From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id 114531381F3 for ; Mon, 23 Sep 2013 13:31:52 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id F036EE0AAC; Mon, 23 Sep 2013 13:31:45 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 2E06AE0AD0 for ; Mon, 23 Sep 2013 13:31:45 +0000 (UTC) Received: from hornbill.gentoo.org (hornbill.gentoo.org [94.100.119.163]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 0E4FE33ED6A for ; Mon, 23 Sep 2013 13:31:44 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by hornbill.gentoo.org (Postfix) with ESMTP id F0973E5465 for ; Mon, 23 Sep 2013 13:31:41 +0000 (UTC) 
From: "Sven Vermeulen"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen"
Message-ID: <1379917639.d8ad674f9b897235cd243b9a37543bcfedb71d6e.SwifT@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/contrib/lsm.fc policy/modules/contrib/lsm.if policy/modules/contrib/lsm.te
X-VCS-Directories: policy/modules/contrib/
X-VCS-Committer: SwifT
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: d8ad674f9b897235cd243b9a37543bcfedb71d6e
X-VCS-Branch: master
Date: Mon, 23 Sep 2013 13:31:41 +0000 (UTC)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: 66073480-27d8-42b2-9155-9fd51e1989d3
X-Archives-Hash: 59fccb4619c5e0b56839804b2aecb7d1
Message-ID: <20130923133141.X9jPbY1ffepjKcSNiJr2860lbH9sSjZ5MUskxsGaXFQ@z>
commit: d8ad674f9b897235cd243b9a37543bcfedb71d6e
Author: Dominick Grift gmail com>
AuthorDate: Thu Sep 19 17:39:39 2013 +0000
Commit: Sven Vermeulen siphos be>
CommitDate: Mon Sep 23 06:27:19 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=d8ad674f
Clean up libstoragemngmt policy module
We do not yet support systemd
Signed-off-by: Dominick Grift gmail.com>
---
policy/modules/contrib/lsm.fc | 4 +--
policy/modules/contrib/lsm.if | 79 ++-----------------------------------------
policy/modules/contrib/lsm.te | 9 ++---
3 files changed, 7 insertions(+), 85 deletions(-)
diff --git a/policy/modules/contrib/lsm.fc b/policy/modules/contrib/lsm.fc
index 711c04b..51777c1 100644
--- a/policy/modules/contrib/lsm.fc
+++ b/policy/modules/contrib/lsm.fc
@@ -1,5 +1,3 @@
-/usr/bin/lsmd -- gen_context(system_u:object_r:lsmd_exec_t,s0)
-
-/usr/lib/systemd/system/libstoragemgmt.* -- gen_context(system_u:object_r:lsmd_unit_file_t,s0)
+/usr/bin/lsmd -- gen_context(system_u:object_r:lsmd_exec_t,s0)
 /var/run/lsm(/.*)? -- gen_context(system_u:object_r:lsmd_var_run_t,s0)
 
diff --git a/policy/modules/contrib/lsm.if b/policy/modules/contrib/lsm.if
index f3e94d7..d314333 100644
--- a/policy/modules/contrib/lsm.if
+++ b/policy/modules/contrib/lsm.if
@@ -1,72 +1,9 @@
-
-## lsmd SELINUX policy
-
-########################################
-##
-## Execute TEMPLATE in the lsmd domin.
-##
-##
-##
-## Domain allowed to transition.
-##
-##
-#
-interface(`lsmd_domtrans',`
- gen_require(`
- type lsmd_t, lsmd_exec_t;
- ')
-
- corecmd_search_bin($1)
- domtrans_pattern($1, lsmd_exec_t, lsmd_t)
-')
-########################################
-##
-## Read lsmd PID files.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`lsmd_read_pid_files',`
- gen_require(`
- type lsmd_var_run_t;
- ')
-
- files_search_pids($1)
- read_files_pattern($1, lsmd_var_run_t, lsmd_var_run_t)
-')
-
-########################################
-##
-## Execute lsmd server in the lsmd domain.
-##
-##
-##
-## Domain allowed to transition.
-##
-##
-#
-interface(`lsmd_systemctl',`
- gen_require(`
- type lsmd_t;
- type lsmd_unit_file_t;
- ')
-
- systemd_exec_systemctl($1)
- systemd_read_fifo_file_password_run($1)
- allow $1 lsmd_unit_file_t:file read_file_perms;
- allow $1 lsmd_unit_file_t:service manage_service_perms;
-
- ps_process_pattern($1, lsmd_t)
-')
-
+## Storage array management library.
 ########################################
 ##
 ## All of the rules required to administrate
-## an lsmd environment
+## an lsmd environment.
 ##
 ##
 ##
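Review bot: Removing `lsmd_domtrans` and `lsmd_read_pid_files` in the lsm.if hunk goes beyond the stated reason for the commit; neither interface has any systemd dependency, and dropping them leaves this module with no supported way for another domain to transition into lsmd_t or to read its PID files. Any policy outside this module that still calls either interface will no longer build; the diffstat shows no other file touched, so presumably there are no callers, but that is worth confirming before merging. If the removal is intended, the commit message should say so; otherwise I would keep both interfaces and drop only `lsmd_systemctl`. The `lsmd_admin` interface that the hunk tails into continues in the following hunk.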
@@ -82,9 +19,7 @@ interface(`lsmd_systemctl',`
 #
 interface(`lsmd_admin',`
 gen_require(`
- type lsmd_t;
- type lsmd_var_run_t;
- type lsmd_unit_file_t;
+ type lsmd_t, type lsmd_var_run_t;
 ')
 
 allow $1 lsmd_t:process { ptrace signal_perms };
@@ -92,12 +27,4 @@ interface(`lsmd_admin',`
 
 files_search_pids($1)
 admin_pattern($1, lsmd_var_run_t)
-
- lsmd_systemctl($1)
- admin_pattern($1, lsmd_unit_file_t)
- allow $1 lsmd_unit_file_t:service all_service_perms;
- optional_policy(`
- systemd_passwd_agent_exec($1)
- systemd_read_fifo_file_passwd_run($1)
- ')
 ')
diff --git a/policy/modules/contrib/lsm.te b/policy/modules/contrib/lsm.te
index 14fe4d7..7f0ca47 100644
--- a/policy/modules/contrib/lsm.te
+++ b/policy/modules/contrib/lsm.te
@@ -12,15 +12,12 @@ init_daemon_domain(lsmd_t, lsmd_exec_t)
 type lsmd_var_run_t;
 files_pid_file(lsmd_var_run_t)
 
-type lsmd_unit_file_t;
-systemd_unit_file(lsmd_unit_file_t)
-
 ########################################
 #
-# lsmd local policy
+# Local policy
 #
-allow lsmd_t self:capability { setgid };
-allow lsmd_t self:process { fork };
+
+allow lsmd_t self:capability setgid;
 allow lsmd_t self:unix_stream_socket create_stream_socket_perms;
 
 manage_dirs_pattern(lsmd_t, lsmd_var_run_t, lsmd_var_run_t)
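Review bot: The rewritten gen_require line in the first lsm.if hunk, `type lsmd_t, type lsmd_var_run_t;`, is not valid policy syntax: a `type` declaration names the keyword once and lists the types comma-separated, so it should read `type lsmd_t, lsmd_var_run_t;`. As written, expanding lsmd_admin() from any calling policy will fail to compile, which makes the one interface this module still exports unusable until it is corrected. The body of lsmd_admin continues into the second lsm.if hunk, which itself looks consistent once the unit-file rules are gone.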
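Review bot: The lsm.te hunk drops `allow lsmd_t self:process { fork };` without a replacement, although the commit message only mentions systemd support. Unless `fork` is already granted to every domain by the base domain rules in the kernel layer — I believe it is in refpolicy, but that cannot be verified from this module alone — lsmd will be denied fork in enforcing mode. Either confirm that before merging or keep the rule, e.g. `allow lsmd_t self:process fork;` next to the new `allow lsmd_t self:capability setgid;`. Rewriting `{ setgid }` as `setgid` is a harmless style change.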