From: "Sven Vermeulen"
To: gentoo-commits@lists.gentoo.org
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen"
Message-ID: <1493561865.9f8cb24323e7357725e97e57caa71920e398ea6b.swift@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/contrib/apt.if policy/modules/contrib/apt.te policy/modules/contrib/cron.te policy/modules/contrib/mrtg.if policy/modules/contrib/mrtg.te policy/modules/contrib/rsync.te
X-VCS-Directories: policy/modules/contrib/
X-VCS-Committer: swift
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: 9f8cb24323e7357725e97e57caa71920e398ea6b
X-VCS-Branch: swift
Date: Thu, 18 May 2017 16:54:55 +0000 (UTC)

commit:     9f8cb24323e7357725e97e57caa71920e398ea6b
Author:     Chris PeBenito ieee org>
AuthorDate: Wed Apr 26 22:02:08 2017 +0000
Commit:     Sven Vermeulen gentoo org>
CommitDate: Sun Apr 30 14:17:45 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9f8cb243

some little misc things from Russell Coker.

This patch allows setfiles to use file handles inherited from apt (for dpkg postinst scripts), adds those rsync permissions that were rejected previously due to not using interfaces, allows fsadm_t to stat /run/mount/utab, and allows system_cronjob_t some access it requires (including net_admin for when it runs utilities that set buffers).
policy/modules/contrib/apt.if | 20 ++++++++++++++++++++ policy/modules/contrib/apt.te | 2 +- policy/modules/contrib/cron.te | 25 +++++++++++++++++++++---- policy/modules/contrib/mrtg.if | 18 ++++++++++++++++++ policy/modules/contrib/mrtg.te | 2 +- policy/modules/contrib/rsync.te | 4 +++- 6 files changed, 64 insertions(+), 7 deletions(-) diff --git a/policy/modules/contrib/apt.if b/policy/modules/contrib/apt.if index 0a1bc49f..568aa97d 100644 --- a/policy/modules/contrib/apt.if +++ b/policy/modules/contrib/apt.if @@ -176,6 +176,26 @@ interface(`apt_read_cache',` ######################################## ## +## Create, read, write, and delete apt package cache content. +## +## +## +## Domain allowed access. +## +## +# +interface(`apt_manage_cache',` + gen_require(` + type apt_var_cache_t; + ') + + files_search_var($1) + allow $1 apt_var_cache_t:dir manage_dir_perms; + allow $1 apt_var_cache_t:file manage_file_perms; +') + +######################################## +## ## Read apt package database content. ## ## diff --git a/policy/modules/contrib/apt.te b/policy/modules/contrib/apt.te index 05197c4c..dc6f09b1 100644 --- a/policy/modules/contrib/apt.te +++ b/policy/modules/contrib/apt.te @@ -1,4 +1,4 @@ -policy_module(apt, 1.10.1) +policy_module(apt, 1.10.2) ######################################## # diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te index 5cb7dac1..15e6bdb4 100644 --- a/policy/modules/contrib/cron.te +++ b/policy/modules/contrib/cron.te @@ -1,4 +1,4 @@ -policy_module(cron, 2.11.3) +policy_module(cron, 2.11.4) gen_require(` class passwd rootok; @@ -338,6 +338,13 @@ ifdef(`distro_debian',` allow crond_t self:process setrlimit; optional_policy(` + apt_manage_cache(system_cronjob_t) + apt_read_db(system_cronjob_t) + + dpkg_manage_db(system_cronjob_t) + ') + + optional_policy(` logwatch_search_cache_dir(crond_t) ') ') 
@@ -429,6 +436,7 @@ optional_policy(` systemd_write_inherited_logind_sessions_pipes(system_cronjob_t) # so cron jobs can restart daemons init_stream_connect(system_cronjob_t) + init_manage_script_service(system_cronjob_t) ') optional_policy(` @@ -440,7 +448,7 @@ optional_policy(` # System local policy # -allow system_cronjob_t self:capability { chown dac_override dac_read_search fowner fsetid net_bind_service setgid setuid sys_nice }; +allow system_cronjob_t self:capability { chown dac_override dac_read_search fowner fsetid net_admin net_bind_service setgid setuid sys_nice }; allow system_cronjob_t self:process { signal_perms getsched setsched }; allow system_cronjob_t self:fd use; allow system_cronjob_t self:fifo_file rw_fifo_file_perms; @@ -461,10 +469,11 @@ allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms; allow system_cronjob_t system_cronjob_lock_t:lnk_file manage_lnk_file_perms; files_lock_filetrans(system_cronjob_t, system_cronjob_lock_t, { file lnk_file }) +manage_dirs_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t) manage_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t) manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t) filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file }) -files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file) +files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, { file dir }) manage_files_pattern(system_cronjob_t, system_cronjob_var_lib_t, system_cronjob_var_lib_t) @@ -475,7 +484,7 @@ allow system_cronjob_t crond_t:process sigchld; allow system_cronjob_t cron_spool_t:dir list_dir_perms; allow system_cronjob_t cron_spool_t:file rw_file_perms; -allow system_cronjob_t crond_tmp_t:file { read write }; +allow system_cronjob_t crond_tmp_t:file rw_inherited_file_perms; kernel_read_kernel_sysctls(system_cronjob_t) kernel_read_network_state(system_cronjob_t) 
@@ -560,10 +569,15 @@ tunable_policy(`cron_can_relabel',` ') optional_policy(` + acct_manage_data(system_cronjob_t) +') + +optional_policy(` apache_exec_modules(system_cronjob_t) apache_read_config(system_cronjob_t) apache_read_log(system_cronjob_t) apache_read_sys_content(system_cronjob_t) + apache_delete_lib_files(system_cronjob_t) ') optional_policy(` @@ -607,6 +621,7 @@ optional_policy(` optional_policy(` mrtg_append_create_logs(system_cronjob_t) + mrtg_read_config(system_cronjob_t) ') optional_policy(` @@ -649,6 +664,8 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms; allow cronjob_t self:unix_stream_socket create_stream_socket_perms; allow cronjob_t self:unix_dgram_socket create_socket_perms; +allow cronjob_t crond_tmp_t:file rw_inherited_file_perms; + kernel_read_system_state(cronjob_t) kernel_read_kernel_sysctls(cronjob_t) diff --git a/policy/modules/contrib/mrtg.if b/policy/modules/contrib/mrtg.if index 0a71bd89..b25b0894 100644 --- a/policy/modules/contrib/mrtg.if +++ b/policy/modules/contrib/mrtg.if @@ -2,6 +2,24 @@ ######################################## ## +## Read mrtg configuration +## +## +## +## Domain allowed access. +## +## +# +interface(`mrtg_read_config',` + gen_require(` + type mrtg_etc_t; + ') + + allow $1 mrtg_etc_t:file read_file_perms; +') + +######################################## +## ## Create and append mrtg log files. ## ## diff --git a/policy/modules/contrib/mrtg.te b/policy/modules/contrib/mrtg.te index 5126d9d5..96d48f37 100644 --- a/policy/modules/contrib/mrtg.te +++ b/policy/modules/contrib/mrtg.te @@ -1,4 +1,4 @@ -policy_module(mrtg, 1.11.0) +policy_module(mrtg, 1.11.1) ######################################## # diff --git a/policy/modules/contrib/rsync.te b/policy/modules/contrib/rsync.te index 2fce98b0..11c7041a 100644 --- a/policy/modules/contrib/rsync.te +++ b/policy/modules/contrib/rsync.te @@ -1,4 +1,4 @@ -policy_module(rsync, 1.15.0) +policy_module(rsync, 1.15.1) ######################################## # 
@@ -123,6 +123,8 @@ dev_read_urand(rsync_t) fs_getattr_all_fs(rsync_t) fs_search_auto_mountpoints(rsync_t) +files_getattr_all_pipes(rsync_t) +files_getattr_all_sockets(rsync_t) files_search_home(rsync_t) auth_can_read_shadow_passwords(rsync_t)
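Review bot: the commit message promises more than the diffstat delivers. It says setfiles may use file handles inherited from apt and that fsadm_t may stat /run/mount/utab, but the six files listed (apt.if, apt.te, cron.te, mrtg.if, mrtg.te, rsync.te) contain no rule for a setfiles or fsadm domain. Either those hunks are missing from this commit or the message should be trimmed to what is actually changed, so a later policy audit does not go looking for rules that were never added.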
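Review bot: in the distro_debian hunk of cron.te, apt_manage_cache, apt_read_db and dpkg_manage_db share one optional_policy block, so if the dpkg module is not loaded the apt rules are silently dropped as well (and vice versa); one optional_policy per module, as the neighbouring logwatch block does, avoids that coupling. Since dpkg_manage_db gives every job in the system crontab write access to the package database, a short comment naming which maintenance jobs need it would help future readers judge whether the scope is still right.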
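Review bot: the capability hunk in cron.te grants system_cronjob_t net_admin, which covers far more than the socket buffer tuning the commit message mentions (interface configuration, routing and firewall changes also sit behind it), and it applies to every system cron job, not only the utility that needs it. Add an inline comment above the allow line stating the reason, and consider whether the buffer-setting utility could run in its own domain rather than widening system_cronjob_t for all jobs.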
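Review bot: the tmp hunk in cron.te adds manage_dirs_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t) and extends files_tmp_filetrans to { file dir }, but the filetrans_pattern on crond_tmp_t is left at { file lnk_file }. A directory created inside a crond_tmp_t directory therefore gets no type transition: it would be labelled crond_tmp_t, on which system_cronjob_t has no dir create permission, so the new manage_dirs rule cannot take effect there. Change it to filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { dir file lnk_file }) if the intent is for those directories to end up as system_cronjob_tmp_t.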
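Review bot: mrtg_read_config in mrtg.if grants read_file_perms on mrtg_etc_t:file but nothing that lets the caller reach the file; compare apt_manage_cache in the same patch, which calls files_search_var($1) before its allow rules. Add files_search_etc($1), and if the mrtg configuration directory itself carries the mrtg_etc_t label, also allow $1 mrtg_etc_t:dir list_dir_perms; otherwise system_cronjob_t is denied at the directory lookup before it ever opens the file.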
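Review bot: the rsync.te hunk adds files_getattr_all_pipes(rsync_t) and files_getattr_all_sockets(rsync_t) with no comment. Since these are the rules the commit message says were previously rejected for not using interfaces, record the reason in place (presumably rsync stat()ing named pipes and sockets while walking a tree it serves, which is my assumption rather than something the patch states) so the next reader does not need the mailing-list history. getattr-only is the right scope; keep these interfaces rather than widening to read or write if a later denial turns up.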