* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
@ 2012-05-13 8:51 Sven Vermeulen
From: Sven Vermeulen @ 2012-05-13 8:51 UTC (permalink / raw
To: gentoo-commits
commit: 582dae26c0770574e2ce819e1d193a19b89200e1
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun May 13 08:33:00 2012 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sun May 13 08:33:00 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=582dae26
Introducing support for named file transitions
---
policy/modules/kernel/devices.if | 42 ++++++++++++--
policy/modules/kernel/devices.te | 2 +-
policy/modules/kernel/files.if | 98 +++++++++++++++++++++++++++++-----
policy/modules/kernel/filesystem.if | 14 ++++-
policy/modules/kernel/filesystem.te | 2 +-
policy/modules/system/init.if | 9 +++-
policy/modules/system/logging.if | 7 ++-
policy/modules/system/selinuxutil.if | 2 +-
policy/modules/system/sysnetwork.if | 14 ++++-
policy/modules/system/userdomain.if | 42 ++++++++++++--
10 files changed, 196 insertions(+), 36 deletions(-)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index b657ae9..5f341b0 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -932,13 +932,18 @@ interface(`dev_manage_generic_chr_files',`
## the transition will occur.
## </summary>
## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
#
interface(`dev_filetrans',`
gen_require(`
type device_t;
')
- filetrans_pattern($1, device_t, $2, $3)
+ filetrans_pattern($1, device_t, $2, $3, $4)
dev_associate($2)
files_associate_tmp($2)
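Review bot: The new `name` parameter is documented only as "The name of the object being created", yet it is optional, so the doc should say what each form means: when it is omitted the transition stays unnamed and applies to every object of the given class created in the directory, and when it is given only an object with exactly that filename transitions, e.g. `## The name of the object being created. When omitted, the transition applies to any object of the given class.` The same wording applies to every other filetrans interface touched in this commit (the remaining hunks in devices.if and those in files.if, filesystem.if, init.if, logging.if, sysnetwork.if and userdomain.if). All of them also rely on `filetrans_pattern` accepting a fifth argument, which is not part of this diff, so the support-macro change presumably landed separately and should be referenced in the commit message. The closing `')` of `dev_filetrans` lies outside the hunk.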
@@ -962,13 +967,18 @@ interface(`dev_filetrans',`
## the transition will occur.
## </summary>
## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
#
interface(`dev_tmpfs_filetrans_dev',`
gen_require(`
type device_t;
')
- fs_tmpfs_filetrans($1, device_t, $2)
+ fs_tmpfs_filetrans($1, device_t, $2, $3)
')
########################################
@@ -1637,13 +1647,18 @@ interface(`dev_manage_cardmgr_dev',`
## Domain allowed access.
## </summary>
## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
#
interface(`dev_filetrans_cardmgr',`
gen_require(`
type device_t, cardmgr_dev_t;
')
- filetrans_pattern($1, device_t, cardmgr_dev_t, { chr_file blk_file })
+ filetrans_pattern($1, device_t, cardmgr_dev_t, { chr_file blk_file }, $2)
')
########################################
@@ -1893,13 +1908,18 @@ interface(`dev_manage_dri_dev',`
## Domain allowed access.
## </summary>
## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
#
interface(`dev_filetrans_dri',`
gen_require(`
type device_t, dri_device_t;
')
- filetrans_pattern($1, device_t, dri_device_t, chr_file)
+ filetrans_pattern($1, device_t, dri_device_t, chr_file, $2)
')
########################################
@@ -2347,13 +2367,18 @@ interface(`dev_rw_lirc',`
## Domain allowed access.
## </summary>
## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
#
interface(`dev_filetrans_lirc',`
gen_require(`
type device_t, lirc_device_t;
')
- filetrans_pattern($1, device_t, lirc_device_t, chr_file)
+ filetrans_pattern($1, device_t, lirc_device_t, chr_file, $2)
')
########################################
@@ -4666,13 +4691,18 @@ interface(`dev_manage_xen',`
## Domain allowed access.
## </summary>
## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
#
interface(`dev_filetrans_xen',`
gen_require(`
type device_t, xen_device_t;
')
- filetrans_pattern($1, device_t, xen_device_t, chr_file)
+ filetrans_pattern($1, device_t, xen_device_t, chr_file, $2)
')
########################################
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 82be088..74894d7 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -1,4 +1,4 @@
-policy_module(devices, 1.13.0)
+policy_module(devices, 1.13.1)
########################################
#
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 2b6dd51..1405dc6 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1747,13 +1747,18 @@ interface(`files_dontaudit_rw_root_dir',`
## The object class of the object being created.
## </summary>
## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
#
interface(`files_root_filetrans',`
gen_require(`
type root_t;
')
- filetrans_pattern($1, root_t, $2, $3)
+ filetrans_pattern($1, root_t, $2, $3, $4)
')
########################################
@@ -2033,13 +2038,18 @@ interface(`files_manage_boot_dirs',`
## The object class of the object being created.
## </summary>
## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
#
interface(`files_boot_filetrans',`
gen_require(`
type boot_t;
')
- filetrans_pattern($1, boot_t, $2, $3)
+ filetrans_pattern($1, boot_t, $2, $3, $4)
')
########################################
@@ -2809,13 +2819,18 @@ interface(`files_manage_etc_symlinks',`
## Object classes to be created.
## </summary>
## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
#
interface(`files_etc_filetrans',`
gen_require(`
type etc_t;
')
- filetrans_pattern($1, etc_t, $2, $3)
+ filetrans_pattern($1, etc_t, $2, $3, $4)
')
########################################
@@ -2833,6 +2848,11 @@ interface(`files_etc_filetrans',`
## Domain allowed access.
## </summary>
## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
## <rolecap/>
#
interface(`files_create_boot_flag',`
@@ -2841,7 +2861,7 @@ interface(`files_create_boot_flag',`
')
allow $1 etc_runtime_t:file manage_file_perms;
- filetrans_pattern($1, root_t, etc_runtime_t, file)
+ filetrans_pattern($1, root_t, etc_runtime_t, file, $2)
')
########################################
@@ -3024,13 +3044,18 @@ interface(`files_manage_etc_runtime_lnk_files',`
## The class of the object being created.
## </summary>
## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
#
interface(`files_etc_filetrans_etc_runtime',`
gen_require(`
type etc_t, etc_runtime_t;
')
- filetrans_pattern($1, etc_t, etc_runtime_t, $2)
+ filetrans_pattern($1, etc_t, etc_runtime_t, $2, $3)
')
########################################
@@ -3569,13 +3594,18 @@ interface(`files_relabelto_home',`
## The class of the object being created.
## </summary>
## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
#
interface(`files_home_filetrans',`
gen_require(`
type home_root_t;
')
- filetrans_pattern($1, home_root_t, $2, $3)
+ filetrans_pattern($1, home_root_t, $2, $3, $4)
')
########################################
@@ -4009,13 +4039,18 @@ interface(`files_relabel_kernel_modules',`
## The object class of the object being created.
## </summary>
## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
#
interface(`files_kernel_modules_filetrans',`
gen_require(`
type modules_object_t;
')
- filetrans_pattern($1, modules_object_t, $2, $3)
+ filetrans_pattern($1, modules_object_t, $2, $3, $4)
')
########################################
@@ -4523,13 +4558,18 @@ interface(`files_read_all_tmp_files',`
## The object class of the object being created.
## </summary>
## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
#
interface(`files_tmp_filetrans',`
gen_require(`
type tmp_t;
')
- filetrans_pattern($1, tmp_t, $2, $3)
+ filetrans_pattern($1, tmp_t, $2, $3, $4)
')
########################################
@@ -4886,13 +4926,18 @@ interface(`files_read_usr_symlinks',`
## The object class.
## </summary>
## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
#
interface(`files_usr_filetrans',`
gen_require(`
type usr_t;
')
- filetrans_pattern($1, usr_t, $2, $3)
+ filetrans_pattern($1, usr_t, $2, $3, $4)
')
########################################
@@ -5289,13 +5334,18 @@ interface(`files_manage_var_symlinks',`
## The object class.
## </summary>
## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
#
interface(`files_var_filetrans',`
gen_require(`
type var_t;
')
- filetrans_pattern($1, var_t, $2, $3)
+ filetrans_pattern($1, var_t, $2, $3, $4)
')
########################################
@@ -5423,6 +5473,11 @@ interface(`files_rw_var_lib_dirs',`
## The object class.
## </summary>
## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
#
interface(`files_var_lib_filetrans',`
gen_require(`
@@ -5430,7 +5485,7 @@ interface(`files_var_lib_filetrans',`
')
allow $1 var_t:dir search_dir_perms;
- filetrans_pattern($1, var_lib_t, $2, $3)
+ filetrans_pattern($1, var_lib_t, $2, $3, $4)
')
########################################
@@ -5763,6 +5818,11 @@ interface(`files_manage_all_locks',`
## The object class of the object being created.
## </summary>
## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
#
interface(`files_lock_filetrans',`
gen_require(`
@@ -5771,7 +5831,7 @@ interface(`files_lock_filetrans',`
allow $1 var_t:dir search_dir_perms;
allow $1 var_lock_t:lnk_file read_lnk_file_perms;
- filetrans_pattern($1, var_lock_t, $2, $3)
+ filetrans_pattern($1, var_lock_t, $2, $3, $4)
')
########################################
@@ -5957,6 +6017,11 @@ interface(`files_write_generic_pid_pipes',`
## The object class of the object being created.
## </summary>
## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
## <infoflow type="write" weight="10"/>
#
interface(`files_pid_filetrans',`
@@ -5966,7 +6031,7 @@ interface(`files_pid_filetrans',`
allow $1 var_t:dir search_dir_perms;
allow $1 var_run_t:lnk_file read_lnk_file_perms;
- filetrans_pattern($1, var_run_t, $2, $3)
+ filetrans_pattern($1, var_run_t, $2, $3, $4)
')
########################################
@@ -6294,6 +6359,11 @@ interface(`files_manage_generic_spool',`
## the transition will occur.
## </summary>
## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
#
interface(`files_spool_filetrans',`
gen_require(`
@@ -6301,7 +6371,7 @@ interface(`files_spool_filetrans',`
')
allow $1 var_t:dir search_dir_perms;
- filetrans_pattern($1, var_spool_t, $2, $3)
+ filetrans_pattern($1, var_spool_t, $2, $3, $4)
')
########################################
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 97fcdac..7c6b791 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -2188,6 +2188,11 @@ interface(`fs_dontaudit_list_inotifyfs',`
## The object class of the object being created.
## </summary>
## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
#
interface(`fs_hugetlbfs_filetrans',`
gen_require(`
@@ -2195,7 +2200,7 @@ interface(`fs_hugetlbfs_filetrans',`
')
allow $2 hugetlbfs_t:filesystem associate;
- filetrans_pattern($1, hugetlbfs_t, $2, $3)
+ filetrans_pattern($1, hugetlbfs_t, $2, $3, $4)
')
########################################
@@ -4014,6 +4019,11 @@ interface(`fs_dontaudit_write_tmpfs_dirs',`
## The object class of the object being created.
## </summary>
## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
#
interface(`fs_tmpfs_filetrans',`
gen_require(`
@@ -4021,7 +4031,7 @@ interface(`fs_tmpfs_filetrans',`
')
allow $2 tmpfs_t:filesystem associate;
- filetrans_pattern($1, tmpfs_t, $2, $3)
+ filetrans_pattern($1, tmpfs_t, $2, $3, $4)
')
########################################
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index abd970d..f1ab8c6 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -1,4 +1,4 @@
-policy_module(filesystem, 1.15.0)
+policy_module(filesystem, 1.15.1)
########################################
#
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 01bad37..684ff3a 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1579,6 +1579,11 @@ interface(`init_rw_script_tmp_files',`
## The object class.
## </summary>
## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
#
interface(`init_script_tmp_filetrans',`
gen_require(`
@@ -1586,7 +1591,7 @@ interface(`init_script_tmp_filetrans',`
')
files_search_tmp($1)
- filetrans_pattern($1, initrc_tmp_t, $2, $3)
+ filetrans_pattern($1, initrc_tmp_t, $2, $3, $4)
')
########################################
@@ -1754,7 +1759,7 @@ interface(`init_pid_filetrans_utmp',`
type initrc_var_run_t;
')
- files_pid_filetrans($1, initrc_var_run_t, file)
+ files_pid_filetrans($1, initrc_var_run_t, file, "utmp")
')
########################################
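Review bot: Passing the literal `"utmp"` turns `init_pid_filetrans_utmp` into a named transition, so a file the caller creates in `var_run_t` under any other name is no longer labelled `initrc_var_run_t`; that narrowing is not mentioned in the interface summary, which lies outside the hunk, and I would add `## Only a file named "utmp" receives the transition.` to it. The same applies to the `"modules"` argument added to `seutil_manage_module_store` in the selinuxutil.if hunk, where a directory created under `selinux_config_t` with another name keeps the parent's type even though `manage_dirs_pattern` still allows creating it. Whether any caller depends on the previous unnamed transition is not visible on this page.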
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 51dface..ee215c1 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -480,6 +480,11 @@ interface(`logging_domtrans_syslog',`
## The object class of the object being created.
## </summary>
## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
## <infoflow type="write" weight="10"/>
#
interface(`logging_log_filetrans',`
@@ -488,7 +493,7 @@ interface(`logging_log_filetrans',`
')
files_search_var($1)
- filetrans_pattern($1, var_log_t, $2, $3)
+ filetrans_pattern($1, var_log_t, $2, $3, $4)
')
########################################
diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
index 5885571..3822072 100644
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
@@ -1043,7 +1043,7 @@ interface(`seutil_manage_module_store',`
files_search_etc($1)
manage_dirs_pattern($1, selinux_config_t, semanage_store_t)
manage_files_pattern($1, semanage_store_t, semanage_store_t)
- filetrans_pattern($1, selinux_config_t, semanage_store_t, dir)
+ filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "modules")
')
#######################################
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
index c7f6a4a..dd44150 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -403,13 +403,18 @@ interface(`sysnet_create_config',`
## Domain allowed access.
## </summary>
## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
#
interface(`sysnet_etc_filetrans_config',`
gen_require(`
type net_conf_t;
')
- files_etc_filetrans($1, net_conf_t, file)
+ files_etc_filetrans($1, net_conf_t, file, $2)
')
#######################################
@@ -624,6 +629,11 @@ interface(`sysnet_search_dhcp_state',`
## The object class.
## </summary>
## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
#
interface(`sysnet_dhcp_state_filetrans',`
gen_require(`
@@ -631,7 +641,7 @@ interface(`sysnet_dhcp_state_filetrans',`
')
files_search_var_lib($1)
- filetrans_pattern($1, dhcp_state_t, $2, $3)
+ filetrans_pattern($1, dhcp_state_t, $2, $3, $4)
')
########################################
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 34a89ea..b8f49d3 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1607,13 +1607,18 @@ interface(`userdom_relabelto_user_home_dirs',`
## Domain allowed access.
## </summary>
## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
#
interface(`userdom_home_filetrans_user_home_dir',`
gen_require(`
type user_home_dir_t;
')
- files_home_filetrans($1, user_home_dir_t, dir)
+ files_home_filetrans($1, user_home_dir_t, dir, $2)
')
########################################
@@ -2084,13 +2089,18 @@ interface(`userdom_manage_user_home_content_sockets',`
## The class of the object to be created.
## </summary>
## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
#
interface(`userdom_user_home_dir_filetrans',`
gen_require(`
type user_home_dir_t;
')
- filetrans_pattern($1, user_home_dir_t, $2, $3)
+ filetrans_pattern($1, user_home_dir_t, $2, $3, $4)
files_search_home($1)
')
@@ -2115,13 +2125,18 @@ interface(`userdom_user_home_dir_filetrans',`
## The class of the object to be created.
## </summary>
## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
#
interface(`userdom_user_home_content_filetrans',`
gen_require(`
type user_home_dir_t, user_home_t;
')
- filetrans_pattern($1, user_home_t, $2, $3)
+ filetrans_pattern($1, user_home_t, $2, $3, $4)
allow $1 user_home_dir_t:dir search_dir_perms;
files_search_home($1)
')
@@ -2142,13 +2157,18 @@ interface(`userdom_user_home_content_filetrans',`
## The class of the object to be created.
## </summary>
## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
#
interface(`userdom_user_home_dir_filetrans_user_home_content',`
gen_require(`
type user_home_dir_t, user_home_t;
')
- filetrans_pattern($1, user_home_dir_t, user_home_t, $2)
+ filetrans_pattern($1, user_home_dir_t, user_home_t, $2, $3)
files_search_home($1)
')
@@ -2466,13 +2486,18 @@ interface(`userdom_manage_user_tmp_sockets',`
## The class of the object to be created.
## </summary>
## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
#
interface(`userdom_user_tmp_filetrans',`
gen_require(`
type user_tmp_t;
')
- filetrans_pattern($1, user_tmp_t, $2, $3)
+ filetrans_pattern($1, user_tmp_t, $2, $3, $4)
files_search_tmp($1)
')
@@ -2492,13 +2517,18 @@ interface(`userdom_user_tmp_filetrans',`
## The class of the object to be created.
## </summary>
## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
#
interface(`userdom_tmp_filetrans_user_tmp',`
gen_require(`
type user_tmp_t;
')
- files_tmp_filetrans($1, user_tmp_t, $2)
+ files_tmp_filetrans($1, user_tmp_t, $2, $3)
')
########################################
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
@ 2012-05-28 6:44 Sven Vermeulen
From: Sven Vermeulen @ 2012-05-28 6:44 UTC (permalink / raw
To: gentoo-commits
commit: d0b7ac0dd1f6dd606f3f988c2e875bc56ccceba9
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Mon May 28 06:43:46 2012 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon May 28 06:43:46 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=d0b7ac0d
Allow initrc_t to create /run/* directories
See bug #417857
---
policy/modules/kernel/files.if | 64 ++++++++++++++++++++++++++++++++++++++++
policy/modules/system/init.te | 4 ++
2 files changed, 68 insertions(+), 0 deletions(-)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 1405dc6..36dd117 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -5648,6 +5648,27 @@ interface(`files_rw_lock_dirs',`
########################################
## <summary>
+## Create lock directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_create_lock_dirs',`
+ gen_require(`
+ type var_t, var_lock_t;
+ ')
+
+ allow $1 var_t:dir search_dir_perms;
+ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+ create_dirs_pattern($1, var_lock_t, var_lock_t)
+')
+
+
+########################################
+## <summary>
## Relabel to and from all lock directory types.
## </summary>
## <param name="domain">
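Review bot: The two consecutive blank lines after the closing `')` of `files_create_lock_dirs` break the single-blank-line spacing used between interfaces in this file; drop one of them. The summary `## Create lock directories.` could also name the type being granted, e.g. `## Create generic lock directories (var_lock_t).`, in the style of the `files_*_generic_locks` summaries that follow it.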
@@ -5691,6 +5712,24 @@ interface(`files_getattr_generic_locks',`
########################################
## <summary>
+## Set the attributes of generic lock directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_setattr_generic_dirs',`
+ gen_require(`
+ type var_t, var_lock_t;
+ ')
+
+ setattr_dirs_pattern($1, var_t, var_lock_t)
+')
+
+########################################
+## <summary>
## Delete generic lock files.
## </summary>
## <param name="domain">
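Review bot: The interface name `files_setattr_generic_dirs` matches neither its summary, "Set the attributes of generic lock directories", nor its body, which sets attributes on `var_lock_t` directories; a name such as `files_setattr_lock_dirs` would be consistent with the `files_*_lock_*` interfaces around it. Unlike `files_create_lock_dirs` in the previous hunk it also grants no `var_lock_t:lnk_file read_lnk_file_perms`, so if `/var/lock` is a symlink, as that sibling interface assumes, the caller may be unable to reach the directory; consider adding `allow $1 var_lock_t:lnk_file read_lnk_file_perms;` next to `setattr_dirs_pattern`. The summary line is also missing its terminating full stop.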
@@ -5971,6 +6010,31 @@ interface(`files_write_generic_pid_pipes',`
allow $1 var_run_t:lnk_file read_lnk_file_perms;
allow $1 var_run_t:fifo_file write;
')
+########################################
+## <summary>
+## Write files in /var/run with the lock file type
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## Name of the directory that the file transition will work on
+## </summary>
+## </param>
+#
+interface(`files_pid_filetrans_generic_lock_dirs',`
+ gen_require(`
+ type var_t, var_run_t;
+ ')
+
+ allow $1 var_t:dir search_dir_perms;
+ allow $1 var_run_t:lnk_file read_lnk_file_perms;
+ files_pid_filetrans($1, var_lock_t, dir, $2)
+')
+
########################################
## <summary>
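Review bot: `files_pid_filetrans_generic_lock_dirs` uses `var_lock_t` but its `gen_require` lists only `var_t` and `var_run_t`, so the one type it actually transitions to is undeclared to callers in other modules. The two `allow` lines on `var_t` and `var_run_t` duplicate what `files_pid_filetrans` already grants (its body is visible in the first commit on this page), so the body can be reduced to `files_pid_filetrans($1, var_lock_t, dir, $2)` with `type var_lock_t;` as the only require. The summary says "Write files" although the transition is declared for the `dir` class; `## Create directories in /var/run with the generic lock directory type.` would be accurate.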
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 820c072..c8452f3 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -276,7 +276,11 @@ kernel_rw_all_sysctls(initrc_t)
# for lsof which is used by alsa shutdown:
kernel_dontaudit_getattr_message_if(initrc_t)
+files_create_lock_dirs(initrc_t)
+files_pid_filetrans(initrc_t, initrc_state_t, dir, "openrc")
+files_pid_filetrans_generic_lock_dirs(initrc_t, "lock")
files_read_kernel_symbol_table(initrc_t)
+files_setattr_generic_dirs(initrc_t)
files_dontaudit_write_usr_dirs(initrc_t)
corecmd_exec_all_executables(initrc_t)
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
@ 2012-05-28 7:22 Sven Vermeulen
From: Sven Vermeulen @ 2012-05-28 7:22 UTC (permalink / raw
To: gentoo-commits
commit: 068bfb7fb714073b079070396937889f7c86bacf
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Mon May 28 07:22:19 2012 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon May 28 07:22:19 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=068bfb7f
Create /run/udev immediately with udev_tbl_t
---
policy/modules/kernel/files.if | 2 +-
policy/modules/system/init.te | 1 +
policy/modules/system/udev.if | 25 +++++++++++++++++++++++++
3 files changed, 27 insertions(+), 1 deletions(-)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 36dd117..05329fd 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -6012,7 +6012,7 @@ interface(`files_write_generic_pid_pipes',`
')
########################################
## <summary>
-## Write files in /var/run with the lock file type
+## Write dirs in /var/run with the lock file type
## </summary>
## <param name="domain">
## <summary>
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index c8452f3..b0cb238 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -853,6 +853,7 @@ optional_policy(`
optional_policy(`
udev_dontaudit_getattr_netlink_kobject_uevent_sockets(initrc_t)
udev_dontaudit_getattr_unix_stream_sockets(initrc_t)
+ udev_pid_filetrans_tbl_dirs(initrc_t, "udev")
udev_rw_db(initrc_t)
udev_manage_pid_files(initrc_t)
udev_manage_rules_files(initrc_t)
diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
index 9e7f218..6330df1 100644
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@@ -272,6 +272,31 @@ interface(`udev_rw_db',`
########################################
## <summary>
+## Write dirs in /var/run with the udev_tbl file type
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## Name of the directory that the file transition will work on
+## </summary>
+## </param>
+#
+interface(`udev_pid_filetrans_tbl_dirs',`
+ gen_require(`
+ type udev_tbl_t;
+ ')
+
+ allow $1 var_t:dir search_dir_perms;
+ allow $1 var_run_t:lnk_file read_lnk_file_perms;
+ files_pid_filetrans($1, udev_tbl_t, dir, $2)
+')
+
+########################################
+## <summary>
## Create, read, write, and delete
## udev pid files.
## </summary>
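Review bot: `udev_pid_filetrans_tbl_dirs` references `var_t` and `var_run_t` directly although its `gen_require` lists only `udev_tbl_t`; those types belong to the files module and should not be touched from udev.if without a require, and preferably not at all. Both `allow` lines duplicate what `files_pid_filetrans` already grants (its body is visible in the first commit on this page), so the interface body can be just `files_pid_filetrans($1, udev_tbl_t, dir, $2)`. The summary "Write dirs in /var/run with the udev_tbl file type" should rather say that a directory created in `/var/run` with the given name is labelled `udev_tbl_t`.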
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
@ 2012-06-27 20:41 Sven Vermeulen
From: Sven Vermeulen @ 2012-06-27 20:41 UTC (permalink / raw
To: gentoo-commits
commit: 4d36f765b997d513e0ddd71a68cee22f6954036a
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Jun 27 20:40:23 2012 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Jun 27 20:40:23 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=4d36f765
Wrong naming
---
policy/modules/kernel/files.if | 2 +-
policy/modules/system/init.te | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 05329fd..fd16618 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -5720,7 +5720,7 @@ interface(`files_getattr_generic_locks',`
## </summary>
## </param>
#
-interface(`files_setattr_generic_dirs',`
+interface(`files_setattr_lock_dirs',`
gen_require(`
type var_t, var_lock_t;
')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 07c23d4..934faf6 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -280,7 +280,7 @@ files_create_lock_dirs(initrc_t)
files_pid_filetrans(initrc_t, initrc_state_t, dir, "openrc")
files_pid_filetrans_generic_lock_dirs(initrc_t, "lock")
files_read_kernel_symbol_table(initrc_t)
-files_setattr_generic_dirs(initrc_t)
+files_setattr_lock_dirs(initrc_t)
files_dontaudit_write_usr_dirs(initrc_t)
corecmd_exec_all_executables(initrc_t)
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
@ 2012-07-04 16:34 Sven Vermeulen
From: Sven Vermeulen @ 2012-07-04 16:34 UTC (permalink / raw
To: gentoo-commits
commit: 0018c365c968bb13a22d2bbd02a622d72984ef51
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Jul 4 16:33:03 2012 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Jul 4 16:33:03 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=0018c365
Small updates
---
policy/modules/kernel/files.if | 2 +-
policy/modules/system/init.te | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index fd16618..aa56096 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -6025,7 +6025,7 @@ interface(`files_write_generic_pid_pipes',`
## </summary>
## </param>
#
-interface(`files_pid_filetrans_generic_lock_dirs',`
+interface(`files_pid_filetrans_lock_dir',`
gen_require(`
type var_t, var_run_t;
')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 934faf6..f82ecf2 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -278,7 +278,7 @@ kernel_dontaudit_getattr_message_if(initrc_t)
files_create_lock_dirs(initrc_t)
files_pid_filetrans(initrc_t, initrc_state_t, dir, "openrc")
-files_pid_filetrans_generic_lock_dirs(initrc_t, "lock")
+files_pid_filetrans_lock_dir(initrc_t, "lock")
files_read_kernel_symbol_table(initrc_t)
files_setattr_lock_dirs(initrc_t)
files_dontaudit_write_usr_dirs(initrc_t)
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
@ 2012-07-10 17:22 Sven Vermeulen
From: Sven Vermeulen @ 2012-07-10 17:22 UTC (permalink / raw
To: gentoo-commits
commit: e316570abbb74fb6aba0d62157b9842d9a910fc7
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Jul 10 17:20:47 2012 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Tue Jul 10 17:20:47 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=e316570a
Adding auth_nss_domain patch
---
policy/modules/kernel/files.fc | 2 +
policy/modules/system/authlogin.if | 49 ++------------------------
policy/modules/system/authlogin.te | 68 ++++++++++++++++++++++++++++++++++++
3 files changed, 73 insertions(+), 46 deletions(-)
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
index 75ceae3..90a8226 100644
--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
@@ -54,6 +54,8 @@ ifdef(`distro_suse',`
/etc/killpower -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/localtime -l gen_context(system_u:object_r:etc_t,s0)
/etc/mtab -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/mtab~[0-9]* -- gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/mtab\.tmp -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/mtab\.fuselock -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/nohotplug -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/nologin.* -- gen_context(system_u:object_r:etc_runtime_t,s0)
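Review bot: The two new entries are inserted before `/etc/mtab\.fuselock`, which breaks the sorted order this block otherwise keeps (`mtab`, `mtab\.fuselock`, `mtab\.tmp`, `mtab~[0-9]*`); move them after the fuselock line. The commit message, "Adding auth_nss_domain patch", gives no reason for labelling mtab backup and temporary files, so a one-line comment or a sentence in the message saying which program creates them would help the next reader; I cannot tell from this page alone.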
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index 6ce867a..8989233 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -1717,54 +1717,11 @@ interface(`auth_relabel_login_records',`
## <infoflow type="both" weight="10"/>
#
interface(`auth_use_nsswitch',`
-
- files_list_var_lib($1)
-
- # read /etc/nsswitch.conf
- files_read_etc_files($1)
-
- miscfiles_read_generic_certs($1)
-
- sysnet_dns_name_resolve($1)
- sysnet_use_ldap($1)
-
- optional_policy(`
- avahi_stream_connect($1)
- ')
-
- optional_policy(`
- ldap_stream_connect($1)
- ')
-
- optional_policy(`
- likewise_stream_connect_lsassd($1)
- ')
-
- optional_policy(`
- kerberos_use($1)
- ')
-
- optional_policy(`
- nis_use_ypbind($1)
- ')
-
- optional_policy(`
- nscd_socket_use($1)
- ')
-
- optional_policy(`
- nslcd_stream_connect($1)
- ')
-
- optional_policy(`
- sssd_stream_connect($1)
+ gen_require(`
+ attribute nsswitch_domain;
')
- optional_policy(`
- samba_stream_connect_winbind($1)
- samba_read_var_files($1)
- samba_dontaudit_write_var_files($1)
- ')
+ typeattribute $1 nsswitch_domain;
')
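Review bot: After this change `auth_use_nsswitch` only does `typeattribute $1 nsswitch_domain;`, yet the interface's documentation block, which begins above the hunk, still reads as if the interface grants the name-service accesses directly, and it says nothing about the fact that the LDAP rules removed here (`sysnet_use_ldap`, `ldap_stream_connect`) are, in the authlogin.te part of this commit, placed behind the `authlogin_nsswitch_use_ldap` tunable. Callers that relied on the unconditional LDAP access will presumably lose it until the boolean is enabled, which deserves a sentence in the interface `<summary>` or `<desc>`. A short comment inside the interface would also help the next reader, e.g. `# rules for nsswitch_domain live in authlogin.te; LDAP use is gated by authlogin_nsswitch_use_ldap`.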
########################################
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 6a96393..312da5d 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -5,9 +5,18 @@ policy_module(authlogin, 2.3.0)
# Declarations
#
+## <desc>
+## <p>
+## Allow users to resolve user passwd entries directly from ldap rather
+## than using an sssd server
+## </p>
+## </desc>
+gen_tunable(authlogin_nsswitch_use_ldap, false)
+
attribute can_read_shadow_passwords;
attribute can_write_shadow_passwords;
attribute can_relabelto_shadow_passwords;
+attribute nsswitch_domain;
type auth_cache_t;
logging_log_file(auth_cache_t)
@@ -395,3 +404,62 @@ optional_policy(`
xserver_use_xdm_fds(utempter_t)
xserver_rw_xdm_pipes(utempter_t)
')
+
+#########################################
+#
+# nsswitch_domain local policy
+#
+
+files_list_var_lib(nsswitch_domain)
+
+# read /etc/nsswitch.conf
+files_read_etc_files(nsswitch_domain)
+
+sysnet_dns_name_resolve(nsswitch_domain)
+
+tunable_policy(`authlogin_nsswitch_use_ldap',`
+ files_list_var_lib(nsswitch_domain)
+
+ miscfiles_read_generic_certs(nsswitch_domain)
+ sysnet_use_ldap(nsswitch_domain)
+')
+
+optional_policy(`
+ tunable_policy(`authlogin_nsswitch_use_ldap',`
+ ldap_stream_connect(nsswitch_domain)
+ ')
+')
+
+optional_policy(`
+ avahi_stream_connect(nsswitch_domain)
+')
+
+optional_policy(`
+ likewise_stream_connect_lsassd(nsswitch_domain)
+')
+
+optional_policy(`
+ kerberos_use(nsswitch_domain)
+')
+
+optional_policy(`
+ nis_use_ypbind(nsswitch_domain)
+')
+
+optional_policy(`
+ nscd_socket_use(nsswitch_domain)
+')
+
+optional_policy(`
+ nslcd_stream_connect(nsswitch_domain)
+')
+
+optional_policy(`
+ sssd_stream_connect(nsswitch_domain)
+')
+
+optional_policy(`
+ samba_stream_connect_winbind(nsswitch_domain)
+ samba_read_var_files(nsswitch_domain)
+ samba_dontaudit_write_var_files(nsswitch_domain)
+')
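Review bot: `files_list_var_lib(nsswitch_domain)` inside the `tunable_policy` block duplicates the unconditional call a few lines above it, so the line in the tunable block can be dropped. The tunable's `<desc>` in the first hunk of this file says it lets users resolve passwd entries from LDAP, but what the boolean actually gates here is the generic LDAP connectivity (`sysnet_use_ldap`, `ldap_stream_connect`) and `miscfiles_read_generic_certs`, which previously were granted unconditionally by `auth_use_nsswitch`; the description should say so, since with the default `false` every nsswitch domain loses that access until an administrator flips the boolean.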
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
@ 2012-10-19 15:06 Sven Vermeulen
From: Sven Vermeulen @ 2012-10-19 15:06 UTC (permalink / raw
To: gentoo-commits
commit: d76226773c2eeb5168192f05b3d098cfc634000c
Author: Russell Coker <russell <AT> coker <DOT> com <DOT> au>
AuthorDate: Mon Oct 15 20:55:49 2012 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri Oct 19 15:03:43 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=d7622677
Label port 5546 as dhcpc_port_t and allow dhcpc_t to bind to TCP for client control
Client control is used by the wide dhcp6 client, which can be controlled
via dhcp6ctl. This works by communicating over port 5546.
---
policy/modules/kernel/corenetwork.te.in | 2 +-
policy/modules/system/sysnetwork.te | 1 +
2 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index 2221f56..bd2c16a 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -115,7 +115,7 @@ network_port(daap, tcp,3689,s0, udp,3689,s0)
network_port(dbskkd, tcp,1178,s0)
network_port(dcc, udp,6276,s0, udp,6277,s0)
network_port(dccm, tcp,5679,s0, udp,5679,s0)
-network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0)
+network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0, udp,5546,s0, tcp,5546,s0)
network_port(dhcpd, udp,67,s0, udp,547,s0, tcp, 547,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0)
network_port(dict, tcp,2628,s0)
network_port(distccd, tcp,3632,s0)
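Review bot: The new `dhcpc` line adds `udp,5546,s0` as well as `tcp,5546,s0`, but the commit description only justifies TCP 5546 for dhcp6ctl client control; the UDP entry should either be explained or left out, because every domain granted access to `dhcpc_port_t` inherits it. Note also that `corenet_tcp_bind_dhcpc_port(dhcpc_t)` in the sysnetwork.te hunk of this commit necessarily covers TCP 68 and 546 together with 5546, since they share the one port type; if only 5546 is meant to be bound, that should at least be recorded in a comment on that line, e.g. `# dhcp6ctl control channel (tcp 5546); 68/546 share the port type`.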
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index ad95921..9f776cf 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -105,6 +105,7 @@ corenet_tcp_sendrecv_all_ports(dhcpc_t)
corenet_udp_sendrecv_all_ports(dhcpc_t)
corenet_tcp_bind_all_nodes(dhcpc_t)
corenet_udp_bind_all_nodes(dhcpc_t)
+corenet_tcp_bind_dhcpc_port(dhcpc_t)
corenet_udp_bind_dhcpc_port(dhcpc_t)
corenet_tcp_connect_all_ports(dhcpc_t)
corenet_sendrecv_dhcpd_client_packets(dhcpc_t)
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
@ 2012-10-19 15:06 Sven Vermeulen
From: Sven Vermeulen @ 2012-10-19 15:06 UTC (permalink / raw
To: gentoo-commits
commit: be24804622c85fbd154bde461d37fea1ebb514c3
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Fri Oct 19 12:39:02 2012 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri Oct 19 15:03:44 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=be248046
Module version bump for dhcp6 ports, from Russell Coker.
---
policy/modules/kernel/corenetwork.te.in | 2 +-
policy/modules/system/sysnetwork.te | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index bd2c16a..8e0ae95 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -1,4 +1,4 @@
-policy_module(corenetwork, 1.18.3)
+policy_module(corenetwork, 1.18.4)
########################################
#
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 9f776cf..67c7d7c 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -1,4 +1,4 @@
-policy_module(sysnetwork, 1.14.2)
+policy_module(sysnetwork, 1.14.3)
########################################
#
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
@ 2012-10-31 18:04 Sven Vermeulen
From: Sven Vermeulen @ 2012-10-31 18:04 UTC (permalink / raw
To: gentoo-commits
commit: 1268ed29f8f9aeb34f2544c7a406b1b7a4a5fe16
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Wed Oct 31 15:49:56 2012 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Oct 31 18:02:13 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=1268ed29
Module version bump for Gentoo openrc fixes for /run from Sven Vermeulen.
---
policy/modules/kernel/files.te | 2 +-
policy/modules/system/init.te | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index 306bd64..148d87a 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -1,4 +1,4 @@
-policy_module(files, 1.17.4)
+policy_module(files, 1.17.5)
########################################
#
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index cb5b9dc..4306768 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 1.19.0)
+policy_module(init, 1.19.4)
gen_require(`
class passwd rootok;
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
@ 2012-12-07 17:13 Sven Vermeulen
From: Sven Vermeulen @ 2012-12-07 17:13 UTC (permalink / raw
To: gentoo-commits
commit: 2e16631015dfd8b665ddf661e490e30b52ef4d6b
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Dec 7 17:08:07 2012 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri Dec 7 17:08:07 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=2e166310
Dontaudit getsched on all domains
The htop utility will attempt to get the scheduling information of all
processes. This information, however, does not seem to be needed for its
output (no difference in output when allowed or not).
See also bug #444962
---
policy/modules/kernel/domain.if | 20 ++++++++++++++++++++
policy/modules/system/userdomain.if | 4 ++++
2 files changed, 24 insertions(+), 0 deletions(-)
diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
index 6a1e4d1..b900767 100644
--- a/policy/modules/kernel/domain.if
+++ b/policy/modules/kernel/domain.if
@@ -1531,3 +1531,23 @@ interface(`domain_unconfined',`
typeattribute $1 set_curr_context;
typeattribute $1 process_uncond_exempt;
')
+
+# Gentoo specific stuff, but I cannot use ifdef distro_gentoo in if files
+
+########################################
+## <summary>
+## Do not audit getting the scheduler information of all domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`domain_dontaudit_getsched_all_domains',`
+ gen_require(`
+ attribute domain;
+ ')
+
+ dontaudit $1 domain:process getsched;
+')
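Review bot: `dontaudit $1 domain:process getsched;` silences the audit trail for getsched against every domain on the system, not just for the htop case the commit message describes, so denials from other tools that a policy author would want to see while debugging disappear for any caller of this interface. The interface documentation gives no hint of that trade-off; a comment above the rule such as `# htop probes the scheduler state of every process and works without it (bug #444962); this hides those denials for all of `domain`` would record the motivation and scope. The same hunk is committed again verbatim in commit 15102621 below, where this note applies equally.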
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index d8d000b..d1bc7ed 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1061,6 +1061,10 @@ template(`userdom_unpriv_user_template', `
optional_policy(`
setroubleshoot_stream_connect($1_t)
')
+
+ ifdef(`distro_gentoo',`
+ domain_dontaudit_getsched_all_domains($1_t)
+ ')
')
#######################################
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
@ 2012-12-08 12:40 Sven Vermeulen
From: Sven Vermeulen @ 2012-12-08 12:40 UTC (permalink / raw
To: gentoo-commits
commit: 1510262111193a4904afce6d2ce4e46b9bb04f96
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Dec 7 17:08:07 2012 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri Dec 7 17:57:20 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=15102621
Dontaudit getsched on all domains
The htop utility will attempt to get the scheduling information of all
processes. This information, however, does not seem to be needed for its
output (no difference in output when allowed or not).
See also bug #444962
---
policy/modules/kernel/domain.if | 20 ++++++++++++++++++++
policy/modules/system/userdomain.if | 4 ++++
2 files changed, 24 insertions(+), 0 deletions(-)
diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
index 6a1e4d1..b900767 100644
--- a/policy/modules/kernel/domain.if
+++ b/policy/modules/kernel/domain.if
@@ -1531,3 +1531,23 @@ interface(`domain_unconfined',`
typeattribute $1 set_curr_context;
typeattribute $1 process_uncond_exempt;
')
+
+# Gentoo specific stuff, but I cannot use ifdef distro_gentoo in if files
+
+########################################
+## <summary>
+## Do not audit getting the scheduler information of all domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`domain_dontaudit_getsched_all_domains',`
+ gen_require(`
+ attribute domain;
+ ')
+
+ dontaudit $1 domain:process getsched;
+')
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index d8d000b..60e0fcc 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -733,6 +733,10 @@ template(`userdom_common_user_template',`
optional_policy(`
usernetctl_run($1_t, $1_r)
')
+
+ ifdef(`distro_gentoo',`
+ domain_dontaudit_getsched_all_domains($1_t)
+ ')
')
#######################################
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
@ 2013-02-04 19:17 Sven Vermeulen
From: Sven Vermeulen @ 2013-02-04 19:17 UTC (permalink / raw
To: gentoo-commits
commit: 1e8af536f8b9cc3bde00e67df960483edb0e167c
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Wed Jan 23 12:23:52 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Feb 4 19:16:34 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=1e8af536
Module version bump for Debian updates from Laurent Bigonville.
---
policy/modules/kernel/corecommands.te | 2 +-
policy/modules/kernel/files.te | 2 +-
policy/modules/kernel/filesystem.te | 2 +-
policy/modules/system/init.te | 2 +-
policy/modules/system/logging.te | 2 +-
policy/modules/system/mount.fc | 2 ++
policy/modules/system/mount.te | 19 +++++++++++++++----
policy/modules/system/udev.te | 2 +-
8 files changed, 23 insertions(+), 10 deletions(-)
diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te
index 43090a0..6877f2c 100644
--- a/policy/modules/kernel/corecommands.te
+++ b/policy/modules/kernel/corecommands.te
@@ -1,4 +1,4 @@
-policy_module(corecommands, 1.17.3)
+policy_module(corecommands, 1.17.4)
########################################
#
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index 4a59c76..5977857 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -1,4 +1,4 @@
-policy_module(files, 1.17.5)
+policy_module(files, 1.17.6)
########################################
#
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index 9e603f5..a1b7495 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -1,4 +1,4 @@
-policy_module(filesystem, 1.16.2)
+policy_module(filesystem, 1.16.3)
########################################
#
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index deab8f3..e6754cd 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 1.19.6)
+policy_module(init, 1.19.7)
gen_require(`
class passwd rootok;
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 99de723..08b70ae 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -1,4 +1,4 @@
-policy_module(logging, 1.19.6)
+policy_module(logging, 1.19.7)
########################################
#
diff --git a/policy/modules/system/mount.fc b/policy/modules/system/mount.fc
index 72c746e..a38605e 100644
--- a/policy/modules/system/mount.fc
+++ b/policy/modules/system/mount.fc
@@ -2,3 +2,5 @@
/bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
/usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0)
+
+/var/run/mount(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index 1c86924..8697900 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -1,4 +1,4 @@
-policy_module(mount, 1.15.0)
+policy_module(mount, 1.15.2)
########################################
#
@@ -59,7 +59,6 @@ files_pid_filetrans(mount_t, mount_var_run_t, dir, "mount")
kernel_read_system_state(mount_t)
kernel_read_kernel_sysctls(mount_t)
-kernel_setsched(mount_t)
kernel_dontaudit_getattr_core_if(mount_t)
kernel_dontaudit_write_debugfs_dirs(mount_t)
kernel_dontaudit_write_proc_dirs(mount_t)
@@ -89,7 +88,7 @@ files_etc_filetrans_etc_runtime(mount_t, file)
files_mounton_all_mountpoints(mount_t)
files_unmount_rootfs(mount_t)
# These rules need to be generalized. Only admin, initrc should have it:
-files_relabel_all_file_type_fs(mount_t)
+files_relabelto_all_file_type_fs(mount_t)
files_mount_all_file_type_fs(mount_t)
files_unmount_all_file_type_fs(mount_t)
# for when /etc/mtab loses its type
@@ -116,7 +115,6 @@ mls_file_read_all_levels(mount_t)
mls_file_write_all_levels(mount_t)
selinux_get_enforce_mode(mount_t)
-selinux_get_fs_mount(mount_t)
storage_raw_read_fixed_disk(mount_t)
storage_raw_write_fixed_disk(mount_t)
@@ -225,3 +223,16 @@ optional_policy(`
files_etc_filetrans_etc_runtime(unconfined_mount_t, file)
unconfined_domain(unconfined_mount_t)
')
+
+ifdef(`distro_gentoo',`
+ #########################################
+ #
+ # Mount local policy
+ #
+
+ kernel_setsched(mount_t)
+
+ files_relabel_all_file_type_fs(mount_t)
+
+ selinux_get_fs_mount(mount_t)
+')
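Review bot: The new `ifdef(`distro_gentoo',` block re-adds `files_relabel_all_file_type_fs(mount_t)` although the same commit narrows the generic rule to `files_relabelto_all_file_type_fs(mount_t)`, right under the comment saying only admin and initrc should have it; on Gentoo the relabelfrom permission is therefore kept and the upstream tightening is undone without any recorded reason. Each of the three re-added rules should carry a why-comment, e.g. `# openrc's mount handling still relabels from arbitrary file types; see the /run fixes` (with the actual reason substituted), so the extra access can be revisited later. The header `# Mount local policy` inside the block is also misleading for what is only a Gentoo-specific supplement; `# Gentoo-specific mount_t rules` would describe it.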
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index c1b1c98..00a47d9 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -1,4 +1,4 @@
-policy_module(udev, 1.15.4)
+policy_module(udev, 1.15.5)
########################################
#
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
@ 2013-08-23 8:09 Sven Vermeulen
From: Sven Vermeulen @ 2013-08-23 8:09 UTC (permalink / raw
To: gentoo-commits
commit: f73af58302e0a58ce615f51a71b9676bd26633cc
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Aug 23 08:06:20 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri Aug 23 08:06:20 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f73af583
Automatic filetrans to modules_object_t for /lib/modules
As per bug #428322, if /lib/modules does not exist, then "make modules_install"
will fail as it creates a directory (/lib/modules) with the wrong type (lib_t
instead of modules_object_t).
Add in a file transition when a directory named "modules" is created in a lib_t
location, transitioning to modules_object_t.
Had to add in the libs_lib_filetrans (from lib_t)
Had to add in the files_lib_filetrans_kernel_modules (to modules_object_t)
---
policy/modules/kernel/files.if | 30 ++++++++++++++++++++++++++++++
policy/modules/system/libraries.if | 36 ++++++++++++++++++++++++++++++++++++
policy/modules/system/modutils.te | 1 +
3 files changed, 67 insertions(+)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index a544f27..56c83f6 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -6661,3 +6661,33 @@ interface(`files_read_src_files',`
read_files_pattern($1, src_t, src_t)
')
+
+##########################################
+## <summary>
+## Create a resource in the generic lib location
+## with an automatic type transition towards the kernel modules
+## type
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="class">
+## <summary>
+## Class of the created resource for which a type transition should occur
+## </summary>
+## </param>
+## <param name="filename" optional="true">
+## <summary>
+## Optional name of the resource
+## </summary>
+## </param>
+#
+interface(`files_lib_filetrans_kernel_modules',`
+ gen_require(`
+ type modules_object_t;
+ ')
+
+ libs_lib_filetrans($1, modules_object_t, $2, $3)
+')
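Review bot: `files_lib_filetrans_kernel_modules` lives in the kernel-layer files module but its body calls `libs_lib_filetrans` from the system-layer libraries module, which by refpolicy's usual layering convention is the wrong direction (kernel-layer interfaces are not expected to depend on system-layer ones); placing this interface in libraries.if, or having modutils call `libs_lib_filetrans` with `modules_object_t` directly, would avoid the dependency. The third parameter is documented here as `filename` while the sibling interface added to libraries.if in this commit calls the same argument `filetrans`; picking one name (the existing filetrans interfaces in this tree use `name`, as the devices.if hunk earlier in this thread shows) keeps the generated documentation consistent.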
diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if
index 41a44f3..a83933f 100644
--- a/policy/modules/system/libraries.if
+++ b/policy/modules/system/libraries.if
@@ -567,3 +567,39 @@ interface(`libs_generic_etc_filetrans_ld_so_cache',`
files_etc_filetrans($1, ld_so_cache_t, $2, $3)
')
+
+##########################################
+## <summary>
+## Create an object in the generic lib location with a type transition
+## to the provided type
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="target">
+## <summary>
+## Target domain towards which a type transition should occur
+## </summary>
+## </param>
+## <param name="class">
+## <summary>
+## Class of the resource for which a type transition occurs.
+## </summary>
+## </param>
+## <param name="filetrans" optional="true">
+## <summary>
+## Name of the resource created for which a type transition should occur
+## </summary>
+## </param>
+#
+interface(`libs_lib_filetrans',`
+ gen_require(`
+ type lib_t;
+ ')
+
+ filetrans_pattern($1, lib_t, $2, $3, $4)
+
+ libs_search_lib($1)
+')
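Review bot: The `<param name="target">` summary says "Target domain towards which a type transition should occur", but `$2` is passed to `filetrans_pattern($1, lib_t, $2, $3, $4)` as the object type the created file receives, not a domain; `## Type to transition to.` states the contract correctly. Likewise `<param name="filetrans">` is the object name, so `## Name of the object being created.` under a parameter called `name` would match the rest of the tree's filetrans interfaces. The `filetrans` parameter is already marked `optional="true"`, which is right since `filetrans_pattern` takes the name as an optional fifth argument.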
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index b7d820c..4c0f286 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -338,4 +338,5 @@ ifdef(`distro_gentoo',`
files_read_src_files(insmod_t)
files_manage_kernel_modules(insmod_t)
+ files_lib_filetrans_kernel_modules(insmod_t, dir, "modules")
')
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
@ 2013-08-23 16:43 Sven Vermeulen
From: Sven Vermeulen @ 2013-08-23 16:43 UTC (permalink / raw
To: gentoo-commits
commit: f0fe1273f8d088455b31f399b3ec5b2de6824bba
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Aug 23 16:41:40 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri Aug 23 16:41:40 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f0fe1273
Supporting make tarbz2-pkg during kernel build - needs list privs in src_t
---
policy/modules/kernel/files.if | 18 ++++++++++++++++++
policy/modules/system/modutils.te | 1 +
2 files changed, 19 insertions(+)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 56c83f6..0a92678 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -6646,6 +6646,24 @@ interface(`files_unconfined',`
#########################################
## <summary>
+## List usr/src files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`files_list_src',`
+ gen_require(`
+ type src_t;
+ ')
+
+ list_dirs_pattern($1, src_t, src_t)
+')
+
+#########################################
+## <summary>
## Read usr/src files
## </summary>
## <param name="domain">
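Review bot: The summary of the new `files_list_src` says "List usr/src files", but the body is `list_dirs_pattern($1, src_t, src_t)`, which grants directory listing only and no access to the files themselves; `## List the contents of /usr/src directories.` describes what is actually allowed and matches the "Read usr/src files" wording of the neighbouring interface. Spelling the path with its leading slash, as the rest of the tree does, would also help.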
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index 4c0f286..27334e0 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -336,6 +336,7 @@ ifdef(`distro_gentoo',`
userdom_manage_user_tmp_files(insmod_t)
userdom_manage_user_tmp_dirs(insmod_t)
+ files_list_src(insmod_t)
files_read_src_files(insmod_t)
files_manage_kernel_modules(insmod_t)
files_lib_filetrans_kernel_modules(insmod_t, dir, "modules")
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
@ 2013-08-23 17:05 Sven Vermeulen
From: Sven Vermeulen @ 2013-08-23 17:05 UTC (permalink / raw
To: gentoo-commits
commit: 4333d0a16ec40b0bae474107adeec7aa3ff846c9
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Aug 23 17:03:59 2013 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri Aug 23 17:03:59 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=4333d0a1
Write files in /usr/src during make tarbz2-pkg
---
policy/modules/kernel/files.if | 19 +++++++++++++++++++
policy/modules/system/modutils.te | 2 +-
2 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 0a92678..fcc9f32 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -6680,6 +6680,25 @@ interface(`files_read_src_files',`
read_files_pattern($1, src_t, src_t)
')
+#########################################
+## <summary>
+## Manage /usr/src files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`files_manage_src_files',`
+ gen_require(`
+ type src_t;
+ ')
+
+ manage_files_pattern($1, src_t, src_t)
+')
+
+
##########################################
## <summary>
## Create a resource in the generic lib location
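Review bot: The new `files_manage_src_files` block is inserted directly after the closing `')` of `files_read_src_files` with no separating blank line, while two added blank lines follow it before the `files_lib_filetrans_kernel_modules` header; moving one of those blank lines above the new `#########` header gives the single-blank-line spacing used between the other interfaces. This is said with the caveat that the list archive appears to drop blank context lines, so the exact spacing should be checked in the tree. The summary `## Manage /usr/src files` is accurate for `manage_files_pattern`, which grants file but not directory management.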
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index 27334e0..1d85f94 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -337,7 +337,7 @@ ifdef(`distro_gentoo',`
userdom_manage_user_tmp_dirs(insmod_t)
files_list_src(insmod_t)
- files_read_src_files(insmod_t)
+ files_manage_src_files(insmod_t)
files_manage_kernel_modules(insmod_t)
files_lib_filetrans_kernel_modules(insmod_t, dir, "modules")
')
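Review bot: Replacing `files_read_src_files(insmod_t)` with `files_manage_src_files(insmod_t)` gives the module-loading domain create, write and delete access to every `src_t` file, not only the archive that `make tarbz2-pkg` produces, so a compromised insmod_t could alter the kernel sources used for the next build. At minimum the line deserves a why-comment so the grant can be revisited, e.g. `# make tarbz2-pkg writes the kernel package into /usr/src`; a dedicated type for the build output, transitioned to via a filetrans, would keep the write access narrower if that proves practical. The enclosing `ifdef(`distro_gentoo',` block begins outside the hunk.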
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
@ 2013-09-27 13:27 Sven Vermeulen
From: Sven Vermeulen @ 2013-09-27 13:27 UTC (permalink / raw
To: gentoo-commits
commit: 03be31d5199863e60292aa33e2f58e3699e092af
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Thu Sep 26 14:45:51 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Sep 27 13:23:25 2013 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=03be31d5
Module version bump for init interface and corecommand fc from Dominick Grift.
---
policy/modules/kernel/corecommands.te | 2 +-
policy/modules/system/init.te | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te
index 8796c81..20c76cf 100644
--- a/policy/modules/kernel/corecommands.te
+++ b/policy/modules/kernel/corecommands.te
@@ -1,4 +1,4 @@
-policy_module(corecommands, 1.18.0)
+policy_module(corecommands, 1.18.1)
########################################
#
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 0257c17..4c6fd28 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 1.20.0)
+policy_module(init, 1.20.1)
gen_require(`
class passwd rootok;
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
@ 2014-01-23 20:00 Sven Vermeulen
From: Sven Vermeulen @ 2014-01-23 20:00 UTC (permalink / raw
To: gentoo-commits
commit: 14d96d1fa40e6d7c911904703ee00bd653194ca0
Author: Matthew Thode <mthode <AT> mthode <DOT> org>
AuthorDate: Fri Dec 20 21:06:20 2013 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Jan 23 19:59:27 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=14d96d1f
Extending support for SELinux on ZFS
Signed-off-by: Matthew Thode <mthode <AT> mthode.org>
---
policy/modules/kernel/storage.fc | 5 +++++
policy/modules/system/fstools.fc | 6 ++++++
policy/modules/system/mount.fc | 4 ++++
3 files changed, 15 insertions(+)
diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc
index 54f1827..4315bd5 100644
--- a/policy/modules/kernel/storage.fc
+++ b/policy/modules/kernel/storage.fc
@@ -79,5 +79,10 @@ ifdef(`distro_redhat', `
/dev/usb/rio500 -c gen_context(system_u:object_r:removable_device_t,s0)
+/dev/zfs -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/dev/zpios -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/dev/zvol(/.*)? -l gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/dev/zd.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+
/lib/udev/devices/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/lib/udev/devices/fuse -c gen_context(system_u:object_r:fuse_device_t,s0)
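Review bot: `/dev/zd.*` differs from the block-device patterns beside it, which use `[^/]*` (for example `/dev/vd[^/]*` and `/dev/xvd[^/]*`, visible in the storage.fc hunk of commit 9b3e6862 below); `/dev/zd[^/]*` would be consistent and would not match entries in subdirectories. Labelling the `/dev/zfs` control node as `fixed_disk_device_t` means every domain with raw fixed-disk access also reaches the ZFS ioctl interface; that may well be the intended trade-off, but a comment on that line, e.g. `# ZFS control node; shares the fixed disk type so fsadm/mount domains can reach it`, would record the decision.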
diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
index e2e6b71..9b835cf 100644
--- a/policy/modules/system/fstools.fc
+++ b/policy/modules/system/fstools.fc
@@ -36,6 +36,12 @@
/sbin/swapoff -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/swapon.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/tune2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/zpios -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/ztest -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/zinject -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/zhack -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/zdb -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/zstreamdump -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/bin/partition_uuid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/bin/raw -- gen_context(system_u:object_r:fsadm_exec_t,s0)
diff --git a/policy/modules/system/mount.fc b/policy/modules/system/mount.fc
index 4619000..a5e1c6e 100644
--- a/policy/modules/system/mount.fc
+++ b/policy/modules/system/mount.fc
@@ -2,6 +2,10 @@
/bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
/bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
+/sbin/mount.zfs -- gen_context(system_u:object_r:mount_exec_t,s0)
+/sbin/zpool -- gen_context(system_u:object_r:mount_exec_t,s0)
+/sbin/zfs -- gen_context(system_u:object_r:mount_exec_t,s0)
+
/usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0)
/var/run/mount(/.*)? gen_context(system_u:object_r:mount_var_run_t,s0)
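Review bot: `/sbin/zpool` and `/sbin/zfs` administer pools and datasets (creation, properties, send/receive) well beyond mounting, yet labelling them `mount_exec_t` runs them in `mount_t`, while the other ZFS tools in this commit (`zdb`, `zinject`, `ztest`, …) are placed under `fsadm_exec_t` in fstools.fc. If `mount_t` was chosen because these commands mount datasets, a comment above the two entries saying so, e.g. `# zpool/zfs mount datasets themselves, so they run as mount_t`, would explain the split; otherwise `fsadm_exec_t` looks like the more consistent home for them.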
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
@ 2014-01-23 20:00 Sven Vermeulen
From: Sven Vermeulen @ 2014-01-23 20:00 UTC (permalink / raw
To: gentoo-commits
commit: 23d6bb124d1247814a307b1771bb4598040cad49
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Tue Jan 21 13:55:37 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Jan 23 19:59:35 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=23d6bb12
Module version bump for ZFS tools fc entries from Matthew Thode.
---
policy/modules/kernel/storage.te | 2 +-
policy/modules/system/fstools.te | 2 +-
policy/modules/system/mount.te | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/policy/modules/kernel/storage.te b/policy/modules/kernel/storage.te
index 156c333..c86d8da 100644
--- a/policy/modules/kernel/storage.te
+++ b/policy/modules/kernel/storage.te
@@ -1,4 +1,4 @@
-policy_module(storage, 1.11.0)
+policy_module(storage, 1.11.1)
########################################
#
diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index 65f634a..5aff100 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -1,4 +1,4 @@
-policy_module(fstools, 1.16.4)
+policy_module(fstools, 1.16.5)
########################################
#
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index 8ef3cbd..a5f8709 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -1,4 +1,4 @@
-policy_module(mount, 1.16.4)
+policy_module(mount, 1.16.5)
########################################
#
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
@ 2014-01-23 20:00 Sven Vermeulen
From: Sven Vermeulen @ 2014-01-23 20:00 UTC (permalink / raw
To: gentoo-commits
commit: 9b3e6862dcac5c12e96ab6780ea758f380558fb2
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Tue Jan 21 13:55:28 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Jan 23 19:59:32 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=9b3e6862
Rearrange ZFS fc entries.
---
policy/modules/kernel/storage.fc | 7 +++----
policy/modules/system/fstools.fc | 8 ++++----
policy/modules/system/mount.fc | 4 ++--
3 files changed, 9 insertions(+), 10 deletions(-)
diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc
index 4ba2184..4dd865b 100644
--- a/policy/modules/kernel/storage.fc
+++ b/policy/modules/kernel/storage.fc
@@ -56,6 +56,9 @@ ifdef(`distro_redhat', `
/dev/ubd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/vd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/xvd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/dev/zd.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/dev/zfs -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/dev/zpios -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/dev/ataraid/.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
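Review bot: The moved `/dev/zd.*` entry uses `.*`, while every neighbouring block-device entry in this hunk uses `[^/]*`; `.*` also matches across path separators, so anything under a `/dev/zd...` directory would pick up fixed_disk_device_t at mls_systemhigh. For consistency and a tighter match, `/dev/zd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)`. The commit only relocates these lines, so the pattern predates it; still, this is the place to correct it. Separately, labelling the `/dev/zfs` and `/dev/zpios` character devices as fixed_disk_device_t hands them to every domain with raw fixed-disk access, which may be broader than intended, though changing that is beyond a rearrangement commit.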
@@ -79,9 +82,5 @@ ifdef(`distro_redhat', `
/dev/usb/rio500 -c gen_context(system_u:object_r:removable_device_t,s0)
-/dev/zfs -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
-/dev/zpios -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
-/dev/zd.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
-
/lib/udev/devices/loop.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
/lib/udev/devices/fuse -c gen_context(system_u:object_r:fuse_device_t,s0)
diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
index 9b835cf..453d50c 100644
--- a/policy/modules/system/fstools.fc
+++ b/policy/modules/system/fstools.fc
@@ -36,12 +36,12 @@
/sbin/swapoff -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/swapon.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/tune2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/zpios -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/ztest -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/zdb -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/zhack -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/zinject -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/zhack -- gen_context(system_u:object_r:fsadm_exec_t,s0)
-/sbin/zdb -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/zpios -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/sbin/zstreamdump -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/ztest -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/bin/partition_uuid -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/bin/raw -- gen_context(system_u:object_r:fsadm_exec_t,s0)
diff --git a/policy/modules/system/mount.fc b/policy/modules/system/mount.fc
index 613ff7a..5f4f548 100644
--- a/policy/modules/system/mount.fc
+++ b/policy/modules/system/mount.fc
@@ -3,8 +3,8 @@
/bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
/sbin/mount\.zfs -- gen_context(system_u:object_r:mount_exec_t,s0)
-/sbin/zpool -- gen_context(system_u:object_r:mount_exec_t,s0)
-/sbin/zfs -- gen_context(system_u:object_r:mount_exec_t,s0)
+/sbin/zfs -- gen_context(system_u:object_r:mount_exec_t,s0)
+/sbin/zpool -- gen_context(system_u:object_r:mount_exec_t,s0)
/usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0)
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
@ 2014-02-09 10:54 Sven Vermeulen
From: Sven Vermeulen @ 2014-02-09 10:54 UTC (permalink / raw
To: gentoo-commits
commit: d601f08b6ac21ac7ecc56dfa402998bcce2c5f13
Author: Chris PeBenito <pebenito <AT> gentoo <DOT> org>
AuthorDate: Sat Feb 8 15:50:34 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Feb 9 10:52:48 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=d601f08b
Module version bump for loopback file mounting fixes from Luis Ressel.
---
policy/modules/kernel/devices.te | 2 +-
policy/modules/kernel/kernel.te | 2 +-
policy/modules/system/mount.te | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 6ef9c8a..f87ea59 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -1,4 +1,4 @@
-policy_module(devices, 1.15.0)
+policy_module(devices, 1.15.1)
########################################
#
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 5fa2926..b35629d 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -1,4 +1,4 @@
-policy_module(kernel, 1.17.3)
+policy_module(kernel, 1.17.4)
########################################
#
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index bf84971..975be3c 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -1,4 +1,4 @@
-policy_module(mount, 1.16.5)
+policy_module(mount, 1.16.6)
########################################
#
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
@ 2014-02-09 10:54 Sven Vermeulen
From: Sven Vermeulen @ 2014-02-09 10:54 UTC (permalink / raw
To: gentoo-commits
commit: 888b3e739f286506fbdb064b3ae7cd84c4ffb8a4
Author: Chris PeBenito <pebenito <AT> gentoo <DOT> org>
AuthorDate: Sat Feb 8 15:49:47 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Feb 9 10:52:45 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=888b3e73
Rename mount_read_mount_loopback() to mount_read_loopback_file().
Also make kernel block optional since the calls are to a higher layer.
---
policy/modules/kernel/kernel.te | 8 +++++---
policy/modules/system/mount.if | 2 +-
policy/modules/system/mount.te | 2 +-
3 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index c47eb45..5fa2926 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -287,9 +287,6 @@ files_list_etc(kernel_t)
files_list_home(kernel_t)
files_read_usr_files(kernel_t)
-mount_use_fds(kernel_t)
-mount_read_mount_loopback(kernel_t)
-
mcs_process_set_categories(kernel_t)
mls_process_read_up(kernel_t)
@@ -320,6 +317,11 @@ optional_policy(`
')
optional_policy(`
+ mount_use_fds(kernel_t)
+ mount_read_loopback_file(kernel_t)
+')
+
+optional_policy(`
nis_use_ypbind(kernel_t)
')
diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
index 802fd3d..cf80631 100644
--- a/policy/modules/system/mount.if
+++ b/policy/modules/system/mount.if
@@ -184,7 +184,7 @@ interface(`mount_run_unconfined',`
## </summary>
## </param>
#
-interface(`mount_read_mount_loopback',`
+interface(`mount_read_loopback_file',`
gen_require(`
type mount_t;
')
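Review bot: The renamed interface still lists `type mount_t;` in its gen_require, yet an interface that reads loopback files needs the type of those files, not the mount domain; the body is outside this hunk, so I cannot see what it actually references here, but the later "Fix read loopback file interface" commit on this page changes the require to `type mount_loopback_t;`, which suggests the require was wrong at this point. That later commit also pluralises the name to `mount_read_loopback_files`, matching the `*_files` naming used by the other refpolicy interfaces on this page, so the rename here could have gone straight to that form.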
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index 1b9030a..bf84971 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -43,7 +43,7 @@ application_domain(unconfined_mount_t, mount_exec_t)
# setuid/setgid needed to mount cifs
allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid };
-mount_read_mount_loopback(mount_t)
+mount_read_loopback_file(mount_t)
allow mount_t mount_tmp_t:file manage_file_perms;
allow mount_t mount_tmp_t:dir manage_dir_perms;
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
@ 2014-02-09 10:54 Sven Vermeulen
From: Sven Vermeulen @ 2014-02-09 10:54 UTC (permalink / raw
To: gentoo-commits
commit: 605d97a8cb4f58a7462fdc85122039810d1af403
Author: Chris PeBenito <pebenito <AT> gentoo <DOT> org>
AuthorDate: Sat Feb 8 16:35:57 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Feb 9 10:52:49 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=605d97a8
Fix read loopback file interface.
---
policy/modules/kernel/kernel.te | 4 ++--
policy/modules/system/mount.if | 6 +++---
policy/modules/system/mount.te | 4 ++--
3 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index b35629d..f6b1062 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -1,4 +1,4 @@
-policy_module(kernel, 1.17.4)
+policy_module(kernel, 1.17.5)
########################################
#
@@ -318,7 +318,7 @@ optional_policy(`
optional_policy(`
mount_use_fds(kernel_t)
- mount_read_loopback_file(kernel_t)
+ mount_read_loopback_files(kernel_t)
')
optional_policy(`
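Review bot: The `optional_policy` block granting kernel_t read access to loopback files carries no comment saying why the kernel domain needs it, and the commit message only covers the interface fix. A one-line comment would help the next reader, e.g. `# loop device I/O on the backing file is attributed to the kernel domain`; I am inferring that reason from the loop-device context of the surrounding commits, so confirm it before adopting the wording. The start of the block is outside this hunk.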
diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
index cf80631..fe24186 100644
--- a/policy/modules/system/mount.if
+++ b/policy/modules/system/mount.if
@@ -176,7 +176,7 @@ interface(`mount_run_unconfined',`
########################################
## <summary>
-## Read mount_loopback files.
+## Read loopback filesystem image files.
## </summary>
## <param name="domain">
## <summary>
@@ -184,9 +184,9 @@ interface(`mount_run_unconfined',`
## </summary>
## </param>
#
-interface(`mount_read_loopback_file',`
+interface(`mount_read_loopback_files',`
gen_require(`
- type mount_t;
+ type mount_loopback_t;
')
allow $1 mount_loopback_t:file read_file_perms;
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index 975be3c..8ae8b7c 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -1,4 +1,4 @@
-policy_module(mount, 1.16.6)
+policy_module(mount, 1.16.7)
########################################
#
@@ -43,7 +43,7 @@ application_domain(unconfined_mount_t, mount_exec_t)
# setuid/setgid needed to mount cifs
allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid };
-mount_read_loopback_file(mount_t)
+mount_read_loopback_files(mount_t)
allow mount_t mount_tmp_t:file manage_file_perms;
allow mount_t mount_tmp_t:dir manage_dir_perms;
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
@ 2014-04-21 15:25 Sven Vermeulen
From: Sven Vermeulen @ 2014-04-21 15:25 UTC (permalink / raw
To: gentoo-commits
commit: ed4ee5529ecaf691d2fafd6e24beda22754073d9
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Mon Apr 21 14:37:44 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Apr 21 15:19:54 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=ed4ee552
Module version bumps for fc fixes from Nicolas Iooss.
---
policy/modules/kernel/corecommands.te | 2 +-
policy/modules/kernel/filesystem.te | 2 +-
policy/modules/system/logging.te | 2 +-
policy/modules/system/udev.te | 2 +-
4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te
index 3c243cb..99dc2dc 100644
--- a/policy/modules/kernel/corecommands.te
+++ b/policy/modules/kernel/corecommands.te
@@ -1,4 +1,4 @@
-policy_module(corecommands, 1.19.0)
+policy_module(corecommands, 1.19.1)
########################################
#
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index 30a107d..fd1e7fe 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -1,4 +1,4 @@
-policy_module(filesystem, 1.18.2)
+policy_module(filesystem, 1.18.3)
########################################
#
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 37a3368..1ece825 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -1,4 +1,4 @@
-policy_module(logging, 1.21.0)
+policy_module(logging, 1.21.1)
########################################
#
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 4cda050..95ad555 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -1,4 +1,4 @@
-policy_module(udev, 1.17.0)
+policy_module(udev, 1.17.1)
########################################
#
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
@ 2014-04-21 15:25 Sven Vermeulen
From: Sven Vermeulen @ 2014-04-21 15:25 UTC (permalink / raw
To: gentoo-commits
commit: 12f37a40ba367dd101ea17e4e9d30ceac2334db8
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Mon Apr 21 13:24:28 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Apr 21 15:18:01 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=12f37a40
Module version bump for fixes from Laurent Bigonville.
---
policy/modules/kernel/filesystem.te | 2 +-
policy/modules/system/miscfiles.te | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index 1e5b262..30a107d 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -1,4 +1,4 @@
-policy_module(filesystem, 1.18.1)
+policy_module(filesystem, 1.18.2)
########################################
#
diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te
index 920ae21..f572fce 100644
--- a/policy/modules/system/miscfiles.te
+++ b/policy/modules/system/miscfiles.te
@@ -1,4 +1,4 @@
-policy_module(miscfiles, 1.11.1)
+policy_module(miscfiles, 1.11.2)
########################################
#
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
@ 2014-06-10 18:17 Sven Vermeulen
From: Sven Vermeulen @ 2014-06-10 18:17 UTC (permalink / raw
To: gentoo-commits
commit: a7acfa6001b742d245b462b31fe8581625d4a431
Author: Elia Pinto <gitter.spiros <AT> gmail <DOT> com>
AuthorDate: Fri Jun 6 08:04:25 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Jun 10 18:14:33 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=a7acfa60
Fix misspelling
Fix misspelling using http://github.com/lyda/misspell-check
Signed-off-by: Elia Pinto <gitter.spiros <AT> gmail.com>
---
policy/modules/kernel/files.te | 2 +-
policy/modules/kernel/storage.if | 14 +++++++-------
policy/modules/system/miscfiles.if | 2 +-
policy/modules/system/udev.te | 2 +-
policy/modules/system/userdomain.if | 4 ++--
5 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index cdc1801..852bd46 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -71,7 +71,7 @@ typealias etc_t alias snmpd_etc_t;
#
type etc_runtime_t;
files_type(etc_runtime_t)
-#Temporarily in policy until FC5 dissappears
+#Temporarily in policy until FC5 disappears
typealias etc_runtime_t alias firstboot_rw_t;
#
diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
index 64c4cd0..5c1be6b 100644
--- a/policy/modules/kernel/storage.if
+++ b/policy/modules/kernel/storage.if
@@ -82,7 +82,7 @@ interface(`storage_dontaudit_setattr_fixed_disk_dev',`
########################################
## <summary>
## Allow the caller to directly read from a fixed disk.
-## This is extremly dangerous as it can bypass the
+## This is extremely dangerous as it can bypass the
## SELinux protections for filesystem objects, and
## should only be used by trusted domains.
## </summary>
@@ -128,7 +128,7 @@ interface(`storage_dontaudit_read_fixed_disk',`
########################################
## <summary>
## Allow the caller to directly write to a fixed disk.
-## This is extremly dangerous as it can bypass the
+## This is extremely dangerous as it can bypass the
## SELinux protections for filesystem objects, and
## should only be used by trusted domains.
## </summary>
@@ -173,7 +173,7 @@ interface(`storage_dontaudit_write_fixed_disk',`
########################################
## <summary>
## Allow the caller to directly read and write to a fixed disk.
-## This is extremly dangerous as it can bypass the
+## This is extremely dangerous as it can bypass the
## SELinux protections for filesystem objects, and
## should only be used by trusted domains.
## </summary>
@@ -432,7 +432,7 @@ interface(`storage_setattr_scsi_generic_dev',`
## <summary>
## Allow the caller to directly read, in a
## generic fashion, from any SCSI device.
-## This is extremly dangerous as it can bypass the
+## This is extremely dangerous as it can bypass the
## SELinux protections for filesystem objects, and
## should only be used by trusted domains.
## </summary>
@@ -457,7 +457,7 @@ interface(`storage_read_scsi_generic',`
## <summary>
## Allow the caller to directly write, in a
## generic fashion, from any SCSI device.
-## This is extremly dangerous as it can bypass the
+## This is extremely dangerous as it can bypass the
## SELinux protections for filesystem objects, and
## should only be used by trusted domains.
## </summary>
@@ -638,7 +638,7 @@ interface(`storage_dontaudit_setattr_removable_dev',`
## <summary>
## Allow the caller to directly read from
## a removable device.
-## This is extremly dangerous as it can bypass the
+## This is extremely dangerous as it can bypass the
## SELinux protections for filesystem objects, and
## should only be used by trusted domains.
## </summary>
@@ -679,7 +679,7 @@ interface(`storage_dontaudit_raw_read_removable_device',`
## <summary>
## Allow the caller to directly write to
## a removable device.
-## This is extremly dangerous as it can bypass the
+## This is extremely dangerous as it can bypass the
## SELinux protections for filesystem objects, and
## should only be used by trusted domains.
## </summary>
diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
index 8b9072c..d9220f7 100644
--- a/policy/modules/system/miscfiles.if
+++ b/policy/modules/system/miscfiles.if
@@ -1,4 +1,4 @@
-## <summary>Miscelaneous files.</summary>
+## <summary>Miscellaneous files.</summary>
########################################
## <summary>
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 78652da..95de10c 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -193,7 +193,7 @@ ifdef(`distro_debian',`
ifdef(`distro_gentoo',`
# during boot, init scripts use /dev/.rcsysinit
- # existance to determine if we are in early booting
+ # existence to determine if we are in early booting
init_getattr_script_status_files(udev_t)
')
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 3cec4f1..7ad8e5b 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1548,7 +1548,7 @@ interface(`userdom_search_user_home_dirs',`
## <desc>
## <p>
## Do not audit attempts to search user home directories.
-## This will supress SELinux denial messages when the specified
+## This will suppress SELinux denial messages when the specified
## domain is denied the permission to search these directories.
## </p>
## </desc>
@@ -3227,7 +3227,7 @@ interface(`userdom_use_unpriv_users_fds',`
## <desc>
## <p>
## Do not audit attempts to inherit the file descriptors
-## from unprivileged user domains. This will supress
+## from unprivileged user domains. This will suppress
## SELinux denial messages when the specified domain is denied
## the permission to inherit these file descriptors.
## </p>
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
@ 2014-08-19 20:07 Sven Vermeulen
From: Sven Vermeulen @ 2014-08-19 20:07 UTC (permalink / raw
To: gentoo-commits
commit: edf8cf3543282583fa5e07f644f07465d8fe7713
Author: Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Mon Aug 11 22:24:15 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Aug 19 20:06:47 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=edf8cf35
Add necessary permissions for losetup
This allows losetup to bind mount_loopback_t files to loop devices.
---
policy/modules/kernel/kernel.te | 5 +++++
policy/modules/system/fstools.te | 5 +++++
2 files changed, 10 insertions(+)
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 4e39c2c..7178d93 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -300,6 +300,11 @@ ifdef(`distro_redhat',`
')
optional_policy(`
+ # loop devices
+ fstools_use_fds(kernel_t)
+')
+
+optional_policy(`
hotplug_search_config(kernel_t)
')
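Review bot: The comment `# loop devices` above `fstools_use_fds(kernel_t)` does not say why kernel_t must use fsadm_t file descriptors, which is the non-obvious part of this change; something like `# losetup hands its open backing-file fd to the loop driver, and the kernel's later use of that fd is checked as kernel_t` would explain it. The fstools.te hunk of the same commit adds `mount_rw_loopback_files(fsadm_t)` with a comment naming losetup; it would be worth stating there that read-write is needed for writable loop devices, since the read-only `mount_read_loopback_files` interface seen earlier on this page would cover read-only images.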
diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index 5c77a4f..7ce8171 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -94,6 +94,8 @@ dev_rw_sysfs(fsadm_t)
dev_getattr_usbfs_dirs(fsadm_t)
# Access to /dev/mapper/control
dev_rw_lvm_control(fsadm_t)
+# for losetup
+dev_rw_loop_control(fsadm_t)
domain_use_interactive_fds(fsadm_t)
@@ -125,6 +127,9 @@ files_search_all(fsadm_t)
mls_file_read_all_levels(fsadm_t)
mls_file_write_all_levels(fsadm_t)
+# losetup: bind mount_loopback_t files to loop devices
+mount_rw_loopback_files(fsadm_t)
+
storage_raw_read_fixed_disk(fsadm_t)
storage_raw_write_fixed_disk(fsadm_t)
storage_raw_read_removable_device(fsadm_t)
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
@ 2014-08-19 20:07 Sven Vermeulen
From: Sven Vermeulen @ 2014-08-19 20:07 UTC (permalink / raw
To: gentoo-commits
commit: c7f51ec56d714296eba9de60054556fb0a5e15cf
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Tue Aug 19 12:45:38 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Aug 19 20:06:51 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=c7f51ec5
Module version bump for losetup fixes from Luis Ressel.
---
policy/modules/kernel/kernel.te | 2 +-
policy/modules/system/fstools.te | 2 +-
policy/modules/system/mount.te | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 7178d93..d5f2864 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -1,4 +1,4 @@
-policy_module(kernel, 1.18.2)
+policy_module(kernel, 1.18.3)
########################################
#
diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index a2a12c4..b0475ea 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -1,4 +1,4 @@
-policy_module(fstools, 1.17.1)
+policy_module(fstools, 1.17.2)
########################################
#
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index 5cd97be..83854fd 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -1,4 +1,4 @@
-policy_module(mount, 1.17.0)
+policy_module(mount, 1.17.1)
########################################
#
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
@ 2014-09-13 9:38 Sven Vermeulen
From: Sven Vermeulen @ 2014-09-13 9:38 UTC (permalink / raw
To: gentoo-commits
commit: 095f93a76e79fb0a58e8262c0711ca5845b8ce24
Author: Nicolas Iooss <nicolas.iooss <AT> m4x <DOT> org>
AuthorDate: Sun Sep 7 21:28:14 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Sep 13 09:30:10 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=095f93a7
Allow journald to read the kernel ring buffer and to use /dev/kmsg
audit.log shows that journald needs to read the kernel ring buffer:
avc: denied { syslog_read } for pid=147 comm="systemd-journal" scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1
Moreover journald uses RW access to /dev/kmsg, according to its code:
http://cgit.freedesktop.org/systemd/systemd/tree/src/journal/journald-kmsg.c?id=v215#n394
---
policy/modules/kernel/devices.if | 18 ++++++++++++++++++
policy/modules/system/logging.te | 3 +++
2 files changed, 21 insertions(+)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 2963f91..5ab0f6e 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -2198,6 +2198,24 @@ interface(`dev_write_kmsg',`
########################################
## <summary>
+## Read and write to the kernel messages device
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_rw_kmsg',`
+ gen_require(`
+ type device_t, kmsg_device_t;
+ ')
+
+ rw_chr_files_pattern($1, device_t, kmsg_device_t)
+')
+
+########################################
+## <summary>
## Get the attributes of the ksm devices.
## </summary>
## <param name="domain">
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 1ece825..f254279 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -406,6 +406,7 @@ kernel_read_messages(syslogd_t)
kernel_read_vm_sysctls(syslogd_t)
kernel_clear_ring_buffer(syslogd_t)
kernel_change_ring_buffer_level(syslogd_t)
+kernel_read_ring_buffer(syslogd_t)
# /initrd is not umounted before minilog starts
kernel_dontaudit_search_unlabeled(syslogd_t)
@@ -437,6 +438,8 @@ corenet_sendrecv_mysqld_client_packets(syslogd_t)
dev_filetrans(syslogd_t, devlog_t, sock_file)
dev_read_sysfs(syslogd_t)
+# Allow access to /dev/kmsg for journald
+dev_rw_kmsg(syslogd_t)
domain_use_interactive_fds(syslogd_t)
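Review bot: The comment on the new lines says the /dev/kmsg read-write access is for journald, but `dev_rw_kmsg(syslogd_t)` is granted unconditionally, so any other syslog daemon running as syslogd_t gains read-write on the kernel message device as well. Since init.te later on this page already gates systemd-only rules behind an `ifdef` on `init_systemd`, wrapping this call the same way keeps the grant to the case the comment describes. The same consideration applies to `kernel_read_ring_buffer(syslogd_t)` in the first hunk if it was only observed for journald, though that one is read-only.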
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
@ 2014-09-13 9:38 Sven Vermeulen
0 siblings, 0 replies; 62+ messages in thread
From: Sven Vermeulen @ 2014-09-13 9:38 UTC (permalink / raw
To: gentoo-commits
commit: b5f4e7285985d1a6adfba1aaed6c17acdaae9c79
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Fri Sep 12 15:30:05 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Sep 13 09:30:26 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=b5f4e728
Module version bumps for systemd/journald patches from Nicolas Iooss.
---
policy/modules/kernel/devices.te | 2 +-
policy/modules/system/init.te | 2 +-
policy/modules/system/logging.te | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 00605a8..b862665 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -1,4 +1,4 @@
-policy_module(devices, 1.16.3)
+policy_module(devices, 1.16.4)
########################################
#
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 94a5516..cd2b0e4 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 1.21.3)
+policy_module(init, 1.21.4)
gen_require(`
class passwd rootok;
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 4008931..c56577e 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -1,4 +1,4 @@
-policy_module(logging, 1.21.1)
+policy_module(logging, 1.21.2)
########################################
#
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
@ 2015-10-26 5:48 Jason Zaman
From: Jason Zaman @ 2015-10-26 5:48 UTC (permalink / raw
To: gentoo-commits
commit: bac1f46765f49a73cdfb5a482f45f3a83487ee06
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Tue Oct 20 17:23:35 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Oct 26 03:55:45 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=bac1f467
Add sysfs_types attribute.
Collect all types used to label sysfs entries.
policy/modules/kernel/devices.if | 20 ++++++++++++++++++++
policy/modules/kernel/devices.te | 5 +++--
policy/modules/system/init.te | 1 +
3 files changed, 24 insertions(+), 2 deletions(-)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index a052db5..591b932 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -4130,6 +4130,26 @@ interface(`dev_rw_sysfs',`
########################################
## <summary>
+## Relabel from/to all sysfs types.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_relabel_all_sysfs',`
+ gen_require(`
+ attribute sysfs_types;
+ ')
+
+ allow $1 sysfs_types:dir { list_dir_perms relabel_dir_perms };
+ allow $1 sysfs_types:file relabel_file_perms;
+ allow $1 sysfs_types:lnk_file relabel_lnk_file_perms;
+')
+
+########################################
+## <summary>
## Read and write the TPM device.
## </summary>
## <param name="domain">
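Review bot: The new interface's summary (`Relabel from/to all sysfs types.`) does not say that it grants both relabelfrom and relabelto across every type carrying the sysfs_types attribute, so a caller can move sysfs entries between any of those labels (cpu_online_t and sysfs_t in this commit), which other policy relies on to tell them apart. A sentence in the `<summary>` along the lines of `The caller may change the label of any sysfs entry; intended for init's relabel of /sys at boot.` would make the scope clear. The only caller this commit adds is init_t under the init_systemd conditional, which fits that description, but the interface itself is not restricted to it.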
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index e5bcfcd..9274a82 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -9,6 +9,7 @@ attribute device_node;
attribute memory_raw_read;
attribute memory_raw_write;
attribute devices_unconfined_type;
+attribute sysfs_types;
#
# device_t is the type of /dev.
@@ -62,7 +63,7 @@ dev_node(cpu_device_t)
#
# /sys/devices/system/cpu/online device
#
-type cpu_online_t;
+type cpu_online_t, sysfs_types;
files_type(cpu_online_t)
dev_associate_sysfs(cpu_online_t)
@@ -229,7 +230,7 @@ dev_node(sound_device_t)
#
# sysfs_t is the type for the /sys pseudofs
#
-type sysfs_t;
+type sysfs_t, sysfs_types;
files_mountpoint(sysfs_t)
fs_xattr_type(sysfs_t)
genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 79400f2..8c9cffa 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -224,6 +224,7 @@ ifdef(`init_systemd',`
dev_create_generic_dirs(init_t)
dev_manage_input_dev(init_t)
dev_relabel_all_dev_nodes(init_t)
+ dev_relabel_all_sysfs(init_t)
dev_read_urand(init_t)
dev_write_kmsg(init_t)
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
@ 2015-10-26 5:48 Jason Zaman
From: Jason Zaman @ 2015-10-26 5:48 UTC (permalink / raw
To: gentoo-commits
commit: d92bdf260887935367802afbbaf25d399c020cd5
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Fri Oct 23 14:16:59 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Oct 26 03:52:47 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d92bdf26
Implement core systemd policy.
Significant contributions from the Tresys CLIP team.
Other changes from Laurent Bigonville.
policy/modules/kernel/corecommands.fc | 2 +
policy/modules/kernel/domain.te | 6 +
policy/modules/kernel/files.if | 172 ++++++++++
policy/modules/kernel/filesystem.if | 73 ++++
policy/modules/kernel/kernel.if | 60 +++-
policy/modules/kernel/terminal.if | 19 ++
policy/modules/system/authlogin.if | 19 ++
policy/modules/system/init.fc | 4 +
policy/modules/system/init.if | 608 +++++++++++++++++++++++++++++++++-
policy/modules/system/init.te | 176 +++++++++-
policy/modules/system/locallogin.if | 21 ++
policy/modules/system/logging.if | 38 +++
policy/modules/system/lvm.if | 20 ++
policy/modules/system/systemd.fc | 39 +++
policy/modules/system/systemd.if | 195 +++++++++++
policy/modules/system/systemd.te | 264 +++++++++++++++
policy/modules/system/udev.if | 19 ++
17 files changed, 1711 insertions(+), 24 deletions(-)
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index f465e43..b4e192a 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -242,6 +242,8 @@ ifdef(`distro_gentoo',`
/usr/lib/rpm/rpmv -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/sudo/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/lib/systemd/system-generators(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/systemd/user-generators(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/tumbler-1/tumblerd -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/vte/gnome-pty-helper -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0)
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
index 451a1be..6c3ef60 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -115,6 +115,12 @@ ifdef(`hide_broken_symptoms',`
dontaudit domain self:udp_socket listen;
')
+ifdef(`init_systemd',`
+ optional_policy(`
+ shutdown_sigchld(domain)
+ ')
+')
+
tunable_policy(`global_ssp',`
# enable reading of urandom for all domains:
# this should be enabled when all programs
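Review bot: `shutdown_sigchld(domain)` presumably lets every domain in the policy send SIGCHLD to the shutdown domain, and the hunk gives no reason for a grant that wide. A why-comment above the optional_policy block would let a later maintainer judge whether it is still needed, e.g. `# systemd: any domain may end up signalling shutdown_t on child exit -- TODO confirm the observed need`. The surrounding `ifdef(`init_systemd'` makes the rule systemd-only, which the comment could state as well.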
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index dd16f74..cbb8afe 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -563,6 +563,24 @@ interface(`files_manage_non_security_dirs',`
########################################
## <summary>
+## Relabel from/to non-security directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_relabel_non_security_dirs',`
+ gen_require(`
+ attribute non_security_file_type;
+ ')
+
+ relabel_dirs_pattern($1, non_security_file_type, non_security_file_type)
+')
+
+########################################
+## <summary>
## Get the attributes of all files.
## </summary>
## <param name="domain">
@@ -620,6 +638,44 @@ interface(`files_dontaudit_getattr_non_security_files',`
########################################
## <summary>
+## Create, read, write, and delete all non-security files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_manage_non_security_files',`
+ gen_require(`
+ attribute non_security_file_type;
+ ')
+
+ manage_files_pattern($1, non_security_file_type, non_security_file_type)
+')
+
+########################################
+## <summary>
+## Relabel from/to all non-security files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`files_relabel_non_security_files',`
+ gen_require(`
+ attribute non_security_file_type;
+ ')
+
+ relabel_files_pattern($1, non_security_file_type, non_security_file_type)
+')
+
+########################################
+## <summary>
## Read all files.
## </summary>
## <param name="domain">
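Review bot: files_relabel_non_security_files carries `<rolecap/>` while the parallel files_relabel_non_security_dirs in the previous hunk does not, so the two are documented inconsistently. Both let a caller move any non-security object between any two non-security types, which is equally broad for either object class; either add `## <rolecap/>` to the dirs interface or drop it from the files one. files_manage_non_security_files also gets `<rolecap/>`; it is worth double-checking that exposing create and delete over every non_security_file_type as a role capability is intended.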
@@ -1948,6 +2004,24 @@ interface(`files_unmount_rootfs',`
########################################
## <summary>
+## Mount on the root directory (/)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_mounton_root',`
+ gen_require(`
+ type root_t;
+ ')
+
+ allow $1 root_t:dir mounton;
+')
+
+########################################
+## <summary>
## Get attributes of the /boot directory.
## </summary>
## <param name="domain">
@@ -4398,6 +4472,24 @@ interface(`files_rw_generic_tmp_sockets',`
########################################
## <summary>
+## Mount filesystems in the tmp directory (/tmp)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_mounton_tmp',`
+ gen_require(`
+ type tmp_t;
+ ')
+
+ allow $1 tmp_t:dir mounton;
+')
+
+########################################
+## <summary>
## Set the attributes of all tmp directories.
## </summary>
## <param name="domain">
@@ -5678,6 +5770,25 @@ interface(`files_list_locks',`
########################################
## <summary>
+## Add entries in the /var/lock directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_add_entry_lock_dirs',`
+ gen_require(`
+ type var_t, var_lock_t;
+ ')
+
+ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+ add_entry_dirs_pattern($1, var_t, var_lock_t)
+')
+
+########################################
+## <summary>
## Add and remove entries in the /var/lock
## directories.
## </summary>
@@ -5871,6 +5982,29 @@ interface(`files_manage_all_locks',`
########################################
## <summary>
+## Relabel from/to all lock files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_relabel_all_locks',`
+ gen_require(`
+ attribute lockfile;
+ type var_t, var_lock_t;
+ ')
+
+ allow $1 var_lock_t:lnk_file read_lnk_file_perms;
+ allow $1 { var_t var_lock_t }:dir search_dir_perms;
+ relabel_dirs_pattern($1, lockfile, lockfile)
+ relabel_files_pattern($1, lockfile, lockfile)
+ relabel_lnk_files_pattern($1, lockfile, lockfile)
+')
+
+########################################
+## <summary>
## Create an object in the locks directory, with a private
## type using a type transition.
## </summary>
@@ -6300,6 +6434,44 @@ interface(`files_manage_all_pids',`
########################################
## <summary>
+## Relabel to/from all var_run (pid) directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain alloed access.
+## </summary>
+## </param>
+#
+interface(`files_relabel_all_pid_dirs',`
+ gen_require(`
+ attribute pidfile;
+ ')
+
+ relabel_dirs_pattern($1, pidfile, pidfile)
+')
+
+########################################
+## <summary>
+## Relabel to/from all var_run (pid) files and directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain alloed access.
+## </summary>
+## </param>
+#
+interface(`files_relabel_all_pids',`
+ gen_require(`
+ attribute pidfile;
+ ')
+
+ relabel_dirs_pattern($1, pidfile, pidfile)
+ relabel_files_pattern($1, pidfile, pidfile)
+ relabel_lnk_files_pattern($1, pidfile, pidfile)
+')
+
+########################################
+## <summary>
## Mount filesystems on all polyinstantiation
## member directories.
## </summary>
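Review bot: Both parameter summaries in this hunk read `Domain alloed access.` (in files_relabel_all_pid_dirs and files_relabel_all_pids), whereas the rest of the file uses `Domain allowed access.`. The two interface summaries also lack the trailing period used elsewhere, e.g. `## Relabel to/from all var_run (pid) directories.`.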
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 4ddef7c..0db8233 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -767,6 +767,24 @@ interface(`fs_manage_cgroup_dirs',`
########################################
## <summary>
+## Relabel cgroup directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_relabel_cgroup_dirs',`
+ gen_require(`
+ type cgroup_t;
+ ')
+
+ relabel_dirs_pattern($1, cgroup_t, cgroup_t)
+')
+
+########################################
+## <summary>
## Read cgroup files.
## </summary>
## <param name="domain">
@@ -782,6 +800,7 @@ interface(`fs_read_cgroup_files',`
')
read_files_pattern($1, cgroup_t, cgroup_t)
+ read_lnk_files_pattern($1, cgroup_t, cgroup_t)
dev_search_sysfs($1)
')
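Review bot: fs_read_cgroup_files now also grants read on cgroup_t symbolic links through `read_lnk_files_pattern`, but its summary, which sits outside the hunk, still describes file reads only; `## Read cgroup files and symbolic links.` would keep the documentation in step with the rules. The enclosing interface starts outside the hunk.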
@@ -3341,6 +3360,25 @@ interface(`fs_rw_nfsd_fs',`
########################################
## <summary>
+## Getattr on pstore dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_getattr_pstore_dirs',`
+ gen_require(`
+ type pstore_t;
+ ')
+
+ getattr_files_pattern($1, pstore_t, pstore_t)
+ dev_search_sysfs($1)
+')
+
+########################################
+## <summary>
## Allow the type to associate to ramfs filesystems.
## </summary>
## <param name="type">
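Review bot: fs_getattr_pstore_dirs is named and documented as a directory interface, but its body calls `getattr_files_pattern($1, pstore_t, pstore_t)`, which grants getattr on pstore_t files rather than on directories. If directories are the intent, the line should be `getattr_dirs_pattern($1, pstore_t, pstore_t)`; if files are wanted, the name and summary should change instead.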
@@ -4113,6 +4151,23 @@ interface(`fs_dontaudit_write_tmpfs_dirs',`
########################################
## <summary>
+## Relabel directory on tmpfs filesystems.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_relabel_tmpfs_dirs',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+ relabel_dirs_pattern($1, tmpfs_t, tmpfs_t)
+')
+
+########################################
+## <summary>
## Create an object in a tmpfs filesystem, with a private
## type using a type transition.
## </summary>
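Review bot: fs_relabel_tmpfs_dirs omits the blank line between the closing `')` of gen_require and the `relabel_dirs_pattern` call that every other new interface in this commit has (fs_relabel_tmpfs_files in the next hunk, for instance). Purely a style point, but the file is otherwise uniform.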
@@ -4241,6 +4296,24 @@ interface(`fs_rw_tmpfs_files',`
########################################
## <summary>
+## Relabel files on tmpfs filesystems.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_relabel_tmpfs_files',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+ relabel_files_pattern($1, tmpfs_t, tmpfs_t)
+')
+
+########################################
+## <summary>
## Read tmpfs link files.
## </summary>
## <param name="domain">
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index faa19d7..df42fa3 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -8,6 +8,27 @@
########################################
## <summary>
+## Allows the kernel to start userland processes
+## by dynamic transitions to the specified domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The process type entered by the kernel.
+## </summary>
+## </param>
+#
+interface(`kernel_dyntrans_to',`
+ gen_require(`
+ type kernel_t;
+ ')
+
+ domain_dyntrans_type(kernel_t)
+ allow kernel_t self:process setcurrent;
+ allow kernel_t $1:process dyntransition;
+')
+
+########################################
+## <summary>
## Allows to start userland processes
## by transitioning to the specified domain.
## </summary>
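Review bot: kernel_dyntrans_to's summary should say that the transition is a dynamic one (`process dyntransition`) rather than a domain transition through an entrypoint file like the interface that follows it (whose name is outside the hunk). A dynamic transition needs no executable entry point for the target and the target keeps the kernel process's state, so callers should be limited to the init domain; a sentence such as `## The target is entered without an entrypoint file; intended only for the init domain.` would make that explicit. `domain_dyntrans_type(kernel_t)` is also re-emitted on every call, which is harmless but could live in kernel.te instead.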
@@ -254,6 +275,25 @@ interface(`kernel_rw_pipes',`
########################################
## <summary>
+## Read/write to kernel using a unix
+## domain stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_rw_stream_sockets',`
+ gen_require(`
+ type kernel_t;
+ ')
+
+ allow $1 kernel_t:unix_stream_socket rw_socket_perms;
+')
+
+########################################
+## <summary>
## Connect to kernel using a unix
## domain stream socket.
## </summary>
@@ -273,7 +313,25 @@ interface(`kernel_stream_connect',`
########################################
## <summary>
-## Read and write kernel unix datagram sockets.
+## Getattr on kernel unix datagram sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_getattr_dgram_sockets',`
+ gen_require(`
+ type kernel_t;
+ ')
+
+ allow $1 kernel_t:unix_dgram_socket getattr;
+')
+
+########################################
+## <summary>
+## Read and write kernel unix datagram sockets. (Deprecated)
## </summary>
## <param name="domain">
## <summary>
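Review bot: The summary of the datagram read/write interface gains `(Deprecated)`, but the hunk shows no matching `refpolicywarn` call, which is how the reference policy normally reports use of a deprecated interface at build time; the interface body is outside the hunk, so it may already be there. If it is not, `refpolicywarn(`$0($*) has been deprecated.')` at the top of the body would match the other deprecated interfaces. The new kernel_getattr_dgram_sockets grants only `getattr`, so existing callers that relied on read/write access will need a different replacement, which the deprecation text could name.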
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
index cbb729b..2e6a376 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@@ -519,6 +519,25 @@ interface(`term_dontaudit_manage_pty_dirs',`
########################################
## <summary>
+## Relabel from and to pty directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`term_relabel_pty_dirs',`
+ gen_require(`
+ type devpts_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 devpts_t:dir relabel_dir_perms;
+')
+
+########################################
+## <summary>
## Do not audit attempts to get the attributes
## of generic pty devices.
## </summary>
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index 6aac59c..7bb4ecb 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -773,6 +773,25 @@ interface(`auth_rw_faillog',`
allow $1 faillog_t:file rw_file_perms;
')
+########################################
+## <summary>
+## Manage the login failure logs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`auth_manage_faillog',`
+ gen_require(`
+ type faillog_t;
+ ')
+
+ allow $1 faillog_t:file manage_file_perms;
+ logging_rw_generic_log_dirs($1)
+')
+
#######################################
## <summary>
## Read the last logins log.
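Review bot: auth_manage_faillog grants `manage_file_perms` on faillog_t, which includes unlink and rename, so a caller can remove or replace the login-failure log that lockout decisions are based on; the summary should spell that out rather than just say `Manage`. It also calls logging_rw_generic_log_dirs, a wider grant on the log directory than the search-style access auth_rw_faillog above appears to rely on; it is needed for create and delete, and a one-line why-comment would say so.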
diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
index 02ec851..b4bdf65 100644
--- a/policy/modules/system/init.fc
+++ b/policy/modules/system/init.fc
@@ -45,6 +45,10 @@ ifdef(`distro_gentoo', `
/usr/bin/sepg_ctl -- gen_context(system_u:object_r:initrc_exec_t,s0)
/usr/lib/systemd/systemd -- gen_context(system_u:object_r:init_exec_t,s0)
+/usr/lib/systemd/system-preset(/.*)? gen_context(system_u:object_r:systemd_unit_t,s0)
+/usr/lib/systemd/user-preset(/.*)? gen_context(system_u:object_r:systemd_unit_t,s0)
+/usr/lib/systemd/ntp-units\.d -d gen_context(system_u:object_r:systemd_unit_t,s0)
+/usr/lib/systemd/system(/.*)? gen_context(system_u:object_r:systemd_unit_t,s0)
/usr/libexec/dcc/start-.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
/usr/libexec/dcc/stop-.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 211d434..192508f 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -44,6 +44,26 @@ interface(`init_script_file',`
########################################
## <summary>
+## Make the specified type usable for
+## systemd unit files.
+## </summary>
+## <param name="type">
+## <summary>
+## Type to be used for systemd unit files.
+## </summary>
+## </param>
+#
+interface(`init_unit_file',`
+ gen_require(`
+ attribute systemdunit;
+ ')
+
+ files_type($1)
+ typeattribute $1 systemdunit;
+')
+
+########################################
+## <summary>
## Create a domain used for init scripts.
## </summary>
## <desc>
@@ -108,6 +128,10 @@ interface(`init_domain',`
role system_r types $1;
domtrans_pattern(init_t, $2, $1)
+
+ ifdef(`init_systemd',`
+ allow $1 init_t:unix_stream_socket { getattr read write ioctl };
+ ')
')
########################################
@@ -212,6 +236,12 @@ interface(`init_daemon_domain',`
userdom_dontaudit_use_user_terminals($1)
')
+ ifdef(`init_systemd',`
+ init_domain($1, $2)
+ # this may be because of late labelling
+ kernel_dgram_send($1)
+ ')
+
optional_policy(`
nscd_use($1)
')
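Review bot: The comment `# this may be because of late labelling` above `kernel_dgram_send($1)` is too vague to act on: it does not say what is labelled late or why a daemon would then need to send datagrams to the kernel. Either state the denial it works around or mark it as an open question, e.g. `# daemons started before policy load may still hold a kernel_t-labelled socket -- TODO confirm`. init_daemon_domain itself begins and ends outside the hunk.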
@@ -264,15 +294,68 @@ interface(`init_ranged_daemon_domain',`
type initrc_t;
')
- init_daemon_domain($1, $2)
+ ifdef(`init_systemd',`
+ init_ranged_domain($1, $2, $3)
+ ',`
+ init_daemon_domain($1, $2)
- ifdef(`enable_mcs',`
- range_transition initrc_t $2:process $3;
+ ifdef(`enable_mcs',`
+ range_transition initrc_t $2:process $3;
+ ')
+
+ ifdef(`enable_mls',`
+ range_transition initrc_t $2:process $3;
+ mls_rangetrans_target($1)
+ ')
')
+')
- ifdef(`enable_mls',`
- range_transition initrc_t $2:process $3;
- mls_rangetrans_target($1)
+#########################################
+## <summary>
+## Abstract socket service activation (systemd).
+## </summary>
+## <param name="domain">
+## <summary>
+## The domain to be started by systemd socket activation.
+## </summary>
+## </param>
+#
+interface(`init_abstract_socket_activation',`
+ ifdef(`init_systemd',`
+ gen_require(`
+ type init_t;
+ ')
+
+ allow init_t $1:unix_stream_socket create_stream_socket_perms;
+ ')
+')
+
+#########################################
+## <summary>
+## Named socket service activation (systemd).
+## </summary>
+## <param name="domain">
+## <summary>
+## The domain to be started by systemd socket activation.
+## </summary>
+## </param>
+## <param name="sock_file">
+## <summary>
+## The domain socket file type.
+## </summary>
+## </param>
+#
+interface(`init_named_socket_activation',`
+ ifdef(`init_systemd',`
+ gen_require(`
+ type init_t;
+ ')
+
+ allow init_t $1:unix_dgram_socket create_socket_perms;
+ allow init_t $1:unix_stream_socket create_stream_socket_perms;
+ allow init_t $2:dir manage_dir_perms;
+ allow init_t $2:fifo_file manage_fifo_file_perms;
+ allow init_t $2:sock_file manage_sock_file_perms;
')
')
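Review bot: init_abstract_socket_activation and init_named_socket_activation expand to nothing when `init_systemd` is not defined, which their summaries only hint at with `(systemd)`; a line such as `## This interface is a no-op unless the init_systemd build option is set.` would save callers from wondering why no rules appear. The separator lines above both interfaces use 41 `#` characters while the rest of the file uses 40.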
@@ -324,6 +407,10 @@ interface(`init_system_domain',`
role system_r types $1;
domtrans_pattern(initrc_t, $2, $1)
+
+ ifdef(`init_systemd',`
+ init_domain($1, $2)
+ ')
')
########################################
@@ -374,15 +461,19 @@ interface(`init_ranged_system_domain',`
type initrc_t;
')
- init_system_domain($1, $2)
+ ifdef(`init_systemd',`
+ init_ranged_domain($1, $2, $3)
+ ',`
+ init_system_domain($1, $2)
- ifdef(`enable_mcs',`
- range_transition initrc_t $2:process $3;
- ')
+ ifdef(`enable_mcs',`
+ range_transition initrc_t $2:process $3;
+ ')
- ifdef(`enable_mls',`
- range_transition initrc_t $2:process $3;
- mls_rangetrans_target($1)
+ ifdef(`enable_mls',`
+ range_transition initrc_t $2:process $3;
+ mls_rangetrans_target($1)
+ ')
')
')
@@ -579,10 +670,11 @@ interface(`init_sigchld',`
#
interface(`init_stream_connect',`
gen_require(`
- type init_t;
+ type init_t, init_var_run_t;
')
- allow $1 init_t:unix_stream_socket connectto;
+ stream_connect_pattern($1, init_var_run_t, init_var_run_t, init_t)
+ files_search_pids($1)
')
########################################
@@ -664,6 +756,45 @@ interface(`init_dontaudit_use_fds',`
########################################
## <summary>
+## Send messages to init unix datagram sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`init_dgram_send',`
+ gen_require(`
+ type init_t, init_var_run_t;
+ ')
+
+ dgram_send_pattern($1, init_var_run_t, init_var_run_t, init_t)
+ files_search_pids($1)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read/write to
+## init with unix domain stream sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_rw_stream_sockets',`
+ gen_require(`
+ type init_t;
+ ')
+
+ allow $1 init_t:unix_stream_socket rw_stream_socket_perms;
+')
+
+########################################
+## <summary>
## Send UDP network traffic to init. (Deprecated)
## </summary>
## <param name="domain">
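Review bot: init_rw_stream_sockets grants `rw_stream_socket_perms` on init_t stream sockets, whereas the init_domain hunk earlier in this file grants the explicit, narrower `{ getattr read write ioctl }` on the same object. If I recall the obj_perm_sets definitions correctly, rw_stream_socket_perms also includes setattr, bind, connect, listen and accept, none of which a domain that only reads and writes an inherited socket needs; using the narrower set, or a comment saying why the wider one is wanted, would keep the two consistent.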
@@ -678,6 +809,276 @@ interface(`init_udp_send',`
########################################
## <summary>
+## Get all service status (systemd).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_get_system_status',`
+ gen_require(`
+ type init_t;
+ ')
+
+ allow $1 init_t:system status;
+')
+
+########################################
+## <summary>
+## Enable all systemd services (systemd).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_enable',`
+ gen_require(`
+ type init_t;
+ ')
+
+ allow $1 init_t:system enable;
+')
+
+########################################
+## <summary>
+## Disable all services (systemd).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_disable',`
+ gen_require(`
+ type init_t;
+ ')
+
+ allow $1 init_t:system disable;
+')
+
+########################################
+## <summary>
+## Reload all services (systemd).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_reload',`
+ gen_require(`
+ type init_t;
+ ')
+
+ allow $1 init_t:system reload;
+')
+
+########################################
+## <summary>
+## Reboot the system (systemd).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_reboot_system',`
+ gen_require(`
+ type init_t;
+ ')
+
+ allow $1 init_t:system reboot;
+')
+
+########################################
+## <summary>
+## Shutdown (halt) the system (systemd).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_shutdown_system',`
+ gen_require(`
+ type init_t;
+ ')
+
+ allow $1 init_t:system halt;
+')
+
+########################################
+## <summary>
+## Allow specified domain to get init status
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to allow access.
+## </summary>
+## </param>
+#
+interface(`init_service_status',`
+ gen_require(`
+ type init_t;
+ class service status;
+ ')
+
+ allow $1 init_t:service status;
+')
+
+########################################
+## <summary>
+## Allow specified domain to get init start
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to allow access.
+## </summary>
+## </param>
+#
+interface(`init_service_start',`
+ gen_require(`
+ type init_t;
+ class service start;
+ ')
+
+ allow $1 init_t:service start;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## systemd over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_dbus_chat',`
+ gen_require(`
+ type initrc_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 init_t:dbus send_msg;
+ allow init_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Manage files in /var/lib/systemd/.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="file_type">
+## <summary>
+## The type of the object to be created
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The object class.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`init_manage_var_lib_files',`
+ gen_require(`
+ type init_var_lib_t;
+ ')
+
+ manage_files_pattern($1, init_var_lib_t, init_var_lib_t)
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Create files in /var/lib/systemd
+## with an automatic type transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="type">
+## <summary>
+## The type of object to be created
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The object class.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`init_var_lib_filetrans',`
+ gen_require(`
+ type init_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ filetrans_pattern($1, init_var_lib_t, $2, $3, $4)
+')
+
+########################################
+## <summary>
+## Create files in an init PID directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="file_type">
+## <summary>
+## The type of the object to be created
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The object class.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`init_pid_filetrans',`
+ gen_require(`
+ type init_var_run_t;
+ ')
+
+ files_search_pids($1)
+ filetrans_pattern($1, init_var_run_t, $2, $3, $4)
+')
+
+########################################
+## <summary>
## Get the attributes of initctl.
## </summary>
## <param name="domain">
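Review bot: init_dbus_chat's gen_require lists `type initrc_t;` but both allow rules use `init_t`, so the interface will not compile in a module that has not required init_t some other way; the line should be `type init_t;`. Separately, init_manage_var_lib_files documents file_type, object_class and name parameters that its body never uses (only `$1` is read), apparently copied from init_var_lib_filetrans; those three param blocks should be dropped. The summaries `Allow specified domain to get init start` and `Allow specified domain to get init status` also read awkwardly, e.g. `## Start init services.` and `## Get the status of init services.`.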
@@ -1976,3 +2377,180 @@ interface(`init_script_readable_type',`
typeattribute $1 init_script_readable;
')
+
+######################################
+## <summary>
+## Search systemd unit dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_search_units',`
+ gen_require(`
+ type init_var_run_t, systemd_unit_t;
+ ')
+
+ search_dirs_pattern($1, init_var_run_t, systemd_unit_t)
+
+ # Units are in /etc/systemd/system, /usr/lib/systemd/system and /run/systemd
+ files_search_etc($1)
+ files_search_usr($1)
+ libs_search_lib($1)
+
+ fs_search_tmpfs($1)
+')
+
+########################################
+## <summary>
+## Get status of generic systemd units.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_get_generic_units_status',`
+ gen_require(`
+ type systemd_unit_t;
+ class service status;
+ ')
+
+ allow $1 systemd_unit_t:service status;
+')
+
+########################################
+## <summary>
+## Start generic systemd units.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_start_generic_units',`
+ gen_require(`
+ type systemd_unit_t;
+ class service start;
+ ')
+
+ allow $1 systemd_unit_t:service start;
+')
+
+########################################
+## <summary>
+## Stop generic systemd units.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`init_stop_generic_units',`
+ gen_require(`
+ type systemd_unit_t;
+ class service stop;
+ ')
+
+ allow $1 systemd_unit_t:service stop;
+')
+
+#######################################
+## <summary>
+## Reload generic systemd units.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_reload_generic_units',`
+ gen_require(`
+ type systemd_unit_t;
+ class service reload;
+ ')
+
+ allow $1 systemd_unit_t:service reload;
+')
+
+########################################
+## <summary>
+## Get status of all systemd units.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_get_all_units_status',`
+ gen_require(`
+ attribute systemdunit;
+ class service status;
+ ')
+
+ allow $1 systemdunit:service status;
+')
+
+########################################
+## <summary>
+## Start all systemd units.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_start_all_units',`
+ gen_require(`
+ attribute systemdunit;
+ class service start;
+ ')
+
+ allow $1 systemdunit:service start;
+')
+
+########################################
+## <summary>
+## Stop all systemd units.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`init_stop_all_units',`
+ gen_require(`
+ attribute systemdunit;
+ class service stop;
+ ')
+
+ allow $1 systemdunit:service stop;
+')
+
+#######################################
+## <summary>
+## Reload all systemd units.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_reload_all_units',`
+ gen_require(`
+ attribute systemdunit;
+ class service reload;
+ ')
+
+ allow $1 systemdunit:service reload;
+')
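Review bot: init_stop_generic_units and init_stop_all_units document their parameter as `Domain to not audit.`, wording that belongs to a dontaudit interface; both grant access and should say `Domain allowed access.` like their start and reload siblings. The separator comments in this hunk also vary in width (above init_search_units, init_reload_generic_units and init_reload_all_units) where the file uses 40 `#` characters elsewhere.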
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 95db0d0..d5d7b10 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -19,6 +19,7 @@ gen_tunable(init_upstart, false)
attribute init_script_domain_type;
attribute init_script_file_type;
attribute init_run_all_scripts_domain;
+attribute systemdunit;
# Mark process types as daemons
attribute daemon;
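Review bot: `attribute systemdunit;` is added with no comment, and the only description of it is in the init_unit_file summary much further down; a one-line comment such as `# types of systemd unit files (see init_unit_file)` would keep init.te readable on its own. The name also departs from the `_type` suffix of init_script_file_type in the same list and from the `sysfs_types` attribute introduced in the preceding commit, so a name like systemd_unit_file_type would match the surrounding convention.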
@@ -64,6 +65,7 @@ type initrc_t, init_script_domain_type, init_run_all_scripts_domain;
type initrc_exec_t, init_script_file_type;
domain_type(initrc_t)
domain_entry_file(initrc_t, initrc_exec_t)
+init_named_socket_activation(initrc_t, init_var_run_t)
role system_r types initrc_t;
# should be part of the true block
# of the below init_upstart tunable
@@ -74,6 +76,9 @@ type initrc_devpts_t;
term_pty(initrc_devpts_t)
files_type(initrc_devpts_t)
+type initrc_lock_t;
+files_lock_file(initrc_lock_t)
+
type initrc_state_t;
files_type(initrc_state_t)
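Review bot: initrc_lock_t is declared as a lock file type here, but no file context for it appears in the init.fc hunk of this commit and nothing in the visible init.te hunks creates it through a type transition, so as far as the diff shows nothing is ever labelled with it. If a transition rule elsewhere in init.te assigns it, a comment next to the declaration naming the path it labels (e.g. `# <LOCK_PATH> created by initrc_t -- TODO confirm`) would confirm that; otherwise the type is dead.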
@@ -86,6 +91,9 @@ logging_log_file(initrc_var_log_t)
type initrc_var_run_t;
files_pid_file(initrc_var_run_t)
+type systemd_unit_t;
+init_unit_file(systemd_unit_t)
+
ifdef(`distro_gentoo',`
type rc_exec_t;
domain_entry_file(initrc_t, rc_exec_t)
@@ -182,6 +190,115 @@ seutil_read_config(init_t)
miscfiles_read_localization(init_t)
+ifdef(`init_systemd',`
+ # handle instances where an old labeled init script is encountered.
+ typeattribute init_t init_run_all_scripts_domain;
+
+ allow init_t self:process { getcap getsched setsched setpgid setfscreate setsockcreate setcap setrlimit };
+ allow init_t self:capability2 block_suspend;
+ allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
+ allow init_t self:netlink_route_socket create_netlink_socket_perms;
+ allow init_t self:netlink_selinux_socket create_socket_perms;
+
+ manage_files_pattern(init_t, init_var_run_t, init_var_run_t)
+ manage_lnk_files_pattern(init_t, init_var_run_t, init_var_run_t)
+ manage_sock_files_pattern(init_t, init_var_run_t, init_var_run_t)
+ manage_dirs_pattern(init_t, init_var_run_t, init_var_run_t)
+
+ manage_files_pattern(init_t, systemd_unit_t, systemdunit)
+
+ manage_dirs_pattern(init_t, systemd_unit_t, systemd_unit_t)
+ manage_lnk_files_pattern(init_t, systemd_unit_t, systemd_unit_t)
+ allow init_t systemd_unit_t:dir relabel_dir_perms;
+
+ kernel_dyntrans_to(init_t)
+ kernel_read_network_state(init_t)
+ kernel_read_kernel_sysctls(init_t)
+ kernel_read_vm_sysctls(init_t)
+ kernel_dgram_send(init_t)
+ kernel_stream_connect(init_t)
+ kernel_getattr_proc(init_t)
+ kernel_read_fs_sysctls(init_t)
+
+ dev_rw_autofs(init_t)
+ dev_create_generic_dirs(init_t)
+ dev_relabel_all_dev_nodes(init_t)
+ dev_read_urand(init_t)
+ dev_write_kmsg(init_t)
+
+ domain_read_all_domains_state(init_t)
+
+ files_read_all_pids(init_t)
+ files_list_usr(init_t)
+ files_list_var(init_t)
+ files_list_var_lib(init_t)
+ files_relabel_all_lock_dirs(init_t)
+ files_mounton_root(init_t)
+ files_search_pids(init_t)
+ files_relabel_all_pids(init_t)
+ files_read_all_locks(init_t)
+ files_search_kernel_modules(init_t)
+ # for privatetmp functions
+ files_manage_generic_tmp_dirs(init_t)
+ files_mounton_tmp(init_t)
+
+ fs_manage_cgroup_dirs(init_t)
+ fs_relabel_cgroup_dirs(init_t)
+ fs_rw_cgroup_files(init_t)
+ fs_list_auto_mountpoints(init_t)
+ fs_mount_autofs(init_t)
+ fs_manage_hugetlbfs_dirs(init_t)
+ fs_getattr_tmpfs(init_t)
+ fs_read_tmpfs_files(init_t)
+ fs_read_cgroup_files(init_t)
+ fs_dontaudit_getattr_xattr_fs(init_t)
+ # for privatetmp functions
+ fs_relabel_tmpfs_dirs(init_t)
+ fs_relabel_tmpfs_files(init_t)
+ # mount-setup
+ fs_unmount_autofs(init_t)
+ fs_getattr_pstore_dirs(init_t)
+
+ # systemd_socket_activated policy
+ mls_socket_write_all_levels(init_t)
+
+ selinux_compute_create_context(init_t)
+ selinux_compute_access_vector(init_t)
+
+ term_relabel_pty_dirs(init_t)
+
+ clock_read_adjtime(init_t)
+
+ logging_manage_pid_sockets(init_t)
+ logging_send_audit_msgs(init_t)
+ logging_relabelto_devlog_sock_files(init_t)
+
+ seutil_read_file_contexts(init_t)
+
+ systemd_relabelto_kmod_files(init_t)
+ systemd_dbus_chat_logind(init_t)
+
+ # udevd is a "systemd kobject uevent socket activated daemon"
+ udev_create_kobject_uevent_sockets(init_t)
+
+ optional_policy(`
+ dbus_system_bus_client(init_t)
+ dbus_connect_system_bus(init_t)
+ ')
+
+ optional_policy(`
+ modutils_domtrans_insmod(init_t)
+ ')
+',`
+ tunable_policy(`init_upstart',`
+ corecmd_shell_domtrans(init_t, initrc_t)
+ ',`
+ # Run the shell in the sysadm role for single-user mode.
+ # causes problems with upstart
+ sysadm_shell_domtrans(init_t)
+ ')
+')
+
ifdef(`distro_debian',`
fs_tmpfs_filetrans(init_t, initctl_t, fifo_file, "initctl")
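Review bot: `kernel_dyntrans_to(init_t)`, `dev_relabel_all_dev_nodes(init_t)` and `files_relabel_all_pids(init_t)` are the broadest grants in this block and arrive without a why-comment, unlike the neighbouring `# for privatetmp functions` and `# mount-setup` lines; each should carry a comment naming the boot step that needs it, e.g. `# <systemd step> relabels /dev at early boot — confirm` above the relabel calls. The `init_t self:process { ... setfscreate setsockcreate ... }` and `capability2 block_suspend` lines deserve the same treatment, since a reader cannot tell from this hunk which are required and which were copied from a permissive audit log. Separately, `systemd_relabelto_kmod_files`, `systemd_dbus_chat_logind`, `udev_create_kobject_uevent_sockets` and `clock_read_adjtime` are called bare while the dbus and modutils calls are wrapped in `optional_policy`; unless the systemd, udev and clock modules are guaranteed to be built whenever `init_systemd` is defined, the bare calls will fail at link time and should be moved into `optional_policy` blocks as well.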
@@ -201,14 +318,6 @@ ifdef(`distro_redhat',`
fs_tmpfs_filetrans(init_t, initctl_t, fifo_file)
')
-tunable_policy(`init_upstart',`
- corecmd_shell_domtrans(init_t, initrc_t)
-',`
- # Run the shell in the sysadm role for single-user mode.
- # causes problems with upstart
- sysadm_shell_domtrans(init_t)
-')
-
optional_policy(`
auth_rw_login_records(init_t)
')
@@ -609,6 +718,57 @@ ifdef(`distro_suse',`
')
')
+ifdef(`init_systemd',`
+ manage_files_pattern(initrc_t, initrc_lock_t, initrc_lock_t)
+ files_lock_filetrans(initrc_t, initrc_lock_t, file)
+
+ manage_dirs_pattern(initrc_t, init_var_run_t, init_var_run_t)
+
+ manage_dirs_pattern(initrc_t, initrc_var_run_t, initrc_var_run_t)
+ manage_chr_files_pattern(initrc_t, initrc_var_run_t, initrc_var_run_t)
+ manage_lnk_files_pattern(initrc_t, initrc_var_run_t, initrc_var_run_t)
+ files_pid_filetrans(initrc_t, initrc_var_run_t, dir_file_class_set)
+
+ create_dirs_pattern(initrc_t, systemd_unit_t, systemd_unit_t)
+
+ manage_files_pattern(initrc_t, systemdunit, systemdunit)
+ manage_lnk_files_pattern(initrc_t, systemdunit, systemdunit)
+
+ kernel_dgram_send(initrc_t)
+
+ # run systemd misc initializations
+ # in the initrc_t domain, as would be
+ # done in traditional sysvinit/upstart.
+ corecmd_bin_entry_type(initrc_t)
+ corecmd_shell_entry_type(initrc_t)
+ corecmd_bin_domtrans(init_t, initrc_t)
+ corecmd_shell_domtrans(init_t, initrc_t)
+
+ files_read_boot_files(initrc_t)
+ files_setattr_pid_dirs(initrc_t)
+
+ selinux_set_enforce_mode(initrc_t)
+
+ init_stream_connect(initrc_t)
+ init_manage_var_lib_files(initrc_t)
+ init_rw_stream_sockets(initrc_t)
+ init_get_all_units_status(initrc_t)
+ init_stop_all_units(initrc_t)
+
+ # Create /etc/audit.rules.prev after firstboot remediation
+ logging_manage_audit_config(initrc_t)
+
+ # lvm2-activation-generator checks file labels
+ seutil_read_file_contexts(initrc_t)
+
+ systemd_start_power_units(initrc_t)
+
+ optional_policy(`
+ # create /var/lock/lvm/
+ lvm_create_lock_dirs(initrc_t)
+ ')
+')
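Review bot: `selinux_set_enforce_mode(initrc_t)` lets the generic init-script domain switch the kernel between permissive and enforcing, which is the most consequential rule in this hunk and is the only one of its kind here without a comment; if a specific script needs it, say which (`# <script> toggles enforcing mode at boot — confirm`) or gate it behind a tunable, because `corecmd_bin_domtrans(init_t, initrc_t)` a few lines below routes every binary init runs into this domain. `manage_files_pattern(initrc_t, systemdunit, systemdunit)` similarly lets initrc_t rewrite every unit file, including `power_unit_t`, whereas `create_dirs_pattern(initrc_t, systemd_unit_t, systemd_unit_t)` just above only creates directories; a comment on why scripts need write rather than read on unit files would help the next reviewer judge the grant.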
+
optional_policy(`
amavis_search_lib(initrc_t)
amavis_setattr_pid_files(initrc_t)
diff --git a/policy/modules/system/locallogin.if b/policy/modules/system/locallogin.if
index 0e3c2a9..4305a86 100644
--- a/policy/modules/system/locallogin.if
+++ b/policy/modules/system/locallogin.if
@@ -24,6 +24,27 @@ interface(`locallogin_domtrans',`
########################################
## <summary>
+## Allow calling domain to read locallogin state.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed permission.
+## </summary>
+## </param>
+#
+interface(`locallogin_read_state',`
+ gen_require(`
+ type local_login_t;
+ ')
+
+ kernel_search_proc($1)
+ allow $1 local_login_t:file read_file_perms;
+ allow $1 local_login_t:lnk_file read_lnk_file_perms;
+ allow $1 local_login_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
## Allow processes to inherit local login file descriptors.
## </summary>
## <param name="domain">
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 9fa0f5d..6a279f3 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -553,6 +553,25 @@ interface(`logging_send_syslog_msg',`
########################################
## <summary>
+## Allow domain to relabelto devlog sock_files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`logging_relabelto_devlog_sock_files',`
+ gen_require(`
+ type devlog_t;
+ ')
+
+ allow $1 devlog_t:sock_file relabelto_sock_file_perms;
+')
+
+########################################
+## <summary>
## Read the auditd configuration files.
## </summary>
## <param name="domain">
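Review bot: The `<rolecap/>` tag on `logging_relabelto_devlog_sock_files` marks it as a capability that may be handed to user roles, but the only caller in this commit is init_t in init.te and relabeling /dev/log is a system-level operation; the tag looks copied from a neighbouring interface and should be dropped unless a role genuinely needs it. The same tag appears on `lvm_create_lock_dirs` in lvm.if and on `systemd_write_kmod_files` and `systemd_relabelto_kmod_files` in systemd.if, none of which is called from a user role anywhere in this commit.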
@@ -631,6 +650,25 @@ interface(`logging_delete_devlog_socket',`
########################################
## <summary>
+## Create, read, write, and delete syslog PID sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`logging_manage_pid_sockets',`
+ gen_require(`
+ type syslogd_var_run_t;
+ ')
+
+ manage_sock_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
+ files_search_pids($1)
+')
+
+########################################
+## <summary>
## Allows the domain to open a file in the
## log directory, but does not allow the listing
## of the contents of the log directory.
diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if
index 86b223c..6561474 100644
--- a/policy/modules/system/lvm.if
+++ b/policy/modules/system/lvm.if
@@ -105,6 +105,26 @@ interface(`lvm_manage_config',`
manage_files_pattern($1, lvm_etc_t, lvm_etc_t)
')
+########################################
+## <summary>
+## Create lvm_lock_t directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`lvm_create_lock_dirs',`
+ gen_require(`
+ type lvm_lock_t;
+ ')
+
+ create_dirs_pattern($1, lvm_lock_t, lvm_lock_t)
+ files_add_entry_lock_dirs($1)
+')
+
######################################
## <summary>
## Execute a domain transition to run clvmd.
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
new file mode 100644
index 0000000..864979d
--- /dev/null
+++ b/policy/modules/system/systemd.fc
@@ -0,0 +1,39 @@
+/bin/systemd-analyze -- gen_context(system_u:object_r:systemd_analyze_exec_t,s0)
+/bin/systemd-cgtop -- gen_context(system_u:object_r:systemd_cgtop_exec_t,s0)
+/bin/systemd-coredump -- gen_context(system_u:object_r:systemd_coredump_exec_t,s0)
+/bin/systemd-detect-virt -- gen_context(system_u:object_r:systemd_detect_virt_exec_t,s0)
+/bin/systemd-nspawn -- gen_context(system_u:object_r:systemd_nspawn_exec_t,s0)
+/bin/systemd-run -- gen_context(system_u:object_r:systemd_run_exec_t,s0)
+/bin/systemd-stdio-bridge -- gen_context(system_u:object_r:systemd_stdio_bridge_exec_t,s0)
+/bin/systemd-tmpfiles -- gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0)
+/bin/systemd-tty-ask-password-agent -- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
+
+/usr/lib/systemd/systemd-activate -- gen_context(system_u:object_r:systemd_activate_exec_t,s0)
+/usr/lib/systemd/systemd-backlight -- gen_context(system_u:object_r:systemd_backlight_exec_t,s0)
+/usr/lib/systemd/systemd-binfmt -- gen_context(system_u:object_r:systemd_binfmt_exec_t,s0)
+/usr/lib/systemd/systemd-cgroups-agent -- gen_context(system_u:object_r:systemd_cgroups_exec_t,s0)
+/usr/lib/systemd/systemd-coredump -- gen_context(system_u:object_r:systemd_coredump_exec_t,s0)
+/usr/lib/systemd/systemd-hostnamed -- gen_context(system_u:object_r:systemd_hostnamed_exec_t,s0)
+/usr/lib/systemd/systemd-localed -- gen_context(system_u:object_r:systemd_locale_exec_t,s0)
+/usr/lib/systemd/systemd-logind -- gen_context(system_u:object_r:systemd_logind_exec_t,s0)
+/usr/lib/systemd/systemd-machined -- gen_context(system_u:object_r:systemd_machined_exec_t,s0)
+
+# Systemd unit files
+/usr/lib/systemd/system/[^/]*halt.* -- gen_context(system_u:object_r:power_unit_t,s0)
+/usr/lib/systemd/system/[^/]*hibernate.* -- gen_context(system_u:object_r:power_unit_t,s0)
+/usr/lib/systemd/system/[^/]*power.* -- gen_context(system_u:object_r:power_unit_t,s0)
+/usr/lib/systemd/system/[^/]*reboot.* -- gen_context(system_u:object_r:power_unit_t,s0)
+/usr/lib/systemd/system/[^/]*shutdown.* -- gen_context(system_u:object_r:power_unit_t,s0)
+/usr/lib/systemd/system/[^/]*sleep.* -- gen_context(system_u:object_r:power_unit_t,s0)
+/usr/lib/systemd/system/[^/]*suspend.* -- gen_context(system_u:object_r:power_unit_t,s0)
+
+/var/lib/systemd/linger(/.*)? gen_context(system_u:object_r:systemd_logind_var_lib_t,s0)
+
+/var/run/\.nologin[^/]* -- gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
+/var/run/nologin -- gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
+
+/var/run/systemd/seats(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
+/var/run/systemd/sessions(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
+/var/run/systemd/users(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
+/var/run/systemd/inhibit(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
+/var/run/tmpfiles\.d/kmod.conf gen_context(system_u:object_r:systemd_kmod_conf_t,s0)
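Review bot: `/var/run/tmpfiles\.d/kmod.conf` leaves the dot in `kmod.conf` unescaped while `tmpfiles\.d` is escaped, and it lacks the `--` that every other regular-file entry here carries; write `/var/run/tmpfiles\.d/kmod\.conf -- gen_context(system_u:object_r:systemd_kmod_conf_t,s0)`. The unit-file patterns such as `/usr/lib/systemd/system/[^/]*power.*` match any unit whose name merely contains the substring (a third-party `upower`-style service, for instance), which would label it `power_unit_t` and let every domain granted `systemd_start_power_units` start it; anchoring on the actual systemd unit names would be tighter. `systemd_sessions_exec_t`, declared in systemd.te, has no entry in this file, so the sessions domain is never entered unless the binary is labelled elsewhere.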
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
new file mode 100644
index 0000000..8bca3a3
--- /dev/null
+++ b/policy/modules/system/systemd.if
@@ -0,0 +1,195 @@
+## <summary>Systemd components (not PID 1)</summary>
+
+######################################
+## <summary>
+## Read systemd_login PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_read_logind_pids',`
+ gen_require(`
+ type systemd_logind_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, systemd_logind_var_run_t, systemd_logind_var_run_t)
+')
+
+######################################
+## <summary>
+## Manage systemd_login PID pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_manage_logind_pid_pipes',`
+ gen_require(`
+ type systemd_logind_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_fifo_files_pattern($1, systemd_logind_var_run_t, systemd_logind_var_run_t)
+')
+
+######################################
+## <summary>
+## Use inherited systemd
+## logind file descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_use_logind_fds',`
+ gen_require(`
+ type systemd_logind_t;
+ ')
+
+ allow $1 systemd_logind_t:fd use;
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## systemd logind over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_dbus_chat_logind',`
+ gen_require(`
+ type systemd_logind_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 systemd_logind_t:dbus send_msg;
+ allow systemd_logind_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Allow process to write to systemd_kmod_conf_t.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`systemd_write_kmod_files',`
+ gen_require(`
+ type systemd_kmod_conf_t;
+ ')
+
+ write_files_pattern($1, var_run_t, systemd_kmod_conf_t)
+')
+
+########################################
+## <summary>
+## Allow process to relabel to systemd_kmod_conf_t.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`systemd_relabelto_kmod_files',`
+ gen_require(`
+ type systemd_kmod_conf_t;
+ ')
+
+ allow $1 systemd_kmod_conf_t:file relabelto_file_perms;
+')
+
+########################################
+## <summary>
+## Read systemd homedir content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_read_home_content',`
+ gen_require(`
+ type systemd_home_t;
+ ')
+
+ optional_policy(`
+ gnome_search_gconf_data_dir($1)
+ ')
+ read_files_pattern($1, systemd_home_t, systemd_home_t)
+ read_lnk_files_pattern($1, systemd_home_t, systemd_home_t)
+')
+
+########################################
+## <summary>
+## Get the system status information from systemd_login
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_status_logind',`
+ gen_require(`
+ type systemd_logind_t;
+ class service status;
+ ')
+
+ allow $1 systemd_logind_t:service status;
+')
+
+########################################
+## <summary>
+## Send systemd_login a null signal.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_signull_logind',`
+ gen_require(`
+ type systemd_logind_t;
+ ')
+
+ allow $1 systemd_logind_t:process signull;
+')
+
+########################################
+## <summary>
+## Allow specified domain to start power units
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`systemd_start_power_units',`
+ gen_require(`
+ type power_unit_t;
+ class service start;
+ ')
+
+ allow $1 power_unit_t:service start;
+')
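Review bot: `systemd_write_kmod_files` uses `var_run_t` in `write_files_pattern($1, var_run_t, systemd_kmod_conf_t)` without listing it in `gen_require`, so a module calling this interface has no guarantee the type is in scope; the refpolicy idiom is `files_search_pids($1)` followed by `allow $1 systemd_kmod_conf_t:file write_file_perms;`. `systemd_read_home_content` requires `systemd_home_t`, which systemd.te in this commit does not declare, so any caller will fail to link until that type exists. The `<param name="domain">` summary of `systemd_start_power_units` reads `Domain to not audit.` although the interface grants access; it should be `Domain allowed access.`, and the same copy-paste error is in `init_stop_all_units` in init.if.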
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
new file mode 100644
index 0000000..597d4aa
--- /dev/null
+++ b/policy/modules/system/systemd.te
@@ -0,0 +1,264 @@
+policy_module(systemd, 1.0.0)
+
+#########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Enable support for systemd-tmpfiles to manage all non-security files.
+## </p>
+## </desc>
+gen_tunable(systemd_tmpfiles_manage_all, false)
+
+type systemd_activate_t;
+type systemd_activate_exec_t;
+init_system_domain(systemd_activate_t, systemd_activate_exec_t)
+
+type systemd_analyze_t;
+type systemd_analyze_exec_t;
+init_daemon_domain(systemd_analyze_t, systemd_analyze_exec_t)
+
+type systemd_backlight_t;
+type systemd_backlight_exec_t;
+init_system_domain(systemd_backlight_t, systemd_backlight_exec_t)
+
+type systemd_binfmt_t;
+type systemd_binfmt_exec_t;
+init_system_domain(systemd_binfmt_t, systemd_binfmt_exec_t)
+
+type systemd_cgroups_t;
+type systemd_cgroups_exec_t;
+domain_type(systemd_cgroups_t)
+domain_entry_file(systemd_cgroups_t, systemd_cgroups_exec_t)
+role system_r types systemd_cgroups_t;
+
+type systemd_cgroups_var_run_t;
+files_pid_file(systemd_cgroups_var_run_t)
+init_daemon_pid_file(systemd_cgroups_var_run_t, dir, "systemd_cgroups")
+
+type systemd_cgtop_t;
+type systemd_cgtop_exec_t;
+init_daemon_domain(systemd_cgtop_t, systemd_cgtop_exec_t)
+
+type systemd_coredump_t;
+type systemd_coredump_exec_t;
+init_system_domain(systemd_coredump_t, systemd_coredump_exec_t)
+
+type systemd_detect_virt_t;
+type systemd_detect_virt_exec_t;
+init_daemon_domain(systemd_detect_virt_t, systemd_detect_virt_exec_t)
+
+type systemd_hostnamed_t;
+type systemd_hostnamed_exec_t;
+init_daemon_domain(systemd_hostnamed_t, systemd_hostnamed_exec_t)
+
+type systemd_locale_t;
+type systemd_locale_exec_t;
+init_system_domain(systemd_locale_t, systemd_locale_exec_t)
+
+type systemd_logind_t;
+type systemd_logind_exec_t;
+init_daemon_domain(systemd_logind_t, systemd_logind_exec_t)
+init_named_socket_activation(systemd_logind_t, systemd_logind_var_run_t)
+
+type systemd_logind_var_lib_t;
+files_type(systemd_logind_var_lib_t)
+
+type systemd_logind_var_run_t;
+files_pid_file(systemd_logind_var_run_t)
+init_daemon_pid_file(systemd_logind_var_run_t, dir, "systemd_logind")
+
+type systemd_machined_t;
+type systemd_machined_exec_t;
+init_daemon_domain(systemd_machined_t, systemd_machined_exec_t)
+
+type systemd_nspawn_t;
+type systemd_nspawn_exec_t;
+init_system_domain(systemd_nspawn_t, systemd_nspawn_exec_t)
+
+type systemd_run_t;
+type systemd_run_exec_t;
+init_daemon_domain(systemd_run_t, systemd_run_exec_t)
+
+type systemd_stdio_bridge_t;
+type systemd_stdio_bridge_exec_t;
+init_system_domain(systemd_stdio_bridge_t, systemd_stdio_bridge_exec_t)
+
+type systemd_passwd_agent_t;
+type systemd_passwd_agent_exec_t;
+init_system_domain(systemd_passwd_agent_t, systemd_passwd_agent_exec_t)
+
+type systemd_sessions_t;
+type systemd_sessions_exec_t;
+init_system_domain(systemd_sessions_t, systemd_sessions_exec_t)
+
+type systemd_sessions_var_run_t;
+files_pid_file(systemd_sessions_var_run_t)
+init_daemon_pid_file(systemd_sessions_var_run_t, dir, "systemd_sessions")
+
+type systemd_tmpfiles_t;
+type systemd_tmpfiles_exec_t;
+type systemd_kmod_conf_t;
+files_config_file(systemd_kmod_conf_t)
+init_daemon_domain(systemd_tmpfiles_t, systemd_tmpfiles_exec_t)
+
+#
+# Unit file types
+#
+
+type power_unit_t;
+init_unit_file(power_unit_t)
+
+######################################
+#
+# Cgroups local policy
+#
+
+kernel_domtrans_to(systemd_cgroups_t, systemd_cgroups_exec_t)
+
+init_stream_connect(systemd_cgroups_t)
+
+logging_send_syslog_msg(systemd_cgroups_t)
+
+kernel_dgram_send(systemd_cgroups_t)
+
+#######################################
+#
+# locale local policy
+#
+
+files_read_etc_files(systemd_locale_t)
+
+logging_send_syslog_msg(systemd_locale_t)
+
+seutil_read_file_contexts(systemd_locale_t)
+
+optional_policy(`
+ dbus_connect_system_bus(systemd_locale_t)
+ dbus_system_bus_client(systemd_locale_t)
+')
+
+#######################################
+#
+# Hostnamed policy
+#
+
+files_read_etc_files(systemd_hostnamed_t)
+
+logging_send_syslog_msg(systemd_hostnamed_t)
+
+seutil_read_file_contexts(systemd_hostnamed_t)
+
+optional_policy(`
+ dbus_system_bus_client(systemd_hostnamed_t)
+ dbus_connect_system_bus(systemd_hostnamed_t)
+')
+
+#########################################
+#
+# Logind local policy
+#
+
+allow systemd_logind_t self:capability { fowner sys_tty_config chown dac_override };
+allow systemd_logind_t self:process getcap;
+allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow systemd_logind_t self:unix_dgram_socket create_socket_perms;
+allow systemd_logind_t self:fifo_file rw_fifo_file_perms;
+
+allow systemd_logind_t systemd_logind_var_lib_t:dir manage_dir_perms;
+init_var_lib_filetrans(systemd_logind_t, systemd_logind_var_lib_t, dir)
+
+manage_fifo_files_pattern(systemd_logind_t, systemd_logind_var_run_t, systemd_logind_var_run_t)
+manage_files_pattern(systemd_logind_t, systemd_logind_var_run_t, systemd_logind_var_run_t)
+files_search_pids(systemd_logind_t)
+
+auth_manage_faillog(systemd_logind_t)
+
+dev_rw_sysfs(systemd_logind_t)
+dev_rw_input_dev(systemd_logind_t)
+dev_getattr_dri_dev(systemd_logind_t)
+dev_setattr_dri_dev(systemd_logind_t)
+dev_getattr_sound_dev(systemd_logind_t)
+dev_setattr_sound_dev(systemd_logind_t)
+
+files_read_etc_files(systemd_logind_t)
+
+fs_getattr_tmpfs(systemd_logind_t)
+
+storage_getattr_removable_dev(systemd_logind_t)
+storage_setattr_removable_dev(systemd_logind_t)
+storage_getattr_scsi_generic_dev(systemd_logind_t)
+storage_setattr_scsi_generic_dev(systemd_logind_t)
+
+term_use_unallocated_ttys(systemd_logind_t)
+
+init_get_all_units_status(systemd_logind_t)
+init_start_all_units(systemd_logind_t)
+init_stop_all_units(systemd_logind_t)
+init_service_status(systemd_logind_t)
+init_service_start(systemd_logind_t)
+# This is for reading /proc/1/cgroup
+init_read_state(systemd_logind_t)
+
+locallogin_read_state(systemd_logind_t)
+
+logging_send_syslog_msg(systemd_logind_t)
+
+systemd_start_power_units(systemd_logind_t)
+
+udev_read_db(systemd_logind_t)
+udev_read_pid_files(systemd_logind_t)
+
+userdom_use_user_ttys(systemd_logind_t)
+
+optional_policy(`
+ dbus_system_bus_client(systemd_logind_t)
+ dbus_connect_system_bus(systemd_logind_t)
+')
+
+#########################################
+#
+# Sessions local policy
+#
+
+allow systemd_sessions_t systemd_sessions_var_run_t:file manage_file_perms;
+files_pid_filetrans(systemd_sessions_t, systemd_sessions_var_run_t, file)
+
+logging_send_syslog_msg(systemd_sessions_t)
+
+#########################################
+#
+# Tmpfiles local policy
+#
+
+allow systemd_tmpfiles_t self:capability { fowner chown fsetid dac_override mknod };
+allow systemd_tmpfiles_t self:process { setfscreate getcap };
+
+dev_relabel_all_sysfs(systemd_tmpfiles_t)
+dev_read_urand(systemd_tmpfiles_t)
+dev_manage_all_dev_nodes(systemd_tmpfiles_t)
+
+files_read_etc_files(systemd_tmpfiles_t)
+files_relabel_all_lock_dirs(systemd_tmpfiles_t)
+files_relabel_all_pid_dirs(systemd_tmpfiles_t)
+files_relabel_all_tmp_dirs(systemd_tmpfiles_t)
+
+auth_manage_var_auth(systemd_tmpfiles_t)
+auth_manage_login_records(systemd_tmpfiles_t)
+auth_relabel_login_records(systemd_tmpfiles_t)
+auth_setattr_login_records(systemd_tmpfiles_t)
+
+logging_send_syslog_msg(systemd_tmpfiles_t)
+
+seutil_read_file_contexts(systemd_tmpfiles_t)
+
+tunable_policy(`systemd_tmpfiles_manage_all',`
+ # systemd-tmpfiles can be configured to manage anything.
+ # have a last-resort option for users to do this.
+ files_manage_non_security_dirs(systemd_tmpfiles_t)
+ files_manage_non_security_files(systemd_tmpfiles_t)
+ files_relabel_non_security_dirs(systemd_tmpfiles_t)
+ files_relabel_non_security_files(systemd_tmpfiles_t)
+')
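Review bot: Eleven of the domains declared here (systemd_activate_t, systemd_analyze_t, systemd_backlight_t, systemd_binfmt_t, systemd_coredump_t, systemd_detect_virt_t, systemd_machined_t, systemd_nspawn_t, systemd_run_t, systemd_stdio_bridge_t, systemd_passwd_agent_t) get an entry-point type and a file context but no local policy section at all, so in enforcing mode those programs are transitioned into a domain that has nothing beyond the baseline every domain receives and will presumably be denied most of what they do; either add a minimal section per domain or mark each with `# TODO: no local policy yet` so the gap is deliberate rather than forgotten. `allow systemd_logind_t self:capability { fowner sys_tty_config chown dac_override };` and `dev_manage_all_dev_nodes(systemd_tmpfiles_t)` are broad and uncommented, and `dac_override` in particular bypasses file permission checks entirely; a line naming the operation that needs each would help the next reviewer, in the style of the existing `# This is for reading /proc/1/cgroup` comment.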
diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
index 06175a7..d4c92cc 100644
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@@ -92,6 +92,25 @@ interface(`udev_read_state',`
allow $1 udev_t:lnk_file read_lnk_file_perms;
')
+
+########################################
+## <summary>
+## Allow domain to create uevent sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`udev_create_kobject_uevent_sockets',`
+ gen_require(`
+ type udev_t;
+ ')
+
+ allow $1 udev_t:netlink_kobject_uevent_socket create_socket_perms;
+')
+
########################################
## <summary>
## Do not audit attempts to inherit a
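Review bot: The summary `Allow domain to create uevent sockets.` undersells the rule: `allow $1 udev_t:netlink_kobject_uevent_socket create_socket_perms;` grants create, read, write and the rest of `create_socket_perms` on sockets labelled udev_t, i.e. udev's own socket, which is what init.te's "socket activated daemon" comment relies on. Suggest `## Create, read, and write udev's kobject uevent netlink sockets (for socket activation).` so callers do not mistake this for permission to create their own uevent sockets.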
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
2015-12-17 18:49 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
@ 2015-12-17 16:10 ` Jason Zaman
From: Jason Zaman @ 2015-12-17 16:10 UTC (permalink / raw
To: gentoo-commits
commit: 6383a0207e2bad0f98f684b20e96da9115686850
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Thu Dec 10 20:46:13 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Dec 17 15:25:22 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6383a020
Module version bumps for 2 patches from Dominick Grift.
policy/modules/kernel/kernel.te | 2 +-
policy/modules/system/authlogin.te | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 2625e2f..7fe0a70 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -1,4 +1,4 @@
-policy_module(kernel, 1.20.0)
+policy_module(kernel, 1.20.1)
########################################
#
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 98ebecd..587b289 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -1,4 +1,4 @@
-policy_module(authlogin, 2.8.0)
+policy_module(authlogin, 2.8.1)
########################################
#
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
@ 2016-01-30 17:21 Jason Zaman
From: Jason Zaman @ 2016-01-30 17:21 UTC (permalink / raw
To: gentoo-commits
commit: 328fabd9384f9ae1ade19b5186e6174901c3cccc
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Wed Jan 6 14:22:11 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Jan 30 17:16:56 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=328fabd9
Module version bump for syslog and systemd changes from Laurent Bigonville
policy/modules/kernel/corecommands.te | 2 +-
policy/modules/system/logging.te | 2 +-
policy/modules/system/systemd.te | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te
index f8cd213..f2cb295 100644
--- a/policy/modules/kernel/corecommands.te
+++ b/policy/modules/kernel/corecommands.te
@@ -1,4 +1,4 @@
-policy_module(corecommands, 1.21.1)
+policy_module(corecommands, 1.21.2)
########################################
#
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index f2e4984..79f8084 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -1,4 +1,4 @@
-policy_module(logging, 1.23.0)
+policy_module(logging, 1.23.1)
########################################
#
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 2376af3..8892447 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1,4 +1,4 @@
-policy_module(systemd, 1.1.1)
+policy_module(systemd, 1.1.2)
#########################################
#
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
@ 2016-05-13 5:37 Jason Zaman
From: Jason Zaman @ 2016-05-13 5:37 UTC (permalink / raw
To: gentoo-commits
commit: c2a314c9ce3a40f510564217177f9ae420447bf1
Author: Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Fri Mar 25 21:35:17 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri May 13 05:07:33 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c2a314c9
Add some labels for SELinux tools path in Debian
policy/modules/kernel/corecommands.fc | 2 ++
policy/modules/system/selinuxutil.fc | 1 +
2 files changed, 3 insertions(+)
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index c228d79..35752e7 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -268,6 +268,8 @@ ifdef(`distro_gentoo',`
/usr/lib/debug/usr/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/debug/usr/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/selinux/hll(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
/usr/lib/[^/]*thunderbird[^/]*/thunderbird -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/[^/]*thunderbird[^/]*/thunderbird-bin -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/[^/]*thunderbird[^/]*/open-browser\.sh -- gen_context(system_u:object_r:bin_t,s0)
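Review bot: The commit message says this label is for Debian, yet the hunk header's context is `ifdef(`distro_gentoo',``; if the new `/usr/lib/selinux/hll(/.*)?` line actually sits inside that block it will never apply on Debian. The surrounding `/usr/lib/debug/...` and thunderbird lines do not show the block's closing `')`, so the placement cannot be confirmed from the hunk alone and is worth a quick check.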
diff --git a/policy/modules/system/selinuxutil.fc b/policy/modules/system/selinuxutil.fc
index 59ae92a..8f0db04 100644
--- a/policy/modules/system/selinuxutil.fc
+++ b/policy/modules/system/selinuxutil.fc
@@ -49,6 +49,7 @@
/var/lib/selinux(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
/var/lib/selinux/[^/]+/semanage\.read\.LOCK -- gen_context(system_u:object_r:semanage_read_lock_t,s0)
/var/lib/selinux/[^/]+/semanage\.trans\.LOCK -- gen_context(system_u:object_r:semanage_trans_lock_t,s0)
+/usr/lib/selinux/semanage_migrate_store -- gen_context(system_u:object_r:semanage_exec_t,s0)
#
# /var/run
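Review bot: `/usr/lib/selinux/semanage_migrate_store` is inserted among the `/var/lib/selinux` entries just before the `# /var/run` header; fc files are grouped by path prefix, so it belongs with the other `/usr` entries earlier in the file. Keeping the sections sorted also makes future merges of the `/usr/lib/selinux` paths from corecommands.fc and this file easier to reconcile.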
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
@ 2016-05-13 5:37 Jason Zaman
From: Jason Zaman @ 2016-05-13 5:37 UTC (permalink / raw
To: gentoo-commits
commit: 2c944c6b0d0251dc5e1e2f73ab40b7d175411a83
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Mon Mar 28 13:59:02 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri May 13 05:07:33 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2c944c6b
Module version bump for Debian fc entries from Laurent Bigonville.
policy/modules/kernel/corecommands.te | 2 +-
policy/modules/system/selinuxutil.te | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te
index eee1a19..e944817 100644
--- a/policy/modules/kernel/corecommands.te
+++ b/policy/modules/kernel/corecommands.te
@@ -1,4 +1,4 @@
-policy_module(corecommands, 1.21.3)
+policy_module(corecommands, 1.21.4)
########################################
#
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 76abb95..50015ad 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -1,4 +1,4 @@
-policy_module(selinuxutil, 1.20.0)
+policy_module(selinuxutil, 1.20.1)
gen_require(`
bool secure_mode;
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
@ 2016-06-02 6:32 Jason Zaman
From: Jason Zaman @ 2016-06-02 6:32 UTC (permalink / raw
To: gentoo-commits
commit: a401ae8d3246a7b6bbf23913fa2d01cc56d8d406
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Tue May 31 13:15:40 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Jun 1 18:20:07 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a401ae8d
Module version bump for mlstrustedsocket from qqo.
policy/modules/kernel/mls.te | 2 +-
policy/modules/system/logging.te | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/kernel/mls.te b/policy/modules/kernel/mls.te
index 832f83f..e508050 100644
--- a/policy/modules/kernel/mls.te
+++ b/policy/modules/kernel/mls.te
@@ -1,4 +1,4 @@
-policy_module(mls, 1.8.0)
+policy_module(mls, 1.8.1)
########################################
#
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 08cff69..d9737d0 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -1,4 +1,4 @@
-policy_module(logging, 1.23.1)
+policy_module(logging, 1.23.2)
########################################
#
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
@ 2016-12-06 12:26 Jason Zaman
From: Jason Zaman @ 2016-12-06 12:26 UTC (permalink / raw
To: gentoo-commits
commit: 40723b89de76f03758e907073b07c3ca5b6de1bf
Author: Russell Coker <russell <AT> coker <DOT> com <DOT> au>
AuthorDate: Fri Oct 21 08:35:53 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Nov 27 15:12:11 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=40723b89
single binary modutils
On Tuesday, 2 August 2016 7:59:28 PM AEDT Chris PeBenito wrote:
> On 07/31/16 08:34, Russell Coker wrote:
> > The following patch deals with a single binary for modutils, so depmod_t,
> > and insmod_t are merged.
>
> Since the main SELinux distros (including RHEL/CentOS 7) all have merged
> modutils these days, I'm open to taking a patch that fully merges these
> domains (in which case renaming to kmod_t, with proper aliasing seems
> the best idea).
>
> However, it's been some time since I used a busybox-based system; does
> busybox still have separated tools? Yes, this is a bit of an obvious
> question since busybox is also single-binary, but IIRC, the embedded
> guys made some tiny helper scripts or executables so proper
> transitioning could occur. Separate domains may still make sense.
As we have had no response from Busybox users in the last 3 months and also no
response to the thread Luis started in 2013 I think it's safe to assume that
they don't need this.
I've attached a new patch which renames to kmod_t as you suggested. Please
consider it for inclusion.
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
Description: Change modutils policy to match the use of a single binary
Author: Russell Coker <russell <AT> coker.com.au>
Last-Update: 2014-06-25
policy/modules/kernel/kernel.te | 3 +
policy/modules/kernel/terminal.if | 20 +++
policy/modules/system/modutils.fc | 19 +-
policy/modules/system/modutils.if | 4 +-
policy/modules/system/modutils.te | 352 +++++++++++---------------------------
5 files changed, 136 insertions(+), 262 deletions(-)
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index ec05ca1..811494f 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -278,6 +278,9 @@ selinux_load_policy(kernel_t)
term_use_console(kernel_t)
+# for kdevtmpfs
+term_setattr_unlink_unallocated_ttys(kernel_t)
+
corecmd_exec_shell(kernel_t)
corecmd_list_bin(kernel_t)
# /proc/sys/kernel/modprobe is set to /bin/true if not using modules.
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
index ed52733..86692b0 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@@ -1103,6 +1103,26 @@ interface(`term_getattr_unallocated_ttys',`
########################################
## <summary>
+## Setattr and unlink unallocated tty device nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`term_setattr_unlink_unallocated_ttys',`
+ gen_require(`
+ type tty_device_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 tty_device_t:chr_file { getattr setattr unlink };
+')
+
+########################################
+## <summary>
## Do not audit attempts to get the attributes
## of all unallocated tty device nodes.
## </summary>
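Review bot: The `<rolecap/>` tag on `term_setattr_unlink_unallocated_ttys` looks unintended: it advertises an interface that grants `unlink` on every tty_device_t node as suitable for user roles, while the only caller this commit adds is kernel_t (the kdevtmpfs hunk in kernel.te). The summary also omits `getattr`, which the allow rule grants as well; `## Get attributes, set attributes and unlink unallocated tty device nodes.` would match the rule. If the tag is deliberate, a comment stating which role-level use needs it would help the next reader.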
diff --git a/policy/modules/system/modutils.fc b/policy/modules/system/modutils.fc
index 9933677..7adbbd7 100644
--- a/policy/modules/system/modutils.fc
+++ b/policy/modules/system/modutils.fc
@@ -1,4 +1,4 @@
-/bin/kmod -- gen_context(system_u:object_r:insmod_exec_t,s0)
+/bin/kmod -- gen_context(system_u:object_r:kmod_exec_t,s0)
/etc/modules\.conf.* -- gen_context(system_u:object_r:modules_conf_t,s0)
/etc/modprobe\.conf.* -- gen_context(system_u:object_r:modules_conf_t,s0)
@@ -14,12 +14,13 @@ ifdef(`distro_gentoo',`
/lib/modules/modprobe\.conf -- gen_context(system_u:object_r:modules_conf_t,s0)
-/sbin/depmod.* -- gen_context(system_u:object_r:depmod_exec_t,s0)
-/sbin/generate-modprobe\.conf -- gen_context(system_u:object_r:update_modules_exec_t,s0)
-/sbin/insmod.* -- gen_context(system_u:object_r:insmod_exec_t,s0)
-/sbin/modprobe.* -- gen_context(system_u:object_r:insmod_exec_t,s0)
-/sbin/modules-update -- gen_context(system_u:object_r:update_modules_exec_t,s0)
-/sbin/rmmod.* -- gen_context(system_u:object_r:insmod_exec_t,s0)
-/sbin/update-modules -- gen_context(system_u:object_r:update_modules_exec_t,s0)
+/sbin/depmod.* -- gen_context(system_u:object_r:kmod_exec_t,s0)
+/sbin/generate-modprobe\.conf -- gen_context(system_u:object_r:kmod_exec_t,s0)
+/sbin/insmod.* -- gen_context(system_u:object_r:kmod_exec_t,s0)
+/sbin/modprobe.* -- gen_context(system_u:object_r:kmod_exec_t,s0)
+/sbin/modules-update -- gen_context(system_u:object_r:kmod_exec_t,s0)
+/sbin/rmmod.* -- gen_context(system_u:object_r:kmod_exec_t,s0)
+/sbin/update-modules -- gen_context(system_u:object_r:kmod_exec_t,s0)
-/usr/bin/kmod -- gen_context(system_u:object_r:insmod_exec_t,s0)
+/usr/bin/kmod -- gen_context(system_u:object_r:kmod_exec_t,s0)
+/var/run/tmpfiles.d(/.*)? gen_context(system_u:object_r:kmod_var_run_t,s0)
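Review bot: The new `/var/run/tmpfiles.d(/.*)?` entry labels the whole directory, and every fragment any other component drops there, as kmod_var_run_t, although the matching comment in modutils.te (`# for /run/tmpfiles.d/kmod.conf`) only needs kmod's own fragment; combined with the `manage_dir_perms`/`manage_file_perms` rules on kmod_var_run_t in that file, kmod_t can then replace or remove other components' fragments, and those components would need write access to a kmod-owned type. A narrower entry such as `/var/run/tmpfiles.d/kmod\.conf -- gen_context(system_u:object_r:kmod_var_run_t,s0)` keeps the type to the file kmod creates, with the directory itself left on a neutral type. Whether anything else writes to /run/tmpfiles.d on the target systems cannot be seen from the diff, so the impact is inferred.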
diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if
index d4d6f55..ae08251 100644
--- a/policy/modules/system/modutils.if
+++ b/policy/modules/system/modutils.if
@@ -229,7 +229,7 @@ interface(`modutils_domtrans_depmod',`
########################################
## <summary>
-## Execute update_modules in the update_modules domain.
+## Execute depmod in the depmod domain.
## </summary>
## <param name="domain">
## <summary>
@@ -273,7 +273,7 @@ interface(`modutils_exec_depmod',`
########################################
## <summary>
-## Execute depmod in the depmod domain.
+## Execute update_modules in the update_modules domain.
## </summary>
## <param name="domain">
## <summary>
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index de34ed4..3b95f98 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -5,18 +5,15 @@ policy_module(modutils, 1.16.0)
# Declarations
#
-attribute_role update_modules_roles;
+type kmod_t;
+typealias kmod_t alias { insmod_t depmod_t update_modules_t };
-type depmod_t;
-type depmod_exec_t;
-init_system_domain(depmod_t, depmod_exec_t)
-role system_r types depmod_t;
+type kmod_exec_t;
+typealias kmod_exec_t alias { insmod_exec_t depmod_exec_t update_modules_exec_t };
-type insmod_t;
-type insmod_exec_t;
-application_domain(insmod_t, insmod_exec_t)
-mls_file_write_all_levels(insmod_t)
-role system_r types insmod_t;
+application_domain(kmod_t, kmod_exec_t)
+mls_file_write_all_levels(kmod_t)
+role system_r types kmod_t;
# module loading config
type modules_conf_t;
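Review bot: `attribute_role update_modules_roles` is removed at the top of the hunk, but modutils.if in this commit only changes two summary comments, so any remaining `roleattribute`/`role ... types` use of update_modules_roles in `modutils_run_update_modules` would now reference an undeclared attribute; please confirm the .if no longer uses it. The merge also turns depmod_t and update_modules_t, previously `init_system_domain`, into aliases of an `application_domain`, so callers that relied on the init transition for those domains lose it silently. A comment next to the typealias, e.g. `# depmod_t and update_modules_t were init_system_domain; the merged kmod_t is an application domain`, would help anyone bisecting a later denial.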
@@ -26,311 +23,164 @@ files_type(modules_conf_t)
type modules_dep_t;
files_type(modules_dep_t)
-type update_modules_t;
-type update_modules_exec_t;
-init_system_domain(update_modules_t, update_modules_exec_t)
-roleattribute system_r update_modules_roles;
-role update_modules_roles types update_modules_t;
-
-type update_modules_tmp_t;
-files_tmp_file(update_modules_tmp_t)
-
-########################################
-#
-# depmod local policy
-#
-
-can_exec(depmod_t, depmod_exec_t)
-
-# Read conf.modules.
-read_files_pattern(depmod_t, modules_conf_t, modules_conf_t)
-
-allow depmod_t modules_dep_t:file manage_file_perms;
-files_kernel_modules_filetrans(depmod_t, modules_dep_t, file)
-
-kernel_read_system_state(depmod_t)
-
-corecmd_search_bin(depmod_t)
-
-domain_use_interactive_fds(depmod_t)
-
-files_read_kernel_symbol_table(depmod_t)
-files_read_kernel_modules(depmod_t)
-files_read_etc_runtime_files(depmod_t)
-files_read_etc_files(depmod_t)
-files_read_usr_src_files(depmod_t)
-files_list_usr(depmod_t)
-
-fs_getattr_xattr_fs(depmod_t)
-
-term_use_console(depmod_t)
-
-init_use_fds(depmod_t)
-init_use_script_fds(depmod_t)
-init_use_script_ptys(depmod_t)
-
-userdom_use_user_terminals(depmod_t)
-# Read System.map from home directories.
-files_list_home(depmod_t)
-userdom_read_user_home_content_files(depmod_t)
-
-ifdef(`distro_ubuntu',`
- optional_policy(`
- unconfined_domain(depmod_t)
- ')
-')
-
-tunable_policy(`use_nfs_home_dirs',`
- fs_read_nfs_files(depmod_t)
-')
-
-tunable_policy(`use_samba_home_dirs',`
- fs_read_cifs_files(depmod_t)
-')
-
-optional_policy(`
- rpm_rw_pipes(depmod_t)
- rpm_manage_script_tmp_files(depmod_t)
-')
-
-optional_policy(`
- # Read System.map from home directories.
- unconfined_domain(depmod_t)
-')
+type kmod_var_run_t;
+files_pid_file(kmod_var_run_t)
########################################
#
# insmod local policy
#
-allow insmod_t self:capability { dac_override net_raw sys_nice sys_tty_config };
-allow insmod_t self:process { execmem sigchld sigkill sigstop signull signal };
+allow kmod_t self:capability { dac_override net_raw sys_nice sys_tty_config };
+allow kmod_t self:process { execmem sigchld sigkill sigstop signull signal };
-allow insmod_t self:udp_socket create_socket_perms;
-allow insmod_t self:rawip_socket create_socket_perms;
+allow kmod_t self:udp_socket create_socket_perms;
+allow kmod_t self:rawip_socket create_socket_perms;
# Read module config and dependency information
-list_dirs_pattern(insmod_t, modules_conf_t, modules_conf_t)
-read_files_pattern(insmod_t, modules_conf_t, modules_conf_t)
-list_dirs_pattern(insmod_t, modules_dep_t, modules_dep_t)
-read_files_pattern(insmod_t, modules_dep_t, modules_dep_t)
-
-can_exec(insmod_t, insmod_exec_t)
-
-kernel_load_module(insmod_t)
-kernel_request_load_module(insmod_t)
-kernel_read_system_state(insmod_t)
-kernel_read_network_state(insmod_t)
-kernel_write_proc_files(insmod_t)
-kernel_mount_debugfs(insmod_t)
-kernel_mount_kvmfs(insmod_t)
-kernel_read_debugfs(insmod_t)
+list_dirs_pattern(kmod_t, modules_conf_t, modules_conf_t)
+read_files_pattern(kmod_t, modules_conf_t, modules_conf_t)
+list_dirs_pattern(kmod_t, modules_dep_t, modules_dep_t)
+manage_files_pattern(kmod_t, modules_dep_t, modules_dep_t)
+filetrans_add_pattern(kmod_t, modules_object_t, modules_dep_t, file)
+create_files_pattern(kmod_t, modules_object_t, modules_dep_t)
+delete_files_pattern(kmod_t, modules_object_t, modules_dep_t)
+
+can_exec(kmod_t, kmod_exec_t)
+
+kernel_load_module(kmod_t)
+kernel_request_load_module(kmod_t)
+kernel_read_system_state(kmod_t)
+kernel_read_network_state(kmod_t)
+kernel_write_proc_files(kmod_t)
+kernel_mount_debugfs(kmod_t)
+kernel_mount_kvmfs(kmod_t)
+kernel_read_debugfs(kmod_t)
# Rules for /proc/sys/kernel/tainted
-kernel_read_kernel_sysctls(insmod_t)
-kernel_rw_kernel_sysctl(insmod_t)
-kernel_read_hotplug_sysctls(insmod_t)
-kernel_setsched(insmod_t)
+kernel_read_kernel_sysctls(kmod_t)
+kernel_rw_kernel_sysctl(kmod_t)
+kernel_read_hotplug_sysctls(kmod_t)
+kernel_setsched(kmod_t)
# for when /var is not mounted early in the boot:
-kernel_dontaudit_search_unlabeled(insmod_t)
-
-corecmd_exec_bin(insmod_t)
-corecmd_exec_shell(insmod_t)
-
-dev_rw_sysfs(insmod_t)
-dev_search_usbfs(insmod_t)
-dev_rw_mtrr(insmod_t)
-dev_read_urand(insmod_t)
-dev_rw_agp(insmod_t)
-dev_read_sound(insmod_t)
-dev_write_sound(insmod_t)
-dev_rw_apm_bios(insmod_t)
-
-domain_signal_all_domains(insmod_t)
-domain_use_interactive_fds(insmod_t)
-
-files_read_kernel_modules(insmod_t)
-files_read_etc_runtime_files(insmod_t)
-files_read_etc_files(insmod_t)
-files_read_usr_files(insmod_t)
-files_exec_etc_files(insmod_t)
+kernel_dontaudit_search_unlabeled(kmod_t)
+
+corecmd_exec_bin(kmod_t)
+corecmd_exec_shell(kmod_t)
+
+# for /run/tmpfiles.d/kmod.conf
+files_pid_filetrans(kmod_t, kmod_var_run_t, dir)
+allow kmod_t kmod_var_run_t:dir manage_dir_perms;
+allow kmod_t kmod_var_run_t:file manage_file_perms;
+
+dev_rw_sysfs(kmod_t)
+dev_search_usbfs(kmod_t)
+dev_rw_mtrr(kmod_t)
+dev_read_urand(kmod_t)
+dev_rw_agp(kmod_t)
+dev_read_sound(kmod_t)
+dev_write_sound(kmod_t)
+dev_rw_apm_bios(kmod_t)
+
+domain_signal_all_domains(kmod_t)
+domain_use_interactive_fds(kmod_t)
+
+files_read_kernel_modules(kmod_t)
+files_read_etc_runtime_files(kmod_t)
+files_read_etc_files(kmod_t)
+files_read_usr_files(kmod_t)
+files_exec_etc_files(kmod_t)
# for nscd:
-files_dontaudit_search_pids(insmod_t)
+files_dontaudit_search_pids(kmod_t)
# for locking: (cjp: ????)
-files_write_kernel_modules(insmod_t)
+files_write_kernel_modules(kmod_t)
-fs_getattr_xattr_fs(insmod_t)
-fs_dontaudit_use_tmpfs_chr_dev(insmod_t)
+fs_getattr_xattr_fs(kmod_t)
+fs_dontaudit_use_tmpfs_chr_dev(kmod_t)
-init_rw_initctl(insmod_t)
-init_use_fds(insmod_t)
-init_use_script_fds(insmod_t)
-init_use_script_ptys(insmod_t)
+init_rw_initctl(kmod_t)
+init_use_fds(kmod_t)
+init_use_script_fds(kmod_t)
+init_use_script_ptys(kmod_t)
-logging_send_syslog_msg(insmod_t)
-logging_search_logs(insmod_t)
+logging_send_syslog_msg(kmod_t)
+logging_search_logs(kmod_t)
-miscfiles_read_localization(insmod_t)
+miscfiles_read_localization(kmod_t)
-seutil_read_file_contexts(insmod_t)
+seutil_read_file_contexts(kmod_t)
-userdom_use_user_terminals(insmod_t)
+userdom_use_user_terminals(kmod_t)
-userdom_dontaudit_search_user_home_dirs(insmod_t)
+userdom_dontaudit_search_user_home_dirs(kmod_t)
-kernel_domtrans_to(insmod_t, insmod_exec_t)
+kernel_domtrans_to(kmod_t, kmod_exec_t)
ifdef(`init_systemd',`
- kernel_search_key(insmod_t)
+ kernel_search_key(kmod_t)
- init_rw_stream_sockets(insmod_t)
+ init_rw_stream_sockets(kmod_t)
- systemd_write_kmod_files(insmod_t)
+ systemd_write_kmod_files(kmod_t)
')
optional_policy(`
- alsa_domtrans(insmod_t)
+ alsa_domtrans(kmod_t)
')
optional_policy(`
- firstboot_dontaudit_rw_pipes(insmod_t)
- firstboot_dontaudit_rw_stream_sockets(insmod_t)
+ firstboot_dontaudit_rw_pipes(kmod_t)
+ firstboot_dontaudit_rw_stream_sockets(kmod_t)
')
optional_policy(`
- hal_write_log(insmod_t)
+ hal_write_log(kmod_t)
')
optional_policy(`
- hotplug_search_config(insmod_t)
+ hotplug_search_config(kmod_t)
')
optional_policy(`
- mount_domtrans(insmod_t)
+ mount_domtrans(kmod_t)
')
optional_policy(`
- nis_use_ypbind(insmod_t)
+ nis_use_ypbind(kmod_t)
')
optional_policy(`
- nscd_use(insmod_t)
+ nscd_use(kmod_t)
')
optional_policy(`
- fs_manage_ramfs_files(insmod_t)
+ fs_manage_ramfs_files(kmod_t)
- rhgb_use_fds(insmod_t)
- rhgb_dontaudit_use_ptys(insmod_t)
+ rhgb_use_fds(kmod_t)
+ rhgb_dontaudit_use_ptys(kmod_t)
- xserver_dontaudit_write_log(insmod_t)
- xserver_stream_connect(insmod_t)
- xserver_dontaudit_rw_stream_sockets(insmod_t)
+ xserver_dontaudit_write_log(kmod_t)
+ xserver_stream_connect(kmod_t)
+ xserver_dontaudit_rw_stream_sockets(kmod_t)
ifdef(`hide_broken_symptoms',`
- xserver_dontaudit_rw_tcp_sockets(insmod_t)
+ xserver_dontaudit_rw_tcp_sockets(kmod_t)
')
')
optional_policy(`
- rpm_rw_pipes(insmod_t)
+ rpm_rw_pipes(kmod_t)
')
optional_policy(`
- tmpfiles_create_var_run_files(insmod_t)
- tmpfiles_write_var_run_files(insmod_t)
-')
-
-optional_policy(`
- unconfined_domain(insmod_t)
- unconfined_dontaudit_rw_pipes(insmod_t)
+ unconfined_domain(kmod_t)
+ unconfined_dontaudit_rw_pipes(kmod_t)
+ unconfined_domtrans_to(kmod_t, kmod_exec_t)
')
optional_policy(`
# cjp: why is this needed:
- dev_rw_xserver_misc(insmod_t)
-
- xserver_getattr_log(insmod_t)
-')
-
-#################################
-#
-# update-modules local policy
-#
-
-allow update_modules_t self:fifo_file rw_fifo_file_perms;
-
-allow update_modules_t modules_dep_t:file rw_file_perms;
-
-can_exec(update_modules_t, insmod_exec_t)
-can_exec(update_modules_t, update_modules_exec_t)
-
-# manage module loading configuration
-manage_files_pattern(update_modules_t, modules_conf_t, modules_conf_t)
-files_kernel_modules_filetrans(update_modules_t, modules_conf_t, file)
-files_etc_filetrans(update_modules_t, modules_conf_t, file)
-
-# transition to depmod
-domain_auto_trans(update_modules_t, depmod_exec_t, depmod_t)
-allow update_modules_t depmod_t:fd use;
-allow depmod_t update_modules_t:fd use;
-allow depmod_t update_modules_t:fifo_file rw_file_perms;
-allow depmod_t update_modules_t:process sigchld;
-
-manage_dirs_pattern(update_modules_t, update_modules_tmp_t, update_modules_tmp_t)
-manage_files_pattern(update_modules_t, update_modules_tmp_t, update_modules_tmp_t)
-files_tmp_filetrans(update_modules_t, update_modules_tmp_t, { file dir })
-
-kernel_read_kernel_sysctls(update_modules_t)
-kernel_read_system_state(update_modules_t)
-
-corecmd_exec_bin(update_modules_t)
-corecmd_exec_shell(update_modules_t)
-
-dev_read_urand(update_modules_t)
+ dev_rw_xserver_misc(kmod_t)
-domain_use_interactive_fds(update_modules_t)
-
-files_read_etc_runtime_files(update_modules_t)
-files_read_etc_files(update_modules_t)
-files_exec_etc_files(update_modules_t)
-
-fs_getattr_xattr_fs(update_modules_t)
-
-term_use_console(update_modules_t)
-
-init_use_fds(update_modules_t)
-init_use_script_fds(update_modules_t)
-init_use_script_ptys(update_modules_t)
-
-logging_send_syslog_msg(update_modules_t)
-
-miscfiles_read_localization(update_modules_t)
-
-modutils_run_insmod(update_modules_t, update_modules_roles)
-
-userdom_use_user_terminals(update_modules_t)
-userdom_dontaudit_search_user_home_dirs(update_modules_t)
-
-ifdef(`distro_gentoo',`
- kernel_list_unlabeled(update_modules_t) # /var
-
- files_search_pids(update_modules_t)
- files_getattr_usr_src_files(update_modules_t)
-
- # update-modules on Gentoo throws errors when run because it
- # sources /etc/init.d/functions.sh, which always scans
- # /var/lib/init.d to set SOFTLEVEL environment var.
- # This is never used by update-modules.
- files_dontaudit_search_var_lib(update_modules_t)
- init_dontaudit_read_script_status_files(update_modules_t)
-
- optional_policy(`
- consoletype_exec(update_modules_t)
- ')
+ xserver_getattr_log(kmod_t)
')
-ifdef(`distro_ubuntu',`
- optional_policy(`
- unconfined_domain(update_modules_t)
- ')
-')
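Review bot: `filetrans_add_pattern(kmod_t, modules_object_t, modules_dep_t, file)`, `create_files_pattern(...)` and `delete_files_pattern(...)` reference modules_object_t directly in modutils.te without a `gen_require` or a files_* interface, unlike the `files_kernel_modules_filetrans(depmod_t, modules_dep_t, file)` they replace; that type belongs to the files module, so in a modular build the reference either fails to compile or quietly depends on monolithic linking. Keeping `files_kernel_modules_filetrans(kmod_t, modules_dep_t, file)` and adding a files interface for creating and deleting modules_dep_t files in the modules directory would preserve the layering. The surviving `# insmod local policy` header now describes the merged domain and could read `# kmod local policy`.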
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
@ 2017-01-01 16:36 Jason Zaman
From: Jason Zaman @ 2017-01-01 16:36 UTC (permalink / raw
To: gentoo-commits
commit: 1cd6b4275bef63da2c4c37ad68574230fad38a3f
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Fri Dec 23 01:15:14 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jan 1 16:26:28 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1cd6b427
modutils: update to run in confined mode
Update the modutils module so that it can run in confined
mode instead of unconfined mode.
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
policy/modules/kernel/files.if | 1 +
policy/modules/system/modutils.te | 10 ++--------
2 files changed, 3 insertions(+), 8 deletions(-)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 82901bc..3fc0487 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -4102,6 +4102,7 @@ interface(`files_manage_kernel_modules',`
type modules_object_t;
')
+ allow $1 modules_object_t:dir rw_dir_perms;
manage_files_pattern($1, modules_object_t, modules_object_t)
')
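Review bot: The added `allow $1 modules_object_t:dir rw_dir_perms;` duplicates what the `manage_files_pattern($1, modules_object_t, modules_object_t)` on the next line already grants, since that pattern expands to rw_dir_perms on its directory argument and manage_file_perms on its file argument. If the line was added in response to a real denial, recording which permission was missing would be worth more than the duplicate rule; otherwise it can be dropped. The interface `files_manage_kernel_modules` begins outside the hunk.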
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index 2448f06..1a138a8 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -89,8 +89,8 @@ files_read_usr_files(kmod_t)
files_exec_etc_files(kmod_t)
# for nscd:
files_dontaudit_search_pids(kmod_t)
-# for locking: (cjp: ????)
-files_write_kernel_modules(kmod_t)
+# to manage modules.dep
+files_manage_kernel_modules(kmod_t)
fs_getattr_xattr_fs(kmod_t)
fs_dontaudit_use_tmpfs_chr_dev(kmod_t)
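Review bot: `files_manage_kernel_modules(kmod_t)` is wider than the comment `# to manage modules.dep` states: it grants manage permissions on every modules_object_t file, i.e. the kernel module objects themselves, whereas modules.dep is labeled modules_dep_t and the domain presumably already has `manage_files_pattern(kmod_t, modules_dep_t, modules_dep_t)` from the earlier merge. Letting the domain that loads modules also rewrite or delete the .ko files removes the integrity separation the two types provide. If only creating modules.dep inside the modules directory is needed, an interface limited to that (modules_object_t dir, modules_dep_t file), or at least a comment explaining why full manage of modules_object_t is required, would be preferable.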
@@ -166,12 +166,6 @@ optional_policy(`
')
optional_policy(`
- unconfined_domain(kmod_t)
- unconfined_dontaudit_rw_pipes(kmod_t)
- unconfined_domtrans_to(kmod_t, kmod_exec_t)
-')
-
-optional_policy(`
# cjp: why is this needed:
dev_rw_xserver_misc(kmod_t)
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
@ 2017-02-17 8:44 Jason Zaman
From: Jason Zaman @ 2017-02-17 8:44 UTC (permalink / raw
To: gentoo-commits
commit: 70c735ee60f9f82af114a3ea3479955a3659a101
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Feb 8 21:56:09 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Feb 17 08:13:37 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=70c735ee
mon policy from Russell Coker.
policy/modules/kernel/corenetwork.te.in | 3 ++-
policy/modules/system/init.if | 18 ++++++++++++++----
policy/modules/system/init.te | 2 +-
3 files changed, 17 insertions(+), 6 deletions(-)
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index efae68ae..68aba14c 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -1,4 +1,4 @@
-policy_module(corenetwork, 1.23.1)
+policy_module(corenetwork, 1.23.2)
########################################
#
@@ -179,6 +179,7 @@ network_port(matahari, tcp,49000,s0, udp,49000,s0)
network_port(memcache, tcp,11211,s0, udp,11211,s0)
network_port(milter) # no defined portcon
network_port(mmcc, tcp,5050,s0, udp,5050,s0)
+network_port(mon, tcp,2583,s0, udp,2583,s0)
network_port(monit, tcp,2812,s0)
network_port(monopd, tcp,1234,s0)
network_port(mountd, tcp,20048,s0, udp,20048,s0)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 82f94548..fdf3f034 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1088,11 +1088,21 @@ interface(`init_pid_filetrans',`
## </param>
#
interface(`init_getattr_initctl',`
- gen_require(`
- type initctl_t;
- ')
+ ifdef(`init_systemd',`
+ # stat /run/systemd/initctl/fifo
+ gen_require(`
+ type init_var_run_t;
+ ')
- allow $1 initctl_t:fifo_file getattr;
+ allow $1 init_var_run_t:fifo_file getattr;
+ allow $1 init_var_run_t:dir list_dir_perms;
+ ',`
+ gen_require(`
+ type initctl_t;
+ ')
+
+ allow $1 initctl_t:fifo_file getattr;
+ ')
')
########################################
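Review bot: `allow $1 init_var_run_t:dir list_dir_perms;` in the systemd branch grants more than the interface name (getattr of initctl) suggests: a stat of `/run/systemd/initctl/fifo` needs only directory search, so `allow $1 init_var_run_t:dir search_dir_perms;` would suffice unless a caller also has to enumerate /run/systemd. The `fifo_file getattr` rule likewise applies to every fifo labeled init_var_run_t rather than just initctl, which may be acceptable but deserves a comment. The doc block of `init_getattr_initctl` begins outside the hunk, so its summary could not be checked against the new scope.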
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index c688c89b..03aaae53 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 2.2.1)
+policy_module(init, 2.2.2)
gen_require(`
class passwd rootok;
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
2017-02-25 16:58 [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/kernel/, policy/modules/system/ Jason Zaman
@ 2017-02-25 16:58 ` Jason Zaman
From: Jason Zaman @ 2017-02-25 16:58 UTC (permalink / raw
To: gentoo-commits
commit: 4b4fbc24ce430965cce854d871cefa9666be2569
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Feb 25 14:35:10 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 25 16:43:11 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4b4fbc24
systemd: Further revisions from Russell Coker.
policy/modules/kernel/devices.if | 18 +++
policy/modules/kernel/devices.te | 2 +-
policy/modules/kernel/filesystem.if | 20 ++++
policy/modules/kernel/filesystem.te | 2 +-
policy/modules/system/init.if | 18 +++
policy/modules/system/init.te | 2 +-
policy/modules/system/lvm.if | 18 +++
policy/modules/system/lvm.te | 2 +-
policy/modules/system/systemd.te | 221 +++++++++++++++++++++++++++++++-----
9 files changed, 270 insertions(+), 33 deletions(-)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index b51a25ac..7e09e6f2 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -880,6 +880,24 @@ interface(`dev_relabel_generic_symlinks',`
########################################
## <summary>
+## write generic sock files in /dev.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dev_write_generic_sock_files',`
+ gen_require(`
+ type device_t;
+ ')
+
+ write_sock_files_pattern($1, device_t, device_t)
+')
+
+########################################
+## <summary>
## Create, delete, read, and write device nodes in device directories.
## </summary>
## <param name="domain">
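Review bot: The parameter summary of `dev_write_generic_sock_files` reads `Domain to not audit.` although the interface is an allow rule (`write_sock_files_pattern`), not a dontaudit; it should read `Domain allowed access.` like the neighbouring interfaces. The summary line could also be capitalised, `## Write generic sock files in /dev.`, to match the house style.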
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 470f0f00..571abc30 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -1,4 +1,4 @@
-policy_module(devices, 1.20.3)
+policy_module(devices, 1.20.4)
########################################
#
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index bd6084b3..9069b0c2 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -787,6 +787,26 @@ interface(`fs_relabel_cgroup_dirs',`
########################################
## <summary>
+## Get attributes of cgroup files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_getattr_cgroup_files',`
+ gen_require(`
+ type cgroup_t;
+ ')
+
+ getattr_files_pattern($1, cgroup_t, cgroup_t)
+ fs_search_tmpfs($1)
+ dev_search_sysfs($1)
+')
+
+########################################
+## <summary>
## Read cgroup files.
## </summary>
## <param name="domain">
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index be04ea8c..23705cd3 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -1,4 +1,4 @@
-policy_module(filesystem, 1.22.2)
+policy_module(filesystem, 1.22.3)
########################################
#
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 8d65e648..6de0a2d7 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1068,6 +1068,24 @@ interface(`init_dbus_chat',`
########################################
## <summary>
+## List /var/lib/systemd/ dir
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_list_var_lib_dirs',`
+ gen_require(`
+ type init_var_lib_t;
+ ')
+
+ allow $1 init_var_lib_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
## Manage files in /var/lib/systemd/.
## </summary>
## <param name="domain">
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 54ca2ceb..c9c1eb6b 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 2.2.6)
+policy_module(init, 2.2.7)
gen_require(`
class passwd rootok;
diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if
index 88fa9442..49cee54d 100644
--- a/policy/modules/system/lvm.if
+++ b/policy/modules/system/lvm.if
@@ -65,6 +65,24 @@ interface(`lvm_run',`
########################################
## <summary>
+## Send lvm a null signal.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`lvm_signull',`
+ gen_require(`
+ type lvm_t;
+ ')
+
+ allow $1 lvm_t:process signull;
+')
+
+########################################
+## <summary>
## Read LVM configuration files.
## </summary>
## <param name="domain">
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index f8fed91d..e6984249 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -1,4 +1,4 @@
-policy_module(lvm, 1.19.3)
+policy_module(lvm, 1.19.4)
########################################
#
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 40719e93..6c8caa8d 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1,4 +1,4 @@
-policy_module(systemd, 1.3.7)
+policy_module(systemd, 1.3.8)
#########################################
#
@@ -160,24 +160,6 @@ init_unit_file(power_unit_t)
######################################
#
-# systemd log parse enviroment
-#
-
-# Do not audit setsockopt(fd, SOL_SOCKET, SO_SNDBUFFORCE, ...) failure (e.g. when using create_log_socket() internal function)
-dontaudit systemd_log_parse_env_type self:capability net_admin;
-
-kernel_read_system_state(systemd_log_parse_env_type)
-
-dev_write_kmsg(systemd_log_parse_env_type)
-
-term_use_console(systemd_log_parse_env_type)
-
-init_read_state(systemd_log_parse_env_type)
-
-logging_send_syslog_msg(systemd_log_parse_env_type)
-
-######################################
-#
# Backlight local policy
#
@@ -226,23 +208,43 @@ init_stream_connect(systemd_cgroups_t)
systemd_log_parse_environment(systemd_cgroups_t)
-#######################################
+######################################
#
-# locale local policy
+# coredump local policy
#
-kernel_read_kernel_sysctls(systemd_locale_t)
+allow systemd_coredump_t self:unix_dgram_socket { create write connect getopt setopt };
+allow systemd_coredump_t self:capability { setgid setuid setpcap };
+allow systemd_coredump_t self:process { getcap setcap setfscreate };
-files_read_etc_files(systemd_locale_t)
+manage_files_pattern(systemd_coredump_t, systemd_coredump_var_lib_t, systemd_coredump_var_lib_t)
-seutil_read_file_contexts(systemd_locale_t)
+kernel_read_kernel_sysctls(systemd_coredump_t)
+kernel_read_system_state(systemd_coredump_t)
+kernel_rw_pipes(systemd_coredump_t)
+kernel_use_fds(systemd_coredump_t)
-systemd_log_parse_environment(systemd_locale_t)
+corecmd_exec_bin(systemd_coredump_t)
+corecmd_read_all_executables(systemd_coredump_t)
+
+dev_write_kmsg(systemd_coredump_t)
+
+files_read_etc_files(systemd_coredump_t)
+files_search_var_lib(systemd_coredump_t)
+
+fs_getattr_xattr_fs(systemd_coredump_t)
+
+selinux_getattr_fs(systemd_coredump_t)
+
+init_list_var_lib_dirs(systemd_coredump_t)
+init_read_state(systemd_coredump_t)
+init_search_pids(systemd_coredump_t)
+init_write_pid_socket(systemd_coredump_t)
+
+logging_send_syslog_msg(systemd_coredump_t)
+
+seutil_search_default_contexts(systemd_coredump_t)
-optional_policy(`
- dbus_connect_system_bus(systemd_locale_t)
- dbus_system_bus_client(systemd_locale_t)
-')
#######################################
#
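Review bot: The credential-changing rules for systemd_coredump_t, `self:capability { setgid setuid setpcap }` and `self:process { getcap setcap setfscreate }`, carry no comment saying which operation needs them, unlike the dontaudit in this file's log-parse block which explains its setsockopt case; a one-line reason for the uid/gid change and another for setfscreate would let a later reviewer judge whether they are still required. `corecmd_read_all_executables` together with `kernel_rw_pipes`/`kernel_use_fds` suggests the core is handed over on a kernel pipe and the crashed binary is read for metadata, but that is inferred and belongs in a comment rather than left to guesswork. The declarations of systemd_coredump_t and systemd_coredump_var_lib_t are outside this hunk, so the domain's base type could not be checked.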
@@ -262,6 +264,42 @@ optional_policy(`
dbus_connect_system_bus(systemd_hostnamed_t)
')
+#######################################
+#
+# locale local policy
+#
+
+kernel_read_kernel_sysctls(systemd_locale_t)
+
+files_read_etc_files(systemd_locale_t)
+
+seutil_read_file_contexts(systemd_locale_t)
+
+systemd_log_parse_environment(systemd_locale_t)
+
+optional_policy(`
+ dbus_connect_system_bus(systemd_locale_t)
+ dbus_system_bus_client(systemd_locale_t)
+')
+
+######################################
+#
+# systemd log parse enviroment
+#
+
+# Do not audit setsockopt(fd, SOL_SOCKET, SO_SNDBUFFORCE, ...) failure (e.g. when using create_log_socket() internal function)
+dontaudit systemd_log_parse_env_type self:capability net_admin;
+
+kernel_read_system_state(systemd_log_parse_env_type)
+
+dev_write_kmsg(systemd_log_parse_env_type)
+
+term_use_console(systemd_log_parse_env_type)
+
+init_read_state(systemd_log_parse_env_type)
+
+logging_send_syslog_msg(systemd_log_parse_env_type)
+
#########################################
#
# Logind local policy
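Review bot: The section header for the moved block reads `# systemd log parse enviroment`, which misspells "environment" and breaks the "<Name> local policy" header pattern used by every other block in this file (`# locale local policy`, `# Logind local policy`). Since the block is being relocated anyway, this is the moment to fix it to `# systemd log parse environment local policy`. The rest of the hunk is a pure move of the locale and log-parse rules and looks fine.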
@@ -325,6 +363,71 @@ optional_policy(`
dbus_connect_system_bus(systemd_logind_t)
')
+#########################################
+#
+# machined local policy
+#
+
+allow systemd_machined_t self:capability sys_ptrace;
+allow systemd_machined_t self:process setfscreate;
+allow systemd_machined_t self:unix_dgram_socket { connected_socket_perms connect };
+
+manage_files_pattern(systemd_machined_t, systemd_machined_var_run_t, systemd_machined_var_run_t)
+allow systemd_machined_t systemd_machined_var_run_t:lnk_file manage_lnk_file_perms;
+
+kernel_read_kernel_sysctls(systemd_machined_t)
+kernel_read_system_state(systemd_machined_t)
+
+files_read_etc_files(systemd_machined_t)
+
+fs_getattr_cgroup(systemd_machined_t)
+fs_getattr_tmpfs(systemd_machined_t)
+
+selinux_getattr_fs(systemd_machined_t)
+
+init_read_script_state(systemd_machined_t)
+init_get_system_status(systemd_machined_t)
+init_read_state(systemd_machined_t)
+init_service_start(systemd_machined_t)
+init_service_status(systemd_machined_t)
+init_start_system(systemd_machined_t)
+init_stop_system(systemd_machined_t)
+
+logging_send_syslog_msg(systemd_machined_t)
+
+seutil_search_default_contexts(systemd_machined_t)
+
+optional_policy(`
+ init_dbus_chat(systemd_machined_t)
+ init_dbus_send_script(systemd_machined_t)
+
+ dbus_connect_system_bus(systemd_machined_t)
+ dbus_system_bus_client(systemd_machined_t)
+')
+
+########################################
+#
+# systemd_notify local policy
+#
+allow systemd_notify_t self:capability chown;
+allow systemd_notify_t self:process { setfscreate setsockcreate };
+
+allow systemd_notify_t self:fifo_file rw_fifo_file_perms;
+allow systemd_notify_t self:unix_stream_socket create_stream_socket_perms;
+
+domain_use_interactive_fds(systemd_notify_t)
+
+files_read_etc_files(systemd_notify_t)
+files_read_usr_files(systemd_notify_t)
+
+fs_getattr_cgroup_files(systemd_notify_t)
+
+auth_use_nsswitch(systemd_notify_t)
+
+init_rw_stream_sockets(systemd_notify_t)
+
+miscfiles_read_localization(systemd_notify_t)
+
########################################
#
# Nspawn local policy
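Review bot: `allow systemd_machined_t self:capability sys_ptrace;` at the top of the machined block grants one of the most powerful capabilities in the policy with no comment recording which operation triggered it, and the same block also hands the domain `init_start_system`/`init_stop_system`. If the denial came only from machined reading other processes' `/proc` entries, it is worth checking whether a `dontaudit` is sufficient, as the read usually succeeds for the information machined actually needs; if a real ptrace-class operation is required, say so, e.g. `# sys_ptrace: reads /proc/<pid>/ of container leaders`. Either way the intent should be in the policy rather than recoverable only from the originating AVC.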
@@ -332,6 +435,66 @@ optional_policy(`
init_pid_filetrans(systemd_nspawn_t, systemd_nspawn_var_run_t, dir)
+#######################################
+#
+# systemd_passwd_agent_t local policy
+#
+
+allow systemd_passwd_agent_t self:capability { chown sys_tty_config dac_override };
+allow systemd_passwd_agent_t self:process { setfscreate setsockcreate signal };
+allow systemd_passwd_agent_t self:unix_dgram_socket create_socket_perms;
+
+manage_dirs_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
+manage_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
+manage_sock_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
+manage_fifo_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
+init_pid_filetrans(systemd_passwd_agent_t, systemd_passwd_var_run_t, { dir fifo_file file })
+
+kernel_read_system_state(systemd_passwd_agent_t)
+kernel_stream_connect(systemd_passwd_agent_t)
+
+dev_create_generic_dirs(systemd_passwd_agent_t)
+dev_read_generic_files(systemd_passwd_agent_t)
+dev_write_generic_sock_files(systemd_passwd_agent_t)
+dev_write_kmsg(systemd_passwd_agent_t)
+
+files_read_etc_files(systemd_passwd_agent_t)
+
+fs_getattr_xattr_fs(systemd_passwd_agent_t)
+
+selinux_get_enforce_mode(systemd_passwd_agent_t)
+selinux_getattr_fs(systemd_passwd_agent_t)
+
+term_read_console(systemd_passwd_agent_t)
+
+auth_use_nsswitch(systemd_passwd_agent_t)
+
+init_create_pid_dirs(systemd_passwd_agent_t)
+init_read_pid_pipes(systemd_passwd_agent_t)
+init_read_state(systemd_passwd_agent_t)
+init_read_utmp(systemd_passwd_agent_t)
+init_stream_connect(systemd_passwd_agent_t)
+
+logging_send_syslog_msg(systemd_passwd_agent_t)
+
+miscfiles_read_localization(systemd_passwd_agent_t)
+
+seutil_search_default_contexts(systemd_passwd_agent_t)
+
+userdom_use_user_ptys(systemd_passwd_agent_t)
+
+optional_policy(`
+ getty_use_fds(systemd_passwd_agent_t)
+')
+
+optional_policy(`
+ lvm_signull(systemd_passwd_agent_t)
+')
+
+optional_policy(`
+ plymouthd_stream_connect(systemd_passwd_agent_t)
+')
+
#########################################
#
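Review bot: The four `manage_*_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);` lines at the top of the passwd_agent block end in a trailing semicolon, which no other interface call in this hunk or elsewhere in the file uses; the m4 expansion already terminates each rule, so the semicolons should be dropped to match refpolicy style, e.g. `manage_dirs_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t)`. Separately, `dac_override` in the capability line is unexplained; a short comment naming the file it needs to bypass permissions on (the console or the ask-password socket, presumably) would make later audits easier.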
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
@ 2017-02-27 10:50 Jason Zaman
From: Jason Zaman @ 2017-02-27 10:50 UTC (permalink / raw
To: gentoo-commits
commit: 4cad32c069d96e1f34d90a2fc05d3d05b65c8ae3
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Feb 25 16:20:19 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb 27 10:38:00 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4cad32c0
Network daemon patches from Russell Coker.
policy/modules/kernel/corenetwork.te.in | 6 +++---
policy/modules/system/iptables.te | 4 +++-
policy/modules/system/sysnetwork.fc | 2 ++
policy/modules/system/sysnetwork.te | 6 +++++-
4 files changed, 13 insertions(+), 5 deletions(-)
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index 68aba14c..b3db0139 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -1,4 +1,4 @@
-policy_module(corenetwork, 1.23.2)
+policy_module(corenetwork, 1.23.3)
########################################
#
@@ -216,7 +216,7 @@ network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tc
network_port(portmap, udp,111,s0, tcp,111,s0)
network_port(postfix_policyd, tcp,10031,s0)
network_port(postgresql, tcp,5432,s0)
-network_port(postgrey, tcp,60000,s0)
+network_port(postgrey, tcp,10023,s0, tcp,60000,s0)
network_port(pptp, tcp,1723,s0, udp,1723,s0)
network_port(prelude, tcp,4690,s0, udp,4690,s0)
network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
@@ -236,7 +236,7 @@ network_port(repository, tcp, 6363, s0)
network_port(ricci, tcp,11111,s0, udp,11111,s0)
network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
network_port(rlogind, tcp,513,s0)
-network_port(rndc, tcp,953,s0, udp,953,s0)
+network_port(rndc, tcp,953,s0, udp,953,s0, tcp,8953,s0, udp,8953,s0)
network_port(router, udp,520,s0, udp,521,s0, tcp,521,s0)
network_port(rsh, tcp,514,s0)
network_port(rsync, tcp,873,s0, udp,873,s0)
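Review bot: Adding tcp/udp 8953 to the `rndc` port type conflates two different control channels: 953 is BIND's rndc, while 8953 is, as far as I know, the default port of unbound-control, and nothing in the hunk records that. Any domain granted `rndc_port_t` access now reaches both daemons' control sockets. If a separate port type is not wanted, at least record the reason inline, e.g. `network_port(rndc, tcp,953,s0, udp,953,s0, tcp,8953,s0, udp,8953,s0) # 8953: unbound-control`.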
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
index 0380f55b..e8063b99 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -1,4 +1,4 @@
-policy_module(iptables, 1.18.1)
+policy_module(iptables, 1.18.2)
########################################
#
@@ -153,4 +153,6 @@ optional_policy(`
optional_policy(`
udev_read_db(iptables_t)
+ # this is for iptables_t to inherit a file hande from xen vif-bridge
+ udev_manage_pid_files(iptables_t)
')
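Review bot: `udev_manage_pid_files(iptables_t)` is far broader than the comment above it justifies: inheriting an already-open file descriptor needs at most read/write on the udev pid file, not create, unlink, rename and setattr on everything under udev's run directory. If udev.if provides a rw-level interface (e.g. `udev_rw_pid_files`), use that; if the inherited fd is never actually used by iptables, a dontaudit is the right answer. The comment also has a typo, `hande` for `handle`.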
diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
index e887076b..817d620b 100644
--- a/policy/modules/system/sysnetwork.fc
+++ b/policy/modules/system/sysnetwork.fc
@@ -58,6 +58,7 @@ ifdef(`distro_redhat',`
/var/lib/dhcp3? -d gen_context(system_u:object_r:dhcp_state_t,s0)
/var/lib/dhcp3?/dhclient.* gen_context(system_u:object_r:dhcpc_state_t,s0)
/var/lib/dhcpcd(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)
+/var/lib/dhcpv6(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)
/var/lib/dhclient(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)
/var/lib/wifiroamd(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0)
@@ -70,6 +71,7 @@ ifdef(`distro_gentoo',`
ifdef(`distro_debian',`
/run/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
+/var/run/resolvconf/.* -- gen_context(system_u:object_r:net_conf_t,s0)
')
ifdef(`distro_gentoo',`
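Review bot: The new Debian entry is written as `/var/run/resolvconf/.*` while the line directly above it in the same `distro_debian` block uses `/run/network(/.*)?`; with the `/run` to `/var/run` equivalence in refpolicy's file_contexts.subs_dist only one spelling is needed, and mixing both within one block makes it unclear which is canonical. Pick the form the rest of this file uses. Also note the `--` qualifier matches regular files only, so the `resolvconf` directory itself and any symlinks in it keep whatever label the parent gives them; confirm that is intended.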
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index caec3181..d21a2d64 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -1,4 +1,4 @@
-policy_module(sysnetwork, 1.20.3)
+policy_module(sysnetwork, 1.20.4)
########################################
#
@@ -244,6 +244,10 @@ optional_policy(`
')
optional_policy(`
+ samba_manage_config(dhcpc_t)
+')
+
+optional_policy(`
seutil_sigchld_newrole(dhcpc_t)
seutil_dontaudit_search_config(dhcpc_t)
')
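Review bot: `samba_manage_config(dhcpc_t)` lets the DHCP client rewrite the whole Samba configuration, which means data received from the network (the DHCP lease) now has a path into `smb.conf`, and the hunk carries no comment explaining the trigger. Presumably this is for a dhclient hook that updates the WINS server setting; if so, record it, e.g. `# dhclient exit hooks update the WINS server in smb.conf`, so a reviewer can judge whether manage (create/unlink/rename) is needed or whether a rw-level interface would do.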
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
@ 2017-03-02 10:17 Sven Vermeulen
From: Sven Vermeulen @ 2017-03-02 10:17 UTC (permalink / raw
To: gentoo-commits
commit: 1411282ba15da370f51a5b1444a0e087352d12ea
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Mar 1 00:42:24 2017 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Mar 2 10:16:56 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1411282b
Module version bump for misc fixes from cgzones.
policy/modules/kernel/corecommands.te | 2 +-
policy/modules/kernel/filesystem.te | 2 +-
policy/modules/system/init.te | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te
index 08b3ff7d..ac0a7ce1 100644
--- a/policy/modules/kernel/corecommands.te
+++ b/policy/modules/kernel/corecommands.te
@@ -1,4 +1,4 @@
-policy_module(corecommands, 1.23.3)
+policy_module(corecommands, 1.23.4)
########################################
#
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index 23705cd3..597bf615 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -1,4 +1,4 @@
-policy_module(filesystem, 1.22.3)
+policy_module(filesystem, 1.22.4)
########################################
#
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index c784280e..f783614f 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 2.2.8)
+policy_module(init, 2.2.9)
gen_require(`
class passwd rootok;
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
@ 2017-04-10 16:59 Sven Vermeulen
From: Sven Vermeulen @ 2017-04-10 16:59 UTC (permalink / raw
To: gentoo-commits
commit: a223ccaf9ede7fc52fdb9d5ba5a62b0c8d72ae30
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Apr 1 16:08:42 2017 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Apr 10 16:44:59 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a223ccaf
systemd-nspawn again
This patch doesn't do everything that is needed to have systemd-nspawn work.
But it does everything that is needed and which I have written in a clear and
uncontroversial way. I think it's best to get this upstream now and then
either have a separate discussion about the more difficult issues, or wait
until I devise a way of solving those problems that's not too hacky.
Who knows, maybe someone else will devise a brilliant solution to the remaining
issues after this is accepted upstream.
Also there's a tiny patch for systemd_machined_t that is required by
systemd_nspawn_t.
Description: systemd-nspawn
Author: Russell Coker <russell <AT> coker.com.au>
Last-Update: 2017-03-29
policy/modules/kernel/devices.if | 36 ++++++++++
policy/modules/kernel/devices.te | 2 +-
policy/modules/kernel/files.if | 18 +++++
policy/modules/kernel/files.te | 2 +-
policy/modules/kernel/filesystem.if | 18 +++++
policy/modules/kernel/filesystem.te | 2 +-
policy/modules/kernel/kernel.if | 135 ++++++++++++++++++++++++++++++++++++
policy/modules/kernel/kernel.te | 2 +-
policy/modules/kernel/terminal.if | 18 +++++
policy/modules/kernel/terminal.te | 2 +-
policy/modules/system/init.if | 48 +++++++------
policy/modules/system/init.te | 2 +-
policy/modules/system/systemd.te | 119 ++++++++++++++++++++++++++++++-
13 files changed, 375 insertions(+), 29 deletions(-)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index c5af9342..1f1fbca6 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -4064,6 +4064,24 @@ interface(`dev_getattr_sysfs',`
########################################
## <summary>
+## mount a sysfs filesystem
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_mount_sysfs',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+ allow $1 sysfs_t:filesystem mount;
+')
+
+########################################
+## <summary>
## Do not audit getting the attributes of sysfs filesystem
## </summary>
## <param name="domain">
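Review bot: The `<summary>` of the new `dev_mount_sysfs` interface reads `mount a sysfs filesystem` with a lower-case initial and no period, while the neighbouring summaries in this file (`Do not audit getting the attributes of sysfs filesystem`) are capitalised sentences; the generated interface documentation inherits this inconsistency. Suggest `## Mount a sysfs filesystem.` The same applies to the `mounton sysfs directories.` summary in the next hunk.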
@@ -4082,6 +4100,24 @@ interface(`dev_dontaudit_getattr_sysfs',`
########################################
## <summary>
+## mounton sysfs directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_mounton_sysfs_dirs',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+ allow $1 sysfs_t:dir mounton;
+')
+
+########################################
+## <summary>
## Search the sysfs directories.
## </summary>
## <param name="domain">
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index e15c26c3..277a6a19 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -1,4 +1,4 @@
-policy_module(devices, 1.20.5)
+policy_module(devices, 1.20.6)
########################################
#
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 9d7a929a..9f9fdded 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -6340,6 +6340,24 @@ interface(`files_dontaudit_getattr_pid_dirs',`
########################################
## <summary>
+## mounton a /var/run directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_mounton_pid_dirs',`
+ gen_require(`
+ type var_run_t;
+ ')
+
+ allow $1 var_run_t:dir mounton;
+')
+
+########################################
+## <summary>
## Set the attributes of the /var/run directory.
## </summary>
## <param name="domain">
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index 10001b15..33c92c70 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -1,4 +1,4 @@
-policy_module(files, 1.23.8)
+policy_module(files, 1.23.9)
########################################
#
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index bba3e389..cfaa3e85 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -4160,6 +4160,24 @@ interface(`fs_mounton_tmpfs',`
########################################
## <summary>
+## Mount on tmpfs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_mounton_tmpfs_files',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+ allow $1 tmpfs_t:file mounton;
+')
+
+########################################
+## <summary>
## Set the attributes of tmpfs directories.
## </summary>
## <param name="domain">
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index 3194b0e0..11ada353 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -1,4 +1,4 @@
-policy_module(filesystem, 1.22.5)
+policy_module(filesystem, 1.22.6)
########################################
#
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 6887b00d..cecf5d86 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -828,6 +828,42 @@ interface(`kernel_mount_kvmfs',`
########################################
## <summary>
+## mount the proc filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_mount_proc',`
+ gen_require(`
+ type proc_t;
+ ')
+
+ allow $1 proc_t:filesystem mount;
+')
+
+########################################
+## <summary>
+## remount the proc filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_remount_proc',`
+ gen_require(`
+ type proc_t;
+ ')
+
+ allow $1 proc_t:filesystem remount;
+')
+
+########################################
+## <summary>
## Unmount the proc filesystem.
## </summary>
## <param name="domain">
@@ -864,6 +900,25 @@ interface(`kernel_getattr_proc',`
########################################
## <summary>
+## Mount on proc directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`kernel_mounton_proc',`
+ gen_require(`
+ type proc_t;
+ ')
+
+ allow $1 proc_t:dir mounton;
+')
+
+########################################
+## <summary>
## Do not audit attempts to set the
## attributes of directories in /proc.
## </summary>
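Review bot: `kernel_mounton_proc` is tagged `<rolecap/>`, which marks an interface as a capability intended to be handed to user roles, yet mounting over `/proc` directories is a system-domain privilege and the parallel `kernel_mount_proc`/`kernel_remount_proc` interfaces in the previous hunk have no such tag. The same tag appears on the other mounton interfaces added to this file; it looks copy-pasted from a template rather than deliberate. Drop the `## <rolecap/>` line unless these are genuinely meant to be offered to user roles.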
@@ -1306,6 +1361,26 @@ interface(`kernel_dontaudit_getattr_message_if',`
########################################
## <summary>
+## Mount on kernel message interfaces files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`kernel_mounton_message_if',`
+ gen_require(`
+ type proc_t, proc_kmsg_t;
+ ')
+
+ allow $1 proc_t:dir list_dir_perms;
+ allow $1 proc_kmsg_t:file { getattr mounton };
+')
+
+########################################
+## <summary>
## Do not audit attempts to search the network
## state directory.
## </summary>
@@ -1557,6 +1632,26 @@ interface(`kernel_dontaudit_search_sysctl',`
########################################
## <summary>
+## Mount on sysctl_t dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`kernel_mounton_sysctl_dirs',`
+ gen_require(`
+ type proc_t, sysctl_t;
+ ')
+
+ allow $1 proc_t:dir list_dir_perms;
+ allow $1 sysctl_t:dir { getattr mounton };
+')
+
+########################################
+## <summary>
## Allow access to read sysctl directories.
## </summary>
## <param name="domain">
@@ -1577,6 +1672,26 @@ interface(`kernel_read_sysctl',`
########################################
## <summary>
+## Mount on sysctl files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`kernel_mounton_sysctl_files',`
+ gen_require(`
+ type proc_t, sysctl_t;
+ ')
+
+ allow $1 { proc_t sysctl_t }:dir list_dir_perms;
+ allow $1 sysctl_t:file { getattr mounton };
+')
+
+########################################
+## <summary>
## Allow caller to read the device sysctls.
## </summary>
## <param name="domain">
@@ -2021,6 +2136,26 @@ interface(`kernel_rw_kernel_sysctl',`
list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_kernel_t)
')
+#######################################
+## <summary>
+## Mount on kernel sysctl files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`kernel_mounton_kernel_sysctl_files',`
+ gen_require(`
+ type proc_t, sysctl_t, sysctl_kernel_t;
+ ')
+
+ allow $1 { proc_t sysctl_t sysctl_kernel_t }:dir list_dir_perms;
+ allow $1 sysctl_kernel_t:file { getattr mounton };
+')
+
########################################
## <summary>
## Search filesystem sysctl directories.
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 034d6a0b..639b8454 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -1,4 +1,4 @@
-policy_module(kernel, 1.22.0)
+policy_module(kernel, 1.22.1)
########################################
#
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
index 05be0475..d72775c0 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@@ -133,6 +133,24 @@ interface(`term_user_tty',`
########################################
## <summary>
+## mount a devpts_t filesystem
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process to mount it
+## </summary>
+## </param>
+#
+interface(`term_mount_devpts',`
+ gen_require(`
+ type devpts_t;
+ ')
+
+ allow $1 devpts_t:filesystem mount;
+')
+
+########################################
+## <summary>
## Create a pty in the /dev/pts directory.
## </summary>
## <param name="domain">
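Review bot: The parameter summary of `term_mount_devpts` reads `The type of the process to mount it`, which differs from the wording every other interface in this file and in the rest of this patch uses for the same parameter. Use the standard `## Domain allowed access.` so the generated documentation stays uniform. The summary line `mount a devpts_t filesystem` would also read better as `Mount a devpts filesystem.`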
diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te
index b77752b5..a1fca0da 100644
--- a/policy/modules/kernel/terminal.te
+++ b/policy/modules/kernel/terminal.te
@@ -1,4 +1,4 @@
-policy_module(terminal, 1.16.1)
+policy_module(terminal, 1.16.2)
########################################
#
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 9b07a6e7..e42a7db5 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -828,6 +828,7 @@ interface(`init_dgram_send',`
dgram_send_pattern($1, init_var_run_t, init_var_run_t, init_t)
files_search_pids($1)
+ allow $1 init_t:unix_stream_socket getattr;
')
########################################
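Review bot: Adding `allow $1 init_t:unix_stream_socket getattr;` to `init_dgram_send` silently widens every existing caller of that interface, none of which asked for stream-socket access, and the interface's name and summary no longer describe what it grants. If nspawn needs the getattr, either put it in a new `init_getattr_stream_socket`-style interface called from the nspawn block, or at least document the addition inside the interface with a comment such as `# getattr on the notify socket is needed by callers that stat it before sending`, hedged to whatever the actual denial was.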
@@ -1111,21 +1112,6 @@ interface(`init_relabel_var_lib_dirs',`
## Domain allowed access.
## </summary>
## </param>
-## <param name="file_type">
-## <summary>
-## The type of the object to be created
-## </summary>
-## </param>
-## <param name="object_class">
-## <summary>
-## The object class.
-## </summary>
-## </param>
-## <param name="name" optional="true">
-## <summary>
-## The name of the object being created.
-## </summary>
-## </param>
#
interface(`init_manage_var_lib_files',`
gen_require(`
@@ -1513,6 +1499,24 @@ interface(`init_script_file_domtrans',`
########################################
## <summary>
+## Send a kill signal to init scripts.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_kill_scripts',`
+ gen_require(`
+ type initrc_t;
+ ')
+
+ allow $1 initrc_t:process sigkill;
+')
+
+########################################
+## <summary>
## Allow manage service for initrc_exec_t scripts
## </summary>
## <param name="domain">
@@ -1662,14 +1666,14 @@ interface(`init_startstop_service',`
#
interface(`init_run_daemon',`
gen_require(`
- attribute init_script_file_type;
+ attribute init_script_file_type;
role system_r;
')
allow $2 system_r;
- init_all_labeled_script_domtrans($1)
- role_transition $2 init_script_file_type system_r;
+ init_all_labeled_script_domtrans($1)
+ role_transition $2 init_script_file_type system_r;
')
########################################
@@ -2649,11 +2653,11 @@ interface(`init_delete_pid_files',`
## </param>
#
interface(`init_write_pid_socket',`
- gen_require(`
- type init_var_run_t;
- ')
+ gen_require(`
+ type init_var_run_t;
+ ')
- allow $1 init_var_run_t:sock_file write;
+ allow $1 init_var_run_t:sock_file write;
')
########################################
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index dfde3f39..a0a1723c 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 2.2.13)
+policy_module(init, 2.2.14)
gen_require(`
class passwd rootok;
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index e1f4c3a7..672d289d 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1,4 +1,4 @@
-policy_module(systemd, 1.3.14)
+policy_module(systemd, 1.3.15)
#########################################
#
@@ -472,6 +472,9 @@ init_service_start(systemd_machined_t)
init_service_status(systemd_machined_t)
init_start_system(systemd_machined_t)
init_stop_system(systemd_machined_t)
+init_get_generic_units_status(systemd_machined_t)
+init_start_generic_units(systemd_machined_t)
+init_stop_generic_units(systemd_machined_t)
logging_send_syslog_msg(systemd_machined_t)
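Review bot: `init_start_generic_units`/`init_stop_generic_units` allow machined to start and stop any generic unit, not just machine-scoped ones, and the commit message only says this is "required by systemd_nspawn_t" without naming the operation. A comment above the three new lines, e.g. `# machinectl start/stop/status of machine units via systemd`, would record why the generic-unit scope was chosen, if that is indeed the reason.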
@@ -513,8 +516,122 @@ miscfiles_read_localization(systemd_notify_t)
# Nspawn local policy
#
+allow systemd_nspawn_t self:process { getcap setcap setfscreate sigkill };
+allow systemd_nspawn_t self:capability { dac_override fsetid mknod net_admin setgid setuid setpcap sys_admin sys_chroot };
+allow systemd_nspawn_t self:capability2 wake_alarm;
+allow systemd_nspawn_t self:unix_dgram_socket connected_socket_perms;
+
+allow systemd_nspawn_t systemd_journal_t:dir search;
+
+allow systemd_nspawn_t systemd_machined_t:dbus send_msg;
+
+allow systemd_nspawn_t systemd_nspawn_var_run_t:dir manage_dir_perms;
+allow systemd_nspawn_t systemd_nspawn_var_run_t:file manage_file_perms;
init_pid_filetrans(systemd_nspawn_t, systemd_nspawn_var_run_t, dir)
+# for /run/systemd/nspawn/incoming in chroot
+allow systemd_nspawn_t systemd_nspawn_var_run_t:dir mounton;
+
+kernel_mount_proc(systemd_nspawn_t)
+kernel_mounton_sysctl_dirs(systemd_nspawn_t)
+kernel_mounton_kernel_sysctl_files(systemd_nspawn_t)
+kernel_mounton_message_if(systemd_nspawn_t)
+kernel_mounton_proc(systemd_nspawn_t)
+kernel_mounton_sysctl_dirs(systemd_nspawn_t)
+kernel_read_kernel_sysctls(systemd_nspawn_t)
+kernel_read_system_state(systemd_nspawn_t)
+kernel_remount_proc(systemd_nspawn_t)
+kernel_unconfined(systemd_nspawn_t)
+
+corecmd_exec_shell(systemd_nspawn_t)
+corecmd_search_bin(systemd_nspawn_t)
+
+corenet_rw_tun_tap_dev(systemd_nspawn_t)
+
+dev_getattr_fs(systemd_nspawn_t)
+dev_manage_sysfs_dirs(systemd_nspawn_t)
+dev_mounton_sysfs_dirs(systemd_nspawn_t)
+dev_mount_sysfs(systemd_nspawn_t)
+dev_read_rand(systemd_nspawn_t)
+dev_read_urand(systemd_nspawn_t)
+
+files_getattr_tmp_dirs(systemd_nspawn_t)
+files_manage_etc_files(systemd_nspawn_t)
+files_manage_mnt_dirs(systemd_nspawn_t)
+files_mounton_mnt(systemd_nspawn_t)
+files_mounton_root(systemd_nspawn_t)
+files_mounton_tmp(systemd_nspawn_t)
+files_setattr_pid_dirs(systemd_nspawn_t)
+
+fs_getattr_tmpfs(systemd_nspawn_t)
+fs_manage_tmpfs_chr_files(systemd_nspawn_t)
+fs_mount_tmpfs(systemd_nspawn_t)
+fs_remount_tmpfs(systemd_nspawn_t)
+fs_search_cgroup_dirs(systemd_nspawn_t)
+
+term_getattr_generic_ptys(systemd_nspawn_t)
+term_getattr_pty_fs(systemd_nspawn_t)
+term_mount_devpts(systemd_nspawn_t)
+term_search_ptys(systemd_nspawn_t)
+term_setattr_generic_ptys(systemd_nspawn_t)
+term_use_ptmx(systemd_nspawn_t)
+
+init_domtrans_script(systemd_nspawn_t)
+init_kill_scripts(systemd_nspawn_t)
+init_read_state(systemd_nspawn_t)
+init_search_run(systemd_nspawn_t)
+init_write_pid_socket(systemd_nspawn_t)
+init_spec_domtrans_script(systemd_nspawn_t)
+
+miscfiles_manage_localization(systemd_nspawn_t)
+
+# for writing inside chroot
+sysnet_manage_config(systemd_nspawn_t)
+
+userdom_manage_user_home_dirs(systemd_nspawn_t)
+
+tunable_policy(`systemd_nspawn_labeled_namespace',`
+ corecmd_exec_shell(systemd_nspawn_t)
+
+ dev_mounton(systemd_nspawn_t)
+ dev_setattr_generic_dirs(systemd_nspawn_t)
+
+ files_search_home(systemd_nspawn_t)
+ files_mounton_pid_dirs(systemd_nspawn_t)
+
+ fs_getattr_cgroup(systemd_nspawn_t)
+ fs_manage_cgroup_dirs(systemd_nspawn_t)
+ fs_manage_tmpfs_dirs(systemd_nspawn_t)
+ fs_manage_tmpfs_files(systemd_nspawn_t)
+ fs_manage_tmpfs_symlinks(systemd_nspawn_t)
+ fs_mount_cgroup(systemd_nspawn_t)
+ fs_mounton_cgroup(systemd_nspawn_t)
+ fs_mounton_tmpfs(systemd_nspawn_t)
+ fs_mounton_tmpfs_files(systemd_nspawn_t)
+ fs_remount_cgroup(systemd_nspawn_t)
+ fs_search_tmpfs(systemd_nspawn_t)
+ fs_write_cgroup_files(systemd_nspawn_t)
+
+ selinux_getattr_fs(systemd_nspawn_t)
+ selinux_search_fs(systemd_nspawn_t)
+
+ init_domtrans(systemd_nspawn_t)
+
+ logging_search_logs(systemd_nspawn_t)
+
+ seutil_search_default_contexts(systemd_nspawn_t)
+')
+
+optional_policy(`
+ allow systemd_machined_t systemd_nspawn_t:dbus send_msg;
+
+ dbus_system_bus_client(systemd_nspawn_t)
+')
+
+optional_policy(`
+ virt_manage_virt_content(systemd_nspawn_t)
+')
+
#######################################
#
# systemd_passwd_agent_t local policy
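Review bot: `kernel_unconfined(systemd_nspawn_t)` sits in the unconditional part of the nspawn block, so the domain gets unconfined access to kernel and proc/sysctl resources on every system, while far smaller grants (`files_mounton_pid_dirs`, `fs_mount_cgroup`, ...) are gated behind the `systemd_nspawn_labeled_namespace` tunable; if this is one of the "remaining issues" the commit message mentions, it should carry a comment saying so, and ideally live under the tunable until narrowed. The block also has two exact duplicates: `kernel_mounton_sysctl_dirs(systemd_nspawn_t)` is listed twice in the kernel_* run, and `corecmd_exec_shell(systemd_nspawn_t)` appears both unconditionally and again inside the tunable. Dropping the second copy of each is a trivial cleanup that makes the real scope of the unconditional policy easier to read.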
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
@ 2017-05-07 16:09 Jason Zaman
From: Jason Zaman @ 2017-05-07 16:09 UTC (permalink / raw
To: gentoo-commits
commit: f9f01e684dcb23519fcd03e6efdbff754dbef7be
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Mon May 1 22:45:01 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun May 7 15:53:18 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f9f01e68
Module version bump for minor fixes from Guido Trentalancia.
policy/modules/kernel/kernel.te | 2 +-
policy/modules/system/init.te | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 87f5f9a4..a2869be7 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -1,4 +1,4 @@
-policy_module(kernel, 1.22.1)
+policy_module(kernel, 1.22.2)
########################################
#
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index a01b5093..a572300d 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 2.2.20)
+policy_module(init, 2.2.21)
gen_require(`
class passwd rootok;
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
@ 2017-05-18 17:03 Sven Vermeulen
From: Sven Vermeulen @ 2017-05-18 17:03 UTC (permalink / raw
To: gentoo-commits
commit: 65729b614bfeb81ad1a2b8587a6ccc6e5ebd04a7
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Mon May 15 22:48:51 2017 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu May 18 17:00:56 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=65729b61
Module version bump for systemd fix from Krzysztof Nowicki.
policy/modules/kernel/files.te | 2 +-
policy/modules/system/init.te | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index c0578cc4..4768906d 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -1,4 +1,4 @@
-policy_module(files, 1.23.12)
+policy_module(files, 1.23.13)
########################################
#
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 4e2c6504..e44dfded 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 2.2.22)
+policy_module(init, 2.2.23)
gen_require(`
class passwd rootok;
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
@ 2017-05-18 17:03 Sven Vermeulen
From: Sven Vermeulen @ 2017-05-18 17:03 UTC (permalink / raw
To: gentoo-commits
commit: 1b7b773c1a5f2df67ef78aa7e5cb1016d4d82638
Author: Krzysztof Nowicki <krissn <AT> op <DOT> pl>
AuthorDate: Sun May 14 15:24:03 2017 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu May 18 17:00:51 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1b7b773c
Enable /etc directory protection using ProtectSystem
Setting this service option to 'full' or 'strict' will also remount the
/etc directory. Allow this in the policy.
This fixes the systemd-networkd service, but will also positively affect
any other service using the above hardening option.
policy/modules/kernel/files.if | 19 +++++++++++++++++++
policy/modules/system/init.te | 1 +
2 files changed, 20 insertions(+)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index a74f7913..c6df0a62 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -2853,6 +2853,25 @@ interface(`files_relabelto_etc_dirs',`
########################################
## <summary>
+## Mount a filesystem on the
+## etc directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_mounton_etc_dirs',`
+ gen_require(`
+ type etc_t;
+ ')
+
+ allow $1 etc_t:dir mounton;
+')
+
+########################################
+## <summary>
## Read generic files in /etc.
## </summary>
## <desc>
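Review bot: `files_mounton_etc_dirs` grants `mounton` on every `etc_t` directory, which lets the caller overlay configuration directories (e.g. /etc/pam.d or /etc/ssh) with another filesystem; that is what systemd's ProtectSystem remount needs, but the interface documentation does not say how far the grant reaches. I would add a `<desc>` block along the lines of `Allows mounting a filesystem over any etc_t directory, shadowing its contents; intended for init/namespace setup such as systemd ProtectSystem=, not for ordinary services.` The only caller in this commit is `init_t` inside the `init_systemd` ifdef, which is appropriately narrow.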
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index f388f1e0..3d3697fb 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -288,6 +288,7 @@ ifdef(`init_systemd',`
files_search_kernel_modules(init_t)
# for privatetmp functions
files_mounton_tmp(init_t)
+ files_mounton_etc_dirs(init_t)
fs_relabel_cgroup_dirs(init_t)
fs_rw_cgroup_files(init_t)
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
2017-05-25 17:08 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
@ 2017-05-25 16:43 ` Jason Zaman
From: Jason Zaman @ 2017-05-25 16:43 UTC (permalink / raw
To: gentoo-commits
commit: 01f8128928b31a303f1521c742e8545366c72352
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed May 24 23:58:32 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu May 25 16:36:54 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=01f81289
Module version bump for mmap fixes from Stephen Smalley.
policy/modules/kernel/devices.te | 2 +-
policy/modules/system/libraries.te | 2 +-
policy/modules/system/logging.te | 2 +-
policy/modules/system/miscfiles.te | 2 +-
policy/modules/system/selinuxutil.te | 2 +-
5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 9f75d8ce..b0eab749 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -1,4 +1,4 @@
-policy_module(devices, 1.20.8)
+policy_module(devices, 1.20.9)
########################################
#
diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
index 1bee4fa0..1ddbf29a 100644
--- a/policy/modules/system/libraries.te
+++ b/policy/modules/system/libraries.te
@@ -1,4 +1,4 @@
-policy_module(libraries, 2.14.4)
+policy_module(libraries, 2.14.5)
########################################
#
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 8086ca97..79c981bc 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -1,4 +1,4 @@
-policy_module(logging, 1.25.11)
+policy_module(logging, 1.25.12)
########################################
#
diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te
index 3b180a36..c0acc2b4 100644
--- a/policy/modules/system/miscfiles.te
+++ b/policy/modules/system/miscfiles.te
@@ -1,4 +1,4 @@
-policy_module(miscfiles, 1.12.2)
+policy_module(miscfiles, 1.12.3)
########################################
#
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 557e935c..d63a322f 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -1,4 +1,4 @@
-policy_module(selinuxutil, 1.22.11)
+policy_module(selinuxutil, 1.22.12)
gen_require(`
bool secure_mode;
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
@ 2017-10-29 20:42 Jason Zaman
From: Jason Zaman @ 2017-10-29 20:42 UTC (permalink / raw
To: gentoo-commits
commit: 08fff4870eab9cec72d17019d21d832176fd5905
Author: David Sugar <dsugar <AT> tresys <DOT> com>
AuthorDate: Thu Oct 12 16:16:17 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Oct 29 12:59:08 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=08fff487
Denial relabeling /run/systemd/private
I am seeing the following denial (in dmesg) during system startup:
[ 4.623332] type=1400 audit(1507767947.042:3): avc: denied { relabelto } for pid=1 comm="systemd" name="private" dev="tmpfs" ino=5865 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=sock_file
It appears that systemd is attempting to relabel the socket file /run/systemd/private to init_var_run_t but doesn't have permission.
Updated to create new interface for relabeling of sock_files rather than adding to existing interface
Signed-off-by: Dave Sugar <dsugar <AT> tresys.com>
policy/modules/kernel/files.if | 19 +++++++++++++++++++
policy/modules/system/init.te | 1 +
2 files changed, 20 insertions(+)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 12a1210c..ec2c8999 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -6741,6 +6741,25 @@ interface(`files_relabel_all_pid_dirs',`
########################################
## <summary>
+## Relabel to/from all var_run (pid) socket files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain alloed access.
+## </summary>
+## </param>
+#
+interface(`files_relabel_all_pid_sock_files',`
+ gen_require(`
+ attribute pidfile;
+ ')
+
+ relabel_sock_files_pattern($1, pidfile, pidfile)
+')
+
+
+########################################
+## <summary>
## Relabel to/from all var_run (pid) files and directories
## </summary>
## <param name="domain">
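Review bot: The parameter summary reads `Domain alloed access.` — a typo for `Domain allowed access.`, which is the wording every sibling interface uses. There are also two blank lines before the following separator where the rest of files.if uses one. The rule itself grants relabelfrom/relabelto on sock_files of every `pidfile` type, which is broader than the single `init_var_run_t` denial quoted in the message; for init_t that mirrors the existing `files_relabel_all_pids` call so it is reasonable, but the `<summary>` could say `Relabel to/from all var_run (pid) socket files, regardless of owning domain` so callers see the scope.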
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 75da7a62..350554d3 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -320,6 +320,7 @@ ifdef(`init_systemd',`
files_mounton_root(init_t)
files_search_pids(init_t)
files_relabel_all_pids(init_t)
+ files_relabel_all_pid_sock_files(init_t)
files_relabelto_etc_runtime_dirs(init_t)
files_relabelto_etc_runtime_files(init_t)
files_read_all_locks(init_t)
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
@ 2017-10-29 20:42 Jason Zaman
From: Jason Zaman @ 2017-10-29 20:42 UTC (permalink / raw
To: gentoo-commits
commit: 6ef62a4b426e033b53667e32b5c0922b475c41db
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Thu Oct 12 22:48:29 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Oct 29 12:59:50 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6ef62a4b
files, init, sysnetwork, systemd: Module version bumps.
policy/modules/kernel/files.te | 2 +-
policy/modules/system/init.te | 2 +-
policy/modules/system/sysnetwork.te | 2 +-
policy/modules/system/systemd.te | 2 +-
4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index 28824331..f713d2b6 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -1,4 +1,4 @@
-policy_module(files, 1.24.2)
+policy_module(files, 1.24.3)
########################################
#
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 02a9e3b8..4f2247f7 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 2.3.7)
+policy_module(init, 2.3.8)
gen_require(`
class passwd rootok;
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index bda695bd..1fec9b9b 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -1,4 +1,4 @@
-policy_module(sysnetwork, 1.21.1)
+policy_module(sysnetwork, 1.21.2)
########################################
#
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 56aa9198..2d0393a3 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1,4 +1,4 @@
-policy_module(systemd, 1.4.4)
+policy_module(systemd, 1.4.5)
#########################################
#
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
@ 2017-11-05 8:01 Jason Zaman
From: Jason Zaman @ 2017-11-05 8:01 UTC (permalink / raw
To: gentoo-commits
commit: 209fa945a8cbd918155deda616f3e954895df6c0
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Nov 1 23:03:30 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Nov 5 06:38:35 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=209fa945
files, userdomain: Module version bump.
policy/modules/kernel/files.te | 2 +-
policy/modules/system/userdomain.te | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index 473931ee..9242965c 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -1,4 +1,4 @@
-policy_module(files, 1.24.4)
+policy_module(files, 1.24.5)
########################################
#
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index e36a92f7..8f954251 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -1,4 +1,4 @@
-policy_module(userdomain, 4.14.5)
+policy_module(userdomain, 4.14.6)
########################################
#
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
@ 2018-02-18 11:30 Jason Zaman
From: Jason Zaman @ 2018-02-18 11:30 UTC (permalink / raw
To: gentoo-commits
commit: 61c77a5671934cc8a2210c166a544e556e68ab49
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Thu Feb 15 22:10:34 2018 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Feb 18 11:25:18 2018 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=61c77a56
Simple map patch from Russell Coker.
policy/modules/kernel/files.if | 30 ++++++++++++++++++++++++++++++
policy/modules/kernel/files.te | 2 +-
policy/modules/system/logging.te | 7 ++++++-
policy/modules/system/lvm.te | 3 ++-
policy/modules/system/modutils.te | 4 +++-
policy/modules/system/systemd.if | 1 +
policy/modules/system/systemd.te | 2 +-
7 files changed, 44 insertions(+), 5 deletions(-)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 05ca46a7..4920809d 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -2944,6 +2944,36 @@ interface(`files_read_etc_files',`
read_lnk_files_pattern($1, etc_t, etc_t)
')
+########################################
+## <summary>
+## Map generic files in /etc.
+## </summary>
+## <desc>
+## <p>
+## Allow the specified domain to map generic files in /etc.
+## </p>
+## <p>
+## Related interfaces:
+## </p>
+## <ul>
+## <li>files_read_etc_files()</li>
+## </ul>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`files_map_etc_files',`
+ gen_require(`
+ type etc_t;
+ ')
+
+ allow $1 etc_t:file map;
+')
+
########################################
## <summary>
## Do not audit attempts to write generic files in /etc.
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index bfbd4b8d..f7cf321f 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -1,4 +1,4 @@
-policy_module(files, 1.25.0)
+policy_module(files, 1.25.1)
########################################
#
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 474d3644..1f3de07d 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -1,4 +1,4 @@
-policy_module(logging, 1.27.0)
+policy_module(logging, 1.27.1)
########################################
#
@@ -257,6 +257,7 @@ corecmd_exec_shell(audisp_t)
domain_use_interactive_fds(audisp_t)
+files_map_etc_files(audisp_t)
files_read_etc_files(audisp_t)
files_read_etc_runtime_files(audisp_t)
@@ -418,6 +419,8 @@ files_pid_filetrans(syslogd_t, syslogd_tmp_t, dir, "log")
# manage temporary files
manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
+allow syslogd_t syslogd_tmp_t:file map;
+
files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
manage_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t)
@@ -426,6 +429,8 @@ files_search_var_lib(syslogd_t)
# manage pid file
manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
+allow syslogd_t syslogd_var_run_t:file map;
+
files_pid_filetrans(syslogd_t, syslogd_var_run_t, file)
allow syslogd_t syslogd_var_run_t:dir create_dir_perms;
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index 7c601fad..9df06823 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -1,4 +1,4 @@
-policy_module(lvm, 1.20.0)
+policy_module(lvm, 1.20.1)
########################################
#
@@ -212,6 +212,7 @@ files_pid_filetrans(lvm_t, lvm_var_run_t, { file sock_file })
read_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)
allow lvm_t lvm_etc_t:file map;
+
read_lnk_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)
# Write to /etc/lvm, /etc/lvmtab, /etc/lvmtab.d
manage_files_pattern(lvm_t, lvm_metadata_t, lvm_metadata_t)
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index 850a2af4..54393d93 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -1,4 +1,4 @@
-policy_module(modutils, 1.19.0)
+policy_module(modutils, 1.19.1)
########################################
#
@@ -132,7 +132,9 @@ optional_policy(`
')
optional_policy(`
+ # for postinst of a new kernel package
dpkg_manage_script_tmp_files(kmod_t)
+ dpkg_map_script_tmp_files(kmod_t)
')
optional_policy(`
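Review bot: `dpkg_map_script_tmp_files(kmod_t)` calls an interface that is not defined anywhere in this diff; if dpkg.if lives in the separate contrib repository (as the diffstat limited to system/ and kernel/ suggests), that change must land together or this `optional_policy` block fails to build. The new comment `# for postinst of a new kernel package` explains the existing manage call but not why `map` is now required; extending it to `# for postinst of a new kernel package (dpkg scripts mmap their tmp files)` would document the added permission — I am inferring the reason from the pairing, so confirm against the denial that motivated it.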
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index d875098a..f6e34102 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -366,6 +366,7 @@ interface(`systemd_manage_journal_files',`
manage_dirs_pattern($1, systemd_journal_t, systemd_journal_t)
manage_files_pattern($1, systemd_journal_t, systemd_journal_t)
+ allow $1 systemd_journal_t:file map;
')
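Review bot: `systemd_manage_journal_files` now also grants `map` on `systemd_journal_t:file`, so the interface's `<summary>` and any infoflow annotation (outside this hunk) should be updated to mention mapping; every existing caller silently gains mmap on journal files. A summary such as `Create, read, write, delete and map journal files.` keeps the documentation in step with the rule.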
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 0f6b4a45..66eaea42 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1,4 +1,4 @@
-policy_module(systemd, 1.5.1)
+policy_module(systemd, 1.5.2)
#########################################
#
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
@ 2018-03-25 10:29 Sven Vermeulen
From: Sven Vermeulen @ 2018-03-25 10:29 UTC (permalink / raw
To: gentoo-commits
commit: d2dc3b997dbff09cdebf35491d7615a98a486674
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Mar 21 18:17:22 2018 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Mar 25 10:28:12 2018 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d2dc3b99
corenetwork, init: Module version bump.
policy/modules/kernel/corenetwork.te.in | 2 +-
policy/modules/system/init.te | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index cb3d4718..56ca81ac 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -1,4 +1,4 @@
-policy_module(corenetwork, 1.24.0)
+policy_module(corenetwork, 1.24.1)
########################################
#
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 94234055..95da9f8d 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 2.4.1)
+policy_module(init, 2.4.2)
gen_require(`
class passwd rootok;
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
@ 2020-02-15 7:33 Jason Zaman
From: Jason Zaman @ 2020-02-15 7:33 UTC (permalink / raw
To: gentoo-commits
commit: bdf027e057879dbba76e032570be27e1cc8ba4cc
Author: Peter Morrow <pemorrow <AT> linux <DOT> microsoft <DOT> com>
AuthorDate: Wed Feb 5 15:47:47 2020 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 15 07:32:05 2020 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=bdf027e0
systemd_tmpfiles_t: Allow systemd_tempfiles_t to change permissions in sysfs
Rules specified in system tmpfiles.d configuration files are often used to
change permissions on files in sysfs.
https://www.freedesktop.org/software/systemd/man/tmpfiles.d.html
Signed-off-by: Peter Morrow <pemorrow <AT> linux.microsoft.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/kernel/devices.if | 20 ++++++++++++++++++++
policy/modules/system/systemd.te | 1 +
2 files changed, 21 insertions(+)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index afbd6d4a..1b83ea68 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -4413,6 +4413,26 @@ interface(`dev_relabel_all_sysfs',`
allow $1 sysfs_types:lnk_file relabel_lnk_file_perms;
')
+########################################
+## <summary>
+## Set the attributes of sysfs files, directories and symlinks.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_setattr_all_sysfs',`
+ gen_require(`
+ attribute sysfs_types;
+ ')
+
+ allow $1 sysfs_types:dir { search_dir_perms setattr };
+ allow $1 sysfs_types:file setattr;
+ allow $1 sysfs_types:lnk_file { read_lnk_file_perms setattr };
+')
+
########################################
## <summary>
## Read and write the TPM device.
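Review bot: `sysfs_types` is an attribute, so this interface grants `setattr` on every sysfs-labelled directory, file and symlink — the ability to change mode and ownership of any kernel control file under /sys, which is exactly the lever tmpfiles.d `z`/`Z` rules pull — yet the summary does not flag that breadth. I would add a `<desc>` such as `Allows changing ownership and permissions of any node under /sys, including kernel control files; intended for setup tools like systemd-tmpfiles only.` The bundled `search_dir_perms` and `read_lnk_file_perms` are more than the name promises; they are needed to reach the nodes, but a short note in the description would make that explicit.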
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 4d906e5c..7624d258 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1112,6 +1112,7 @@ dev_manage_all_dev_nodes(systemd_tmpfiles_t)
dev_read_urand(systemd_tmpfiles_t)
dev_relabel_all_sysfs(systemd_tmpfiles_t)
dev_read_urand(systemd_tmpfiles_t)
+dev_setattr_all_sysfs(systemd_tmpfiles_t)
dev_manage_all_dev_nodes(systemd_tmpfiles_t)
files_create_lock_dirs(systemd_tmpfiles_t)
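Review bot: The new call lands in a block where `dev_read_urand(systemd_tmpfiles_t)` and `dev_manage_all_dev_nodes(systemd_tmpfiles_t)` each already appear twice (visible in the context lines; pre-existing, not introduced here). Since this hunk edits the block anyway, dropping the second copy of each and keeping the dev_* calls in alphabetical order (`dev_manage_all_dev_nodes`, `dev_read_urand`, `dev_relabel_all_sysfs`, `dev_setattr_all_sysfs`) would match refpolicy's usual ordering and make the growing sysfs grants for this domain easier to audit.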
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
@ 2020-02-15 7:33 Jason Zaman
From: Jason Zaman @ 2020-02-15 7:33 UTC (permalink / raw
To: gentoo-commits
commit: ea1528fd616d5b6275d955ca913b87f73b875bcb
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Jan 25 19:55:31 2020 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 15 07:32:05 2020 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ea1528fd
storage, systemd: Module version bump.
Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/kernel/storage.te | 2 +-
policy/modules/system/systemd.te | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/kernel/storage.te b/policy/modules/kernel/storage.te
index 61a35406..fca93d16 100644
--- a/policy/modules/kernel/storage.te
+++ b/policy/modules/kernel/storage.te
@@ -1,4 +1,4 @@
-policy_module(storage, 1.17.2)
+policy_module(storage, 1.17.3)
########################################
#
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 65562380..d039e2a1 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1,4 +1,4 @@
-policy_module(systemd, 1.8.11)
+policy_module(systemd, 1.8.12)
#########################################
#
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
@ 2020-10-13 3:02 Jason Zaman
From: Jason Zaman @ 2020-10-13 3:02 UTC (permalink / raw
To: gentoo-commits
commit: 405b164fb380ec576ac7b278436180f2df4efbdc
Author: Deepak Rawat <drawat.floss <AT> gmail <DOT> com>
AuthorDate: Mon Oct 5 18:18:28 2020 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Oct 11 21:14:40 2020 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=405b164f
Add selinux-policy for systemd-pstore service
systemd-pstore is a service to archive contents of pstore.
Signed-off-by: Deepak Rawat <drawat.floss <AT> gmail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/kernel/devices.if | 26 +++++++++++++++++
policy/modules/kernel/filesystem.if | 58 +++++++++++++++++++++++++++++++++++++
policy/modules/system/systemd.fc | 2 ++
policy/modules/system/systemd.te | 37 +++++++++++++++++++++++
4 files changed, 123 insertions(+)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index f1808c5c..1fae36ed 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -4499,6 +4499,32 @@ interface(`dev_read_sysfs',`
list_dirs_pattern($1, sysfs_t, sysfs_t)
')
+########################################
+## <summary>
+## Write to hardware state information.
+## </summary>
+## <desc>
+## <p>
+## Allow the specified domain to write to the sysfs
+## filesystem.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`dev_write_sysfs',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+ list_dirs_pattern($1, sysfs_t, sysfs_t)
+ write_files_pattern($1, sysfs_t, sysfs_t)
+')
+
########################################
## <summary>
## Allow caller to modify hardware state information.
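Review bot: The `<infoflow type="read" weight="10"/>` annotation contradicts what the interface grants — `write_files_pattern` is a write flow, so it should read `<infoflow type="write" weight="10"/>`; the `read` value looks copied from `dev_read_sysfs` just above. Since `sysfs_t` is the generic label for most of /sys, this permits writing any sysfs file (module parameters, device attributes, uevent triggers), not only "hardware state"; a `<desc>` sentence saying so would steer callers toward narrower sysfs types where genfscon entries provide them (whether such types exist for a given path is outside this diff).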
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 79e87e0f..aa855bd0 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -3868,6 +3868,64 @@ interface(`fs_relabel_pstore_dirs',`
relabel_dirs_pattern($1, pstore_t, pstore_t)
')
+########################################
+## <summary>
+## List the directories
+## of a pstore filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_list_pstore_dirs',`
+ gen_require(`
+ type pstore_t;
+ ')
+
+ allow $1 pstore_t:dir list_dir_perms;
+ dev_search_sysfs($1)
+')
+
+########################################
+## <summary>
+## Read pstore_t files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_read_pstore_files',`
+ gen_require(`
+ type pstore_t;
+ ')
+
+ allow $1 pstore_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Delete the files
+## of a pstore filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_delete_pstore_files',`
+ gen_require(`
+ type pstore_t;
+ ')
+
+ delete_files_pattern($1, pstore_t, pstore_t)
+ dev_search_sysfs($1)
+')
+
########################################
## <summary>
## Allow the type to associate to ramfs filesystems.
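Review bot: `fs_read_pstore_files` is out of step with its two new siblings: `fs_list_pstore_dirs` and `fs_delete_pstore_files` both call `dev_search_sysfs($1)` and the delete variant uses a `*_pattern` macro (which also grants directory search), while the read interface grants only `pstore_t:file read_file_perms` with no `pstore_t:dir search`, so a caller using it alone cannot reach the files. For parity I would write `read_files_pattern($1, pstore_t, pstore_t)` followed by `dev_search_sysfs($1)`. Its summary `Read pstore_t files` also breaks the phrasing of the neighbours; `Read the files of a pstore filesystem.` matches them.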
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index f61850b2..34637068 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -33,6 +33,7 @@
/usr/lib/systemd/systemd-machined -- gen_context(system_u:object_r:systemd_machined_exec_t,s0)
/usr/lib/systemd/systemd-modules-load -- gen_context(system_u:object_r:systemd_modules_load_exec_t,s0)
/usr/lib/systemd/systemd-networkd -- gen_context(system_u:object_r:systemd_networkd_exec_t,s0)
+/usr/lib/systemd/systemd-pstore -- gen_context(system_u:object_r:systemd_pstore_exec_t,s0)
/usr/lib/systemd/systemd-resolved -- gen_context(system_u:object_r:systemd_resolved_exec_t,s0)
/usr/lib/systemd/systemd-rfkill -- gen_context(system_u:object_r:systemd_rfkill_exec_t,s0)
/usr/lib/systemd/systemd-update-done -- gen_context(system_u:object_r:systemd_update_done_exec_t,s0)
@@ -57,6 +58,7 @@
/var/lib/systemd/backlight(/.*)? gen_context(system_u:object_r:systemd_backlight_var_lib_t,s0)
/var/lib/systemd/coredump(/.*)? gen_context(system_u:object_r:systemd_coredump_var_lib_t,s0)
/var/lib/systemd/linger(/.*)? gen_context(system_u:object_r:systemd_logind_var_lib_t,s0)
+/var/lib/systemd/pstore(/.*)? gen_context(system_u:object_r:systemd_pstore_var_lib_t,s0)
/var/lib/systemd/rfkill(/.*)? gen_context(system_u:object_r:systemd_rfkill_var_lib_t,s0)
/run/\.nologin[^/]* -- gen_context(system_u:object_r:systemd_sessions_runtime_t,s0)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index a1c00d62..495e9e08 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -168,6 +168,13 @@ files_runtime_file(systemd_nspawn_runtime_t)
type systemd_nspawn_tmp_t;
files_tmp_file(systemd_nspawn_tmp_t)
+type systemd_pstore_t;
+type systemd_pstore_exec_t;
+init_system_domain(systemd_pstore_t, systemd_pstore_exec_t)
+
+type systemd_pstore_var_lib_t;
+files_type(systemd_pstore_var_lib_t)
+
type systemd_resolved_t;
type systemd_resolved_exec_t;
init_system_domain(systemd_resolved_t, systemd_resolved_exec_t)
@@ -1168,6 +1175,9 @@ allow systemd_tmpfiles_t self:process { setfscreate getcap };
allow systemd_tmpfiles_t systemd_coredump_var_lib_t:dir { manage_dir_perms relabel_dir_perms };
allow systemd_tmpfiles_t systemd_coredump_var_lib_t:file manage_file_perms;
+allow systemd_tmpfiles_t systemd_pstore_var_lib_t:dir { manage_dir_perms relabel_dir_perms };
+allow systemd_tmpfiles_t systemd_pstore_var_lib_t:file manage_file_perms;
+
allow systemd_tmpfiles_t systemd_sessions_runtime_t:file { manage_file_perms relabel_file_perms };
manage_dirs_pattern(systemd_tmpfiles_t, systemd_journal_t, systemd_journal_t)
@@ -1187,6 +1197,10 @@ dev_manage_all_dev_nodes(systemd_tmpfiles_t)
dev_read_urand(systemd_tmpfiles_t)
dev_relabel_all_sysfs(systemd_tmpfiles_t)
dev_setattr_all_sysfs(systemd_tmpfiles_t)
+# Allow systemd-tmpfiles to enable pstore kernel parameters over sysfs
+# /sys/module/printk/parameters/always_kmsg_dump
+# /sys/module/kernel/parameters/crash_kexec_post_notifiers
+dev_write_sysfs(systemd_tmpfiles_t)
files_create_lock_dirs(systemd_tmpfiles_t)
files_manage_all_runtime_dirs(systemd_tmpfiles_t)
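Review bot: The comment names two specific files (`/sys/module/printk/parameters/always_kmsg_dump` and `/sys/module/kernel/parameters/crash_kexec_post_notifiers`), but `dev_write_sysfs` grants write to every `sysfs_t` file; together with the `dev_relabel_all_sysfs` and `dev_setattr_all_sysfs` calls directly above, systemd_tmpfiles_t now has near-complete control of /sys. If a dedicated type can be assigned to /sys/module/*/parameters via a genfscon rule (I cannot see from this diff whether the tree has one), a narrower write interface would keep the grant proportional to the two tmpfiles.d lines; otherwise the comment should state explicitly that the grant is deliberately broad, e.g. `# NOTE: dev_write_sysfs grants write to all sysfs_t files, not just these two`.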
@@ -1411,3 +1425,26 @@ userdom_mounton_user_runtime_dirs(systemd_user_runtime_dir_t)
userdom_relabelto_user_runtime_dirs(systemd_user_runtime_dir_t)
dbus_system_bus_client(systemd_user_runtime_dir_t)
+
+#########################################
+#
+# systemd-pstore local policy
+#
+
+dontaudit systemd_pstore_t self:capability net_admin;
+
+manage_files_pattern(systemd_pstore_t, systemd_pstore_var_lib_t, systemd_pstore_var_lib_t)
+
+files_read_etc_files(systemd_pstore_t)
+files_search_var_lib(systemd_pstore_t)
+
+fs_list_pstore_dirs(systemd_pstore_t)
+fs_read_pstore_files(systemd_pstore_t)
+fs_delete_pstore_files(systemd_pstore_t)
+
+init_search_run(systemd_pstore_t)
+init_list_var_lib_dirs(systemd_pstore_t)
+
+kernel_read_system_state(systemd_pstore_t)
+
+logging_send_syslog_msg(systemd_pstore_t)
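Review bot: `dontaudit systemd_pstore_t self:capability net_admin;` carries no comment explaining why the capability is requested or why suppressing it is safe; refpolicy normally annotates such dontaudits, e.g. `# SO_SNDBUFFORCE on the journal socket` if that is indeed the source (confirm against the denial). `manage_files_pattern` on `systemd_pstore_var_lib_t` covers files only; if systemd-pstore creates per-record subdirectories under /var/lib/systemd/pstore (I believe its external storage mode does, but verify), a `manage_dirs_pattern(systemd_pstore_t, systemd_pstore_var_lib_t, systemd_pstore_var_lib_t)` is needed as well. The domain also logs via `logging_send_syslog_msg` but nothing here grants `miscfiles_read_localization`; check whether `init_system_domain` already implies it before relying on that.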
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
@ 2020-11-28 23:09 Jason Zaman
From: Jason Zaman @ 2020-11-28 23:09 UTC (permalink / raw
To: gentoo-commits
commit: de9c38bc9643b4d761a7eff93400c2232d75220c
Author: Anthony PERARD <anthony.perard <AT> citrix <DOT> com>
AuthorDate: Tue Oct 27 17:22:28 2020 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Nov 16 09:03:43 2020 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=de9c38bc
xen: Allow xenstored to map /proc/xen/xsd_kva
xenstored is using mmap() on /proc/xen/xsd_kva, and when the SELinux
boolean "domain_can_mmap_files" in CentOS is set to false the mmap()
call fails.
Signed-off-by: Anthony PERARD <anthony.perard <AT> citrix.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/kernel/filesystem.if | 18 ++++++++++++++++++
policy/modules/system/xen.te | 1 +
2 files changed, 19 insertions(+)
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index aa855bd0..05ddc598 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -5328,6 +5328,24 @@ interface(`fs_manage_xenfs_files',`
manage_files_pattern($1, xenfs_t, xenfs_t)
')
+########################################
+## <summary>
+## Map files a XENFS filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_mmap_xenfs_files',`
+ gen_require(`
+ type xenfs_t;
+ ')
+
+ allow $1 xenfs_t:file map;
+')
+
########################################
## <summary>
## Do not audit attempts to create,
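Review bot: The summary `Map files a XENFS filesystem.` is missing a word — `Map files on a XENFS filesystem.`. The name `fs_mmap_xenfs_files` also departs from the `*_map_*` convention the other map interfaces in this tree follow (e.g. `files_map_etc_files`); since the interface is brand new, `fs_map_xenfs_files` would be the consistent choice. As with those interfaces, a `<desc>` note that this grants only `map` and expects the caller to hold read/write separately (here via `fs_manage_xenfs_files`) would prevent it being used on its own.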
diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te
index 2c95d0ca..82328cbb 100644
--- a/policy/modules/system/xen.te
+++ b/policy/modules/system/xen.te
@@ -459,6 +459,7 @@ files_read_usr_files(xenstored_t)
fs_search_xenfs(xenstored_t)
fs_manage_xenfs_files(xenstored_t)
+fs_mmap_xenfs_files(xenstored_t)
term_use_generic_ptys(xenstored_t)
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
@ 2021-03-21 22:10 Jason Zaman
From: Jason Zaman @ 2021-03-21 22:10 UTC (permalink / raw
To: gentoo-commits
commit: 4ca347319929cb5a24faf7eb587cabda640f28bd
Author: Krzysztof Nowicki <krissn <AT> op <DOT> pl>
AuthorDate: Thu Aug 13 06:44:22 2020 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb 15 19:49:24 2021 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4ca34731
Allow use of systemd UNIX sockets created at initrd execution
Systemd uses a number of UNIX sockets for communication (notify
socket [1], journald socket). These sockets are normally created at
start-up after the SELinux policy is loaded, which means that the
kernel socket objects have proper security contexts of the creating
processes.
Unfortunately things look different when the system is started with an
initrd that is also running systemd (e.g. dracut). In such case the
sockets are created in the initrd systemd environment before the
SELinux policy is loaded and therefore the socket object is assigned
the default kernel context (system_u:system_r:kernel_t). When the
initrd systemd transfers control to the main systemd the notify socket
descriptors are passed to the main systemd process [2]. This means
that when the main system is running the sockets will use the default
kernel security context until they are recreated, which for some
sockets (notify socket) never happens.
Until there is a way to change the context of an already open socket
object all processes, that wish to use systemd sockets need to be
able to send datagrams to system_u:system_r:kernel_t sockets.
Parts of this workaround were earlier hidden behind RedHat-specific
rules, since this distribution is the prime user of systemd+dracut
combo. Since other distros may want to use similar configuration it
makes sense to enable this globally.
[1] sd_notify(3)
[2] https://github.com/systemd/systemd/issues/16714
Signed-off-by: Krzysztof Nowicki <krissn <AT> op.pl>
tmp
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/kernel/kernel.if | 18 ++++++++++++++++++
policy/modules/system/init.te | 5 +++++
policy/modules/system/logging.if | 5 ++---
policy/modules/system/logging.te | 7 ++++---
4 files changed, 29 insertions(+), 6 deletions(-)
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index ebd73aca..18002e67 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -365,6 +365,24 @@ interface(`kernel_dgram_send',`
allow $1 kernel_t:unix_dgram_socket sendto;
')
+########################################
+## <summary>
+## Send messages to kernel netlink audit sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_rw_netlink_audit_sockets',`
+ gen_require(`
+ type kernel_t;
+ ')
+
+ allow $1 kernel_t:netlink_audit_socket { rw_netlink_socket_perms };
+')
+
########################################
## <summary>
## Allows caller to load kernel modules
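Review bot: The summary `Send messages to kernel netlink audit sockets.` understates what the interface grants: `rw_netlink_socket_perms` on `kernel_t:netlink_audit_socket` is read and write, as the name `kernel_rw_netlink_audit_sockets` already says. Suggest `## Read and write kernel netlink audit sockets.` so that anyone reading the generated interface documentation sees the full scope before calling it.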
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index ba82d84a..f711e535 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -312,6 +312,8 @@ ifdef(`init_systemd',`
kernel_setsched(init_t)
kernel_link_key(init_t)
kernel_rw_unix_sysctls(init_t)
+ kernel_rw_stream_sockets(init_t)
+ kernel_rw_unix_dgram_sockets(init_t)
# run systemd misc initializations
# in the initrc_t domain, as would be
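Review bot: The two calls added here, `kernel_rw_stream_sockets(init_t)` and `kernel_rw_unix_dgram_sockets(init_t)`, carry no comment, whereas the second hunk in this file annotates its `kernel_dgram_send(initrc_t)`. Since this is a deliberate workaround for sockets the initrd's systemd created before policy load, which keep the default `kernel_t` label, I would record that above them: `# sockets inherited from the initrd systemd are still labelled kernel_t`, and mark it as something to drop once a live socket can be relabelled, so the widening of `init_t` towards `kernel_t` sockets does not outlive its reason. The enclosing `ifdef(`init_systemd',` block starts outside this hunk.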
@@ -1032,6 +1034,9 @@ ifdef(`init_systemd',`
allow initrc_t systemdunit:service reload;
allow initrc_t init_script_file_type:service { stop start status reload };
+ # Access to notify socket for services with Type=notify
+ kernel_dgram_send(initrc_t)
+
# run systemd misc initializations
# in the initrc_t domain, as would be
# done in traditional sysvinit/upstart.
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 0f6efef8..e3851303 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -681,10 +681,9 @@ interface(`logging_send_syslog_msg',`
# Allow systemd-journald to check whether the process died
allow syslogd_t $1:process signull;
- ifdef(`distro_redhat',`
- kernel_dgram_send($1)
- ')
+ kernel_dgram_send($1)
')
+
')
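Review bot: Dropping the `distro_redhat` guard makes `kernel_dgram_send($1)` apply to every caller of `logging_send_syslog_msg`, a very widely used interface, so every syslog-sending domain may now send datagrams to `kernel_t` unix sockets on all distributions; a comment stating the reason belongs next to it, e.g. `# the journald socket inherited from an initrd systemd keeps the kernel_t label`. The added empty `+` line just before the final `')` looks like stray whitespace and should be dropped. The enclosing interface begins outside this hunk.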
########################################
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index fb0fe124..a6868af0 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -501,9 +501,6 @@ auth_use_nsswitch(syslogd_t)
init_use_fds(syslogd_t)
-# cjp: this doesnt make sense
-logging_send_syslog_msg(syslogd_t)
-
miscfiles_read_localization(syslogd_t)
seutil_read_config(syslogd_t)
@@ -525,6 +522,7 @@ ifdef(`init_systemd',`
kernel_read_ring_buffer(syslogd_t)
kernel_rw_stream_sockets(syslogd_t)
kernel_rw_unix_dgram_sockets(syslogd_t)
+ kernel_rw_netlink_audit_sockets(syslogd_t)
kernel_use_fds(syslogd_t)
dev_read_kmsg(syslogd_t)
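Review bot: `kernel_rw_netlink_audit_sockets(syslogd_t)` is added without a comment and the commit description explains only the UNIX socket case, so the reason journald needs read/write on a `kernel_t` netlink audit socket is not recorded anywhere; presumably it is the same initrd-inherited descriptor situation, but that is an inference. Suggest a line above it such as `# audit netlink socket inherited from the initrd is labelled kernel_t -- confirm`. The next hunk in this file does carry a comment for its rule, so this one stands out.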
@@ -544,6 +542,9 @@ ifdef(`init_systemd',`
init_read_runtime_symlinks(syslogd_t)
init_read_state(syslogd_t)
+ # needed for systemd-initrd case when syslog socket is unlabelled
+ logging_send_syslog_msg(syslogd_t)
+
systemd_manage_journal_files(syslogd_t)
udev_read_runtime_files(syslogd_t)
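Review bot: The comment `# needed for systemd-initrd case when syslog socket is unlabelled` is slightly misleading: per the commit text the socket is not unlabelled, it carries the default kernel context `system_u:system_r:kernel_t` because it was created before the policy was loaded. Suggest `# systemd-initrd case: the syslog socket inherited from the initrd is labelled kernel_t`. Re-adding the self call under `init_systemd` also resolves the old `cjp: this doesnt make sense` remark removed in the first hunk of this file, which is worth a word in the same comment.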
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
@ 2022-09-03 19:10 Jason Zaman
From: Jason Zaman @ 2022-09-03 19:10 UTC (permalink / raw
To: gentoo-commits
commit: 9f6c6ae09df158fda4a027209642d9393c471b03
Author: Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Sat May 7 01:16:29 2022 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Sep 3 18:41:55 2022 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9f6c6ae0
term, init: allow systemd to watch and watch reads on unallocated ttys
As of systemd 250, systemd needs to be able to add a watch on and watch
reads on unallocated ttys in order to start getty.
systemd[55548]: getty <AT> tty1.service: Failed to set up standard input: Permission denied
systemd[55548]: getty <AT> tty1.service: Failed at step STDIN spawning /sbin/agetty: Permission denied
time->Fri May 6 21:17:58 2022
type=PROCTITLE msg=audit(1651886278.452:1770): proctitle="(agetty)"
type=PATH msg=audit(1651886278.452:1770): item=0 name="/dev/tty1" inode=18 dev=00:05 mode=020620 ouid=0 ogid=5 rdev=04:01 obj=system_u:object_r:tty_device_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1651886278.452:1770): cwd="/"
type=SYSCALL msg=audit(1651886278.452:1770): arch=c000003e syscall=254 success=no exit=-13 a0=3 a1=60ba5c21e020 a2=18 a3=23 items=1 ppid=1 pid=55551 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(agetty)" exe="/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1651886278.452:1770): avc: denied { watch watch_reads } for pid=55551 comm="(agetty)" path="/dev/tty1" dev="devtmpfs" ino=18 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file permissive=0
Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/kernel/terminal.if | 38 ++++++++++++++++++++++++++++++++++++++
policy/modules/system/init.te | 2 ++
2 files changed, 40 insertions(+)
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
index 55c18dff..e5645c7c 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@@ -1284,6 +1284,44 @@ interface(`term_dontaudit_use_unallocated_ttys',`
dontaudit $1 tty_device_t:chr_file rw_chr_file_perms;
')
+########################################
+## <summary>
+## Watch unallocated ttys.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`term_watch_unallocated_ttys',`
+ gen_require(`
+ type tty_device_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 tty_device_t:chr_file watch;
+')
+
+########################################
+## <summary>
+## Watch reads on unallocated ttys.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`term_watch_reads_unallocated_ttys',`
+ gen_require(`
+ type tty_device_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 tty_device_t:chr_file watch_reads;
+')
+
########################################
## <summary>
## Get the attributes of all tty device nodes.
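Review bot: `term_watch_unallocated_ttys` and `term_watch_reads_unallocated_ttys` are identical except for the single permission, and the AVC in the commit shows `watch` and `watch_reads` denied in one access; if the file's granularity allows it, one interface granting `{ watch watch_reads }` would halve the boilerplate, though separate interfaces match how the surrounding file is cut. Either way the summaries could name the expected caller, e.g. `## Watch unallocated ttys (used by systemd >= 250 to spawn getty).`, since the rationale otherwise lives only in the commit message.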
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index db06551c..a93eefed 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -523,6 +523,8 @@ ifdef(`init_systemd',`
term_create_devpts_dirs(init_t)
term_create_ptmx(init_t)
term_create_controlling_term(init_t)
+ term_watch_unallocated_ttys(init_t)
+ term_watch_reads_unallocated_ttys(init_t)
# udevd is a "systemd kobject uevent socket activated daemon"
udev_create_kobject_uevent_sockets(init_t)
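Review bot: The two `term_watch*` calls have no comment, and the reason (systemd 250 adds a watch on the tty before spawning getty) is only in the commit message. Suggest `# systemd >= 250 watches unallocated ttys before starting getty` above `term_watch_unallocated_ttys(init_t)`, matching the `# udevd is ...` style of the line below. The `ifdef(`init_systemd',` block starts outside this hunk.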
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
@ 2022-12-13 20:55 Kenton Groombridge
From: Kenton Groombridge @ 2022-12-13 20:55 UTC (permalink / raw
To: gentoo-commits
commit: 495622d3b23f95f5645afa087020240af0951f97
Author: Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Wed Dec 7 15:27:48 2022 +0000
Commit: Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Tue Dec 13 19:07:34 2022 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=495622d3
filesystem, init: allow systemd to setattr on ramfs dirs
This is needed by systemd-creds on system boot. Without this access,
many services fail to start. Observed on systemd-252 on Gentoo.
type=PROCTITLE msg=audit(1670295099.238:180306): proctitle="(sd-mkdcreds)"
type=PATH msg=audit(1670295099.238:180306): item=0 name=(null) inode=16711 dev=00:2c mode=040700 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ramfs_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1670295099.238:180306): cwd="/"
type=SYSCALL msg=audit(1670295099.238:180306): arch=c000003e syscall=91 success=no exit=-13 a0=3 a1=140 a2=77fb64c2bd90 a3=e9dbd3ce8cce3dba items=1 ppid=23082 pid=23083 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(sd-mkdcreds)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1670295099.238:180306): avc: denied { setattr } for pid=23083 comm="(sd-mkdcreds)" name="/" dev="ramfs" ino=16711 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:ramfs_t:s0 tclass=dir permissive=0
Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>
policy/modules/kernel/filesystem.if | 19 +++++++++++++++++++
policy/modules/system/init.te | 2 ++
2 files changed, 21 insertions(+)
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index c1078d796..af2023e62 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -4778,6 +4778,25 @@ interface(`fs_dontaudit_search_ramfs',`
dontaudit $1 ramfs_t:dir search_dir_perms;
')
+########################################
+## <summary>
+## Set the attributes of directories on
+## a ramfs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_setattr_ramfs_dirs',`
+ gen_require(`
+ type ramfs_t;
+ ')
+
+ allow $1 ramfs_t:dir setattr;
+')
+
########################################
## <summary>
## Create, read, write, and delete
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 310655045..7249dd13f 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -473,6 +473,8 @@ ifdef(`init_systemd',`
fs_create_pstore_dirs(init_t)
# for network namespaces
fs_read_nsfs_files(init_t)
+ # needed by systemd-creds
+ fs_setattr_ramfs_dirs(init_t)
init_manage_all_unit_files(init_t)
init_read_script_state(init_t)
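Review bot: `# needed by systemd-creds` could carry the detail from the audit trace so the rule can be re-evaluated later: the denial is `setattr` on the root of a ramfs (`name="/"`, `obj=...ramfs_t`) by `(sd-mkdcreds)` under systemd-252, and syscall 91 on x86_64 is fchmod, so something like `# systemd-creds (sd-mkdcreds, systemd >= 252) chmods its ramfs credential directory` would be more useful. Note that `fs_setattr_ramfs_dirs` grants setattr on every `ramfs_t` directory, not only that mount root, which is inherent to type granularity but worth stating.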
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
@ 2023-02-13 15:35 Kenton Groombridge
From: Kenton Groombridge @ 2023-02-13 15:35 UTC (permalink / raw
To: gentoo-commits
commit: ef6668a7d48e72ecd3513518f32449c4c0bc8423
Author: Corentin LABBE <clabbe.montjoie <AT> gmail <DOT> com>
AuthorDate: Fri Dec 16 07:15:19 2022 +0000
Commit: Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Mon Feb 13 15:19:51 2023 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ef6668a7
rsyslog: add label for /var/empty/dev/log
On gentoo, starting rsyslog gives this:
allow syslogd_t var_t:dir { add_name remove_name };
allow syslogd_t var_t:sock_file { create setattr unlink };
This is due to the following piece of code in configuration:
"""
Create an additional socket for the default chroot location
(used by net-misc/openssh[hpn], see https://bugs.gentoo.org/490744)
input(type="imuxsock" Socket="/var/empty/dev/log")
"""
So let's add correct label for this file
Signed-off-by: Corentin LABBE <clabbe.montjoie <AT> gmail.com>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>
policy/modules/kernel/devices.fc | 4 ++++
policy/modules/system/logging.fc | 4 ++++
2 files changed, 8 insertions(+)
diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
index 84427423c..da21259b8 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -236,3 +236,7 @@ ifdef(`distro_redhat',`
/var/named/chroot/dev/random -c gen_context(system_u:object_r:random_device_t,s0)
/var/named/chroot/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0)
')
+
+ifdef(`distro_gentoo',`
+/var/empty/dev -d gen_context(system_u:object_r:device_t,s0)
+')
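Review bot: `/var/empty/dev -d gen_context(system_u:object_r:device_t,s0)` labels a directory inside the OpenSSH privilege-separation chroot as `device_t` without a comment saying why, so a reader will not connect it to rsyslog's imuxsock configuration. Suggest `# rsyslog's extra imuxsock socket for the openssh chroot, see bug 490744` above the `ifdef(`distro_gentoo',` block; the matching `/var/empty/dev/log` entry in the logging.fc hunk of this commit would benefit from the same comment. The `-d` spec is directory-only, so anything else that might appear under `/var/empty/dev` keeps whatever label it gets by default.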
diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
index 5681acb51..3b0dea51b 100644
--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
@@ -68,6 +68,10 @@ ifdef(`distro_redhat',`
/var/named/chroot/dev/log -s gen_context(system_u:object_r:devlog_t,s0)
')
+ifdef(`distro_gentoo',`
+/var/empty/dev/log -s gen_context(system_u:object_r:devlog_t,s0)
+')
+
/run/audit_events -s gen_context(system_u:object_r:auditd_runtime_t,mls_systemhigh)
/run/audispd_events -s gen_context(system_u:object_r:audisp_runtime_t,mls_systemhigh)
/run/auditd\.pid -- gen_context(system_u:object_r:auditd_runtime_t,mls_systemhigh)
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
@ 2023-10-06 16:44 Kenton Groombridge
From: Kenton Groombridge @ 2023-10-06 16:44 UTC (permalink / raw
To: gentoo-commits
commit: ca3332b1b3ad6b6cc3b52bf8cff26e4407f93c92
Author: Russell Coker <russell <AT> coker <DOT> com <DOT> au>
AuthorDate: Fri Oct 6 10:48:52 2023 +0000
Commit: Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Fri Oct 6 15:31:45 2023 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ca3332b1
Label checkarray as mdadm_exec_t, allow it to read/write temp files inherited from cron, and dontaudit ps type operations from it
Signed-off-by: Russell Coker <russell <AT> coker.com.au>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>
policy/modules/kernel/corecommands.fc | 1 -
policy/modules/system/raid.fc | 2 ++
policy/modules/system/raid.te | 2 ++
3 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index da5db80a2..21ec61464 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -320,7 +320,6 @@ ifdef(`distro_debian',`
/usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0)
-/usr/share/mdadm/checkarray -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/ajaxterm/ajaxterm\.py.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/ajaxterm/qweb\.py.* -- gen_context(system_u:object_r:bin_t,s0)
diff --git a/policy/modules/system/raid.fc b/policy/modules/system/raid.fc
index 84f1ab02a..ca16bdfdf 100644
--- a/policy/modules/system/raid.fc
+++ b/policy/modules/system/raid.fc
@@ -11,6 +11,8 @@
/usr/bin/mdmpd -- gen_context(system_u:object_r:mdadm_exec_t,s0)
/usr/bin/raid-check -- gen_context(system_u:object_r:mdadm_exec_t,s0)
+/usr/share/mdadm/checkarray -- gen_context(system_u:object_r:mdadm_exec_t,s0)
+
# Systemd unit files
/usr/lib/systemd/system/[^/]*mdadm-.* -- gen_context(system_u:object_r:mdadm_unit_t,s0)
/usr/lib/systemd/system/[^/]*mdmon.* -- gen_context(system_u:object_r:mdadm_unit_t,s0)
diff --git a/policy/modules/system/raid.te b/policy/modules/system/raid.te
index 907facf8d..c8db38261 100644
--- a/policy/modules/system/raid.te
+++ b/policy/modules/system/raid.te
@@ -57,6 +57,7 @@ dev_read_realtime_clock(mdadm_t)
# create links in /dev/md
dev_create_generic_symlinks(mdadm_t)
+domain_dontaudit_search_all_domains_state(mdadm_t)
domain_use_interactive_fds(mdadm_t)
files_read_etc_files(mdadm_t)
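Review bot: `domain_dontaudit_search_all_domains_state(mdadm_t)` is placed among the `dev_*`/`domain_*` rules without a comment, while the commit message explains it silences checkarray's ps-style operations. Suggest `# checkarray runs ps-like commands; silence searches of other domains' /proc entries` above it, so the dontaudit is not later mistaken for a permission something depends on.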
@@ -95,6 +96,7 @@ userdom_dontaudit_search_user_home_content(mdadm_t)
optional_policy(`
cron_system_entry(mdadm_t, mdadm_exec_t)
+ cron_rw_inherited_tmp_files(mdadm_t)
')
optional_policy(`
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
@ 2024-03-01 19:56 Kenton Groombridge
From: Kenton Groombridge @ 2024-03-01 19:56 UTC (permalink / raw
To: gentoo-commits
commit: 2742ffe56eb2a1943c6ddbbd47071a6fa5437875
Author: Christian Göttsche <cgzones <AT> googlemail <DOT> com>
AuthorDate: Thu Feb 22 17:00:40 2024 +0000
Commit: Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Fri Mar 1 17:05:44 2024 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2742ffe5
selinuxutil: setfiles updates
type=PROCTITLE msg=audit(21/02/24 22:31:50.044:122) : proctitle=restorecon -vRn -T0 /
type=SYSCALL msg=audit(21/02/24 22:31:50.044:122) : arch=x86_64 syscall=sched_getaffinity success=yes exit=8 a0=0x0 a1=0x1000 a2=0x7fc235649bf0 a3=0x0 items=0 ppid=1103 pid=13398 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=1 comm=restorecon exe=/usr/sbin/setfiles subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(21/02/24 22:31:50.044:122) : avc: denied { getsched } for pid=13398 comm=restorecon scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=process permissive=1
type=PROCTITLE msg=audit(21/02/24 22:31:55.040:123) : proctitle=restorecon -vRn -T0 /
type=PATH msg=audit(21/02/24 22:31:55.040:123) : item=0 name=/sys/fs/cgroup/user.slice/user-0.slice/user <AT> 0.service/memory.pressure inode=2455 dev=00:1b mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:memory_pressure_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(21/02/24 22:31:55.040:123) : cwd=/root/workspace/selinux/refpolicy/refpolicy
type=SYSCALL msg=audit(21/02/24 22:31:55.040:123) : arch=x86_64 syscall=newfstatat success=yes exit=0 a0=AT_FDCWD a1=0x557264466530 a2=0x7fc2004cacc0 a3=0x100 items=1 ppid=1103 pid=13398 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=1 comm=restorecon exe=/usr/sbin/setfiles subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(21/02/24 22:31:55.040:123) : avc: denied { getattr } for pid=13398 comm=restorecon path=/sys/fs/cgroup/user.slice/user-0.slice/user <AT> 0.service/memory.pressure dev="cgroup2" ino=2455 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:memory_pressure_t:s0 tclass=file permissive=1
type=PROCTITLE msg=audit(21/02/24 22:32:15.512:126) : proctitle=restorecon -vRFn -T0 /usr/
type=PATH msg=audit(21/02/24 22:32:15.512:126) : item=0 name=/proc/sys/vm/overcommit_memory inode=41106 dev=00:16 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysctl_vm_overcommit_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(21/02/24 22:32:15.512:126) : cwd=/root/workspace/selinux/refpolicy/refpolicy
type=SYSCALL msg=audit(21/02/24 22:32:15.512:126) : arch=x86_64 syscall=openat success=yes exit=3 a0=AT_FDCWD a1=0x7f59f7316810 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=1103 pid=13491 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=1 comm=restorecon exe=/usr/sbin/setfiles subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(21/02/24 22:32:15.512:126) : avc: denied { open } for pid=13491 comm=restorecon path=/proc/sys/vm/overcommit_memory dev="proc" ino=41106 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_vm_overcommit_t:s0 tclass=file permissive=1
type=AVC msg=audit(21/02/24 22:32:15.512:126) : avc: denied { read } for pid=13491 comm=restorecon name=overcommit_memory dev="proc" ino=41106 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_vm_overcommit_t:s0 tclass=file permissive=1
Signed-off-by: Christian Göttsche <cgzones <AT> googlemail.com>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>
policy/modules/kernel/filesystem.if | 18 ++++++++++++++++++
policy/modules/system/selinuxutil.te | 3 +++
2 files changed, 21 insertions(+)
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index e529b187f..08ad5503d 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -1271,6 +1271,24 @@ interface(`fs_cgroup_filetrans_memory_pressure',`
fs_cgroup_filetrans($1, memory_pressure_t, $2, $3)
')
+########################################
+## <summary>
+## Get the attributes of cgroup's memory.pressure files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_getattr_memory_pressure',`
+ gen_require(`
+ type memory_pressure_t;
+ ')
+
+ allow $1 memory_pressure_t:file getattr;
+')
+
########################################
## <summary>
## Allow managing a cgroup's memory.pressure file to get notifications
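Review bot: The new interface is named `fs_getattr_memory_pressure` while its summary and rule are about `memory_pressure_t:file`; the names in this file that act on a file class usually carry a `_files` suffix, so `fs_getattr_memory_pressure_files` may fit the convention better, though the neighbouring `fs_cgroup_filetrans_memory_pressure` shows the shorter form is also in use. The summary reads well; if the name stays, no further change is needed.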
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 82130ecd0..b1213aa76 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -599,6 +599,7 @@ optional_policy(`
allow setfiles_t self:capability { dac_override dac_read_search fowner };
dontaudit setfiles_t self:capability sys_tty_config;
+allow setfiles_t self:process getsched;
allow setfiles_t self:fifo_file rw_fifo_file_perms;
allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:dir list_dir_perms;
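Review bot: `allow setfiles_t self:process getsched;` has no comment, and the audit trace ties it to `sched_getaffinity` during `restorecon -T0`, i.e. the multi-threaded relabel path. Suggest `# sched_getaffinity() for restorecon/setfiles -T0 (thread count)` above it so the self permission is not assumed to cover some other scheduling use.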
@@ -621,6 +622,7 @@ kernel_dontaudit_list_all_proc(setfiles_t)
kernel_dontaudit_list_all_sysctls(setfiles_t)
kernel_getattr_debugfs(setfiles_t)
kernel_read_kernel_sysctls(setfiles_t)
+kernel_read_vm_overcommit_sysctl(setfiles_t)
kernel_dontaudit_getattr_proc(setfiles_t)
dev_read_urand(setfiles_t)
@@ -640,6 +642,7 @@ files_dontaudit_read_all_symlinks(setfiles_t)
fs_getattr_all_xattr_fs(setfiles_t)
fs_getattr_cgroup(setfiles_t)
+fs_getattr_memory_pressure(setfiles_t)
fs_getattr_nfs(setfiles_t)
fs_getattr_pstore_dirs(setfiles_t)
fs_getattr_pstorefs(setfiles_t)