From: pebenito@ieee.org (Chris PeBenito)
Date: Mon, 12 Jun 2017 18:38:59 -0400
Subject: [refpolicy] [PATCH] arpwatch: update
In-Reply-To: <20170609134100.8999-1-cgzones@googlemail.com>
References: <20170609134100.8999-1-cgzones@googlemail.com>
Message-ID: <30097d35-49bc-14ca-e98c-85ef55c53ae2@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 06/09/2017 09:41 AM, Christian G?ttsche via refpolicy wrote:
> From: cgzones
>
> v2:
> - do not deprecate arpwatch_initrc_domtrans
> ---
> arpwatch.fc | 4 ++--
> arpwatch.if | 15 +++++++--------
> arpwatch.te | 17 ++++++++++-------
> 3 files changed, 19 insertions(+), 17 deletions(-)
>
> diff --git a/arpwatch.fc b/arpwatch.fc
> index 304f4622..9b0eadc8 100644
> --- a/arpwatch.fc
> +++ b/arpwatch.fc
> @@ -1,6 +1,6 @@
> /etc/rc\.d/init\.d/arpwatch -- gen_context(system_u:object_r:arpwatch_initrc_exec_t,s0)
>
> -/usr/lib/systemd/system/arpwatch.*\.service -- gen_context(system_u:object_r:arpwatch_unit_t,s0)
> +/usr/lib/systemd/system/arpwatch[^/]*\.service -- gen_context(system_u:object_r:arpwatch_unit_t,s0)
>
> /usr/bin/arpwatch -- gen_context(system_u:object_r:arpwatch_exec_t,s0)
>
> @@ -10,4 +10,4 @@
>
> /var/lib/arpwatch(/.*)? gen_context(system_u:object_r:arpwatch_data_t,s0)
>
> -/run/arpwatch.*\.pid -- gen_context(system_u:object_r:arpwatch_var_run_t,s0)
> +/run/arpwatch.*\.pid -- gen_context(system_u:object_r:arpwatch_pid_t,s0)
> diff --git a/arpwatch.if b/arpwatch.if
> index 76389b79..63e1b571 100644
> --- a/arpwatch.if
> +++ b/arpwatch.if
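Review bot: The pid pattern in the second hunk, `/run/arpwatch.*\.pid`, keeps `.*` while the unit-file pattern in the first hunk was tightened to `[^/]*` so it can no longer match across a directory separator; this hunk only renames the type and leaves the same weakness in place. Because file_contexts patterns are anchored, `.*` here also matches a pid file under a subdirectory such as /run/arpwatch/sub/x.pid, which is not what the `--` file-only rule suggests is intended. The consistent line would be `/run/arpwatch[^/]*\.pid -- gen_context(system_u:object_r:arpwatch_pid_t,s0)`.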
> @@ -137,20 +137,19 @@ interface(`arpwatch_dontaudit_rw_packet_sockets',`
> interface(`arpwatch_admin',`
> gen_require(`
> type arpwatch_t, arpwatch_tmp_t, arpwatch_initrc_exec_t;
> - type arpwatch_data_t, arpwatch_var_run_t;
> + type arpwatch_data_t, arpwatch_pid_t, arpwatch_unit_t;
> ')
>
> - allow $1 arpwatch_t:process { ptrace signal_perms };
> - ps_process_pattern($1, arpwatch_t)
> + admin_process_pattern($1, arpwatch_t)
>
> - init_startstop_service($1, $2, arpwatch_t, arpwatch_initrc_exec_t)
> + init_startstop_service($1, $2, arpwatch_t, arpwatch_initrc_exec_t, arpwatch_unit_t)
>
> - files_list_tmp($1)
> + files_search_tmp($1)
> admin_pattern($1, arpwatch_tmp_t)
>
> - files_list_var($1)
> + files_search_var_lib($1)
> admin_pattern($1, arpwatch_data_t)
>
> - files_list_pids($1)
> - admin_pattern($1, arpwatch_var_run_t)
> + files_search_pids($1)
> + admin_pattern($1, arpwatch_pid_t)
> ')
> diff --git a/arpwatch.te b/arpwatch.te
> index 935e8614..7bc0d9ce 100644
> --- a/arpwatch.te
> +++ b/arpwatch.te
> @@ -21,21 +21,21 @@ files_tmp_file(arpwatch_tmp_t)
> type arpwatch_unit_t;
> init_unit_file(arpwatch_unit_t)
>
> -type arpwatch_var_run_t;
> -files_pid_file(arpwatch_var_run_t)
> +type arpwatch_pid_t alias arpwatch_var_run_t;
> +files_pid_file(arpwatch_pid_t)
>
> ########################################
> #
> # Local policy
> #
>
> -allow arpwatch_t self:capability { net_admin net_raw setgid setuid };
> -dontaudit arpwatch_t self:capability sys_tty_config;
> +allow arpwatch_t self:capability { dac_override net_admin net_raw setgid setuid };
> allow arpwatch_t self:process signal_perms;
> allow arpwatch_t self:unix_stream_socket { accept listen };
> allow arpwatch_t self:tcp_socket { accept listen };
> allow arpwatch_t self:packet_socket create_socket_perms;
> -allow arpwatch_t self:socket create_socket_perms;
> +allow arpwatch_t self:socket { create ioctl };
> +allow arpwatch_t self:netlink_netfilter_socket { create read write };
>
> manage_dirs_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t)
> manage_files_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t)
> @@ -45,14 +45,17 @@ manage_dirs_pattern(arpwatch_t, arpwatch_tmp_t, arpwatch_tmp_t)
> manage_files_pattern(arpwatch_t, arpwatch_tmp_t, arpwatch_tmp_t)
> files_tmp_filetrans(arpwatch_t, arpwatch_tmp_t, { file dir })
>
> -manage_files_pattern(arpwatch_t, arpwatch_var_run_t, arpwatch_var_run_t)
> -files_pid_filetrans(arpwatch_t, arpwatch_var_run_t, file)
> +manage_files_pattern(arpwatch_t, arpwatch_pid_t, arpwatch_pid_t)
> +files_pid_filetrans(arpwatch_t, arpwatch_pid_t, file)
>
> kernel_read_kernel_sysctls(arpwatch_t)
> kernel_read_network_state(arpwatch_t)
> kernel_read_system_state(arpwatch_t)
> kernel_request_load_module(arpwatch_t)
> +# /sys/kernel/debug/usb/usbmon/\d+t
> +kernel_dontaudit_search_debugfs(arpwatch_t)
>
> +# /sys/class/net
> dev_read_sysfs(arpwatch_t)
> dev_read_usbmon_dev(arpwatch_t)
> dev_rw_generic_usb_dev(arpwatch_t)

Merged.

--
Chris PeBenito
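Review bot: `dac_override` is added to the arpwatch_t self:capability set in the first arpwatch.te hunk without any comment saying which access triggers it, even though the new rules in the second hunk each carry a path comment. dac_override lets the daemon bypass every DAC permission check on the system, so if the underlying denial is arpwatch dropping to its own uid (it already holds setuid/setgid) and then touching a root-owned file under /var/lib/arpwatch or /run, correcting ownership in the packaging is the smaller change and the capability can be left out; if the capability really is needed, record the trigger above the line, e.g. `# dac_override: <path that triggers it -- TODO fill in>`. The new `allow arpwatch_t self:netlink_netfilter_socket { create read write };` line would benefit from the same kind of note. The local policy section of arpwatch.te continues outside both hunks.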