commit: 14d4ab23ddd8ab4d3d294aff25caa09298623448 Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> AuthorDate: Fri Nov 28 10:13:54 2014 +0000 Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org> CommitDate: Fri Nov 28 11:15:23 2014 +0000 URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=14d4ab23
Fix bug 529204 - Support a dhcpc_script_t domain We introduce an executable domain (dhcpc_script_t) through which the hooks can be executed for the DHCP clients. This domain is separate in order to keep the privileges of the application small, but also because this domain will execute commands that are not in the responsibility of the DHCP client code itself (code-wise) but is provided by administrators. Security-wise, as these are scripts, it is more difficult to guarantee correctness. As such, we want to isolate these privileges into its own domain. The domain will have basic privileges to support the majority of installations, but we also include a sysnet_dhcpc_script_entry() interface so that domain transitions can be easily added without the need for augmenting the privileges of the dhcpc_script_t domain. --- policy/modules/kernel/corecommands.fc | 2 +- policy/modules/system/sysnetwork.fc | 1 + policy/modules/system/sysnetwork.te | 46 +++++++++++++++++++++++++++++++++++ 3 files changed, 48 insertions(+), 1 deletion(-) diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc index 406a11e..40fd54b 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -143,7 +143,7 @@ ifdef(`distro_debian',` /lib/upstart(/.*)? gen_context(system_u:object_r:bin_t,s0) ifdef(`distro_gentoo',` -/lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:bin_t,s0) +#/lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:bin_t,s0) /lib/rcscripts/addons(/.*)? gen_context(system_u:object_r:bin_t,s0) /lib/rcscripts/sh(/.*)? gen_context(system_u:object_r:bin_t,s0) diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc index a809d61..d9b674e 100644 --- a/policy/modules/system/sysnetwork.fc +++ b/policy/modules/system/sysnetwork.fc @@ -81,6 +81,7 @@ ifdef(`distro_debian',` ') ifdef(`distro_gentoo',` +/lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:dhcpc_script_exec_t,s0) /var/run/dhcpcd\.sock -s gen_context(system_u:object_r:dhcpc_var_run_t,s0) /var/run/dhcpcd\.unpriv\.sock -s gen_context(system_u:object_r:dhcpc_var_run_t,s0) ') diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te index 3576536..8adbcfa 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te @@ -422,4 +422,50 @@ ifdef(`distro_gentoo',` optional_policy(` resolvconf_client_domain(dhcpc_t) ') + + ######################################### + # + # dhcpc_script_t + # + + # The purpose of the dhcpc_script_t domain is to handle the post-processing of + # the dhcpcd ip renewal. dhcpcd (the tool) supports hooks for this, and I would + # assume others do as well. With the dhcpc_script_t domain we can isolate the + # privileges of the DHCP client itself from the hooks / flexibility that the developers + # introduced. + + type dhcpc_script_t; + domain_type(dhcpc_script_t) + role dhcpc_roles types dhcpc_script_t; + + type dhcpc_script_exec_t; + domain_entry_file(dhcpc_script_t, dhcpc_script_exec_t) + + type dhcpc_script_tmp_t; + files_tmp_file(dhcpc_script_tmp_t) + + ######################################## + # + # dhcpc script policy + # + + allow dhcpc_script_t self:fifo_file rw_fifo_file_perms; + + manage_files_pattern(dhcpc_script_t, dhcpc_script_tmp_t, dhcpc_script_tmp_t) + files_tmp_filetrans(dhcpc_script_t, dhcpc_script_tmp_t, { file dir }) + + manage_files_pattern(dhcpc_script_t, dhcpc_var_run_t, dhcpc_var_run_t) + files_pid_filetrans(dhcpc_script_t, dhcpc_var_run_t, { file dir }) + + corecmd_exec_bin(dhcpc_script_t) + corecmd_exec_shell(dhcpc_script_t) + + # Perhaps sysnet_domtrans_dhcpc_script could be used instead and positioned in the dhcpc_t section + domtrans_pattern(dhcpc_t, dhcpc_script_exec_t, dhcpc_script_t) + + sysnet_manage_config(dhcpc_script_t) + + optional_policy(` + ntp_manage_config(dhcpc_script_t) + ') ')