From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id B2FAB13835A for ; Sun, 21 Mar 2021 22:11:05 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 7AD9FE08E0; Sun, 21 Mar 2021 22:11:04 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 47FB9E08DD for ; Sun, 21 Mar 2021 22:11:04 +0000 (UTC) Received: from oystercatcher.gentoo.org (unknown [IPv6:2a01:4f8:202:4333:225:90ff:fed9:fc84]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id A8FDF34058A for ; Sun, 21 Mar 2021 22:11:02 +0000 (UTC) Received: from localhost.localdomain (localhost [IPv6:::1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id AEF71639 for ; Sun, 21 Mar 2021 22:10:58 +0000 (UTC) 
From: "Jason Zaman"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman"
Message-ID: <1616362703.b7d31bbf66452be6655b7c32fc5a992c23807cb4.perfinion@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/services/rpc.te
X-VCS-Directories: policy/modules/services/
X-VCS-Committer: perfinion
X-VCS-Committer-Name: Jason Zaman
X-VCS-Revision: b7d31bbf66452be6655b7c32fc5a992c23807cb4
X-VCS-Branch: master
Date: Sun, 21 Mar 2021 22:10:58 +0000 (UTC)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply
X-Archives-Salt: b86d2984-643e-4c69-b797-38a97fe4075f
X-Archives-Hash: 0eaf5d1de9e8831b76248c493bf03e57
commit: b7d31bbf66452be6655b7c32fc5a992c23807cb4
Author: Chris PeBenito ieee org>
AuthorDate: Tue Feb 16 14:30:13 2021 +0000
Commit: Jason Zaman gentoo org>
CommitDate: Sun Mar 21 21:38:23 2021 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b7d31bbf
rpc: Move lines. No rule changes.
Signed-off-by: Chris PeBenito ieee.org>
Signed-off-by: Jason Zaman gentoo.org>
policy/modules/services/rpc.te | 189 ++++++++++++++++++++---------------------
1 file changed, 94 insertions(+), 95 deletions(-)
diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
index 5cacb381..37b57537 100644
--- a/policy/modules/services/rpc.te
+++ b/policy/modules/services/rpc.te
@@ -33,6 +33,13 @@ gen_tunable(allow_nfsd_anon_write, false)
 attribute rpc_domain;
+rpc_domain_template(blkmapd)
+
+type blkmapd_runtime_t;
+files_runtime_file(blkmapd_runtime_t)
+files_runtime_filetrans(blkmapd_t, blkmapd_runtime_t, file, "blkmapd.pid")
+allow blkmapd_t blkmapd_runtime_t:file manage_file_perms;
+
 type exports_t;
 files_config_file(exports_t)
@@ -72,14 +79,6 @@ init_unit_file(nfsd_unit_t)
 type var_lib_nfs_t;
 files_mountpoint(var_lib_nfs_t)
-rpc_domain_template(blkmapd)
-
-type blkmapd_runtime_t;
-files_runtime_file(blkmapd_runtime_t)
-files_runtime_filetrans(blkmapd_t, blkmapd_runtime_t, file, "blkmapd.pid")
-allow blkmapd_t blkmapd_runtime_t:file manage_file_perms;
-
-
 ########################################
 #
 # Common rpc domain local policy
@@ -141,6 +140,93 @@ optional_policy(`
 seutil_sigchld_newrole(rpc_domain)
 ')
+########################################
+#
+# BLKMAPD local policy
+#
+
+allow blkmapd_t self:capability sys_rawio;
+allow blkmapd_t self:unix_dgram_socket create_socket_perms;
+
+fs_list_rpc(blkmapd_t)
+storage_raw_read_fixed_disk(blkmapd_t)
+
+########################################
+#
+# GSSD local policy
+#
+
+allow gssd_t self:capability { dac_override dac_read_search setgid setuid sys_nice };
+allow gssd_t self:process { getsched setsched };
+allow gssd_t self:fifo_file rw_fifo_file_perms;
+
+allow gssd_t gssd_keytab_t:file read_file_perms;
+
+manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
+manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
+files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
+
+kernel_read_network_state(gssd_t)
+kernel_read_network_state_symlinks(gssd_t)
+kernel_request_load_module(gssd_t)
+kernel_search_network_sysctl(gssd_t)
+kernel_signal(gssd_t)
+
+corecmd_exec_bin(gssd_t)
+
+fs_list_inotifyfs(gssd_t)
+fs_list_rpc(gssd_t)
+fs_rw_rpc_sockets(gssd_t)
+fs_read_rpc_files(gssd_t)
+fs_read_nfs_files(gssd_t)
+
+files_list_tmp(gssd_t)
+files_dontaudit_write_var_dirs(gssd_t)
+
+auth_manage_cache(gssd_t)
+
+miscfiles_read_generic_certs(gssd_t)
+miscfiles_read_generic_tls_privkey(gssd_t)
+
+userdom_signal_all_users(gssd_t)
+
+tunable_policy(`allow_gssd_read_tmp',`
+ userdom_list_user_tmp(gssd_t)
+ userdom_read_user_tmp_files(gssd_t)
+ userdom_read_user_tmp_symlinks(gssd_t)
+')
+
+tunable_policy(`allow_gssd_write_tmp',`
+ userdom_list_user_tmp(gssd_t)
+ userdom_rw_user_tmp_files(gssd_t)
+')
+
+optional_policy(`
+ automount_signal(gssd_t)
+')
+
+optional_policy(`
+ gssproxy_stream_connect(gssd_t)
+')
+optional_policy(`
+ kerberos_manage_host_rcache(gssd_t)
+ kerberos_read_keytab(gssd_t)
+ kerberos_tmp_filetrans_host_rcache(gssd_t, file, "nfs_0")
+ kerberos_use(gssd_t)
+')
+
+optional_policy(`
+ mount_signal(gssd_t)
+')
+
+optional_policy(`
+ pcscd_read_runtime_files(gssd_t)
+')
+
+optional_policy(`
+ xserver_rw_xdm_tmp_files(gssd_t)
+')
+
 ########################################
 #
 # Local policy
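Review bot: In the relocated GSSD section the gssproxy and kerberos blocks are the one place where two `optional_policy` blocks touch — `+')` for `gssproxy_stream_connect(gssd_t)` is immediately followed by `+optional_policy(`` for `kerberos_manage_host_rcache(gssd_t)` with no blank line between them, unlike every other block pair in this hunk — and since the commit is already moving these lines, inserting that one blank line here would bring the section in line with the spacing used everywhere else in the file. The move otherwise looks faithful: the 87 lines added here appear to correspond line for line to the 87 removed in the later hunk, so the "No rule changes" claim seems to hold, though I have not compared them token by token. For future readers it would also help to put a short comment above `allow blkmapd_t self:capability sys_rawio;`, e.g. `# raw disk access (presumably for pNFS block layouts -- confirm); keep this domain tight`, because sys_rawio together with `storage_raw_read_fixed_disk(blkmapd_t)` hands blkmapd_t direct access to fixed disks, and nothing in the policy itself records why that is needed.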
@@ -287,90 +373,3 @@ tunable_policy(`nfs_export_all_ro',`
 optional_policy(`
 mount_exec(nfsd_t)
 ')
-
-########################################
-#
-# BLKMAPD local policy
-#
-
-allow blkmapd_t self:capability sys_rawio;
-allow blkmapd_t self:unix_dgram_socket create_socket_perms;
-
-fs_list_rpc(blkmapd_t)
-storage_raw_read_fixed_disk(blkmapd_t)
-
-########################################
-#
-# GSSD local policy
-#
-
-allow gssd_t self:capability { dac_override dac_read_search setgid setuid sys_nice };
-allow gssd_t self:process { getsched setsched };
-allow gssd_t self:fifo_file rw_fifo_file_perms;
-
-allow gssd_t gssd_keytab_t:file read_file_perms;
-
-manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
-manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
-files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
-
-kernel_read_network_state(gssd_t)
-kernel_read_network_state_symlinks(gssd_t)
-kernel_request_load_module(gssd_t)
-kernel_search_network_sysctl(gssd_t)
-kernel_signal(gssd_t)
-
-corecmd_exec_bin(gssd_t)
-
-fs_list_inotifyfs(gssd_t)
-fs_list_rpc(gssd_t)
-fs_rw_rpc_sockets(gssd_t)
-fs_read_rpc_files(gssd_t)
-fs_read_nfs_files(gssd_t)
-
-files_list_tmp(gssd_t)
-files_dontaudit_write_var_dirs(gssd_t)
-
-auth_manage_cache(gssd_t)
-
-miscfiles_read_generic_certs(gssd_t)
-miscfiles_read_generic_tls_privkey(gssd_t)
-
-userdom_signal_all_users(gssd_t)
-
-tunable_policy(`allow_gssd_read_tmp',`
- userdom_list_user_tmp(gssd_t)
- userdom_read_user_tmp_files(gssd_t)
- userdom_read_user_tmp_symlinks(gssd_t)
-')
-
-tunable_policy(`allow_gssd_write_tmp',`
- userdom_list_user_tmp(gssd_t)
- userdom_rw_user_tmp_files(gssd_t)
-')
-
-optional_policy(`
- automount_signal(gssd_t)
-')
-
-optional_policy(`
- gssproxy_stream_connect(gssd_t)
-')
-optional_policy(`
- kerberos_manage_host_rcache(gssd_t)
- kerberos_read_keytab(gssd_t)
- kerberos_tmp_filetrans_host_rcache(gssd_t, file, "nfs_0")
- kerberos_use(gssd_t)
-')
-
-optional_policy(`
- mount_signal(gssd_t)
-')
-
-optional_policy(`
- pcscd_read_runtime_files(gssd_t)
-')
-
-optional_policy(`
- xserver_rw_xdm_tmp_files(gssd_t)
-')