commit: ebeb0c3b30617f92a5e1ad7c4cfd5fab328c8673 Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> AuthorDate: Sun Feb 1 19:55:45 2015 +0000 Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org> CommitDate: Sun Feb 8 14:31:47 2015 +0000 URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=ebeb0c3b
Add interfaces for Gentoo's security model On https://wiki.gentoo.org/wiki/Project:SELinux/Development_policy the basic security model that we want to support is documented. To make support for this security model more applicable, we provide the necessary interfaces for domains to (optionally or not) call. See also http://thread.gmane.org/gmane.linux.gentoo.hardened/6292
---
policy/modules/contrib/gentoo.if | 131 +++++++++++++++++++++++++++++++++++++++
1 file changed, 131 insertions(+)
diff --git a/policy/modules/contrib/gentoo.if b/policy/modules/contrib/gentoo.if
new file mode 100644
index 0000000..db543a6
--- /dev/null
+++ b/policy/modules/contrib/gentoo.if
@@ -0,0 +1,131 @@
+## <summary>Gentoo specific interfaces for improving SELinux management</summary>
+
+#########################################
+## <summary>
+## Monitor the system
+## </summary>
+## <desc>
+## <p>
+## The system monitor privilege set allows for a system domain to read various
+## file types, system state (like sysctl values), process states, etc. It is
+## a read-only set of privileges.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+#
+interface(`gentoo_secmodel_monitor_system',`
+
+')
+
+#########################################
+## <summary>
+## Administer services
+## </summary>
+## <desc>
+## <p>
+## The service administrator privilege set allows for a system domain to manage
+## the state of services as well as perform administrative commands against
+## those services (in other words, grant the _admin() interfaces of various
+## services).
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+#
+interface(`gentoo_secmodel_manage_services',`
+
+')
+
+#########################################
+## <summary>
+## Administer software
+## </summary>
+## <desc>
+## <p>
+## The software administrator privilege set allows for a system domain to manage
+## various file types (but not, or only in a very controlled manner, security
+## sensitive files).
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+#
+interface(`gentoo_secmodel_manage_software',`
+
+')
+
+#########################################
+## <summary>
+## Administer system state
+## </summary>
+## <desc>
+## <p>
+## The system state administrator privilege set allows for system state
+## handling, including sysctl values, network configuration settings, etc.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+#
+interface(`gentoo_secmodel_manage_system_state',`
+
+')
+
+#########################################
+## <summary>
+## Administer system security
+## </summary>
+## <desc>
+## <p>
+## The security administrator privilege set allows for security-sensitive types
+## to be managed, including SELinux policy.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+#
+interface(`gentoo_secmodel_manage_system_security',`
+
+')
+
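Review bot: All five interface bodies (`gentoo_secmodel_monitor_system` through `gentoo_secmodel_manage_system_security`) are empty, so a calling domain is granted nothing today while the header comments describe each privilege set as if it were already in effect. Rules added here later will widen access for every existing caller without any change on the caller's side, so say that in each body, e.g. `# Placeholder: no rules yet; rules added here apply to every caller.`, and consider tagging the role-taking interfaces with `## <rolecap/>` as the refpolicy `_admin()` interfaces do. The `role` parameter is documented on every interface but nothing in the hunk uses `$2`; either state what it will be used for or leave it out of the docs until it is. The `gentoo_secmodel_manage_software` description ("but not, or only in a very controlled manner, security sensitive files") should name the excluded types once rules exist, since that sentence is the only stated boundary between the software and security administrator sets.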
