[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/kernel/, policy/modules/system/

Fri, 28 Nov 2014 03:16:54 -0800 

commit:     14d4ab23ddd8ab4d3d294aff25caa09298623448
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Nov 28 10:13:54 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Nov 28 11:15:23 2014 +0000
URL:        
http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=14d4ab23

Fix bug 529204 - Support a dhcpc_script_t domain

We introduce an executable domain (dhcpc_script_t) through which the
hooks can be executed for the DHCP clients. This domain is separate in
order to keep the privileges of the application small, but also because
this domain will execute commands that are not in the responsibility of
the DHCP client code itself (code-wise) but is provided by
administrators.

Security-wise, as these are scripts, it is more difficult to guarantee
correctness. As such, we want to isolate these privileges into its own
domain.

The domain will have basic privileges to support the majority of
installations, but we also include a sysnet_dhcpc_script_entry()
interface so that domain transitions can be easily added without the
need for augmenting the privileges of the dhcpc_script_t domain.

---
 policy/modules/kernel/corecommands.fc |  2 +-
 policy/modules/system/sysnetwork.fc   |  1 +
 policy/modules/system/sysnetwork.te   | 46 +++++++++++++++++++++++++++++++++++
 3 files changed, 48 insertions(+), 1 deletion(-)

diff --git a/policy/modules/kernel/corecommands.fc 
b/policy/modules/kernel/corecommands.fc
index 406a11e..40fd54b 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -143,7 +143,7 @@ ifdef(`distro_debian',`
 /lib/upstart(/.*)?                     gen_context(system_u:object_r:bin_t,s0)
 
 ifdef(`distro_gentoo',`
-/lib/dhcpcd/dhcpcd-run-hooks   --      gen_context(system_u:object_r:bin_t,s0)
+#/lib/dhcpcd/dhcpcd-run-hooks  --      gen_context(system_u:object_r:bin_t,s0)
 
 /lib/rcscripts/addons(/.*)?            gen_context(system_u:object_r:bin_t,s0)
 /lib/rcscripts/sh(/.*)?                        
gen_context(system_u:object_r:bin_t,s0)

diff --git a/policy/modules/system/sysnetwork.fc 
b/policy/modules/system/sysnetwork.fc
index a809d61..d9b674e 100644
--- a/policy/modules/system/sysnetwork.fc
+++ b/policy/modules/system/sysnetwork.fc
@@ -81,6 +81,7 @@ ifdef(`distro_debian',`
 ')
 
 ifdef(`distro_gentoo',`
+/lib/dhcpcd/dhcpcd-run-hooks   --      
gen_context(system_u:object_r:dhcpc_script_exec_t,s0)
 /var/run/dhcpcd\.sock  -s      
gen_context(system_u:object_r:dhcpc_var_run_t,s0)
 /var/run/dhcpcd\.unpriv\.sock  -s      
gen_context(system_u:object_r:dhcpc_var_run_t,s0)
 ')

diff --git a/policy/modules/system/sysnetwork.te 
b/policy/modules/system/sysnetwork.te
index 3576536..8adbcfa 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -422,4 +422,50 @@ ifdef(`distro_gentoo',`
        optional_policy(`
                resolvconf_client_domain(dhcpc_t)
        ')
+
+       #########################################
+       #
+       # dhcpc_script_t
+       #
+
+       # The purpose of the dhcpc_script_t domain is to handle the 
post-processing of 
+       # the dhcpcd ip renewal. dhcpcd (the tool) supports hooks for this, and 
I would
+       # assume others do as well. With the dhcpc_script_t domain we can 
isolate the
+       # privileges of the DHCP client itself from the hooks / flexibility 
that the developers
+       # introduced.
+
+       type dhcpc_script_t;
+       domain_type(dhcpc_script_t)
+       role dhcpc_roles types dhcpc_script_t;
+
+       type dhcpc_script_exec_t;
+       domain_entry_file(dhcpc_script_t, dhcpc_script_exec_t)
+
+       type dhcpc_script_tmp_t;
+       files_tmp_file(dhcpc_script_tmp_t)
+
+       ########################################
+       #
+       # dhcpc script policy
+       #
+
+       allow dhcpc_script_t self:fifo_file rw_fifo_file_perms;
+
+       manage_files_pattern(dhcpc_script_t, dhcpc_script_tmp_t, 
dhcpc_script_tmp_t)
+       files_tmp_filetrans(dhcpc_script_t, dhcpc_script_tmp_t, { file dir })
+
+       manage_files_pattern(dhcpc_script_t, dhcpc_var_run_t, dhcpc_var_run_t)
+       files_pid_filetrans(dhcpc_script_t, dhcpc_var_run_t, { file dir })
+
+       corecmd_exec_bin(dhcpc_script_t)
+       corecmd_exec_shell(dhcpc_script_t)
+
+       # Perhaps sysnet_domtrans_dhcpc_script could be used instead and 
positioned in the dhcpc_t section
+       domtrans_pattern(dhcpc_t, dhcpc_script_exec_t, dhcpc_script_t)
+
+       sysnet_manage_config(dhcpc_script_t)
+
+       optional_policy(`
+               ntp_manage_config(dhcpc_script_t)
+       ')
 ')

Reply via email to