commit:     cba6dc0028608f027f7e02ab1d4df155632a7a46
Author:     Dominick Grift <dac.override <AT> gmail <DOT> com>
AuthorDate: Tue Jan 27 20:17:58 2015 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Jan 29 20:51:08 2015 +0000
URL:        
http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=cba6dc00

Various samhain fixes

connects to smtp port
resolves smtp dns name
missing samhain_domain attribute
reads random device
samhain_domains use unnamed pipes for internal comms
clarify why some rules are commented out for now in samhain_admin()
remove samhain_run() from samhain_admin()
samhain needs to be able to maintain directories in /var/lib

Signed-off-by: Dominick Grift <dac.override <AT> gmail.com>

---
 policy/modules/contrib/samhain.if |  8 +++-----
 policy/modules/contrib/samhain.te | 12 ++++++++++--
 2 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/policy/modules/contrib/samhain.if 
b/policy/modules/contrib/samhain.if
index f0236d6..b1ebcee 100644
--- a/policy/modules/contrib/samhain.if
+++ b/policy/modules/contrib/samhain.if
@@ -16,7 +16,7 @@ template(`samhain_service_template',`
                type samhain_exec_t;
        ')
 
-       type $1_t;
+       type $1_t, samhain_domain;
        domain_type($1_t)
        domain_entry_file($1_t, samhain_exec_t)
 
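Review bot: The attribute added on `type $1_t, samhain_domain;` must also be declared in the template's gen_require block, which is cut off at the top of this hunk (only `type samhain_exec_t;` and the closing `')` are visible); if `attribute samhain_domain;` is not already listed there, the template will fail to expand in any module that calls it. If it is missing, add `attribute samhain_domain;` beside `type samhain_exec_t;`. Worth a comment in the template as well, since every domain created through it now inherits all samhain_domain rules from samhain.te (the dac_override/dac_read_search/fowner/ipc_lock capabilities among them), which is more than a bare domain_type; something like `# $1_t inherits all samhain_domain rules from samhain.te`. The template body continues outside the hunk.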
@@ -213,14 +213,14 @@ interface(`samhain_manage_pid_files',`
 interface(`samhain_admin',`
        gen_require(`
                attribute samhain_domain;
-               type samhain_t, samhaind_t, samhain_db_t, samhain_etc_t;
+               type samhain_db_t, samhain_etc_t;
                type samhain_initrc_exec_t, samhain_log_t, samhain_var_run_t;
        ')
 
        allow $1 samhain_domain:process { ptrace signal_perms };
        ps_process_pattern($1, samhain_domain)
 
-       # pending
+       # duplicate role transition: remove samhain_admin(sysadm_t, sysadm_r) 
first
        # init_labeled_script_domtrans($1, samhain_initrc_exec_t)
        # domain_system_change_exemption($1)
        # role_transition $2 samhain_initrc_exec_t system_r;
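Review bot: The new comment names the fix but not where the conflict lives: `remove samhain_admin(sysadm_t, sysadm_r) first` points at a caller outside this module, and a maintainer reading samhain.if cannot tell which file holds the competing role_transition to system_r or why it collides with `role_transition $2 samhain_initrc_exec_t system_r`. I would make it traceable, e.g. `# pending: the role_transition below duplicates one already granted where samhain_admin(sysadm_t, sysadm_r) is called; drop that call first, then re-enable these three lines`. It is also worth noting in the interface description that while these lines stay commented out, $2 is unused and the caller gets ptrace/signal_perms over every samhain_domain (line 50) and admin_pattern over samhain_var_run_t, but cannot start or stop the service through samhain_initrc_exec_t, which is presumably the opposite of what an admin role is meant to get. The interface body continues past this hunk.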
@@ -237,6 +237,4 @@ interface(`samhain_admin',`
 
        files_list_pids($1)
        admin_pattern($1, samhain_var_run_t)
-
-       # samhain_run($1, $2)
 ')

diff --git a/policy/modules/contrib/samhain.te 
b/policy/modules/contrib/samhain.te
index c41ce4b..3ed8e45 100644
--- a/policy/modules/contrib/samhain.te
+++ b/policy/modules/contrib/samhain.te
@@ -1,4 +1,4 @@
-policy_module(samhain, 1.2.0)
+policy_module(samhain, 1.2.1)
 
 ########################################
 #
@@ -50,8 +50,9 @@ ifdef(`enable_mls',`
 
 allow samhain_domain self:capability { dac_override dac_read_search fowner 
ipc_lock };
 dontaudit samhain_domain self:capability { sys_resource sys_ptrace };
-allow samhain_domain self:fd use;
 allow samhain_domain self:process { setsched setrlimit signull };
+allow samhain_domain self:fd use;
+allow samhain_domain self:fifo_file rw_fifo_file_perms;
 
 allow samhain_domain samhain_etc_t:file read_file_perms;
 
@@ -96,6 +97,7 @@ logging_send_syslog_msg(samhain_domain)
 #
 
 manage_files_pattern(samhain_t, samhain_db_t, samhain_db_t)
+manage_dirs_pattern(samhain_t, samhain_db_t, samhain_db_t)
 files_var_lib_filetrans(samhain_t, samhain_db_t, { file dir })
 
 domain_use_interactive_fds(samhain_t)
@@ -115,4 +117,10 @@ can_exec(samhaind_t, samhain_exec_t)
 
 read_files_pattern(samhaind_t, samhain_db_t, samhain_db_t)
 
+corenet_tcp_connect_smtp_port(samhaind_t)
+
+dev_read_rand(samhaind_t)
+
 init_use_script_ptys(samhaind_t)
+
+sysnet_dns_name_resolve(samhaind_t)
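Review bot: `corenet_tcp_connect_smtp_port(samhaind_t)` together with `sysnet_dns_name_resolve(samhaind_t)` gives the integrity daemon unconditional outbound network access, yet mail reporting is an optional samhain feature; the usual refpolicy shape for optional network use is a boolean so hosts that only log locally keep a domain with no outbound connect rights. I would also confirm that the rules the connect depends on (self:tcp_socket create_socket_perms, corenet sendrecv/node rules) already exist in the part of samhain.te not shown in this diff; the connect rule on its own does not grant them, and nothing here adds them. `dev_read_rand(samhaind_t)` is fine as is. The proposed change is more than three lines, so it is sketched below; the gen_tunable belongs in the declarations section near the top of the .te.

```m4
## <desc>
## <p>
## Allow samhain to send reports by mail (connect to SMTP servers
## and resolve their host names).
## </p>
## </desc>
gen_tunable(samhain_send_mail, false)

# … unchanged: rest of samhaind_t local policy, dev_read_rand, init_use_script_ptys …

tunable_policy(`samhain_send_mail',`
	corenet_tcp_connect_smtp_port(samhaind_t)
	sysnet_dns_name_resolve(samhaind_t)
')
```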
