* [refpolicy] [Various 1/1] Add nfctool module and its dependencies.
@ 2010-09-03 19:46 Dominick Grift
  2010-09-09 12:33 ` Christopher J. PeBenito
  0 siblings, 1 reply; 2+ messages in thread
From: Dominick Grift @ 2010-09-03 19:46 UTC (permalink / raw)
  To: refpolicy

Add brctl_run interface to cleaned up brctl module.
Add brctl domtrans and run calls to new ncftool module, modutils.
Implement system conf type for manageable system configuration files.
Add/replace calls to system configuration interfaces in virt, init, iptables.
Add network configuration interfaces and add calls to these interfaces in various modules.

Signed-off-by: Dominick Grift <domg472@gmail.com>
---
:100644 100644 5b43db5... 8f1ee2c... M	policy/modules/admin/brctl.if
:100644 100644 0ff3679... 45b26c9... M	policy/modules/admin/brctl.te
:000000 100644 0000000... 19710b5... A	policy/modules/admin/ncftool.fc
:000000 100644 0000000... 5b9318b... A	policy/modules/admin/ncftool.if
:000000 100644 0000000... 2e2f551... A	policy/modules/admin/ncftool.te
:100644 100644 a22e546... 157f6ff... M	policy/modules/admin/shorewall.te
:100644 100644 3517db2... ba92739... M	policy/modules/kernel/files.fc
:100644 100644 5302dac... 17e7a6a... M	policy/modules/kernel/files.if
:100644 100644 07352a5... ec07a47... M	policy/modules/kernel/files.te
:100644 100644 3cce663... 57c0f15... M	policy/modules/services/virt.te
:100644 100644 abab4cf... c038370... M	policy/modules/system/init.te
:100644 100644 13f62a6... e0813a1... M	policy/modules/system/iptables.fc
:100644 100644 5c94dfe... 68cd2d2... M	policy/modules/system/iptables.if
:100644 100644 a3fdcb3... 8e644c4... M	policy/modules/system/iptables.te
:100644 100644 9c0faab... 565e5bc... M	policy/modules/system/modutils.if
:100644 100644 8e71fb7... 1e4892d... M	policy/modules/system/sysnetwork.if
:100644 100644 dfbe736... ab27920... M	policy/modules/system/sysnetwork.te
 policy/modules/admin/brctl.if       |   34 ++++++++++++-
 policy/modules/admin/brctl.te       |    1 -
 policy/modules/admin/ncftool.fc     |    1 +
 policy/modules/admin/ncftool.if     |   80 +++++++++++++++++++++++++++++++
 policy/modules/admin/ncftool.te     |   82 ++++++++++++++++++++++++++++++++
 policy/modules/admin/shorewall.te   |    4 ++
 policy/modules/kernel/files.fc      |   89 +++--------------------------------
 policy/modules/kernel/files.if      |   74 +++++++++++++++++++++++++++++
 policy/modules/kernel/files.te      |    8 +++
 policy/modules/services/virt.te     |    7 ++-
 policy/modules/system/init.te       |    2 +
 policy/modules/system/iptables.fc   |    2 -
 policy/modules/system/iptables.if   |   78 ------------------------------
 policy/modules/system/iptables.te   |    4 +-
 policy/modules/system/modutils.if   |   20 ++++++++
 policy/modules/system/sysnetwork.if |   38 +++++++++++++++
 policy/modules/system/sysnetwork.te |    4 ++
 17 files changed, 357 insertions(+), 171 deletions(-)

diff --git a/policy/modules/admin/brctl.if b/policy/modules/admin/brctl.if
index 5b43db5..8f1ee2c 100644
--- a/policy/modules/admin/brctl.if
+++ b/policy/modules/admin/brctl.if
@@ -1,13 +1,13 @@
-## <summary>Utilities for configuring the linux ethernet bridge</summary>
+## <summary>Utilities for configuring the linux ethernet bridge.</summary>
 
 ########################################
 ## <summary>
 ##	Execute a domain transition to run brctl.
 ## </summary>
 ## <param name="domain">
-## <summary>
+##	<summary>
 ##	Domain allowed to transition.
-## </summary>
+##	</summary>
 ## </param>
 #
 interface(`brctl_domtrans',`
@@ -15,5 +15,33 @@ interface(`brctl_domtrans',`
 		type brctl_t, brctl_exec_t;
 	')
 
+	corecmd_search_bin($1)
 	domtrans_pattern($1, brctl_exec_t, brctl_t)
 ')
+
+#####################################
+## <summary>
+##	Execute a domain transition to run
+##	Brctl, and allow the specified role
+##	the Brctl domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`brctl_run',`
+	gen_require(`
+		type brctl_t, brctl_exec_t;
+	')
+
+	brctl_domtrans($1)
+	role $2 types brctl_t;
+')
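Review bot: brctl_run's gen_require declares brctl_exec_t, but the interface body only references brctl_t (the exec type is consumed by brctl_domtrans, which declares it itself), so the require line should read `type brctl_t;`. The new summary capitalises the program as "Brctl" while the existing brctl_domtrans summary in the same file writes `brctl`; `##	brctl, and allow the specified role` keeps the two headers consistent.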
diff --git a/policy/modules/admin/brctl.te b/policy/modules/admin/brctl.te
index 0ff3679..45b26c9 100644
--- a/policy/modules/admin/brctl.te
+++ b/policy/modules/admin/brctl.te
@@ -30,7 +30,6 @@ corenet_rw_tun_tap_dev(brctl_t)
 dev_rw_sysfs(brctl_t)
 dev_write_sysfs_dirs(brctl_t)
 
-# Init script handling
 domain_use_interactive_fds(brctl_t)
 
 files_read_etc_files(brctl_t)
diff --git a/policy/modules/admin/ncftool.fc b/policy/modules/admin/ncftool.fc
new file mode 100644
index 0000000..19710b5
--- /dev/null
+++ b/policy/modules/admin/ncftool.fc
@@ -0,0 +1 @@
+/usr/bin/ncftool		--	gen_context(system_u:object_r:ncftool_exec_t,s0)
diff --git a/policy/modules/admin/ncftool.if b/policy/modules/admin/ncftool.if
new file mode 100644
index 0000000..5b9318b
--- /dev/null
+++ b/policy/modules/admin/ncftool.if
@@ -0,0 +1,80 @@
+## <summary>Network Interface Management.</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run Ncftool.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`ncftool_domtrans',`
+	gen_require(`
+		type ncftool_t, ncftool_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, ncftool_exec_t, ncftool_t)
+')
+
+########################################
+## <summary>
+##	Execute a domain transition to run
+##	Ncftool, and allow the specified role
+##	the Ncftool domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`ncftool_run',`
+	gen_require(`
+		type ncftool_t;
+	')
+
+	ncftool_domtrans($1)
+	role $2 types ncftool_t;
+
+	optional_policy(`
+		brctl_run(ncftool_t, $2)
+	')
+')
+
+########################################
+## <summary>
+##	Role access for Ncftool.
+## </summary>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	User domain for the role.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`ncftool_role',`
+	gen_require(`
+		type ncftool_t;
+	')
+
+	role $1 types ncftool_t;
+
+	ncftool_domtrans($2)
+
+	ps_process_pattern($2, ncftool_t)
+	allow $2 ncftool_t:process { ptrace signal_perms };
+')
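Review bot: ncftool_role grants role $1 the ncftool_t domain and the transition into it, but unlike ncftool_run it never adds the brctl_run block, and ncftool.te in this patch has no brctl_domtrans of its own, so a role given access through ncftool_role cannot reach brctl_t at all while one given access through ncftool_run can. If ncftool is expected to run brctl from either path, the same `optional_policy(\` brctl_run(ncftool_t, $1) ')` belongs in ncftool_role, or the domtrans should move to ncftool.te with only the role statements kept in the two interfaces. The ncftool_run `domain` parameter is documented as "Domain allowed access" whereas brctl_run in the same patch says "Domain allowed to transition"; `##	Domain allowed to transition.` keeps the wording consistent.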
diff --git a/policy/modules/admin/ncftool.te b/policy/modules/admin/ncftool.te
new file mode 100644
index 0000000..2e2f551
--- /dev/null
+++ b/policy/modules/admin/ncftool.te
@@ -0,0 +1,82 @@
+policy_module(ncftool, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type ncftool_t;
+type ncftool_exec_t;
+application_domain(ncftool_t, ncftool_exec_t)
+domain_obj_id_change_exemption(ncftool_t)
+domain_system_change_exemption(ncftool_t)
+role system_r types ncftool_t;
+
+########################################
+#
+# local policy
+#
+
+allow ncftool_t self:capability { net_admin sys_ptrace };
+allow ncftool_t self:process signal;
+allow ncftool_t self:fifo_file manage_fifo_file_perms;
+allow ncftool_t self:unix_stream_socket create_stream_socket_perms;
+allow ncftool_t self:netlink_route_socket create_netlink_socket_perms;
+allow ncftool_t self:tcp_socket create_stream_socket_perms;
+
+kernel_read_kernel_sysctls(ncftool_t)
+kernel_read_modprobe_sysctls(ncftool_t)
+kernel_read_network_state(ncftool_t)
+kernel_read_system_state(ncftool_t)
+kernel_request_load_module(ncftool_t)
+kernel_rw_net_sysctls(ncftool_t)
+
+corecmd_exec_bin(ncftool_t)
+corecmd_exec_shell(ncftool_t)
+
+domain_read_all_domains_state(ncftool_t)
+
+dev_read_sysfs(ncftool_t)
+
+files_manage_system_conf_files(ncftool_t)
+files_relabelto_system_conf_files(ncftool_t)
+files_read_etc_files(ncftool_t)
+files_read_etc_runtime_files(ncftool_t)
+files_read_usr_files(ncftool_t)
+
+term_use_all_terms(ncftool_t)
+
+miscfiles_read_localization(ncftool_t)
+
+modutils_list_module_config(ncftool_t)
+modutils_read_module_config(ncftool_t)
+modutils_domtrans_insmod(ncftool_t)
+
+sysnet_delete_dhcpc_pid(ncftool_t)
+sysnet_domtrans_dhcpc(ncftool_t)
+sysnet_domtrans_ifconfig(ncftool_t)
+sysnet_etc_filetrans_config(ncftool_t)
+sysnet_manage_config(ncftool_t)
+sysnet_read_dhcpc_state(ncftool_t)
+sysnet_relabelfrom_net_conf(ncftool_t)
+sysnet_relabelto_net_conf(ncftool_t)
+sysnet_read_dhcpc_pid(ncftool_t)
+sysnet_signal_dhcpc(ncftool_t)
+
+userdom_read_user_tmp_files(ncftool_t)
+
+optional_policy(`
+	consoletype_exec(ncftool_t)
+')
+
+optional_policy(`
+	dbus_system_bus_client(ncftool_t)
+')
+
+optional_policy(`
+	iptables_initrc_domtrans(ncftool_t)
+')
+
+optional_policy(`
+	netutils_domtrans(ncftool_t)
+')
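Review bot: The sysnet_relabelfrom_net_conf and files_relabelto_system_conf_files pair lets ncftool_t move files labeled net_conf_t by the sysnetwork module into system_conf_t, a type this patch also makes manageable by iptables_t and virtd_t, so a relabel here changes who may write those files; if only a specific file is meant to change type, the two calls deserve a comment naming it, e.g. `# relabel <file, TBD> between net_conf_t and system_conf_t`, and the reverse call (sysnet_relabelto_net_conf) should say why it is needed. `sys_ptrace` in the self:capability rule presumably backs domain_read_all_domains_state rather than any actual tracing; a why-comment on that line would stop a later reader from dropping it or assuming ncftool attaches to processes. term_use_all_terms is the broadest terminal interface; if ncftool only needs the invoking user's terminal, userdom_use_user_terminals is the narrower choice.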
diff --git a/policy/modules/admin/shorewall.te b/policy/modules/admin/shorewall.te
index a22e546..157f6ff 100644
--- a/policy/modules/admin/shorewall.te
+++ b/policy/modules/admin/shorewall.te
@@ -89,6 +89,10 @@ sysnet_domtrans_ifconfig(shorewall_t)
 userdom_dontaudit_list_user_home_dirs(shorewall_t)
 
 optional_policy(`
+	brctl_domtrans(shorewall_t)
+')
+
+optional_policy(`
 	hostname_exec(shorewall_t)
 ')
 
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
index 3517db2..ba92739 100644
--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
@@ -1,15 +1,9 @@
-
-#
-# /
-#
 /.*				gen_context(system_u:object_r:default_t,s0)
 /			-d	gen_context(system_u:object_r:root_t,s0)
 /\.journal			<<none>>
 /afs			-d	gen_context(system_u:object_r:mnt_t,s0)
 /initrd\.img.*		-l	gen_context(system_u:object_r:boot_t,s0)
 /vmlinuz.*		-l	gen_context(system_u:object_r:boot_t,s0)
-
-ifdef(`distro_redhat',`
 /\.autofsck		--	gen_context(system_u:object_r:etc_runtime_t,s0)
 /\.autorelabel		--	gen_context(system_u:object_r:etc_runtime_t,s0)
 /\.suspended		--	gen_context(system_u:object_r:etc_runtime_t,s0)
@@ -18,15 +12,8 @@ ifdef(`distro_redhat',`
 /fsckoptions 		--	gen_context(system_u:object_r:etc_runtime_t,s0)
 /halt			--	gen_context(system_u:object_r:etc_runtime_t,s0)
 /poweroff		--	gen_context(system_u:object_r:etc_runtime_t,s0)
-')
-
-ifdef(`distro_suse',`
 /success		--	gen_context(system_u:object_r:etc_runtime_t,s0)
-')
 
-#
-# /boot
-#
 /boot			-d	gen_context(system_u:object_r:boot_t,s0)
 /boot/.*			gen_context(system_u:object_r:boot_t,s0)
 /boot/\.journal			<<none>>
@@ -35,15 +22,9 @@ ifdef(`distro_suse',`
 /boot/lost\+found/.*		<<none>>
 /boot/System\.map(-.*)?	--	gen_context(system_u:object_r:system_map_t,s0)
 
-#
-# /emul
-#
 /emul			-d	gen_context(system_u:object_r:usr_t,s0)
 /emul/.*			gen_context(system_u:object_r:usr_t,s0)
 
-#
-# /etc
-#
 /etc			-d	gen_context(system_u:object_r:etc_t,s0)
 /etc/.*				gen_context(system_u:object_r:etc_t,s0)
 /etc/\.fstab\.hal\..+	--	gen_context(system_u:object_r:etc_runtime_t,s0)
@@ -72,114 +53,68 @@ ifdef(`distro_suse',`
 
 /etc/ptal/ptal-printd-like -- 	gen_context(system_u:object_r:etc_runtime_t,s0)
 
+/etc/sysconfig/ebtables.*	--	gen_context(system_u:object_r:system_conf_t,s0)
+/etc/sysconfig/firstboot --	gen_context(system_u:object_r:etc_runtime_t,s0)
 /etc/sysconfig/hwconf	--	gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/sysconfig/ip6?tables.*	--	gen_context(system_u:object_r:system_conf_t,s0)
 /etc/sysconfig/iptables\.save -- gen_context(system_u:object_r:etc_runtime_t,s0)
-/etc/sysconfig/firstboot --	gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/sysconfig/ipvsadm.*	--	gen_context(system_u:object_r:system_conf_t,s0)
+/etc/sysconfig/system-config-firewall.*	--	gen_context(system_u:object_r:system_conf_t,s0)
+
+/etc/sysctl\.conf(\.old)?	--	gen_context(system_u:object_r:system_conf_t,s0)
 
-ifdef(`distro_gentoo', `
 /etc/profile\.env	--	gen_context(system_u:object_r:etc_runtime_t,s0)
 /etc/csh\.env		--	gen_context(system_u:object_r:etc_runtime_t,s0)
 /etc/env\.d/.*		--	gen_context(system_u:object_r:etc_runtime_t,s0)
-')
 
-ifdef(`distro_redhat',`
 /etc/rhgb(/.*)?		-d	gen_context(system_u:object_r:mnt_t,s0)
-')
 
-ifdef(`distro_suse',`
 /etc/defkeymap\.map	--	gen_context(system_u:object_r:etc_runtime_t,s0)
 /etc/init\.d/\.depend.*	--	gen_context(system_u:object_r:etc_runtime_t,s0)
-')
 
-#
-# HOME_ROOT
-# expanded by genhomedircon
-#
 HOME_ROOT		-d	gen_context(system_u:object_r:home_root_t,s0-mls_systemhigh)
 HOME_ROOT/\.journal		<<none>>
 HOME_ROOT/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
 HOME_ROOT/lost\+found/.*		<<none>>
 
-#
-# /initrd
-#
-# initrd mount point, only used during boot
 /initrd			-d	gen_context(system_u:object_r:root_t,s0)
 
-#
-# /lib(64)?
-#
 /lib/modules(/.*)?		gen_context(system_u:object_r:modules_object_t,s0)
 /lib64/modules(/.*)?		gen_context(system_u:object_r:modules_object_t,s0)
 
-#
-# /lost+found
-#
 /lost\+found		-d	gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
 /lost\+found/.*			<<none>>
 
-#
-# /media
-#
-# Mount points; do not relabel subdirectories, since
-# we don't want to change any removable media by default.
 /media(/[^/]*)		-l	gen_context(system_u:object_r:mnt_t,s0)
 /media(/[^/]*)?		-d	gen_context(system_u:object_r:mnt_t,s0)
 /media/[^/]*/.*			<<none>>
 /media/\.hal-.*		--	gen_context(system_u:object_r:mnt_t,s0)
 
-#
-# /misc
-#
 /misc			-d	gen_context(system_u:object_r:mnt_t,s0)
 
-#
-# /mnt
-#
 /mnt(/[^/]*)		-l	gen_context(system_u:object_r:mnt_t,s0)
 /mnt(/[^/]*)?		-d	gen_context(system_u:object_r:mnt_t,s0)
 /mnt/[^/]*/.*			<<none>>
 
-#
-# /net
-#
 /net			-d	gen_context(system_u:object_r:mnt_t,s0)
 
-#
-# /opt
-#
 /opt			-d	gen_context(system_u:object_r:usr_t,s0)
 /opt/.*				gen_context(system_u:object_r:usr_t,s0)
 
 /opt/(.*/)?var/lib(64)?(/.*)?	gen_context(system_u:object_r:var_lib_t,s0)
 
-#
-# /proc
-#
 /proc			-d	<<none>>
 /proc/.*			<<none>>
 
-#
-# /selinux
-#
 /selinux		-d	<<none>>
 /selinux/.*			<<none>>
 
-#
-# /srv
-#
 /srv			-d	gen_context(system_u:object_r:var_t,s0)
 /srv/.*				gen_context(system_u:object_r:var_t,s0)
 
-#
-# /sys
-#
 /sys			-d	<<none>>
 /sys/.*				<<none>>
 
-#
-# /tmp
-#
 /tmp			-d	gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
 /tmp/.*				<<none>>
 /tmp/\.journal			<<none>>
@@ -187,9 +122,6 @@ HOME_ROOT/lost\+found/.*		<<none>>
 /tmp/lost\+found	-d		gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
 /tmp/lost\+found/.*		<<none>>
 
-#
-# /usr
-#
 /usr			-d	gen_context(system_u:object_r:usr_t,s0)
 /usr/.*				gen_context(system_u:object_r:usr_t,s0)
 /usr/\.journal			<<none>>
@@ -215,16 +147,11 @@ HOME_ROOT/lost\+found/.*		<<none>>
 /usr/tmp			-d	gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
 /usr/tmp/.*			<<none>>
 
-ifndef(`distro_redhat',`
 /usr/local/src(/.*)?		gen_context(system_u:object_r:src_t,s0)
 
 /usr/src(/.*)?			gen_context(system_u:object_r:src_t,s0)
 /usr/src/kernels/.+/lib(/.*)?	gen_context(system_u:object_r:usr_t,s0)
-')
 
-#
-# /var
-#
 /var			-d	gen_context(system_u:object_r:var_t,s0)
 /var/.*				gen_context(system_u:object_r:var_t,s0)
 /var/\.journal			<<none>>
@@ -255,6 +182,4 @@ ifndef(`distro_redhat',`
 /var/tmp/lost\+found/.*		<<none>>
 /var/tmp/vi\.recover	-d	gen_context(system_u:object_r:tmp_t,s0)
 
-ifdef(`distro_debian',`
 /var/run/motd		--	gen_context(system_u:object_r:etc_runtime_t,s0)
-')
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 5302dac..17e7a6a 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1875,6 +1875,80 @@ interface(`files_manage_boot_symlinks',`
 	manage_lnk_files_pattern($1, boot_t, boot_t)
 ')
 
+###################################
+## <summary>
+##	Create manageable system configuration files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_etc_filetrans_system_conf',`
+	gen_require(`
+		type etc_t, system_conf_t;
+	')
+
+	filetrans_pattern($1, etc_t, system_conf_t, file)
+')
+
+######################################
+## <summary>
+##  Manage manageable system configuration files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_manage_system_conf_files',`
+	gen_require(`
+		type etc_t, system_conf_t;
+	')
+
+	manage_files_pattern($1, { etc_t system_conf_t }, system_conf_t)
+')
+
+######################################
+## <summary>
+##  Relabel from manageable system configuration files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_relabelfrom_system_conf_files',`
+	gen_require(`
+		type system_conf_t;
+	')
+
+	files_search_etc($1)
+	relabelfrom_files_pattern($1, system_conf_t, system_conf_t)
+')
+
+######################################
+## <summary>
+##  Relabel to manageable system configuration files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_relabelto_system_conf_files',`
+	gen_require(`
+		type system_conf_t;
+	')
+
+	files_search_etc($1)
+	relabelto_files_pattern($1, system_conf_t, system_conf_t)
+')
+
 ########################################
 ## <summary>
 ##	Read kernel files in the /boot directory.
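Review bot: files_relabelfrom_system_conf_files and files_relabelto_system_conf_files pass system_conf_t as the directory type to the *_files_pattern macros, but every system_conf_t entry added in files.fc is a plain file (`--`) under /etc, so the directory search lands on a type that never labels a directory; `relabelfrom_files_pattern($1, etc_t, system_conf_t)` (and the matching relabelto line) with etc_t added to gen_require mirrors what files_manage_system_conf_files already does. The patch deletes iptables_read_config and iptables_setattr_config in iptables.if but adds no read or setattr counterpart for system_conf_t, so an external caller that only needs to read the firewall configuration is left without any interface; a files_read_system_conf_files interface, or keeping the old names as deprecated wrappers, would close that gap. The summaries of the three interfaces after the first use two spaces (`##  Manage`) where the rest of files.if uses a tab.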
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index 07352a5..ec07a47 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -128,6 +128,14 @@ genfscon rootfs / gen_context(system_u:object_r:root_t,s0)
 type src_t;
 files_mountpoint(src_t)
 
+# system_conf_t is a new type of various
+# files in /etc/ that can be managed and
+# created by several domains.
+# 
+type system_conf_t, configfile;
+files_type(system_conf_t)
+typealias system_conf_t alias iptables_conf_t;
+
 #
 # system_map_t is for the system.map files in /boot
 #
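Review bot: The typealias making iptables_conf_t a name for system_conf_t is presumably kept so that existing labels and third-party modules referencing the old type keep working, but nothing says so, and the comment block above it has a trailing space on its bare `# ` line and calls system_conf_t "a new type", which goes stale on the next release. `# system_conf_t: configuration files in /etc that several domains (iptables, ncftool, virt) create and manage.` followed by `# iptables_conf_t is kept as an alias so labels and policy using the old name still resolve.` documents both. The alias also means every domain granted system_conf_t now owns what used to be iptables-only configuration; that consequence is worth one sentence in the same comment.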
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
index 3cce663..57c0f15 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@@ -255,6 +255,10 @@ files_search_all(virtd_t)
 files_read_kernel_modules(virtd_t)
 files_read_usr_src_files(virtd_t)
 files_manage_etc_files(virtd_t)
+files_relabelfrom_system_conf_files(virtd_t)
+files_relabelto_system_conf_files(virtd_t)
+files_manage_system_conf_files(virtd_t)
+files_etc_filetrans_system_conf(virtd_t)
 
 fs_list_auto_mountpoints(virtd_t)
 fs_getattr_xattr_fs(virtd_t)
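Review bot: The relabelfrom/relabelto pair on system_conf_t only permits virtd_t to relabel a system_conf_t file to system_conf_t again; virtd_t is not given relabelfrom on etc_t here, so a file it created as etc_t (files_manage_etc_files sits two lines above) cannot be moved into system_conf_t, and files_etc_filetrans_system_conf already makes new files land as system_conf_t directly. If the pair exists for a setfilecon that reapplies the file's current context, a comment such as `# setfilecon on its own config files, same type` would keep the next reader from "fixing" it; otherwise one of the two calls appears to be dead weight. The virtd_t policy block continues outside this hunk.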
@@ -339,9 +343,6 @@ optional_policy(`
 optional_policy(`
 	iptables_domtrans(virtd_t)
 	iptables_initrc_domtrans(virtd_t)
-
-	# Manages /etc/sysconfig/system-config-firewall
-	iptables_manage_config(virtd_t)
 ')
 
 optional_policy(`
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index abab4cf..c038370 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -530,6 +530,8 @@ ifdef(`distro_redhat',`
 	optional_policy(`
 		sysnet_rw_dhcp_config(initrc_t)
 		sysnet_manage_config(initrc_t)
+		sysnet_relabelfrom_net_conf(initrc_t)
+		sysnet_relabelto_net_conf(initrc_t)
 	')
 
 	optional_policy(`
diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
index 13f62a6..e0813a1 100644
--- a/policy/modules/system/iptables.fc
+++ b/policy/modules/system/iptables.fc
@@ -1,6 +1,4 @@
 /etc/rc\.d/init\.d/ip6?tables	--	gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
-/etc/sysconfig/ip6?tables.*	--	gen_context(system_u:object_r:iptables_conf_t,s0)
-/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
 
 /sbin/ipchains.*		--	gen_context(system_u:object_r:iptables_exec_t,s0)
 /sbin/ip6?tables		--	gen_context(system_u:object_r:iptables_exec_t,s0)
diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if
index 5c94dfe..68cd2d2 100644
--- a/policy/modules/system/iptables.if
+++ b/policy/modules/system/iptables.if
@@ -87,81 +87,3 @@ interface(`iptables_initrc_domtrans',`
 
 	init_labeled_script_domtrans($1, iptables_initrc_exec_t)
 ')
-
-#####################################
-## <summary>
-##	Set the attributes of iptables config files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`iptables_setattr_config',`
-	gen_require(`
-		type iptables_conf_t;
-	')
-
-	files_search_etc($1)
-	allow $1 iptables_conf_t:file setattr;
-')
-
-#####################################
-## <summary>
-##	Read iptables config files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`iptables_read_config',`
-	gen_require(`
-		type iptables_conf_t;
-	')
-
-	files_search_etc($1)
-	allow $1 iptables_conf_t:dir list_dir_perms;
-	read_files_pattern($1, iptables_conf_t, iptables_conf_t)
-')
-
-#####################################
-## <summary>
-##	Create files in /etc with the type used for
-##	the iptables config files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`iptables_etc_filetrans_config',`
-	gen_require(`
-		type iptables_conf_t;
-	')
-
-	files_etc_filetrans($1, iptables_conf_t, file)
-')
-
-###################################
-## <summary>
-##	Manage iptables config files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`iptables_manage_config',`
-	gen_require(`
-		type iptables_conf_t;
-		type etc_t;
-	')
-
-	files_search_etc($1)
-	manage_files_pattern($1, iptables_conf_t, iptables_conf_t)
-')
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
index a3fdcb3..8e644c4 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -33,8 +33,8 @@ allow iptables_t self:fifo_file rw_fifo_file_perms;
 allow iptables_t self:process { sigchld sigkill sigstop signull signal };
 allow iptables_t self:rawip_socket create_socket_perms;
 
-manage_files_pattern(iptables_t, iptables_conf_t, iptables_conf_t)
-files_etc_filetrans(iptables_t, iptables_conf_t, file)
+files_manage_system_conf_files(iptables_t)
+files_etc_filetrans_system_conf(iptables_t)
 
 manage_files_pattern(iptables_t, iptables_var_run_t, iptables_var_run_t)
 files_pid_filetrans(iptables_t, iptables_var_run_t, file)
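Review bot: Replacing manage_files_pattern on iptables_conf_t with files_manage_system_conf_files widens what iptables_t may write: system_conf_t in files.fc now also covers /etc/sysctl.conf, /etc/sysconfig/ebtables.* and /etc/sysconfig/ipvsadm.*, none of which iptables_t could touch before, and the same type is writable by virtd_t and ncftool_t in this patch. If that sharing is deliberate it should be stated on these two lines, e.g. `# system_conf_t is shared with ncftool and virt; see files.fc`, and if not, the firewall files could keep a dedicated type with system_conf_t reserved for the files several tools genuinely edit.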
diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if
index 9c0faab..565e5bc 100644
--- a/policy/modules/system/modutils.if
+++ b/policy/modules/system/modutils.if
@@ -39,6 +39,26 @@ interface(`modutils_read_module_deps',`
 
 ########################################
 ## <summary>
+##	List the configuration options used when
+##	loading modules.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`modutils_list_module_config',`
+	gen_require(`
+		type modules_conf_t;
+	')
+
+	files_search_etc($1)
+	list_dirs_pattern($1, modules_conf_t, modules_conf_t)
+')
+
+########################################
+## <summary>
 ##	Read the configuration options used when
 ##	loading modules.
 ## </summary>
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
index 8e71fb7..1e4892d 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -652,6 +652,44 @@ interface(`sysnet_dns_name_resolve',`
 	')
 ')
 
+#######################################
+## <summary>
+##	Relabel from network configuration files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sysnet_relabelfrom_net_conf',`
+	gen_require(`
+		type net_conf_t;
+	')
+
+	files_search_etc($1)
+	allow $1 net_conf_t:file relabelfrom;
+')
+
+######################################
+## <summary>
+##	Relabel to network configuration files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sysnet_relabelto_net_conf',`
+	gen_require(`
+		type net_conf_t;
+	')
+
+	files_search_etc($1)
+	allow $1 net_conf_t:file relabelto;
+')
+
 ########################################
 ## <summary>
 ##	Connect and use a LDAP server.
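Review bot: The two new relabel interfaces grant a bare `allow $1 net_conf_t:file relabelfrom;` while the matching files.if interfaces in this patch use relabelfrom_files_pattern/relabelto_files_pattern, so the two halves of the same feature follow different conventions; `relabelfrom_files_pattern($1, net_conf_t, net_conf_t)` and `relabelto_files_pattern($1, net_conf_t, net_conf_t)` bring them in line, adding only directory search on net_conf_t. The header rules above the two new interfaces are shorter than the 40-character rule used by the surrounding interfaces in sysnetwork.if. Neither summary says which network configuration files are expected to change type; with initrc_t and ncftool_t as the only callers added here, a sentence naming the intended use would help reviewers judge later callers.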
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index dfbe736..ab27920 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -325,6 +325,10 @@ ifdef(`hide_broken_symptoms',`
 ')
 
 optional_policy(`
+	brctl_domtrans(ifconfig_t)
+')
+
+optional_policy(`
 	hal_dontaudit_rw_pipes(ifconfig_t)
 	hal_dontaudit_rw_dgram_sockets(ifconfig_t)
 ')
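Review bot: brctl_domtrans(ifconfig_t) sets up the type transition, but when ifconfig_t is entered from a user role the role must also be authorised for brctl_t (`role <role> types brctl_t`), which only brctl_run provides, and nothing in this patch calls brctl_run for the roles that run ifconfig; unless those roles already obtain brctl_t elsewhere, executing brctl from ifconfig_t would fail on the role check rather than on a missing allow rule. shorewall_t receives the same addition in shorewall.te but runs under system_r, so it is unaffected provided brctl.te authorises system_r for brctl_t. A comment on why ifconfig_t needs to run brctl (presumably for bridge setup by the network scripts; confirm) would also help.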
-- 
1.7.2.1



* [refpolicy] [Various 1/1] Add nfctool module and its dependencies.
  2010-09-03 19:46 [refpolicy] [Various 1/1] Add nfctool module and its dependencies Dominick Grift
@ 2010-09-09 12:33 ` Christopher J. PeBenito
  0 siblings, 0 replies; 2+ messages in thread
From: Christopher J. PeBenito @ 2010-09-09 12:33 UTC (permalink / raw)
  To: refpolicy

On 09/03/10 15:46, Dominick Grift wrote:
> Add brctl_run interface to cleaned up brctl module.
> Add brctl domtrans and run calls to new ncftool module, modutils.
> Implement system conf type for manageable system configuration files.
> Add /replace calls to system configuration interfaces in virt, init, iptables.
> Add network configuration interfaces and add calls to these interfaces in various modules.

There are unrelated changes in this patch; please remove them.  This 
patch is also big enough that it should probably be split up into 2 or 3 
patches.

> Signed-off-by: Dominick Grift<domg472@gmail.com>
> ---
> :100644 100644 5b43db5... 8f1ee2c... M	policy/modules/admin/brctl.if
> :100644 100644 0ff3679... 45b26c9... M	policy/modules/admin/brctl.te
> :000000 100644 0000000... 19710b5... A	policy/modules/admin/ncftool.fc
> :000000 100644 0000000... 5b9318b... A	policy/modules/admin/ncftool.if
> :000000 100644 0000000... 2e2f551... A	policy/modules/admin/ncftool.te
> :100644 100644 a22e546... 157f6ff... M	policy/modules/admin/shorewall.te
> :100644 100644 3517db2... ba92739... M	policy/modules/kernel/files.fc
> :100644 100644 5302dac... 17e7a6a... M	policy/modules/kernel/files.if
> :100644 100644 07352a5... ec07a47... M	policy/modules/kernel/files.te
> :100644 100644 3cce663... 57c0f15... M	policy/modules/services/virt.te
> :100644 100644 abab4cf... c038370... M	policy/modules/system/init.te
> :100644 100644 13f62a6... e0813a1... M	policy/modules/system/iptables.fc
> :100644 100644 5c94dfe... 68cd2d2... M	policy/modules/system/iptables.if
> :100644 100644 a3fdcb3... 8e644c4... M	policy/modules/system/iptables.te
> :100644 100644 9c0faab... 565e5bc... M	policy/modules/system/modutils.if
> :100644 100644 8e71fb7... 1e4892d... M	policy/modules/system/sysnetwork.if
> :100644 100644 dfbe736... ab27920... M	policy/modules/system/sysnetwork.te
>   policy/modules/admin/brctl.if       |   34 ++++++++++++-
>   policy/modules/admin/brctl.te       |    1 -
>   policy/modules/admin/ncftool.fc     |    1 +
>   policy/modules/admin/ncftool.if     |   80 +++++++++++++++++++++++++++++++
>   policy/modules/admin/ncftool.te     |   82 ++++++++++++++++++++++++++++++++
>   policy/modules/admin/shorewall.te   |    4 ++
>   policy/modules/kernel/files.fc      |   89 +++--------------------------------
>   policy/modules/kernel/files.if      |   74 +++++++++++++++++++++++++++++
>   policy/modules/kernel/files.te      |    8 +++
>   policy/modules/services/virt.te     |    7 ++-
>   policy/modules/system/init.te       |    2 +
>   policy/modules/system/iptables.fc   |    2 -
>   policy/modules/system/iptables.if   |   78 ------------------------------
>   policy/modules/system/iptables.te   |    4 +-
>   policy/modules/system/modutils.if   |   20 ++++++++
>   policy/modules/system/sysnetwork.if |   38 +++++++++++++++
>   policy/modules/system/sysnetwork.te |    4 ++
>   17 files changed, 357 insertions(+), 171 deletions(-)
>
> diff --git a/policy/modules/admin/brctl.if b/policy/modules/admin/brctl.if
> index 5b43db5..8f1ee2c 100644
> --- a/policy/modules/admin/brctl.if
> +++ b/policy/modules/admin/brctl.if
> @@ -1,13 +1,13 @@
> -##<summary>Utilities for configuring the linux ethernet bridge</summary>
> +##<summary>Utilities for configuring the linux ethernet bridge.</summary>
>
>   ########################################
>   ##<summary>
>   ##	Execute a domain transition to run brctl.
>   ##</summary>
>   ##<param name="domain">
> -##<summary>
> +##	<summary>
>   ##	Domain allowed to transition.
> -##</summary>
> +##	</summary>
>   ##</param>
>   #
>   interface(`brctl_domtrans',`
> @@ -15,5 +15,33 @@ interface(`brctl_domtrans',`
>   		type brctl_t, brctl_exec_t;
>   	')
>
> +	corecmd_search_bin($1)
>   	domtrans_pattern($1, brctl_exec_t, brctl_t)
>   ')
> +
> +#####################################
> +##<summary>
> +##	Execute a domain transition to run
> +##	Brctl, and allow the specified role
> +##	the Brctl domain.
> +##</summary>
> +##<param name="domain">
> +##	<summary>
> +##	Domain allowed to transition.
> +##	</summary>
> +##</param>
> +##<param name="role">
> +##	<summary>
> +##	Role allowed access.
> +##	</summary>
> +##</param>
> +##<rolecap/>
> +#
> +interface(`brctl_run',`
> +	gen_require(`
> +		type brctl_t, brctl_exec_t;
> +	')
> +
> +	brctl_domtrans($1)
> +	role $2 types brctl_t;
> +')
> diff --git a/policy/modules/admin/brctl.te b/policy/modules/admin/brctl.te
> index 0ff3679..45b26c9 100644
> --- a/policy/modules/admin/brctl.te
> +++ b/policy/modules/admin/brctl.te
> @@ -30,7 +30,6 @@ corenet_rw_tun_tap_dev(brctl_t)
>   dev_rw_sysfs(brctl_t)
>   dev_write_sysfs_dirs(brctl_t)
>
> -# Init script handling
>   domain_use_interactive_fds(brctl_t)
>
>   files_read_etc_files(brctl_t)
> diff --git a/policy/modules/admin/ncftool.fc b/policy/modules/admin/ncftool.fc
> new file mode 100644
> index 0000000..19710b5
> --- /dev/null
> +++ b/policy/modules/admin/ncftool.fc
> @@ -0,0 +1 @@
> +/usr/bin/ncftool		--	gen_context(system_u:object_r:ncftool_exec_t,s0)
> diff --git a/policy/modules/admin/ncftool.if b/policy/modules/admin/ncftool.if
> new file mode 100644
> index 0000000..5b9318b
> --- /dev/null
> +++ b/policy/modules/admin/ncftool.if
> @@ -0,0 +1,80 @@
> +##<summary>Network Interface Management.</summary>
> +
> +########################################
> +##<summary>
> +##	Execute a domain transition to run Ncftool.
> +##</summary>
> +##<param name="domain">
> +##	<summary>
> +##	Domain allowed to transition.
> +##	</summary>
> +##</param>
> +#
> +interface(`ncftool_domtrans',`
> +	gen_require(`
> +		type ncftool_t, ncftool_exec_t;
> +	')
> +
> +	corecmd_search_bin($1)
> +	domtrans_pattern($1, ncftool_exec_t, ncftool_t)
> +')
> +
> +########################################
> +##<summary>
> +##	Execute a domain transition to run
> +##	Ncftool, and allow the specified role
> +##	the Ncftool domain.
> +##</summary>
> +##<param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +##</param>
> +##<param name="role">
> +##	<summary>
> +##	Role allowed access.
> +##	</summary>
> +##</param>
> +##<rolecap/>
> +#
> +interface(`ncftool_run',`
> +	gen_require(`
> +		type ncftool_t;
> +	')
> +
> +	ncftool_domtrans($1)
> +	role $2 types ncftool_t;
> +
> +	optional_policy(`
> +		brctl_run(ncftool_t, $2)
> +	')
> +')
> +
> +########################################
> +##<summary>
> +##	Role access for Ncftool.
> +##</summary>
> +##<param name="role">
> +##	<summary>
> +##	Role allowed access.
> +##	</summary>
> +##</param>
> +##<param name="domain">
> +##	<summary>
> +##	User domain for the role.
> +##	</summary>
> +##</param>
> +##<rolecap/>
> +#
> +interface(`ncftool_role',`
> +	gen_require(`
> +		type ncftool_t;
> +	')
> +
> +	role $1 types ncftool_t;
> +
> +	ncftool_domtrans($2)
> +
> +	ps_process_pattern($2, ncftool_t)
> +	allow $2 ncftool_t:process { ptrace signal_perms };
> +')
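Review bot: The brctl transition for ncftool_t is granted only inside `ncftool_run` (through `brctl_run(ncftool_t, $2)` above), so an ncftool_t process entered via `ncftool_domtrans` or via `ncftool_role` never receives the transition to brctl_t, and the ncftool.te hunk in this patch does not call `brctl_domtrans(ncftool_t)` either. The domain transition belongs in ncftool.te inside an `optional_policy` block as `brctl_domtrans(ncftool_t)`, leaving `ncftool_run` (and `ncftool_role`, which currently omits it) to add only the role-dependent `role $2 types brctl_t;` part. Separately, `brctl_run` in brctl.if requires `brctl_exec_t` that it never references while `ncftool_run` requires only `ncftool_t`; the two `gen_require` blocks should agree.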
> diff --git a/policy/modules/admin/ncftool.te b/policy/modules/admin/ncftool.te
> new file mode 100644
> index 0000000..2e2f551
> --- /dev/null
> +++ b/policy/modules/admin/ncftool.te
> @@ -0,0 +1,82 @@
> +policy_module(ncftool, 1.0.0)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +type ncftool_t;
> +type ncftool_exec_t;
> +application_domain(ncftool_t, ncftool_exec_t)
> +domain_obj_id_change_exemption(ncftool_t)
> +domain_system_change_exemption(ncftool_t)
> +role system_r types ncftool_t;
> +
> +########################################
> +#
> +# local policy
> +#
> +
> +allow ncftool_t self:capability { net_admin sys_ptrace };
> +allow ncftool_t self:process signal;
> +allow ncftool_t self:fifo_file manage_fifo_file_perms;
> +allow ncftool_t self:unix_stream_socket create_stream_socket_perms;
> +allow ncftool_t self:netlink_route_socket create_netlink_socket_perms;
> +allow ncftool_t self:tcp_socket create_stream_socket_perms;
> +
> +kernel_read_kernel_sysctls(ncftool_t)
> +kernel_read_modprobe_sysctls(ncftool_t)
> +kernel_read_network_state(ncftool_t)
> +kernel_read_system_state(ncftool_t)
> +kernel_request_load_module(ncftool_t)
> +kernel_rw_net_sysctls(ncftool_t)
> +
> +corecmd_exec_bin(ncftool_t)
> +corecmd_exec_shell(ncftool_t)
> +
> +domain_read_all_domains_state(ncftool_t)
> +
> +dev_read_sysfs(ncftool_t)
> +
> +files_manage_system_conf_files(ncftool_t)
> +files_relabelto_system_conf_files(ncftool_t)
> +files_read_etc_files(ncftool_t)
> +files_read_etc_runtime_files(ncftool_t)
> +files_read_usr_files(ncftool_t)
> +
> +term_use_all_terms(ncftool_t)
> +
> +miscfiles_read_localization(ncftool_t)
> +
> +modutils_list_module_config(ncftool_t)
> +modutils_read_module_config(ncftool_t)
> +modutils_domtrans_insmod(ncftool_t)
> +
> +sysnet_delete_dhcpc_pid(ncftool_t)
> +sysnet_domtrans_dhcpc(ncftool_t)
> +sysnet_domtrans_ifconfig(ncftool_t)
> +sysnet_etc_filetrans_config(ncftool_t)
> +sysnet_manage_config(ncftool_t)
> +sysnet_read_dhcpc_state(ncftool_t)
> +sysnet_relabelfrom_net_conf(ncftool_t)
> +sysnet_relabelto_net_conf(ncftool_t)
> +sysnet_read_dhcpc_pid(ncftool_t)
> +sysnet_signal_dhcpc(ncftool_t)
> +
> +userdom_read_user_tmp_files(ncftool_t)
> +
> +optional_policy(`
> +	consoletype_exec(ncftool_t)
> +')
> +
> +optional_policy(`
> +	dbus_system_bus_client(ncftool_t)
> +')
> +
> +optional_policy(`
> +	iptables_initrc_domtrans(ncftool_t)
> +')
> +
> +optional_policy(`
> +	netutils_domtrans(ncftool_t)
> +')
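Review bot: `allow ncftool_t self:capability { net_admin sys_ptrace };` together with `domain_read_all_domains_state(ncftool_t)` and `term_use_all_terms(ncftool_t)` gives the new domain broad process-inspection and terminal access with no comment saying which ncftool operation needs them; `sys_ptrace` in particular is often only triggered by /proc probing and is then better handled with a dontaudit than an allow. Each of these three grants should carry a why-comment, e.g. `# sys_ptrace: <ncftool operation that needs it — confirm from audit logs>`, or be narrowed to what the tool actually triggers. The module also calls both `kernel_request_load_module(ncftool_t)` and `modutils_domtrans_insmod(ncftool_t)`; if module loading only ever happens through the kernel request path, the insmod transition may be unnecessary and is worth verifying.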
> diff --git a/policy/modules/admin/shorewall.te b/policy/modules/admin/shorewall.te
> index a22e546..157f6ff 100644
> --- a/policy/modules/admin/shorewall.te
> +++ b/policy/modules/admin/shorewall.te
> @@ -89,6 +89,10 @@ sysnet_domtrans_ifconfig(shorewall_t)
>   userdom_dontaudit_list_user_home_dirs(shorewall_t)
>
>   optional_policy(`
> +	brctl_domtrans(shorewall_t)
> +')
> +
> +optional_policy(`
>   	hostname_exec(shorewall_t)
>   ')
>
> diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
> index 3517db2..ba92739 100644
> --- a/policy/modules/kernel/files.fc
> +++ b/policy/modules/kernel/files.fc
> @@ -1,15 +1,9 @@
> -
> -#
> -# /
> -#
>   /.*				gen_context(system_u:object_r:default_t,s0)
>   /			-d	gen_context(system_u:object_r:root_t,s0)
>   /\.journal			<<none>>
>   /afs			-d	gen_context(system_u:object_r:mnt_t,s0)
>   /initrd\.img.*		-l	gen_context(system_u:object_r:boot_t,s0)
>   /vmlinuz.*		-l	gen_context(system_u:object_r:boot_t,s0)
> -
> -ifdef(`distro_redhat',`
>   /\.autofsck		--	gen_context(system_u:object_r:etc_runtime_t,s0)
>   /\.autorelabel		--	gen_context(system_u:object_r:etc_runtime_t,s0)
>   /\.suspended		--	gen_context(system_u:object_r:etc_runtime_t,s0)
> @@ -18,15 +12,8 @@ ifdef(`distro_redhat',`
>   /fsckoptions 		--	gen_context(system_u:object_r:etc_runtime_t,s0)
>   /halt			--	gen_context(system_u:object_r:etc_runtime_t,s0)
>   /poweroff		--	gen_context(system_u:object_r:etc_runtime_t,s0)
> -')
> -
> -ifdef(`distro_suse',`
>   /success		--	gen_context(system_u:object_r:etc_runtime_t,s0)
> -')
>
> -#
> -# /boot
> -#
>   /boot			-d	gen_context(system_u:object_r:boot_t,s0)
>   /boot/.*			gen_context(system_u:object_r:boot_t,s0)
>   /boot/\.journal			<<none>>
> @@ -35,15 +22,9 @@ ifdef(`distro_suse',`
>   /boot/lost\+found/.*		<<none>>
>   /boot/System\.map(-.*)?	--	gen_context(system_u:object_r:system_map_t,s0)
>
> -#
> -# /emul
> -#
>   /emul			-d	gen_context(system_u:object_r:usr_t,s0)
>   /emul/.*			gen_context(system_u:object_r:usr_t,s0)
>
> -#
> -# /etc
> -#
>   /etc			-d	gen_context(system_u:object_r:etc_t,s0)
>   /etc/.*				gen_context(system_u:object_r:etc_t,s0)
>   /etc/\.fstab\.hal\..+	--	gen_context(system_u:object_r:etc_runtime_t,s0)
> @@ -72,114 +53,68 @@ ifdef(`distro_suse',`
>
>   /etc/ptal/ptal-printd-like -- 	gen_context(system_u:object_r:etc_runtime_t,s0)
>
> +/etc/sysconfig/ebtables.*	--	gen_context(system_u:object_r:system_conf_t,s0)
> +/etc/sysconfig/firstboot --	gen_context(system_u:object_r:etc_runtime_t,s0)
>   /etc/sysconfig/hwconf	--	gen_context(system_u:object_r:etc_runtime_t,s0)
> +/etc/sysconfig/ip6?tables.*	--	gen_context(system_u:object_r:system_conf_t,s0)
>   /etc/sysconfig/iptables\.save -- gen_context(system_u:object_r:etc_runtime_t,s0)
> -/etc/sysconfig/firstboot --	gen_context(system_u:object_r:etc_runtime_t,s0)
> +/etc/sysconfig/ipvsadm.*	--	gen_context(system_u:object_r:system_conf_t,s0)
> +/etc/sysconfig/system-config-firewall.*	--	gen_context(system_u:object_r:system_conf_t,s0)
> +
> +/etc/sysctl\.conf(\.old)?	--	gen_context(system_u:object_r:system_conf_t,s0)
>
> -ifdef(`distro_gentoo', `
>   /etc/profile\.env	--	gen_context(system_u:object_r:etc_runtime_t,s0)
>   /etc/csh\.env		--	gen_context(system_u:object_r:etc_runtime_t,s0)
>   /etc/env\.d/.*		--	gen_context(system_u:object_r:etc_runtime_t,s0)
> -')
>
> -ifdef(`distro_redhat',`
>   /etc/rhgb(/.*)?		-d	gen_context(system_u:object_r:mnt_t,s0)
> -')
>
> -ifdef(`distro_suse',`
>   /etc/defkeymap\.map	--	gen_context(system_u:object_r:etc_runtime_t,s0)
>   /etc/init\.d/\.depend.*	--	gen_context(system_u:object_r:etc_runtime_t,s0)
> -')
>
> -#
> -# HOME_ROOT
> -# expanded by genhomedircon
> -#
>   HOME_ROOT		-d	gen_context(system_u:object_r:home_root_t,s0-mls_systemhigh)
>   HOME_ROOT/\.journal		<<none>>
>   HOME_ROOT/lost\+found	-d	gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
>   HOME_ROOT/lost\+found/.*		<<none>>
>
> -#
> -# /initrd
> -#
> -# initrd mount point, only used during boot
>   /initrd			-d	gen_context(system_u:object_r:root_t,s0)
>
> -#
> -# /lib(64)?
> -#
>   /lib/modules(/.*)?		gen_context(system_u:object_r:modules_object_t,s0)
>   /lib64/modules(/.*)?		gen_context(system_u:object_r:modules_object_t,s0)
>
> -#
> -# /lost+found
> -#
>   /lost\+found		-d	gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
>   /lost\+found/.*			<<none>>
>
> -#
> -# /media
> -#
> -# Mount points; do not relabel subdirectories, since
> -# we don't want to change any removable media by default.
>   /media(/[^/]*)		-l	gen_context(system_u:object_r:mnt_t,s0)
>   /media(/[^/]*)?		-d	gen_context(system_u:object_r:mnt_t,s0)
>   /media/[^/]*/.*			<<none>>
>   /media/\.hal-.*		--	gen_context(system_u:object_r:mnt_t,s0)
>
> -#
> -# /misc
> -#
>   /misc			-d	gen_context(system_u:object_r:mnt_t,s0)
>
> -#
> -# /mnt
> -#
>   /mnt(/[^/]*)		-l	gen_context(system_u:object_r:mnt_t,s0)
>   /mnt(/[^/]*)?		-d	gen_context(system_u:object_r:mnt_t,s0)
>   /mnt/[^/]*/.*			<<none>>
>
> -#
> -# /net
> -#
>   /net			-d	gen_context(system_u:object_r:mnt_t,s0)
>
> -#
> -# /opt
> -#
>   /opt			-d	gen_context(system_u:object_r:usr_t,s0)
>   /opt/.*				gen_context(system_u:object_r:usr_t,s0)
>
>   /opt/(.*/)?var/lib(64)?(/.*)?	gen_context(system_u:object_r:var_lib_t,s0)
>
> -#
> -# /proc
> -#
>   /proc			-d	<<none>>
>   /proc/.*			<<none>>
>
> -#
> -# /selinux
> -#
>   /selinux		-d	<<none>>
>   /selinux/.*			<<none>>
>
> -#
> -# /srv
> -#
>   /srv			-d	gen_context(system_u:object_r:var_t,s0)
>   /srv/.*				gen_context(system_u:object_r:var_t,s0)
>
> -#
> -# /sys
> -#
>   /sys			-d	<<none>>
>   /sys/.*				<<none>>
>
> -#
> -# /tmp
> -#
>   /tmp			-d	gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
>   /tmp/.*				<<none>>
>   /tmp/\.journal			<<none>>
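Review bot: `/etc/sysctl\.conf(\.old)?` is labeled `system_conf_t` in this hunk, which places the kernel sysctl configuration in the same type as the ip6?tables, ebtables, ipvsadm and system-config-firewall files; every domain this patch gives `files_manage_system_conf_files` (iptables_t, virtd_t, ncftool_t) can therefore rewrite `/etc/sysctl.conf`, not just the firewall state files. If only ncftool needs to edit sysctl.conf, a dedicated type or leaving it `etc_t` keeps the grant narrower; at minimum the `system_conf_t` comment in files.te should list the files it covers so future callers know what they are being given.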
> @@ -187,9 +122,6 @@ HOME_ROOT/lost\+found/.*		<<none>>
>   /tmp/lost\+found	-d		gen_context(system_u:object_r:lost_found_t,mls_systemhigh)
>   /tmp/lost\+found/.*		<<none>>
>
> -#
> -# /usr
> -#
>   /usr			-d	gen_context(system_u:object_r:usr_t,s0)
>   /usr/.*				gen_context(system_u:object_r:usr_t,s0)
>   /usr/\.journal			<<none>>
> @@ -215,16 +147,11 @@ HOME_ROOT/lost\+found/.*		<<none>>
>   /usr/tmp			-d	gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
>   /usr/tmp/.*			<<none>>
>
> -ifndef(`distro_redhat',`
>   /usr/local/src(/.*)?		gen_context(system_u:object_r:src_t,s0)
>
>   /usr/src(/.*)?			gen_context(system_u:object_r:src_t,s0)
>   /usr/src/kernels/.+/lib(/.*)?	gen_context(system_u:object_r:usr_t,s0)
> -')
>
> -#
> -# /var
> -#
>   /var			-d	gen_context(system_u:object_r:var_t,s0)
>   /var/.*				gen_context(system_u:object_r:var_t,s0)
>   /var/\.journal			<<none>>
> @@ -255,6 +182,4 @@ ifndef(`distro_redhat',`
>   /var/tmp/lost\+found/.*		<<none>>
>   /var/tmp/vi\.recover	-d	gen_context(system_u:object_r:tmp_t,s0)
>
> -ifdef(`distro_debian',`
>   /var/run/motd		--	gen_context(system_u:object_r:etc_runtime_t,s0)
> -')
> diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
> index 5302dac..17e7a6a 100644
> --- a/policy/modules/kernel/files.if
> +++ b/policy/modules/kernel/files.if
> @@ -1875,6 +1875,80 @@ interface(`files_manage_boot_symlinks',`
>   	manage_lnk_files_pattern($1, boot_t, boot_t)
>   ')
>
> +###################################
> +##<summary>
> +##	Create manageable system configuration files.
> +##</summary>
> +##<param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +##</param>
> +#
> +interface(`files_etc_filetrans_system_conf',`
> +	gen_require(`
> +		type etc_t, system_conf_t;
> +	')
> +
> +	filetrans_pattern($1, etc_t, system_conf_t, file)
> +')
> +
> +######################################
> +##<summary>
> +##  Manage manageable system configuration files.
> +##</summary>
> +##<param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +##</param>
> +#
> +interface(`files_manage_system_conf_files',`
> +	gen_require(`
> +		type etc_t, system_conf_t;
> +	')
> +
> +	manage_files_pattern($1, { etc_t system_conf_t }, system_conf_t)
> +')
> +
> +######################################
> +##<summary>
> +##  Relabel from manageable system configuration files.
> +##</summary>
> +##<param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +##</param>
> +#
> +interface(`files_relabelfrom_system_conf_files',`
> +	gen_require(`
> +		type system_conf_t;
> +	')
> +
> +	files_search_etc($1)
> +	relabelfrom_files_pattern($1, system_conf_t, system_conf_t)
> +')
> +
> +######################################
> +##<summary>
> +##  Relabel to manageable system configuration files.
> +##</summary>
> +##<param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +##</param>
> +#
> +interface(`files_relabelto_system_conf_files',`
> +	gen_require(`
> +		type system_conf_t;
> +	')
> +
> +	files_search_etc($1)
> +	relabelto_files_pattern($1, system_conf_t, system_conf_t)
> +')
> +
>   ########################################
>   ##<summary>
>   ##	Read kernel files in the /boot directory.
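Review bot: The summaries of `files_manage_system_conf_files`, `files_relabelfrom_system_conf_files` and `files_relabelto_system_conf_files` are indented with two spaces (`##  Manage manageable ...`) while `files_etc_filetrans_system_conf` and the rest of the file use a tab; the style should match. "Manage manageable system configuration files" is also tautological; `##	Create, read, write, and delete manageable system configuration files.` reads better. `files_manage_system_conf_files` passes `{ etc_t system_conf_t }` as the directory type to `manage_files_pattern`, which (unlike the `files_search_etc($1)` used by the two relabel interfaces) hands the caller write access to `etc_t` directories; a short comment above that line noting the extra directory permission would keep callers from reaching for it when `files_search_etc` would do.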
> diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
> index 07352a5..ec07a47 100644
> --- a/policy/modules/kernel/files.te
> +++ b/policy/modules/kernel/files.te
> @@ -128,6 +128,14 @@ genfscon rootfs / gen_context(system_u:object_r:root_t,s0)
>   type src_t;
>   files_mountpoint(src_t)
>
> +# system_conf_t is a new type of various
> +# files in /etc/ that can be managed and
> +# created by several domains.
> +#
> +type system_conf_t, configfile;
> +files_type(system_conf_t)
> +typealias system_conf_t alias iptables_conf_t;
> +
>   #
>   # system_map_t is for the system.map files in /boot
>   #
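Review bot: `typealias system_conf_t alias iptables_conf_t;` keeps policy that still references `iptables_conf_t` compiling, but nothing says the alias is transitional or when it can be dropped; the comment block above it should state that, e.g. `# iptables_conf_t alias kept for compatibility with policy written before system_conf_t; remove after a release cycle.`. The same comment could list the files the type covers (per files.fc in this patch: /etc/sysconfig/ip6?tables, ebtables, ipvsadm, system-config-firewall, /etc/sysctl.conf) so the scope of the grant is visible where the type is declared.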
> diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
> index 3cce663..57c0f15 100644
> --- a/policy/modules/services/virt.te
> +++ b/policy/modules/services/virt.te
> @@ -255,6 +255,10 @@ files_search_all(virtd_t)
>   files_read_kernel_modules(virtd_t)
>   files_read_usr_src_files(virtd_t)
>   files_manage_etc_files(virtd_t)
> +files_relabelfrom_system_conf_files(virtd_t)
> +files_relabelto_system_conf_files(virtd_t)
> +files_manage_system_conf_files(virtd_t)
> +files_etc_filetrans_system_conf(virtd_t)
>
>   fs_list_auto_mountpoints(virtd_t)
>   fs_getattr_xattr_fs(virtd_t)
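Review bot: The four new `files_*_system_conf*` calls for virtd_t replace the `iptables_manage_config(virtd_t)` removed in the second hunk of this file, but the explanatory comment that accompanied it, `# Manages /etc/sysconfig/system-config-firewall`, is dropped rather than carried over and should be placed above the new lines. The relabel grants also go beyond what was removed: the old interface granted no relabel permission at all, so the reason libvirt now needs `files_relabelfrom_system_conf_files` / `files_relabelto_system_conf_files` on system_conf_t (presumably restoring labels after rewriting the file — confirm) belongs in that same comment.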
> @@ -339,9 +343,6 @@ optional_policy(`
>   optional_policy(`
>   	iptables_domtrans(virtd_t)
>   	iptables_initrc_domtrans(virtd_t)
> -
> -	# Manages /etc/sysconfig/system-config-firewall
> -	iptables_manage_config(virtd_t)
>   ')
>
>   optional_policy(`
> diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
> index abab4cf..c038370 100644
> --- a/policy/modules/system/init.te
> +++ b/policy/modules/system/init.te
> @@ -530,6 +530,8 @@ ifdef(`distro_redhat',`
>   	optional_policy(`
>   		sysnet_rw_dhcp_config(initrc_t)
>   		sysnet_manage_config(initrc_t)
> +		sysnet_relabelfrom_net_conf(initrc_t)
> +		sysnet_relabelto_net_conf(initrc_t)
>   	')
>
>   	optional_policy(`
> diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
> index 13f62a6..e0813a1 100644
> --- a/policy/modules/system/iptables.fc
> +++ b/policy/modules/system/iptables.fc
> @@ -1,6 +1,4 @@
>   /etc/rc\.d/init\.d/ip6?tables	--	gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
> -/etc/sysconfig/ip6?tables.*	--	gen_context(system_u:object_r:iptables_conf_t,s0)
> -/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
>
>   /sbin/ipchains.*		--	gen_context(system_u:object_r:iptables_exec_t,s0)
>   /sbin/ip6?tables		--	gen_context(system_u:object_r:iptables_exec_t,s0)
> diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if
> index 5c94dfe..68cd2d2 100644
> --- a/policy/modules/system/iptables.if
> +++ b/policy/modules/system/iptables.if
> @@ -87,81 +87,3 @@ interface(`iptables_initrc_domtrans',`
>
>   	init_labeled_script_domtrans($1, iptables_initrc_exec_t)
>   ')
> -
> -#####################################
> -##<summary>
> -##	Set the attributes of iptables config files.
> -##</summary>
> -##<param name="domain">
> -##	<summary>
> -##	Domain allowed access.
> -##	</summary>
> -##</param>
> -#
> -interface(`iptables_setattr_config',`
> -	gen_require(`
> -		type iptables_conf_t;
> -	')
> -
> -	files_search_etc($1)
> -	allow $1 iptables_conf_t:file setattr;
> -')
> -
> -#####################################
> -##<summary>
> -##	Read iptables config files.
> -##</summary>
> -##<param name="domain">
> -##	<summary>
> -##	Domain allowed access.
> -##	</summary>
> -##</param>
> -#
> -interface(`iptables_read_config',`
> -	gen_require(`
> -		type iptables_conf_t;
> -	')
> -
> -	files_search_etc($1)
> -	allow $1 iptables_conf_t:dir list_dir_perms;
> -	read_files_pattern($1, iptables_conf_t, iptables_conf_t)
> -')
> -
> -#####################################
> -##<summary>
> -##	Create files in /etc with the type used for
> -##	the iptables config files.
> -##</summary>
> -##<param name="domain">
> -##	<summary>
> -##	Domain allowed access.
> -##	</summary>
> -##</param>
> -#
> -interface(`iptables_etc_filetrans_config',`
> -	gen_require(`
> -		type iptables_conf_t;
> -	')
> -
> -	files_etc_filetrans($1, iptables_conf_t, file)
> -')
> -
> -###################################
> -##<summary>
> -##	Manage iptables config files.
> -##</summary>
> -##<param name="domain">
> -##	<summary>
> -##	Domain allowed access.
> -##	</summary>
> -##</param>
> -#
> -interface(`iptables_manage_config',`
> -	gen_require(`
> -		type iptables_conf_t;
> -		type etc_t;
> -	')
> -
> -	files_search_etc($1)
> -	manage_files_pattern($1, iptables_conf_t, iptables_conf_t)
> -')
> diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
> index a3fdcb3..8e644c4 100644
> --- a/policy/modules/system/iptables.te
> +++ b/policy/modules/system/iptables.te
> @@ -33,8 +33,8 @@ allow iptables_t self:fifo_file rw_fifo_file_perms;
>   allow iptables_t self:process { sigchld sigkill sigstop signull signal };
>   allow iptables_t self:rawip_socket create_socket_perms;
>
> -manage_files_pattern(iptables_t, iptables_conf_t, iptables_conf_t)
> -files_etc_filetrans(iptables_t, iptables_conf_t, file)
> +files_manage_system_conf_files(iptables_t)
> +files_etc_filetrans_system_conf(iptables_t)
>
>   manage_files_pattern(iptables_t, iptables_var_run_t, iptables_var_run_t)
>   files_pid_filetrans(iptables_t, iptables_var_run_t, file)
> diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if
> index 9c0faab..565e5bc 100644
> --- a/policy/modules/system/modutils.if
> +++ b/policy/modules/system/modutils.if
> @@ -39,6 +39,26 @@ interface(`modutils_read_module_deps',`
>
>   ########################################
>   ##<summary>
> +##	List the configuration options used when
> +##	loading modules.
> +##</summary>
> +##<param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +##</param>
> +#
> +interface(`modutils_list_module_config',`
> +	gen_require(`
> +		type modules_conf_t;
> +	')
> +
> +	files_search_etc($1)
> +	list_dirs_pattern($1, modules_conf_t, modules_conf_t)
> +')
> +
> +########################################
> +##<summary>
>   ##	Read the configuration options used when
>   ##	loading modules.
>   ##</summary>
> diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
> index 8e71fb7..1e4892d 100644
> --- a/policy/modules/system/sysnetwork.if
> +++ b/policy/modules/system/sysnetwork.if
> @@ -652,6 +652,44 @@ interface(`sysnet_dns_name_resolve',`
>   	')
>   ')
>
> +#######################################
> +##<summary>
> +##	Relabel from network configuration files.
> +##</summary>
> +##<param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +##</param>
> +#
> +interface(`sysnet_relabelfrom_net_conf',`
> +	gen_require(`
> +		type net_conf_t;
> +	')
> +
> +	files_search_etc($1)
> +	allow $1 net_conf_t:file relabelfrom;
> +')
> +
> +######################################
> +##<summary>
> +##	Relabel to network configuration files.
> +##</summary>
> +##<param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +##</param>
> +#
> +interface(`sysnet_relabelto_net_conf',`
> +	gen_require(`
> +		type net_conf_t;
> +	')
> +
> +	files_search_etc($1)
> +	allow $1 net_conf_t:file relabelto;
> +')
> +
>   ########################################
>   ##<summary>
>   ##	Connect and use a LDAP server.
> diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
> index dfbe736..ab27920 100644
> --- a/policy/modules/system/sysnetwork.te
> +++ b/policy/modules/system/sysnetwork.te
> @@ -325,6 +325,10 @@ ifdef(`hide_broken_symptoms',`
>   ')
>
>   optional_policy(`
> +	brctl_domtrans(ifconfig_t)
> +')
> +
> +optional_policy(`
>   	hal_dontaudit_rw_pipes(ifconfig_t)
>   	hal_dontaudit_rw_dgram_sockets(ifconfig_t)
>   ')
>
>
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

