* gentoo diff for dhcpd
@ 2004-11-21 11:48 petre rodan
From: petre rodan @ 2004-11-21 11:48 UTC (permalink / raw)
To: SELinux
added needed capabilities
sys_chroot-related file locations
bye,
peter
--
petre rodan
<kaiowas@gentoo.org>
Developer,
Hardened Gentoo Linux
Attachment: selinux-dhcp.diff
--- /root/public_html/policy/nsa/file_contexts/program/dhcpd.fc 2004-11-19 10:48:10.000000000 +0200
+++ /root/cvs/cvs.gentoo.org/gentoo-projects/selinux/dhcp/dhcpd.fc 2004-11-19 10:35:55.000000000 +0200
@@ -8,3 +8,27 @@
/var/lib/dhcp(3)? -d system_u:object_r:dhcp_state_t
define(`dhcp_defined')
')
+
+ifdef(`distro_gentoo', `
+/etc/dhcp -d system_u:object_r:dhcp_etc_t
+/etc/dhcp(/.*)? -- system_u:object_r:dhcp_etc_t
+/var/lib/dhcp -d system_u:object_r:dhcp_state_t
+/var/lib/dhcp/dhcpd\.leases.* -- system_u:object_r:dhcpd_state_t
+/var/run/dhcp/dhcpd\.pid -- system_u:object_r:dhcpd_var_run_t
+
+# for the chroot setup
+/chroot -d system_u:object_r:root_t
+/chroot/dhcp -d system_u:object_r:root_t
+/chroot/dhcp/dev -d system_u:object_r:device_t
+/chroot/dhcp/etc -d system_u:object_r:etc_t
+/chroot/dhcp/etc/dhcp -d system_u:object_r:dhcp_etc_t
+/chroot/dhcp/etc/dhcp(/.*)? -- system_u:object_r:dhcp_etc_t
+/chroot/dhcp/usr/sbin/dhcpd -- system_u:object_r:dhcpd_exec_t
+/chroot/dhcp/var -d system_u:object_r:var_t
+/chroot/dhcp/var/run -d system_u:object_r:var_run_t
+/chroot/dhcp/var/lib -d system_u:object_r:var_lib_t
+/chroot/dhcp/var/lib/dhcp -d system_u:object_r:dhcp_state_t
+/chroot/dhcp/var/lib/dhcp/dhcpd\.leases.* -- system_u:object_r:dhcpd_state_t
+/chroot/dhcp/var/run/dhcp/dhcpd\.pid -- system_u:object_r:dhcpd_state_t
+')
+
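Review bot: the chroot pid file entry `+/chroot/dhcp/var/run/dhcp/dhcpd\.pid -- system_u:object_r:dhcpd_state_t` uses the lease/state type, while the non-chroot entry a few lines above labels the same file `dhcpd_var_run_t`; unless the pid is deliberately kept with the lease data in the chroot, this should be `dhcpd_var_run_t`, otherwise the pid file inside the chroot is governed by the rules for lease data rather than for run-time files. Two smaller points: `+/var/lib/dhcp -d system_u:object_r:dhcp_state_t` duplicates the existing `/var/lib/dhcp(3)? -d` entry just above the ifdef, and the `(/.*)? --` patterns for /etc/dhcp match regular files only, so any subdirectory under /etc/dhcp (inside or outside the chroot) is left without a dhcp_etc_t label.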
--- /root/public_html/policy/nsa/domains/program/unused/dhcpd.te 2004-11-20 09:01:20.000000000 +0200
+++ /root/cvs/cvs.gentoo.org/gentoo-projects/selinux/dhcp/dhcpd.te 2004-11-20 09:47:28.000000000 +0200
@@ -67,3 +67,8 @@
# allow reading /proc
allow dhcpd_t proc_t:{ file lnk_file } r_file_perms;
tmp_domain(dhcpd)
+
+ifdef(`distro_gentoo', `
+allow dhcpd_t self:capability { chown dac_override setgid setuid sys_chroot };
+allow initrc_t dhcpd_state_t:file setattr;
+')
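Review bot: `+allow initrc_t dhcpd_state_t:file setattr;` grants the init-script domain, not dhcpd_t, and the message only says "added needed capabilities" without naming the start-up step that has to change attributes on lease files; a comment giving that operation (presumably adjusting owner or mode of dhcpd.leases in the chroot before the daemon drops privileges) would make the rule auditable later. On the capability line, `sys_chroot`, `setuid` and `setgid` follow from the chroot setup the message refers to, but `chown` and `dac_override` are not explained; if they are only needed because files copied into the chroot end up with the wrong owner, fixing ownership in the install step would let `dac_override`, the broadest of the five, be dropped.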
* Re: gentoo diff for dhcpd
@ 2004-11-23 21:13 ` James Carter
From: James Carter @ 2004-11-23 21:13 UTC (permalink / raw)
To: petre rodan; +Cc: SELinux
Merged. I removed the '/chroot' line. It will already be labeled with
root_t and it doesn't pertain to the dhcp stuff anyway.
On Sun, 2004-11-21 at 06:48, petre rodan wrote:
> added needed capabilities
> sys_chroot-related file locations
>
> bye,
> peter
--
James Carter <jwcart2@epoch.ncsc.mil>
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.