sec-policy/selinux-knot: move to upstreamed policy
parent
36894d134b
commit
794d0d5f5f
@ -1,6 +1,3 @@
|
||||
AUX knot.fc 422 BLAKE2B 9d7602908e81ab7b72f44bd302dbd83197928a92f0eab99b7f3545bb0da1af954d02a79020e0c3a4e06867ff0d8639fbb69b8a1f1975a7fec95a59c66968db1b SHA512 dcc584755579878e700bdaec34f076626fa81e1c420d9e21bcc45daffad535c36f8d85eb746b092530e257be114111b585d8160016d22de888dd5732cac57d70
|
||||
AUX knot.if 2312 BLAKE2B 9c6bd464e233491cd0d61579e2e3a25a87106c66f27f817e245dc9075ff303736aec1d86905adfee29be6b7c5d9702d167f0fd65c090ecd131eef99cd464b225 SHA512 4d3a321c47d94f3adfc30374eafc0c543aa4276a6728fe51636641994d895487f26c2f99e08042f3ba837b1a25d999e8cb5f86933ae16f26ad2f15ce9b43ef47
|
||||
AUX knot.te 3549 BLAKE2B 08392f8f8e2e0f104d1abd75dc1961a441f6c71a67ef74e5e64e2410b5b6b41207f9ab43193fd7c7a1a93786087d09ce03ca190c74dc56d58f38c62aac66aee0 SHA512 8a4ec1e751688fe9390f5fbde740317321141bcfa3380a587d452e48461932be6367ef6670a6f0960e53021d7522bcf34a6d0551a6a87d1e27203c145ec33bda
|
||||
DIST patchbundle-selinux-base-policy-2.20190201-r1.tar.bz2 426390 BLAKE2B 33e05e03e1e087f0bf460930f074108af5fa05688f7681ba3545530d21174be7d29e9035a7bc37e9acdbe3468680891f9865ad83188eb0f8fb9b9012252d6a1e SHA512 f2855a340f4ae7ba6c4cf0ec9445de7ca20f9fc0f11783992340ca2f073bbbf2d4999190f46f3910213dd1555e9578b3609284af6a7712b401053216c004ff7e
|
||||
DIST refpolicy-2.20190201.tar.bz2 552750 BLAKE2B d3cbdf5c5f8480cd36173d8cfbd2f55a6ad4a9f2176883dcc19eece6059114ca8700d07f8bd318d0430da253bb9e4e6a6e03f7a7db8a7964c95b00452aaab040 SHA512 c6568b679ad1a7c5c566b55291e86ce3784ee609c0091e5d465d41055724d950180780c7eedb3413351101b9182db51c7bce1816db1a9a17b3257861363efc6e
|
||||
EBUILD selinux-knot-2.20190201-r1.ebuild 377 BLAKE2B 3e0e81a404c1810ddeedad0ab2af2d6db2270f85492ea39d60992cf0b0015f500b8e70dda185af2341684115adcb580e79fba76665fbe80ba0d1db3305103082 SHA512 18f8f1a16161f4f648cbd346b467bc4bb3c810d156e6ffbdc34d12d7686f08c0911484e8c5304045ae2aef49c71d9586b574f041c1fe337fbacf1d405579c5f4
|
||||
DIST patchbundle-selinux-base-policy-2.20190609-r1.tar.bz2 407664 BLAKE2B e6b6b56f990389365c062522582e2177bc3b70040c99948efad25737e69178f9f72149cc443cb9edacfdd1aa6bc29f637cc61939f66e5cc3841f83298b33c41e SHA512 16195b51bb414ac82821f93756b3b5d0ec206b7035a50379c1f796082d9c53b11369e15086e1e26521808944266364470c43dcfdd1818ba079fda1613b7ef9bd
|
||||
DIST refpolicy-2.20190609.tar.bz2 555882 BLAKE2B abc45d9c906e0c880b7c47b0fb8e33f4a277c73244e20e8a95c44452db817241110127a5f8a3347cfbf5e30bf91f9dd4e5dd826426eb88b383fdbff5963f5fcd SHA512 f05ca08d31e62b7bf7203d7b243cce9ba87dd68d13b30067b99a44d5007449078fa82d591faa88c2955d370a346e69faedc850c02bd77c5624a8c746a13467f3
|
||||
EBUILD selinux-knot-2.20190609-r1.ebuild 339 BLAKE2B 83730ffefca1589be5f7b3ed114c79ff07805ecec2148a1c74f1340860f7c1a70c6eb885b1030472d6e9a5d737c16e1c2412ade6c92e8f28d3545bedef71443d SHA512 041b9cc10e52f1862e9c4aaefe4488e3bdf817071befe3e04bc30feb8d37dd0f58093c27907a8d4928a59dd3f2a2945378d5d44f9a8f685357e34f888020238d
|
||||
|
@ -1,11 +0,0 @@
|
||||
/etc/rc\.d/init\.d/knot -- gen_context(system_u:object_r:knot_initrc_exec_t,s0)
|
||||
|
||||
/etc/knot(/.*)? gen_context(system_u:object_r:knot_conf_t,s0)
|
||||
|
||||
/usr/sbin/knotd -- gen_context(system_u:object_r:knotd_exec_t,s0)
|
||||
|
||||
/usr/sbin/knotc -- gen_context(system_u:object_r:knotc_exec_t,s0)
|
||||
|
||||
/var/lib/knot(/.*)? gen_context(system_u:object_r:knot_var_lib_t,s0)
|
||||
|
||||
/run/knot(/.*)? gen_context(system_u:object_r:knot_runtime_t,s0)
|
@ -1,108 +0,0 @@
|
||||
## <summary>high-performance authoritative-only DNS server.</summary>
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute knotc in the knotc domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed to transition.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`knot_domtrans_client',`
|
||||
gen_require(`
|
||||
type knotc_t, knotc_exec_t;
|
||||
')
|
||||
|
||||
corecmd_search_bin($1)
|
||||
domtrans_pattern($1, knotc_exec_t, knotc_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute knotc in the knotc domain, and
|
||||
## allow the specified role the knotc domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed to transition.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## Role allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`knot_run_client',`
|
||||
gen_require(`
|
||||
attribute_role knot_roles;
|
||||
')
|
||||
|
||||
knot_domtrans_client($1)
|
||||
roleattribute $2 knot_roles;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read knot config files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`knot_read_config_file',`
|
||||
gen_require(`
|
||||
type knot_conf_t;
|
||||
')
|
||||
|
||||
read_files_pattern($1, knot_conf_t, knot_conf_t)
|
||||
files_search_etc($1)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## All of the rules required to
|
||||
## administrate an knot environment.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## Role allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`knot_admin',`
|
||||
gen_require(`
|
||||
type knotc_t, knotd_t, knot_conf_t, knot_initrc_exec_t;
|
||||
type knot_runtime_t, knot_tmp_t, knot_var_lib_t;
|
||||
')
|
||||
|
||||
allow $1 knotc_t:process signal_perms;
|
||||
allow $1 knotd_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, knotc_t)
|
||||
ps_process_pattern($1, knotd_t)
|
||||
|
||||
init_startstop_service($1, $2, knotd_t, knot_initrc_exec_t)
|
||||
|
||||
files_search_etc($1)
|
||||
admin_pattern($1, knot_conf_t)
|
||||
|
||||
files_search_pids($1)
|
||||
admin_pattern($1, knot_runtime_t)
|
||||
|
||||
files_search_tmp($1)
|
||||
admin_pattern($1, knot_tmp_t)
|
||||
|
||||
files_search_var_lib($1)
|
||||
admin_pattern($1, knot_var_lib_t)
|
||||
')
|
@ -1,141 +0,0 @@
|
||||
policy_module(knot, 1.0.0)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
|
||||
attribute_role knot_roles;
|
||||
|
||||
type knotd_t;
|
||||
type knotd_exec_t;
|
||||
init_daemon_domain(knotd_t, knotd_exec_t)
|
||||
|
||||
type knotc_t;
|
||||
type knotc_exec_t;
|
||||
application_domain(knotc_t, knotc_exec_t)
|
||||
init_daemon_domain(knotc_t, knotc_exec_t)
|
||||
role knot_roles types knotc_t;
|
||||
|
||||
type knot_conf_t;
|
||||
files_config_file(knot_conf_t)
|
||||
|
||||
type knot_initrc_exec_t;
|
||||
init_script_file(knot_initrc_exec_t)
|
||||
|
||||
type knot_runtime_t;
|
||||
files_pid_file(knot_runtime_t)
|
||||
|
||||
type knot_var_lib_t;
|
||||
files_type(knot_var_lib_t)
|
||||
|
||||
type knot_tmp_t;
|
||||
files_tmp_file(knot_tmp_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# knotd local policy
|
||||
#
|
||||
allow knotd_t self:capability { dac_override dac_read_search setgid setpcap setuid };
|
||||
allow knotd_t self:process { signal_perms getcap getsched setsched };
|
||||
allow knotd_t self:tcp_socket create_stream_socket_perms;
|
||||
allow knotd_t self:udp_socket create_socket_perms;
|
||||
allow knotd_t self:unix_stream_socket create_stream_socket_perms;
|
||||
|
||||
corenet_tcp_bind_generic_node(knotd_t)
|
||||
corenet_udp_bind_generic_node(knotd_t)
|
||||
|
||||
corenet_sendrecv_dns_server_packets(knotd_t)
|
||||
corenet_tcp_bind_dns_port(knotd_t)
|
||||
corenet_udp_bind_dns_port(knotd_t)
|
||||
# Slave replication
|
||||
corenet_tcp_connect_dns_port(knotd_t)
|
||||
|
||||
kernel_read_kernel_sysctls(knotd_t)
|
||||
|
||||
allow knotd_t knot_conf_t:file map;
|
||||
knot_read_config_file(knotd_t)
|
||||
|
||||
manage_dirs_pattern(knotd_t, knot_runtime_t, knot_runtime_t)
|
||||
manage_files_pattern(knotd_t, knot_runtime_t, knot_runtime_t)
|
||||
manage_lnk_files_pattern(knotd_t, knot_runtime_t, knot_runtime_t)
|
||||
manage_sock_files_pattern(knotd_t, knot_runtime_t, knot_runtime_t)
|
||||
files_search_pids(knotd_t) ### Check it
|
||||
files_pid_filetrans(knotd_t, knot_runtime_t, dir)
|
||||
|
||||
allow knotd_t knot_tmp_t:file map;
|
||||
allow knotd_t knot_tmp_t:file manage_file_perms;
|
||||
allow knotd_t knot_tmp_t:dir manage_dir_perms;
|
||||
files_tmp_filetrans(knotd_t, knot_tmp_t, { file dir })
|
||||
|
||||
allow knotd_t knot_var_lib_t:file map;
|
||||
manage_dirs_pattern(knotd_t, knot_var_lib_t, knot_var_lib_t)
|
||||
manage_files_pattern(knotd_t, knot_var_lib_t, knot_var_lib_t)
|
||||
manage_lnk_files_pattern(knotd_t, knot_var_lib_t, knot_var_lib_t)
|
||||
files_search_var_lib(knotd_t)
|
||||
files_var_lib_filetrans(knotd_t, knot_var_lib_t, dir)
|
||||
|
||||
files_map_etc_files(knotd_t)
|
||||
|
||||
fs_getattr_xattr_fs(knotd_t)
|
||||
|
||||
fs_getattr_tmpfs(knotd_t)
|
||||
|
||||
auth_use_nsswitch(knotd_t)
|
||||
|
||||
logging_send_syslog_msg(knotd_t)
|
||||
|
||||
miscfiles_read_localization(knotd_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# knotc local policy
|
||||
#
|
||||
allow knotc_t self:capability { dac_override dac_read_search };
|
||||
allow knotc_t self:process signal;
|
||||
|
||||
stream_connect_pattern(knotc_t, knot_runtime_t, knot_runtime_t, knotd_t)
|
||||
|
||||
allow knotc_t knot_conf_t:file map;
|
||||
knot_read_config_file(knotc_t)
|
||||
|
||||
allow knotc_t knot_tmp_t:file map;
|
||||
allow knotc_t knot_tmp_t:file manage_file_perms;
|
||||
allow knotc_t knot_tmp_t:dir manage_dir_perms;
|
||||
files_tmp_filetrans(knotc_t, knot_tmp_t, { file dir })
|
||||
|
||||
allow knotc_t knot_var_lib_t:file map;
|
||||
manage_dirs_pattern(knotc_t, knot_var_lib_t, knot_var_lib_t)
|
||||
manage_files_pattern(knotc_t, knot_var_lib_t, knot_var_lib_t)
|
||||
manage_lnk_files_pattern(knotc_t, knot_var_lib_t, knot_var_lib_t)
|
||||
files_search_var_lib(knotc_t)
|
||||
|
||||
files_read_etc_files(knotc_t)
|
||||
|
||||
fs_getattr_tmpfs(knotc_t)
|
||||
|
||||
domain_use_interactive_fds(knotc_t)
|
||||
|
||||
miscfiles_read_localization(knotc_t)
|
||||
|
||||
userdom_use_user_ptys(knotc_t)
|
||||
|
||||
|
||||
|
||||
optional_policy(`
|
||||
gen_require(`
|
||||
type initrc_t;
|
||||
')
|
||||
|
||||
knot_read_config_file(initrc_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
gen_require(`
|
||||
role sysadm_r;
|
||||
type sysadm_t;
|
||||
')
|
||||
|
||||
knot_admin(sysadm_t, sysadm_r)
|
||||
knot_run_client(sysadm_t, sysadm_r)
|
||||
')
|
@ -5,16 +5,15 @@ EAPI="5"
|
||||
|
||||
IUSE=""
|
||||
MODS="knot"
|
||||
POLICY_FILES="knot.te knot.fc knot.if"
|
||||
|
||||
inherit selinux-policy-2
|
||||
|
||||
DESCRIPTION="SELinux policy for knot"
|
||||
|
||||
RDEPEND="sec-policy/selinux-base-policy"
|
||||
DEPEND="sec-policy/selinux-base-policy"
|
||||
|
||||
if [[ $PV == 9999* ]] ; then
|
||||
KEYWORDS=""
|
||||
else
|
||||
KEYWORDS="amd64 x86"
|
||||
KEYWORDS="~amd64 ~x86"
|
||||
fi
|
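Review bot: `RDEPEND="sec-policy/selinux-base-policy"` and `DEPEND="sec-policy/selinux-base-policy"` stay unversioned on the new side of this hunk, although the `knot` module (`MODS="knot"`) now has to come from the base-policy sources once the local `knot.te`/`knot.fc`/`knot.if` are deleted by this commit (the `POLICY_FILES="knot.te knot.fc knot.if"` line appears to be on the removed side). Without a lower bound, installing this revision against a base-policy that predates the upstream knot module would fail at module build time, and the ebuild cannot express that it only makes sense together with the 2.20190609 refpolicy release recorded in the Manifest. Unless the selinux-policy-2 eclass already pins the matching base-policy version, I would change the two lines to `RDEPEND=">=sec-policy/selinux-base-policy-2.20190609"` and `DEPEND="${RDEPEND}"`. Which of the two `KEYWORDS` lines is the new one is not recoverable from this rendering, so I leave that change alone. The enclosing ebuild starts before this hunk (the `EAPI="5"` line is only visible in the hunk header).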