commit: bbcc0fa3e3162e0a012c7b740d3e549b10e3709c
Author: Christian Göttsche <cgzones <AT> googlemail <DOT> com>
AuthorDate: Thu Sep 14 11:46:04 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Sep 17 03:17:39 2017 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=bbcc0fa3
dphysswapfile: add interfaces and sysadm access
v2:
add swapfile file context
policy/modules/roles/sysadm.te | 4 +++
policy/modules/system/fstools.fc | 2 ++
policy/modules/system/fstools.if | 54 ++++++++++++++++++++++++++++++++++++++++
3 files changed, 60 insertions(+)
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index c7520fac..a6e7ba61 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -379,6 +379,10 @@ optional_policy(`
')
optional_policy(`
+ dphysswapfile_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
dpkg_run(sysadm_t, sysadm_r)
')
diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
index 71dad308..494d021e 100644
--- a/policy/modules/system/fstools.fc
+++ b/policy/modules/system/fstools.fc
@@ -106,6 +106,8 @@
/usr/sbin/zstreamdump --
gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/ztest --
gen_context(system_u:object_r:fsadm_exec_t,s0)
+/var/swap --
gen_context(system_u:object_r:swapfile_t,s0)
+
/var/log/fsck(/.*)? gen_context(system_u:object_r:fsadm_log_t,s0)
/run/blkid(/.*)? gen_context(system_u:object_r:fsadm_run_t,s0)
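Review bot: The new entry at L37 matches only the literal path `/var/swap`, so a swapfile kept at another location (the tool's swapfile path is configurable, as far as I know) would not receive swapfile_t and the new interfaces would not apply to it. File contexts are also only applied by a relabel (restorecon or a full relabel), so a file created by the tool itself is not covered by this entry at creation time unless a type transition exists elsewhere. The bare `+` blank line at L39 leaves the entry isolated between the fsadm_exec_t block and the `/var/log/fsck` entry; dropping it, or placing the entry next to the other `/var` paths if the file groups them, would match the rest of the file better.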
diff --git a/policy/modules/system/fstools.if b/policy/modules/system/fstools.if
index f04d843c..6ebe3800 100644
--- a/policy/modules/system/fstools.if
+++ b/policy/modules/system/fstools.if
@@ -209,3 +209,57 @@ interface(`fstools_getattr_swap_files',`
allow $1 swapfile_t:file getattr;
')
+
+########################################
+## <summary>
+## Ignore access to a swapfile.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`fstools_dontaudit_getattr_swap_files',`
+ gen_require(`
+ type swapfile_t;
+ ')
+
+ dontaudit $1 swapfile_t:file getattr;
+')
+
+########################################
+## <summary>
+## Relabel to swapfile.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fstools_relabelto_swap_files',`
+ gen_require(`
+ type swapfile_t;
+ ')
+
+ allow $1 swapfile_t:file relabelto;
+')
+
+########################################
+## <summary>
+## Manage swapfile.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fstools_manage_swap_files',`
+ gen_require(`
+ type swapfile_t;
+ ')
+
+ allow $1 swapfile_t:file manage_file_perms;
+')
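Review bot: The summary of `fstools_dontaudit_getattr_swap_files` at L51-L53 overstates what the interface does: the only rule is the dontaudit of getattr at L65, so `## Ignore access to a swapfile.` should read `## Do not audit attempts to get the attributes of a swapfile.` (the existing `fstools_getattr_swap_files` above the hunk is the model). Separately, `fstools_manage_swap_files` at L96-L102 grants manage_file_perms on swapfile_t but nothing in this commit declares a type transition, so a swapfile the calling domain creates would inherit its parent directory's type rather than swapfile_t until the `/var/swap` context from fstools.fc is applied by a relabel; if the caller is meant to create the file, a name-based transition (for example via `files_var_filetrans` in the calling module, or an additional fstools interface) is needed, which should be confirmed against the dphysswapfile module that is not part of this diff. Callers of the relabelto and manage interfaces also still need search access to the containing directory, which refpolicy leaves to the caller, so the single-rule style used here is consistent with the existing getattr interface.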