2017-06-09 13:41:00

by Christian Göttsche

Subject: [refpolicy] [PATCH] arpwatch: update

From: cgzones <[email protected]>

v2:
- do not deprecate arpwatch_initrc_domtrans
---
arpwatch.fc | 4 ++--
arpwatch.if | 15 +++++++--------
arpwatch.te | 17 ++++++++++-------
3 files changed, 19 insertions(+), 17 deletions(-)

diff --git a/arpwatch.fc b/arpwatch.fc
index 304f4622..9b0eadc8 100644
--- a/arpwatch.fc
+++ b/arpwatch.fc
@@ -1,6 +1,6 @@
/etc/rc\.d/init\.d/arpwatch -- gen_context(system_u:object_r:arpwatch_initrc_exec_t,s0)

-/usr/lib/systemd/system/arpwatch.*\.service -- gen_context(system_u:object_r:arpwatch_unit_t,s0)
+/usr/lib/systemd/system/arpwatch[^/]*\.service -- gen_context(system_u:object_r:arpwatch_unit_t,s0)

/usr/bin/arpwatch -- gen_context(system_u:object_r:arpwatch_exec_t,s0)

@@ -10,4 +10,4 @@

/var/lib/arpwatch(/.*)? gen_context(system_u:object_r:arpwatch_data_t,s0)

-/run/arpwatch.*\.pid -- gen_context(system_u:object_r:arpwatch_var_run_t,s0)
+/run/arpwatch.*\.pid -- gen_context(system_u:object_r:arpwatch_pid_t,s0)
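Review bot: The pid-file pattern keeps `.*`, which also matches a `/` and so would label any `.pid` file under a nested path such as `/run/arpwatch/…/x.pid` as arpwatch_pid_t, while the unit-file pattern in the first hunk was tightened to `[^/]*` for exactly this reason. For consistency the same bound belongs here: `/run/arpwatch[^/]*\.pid -- gen_context(system_u:object_r:arpwatch_pid_t,s0)`. If a per-instance subdirectory under /run is actually expected, that should be its own `/run/arpwatch(/.*)?` entry rather than an open-ended wildcard.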
diff --git a/arpwatch.if b/arpwatch.if
index 76389b79..63e1b571 100644
--- a/arpwatch.if
+++ b/arpwatch.if
@@ -137,20 +137,19 @@ interface(`arpwatch_dontaudit_rw_packet_sockets',`
interface(`arpwatch_admin',`
gen_require(`
type arpwatch_t, arpwatch_tmp_t, arpwatch_initrc_exec_t;
- type arpwatch_data_t, arpwatch_var_run_t;
+ type arpwatch_data_t, arpwatch_pid_t, arpwatch_unit_t;
')

- allow $1 arpwatch_t:process { ptrace signal_perms };
- ps_process_pattern($1, arpwatch_t)
+ admin_process_pattern($1, arpwatch_t)

- init_startstop_service($1, $2, arpwatch_t, arpwatch_initrc_exec_t)
+ init_startstop_service($1, $2, arpwatch_t, arpwatch_initrc_exec_t, arpwatch_unit_t)

- files_list_tmp($1)
+ files_search_tmp($1)
admin_pattern($1, arpwatch_tmp_t)

- files_list_var($1)
+ files_search_var_lib($1)
admin_pattern($1, arpwatch_data_t)

- files_list_pids($1)
- admin_pattern($1, arpwatch_var_run_t)
+ files_search_pids($1)
+ admin_pattern($1, arpwatch_pid_t)
')
diff --git a/arpwatch.te b/arpwatch.te
index 935e8614..7bc0d9ce 100644
--- a/arpwatch.te
+++ b/arpwatch.te
@@ -21,21 +21,21 @@ files_tmp_file(arpwatch_tmp_t)
type arpwatch_unit_t;
init_unit_file(arpwatch_unit_t)

-type arpwatch_var_run_t;
-files_pid_file(arpwatch_var_run_t)
+type arpwatch_pid_t alias arpwatch_var_run_t;
+files_pid_file(arpwatch_pid_t)

########################################
#
# Local policy
#

-allow arpwatch_t self:capability { net_admin net_raw setgid setuid };
-dontaudit arpwatch_t self:capability sys_tty_config;
+allow arpwatch_t self:capability { dac_override net_admin net_raw setgid setuid };
allow arpwatch_t self:process signal_perms;
allow arpwatch_t self:unix_stream_socket { accept listen };
allow arpwatch_t self:tcp_socket { accept listen };
allow arpwatch_t self:packet_socket create_socket_perms;
-allow arpwatch_t self:socket create_socket_perms;
+allow arpwatch_t self:socket { create ioctl };
+allow arpwatch_t self:netlink_netfilter_socket { create read write };

manage_dirs_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t)
manage_files_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t)
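Review bot: The new `dac_override` in the self:capability line is granted without a comment saying which access needed it, and it lets arpwatch_t bypass DAC mode bits on every file its SELinux rules already reach (data, tmp, pid files, usb devices). Given that setuid/setgid are allowed in the same rule, the denial presumably comes from the daemon dropping to an unprivileged user and then touching root-owned files; if so, the cleaner fix is correct ownership of /var/lib/arpwatch and the pid file, and if the denial was only on read/search, `dac_read_search` is the narrower capability. At minimum add a why-comment above the rule, e.g. `# dac_override: reads root-owned db/pid files after dropping privileges (TODO: confirm, prefer fixing ownership)`. The tightening of `self:socket` from create_socket_perms to `{ create ioctl }` is a welcome reduction.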
@@ -45,14 +45,17 @@ manage_dirs_pattern(arpwatch_t, arpwatch_tmp_t, arpwatch_tmp_t)
manage_files_pattern(arpwatch_t, arpwatch_tmp_t, arpwatch_tmp_t)
files_tmp_filetrans(arpwatch_t, arpwatch_tmp_t, { file dir })

-manage_files_pattern(arpwatch_t, arpwatch_var_run_t, arpwatch_var_run_t)
-files_pid_filetrans(arpwatch_t, arpwatch_var_run_t, file)
+manage_files_pattern(arpwatch_t, arpwatch_pid_t, arpwatch_pid_t)
+files_pid_filetrans(arpwatch_t, arpwatch_pid_t, file)

kernel_read_kernel_sysctls(arpwatch_t)
kernel_read_network_state(arpwatch_t)
kernel_read_system_state(arpwatch_t)
kernel_request_load_module(arpwatch_t)
+# /sys/kernel/debug/usb/usbmon/\d+t
+kernel_dontaudit_search_debugfs(arpwatch_t)

+# /sys/class/net
dev_read_sysfs(arpwatch_t)
dev_read_usbmon_dev(arpwatch_t)
dev_rw_generic_usb_dev(arpwatch_t)
--
2.11.0


2017-06-12 22:38:59

by Chris PeBenito

Subject: [refpolicy] [PATCH] arpwatch: update

On 06/09/2017 09:41 AM, Christian Göttsche via refpolicy wrote:
> From: cgzones <[email protected]>
>
> v2:
> - do not deprecate arpwatch_initrc_domtrans
> ---
> arpwatch.fc | 4 ++--
> arpwatch.if | 15 +++++++--------
> arpwatch.te | 17 ++++++++++-------
> 3 files changed, 19 insertions(+), 17 deletions(-)
>
> diff --git a/arpwatch.fc b/arpwatch.fc
> index 304f4622..9b0eadc8 100644
> --- a/arpwatch.fc
> +++ b/arpwatch.fc
> @@ -1,6 +1,6 @@
> /etc/rc\.d/init\.d/arpwatch -- gen_context(system_u:object_r:arpwatch_initrc_exec_t,s0)
>
> -/usr/lib/systemd/system/arpwatch.*\.service -- gen_context(system_u:object_r:arpwatch_unit_t,s0)
> +/usr/lib/systemd/system/arpwatch[^/]*\.service -- gen_context(system_u:object_r:arpwatch_unit_t,s0)
>
> /usr/bin/arpwatch -- gen_context(system_u:object_r:arpwatch_exec_t,s0)
>
> @@ -10,4 +10,4 @@
>
> /var/lib/arpwatch(/.*)? gen_context(system_u:object_r:arpwatch_data_t,s0)
>
> -/run/arpwatch.*\.pid -- gen_context(system_u:object_r:arpwatch_var_run_t,s0)
> +/run/arpwatch.*\.pid -- gen_context(system_u:object_r:arpwatch_pid_t,s0)
> diff --git a/arpwatch.if b/arpwatch.if
> index 76389b79..63e1b571 100644
> --- a/arpwatch.if
> +++ b/arpwatch.if
> @@ -137,20 +137,19 @@ interface(`arpwatch_dontaudit_rw_packet_sockets',`
> interface(`arpwatch_admin',`
> gen_require(`
> type arpwatch_t, arpwatch_tmp_t, arpwatch_initrc_exec_t;
> - type arpwatch_data_t, arpwatch_var_run_t;
> + type arpwatch_data_t, arpwatch_pid_t, arpwatch_unit_t;
> ')
>
> - allow $1 arpwatch_t:process { ptrace signal_perms };
> - ps_process_pattern($1, arpwatch_t)
> + admin_process_pattern($1, arpwatch_t)
>
> - init_startstop_service($1, $2, arpwatch_t, arpwatch_initrc_exec_t)
> + init_startstop_service($1, $2, arpwatch_t, arpwatch_initrc_exec_t, arpwatch_unit_t)
>
> - files_list_tmp($1)
> + files_search_tmp($1)
> admin_pattern($1, arpwatch_tmp_t)
>
> - files_list_var($1)
> + files_search_var_lib($1)
> admin_pattern($1, arpwatch_data_t)
>
> - files_list_pids($1)
> - admin_pattern($1, arpwatch_var_run_t)
> + files_search_pids($1)
> + admin_pattern($1, arpwatch_pid_t)
> ')
> diff --git a/arpwatch.te b/arpwatch.te
> index 935e8614..7bc0d9ce 100644
> --- a/arpwatch.te
> +++ b/arpwatch.te
> @@ -21,21 +21,21 @@ files_tmp_file(arpwatch_tmp_t)
> type arpwatch_unit_t;
> init_unit_file(arpwatch_unit_t)
>
> -type arpwatch_var_run_t;
> -files_pid_file(arpwatch_var_run_t)
> +type arpwatch_pid_t alias arpwatch_var_run_t;
> +files_pid_file(arpwatch_pid_t)
>
> ########################################
> #
> # Local policy
> #
>
> -allow arpwatch_t self:capability { net_admin net_raw setgid setuid };
> -dontaudit arpwatch_t self:capability sys_tty_config;
> +allow arpwatch_t self:capability { dac_override net_admin net_raw setgid setuid };
> allow arpwatch_t self:process signal_perms;
> allow arpwatch_t self:unix_stream_socket { accept listen };
> allow arpwatch_t self:tcp_socket { accept listen };
> allow arpwatch_t self:packet_socket create_socket_perms;
> -allow arpwatch_t self:socket create_socket_perms;
> +allow arpwatch_t self:socket { create ioctl };
> +allow arpwatch_t self:netlink_netfilter_socket { create read write };
>
> manage_dirs_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t)
> manage_files_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t)
> @@ -45,14 +45,17 @@ manage_dirs_pattern(arpwatch_t, arpwatch_tmp_t, arpwatch_tmp_t)
> manage_files_pattern(arpwatch_t, arpwatch_tmp_t, arpwatch_tmp_t)
> files_tmp_filetrans(arpwatch_t, arpwatch_tmp_t, { file dir })
>
> -manage_files_pattern(arpwatch_t, arpwatch_var_run_t, arpwatch_var_run_t)
> -files_pid_filetrans(arpwatch_t, arpwatch_var_run_t, file)
> +manage_files_pattern(arpwatch_t, arpwatch_pid_t, arpwatch_pid_t)
> +files_pid_filetrans(arpwatch_t, arpwatch_pid_t, file)
>
> kernel_read_kernel_sysctls(arpwatch_t)
> kernel_read_network_state(arpwatch_t)
> kernel_read_system_state(arpwatch_t)
> kernel_request_load_module(arpwatch_t)
> +# /sys/kernel/debug/usb/usbmon/\d+t
> +kernel_dontaudit_search_debugfs(arpwatch_t)
>
> +# /sys/class/net
> dev_read_sysfs(arpwatch_t)
> dev_read_usbmon_dev(arpwatch_t)
> dev_rw_generic_usb_dev(arpwatch_t)

Merged.

--
Chris PeBenito