apparmor/apparmor-profiles-dhclient

120 lines
3.7 KiB
Plaintext

From: Jeff Mahoney <jeffm@suse.com>
Subject: profiles: update dhclient
References: bnc#561152
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
---
profiles/apparmor/profiles/extras/sbin.dhclient | 60 +++++++++++------
profiles/apparmor/profiles/extras/sbin.dhclient-script | 21 +++++
2 files changed, 60 insertions(+), 21 deletions(-)
--- a/profiles/apparmor/profiles/extras/sbin.dhclient
+++ b/profiles/apparmor/profiles/extras/sbin.dhclient
@@ -12,12 +12,12 @@
# raw sockets, and thus cannot be confined with NetDomain
#
# Should these programs have their own domains?
-# /bin/ps mixr,
-# /sbin/arp rmix,
-# /usr/bin/dig rmix,
-# /usr/bin/uptime rmix,
-# /usr/bin/vmstat rmix,
-# /usr/bin/w rmix,
+# /bin/ps mrix,
+# /sbin/arp mrix,
+# /usr/bin/dig mrix,
+# /usr/bin/uptime mrix,
+# /usr/bin/vmstat mrix,
+# /usr/bin/w mrix,
#include <tunables/global>
@@ -25,25 +25,29 @@
#include <abstractions/base>
#include <abstractions/bash>
#include <abstractions/nameservice>
- /sbin/dhclient rmix,
- /sbin/dhclient-script rmix,
- /bin/bash rmix,
- /bin/df rmix,
+
+ network packet packet,
+
+ /sbin/dhclient mrix,
+
+ /sbin/dhclient-script mrix,
+ /bin/bash mrix,
+ /bin/df mrix,
/bin/netstat Px,
- /bin/ps mixr,
+ /bin/ps mrix,
/dev/random r,
/etc/dhclient.conf r,
- @{PROC}/ r,
- @{PROC}/interrupts r,
- @{PROC}/net/dev r,
- @{PROC}/rtc r,
+ @{PROC}/ r,
+ @{PROC}/interrupts r,
+ @{PROC}/*/net/dev r,
+ @{PROC}/rtc r,
# following rule shouldn't work, self is a symlink
- @{PROC}/self/status r,
- /sbin/arp rmix,
- /usr/bin/dig rmix,
- /usr/bin/uptime rmix,
- /usr/bin/vmstat rmix,
- /usr/bin/w rmix,
+ @{PROC}/self/status r,
+ /sbin/arp mrix,
+ /usr/bin/dig mrix,
+ /usr/bin/uptime mrix,
+ /usr/bin/vmstat mrix,
+ /usr/bin/w mrix,
/var/lib/dhcp/dhclient.leases rw,
/var/lib/dhcp/dhclient-*.leases rw,
/var/log/lastlog r,
@@ -53,4 +57,18 @@
/var/run/dhclient-*.pid rw,
/var/spool r,
/var/spool/mail r,
+
+ # This one will need to be fleshed out depending on what the user is doing
+ /sbin/dhclient-script mrpx,
+
+ /bin/grep mrix,
+ /bin/sleep mrix,
+ /etc/sysconfig/network/dhcp r,
+ /etc/sysconfig/network/scripts/functions.common r,
+ /etc/sysconfig/network/scripts/functions r,
+ /sbin/ip mrix,
+ /usr/lib/NetworkManager/nm-dhcp-client.action mrix,
+ /var/lib/dhcp/* rw,
+ /var/run/nm-dhclient-*.conf r,
+
}
--- /dev/null
+++ b/profiles/apparmor/profiles/extras/sbin.dhclient-script
@@ -0,0 +1,21 @@
+# Last Modified: Tue Jan 25 16:48:30 2011
+#include <tunables/global>
+
+# dhclient-script will call plugins from /etc/netconfig.d, so this
+# will need to be extended on a per-site basis.
+
+/sbin/dhclient-script {
+ #include <abstractions/base>
+ #include <abstractions/bash>
+ #include <abstractions/consoles>
+
+ /bin/bash rix,
+ /bin/grep rix,
+ /bin/sleep rix,
+ /bin/touch rix,
+ /dev/.sysconfig/network/** r,
+ /etc/netconfig.d/* mrix,
+ /etc/sysconfig/network/** r,
+ /sbin/dhclient-script r,
+ /sbin/ip rix,
+}