From: cpebenito@tresys.com (Christopher J. PeBenito)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [Various 1/1] Add nfctool module and its dependencies.
Date: Thu, 09 Sep 2010 08:33:32 -0400
Message-ID: <4C88D41C.8060700@tresys.com>
In-Reply-To: <20100903194621.GA4338@localhost.localdomain>

On 09/03/10 15:46, Dominick Grift wrote:
> Add brctl_run interface to cleaned up brctl module.
> Add brctl domtrans and run calls to new ncftool module, modutils.
> Implement system conf type for manageable system configuration files.
> Add /replace calls to system configuration interfaces in virt, init, iptables.
> Add network configuration interfaces and add calls to these interfaces in various modules.

There are unrelated changes in this patch; please remove them.  This 
patch is also big enough that it should probably be split up into 2 or 3 
patches.

> Signed-off-by: Dominick Grift<domg472@gmail.com>
> ---
> :100644 100644 5b43db5... 8f1ee2c... M	policy/modules/admin/brctl.if
> :100644 100644 0ff3679... 45b26c9... M	policy/modules/admin/brctl.te
> :000000 100644 0000000... 19710b5... A	policy/modules/admin/ncftool.fc
> :000000 100644 0000000... 5b9318b... A	policy/modules/admin/ncftool.if
> :000000 100644 0000000... 2e2f551... A	policy/modules/admin/ncftool.te
> :100644 100644 a22e546... 157f6ff... M	policy/modules/admin/shorewall.te
> :100644 100644 3517db2... ba92739... M	policy/modules/kernel/files.fc
> :100644 100644 5302dac... 17e7a6a... M	policy/modules/kernel/files.if
> :100644 100644 07352a5... ec07a47... M	policy/modules/kernel/files.te
> :100644 100644 3cce663... 57c0f15... M	policy/modules/services/virt.te
> :100644 100644 abab4cf... c038370... M	policy/modules/system/init.te
> :100644 100644 13f62a6... e0813a1... M	policy/modules/system/iptables.fc
> :100644 100644 5c94dfe... 68cd2d2... M	policy/modules/system/iptables.if
> :100644 100644 a3fdcb3... 8e644c4... M	policy/modules/system/iptables.te
> :100644 100644 9c0faab... 565e5bc... M	policy/modules/system/modutils.if
> :100644 100644 8e71fb7... 1e4892d... M	policy/modules/system/sysnetwork.if
> :100644 100644 dfbe736... ab27920... M	policy/modules/system/sysnetwork.te
>   policy/modules/admin/brctl.if       |   34 ++++++++++++-
>   policy/modules/admin/brctl.te       |    1 -
>   policy/modules/admin/ncftool.fc     |    1 +
>   policy/modules/admin/ncftool.if     |   80 +++++++++++++++++++++++++++++++
>   policy/modules/admin/ncftool.te     |   82 ++++++++++++++++++++++++++++++++
>   policy/modules/admin/shorewall.te   |    4 ++
>   policy/modules/kernel/files.fc      |   89 +++--------------------------------
>   policy/modules/kernel/files.if      |   74 +++++++++++++++++++++++++++++
>   policy/modules/kernel/files.te      |    8 +++
>   policy/modules/services/virt.te     |    7 ++-
>   policy/modules/system/init.te       |    2 +
>   policy/modules/system/iptables.fc   |    2 -
>   policy/modules/system/iptables.if   |   78 ------------------------------
>   policy/modules/system/iptables.te   |    4 +-
>   policy/modules/system/modutils.if   |   20 ++++++++
>   policy/modules/system/sysnetwork.if |   38 +++++++++++++++
>   policy/modules/system/sysnetwork.te |    4 ++
>   17 files changed, 357 insertions(+), 171 deletions(-)
>
> diff --git a/policy/modules/admin/brctl.if b/policy/modules/admin/brctl.if
> index 5b43db5..8f1ee2c 100644
> --- a/policy/modules/admin/brctl.if
> +++ b/policy/modules/admin/brctl.if
> @@ -1,13 +1,13 @@
> -##<summary>Utilities for configuring the linux ethernet bridge</summary>
> +##<summary>Utilities for configuring the linux ethernet bridge.</summary>
>
>   ########################################
>   ##<summary>
>   ##	Execute a domain transition to run brctl.
>   ##</summary>
>   ##<param name="domain">
> -##<summary>
> +##	<summary>
>   ##	Domain allowed to transition.
> -##</summary>
> +##	</summary>
>   ##</param>
>   #
>   interface(`brctl_domtrans',`
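Review bot: the added period in the file summary and the re-indented <summary> tags of the existing brctl_domtrans block are documentation cleanups unrelated to the ncftool work; move them to a separate cleanup patch, as the reply above asks.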
> @@ -15,5 +15,33 @@ interface(`brctl_domtrans',`
>   		type brctl_t, brctl_exec_t;
>   	')
>
> +	corecmd_search_bin($1)
>   	domtrans_pattern($1, brctl_exec_t, brctl_t)
>   ')
> +
> +#####################################
> +##<summary>
> +##	Execute a domain transition to run
> +##	Brctl, and allow the specified role
> +##	the Brctl domain.
> +##</summary>
> +##<param name="domain">
> +##	<summary>
> +##	Domain allowed to transition.
> +##	</summary>
> +##</param>
> +##<param name="role">
> +##	<summary>
> +##	Role allowed access.
> +##	</summary>
> +##</param>
> +##<rolecap/>
> +#
> +interface(`brctl_run',`
> +	gen_require(`
> +		type brctl_t, brctl_exec_t;
> +	')
> +
> +	brctl_domtrans($1)
> +	role $2 types brctl_t;
> +')
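Review bot: brctl_run requires `type brctl_t, brctl_exec_t;` but only uses brctl_t in `role $2 types brctl_t;`; the exec type is already required inside brctl_domtrans, so drop brctl_exec_t from this gen_require. The comment bar above the new interface is also narrower than the 40-column bars used by the rest of the file.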
> diff --git a/policy/modules/admin/brctl.te b/policy/modules/admin/brctl.te
> index 0ff3679..45b26c9 100644
> --- a/policy/modules/admin/brctl.te
> +++ b/policy/modules/admin/brctl.te
> @@ -30,7 +30,6 @@ corenet_rw_tun_tap_dev(brctl_t)
>   dev_rw_sysfs(brctl_t)
>   dev_write_sysfs_dirs(brctl_t)
>
> -# Init script handling
>   domain_use_interactive_fds(brctl_t)
>
>   files_read_etc_files(brctl_t)
> diff --git a/policy/modules/admin/ncftool.fc b/policy/modules/admin/ncftool.fc
> new file mode 100644
> index 0000000..19710b5
> --- /dev/null
> +++ b/policy/modules/admin/ncftool.fc
> @@ -0,0 +1 @@
> +/usr/bin/ncftool		--	gen_context(system_u:object_r:ncftool_exec_t,s0)
> diff --git a/policy/modules/admin/ncftool.if b/policy/modules/admin/ncftool.if
> new file mode 100644
> index 0000000..5b9318b
> --- /dev/null
> +++ b/policy/modules/admin/ncftool.if
> @@ -0,0 +1,80 @@
> +##<summary>Network Interface Management.</summary>
> +
> +########################################
> +##<summary>
> +##	Execute a domain transition to run Ncftool.
> +##</summary>
> +##<param name="domain">
> +##	<summary>
> +##	Domain allowed to transition.
> +##	</summary>
> +##</param>
> +#
> +interface(`ncftool_domtrans',`
> +	gen_require(`
> +		type ncftool_t, ncftool_exec_t;
> +	')
> +
> +	corecmd_search_bin($1)
> +	domtrans_pattern($1, ncftool_exec_t, ncftool_t)
> +')
> +
> +########################################
> +##<summary>
> +##	Execute a domain transition to run
> +##	Ncftool, and allow the specified role
> +##	the Ncftool domain.
> +##</summary>
> +##<param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +##</param>
> +##<param name="role">
> +##	<summary>
> +##	Role allowed access.
> +##	</summary>
> +##</param>
> +##<rolecap/>
> +#
> +interface(`ncftool_run',`
> +	gen_require(`
> +		type ncftool_t;
> +	')
> +
> +	ncftool_domtrans($1)
> +	role $2 types ncftool_t;
> +
> +	optional_policy(`
> +		brctl_run(ncftool_t, $2)
> +	')
> +')
> +
> +########################################
> +##<summary>
> +##	Role access for Ncftool.
> +##</summary>
> +##<param name="role">
> +##	<summary>
> +##	Role allowed access.
> +##	</summary>
> +##</param>
> +##<param name="domain">
> +##	<summary>
> +##	User domain for the role.
> +##	</summary>
> +##</param>
> +##<rolecap/>
> +#
> +interface(`ncftool_role',`
> +	gen_require(`
> +		type ncftool_t;
> +	')
> +
> +	role $1 types ncftool_t;
> +
> +	ncftool_domtrans($2)
> +
> +	ps_process_pattern($2, ncftool_t)
> +	allow $2 ncftool_t:process { ptrace signal_perms };
> +')
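Review bot: the `optional_policy(` brctl_run(ncftool_t, $2) `)` inside ncftool_run is the only place in this patch where the ncftool_t to brctl_t transition is granted. ncftool.te sets `role system_r types ncftool_t;` but never calls brctl_domtrans, so an ncftool_t started from system_r, or by a caller that uses ncftool_domtrans or ncftool_role, cannot run brctl at all. Put `optional_policy(` brctl_domtrans(ncftool_t) `)` in ncftool.te and keep brctl_run here only for the role side. Also make the domain parameter summaries consistent: ncftool_domtrans says "Domain allowed to transition." while ncftool_run says "Domain allowed access." for the same parameter.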
> diff --git a/policy/modules/admin/ncftool.te b/policy/modules/admin/ncftool.te
> new file mode 100644
> index 0000000..2e2f551
> --- /dev/null
> +++ b/policy/modules/admin/ncftool.te
> @@ -0,0 +1,82 @@
> +policy_module(ncftool, 1.0.0)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +type ncftool_t;
> +type ncftool_exec_t;
> +application_domain(ncftool_t, ncftool_exec_t)
> +domain_obj_id_change_exemption(ncftool_t)
> +domain_system_change_exemption(ncftool_t)
> +role system_r types ncftool_t;
> +
> +########################################
> +#
> +# local policy
> +#
> +
> +allow ncftool_t self:capability { net_admin sys_ptrace };
> +allow ncftool_t self:process signal;
> +allow ncftool_t self:fifo_file manage_fifo_file_perms;
> +allow ncftool_t self:unix_stream_socket create_stream_socket_perms;
> +allow ncftool_t self:netlink_route_socket create_netlink_socket_perms;
> +allow ncftool_t self:tcp_socket create_stream_socket_perms;
> +
> +kernel_read_kernel_sysctls(ncftool_t)
> +kernel_read_modprobe_sysctls(ncftool_t)
> +kernel_read_network_state(ncftool_t)
> +kernel_read_system_state(ncftool_t)
> +kernel_request_load_module(ncftool_t)
> +kernel_rw_net_sysctls(ncftool_t)
> +
> +corecmd_exec_bin(ncftool_t)
> +corecmd_exec_shell(ncftool_t)
> +
> +domain_read_all_domains_state(ncftool_t)
> +
> +dev_read_sysfs(ncftool_t)
> +
> +files_manage_system_conf_files(ncftool_t)
> +files_relabelto_system_conf_files(ncftool_t)
> +files_read_etc_files(ncftool_t)
> +files_read_etc_runtime_files(ncftool_t)
> +files_read_usr_files(ncftool_t)
> +
> +term_use_all_terms(ncftool_t)
> +
> +miscfiles_read_localization(ncftool_t)
> +
> +modutils_list_module_config(ncftool_t)
> +modutils_read_module_config(ncftool_t)
> +modutils_domtrans_insmod(ncftool_t)
> +
> +sysnet_delete_dhcpc_pid(ncftool_t)
> +sysnet_domtrans_dhcpc(ncftool_t)
> +sysnet_domtrans_ifconfig(ncftool_t)
> +sysnet_etc_filetrans_config(ncftool_t)
> +sysnet_manage_config(ncftool_t)
> +sysnet_read_dhcpc_state(ncftool_t)
> +sysnet_relabelfrom_net_conf(ncftool_t)
> +sysnet_relabelto_net_conf(ncftool_t)
> +sysnet_read_dhcpc_pid(ncftool_t)
> +sysnet_signal_dhcpc(ncftool_t)
> +
> +userdom_read_user_tmp_files(ncftool_t)
> +
> +optional_policy(`
> +	consoletype_exec(ncftool_t)
> +')
> +
> +optional_policy(`
> +	dbus_system_bus_client(ncftool_t)
> +')
> +
> +optional_policy(`
> +	iptables_initrc_domtrans(ncftool_t)
> +')
> +
> +optional_policy(`
> +	netutils_domtrans(ncftool_t)
> +')
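Review bot: `allow ncftool_t self:capability { net_admin sys_ptrace };` together with domain_read_all_domains_state(ncftool_t) is a wide grant for a network configuration tool, and the changelog does not say which denial motivates it; if sys_ptrace only shows up from reading other processes' /proc entries, the usual refpolicy approach is to dontaudit it rather than allow it. term_use_all_terms(ncftool_t) is similarly broad for a tool run from an admin terminal. The relabel rules are asymmetric (files_relabelto_system_conf_files without files_relabelfrom_system_conf_files, next to both sysnet_relabelfrom_net_conf and sysnet_relabelto_net_conf), so a comment should state which relabel ncftool actually performs. Minor: sysnet_read_dhcpc_pid is out of alphabetical order among the sysnet_ calls, and the "# local policy" header is capitalised "# Local policy" in the other modules.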
> diff --git a/policy/modules/admin/shorewall.te b/policy/modules/admin/shorewall.te
> index a22e546..157f6ff 100644
> --- a/policy/modules/admin/shorewall.te
> +++ b/policy/modules/admin/shorewall.te
> @@ -89,6 +89,10 @@ sysnet_domtrans_ifconfig(shorewall_t)
>   userdom_dontaudit_list_user_home_dirs(shorewall_t)
>
>   optional_policy(`
> +	brctl_domtrans(shorewall_t)
> +')
> +
> +optional_policy(`
>   	hostname_exec(shorewall_t)
>   ')
>
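Review bot: brctl_domtrans(shorewall_t) is not mentioned in the changelog and has nothing to do with ncftool; it belongs in its own patch with a note on which shorewall operation execs brctl.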
> diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
> index 3517db2..ba92739 100644
> --- a/policy/modules/kernel/files.fc
> +++ b/policy/modules/kernel/files.fc
> @@ -1,15 +1,9 @@
> -
> -#
> -# /
> -#
>   /.*				gen_context(system_u:object_r:default_t,s0)
>   /			-d	gen_context(system_u:object_r:root_t,s0)
>   /\.journal			<<none>>
>   /afs			-d	gen_context(system_u:object_r:mnt_t,s0)
>   /initrd\.img.*		-l	gen_context(system_u:object_r:boot_t,s0)
>   /vmlinuz.*		-l	gen_context(system_u:object_r:boot_t,s0)
> -
> -ifdef(`distro_redhat',`
>   /\.autofsck		--	gen_context(system_u:object_r:etc_runtime_t,s0)
>   /\.autorelabel		--	gen_context(system_u:object_r:etc_runtime_t,s0)
>   /\.suspended		--	gen_context(system_u:object_r:etc_runtime_t,s0)
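Review bot: this hunk removes the `ifdef(`distro_redhat',`` guard around /\.autofsck, /\.autorelabel, /\.suspended and the entries that follow, so those etc_runtime_t contexts now apply on every distribution; the remaining files.fc hunks do the same to the distro_suse, distro_gentoo and distro_debian guards and strip every per-directory section comment. None of that is part of the system_conf_t change. It looks like unrelated local edits leaked into the diff and should be reverted before resubmitting.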
> @@ -18,15 +12,8 @@ ifdef(`distro_redhat',`
>   /fsckoptions 		--	gen_context(system_u:object_r:etc_runtime_t,s0)
>   /halt			--	gen_context(system_u:object_r:etc_runtime_t,s0)
>   /poweroff		--	gen_context(system_u:object_r:etc_runtime_t,s0)
> -')
> -
> -ifdef(`distro_suse',`
>   /success		--	gen_context(system_u:object_r:etc_runtime_t,s0)
> -')
>
> -#
> -# /boot
> -#
>   /boot			-d	gen_context(system_u:object_r:boot_t,s0)
>   /boot/.*			gen_context(system_u:object_r:boot_t,s0)
>   /boot/\.journal			<<none>>
> @@ -35,15 +22,9 @@ ifdef(`distro_suse',`
>   /boot/lost\+found/.*		<<none>>
>   /boot/System\.map(-.*)?	--	gen_context(system_u:object_r:system_map_t,s0)
>
> -#
> -# /emul
> -#
>   /emul			-d	gen_context(system_u:object_r:usr_t,s0)
>   /emul/.*			gen_context(system_u:object_r:usr_t,s0)
>
> -#
> -# /etc
> -#
>   /etc			-d	gen_context(system_u:object_r:etc_t,s0)
>   /etc/.*				gen_context(system_u:object_r:etc_t,s0)
>   /etc/\.fstab\.hal\..+	--	gen_context(system_u:object_r:etc_runtime_t,s0)
> @@ -72,114 +53,68 @@ ifdef(`distro_suse',`
>
>   /etc/ptal/ptal-printd-like -- 	gen_context(system_u:object_r:etc_runtime_t,s0)
>
> +/etc/sysconfig/ebtables.*	--	gen_context(system_u:object_r:system_conf_t,s0)
> +/etc/sysconfig/firstboot --	gen_context(system_u:object_r:etc_runtime_t,s0)
>   /etc/sysconfig/hwconf	--	gen_context(system_u:object_r:etc_runtime_t,s0)
> +/etc/sysconfig/ip6?tables.*	--	gen_context(system_u:object_r:system_conf_t,s0)
>   /etc/sysconfig/iptables\.save -- gen_context(system_u:object_r:etc_runtime_t,s0)
> -/etc/sysconfig/firstboot --	gen_context(system_u:object_r:etc_runtime_t,s0)
> +/etc/sysconfig/ipvsadm.*	--	gen_context(system_u:object_r:system_conf_t,s0)
> +/etc/sysconfig/system-config-firewall.*	--	gen_context(system_u:object_r:system_conf_t,s0)
> +
> +/etc/sysctl\.conf(\.old)?	--	gen_context(system_u:object_r:system_conf_t,s0)
>
> -ifdef(`distro_gentoo', `
>   /etc/profile\.env	--	gen_context(system_u:object_r:etc_runtime_t,s0)
>   /etc/csh\.env		--	gen_context(system_u:object_r:etc_runtime_t,s0)
>   /etc/env\.d/.*		--	gen_context(system_u:object_r:etc_runtime_t,s0)
> -')
>
> -ifdef(`distro_redhat',`
>   /etc/rhgb(/.*)?		-d	gen_context(system_u:object_r:mnt_t,s0)
> -')
>
> -ifdef(`distro_suse',`
>   /etc/defkeymap\.map	--	gen_context(system_u:object_r:etc_runtime_t,s0)
>   /etc/init\.d/\.depend.*	--	gen_context(system_u:object_r:etc_runtime_t,s0)
> -')
>
> -#
> -# HOME_ROOT
> -# expanded by genhomedircon
> -#
>   HOME_ROOT		-d	gen_context(system_u:object_r:home_root_t,s0-mls_systemhigh)
>   HOME_ROOT/\.journal		<<none>>
>   HOME_ROOT/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
>   HOME_ROOT/lost\+found/.*		<<none>>
>
> -#
> -# /initrd
> -#
> -# initrd mount point, only used during boot
>   /initrd			-d	gen_context(system_u:object_r:root_t,s0)
>
> -#
> -# /lib(64)?
> -#
>   /lib/modules(/.*)?		gen_context(system_u:object_r:modules_object_t,s0)
>   /lib64/modules(/.*)?		gen_context(system_u:object_r:modules_object_t,s0)
>
> -#
> -# /lost+found
> -#
>   /lost\+found		-d	gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
>   /lost\+found/.*			<<none>>
>
> -#
> -# /media
> -#
> -# Mount points; do not relabel subdirectories, since
> -# we don't want to change any removable media by default.
>   /media(/[^/]*)		-l	gen_context(system_u:object_r:mnt_t,s0)
>   /media(/[^/]*)?		-d	gen_context(system_u:object_r:mnt_t,s0)
>   /media/[^/]*/.*			<<none>>
>   /media/\.hal-.*		--	gen_context(system_u:object_r:mnt_t,s0)
>
> -#
> -# /misc
> -#
>   /misc			-d	gen_context(system_u:object_r:mnt_t,s0)
>
> -#
> -# /mnt
> -#
>   /mnt(/[^/]*)		-l	gen_context(system_u:object_r:mnt_t,s0)
>   /mnt(/[^/]*)?		-d	gen_context(system_u:object_r:mnt_t,s0)
>   /mnt/[^/]*/.*			<<none>>
>
> -#
> -# /net
> -#
>   /net			-d	gen_context(system_u:object_r:mnt_t,s0)
>
> -#
> -# /opt
> -#
>   /opt			-d	gen_context(system_u:object_r:usr_t,s0)
>   /opt/.*				gen_context(system_u:object_r:usr_t,s0)
>
>   /opt/(.*/)?var/lib(64)?(/.*)?	gen_context(system_u:object_r:var_lib_t,s0)
>
> -#
> -# /proc
> -#
>   /proc			-d	<<none>>
>   /proc/.*			<<none>>
>
> -#
> -# /selinux
> -#
>   /selinux		-d	<<none>>
>   /selinux/.*			<<none>>
>
> -#
> -# /srv
> -#
>   /srv			-d	gen_context(system_u:object_r:var_t,s0)
>   /srv/.*				gen_context(system_u:object_r:var_t,s0)
>
> -#
> -# /sys
> -#
>   /sys			-d	<<none>>
>   /sys/.*				<<none>>
>
> -#
> -# /tmp
> -#
>   /tmp			-d	gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
>   /tmp/.*				<<none>>
>   /tmp/\.journal			<<none>>
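Review bot: the intended changes in this hunk are the five system_conf_t contexts (/etc/sysconfig/ebtables.*, ip6?tables.*, ipvsadm.*, system-config-firewall.* and /etc/sysctl\.conf(\.old)?). The /etc/sysconfig/firstboot line is deleted and re-added unchanged, which is pure churn, and the `ifdef(`distro_gentoo'`, `distro_redhat'` and `distro_suse'` guards plus the directory comments are stripped as in the first hunk. Trim this hunk down to the system_conf_t lines.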
> @@ -187,9 +122,6 @@ HOME_ROOT/lost\+found/.*		<<none>>
>   /tmp/lost\+found	-d		gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
>   /tmp/lost\+found/.*		<<none>>
>
> -#
> -# /usr
> -#
>   /usr			-d	gen_context(system_u:object_r:usr_t,s0)
>   /usr/.*				gen_context(system_u:object_r:usr_t,s0)
>   /usr/\.journal			<<none>>
> @@ -215,16 +147,11 @@ HOME_ROOT/lost\+found/.*		<<none>>
>   /usr/tmp			-d	gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
>   /usr/tmp/.*			<<none>>
>
> -ifndef(`distro_redhat',`
>   /usr/local/src(/.*)?		gen_context(system_u:object_r:src_t,s0)
>
>   /usr/src(/.*)?			gen_context(system_u:object_r:src_t,s0)
>   /usr/src/kernels/.+/lib(/.*)?	gen_context(system_u:object_r:usr_t,s0)
> -')
>
> -#
> -# /var
> -#
>   /var			-d	gen_context(system_u:object_r:var_t,s0)
>   /var/.*				gen_context(system_u:object_r:var_t,s0)
>   /var/\.journal			<<none>>
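Review bot: dropping `ifndef(`distro_redhat',`` around /usr/local/src and /usr/src changes those paths from usr_t to src_t on Red Hat builds, a labeling change with no connection to this patch; restore the guard.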
> @@ -255,6 +182,4 @@ ifndef(`distro_redhat',`
>   /var/tmp/lost\+found/.*		<<none>>
>   /var/tmp/vi\.recover	-d	gen_context(system_u:object_r:tmp_t,s0)
>
> -ifdef(`distro_debian',`
>   /var/run/motd		--	gen_context(system_u:object_r:etc_runtime_t,s0)
> -')
> diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
> index 5302dac..17e7a6a 100644
> --- a/policy/modules/kernel/files.if
> +++ b/policy/modules/kernel/files.if
> @@ -1875,6 +1875,80 @@ interface(`files_manage_boot_symlinks',`
>   	manage_lnk_files_pattern($1, boot_t, boot_t)
>   ')
>
> +###################################
> +##<summary>
> +##	Create manageable system configuration files.
> +##</summary>
> +##<param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +##</param>
> +#
> +interface(`files_etc_filetrans_system_conf',`
> +	gen_require(`
> +		type etc_t, system_conf_t;
> +	')
> +
> +	filetrans_pattern($1, etc_t, system_conf_t, file)
> +')
> +
> +######################################
> +##<summary>
> +##  Manage manageable system configuration files.
> +##</summary>
> +##<param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +##</param>
> +#
> +interface(`files_manage_system_conf_files',`
> +	gen_require(`
> +		type etc_t, system_conf_t;
> +	')
> +
> +	manage_files_pattern($1, { etc_t system_conf_t }, system_conf_t)
> +')
> +
> +######################################
> +##<summary>
> +##  Relabel from manageable system configuration files.
> +##</summary>
> +##<param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +##</param>
> +#
> +interface(`files_relabelfrom_system_conf_files',`
> +	gen_require(`
> +		type system_conf_t;
> +	')
> +
> +	files_search_etc($1)
> +	relabelfrom_files_pattern($1, system_conf_t, system_conf_t)
> +')
> +
> +######################################
> +##<summary>
> +##  Relabel to manageable system configuration files.
> +##</summary>
> +##<param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +##</param>
> +#
> +interface(`files_relabelto_system_conf_files',`
> +	gen_require(`
> +		type system_conf_t;
> +	')
> +
> +	files_search_etc($1)
> +	relabelto_files_pattern($1, system_conf_t, system_conf_t)
> +')
> +
>   ########################################
>   ##<summary>
>   ##	Read kernel files in the /boot directory.
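Review bot: files_manage_system_conf_files passes `{ etc_t system_conf_t }` as the directory set of manage_files_pattern, which hands every caller rw_dir_perms on all etc_t directories whether or not it creates files there; the two relabel interfaces in this hunk, and the removed iptables_manage_config, use files_search_etc($1) with the conf type alone. Use that form here and let files_etc_filetrans_system_conf supply the directory write access for callers that create files. Nothing in this hunk replaces the read and setattr interfaces that iptables.if loses, so a files_read_system_conf_files interface at least is needed. Style: the summaries of the last three interfaces are indented with two spaces instead of a tab, the comment bars are narrower than the 40-column bars elsewhere in files.if, and "Manage manageable system configuration files" reads better as "Create, read, write, and delete manageable system configuration files".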
> diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
> index 07352a5..ec07a47 100644
> --- a/policy/modules/kernel/files.te
> +++ b/policy/modules/kernel/files.te
> @@ -128,6 +128,14 @@ genfscon rootfs / gen_context(system_u:object_r:root_t,s0)
>   type src_t;
>   files_mountpoint(src_t)
>
> +# system_conf_t is a new type of various
> +# files in /etc/ that can be managed and
> +# created by several domains.
> +#
> +type system_conf_t, configfile;
> +files_type(system_conf_t)
> +typealias system_conf_t alias iptables_conf_t;
> +
>   #
>   # system_map_t is for the system.map files in /boot
>   #
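Review bot: the comment "system_conf_t is a new type" will go stale; describe what the type is for (configuration files in /etc that several administrative domains rewrite, kept apart from etc_t for that reason) and state that the iptables_conf_t typealias exists for compatibility with existing labels and policies.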
> diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
> index 3cce663..57c0f15 100644
> --- a/policy/modules/services/virt.te
> +++ b/policy/modules/services/virt.te
> @@ -255,6 +255,10 @@ files_search_all(virtd_t)
>   files_read_kernel_modules(virtd_t)
>   files_read_usr_src_files(virtd_t)
>   files_manage_etc_files(virtd_t)
> +files_relabelfrom_system_conf_files(virtd_t)
> +files_relabelto_system_conf_files(virtd_t)
> +files_manage_system_conf_files(virtd_t)
> +files_etc_filetrans_system_conf(virtd_t)
>
>   fs_list_auto_mountpoints(virtd_t)
>   fs_getattr_xattr_fs(virtd_t)
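Review bot: these four calls give virtd_t relabelfrom and relabelto on every system_conf_t file (sysctl.conf, the ip(6)tables and ipvsadm rules, system-config-firewall), which is more than the iptables_manage_config(virtd_t) they replace granted (manage only, no relabel) and wider than the single file its comment named. Keep the `# Manages /etc/sysconfig/system-config-firewall` comment that the next hunk deletes next to these lines, and drop the two relabel calls unless libvirt actually relabels those files.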
> @@ -339,9 +343,6 @@ optional_policy(`
>   optional_policy(`
>   	iptables_domtrans(virtd_t)
>   	iptables_initrc_domtrans(virtd_t)
> -
> -	# Manages /etc/sysconfig/system-config-firewall
> -	iptables_manage_config(virtd_t)
>   ')
>
>   optional_policy(`
> diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
> index abab4cf..c038370 100644
> --- a/policy/modules/system/init.te
> +++ b/policy/modules/system/init.te
> @@ -530,6 +530,8 @@ ifdef(`distro_redhat',`
>   	optional_policy(`
>   		sysnet_rw_dhcp_config(initrc_t)
>   		sysnet_manage_config(initrc_t)
> +		sysnet_relabelfrom_net_conf(initrc_t)
> +		sysnet_relabelto_net_conf(initrc_t)
>   	')
>
>   	optional_policy(`
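Review bot: there is no explanation for why initrc_t needs relabelfrom and relabelto on net_conf_t; a comment naming the Red Hat init script that relabels the network configuration files would let this rule be reviewed later instead of becoming permanent.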
> diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
> index 13f62a6..e0813a1 100644
> --- a/policy/modules/system/iptables.fc
> +++ b/policy/modules/system/iptables.fc
> @@ -1,6 +1,4 @@
>   /etc/rc\.d/init\.d/ip6?tables	--	gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
> -/etc/sysconfig/ip6?tables.*	--	gen_context(system_u:object_r:iptables_conf_t,s0)
> -/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
>
>   /sbin/ipchains.*		--	gen_context(system_u:object_r:iptables_exec_t,s0)
>   /sbin/ip6?tables		--	gen_context(system_u:object_r:iptables_exec_t,s0)
> diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if
> index 5c94dfe..68cd2d2 100644
> --- a/policy/modules/system/iptables.if
> +++ b/policy/modules/system/iptables.if
> @@ -87,81 +87,3 @@ interface(`iptables_initrc_domtrans',`
>
>   	init_labeled_script_domtrans($1, iptables_initrc_exec_t)
>   ')
> -
> -#####################################
> -##<summary>
> -##	Set the attributes of iptables config files.
> -##</summary>
> -##<param name="domain">
> -##	<summary>
> -##	Domain allowed access.
> -##	</summary>
> -##</param>
> -#
> -interface(`iptables_setattr_config',`
> -	gen_require(`
> -		type iptables_conf_t;
> -	')
> -
> -	files_search_etc($1)
> -	allow $1 iptables_conf_t:file setattr;
> -')
> -
> -#####################################
> -##<summary>
> -##	Read iptables config files.
> -##</summary>
> -##<param name="domain">
> -##	<summary>
> -##	Domain allowed access.
> -##	</summary>
> -##</param>
> -#
> -interface(`iptables_read_config',`
> -	gen_require(`
> -		type iptables_conf_t;
> -	')
> -
> -	files_search_etc($1)
> -	allow $1 iptables_conf_t:dir list_dir_perms;
> -	read_files_pattern($1, iptables_conf_t, iptables_conf_t)
> -')
> -
> -#####################################
> -##<summary>
> -##	Create files in /etc with the type used for
> -##	the iptables config files.
> -##</summary>
> -##<param name="domain">
> -##	<summary>
> -##	Domain allowed access.
> -##	</summary>
> -##</param>
> -#
> -interface(`iptables_etc_filetrans_config',`
> -	gen_require(`
> -		type iptables_conf_t;
> -	')
> -
> -	files_etc_filetrans($1, iptables_conf_t, file)
> -')
> -
> -###################################
> -##<summary>
> -##	Manage iptables config files.
> -##</summary>
> -##<param name="domain">
> -##	<summary>
> -##	Domain allowed access.
> -##	</summary>
> -##</param>
> -#
> -interface(`iptables_manage_config',`
> -	gen_require(`
> -		type iptables_conf_t;
> -		type etc_t;
> -	')
> -
> -	files_search_etc($1)
> -	manage_files_pattern($1, iptables_conf_t, iptables_conf_t)
> -')
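Review bot: removing iptables_setattr_config, iptables_read_config, iptables_etc_filetrans_config and iptables_manage_config outright breaks any module that still calls them, and only the virt caller is updated in this patch. The refpolicy convention is to keep the old interfaces as deprecated wrappers that emit refpolicywarn(`$0($*) has been deprecated, please use files_manage_system_conf_files() instead.') and call the new files_ interface, then remove them a release later. Note also that only the manage, filetrans and relabel variants get files_ replacements; there is no read or setattr interface for system_conf_t, so former iptables_read_config and iptables_setattr_config callers have no equivalent to move to.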
> diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
> index a3fdcb3..8e644c4 100644
> --- a/policy/modules/system/iptables.te
> +++ b/policy/modules/system/iptables.te
> @@ -33,8 +33,8 @@ allow iptables_t self:fifo_file rw_fifo_file_perms;
>   allow iptables_t self:process { sigchld sigkill sigstop signull signal };
>   allow iptables_t self:rawip_socket create_socket_perms;
>
> -manage_files_pattern(iptables_t, iptables_conf_t, iptables_conf_t)
> -files_etc_filetrans(iptables_t, iptables_conf_t, file)
> +files_manage_system_conf_files(iptables_t)
> +files_etc_filetrans_system_conf(iptables_t)
>
>   manage_files_pattern(iptables_t, iptables_var_run_t, iptables_var_run_t)
>   files_pid_filetrans(iptables_t, iptables_var_run_t, file)
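Review bot: switching from manage_files_pattern(iptables_t, iptables_conf_t, iptables_conf_t) to files_manage_system_conf_files(iptables_t) widens what iptables_t may write from its own rule files to every system_conf_t file, including /etc/sysctl\.conf and the ipvsadm configuration labeled in files.fc. That is the cost of merging these types under one label and should be stated in the commit message as a deliberate trade-off; the typealias to iptables_conf_t in files.te keeps existing labels working either way.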
> diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if
> index 9c0faab..565e5bc 100644
> --- a/policy/modules/system/modutils.if
> +++ b/policy/modules/system/modutils.if
> @@ -39,6 +39,26 @@ interface(`modutils_read_module_deps',`
>
>   ########################################
>   ##<summary>
> +##	List the configuration options used when
> +##	loading modules.
> +##</summary>
> +##<param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +##</param>
> +#
> +interface(`modutils_list_module_config',`
> +	gen_require(`
> +		type modules_conf_t;
> +	')
> +
> +	files_search_etc($1)
> +	list_dirs_pattern($1, modules_conf_t, modules_conf_t)
> +')
> +
> +########################################
> +##<summary>
>   ##	Read the configuration options used when
>   ##	loading modules.
>   ##</summary>
> diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
> index 8e71fb7..1e4892d 100644
> --- a/policy/modules/system/sysnetwork.if
> +++ b/policy/modules/system/sysnetwork.if
> @@ -652,6 +652,44 @@ interface(`sysnet_dns_name_resolve',`
>   	')
>   ')
>
> +#######################################
> +##<summary>
> +##	Relabel from network configuration files.
> +##</summary>
> +##<param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +##</param>
> +#
> +interface(`sysnet_relabelfrom_net_conf',`
> +	gen_require(`
> +		type net_conf_t;
> +	')
> +
> +	files_search_etc($1)
> +	allow $1 net_conf_t:file relabelfrom;
> +')
> +
> +######################################
> +##<summary>
> +##	Relabel to network configuration files.
> +##</summary>
> +##<param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +##</param>
> +#
> +interface(`sysnet_relabelto_net_conf',`
> +	gen_require(`
> +		type net_conf_t;
> +	')
> +
> +	files_search_etc($1)
> +	allow $1 net_conf_t:file relabelto;
> +')
> +
>   ########################################
>   ##<summary>
>   ##	Connect and use a LDAP server.
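Review bot: sysnet_relabelfrom_net_conf and sysnet_relabelto_net_conf use raw `allow $1 net_conf_t:file relabelfrom;` / `relabelto;` rules, whereas the matching files_relabelfrom_system_conf_files and files_relabelto_system_conf_files in files.if use relabelfrom_files_pattern and relabelto_files_pattern; pick one form so the two pairs stay consistent. The comment bars above both interfaces are also narrower than the 40-column bar used by the rest of the file.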
> diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
> index dfbe736..ab27920 100644
> --- a/policy/modules/system/sysnetwork.te
> +++ b/policy/modules/system/sysnetwork.te
> @@ -325,6 +325,10 @@ ifdef(`hide_broken_symptoms',`
>   ')
>
>   optional_policy(`
> +	brctl_domtrans(ifconfig_t)
> +')
> +
> +optional_policy(`
>   	hal_dontaudit_rw_pipes(ifconfig_t)
>   	hal_dontaudit_rw_dgram_sockets(ifconfig_t)
>   ')
>
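Review bot: brctl_domtrans(ifconfig_t) is unrelated to ncftool and absent from the changelog; ifconfig_t running brctl needs its own patch with a justification for the transition.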


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
