selinux-lldpd: fix upstream notes

Alexander Miroshnichenko 2019-06-17 15:53:49 +03:00
parent cc38073a25
commit ce71f9d4f1
3 changed files with 35 additions and 159 deletions


@ -1,9 +1,9 @@
/etc/lldpd.conf -- gen_context(system_u:object_r:lldpd_etc_t,s0)
/etc/lldpd.d(/.*)? gen_context(system_u:object_r:lldpd_etc_t,s0)
/etc/lldpd.conf -- gen_context(system_u:object_r:lldpd_conf_t,s0)
/etc/lldpd.d(/.*)? gen_context(system_u:object_r:lldpd_conf_t,s0)
/usr/sbin/lldpd -- gen_context(system_u:object_r:lldpd_exec_t,s0)
/usr/sbin/lldpcli -- gen_context(system_u:object_r:lldp_cli_exec_t,s0)
/run/lldpd -d gen_context(system_u:object_r:lldpd_var_run_t,s0)
/run/lldpd(/.*)? gen_context(system_u:object_r:lldpd_var_run_t,s0)
/run/lldpd.pid -- gen_context(system_u:object_r:lldpd_var_run_t,s0)
/run/lldpd -d gen_context(system_u:object_r:lldpd_runtime_t,s0)
/run/lldpd(/.*)? gen_context(system_u:object_r:lldpd_runtime_t,s0)
/run/lldpd.pid -- gen_context(system_u:object_r:lldpd_runtime_t,s0)


@ -1,25 +1,6 @@
## <summary>policy for lldpd</summary>
########################################
## <summary>
## Execute lldpd_exec_t in the lldpd domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`lldpd_domtrans',`
gen_require(`
type lldpd_t, lldpd_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, lldpd_exec_t, lldpd_t)
')
########################################
## <summary>
## Execute a domain transition to run lldpcli.
@ -30,13 +11,12 @@ interface(`lldpd_domtrans',`
## </summary>
## </param>
#
interface(`lldp_cli_domtrans',`
interface(`lldp_domtrans_cli',`
gen_require(`
type lldp_cli_t, lldp_cli_exec_t;
')
corecmd_search_bin($1)
can_exec($1, lldp_cli_exec_t)
domtrans_pattern($1, lldp_cli_exec_t, lldp_cli_t)
')
@ -62,109 +42,10 @@ interface(`lldp_cli_run',`
type lldp_cli_t;
')
lldp_cli_domtrans($1)
lldp_domtrans_cli($1)
role $2 types lldp_cli_t;
')
######################################
## <summary>
## Execute lldpd in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`lldpd_exec',`
gen_require(`
type lldpd_exec_t;
')
corecmd_search_bin($1)
can_exec($1, lldpd_exec_t)
')
########################################
## <summary>
## Search lldpd conf directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`lldpd_search_conf',`
gen_require(`
type lldpd_etc_t;
')
allow $1 lldpd_etc_t:dir search_dir_perms;
files_search_etc($1)
')
########################################
## <summary>
## Read lldpd conf files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`lldpd_read_conf_files',`
gen_require(`
type lldpd_etc_t;
')
allow $1 lldpd_etc_t:dir list_dir_perms;
read_files_pattern($1, lldpd_etc_t, lldpd_etc_t)
files_search_etc($1)
')
########################################
## <summary>
## Manage lldpd conf files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`lldpd_manage_conf_files',`
gen_require(`
type lldpd_etc_t;
')
manage_files_pattern($1, lldpd_etc_t, lldpd_etc_t)
files_search_etc($1)
')
########################################
## <summary>
## Create, read, write, and delete
## lldpd PID files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`lldpd_manage_pid_files',`
gen_require(`
type lldpd_var_run_t;
')
files_search_pids($1)
manage_files_pattern($1, lldpd_var_run_t, lldpd_var_run_t)
manage_dirs_pattern($1, lldpd_var_run_t, lldpd_var_run_t)
')
########################################
## <summary>
## All of the rules required to administrate
@ -185,22 +66,18 @@ interface(`lldpd_manage_pid_files',`
interface(`lldp_admin',`
gen_require(`
type lldpd_t;
type lldpd_etc_t;
type lldpd_var_run_t;
type lldpd_conf_t;
type lldpd_runtime_t;
')
allow $1 lldpd_t:process { signal_perms };
ps_process_pattern($1, lldpd_t)
tunable_policy(`allow_ptrace',`
allow $1 lldpd_t:process ptrace;
')
files_search_etc($1)
admin_pattern($1, lldpd_etc_t)
admin_pattern($1, lldpd_conf_t)
files_search_pids($1)
admin_pattern($1, lldpd_var_run_t)
admin_pattern($1, lldpd_runtime_t)
lldp_cli_run($1, $2)
')
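Review bot: `lldp_domtrans_cli` grants both `can_exec($1, lldp_cli_exec_t)` and `domtrans_pattern($1, lldp_cli_exec_t, lldp_cli_t)`; the `execute_no_trans` permission carried by `can_exec` lets the caller run lldpcli inside its own domain, which undercuts the transition the interface exists to enforce, and `domtrans_pattern` already grants plain execute on `lldp_cli_exec_t`. Whether the `can_exec` line is old or new is not recoverable from the rendered page; if it survives on the new side it should be dropped so that only `corecmd_search_bin($1)` and `domtrans_pattern(...)` remain. The removed `lldpd_domtrans`, `lldpd_exec`, `lldpd_search_conf`, `lldpd_read_conf_files`, `lldpd_manage_conf_files` and `lldpd_manage_pid_files` interfaces, together with the rename of `lldp_cli_domtrans`, will fail to link in any other module that still calls them; this commit updates its own `.te` caller, but callers outside this package would need the same update.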


@ -14,37 +14,35 @@ type lldp_cli_exec_t;
init_system_domain(lldp_cli_t, lldp_cli_exec_t)
application_domain(lldp_cli_t, lldp_cli_exec_t)
type lldpd_etc_t;
files_config_file(lldpd_etc_t)
type lldpd_conf_t;
files_config_file(lldpd_conf_t)
type lldpd_var_run_t;
files_pid_file(lldpd_var_run_t)
init_daemon_pid_file(lldpd_var_run_t, dir, "lldpd")
typealias lldpd_var_run_t alias lldp_sock_t;
type lldpd_runtime_t;
files_pid_file(lldpd_runtime_t)
init_daemon_pid_file(lldpd_runtime_t, dir, "lldpd")
########################################
#
# lldpd local policy
#
allow lldpd_t self:capability { chown dac_override fowner fsetid kill net_admin net_raw setgid setuid sys_chroot };
allow lldpd_t self:capability { chown dac_read_search dac_override fowner fsetid kill net_admin net_raw setgid setuid sys_chroot };
allow lldpd_t self:process { fork signal_perms };
allow lldpd_t self:fifo_file rw_fifo_file_perms;
allow lldpd_t self:unix_stream_socket { accept listen };
allow lldpd_t lldp_sock_t:sock_file { create_sock_file_perms delete_sock_file_perms setattr };
allow lldpd_t self:unix_stream_socket create_stream_socket_perms;
allow lldpd_t self:packet_socket create_socket_perms;
lldp_cli_domtrans(lldpd_t)
lldp_domtrans_cli(lldpd_t)
kernel_read_net_sysctls(lldpd_t)
lldpd_read_conf_files(lldpd_t)
list_dirs_pattern(lldpd_t, lldpd_conf_t, lldpd_conf_t)
read_files_pattern(lldpd_t, lldpd_conf_t, lldpd_conf_t)
lldpd_manage_pid_files(lldpd_t)
manage_sock_files_pattern(lldpd_t, lldpd_var_run_t, lldpd_var_run_t)
manage_lnk_files_pattern(lldpd_t, lldpd_var_run_t, lldpd_var_run_t)
files_pid_filetrans(lldpd_t, lldpd_var_run_t, {file dir sock_file})
domain_use_interactive_fds(lldpd_t)
manage_dirs_pattern(lldpd_t, lldpd_runtime_t, lldpd_runtime_t)
manage_files_pattern(lldpd_t, lldpd_runtime_t, lldpd_runtime_t)
manage_sock_files_pattern(lldpd_t, lldpd_runtime_t, lldpd_runtime_t)
manage_lnk_files_pattern(lldpd_t, lldpd_runtime_t, lldpd_runtime_t)
files_pid_filetrans(lldpd_t, lldpd_runtime_t, {file dir sock_file})
files_read_etc_files(lldpd_t)
@ -63,10 +61,14 @@ allow lldp_cli_t self:unix_dgram_socket { connect create };
allow lldp_cli_t self:unix_stream_socket { connect create read write };
allow lldp_cli_t self:process signal;
allow lldp_cli_t lldpd_t:unix_stream_socket connectto;
allow lldp_cli_t lldpd_var_run_t:sock_file { read write };
allow lldp_cli_t lldpd_runtime_t:sock_file read_sock_file_perms;
stream_connect_pattern(lldp_cli_t, lldpd_runtime_t, lldpd_runtime_t, lldpd_t)
lldpd_read_conf_files(lldp_cli_t)
domain_use_interactive_fds(lldp_cli_t)
files_search_etc(lldp_cli_t)
list_dirs_pattern(lldp_cli_t, lldpd_conf_t, lldpd_conf_t)
read_files_pattern(lldp_cli_t, lldpd_conf_t, lldpd_conf_t)
logging_send_syslog_msg(lldp_cli_t)
@ -74,15 +76,12 @@ files_dontaudit_read_etc_files(lldp_cli_t)
miscfiles_read_localization(lldp_cli_t)
domain_use_interactive_fds(lldp_cli_t)
userdom_use_user_ptys(lldp_cli_t)
init_dontaudit_use_script_ptys(lldp_cli_t)
optional_policy(`
gen_require(`
type sysadm_t;
role sysadm_r;
role sysadm_r;
')
lldp_admin(sysadm_t, sysadm_r)
lldp_admin(sysadm_t, sysadm_r)
')
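Review bot: The renamed types `lldpd_conf_t` and `lldpd_runtime_t` are declared without aliases for the old `lldpd_etc_t` and `lldpd_var_run_t` names, and the `lldp_sock_t` alias is dropped, so once the new module loads, files on disk still carrying the old labels are treated as unlabeled until a relabel runs, and any other module that references the old type names fails to link. Adding `typealias lldpd_conf_t alias lldpd_etc_t;` and `typealias lldpd_runtime_t alias { lldpd_var_run_t lldp_sock_t };` next to the type declarations keeps existing contexts and external callers valid across the upgrade. Separately, `stream_connect_pattern(lldp_cli_t, lldpd_runtime_t, lldpd_runtime_t, lldpd_t)` already grants `connectto` on `lldpd_t:unix_stream_socket` and `write` on the socket file, so the retained `allow lldp_cli_t lldpd_t:unix_stream_socket connectto;` line is now redundant and can be removed.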