public inbox for gentoo-commits@lists.gentoo.org
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/roles/, policy/modules/system/
@ 2015-06-09 13:33 Jason Zaman
From: Jason Zaman @ 2015-06-09 13:33 UTC
  To: gentoo-commits

commit:     08213f5921384c780e0fd9f588a1f997c7f0d1ba
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Tue Jun  9 12:39:18 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Jun  9 13:06:34 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=08213f59

Module version bump for admin interface changes from Jason Zaman.

 policy/modules/roles/sysadm.te    | 2 +-
 policy/modules/system/iptables.te | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 4ece2da..13b48c6 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -1,4 +1,4 @@
-policy_module(sysadm, 2.8.0)
+policy_module(sysadm, 2.8.1)
 
 ########################################
 #

diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
index fc97f63..8840633 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -1,4 +1,4 @@
-policy_module(iptables, 1.15.1)
+policy_module(iptables, 1.15.2)
 
 ########################################
 #



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/roles/, policy/modules/system/
@ 2015-07-31 14:15 Jason Zaman
From: Jason Zaman @ 2015-07-31 14:15 UTC
  To: gentoo-commits

commit:     7cbd3127de4bc90b6b00f2567edf54efaa6ecd66
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Tue Jul 14 15:18:35 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Jul 30 16:41:28 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7cbd3127

Module version bumps for admin interfaces from Jason Zaman.

 policy/modules/roles/sysadm.te   | 2 +-
 policy/modules/system/ipsec.te   | 2 +-
 policy/modules/system/lvm.te     | 2 +-
 policy/modules/system/setrans.te | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index e96c1fd..b6cf594 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -1,4 +1,4 @@
-policy_module(sysadm, 2.8.1)
+policy_module(sysadm, 2.8.2)
 
 ########################################
 #

diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index 0d2fc22..3734bd4 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -1,4 +1,4 @@
-policy_module(ipsec, 1.15.0)
+policy_module(ipsec, 1.15.1)
 
 ########################################
 #

diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index a1485fb..6880656 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -1,4 +1,4 @@
-policy_module(lvm, 1.16.0)
+policy_module(lvm, 1.16.1)
 
 ########################################
 #

diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
index 6d057f8..2df8b53 100644
--- a/policy/modules/system/setrans.te
+++ b/policy/modules/system/setrans.te
@@ -1,4 +1,4 @@
-policy_module(setrans, 1.10.0)
+policy_module(setrans, 1.10.1)
 
 gen_require(`
 	class context contains;



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/roles/, policy/modules/system/
@ 2015-07-31 14:15 Jason Zaman
From: Jason Zaman @ 2015-07-31 14:15 UTC
  To: gentoo-commits

commit:     41f2cdfadbb7cb1fd016839b923846a9946f3cab
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Jul 11 09:15:45 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Jul 30 16:41:27 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=41f2cdfa

Introduce ipsec_admin interface

 policy/modules/roles/sysadm.te |  8 +------
 policy/modules/system/ipsec.if | 51 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 52 insertions(+), 7 deletions(-)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 1ee88cd..5901b2f 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -473,13 +473,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-	# allow system administrator to use the ipsec script to look
-	# at things (e.g., ipsec auto --status)
-	# probably should create an ipsec_admin role for this kind of thing
-	ipsec_exec_mgmt(sysadm_t)
-	ipsec_stream_connect(sysadm_t)
-	# for lsof
-	ipsec_getattr_key_sockets(sysadm_t)
+	ipsec_admin(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`
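Review bot: replacing the three targeted calls with ipsec_admin(sysadm_t, sysadm_r) widens sysadm_t's access well beyond a refactor: per the ipsec.if hunk in this same commit, the interface adds ptrace and signals on ipsec_t, service start/stop, and admin_pattern on the configuration, key, log, tmp, pid and lock types. That is a reasonable scope for sysadm_r, but the commit message ("Introduce ipsec_admin interface") should state that sysadm's IPsec access is being expanded, so the change is visible when the policy is audited. Dropping the old comment is fine; the ipsec_admin it asked for now exists.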

diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if
index 0d4c8d3..3d64054 100644
--- a/policy/modules/system/ipsec.if
+++ b/policy/modules/system/ipsec.if
@@ -369,3 +369,54 @@ interface(`ipsec_run_setkey',`
 	ipsec_domtrans_setkey($1)
 	role $2 types setkey_t;
 ')
+
+########################################
+## <summary>
+##	All of the rules required to
+##	administrate an ipsec environment.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`ipsec_admin',`
+	gen_require(`
+		type ipsec_t, ipsec_initrc_exec_t, ipsec_conf_file_t;
+		type ipsec_key_file_t, ipsec_log_t, ipsec_tmp_t;
+		type ipsec_var_run_t, ipsec_mgmt_lock_t;
+		type ipsec_mgmt_var_run_t, racoon_tmp_t;
+	')
+
+	allow $1 ipsec_t:process { ptrace signal_perms };
+	ps_process_pattern($1, ipsec_t)
+
+	init_startstop_service($1, $2, ipsec_t, ipsec_initrc_exec_t)
+
+	ipsec_exec_mgmt($1)
+	ipsec_stream_connect($1)
+	# for lsof
+	ipsec_getattr_key_sockets($1)
+
+	files_search_etc($1)
+	admin_pattern($1, { ipsec_conf_file_t ipsec_key_file_t })
+
+	files_search_tmp($1)
+	admin_pattern($1, { ipsec_tmp_t racoon_tmp_t })
+
+	files_search_pids($1)
+	admin_pattern($1, { ipsec_var_run_t ipsec_mgmt_var_run_t })
+
+	files_search_locks($1)
+	admin_pattern($1, ipsec_mgmt_lock_t)
+
+	logging_search_logs($1)
+	admin_pattern($1, ipsec_log_t)
+')
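Review bot: the process rules (ptrace, signal_perms, ps_process_pattern) cover only ipsec_t, yet the gen_require pulls in racoon_tmp_t and the context above shows the module also defines setkey_t (`role $2 types setkey_t;`), so racoon and setkey processes stay outside an administrator's reach through this interface. Either add the equivalent process rules for those domains or state in the <summary> that only the ipsec_t daemon is covered. One more line belongs in the summary: admin_pattern on ipsec_key_file_t gives the caller full read, write and relabel access to the IPsec key material, so callers should be restricted to genuine administrative domains.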



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/roles/, policy/modules/system/
@ 2015-07-31 14:15 Jason Zaman
From: Jason Zaman @ 2015-07-31 14:15 UTC
  To: gentoo-commits

commit:     d12c961da29084ced47ff21373925c02fc73e022
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Jul 11 09:15:46 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Jul 30 16:41:28 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d12c961d

Introduce setrans_admin interface

 policy/modules/roles/sysadm.te   |  4 ++++
 policy/modules/system/setrans.if | 31 +++++++++++++++++++++++++++++++
 2 files changed, 35 insertions(+)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 5901b2f..e96c1fd 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -952,6 +952,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	setrans_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
 	setroubleshoot_admin(sysadm_t, sysadm_r)
 ')
 

diff --git a/policy/modules/system/setrans.if b/policy/modules/system/setrans.if
index efa9c27..2a8ecaa 100644
--- a/policy/modules/system/setrans.if
+++ b/policy/modules/system/setrans.if
@@ -40,3 +40,34 @@ interface(`setrans_translate_context',`
 	stream_connect_pattern($1, setrans_var_run_t, setrans_var_run_t, setrans_t)
 	files_list_pids($1)
 ')
+
+######################################
+## <summary>
+##	All of the rules required to
+##	administrate an setrans environment.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+#
+interface(`setrans_admin',`
+	gen_require(`
+		type setrans_t, setrans_initrc_exec_t;
+		type setrans_var_run_t;
+	')
+
+	allow $1 setrans_t:process { ptrace signal_perms };
+	ps_process_pattern($1, setrans_t)
+
+	init_startstop_service($1, $2, setrans_t, setrans_initrc_exec_t)
+
+	files_search_pids($1)
+	admin_pattern($1, setrans_var_run_t)
+')
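Review bot: the <rolecap/> tag is missing even though the interface takes a role parameter and passes it to init_startstop_service; ipsec_admin in the sibling commit carries it, and the interface documentation tooling keys off it. Two nits in the same header: "administrate an setrans environment" should read "a setrans environment", and the separator line appears shorter than the 40-character one used by the other interfaces in this file.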



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/roles/, policy/modules/system/
@ 2016-05-13  5:37 Jason Zaman
From: Jason Zaman @ 2016-05-13 05:37 UTC
  To: gentoo-commits

commit:     8f8722e0e188680bf9d1bc518e515685cd424667
Author:     Dominick Grift <dac.override <AT> gmail <DOT> com>
AuthorDate: Thu Apr 28 10:06:40 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri May 13 05:07:33 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8f8722e0

Update refpolicy to handle hwloc

The Portable Hardware Locality (hwloc) software package provides a
portable abstraction (across OS, versions, architectures, ...) of the
hierarchical topology of modern architectures, including NUMA memory
nodes, sockets, shared caches, cores and simultaneous multithreading. It
also gathers various system attributes such as cache and memory
information as well as the locality of I/O devices such as network
interfaces, InfiniBand HCAs or GPUs.

Following changes enable:
- add interface to change dirs in /var/run
- add optional policies for hwloc-dump-hwdata

V3:
Remove files_rw_pid_dirs()
Call hwloc_admin(sysadm_t) instead of hwloc_manage_runtime(sysadm_t)
Adjust calls to renamed hwloc dhwd run and exec interfaces

Signed-off-by: Dominick Grift <dac.override <AT> gmail.com>

 policy/modules/roles/sysadm.te      | 5 +++++
 policy/modules/system/userdomain.if | 5 +++++
 2 files changed, 10 insertions(+)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 6c46905..e9e3e43 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -458,6 +458,11 @@ optional_policy(`
 ')
 
 optional_policy(`
+	hwloc_admin(sysadm_t)
+	hwloc_run_dhwd(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
 	howl_admin(sysadm_t, sysadm_r)
 ')
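Review bot: hwloc_admin(sysadm_t) is called with a single argument while the neighbouring admin call directly below it, howl_admin(sysadm_t, sysadm_r), passes the role as well. If hwloc_admin follows the refpolicy admin-interface convention, $2 expands to nothing here and the role association for any daemon it starts or stops is never made; if it deliberately takes only a domain (the V3 note says it replaces hwloc_manage_runtime, which also took one argument), a short comment saying so would stop the next reader from flagging it. Confirm against hwloc.if, which is not part of this diff.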
 

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index e341a1c..9284808 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -645,6 +645,11 @@ template(`userdom_common_user_template',`
 	')
 
 	optional_policy(`
+		hwloc_exec_dhwd($1_t)
+		hwloc_read_runtime_files($1_t)
+	')
+
+	optional_policy(`
 		inetd_use_fds($1_t)
 		inetd_rw_tcp_sockets($1_t)
 	')
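Review bot: these two lines give every user domain produced by userdom_common_user_template permission to execute hwloc-dump-hwdata in its own domain (exec, not a domain transition) and to read hwloc's runtime files. That fits the optional_policy blocks around it, but the commit message only mentions sysadm and the /var/run directory interface; a sentence on why ordinary users need this, and that the runtime data is read-only for them, would help later readers.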



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/roles/, policy/modules/system/
@ 2017-09-17  4:21 Jason Zaman
From: Jason Zaman @ 2017-09-17 04:21 UTC
  To: gentoo-commits

commit:     bbcc0fa3e3162e0a012c7b740d3e549b10e3709c
Author:     Christian Göttsche <cgzones <AT> googlemail <DOT> com>
AuthorDate: Thu Sep 14 11:46:04 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Sep 17 03:17:39 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=bbcc0fa3

dphysswapfile: add interfaces and sysadm access

v2:

add swapfile file context

 policy/modules/roles/sysadm.te   |  4 +++
 policy/modules/system/fstools.fc |  2 ++
 policy/modules/system/fstools.if | 54 ++++++++++++++++++++++++++++++++++++++++
 3 files changed, 60 insertions(+)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index c7520fac..a6e7ba61 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -379,6 +379,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	dphysswapfile_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
 	dpkg_run(sysadm_t, sysadm_r)
 ')
 

diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
index 71dad308..494d021e 100644
--- a/policy/modules/system/fstools.fc
+++ b/policy/modules/system/fstools.fc
@@ -106,6 +106,8 @@
 /usr/sbin/zstreamdump		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/sbin/ztest			--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 
+/var/swap			--	gen_context(system_u:object_r:swapfile_t,s0)
+
 /var/log/fsck(/.*)?		gen_context(system_u:object_r:fsadm_log_t,s0)
 
 /run/blkid(/.*)?		gen_context(system_u:object_r:fsadm_run_t,s0)
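Review bot: the new /var/swap entry lands between the /usr/sbin block and /var/log/fsck; ordering has no effect on matching, but this file groups entries by path, so it reads better after the /var/log/fsck line. Because the pattern has no regex metacharacters it is an exact match on /var/swap only; a swap file created at any other path stays unlabelled, and therefore unreachable through the new fstools_manage_swap_files interface, until the administrator adds a local file context for it. Worth a note in the commit message.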

diff --git a/policy/modules/system/fstools.if b/policy/modules/system/fstools.if
index f04d843c..6ebe3800 100644
--- a/policy/modules/system/fstools.if
+++ b/policy/modules/system/fstools.if
@@ -209,3 +209,57 @@ interface(`fstools_getattr_swap_files',`
 
 	allow $1 swapfile_t:file getattr;
 ')
+
+########################################
+## <summary>
+##	Ignore access to a swapfile.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`fstools_dontaudit_getattr_swap_files',`
+	gen_require(`
+		type swapfile_t;
+	')
+
+	dontaudit $1 swapfile_t:file getattr;
+')
+
+########################################
+## <summary>
+##	Relabel to swapfile.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fstools_relabelto_swap_files',`
+	gen_require(`
+		type swapfile_t;
+	')
+
+	allow $1 swapfile_t:file relabelto;
+')
+
+########################################
+## <summary>
+##	Manage swapfile.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fstools_manage_swap_files',`
+	gen_require(`
+		type swapfile_t;
+	')
+
+	allow $1 swapfile_t:file manage_file_perms;
+')
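Review bot: the summary of fstools_dontaudit_getattr_swap_files says "Ignore access to a swapfile", but the rule only suppresses getattr denials; "Do not audit attempts to get the attributes of swap files" matches the rule. fstools_manage_swap_files grants manage_file_perms on swapfile_t alone, so a caller still needs search on the parent directory (files_search_var for /var/swap) to reach the file; the dphysswapfile_admin interface that consumes this should supply it. Since writing to an in-use swap file alters paged-out memory of arbitrary processes, manage access on swapfile_t is effectively a very high privilege and the summary should say so, so that only administrative domains are ever given it.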



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/roles/, policy/modules/system/
@ 2019-03-26 10:17 Jason Zaman
From: Jason Zaman @ 2019-03-26 10:17 UTC
  To: gentoo-commits

commit:     18a557d8e2120c52b059d17bae57811480582f52
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Mar 17 20:27:34 2019 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Mar 25 10:05:25 2019 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=18a557d8

sysadm, udev: Module version bump.

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

 policy/modules/roles/sysadm.te | 2 +-
 policy/modules/system/udev.te  | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 6827561f..a9bdbee7 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -1,4 +1,4 @@
-policy_module(sysadm, 2.14.1)
+policy_module(sysadm, 2.14.2)
 
 ########################################
 #

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index e6c64026..5d26074a 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -1,4 +1,4 @@
-policy_module(udev, 1.25.1)
+policy_module(udev, 1.25.2)
 
 ########################################
 #



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/roles/, policy/modules/system/
@ 2021-11-11 21:27 Jason Zaman
From: Jason Zaman @ 2021-11-11 21:27 UTC
  To: gentoo-commits

commit:     090564ca60e3405a73b5c1cea62cbe6a6d5a0eb1
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Sun Nov  7 01:40:44 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Nov 11 21:26:50 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=090564ca

sysadm, systemd: fixes for systemd-networkd

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/roles/sysadm.te   |  4 ++++
 policy/modules/system/systemd.if | 21 +++++++++++++++++++++
 policy/modules/system/systemd.te |  3 +++
 3 files changed, 28 insertions(+)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 1a1fddf4..3deec0a8 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -88,6 +88,10 @@ ifdef(`init_systemd',`
 	# Allow sysadm to get the status of and set properties of other users,
 	# sessions, and seats on the system.
 	systemd_dbus_chat_logind(sysadm_t)
+
+	# Allow sysadm to query and set networking settings on the system.
+	systemd_dbus_chat_networkd(sysadm_t)
+	fs_read_nsfs_files(sysadm_t)
 ')
 
 tunable_policy(`allow_ptrace',`

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index e5742254..a493f7dc 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -1425,6 +1425,27 @@ interface(`systemd_startstop_networkd',`
 	allow $1 systemd_networkd_unit_t:service { start stop };
 ')
 
+########################################
+## <summary>
+##   Send and receive messages from
+##   systemd networkd over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`systemd_dbus_chat_networkd',`
+	gen_require(`
+		type systemd_networkd_t;
+		class dbus send_msg;
+	')
+
+	allow $1 systemd_networkd_t:dbus send_msg;
+	allow systemd_networkd_t $1:dbus send_msg;
+')
+
 ########################################
 ## <summary>
 ##	Allow specified domain to get status of systemd-networkd
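Review bot: the <summary> block indents with three spaces after ## while the <param> block in this same hunk and the interface directly below use a tab; match the tab. The bidirectional send_msg pair is the usual dbus_chat shape, but it also lets systemd_networkd_t send to $1, so every caller becomes reachable by networkd on the bus; that is expected for sysadm_t, and the summary could say "send and receive" is deliberately symmetric.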

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 0f811c77..1e7511b9 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -914,6 +914,9 @@ files_watch_runtime_dirs(systemd_networkd_t)
 files_watch_root_dirs(systemd_networkd_t)
 files_list_runtime(systemd_networkd_t)
 fs_getattr_xattr_fs(systemd_networkd_t)
+fs_getattr_cgroup(systemd_networkd_t)
+fs_search_cgroup_dirs(systemd_networkd_t)
+fs_read_nsfs_files(systemd_networkd_t)
 
 auth_use_nsswitch(systemd_networkd_t)
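Review bot: the three new rules give systemd-networkd getattr and search on cgroupfs and read on nsfs files with no comment, and the commit message says only "fixes for systemd-networkd"; record which denials motivated them so the permissions can be reviewed later. nsfs read is also granted to sysadm_t in this commit with an explanatory comment; a matching one-line comment here would tie the two together.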
 



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/roles/, policy/modules/system/
@ 2021-11-21  3:00 Jason Zaman
From: Jason Zaman @ 2021-11-21 03:00 UTC
  To: gentoo-commits

commit:     cef9e4e41372d7845ec7321525d36469c55b074d
Author:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
AuthorDate: Sun Nov 21 02:55:15 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Nov 21 02:55:15 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=cef9e4e4

roles: Update to use user exec domain attribute

Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/roles/staff.te       | 8 ++------
 policy/modules/roles/unprivuser.te  | 6 +-----
 policy/modules/system/unconfined.te | 2 +-
 3 files changed, 4 insertions(+), 12 deletions(-)

diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 29f68027..e7b711d3 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -240,7 +240,7 @@ ifdef(`distro_gentoo',`
 	')
 
 	optional_policy(`
-		hadoop_role(staff_r, staff_t)
+		hadoop_role(staff, staff_t, staff_application_exec_domain, staff_r)
 	')
 
 	optional_policy(`
@@ -269,10 +269,6 @@ ifdef(`distro_gentoo',`
 	')
 
 	optional_policy(`
-		wine_role(staff_r, staff_t)
-	')
-
-	optional_policy(`
-		xscreensaver_role(staff_r, staff_t)
+		wine_role(staff, staff_t, staff_application_exec_domain, staff_r)
 	')
 ')
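Review bot: beyond the wine_role signature change, this hunk silently removes the xscreensaver_role(staff_r, staff_t) optional block, and the commit message ("Update to use user exec domain attribute") does not mention it. If xscreensaver_role was dropped or folded into a template elsewhere, say so in the message; otherwise staff loses its xscreensaver domain transition. The same removal happens for user_r in unprivuser.te below.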

diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index 32c928d7..48f86f15 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -248,10 +248,6 @@ ifdef(`distro_gentoo',`
 	')
 
 	optional_policy(`
-		wine_role(user_r, user_t)
-	')
-
-	optional_policy(`
-		xscreensaver_role(user_r, user_t)
+		wine_role(user, user_t, user_application_exec_domain, user_r)
 	')
 ')
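Review bot: same point as for staff.te: xscreensaver_role(user_r, user_t) is removed here without mention in the commit message, while the stated purpose of the change is only the new role-interface signature.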

diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index 95d08889..a055df6e 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -240,7 +240,7 @@ optional_policy(`
 ifdef(`distro_gentoo',`
 
 	optional_policy(`
-		chromium_role(unconfined_r, unconfined_t)
+		chromium_role(unconfined, unconfined_t, unconfined_application_exec_domain, unconfined_r)
 	')
 
 	optional_policy(`



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/roles/, policy/modules/system/
@ 2022-01-30  1:22 Jason Zaman
From: Jason Zaman @ 2022-01-30 01:22 UTC
  To: gentoo-commits

commit:     8e5c3ef52981f7fe7a093add0ea2e774c4a03367
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Thu Dec 23 14:54:00 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jan 30 01:12:42 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8e5c3ef5

staff, unconfined: allow container user access

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/roles/staff.te       | 4 ++++
 policy/modules/system/unconfined.te | 4 ++++
 2 files changed, 8 insertions(+)

diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 253869d9..4a4867f7 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -23,6 +23,10 @@ optional_policy(`
 	auditadm_role_change(staff_r)
 ')
 
+optional_policy(`
+	container_user_role(staff, staff_t, staff_application_exec_domain, staff_r)
+')
+
 optional_policy(`
 	dbadm_role_change(staff_r)
 ')

diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index e30a1197..df6fbdb7 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -80,6 +80,10 @@ optional_policy(`
 	bootloader_run(unconfined_t, unconfined_r)
 ')
 
+optional_policy(`
+	container_user_role(unconfined, unconfined_t, unconfined_application_exec_domain, unconfined_r)
+')
+
 optional_policy(`
 	cron_unconfined_role(unconfined, unconfined_t, unconfined_application_exec_domain, unconfined_r)
 ')



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/roles/, policy/modules/system/
@ 2022-12-13 20:55 Kenton Groombridge
From: Kenton Groombridge @ 2022-12-13 20:55 UTC
  To: gentoo-commits

commit:     fef16712de5ef8682ec086c0679fb60cc3b85389
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Wed Dec  7 15:35:24 2022 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Tue Dec 13 19:07:38 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=fef16712

init, sysadm: allow sysadm to manage systemd runtime units

On systemd 252, mount units generated from /etc/fstab result in services
labeled init_runtime_t. Allow sysadm to manage these services.

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/roles/sysadm.te |  6 +++++
 policy/modules/system/init.if  | 57 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 63 insertions(+)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 002987387..eccfd5171 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -82,6 +82,12 @@ ifndef(`enable_mls',`
 ')
 
 ifdef(`init_systemd',`
+	# Allow managing runtime units, for example mount units generated
+	# from /etc/fstab.
+	init_get_runtime_units_status(sysadm_t)
+	init_start_runtime_units(sysadm_t)
+	init_stop_runtime_units(sysadm_t)
+
 	# Allow sysadm to resolve the username of dynamic users by calling
 	# LookupDynamicUserByUID on org.freedesktop.systemd1.
 	init_dbus_chat(sysadm_t)
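Review bot: the comment motivates the change with fstab mount units, but init_runtime_t covers every unit labelled with that type, not only those generated from /etc/fstab, so sysadm_t gains status, start and stop on all runtime units. That is acceptable for the sysadm role; state the wider scope in the comment or the commit message so the grant is not read as mount-unit specific.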

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 1186e6d2c..a091a6bef 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -3516,6 +3516,63 @@ interface(`init_reload_generic_units',`
 	allow $1 systemd_unit_t:service reload;
 ')
 
+########################################
+## <summary>
+##	Get the status of runtime systemd units.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_get_runtime_units_status',`
+	gen_require(`
+		type init_runtime_t;
+		class service status;
+	')
+
+	allow $1 init_runtime_t:service status;
+')
+
+########################################
+## <summary>
+##	Start runtime systemd units.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_start_runtime_units',`
+	gen_require(`
+		type init_runtime_t;
+		class service start;
+	')
+
+	allow $1 init_runtime_t:service start;
+')
+
+########################################
+## <summary>
+##	Stop runtime systemd units.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_stop_runtime_units',`
+	gen_require(`
+		type init_runtime_t;
+		class service stop;
+	')
+
+	allow $1 init_runtime_t:service stop;
+')
+
 ########################################
 ## <summary>
 ##	Get status of transient systemd units.
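Review bot: the generic unit interfaces this block sits beside include a reload variant (init_reload_generic_units in the hunk header), but no init_reload_runtime_units is added, so `systemctl reload` on a runtime unit remains denied for callers of these three; add it for parity or note why it is omitted. The three interfaces are otherwise consistent with the file's conventions, each requiring only the single service permission it grants.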


