* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
From: Jason Zaman @ 2014-08-20 17:10 UTC
  To: gentoo-commits

commit:     9660ec3c7e65d654770832d9011cce2eb7bc1134
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Aug 20 16:26:29 2014 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Wed Aug 20 17:10:23 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=9660ec3c

Allow udev to set predictable ifnames

Udev sets the interface names predictably; it uses a
netlink_route_socket to do so.

More info at:
http://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames/

---
 policy/modules/system/udev.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 83a8b11..737e854 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -332,6 +332,9 @@ ifdef(`distro_gentoo',`
 	allow udev_t self:capability2 block_suspend;
 	allow udev_t udev_tbl_t:dir relabelto;
 
+	# needed for predictable network interfaces naming
+	allow udev_t self:netlink_route_socket rw_netlink_socket_perms;
+
 	manage_dirs_pattern(udev_t, udev_tbl_t, udev_tbl_t)
 	manage_files_pattern(udev_t, udev_tbl_t, udev_tbl_t)
 	manage_lnk_files_pattern(udev_t, udev_tbl_t, udev_tbl_t)
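Review bot: the commit message should quote the AVC denials behind this rule, because rw_netlink_socket_perms is the read-write netlink set and the diff alone does not show that the write side was actually denied; a reader auditing udev_t later has no way to tell which of the granted permissions the renaming needs. Nothing in the comment is Gentoo-specific either, so the rule is a candidate for upstream refpolicy rather than the ifdef(`distro_gentoo') block it lands in.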


^ permalink raw reply related	[flat|nested] 98+ messages in thread

* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
From: Sven Vermeulen @ 2014-10-12  8:44 UTC
  To: gentoo-commits

commit:     eaef7e0bc37c62511400aaf136f8bb6e4e63241a
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Oct 12 08:38:37 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Oct 12 08:38:37 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=eaef7e0b

Add auth_pid_filetrans_pam_var_run

This interface allows a domain to create resources inside the generic
pid location (/var/run) and have them created with the pam_var_run_t
type.

---
 policy/modules/system/authlogin.if | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)

diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index 8225390..f20a6a6 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -1805,3 +1805,37 @@ interface(`auth_unconfined',`
 	typeattribute $1 can_write_shadow_passwords;
 	typeattribute $1 can_relabelto_shadow_passwords;
 ')
+
+# Should be in an ifdef distro_gentoo but that is not supported in the global if file
+
+########################################
+## <summary>
+##	Create specified objects in
+##	pid directories with the pam var
+##      run file type using a
+##      file type transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	Class of the object being created.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`auth_pid_filetrans_pam_var_run',`
+	gen_require(`
+		type pam_var_run_t;
+	')
+
+	files_pid_filetrans($1, pam_var_run_t, $2, $3)
+')
+
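Review bot: the summary block mixes indentation (two of the summary lines are indented with spaces while the rest of the file uses tabs) and the hunk adds a trailing blank line at end of file; both should be tidied before this is sent upstream. The comment explaining why the interface is not wrapped in ifdef(`distro_gentoo') is useful, but the summary itself could state that the interface exists for the Gentoo layout of pam files under /var/run so the generated interface documentation says why it is there.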


* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
From: Sven Vermeulen @ 2014-11-28 10:04 UTC
  To: gentoo-commits

commit:     5972047d8963d9fc145f34156e9078a40b7f3c1f
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Nov 22 18:35:21 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Nov 22 18:35:21 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=5972047d

Remove ifdef distro; pwd lock is now part of upstream

---
 policy/modules/system/authlogin.fc | 2 --
 1 file changed, 2 deletions(-)

diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
index bc3f7dc..2479587 100644
--- a/policy/modules/system/authlogin.fc
+++ b/policy/modules/system/authlogin.fc
@@ -1,9 +1,7 @@
 
 /bin/login		--	gen_context(system_u:object_r:login_exec_t,s0)
 
-ifndef(`distro_gentoo',`
 /etc/\.pwd\.lock	--	gen_context(system_u:object_r:shadow_t,s0)
-')
 /etc/group\.lock	--	gen_context(system_u:object_r:shadow_t,s0)
 /etc/gshadow.*		--	gen_context(system_u:object_r:shadow_t,s0)
 /etc/passwd\.lock	--	gen_context(system_u:object_r:shadow_t,s0)
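Review bot: dropping the ifndef(`distro_gentoo') means Gentoo systems now label /etc/.pwd.lock as shadow_t where they previously did not. An installed system keeps the old label until the file is relabelled, so the commit message (or the policy package's upgrade notes) should say that a restorecon of /etc is needed, otherwise domains that are only allowed shadow_t will be denied on the stale label.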


* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
From: Sven Vermeulen @ 2014-11-28 10:04 UTC
  To: gentoo-commits

commit:     9d229675d7084facc9592f1ddab5f976337524f4
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Nov 22 18:47:27 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Nov 22 18:47:27 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=9d229675

Whitespace according to upstream

---
 policy/modules/system/ipsec.fc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
index 46d232a..082ce47 100644
--- a/policy/modules/system/ipsec.fc
+++ b/policy/modules/system/ipsec.fc
@@ -14,9 +14,9 @@
 
 /usr/lib/ipsec/_plutoload	-- 	gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
 /usr/lib/ipsec/_plutorun	--	gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
-/usr/lib/ipsec/eroute	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
+/usr/lib/ipsec/eroute		--	gen_context(system_u:object_r:ipsec_exec_t,s0)
 /usr/lib/ipsec/klipsdebug	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
-/usr/lib/ipsec/pluto	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
+/usr/lib/ipsec/pluto		--	gen_context(system_u:object_r:ipsec_exec_t,s0)
 /usr/lib/ipsec/spi		--	gen_context(system_u:object_r:ipsec_exec_t,s0)
 
 /usr/libexec/ipsec/_plutoload	-- 	gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)


* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
From: Sven Vermeulen @ 2014-11-28 10:04 UTC
  To: gentoo-commits

commit:     d634f3732a6e8ce11f31f6cda00e2be5d48e8276
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Nov 22 18:34:23 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Nov 22 18:34:23 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=d634f373

Bad whitespace but matches upstream

---
 policy/modules/system/authlogin.if | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index f20a6a6..03c567a 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -1767,9 +1767,9 @@ interface(`auth_relabel_login_records',`
 ## <infoflow type="both" weight="10"/>
 #
 interface(`auth_use_nsswitch',`
-	gen_require(`
-		attribute nsswitch_domain;
-	')
+    gen_require(`
+        attribute nsswitch_domain;
+    ')
 
 	typeattribute $1 nsswitch_domain;
 ')
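Review bot: the replacement lines switch the gen_require block to four-space indentation while the typeattribute line in the same interface keeps a tab, so this hunk leaves one interface with mixed indentation. Matching upstream byte-for-byte does make merges quieter, but the better fix is to correct the whitespace upstream and pull that back, rather than carry a known style defect here.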


* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
From: Sven Vermeulen @ 2014-11-28 10:04 UTC
  To: gentoo-commits

commit:     fe62598f2fb87fe0dfca34f82311ffd29df37795
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Nov 22 18:46:23 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Nov 22 18:46:23 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=fe62598f

Reshuffle and update with upstream

---
 policy/modules/system/init.if | 82 ++++++++++++++++++++++++-------------------
 1 file changed, 46 insertions(+), 36 deletions(-)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 2b7793a..99e42fc 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -150,39 +150,6 @@ interface(`init_ranged_domain',`
 
 ########################################
 ## <summary>
-##	Mark the file type as a daemon pid file, allowing initrc_t
-##	to create it
-## </summary>
-## <param name="filetype">
-##	<summary>
-##	Type to mark as a daemon pid file
-##	</summary>
-## </param>
-## <param name="class">
-##	<summary>
-##	Class on which the type is applied
-##	</summary>
-## </param>
-## <param name="filename">
-##	<summary>
-##	Filename of the file that the init script creates
-##	</summary>
-## </param>
-#
-interface(`init_daemon_pid_file',`
-	gen_require(`
-		attribute daemonpidfile;
-		type initrc_t;
-	')
-
-	typeattribute $1 daemonpidfile;
-
-	files_pid_file($1)
-	files_pid_filetrans(initrc_t, $1, $2, $3)
-')
-
-########################################
-## <summary>
 ##	Create a domain for long running processes
 ##	(daemons/services) which are started by init scripts.
 ## </summary>
@@ -421,16 +388,50 @@ interface(`init_ranged_system_domain',`
 
 ########################################
 ## <summary>
-##	Mark the type as a daemon run dir
+##	Mark the file type as a daemon pid file, allowing initrc_t
+##	to create it
 ## </summary>
-## <param name="rundirtype">
+## <param name="filetype">
+##	<summary>
+##	Type to mark as a daemon pid file
+##	</summary>
+## </param>
+## <param name="class">
+##	<summary>
+##	Class on which the type is applied
+##	</summary>
+## </param>
+## <param name="filename">
+##	<summary>
+##	Filename of the file that the init script creates
+##	</summary>
+## </param>
+#
+interface(`init_daemon_pid_file',`
+	gen_require(`
+		attribute daemonpidfile;
+		type initrc_t;
+	')
+
+	typeattribute $1 daemonpidfile;
+
+	files_pid_file($1)
+	files_pid_filetrans(initrc_t, $1, $2, $3)
+')
+
+########################################
+## <summary>
+##	Mark the file type as a daemon run dir, allowing initrc_t
+##	to create it
+## </summary>
+## <param name="filetype">
 ##	<summary>
 ##	Type to mark as a daemon run dir
 ##	</summary>
 ## </param>
 ## <param name="filename">
 ##	<summary>
-##	Name of the run dir directory
+##	Filename of the directory that the init script creates
 ##	</summary>
 ## </param>
 #
@@ -843,6 +844,14 @@ interface(`init_spec_domtrans_script',`
 	files_list_etc($1)
 	spec_domtrans_pattern($1, initrc_exec_t, initrc_t)
 
+	ifdef(`distro_gentoo',`
+		gen_require(`
+			type rc_exec_t;
+		')
+
+		domtrans_pattern($1, rc_exec_t, initrc_t)
+	')
+
 	ifdef(`enable_mcs',`
 		range_transition $1 initrc_exec_t:process s0;
 	')
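Review bot: inside init_spec_domtrans_script the Gentoo block uses domtrans_pattern($1, rc_exec_t, initrc_t), while the interface's existing rule for initrc_exec_t two lines above is spec_domtrans_pattern, whose point is that the transition only happens when the caller explicitly requests it. Using domtrans_pattern makes the rc_exec_t transition automatic, which is a different semantic from what the interface name promises; spec_domtrans_pattern($1, rc_exec_t, initrc_t) keeps the two entry points consistent. The enable_mcs range_transition that follows also covers only initrc_exec_t, so rc_exec_t gets no range transition under MCS.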
@@ -882,6 +891,7 @@ interface(`init_domtrans_script',`
 		gen_require(`
 			type rc_exec_t;
 		')
+
 		domtrans_pattern($1, rc_exec_t, initrc_t)
 	')
 ')


* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
From: Sven Vermeulen @ 2014-11-28 10:04 UTC
  To: gentoo-commits

commit:     91a3d6f2a32354213d8da990af4b77e6680a5fc5
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Nov 28 09:39:33 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Nov 28 09:39:33 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=91a3d6f2

Fix bug 530898 - Enable netlink interaction from dhcpcd

---
 policy/modules/system/sysnetwork.te | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index d053ee2..3576536 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -402,6 +402,12 @@ ifdef(`distro_gentoo',`
 	# Fixes bug 468874
 	allow dhcpc_t self:rawip_socket create_socket_perms;
 
+	# Fixes bug 530898
+	allow dhcpc_t self:netlink_kobject_uevent_socket client_stream_socket_perms;
+	# Also mentioned as AVCs in bug 530898. Not certain if this is needed but considering
+	# the dhcpc_t use case we currently allow it
+	allow dhcpc_t self:netlink_socket client_stream_socket_perms;
+
 	# Allow dhcpcd to set its control sockets
 	allow dhcpc_t dhcpc_var_run_t:sock_file manage_sock_file_perms;
 
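Review bot: the comment on the netlink_socket rule admits it is not certain the permission is needed, which is a reason to verify before allowing rather than after. The AVC lines from bug 530898 that show tclass=netlink_socket should be quoted here together with the code path that triggered them, or the rule left out until a denial is reproduced in enforcing mode. netlink_socket is also the generic class for netlink families that have no dedicated class, so the comment should record which family dhcpcd actually opened; that is what will let the rule be narrowed when a specific class becomes available.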


* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
From: Sven Vermeulen @ 2014-11-28 10:04 UTC
  To: gentoo-commits

commit:     8a743e507cd42248d705907e7bcb42e268bfab9a
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Nov 27 21:00:38 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Nov 27 21:00:38 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=8a743e50

Fix bug 530918 - Allow lvm_t socket creation perms to handle cryptsetup luksFormat

---
 policy/modules/system/lvm.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index c9fba08..a5952f7 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -361,6 +361,9 @@ ifdef(`distro_gentoo',`
 	# Local lvm policy
 	#
 
+	# cryptsetup support bug 530918
+	allow lvm_t self:socket create_stream_socket_perms;
+
 	create_dirs_pattern(lvm_t, lvm_etc_t, lvm_metadata_t)
 	filetrans_pattern(lvm_t, lvm_etc_t, lvm_metadata_t, dir, "cache")
 
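Review bot: self:socket is the generic socket class, so this rule lets lvm_t create and listen on any socket family that has no dedicated SELinux class, not just the one cryptsetup luksFormat needs. The comment should state which family the bug 530918 AVCs showed, so that the rule can be moved to a specific class once the policy defines one, and create_stream_socket_perms (which adds listen and accept) should be justified against those denials; if cryptsetup only creates and uses the socket, create_socket_perms is the narrower choice.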


* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
From: Sven Vermeulen @ 2014-11-28 10:04 UTC
  To: gentoo-commits

commit:     b86c4b022307c8477a9373e0677b9eb51240e71b
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Nov 27 21:58:05 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Nov 27 21:58:05 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=b86c4b02

Fix bug #529430 - Various policy fixes to support lvmetad, dmeventd/lvm-monitoring

---
 policy/modules/system/lvm.fc | 9 +++++++++
 policy/modules/system/lvm.te | 5 +++++
 2 files changed, 14 insertions(+)

diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc
index 13a5759..ea5ba34 100644
--- a/policy/modules/system/lvm.fc
+++ b/policy/modules/system/lvm.fc
@@ -105,3 +105,12 @@ ifdef(`distro_gentoo',`
 /var/lock/lvm(/.*)?		gen_context(system_u:object_r:lvm_lock_t,s0)
 /var/run/multipathd\.sock -s	gen_context(system_u:object_r:lvm_var_run_t,s0)
 /var/run/dmevent.*		gen_context(system_u:object_r:lvm_var_run_t,s0)
+
+ifdef(`distro_gentoo',`
+# Bug 529430 comment 7
+/sbin/lvmetad		--	gen_context(system_u:object_r:lvm_exec_t,s0)
+/var/run/lvm(/.*)?		gen_context(system_u:object_r:lvm_var_run_t,s0)
+
+# Bug 529430 comment 8
+/sbin/dmeventd		--	gen_context(system_u:object_r:lvm_exec_t,s0)
+')
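Review bot: the hunk header already attributes the preceding /var/lock/lvm and /var/run entries to an ifdef(`distro_gentoo',` region, so check whether this hunk opens a second, nested Gentoo conditional right after the existing one; if the earlier block is still open, these five entries belong inside it rather than in a new block. The bug references in the comments are good, but the entries would be easier to maintain grouped by path (both /sbin entries together, then /var/run) rather than by bug comment.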

diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index a5952f7..a1485fb 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -365,6 +365,11 @@ ifdef(`distro_gentoo',`
 	allow lvm_t self:socket create_stream_socket_perms;
 
 	create_dirs_pattern(lvm_t, lvm_etc_t, lvm_metadata_t)
+	# Bug 529430 comment 6
+	create_dirs_pattern(lvm_t, lvm_etc_t, lvm_etc_t)
+	# BUg 529430 comment 8
+	manage_fifo_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t)
+
 	filetrans_pattern(lvm_t, lvm_etc_t, lvm_metadata_t, dir, "cache")
 
 	kernel_request_load_module(lvm_t)
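Review bot: "BUg" in the comment should read "Bug". More substantively, create_dirs_pattern(lvm_t, lvm_etc_t, lvm_etc_t) sits directly under create_dirs_pattern(lvm_t, lvm_etc_t, lvm_metadata_t); together they allow lvm_t to create directories of both types under lvm_etc_t, and the filetrans_pattern below only redirects the "cache" name to lvm_metadata_t. The comment should name the directory from bug 529430 comment 6 that must stay lvm_etc_t, so a later reader can tell this is intended and not a leftover duplicate.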


* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
From: Sven Vermeulen @ 2014-11-28 10:04 UTC
  To: gentoo-commits

commit:     30ac48af98cd4789dcfcb897a969d51233844db4
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Nov 25 20:04:56 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Nov 26 12:28:11 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=30ac48af

Allow admin users to manage user tmp chr_files

Needed when building initrds.

---
 policy/modules/system/userdomain.if | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index eba23be..1d5370c 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1249,6 +1249,8 @@ template(`userdom_admin_user_template',`
 		allow $1_t self:netlink_kobject_uevent_socket create_socket_perms;
 		# Moved out of files_relabel_non_auth_files as it cannot be used in tunable_policy otherwise
 		seutil_relabelto_bin_policy($1_t)
+		# allow to manage chr_files in user_tmp (for initrd's)
+		userdom_manage_user_tmp_chr_files($1_t)
 	')
 ')
 
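Review bot: manage_chr_files on user_tmp_t lets every admin user domain create and modify character device nodes under /tmp; that is what building an initramfs as a user needs, but it is a rule worth keeping narrow, so the comment should say "creating device nodes while building an initramfs" and "initrd's" should read "initrds". The hunk appends the call to a block that also holds seutil_relabelto_bin_policy, and the enclosing tunable is not visible here, so confirm that the tunable gating that block is the one meant to gate this permission too.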


* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
From: Sven Vermeulen @ 2014-11-28 10:04 UTC
  To: gentoo-commits

commit:     3f6c14f9b89350b60e83e5f7764b7a095df7b005
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Nov 25 20:00:07 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Nov 26 12:28:11 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=3f6c14f9

Introduce userdom_manage_user_tmp_chr_files interface

---
 policy/modules/system/userdomain.if | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 16a95cc..eba23be 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -3630,3 +3630,23 @@ interface(`userdom_manage_all_user_home_content',`
 	manage_fifo_files_pattern($1, user_home_content_type, user_home_content_type)
 	manage_sock_files_pattern($1, user_home_content_type, user_home_content_type)
 ')
+
+########################################
+## <summary>
+##	Create, read, write, and delete user
+##	temporary character files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_manage_user_tmp_chr_files',`
+	gen_require(`
+		type user_tmp_t;
+	')
+
+	manage_chr_files_pattern($1, user_tmp_t, user_tmp_t)
+	files_search_tmp($1)
+')
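Review bot: the summary says "temporary character files"; these are character device nodes, so "character device files in user temporary directories" would read correctly in the generated interface documentation. Pairing manage_chr_files_pattern with files_search_tmp($1) matches the other userdom tmp interfaces, which is right.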


* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
From: Sven Vermeulen @ 2014-11-28 10:17 UTC
  To: gentoo-commits

commit:     9f1063357d52895b54c477bdc498d2a2b21895da
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Nov 28 10:13:54 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Nov 28 10:13:54 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=9f106335

Fix bug 529204 - Support a dhcpc_script_t domain

We introduce an executable domain (dhcpc_script_t) through which the
hooks can be executed for the DHCP clients. This domain is separate in
order to keep the privileges of the application small, but also because
this domain will execute commands that are not the responsibility of
the DHCP client code itself (code-wise) but are provided by
administrators.

Security-wise, as these are scripts, it is more difficult to guarantee
correctness. As such, we want to isolate these privileges in a domain of
their own.

The domain will have basic privileges to support the majority of
installations, but we also include a sysnet_dhcpc_script_entry()
interface so that domain transitions can be easily added without the
need for augmenting the privileges of the dhcpc_script_t domain.

---
 policy/modules/system/sysnetwork.fc |  3 +++
 policy/modules/system/sysnetwork.te | 32 ++++++++++++++++++++++++++++++++
 2 files changed, 35 insertions(+)

diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
index fbb935c..b1c6404 100644
--- a/policy/modules/system/sysnetwork.fc
+++ b/policy/modules/system/sysnetwork.fc
@@ -80,3 +80,6 @@ ifdef(`distro_debian',`
 /var/run/network(/.*)?	gen_context(system_u:object_r:net_conf_t,s0)
 ')
 
+ifdef(`distro_gentoo',`
+/lib/dhcpcd/dhcpcd-run-hooks	--	gen_context(system_u:object_r:dhcpc_script_exec_t,s0)
+')

diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 3576536..fad8fce 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -422,4 +422,36 @@ ifdef(`distro_gentoo',`
 	optional_policy(`
 		resolvconf_client_domain(dhcpc_t)
 	')
+
+	#########################################
+	#
+	# dhcpc_script_t
+	#
+
+	# The purpose of the dhcpc_script_t domain is to handle the post-processing of 
+	# the dhcpcd ip renewal. dhcpcd (the tool) supports hooks for this, and I would
+	# assume others do as well. With the dhcpc_script_t domain we can isolate the
+	# privileges of the DHCP client itself from the hooks / flexibility that the developers
+	# introduced.
+
+	type dhcpc_script_t;
+	domain_type(dhcpc_script_t)
+	role dhcpc_roles types dhcpc_script_t;
+
+	type dhcpc_script_exec_t;
+	domain_entry_file(dhcpc_script_t, dhcpc_script_exec_t)
+
+	type dhcpc_script_tmp_t;
+	files_tmp_file(dhcpc_script_tmp_t)
+
+	########################################
+	#
+	# dhcpc script policy
+	#
+
+	manage_files_pattern(dhcpc_script_t, dhcpc_script_tmp_t, dhcpc_script_tmp_t)
+	files_tmp_filetrans(dhcpc_script_t, dhcpc_script_tmp_t, { file dir })
+
+	corecmd_exec_bin(dhcpc_script_t)
+	corecmd_exec_shell(dhcpc_script_t)
 ')
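Review bot: the hunk declares dhcpc_script_t, its entry file type and a tmp type, but no domtrans from dhcpc_t to dhcpc_script_t appears anywhere in the diff, and the diffstat lists only sysnetwork.fc and sysnetwork.te, so the sysnet_dhcpc_script_entry() interface promised in the commit message is not part of this commit. Without the transition, labelling /lib/dhcpcd/dhcpcd-run-hooks as dhcpc_script_exec_t has no effect: dhcpcd either runs the hooks in dhcpc_t or is denied executing them, and the new domain stays unused. Add domtrans_pattern(dhcpc_t, dhcpc_script_exec_t, dhcpc_script_t) here and the interface in sysnetwork.if in the same change, so the isolation the message describes actually takes effect.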


* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
From: Sven Vermeulen @ 2014-11-28 11:16 UTC
  To: gentoo-commits

commit:     dcb74d6325828450be6f367f787b0494ed32c7d9
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Nov 28 11:13:48 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Nov 28 11:13:48 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=dcb74d63

Add file context definitions for dhcpcd sockets

---
 policy/modules/system/sysnetwork.fc | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
index fbb935c..a809d61 100644
--- a/policy/modules/system/sysnetwork.fc
+++ b/policy/modules/system/sysnetwork.fc
@@ -80,3 +80,7 @@ ifdef(`distro_debian',`
 /var/run/network(/.*)?	gen_context(system_u:object_r:net_conf_t,s0)
 ')
 
+ifdef(`distro_gentoo',`
+/var/run/dhcpcd\.sock	-s	gen_context(system_u:object_r:dhcpc_var_run_t,s0)
+/var/run/dhcpcd\.unpriv\.sock	-s	gen_context(system_u:object_r:dhcpc_var_run_t,s0)
+')
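Review bot: this hunk and the dhcpc_script_t commit both start from sysnetwork.fc at index fbb935c and both append a new ifdef(`distro_gentoo',` block at the end of the file, so whichever lands second will conflict on the same lines. Fold the socket entries and the dhcpcd-run-hooks entry into one Gentoo block instead of two adjacent identical conditionals.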


* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
From: Jason Zaman @ 2015-01-20 15:08 UTC
  To: gentoo-commits

commit:     3abae898c6fd25e2aa8e2b877c464942b980dfa8
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Jan 20 14:21:00 2015 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Tue Jan 20 14:32:31 2015 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=3abae898

udev: allow netlink_socket perms

udev needs these perms for CRDA communication (Central Regulatory Domain
Agent for wifi)

type=AVC msg=audit(1421753429.771:3718): avc:  denied  { create } for
pid=28698 comm="crda" scontext=system_u:system_r:udev_t
tcontext=system_u:system_r:udev_t tclass=netlink_socket permissive=1
type=AVC msg=audit(1421753429.771:3719): avc:  denied  { setopt } for
pid=28698 comm="crda" scontext=system_u:system_r:udev_t
tcontext=system_u:system_r:udev_t tclass=netlink_socket permissive=1
type=AVC msg=audit(1421753429.771:3720): avc:  denied  { bind } for
pid=28698 comm="crda" scontext=system_u:system_r:udev_t
tcontext=system_u:system_r:udev_t tclass=netlink_socket permissive=1
type=AVC msg=audit(1421753429.771:3721): avc:  denied  { getattr } for
pid=28698 comm="crda" scontext=system_u:system_r:udev_t
tcontext=system_u:system_r:udev_t tclass=netlink_socket permissive=1
type=AVC msg=audit(1421753429.771:3722): avc:  denied  { write } for
pid=28698 comm="crda" scontext=system_u:system_r:udev_t
tcontext=system_u:system_r:udev_t tclass=netlink_socket permissive=1
type=AVC msg=audit(1421753429.771:3723): avc:  denied  { read } for
pid=28698 comm="crda" scontext=system_u:system_r:udev_t
tcontext=system_u:system_r:udev_t tclass=netlink_socket permissive=1

---
 policy/modules/system/udev.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 78e4328..810d135 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -334,6 +334,8 @@ ifdef(`distro_gentoo',`
 
 	# needed for predictable network interfaces naming
 	allow udev_t self:netlink_route_socket rw_netlink_socket_perms;
+	# needed for crda
+	allow udev_t self:netlink_socket create_socket_perms;
 
 	manage_dirs_pattern(udev_t, udev_tbl_t, udev_tbl_t)
 	manage_files_pattern(udev_t, udev_tbl_t, udev_tbl_t)
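Review bot: comm="crda" with scontext udev_t in the quoted denials shows that the CRDA helper runs inside the udev domain (a udev rule execs it without a transition), so this rule adds a netlink permission to udev itself rather than to crda. create_socket_perms covers all six denied permissions (create, setopt, bind, getattr, write, read), but a dedicated crda domain entered from udev_t would keep the generic netlink_socket class off udev_t entirely; if that is out of scope, the comment should at least say the permission exists for a helper executed by udev, not for udev's own device handling.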

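The AVC records quoted in this commit message are the raw material for the allow rule in the hunk. The following is an added example, not code from the hardened-refpolicy project or its authors: it parses auditd AVC records in the line-wrapped form shown above, groups the denied permissions by source type, target type and object class, and reports which refpolicy permission macros cover the group, smallest first. The macro definitions in PERM_SETS are reproduced from memory of refpolicy's policy/support/obj_perm_sets.spt and are an assumption to check against the policy tree you build from; the sample records are the six crda denials from the message, embedded as constructed input.

```python
"""Parse SELinux AVC denials and match the denied permissions against
refpolicy permission macros (added example, not hardened-refpolicy code)."""
import re
from collections import defaultdict

# Constructed sample input: the six crda denials quoted in the commit
# message, kept in the line-wrapped form in which they appear there.
SAMPLE_AVCS = """\
type=AVC msg=audit(1421753429.771:3718): avc:  denied  { create } for
pid=28698 comm="crda" scontext=system_u:system_r:udev_t
tcontext=system_u:system_r:udev_t tclass=netlink_socket permissive=1
type=AVC msg=audit(1421753429.771:3719): avc:  denied  { setopt } for
pid=28698 comm="crda" scontext=system_u:system_r:udev_t
tcontext=system_u:system_r:udev_t tclass=netlink_socket permissive=1
type=AVC msg=audit(1421753429.771:3720): avc:  denied  { bind } for
pid=28698 comm="crda" scontext=system_u:system_r:udev_t
tcontext=system_u:system_r:udev_t tclass=netlink_socket permissive=1
type=AVC msg=audit(1421753429.771:3721): avc:  denied  { getattr } for
pid=28698 comm="crda" scontext=system_u:system_r:udev_t
tcontext=system_u:system_r:udev_t tclass=netlink_socket permissive=1
type=AVC msg=audit(1421753429.771:3722): avc:  denied  { write } for
pid=28698 comm="crda" scontext=system_u:system_r:udev_t
tcontext=system_u:system_r:udev_t tclass=netlink_socket permissive=1
type=AVC msg=audit(1421753429.771:3723): avc:  denied  { read } for
pid=28698 comm="crda" scontext=system_u:system_r:udev_t
tcontext=system_u:system_r:udev_t tclass=netlink_socket permissive=1
"""

# ASSUMPTION: socket permission macros as recalled from refpolicy's
# policy/support/obj_perm_sets.spt; verify against the tree you build.
_CREATE_SOCKET = {"create", "ioctl", "read", "getattr", "write", "setattr",
                  "append", "bind", "connect", "getopt", "setopt", "shutdown"}
PERM_SETS = {
    "rw_socket_perms": _CREATE_SOCKET - {"create"},
    "client_stream_socket_perms": _CREATE_SOCKET - {"connect"},
    "create_socket_perms": _CREATE_SOCKET,
    "create_stream_socket_perms": _CREATE_SOCKET | {"listen", "accept"},
    "r_netlink_socket_perms": _CREATE_SOCKET | {"nlmsg_read"},
    "rw_netlink_socket_perms": _CREATE_SOCKET | {"nlmsg_read", "nlmsg_write"},
}

# A record may be wrapped over several lines, so let '.' cross newlines.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)",
    re.S,
)


def _type_of(context):
    """user:role:type[:range] -> type."""
    return context.split(":")[2]


def group_denials(text):
    """Return {(source_type, target_type, tclass): set of denied permissions}.

    Records are split where a line starts with 'type=AVC', so wrapped
    records pasted from a mail or bug report parse the same as raw lines.
    """
    grouped = defaultdict(set)
    for record in re.split(r"(?m)^(?=type=AVC)", text):
        m = AVC_RE.search(record)
        if m is None:
            continue
        key = (_type_of(m["scontext"]), _type_of(m["tcontext"]), m["tclass"])
        grouped[key].update(m["perms"].split())
    return dict(grouped)


def covering_macros(perms):
    """Names of macros whose permission set is a superset of perms, smallest first."""
    hits = [name for name, members in PERM_SETS.items() if perms <= members]
    return sorted(hits, key=lambda name: (len(PERM_SETS[name]), name))


def suggest_rules(text):
    """Draft one allow rule per (source, target, class) group.

    The smallest covering macro is used when one exists; otherwise the raw
    permission set is emitted so nothing is granted beyond what was denied.
    """
    rules = []
    for (src, tgt, cls), perms in sorted(group_denials(text).items()):
        target = "self" if src == tgt else tgt
        macros = covering_macros(perms)
        perm_expr = macros[0] if macros else "{ %s }" % " ".join(sorted(perms))
        rules.append("allow %s %s:%s %s;" % (src, target, cls, perm_expr))
    return rules


if __name__ == "__main__":
    for key, perms in group_denials(SAMPLE_AVCS).items():
        print(key, sorted(perms), "->", covering_macros(perms))
    for rule in suggest_rules(SAMPLE_AVCS):
        print(rule)
```

On the sample the smallest covering macro is client_stream_socket_perms, the macro the dhcpcd commit earlier in this thread used on its netlink classes, rather than the create_socket_perms chosen in the hunk, which additionally grants connect. Which macro to pick is still a judgement about what the program does next; the point of the tool is to make visible exactly what the denials themselves justify, and to flag a permission such as nlmsg_write that no small macro covers.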

* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
From: Jason Zaman @ 2015-01-20 15:08 UTC
  To: gentoo-commits

commit:     7afc5feae4c17be7e24c75561cf5605509481284
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Jan 20 14:31:35 2015 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Tue Jan 20 14:32:32 2015 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=7afc5fea

init: needs access to networkmanager rawip sockets

---
 policy/modules/system/init.te | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 5d83a49..c265e53 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -977,6 +977,11 @@ ifdef(`distro_gentoo',`
 	')
 
 	optional_policy(`
+		networkmanager_rw_rawip_sockets(initrc_t)
+		networkmanager_stream_connect(initrc_t)
+	')
+
+	optional_policy(`
 		fail2ban_stream_connect(initrc_t)
 	')
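Review bot: the new optional_policy block is inserted before the fail2ban one, but refpolicy keeps optional_policy blocks in alphabetical order by module, so the networkmanager block belongs after fail2ban. The title mentions only rawip sockets while the hunk also adds networkmanager_stream_connect(initrc_t); the commit message should say why init scripts need to connect to NetworkManager's socket as well as use its raw IP sockets, since the two are separate privileges.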
 


* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
From: Sven Vermeulen @ 2015-01-25 13:46 UTC
  To: gentoo-commits

commit:     9b58424a4d94e678b364bcc24869aa142abdaa62
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Jan 20 14:21:00 2015 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Jan 25 13:45:20 2015 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=9b58424a

udev: allow netlink_socket perms

udev needs these perms for CRDA communication (Central Regulatory Domain
Agent for wifi)

type=AVC msg=audit(1421753429.771:3718): avc:  denied  { create } for
pid=28698 comm="crda" scontext=system_u:system_r:udev_t
tcontext=system_u:system_r:udev_t tclass=netlink_socket permissive=1
type=AVC msg=audit(1421753429.771:3719): avc:  denied  { setopt } for
pid=28698 comm="crda" scontext=system_u:system_r:udev_t
tcontext=system_u:system_r:udev_t tclass=netlink_socket permissive=1
type=AVC msg=audit(1421753429.771:3720): avc:  denied  { bind } for
pid=28698 comm="crda" scontext=system_u:system_r:udev_t
tcontext=system_u:system_r:udev_t tclass=netlink_socket permissive=1
type=AVC msg=audit(1421753429.771:3721): avc:  denied  { getattr } for
pid=28698 comm="crda" scontext=system_u:system_r:udev_t
tcontext=system_u:system_r:udev_t tclass=netlink_socket permissive=1
type=AVC msg=audit(1421753429.771:3722): avc:  denied  { write } for
pid=28698 comm="crda" scontext=system_u:system_r:udev_t
tcontext=system_u:system_r:udev_t tclass=netlink_socket permissive=1
type=AVC msg=audit(1421753429.771:3723): avc:  denied  { read } for
pid=28698 comm="crda" scontext=system_u:system_r:udev_t
tcontext=system_u:system_r:udev_t tclass=netlink_socket permissive=1

---
 policy/modules/system/udev.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 78e4328..810d135 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -334,6 +334,8 @@ ifdef(`distro_gentoo',`
 
 	# needed for predictable network interfaces naming
 	allow udev_t self:netlink_route_socket rw_netlink_socket_perms;
+	# needed for crda
+	allow udev_t self:netlink_socket create_socket_perms;
 
 	manage_dirs_pattern(udev_t, udev_tbl_t, udev_tbl_t)
 	manage_files_pattern(udev_t, udev_tbl_t, udev_tbl_t)


* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
From: Sven Vermeulen @ 2015-01-25 13:46 UTC
  To: gentoo-commits

commit:     1cad3696a2d8379f4c39588580ab51a2cdb2f601
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Jan 20 14:31:35 2015 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Jan 25 13:45:20 2015 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=1cad3696

init: needs access to networkmanager rawip sockets

---
 policy/modules/system/init.te | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 5d83a49..c265e53 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -977,6 +977,11 @@ ifdef(`distro_gentoo',`
 	')
 
 	optional_policy(`
+		networkmanager_rw_rawip_sockets(initrc_t)
+		networkmanager_stream_connect(initrc_t)
+	')
+
+	optional_policy(`
 		fail2ban_stream_connect(initrc_t)
 	')
 
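
Review bot: the commit message says only that init needs access to NetworkManager rawip sockets, but the hunk grants two things, `networkmanager_rw_rawip_sockets(initrc_t)` and `networkmanager_stream_connect(initrc_t)`, and records neither the denial nor the trigger (which init script, which NetworkManager socket). Quote the AVC lines as the udev/crda commit in this series does, so a later reader can judge whether read/write on a raw IP socket is a descriptor leaked from NetworkManager into a script that should be closed at the source rather than allowed here.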


^ permalink raw reply related	[flat|nested] 98+ messages in thread

* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
@ 2015-01-29  6:51 Jason Zaman
  0 siblings, 0 replies; 98+ messages in thread
From: Jason Zaman @ 2015-01-29  6:51 UTC (permalink / raw
  To: gentoo-commits

commit:     75224d9c038ddc5e136838767f0cfcbce01ad8d8
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Jan 20 14:21:00 2015 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Mon Jan 26 06:01:05 2015 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=75224d9c

udev: allow netlink_socket perms

udev needs these perms for CRDA communication (Central Regulatory Domain
Agent for wifi)

type=AVC msg=audit(1421753429.771:3718): avc:  denied  { create } for
pid=28698 comm="crda" scontext=system_u:system_r:udev_t
tcontext=system_u:system_r:udev_t tclass=netlink_socket permissive=1
type=AVC msg=audit(1421753429.771:3719): avc:  denied  { setopt } for
pid=28698 comm="crda" scontext=system_u:system_r:udev_t
tcontext=system_u:system_r:udev_t tclass=netlink_socket permissive=1
type=AVC msg=audit(1421753429.771:3720): avc:  denied  { bind } for
pid=28698 comm="crda" scontext=system_u:system_r:udev_t
tcontext=system_u:system_r:udev_t tclass=netlink_socket permissive=1
type=AVC msg=audit(1421753429.771:3721): avc:  denied  { getattr } for
pid=28698 comm="crda" scontext=system_u:system_r:udev_t
tcontext=system_u:system_r:udev_t tclass=netlink_socket permissive=1
type=AVC msg=audit(1421753429.771:3722): avc:  denied  { write } for
pid=28698 comm="crda" scontext=system_u:system_r:udev_t
tcontext=system_u:system_r:udev_t tclass=netlink_socket permissive=1
type=AVC msg=audit(1421753429.771:3723): avc:  denied  { read } for
pid=28698 comm="crda" scontext=system_u:system_r:udev_t
tcontext=system_u:system_r:udev_t tclass=netlink_socket permissive=1

---
 policy/modules/system/udev.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 78e4328..810d135 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -334,6 +334,8 @@ ifdef(`distro_gentoo',`
 
 	# needed for predictable network interfaces naming
 	allow udev_t self:netlink_route_socket rw_netlink_socket_perms;
+	# needed for crda
+	allow udev_t self:netlink_socket create_socket_perms;
 
 	manage_dirs_pattern(udev_t, udev_tbl_t, udev_tbl_t)
 	manage_files_pattern(udev_t, udev_tbl_t, udev_tbl_t)


^ permalink raw reply related	[flat|nested] 98+ messages in thread

* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
@ 2015-01-29  6:51 Jason Zaman
  0 siblings, 0 replies; 98+ messages in thread
From: Jason Zaman @ 2015-01-29  6:51 UTC (permalink / raw
  To: gentoo-commits

commit:     9aa77e954db9e5408670b89080db02425c9c06df
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Jan 20 14:31:35 2015 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Mon Jan 26 06:42:28 2015 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=9aa77e95

init: needs access to networkmanager rawip sockets

---
 policy/modules/system/init.te | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 5d83a49..c265e53 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -977,6 +977,11 @@ ifdef(`distro_gentoo',`
 	')
 
 	optional_policy(`
+		networkmanager_rw_rawip_sockets(initrc_t)
+		networkmanager_stream_connect(initrc_t)
+	')
+
+	optional_policy(`
 		fail2ban_stream_connect(initrc_t)
 	')
 


^ permalink raw reply related	[flat|nested] 98+ messages in thread

* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
@ 2015-01-29  6:51 Jason Zaman
  0 siblings, 0 replies; 98+ messages in thread
From: Jason Zaman @ 2015-01-29  6:51 UTC (permalink / raw
  To: gentoo-commits

commit:     e19b8a6df341e3dc10334f39c5ffed42035da210
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Jan 25 13:49:11 2015 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Sun Jan 25 13:49:11 2015 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=e19b8a6d

Allow dhcpc_script_t to create /run/dhcpcd directory, otherwise resolv.conf generation fails

---
 policy/modules/system/sysnetwork.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index b65117e..e5c63d6 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -455,6 +455,7 @@ ifdef(`distro_gentoo',`
 	files_tmp_filetrans(dhcpc_script_t, dhcpc_script_tmp_t, { file dir })
 
 	manage_files_pattern(dhcpc_script_t, dhcpc_var_run_t, dhcpc_var_run_t)
+	create_dirs_pattern(dhcpc_script_t, dhcpc_var_run_t, dhcpc_var_run_t)
 	files_pid_filetrans(dhcpc_script_t, dhcpc_var_run_t, { file dir })
 
 	kernel_read_network_state(dhcpc_script_t)
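
Review bot: the `files_pid_filetrans(dhcpc_script_t, dhcpc_var_run_t, { file dir })` line below the addition already names dir, so the missing piece was the create permission itself; `create_dirs_pattern` supplies only create_dir_perms on dhcpc_var_run_t plus search on the parent. If the script also removes or relists /run/dhcpcd on lease changes, `manage_dirs_pattern` is the usual pairing with the `manage_files_pattern` line above it. The commit message names /run/dhcpcd but shows no denial; quoting it would document which operation failed, and confirm that /run/dhcpcd is labelled dhcpc_var_run_t in sysnetwork.fc, which this hunk does not show.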


^ permalink raw reply related	[flat|nested] 98+ messages in thread

* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
  2015-01-29  9:12 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2015-01-29  8:38 ` Jason Zaman
  0 siblings, 0 replies; 98+ messages in thread
From: Jason Zaman @ 2015-01-29  8:38 UTC (permalink / raw
  To: gentoo-commits

commit:     a0f63a5ebdaa7a52d2ea96dc1f3299f741313f93
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Jan 20 14:31:35 2015 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Thu Jan 29 08:32:53 2015 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=a0f63a5e

init: needs access to networkmanager rawip sockets

---
 policy/modules/system/init.te | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 5d83a49..c265e53 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -977,6 +977,11 @@ ifdef(`distro_gentoo',`
 	')
 
 	optional_policy(`
+		networkmanager_rw_rawip_sockets(initrc_t)
+		networkmanager_stream_connect(initrc_t)
+	')
+
+	optional_policy(`
 		fail2ban_stream_connect(initrc_t)
 	')
 
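
Review bot: this is the third push of the same init.te change in this thread with an identical one-line message; none of the three explains why initrc_t, rather than the NetworkManager dispatcher or a dedicated domain, needs read/write on NetworkManager's raw IP sockets. If the access comes from an inherited file descriptor, the tighter fix is usually a dontaudit plus closing the descriptor in the parent; if it is a genuine use, say which script performs it.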


^ permalink raw reply related	[flat|nested] 98+ messages in thread

* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
@ 2015-01-29  8:38 Jason Zaman
  0 siblings, 0 replies; 98+ messages in thread
From: Jason Zaman @ 2015-01-29  8:38 UTC (permalink / raw
  To: gentoo-commits

commit:     996d64d63da9b3510b66053b8a82fd0bce7ac3fc
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Jan 20 14:21:00 2015 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Thu Jan 29 08:03:50 2015 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=996d64d6

udev: allow netlink_socket perms

udev needs these perms for CRDA communication (Central Regulatory Domain
Agent for wifi)

type=AVC msg=audit(1421753429.771:3718): avc:  denied  { create } for
pid=28698 comm="crda" scontext=system_u:system_r:udev_t
tcontext=system_u:system_r:udev_t tclass=netlink_socket permissive=1
type=AVC msg=audit(1421753429.771:3719): avc:  denied  { setopt } for
pid=28698 comm="crda" scontext=system_u:system_r:udev_t
tcontext=system_u:system_r:udev_t tclass=netlink_socket permissive=1
type=AVC msg=audit(1421753429.771:3720): avc:  denied  { bind } for
pid=28698 comm="crda" scontext=system_u:system_r:udev_t
tcontext=system_u:system_r:udev_t tclass=netlink_socket permissive=1
type=AVC msg=audit(1421753429.771:3721): avc:  denied  { getattr } for
pid=28698 comm="crda" scontext=system_u:system_r:udev_t
tcontext=system_u:system_r:udev_t tclass=netlink_socket permissive=1
type=AVC msg=audit(1421753429.771:3722): avc:  denied  { write } for
pid=28698 comm="crda" scontext=system_u:system_r:udev_t
tcontext=system_u:system_r:udev_t tclass=netlink_socket permissive=1
type=AVC msg=audit(1421753429.771:3723): avc:  denied  { read } for
pid=28698 comm="crda" scontext=system_u:system_r:udev_t
tcontext=system_u:system_r:udev_t tclass=netlink_socket permissive=1

---
 policy/modules/system/udev.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 78e4328..d4d77f2 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -334,6 +334,8 @@ ifdef(`distro_gentoo',`
 
 	# needed for predictable network interfaces naming
 	allow udev_t self:netlink_route_socket rw_netlink_socket_perms;
+	# needed for crda, bug #538110
+	allow udev_t self:netlink_socket create_socket_perms;
 
 	manage_dirs_pattern(udev_t, udev_tbl_t, udev_tbl_t)
 	manage_files_pattern(udev_t, udev_tbl_t, udev_tbl_t)
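
Review bot: the denials show comm="crda" with scontext udev_t, i.e. crda executes inside udev_t with no domain transition, and the rule is placed on the generic netlink_socket class, which covers netlink families that have no dedicated SELinux socket class. If keeping crda in udev_t is deliberate, say so next to `# needed for crda, bug #538110`; otherwise a dedicated crda domain would keep the catch-all netlink class out of udev_t.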


^ permalink raw reply related	[flat|nested] 98+ messages in thread

* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
@ 2015-02-09  9:55 Jason Zaman
  0 siblings, 0 replies; 98+ messages in thread
From: Jason Zaman @ 2015-02-09  9:55 UTC (permalink / raw
  To: gentoo-commits

commit:     1d291587f6308317bfd3a37227a00d68092e9c40
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Feb  9 08:40:08 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb  9 09:52:54 2015 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=1d291587

Revert "Reshuffle and update with upstream"

This reverts commit fe62598f2fb87fe0dfca34f82311ffd29df37795.

The domtrans pattern part broke openrc without run_init:
that part relies on being in the run_init domain and then
does the transition. This was transitioning directly into
initrc_t, but that does not work with being in sysadm_r.

---
 policy/modules/system/init.if | 82 +++++++++++++++++++------------------------
 1 file changed, 36 insertions(+), 46 deletions(-)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 4d923d6..7cdf3a8 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -150,6 +150,39 @@ interface(`init_ranged_domain',`
 
 ########################################
 ## <summary>
+##	Mark the file type as a daemon pid file, allowing initrc_t
+##	to create it
+## </summary>
+## <param name="filetype">
+##	<summary>
+##	Type to mark as a daemon pid file
+##	</summary>
+## </param>
+## <param name="class">
+##	<summary>
+##	Class on which the type is applied
+##	</summary>
+## </param>
+## <param name="filename">
+##	<summary>
+##	Filename of the file that the init script creates
+##	</summary>
+## </param>
+#
+interface(`init_daemon_pid_file',`
+	gen_require(`
+		attribute daemonpidfile;
+		type initrc_t;
+	')
+
+	typeattribute $1 daemonpidfile;
+
+	files_pid_file($1)
+	files_pid_filetrans(initrc_t, $1, $2, $3)
+')
+
+########################################
+## <summary>
 ##	Create a domain for long running processes
 ##	(daemons/services) which are started by init scripts.
 ## </summary>
@@ -388,50 +421,16 @@ interface(`init_ranged_system_domain',`
 
 ########################################
 ## <summary>
-##	Mark the file type as a daemon pid file, allowing initrc_t
-##	to create it
+##	Mark the type as a daemon run dir
 ## </summary>
-## <param name="filetype">
-##	<summary>
-##	Type to mark as a daemon pid file
-##	</summary>
-## </param>
-## <param name="class">
-##	<summary>
-##	Class on which the type is applied
-##	</summary>
-## </param>
-## <param name="filename">
-##	<summary>
-##	Filename of the file that the init script creates
-##	</summary>
-## </param>
-#
-interface(`init_daemon_pid_file',`
-	gen_require(`
-		attribute daemonpidfile;
-		type initrc_t;
-	')
-
-	typeattribute $1 daemonpidfile;
-
-	files_pid_file($1)
-	files_pid_filetrans(initrc_t, $1, $2, $3)
-')
-
-########################################
-## <summary>
-##	Mark the file type as a daemon run dir, allowing initrc_t
-##	to create it
-## </summary>
-## <param name="filetype">
+## <param name="rundirtype">
 ##	<summary>
 ##	Type to mark as a daemon run dir
 ##	</summary>
 ## </param>
 ## <param name="filename">
 ##	<summary>
-##	Filename of the directory that the init script creates
+##	Name of the run dir directory
 ##	</summary>
 ## </param>
 #
@@ -844,14 +843,6 @@ interface(`init_spec_domtrans_script',`
 	files_list_etc($1)
 	spec_domtrans_pattern($1, initrc_exec_t, initrc_t)
 
-	ifdef(`distro_gentoo',`
-		gen_require(`
-			type rc_exec_t;
-		')
-
-		domtrans_pattern($1, rc_exec_t, initrc_t)
-	')
-
 	ifdef(`enable_mcs',`
 		range_transition $1 initrc_exec_t:process s0;
 	')
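
Review bot: this hunk removes `domtrans_pattern($1, rc_exec_t, initrc_t)` from init_spec_domtrans_script, which is the part the commit message identifies as breaking openrc without run_init (sysadm_r goes through run_init_t first and transitions from there). The two hunks above it, the init_daemon_pid_file relocation and the doc wording, are unrelated to that breakage and are re-added wholesale in the next commit; a targeted revert of just this hunk would have avoided the churn and made the history readable.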
@@ -891,7 +882,6 @@ interface(`init_domtrans_script',`
 		gen_require(`
 			type rc_exec_t;
 		')
-
 		domtrans_pattern($1, rc_exec_t, initrc_t)
 	')
 ')


^ permalink raw reply related	[flat|nested] 98+ messages in thread

* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
  2015-02-09  9:58 [gentoo-commits] proj/hardened-refpolicy:adminroles " Jason Zaman
@ 2015-02-09  9:55 ` Jason Zaman
  0 siblings, 0 replies; 98+ messages in thread
From: Jason Zaman @ 2015-02-09  9:55 UTC (permalink / raw
  To: gentoo-commits

commit:     0897e2ba7152ef4752b2fb292fe9bde72b88b465
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Feb  9 09:20:21 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb  9 09:54:18 2015 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=0897e2ba

add back the working parts of commit fe62598f2fb87

---
 policy/modules/system/init.if | 74 ++++++++++++++++++++++---------------------
 1 file changed, 38 insertions(+), 36 deletions(-)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 7cdf3a8..1f897d2 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -150,39 +150,6 @@ interface(`init_ranged_domain',`
 
 ########################################
 ## <summary>
-##	Mark the file type as a daemon pid file, allowing initrc_t
-##	to create it
-## </summary>
-## <param name="filetype">
-##	<summary>
-##	Type to mark as a daemon pid file
-##	</summary>
-## </param>
-## <param name="class">
-##	<summary>
-##	Class on which the type is applied
-##	</summary>
-## </param>
-## <param name="filename">
-##	<summary>
-##	Filename of the file that the init script creates
-##	</summary>
-## </param>
-#
-interface(`init_daemon_pid_file',`
-	gen_require(`
-		attribute daemonpidfile;
-		type initrc_t;
-	')
-
-	typeattribute $1 daemonpidfile;
-
-	files_pid_file($1)
-	files_pid_filetrans(initrc_t, $1, $2, $3)
-')
-
-########################################
-## <summary>
 ##	Create a domain for long running processes
 ##	(daemons/services) which are started by init scripts.
 ## </summary>
@@ -421,16 +388,50 @@ interface(`init_ranged_system_domain',`
 
 ########################################
 ## <summary>
-##	Mark the type as a daemon run dir
+##	Mark the file type as a daemon pid file, allowing initrc_t
+##	to create it
 ## </summary>
-## <param name="rundirtype">
+## <param name="filetype">
+##	<summary>
+##	Type to mark as a daemon pid file
+##	</summary>
+## </param>
+## <param name="class">
+##	<summary>
+##	Class on which the type is applied
+##	</summary>
+## </param>
+## <param name="filename">
+##	<summary>
+##	Filename of the file that the init script creates
+##	</summary>
+## </param>
+#
+interface(`init_daemon_pid_file',`
+	gen_require(`
+		attribute daemonpidfile;
+		type initrc_t;
+	')
+
+	typeattribute $1 daemonpidfile;
+
+	files_pid_file($1)
+	files_pid_filetrans(initrc_t, $1, $2, $3)
+')
+
+########################################
+## <summary>
+##	Mark the file type as a daemon run dir, allowing initrc_t
+##	to create it
+## </summary>
+## <param name="filetype">
 ##	<summary>
 ##	Type to mark as a daemon run dir
 ##	</summary>
 ## </param>
 ## <param name="filename">
 ##	<summary>
-##	Name of the run dir directory
+##	Filename of the directory that the init script creates
 ##	</summary>
 ## </param>
 #
@@ -882,6 +883,7 @@ interface(`init_domtrans_script',`
 		gen_require(`
 			type rc_exec_t;
 		')
+
 		domtrans_pattern($1, rc_exec_t, initrc_t)
 	')
 ')
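
Review bot: this last hunk only restores the blank line after the gen_require block that the revert dropped; harmless, but the commit message should say it is whitespace. Net effect of the revert plus this commit relative to fe62598f2fb87 is the removal of the rc_exec_t domtrans from init_spec_domtrans_script only; stating that explicitly in the message ("add back the working parts") would save readers diffing the two commits.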


^ permalink raw reply related	[flat|nested] 98+ messages in thread

* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
@ 2015-03-04 17:03 Sven Vermeulen
  0 siblings, 0 replies; 98+ messages in thread
From: Sven Vermeulen @ 2015-03-04 17:03 UTC (permalink / raw
  To: gentoo-commits

commit:     9c0dcd8c971259c2af31fb6fdc133388aa478a29
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Mar  3 15:18:48 2015 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Mar  3 15:18:48 2015 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=9c0dcd8c

Fix bug #541990 - Grant setfscreate to semanage_migrate_store [semanage_t]

 policy/modules/system/selinuxutil.te | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index b0d14cb..9b70f53 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -667,4 +667,12 @@ ifdef(`distro_gentoo',`
 
 	# Moved out of files_relabel_non_auth_files as it cannot be used in tunable_policy otherwise
 	seutil_relabelto_bin_policy(restorecond_t)
+
+	##########################################
+	#
+	# semanage local policy
+	#
+
+	# Fix bug #541990 - Grant setfscreate privilege to allow semanage_migrate_store to work properly
+	allow semanage_t self:process { setfscreate };
 ')
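
Review bot: refpolicy style writes a single permission without braces, so `allow semanage_t self:process setfscreate;`. More importantly, setfscreate for semanage_migrate_store is not Gentoo-specific, yet the rule is added under ifdef(`distro_gentoo'); it should go upstream into the main semanage_t block rather than stay behind the distro conditional, otherwise every other refpolicy user hits bug #541990.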


^ permalink raw reply related	[flat|nested] 98+ messages in thread

* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
@ 2015-03-24 13:25 Jason Zaman
  0 siblings, 0 replies; 98+ messages in thread
From: Jason Zaman @ 2015-03-24 13:25 UTC (permalink / raw
  To: gentoo-commits

commit:     da18ddd7ef66f60538a69f41d1c4ff3a7970c071
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Mar 24 07:27:56 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Mar 24 07:27:56 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=da18ddd7

init: add /lib64/rc/cache as an init state dir

 policy/modules/system/init.fc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
index b4391ce..02ec851 100644
--- a/policy/modules/system/init.fc
+++ b/policy/modules/system/init.fc
@@ -87,6 +87,7 @@ ifdef(`distro_gentoo',`
 # /lib
 #
 /lib/rc/console(/.*)?		gen_context(system_u:object_r:initrc_state_t,s0)
+/lib/rc/cache(/.*)?		gen_context(system_u:object_r:initrc_state_t,s0)
 
 #
 # /sbin
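
Review bot: the commit title says /lib64/rc/cache but the entry added is `/lib/rc/cache(/.*)?`, matching the existing /lib/rc/console line. That only labels the lib64 path if /lib64 is mapped to /lib by a path substitution or a symlink on the target; the message should say which, since the same title/entry mismatch is pushed twice more below.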


^ permalink raw reply related	[flat|nested] 98+ messages in thread

* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
@ 2015-03-25 16:01 Jason Zaman
  0 siblings, 0 replies; 98+ messages in thread
From: Jason Zaman @ 2015-03-25 16:01 UTC (permalink / raw
  To: gentoo-commits

commit:     093647516e741e4a9fe250a62dac090514850d33
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Mar 24 07:27:56 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Mar 25 15:54:45 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=09364751

init: add /lib64/rc/cache as an init state dir

 policy/modules/system/init.fc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
index b4391ce..02ec851 100644
--- a/policy/modules/system/init.fc
+++ b/policy/modules/system/init.fc
@@ -87,6 +87,7 @@ ifdef(`distro_gentoo',`
 # /lib
 #
 /lib/rc/console(/.*)?		gen_context(system_u:object_r:initrc_state_t,s0)
+/lib/rc/cache(/.*)?		gen_context(system_u:object_r:initrc_state_t,s0)
 
 #
 # /sbin


^ permalink raw reply related	[flat|nested] 98+ messages in thread

* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
@ 2015-03-29 10:01 Jason Zaman
  0 siblings, 0 replies; 98+ messages in thread
From: Jason Zaman @ 2015-03-29 10:01 UTC (permalink / raw
  To: gentoo-commits

commit:     6f832c0037b7b18d1e3a953831016b0eace8d896
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Mar 24 07:27:56 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Mar 29 09:54:10 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6f832c00

init: add /lib64/rc/cache as an init state dir

 policy/modules/system/init.fc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
index b4391ce..02ec851 100644
--- a/policy/modules/system/init.fc
+++ b/policy/modules/system/init.fc
@@ -87,6 +87,7 @@ ifdef(`distro_gentoo',`
 # /lib
 #
 /lib/rc/console(/.*)?		gen_context(system_u:object_r:initrc_state_t,s0)
+/lib/rc/cache(/.*)?		gen_context(system_u:object_r:initrc_state_t,s0)
 
 #
 # /sbin


^ permalink raw reply related	[flat|nested] 98+ messages in thread

* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
@ 2015-07-11 19:57 Jason Zaman
  0 siblings, 0 replies; 98+ messages in thread
From: Jason Zaman @ 2015-07-11 19:57 UTC (permalink / raw
  To: gentoo-commits

commit:     76b213703ff1b7bbcbfb0876388c764918290070
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Jul 11 13:36:30 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Jul 11 13:36:30 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=76b21370

Allow run_init_t to read all named init scripts

When OpenRC wants to execute a labeled init script, it fails if this is
a symlink:

~$ sudo /etc/init.d/ceph-mon.0 start
openrc-run should not be run directly

The denial shows that a read on the symlink is denied:

type=AVC msg=audit(1436621093.701:1165): avc:  denied  { read } for
pid=30786 comm="openrc" name="ceph-mon.0" dev="vda3" ino=1966780
scontext=staff_u:staff_r:run_init_t:s0
tcontext=system_u:object_r:ceph_initrc_exec_t:s0 tclass=lnk_file
permissive=0

After granting this, the behavior is as expected:

~$ sudo /etc/init.d/ceph-mon.0 start
* Starting Ceph mon.0 ...               [ ok ]

X-Gentoo-Bug: 554514
X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=554514

 policy/modules/system/init.if        | 5 +++++
 policy/modules/system/selinuxutil.te | 2 ++
 2 files changed, 7 insertions(+)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index ed65609..211d434 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1195,6 +1195,11 @@ interface(`init_read_all_script_files',`
 
 	files_search_etc($1)
 	allow $1 init_script_file_type:file read_file_perms;
+
+	ifdef(`distro_gentoo',`
+		# Bug 554514
+		allow $1 init_script_file_type:lnk_file read_lnk_file_perms;
+	')
 ')
 
 #######################################
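
Review bot: the new lnk_file rule sits under ifdef(`distro_gentoo') with only `# Bug 554514` as explanation. An init script that is a symlink (ceph-mon.0 in the quoted denial) is not a Gentoo-only layout, so propose the rule upstream and replace the bare bug number with a comment saying why it exists. `read_lnk_file_perms` grants getattr as well as the read that was denied, which is the right set for following a symlink.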

diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 51c64be..d25a0fd 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -418,6 +418,8 @@ userdom_use_user_terminals(run_init_t)
 ifndef(`direct_sysadm_daemon',`
 	ifdef(`distro_gentoo',`
 		# Gentoo integrated run_init:
+		# Bug 554514
+		init_read_all_script_files(run_init_t)	
 		init_script_file_entry_type(run_init_t)
 
 		init_exec_rc(run_init_t)
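
Review bot: the added `init_read_all_script_files(run_init_t)` line has trailing whitespace (a tab) after the closing parenthesis; strip it. Note also that init_read_all_script_files grants read_file_perms on every init_script_file_type file, so run_init_t can now read all init scripts, not only the symlinked one in the report; that matches the commit title, but the message should say it is intended.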


^ permalink raw reply related	[flat|nested] 98+ messages in thread
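
The udev/crda commit and the run_init symlink commit above are both worked the same way: collect the AVC records, group them by source type, target type and object class, derive the narrowest allow rule, then compare it with the refpolicy permission macro the patch actually used. The script below is an added example, not code from this archive or from the hardened-refpolicy tree (audit2allow does this job for real); the sample input is the set of denials quoted in those two commit messages, copied from this page rather than from a live audit log, and PERM_SETS is a transcription of three refpolicy permission sets that should be checked against policy/support/obj_perm_sets.spt before being relied on.

```python
import re
from collections import defaultdict

# Sample input: the denials quoted in the udev/crda and run_init commit
# messages on this page, copied from the page rather than a live audit log.
SAMPLE_DENIALS = """
type=AVC msg=audit(1421753429.771:3718): avc:  denied  { create } for
pid=28698 comm="crda" scontext=system_u:system_r:udev_t
tcontext=system_u:system_r:udev_t tclass=netlink_socket permissive=1
type=AVC msg=audit(1421753429.771:3719): avc:  denied  { setopt } for
pid=28698 comm="crda" scontext=system_u:system_r:udev_t
tcontext=system_u:system_r:udev_t tclass=netlink_socket permissive=1
type=AVC msg=audit(1421753429.771:3720): avc:  denied  { bind } for
pid=28698 comm="crda" scontext=system_u:system_r:udev_t
tcontext=system_u:system_r:udev_t tclass=netlink_socket permissive=1
type=AVC msg=audit(1421753429.771:3721): avc:  denied  { getattr } for
pid=28698 comm="crda" scontext=system_u:system_r:udev_t
tcontext=system_u:system_r:udev_t tclass=netlink_socket permissive=1
type=AVC msg=audit(1421753429.771:3722): avc:  denied  { write } for
pid=28698 comm="crda" scontext=system_u:system_r:udev_t
tcontext=system_u:system_r:udev_t tclass=netlink_socket permissive=1
type=AVC msg=audit(1421753429.771:3723): avc:  denied  { read } for
pid=28698 comm="crda" scontext=system_u:system_r:udev_t
tcontext=system_u:system_r:udev_t tclass=netlink_socket permissive=1
type=AVC msg=audit(1436621093.701:1165): avc:  denied  { read } for
pid=30786 comm="openrc" name="ceph-mon.0" dev="vda3" ino=1966780
scontext=staff_u:staff_r:run_init_t:s0
tcontext=system_u:object_r:ceph_initrc_exec_t:s0 tclass=lnk_file
permissive=0
"""

# Refpolicy permission sets (policy/support/obj_perm_sets.spt), transcribed
# here from memory; assumption: verify against the copy in your tree.
RW_SOCKET_PERMS = {"ioctl", "read", "getattr", "write", "setattr", "append",
                   "bind", "connect", "getopt", "setopt", "shutdown"}
PERM_SETS = {
    "rw_socket_perms": RW_SOCKET_PERMS,
    "create_socket_perms": RW_SOCKET_PERMS | {"create"},
    "read_lnk_file_perms": {"getattr", "read"},
}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)"
)

def join_records(text):
    """Rejoin AVC records that mail clients wrapped over several lines."""
    records = []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("type=AVC"):
            records.append(line)
        elif line and records:
            records[-1] += " " + line
    return records

def type_of(context):
    """user:role:type[:range] -> type"""
    return context.split(":")[2]

def parse_denials(text):
    """One dict per AVC record: source/target types, class, permissions."""
    denials = []
    for rec in join_records(text):
        m = AVC_RE.search(rec)
        if m:
            denials.append({
                "stype": type_of(m.group("scontext")),
                "ttype": type_of(m.group("tcontext")),
                "tclass": m.group("tclass"),
                "perms": set(m.group("perms").split()),
            })
    return denials

def aggregate(text):
    """Merge denials into (source, target, class) -> permission set,
    writing the target as 'self' when it is the source's own type."""
    merged = defaultdict(set)
    for d in parse_denials(text):
        target = "self" if d["ttype"] == d["stype"] else d["ttype"]
        merged[(d["stype"], target, d["tclass"])] |= d["perms"]
    return dict(merged)

def allow_rules(text):
    """Render aggregated denials as the narrowest refpolicy allow rules."""
    rules = []
    for (stype, target, tclass), perms in sorted(aggregate(text).items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {stype} {target}:{tclass} {body};")
    return rules

def suggest_macro(perms):
    """Smallest known permission set covering perms, and the extra
    permissions it would grant beyond what was denied (review these)."""
    fits = [(name, s) for name, s in PERM_SETS.items() if perms <= s]
    if not fits:
        return None, set()
    name, s = min(fits, key=lambda item: len(item[1]))
    return name, s - perms
```

On the sample input allow_rules() yields `allow udev_t self:netlink_socket { bind create getattr read setopt write };` and `allow run_init_t ceph_initrc_exec_t:lnk_file read;`, and suggest_macro() maps those to create_socket_perms and read_lnk_file_perms, which is exactly what the two patches wrote, while also listing what each macro adds beyond the denials. One caveat the permissive field carries: the udev records say permissive=1, so every operation crda attempted went ahead and the list is complete; the run_init record says permissive=0, so only the first blocked operation is visible and granting it may surface further denials.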

* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
  2015-08-02 19:05 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2015-08-02 19:06 ` Jason Zaman
  0 siblings, 0 replies; 98+ messages in thread
From: Jason Zaman @ 2015-08-02 19:06 UTC (permalink / raw
  To: gentoo-commits

commit:     1142e65e5281195a865c737d4640db42ae91c89a
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun Aug  2 18:38:34 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Aug  2 19:04:45 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1142e65e

miscfiles: gen_contexts was missing the sensitivity

 policy/modules/system/miscfiles.fc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
index f1b2103..be0b6a1 100644
--- a/policy/modules/system/miscfiles.fc
+++ b/policy/modules/system/miscfiles.fc
@@ -103,7 +103,7 @@ ifdef(`distro_redhat',`
 /var/spool/postfix/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
 ')
 
-HOME_DIR/.pki(/.*)?		gen_context(system_u:object_r:cert_home_t)
+HOME_DIR/.pki(/.*)?		gen_context(system_u:object_r:cert_home_t,s0)
 
 ifdef(`distro_gentoo',`
 /etc/fonts(/.*)?	gen_context(system_u:object_r:fonts_t,s0)
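
Review bot: correct fix; without the `,s0` argument gen_context emits no level for the HOME_DIR/.pki entry in MCS/MLS builds, which setfiles rejects at load time. The line is outside any distro ifdef, so the same one-character change belongs upstream.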


^ permalink raw reply related	[flat|nested] 98+ messages in thread

* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
@ 2015-10-11 10:48 Jason Zaman
  0 siblings, 0 replies; 98+ messages in thread
From: Jason Zaman @ 2015-10-11 10:48 UTC (permalink / raw
  To: gentoo-commits

commit:     84d4e9d4f9c40980dd9f8c7a57c556d807990c26
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun Oct 11 08:40:25 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Oct 11 08:40:25 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=84d4e9d4

system/ipsec: Add policy for StrongSwan

Adds an ipsec_supervisor_t domain for StrongSwan's starter.
Thanks to Matthias Dahl for most of the work regarding this.

 policy/modules/system/ipsec.fc | 17 ++++++++++++
 policy/modules/system/ipsec.te | 61 +++++++++++++++++++++++++++++++++++++++---
 2 files changed, 75 insertions(+), 3 deletions(-)

diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
index 0f1e351..d42b08e 100644
--- a/policy/modules/system/ipsec.fc
+++ b/policy/modules/system/ipsec.fc
@@ -10,6 +10,14 @@
 
 /etc/ipsec\.d(/.*)?			gen_context(system_u:object_r:ipsec_key_file_t,s0)
 
+/etc/strongswan\.conf		--	gen_context(system_u:object_r:ipsec_conf_file_t,s0)
+
+/etc/strongswan\.d(/.*)?		gen_context(system_u:object_r:ipsec_conf_file_t,s0)
+
+/etc/swanctl/(.*)?			gen_context(system_u:object_r:ipsec_key_file_t,s0)
+/etc/swanctl			-d	gen_context(system_u:object_r:ipsec_conf_file_t,s0)
+/etc/swanctl/swanctl.conf	--	gen_context(system_u:object_r:ipsec_conf_file_t,s0)
+
 /sbin/setkey			--	gen_context(system_u:object_r:setkey_exec_t,s0)
 
 /usr/lib/ipsec/_plutoload	-- 	gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
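
Review bot: `/etc/swanctl/(.*)?` breaks the `(/.*)?` convention used by every other entry here (compare `/etc/strongswan\.d(/.*)?`) and is equivalent to `/etc/swanctl/.*`; if the intent is to label the directory ipsec_conf_file_t (the `-d` line) and its contents ipsec_key_file_t, write `/etc/swanctl/.*` so it does not read as a typo. Also escape the dot in `/etc/swanctl/swanctl.conf`, as `strongswan\.conf` does two entries above; the more specific entry still wins over the key-file pattern either way.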
@@ -19,17 +27,25 @@
 /usr/lib/ipsec/pluto		--	gen_context(system_u:object_r:ipsec_exec_t,s0)
 /usr/lib/ipsec/spi		--	gen_context(system_u:object_r:ipsec_exec_t,s0)
 
+/usr/libexec/ipsec/_copyright	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
 /usr/libexec/ipsec/_plutoload	-- 	gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
 /usr/libexec/ipsec/_plutorun	--	gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
+/usr/libexec/ipsec/_updown	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
+/usr/libexec/ipsec/charon	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
 /usr/libexec/ipsec/eroute	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
 /usr/libexec/ipsec/klipsdebug	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
+/usr/libexec/ipsec/lookip	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
 /usr/libexec/ipsec/pluto	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
+/usr/libexec/ipsec/scepclient	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
 /usr/libexec/ipsec/spi		--	gen_context(system_u:object_r:ipsec_exec_t,s0)
+/usr/libexec/ipsec/starter	--	gen_context(system_u:object_r:ipsec_supervisor_exec_t,s0)
+/usr/libexec/ipsec/stroke	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
 /usr/libexec/nm-openswan-service -- 	gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
 
 /usr/sbin/ipsec			-- 	gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
 /usr/sbin/racoon		--	gen_context(system_u:object_r:racoon_exec_t,s0)
 /usr/sbin/setkey		--	gen_context(system_u:object_r:setkey_exec_t,s0)
+/usr/sbin/swanctl		--	gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
 
 /var/lib/racoon(/.*)?			gen_context(system_u:object_r:ipsec_var_run_t,s0)
 
@@ -39,5 +55,6 @@
 
 /var/racoon(/.*)?			gen_context(system_u:object_r:ipsec_var_run_t,s0)
 
+/var/run/charon\.(.*)?		--	gen_context(system_u:object_r:ipsec_var_run_t,s0)
 /var/run/pluto(/.*)?			gen_context(system_u:object_r:ipsec_var_run_t,s0)
 /var/run/racoon\.pid		--	gen_context(system_u:object_r:ipsec_var_run_t,s0)
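
Review bot: `/var/run/charon\.(.*)?  --` restricts the match to regular files, but the ipsec.te half of this patch gives ipsec_supervisor_t rw_sock_file_perms and unlink on ipsec_var_run_t:sock_file plus a files_pid_filetrans for sock_file, so a charon control socket is expected under this name as well. A restorecon would fall back to the /var/run default for that socket; drop the `--` or add a matching `-s` entry. `\.(.*)?` is just `\..*`.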

diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index 3734bd4..2d8b686 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -67,19 +67,25 @@ type setkey_exec_t;
 init_system_domain(setkey_t, setkey_exec_t)
 role system_r types setkey_t;
 
+type ipsec_supervisor_t;
+type ipsec_supervisor_exec_t;
+init_daemon_domain(ipsec_supervisor_t, ipsec_supervisor_exec_t);
+role system_r types ipsec_supervisor_t;
+
 ########################################
 #
 # ipsec Local policy
 #
 
-allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice };
+allow ipsec_t self:capability { chown dac_override dac_read_search setgid setuid setpcap net_admin sys_nice };
 dontaudit ipsec_t self:capability { sys_ptrace sys_tty_config };
 allow ipsec_t self:process { getcap setcap getsched signal setsched };
 allow ipsec_t self:tcp_socket create_stream_socket_perms;
 allow ipsec_t self:udp_socket create_socket_perms;
 allow ipsec_t self:key_socket create_socket_perms;
-allow ipsec_t self:fifo_file read_fifo_file_perms;
+allow ipsec_t self:fifo_file rw_fifo_file_perms;
 allow ipsec_t self:netlink_xfrm_socket create_netlink_socket_perms;
+allow ipsec_t self:netlink_route_socket rw_netlink_socket_perms;
 
 allow ipsec_t ipsec_initrc_exec_t:file read_file_perms;
 
@@ -113,7 +119,7 @@ allow ipsec_mgmt_t ipsec_t:unix_stream_socket { read write };
 allow ipsec_mgmt_t ipsec_t:process { rlimitinh sigchld };
 
 kernel_read_kernel_sysctls(ipsec_t)
-kernel_read_net_sysctls(ipsec_t)
+kernel_rw_net_sysctls(ipsec_t);
 kernel_list_proc(ipsec_t)
 kernel_read_proc_symlinks(ipsec_t)
 # allow pluto to access /proc/net/ipsec_eroute;
@@ -196,6 +202,8 @@ allow ipsec_mgmt_t self:udp_socket create_socket_perms;
 allow ipsec_mgmt_t self:key_socket create_socket_perms;
 allow ipsec_mgmt_t self:fifo_file rw_fifo_file_perms;
 
+allow ipsec_mgmt_t ipsec_supervisor_t:process { signal signull };
+
 allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
 files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file)
 
@@ -236,6 +244,7 @@ can_exec(ipsec_mgmt_t, ipsec_mgmt_exec_t)
 allow ipsec_mgmt_t ipsec_mgmt_exec_t:lnk_file read;
 
 domtrans_pattern(ipsec_mgmt_t, ipsec_exec_t, ipsec_t)
+domtrans_pattern(ipsec_mgmt_t, ipsec_supervisor_exec_t, ipsec_supervisor_t);
 
 kernel_rw_net_sysctls(ipsec_mgmt_t)
 # allow pluto to access /proc/net/ipsec_eroute;
@@ -444,6 +453,52 @@ seutil_read_config(setkey_t)
 
 userdom_use_user_terminals(setkey_t)
 
+########################################
+#
+# ipsec_supervisor policy
+#
+
+allow ipsec_supervisor_t self:capability { dac_read_search dac_override kill net_admin };
+allow ipsec_supervisor_t self:process { signal };
+allow ipsec_supervisor_t self:fifo_file rw_fifo_file_perms;
+allow ipsec_supervisor_t self:netlink_route_socket rw_netlink_socket_perms;
+allow ipsec_supervisor_t self:netlink_xfrm_socket create_netlink_socket_perms;
+
+allow ipsec_supervisor_t ipsec_conf_file_t:dir list_dir_perms;
+read_files_pattern(ipsec_supervisor_t, ipsec_conf_file_t, ipsec_conf_file_t);
+
+manage_files_pattern(ipsec_supervisor_t, ipsec_key_file_t, ipsec_key_file_t)
+
+allow ipsec_supervisor_t ipsec_t:unix_stream_socket { connectto };
+allow ipsec_supervisor_t ipsec_t:process { signal };
+
+allow ipsec_supervisor_t ipsec_var_run_t:sock_file { rw_sock_file_perms unlink };
+manage_dirs_pattern(ipsec_supervisor_t, ipsec_var_run_t, ipsec_var_run_t)
+manage_files_pattern(ipsec_supervisor_t, ipsec_var_run_t, ipsec_var_run_t)
+files_pid_filetrans(ipsec_supervisor_t, ipsec_var_run_t, { dir file sock_file })
+
+domtrans_pattern(ipsec_supervisor_t, ipsec_exec_t, ipsec_t);
+
+kernel_read_network_state(ipsec_supervisor_t)
+kernel_read_system_state(ipsec_supervisor_t)
+kernel_rw_net_sysctls(ipsec_supervisor_t);
+
+corecmd_exec_bin(ipsec_supervisor_t);
+corecmd_exec_shell(ipsec_supervisor_t)
+
+dev_read_rand(ipsec_supervisor_t);
+dev_read_urand(ipsec_supervisor_t);
+
+files_read_etc_files(ipsec_supervisor_t);
+
+logging_send_syslog_msg(ipsec_supervisor_t);
+
+miscfiles_read_localization(ipsec_supervisor_t);
+
+optional_policy(`
+	modutils_domtrans_insmod(ipsec_supervisor_t)
+')
+
 ifdef(`distro_gentoo',`
 	################################################
 	#
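Review bot: Trailing semicolons are inconsistent throughout the new ipsec_supervisor block: `read_files_pattern(...);`, `domtrans_pattern(...);`, `kernel_rw_net_sysctls(...);`, `corecmd_exec_bin(...);`, `dev_read_rand(...);`, `files_read_etc_files(...);`, `logging_send_syslog_msg(...);` and `miscfiles_read_localization(...);` end in `;`, while `corecmd_exec_shell(ipsec_supervisor_t)`, the `*_pattern` calls for ipsec_var_run_t and `kernel_read_network_state(...)` do not. Refpolicy style is no `;` after an interface or pattern call, because the expansion already terminates its own statements; drop them so the block matches the rest of the file.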


^ permalink raw reply related	[flat|nested] 98+ messages in thread

* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
@ 2015-10-14 18:36 Jason Zaman
  0 siblings, 0 replies; 98+ messages in thread
From: Jason Zaman @ 2015-10-14 18:36 UTC (permalink / raw
  To: gentoo-commits

commit:     5522373aa919d8f9ee0e1937e9f031ad35c07c4a
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun Oct 11 10:37:56 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Oct 13 14:21:41 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5522373a

system/ipsec: Add policy for StrongSwan

Adds an ipsec_supervisor_t domain for StrongSwan's starter.
Thanks to Matthias Dahl for most of the work on this.

 policy/modules/system/ipsec.fc | 17 ++++++++++++
 policy/modules/system/ipsec.te | 61 +++++++++++++++++++++++++++++++++++++++---
 2 files changed, 75 insertions(+), 3 deletions(-)

diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
index 0f1e351..d42b08e 100644
--- a/policy/modules/system/ipsec.fc
+++ b/policy/modules/system/ipsec.fc
@@ -10,6 +10,14 @@
 
 /etc/ipsec\.d(/.*)?			gen_context(system_u:object_r:ipsec_key_file_t,s0)
 
+/etc/strongswan\.conf		--	gen_context(system_u:object_r:ipsec_conf_file_t,s0)
+
+/etc/strongswan\.d(/.*)?		gen_context(system_u:object_r:ipsec_conf_file_t,s0)
+
+/etc/swanctl/(.*)?			gen_context(system_u:object_r:ipsec_key_file_t,s0)
+/etc/swanctl			-d	gen_context(system_u:object_r:ipsec_conf_file_t,s0)
+/etc/swanctl/swanctl.conf	--	gen_context(system_u:object_r:ipsec_conf_file_t,s0)
+
 /sbin/setkey			--	gen_context(system_u:object_r:setkey_exec_t,s0)
 
 /usr/lib/ipsec/_plutoload	-- 	gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
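Review bot: Escaping and pattern form in the new /etc/swanctl entries: `/etc/swanctl/swanctl.conf` has an unescaped `.` (compare `/etc/strongswan\.conf` a few lines up, which is escaped), and `/etc/swanctl/(.*)?` departs from the `(/.*)?` form used by `/etc/ipsec\.d(/.*)?` and `/etc/strongswan\.d(/.*)?` in the same file. Suggest `/etc/swanctl/swanctl\.conf` for the config file and the usual `(/.*)?` shape for the key-material entry, with a short comment explaining why the directory itself is conf material but its contents are key material.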
@@ -19,17 +27,25 @@
 /usr/lib/ipsec/pluto		--	gen_context(system_u:object_r:ipsec_exec_t,s0)
 /usr/lib/ipsec/spi		--	gen_context(system_u:object_r:ipsec_exec_t,s0)
 
+/usr/libexec/ipsec/_copyright	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
 /usr/libexec/ipsec/_plutoload	-- 	gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
 /usr/libexec/ipsec/_plutorun	--	gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
+/usr/libexec/ipsec/_updown	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
+/usr/libexec/ipsec/charon	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
 /usr/libexec/ipsec/eroute	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
 /usr/libexec/ipsec/klipsdebug	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
+/usr/libexec/ipsec/lookip	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
 /usr/libexec/ipsec/pluto	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
+/usr/libexec/ipsec/scepclient	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
 /usr/libexec/ipsec/spi		--	gen_context(system_u:object_r:ipsec_exec_t,s0)
+/usr/libexec/ipsec/starter	--	gen_context(system_u:object_r:ipsec_supervisor_exec_t,s0)
+/usr/libexec/ipsec/stroke	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
 /usr/libexec/nm-openswan-service -- 	gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
 
 /usr/sbin/ipsec			-- 	gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
 /usr/sbin/racoon		--	gen_context(system_u:object_r:racoon_exec_t,s0)
 /usr/sbin/setkey		--	gen_context(system_u:object_r:setkey_exec_t,s0)
+/usr/sbin/swanctl		--	gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
 
 /var/lib/racoon(/.*)?			gen_context(system_u:object_r:ipsec_var_run_t,s0)
 
@@ -39,5 +55,6 @@
 
 /var/racoon(/.*)?			gen_context(system_u:object_r:ipsec_var_run_t,s0)
 
+/var/run/charon\.(.*)?		--	gen_context(system_u:object_r:ipsec_var_run_t,s0)
 /var/run/pluto(/.*)?			gen_context(system_u:object_r:ipsec_var_run_t,s0)
 /var/run/racoon\.pid		--	gen_context(system_u:object_r:ipsec_var_run_t,s0)
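Review bot: `/var/run/charon\.(.*)?` is restricted to regular files by `--`, so a control socket that charon creates under /var/run (a sock_file) is not covered by this entry and a relabel would leave it with the generic pid-directory label, even though the ipsec.te part of this same change grants ipsec_supervisor_t sock_file permissions on ipsec_var_run_t and a `files_pid_filetrans(..., { dir file sock_file })` for it. Drop the `--` (as the `/var/run/pluto(/.*)?` line below does) or add a second entry with `-s`; `charon\.(.*)?` can also simply be `charon\..*`.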

diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index 3734bd4..2d8b686 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -67,19 +67,25 @@ type setkey_exec_t;
 init_system_domain(setkey_t, setkey_exec_t)
 role system_r types setkey_t;
 
+type ipsec_supervisor_t;
+type ipsec_supervisor_exec_t;
+init_daemon_domain(ipsec_supervisor_t, ipsec_supervisor_exec_t);
+role system_r types ipsec_supervisor_t;
+
 ########################################
 #
 # ipsec Local policy
 #
 
-allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice };
+allow ipsec_t self:capability { chown dac_override dac_read_search setgid setuid setpcap net_admin sys_nice };
 dontaudit ipsec_t self:capability { sys_ptrace sys_tty_config };
 allow ipsec_t self:process { getcap setcap getsched signal setsched };
 allow ipsec_t self:tcp_socket create_stream_socket_perms;
 allow ipsec_t self:udp_socket create_socket_perms;
 allow ipsec_t self:key_socket create_socket_perms;
-allow ipsec_t self:fifo_file read_fifo_file_perms;
+allow ipsec_t self:fifo_file rw_fifo_file_perms;
 allow ipsec_t self:netlink_xfrm_socket create_netlink_socket_perms;
+allow ipsec_t self:netlink_route_socket rw_netlink_socket_perms;
 
 allow ipsec_t ipsec_initrc_exec_t:file read_file_perms;
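Review bot: The widened capability set (`chown setgid setuid` added) and the new `self:netlink_route_socket rw_netlink_socket_perms` rule apply to ipsec_t as a whole, so pluto and every other binary labelled ipsec_exec_t gain them, not only charon. Neither the hunk nor the commit message says what needs them; a comment above the rule stating which daemon behaviour requires them (privilege dropping after start and route installation over netlink are the obvious candidates, but that should be confirmed) would let the extra capabilities be re-evaluated later. In the same hunk, the new ipsec_supervisor_t declarations sit after setkey_t rather than in alphabetical order before racoon_t, and `init_daemon_domain(ipsec_supervisor_t, ipsec_supervisor_exec_t);` carries a trailing `;` that none of the neighbouring declarations have.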
 
@@ -113,7 +119,7 @@ allow ipsec_mgmt_t ipsec_t:unix_stream_socket { read write };
 allow ipsec_mgmt_t ipsec_t:process { rlimitinh sigchld };
 
 kernel_read_kernel_sysctls(ipsec_t)
-kernel_read_net_sysctls(ipsec_t)
+kernel_rw_net_sysctls(ipsec_t);
 kernel_list_proc(ipsec_t)
 kernel_read_proc_symlinks(ipsec_t)
 # allow pluto to access /proc/net/ipsec_eroute;
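Review bot: `kernel_read_net_sysctls(ipsec_t)` becomes `kernel_rw_net_sysctls(ipsec_t);` with no explanation and a stray `;`. Writing net sysctls from the daemon domain is a real widening (until now only ipsec_mgmt_t had it, see `kernel_rw_net_sysctls(ipsec_mgmt_t)` further down), so the line should carry a comment naming which sysctl charon writes, and the semicolon should go.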
@@ -196,6 +202,8 @@ allow ipsec_mgmt_t self:udp_socket create_socket_perms;
 allow ipsec_mgmt_t self:key_socket create_socket_perms;
 allow ipsec_mgmt_t self:fifo_file rw_fifo_file_perms;
 
+allow ipsec_mgmt_t ipsec_supervisor_t:process { signal signull };
+
 allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
 files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file)
 
@@ -236,6 +244,7 @@ can_exec(ipsec_mgmt_t, ipsec_mgmt_exec_t)
 allow ipsec_mgmt_t ipsec_mgmt_exec_t:lnk_file read;
 
 domtrans_pattern(ipsec_mgmt_t, ipsec_exec_t, ipsec_t)
+domtrans_pattern(ipsec_mgmt_t, ipsec_supervisor_exec_t, ipsec_supervisor_t);
 
 kernel_rw_net_sysctls(ipsec_mgmt_t)
 # allow pluto to access /proc/net/ipsec_eroute;
@@ -444,6 +453,52 @@ seutil_read_config(setkey_t)
 
 userdom_use_user_terminals(setkey_t)
 
+########################################
+#
+# ipsec_supervisor policy
+#
+
+allow ipsec_supervisor_t self:capability { dac_read_search dac_override kill net_admin };
+allow ipsec_supervisor_t self:process { signal };
+allow ipsec_supervisor_t self:fifo_file rw_fifo_file_perms;
+allow ipsec_supervisor_t self:netlink_route_socket rw_netlink_socket_perms;
+allow ipsec_supervisor_t self:netlink_xfrm_socket create_netlink_socket_perms;
+
+allow ipsec_supervisor_t ipsec_conf_file_t:dir list_dir_perms;
+read_files_pattern(ipsec_supervisor_t, ipsec_conf_file_t, ipsec_conf_file_t);
+
+manage_files_pattern(ipsec_supervisor_t, ipsec_key_file_t, ipsec_key_file_t)
+
+allow ipsec_supervisor_t ipsec_t:unix_stream_socket { connectto };
+allow ipsec_supervisor_t ipsec_t:process { signal };
+
+allow ipsec_supervisor_t ipsec_var_run_t:sock_file { rw_sock_file_perms unlink };
+manage_dirs_pattern(ipsec_supervisor_t, ipsec_var_run_t, ipsec_var_run_t)
+manage_files_pattern(ipsec_supervisor_t, ipsec_var_run_t, ipsec_var_run_t)
+files_pid_filetrans(ipsec_supervisor_t, ipsec_var_run_t, { dir file sock_file })
+
+domtrans_pattern(ipsec_supervisor_t, ipsec_exec_t, ipsec_t);
+
+kernel_read_network_state(ipsec_supervisor_t)
+kernel_read_system_state(ipsec_supervisor_t)
+kernel_rw_net_sysctls(ipsec_supervisor_t);
+
+corecmd_exec_bin(ipsec_supervisor_t);
+corecmd_exec_shell(ipsec_supervisor_t)
+
+dev_read_rand(ipsec_supervisor_t);
+dev_read_urand(ipsec_supervisor_t);
+
+files_read_etc_files(ipsec_supervisor_t);
+
+logging_send_syslog_msg(ipsec_supervisor_t);
+
+miscfiles_read_localization(ipsec_supervisor_t);
+
+optional_policy(`
+	modutils_domtrans_insmod(ipsec_supervisor_t)
+')
+
 ifdef(`distro_gentoo',`
 	################################################
 	#
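Review bot: Two rules in the ipsec_supervisor block look broader than the starter's job needs. `kill` in `self:capability` is only required to signal processes owned by a different UID; the supervisor already has `ipsec_t:process { signal }` for the charon it launches, so if charon runs under the same UID the capability can be dropped (or dontaudited if the code attempts it). `manage_files_pattern(ipsec_supervisor_t, ipsec_key_file_t, ipsec_key_file_t)` lets the starter create, write and delete the secrets under /etc/ipsec.d and /etc/swanctl; if it only reads them, `read_files_pattern` is enough, and note that the neighbouring rules for ipsec_conf_file_t already use the read-only form. Either narrow both or add a comment stating why the wider rules are needed.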



* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
@ 2015-10-14 18:36 Jason Zaman
From: Jason Zaman @ 2015-10-14 18:36 UTC (permalink / raw
  To: gentoo-commits

commit:     4db341f7c2dd5502db391b2322967772e3213c01
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Mon Oct 12 13:30:05 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Oct 13 14:21:41 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4db341f7

Rearrange lines in ipsec.te.

 policy/modules/system/ipsec.te | 43 +++++++++++++++++++++---------------------
 1 file changed, 21 insertions(+), 22 deletions(-)

diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index 2d8b686..b9cfcc3 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -54,6 +54,11 @@ files_lock_file(ipsec_mgmt_lock_t)
 type ipsec_mgmt_var_run_t;
 files_pid_file(ipsec_mgmt_var_run_t)
 
+type ipsec_supervisor_t;
+type ipsec_supervisor_exec_t;
+init_daemon_domain(ipsec_supervisor_t, ipsec_supervisor_exec_t);
+role system_r types ipsec_supervisor_t;
+
 type racoon_t;
 type racoon_exec_t;
 init_daemon_domain(racoon_t, racoon_exec_t)
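Review bot: The moved `init_daemon_domain(ipsec_supervisor_t, ipsec_supervisor_exec_t);` keeps its trailing `;` on the way to its new position; since this commit is purely a reorder, it is the natural place to drop the semicolon so the declaration matches `init_daemon_domain(racoon_t, racoon_exec_t)` directly below it.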
@@ -67,11 +72,6 @@ type setkey_exec_t;
 init_system_domain(setkey_t, setkey_exec_t)
 role system_r types setkey_t;
 
-type ipsec_supervisor_t;
-type ipsec_supervisor_exec_t;
-init_daemon_domain(ipsec_supervisor_t, ipsec_supervisor_exec_t);
-role system_r types ipsec_supervisor_t;
-
 ########################################
 #
 # ipsec Local policy
@@ -202,49 +202,48 @@ allow ipsec_mgmt_t self:udp_socket create_socket_perms;
 allow ipsec_mgmt_t self:key_socket create_socket_perms;
 allow ipsec_mgmt_t self:fifo_file rw_fifo_file_perms;
 
-allow ipsec_mgmt_t ipsec_supervisor_t:process { signal signull };
+domtrans_pattern(ipsec_mgmt_t, ipsec_exec_t, ipsec_t)
+
+# _realsetup needs to be able to cat /var/run/pluto.pid,
+# run ps on that pid, and delete the file
+read_files_pattern(ipsec_mgmt_t, ipsec_t, ipsec_t)
+read_lnk_files_pattern(ipsec_mgmt_t, ipsec_t, ipsec_t)
+
+allow ipsec_mgmt_t ipsec_conf_file_t:file read_file_perms;
+
+manage_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t)
+manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t)
 
 allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
 files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file)
 
+manage_files_pattern(ipsec_mgmt_t, ipsec_log_t, ipsec_log_t)
+logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file)
+
 manage_dirs_pattern(ipsec_mgmt_t, ipsec_tmp_t, ipsec_tmp_t)
 manage_files_pattern(ipsec_mgmt_t, ipsec_tmp_t, ipsec_tmp_t)
 files_tmp_filetrans(ipsec_mgmt_t, ipsec_tmp_t, { dir file })
 
-manage_files_pattern(ipsec_mgmt_t, ipsec_log_t, ipsec_log_t)
-logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file)
-
 allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
-files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file)
-
 manage_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t)
 manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t)
+files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file)
 
 allow ipsec_mgmt_t ipsec_var_run_t:sock_file manage_sock_file_perms;
 files_pid_filetrans(ipsec_mgmt_t, ipsec_var_run_t, sock_file)
 
-# _realsetup needs to be able to cat /var/run/pluto.pid,
-# run ps on that pid, and delete the file
-read_files_pattern(ipsec_mgmt_t, ipsec_t, ipsec_t)
-read_lnk_files_pattern(ipsec_mgmt_t, ipsec_t, ipsec_t)
-
 # logger, running in ipsec_mgmt_t needs to use sockets
 allow ipsec_mgmt_t self:unix_dgram_socket { create connect write };
 allow ipsec_mgmt_t ipsec_t:unix_dgram_socket { create connect write };
 
-allow ipsec_mgmt_t ipsec_conf_file_t:file read_file_perms;
-
-manage_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t)
-manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t)
-
 # whack needs to connect to pluto
 stream_connect_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t, ipsec_t)
 
 can_exec(ipsec_mgmt_t, ipsec_mgmt_exec_t)
 allow ipsec_mgmt_t ipsec_mgmt_exec_t:lnk_file read;
 
-domtrans_pattern(ipsec_mgmt_t, ipsec_exec_t, ipsec_t)
 domtrans_pattern(ipsec_mgmt_t, ipsec_supervisor_exec_t, ipsec_supervisor_t);
+allow ipsec_mgmt_t ipsec_supervisor_t:process { signal signull };
 
 kernel_rw_net_sysctls(ipsec_mgmt_t)
 # allow pluto to access /proc/net/ipsec_eroute;
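Review bot: After the reorder, `files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file)` sits below the two ipsec_var_run_t pattern calls instead of directly after `allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;`, which makes it easy to misread as a filetrans for ipsec_var_run_t. Keeping each allow next to its own filetrans, as the sock_file pair two lines further down already does, would be clearer. The relocated `domtrans_pattern(ipsec_mgmt_t, ipsec_supervisor_exec_t, ipsec_supervisor_t);` also still carries its stray `;` while the sibling `domtrans_pattern(ipsec_mgmt_t, ipsec_exec_t, ipsec_t)` does not.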



* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
@ 2015-10-14 18:36 Jason Zaman
From: Jason Zaman @ 2015-10-14 18:36 UTC (permalink / raw
  To: gentoo-commits

commit:     978ce09db2ebb2af831a04aae9e973d2706a25dd
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Oct 14 18:34:53 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Oct 14 18:34:53 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=978ce09d

ipsec: Allow ipsec to run resolvconf

 policy/modules/system/ipsec.te | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index 02fad03..3dd5c8b 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -514,4 +514,13 @@ ifdef(`distro_gentoo',`
 	#
 
 	domain_use_interactive_fds(setkey_t)
+
+	########################################
+	#
+	# ipsec_mgmt Local policy
+	#
+
+	optional_policy(`
+		resolvconf_client_domain(ipsec_mgmt_t)
+	')
 ')
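Review bot: The rule targets ipsec_mgmt_t while the subject says "allow ipsec to run resolvconf"; a comment inside the new block should name which program running as ipsec_mgmt_t invokes resolvconf, because the daemon domain ipsec_t gets nothing here and a reader chasing a denial against the daemon would look in the wrong place. The new section header is correctly indented one tab to match the setkey section above it inside the distro_gentoo block.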



* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
@ 2015-10-26  5:36 Jason Zaman
From: Jason Zaman @ 2015-10-26  5:36 UTC (permalink / raw
  To: gentoo-commits

commit:     360b075cbb2c37b12a039e12d4ac0f6d68c2e0f8
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Tue Oct 20 17:25:57 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Oct 26 03:55:52 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=360b075c

Add refpolicy core socket-activated services.

 policy/modules/system/logging.te | 1 +
 policy/modules/system/lvm.te     | 1 +
 policy/modules/system/udev.te    | 1 +
 3 files changed, 3 insertions(+)

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index fd941ab..ef56179 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -67,6 +67,7 @@ files_config_file(syslog_conf_t)
 type syslogd_t;
 type syslogd_exec_t;
 init_daemon_domain(syslogd_t, syslogd_exec_t)
+init_named_socket_activation(syslogd_t, syslogd_var_run_t)
 
 type syslogd_initrc_exec_t;
 init_script_file(syslogd_initrc_exec_t)

diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index 61bd92b..d15ea3c 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -18,6 +18,7 @@ files_pid_file(clvmd_var_run_t)
 type lvm_t;
 type lvm_exec_t;
 init_system_domain(lvm_t, lvm_exec_t)
+init_named_socket_activation(lvm_t, lvm_var_run_t)
 # needs privowner because it assigns the identity system_u to device nodes
 # but runs as the identity of the sysadmin
 domain_obj_id_change_exemption(lvm_t)

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 40868ad..c9091f3 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -13,6 +13,7 @@ domain_obj_id_change_exemption(udev_t)
 domain_entry_file(udev_t, udev_helper_exec_t)
 domain_interactive_fd(udev_t)
 init_daemon_domain(udev_t, udev_exec_t)
+init_named_socket_activation(udev_t, udev_var_run_t)
 
 type udev_etc_t alias etc_udev_t;
 files_config_file(udev_etc_t)
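Review bot: Each of the three new `init_named_socket_activation(...)` lines (syslogd_t and lvm_t in the two hunks above, udev_t here) would benefit from a comment naming the socket unit that motivates it, since the commit message only says "socket-activated services" and the interface binds the daemon's pid-directory type (syslogd_var_run_t, lvm_var_run_t, udev_var_run_t) to init's socket handling. For lvm_t in particular, the surrounding context shows it is an init_system_domain that also runs as the sysadmin's identity, so it is worth stating that the socket-activated member is the daemon rather than the command-line tools.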



* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
@ 2015-10-26  5:36 Jason Zaman
From: Jason Zaman @ 2015-10-26  5:36 UTC (permalink / raw
  To: gentoo-commits

commit:     a51ba0a947d3824df1342367d7fd6fd955e6410b
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Oct 26 04:27:25 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Oct 26 04:27:25 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a51ba0a9

system/logging: Remove duplicate filetrans on cron.log

policy/modules/system/logging.te:534:ERROR 'duplicate filename
transition for: filename_trans cron.log syslogd_t var_log_t:file' at
type_transition syslogd_t var_log_t:file cron_log_t "cron.log";

The cron type is gentoo only so make the logging one ifndef

 policy/modules/system/logging.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 902ff63..d0c4d31 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -533,7 +533,9 @@ optional_policy(`
 
 optional_policy(`
 	cron_manage_log_files(syslogd_t)
+	ifndef(`distro_gentoo',`
 	cron_generic_log_filetrans_log(syslogd_t, file, "cron.log")
+	')
 ')
 
 optional_policy(`
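Review bot: Wrapping upstream's `cron_generic_log_filetrans_log(syslogd_t, file, "cron.log")` in `ifndef(`distro_gentoo',...)` keeps the Gentoo-only `type_transition syslogd_t var_log_t:file cron_log_t "cron.log"` at line 534 alive and adds a distro conditional to the core module. If that raw type_transition yields the same result type as the interface call (the error message quotes cron_log_t for it), the alternative of deleting the Gentoo-specific line instead would leave this block identical to upstream and avoid the ifndef. If the wrapper stays, the wrapped line should be indented one more tab, as nested m4 blocks are elsewhere in the file.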



* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
  2015-10-26  5:48 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2015-10-26  5:36 ` Jason Zaman
From: Jason Zaman @ 2015-10-26  5:36 UTC (permalink / raw
  To: gentoo-commits

commit:     2b1fd1cb76055efbf37feb023a65831b79932f2b
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Oct 26 04:59:35 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Oct 26 04:59:35 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2b1fd1cb

system/logging: Remove duplicate filetrans on news logs

policy/modules/system/logging.te:541:ERROR 'duplicate filename transition for:
filename_trans news.crit syslogd_t var_log_t:file'
type_transition syslogd_t var_log_t:file innd_log_t "news.crit";

The news type is gentoo only so make the logging one ifndef

 policy/modules/system/logging.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index d0c4d31..52c86e5 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -540,9 +540,11 @@ optional_policy(`
 
 optional_policy(`
 	inn_manage_log(syslogd_t)
+	ifndef(`distro_gentoo',`
 	inn_generic_log_filetrans_innd_log(syslogd_t, file, "news.crit")
 	inn_generic_log_filetrans_innd_log(syslogd_t, file, "news.err")
 	inn_generic_log_filetrans_innd_log(syslogd_t, file, "news.notice")
+	')
 ')
 
 optional_policy(`
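Review bot: Indentation inside the new `ifndef(`distro_gentoo',` block: the three `inn_generic_log_filetrans_innd_log(...)` lines stay at their old level, so the body is at the same depth as the `ifndef` itself; indent them one tab deeper, as nested blocks are elsewhere in this file. As with the cron.log change, removing the Gentoo-only `type_transition ... innd_log_t "news.crit"` at line 541 (and its news.err and news.notice siblings, if they exist) would avoid carrying a distro conditional in the core module, provided the result type matches.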



* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
  2015-12-17 16:10 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2015-12-17 18:49 ` Jason Zaman
From: Jason Zaman @ 2015-12-17 18:49 UTC (permalink / raw
  To: gentoo-commits

commit:     9823ccc9e3b0471ce9039295d50fddae02403df4
Author:     Dominick Grift <dac.override <AT> gmail <DOT> com>
AuthorDate: Thu Dec 10 11:21:25 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Dec 17 15:25:22 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9823ccc9

authlogin: remove duplicate files_list_var_lib(nsswitch_domain)

Signed-off-by: Dominick Grift <dac.override <AT> gmail.com>

 policy/modules/system/authlogin.te | 2 --
 1 file changed, 2 deletions(-)

diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index b811c8d..98ebecd 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -419,8 +419,6 @@ files_read_etc_files(nsswitch_domain)
 sysnet_dns_name_resolve(nsswitch_domain)
 
 tunable_policy(`authlogin_nsswitch_use_ldap',`
-	files_list_var_lib(nsswitch_domain)
-
 	miscfiles_read_generic_certs(nsswitch_domain)
 	sysnet_use_ldap(nsswitch_domain)
 ')
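Review bot: The removed `files_list_var_lib(nsswitch_domain)` is described as a duplicate, but the surviving call is outside the context shown; the message should point at the unconditional call so a reviewer can confirm that nsswitch_domain still lists /var/lib when `authlogin_nsswitch_use_ldap` is enabled and that the blank line left above `miscfiles_read_generic_certs` is the only remaining change.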



* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
@ 2015-12-17 18:49 Jason Zaman
From: Jason Zaman @ 2015-12-17 18:49 UTC (permalink / raw
  To: gentoo-commits

commit:     aa10eb9453c2aa407e9b68da69484e598919f1e1
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Wed Dec  9 14:40:55 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Dec 17 15:25:22 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=aa10eb94

Module version bump for systemd-user-sessions fc entry from Dominick Grift

 policy/modules/system/systemd.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index fdb9fef..1f70a93 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1,4 +1,4 @@
-policy_module(systemd, 1.1.0)
+policy_module(systemd, 1.1.1)
 
 #########################################
 #
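Review bot: The bump from 1.1.0 to 1.1.1 refers to an fc entry for systemd-user-sessions that is not part of this commit; citing the commit id of that fc change in the message would let the bump be matched to the change it accompanies.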



* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
@ 2015-12-17 18:49 Jason Zaman
From: Jason Zaman @ 2015-12-17 18:49 UTC (permalink / raw
  To: gentoo-commits

commit:     8e6b99973ad02847bd3c1c6176c2d6b8dc0be32c
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Dec 17 18:15:37 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Dec 17 18:46:19 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8e6b9997

introduce mount_rw_pipes interface

 policy/modules/system/mount.if | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
index 8a2105b..279f6d7 100644
--- a/policy/modules/system/mount.if
+++ b/policy/modules/system/mount.if
@@ -209,3 +209,23 @@ interface(`mount_rw_loopback_files',`
 
 	allow $1 mount_loopback_t:file rw_file_perms;
 ')
+
+# gentoo specific under here
+
+########################################
+## <summary>
+##	Read and write mount unnamed pipes
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mount_rw_pipes',`
+	gen_require(`
+		type mount_t;
+	')
+
+	allow $1 mount_t:fifo_file rw_fifo_file_perms;
+')
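Review bot: The new interface grants `rw_fifo_file_perms` on mount_t fifo_file but this change has no caller, so there is no way to judge whether read-write on mount's pipes is the right granularity (a domain that only consumes mount's output would need the read side only). Name the consuming domain in the commit message or add the call in the same series. The `# gentoo specific under here` marker and the summary/param/gen_require layout follow the file's existing conventions.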



* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
@ 2015-12-17 18:52 Jason Zaman
From: Jason Zaman @ 2015-12-17 18:52 UTC (permalink / raw
  To: gentoo-commits

commit:     77e1231041b150b0180a556504e30cbdcd8fdfb7
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Dec 17 18:15:37 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Dec 17 18:51:56 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=77e12310

introduce mount_rw_pipes interface

 policy/modules/system/mount.if | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
index 8a2105b..279f6d7 100644
--- a/policy/modules/system/mount.if
+++ b/policy/modules/system/mount.if
@@ -209,3 +209,23 @@ interface(`mount_rw_loopback_files',`
 
 	allow $1 mount_loopback_t:file rw_file_perms;
 ')
+
+# gentoo specific under here
+
+########################################
+## <summary>
+##	Read and write mount unnamed pipes
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mount_rw_pipes',`
+	gen_require(`
+		type mount_t;
+	')
+
+	allow $1 mount_t:fifo_file rw_fifo_file_perms;
+')



* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
  2015-12-18  4:14 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2015-12-18  4:14 ` Jason Zaman
From: Jason Zaman @ 2015-12-18  4:14 UTC (permalink / raw
  To: gentoo-commits

commit:     0460b12a0cbc61b25ebcbf20f283534cc49b98f5
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Dec 17 18:15:37 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Dec 18 04:12:29 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0460b12a

Introduce mount_rw_pipes interface

 policy/modules/system/mount.if | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
index 8a2105b..279f6d7 100644
--- a/policy/modules/system/mount.if
+++ b/policy/modules/system/mount.if
@@ -209,3 +209,23 @@ interface(`mount_rw_loopback_files',`
 
 	allow $1 mount_loopback_t:file rw_file_perms;
 ')
+
+# gentoo specific under here
+
+########################################
+## <summary>
+##	Read and write mount unnamed pipes
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mount_rw_pipes',`
+	gen_require(`
+		type mount_t;
+	')
+
+	allow $1 mount_t:fifo_file rw_fifo_file_perms;
+')
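Review bot: This is the same patch as 8e6b9997 and 77e12310 above (identical index line 8a2105b..279f6d7 and identical hunk); only the subject capitalisation and CommitDate differ, so the `next` branch was evidently rewritten twice and the earlier two commits should be treated as superseded by 0460b12a. The review point about the missing caller applies unchanged.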



* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
@ 2016-05-26 15:54 Jason Zaman
From: Jason Zaman @ 2016-05-26 15:54 UTC (permalink / raw
  To: gentoo-commits

commit:     17881c395704cfc066a765dccdd2f812053a795c
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu May 26 15:09:27 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu May 26 15:33:31 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=17881c39

userdomain: filetrans interfaces for user_runtime

 policy/modules/system/userdomain.if | 98 +++++++++++++++++++++++++++++++++++++
 1 file changed, 98 insertions(+)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 0d6d9b1..4029359 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -2753,6 +2753,104 @@ interface(`userdom_tmp_filetrans_user_tmp',`
 
 ########################################
 ## <summary>
+##	Create objects in the pid directory
+##	with an automatic type transition to
+##	the user runtime root type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	The class of the object to be created.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`userdom_pid_filetrans_user_runtime_root',`
+	gen_require(`
+		type user_runtime_root_t;
+	')
+
+	files_pid_filetrans($1, user_runtime_root_t, $2, $3)
+')
+
+########################################
+## <summary>
+##	Create objects in a user runtime
+##	directory with an automatic type
+##	transition to a specified private
+##	type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="private_type">
+##	<summary>
+##	The type of the object to create.
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	The class of the object to be created.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`userdom_user_runtime_dir_filetrans',`
+	gen_require(`
+		type user_runtime_dir_t;
+	')
+
+	filetrans_pattern($1, user_runtime_dir_t, $2, $3, $4)
+	allow $1 user_runtime_root_t:dir search_dir_perms;
+	files_search_pids($1)
+')
+
+########################################
+## <summary>
+##	Create objects in the user runtime directory
+##	with an automatic type transition to
+##	the user temporary type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	The class of the object to be created.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`userdom_user_runtime_dir_filetrans_user_tmp',`
+	gen_require(`
+		type user_tmp_t;
+	')
+
+	userdom_user_runtime_dir_filetrans($1, user_tmp_t, $2, $3)
+')
+
+########################################
+## <summary>
 ##	Read and write user tmpfs files.
 ## </summary>
 ## <param name="domain">
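Review bot: `userdom_user_runtime_dir_filetrans` uses user_runtime_root_t in `allow $1 user_runtime_root_t:dir search_dir_perms;` but its gen_require only lists `type user_runtime_dir_t;`, so a module that calls this interface without otherwise requiring user_runtime_root_t will fail to build. Change the require to `type user_runtime_root_t, user_runtime_dir_t;`. The other two interfaces in the hunk (`userdom_pid_filetrans_user_runtime_root` and `userdom_user_runtime_dir_filetrans_user_tmp`) require exactly what they use.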



* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
@ 2016-05-26 15:54 Jason Zaman
From: Jason Zaman @ 2016-05-26 15:54 UTC (permalink / raw
  To: gentoo-commits

commit:     e46ed57244089ec585dcce05d50ea3b708e55196
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu May 12 19:12:24 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu May 26 15:33:31 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e46ed572

userdomain: user_tmp requires searching /run/user

 policy/modules/system/userdomain.if | 65 +++++++++++++++++++++++++++++--------
 1 file changed, 52 insertions(+), 13 deletions(-)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 9284808..0d6d9b1 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -339,11 +339,14 @@ interface(`userdom_manage_tmp_role',`
 #
 interface(`userdom_exec_user_tmp_files',`
 	gen_require(`
-		type user_tmp_t;
+		type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
 	')
 
 	exec_files_pattern($1, user_tmp_t, user_tmp_t)
 	files_search_tmp($1)
+	allow $1 user_runtime_dir_t:dir search_dir_perms;
+	allow $1 user_runtime_root_t:dir search_dir_perms;
+	files_search_pids($1)
 ')
 
 #######################################
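Review bot: the three added lines `allow $1 user_runtime_dir_t:dir search_dir_perms;`, `allow $1 user_runtime_root_t:dir search_dir_perms;` and `files_search_pids($1)` are copied verbatim into twelve interfaces in this patch; put them in one helper interface that grants search on the user runtime directories (name to be chosen) and call it from each, so a later change is made in one place. Every user_tmp interface now also widens its caller to search /run/user and the per-user runtime directories, which deserves a sentence in the commit message since those callers asked for /tmp access only.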
@@ -2368,11 +2371,14 @@ interface(`userdom_user_home_dir_filetrans_user_home_content',`
 #
 interface(`userdom_write_user_tmp_sockets',`
 	gen_require(`
-		type user_tmp_t;
+		type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
 	')
 
 	allow $1 user_tmp_t:sock_file write_sock_file_perms;
 	files_search_tmp($1)
+	allow $1 user_runtime_dir_t:dir search_dir_perms;
+	allow $1 user_runtime_root_t:dir search_dir_perms;
+	files_search_pids($1)
 ')
 
 ########################################
@@ -2387,11 +2393,14 @@ interface(`userdom_write_user_tmp_sockets',`
 #
 interface(`userdom_list_user_tmp',`
 	gen_require(`
-		type user_tmp_t;
+		type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
 	')
 
 	allow $1 user_tmp_t:dir list_dir_perms;
+	allow $1 user_runtime_dir_t:dir list_dir_perms;
 	files_search_tmp($1)
+	allow $1 user_runtime_root_t:dir search_dir_perms;
+	files_search_pids($1)
 ')
 
 ########################################
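Review bot: `allow $1 user_runtime_dir_t:dir list_dir_perms;` grants read on the per-user runtime directory, while every other hunk in this patch grants only `search_dir_perms` on `user_runtime_dir_t`. Listing is what `userdom_list_user_tmp` promises for `user_tmp_t`, so this may be intended, but then the interface summary should state that the user runtime directory is listed as well; otherwise use `search_dir_perms` like the rest.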
@@ -2444,12 +2453,15 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
 #
 interface(`userdom_read_user_tmp_files',`
 	gen_require(`
-		type user_tmp_t;
+		type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
 	')
 
 	read_files_pattern($1, user_tmp_t, user_tmp_t)
 	allow $1 user_tmp_t:dir list_dir_perms;
 	files_search_tmp($1)
+	allow $1 user_runtime_dir_t:dir search_dir_perms;
+	allow $1 user_runtime_root_t:dir search_dir_perms;
+	files_search_pids($1)
 ')
 
 ########################################
@@ -2502,12 +2514,15 @@ interface(`userdom_dontaudit_append_user_tmp_files',`
 #
 interface(`userdom_rw_user_tmp_files',`
 	gen_require(`
-		type user_tmp_t;
+		type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
 	')
 
 	allow $1 user_tmp_t:dir list_dir_perms;
 	rw_files_pattern($1, user_tmp_t, user_tmp_t)
 	files_search_tmp($1)
+	allow $1 user_runtime_dir_t:dir search_dir_perms;
+	allow $1 user_runtime_root_t:dir search_dir_perms;
+	files_search_pids($1)
 ')
 
 ########################################
@@ -2541,12 +2556,15 @@ interface(`userdom_dontaudit_manage_user_tmp_files',`
 #
 interface(`userdom_read_user_tmp_symlinks',`
 	gen_require(`
-		type user_tmp_t;
+		type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
 	')
 
 	read_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
 	allow $1 user_tmp_t:dir list_dir_perms;
 	files_search_tmp($1)
+	allow $1 user_runtime_dir_t:dir search_dir_perms;
+	allow $1 user_runtime_root_t:dir search_dir_perms;
+	files_search_pids($1)
 ')
 
 ########################################
@@ -2562,11 +2580,14 @@ interface(`userdom_read_user_tmp_symlinks',`
 #
 interface(`userdom_manage_user_tmp_dirs',`
 	gen_require(`
-		type user_tmp_t;
+		type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
 	')
 
 	manage_dirs_pattern($1, user_tmp_t, user_tmp_t)
 	files_search_tmp($1)
+	allow $1 user_runtime_dir_t:dir search_dir_perms;
+	allow $1 user_runtime_root_t:dir search_dir_perms;
+	files_search_pids($1)
 ')
 
 ########################################
@@ -2582,11 +2603,14 @@ interface(`userdom_manage_user_tmp_dirs',`
 #
 interface(`userdom_manage_user_tmp_files',`
 	gen_require(`
-		type user_tmp_t;
+		type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
 	')
 
 	manage_files_pattern($1, user_tmp_t, user_tmp_t)
 	files_search_tmp($1)
+	allow $1 user_runtime_dir_t:dir search_dir_perms;
+	allow $1 user_runtime_root_t:dir search_dir_perms;
+	files_search_pids($1)
 ')
 
 ########################################
@@ -2602,11 +2626,14 @@ interface(`userdom_manage_user_tmp_files',`
 #
 interface(`userdom_manage_user_tmp_symlinks',`
 	gen_require(`
-		type user_tmp_t;
+		type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
 	')
 
 	manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
 	files_search_tmp($1)
+	allow $1 user_runtime_dir_t:dir search_dir_perms;
+	allow $1 user_runtime_root_t:dir search_dir_perms;
+	files_search_pids($1)
 ')
 
 ########################################
@@ -2622,11 +2649,14 @@ interface(`userdom_manage_user_tmp_symlinks',`
 #
 interface(`userdom_manage_user_tmp_pipes',`
 	gen_require(`
-		type user_tmp_t;
+		type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
 	')
 
 	manage_fifo_files_pattern($1, user_tmp_t, user_tmp_t)
 	files_search_tmp($1)
+	allow $1 user_runtime_dir_t:dir search_dir_perms;
+	allow $1 user_runtime_root_t:dir search_dir_perms;
+	files_search_pids($1)
 ')
 
 ########################################
@@ -2642,11 +2672,14 @@ interface(`userdom_manage_user_tmp_pipes',`
 #
 interface(`userdom_manage_user_tmp_sockets',`
 	gen_require(`
-		type user_tmp_t;
+		type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
 	')
 
 	manage_sock_files_pattern($1, user_tmp_t, user_tmp_t)
 	files_search_tmp($1)
+	allow $1 user_runtime_dir_t:dir search_dir_perms;
+	allow $1 user_runtime_root_t:dir search_dir_perms;
+	files_search_pids($1)
 ')
 
 ########################################
@@ -2678,11 +2711,14 @@ interface(`userdom_manage_user_tmp_sockets',`
 #
 interface(`userdom_user_tmp_filetrans',`
 	gen_require(`
-		type user_tmp_t;
+		type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
 	')
 
 	filetrans_pattern($1, user_tmp_t, $2, $3, $4)
 	files_search_tmp($1)
+	allow $1 user_runtime_dir_t:dir search_dir_perms;
+	allow $1 user_runtime_root_t:dir search_dir_perms;
+	files_search_pids($1)
 ')
 
 ########################################
@@ -3655,9 +3691,12 @@ interface(`userdom_manage_all_user_home_content',`
 #
 interface(`userdom_manage_user_tmp_chr_files',`
 	gen_require(`
-		type user_tmp_t;
+		type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
 	')
 
 	manage_chr_files_pattern($1, user_tmp_t, user_tmp_t)
 	files_search_tmp($1)
+	allow $1 user_runtime_dir_t:dir search_dir_perms;
+	allow $1 user_runtime_root_t:dir search_dir_perms;
+	files_search_pids($1)
 ')



* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
@ 2016-05-26 15:54 Jason Zaman
From: Jason Zaman @ 2016-05-26 15:54 UTC (permalink / raw
  To: gentoo-commits

commit:     c0af8525d36cdc24bd03dde87d83066657e315e2
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu May 12 16:29:31 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu May 26 15:33:31 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c0af8525

userdomain: Introduce types for /run/user

These are the types for /run/user, analogous to /home's home_root_t and
home_dir_t.

 policy/modules/system/userdomain.fc |  4 ++++
 policy/modules/system/userdomain.te | 20 ++++++++++++++++++++
 2 files changed, 24 insertions(+)

diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc
index db75976..30708ca 100644
--- a/policy/modules/system/userdomain.fc
+++ b/policy/modules/system/userdomain.fc
@@ -2,3 +2,7 @@ HOME_DIR	-d	gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
 HOME_DIR/.+		gen_context(system_u:object_r:user_home_t,s0)
 
 /tmp/gconfd-USER -d	gen_context(system_u:object_r:user_tmp_t,s0)
+
+/var/run/user		-d	gen_context(system_u:object_r:user_runtime_root_t,s0)
+/var/run/user/%{USERID}	-d	gen_context(system_u:object_r:user_runtime_dir_t,s0)
+/var/run/user/%{USERID}/.+	<<none>>
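Review bot: the `<<none>>` entry for `/var/run/user/%{USERID}/.+` means a relabel (restorecon/setfiles) leaves everything below the per-user directory untouched, so labels there come solely from the type transitions the policy defines; a comment on that line saying so, and noting that the two `-d` entries above are the only paths a relabel will set, would spare the next reader a trip to the setfiles documentation.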

diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 2a36851..c613553 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -93,3 +93,23 @@ userdom_user_home_content(user_tmpfs_t)
 type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t };
 dev_node(user_tty_device_t)
 ubac_constrained(user_tty_device_t)
+
+type user_runtime_root_t;
+fs_associate_tmpfs(user_runtime_root_t)
+files_type(user_runtime_root_t)
+files_mountpoint(user_runtime_root_t)
+files_associate_tmp(user_runtime_root_t)
+files_poly(user_runtime_root_t)
+files_poly_member(user_runtime_root_t)
+files_poly_parent(user_runtime_root_t)
+ubac_constrained(user_runtime_root_t)
+
+type user_runtime_dir_t;
+fs_associate_tmpfs(user_runtime_dir_t)
+files_type(user_runtime_dir_t)
+files_mountpoint(user_runtime_dir_t)
+files_associate_tmp(user_runtime_dir_t)
+files_poly(user_runtime_dir_t)
+files_poly_member(user_runtime_dir_t)
+files_poly_parent(user_runtime_dir_t)
+ubac_constrained(user_runtime_dir_t)
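Review bot: both new types receive `files_mountpoint` and the full set `files_poly`, `files_poly_member` and `files_poly_parent`. The commit message presents them as the /run/user analogues of `home_root_t` and `home_dir_t`; in that analogy the root directory is a parent of polyinstantiated directories, not a member of one, and the per-user directory is the member, so either trim each type's attributes to the role it actually plays or add a comment explaining why both need all three.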



* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
@ 2016-05-26 17:39 Jason Zaman
From: Jason Zaman @ 2016-05-26 17:39 UTC (permalink / raw
  To: gentoo-commits

commit:     caeaab82769e2525cde308a0101ea6542472f209
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu May 26 15:09:27 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu May 26 16:11:13 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=caeaab82

userdomain: filetrans interfaces for user_runtime

 policy/modules/system/userdomain.if | 99 +++++++++++++++++++++++++++++++++++++
 1 file changed, 99 insertions(+)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 0d6d9b1..90edc21 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -324,6 +324,7 @@ interface(`userdom_manage_tmp_role',`
 	manage_sock_files_pattern($2, user_tmp_t, user_tmp_t)
 	manage_fifo_files_pattern($2, user_tmp_t, user_tmp_t)
 	files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file })
+	userdom_user_runtime_dir_filetrans_user_tmp($2, { dir file lnk_file sock_file fifo_file })
 ')
 
 #######################################
@@ -2753,6 +2754,104 @@ interface(`userdom_tmp_filetrans_user_tmp',`
 
 ########################################
 ## <summary>
+##	Create objects in the pid directory
+##	with an automatic type transition to
+##	the user runtime root type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	The class of the object to be created.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`userdom_pid_filetrans_user_runtime_root',`
+	gen_require(`
+		type user_runtime_root_t;
+	')
+
+	files_pid_filetrans($1, user_runtime_root_t, $2, $3)
+')
+
+########################################
+## <summary>
+##	Create objects in a user runtime
+##	directory with an automatic type
+##	transition to a specified private
+##	type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="private_type">
+##	<summary>
+##	The type of the object to create.
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	The class of the object to be created.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`userdom_user_runtime_dir_filetrans',`
+	gen_require(`
+		type user_runtime_dir_t;
+	')
+
+	filetrans_pattern($1, user_runtime_dir_t, $2, $3, $4)
+	allow $1 user_runtime_root_t:dir search_dir_perms;
+	files_search_pids($1)
+')
+
+########################################
+## <summary>
+##	Create objects in the user runtime directory
+##	with an automatic type transition to
+##	the user temporary type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	The class of the object to be created.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`userdom_user_runtime_dir_filetrans_user_tmp',`
+	gen_require(`
+		type user_tmp_t;
+	')
+
+	userdom_user_runtime_dir_filetrans($1, user_tmp_t, $2, $3)
+')
+
+########################################
+## <summary>
 ##	Read and write user tmpfs files.
 ## </summary>
 ## <param name="domain">
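Review bot: `userdom_user_runtime_dir_filetrans` references `user_runtime_root_t` in `allow $1 user_runtime_root_t:dir search_dir_perms;` but its `gen_require` declares only `type user_runtime_dir_t;`; add `user_runtime_root_t` to the require. The re-sent version of this commit further down the thread, c2e01eed, does exactly that, so this version should be dropped in its favour.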



* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
@ 2016-05-26 19:28 Jason Zaman
From: Jason Zaman @ 2016-05-26 19:28 UTC (permalink / raw
  To: gentoo-commits

commit:     c2e01eedeb6884cfd367f4ca160c6b35cdcc3e38
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu May 26 15:09:27 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu May 26 18:44:57 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c2e01eed

userdomain: filetrans interfaces for user_runtime

 policy/modules/system/userdomain.if | 99 +++++++++++++++++++++++++++++++++++++
 1 file changed, 99 insertions(+)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 0d6d9b1..044bf81 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -324,6 +324,7 @@ interface(`userdom_manage_tmp_role',`
 	manage_sock_files_pattern($2, user_tmp_t, user_tmp_t)
 	manage_fifo_files_pattern($2, user_tmp_t, user_tmp_t)
 	files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file })
+	userdom_user_runtime_dir_filetrans_user_tmp($2, { dir file lnk_file sock_file fifo_file })
 ')
 
 #######################################
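Review bot: adding `userdom_user_runtime_dir_filetrans_user_tmp($2, { dir file lnk_file sock_file fifo_file })` to `userdom_manage_tmp_role` means a role that asked to manage /tmp content now also creates `user_tmp_t` objects under the per-user runtime directory; the interface's summary should name the runtime directory alongside /tmp so callers know they are granting a second location.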
@@ -2753,6 +2754,104 @@ interface(`userdom_tmp_filetrans_user_tmp',`
 
 ########################################
 ## <summary>
+##	Create objects in the pid directory
+##	with an automatic type transition to
+##	the user runtime root type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	The class of the object to be created.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`userdom_pid_filetrans_user_runtime_root',`
+	gen_require(`
+		type user_runtime_root_t;
+	')
+
+	files_pid_filetrans($1, user_runtime_root_t, $2, $3)
+')
+
+########################################
+## <summary>
+##	Create objects in a user runtime
+##	directory with an automatic type
+##	transition to a specified private
+##	type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="private_type">
+##	<summary>
+##	The type of the object to create.
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	The class of the object to be created.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`userdom_user_runtime_dir_filetrans',`
+	gen_require(`
+		type user_runtime_root_t, user_runtime_dir_t;
+	')
+
+	filetrans_pattern($1, user_runtime_dir_t, $2, $3, $4)
+	allow $1 user_runtime_root_t:dir search_dir_perms;
+	files_search_pids($1)
+')
+
+########################################
+## <summary>
+##	Create objects in the user runtime directory
+##	with an automatic type transition to
+##	the user temporary type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	The class of the object to be created.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`userdom_user_runtime_dir_filetrans_user_tmp',`
+	gen_require(`
+		type user_tmp_t;
+	')
+
+	userdom_user_runtime_dir_filetrans($1, user_tmp_t, $2, $3)
+')
+
+########################################
+## <summary>
 ##	Read and write user tmpfs files.
 ## </summary>
 ## <param name="domain">



* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
@ 2016-08-13 18:35 Jason Zaman
From: Jason Zaman @ 2016-08-13 18:35 UTC (permalink / raw
  To: gentoo-commits

commit:     f823f0571cf9bab988ac3d2fd85947b5e160c49e
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Aug  6 23:14:18 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Aug 13 18:23:03 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f823f057

Systemd units from Russell Coker.

 policy/modules/system/logging.fc     | 1 +
 policy/modules/system/logging.te     | 2 +-
 policy/modules/system/selinuxutil.fc | 1 +
 policy/modules/system/selinuxutil.te | 5 ++++-
 policy/modules/system/setrans.fc     | 2 ++
 policy/modules/system/setrans.te     | 2 +-
 6 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
index e504aec..16fd395 100644
--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
@@ -20,6 +20,7 @@
 /usr/lib/systemd/system/auditd.* -- gen_context(system_u:object_r:auditd_unit_t,s0)
 /usr/lib/systemd/system/[^/]*systemd-journal.* -- gen_context(system_u:object_r:syslogd_unit_t,s0)
 /usr/lib/systemd/systemd-journald -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+/usr/lib/systemd/system/rsyslog.*\.service -- gen_context(system_u:object_r:syslogd_unit_t,s0)
 
 /usr/sbin/klogd		--	gen_context(system_u:object_r:klogd_exec_t,s0)
 /usr/sbin/metalog	--	gen_context(system_u:object_r:syslogd_exec_t,s0)

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index d9737d0..3f3813f 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -1,4 +1,4 @@
-policy_module(logging, 1.23.2)
+policy_module(logging, 1.23.3)
 
 ########################################
 #

diff --git a/policy/modules/system/selinuxutil.fc b/policy/modules/system/selinuxutil.fc
index 8f0db04..771986f 100644
--- a/policy/modules/system/selinuxutil.fc
+++ b/policy/modules/system/selinuxutil.fc
@@ -33,6 +33,7 @@
 /usr/bin/newrole		--	gen_context(system_u:object_r:newrole_exec_t,s0)
 
 /usr/lib/selinux(/.*)?			gen_context(system_u:object_r:policy_src_t,s0)
+/usr/lib/systemd/system/restorecond.*\.service -- gen_context(system_u:object_r:restorecond_unit_t,s0)
 
 /usr/sbin/load_policy		--	gen_context(system_u:object_r:load_policy_exec_t,s0)
 /usr/sbin/restorecond		--	gen_context(system_u:object_r:restorecond_exec_t,s0)

diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 50015ad..4a100cd 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -1,4 +1,4 @@
-policy_module(selinuxutil, 1.20.1)
+policy_module(selinuxutil, 1.20.2)
 
 gen_require(`
 	bool secure_mode;
@@ -85,6 +85,9 @@ init_daemon_domain(restorecond_t, restorecond_exec_t)
 domain_obj_id_change_exemption(restorecond_t)
 role system_r types restorecond_t;
 
+type restorecond_unit_t;
+init_unit_file(restorecond_unit_t)
+
 type restorecond_var_run_t;
 files_pid_file(restorecond_var_run_t)
 

diff --git a/policy/modules/system/setrans.fc b/policy/modules/system/setrans.fc
index bea4629..094ef22 100644
--- a/policy/modules/system/setrans.fc
+++ b/policy/modules/system/setrans.fc
@@ -2,4 +2,6 @@
 
 /sbin/mcstransd		--	gen_context(system_u:object_r:setrans_exec_t,s0)
 
+/usr/lib/systemd/system/mcstrans.*\.service -- gen_context(system_u:object_r:setrans_unit_t,s0)
+
 /var/run/setrans(/.*)?		gen_context(system_u:object_r:setrans_var_run_t,mls_systemhigh)
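Review bot: the new file context references `setrans_unit_t`, but nothing in this patch declares it; `restorecond_unit_t`, by contrast, gets a `type` line plus `init_unit_file` in the selinuxutil.te hunk, while the setrans.te hunk here is only the version bump. Confirm the type already exists in setrans.te, otherwise the file-context check at build time will reject this entry.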

diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
index 386df74..216e871 100644
--- a/policy/modules/system/setrans.te
+++ b/policy/modules/system/setrans.te
@@ -1,4 +1,4 @@
-policy_module(setrans, 1.11.0)
+policy_module(setrans, 1.11.1)
 
 gen_require(`
 	class context contains;



* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
  2016-08-13 18:32 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2016-08-13 18:35 ` Jason Zaman
From: Jason Zaman @ 2016-08-13 18:35 UTC (permalink / raw
  To: gentoo-commits

commit:     6cbc3eb88900314095eff8f4f99b97e2ae9126b1
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Aug  3 00:22:06 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Aug 13 18:23:03 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6cbc3eb8

libraries: Module version bump for libsystemd fc entry from Lukas Vrabec.

 policy/modules/system/libraries.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
index 0f5cd56..965841c 100644
--- a/policy/modules/system/libraries.te
+++ b/policy/modules/system/libraries.te
@@ -1,4 +1,4 @@
-policy_module(libraries, 2.12.0)
+policy_module(libraries, 2.12.1)
 
 ########################################
 #



* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
  2016-08-13 18:32 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2016-08-13 18:35 ` Jason Zaman
From: Jason Zaman @ 2016-08-13 18:35 UTC (permalink / raw
  To: gentoo-commits

commit:     ebae10c1795bdf42caa83f6daed9b0974c83146f
Author:     Russell Coker <russell <AT> coker <DOT> com <DOT> au>
AuthorDate: Wed Aug  3 05:48:19 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Aug 13 18:23:03 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ebae10c1

getattr on unlabeled blk devs

The following has been in my tree for a few years.  It allows initrc_t to stat
devices early in the boot process.

From ad46ce856a1a780cf6c3a0bb741794019e03edc2 Mon Sep 17 00:00:00 2001
From: Dominick Grift <dominick.grift <AT> gmail.com>
Date: Sat, 9 Nov 2013 10:45:09 +0100
Subject: [PATCH] init: startpar (initrc_t) gets attributes of /dev/dm-0
 (device_t) early on boot, soon later the node context is properly reset
 (debian only) init: startpar (initrc_t) gets attributes of /proc/kcore file

Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>

 policy/modules/system/init.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 8e8c163..0d4f74a 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -568,6 +568,9 @@ userdom_read_user_home_content_files(initrc_t)
 userdom_use_user_terminals(initrc_t)
 
 ifdef(`distro_debian',`
+	kernel_getattr_core_if(initrc_t)
+
+	dev_getattr_generic_blk_files(initrc_t)
 	dev_setattr_generic_dirs(initrc_t)
 
 	fs_tmpfs_filetrans(initrc_t, initrc_var_run_t, dir)
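Review bot: the one-line title says "getattr on unlabeled blk devs", but the rule added is `dev_getattr_generic_blk_files(initrc_t)`, i.e. block device nodes still carrying the generic `device_t` label (as the embedded subject says of /dev/dm-0), not `unlabeled_t`; retitle it. `kernel_getattr_core_if(initrc_t)`, the /proc/kcore half of the embedded subject, is also absent from the title; both rules sit inside the `ifdef(`distro_debian'` block, which matches the "debian only" in the message.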



* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
@ 2016-08-17 16:59 Jason Zaman
From: Jason Zaman @ 2016-08-17 16:59 UTC (permalink / raw
  To: gentoo-commits

commit:     c90a72dc34e6db9bd4f0c6b727491abebde69bbc
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Aug 14 18:12:50 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Aug 17 16:22:44 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c90a72dc

Allow the system user domains to chat over dbus with a few other domains (e.g. gnome session).

Thanks to Jason Zaman for pointing out the correct interface to
achieve this.

This new version fixes a typographic error in the previous version.

Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>

 policy/modules/system/userdomain.if | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 9c40ce1..f0b4778 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -620,10 +620,18 @@ template(`userdom_common_user_template',`
 		dbus_system_bus_client($1_t)
 
 		optional_policy(`
+			accountsd_dbus_chat($1_t)
+		')
+
+		optional_policy(`
 			bluetooth_dbus_chat($1_t)
 		')
 
 		optional_policy(`
+			colord_dbus_chat($1_t)
+		')
+
+		optional_policy(`
 			consolekit_dbus_chat($1_t)
 		')
 
@@ -632,6 +640,11 @@ template(`userdom_common_user_template',`
 		')
 
 		optional_policy(`
+			devicekit_dbus_chat_disk($1_t)
+			devicekit_dbus_chat_power($1_t)
+		')
+
+		optional_policy(`
 			hal_dbus_chat($1_t)
 		')
 
@@ -642,6 +655,14 @@ template(`userdom_common_user_template',`
 		optional_policy(`
 			policykit_dbus_chat($1_t)
 		')
+
+		optional_policy(`
+			rtkit_daemon_dbus_chat($1_t)
+		')
+
+		optional_policy(`
+			xdm_dbus_chat($1_t)
+		')
 	')
 
 	optional_policy(`
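Review bot: `xdm_dbus_chat($1_t)` names an interface that no module provides: the xdm domain is declared by the xserver module, whose interface is `xserver_dbus_chat_xdm`. As written the unexpanded call breaks the build, which the follow-up commit 3b7b2910 ("userdomain: Fix compile errors") further down this thread corrects. Also worth stating in the message: every `*_dbus_chat` call added here grants message sending in both directions between the user domain and the service, so each addition should correspond to an exchange the service actually initiates.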



* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
@ 2016-08-17 16:59 Jason Zaman
From: Jason Zaman @ 2016-08-17 16:59 UTC (permalink / raw
  To: gentoo-commits

commit:     30f16ad46a5a5ecbfd2bad13462b1cb14852057b
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Aug 14 18:52:32 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Aug 17 16:22:44 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=30f16ad4

Remove redundant libs_read_lib_files() for ifconfig_t.

 policy/modules/system/sysnetwork.te | 2 --
 1 file changed, 2 deletions(-)

diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 59541ff..2258f90 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -327,8 +327,6 @@ files_dontaudit_read_root_files(ifconfig_t)
 init_use_fds(ifconfig_t)
 init_use_script_ptys(ifconfig_t)
 
-libs_read_lib_files(ifconfig_t)
-
 logging_send_syslog_msg(ifconfig_t)
 
 miscfiles_read_localization(ifconfig_t)
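Review bot: the commit message calls `libs_read_lib_files(ifconfig_t)` redundant but does not say which rule now covers it; naming the covering interface (or the domain-wide rule) would let a reader verify the removal without diffing the whole module. The preceding commit in this series, b1ab644a, explicitly wanted ifconfig to read firmware files under /lib, so the removal should be checked against that requirement.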



* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
@ 2016-08-17 16:59 Jason Zaman
From: Jason Zaman @ 2016-08-17 16:59 UTC (permalink / raw
  To: gentoo-commits

commit:     814a47ac343732aacb70ae6440c3f5b4a4f479f6
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Aug 14 18:51:42 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Aug 17 16:22:44 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=814a47ac

Update the sysnetwork module to add some permissions needed by the dhcp client (another separate patch makes changes to the ifconfig part).

Create auxiliary interfaces in the ntp module.

The permission to execute restorecon/setfiles (required by the
dhclient-script script and granted in a previous version of this
patch) is not granted, as it does not break the script functioning.

Include revisions from Chris PeBenito.

Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>

 policy/modules/system/sysnetwork.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 287d2fd..c67494e 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -130,9 +130,11 @@ files_search_home(dhcpc_t)
 files_search_var_lib(dhcpc_t)
 files_dontaudit_search_locks(dhcpc_t)
 files_getattr_generic_locks(dhcpc_t)
+files_manage_var_files(dhcpc_t)
 
 fs_getattr_all_fs(dhcpc_t)
 fs_search_auto_mountpoints(dhcpc_t)
+fs_search_cgroup_dirs(dhcpc_t)
 
 term_dontaudit_use_all_ttys(dhcpc_t)
 term_dontaudit_use_all_ptys(dhcpc_t)
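Review bot: `files_manage_var_files(dhcpc_t)` lets the DHCP client create, write and delete every generic `var_t` file, which is a wide grant for a daemon that parses network-supplied data, and the commit message does not say which file under /var it needs. Prefer a dedicated type for that file, or at least record the path so the grant can be narrowed later; `fs_search_cgroup_dirs(dhcpc_t)` is fine.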
@@ -227,6 +229,7 @@ optional_policy(`
 optional_policy(`
 	ntp_initrc_domtrans(dhcpc_t)
 	ntp_read_drift_files(dhcpc_t)
+	ntp_read_conf_files(dhcpc_t)
 ')
 
 optional_policy(`



* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
@ 2016-08-17 16:59 Jason Zaman
From: Jason Zaman @ 2016-08-17 16:59 UTC (permalink / raw
  To: gentoo-commits

commit:     b1ab644ac721bca04de70d98abb9aa060e1539e4
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Aug 14 18:52:07 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Aug 17 16:22:44 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b1ab644a

Ifconfig should be able to read firmware files in /lib (i.e. some network cards need to load their firmware) and it should not audit attempts to load kernel modules directly.

Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>

 policy/modules/system/sysnetwork.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index c67494e..59541ff 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -267,6 +267,7 @@ optional_policy(`
 #
 
 allow ifconfig_t self:capability { net_raw net_admin sys_admin sys_tty_config };
+dontaudit ifconfig_t self:capability sys_module;
 allow ifconfig_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
 allow ifconfig_t self:fd use;
 allow ifconfig_t self:fifo_file rw_fifo_file_perms;
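Review bot: the commit message says ifconfig should be able to read firmware files in /lib, but the only change is `dontaudit ifconfig_t self:capability sys_module;`; the read rule is not in this diff, and the next commit in the series, 30f16ad4, removes `libs_read_lib_files(ifconfig_t)` as redundant. Either trim the message to the dontaudit or say where the firmware read access comes from. Using dontaudit rather than allow for `sys_module` is the right call: ifconfig should not be loading modules itself, and silencing the denial only keeps the audit log clean.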



* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
  2016-08-17 16:59 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2016-08-17 16:59 ` Jason Zaman
From: Jason Zaman @ 2016-08-17 16:59 UTC (permalink / raw
  To: gentoo-commits

commit:     3b7b2910b3018c9b47e4b6c8463a2bb0abc903ae
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Aug 14 20:08:12 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Aug 17 16:22:44 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3b7b2910

userdomain: Fix compile errors.

 policy/modules/system/userdomain.if | 2 +-
 policy/modules/system/userdomain.te | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 534a249..f22ef9b 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -661,7 +661,7 @@ template(`userdom_common_user_template',`
 		')
 
 		optional_policy(`
-			xdm_dbus_chat($1_t)
+			xserver_dbus_chat_xdm($1_t)
 		')
 	')
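Review bot: the commit message "Fix compile errors" should name the interface that moved, since the one-line rename from xdm_dbus_chat($1_t) to xserver_dbus_chat_xdm($1_t) is the entire fix and a downstream module hitting the same undefined-interface build error will want to find this commit by that name. Because the call sits inside optional_policy, a build without the xserver module still succeeds silently, which is the intended behaviour here.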
 

diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index b6b6d15..9136d6b 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -1,4 +1,4 @@
-policy_module(userdomain, 4.11.4)
+policy_module(userdomain, 4.11.5)
 
 ########################################
 #



* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
@ 2016-10-03  6:26 Jason Zaman
From: Jason Zaman @ 2016-10-03  6:26 UTC
  To: gentoo-commits

commit:     90909b138975c956acff4d6d6abcd63003ed5b3b
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Thu Sep  8 23:17:31 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Oct  3 06:04:21 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=90909b13

Additional change from Guido Trentalancia related to evolution.

 policy/modules/system/userdomain.if | 22 ++++++++++++++++++++++
 policy/modules/system/userdomain.te |  2 +-
 2 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index e6e434a..bf78a2b 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -2421,6 +2421,28 @@ interface(`userdom_read_user_certs',`
 
 ########################################
 ## <summary>
+##	Do not audit attempts to manage
+##	the user SSL certificates.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`userdom_dontaudit_manage_user_certs',`
+	gen_require(`
+		type user_cert_t;
+	')
+
+	dontaudit $1 user_cert_t:dir manage_dir_perms;
+	dontaudit $1 user_cert_t:file manage_file_perms;
+	dontaudit $1 user_cert_t:lnk_file manage_file_perms;
+')
+
+########################################
+## <summary>
 ##	Manage user SSL certificates.
 ## </summary>
 ## <param name="domain">
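Review bot: the lnk_file rule in the new userdom_dontaudit_manage_user_certs() uses manage_file_perms where the refpolicy convention (matching the manage_lnk_files_pattern used elsewhere in this thread) is manage_lnk_file_perms: `dontaudit $1 user_cert_t:lnk_file manage_lnk_file_perms;`. The `<rolecap/>` tag is also out of place on a dontaudit interface, which grants no capability to any role; drop it so the generated documentation does not list this as a role capability.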

diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index b44dd5d..c9774a1 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -1,4 +1,4 @@
-policy_module(userdomain, 4.11.6)
+policy_module(userdomain, 4.11.7)
 
 ########################################
 #



* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
@ 2016-10-03  6:26 Jason Zaman
From: Jason Zaman @ 2016-10-03  6:26 UTC
  To: gentoo-commits

commit:     e057adebff1c29e23b319ea8adf5336b102bca64
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Sep 18 20:41:47 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Oct  3 06:04:21 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e057adeb

Module version bump for selinuxutil fix from Jason Zaman.

 policy/modules/system/selinuxutil.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 98d7840..e162290 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -1,4 +1,4 @@
-policy_module(selinuxutil, 1.20.2)
+policy_module(selinuxutil, 1.20.3)
 
 gen_require(`
 	bool secure_mode;



* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
@ 2016-10-03  6:26 Jason Zaman
From: Jason Zaman @ 2016-10-03  6:26 UTC
  To: gentoo-commits

commit:     c7941d5608f8aadd8be1cdda6abff4084b2e094e
Author:     Jason Zaman via refpolicy <refpolicy <AT> oss <DOT> tresys <DOT> com>
AuthorDate: Sun Sep 18 06:38:31 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Oct  3 06:04:21 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c7941d56

selinuxutil: allow setfiles to read semanage store

commit a7334eb0de98af11ec38b6263536fa01bc2a606c
libsemanage: validate and compile file contexts before installing

validates the fcontexts when they are still in /var/lib/selinux. Without
setfiles_t having access to read the files, validation fails and the
policy cannot be updated.

 policy/modules/system/selinuxutil.if | 23 +++++++++++++++++++++++
 policy/modules/system/selinuxutil.te |  1 +
 2 files changed, 24 insertions(+)

diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
index b4c70a3..a8221f0 100644
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
@@ -1107,6 +1107,29 @@ interface(`seutil_run_semanage',`
 
 ########################################
 ## <summary>
+##	Read the semanage module store.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`seutil_read_module_store',`
+	gen_require(`
+		type selinux_config_t, semanage_store_t;
+	')
+
+	files_search_etc($1)
+	files_search_var($1)
+	list_dirs_pattern($1, selinux_config_t, semanage_store_t)
+	list_dirs_pattern($1, semanage_store_t, semanage_store_t)
+	read_files_pattern($1, semanage_store_t, semanage_store_t)
+	read_lnk_files_pattern($1, semanage_store_t, semanage_store_t)
+')
+
+########################################
+## <summary>
 ##	Full management of the semanage
 ##	module store.
 ## </summary>
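Review bot: the summary "Read the semanage module store" undersells what the body covers: files_search_etc($1) plus list_dirs_pattern($1, selinux_config_t, semanage_store_t) reach the store through the /etc/selinux tree as well as through /var/lib/selinux (files_search_var), so spell both locations out in the summary so callers know why the etc search is needed. The permission set is correctly read-only (list, read, read_lnk; no write or setattr), which is the least-privilege shape needed for setfiles_t to validate file contexts as the commit message describes.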

diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 4a100cd..98d7840 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -597,6 +597,7 @@ logging_send_syslog_msg(setfiles_t)
 miscfiles_read_localization(setfiles_t)
 
 seutil_libselinux_linked(setfiles_t)
+seutil_read_module_store(setfiles_t)
 
 userdom_use_all_users_fds(setfiles_t)
 # for config files in a home directory
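Review bot: policy_module(selinuxutil, ...) is not bumped in the same commit as the new seutil_read_module_store(setfiles_t) call; the bump arrives separately in commit e057adeb above, which leaves an intermediate revision whose module version does not reflect its content. Fold the version bump into the commit that changes the module.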



* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
@ 2016-10-24 15:44 Jason Zaman
From: Jason Zaman @ 2016-10-24 15:44 UTC
  To: gentoo-commits

commit:     9cb0a2815f7612f77003747262f8b32e52a072aa
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun Oct  9 05:08:41 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Oct  9 05:41:23 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9cb0a281

DO NOT MERGE. sync user_cert_t cert_home_t with upstream

Need to upstream userdom_user_home_dir_filetrans_user_cert interface

 policy/modules/system/miscfiles.fc  |  2 --
 policy/modules/system/miscfiles.if  | 46 ++++---------------------------------
 policy/modules/system/miscfiles.te  |  7 ------
 policy/modules/system/userdomain.if | 33 +++++++++++++++++++++++---
 policy/modules/system/userdomain.te |  2 +-
 5 files changed, 36 insertions(+), 54 deletions(-)

diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
index be0b6a1..42ac30b 100644
--- a/policy/modules/system/miscfiles.fc
+++ b/policy/modules/system/miscfiles.fc
@@ -103,8 +103,6 @@ ifdef(`distro_redhat',`
 /var/spool/postfix/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
 ')
 
-HOME_DIR/.pki(/.*)?		gen_context(system_u:object_r:cert_home_t,s0)
-
 ifdef(`distro_gentoo',`
 /etc/fonts(/.*)?	gen_context(system_u:object_r:fonts_t,s0)
 ')
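Review bot: no replacement context for user_cert_t accompanies the removal of the `HOME_DIR/.pki(/.*)?` line, so after a relabel those directories get whatever the generic HOME_DIR rules assign and the user_cert_t rules added elsewhere in this patch never apply to them. If the upstream sync this mirrors carries an equivalent entry in another .fc file, say so in the commit message; otherwise the line should move rather than disappear.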

diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
index 63ed47f..d89c7c0 100644
--- a/policy/modules/system/miscfiles.if
+++ b/policy/modules/system/miscfiles.if
@@ -97,15 +97,8 @@ interface(`miscfiles_read_generic_certs',`
 ## </param>
 #
 interface(`miscfiles_manage_user_certs',`
-	gen_require(`
-		type cert_home_t;
-	')
-
-	manage_dirs_pattern($1, cert_home_t, cert_home_t)
-	manage_files_pattern($1, cert_home_t, cert_home_t)
-	manage_lnk_files_pattern($1, cert_home_t, cert_home_t)
-
-	userdom_search_user_home_dirs($1)
+	userdom_manage_user_certs($1)
+	refpolicywarn(`$0() has been deprecated, please use userdom_manage_user_certs() instead.')
 ')
 
 ########################################
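Review bot: the deprecated miscfiles_manage_user_certs() body drops the explicit userdom_search_user_home_dirs($1) call and relies on userdom_manage_user_certs($1) to provide the same home-directory search access, which this diff does not show; please confirm the new interface includes it or keep the search call in the shim. The refpolicywarn() plus delegation form itself is the right way to retire the interface.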
@@ -213,35 +206,6 @@ interface(`miscfiles_manage_cert_files',`
 
 ########################################
 ## <summary>
-##	Automatically use the cert_home_t label for selected resources created
-##	in a users home directory
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access
-##	</summary>
-## </param>
-## <param name="class">
-##	<summary>
-##	Resource type(s) for which the label should be used
-##	</summary>
-## </param>
-## <param name="filename" optional="true">
-##	<summary>
-##	Name of the resource that is being created
-##	</summary>
-## </param>
-#
-interface(`miscfiles_user_home_dir_filetrans_cert_home',`
-	gen_require(`
-		type cert_home_t;
-	')
-
-	userdom_user_home_dir_filetrans($1, cert_home_t, $2, $3)
-')
-
-########################################
-## <summary>
 ##	Read fonts.
 ## </summary>
 ## <param name="domain">
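Review bot: miscfiles_user_home_dir_filetrans_cert_home() is deleted outright while miscfiles_manage_user_certs() in the previous hunk receives a deprecation shim, so third-party modules calling the filetrans interface will fail to build instead of getting a warning. For consistency, keep a shim that calls userdom_user_home_dir_filetrans_user_cert($1, $2, $3) (added later in this same patch) together with a refpolicywarn().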
@@ -823,8 +787,7 @@ interface(`miscfiles_read_test_files',`
 
 ########################################
 ## <summary>
-##	Create files in etc directories
-##	with localization file type.
+##	Execute test files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
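Review bot: the summary swap between the miscfiles_read_test_files / miscfiles_exec_test_files blocks in this and the following hunk is a documentation fix unrelated to the cert_home_t to user_cert_t migration; in a commit already marked DO NOT MERGE it should be split out so the doc fix can land on its own, as it later does in commit 45d45937.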
@@ -843,7 +806,8 @@ interface(`miscfiles_exec_test_files',`
 
 ########################################
 ## <summary>
-##	Execute test files.
+##	Create files in etc directories
+##	with localization file type.
 ## </summary>
 ## <param name="domain">
 ##	<summary>

diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te
index 246ac6a..85a29e3 100644
--- a/policy/modules/system/miscfiles.te
+++ b/policy/modules/system/miscfiles.te
@@ -14,13 +14,6 @@ type cert_t;
 miscfiles_cert_type(cert_t)
 
 #
-# cert_home_t is the type of files in the users' home directories.
-#
-type cert_home_t;
-miscfiles_cert_type(cert_home_t)
-userdom_user_home_content(cert_home_t)
-
-#
 # fonts_t is the type of various font
 # files in /usr
 #
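Review bot: deleting `miscfiles_cert_type(cert_home_t)` without adding miscfiles_cert_type(user_cert_t) anywhere in this patch means user_cert_t is no longer a cert_type, so any domain that reads certificates through the cert_type attribute rather than the specific type silently loses access to the user's ~/.pki material. The userdomain.te hunk below only applies userdom_user_home_content(user_cert_t); either add the attribute there or state in the message why user certificates are intentionally dropped from it.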

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index bf78a2b..70d39d9 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -272,9 +272,6 @@ interface(`userdom_manage_home_role',`
 	')
 
 	ifdef(`distro_gentoo',`
-		miscfiles_manage_user_certs($2)
-		miscfiles_relabel_user_certs($2)
-
 		optional_policy(`
 			flash_manage_home($2)
 			flash_relabel_home($2)
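Review bot: the ifdef(`distro_gentoo') block in userdom_manage_home_role() loses miscfiles_manage_user_certs($2) and miscfiles_relabel_user_certs($2) with no replacement call in this hunk, so user roles no longer get manage or relabel rights on their own certificate directories unless the upstream template grants them elsewhere. If that is the case, say so in the commit message; otherwise substitute userdom_manage_user_certs($2) and a relabel equivalent here.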
@@ -2464,6 +2461,36 @@ interface(`userdom_manage_user_certs',`
 
 ########################################
 ## <summary>
+##	Automatically use the user_cert_t label for
+##	selected resources created in a users home
+##	directory
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+## <param name="class">
+##	<summary>
+##	Resource type(s) for which the label should be used
+##	</summary>
+## </param>
+## <param name="filename" optional="true">
+##	<summary>
+##	Name of the resource that is being created
+##	</summary>
+## </param>
+#
+interface(`userdom_user_home_dir_filetrans_user_cert',`
+	gen_require(`
+		type user_cert_t;
+	')
+
+	userdom_user_home_dir_filetrans($1, user_cert_t, $2, $3)
+')
+
+########################################
+## <summary>
 ##	Write to user temporary named sockets.
 ## </summary>
 ## <param name="domain">

diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index c9774a1..ad9dd88 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -93,7 +93,7 @@ files_associate_tmp(user_home_t)
 files_poly_parent(user_home_t)
 files_mountpoint(user_home_t)
 
-type user_cert_t;
+type user_cert_t alias cert_home_t;
 userdom_user_home_content(user_cert_t)
 
 type user_devpts_t alias { staff_devpts_t sysadm_devpts_t secadm_devpts_t auditadm_devpts_t unconfined_devpts_t };
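Review bot: `type user_cert_t alias cert_home_t;` replaces the upstream declaration in place in the shared userdomain.te, so the Gentoo-only alias will surface as a conflict on every upstream sync of this file; keeping the original `type user_cert_t;` line and adding the alias inside an ifdef(`distro_gentoo') block keeps the local diff against upstream additive, which is what the commit message's "sync with upstream" intent needs.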



* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
  2016-10-24 15:45 [gentoo-commits] proj/hardened-refpolicy:swift " Sven Vermeulen
@ 2016-10-24 16:03 ` Sven Vermeulen
From: Sven Vermeulen @ 2016-10-24 16:03 UTC
  To: gentoo-commits

commit:     385048b24a6639c4a51573409f2b4c42692827b3
Author:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
AuthorDate: Sat Oct 10 12:08:03 2015 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 24 15:45:30 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=385048b2

Manage tun/tap interfaces

We need the relabelfrom/relabelto rights, otherwise tun/tap interface
activities fail:

~# tunctl -d tap0
TUNSETIFF: Permission denied

 policy/modules/system/userdomain.if | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index bf78a2b..1572b51 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1300,6 +1300,9 @@ template(`userdom_admin_user_template',`
 		seutil_relabelto_bin_policy($1_t)
 		# allow to manage chr_files in user_tmp (for initrd's)
 		userdom_manage_user_tmp_chr_files($1_t)
+		# allow managing tun/tap interfaces (labeling)
+		# without this operations such as tunctl -d tap0 result in a TUNSETIFF: Device or resource busy
+		allow $1_t self:tun_socket { relabelfrom relabelto };
 	')
 ')
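Review bot: the comment on the second added line says the failure is "TUNSETIFF: Device or resource busy" while the commit message reproduces "TUNSETIFF: Permission denied", which is the error an SELinux denial actually produces; make the comment match the message so the next reader searching logs looks for the right string, and wrap it to the column width of the surrounding lines. Scoping `allow $1_t self:tun_socket { relabelfrom relabelto };` to userdom_admin_user_template rather than the common user template is appropriate, since only admin users should be managing tun/tap devices.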
 



* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
@ 2016-10-24 16:03 Sven Vermeulen
From: Sven Vermeulen @ 2016-10-24 16:03 UTC
  To: gentoo-commits

commit:     975c23d83a8f52c93dffdfd7899bfb561769e711
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun Oct  9 05:08:41 2016 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 24 16:02:52 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=975c23d8

DO NOT MERGE. sync user_cert_t cert_home_t with upstream

Need to upstream userdom_user_home_dir_filetrans_user_cert interface

 policy/modules/system/miscfiles.fc  |  2 --
 policy/modules/system/miscfiles.if  | 46 ++++---------------------------------
 policy/modules/system/miscfiles.te  |  7 ------
 policy/modules/system/userdomain.if | 33 +++++++++++++++++++++++---
 policy/modules/system/userdomain.te |  2 +-
 5 files changed, 36 insertions(+), 54 deletions(-)

diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
index be0b6a1..42ac30b 100644
--- a/policy/modules/system/miscfiles.fc
+++ b/policy/modules/system/miscfiles.fc
@@ -103,8 +103,6 @@ ifdef(`distro_redhat',`
 /var/spool/postfix/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
 ')
 
-HOME_DIR/.pki(/.*)?		gen_context(system_u:object_r:cert_home_t,s0)
-
 ifdef(`distro_gentoo',`
 /etc/fonts(/.*)?	gen_context(system_u:object_r:fonts_t,s0)
 ')
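Review bot: this hunk repeats the removal of the `HOME_DIR/.pki(/.*)?` context from commit 9cb0a281 above (this commit re-applies that DO NOT MERGE patch on a newer userdomain.if base) and again adds no replacement context for user_cert_t, so ~/.pki ends up without the certificate label after a relabel; a user_cert_t equivalent of that line is needed somewhere in the tree before this is merged.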

diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
index 63ed47f..d89c7c0 100644
--- a/policy/modules/system/miscfiles.if
+++ b/policy/modules/system/miscfiles.if
@@ -97,15 +97,8 @@ interface(`miscfiles_read_generic_certs',`
 ## </param>
 #
 interface(`miscfiles_manage_user_certs',`
-	gen_require(`
-		type cert_home_t;
-	')
-
-	manage_dirs_pattern($1, cert_home_t, cert_home_t)
-	manage_files_pattern($1, cert_home_t, cert_home_t)
-	manage_lnk_files_pattern($1, cert_home_t, cert_home_t)
-
-	userdom_search_user_home_dirs($1)
+	userdom_manage_user_certs($1)
+	refpolicywarn(`$0() has been deprecated, please use userdom_manage_user_certs() instead.')
 ')
 
 ########################################
@@ -213,35 +206,6 @@ interface(`miscfiles_manage_cert_files',`
 
 ########################################
 ## <summary>
-##	Automatically use the cert_home_t label for selected resources created
-##	in a users home directory
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access
-##	</summary>
-## </param>
-## <param name="class">
-##	<summary>
-##	Resource type(s) for which the label should be used
-##	</summary>
-## </param>
-## <param name="filename" optional="true">
-##	<summary>
-##	Name of the resource that is being created
-##	</summary>
-## </param>
-#
-interface(`miscfiles_user_home_dir_filetrans_cert_home',`
-	gen_require(`
-		type cert_home_t;
-	')
-
-	userdom_user_home_dir_filetrans($1, cert_home_t, $2, $3)
-')
-
-########################################
-## <summary>
 ##	Read fonts.
 ## </summary>
 ## <param name="domain">
@@ -823,8 +787,7 @@ interface(`miscfiles_read_test_files',`
 
 ########################################
 ## <summary>
-##	Create files in etc directories
-##	with localization file type.
+##	Execute test files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -843,7 +806,8 @@ interface(`miscfiles_exec_test_files',`
 
 ########################################
 ## <summary>
-##	Execute test files.
+##	Create files in etc directories
+##	with localization file type.
 ## </summary>
 ## <param name="domain">
 ##	<summary>

diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te
index 246ac6a..85a29e3 100644
--- a/policy/modules/system/miscfiles.te
+++ b/policy/modules/system/miscfiles.te
@@ -14,13 +14,6 @@ type cert_t;
 miscfiles_cert_type(cert_t)
 
 #
-# cert_home_t is the type of files in the users' home directories.
-#
-type cert_home_t;
-miscfiles_cert_type(cert_home_t)
-userdom_user_home_content(cert_home_t)
-
-#
 # fonts_t is the type of various font
 # files in /usr
 #
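Review bot: as in the earlier copy of this patch, `miscfiles_cert_type(cert_home_t)` is dropped here while the userdomain.te hunk below only applies userdom_user_home_content(user_cert_t), so user_cert_t is left out of the cert_type attribute and attribute-based certificate readers lose access to user certificates.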

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 1572b51..d2b1df0 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -272,9 +272,6 @@ interface(`userdom_manage_home_role',`
 	')
 
 	ifdef(`distro_gentoo',`
-		miscfiles_manage_user_certs($2)
-		miscfiles_relabel_user_certs($2)
-
 		optional_policy(`
 			flash_manage_home($2)
 			flash_relabel_home($2)
@@ -2467,6 +2464,36 @@ interface(`userdom_manage_user_certs',`
 
 ########################################
 ## <summary>
+##	Automatically use the user_cert_t label for
+##	selected resources created in a users home
+##	directory
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+## <param name="class">
+##	<summary>
+##	Resource type(s) for which the label should be used
+##	</summary>
+## </param>
+## <param name="filename" optional="true">
+##	<summary>
+##	Name of the resource that is being created
+##	</summary>
+## </param>
+#
+interface(`userdom_user_home_dir_filetrans_user_cert',`
+	gen_require(`
+		type user_cert_t;
+	')
+
+	userdom_user_home_dir_filetrans($1, user_cert_t, $2, $3)
+')
+
+########################################
+## <summary>
 ##	Write to user temporary named sockets.
 ## </summary>
 ## <param name="domain">

diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 0b0eb60..b590d64 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -93,7 +93,7 @@ files_associate_tmp(user_home_t)
 files_poly_parent(user_home_t)
 files_mountpoint(user_home_t)
 
-type user_cert_t;
+type user_cert_t alias cert_home_t;
 userdom_user_home_content(user_cert_t)
 
 type user_devpts_t alias { staff_devpts_t sysadm_devpts_t secadm_devpts_t auditadm_devpts_t unconfined_devpts_t };



* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
  2016-10-24 16:56 [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
@ 2016-10-24 17:13 ` Sven Vermeulen
From: Sven Vermeulen @ 2016-10-24 17:13 UTC
  To: gentoo-commits

commit:     7802f6b2a69eefd11feb78859d2feb58be59a99b
Author:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
AuthorDate: Mon Oct 24 16:41:27 2016 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 24 16:41:27 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7802f6b2

Switch from cert_home_t to user_cert_t

The type for user home certificate directories (and files) is
user_cert_t. Remove all references to its code, and instead use the new
type.

Keep an alias at hand for third party SELinux policy modules though.

 policy/modules/system/miscfiles.fc  |  2 --
 policy/modules/system/miscfiles.if  | 40 ++-----------------------------------
 policy/modules/system/miscfiles.te  |  7 -------
 policy/modules/system/userdomain.if |  2 --
 policy/modules/system/userdomain.te |  7 +++++++
 5 files changed, 9 insertions(+), 49 deletions(-)

diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
index be0b6a1..42ac30b 100644
--- a/policy/modules/system/miscfiles.fc
+++ b/policy/modules/system/miscfiles.fc
@@ -103,8 +103,6 @@ ifdef(`distro_redhat',`
 /var/spool/postfix/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
 ')
 
-HOME_DIR/.pki(/.*)?		gen_context(system_u:object_r:cert_home_t,s0)
-
 ifdef(`distro_gentoo',`
 /etc/fonts(/.*)?	gen_context(system_u:object_r:fonts_t,s0)
 ')
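Review bot: this is the commit meant to merge, and it still removes the `HOME_DIR/.pki(/.*)?` context without adding a user_cert_t replacement; the message says "instead use the new type", yet no file context in this diff assigns user_cert_t to anything, so a restorecon of a home directory will strip the certificate label from ~/.pki. Add the HOME_DIR/.pki line back with gen_context(system_u:object_r:user_cert_t,s0) in whichever .fc file owns user home contexts.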

diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
index 63ed47f..93e6acb 100644
--- a/policy/modules/system/miscfiles.if
+++ b/policy/modules/system/miscfiles.if
@@ -97,15 +97,8 @@ interface(`miscfiles_read_generic_certs',`
 ## </param>
 #
 interface(`miscfiles_manage_user_certs',`
-	gen_require(`
-		type cert_home_t;
-	')
-
-	manage_dirs_pattern($1, cert_home_t, cert_home_t)
-	manage_files_pattern($1, cert_home_t, cert_home_t)
-	manage_lnk_files_pattern($1, cert_home_t, cert_home_t)
-
-	userdom_search_user_home_dirs($1)
+	userdom_manage_user_certs($1)
+	refpolicywarn(`$0() has been deprecated, please use userdom_manage_user_certs() instead.')
 ')
 
 ########################################
@@ -213,35 +206,6 @@ interface(`miscfiles_manage_cert_files',`
 
 ########################################
 ## <summary>
-##	Automatically use the cert_home_t label for selected resources created
-##	in a users home directory
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access
-##	</summary>
-## </param>
-## <param name="class">
-##	<summary>
-##	Resource type(s) for which the label should be used
-##	</summary>
-## </param>
-## <param name="filename" optional="true">
-##	<summary>
-##	Name of the resource that is being created
-##	</summary>
-## </param>
-#
-interface(`miscfiles_user_home_dir_filetrans_cert_home',`
-	gen_require(`
-		type cert_home_t;
-	')
-
-	userdom_user_home_dir_filetrans($1, cert_home_t, $2, $3)
-')
-
-########################################
-## <summary>
 ##	Read fonts.
 ## </summary>
 ## <param name="domain">
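Review bot: miscfiles_user_home_dir_filetrans_cert_home() is removed without the deprecation shim that miscfiles_manage_user_certs() receives in the previous hunk, which contradicts the commit message's stated goal of keeping third-party modules building; a shim delegating to userdom_user_home_dir_filetrans_user_cert($1, $2, $3), introduced in commit 64da9c74, with a refpolicywarn() would keep that promise.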

diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te
index 246ac6a..85a29e3 100644
--- a/policy/modules/system/miscfiles.te
+++ b/policy/modules/system/miscfiles.te
@@ -14,13 +14,6 @@ type cert_t;
 miscfiles_cert_type(cert_t)
 
 #
-# cert_home_t is the type of files in the users' home directories.
-#
-type cert_home_t;
-miscfiles_cert_type(cert_home_t)
-userdom_user_home_content(cert_home_t)
-
-#
 # fonts_t is the type of various font
 # files in /usr
 #
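Review bot: removing `miscfiles_cert_type(cert_home_t)` with no miscfiles_cert_type(user_cert_t) added elsewhere in this commit drops user certificates from the cert_type attribute; domains relying on the attribute to read certificates silently lose access to ~/.pki, and the alias added in userdomain.te does not restore attribute membership. Either apply the attribute to user_cert_t or state in the message that user certificates are intentionally no longer cert_type.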

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 7c0d914..879ab82 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -272,8 +272,6 @@ interface(`userdom_manage_home_role',`
 	')
 
 	ifdef(`distro_gentoo',`
-		miscfiles_manage_user_certs($2)
-		miscfiles_relabel_user_certs($2)
 
 		optional_policy(`
 			flash_manage_home($2)
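Review bot: no userdom_manage_user_certs($2) / userdom_relabel_user_certs($2) replacement accompanies the removal of the two miscfiles_*_user_certs($2) calls, so Gentoo user roles lose management of their certificate directories unless upstream's template already grants it; the commit message should state which. The removal also leaves the ifdef(`distro_gentoo') block opening with a stray blank line (the remaining context line directly after the ifdef), which should go too.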

diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 0b0eb60..94b068e 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -128,3 +128,10 @@ files_poly(user_runtime_t)
 files_poly_member(user_runtime_t)
 files_poly_parent(user_runtime_t)
 ubac_constrained(user_runtime_t)
+
+ifdef(`distro_gentoo',`
+	# We used to use cert_home_t but an upstream commit introduced the same
+	# concept as user_cert_t. Enabling an alias to keep custom modules from
+	# users running.
+	type user_cert_t alias cert_home_t;
+')
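Review bot: user_cert_t is already declared earlier in userdomain.te (`type user_cert_t;`, the line the DO NOT MERGE patches above modified in place), so the new `type user_cert_t alias cert_home_t;` inside ifdef(`distro_gentoo') is a second declaration of the same type; the construct for attaching an alias to an existing type is `typealias user_cert_t alias cert_home_t;`, which keeps the declaration single and the Gentoo block purely additive.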



* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
  2016-10-24 16:56 [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
@ 2016-10-24 17:13 ` Sven Vermeulen
From: Sven Vermeulen @ 2016-10-24 17:13 UTC
  To: gentoo-commits

commit:     45d45937e484dfec4a7abcf67dc1d95d2fb267f2
Author:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
AuthorDate: Mon Oct 24 16:45:01 2016 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 24 16:45:01 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=45d45937

Swap documentation for two interfaces

 policy/modules/system/miscfiles.if | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
index 93e6acb..d89c7c0 100644
--- a/policy/modules/system/miscfiles.if
+++ b/policy/modules/system/miscfiles.if
@@ -787,8 +787,7 @@ interface(`miscfiles_read_test_files',`
 
 ########################################
 ## <summary>
-##	Create files in etc directories
-##	with localization file type.
+##	Execute test files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -807,7 +806,8 @@ interface(`miscfiles_exec_test_files',`
 
 ########################################
 ## <summary>
-##	Execute test files.
+##	Create files in etc directories
+##	with localization file type.
 ## </summary>
 ## <param name="domain">
 ##	<summary>



* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
  2016-10-24 16:56 [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
@ 2016-10-24 17:13 ` Sven Vermeulen
From: Sven Vermeulen @ 2016-10-24 17:13 UTC
  To: gentoo-commits

commit:     d95d8f98194fb82bcd0afba3ce09893911a3f146
Author:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
AuthorDate: Mon Oct 24 16:55:07 2016 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 24 16:55:07 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d95d8f98

Move miscfiles_relabel_user_certs to userdom_relabel_user_certs

 policy/modules/system/miscfiles.if  | 11 +++--------
 policy/modules/system/userdomain.if | 23 +++++++++++++++++++++++
 2 files changed, 26 insertions(+), 8 deletions(-)

diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
index d89c7c0..5b9a810 100644
--- a/policy/modules/system/miscfiles.if
+++ b/policy/modules/system/miscfiles.if
@@ -103,7 +103,7 @@ interface(`miscfiles_manage_user_certs',`
 
 ########################################
 ## <summary>
-##	Relabel from/to cert_home_t (user-managed SSL certificates)
+##	Relabel from/to user_cert_t (user-managed SSL certificates)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -112,13 +112,8 @@ interface(`miscfiles_manage_user_certs',`
 ## </param>
 #
 interface(`miscfiles_relabel_user_certs',`
-	gen_require(`
-		type cert_home_t;
-	')
-
-	relabel_dirs_pattern($1, cert_home_t, cert_home_t)
-	relabel_files_pattern($1, cert_home_t, cert_home_t)
-	relabel_lnk_files_pattern($1, cert_home_t, cert_home_t)
+	userdom_relabel_user_certs($1)
+	refpolicywarn(`$0() has been deprecated, please use userdom_relabel_user_certs() instead.')
 ')
 
 ########################################

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 666292e..c4bef2b 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -4053,3 +4053,26 @@ interface(`userdom_user_home_dir_filetrans_user_cert',`
 
 	userdom_user_home_dir_filetrans($1, user_cert_t, $2, $3)
 ')
+
+########################################
+## <summary>
+##	Allow relabeling resources to user_cert_t
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+#
+
+interface(`userdom_relabel_user_certs',`
+	gen_require(`
+		type user_cert_t;
+	')
+
+	relabel_dirs_pattern($1, user_cert_t, user_cert_t)
+	relabel_files_pattern($1, user_cert_t, user_cert_t)
+	relabel_lnk_files_pattern($1, user_cert_t, user_cert_t)
+	relabel_sock_files_pattern($1, user_cert_t, user_cert_t)
+	relabel_fifo_files_pattern($1, user_cert_t, user_cert_t)
+')
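Review bot: the new userdom_relabel_user_certs() grants relabel_sock_files_pattern and relabel_fifo_files_pattern on top of the dir, file and lnk_file patterns the deprecated miscfiles_relabel_user_certs() body had, so this is a widening rather than the plain "Move" the commit title describes; call out the two extra classes in the message or drop them if no caller needs sockets or FIFOs under ~/.pki. Also, the blank line between the trailing `#` of the doc comment and `interface(` breaks the header layout every other interface in this file uses, and the summary should read "Relabel from/to user_cert_t" since both relabelfrom and relabelto are granted.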



* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
  2016-10-24 16:47 [gentoo-commits] proj/hardened-refpolicy:swift " Sven Vermeulen
@ 2016-10-24 17:13 ` Sven Vermeulen
From: Sven Vermeulen @ 2016-10-24 17:13 UTC
  To: gentoo-commits

commit:     64da9c74ec1c09833fc0537479c8d3298f09dd88
Author:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
AuthorDate: Mon Oct 24 16:33:17 2016 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 24 16:33:17 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=64da9c74

Introduce userdom_user_home_dir_filetrans_user_cert

The userdom_user_home_dir_filetrans_user_cert interface can be assigned
to SELinux policies for domains that create the necessary user
directories, such as ~/.pki.

This interface will need to be upstreamed later though (we currently
need it already because we have end-user domains that other
distributions generally keep in the user domain).

 policy/modules/system/userdomain.if | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 1572b51..7c0d914 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -4026,3 +4026,32 @@ interface(`userdom_manage_user_tmp_chr_files',`
 	userdom_search_user_runtime($1)
 	files_search_tmp($1)
 ')
+
+########################################
+## <summary>
+##	Automatically use the cert_home_t label for selected resources
+##	created in a users home directory
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+## <param name="class">
+##	<summary>
+##	Resource type(s) for which the label should be used
+##	</summary>
+## </param>
+## <param name="filename" optional="true">
+##	<summary>
+##	Name of the resource that is being created
+##	</summary>
+## </param>
+#
+interface(`userdom_user_home_dir_filetrans_user_cert',`
+	gen_require(`
+		type user_cert_t;
+	')
+
+	userdom_user_home_dir_filetrans($1, user_cert_t, $2, $3)
+')
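Review bot: the summary at the top of this hunk says cert_home_t while the interface body labels with user_cert_t (both the gen_require block and the userdom_user_home_dir_filetrans call); make the summary name user_cert_t so the generated interface documentation matches the type that is actually applied.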



* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
  2016-10-24 16:56 [gentoo-commits] proj/hardened-refpolicy:swift " Sven Vermeulen
@ 2016-10-24 17:13 ` Sven Vermeulen
  0 siblings, 0 replies; 98+ messages in thread
From: Sven Vermeulen @ 2016-10-24 17:13 UTC (permalink / raw
  To: gentoo-commits

commit:     5ec059a3f5ae282f6a3fd355788563a8714b8430
Author:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
AuthorDate: Mon Oct 24 16:49:13 2016 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 24 16:49:13 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5ec059a3

Fix documentation for userdom_user_home_dir_filetrans_user_cert

 policy/modules/system/userdomain.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 879ab82..666292e 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -4027,7 +4027,7 @@ interface(`userdom_manage_user_tmp_chr_files',`
 
 ########################################
 ## <summary>
-##	Automatically use the cert_home_t label for selected resources
+##	Automatically use the user_cert_t label for selected resources
 ##	created in a users home directory
 ## </summary>
 ## <param name="domain">



* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
@ 2016-10-24 17:14 Sven Vermeulen
  0 siblings, 0 replies; 98+ messages in thread
From: Sven Vermeulen @ 2016-10-24 17:14 UTC (permalink / raw
  To: gentoo-commits

commit:     b2555d98366d548d5bffc6cf5d07f4314e5815e4
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun Oct  9 05:08:41 2016 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 24 17:13:49 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b2555d98

DO NOT MERGE. sync user_cert_t cert_home_t with upstream

Need to upstream userdom_user_home_dir_filetrans_user_cert interface

 policy/modules/system/userdomain.if | 30 ++++++++++++++++++++++++++++++
 policy/modules/system/userdomain.te |  2 +-
 2 files changed, 31 insertions(+), 1 deletion(-)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index c4bef2b..e8659da 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -2465,6 +2465,36 @@ interface(`userdom_manage_user_certs',`
 
 ########################################
 ## <summary>
+##	Automatically use the user_cert_t label for
+##	selected resources created in a users home
+##	directory
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+## <param name="class">
+##	<summary>
+##	Resource type(s) for which the label should be used
+##	</summary>
+## </param>
+## <param name="filename" optional="true">
+##	<summary>
+##	Name of the resource that is being created
+##	</summary>
+## </param>
+#
+interface(`userdom_user_home_dir_filetrans_user_cert',`
+	gen_require(`
+		type user_cert_t;
+	')
+
+	userdom_user_home_dir_filetrans($1, user_cert_t, $2, $3)
+')
+
+########################################
+## <summary>
 ##	Write to user temporary named sockets.
 ## </summary>
 ## <param name="domain">
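Review bot: this is a second definition of userdom_user_home_dir_filetrans_user_cert, placed after userdom_manage_user_certs around line 2465, while commit 64da9c74 in this thread added an identical one after userdom_manage_user_tmp_chr_files around line 4026; the diffstat shows insertions only, so the earlier copy is not removed here. Keep exactly one definition before this goes upstream; this location, next to the other cert interfaces, is the better one.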

diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index d147a56..43ac9a2 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -93,7 +93,7 @@ files_associate_tmp(user_home_t)
 files_poly_parent(user_home_t)
 files_mountpoint(user_home_t)
 
-type user_cert_t;
+type user_cert_t alias cert_home_t;
 userdom_user_home_content(user_cert_t)
 
 type user_devpts_t alias { staff_devpts_t sysadm_devpts_t secadm_devpts_t auditadm_devpts_t unconfined_devpts_t };
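Review bot: moving the alias onto the base `type user_cert_t alias cert_home_t;` declaration leaves the `typealias user_cert_t alias cert_home_t;` in the ifdef(`distro_gentoo') block (see commit db3d43d0 in this thread) in place, since this hunk only touches the declaration near line 93. With both present the alias is declared twice; drop the distro_gentoo block in the same change, or confirm the policy still compiles with it, before this leaves the DO NOT MERGE state.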



* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
  2016-10-24 17:00 [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
@ 2016-10-24 17:14 ` Sven Vermeulen
  0 siblings, 0 replies; 98+ messages in thread
From: Sven Vermeulen @ 2016-10-24 17:14 UTC (permalink / raw
  To: gentoo-commits

commit:     db3d43d0b52fc05b6bd36f6b887e84799a147ce4
Author:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
AuthorDate: Mon Oct 24 17:00:46 2016 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 24 17:00:46 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=db3d43d0

Duplicate type declaration, switch to typealias

 policy/modules/system/userdomain.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 94b068e..d147a56 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -133,5 +133,5 @@ ifdef(`distro_gentoo',`
 	# We used to use cert_home_t but an upstream commit introduced the same
 	# concept as user_cert_t. Enabling an alias to keep custom modules from
 	# users running.
-	type user_cert_t alias cert_home_t;
+	typealias user_cert_t alias cert_home_t;
 ')
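Review bot: `typealias` is the right construct here, because user_cert_t is already declared by the base `type user_cert_t;` near line 93 of this file (visible in the userdomain.te hunk of b2555d98), so a second `type` statement is the duplicate declaration the commit message refers to. The comment above it, "Enabling an alias to keep custom modules from users running", reads as the opposite of its intent; suggest "keep users' custom modules that still reference cert_home_t building".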



* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
@ 2016-12-06 14:24 Jason Zaman
  0 siblings, 0 replies; 98+ messages in thread
From: Jason Zaman @ 2016-12-06 14:24 UTC (permalink / raw
  To: gentoo-commits

commit:     4745a1435bfff911b6b37c15351ed745923329bc
Author:     cgzones <cgzones <AT> googlemail <DOT> com>
AuthorDate: Sun Dec  4 16:34:11 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Dec  6 12:39:33 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4745a143

allow dhcp_t to domtrans into avahi

#============= dhcpc_t ==============
# audit(1459860992.664:6):
#  scontext="system_u:system_r:dhcpc_t:s0" tcontext="system_u:object_r:avahi_exec_t:s0"
#  class="file" perms="execute_no_trans"
#  comm="dhclient-script" exe="" path=""
#  message="/var/log/syslog.2.gz:Apr  5 14:56:32 debianSe kernel: [    4.830761]
#   audit: type=1400 audit(1459860992.664:6): avc:  denied  { execute_no_trans }
#   for  pid=412 comm="dhclient-script" path="/usr/sbin/avahi-autoipd" dev="sda1"
#   ino=140521 scontext=system_u:system_r:dhcpc_t:s0
#   tcontext=system_u:object_r:avahi_exec_t:s0 tclass=file permissive=1 "
# audit(1454514879.616:134):
#  scontext="system_u:system_r:dhcpc_t:s0" tcontext="system_u:object_r:avahi_exec_t:s0"
#  class="file" perms="execute_no_trans"
#  comm="dhclient-script" exe="" path=""
#  message="/var/log/syslog.5.gz:Feb  3 16:54:39 debianSe kernel: [   13.237496]
#   audit: type=1400 audit(1454514879.616:134): avc:  denied  { execute_no_trans
#   } for  pid=464 comm="dhclient-script" path="/usr/sbin/avahi-autoipd"
#   dev="sda1" ino=140521 scontext=system_u:system_r:dhcpc_t
#   tcontext=system_u:object_r:avahi_exec_t tclass=file permissive=1 "
allow dhcpc_t avahi_exec_t:file execute_no_trans;
# audit(1459860992.660:4):
#  scontext="system_u:system_r:dhcpc_t:s0" tcontext="system_u:object_r:avahi_exec_t:s0"
#  class="file" perms="execute"
#  comm="dhclient-script" exe="" path=""
#  message="/var/log/syslog.2.gz:Apr  5 14:56:32 debianSe kernel: [    4.827312]
#   audit: type=1400 audit(1459860992.660:4): avc:  denied  { execute } for
#   pid=412 comm="dhclient-script" name="avahi-autoipd" dev="sda1" ino=140521
#   scontext=system_u:system_r:dhcpc_t:s0
#   tcontext=system_u:object_r:avahi_exec_t:s0 tclass=file permissive=1 "
# audit(1459860992.664:5):
#  scontext="system_u:system_r:dhcpc_t:s0" tcontext="system_u:object_r:avahi_exec_t:s0"
#  class="file" perms="{ read open }"
#  comm="dhclient-script" exe="" path=""
#  message="/var/log/syslog.2.gz:Apr  5 14:56:32 debianSe kernel: [    4.829009]
#   audit: type=1400 audit(1459860992.664:5): avc:  denied  { read open } for
#   pid=412 comm="dhclient-script" path="/usr/sbin/avahi-autoipd" dev="sda1"
#   ino=140521 scontext=system_u:system_r:dhcpc_t:s0
#   tcontext=system_u:object_r:avahi_exec_t:s0 tclass=file permissive=1 "
# audit(1454514879.616:132):
#  scontext="system_u:system_r:dhcpc_t:s0" tcontext="system_u:object_r:avahi_exec_t:s0"
#  class="file" perms="execute"
#  comm="dhclient-script" exe="" path=""
#  message="/var/log/syslog.5.gz:Feb  3 16:54:39 debianSe kernel: [   13.237297]
#   audit: type=1400 audit(1454514879.616:132): avc:  denied  { execute } for
#   pid=464 comm="dhclient-script" name="avahi-autoipd" dev="sda1" ino=140521
#   scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:avahi_exec_t
#   tclass=file permissive=1 "
# audit(1454514879.616:133):
#  scontext="system_u:system_r:dhcpc_t:s0" tcontext="system_u:object_r:avahi_exec_t:s0"
#  class="file" perms="{ read open }"
#  comm="dhclient-script" exe="" path=""
#  message="/var/log/syslog.5.gz:Feb  3 16:54:39 debianSe kernel: [   13.237309]
#   audit: type=1400 audit(1454514879.616:133): avc:  denied  { read open } for
#   pid=464 comm="dhclient-script" path="/usr/sbin/avahi-autoipd" dev="sda1"
#   ino=140521 scontext=system_u:system_r:dhcpc_t
#   tcontext=system_u:object_r:avahi_exec_t tclass=file permissive=1 "
#!!!! This avc is allowed in the current policy
allow dhcpc_t avahi_exec_t:file { read execute open };

 policy/modules/system/sysnetwork.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 4bed58a..c5082dc 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -173,6 +173,10 @@ ifdef(`init_systemd',`
 ')
 
 optional_policy(`
+	avahi_domtrans(dhcpc_t)
+')
+
+optional_policy(`
 	consoletype_run(dhcpc_t, dhcpc_roles)
 ')
 
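Review bot: avahi_domtrans(dhcpc_t) is the right fix for the denials pasted in the message; the rule audit2allow proposed there, `allow dhcpc_t avahi_exec_t:file execute_no_trans;`, would run avahi-autoipd inside dhcpc_t with all of that domain's network and configuration access, whereas the domtrans moves it into the avahi domain. Two things to tidy: the commit title says dhcp_t but the domain is dhcpc_t, and the new optional_policy block should carry a one-line comment (dhclient-script launching avahi-autoipd) so the next reader does not have to dig the AVCs out of git log.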


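The message above pastes audit2allow-style output for the dhcpc_t denials. As an added example, not part of the commit or of refpolicy, the following Python script does the aggregation step of that tool over a few constructed AVC records shaped like the ones quoted (same pid, inode and contexts, flattened onto one line each), and flags the execute_no_trans case where a domain transition is the least-privilege fix rather than the raw allow. All function names are mine.

```python
import re
from collections import defaultdict

# Constructed sample: AVC records in the shape of the ones quoted in the
# commit message (pid, inode and contexts copied from there, one per line).
SAMPLE_AVCS = """
audit(1459860992.660:4): avc:  denied  { execute } for  pid=412 comm="dhclient-script" name="avahi-autoipd" dev="sda1" ino=140521 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:avahi_exec_t:s0 tclass=file permissive=1
audit(1459860992.664:5): avc:  denied  { read open } for  pid=412 comm="dhclient-script" path="/usr/sbin/avahi-autoipd" dev="sda1" ino=140521 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:avahi_exec_t:s0 tclass=file permissive=1
audit(1459860992.664:6): avc:  denied  { execute_no_trans } for  pid=412 comm="dhclient-script" path="/usr/sbin/avahi-autoipd" dev="sda1" ino=140521 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:avahi_exec_t:s0 tclass=file permissive=1
"""

# Pull the permission set, both security contexts and the object class out
# of one kernel AVC record.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """user:role:type[:range] -> type (works with or without the MLS range)."""
    return ctx.split(':')[2]


def parse_avcs(text):
    """Aggregate denials into {(source_type, target_type, tclass): set(perms)}."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC record (or a truncated one); skip it
        key = (context_type(m['scontext']), context_type(m['tcontext']), m['tclass'])
        rules[key].update(m['perms'].split())
    return dict(rules)


def to_allow_rules(rules):
    """Render the aggregate as refpolicy-style allow rules, one per key."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        out.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return out


def exec_without_transition(rules):
    """(source, target) pairs where an *_exec_t file is executed in the
    caller's own domain. execute_no_trans on an entrypoint type is the hint
    that a domain transition (e.g. avahi_domtrans(dhcpc_t)) is the better
    fix than widening the caller."""
    return [(src, tgt) for (src, tgt, cls), perms in rules.items()
            if cls == 'file' and 'execute_no_trans' in perms and tgt.endswith('_exec_t')]


if __name__ == '__main__':
    rules = parse_avcs(SAMPLE_AVCS)
    print('\n'.join(to_allow_rules(rules)))
    for src, tgt in exec_without_transition(rules):
        print(f"# {src} runs {tgt} without a transition; prefer a domtrans interface")
```

Run it as is and it prints the single merged rule audit2allow would have produced, followed by the hint that dhcpc_t executes avahi_exec_t in place; feed it real `ausearch -m avc` output instead of the constructed sample to use it on a live system.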

* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
  2016-12-06 13:39 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2016-12-06 14:24 ` Jason Zaman
  0 siblings, 0 replies; 98+ messages in thread
From: Jason Zaman @ 2016-12-06 14:24 UTC (permalink / raw
  To: gentoo-commits

commit:     b40edf6a92608a7e0bb13981b79bf3cb1eab4fc8
Author:     cgzones <cgzones <AT> googlemail <DOT> com>
AuthorDate: Sun Dec  4 16:29:17 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Dec  6 12:39:33 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b40edf6a

define filecontext for /run/agetty.reload

 policy/modules/system/getty.fc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/getty.fc b/policy/modules/system/getty.fc
index e1a1848..7bea727 100644
--- a/policy/modules/system/getty.fc
+++ b/policy/modules/system/getty.fc
@@ -7,6 +7,7 @@
 /var/log/vgetty\.log\..* --	gen_context(system_u:object_r:getty_log_t,s0)
 
 /var/run/mgetty\.pid.*	--	gen_context(system_u:object_r:getty_var_run_t,s0)
+/var/run/agetty\.reload	--	gen_context(system_u:object_r:getty_var_run_t,s0)
 
 /var/spool/fax(/.*)?		gen_context(system_u:object_r:getty_var_run_t,s0)
 /var/spool/voice(/.*)?		gen_context(system_u:object_r:getty_var_run_t,s0)
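Review bot: the new entry follows the mgetty pid line above it (regular-file class, getty_var_run_t), but a file context only takes effect at relabel time; /run/agetty.reload is created at runtime by whichever domain runs `agetty --reload`, so check that that domain has a filetrans into getty_var_run_t, otherwise the file will carry the parent directory's label until the next restorecon and this entry will not do anything.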



* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
  2016-12-06 13:39 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2016-12-06 14:24 ` Jason Zaman
  0 siblings, 0 replies; 98+ messages in thread
From: Jason Zaman @ 2016-12-06 14:24 UTC (permalink / raw
  To: gentoo-commits

commit:     cbcab29a1675e9c599a8362a793624c347b18e51
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Dec  4 18:30:54 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Dec  6 12:39:33 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=cbcab29a

Module version bumps for patches from cgzones.

 policy/modules/system/getty.te      | 2 +-
 policy/modules/system/sysnetwork.te | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
index 05c6413..b2358ba 100644
--- a/policy/modules/system/getty.te
+++ b/policy/modules/system/getty.te
@@ -1,4 +1,4 @@
-policy_module(getty, 1.11.0)
+policy_module(getty, 1.11.1)
 
 ########################################
 #

diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index c5082dc..f2964fc 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -1,4 +1,4 @@
-policy_module(sysnetwork, 1.19.0)
+policy_module(sysnetwork, 1.19.1)
 
 ########################################
 #



* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
@ 2016-12-08  5:03 Jason Zaman
  0 siblings, 0 replies; 98+ messages in thread
From: Jason Zaman @ 2016-12-08  5:03 UTC (permalink / raw
  To: gentoo-commits

commit:     52f264ecb4cfbf36d25a980096b09d10147e9e34
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Dec  7 01:01:22 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Dec  8 04:44:05 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=52f264ec

modutils: Move lines.

 policy/modules/system/modutils.te | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index 87e71d9..8ebd5d1 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -8,6 +8,7 @@ policy_module(modutils, 1.16.1)
 type kmod_t alias { insmod_t depmod_t update_modules_t };
 type kmod_exec_t alias { insmod_exec_t depmod_exec_t update_modules_exec_t };
 application_domain(kmod_t, kmod_exec_t)
+kernel_domtrans_to(kmod_t, kmod_exec_t)
 mls_file_write_all_levels(kmod_t)
 role system_r types kmod_t;
 
@@ -52,6 +53,7 @@ kernel_write_proc_files(kmod_t)
 kernel_mount_debugfs(kmod_t)
 kernel_mount_kvmfs(kmod_t)
 kernel_read_debugfs(kmod_t)
+kernel_search_key(kmod_t)
 # Rules for /proc/sys/kernel/tainted
 kernel_read_kernel_sysctls(kmod_t)
 kernel_rw_kernel_sysctl(kmod_t)
@@ -109,10 +111,6 @@ userdom_use_user_terminals(kmod_t)
 
 userdom_dontaudit_search_user_home_dirs(kmod_t)
 
-kernel_domtrans_to(kmod_t, kmod_exec_t)
-
-kernel_search_key(kmod_t)
-
 ifdef(`init_systemd',`
 	init_rw_stream_sockets(kmod_t)
 
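Review bot: net permission change is zero; the two lines removed here, kernel_domtrans_to and kernel_search_key, are exactly the ones re-added in the first two hunks, so a build check is all that is needed. Worth a note in the commit message that this is a reorder only, since "Move lines" reads like it could also be a removal.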



* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
  2016-12-08  4:47 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2016-12-08  5:03 ` Jason Zaman
  0 siblings, 0 replies; 98+ messages in thread
From: Jason Zaman @ 2016-12-08  5:03 UTC (permalink / raw
  To: gentoo-commits

commit:     dfe8d0c37098717dacbadf331aafb903e108a021
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Dec  7 00:52:42 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Dec  8 04:43:12 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=dfe8d0c3

Module version bump for journald fixes from cgzones.

 policy/modules/system/logging.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index a9fbf1b..481cdef 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -1,4 +1,4 @@
-policy_module(logging, 1.24.0)
+policy_module(logging, 1.24.1)
 
 ########################################
 #



* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
  2016-12-08  4:47 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2016-12-08  5:03 ` Jason Zaman
  0 siblings, 0 replies; 98+ messages in thread
From: Jason Zaman @ 2016-12-08  5:03 UTC (permalink / raw
  To: gentoo-commits

commit:     8a244682cdb051e2a700155c49e9217baee65b0e
Author:     cgzones <cgzones <AT> googlemail <DOT> com>
AuthorDate: Sun Dec  4 16:42:52 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Dec  8 04:36:39 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8a244682

fix syslogd audits

 policy/modules/system/logging.te | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 96ffbcd..a9fbf1b 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -372,7 +372,7 @@ optional_policy(`
 # sys_nice for rsyslog
 # cjp: why net_admin!
 allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin sys_nice chown fsetid };
-dontaudit syslogd_t self:capability sys_tty_config;
+dontaudit syslogd_t self:capability { sys_tty_config sys_ptrace };
 # setpgid for metalog
 # setrlimit for syslog-ng
 # getsched for syslog-ng
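Review bot: dontaudit on sys_ptrace silences the capability check rather than granting it; the usual reason a logger trips it is reading other processes' /proc entries for sender metadata, and if journald needs that, logging will degrade with no AVC record to show why. The CI-fix commit later in this thread adds `allow syslogd_t self:capability { chown setgid setuid sys_ptrace }` under ifdef(`init_systemd'), which is the better shape: allow it only where journald runs, keep the dontaudit for the other syslog implementations.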
@@ -456,6 +456,7 @@ corenet_sendrecv_mysqld_client_packets(syslogd_t)
 
 dev_filetrans(syslogd_t, devlog_t, sock_file)
 dev_read_sysfs(syslogd_t)
+dev_read_urand(syslogd_t)
 # Allow access to /dev/kmsg for journald
 dev_rw_kmsg(syslogd_t)
 
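Review bot: dev_read_urand(syslogd_t) is added unconditionally, outside the ifdef(`init_systemd') block that the rest of the journald-specific rules in the next hunk sit in. If only journald needs /dev/urandom, move it there so rsyslog, syslog-ng and metalog do not gain it; if one of those needs it too, say which in the comment.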
@@ -498,7 +499,10 @@ userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
 userdom_dontaudit_search_user_home_dirs(syslogd_t)
 
 ifdef(`init_systemd',`
+	# systemd-journald permissions
+
 	allow syslogd_t self:capability { chown setuid setgid };
+	allow syslogd_t self:netlink_audit_socket { getattr getopt read setopt write };
 
 	kernel_use_fds(syslogd_t)
 	kernel_getattr_dgram_sockets(syslogd_t)
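Review bot: the netlink_audit_socket { getattr getopt read setopt write } line lets journald open the audit multicast socket, but reading from it also needs `allow syslogd_t self:capability2 audit_read;`, which is not in this hunk (the CI-fix commit later in this thread shows it present). Add it in the same change so the rule set is complete at this revision rather than relying on a follow-up.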



* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
@ 2017-01-01 16:37 Jason Zaman
  0 siblings, 0 replies; 98+ messages in thread
From: Jason Zaman @ 2017-01-01 16:37 UTC (permalink / raw
  To: gentoo-commits

commit:     989ddb737f2e045e534d3238a9ed8248faf55c83
Author:     Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Tue Dec 27 15:33:57 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jan  1 16:26:28 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=989ddb73

base: use new genhomedircon template for username

Use the new genhomedircon templates for username-dependent
file contexts (requires libsemanage >= 2.6).

This is the base policy part (1/2).

 policy/modules/system/userdomain.fc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc
index c8b881e..6c813b4 100644
--- a/policy/modules/system/userdomain.fc
+++ b/policy/modules/system/userdomain.fc
@@ -2,7 +2,7 @@ HOME_DIR	-d	gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
 HOME_DIR/.+		gen_context(system_u:object_r:user_home_t,s0)
 HOME_DIR/\.pki(/.*)?	gen_context(system_u:object_r:user_cert_t,s0)
 
-/tmp/gconfd-USER -d	gen_context(system_u:object_r:user_tmp_t,s0)
+/tmp/gconfd-%{USERNAME} -d	gen_context(system_u:object_r:user_tmp_t,s0)
 
 /run/user		-d	gen_context(system_u:object_r:user_runtime_root_t,s0)
 /run/user/[^/]+	-d	gen_context(system_u:object_r:user_runtime_t,s0)
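Review bot: `%{USERNAME}` is only expanded by genhomedircon from libsemanage 2.6 onward (the commit message says so); on older libsemanage the line is emitted verbatim and /tmp/gconfd-<user> silently loses its user_tmp_t context. Either have the build check the libsemanage version or record the new minimum in the policy's documented requirements so this cannot regress quietly.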


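The commit above swaps the old USER keyword for the %{USERNAME} template that genhomedircon expands per user, alongside HOME_DIR. As an added example, not part of the commit or of refpolicy, the following Python script parses a few constructed .fc entries shaped like the ones in this thread (userdomain.fc, getty.fc, systemd.fc), performs that expansion for one user, and resolves a path to its context while honouring the class flag (-d, --). The matching is a deliberate simplification, last matching entry wins, whereas libselinux also orders entries by stem length and regex specificity; the function names are mine.

```python
import re

# Constructed sample: entries in refpolicy .fc syntax, modelled on the hunks in
# this thread. The first four use the genhomedircon templates.
SAMPLE_FC = r"""
HOME_DIR    -d    gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
HOME_DIR/.+       gen_context(system_u:object_r:user_home_t,s0)
HOME_DIR/\.pki(/.*)?    gen_context(system_u:object_r:user_cert_t,s0)
/tmp/gconfd-%{USERNAME} -d    gen_context(system_u:object_r:user_tmp_t,s0)
/var/run/agetty\.reload    --    gen_context(system_u:object_r:getty_var_run_t,s0)
/var/lib/systemd/backlight(/.*)?    gen_context(system_u:object_r:systemd_backlight_var_lib_t,s0)
"""

# <regex> [<class flag>] gen_context(<context>,<mls range>)
FC_RE = re.compile(
    r'^(?P<regex>\S+)\s+(?:(?P<ftype>-[-dlcbsp])\s+)?'
    r'gen_context\((?P<ctx>[^,]+),(?P<mls>[^)]+)\)$'
)

# Class flag as written in .fc files -> object kind used when matching.
FTYPE_TO_KIND = {'--': 'file', '-d': 'dir', '-l': 'lnk', '-c': 'chr',
                 '-b': 'blk', '-s': 'sock', '-p': 'fifo'}


def expand_templates(regex, home, user):
    """Substitute the genhomedircon placeholders: HOME_DIR becomes the escaped
    home path, %{USERNAME} the escaped user name (both are literal text, not
    regex, so they must be escaped before being spliced into the pattern)."""
    return regex.replace('HOME_DIR', re.escape(home)).replace('%{USERNAME}', re.escape(user))


def parse_fc(text, home='/home/alice', user='alice'):
    """Parse .fc lines into (compiled anchored regex, kind or None, context)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = FC_RE.match(line)
        if not m:
            raise ValueError(f'unparsable fc line: {line!r}')
        pattern = re.compile('^' + expand_templates(m['regex'], home, user) + '$')
        kind = FTYPE_TO_KIND[m['ftype']] if m['ftype'] else None
        entries.append((pattern, kind, m['ctx']))
    return entries


def label_for(entries, path, kind):
    """Context for `path` of object kind `kind` ('file', 'dir', ...), or None.
    Simplified rule: the last matching entry wins; an entry with a class flag
    only matches objects of that kind."""
    ctx = None
    for pattern, want_kind, c in entries:
        if want_kind not in (None, kind):
            continue
        if pattern.match(path):
            ctx = c
    return ctx


if __name__ == '__main__':
    fc = parse_fc(SAMPLE_FC)
    for p, k in [('/home/alice', 'dir'), ('/home/alice', 'file'),
                 ('/home/alice/.pki/nssdb', 'dir'), ('/tmp/gconfd-alice', 'dir'),
                 ('/var/run/agetty.reload', 'file'), ('/var/run/agetty.reload', 'dir')]:
        print(f'{p} ({k}) -> {label_for(fc, p, k)}')
```

The two None results in the sample run are the point of the class flags: a regular file called /home/alice or a directory called /var/run/agetty.reload gets no context from these entries, which is what the `-d` and `--` markers in the hunks above are for.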

* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
@ 2017-01-01 16:37 Jason Zaman
  0 siblings, 0 replies; 98+ messages in thread
From: Jason Zaman @ 2017-01-01 16:37 UTC (permalink / raw
  To: gentoo-commits

commit:     136d58b22660009b8fba0fbf2a1a160aba8d9735
Author:     Nicolas Iooss <nicolas.iooss <AT> m4x <DOT> org>
AuthorDate: Tue Dec 27 13:44:58 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jan  1 16:26:28 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=136d58b2

systemd: add systemd-backlight policy

The documentation page of this service describes well which accesses are
needed
(https://www.freedesktop.org/software/systemd/man/systemd-backlight <AT> .service.html).
systemd-backlight:
- is a systemd service
- manages /var/lib/systemd/backlight/
- reads udev device properties to find ID_BACKLIGHT_CLAMP

Signed-off-by: Nicolas Iooss <nicolas.iooss <AT> m4x.org>

 policy/modules/system/systemd.fc |  2 ++
 policy/modules/system/systemd.te | 24 ++++++++++++++++++++++++
 2 files changed, 26 insertions(+)

diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index ff0f976..673bb68 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -28,7 +28,9 @@
 /usr/lib/systemd/system/[^/]*shutdown.*	--	gen_context(system_u:object_r:power_unit_t,s0)
 /usr/lib/systemd/system/[^/]*sleep.*	--	gen_context(system_u:object_r:power_unit_t,s0)
 /usr/lib/systemd/system/[^/]*suspend.*	--	gen_context(system_u:object_r:power_unit_t,s0)
+/usr/lib/systemd/system/systemd-backlight.*	--	gen_context(system_u:object_r:systemd_backlight_unit_t,s0)
 
+/var/lib/systemd/backlight(/.*)?	gen_context(system_u:object_r:systemd_backlight_var_lib_t,s0)
 /var/lib/systemd/linger(/.*)?	gen_context(system_u:object_r:systemd_logind_var_lib_t,s0)
 
 /run/\.nologin[^/]*	--	gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 196abab..c50e93a 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -26,6 +26,12 @@ type systemd_backlight_t;
 type systemd_backlight_exec_t;
 init_system_domain(systemd_backlight_t, systemd_backlight_exec_t)
 
+type systemd_backlight_unit_t;
+init_unit_file(systemd_backlight_unit_t)
+
+type systemd_backlight_var_lib_t;
+files_type(systemd_backlight_var_lib_t)
+
 type systemd_binfmt_t;
 type systemd_binfmt_exec_t;
 init_system_domain(systemd_binfmt_t, systemd_binfmt_exec_t)
@@ -140,6 +146,24 @@ logging_send_syslog_msg(systemd_log_parse_env_type)
 
 ######################################
 #
+# Backlight local policy
+#
+
+allow systemd_backlight_t systemd_backlight_var_lib_t:dir manage_dir_perms;
+init_var_lib_filetrans(systemd_backlight_t, systemd_backlight_var_lib_t, dir)
+manage_files_pattern(systemd_backlight_t, systemd_backlight_var_lib_t, systemd_backlight_var_lib_t)
+
+systemd_log_parse_environment(systemd_backlight_t)
+
+# Allow systemd-backlight to write to /sys/class/backlight/*/brightness
+dev_rw_sysfs(systemd_backlight_t)
+
+files_read_etc_files(systemd_backlight_t)
+
+udev_read_pid_files(systemd_backlight_t)
+
+######################################
+#
 # Cgroups local policy
 #
 
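Review bot: dev_rw_sysfs(systemd_backlight_t) grants read and write on all of sysfs, far wider than the /sys/class/backlight/*/brightness write the comment describes; if no narrower interface for the backlight attributes is available, say so in the comment so the width is a known trade-off rather than an oversight. Separately, the raw `allow systemd_backlight_t systemd_backlight_var_lib_t:dir manage_dir_perms;` would conventionally be written as manage_dirs_pattern(systemd_backlight_t, systemd_backlight_var_lib_t, systemd_backlight_var_lib_t) to match the manage_files_pattern line beneath it.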



* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
  2017-01-01 16:36 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2017-01-01 16:37 ` Jason Zaman
  0 siblings, 0 replies; 98+ messages in thread
From: Jason Zaman @ 2017-01-01 16:37 UTC (permalink / raw
  To: gentoo-commits

commit:     3225e34cc39a06b44cc0871b984791eeaf9bb970
Author:     Nicolas Iooss <nicolas.iooss <AT> m4x <DOT> org>
AuthorDate: Tue Dec 27 13:45:21 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jan  1 16:26:28 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3225e34c

systemd: add systemd-binfmt policy

This systemd service registers in /proc/sys/fs/binfmt_misc binary formats
for executables.

Signed-off-by: Nicolas Iooss <nicolas.iooss <AT> m4x.org>

 policy/modules/system/systemd.fc |  1 +
 policy/modules/system/systemd.te | 15 +++++++++++++++
 2 files changed, 16 insertions(+)

diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index 673bb68..d66feda 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -29,6 +29,7 @@
 /usr/lib/systemd/system/[^/]*sleep.*	--	gen_context(system_u:object_r:power_unit_t,s0)
 /usr/lib/systemd/system/[^/]*suspend.*	--	gen_context(system_u:object_r:power_unit_t,s0)
 /usr/lib/systemd/system/systemd-backlight.*	--	gen_context(system_u:object_r:systemd_backlight_unit_t,s0)
+/usr/lib/systemd/system/systemd-binfmt.*	--	gen_context(system_u:object_r:systemd_binfmt_unit_t,s0)
 
 /var/lib/systemd/backlight(/.*)?	gen_context(system_u:object_r:systemd_backlight_var_lib_t,s0)
 /var/lib/systemd/linger(/.*)?	gen_context(system_u:object_r:systemd_logind_var_lib_t,s0)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index c50e93a..cf22ba8 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -36,6 +36,9 @@ type systemd_binfmt_t;
 type systemd_binfmt_exec_t;
 init_system_domain(systemd_binfmt_t, systemd_binfmt_exec_t)
 
+type systemd_binfmt_unit_t;
+init_unit_file(systemd_binfmt_unit_t)
+
 type systemd_cgroups_t;
 type systemd_cgroups_exec_t;
 domain_type(systemd_cgroups_t)
@@ -162,6 +165,18 @@ files_read_etc_files(systemd_backlight_t)
 
 udev_read_pid_files(systemd_backlight_t)
 
+#######################################
+#
+# Binfmt local policy
+#
+
+systemd_log_parse_environment(systemd_binfmt_t)
+
+# Allow to read /etc/binfmt.d/ files
+files_read_etc_files(systemd_binfmt_t)
+
+fs_register_binary_executable_type(systemd_binfmt_t)
+
 ######################################
 #
 # Cgroups local policy
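Review bot: files_read_etc_files covers /etc/binfmt.d, but binfmt.d(5) also lists /usr/lib/binfmt.d and /run/binfmt.d; confirm systemd_binfmt_t can read those too (the files_ interfaces for /usr and /run) or drop-ins shipped by packages will be skipped without a visible error. fs_register_binary_executable_type is the sensitive permission in this hunk: whatever can write binfmt_misc can route execution of matching binaries through an interpreter of its choosing, so the comment should note that this domain's inputs must stay root-owned configuration only.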



* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
@ 2017-02-25 14:59 Jason Zaman
  0 siblings, 0 replies; 98+ messages in thread
From: Jason Zaman @ 2017-02-25 14:59 UTC (permalink / raw
  To: gentoo-commits

commit:     9b0381b0a1bb48191b63472a7297882b81f1a1a5
Author:     cgzones <cgzones <AT> googlemail <DOT> com>
AuthorDate: Thu Jan  5 11:14:08 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 25 14:15:28 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9b0381b0

add init_daemon_lock_file()

needed for ntp

 policy/modules/system/init.if | 33 +++++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 1b26cf5e..4a36e12a 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -512,6 +512,39 @@ interface(`init_daemon_pid_file',`
 
 ########################################
 ## <summary>
+##	Mark the file type as a daemon lock file, allowing initrc_t
+##	to create it
+## </summary>
+## <param name="filetype">
+##	<summary>
+##	Type to mark as a daemon lock file
+##	</summary>
+## </param>
+## <param name="class">
+##	<summary>
+##	Class on which the type is applied
+##	</summary>
+## </param>
+## <param name="filename">
+##	<summary>
+##	Filename of the file that the init script creates
+##	</summary>
+## </param>
+#
+interface(`init_daemon_lock_file',`
+	gen_require(`
+		type initrc_t;
+	')
+
+	files_lock_file($1)
+	files_lock_filetrans(initrc_t, $1, $2, $3)
+
+	allow initrc_t $1:dir manage_dir_perms;
+	allow initrc_t $1:file manage_file_perms;
+')
+
+########################################
+## <summary>
 ##	Mark the file type as a daemon run dir, allowing initrc_t
 ##	to create it
 ## </summary>
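Review bot: the summary says the interface allows initrc_t "to create" the lock file, but the body grants manage_dir_perms and manage_file_perms on the type, which is the full create/read/write/unlink set; either narrow the rules or make the summary say manage. Style-wise the two raw allow lines would conventionally be manage_dirs_pattern(initrc_t, $1, $1) and manage_files_pattern(initrc_t, $1, $1), and the `filename` parameter is passed straight through as $3 to files_lock_filetrans, so mark it optional="true" as the userdomain interfaces elsewhere in this thread do, or document why it is required here.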



* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
@ 2017-02-25 14:59 Jason Zaman
  0 siblings, 0 replies; 98+ messages in thread
From: Jason Zaman @ 2017-02-25 14:59 UTC (permalink / raw
  To: gentoo-commits

commit:     a94131f569e9e185a3f08a774bb6ba62c5e90bd1
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Fri Feb 24 01:16:40 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 25 14:22:23 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a94131f5

Fix CI errors.

 policy/modules/system/logging.te | 2 --
 policy/modules/system/systemd.if | 2 +-
 2 files changed, 1 insertion(+), 3 deletions(-)

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 9a6c714a..54436756 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -515,8 +515,6 @@ ifdef(`init_systemd',`
 	allow syslogd_t self:capability2 audit_read;
 	allow syslogd_t self:capability { chown setgid setuid sys_ptrace };
 	allow syslogd_t self:netlink_audit_socket { getattr getopt read setopt write };
-	allow syslogd_t init_var_run_t:file { read write create open };
-	allow syslogd_t var_run_t:dir create;
 
 	kernel_getattr_dgram_sockets(syslogd_t)
 	kernel_read_ring_buffer(syslogd_t)
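Review bot: the two dropped lines were raw allows on init_var_run_t and var_run_t, types owned by other modules, which is what the CI objects to; simply deleting them will bring back whatever journald denial they were added for. If journald does need to create files under /run, replace them with the interface the owning module provides for that access rather than removing the grant silently, and note in the commit message which denial was traded away.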

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 69ee084f..70047dbe 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -248,7 +248,7 @@ interface(`systemd_manage_all_units',`
 #
 interface(`systemd_manage_journal_files',`
 	gen_require(`
-		type systemd_logind_t;
+		type systemd_journal_t;
 	')
 
 	manage_dirs_pattern($1, systemd_journal_t, systemd_journal_t)
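Review bot: a gen_require naming systemd_logind_t while the body uses systemd_journal_t only worked because the journal type happened to be visible at link time; the fix is right. Worth a quick pass over the other interfaces in systemd.if for gen_require blocks that do not match the types used in their bodies, since that class of mistake is invisible until a module is built in isolation.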



* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
@ 2017-02-25 14:59 Jason Zaman
  0 siblings, 0 replies; 98+ messages in thread
From: Jason Zaman @ 2017-02-25 14:59 UTC (permalink / raw
  To: gentoo-commits

commit:     03ff4298e41b65f82fc8f0282fe619de74288923
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Thu Feb 23 00:01:20 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 25 14:15:28 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=03ff4298

Module version bump for ntp fixes from cgzones.

 policy/modules/system/init.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index e07f7050..a43bf19b 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 2.2.4)
+policy_module(init, 2.2.5)
 
 gen_require(`
 	class passwd rootok;



* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
@ 2017-02-25 14:59 Jason Zaman
  0 siblings, 0 replies; 98+ messages in thread
From: Jason Zaman @ 2017-02-25 14:59 UTC (permalink / raw
  To: gentoo-commits

commit:     b3270de1d3ef64f7c1c499813a242292584561de
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Fri Feb 24 01:32:10 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 25 14:22:23 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b3270de1

Module version bump for CI fixes.

 policy/modules/system/logging.te | 2 +-
 policy/modules/system/systemd.te | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 54436756..8d123eea 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -1,4 +1,4 @@
-policy_module(logging, 1.25.3)
+policy_module(logging, 1.25.4)
 
 ########################################
 #

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 19e6947a..40719e93 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1,4 +1,4 @@
-policy_module(systemd, 1.3.6)
+policy_module(systemd, 1.3.7)
 
 #########################################
 #



* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
@ 2017-02-25 16:58 Jason Zaman
  0 siblings, 0 replies; 98+ messages in thread
From: Jason Zaman @ 2017-02-25 16:58 UTC (permalink / raw
  To: gentoo-commits

commit:     14e61be0a6e5ecfedcce85f2222fa1d2179cfdb2
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Feb 25 13:38:16 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 25 16:43:11 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=14e61be0

init: Rename init_search_pid_dirs() to init_search_pids().

 policy/modules/system/init.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 2230df01..b1778f1a 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1145,7 +1145,7 @@ interface(`init_var_lib_filetrans',`
 ##  </summary>
 ## </param>
 #
-interface(`init_search_pid_dirs',`
+interface(`init_search_pids',`
 	gen_require(`
 		type init_var_run_t;
 	')
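Review bot: the rename from init_search_pid_dirs() to init_search_pids() drops the old name with no compatibility shim, so any caller of init_search_pid_dirs() elsewhere in the tree, or in an out-of-tree module built against this policy, stops compiling. Grep the whole policy for the old name before merging and, if external users matter, keep a deprecated wrapper for one release that calls refpolicywarn() and forwards to the new name.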



* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
  2017-02-25 16:58 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2017-02-25 16:58 ` Jason Zaman
  0 siblings, 0 replies; 98+ messages in thread
From: Jason Zaman @ 2017-02-25 16:58 UTC (permalink / raw
  To: gentoo-commits

commit:     6fb566c033803208cc19261105ce611225d5f08d
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Feb 25 13:39:58 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 25 16:43:11 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6fb566c0

init: Move interface and whitespace change.

 policy/modules/system/init.if | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index b1778f1a..8d65e648 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1137,12 +1137,12 @@ interface(`init_var_lib_filetrans',`
 
 ######################################
 ## <summary>
-##  Allow search  directory in the /run/systemd directory.
+##	Allow search  directory in the /run/systemd directory.
 ## </summary>
 ## <param name="domain">
-##  <summary>
-##  Domain allowed access.
-##  </summary>
+##	<summary>
+##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`init_search_pids',`
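Review bot: since this hunk already rewrites every doc line of init_search_pids(), fix the summary text while you are there: `Allow search  directory in the /run/systemd directory.` has a doubled space and is ungrammatical; `Allow searching the /run/systemd directory.` reads better, and naming the type actually granted (init_var_run_t) would let readers tell which paths the interface covers.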
@@ -2270,7 +2270,7 @@ interface(`init_read_script_tmp_files',`
 
 ########################################
 ## <summary>
-##	Read and write init script temporary data.
+##	Read and write init script inherited temporary data.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -2278,18 +2278,17 @@ interface(`init_read_script_tmp_files',`
 ##	</summary>
 ## </param>
 #
-interface(`init_rw_script_tmp_files',`
+interface(`init_rw_inherited_script_tmp_files',`
 	gen_require(`
 		type initrc_tmp_t;
 	')
 
-	files_search_tmp($1)
-	rw_files_pattern($1, initrc_tmp_t, initrc_tmp_t)
+	allow $1 initrc_tmp_t:file rw_inherited_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Read and write init script inherited temporary data.
+##	Read and write init script temporary data.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -2297,12 +2296,13 @@ interface(`init_rw_script_tmp_files',`
 ##	</summary>
 ## </param>
 #
-interface(`init_rw_inherited_script_tmp_files',`
+interface(`init_rw_script_tmp_files',`
 	gen_require(`
 		type initrc_tmp_t;
 	')
 
-	allow $1 initrc_tmp_t:file rw_inherited_file_perms;
+	files_search_tmp($1)
+	rw_files_pattern($1, initrc_tmp_t, initrc_tmp_t)
 ')
 
 ########################################
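Review bot: hunks 2 to 4 of this diff only swap the positions of init_rw_script_tmp_files() and init_rw_inherited_script_tmp_files(); both bodies end up unchanged (the inherited variant keeps `allow $1 initrc_tmp_t:file rw_inherited_file_perms;`, the plain variant keeps files_search_tmp() plus rw_files_pattern()). Because git renders the swap as a summary edit, a renamed interface line and two replaced bodies, it is easy to misread as a semantic change, and bundling it with the whitespace fix in hunk 1 makes the audit harder still. Either split the commit or state in the message that the two bodies are untouched.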



* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
  2017-02-25 16:58 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2017-02-25 16:58 ` Jason Zaman
  0 siblings, 0 replies; 98+ messages in thread
From: Jason Zaman @ 2017-02-25 16:58 UTC (permalink / raw
  To: gentoo-commits

commit:     be5ad6588778385c9353e1b6ca9fcc5f4b149148
Author:     Russell Coker <russell <AT> coker <DOT> com <DOT> au>
AuthorDate: Fri Feb 24 06:22:42 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 25 16:43:11 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=be5ad658

new init interfaces for systemd

These are needed by several patches I'm about to send.

Description: some new interfaces for init/systemd
Author: Russell Coker <russell <AT> coker.com.au>
Last-Update: 2017-02-24

 policy/modules/system/init.if | 36 ++++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 162ce266..2230df01 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1135,6 +1135,24 @@ interface(`init_var_lib_filetrans',`
 	filetrans_pattern($1, init_var_lib_t, $2, $3, $4)
 ')
 
+######################################
+## <summary>
+##  Allow search  directory in the /run/systemd directory.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`init_search_pid_dirs',`
+	gen_require(`
+		type init_var_run_t;
+	')
+
+	allow $1 init_var_run_t:dir search_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##	Create files in an init PID directory.
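Review bot: init_search_pid_dirs() grants search on init_var_run_t only; a caller that reaches that directory by path also needs search on the parent /run directory, which refpolicy interfaces for content under /run usually supply themselves via files_search_pids($1). Either add that call here or document that the caller must provide it. The summary line also has a doubled space (`search  directory`) and would read better as `Allow searching the init PID directories.`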
@@ -2271,6 +2289,24 @@ interface(`init_rw_script_tmp_files',`
 
 ########################################
 ## <summary>
+##	Read and write init script inherited temporary data.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_rw_inherited_script_tmp_files',`
+	gen_require(`
+		type initrc_tmp_t;
+	')
+
+	allow $1 initrc_tmp_t:file rw_inherited_file_perms;
+')
+
+########################################
+## <summary>
 ##	Create files in a init script
 ##	temporary data directory.
 ## </summary>
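Review bot: the body of init_rw_inherited_script_tmp_files() is right for the inherited case: it grants rw_inherited_file_perms alone and deliberately omits files_search_tmp(), because a descriptor inherited across exec needs no path lookup. Add a one-line comment saying so; otherwise the next reader is likely to "fix" it by adding the search call and quietly widen it into the non-inherited pattern that init_rw_script_tmp_files() already provides.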



* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
  2017-02-27 10:50 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2017-02-27 11:40 ` Jason Zaman
  0 siblings, 0 replies; 98+ messages in thread
From: Jason Zaman @ 2017-02-27 11:40 UTC (permalink / raw
  To: gentoo-commits

commit:     9aaa2422ee9903dab8bd049c7cbc7f17850cd66d
Author:     cgzones <cgzones <AT> googlemail <DOT> com>
AuthorDate: Thu Jan  5 10:32:17 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb 27 10:38:00 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9aaa2422

newrole: fix denials

dontaudit net_admin access due to setsockopt
allow communication with systemd-logind

 policy/modules/system/selinuxutil.te | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index bc57e4a7..5f624126 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -221,6 +221,7 @@ optional_policy(`
 # Newrole local policy
 #
 
+dontaudit newrole_t self:capability net_admin;
 allow newrole_t self:capability { dac_override fowner setgid setuid };
 allow newrole_t self:process setexec;
 allow newrole_t self:fd use;
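Review bot: the commit message explains the dontaudit (a setsockopt() call trips the net_admin check), but the rule itself carries no comment; put that reason directly above `dontaudit newrole_t self:capability net_admin;`, because a bare net_admin dontaudit in a setuid privilege-changing domain otherwise looks like it is hiding a real capability need. Being dontaudit rather than allow, it suppresses only the audit noise; newrole still cannot exercise the capability.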
@@ -282,6 +283,7 @@ auth_use_nsswitch(newrole_t)
 auth_run_chk_passwd(newrole_t, newrole_roles)
 auth_run_upd_passwd(newrole_t, newrole_roles)
 auth_rw_faillog(newrole_t)
+auth_use_pam_systemd(newrole_t)
 
 # Write to utmp.
 init_rw_utmp(newrole_t)
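Review bot: auth_use_pam_systemd() is introduced in commit 9276dbc0 on this page and wraps its own body in optional_policy, so calling it here outside an optional block is correct; the build stays green only because that commit lands before this one, so keep the ordering if these are ever rebased.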
@@ -330,6 +332,10 @@ tunable_policy(`allow_polyinstantiation',`
 	files_polyinstantiate_all(newrole_t)
 ')
 
+optional_policy(`
+	systemd_use_logind_fds(newrole_t)
+')
+
 ########################################
 #
 # Restorecond local policy
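Review bot: together with auth_use_pam_systemd(newrole_t) above, this block gives newrole the two pieces pam_systemd needs: D-Bus chat with logind and use of the descriptors logind hands over. The optional_policy wrapper is right because the systemd module may be absent, but a comment naming pam_systemd on this block would tie the grant to its reason, since "allow communication with systemd-logind" only lives in the commit message.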



* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
  2017-02-27 10:50 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2017-02-27 11:40 ` Jason Zaman
  0 siblings, 0 replies; 98+ messages in thread
From: Jason Zaman @ 2017-02-27 11:40 UTC (permalink / raw
  To: gentoo-commits

commit:     790a26f8e3601f0e6f0fc4e7a480ac7196b34567
Author:     cgzones <cgzones <AT> googlemail <DOT> com>
AuthorDate: Thu Jan  5 12:21:10 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb 27 10:37:10 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=790a26f8

locallogin: adjustments

* do not grant permissions by negative matching
* separate dbus from consolekit block for systemd

 policy/modules/system/locallogin.te | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
index 174ba9f4..964239a4 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -33,8 +33,7 @@ role system_r types sulogin_t;
 #
 
 allow local_login_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config };
-allow local_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-allow local_login_t self:process { setrlimit setexec };
+allow local_login_t self:process { setexec setrlimit setsched };
 allow local_login_t self:fd use;
 allow local_login_t self:fifo_file rw_fifo_file_perms;
 allow local_login_t self:sock_file read_sock_file_perms;
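Review bot: replacing the `~{ ... }` rule with an explicit `{ setexec setrlimit setsched }` is the right direction (a negated set silently grows every time a new process permission is added to the kernel), but it also drops everything the negation used to grant that is not in the new list, for example signal, sigkill, getsched, setpgid and getattr. Those must now come from the base domain rules or local_login_t will see fresh denials. Test a console login on both openrc and systemd before merging and check audit.log for `local_login_t ... tclass=process` denials.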
@@ -171,7 +170,9 @@ optional_policy(`
 optional_policy(`
 	dbus_system_bus_client(local_login_t)
 
-	consolekit_dbus_chat(local_login_t)
+	optional_policy(`
+		consolekit_dbus_chat(local_login_t)
+	')
 ')
 
 optional_policy(`
@@ -211,7 +212,6 @@ optional_policy(`
 #
 
 allow sulogin_t self:capability dac_override;
-allow sulogin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow sulogin_t self:fd use;
 allow sulogin_t self:fifo_file rw_fifo_file_perms;
 allow sulogin_t self:unix_dgram_socket create_socket_perms;
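Review bot: sulogin_t loses its negated process rule with no explicit replacement, unlike local_login_t above which kept setexec, setrlimit and setsched. That may be fine (sulogin only needs to exec a root shell), but the asymmetry deserves a comment, and sulogin is exactly the path that has to work when boot is already broken, so verify an emergency-mode login in permissive and enforcing before this lands.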



* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
@ 2017-02-27 11:40 Jason Zaman
  0 siblings, 0 replies; 98+ messages in thread
From: Jason Zaman @ 2017-02-27 11:40 UTC (permalink / raw
  To: gentoo-commits

commit:     9276dbc09b973cb5ec8e5ec46f39257c7ab65e3d
Author:     cgzones <cgzones <AT> googlemail <DOT> com>
AuthorDate: Sat Feb 18 20:46:56 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb 27 10:37:10 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9276dbc0

authlogin: introduce auth_use_pam_systemd

add special interface for pam_systemd module permissions

 policy/modules/system/authlogin.if | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index 5bac5fb3..fb92132d 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -91,6 +91,23 @@ interface(`auth_use_pam',`
 
 ########################################
 ## <summary>
+##	Use the pam module systemd during authentication.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`auth_use_pam_systemd',`
+	optional_policy(`
+		dbus_system_bus_client($1)
+		systemd_dbus_chat_logind($1)
+	')
+')
+
+########################################
+## <summary>
 ##	Make the specified domain used for a login program.
 ## </summary>
 ## <param name="domain">
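Review bot: the entire body of auth_use_pam_systemd() sits inside optional_policy, so on a build without the dbus or systemd modules the interface expands to nothing and callers get no compile-time signal that pam_systemd support is missing; that is the intended refpolicy behaviour, but the summary should say so. Also reword `Use the pam module systemd` to `Use the pam_systemd module` so the doc matches the name people will grep for.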



* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
  2017-02-27 11:24 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2017-02-27 11:40 ` Jason Zaman
  0 siblings, 0 replies; 98+ messages in thread
From: Jason Zaman @ 2017-02-27 11:40 UTC (permalink / raw
  To: gentoo-commits

commit:     c67ae33b11b38f63316dc1f7ada908a525768b85
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Feb 27 11:20:10 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb 27 11:23:13 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c67ae33b

authlogin: put interface properly inside optional

 policy/modules/system/authlogin.te | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 59dc8c86..23d184e6 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -87,7 +87,8 @@ logging_log_file(wtmp_t)
 
 optional_policy(`
 	systemd_tmpfilesd_managed(faillog_t, file)
-')	systemd_tmpfilesd_managed(var_auth_t, dir)
+	systemd_tmpfilesd_managed(var_auth_t, dir)
+')
 
 ########################################
 #
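Review bot: the old text called systemd_tmpfilesd_managed(var_auth_t, dir) after the closing `')` of the optional block, so on a build without the systemd module this was an undefined-macro build failure rather than a silent permission gap; the fix is correct. Confirm the authlogin module still builds with systemd disabled.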



* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
  2017-03-30 17:06 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2017-03-30 17:09 ` Jason Zaman
  0 siblings, 0 replies; 98+ messages in thread
From: Jason Zaman @ 2017-03-30 17:09 UTC (permalink / raw
  To: gentoo-commits

commit:     09809ab57a026d6211ca0c65a8837110c12b4367
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Mar 30 16:32:38 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Mar 30 16:32:38 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=09809ab5

tmpfiles: fix policy broken by systemd policy update

 policy/modules/system/modutils.fc | 4 ----
 policy/modules/system/modutils.te | 6 +++---
 policy/modules/system/systemd.fc  | 2 ++
 policy/modules/system/tmpfiles.fc | 2 ++
 4 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/policy/modules/system/modutils.fc b/policy/modules/system/modutils.fc
index b050420a..bd241944 100644
--- a/policy/modules/system/modutils.fc
+++ b/policy/modules/system/modutils.fc
@@ -8,11 +8,7 @@ ifdef(`distro_gentoo',`
 /etc/modprobe.devfs.*		--	gen_context(system_u:object_r:modules_conf_t,s0)
 ')
 
-ifdef(`init_systemd',`
 /run/tmpfiles\.d/kmod\.conf	--	gen_context(system_u:object_r:kmod_tmpfiles_conf_t,s0)
-',`
-/run/tmpfiles\.d/kmod\.conf	--	gen_context(system_u:object_r:kmod_var_run_t,s0)
-')
 
 /usr/bin/kmod			--	gen_context(system_u:object_r:kmod_exec_t,s0)
 

diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index 7d614bd1..28dd296a 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -23,9 +23,9 @@ files_type(modules_conf_t)
 type modules_dep_t;
 files_type(modules_dep_t)
 
+type kmod_tmpfiles_conf_t;
+typealias kmod_tmpfiles_conf_t alias { kmod_var_run_t systemd_kmod_conf_t };
 ifdef(`init_systemd',`
-	type kmod_tmpfiles_conf_t;
-	typealias kmod_tmpfiles_conf_t alias { kmod_var_run_t systemd_kmod_conf_t };
 	systemd_tmpfiles_conf_file(kmod_tmpfiles_conf_t)
 	systemd_tmpfiles_conf_filetrans(kmod_t, kmod_tmpfiles_conf_t, file)
 ')
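Review bot: moving the type and typealias out of ifdef(`init_systemd') is what lets the now-unconditional modutils.fc entry and the filetrans below compile on openrc builds, and keeping kmod_var_run_t as an alias means existing labels and any local rules still resolve. On non-systemd builds the type now exists but only gets systemd_tmpfiles_conf_file() treatment inside the ifdef, so check that kmod can still create and write it there; the follow-up commit 77bed1b4 on this page moves the manage rule out of the ifdef for exactly that reason.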
@@ -194,5 +194,5 @@ ifdef(`distro_gentoo',`
 
 	# for /run/tmpfiles.d/kmod.conf
 	tmpfiles_create_var_run_files(kmod_t)
-	filetrans_add_pattern(kmod_t, tmpfiles_var_run_t, kmod_var_run_t, file)
+	filetrans_add_pattern(kmod_t, tmpfiles_var_run_t, kmod_tmpfiles_conf_t, file)
 ')

diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index 319decfe..41fdfc83 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -48,8 +48,10 @@
 /run/systemd/nspawn(/.*)?	gen_context(system_u:object_r:systemd_nspawn_var_run_t,s0)
 /run/systemd/machines(/.*)?	gen_context(system_u:object_r:systemd_machined_var_run_t,s0)
 
+ifdef(`init_systemd',`
 /run/tmpfiles\.d	-d	gen_context(system_u:object_r:systemd_tmpfiles_conf_t,s0)
 /run/tmpfiles\.d/.*		<<none>>
+')
 
 /var/log/journal(/.*)?		gen_context(system_u:object_r:systemd_journal_t,s0)
 /run/log/journal(/.*)?		gen_context(system_u:object_r:systemd_journal_t,s0)

diff --git a/policy/modules/system/tmpfiles.fc b/policy/modules/system/tmpfiles.fc
index 0240298f..16d821a8 100644
--- a/policy/modules/system/tmpfiles.fc
+++ b/policy/modules/system/tmpfiles.fc
@@ -1,6 +1,8 @@
 
+ifndef(`init_systemd',`
 /etc/tmpfiles.d(/.*)?				gen_context(system_u:object_r:tmpfiles_conf_t,s0)
 /run/tmpfiles.d(/.*)?				gen_context(system_u:object_r:tmpfiles_var_run_t,s0)
+')
 
 /usr/bin/tmpfiles				--	gen_context(system_u:object_r:tmpfiles_exec_t,s0)
 /usr/lib/rc/bin/checkpath			--	gen_context(system_u:object_r:tmpfiles_exec_t,s0)
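Review bot: systemd.fc now claims /run/tmpfiles\.d only under init_systemd and tmpfiles.fc only under ifndef(`init_systemd'), which removes the duplicate spec for the same path. modutils.fc, however, still labels /run/tmpfiles\.d/kmod\.conf unconditionally while systemd.fc marks /run/tmpfiles\.d/.* as <<none>> on systemd builds; confirm with `matchpathcon /run/tmpfiles.d/kmod.conf` on a systemd build that the more specific modutils.fc entry wins, otherwise kmod.conf ends up unlabelled.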



* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
  2017-05-07 17:41 [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
@ 2017-05-07 17:47 ` Jason Zaman
  0 siblings, 0 replies; 98+ messages in thread
From: Jason Zaman @ 2017-05-07 17:47 UTC (permalink / raw
  To: gentoo-commits

commit:     77bed1b44f95619267e8a36a197fc6b5513e11ed
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun May  7 03:24:40 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun May  7 17:40:29 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=77bed1b4

modutils: kmod_tmpfiles_conf_t create should be allowed even for openrc

 policy/modules/system/modutils.te | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index 1c52e0b5..80831320 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -49,6 +49,7 @@ manage_files_pattern(kmod_t, modules_dep_t, modules_dep_t)
 filetrans_add_pattern(kmod_t, modules_object_t, modules_dep_t, file)
 create_files_pattern(kmod_t, modules_object_t, modules_dep_t)
 delete_files_pattern(kmod_t, modules_object_t, modules_dep_t)
+allow kmod_t kmod_tmpfiles_conf_t:file manage_file_perms;
 
 can_exec(kmod_t, kmod_exec_t)
 
@@ -115,8 +116,6 @@ userdom_use_user_terminals(kmod_t)
 userdom_dontaudit_search_user_home_dirs(kmod_t)
 
 ifdef(`init_systemd',`
-	# for /run/tmpfiles.d/kmod.conf
-	allow kmod_t kmod_tmpfiles_conf_t:file manage_file_perms;
 	# kmod needs to create /run/tmpdiles.d
 	systemd_tmpfiles_creator(kmod_t)
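Review bot: the moved rule lost its `# for /run/tmpfiles.d/kmod.conf` comment; carry it to the new location in hunk 1 so the manage_file_perms grant on kmod_tmpfiles_conf_t stays explained. The remaining context line also has a typo, `tmpdiles.d`, worth fixing in passing.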
 



* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
@ 2017-09-10 14:03 Jason Zaman
  0 siblings, 0 replies; 98+ messages in thread
From: Jason Zaman @ 2017-09-10 14:03 UTC (permalink / raw
  To: gentoo-commits

commit:     bfbc6bd14be977d19cadd03be8e1ed57b9568496
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun Sep 10 12:49:14 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Sep 10 12:49:14 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=bfbc6bd1

Introduce userdom_map_user_tmpfs_files interface

 policy/modules/system/userdomain.if | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index cc019898..88704b71 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -3212,6 +3212,24 @@ interface(`userdom_rw_user_tmpfs_files',`
 
 ########################################
 ## <summary>
+##	Map user tmpfs files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_map_user_tmpfs_files',`
+	gen_require(`
+		type user_tmpfs_t;
+	')
+
+	allow $1 user_tmpfs_t:file map;
+')
+
+########################################
+## <summary>
 ##	Delete user tmpfs files.
 ## </summary>
 ## <param name="domain">
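Review bot: naming: this interface is userdom_map_user_tmpfs_files() while the sibling added in commit d9d2a067 on this page is userdom_mmap_user_tmp_files(); pick one prefix (refpolicy uses mmap_ for this permission family, cf. mmap_file_perms) so both are discoverable. The interface grants map alone, which is only useful on top of read or rw access obtained elsewhere; the summary should say that callers are expected to pair it with a read or rw interface.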



* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
@ 2017-09-10 14:03 Jason Zaman
  0 siblings, 0 replies; 98+ messages in thread
From: Jason Zaman @ 2017-09-10 14:03 UTC (permalink / raw
  To: gentoo-commits

commit:     ab5e77931352bf9a38c3bd273b833329de9cb050
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun Sep 10 12:51:09 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Sep 10 12:51:09 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ab5e7793

userdomain: allow map user_tmpfs_t files

 policy/modules/system/userdomain.if | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 88704b71..84e9c57e 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -401,6 +401,7 @@ interface(`userdom_manage_tmpfs_role',`
 		type user_tmpfs_t;
 	')
 
+	allow $2 user_tmpfs_t:file map;
 	manage_dirs_pattern($2, user_tmpfs_t, user_tmpfs_t)
 	manage_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
 	manage_lnk_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
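Review bot: the parameter is right: in userdom_manage_tmpfs_role the domain is $2 and $1 is the role. Since userdom_map_user_tmpfs_files() was introduced in the preceding commit, calling it here instead of a raw `allow $2 user_tmpfs_t:file map;` would keep the map grant in one place, though inside the same module a raw rule is acceptable.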



* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
@ 2017-09-10 14:03 Jason Zaman
  0 siblings, 0 replies; 98+ messages in thread
From: Jason Zaman @ 2017-09-10 14:03 UTC (permalink / raw
  To: gentoo-commits

commit:     80dc75218a97e01f1cd48b239e7c6eb731b8c892
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun Sep 10 13:38:15 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Sep 10 13:38:15 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=80dc7521

miscfiles: map fonts cache

 policy/modules/system/miscfiles.if | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
index e39c387e..05968866 100644
--- a/policy/modules/system/miscfiles.if
+++ b/policy/modules/system/miscfiles.if
@@ -181,6 +181,7 @@ interface(`miscfiles_read_fonts',`
 
 	allow $1 fonts_cache_t:dir list_dir_perms;
 	read_files_pattern($1, fonts_cache_t, fonts_cache_t)
+	allow $1 fonts_cache_t:file map;
 	read_lnk_files_pattern($1, fonts_cache_t, fonts_cache_t)
 ')
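Review bot: adding map to miscfiles_read_fonts() widens every existing caller of the interface at once; that matches how the font cache is consumed (the reason for the commit), but say so in the commit message, since domains that only read fonts and were previously confined from mapping gain the permission with no change on their side.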
 



* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
@ 2017-09-10 14:03 Jason Zaman
  0 siblings, 0 replies; 98+ messages in thread
From: Jason Zaman @ 2017-09-10 14:03 UTC (permalink / raw
  To: gentoo-commits

commit:     f32eef0d86cbdfc1f28a91528c365c9607f5e268
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun Sep 10 13:21:05 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Sep 10 13:21:05 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f32eef0d

modutils: allow kmod map perms

 policy/modules/system/modutils.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index baa75129..297a2e42 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -50,6 +50,7 @@ filetrans_add_pattern(kmod_t, modules_object_t, modules_dep_t, file)
 create_files_pattern(kmod_t, modules_object_t, modules_dep_t)
 delete_files_pattern(kmod_t, modules_object_t, modules_dep_t)
 allow kmod_t kmod_tmpfiles_conf_t:file manage_file_perms;
+allow kmod_t { modules_dep_t modules_object_t }:file map;
 
 can_exec(kmod_t, kmod_exec_t)
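Review bot: map on modules_object_t and modules_dep_t lets kmod mmap the module files and dependency index it loads, and read is already granted by the patterns above, so the grant is minimal; a short comment next to the rule stating why kmod maps these files would keep the reason visible beside the permission.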
 



* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
@ 2017-09-10 14:03 Jason Zaman
  0 siblings, 0 replies; 98+ messages in thread
From: Jason Zaman @ 2017-09-10 14:03 UTC (permalink / raw
  To: gentoo-commits

commit:     a529ea9e146a0a040d183a69c2840d1d36d034e4
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun Sep 10 13:51:28 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Sep 10 13:53:02 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a529ea9e

authlogin: shadow map perms

update can_read_shadow_passwords neverallow to check map perm too

 policy/modules/system/authlogin.if | 2 +-
 policy/modules/system/authlogin.te | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index 738b1e6f..1ab047bc 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -606,7 +606,7 @@ interface(`auth_tunable_read_shadow',`
 	')
 
 	files_list_etc($1)
-	allow $1 shadow_t:file read_file_perms;
+	allow $1 shadow_t:file { read_file_perms map };
 ')
 
 ########################################

diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 69337c89..8ddcd226 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -60,7 +60,7 @@ files_pid_file(pam_var_run_t)
 
 type shadow_t;
 files_auth_file(shadow_t)
-neverallow ~can_read_shadow_passwords shadow_t:file read;
+neverallow ~can_read_shadow_passwords shadow_t:file { read map };
 neverallow ~can_write_shadow_passwords shadow_t:file { create write };
 neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto;
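Review bot: extending the neverallow to `{ read map }` is the important part of this commit: mapping a file with PROT_READ exposes its contents just as read does, so a domain granted map but not read would have slipped past the shadow neverallow. The build-time neverallow check now forces every map grant on shadow_t (the authlogin.if hunk above and the chkpwd_t rule below) to sit behind the can_read_shadow_passwords attribute, which is the right place for it.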
 
@@ -99,7 +99,7 @@ allow chkpwd_t self:capability { dac_override setuid };
 dontaudit chkpwd_t self:capability sys_tty_config;
 allow chkpwd_t self:process { getattr signal };
 
-allow chkpwd_t shadow_t:file read_file_perms;
+allow chkpwd_t shadow_t:file { read_file_perms map };
 files_list_etc(chkpwd_t)
 
 kernel_read_crypto_sysctls(chkpwd_t)



* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
@ 2017-09-10 14:03 Jason Zaman
  0 siblings, 0 replies; 98+ messages in thread
From: Jason Zaman @ 2017-09-10 14:03 UTC (permalink / raw
  To: gentoo-commits

commit:     d9d2a067d727b222feb528d67103b4aec0e3c77a
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun Sep 10 13:09:48 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Sep 10 13:10:44 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d9d2a067

selinuxutil: allow semanage map perms

 policy/modules/system/selinuxutil.te |  4 +++-
 policy/modules/system/userdomain.if  | 18 ++++++++++++++++++
 2 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 0629d437..35ba57c2 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -489,7 +489,7 @@ allow semanage_t policy_src_t:dir search;
 filetrans_pattern(semanage_t, selinux_config_t, semanage_store_t, dir, "modules")
 
 allow semanage_t semanage_tmp_t:dir manage_dir_perms;
-allow semanage_t semanage_tmp_t:file { manage_file_perms mmap_file_perms };
+allow semanage_t semanage_tmp_t:file { manage_file_perms mmap_file_perms map };
 files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
 
 kernel_read_system_state(semanage_t)
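Review bot: `{ manage_file_perms mmap_file_perms map }` spells map out beside mmap_file_perms; if mmap_file_perms is later extended to include map (as its name suggests it should be), the explicit map becomes redundant. Harmless here, but adding map once to the mmap_file_perms definition in obj_perm_sets.spt would cover all such rules instead of patching them one by one.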
@@ -540,7 +540,9 @@ seutil_manage_default_contexts(semanage_t)
 
 # Handle pp files created in homedir and /tmp
 userdom_read_user_home_content_files(semanage_t)
+userdom_mmap_user_home_content_files(semanage_t)
 userdom_read_user_tmp_files(semanage_t)
+userdom_mmap_user_tmp_files(semanage_t)
 
 ifdef(`distro_debian',`
 	files_read_var_lib_files(semanage_t)
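Review bot: userdom_mmap_user_home_content_files() is called here but is not defined in this commit's userdomain.if hunk, which adds only userdom_mmap_user_tmp_files(); confirm the home-content variant already exists in the tree, otherwise the build fails on an undefined interface.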

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 16789a3c..88fdb823 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -2565,6 +2565,24 @@ interface(`userdom_read_user_tmp_files',`
 
 ########################################
 ## <summary>
+##	Mmap user temporary files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_mmap_user_tmp_files',`
+	gen_require(`
+		type user_tmp_t;
+	')
+
+	allow $1 user_tmp_t:file map;
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to read users
 ##	temporary files.
 ## </summary>



* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
@ 2017-09-10 14:03 Jason Zaman
  0 siblings, 0 replies; 98+ messages in thread
From: Jason Zaman @ 2017-09-10 14:03 UTC (permalink / raw
  To: gentoo-commits

commit:     dcabf74f03c4b6e531814174a6853849687db7d3
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun Sep 10 13:35:16 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Sep 10 13:35:16 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=dcabf74f

getty: allow nsswitch

 policy/modules/system/getty.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
index 6d3c4284..3a7564ab 100644
--- a/policy/modules/system/getty.te
+++ b/policy/modules/system/getty.te
@@ -82,6 +82,7 @@ term_setattr_unallocated_ttys(getty_t)
 term_setattr_console(getty_t)
 
 auth_rw_login_records(getty_t)
+auth_use_nsswitch(getty_t)
 
 init_rw_utmp(getty_t)
 



* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
@ 2017-09-10 14:03 Jason Zaman
  0 siblings, 0 replies; 98+ messages in thread
From: Jason Zaman @ 2017-09-10 14:03 UTC (permalink / raw
  To: gentoo-commits

commit:     58da6a68ade7d4c28dfbc679d901af98573cf441
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun Sep 10 13:32:17 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Sep 10 13:32:17 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=58da6a68

logging: audit map config files and fcontext for /etc/audisp

 policy/modules/system/logging.fc | 1 +
 policy/modules/system/logging.te | 5 +++++
 2 files changed, 6 insertions(+)

diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
index 9174f94b..55bb640b 100644
--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
@@ -3,6 +3,7 @@
 /etc/rsyslog.conf		gen_context(system_u:object_r:syslog_conf_t,s0)
 /etc/syslog.conf		gen_context(system_u:object_r:syslog_conf_t,s0)
 /etc/audit(/.*)?		gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
+/etc/audisp(/.*)?		gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
 /etc/rc\.d/init\.d/auditd --	gen_context(system_u:object_r:auditd_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/rsyslog --	gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
 
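Review bot: the added `/etc/audisp(/.*)?` entry reuses `auditd_etc_t`, the same type as `/etc/audit(/.*)?` directly above it, so every domain allowed to read auditd_etc_t (audisp_t gains that in the accompanying logging.te change) can also read auditd.conf and the audit rules. If the audisp plugin configuration is meant to be readable without exposing the rules, a dedicated type would be needed; if the sharing is intentional, a short comment saying so on the entry would save the next reviewer the question. The `mls_systemhigh` level is consistent with the `/etc/audit` entry.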

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 6d09c8bd..de255723 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -105,6 +105,7 @@ allow auditctl_t self:netlink_audit_socket nlmsg_readpriv;
 
 read_files_pattern(auditctl_t, auditd_etc_t, auditd_etc_t)
 allow auditctl_t auditd_etc_t:dir list_dir_perms;
+allow auditctl_t auditd_etc_t:file map;
 
 # Needed for adding watches
 files_getattr_all_dirs(auditctl_t)
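Review bot: `allow auditctl_t auditd_etc_t:file map;` is added without a comment. `read_files_pattern` does not grant `map`, so the explicit rule is the right way to allow a memory-mapped read, but a comment directly above it in the style of the `# Needed for adding watches` line two lines below (for example `# auditctl mmaps its config files`) would record why mapping rather than plain reading is required and keep the rule from being dropped as redundant later.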
@@ -245,6 +246,10 @@ allow audisp_t self:unix_dgram_socket create_socket_perms;
 
 allow audisp_t auditd_t:unix_stream_socket rw_socket_perms;
 
+read_files_pattern(audisp_t, auditd_etc_t, auditd_etc_t)
+allow audisp_t auditd_etc_t:dir list_dir_perms;
+allow audisp_t auditd_etc_t:file map;
+
 manage_sock_files_pattern(audisp_t, audisp_var_run_t, audisp_var_run_t)
 files_pid_filetrans(audisp_t, audisp_var_run_t, sock_file)
 
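Review bot: the three rules added for audisp_t (`read_files_pattern(audisp_t, auditd_etc_t, auditd_etc_t)`, `dir list_dir_perms` and `file map` on auditd_etc_t) repeat the auditctl_t block from the earlier hunk line for line. Factoring them into an interface in logging.if and calling it from both domains would keep the two callers in sync when the type or the `map` permission changes; failing that, the new block should carry a comment tying it to the `/etc/audisp` fcontext change (for example `# read /etc/audisp plugin configuration`), since like the auditctl_t hunk it currently explains neither the read nor the map.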

