2017-06-08 17:16:24

by Christian Göttsche

Subject: [refpolicy] [PATCH 1/2] arpwatch: align file contexts

From: cgzones <[email protected]>

---
arpwatch.fc | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/arpwatch.fc b/arpwatch.fc
index b439c10c..304f4622 100644
--- a/arpwatch.fc
+++ b/arpwatch.fc
@@ -1,13 +1,13 @@
-/etc/rc\.d/init\.d/arpwatch -- gen_context(system_u:object_r:arpwatch_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/arpwatch -- gen_context(system_u:object_r:arpwatch_initrc_exec_t,s0)

-/usr/lib/systemd/system/arpwatch.*\.service -- gen_context(system_u:object_r:arpwatch_unit_t,s0)
+/usr/lib/systemd/system/arpwatch.*\.service -- gen_context(system_u:object_r:arpwatch_unit_t,s0)

-/usr/bin/arpwatch -- gen_context(system_u:object_r:arpwatch_exec_t,s0)
+/usr/bin/arpwatch -- gen_context(system_u:object_r:arpwatch_exec_t,s0)

-/usr/sbin/arpwatch -- gen_context(system_u:object_r:arpwatch_exec_t,s0)
+/usr/sbin/arpwatch -- gen_context(system_u:object_r:arpwatch_exec_t,s0)

-/var/arpwatch(/.*)? gen_context(system_u:object_r:arpwatch_data_t,s0)
+/var/arpwatch(/.*)? gen_context(system_u:object_r:arpwatch_data_t,s0)

-/var/lib/arpwatch(/.*)? gen_context(system_u:object_r:arpwatch_data_t,s0)
+/var/lib/arpwatch(/.*)? gen_context(system_u:object_r:arpwatch_data_t,s0)

-/run/arpwatch.*\.pid -- gen_context(system_u:object_r:arpwatch_var_run_t,s0)
+/run/arpwatch.*\.pid -- gen_context(system_u:object_r:arpwatch_var_run_t,s0)
--
2.11.0


2017-06-08 17:16:25

by Christian Göttsche

Subject: [refpolicy] [PATCH 2/2] arpwatch: update

From: cgzones <[email protected]>

---
arpwatch.fc | 4 ++--
arpwatch.if | 17 +++++++++--------
arpwatch.te | 17 ++++++++++-------
3 files changed, 21 insertions(+), 17 deletions(-)

diff --git a/arpwatch.fc b/arpwatch.fc
index 304f4622..9b0eadc8 100644
--- a/arpwatch.fc
+++ b/arpwatch.fc
@@ -1,6 +1,6 @@
/etc/rc\.d/init\.d/arpwatch -- gen_context(system_u:object_r:arpwatch_initrc_exec_t,s0)

-/usr/lib/systemd/system/arpwatch.*\.service -- gen_context(system_u:object_r:arpwatch_unit_t,s0)
+/usr/lib/systemd/system/arpwatch[^/]*\.service -- gen_context(system_u:object_r:arpwatch_unit_t,s0)

/usr/bin/arpwatch -- gen_context(system_u:object_r:arpwatch_exec_t,s0)

@@ -10,4 +10,4 @@

/var/lib/arpwatch(/.*)? gen_context(system_u:object_r:arpwatch_data_t,s0)

-/run/arpwatch.*\.pid -- gen_context(system_u:object_r:arpwatch_var_run_t,s0)
+/run/arpwatch.*\.pid -- gen_context(system_u:object_r:arpwatch_pid_t,s0)
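Review bot: The pid-file pattern on the new line keeps `.*`, which also matches `/`, so it would label a `*.pid` file under any subdirectory of /run whose name starts with `arpwatch`; the first hunk tightened the unit-file pattern to `[^/]*`, presumably to avoid exactly that, and the two lines now disagree. For consistency the line should read `/run/arpwatch[^/]*\.pid -- gen_context(system_u:object_r:arpwatch_pid_t,s0)`. The type rename itself is fine given the `alias arpwatch_var_run_t` kept in arpwatch.te.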
diff --git a/arpwatch.if b/arpwatch.if
index 76389b79..e8127128 100644
--- a/arpwatch.if
+++ b/arpwatch.if
@@ -12,6 +12,8 @@
## </param>
#
interface(`arpwatch_initrc_domtrans',`
+ refpolicywarn(`$0($*) has been deprecated.')
+
gen_require(`
type arpwatch_initrc_exec_t;
')
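Review bot: The deprecation is only signalled at macro-expansion time through `refpolicywarn`; the XML doc block above the interface (only its `## </param>` close is visible in this hunk) is not updated, so generated interface documentation will keep presenting `arpwatch_initrc_domtrans` as current. If the deprecation stays, add a sentence to the `## <summary>` or `## <desc>` stating that the interface is deprecated and naming the replacement callers should use (this patch's own `arpwatch_admin` changes move to `init_startstop_service`). The interface body continues past the end of the hunk.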
@@ -137,20 +139,19 @@ interface(`arpwatch_dontaudit_rw_packet_sockets',`
interface(`arpwatch_admin',`
gen_require(`
type arpwatch_t, arpwatch_tmp_t, arpwatch_initrc_exec_t;
- type arpwatch_data_t, arpwatch_var_run_t;
+ type arpwatch_data_t, arpwatch_pid_t, arpwatch_unit_t;
')

- allow $1 arpwatch_t:process { ptrace signal_perms };
- ps_process_pattern($1, arpwatch_t)
+ admin_process_pattern($1, arpwatch_t)

- init_startstop_service($1, $2, arpwatch_t, arpwatch_initrc_exec_t)
+ init_startstop_service($1, $2, arpwatch_t, arpwatch_initrc_exec_t, arpwatch_unit_t)

- files_list_tmp($1)
+ files_search_tmp($1)
admin_pattern($1, arpwatch_tmp_t)

- files_list_var($1)
+ files_search_var_lib($1)
admin_pattern($1, arpwatch_data_t)

- files_list_pids($1)
- admin_pattern($1, arpwatch_var_run_t)
+ files_search_pids($1)
+ admin_pattern($1, arpwatch_pid_t)
')
diff --git a/arpwatch.te b/arpwatch.te
index 441c0f3c..cec74011 100644
--- a/arpwatch.te
+++ b/arpwatch.te
@@ -21,21 +21,21 @@ files_tmp_file(arpwatch_tmp_t)
type arpwatch_unit_t;
init_unit_file(arpwatch_unit_t)

-type arpwatch_var_run_t;
-files_pid_file(arpwatch_var_run_t)
+type arpwatch_pid_t alias arpwatch_var_run_t;
+files_pid_file(arpwatch_pid_t)

########################################
#
# Local policy
#

-allow arpwatch_t self:capability { net_admin net_raw setgid setuid };
-dontaudit arpwatch_t self:capability sys_tty_config;
+allow arpwatch_t self:capability { dac_override net_admin net_raw setgid setuid };
allow arpwatch_t self:process signal_perms;
allow arpwatch_t self:unix_stream_socket { accept listen };
allow arpwatch_t self:tcp_socket { accept listen };
allow arpwatch_t self:packet_socket create_socket_perms;
-allow arpwatch_t self:socket create_socket_perms;
+allow arpwatch_t self:socket { create ioctl };
+allow arpwatch_t self:netlink_netfilter_socket { create read write };

manage_dirs_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t)
manage_files_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t)
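Review bot: `dac_override` is added to the `self:capability` set on the new `allow` line with no comment and no rationale in the commit message, and it is by far the broadest capability granted here: it lets arpwatch_t bypass discretionary read/write/execute checks on every file its type-enforcement rules already reach. In refpolicy a sudden need for it usually indicates an ownership or mode mismatch (a daemon that drops to an unprivileged user but still touches root-owned files under its data or pid directory), which is better fixed in the package than papered over in policy; if it is genuinely required, state why above the rule, e.g. `# dac_override: <reason — TODO confirm>`. The same hunk also drops `dontaudit arpwatch_t self:capability sys_tty_config;` without explanation, so any such attempt will now appear as an audited denial; a sentence in the commit message covering both changes would help the next reviewer.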
@@ -45,14 +45,17 @@ manage_dirs_pattern(arpwatch_t, arpwatch_tmp_t, arpwatch_tmp_t)
manage_files_pattern(arpwatch_t, arpwatch_tmp_t, arpwatch_tmp_t)
files_tmp_filetrans(arpwatch_t, arpwatch_tmp_t, { file dir })

-manage_files_pattern(arpwatch_t, arpwatch_var_run_t, arpwatch_var_run_t)
-files_pid_filetrans(arpwatch_t, arpwatch_var_run_t, file)
+manage_files_pattern(arpwatch_t, arpwatch_pid_t, arpwatch_pid_t)
+files_pid_filetrans(arpwatch_t, arpwatch_pid_t, file)

kernel_read_kernel_sysctls(arpwatch_t)
kernel_read_network_state(arpwatch_t)
kernel_read_system_state(arpwatch_t)
kernel_request_load_module(arpwatch_t)
+# /sys/kernel/debug/usb/usbmon/\d+t
+kernel_dontaudit_search_debugfs(arpwatch_t)

+# /sys/class/net
dev_read_sysfs(arpwatch_t)
dev_read_usbmon_dev(arpwatch_t)
dev_rw_generic_usb_dev(arpwatch_t)
--
2.11.0

2017-06-08 22:40:56

by Chris PeBenito

Subject: [refpolicy] [PATCH 2/2] arpwatch: update

On 06/08/2017 01:16 PM, Christian Göttsche via refpolicy wrote:
> From: cgzones <[email protected]>
>
> ---
> arpwatch.fc | 4 ++--
> arpwatch.if | 17 +++++++++--------
> arpwatch.te | 17 ++++++++++-------
> 3 files changed, 21 insertions(+), 17 deletions(-)
>
> diff --git a/arpwatch.fc b/arpwatch.fc
> index 304f4622..9b0eadc8 100644
> --- a/arpwatch.fc
> +++ b/arpwatch.fc
> @@ -1,6 +1,6 @@
> /etc/rc\.d/init\.d/arpwatch -- gen_context(system_u:object_r:arpwatch_initrc_exec_t,s0)
>
> -/usr/lib/systemd/system/arpwatch.*\.service -- gen_context(system_u:object_r:arpwatch_unit_t,s0)
> +/usr/lib/systemd/system/arpwatch[^/]*\.service -- gen_context(system_u:object_r:arpwatch_unit_t,s0)
>
> /usr/bin/arpwatch -- gen_context(system_u:object_r:arpwatch_exec_t,s0)
>
> @@ -10,4 +10,4 @@
>
> /var/lib/arpwatch(/.*)? gen_context(system_u:object_r:arpwatch_data_t,s0)
>
> -/run/arpwatch.*\.pid -- gen_context(system_u:object_r:arpwatch_var_run_t,s0)
> +/run/arpwatch.*\.pid -- gen_context(system_u:object_r:arpwatch_pid_t,s0)
> diff --git a/arpwatch.if b/arpwatch.if
> index 76389b79..e8127128 100644
> --- a/arpwatch.if
> +++ b/arpwatch.if
> @@ -12,6 +12,8 @@
> ## </param>
> #
> interface(`arpwatch_initrc_domtrans',`
> + refpolicywarn(`$0($*) has been deprecated.')

I don't see why this should be deprecated.


> gen_require(`
> type arpwatch_initrc_exec_t;
> ')
> @@ -137,20 +139,19 @@ interface(`arpwatch_dontaudit_rw_packet_sockets',`
> interface(`arpwatch_admin',`
> gen_require(`
> type arpwatch_t, arpwatch_tmp_t, arpwatch_initrc_exec_t;
> - type arpwatch_data_t, arpwatch_var_run_t;
> + type arpwatch_data_t, arpwatch_pid_t, arpwatch_unit_t;
> ')
>
> - allow $1 arpwatch_t:process { ptrace signal_perms };
> - ps_process_pattern($1, arpwatch_t)
> + admin_process_pattern($1, arpwatch_t)
>
> - init_startstop_service($1, $2, arpwatch_t, arpwatch_initrc_exec_t)
> + init_startstop_service($1, $2, arpwatch_t, arpwatch_initrc_exec_t, arpwatch_unit_t)
>
> - files_list_tmp($1)
> + files_search_tmp($1)
> admin_pattern($1, arpwatch_tmp_t)
>
> - files_list_var($1)
> + files_search_var_lib($1)
> admin_pattern($1, arpwatch_data_t)
>
> - files_list_pids($1)
> - admin_pattern($1, arpwatch_var_run_t)
> + files_search_pids($1)
> + admin_pattern($1, arpwatch_pid_t)
> ')
> diff --git a/arpwatch.te b/arpwatch.te
> index 441c0f3c..cec74011 100644
> --- a/arpwatch.te
> +++ b/arpwatch.te
> @@ -21,21 +21,21 @@ files_tmp_file(arpwatch_tmp_t)
> type arpwatch_unit_t;
> init_unit_file(arpwatch_unit_t)
>
> -type arpwatch_var_run_t;
> -files_pid_file(arpwatch_var_run_t)
> +type arpwatch_pid_t alias arpwatch_var_run_t;
> +files_pid_file(arpwatch_pid_t)
>
> ########################################
> #
> # Local policy
> #
>
> -allow arpwatch_t self:capability { net_admin net_raw setgid setuid };
> -dontaudit arpwatch_t self:capability sys_tty_config;
> +allow arpwatch_t self:capability { dac_override net_admin net_raw setgid setuid };
> allow arpwatch_t self:process signal_perms;
> allow arpwatch_t self:unix_stream_socket { accept listen };
> allow arpwatch_t self:tcp_socket { accept listen };
> allow arpwatch_t self:packet_socket create_socket_perms;
> -allow arpwatch_t self:socket create_socket_perms;
> +allow arpwatch_t self:socket { create ioctl };
> +allow arpwatch_t self:netlink_netfilter_socket { create read write };
>
> manage_dirs_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t)
> manage_files_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t)
> @@ -45,14 +45,17 @@ manage_dirs_pattern(arpwatch_t, arpwatch_tmp_t, arpwatch_tmp_t)
> manage_files_pattern(arpwatch_t, arpwatch_tmp_t, arpwatch_tmp_t)
> files_tmp_filetrans(arpwatch_t, arpwatch_tmp_t, { file dir })
>
> -manage_files_pattern(arpwatch_t, arpwatch_var_run_t, arpwatch_var_run_t)
> -files_pid_filetrans(arpwatch_t, arpwatch_var_run_t, file)
> +manage_files_pattern(arpwatch_t, arpwatch_pid_t, arpwatch_pid_t)
> +files_pid_filetrans(arpwatch_t, arpwatch_pid_t, file)
>
> kernel_read_kernel_sysctls(arpwatch_t)
> kernel_read_network_state(arpwatch_t)
> kernel_read_system_state(arpwatch_t)
> kernel_request_load_module(arpwatch_t)
> +# /sys/kernel/debug/usb/usbmon/\d+t
> +kernel_dontaudit_search_debugfs(arpwatch_t)
>
> +# /sys/class/net
> dev_read_sysfs(arpwatch_t)
> dev_read_usbmon_dev(arpwatch_t)
> dev_rw_generic_usb_dev(arpwatch_t)
>


--
Chris PeBenito

2017-06-08 22:41:10

by Chris PeBenito

Subject: [refpolicy] [PATCH 1/2] arpwatch: align file contexts

On 06/08/2017 01:16 PM, Christian Göttsche via refpolicy wrote:
> From: cgzones <[email protected]>
>
> ---
> arpwatch.fc | 14 +++++++-------
> 1 file changed, 7 insertions(+), 7 deletions(-)
>
> diff --git a/arpwatch.fc b/arpwatch.fc
> index b439c10c..304f4622 100644
> --- a/arpwatch.fc
> +++ b/arpwatch.fc
> @@ -1,13 +1,13 @@
> -/etc/rc\.d/init\.d/arpwatch -- gen_context(system_u:object_r:arpwatch_initrc_exec_t,s0)
> +/etc/rc\.d/init\.d/arpwatch -- gen_context(system_u:object_r:arpwatch_initrc_exec_t,s0)
>
> -/usr/lib/systemd/system/arpwatch.*\.service -- gen_context(system_u:object_r:arpwatch_unit_t,s0)
> +/usr/lib/systemd/system/arpwatch.*\.service -- gen_context(system_u:object_r:arpwatch_unit_t,s0)
>
> -/usr/bin/arpwatch -- gen_context(system_u:object_r:arpwatch_exec_t,s0)
> +/usr/bin/arpwatch -- gen_context(system_u:object_r:arpwatch_exec_t,s0)
>
> -/usr/sbin/arpwatch -- gen_context(system_u:object_r:arpwatch_exec_t,s0)
> +/usr/sbin/arpwatch -- gen_context(system_u:object_r:arpwatch_exec_t,s0)
>
> -/var/arpwatch(/.*)? gen_context(system_u:object_r:arpwatch_data_t,s0)
> +/var/arpwatch(/.*)? gen_context(system_u:object_r:arpwatch_data_t,s0)
>
> -/var/lib/arpwatch(/.*)? gen_context(system_u:object_r:arpwatch_data_t,s0)
> +/var/lib/arpwatch(/.*)? gen_context(system_u:object_r:arpwatch_data_t,s0)
>
> -/run/arpwatch.*\.pid -- gen_context(system_u:object_r:arpwatch_var_run_t,s0)
> +/run/arpwatch.*\.pid -- gen_context(system_u:object_r:arpwatch_var_run_t,s0)
>

Merged.

--
Chris PeBenito