[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Jason Zaman]

commit:     21ac5d4937112c4cca29d52c36c91b240c2abb5f
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Tue Jan 26 23:08:54 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb  1 01:21:42 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=21ac5d49

sudo: add tunable for HTTP connections

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/admin/sudo.te | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te
index 2cebeef7..2ac111d6 100644
--- a/policy/modules/admin/sudo.te
+++ b/policy/modules/admin/sudo.te
@@ -1,5 +1,16 @@
 policy_module(sudo, 1.15.0)
 
+## <desc>
+##	<p>
+##	Determine whether all sudo domains
+##	can connect to TCP HTTP ports. This
+##	is needed if an additional authentication
+##	mechanism via an HTTP server is
+##	required for users to use sudo.
+##	</p>
+## </desc>
+gen_tunable(sudo_all_tcp_connect_http_port, false)
+
 ########################################
 #
 # Declarations
@@ -7,3 +18,7 @@ attribute sudodomain;
 
 type sudo_exec_t;
 application_executable_file(sudo_exec_t)
+
+tunable_policy(`sudo_all_tcp_connect_http_port',`
+	corenet_tcp_connect_http_port(sudodomain)
+')

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Kenton Groombridge]

commit:     ef89017d69182a71eb3cd46369ba5bb079f6f165
Author:     Grzegorz Filo <gf578 <AT> wp <DOT> pl>
AuthorDate: Thu Apr  4 18:09:08 2024 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Tue May 14 17:43:11 2024 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ef89017d

remove unnecessary code

Signed-off-by: Grzegorz Filo <gf578 <AT> wp.pl>
Closes: https://github.com/gentoo/hardened-refpolicy/pull/2
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/admin/bootloader.te | 5 -----
 policy/modules/admin/portage.te    | 1 -
 2 files changed, 6 deletions(-)

diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
index 81748a5f3..5a7e1cd4d 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -263,8 +263,3 @@ optional_policy(`
 optional_policy(`
 	rpm_rw_pipes(bootloader_t)
 ')
-
-ifdef(`distro_gentoo',`
-	# Fix bug #537652 - grub2-mkconfig has search rights needed on current dir (usually user home dir)
-	userdom_search_user_home_dirs(bootloader_t)
-')

diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
index 2cd5d0482..c42552651 100644
--- a/policy/modules/admin/portage.te
+++ b/policy/modules/admin/portage.te
@@ -173,7 +173,6 @@ allow portage_t self:process { setfscreate };
 # - kill for mysql merging, at least
 allow portage_t self:capability { kill setfcap sys_nice };
 allow portage_t self:netlink_route_socket create_netlink_socket_perms;
-dontaudit portage_t self:capability { dac_read_search };
 
 # user post-sync scripts
 can_exec(portage_t, portage_conf_t)

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Kenton Groombridge]

commit:     1c5e100deea50d51456ec8b55b3a84c11ef84e96
Author:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
AuthorDate: Mon Feb 13 15:31:52 2023 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Mon Feb 13 15:34:51 2023 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1c5e100d

portage: cleanup duplicated file contexts

Some file contexts were upstreamed from Gentoo's policy. Remove these
now duplicated lines.

Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/admin/portage.fc | 9 ---------
 1 file changed, 9 deletions(-)

diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc
index 4fc9c880a..a042aff8b 100644
--- a/policy/modules/admin/portage.fc
+++ b/policy/modules/admin/portage.fc
@@ -46,12 +46,3 @@
 /var/tmp/emerge-webrsync(/.*)?	gen_context(system_u:object_r:portage_tmp_t,s0)
 /var/tmp/portage(/.*)?	gen_context(system_u:object_r:portage_tmp_t,s0)
 /var/tmp/portage-pkg(/.*)?	gen_context(system_u:object_r:portage_tmp_t,s0)
-
-ifdef(`distro_gentoo',`
-/usr/bin/emerge-webrsync				--	gen_context(system_u:object_r:portage_fetch_exec_t,s0)
-/usr/lib/python-exec/python[0-9]\.[0-9]*/glsa-check	--	gen_context(system_u:object_r:portage_exec_t,s0)
-/usr/lib/python-exec/python[0-9]\.[0-9]*/layman	--	gen_context(system_u:object_r:portage_fetch_exec_t,s0)
-/usr/lib/python-exec/python[0-9]\.[0-9]*/emaint	--	gen_context(system_u:object_r:portage_exec_t,s0)
-/usr/lib/python-exec/python[0-9]\.[0-9]*/emerge	--	gen_context(system_u:object_r:portage_exec_t,s0)
-/var/log/sandbox(/.*)?					gen_context(system_u:object_r:portage_log_t,s0)
-')

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Kenton Groombridge]

commit:     ebc351672097ac1ab08d576432cde74ee54b8b46
Author:     Corentin LABBE <clabbe.montjoie <AT> gmail <DOT> com>
AuthorDate: Tue Jan 17 06:25:35 2023 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Mon Feb 13 15:24:00 2023 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ebc35167

portage: add missing go/hg context in new distfiles location

go/hg source files context are added in old portage distfiles location,
but are missing in new one.

Signed-off-by: Corentin LABBE <clabbe.montjoie <AT> gmail.com>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/admin/portage.fc | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc
index 620ade57a..4fc9c880a 100644
--- a/policy/modules/admin/portage.fc
+++ b/policy/modules/admin/portage.fc
@@ -31,6 +31,8 @@
 /var/cache/distfiles/cvs-src(/.*)?	gen_context(system_u:object_r:portage_srcrepo_t,s0)
 /var/cache/distfiles/egit-src(/.*)?	gen_context(system_u:object_r:portage_srcrepo_t,s0)
 /var/cache/distfiles/git[0-9]-src(/.*)?	gen_context(system_u:object_r:portage_srcrepo_t,s0)
+/var/cache/distfiles/go-src(/.*)?	gen_context(system_u:object_r:portage_srcrepo_t,s0)
+/var/cache/distfiles/hg-src(/.*)?	gen_context(system_u:object_r:portage_srcrepo_t,s0)
 /var/cache/distfiles/svn-src(/.*)?	gen_context(system_u:object_r:portage_srcrepo_t,s0)
 /var/cache/edb(/.*)?	gen_context(system_u:object_r:portage_cache_t,s0)
 /var/cache/eix(/.*)?	gen_context(system_u:object_r:portage_cache_t,s0)

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Kenton Groombridge]

commit:     2cec96ddfb5cdb3f78f9a380ab06fa8fdc0478d2
Author:     Corentin LABBE <clabbe.montjoie <AT> gmail <DOT> com>
AuthorDate: Mon Jan  9 08:33:10 2023 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Mon Feb 13 15:19:58 2023 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2cec96dd

usermanage: permit groupadd to read kernel sysctl

When using groupadd, I got some AVC due to groupadd reading /proc/sys/kernel/cap_last_cap

Signed-off-by: Corentin LABBE <clabbe.montjoie <AT> gmail.com>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/admin/usermanage.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index b5d443dd4..fd2da2ffc 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -227,6 +227,8 @@ files_relabel_etc_files(groupadd_t)
 files_read_etc_runtime_files(groupadd_t)
 files_read_usr_symlinks(groupadd_t)
 
+kernel_read_kernel_sysctls(groupadd_t)
+
 # Execute /usr/bin/{passwd, chfn, chsh} and /usr/sbin/{useradd, vipw}.
 corecmd_exec_bin(groupadd_t)
 

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Kenton Groombridge]

commit:     b541f2c178bdcafd132f99124f7e4e7fb18524c7
Author:     Corentin LABBE <clabbe.montjoie <AT> gmail <DOT> com>
AuthorDate: Tue Jan 10 09:00:41 2023 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Mon Feb 13 15:22:54 2023 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b541f2c1

portage: Remove old binary location

/usr/lib/portage/bin is not used anymore

Signed-off-by: Corentin LABBE <clabbe.montjoie <AT> gmail.com>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/admin/portage.fc | 7 -------
 1 file changed, 7 deletions(-)

diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc
index 6911cb48c..7cf6e7855 100644
--- a/policy/modules/admin/portage.fc
+++ b/policy/modules/admin/portage.fc
@@ -10,13 +10,6 @@
 /usr/bin/layman	--	gen_context(system_u:object_r:portage_fetch_exec_t,s0)
 /usr/bin/sandbox	--	gen_context(system_u:object_r:portage_exec_t,s0)
 
-/usr/lib/portage/bin/emerge	--	gen_context(system_u:object_r:portage_exec_t,s0)
-/usr/lib/portage/bin/emerge-webrsync	--	gen_context(system_u:object_r:portage_fetch_exec_t,s0)
-/usr/lib/portage/bin/quickpkg	--	gen_context(system_u:object_r:portage_exec_t,s0)
-/usr/lib/portage/bin/regenworld	--	gen_context(system_u:object_r:portage_exec_t,s0)
-/usr/lib/portage/bin/sandbox	--	gen_context(system_u:object_r:portage_exec_t,s0)
-
-
 /usr/portage(/.*)?	gen_context(system_u:object_r:portage_ebuild_t,s0)
 /usr/portage/distfiles/cvs-src(/.*)?	gen_context(system_u:object_r:portage_srcrepo_t,s0)
 /usr/portage/distfiles/egit-src(/.*)?	gen_context(system_u:object_r:portage_srcrepo_t,s0)

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Kenton Groombridge]

commit:     a54fe39b3f5462bb0bbb22cfe883c8d38dfe9168
Author:     Corentin LABBE <clabbe.montjoie <AT> gmail <DOT> com>
AuthorDate: Tue Jan 10 09:11:56 2023 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Mon Feb 13 15:23:57 2023 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a54fe39b

portage: add new location for portage commands

There are missing lot of portage commands location, add them following the gentoo SELinux repo.

Signed-off-by: Corentin LABBE <clabbe.montjoie <AT> gmail.com>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/admin/portage.fc | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc
index 7cf6e7855..620ade57a 100644
--- a/policy/modules/admin/portage.fc
+++ b/policy/modules/admin/portage.fc
@@ -5,11 +5,17 @@
 /etc/portage/gpg(/.*)?	gen_context(system_u:object_r:portage_gpg_t,s0)
 
 /usr/bin/emerge --	gen_context(system_u:object_r:portage_exec_t,s0)
+/usr/bin/emerge-webrsync				--	gen_context(system_u:object_r:portage_fetch_exec_t,s0)
 /usr/bin/gcc-config	--	gen_context(system_u:object_r:gcc_config_exec_t,s0)
 /usr/bin/glsa-check	--	gen_context(system_u:object_r:portage_exec_t,s0)
 /usr/bin/layman	--	gen_context(system_u:object_r:portage_fetch_exec_t,s0)
 /usr/bin/sandbox	--	gen_context(system_u:object_r:portage_exec_t,s0)
 
+/usr/lib/python-exec/python[0-9]\.[0-9]*/glsa-check	--	gen_context(system_u:object_r:portage_exec_t,s0)
+/usr/lib/python-exec/python[0-9]\.[0-9]*/layman	--	gen_context(system_u:object_r:portage_fetch_exec_t,s0)
+/usr/lib/python-exec/python[0-9]\.[0-9]*/emaint	--	gen_context(system_u:object_r:portage_exec_t,s0)
+/usr/lib/python-exec/python[0-9]\.[0-9]*/emerge	--	gen_context(system_u:object_r:portage_exec_t,s0)
+
 /usr/portage(/.*)?	gen_context(system_u:object_r:portage_ebuild_t,s0)
 /usr/portage/distfiles/cvs-src(/.*)?	gen_context(system_u:object_r:portage_srcrepo_t,s0)
 /usr/portage/distfiles/egit-src(/.*)?	gen_context(system_u:object_r:portage_srcrepo_t,s0)
@@ -31,6 +37,7 @@
 /var/log/emerge\.log.*	--	gen_context(system_u:object_r:portage_log_t,s0)
 /var/log/emerge-fetch\.log	--	gen_context(system_u:object_r:portage_log_t,s0)
 /var/log/portage(/.*)?	gen_context(system_u:object_r:portage_log_t,s0)
+/var/log/sandbox(/.*)?	gen_context(system_u:object_r:portage_log_t,s0)
 /var/lib/layman(/.*)?	gen_context(system_u:object_r:portage_ebuild_t,s0)
 /var/lib/portage(/.*)?	gen_context(system_u:object_r:portage_cache_t,s0)
 /var/tmp/binpkgs(/.*)?	gen_context(system_u:object_r:portage_tmp_t,s0)

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Kenton Groombridge]

commit:     c13b9d0ad5d447db396972111c4534dbdb00e3d9
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Wed Dec  7 14:49:14 2022 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Tue Dec 13 19:07:31 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c13b9d0a

netutils: minor fixes for nmap and traceroute

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/admin/netutils.te | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index 3f85d1a57..85c9a33d5 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -40,6 +40,8 @@ init_system_domain(traceroute_t, traceroute_exec_t)
 allow netutils_t self:capability { dac_read_search net_admin net_raw setgid setpcap setuid sys_chroot };
 dontaudit netutils_t self:capability { dac_override sys_tty_config };
 allow netutils_t self:process { getcap setcap signal_perms };
+# netlink_generic_socket for nmap.
+allow netutils_t self:netlink_generic_socket create_socket_perms;
 allow netutils_t self:netlink_route_socket create_netlink_socket_perms;
 allow netutils_t self:netlink_socket create_socket_perms;
 # For tcpdump.
@@ -73,6 +75,8 @@ fs_getattr_xattr_fs(netutils_t)
 
 domain_use_interactive_fds(netutils_t)
 
+kernel_dontaudit_getattr_proc(netutils_t)
+
 files_read_etc_files(netutils_t)
 # for nscd
 files_dontaudit_search_var(netutils_t)
@@ -177,6 +181,7 @@ userdom_use_inherited_user_terminals(ss_t)
 allow traceroute_t self:capability { net_admin net_raw setgid setuid };
 allow traceroute_t self:fifo_file rw_inherited_fifo_file_perms;
 allow traceroute_t self:process signal;
+allow traceroute_t self:netlink_generic_socket create_socket_perms;
 allow traceroute_t self:rawip_socket create_socket_perms;
 allow traceroute_t self:packet_socket { map create_socket_perms };
 allow traceroute_t self:udp_socket create_socket_perms;

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Kenton Groombridge]

commit:     bd1a6b7906f6d0d7df6af70e91d8eb11a6fc8c7b
Author:     Dave Sugar <dsugar100 <AT> gmail <DOT> com>
AuthorDate: Mon Oct  3 20:54:41 2022 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Wed Nov  2 14:07:25 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=bd1a6b79

fapolicyd: fagenrules chgrp's the compiled.rules

node=localhost type=AVC msg=audit(1664829990.107:8051): avc:  denied  { chown } for  pid=3709 comm="chgrp" capability=0 scontext=toor_u:sysadm_r:fagenrules_t:s0 tcontext=sysadm_u:sysadm_r:fagenrules_t:s0 tclass=capability permissive=0

Signed-off-by: Dave Sugar <dsugar100 <AT> gmail.com>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/admin/fapolicyd.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/admin/fapolicyd.te b/policy/modules/admin/fapolicyd.te
index 9effdb04a..2e716c1aa 100644
--- a/policy/modules/admin/fapolicyd.te
+++ b/policy/modules/admin/fapolicyd.te
@@ -93,7 +93,7 @@ optional_policy(`
 # fagenrules local policy
 #
 
-allow fagenrules_t self:capability { fsetid kill };
+allow fagenrules_t self:capability { chown fsetid kill };
 allow fagenrules_t self:fifo_file rw_inherited_fifo_file_perms;
 
 

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Kenton Groombridge]

commit:     c735ad15b5bc4ebb73d3995c1c43a59d36fbd0d4
Author:     Dave Sugar <dsugar100 <AT> gmail <DOT> com>
AuthorDate: Mon Oct  3 11:54:03 2022 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Wed Nov  2 14:07:23 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c735ad15

fix: issue #550 - compile failed when DIRECT_INITRC=y

Signed-off-by: Dave Sugar <dsugar100 <AT> gmail.com>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/admin/fapolicyd.if | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/policy/modules/admin/fapolicyd.if b/policy/modules/admin/fapolicyd.if
index aaa4c14eb..4ae2590ac 100644
--- a/policy/modules/admin/fapolicyd.if
+++ b/policy/modules/admin/fapolicyd.if
@@ -152,6 +152,8 @@ interface(`fapolicyd_admin',`
 	files_search_runtime($1)
 	admin_pattern($1, fapolicyd_runtime_t)
 
-	fapolicyd_run_fagenrules($1, $2)
+	ifndef(`direct_sysadm_daemon',`
+		fapolicyd_run_fagenrules($1, $2)
+	')
 	fapolicyd_run_cli($1, $2)
 ')

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Kenton Groombridge]

commit:     922e518a0609288260db0a8207b9e3a81dbff89f
Author:     Chris PeBenito <chpebeni <AT> linux <DOT> microsoft <DOT> com>
AuthorDate: Tue Sep 20 13:52:11 2022 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Wed Nov  2 14:06:52 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=922e518a

fapolicyd: Fix selint issue.

Signed-off-by: Chris PeBenito <chpebeni <AT> linux.microsoft.com>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/admin/fapolicyd.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/admin/fapolicyd.te b/policy/modules/admin/fapolicyd.te
index 35e475340..9effdb04a 100644
--- a/policy/modules/admin/fapolicyd.te
+++ b/policy/modules/admin/fapolicyd.te
@@ -103,7 +103,7 @@ ps_process_pattern(fagenrules_t, fapolicyd_t)
 
 # /sbin/fagenrules copies compiled rules into /etc/faplicyd then calls restorecon
 # on new /etc/fapolicy/compiled.rules
-allow fagenrules_t fapolicyd_compiled_rules_t:file { relabelfrom relabelto };
+allow fagenrules_t fapolicyd_compiled_rules_t:file relabel_file_perms;
 filetrans_pattern(fagenrules_t, fapolicyd_config_t, fapolicyd_compiled_rules_t, file)
 manage_files_pattern(fagenrules_t, fapolicyd_config_t, fapolicyd_compiled_rules_t)
 

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Kenton Groombridge]

commit:     7d41f1b7b4f4d675b62835be6d2416eb2368a1a1
Author:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
AuthorDate: Tue Apr 19 22:53:44 2022 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Sat Sep  3 20:04:23 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7d41f1b7

portage: allow portage to map ebuild files

When portage syncs a repo with git, git will mmap() ebuild files. Allow
portage to map ebuild files to fix permission denied errors on syncing.

Bug: https://bugs.gentoo.org/833017
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/admin/portage.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
index 86966705..e3a19574 100644
--- a/policy/modules/admin/portage.te
+++ b/policy/modules/admin/portage.te
@@ -200,6 +200,8 @@ domain_dontaudit_read_all_domains_state(portage_t)
 files_manage_all_files(portage_t)
 # eselect uses file, which mmap()s its db
 files_map_usr_files(portage_t)
+# portage executing git mmap()s ebuild files when syncing
+allow portage_t portage_ebuild_t:file map;
 
 selinux_get_fs_mount(portage_t)
 

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Jason Zaman]

commit:     7e3534c4597019c27f590644345ee64d3b45ceb0
Author:     Dave Sugar <dsugar100 <AT> gmail <DOT> com>
AuthorDate: Thu Aug 25 01:56:56 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Sep  3 19:07:50 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7e3534c4

usbguard: Allow to read fips_enabled sysctl

node=localhost type=AVC msg=audit(1661391275.238:339): avc:  denied  { search } for  pid=1031 comm="usbguard-daemon" name="crypto" dev="proc" ino=20463 scontext=system_u:system_r:usbguard_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1661391275.238:339): avc:  denied  { read } for  pid=1031 comm="usbguard-daemon" name="fips_enabled" dev="proc" ino=20464 scontext=system_u:system_r:usbguard_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1661391275.238:339): avc:  denied  { open } for  pid=1031 comm="usbguard-daemon" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=20464 scontext=system_u:system_r:usbguard_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1661391275.238:340): avc:  denied  { getattr } for  pid=1031 comm="usbguard-daemon" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=20464 scontext=system_u:system_r:usbguard_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar100 <AT> gmail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/admin/usbguard.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/admin/usbguard.te b/policy/modules/admin/usbguard.te
index 26d9028b..4e8be854 100644
--- a/policy/modules/admin/usbguard.te
+++ b/policy/modules/admin/usbguard.te
@@ -65,6 +65,7 @@ setattr_files_pattern(usbguard_t, usbguard_log_t, usbguard_log_t)
 
 dev_rw_sysfs(usbguard_t)
 
+kernel_read_crypto_sysctls(usbguard_t)
 kernel_read_kernel_sysctls(usbguard_t)
 kernel_dontaudit_getattr_proc(usbguard_t)
 

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Jason Zaman]

commit:     1308dbe2fce172abaee054dbeaa489cb0ca60a94
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Wed Nov 10 17:14:46 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Mar 31 02:40:53 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1308dbe2

sudo: fixes for polyinstantiation

PAM can be configured to allow sudo to unmount/remount private tmp
directories when invoked. Allow this access if enabled.

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/admin/sudo.if | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
index d4249ec0..fb2c8333 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -145,6 +145,12 @@ template(`sudo_role_template',`
 	userdom_dontaudit_search_user_home_content($1_sudo_t)
 	userdom_dontaudit_search_user_home_dirs($1_sudo_t)
 
+	tunable_policy(`allow_polyinstantiation',`
+		allow $1_sudo_t self:capability sys_admin;
+		fs_mount_xattr_fs($1_sudo_t)
+		fs_unmount_xattr_fs($1_sudo_t)
+	')
+
 	tunable_policy(`sudo_allow_user_exec_domains',`
 		allow $1_sudo_t $3:key search;
 

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Jason Zaman]

commit:     4b1f697b6a9ee59734e0cdf1067cc6d57a3b0799
Author:     Russell Coker <russell <AT> coker <DOT> com <DOT> au>
AuthorDate: Thu Feb 17 14:45:38 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Feb 27 02:13:17 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4b1f697b

puppet V3

Removed the entrypoint stuff that was controversial, the rest should be fine.

I think it's ready to merge.

Signed-off-by: Russell Coker <russell <AT> coker.com.au>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/admin/puppet.fc | 1 +
 policy/modules/admin/puppet.te | 9 +++++++--
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/policy/modules/admin/puppet.fc b/policy/modules/admin/puppet.fc
index f45bdc6a..001f21fe 100644
--- a/policy/modules/admin/puppet.fc
+++ b/policy/modules/admin/puppet.fc
@@ -11,6 +11,7 @@
 /usr/sbin/puppetd	--	gen_context(system_u:object_r:puppet_exec_t,s0)
 /usr/sbin/puppetmasterd	--	gen_context(system_u:object_r:puppetmaster_exec_t,s0)
 
+/var/cache/puppet(/.*)?	gen_context(system_u:object_r:puppet_cache_t,s0)
 /var/lib/puppet(/.*)?	gen_context(system_u:object_r:puppet_var_lib_t,s0)
 
 /var/log/puppet(/.*)?	gen_context(system_u:object_r:puppet_log_t,s0)

diff --git a/policy/modules/admin/puppet.te b/policy/modules/admin/puppet.te
index 3d5a832b..7ef5ab83 100644
--- a/policy/modules/admin/puppet.te
+++ b/policy/modules/admin/puppet.te
@@ -36,6 +36,9 @@ init_daemon_runtime_file(puppet_runtime_t, dir, "puppet")
 type puppet_tmp_t;
 files_tmp_file(puppet_tmp_t)
 
+type puppet_cache_t;
+files_type(puppet_cache_t)
+
 type puppet_var_lib_t;
 files_type(puppet_var_lib_t)
 
@@ -74,6 +77,9 @@ manage_dirs_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
 manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
 can_exec(puppet_t, puppet_var_lib_t)
 
+manage_dirs_pattern(puppet_t, puppet_cache_t, puppet_cache_t)
+manage_files_pattern(puppet_t, puppet_cache_t, puppet_cache_t)
+
 setattr_dirs_pattern(puppet_t, puppet_runtime_t, puppet_runtime_t)
 manage_files_pattern(puppet_t, puppet_runtime_t, puppet_runtime_t)
 files_runtime_filetrans(puppet_t, puppet_runtime_t, { file dir })
@@ -182,8 +188,6 @@ optional_policy(`
 ')
 
 optional_policy(`
-	files_rw_var_files(puppet_t)
-
 	rpm_domtrans(puppet_t)
 	rpm_manage_db(puppet_t)
 	rpm_manage_log(puppet_t)
@@ -267,6 +271,7 @@ allow puppetmaster_t puppet_etc_t:lnk_file read_lnk_file_perms;
 allow puppetmaster_t puppet_log_t:dir setattr_dir_perms;
 append_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
 create_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
+read_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
 setattr_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
 logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir })
 

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Jason Zaman]

commit:     300f017b1807980f57f1578f8ac1ffdf49a4285e
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Fri Feb 18 18:25:04 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Feb 27 02:13:17 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=300f017b

puppet: Style fixes.

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/admin/puppet.fc |  1 +
 policy/modules/admin/puppet.te | 14 +++++++-------
 2 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/policy/modules/admin/puppet.fc b/policy/modules/admin/puppet.fc
index 001f21fe..42f3b7b2 100644
--- a/policy/modules/admin/puppet.fc
+++ b/policy/modules/admin/puppet.fc
@@ -12,6 +12,7 @@
 /usr/sbin/puppetmasterd	--	gen_context(system_u:object_r:puppetmaster_exec_t,s0)
 
 /var/cache/puppet(/.*)?	gen_context(system_u:object_r:puppet_cache_t,s0)
+
 /var/lib/puppet(/.*)?	gen_context(system_u:object_r:puppet_var_lib_t,s0)
 
 /var/log/puppet(/.*)?	gen_context(system_u:object_r:puppet_log_t,s0)

diff --git a/policy/modules/admin/puppet.te b/policy/modules/admin/puppet.te
index 7ef5ab83..9e312a17 100644
--- a/policy/modules/admin/puppet.te
+++ b/policy/modules/admin/puppet.te
@@ -20,6 +20,9 @@ type puppet_t;
 type puppet_exec_t;
 init_daemon_domain(puppet_t, puppet_exec_t)
 
+type puppet_cache_t;
+files_type(puppet_cache_t)
+
 type puppet_etc_t;
 files_config_file(puppet_etc_t)
 
@@ -36,9 +39,6 @@ init_daemon_runtime_file(puppet_runtime_t, dir, "puppet")
 type puppet_tmp_t;
 files_tmp_file(puppet_tmp_t)
 
-type puppet_cache_t;
-files_type(puppet_cache_t)
-
 type puppet_var_lib_t;
 files_type(puppet_var_lib_t)
 
@@ -73,10 +73,6 @@ allow puppet_t puppet_etc_t:dir list_dir_perms;
 allow puppet_t puppet_etc_t:file read_file_perms;
 allow puppet_t puppet_etc_t:lnk_file read_lnk_file_perms;
 
-manage_dirs_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
-manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
-can_exec(puppet_t, puppet_var_lib_t)
-
 manage_dirs_pattern(puppet_t, puppet_cache_t, puppet_cache_t)
 manage_files_pattern(puppet_t, puppet_cache_t, puppet_cache_t)
 
@@ -84,6 +80,10 @@ setattr_dirs_pattern(puppet_t, puppet_runtime_t, puppet_runtime_t)
 manage_files_pattern(puppet_t, puppet_runtime_t, puppet_runtime_t)
 files_runtime_filetrans(puppet_t, puppet_runtime_t, { file dir })
 
+manage_dirs_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
+manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
+can_exec(puppet_t, puppet_var_lib_t)
+
 allow puppet_t puppet_log_t:dir { create_dir_perms setattr_dir_perms };
 append_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
 create_files_pattern(puppet_t, puppet_log_t, puppet_log_t)

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Jason Zaman]

commit:     943fe93787010a8bded9d75728cc3ab097ef3aeb
Author:     Jonathan Davies <jpds <AT> protonmail <DOT> com>
AuthorDate: Thu Jan 27 19:48:57 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Jan 31 17:55:20 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=943fe937

portage.te: Allow gcc_config_t to manage portage_tmp_t

Allows /etc/env.d/04gcc-x86_64-gentoo-linux-musl to be correctly generated.

Closes: https://github.com/perfinion/hardened-refpolicy/pull/26
Signed-off-by: Jonathan Davies <jpds <AT> protonmail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/admin/portage.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
index cd66e6e7..9abbdc37 100644
--- a/policy/modules/admin/portage.te
+++ b/policy/modules/admin/portage.te
@@ -435,6 +435,9 @@ gen_tunable(portage_enable_test, false)
 	can_exec(gcc_config_t, gcc_config_tmp_t) # libffi support
 	files_tmp_filetrans(gcc_config_t, gcc_config_tmp_t, file)
 
+	allow gcc_config_t portage_tmp_t:dir manage_dir_perms;
+	allow gcc_config_t portage_tmp_t:file manage_file_perms;
+
 	files_manage_etc_runtime_files(gcc_config_t)
 	files_manage_etc_runtime_lnk_files(gcc_config_t)
 

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Jason Zaman]

commit:     545b803c06726d7b5f28a244b7ae4f9a92a353ef
Author:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
AuthorDate: Mon Jan 31 19:25:33 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Jan 31 19:25:33 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=545b803c

puppet: Update gentoo-specific tunable to fix selint error

Can use files_relabel_all_non_security_file_types instead of the
gen_require hack

Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/admin/puppet.te | 24 ++----------------------
 1 file changed, 2 insertions(+), 22 deletions(-)

diff --git a/policy/modules/admin/puppet.te b/policy/modules/admin/puppet.te
index 8e7c20c3..3d5a832b 100644
--- a/policy/modules/admin/puppet.te
+++ b/policy/modules/admin/puppet.te
@@ -370,28 +370,8 @@ ifdef(`distro_gentoo',`
 	usermanage_domtrans_passwd(puppet_t)
 
 	tunable_policy(`puppet_manage_all_files',`
-		# We should use files_relabel_all_files here, but it calls
-		# seutil_relabelto_bin_policy which sets a "typeattribute type attr",
-		# which is not allowed within a tunable_policy.
-		# So, we duplicate the content of files_relabel_all_files except for
-		# the policy configuration stuff and hope users do that through Portage
-		
-		gen_require(` #selint-disable:S-001
-			attribute file_type;
-			attribute security_file_type;
-			type policy_config_t;
-		')
-	
-		allow puppet_t { file_type -policy_config_t -security_file_type }:dir list_dir_perms;
-		relabel_dirs_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type })
-		relabel_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type })
-		relabel_lnk_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type })
-		relabel_fifo_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type })
-		relabel_sock_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type })
-		# this is only relabelfrom since there should be no
-		# device nodes with file types.
-		relabelfrom_blk_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type })
-		relabelfrom_chr_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type })
+		# Also allows relabelfrom blk and chr_files which are not in files_manage_non_auth_files
+		files_relabel_all_non_security_file_types(puppet_t)
 	')
 
 	optional_policy(`

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Jason Zaman]

commit:     192f62919b5866ad4de5558b7a69f03f81ed4ad3
Author:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
AuthorDate: Sun Nov 21 23:12:40 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Nov 21 23:14:49 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=192f6291

portage: Allow sandbox to map /dev/zero

Bug: https://bugs.gentoo.org/738546
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/admin/portage.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
index 6cab80bd..1db76efe 100644
--- a/policy/modules/admin/portage.te
+++ b/policy/modules/admin/portage.te
@@ -511,6 +511,7 @@ gen_tunable(portage_enable_test, false)
 	dontaudit portage_sandbox_t self:capability sys_admin;
 
 	dev_getattr_xserver_misc_dev(portage_sandbox_t)
+	dev_rwx_zero(portage_sandbox_t)
 
 	kernel_read_vm_overcommit_sysctl(portage_sandbox_t)
 

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Jason Zaman]

commit:     1d839d4ab07f3bb2002f07cc397ef3e057472d23
Author:     Jonathan Davies <jpds <AT> protonmail <DOT> com>
AuthorDate: Sun Nov 21 09:41:18 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Nov 21 19:21:13 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1d839d4a

portage.te: Added corecmd_manage_bin_symlinks() for gcc_config_t.

Signed-off-by: Jonathan Davies <jpds <AT> protonmail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/admin/portage.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
index da0aecf0..9a6c6083 100644
--- a/policy/modules/admin/portage.te
+++ b/policy/modules/admin/portage.te
@@ -111,6 +111,7 @@ kernel_read_kernel_sysctls(gcc_config_t)
 corecmd_exec_shell(gcc_config_t)
 corecmd_exec_bin(gcc_config_t)
 corecmd_manage_bin_files(gcc_config_t)
+corecmd_manage_bin_symlinks(gcc_config_t)
 
 domain_use_interactive_fds(gcc_config_t)
 

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Jason Zaman]

commit:     9f82ed8fe322e0bfb84ec9991772faf1887d5f71
Author:     Jonathan Davies <jpds <AT> protonmail <DOT> com>
AuthorDate: Sun Nov 21 09:35:48 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Nov 21 19:25:43 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9f82ed8f

portage.te: Added libs_manage_lib_symlinks() for gcc_config_t.

Closes: https://github.com/perfinion/hardened-refpolicy/pull/20
Signed-off-by: Jonathan Davies <jpds <AT> protonmail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/admin/portage.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
index 9a6c6083..6cab80bd 100644
--- a/policy/modules/admin/portage.te
+++ b/policy/modules/admin/portage.te
@@ -132,6 +132,7 @@ libs_run_ldconfig(gcc_config_t, portage_roles)
 libs_manage_shared_libs(gcc_config_t)
 # gcc-config creates a temp dir for the libs
 libs_manage_lib_dirs(gcc_config_t)
+libs_manage_lib_symlinks(gcc_config_t)
 
 logging_send_syslog_msg(gcc_config_t)
 

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Jason Zaman]

commit:     5a876bd1d15b448dd0cf6fc86b0ce31dc730f8d0
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Sun Aug  8 21:35:23 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Nov 20 22:58:24 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5a876bd1

su: add tunable to control user exec domain access

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/admin/su.if | 40 ++++++++++++++++++++++++++++------------
 policy/modules/admin/su.te | 10 ++++++++++
 2 files changed, 38 insertions(+), 12 deletions(-)

diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
index 2d0143d6..62a6cf9d 100644
--- a/policy/modules/admin/su.if
+++ b/policy/modules/admin/su.if
@@ -156,8 +156,6 @@ template(`su_role_template',`
 	domain_interactive_fd($1_su_t)
 	role $4 types $1_su_t;
 
-	allow $2 $1_su_t:process signal;
-
 	allow $1_su_t self:capability { audit_control audit_write chown dac_override fowner net_bind_service setgid setuid sys_nice sys_resource };
 	dontaudit $1_su_t self:capability { net_admin sys_tty_config };
 	allow $1_su_t self:process { setexec setsched setrlimit };
@@ -165,18 +163,8 @@ template(`su_role_template',`
 	allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };
 	allow $1_su_t self:key { search write };
 
-	allow $1_su_t $2:key search;
-
-	# Transition from the user domain to this domain.
-	domtrans_pattern($2, su_exec_t, $1_su_t)
-
-	ps_process_pattern($2, $1_su_t)
-
 	# By default, revert to the calling domain when a shell is executed.
 	corecmd_shell_domtrans($1_su_t, $2)
-	allow $2 $1_su_t:fd use;
-	allow $2 $1_su_t:fifo_file rw_inherited_fifo_file_perms;
-	allow $2 $1_su_t:process sigchld;
 
 	kernel_read_system_state($1_su_t)
 	kernel_read_kernel_sysctls($1_su_t)
@@ -235,6 +223,34 @@ template(`su_role_template',`
 		auth_use_pam_systemd($1_su_t)
 	')
 
+	tunable_policy(`su_allow_user_exec_domains',`
+		allow $3 $1_su_t:process signal;
+
+		allow $1_su_t $3:key search;
+
+		# Transition from the user domain to this domain.
+		domtrans_pattern($3, su_exec_t, $1_su_t)
+
+		ps_process_pattern($3, $1_su_t)
+
+		allow $3 $1_su_t:fd use;
+		allow $3 $1_su_t:fifo_file rw_inherited_fifo_file_perms;
+		allow $3 $1_su_t:process sigchld;
+	',`
+		allow $2 $1_su_t:process signal;
+
+		allow $1_su_t $2:key search;
+
+		# Transition from the user domain to this domain.
+		domtrans_pattern($2, su_exec_t, $1_su_t)
+
+		ps_process_pattern($2, $1_su_t)
+
+		allow $2 $1_su_t:fd use;
+		allow $2 $1_su_t:fifo_file rw_inherited_fifo_file_perms;
+		allow $2 $1_su_t:process sigchld;
+	')
+
 	tunable_policy(`allow_polyinstantiation',`
 		fs_mount_xattr_fs($1_su_t)
 		fs_unmount_xattr_fs($1_su_t)

diff --git a/policy/modules/admin/su.te b/policy/modules/admin/su.te
index 295f31bd..479469c5 100644
--- a/policy/modules/admin/su.te
+++ b/policy/modules/admin/su.te
@@ -1,5 +1,15 @@
 policy_module(su, 1.16.0)
 
+## <desc>
+##	<p>
+##	Determine whether the user application
+##	exec domain attribute should be respected
+##	for su access. If not enabled, only user
+##	domains themselves may use su.
+##	</p>
+## </desc>
+gen_tunable(su_allow_user_exec_domains, false)
+
 ########################################
 #
 # Declarations

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Jason Zaman]

commit:     c15fd881704f72bfba0381c433d090ece731374d
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Sun Aug  8 15:10:47 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Nov 20 22:58:24 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c15fd881

sudo: add tunable to control user exec domain access

The tunable 'sudo_allow_user_exec_domains' only allows user domains
themselves to use sudo if disabled (default), otherwise any domain with
the corresponding user exec domain attribute may use sudo.

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/admin/sudo.if | 37 ++++++++++++++++++++++++++-----------
 policy/modules/admin/sudo.te | 10 ++++++++++
 2 files changed, 36 insertions(+), 11 deletions(-)

diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
index 4e2d7830..bab07e31 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -73,20 +73,9 @@ template(`sudo_role_template',`
 	allow $1_sudo_t self:key manage_key_perms;
 	dontaudit $1_sudo_t self:capability { dac_read_search sys_ptrace };
 
-	allow $1_sudo_t $3:key search;
-
-	# Transmit SIGWINCH to children
-	allow $1_sudo_t $3:process signal;
-
-	# Enter this derived domain from the user domain
-	domtrans_pattern($3, sudo_exec_t, $1_sudo_t)
-
 	# By default, revert to the calling domain when a shell is executed.
 	corecmd_shell_domtrans($1_sudo_t, $2)
 	corecmd_bin_domtrans($1_sudo_t, $2)
-	allow $3 $1_sudo_t:fd use;
-	allow $3 $1_sudo_t:fifo_file rw_fifo_file_perms;
-	allow $3 $1_sudo_t:process signal_perms;
 
 	kernel_read_kernel_sysctls($1_sudo_t)
 	kernel_read_system_state($1_sudo_t)
@@ -158,6 +147,32 @@ template(`sudo_role_template',`
 		dontaudit $1_sudo_t $3:socket_class_set { read write };
 	')
 
+	tunable_policy(`sudo_allow_user_exec_domains',`
+		allow $1_sudo_t $3:key search;
+
+		# Transmit SIGWINCH to children
+		allow $1_sudo_t $3:process signal;
+
+		# Enter this derived domain from the user domain
+		domtrans_pattern($3, sudo_exec_t, $1_sudo_t)
+
+		allow $3 $1_sudo_t:fd use;
+		allow $3 $1_sudo_t:fifo_file rw_fifo_file_perms;
+		allow $3 $1_sudo_t:process signal_perms;
+	',`
+		allow $1_sudo_t $2:key search;
+
+		# Transmit SIGWINCH to children
+		allow $1_sudo_t $2:process signal;
+
+		# Enter this derived domain from the user domain
+		domtrans_pattern($2, sudo_exec_t, $1_sudo_t)
+
+		allow $2 $1_sudo_t:fd use;
+		allow $2 $1_sudo_t:fifo_file rw_fifo_file_perms;
+		allow $2 $1_sudo_t:process signal_perms;
+	')
+
 	tunable_policy(`use_nfs_home_dirs',`
 		fs_manage_nfs_files($1_sudo_t)
 	')

diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te
index 8704a154..f6618cd9 100644
--- a/policy/modules/admin/sudo.te
+++ b/policy/modules/admin/sudo.te
@@ -11,6 +11,16 @@ policy_module(sudo, 1.17.0)
 ## </desc>
 gen_tunable(sudo_all_tcp_connect_http_port, false)
 
+## <desc>
+##	<p>
+##	Determine whether the user application exec
+##	domain attribute should be respected for sudo
+##	access. If not enabled, only user domains
+##	themselves may use sudo.
+##	</p>
+## </desc>
+gen_tunable(sudo_allow_user_exec_domains, false)
+
 ########################################
 #
 # Declarations

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Jason Zaman]

commit:     a9b9720b82e797983be0c4af4a7fbfdfa9c7f8f1
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Fri Oct  8 20:02:50 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Nov 20 22:58:24 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a9b9720b

shutdown: add tunable to control user exec domain access

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/admin/shutdown.if | 16 +++++++++++++---
 policy/modules/admin/shutdown.te | 10 ++++++++++
 2 files changed, 23 insertions(+), 3 deletions(-)

diff --git a/policy/modules/admin/shutdown.if b/policy/modules/admin/shutdown.if
index 2a428398..3a86edeb 100644
--- a/policy/modules/admin/shutdown.if
+++ b/policy/modules/admin/shutdown.if
@@ -28,13 +28,23 @@
 #
 template(`shutdown_role',`
 	gen_require(`
+		attribute_role shutdown_roles;
 		type shutdown_t;
 	')
 
-	shutdown_run($3, $4)
+	roleattribute $4 shutdown_roles;
+
+	tunable_policy(`shutdown_allow_user_exec_domains',`
+		shutdown_domtrans($3)
 
-	allow $3 shutdown_t:process { ptrace signal_perms };
-	ps_process_pattern($3, shutdown_t)
+		allow $3 shutdown_t:process { ptrace signal_perms };
+		ps_process_pattern($3, shutdown_t)
+	',`
+		shutdown_domtrans($2)
+
+		allow $2 shutdown_t:process { ptrace signal_perms };
+		ps_process_pattern($2, shutdown_t)
+	')
 
 	optional_policy(`
 		systemd_user_app_status($1, shutdown_t)

diff --git a/policy/modules/admin/shutdown.te b/policy/modules/admin/shutdown.te
index cb8a6c6b..d3302a76 100644
--- a/policy/modules/admin/shutdown.te
+++ b/policy/modules/admin/shutdown.te
@@ -1,5 +1,15 @@
 policy_module(shutdown, 1.7.0)
 
+## <desc>
+##	<p>
+##	Determine whether the user application exec
+##	domain attribute should be respected for
+##	shutdown access. If not enabled, only user
+##	domains themselves may use shutdown.
+##	</p>
+## </desc>
+gen_tunable(shutdown_allow_user_exec_domains, false)
+
 ########################################
 #
 # Declarations

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Jason Zaman]

commit:     42a6dc478442e531cd701638057210d9b1c58ec1
Author:     Jonathan Davies <jpds <AT> protonmail <DOT> com>
AuthorDate: Fri May 28 14:00:30 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Nov 12 01:53:00 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=42a6dc47

logrotate.te: Added boolean for allowing logrotate to rotate the audit log.

Signed-off-by: Jonathan Davies <jpds <AT> protonmail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/admin/logrotate.te | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te
index 1c704120..1419d878 100644
--- a/policy/modules/admin/logrotate.te
+++ b/policy/modules/admin/logrotate.te
@@ -5,6 +5,14 @@ policy_module(logrotate, 1.26.0)
 # Declarations
 #
 
+## <desc>
+##      <p>
+##      Determine whether logrotate can manage
+##      audit log files
+##      </p>
+## </desc>
+gen_tunable(logrotate_manage_audit_log, false)
+
 attribute_role logrotate_roles;
 roleattribute system_r logrotate_roles;
 
@@ -138,6 +146,11 @@ ifdef(`distro_debian',`
 	logging_read_syslog_config(logrotate_t)
 ')
 
+tunable_policy(`logrotate_manage_audit_log',`
+	logging_manage_audit_log(logrotate_t)
+')
+
+
 optional_policy(`
 	abrt_manage_cache(logrotate_t)
 ')

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Jason Zaman]

commit:     c752ecf2cdb6694584af6306b148263d7bcd8378
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Sun Nov  7 01:49:32 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Nov 11 21:26:50 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c752ecf2

netutils: fix ping

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/admin/netutils.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index 93a2fe8b..ec753a88 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -109,7 +109,7 @@ allow ping_t self:tcp_socket create_socket_perms;
 allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt getattr };
 allow ping_t self:packet_socket { create ioctl read write bind getopt setopt };
 allow ping_t self:netlink_route_socket create_netlink_socket_perms;
-allow ping_t self:icmp_socket create;
+allow ping_t self:icmp_socket create_socket_perms;
 
 corenet_all_recvfrom_netlabel(ping_t)
 corenet_sendrecv_icmp_packets(ping_t)

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Jason Zaman]

commit:     b90cb8704ffb2d1e57e38107076206f780ea7561
Author:     Yi Zhao <yi.zhao <AT> windriver <DOT> com>
AuthorDate: Tue Sep 28 07:46:50 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Nov 11 21:26:50 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b90cb870

passwd: allow passwd to map SELinux status page

We encountered a passwd runtime error with selinux 3.3:
$ passwd user1
passwd: avc.c:73: avc_context_to_sid_raw: Assertion `avc_running'
failed.
Aborted

Fixes:
avc: denied { map } for pid=325 comm="passwd"
path="/sys/fs/selinux/status" dev="selinuxfs" ino=19 scontext=root:
sysadm_r:passwd_t tcontext=system_u:object_r:security_t tclass=file
permissive=1

Signed-off-by: Yi Zhao <yi.zhao <AT> windriver.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/admin/usermanage.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index 19290878..ca60a09e 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -322,6 +322,7 @@ mls_file_write_all_levels(passwd_t)
 mls_file_downgrade(passwd_t)
 
 selinux_get_fs_mount(passwd_t)
+selinux_use_status_page(passwd_t)
 selinux_validate_context(passwd_t)
 selinux_compute_access_vector(passwd_t)
 selinux_compute_create_context(passwd_t)

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Jason Zaman]

commit:     abdb4768109d7b7251122ef03c200517eeada4cc
Author:     Jonathan Davies <jpds <AT> protonmail <DOT> com>
AuthorDate: Tue Jul  6 14:48:28 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Sep  5 14:26:44 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=abdb4768

dmesg.te: Added files_read_etc_files() as some distros store terminfo files in /etc/.

Signed-off-by: Jonathan Davies <jpds <AT> protonmail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/admin/dmesg.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te
index a254f13e..8c5337b1 100644
--- a/policy/modules/admin/dmesg.te
+++ b/policy/modules/admin/dmesg.te
@@ -38,6 +38,7 @@ term_dontaudit_use_console(dmesg_t)
 domain_use_interactive_fds(dmesg_t)
 
 files_list_etc(dmesg_t)
+files_read_etc_files(dmesg_t)
 files_read_usr_files(dmesg_t)
 
 init_use_fds(dmesg_t)

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Jason Zaman]

commit:     71f9eaa40d0cca90e45ad49ae78e0ce3767ebb7a
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Tue Feb  2 18:32:42 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb  6 21:15:09 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=71f9eaa4

apt, bootloader: Move lines.

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/admin/apt.fc        | 6 ++++--
 policy/modules/admin/bootloader.te | 5 ++---
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/policy/modules/admin/apt.fc b/policy/modules/admin/apt.fc
index 66fec023..456375f9 100644
--- a/policy/modules/admin/apt.fc
+++ b/policy/modules/admin/apt.fc
@@ -4,9 +4,11 @@
 /usr/bin/apt-get	--	gen_context(system_u:object_r:apt_exec_t,s0)
 /usr/bin/apt-shell	--	gen_context(system_u:object_r:apt_exec_t,s0)
 /usr/bin/aptitude	--	gen_context(system_u:object_r:apt_exec_t,s0)
+/usr/bin/unattended-upgrade -- gen_context(system_u:object_r:apt_exec_t,s0)
+
 /usr/sbin/update-apt-xapian-index -- gen_context(system_u:object_r:apt_exec_t,s0)
+
 /usr/share/unattended-upgrades/unattended-upgrade-shutdown -- gen_context(system_u:object_r:apt_exec_t,s0)
-/usr/bin/unattended-upgrade -- gen_context(system_u:object_r:apt_exec_t,s0)
 
 ifndef(`distro_redhat',`
 /usr/sbin/synaptic	--	gen_context(system_u:object_r:apt_exec_t,s0)
@@ -25,5 +27,5 @@ ifndef(`distro_redhat',`
 /var/lock/aptitude	gen_context(system_u:object_r:apt_lock_t,s0)
 
 /var/log/aptitude.*	gen_context(system_u:object_r:apt_var_log_t,s0)
-/var/log/unattended-upgrades(/.*)	gen_context(system_u:object_r:apt_var_log_t,s0)
 /var/log/apt(/.*)?	gen_context(system_u:object_r:apt_var_log_t,s0)
+/var/log/unattended-upgrades(/.*)	gen_context(system_u:object_r:apt_var_log_t,s0)

diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
index 78b34125..cbaf65cd 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -180,15 +180,14 @@ ifdef(`distro_debian',`
 
 	libs_relabelto_lib_files(bootloader_t)
 
+	apt_use_fds(bootloader_t)
+	apt_use_ptys(bootloader_t)
 	# for apt-cache
 	apt_read_db(bootloader_t)
 	apt_manage_cache(bootloader_t)
 
 	dpkg_read_db(bootloader_t)
 	dpkg_rw_pipes(bootloader_t)
-
-	apt_use_fds(bootloader_t)
-	apt_use_ptys(bootloader_t)
 ')
 
 ifdef(`distro_redhat',`

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Jason Zaman]

commit:     b3f7bbec02352eb175391b51119180bad035b096
Author:     Jonathan Davies <jpds <AT> protonmail <DOT> com>
AuthorDate: Tue Nov 17 15:58:31 2020 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Nov 29 01:32:30 2020 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b3f7bbec

portage.te: Allow portage_fetch_t to read /dev/urandom through interface.

Closes: https://github.com/perfinion/hardened-refpolicy/pull/3
Signed-off-by: Jonathan Davies <jpds <AT> protonmail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/admin/portage.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
index c0d6cace..8e9865e2 100644
--- a/policy/modules/admin/portage.te
+++ b/policy/modules/admin/portage.te
@@ -303,6 +303,7 @@ corenet_udp_bind_generic_node(portage_fetch_t)
 corenet_udp_bind_all_unreserved_ports(portage_fetch_t)
 
 dev_read_rand(portage_fetch_t)
+dev_read_urand(portage_fetch_t)
 
 domain_use_interactive_fds(portage_fetch_t)
 

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Jason Zaman]

commit:     b0b027157f3d12f12c5f859343ae4c28224c5629
Author:     Jonathan Davies <jpds <AT> protonmail <DOT> com>
AuthorDate: Tue Nov 17 03:46:23 2020 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Nov 28 22:55:59 2020 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b0b02715

portage: Added /var/cache/distfiles path.

Closes: https://github.com/perfinion/hardened-refpolicy/pull/1
Signed-off-by: Jason Zaman <jason <AT> perfinion.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/admin/portage.fc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc
index 5757deaa..b1b28f3e 100644
--- a/policy/modules/admin/portage.fc
+++ b/policy/modules/admin/portage.fc
@@ -28,6 +28,7 @@
 /var/db/pkg(/.*)?	gen_context(system_u:object_r:portage_db_t,s0)
 /var/db/repos(/.*)?	gen_context(system_u:object_r:portage_ebuild_t,s0)
 /var/cache/binpkgs(/.*)?  gen_context(system_u:object_r:portage_ebuild_t,s0)
+/var/cache/distfiles(/.*)?	gen_context(system_u:object_r:portage_ebuild_t,s0)
 /var/cache/distfiles/cvs-src(/.*)?	gen_context(system_u:object_r:portage_srcrepo_t,s0)
 /var/cache/distfiles/egit-src(/.*)?	gen_context(system_u:object_r:portage_srcrepo_t,s0)
 /var/cache/distfiles/git[0-9]-src(/.*)?	gen_context(system_u:object_r:portage_srcrepo_t,s0)

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Jason Zaman]

commit:     79c6971616012abf80e22b1678be2826a2860b42
Author:     Nicolas Iooss <nicolas.iooss <AT> m4x <DOT> org>
AuthorDate: Wed Jan 15 21:01:08 2020 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 15 07:32:05 2020 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=79c69716

usermanage: allow groupadd to lookup dynamic users from systemd

On a Debian 10 test virtual machine, when installing packages adds a
group, the following AVC occurs:

    type=USER_AVC msg=audit(1578863991.588:575): pid=381 uid=104
    auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t
    msg='avc:  denied  { send_msg } for msgtype=method_call
    interface=org.freedesktop.systemd1.Manager
    member=LookupDynamicUserByName dest=org.freedesktop.systemd1
    spid=13759 tpid=1 scontext=unconfined_u:unconfined_r:groupadd_t
    tcontext=system_u:system_r:init_t tclass=dbus permissive=1
    exe="/usr/bin/dbus-daemon" sauid=104 hostname=? addr=? terminal=?'

Allow groupadd to use nss-systemd, which calls DBUS method
LookupDynamicUserByName().

Signed-off-by: Nicolas Iooss <nicolas.iooss <AT> m4x.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/admin/usermanage.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index 3605da43..ef18fd64 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -277,6 +277,10 @@ optional_policy(`
 	rpm_rw_pipes(groupadd_t)
 ')
 
+optional_policy(`
+	systemd_use_nss(groupadd_t)
+')
+
 optional_policy(`
 	unconfined_use_fds(groupadd_t)
 ')

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Jason Zaman]

commit:     747810c85068a0c6e3820733e05f4ee9fd820454
Author:     Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Sun Oct  6 10:32:03 2019 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Dec 16 13:13:11 2019 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=747810c8

Allow alsa_t to set scheduling priority and send signal to itself

When alsactl is running as a daemon with systemd, it sets its process
priority to be nice to other processes. When stopping the service, it's
signaling to itself that it needs to exit.

----
time->Sun Oct  6 11:59:59 2019
type=AVC msg=audit(1570355999.755:43): avc:  denied  { setsched } for  pid=794 comm="alsactl" scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:system_r:alsa_t:s0 tclass=process permissive=1
----
time->Sun Oct  6 11:59:59 2019
type=AVC msg=audit(1570355999.755:44): avc:  denied  { getsched } for  pid=794 comm="alsactl" scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:system_r:alsa_t:s0 tclass=process permissive=1
----
time->Sun Oct  6 12:07:26 2019
type=AVC msg=audit(1570356446.747:292): avc:  denied  { signal } for  pid=3585 comm="alsactl" scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:system_r:alsa_t:s0 tclass=process permissive=1

Signed-off-by: Laurent Bigonville <bigon <AT> bigon.be>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/admin/alsa.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/admin/alsa.te b/policy/modules/admin/alsa.te
index 6a0e6fa0..1f27ee28 100644
--- a/policy/modules/admin/alsa.te
+++ b/policy/modules/admin/alsa.te
@@ -44,6 +44,7 @@ files_lock_file(alsa_var_lock_t)
 allow alsa_t self:capability { dac_override dac_read_search ipc_owner setgid setuid };
 # kill : kill pulseaudio
 dontaudit alsa_t self:capability { kill sys_admin };
+allow alsa_t self:process { getsched setsched signal };
 allow alsa_t self:sem create_sem_perms;
 allow alsa_t self:shm create_shm_perms;
 allow alsa_t self:unix_stream_socket { accept listen };

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Jason Zaman]

commit:     d7af41866897c6ec751ea4b95413a850a3e04e10
Author:     Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Sun Oct  6 10:01:48 2019 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Dec 16 13:13:11 2019 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d7af4186

Allow alsa_t to create alsa_runtime_t file as well

When alsactl is started as a daemon, it creates a pidfile
(/run/alsactl.pid), that needs to be allowed

----
time->Sun Oct  6 10:59:09 2019
type=AVC msg=audit(1570352349.743:45): avc:  denied  { write open } for  pid=804 comm="alsactl" path="/run/alsactl.pid" dev="tmpfs" ino=25882 scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1570352349.743:45): avc:  denied  { create } for  pid=804 comm="alsactl" name="alsactl.pid" scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
----
time->Sun Oct  6 11:54:38 2019
type=AVC msg=audit(1570355678.226:657): avc:  denied  { open } for  pid=9186 comm="alsactl" path="/run/alsactl.pid" dev="tmpfs" ino=25882 scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1570355678.226:657): avc:  denied  { read } for  pid=9186 comm="alsactl" name="alsactl.pid" dev="tmpfs" ino=25882 scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
----
time->Sun Oct  6 11:54:38 2019
type=AVC msg=audit(1570355678.230:659): avc:  denied  { unlink } for  pid=804 comm="alsactl" name="alsactl.pid" dev="tmpfs" ino=25882 scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1

Signed-off-by: Laurent Bigonville <bigon <AT> bigon.be>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/admin/alsa.fc | 1 +
 policy/modules/admin/alsa.te | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/policy/modules/admin/alsa.fc b/policy/modules/admin/alsa.fc
index 75ea9ebf..3f52f370 100644
--- a/policy/modules/admin/alsa.fc
+++ b/policy/modules/admin/alsa.fc
@@ -4,6 +4,7 @@ HOME_DIR/\.asoundrc				--	gen_context(system_u:object_r:alsa_home_t,s0)
 /etc/asound\.conf				--	gen_context(system_u:object_r:alsa_etc_t,s0)
 
 /run/alsa(/.*)?						gen_context(system_u:object_r:alsa_runtime_t,s0)
+/run/alsactl\.pid				--	gen_context(system_u:object_r:alsa_runtime_t,s0)
 
 /usr/bin/ainit					--	gen_context(system_u:object_r:alsa_exec_t,s0)
 /usr/bin/alsactl				--	gen_context(system_u:object_r:alsa_exec_t,s0)

diff --git a/policy/modules/admin/alsa.te b/policy/modules/admin/alsa.te
index 06c7635c..6a0e6fa0 100644
--- a/policy/modules/admin/alsa.te
+++ b/policy/modules/admin/alsa.te
@@ -58,8 +58,9 @@ allow alsa_t alsa_etc_t:file map;
 can_exec(alsa_t, alsa_exec_t)
 
 allow alsa_t alsa_runtime_t:dir manage_dir_perms;
+allow alsa_t alsa_runtime_t:file manage_file_perms;
 allow alsa_t alsa_runtime_t:lnk_file manage_lnk_file_perms;
-files_pid_filetrans(alsa_t, alsa_runtime_t, dir)
+files_pid_filetrans(alsa_t, alsa_runtime_t, { dir file })
 
 manage_dirs_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t)
 manage_files_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t)

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Jason Zaman]

commit:     ff958f25ddf696b09e9a0b91dd2883262abcaa7c
Author:     Sugar, David <dsugar <AT> tresys <DOT> com>
AuthorDate: Tue Jul  2 17:59:43 2019 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Jul 13 06:43:14 2019 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ff958f25

grant permission for rpm to write to audit log

Messages like this are added to the audit log when an rpm is installed:
type=SOFTWARE_UPDATE msg=audit(1560913896.581:244): pid=1265 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:rpm_t:s0 msg='sw="ntpdate-4.2.6p5-25.el7_3.2.x86_64" sw_type=rpm key_enforce=0 gpg_res=0 root_dir="/" comm="rpm" exe="/usr/bin/rpm" hostname=? addr=?  terminal=? res=success'

These are the denials that I'm seeing:
type=AVC msg=audit(1560913896.581:243): avc:  denied  { audit_write } for  pid=1265 comm="rpm" capability=29 scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=capability permissive=1

type=AVC msg=audit(1561298132.446:240): avc:  denied  { create } for pid=1266 comm="rpm" scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=netlink_audit_socket permissive=1
type=AVC msg=audit(1561298132.446:241): avc:  denied  { write } for pid=1266 comm="rpm" scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=netlink_audit_socket permissive=1
type=AVC msg=audit(1561298132.446:241): avc:  denied  { nlmsg_relay } for  pid=1266 comm="rpm" scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=netlink_audit_socket permissive=1
type=AVC msg=audit(1561298132.447:243): avc:  denied  { read } for pid=1266 comm="rpm" scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=netlink_audit_socket permissive=1

v2 - Use interface rather than adding permissions here - this change may
confuse subsequent patches in this set, if so let me know and I will
submit a pull request on github.

Signed-off-by: Dave Sugar <dsugar <AT> tresys.com>
Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

 policy/modules/admin/rpm.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
index 85e32b3e..ff1dbf15 100644
--- a/policy/modules/admin/rpm.te
+++ b/policy/modules/admin/rpm.te
@@ -204,6 +204,7 @@ libs_exec_ld_so(rpm_t)
 libs_exec_lib_files(rpm_t)
 libs_run_ldconfig(rpm_t, rpm_roles)
 
+logging_send_audit_msgs(rpm_t)
 logging_send_syslog_msg(rpm_t)
 
 seutil_manage_src_policy(rpm_t)

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Jason Zaman]

commit:     6ad26170be5e95a49bdbeb1a4c45a080ae7fe6b2
Author:     Sugar, David <dsugar <AT> tresys <DOT> com>
AuthorDate: Tue Jul  2 15:30:31 2019 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Jul 13 06:43:14 2019 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6ad26170

Allow rpm to map file contexts

type=AVC msg=audit(1560944465.365:270): avc:  denied  { map } for pid=1265 comm="rpm" path="/etc/selinux/clip/contexts/files/file_contexts.bin" dev="dm-0" ino=44911 scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:object_r:file_context_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar <AT> tresys.com>
Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

 policy/modules/admin/rpm.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
index e385a8ba..a7b13467 100644
--- a/policy/modules/admin/rpm.te
+++ b/policy/modules/admin/rpm.te
@@ -211,6 +211,7 @@ miscfiles_read_localization(rpm_t)
 
 seutil_manage_src_policy(rpm_t)
 seutil_manage_bin_policy(rpm_t)
+seutil_read_file_contexts(rpm_t)
 
 userdom_use_user_terminals(rpm_t)
 userdom_use_unpriv_users_fds(rpm_t)

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Jason Zaman]

commit:     eae38520b58bfb213ab8db6792a6c2ba94fc9161
Author:     Sugar, David <dsugar <AT> tresys <DOT> com>
AuthorDate: Tue Jul  2 15:30:30 2019 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Jul 13 06:43:14 2019 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=eae38520

grant rpm permissions to map locale_t

type=AVC msg=audit(1560913896.408:217): avc:  denied  { map } for pid=1265 comm="rpm" path="/usr/lib/locale/locale-archive" dev="dm-0" ino=24721 scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar <AT> tresys.com>
Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

 policy/modules/admin/rpm.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
index ff1dbf15..e385a8ba 100644
--- a/policy/modules/admin/rpm.te
+++ b/policy/modules/admin/rpm.te
@@ -207,6 +207,8 @@ libs_run_ldconfig(rpm_t, rpm_roles)
 logging_send_audit_msgs(rpm_t)
 logging_send_syslog_msg(rpm_t)
 
+miscfiles_read_localization(rpm_t)
+
 seutil_manage_src_policy(rpm_t)
 seutil_manage_bin_policy(rpm_t)
 

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Jason Zaman]

commit:     069c0408e5a33a230222f6bde4904dab51dcfff3
Author:     Sugar, David <dsugar <AT> tresys <DOT> com>
AuthorDate: Tue Jul  2 15:30:29 2019 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Jul 13 06:43:14 2019 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=069c0408

grant rpm permission to map rpm_var_lib_t

type=AVC msg=audit(1560913896.432:218): avc:  denied  { map } for pid=1265 comm="rpm" path="/var/lib/rpm/__db.001" dev="dm-0" ino=2223 scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar <AT> tresys.com>
Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

 policy/modules/admin/rpm.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
index 2b15088a..85e32b3e 100644
--- a/policy/modules/admin/rpm.te
+++ b/policy/modules/admin/rpm.te
@@ -111,6 +111,7 @@ files_lock_filetrans(rpm_t, rpm_lock_t, file)
 
 manage_dirs_pattern(rpm_t, rpm_var_lib_t, rpm_var_lib_t)
 manage_files_pattern(rpm_t, rpm_var_lib_t, rpm_var_lib_t)
+mmap_read_files_pattern(rpm_t, rpm_var_lib_t, rpm_var_lib_t)
 files_var_lib_filetrans(rpm_t, rpm_var_lib_t, { dir file })
 
 manage_dirs_pattern(rpm_t, rpm_var_run_t, rpm_var_run_t)

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Jason Zaman]

commit:     1a367564756b5ecefb06c3dfe204ca068f75c0c0
Author:     Sugar, David <dsugar <AT> tresys <DOT> com>
AuthorDate: Tue Jul  2 15:30:31 2019 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Jul 13 06:43:14 2019 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1a367564

Allow rpm scripts to alter systemd services

In RPM scripts it is common to enable/start services that are being
installed.  This allows rpm_script_t to manage sysemd units

type=USER_AVC msg=audit(1561033935.758:283): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { enable } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/ntpdate.service" cmdline="systemctl preset ntpdate.service" scontext=system_u:system_r:rpm_script_t:s0 tcontext=system_u:object_r:ntpd_unit_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1561033935.837:286): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { enable } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/ntpd.service" cmdline="systemctl preset ntpd.service" scontext=system_u:system_r:rpm_script_t:s0 tcontext=system_u:object_r:ntpd_unit_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

type=USER_AVC msg=audit(1561059114.937:239): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { reload } for auid=n/a uid=0 gid=0 cmdline="systemctl preset ntpdate.service" scontext=system_u:system_r:rpm_script_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

Signed-off-by: Dave Sugar <dsugar <AT> tresys.com>
Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

 policy/modules/admin/rpm.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
index a7b13467..e74113fc 100644
--- a/policy/modules/admin/rpm.te
+++ b/policy/modules/admin/rpm.te
@@ -345,6 +345,8 @@ auth_dontaudit_getattr_shadow(rpm_script_t)
 auth_use_nsswitch(rpm_script_t)
 
 init_domtrans_script(rpm_script_t)
+init_manage_all_units(rpm_script_t)
+init_reload(rpm_script_t)
 init_telinit(rpm_script_t)
 
 libs_exec_ld_so(rpm_script_t)

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Jason Zaman]

commit:     9f421ae98022ed24ccc66e2c6d32f09d61d3427e
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Tue Jul  9 00:49:31 2019 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Jul 13 06:43:14 2019 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9f421ae9

rpm: Module version bump.

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

 policy/modules/admin/rpm.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
index e74113fc..a73be953 100644
--- a/policy/modules/admin/rpm.te
+++ b/policy/modules/admin/rpm.te
@@ -1,4 +1,4 @@
-policy_module(rpm, 1.23.0)
+policy_module(rpm, 1.23.1)
 
 ########################################
 #

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Jason Zaman]

commit:     6b8e7ca613d74efbe08d3ad4aabafe2361cba20c
Author:     Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Fri May  3 11:32:04 2019 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Jul 13 06:43:14 2019 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6b8e7ca6

Allow logrotate to execute fail2ban-client

fail2ban logrotate configuration runs "fail2ban-client flushlogs" after
rotating the logs

Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

 policy/modules/admin/logrotate.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te
index e66f15ef..e6e2a97b 100644
--- a/policy/modules/admin/logrotate.te
+++ b/policy/modules/admin/logrotate.te
@@ -193,6 +193,7 @@ optional_policy(`
 ')
 
 optional_policy(`
+	fail2ban_domtrans_client(logrotate_t)
 	fail2ban_stream_connect(logrotate_t)
 ')
 

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Jason Zaman]

commit:     848ab47ce8e072e0485216d113b49ec3ecdc8e19
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Mon May 27 23:30:24 2019 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Jul 13 06:43:14 2019 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=848ab47c

logrotate: Module version bump.

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

 policy/modules/admin/logrotate.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te
index 37bab0aa..adc3101d 100644
--- a/policy/modules/admin/logrotate.te
+++ b/policy/modules/admin/logrotate.te
@@ -1,4 +1,4 @@
-policy_module(logrotate, 1.22.1)
+policy_module(logrotate, 1.22.2)
 
 ########################################
 #

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Jason Zaman]

commit:     5fcc3d0770d58a36c657164ff60d81a276c39d79
Author:     Chris PeBenito <Christopher.PeBenito <AT> microsoft <DOT> com>
AuthorDate: Thu May 16 12:57:36 2019 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Jul 13 06:43:14 2019 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5fcc3d07

logrotate: Make MTA optional.

Signed-off-by: Chris PeBenito <Christopher.PeBenito <AT> microsoft.com>
Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

 policy/modules/admin/logrotate.te | 22 +++++++++++++---------
 1 file changed, 13 insertions(+), 9 deletions(-)

diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te
index 52cb35a5..37bab0aa 100644
--- a/policy/modules/admin/logrotate.te
+++ b/policy/modules/admin/logrotate.te
@@ -29,8 +29,6 @@ files_type(logrotate_var_lib_t)
 type logrotate_unit_t;
 init_unit_file(logrotate_unit_t)
 
-mta_base_mail_template(logrotate)
-role system_r types logrotate_mail_t;
 
 ########################################
 #
@@ -131,8 +129,6 @@ userdom_use_user_terminals(logrotate_t)
 userdom_list_user_home_dirs(logrotate_t)
 userdom_use_unpriv_users_fds(logrotate_t)
 
-mta_sendmail_domtrans(logrotate_t, logrotate_mail_t)
-
 ifdef(`distro_debian',`
 	allow logrotate_t logrotate_tmp_t:file relabel_file_perms;
 	can_exec(logrotate_t, logrotate_exec_t)
@@ -279,13 +275,21 @@ optional_policy(`
 # Mail local policy
 #
 
-allow logrotate_mail_t logrotate_t:fd use;
-allow logrotate_mail_t logrotate_t:fifo_file rw_fifo_file_perms;
-allow logrotate_mail_t logrotate_t:process sigchld;
+optional_policy(`
+	mta_base_mail_template(logrotate)
+	role system_r types logrotate_mail_t;
+
+	allow logrotate_mail_t logrotate_t:fd use;
+	allow logrotate_mail_t logrotate_t:fifo_file rw_fifo_file_perms;
+	allow logrotate_mail_t logrotate_t:process sigchld;
 
-manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t)
+	manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t)
+
+	mta_sendmail_domtrans(logrotate_t, logrotate_mail_t)
+
+	logging_read_all_logs(logrotate_mail_t)
+')
 
-logging_read_all_logs(logrotate_mail_t)
 
 ifdef(`distro_gentoo',`
 	# Fix bug 534256 - fail2ban installs a logrotate file that calls fail2ban-client so allow transition

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Jason Zaman]

commit:     52cb621762b5a0e7c4276d1c527623181f2ee454
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Tue Mar 12 00:56:46 2019 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Mar 25 10:05:25 2019 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=52cb6217

usermanage: Move kernel_dgram_send(passwd_t) to systemd block.

Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

 policy/modules/admin/usermanage.te | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index 0f874b1a..d8ba89e6 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -304,7 +304,6 @@ allow passwd_t self:msg { send receive };
 allow passwd_t crack_db_t:dir list_dir_perms;
 read_files_pattern(passwd_t, crack_db_t, crack_db_t)
 
-kernel_dgram_send(passwd_t)
 kernel_read_crypto_sysctls(passwd_t)
 kernel_read_kernel_sysctls(passwd_t)
 
@@ -367,6 +366,11 @@ userdom_read_user_tmp_files(passwd_t)
 # on user home dir
 userdom_dontaudit_search_user_home_content(passwd_t)
 
+ifdef(`init_systemd',`
+	# for journald /dev/log
+	kernel_dgram_send(passwd_t)
+')
+
 optional_policy(`
 	nscd_run(passwd_t, passwd_roles)
 ')

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Jason Zaman]

commit:     17daafd3ec8af0e3e870d7b9aa2e4a68dcd5d00c
Author:     Sugar, David <dsugar <AT> tresys <DOT> com>
AuthorDate: Mon Mar 11 16:02:29 2019 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Mar 25 10:05:25 2019 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=17daafd3

Resolve denial while changing password

I'm seeing the following denials reading /proc/sys/crypto/fips_enabled
and sending message for logging.  This resolves those denials.

type=AVC msg=audit(1552222811.419:470): avc:  denied  { search } for  pid=7739 comm="passwd" name="crypto" dev="proc" ino=2253 scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1552222811.419:470): avc:  denied  { read } for  pid=7739 comm="passwd" name="fips_enabled" dev="proc" ino=2254 scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1552222811.419:470): avc:  denied  { open } for  pid=7739 comm="passwd" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=2254 scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1552222811.419:471): avc:  denied  { getattr } for  pid=7739 comm="passwd" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=2254 scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1

type=AVC msg=audit(1552222811.431:476): avc:  denied  { sendto } for  pid=7739 comm="passwd" path="/dev/log" scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1

Signed-off-by: Dave Sugar <dsugar <AT> tresys.com>
Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

 policy/modules/admin/usermanage.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index a91c0b7c..0f874b1a 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -304,6 +304,8 @@ allow passwd_t self:msg { send receive };
 allow passwd_t crack_db_t:dir list_dir_perms;
 read_files_pattern(passwd_t, crack_db_t, crack_db_t)
 
+kernel_dgram_send(passwd_t)
+kernel_read_crypto_sysctls(passwd_t)
 kernel_read_kernel_sysctls(passwd_t)
 
 # for SSP

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Jason Zaman]

commit:     d4a52c8d5636dc5c0ca411704137cee945f1071d
Author:     Sugar, David <dsugar <AT> tresys <DOT> com>
AuthorDate: Mon Feb 25 23:37:47 2019 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Mar 25 10:05:25 2019 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d4a52c8d

Allow AIDE to read kernel sysctl_crypto_t

type=AVC msg=audit(1550799594.212:164): avc:  denied  { search } for  pid=7182 comm="aide" name="crypto" dev="proc" ino=10257 scontext=system_u:system_r:aide_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1550799594.212:164): avc:  denied  { read } for  pid=7182 comm="aide" name="fips_enabled" dev="proc" ino=10258 scontext=system_u:system_r:aide_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1550799594.212:164): avc:  denied  { open } for  pid=7182 comm="aide" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=10258 scontext=system_u:system_r:aide_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1550799594.213:165): avc:  denied  { getattr } for  pid=7182 comm="aide" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=10258 scontext=system_u:system_r:aide_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar <AT> tresys.com>
Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

 policy/modules/admin/aide.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/admin/aide.te b/policy/modules/admin/aide.te
index 6297b60e..f58ba850 100644
--- a/policy/modules/admin/aide.te
+++ b/policy/modules/admin/aide.te
@@ -36,6 +36,7 @@ files_read_all_files(aide_t)
 files_read_all_symlinks(aide_t)
 
 kernel_dgram_send(aide_t)
+kernel_read_crypto_sysctls(aide_t)
 
 logging_send_audit_msgs(aide_t)
 logging_send_syslog_msg(aide_t)

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Jason Zaman]

commit:     45581b7ac1b5fafd180b6bc43c1ea329c416b1ec
Author:     Sugar, David <dsugar <AT> tresys <DOT> com>
AuthorDate: Mon Feb 25 23:37:47 2019 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Mar 25 10:05:25 2019 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=45581b7a

Allow AIDE to mmap files

AIDE has a compile time option WITH_MMAP which allows AIDE to
map files during scanning.  RHEL7 has set this option in the
aide rpm they distribute.

Changes made to add a tunable to enable permissions allowing
aide to map files that it needs.  I have set the default to
false as this seems perfered (in my mind).

Signed-off-by: Dave Sugar <dsugar <AT> tresys.com>
Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

 policy/modules/admin/aide.te | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/policy/modules/admin/aide.te b/policy/modules/admin/aide.te
index f58ba850..fe52a280 100644
--- a/policy/modules/admin/aide.te
+++ b/policy/modules/admin/aide.te
@@ -5,6 +5,15 @@ policy_module(aide, 1.8.0)
 # Declarations
 #
 
+## <desc>
+##	<p>
+##	Control if AIDE can mmap files.
+##	AIDE can be compiled with the option 'with-mmap' in which case it will
+## 	attempt to mmap files while running.
+##	</p>
+## </desc>
+gen_tunable(aide_mmap_files, false)
+
 attribute_role aide_roles;
 
 type aide_t;
@@ -43,6 +52,10 @@ logging_send_syslog_msg(aide_t)
 
 userdom_use_user_terminals(aide_t)
 
+tunable_policy(`aide_mmap_files',`
+	files_map_non_auth_files(aide_t)
+')
+
 optional_policy(`
 	seutil_use_newrole_fds(aide_t)
 ')

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Jason Zaman]

commit:     fd2f4ebf4bfebbf0660ea15a84a9e5fd9db217b8
Author:     Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Tue Oct 23 23:14:28 2018 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Nov 18 10:59:17 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=fd2f4ebf

Allow portage_sandbox_t to read /proc/sys/vm/overcommit_memory

git uses this.

Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

 policy/modules/admin/portage.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
index 33547b6e..bdf5d412 100644
--- a/policy/modules/admin/portage.te
+++ b/policy/modules/admin/portage.te
@@ -515,6 +515,8 @@ gen_tunable(portage_enable_test, false)
 
 	dev_getattr_xserver_misc_dev(portage_sandbox_t)
 
+	kernel_read_vm_overcommit_sysctl(portage_sandbox_t)
+
 	tunable_policy(`portage_enable_test',`
 		# lots of tests connect over loopback
 		corenet_tcp_bind_all_unreserved_ports(portage_sandbox_t)

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Jason Zaman]

commit:     da88f8dde868a0fa49d6e786b4296a26ee03d065
Author:     Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Fri Oct 12 22:23:05 2018 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Nov 11 23:17:31 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=da88f8dd

Realign logrotate.fc, remove an obvious comment

Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

 policy/modules/admin/logrotate.fc | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/policy/modules/admin/logrotate.fc b/policy/modules/admin/logrotate.fc
index cd43ab28..fd5497f3 100644
--- a/policy/modules/admin/logrotate.fc
+++ b/policy/modules/admin/logrotate.fc
@@ -1,12 +1,11 @@
 /etc/cron\.(daily|weekly)/logrotate	--	gen_context(system_u:object_r:logrotate_exec_t,s0)
 /etc/cron\.(daily|weekly)/sysklogd	--	gen_context(system_u:object_r:logrotate_exec_t,s0)
 
-/usr/bin/logrotate	--	gen_context(system_u:object_r:logrotate_exec_t,s0)
+/usr/bin/logrotate			--	gen_context(system_u:object_r:logrotate_exec_t,s0)
 
-# Systemd unit file
-/usr/lib/systemd/system/[^/]*logrotate.*	--	gen_context(system_u:object_r:logrotate_unit_t,s0)
+/usr/lib/systemd/system/[^/]*logrotate.*  --	gen_context(system_u:object_r:logrotate_unit_t,s0)
 
-/usr/sbin/logrotate	--	gen_context(system_u:object_r:logrotate_exec_t,s0)
+/usr/sbin/logrotate			--	gen_context(system_u:object_r:logrotate_exec_t,s0)
 
-/var/lib/logrotate(/.*)?	gen_context(system_u:object_r:logrotate_var_lib_t,s0)
+/var/lib/logrotate(/.*)?			gen_context(system_u:object_r:logrotate_var_lib_t,s0)
 /var/lib/(misc/)?logrotate\.status	--	gen_context(system_u:object_r:logrotate_var_lib_t,s0)

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Jason Zaman]

commit:     9ef8aea97d654eb4b3659ca1aaa87caae7665d0b
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Oct 13 17:38:18 2018 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Nov 11 23:17:31 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9ef8aea9

logrotate: Module version bump.

Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

 policy/modules/admin/logrotate.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te
index 01e99b12..c43cf4ba 100644
--- a/policy/modules/admin/logrotate.te
+++ b/policy/modules/admin/logrotate.te
@@ -1,4 +1,4 @@
-policy_module(logrotate, 1.21.0)
+policy_module(logrotate, 1.21.1)
 
 ########################################
 #

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Jason Zaman]

commit:     da4fa3729e32c0af8e0cda241986ba0600e584f1
Author:     Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Fri Oct 12 22:23:04 2018 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Nov 11 23:17:31 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=da4fa372

Add fc for /var/lib/misc/logrotate.status

Some distros configure logrotate to put its status file somewhere else
than the default /var/lib/logrotate.status. Debian puts it in
/var/lib/logrotate/, and Gentoo uses /var/lib/misc/.

Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

 policy/modules/admin/logrotate.fc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/admin/logrotate.fc b/policy/modules/admin/logrotate.fc
index dac1af39..cd43ab28 100644
--- a/policy/modules/admin/logrotate.fc
+++ b/policy/modules/admin/logrotate.fc
@@ -9,4 +9,4 @@
 /usr/sbin/logrotate	--	gen_context(system_u:object_r:logrotate_exec_t,s0)
 
 /var/lib/logrotate(/.*)?	gen_context(system_u:object_r:logrotate_var_lib_t,s0)
-/var/lib/logrotate\.status	--	gen_context(system_u:object_r:logrotate_var_lib_t,s0)
+/var/lib/(misc/)?logrotate\.status	--	gen_context(system_u:object_r:logrotate_var_lib_t,s0)

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Jason Zaman]

commit:     2183738fdf2058f431c6eb7fbdadf9c398eb0eac
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Jul  9 13:04:40 2018 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Jul 11 14:42:50 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2183738f

portage: allow getattr xserver_misc_device for cuda

 policy/modules/admin/portage.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
index 4d1a4955..33547b6e 100644
--- a/policy/modules/admin/portage.te
+++ b/policy/modules/admin/portage.te
@@ -477,6 +477,8 @@ gen_tunable(portage_enable_test, false)
 
 	auth_use_nsswitch(portage_t)
 
+	dev_getattr_xserver_misc_dev(portage_t)
+
 	# Support cgroup FEATURES
 	fs_mount_cgroup(portage_t)
 	fs_mounton_cgroup(portage_t)
@@ -511,6 +513,8 @@ gen_tunable(portage_enable_test, false)
 	# install-xattr does listxattr() which throws a lot of this
 	dontaudit portage_sandbox_t self:capability sys_admin;
 
+	dev_getattr_xserver_misc_dev(portage_sandbox_t)
+
 	tunable_policy(`portage_enable_test',`
 		# lots of tests connect over loopback
 		corenet_tcp_bind_all_unreserved_ports(portage_sandbox_t)

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Jason Zaman]

commit:     ab221a14bbcdcf910a655ce840f6f75fbad8a869
Author:     Luis Ressel via refpolicy <refpolicy <AT> oss <DOT> tresys <DOT> com>
AuthorDate: Tue Oct 24 23:46:30 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Oct 29 12:59:50 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ab221a14

netutils: Grant netutils_t map perms for the packet_socket class

This is required for the PACKET_RX_RING feature used by tcpdump.

 policy/modules/admin/netutils.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index f0995ef3..0d3fb75d 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -40,7 +40,7 @@ allow netutils_t self:netlink_route_socket create_netlink_socket_perms;
 allow netutils_t self:netlink_socket create_socket_perms;
 # For tcpdump.
 allow netutils_t self:netlink_netfilter_socket create_socket_perms;
-allow netutils_t self:packet_socket create_socket_perms;
+allow netutils_t self:packet_socket { create_socket_perms map };
 allow netutils_t self:udp_socket create_socket_perms;
 allow netutils_t self:tcp_socket create_stream_socket_perms;
 allow netutils_t self:socket create_socket_perms;

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Jason Zaman]

commit:     fe17c9fa110210e65e9eee5122c787048256e667
Author:     cgzones <cgzones <AT> googlemail <DOT> com>
AuthorDate: Fri Jun  9 13:30:24 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Jun 13 08:02:15 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=fe17c9fa

netutils: update

v2:
 - keep files_read_etc_files interfaces

 policy/modules/admin/netutils.fc |  1 +
 policy/modules/admin/netutils.te | 15 +++------------
 2 files changed, 4 insertions(+), 12 deletions(-)

diff --git a/policy/modules/admin/netutils.fc b/policy/modules/admin/netutils.fc
index 4f77e1cc..54c0793f 100644
--- a/policy/modules/admin/netutils.fc
+++ b/policy/modules/admin/netutils.fc
@@ -3,6 +3,7 @@
 /usr/bin/hping2		--	gen_context(system_u:object_r:ping_exec_t,s0)
 /usr/bin/iptstate	--	gen_context(system_u:object_r:netutils_exec_t,s0)
 /usr/bin/lft		--	gen_context(system_u:object_r:traceroute_exec_t,s0)
+/usr/bin/mtr		--	gen_context(system_u:object_r:traceroute_exec_t,s0)
 /usr/bin/nmap		--	gen_context(system_u:object_r:traceroute_exec_t,s0)
 /usr/bin/ping.* 	--	gen_context(system_u:object_r:ping_exec_t,s0)
 /usr/bin/send_arp	--	gen_context(system_u:object_r:ping_exec_t,s0)

diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index 19af9a5d..f881cf8b 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -49,7 +49,6 @@ manage_dirs_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t)
 manage_files_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t)
 files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir })
 
-kernel_search_proc(netutils_t)
 kernel_read_network_state(netutils_t)
 kernel_read_all_sysctls(netutils_t)
 
@@ -86,9 +85,7 @@ logging_send_syslog_msg(netutils_t)
 
 miscfiles_read_localization(netutils_t)
 
-term_dontaudit_use_console(netutils_t)
-userdom_use_user_terminals(netutils_t)
-userdom_use_all_users_fds(netutils_t)
+userdom_use_inherited_user_terminals(netutils_t)
 
 optional_policy(`
 	nis_use_ypbind(netutils_t)
@@ -127,12 +124,9 @@ corenet_tcp_sendrecv_all_ports(ping_t)
 
 dev_read_urand(ping_t)
 
-fs_dontaudit_getattr_xattr_fs(ping_t)
-
 domain_use_interactive_fds(ping_t)
 
 files_read_etc_files(ping_t)
-files_dontaudit_search_var(ping_t)
 
 kernel_read_system_state(ping_t)
 
@@ -142,7 +136,7 @@ logging_send_syslog_msg(ping_t)
 
 miscfiles_read_localization(ping_t)
 
-userdom_use_user_terminals(ping_t)
+userdom_use_inherited_user_terminals(ping_t)
 
 ifdef(`hide_broken_symptoms',`
 	init_dontaudit_use_fds(ping_t)
@@ -197,12 +191,9 @@ corenet_tcp_connect_all_ports(traceroute_t)
 corenet_sendrecv_all_client_packets(traceroute_t)
 corenet_sendrecv_traceroute_server_packets(traceroute_t)
 
-fs_dontaudit_getattr_xattr_fs(traceroute_t)
-
 domain_use_interactive_fds(traceroute_t)
 
 files_read_etc_files(traceroute_t)
-files_dontaudit_search_var(traceroute_t)
 
 init_use_fds(traceroute_t)
 
@@ -212,7 +203,7 @@ logging_send_syslog_msg(traceroute_t)
 
 miscfiles_read_localization(traceroute_t)
 
-userdom_use_user_terminals(traceroute_t)
+userdom_use_inherited_user_terminals(traceroute_t)
 
 #rules needed for nmap
 dev_read_rand(traceroute_t)

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Jason Zaman]

commit:     26534d6388eb4e76eb8dc7c4f35b7d2a80cb45a6
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Feb 11 19:26:48 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Feb 17 08:13:37 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=26534d63

Revert "bootloader: stricter permissions and more tailored file contexts"

This reverts commit b0c13980d224c49207315154905eb7fcb90f289d.

 policy/modules/admin/bootloader.fc |  6 ------
 policy/modules/admin/bootloader.te | 17 ++++-------------
 2 files changed, 4 insertions(+), 19 deletions(-)

diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc
index d3925950..cdd6d3dd 100644
--- a/policy/modules/admin/bootloader.fc
+++ b/policy/modules/admin/bootloader.fc
@@ -1,12 +1,6 @@
-/boot/grub.*	-d	gen_context(system_u:object_r:bootloader_run_t,s0)
-/boot/grub.*/.*		gen_context(system_u:object_r:bootloader_run_t,s0)
-
-/boot/grub.*/grub.cfg	--	gen_context(system_u:object_r:bootloader_etc_t,s0)
-/boot/grub.*/grub.conf	--	gen_context(system_u:object_r:bootloader_etc_t,s0)
 
 /etc/lilo\.conf.*	--	gen_context(system_u:object_r:bootloader_etc_t,s0)
 /etc/yaboot\.conf.*	--	gen_context(system_u:object_r:bootloader_etc_t,s0)
-/etc/grub.d(/.*)?	--	gen_context(system_u:object_r:bootloader_etc_t,s0)
 
 /usr/sbin/grub		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
 /usr/sbin/grub2?-bios-setup	--	gen_context(system_u:object_r:bootloader_exec_t,s0)

diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
index fd9df5c8..bd69d431 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -22,13 +22,6 @@ application_domain(bootloader_t, bootloader_exec_t)
 role bootloader_roles types bootloader_t;
 
 #
-# bootloader_run_t are image and other runtime
-# files
-#
-type bootloader_run_t alias run_bootloader_t;
-files_type(bootloader_run_t)
-
-#
 # bootloader_etc_t is the configuration file,
 # grub.conf, lilo.conf, etc.
 #
@@ -52,7 +45,7 @@ allow bootloader_t self:capability { dac_override dac_read_search fsetid sys_raw
 allow bootloader_t self:process { signal_perms execmem };
 allow bootloader_t self:fifo_file rw_fifo_file_perms;
 
-allow bootloader_t bootloader_etc_t:file exec_file_perms;
+allow bootloader_t bootloader_etc_t:file read_file_perms;
 # uncomment the following lines if you use "lilo -p"
 #allow bootloader_t bootloader_etc_t:file manage_file_perms;
 #files_etc_filetrans(bootloader_t,bootloader_etc_t,file)
@@ -66,11 +59,6 @@ files_tmp_filetrans(bootloader_t, bootloader_tmp_t, { dir file lnk_file chr_file
 # for tune2fs (cjp: ?)
 files_root_filetrans(bootloader_t, bootloader_tmp_t, file)
 
-manage_dirs_pattern(bootloader_t, bootloader_run_t, bootloader_run_t)
-manage_files_pattern(bootloader_t, bootloader_run_t, bootloader_run_t)
-manage_lnk_files_pattern(bootloader_t, bootloader_run_t, bootloader_run_t)
-files_boot_filetrans(bootloader_t, bootloader_run_t, { dir file lnk_file })
-
 kernel_getattr_core_if(bootloader_t)
 kernel_read_network_state(bootloader_t)
 kernel_read_system_state(bootloader_t)
@@ -108,7 +96,10 @@ corecmd_exec_all_executables(bootloader_t)
 domain_use_interactive_fds(bootloader_t)
 
 files_create_boot_dirs(bootloader_t)
+files_manage_boot_files(bootloader_t)
+files_manage_boot_symlinks(bootloader_t)
 files_read_etc_files(bootloader_t)
+files_exec_etc_files(bootloader_t)
 files_read_usr_src_files(bootloader_t)
 files_read_usr_files(bootloader_t)
 files_read_var_files(bootloader_t)

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Jason Zaman]

commit:     6071ad267042af00ae73aa58d7c07d5e78a3e0b3
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun Feb  5 07:42:30 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Feb  5 08:45:23 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6071ad26

bootloader: grub needs to manage grub.cfg

commit b0c13980d224c49207315154905eb7fcb90f289d
broke grub-mkconfig which needs to be able to update the grub.cfg file.
Remove the fcontext for grub.cfg so it can update the file.

$ grub-mkconfig -o /boot/grub/grub.cfg
Generating grub configuration file ...
mv: cannot move '/boot/grub/grub.cfg.new' to '/boot/grub/grub.cfg':
Permission denied

type=AVC msg=audit(1486273313.557:26703): avc:  denied  { unlink } for  pid=10757 comm="mv" name="grub.cfg" dev="md1" ino=10070 scontext=staff_u:sysadm_r:bootloader_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bootloader_etc_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1486273313.557:26703): arch=c000003e syscall=82 success=no exit=-13 a0=3a93725fbef a1=3a93725fc07 a2=0 a3=2 items=4 ppid=9489 pid=10757 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=4 comm="mv" exe="/bin/mv" subj=staff_u:sysadm_r:bootloader_t:s0-s0:c0.c1023 key=(null)
type=CWD msg=audit(1486273313.557:26703): cwd="/root"
type=PATH msg=audit(1486273313.557:26703): item=0 name="/boot/grub/" inode=10041 dev=09:01 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:bootloader_run_t:s0 nametype=PARENT
type=PATH msg=audit(1486273313.557:26703): item=1 name="/boot/grub/" inode=10041 dev=09:01 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:bootloader_run_t:s0 nametype=PARENT
type=PATH msg=audit(1486273313.557:26703): item=2 name="/boot/grub/grub.cfg.new" inode=10072 dev=09:01 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=staff_u:object_r:bootloader_run_t:s0 nametype=DELETE
type=PATH msg=audit(1486273313.557:26703): item=3 name="/boot/grub/grub.cfg" inode=10070 dev=09:01 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:bootloader_etc_t:s0 nametype=DELETE

 policy/modules/admin/bootloader.fc | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc
index c43c428..d62e8e3 100644
--- a/policy/modules/admin/bootloader.fc
+++ b/policy/modules/admin/bootloader.fc
@@ -1,9 +1,6 @@
 /boot/grub.*	-d	gen_context(system_u:object_r:bootloader_run_t,s0)
 /boot/grub.*/.*		gen_context(system_u:object_r:bootloader_run_t,s0)
 
-/boot/grub.*/grub.cfg	--	gen_context(system_u:object_r:bootloader_etc_t,s0)
-/boot/grub.*/grub.conf	--	gen_context(system_u:object_r:bootloader_etc_t,s0)
-
 /etc/lilo\.conf.*	--	gen_context(system_u:object_r:bootloader_etc_t,s0)
 /etc/yaboot\.conf.*	--	gen_context(system_u:object_r:bootloader_etc_t,s0)
 /etc/grub.d(/.*)?	--	gen_context(system_u:object_r:bootloader_etc_t,s0)

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Jason Zaman]

commit:     7c30c8834c281dc9a151d1d11f68aac9d86067b1
Author:     Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Fri Dec 23 00:22:39 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jan  1 16:26:28 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7c30c883

bootloader: stricter permissions and more tailored file contexts

Update the bootloader module so that it can manage only its
own runtime files and not all boot_t files (which include,
for example, the common locations for kernel images and
initramfs archives) and so that it can execute only its own
etc files (needed by grub2-mkconfig) and not all etc_t files
which is more dangerous.

Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>

 policy/modules/admin/bootloader.fc |  6 ++++++
 policy/modules/admin/bootloader.te | 17 +++++++++++++----
 2 files changed, 19 insertions(+), 4 deletions(-)

diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc
index d908d56..5b67c16 100644
--- a/policy/modules/admin/bootloader.fc
+++ b/policy/modules/admin/bootloader.fc
@@ -1,6 +1,12 @@
+/boot/grub.*	-d	gen_context(system_u:object_r:bootloader_run_t,s0)
+/boot/grub.*/.*		gen_context(system_u:object_r:bootloader_run_t,s0)
+
+/boot/grub.*/grub.cfg	--	gen_context(system_u:object_r:bootloader_etc_t,s0)
+/boot/grub.*/grub.conf	--	gen_context(system_u:object_r:bootloader_etc_t,s0)
 
 /etc/lilo\.conf.*	--	gen_context(system_u:object_r:bootloader_etc_t,s0)
 /etc/yaboot\.conf.*	--	gen_context(system_u:object_r:bootloader_etc_t,s0)
+/etc/grub.d(/.*)?	--	gen_context(system_u:object_r:bootloader_etc_t,s0)
 
 /sbin/grub		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
 /sbin/lilo.*		--	gen_context(system_u:object_r:bootloader_exec_t,s0)

diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
index fcaa6d4..e3f2a72 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -22,6 +22,13 @@ application_domain(bootloader_t, bootloader_exec_t)
 role bootloader_roles types bootloader_t;
 
 #
+# bootloader_run_t are image and other runtime
+# files
+#
+type bootloader_run_t alias run_bootloader_t;
+files_type(bootloader_run_t)
+
+#
 # bootloader_etc_t is the configuration file,
 # grub.conf, lilo.conf, etc.
 #
@@ -45,7 +52,7 @@ allow bootloader_t self:capability { dac_override dac_read_search fsetid sys_raw
 allow bootloader_t self:process { signal_perms execmem };
 allow bootloader_t self:fifo_file rw_fifo_file_perms;
 
-allow bootloader_t bootloader_etc_t:file read_file_perms;
+allow bootloader_t bootloader_etc_t:file exec_file_perms;
 # uncomment the following lines if you use "lilo -p"
 #allow bootloader_t bootloader_etc_t:file manage_file_perms;
 #files_etc_filetrans(bootloader_t,bootloader_etc_t,file)
@@ -59,6 +66,11 @@ files_tmp_filetrans(bootloader_t, bootloader_tmp_t, { dir file lnk_file chr_file
 # for tune2fs (cjp: ?)
 files_root_filetrans(bootloader_t, bootloader_tmp_t, file)
 
+manage_dirs_pattern(bootloader_t, bootloader_run_t, bootloader_run_t)
+manage_files_pattern(bootloader_t, bootloader_run_t, bootloader_run_t)
+manage_lnk_files_pattern(bootloader_t, bootloader_run_t, bootloader_run_t)
+files_boot_filetrans(bootloader_t, bootloader_run_t, { dir file lnk_file })
+
 kernel_getattr_core_if(bootloader_t)
 kernel_read_network_state(bootloader_t)
 kernel_read_system_state(bootloader_t)
@@ -96,10 +108,7 @@ corecmd_exec_all_executables(bootloader_t)
 domain_use_interactive_fds(bootloader_t)
 
 files_create_boot_dirs(bootloader_t)
-files_manage_boot_files(bootloader_t)
-files_manage_boot_symlinks(bootloader_t)
 files_read_etc_files(bootloader_t)
-files_exec_etc_files(bootloader_t)
 files_read_usr_src_files(bootloader_t)
 files_read_usr_files(bootloader_t)
 files_read_var_files(bootloader_t)

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Jason Zaman]

commit:     dc478cb2c42a8b5d120203a1aa1157873a131cb3
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Fri Mar 25 14:24:59 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri May 13 05:07:33 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=dc478cb2

Update su for libselinux-2.5 changes.

su is linked against libselinux via pam_unix.so.  Use the selinuxutil
interface so future libselinux changes are pulled in.

 policy/modules/admin/su.if | 3 +++
 policy/modules/admin/su.te | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
index a069cb8..02aabd8 100644
--- a/policy/modules/admin/su.if
+++ b/policy/modules/admin/su.if
@@ -217,6 +217,9 @@ template(`su_role_template',`
 
 	miscfiles_read_localization($1_su_t)
 
+	# pam_unix is linked against libselinux
+	seutil_libselinux_linked($1_su_t)
+
 	userdom_use_user_terminals($1_su_t)
 	userdom_search_user_home_dirs($1_su_t)
 

diff --git a/policy/modules/admin/su.te b/policy/modules/admin/su.te
index 85bb77e..d936e3b 100644
--- a/policy/modules/admin/su.te
+++ b/policy/modules/admin/su.te
@@ -1,4 +1,4 @@
-policy_module(su, 1.12.0)
+policy_module(su, 1.12.1)
 
 ########################################
 #

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Sven Vermeulen]

commit:     770ab52d286978f77fc9ebc650cbf0a8f04663ce
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Jul 15 13:44:53 2015 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Jul 15 13:44:53 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=770ab52d

Fix avc_context_to_raw assertion in su domains (bug #554080)

Although earlier investigations on the same matter [1] did not result in
a good fix (it seemed that the permissions where needed for the wrong
reasons, but would most likely require a fix in either the application
that is SELinux-aware or in how the permissions are handled). It does
not look like we will see a proper solution in the near future.

[1] http://oss.tresys.com/pipermail/refpolicy/2014-April/007058.html

So allow the permissions (without write / send/recv_msg) to allow su
domains to go forward.

X-Gentoo-Bug: 554080
X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=554080

 policy/modules/admin/su.if | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
index aea8a4f..a069cb8 100644
--- a/policy/modules/admin/su.if
+++ b/policy/modules/admin/su.if
@@ -119,6 +119,8 @@ template(`su_restricted_domain_template', `
 	')
 
 	ifdef(`distro_gentoo',`
+		# Fix bug 554080 - Allow su to query SELinux subsystem (netlink_selinux_socket)
+		allow $1_su_t self:netlink_selinux_socket { create bind read };
 		selinux_get_fs_mount($1_su_t)
 	')
 ')

[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/admin/

[Sven Vermeulen]

commit:     4835f7f1d0a050d045335d19505e8113de883dfa
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Jun  9 10:45:03 2015 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Jun  9 10:45:03 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4835f7f1

Support capabilities for tcpdump (netutils_t)

 policy/modules/admin/netutils.te | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index 54e1603..407685f 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -224,6 +224,11 @@ ifdef(`distro_gentoo',`
 	#
 
 	# Fix bug 535988
+	allow netutils_t self:process getcap;
+	allow netutils_t self:capability setpcap;
+
+	kernel_request_load_module(netutils_t)
 	kernel_dontaudit_search_debugfs(netutils_t)
-	dev_dontaudit_read_usbmon_dev(netutils_t)	
+
+	dev_dontaudit_read_usbmon_dev(netutils_t)
 ')

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Sven Vermeulen]

commit:     4835f7f1d0a050d045335d19505e8113de883dfa
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Jun  9 10:45:03 2015 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Jun  9 10:45:03 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4835f7f1

Support capabilities for tcpdump (netutils_t)

 policy/modules/admin/netutils.te | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index 54e1603..407685f 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -224,6 +224,11 @@ ifdef(`distro_gentoo',`
 	#
 
 	# Fix bug 535988
+	allow netutils_t self:process getcap;
+	allow netutils_t self:capability setpcap;
+
+	kernel_request_load_module(netutils_t)
 	kernel_dontaudit_search_debugfs(netutils_t)
-	dev_dontaudit_read_usbmon_dev(netutils_t)	
+
+	dev_dontaudit_read_usbmon_dev(netutils_t)
 ')

[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/admin/

[Sven Vermeulen]

commit:     abcbaf9dd3597c68f75999fb3f755dd4c158e3d4
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Jun  7 09:19:00 2015 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Jun  7 09:19:00 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=abcbaf9d

Fix bug 535988 - Do not audit device reads when invoking tcpdump

Occurs when invoking tcpdump without any options:

~# tcpdump

Denials:

time->Sun Jun  7 10:52:50 2015
type=AVC msg=audit(1433667170.527:83): avc:  denied  { read } for
pid=17708 comm="tcpdump" name="usbmon4" dev="devtmpfs" ino=163
scontext=staff_u:sysadm_r:netutils_t:s0
tcontext=system_u:object_r:usbmon_device_t:s0 tclass=chr_file
permissive=0

time->Sun Jun  7 10:52:50 2015
type=AVC msg=audit(1433667170.527:84): avc:  denied  { search } for
pid=17708 comm="tcpdump" name="/" dev="debugfs" ino=1
scontext=staff_u:sysadm_r:netutils_t:s0
tcontext=system_u:object_r:debugfs_t:s0 tclass=dir permissive=0

X-Gentoo-Bug: 535988

 policy/modules/admin/netutils.te | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index b8169a8..54e1603 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -216,3 +216,14 @@ userdom_use_user_terminals(traceroute_t)
 dev_read_rand(traceroute_t)
 dev_read_urand(traceroute_t)
 files_read_usr_files(traceroute_t)
+
+ifdef(`distro_gentoo',`
+	########################################
+	# 
+	# netutils_t policy updates
+	#
+
+	# Fix bug 535988
+	kernel_dontaudit_search_debugfs(netutils_t)
+	dev_dontaudit_read_usbmon_dev(netutils_t)	
+')

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Sven Vermeulen]

commit:     abcbaf9dd3597c68f75999fb3f755dd4c158e3d4
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Jun  7 09:19:00 2015 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Jun  7 09:19:00 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=abcbaf9d

Fix bug 535988 - Do not audit device reads when invoking tcpdump

Occurs when invoking tcpdump without any options:

~# tcpdump

Denials:

time->Sun Jun  7 10:52:50 2015
type=AVC msg=audit(1433667170.527:83): avc:  denied  { read } for
pid=17708 comm="tcpdump" name="usbmon4" dev="devtmpfs" ino=163
scontext=staff_u:sysadm_r:netutils_t:s0
tcontext=system_u:object_r:usbmon_device_t:s0 tclass=chr_file
permissive=0

time->Sun Jun  7 10:52:50 2015
type=AVC msg=audit(1433667170.527:84): avc:  denied  { search } for
pid=17708 comm="tcpdump" name="/" dev="debugfs" ino=1
scontext=staff_u:sysadm_r:netutils_t:s0
tcontext=system_u:object_r:debugfs_t:s0 tclass=dir permissive=0

X-Gentoo-Bug: 535988

 policy/modules/admin/netutils.te | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index b8169a8..54e1603 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -216,3 +216,14 @@ userdom_use_user_terminals(traceroute_t)
 dev_read_rand(traceroute_t)
 dev_read_urand(traceroute_t)
 files_read_usr_files(traceroute_t)
+
+ifdef(`distro_gentoo',`
+	########################################
+	# 
+	# netutils_t policy updates
+	#
+
+	# Fix bug 535988
+	kernel_dontaudit_search_debugfs(netutils_t)
+	dev_dontaudit_read_usbmon_dev(netutils_t)	
+')

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Sven Vermeulen]

commit:     a2a70a8441dcf2d226c6f35ee8549acc420b0be1
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat May 16 11:08:49 2015 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat May 16 11:08:49 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a2a70a84

Fix bug #549640 - Add dontaudit getattr on chr and blk devices for sudo domain

 policy/modules/admin/sudo.if | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
index 56ce11c..8bd1963 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -160,6 +160,12 @@ template(`sudo_role_template',`
 	optional_policy(`
 		fprintd_dbus_chat($1_sudo_t)
 	')
+
+	ifdef(`distro_gentoo',`
+		# Fix bug 549640 - Add dontaudit getattr on chr and blk devices as is done with regular user domains too
+		dev_dontaudit_getattr_all_blk_files($1_sudo_t)
+		dev_dontaudit_getattr_all_chr_files($1_sudo_t)
+	')
 ')
 
 ########################################

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Sven Vermeulen]

commit:     6021047ffb0b923335185c9a879a7ebb994acedb
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Jan 25 14:03:05 2015 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Jan 25 14:03:05 2015 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=6021047f

Fix bug #537652 - Allow grub2-mkconfig to be executed from the user home dir (default location when executing commands for a user)

---
 policy/modules/admin/bootloader.te | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
index 197791f..fcaa6d4 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -208,3 +208,8 @@ optional_policy(`
 optional_policy(`
 	rpm_rw_pipes(bootloader_t)
 ')
+
+ifdef(`distro_gentoo',`
+	# Fix bug #537652 - grub2-mkconfig has search rights needed on current dir (usually user home dir)
+	userdom_search_user_home_dirs(bootloader_t)
+')

[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/admin/

[Sven Vermeulen]

commit:     364faaa731277dee24837e0781cb3cc520f36406
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Nov 22 17:28:47 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Nov 22 17:28:47 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=364faaa7

Add upstream feedback when sent but needs some work

---
 policy/modules/admin/usermanage.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index 4855693..e11f53a 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -571,11 +571,13 @@ ifdef(`distro_gentoo',`
 	# groupadd_t
 
 	# fix bug #499036
+	# Upstream: http://oss.tresys.com/pipermail/refpolicy/2014-April/007058.html
 	allow groupadd_t self:netlink_selinux_socket { create bind };
 
 	########################################
 	# useradd_t
 
 	# fix bug #499036
+	# Upstream: http://oss.tresys.com/pipermail/refpolicy/2014-April/007058.html
 	allow useradd_t self:netlink_selinux_socket { create bind };
 ')

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Sven Vermeulen]

commit:     364faaa731277dee24837e0781cb3cc520f36406
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Nov 22 17:28:47 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Nov 22 17:28:47 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=364faaa7

Add upstream feedback when sent but needs some work

---
 policy/modules/admin/usermanage.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index 4855693..e11f53a 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -571,11 +571,13 @@ ifdef(`distro_gentoo',`
 	# groupadd_t
 
 	# fix bug #499036
+	# Upstream: http://oss.tresys.com/pipermail/refpolicy/2014-April/007058.html
 	allow groupadd_t self:netlink_selinux_socket { create bind };
 
 	########################################
 	# useradd_t
 
 	# fix bug #499036
+	# Upstream: http://oss.tresys.com/pipermail/refpolicy/2014-April/007058.html
 	allow useradd_t self:netlink_selinux_socket { create bind };
 ')

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Sven Vermeulen]

commit:     4d16571c5e3d0449b38cdd8619db04e93526fcf9
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Nov 27 22:22:02 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Nov 27 22:22:02 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=4d16571c

Missing quote

---
 policy/modules/admin/dmesg.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/admin/dmesg.if b/policy/modules/admin/dmesg.if
index 1b6e1b2..6271b3c 100644
--- a/policy/modules/admin/dmesg.if
+++ b/policy/modules/admin/dmesg.if
@@ -58,7 +58,7 @@ interface(`dmesg_exec',`
 ## </param>
 ## <rolecap/>
 #
-interface(`dmesg_run,`
+interface(`dmesg_run',`
 	gen_require(`
 		type dmesg_t;
 	')

[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/admin/

[Sven Vermeulen]

commit:     67ee9d7026c6e3887eb590811aa1291682945840
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Oct 12 08:56:22 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Oct 12 08:56:22 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=67ee9d70

Allow setting ownership of ts/ directory

When creating the ts/ directory (in which sudo keeps timestamps), allow
the sudo application to set ownership.

No errors involved (only denial) but the end result is different (group
ownership is different, even though there is no group privilege).

---
 policy/modules/admin/sudo.if | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
index b282877..58c456b 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -161,6 +161,9 @@ template(`sudo_role_template',`
 	')
 
 	ifdef(`distro_gentoo',`
+		# Set ownership of ts directory (timestamp keeping)
+		allow $1_sudo_t self:capability { chown };
+		# Create /var/run/sudo
 		auth_pid_filetrans_pam_var_run($1_sudo_t, dir, "sudo")
 	')
 ')

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Sven Vermeulen]

commit:     67ee9d7026c6e3887eb590811aa1291682945840
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Oct 12 08:56:22 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Oct 12 08:56:22 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=67ee9d70

Allow setting ownership of ts/ directory

When creating the ts/ directory (in which sudo keeps timestamps), allow
the sudo application to set ownership.

No errors involved (only denial) but the end result is different (group
ownership is different, even though there is no group privilege).

---
 policy/modules/admin/sudo.if | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
index b282877..58c456b 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -161,6 +161,9 @@ template(`sudo_role_template',`
 	')
 
 	ifdef(`distro_gentoo',`
+		# Set ownership of ts directory (timestamp keeping)
+		allow $1_sudo_t self:capability { chown };
+		# Create /var/run/sudo
 		auth_pid_filetrans_pam_var_run($1_sudo_t, dir, "sudo")
 	')
 ')

[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/admin/

[Sven Vermeulen]

commit:     733eef5b0f9b79c0b8dd2b5a9ea4020cc0c765f7
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Oct 12 08:40:53 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Oct 12 08:40:53 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=733eef5b

Allow sudo to create /var/run/sudo if non-existing

When sudo is invoked and the /var/run/sudo directory (in which a ts/
subdirectory would be created and managed by sudo) is not available yet,
sudo will try to create it.

Grant it this privilege and have this directory be labeled as
pam_var_run_t.

Without this, we get:
sudo: unable to mkdir /var/run/sudo: Permission denied

---
 policy/modules/admin/sudo.if | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
index d9114b3..b282877 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -160,6 +160,9 @@ template(`sudo_role_template',`
 		fprintd_dbus_chat($1_sudo_t)
 	')
 
+	ifdef(`distro_gentoo',`
+		auth_pid_filetrans_pam_var_run($1_sudo_t, dir, "sudo")
+	')
 ')
 
 ########################################

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Sven Vermeulen]

commit:     733eef5b0f9b79c0b8dd2b5a9ea4020cc0c765f7
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Oct 12 08:40:53 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Oct 12 08:40:53 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=733eef5b

Allow sudo to create /var/run/sudo if non-existing

When sudo is invoked and the /var/run/sudo directory (in which a ts/
subdirectory would be created and managed by sudo) is not available yet,
sudo will try to create it.

Grant it this privilege and have this directory be labeled as
pam_var_run_t.

Without this, we get:
sudo: unable to mkdir /var/run/sudo: Permission denied

---
 policy/modules/admin/sudo.if | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
index d9114b3..b282877 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -160,6 +160,9 @@ template(`sudo_role_template',`
 		fprintd_dbus_chat($1_sudo_t)
 	')
 
+	ifdef(`distro_gentoo',`
+		auth_pid_filetrans_pam_var_run($1_sudo_t, dir, "sudo")
+	')
 ')
 
 ########################################

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Sven Vermeulen]

commit:     f591616e559675fd9ebec18575267d125d4eb135
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Mon Oct  6 13:50:58 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Oct 12 08:24:40 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f591616e

Module version bump for Debian arping fc entries from Laurent Bigonville.

---
 policy/modules/admin/netutils.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index cfd9700..5f4c84e 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -1,4 +1,4 @@
-policy_module(netutils, 1.13.1)
+policy_module(netutils, 1.13.2)
 
 ########################################
 #

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Sven Vermeulen]

commit:     d211e0e619833fd7743396651109e91eb09d620d
Author:     Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Fri Oct  3 12:35:58 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Oct 12 08:24:33 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=d211e0e6

Debian also ship a different arping implementation

In addition to the iputils arping implementation, Debian also ships an
other implementation which is installed under /usr/sbin/arping

---
 policy/modules/admin/netutils.fc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/admin/netutils.fc b/policy/modules/admin/netutils.fc
index 355714d..a4672ca 100644
--- a/policy/modules/admin/netutils.fc
+++ b/policy/modules/admin/netutils.fc
@@ -9,6 +9,7 @@
 /usr/bin/nmap		--	gen_context(system_u:object_r:traceroute_exec_t,s0)
 /usr/bin/traceroute.*	--	gen_context(system_u:object_r:traceroute_exec_t,s0)
 
+/usr/sbin/arping	--	gen_context(system_u:object_r:netutils_exec_t,s0)
 /usr/sbin/fping 	--	gen_context(system_u:object_r:ping_exec_t,s0)
 /usr/sbin/traceroute.*	--	gen_context(system_u:object_r:traceroute_exec_t,s0)
 /usr/sbin/hping2	--	gen_context(system_u:object_r:ping_exec_t,s0)

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Sven Vermeulen]

commit:     282116096675c76b306401b6dd93ee63e22e5931
Author:     Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Fri Oct  3 12:29:05 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Oct 12 08:24:31 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=28211609

On Debian iputils-arping is installed in /usr/bin/arping

---
 policy/modules/admin/netutils.fc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/admin/netutils.fc b/policy/modules/admin/netutils.fc
index 407078f..355714d 100644
--- a/policy/modules/admin/netutils.fc
+++ b/policy/modules/admin/netutils.fc
@@ -4,6 +4,7 @@
 
 /sbin/arping		--	gen_context(system_u:object_r:netutils_exec_t,s0)
 
+/usr/bin/arping		--	gen_context(system_u:object_r:netutils_exec_t,s0)
 /usr/bin/lft		--	gen_context(system_u:object_r:traceroute_exec_t,s0)
 /usr/bin/nmap		--	gen_context(system_u:object_r:traceroute_exec_t,s0)
 /usr/bin/traceroute.*	--	gen_context(system_u:object_r:traceroute_exec_t,s0)

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Sven Vermeulen]

commit:     a2c27b5797c6d7420fe0bb36ee364406d260c960
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Aug 31 18:14:16 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Aug 31 18:14:16 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=a2c27b57

Mark mkconfig as bootloader executable too

---
 policy/modules/admin/bootloader.fc | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc
index d56f931..2503c58 100644
--- a/policy/modules/admin/bootloader.fc
+++ b/policy/modules/admin/bootloader.fc
@@ -10,3 +10,7 @@
 /usr/sbin/grub2?-bios-setup	--	gen_context(system_u:object_r:bootloader_exec_t,s0)
 /usr/sbin/grub2?-install	--	gen_context(system_u:object_r:bootloader_exec_t,s0)
 /usr/sbin/grub2?-probe	--	gen_context(system_u:object_r:bootloader_exec_t,s0)
+
+ifdef(`distro_gentoo',`
+/usr/sbin/grub2?-mkconfig	--	gen_context(system_u:object_r:bootloader_exec_t,s0)
+')

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Sven Vermeulen]

commit:     ed4c234f64e2e952f796563b8a7bb4a23b3210cc
Author:     Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Thu Jun 26 21:22:07 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Aug 19 20:06:36 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=ed4c234f

Grant ping_t getattr on rawip_socket

If the (sadly nearly undocumented) Linux kernel feature which allows
specific user groups to send ICMP echos without CAP_NET_RAW
(configurable with the sysctl net.ipv4.ping_group_range, available since
3.0) is used, ping needs the getattr permission of the rawip_socket
class in order to work.

---
 policy/modules/admin/netutils.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index 7aa7384..570bf2c 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -110,7 +110,7 @@ allow ping_t self:capability { setuid net_raw };
 allow ping_t self:process { getcap setcap };
 dontaudit ping_t self:capability sys_tty_config;
 allow ping_t self:tcp_socket create_socket_perms;
-allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
+allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt getattr };
 allow ping_t self:packet_socket { create ioctl read write bind getopt setopt };
 allow ping_t self:netlink_route_socket create_netlink_socket_perms;
 

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Sven Vermeulen]

commit:     e28086742e431918f0a742b4a8bc458b83032f40
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Mon Aug 18 14:30:28 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Aug 19 20:06:38 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=e2808674

Module version bump for ping rawip socket fix from Luis Ressel.

---
 policy/modules/admin/netutils.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index 570bf2c..cfd9700 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -1,4 +1,4 @@
-policy_module(netutils, 1.13.0)
+policy_module(netutils, 1.13.1)
 
 ########################################
 #

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Sven Vermeulen]

commit:     6f89ead94bb14f55eca319a101c791159faa9739
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Mar 25 20:30:04 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Apr  8 15:20:56 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=6f89ead9

Hide getattr denials upon sudo invocation

When sudo is invoked (sudo -i) the audit log gets quite a lot of denials
related to the getattr permission against tty_device_t:chr_file for the
*_sudo_t domain. However, no additional logging (that would hint at a
need) by sudo, nor any functional issues come up.

Hence the dontaudit call.

Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>

---
 policy/modules/admin/sudo.if | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
index 4bb2245..07e5db8 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -110,6 +110,7 @@ template(`sudo_role_template',`
 	selinux_compute_relabel_context($1_sudo_t)
 
 	term_getattr_pty_fs($1_sudo_t)
+	term_dontaudit_getattr_unallocated_ttys($1_sudo_t)
 	term_relabel_all_ttys($1_sudo_t)
 	term_relabel_all_ptys($1_sudo_t)
 

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Sven Vermeulen]

commit:     67a1eb781526f979335c4eb54184d66c9bc2b060
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Mar 25 19:40:21 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Mar 25 19:40:21 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=67a1eb78

Dontaudit to hide large set of denials that show no other signs (no logging or functional reduction)

---
 policy/modules/admin/sudo.if | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
index 0960199..4bb2245 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -159,6 +159,11 @@ template(`sudo_role_template',`
 		fprintd_dbus_chat($1_sudo_t)
 	')
 
+	ifdef(`distro_gentoo',`
+		# Massive amount of getattr denials but no mention in logs or functional issues, so dontaudit it
+		term_dontaudit_getattr_unallocated_ttys($1_sudo_t)
+	')
+
 ')
 
 ########################################

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Sven Vermeulen]

commit:     8ffd7330d9872f0c9bebfbbcb035d600cc986d98
Author:     Chris PeBenito <pebenito <AT> gentoo <DOT> org>
AuthorDate: Mon Mar  3 14:07:00 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Mar  4 15:27:03 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=8ffd7330

Module version bump for bootloader fc fixes from Luis Ressel.

---
 policy/modules/admin/bootloader.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
index 3f81343..5b21248 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -1,4 +1,4 @@
-policy_module(bootloader, 1.14.1)
+policy_module(bootloader, 1.14.2)
 
 ########################################
 #

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Sven Vermeulen]

commit:     2a915adb767cc3a81ea12ab7bb36f20fca6ee57a
Author:     Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Sun Feb 16 13:59:43 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Mar  4 15:27:02 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=2a915adb

Label grub2-install as bootloader_exec_t

---
 policy/modules/admin/bootloader.fc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc
index 8c7e6c2..d56f931 100644
--- a/policy/modules/admin/bootloader.fc
+++ b/policy/modules/admin/bootloader.fc
@@ -8,4 +8,5 @@
 
 /usr/sbin/grub		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
 /usr/sbin/grub2?-bios-setup	--	gen_context(system_u:object_r:bootloader_exec_t,s0)
+/usr/sbin/grub2?-install	--	gen_context(system_u:object_r:bootloader_exec_t,s0)
 /usr/sbin/grub2?-probe	--	gen_context(system_u:object_r:bootloader_exec_t,s0)

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Sven Vermeulen]

commit:     f295a5e0f40b3c0f538b11376f48fa497af9cbb0
Author:     Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Sun Feb 16 13:35:39 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Mar  4 15:27:00 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f295a5e0

Generalize grub2 pattern

GRUB2 helper programs can be named either grub2-* or grub-*, depending
on distro and configuration.

---
 policy/modules/admin/bootloader.fc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc
index 2626ebf..8c7e6c2 100644
--- a/policy/modules/admin/bootloader.fc
+++ b/policy/modules/admin/bootloader.fc
@@ -7,5 +7,5 @@
 /sbin/ybin.*		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
 
 /usr/sbin/grub		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
-/usr/sbin/grub2-bios-setup	--	gen_context(system_u:object_r:bootloader_exec_t,s0)
-/usr/sbin/grub2-probe	--	gen_context(system_u:object_r:bootloader_exec_t,s0)
+/usr/sbin/grub2?-bios-setup	--	gen_context(system_u:object_r:bootloader_exec_t,s0)
+/usr/sbin/grub2?-probe	--	gen_context(system_u:object_r:bootloader_exec_t,s0)

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Sven Vermeulen]

commit:     c93122f27770d5ffec2ac84da73d2236efa67ccf
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Feb 15 09:38:43 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Feb 15 09:38:43 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=c93122f2

Is now upstreamed so no longer needed in separate block

---
 policy/modules/admin/netutils.te | 10 ----------
 1 file changed, 10 deletions(-)

diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index 457c17b..c44c359 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -214,13 +214,3 @@ userdom_use_user_terminals(traceroute_t)
 dev_read_rand(traceroute_t)
 dev_read_urand(traceroute_t)
 files_read_usr_files(traceroute_t)
-
-ifdef(`distro_gentoo',`
-	#########################################
-	#
-	# ping_t policy
-	#
-
-	# When not using setuid ping but capabilities
-	allow ping_t self:process { getcap setcap };
-')

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Sven Vermeulen]

commit:     2a38128e3940d14e9cae65ecdb80ab0812af9e9b
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Feb  2 12:17:33 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Feb  2 12:17:33 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=2a38128e

Fix bug #499036 - avc_running assertion fails otherwise

---
 policy/modules/admin/usermanage.te | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index 3ba4972..7bfba16 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -565,3 +565,17 @@ optional_policy(`
 	rpm_use_fds(useradd_t)
 	rpm_rw_pipes(useradd_t)
 ')
+
+ifdef(`distro_gentoo',`
+	########################################
+	# groupadd_t
+
+	# fix bug #499036
+	allow groupadd_t self:netlink_selinux_socket { create bind };
+
+	########################################
+	# useradd_t
+
+	# fix bug #499036
+	allow useradd_t self:netlink_selinux_socket { create bind };
+')

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Sven Vermeulen]

commit:     2e962da6bacefd990d93cfbef5a5cd0f40b385f3
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Fri Dec  6 13:16:10 2013 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Dec  6 17:31:14 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=2e962da6

Whitespace fix in usermanage.

---
 policy/modules/admin/usermanage.fc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/admin/usermanage.fc b/policy/modules/admin/usermanage.fc
index 4b7737e..1184395 100644
--- a/policy/modules/admin/usermanage.fc
+++ b/policy/modules/admin/usermanage.fc
@@ -3,7 +3,7 @@ ifdef(`distro_gentoo',`
 ')
 
 ifdef(`distro_debian',`
-/etc/cron\.daily/cracklib-runtime	--	gen_context(system_u:object_r:crack_exec_t,s0)
+/etc/cron\.daily/cracklib-runtime -- gen_context(system_u:object_r:crack_exec_t,s0)
 ')
 
 /usr/bin/chage		--	gen_context(system_u:object_r:passwd_exec_t,s0)

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Sven Vermeulen]

commit:     ba216ef241d5520f914fbe8a0ba06a966eea5709
Author:     Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Sat Nov  9 09:44:54 2013 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Dec  6 17:31:12 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=ba216ef2

usermanage: Run /etc/cron\.daily/cracklib-runtime in the crack_t domain in Debian

Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>

---
 policy/modules/admin/usermanage.fc | 4 ++++
 policy/modules/admin/usermanage.te | 3 +++
 2 files changed, 7 insertions(+)

diff --git a/policy/modules/admin/usermanage.fc b/policy/modules/admin/usermanage.fc
index f82f0ce..4b7737e 100644
--- a/policy/modules/admin/usermanage.fc
+++ b/policy/modules/admin/usermanage.fc
@@ -2,6 +2,10 @@ ifdef(`distro_gentoo',`
 /bin/passwd		--	gen_context(system_u:object_r:passwd_exec_t,s0)
 ')
 
+ifdef(`distro_debian',`
+/etc/cron\.daily/cracklib-runtime	--	gen_context(system_u:object_r:crack_exec_t,s0)
+')
+
 /usr/bin/chage		--	gen_context(system_u:object_r:passwd_exec_t,s0)
 /usr/bin/chfn		--	gen_context(system_u:object_r:chfn_exec_t,s0)
 /usr/bin/chsh		--	gen_context(system_u:object_r:chfn_exec_t,s0)

diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index 1d732f1..471d4a7 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -171,10 +171,13 @@ logging_send_syslog_msg(crack_t)
 userdom_dontaudit_search_user_home_dirs(crack_t)
 
 ifdef(`distro_debian',`
+	allow crack_t self:process getsched;
 	# the package cracklib-runtime on Debian contains a daily maintenance
 	# script /etc/cron.daily/cracklib-runtime, that calls
 	# update-cracklib and that calls crack_mkdict, which is a shell script.
 	corecmd_exec_shell(crack_t)
+	dev_search_sysfs(crack_t)
+	miscfiles_read_localization(crack_t)
 ')
 
 optional_policy(`

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Sven Vermeulen]

commit:     48dc4ab330d1d22ff816d728919604a284cbcee9
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Sep 25 18:27:34 2013 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Sep 27 13:23:27 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=48dc4ab3

Allow ping to get/set capabilities

When ping is installed with capabilities instead of being marked setuid,
then the ping_t domain needs to be allowed to getcap/setcap.

Reported-by: Luis Ressel <aranea <AT> aixah.de>
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>

---
 policy/modules/admin/netutils.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index 59933cd..f443186 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -106,6 +106,8 @@ optional_policy(`
 #
 
 allow ping_t self:capability { setuid net_raw };
+# When ping is installed with capabilities instead of setuid
+allow ping_t self:process { getcap setcap };
 dontaudit ping_t self:capability sys_tty_config;
 allow ping_t self:tcp_socket create_socket_perms;
 allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Sven Vermeulen]

commit:     68419bdca63b68e38a0c3d936915d60216f9e893
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Thu Sep 26 14:47:24 2013 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Sep 27 13:23:30 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=68419bdc

Module version bump for ping capabilities from Sven Vermeulen.

---
 policy/modules/admin/netutils.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index f443186..457c17b 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -1,4 +1,4 @@
-policy_module(netutils, 1.12.0)
+policy_module(netutils, 1.12.1)
 
 ########################################
 #

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Sven Vermeulen]

commit:     2a98a932abe18912b22cf3977f79a8ff7d6fc0b3
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Sep 24 13:41:01 2013 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Sep 24 13:41:01 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=2a98a932

Merged upstream

---
 policy/modules/admin/bootloader.fc | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc
index 4fe1641..2626ebf 100644
--- a/policy/modules/admin/bootloader.fc
+++ b/policy/modules/admin/bootloader.fc
@@ -7,8 +7,5 @@
 /sbin/ybin.*		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
 
 /usr/sbin/grub		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
-
-ifdef(`distro_gentoo',`
 /usr/sbin/grub2-bios-setup	--	gen_context(system_u:object_r:bootloader_exec_t,s0)
-/usr/sbin/grub2-probe		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
-')
+/usr/sbin/grub2-probe	--	gen_context(system_u:object_r:bootloader_exec_t,s0)

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Sven Vermeulen]

commit:     3b7bfcfd65b3892a0a8f5b07e5d4273c671f5ad6
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Sep 18 14:07:25 2013 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Sep 18 14:07:25 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=3b7bfcfd

Fix bug #485304 - Allow capabilities for ping

When the ping binary is not setuid, but uses capabilities, then the ping_t
domain needs to be able to get and set capabilities.

---
 policy/modules/admin/netutils.te | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index 557da97..59933cd 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -212,3 +212,13 @@ userdom_use_user_terminals(traceroute_t)
 dev_read_rand(traceroute_t)
 dev_read_urand(traceroute_t)
 files_read_usr_files(traceroute_t)
+
+ifdef(`distro_gentoo',`
+	#########################################
+	#
+	# ping_t policy
+	#
+
+	# When not using setuid ping but capabilities
+	allow ping_t self:process { getcap setcap };
+')

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Sven Vermeulen]

commit:     527e263bcc63ffcfd21caaf9851c90c62ccb40ea
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Aug 17 18:09:15 2013 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sat Aug 17 18:09:15 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=527e263b

Get grub2-install to work properly

The grub2-install application runs a few grub2-* commands in the background. Two
of those, grub2-bios-setup and grub2-probe, need access to the (fixed) disks, a
permission not granted to users by default (unless running in unconfined of
course).

Mark those two applications as bootloader_exec_t (as was the case with the
"grub" legacy command in the past) so these get their appropriate permissions
again.

---
 policy/modules/admin/bootloader.fc | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc
index 7a6f06f..4fe1641 100644
--- a/policy/modules/admin/bootloader.fc
+++ b/policy/modules/admin/bootloader.fc
@@ -7,3 +7,8 @@
 /sbin/ybin.*		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
 
 /usr/sbin/grub		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
+
+ifdef(`distro_gentoo',`
+/usr/sbin/grub2-bios-setup	--	gen_context(system_u:object_r:bootloader_exec_t,s0)
+/usr/sbin/grub2-probe		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
+')

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Sven Vermeulen]

commit:     88294dbc653fa12f86943bd5064b8a2f7dfc1a40
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Aug 15 12:12:26 2013 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Thu Aug 15 12:12:26 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=88294dbc

Moved into distro_gentoo blocks

---
 policy/modules/admin/su.if | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
index c9196e3..5437f9c 100644
--- a/policy/modules/admin/su.if
+++ b/policy/modules/admin/su.if
@@ -73,7 +73,6 @@ template(`su_restricted_domain_template', `
 
 	# for the rootok check
 	selinux_compute_access_vector($1_su_t)
-	selinux_get_fs_mount($1_su_t)
 
 	auth_domtrans_chk_passwd($1_su_t)
 	auth_dontaudit_read_shadow($1_su_t)
@@ -137,6 +136,10 @@ template(`su_restricted_domain_template', `
 		# used when the password has expired
 		usermanage_read_crack_db($1_su_t)
 	')
+
+	ifdef(`distro_gentoo',`
+		selinux_get_fs_mount($1_su_t)
+	')
 ')
 
 #######################################
@@ -206,7 +209,6 @@ template(`su_role_template',`
 
 	# needed for pam_rootok
 	selinux_compute_access_vector($1_su_t)
-	selinux_get_fs_mount($1_su_t)
 
 	auth_domtrans_chk_passwd($1_su_t)
 	auth_dontaudit_read_shadow($1_su_t)
@@ -315,6 +317,10 @@ template(`su_role_template',`
 		xserver_user_home_dir_filetrans_user_xauth($1_su_t)
 		xserver_domtrans_xauth($1_su_t)
 	')
+
+	ifdef(`distro_gentoo',`
+		selinux_get_fs_mount($1_su_t)
+	')
 ')
 
 #######################################

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Sven Vermeulen]

commit:     53ffaa16bcf8e6265d8248ae2b0ae92cefd9f3b3
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Aug 15 12:09:16 2013 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Thu Aug 15 12:09:16 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=53ffaa16

Merged with main

---
 policy/modules/admin/usermanage.te | 14 --------------
 1 file changed, 14 deletions(-)

diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index eeb0c7a..1d732f1 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -562,17 +562,3 @@ optional_policy(`
 	rpm_use_fds(useradd_t)
 	rpm_rw_pipes(useradd_t)
 ')
-
-ifdef(`distro_gentoo',`
-	################################
-	#
-	# Local policy for chfn
-	#
-
-	# Needed to use chsh
-	seutil_read_file_contexts(chfn_t)
-
-	optional_policy(`
-		nscd_run(chfn_t, chfn_roles)
-	')
-')

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Sven Vermeulen]

commit:     fa25d07e18131d11a1999d490b2a43b9f36205ba
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Aug 15 11:59:49 2013 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Thu Aug 15 11:59:49 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=fa25d07e

Allow su to get selinux mount info

(Most likely) The pam_selinux module, which is loaded by the "su" command, tries
to "getattr" on the security_t file system (selinux file system). If denied, the
su command fails to succeed:

~$ su -
su: Authentication service cannot retrieve authentication info

The denial:

type=AVC msg=audit(1376567915.011:8003): avc:  denied  { getattr } for
pid=10640 comm="su" name="/" dev="selinuxfs" ino=1
scontext=staff_u:staff_r:staff_su_t tcontext=system_u:object_r:security_t
tclass=filesystem

Allowing selinux_get_fs_mount() is enough for su to succeed again.

---
 policy/modules/admin/su.if | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
index a77eb49..c9196e3 100644
--- a/policy/modules/admin/su.if
+++ b/policy/modules/admin/su.if
@@ -73,7 +73,7 @@ template(`su_restricted_domain_template', `
 
 	# for the rootok check
 	selinux_compute_access_vector($1_su_t)
-	#selinux_get_fs_mount($1_su_t)
+	selinux_get_fs_mount($1_su_t)
 
 	auth_domtrans_chk_passwd($1_su_t)
 	auth_dontaudit_read_shadow($1_su_t)
@@ -206,7 +206,7 @@ template(`su_role_template',`
 
 	# needed for pam_rootok
 	selinux_compute_access_vector($1_su_t)
-	#selinux_get_fs_mount($1_su_t)
+	selinux_get_fs_mount($1_su_t)
 
 	auth_domtrans_chk_passwd($1_su_t)
 	auth_dontaudit_read_shadow($1_su_t)

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Sven Vermeulen]

commit:     10b250a557b65ba6ca1c0ac85381301086468a90
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Aug 15 11:43:32 2013 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Thu Aug 15 11:43:32 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=10b250a5

Comment out selinux_get_fs_mount to reproduce reason

---
 policy/modules/admin/su.if | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
index c9196e3..a77eb49 100644
--- a/policy/modules/admin/su.if
+++ b/policy/modules/admin/su.if
@@ -73,7 +73,7 @@ template(`su_restricted_domain_template', `
 
 	# for the rootok check
 	selinux_compute_access_vector($1_su_t)
-	selinux_get_fs_mount($1_su_t)
+	#selinux_get_fs_mount($1_su_t)
 
 	auth_domtrans_chk_passwd($1_su_t)
 	auth_dontaudit_read_shadow($1_su_t)
@@ -206,7 +206,7 @@ template(`su_role_template',`
 
 	# needed for pam_rootok
 	selinux_compute_access_vector($1_su_t)
-	selinux_get_fs_mount($1_su_t)
+	#selinux_get_fs_mount($1_su_t)
 
 	auth_domtrans_chk_passwd($1_su_t)
 	auth_dontaudit_read_shadow($1_su_t)

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Sven Vermeulen]

commit:     0782f8b96882dd12bcf12d27abd283bbc6489901
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Aug 15 11:42:30 2013 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Thu Aug 15 11:42:30 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=0782f8b9

Move to distro_gentoo block

---
 policy/modules/admin/dmesg.te | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te
index 12f7627..9124163 100644
--- a/policy/modules/admin/dmesg.te
+++ b/policy/modules/admin/dmesg.te
@@ -27,7 +27,6 @@ kernel_list_proc(dmesg_t)
 kernel_read_proc_symlinks(dmesg_t)
 
 dev_read_sysfs(dmesg_t)
-dev_dontaudit_rw_generic_chr_files(dmesg_t) # early access when /dev/console isn't relabeled by udev yet
 
 fs_search_auto_mountpoints(dmesg_t)
 
@@ -57,3 +56,11 @@ optional_policy(`
 optional_policy(`
 	udev_read_db(dmesg_t)
 ')
+
+ifdef(`distro_gentoo',`
+	#########################
+	#
+	# dmesg_t policy
+	#
+	dev_dontaudit_rw_generic_chr_files(dmesg_t) # early access when /dev/console is not relabeled by udev yet
+')

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Sven Vermeulen]

commit:     529cfd80d846dba566f93e462127110bf2121d91
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Aug 15 11:41:47 2013 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Thu Aug 15 11:41:47 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=529cfd80

Merged with main

---
 policy/modules/admin/netutils.te | 8 --------
 1 file changed, 8 deletions(-)

diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index 6fb14ea..557da97 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -88,14 +88,6 @@ term_dontaudit_use_console(netutils_t)
 userdom_use_user_terminals(netutils_t)
 userdom_use_all_users_fds(netutils_t)
 
-ifdef(`distro_gentoo',`
-	allow netutils_t self:capability { dac_read_search sys_chroot };
-	dontaudit netutils_t self:capability dac_override;
-	allow netutils_t self:netlink_socket create_socket_perms;
-
-	kernel_read_network_state(netutils_t)
-')
-
 optional_policy(`
 	nis_use_ypbind(netutils_t)
 ')

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Sven Vermeulen]

commit:     0bc7a2f8c02c914b538483cf72ce0db2dfb6f68c
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Aug 15 11:38:12 2013 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Thu Aug 15 11:38:12 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=0bc7a2f8

Revert back to apache_manage_all_user_content

Previously, apache_manage_all_user_content was deprecated and potentially moved
to apache_manage_all_content. However, this was a wrong step - the interface was
put back and its content was updated to do what it was supposed to do.

Hence we revert the change to apache_manage_all_content back to
apache_manage_all_user_content.

---
 policy/modules/admin/usermanage.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index 2bd4f3d..eeb0c7a 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -536,7 +536,7 @@ ifdef(`distro_redhat',`
 ')
 
 optional_policy(`
-	apache_manage_all_content(useradd_t)
+	apache_manage_all_user_content(useradd_t)
 ')
 
 optional_policy(`

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Sven Vermeulen]

commit:     405941d734168531d185f9ecd2031ea38957d18b
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Apr  4 16:55:42 2013 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Thu Apr 11 07:17:37 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=405941d7

chfn_t reads in file context information and executes nscd

The chsh application (which runs in the chfn_t domain) requires read access on
the file context definitions. If not, the following error occurs:

Changing the login shell for root
Enter the new value, or press ENTER for the default
	Login Shell [/bin/zsh]: /bin/bash
chsh: failure while writing changes to /etc/passwd

The following AVC denials are shown:

Jan 23 20:23:43 lain kernel: [20378.806719] type=1400 audit(1358969023.507:585):
avc:  denied  { search } for  pid=18281 comm="chsh" name="selinux" dev="dm-0"
ino=23724520 scontext=staff_u:sysadm_r:chfn_t
tcontext=system_u:object_r:selinux_config_t tclass=dir

In permissive mode, this goes up to:

Jan 23 20:22:15 lain kernel: [20290.691128] type=1400 audit(1358968935.217:566):
avc:  denied  { open } for  pid=18195 comm="chsh"
path="/etc/selinux/strict/contexts/files/file_contexts" dev="dm-0" ino=23726403
scontext=staff_u:sysadm_r:chfn_t tcontext=staff_u:object_r:file_context_t
tclass=file

Hence, adding in seutil_read_file_contexts().

A second error is that chsh, if available, wants to execute nscd:

Changing the login shell for root
Enter the new value, or press ENTER for the default
        Login Shell [/bin/sh]: /bin/bash
chsh: cannot execute /usr/sbin/nscd: Permission denied
chsh: nscd exited with status 126
chsh: Failed to flush the nscd cache.
chsh: cannot execute /usr/sbin/nscd: Permission denied
chsh: nscd exited with status 126
chsh: Failed to flush the nscd cache.
chsh: cannot execute /usr/sbin/nscd: Permission denied
chsh: nscd exited with status 126
chsh: Failed to flush the nscd cache.

Similar to most other user admin utilities, we grant it the rights to run nscd.

Changes since v1
- Removed seutil_dontaudit_search_config() call

Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>

---
 policy/modules/admin/usermanage.te |    7 +++++--
 1 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index 5267993..2b275e0 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -125,14 +125,17 @@ miscfiles_read_localization(chfn_t)
 
 logging_send_syslog_msg(chfn_t)
 
-# uses unix_chkpwd for checking passwords
-seutil_dontaudit_search_config(chfn_t)
+seutil_read_file_contexts(chfn_t)
 
 userdom_use_unpriv_users_fds(chfn_t)
 # user generally runs this from their home directory, so do not audit a search
 # on user home dir
 userdom_dontaudit_search_user_home_content(chfn_t)
 
+optional_policy(`
+	nscd_run(chfn_t, chfn_roles)
+')
+
 ########################################
 #
 # Crack local policy

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Sven Vermeulen]

commit:     c0a81082bbb76c3f66c149e75d763324b23a8ead
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Thu Apr  4 19:22:08 2013 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Thu Apr 11 07:17:40 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=c0a81082

Module version bump for chfn fixes from Sven Vermeulen.

---
 policy/modules/admin/usermanage.te |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index 2b275e0..626a6d6 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -1,4 +1,4 @@
-policy_module(usermanage, 1.18.1)
+policy_module(usermanage, 1.18.2)
 
 ########################################
 #

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Sven Vermeulen]

commit:     26955d60145d6e29110c6c06ac6a0d56fb5334b4
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Mar 20 09:03:38 2013 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Mar 20 09:03:38 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=26955d60

Use nscd_run instead of execute (similar to other user admin utils)

---
 policy/modules/admin/usermanage.te |    5 ++++-
 1 files changed, 4 insertions(+), 1 deletions(-)

diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index ee075d8..5267993 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -568,5 +568,8 @@ ifdef(`distro_gentoo',`
 
 	# Needed to use chsh
 	seutil_read_file_contexts(chfn_t)
-	nscd_exec(chfn_t)
+
+	optional_policy(`
+		nscd_run(chfn_t, chfn_roles)
+	')
 ')

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Sven Vermeulen]

commit:     4d46bc79a2a30fe2d4a18edd4deedf9b4e50db98
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Jan 27 13:11:47 2013 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sun Jan 27 13:11:47 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=4d46bc79

Fix bug #453724 - chsh fails

Running chsh fails (error on writing to /etc/passwd).

Analysis of the denials (cfr bug report) tell us that we need to provide chfn_t
(the domain in which chsh runs) read rights on the file context definitions, and
furthermore also execute rights on nscd_t to flush the cache.

---
 policy/modules/admin/usermanage.te |   11 +++++++++++
 1 files changed, 11 insertions(+), 0 deletions(-)

diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index 1fa974a..ee075d8 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -559,3 +559,14 @@ optional_policy(`
 	rpm_use_fds(useradd_t)
 	rpm_rw_pipes(useradd_t)
 ')
+
+ifdef(`distro_gentoo',`
+	################################
+	#
+	# Local policy for chfn
+	#
+
+	# Needed to use chsh
+	seutil_read_file_contexts(chfn_t)
+	nscd_exec(chfn_t)
+')

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Sven Vermeulen]

commit:     80a0782dc605b835f9919edb9c99dbe1e80d9950
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Mon Dec 17 09:42:50 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Thu Jan  3 16:24:07 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=80a0782d

Introduce exec-check interfaces for passwd binaries and useradd binaries

Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>

---
 policy/modules/admin/usermanage.if |   36 ++++++++++++++++++++++++++++++++++++
 1 files changed, 36 insertions(+), 0 deletions(-)

diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if
index ace07f5..38aad90 100644
--- a/policy/modules/admin/usermanage.if
+++ b/policy/modules/admin/usermanage.if
@@ -140,6 +140,24 @@ interface(`usermanage_kill_passwd',`
 
 ########################################
 ## <summary>
+##	Check if the passwd binary is executable.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`usermanage_check_exec_passwd',`
+	gen_require(`
+		type passwd_exec_t;
+	')
+
+	allow $1 passwd_exec_t:file { execute getattr_file_perms };
+')
+
+########################################
+## <summary>
 ##	Execute passwd in the passwd domain, and
 ##	allow the specified role the passwd domain.
 ## </summary>
@@ -253,6 +271,24 @@ interface(`usermanage_domtrans_useradd',`
 
 ########################################
 ## <summary>
+##	Check if the useradd binaries are executable.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`usermanage_check_exec_useradd',`
+	gen_require(`
+		type useradd_exec_t;
+	')
+
+	allow $1 useradd_exec_t:file { execute getattr_file_perms };
+')
+
+########################################
+## <summary>
 ##	Execute useradd in the useradd domain, and
 ##	allow the specified role the useradd domain.
 ## </summary>

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Sven Vermeulen]

commit:     75507bcafcc864292275b05cd8f0d3ffcdc8cee9
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Mon Dec 17 09:26:33 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Dec 17 09:26:33 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=75507bca

Introduce checks on executable binaries of passwd and useradd families

---
 policy/modules/admin/usermanage.if |   38 ++++++++++++++++++++++++++++++++++++
 1 files changed, 38 insertions(+), 0 deletions(-)

diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if
index 98b8b2d..ace07f5 100644
--- a/policy/modules/admin/usermanage.if
+++ b/policy/modules/admin/usermanage.if
@@ -295,3 +295,41 @@ interface(`usermanage_read_crack_db',`
 	files_search_var($1)
 	read_files_pattern($1, crack_db_t, crack_db_t)
 ')
+
+# Gentoo specific interfaces but cannot use ifdef distro_gentoo here
+
+########################################
+## <summary>
+##	Check execute rights on passwd binaries
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`usermanage_check_exec_passwd',`
+	gen_require(`
+		type passwd_exec_t;
+	')
+
+	allow $1 passwd_exec_t:file { execute getattr_file_perms };
+')
+
+########################################
+## <summary>
+##	Check execute rights on useradd binaries
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`usermanage_check_exec_useradd',`
+	gen_require(`
+		type useradd_exec_t;
+	')
+
+	allow $1 useradd_exec_t:file { execute getattr_file_perms };
+')

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Sven Vermeulen]

commit:     ab14e7b92253c495f6bff3cff7148711ac67460a
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Dec  4 20:26:32 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Tue Dec  4 20:41:46 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=ab14e7b9

Update towards apache_manage_all_content

The apache_manage_all_user_content interface has been deprecated and is now
pointing towards apache_manage_all_content.

---
 policy/modules/admin/usermanage.te |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index 673180c..9721f3b 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -533,7 +533,7 @@ ifdef(`distro_redhat',`
 ')
 
 optional_policy(`
-	apache_manage_all_user_content(useradd_t)
+	apache_manage_all_content(useradd_t)
 ')
 
 optional_policy(`

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Sven Vermeulen]

commit:     ff69b7bdfeb4f532cc5867b4637b0462fa97258d
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Nov 18 07:41:07 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Tue Nov 27 19:01:15 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=ff69b7bd

tcpdump chroots into /var/lib/tcpdump

When invoking tcpdump, the application creates a netlink_socket and then chroots
into /var/lib/tcpdump.

Without the right to create a netlink_socket:
tcpdump: Can't open netlink socket 13:Permission denied

Without the right on dac_read_search and sys_chroot:
tcpdump: Couldn't chroot/chdir to '/var/lib/tcpdump': Permission denied

See also https://bugs.gentoo.org/show_bug.cgi?id=443624

Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>

---
 policy/modules/admin/netutils.te |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index 8be4775..3526689 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -33,10 +33,11 @@ init_system_domain(traceroute_t, traceroute_exec_t)
 #
 
 # Perform network administration operations and have raw access to the network.
-allow netutils_t self:capability { net_admin net_raw setuid setgid };
-dontaudit netutils_t self:capability sys_tty_config;
+allow netutils_t self:capability { dac_read_search net_admin net_raw setuid setgid sys_chroot };
+dontaudit netutils_t self:capability { dac_override sys_tty_config };
 allow netutils_t self:process { setcap signal_perms };
 allow netutils_t self:netlink_route_socket create_netlink_socket_perms;
+allow netutils_t self:netlink_socket create_socket_perms;
 allow netutils_t self:packet_socket create_socket_perms;
 allow netutils_t self:udp_socket create_socket_perms;
 allow netutils_t self:tcp_socket create_stream_socket_perms;
@@ -47,6 +48,7 @@ manage_files_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t)
 files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir })
 
 kernel_search_proc(netutils_t)
+kernel_read_network_state(netutils_t)
 kernel_read_all_sysctls(netutils_t)
 
 corenet_all_recvfrom_unlabeled(netutils_t)

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Sven Vermeulen]

commit:     ce3d2d9a0bbe850406a20176d917f1e183e23527
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Nov 17 20:15:35 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sat Nov 17 20:15:35 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=ce3d2d9a

tcpdump chroots into /var/lib/tcpdump

When invoking tcpdump, the application creates a netlink_socket and then chroots
into /var/lib/tcpdump.

Without the right to create a netlink_socket:
tcpdump: Can't open netlink socket 13:Permission denied

Without the right on dac_read_search and sys_chroot:
tcpdump: Couldn't chroot/chdir to '/var/lib/tcpdump': Permission denied

See also https://bugs.gentoo.org/show_bug.cgi?id=443624

---
 policy/modules/admin/netutils.te |    8 ++++++++
 1 files changed, 8 insertions(+), 0 deletions(-)

diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index b6c221d..8be4775 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -86,6 +86,14 @@ term_dontaudit_use_console(netutils_t)
 userdom_use_user_terminals(netutils_t)
 userdom_use_all_users_fds(netutils_t)
 
+ifdef(`distro_gentoo',`
+	allow netutils_t self:capability { dac_read_search sys_chroot };
+	dontaudit netutils_t self:capability dac_override;
+	allow netutils_t self:netlink_socket create_socket_perms;
+
+	kernel_read_network_state(netutils_t)
+')
+
 optional_policy(`
 	nis_use_ypbind(netutils_t)
 ')

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Sven Vermeulen]

commit:     282cb7cd1fd6546303dd0d0dea9e415f86f94008
Author:     Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Wed Oct 24 12:45:57 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Tue Oct 30 20:17:51 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=282cb7cd

Arping needs setcap to cap_set_proc

rhbz#869615

Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>

---
 policy/modules/admin/netutils.te |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index e0791b9..7bd6d5c 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -35,7 +35,7 @@ init_system_domain(traceroute_t, traceroute_exec_t)
 # Perform network administration operations and have raw access to the network.
 allow netutils_t self:capability { net_admin net_raw setuid setgid };
 dontaudit netutils_t self:capability sys_tty_config;
-allow netutils_t self:process signal_perms;
+allow netutils_t self:process { setcap signal_perms };
 allow netutils_t self:netlink_route_socket create_netlink_socket_perms;
 allow netutils_t self:packet_socket create_socket_perms;
 allow netutils_t self:udp_socket create_socket_perms;

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Sven Vermeulen]

commit:     4abdae51796d8ad505da9c0546bfe83d4d1876b4
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Tue Oct 30 18:28:53 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Tue Oct 30 20:17:53 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=4abdae51

Module version bump for arping setcap from Dominick Grift.

---
 policy/modules/admin/netutils.te |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index 7bd6d5c..b6c221d 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -1,4 +1,4 @@
-policy_module(netutils, 1.11.0)
+policy_module(netutils, 1.11.1)
 
 ########################################
 #

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Sven Vermeulen]

commit:     27a9c01ce8fe128577daeefec8ced8025b3e76ee
Author:     Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Tue Oct  9 07:44:35 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Oct 10 19:49:28 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=27a9c01c

Changes to the bootloader policy module

Add bootloader_exec() for kdumpgui

Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>

---
 policy/modules/admin/bootloader.if |   19 +++++++++++++++++++
 1 files changed, 19 insertions(+), 0 deletions(-)

diff --git a/policy/modules/admin/bootloader.if b/policy/modules/admin/bootloader.if
index a778bb1..cc8df9d 100644
--- a/policy/modules/admin/bootloader.if
+++ b/policy/modules/admin/bootloader.if
@@ -47,6 +47,25 @@ interface(`bootloader_run',`
 
 ########################################
 ## <summary>
+##	Execute bootloader in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`bootloader_exec',`
+	gen_require(`
+		type bootloader_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, bootloader_exec_t)
+')
+
+########################################
+## <summary>
 ##	Read the bootloader configuration file.
 ## </summary>
 ## <param name="domain">

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Sven Vermeulen]

commit:     5974ae4f57cf1ac6919f8b3393a98103051156bb
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Mon May 28 08:41:31 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon May 28 08:41:31 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=5974ae4f

Do not audit dmesg attempts to read/write /dev/console when not labeled properly yet

---
 policy/modules/admin/dmesg.te |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te
index 72bc6d8..12f7627 100644
--- a/policy/modules/admin/dmesg.te
+++ b/policy/modules/admin/dmesg.te
@@ -27,6 +27,7 @@ kernel_list_proc(dmesg_t)
 kernel_read_proc_symlinks(dmesg_t)
 
 dev_read_sysfs(dmesg_t)
+dev_dontaudit_rw_generic_chr_files(dmesg_t) # early access when /dev/console isn't relabeled by udev yet
 
 fs_search_auto_mountpoints(dmesg_t)
 

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

[Sven Vermeulen]

commit:     cae882486fe3e6e942c63c1d3781634076020e1a
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Apr 22 12:39:51 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sun Apr 22 12:39:51 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=cae88248

Allow shadow utils to read selinux context information

Recent shadow utilities, like groupadd and passwd, are now linked with libselinux and require additional privileges for
accessing the context information provided by SELinux.

This fixes bugs #413065 and #413061

---
 policy/modules/admin/usermanage.te |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index 7cac66f..07a99a6 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -241,6 +241,7 @@ auth_relabel_shadow(groupadd_t)
 auth_etc_filetrans_shadow(groupadd_t)
 
 seutil_read_config(groupadd_t)
+seutil_read_file_contexts(groupadd_t)
 
 userdom_use_unpriv_users_fds(groupadd_t)
 # for when /root is the cwd
@@ -336,7 +337,8 @@ logging_send_syslog_msg(passwd_t)
 
 miscfiles_read_localization(passwd_t)
 
-seutil_dontaudit_search_config(passwd_t)
+seutil_read_config(groupadd_t)
+seutil_read_file_contexts(groupadd_t)
 
 userdom_use_user_terminals(passwd_t)
 userdom_use_unpriv_users_fds(passwd_t)