commit: d14a17d668122568037f0f2600b915c43403e7fc
Author: cgzones <cgzones <AT> googlemail <DOT> com>
AuthorDate: Fri Jun 9 13:41:00 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Jun 13 08:03:23 2017 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d14a17d6
arpwatch: update
v2:
- do not deprecate arpwatch_initrc_domtrans
policy/modules/contrib/arpwatch.fc | 4 ++--
policy/modules/contrib/arpwatch.if | 15 +++++++--------
policy/modules/contrib/arpwatch.te | 17 ++++++++++-------
3 files changed, 19 insertions(+), 17 deletions(-)
diff --git a/policy/modules/contrib/arpwatch.fc
b/policy/modules/contrib/arpwatch.fc
index 304f4622..9b0eadc8 100644
--- a/policy/modules/contrib/arpwatch.fc
+++ b/policy/modules/contrib/arpwatch.fc
@@ -1,6 +1,6 @@
/etc/rc\.d/init\.d/arpwatch --
gen_context(system_u:object_r:arpwatch_initrc_exec_t,s0)
-/usr/lib/systemd/system/arpwatch.*\.service --
gen_context(system_u:object_r:arpwatch_unit_t,s0)
+/usr/lib/systemd/system/arpwatch[^/]*\.service --
gen_context(system_u:object_r:arpwatch_unit_t,s0)
/usr/bin/arpwatch --
gen_context(system_u:object_r:arpwatch_exec_t,s0)
@@ -10,4 +10,4 @@
/var/lib/arpwatch(/.*)?
gen_context(system_u:object_r:arpwatch_data_t,s0)
-/run/arpwatch.*\.pid --
gen_context(system_u:object_r:arpwatch_var_run_t,s0)
+/run/arpwatch.*\.pid --
gen_context(system_u:object_r:arpwatch_pid_t,s0)
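Review bot: The pid-file pattern on the new line `/run/arpwatch.*\.pid` keeps an unrestricted `.*` while the unit-file pattern in the first hunk of this file was tightened to `[^/]*`; because `.*` also matches `/`, this entry would label a file such as `/run/arpwatch/anything.pid` as arpwatch_pid_t too. If the narrower intent is the same as for the service entry, `/run/arpwatch[^/]*\.pid --` would make the two entries consistent. The type change itself matches the alias introduced in arpwatch.te.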
diff --git a/policy/modules/contrib/arpwatch.if
b/policy/modules/contrib/arpwatch.if
index 76389b79..63e1b571 100644
--- a/policy/modules/contrib/arpwatch.if
+++ b/policy/modules/contrib/arpwatch.if
@@ -137,20 +137,19 @@ interface(`arpwatch_dontaudit_rw_packet_sockets',`
interface(`arpwatch_admin',`
gen_require(`
type arpwatch_t, arpwatch_tmp_t, arpwatch_initrc_exec_t;
- type arpwatch_data_t, arpwatch_var_run_t;
+ type arpwatch_data_t, arpwatch_pid_t, arpwatch_unit_t;
')
- allow $1 arpwatch_t:process { ptrace signal_perms };
- ps_process_pattern($1, arpwatch_t)
+ admin_process_pattern($1, arpwatch_t)
- init_startstop_service($1, $2, arpwatch_t, arpwatch_initrc_exec_t)
+ init_startstop_service($1, $2, arpwatch_t, arpwatch_initrc_exec_t,
arpwatch_unit_t)
- files_list_tmp($1)
+ files_search_tmp($1)
admin_pattern($1, arpwatch_tmp_t)
- files_list_var($1)
+ files_search_var_lib($1)
admin_pattern($1, arpwatch_data_t)
- files_list_pids($1)
- admin_pattern($1, arpwatch_var_run_t)
+ files_search_pids($1)
+ admin_pattern($1, arpwatch_pid_t)
')
diff --git a/policy/modules/contrib/arpwatch.te
b/policy/modules/contrib/arpwatch.te
index 935e8614..7bc0d9ce 100644
--- a/policy/modules/contrib/arpwatch.te
+++ b/policy/modules/contrib/arpwatch.te
@@ -21,21 +21,21 @@ files_tmp_file(arpwatch_tmp_t)
type arpwatch_unit_t;
init_unit_file(arpwatch_unit_t)
-type arpwatch_var_run_t;
-files_pid_file(arpwatch_var_run_t)
+type arpwatch_pid_t alias arpwatch_var_run_t;
+files_pid_file(arpwatch_pid_t)
########################################
#
# Local policy
#
-allow arpwatch_t self:capability { net_admin net_raw setgid setuid };
-dontaudit arpwatch_t self:capability sys_tty_config;
+allow arpwatch_t self:capability { dac_override net_admin net_raw setgid
setuid };
allow arpwatch_t self:process signal_perms;
allow arpwatch_t self:unix_stream_socket { accept listen };
allow arpwatch_t self:tcp_socket { accept listen };
allow arpwatch_t self:packet_socket create_socket_perms;
-allow arpwatch_t self:socket create_socket_perms;
+allow arpwatch_t self:socket { create ioctl };
+allow arpwatch_t self:netlink_netfilter_socket { create read write };
manage_dirs_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t)
manage_files_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t)
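Review bot: The capability line now grants `dac_override` to arpwatch_t without a comment saying which access requires it, whereas the other additions in this commit annotate the path that triggered them. dac_override bypasses discretionary file-permission checks for the whole domain, so a one-line why-comment such as `# dac_override: <access that needs it — fill in from the denial>` above the allow rule would let a later reviewer judge whether it is still needed or could be narrowed. The dropped `dontaudit ... sys_tty_config` means any such probe will now be logged; if that is intended, saying so would help. The same missing why-comment applies to the new `self:netlink_netfilter_socket { create read write }` rule.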
@@ -45,14 +45,17 @@ manage_dirs_pattern(arpwatch_t, arpwatch_tmp_t,
arpwatch_tmp_t)
manage_files_pattern(arpwatch_t, arpwatch_tmp_t, arpwatch_tmp_t)
files_tmp_filetrans(arpwatch_t, arpwatch_tmp_t, { file dir })
-manage_files_pattern(arpwatch_t, arpwatch_var_run_t, arpwatch_var_run_t)
-files_pid_filetrans(arpwatch_t, arpwatch_var_run_t, file)
+manage_files_pattern(arpwatch_t, arpwatch_pid_t, arpwatch_pid_t)
+files_pid_filetrans(arpwatch_t, arpwatch_pid_t, file)
kernel_read_kernel_sysctls(arpwatch_t)
kernel_read_network_state(arpwatch_t)
kernel_read_system_state(arpwatch_t)
kernel_request_load_module(arpwatch_t)
+# /sys/kernel/debug/usb/usbmon/\d+t
+kernel_dontaudit_search_debugfs(arpwatch_t)
+# /sys/class/net
dev_read_sysfs(arpwatch_t)
dev_read_usbmon_dev(arpwatch_t)
dev_rw_generic_usb_dev(arpwatch_t)
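Review bot: The comment `# /sys/kernel/debug/usb/usbmon/\d+t` names the path behind the new `kernel_dontaudit_search_debugfs(arpwatch_t)` but not why the search is silenced rather than allowed; with `dev_read_usbmon_dev` granted just below, a reader cannot tell whether the debugfs probe is a harmless fallback or a missing permission. If it is the former, expanding the comment to something like `# harmless probe of /sys/kernel/debug/usb/usbmon/\d+t; usbmon is reached via the device node` would record that decision. The enclosing policy block continues past the end of this hunk.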