* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/admin/
@ 2012-11-27 19:14 Sven Vermeulen
From: Sven Vermeulen @ 2012-11-27 19:14 UTC (permalink / raw
  To: gentoo-commits

commit:     b9655ff526f1b3327af6b19ca54b576fc539a9e4
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Tue Nov 27 14:57:13 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Tue Nov 27 19:02:10 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=b9655ff5

Module version bump for logging and tcpdump fixes from Sven Vermeulen.

---
 policy/modules/admin/netutils.te |    2 +-
 policy/modules/system/logging.te |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index 3526689..93be1a4 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -1,4 +1,4 @@
-policy_module(netutils, 1.11.1)
+policy_module(netutils, 1.11.2)
 
 ########################################
 #

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 49f989a..59b28e6 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -1,4 +1,4 @@
-policy_module(logging, 1.19.4)
+policy_module(logging, 1.19.5)
 
 ########################################
 #



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/admin/
@ 2014-01-19 19:01 Sven Vermeulen
From: Sven Vermeulen @ 2014-01-19 19:01 UTC (permalink / raw
  To: gentoo-commits

commit:     ae86ea44124a8e1ea69ba291efc53ee8149d69d5
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Thu Jan 16 16:24:25 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Jan 19 18:56:09 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=ae86ea44

Update modules for file_t merge into unlabeled_t.

---
 policy/modules/admin/bootloader.te  | 15 +++++++--------
 policy/modules/admin/dmesg.te       |  6 +++---
 policy/modules/system/authlogin.te  |  4 ++--
 policy/modules/system/clock.te      |  6 +++---
 policy/modules/system/fstools.te    |  9 +++------
 policy/modules/system/hostname.te   |  6 +++---
 policy/modules/system/hotplug.te    |  6 +++---
 policy/modules/system/init.te       |  9 +++++----
 policy/modules/system/locallogin.te |  6 +++---
 policy/modules/system/logging.te    |  5 +++--
 policy/modules/system/lvm.te        |  8 ++++----
 policy/modules/system/modutils.te   |  9 +++++----
 policy/modules/system/mount.te      |  8 ++++----
 policy/modules/system/udev.te       |  4 ++--
 14 files changed, 50 insertions(+), 51 deletions(-)

diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
index 0fd5c5f..3f81343 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -1,4 +1,4 @@
-policy_module(bootloader, 1.14.0)
+policy_module(bootloader, 1.14.1)
 
 ########################################
 #
@@ -155,15 +155,14 @@ ifdef(`distro_redhat',`
 	# for memlock
 	allow bootloader_t self:capability ipc_lock;
 
-	# new file system defaults to file_t, granting file_t access is still bad.
 	allow bootloader_t boot_runtime_t:file { read_file_perms delete_file_perms };
 
-	# new file system defaults to file_t, granting file_t access is still bad.
-	files_manage_isid_type_dirs(bootloader_t)
-	files_manage_isid_type_files(bootloader_t)
-	files_manage_isid_type_symlinks(bootloader_t)
-	files_manage_isid_type_blk_files(bootloader_t)
-	files_manage_isid_type_chr_files(bootloader_t)
+	# new file system defaults to unlabeled, granting unlabeled access is still bad.
+	kernel_manage_unlabeled_dirs(bootloader_t)
+	kernel_manage_unlabeled_files(bootloader_t)
+	kernel_manage_unlabeled_symlinks(bootloader_t)
+	kernel_manage_unlabeled_blk_files(bootloader_t)
+	kernel_manage_unlabeled_chr_files(bootloader_t)
 
 	# for mke2fs
 	mount_run(bootloader_t, bootloader_roles)
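Review bot: The comment kept above the new kernel_manage_unlabeled_* lines still reads `granting unlabeled access is still bad` but does not record that the scope of these rules has widened: after the merge, unlabeled_t is the initial SID for any object that has no label or carries a label the loaded policy does not recognise, not only files on a freshly created filesystem, so bootloader_t now gets manage rights on all such dirs, files, symlinks and device nodes. Suggest extending the comment to `# new file system defaults to unlabeled (which also covers objects with no or invalid labels); granting unlabeled access is still bad.` and re-checking that the rules are still needed inside the distro_redhat block the hunk header shows. The same widening applies to the manage/rw/read rules in fstools.te, the mounton rule for initrc_t in init.te, the distro_redhat rw rule in lvm.te and the read rule in mount.te below; the dontaudit-only moves are unaffected.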

diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te
index 9124163..914a836 100644
--- a/policy/modules/admin/dmesg.te
+++ b/policy/modules/admin/dmesg.te
@@ -1,4 +1,4 @@
-policy_module(dmesg, 1.3.0)
+policy_module(dmesg, 1.3.1)
 
 ########################################
 #
@@ -25,6 +25,8 @@ kernel_clear_ring_buffer(dmesg_t)
 kernel_change_ring_buffer_level(dmesg_t)
 kernel_list_proc(dmesg_t)
 kernel_read_proc_symlinks(dmesg_t)
+# for when /usr is not mounted:
+kernel_dontaudit_search_unlabeled(dmesg_t)
 
 dev_read_sysfs(dmesg_t)
 
@@ -35,8 +37,6 @@ term_dontaudit_use_console(dmesg_t)
 domain_use_interactive_fds(dmesg_t)
 
 files_list_etc(dmesg_t)
-# for when /usr is not mounted:
-files_dontaudit_search_isid_type_dirs(dmesg_t)
 
 init_use_fds(dmesg_t)
 init_use_script_ptys(dmesg_t)

diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 68bc0d6..b9ac3b0 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -1,4 +1,4 @@
-policy_module(authlogin, 2.5.2)
+policy_module(authlogin, 2.5.3)
 
 ########################################
 #
@@ -220,6 +220,7 @@ dontaudit pam_console_t pam_var_console_t:file write;
 
 kernel_read_kernel_sysctls(pam_console_t)
 kernel_use_fds(pam_console_t)
+kernel_dontaudit_search_unlabeled(pam_console_t)
 # Read /proc/meminfo
 kernel_read_system_state(pam_console_t)
 
@@ -255,7 +256,6 @@ dev_read_urand(pam_console_t)
 files_read_etc_files(pam_console_t)
 files_search_pids(pam_console_t)
 files_list_mnt(pam_console_t)
-files_dontaudit_search_isid_type_dirs(pam_console_t)
 # read /etc/mtab
 files_read_etc_runtime_files(pam_console_t)
 

diff --git a/policy/modules/system/clock.te b/policy/modules/system/clock.te
index edece47..a3cc2ef 100644
--- a/policy/modules/system/clock.te
+++ b/policy/modules/system/clock.te
@@ -1,4 +1,4 @@
-policy_module(clock, 1.7.0)
+policy_module(clock, 1.7.1)
 
 ########################################
 #
@@ -30,6 +30,8 @@ allow hwclock_t adjtime_t:file { rw_file_perms setattr };
 
 kernel_read_kernel_sysctls(hwclock_t)
 kernel_read_system_state(hwclock_t)
+# for when /usr is not mounted:
+kernel_dontaudit_search_unlabeled(hwclock_t)
 
 corecmd_exec_bin(hwclock_t)
 corecmd_exec_shell(hwclock_t)
@@ -38,8 +40,6 @@ dev_read_sysfs(hwclock_t)
 dev_rw_realtime_clock(hwclock_t)
 
 files_read_etc_files(hwclock_t)
-# for when /usr is not mounted:
-files_dontaudit_search_isid_type_dirs(hwclock_t)
 
 fs_getattr_xattr_fs(hwclock_t)
 fs_search_auto_mountpoints(hwclock_t)

diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index 610fa40..65f634a 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -1,4 +1,4 @@
-policy_module(fstools, 1.16.3)
+policy_module(fstools, 1.16.4)
 
 ########################################
 #
@@ -56,6 +56,7 @@ allow fsadm_t swapfile_t:file { rw_file_perms swapon };
 kernel_read_system_state(fsadm_t)
 kernel_read_kernel_sysctls(fsadm_t)
 kernel_request_load_module(fsadm_t)
+kernel_manage_unlabeled_dirs(fsadm_t)
 # Allow console log change (updfstab)
 kernel_change_ring_buffer_level(fsadm_t)
 # mkreiserfs needs this
@@ -64,6 +65,7 @@ kernel_getattr_core_if(fsadm_t)
 # Access to /initrd devices
 kernel_rw_unlabeled_dirs(fsadm_t)
 kernel_rw_unlabeled_blk_files(fsadm_t)
+kernel_read_unlabeled_files(fsadm_t)
 
 corecmd_exec_bin(fsadm_t)
 #RedHat bug #201164
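Review bot: The context line `kernel_rw_unlabeled_dirs(fsadm_t)` is now fully covered by `kernel_manage_unlabeled_dirs(fsadm_t)` added in the preceding hunk, assuming kernel_manage_unlabeled_dirs() is built on manage_dirs_pattern whose permission set is a superset of rw_dir_perms. The overlap existed before between the files_manage_isid_type_dirs and files_rw_isid_type_dirs lines this commit removes, but since both are being rewritten this is the moment to drop the rw line or to comment why the separate `# Access to /initrd devices` rule is kept.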
@@ -100,14 +102,9 @@ files_list_home(fsadm_t)
 files_read_usr_files(fsadm_t)
 files_read_etc_files(fsadm_t)
 files_manage_lost_found(fsadm_t)
-files_manage_isid_type_dirs(fsadm_t)
 # Write to /etc/mtab.
 files_manage_etc_runtime_files(fsadm_t)
 files_etc_filetrans_etc_runtime(fsadm_t, file)
-# Access to /initrd devices
-files_rw_isid_type_dirs(fsadm_t)
-files_rw_isid_type_blk_files(fsadm_t)
-files_read_isid_type_files(fsadm_t)
 
 fs_search_auto_mountpoints(fsadm_t)
 fs_getattr_xattr_fs(fsadm_t)

diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te
index 6d9f4fe..07f83b5 100644
--- a/policy/modules/system/hostname.te
+++ b/policy/modules/system/hostname.te
@@ -1,4 +1,4 @@
-policy_module(hostname, 1.8.2)
+policy_module(hostname, 1.8.3)
 
 ########################################
 #
@@ -23,6 +23,8 @@ dontaudit hostname_t self:capability sys_tty_config;
 
 kernel_list_proc(hostname_t)
 kernel_read_proc_symlinks(hostname_t)
+# for when /usr is not mounted:
+kernel_dontaudit_search_unlabeled(hostname_t)
 
 dev_read_sysfs(hostname_t)
 # Early devtmpfs, before udev relabel
@@ -32,8 +34,6 @@ domain_use_interactive_fds(hostname_t)
 
 files_read_etc_files(hostname_t)
 files_dontaudit_search_var(hostname_t)
-# for when /usr is not mounted:
-files_dontaudit_search_isid_type_dirs(hostname_t)
 
 fs_getattr_xattr_fs(hostname_t)
 fs_search_auto_mountpoints(hostname_t)

diff --git a/policy/modules/system/hotplug.te b/policy/modules/system/hotplug.te
index b2097e7..fb17059 100644
--- a/policy/modules/system/hotplug.te
+++ b/policy/modules/system/hotplug.te
@@ -1,4 +1,4 @@
-policy_module(hotplug, 1.16.0)
+policy_module(hotplug, 1.16.1)
 
 ########################################
 #
@@ -49,6 +49,8 @@ kernel_read_system_state(hotplug_t)
 kernel_read_network_state(hotplug_t)
 kernel_read_kernel_sysctls(hotplug_t)
 kernel_rw_net_sysctls(hotplug_t)
+# for when filesystems are not mounted early in the boot:
+kernel_dontaudit_search_unlabeled(hotplug_t)
 
 files_read_kernel_modules(hotplug_t)
 
@@ -86,8 +88,6 @@ files_read_etc_files(hotplug_t)
 files_manage_etc_runtime_files(hotplug_t)
 files_etc_filetrans_etc_runtime(hotplug_t, file)
 files_exec_etc_files(hotplug_t)
-# for when filesystems are not mounted early in the boot:
-files_dontaudit_search_isid_type_dirs(hotplug_t)
 
 init_read_script_state(hotplug_t)
 # Allow hotplug (including /sbin/ifup-local) to start/stop services and

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 8bf29d5..dce9cd0 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 1.20.4)
+policy_module(init, 1.20.5)
 
 gen_require(`
 	class passwd rootok;
@@ -125,6 +125,7 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
 
 kernel_read_system_state(init_t)
 kernel_share_state(init_t)
+kernel_dontaudit_search_unlabeled(init_t)
 
 corecmd_exec_chroot(init_t)
 corecmd_exec_bin(init_t)
@@ -142,7 +143,6 @@ domain_sigchld_all_domains(init_t)
 
 files_read_etc_files(init_t)
 files_rw_generic_pids(init_t)
-files_dontaudit_search_isid_type_dirs(init_t)
 files_manage_etc_runtime_files(init_t)
 files_etc_filetrans_etc_runtime(init_t, file)
 # Run /etc/X11/prefdm:
@@ -289,6 +289,9 @@ kernel_read_all_sysctls(initrc_t)
 kernel_rw_all_sysctls(initrc_t)
 # for lsof which is used by alsa shutdown:
 kernel_dontaudit_getattr_message_if(initrc_t)
+# cjp: not sure why these are here; should use mount policy
+kernel_list_unlabeled(initrc_t)
+kernel_mounton_unlabeled_dirs(initrc_t)
 
 files_create_lock_dirs(initrc_t)
 files_pid_filetrans_lock_dir(initrc_t, "lock")
@@ -367,8 +370,6 @@ files_manage_urandom_seed(initrc_t)
 files_manage_generic_spool(initrc_t)
 # Mount and unmount file systems.
 # cjp: not sure why these are here; should use mount policy
-files_list_isid_type_dirs(initrc_t)
-files_mounton_isid_type_dirs(initrc_t)
 files_list_default(initrc_t)
 files_mounton_default(initrc_t)
 

diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
index 446fa99..c083ccd 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -1,4 +1,4 @@
-policy_module(locallogin, 1.12.0)
+policy_module(locallogin, 1.12.1)
 
 ########################################
 #
@@ -216,13 +216,13 @@ allow sulogin_t self:msgq create_msgq_perms;
 allow sulogin_t self:msg { send receive };
 
 kernel_read_system_state(sulogin_t)
+# because file systems are not mounted:
+kernel_dontaudit_search_unlabeled(sulogin_t)
 
 fs_search_auto_mountpoints(sulogin_t)
 fs_rw_tmpfs_chr_files(sulogin_t)
 
 files_read_etc_files(sulogin_t)
-# because file systems are not mounted:
-files_dontaudit_search_isid_type_dirs(sulogin_t)
 
 auth_read_shadow(sulogin_t)
 

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 455d061..64c6667 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -1,4 +1,4 @@
-policy_module(logging, 1.20.2)
+policy_module(logging, 1.20.3)
 
 ########################################
 #
@@ -406,6 +406,8 @@ kernel_read_messages(syslogd_t)
 kernel_read_vm_sysctls(syslogd_t)
 kernel_clear_ring_buffer(syslogd_t)
 kernel_change_ring_buffer_level(syslogd_t)
+# /initrd is not umounted before minilog starts
+kernel_dontaudit_search_unlabeled(syslogd_t)
 
 corenet_all_recvfrom_unlabeled(syslogd_t)
 corenet_all_recvfrom_netlabel(syslogd_t)
@@ -443,7 +445,6 @@ files_read_usr_files(syslogd_t)
 files_read_var_files(syslogd_t)
 files_read_etc_runtime_files(syslogd_t)
 # /initrd is not umounted before minilog starts
-files_dontaudit_search_isid_type_dirs(syslogd_t)
 files_read_kernel_symbol_table(syslogd_t)
 files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
 

diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index a02b319..d338dc0 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -1,4 +1,4 @@
-policy_module(lvm, 1.15.3)
+policy_module(lvm, 1.15.4)
 
 ########################################
 #
@@ -217,6 +217,8 @@ kernel_get_sysvipc_info(lvm_t)
 kernel_read_system_state(lvm_t)
 # Read system variables in /proc/sys
 kernel_read_kernel_sysctls(lvm_t)
+# for when /usr is not mounted:
+kernel_dontaudit_search_unlabeled(lvm_t)
 # it has no reason to need this
 kernel_dontaudit_getattr_core_if(lvm_t)
 kernel_use_fds(lvm_t)
@@ -254,8 +256,6 @@ domain_read_all_domains_state(lvm_t)
 files_read_usr_files(lvm_t)
 files_read_etc_files(lvm_t)
 files_read_etc_runtime_files(lvm_t)
-# for when /usr is not mounted:
-files_dontaudit_search_isid_type_dirs(lvm_t)
 
 fs_getattr_xattr_fs(lvm_t)
 fs_search_auto_mountpoints(lvm_t)
@@ -306,7 +306,7 @@ userdom_use_user_terminals(lvm_t)
 
 ifdef(`distro_redhat',`
 	# this is from the initrd:
-	files_rw_isid_type_dirs(lvm_t)
+	kernel_rw_unlabeled_dirs(lvm_t)
 
 	optional_policy(`
 		unconfined_domain(lvm_t)

diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index c1bd664..d51a148 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -1,4 +1,4 @@
-policy_module(modutils, 1.14.0)
+policy_module(modutils, 1.14.1)
 
 ########################################
 #
@@ -134,6 +134,8 @@ kernel_read_kernel_sysctls(insmod_t)
 kernel_rw_kernel_sysctl(insmod_t)
 kernel_read_hotplug_sysctls(insmod_t)
 kernel_setsched(insmod_t)
+# for when /var is not mounted early in the boot:
+kernel_dontaudit_search_unlabeled(insmod_t)
 
 corecmd_exec_bin(insmod_t)
 corecmd_exec_shell(insmod_t)
@@ -157,8 +159,6 @@ files_read_usr_files(insmod_t)
 files_exec_etc_files(insmod_t)
 # for nscd:
 files_dontaudit_search_pids(insmod_t)
-# for when /var is not mounted early in the boot:
-files_dontaudit_search_isid_type_dirs(insmod_t)
 # for locking: (cjp: ????)
 files_write_kernel_modules(insmod_t)
 
@@ -303,9 +303,10 @@ userdom_use_user_terminals(update_modules_t)
 userdom_dontaudit_search_user_home_dirs(update_modules_t)
 
 ifdef(`distro_gentoo',`
+	kernel_list_unlabeled(update_modules_t) # /var
+
 	files_search_pids(update_modules_t)
 	files_getattr_usr_src_files(update_modules_t)
-	files_list_isid_type_dirs(update_modules_t) # /var
 
 	# update-modules on Gentoo throws errors when run because it
 	# sources /etc/init.d/functions.sh, which always scans

diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index a686071..8ef3cbd 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -1,4 +1,4 @@
-policy_module(mount, 1.16.3)
+policy_module(mount, 1.16.4)
 
 ########################################
 #
@@ -65,6 +65,9 @@ kernel_dontaudit_write_debugfs_dirs(mount_t)
 kernel_dontaudit_write_proc_dirs(mount_t)
 # To load binfmt_misc kernel module
 kernel_request_load_module(mount_t)
+# for when /etc/mtab loses its type
+# cjp: this seems wrong, the type should probably be etc
+kernel_read_unlabeled_files(mount_t)
 
 # required for mount.smbfs
 corecmd_exec_bin(mount_t)
@@ -92,9 +95,6 @@ files_unmount_rootfs(mount_t)
 files_relabelto_all_file_type_fs(mount_t)
 files_mount_all_file_type_fs(mount_t)
 files_unmount_all_file_type_fs(mount_t)
-# for when /etc/mtab loses its type
-# cjp: this seems wrong, the type should probably be etc
-files_read_isid_type_files(mount_t)
 # For reading cert files
 files_read_usr_files(mount_t)
 files_list_all_mountpoints(mount_t)

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 19a3c8e..5f7a894 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -1,4 +1,4 @@
-policy_module(udev, 1.16.5)
+policy_module(udev, 1.16.6)
 
 ########################################
 #
@@ -95,6 +95,7 @@ kernel_search_debugfs(udev_t)
 kernel_rw_net_sysctls(udev_t)
 kernel_read_network_state(udev_t)
 kernel_read_software_raid_state(udev_t)
+kernel_dontaudit_search_unlabeled(udev_t)
 
 corecmd_exec_all_executables(udev_t)
 
@@ -116,7 +117,6 @@ files_read_usr_files(udev_t)
 files_read_etc_runtime_files(udev_t)
 files_read_etc_files(udev_t)
 files_exec_etc_files(udev_t)
-files_dontaudit_search_isid_type_dirs(udev_t)
 files_getattr_generic_locks(udev_t)
 files_search_mnt(udev_t)
 



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/admin/
@ 2017-02-27 10:50 ` Jason Zaman
From: Jason Zaman @ 2017-02-27 10:50 UTC (permalink / raw
  To: gentoo-commits

commit:     5888727a77d8072a2d90d38c71dbed72de307d7c
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Feb 26 17:23:19 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb 27 10:38:00 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5888727a

Module version bump for patches from cgzones.

 policy/modules/admin/su.te           | 2 +-
 policy/modules/system/authlogin.te   | 2 +-
 policy/modules/system/init.te        | 2 +-
 policy/modules/system/locallogin.te  | 2 +-
 policy/modules/system/selinuxutil.te | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/policy/modules/admin/su.te b/policy/modules/admin/su.te
index 1264d7a6..e662b94c 100644
--- a/policy/modules/admin/su.te
+++ b/policy/modules/admin/su.te
@@ -1,4 +1,4 @@
-policy_module(su, 1.14.1)
+policy_module(su, 1.14.2)
 
 ########################################
 #

diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 43c83620..59dc8c86 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -1,4 +1,4 @@
-policy_module(authlogin, 2.10.2)
+policy_module(authlogin, 2.10.3)
 
 ########################################
 #

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index c9c1eb6b..c784280e 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 2.2.7)
+policy_module(init, 2.2.8)
 
 gen_require(`
 	class passwd rootok;

diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
index 964239a4..b616794d 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -1,4 +1,4 @@
-policy_module(locallogin, 1.15.1)
+policy_module(locallogin, 1.15.2)
 
 ########################################
 #

diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 931d8591..01f32fb1 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -1,4 +1,4 @@
-policy_module(selinuxutil, 1.22.4)
+policy_module(selinuxutil, 1.22.5)
 
 gen_require(`
 	bool secure_mode;



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/admin/
@ 2021-11-11 21:27 Jason Zaman
From: Jason Zaman @ 2021-11-11 21:27 UTC (permalink / raw
  To: gentoo-commits

commit:     459df0bed3a810a10ce4a7276873cb7c878641e3
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Sun Nov  7 01:30:53 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Nov 11 21:26:50 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=459df0be

usbguard, sysadm: misc fixes

Fixes for usbguard and allow sysadm to connect to usbguard to manage
devices at runtime.

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/admin/usbguard.te    | 3 +++
 policy/modules/system/userdomain.if | 4 ++++
 2 files changed, 7 insertions(+)

diff --git a/policy/modules/admin/usbguard.te b/policy/modules/admin/usbguard.te
index 9304ef5b..cca00cdb 100644
--- a/policy/modules/admin/usbguard.te
+++ b/policy/modules/admin/usbguard.te
@@ -40,6 +40,7 @@ files_tmpfs_file(usbguard_tmpfs_t)
 #
 
 allow usbguard_t self:capability { chown dac_read_search fowner };
+allow usbguard_t self:process { getcap signal };
 allow usbguard_t self:netlink_kobject_uevent_socket create_socket_perms;
 allow usbguard_t self:unix_stream_socket rw_stream_socket_perms;
 
@@ -72,6 +73,8 @@ init_search_runtime(usbguard_t)
 logging_send_audit_msgs(usbguard_t)
 logging_send_syslog_msg(usbguard_t)
 
+miscfiles_read_localization(usbguard_t)
+
 tunable_policy(`usbguard_user_modify_rule_files',`
 	manage_files_pattern(usbguard_t, usbguard_conf_t, usbguard_rules_t)
 ')

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 1539477e..958e088f 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1439,6 +1439,10 @@ template(`userdom_admin_user_template',`
 		postgresql_unconfined($1_t)
 	')
 
+	optional_policy(`
+		usbguard_stream_connect($1_t)
+	')
+
 	optional_policy(`
 		userhelper_exec($1_t)
 	')
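Review bot: `usbguard_stream_connect($1_t)` is added to userdom_admin_user_template, so every domain instantiated from that template gains access to usbguard's control socket, while the commit message only names sysadm; if other admin user domains are built from this template they also receive the ability to authorize or block USB devices at runtime, so confirm that set of callers is intended. The neighbouring optional_policy blocks carry no comments, but this one changes a physical-device policy decision and is worth a line such as `# manage USB device authorization at runtime` above the call.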



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/admin/
@ 2021-11-12  2:00 Jason Zaman
From: Jason Zaman @ 2021-11-12  2:00 UTC (permalink / raw
  To: gentoo-commits

commit:     9174cbc3bf8727c0070cb081cb94a7289176bec8
Author:     Jonathan Davies <jpds <AT> protonmail <DOT> com>
AuthorDate: Fri Apr 23 17:31:54 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Nov 12 01:53:00 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9174cbc3

Added policy for ss to access netlink.

Closes: https://github.com/perfinion/hardened-refpolicy/pull/23
Signed-off-by: Jonathan Davies <jpds <AT> protonmail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/admin/netutils.fc    |  1 +
 policy/modules/admin/netutils.if    | 44 +++++++++++++++++++++++++++++++++++++
 policy/modules/admin/netutils.te    | 23 +++++++++++++++++++
 policy/modules/system/userdomain.if |  4 ++++
 4 files changed, 72 insertions(+)

diff --git a/policy/modules/admin/netutils.fc b/policy/modules/admin/netutils.fc
index 13bd901c..3086ab3d 100644
--- a/policy/modules/admin/netutils.fc
+++ b/policy/modules/admin/netutils.fc
@@ -17,5 +17,6 @@
 /usr/sbin/hping2	--	gen_context(system_u:object_r:ping_exec_t,s0)
 /usr/sbin/iptstate	--	gen_context(system_u:object_r:netutils_exec_t,s0)
 /usr/sbin/send_arp	--	gen_context(system_u:object_r:ping_exec_t,s0)
+/usr/sbin/ss		--	gen_context(system_u:object_r:ss_exec_t,s0)
 /usr/sbin/tcpdump	--	gen_context(system_u:object_r:netutils_exec_t,s0)
 /usr/sbin/traceroute.*	--	gen_context(system_u:object_r:traceroute_exec_t,s0)

diff --git a/policy/modules/admin/netutils.if b/policy/modules/admin/netutils.if
index c6ca761c..d7b9d342 100644
--- a/policy/modules/admin/netutils.if
+++ b/policy/modules/admin/netutils.if
@@ -212,6 +212,50 @@ interface(`netutils_exec_ping',`
 	can_exec($1, ping_exec_t)
 ')
 
+########################################
+## <summary>
+##      Execute a domain transition to run ss.
+## </summary>
+## <param name="domain">
+## <summary>
+##      Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`netutils_domtrans_ss',`
+        gen_require(`
+		type ss_t, ss_exec_t;
+        ')
+
+        corecmd_search_bin($1)
+        domtrans_pattern($1, ss_exec_t, ss_t)
+')
+
+########################################
+## <summary>
+##      Execute ss in the ss domain, and
+##      allow the specified role the ss domain.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed to transition.
+##      </summary>
+## </param>
+## <param name="role">
+##      <summary>
+##      Role allowed access.
+##      </summary>
+## </param>
+#
+interface(`netutils_run_ss',`
+        gen_require(`
+		type ss_t;
+        ')
+
+        netutils_domtrans_ss($1)
+        role $2 types ss_t;
+')
+
 ########################################
 ## <summary>
 ##	Execute traceroute in the traceroute domain.
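Review bot: Both new interfaces indent their bodies with eight spaces (`        gen_require(``, `        corecmd_search_bin($1)`, `        role $2 types ss_t;`) while the `type ss_t, ss_exec_t;` lines inside them and the surrounding file (`	can_exec($1, ping_exec_t)` in context) use a tab; the `##` documentation lines likewise use spaces where the adjacent traceroute interface uses `##	`. Convert both interface blocks to tab indentation so they match refpolicy style and the rest of netutils.if.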

diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index 7210c776..d7f4a691 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -23,6 +23,10 @@ type ping_t;
 type ping_exec_t;
 init_system_domain(ping_t, ping_exec_t)
 
+type ss_t;
+type ss_exec_t;
+userdom_user_application_domain(ss_t, ss_exec_t)
+
 type traceroute_t;
 type traceroute_exec_t;
 init_system_domain(traceroute_t, traceroute_exec_t)
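Review bot: ss_t is declared with `userdom_user_application_domain(ss_t, ss_exec_t)` while the sibling ping_t and traceroute_t declarations in the same hunk use init_system_domain(); the difference looks intentional given the run interface is only wired into a user template, but nothing says so. A one-line comment above the declaration, e.g. `# ss is run interactively by admin roles, not from init scripts`, would keep a later reader from aligning it with its neighbours.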
@@ -148,6 +152,25 @@ optional_policy(`
 	munin_append_log(ping_t)
 ')
 
+########################################
+#
+# ss local policy
+#
+
+allow ss_t self:capability net_admin;
+allow ss_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
+
+kernel_read_net_sysctls(ss_t)
+kernel_read_network_state(ss_t)
+kernel_read_proc_symlinks(ss_t)
+kernel_read_system_state(ss_t)
+
+domain_use_interactive_fds(ss_t)
+
+files_read_etc_files(ss_t)
+
+userdom_use_inherited_user_terminals(ss_t)
+
 ########################################
 #
 # Traceroute local policy
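Review bot: `allow ss_t self:capability net_admin;` grants CAP_NET_ADMIN to every caller that reaches ss_t through netutils_run_ss(), yet plain socket listing over sock_diag (the r_netlink_socket_perms on netlink_tcpdiag_socket granted on the next line) does not need it; as far as I know the kernel only checks that capability for destructive requests such as socket destruction (`ss -K`). Either justify the capability with a comment naming the operation that needs it, or drop it and dontaudit it if the rule came from an incidental probe. Minor: the section header `# ss local policy` should be capitalised like the neighbouring `# Traceroute local policy`.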

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 958e088f..f916aa90 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1556,6 +1556,10 @@ interface(`userdom_security_admin_template',`
 		netlabel_run_mgmt($1, $2)
 	')
 
+	optional_policy(`
+		netutils_run_ss($1, $2)
+	')
+
 	optional_policy(`
 		samhain_run($1, $2)
 	')
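Review bot: The `netutils_run_ss($1, $2)` transition is added only to userdom_security_admin_template, so domains built from the ordinary admin user template presumably keep running ss in their own domain rather than in ss_t; the commit message ("Added policy for ss to access netlink") does not record that choice. A short note in the message or a comment above the block, e.g. `# security admins run ss in its own domain`, would make the intended scope explicit.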



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/admin/
@ 2023-02-13 15:35 Kenton Groombridge
From: Kenton Groombridge @ 2023-02-13 15:35 UTC (permalink / raw
  To: gentoo-commits

commit:     6a125aa8a8498a230fc9c1ec2170ac2c65120501
Author:     Corentin LABBE <clabbe.montjoie <AT> gmail <DOT> com>
AuthorDate: Mon Jan  9 08:45:55 2023 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Mon Feb 13 15:24:03 2023 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6a125aa8

selinuxutil: do not audit load_policy trying to use portage ptys

Each time portage builds and installs a new SELinux policy I get the following AVC:
allow load_policy_t portage_devpts_t:chr_file { read write };

Signed-off-by: Corentin LABBE <clabbe.montjoie <AT> gmail.com>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/admin/portage.if      | 18 ++++++++++++++++++
 policy/modules/system/selinuxutil.te |  1 +
 2 files changed, 19 insertions(+)

diff --git a/policy/modules/admin/portage.if b/policy/modules/admin/portage.if
index 645e704b4..1202ceb28 100644
--- a/policy/modules/admin/portage.if
+++ b/policy/modules/admin/portage.if
@@ -324,6 +324,24 @@ interface(`portage_dontaudit_use_fds',`
 	dontaudit $1 portage_t:fd use;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to read and write inherited portage ptys.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`portage_dontaudit_use_inherited_ptys',`
+	gen_require(`
+		type portage_devpts_t;
+	')
+
+	dontaudit $1 portage_devpts_t:chr_file rw_inherited_term_perms;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to search the
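Review bot: The parameter description `##	Domain allowed access.` in the new portage_dontaudit_use_inherited_ptys interface does not fit a dontaudit interface, which grants nothing; refpolicy's convention for these is `##	Domain to not audit.`. Note also that rw_inherited_term_perms silences more than the `{ read write }` pair in the reported AVC (it normally includes getattr, append and ioctl as well), which is the sensible granularity for an inherited pty but worth stating in the summary so nobody later narrows it back to the two observed permissions.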

diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index c4be3ae68..5c7c1aec2 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -216,6 +216,7 @@ optional_policy(`
 
 optional_policy(`
 	portage_dontaudit_use_fds(load_policy_t)
+	portage_dontaudit_use_inherited_ptys(load_policy_t)
 ')
 
 optional_policy(`


