commit:     39547652cd07ae3611419261d255128aa1f436e8
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Nov 28 10:13:54 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Nov 28 10:22:30 2014 +0000
URL:        
http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=39547652

Fix bug 529204 - Support a dhcpc_script_t domain

We introduce an executable domain (dhcpc_script_t) through which the
hooks can be executed for the DHCP clients. This domain is separate in
order to keep the privileges of the application small, but also because
this domain will execute commands that are not the responsibility of
the DHCP client code itself (code-wise) but are provided by
administrators.

Security-wise, as these are scripts, it is more difficult to guarantee
correctness. As such, we want to isolate these privileges into its own
domain.

The domain will have basic privileges to support the majority of
installations, but we also include a sysnet_dhcpc_script_entry()
interface so that domain transitions can be easily added without the
need for augmenting the privileges of the dhcpc_script_t domain.

---
 policy/modules/kernel/corecommands.fc |  2 +-
 policy/modules/system/sysnetwork.fc   |  3 +++
 policy/modules/system/sysnetwork.te   | 32 ++++++++++++++++++++++++++++++++
 3 files changed, 36 insertions(+), 1 deletion(-)

diff --git a/policy/modules/kernel/corecommands.fc 
b/policy/modules/kernel/corecommands.fc
index 406a11e..40fd54b 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -143,7 +143,7 @@ ifdef(`distro_debian',`
 /lib/upstart(/.*)?                     gen_context(system_u:object_r:bin_t,s0)
 
 ifdef(`distro_gentoo',`
-/lib/dhcpcd/dhcpcd-run-hooks   --      gen_context(system_u:object_r:bin_t,s0)
+#/lib/dhcpcd/dhcpcd-run-hooks  --      gen_context(system_u:object_r:bin_t,s0)
 
 /lib/rcscripts/addons(/.*)?            gen_context(system_u:object_r:bin_t,s0)
 /lib/rcscripts/sh(/.*)?                        
gen_context(system_u:object_r:bin_t,s0)
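Review bot: The old bin_t entry for /lib/dhcpcd/dhcpcd-run-hooks is commented out rather than removed, which leaves a dead file-context line with no explanation of where the path is labeled now. Either delete the line or replace it with a pointer such as `# /lib/dhcpcd/dhcpcd-run-hooks is labeled dhcpc_script_exec_t in sysnetwork.fc`. Existing installations keep the bin_t label on disk until the file is relabeled, which is worth stating in the commit message. The distro_gentoo ifdef block continues past the end of the hunk.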

diff --git a/policy/modules/system/sysnetwork.fc 
b/policy/modules/system/sysnetwork.fc
index fbb935c..b1c6404 100644
--- a/policy/modules/system/sysnetwork.fc
+++ b/policy/modules/system/sysnetwork.fc
@@ -80,3 +80,6 @@ ifdef(`distro_debian',`
 /var/run/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
 ')
 
+ifdef(`distro_gentoo',`
+/lib/dhcpcd/dhcpcd-run-hooks   --      
gen_context(system_u:object_r:dhcpc_script_exec_t,s0)
+')

diff --git a/policy/modules/system/sysnetwork.te 
b/policy/modules/system/sysnetwork.te
index 3576536..fad8fce 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -422,4 +422,36 @@ ifdef(`distro_gentoo',`
        optional_policy(`
                resolvconf_client_domain(dhcpc_t)
        ')
+
+       #########################################
+       #
+       # dhcpc_script_t
+       #
+
+       # The purpose of the dhcpc_script_t domain is to handle the 
post-processing of 
+       # the dhcpcd ip renewal. dhcpcd (the tool) supports hooks for this, and 
I would
+       # assume others do as well. With the dhcpc_script_t domain we can 
isolate the
+       # privileges of the DHCP client itself from the hooks / flexibility 
that the developers
+       # introduced.
+
+       type dhcpc_script_t;
+       domain_type(dhcpc_script_t)
+       role dhcpc_roles types dhcpc_script_t;
+
+       type dhcpc_script_exec_t;
+       domain_entry_file(dhcpc_script_t, dhcpc_script_exec_t)
+
+       type dhcpc_script_tmp_t;
+       files_tmp_file(dhcpc_script_tmp_t)
+
+       ########################################
+       #
+       # dhcpc script policy
+       #
+
+       manage_files_pattern(dhcpc_script_t, dhcpc_script_tmp_t, 
dhcpc_script_tmp_t)
+       files_tmp_filetrans(dhcpc_script_t, dhcpc_script_tmp_t, { file dir })
+
+       corecmd_exec_bin(dhcpc_script_t)
+       corecmd_exec_shell(dhcpc_script_t)
 ')
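Review bot: Nothing in this hunk lets dhcpc_t enter the new domain, because `domain_entry_file(dhcpc_script_t, dhcpc_script_exec_t)` only marks the entry point and no transition rule from dhcpc_t is added. The types are declared here and the diffstat shows this as the only change to sysnetwork.te, so the hook relabeled to dhcpc_script_exec_t in sysnetwork.fc would presumably either be denied or run outside the intended confinement. Consider adding `domtrans_pattern(dhcpc_t, dhcpc_script_exec_t, dhcpc_script_t)` after the `domain_entry_file` line. The description also mentions a sysnet_dhcpc_script_entry() interface, but no .if file appears in the diffstat. The enclosing distro_gentoo ifdef block starts outside the hunk.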
