commit: c4d741a059de129238da9d8f669085cd216973c6 Author: Jason Zaman <jason <AT> perfinion <DOT> com> AuthorDate: Thu Mar 30 07:15:39 2017 +0000 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> CommitDate: Sun Sep 10 13:53:30 2017 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c4d741a0
gssproxy: add policy borrowed and modified from Fedora policy/modules/contrib/gssproxy.fc | 8 ++ policy/modules/contrib/gssproxy.if | 199 +++++++++++++++++++++++++++++++++++++ policy/modules/contrib/gssproxy.te | 67 +++++++++++++ 3 files changed, 274 insertions(+) diff --git a/policy/modules/contrib/gssproxy.fc b/policy/modules/contrib/gssproxy.fc new file mode 100644 index 00000000..a9970159 --- /dev/null +++ b/policy/modules/contrib/gssproxy.fc @@ -0,0 +1,8 @@ +/usr/lib/systemd/system/gssproxy.service -- gen_context(system_u:object_r:gssproxy_unit_t,s0) + +/usr/sbin/gssproxy -- gen_context(system_u:object_r:gssproxy_exec_t,s0) + +/var/lib/gssproxy(/.*)? gen_context(system_u:object_r:gssproxy_var_lib_t,s0) + +/run/gssproxy\.pid -- gen_context(system_u:object_r:gssproxy_run_t,s0) +/run/gssproxy\.sock -s gen_context(system_u:object_r:gssproxy_run_t,s0) diff --git a/policy/modules/contrib/gssproxy.if b/policy/modules/contrib/gssproxy.if new file mode 100644 index 00000000..cebdb20b --- /dev/null +++ b/policy/modules/contrib/gssproxy.if @@ -0,0 +1,199 @@ + +## <summary>policy for gssproxy</summary> + +######################################## +## <summary> +## Execute gssproxy in the gssproxy domin. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`gssproxy_domtrans',` + gen_require(` + type gssproxy_t, gssproxy_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, gssproxy_exec_t, gssproxy_t) +') + +######################################## +## <summary> +## Search gssproxy lib directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`gssproxy_search_lib',` + gen_require(` + type gssproxy_var_lib_t; + ') + + allow $1 gssproxy_var_lib_t:dir search_dir_perms; + files_search_var_lib($1) +') + +######################################## +## <summary> +## Read gssproxy lib files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`gssproxy_read_lib_files',` + gen_require(` + type gssproxy_var_lib_t; + ') + + files_search_var_lib($1) + read_files_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t) +') + +######################################## +## <summary> +## Manage gssproxy lib files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`gssproxy_manage_lib_files',` + gen_require(` + type gssproxy_var_lib_t; + ') + + files_search_var_lib($1) + manage_files_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t) +') + +######################################## +## <summary> +## Manage gssproxy lib directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`gssproxy_manage_lib_dirs',` + gen_require(` + type gssproxy_var_lib_t; + ') + + files_search_var_lib($1) + manage_dirs_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t) +') + +######################################## +## <summary> +## Read gssproxy PID files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`gssproxy_read_pid_files',` + gen_require(` + type gssproxy_run_t; + ') + + files_search_pids($1) + read_files_pattern($1, gssproxy_run_t, gssproxy_run_t) +') + +######################################## +## <summary> +## Execute gssproxy server in the gssproxy domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`gssproxy_systemctl',` + gen_require(` + type gssproxy_t; + type gssproxy_unit_t; + ') + + systemd_exec_systemctl($1) + init_reload_services($1) + allow $1 gssproxy_unit_t:file read_file_perms; + allow $1 gssproxy_unit_t:service manage_service_perms; + + ps_process_pattern($1, gssproxy_t) +') + +######################################## +## <summary> +## Connect to gssproxy over an unix +## domain stream socket. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`gssproxy_stream_connect',` + gen_require(` + type gssproxy_t, gssproxy_run_t, gssproxy_var_lib_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, gssproxy_run_t, gssproxy_run_t, gssproxy_t) + stream_connect_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t, gssproxy_t) +') + +######################################## +## <summary> +## All of the rules required to administrate +## an gssproxy environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`gssproxy_admin',` + gen_require(` + type gssproxy_t; + type gssproxy_var_lib_t; + type gssproxy_run_t; + type gssproxy_unit_t; + ') + + allow $1 gssproxy_t:process { ptrace signal_perms }; + ps_process_pattern($1, gssproxy_t) + + files_search_var_lib($1) + admin_pattern($1, gssproxy_var_lib_t) + + files_search_pids($1) + admin_pattern($1, gssproxy_run_t) + + gssproxy_systemctl($1) + admin_pattern($1, gssproxy_unit_t) + allow $1 gssproxy_unit_t:service all_service_perms; + optional_policy(` + systemd_passwd_agent_exec($1) + systemd_read_fifo_file_passwd_run($1) + ') +') diff --git a/policy/modules/contrib/gssproxy.te b/policy/modules/contrib/gssproxy.te new file mode 100644 index 00000000..20027689 --- /dev/null +++ b/policy/modules/contrib/gssproxy.te @@ -0,0 +1,67 @@ +policy_module(gssproxy, 1.0.0) + +######################################## +# +# Declarations +# + +type gssproxy_t; +type gssproxy_exec_t; +init_daemon_domain(gssproxy_t, gssproxy_exec_t) + +type gssproxy_var_lib_t; +files_type(gssproxy_var_lib_t) + +type gssproxy_run_t; +files_pid_file(gssproxy_run_t) + +type gssproxy_unit_t; +init_unit_file(gssproxy_unit_t) + +######################################## +# +# gssproxy local policy +# +allow gssproxy_t self:capability { setuid setgid }; +allow gssproxy_t self:capability2 block_suspend; +allow gssproxy_t self:fifo_file rw_fifo_file_perms; +allow gssproxy_t self:unix_stream_socket create_stream_socket_perms; + +manage_dirs_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t) +manage_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t) +manage_sock_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t) +manage_lnk_files_pattern(gssproxy_t, gssproxy_var_lib_t, gssproxy_var_lib_t) +files_var_lib_filetrans(gssproxy_t, gssproxy_var_lib_t, { dir file lnk_file }) + +manage_dirs_pattern(gssproxy_t, gssproxy_run_t, gssproxy_run_t) +manage_files_pattern(gssproxy_t, gssproxy_run_t, gssproxy_run_t) +manage_sock_files_pattern(gssproxy_t, gssproxy_run_t, gssproxy_run_t) +manage_lnk_files_pattern(gssproxy_t, gssproxy_run_t, gssproxy_run_t) +files_pid_filetrans(gssproxy_t, gssproxy_run_t, { dir file lnk_file sock_file }) + +kernel_rw_rpc_sysctls(gssproxy_t) + +domain_use_interactive_fds(gssproxy_t) + +files_read_etc_files(gssproxy_t) + +fs_getattr_all_fs(gssproxy_t) + +auth_use_nsswitch(gssproxy_t) + +dev_read_urand(gssproxy_t) + +logging_send_syslog_msg(gssproxy_t) + +miscfiles_read_localization(gssproxy_t) + +#userdom_read_all_users_keys(gssproxy_t) +userdom_manage_user_tmp_dirs(gssproxy_t) +userdom_manage_user_tmp_files(gssproxy_t) + +optional_policy(` + kerberos_filetrans_named_content(gssproxy_t) + kerberos_manage_host_rcache(gssproxy_t) + kerberos_read_keytab(gssproxy_t) + kerberos_use(gssproxy_t) +')