From: "Jason Zaman"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman"
Message-ID: <1487660604.714e9ab9df24045d661cbd2d5335a3739d4cf8a5.perfinion@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/admin/, policy/modules/kernel/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/admin/bootloader.te policy/modules/kernel/devices.if policy/modules/kernel/devices.te policy/modules/system/init.if policy/modules/system/init.te policy/modules/system/systemd.if policy/modules/system/systemd.te policy/modules/system/userdomain.if policy/modules/system/userdomain.te
X-VCS-Directories: policy/modules/kernel/ policy/modules/system/ policy/modules/admin/
X-VCS-Committer: perfinion
X-VCS-Committer-Name: Jason Zaman
X-VCS-Revision: 714e9ab9df24045d661cbd2d5335a3739d4cf8a5
X-VCS-Branch: master
Date: Tue, 21 Feb 2017 07:11:49 +0000 (UTC)
Precedence: bulk
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: dafc9c4a-4fe5-4c7a-a89f-5ba330e5a26f
X-Archives-Hash: d7f81215886f452b81f79cb7e7136c0e

commit: 714e9ab9df24045d661cbd2d5335a3739d4cf8a5
Author: Chris PeBenito ieee org>
AuthorDate: Sun Feb 19 21:13:14 2017 +0000
Commit: Jason Zaman gentoo org>
CommitDate: Tue Feb 21 07:03:24 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=714e9ab9

dpkg: Updates from Russell Coker.
policy/modules/admin/bootloader.te | 8 +++- policy/modules/kernel/devices.if | 20 ++++++++++ policy/modules/kernel/devices.te | 2 +- policy/modules/system/init.if | 73 +++++++++++++++++++++++++++++++++++++ policy/modules/system/init.te | 8 ++-- policy/modules/system/systemd.if | 19 ++++++++++ policy/modules/system/systemd.te | 2 +- policy/modules/system/userdomain.if | 4 ++ policy/modules/system/userdomain.te | 2 +- 9 files changed, 131 insertions(+), 7 deletions(-) diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te index 8b7c18cd..51c2266c 100644 --- a/policy/modules/admin/bootloader.te +++ b/policy/modules/admin/bootloader.te @@ -1,4 +1,4 @@ -policy_module(bootloader, 1.17.2) +policy_module(bootloader, 1.17.3) ######################################## # @@ -149,6 +149,12 @@ ifdef(`distro_debian',` fstools_relabelto_entry_files(bootloader_t) libs_relabelto_lib_files(bootloader_t) + + # for apt-cache + apt_read_db(bootloader_t) + apt_read_cache(bootloader_t) + + dpkg_read_db(bootloader_t) ') ifdef(`distro_redhat',` diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if index 428f5a01..08e2e8af 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -3260,6 +3260,26 @@ interface(`dev_create_null_dev',` ######################################## ## +## Manage services with script type null_device_t for when +## /lib/systemd/system/something.service is a link to /dev/null +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_manage_null_service',` + gen_require(` + type null_device_t; + class service { status start stop reload }; + ') + + allow $1 null_device_t:service { status start stop reload }; +') + +######################################## +## ## Do not audit attempts to get the attributes ## of the BIOS non-volatile RAM device. ## diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te index 767da245..66bc754e 100644 
--- a/policy/modules/kernel/devices.te +++ b/policy/modules/kernel/devices.te @@ -1,4 +1,4 @@ -policy_module(devices, 1.20.1) +policy_module(devices, 1.20.2) ######################################## # diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if index fdf3f034..1b26cf5e 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -809,6 +809,42 @@ interface(`init_udp_send',` ######################################## ## +## start service (systemd). +## +## +## +## Domain allowed access. +## +## +# +interface(`init_start_system',` + gen_require(` + type init_t; + ') + + allow $1 init_t:system start; +') + +######################################## +## +## stop service (systemd). +## +## +## +## Domain allowed access. +## +## +# +interface(`init_stop_system',` + gen_require(` + type init_t; + ') + + allow $1 init_t:system stop; +') + +######################################## +## ## Get all service status (systemd). ## ## @@ -1335,6 +1371,25 @@ interface(`init_script_file_domtrans',` ######################################## ## +## Allow manage service for initrc_exec_t scripts +## +## +## +## Target domain +## +## +# +interface(`init_manage_script_service',` + gen_require(` + type initrc_exec_t; + class service { status start stop }; + ') + + allow $1 initrc_exec_t:service { start stop status }; +') + +######################################## +## ## Transition to the init script domain ## on a specified labeled init script. ## @@ -1475,6 +1530,24 @@ interface(`init_run_daemon',` ######################################## ## +## Start and stop init_script_file_type services +## +## +## +## domain that can start and stop the services +## +## +# +interface(`init_startstop_all_script_services',` + gen_require(` + attribute init_script_file_type; + ') + + allow $1 init_script_file_type:service { start status stop }; +') + +######################################## +## ## Read the process state (/proc/pid) of init. ## ## 
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index cad90ba5..e07f7050 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -1,4 +1,4 @@ -policy_module(init, 2.2.3) +policy_module(init, 2.2.4) gen_require(` class passwd rootok; @@ -277,8 +277,6 @@ ifdef(`init_systemd',` term_relabel_pty_dirs(init_t) - clock_read_adjtime(init_t) - logging_manage_pid_sockets(init_t) logging_send_audit_msgs(init_t) logging_relabelto_devlog_sock_files(init_t) @@ -289,6 +287,10 @@ ifdef(`init_systemd',` udev_create_kobject_uevent_sockets(init_t) optional_policy(` + clock_read_adjtime(init_t) + ') + + optional_policy(` systemd_relabelto_kmod_files(init_t) systemd_dbus_chat_logind(init_t) ') diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if index 705cbaa3..b07d2c5b 100644 --- a/policy/modules/system/systemd.if +++ b/policy/modules/system/systemd.if @@ -137,6 +137,25 @@ interface(`systemd_relabelto_kmod_files',` ######################################## ## +## Allow systemd_logind_t to read process state for cgroup file +## +## +## +## Domain systemd_logind_t may access. +## +## +# +interface(`systemd_read_logind_state',` + gen_require(` + type systemd_logind_t; + ') + + allow systemd_logind_t $1:dir list_dir_perms; + allow systemd_logind_t $1:file read_file_perms; +') + +######################################## +## ## Get the system status information from systemd_login ## ## diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index 395f62cd..7ae7ce1d 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -1,4 +1,4 @@ -policy_module(systemd, 1.3.2) +policy_module(systemd, 1.3.3) ######################################### # diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index 334759e8..45c0339f 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if 
@@ -696,6 +696,10 @@ template(`userdom_common_user_template',` ') optional_policy(` + dpkg_read_db($1_t) + ') + + optional_policy(` hwloc_exec_dhwd($1_t) hwloc_read_runtime_files($1_t) ') diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te index e5c04d77..df3b9572 100644 --- a/policy/modules/system/userdomain.te +++ b/policy/modules/system/userdomain.te @@ -1,4 +1,4 @@ -policy_module(userdomain, 4.13.0) +policy_module(userdomain, 4.13.1) ######################################## #
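
Review bot: in policy/modules/admin/bootloader.te, the three calls added to the distro_debian block (apt_read_db, apt_read_cache, dpkg_read_db) are made unconditionally, while the dpkg_read_db call this same patch adds to userdomain.if is wrapped in optional_policy. If the apt and dpkg modules are meant to be optional, wrap these calls the same way so the bootloader module does not depend on them being present. The comment "# for apt-cache" covers the two apt calls; dpkg_read_db(bootloader_t) has no stated reason, so add a line saying what runs in bootloader_t that reads the dpkg database.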
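
Review bot: in policy/modules/kernel/devices.if, dev_manage_null_service grants "status start stop reload" on null_device_t:service, and the summary should say that this covers every unit file that is a link to /dev/null, not one particular service, because they all carry the same null_device_t label. Callers reading only "Manage services with script type null_device_t" will not see how broad that is. The name says "manage" while the rule lists four specific permissions; either list them in the summary or pick a name that matches, and end the summary with a period like the neighbouring interfaces.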
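
Review bot: in policy/modules/system/init.if, the summaries of init_start_system and init_stop_system say "start service (systemd)." and "stop service (systemd)." but the rules are "allow $1 init_t:system start;" and "allow $1 init_t:system stop;", which are permissions on the system class of init_t, not on a service. Reword the summaries to describe the system-level permission so a policy author does not grant it thinking it is scoped to one unit. The gen_require blocks also name only "type init_t;" and omit the class, whereas dev_manage_null_service in this patch declares "class service { status start stop reload };"; declare the system class and the permission used here as well.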
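
Review bot: in policy/modules/system/init.if, the parameter description of init_manage_script_service reads "Target domain", but $1 is the source of "allow $1 initrc_exec_t:service { start stop status };", so it should read "Domain allowed access." like the other interfaces added here. The permission set is written as "{ status start stop }" in gen_require and "{ start stop status }" in the allow rule; use one order. The name says "manage" but, unlike dev_manage_null_service, reload is not granted; state in the summary which permissions are included.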
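
Review bot: in policy/modules/system/init.if, init_startstop_all_script_services requires only "attribute init_script_file_type;" and does not declare the service class, although init_manage_script_service a few hunks earlier declares "class service { status start stop };" for the same kind of rule. Add the class declaration for consistency. The name and summary mention only start and stop while the rule also grants status; mention it in the summary, and capitalise the parameter description ("domain that can start and stop the services") to match the rest of the file.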
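
Review bot: in policy/modules/system/systemd.if, the name systemd_read_logind_state reads as if the calling domain gets to read logind's state, but the rules go the other way: "allow systemd_logind_t $1:dir list_dir_perms;" and "allow systemd_logind_t $1:file read_file_perms;" give systemd_logind_t read access to the caller's own process state. A domain author skimming interface names could call this expecting the opposite grant. Choose a name that puts logind as the subject, and reword the parameter description "Domain systemd_logind_t may access." to say that it is the domain whose process state logind is allowed to read.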
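
Review bot: in policy/modules/system/userdomain.if, dpkg_read_db($1_t) is added to userdom_common_user_template with no comment and outside any distro_debian conditional, so every domain built from the common user template gets read access to the dpkg database wherever the dpkg module is present. The bootloader.te change in this patch keeps its dpkg access inside the distro_debian block and comments the apt calls; add a one-line comment here giving the reason user domains need it, and say whether leaving it unconditional is intended.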