author | Kenton Groombridge <me@concord.sh> | 2022-09-24 00:09:19 -0400 |
---|---|---|
committer | Kenton Groombridge <concord@gentoo.org> | 2022-11-02 10:07:09 -0400 |
commit | b806992f1bc6fa8187730296a708320ee0e18266 (patch) | |
tree | b5880fca6d36bccbaf7a5245b84dba6a5aa62703 | |
parent | xdg: add interface to dontaudit searching xdg data dirs (diff) | |
opensm: initial policy
Signed-off-by: Kenton Groombridge <me@concord.sh>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
-rw-r--r-- | policy/modules/services/opensm.fc | 10 | ||||
-rw-r--r-- | policy/modules/services/opensm.if | 86 | ||||
-rw-r--r-- | policy/modules/services/opensm.te | 45 |
3 files changed, 141 insertions, 0 deletions
diff --git a/policy/modules/services/opensm.fc b/policy/modules/services/opensm.fc
new file mode 100644
index 00000000..6d9566bb
--- /dev/null
+++ b/policy/modules/services/opensm.fc
@@ -0,0 +1,10 @@
+/usr/bin/opensm -- gen_context(system_u:object_r:opensm_exec_t,s0)
+
+/usr/sbin/opensm -- gen_context(system_u:object_r:opensm_exec_t,s0)
+
+/etc/opensm(/.*)? gen_context(system_u:object_r:opensm_conf_t,s0)
+
+/var/cache/opensm(/.*)? gen_context(system_u:object_r:opensm_cache_t,s0)
+
+/var/log/opensm\.log -- gen_context(system_u:object_r:opensm_log_t,s0)
+/var/log/opensm-subnet\.lst -- gen_context(system_u:object_r:opensm_log_t,s0)
diff --git a/policy/modules/services/opensm.if b/policy/modules/services/opensm.if
new file mode 100644
index 00000000..47664ce1
--- /dev/null
+++ b/policy/modules/services/opensm.if
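Review bot: The two /var/log entries in opensm.fc match only the exact names `opensm.log` and `opensm-subnet.lst`, so a rotated or renamed copy under /var/log would fall back to the generic `var_log_t` label on the next relabel. That is inconsistent with `logging_log_filetrans(opensm_t, opensm_log_t, file)` in opensm.te, which labels every file the daemon creates there as `opensm_log_t` regardless of name. If log rotation is expected for this service, a broader entry such as `/var/log/opensm.* -- gen_context(system_u:object_r:opensm_log_t,s0)` keeps the on-disk labels and the type transition in agreement.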
@@ -0,0 +1,86 @@
+## <summary>OpenSM is a software implementation of an InfiniBand subnet manager.</summary>
+
+########################################
+## <summary>
+## Execute opensm in the opensm domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`opensm_domtrans',`
+ gen_require(`
+ type opensm_t, opensm_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, opensm_exec_t, opensm_t)
+')
+
+########################################
+## <summary>
+## Execute opensm in the opensm domain, and
+## allow the specified role the opensm domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`opensm_run',`
+ gen_require(`
+ type opensm_t;
+ ')
+
+ opensm_domtrans($1)
+ role $2 types opensm_t;
+')
+
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an opensm environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`opensm_admin',`
+ gen_require(`
+ type opensm_t;
+ type opensm_conf_t, opensm_cache_t;
+ type opensm_log_t;
+ ')
+
+ opensm_run($1, $2)
+
+ allow $1 opensm_t:process { ptrace signal_perms };
+ ps_process_pattern($1, opensm_t)
+
+ files_search_etc($1)
+ admin_pattern($1, opensm_conf_t)
+
+ files_search_var($1)
+ admin_pattern($1, opensm_cache_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, opensm_log_t)
+')
diff --git a/policy/modules/services/opensm.te b/policy/modules/services/opensm.te
new file mode 100644
index 00000000..1d5c2f57
--- /dev/null
+++ b/policy/modules/services/opensm.te
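Review bot: `opensm_admin` grants `ptrace` over the daemon in `allow $1 opensm_t:process { ptrace signal_perms };`, and its summary does not say so. With ptrace the calling domain can read and alter the process's memory, so it can in effect act with whatever opensm_t is allowed, including the `dev_rw_infiniband` access granted in opensm.te. This matches the usual admin-interface shape, but if administration only needs to signal and list the process, `allow $1 opensm_t:process signal_perms;` plus the existing `ps_process_pattern($1, opensm_t)` would be the narrower grant. Otherwise the summary should state that callers gain ptrace, and also the domain transition and role that come from `opensm_run($1, $2)`.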
@@ -0,0 +1,45 @@
+policy_module(opensm)
+
+########################################
+#
+# Declarations
+#
+
+type opensm_t;
+type opensm_exec_t;
+init_daemon_domain(opensm_t, opensm_exec_t)
+
+type opensm_conf_t;
+files_config_file(opensm_conf_t)
+
+type opensm_cache_t;
+files_type(opensm_cache_t)
+
+type opensm_log_t;
+logging_log_file(opensm_log_t)
+
+########################################
+#
+# opensm local policy
+#
+
+allow opensm_t self:process { getsched signal };
+allow opensm_t self:unix_dgram_socket create_socket_perms;
+
+read_files_pattern(opensm_t, opensm_conf_t, opensm_conf_t)
+
+manage_dirs_pattern(opensm_t, opensm_cache_t, opensm_cache_t)
+manage_files_pattern(opensm_t, opensm_cache_t, opensm_cache_t)
+files_var_filetrans(opensm_t, opensm_cache_t, dir)
+
+create_files_pattern(opensm_t, opensm_log_t, opensm_log_t)
+append_files_pattern(opensm_t, opensm_log_t, opensm_log_t)
+rw_files_pattern(opensm_t, opensm_log_t, opensm_log_t)
+logging_log_filetrans(opensm_t, opensm_log_t, file)
+
+dev_read_sysfs(opensm_t)
+dev_rw_infiniband(opensm_t)
+
+logging_send_syslog_msg(opensm_t)
+
+miscfiles_read_localization(opensm_t) |
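Review bot: The log rules in the local policy grant `rw_files_pattern(opensm_t, opensm_log_t, opensm_log_t)` next to `append_files_pattern`, so the append rule is redundant and the daemon can overwrite existing log content rather than only add to it. If opensm.log is only ever appended to, dropping the rw rule keeps earlier entries intact should the daemon be compromised. If the write access exists because `opensm-subnet.lst` is rewritten in place (not visible from this commit), giving that file its own type would let opensm.log stay append-only. Either way, a one-line comment above the rule, for example `# write needed: subnet list is rewritten, not appended`, would record why plain write is granted on a log type.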