* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/kernel/
From: Sven Vermeulen @ 2012-09-28 17:57 UTC
To: gentoo-commits
commit: cd46d984ef7a811f699cff8190c8154bb87a1c78
Author: Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Mon Sep 10 16:11:13 2012 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri Sep 28 17:53:18 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=cd46d984
Add Debian locations for GDM 3
---
policy/modules/kernel/corecommands.fc | 1 +
policy/modules/services/xserver.fc | 15 +++++++++------
2 files changed, 10 insertions(+), 6 deletions(-)
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 4592f8a..2596ca3 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -322,6 +322,7 @@ ifdef(`distro_gentoo',`
ifdef(`distro_debian',`
/usr/lib/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/gdm3/.* -- gen_context(system_u:object_r:bin_t,s0)
')
ifdef(`distro_gentoo', `
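Review bot: `/usr/lib/gdm3/.*` with the `--` qualifier labels every regular file under /usr/lib/gdm3 as bin_t, executables and data alike, while the directory itself keeps whatever its parent gives it; that matches the ConsoleKit entry directly above, but this entry is guarded by `ifdef(`distro_debian'` whereas the xserver.fc entries in the same patch apply to every distro, and the commit message does not say why the split is intended.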
diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
index 30fc0e8..433d690 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -19,9 +19,9 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
#
# /etc
#
-/etc/gdm/PostSession/.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
-/etc/gdm/PreSession/.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
-/etc/gdm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
+/etc/gdm(3)?/PostSession/.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
+/etc/gdm(3)?/PreSession/.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
+/etc/gdm(3)?/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
/etc/rc\.d/init\.d/xfree86-common -- gen_context(system_u:object_r:xserver_exec_t,s0)
@@ -57,9 +57,10 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
# /usr
#
+/usr/(s)?bin/gdm(3)? -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/(s)?bin/gdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/(s)?bin/lxdm(-binary)? -- gen_context(system_u:object_r:xdm_exec_t,s0)
-/usr/(s)?bin/[xgkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
+/usr/(s)?bin/[xkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
/usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0)
/usr/bin/slim -- gen_context(system_u:object_r:xdm_exec_t,s0)
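Review bot: dropping `g` from `[xgkw]dm` while adding `/usr/(s)?bin/gdm(3)?` keeps plain `gdm` matched, so this is a safe refactor; the separate `gdm-binary` line could be folded into the new regex as `/usr/(s)?bin/gdm(3|-binary)?` to keep one xdm_exec_t entry per display manager.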
@@ -90,18 +91,20 @@ ifndef(`distro_debian',`
/var/[xgkw]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
+/var/lib/gdm(3)?(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
/var/lib/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
/var/lib/[xkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
/var/lib/xkb(/.*)? gen_context(system_u:object_r:xkb_var_lib_t,s0)
/var/log/[kwx]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
/var/log/lxdm\.log -- gen_context(system_u:object_r:xserver_log_t,s0)
-/var/log/gdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
+/var/log/gdm(3)?(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
/var/log/slim\.log -- gen_context(system_u:object_r:xserver_log_t,s0)
/var/log/XFree86.* -- gen_context(system_u:object_r:xserver_log_t,s0)
/var/log/Xorg.* -- gen_context(system_u:object_r:xserver_log_t,s0)
-/var/run/[gx]dm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/gdm(3)?\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/xdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/lxdm\.auth -- gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/lxdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
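Review bot: splitting `/var/run/[gx]dm\.pid` into a `gdm(3)?` line and an `xdm` line is correct, but the new `/var/run/xdm\.pid` entry lands ahead of the three `lxdm` entries, breaking the alphabetical order the rest of this block follows; move it below `/var/run/lxdm(/.*)?`.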
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/kernel/
From: Sven Vermeulen @ 2012-09-28 17:57 UTC
To: gentoo-commits
commit: eb2f042d2b9dfcb967c4fa77615da7997a0b7428
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Mon Sep 17 15:08:42 2012 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri Sep 28 17:55:42 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=eb2f042d
Module version bump for Debian file context updates from Laurent Bigonville.
---
policy/modules/kernel/corecommands.te | 2 +-
policy/modules/services/xserver.te | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te
index 1dd0427..43090a0 100644
--- a/policy/modules/kernel/corecommands.te
+++ b/policy/modules/kernel/corecommands.te
@@ -1,4 +1,4 @@
-policy_module(corecommands, 1.17.0)
+policy_module(corecommands, 1.17.3)
########################################
#
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 8ec444d..c44a6c3 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -1,4 +1,4 @@
-policy_module(xserver, 3.8.0)
+policy_module(xserver, 3.8.2)
gen_require(`
class x_drawable all_x_drawable_perms;
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/kernel/
From: Sven Vermeulen @ 2014-06-10 18:17 UTC
To: gentoo-commits
commit: bfcca85f1b1f83d7c54e4f0b33aa40c027dc351e
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Mon Jun 2 19:14:50 2014 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Jun 10 18:14:24 2014 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=bfcca85f
Module version bump for rcs2log and xserver updates from Sven Vermeulen.
---
policy/modules/kernel/corecommands.te | 2 +-
policy/modules/services/xserver.te | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te
index 99dc2dc..859b61d 100644
--- a/policy/modules/kernel/corecommands.te
+++ b/policy/modules/kernel/corecommands.te
@@ -1,4 +1,4 @@
-policy_module(corecommands, 1.19.1)
+policy_module(corecommands, 1.19.2)
########################################
#
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index c096bba..909782e 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -1,4 +1,4 @@
-policy_module(xserver, 3.10.1)
+policy_module(xserver, 3.10.2)
gen_require(`
class x_drawable all_x_drawable_perms;
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/kernel/
From: Jason Zaman @ 2016-01-30 17:21 UTC
To: gentoo-commits
commit: 17d97f0a9bb787b5feb0fa8aaf23a87bfdc79d00
Author: Nicolas Iooss <nicolas.iooss <AT> m4x <DOT> org>
AuthorDate: Sun Dec 20 15:28:49 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Jan 30 17:16:56 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=17d97f0a
Label OpenSSH files correctly on Arch Linux
On Arch Linux, OpenSSH installs these binary files in /usr/lib/ssh:
* sftp-server (labeled with ssh_keysign_exec_t type in refpolicy)
* ssh-askpass (symlink to x11-ssh-askpass)
* ssh-keysign
* ssh-pkcs11-helper
* x11-ssh-askpass (from x11-ssh-askpass package)
Label all these files but sftp-server as bin_t.
policy/modules/kernel/corecommands.fc | 1 +
policy/modules/services/ssh.fc | 3 ++-
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 8f12446..beb3ad8 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -240,6 +240,7 @@ ifdef(`distro_gentoo',`
/usr/lib/rpm/rpmq -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/rpm/rpmv -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/ssh(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/sudo/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/lib/systemd/systemd.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/systemd/system-generators(/.*)? gen_context(system_u:object_r:bin_t,s0)
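Review bot: `/usr/lib/ssh(/.*)?` labels the whole directory bin_t, including the ssh-keysign and sftp-server binaries the commit message says must keep ssh_keysign_exec_t; that only works because the more specific `/usr/lib/ssh/ssh-keysign` entry in ssh.fc wins over this regex at labelling time, so a comment here pointing at ssh.fc would help, and the sftp-server exception the message relies on is not visible in this patch, so confirm ssh.fc already carries a `/usr/lib/ssh/sftp-server` entry.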
diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
index 8168244..fd6c218 100644
--- a/policy/modules/services/ssh.fc
+++ b/policy/modules/services/ssh.fc
@@ -7,7 +7,8 @@ HOME_DIR/\.ssh(/.*)? gen_context(system_u:object_r:ssh_home_t,s0)
/usr/bin/ssh-agent -- gen_context(system_u:object_r:ssh_agent_exec_t,s0)
/usr/bin/ssh-keygen -- gen_context(system_u:object_r:ssh_keygen_exec_t,s0)
-/usr/lib/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
+/usr/lib/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
+/usr/lib/ssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
/usr/libexec/openssh/ssh-keysign -- gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
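Review bot: the new `/usr/lib/ssh/ssh-keysign` entry is the specific match that overrides the broad bin_t regex added to corecommands.fc in the same patch, so the two files now depend on each other; a short comment saying so, or collapsing the three keysign paths into one regex such as `/usr/lib(exec)?/(open)?ssh/ssh-keysign` (which also admits /usr/libexec/ssh), would make that dependency explicit.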
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/kernel/
From: Jason Zaman @ 2016-01-30 17:21 UTC
To: gentoo-commits
commit: 6955590361f01ea1554313ac3cd465194d73c1b2
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Tue Jan 5 18:38:19 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Jan 30 17:16:56 2016 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=69555903
Module version bump for Xorg and SSH patches from Nicolas Iooss.
policy/modules/kernel/corecommands.te | 2 +-
policy/modules/services/ssh.te | 2 +-
policy/modules/services/xserver.te | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te
index 89fbb84..f8cd213 100644
--- a/policy/modules/kernel/corecommands.te
+++ b/policy/modules/kernel/corecommands.te
@@ -1,4 +1,4 @@
-policy_module(corecommands, 1.21.0)
+policy_module(corecommands, 1.21.1)
########################################
#
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 917187a..30c9987 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -1,4 +1,4 @@
-policy_module(ssh, 2.7.0)
+policy_module(ssh, 2.7.1)
########################################
#
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 09c79bb..38d5623 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -1,4 +1,4 @@
-policy_module(xserver, 3.11.0)
+policy_module(xserver, 3.11.1)
gen_require(`
class x_drawable all_x_drawable_perms;
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/kernel/
From: Jason Zaman @ 2019-03-26 10:17 UTC
To: gentoo-commits
commit: 10337c1339bd913a4bf477e994d9774b043cfcbd
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Fri Mar 8 00:02:27 2019 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Mar 25 10:05:25 2019 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=10337c13
filesystem, cron, authlogin: Module version bump.
Signed-off-by: Jason Zaman <jason <AT> perfinion.com>
policy/modules/kernel/filesystem.te | 2 +-
policy/modules/services/cron.te | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index f7d24342..3d321072 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -1,4 +1,4 @@
-policy_module(filesystem, 1.25.0)
+policy_module(filesystem, 1.25.1)
########################################
#
diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
index 0a19e09c..f182cf92 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -1,4 +1,4 @@
-policy_module(cron, 2.15.0)
+policy_module(cron, 2.15.1)
gen_require(`
class passwd rootok;
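Review bot: the commit message lists authlogin among the bumped modules, but the diffstat and hunks only touch filesystem.te and cron.te; either the authlogin bump was left out of this commit or the message should drop it.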
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/kernel/
From: Jason Zaman @ 2021-01-11 1:27 UTC
To: gentoo-commits
commit: c0ba07217cbd68700912a61da9298aa029c371c7
Author: Daniel Burgener <dburgener <AT> linux <DOT> microsoft <DOT> com>
AuthorDate: Tue Dec 15 15:29:52 2020 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jan 10 21:52:17 2021 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c0ba0721
Use self keyword when an AV rule source type matches destination
This is reported in a new SELint check in the soon-to-be-released selint version 1.2.0.
Signed-off-by: Daniel Burgener <dburgener <AT> linux.microsoft.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/kernel/kernel.te | 2 +-
policy/modules/services/xserver.te | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 8a7c39df..9b847078 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -263,7 +263,7 @@ kernel_mounton_proc_dirs(kernel_t)
kernel_request_load_module(kernel_t)
# Allow unlabeled network traffic
-allow unlabeled_t unlabeled_t:packet { forward_in forward_out };
+allow unlabeled_t self:packet { forward_in forward_out };
corenet_in_generic_if(unlabeled_t)
corenet_in_generic_node(unlabeled_t)
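Review bot: replacing `unlabeled_t unlabeled_t` with `unlabeled_t self` is semantically identical here because the source is a plain type rather than an attribute (with an attribute source, `self` would mean each member type to itself, which is narrower), so this is a pure style change with no policy impact, as the message states.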
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index b380e583..e56dcac9 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -787,9 +787,9 @@ tunable_policy(`!xserver_object_manager',`
# should be xserver_unconfined(xserver_t),
# but typeattribute doesnt work in conditionals
- allow xserver_t xserver_t:x_server { getattr setattr record debug grab manage };
+ allow xserver_t self:x_server { getattr setattr record debug grab manage };
allow xserver_t { x_domain root_xdrawable_t }:x_drawable { create destroy read write blend getattr setattr list_child add_child remove_child list_property get_property set_property manage override show hide send receive };
- allow xserver_t xserver_t:x_screen { getattr setattr hide_cursor show_cursor saver_getattr saver_setattr saver_hide saver_show };
+ allow xserver_t self:x_screen { getattr setattr hide_cursor show_cursor saver_getattr saver_setattr saver_hide saver_show };
allow xserver_t x_domain:x_gc { create destroy getattr setattr use };
allow xserver_t { x_domain root_xcolormap_t }:x_colormap { create destroy read write getattr add_color remove_color install uninstall use };
allow xserver_t xproperty_type:x_property { create destroy read write append getattr setattr };
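Review bot: same no-op rewrite as in kernel.te and correct for a plain type source; since these lines are being touched, the `doesnt` typo in the context comment two lines above the first change could be fixed in the same hunk.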
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/kernel/
From: Jason Zaman @ 2024-09-22 0:03 UTC
To: gentoo-commits
commit: e4de0cbe3903bc46af112502d405815875b55750
Author: Kenton Groombridge <concord <AT> gentoo <DOT> org>
AuthorDate: Fri Aug 9 19:21:18 2024 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Sep 21 22:28:29 2024 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e4de0cbe
container: allow spc various rules for kubevirt
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/kernel/devices.if | 18 ++++++++++++++++++
policy/modules/services/container.te | 13 +++++++++++--
2 files changed, 29 insertions(+), 2 deletions(-)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 6bea5ccf9..085bd30f0 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -5465,6 +5465,24 @@ interface(`dev_relabelfrom_vfio_dev',`
relabelfrom_chr_files_pattern($1, device_t, vfio_device_t)
')
+############################
+## <summary>
+## Get the attributes of the vhost devices.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_getattr_vhost_dev',`
+ gen_require(`
+ type device_t, vhost_device_t;
+ ')
+
+ getattr_chr_files_pattern($1, device_t, vhost_device_t)
+')
+
############################
## <summary>
## Allow read/write the vhost devices
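Review bot: `dev_getattr_vhost_dev` follows the `getattr_chr_files_pattern` idiom and its doc block matches the `dev_relabelfrom_vfio_dev` template above it, so nothing blocks it; the summary could state which device nodes carry vhost_device_t so callers know what they are granting getattr on.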
diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te
index cc700c038..2353092e4 100644
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@@ -978,7 +978,7 @@ allow spc_t self:process { getcap setrlimit };
# Normally triggered when rook-ceph executes lvm tools which creates noise.
# This can be allowed if actually needed.
dontaudit spc_t self:process setfscreate;
-allow spc_t self:capability { audit_write chown dac_read_search fowner fsetid ipc_lock mknod net_admin net_raw setpcap sys_admin sys_chroot sys_nice sys_ptrace sys_rawio sys_resource };
+allow spc_t self:capability { audit_write chown dac_override dac_read_search fowner fsetid ipc_lock kill mknod net_admin net_raw setgid setuid setpcap sys_admin sys_chroot sys_nice sys_ptrace sys_rawio sys_resource };
allow spc_t self:capability2 { bpf perfmon };
allow spc_t self:bpf { map_create map_read map_write prog_load prog_run };
allow spc_t self:key manage_key_perms;
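Review bot: the capability line gains dac_override, kill, setgid and setuid with no per-capability comment, unlike the neighbouring rules that carry `# for rook-ceph` style annotations; dac_override in particular lets spc_t bypass every DAC file permission check, so a comment naming the kubevirt component that needs each of the four would let a later reviewer prune them when the need goes away.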
@@ -1004,14 +1004,19 @@ allow spc_t container_engine_tmpfs_t:chr_file rw_chr_file_perms;
allow spc_t container_engine_tmpfs_t:lnk_file read_lnk_file_perms;
# for rook-ceph
allow spc_t container_engine_tmpfs_t:blk_file rw_blk_file_perms;
+# for multus and kubevirt
+allow spc_t container_engine_tmpfs_t:chr_file { relabelfrom setattr };
# for kubernetes storage class providers
allow spc_t container_file_t:{ dir file } mounton;
allow spc_t container_file_t:dir_file_class_set relabel_blk_file_perms;
# for rook-ceph
allow spc_t container_file_t:blk_file manage_blk_file_perms;
+# for multus and kubevirt
+allow spc_t container_file_t:chr_file setattr;
+allow spc_t container_file_t:filesystem unmount;
-allow spc_t container_runtime_t:dir { manage_dir_perms mounton };
+allow spc_t container_runtime_t:dir { manage_dir_perms mounton watch };
allow spc_t container_runtime_t:file manage_file_perms;
allow spc_t container_runtime_t:sock_file manage_sock_file_perms;
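Review bot: `allow spc_t container_file_t:filesystem unmount` only has an effect if container_file_t is also used as a filesystem label (a mount with `context=` or equivalent), which the `# for multus and kubevirt` comment does not say; and `container_engine_tmpfs_t:chr_file relabelfrom` needs a matching `relabelto` on the destination type, which this hunk does not show, so confirm where that is granted or the relabel will still be denied.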
@@ -1034,6 +1039,10 @@ dev_filetrans(spc_t, container_device_t, blk_file)
dev_dontaudit_getattr_all_chr_files(spc_t)
dev_dontaudit_setattr_generic_symlinks(spc_t)
dev_dontaudit_relabelto_generic_blk_files(spc_t)
+# for multus and kubevirt
+dev_getattr_kvm_dev(spc_t)
+dev_getattr_vhost_dev(spc_t)
+dev_watch_dev_dirs(spc_t)
fs_read_nsfs_files(spc_t)
fs_mount_xattr_fs(spc_t)
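Review bot: `dev_getattr_kvm_dev` and `dev_watch_dev_dirs` are called here but only `dev_getattr_vhost_dev` is added to devices.if in this patch, so verify both already exist or the module will not build; also, `dev_dontaudit_getattr_all_chr_files(spc_t)` a few lines above already hides getattr denials on character devices, so the new getattr grants turn silent denials into allows, which is worth a comment so nobody later assumes the dontaudit covers the need.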
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/kernel/
From: Jason Zaman @ 2025-07-15 7:54 UTC
To: gentoo-commits
commit: 62a700f1b822f7637c5841ca119bf247c187d8aa
Author: Russell Coker <russell <AT> coker <DOT> com <DOT> au>
AuthorDate: Wed Jun 18 14:38:43 2025 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Jul 15 07:52:23 2025 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=62a700f1
networking (#937)
* misc small networking patches
Signed-off-by: Russell Coker <russell <AT> coker.com.au>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/kernel/corenetwork.te.in | 2 +-
policy/modules/services/avahi.te | 1 -
policy/modules/services/bind.te | 2 ++
policy/modules/services/networkmanager.te | 4 ++++
policy/modules/services/rpc.fc | 1 +
5 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index b1649ec3a..b083746ec 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -270,7 +270,7 @@ network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0, tcp,1161,s0)
network_port(socks) # no defined portcon
network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0)
-network_port(spamd, tcp,783,s0)
+network_port(spamd, tcp,783,s0, tcp,11333,s0)
network_port(speech, tcp,8036,s0)
network_port(squid, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp and htcp
network_port(ssdp, tcp,1900,s0, udp,1900,s0)
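Review bot: tcp/11333 is appended to the spamd port type without a comment, while the `network_port(squid, ...)` line just below annotates its extra ports; since spamd_port_t is named for spamassassin, a trailing comment naming the service that listens on 11333 would explain the addition, and confirm no other `network_port` in corenetwork.te.in already claims 11333, since duplicate portcon entries are rejected when the policy is built.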
diff --git a/policy/modules/services/avahi.te b/policy/modules/services/avahi.te
index da7473536..13f98ae81 100644
--- a/policy/modules/services/avahi.te
+++ b/policy/modules/services/avahi.te
@@ -118,4 +118,3 @@ optional_policy(`
optional_policy(`
unconfined_dbus_send(avahi_t)
')
-
diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te
index a3336c28c..ed4b53d0f 100644
--- a/policy/modules/services/bind.te
+++ b/policy/modules/services/bind.te
@@ -224,6 +224,8 @@ allow ndc_t self:capability2 block_suspend;
allow ndc_t self:process { getsched setsched signal_perms };
allow ndc_t self:fifo_file rw_fifo_file_perms;
allow ndc_t self:unix_stream_socket { accept listen };
+allow ndc_t self:anon_inode { create map read write };
+allow ndc_t self:io_uring sqpoll;
allow ndc_t dnssec_t:file read_file_perms;
allow ndc_t dnssec_t:lnk_file read_lnk_file_perms;
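Review bot: `allow ndc_t self:io_uring sqpoll` is broader than plain io_uring use: sqpoll corresponds to IORING_SETUP_SQPOLL, which starts a kernel-side polling thread, and it is only needed if rndc actually requests that mode; if the observed denial was just ring setup, the `anon_inode { create map read write }` line alone covers it, so confirm sqpoll appeared in the audit log before granting it.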
diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te
index 39d367140..ac20fafbc 100644
--- a/policy/modules/services/networkmanager.te
+++ b/policy/modules/services/networkmanager.te
@@ -71,6 +71,7 @@ allow NetworkManager_t wpa_cli_t:unix_dgram_socket sendto;
allow NetworkManager_t NetworkManager_etc_t:dir list_dir_perms;
allow NetworkManager_t NetworkManager_etc_t:file read_file_perms;
allow NetworkManager_t NetworkManager_etc_t:lnk_file read_lnk_file_perms;
+allow NetworkManager_t NetworkManager_etc_t:dir watch;
manage_dirs_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t)
manage_files_pattern(NetworkManager_t, NetworkManager_etc_rw_t, NetworkManager_etc_rw_t)
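Review bot: `NetworkManager_t NetworkManager_etc_t:dir watch` is added as a separate rule directly under the `dir list_dir_perms` line; folding it in as `{ list_dir_perms watch }` keeps one rule per type and class pair, the pattern the rest of this block follows.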
@@ -167,7 +168,9 @@ storage_getattr_fixed_disk_dev(NetworkManager_t)
init_read_utmp(NetworkManager_t)
init_dontaudit_write_utmp(NetworkManager_t)
init_domtrans_script(NetworkManager_t)
+init_get_generic_units_status(NetworkManager_t)
init_get_system_status(NetworkManager_t)
+init_search_units(NetworkManager_t)
auth_use_nsswitch(NetworkManager_t)
@@ -351,6 +354,7 @@ optional_policy(`
systemd_watch_logind_runtime_dirs(NetworkManager_t)
systemd_read_logind_sessions_files(NetworkManager_t)
systemd_watch_logind_sessions_dirs(NetworkManager_t)
+ systemd_read_networkd_runtime(NetworkManager_t)
systemd_read_machines(NetworkManager_t)
systemd_watch_machines_dirs(NetworkManager_t)
systemd_write_inherited_logind_inhibit_pipes(NetworkManager_t)
diff --git a/policy/modules/services/rpc.fc b/policy/modules/services/rpc.fc
index 3b6d1c930..fb579bc9d 100644
--- a/policy/modules/services/rpc.fc
+++ b/policy/modules/services/rpc.fc
@@ -20,6 +20,7 @@
/usr/lib/systemd/system/rpc.*\.service -- gen_context(system_u:object_r:rpcd_unit_t,s0)
/usr/sbin/blkmapd -- gen_context(system_u:object_r:blkmapd_exec_t,s0)
+/usr/sbin/fsidd -- gen_context(system_u:object_r:nfsd_exec_t,s0)
/usr/sbin/nfsdcld -- gen_context(system_u:object_r:rpcd_exec_t,s0)
/usr/sbin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0)
/usr/sbin/rpc\.idmapd -- gen_context(system_u:object_r:rpcd_exec_t,s0)
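Review bot: `/usr/sbin/fsidd` is labelled nfsd_exec_t while every neighbouring nfs-utils helper (nfsdcld, rpc.*) uses rpcd_exec_t; if fsidd is meant to run in the nfsd domain, presumably reusing the existing init transition for nfsd_exec_t, that is fine, but the choice departs from the pattern in this file and deserves a word in the commit message.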
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/kernel/
From: Jason Zaman @ 2025-07-15 8:05 UTC
To: gentoo-commits
commit: e70e68eda848ba5c9cf3f49edd54d68be6fecdb7
Author: Marc Schiffbauer <mschiff <AT> gentoo <DOT> org>
AuthorDate: Tue Jun 24 16:02:45 2025 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Jul 15 08:04:54 2025 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e70e68ed
container: add new container_init_t local policy
This commit adds support for a new container_init_t type
of container which is being used by incus to run containers
using LXC that will run an init system inside the container.
Signed-off-by: Marc Schiffbauer <mschiff <AT> gentoo.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/kernel/filesystem.if | 2 +-
policy/modules/services/container.te | 108 +++++++++++++++++++++++++++++++++++
2 files changed, 109 insertions(+), 1 deletion(-)
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 421fb9f26..1ac35c855 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -5466,7 +5466,7 @@ interface(`fs_setattr_ramfs_dirs',`
## </summary>
## </param>
#
-interface(`fs_list_ramfs_dirs',`
+interface(`fs_list_ramfs',`
gen_require(`
type ramfs_t;
')
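Review bot: renaming the public interface `fs_list_ramfs_dirs` to `fs_list_ramfs` silently breaks any out-of-tree policy that calls the old name, and the commit message does not mention the rename; either keep `fs_list_ramfs_dirs` as a deprecated alias or state in the message that no caller existed. The sibling `fs_setattr_ramfs_dirs` visible in the hunk header keeps the `_dirs` suffix, so the two names are now inconsistent.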
diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te
index de9a96d3b..a277068a6 100644
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@@ -192,10 +192,19 @@ roleattribute system_r container_roles;
container_domain_template(container)
typealias container_t alias svirt_lxc_net_t;
typeattribute container_t container_system_domain, container_user_domain, container_net_domain;
+optional_policy(`
+ incus_container(container_t)
+')
optional_policy(`
kubernetes_container(container_t)
')
+container_domain_template(container_init)
+typeattribute container_init_t container_system_domain, container_user_domain, container_net_domain;
+optional_policy(`
+ incus_container(container_init_t)
+')
+
container_engine_domain_template(container_engine)
typeattribute container_engine_t container_engine_system_domain;
type container_engine_exec_t, container_engine_exec_type;
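Review bot: `incus_container()` is called inside `optional_policy` blocks but is not defined anywhere in this patch, so the build relies on an incus module already providing that interface; the commit message should name it. The new `container_init_t` receives the same three attributes as `container_t` (container_system_domain, container_user_domain, container_net_domain), so everything granted to those attributes applies to it before the local policy further down adds more.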
@@ -215,6 +224,9 @@ optional_policy(`
type spc_t, container_domain, container_net_domain, container_system_domain, privileged_container_domain;
domain_type(spc_t)
role system_r types spc_t;
+optional_policy(`
+ incus_container(spc_t)
+')
optional_policy(`
kubernetes_container(spc_t)
')
@@ -628,6 +640,102 @@ optional_policy(`
rpm_read_db(container_t)
')
+########################################
+#
+# Init container local policy
+#
+# Containers with additional permissions
+# required to run an init system
+
+allow container_init_t self:process { getcap setrlimit };
+allow container_init_t self:bpf prog_load;
+allow container_init_t self:netlink_netfilter_socket create_socket_perms;
+allow container_init_t self:netlink_generic_socket create_socket_perms;
+allow container_init_t self:unix_dgram_socket lock;
+
+allow container_init_t container_devpts_t:chr_file { setattr watch watch_reads };
+allow container_init_t container_engine_tmpfs_t:dir { mounton write };
+allow container_init_t container_file_t:dir mounton;
+allow container_init_t container_file_t:file mounton;
+allow container_init_t container_file_t:filesystem unmount;
+allow container_init_t container_tmpfs_t:dir mounton;
+allow container_init_t container_tmpfs_t:file mounton;
+allow container_init_t container_tmpfs_t:sock_file watch;
+
+container_create_tmpfs_chr_files(container_init_t)
+container_delete_tmpfs_chr_files(container_init_t)
+container_getattr_fs(container_init_t)
+container_lock_container_ptys(container_init_t)
+container_remount_fs(container_init_t)
+container_watch_tmpfs_dirs(container_init_t)
+container_watch_tmpfs_files(container_init_t)
+
+auth_use_nsswitch(container_init_t)
+
+corenet_rw_tun_tap_dev(container_init_t)
+
+dev_getattr_mtrr_dev(container_init_t)
+dev_mounton_sysfs_dirs(container_init_t)
+dev_read_rand(container_init_t)
+dev_read_sysfs(container_init_t)
+dev_read_urand(container_init_t)
+dev_remount_fs(container_init_t)
+dev_remount_sysfs(container_init_t)
+dev_unmount_fs(container_init_t)
+dev_write_sysfs(container_init_t)
+
+files_read_kernel_modules(container_init_t)
+
+fs_manage_cgroup_dirs(container_init_t)
+fs_manage_cgroup_files(container_init_t)
+fs_create_tracefs_dirs(container_init_t)
+fs_dontaudit_remount_configfs(container_init_t)
+fs_dontaudit_remount_efivarfs(container_init_t)
+fs_dontaudit_remount_pstorefs(container_init_t)
+fs_dontaudit_remount_tracefs(container_init_t)
+fs_mount_cgroup(container_init_t)
+fs_mount_ramfs(container_init_t)
+fs_mount_tmpfs(container_init_t)
+fs_read_nsfs_files(container_init_t)
+fs_list_ramfs(container_init_t)
+fs_remount_cgroup(container_init_t)
+fs_remount_fusefs(container_init_t)
+fs_remount_tmpfs(container_init_t)
+fs_remount_xattr_fs(container_init_t)
+fs_rw_cgroup_files(container_init_t)
+fs_setattr_ramfs_dirs(container_init_t)
+fs_unmount_ramfs(container_init_t)
+fs_unmount_tmpfs(container_init_t)
+fs_unmount_xattr_fs(container_init_t)
+fs_watch_cgroup_files(container_init_t)
+
+kernel_dontaudit_remount_debugfs(container_init_t)
+kernel_dontaudit_request_load_module(container_init_t)
+kernel_get_sysvipc_info(container_init_t)
+kernel_mounton_kernel_sysctl_files(container_init_t)
+kernel_mounton_message_if(container_init_t)
+kernel_read_fs_sysctls(container_init_t)
+kernel_read_irq_sysctls(container_init_t)
+kernel_read_network_state(container_init_t)
+kernel_read_psi(container_init_t)
+kernel_read_vm_overcommit_sysctl(container_init_t)
+kernel_remount_proc(container_init_t)
+kernel_rw_unix_sysctls(container_domain)
+
+logging_send_audit_msgs(container_init_t)
+
+selinux_remount_fs(container_init_t)
+
+storage_getattr_fixed_disk_dev(container_init_t)
+storage_getattr_fuse_dev(container_init_t)
+storage_rw_fuse(container_init_t)
+
+term_dontaudit_remount_devpts(container_init_t)
+term_unmount_devpts(container_init_t)
+term_use_generic_ptys(container_init_t)
+
+userdom_use_user_ptys(container_init_t)
+
########################################
#
# Common container engine local policy
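Review bot: `kernel_rw_unix_sysctls(container_domain)`, on the line after `kernel_remount_proc(container_init_t)`, is almost certainly a typo: every other call in this block targets `container_init_t`, and passing the `container_domain` attribute grants read and write of the unix sysctls to every container domain, not just init containers; change it to `container_init_t`. Separately, `dev_write_sysfs`, `fs_manage_cgroup_dirs`/`fs_manage_cgroup_files` and `files_read_kernel_modules` are broad for a container, so a comment per group saying which init-system operation needs them would help future trimming.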