[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/kernel/, policy/modules/system/

2017-09-10 Thread Jason Zaman
commit: df80c8bf3a5c5e581370d75bf6ea5154a8b02b0b
Author: Jason Zaman  perfinion  com>
AuthorDate: Sun Sep 10 13:00:36 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Sep 10 13:00:36 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=df80c8bf

Allow sysadm to map all non auth files

 policy/modules/kernel/files.if  | 20 
 policy/modules/system/userdomain.if |  1 +
 2 files changed, 21 insertions(+)

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index f2b76f86..35dcfe7b 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1474,6 +1474,26 @@ interface(`files_manage_non_auth_files',`
 
 
 ## 
+## Mmap non-authentication related
+## files.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+## 
+#
+interface(`files_map_non_auth_files',`
+   gen_require(`
+   attribute non_auth_file_type;
+   ')
+
+   allow $1 non_auth_file_type:file map;
+')
+
+
+## 
 ## Relabel all non-authentication related
 ## files.
 ## 
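Review bot: The summary on the first two added lines says only "Mmap non-authentication related files", but the rule `allow $1 non_auth_file_type:file map;` grants `map` on the `file` class alone, and `map` is only useful to a caller that already holds read (and, for writable shared mappings, write) on those files; say so in the summary so readers know this complements `files_manage_non_auth_files` rather than standing on its own, e.g. `## Memory map (map permission, file class only) non-authentication related files; the caller still needs read/write access.` The XML tags of the documentation block appear to have been stripped in this rendering, so I cannot verify that the parameter block is intact.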

diff --git a/policy/modules/system/userdomain.if 
b/policy/modules/system/userdomain.if
index 84e9c57e..16789a3c 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1256,6 +1256,7 @@ template(`userdom_admin_user_template',`
auth_getattr_shadow($1_t)
# Manage almost all files
files_manage_non_auth_files($1_t)
+   files_map_non_auth_files($1_t)
# Relabel almost all files
files_relabel_non_auth_files($1_t)
 



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/kernel/, policy/modules/system/

2015-10-25 Thread Jason Zaman
commit: d92bdf260887935367802afbbaf25d399c020cd5
Author: Chris PeBenito  tresys  com>
AuthorDate: Fri Oct 23 14:16:59 2015 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Mon Oct 26 03:52:47 2015 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d92bdf26

Implement core systemd policy.

Significant contributions from the Tresys CLIP team.

Other changes from Laurent Bigonville.

 policy/modules/kernel/corecommands.fc |   2 +
 policy/modules/kernel/domain.te   |   6 +
 policy/modules/kernel/files.if| 172 ++
 policy/modules/kernel/filesystem.if   |  73 
 policy/modules/kernel/kernel.if   |  60 +++-
 policy/modules/kernel/terminal.if |  19 ++
 policy/modules/system/authlogin.if|  19 ++
 policy/modules/system/init.fc |   4 +
 policy/modules/system/init.if | 608 +-
 policy/modules/system/init.te | 176 +-
 policy/modules/system/locallogin.if   |  21 ++
 policy/modules/system/logging.if  |  38 +++
 policy/modules/system/lvm.if  |  20 ++
 policy/modules/system/systemd.fc  |  39 +++
 policy/modules/system/systemd.if  | 195 +++
 policy/modules/system/systemd.te  | 264 +++
 policy/modules/system/udev.if |  19 ++
 17 files changed, 1711 insertions(+), 24 deletions(-)

diff --git a/policy/modules/kernel/corecommands.fc 
b/policy/modules/kernel/corecommands.fc
index f465e43..b4e192a 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -242,6 +242,8 @@ ifdef(`distro_gentoo',`
 /usr/lib/rpm/rpmv  --  gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/sftp-server   --  gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/sudo/sesh --  
gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/lib/systemd/system-generators(/.*)? 
gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/systemd/user-generators(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/tumbler-1/tumblerd--  gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/vte/gnome-pty-helper  --  gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/xfce4/exo-1/exo-compose-mail-1 -- 
gen_context(system_u:object_r:bin_t,s0)

diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
index 451a1be..6c3ef60 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -115,6 +115,12 @@ ifdef(`hide_broken_symptoms',`
dontaudit domain self:udp_socket listen;
 ')
 
+ifdef(`init_systemd',`
+   optional_policy(`
+   shutdown_sigchld(domain)
+   ')
+')
+
 tunable_policy(`global_ssp',`
# enable reading of urandom for all domains:
# this should be enabled when all programs
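Review bot: The new `ifdef(`init_systemd'` block grants every domain `shutdown_sigchld(domain)` without a comment explaining why all domains need to send SIGCHLD to the shutdown domain, while the neighbouring `hide_broken_symptoms` and `global_ssp` blocks each carry one. Add a why-comment above the `optional_policy` line, e.g. `# <systemd behaviour that makes shutdown the parent of arbitrary domains>`, filled in with the actual reason. A rule on the `domain` attribute is the broadest scope in the policy, so the justification is worth recording even though sigchld itself carries little risk.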

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index dd16f74..cbb8afe 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -563,6 +563,24 @@ interface(`files_manage_non_security_dirs',`
 
 
 ## 
+## Relabel from/to non-security directories.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`files_relabel_non_security_dirs',`
+   gen_require(`
+   attribute non_security_file_type;
+   ')
+
+   relabel_dirs_pattern($1, non_security_file_type, non_security_file_type)
+')
+
+
+## 
 ## Get the attributes of all files.
 ## 
 ## 
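Review bot: The summary "Relabel from/to non-security directories." understates what `relabel_dirs_pattern($1, non_security_file_type, non_security_file_type)` grants: the caller may relabel a directory between any two types carrying the `non_security_file_type` attribute, which is close to the reach of manage; the same applies to `files_relabel_non_security_files` in the next hunk. Consider a sentence in both descriptions such as `## This permits relabeling between any two non-security types, not just to and from a single type.` The `files_manage_non_security_files` summary, also in the next hunk, could likewise state that it spans every non-security type.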
@@ -620,6 +638,44 @@ interface(`files_dontaudit_getattr_non_security_files',`
 
 
 ## 
+## Create, read, write, and delete all non-security files.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+## 
+#
+interface(`files_manage_non_security_files',`
+   gen_require(`
+   attribute non_security_file_type;
+   ')
+
+   manage_files_pattern($1, non_security_file_type, non_security_file_type)
+')
+
+
+## 
+## Relabel from/to all non-security files.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+## 
+#
+interface(`files_relabel_non_security_files',`
+   gen_require(`
+   attribute non_security_file_type;
+   ')
+
+   relabel_files_pattern($1, non_security_file_type, 
non_security_file_type)
+')
+
+
+## 
 ## Read all files.
 ## 
 ## 
@@ -1948,6 +2004,24 @@ interface(`files_unmount_rootfs',`
 
 
 ## 
+## Mount on the root directory (/)
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`files_mounton_root',`
+   gen_require(`
+   type root_t;
+   ')
+
+   allow $1 root_t:dir mounton;
+')
+
+
+## 
 ## Get attributes of the /boot directory.
 ## 
 ## 
@@ -4398,6 +4472,24 @@ 

[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/kernel/, policy/modules/services/, policy/modules/system/

2015-10-25 Thread Jason Zaman
commit: eaa1a1b1454ce8ae38f2d84774b3047e9203efd9
Author: Chris PeBenito  tresys  com>
AuthorDate: Tue Oct 20 18:33:56 2015 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Mon Oct 26 03:54:24 2015 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=eaa1a1b1

Add systemd units for core refpolicy services.

Only for services that already have a named init script.

Add rules to init_startstop_service(), with conditional arg until
all of refpolicy-contrib callers are updated.

 policy/modules/kernel/files.if| 18 ++
 policy/modules/services/postgresql.if |  4 ++--
 policy/modules/services/postgresql.te |  3 +++
 policy/modules/system/init.if | 17 +
 policy/modules/system/init.te |  3 +++
 policy/modules/system/ipsec.if|  3 ++-
 policy/modules/system/ipsec.te|  3 +++
 policy/modules/system/iptables.fc |  5 +
 policy/modules/system/iptables.if |  4 ++--
 policy/modules/system/iptables.te |  3 +++
 policy/modules/system/logging.fc  |  2 ++
 policy/modules/system/logging.if  |  8 
 policy/modules/system/logging.te  |  6 ++
 policy/modules/system/lvm.fc  |  6 ++
 policy/modules/system/lvm.if  |  4 ++--
 policy/modules/system/lvm.te  |  3 +++
 policy/modules/system/setrans.if  |  4 ++--
 policy/modules/system/setrans.te  |  3 +++
 18 files changed, 86 insertions(+), 13 deletions(-)

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index cbb8afe..20acc0e 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -2892,6 +2892,24 @@ interface(`files_exec_etc_files',`
exec_files_pattern($1, etc_t, etc_t)
 ')
 
+
+## 
+## Get etc_t service status.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`files_get_etc_unit_status',`
+   gen_require(`
+   type etc_t;
+   ')
+
+   allow $1 etc_t:service status;
+')
+
 ###
 ## 
 ## Relabel from and to generic files in /etc.
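Review bot: The `gen_require` of `files_get_etc_unit_status` lists only `type etc_t;` although the rule uses the userspace `service` class; the `init_startstop_service` hunk in this same commit declares `class service { start stop };` in its `gen_require`, so for consistency (and so the interface builds where the class is not otherwise required) add `class service status;` after `type etc_t;`. The summary "Get etc_t service status." would also read better as `## Get the status of systemd units whose unit file is labelled etc_t.`, assuming that is the intent.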

diff --git a/policy/modules/services/postgresql.if 
b/policy/modules/services/postgresql.if
index 11526b6..32e5d06 100644
--- a/policy/modules/services/postgresql.if
+++ b/policy/modules/services/postgresql.if
@@ -587,7 +587,7 @@ interface(`postgresql_admin',`
type postgresql_t, postgresql_var_run_t;
type postgresql_tmp_t, postgresql_db_t;
type postgresql_etc_t, postgresql_log_t;
-   type postgresql_initrc_exec_t;
+   type postgresql_initrc_exec_t, postgresql_unit_t;
')
 
typeattribute $1 sepgsql_admin_type;
@@ -595,7 +595,7 @@ interface(`postgresql_admin',`
allow $1 postgresql_t:process { ptrace signal_perms };
ps_process_pattern($1, postgresql_t)
 
-   init_startstop_service($1, $2, postgresql_t, postgresql_initrc_exec_t)
+   init_startstop_service($1, $2, postgresql_t, postgresql_initrc_exec_t, 
postgresql_unit_t)
 
admin_pattern($1, postgresql_var_run_t)
 

diff --git a/policy/modules/services/postgresql.te 
b/policy/modules/services/postgresql.te
index b4ba0f1..6844c35 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -61,6 +61,9 @@ logging_log_file(postgresql_log_t)
 type postgresql_tmp_t;
 files_tmp_file(postgresql_tmp_t)
 
+type postgresql_unit_t;
+init_unit_file(postgresql_unit_t)
+
 type postgresql_var_run_t;
 files_pid_file(postgresql_var_run_t)
 init_daemon_pid_file(postgresql_var_run_t, dir, "postgresql")
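Review bot: `postgresql_unit_t` is declared and registered with `init_unit_file`, but the diffstat lists no `policy/modules/services/postgresql.fc` change, whereas `iptables.fc`, `logging.fc` and `lvm.fc` are updated in the same commit; unless a file context for the postgresql unit already exists, nothing on disk receives this type and `init_startstop_service` will grant start/stop on a label no unit carries. The same observation applies to `ipsec.te` and `setrans.te` in the diffstat. A follow-up adding the unit's file context entry, or a comment stating where it lives, would close the gap.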

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 192508f..cfe4bd4 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1392,6 +1392,11 @@ interface(`init_all_labeled_script_domtrans',`
 ## Labeled init script file.
 ## 
 ## 
+## 
+## 
+## Systemd unit file type.
+## 
+## 
 #
 interface(`init_startstop_service',`
gen_require(`
@@ -1409,6 +1414,18 @@ interface(`init_startstop_service',`
role_transition $2 $4 system_r;
allow $2 system_r;
')
+
+   ifdef(`init_systemd',`
+   # This ifelse condition is temporary, until
+   # all callers are updated to provide unit files.
+   ifelse(`$5',`',`',`
+   gen_require(`
+   class service { start stop };
+   ')
+
+   allow $1 $5:service { start stop };
+   ')
+   ')
')
 ')
 
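Review bot: The new `ifdef(`init_systemd'` block grants `$1` only `{ start stop }` on `$5`, so an administrator domain set up through this interface can start and stop the unit but, unless granted elsewhere, cannot query it (`status`), which `systemctl` commonly does alongside start/stop; consider whether `class service { start stop status };` and `allow $1 $5:service { start stop status };` is the intended contract. The comment on the temporary `ifelse(`$5',`',`',` should name the removal condition, e.g. `# TODO: drop the ifelse once all refpolicy-contrib callers pass a unit type`. `init_startstop_service` begins and ends outside this hunk.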

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 916b895..79400f2 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -746,6 +746,9 @@ 

[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/kernel/, policy/modules/services/, policy/modules/system/

2015-10-25 Thread Jason Zaman
commit: 5dece5bd67bca8c3df92c74d776119ae9af8ebc2
Author: Chris PeBenito  tresys  com>
AuthorDate: Tue Oct 20 18:48:38 2015 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Mon Oct 26 03:52:58 2015 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5dece5bd

Add supporting rules for domains tightly-coupled with systemd.

 policy/modules/kernel/devices.if| 52 +
 policy/modules/kernel/kernel.te | 17 
 policy/modules/services/ssh.te  |  5 
 policy/modules/system/init.te   |  1 +
 policy/modules/system/locallogin.te |  8 ++
 policy/modules/system/logging.fc|  1 +
 policy/modules/system/logging.te| 22 
 policy/modules/system/lvm.te|  6 +
 policy/modules/system/modutils.te   |  8 ++
 policy/modules/system/sysnetwork.te |  8 ++
 policy/modules/system/udev.te   | 12 +
 11 files changed, 135 insertions(+), 5 deletions(-)

diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 835ec14..a052db5 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -143,11 +143,11 @@ interface(`dev_relabel_all_dev_nodes',`
type device_t;
')
 
-   relabelfrom_dirs_pattern($1, device_t, device_node)
-   relabelfrom_files_pattern($1, device_t, device_node)
+   relabelfrom_dirs_pattern($1, device_t, { device_t device_node })
+   relabelfrom_files_pattern($1, device_t, { device_t device_node })
relabelfrom_lnk_files_pattern($1, device_t, { device_t device_node })
-   relabelfrom_fifo_files_pattern($1, device_t, device_node)
-   relabelfrom_sock_files_pattern($1, device_t, device_node)
+   relabelfrom_fifo_files_pattern($1, device_t, { device_t device_node })
+   relabelfrom_sock_files_pattern($1, device_t, { device_t device_node })
relabel_blk_files_pattern($1, device_t, { device_t device_node })
relabel_chr_files_pattern($1, device_t, { device_t device_node })
 ')
@@ -709,7 +709,7 @@ interface(`dev_relabelfrom_generic_chr_files',`
type device_t;
')
 
-   allow $1 device_t:chr_file relabelfrom;
+   allow $1 device_t:chr_file relabelfrom_chr_file_perms;
 ')
 
 
@@ -1943,6 +1943,30 @@ interface(`dev_filetrans_dri',`
 
 
 ## 
+## Automatic type transition to the type
+## for event device nodes when created in /dev.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+## 
+## 
+## The name of the object being created.
+## 
+## 
+#
+interface(`dev_filetrans_input_dev',`
+   gen_require(`
+   type device_t, event_device_t;
+   ')
+
+   filetrans_pattern($1, device_t, event_device_t, chr_file, $2)
+')
+
+
+## 
 ## Get the attributes of the event devices.
 ## 
 ## 
@@ -2017,6 +2041,24 @@ interface(`dev_rw_input_dev',`
 
 
 ## 
+## Create, read, write, and delete input event devices (/dev/input).
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`dev_manage_input_dev',`
+   gen_require(`
+   type device_t, event_device_t;
+   ')
+
+   manage_chr_files_pattern($1, device_t, event_device_t)
+')
+
+
+## 
 ## Get the attributes of the framebuffer device node.
 ## 
 ## 

diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 14b5713..f2d5756 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -299,6 +299,23 @@ ifdef(`distro_redhat',`
fs_rw_tmpfs_chr_files(kernel_t)
 ')
 
+ifdef(`init_systemd',`
+   optional_policy(`
+   dev_manage_input_dev(kernel_t)
+   dev_filetrans_input_dev(kernel_t)
+   ')
+
+   optional_policy(`
+   selinux_compute_create_context(kernel_t)
+   ')
+
+   optional_policy(`
+   storage_dev_filetrans_fixed_disk(kernel_t)
+   storage_setattr_fixed_disk_dev(kernel_t)
+   storage_create_fixed_disk_dev(kernel_t)
+   ')
+')
+
 optional_policy(`
# loop devices
fstools_use_fds(kernel_t)
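Review bot: The new `ifdef(`init_systemd'` block lets `kernel_t` create and manage input and fixed-disk device nodes and compute create contexts without a comment saying which systemd-era kernel behaviour requires it, while the `distro_redhat` block just above documents its case; add a why-comment above the first `optional_policy`, e.g. `# <reason kernel_t creates device nodes under systemd, presumably devtmpfs — confirm>`, so the extra creation rights on kernel_t stay traceable. As a point of style, `dev_*`, `selinux_*` and `storage_*` are kernel-layer interfaces (storage is configured as a base module in this tree, per the `storage = base` change elsewhere in this digest), so the `optional_policy` wrappers look unnecessary, though harmless.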

diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 783d0e7..e5932aa 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -266,6 +266,11 @@ ifdef(`distro_debian',`
allow sshd_t self:process { getcap setcap };
 ')
 
+ifdef(`init_systemd',`
+   systemd_dbus_chat_logind(sshd_t)
+   init_rw_stream_sockets(sshd_t)
+')
+
 tunable_policy(`ssh_sysadm_login',`
# Relabel and access ptys created by sshd
# ioctl is necessary for logout() processing for utmp entry and for w to

diff --git a/policy/modules/system/init.te 

[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/kernel/, policy/

2015-03-04 Thread Sven Vermeulen
commit: cf050c09f77027dd6ae24e17e5035b617e2d682b
Author: Sven Vermeulen sven.vermeulen AT siphos DOT be
AuthorDate: Wed Mar  4 17:14:12 2015 +
Commit: Sven Vermeulen swift AT gentoo DOT org
CommitDate: Wed Mar  4 17:39:39 2015 +
URL:
http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=cf050c09

Mark storage as base module

All modules within the base should not depend on anything that is
modular. However recently we had to allow kernel_t certain privileges
which are covered not only by an interface of the storage module (which
is not an issue) but also by an attribute that is managed by that
module.

As a result, base fails to build:

$ make base
Compiling mcs base module
/usr/bin/checkmodule:  loading policy configuration from base.conf
policy/modules/kernel/kernel.te:433:ERROR 'attribute fixed_disk_raw_read
is not declared' at token ';' on line 23210:
typeattribute kernel_t fixed_disk_raw_read;
\#line 433
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
Rules.modular:98: recipe for target 'tmp/base.mod' failed
make: *** [tmp/base.mod] Error 1

Moving storage to a base module.

X-Gentoo-Bug: 535992
X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=535992

 policy/modules.conf  | 2 +-
 policy/modules/kernel/storage.if | 4 
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/policy/modules.conf b/policy/modules.conf
index b9b41d9..5d9eee7 100644
--- a/policy/modules.conf
+++ b/policy/modules.conf
@@ -2306,7 +2306,7 @@ zosremote = module
 #
 # Policy controlling access to storage devices
 # 
-storage = module
+storage = base
 
 # Layer: roles
 # Module: auditadm

diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
index 5c1be6b..8a7119d 100644
--- a/policy/modules/kernel/storage.if
+++ b/policy/modules/kernel/storage.if
@@ -1,4 +1,8 @@
 ## summaryPolicy controlling access to storage devices/summary
+## required val=true
+## This module defines attributes that are used by other
+## required modules (such as kernel_t in the kernel module)
+## /required
 
 
 ## summary



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/kernel/, policy/modules/system/

2014-11-28 Thread Sven Vermeulen
commit: 39547652cd07ae3611419261d255128aa1f436e8
Author: Sven Vermeulen sven.vermeulen AT siphos DOT be
AuthorDate: Fri Nov 28 10:13:54 2014 +
Commit: Sven Vermeulen swift AT gentoo DOT org
CommitDate: Fri Nov 28 10:22:30 2014 +
URL:
http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=39547652

Fix bug 529204 - Support a dhcpc_script_t domain

We introduce an executable domain (dhcpc_script_t) through which the
hooks can be executed for the DHCP clients. This domain is separate in
order to keep the privileges of the application small, but also because
this domain will execute commands that are not in the responsibility of
the DHCP client code itself (code-wise) but is provided by
administrators.

Security-wise, as these are scripts, it is more difficult to guarantee
their correctness. As such, we want to isolate these privileges in their own
domain.

The domain will have basic privileges to support the majority of
installations, but we also include a sysnet_dhcpc_script_entry()
interface so that domain transitions can be easily added without the
need for augmenting the privileges of the dhcpc_script_t domain.

---
 policy/modules/kernel/corecommands.fc |  2 +-
 policy/modules/system/sysnetwork.fc   |  3 +++
 policy/modules/system/sysnetwork.te   | 32 
 3 files changed, 36 insertions(+), 1 deletion(-)

diff --git a/policy/modules/kernel/corecommands.fc 
b/policy/modules/kernel/corecommands.fc
index 406a11e..40fd54b 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -143,7 +143,7 @@ ifdef(`distro_debian',`
 /lib/upstart(/.*)? gen_context(system_u:object_r:bin_t,s0)
 
 ifdef(`distro_gentoo',`
-/lib/dhcpcd/dhcpcd-run-hooks   --  gen_context(system_u:object_r:bin_t,s0)
+#/lib/dhcpcd/dhcpcd-run-hooks  --  gen_context(system_u:object_r:bin_t,s0)
 
 /lib/rcscripts/addons(/.*)?gen_context(system_u:object_r:bin_t,s0)
 /lib/rcscripts/sh(/.*)?
gen_context(system_u:object_r:bin_t,s0)
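Review bot: The `dhcpcd-run-hooks` entry is commented out rather than deleted on the `#/lib/dhcpcd/dhcpcd-run-hooks` line, leaving dead text in `corecommands.fc` that a reader must reconcile with the new `dhcpc_script_exec_t` entry in `sysnetwork.fc`; either remove the line or replace it with a comment that points at the new home, e.g. `# dhcpcd-run-hooks is labelled dhcpc_script_exec_t in sysnetwork.fc`. The identical hunk recurs in commits 14d4ab23 and c1d8aae8 later in this digest.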

diff --git a/policy/modules/system/sysnetwork.fc 
b/policy/modules/system/sysnetwork.fc
index fbb935c..b1c6404 100644
--- a/policy/modules/system/sysnetwork.fc
+++ b/policy/modules/system/sysnetwork.fc
@@ -80,3 +80,6 @@ ifdef(`distro_debian',`
 /var/run/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
 ')
 
+ifdef(`distro_gentoo',`
+/lib/dhcpcd/dhcpcd-run-hooks   --  
gen_context(system_u:object_r:dhcpc_script_exec_t,s0)
+')

diff --git a/policy/modules/system/sysnetwork.te 
b/policy/modules/system/sysnetwork.te
index 3576536..fad8fce 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -422,4 +422,36 @@ ifdef(`distro_gentoo',`
optional_policy(`
resolvconf_client_domain(dhcpc_t)
')
+
+   #
+   #
+   # dhcpc_script_t
+   #
+
+   # The purpose of the dhcpc_script_t domain is to handle the 
post-processing of 
+   # the dhcpcd ip renewal. dhcpcd (the tool) supports hooks for this, and 
I would
+   # assume others do as well. With the dhcpc_script_t domain we can 
isolate the
+   # privileges of the DHCP client itself from the hooks / flexibility 
that the developers
+   # introduced.
+
+   type dhcpc_script_t;
+   domain_type(dhcpc_script_t)
+   role dhcpc_roles types dhcpc_script_t;
+
+   type dhcpc_script_exec_t;
+   domain_entry_file(dhcpc_script_t, dhcpc_script_exec_t)
+
+   type dhcpc_script_tmp_t;
+   files_tmp_file(dhcpc_script_tmp_t)
+
+   
+   #
+   # dhcpc script policy
+   #
+
+   manage_files_pattern(dhcpc_script_t, dhcpc_script_tmp_t, 
dhcpc_script_tmp_t)
+   files_tmp_filetrans(dhcpc_script_t, dhcpc_script_tmp_t, { file dir })
+
+   corecmd_exec_bin(dhcpc_script_t)
+   corecmd_exec_shell(dhcpc_script_t)
 ')
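Review bot: The hunk declares `dhcpc_script_t` with an entry file `dhcpc_script_exec_t` but contains no rule letting `dhcpc_t` execute that file and transition into the domain (no `domtrans_pattern(dhcpc_t, dhcpc_script_exec_t, dhcpc_script_t)`), so unless that transition is added elsewhere, relabelling `dhcpcd-run-hooks` away from `bin_t` in the same commit will make the hook invocation fail with a denial rather than run confined. The whitespace-only line before the `# dhcpc script policy` header should be empty. The descriptive paragraph uses first-person speculation ("I would assume others do as well"); a shorter factual note, e.g. `# dhcpc_script_t confines the hook scripts dhcpcd runs after lease changes, separating their privileges from dhcpc_t.`, would age better.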



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/kernel/, policy/modules/system/

2014-11-28 Thread Sven Vermeulen
commit: 14d4ab23ddd8ab4d3d294aff25caa09298623448
Author: Sven Vermeulen sven.vermeulen AT siphos DOT be
AuthorDate: Fri Nov 28 10:13:54 2014 +
Commit: Sven Vermeulen swift AT gentoo DOT org
CommitDate: Fri Nov 28 11:15:23 2014 +
URL:
http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=14d4ab23

Fix bug 529204 - Support a dhcpc_script_t domain

We introduce an executable domain (dhcpc_script_t) through which the
hooks can be executed for the DHCP clients. This domain is separate in
order to keep the privileges of the application small, but also because
this domain will execute commands that are not in the responsibility of
the DHCP client code itself (code-wise) but is provided by
administrators.

Security-wise, as these are scripts, it is more difficult to guarantee
their correctness. As such, we want to isolate these privileges in their own
domain.

The domain will have basic privileges to support the majority of
installations, but we also include a sysnet_dhcpc_script_entry()
interface so that domain transitions can be easily added without the
need for augmenting the privileges of the dhcpc_script_t domain.

---
 policy/modules/kernel/corecommands.fc |  2 +-
 policy/modules/system/sysnetwork.fc   |  1 +
 policy/modules/system/sysnetwork.te   | 46 +++
 3 files changed, 48 insertions(+), 1 deletion(-)

diff --git a/policy/modules/kernel/corecommands.fc 
b/policy/modules/kernel/corecommands.fc
index 406a11e..40fd54b 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -143,7 +143,7 @@ ifdef(`distro_debian',`
 /lib/upstart(/.*)? gen_context(system_u:object_r:bin_t,s0)
 
 ifdef(`distro_gentoo',`
-/lib/dhcpcd/dhcpcd-run-hooks   --  gen_context(system_u:object_r:bin_t,s0)
+#/lib/dhcpcd/dhcpcd-run-hooks  --  gen_context(system_u:object_r:bin_t,s0)
 
 /lib/rcscripts/addons(/.*)?gen_context(system_u:object_r:bin_t,s0)
 /lib/rcscripts/sh(/.*)?
gen_context(system_u:object_r:bin_t,s0)

diff --git a/policy/modules/system/sysnetwork.fc 
b/policy/modules/system/sysnetwork.fc
index a809d61..d9b674e 100644
--- a/policy/modules/system/sysnetwork.fc
+++ b/policy/modules/system/sysnetwork.fc
@@ -81,6 +81,7 @@ ifdef(`distro_debian',`
 ')
 
 ifdef(`distro_gentoo',`
+/lib/dhcpcd/dhcpcd-run-hooks   --  
gen_context(system_u:object_r:dhcpc_script_exec_t,s0)
 /var/run/dhcpcd\.sock  -s  
gen_context(system_u:object_r:dhcpc_var_run_t,s0)
 /var/run/dhcpcd\.unpriv\.sock  -s  
gen_context(system_u:object_r:dhcpc_var_run_t,s0)
 ')

diff --git a/policy/modules/system/sysnetwork.te 
b/policy/modules/system/sysnetwork.te
index 3576536..8adbcfa 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -422,4 +422,50 @@ ifdef(`distro_gentoo',`
optional_policy(`
resolvconf_client_domain(dhcpc_t)
')
+
+   #
+   #
+   # dhcpc_script_t
+   #
+
+   # The purpose of the dhcpc_script_t domain is to handle the 
post-processing of 
+   # the dhcpcd ip renewal. dhcpcd (the tool) supports hooks for this, and 
I would
+   # assume others do as well. With the dhcpc_script_t domain we can 
isolate the
+   # privileges of the DHCP client itself from the hooks / flexibility 
that the developers
+   # introduced.
+
+   type dhcpc_script_t;
+   domain_type(dhcpc_script_t)
+   role dhcpc_roles types dhcpc_script_t;
+
+   type dhcpc_script_exec_t;
+   domain_entry_file(dhcpc_script_t, dhcpc_script_exec_t)
+
+   type dhcpc_script_tmp_t;
+   files_tmp_file(dhcpc_script_tmp_t)
+
+   
+   #
+   # dhcpc script policy
+   #
+
+   allow dhcpc_script_t self:fifo_file rw_fifo_file_perms;
+
+   manage_files_pattern(dhcpc_script_t, dhcpc_script_tmp_t, 
dhcpc_script_tmp_t)
+   files_tmp_filetrans(dhcpc_script_t, dhcpc_script_tmp_t, { file dir })
+
+   manage_files_pattern(dhcpc_script_t, dhcpc_var_run_t, dhcpc_var_run_t)
+   files_pid_filetrans(dhcpc_script_t, dhcpc_var_run_t, { file dir })
+
+   corecmd_exec_bin(dhcpc_script_t)
+   corecmd_exec_shell(dhcpc_script_t)
+
+   # Perhaps sysnet_domtrans_dhcpc_script could be used instead and 
positioned in the dhcpc_t section
+   domtrans_pattern(dhcpc_t, dhcpc_script_exec_t, dhcpc_script_t)
+
+   sysnet_manage_config(dhcpc_script_t)
+
+   optional_policy(`
+   ntp_manage_config(dhcpc_script_t)
+   ')
 ')
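Review bot: `sysnet_manage_config(dhcpc_script_t)` calls an interface of the same module from its own `.te`, which refpolicy generally avoids in favour of the raw rules since the types are local, and the comment above the `domtrans_pattern` line already hints that the placement is provisional; writing the rules the interface expands to directly keeps the module self-contained. `files_pid_filetrans(dhcpc_script_t, dhcpc_var_run_t, { file dir })` also labels every file or directory a hook creates directly under the pid directory as `dhcpc_var_run_t`; if hooks are expected to touch only dhcpcd's own state there, a name-based transition or a comment stating the intent would narrow this.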



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/kernel/, policy/modules/system/

2014-11-28 Thread Sven Vermeulen
commit: c1d8aae88e48692c2777032706464c7a2be256cd
Author: Sven Vermeulen sven.vermeulen AT siphos DOT be
AuthorDate: Fri Nov 28 10:13:54 2014 +
Commit: Sven Vermeulen swift AT gentoo DOT org
CommitDate: Fri Nov 28 11:24:08 2014 +
URL:
http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=c1d8aae8

Fix bug 529204 - Support a dhcpc_script_t domain

We introduce an executable domain (dhcpc_script_t) through which the
hooks can be executed for the DHCP clients. This domain is separate in
order to keep the privileges of the application small, but also because
this domain will execute commands that are not in the responsibility of
the DHCP client code itself (code-wise) but is provided by
administrators.

Security-wise, as these are scripts, it is more difficult to guarantee
their correctness. As such, we want to isolate these privileges in their own
domain.

The domain will have basic privileges to support the majority of
installations, but we also include a sysnet_dhcpc_script_entry()
interface so that domain transitions can be easily added without the
need for augmenting the privileges of the dhcpc_script_t domain.

---
 policy/modules/kernel/corecommands.fc |  2 +-
 policy/modules/system/sysnetwork.fc   |  1 +
 policy/modules/system/sysnetwork.if   | 29 ++
 policy/modules/system/sysnetwork.te   | 58 +++
 4 files changed, 89 insertions(+), 1 deletion(-)

diff --git a/policy/modules/kernel/corecommands.fc 
b/policy/modules/kernel/corecommands.fc
index 406a11e..40fd54b 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -143,7 +143,7 @@ ifdef(`distro_debian',`
 /lib/upstart(/.*)? gen_context(system_u:object_r:bin_t,s0)
 
 ifdef(`distro_gentoo',`
-/lib/dhcpcd/dhcpcd-run-hooks   --  gen_context(system_u:object_r:bin_t,s0)
+#/lib/dhcpcd/dhcpcd-run-hooks  --  gen_context(system_u:object_r:bin_t,s0)
 
 /lib/rcscripts/addons(/.*)?gen_context(system_u:object_r:bin_t,s0)
 /lib/rcscripts/sh(/.*)?
gen_context(system_u:object_r:bin_t,s0)

diff --git a/policy/modules/system/sysnetwork.fc 
b/policy/modules/system/sysnetwork.fc
index a809d61..d9b674e 100644
--- a/policy/modules/system/sysnetwork.fc
+++ b/policy/modules/system/sysnetwork.fc
@@ -81,6 +81,7 @@ ifdef(`distro_debian',`
 ')
 
 ifdef(`distro_gentoo',`
+/lib/dhcpcd/dhcpcd-run-hooks   --  
gen_context(system_u:object_r:dhcpc_script_exec_t,s0)
 /var/run/dhcpcd\.sock  -s  
gen_context(system_u:object_r:dhcpc_var_run_t,s0)
 /var/run/dhcpcd\.unpriv\.sock  -s  
gen_context(system_u:object_r:dhcpc_var_run_t,s0)
 ')

diff --git a/policy/modules/system/sysnetwork.if 
b/policy/modules/system/sysnetwork.if
index 2cea692..86313b6 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -796,3 +796,32 @@ interface(`sysnet_use_portmap',`
 
sysnet_read_config($1)
 ')
+
+# This should be after an ifdef distro_gentoo but that is not allowed in an if 
file
+
+
+## summary
+## Make the specified program domain
+## accessable from the DHCP hooks/scripts.
+## /summary
+## param name=domain
+## summary
+## The type of the process to transition to.
+## /summary
+## /param
+## param name=entrypoint
+## summary
+## The type of the file used as an entrypoint to this domain.
+## /summary
+## /param
+#
+interface(`sysnet_dhcpc_script_entry',`
+   gen_require(`
+   type dhcpc_script_t;
+   attribute_role dhcpc_roles;
+   ')
+
+   role dhcpc_roles types $1;
+
+   domtrans_pattern(dhcpc_script_t, $2, $1)
+')

diff --git a/policy/modules/system/sysnetwork.te 
b/policy/modules/system/sysnetwork.te
index 3576536..1dd0817 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -422,4 +422,62 @@ ifdef(`distro_gentoo',`
optional_policy(`
resolvconf_client_domain(dhcpc_t)
')
+
+   #
+   #
+   # dhcpc_script_t
+   #
+
+   # The purpose of the dhcpc_script_t domain is to handle the 
post-processing of 
+   # the dhcpcd ip renewal. dhcpcd (the tool) supports hooks for this, and 
I would
+   # assume others do as well. With the dhcpc_script_t domain we can 
isolate the
+   # privileges of the DHCP client itself from the hooks / flexibility 
that the developers
+   # introduced.
+
+   type dhcpc_script_t;
+   domain_type(dhcpc_script_t)
+   role dhcpc_roles types dhcpc_script_t;
+
+   type dhcpc_script_exec_t;
+   domain_entry_file(dhcpc_script_t, dhcpc_script_exec_t)
+
+   type dhcpc_script_tmp_t;
+   files_tmp_file(dhcpc_script_tmp_t)
+
+   
+   #
+   # dhcpc script policy
+   #
+
+   allow dhcpc_script_t