* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/system/
@ 2018-01-18 16:15 Sven Vermeulen
0 siblings, 0 replies; 37+ messages in thread
From: Sven Vermeulen @ 2018-01-18 16:15 UTC (permalink / raw
To: gentoo-commits
commit: a4cd0594e707a739edae6a241a92823e90e31203
Author: David Sugar <dsugar <AT> tresys <DOT> com>
AuthorDate: Tue Dec 12 02:15:28 2017 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Dec 13 12:03:31 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a4cd0594
Allow systemd_logind to delete user_runtime_content_type files
Now that objects in /run/user/%{USERID}/* use the attribute user_runtime_content_type, use the interfaces userdom_delete_all_user_runtime_* to allow deletion of these objects.
type=AVC msg=audit(1511920346.734:199): avc: denied { read } for pid=1067 comm="systemd-logind" name="dconf" dev="tmpfs" ino=14745 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
type=AVC msg=audit(1511920346.734:199): avc: denied { open } for pid=1067 comm="systemd-logind" path="/run/user/998/dconf" dev="tmpfs" ino=14745 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
type=AVC msg=audit(1511920346.734:200): avc: denied { getattr } for pid=1067 comm="systemd-logind" path="/run/user/998/dconf" dev="tmpfs" ino=14745 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
type=AVC msg=audit(1511920346.734:201): avc: denied { write } for pid=1067 comm="systemd-logind" name="dconf" dev="tmpfs" ino=14745 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
type=AVC msg=audit(1511920346.734:201): avc: denied { remove_name } for pid=1067 comm="systemd-logind" name="user" dev="tmpfs" ino=14746 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
type=AVC msg=audit(1511920346.734:201): avc: denied { unlink } for pid=1067 comm="systemd-logind" name="user" dev="tmpfs" ino=14746 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=file
type=AVC msg=audit(1511920346.734:202): avc: denied { rmdir } for pid=1067 comm="systemd-logind" name="dconf" dev="tmpfs" ino=14745 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
Signed-off-by: Dave Sugar <dsugar <AT> tresys.com>
policy/modules/system/systemd.te | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 9ab85680..f64059b1 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -445,6 +445,11 @@ udev_list_pids(systemd_logind_t)
udev_read_db(systemd_logind_t)
udev_read_pid_files(systemd_logind_t)
+userdom_delete_all_user_runtime_dirs(systemd_logind_t)
+userdom_delete_all_user_runtime_files(systemd_logind_t)
+userdom_delete_all_user_runtime_named_pipes(systemd_logind_t)
+userdom_delete_all_user_runtime_named_sockets(systemd_logind_t)
+userdom_delete_all_user_runtime_symlinks(systemd_logind_t)
userdom_manage_user_runtime_dirs(systemd_logind_t)
userdom_manage_user_runtime_root_dirs(systemd_logind_t)
userdom_mounton_user_runtime_dirs(systemd_logind_t)
@@ -454,7 +459,6 @@ userdom_relabel_user_tmpfs_files(systemd_logind_t)
userdom_relabelfrom_user_runtime_dirs(systemd_logind_t)
userdom_relabelto_user_runtime_dirs(systemd_logind_t)
userdom_setattr_user_ttys(systemd_logind_t)
-userdom_delete_user_runtime_files(systemd_logind_t)
userdom_use_user_ttys(systemd_logind_t)
# Needed to work around patch not yet merged into the systemd-logind supported on RHEL 7.x
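Review bot: the five userdom_delete_all_user_runtime_* calls only reach types that carry the user_runtime_content_type attribute, yet every AVC quoted in the commit message has tcontext xdm_tmp_t, and the companion userdomain.te change applies the attribute to user_runtime_t alone; unless xdm_tmp_t is also passed through userdom_user_runtime_content() in the module that declares it, the quoted denials remain. Dropping userdom_delete_user_runtime_files(systemd_logind_t) is fine, since user_runtime_t does carry the attribute and userdom_delete_all_user_runtime_files is a superset of it. Because the attribute will grow as more modules tag their /run/user content, a one-line comment here stating that logind must tear down the whole session runtime directory on logout would make clear that the breadth is intended rather than accidental.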
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/system/
@ 2018-01-18 16:15 Sven Vermeulen
0 siblings, 0 replies; 37+ messages in thread
From: Sven Vermeulen @ 2018-01-18 16:15 UTC (permalink / raw
To: gentoo-commits
commit: ec078ec960bf0bdade1b2f7d5438e30344c21956
Author: David Sugar <dsugar <AT> tresys <DOT> com>
AuthorDate: Tue Dec 12 02:15:18 2017 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Dec 13 12:03:31 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ec078ec9
Make an attribute for objects in /run/user/%{USERID}/*
Set up the attribute user_runtime_content_type in userdomain for files in /run/user/%{USERID}/*, interfaces to associate this attribute with types, and interfaces to delete types with this attribute.
Signed-off-by: Dave Sugar <dsugar <AT> tresys.com>
policy/modules/system/userdomain.if | 156 +++++++++++++++++++++++++++++++++++-
policy/modules/system/userdomain.te | 4 +
2 files changed, 159 insertions(+), 1 deletion(-)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 68e0ee8b..696983f1 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -2978,6 +2978,28 @@ interface(`userdom_relabel_user_tmpfs_files',`
########################################
## <summary>
+## Make the specified type usable in
+## the directory /run/user/%{USERID}/.
+## </summary>
+## <param name="type">
+## <summary>
+## Type to be used as a file in the
+## user_runtime_content_dir_t.
+## </summary>
+## </param>
+#
+interface(`userdom_user_runtime_content',`
+ gen_require(`
+ attribute user_runtime_content_type;
+ ')
+
+ typeattribute $1 user_runtime_content_type;
+ files_type($1)
+ ubac_constrained($1)
+')
+
+########################################
+## <summary>
## Search users runtime directories.
## </summary>
## <param name="domain">
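Review bot: the <param> summary refers to "user_runtime_content_dir_t", which is not a type declared anywhere in this series; the directory type is user_runtime_t and the new attribute is user_runtime_content_type, so the text should read "Type to be used as a file in /run/user/%{USERID}/ (user_runtime_t)". Since the interface body also calls files_type($1) and ubac_constrained($1), callers that already do both end up with duplicate declarations; harmless, but the summary should say so, so callers can drop theirs.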
@@ -3143,7 +3165,139 @@ interface(`userdom_delete_user_runtime_files',`
')
allow $1 user_runtime_t:dir list_dir_perms;
- allow $1 user_runtime_t:file unlink;
+ allow $1 user_runtime_t:file delete_file_perms;
+')
+
+########################################
+## <summary>
+## Search users runtime directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_search_all_user_runtime',`
+ gen_require(`
+ attribute user_runtime_content_type;
+ ')
+
+ allow $1 user_runtime_content_type:dir search_dir_perms;
+ userdom_search_user_runtime_root($1)
+')
+
+########################################
+## <summary>
+## List user runtime directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_list_all_user_runtime',`
+ gen_require(`
+ attribute user_runtime_content_type;
+ ')
+
+ allow $1 user_runtime_content_type:dir list_dir_perms;
+ userdom_search_user_runtime($1)
+')
+
+########################################
+## <summary>
+## delete user runtime directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_delete_all_user_runtime_dirs',`
+ gen_require(`
+ attribute user_runtime_content_type;
+ ')
+
+ allow $1 user_runtime_content_type:dir { delete_dir_perms del_entry_dir_perms list_dir_perms };
+')
+
+########################################
+## <summary>
+## delete user runtime files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_delete_all_user_runtime_files',`
+ gen_require(`
+ attribute user_runtime_content_type;
+ ')
+
+ allow $1 user_runtime_content_type:dir list_dir_perms;
+ allow $1 user_runtime_content_type:file delete_file_perms;
+')
+
+########################################
+## <summary>
+## delete user runtime symlink files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_delete_all_user_runtime_symlinks',`
+ gen_require(`
+ attribute user_runtime_content_type;
+ ')
+
+ allow $1 user_runtime_content_type:dir list_dir_perms;
+ allow $1 user_runtime_content_type:fifo_file delete_lnk_file_perms;
+')
+
+########################################
+## <summary>
+## delete user runtime fifo files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_delete_all_user_runtime_named_pipes',`
+ gen_require(`
+ attribute user_runtime_content_type;
+ ')
+
+ allow $1 user_runtime_content_type:dir list_dir_perms;
+ allow $1 user_runtime_content_type:fifo_file delete_fifo_file_perms;
+')
+
+########################################
+## <summary>
+## delete user runtime socket files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_delete_all_user_runtime_named_sockets',`
+ gen_require(`
+ attribute user_runtime_content_type;
+ ')
+
+ allow $1 user_runtime_content_type:dir list_dir_perms;
+ allow $1 user_runtime_content_type:file delete_sock_file_perms;
')
########################################
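Review bot: two of the new interfaces grant permissions on the wrong object class and so cannot resolve the denials they are meant for: userdom_delete_all_user_runtime_symlinks has `allow $1 user_runtime_content_type:fifo_file delete_lnk_file_perms;` where the class must be lnk_file, and userdom_delete_all_user_runtime_named_sockets has `allow $1 user_runtime_content_type:file delete_sock_file_perms;` where the class must be sock_file. Compare userdom_delete_all_user_runtime_named_pipes, which correctly pairs fifo_file with delete_fifo_file_perms. Smaller points: the summaries of the delete interfaces start lowercase and lack the trailing period the surrounding interfaces use, and userdom_search_all_user_runtime reuses the summary "Search users runtime directories." from the existing per-type interface; say these apply to all user_runtime_content_type types so the two families are distinguishable in the generated docs.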
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 0e8aa374..a130215b 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -75,6 +75,9 @@ attribute unpriv_userdomain;
attribute user_home_content_type;
+# dirs/files/etc created in /run/user/%{USERID}/
+attribute user_runtime_content_type;
+
type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
fs_associate_tmpfs(user_home_dir_t)
files_type(user_home_dir_t)
@@ -128,6 +131,7 @@ files_poly(user_runtime_t)
files_poly_member(user_runtime_t)
files_poly_parent(user_runtime_t)
ubac_constrained(user_runtime_t)
+userdom_user_runtime_content(user_runtime_t)
ifdef(`distro_gentoo',`
# We used to use cert_home_t but an upstream commit introduced the same
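Review bot: userdom_user_runtime_content(user_runtime_t) already performs files_type() and ubac_constrained() on its argument (see the interface body in userdomain.if above), so the ubac_constrained(user_runtime_t) on the line directly above it is now redundant; either drop it or note that the interface repeats it. After this hunk only user_runtime_t carries the attribute, so other types living under /run/user (the AVCs in the sibling systemd.te commit show xdm_tmp_t there) still need to be passed through the interface before the attribute-based delete interfaces do anything for them.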
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/system/
@ 2018-01-18 16:15 Sven Vermeulen
0 siblings, 0 replies; 37+ messages in thread
From: Sven Vermeulen @ 2018-01-18 16:15 UTC (permalink / raw
To: gentoo-commits
commit: cdfafeaeac734530e89e329dccf9ca03840e0b62
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Dec 13 18:15:35 2017 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Dec 14 04:55:22 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=cdfafeae
userdomain: Allow public content access
All are allowed read access to readonly files.
Unpriv and admin users are allowed rw access to public rw files.
policy/modules/system/userdomain.if | 3 +++
1 file changed, 3 insertions(+)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 696983f1..0d4fa8e4 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -894,6 +894,7 @@ template(`userdom_login_user_template', `
miscfiles_read_man_pages($1_t)
# map is needed for man-dbs apropos program
miscfiles_map_man_cache($1_t)
+ miscfiles_read_public_files($1_t)
# for running TeX programs
miscfiles_read_tetex_data($1_t)
miscfiles_exec_tetex_data($1_t)
@@ -1093,6 +1094,8 @@ template(`userdom_unpriv_user_template', `
files_exec_usr_files($1_t)
+ miscfiles_manage_public_files($1_t)
+
tunable_policy(`user_dmesg',`
kernel_read_ring_buffer($1_t)
',`
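Review bot: the commit message says unpriv and admin users get rw access to public rw files, but this diff only adds miscfiles_manage_public_files($1_t) to userdom_unpriv_user_template; userdom_admin_user_template is not touched, so either it already reaches that call through another template or the message promises more than lands here. Worth confirming before merge. The miscfiles_read_public_files($1_t) added to userdom_login_user_template in the previous hunk covers the read half for every login user, matching the first line of the message.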
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2017-05-18 17:03 Sven Vermeulen
2017-05-18 17:02 ` [gentoo-commits] proj/hardened-refpolicy:swift " Sven Vermeulen
0 siblings, 1 reply; 37+ messages in thread
From: Sven Vermeulen @ 2017-05-18 17:03 UTC (permalink / raw
To: gentoo-commits
commit: d1630fe00a7902d54fa57bad9c9f047072528179
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Mon May 15 22:42:18 2017 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu May 18 17:00:54 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d1630fe0
init: add comment for ProtectSystem.
policy/modules/system/init.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 3d3697fb..4e2c6504 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -288,6 +288,7 @@ ifdef(`init_systemd',`
files_search_kernel_modules(init_t)
# for privatetmp functions
files_mounton_tmp(init_t)
+ # for ProtectSystem
files_mounton_etc_dirs(init_t)
fs_relabel_cgroup_dirs(init_t)
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2017-05-18 17:03 Sven Vermeulen
2017-05-18 17:02 ` [gentoo-commits] proj/hardened-refpolicy:swift " Sven Vermeulen
0 siblings, 1 reply; 37+ messages in thread
From: Sven Vermeulen @ 2017-05-18 17:03 UTC (permalink / raw
To: gentoo-commits
commit: a2905af973f935e826ee973a5ec5895d6a848fc8
Author: Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Mon May 8 17:02:14 2017 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu May 18 17:00:46 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a2905af9
system/selinuxutil: Allow semanage to execute its tmp files
Since app-admin/setools-4.1.0, some python internals try to create and
execute a file in /tmp during semanage initialization, causing semanage
to crash. Here's the backtrace (with the path
"/usr/lib64/python3.4/site-packages" replaced by "py" for brevity):
Traceback (most recent call last):
File "/usr/lib/python-exec/python3.4/semanage", line 28, in <module>
import seobject
File "py/seobject.py", line 34, in <module>
import sepolicy
File "py/sepolicy/__init__.py", line 8, in <module>
import setools
File "py/setools/__init__.py", line 77, in <module>
from .infoflow import InfoFlowAnalysis
File "py/setools/infoflow.py", line 22, in <module>
import networkx as nx
File "py/networkx/__init__.py", line 93, in <module>
import networkx.linalg
File "py/networkx/linalg/__init__.py", line 9, in <module>
from networkx.linalg.algebraicconnectivity import *
File "py/networkx/linalg/algebraicconnectivity.py", line 18, in <module>
from numpy import (array, asmatrix, asarray, dot, matrix, ndarray, ones,
File "py/numpy/__init__.py", line 180, in <module>
from . import add_newdocs
File "py/numpy/add_newdocs.py", line 13, in <module>
from numpy.lib import add_newdoc
File "py/numpy/lib/__init__.py", line 8, in <module>
from .type_check import *
File "py/numpy/lib/type_check.py", line 11, in <module>
import numpy.core.numeric as _nx
File "py/numpy/core/__init__.py", line 22, in <module>
from . import _internal # for freeze programs
File "py/numpy/core/_internal.py", line 14, in <module>
import ctypes
File "/usr/lib64/python3.4/ctypes/__init__.py", line 541, in <module>
_reset_cache()
File "/usr/lib64/python3.4/ctypes/__init__.py", line 280, in _reset_cache
CFUNCTYPE(c_int)(lambda: None)
MemoryError
policy/modules/system/selinuxutil.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 748e4acf..487bceca 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -488,7 +488,7 @@ allow semanage_t policy_src_t:dir search;
filetrans_pattern(semanage_t, selinux_config_t, semanage_store_t, dir, "modules")
allow semanage_t semanage_tmp_t:dir manage_dir_perms;
-allow semanage_t semanage_tmp_t:file manage_file_perms;
+allow semanage_t semanage_tmp_t:file { manage_file_perms mmap_file_perms };
files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
kernel_read_system_state(semanage_t)
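Review bot: the widened rule lets semanage_t map its own tmp files executable, which is what the quoted traceback needs (CFUNCTYPE callback creation inside ctypes ends in MemoryError when no executable mapping can be obtained), but nothing in the .te records why a policy-management tool now has executable tmp content; add a comment next to the allow line naming app-admin/setools-4.1.0 and the ctypes path so the rule is neither widened further nor removed as unused later. Executable tmp files are a property worth keeping narrow, so if the requirement ever goes away upstream this is the line to revert.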
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2017-05-18 17:03 Sven Vermeulen
2017-05-18 17:02 ` [gentoo-commits] proj/hardened-refpolicy:swift " Sven Vermeulen
0 siblings, 1 reply; 37+ messages in thread
From: Sven Vermeulen @ 2017-05-18 17:03 UTC (permalink / raw
To: gentoo-commits
commit: bdcf54d71cb3522081eeeb5b6268d1016c70f280
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun May 7 17:44:55 2017 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu May 18 16:57:54 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=bdcf54d7
libraries: update wildcard /usr/lib fcontext
subs_dist takes care of it; the wildcard is no longer needed.
policy/modules/system/libraries.fc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
index 1dfa5714..482bb014 100644
--- a/policy/modules/system/libraries.fc
+++ b/policy/modules/system/libraries.fc
@@ -227,7 +227,7 @@ HOME_DIR/.*/plugins/nppdf\.so.* -- gen_context(system_u:object_r:textrel_shlib_t
/usr/lib/ocaml/stublibs/dllnums\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
# Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
-/usr/lib.*/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/(/.*)?/libmpg123\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/codecs/drv[1-9c]\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
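Review bot: with the `/usr/lib.*/` wildcard gone, lib64 and lib32 copies of libmpg123 depend entirely on file_contexts.subs_dist mapping those directories onto /usr/lib, as the message says; the unchanged line directly below, `/usr/(/.*)?/libmpg123\.so(\.[^/]*)*`, requires a doubled slash after /usr/ and so does not match the normal path, which is why it never acted as a fallback. Either correct it to `/usr(/.*)?/libmpg123\.so(\.[^/]*)*` or drop it in a follow-up so the intent of the two entries is clear.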
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/system/
@ 2017-05-18 16:54 Sven Vermeulen
0 siblings, 0 replies; 37+ messages in thread
From: Sven Vermeulen @ 2017-05-18 16:54 UTC (permalink / raw
To: gentoo-commits
commit: 77bed1b44f95619267e8a36a197fc6b5513e11ed
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun May 7 03:24:40 2017 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun May 7 17:40:29 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=77bed1b4
modutils: kmod_tmpfiles_conf_t create should be allowed even for openrc
policy/modules/system/modutils.te | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index 1c52e0b5..80831320 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -49,6 +49,7 @@ manage_files_pattern(kmod_t, modules_dep_t, modules_dep_t)
filetrans_add_pattern(kmod_t, modules_object_t, modules_dep_t, file)
create_files_pattern(kmod_t, modules_object_t, modules_dep_t)
delete_files_pattern(kmod_t, modules_object_t, modules_dep_t)
+allow kmod_t kmod_tmpfiles_conf_t:file manage_file_perms;
can_exec(kmod_t, kmod_exec_t)
@@ -115,8 +116,6 @@ userdom_use_user_terminals(kmod_t)
userdom_dontaudit_search_user_home_dirs(kmod_t)
ifdef(`init_systemd',`
- # for /run/tmpfiles.d/kmod.conf
- allow kmod_t kmod_tmpfiles_conf_t:file manage_file_perms;
# kmod needs to create /run/tmpdiles.d
systemd_tmpfiles_creator(kmod_t)
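Review bot: the comment `# for /run/tmpfiles.d/kmod.conf` is dropped along with the rule here, but the rule is re-added unconditionally in the first hunk without it; move the comment up so the unconditional allow keeps its justification (openrc builds also create this file, which is the point of the change). While touching the block, the remaining context line `# kmod needs to create /run/tmpdiles.d` has a typo for tmpfiles.d.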
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/system/
@ 2017-05-18 16:54 Sven Vermeulen
0 siblings, 0 replies; 37+ messages in thread
From: Sven Vermeulen @ 2017-05-18 16:54 UTC (permalink / raw
To: gentoo-commits
commit: 42bae906477136079a1599048a431574d03643fa
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Sat Apr 29 18:17:30 2017 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun May 7 15:53:18 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=42bae906
init: smoother system boot
Improve the initrc domain within the init module with some permissions
needed for a smoother boot.
Let the iptables init scripts read the iptables configuration.
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
policy/modules/system/init.te | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 07238399..a01b5093 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -487,6 +487,7 @@ kernel_clear_ring_buffer(initrc_t)
kernel_get_sysvipc_info(initrc_t)
kernel_read_all_sysctls(initrc_t)
kernel_rw_all_sysctls(initrc_t)
+kernel_use_fds(initrc_t)
# for lsof which is used by alsa shutdown:
kernel_dontaudit_getattr_message_if(initrc_t)
# cjp: not sure why these are here; should use mount policy
@@ -494,6 +495,7 @@ kernel_list_unlabeled(initrc_t)
kernel_mounton_unlabeled_dirs(initrc_t)
files_create_lock_dirs(initrc_t)
+files_manage_all_locks(initrc_t)
files_pid_filetrans_lock_dir(initrc_t, "lock")
files_read_kernel_symbol_table(initrc_t)
files_setattr_lock_dirs(initrc_t)
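Review bot: files_manage_all_locks(initrc_t) grants create, write and delete over every lock file type in the policy, a substantial widening next to the existing files_create_lock_dirs and files_setattr_lock_dirs, and the message only says it is needed for a smoother boot; the commit message should cite the denials it resolves, and if they concern one or two lock types a per-type interface is preferable. kernel_use_fds(initrc_t) in the previous hunk is routine for a domain started by init.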
@@ -1116,6 +1118,10 @@ optional_policy(`
')
optional_policy(`
+ iptables_read_config(initrc_t)
+')
+
+optional_policy(`
iscsi_stream_connect(initrc_t)
iscsi_read_lib_files(initrc_t)
')
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/system/
@ 2017-05-18 16:54 Sven Vermeulen
0 siblings, 0 replies; 37+ messages in thread
From: Sven Vermeulen @ 2017-05-18 16:54 UTC (permalink / raw
To: gentoo-commits
commit: 542af989565d81b90ef54fcb78d259fb7073bfba
Author: Nicolas Iooss <nicolas.iooss <AT> m4x <DOT> org>
AuthorDate: Sat Apr 15 18:23:34 2017 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun May 7 15:49:16 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=542af989
Synchronize file patterns for /usr/bin/mount... and /usr/sbin/mount...
mount.fc defines file contexts for /usr/bin/mount.*, /usr/bin/umount.*
and /usr/sbin/mount\.zfs. These patterns are not consistent for two
reasons:
- some distributions use /sbin/mount... for other file systems than zfs.
For example Debian uses /sbin/mount.ntfs-3g
(https://packages.debian.org/jessie/amd64/ntfs-3g/filelist)
- mount_exec_t type should only be applied to mount, umount, mount.$FS
and umount.udisks2, not mountpoint.
Replace the file patterns with ones that do not match mountpoint and
match every mount and umount program in /usr/bin and /usr/sbin.
policy/modules/system/mount.fc | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/policy/modules/system/mount.fc b/policy/modules/system/mount.fc
index 39ea6f5c..97e2596b 100644
--- a/policy/modules/system/mount.fc
+++ b/policy/modules/system/mount.fc
@@ -1,8 +1,9 @@
/usr/bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0)
-/usr/bin/mount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
-/usr/bin/umount.* -- gen_context(system_u:object_r:mount_exec_t,s0)
+/usr/bin/mount(\.[^/]+)? -- gen_context(system_u:object_r:mount_exec_t,s0)
+/usr/bin/umount(\.[^/]+)? -- gen_context(system_u:object_r:mount_exec_t,s0)
-/usr/sbin/mount\.zfs -- gen_context(system_u:object_r:mount_exec_t,s0)
+/usr/sbin/mount(\.[^/]+)? -- gen_context(system_u:object_r:mount_exec_t,s0)
+/usr/sbin/umount(\.[^/]+)? -- gen_context(system_u:object_r:mount_exec_t,s0)
/usr/sbin/zfs -- gen_context(system_u:object_r:mount_exec_t,s0)
/usr/sbin/zpool -- gen_context(system_u:object_r:mount_exec_t,s0)
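Review bot: the new `(\.[^/]+)?` suffix is broader than the set the message lists (mount, umount, mount.$FS, umount.udisks2), since it labels any dotted helper name, but it is the pragmatic choice given how many mount.* helpers distributions ship, and it does exclude mountpoint as intended, which the old `mount.*` regex did not because `.` matched any character. Removing the explicit `/usr/sbin/mount\.zfs` entry is correct because the new /usr/sbin pattern covers it; the zfs and zpool entries below are unaffected.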
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/system/
@ 2017-05-18 16:54 Sven Vermeulen
0 siblings, 0 replies; 37+ messages in thread
From: Sven Vermeulen @ 2017-05-18 16:54 UTC (permalink / raw
To: gentoo-commits
commit: 1d14d5ba6e3da3b114bc6035a2216c7b4cc30b29
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun Apr 30 14:38:18 2017 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Apr 30 14:38:18 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1d14d5ba
unconfined: remove duplicated xserver_role
policy/modules/system/unconfined.te | 4 ----
1 file changed, 4 deletions(-)
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index b15aaee7..b7edee8c 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -236,8 +236,4 @@ ifdef(`distro_gentoo',`
optional_policy(`
rtorrent_role(unconfined_r, unconfined_t)
')
-
- optional_policy(`
- xserver_role(unconfined_r, unconfined_t)
- ')
')
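Review bot: this removes one of two xserver_role(unconfined_r, unconfined_t) calls, but the surviving one is outside the visible context; confirm it sits inside an optional_policy block in the non-distro_gentoo part of the file so Gentoo builds still get the role after the duplicate is gone.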
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2016-10-24 16:56 Sven Vermeulen
2016-10-24 16:47 ` [gentoo-commits] proj/hardened-refpolicy:swift " Sven Vermeulen
0 siblings, 1 reply; 37+ messages in thread
From: Sven Vermeulen @ 2016-10-24 16:56 UTC (permalink / raw
To: gentoo-commits
commit: 45d45937e484dfec4a7abcf67dc1d95d2fb267f2
Author: Sven Vermeulen <swift <AT> gentoo <DOT> org>
AuthorDate: Mon Oct 24 16:45:01 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 24 16:45:01 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=45d45937
Swap documentation for two interfaces
policy/modules/system/miscfiles.if | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
index 93e6acb..d89c7c0 100644
--- a/policy/modules/system/miscfiles.if
+++ b/policy/modules/system/miscfiles.if
@@ -787,8 +787,7 @@ interface(`miscfiles_read_test_files',`
########################################
## <summary>
-## Create files in etc directories
-## with localization file type.
+## Execute test files.
## </summary>
## <param name="domain">
## <summary>
@@ -807,7 +806,8 @@ interface(`miscfiles_exec_test_files',`
########################################
## <summary>
-## Execute test files.
+## Create files in etc directories
+## with localization file type.
## </summary>
## <param name="domain">
## <summary>
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2016-10-24 16:56 Sven Vermeulen
From: Sven Vermeulen @ 2016-10-24 16:56 UTC
To: gentoo-commits
commit: d95d8f98194fb82bcd0afba3ce09893911a3f146
Author: Sven Vermeulen <swift <AT> gentoo <DOT> org>
AuthorDate: Mon Oct 24 16:55:07 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 24 16:55:07 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d95d8f98
Move miscfiles_relabel_user_certs to userdom_relabel_user_certs
policy/modules/system/miscfiles.if | 11 +++--------
policy/modules/system/userdomain.if | 23 +++++++++++++++++++++++
2 files changed, 26 insertions(+), 8 deletions(-)
diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
index d89c7c0..5b9a810 100644
--- a/policy/modules/system/miscfiles.if
+++ b/policy/modules/system/miscfiles.if
@@ -103,7 +103,7 @@ interface(`miscfiles_manage_user_certs',`
########################################
## <summary>
-## Relabel from/to cert_home_t (user-managed SSL certificates)
+## Relabel from/to user_cert_t (user-managed SSL certificates)
## </summary>
## <param name="domain">
## <summary>
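Review bot: the summary still presents `miscfiles_relabel_user_certs` as a live interface (`## Relabel from/to user_cert_t (user-managed SSL certificates)`), yet the next hunk turns it into a deprecated wrapper; the doc block should say it is deprecated and point at `userdom_relabel_user_certs()`, otherwise the generated interface documentation keeps advertising the old name without any hint.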
@@ -112,13 +112,8 @@ interface(`miscfiles_manage_user_certs',`
## </param>
#
interface(`miscfiles_relabel_user_certs',`
- gen_require(`
- type cert_home_t;
- ')
-
- relabel_dirs_pattern($1, cert_home_t, cert_home_t)
- relabel_files_pattern($1, cert_home_t, cert_home_t)
- relabel_lnk_files_pattern($1, cert_home_t, cert_home_t)
+ userdom_relabel_user_certs($1)
+ refpolicywarn(`$0() has been deprecated, please use userdom_relabel_user_certs() instead.')
')
########################################
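Review bot: the wrapper widens what callers get: the removed body relabelled only `dir`, `file` and `lnk_file` on cert_home_t, while `userdom_relabel_user_certs($1)` (added to userdomain.if in the next hunk) also grants `relabel_sock_files_pattern` and `relabel_fifo_files_pattern`; that is probably intended, but the deprecation message should mention it so existing callers know they pick up two extra object classes. Minor: refpolicy's deprecated wrappers conventionally emit `refpolicywarn(...)` before the replacement call.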
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 666292e..c4bef2b 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -4053,3 +4053,26 @@ interface(`userdom_user_home_dir_filetrans_user_cert',`
userdom_user_home_dir_filetrans($1, user_cert_t, $2, $3)
')
+
+########################################
+## <summary>
+## Allow relabeling resources to user_cert_t
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+
+interface(`userdom_relabel_user_certs',`
+ gen_require(`
+ type user_cert_t;
+ ')
+
+ relabel_dirs_pattern($1, user_cert_t, user_cert_t)
+ relabel_files_pattern($1, user_cert_t, user_cert_t)
+ relabel_lnk_files_pattern($1, user_cert_t, user_cert_t)
+ relabel_sock_files_pattern($1, user_cert_t, user_cert_t)
+ relabel_fifo_files_pattern($1, user_cert_t, user_cert_t)
+')
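Review bot: two nits in the new `userdom_relabel_user_certs`: the blank line between `+#` and `+interface(` breaks the header-to-interface adjacency used by the neighbouring interfaces, and the summary `## Allow relabeling resources to user_cert_t` undersells the body, which relabels both from and to user_cert_t (all five `relabel_*_pattern` calls pass it as source and target); `Relabel from/to user_cert_t` matches the miscfiles summary in the first hunk. Logically, the interface grants no `search` on the user home directory, so a caller that relabels `~/.pki` needs `userdom_search_user_home_dirs()` separately; worth a sentence in the summary or a call in the body.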
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2016-10-24 16:56 Sven Vermeulen
From: Sven Vermeulen @ 2016-10-24 16:56 UTC
To: gentoo-commits
commit: 7802f6b2a69eefd11feb78859d2feb58be59a99b
Author: Sven Vermeulen <swift <AT> gentoo <DOT> org>
AuthorDate: Mon Oct 24 16:41:27 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 24 16:41:27 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7802f6b2
Switch from cert_home_t to user_cert_t
The type for user home certificate directories (and files) is
user_cert_t. Remove all references to its code, and instead use the new
type.
Keep an alias at hand for third party SELinux policy modules though.
policy/modules/system/miscfiles.fc | 2 --
policy/modules/system/miscfiles.if | 40 ++-----------------------------------
policy/modules/system/miscfiles.te | 7 -------
policy/modules/system/userdomain.if | 2 --
policy/modules/system/userdomain.te | 7 +++++++
5 files changed, 9 insertions(+), 49 deletions(-)
diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
index be0b6a1..42ac30b 100644
--- a/policy/modules/system/miscfiles.fc
+++ b/policy/modules/system/miscfiles.fc
@@ -103,8 +103,6 @@ ifdef(`distro_redhat',`
/var/spool/postfix/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
')
-HOME_DIR/.pki(/.*)? gen_context(system_u:object_r:cert_home_t,s0)
-
ifdef(`distro_gentoo',`
/etc/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
')
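Review bot: removing `-HOME_DIR/.pki(/.*)?` from miscfiles.fc also drops an unescaped `.` that matched any single character before `pki`; the userdomain.fc entry that replaces it (`HOME_DIR/\.pki(/.*)?` labelled user_cert_t, in commit 2022bcef) escapes it, so this is a fix as well as a move and deserves a line in the commit message. Files already labelled cert_home_t on disk keep resolving through the alias added in userdomain.te in this same commit.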
diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
index 63ed47f..93e6acb 100644
--- a/policy/modules/system/miscfiles.if
+++ b/policy/modules/system/miscfiles.if
@@ -97,15 +97,8 @@ interface(`miscfiles_read_generic_certs',`
## </param>
#
interface(`miscfiles_manage_user_certs',`
- gen_require(`
- type cert_home_t;
- ')
-
- manage_dirs_pattern($1, cert_home_t, cert_home_t)
- manage_files_pattern($1, cert_home_t, cert_home_t)
- manage_lnk_files_pattern($1, cert_home_t, cert_home_t)
-
- userdom_search_user_home_dirs($1)
+ userdom_manage_user_certs($1)
+ refpolicywarn(`$0() has been deprecated, please use userdom_manage_user_certs() instead.')
')
########################################
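Review bot: the deprecated body called `userdom_search_user_home_dirs($1)`, but its replacement `userdom_manage_user_certs()` (see the 2022bcef hunk in userdomain.if) only calls `files_search_home($1)`, which grants `search` on home_root_t (`/home`) and not on the user's own home directory; callers that relied on this wrapper to reach `~/.pki` lose `search` on user_home_dir_t. Either keep `userdom_search_user_home_dirs($1)` in the wrapper or add it to `userdom_manage_user_certs`.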
@@ -213,35 +206,6 @@ interface(`miscfiles_manage_cert_files',`
########################################
## <summary>
-## Automatically use the cert_home_t label for selected resources created
-## in a users home directory
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access
-## </summary>
-## </param>
-## <param name="class">
-## <summary>
-## Resource type(s) for which the label should be used
-## </summary>
-## </param>
-## <param name="filename" optional="true">
-## <summary>
-## Name of the resource that is being created
-## </summary>
-## </param>
-#
-interface(`miscfiles_user_home_dir_filetrans_cert_home',`
- gen_require(`
- type cert_home_t;
- ')
-
- userdom_user_home_dir_filetrans($1, cert_home_t, $2, $3)
-')
-
-########################################
-## <summary>
## Read fonts.
## </summary>
## <param name="domain">
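Review bot: `miscfiles_user_home_dir_filetrans_cert_home` is deleted outright while the other two interfaces touched by this commit get deprecation wrappers; a third-party module that still calls it will fail to build instead of getting a warning. For consistency, leave a stub that calls `userdom_user_home_dir_filetrans_user_cert($1, $2, $3)` (introduced in 64da9c74 in this same push) with a `refpolicywarn()`, and drop it in a later release.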
diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te
index 246ac6a..85a29e3 100644
--- a/policy/modules/system/miscfiles.te
+++ b/policy/modules/system/miscfiles.te
@@ -14,13 +14,6 @@ type cert_t;
miscfiles_cert_type(cert_t)
#
-# cert_home_t is the type of files in the users' home directories.
-#
-type cert_home_t;
-miscfiles_cert_type(cert_home_t)
-userdom_user_home_content(cert_home_t)
-
-#
# fonts_t is the type of various font
# files in /usr
#
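Review bot: dropping `miscfiles_cert_type(cert_home_t)` removes the type from the attribute that `miscfiles_cert_type()` assigns, and nothing in this diff puts user_cert_t in its place; any rule keyed on that attribute (interfaces that read or manage all certificate types) silently stops covering user certificates. Either call `miscfiles_cert_type(user_cert_t)` in userdomain.te next to the alias, or state in the commit message that user certs are intentionally no longer a cert type. The miscfiles `policy_module()` version is also not bumped although a type and an interface were removed.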
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 7c0d914..879ab82 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -272,8 +272,6 @@ interface(`userdom_manage_home_role',`
')
ifdef(`distro_gentoo',`
- miscfiles_manage_user_certs($2)
- miscfiles_relabel_user_certs($2)
optional_policy(`
flash_manage_home($2)
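Review bot: the removed `miscfiles_relabel_user_certs($2)` has no replacement: upstream's `userdom_manage_home_role` (2022bcef hunk in this push) adds `userdom_manage_user_certs($2)` but no relabel call, and `userdom_relabel_user_certs` only appears in d95d8f98 without being wired in here. User roles on Gentoo therefore lose relabelfrom/relabelto on `~/.pki`; if that is not intended, add `userdom_relabel_user_certs($2)` to this `distro_gentoo` block once that interface lands.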
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 0b0eb60..94b068e 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -128,3 +128,10 @@ files_poly(user_runtime_t)
files_poly_member(user_runtime_t)
files_poly_parent(user_runtime_t)
ubac_constrained(user_runtime_t)
+
+ifdef(`distro_gentoo',`
+ # We used to use cert_home_t but an upstream commit introduced the same
+ # concept as user_cert_t. Enabling an alias to keep custom modules from
+ # users running.
+ type user_cert_t alias cert_home_t;
+')
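Review bot: `type user_cert_t alias cert_home_t;` declares a type that upstream's userdomain.te already declares (commit 2022bcef in this push introduces user_cert_t there); to attach an alias to an existing type use `typealias user_cert_t alias cert_home_t;` so the module does not carry a second `type` statement for the same name. The comment also reads oddly (`keep custom modules from users running`); `keep users' custom modules loading` says what is meant.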
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/system/
@ 2016-10-24 16:56 Sven Vermeulen
From: Sven Vermeulen @ 2016-10-24 16:56 UTC
To: gentoo-commits
commit: 5ec059a3f5ae282f6a3fd355788563a8714b8430
Author: Sven Vermeulen <swift <AT> gentoo <DOT> org>
AuthorDate: Mon Oct 24 16:49:13 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 24 16:49:13 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5ec059a3
Fix documentation for userdom_user_home_dir_filetrans_user_cert
policy/modules/system/userdomain.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 879ab82..666292e 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -4027,7 +4027,7 @@ interface(`userdom_manage_user_tmp_chr_files',`
########################################
## <summary>
-## Automatically use the cert_home_t label for selected resources
+## Automatically use the user_cert_t label for selected resources
## created in a users home directory
## </summary>
## <param name="domain">
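Review bot: `a users home directory` wants an apostrophe (`a user's home directory`) now that the line directly above it is being edited anyway; the type name fix itself is right, since the body of `userdom_user_home_dir_filetrans_user_cert` transitions to user_cert_t.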
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/system/
@ 2016-10-24 16:47 Sven Vermeulen
From: Sven Vermeulen @ 2016-10-24 16:47 UTC
To: gentoo-commits
commit: 64da9c74ec1c09833fc0537479c8d3298f09dd88
Author: Sven Vermeulen <swift <AT> gentoo <DOT> org>
AuthorDate: Mon Oct 24 16:33:17 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 24 16:33:17 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=64da9c74
Introduce userdom_user_home_dir_filetrans_user_cert
The userdom_user_home_dir_filetrans_user_cert interface can be assigned
to SELinux policies for domains that create the necessary user
directories, such as ~/.pki.
This interface will need to be upstreamed later though (we currently
need it already because we have end-user domains that other
distributions generally keep in the user domain).
policy/modules/system/userdomain.if | 29 +++++++++++++++++++++++++++++
1 file changed, 29 insertions(+)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 1572b51..7c0d914 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -4026,3 +4026,32 @@ interface(`userdom_manage_user_tmp_chr_files',`
userdom_search_user_runtime($1)
files_search_tmp($1)
')
+
+########################################
+## <summary>
+## Automatically use the cert_home_t label for selected resources
+## created in a users home directory
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="class">
+## <summary>
+## Resource type(s) for which the label should be used
+## </summary>
+## </param>
+## <param name="filename" optional="true">
+## <summary>
+## Name of the resource that is being created
+## </summary>
+## </param>
+#
+interface(`userdom_user_home_dir_filetrans_user_cert',`
+ gen_require(`
+ type user_cert_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, user_cert_t, $2, $3)
+')
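Review bot: the summary says `cert_home_t` while the body passes `user_cert_t` to `userdom_user_home_dir_filetrans`; the fix only lands later in 5ec059a3, so squashing it into this commit would avoid shipping a misleading doc block. `a users home directory` also needs the apostrophe. The optional `filename` parameter is passed straight through as `$3`, which is what `userdom_user_home_dir_filetrans` expects.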
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/system/
@ 2016-10-24 15:45 Sven Vermeulen
From: Sven Vermeulen @ 2016-10-24 15:45 UTC
To: gentoo-commits
commit: 385048b24a6639c4a51573409f2b4c42692827b3
Author: Sven Vermeulen <swift <AT> gentoo <DOT> org>
AuthorDate: Sat Oct 10 12:08:03 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 24 15:45:30 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=385048b2
Manage tun/tap interfaces
We need the relabelfrom/relabelto rights, otherwise tun/tap interface
activities fail:
~# tunctl -d tap0
TUNSETIFF: Permission denied
policy/modules/system/userdomain.if | 3 +++
1 file changed, 3 insertions(+)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index bf78a2b..1572b51 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1300,6 +1300,9 @@ template(`userdom_admin_user_template',`
seutil_relabelto_bin_policy($1_t)
# allow to manage chr_files in user_tmp (for initrd's)
userdom_manage_user_tmp_chr_files($1_t)
+ # allow managing tun/tap interfaces (labeling)
+ # without this operations such as tunctl -d tap0 result in a TUNSETIFF: Device or resource busy
+ allow $1_t self:tun_socket { relabelfrom relabelto };
')
')
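Review bot: the added comment says the failure is `TUNSETIFF: Device or resource busy`, but the commit message shows `TUNSETIFF: Permission denied`; a missing relabelfrom/relabelto on `tun_socket` is a permission denial, so the in-policy comment should be corrected to match the observed error, otherwise the next person grepping for the message will not find this rule. Since this sits in `userdom_admin_user_template`, only admin user domains gain the right, which seems appropriate for `tunctl`.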
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/system/
@ 2016-10-24 15:45 Sven Vermeulen
From: Sven Vermeulen @ 2016-10-24 15:45 UTC
To: gentoo-commits
commit: e057adebff1c29e23b319ea8adf5336b102bca64
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Sep 18 20:41:47 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 3 06:04:21 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e057adeb
Module version bump for selinuxutil fix from Jason Zaman.
policy/modules/system/selinuxutil.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 98d7840..e162290 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -1,4 +1,4 @@
-policy_module(selinuxutil, 1.20.2)
+policy_module(selinuxutil, 1.20.3)
gen_require(`
bool secure_mode;
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/system/
@ 2016-10-24 15:45 Sven Vermeulen
From: Sven Vermeulen @ 2016-10-24 15:45 UTC
To: gentoo-commits
commit: 90909b138975c956acff4d6d6abcd63003ed5b3b
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Thu Sep 8 23:17:31 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 3 06:04:21 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=90909b13
Additional change from Guido Trentalancia related to evolution.
policy/modules/system/userdomain.if | 22 ++++++++++++++++++++++
policy/modules/system/userdomain.te | 2 +-
2 files changed, 23 insertions(+), 1 deletion(-)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index e6e434a..bf78a2b 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -2421,6 +2421,28 @@ interface(`userdom_read_user_certs',`
########################################
## <summary>
+## Do not audit attempts to manage
+## the user SSL certificates.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`userdom_dontaudit_manage_user_certs',`
+ gen_require(`
+ type user_cert_t;
+ ')
+
+ dontaudit $1 user_cert_t:dir manage_dir_perms;
+ dontaudit $1 user_cert_t:file manage_file_perms;
+ dontaudit $1 user_cert_t:lnk_file manage_file_perms;
+')
+
+########################################
+## <summary>
## Manage user SSL certificates.
## </summary>
## <param name="domain">
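Review bot: `dontaudit $1 user_cert_t:lnk_file manage_file_perms;` should use `manage_lnk_file_perms`, the permission set refpolicy defines for symbolic links (the `file` set includes permissions such as `open` that do not exist on the `lnk_file` class). The `## <rolecap/>` tag is also out of place on a dontaudit interface: it marks interfaces that grant a role a capability, and this one grants nothing.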
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index b44dd5d..c9774a1 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -1,4 +1,4 @@
-policy_module(userdomain, 4.11.6)
+policy_module(userdomain, 4.11.7)
########################################
#
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/system/
@ 2016-10-24 15:45 Sven Vermeulen
From: Sven Vermeulen @ 2016-10-24 15:45 UTC
To: gentoo-commits
commit: c7941d5608f8aadd8be1cdda6abff4084b2e094e
Author: Jason Zaman via refpolicy <refpolicy <AT> oss <DOT> tresys <DOT> com>
AuthorDate: Sun Sep 18 06:38:31 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 3 06:04:21 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c7941d56
selinuxutil: allow setfiles to read semanage store
commit a7334eb0de98af11ec38b6263536fa01bc2a606c
libsemanage: validate and compile file contexts before installing
validates the fcontexts when they are still in /var/lib/selinux. Without
setfiles_t having access to read the files, validation fails and the
policy cannot be updated.
policy/modules/system/selinuxutil.if | 23 +++++++++++++++++++++++
policy/modules/system/selinuxutil.te | 1 +
2 files changed, 24 insertions(+)
diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
index b4c70a3..a8221f0 100644
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
@@ -1107,6 +1107,29 @@ interface(`seutil_run_semanage',`
########################################
## <summary>
+## Read the semanage module store.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`seutil_read_module_store',`
+ gen_require(`
+ type selinux_config_t, semanage_store_t;
+ ')
+
+ files_search_etc($1)
+ files_search_var($1)
+ list_dirs_pattern($1, selinux_config_t, semanage_store_t)
+ list_dirs_pattern($1, semanage_store_t, semanage_store_t)
+ read_files_pattern($1, semanage_store_t, semanage_store_t)
+ read_lnk_files_pattern($1, semanage_store_t, semanage_store_t)
+')
+
+########################################
+## <summary>
## Full management of the semanage
## module store.
## </summary>
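Review bot: the summary `## Read the semanage module store.` should mention that the interface also grants `search` on selinux_config_t (via `list_dirs_pattern($1, selinux_config_t, semanage_store_t)`) and on `/var` (`files_search_var`), because the store is reachable under both /etc/selinux and /var/lib/selinux; a reader of the generated documentation otherwise assumes only the store directory is touched. The two `list_dirs_pattern` calls are not redundant: the first reaches the store through its parent, the second lists the store's own subdirectories.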
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 4a100cd..98d7840 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -597,6 +597,7 @@ logging_send_syslog_msg(setfiles_t)
miscfiles_read_localization(setfiles_t)
seutil_libselinux_linked(setfiles_t)
+seutil_read_module_store(setfiles_t)
userdom_use_all_users_fds(setfiles_t)
# for config files in a home directory
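Review bot: `seutil_read_module_store(setfiles_t)` is the right fix for setfiles validating file contexts out of /var/lib/selinux, but the selinuxutil `policy_module()` version is not bumped in this commit; the bump lands separately in e057adeb (1.20.2 to 1.20.3) and would normally travel with the change that adds the interface.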
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/system/
@ 2016-10-24 15:45 Sven Vermeulen
From: Sven Vermeulen @ 2016-10-24 15:45 UTC
To: gentoo-commits
commit: ca00fbff6cea187f3b7c99ff328c0f13dffef900
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Sep 7 21:51:42 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 3 06:04:21 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ca00fbff
userdomain: Move enable_mls block in userdom_common_user_template().
policy/modules/system/userdomain.if | 22 +++++++++++-----------
1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 12585fb..e353c6e 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -592,6 +592,17 @@ template(`userdom_common_user_template',`
# to this one.
seutil_dontaudit_signal_newrole($1_t)
+ ifndef(`enable_mls',`
+ tunable_policy(`user_write_removable',`
+ # Read/write floppies and other removable devices
+ storage_raw_read_removable_device($1_t)
+ storage_raw_write_removable_device($1_t)
+ ',`
+ # Read floppies
+ storage_raw_read_removable_device($1_t)
+ ')
+ ')
+
tunable_policy(`user_direct_mouse',`
dev_read_mouse($1_t)
')
@@ -607,17 +618,6 @@ template(`userdom_common_user_template',`
term_getattr_all_ttys($1_t)
')
- ifndef(`enable_mls',`
- tunable_policy(`user_write_removable',`
- # Read/write floppies and other removable devices
- storage_raw_read_removable_device($1_t)
- storage_raw_write_removable_device($1_t)
- ',`
- # Read floppies
- storage_raw_read_removable_device($1_t)
- ')
- ')
-
tunable_policy(`user_write_removable',`
# Read/write USB devices (e.g. external removable USB mass storage devices)
dev_rw_generic_usb_dev($1_t)
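Review bot: pure relocation, no rule changes (the removed `ifndef(`enable_mls'` block is identical to the one added in the first hunk). After the move, the MLS-conditional floppy rules and the unconditional USB rules both key on `user_write_removable` but live in different places; a one-line comment at the new location noting that the USB half follows further down would save the next reader a search.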
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/system/
@ 2016-10-24 15:45 Sven Vermeulen
From: Sven Vermeulen @ 2016-10-24 15:45 UTC
To: gentoo-commits
commit: facae736af918d3a0c96c1bf70c718babcf6f773
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Sep 7 22:02:18 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 3 06:04:21 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=facae736
Module version bumps for LVM and userdomain patches from Guido Trentalancia.
policy/modules/system/lvm.te | 2 +-
policy/modules/system/userdomain.te | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index c8831c6..b178770 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -1,4 +1,4 @@
-policy_module(lvm, 1.17.0)
+policy_module(lvm, 1.17.1)
########################################
#
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 3a97cc9..deb6a8d 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -1,4 +1,4 @@
-policy_module(userdomain, 4.11.5)
+policy_module(userdomain, 4.11.6)
########################################
#
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/system/
@ 2016-10-24 15:45 Sven Vermeulen
From: Sven Vermeulen @ 2016-10-24 15:45 UTC
To: gentoo-commits
commit: 2022bceff1d223d72e93d2a62d952f6de4d88e2d
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Thu Sep 8 16:38:37 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 3 06:04:21 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2022bcef
userdomain: introduce the user certificate file context (was miscfiles: introduce the user certificate file context)
Introduce a new file context for user certificates (user_cert_t)
located in home directories.
Introduce new auxiliary interfaces to read and manage such
files and directories.
Thanks to Christopher PeBenito for the useful suggestions that
led to this improved version of the patch.
Compared to the previous version, this patch adds the ability to
search the user home directories in the new interfaces.
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
policy/modules/system/userdomain.fc | 1 +
policy/modules/system/userdomain.if | 46 +++++++++++++++++++++++++++++++++++++
policy/modules/system/userdomain.te | 3 +++
3 files changed, 50 insertions(+)
diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc
index 0ec8d11..0214d21 100644
--- a/policy/modules/system/userdomain.fc
+++ b/policy/modules/system/userdomain.fc
@@ -1,5 +1,6 @@
HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0)
+HOME_DIR/\.pki(/.*)? gen_context(system_u:object_r:user_cert_t,s0)
/tmp/gconfd-USER -d gen_context(system_u:object_r:user_tmp_t,s0)
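Review bot: `HOME_DIR/\.pki(/.*)?` placed after `HOME_DIR/.+` works: the refpolicy build sorts file_contexts by specificity (fc_sort) and lookup takes the last matching entry, so the `\.pki` entry wins over the generic home entry regardless of source order, and the dot is correctly escaped here. The range `s0` matches `HOME_DIR/.+` rather than the `s0-mls_systemhigh` on `HOME_DIR -d`, which is consistent for MLS builds.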
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index e353c6e..e6e434a 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -246,6 +246,9 @@ interface(`userdom_manage_home_role',`
# cjp: this should probably be removed:
allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms };
+ userdom_manage_user_certs($2)
+ userdom_user_home_dir_filetrans($2, user_cert_t, dir, ".pki")
+
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_dirs($2)
fs_manage_nfs_files($2)
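Review bot: the filetrans on ".pki" only labels directories created after this policy is loaded; a pre-existing ~/.pki stays user_home_t, and this hunk grants $2 manage rights on user_cert_t but no relabelfrom/relabelto on it, so the user role cannot fix its own directory with restorecon unless a relabel permission is granted elsewhere through the user_home_content_type attribute. Either add the relabel permissions for user_cert_t next to the user_home_dir_t relabel rule above, or state in the commit message that existing home directories need a privileged relabel after the update.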
@@ -2396,6 +2399,49 @@ interface(`userdom_user_home_dir_filetrans_user_home_content',`
########################################
## <summary>
+## Read user SSL certificates.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`userdom_read_user_certs',`
+ gen_require(`
+ type user_cert_t;
+ ')
+
+ allow $1 user_cert_t:dir list_dir_perms;
+ read_files_pattern($1, user_cert_t, user_cert_t)
+ read_lnk_files_pattern($1, user_cert_t, user_cert_t)
+ files_search_home($1)
+')
+
+########################################
+## <summary>
+## Manage user SSL certificates.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_manage_user_certs',`
+ gen_require(`
+ type user_cert_t;
+ ')
+
+ manage_dirs_pattern($1, user_cert_t, user_cert_t)
+ manage_files_pattern($1, user_cert_t, user_cert_t)
+ manage_lnk_files_pattern($1, user_cert_t, user_cert_t)
+ files_search_home($1)
+')
+
+########################################
+## <summary>
## Write to user temporary named sockets.
## </summary>
## <param name="domain">
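Review bot: files_search_home($1) in both new interfaces grants search on home_root_t (/home) only, while HOME_DIR/.pki sits inside the user's own home directory (user_home_dir_t), so a domain given only these interfaces still cannot traverse to the certificate files; the commit message says the interfaces can "search the user home directories", which needs userdom_search_user_home_dirs($1) in addition to, or instead of, files_search_home($1). Also, userdom_read_user_certs carries <rolecap/> and userdom_manage_user_certs does not, although the manage interface is the one wired into userdom_manage_home_role in the previous hunk; tag both or neither.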
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index deb6a8d..b44dd5d 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -93,6 +93,9 @@ files_associate_tmp(user_home_t)
files_poly_parent(user_home_t)
files_mountpoint(user_home_t)
+type user_cert_t;
+userdom_user_home_content(user_cert_t)
+
type user_devpts_t alias { staff_devpts_t sysadm_devpts_t secadm_devpts_t auditadm_devpts_t unconfined_devpts_t };
dev_node(user_devpts_t)
files_type(user_devpts_t)
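Review bot: userdom_user_home_content(user_cert_t) puts the new type in the user_home_content_type attribute, so every interface that operates on all user home content (the userdom_*_all_user_home_content* family) silently gains access to certificates and keys as well, which undoes the separation a dedicated type is meant to provide for exactly those callers. If the separation is intended, declare the type without the attribute and grant the specific read/manage interfaces; if blanket home-content access is meant to cover it, say so in the commit message.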
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/system/
@ 2016-07-03 11:34 Sven Vermeulen
0 siblings, 0 replies; 37+ messages in thread
From: Sven Vermeulen @ 2016-07-03 11:34 UTC (permalink / raw
To: gentoo-commits
commit: 04768f431e51e63fe01b5c93fd639d54feb29380
Author: Sven Vermeulen <swift <AT> gentoo <DOT> org>
AuthorDate: Sat Oct 10 12:08:03 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Jul 3 11:33:57 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=04768f43
Manage tun/tap interfaces
We need the relabelfrom/relabelto rights, otherwise tun/tap interface
activities fail:
~# tunctl -d tap0
TUNSETIFF: Permission denied
policy/modules/system/userdomain.if | 3 +++
1 file changed, 3 insertions(+)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index b04d149..e085cff 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1259,6 +1259,9 @@ template(`userdom_admin_user_template',`
seutil_relabelto_bin_policy($1_t)
# allow to manage chr_files in user_tmp (for initrd's)
userdom_manage_user_tmp_chr_files($1_t)
+ # allow managing tun/tap interfaces (labeling)
+ # without this operations such as tunctl -d tap0 result in a TUNSETIFF: Device or resource busy
+ allow $1_t self:tun_socket { relabelfrom relabelto };
')
')
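Review bot: the in-policy comment says the failure is "TUNSETIFF: Device or resource busy", while the commit message shows "TUNSETIFF: Permission denied"; EACCES is what an SELinux denial produces, so the comment should quote that. Second, allow $1_t self:tun_socket { relabelfrom relabelto } only covers persistent tun/tap devices created by the same domain: on open of a persistent device the kernel checks relabelfrom against the label the device currently carries (its creator's type) and relabelto against the opener's own type, so tunctl -d on a tap created by another domain (a VPN daemon, or an admin in a different domain) still fails and needs relabelfrom on that creator's type.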
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/system/
@ 2016-07-03 11:34 Sven Vermeulen
0 siblings, 0 replies; 37+ messages in thread
From: Sven Vermeulen @ 2016-07-03 11:34 UTC (permalink / raw
To: gentoo-commits
commit: 75a4146c71914a7fde5a09918baa4e54db21683d
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Jun 2 04:39:36 2016 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Jun 2 04:39:36 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=75a4146c
userdomain: Add user runtime to gentoo-specific interfaces
policy/modules/system/userdomain.if | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index beed625..00b9335 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -3916,5 +3916,6 @@ interface(`userdom_manage_user_tmp_chr_files',`
')
manage_chr_files_pattern($1, user_tmp_t, user_tmp_t)
+ userdom_search_user_runtime($1)
files_search_tmp($1)
')
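Review bot: userdom_search_user_runtime($1) is added to an interface whose name and documentation still talk only about user tmp chr files, with no comment saying why a search into the user runtime directory is needed. If the chr_files this interface exists for now live under /run/user/UID, the summary should say so, and search alone does not let the caller create them there; check whether the matching manage or filetrans rule on the runtime type is also needed.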
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/system/
@ 2015-12-02 15:45 Sven Vermeulen
0 siblings, 0 replies; 37+ messages in thread
From: Sven Vermeulen @ 2015-12-02 15:45 UTC (permalink / raw
To: gentoo-commits
commit: d63fd441ccb0fd52cf45a82e0c23a11d052fb1da
Author: Sven Vermeulen <swift <AT> gentoo <DOT> org>
AuthorDate: Sat Oct 10 12:08:03 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Dec 2 15:45:15 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d63fd441
Manage tun/tap interfaces
We need the relabelfrom/relabelto rights, otherwise tun/tap interface
activities fail:
~# tunctl -d tap0
TUNSETIFF: Permission denied
policy/modules/system/userdomain.if | 3 +++
1 file changed, 3 insertions(+)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index ea03e86..c53daff 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1254,6 +1254,9 @@ template(`userdom_admin_user_template',`
seutil_relabelto_bin_policy($1_t)
# allow to manage chr_files in user_tmp (for initrd's)
userdom_manage_user_tmp_chr_files($1_t)
+ # allow managing tun/tap interfaces (labeling)
+ # without this operations such as tunctl -d tap0 result in a TUNSETIFF: Device or resource busy
+ allow $1_t self:tun_socket { relabelfrom relabelto };
')
')
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/system/
@ 2015-12-02 15:45 Sven Vermeulen
0 siblings, 0 replies; 37+ messages in thread
From: Sven Vermeulen @ 2015-12-02 15:45 UTC (permalink / raw
To: gentoo-commits
commit: 360b075cbb2c37b12a039e12d4ac0f6d68c2e0f8
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Tue Oct 20 17:25:57 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 26 03:55:52 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=360b075c
Add refpolicy core socket-activated services.
policy/modules/system/logging.te | 1 +
policy/modules/system/lvm.te | 1 +
policy/modules/system/udev.te | 1 +
3 files changed, 3 insertions(+)
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index fd941ab..ef56179 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -67,6 +67,7 @@ files_config_file(syslog_conf_t)
type syslogd_t;
type syslogd_exec_t;
init_daemon_domain(syslogd_t, syslogd_exec_t)
+init_named_socket_activation(syslogd_t, syslogd_var_run_t)
type syslogd_initrc_exec_t;
init_script_file(syslogd_initrc_exec_t)
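Review bot: the three init_named_socket_activation(...) calls in this commit are unconditional, so unless the interface itself is gated on init_systemd, an OpenRC build (the Gentoo default) carries rules for systemd socket activation on syslogd_var_run_t, lvm_var_run_t and udev_var_run_t that nothing uses; consider wrapping them in ifdef(`init_systemd',`...'). The commit message also names no socket paths or units; stating which /run paths are socket-activated would let a reviewer confirm the pid-file types are the right ones, in particular for lvm_t, which is an init_system_domain rather than a daemon.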
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index 61bd92b..d15ea3c 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -18,6 +18,7 @@ files_pid_file(clvmd_var_run_t)
type lvm_t;
type lvm_exec_t;
init_system_domain(lvm_t, lvm_exec_t)
+init_named_socket_activation(lvm_t, lvm_var_run_t)
# needs privowner because it assigns the identity system_u to device nodes
# but runs as the identity of the sysadmin
domain_obj_id_change_exemption(lvm_t)
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 40868ad..c9091f3 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -13,6 +13,7 @@ domain_obj_id_change_exemption(udev_t)
domain_entry_file(udev_t, udev_helper_exec_t)
domain_interactive_fd(udev_t)
init_daemon_domain(udev_t, udev_exec_t)
+init_named_socket_activation(udev_t, udev_var_run_t)
type udev_etc_t alias etc_udev_t;
files_config_file(udev_etc_t)
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/system/
@ 2015-12-02 15:45 Sven Vermeulen
0 siblings, 0 replies; 37+ messages in thread
From: Sven Vermeulen @ 2015-12-02 15:45 UTC (permalink / raw
To: gentoo-commits
commit: 2b1fd1cb76055efbf37feb023a65831b79932f2b
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Oct 26 04:59:35 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 26 04:59:35 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2b1fd1cb
system/logging: Remove duplicate filetrans on news logs
policy/modules/system/logging.te:541:ERROR 'duplicate filename transition for:
filename_trans news.crit syslogd_t var_log_t:file'
type_transition syslogd_t var_log_t:file innd_log_t "news.crit";
The news type is gentoo only so make the logging one ifndef
policy/modules/system/logging.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index d0c4d31..52c86e5 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -540,9 +540,11 @@ optional_policy(`
optional_policy(`
inn_manage_log(syslogd_t)
+ ifndef(`distro_gentoo',`
inn_generic_log_filetrans_innd_log(syslogd_t, file, "news.crit")
inn_generic_log_filetrans_innd_log(syslogd_t, file, "news.err")
inn_generic_log_filetrans_innd_log(syslogd_t, file, "news.notice")
+ ')
')
optional_policy(`
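Review bot: wrapping only the three inn_generic_log_filetrans_innd_log calls in ifndef(`distro_gentoo') silences the duplicate filename transition but leaves the actual duplicate in the Gentoo-specific rule set; dropping the Gentoo copy instead would keep logging.te identical to upstream refpolicy and avoid a conflict every time this block changes. As written, if the Gentoo-side type_transition for "news.crit" is ever removed, syslogd_t starts creating the news.* files as plain var_log_t with no build error to flag it. At minimum, a comment naming where the Gentoo-side transition lives would help the next maintainer.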
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/system/
@ 2015-12-02 15:45 Sven Vermeulen
0 siblings, 0 replies; 37+ messages in thread
From: Sven Vermeulen @ 2015-12-02 15:45 UTC (permalink / raw
To: gentoo-commits
commit: a51ba0a947d3824df1342367d7fd6fd955e6410b
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Oct 26 04:27:25 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 26 04:27:25 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a51ba0a9
system/logging: Remove duplicate filetrans on cron.log
policy/modules/system/logging.te:534:ERROR 'duplicate filename
transition for: filename_trans cron.log syslogd_t var_log_t:file' at
type_transition syslogd_t var_log_t:file cron_log_t "cron.log";
The cron type is gentoo only so make the logging one ifndef
policy/modules/system/logging.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 902ff63..d0c4d31 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -533,7 +533,9 @@ optional_policy(`
optional_policy(`
cron_manage_log_files(syslogd_t)
+ ifndef(`distro_gentoo',`
cron_generic_log_filetrans_log(syslogd_t, file, "cron.log")
+ ')
')
optional_policy(`
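Review bot: the new ifndef(`distro_gentoo') around cron_generic_log_filetrans_log has no comment saying where the Gentoo-side transition for "cron.log" comes from (the type_transition syslogd_t var_log_t:file cron_log_t "cron.log" quoted in the commit message); without it a reader of logging.te sees syslogd_t lose its cron.log transition on Gentoo with no explanation. Add the comment, and consider fixing the duplicate at its Gentoo-side source so this upstream block can stay unchanged.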
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/system/
@ 2015-10-10 12:11 Sven Vermeulen
0 siblings, 0 replies; 37+ messages in thread
From: Sven Vermeulen @ 2015-10-10 12:11 UTC (permalink / raw
To: gentoo-commits
commit: bb92924b4730deb3dbd1c0a9f2a763ff99cd06c5
Author: Sven Vermeulen <swift <AT> gentoo <DOT> org>
AuthorDate: Sat Oct 10 12:08:03 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Oct 10 12:08:03 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=bb92924b
Manage tun/tap interfaces
We need the relabelfrom/relabelto rights, otherwise tun/tap interface
activities fail:
~# tunctl -d tap0
TUNSETIFF: Permission denied
policy/modules/system/userdomain.if | 3 +++
1 file changed, 3 insertions(+)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index ea03e86..c53daff 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1254,6 +1254,9 @@ template(`userdom_admin_user_template',`
seutil_relabelto_bin_policy($1_t)
# allow to manage chr_files in user_tmp (for initrd's)
userdom_manage_user_tmp_chr_files($1_t)
+ # allow managing tun/tap interfaces (labeling)
+ # without this operations such as tunctl -d tap0 result in a TUNSETIFF: Device or resource busy
+ allow $1_t self:tun_socket { relabelfrom relabelto };
')
')
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/system/
@ 2015-07-11 14:09 Sven Vermeulen
0 siblings, 0 replies; 37+ messages in thread
From: Sven Vermeulen @ 2015-07-11 14:09 UTC (permalink / raw
To: gentoo-commits
commit: 76b213703ff1b7bbcbfb0876388c764918290070
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Jul 11 13:36:30 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Jul 11 13:36:30 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=76b21370
Allow run_init_t to read all named init scripts
When OpenRC wants to execute a labeled init script, it fails if this is
a symlink:
~$ sudo /etc/init.d/ceph-mon.0 start
openrc-run should not be run directly
The denial shows that a read on the symlink is denied:
type=AVC msg=audit(1436621093.701:1165): avc: denied { read } for
pid=30786 comm="openrc" name="ceph-mon.0" dev="vda3" ino=1966780
scontext=staff_u:staff_r:run_init_t:s0
tcontext=system_u:object_r:ceph_initrc_exec_t:s0 tclass=lnk_file
permissive=0
After granting this, the behavior is as expected:
~$ sudo /etc/init.d/ceph-mon.0 start
* Starting Ceph mon.0 ... [ ok ]
X-Gentoo-Bug: 554514
X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=554514
policy/modules/system/init.if | 5 +++++
policy/modules/system/selinuxutil.te | 2 ++
2 files changed, 7 insertions(+)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index ed65609..211d434 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1195,6 +1195,11 @@ interface(`init_read_all_script_files',`
files_search_etc($1)
allow $1 init_script_file_type:file read_file_perms;
+
+ ifdef(`distro_gentoo',`
+ # Bug 554514
+ allow $1 init_script_file_type:lnk_file read_lnk_file_perms;
+ ')
')
#######################################
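Review bot: the lnk_file read is granted to every caller of init_read_all_script_files, not only run_init_t, so the grant is wider than the commit title suggests; that is acceptable (reading a symlink reveals only its target), but the interface summary should mention symlinks. Since the permission is on the init_script_file_type attribute and symlinked init scripts are not Gentoo-specific, consider proposing it upstream unconditionally instead of under ifdef(`distro_gentoo').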
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 51c64be..d25a0fd 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -418,6 +418,8 @@ userdom_use_user_terminals(run_init_t)
ifndef(`direct_sysadm_daemon',`
ifdef(`distro_gentoo',`
# Gentoo integrated run_init:
+ # Bug 554514
+ init_read_all_script_files(run_init_t)
init_script_file_entry_type(run_init_t)
init_exec_rc(run_init_t)
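Review bot: init_read_all_script_files(run_init_t) is added inside ifndef(`direct_sysadm_daemon') / ifdef(`distro_gentoo'), which matches the denial (staff_r:run_init_t on Gentoo's integrated run_init), but the interface grants file read on every init_script_file_type as well as the lnk_file read the denial actually needed. Check whether run_init_t already had the file read rights elsewhere; if not, the commit message should say that run_init_t is being widened beyond the symlink fix.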
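The denial quoted in the commit message above is the kind of record a policy developer turns into a rule by hand. As an added example (not code from the hardened-refpolicy project or from this thread), the following Python parses AVC records of that shape, including records wrapped across lines as they are when pasted into an e-mail, and merges permissions per (source type, target type, object class) into allow statements the way audit2allow does. The sample input is constructed: the first record is the run_init_t denial from the commit message, the second is an invented getattr denial of the same shape, added only to show the merge.

```python
"""Parse SELinux AVC denial records and aggregate them into allow rules.

Added example, not part of the hardened-refpolicy commit above. It reproduces
the manual step of reading a denial, extracting source type, target type,
object class and permission, and writing the allow rule, merging permissions
for the same (source, target, class) triple the way audit2allow does.
"""
import re
from collections import defaultdict

# A record pasted into mail may be wrapped; the parser works on joined text
# and only relies on the key=value fields that every AVC record carries.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*?)"
    r"\s+scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)",
    re.DOTALL,
)

# Constructed sample: record 1 is the denial quoted in the commit message,
# record 2 is invented (same shape, different permission) to exercise merging.
SAMPLE_AVC = """\
type=AVC msg=audit(1436621093.701:1165): avc: denied { read } for
pid=30786 comm="openrc" name="ceph-mon.0" dev="vda3" ino=1966780
scontext=staff_u:staff_r:run_init_t:s0
tcontext=system_u:object_r:ceph_initrc_exec_t:s0 tclass=lnk_file
permissive=0
type=AVC msg=audit(1436621093.702:1166): avc: denied { getattr } for pid=30786 comm="openrc" path="/etc/init.d/ceph-mon.0" dev="vda3" ino=1966780 scontext=staff_u:staff_r:run_init_t:s0 tcontext=system_u:object_r:ceph_initrc_exec_t:s0 tclass=lnk_file permissive=0
"""


def _type_of(context):
    """user:role:type[:range] -> type (the third colon-separated field)."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError("not a security context: %r" % context)
    return parts[2]


def parse_avc(text):
    """Yield (source_type, target_type, tclass, perms, permissive) per record.

    perms is a frozenset of permission names; permissive is True when the
    record carries permissive=1 (i.e. the access was logged but not blocked).
    """
    joined = " ".join(line.strip() for line in text.splitlines())
    for chunk in joined.split("type=AVC")[1:]:
        m = AVC_RE.search(chunk)
        if not m:
            continue
        perm_flag = re.search(r"permissive=(\d)", chunk)
        yield (
            _type_of(m.group("scontext")),
            _type_of(m.group("tcontext")),
            m.group("tclass"),
            frozenset(m.group("perms").split()),
            perm_flag is not None and perm_flag.group(1) == "1",
        )


def allow_rules(text):
    """Aggregate denials into sorted refpolicy-style allow statements."""
    merged = defaultdict(set)
    for src, tgt, cls, perms, _permissive in parse_avc(text):
        merged[(src, tgt, cls)].update(perms)
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        plist = sorted(perms)
        body = plist[0] if len(plist) == 1 else "{ %s }" % " ".join(plist)
        rules.append("allow %s %s:%s %s;" % (src, tgt, cls, body))
    return rules


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AVC):
        print(rule)
```

Treat the output as a starting point, not a patch: refpolicy style expresses the lnk_file access through an interface (here init_read_all_script_files with read_lnk_file_perms, as the commit does) rather than a raw allow line, and a denial should only be allowed after deciding that the access is legitimate for that domain.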
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/system/
@ 2015-06-11 16:04 Sven Vermeulen
0 siblings, 0 replies; 37+ messages in thread
From: Sven Vermeulen @ 2015-06-11 16:04 UTC (permalink / raw
To: gentoo-commits
commit: 4e0b54e1d130040aa21f0add9b6b6a748d64d40e
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Jun 11 16:04:34 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Jun 11 16:04:34 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4e0b54e1
Allow user domains to manage XDG documents, pictures and music
policy/modules/system/userdomain.if | 3 +++
1 file changed, 3 insertions(+)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 1d5370c..ea03e86 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -282,7 +282,10 @@ interface(`userdom_manage_home_role',`
xdg_manage_all_config_home($2)
xdg_manage_all_data_home($2)
xdg_manage_all_runtime_home($2)
+ xdg_manage_documents_home($2)
xdg_manage_downloads_home($2)
+ xdg_manage_music_home($2)
+ xdg_manage_pictures_home($2)
xdg_manage_videos_home($2)
xdg_relabel_all_cache_home($2)
xdg_relabel_all_config_home($2)
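Review bot: xdg_manage_documents_home, xdg_manage_music_home and xdg_manage_pictures_home are added alongside downloads and videos, but the visible context only shows relabel interfaces for cache and config; check that matching xdg_relabel_* rules, and the filetrans rules that give ~/Documents, ~/Music and ~/Pictures their types on creation, are in place for the three new directories, otherwise the user can create and edit the content but cannot restorecon it.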
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/system/
@ 2015-06-09 13:24 Sven Vermeulen
0 siblings, 0 replies; 37+ messages in thread
From: Sven Vermeulen @ 2015-06-09 13:24 UTC (permalink / raw
To: gentoo-commits
commit: 612782c9a0018a2b6d38c19476f44b7ad92ff070
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon May 25 09:33:55 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed May 27 18:59:50 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=612782c9
logging: use init_startstop_service in _admin interface
The logging_admin interfaces had rules for RedHat sysvinit. This
replaces them with the interface init_startstop_service which can
easily be changed for other init systems.
policy/modules/system/logging.if | 10 ++--------
1 file changed, 2 insertions(+), 8 deletions(-)
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 1c4af7b..9fa0f5d 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -1022,10 +1022,7 @@ interface(`logging_admin_audit',`
logging_run_auditctl($1, $2)
- init_labeled_script_domtrans($1, auditd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 auditd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, auditd_t, auditd_initrc_exec_t)
')
########################################
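Review bot: the replacement is only behaviour-preserving on non-Gentoo builds. The four removed lines gave $2 the system_r role and $1 domain_system_change_exemption; init_startstop_service re-adds them in its sysvinit/upstart branch, but on distro_gentoo it routes through run_init instead, which keeps the caller in its own role and grants no system_r. That is a privilege reduction for Gentoo audit and syslog admins and deserves a sentence in the commit message. The auditd_t / syslogd_t arguments are unused by the version of init_startstop_service shown later in this thread, which is fine for now but should be noted.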
@@ -1080,10 +1077,7 @@ interface(`logging_admin_syslog',`
logging_manage_all_logs($1)
- init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
- domain_system_change_exemption($1)
- role_transition $2 syslogd_initrc_exec_t system_r;
- allow $2 system_r;
+ init_startstop_service($1, $2, syslogd_t, syslogd_initrc_exec_t)
')
########################################
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/system/
@ 2015-06-09 13:24 Sven Vermeulen
0 siblings, 0 replies; 37+ messages in thread
From: Sven Vermeulen @ 2015-06-09 13:24 UTC (permalink / raw
To: gentoo-commits
commit: 78438b16c855c83be05b9d421c8fd0a3d0e878d2
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed May 27 18:58:19 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed May 27 18:59:51 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=78438b16
Add openrc support to init_startstop_service
Adds the openrc rules in ifdef distro_gentoo to transition
to run_init correctly.
policy/modules/system/init.if | 3 ++-
policy/modules/system/selinuxutil.if | 6 +++---
2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 7b17c5c..ed65609 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -999,7 +999,8 @@ interface(`init_startstop_service',`
ifndef(`direct_sysadm_daemon',`
ifdef(`distro_gentoo',`
- seutil_spec_run_runinit($1, $2, $4)
+ # for OpenRC
+ seutil_labeled_init_script_run_runinit($1, $2, $4)
',`
# rules for sysvinit / upstart
init_labeled_script_domtrans($1, $4)
diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
index e69f279..bcb4330 100644
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
@@ -398,7 +398,7 @@ interface(`seutil_domtrans_runinit',`
## </summary>
## </param>
#
-interface(`seutil_spec_domtrans_runinit',`
+interface(`seutil_labeled_init_script_domtrans_runinit',`
gen_require(`
type run_init_t;
')
@@ -534,12 +534,12 @@ interface(`seutil_init_script_run_runinit',`
## </summary>
## </param>
#
-interface(`seutil_spec_run_runinit',`
+interface(`seutil_labeled_init_script_run_runinit',`
gen_require(`
attribute_role run_init_roles;
')
- seutil_spec_domtrans_runinit($1, $3)
+ seutil_labeled_init_script_domtrans_runinit($1, $3)
roleattribute $2 run_init_roles;
')
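Review bot: renaming seutil_spec_domtrans_runinit and seutil_spec_run_runinit without a compatibility shim breaks any out-of-tree policy that already calls the old names. Refpolicy convention is to keep the old interface for a release as a wrapper that calls refpolicywarn(`$0($*) has been deprecated, please use seutil_labeled_init_script_run_runinit() instead.') and forwards to the new one; the same for the domtrans variant.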
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/system/
@ 2015-06-09 13:24 Sven Vermeulen
0 siblings, 0 replies; 37+ messages in thread
From: Sven Vermeulen @ 2015-06-09 13:24 UTC (permalink / raw
To: gentoo-commits
commit: 7a7d862ad99304dbe93e2feb668088b4966db74d
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Fri May 15 15:03:30 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri May 22 20:01:41 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7a7d862a
Add openrc support to init_startstop_service
Adds the openrc rules in ifdef distro_gentoo to transition
to run_init correctly.
policy/modules/system/init.if | 14 ++++---
policy/modules/system/selinuxutil.if | 75 ++++++++++++++++++++++++++++++++++++
2 files changed, 84 insertions(+), 5 deletions(-)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 61db079..7b17c5c 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -998,11 +998,15 @@ interface(`init_startstop_service',`
')
ifndef(`direct_sysadm_daemon',`
- # rules for sysvinit / upstart
- init_labeled_script_domtrans($1, $4)
- domain_system_change_exemption($1)
- role_transition $2 $4 system_r;
- allow $2 system_r;
+ ifdef(`distro_gentoo',`
+ seutil_spec_run_runinit($1, $2, $4)
+ ',`
+ # rules for sysvinit / upstart
+ init_labeled_script_domtrans($1, $4)
+ domain_system_change_exemption($1)
+ role_transition $2 $4 system_r;
+ allow $2 system_r;
+ ')
')
')
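Review bot: the new ifdef(`distro_gentoo') branch carries no comment while the other branch keeps "# rules for sysvinit / upstart"; add a comment naming OpenRC / integrated run_init so the divergence is self-explaining. Note also that the Gentoo branch drops allow $2 system_r and domain_system_change_exemption($1): run_init keeps the caller in its own role, so roles that previously obtained system_r through the _admin interfaces no longer do. That is the intended model, but the commit message ("transition to run_init correctly") should say so.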
diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
index 129a6e0..e69f279 100644
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
@@ -379,6 +379,40 @@ interface(`seutil_domtrans_runinit',`
########################################
## <summary>
+## Execute file in the run_init domain.
+## </summary>
+## <desc>
+## <p>
+## Execute file in the run_init domain.
+## This is used for the Gentoo integrated run_init.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Type of entry file.
+## </summary>
+## </param>
+#
+interface(`seutil_spec_domtrans_runinit',`
+ gen_require(`
+ type run_init_t;
+ ')
+
+ domain_entry_file(run_init_t, $2)
+ domain_auto_transition_pattern($1, $2, run_init_t)
+
+ allow run_init_t $1:fd use;
+ allow run_init_t $1:fifo_file rw_file_perms;
+ allow run_init_t $1:process sigchld;
+')
+
+########################################
+## <summary>
## Execute init scripts in the run_init domain.
## </summary>
## <desc>
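Review bot: the second <param> of seutil_spec_domtrans_runinit is named "domain" but documented as "Type of entry file"; name it entry_file (or init_script_file) so the generated documentation does not show two parameters called domain. Also worth a line in the <desc>: domain_entry_file(run_init_t, $2) makes every file of type $2 an entrypoint into run_init_t, so any domain that can write files of that type can have its content executed as run_init_t by a caller of this interface; that is the existing trust model for init scripts, but since this interface will be called with arbitrary labelled script types the expectation should be stated.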
@@ -470,6 +504,47 @@ interface(`seutil_init_script_run_runinit',`
########################################
## <summary>
+## Execute specified file in the run_init domain, and
+## allow the specified role the run_init domain,
+## and use the caller's terminal.
+## </summary>
+## <desc>
+## <p>
+## Execute specified file in the run_init domain, and
+## allow the specified role the run_init domain,
+## and use the caller's terminal.
+## </p>
+## <p>
+## This is used for the Gentoo integrated run_init.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Type of init script.
+## </summary>
+## </param>
+#
+interface(`seutil_spec_run_runinit',`
+ gen_require(`
+ attribute_role run_init_roles;
+ ')
+
+ seutil_spec_domtrans_runinit($1, $3)
+ roleattribute $2 run_init_roles;
+')
+
+########################################
+## <summary>
## Inherit and use run_init file descriptors.
## </summary>
## <param name="domain">
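Review bot: the <summary> of seutil_spec_run_runinit promises "and use the caller's terminal", but the body only calls seutil_spec_domtrans_runinit($1, $3) and adds $2 to run_init_roles; no terminal rule is granted here (run_init_t's terminal access comes from userdom_use_user_terminals(run_init_t) in selinuxutil.te). Either drop that clause or grant the access in this interface. The third <param> is again named "domain" while documenting "Type of init script"; rename it.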
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/system/
@ 2015-06-09 13:24 Sven Vermeulen
0 siblings, 0 replies; 37+ messages in thread
From: Sven Vermeulen @ 2015-06-09 13:24 UTC (permalink / raw
To: gentoo-commits
commit: 5454b1692fd734babb5b459922136c7dfc7c4aa2
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Fri May 22 14:08:05 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri May 22 19:16:43 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5454b169
Introduce init_startstop_service interface
This is to be used where a role needs to start and stop a labeled
service. It centralizes all the rules for redhat < 6 sysvinit that
were used in the _admin interfaces. The rules for other inits will
be added later.
policy/modules/system/init.if | 40 ++++++++++++++++++++++++++++++++++++++++
1 file changed, 40 insertions(+)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 61db079..acf1fae 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1008,6 +1008,46 @@ interface(`init_startstop_service',`
########################################
## <summary>
+## Allow the role to start and stop
+## labeled services.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be performing this action.
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## Type to be used as a daemon domain.
+## </summary>
+## </param>
+## <param name="init_script_file">
+## <summary>
+## Labeled init script file.
+## </summary>
+## </param>
+#
+interface(`init_startstop_service',`
+ gen_require(`
+ role system_r;
+ ')
+
+ ifndef(`direct_sysadm_daemon',`
+ # rules for sysvinit / upstart
+ init_labeled_script_domtrans($1, $4)
+ domain_system_change_exemption($1)
+ role_transition $2 $4 system_r;
+ allow $2 system_r;
+ ')
+')
+
+########################################
+## <summary>
## Start and stop daemon programs directly.
## </summary>
## <desc>
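Review bot: the hunk header "@@ -1008,6 +1008,46 @@ interface(`init_startstop_service',`" shows that an init_startstop_service definition already exists at that point in the file, so this hunk adds a second copy of the same interface; the revert at the end of this thread confirms it was applied twice. Separately, the third parameter (the daemon domain, $3) is never used in the body; either document it as reserved for the other init-system branches the commit message mentions, or drop it until needed. Two <param> blocks share the name "domain"; give the daemon one a distinct name.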
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/system/
@ 2015-06-09 13:24 Sven Vermeulen
0 siblings, 0 replies; 37+ messages in thread
From: Sven Vermeulen @ 2015-06-09 13:24 UTC (permalink / raw
To: gentoo-commits
commit: 9e474937977d0e21a9b63eee5717d8b4837dba32
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Fri May 22 18:25:04 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri May 22 19:16:43 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9e474937
Module version bump for init_startstop_service from Jason Zaman.
policy/modules/system/init.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index c265e53..141df45 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 1.22.0)
+policy_module(init, 1.22.1)
gen_require(`
class passwd rootok;
* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/system/
@ 2015-06-09 13:24 Sven Vermeulen
0 siblings, 0 replies; 37+ messages in thread
From: Sven Vermeulen @ 2015-06-09 13:24 UTC (permalink / raw
To: gentoo-commits
commit: 4145312546b2dfef571c04698fa81b545a5be63d
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Fri May 22 19:52:07 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri May 22 19:52:07 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=41453125
Revert "Introduce init_startstop_service interface", accidentally applied twice
This reverts commit c2986eed04bbae7ef6ff1bdad6df31022abdc970.
policy/modules/system/init.if | 40 ----------------------------------------
1 file changed, 40 deletions(-)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index acf1fae..61db079 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1008,46 +1008,6 @@ interface(`init_startstop_service',`
########################################
## <summary>
-## Allow the role to start and stop
-## labeled services.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-## <param name="role">
-## <summary>
-## The role to be performing this action.
-## </summary>
-## </param>
-## <param name="domain">
-## <summary>
-## Type to be used as a daemon domain.
-## </summary>
-## </param>
-## <param name="init_script_file">
-## <summary>
-## Labeled init script file.
-## </summary>
-## </param>
-#
-interface(`init_startstop_service',`
- gen_require(`
- role system_r;
- ')
-
- ifndef(`direct_sysadm_daemon',`
- # rules for sysvinit / upstart
- init_labeled_script_domtrans($1, $4)
- domain_system_change_exemption($1)
- role_transition $2 $4 system_r;
- allow $2 system_r;
- ')
-')
-
-########################################
-## <summary>
## Start and stop daemon programs directly.
## </summary>
## <desc>