commit: f4284ca3c2aa40c9c5296be9a157e45250f497c5
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Jun 25 19:53:48 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Jun 25 19:53:48 2014 +0000
URL:
http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f4284ca3
Fix bug #509728 - Add openresolv support
The openresolv application implements the resolvconf interface that many
network services have. This policy should support those network services
*if* they are enabled further through the resolvconf_client_domain()
attribute.
For instance:
resolvconf_client_domain(dhcpc_t)
---
policy/modules/contrib/resolvconf.fc | 6 +++
policy/modules/contrib/resolvconf.if | 102 +++++++++++++++++++++++++++++++++++
policy/modules/contrib/resolvconf.te | 52 ++++++++++++++++++
3 files changed, 160 insertions(+)
diff --git a/policy/modules/contrib/resolvconf.fc
b/policy/modules/contrib/resolvconf.fc
new file mode 100644
index 0000000..a7c9eed
--- /dev/null
+++ b/policy/modules/contrib/resolvconf.fc
@@ -0,0 +1,6 @@
+
+/etc/resolvconf.conf --
gen_context(system_u:object_r:resolvconf_conf_t,s0)
+
+/lib/resolvconf(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+/sbin/resolvconf --
gen_context(system_u:object_r:resolvconf_exec_t,s0)
diff --git a/policy/modules/contrib/resolvconf.if
b/policy/modules/contrib/resolvconf.if
new file mode 100644
index 0000000..7a93eb6
--- /dev/null
+++ b/policy/modules/contrib/resolvconf.if
@@ -0,0 +1,102 @@
+## <summary>OpenResolv network configuration management</summary>
+
+#########################################
+## <summary>
+## Mark the domain as a resolvconf client, automatically granting
+## the necessary privileges (execute resolvconf and type access).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to mark as a resolvconf client
+## </summary>
+## </param>
+#
+interface(`resolvconf_client_domain',`
+ gen_require(`
+ attribute resolvconf_client;
+ ')
+
+ typeattribute $1 resolvconf_client;
+')
+
+#########################################
+## <summary>
+## Assign the proper permissions to the domain, such as
+## executing resolvconf and accessing its types.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to assign proper permissions to
+## </summary>
+## </param>
+#
+interface(`resolvconf_client_domain_privs',`
+ resolvconf_domtrans($1)
+ resolvconf_generic_run_filetrans_run($1, dir, "resolvconf")
+')
+
+#########################################
+## <summary>
+## Execute resolvconf and transition to the resolvconf_t domain
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition
+## </summary>
+## </param>
+#
+interface(`resolvconf_domtrans',`
+ gen_require(`
+ type resolvconf_t;
+ type resolvconf_exec_t;
+ ')
+
+ domtrans_pattern($1, resolvconf_exec_t, resolvconf_t)
+')
+
+#########################################
+## <summary>
+## Execute resolvconf in the calling domain (no transition)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to execute
+## </summary>
+## </param>
+#
+interface(`resolvconf_exec',`
+ gen_require(`
+ type resolvconf_exec_t;
+ ')
+
+ can_exec($1, resolvconf_exec_t)
+')
+
+#########################################
+## <summary>
+## Transition to resolvconf_run_t when creating resources
+## inside the generic run directory
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="class">
+## <summary>
+## Class on which a file transition has to occur
+## </summary>
+## </param>
+## <param name="filename" optional="true">
+## <summary>
+## Name of the resource on which a file transition has to occur
+## </summary>
+## </param>
+#
+interface(`resolvconf_generic_run_filetrans_run',`
+ gen_require(`
+ type resolvconf_var_run_t;
+ ')
+
+ files_pid_filetrans($1, resolvconf_var_run_t, $2, $3)
+')
diff --git a/policy/modules/contrib/resolvconf.te
b/policy/modules/contrib/resolvconf.te
new file mode 100644
index 0000000..7fbd00d
--- /dev/null
+++ b/policy/modules/contrib/resolvconf.te
@@ -0,0 +1,52 @@
+policy_module(resolvconf, 0.1)
+
+type resolvconf_t;
+type resolvconf_exec_t;
+domain_type(resolvconf_t)
+domain_entry_file(resolvconf_t, resolvconf_exec_t)
+role system_r types resolvconf_t;
+
+attribute resolvconf_client;
+
+type resolvconf_conf_t;
+files_config_file(resolvconf_conf_t)
+
+type resolvconf_var_run_t;
+files_pid_file(resolvconf_var_run_t)
+
+#########################################
+#
+# OpenResolv policy
+#
+
+allow resolvconf_t self:fifo_file manage_fifo_file_perms;
+allow resolvconf_t resolvconf_conf_t:file read_file_perms;
+
+manage_dirs_pattern(resolvconf_t, resolvconf_var_run_t, resolvconf_var_run_t)
+manage_files_pattern(resolvconf_t, resolvconf_var_run_t, resolvconf_var_run_t)
+
+corecmd_exec_bin(resolvconf_t)
+corecmd_exec_shell(resolvconf_t)
+
+files_pid_filetrans(resolvconf_t, resolvconf_var_run_t, { dir file })
+files_read_etc_files(resolvconf_t)
+
+sysnet_manage_config(resolvconf_t)
+
+optional_policy(`
+ init_domtrans_script(resolvconf_t)
+ init_read_script_status_files(resolvconf_t)
+ init_use_script_fds(resolvconf_t)
+ init_use_script_ptys(resolvconf_t)
+')
+
+optional_policy(`
+ term_dontaudit_use_console(resolvconf_t)
+')
+
+#########################################
+#
+# Resolvconf client policy
+#
+
+resolvconf_client_domain_privs(resolvconf_client)
