From: cgzones@googlemail.com (=?UTF-8?q?Christian=20G=C3=B6ttsche?=)
Date: Fri, 9 Jun 2017 15:41:00 +0200
Subject: [refpolicy] [PATCH] arpwatch: update
Message-ID: <20170609134100.8999-1-cgzones@googlemail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
From: cgzones
v2:
- do not deprecate arpwatch_initrc_domtrans
---
 arpwatch.fc | 4 ++--
 arpwatch.if | 15 +++++++--------
 arpwatch.te | 17 ++++++++++-------
 3 files changed, 19 insertions(+), 17 deletions(-)
diff --git a/arpwatch.fc b/arpwatch.fc
index 304f4622..9b0eadc8 100644
--- a/arpwatch.fc
+++ b/arpwatch.fc
@@ -1,6 +1,6 @@
 /etc/rc\.d/init\.d/arpwatch -- gen_context(system_u:object_r:arpwatch_initrc_exec_t,s0)
-/usr/lib/systemd/system/arpwatch.*\.service -- gen_context(system_u:object_r:arpwatch_unit_t,s0)
+/usr/lib/systemd/system/arpwatch[^/]*\.service -- gen_context(system_u:object_r:arpwatch_unit_t,s0)
 /usr/bin/arpwatch -- gen_context(system_u:object_r:arpwatch_exec_t,s0)
@@ -10,4 +10,4 @@
 /var/lib/arpwatch(/.*)? gen_context(system_u:object_r:arpwatch_data_t,s0)
-/run/arpwatch.*\.pid -- gen_context(system_u:object_r:arpwatch_var_run_t,s0)
+/run/arpwatch.*\.pid -- gen_context(system_u:object_r:arpwatch_pid_t,s0)
diff --git a/arpwatch.if b/arpwatch.if
index 76389b79..63e1b571 100644
--- a/arpwatch.if
+++ b/arpwatch.if
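Review bot: The second fc hunk keeps the unanchored `.*` in `/run/arpwatch.*\.pid` while the first hunk tightens the unit-file pattern from `arpwatch.*\.service` to `arpwatch[^/]*\.service`; `.*` also matches `/`, so a `.pid` file under any directory whose name starts with `arpwatch` would be labelled `arpwatch_pid_t` as well. For the same reason the patch gives for the unit file, the pid pattern should be `/run/arpwatch[^/]*\.pid -- gen_context(system_u:object_r:arpwatch_pid_t,s0)`. The `/var/lib/arpwatch(/.*)?` context line above it already uses the properly anchored form, so only the pid entry is inconsistent.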
@@ -137,20 +137,19 @@ interface(`arpwatch_dontaudit_rw_packet_sockets',`
 interface(`arpwatch_admin',`
 gen_require(`
 type arpwatch_t, arpwatch_tmp_t, arpwatch_initrc_exec_t;
- type arpwatch_data_t, arpwatch_var_run_t;
+ type arpwatch_data_t, arpwatch_pid_t, arpwatch_unit_t;
 ')
- allow $1 arpwatch_t:process { ptrace signal_perms };
- ps_process_pattern($1, arpwatch_t)
+ admin_process_pattern($1, arpwatch_t)
- init_startstop_service($1, $2, arpwatch_t, arpwatch_initrc_exec_t)
+ init_startstop_service($1, $2, arpwatch_t, arpwatch_initrc_exec_t, arpwatch_unit_t)
- files_list_tmp($1)
+ files_search_tmp($1)
 admin_pattern($1, arpwatch_tmp_t)
- files_list_var($1)
+ files_search_var_lib($1)
 admin_pattern($1, arpwatch_data_t)
- files_list_pids($1)
- admin_pattern($1, arpwatch_var_run_t)
+ files_search_pids($1)
+ admin_pattern($1, arpwatch_pid_t)
 ')
diff --git a/arpwatch.te b/arpwatch.te
index 935e8614..7bc0d9ce 100644
--- a/arpwatch.te
+++ b/arpwatch.te
@@ -21,21 +21,21 @@ files_tmp_file(arpwatch_tmp_t)
 type arpwatch_unit_t;
 init_unit_file(arpwatch_unit_t)
-type arpwatch_var_run_t;
-files_pid_file(arpwatch_var_run_t)
+type arpwatch_pid_t alias arpwatch_var_run_t;
+files_pid_file(arpwatch_pid_t)
 ########################################
 #
 # Local policy
 #
-allow arpwatch_t self:capability { net_admin net_raw setgid setuid };
-dontaudit arpwatch_t self:capability sys_tty_config;
+allow arpwatch_t self:capability { dac_override net_admin net_raw setgid setuid };
 allow arpwatch_t self:process signal_perms;
 allow arpwatch_t self:unix_stream_socket { accept listen };
 allow arpwatch_t self:tcp_socket { accept listen };
 allow arpwatch_t self:packet_socket create_socket_perms;
-allow arpwatch_t self:socket create_socket_perms;
+allow arpwatch_t self:socket { create ioctl };
+allow arpwatch_t self:netlink_netfilter_socket { create read write };
 manage_dirs_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t)
 manage_files_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t)
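Review bot: The new `allow arpwatch_t self:capability { dac_override net_admin net_raw setgid setuid };` in the first arpwatch.te hunk adds `dac_override` without any comment or commit-message text saying which access triggered it, and that capability lets the domain bypass DAC permission checks on every file its type-enforcement rules already reach. If the denial comes from arpwatch running unprivileged (e.g. started with `-u <user>`) against root-owned files under `/var/lib/arpwatch`, fixing the ownership is the least-privilege fix, and if the access is read-only, `dac_read_search` would suffice; neither can be confirmed from the patch. At minimum, record the trigger next to the rule, e.g. `# dac_override: arpwatch drops privileges with -u but <file> is root-owned` with the real path filled in from the AVC. The same hunk also silently drops `dontaudit arpwatch_t self:capability sys_tty_config;`, which is worth a line in the commit message so the removal is not mistaken for an oversight.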
@@ -45,14 +45,17 @@ manage_dirs_pattern(arpwatch_t, arpwatch_tmp_t, arpwatch_tmp_t)
 manage_files_pattern(arpwatch_t, arpwatch_tmp_t, arpwatch_tmp_t)
 files_tmp_filetrans(arpwatch_t, arpwatch_tmp_t, { file dir })
-manage_files_pattern(arpwatch_t, arpwatch_var_run_t, arpwatch_var_run_t)
-files_pid_filetrans(arpwatch_t, arpwatch_var_run_t, file)
+manage_files_pattern(arpwatch_t, arpwatch_pid_t, arpwatch_pid_t)
+files_pid_filetrans(arpwatch_t, arpwatch_pid_t, file)
 kernel_read_kernel_sysctls(arpwatch_t)
 kernel_read_network_state(arpwatch_t)
 kernel_read_system_state(arpwatch_t)
 kernel_request_load_module(arpwatch_t)
+# /sys/kernel/debug/usb/usbmon/\d+t
+kernel_dontaudit_search_debugfs(arpwatch_t)
+# /sys/class/net
 dev_read_sysfs(arpwatch_t)
 dev_read_usbmon_dev(arpwatch_t)
 dev_rw_generic_usb_dev(arpwatch_t)
--
2.11.0
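Review bot: The added comment `# /sys/kernel/debug/usb/usbmon/\d+t` above `kernel_dontaudit_search_debugfs(arpwatch_t)` names the path but not why the access is silenced rather than allowed, which matters because the context lines right below (`dev_read_usbmon_dev`, `dev_rw_generic_usb_dev`) show the domain is otherwise permitted to touch usbmon. Presumably this is the capture library enumerating candidate interfaces at startup and arpwatch is not expected to capture USB, but a reader cannot tell that from the hunk, and a dontaudit means that if arpwatch is ever pointed at a usbmon interface the failure will produce no AVC to diagnose. Suggest replacing the comment with `# device enumeration probes usbmon under debugfs; not needed for ARP capture, so silence rather than allow` (adjusting the reason to whatever the AVC actually showed).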