sec-policy/selinux-knot: move to upstreamed policy

Alexander Miroshnichenko 2020-02-29 11:34:59 +03:00
parent 36894d134b
commit 794d0d5f5f
Signed by: alex
GPG Key ID: E93720C6C73A77F4
5 changed files with 5 additions and 269 deletions


@ -1,6 +1,3 @@
AUX knot.fc 422 BLAKE2B 9d7602908e81ab7b72f44bd302dbd83197928a92f0eab99b7f3545bb0da1af954d02a79020e0c3a4e06867ff0d8639fbb69b8a1f1975a7fec95a59c66968db1b SHA512 dcc584755579878e700bdaec34f076626fa81e1c420d9e21bcc45daffad535c36f8d85eb746b092530e257be114111b585d8160016d22de888dd5732cac57d70 DIST patchbundle-selinux-base-policy-2.20190609-r1.tar.bz2 407664 BLAKE2B e6b6b56f990389365c062522582e2177bc3b70040c99948efad25737e69178f9f72149cc443cb9edacfdd1aa6bc29f637cc61939f66e5cc3841f83298b33c41e SHA512 16195b51bb414ac82821f93756b3b5d0ec206b7035a50379c1f796082d9c53b11369e15086e1e26521808944266364470c43dcfdd1818ba079fda1613b7ef9bd
AUX knot.if 2312 BLAKE2B 9c6bd464e233491cd0d61579e2e3a25a87106c66f27f817e245dc9075ff303736aec1d86905adfee29be6b7c5d9702d167f0fd65c090ecd131eef99cd464b225 SHA512 4d3a321c47d94f3adfc30374eafc0c543aa4276a6728fe51636641994d895487f26c2f99e08042f3ba837b1a25d999e8cb5f86933ae16f26ad2f15ce9b43ef47 DIST refpolicy-2.20190609.tar.bz2 555882 BLAKE2B abc45d9c906e0c880b7c47b0fb8e33f4a277c73244e20e8a95c44452db817241110127a5f8a3347cfbf5e30bf91f9dd4e5dd826426eb88b383fdbff5963f5fcd SHA512 f05ca08d31e62b7bf7203d7b243cce9ba87dd68d13b30067b99a44d5007449078fa82d591faa88c2955d370a346e69faedc850c02bd77c5624a8c746a13467f3
AUX knot.te 3549 BLAKE2B 08392f8f8e2e0f104d1abd75dc1961a441f6c71a67ef74e5e64e2410b5b6b41207f9ab43193fd7c7a1a93786087d09ce03ca190c74dc56d58f38c62aac66aee0 SHA512 8a4ec1e751688fe9390f5fbde740317321141bcfa3380a587d452e48461932be6367ef6670a6f0960e53021d7522bcf34a6d0551a6a87d1e27203c145ec33bda EBUILD selinux-knot-2.20190609-r1.ebuild 339 BLAKE2B 83730ffefca1589be5f7b3ed114c79ff07805ecec2148a1c74f1340860f7c1a70c6eb885b1030472d6e9a5d737c16e1c2412ade6c92e8f28d3545bedef71443d SHA512 041b9cc10e52f1862e9c4aaefe4488e3bdf817071befe3e04bc30feb8d37dd0f58093c27907a8d4928a59dd3f2a2945378d5d44f9a8f685357e34f888020238d
DIST patchbundle-selinux-base-policy-2.20190201-r1.tar.bz2 426390 BLAKE2B 33e05e03e1e087f0bf460930f074108af5fa05688f7681ba3545530d21174be7d29e9035a7bc37e9acdbe3468680891f9865ad83188eb0f8fb9b9012252d6a1e SHA512 f2855a340f4ae7ba6c4cf0ec9445de7ca20f9fc0f11783992340ca2f073bbbf2d4999190f46f3910213dd1555e9578b3609284af6a7712b401053216c004ff7e
DIST refpolicy-2.20190201.tar.bz2 552750 BLAKE2B d3cbdf5c5f8480cd36173d8cfbd2f55a6ad4a9f2176883dcc19eece6059114ca8700d07f8bd318d0430da253bb9e4e6a6e03f7a7db8a7964c95b00452aaab040 SHA512 c6568b679ad1a7c5c566b55291e86ce3784ee609c0091e5d465d41055724d950180780c7eedb3413351101b9182db51c7bce1816db1a9a17b3257861363efc6e
EBUILD selinux-knot-2.20190201-r1.ebuild 377 BLAKE2B 3e0e81a404c1810ddeedad0ab2af2d6db2270f85492ea39d60992cf0b0015f500b8e70dda185af2341684115adcb580e79fba76665fbe80ba0d1db3305103082 SHA512 18f8f1a16161f4f648cbd346b467bc4bb3c810d156e6ffbdc34d12d7686f08c0911484e8c5304045ae2aef49c71d9586b574f041c1fe337fbacf1d405579c5f4


@ -1,11 +0,0 @@
/etc/rc\.d/init\.d/knot -- gen_context(system_u:object_r:knot_initrc_exec_t,s0)
/etc/knot(/.*)? gen_context(system_u:object_r:knot_conf_t,s0)
/usr/sbin/knotd -- gen_context(system_u:object_r:knotd_exec_t,s0)
/usr/sbin/knotc -- gen_context(system_u:object_r:knotc_exec_t,s0)
/var/lib/knot(/.*)? gen_context(system_u:object_r:knot_var_lib_t,s0)
/run/knot(/.*)? gen_context(system_u:object_r:knot_runtime_t,s0)


@ -1,108 +0,0 @@
## <summary>high-performance authoritative-only DNS server.</summary>
########################################
## <summary>
## Execute knotc in the knotc domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`knot_domtrans_client',`
gen_require(`
type knotc_t, knotc_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, knotc_exec_t, knotc_t)
')
########################################
## <summary>
## Execute knotc in the knotc domain, and
## allow the specified role the knotc domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`knot_run_client',`
gen_require(`
attribute_role knot_roles;
')
knot_domtrans_client($1)
roleattribute $2 knot_roles;
')
########################################
## <summary>
## Read knot config files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`knot_read_config_file',`
gen_require(`
type knot_conf_t;
')
read_files_pattern($1, knot_conf_t, knot_conf_t)
files_search_etc($1)
')
########################################
## <summary>
## All of the rules required to
## administrate an knot environment.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`knot_admin',`
gen_require(`
type knotc_t, knotd_t, knot_conf_t, knot_initrc_exec_t;
type knot_runtime_t, knot_tmp_t, knot_var_lib_t;
')
allow $1 knotc_t:process signal_perms;
allow $1 knotd_t:process { ptrace signal_perms };
ps_process_pattern($1, knotc_t)
ps_process_pattern($1, knotd_t)
init_startstop_service($1, $2, knotd_t, knot_initrc_exec_t)
files_search_etc($1)
admin_pattern($1, knot_conf_t)
files_search_pids($1)
admin_pattern($1, knot_runtime_t)
files_search_tmp($1)
admin_pattern($1, knot_tmp_t)
files_search_var_lib($1)
admin_pattern($1, knot_var_lib_t)
')


@ -1,141 +0,0 @@
policy_module(knot, 1.0.0)
########################################
#
# Declarations
#
attribute_role knot_roles;
type knotd_t;
type knotd_exec_t;
init_daemon_domain(knotd_t, knotd_exec_t)
type knotc_t;
type knotc_exec_t;
application_domain(knotc_t, knotc_exec_t)
init_daemon_domain(knotc_t, knotc_exec_t)
role knot_roles types knotc_t;
type knot_conf_t;
files_config_file(knot_conf_t)
type knot_initrc_exec_t;
init_script_file(knot_initrc_exec_t)
type knot_runtime_t;
files_pid_file(knot_runtime_t)
type knot_var_lib_t;
files_type(knot_var_lib_t)
type knot_tmp_t;
files_tmp_file(knot_tmp_t)
########################################
#
# knotd local policy
#
allow knotd_t self:capability { dac_override dac_read_search setgid setpcap setuid };
allow knotd_t self:process { signal_perms getcap getsched setsched };
allow knotd_t self:tcp_socket create_stream_socket_perms;
allow knotd_t self:udp_socket create_socket_perms;
allow knotd_t self:unix_stream_socket create_stream_socket_perms;
corenet_tcp_bind_generic_node(knotd_t)
corenet_udp_bind_generic_node(knotd_t)
corenet_sendrecv_dns_server_packets(knotd_t)
corenet_tcp_bind_dns_port(knotd_t)
corenet_udp_bind_dns_port(knotd_t)
# Slave replication
corenet_tcp_connect_dns_port(knotd_t)
kernel_read_kernel_sysctls(knotd_t)
allow knotd_t knot_conf_t:file map;
knot_read_config_file(knotd_t)
manage_dirs_pattern(knotd_t, knot_runtime_t, knot_runtime_t)
manage_files_pattern(knotd_t, knot_runtime_t, knot_runtime_t)
manage_lnk_files_pattern(knotd_t, knot_runtime_t, knot_runtime_t)
manage_sock_files_pattern(knotd_t, knot_runtime_t, knot_runtime_t)
files_search_pids(knotd_t) ### Check it
files_pid_filetrans(knotd_t, knot_runtime_t, dir)
allow knotd_t knot_tmp_t:file map;
allow knotd_t knot_tmp_t:file manage_file_perms;
allow knotd_t knot_tmp_t:dir manage_dir_perms;
files_tmp_filetrans(knotd_t, knot_tmp_t, { file dir })
allow knotd_t knot_var_lib_t:file map;
manage_dirs_pattern(knotd_t, knot_var_lib_t, knot_var_lib_t)
manage_files_pattern(knotd_t, knot_var_lib_t, knot_var_lib_t)
manage_lnk_files_pattern(knotd_t, knot_var_lib_t, knot_var_lib_t)
files_search_var_lib(knotd_t)
files_var_lib_filetrans(knotd_t, knot_var_lib_t, dir)
files_map_etc_files(knotd_t)
fs_getattr_xattr_fs(knotd_t)
fs_getattr_tmpfs(knotd_t)
auth_use_nsswitch(knotd_t)
logging_send_syslog_msg(knotd_t)
miscfiles_read_localization(knotd_t)
########################################
#
# knotc local policy
#
allow knotc_t self:capability { dac_override dac_read_search };
allow knotc_t self:process signal;
stream_connect_pattern(knotc_t, knot_runtime_t, knot_runtime_t, knotd_t)
allow knotc_t knot_conf_t:file map;
knot_read_config_file(knotc_t)
allow knotc_t knot_tmp_t:file map;
allow knotc_t knot_tmp_t:file manage_file_perms;
allow knotc_t knot_tmp_t:dir manage_dir_perms;
files_tmp_filetrans(knotc_t, knot_tmp_t, { file dir })
allow knotc_t knot_var_lib_t:file map;
manage_dirs_pattern(knotc_t, knot_var_lib_t, knot_var_lib_t)
manage_files_pattern(knotc_t, knot_var_lib_t, knot_var_lib_t)
manage_lnk_files_pattern(knotc_t, knot_var_lib_t, knot_var_lib_t)
files_search_var_lib(knotc_t)
files_read_etc_files(knotc_t)
fs_getattr_tmpfs(knotc_t)
domain_use_interactive_fds(knotc_t)
miscfiles_read_localization(knotc_t)
userdom_use_user_ptys(knotc_t)
optional_policy(`
gen_require(`
type initrc_t;
')
knot_read_config_file(initrc_t)
')
optional_policy(`
gen_require(`
role sysadm_r;
type sysadm_t;
')
knot_admin(sysadm_t, sysadm_r)
knot_run_client(sysadm_t, sysadm_r)
')


@ -5,16 +5,15 @@ EAPI="5"
IUSE="" IUSE=""
MODS="knot" MODS="knot"
POLICY_FILES="knot.te knot.fc knot.if"
inherit selinux-policy-2 inherit selinux-policy-2
DESCRIPTION="SELinux policy for knot" DESCRIPTION="SELinux policy for knot"
RDEPEND="sec-policy/selinux-base-policy" DEPEND="sec-policy/selinux-base-policy"
if [[ $PV == 9999* ]] ; then if [[ $PV == 9999* ]] ; then
KEYWORDS="" KEYWORDS=""
else else
KEYWORDS="amd64 x86" KEYWORDS="~amd64 ~x86"
fi fi
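Review bot: The `sec-policy/selinux-base-policy` dependency on the `RDEPEND=`/`DEPEND=` line carries no version bound, yet with knot.te, knot.if and knot.fc deleted and `POLICY_FILES` dropped from this ebuild, the `knot` module named in `MODS="knot"` must now come from the base policy itself — presumably the refpolicy 2.20190609 referenced in the Manifest. A build against an older base policy that ships no knot module would fail without the ebuild stating why; a lower bound such as `>=sec-policy/selinux-base-policy-2.20190609` makes the new requirement explicit. The rendered page does not show which of `RDEPEND=` and `DEPEND=` is the new side; if the new line is `DEPEND=` only, keep in mind the module is loaded into the base policy at runtime, so the runtime dependency should remain unless selinux-policy-2.eclass already declares it (not visible here). The `EAPI` line and everything before `IUSE` lie outside this hunk.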