From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: <gentoo-commits+bounces-629707-garchives=archives.gentoo.org@lists.gentoo.org> Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id 114531381F3 for <garchives@archives.gentoo.org>; Mon, 23 Sep 2013 13:31:52 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id F036EE0AAC; Mon, 23 Sep 2013 13:31:45 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 2E06AE0AD0 for <gentoo-commits@lists.gentoo.org>; Mon, 23 Sep 2013 13:31:45 +0000 (UTC) Received: from hornbill.gentoo.org (hornbill.gentoo.org [94.100.119.163]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 0E4FE33ED6A for <gentoo-commits@lists.gentoo.org>; Mon, 23 Sep 2013 13:31:44 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by hornbill.gentoo.org (Postfix) with ESMTP id F0973E5465 for <gentoo-commits@lists.gentoo.org>; Mon, 23 Sep 2013 13:31:41 +0000 (UTC) 
From: "Sven Vermeulen" <sven.vermeulen@siphos.be> To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" <sven.vermeulen@siphos.be> Message-ID: <1379917639.d8ad674f9b897235cd243b9a37543bcfedb71d6e.SwifT@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/contrib/lsm.fc policy/modules/contrib/lsm.if policy/modules/contrib/lsm.te X-VCS-Directories: policy/modules/contrib/ X-VCS-Committer: SwifT X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: d8ad674f9b897235cd243b9a37543bcfedb71d6e X-VCS-Branch: master Date: Mon, 23 Sep 2013 13:31:41 +0000 (UTC) Precedence: bulk List-Post: <mailto:gentoo-commits@lists.gentoo.org> List-Help: <mailto:gentoo-commits+help@lists.gentoo.org> List-Unsubscribe: <mailto:gentoo-commits+unsubscribe@lists.gentoo.org> List-Subscribe: <mailto:gentoo-commits+subscribe@lists.gentoo.org> List-Id: Gentoo Linux mail <gentoo-commits.gentoo.org> X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: 66073480-27d8-42b2-9155-9fd51e1989d3 X-Archives-Hash: 59fccb4619c5e0b56839804b2aecb7d1 Message-ID: <20130923133141.X9jPbY1ffepjKcSNiJr2860lbH9sSjZ5MUskxsGaXFQ@z> commit: d8ad674f9b897235cd243b9a37543bcfedb71d6e Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com> AuthorDate: Thu Sep 19 17:39:39 2013 +0000 Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> CommitDate: Mon Sep 23 06:27:19 2013 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=d8ad674f Clean up libstoragemngmt policy module We do not yet support systemd 
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>
---
 policy/modules/contrib/lsm.fc | 4 +--
 policy/modules/contrib/lsm.if | 79 ++-----------------------------------------
 policy/modules/contrib/lsm.te | 9 ++---
 3 files changed, 7 insertions(+), 85 deletions(-)

diff --git a/policy/modules/contrib/lsm.fc b/policy/modules/contrib/lsm.fc
index 711c04b..51777c1 100644
--- a/policy/modules/contrib/lsm.fc
+++ b/policy/modules/contrib/lsm.fc
@@ -1,5 +1,3 @@
-/usr/bin/lsmd -- gen_context(system_u:object_r:lsmd_exec_t,s0)
-
-/usr/lib/systemd/system/libstoragemgmt.* -- gen_context(system_u:object_r:lsmd_unit_file_t,s0)
+/usr/bin/lsmd -- gen_context(system_u:object_r:lsmd_exec_t,s0)
 
 /var/run/lsm(/.*)? -- gen_context(system_u:object_r:lsmd_var_run_t,s0)
diff --git a/policy/modules/contrib/lsm.if b/policy/modules/contrib/lsm.if
index f3e94d7..d314333 100644
--- a/policy/modules/contrib/lsm.if
+++ b/policy/modules/contrib/lsm.if
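Review bot: The surviving context line `/var/run/lsm(/.*)? -- gen_context(system_u:object_r:lsmd_var_run_t,s0)` carries the `--` object-class specifier, which restricts the match to regular files, so the `/var/run/lsm` directory itself (and any non-regular object created under it) is not covered by this labeling and will take whatever type the parent or a file transition gives it. The commit does not touch that line, but since it is the only remaining runtime-directory rule it is worth checking that the directory is labeled `lsmd_var_run_t` by some other means; if not, the usual form is to drop the specifier: `/var/run/lsm(/.*)? gen_context(system_u:object_r:lsmd_var_run_t,s0)`. The re-added `/usr/bin/lsmd` line appears textually identical to the removed one, so the change there is presumably whitespace only.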
@@ -1,72 +1,9 @@
-
-## <summary>lsmd SELINUX policy </summary>
-
-########################################
-## <summary>
-## Execute TEMPLATE in the lsmd domin.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`lsmd_domtrans',`
-	gen_require(`
-		type lsmd_t, lsmd_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	domtrans_pattern($1, lsmd_exec_t, lsmd_t)
-')
-########################################
-## <summary>
-## Read lsmd PID files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`lsmd_read_pid_files',`
-	gen_require(`
-		type lsmd_var_run_t;
-	')
-
-	files_search_pids($1)
-	read_files_pattern($1, lsmd_var_run_t, lsmd_var_run_t)
-')
-
-########################################
-## <summary>
-## Execute lsmd server in the lsmd domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`lsmd_systemctl',`
-	gen_require(`
-		type lsmd_t;
-		type lsmd_unit_file_t;
-	')
-
-	systemd_exec_systemctl($1)
-	systemd_read_fifo_file_password_run($1)
-	allow $1 lsmd_unit_file_t:file read_file_perms;
-	allow $1 lsmd_unit_file_t:service manage_service_perms;
-
-	ps_process_pattern($1, lsmd_t)
-')
-
+## <summary>Storage array management library.</summary>
 
 ########################################
 ## <summary>
 ##	All of the rules required to administrate
-##	an lsmd environment
+##	an lsmd environment.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -82,9 +19,7 @@ interface(`lsmd_systemctl',`
 #
 interface(`lsmd_admin',`
 	gen_require(`
-		type lsmd_t;
-		type lsmd_var_run_t;
-		type lsmd_unit_file_t;
+		type lsmd_t, type lsmd_var_run_t;
 	')
 
 	allow $1 lsmd_t:process { ptrace signal_perms };
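Review bot: Dropping `lsmd_domtrans` and `lsmd_read_pid_files` together with `lsmd_systemctl` goes beyond the stated reason for the change; only `lsmd_systemctl` depends on systemd types, while the other two are the ordinary entry points another module would use to run lsmd or read its PID file, and any caller of them elsewhere in the policy will now fail to build. Both referenced only `lsmd_t`, `lsmd_exec_t` and `lsmd_var_run_t`, all of which survive in lsm.te, so they could be kept as they were. If nothing in the tree calls them the removal is harmless, but then the commit message should say that the module is being reduced to `lsmd_admin` on purpose.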
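Review bot: The rewritten require block in `lsmd_admin`, `type lsmd_t, type lsmd_var_run_t;`, is not valid policy syntax: inside `gen_require` the `type` keyword is written once and the identifiers follow as a comma-separated list, so this line will be rejected when the interface is expanded. It should read `type lsmd_t, lsmd_var_run_t;`, the same form the removed `lsmd_domtrans` used (`type lsmd_t, lsmd_exec_t;`). Because an interface body is only expanded where it is called, the error will surface only in a build that includes a caller of `lsmd_admin`, which a policy-only build of this module will not catch. The body of `lsmd_admin` continues past the end of this hunk.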
@@ -92,12 +27,4 @@ interface(`lsmd_admin',`
 	files_search_pids($1)
 	admin_pattern($1, lsmd_var_run_t)
-
-	lsmd_systemctl($1)
-	admin_pattern($1, lsmd_unit_file_t)
-	allow $1 lsmd_unit_file_t:service all_service_perms;
 
-	optional_policy(`
-		systemd_passwd_agent_exec($1)
-		systemd_read_fifo_file_passwd_run($1)
-	')
 ')
diff --git a/policy/modules/contrib/lsm.te b/policy/modules/contrib/lsm.te
index 14fe4d7..7f0ca47 100644
--- a/policy/modules/contrib/lsm.te
+++ b/policy/modules/contrib/lsm.te
@@ -12,15 +12,12 @@ init_daemon_domain(lsmd_t, lsmd_exec_t)
 type lsmd_var_run_t;
 files_pid_file(lsmd_var_run_t)
 
-type lsmd_unit_file_t;
-systemd_unit_file(lsmd_unit_file_t)
-
 ########################################
 #
-# lsmd local policy
+# Local policy
 #
-allow lsmd_t self:capability { setgid };
-allow lsmd_t self:process { fork };
+
+allow lsmd_t self:capability setgid;
 allow lsmd_t self:unix_stream_socket create_stream_socket_perms;
 
 manage_dirs_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)