commit: 39547652cd07ae3611419261d255128aa1f436e8 Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> AuthorDate: Fri Nov 28 10:13:54 2014 +0000 Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org> CommitDate: Fri Nov 28 10:22:30 2014 +0000 URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=39547652
Fix bug 529204 - Support a dhcpc_script_t domain We introduce an executable domain (dhcpc_script_t) through which the hooks can be executed for the DHCP clients. This domain is separate in order to keep the privileges of the application small, but also because this domain will execute commands that are not in the responsibility of the DHCP client code itself (code-wise) but is provided by administrators. Security-wise, as these are scripts, it is more difficult to guarantee correctness. As such, we want to isolate these privileges into its own domain. The domain will have basic privileges to support the majority of installations, but we also include a sysnet_dhcpc_script_entry() interface so that domain transitions can be easily added without the need for augmenting the privileges of the dhcpc_script_t domain. --- policy/modules/kernel/corecommands.fc | 2 +- policy/modules/system/sysnetwork.fc | 3 +++ policy/modules/system/sysnetwork.te | 32 ++++++++++++++++++++++++++++++++ 3 files changed, 36 insertions(+), 1 deletion(-) diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc index 406a11e..40fd54b 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -143,7 +143,7 @@ ifdef(`distro_debian',` /lib/upstart(/.*)? gen_context(system_u:object_r:bin_t,s0) ifdef(`distro_gentoo',` -/lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:bin_t,s0) +#/lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:bin_t,s0) /lib/rcscripts/addons(/.*)? gen_context(system_u:object_r:bin_t,s0) /lib/rcscripts/sh(/.*)? gen_context(system_u:object_r:bin_t,s0) diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc index fbb935c..b1c6404 100644 --- a/policy/modules/system/sysnetwork.fc +++ b/policy/modules/system/sysnetwork.fc @@ -80,3 +80,6 @@ ifdef(`distro_debian',` /var/run/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0) ') +ifdef(`distro_gentoo',` +/lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:dhcpc_script_exec_t,s0) +') diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te index 3576536..fad8fce 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te @@ -422,4 +422,36 @@ ifdef(`distro_gentoo',` optional_policy(` resolvconf_client_domain(dhcpc_t) ') + + ######################################### + # + # dhcpc_script_t + # + + # The purpose of the dhcpc_script_t domain is to handle the post-processing of + # the dhcpcd ip renewal. dhcpcd (the tool) supports hooks for this, and I would + # assume others do as well. With the dhcpc_script_t domain we can isolate the + # privileges of the DHCP client itself from the hooks / flexibility that the developers + # introduced. + + type dhcpc_script_t; + domain_type(dhcpc_script_t) + role dhcpc_roles types dhcpc_script_t; + + type dhcpc_script_exec_t; + domain_entry_file(dhcpc_script_t, dhcpc_script_exec_t) + + type dhcpc_script_tmp_t; + files_tmp_file(dhcpc_script_tmp_t) + + ######################################## + # + # dhcpc script policy + # + + manage_files_pattern(dhcpc_script_t, dhcpc_script_tmp_t, dhcpc_script_tmp_t) + files_tmp_filetrans(dhcpc_script_t, dhcpc_script_tmp_t, { file dir }) + + corecmd_exec_bin(dhcpc_script_t) + corecmd_exec_shell(dhcpc_script_t) ')