commit: 39e89f54a2b3cf6c3214d1da79e20c51198ab730 Author: cgzones <cgzones <AT> googlemail <DOT> com> AuthorDate: Thu Jan 5 18:49:14 2017 +0000 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> CommitDate: Tue Feb 21 07:08:44 2017 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=39e89f54
vnstatd: update module policy/modules/contrib/vnstatd.fc | 12 +++++++----- policy/modules/contrib/vnstatd.if | 11 +++++------ policy/modules/contrib/vnstatd.te | 36 ++++++++++++++++++++++++------------ 3 files changed, 36 insertions(+), 23 deletions(-) diff --git a/policy/modules/contrib/vnstatd.fc b/policy/modules/contrib/vnstatd.fc index e15b7ea7..400d7f76 100644 --- a/policy/modules/contrib/vnstatd.fc +++ b/policy/modules/contrib/vnstatd.fc @@ -1,12 +1,14 @@ -/etc/rc\.d/init\.d/vnstat -- gen_context(system_u:object_r:vnstatd_initrc_exec_t,s0) +/etc/rc\.d/init\.d/vnstat -- gen_context(system_u:object_r:vnstatd_initrc_exec_t,s0) -/usr/bin/vnstat -- gen_context(system_u:object_r:vnstat_exec_t,s0) +/run/vnstat.* gen_context(system_u:object_r:vnstatd_pid_t,s0) -/usr/sbin/vnstatd -- gen_context(system_u:object_r:vnstatd_exec_t,s0) +/usr/bin/vnstat -- gen_context(system_u:object_r:vnstat_exec_t,s0) -/var/lib/vnstat(/.*)? gen_context(system_u:object_r:vnstatd_var_lib_t,s0) +/usr/lib/systemd/system/vnstat\.service -- gen_context(system_u:object_r:vnstatd_unit_t,s0) -/run/vnstat.* gen_context(system_u:object_r:vnstatd_var_run_t,s0) +/usr/sbin/vnstatd -- gen_context(system_u:object_r:vnstatd_exec_t,s0) + +/var/lib/vnstat(/.*)? gen_context(system_u:object_r:vnstatd_var_lib_t,s0) ifdef(`distro_gentoo',` # Fix bug 528602 - name is vnstatd in Gentoo diff --git a/policy/modules/contrib/vnstatd.if b/policy/modules/contrib/vnstatd.if index 7ec9bd0f..2d863cb2 100644 --- a/policy/modules/contrib/vnstatd.if +++ b/policy/modules/contrib/vnstatd.if 
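Review bot: The new `/run/vnstat.*` entry for vnstatd_pid_t carries no file-type field, so it also labels directories and sockets under /run that match that prefix, while the .te side of this commit drops the directory rules for the pid type and transitions only `file`. If the daemon writes nothing but a pid file, restricting the entry to regular files keeps the two in step: `/run/vnstat.* -- gen_context(system_u:object_r:vnstatd_pid_t,s0)`. The `.*` suffix is also loose enough to match unrelated names such as /run/vnstat-foo; the exact pid file name is not visible here, so a tighter regex should be confirmed against what vnstatd actually creates. The `distro_gentoo` ifdef block at the end of the hunk continues past it.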
@@ -161,17 +161,16 @@ interface(`vnstatd_manage_lib_files',` # interface(`vnstatd_admin',` gen_require(` - type vnstatd_t, vnstatd_var_lib_t, vnstatd_initrc_exec_t; - type vnstatd_var_run_t; + type vnstatd_t, vnstatd_initrc_exec_t; + type vnstatd_pid_t, vnstatd_unit_t, vnstatd_var_lib_t; ') - allow $1 vnstatd_t:process { ptrace signal_perms }; - ps_process_pattern($1, vnstatd_t) + admin_process_pattern($1, vnstatd_t) - init_startstop_service($1, $2, vnstatd_t, vnstatd_initrc_exec_t) + init_startstop_service($1, $2, vnstatd_t, vnstatd_initrc_exec_t, vnstatd_unit_t) files_search_pids($1) - admin_pattern($1, vnstatd_var_run_t) + admin_pattern($1, vnstatd_pid_t) files_list_var_lib($1) admin_pattern($1, vnstatd_var_lib_t) diff --git a/policy/modules/contrib/vnstatd.te b/policy/modules/contrib/vnstatd.te index 306bac94..220a2b21 100644 --- a/policy/modules/contrib/vnstatd.te +++ b/policy/modules/contrib/vnstatd.te @@ -19,12 +19,16 @@ init_daemon_domain(vnstatd_t, vnstatd_exec_t) type vnstatd_initrc_exec_t; init_script_file(vnstatd_initrc_exec_t) +type vnstatd_pid_t; +typealias vnstatd_pid_t alias vnstatd_var_run_t; +files_pid_file(vnstatd_pid_t) + +type vnstatd_unit_t; +init_unit_file(vnstatd_unit_t) + type vnstatd_var_lib_t; files_type(vnstatd_var_lib_t) -type vnstatd_var_run_t; -files_pid_file(vnstatd_var_run_t) - ######################################## # # Daemon local policy 
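Review bot: The `typealias vnstatd_pid_t alias vnstatd_var_run_t;` line is what keeps any out-of-tree policy that still references the old name resolving, and nothing says so; a one-line comment above it would stop a later cleanup from dropping it, e.g. `# vnstatd_var_run_t: compatibility alias for policy still using the pre-rename name`. Because the alias makes both names the same type, vnstatd_admin's switch to vnstatd_pid_t in vnstatd.if changes nothing in the compiled policy, which is worth stating for whoever reviews the rename.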
@@ -34,20 +38,20 @@ allow vnstatd_t self:process signal; allow vnstatd_t self:fifo_file rw_fifo_file_perms; allow vnstatd_t self:unix_stream_socket { accept listen }; +manage_files_pattern(vnstatd_t, vnstatd_pid_t, vnstatd_pid_t) +files_pid_filetrans(vnstatd_t, vnstatd_pid_t, file) + manage_dirs_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t) manage_files_pattern(vnstatd_t, vnstatd_var_lib_t, vnstatd_var_lib_t) -files_var_lib_filetrans(vnstatd_t, vnstatd_var_lib_t, { dir file }) - -manage_files_pattern(vnstatd_t, vnstatd_var_run_t, vnstatd_var_run_t) -manage_dirs_pattern(vnstatd_t, vnstatd_var_run_t, vnstatd_var_run_t) -files_pid_filetrans(vnstatd_t, vnstatd_var_run_t, { dir file }) kernel_read_network_state(vnstatd_t) kernel_read_system_state(vnstatd_t) -domain_use_interactive_fds(vnstatd_t) +# read /sys/class/net/eth0 +dev_read_sysfs(vnstatd_t) files_read_etc_files(vnstatd_t) +files_search_var_lib(vnstatd_t) fs_getattr_xattr_fs(vnstatd_t) 
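Review bot: With `files_var_lib_filetrans(vnstatd_t, vnstatd_var_lib_t, { dir file })` gone and only `files_search_var_lib(vnstatd_t)` added in its place, a /var/lib/vnstat directory created by the daemon itself on first start would inherit var_lib_t from its parent rather than vnstatd_var_lib_t, and the manage_*_pattern rules just above would then not apply to it. If the package always ships the directory this is fine; otherwise a named transition such as `files_var_lib_filetrans(vnstatd_t, vnstatd_var_lib_t, dir, "vnstat")` covers the first-start case without the unnamed `{ dir file }` form that was removed. The added `# read /sys/class/net/eth0` comment (here and again in the vnstat_t hunk below) names a single interface; `# read /sys/class/net/<iface>` describes what the dev_read_sysfs rule is actually for.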
@@ -60,27 +64,35 @@ miscfiles_read_localization(vnstatd_t) # Client local policy # +# dac_override : write /var/lib/vnstat/* +allow vnstat_t self:capability dac_override; allow vnstat_t self:process signal; allow vnstat_t self:fifo_file rw_fifo_file_perms; allow vnstat_t self:unix_stream_socket { accept listen }; manage_dirs_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t) manage_files_pattern(vnstat_t, vnstatd_var_lib_t, vnstatd_var_lib_t) -files_var_lib_filetrans(vnstat_t, vnstatd_var_lib_t, { dir file }) kernel_read_network_state(vnstat_t) kernel_read_system_state(vnstat_t) +# read /sys/class/net/eth0 +dev_read_sysfs(vnstat_t) + domain_use_interactive_fds(vnstat_t) +files_dontaudit_search_home(vnstat_t) files_read_etc_files(vnstat_t) +files_search_var_lib(vnstat_t) fs_getattr_xattr_fs(vnstat_t) -logging_send_syslog_msg(vnstat_t) - miscfiles_read_localization(vnstat_t) +userdom_dontaudit_search_user_home_dirs(vnstat_t) + +userdom_use_user_terminals(vnstat_t) + optional_policy(` cron_system_entry(vnstat_t, vnstat_exec_t) ')
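Review bot: `allow vnstat_t self:capability dac_override;` is a broad grant for a client tool: it lets a root-run vnstat bypass discretionary permissions on every file its type is otherwise allowed to reach, not only /var/lib/vnstat/*, so the `# dac_override : write /var/lib/vnstat/*` comment understates the scope. The denial it addresses presumably comes from root invoking the client against database files owned by the daemon's unprivileged user; if so, the comment should say that, and arranging ownership or group-write access on the database for that use would remove the need for the capability altogether. If the capability is kept, confirm the failing access really is a write, since `dac_read_search` is the narrower permission when only reads are denied.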