ init_system_domain(dphysswapfile_t, dphysswapfile_exec_t) type dphysswapfile_conf_t; files_config_file(dphysswapfile_conf_t) +type dphysswapfile_initrc_exec_t; +init_script_file(dphysswapfile_initrc_exec_t) + type dphysswapfile_swap_t; files_type(dphysswapfile_swap_t) @@ -20,7 +23,7 @@ files_type(dphysswapfile_swap_t) # Policy # -# sys_admin : for swapon +# sys_admin : swapon allow dphysswapfile_t self:capability sys_admin; allow dphysswapfile_t self:fifo_file rw_fifo_file_perms; allow dphysswapfile_t self:unix_stream_socket { create connect }; @@ -36,6 +39,7 @@ kernel_read_system_state(dphysswapfile_t) corecmd_exec_bin(dphysswapfile_t) corecmd_exec_shell(dphysswapfile_t) +# ignore ls -l /var/swap noise files_dontaudit_getattr_pid_dirs(dphysswapfile_t) files_read_etc_files(dphysswapfile_t) files_search_var(dphysswapfile_t)
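Review bot: in the dphysswapfile.fc hunk the only change with an effect is the new `/etc/rc\.d/init\.d/dphys-swapfile -- gen_context(system_u:object_r:dphysswapfile_initrc_exec_t,s0)` entry; the remaining -/+ pairs just move the existing entries into path order, which is the refpolicy convention, so that part is fine. One caveat worth a comment in the file: `/var/swap -- ...` labels only a regular file at exactly that path, so a swap file created anywhere else falls back to its parent directory's default label and neither dphysswapfile_dontaudit_read_swap() nor the domain's own rules on dphysswapfile_swap_t apply to it, which is easy to miss when an AVC shows up with an unexpected target type.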
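Review bot: in the new dphysswapfile_admin interface the description reads "administrate an dphys-swapfile environment"; it should be "a dphys-swapfile environment". More substantively, the closing comment `# do not grant access to swap file for now` should record why: the swap file holds paged-out process memory, so giving an admin domain read or manage access to dphysswapfile_swap_t through admin_pattern() would be a data-disclosure path rather than an oversight, and a later contributor should not "complete" the interface by adding it. The rest of the interface (admin_process_pattern, init_startstop_service with the new dphysswapfile_initrc_exec_t, files_search_etc plus admin_pattern on dphysswapfile_conf_t) follows the standard refpolicy admin-interface shape.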
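Review bot: the comment added in the last dphysswapfile.te hunk, `# ignore ls -l /var/swap noise`, does not describe the rule beneath it: files_dontaudit_getattr_pid_dirs() silences getattr on pid directories, whereas the swap file is labelled dphysswapfile_swap_t by the .fc and lives under /var, not under a pid directory. If the denial being hidden really came from `ls -l` touching a pid directory, say which access and why in the comment; if it came from stat on /var/swap itself, this dontaudit does not cover it and the comment will mislead the next person debugging an AVC from this domain. Dontaudit rules are a blind spot for detection, so the comment should state precisely what is being hidden.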