* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/, policy/modules/services/
@ 2017-03-30 17:06 Jason Zaman
From: Jason Zaman @ 2017-03-30 17:06 UTC (permalink / raw
To: gentoo-commits
commit: 13afa3ec8591b0522048fab442bb7f66bbeb5787
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Tue Mar 28 22:51:35 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Mar 30 11:46:48 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=13afa3ec
systemd-resolvd, sessions, and tmpfiles take2
I believe that I have addressed all the issues Chris raised, so here's a newer
version of the patch which applies to today's git version.
Description: systemd-resolved, sessions, and tmpfiles patches
Author: Russell Coker <russell <AT> coker.com.au>
Last-Update: 2017-03-26
policy/modules/kernel/files.if | 92 ++++++++++++++++++++++++++++
policy/modules/kernel/files.te | 2 +-
policy/modules/services/xserver.if | 56 ++++++++++++++++-
policy/modules/services/xserver.te | 2 +-
policy/modules/system/init.if | 36 +++++++++++
policy/modules/system/init.te | 2 +-
policy/modules/system/logging.if | 116 ++++++++++++++++++++++++++++++++++++
policy/modules/system/logging.te | 2 +-
policy/modules/system/miscfiles.if | 19 ++++++
policy/modules/system/miscfiles.te | 2 +-
policy/modules/system/systemd.te | 84 +++++++++++++++++++++++++-
policy/modules/system/userdomain.if | 18 ++++++
policy/modules/system/userdomain.te | 2 +-
13 files changed, 423 insertions(+), 10 deletions(-)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 0d6fe3c5..9d7a929a 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -2835,6 +2835,24 @@ interface(`files_manage_etc_dirs',`
########################################
## <summary>
+## Relabel directories to etc_t.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_relabelto_etc_dirs',`
+ gen_require(`
+ type etc_t;
+ ')
+
+ allow $1 etc_t:dir relabelto;
+')
+
+########################################
+## <summary>
## Read generic files in /etc.
## </summary>
## <desc>
@@ -3813,6 +3831,24 @@ interface(`files_relabelto_home',`
########################################
## <summary>
+## Relabel from user home root (/home).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_relabelfrom_home',`
+ gen_require(`
+ type home_root_t;
+ ')
+
+ allow $1 home_root_t:dir relabelfrom;
+')
+
+########################################
+## <summary>
## Create objects in /home.
## </summary>
## <param name="domain">
@@ -5500,6 +5536,24 @@ interface(`files_manage_var_dirs',`
########################################
## <summary>
+## relabelto/from var directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_relabel_var_dirs',`
+ gen_require(`
+ type var_t;
+ ')
+
+ allow $1 var_t:dir { relabelfrom relabelto };
+')
+
+########################################
+## <summary>
## Read files in the /var directory.
## </summary>
## <param name="domain">
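Review bot: The summary on `files_relabel_var_dirs` reads `relabelto/from var directories`, which does not follow the sentence-style summaries the neighbouring interfaces use (`Relabel directories to etc_t.`, `Read files in the /var directory.`); suggest `## Relabel to and from generic /var directories.` The same applies to the next hunk, where `files_manage_var_lib_dirs` has `manage var_lib_t dirs` and `files_relabel_var_lib_dirs` has `relabel var_lib_t dirs`, e.g. `## Create, read, write, and delete generic /var/lib directories.` and `## Relabel to and from generic /var/lib directories.` These summaries are what the interface documentation renders, so naming the raw type there leaks an implementation detail and hides the actual scope from policy authors.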
@@ -5767,6 +5821,44 @@ interface(`files_rw_var_lib_dirs',`
########################################
## <summary>
+## manage var_lib_t dirs
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_manage_var_lib_dirs',`
+ gen_require(`
+ type var_t, var_lib_t;
+ ')
+
+ allow $1 var_t:dir search_dir_perms;
+ allow $1 var_lib_t:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
+## relabel var_lib_t dirs
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_relabel_var_lib_dirs',`
+ gen_require(`
+ type var_t, var_lib_t;
+ ')
+
+ allow $1 var_t:dir search_dir_perms;
+ allow $1 var_lib_t:dir { relabelfrom relabelto };
+')
+
+########################################
+## <summary>
## Create objects in the /var/lib directory
## </summary>
## <param name="domain">
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index 9f911efd..10001b15 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -1,4 +1,4 @@
-policy_module(files, 1.23.7)
+policy_module(files, 1.23.8)
########################################
#
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index 060adbfa..eae74b67 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -700,6 +700,42 @@ interface(`xserver_rw_console',`
########################################
## <summary>
+## Create the X windows console named pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_create_console_pipes',`
+ gen_require(`
+ type xconsole_device_t;
+ ')
+
+ allow $1 xconsole_device_t:fifo_file create;
+')
+
+########################################
+## <summary>
+## relabel the X windows console named pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_relabel_console_pipes',`
+ gen_require(`
+ type xconsole_device_t;
+ ')
+
+ allow $1 xconsole_device_t:fifo_file { getattr relabelfrom relabelto };
+')
+
+########################################
+## <summary>
## Use file descriptors for xdm.
## </summary>
## <param name="domain">
@@ -788,7 +824,7 @@ interface(`xserver_dbus_chat_xdm',`
gen_require(`
type xdm_t;
class dbus send_msg;
- ')
+ ')
allow $1 xdm_t:dbus send_msg;
allow xdm_t $1:dbus send_msg;
@@ -1164,6 +1200,24 @@ interface(`xserver_read_xkb_libs',`
########################################
## <summary>
+## Create xdm temporary directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to allow access.
+## </summary>
+## </param>
+#
+interface(`xserver_create_xdm_tmp_dirs',`
+ gen_require(`
+ type xdm_tmp_t;
+ ')
+
+ allow $1 xdm_tmp_t:dir create;
+')
+
+########################################
+## <summary>
## Read xdm temporary files.
## </summary>
## <param name="domain">
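Review bot: The parameter summary on `xserver_create_xdm_tmp_dirs` reads `Domain to allow access.` while every other interface in this commit uses `Domain allowed access.`; suggest aligning it. The interface also grants only `create` on `xdm_tmp_t:dir` with no search access on the enclosing /tmp, so a caller that does not already have it will presumably still be denied at path lookup; adding `files_search_tmp($1)` before the allow rule, or stating in the `<desc>` that callers must obtain tmp search access elsewhere, would make the contract explicit.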
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 9bfbafcb..5750e14e 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -1,4 +1,4 @@
-policy_module(xserver, 3.13.4)
+policy_module(xserver, 3.13.5)
gen_require(`
class x_drawable all_x_drawable_perms;
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 195c5fa3..9b07a6e7 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1086,6 +1086,24 @@ interface(`init_list_var_lib_dirs',`
########################################
## <summary>
+## Relabel dirs in /var/lib/systemd/.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_relabel_var_lib_dirs',`
+ gen_require(`
+ type init_var_lib_t;
+ ')
+
+ allow $1 init_var_lib_t:dir { relabelfrom relabelto };
+')
+
+########################################
+## <summary>
## Manage files in /var/lib/systemd/.
## </summary>
## <param name="domain">
@@ -2529,6 +2547,24 @@ interface(`init_manage_utmp',`
########################################
## <summary>
+## Relabel utmp.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_relabel_utmp',`
+ gen_require(`
+ type initrc_var_run_t;
+ ')
+
+ allow $1 initrc_var_run_t:file { relabelfrom relabelto };
+')
+
+########################################
+## <summary>
## Create files in /var/run with the
## utmp file type.
## </summary>
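Review bot: The summary `Relabel utmp.` on `init_relabel_utmp` understates what the rule grants: the type required is `initrc_var_run_t`, which is the generic init pid-file type rather than a utmp-specific one, so the caller receives `relabelfrom relabelto` on every file of that type. Suggest documenting the real scope, e.g. `## Relabel to and from the init runtime file type used for utmp (initrc_var_run_t).`, so that consumers such as `systemd_tmpfiles_t` are reviewed against the privilege actually granted rather than the one the name suggests.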
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 9a5ed6f8..dfde3f39 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 2.2.12)
+policy_module(init, 2.2.13)
gen_require(`
class passwd rootok;
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 66da3da3..b2053a0b 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -435,6 +435,82 @@ interface(`logging_domtrans_syslog',`
########################################
## <summary>
+## Set the attributes of syslog temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`logging_setattr_syslogd_tmp_files',`
+ gen_require(`
+ type syslogd_tmp_t;
+ ')
+
+ allow $1 syslogd_tmp_t:file setattr;
+')
+
+########################################
+## <summary>
+## Relabel to and from syslog temporary file type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`logging_relabel_syslogd_tmp_files',`
+ gen_require(`
+ type syslogd_tmp_t;
+ ')
+
+ allow $1 syslogd_tmp_t:file { relabelfrom relabelto };
+')
+
+########################################
+## <summary>
+## Set the attributes of syslog temporary directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`logging_setattr_syslogd_tmp_dirs',`
+ gen_require(`
+ type syslogd_tmp_t;
+ ')
+
+ allow $1 syslogd_tmp_t:dir setattr;
+')
+
+########################################
+## <summary>
+## Relabel to and from syslog temporary directory type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`logging_relabel_syslogd_tmp_dirs',`
+ gen_require(`
+ type syslogd_tmp_t;
+ ')
+
+ allow $1 syslogd_tmp_t:dir { relabelfrom relabelto };
+')
+
+########################################
+## <summary>
## Create an object in the log directory, with a private type.
## </summary>
## <desc>
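Review bot: All four new syslogd_tmp interfaces carry `<rolecap/>`, which advertises them as capabilities to be handed to user roles, yet their only consumer in this commit is `systemd_tmpfiles_t` and relabeling syslog's private temporary files is not a user-role operation. If the tag was carried over from the surrounding log-management interfaces, consider dropping it from `logging_relabel_syslogd_tmp_files` and `logging_relabel_syslogd_tmp_dirs` at least, so that role-capability listings do not suggest relabel access on syslog temp files is an expected user privilege.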
@@ -941,6 +1017,46 @@ interface(`logging_manage_all_logs',`
########################################
## <summary>
+## Create, read, write, and delete generic log directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`logging_manage_generic_log_dirs',`
+ gen_require(`
+ type var_log_t;
+ ')
+
+ files_search_var($1)
+ allow $1 var_log_t:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
+## Relabel from and to generic log directory type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`logging_relabel_generic_log_dirs',`
+ gen_require(`
+ type var_log_t;
+ ')
+
+ files_search_var($1)
+ allow $1 var_log_t:dir { relabelfrom relabelto };
+')
+
+########################################
+## <summary>
## Read generic log files.
## </summary>
## <param name="domain">
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 63e7092d..e5864342 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -1,4 +1,4 @@
-policy_module(logging, 1.25.8)
+policy_module(logging, 1.25.9)
########################################
#
diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
index 5b9a8103..204390d1 100644
--- a/policy/modules/system/miscfiles.if
+++ b/policy/modules/system/miscfiles.if
@@ -652,6 +652,25 @@ interface(`miscfiles_manage_man_cache',`
########################################
## <summary>
+## Relabel from and to man cache.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`miscfiles_relabel_man_cache',`
+ gen_require(`
+ type man_cache_t;
+ ')
+
+ relabel_dirs_pattern($1, man_cache_t, man_cache_t)
+ relabel_files_pattern($1, man_cache_t, man_cache_t)
+')
+
+########################################
+## <summary>
## Read public files used for file
## transfer services.
## </summary>
diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te
index ec4d8dc0..3b180a36 100644
--- a/policy/modules/system/miscfiles.te
+++ b/policy/modules/system/miscfiles.te
@@ -1,4 +1,4 @@
-policy_module(miscfiles, 1.12.1)
+policy_module(miscfiles, 1.12.2)
########################################
#
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index f5af4ce4..e1f4c3a7 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1,4 +1,4 @@
-policy_module(systemd, 1.3.13)
+policy_module(systemd, 1.3.14)
#########################################
#
@@ -613,9 +613,18 @@ optional_policy(`
# Sessions local policy
#
+allow systemd_sessions_t self:process setfscreate;
+
allow systemd_sessions_t systemd_sessions_var_run_t:file manage_file_perms;
files_pid_filetrans(systemd_sessions_t, systemd_sessions_var_run_t, file)
+selinux_get_enforce_mode(systemd_sessions_t)
+selinux_get_fs_mount(systemd_sessions_t)
+
+seutil_read_config(systemd_sessions_t)
+seutil_read_default_contexts(systemd_sessions_t)
+seutil_read_file_contexts(systemd_sessions_t)
+
systemd_log_parse_environment(systemd_sessions_t)
#########################################
@@ -623,9 +632,14 @@ systemd_log_parse_environment(systemd_sessions_t)
# Tmpfiles local policy
#
-allow systemd_tmpfiles_t self:capability { chown dac_override fowner fsetid mknod };
+allow systemd_tmpfiles_t self:capability { chown dac_override fowner fsetid mknod net_admin sys_admin };
allow systemd_tmpfiles_t self:process { setfscreate getcap };
+allow systemd_tmpfiles_t systemd_coredump_var_lib_t:dir { relabelfrom relabelto manage_dir_perms };
+allow systemd_tmpfiles_t systemd_coredump_var_lib_t:file manage_file_perms;
+
+allow systemd_tmpfiles_t systemd_sessions_var_run_t:file { relabelfrom relabelto manage_file_perms };
+
manage_dirs_pattern(systemd_tmpfiles_t, systemd_journal_t, systemd_journal_t)
manage_files_pattern(systemd_tmpfiles_t, systemd_journal_t, systemd_journal_t)
allow systemd_tmpfiles_t systemd_journal_t:dir { relabelfrom relabelto };
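Review bot: `net_admin` and `sys_admin` are added to the `systemd_tmpfiles_t` capability set with no comment, and `sys_admin` is broad enough that later reviewers will not be able to tell which tmpfiles.d operation needs it; the next hunk already annotates narrower grants (`# for /etc/mtab`, `# for /proc/1/environ`), so a matching why-comment above this rule, e.g. `# sys_admin/net_admin: for <tmpfiles.d entry that needs them>`, would let the capability be removed when that need goes away. Separately, `{ relabelfrom relabelto manage_dir_perms }` on `systemd_coredump_var_lib_t` mixes a permission-set macro with raw permissions in one rule; splitting it into a manage rule and a relabel rule would match the journal rules at the end of this hunk.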
@@ -635,25 +649,74 @@ allow systemd_tmpfiles_t systemd_tmpfiles_conf_t:dir list_dir_perms;
allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms;
kernel_read_kernel_sysctls(systemd_tmpfiles_t)
+kernel_read_network_state(systemd_tmpfiles_t)
+dev_manage_all_dev_nodes(systemd_tmpfiles_t)
+dev_read_urand(systemd_tmpfiles_t)
dev_relabel_all_sysfs(systemd_tmpfiles_t)
dev_read_urand(systemd_tmpfiles_t)
dev_manage_all_dev_nodes(systemd_tmpfiles_t)
+files_create_lock_dirs(systemd_tmpfiles_t)
+files_manage_all_pid_dirs(systemd_tmpfiles_t)
+files_delete_usr_files(systemd_tmpfiles_t)
+files_list_home(systemd_tmpfiles_t)
+files_manage_generic_tmp_dirs(systemd_tmpfiles_t)
+files_manage_var_dirs(systemd_tmpfiles_t)
+files_manage_var_lib_dirs(systemd_tmpfiles_t)
+files_purge_tmp(systemd_tmpfiles_t)
files_read_etc_files(systemd_tmpfiles_t)
files_relabel_all_lock_dirs(systemd_tmpfiles_t)
files_relabel_all_pid_dirs(systemd_tmpfiles_t)
files_relabel_all_tmp_dirs(systemd_tmpfiles_t)
+files_relabel_var_dirs(systemd_tmpfiles_t)
+files_relabel_var_lib_dirs(systemd_tmpfiles_t)
+files_relabelfrom_home(systemd_tmpfiles_t)
+files_relabelto_home(systemd_tmpfiles_t)
+files_relabelto_etc_dirs(systemd_tmpfiles_t)
+# for /etc/mtab
+files_manage_etc_symlinks(systemd_tmpfiles_t)
-auth_manage_var_auth(systemd_tmpfiles_t)
+fs_getattr_xattr_fs(systemd_tmpfiles_t)
+
+selinux_get_fs_mount(systemd_tmpfiles_t)
+selinux_search_fs(systemd_tmpfiles_t)
+
+auth_manage_faillog(systemd_tmpfiles_t)
auth_manage_login_records(systemd_tmpfiles_t)
+auth_manage_var_auth(systemd_tmpfiles_t)
auth_relabel_login_records(systemd_tmpfiles_t)
auth_setattr_login_records(systemd_tmpfiles_t)
+init_manage_utmp(systemd_tmpfiles_t)
+init_manage_var_lib_files(systemd_tmpfiles_t)
+# for /proc/1/environ
+init_read_state(systemd_tmpfiles_t)
+
+init_relabel_utmp(systemd_tmpfiles_t)
+init_relabel_var_lib_dirs(systemd_tmpfiles_t)
+
+logging_manage_generic_logs(systemd_tmpfiles_t)
+logging_manage_generic_log_dirs(systemd_tmpfiles_t)
+logging_relabel_generic_log_dirs(systemd_tmpfiles_t)
+logging_relabel_syslogd_tmp_files(systemd_tmpfiles_t)
+logging_relabel_syslogd_tmp_dirs(systemd_tmpfiles_t)
+logging_setattr_syslogd_tmp_files(systemd_tmpfiles_t)
+logging_setattr_syslogd_tmp_dirs(systemd_tmpfiles_t)
+
+miscfiles_manage_man_pages(systemd_tmpfiles_t)
+miscfiles_relabel_man_cache(systemd_tmpfiles_t)
+
+seutil_read_config(systemd_tmpfiles_t)
seutil_read_file_contexts(systemd_tmpfiles_t)
+sysnet_create_config(systemd_tmpfiles_t)
+
systemd_log_parse_environment(systemd_tmpfiles_t)
+userdom_manage_user_runtime_root_dirs(systemd_tmpfiles_t)
+userdom_relabel_user_runtime_root_dirs(systemd_tmpfiles_t)
+
tunable_policy(`systemd_tmpfiles_manage_all',`
# systemd-tmpfiles can be configured to manage anything.
# have a last-resort option for users to do this.
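Review bot: `dev_manage_all_dev_nodes(systemd_tmpfiles_t)` and `dev_read_urand(systemd_tmpfiles_t)` are added at the top of the dev_ block while the identical calls remain three lines below as context, so after the commit each appears twice; drop the two added lines or the two existing ones so the block is listed once, in order. The new unconditional `files_delete_usr_files`, `files_relabelfrom_home`/`files_relabelto_home` and `files_relabelto_etc_dirs` grants are broad and sit outside the `systemd_tmpfiles_manage_all` tunable that follows this hunk, which exists precisely as the last-resort switch for such access; a short comment naming the tmpfiles.d entries they serve, as is done for `/etc/mtab` and `/proc/1/environ` here, would make the widening auditable. The `auth_manage_var_auth` removal and re-addition is only a reordering and needs no change.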
@@ -662,3 +725,18 @@ tunable_policy(`systemd_tmpfiles_manage_all',`
files_relabel_non_security_dirs(systemd_tmpfiles_t)
files_relabel_non_security_files(systemd_tmpfiles_t)
')
+
+optional_policy(`
+ dbus_read_lib_files(systemd_tmpfiles_t)
+')
+
+optional_policy(`
+ xfs_create_tmp_dirs(systemd_tmpfiles_t)
+')
+
+optional_policy(`
+ xserver_create_console_pipes(systemd_tmpfiles_t)
+ xserver_create_xdm_tmp_dirs(systemd_tmpfiles_t)
+ xserver_relabel_console_pipes(systemd_tmpfiles_t)
+ xserver_setattr_console_pipes(systemd_tmpfiles_t)
+')
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 61065118..50100dd1 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -2946,6 +2946,24 @@ interface(`userdom_manage_user_runtime_root_dirs',`
########################################
## <summary>
+## Relabel to and from user runtime root dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_relabel_user_runtime_root_dirs',`
+ gen_require(`
+ type user_runtime_root_t;
+ ')
+
+ allow $1 user_runtime_root_t:dir { relabelfrom relabelto };
+')
+
+########################################
+## <summary>
## Create, read, write, and delete user
## runtime dirs.
## </summary>
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index cf58bd27..0cbf3cec 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -1,4 +1,4 @@
-policy_module(userdomain, 4.13.5)
+policy_module(userdomain, 4.13.6)
########################################
#
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/, policy/modules/services/
@ 2017-11-05 8:01 Jason Zaman
From: Jason Zaman @ 2017-11-05 8:01 UTC (permalink / raw
To: gentoo-commits
commit: 8cbd03f7b3ebb7b5a4d45f43816fa98e760a32a5
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Nov 2 17:30:46 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Nov 5 06:38:35 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8cbd03f7
Add key interfaces and perms
Mostly taken from the fedora rawhide policy
policy/modules/kernel/kernel.if | 36 ++++++++++++++++++
policy/modules/services/ssh.if | 1 +
policy/modules/services/ssh.te | 1 +
policy/modules/services/xserver.if | 18 +++++++++
policy/modules/services/xserver.te | 1 +
policy/modules/system/authlogin.te | 2 +
policy/modules/system/locallogin.te | 1 +
policy/modules/system/userdomain.if | 73 +++++++++++++++++++++++++++++++++++++
8 files changed, 133 insertions(+)
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index bda4c163..5afc4802 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -457,6 +457,42 @@ interface(`kernel_dontaudit_link_key',`
########################################
## <summary>
+## Allow view the kernel key ring.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_view_key',`
+ gen_require(`
+ type kernel_t;
+ ')
+
+ allow $1 kernel_t:key view;
+')
+
+########################################
+## <summary>
+## dontaudit view the kernel key ring.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`kernel_dontaudit_view_key',`
+ gen_require(`
+ type kernel_t;
+ ')
+
+ dontaudit $1 kernel_t:key view;
+')
+
+########################################
+## <summary>
## Allows caller to read the ring buffer.
## </summary>
## <param name="domain">
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index aa906680..4f20137a 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -338,6 +338,7 @@ template(`ssh_role_template',`
# for rsync
allow ssh_t $3:unix_stream_socket rw_socket_perms;
allow ssh_t $3:unix_stream_socket connectto;
+ allow ssh_t $3:key manage_key_perms;
# user can manage the keys and config
manage_files_pattern($3, ssh_home_t, ssh_home_t)
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 32f09f80..69745a31 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -103,6 +103,7 @@ allow ssh_t self:capability { dac_override dac_read_search setgid setuid };
allow ssh_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
allow ssh_t self:fd use;
allow ssh_t self:fifo_file rw_fifo_file_perms;
+allow ssh_t self:key manage_key_perms;
allow ssh_t self:unix_dgram_socket { create_socket_perms sendto };
allow ssh_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow ssh_t self:shm create_shm_perms;
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index 0718d016..f08db931 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -1537,3 +1537,21 @@ interface(`xserver_unconfined',`
typeattribute $1 x_domain;
typeattribute $1 xserver_unconfined_type;
')
+
+########################################
+## <summary>
+## Manage keys for xdm.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_rw_xdm_keys',`
+ gen_require(`
+ type xdm_t;
+ ')
+
+ allow $1 xdm_t:key { read write setattr };
+')
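Review bot: The summary of `xserver_rw_xdm_keys` says `Manage keys for xdm.` but the interface is named rw and grants only `{ read write setattr }` on `xdm_t:key`, not `manage_key_perms`; suggest `## Read, write, and set attributes of keys for xdm.` (or renaming the interface if full management is intended). The permission set also differs from `userdom_rw_all_users_keys` in the same commit, which grants `{ read view write }`, so a note on why xdm keys need `setattr` but not `view` would help keep the two rw interfaces in step.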
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 9c028714..16614b2a 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -396,6 +396,7 @@ kernel_read_system_state(xdm_t)
kernel_read_kernel_sysctls(xdm_t)
kernel_read_net_sysctls(xdm_t)
kernel_read_network_state(xdm_t)
+kernel_view_key(xdm_t)
corecmd_exec_shell(xdm_t)
corecmd_exec_bin(xdm_t)
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 5ee69fcf..95c47090 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -419,6 +419,8 @@ optional_policy(`
# nsswitch_domain local policy
#
+allow nsswitch_domain self:key manage_key_perms;
+
files_list_var_lib(nsswitch_domain)
# read /etc/nsswitch.conf
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
index a9b8f7e5..ee5f5948 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -209,6 +209,7 @@ optional_policy(`
optional_policy(`
xserver_read_xdm_tmp_files(local_login_t)
xserver_rw_xdm_tmp_files(local_login_t)
+ xserver_rw_xdm_keys(local_login_t)
')
#################################
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index cb183a90..178b5fb7 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -47,6 +47,7 @@ template(`userdom_base_user_template',`
allow $1_t self:process { signal_perms getsched setsched share getpgid setpgid setcap getsession getattr };
allow $1_t self:fd use;
+ allow $1_t self:key manage_key_perms;
allow $1_t self:fifo_file rw_fifo_file_perms;
allow $1_t self:unix_dgram_socket { create_socket_perms sendto };
allow $1_t self:unix_stream_socket { create_stream_socket_perms connectto };
@@ -4065,6 +4066,60 @@ interface(`userdom_sigchld_all_users',`
########################################
## <summary>
+## Read keys for all user domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_read_all_users_keys',`
+ gen_require(`
+ attribute userdomain;
+ ')
+
+ allow $1 userdomain:key read;
+')
+
+########################################
+## <summary>
+## Write keys for all user domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_write_all_users_keys',`
+ gen_require(`
+ attribute userdomain;
+ ')
+
+ allow $1 userdomain:key write;
+')
+
+########################################
+## <summary>
+## Read and write keys for all user domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_rw_all_users_keys',`
+ gen_require(`
+ attribute userdomain;
+ ')
+
+ allow $1 userdomain:key { read view write };
+')
+
+########################################
+## <summary>
## Create keys for all user domains.
## </summary>
## <param name="domain">
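Review bot: `userdom_rw_all_users_keys` grants `{ read view write }` while `userdom_read_all_users_keys` grants only `read`, so a domain given the read interface cannot describe the keys it is allowed to read; if `view` is needed to locate a key before reading it, the read interface is presumably incomplete and should be `allow $1 userdomain:key { read view };`, otherwise the rw summary should say why view is included. Its summary `Read and write keys for all user domains.` also omits `view`; `## Read, view, and write keys for all user domains.` would be exact.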
@@ -4083,6 +4138,24 @@ interface(`userdom_create_all_users_keys',`
########################################
## <summary>
+## Manage keys for all user domains.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_manage_all_users_keys',`
+ gen_require(`
+ attribute userdomain;
+ ')
+
+ allow $1 userdomain:key manage_key_perms;
+')
+
+########################################
+## <summary>
## Send a dbus message to all user domains.
## </summary>
## <param name="domain">
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/, policy/modules/services/
@ 2019-07-13 7:01 Jason Zaman
From: Jason Zaman @ 2019-07-13 7:01 UTC (permalink / raw
To: gentoo-commits
commit: 4050c64063918cc72b7db5d5e41fe26b202092d6
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Jun 9 17:37:51 2019 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Jul 13 06:43:14 2019 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4050c640
various: Module version bump.
Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <jason <AT> perfinion.com>
policy/modules/kernel/devices.te | 2 +-
policy/modules/kernel/storage.te | 2 +-
policy/modules/services/apache.te | 2 +-
policy/modules/system/init.te | 2 +-
policy/modules/system/systemd.te | 2 +-
5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 88a4246e..5f793c52 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -1,4 +1,4 @@
-policy_module(devices, 1.24.2)
+policy_module(devices, 1.24.3)
########################################
#
diff --git a/policy/modules/kernel/storage.te b/policy/modules/kernel/storage.te
index 8f91eb2d..0b5a4245 100644
--- a/policy/modules/kernel/storage.te
+++ b/policy/modules/kernel/storage.te
@@ -1,4 +1,4 @@
-policy_module(storage, 1.16.1)
+policy_module(storage, 1.16.2)
########################################
#
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
index e87a74ac..ff524cc1 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -1,4 +1,4 @@
-policy_module(apache, 2.16.1)
+policy_module(apache, 2.16.2)
########################################
#
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index aca76caa..97a6d2b7 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 2.6.6)
+policy_module(init, 2.6.7)
gen_require(`
class passwd rootok;
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index a08ee785..bc8ebaf0 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1,4 +1,4 @@
-policy_module(systemd, 1.7.7)
+policy_module(systemd, 1.7.8)
#########################################
#
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/, policy/modules/services/
@ 2020-10-13 3:02 Jason Zaman
From: Jason Zaman @ 2020-10-13 3:02 UTC (permalink / raw
To: gentoo-commits
commit: de272a83fd640df62020dd924780ccd76e7b67a4
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Tue Sep 22 12:27:05 2020 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Oct 11 21:14:40 2020 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=de272a83
corecommands, dbus, locallogin, logging, sysnetwork, systemd, udev: Module version bump.
Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/kernel/corecommands.te | 2 +-
policy/modules/services/dbus.te | 2 +-
policy/modules/system/locallogin.te | 2 +-
policy/modules/system/logging.te | 2 +-
policy/modules/system/sysnetwork.te | 2 +-
policy/modules/system/systemd.te | 2 +-
policy/modules/system/udev.te | 2 +-
7 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te
index b0a67367..a20d41fe 100644
--- a/policy/modules/kernel/corecommands.te
+++ b/policy/modules/kernel/corecommands.te
@@ -1,4 +1,4 @@
-policy_module(corecommands, 1.29.0)
+policy_module(corecommands, 1.29.1)
########################################
#
diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index 2637c898..f123c6d9 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -1,4 +1,4 @@
-policy_module(dbus, 1.29.1)
+policy_module(dbus, 1.29.2)
gen_require(`
class dbus all_dbus_perms;
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
index c0072289..6ab8c353 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -1,4 +1,4 @@
-policy_module(locallogin, 1.21.0)
+policy_module(locallogin, 1.21.1)
########################################
#
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 820fc8d3..0141b178 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -1,4 +1,4 @@
-policy_module(logging, 1.32.1)
+policy_module(logging, 1.32.2)
########################################
#
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 9099802e..632ebdb5 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -1,4 +1,4 @@
-policy_module(sysnetwork, 1.26.1)
+policy_module(sysnetwork, 1.26.2)
########################################
#
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index b19a20ac..a1c00d62 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1,4 +1,4 @@
-policy_module(systemd, 1.10.2)
+policy_module(systemd, 1.10.3)
#########################################
#
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 2ef2337e..753caab0 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -1,4 +1,4 @@
-policy_module(udev, 1.28.0)
+policy_module(udev, 1.28.1)
########################################
#
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/, policy/modules/services/
@ 2020-10-13 3:02 Jason Zaman
From: Jason Zaman @ 2020-10-13 3:02 UTC (permalink / raw
To: gentoo-commits
commit: fd0f05a88a59cad71dde39c9234eaddabf75565b
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Fri Oct 9 13:45:11 2020 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Oct 11 21:14:40 2020 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=fd0f05a8
devices, filesystem, systemd, ntp: Module version bump.
Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/kernel/devices.te | 2 +-
policy/modules/kernel/filesystem.te | 2 +-
policy/modules/services/ntp.te | 2 +-
policy/modules/system/systemd.te | 2 +-
4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 0137af03..8e72f90a 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -1,4 +1,4 @@
-policy_module(devices, 1.27.1)
+policy_module(devices, 1.27.2)
########################################
#
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index 6439f410..f338e207 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -1,4 +1,4 @@
-policy_module(filesystem, 1.28.1)
+policy_module(filesystem, 1.28.2)
########################################
#
diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te
index 34c674e1..98ae0267 100644
--- a/policy/modules/services/ntp.te
+++ b/policy/modules/services/ntp.te
@@ -1,4 +1,4 @@
-policy_module(ntp, 1.22.0)
+policy_module(ntp, 1.22.1)
########################################
#
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 7acbc551..74f3fc55 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1,4 +1,4 @@
-policy_module(systemd, 1.10.3)
+policy_module(systemd, 1.10.4)
#########################################
#
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/, policy/modules/services/
@ 2021-02-07 3:20 Jason Zaman
From: Jason Zaman @ 2021-02-07 3:20 UTC (permalink / raw
To: gentoo-commits
commit: 38249e1e570984cbc60f21a12e0323a2e852a463
Author: Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Tue Feb 2 15:52:59 2021 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 6 21:15:09 2021 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=38249e1e
Various fixes
Allow dovecot to watch the mail spool, and add various dontaudit rules
for several other domains.
Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/kernel/kernel.if | 18 ++++++++++++++++++
policy/modules/services/dovecot.te | 3 +++
policy/modules/services/mta.if | 18 ++++++++++++++++++
policy/modules/services/ssh.te | 2 ++
policy/modules/system/authlogin.te | 3 +++
policy/modules/system/selinuxutil.te | 1 +
6 files changed, 45 insertions(+)
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 5869eb50..ebd73aca 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -910,6 +910,24 @@ interface(`kernel_getattr_proc',`
allow $1 proc_t:filesystem getattr;
')
+########################################
+## <summary>
+## Do not audit attempts to get the attributes of the proc filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`kernel_dontaudit_getattr_proc',`
+ gen_require(`
+ type proc_t;
+ ')
+
+ dontaudit $1 proc_t:filesystem getattr;
+')
+
########################################
## <summary>
## Mount on proc directories.
diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
index a2d1cc5e..16fa4e52 100644
--- a/policy/modules/services/dovecot.te
+++ b/policy/modules/services/dovecot.te
@@ -207,6 +207,7 @@ optional_policy(`
optional_policy(`
mta_manage_spool(dovecot_t)
+ mta_watch_spool(dovecot_t)
mta_manage_mail_home_rw_content(dovecot_t)
mta_home_filetrans_mail_home_rw(dovecot_t, dir, "Maildir")
mta_home_filetrans_mail_home_rw(dovecot_t, dir, ".maildir")
@@ -255,6 +256,8 @@ manage_sock_files_pattern(dovecot_auth_t, dovecot_runtime_t, dovecot_runtime_t)
allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms };
+kernel_dontaudit_getattr_proc(dovecot_auth_t)
+
files_search_runtime(dovecot_auth_t)
files_read_usr_files(dovecot_auth_t)
files_read_var_lib_files(dovecot_auth_t)
diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if
index 7039a7f0..5266d52c 100644
--- a/policy/modules/services/mta.if
+++ b/policy/modules/services/mta.if
@@ -991,6 +991,24 @@ interface(`mta_manage_spool',`
manage_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
')
+########################################
+## <summary>
+## Watch mail spool content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_watch_spool',`
+ gen_require(`
+ type mail_spool_t;
+ ')
+
+ allow $1 mail_spool_t:{ dir file } watch;
+')
+
#######################################
## <summary>
## Create specified objects in the
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 16e86fbf..63a0d824 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -262,6 +262,8 @@ corenet_sendrecv_xserver_server_packets(sshd_t)
ifdef(`distro_debian',`
allow sshd_t self:process { getcap setcap };
auth_use_pam_motd_dynamic(sshd_t)
+',`
+ dontaudit sshd_t self:process { getcap setcap };
')
ifdef(`init_systemd',`
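Review bot: The new else-branch `dontaudit sshd_t self:process { getcap setcap };` silences the denial without a comment saying what sshd is doing when it hits it; since `setcap` is the permission checked when a process changes its own capability sets, a quietly denied call could hide sshd failing to drop privileges rather than a harmless probe. Suggest confirming it is only a startup probe on non-Debian builds and recording that, with something like `# sshd probes its capability sets at startup; only Debian builds need them` above the dontaudit. The enclosing ifdef block lies entirely within the hunk.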
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 96ebfa27..f5da5048 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -104,6 +104,9 @@ allow chkpwd_t shadow_t:file read_file_perms;
files_list_etc(chkpwd_t)
kernel_read_crypto_sysctls(chkpwd_t)
+kernel_dontaudit_search_kernel_sysctl(chkpwd_t)
+kernel_dontaudit_read_kernel_sysctl(chkpwd_t)
+kernel_dontaudit_getattr_proc(chkpwd_t)
domain_dontaudit_use_interactive_fds(chkpwd_t)
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 560e6c8a..ec65eb88 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -500,6 +500,7 @@ files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
kernel_read_system_state(semanage_t)
kernel_read_kernel_sysctls(semanage_t)
+kernel_dontaudit_getattr_proc(semanage_t)
corecmd_exec_bin(semanage_t)
corecmd_exec_shell(semanage_t)
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/, policy/modules/services/
@ 2022-09-03 19:54 Jason Zaman
From: Jason Zaman @ 2022-09-03 19:54 UTC (permalink / raw
To: gentoo-commits
commit: 813eb9b92bf4f592dcedf24a2e18d2645d07ea4a
Author: Chris PeBenito <chpebeni <AT> linux <DOT> microsoft <DOT> com>
AuthorDate: Wed Aug 17 17:54:09 2022 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Sep 3 19:07:49 2022 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=813eb9b9
hypervkvp: Port updated module from Fedora policy.
Change to refpolicy interfaces and fix optional blocks.
Signed-off-by: Chris PeBenito <chpebeni <AT> linux.microsoft.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/kernel/devices.fc | 3 +
policy/modules/kernel/devices.if | 36 ++++++++
policy/modules/kernel/devices.te | 9 ++
policy/modules/kernel/files.if | 18 ++++
policy/modules/services/dbus.if | 19 +++++
policy/modules/services/hypervkvp.fc | 8 +-
policy/modules/services/hypervkvp.te | 154 +++++++++++++++++++++++++++++++++--
policy/modules/system/sysnetwork.if | 18 ++++
8 files changed, 258 insertions(+), 7 deletions(-)
diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
index 19b06ab7..84427423 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -196,6 +196,9 @@ ifdef(`distro_suse', `
/dev/usb/mdc800.* -c gen_context(system_u:object_r:scanner_device_t,s0)
/dev/usb/scanner.* -c gen_context(system_u:object_r:scanner_device_t,s0)
+/dev/vmbus/hv_kvp -c gen_context(system_u:object_r:hyperv_kvp_device_t,s0)
+/dev/vmbus/hv_vss -c gen_context(system_u:object_r:hyperv_vss_device_t,s0)
+
/dev/wmi/dell-smbios -c gen_context(system_u:object_r:acpi_bios_t,s0)
/dev/xen/blktap.* -c gen_context(system_u:object_r:xen_device_t,s0)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index bfb08b21..ba652e81 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -2368,6 +2368,42 @@ interface(`dev_rw_framebuffer',`
rw_chr_files_pattern($1, device_t, framebuf_device_t)
')
+########################################
+## <summary>
+## Allow read/write the hypervkvp device
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_rw_hyperv_kvp',`
+ gen_require(`
+ type device_t, hyperv_kvp_device_t;
+ ')
+
+ rw_chr_files_pattern($1, device_t, hyperv_kvp_device_t)
+')
+
+########################################
+## <summary>
+## Allow read/write the hypervvssd device
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_rw_hyperv_vss',`
+ gen_require(`
+ type device_t, hyperv_vss_device_t;
+ ')
+
+ rw_chr_files_pattern($1, device_t, hyperv_vss_device_t)
+')
+
########################################
## <summary>
## Read the kernel messages
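Review bot: The summaries of the two new interfaces read `Allow read/write the hypervkvp device` and `Allow read/write the hypervvssd device`, which drops the verb form the neighbouring interfaces use (`Read the kernel messages`) and names the daemons rather than the device nodes the rules actually cover. Suggest `## Read and write the Hyper-V KVP device.` for `dev_rw_hyperv_kvp` and `## Read and write the Hyper-V VSS device.` for `dev_rw_hyperv_vss`.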
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 8ac7c212..49718cc2 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -122,6 +122,15 @@ dev_node(freefall_device_t)
type gpiochip_device_t;
dev_node(gpiochip_device_t)
+#
+# Types for Hyper-V guest devices
+#
+type hyperv_kvp_device_t;
+dev_node(hyperv_kvp_device_t)
+
+type hyperv_vss_device_t;
+dev_node(hyperv_vss_device_t)
+
#
# Type for /dev/infiniband/*
#
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index fb27ed18..eeed098c 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1846,6 +1846,24 @@ interface(`files_dontaudit_list_all_mountpoints',`
dontaudit $1 mountpoint:dir list_dir_perms;
')
+########################################
+## <summary>
+## Check if all mountpoints are writable.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_write_all_mountpoints',`
+ gen_require(`
+ attribute mountpoint;
+ ')
+
+ allow $1 mountpoint:dir write;
+')
+
########################################
## <summary>
## Do not audit attempts to write to mount points.
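Review bot: The summary of `files_write_all_mountpoints` says `Check if all mountpoints are writable.`, but the rule it emits grants `write` on every directory carrying the `mountpoint` attribute, so the description understates the access being handed out. Suggest `## Write to all mount point directories.` so callers (hypervvssd_t in this commit) see the real scope. Whether `write` rather than `ioctl` or a narrower set is what the VSS freeze path needs is not visible from this hunk; worth confirming before relying on an attribute-wide grant.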
diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
index 3dfeadf9..432eae55 100644
--- a/policy/modules/services/dbus.if
+++ b/policy/modules/services/dbus.if
@@ -647,6 +647,25 @@ interface(`dbus_watch_system_bus_runtime_dirs',`
allow $1 system_dbusd_runtime_t:dir watch;
')
+########################################
+## <summary>
+## Read system bus runtime files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dbus_read_system_bus_runtime_files',`
+ gen_require(`
+ type system_dbusd_runtime_t;
+ ')
+
+ allow $1 system_dbusd_runtime_t:file read;
+')
+
+
########################################
## <summary>
## List system bus runtime directories.
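Review bot: `allow $1 system_dbusd_runtime_t:file read;` in the new `dbus_read_system_bus_runtime_files` grants only `read`, without `open` or `getattr`, so a caller that actually opens a file under the system bus runtime directory is still denied; the refpolicy convention is `read_files_pattern($1, system_dbusd_runtime_t, system_dbusd_runtime_t)`, which also covers directory search. The double blank line before the next interface header is likewise not the file's style.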
diff --git a/policy/modules/services/hypervkvp.fc b/policy/modules/services/hypervkvp.fc
index d1bbb44c..aa585191 100644
--- a/policy/modules/services/hypervkvp.fc
+++ b/policy/modules/services/hypervkvp.fc
@@ -1,5 +1,9 @@
/etc/rc\.d/init\.d/hypervkvpd -- gen_context(system_u:object_r:hypervkvpd_initrc_exec_t,s0)
-/usr/bin/hv_kvp_daemon -- gen_context(system_u:object_r:hypervkvpd_exec_t,s0)
+/usr/lib/systemd/system/hypervkvpd.* -- gen_context(system_u:object_r:hypervkvpd_unit_t,s0)
+/usr/lib/systemd/system/hypervvssd.* -- gen_context(system_u:object_r:hypervvssd_unit_t,s0)
-/usr/sbin/hv_kvp_daemon -- gen_context(system_u:object_r:hypervkvpd_exec_t,s0)
+/usr/sbin/hypervkvpd -- gen_context(system_u:object_r:hypervkvpd_exec_t,s0)
+/usr/sbin/hypervvssd -- gen_context(system_u:object_r:hypervvssd_exec_t,s0)
+
+/var/lib/hyperv(/.*)? gen_context(system_u:object_r:hypervkvpd_var_lib_t,s0)
diff --git a/policy/modules/services/hypervkvp.te b/policy/modules/services/hypervkvp.te
index 62e4e55b..dccb0ec0 100644
--- a/policy/modules/services/hypervkvp.te
+++ b/policy/modules/services/hypervkvp.te
@@ -1,28 +1,172 @@
-policy_module(hypervkvp)
+policy_module(hypervkvp, 1.0.0)
########################################
#
# Declarations
#
-type hypervkvpd_t;
+attribute hyperv_domain;
+
+type hypervkvpd_t, hyperv_domain;
type hypervkvpd_exec_t;
init_daemon_domain(hypervkvpd_t, hypervkvpd_exec_t)
type hypervkvpd_initrc_exec_t;
init_script_file(hypervkvpd_initrc_exec_t)
+type hypervkvpd_unit_t;
+init_unit_file(hypervkvpd_unit_t)
+
+type hypervkvpd_var_lib_t;
+files_type(hypervkvpd_var_lib_t)
+
+type hypervkvpd_tmp_t;
+files_tmpfs_file(hypervkvpd_tmp_t)
+
+type hypervvssd_t, hyperv_domain;
+type hypervvssd_exec_t;
+init_daemon_domain(hypervvssd_t, hypervvssd_exec_t)
+
+type hypervvssd_unit_t;
+init_unit_file(hypervvssd_unit_t)
+
########################################
#
-# Local policy
+# hyperv domain local policy
+#
+
+allow hyperv_domain self:capability net_admin;
+allow hyperv_domain self:netlink_socket create_socket_perms;
+
+allow hyperv_domain self:fifo_file rw_fifo_file_perms;
+allow hyperv_domain self:unix_stream_socket create_stream_socket_perms;
+
+corecmd_exec_shell(hyperv_domain)
+corecmd_exec_bin(hyperv_domain)
+
+dev_read_sysfs(hyperv_domain)
+
+########################################
#
+# hypervkvp local policy
#
-allow hypervkvpd_t self:fifo_file rw_fifo_file_perms;
-allow hypervkvpd_t self:unix_stream_socket create_stream_socket_perms;
+allow hypervkvpd_t self:capability sys_ptrace;
+allow hypervkvpd_t self:process setfscreate;
+allow hypervkvpd_t self:netlink_route_socket rw_netlink_socket_perms;
+
+manage_dirs_pattern(hypervkvpd_t, hypervkvpd_var_lib_t, hypervkvpd_var_lib_t)
+manage_files_pattern(hypervkvpd_t, hypervkvpd_var_lib_t, hypervkvpd_var_lib_t)
+files_var_lib_filetrans(hypervkvpd_t, hypervkvpd_var_lib_t, dir)
+
+manage_files_pattern(hypervkvpd_t, hypervkvpd_tmp_t, hypervkvpd_tmp_t)
+manage_dirs_pattern(hypervkvpd_t, hypervkvpd_tmp_t, hypervkvpd_tmp_t)
+files_tmp_filetrans(hypervkvpd_t, hypervkvpd_tmp_t, { file dir })
+
+kernel_read_system_state(hypervkvpd_t)
+kernel_read_network_state(hypervkvpd_t)
+kernel_request_load_module(hypervkvpd_t)
+kernel_rw_net_sysctls(hypervkvpd_t)
+
+corecmd_getattr_all_executables(hypervkvpd_t)
+
+dev_rw_hyperv_kvp(hypervkvpd_t)
+
+domain_read_all_domains_state(hypervkvpd_t)
+
+seutil_exec_setfiles(hypervkvpd_t)
+seutil_read_file_contexts(hypervkvpd_t)
+
+domain_read_all_domains_state(hypervkvpd_t)
+
+dev_read_urand(hypervkvpd_t)
+
+files_dontaudit_search_home(hypervkvpd_t)
+files_dontaudit_getattr_non_security_files(hypervkvpd_t)
+
+fs_getattr_all_fs(hypervkvpd_t)
+fs_list_hugetlbfs(hypervkvpd_t)
+
+auth_use_nsswitch(hypervkvpd_t)
logging_send_syslog_msg(hypervkvpd_t)
+logging_read_syslog_config(hypervkvpd_t)
+
+libs_exec_ldconfig(hypervkvpd_t)
miscfiles_read_localization(hypervkvpd_t)
+modutils_domtrans(hypervkvpd_t)
+
+seutil_domtrans_setfiles(hypervkvpd_t)
+
sysnet_dns_name_resolve(hypervkvpd_t)
+sysnet_domtrans_dhcpc(hypervkvpd_t)
+sysnet_domtrans_ifconfig(hypervkvpd_t)
+
+sysnet_manage_dhcpc_runtime_files(hypervkvpd_t)
+sysnet_signal_dhcpc(hypervkvpd_t)
+sysnet_manage_config(hypervkvpd_t)
+sysnet_read_dhcpc_state(hypervkvpd_t)
+sysnet_read_dhcp_config(hypervkvpd_t)
+sysnet_etc_filetrans_config(hypervkvpd_t)
+
+systemd_exec_systemctl(hypervkvpd_t)
+
+userdom_dontaudit_search_user_home_dirs(hypervkvpd_t)
+
+optional_policy(`
+ brctl_domtrans(hypervkvpd_t)
+')
+
+optional_policy(`
+ dbus_read_system_bus_runtime_files(hypervkvpd_t)
+ dbus_system_bus_client(hypervkvpd_t)
+
+ optional_policy(`
+ firewalld_dbus_chat(hypervkvpd_t)
+ ')
+
+ optional_policy(`
+ networkmanager_read_runtime_files(hypervkvpd_t)
+ networkmanager_dbus_chat(hypervkvpd_t)
+ ')
+')
+
+optional_policy(`
+ hostname_exec(hypervkvpd_t)
+')
+
+optional_policy(`
+ netutils_domtrans_ping(hypervkvpd_t)
+ netutils_domtrans(hypervkvpd_t)
+')
+
+optional_policy(`
+ sysnet_exec_ifconfig(hypervkvpd_t)
+')
+
+optional_policy(`
+ rpm_exec(hypervkvpd_t)
+')
+
+########################################
+#
+# hypervvssd local policy
+#
+
+allow hypervvssd_t self:capability { dac_read_search dac_override sys_admin };
+
+dev_rw_hyperv_vss(hypervvssd_t)
+
+files_list_boot(hypervvssd_t)
+
+files_list_all_mountpoints(hypervvssd_t)
+files_write_all_mountpoints(hypervvssd_t)
+files_list_non_auth_dirs(hypervvssd_t)
+
+logging_send_syslog_msg(hypervvssd_t)
+
+miscfiles_read_localization(hypervvssd_t)
+
+storage_raw_read_fixed_disk(hypervvssd_t)
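Review bot: `hypervkvpd_tmp_t` is declared with `files_tmpfs_file(hypervkvpd_tmp_t)` but is the target of `files_tmp_filetrans(hypervkvpd_t, hypervkvpd_tmp_t, { file dir })`, i.e. it is created under tmp_t rather than on tmpfs, so it should be declared with `files_tmp_file(hypervkvpd_tmp_t)` to carry the tmpfile attribute that the tmp cleanup interfaces key on. `domain_read_all_domains_state(hypervkvpd_t)` appears twice in the hypervkvp section, and `sysnet_exec_ifconfig` is wrapped in `optional_policy` while the other `sysnet_*` calls in the same block are unconditional (and `sysnet_domtrans_ifconfig` already sets the transition on exec). Also worth a comment: the hypervvssd block combines `sys_admin`, `dac_override`, write on all mountpoints and raw fixed-disk read, presumably for filesystem freeze/thaw, so a one-line note of which operation needs each grant would help future audits.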
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
index 464893f6..2598c7ad 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -614,6 +614,24 @@ interface(`sysnet_delete_dhcpc_runtime_files',`
allow $1 dhcpc_runtime_t:file unlink;
')
+#######################################
+## <summary>
+## Create, read, write, and delete dhcp client runtime files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysnet_manage_dhcpc_runtime_files',`
+ gen_require(`
+ type dhcpc_runtime_t;
+ ')
+
+ manage_files_pattern($1, dhcpc_runtime_t, dhcpc_runtime_t)
+')
+
#######################################
## <summary>
## Execute ifconfig in the ifconfig domain.
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/, policy/modules/services/
@ 2023-03-31 23:07 Kenton Groombridge
From: Kenton Groombridge @ 2023-03-31 23:07 UTC (permalink / raw
To: gentoo-commits
commit: c26f03fa94aa2e08b219d5040970d21c1c26869c
Author: Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Mon Mar 6 15:14:55 2023 +0000
Commit: Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Fri Mar 31 17:11:27 2023 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c26f03fa
various: make /etc/machine-id etc_runtime_t
This file is updated at boot by systemd.
Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>
policy/modules/kernel/files.fc | 1 +
policy/modules/services/dbus.te | 2 ++
policy/modules/system/systemd.te | 6 ++++++
3 files changed, 9 insertions(+)
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
index b22d97997..708abd32e 100644
--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
@@ -53,6 +53,7 @@ ifdef(`distro_suse',`
/etc/ioctl\.save -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/killpower -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/localtime -l gen_context(system_u:object_r:etc_t,s0)
+/etc/machine-id -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/mtab -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/mtab~[0-9]* -- gen_context(system_u:object_r:etc_runtime_t,s0)
/etc/mtab\.tmp -- gen_context(system_u:object_r:etc_runtime_t,s0)
diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index 29ada52aa..f6d502940 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -197,6 +197,8 @@ ifdef(`init_systemd', `
dev_rw_dri(system_dbusd_t)
dev_rw_input_dev(system_dbusd_t)
+ files_read_etc_runtime_files(system_dbusd_t)
+
# for /run/systemd/dynamic-uid/
init_list_runtime(system_dbusd_t)
init_read_runtime_symlinks(system_dbusd_t)
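Review bot: `files_read_etc_runtime_files(system_dbusd_t)` is added without the reason the commit message gives, while the same grant in the systemd_pcrphase hunk of systemd.te carries `# read /etc/machine-id`; the generator, logind and networkd hunks of systemd.te are likewise bare. Since etc_runtime_t covers more than machine-id (mtab, killpower and ioctl.save per the files.fc hunk), a matching `# read /etc/machine-id` line above each call records why the wider type was accepted.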
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index cf91547e2..db594e615 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -493,6 +493,7 @@ dev_write_sysfs_dirs(systemd_generator_t)
dev_read_urand(systemd_generator_t)
files_read_etc_files(systemd_generator_t)
+files_read_etc_runtime_files(systemd_generator_t)
files_search_runtime(systemd_generator_t)
files_list_boot(systemd_generator_t)
files_read_boot_files(systemd_generator_t)
@@ -857,6 +858,7 @@ dev_setattr_dri_dev(systemd_logind_t)
dev_setattr_generic_usb_dev(systemd_logind_t)
dev_setattr_input_dev(systemd_logind_t)
dev_setattr_kvm_dev(systemd_logind_t)
+files_read_etc_runtime_files(systemd_logind_t)
dev_setattr_sound_dev(systemd_logind_t)
dev_setattr_video_dev(systemd_logind_t)
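Review bot: `files_read_etc_runtime_files(systemd_logind_t)` is inserted between `dev_setattr_kvm_dev` and `dev_setattr_sound_dev`, splitting the `dev_*` run, whereas the generator and networkd hunks of this file keep calls grouped by module prefix and place it right after `files_read_etc_files`. Move it to the `files_*` group of the logind section, which starts outside this hunk.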
@@ -1140,6 +1142,7 @@ dev_read_sysfs(systemd_networkd_t)
dev_write_kmsg(systemd_networkd_t)
files_read_etc_files(systemd_networkd_t)
+files_read_etc_runtime_files(systemd_networkd_t)
files_watch_runtime_dirs(systemd_networkd_t)
files_watch_root_dirs(systemd_networkd_t)
files_list_runtime(systemd_networkd_t)
@@ -1415,6 +1418,9 @@ dontaudit systemd_pcrphase_t self:capability net_admin;
dev_rw_tpm(systemd_pcrphase_t)
dev_write_kmsg(systemd_pcrphase_t)
+# read /etc/machine-id
+files_read_etc_runtime_files(systemd_pcrphase_t)
+
fs_read_efivarfs_files(systemd_pcrphase_t)
fs_getattr_cgroup(systemd_pcrphase_t)
fs_search_cgroup_dirs(systemd_pcrphase_t)