commit: 1c5eb0bbef55a47a0867916104065beb3f5e26f0
Author: cgzones <cgzones <AT> googlemail <DOT> com>
AuthorDate: Thu Jan 5 20:02:36 2017 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Jan 13 18:41:38 2017 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1c5eb0bb
add dphysswapfile module
dphysswapfile.fc | 5 +++++
dphysswapfile.if | 19 +++++++++++++++++++
dphysswapfile.te | 47 +++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 71 insertions(+)
diff --git a/dphysswapfile.fc b/dphysswapfile.fc
new file mode 100644
index 0000000..1b2bfcc
--- /dev/null
+++ b/dphysswapfile.fc
@@ -0,0 +1,5 @@
+/etc/dphys-swapfile --
gen_context(system_u:object_r:dphysswapfile_conf_t,s0)
+
+/sbin/dphys-swapfile --
gen_context(system_u:object_r:dphysswapfile_exec_t,s0)
+
+/var/swap --
gen_context(system_u:object_r:dphysswapfile_swap_t,s0)
diff --git a/dphysswapfile.if b/dphysswapfile.if
new file mode 100644
index 0000000..5372574
--- /dev/null
+++ b/dphysswapfile.if
@@ -0,0 +1,19 @@
+## <summary>Set up, mount/unmount, and delete an swap file.</summary>
+
+########################################
+## <summary>
+## Dontaudit acces to the swap file.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dphysswapfile_dontaudit_read_swap',`
+ gen_require(`
+ type dphysswapfile_swap_t;
+ ')
+
+ dontaudit $1 dphysswapfile_swap_t:file read_file_perms;
+')
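Review bot: The summary of `dphysswapfile_dontaudit_read_swap` says "Dontaudit acces to the swap file" while the rule only covers `read_file_perms`; the doc should match the rule, e.g. `## Do not audit attempts to read the swap file.` (this also fixes the "acces" typo). The module summary on the first line reads "delete an swap file" and should be `delete a swap file`. The interface file exposes no domtrans/run interface, so the only way into `dphysswapfile_t` is `init_system_domain` in the .te; if the script is also meant to be run by an administrator by hand, a `dphysswapfile_domtrans`/`dphysswapfile_run` pair in the usual refpolicy shape would be needed, but that is inferred from the .te rather than visible here.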
diff --git a/dphysswapfile.te b/dphysswapfile.te
new file mode 100644
index 0000000..1dabdb1
--- /dev/null
+++ b/dphysswapfile.te
@@ -0,0 +1,47 @@
+policy_module(dphysswapfile, 0.0.1)
+
+########################################
+#
+# Declarations
+#
+
+type dphysswapfile_t;
+type dphysswapfile_exec_t;
+init_system_domain(dphysswapfile_t, dphysswapfile_exec_t)
+
+type dphysswapfile_conf_t;
+files_config_file(dphysswapfile_conf_t)
+
+type dphysswapfile_swap_t;
+files_type(dphysswapfile_swap_t)
+
+########################################
+#
+# Policy
+#
+
+# sys_admin : for swapon
+allow dphysswapfile_t self:capability sys_admin;
+allow dphysswapfile_t self:fifo_file rw_fifo_file_perms;
+allow dphysswapfile_t self:unix_stream_socket { create connect };
+
+allow dphysswapfile_t dphysswapfile_conf_t:file read_file_perms;
+
+allow dphysswapfile_t dphysswapfile_exec_t:file execute_no_trans;
+
+allow dphysswapfile_t dphysswapfile_swap_t:file manage_file_perms;
+
+kernel_read_system_state(dphysswapfile_t)
+
+corecmd_exec_bin(dphysswapfile_t)
+corecmd_exec_shell(dphysswapfile_t)
+
+files_dontaudit_getattr_pid_dirs(dphysswapfile_t)
+files_read_etc_files(dphysswapfile_t)
+files_search_var(dphysswapfile_t)
+
+fstools_exec(dphysswapfile_t)
+
+miscfiles_read_localization(dphysswapfile_t)
+
+userdom_dontaudit_search_user_home_dirs(dphysswapfile_t)
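Review bot: Nothing in this hunk labels a freshly created `/var/swap` as `dphysswapfile_swap_t`: the domain gets `manage_file_perms` on that type and `files_search_var`, but without a file transition a swap file the script creates at runtime inherits the label of `/var`, so the later writes would be denied — or, if they are allowed through some other rule, the swap contents would sit under a generic var label rather than the dedicated type. Add `files_var_filetrans(dphysswapfile_t, dphysswapfile_swap_t, file, "swap")` next to the manage rule on line 89; the `/var/swap` entry in the .fc only applies at relabel time. The `# sys_admin : for swapon` comment on line 80 is narrower than the rule's use: `swapon`, `swapoff` and `mkswap` all run inside `dphysswapfile_t` itself because `fstools_exec` is an exec without transition, so `# sys_admin : for swapon/swapoff` describes it better (presumably the script also handles swapoff; confirm against the script). Because the swap file holds pages of arbitrary process memory, consider marking the type with `files_security_file(dphysswapfile_swap_t)` in addition to `files_type` so that attribute-based "read all non-security files" grants do not reach it — check that this interface exists in the refpolicy tree this is built against.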