public inbox for gentoo-commits@lists.gentoo.org
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2012-05-28 12:39 Sven Vermeulen
  0 siblings, 0 replies; 299+ messages in thread
From: Sven Vermeulen @ 2012-05-28 12:39 UTC (permalink / raw
  To: gentoo-commits

commit:     7bfaff0b1cbe1b1d2c9d75f56f267eeeae7022dd
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Mon May 28 12:38:47 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon May 28 12:38:47 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=7bfaff0b

Fix typo, thanks to amade for noticing

---
 policy/modules/services/postgresql.if |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if
index 414397e..19b53b3 100644
--- a/policy/modules/services/postgresql.if
+++ b/policy/modules/services/postgresql.if
@@ -498,7 +498,7 @@ interface(`postgresql_unpriv_client',`
 	type_transition $1 sepgsql_database_type:db_blob unpriv_sepgsql_blob_t;
 
 	allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { getattr execute };
-	ype_transition $1 sepgsql_schema_type:db_procedure unpriv_sepgsql_proc_exec_t;
+	type_transition $1 sepgsql_schema_type:db_procedure unpriv_sepgsql_proc_exec_t;
 
 	allow $1 unpriv_sepgsql_schema_t:db_schema { getattr add_name remove_name };
 	type_transition $1 sepgsql_database_type:db_schema unpriv_sepgsql_schema_t;



^ permalink raw reply related	[flat|nested] 299+ messages in thread

* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2012-08-21 17:52 Sven Vermeulen
From: Sven Vermeulen @ 2012-08-21 17:52 UTC (permalink / raw
  To: gentoo-commits

commit:     33afc3c1bb08e65b6b426d8d1c354a7e65d117b7
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Aug 16 18:19:26 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Thu Aug 16 18:19:26 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=33afc3c1

The postgresql init script handles /run/postgresql

Allow the init script domain to create /run/postgresql with the proper file
context transition in place.

---
 policy/modules/services/postgresql.te |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
index 4318f73..b49c929 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -63,6 +63,7 @@ files_tmp_file(postgresql_tmp_t)
 
 type postgresql_var_run_t;
 files_pid_file(postgresql_var_run_t)
+init_daemon_run_dir(postgresql_var_run_t, "postgresql")
 
 # database clients attribute
 attribute sepgsql_admin_type;
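Review bot: the new rule lands without a policy_module version bump in postgresql.te; refpolicy bumps the module version whenever a module's rules change (the separate "Module version bump" commits later in this thread show the convention), so either bump here or say in the message that it is left to upstream. On substance, init_daemon_run_dir(postgresql_var_run_t, "postgresql") is the right interface for letting the init script create /run/postgresql with a transition to postgresql_var_run_t, matching the message.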



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2012-08-21 17:52 Sven Vermeulen
From: Sven Vermeulen @ 2012-08-21 17:52 UTC (permalink / raw
  To: gentoo-commits

commit:     308888a12ee5791053d6d80cfc49fc620b54ba83
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Aug 16 18:20:03 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Thu Aug 16 18:20:03 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=308888a1

Support executing postgresql utilities without transition

Clients that want to interact with postgresql need execute privileges on the
commands, but do not require domain transitions.

---
 policy/modules/services/postgresql.if |   18 ++++++++++++++++++
 1 files changed, 18 insertions(+), 0 deletions(-)

diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if
index ecef19f..81f87bd 100644
--- a/policy/modules/services/postgresql.if
+++ b/policy/modules/services/postgresql.if
@@ -334,6 +334,24 @@ interface(`postgresql_manage_db',`
 	allow $1 postgresql_db_t:lnk_file { getattr read };
 ')
 
+#######################################
+## <summary>
+##	Execute postgresql in the calling domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+#
+interface(`postgresql_exec',`
+	gen_require(`
+		type postgresql_exec_t;
+	')
+
+	can_exec($1, postgresql_exec_t);
+')
+
 ########################################
 ## <summary>
 ##	Execute postgresql in the postgresql domain.
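Review bot: style: the separator line above the new `<summary>` appears one character shorter than the 40-column rule used by the neighbouring interface header, and the param summary "Domain allowed access" lacks the trailing period used in the other interface docs in this thread ("Domain allowed access."). On substance, can_exec($1, postgresql_exec_t) with no domain transition means callers run the postgresql client binaries with their own privileges, which is the stated intent; anything that needs the server's privileges keeps using the "Execute postgresql in the postgresql domain" interface that follows.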



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2012-10-10 19:52 Sven Vermeulen
From: Sven Vermeulen @ 2012-10-10 19:52 UTC (permalink / raw
  To: gentoo-commits

commit:     193911a10b440767ca00db4c3dea347201109135
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Oct  6 16:10:38 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Oct 10 19:49:20 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=193911a1

Allow search within postgresql var directory for the stream connect interface

Domains that are granted postgresql_stream_connect() need to be able to search
through the postgresql_var_run_t directory (in which the socket is located).

Update the interface to use the stream_connect_pattern definition to simplify
the interface and make it more readable.

Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>

---
 policy/modules/services/postgresql.if |    7 +++----
 1 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if
index 81f87bd..85d430f 100644
--- a/policy/modules/services/postgresql.if
+++ b/policy/modules/services/postgresql.if
@@ -446,11 +446,10 @@ interface(`postgresql_stream_connect',`
 		type postgresql_t, postgresql_var_run_t, postgresql_tmp_t;
 	')
 
+	stream_connect_pattern($1, { postgresql_var_run_t postgresql_tmp_t }, { postgresql_var_run_t postgresql_tmp_t }, postgresql_t)
+
 	files_search_pids($1)
-	allow $1 postgresql_t:unix_stream_socket connectto;
-	allow $1 postgresql_var_run_t:sock_file write;
-	# Some versions of postgresql put the sock file in /tmp
-	allow $1 postgresql_tmp_t:sock_file write;
+	files_search_tmp($1)
 ')
 
 ########################################
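Review bot: the removed comment "Some versions of postgresql put the sock file in /tmp" was the only explanation of why postgresql_tmp_t is passed to stream_connect_pattern at all; keep it above the pattern call. Passing { postgresql_var_run_t postgresql_tmp_t } for both the directory and sock_file arguments grants search on the socket directories and write on the socket files of both types plus connectto on postgresql_t, which covers the missing search the message describes, and files_search_tmp($1) is the matching parent-directory search for the /tmp case.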



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2012-10-19 15:06 Sven Vermeulen
From: Sven Vermeulen @ 2012-10-19 15:06 UTC (permalink / raw
  To: gentoo-commits

commit:     1ff1d0a461809593992c333504120e362bded74b
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Fri Oct 19 12:49:43 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri Oct 19 15:03:49 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=1ff1d0a4

Rearrange new xserver interfaces.

---
 policy/modules/services/xserver.if |   26 +++++++++++++-------------
 1 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index 15abcfa..71e6d3b 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -713,8 +713,7 @@ interface(`xserver_dontaudit_rw_xdm_pipes',`
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete
-##	xdm_spool files.
+##	Read xdm process state files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -722,18 +721,21 @@ interface(`xserver_dontaudit_rw_xdm_pipes',`
 ##	</summary>
 ## </param>
 #
-interface(`xserver_manage_spool_files_xdm',`
+interface(`xserver_read_state_xdm',`
 	gen_require(`
-		type xdm_spool_t;
+		type xdm_t;
 	')
 
-	files_search_spool($1)
-	manage_files_pattern($1, xdm_spool_t, xdm_spool_t)
+	kernel_search_proc($1)
+	allow $1 xdm_t:dir list_dir_perms;
+	allow $1 xdm_t:file read_file_perms;
+	allow $1 xdm_t:lnk_file read_lnk_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Read xdm process state files.
+##	Create, read, write, and delete
+##	xdm_spool files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -741,15 +743,13 @@ interface(`xserver_manage_spool_files_xdm',`
 ##	</summary>
 ## </param>
 #
-interface(`xserver_read_state_xdm',`
+interface(`xserver_manage_spool_files_xdm',`
 	gen_require(`
-		type xdm_t;
+		type xdm_spool_t;
 	')
 
-	kernel_search_proc($1)
-	allow $1 xdm_t:dir list_dir_perms;
-	allow $1 xdm_t:file read_file_perms;
-	allow $1 xdm_t:lnk_file read_lnk_file_perms;
+	files_search_spool($1)
+	manage_files_pattern($1, xdm_spool_t, xdm_spool_t)
 ')
 
 ########################################



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2012-10-19 15:06 Sven Vermeulen
From: Sven Vermeulen @ 2012-10-19 15:06 UTC (permalink / raw
  To: gentoo-commits

commit:     5fdd3de696ee2118692e81678fa152cd5d3d80c6
Author:     Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Wed Oct 17 12:28:38 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri Oct 19 15:03:48 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=5fdd3de6

Changes to the xserver policy module

These interfaces are needed by at least plymouth

Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>

---
 policy/modules/services/xserver.if |   41 ++++++++++++++++++++++++++++++++++++
 1 files changed, 41 insertions(+), 0 deletions(-)

diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index 130ced9..15abcfa 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -713,6 +713,47 @@ interface(`xserver_dontaudit_rw_xdm_pipes',`
 
 ########################################
 ## <summary>
+##	Create, read, write, and delete
+##	xdm_spool files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_manage_spool_files_xdm',`
+	gen_require(`
+		type xdm_spool_t;
+	')
+
+	files_search_spool($1)
+	manage_files_pattern($1, xdm_spool_t, xdm_spool_t)
+')
+
+########################################
+## <summary>
+##	Read xdm process state files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_read_state_xdm',`
+	gen_require(`
+		type xdm_t;
+	')
+
+	kernel_search_proc($1)
+	allow $1 xdm_t:dir list_dir_perms;
+	allow $1 xdm_t:file read_file_perms;
+	allow $1 xdm_t:lnk_file read_lnk_file_perms;
+')
+
+########################################
+## <summary>
 ##	Connect to XDM over a unix domain
 ##	stream socket.
 ## </summary>
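Review bot: naming: both new interfaces put the object qualifier last (xserver_manage_spool_files_xdm, xserver_read_state_xdm) whereas refpolicy interface names run module_action_object, i.e. xserver_manage_xdm_spool_files and xserver_read_xdm_state (the rename commit later in this thread does exactly that). On scope: xserver_read_state_xdm grants list_dir_perms and read_file_perms on xdm_t, which for a process type means the caller can read the display manager's whole /proc/<pid> tree (environ, maps, status, not only cmdline); that is a deliberate but fairly wide grant for plymouth, so the summary could say "process state (/proc)" to make it explicit.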



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2012-10-19 15:06 Sven Vermeulen
From: Sven Vermeulen @ 2012-10-19 15:06 UTC (permalink / raw
  To: gentoo-commits

commit:     eddc2b0985e0cea5c485eaa5c6382444c923c3b0
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Fri Oct 19 12:58:54 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri Oct 19 15:03:54 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=eddc2b09

Module version bump for xserver interfaces from Dominick Grift.

---
 policy/modules/services/xserver.te |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index c44a6c3..74ab6e8 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -1,4 +1,4 @@
-policy_module(xserver, 3.8.2)
+policy_module(xserver, 3.8.3)
 
 gen_require(`
 	class x_drawable all_x_drawable_perms;



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2012-10-19 15:06 Sven Vermeulen
From: Sven Vermeulen @ 2012-10-19 15:06 UTC (permalink / raw
  To: gentoo-commits

commit:     e201c6d1dafe08298aa18dd51881eb9496aec12c
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Fri Oct 19 12:52:58 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri Oct 19 15:03:52 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=e201c6d1

Rename new xserver interfaces.

---
 policy/modules/services/xserver.if |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index 71e6d3b..6bf0ecc 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -721,7 +721,7 @@ interface(`xserver_dontaudit_rw_xdm_pipes',`
 ##	</summary>
 ## </param>
 #
-interface(`xserver_read_state_xdm',`
+interface(`xserver_read_xdm_state',`
 	gen_require(`
 		type xdm_t;
 	')
@@ -743,7 +743,7 @@ interface(`xserver_read_state_xdm',`
 ##	</summary>
 ## </param>
 #
-interface(`xserver_manage_spool_files_xdm',`
+interface(`xserver_manage_xdm_spool_files',`
 	gen_require(`
 		type xdm_spool_t;
 	')
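Review bot: the old names are dropped outright rather than kept as deprecated wrappers; since both interfaces were introduced only two days earlier (commit 5fdd3de6 in this thread) and no caller of the old names appears anywhere in this series, that is acceptable, but a rename of an interface that has shipped in a tagged release would need the deprecated-name wrapper so existing callers keep building.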



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2012-11-25 21:39 Sven Vermeulen
From: Sven Vermeulen @ 2012-11-25 21:39 UTC (permalink / raw
  To: gentoo-commits

commit:     51abb9d4bde449ab072cd8d922d22b89758ad823
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Nov 25 21:38:04 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sun Nov 25 21:38:19 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=51abb9d4

Postgresql 9.2 connects to its unix stream socket

When starting postgresql, it fails with the (little saying) error message:
pg_ctl: could not start server

In the denials, we notice:
Nov 24 10:41:52 lerya kernel: [1628900.540506] type=1400
audit(1353750112.021:10143): avc:  denied  { connectto } for  pid=20481
comm="pg_ctl" path="/run/postgresql/.s.PGSQL.5432" ipaddr=...
scontext=system_u:system_r:postgresql_t tcontext=system_u:system_r:postgresql_t
tclass=unix_stream_socket

Hence, allow postgresql to connect to its own stream socket.

See also bug #444540

---
 policy/modules/services/postgresql.te |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
index 0210aef..906a2c1 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -363,6 +363,10 @@ userdom_dontaudit_use_unpriv_user_fds(postgresql_t)
 userdom_dontaudit_search_user_home_dirs(postgresql_t)
 userdom_dontaudit_use_user_terminals(postgresql_t)
 
+ifdef(`distro_gentoo',`
+	allow postgresql_t self:unix_stream_socket connectto;
+')
+
 optional_policy(`
 	mta_getattr_spool(postgresql_t)
 ')
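Review bot: the ifdef(`distro_gentoo') guard is the wrong condition: pg_ctl connecting to the server's own socket is PostgreSQL 9.2 behaviour according to the message, not anything Gentoo-specific, so the permission belongs on the unconditional self:unix_stream_socket rule (the later commit c2097b39 in this thread does exactly that). The grant itself is as narrow as it can be: the denial shows scontext and tcontext both postgresql_t, so `self` with only `connectto` is correct.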



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2012-11-27 19:14 Sven Vermeulen
From: Sven Vermeulen @ 2012-11-27 19:14 UTC (permalink / raw
  To: gentoo-commits

commit:     36b2560dbdde3bbb74372a90a31e3aabe6547f5a
Author:     Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Sun Nov  4 01:23:10 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Tue Nov 27 19:00:47 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=36b2560d

Add Debian location for ssh-keysign

---
 policy/modules/services/ssh.fc |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
index 078bcd7..7df96c5 100644
--- a/policy/modules/services/ssh.fc
+++ b/policy/modules/services/ssh.fc
@@ -9,6 +9,8 @@ HOME_DIR/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
 /usr/bin/ssh-agent		--	gen_context(system_u:object_r:ssh_agent_exec_t,s0)
 /usr/bin/ssh-keygen		--	gen_context(system_u:object_r:ssh_keygen_exec_t,s0)
 
+/usr/lib/openssh/ssh-keysign	 --	gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
+
 /usr/libexec/openssh/ssh-keysign --	gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
 
 /usr/sbin/sshd			--	gen_context(system_u:object_r:sshd_exec_t,s0)
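Review bot: whitespace: the new entry separates the path from `--` with a tab followed by a space, while the neighbouring entries use tabs only; align it with the /usr/libexec/openssh/ssh-keysign line directly below. The label is right: giving the Debian path ssh_keysign_exec_t is what lets the helper run in its own domain on Debian as it already does via the libexec path, instead of in the calling ssh client's domain.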



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2012-11-27 19:14 Sven Vermeulen
From: Sven Vermeulen @ 2012-11-27 19:14 UTC (permalink / raw
  To: gentoo-commits

commit:     337cde6d5b13891f937f3f149431add69639d6ba
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Mon Nov 26 16:13:12 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Tue Nov 27 19:00:49 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=337cde6d

Module version bump for Debian ssh-keysign location from Laurent Bigonville.

---
 policy/modules/services/ssh.te |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index b17e27a..fc2a164 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -1,4 +1,4 @@
-policy_module(ssh, 2.3.0)
+policy_module(ssh, 2.3.1)
 
 ########################################
 #



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2012-12-07 15:36 Sven Vermeulen
From: Sven Vermeulen @ 2012-12-07 15:36 UTC (permalink / raw
  To: gentoo-commits

commit:     23451ed5292aeb37c7c9f8c7e9d8cf44c593c0cb
Author:     Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Wed Dec  5 20:39:22 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri Dec  7 15:30:09 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=23451ed5

Properly label all the ssh host keys

Be sure that we are labeling properly all ssh host keys even if new
algorithms are added in the future.

---
 policy/modules/services/ssh.fc |    4 +---
 1 files changed, 1 insertions(+), 3 deletions(-)

diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
index 7df96c5..76d9f66 100644
--- a/policy/modules/services/ssh.fc
+++ b/policy/modules/services/ssh.fc
@@ -1,9 +1,7 @@
 HOME_DIR/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
 
 /etc/ssh/primes			--	gen_context(system_u:object_r:sshd_key_t,s0)
-/etc/ssh/ssh_host_key 		--	gen_context(system_u:object_r:sshd_key_t,s0)
-/etc/ssh/ssh_host_dsa_key	--	gen_context(system_u:object_r:sshd_key_t,s0)
-/etc/ssh/ssh_host_rsa_key	--	gen_context(system_u:object_r:sshd_key_t,s0)
+/etc/ssh/ssh_host.*_key		--	gen_context(system_u:object_r:sshd_key_t,s0)
 
 /usr/bin/ssh			--	gen_context(system_u:object_r:ssh_exec_t,s0)
 /usr/bin/ssh-agent		--	gen_context(system_u:object_r:ssh_agent_exec_t,s0)
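Review bot: /etc/ssh/ssh_host.*_key is a little broader than the three entries it replaces. File context regexes are implicitly anchored at both ends, so the public halves (ssh_host_rsa_key.pub) are correctly left unlabelled as sshd_key_t, and ssh_host_key with no algorithm infix still matches because `.*` may be empty; but `.*` also matches `/`, so a path such as /etc/ssh/ssh_host_foo/bar_key would also get sshd_key_t. Suggest /etc/ssh/ssh_host[^/]*_key, which keeps the future-algorithm intent without crossing a directory boundary.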



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2012-12-07 15:36 Sven Vermeulen
From: Sven Vermeulen @ 2012-12-07 15:36 UTC (permalink / raw
  To: gentoo-commits

commit:     cff847fe93202b103dc1aa491911646fad63ebed
Author:     Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Wed Dec  5 20:39:28 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri Dec  7 15:35:40 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=cff847fe

Drop /etc/rc.d/init.d/xfree86-common filecontext definition

This only seems to be used in Debian and the file has been gone since 2006

---
 policy/modules/services/xserver.fc |    1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
index 4c22b50..136f1ef 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -29,7 +29,6 @@ HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 /etc/kde[34]?/kdm/backgroundrc	gen_context(system_u:object_r:xdm_var_run_t,s0)
 
 /etc/rc\.d/init\.d/x11-common -- gen_context(system_u:object_r:xdm_exec_t,s0)
-/etc/rc\.d/init\.d/xfree86-common --	gen_context(system_u:object_r:xserver_exec_t,s0)
 
 /etc/X11/[wx]dm/Xreset.* --	gen_context(system_u:object_r:xsession_exec_t,s0)
 /etc/X11/[wxg]dm/Xsession --	gen_context(system_u:object_r:xsession_exec_t,s0)



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2012-12-07 15:36 Sven Vermeulen
From: Sven Vermeulen @ 2012-12-07 15:36 UTC (permalink / raw
  To: gentoo-commits

commit:     8516e03e982f8ec6a75f0bc297c6e1e3bc156eb6
Author:     Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Wed Dec  5 20:39:27 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri Dec  7 15:33:36 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=8516e03e

Label /etc/rc.d/init.d/x11-common as xdm_exec_t

In Debian, this initscript is creating both /tmp/.X11-unix and
/tmp/.ICE-unix. This allows the directory to transition to the context
defined in the filecontext.

---
 policy/modules/services/xserver.fc |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
index 433d690..4c22b50 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -23,13 +23,14 @@ HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 /etc/gdm(3)?/PreSession/.*	--	gen_context(system_u:object_r:xsession_exec_t,s0)
 /etc/gdm(3)?/Xsession	--	gen_context(system_u:object_r:xsession_exec_t,s0)
 
-/etc/rc\.d/init\.d/xfree86-common --	gen_context(system_u:object_r:xserver_exec_t,s0)
-
 /etc/kde[34]?/kdm/Xstartup --	gen_context(system_u:object_r:xsession_exec_t,s0)
 /etc/kde[34]?/kdm/Xreset --	gen_context(system_u:object_r:xsession_exec_t,s0)
 /etc/kde[34]?/kdm/Xsession --	gen_context(system_u:object_r:xsession_exec_t,s0)
 /etc/kde[34]?/kdm/backgroundrc	gen_context(system_u:object_r:xdm_var_run_t,s0)
 
+/etc/rc\.d/init\.d/x11-common -- gen_context(system_u:object_r:xdm_exec_t,s0)
+/etc/rc\.d/init\.d/xfree86-common --	gen_context(system_u:object_r:xserver_exec_t,s0)
+
 /etc/X11/[wx]dm/Xreset.* --	gen_context(system_u:object_r:xsession_exec_t,s0)
 /etc/X11/[wxg]dm/Xsession --	gen_context(system_u:object_r:xsession_exec_t,s0)
 /etc/X11/wdm(/.*)?		gen_context(system_u:object_r:xdm_rw_etc_t,s0)
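Review bot: labeling the x11-common init script xdm_exec_t means init runs the entire shell script in the display-manager domain just to obtain the /tmp/.X11-unix and /tmp/.ICE-unix directory transitions described in the message; that is a wide grant for a script, and a narrower alternative is a named file transition for the init script domain on those two directory names. Also, the xfree86-common line is moved here only to be deleted in the next commit in this thread (cff847fe); squashing the two would avoid the churn.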



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2013-01-03 16:49 Sven Vermeulen
From: Sven Vermeulen @ 2013-01-03 16:49 UTC (permalink / raw
  To: gentoo-commits

commit:     c2097b396b8301c8fbea6c7e0ccf894f5a469f29
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Mon Dec 17 09:42:43 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Thu Jan  3 16:23:59 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=c2097b39

Postgresql 9.2 connects to its unix stream socket

When starting postgresql, it fails with the (little saying) error message:
pg_ctl: could not start server

In the denials, we notice:
Nov 24 10:41:52 lerya kernel: [1628900.540506] type=1400
audit(1353750112.021:10143): avc:  denied  { connectto } for  pid=20481
comm="pg_ctl" path="/run/postgresql/.s.PGSQL.5432" ipaddr=...
scontext=system_u:system_r:postgresql_t tcontext=system_u:system_r:postgresql_t
tclass=unix_stream_socket

Hence, allow postgresql to connect to its own stream socket.

Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>

---
 policy/modules/services/postgresql.te |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
index 906a2c1..5ccf1ba 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -234,7 +234,7 @@ allow postgresql_t self:shm create_shm_perms;
 allow postgresql_t self:tcp_socket create_stream_socket_perms;
 allow postgresql_t self:udp_socket create_stream_socket_perms;
 allow postgresql_t self:unix_dgram_socket create_socket_perms;
-allow postgresql_t self:unix_stream_socket create_stream_socket_perms;
+allow postgresql_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow postgresql_t self:netlink_selinux_socket create_socket_perms;
 tunable_policy(`sepgsql_transmit_client_label',`
 	allow postgresql_t self:process { setsockcreate };
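Review bot: the ifdef(`distro_gentoo') block granting self:unix_stream_socket connectto from commit 51abb9d4 (the 906a2c1 parent this diff is against) is not removed here, so after this commit the permission is granted twice; drop that block in the same change. Folding connectto into the unconditional rule is the right fix, since the behaviour belongs to PostgreSQL 9.2 rather than to Gentoo.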



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2013-07-23 12:02 Sven Vermeulen
From: Sven Vermeulen @ 2013-07-23 12:02 UTC (permalink / raw
  To: gentoo-commits

commit:     e4a2e7aef6f63743e93b33bb0c7be09c348b836e
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Jul 23 12:00:59 2013 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Tue Jul 23 12:00:59 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=e4a2e7ae

Mark PostgreSQL service as appropriate initrc script

The postgresql-* service scripts should be labeled as postgresql_initrc_exec_t
so that non-sysadmin users, when allowed by policy, can still manipulate the
service.

---
 policy/modules/services/postgresql.fc | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

diff --git a/policy/modules/services/postgresql.fc b/policy/modules/services/postgresql.fc
index d7bbc24..4ff317d 100644
--- a/policy/modules/services/postgresql.fc
+++ b/policy/modules/services/postgresql.fc
@@ -2,9 +2,6 @@
 # /etc
 #
 /etc/postgresql(/.*)?			gen_context(system_u:object_r:postgresql_etc_t,s0)
-ifdef(`distro_gentoo',`
-/etc/postgresql-.*(/.*)?		gen_context(system_u:object_r:postgresql_etc_t,s0)
-')
 /etc/rc\.d/init\.d/(se)?postgresql --	gen_context(system_u:object_r:postgresql_initrc_exec_t,s0)
 /etc/sysconfig/pgsql(/.*)? 		gen_context(system_u:object_r:postgresql_etc_t,s0)
 
@@ -16,7 +13,7 @@ ifdef(`distro_gentoo',`
 
 /usr/lib/pgsql/test/regress(/.*)?	gen_context(system_u:object_r:postgresql_db_t,s0)
 /usr/lib/pgsql/test/regress/pg_regress -- gen_context(system_u:object_r:postgresql_exec_t,s0)
-/usr/lib/postgresql/bin/.* --	gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql/bin/.*	--	gen_context(system_u:object_r:postgresql_exec_t,s0)
 
 ifdef(`distro_debian', `
 /usr/lib/postgresql/.*/bin/.*	--	gen_context(system_u:object_r:postgresql_exec_t,s0)
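Review bot: this hunk is a whitespace-only change (space to tab before `--` on the /usr/lib/postgresql/bin/.* line) unrelated to the initrc labeling the message describes; harmless, but mention it in the commit text or split it out so the diff stays reviewable.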
@@ -26,10 +23,6 @@ ifdef(`distro_redhat', `
 /usr/share/jonas/pgsql(/.*)?		gen_context(system_u:object_r:postgresql_db_t,s0)
 ')
 
-ifdef(`distro_gentoo',`
-/usr/lib/postgresql-.*/bin/.*	--	gen_context(system_u:object_r:postgresql_exec_t,s0)
-')
-
 #
 # /var
 #
@@ -53,3 +46,12 @@ ifdef(`distro_redhat', `
 /var/run/postgresql(/.*)?		gen_context(system_u:object_r:postgresql_var_run_t,s0)
 
 /var/run/postmaster.*			gen_context(system_u:object_r:postgresql_var_run_t,s0)
+
+ifdef(`distro_gentoo',`
+/etc/rc\.d/init\.d/postgresql-.*	--	gen_context(system_u:object_r:postgresql_initrc_exec_t,s0)
+
+/etc/postgresql-.*(/.*)?		gen_context(system_u:object_r:postgresql_etc_t,s0)
+
+/usr/lib/postgresql-.*/bin/.*	--	gen_context(system_u:object_r:postgresql_exec_t,s0)
+')
+
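Review bot: the added block ends with a `+` blank line after the closing `')`, which leaves a trailing empty line at end of file; drop it. Consolidating the three distro_gentoo contexts into one block is tidy, and the new /etc/rc\.d/init\.d/postgresql-.* entry is what the message needs so that the versioned service scripts are postgresql_initrc_exec_t and can be managed by non-sysadmin users where policy allows it.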



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2013-09-24 17:10 Sven Vermeulen
From: Sven Vermeulen @ 2013-09-24 17:10 UTC (permalink / raw
  To: gentoo-commits

commit:     fc120561aecf2754b2f6e690a8e2c2bccddd9201
Author:     Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Fri Aug 16 11:03:07 2013 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Sep 24 13:39:07 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=fc120561

The kerberos_keytab_template() template is deprecated: Breaks monolithic build (out-of-scope)

This keytab functionality should be re-evaluated because it does not
make sense in its current implementation

Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>

---
 policy/modules/services/ssh.te | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index eada65c..568c335 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -74,6 +74,9 @@ typealias ssh_home_t alias { home_ssh_t user_ssh_home_t user_home_ssh_t staff_ho
 typealias ssh_home_t alias { auditadm_home_ssh_t secadm_home_ssh_t };
 userdom_user_home_content(ssh_home_t)
 
+type sshd_keytab_t;
+files_type(sshd_keytab_t)
+
 ##############################
 #
 # SSH client local policy
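Review bot: sshd_keytab_t is declared with files_type() but nothing in this commit labels a file with it (ssh.fc is untouched), and the last hunk reads the keytab via kerberos_read_keytab(sshd_t) instead; as it stands the new type and the allow rule on it in the next hunk are dead. Either add the file context for the sshd keytab or drop the type and its rule, which fits the message's own remark that the per-service keytab approach needs re-evaluation.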
@@ -224,6 +227,8 @@ optional_policy(`
 allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
 allow sshd_t self:key { search link write };
 
+allow sshd_t sshd_keytab_t:file read_file_perms;
+
 manage_dirs_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
 manage_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
 manage_sock_files_pattern(sshd_t, sshd_tmp_t, sshd_tmp_t)
@@ -261,7 +266,8 @@ optional_policy(`
 ')
 
 optional_policy(`
-	kerberos_keytab_template(sshd, sshd_t)
+	kerberos_read_keytab(sshd_t)
+	kerberos_use(sshd_t)
 ')
 
 optional_policy(`



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2013-09-24 17:10 Sven Vermeulen
From: Sven Vermeulen @ 2013-09-24 17:10 UTC (permalink / raw
  To: gentoo-commits

commit:     e230f3bb3244c34ebe1ff823d038c5bb85ff272a
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Mon Sep 23 18:28:00 2013 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Sep 24 13:39:11 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=e230f3bb

Module version bump for kerberos keytab changes for ssh from Dominick Grift.

---
 policy/modules/services/ssh.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 568c335..6977e7a 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -1,4 +1,4 @@
-policy_module(ssh, 2.4.0)
+policy_module(ssh, 2.4.1)
 
 ########################################
 #



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2013-09-27 13:27 Sven Vermeulen
From: Sven Vermeulen @ 2013-09-27 13:27 UTC
  To: gentoo-commits

commit:     1963fdd9c7e624dce82bdfb16cb3060fbad08ea2
Author:     Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Thu Sep 26 13:35:49 2013 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Sep 27 13:26:26 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=1963fdd9

xdm: is a system bus client and acquires service on the system bus
xdm: dbus chat with accounts-daemon

Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>

---
 policy/modules/services/xserver.te | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 64e47af..fb6c2b8 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -518,6 +518,15 @@ optional_policy(`
 ')
 
 optional_policy(`
+	dbus_system_bus_client(xdm_t)
+	dbus_connect_system_bus(xdm_t)
+
+	optional_policy(`
+		accountsd_dbus_chat(xdm_t)
+	')
+')
+
+optional_policy(`
 	# Talk to the console mouse server.
 	gpm_stream_connect(xdm_t)
 	gpm_setattr_gpmctl(xdm_t)
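Review bot: the nested optional_policy for accountsd_dbus_chat(xdm_t) is correctly placed inside the dbus optional block, since it is meaningless without the dbus module, but the hunk carries no comment on why the display manager needs to chat with accounts-daemon; add one in the style of the neighbouring gpm block ('# Talk to the console mouse server.') so the reason for the extra bus peer survives in the policy source, and mention in the message that a chat interface lets accounts-daemon message xdm_t as well, not only the reverse.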



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2013-09-27 13:27 Sven Vermeulen
From: Sven Vermeulen @ 2013-09-27 13:27 UTC
  To: gentoo-commits

commit:     17d2fc2227d0c2fae5a58f04ffd21a5cde8def2c
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Thu Sep 26 14:48:55 2013 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Sep 27 13:23:34 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=17d2fc22

Module version bump for slim fc entries from Sven Vermeulen.

---
 policy/modules/services/xserver.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 25f3cc6..64e47af 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -1,4 +1,4 @@
-policy_module(xserver, 3.9.1)
+policy_module(xserver, 3.9.2)
 
 gen_require(`
 	class x_drawable all_x_drawable_perms;



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2013-09-27 13:27 Sven Vermeulen
From: Sven Vermeulen @ 2013-09-27 13:27 UTC
  To: gentoo-commits

commit:     4197798184b39f3bcf07425e048301f164668ac5
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Thu Sep 26 15:09:28 2013 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Sep 27 13:26:29 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=41977981

Module version bump for xdm dbus access from Dominick Grift.

---
 policy/modules/services/xserver.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index fb6c2b8..671c5bb 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -1,4 +1,4 @@
-policy_module(xserver, 3.9.2)
+policy_module(xserver, 3.9.3)
 
 gen_require(`
 	class x_drawable all_x_drawable_perms;



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2013-09-27 13:27 Sven Vermeulen
From: Sven Vermeulen @ 2013-09-27 13:27 UTC
  To: gentoo-commits

commit:     1eb5b981533b6974ce7b7e7c603f5d7a8e258f21
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Sep 25 18:26:31 2013 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Sep 27 13:23:32 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=1eb5b981

Extend slim /var/run expression

On Gentoo, slim files are not in /var/run/slim, but directly in
/var/run. All names start with slim though, so changing the expression
to match those as well.

There is already a file transition in place (xdm_t writing files in
var_run_t -> xdm_var_run_t) so that needs no further changes.

Reported-by: Luis Ressel <aranea <AT> aixah.de>
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>

---
 policy/modules/services/xserver.fc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
index ad8b197..8cd4625 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -108,7 +108,7 @@ ifndef(`distro_debian',`
 /var/run/lxdm\.auth	--	gen_context(system_u:object_r:xdm_var_run_t,s0)
 /var/run/lxdm\.pid	--	gen_context(system_u:object_r:xdm_var_run_t,s0)
 /var/run/lxdm(/.*)?		gen_context(system_u:object_r:xdm_var_run_t,s0)
-/var/run/slim(/.*)?		gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/slim.*			gen_context(system_u:object_r:xdm_var_run_t,s0)
 /var/run/xauth(/.*)?		gen_context(system_u:object_r:xdm_var_run_t,s0)
 /var/run/xdmctl(/.*)?		gen_context(system_u:object_r:xdm_var_run_t,s0)
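Review bot: `/var/run/slim.*` drops the directory anchoring of the old `(/.*)?` form, so it now matches every path whose name merely starts with the characters slim under /var/run, including unrelated names such as a hypothetical /var/run/slimserver.pid, and labels them xdm_var_run_t. If the Gentoo files are of the form slim.<suffix>, a tighter expression such as `/var/run/slim(\..*|/.*)?` expresses that without the over-match and stays in line with the `/var/run/lxdm\.auth` and `/var/run/lxdm(/.*)?` entries above it.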
 



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2013-12-06 17:33 Sven Vermeulen
From: Sven Vermeulen @ 2013-12-06 17:33 UTC
  To: gentoo-commits

commit:     a8b24b78cfd0b208f8d092ca53b29cc4cb322e4b
Author:     Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Sat Nov  9 09:45:18 2013 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Dec  6 17:30:14 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=a8b24b78

xserver: already allowed by auth_login_pgm_domain(xdm_t)

Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>

---
 policy/modules/services/xserver.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 969ed6c..8e0d2d4 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -305,7 +305,7 @@ optional_policy(`
 #
 
 allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
-allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate };
+allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms };
 allow xdm_t self:fifo_file rw_fifo_file_perms;
 allow xdm_t self:shm create_shm_perms;
 allow xdm_t self:sem create_sem_perms;
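Review bot: the commit message justifies dropping setkeycreate with auth_login_pgm_domain(xdm_t), but that call is outside this hunk's context; confirm it is invoked unconditionally for xdm_t (not inside an optional_policy or tunable block), otherwise xdm loses the ability to set the keyring creation context for sessions and the removal is a regression rather than a cleanup.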



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2013-12-09 14:37 Sven Vermeulen
From: Sven Vermeulen @ 2013-12-09 14:37 UTC
  To: gentoo-commits

commit:     26aa2f301f6a2a53897e23e2272d988e0233da75
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Mon Dec  9 14:36:16 2013 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Dec  9 14:36:16 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=26aa2f30

Duplicate line, and should be in optional statement anyhow

---
 policy/modules/services/xserver.te | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 158c2c1..8fece92 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -600,9 +600,6 @@ type_transition root_xdrawable_t input_xevent_t:x_event root_input_xevent_t;
 allow xserver_t { root_xdrawable_t x_domain }:x_drawable send;
 allow xserver_t input_xevent_t:x_event send;
 
-# Allow X to process keyboard events
-udev_read_db(xserver_t)
-
 # setuid/setgid for the wrapper program to change UID
 # sys_rawio is for iopl access - should not be needed for frame-buffer
 # sys_admin, locking shared mem?  chowning IPC message queues or semaphores?
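Review bot: the comment '# Allow X to process keyboard events' goes away with the duplicate rule, which loses the only stated reason for udev_read_db(xserver_t); move it onto the copy that is kept inside its optional_policy block (not visible in this hunk) and verify that copy really exists before this one is removed, since the diff itself shows only one call and the duplication is asserted by the commit message alone.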



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2014-01-19 19:01 Sven Vermeulen
From: Sven Vermeulen @ 2014-01-19 19:01 UTC
  To: gentoo-commits

commit:     5903f5d287917c6e41ba89740c28eff0809b79dc
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Wed Jan  8 18:58:51 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Jan 19 18:50:22 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=5903f5d2

Module version bump for xserver change from Dominick Grift.

---
 policy/modules/services/xserver.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index c90df6f..c4739fc 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -1,4 +1,4 @@
-policy_module(xserver, 3.9.5)
+policy_module(xserver, 3.9.6)
 
 gen_require(`
 	class x_drawable all_x_drawable_perms;



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2014-01-19 19:01 Sven Vermeulen
From: Sven Vermeulen @ 2014-01-19 19:01 UTC
  To: gentoo-commits

commit:     2ebc952d351ecc57e2a024f7df7bbf6872cad2a4
Author:     Dominick Grift <errno13 <AT> gmail <DOT> com>
AuthorDate: Sat Dec  7 19:17:43 2013 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Jan 19 18:50:19 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=2ebc952d

xserver: These are no longer needed

Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>

---
 policy/modules/services/xserver.te | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 8fece92..c90df6f 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -745,11 +745,6 @@ userdom_rw_user_tmpfs_files(xserver_t)
 
 xserver_use_user_fonts(xserver_t)
 
-ifndef(`distro_redhat',`
-	allow xserver_t self:process { execmem execheap execstack };
-	domain_mmap_low_uncond(xserver_t)
-')
-
 ifdef(`distro_rhel4',`
 	allow xserver_t self:process { execmem execheap execstack };
 ')
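Review bot: removing execmem/execheap/execstack and domain_mmap_low_uncond from xserver_t on every non-Red Hat distribution is a genuine hardening change, not just cleanup, yet the message only says 'no longer needed'; since the ifdef(`distro_rhel4') block directly below keeps granting the same process permissions, state which X server or driver change made the generic case unnecessary so that denials reported later on older drivers can be tied to this commit, and say whether the rhel4 block is meant to follow.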



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2014-02-09 10:54 Sven Vermeulen
From: Sven Vermeulen @ 2014-02-09 10:54 UTC
  To: gentoo-commits

commit:     d9f1c1dbc714bd8209b53994b0e2c15b68fee63b
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Thu Feb  6 14:13:44 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Feb  9 10:51:01 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=d9f1c1db

Module version bump for pid file directory from Russell Coker/Laurent Bigonville.

---
 policy/modules/services/ssh.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 70bad35..2022f28 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -1,4 +1,4 @@
-policy_module(ssh, 2.4.3)
+policy_module(ssh, 2.4.4)
 
 ########################################
 #



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2014-02-09 10:54 Sven Vermeulen
From: Sven Vermeulen @ 2014-02-09 10:54 UTC
  To: gentoo-commits

commit:     3c19ea3eb2b246159664f9a06503d10c06260b67
Author:     Chris PeBenito <pebenito <AT> gentoo <DOT> org>
AuthorDate: Sat Feb  8 13:41:05 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Feb  9 10:51:09 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=3c19ea3e

Module version bump for ssh use of gpg-agent from Luis Ressel.

---
 policy/modules/services/ssh.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index e7b6412..141d76c 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -1,4 +1,4 @@
-policy_module(ssh, 2.4.4)
+policy_module(ssh, 2.4.5)
 
 ########################################
 #



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2014-02-09 10:54 Sven Vermeulen
From: Sven Vermeulen @ 2014-02-09 10:54 UTC
  To: gentoo-commits

commit:     0cc26bea9b48fa43b815a9da5013c0d60a0ec770
Author:     Chris PeBenito <pebenito <AT> gentoo <DOT> org>
AuthorDate: Sat Feb  8 13:40:37 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Feb  9 10:51:07 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=0cc26bea

Rearrange gpg agent calls.

---
 policy/modules/services/ssh.if | 10 +++++-----
 policy/modules/services/ssh.te | 10 +++++-----
 2 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index dbce034..cbd0cdd 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -423,16 +423,16 @@ template(`ssh_role_template',`
 	')
 
 	optional_policy(`
-		xserver_use_xdm_fds($1_ssh_agent_t)
-		xserver_rw_xdm_pipes($1_ssh_agent_t)
-	')
-
-	optional_policy(`
 		tunable_policy(`ssh_use_gpg_agent',`
 			# for ssh-add
 			gpg_stream_connect_agent($3)
 		')
 	')
+
+	optional_policy(`
+		xserver_use_xdm_fds($1_ssh_agent_t)
+		xserver_rw_xdm_pipes($1_ssh_agent_t)
+	')
 ')
 
 ########################################
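Review bot: pure reordering with no permission change: the gpg optional_policy block now precedes the xserver block, which matches the alphabetical ordering of optional_policy blocks by module name that refpolicy uses elsewhere; the same swap is applied to ssh.te below, so both files stay consistent.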

diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 48654c2..e7b6412 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -205,16 +205,16 @@ tunable_policy(`user_tcp_server',`
 ')
 
 optional_policy(`
-	xserver_user_x_domain_template(ssh, ssh_t, ssh_tmpfs_t)
-	xserver_domtrans_xauth(ssh_t)
-')
-
-optional_policy(`
 	tunable_policy(`ssh_use_gpg_agent',`
 		gpg_stream_connect_agent(ssh_t)
 	')
 ')
 
+optional_policy(`
+	xserver_user_x_domain_template(ssh, ssh_t, ssh_tmpfs_t)
+	xserver_domtrans_xauth(ssh_t)
+')
+
 ##############################
 #
 # ssh_keysign_t local policy



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2014-02-09 10:54 Sven Vermeulen
From: Sven Vermeulen @ 2014-02-09 10:54 UTC
  To: gentoo-commits

commit:     592e52f5dffbbbf004e77e8e1fd2dbcf921e2312
Author:     Chris PeBenito <pebenito <AT> gentoo <DOT> org>
AuthorDate: Sat Feb  8 13:24:41 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Feb  9 10:51:05 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=592e52f5

Rename gpg_agent_connect to gpg_stream_connect_agent.

---
 policy/modules/services/ssh.if | 2 +-
 policy/modules/services/ssh.te | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index 33ad1b4..dbce034 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -430,7 +430,7 @@ template(`ssh_role_template',`
 	optional_policy(`
 		tunable_policy(`ssh_use_gpg_agent',`
 			# for ssh-add
-			gpg_agent_connect($3)
+			gpg_stream_connect_agent($3)
 		')
 	')
 ')
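Review bot: only the two callers are renamed and the diffstat lists just ssh.if and ssh.te, so the gpg module must already export gpg_stream_connect_agent; if the interface itself is renamed in a separate commit, this one has to land after it, because an undefined interface name is not masked by optional_policy (that only guards against a missing module) and the policy build fails.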

diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 65b5be9..48654c2 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -211,7 +211,7 @@ optional_policy(`
 
 optional_policy(`
 	tunable_policy(`ssh_use_gpg_agent',`
-		gpg_agent_connect(ssh_t)
+		gpg_stream_connect_agent(ssh_t)
 	')
 ')
 



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2014-02-09 10:54 Sven Vermeulen
From: Sven Vermeulen @ 2014-02-09 10:54 UTC
  To: gentoo-commits

commit:     ee4eba3c01aff37e2c201ce4f998887aa0b211be
Author:     Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Sun Feb  2 12:19:31 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Feb  9 10:51:03 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=ee4eba3c

Conditionally allow ssh to use gpg-agent

gpg-agent also offers an ssh-compatible interface. This is useful e.g.
for smartcard authentication.

---
 policy/modules/services/ssh.if |  7 +++++++
 policy/modules/services/ssh.te | 13 +++++++++++++
 2 files changed, 20 insertions(+)

diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index 48eb1c8..33ad1b4 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -426,6 +426,13 @@ template(`ssh_role_template',`
 		xserver_use_xdm_fds($1_ssh_agent_t)
 		xserver_rw_xdm_pipes($1_ssh_agent_t)
 	')
+
+	optional_policy(`
+		tunable_policy(`ssh_use_gpg_agent',`
+			# for ssh-add
+			gpg_agent_connect($3)
+		')
+	')
 ')
 
 ########################################
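Review bot: gpg_agent_connect($3) grants the user domain, not $1_ssh_agent_t, access to the gpg-agent socket; that is the right subject for ssh-add as the comment says, and wrapping tunable_policy inside optional_policy is correct because the gpg module may be absent. Because the ssh_t client is covered separately in ssh.te, the two rules together are what the ssh_use_gpg_agent boolean switches on, so the tunable description should mention both.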

diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 2022f28..65b5be9 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -19,6 +19,13 @@ gen_tunable(allow_ssh_keysign, false)
 ## </desc>
 gen_tunable(ssh_sysadm_login, false)
 
+## <desc>
+## <p>
+## Allow ssh to use gpg-agent
+## </p>
+## </desc>
+gen_tunable(ssh_use_gpg_agent, false)
+
 attribute ssh_server;
 attribute ssh_agent_type;
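Review bot: the <desc> text 'Allow ssh to use gpg-agent' undersells what the boolean does: with the ssh.if hunk it also lets ssh-add in the user domain talk to gpg-agent. Expand the description with the ssh-compatible gpg-agent interface and the smartcard use case from the commit message so the documentation generated from it is accurate; the false default is the right choice, keeping the extra socket access opt-in.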
 
@@ -202,6 +209,12 @@ optional_policy(`
 	xserver_domtrans_xauth(ssh_t)
 ')
 
+optional_policy(`
+	tunable_policy(`ssh_use_gpg_agent',`
+		gpg_agent_connect(ssh_t)
+	')
+')
+
 ##############################
 #
 # ssh_keysign_t local policy



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2014-02-09 10:54 Sven Vermeulen
From: Sven Vermeulen @ 2014-02-09 10:54 UTC
  To: gentoo-commits

commit:     e75e43633695b99fd3892f07f94e9ff84da1b1e8
Author:     Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Wed Feb  5 21:23:32 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Feb  9 10:51:00 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=e75e4363

Move the ifdef at the end of the declaration block

---
 policy/modules/services/ssh.te | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 30726f2..70bad35 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -33,10 +33,6 @@ corecmd_executable_file(sshd_exec_t)
 ssh_server_template(sshd)
 init_daemon_domain(sshd_t, sshd_exec_t)
 
-ifdef(`distro_debian',`
-	init_daemon_run_dir(sshd_var_run_t, "sshd")
-')
-
 type sshd_key_t;
 files_type(sshd_key_t)
 
@@ -81,6 +77,10 @@ userdom_user_home_content(ssh_home_t)
 type sshd_keytab_t;
 files_type(sshd_keytab_t)
 
+ifdef(`distro_debian',`
+	init_daemon_run_dir(sshd_var_run_t, "sshd")
+')
+
 ##############################
 #
 # SSH client local policy
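Review bot: pure move with no rule change; init_daemon_run_dir(sshd_var_run_t, "sshd") now follows the sshd_keytab_t declaration, so it remains in the declarations section ahead of the client local policy, and the Debian-only run directory handling stays in one place.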



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2014-02-09 10:54 Sven Vermeulen
From: Sven Vermeulen @ 2014-02-09 10:54 UTC
  To: gentoo-commits

commit:     3c2ad3e4b5919b0012847ae45f7197cdc0830e94
Author:     Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Wed Feb  5 21:23:31 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Feb  9 10:50:58 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=3c2ad3e4

Add fcontext for sshd pidfile and directory used for privsep

Also allow sshd_t domain to chroot(2) in this directory as explained in
the README.privsep file in the openssh tarball.

Thanks to Russell Coker for this patch

---
 policy/modules/services/ssh.fc | 2 ++
 policy/modules/services/ssh.if | 1 +
 2 files changed, 3 insertions(+)

diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
index 76d9f66..8168244 100644
--- a/policy/modules/services/ssh.fc
+++ b/policy/modules/services/ssh.fc
@@ -13,4 +13,6 @@ HOME_DIR/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
 
 /usr/sbin/sshd			--	gen_context(system_u:object_r:sshd_exec_t,s0)
 
+/var/run/sshd(/.*)?			gen_context(system_u:object_r:sshd_var_run_t,s0)
 /var/run/sshd\.init\.pid	--	gen_context(system_u:object_r:sshd_var_run_t,s0)
+/var/run/sshd\.pid		--	gen_context(system_u:object_r:sshd_var_run_t,s0)

diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index fe0c682..48eb1c8 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -196,6 +196,7 @@ template(`ssh_server_template', `
 	manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
 	fs_tmpfs_filetrans($1_t, $1_tmpfs_t, file)
 
+	allow $1_t $1_var_run_t:dir search_dir_perms;
 	allow $1_t $1_var_run_t:file manage_file_perms;
 	files_pid_filetrans($1_t, $1_var_run_t, file)
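Review bot: search_dir_perms on $1_var_run_t:dir lets the daemon traverse into /var/run/sshd, but chroot(2) into it, which the commit message gives as the motivation, also needs the sys_chroot capability on $1_t; that rule is not in this hunk, so confirm ssh_server_template already grants it, otherwise privilege separation is still denied after this change.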
 



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2014-03-17  8:24 Sven Vermeulen
From: Sven Vermeulen @ 2014-03-17  8:24 UTC
  To: gentoo-commits

commit:     d231476b4c4483ab9106b351ea806a2aedb566b8
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Fri Mar 14 14:59:45 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Mar 17 08:19:31 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=d231476b

Module version bump for postgresql fc entries from Luis Ressel.

---
 policy/modules/services/postgresql.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
index 0306134..c771377 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -1,4 +1,4 @@
-policy_module(postgresql, 1.16.0)
+policy_module(postgresql, 1.16.1)
 
 gen_require(`
 	class db_database all_db_database_perms;



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2014-03-17  8:24 Sven Vermeulen
From: Sven Vermeulen @ 2014-03-17  8:24 UTC
  To: gentoo-commits

commit:     726a9fbcf9cdacba8a7aa6b220f19dcfc74c2a6a
Author:     Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Mon Mar  3 22:59:25 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Mar 17 08:19:36 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=726a9fbc

Label /usr/sbin/lightdm as xdm_exec_t

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=739163

---
 policy/modules/services/xserver.fc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
index 6d52bba..e1ac018 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -67,6 +67,7 @@ HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 /usr/bin/Xair		--	gen_context(system_u:object_r:xserver_exec_t,s0)
 /usr/bin/xauth		--	gen_context(system_u:object_r:xauth_exec_t,s0)
 /usr/bin/Xorg		--	gen_context(system_u:object_r:xserver_exec_t,s0)
+/usr/sbin/lightdm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
 
 /usr/lib/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
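Review bot: the new entry is inserted between /usr/bin/Xorg and the /usr/lib/qt line, out of the file's path ordering, while the other display managers in this file use `/usr/s?bin/...` patterns; move it next to them and consider `/usr/s?bin/lightdm` so the xdm_exec_t label also holds on distributions that install the binary in /usr/bin.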
 



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2014-03-17  8:24 Sven Vermeulen
From: Sven Vermeulen @ 2014-03-17  8:24 UTC
  To: gentoo-commits

commit:     967cdd987bf5e4aae9e88737264bdf5c1e84a49f
Author:     Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Sat Feb  8 17:31:52 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Mar 17 08:19:27 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=967cdd98

Add two postgresql file contexts from gentoo policy

Gentoo appends version numbers to the names of the init script and the
config directory.

---
 policy/modules/services/postgresql.fc | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/policy/modules/services/postgresql.fc b/policy/modules/services/postgresql.fc
index 4ff317d..2f877cb 100644
--- a/policy/modules/services/postgresql.fc
+++ b/policy/modules/services/postgresql.fc
@@ -1,8 +1,10 @@
 #
 # /etc
 #
-/etc/postgresql(/.*)?			gen_context(system_u:object_r:postgresql_etc_t,s0)
-/etc/rc\.d/init\.d/(se)?postgresql --	gen_context(system_u:object_r:postgresql_initrc_exec_t,s0)
+/etc/postgresql(-.*)?(/.*)?		gen_context(system_u:object_r:postgresql_etc_t,s0)
+
+/etc/rc\.d/init\.d/(se)?postgresql(-.*)?	--	gen_context(system_u:object_r:postgresql_initrc_exec_t,s0)
+
 /etc/sysconfig/pgsql(/.*)? 		gen_context(system_u:object_r:postgresql_etc_t,s0)
 
 #
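Review bot: in `/etc/postgresql(-.*)?(/.*)?` the `.*` inside `(-.*)?` also spans directory separators, so the trailing `(/.*)?` is redundant for dashed names and the pattern labels any path beginning with /etc/postgresql- as postgresql_etc_t, not only versioned configuration directories; `(-[^/]*)?` limits the version suffix to a single path component and keeps `(/.*)?` meaningful. The same applies to the init script line, where the `--` qualifier already restricts the match to regular files but `(-[^/]*)?` is still the clearer expression.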



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2014-03-17  8:24 Sven Vermeulen
From: Sven Vermeulen @ 2014-03-17  8:24 UTC
  To: gentoo-commits

commit:     68bd80a5f6023d63f1915c37cb6cd9637261aad6
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Fri Mar 14 15:17:22 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Mar 17 08:19:38 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=68bd80a5

Move lightdm line in xserver.fc.

---
 policy/modules/services/xserver.fc | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
index e1ac018..b46895a 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -67,10 +67,11 @@ HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 /usr/bin/Xair		--	gen_context(system_u:object_r:xserver_exec_t,s0)
 /usr/bin/xauth		--	gen_context(system_u:object_r:xauth_exec_t,s0)
 /usr/bin/Xorg		--	gen_context(system_u:object_r:xserver_exec_t,s0)
-/usr/sbin/lightdm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
 
 /usr/lib/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
 
+/usr/sbin/lightdm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
+
 /usr/X11R6/bin/[xgkw]dm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/X11R6/bin/iceauth	--	gen_context(system_u:object_r:iceauth_exec_t,s0)
 /usr/X11R6/bin/X	--	gen_context(system_u:object_r:xserver_exec_t,s0)



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2014-03-17  8:24 Sven Vermeulen
From: Sven Vermeulen @ 2014-03-17  8:24 UTC
  To: gentoo-commits

commit:     ceece5eec9b0035997cd68ec236fb80871e3f99b
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Fri Mar 14 14:10:32 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Mar 17 08:19:29 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=ceece5ee

Whitespace fix in postgresql.fc

---
 policy/modules/services/postgresql.fc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/services/postgresql.fc b/policy/modules/services/postgresql.fc
index 2f877cb..bb8cac8 100644
--- a/policy/modules/services/postgresql.fc
+++ b/policy/modules/services/postgresql.fc
@@ -3,7 +3,7 @@
 #
 /etc/postgresql(-.*)?(/.*)?		gen_context(system_u:object_r:postgresql_etc_t,s0)
 
-/etc/rc\.d/init\.d/(se)?postgresql(-.*)?	--	gen_context(system_u:object_r:postgresql_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/(se)?postgresql(-.*)? -- gen_context(system_u:object_r:postgresql_initrc_exec_t,s0)
 
 /etc/sysconfig/pgsql(/.*)? 		gen_context(system_u:object_r:postgresql_etc_t,s0)
 



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2014-03-17  8:24 Sven Vermeulen
From: Sven Vermeulen @ 2014-03-17  8:24 UTC
  To: gentoo-commits

commit:     1cc5841984e3ce4ad0866eceda64da0cb4b2ee48
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Fri Mar 14 15:17:44 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Mar 17 08:19:39 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=1cc58419

Whitespace fix in xserver.fc.

---
 policy/modules/services/xserver.fc | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
index b46895a..29c8138 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -19,8 +19,8 @@ HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 #
 # /etc
 #
-/etc/gdm(3)?/PostSession/.*	--	gen_context(system_u:object_r:xsession_exec_t,s0)
-/etc/gdm(3)?/PreSession/.*	--	gen_context(system_u:object_r:xsession_exec_t,s0)
+/etc/gdm(3)?/PostSession/.* --	gen_context(system_u:object_r:xsession_exec_t,s0)
+/etc/gdm(3)?/PreSession/.* --	gen_context(system_u:object_r:xsession_exec_t,s0)
 /etc/gdm(3)?/Xsession	--	gen_context(system_u:object_r:xsession_exec_t,s0)
 
 /etc/kde[34]?/kdm/Xstartup --	gen_context(system_u:object_r:xsession_exec_t,s0)
@@ -59,7 +59,7 @@ HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 
 /usr/s?bin/gdm(3)?	--	gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/s?bin/gdm-binary	--	gen_context(system_u:object_r:xdm_exec_t,s0)
-/usr/s?bin/lxdm(-binary)?	--	gen_context(system_u:object_r:xdm_exec_t,s0)
+/usr/s?bin/lxdm(-binary)? --	gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/s?bin/[xkw]dm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/bin/gpe-dm		--	gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/bin/iceauth	--	gen_context(system_u:object_r:iceauth_exec_t,s0)
@@ -105,7 +105,7 @@ ifndef(`distro_debian',`
 /var/log/XFree86.*	--	gen_context(system_u:object_r:xserver_log_t,s0)
 /var/log/Xorg.*		--	gen_context(system_u:object_r:xserver_log_t,s0)
 
-/var/run/gdm(3)?(/.*)?	gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/gdm(3)?(/.*)?		gen_context(system_u:object_r:xdm_var_run_t,s0)
 /var/run/gdm(3)?\.pid	--	gen_context(system_u:object_r:xdm_var_run_t,s0)
 /var/run/xdm\.pid	--	gen_context(system_u:object_r:xdm_var_run_t,s0)
 /var/run/lxdm\.auth	--	gen_context(system_u:object_r:xdm_var_run_t,s0)



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2014-03-25 20:41 Sven Vermeulen
  0 siblings, 0 replies; 299+ messages in thread
From: Sven Vermeulen @ 2014-03-25 20:41 UTC (permalink / raw
  To: gentoo-commits

commit:     91f3a004d5cfa695d1a21b0dc47c13058d234223
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Mar 25 20:27:42 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Mar 25 20:27:42 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=91f3a004

Merged with upstream

---
 policy/modules/services/postgresql.fc | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/policy/modules/services/postgresql.fc b/policy/modules/services/postgresql.fc
index bb8cac8..5a34c7b 100644
--- a/policy/modules/services/postgresql.fc
+++ b/policy/modules/services/postgresql.fc
@@ -50,10 +50,6 @@ ifdef(`distro_redhat', `
 /var/run/postmaster.*			gen_context(system_u:object_r:postgresql_var_run_t,s0)
 
 ifdef(`distro_gentoo',`
-/etc/rc\.d/init\.d/postgresql-.*	--	gen_context(system_u:object_r:postgresql_initrc_exec_t,s0)
-
-/etc/postgresql-.*(/.*)?		gen_context(system_u:object_r:postgresql_etc_t,s0)
-
 /usr/lib/postgresql-.*/bin/.*	--	gen_context(system_u:object_r:postgresql_exec_t,s0)
 ')
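Review bot: the commit message should say why these two Gentoo-only entries can go. The generic upstream patterns earlier in this same file, `/etc/postgresql(-.*)?(/.*)?` and `/etc/rc\.d/init\.d/(se)?postgresql(-.*)?`, already match the versioned Gentoo paths, so the removed lines were duplicates and nothing loses its label; "Merged with upstream" alone does not tell a reader that.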
 



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2014-04-17 19:04 Sven Vermeulen
  0 siblings, 0 replies; 299+ messages in thread
From: Sven Vermeulen @ 2014-04-17 19:04 UTC (permalink / raw
  To: gentoo-commits

commit:     b515caffd4a76d93c61b1b4a045bd1e922c8356c
Author:     Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Fri Apr 11 17:28:27 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Apr 17 19:03:39 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=b515caff

Allow the xdm_t domain to enter all the gkeyringd ones

During the opening of the session, the pam_gnome_keyring module is
starting the daemon in the gkeyringd user domain; allow xdm_t to
transition to it.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=742966

---
 policy/modules/services/xserver.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 6366abf..ac13180 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -528,6 +528,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	gnome_spec_domtrans_all_gkeyringd(xdm_t)
+')
+
+optional_policy(`
 	# Talk to the console mouse server.
 	gpm_stream_connect(xdm_t)
 	gpm_setattr_gpmctl(xdm_t)
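Review bot: the message describes an automatic transition ("allow xdm_t to transition to it"), but `gnome_spec_domtrans_all_gkeyringd` is a spec_domtrans interface, which in refpolicy naming grants the transition permission without a type_transition rule; the switch only happens when the caller (pam_gnome_keyring running inside xdm_t) explicitly requests the gkeyringd context. Say so in the message, and note that the "all" variant covers every user's gkeyringd domain at once, which is intended because xdm_t opens sessions for any user. The policy_module version line is not bumped here; a separate commit on this list does it.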



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2014-04-17 19:04 Sven Vermeulen
  0 siblings, 0 replies; 299+ messages in thread
From: Sven Vermeulen @ 2014-04-17 19:04 UTC (permalink / raw
  To: gentoo-commits

commit:     ea8a0b2e03f83982188736cf96997663996b8fda
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Tue Apr 15 18:51:53 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Apr 17 19:03:41 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=ea8a0b2e

Module version bump for gnome keyring fix from Laurent Bigonville.

---
 policy/modules/services/xserver.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index ac13180..e8c8c01 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -1,4 +1,4 @@
-policy_module(xserver, 3.10.0)
+policy_module(xserver, 3.10.1)
 
 gen_require(`
 	class x_drawable all_x_drawable_perms;



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2014-04-18 20:06 Sven Vermeulen
  0 siblings, 0 replies; 299+ messages in thread
From: Sven Vermeulen @ 2014-04-18 20:06 UTC (permalink / raw
  To: gentoo-commits

commit:     8e35f4e8a33a7428aa4fae2f72bc1e9da9f074a2
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Apr 18 20:05:33 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Apr 18 20:05:33 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=8e35f4e8

Update file contexts for LightDM

---
 policy/modules/services/xserver.fc | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
index 29c8138..9c8ebf8 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -118,3 +118,12 @@ ifndef(`distro_debian',`
 ifdef(`distro_suse',`
 /var/lib/pam_devperm/:0	--	gen_context(system_u:object_r:xdm_var_lib_t,s0)
 ')
+
+ifdef(`distro_gentoo',`
+/etc/lightdm/Xsession	--	gen_context(system_u:object_r:xsession_exec_t,s0)
+
+/var/cache/lightdm(/.*)?	gen_context(system_u:object_r:xdm_var_lib_t,s0)
+/var/lib/lightdm(/.*)?	gen_context(system_u:object_r:xdm_var_lib_t,s0)
+/var/log/lightdm(/.*)?	gen_context(system_u:object_r:xserver_log_t,s0)
+/var/run/lightdm(/.*)?	gen_context(system_u:object_r:xdm_var_run_t,s0)
+')
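Review bot: these are LightDM's default paths rather than Gentoo choices, so wrapping them in `ifdef(`distro_gentoo'` hides them from every other user of the policy; they belong in the unconditional part of the file next to the existing gdm and xdm entries, or in an upstream submission. Also, `/var/cache/lightdm(/.*)?` is labelled xdm_var_lib_t although it is cache content; that works, but a one-line comment saying the cache is deliberately treated as var_lib data would save the next reader a question.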



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2014-06-10 18:17 Sven Vermeulen
  0 siblings, 0 replies; 299+ messages in thread
From: Sven Vermeulen @ 2014-06-10 18:17 UTC (permalink / raw
  To: gentoo-commits

commit:     ee22b88958f80507f38476c8036ee1b9d24bd423
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed May 28 15:25:49 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Jun 10 18:12:49 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=ee22b889

xserver_t needs to enter dirs labeled xdm_var_run_t

The LightDM application stores its xauth file in a subdirectory
(/var/run/lightdm/root) which is labeled as xdm_var_run_t. As a result,
X11 (xserver_t) needs search rights to this location.

With this setup, X is run as follows:
  /usr/bin/X :0 -auth /var/run/lightdm/root/:0

Changes since v1:
- Use read_files_pattern instead of separate allow rules

Signed-off-by: Jason Zaman <jason <AT> perfinion.com>
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>

---
 policy/modules/services/xserver.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index e8c8c01..c096bba 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -824,7 +824,7 @@ allow xserver_t xdm_t:shm rw_shm_perms;
 allow xserver_t xdm_var_lib_t:file { getattr read };
 dontaudit xserver_t xdm_var_lib_t:dir search;
 
-allow xserver_t xdm_var_run_t:file read_file_perms;
+read_files_pattern(xserver_t, xdm_var_run_t, xdm_var_run_t)
 
 # Label pid and temporary files with derived types.
 manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
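Review bot: the replacement is a strict superset of the removed rule: read_files_pattern expands to read_file_perms on xdm_var_run_t files (what the old allow already granted) plus search_dir_perms on xdm_var_run_t directories, which is the search right the message asks for. One thing the message should spell out is that the search is granted on every directory carrying that type, not only /var/run/lightdm/root.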



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2014-06-10 18:17 Sven Vermeulen
  0 siblings, 0 replies; 299+ messages in thread
From: Sven Vermeulen @ 2014-06-10 18:17 UTC (permalink / raw
  To: gentoo-commits

commit:     fcd9103749c10057508ffd8efc08f3a4559c5e39
Author:     Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Wed Jun  4 15:12:40 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Jun 10 18:14:28 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=fcd91037

Allow xdm_t to transition to shutdown_t domain

Several DMs offer the possibility to shutdown the system. I personally
don't think a bool is necessary for this permission, but I wouldn't
oppose one either.

---
 policy/modules/services/xserver.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 909782e..a3aa4bc 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -563,6 +563,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	shutdown_domtrans(xdm_t)
+')
+
+optional_policy(`
 	udev_read_db(xdm_t)
 ')
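Review bot: this gives every process running as xdm_t an unconditional path into shutdown_t, so the display manager and any PAM module it loads in-process can power the host off. The message already floats a boolean; a tunable_policy around the call would let administrators who run a display manager without a shutdown button keep the transition off per host, whereas the optional_policy block only drops it when the shutdown module is absent altogether. No module version bump in this commit either.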
 



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2014-08-13 20:02 Sven Vermeulen
  0 siblings, 0 replies; 299+ messages in thread
From: Sven Vermeulen @ 2014-08-13 20:02 UTC (permalink / raw
  To: gentoo-commits

commit:     715c4095e06198adb8aaaafe11cf332292d8e7ea
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Aug 13 19:57:16 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Aug 13 19:57:16 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=715c4095

Moving Gentoo specifics downward

---
 policy/modules/services/xserver.te | 22 ++++++++++++++++++----
 1 file changed, 18 insertions(+), 4 deletions(-)

diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index f2cc9b3..7119319 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -230,14 +230,11 @@ userdom_user_home_dir_filetrans(iceauth_t, iceauth_home_t, file)
 
 allow xdm_t iceauth_home_t:file read_file_perms;
 
-files_search_tmp(iceauth_t)
 fs_search_auto_mountpoints(iceauth_t)
 
 userdom_use_user_terminals(iceauth_t)
 userdom_read_user_tmp_files(iceauth_t)
 
-getty_use_fds(iceauth_t)
-
 tunable_policy(`use_nfs_home_dirs',`
 	fs_manage_nfs_files(iceauth_t)
 ')
@@ -281,7 +278,6 @@ auth_use_nsswitch(xauth_t)
 
 userdom_use_user_terminals(xauth_t)
 userdom_read_user_tmp_files(xauth_t)
-userdom_read_user_tmp_files(xserver_t)
 
 xserver_rw_xdm_tmp_files(xauth_t)
 
@@ -1014,3 +1010,21 @@ allow xserver_unconfined_type { x_domain xserver_t }:x_keyboard *;
 allow xserver_unconfined_type xextension_type:x_extension *;
 allow xserver_unconfined_type { x_domain xserver_t }:x_resource *;
 allow xserver_unconfined_type xevent_type:{ x_event x_synthetic_event } *;
+
+ifdef(`distro_gentoo',`
+	########################################
+	#
+	# iceauth_t policy
+	#
+
+	files_search_tmp(iceauth_t)
+
+	getty_use_fds(iceauth_t)
+
+	########################################
+	#
+	# xserver_t policy
+	#
+
+	userdom_read_user_tmp_files(xserver_t)
+')
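Review bot: the net effect of the three hunks is that files_search_tmp(iceauth_t), getty_use_fds(iceauth_t) and userdom_read_user_tmp_files(xserver_t) are no longer granted on non-Gentoo builds. "Moving Gentoo specifics downward" does not say that; the message should state that these rules were Gentoo-local additions not present upstream and that dropping them for other distributions is intended, so that a reader does not take the first two hunks for an accidental loss of rules.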



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2014-08-13 20:02 Sven Vermeulen
  0 siblings, 0 replies; 299+ messages in thread
From: Sven Vermeulen @ 2014-08-13 20:02 UTC (permalink / raw
  To: gentoo-commits

commit:     e7cfba2e5b61f61a7512eea93d319b6566dd081f
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Aug 13 20:01:30 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Aug 13 20:01:30 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=e7cfba2e

Fix bug #516512 - Support non-root X11 which uses ~/.local/share/xorg

---
 policy/modules/services/xserver.fc | 2 ++
 policy/modules/services/xserver.te | 8 ++++++++
 2 files changed, 10 insertions(+)

diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
index 9c8ebf8..c37e7c8 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -120,6 +120,8 @@ ifdef(`distro_suse',`
 ')
 
 ifdef(`distro_gentoo',`
+HOME_DIR/\.local/share/xorg(/.*)?	gen_context(system_u:object_r:xserver_xdg_data_home_t,s0)
+
 /etc/lightdm/Xsession	--	gen_context(system_u:object_r:xsession_exec_t,s0)
 
 /var/cache/lightdm(/.*)?	gen_context(system_u:object_r:xdm_var_lib_t,s0)

diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 7119319..3eb114f 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -1026,5 +1026,13 @@ ifdef(`distro_gentoo',`
 	# xserver_t policy
 	#
 
+	type xserver_xdg_data_home_t;
+	xdg_data_home_content(xserver_xdg_data_home_t)
+
+	# Mark data in ~/.local/share as xserver_t XDG data, see bug #516512
+	manage_dirs_pattern(xserver_t, xserver_xdg_data_home_t, xserver_xdg_data_home_t)
+	allow xserver_t xserver_xdg_data_home_t:file manage_file_perms;
+	xdg_data_home_filetrans(xserver_t, xserver_xdg_data_home_t, dir)
+
 	userdom_read_user_tmp_files(xserver_t)
 ')
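Review bot: `xdg_data_home_filetrans(xserver_t, xserver_xdg_data_home_t, dir)` carries no filename, so every directory xserver_t creates under an XDG data home gets xserver_xdg_data_home_t, not only `xorg`; if the interface accepts a name argument, pass "xorg" so the transition matches the .fc entry exactly. Also, `manage_dirs_pattern(...)` followed by a raw `allow xserver_t xserver_xdg_data_home_t:file manage_file_perms;` mixes styles; `manage_files_pattern(xserver_t, xserver_xdg_data_home_t, xserver_xdg_data_home_t)` is the usual form. Declaring the type inside the ifdef is consistent with the .fc entry being in the matching distro_gentoo block.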



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2014-08-21 17:31 Sven Vermeulen
  0 siblings, 0 replies; 299+ messages in thread
From: Sven Vermeulen @ 2014-08-21 17:31 UTC (permalink / raw
  To: gentoo-commits

commit:     dcad5d08cbb05a789cb6aaad3c5eea9174e8cdc7
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Wed Aug 20 18:38:30 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Aug 21 17:29:41 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=dcad5d08

Module version bump for postgres fc revisions from Luis Ressel.

---
 policy/modules/services/postgresql.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
index 87cf69d..6e84c95 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -1,4 +1,4 @@
-policy_module(postgresql, 1.16.2)
+policy_module(postgresql, 1.16.3)
 
 gen_require(`
 	class db_database all_db_database_perms;



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2014-08-21 17:31 Sven Vermeulen
  0 siblings, 0 replies; 299+ messages in thread
From: Sven Vermeulen @ 2014-08-21 17:31 UTC (permalink / raw
  To: gentoo-commits

commit:     bcb20e08625b97c697de810bf596ca341a775b92
Author:     Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Tue Aug 12 12:35:57 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Aug 21 17:29:31 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=bcb20e08

Only label administrative postgres commands as postgresql_exec_t

Currently, all postgresql commands are labeled as postgresql_exec_t.
This means they can only be executed by db admins. However, the "normal"
commands, such as createdb or psql, should also be executable by users.
(The users in question still need to be granted postgresql_role(), so
this is no security problem.)

---
 policy/modules/services/postgresql.fc | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/policy/modules/services/postgresql.fc b/policy/modules/services/postgresql.fc
index 5a34c7b..cc9eb3a 100644
--- a/policy/modules/services/postgresql.fc
+++ b/policy/modules/services/postgresql.fc
@@ -15,7 +15,17 @@
 
 /usr/lib/pgsql/test/regress(/.*)?	gen_context(system_u:object_r:postgresql_db_t,s0)
 /usr/lib/pgsql/test/regress/pg_regress -- gen_context(system_u:object_r:postgresql_exec_t,s0)
-/usr/lib/postgresql/bin/.*	--	gen_context(system_u:object_r:postgresql_exec_t,s0)
+
+/usr/lib/postgresql(-.*)?/bin/pg_archivecleanup	--	gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql(-.*)?/bin/pg_basebackup	--	gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql(-.*)?/bin/pg_controldata	--	gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql(-.*)?/bin/pg_ctl		--	gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql(-.*)?/bin/pg_resetxlog	--	gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql(-.*)?/bin/pg_standby	--	gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql(-.*)?/bin/pg_upgrade	--	gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql(-.*)?/bin/pg_xlogdump	--	gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql(-.*)?/bin/postgres		--	gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql(-.*)?/bin/postmaster	-l	gen_context(system_u:object_r:postgresql_exec_t,s0)
 
 ifdef(`distro_debian', `
 /usr/lib/postgresql/.*/bin/.*	--	gen_context(system_u:object_r:postgresql_exec_t,s0)
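Review bot: two points for the message. First, the removed pattern was `/usr/lib/postgresql/bin/.*`, while every new entry adds `(-.*)?`, so they now also match Gentoo's versioned `/usr/lib/postgresql-X.Y/bin` paths; on Gentoo that has no effect as long as the `ifdef(`distro_gentoo'` block at the end of this file still labels everything in that directory postgresql_exec_t, because the last matching file context wins (the later commit deb9b102 on this list removes that block for exactly this reason). Second, the explicit list leaves out initdb, which is an administrative command like pg_ctl; if that omission is deliberate (it runs as the database user, not an admin), say so, otherwise add it.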



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2014-08-21 17:31 Sven Vermeulen
  0 siblings, 0 replies; 299+ messages in thread
From: Sven Vermeulen @ 2014-08-21 17:31 UTC (permalink / raw
  To: gentoo-commits

commit:     3738cf10d1b3cfa76d8ee163a8f89ae9f2495171
Author:     Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Tue Aug 12 12:35:58 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Aug 21 17:29:35 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=3738cf10

Also apply the new postgres labeling scheme on Debian

I'm sure this is the right thing to do; however, the Debian developers
might want to have a say in this, so I made a separate patch.

---
 policy/modules/services/postgresql.fc | 24 ++++++++++--------------
 1 file changed, 10 insertions(+), 14 deletions(-)

diff --git a/policy/modules/services/postgresql.fc b/policy/modules/services/postgresql.fc
index cc9eb3a..2a1b1a3 100644
--- a/policy/modules/services/postgresql.fc
+++ b/policy/modules/services/postgresql.fc
@@ -16,20 +16,16 @@
 /usr/lib/pgsql/test/regress(/.*)?	gen_context(system_u:object_r:postgresql_db_t,s0)
 /usr/lib/pgsql/test/regress/pg_regress -- gen_context(system_u:object_r:postgresql_exec_t,s0)
 
-/usr/lib/postgresql(-.*)?/bin/pg_archivecleanup	--	gen_context(system_u:object_r:postgresql_exec_t,s0)
-/usr/lib/postgresql(-.*)?/bin/pg_basebackup	--	gen_context(system_u:object_r:postgresql_exec_t,s0)
-/usr/lib/postgresql(-.*)?/bin/pg_controldata	--	gen_context(system_u:object_r:postgresql_exec_t,s0)
-/usr/lib/postgresql(-.*)?/bin/pg_ctl		--	gen_context(system_u:object_r:postgresql_exec_t,s0)
-/usr/lib/postgresql(-.*)?/bin/pg_resetxlog	--	gen_context(system_u:object_r:postgresql_exec_t,s0)
-/usr/lib/postgresql(-.*)?/bin/pg_standby	--	gen_context(system_u:object_r:postgresql_exec_t,s0)
-/usr/lib/postgresql(-.*)?/bin/pg_upgrade	--	gen_context(system_u:object_r:postgresql_exec_t,s0)
-/usr/lib/postgresql(-.*)?/bin/pg_xlogdump	--	gen_context(system_u:object_r:postgresql_exec_t,s0)
-/usr/lib/postgresql(-.*)?/bin/postgres		--	gen_context(system_u:object_r:postgresql_exec_t,s0)
-/usr/lib/postgresql(-.*)?/bin/postmaster	-l	gen_context(system_u:object_r:postgresql_exec_t,s0)
-
-ifdef(`distro_debian', `
-/usr/lib/postgresql/.*/bin/.*	--	gen_context(system_u:object_r:postgresql_exec_t,s0)
-')
+/usr/lib/postgresql(-.*)?/(.*/)?bin/pg_archivecleanup	--	gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql(-.*)?/(.*/)?bin/pg_basebackup	--	gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql(-.*)?/(.*/)?bin/pg_controldata	--	gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql(-.*)?/(.*/)?bin/pg_ctl		--	gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql(-.*)?/(.*/)?bin/pg_resetxlog	--	gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql(-.*)?/(.*/)?bin/pg_standby		--	gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql(-.*)?/(.*/)?bin/pg_upgrade		--	gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql(-.*)?/(.*/)?bin/pg_xlogdump		--	gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql(-.*)?/(.*/)?bin/postgres		--	gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql(-.*)?/(.*/)?bin/postmaster		-l	gen_context(system_u:object_r:postgresql_exec_t,s0)
 
 ifdef(`distro_redhat', `
 /usr/share/jonas/pgsql(/.*)?		gen_context(system_u:object_r:postgresql_db_t,s0)



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
  2015-03-04 17:03 [gentoo-commits] proj/hardened-refpolicy:next " Sven Vermeulen
@ 2015-03-04 16:45 ` Sven Vermeulen
  0 siblings, 0 replies; 299+ messages in thread
From: Sven Vermeulen @ 2015-03-04 16:45 UTC (permalink / raw
  To: gentoo-commits

commit:     66bb200d47dcfa85b39c491171b4f3a6a4f341ed
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Mar  4 16:42:33 2015 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Mar  4 16:42:33 2015 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=66bb200d

Support SSH agent forwarding

When using SSH agent forwarding, the SSH daemon creates the necessary
sockets somewhere in a random /tmp/ssh-* location. These sockets get the
sshd_tmp_t type associated.

Currently, the SSH client (running as ssh_t) does not have any
privileges on sshd_tmp_t *socket* files, but it has manage rights on the
*regular* files. This means that any attempt to make use of the agent
forwarding (i.e. from the logged-in server, attempt to SSH to another
server while using the SSH agent running on the user's workstation) will
fail.

By granting rw_socket_file_perms permissions to ssh_t against the
sshd_tmp_t socket files, agent forwarding is working well.

X-Gentoo-Bug: 529336
X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=529336

 policy/modules/services/ssh.te | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 147888c..b63f585 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -358,3 +358,8 @@ optional_policy(`
 optional_policy(`
 	udev_read_db(ssh_keygen_t)
 ')
+
+ifdef(`distro_gentoo',`
+	# Fix bug #529336 - Allow ssh_t to read/write sshd_tmp_t sockets (ssh agent forwarding)
+	allow ssh_t sshd_tmp_t:sock_file rw_sock_file_perms;
+')
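Review bot: the message names the macro `rw_socket_file_perms`, but the rule (correctly) uses refpolicy's `rw_sock_file_perms`; fix the message. More importantly, read and write on the sock_file only covers the filesystem object; connecting through it additionally needs `unix_stream_socket connectto` from ssh_t to the domain that bound the socket (sshd_t here). If that permission already exists elsewhere in ssh.te the change is complete, but the commit should say so, because on a policy without it this rule alone still leaves agent forwarding failing.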



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2015-05-27 20:00 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2015-05-27 20:00 UTC (permalink / raw
  To: gentoo-commits

commit:     880e5bc49e6e08fb4f8e4732e6cdd5e1c05eba13
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon May 25 09:33:56 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed May 27 18:59:50 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=880e5bc4

postgresql: use init_startstop_service in _admin interface

The postgresql_admin interfaces had rules for RedHat sysvinit. This
replaces them with the interface init_startstop_service which can
easily be changed for other init systems.

 policy/modules/services/postgresql.if | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if
index 85d430f..11526b6 100644
--- a/policy/modules/services/postgresql.if
+++ b/policy/modules/services/postgresql.if
@@ -595,10 +595,7 @@ interface(`postgresql_admin',`
 	allow $1 postgresql_t:process { ptrace signal_perms };
 	ps_process_pattern($1, postgresql_t)
 
-	init_labeled_script_domtrans($1, postgresql_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 postgresql_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_startstop_service($1, $2, postgresql_t, postgresql_initrc_exec_t)
 
 	admin_pattern($1, postgresql_var_run_t)
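Review bot: the removed lines also carried `domain_system_change_exemption($1)`, `role_transition $2 postgresql_initrc_exec_t system_r;` and `allow $2 system_r;`. The replacement is only equivalent because init_startstop_service supplies all of those for the sysvinit case (it wraps init_labeled_script_domtrans plus the role rules, and on systemd builds grants the service start/stop permissions instead); a sentence in the message would stop readers from assuming the role transition was dropped. Adjacent and unchanged, but worth a follow-up: `ptrace` in `allow $1 postgresql_t:process { ptrace signal_perms };` is a broad grant for an admin interface.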
 



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
  2015-08-02 19:26 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
@ 2015-08-02 19:23 ` Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2015-08-02 19:23 UTC (permalink / raw
  To: gentoo-commits

commit:     39d8b095afd5ef78ef353bf04b7a11764daca067
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Mon Jul 20 14:01:52 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Aug  2 19:21:29 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=39d8b095

Module version bump for ssh-agent -k fix from Luis Ressel.

 policy/modules/services/ssh.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index b63f585..783d0e7 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -1,4 +1,4 @@
-policy_module(ssh, 2.6.0)
+policy_module(ssh, 2.6.1)
 
 ########################################
 #



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
  2015-08-02 19:26 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
@ 2015-08-02 19:23 ` Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2015-08-02 19:23 UTC (permalink / raw
  To: gentoo-commits

commit:     35e90ad86ba18ed67f37e94ceffe97349c899c68
Author:     Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Sun Jul 19 17:48:28 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Aug  2 19:21:29 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=35e90ad8

Allow ssh-agent to send signals to itself

This is necessary for "ssh-agent -k".

 policy/modules/services/ssh.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index cbd0cdd..3fda887 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -346,7 +346,7 @@ template(`ssh_role_template',`
 	# SSH agent local policy
 	#
 
-	allow $1_ssh_agent_t self:process setrlimit;
+	allow $1_ssh_agent_t self:process { setrlimit signal };
 	allow $1_ssh_agent_t self:capability setgid;
 
 	allow $1_ssh_agent_t { $1_ssh_agent_t $3 }:process signull;
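Review bot: `self` here is the domain `$1_ssh_agent_t`, not the calling process, so the rule lets any agent in the user's domain signal any other agent in it. That is what `ssh-agent -k` needs, since it kills the pid from SSH_AGENT_PID, a different process in the same domain, but the message's "send signals to itself" reads as a same-process grant; "to other processes in its own domain" is more accurate. `signal` is the right permission because -k sends SIGTERM; `sigkill` is not needed, and the existing `signull` line below already covers the liveness probe.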



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2015-10-10 16:11 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2015-10-10 16:11 UTC (permalink / raw
  To: gentoo-commits

commit:     deb9b102fb562bc57e776cba6c1dee7c674c76ac
Author:     Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Sat Oct 10 15:36:32 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Oct 10 16:09:15 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=deb9b102

services/postgresql.fc: Drop obsolete distro_gentoo block

Only some of the binaries in /usr/lib/postgresql-.../bin should be
marked postgresql_exec_t (e.g. pg_ctl), the others (e.g. psql) should
get a bin_t marking so they're user-accessible. refpolicy applies
correct labels since last year (commit 3738cf10), but this ifdef block
still overrides them on Gentoo.

 policy/modules/services/postgresql.fc | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/policy/modules/services/postgresql.fc b/policy/modules/services/postgresql.fc
index 2a1b1a3..d3bc4bb 100644
--- a/policy/modules/services/postgresql.fc
+++ b/policy/modules/services/postgresql.fc
@@ -54,8 +54,3 @@ ifdef(`distro_redhat', `
 /var/run/postgresql(/.*)?		gen_context(system_u:object_r:postgresql_var_run_t,s0)
 
 /var/run/postmaster.*			gen_context(system_u:object_r:postgresql_var_run_t,s0)
-
-ifdef(`distro_gentoo',`
-/usr/lib/postgresql-.*/bin/.*	--	gen_context(system_u:object_r:postgresql_exec_t,s0)
-')
-
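Review bot: after this removal the user-facing tools under /usr/lib/postgresql-*/bin take whatever the generic bin pattern gives them, which the message says is bin_t, while the admin commands keep postgresql_exec_t from the explicit entries added by 3738cf10. Because file contexts only take effect at install or relabel time, the message should mention that existing Gentoo systems need a restorecon run over /usr/lib/postgresql-* for psql and friends to become user-executable.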



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2016-01-30 17:21 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2016-01-30 17:21 UTC (permalink / raw
  To: gentoo-commits

commit:     a5ee3e4cc8dcc31a8a91cda5bebe514c15c83556
Author:     Nicolas Iooss <nicolas.iooss <AT> m4x <DOT> org>
AuthorDate: Sun Dec 20 15:28:48 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Jan 30 17:02:52 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a5ee3e4c

Label Xorg server binary correctly on Arch Linux

On Arch Linux, /usr/bin/Xorg is only a shell script which executes
/usr/lib/xorg-server/Xorg.wrap, which is a SUID binary wrapper around
/usr/lib/xorg-server/Xorg.

Even though Xorg.wrap is not a full X server, it reads X11 configuration
files, uses the DRM interface to detect KMS, etc. (cf.
http://cgit.freedesktop.org/xorg/xserver/tree/hw/xfree86/xorg-wrapper.c?id=xorg-server-1.18.0
for more details).  Therefore label it as xserver_exec_t.

This makes the following AVC appear:

    denied  { execute_no_trans } for  pid=927 comm="X"
    path="/usr/lib/xorg-server/Xorg.wrap" dev="dm-0" ino=3152592
    scontext=system_u:system_r:xserver_t
    tcontext=system_u:object_r:xserver_exec_t tclass=file

Allow /usr/bin/Xorg to execute Xorg.wrap with a can_exec statement.

 policy/modules/services/xserver.fc | 2 ++
 policy/modules/services/xserver.te | 3 +++
 2 files changed, 5 insertions(+)

diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
index 5ef36fb..619bb9f 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -71,6 +71,8 @@ HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 /usr/bin/Xorg		--	gen_context(system_u:object_r:xserver_exec_t,s0)
 
 /usr/lib/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
+/usr/lib/xorg-server/Xorg	--	gen_context(system_u:object_r:xserver_exec_t,s0)
+/usr/lib/xorg-server/Xorg\.wrap	--	gen_context(system_u:object_r:xserver_exec_t,s0)
 
 /usr/sbin/lightdm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
 

diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 82b9501..09c79bb 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -827,6 +827,9 @@ manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
 allow xserver_t xkb_var_lib_t:lnk_file read;
 can_exec(xserver_t, xkb_var_lib_t)
 
+# Run Xorg.wrap
+can_exec(xserver_t, xserver_exec_t)
+
 # VNC v4 module in X server
 corenet_tcp_bind_vnc_port(xserver_t)
 
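Review bot: can_exec(xserver_t, xserver_exec_t) lets xserver_t execute every xserver_exec_t file without a domain transition, not only Xorg.wrap; that is the intended outcome here, since Xorg.wrap and Xorg are both labelled xserver_exec_t in the xserver.fc hunk and the AVC quoted in the commit message is exactly this execute_no_trans denial from comm="X", but the comment should say so (for example `# Run Xorg.wrap and Xorg from the /usr/bin/Xorg wrapper script`), because /usr/bin/Xorg itself is xserver_exec_t and runs in xserver_t.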



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2016-01-30 17:21 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2016-01-30 17:21 UTC (permalink / raw
  To: gentoo-commits

commit:     8796183777154929efc6b058e462cc7037eb0817
Author:     Nicolas Iooss <nicolas.iooss <AT> m4x <DOT> org>
AuthorDate: Sun Dec 20 15:28:50 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Jan 30 17:16:56 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=87961837

Label OpenSSH systemd unit files

On Arch Linux, OpenSSH unit files are:
    /usr/lib/systemd/system/sshdgenkeys.service
    /usr/lib/systemd/system/sshd.service
    /usr/lib/systemd/system/sshd@.service
    /usr/lib/systemd/system/sshd.socket

On Debian jessie, the unit files are:
    /lib/systemd/system/ssh.service
    /lib/systemd/system/ssh@.service
    /lib/systemd/system/ssh.socket

On Fedora 22, the unit files are:
    /usr/lib/systemd/system/sshd-keygen.service
    /usr/lib/systemd/system/sshd.service
    /usr/lib/systemd/system/sshd@.service
    /usr/lib/systemd/system/sshd.socket

Use a pattern which matches every sshd unit and introduce another type
for ssh-keygen units.

 policy/modules/services/ssh.fc | 4 ++++
 policy/modules/services/ssh.te | 6 ++++++
 2 files changed, 10 insertions(+)

diff --git a/policy/modules/services/ssh.fc b/policy/modules/services/ssh.fc
index fd6c218..027c8a8 100644
--- a/policy/modules/services/ssh.fc
+++ b/policy/modules/services/ssh.fc
@@ -10,6 +10,10 @@ HOME_DIR/\.ssh(/.*)?			gen_context(system_u:object_r:ssh_home_t,s0)
 /usr/lib/openssh/ssh-keysign	--	gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
 /usr/lib/ssh/ssh-keysign	--	gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
 
+/usr/lib/systemd/system/ssh.*		--	gen_context(system_u:object_r:sshd_unit_t,s0)
+/usr/lib/systemd/system/sshdgenkeys.*	--	gen_context(system_u:object_r:sshd_keygen_unit_t,s0)
+/usr/lib/systemd/system/sshd-keygen.*	--	gen_context(system_u:object_r:sshd_keygen_unit_t,s0)
+
 /usr/libexec/openssh/ssh-keysign --	gen_context(system_u:object_r:ssh_keysign_exec_t,s0)
 
 /usr/sbin/sshd			--	gen_context(system_u:object_r:sshd_exec_t,s0)
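Review bot: the commit message lists the Debian jessie unit files under /lib/systemd/system, but the hunk only adds /usr/lib/systemd/system patterns, so on Debian those units stay unlabelled unless /lib is mapped to /usr/lib through file_contexts.subs_dist; add the /lib/systemd/system variants or state the substitution. Also, /usr/lib/systemd/system/ssh.* matches sshdgenkeys.* and sshd-keygen.* as well; the keygen entries win only because file context matching prefers the longer literal prefix, which deserves a comment so a later edit does not reshape the patterns and silently relabel the keygen units as sshd_unit_t.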

diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index d83662a..917187a 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -47,6 +47,12 @@ type sshd_tmp_t;
 files_tmp_file(sshd_tmp_t)
 files_poly_parent(sshd_tmp_t)
 
+type sshd_keygen_unit_t;
+init_unit_file(sshd_keygen_unit_t)
+
+type sshd_unit_t;
+init_unit_file(sshd_unit_t)
+
 ifdef(`enable_mcs',`
 	init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh)
 ')



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2016-01-30 17:21 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2016-01-30 17:21 UTC (permalink / raw
  To: gentoo-commits

commit:     d52ce0b18302a2d51b03348311622e6fb76c84e1
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Thu Jan  7 18:11:50 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Jan 30 17:16:56 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d52ce0b1

Module version bump for Debian Xorg fc fixes from Laurent Bigonville

 policy/modules/services/xserver.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 38d5623..ca4be69 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -1,4 +1,4 @@
-policy_module(xserver, 3.11.1)
+policy_module(xserver, 3.11.2)
 
 gen_require(`
 	class x_drawable all_x_drawable_perms;



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2016-01-30 17:21 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2016-01-30 17:21 UTC (permalink / raw
  To: gentoo-commits

commit:     d3276d612490b7dad0eb6731d49ded1e0761c5ef
Author:     Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Thu Jan  7 15:46:49 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Jan 30 17:16:56 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d3276d61

Label Xorg server binary correctly on Debian

On Debian, /usr/bin/Xorg is only a shell script which executes
/usr/lib/xorg/Xorg.wrap, which is a SUID binary wrapper around
/usr/lib/xorg/Xorg.

 policy/modules/services/xserver.fc | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
index 619bb9f..a531dba 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -71,6 +71,8 @@ HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 /usr/bin/Xorg		--	gen_context(system_u:object_r:xserver_exec_t,s0)
 
 /usr/lib/qt-.*/etc/settings(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
+/usr/lib/xorg/Xorg		--	gen_context(system_u:object_r:xserver_exec_t,s0)
+/usr/lib/xorg/Xorg\.wrap	--	gen_context(system_u:object_r:xserver_exec_t,s0)
 /usr/lib/xorg-server/Xorg	--	gen_context(system_u:object_r:xserver_exec_t,s0)
 /usr/lib/xorg-server/Xorg\.wrap	--	gen_context(system_u:object_r:xserver_exec_t,s0)
 



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2016-08-17 16:59 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2016-08-17 16:59 UTC (permalink / raw
  To: gentoo-commits

commit:     8cae0e05081a2d859bc3c4861a2ecd7787ad3e11
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Aug 14 19:13:24 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Aug 17 16:22:44 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8cae0e05

Update for the xserver module:

- updated the file contexts for the Xsession script;
- created an interface for chatting over dbus with
  xdm (currently used by the userdomain module in
  the common user template);
- added permission to chat over dbus with colord.

Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>

 policy/modules/services/xserver.if | 21 +++++++++++++++++++++
 policy/modules/services/xserver.te |  6 +++++-
 2 files changed, 26 insertions(+), 1 deletion(-)

diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index 6bf0ecc..690c2b6 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -713,6 +713,27 @@ interface(`xserver_dontaudit_rw_xdm_pipes',`
 
 ########################################
 ## <summary>
+##	Send and receive messages from
+##	xdm over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_dbus_chat_xdm',`
+	gen_require(`
+		type xdm_t;
+		class dbus send_msg;
+        ')
+
+	allow $1 xdm_t:dbus send_msg;
+	allow xdm_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
 ##	Read xdm process state files.
 ## </summary>
 ## <param name="domain">
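Review bot: the closing `')` of the gen_require block in xserver_dbus_chat_xdm is indented with spaces while the rest of xserver.if uses tabs; replace it with a tab. Otherwise the interface follows the established bidirectional dbus send_msg pattern, but note that it also grants xdm_t the right to message the caller, so it should only be applied to domains that legitimately talk to the display manager (the commit message names the common user template in the userdomain module).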

diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index fc19905..44a561b 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -1,4 +1,4 @@
-policy_module(xserver, 3.11.3)
+policy_module(xserver, 3.11.4)
 
 gen_require(`
 	class x_drawable all_x_drawable_perms;
@@ -511,6 +511,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	colord_dbus_chat(xdm_t)
+')
+
+optional_policy(`
 	consolekit_dbus_chat(xdm_t)
 ')
 



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2016-12-06 13:39 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2016-12-06 13:39 UTC (permalink / raw
  To: gentoo-commits

commit:     b07ec91c10381d6464c06a8ded9c800ea91f5d22
Author:     Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Thu Dec  1 15:00:38 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Dec  6 12:39:33 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b07ec91c

xserver: remove unneeded user content permissions

Remove unneeded permissions to read user content from the
xserver module.

Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>

 policy/modules/services/xserver.te | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 9cb5f74..12f05b0 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -843,12 +843,6 @@ corenet_tcp_bind_vnc_port(xserver_t)
 
 init_use_fds(xserver_t)
 
-# FIXME: After per user fonts are properly working
-# xserver_t may no longer have any reason
-# to read ROLE_home_t - examine this in more detail
-# (xauth?)
-userdom_read_user_home_content_files(xserver_t)
-
 tunable_policy(`use_nfs_home_dirs',`
 	fs_manage_nfs_dirs(xserver_t)
 	fs_manage_nfs_files(xserver_t)
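Review bot: the removed FIXME specifically asked whether xauth still gives xserver_t a reason to read user home content, and neither the hunk nor the commit message records that this was checked; state in the commit message what verified it (for example, that logins produce no denials on user home types and that Xauthority access is still covered by the dedicated xauth_home_t rules such as xserver_read_user_xauth). Dropping an allow rule that the FIXME flagged as uncertain, without that evidence, risks a silent login failure on setups that keep their xauth file under $HOME.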



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
  2016-12-06 14:24 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
@ 2016-12-06 13:39 ` Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2016-12-06 13:39 UTC (permalink / raw
  To: gentoo-commits

commit:     365c71e7df78b3d981252f7bc627739d578e52b3
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Dec  4 14:10:25 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Dec  6 12:39:33 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=365c71e7

xserver: Rearrange lines

 policy/modules/services/xserver.te | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 96cc1ff..1a8a311 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -102,6 +102,9 @@ typealias user_xproperty_t alias { auditadm_xproperty_t secadm_xproperty_t };
 typealias user_input_xevent_t alias { staff_input_xevent_t sysadm_input_xevent_t };
 typealias user_input_xevent_t alias { auditadm_input_xevent_t secadm_input_xevent_t };
 
+type dmrc_home_t;
+userdom_user_home_content(dmrc_home_t)
+
 type remote_t;
 xserver_object_types_template(remote)
 xserver_common_x_domain_template(remote, remote_t)
@@ -211,9 +214,6 @@ corecmd_executable_file(xsession_exec_t)
 type xserver_log_t;
 logging_log_file(xserver_log_t)
 
-type dmrc_home_t;
-userdom_user_home_content(dmrc_home_t)
-
 ifdef(`enable_mcs',`
 	init_ranged_domain(xdm_t, xdm_exec_t, s0 - mcs_systemhigh)
 	init_ranged_daemon_domain(xdm_t, xdm_exec_t, s0 - mcs_systemhigh)



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2016-12-06 13:39 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2016-12-06 13:39 UTC (permalink / raw
  To: gentoo-commits

commit:     d92c0e639cb7f7842e76a2c054ab5ddcac61e38c
Author:     Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Fri Dec  2 13:44:07 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Dec  6 12:39:33 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d92c0e63

xserver: remove unneeded user content permissions

Remove unneeded permissions to read user content from the
xserver module (xserver and xdm domains).

Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>

 policy/modules/services/xserver.fc |  1 +
 policy/modules/services/xserver.if | 19 +++++++++++++++++++
 policy/modules/services/xserver.te |  9 +++++++--
 3 files changed, 27 insertions(+), 2 deletions(-)

diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
index 4cbba44..41b97e2 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -1,6 +1,7 @@
 #
 # HOME_DIR
 #
+HOME_DIR/\.dmrc		--	gen_context(system_u:object_r:dmrc_home_t,s0)
 HOME_DIR/\.fonts\.conf	--	gen_context(system_u:object_r:user_fonts_config_t,s0)
 HOME_DIR/\.fonts(/.*)?		gen_context(system_u:object_r:user_fonts_t,s0)
 HOME_DIR/\.fonts/auto(/.*)?	gen_context(system_u:object_r:user_fonts_cache_t,s0)

diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index afc157f..a5dbdaa 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -602,6 +602,25 @@ interface(`xserver_read_user_xauth',`
 
 ########################################
 ## <summary>
+##	Read all users .dmrc.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_read_user_dmrc',`
+	gen_require(`
+		type dmrc_home_t;
+	')
+
+	allow $1 dmrc_home_t:file read_file_perms;
+	userdom_search_user_home_dirs($1)
+')
+
+########################################
+## <summary>
 ##	Set the attributes of the X windows console named pipes.
 ## </summary>
 ## <param name="domain">

diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 097fd07..96cc1ff 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -211,6 +211,9 @@ corecmd_executable_file(xsession_exec_t)
 type xserver_log_t;
 logging_log_file(xserver_log_t)
 
+type dmrc_home_t;
+userdom_user_home_content(dmrc_home_t)
+
 ifdef(`enable_mcs',`
 	init_ranged_domain(xdm_t, xdm_exec_t, s0 - mcs_systemhigh)
 	init_ranged_daemon_domain(xdm_t, xdm_exec_t, s0 - mcs_systemhigh)
@@ -467,12 +470,14 @@ sysnet_read_config(xdm_t)
 
 userdom_dontaudit_use_unpriv_user_fds(xdm_t)
 userdom_create_all_users_keys(xdm_t)
-# for .dmrc
-userdom_read_user_home_content_files(xdm_t)
 # Search /proc for any user domain processes.
 userdom_read_all_users_state(xdm_t)
 userdom_signal_all_users(xdm_t)
 
+# for .dmrc: this was used by the Gnome Display Manager (gdm)
+# and it is now obsolete in Gnome3
+xserver_read_user_dmrc(xdm_t)
+
 xserver_rw_session(xdm_t, xdm_tmpfs_t)
 xserver_unconfined(xdm_t)
 
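Review bot: the new comment says .dmrc "is now obsolete in Gnome3", which invites a later cleanup to drop xserver_read_user_dmrc(xdm_t) entirely, yet other display managers that run as xdm_t still read ~/.dmrc (LightDM uses it for the user's default session and language); reword the comment to name the display managers that need the file, or gate the call in a tunable if gdm-only systems should not carry it. Replacing the broad userdom_read_user_home_content_files(xdm_t) with the dedicated dmrc_home_t type is the right direction.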



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2016-12-06 13:39 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2016-12-06 13:39 UTC (permalink / raw
  To: gentoo-commits

commit:     6a266282c025186aeb21bde5eedd7cb0e5d7ea05
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Fri Dec  2 00:44:24 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Dec  6 12:39:33 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6a266282

Module version bump for xserver patch from Guido Trentalancia

 policy/modules/services/xserver.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 12f05b0..097fd07 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -1,4 +1,4 @@
-policy_module(xserver, 3.12.0)
+policy_module(xserver, 3.12.1)
 
 gen_require(`
 	class x_drawable all_x_drawable_perms;



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2016-12-06 13:39 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2016-12-06 13:39 UTC (permalink / raw
  To: gentoo-commits

commit:     5ab142a89ffc948fc066f546fd4b57ece9eb2a36
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Dec  4 14:11:02 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Dec  6 12:39:33 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5ab142a8

Module version bump for xserver changes from Guido Trentalancia.

 policy/modules/services/xserver.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 1a8a311..9898817 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -1,4 +1,4 @@
-policy_module(xserver, 3.12.1)
+policy_module(xserver, 3.12.2)
 
 gen_require(`
 	class x_drawable all_x_drawable_perms;



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2017-01-01 16:36 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2017-01-01 16:36 UTC (permalink / raw
  To: gentoo-commits

commit:     72650f3e45abe1df97d416208d4472ae9956fd7a
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Dec 18 22:53:46 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jan  1 16:26:28 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=72650f3e

xserver: Move interface definition.

 policy/modules/services/xserver.if | 38 +++++++++++++++++++-------------------
 1 file changed, 19 insertions(+), 19 deletions(-)

diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index bebc419..c1d41b5 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -792,6 +792,25 @@ interface(`xserver_read_xdm_state',`
 
 ########################################
 ## <summary>
+##	Set the priority of the X Display
+##	Manager (XDM).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_setsched_xdm',`
+	gen_require(`
+		type xdm_t;
+	')
+
+	allow $1 xdm_t:process setsched;
+')
+
+########################################
+## <summary>
 ##	Create, read, write, and delete
 ##	xdm_spool files.
 ## </summary>
@@ -1349,22 +1368,3 @@ interface(`xserver_unconfined',`
 	typeattribute $1 x_domain;
 	typeattribute $1 xserver_unconfined_type;
 ')
-
-########################################
-## <summary>
-##	Set the priority of the X Display
-##	Manager (XDM).
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`xserver_setsched_xdm',`
-	gen_require(`
-		type xdm_t;
-	')
-
-	allow $1 xdm_t:process setsched;
-')



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2017-01-01 16:36 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2017-01-01 16:36 UTC (permalink / raw
  To: gentoo-commits

commit:     02533322fa1a4030098ff54a3480b2fa7d362a8c
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Dec 18 22:42:39 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jan  1 16:26:28 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=02533322

rtkit: enable dbus chat with xdm

Enable dbus messaging between the X Display Manager (XDM) and
the rtkit daemon.

Also, let the rtkit daemon set the priority of the X Display
Manager (XDM).

This patch (along with parts 3/5 and 4/5) might be needed when
running gdm.

I do apologize for the broken interface in the previous version
of this patch.

Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>

 policy/modules/services/xserver.if | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index 3b55a08..bebc419 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -162,7 +162,6 @@ interface(`xserver_role',`
 	manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
 	relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
 	relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
-
 ')
 
 #######################################
@@ -1350,3 +1349,22 @@ interface(`xserver_unconfined',`
 	typeattribute $1 x_domain;
 	typeattribute $1 xserver_unconfined_type;
 ')
+
+########################################
+## <summary>
+##	Set the priority of the X Display
+##	Manager (XDM).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_setsched_xdm',`
+	gen_require(`
+		type xdm_t;
+	')
+
+	allow $1 xdm_t:process setsched;
+')
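Review bot: the new xserver_setsched_xdm interface is appended after xserver_unconfined, whereas xserver.if groups interfaces by the object they act on (the other xdm_t interfaces sit around xserver_read_xdm_state); place it there rather than at the end of the file (the follow-up commit 72650f3e on this list does exactly that move). The commit title "rtkit: enable dbus chat with xdm" also describes nothing in this hunk, which touches neither rtkit nor dbus; per the message the rtkit side lives in contrib parts 3/5 and 4/5, so the title should describe what this hunk does, e.g. "xserver: add xserver_setsched_xdm interface".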



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
  2017-01-01 16:37 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
@ 2017-01-01 16:36 ` Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2017-01-01 16:36 UTC (permalink / raw
  To: gentoo-commits

commit:     f6a604430f3cc0948d3d7fc97066ad65ba62e5c4
Author:     Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Wed Dec 28 19:43:23 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jan  1 16:31:26 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f6a60443

xserver: introduce new fc and interface to manage X session logs

The following patch (split in two parts, one for base and
another one for contrib) introduces a new file context for
the X session log files and two new interfaces to manage
them (instead of allowing all user home content files to be
managed).

It is required after the recent confinement of graphical
desktop components (e.g. wm, xscreensaver).

The second version of the patch correctly uses file type
transitions and uses tighter permissions.

The third version simply moves some interface calls.

The fourth version introduces the new template for
username-dependent file contexts.

The fifth version moves other interface calls thanks to
further revisions from Christopher PeBenito (the corresponding
contrib policy part remains unchanged at version 4).

This sixth version adds the missing diff relative to the
xserver.te policy file to declare the new xsession_log_t type.

The corresponding base policy patch is at version 4.

Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>

 policy/modules/services/xserver.fc |  2 ++
 policy/modules/services/xserver.if | 65 ++++++++++++++++++++++++++++++++++++--
 policy/modules/services/xserver.te |  3 ++
 3 files changed, 68 insertions(+), 2 deletions(-)

diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
index 5b218c6..389b74f 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -10,6 +10,7 @@ HOME_DIR/\.fontconfig(/.*)?	gen_context(system_u:object_r:user_fonts_cache_t,s0)
 HOME_DIR/\.ICEauthority.* --	gen_context(system_u:object_r:iceauth_home_t,s0)
 HOME_DIR/\.serverauth.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 HOME_DIR/\.xauth.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
+HOME_DIR/\.xsession-errors	--	gen_context(system_u:object_r:xsession_log_t,s0)
 HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 
 #
@@ -55,6 +56,7 @@ HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 /tmp/\.X0-lock		--	gen_context(system_u:object_r:xserver_tmp_t,s0)
 /tmp/\.X11-unix		-d	gen_context(system_u:object_r:xdm_tmp_t,s0)
 /tmp/\.X11-unix/.*	-s	<<none>>
+/tmp/xses-%{USERNAME}	--	gen_context(system_u:object_r:xsession_log_t,s0)
 
 #
 # /usr

diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index c1d41b5..59d5821 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -107,6 +107,10 @@ interface(`xserver_restricted_role',`
 	# Needed for escd, remove if we get escd policy
 	xserver_manage_xdm_tmp_files($2)
 
+	# for the .xsession-errors log file
+	xserver_user_home_dir_filetrans_user_xsession_log($2)
+	xserver_manage_xsession_log($2)
+
 	# Client write xserver shm
 	tunable_policy(`allow_write_xshm',`
 		allow $2 xserver_t:shm rw_shm_perms;
@@ -307,7 +311,7 @@ interface(`xserver_user_client',`
 
 	userdom_search_user_home_dirs($1)
 	# for .xsession-errors
-	userdom_dontaudit_write_user_home_content_files($1)
+	xserver_rw_xsession_log($1)
 
 	xserver_ro_session($1,$2)
 	xserver_use_user_fonts($1)
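Review bot: this replaces a dontaudit of writes to all user home content with an allow of rw_file_perms on xsession_log_t, so for xserver_user_client callers it turns silenced denials into granted access; that is the intended narrowing to a dedicated type, but the commit message should say explicitly that clients now get real read/write on the session log rather than a dontaudit. The same substitution appears in the xserver_user_x_domain_template hunk that follows, and the two should stay in step.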
@@ -469,7 +473,7 @@ template(`xserver_user_x_domain_template',`
 
 	userdom_search_user_home_dirs($2)
 	# for .xsession-errors
-	userdom_dontaudit_write_user_home_content_files($2)
+	xserver_rw_xsession_log($2)
 
 	xserver_ro_session($2,$3)
 	xserver_use_user_fonts($2)
@@ -566,6 +570,25 @@ interface(`xserver_user_home_dir_filetrans_user_xauth',`
 
 ########################################
 ## <summary>
+##	Create a .xsession-errors log
+##	file in the user home directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_user_home_dir_filetrans_user_xsession_log',`
+	gen_require(`
+		type xsession_log_t;
+	')
+
+	userdom_user_home_dir_filetrans($1, xsession_log_t, file, ".xsession-errors")
+')
+
+########################################
+## <summary>
 ##	Read all users fonts, user font configurations,
 ##	and manage all users font caches.
 ## </summary>
@@ -1001,6 +1024,44 @@ interface(`xserver_xsession_spec_domtrans',`
 
 ########################################
 ## <summary>
+##	Read and write xsession log
+##	files such as .xsession-errors.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_rw_xsession_log',`
+	gen_require(`
+		type xsession_log_t;
+	')
+
+	allow $1 xsession_log_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	Manage xsession log files such
+##	as .xsession-errors.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_manage_xsession_log',`
+	gen_require(`
+		type xsession_log_t;
+	')
+
+	allow $1 xsession_log_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
 ##	Get the attributes of X server logs.
 ## </summary>
 ## <param name="domain">

diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index ba96a78..1956ddb 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -210,6 +210,9 @@ userdom_user_tmpfs_file(xserver_tmpfs_t)
 type xsession_exec_t;
 corecmd_executable_file(xsession_exec_t)
 
+type xsession_log_t;
+userdom_user_home_content(xsession_log_t)
+
 # Type for the X server log file.
 type xserver_log_t;
 logging_log_file(xserver_log_t)
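Review bot: xsession_log_t is declared only with userdom_user_home_content(), yet the xserver.fc part of this same patch also labels /tmp/xses-%{USERNAME} with it; without files_tmp_file() the type lacks the tmp file attribute, so the generic /tmp handling (files_purge_tmp and the other tmpfile-attribute interfaces) will not cover those files, and no tmp file transition creates them with this label. Either add files_tmp_file(xsession_log_t) next to the home content declaration, or use a separate tmp type for the /tmp copy of the log.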



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2017-01-13 18:43 Sven Vermeulen
  0 siblings, 0 replies; 299+ messages in thread
From: Sven Vermeulen @ 2017-01-13 18:43 UTC (permalink / raw
  To: gentoo-commits

commit:     5f795b817282c2043871c0b527f8406cb5f86db8
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Mon Jan  2 18:11:31 2017 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Jan 13 18:38:36 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5f795b81

xserver: Update from Russell Coker for boinc.

 policy/modules/services/xserver.if | 18 ++++++++++++++++++
 policy/modules/services/xserver.te |  2 +-
 2 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index 59d5821..a054c9c 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -1236,6 +1236,24 @@ interface(`xserver_dontaudit_getattr_xdm_tmp_sockets',`
 
 ########################################
 ## <summary>
+##	list xdm_tmp_t directories
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to allow
+##	</summary>
+## </param>
+#
+interface(`xserver_list_xdm_tmp',`
+	gen_require(`
+		type xdm_tmp_t;
+	')
+
+	allow $1 xdm_tmp_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
 ##	Execute the X server in the X server domain.
 ## </summary>
 ## <param name="domain">
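Review bot: the summary "list xdm_tmp_t directories" and the parameter text "Domain to allow" do not follow the doc style of the neighbouring interfaces on this page (capitalised sentence, "Domain allowed access."); align them so the generated interface documentation stays consistent. Functionally, list_dir_perms on xdm_tmp_t only helps when the caller can also search /tmp, since /tmp/.X11-unix is the main xdm_tmp_t directory per xserver.fc, so consider adding files_search_tmp($1) to the interface.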

diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 00fad47..33f0487 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -1,4 +1,4 @@
-policy_module(xserver, 3.12.7)
+policy_module(xserver, 3.12.8)
 
 gen_require(`
 	class x_drawable all_x_drawable_perms;



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2017-01-13 18:43 Sven Vermeulen
  0 siblings, 0 replies; 299+ messages in thread
From: Sven Vermeulen @ 2017-01-13 18:43 UTC (permalink / raw
  To: gentoo-commits

commit:     71ed05134f724892f2fe1529bc55d88fe021ce2a
Author:     Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Sat Dec 31 16:43:46 2016 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Jan 13 18:38:45 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=71ed0513

xserver: restrict executable memory permissions

The dangerous execheap permission is removed from xdm and the
dangerous execmem permission is only enabled for the Gnome
Display Manager (gnome-shell running in gdm mode) through a
new "xserver_gnome_xdm" boolean.

This patch also updates the XKB libs file context with their
default location (which at the moment is not compliant with
FHS3 due to the fact that it allows by default writing the
output from xkbcomp), adds the ability to read udev pid files
and finally adds a few permissions so that xconsole can run
smoothly.

The anomalous permission to execute XKB var library files has
been removed and the old X11R6 library location has been
updated so that subdirectories are also labeled as xkb_var_lib.

This patch includes various improvements and bug fixes as
kindly suggested in reviews made by Christopher PeBenito.

Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>

 policy/modules/services/xserver.fc |  6 ++++--
 policy/modules/services/xserver.te | 25 ++++++++++++++++---------
 2 files changed, 20 insertions(+), 11 deletions(-)

diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
index 389b74f..40b214a 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -82,6 +82,9 @@ HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 
 /usr/sbin/lightdm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
 
+# xserver default configure bug: not FHS-compliant because not read-only !
+/usr/share/X11/xkb(/.*)?	gen_context(system_u:object_r:xkb_var_lib_t,s0)
+
 /usr/X11R6/bin/[xgkw]dm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/X11R6/bin/iceauth	--	gen_context(system_u:object_r:iceauth_exec_t,s0)
 /usr/X11R6/bin/X	--	gen_context(system_u:object_r:xserver_exec_t,s0)
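Review bot: the new /usr/share/X11/xkb(/.*)? entry labels a tree under /usr/share with xkb_var_lib_t, the same type xserver_t is allowed to manage in xserver.te, so after this commit the X server process can create and modify files under /usr/share; the inline comment should state that this widening is deliberate and temporary (until the xkbcomp output directory is configured outside /usr/share) rather than only calling it a configure bug, and the stray space before "!" should be dropped.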
@@ -90,8 +93,7 @@ HOME_DIR/\.Xauthority.*	--	gen_context(system_u:object_r:xauth_home_t,s0)
 /usr/X11R6/bin/Xipaq	--	gen_context(system_u:object_r:xserver_exec_t,s0)
 /usr/X11R6/bin/Xorg	--	gen_context(system_u:object_r:xserver_exec_t,s0)
 /usr/X11R6/bin/Xwrapper	--	gen_context(system_u:object_r:xserver_exec_t,s0)
-/usr/X11R6/lib/X11/xkb	-d	gen_context(system_u:object_r:xkb_var_lib_t,s0)
-/usr/X11R6/lib/X11/xkb/.* --	gen_context(system_u:object_r:xkb_var_lib_t,s0)
+/usr/X11R6/lib/X11/xkb(/.*)?	gen_context(system_u:object_r:xkb_var_lib_t,s0)
 
 ifndef(`distro_debian',`
 /usr/var/[xgkw]dm(/.*)?		gen_context(system_u:object_r:xserver_log_t,s0)

diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 33f0487..2df9a3e 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -42,6 +42,14 @@ gen_tunable(xdm_sysadm_login, false)
 
 ## <desc>
 ## <p>
+## Use gnome-shell in gdm mode as the
+## X Display Manager (XDM)
+## </p>
+## </desc>
+gen_tunable(xserver_gnome_xdm, false)
+
+## <desc>
+## <p>
 ## Support X userspace object manager
 ## </p>
 ## </desc>
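Review bot: the xserver_gnome_xdm description says only which display manager is in use, but turning it on grants xdm_t execmem (see the tunable_policy block later in this patch), and an administrator reading the boolean list cannot tell that; reword the <desc> to name the permission, e.g. "Allow the X Display Manager (xdm) to use executable memory, required when gnome-shell in gdm mode is the display manager."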
@@ -307,6 +315,7 @@ optional_policy(`
 #
 
 allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
+dontaudit xdm_t self:capability sys_admin;
 allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms };
 allow xdm_t self:fifo_file rw_fifo_file_perms;
 allow xdm_t self:shm create_shm_perms;
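Review bot: the new dontaudit xdm_t self:capability sys_admin has no comment saying which display manager operation requests sys_admin, and the commit message does not mention it either; add a one-line comment (what triggers the request and why silently denying it is safe) so the rule is not later mistaken for a permission that should be allowed.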
@@ -319,7 +328,7 @@ allow xdm_t self:socket create_socket_perms;
 allow xdm_t self:appletalk_socket create_socket_perms;
 allow xdm_t self:key { search link write };
 
-allow xdm_t xconsole_device_t:fifo_file { getattr setattr };
+allow xdm_t xconsole_device_t:fifo_file { read_fifo_file_perms setattr_fifo_file_perms };
 
 # Allow gdm to run gdm-binary
 can_exec(xdm_t, xdm_exec_t)
@@ -510,6 +519,10 @@ tunable_policy(`xdm_sysadm_login',`
 #	allow xserver_t xdm_tmpfs_t:file rw_file_perms;
 ')
 
+tunable_policy(`xserver_gnome_xdm',`
+	allow xdm_t self:process execmem;
+')
+
 optional_policy(`
 	alsa_domtrans(xdm_t)
 ')
@@ -589,10 +602,6 @@ optional_policy(`
 optional_policy(`
 	unconfined_domain(xdm_t)
 	unconfined_domtrans(xdm_t)
-
-	ifndef(`distro_redhat',`
-		allow xdm_t self:process { execheap execmem };
-	')
 ')
 
 optional_policy(`
@@ -658,6 +667,7 @@ manage_fifo_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
 manage_sock_files_pattern(xserver_t, xserver_tmpfs_t, xserver_tmpfs_t)
 fs_tmpfs_filetrans(xserver_t, xserver_tmpfs_t, { dir file lnk_file sock_file fifo_file })
 
+# Run xkbcomp
 manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
 manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
 files_search_var_lib(xserver_t)
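Review bot: the added comment "# Run xkbcomp" sits above rules that grant only file management on xkb_var_lib_t, and this same patch removes can_exec(xserver_t, xkb_var_lib_t) further down, so the comment no longer describes what the rules do; "# Store compiled keymaps produced by xkbcomp" (or similar) would match the manage_files_pattern and manage_lnk_files_pattern lines beneath it.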
@@ -806,6 +816,7 @@ optional_policy(`
 
 optional_policy(`
 	udev_read_db(xserver_t)
+	udev_read_pid_files(xserver_t)
 ')
 
 optional_policy(`
@@ -843,10 +854,6 @@ manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
 manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
 manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
 
-# Run xkbcomp.
-allow xserver_t xkb_var_lib_t:lnk_file read;
-can_exec(xserver_t, xkb_var_lib_t)
-
 # Run Xorg.wrap
 can_exec(xserver_t, xserver_exec_t)
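Review bot: dropping can_exec(xserver_t, xkb_var_lib_t) removes execute permission on a type that xserver_t can also write, which is the write-plus-execute combination the commit message calls anomalous, so this is the right direction; the removed allow on lnk_file read is already covered by manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t) earlier in the file, so no access is lost.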
 



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2017-01-26  3:32 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2017-01-26  3:32 UTC (permalink / raw
  To: gentoo-commits

commit:     b4d17da29d15421d2f67fbc484c343aec9ab572d
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Jan 25 17:44:23 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Jan 26 03:31:05 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b4d17da2

xserver: allow X roles to read xkb libs to set keymaps

commit d76d9e13b188e9fd8df98e1e21d88aa45951860e
xserver: restrict executable memory permissions
changed XKB libs which made them no longer readable by users.
Setting xkeymaps fails with the following errors:

$ setxkbmap -option "ctrl:nocaps"
Couldn't find rules file (evdev)

type=AVC msg=audit(1485357942.135:4458): avc:  denied  { search } for
pid=5359 comm="X" name="20990" dev="proc" ino=103804
scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023
tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=dir permissive=0
type=AVC msg=audit(1485357942.136:4459): avc:  denied  { search } for
pid=20990 comm="setxkbmap" name="xkb" dev="zfs" ino=130112
scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023
tcontext=system_u:object_r:xkb_var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1485357942.136:4460): avc:  denied  { search } for
pid=20990 comm="setxkbmap" name="xkb" dev="zfs" ino=130112
scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023
tcontext=system_u:object_r:xkb_var_lib_t:s0 tclass=dir permissive=0

 policy/modules/services/xserver.if | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index a054c9c..f0761c9 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -166,6 +166,8 @@ interface(`xserver_role',`
 	manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
 	relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
 	relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
+
+	xserver_read_xkb_libs($2)
 ')
 
 #######################################
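Review bot: xserver_read_xkb_libs($2) addresses the two setxkbmap denials on xkb_var_lib_t quoted in the commit message, but the first quoted AVC (xserver_t denied search on a staff_t directory in /proc, name="20990") is a separate denial on the X server side that this change does not touch; either state that it is unrelated to the keymap failure or follow it up separately.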



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2017-02-05  6:29 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2017-02-05  6:29 UTC (permalink / raw
  To: gentoo-commits

commit:     c4dda8def2e818d9b44315e8f4990ed5d9ff2d2d
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Jan 29 17:48:01 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Feb  5 06:24:52 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c4dda8de

Module version bump for xkb fix from Jason Zaman.

 policy/modules/services/xserver.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index cef33cb..7f27691 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -1,4 +1,4 @@
-policy_module(xserver, 3.12.9)
+policy_module(xserver, 3.12.10)
 
 gen_require(`
 	class x_drawable all_x_drawable_perms;



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2017-10-29 20:42 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2017-10-29 20:42 UTC (permalink / raw
  To: gentoo-commits

commit:     b690cc49e498479f60f74d5880b87c6f64cd3870
Author:     Amadeusz Sławiński <amade <AT> asmblr <DOT> net>
AuthorDate: Tue Oct 17 20:46:33 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Oct 29 13:57:28 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b690cc49

If an application uses fonts, they may be mapped

Signed-off-by: Amadeusz Sławiński <amade <AT> asmblr.net>

 policy/modules/services/xserver.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index e0c5be82..0718d016 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -466,7 +466,7 @@ interface(`xserver_use_user_fonts',`
 
 	# Read per user fonts
 	allow $1 user_fonts_t:dir list_dir_perms;
-	allow $1 user_fonts_t:file read_file_perms;
+	allow $1 user_fonts_t:file { map read_file_perms };
 
 	# Manipulate the global font cache
 	manage_dirs_pattern($1, user_fonts_cache_t, user_fonts_cache_t)
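Review bot: adding map to user_fonts_t files is the right fix for font loading via mmap on kernels that enforce the map permission; the context just below handles user_fonts_cache_t with manage_* patterns only, so check whether cache files also need map, since fontconfig memory-maps its cache files as well.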



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2017-11-17 14:59 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2017-11-17 14:59 UTC (permalink / raw
  To: gentoo-commits

commit:     e4cb86ffdac851ff96281ca1e185f2efff824b11
Author:     Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Tue Nov 14 02:03:53 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Nov 15 01:11:07 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e4cb86ff

xserver: Allow xdm_t to map usr_t files

This is required for gtk-based login managers to access gtk's icon
cache. IIRC, past discussion on the ML came to the conclusion that
adding a new domain for this would be overkill.

 policy/modules/services/xserver.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 60570875..7e5a97d3 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -450,6 +450,7 @@ files_read_etc_runtime_files(xdm_t)
 files_exec_etc_files(xdm_t)
 files_list_mnt(xdm_t)
 # Read /usr/share/terminfo/l/linux and /usr/share/icons/default/index.theme...
+files_map_usr_files(xdm_t)
 files_read_usr_files(xdm_t)
 # Poweroff wants to create the /poweroff file when run from xdm
 files_create_boot_flag(xdm_t)
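Review bot: files_map_usr_files(xdm_t) is inserted between the comment "# Read /usr/share/terminfo/l/linux and /usr/share/icons/default/index.theme..." and the files_read_usr_files(xdm_t) line that comment describes; place the new line after files_read_usr_files and extend the comment with the reason from the commit message (gtk-based greeters map the gtk icon cache), so the comment stays attached to the rule it explains.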



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2017-12-12  7:59 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2017-12-12  7:59 UTC (permalink / raw
  To: gentoo-commits

commit:     e21a1ab6acced79dae83f0c0da38fb9a97bd24bc
Author:     David Sugar <dsugar <AT> tresys <DOT> com>
AuthorDate: Fri Dec  8 12:43:47 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Dec 12 07:06:27 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e21a1ab6

Create interfaces to write to inherited xserver log files.

Updated based on feedback

Signed-off-by: Dave Sugar <dsugar <AT> tresys.com>

 policy/modules/services/xserver.if | 39 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)

diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index f08db931..893e469f 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -1058,6 +1058,26 @@ interface(`xserver_xsession_spec_domtrans',`
 
 ########################################
 ## <summary>
+##	Write to inherited  xsession log
+##	files such as .xsession-errors.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_write_inherited_xsession_log',`
+	gen_require(`
+		type xsession_log_t;
+	')
+
+	allow $1 xsession_log_t:file write_inherited_file_perms;
+')
+
+
+########################################
+## <summary>
 ##	Read and write xsession log
 ##	files such as .xsession-errors.
 ## </summary>
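Review bot: the new xserver_write_inherited_xsession_log interface is followed by two blank lines before the next separator where the rest of the file uses one, and the summary has a double space in "inherited  xsession"; otherwise the interface correctly limits itself to write_inherited_file_perms (no open), which is the point of an inherited-descriptor interface.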
@@ -1096,6 +1116,25 @@ interface(`xserver_manage_xsession_log',`
 
 ########################################
 ## <summary>
+##	Write to inherited X server log
+##  files like /var/log/lightdm/lightdm.log
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_write_inherited_log',`
+	gen_require(`
+		type xserver_log_t;
+	')
+
+	allow $1 xserver_log_t:file write_inherited_file_perms;
+')
+
+########################################
+## <summary>
 ##	Get the attributes of X server logs.
 ## </summary>
 ## <param name="domain">
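Review bot: the second summary line of xserver_write_inherited_log ("##  files like /var/log/lightdm/lightdm.log") uses two spaces after "##" where the surrounding summary lines use a tab; align it with the line above. The permission choice mirrors the xsession variant added in this patch (write_inherited_file_perms only), which is consistent.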



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2017-12-12  7:59 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2017-12-12  7:59 UTC (permalink / raw
  To: gentoo-commits

commit:     db770ba7020a1407d1458fa649bccda8b3daa405
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Dec  9 02:04:20 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Dec 12 07:06:27 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=db770ba7

xserver: Module version bump.

 policy/modules/services/xserver.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 5936018f..efd965a7 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -1,4 +1,4 @@
-policy_module(xserver, 3.14.6)
+policy_module(xserver, 3.14.7)
 
 gen_require(`
 	class x_drawable all_x_drawable_perms;



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2017-12-12  7:59 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2017-12-12  7:59 UTC (permalink / raw
  To: gentoo-commits

commit:     e48cc818eaab15e5da207b91292d1f6314966912
Author:     David Sugar via refpolicy <refpolicy <AT> oss <DOT> tresys <DOT> com>
AuthorDate: Wed Dec  6 18:24:44 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Dec 12 07:06:26 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e48cc818

Allow xdm_t to read /proc/sys/crypto/fips_enabled

type=AVC msg=audit(1512047222.742:53): avc:  denied  { search } for pid=1174 comm="lightdm-gtk-gre" name="crypto" dev="proc" ino=6218 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir
type=AVC msg=audit(1512047222.742:53): avc:  denied  { read } for pid=1174 comm="lightdm-gtk-gre" name="fips_enabled" dev="proc" ino=6219 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file
type=AVC msg=audit(1512047222.742:53): avc:  denied  { open } for pid=1174 comm="lightdm-gtk-gre" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=6219 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file
type=AVC msg=audit(1512047222.743:54): avc:  denied  { getattr } for pid=1174 comm="lightdm-gtk-gre" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=6219 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file

Signed-off-by: Dave Sugar <dsugar <AT> tresys.com>

 policy/modules/services/xserver.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index c3380257..b512fbe7 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -391,6 +391,7 @@ manage_files_pattern(xdm_t, xserver_log_t, xserver_log_t)
 manage_fifo_files_pattern(xdm_t, xserver_log_t, xserver_log_t)
 logging_log_filetrans(xdm_t, xserver_log_t, file)
 
+kernel_read_crypto_sysctls(xdm_t)
 kernel_read_system_state(xdm_t)
 kernel_read_kernel_sysctls(xdm_t)
 kernel_read_net_sysctls(xdm_t)
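Review bot: kernel_read_crypto_sysctls(xdm_t) matches the sysctl_crypto_t denials in the commit message; add a short comment naming the trigger (lightdm-gtk-greeter reading /proc/sys/crypto/fips_enabled), since the neighbouring kernel_read_* lines give no hint why the display manager needs crypto sysctls. Read-only access is appropriate here: the greeter only needs to know whether FIPS mode is on.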



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2017-12-14  5:15 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2017-12-14  5:15 UTC (permalink / raw
  To: gentoo-commits

commit:     fe73a7e41325536c918f4da90cf251b731d37824
Author:     David Sugar <dsugar <AT> tresys <DOT> com>
AuthorDate: Tue Dec 12 02:15:24 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Dec 13 12:03:31 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=fe73a7e4

Make xdm directories created in /run/user/%{USERID}/ xdm_runtime_t (user_runtime_content_type)

Set up type xdm_runtime_t for files and directories created in /run/user/%{USERID}/ and use filetrans to transition from user_runtime_t to our private type.

type=AVC msg=audit(1511962167.495:64): avc:  denied  { write } for  pid=1137 comm="at-spi-bus-laun" name="/" dev="tmpfs" ino=14731 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=dir
type=AVC msg=audit(1511962167.495:64): avc:  denied  { add_name } for  pid=1137 comm="at-spi-bus-laun" name="dconf" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=dir
type=AVC msg=audit(1511962167.495:64): avc:  denied  { create } for  pid=1137 comm="at-spi-bus-laun" name="dconf" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=dir
type=AVC msg=audit(1511962167.495:65): avc:  denied  { create } for  pid=1137 comm="at-spi-bus-laun" name="user" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=file
type=AVC msg=audit(1511962167.495:65): avc:  denied  { read write open } for  pid=1137 comm="at-spi-bus-laun" path="/run/user/998/dconf/user" dev="tmpfs" ino=14798 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=file
type=AVC msg=audit(1511962199.010:144): avc:  denied  { read write } for  pid=1614 comm="at-spi-bus-laun" name="user" dev="tmpfs" ino=14798 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=file
type=AVC msg=audit(1511962199.010:144): avc:  denied  { open } for  pid=1614 comm="at-spi-bus-laun" path="/run/user/998/dconf/user" dev="tmpfs" ino=14798 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=file
type=AVC msg=audit(1511962947.864:350): avc:  denied  { read write } for  pid=1784 comm="at-spi-bus-laun" name="user" dev="tmpfs" ino=14798 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=file
type=AVC msg=audit(1511962947.864:350): avc:  denied  { open } for  pid=1784 comm="at-spi-bus-laun" path="/run/user/998/dconf/user" dev="tmpfs" ino=14798 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=file
type=AVC msg=audit(1511962981.011:440): avc:  denied  { read write } for  pid=1877 comm="at-spi-bus-laun" name="user" dev="tmpfs" ino=14798 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=file
type=AVC msg=audit(1511962981.011:440): avc:  denied  { open } for  pid=1877 comm="at-spi-bus-laun" path="/run/user/998/dconf/user" dev="tmpfs" ino=14798 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_t:s0 tclass=file

Signed-off-by: Dave Sugar <dsugar <AT> tresys.com>

 policy/modules/services/xserver.te | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index efd965a7..6564c7f4 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -186,6 +186,10 @@ files_type(xdm_var_lib_t)
 type xdm_var_run_t;
 files_pid_file(xdm_var_run_t)
 
+# type for /run/user/%{USERID}/*
+type xdm_runtime_t;
+userdom_user_runtime_content(xdm_runtime_t)
+
 type xdm_tmp_t;
 files_tmp_file(xdm_tmp_t)
 typealias xdm_tmp_t alias ice_tmp_t;
@@ -345,6 +349,10 @@ files_lock_filetrans(xdm_t, xdm_lock_t, file)
 # this is ugly, daemons should not create files under /etc!
 manage_files_pattern(xdm_t, xdm_rw_etc_t, xdm_rw_etc_t)
 
+# files in /run/user/%{USERID}/*
+manage_dirs_pattern(xdm_t, xdm_runtime_t, xdm_runtime_t)
+manage_files_pattern(xdm_t, xdm_runtime_t, xdm_runtime_t)
+
 manage_dirs_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
 manage_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
 manage_sock_files_pattern(xdm_t, xdm_tmp_t, xdm_tmp_t)
@@ -493,6 +501,7 @@ userdom_create_all_users_keys(xdm_t)
 # Search /proc for any user domain processes.
 userdom_read_all_users_state(xdm_t)
 userdom_signal_all_users(xdm_t)
+userdom_user_runtime_filetrans(xdm_t, xdm_runtime_t, dir)
 
 # for .dmrc: this was used by the Gnome Display Manager (gdm)
 # and it is now obsolete in Gnome3
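Review bot: userdom_user_runtime_filetrans(xdm_t, xdm_runtime_t, dir) makes every directory xdm_t creates in user_runtime_t become xdm_runtime_t, while the AVCs in the commit message show only the "dconf" directory being created; if the interface accepts an optional file name argument, a named transition on "dconf" would keep the private type scoped to what is actually needed, and a comment should record which program (at-spi-bus-launcher) creates it.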



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2018-06-24  8:46 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2018-06-24  8:46 UTC (permalink / raw
  To: gentoo-commits

commit:     3b307f674b86d7bdb9f650cc58618f5151655c80
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Jun 14 14:13:18 2018 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Jun 16 13:16:02 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3b307f67

xserver: update to use new upstream xdg interfaces

 policy/modules/services/xserver.fc |  2 +-
 policy/modules/services/xserver.te | 12 +++++++-----
 2 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
index a4d2f339..969214f2 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -147,5 +147,5 @@ ifdef(`distro_suse',`
 ')
 
 ifdef(`distro_gentoo',`
-HOME_DIR/\.local/share/xorg(/.*)?	gen_context(system_u:object_r:xserver_xdg_data_home_t,s0)
+HOME_DIR/\.local/share/xorg(/.*)?	gen_context(system_u:object_r:xserver_xdg_data_t,s0)
 ')

diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index c82e4c15..c4c786e4 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -1064,13 +1064,15 @@ ifdef(`distro_gentoo',`
 	# xserver_t policy
 	#
 
-	type xserver_xdg_data_home_t;
-	xdg_data_home_content(xserver_xdg_data_home_t)
+	type xserver_xdg_data_t;
+	typealias xserver_xdg_data_t alias xserver_xdg_data_home_t;
+	xdg_data_content(xserver_xdg_data_t)
 
 	# Mark data in ~/.local/share as xserver_t XDG data, see bug #516512
-	manage_dirs_pattern(xserver_t, xserver_xdg_data_home_t, xserver_xdg_data_home_t)
-	allow xserver_t xserver_xdg_data_home_t:file manage_file_perms;
-	xdg_data_home_filetrans(xserver_t, xserver_xdg_data_home_t, dir)
+	manage_dirs_pattern(xserver_t, xserver_xdg_data_t, xserver_xdg_data_t)
+	allow xserver_t xserver_xdg_data_t:file manage_file_perms;
+	xdg_data_filetrans(xserver_t, xserver_xdg_data_home_t, dir)
+	xdg_generic_user_home_dir_filetrans_data(xserver_t, dir, ".local")
 
 	userdom_read_user_tmp_files(xserver_t)
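Review bot: the line xdg_data_filetrans(xserver_t, xserver_xdg_data_home_t, dir) still refers to the old type name while the lines above and below it were renamed to xserver_xdg_data_t; it compiles only because of the typealias added in this hunk, so change it to xserver_xdg_data_t for consistency and so the alias can eventually be removed.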
 



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2018-06-25  5:33 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2018-06-25  5:33 UTC (permalink / raw
  To: gentoo-commits

commit:     9e2eeb8b7182b0c91a54f57cf6a593ba591a84ec
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun Jun 24 09:56:10 2018 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Jun 25 05:31:59 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9e2eeb8b

xserver: Add mesa_shader_cache for GLSL in ~/.cache/mesa_shader_cache/

 policy/modules/services/xserver.fc |  1 +
 policy/modules/services/xserver.if | 37 ++++++++++++++++++++++++++++++++++---
 policy/modules/services/xserver.te |  9 +++++++++
 3 files changed, 44 insertions(+), 3 deletions(-)

diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
index 969214f2..171a8df1 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -1,6 +1,7 @@
 #
 # HOME_DIR
 #
+HOME_DIR/\.cache/mesa_shader_cache(/.*)?	gen_context(system_u:object_r:mesa_shader_cache_t,s0)
 HOME_DIR/\.dmrc		--	gen_context(system_u:object_r:dmrc_home_t,s0)
 HOME_DIR/\.fonts\.conf	--	gen_context(system_u:object_r:user_fonts_config_t,s0)
 HOME_DIR/\.fonts(/.*)?		gen_context(system_u:object_r:user_fonts_t,s0)

diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index 86391675..c1c07b32 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -138,6 +138,7 @@ interface(`xserver_role',`
 	gen_require(`
 		type iceauth_home_t, xserver_t, xserver_tmpfs_t, xauth_home_t;
 		type user_fonts_t, user_fonts_cache_t, user_fonts_config_t;
+		type mesa_shader_cache_t;
 	')
 
 	xserver_restricted_role($1, $2)
@@ -167,6 +168,12 @@ interface(`xserver_role',`
 	relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
 	relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
 
+	manage_dirs_pattern($2, mesa_shader_cache_t, mesa_shader_cache_t)
+	manage_files_pattern($2, mesa_shader_cache_t, mesa_shader_cache_t)
+	allow $2 mesa_shader_cache_t:file map;
+	relabel_dirs_pattern($2, mesa_shader_cache_t, mesa_shader_cache_t)
+	relabel_files_pattern($2, mesa_shader_cache_t, mesa_shader_cache_t)
+
 	xserver_user_home_dir_filetrans_user_iceauth($2, ".ICEauthority")
 
 	xserver_read_xkb_libs($2)
@@ -178,17 +185,17 @@ interface(`xserver_role',`
 		xdg_relabel_all_config($2)
 		xdg_manage_all_data($2)
 		xdg_relabel_all_data($2)
-	
+
 		xdg_generic_user_home_dir_filetrans_cache($2, dir, ".cache")
 		xdg_generic_user_home_dir_filetrans_config($2, dir, ".config")
 		xdg_generic_user_home_dir_filetrans_data($2, dir, ".local")
-	
+
 		xdg_generic_user_home_dir_filetrans_documents($2, dir, "Documents")
 		xdg_generic_user_home_dir_filetrans_downloads($2, dir, "Downloads")
 		xdg_generic_user_home_dir_filetrans_music($2, dir, "Music")
 		xdg_generic_user_home_dir_filetrans_pictures($2, dir, "Pictures")
 		xdg_generic_user_home_dir_filetrans_videos($2, dir, "Videos")
-	
+
 		xdg_manage_documents($2)
 		xdg_relabel_documents($2)
 		xdg_manage_downloads($2)
@@ -199,6 +206,8 @@ interface(`xserver_role',`
 		xdg_relabel_pictures($2)
 		xdg_manage_videos($2)
 		xdg_relabel_videos($2)
+
+		xdg_cache_filetrans($2, mesa_shader_cache_t, dir, "mesa_shader_cache")
 	')
 ')
 
@@ -1619,3 +1628,25 @@ interface(`xserver_rw_xdm_keys',`
 
 	allow $1 xdm_t:key { read write setattr };
 ')
+
+########################################
+## <summary>
+##	Read and write the mesa shader cache.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_rw_mesa_shader_cache',`
+	gen_require(`
+		type mesa_shader_cache_t;
+	')
+
+	rw_dirs_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t)
+	rw_files_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t)
+	allow $1 mesa_shader_cache_t:file map;
+
+	xdg_search_cache_dirs($1)
+')
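Review bot: xserver_rw_mesa_shader_cache uses rw_dirs_pattern and rw_files_pattern, which do not include create, add_name or unlink, so a caller whose GL driver writes a new shader blob into the cache will still be denied; either document that callers are expected to touch only existing entries, or add a manage variant (manage_dirs_pattern and manage_files_pattern plus the xdg_cache_filetrans used for xserver_t in this commit) alongside it.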

diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index c4c786e4..3d71e65a 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -229,6 +229,9 @@ userdom_user_home_content(xsession_log_t)
 type xserver_log_t;
 logging_log_file(xserver_log_t)
 
+type mesa_shader_cache_t;
+xdg_cache_content(mesa_shader_cache_t)
+
 ifdef(`enable_mcs',`
 	init_ranged_domain(xdm_t, xdm_exec_t, s0 - mcs_systemhigh)
 	init_ranged_daemon_domain(xdm_t, xdm_exec_t, s0 - mcs_systemhigh)
@@ -693,6 +696,12 @@ manage_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
 manage_lnk_files_pattern(xserver_t, xkb_var_lib_t, xkb_var_lib_t)
 files_search_var_lib(xserver_t)
 
+manage_dirs_pattern(xserver_t, mesa_shader_cache_t, mesa_shader_cache_t)
+manage_files_pattern(xserver_t, mesa_shader_cache_t, mesa_shader_cache_t)
+allow xserver_t mesa_shader_cache_t:file map;
+xdg_cache_filetrans(xserver_t, mesa_shader_cache_t, dir, "mesa_shader_cache")
+xdg_generic_user_home_dir_filetrans_cache(xserver_t, dir, ".cache")
+
 domtrans_pattern(xserver_t, xauth_exec_t, xauth_t)
 allow xserver_t xauth_home_t:file read_file_perms;
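Review bot: these rules give the X server process itself manage plus map on mesa_shader_cache_t and let it create ~/.cache in user home directories via xdg_generic_user_home_dir_filetrans_cache(xserver_t, dir, ".cache"); a comment explaining why the server process, not only its GL clients, needs the shader cache (for example GL-based acceleration inside the server using mesa) would justify a root-running service writing into user homes, and the matching rules for user roles in xserver.if already cover the client side.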
 



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2018-07-12 14:37 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2018-07-12 14:37 UTC (permalink / raw
  To: gentoo-commits

commit:     08115177f277119abef4b9186ef84ef575f9dde6
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Jul 10 15:03:16 2018 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Jul 11 14:41:35 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=08115177

xserver: label .cache/fontconfig as user_fonts_cache_t

 policy/modules/services/xserver.fc | 1 +
 policy/modules/services/xserver.if | 1 +
 policy/modules/services/xserver.te | 2 +-
 3 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
index 171a8df1..b7f8612d 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -2,6 +2,7 @@
 # HOME_DIR
 #
 HOME_DIR/\.cache/mesa_shader_cache(/.*)?	gen_context(system_u:object_r:mesa_shader_cache_t,s0)
+HOME_DIR/\.cache/fontconfig(/.*)?	gen_context(system_u:object_r:user_fonts_cache_t,s0)
 HOME_DIR/\.dmrc		--	gen_context(system_u:object_r:dmrc_home_t,s0)
 HOME_DIR/\.fonts\.conf	--	gen_context(system_u:object_r:user_fonts_config_t,s0)
 HOME_DIR/\.fonts(/.*)?		gen_context(system_u:object_r:user_fonts_t,s0)

diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index c1c07b32..24caccad 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -516,6 +516,7 @@ interface(`xserver_use_user_fonts',`
 	allow $1 user_fonts_config_t:file read_file_perms;
 
 	userdom_search_user_home_dirs($1)
+	xdg_search_cache_dirs($1)
 ')
 
 ########################################

diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 4ce36384..1202b8e5 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -125,7 +125,7 @@ userdom_user_home_content(user_fonts_t)
 type user_fonts_cache_t;
 typealias user_fonts_cache_t alias { staff_fonts_cache_t sysadm_fonts_cache_t };
 typealias user_fonts_cache_t alias { auditadm_fonts_cache_t secadm_fonts_cache_t };
-userdom_user_home_content(user_fonts_cache_t)
+xdg_cache_content(user_fonts_cache_t)
 
 type user_fonts_config_t;
 typealias user_fonts_config_t alias { staff_fonts_config_t sysadm_fonts_config_t };
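
Review bot: Replacing userdom_user_home_content(user_fonts_cache_t) with xdg_cache_content(user_fonts_cache_t) means the type no longer counts as user home content, so any domain that reached the font cache only through generic user-home-content interfaces rather than xserver_use_user_fonts() loses that access without a denial being obvious from this diff; worth a sentence in the message, since the typealias lines for staff/sysadm/auditadm/secadm are kept and suggest several callers.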



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2018-11-11 23:29 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2018-11-11 23:29 UTC (permalink / raw
  To: gentoo-commits

commit:     4975a3106024fccd597ea67483b25a679c249050
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Thu Oct  4 02:08:23 2018 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Nov 11 22:49:58 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4975a310

xserver: Module version bump.

Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

 policy/modules/services/xserver.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 4fc46f4f..803d15cd 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -1,4 +1,4 @@
-policy_module(xserver, 3.16.1)
+policy_module(xserver, 3.16.2)
 
 gen_require(`
 	class x_drawable all_x_drawable_perms;



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2018-11-11 23:29 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2018-11-11 23:29 UTC (permalink / raw
  To: gentoo-commits

commit:     4dbae70829f2e1492de27c90fe3d2ec543d7a62b
Author:     Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Tue Oct  2 20:02:54 2018 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Nov 11 22:49:58 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4dbae708

xserver: Allow user fonts (and caches) to be mmap()ed.

Applications can optionally map fonts and fontconfig caches into memory.
miscfiles_read_fonts() already grants those perms, but it seems
xserver_use_user_fonts() was forgotten.

Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

 policy/modules/services/xserver.if | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index 7e13483b..ec944672 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -511,6 +511,7 @@ interface(`xserver_use_user_fonts',`
 	# Manipulate the global font cache
 	manage_dirs_pattern($1, user_fonts_cache_t, user_fonts_cache_t)
 	manage_files_pattern($1, user_fonts_cache_t, user_fonts_cache_t)
+	allow $1 user_fonts_cache_t:file { map read_file_perms };
 
 	# Read per user font config
 	allow $1 user_fonts_config_t:dir list_dir_perms;
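
Review bot: The title promises map for user fonts and their caches, but the hunk only adds it for user_fonts_cache_t; user_fonts_t, the fonts themselves, gets no map permission in this interface, so either add an equivalent `allow $1 user_fonts_t:file map;` or narrow the title to the cache. Also, read_file_perms is already granted by manage_files_pattern() on the line above, so `allow $1 user_fonts_cache_t:file map;` is the minimal change and avoids restating existing permissions.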



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2018-11-11 23:29 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2018-11-11 23:29 UTC (permalink / raw
  To: gentoo-commits

commit:     1a660dec08464a41b9dabc0c7d9718405bf59035
Author:     Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Sat Oct 27 12:47:03 2018 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Nov 11 23:17:31 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1a660dec

services/ssh: Don't audit accesses from ssh_t to /dev/random

OpenSSL 1.1 always opens both /dev/urandom and /dev/random, which
generates spurious denial messages for ssh_t, ssh_keygen_t and probably
various other domains too.

The code only uses /dev/random as a fallback and can cope with an open()
failure just fine, so I'm dontauditing the access. However, I don't have
strong feelings about this -- if someone would prefer to allow these
accesses instead, I'd be okay with that too.

Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

 policy/modules/services/ssh.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 19ebd9d9..0403842b 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -156,6 +156,7 @@ corenet_tcp_connect_ssh_port(ssh_t)
 corenet_sendrecv_ssh_client_packets(ssh_t)
 
 dev_read_urand(ssh_t)
+dev_dontaudit_read_rand(ssh_t)
 
 fs_getattr_all_fs(ssh_t)
 fs_search_auto_mountpoints(ssh_t)
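
Review bot: dev_dontaudit_read_rand(ssh_t) silences the denial rather than resolving it, which matches the message's reasoning that /dev/random is only a fallback; the trade-off is that if a future OpenSSL stops coping with the open() failure the breakage will not show up in the audit log, so anyone debugging ssh_t entropy problems will need to rebuild with dontaudit rules disabled (semodule -DB) to see it. Fine to merge given the message already invites the allow-instead alternative.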
@@ -352,6 +353,7 @@ fs_search_auto_mountpoints(ssh_keygen_t)
 
 dev_read_sysfs(ssh_keygen_t)
 dev_read_urand(ssh_keygen_t)
+dev_dontaudit_read_rand(ssh_keygen_t)
 
 term_dontaudit_use_console(ssh_keygen_t)
 



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2018-11-11 23:29 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2018-11-11 23:29 UTC (permalink / raw
  To: gentoo-commits

commit:     97d472c60912a6991b880577f167b2afcc20d9f5
Author:     David Sugar <dsugar <AT> tresys <DOT> com>
AuthorDate: Sat Oct 27 16:14:42 2018 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Nov 11 23:17:31 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=97d472c6

Interface to allow reading of virus signature files.

Signed-off-by: Dave Sugar <dsugar <AT> tresys.com>
Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

 policy/modules/services/clamav.if | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/policy/modules/services/clamav.if b/policy/modules/services/clamav.if
index 7ad8e800..80ac5c1e 100644
--- a/policy/modules/services/clamav.if
+++ b/policy/modules/services/clamav.if
@@ -177,6 +177,34 @@ interface(`clamav_read_state_clamd',`
 	read_lnk_files_pattern($1, clamd_t, clamd_t)
 ')
 
+#######################################
+## <summary>
+##	Read clam virus signature files
+## </summary>
+## <desc>
+##	<p>
+##	Useful for when using things like 'sigtool'
+##	which provides useful information about
+##	ClamAV signature files.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`clamav_read_signatures',`
+	gen_require(`
+		type clamd_var_lib_t;
+	')
+
+	clamav_search_lib($1)
+	allow $1 clamd_var_lib_t:dir list_dir_perms;
+	read_files_pattern($1, clamd_var_lib_t, clamd_var_lib_t)
+	read_lnk_files_pattern($1, clamd_var_lib_t, clamd_var_lib_t)
+')
+
 ########################################
 ## <summary>
 ##	All of the rules required to
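
Review bot: The interface name and summary say "signature files", but the rules grant read on everything labelled clamd_var_lib_t, so a caller also gets any other state clamd keeps under its lib directory; either say so in the <desc> or accept that this label does not separate signatures from other lib data. Minor: the separator line above the <summary> is one '#' shorter than the 40-character one at the end of the hunk.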



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2018-11-11 23:29 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2018-11-11 23:29 UTC (permalink / raw
  To: gentoo-commits

commit:     e360dcc7417d7f25d77f4c8d7172cfca93581a7b
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Nov 10 00:34:00 2018 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Nov 11 23:23:07 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e360dcc7

dnsmasq: Whitespace fix in file contexts.

Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

 policy/modules/services/dnsmasq.fc | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/policy/modules/services/dnsmasq.fc b/policy/modules/services/dnsmasq.fc
index 07ffc0d4..57669f98 100644
--- a/policy/modules/services/dnsmasq.fc
+++ b/policy/modules/services/dnsmasq.fc
@@ -1,22 +1,22 @@
-/etc/dnsmasq\.conf	--	gen_context(system_u:object_r:dnsmasq_etc_t,s0)
-/etc/dnsmasq\.d(/.*)?   gen_context(system_u:object_r:dnsmasq_etc_t,s0)
+/etc/dnsmasq\.conf		--	gen_context(system_u:object_r:dnsmasq_etc_t,s0)
+/etc/dnsmasq\.d(/.*)?			gen_context(system_u:object_r:dnsmasq_etc_t,s0)
 
 /etc/rc\.d/init\.d/dnsmasq	--	gen_context(system_u:object_r:dnsmasq_initrc_exec_t,s0)
 
-/usr/bin/dnsmasq	--	gen_context(system_u:object_r:dnsmasq_exec_t,s0)
+/usr/bin/dnsmasq		--	gen_context(system_u:object_r:dnsmasq_exec_t,s0)
 
 # Systemd unit file
-/usr/lib/systemd/system/[^/]*dnsmasq.*	--	gen_context(system_u:object_r:dnsmasq_unit_t,s0)
+/usr/lib/systemd/system/[^/]*dnsmasq.* -- gen_context(system_u:object_r:dnsmasq_unit_t,s0)
 
-/usr/sbin/dnsmasq	--	gen_context(system_u:object_r:dnsmasq_exec_t,s0)
+/usr/sbin/dnsmasq		--	gen_context(system_u:object_r:dnsmasq_exec_t,s0)
 
 /var/lib/misc/dnsmasq\.leases	--	gen_context(system_u:object_r:dnsmasq_lease_t,s0)
-/var/lib/dnsmasq(/.*)?	gen_context(system_u:object_r:dnsmasq_lease_t,s0)
+/var/lib/dnsmasq(/.*)?			gen_context(system_u:object_r:dnsmasq_lease_t,s0)
 
-/var/log/dnsmasq.*	--	gen_context(system_u:object_r:dnsmasq_var_log_t,s0)
+/var/log/dnsmasq.*		--	gen_context(system_u:object_r:dnsmasq_var_log_t,s0)
 
-/run/dnsmasq.*	--	gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
-/run/libvirt/network(/.*)?	gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
+/run/dnsmasq.*			--	gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
+/run/libvirt/network(/.*)?		gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
 
 ifdef(`distro_gentoo',`
 # Fix bug 531836 - Needed to support dnssec in dnsmasq



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2018-11-11 23:29 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2018-11-11 23:29 UTC (permalink / raw
  To: gentoo-commits

commit:     876526eaec1af77abca0b1033ef863882dd92b48
Author:     David Sugar <dsugar <AT> tresys <DOT> com>
AuthorDate: Fri Nov  2 00:38:01 2018 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Nov 11 23:17:31 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=876526ea

Allow clamd_t to read /proc/sys/crypto/fips_enabled

To fix the following denials:
type=AVC msg=audit(1540821927.216:215): avc:  denied  { search } for
pid=1726 comm="clamd" name="crypto" dev="proc" ino=68
scontext=system_u:system_r:clamd_t:s0
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir
type=AVC msg=audit(1540821927.216:215): avc:  denied  { read } for
pid=1726 comm="clamd" name="fips_enabled" dev="proc" ino=69
scontext=system_u:system_r:clamd_t:s0
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file
type=AVC msg=audit(1540821927.216:215): avc:  denied  { open } for
pid=1726 comm="clamd" path="/proc/sys/crypto/fips_enabled" dev="proc"
ino=69 scontext=system_u:system_r:clamd_t:s0
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file
type=AVC msg=audit(1540821927.216:216): avc:  denied  { getattr } for
pid=1726 comm="clamd" path="/proc/sys/crypto/fips_enabled" dev="proc"
ino=69 scontext=system_u:system_r:clamd_t:s0
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file

Signed-off-by: Dave Sugar <dsugar <AT> tresys.com>
Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

 policy/modules/services/clamav.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te
index b8c53a58..b55bac56 100644
--- a/policy/modules/services/clamav.te
+++ b/policy/modules/services/clamav.te
@@ -104,6 +104,7 @@ manage_sock_files_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t)
 files_pid_filetrans(clamd_t, clamd_var_run_t, { dir file sock_file })
 
 kernel_dontaudit_list_proc(clamd_t)
+kernel_read_crypto_sysctls(clamd_t)
 kernel_read_sysctl(clamd_t)
 kernel_read_kernel_sysctls(clamd_t)
 kernel_read_system_state(clamd_t)



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2018-11-11 23:29 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2018-11-11 23:29 UTC (permalink / raw
  To: gentoo-commits

commit:     80fc619afbb4265a9158c776b0fb917bd5633f54
Author:     David Sugar <dsugar <AT> tresys <DOT> com>
AuthorDate: Fri Nov  2 00:39:58 2018 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Nov 11 23:17:31 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=80fc619a

Interface to add domain allowed to be read by ClamAV for scanning.

Create an attribute for types that clamd_t and clamscan_t can read
(for scanning purposes) rather than require clamav.te to be modified.

Signed-off-by: Dave Sugar <dsugar <AT> tresys.com>
Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

 policy/modules/services/amavis.te |  1 +
 policy/modules/services/apache.te |  1 +
 policy/modules/services/clamav.if | 18 ++++++++++++++++++
 policy/modules/services/clamav.te | 23 +++++++++--------------
 policy/modules/services/exim.te   |  1 +
 policy/modules/services/mta.te    |  1 +
 6 files changed, 31 insertions(+), 14 deletions(-)

diff --git a/policy/modules/services/amavis.te b/policy/modules/services/amavis.te
index 9517486e..59d87259 100644
--- a/policy/modules/services/amavis.te
+++ b/policy/modules/services/amavis.te
@@ -152,6 +152,7 @@ tunable_policy(`amavis_use_jit',`
 ')
 
 optional_policy(`
+	clamav_scannable_files(amavis_spool_t)
 	clamav_stream_connect(amavis_t)
 	clamav_domtrans_clamscan(amavis_t)
 	clamav_read_state_clamd(amavis_t)

diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
index 341dd150..f45cf73b 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -1323,6 +1323,7 @@ tunable_policy(`httpd_use_nfs && httpd_builtin_scripting',`
 
 optional_policy(`
 	clamav_domtrans_clamscan(httpd_sys_script_t)
+	clamav_scannable_files(httpd_sys_content_t)
 ')
 
 optional_policy(`
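
Review bot: Tagging httpd_sys_content_t with clam_scannable_type grants read to clamd_t as well as clamscan_t, whereas the rule it replaces, apache_read_sys_content(clamscan_t) removed in the clamav.te hunk below, covered only the on-demand scanner; if the daemon should not read web content by default, keep the explicit clamscan_t rule instead of the attribute, otherwise call the widening out in the message.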

diff --git a/policy/modules/services/clamav.if b/policy/modules/services/clamav.if
index 80ac5c1e..d1296fcc 100644
--- a/policy/modules/services/clamav.if
+++ b/policy/modules/services/clamav.if
@@ -205,6 +205,24 @@ interface(`clamav_read_signatures',`
 	read_lnk_files_pattern($1, clamd_var_lib_t, clamd_var_lib_t)
 ')
 
+#######################################
+## <summary>
+##	Denote a particular type to be scanned by ClamAV
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Type that clamd_t and clamscan_t can read.
+##	</summary>
+## </param>
+#
+interface(`clamav_scannable_files',`
+	gen_require(`
+		attribute clam_scannable_type;
+	')
+
+	typeattribute $1 clam_scannable_type;
+')
+
 ########################################
 ## <summary>
 ##	All of the rules required to
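
Review bot: The <param name="domain"> block describes a file type, not a domain (the summary itself says "Type that clamd_t and clamscan_t can read"), so name the parameter "type" to match what is passed; the separator line above <summary> is again one '#' short of the file's 40-character ones.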

diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te
index b55bac56..1de8b4cb 100644
--- a/policy/modules/services/clamav.te
+++ b/policy/modules/services/clamav.te
@@ -27,6 +27,7 @@ gen_tunable(clamd_use_jit, false)
 #
 # Declarations
 #
+attribute clam_scannable_type;
 
 type clamd_t;
 type clamd_exec_t;
@@ -103,6 +104,10 @@ manage_files_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t)
 manage_sock_files_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t)
 files_pid_filetrans(clamd_t, clamd_var_run_t, { dir file sock_file })
 
+read_files_pattern(clamd_t, clam_scannable_type, clam_scannable_type)
+read_lnk_files_pattern(clamd_t, clam_scannable_type, clam_scannable_type)
+list_dirs_pattern(clamd_t, clam_scannable_type, clam_scannable_type)
+
 kernel_dontaudit_list_proc(clamd_t)
 kernel_read_crypto_sysctls(clamd_t)
 kernel_read_sysctl(clamd_t)
@@ -152,7 +157,6 @@ tunable_policy(`clamd_use_jit',`
 
 optional_policy(`
 	amavis_read_lib_files(clamd_t)
-	amavis_read_spool_files(clamd_t)
 	amavis_spool_filetrans(clamd_t, clamd_var_run_t, sock_file)
 	amavis_create_pid_files(clamd_t)
 ')
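
Review bot: Removing amavis_read_spool_files(clamd_t) drops whatever parent-directory search that interface supplied (typically on /var/spool), while the attribute rules added at the top of this file only cover clam_scannable_type objects themselves; confirm that clamd_t can still traverse to the amavis spool, otherwise the scan fails at the directory above the spool rather than on the spool files.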
@@ -163,10 +167,6 @@ optional_policy(`
 	cron_rw_pipes(clamd_t)
 ')
 
-optional_policy(`
-	exim_read_spool_files(clamd_t)
-')
-
 optional_policy(`
 	mta_read_config(clamd_t)
 	mta_send_mail(clamd_t)
@@ -274,6 +274,10 @@ manage_dirs_pattern(clamscan_t, clamscan_tmp_t, clamscan_tmp_t)
 manage_files_pattern(clamscan_t, clamscan_tmp_t, clamscan_tmp_t)
 files_tmp_filetrans(clamscan_t, clamscan_tmp_t, { dir file })
 
+read_files_pattern(clamscan_t, clam_scannable_type, clam_scannable_type)
+read_lnk_files_pattern(clamscan_t, clam_scannable_type, clam_scannable_type)
+list_dirs_pattern(clamscan_t, clam_scannable_type, clam_scannable_type)
+
 allow clamscan_t clamd_var_lib_t:dir list_dir_perms;
 manage_files_pattern(clamscan_t, clamd_var_lib_t, clamd_var_lib_t)
 
@@ -320,17 +324,8 @@ tunable_policy(`clamav_read_all_non_security_files_clamscan',`
 	files_getattr_all_sockets(clamscan_t)
 ')
 
-optional_policy(`
-	amavis_read_spool_files(clamscan_t)
-')
-
-optional_policy(`
-	apache_read_sys_content(clamscan_t)
-')
-
 optional_policy(`
 	mta_send_mail(clamscan_t)
-	mta_read_queue(clamscan_t)
 ')
 
 ifdef(`distro_gentoo',`
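
Review bot: Dropping mta_read_queue(clamscan_t) in favour of the attribute assigned in mta.te means clamd_t also gains read on mqueue_spool_t, and the exim.te hunk likewise lets clamscan_t read exim_spool_t, neither of which the removed rules allowed; the same widening applies here as for httpd_sys_content_t. Separately, the mta.te hunk tags only mqueue_spool_t, so check that mta_read_queue() did not grant more than that single type before treating the two as equivalent.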

diff --git a/policy/modules/services/exim.te b/policy/modules/services/exim.te
index 693ac491..6430aee8 100644
--- a/policy/modules/services/exim.te
+++ b/policy/modules/services/exim.te
@@ -189,6 +189,7 @@ tunable_policy(`exim_manage_user_files',`
 
 optional_policy(`
 	clamav_domtrans_clamscan(exim_t)
+	clamav_scannable_files(exim_spool_t)
 	clamav_stream_connect(exim_t)
 ')
 

diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
index 3b389d02..a7133c2b 100644
--- a/policy/modules/services/mta.te
+++ b/policy/modules/services/mta.te
@@ -233,6 +233,7 @@ optional_policy(`
 ')
 
 optional_policy(`
+	clamav_scannable_files(mqueue_spool_t)
 	clamav_stream_connect(system_mail_t)
 	clamav_append_log(system_mail_t)
 ')



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2018-11-11 23:29 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2018-11-11 23:29 UTC (permalink / raw
  To: gentoo-commits

commit:     ab0f433384c8a532bcb8a75dac6117c2590403a6
Author:     David Sugar <dsugar <AT> tresys <DOT> com>
AuthorDate: Fri Nov  2 00:40:57 2018 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Nov 11 23:17:31 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ab0f4333

Add interfaces to control clamav_unit_t systemd services

Signed-off-by: Dave Sugar <dsugar <AT> tresys.com>
Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

 policy/modules/services/clamav.if | 76 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 76 insertions(+)

diff --git a/policy/modules/services/clamav.if b/policy/modules/services/clamav.if
index d1296fcc..2adb1230 100644
--- a/policy/modules/services/clamav.if
+++ b/policy/modules/services/clamav.if
@@ -223,6 +223,82 @@ interface(`clamav_scannable_files',`
 	typeattribute $1 clam_scannable_type;
 ')
 
+########################################
+## <summary>
+##	Allow specified domain to enable clamd units
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`clamav_enabledisable_clamd',`
+	gen_require(`
+		type clamav_unit_t;
+		class service { enable disable };
+	')
+
+	allow $1 clamav_unit_t:service { enable disable };
+')
+
+########################################
+## <summary>
+##	Allow specified domain to start clamd units
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`clamav_startstop_clamd',`
+	gen_require(`
+		type clamd_unit_t;
+		class service { start stop };
+	')
+
+	allow $1 clamd_unit_t:service { start stop };
+')
+
+########################################
+## <summary>
+##	Allow specified domain to get status of clamd
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`clamav_status_clamd',`
+	gen_require(`
+		type clamd_unit_t;
+		class service status;
+	')
+
+	allow $1 clamd_unit_t:service status;
+')
+
+########################################
+## <summary>
+##	Allow specified domain reload of clamd
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`clamav_reload_clamd',`
+	gen_require(`
+		type clamd_unit_t;
+		class service reload;
+	')
+
+	allow $1 clamd_unit_t:service reload;
+')
+
 ########################################
 ## <summary>
 ##	All of the rules required to
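
Review bot: The four interfaces disagree on the unit type: clamav_enabledisable_clamd requires clamav_unit_t while clamav_startstop_clamd, clamav_status_clamd and clamav_reload_clamd require clamd_unit_t, so whichever name is not declared will fail with an undefined type as soon as a caller uses that interface. Pick one (the title says clamav_unit_t) and use it in all four. Also, the summary of clamav_startstop_clamd says "start clamd units" but the rule grants { start stop }; say so in the doc.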



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2018-11-11 23:29 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2018-11-11 23:29 UTC (permalink / raw
  To: gentoo-commits

commit:     270b0b8bc0ad22dcce3287e4e531c4d9c799eca9
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Nov 10 00:35:14 2018 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Nov 11 23:24:55 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=270b0b8b

dnsmasq: Reorder lines in file contexts.

Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

 policy/modules/services/dnsmasq.fc | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/policy/modules/services/dnsmasq.fc b/policy/modules/services/dnsmasq.fc
index 57669f98..278b880f 100644
--- a/policy/modules/services/dnsmasq.fc
+++ b/policy/modules/services/dnsmasq.fc
@@ -3,6 +3,9 @@
 
 /etc/rc\.d/init\.d/dnsmasq	--	gen_context(system_u:object_r:dnsmasq_initrc_exec_t,s0)
 
+/run/dnsmasq.*			--	gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
+/run/libvirt/network(/.*)?		gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
+
 /usr/bin/dnsmasq		--	gen_context(system_u:object_r:dnsmasq_exec_t,s0)
 
 # Systemd unit file
@@ -15,9 +18,6 @@
 
 /var/log/dnsmasq.*		--	gen_context(system_u:object_r:dnsmasq_var_log_t,s0)
 
-/run/dnsmasq.*			--	gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
-/run/libvirt/network(/.*)?		gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
-
 ifdef(`distro_gentoo',`
 # Fix bug 531836 - Needed to support dnssec in dnsmasq
 /usr/share/dnsmasq(/.*)?	gen_context(system_u:object_r:dnsmasq_etc_t,s0)



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2018-11-11 23:29 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2018-11-11 23:29 UTC (permalink / raw
  To: gentoo-commits

commit:     81711bb3a8d8dc9b91d1fd8c9450050c5a598277
Author:     David Sugar <dsugar <AT> tresys <DOT> com>
AuthorDate: Fri Nov  2 19:10:20 2018 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Nov 11 23:17:31 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=81711bb3

Allow clamd to use sent file descriptor

This allows a process connecting to a local clamd server to send
an open file descriptor for A/V scanning.  This still requires
the file type to be readable by clamd.

Signed-off-by: Dave Sugar <dsugar <AT> tresys.com>
Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

 policy/modules/services/clamav.if | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/services/clamav.if b/policy/modules/services/clamav.if
index 2adb1230..7b6df49e 100644
--- a/policy/modules/services/clamav.if
+++ b/policy/modules/services/clamav.if
@@ -35,6 +35,8 @@ interface(`clamav_stream_connect',`
 		type clamd_t, clamd_var_run_t;
 	')
 
+	allow clamd_t $1:fd use;
+
 	files_search_pids($1)
 	stream_connect_pattern($1, clamd_var_run_t, clamd_var_run_t, clamd_t)
 ')
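
Review bot: `allow clamd_t $1:fd use;` is granted to every caller of clamav_stream_connect(), whether or not it ever passes a descriptor, so the interface's <summary> (outside this hunk) should say that connecting also lets clamd use the caller's open descriptors; as the message notes, the descriptor's file type still needs its own read rule for clamd_t, so callers should pair this with clamav_scannable_files() on that type.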



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2018-12-09 11:48 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2018-12-09 11:48 UTC (permalink / raw
  To: gentoo-commits

commit:     ecf21a2dc57dd85fe6065a1bb2996a72daa6ca78
Author:     Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Thu Nov  1 10:12:26 2018 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Nov 18 10:56:47 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ecf21a2d

irqbalance now creates an abstract socket

Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

 policy/modules/services/irqbalance.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/services/irqbalance.te b/policy/modules/services/irqbalance.te
index a71058d8..ade99be0 100644
--- a/policy/modules/services/irqbalance.te
+++ b/policy/modules/services/irqbalance.te
@@ -28,6 +28,7 @@ allow irqbalance_t self:capability { setpcap };
 dontaudit irqbalance_t self:capability sys_tty_config;
 allow irqbalance_t self:process { getcap getsched setcap signal_perms };
 allow irqbalance_t self:udp_socket create_socket_perms;
+allow irqbalance_t self:unix_stream_socket create_stream_socket_perms;
 
 manage_files_pattern(irqbalance_t, irqbalance_pid_t, irqbalance_pid_t)
 files_pid_filetrans(irqbalance_t, irqbalance_pid_t, file)



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2018-12-09 11:48 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2018-12-09 11:48 UTC (permalink / raw
  To: gentoo-commits

commit:     4f0bb0f94aff4aa39bd3be21704100e12da6f042
Author:     Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Thu Nov  1 15:09:00 2018 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Nov 18 10:56:47 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4f0bb0f9

Allow ntpd_t to read init state

With systemd-timesyncd, the following AVC denials are generated:
  type=AVC msg=audit(01/11/18 15:44:39.564:48) : avc:  denied  { open } for  pid=397 comm=systemd-timesyn path=/proc/1/sched dev="proc" ino=1128 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=1
  type=AVC msg=audit(01/11/18 15:44:39.564:48) : avc:  denied  { read } for  pid=397 comm=systemd-timesyn name=sched dev="proc" ino=1128 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=1
  type=AVC msg=audit(01/11/18 15:44:39.564:49) : avc:  denied  { getattr } for  pid=397 comm=systemd-timesyn path=/proc/1/sched dev="proc" ino=1128 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=file permissive=1

Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

 policy/modules/services/ntp.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te
index 39ea1c5e..76ce4da9 100644
--- a/policy/modules/services/ntp.te
+++ b/policy/modules/services/ntp.te
@@ -145,6 +145,7 @@ ifdef(`init_systemd',`
 	init_dbus_chat(ntpd_t)
 	init_get_system_status(ntpd_t)
 	allow ntpd_t self:capability { fowner setpcap };
+	init_read_state(ntpd_t)
 	init_reload(ntpd_t)
 
 	# for /var/lib/systemd/clock



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2018-12-09 11:48 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2018-12-09 11:48 UTC (permalink / raw
  To: gentoo-commits

commit:     1ec76423aa4ac2c17b12e6a69a2887c47bffac1c
Author:     Petr Vorel <pvorel <AT> suse <DOT> cz>
AuthorDate: Mon Nov 12 08:47:30 2018 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Nov 18 10:56:47 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1ec76423

dnsmasq: Require log files to have .log suffix

+ allow log rotate as well.

Signed-off-by: Petr Vorel <pvorel <AT> suse.cz>
Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

 policy/modules/services/dnsmasq.fc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/services/dnsmasq.fc b/policy/modules/services/dnsmasq.fc
index 278b880f..bfa87f4c 100644
--- a/policy/modules/services/dnsmasq.fc
+++ b/policy/modules/services/dnsmasq.fc
@@ -16,7 +16,7 @@
 /var/lib/misc/dnsmasq\.leases	--	gen_context(system_u:object_r:dnsmasq_lease_t,s0)
 /var/lib/dnsmasq(/.*)?			gen_context(system_u:object_r:dnsmasq_lease_t,s0)
 
-/var/log/dnsmasq.*		--	gen_context(system_u:object_r:dnsmasq_var_log_t,s0)
+/var/log/dnsmasq(.*)?\.log(\..+)	--	gen_context(system_u:object_r:dnsmasq_var_log_t,s0)
 
 ifdef(`distro_gentoo',`
 # Fix bug 531836 - Needed to support dnssec in dnsmasq
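
Review bot: The new regex `/var/log/dnsmasq(.*)?\.log(\..+)` no longer matches the unrotated file: file_contexts patterns are anchored at both ends and the trailing group `(\..+)` is mandatory, so `/var/log/dnsmasq.log` itself falls through to the default label while `dnsmasq.log.1` matches. Make the rotation suffix optional, `/var/log/dnsmasq.*\.log(\..+)?`, which also drops the redundant `(.*)?` around a plain `.*`.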



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2018-12-09 11:48 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2018-12-09 11:48 UTC (permalink / raw
  To: gentoo-commits

commit:     bf29459cb0451db9170934809e8d204c9358d1b6
Author:     Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Mon Nov 12 15:16:04 2018 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Nov 18 10:56:47 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=bf29459c

Allow minissdpd_t to create a unix_stream_socket

----
type=PROCTITLE msg=audit(12/11/18 15:37:06.293:231) : proctitle=/usr/sbin/minissdpd -i enp0s25 -i wlp3s0 -6
type=SYSCALL msg=audit(12/11/18 15:37:06.293:231) : arch=x86_64 syscall=listen success=yes exit=0 a0=0x7 a1=0x5 a2=0x6e a3=0x7ffdbca26c50 items=0 ppid=1 pid=1880 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=minissdpd exe=/usr/sbin/minissdpd subj=system_u:system_r:minissdpd_t:s0 key=(null)
type=AVC msg=audit(12/11/18 15:37:06.293:231) : avc:  denied  { listen } for  pid=1880 comm=minissdpd path=/run/minissdpd.sock scontext=system_u:system_r:minissdpd_t:s0 tcontext=system_u:system_r:minissdpd_t:s0 tclass=unix_stream_socket permissive=1
----
type=PROCTITLE msg=audit(12/11/18 16:12:29.172:758) : proctitle=/usr/sbin/minissdpd -i enp0s25 -i wlp3s0 -6
type=SYSCALL msg=audit(12/11/18 16:12:29.172:758) : arch=x86_64 syscall=accept success=yes exit=8 a0=0x7 a1=0x0 a2=0x0 a3=0x0 items=0 ppid=1 pid=11460 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=minissdpd exe=/usr/sbin/minissdpd subj=system_u:system_r:minissdpd_t:s0 key=(null)
type=AVC msg=audit(12/11/18 16:12:29.172:758) : avc:  denied  { accept } for  pid=11460 comm=minissdpd path=/run/minissdpd.sock scontext=system_u:system_r:minissdpd_t:s0 tcontext=system_u:system_r:minissdpd_t:s0 tclass=unix_stream_socket permissive=1

Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

 policy/modules/services/minissdpd.te | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/policy/modules/services/minissdpd.te b/policy/modules/services/minissdpd.te
index 86d0d54e..65b1aed3 100644
--- a/policy/modules/services/minissdpd.te
+++ b/policy/modules/services/minissdpd.te
@@ -27,6 +27,7 @@ allow minissdpd_t self:capability { net_admin sys_module };
 allow minissdpd_t self:netlink_route_socket r_netlink_socket_perms;
 allow minissdpd_t self:udp_socket create_socket_perms;
 allow minissdpd_t self:unix_dgram_socket create_socket_perms;
+allow minissdpd_t self:unix_stream_socket create_stream_socket_perms;
 
 allow minissdpd_t minissdpd_var_run_t:file manage_file_perms;
 allow minissdpd_t minissdpd_var_run_t:sock_file manage_sock_file_perms;
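Review bot: the new self:unix_stream_socket rule covers both audit records quoted in the message, since create_stream_socket_perms adds listen and accept on top of create_socket_perms, and it is scoped to self, so it grants nothing across domains. A one-line comment naming /run/minissdpd.sock above the rule would help later readers, because the sock_file rule two lines further down refers to the same socket.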
@@ -48,4 +49,4 @@ corenet_udp_sendrecv_ssdp_port(minissdpd_t)
 
 logging_send_syslog_msg(minissdpd_t)
 
-miscfiles_read_localization(minissdpd_t)
\ No newline at end of file
+miscfiles_read_localization(minissdpd_t)



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2018-12-09 11:48 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2018-12-09 11:48 UTC (permalink / raw
  To: gentoo-commits

commit:     ea4f4fa195aa079306669e20f23a271825a0e7a7
Author:     David Sugar <dsugar <AT> tresys <DOT> com>
AuthorDate: Fri Nov 16 17:43:25 2018 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Nov 18 10:56:47 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ea4f4fa1

Interface to read cron_system_spool_t

Useful for the case that manage isn't required.

Signed-off-by: Dave Sugar <dsugar <AT> tresys.com>
Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

 policy/modules/services/cron.if | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if
index 7bb6065b..87f8322b 100644
--- a/policy/modules/services/cron.if
+++ b/policy/modules/services/cron.if
@@ -703,6 +703,26 @@ interface(`cron_manage_system_spool',`
 	manage_files_pattern($1, system_cron_spool_t, system_cron_spool_t)
 ')
 
+########################################
+## <summary>
+##      Read the system spool.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`cron_read_system_spool',`
+	gen_require(`
+		type system_cron_spool_t;
+	')
+
+	cron_search_spool($1)
+	list_dirs_pattern($1, system_cron_spool_t, system_cron_spool_t)
+	read_files_pattern($1, system_cron_spool_t, system_cron_spool_t)
+')
+
 ########################################
 ## <summary>
 ##      Read and write crond temporary files.
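Review bot: the summary "Read the system spool." is vaguer than the neighbouring "Read and write crond temporary files."; say "Read system cron spool files." so the generated interface documentation distinguishes it from the user spool interfaces. The body is fine: cron_search_spool($1) supplies the traversal into the spool's parent directory that the read rules need, and list_dirs_pattern plus read_files_pattern is the read-only subset of the manage_files_pattern used by cron_manage_system_spool just above.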



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2018-12-09 11:48 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2018-12-09 11:48 UTC (permalink / raw
  To: gentoo-commits

commit:     c86f9cdaa5be19e77c695aa94774bc06bedbca3b
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Nov 17 23:50:18 2018 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Nov 18 10:56:47 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c86f9cda

dnsmasq: Module version bump.

Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

 policy/modules/services/dnsmasq.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/services/dnsmasq.te b/policy/modules/services/dnsmasq.te
index 29d34c13..4d78450a 100644
--- a/policy/modules/services/dnsmasq.te
+++ b/policy/modules/services/dnsmasq.te
@@ -1,4 +1,4 @@
-policy_module(dnsmasq, 1.16.0)
+policy_module(dnsmasq, 1.16.1)
 
 ########################################
 #



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2018-12-09 11:48 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2018-12-09 11:48 UTC (permalink / raw
  To: gentoo-commits

commit:     fc20bbb5187bd1cb4527ebf38390d1a31b8593c4
Author:     David Sugar <dsugar <AT> tresys <DOT> com>
AuthorDate: Sat Nov 17 04:23:43 2018 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Nov 18 10:56:47 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=fc20bbb5

Add interfaces to control ntpd_unit_t systemd services

Signed-off-by: Dave Sugar <dsugar <AT> tresys.com>
Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

 policy/modules/services/ntp.if | 63 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 63 insertions(+)

diff --git a/policy/modules/services/ntp.if b/policy/modules/services/ntp.if
index 31f71108..ff85b74b 100644
--- a/policy/modules/services/ntp.if
+++ b/policy/modules/services/ntp.if
@@ -177,6 +177,69 @@ interface(`ntp_rw_shm',`
 	fs_search_tmpfs($1)
 ')
 
+########################################
+## <summary>
+##	Allow specified domain to enable/disable ntpd unit
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ntp_enabledisable',`
+	ifdef(`init_systemd',`
+		gen_require(`
+			type ntpd_unit_t;
+			class service { enable disable };
+		')
+
+		allow $1 ntpd_unit_t:service { enable disable };
+	')
+')
+
+########################################
+## <summary>
+##	Allow specified domain to start/stop ntpd unit
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ntp_startstop',`
+	ifdef(`init_systemd',`
+		gen_require(`
+			type ntpd_unit_t;
+			class service { start stop };
+		')
+
+		allow $1 ntpd_unit_t:service { start stop };
+	')
+')
+
+########################################
+## <summary>
+##	Allow specified domain to get status of ntpd unit
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ntp_status',`
+	ifdef(`init_systemd',`
+		gen_require(`
+			type ntpd_unit_t;
+			class service status;
+		')
+
+		allow $1 ntpd_unit_t:service status;
+	')
+')
+
 ########################################
 ## <summary>
 ##	All of the rules required to
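Review bot: all three interfaces are wrapped in ifdef(`init_systemd'), so on a non-systemd build a caller gets a silent no-op rather than a build error; that is the usual refpolicy convention for unit-file rules, but it is worth stating in each summary. The paired grants are also coarser than the names suggest: a domain that only needs to start ntpd also receives stop, and enable always comes with disable. If a caller such as a restricted admin role needs only one direction, splitting the interfaces keeps the grant minimal.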



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2019-02-10  4:14 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2019-02-10  4:14 UTC (permalink / raw
  To: gentoo-commits

commit:     1463b90ab62ddfcfa18e9a08f04e7dd3a7e200a5
Author:     Alexander Miroshnichenko <alex <AT> millerson <DOT> name>
AuthorDate: Tue Jan 29 19:01:52 2019 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Feb 10 04:11:25 2019 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1463b90a

Add hostapd service module

Add a SELinux Reference Policy module for the hostapd
IEEE 802.11 wireless LAN Host AP daemon.

Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

 policy/modules/services/hostapd.fc |  7 +++++
 policy/modules/services/hostapd.if |  1 +
 policy/modules/services/hostapd.te | 56 ++++++++++++++++++++++++++++++++++++++
 3 files changed, 64 insertions(+)

diff --git a/policy/modules/services/hostapd.fc b/policy/modules/services/hostapd.fc
new file mode 100644
index 00000000..83583a77
--- /dev/null
+++ b/policy/modules/services/hostapd.fc
@@ -0,0 +1,7 @@
+/usr/sbin/hostapd               --      gen_context(system_u:object_r:hostapd_exec_t,s0)
+
+/var/run/hostapd(/.*)?          gen_context(system_u:object_r:hostapd_var_run_t,s0)
+
+/etc/hostapd(/.*)?          gen_context(system_u:object_r:hostapd_conf_t,s0)
+
+/run/hostapd.pid                --      gen_context(system_u:object_r:hostapd_var_run_t,s0)
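Review bot: the runtime paths mix /var/run/hostapd(/.*)? with /run/hostapd.pid; pick one prefix and use it for both entries so the file contexts stay consistent whichever of the two the build treats as canonical. The /etc/hostapd(/.*)? line is also not column-aligned with its neighbours. Its type, hostapd_conf_t, is declared with files_type() in hostapd.te, whereas the redis module in this same series declares redis_conf_t with files_config_file(); the latter is what makes the type visible to the generic config-file interfaces, so consider using it here too.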

diff --git a/policy/modules/services/hostapd.if b/policy/modules/services/hostapd.if
new file mode 100644
index 00000000..fce874d2
--- /dev/null
+++ b/policy/modules/services/hostapd.if
@@ -0,0 +1 @@
+## <summary>IEEE 802.11 wireless LAN Host AP daemon.</summary>

diff --git a/policy/modules/services/hostapd.te b/policy/modules/services/hostapd.te
new file mode 100644
index 00000000..2db1e7de
--- /dev/null
+++ b/policy/modules/services/hostapd.te
@@ -0,0 +1,56 @@
+policy_module(hostapd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type hostapd_t;
+type hostapd_exec_t;
+init_daemon_domain(hostapd_t, hostapd_exec_t)
+
+type hostapd_var_run_t;
+files_pid_file(hostapd_var_run_t)
+
+type hostapd_conf_t;
+files_type(hostapd_conf_t)
+
+########################################
+#
+# hostapd local policy
+#
+
+allow hostapd_t self:capability { fsetid chown net_admin net_raw dac_read_search dac_override };
+allow hostapd_t self:fifo_file rw_fifo_file_perms;
+allow hostapd_t self:unix_stream_socket create_stream_socket_perms;
+allow hostapd_t self:netlink_socket create_socket_perms;
+allow hostapd_t self:netlink_generic_socket create_socket_perms;
+allow hostapd_t self:netlink_route_socket create_netlink_socket_perms;
+allow hostapd_t self:packet_socket create_socket_perms;
+
+manage_dirs_pattern(hostapd_t, hostapd_var_run_t, hostapd_var_run_t)
+manage_files_pattern(hostapd_t, hostapd_var_run_t, hostapd_var_run_t)
+manage_lnk_files_pattern(hostapd_t, hostapd_var_run_t, hostapd_var_run_t)
+manage_sock_files_pattern(hostapd_t, hostapd_var_run_t, hostapd_var_run_t)
+files_pid_filetrans(hostapd_t, hostapd_var_run_t, { dir file lnk_file sock_file })
+
+read_files_pattern(hostapd_t, hostapd_conf_t, hostapd_conf_t)
+
+kernel_read_system_state(hostapd_t)
+kernel_read_network_state(hostapd_t)
+kernel_request_load_module(hostapd_t)
+kernel_rw_net_sysctls(hostapd_t)
+dev_rw_sysfs(hostapd_t)
+
+dev_read_rand(hostapd_t)
+dev_read_urand(hostapd_t)
+dev_read_sysfs(hostapd_t)
+dev_rw_wireless(hostapd_t)
+
+domain_use_interactive_fds(hostapd_t)
+
+auth_use_nsswitch(hostapd_t)
+
+logging_send_syslog_msg(hostapd_t)
+
+miscfiles_read_localization(hostapd_t)
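Review bot: the self:capability line grants chown, fsetid, dac_override and dac_read_search together, and nothing in the rules below shows which file operations need them; dac_override in particular is often requested only because a file is mislabelled. The commit message carries no AVC records, so please add the denials that motivated each capability, or drop the speculative ones. Minor: dev_rw_sysfs(hostapd_t) sits in the kernel_ block while dev_read_sysfs(hostapd_t) sits four lines later with the other dev_ calls; keep the dev_ calls together, and note that dev_rw_sysfs already covers what dev_read_sysfs grants.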



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2019-02-10  4:14 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2019-02-10  4:14 UTC (permalink / raw
  To: gentoo-commits

commit:     786c0036013ee91c6b77dfe509f10537fa38d2e6
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Tue Jan 29 23:58:08 2019 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Feb 10 04:11:25 2019 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=786c0036

hostapd: Whitespace change.

Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

 policy/modules/services/hostapd.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/services/hostapd.te b/policy/modules/services/hostapd.te
index 2db1e7de..ce6e352d 100644
--- a/policy/modules/services/hostapd.te
+++ b/policy/modules/services/hostapd.te
@@ -40,8 +40,8 @@ kernel_read_system_state(hostapd_t)
 kernel_read_network_state(hostapd_t)
 kernel_request_load_module(hostapd_t)
 kernel_rw_net_sysctls(hostapd_t)
-dev_rw_sysfs(hostapd_t)
 
+dev_rw_sysfs(hostapd_t)
 dev_read_rand(hostapd_t)
 dev_read_urand(hostapd_t)
 dev_read_sysfs(hostapd_t)



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2019-02-10  4:14 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2019-02-10  4:14 UTC (permalink / raw
  To: gentoo-commits

commit:     d5238cafa6c1b972527056af9a61ae2052ccbe2c
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Thu Jan 24 00:01:37 2019 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Feb 10 04:11:25 2019 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d5238caf

dovecot: Move lines.

Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

 policy/modules/services/dovecot.te | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
index bee63714..f23cee27 100644
--- a/policy/modules/services/dovecot.te
+++ b/policy/modules/services/dovecot.te
@@ -288,12 +288,6 @@ tunable_policy(`dovecot_can_connect_db',`
         corenet_tcp_sendrecv_oracledb_port(dovecot_auth_t)
 ')
 
-optional_policy(`
-	userdom_list_user_tmp(dovecot_auth_t)
-	userdom_read_user_tmp_files(dovecot_auth_t)
-	userdom_read_user_tmp_symlinks(dovecot_auth_t)
-')
-
 optional_policy(`
         tunable_policy(`dovecot_can_connect_db',`
 		mysql_stream_connect(dovecot_auth_t)
@@ -302,6 +296,15 @@ optional_policy(`
 	')
 ')
 
+optional_policy(`
+	nis_authenticate(dovecot_auth_t)
+')
+
+optional_policy(`
+	postfix_manage_private_sockets(dovecot_auth_t)
+	postfix_search_spool(dovecot_auth_t)
+')
+
 optional_policy(`
         postgresql_unpriv_client(dovecot_auth_t)
 
@@ -312,12 +315,9 @@ optional_policy(`
 ')
 
 optional_policy(`
-	nis_authenticate(dovecot_auth_t)
-')
-
-optional_policy(`
-	postfix_manage_private_sockets(dovecot_auth_t)
-	postfix_search_spool(dovecot_auth_t)
+	userdom_list_user_tmp(dovecot_auth_t)
+	userdom_read_user_tmp_files(dovecot_auth_t)
+	userdom_read_user_tmp_symlinks(dovecot_auth_t)
 ')
 
 ########################################



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2019-02-10  4:14 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2019-02-10  4:14 UTC (permalink / raw
  To: gentoo-commits

commit:     7f5efa7ad3cefbd2051462310741d939d23c32b9
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Jan 30 23:46:07 2019 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Feb 10 04:11:25 2019 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7f5efa7a

redis: Move line.

Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

 policy/modules/services/redis.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/services/redis.te b/policy/modules/services/redis.te
index 0878fb8f..bfd4f417 100644
--- a/policy/modules/services/redis.te
+++ b/policy/modules/services/redis.te
@@ -41,10 +41,10 @@ manage_files_pattern(redis_t, redis_log_t, redis_log_t)
 manage_lnk_files_pattern(redis_t, redis_log_t, redis_log_t)
 logging_log_filetrans(redis_t, redis_log_t, dir)
 
-files_search_var_lib(redis_t)
 manage_dirs_pattern(redis_t, redis_var_lib_t, redis_var_lib_t)
 manage_files_pattern(redis_t, redis_var_lib_t, redis_var_lib_t)
 manage_lnk_files_pattern(redis_t, redis_var_lib_t, redis_var_lib_t)
+files_search_var_lib(redis_t)
 
 manage_dirs_pattern(redis_t, redis_var_run_t, redis_var_run_t)
 manage_files_pattern(redis_t, redis_var_run_t, redis_var_run_t)



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2019-02-10  4:14 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2019-02-10  4:14 UTC (permalink / raw
  To: gentoo-commits

commit:     303fcd28bebfc54c808007492968b1e554cea5ed
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Jan 30 23:46:28 2019 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Feb 10 04:11:25 2019 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=303fcd28

redis: Module version bump.

Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

 policy/modules/services/redis.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/services/redis.te b/policy/modules/services/redis.te
index bfd4f417..962b8eb7 100644
--- a/policy/modules/services/redis.te
+++ b/policy/modules/services/redis.te
@@ -1,4 +1,4 @@
-policy_module(redis, 1.6.0)
+policy_module(redis, 1.6.1)
 
 ########################################
 #



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2019-02-10  4:14 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2019-02-10  4:14 UTC (permalink / raw
  To: gentoo-commits

commit:     3c0924b50a0d475522b1c1ad5f0f1a511a718797
Author:     Alexander Miroshnichenko <alex <AT> millerson <DOT> name>
AuthorDate: Wed Jan 30 13:21:58 2019 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Feb 10 04:11:25 2019 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3c0924b5

minor updates to redis module to be able to start the app

Signed-off-by: Alexander Miroshnichenko <alex <AT> millerson.name>
Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

 policy/modules/services/redis.te | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/policy/modules/services/redis.te b/policy/modules/services/redis.te
index afb5ba87..0878fb8f 100644
--- a/policy/modules/services/redis.te
+++ b/policy/modules/services/redis.te
@@ -29,7 +29,7 @@ files_config_file(redis_conf_t)
 # Local policy
 #
 
-allow redis_t self:process { setrlimit signal_perms };
+allow redis_t self:process { setrlimit signal_perms getsched };
 allow redis_t self:fifo_file rw_fifo_file_perms;
 allow redis_t self:unix_stream_socket create_stream_socket_perms;
 allow redis_t self:tcp_socket create_stream_socket_perms;
@@ -41,6 +41,7 @@ manage_files_pattern(redis_t, redis_log_t, redis_log_t)
 manage_lnk_files_pattern(redis_t, redis_log_t, redis_log_t)
 logging_log_filetrans(redis_t, redis_log_t, dir)
 
+files_search_var_lib(redis_t)
 manage_dirs_pattern(redis_t, redis_var_lib_t, redis_var_lib_t)
 manage_files_pattern(redis_t, redis_var_lib_t, redis_var_lib_t)
 manage_lnk_files_pattern(redis_t, redis_var_lib_t, redis_var_lib_t)
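Review bot: getsched is added to self:process and files_search_var_lib(redis_t) is introduced without the AVC records that motivated them; the other commits in this batch paste the denials into the message, and doing the same here lets a later reader confirm which operation each rule serves. files_search_var_lib is placed before the manage_dirs_pattern line; the separate "redis: Move line." commit in this thread then moves it after the pattern rules, so the two could have been squashed.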



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2019-02-10  4:14 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2019-02-10  4:14 UTC (permalink / raw
  To: gentoo-commits

commit:     856f682f59535221d6900d838eeccaf42e94d2c2
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Tue Jan 29 23:58:20 2019 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Feb 10 04:11:25 2019 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=856f682f

hostapd: Move line.

Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

 policy/modules/services/hostapd.te | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/services/hostapd.te b/policy/modules/services/hostapd.te
index ce6e352d..5a961054 100644
--- a/policy/modules/services/hostapd.te
+++ b/policy/modules/services/hostapd.te
@@ -28,14 +28,14 @@ allow hostapd_t self:netlink_generic_socket create_socket_perms;
 allow hostapd_t self:netlink_route_socket create_netlink_socket_perms;
 allow hostapd_t self:packet_socket create_socket_perms;
 
+read_files_pattern(hostapd_t, hostapd_conf_t, hostapd_conf_t)
+
 manage_dirs_pattern(hostapd_t, hostapd_var_run_t, hostapd_var_run_t)
 manage_files_pattern(hostapd_t, hostapd_var_run_t, hostapd_var_run_t)
 manage_lnk_files_pattern(hostapd_t, hostapd_var_run_t, hostapd_var_run_t)
 manage_sock_files_pattern(hostapd_t, hostapd_var_run_t, hostapd_var_run_t)
 files_pid_filetrans(hostapd_t, hostapd_var_run_t, { dir file lnk_file sock_file })
 
-read_files_pattern(hostapd_t, hostapd_conf_t, hostapd_conf_t)
-
 kernel_read_system_state(hostapd_t)
 kernel_read_network_state(hostapd_t)
 kernel_request_load_module(hostapd_t)



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2019-03-26 10:17 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2019-03-26 10:17 UTC (permalink / raw
  To: gentoo-commits

commit:     9e14807a1e8fda9bff75b262cde1a9d3b92ba381
Author:     Sugar, David <dsugar <AT> tresys <DOT> com>
AuthorDate: Wed Mar 20 00:20:34 2019 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Mar 25 10:05:25 2019 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9e14807a

Allow ntpd to update chronyd service

type=USER_AVC msg=audit(1553013917.361:9938): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { disable } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/chronyd.service" cmdline="/usr/lib/systemd/systemd-timedated" scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:chronyd_unit_t:s0 tclass=service  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?
type=USER_AVC msg=audit(1553013917.406:9943): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { stop } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/chronyd.service" cmdline="/usr/lib/systemd/systemd-timedated" scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:chronyd_unit_t:s0 tclass=service  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1553021100.061:9970): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { enable } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/chronyd.service" cmdline="/usr/lib/systemd/systemd-timedated" scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:chronyd_unit_t:s0 tclass=service  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1553021100.104:9973): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/chronyd.service" cmdline="/usr/lib/systemd/systemd-timedated" scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:chronyd_unit_t:s0 tclass=service  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

Signed-off-by: Dave Sugar <dsugar <AT> tresys.com>
Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

 policy/modules/services/ntp.te | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te
index f281090f..f2df01a5 100644
--- a/policy/modules/services/ntp.te
+++ b/policy/modules/services/ntp.te
@@ -155,6 +155,11 @@ ifdef(`init_systemd',`
 	# for /run/systemd/netif/links
 	systemd_list_networkd_runtime(ntpd_t)
 
+	optional_policy(`
+		chronyd_enabledisable(ntpd_t)
+		chronyd_startstop(ntpd_t)
+	')
+
 	optional_policy(`
 		unconfined_dbus_send(ntpd_t)
 	')
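Review bot: the four USER_AVC records show the actor is systemd-timedated (cmdline="/usr/lib/systemd/systemd-timedated") running in ntpd_t, not the NTP daemon itself, yet the fix grants the whole ntpd_t domain enable/disable/start/stop on chronyd_unit_t. That lets any ntpd_t process stop or disable the alternative time service. If timedated is going to keep driving unit operations, a dedicated timedated domain would keep that authority away from the network-facing daemon; short of that, a comment above the optional_policy block saying the rules exist for timedated would stop the next reader from widening them further.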



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2019-03-26 10:17 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2019-03-26 10:17 UTC (permalink / raw
  To: gentoo-commits

commit:     fc9d8ff11e412d7bf6d8a126c5ec3a0733020d1e
Author:     Sugar, David <dsugar <AT> tresys <DOT> com>
AuthorDate: Wed Mar 20 00:20:33 2019 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Mar 25 10:05:25 2019 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=fc9d8ff1

Add interface ntp_dbus_chat

type=USER_AVC msg=audit(1553013821.622:9900): pid=7377 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.timedate1 member=SetTimezone dest=org.freedesktop.timedate1 spid=16280 tpid=16281 scontext=sysadm_u:sysadm_r:settings_t:s0-s0:c0.c1023 tcontext=system_u:system_r:ntpd_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1553013821.625:9911): pid=7377 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.258 spid=16281 tpid=16280 scontext=system_u:system_r:ntpd_t:s0 tcontext=sysadm_u:sysadm_r:settings_t:s0-s0:c0.c1023 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

Signed-off-by: Dave Sugar <dsugar <AT> tresys.com>
Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

 policy/modules/services/ntp.if | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/policy/modules/services/ntp.if b/policy/modules/services/ntp.if
index ff85b74b..d64dd86b 100644
--- a/policy/modules/services/ntp.if
+++ b/policy/modules/services/ntp.if
@@ -79,6 +79,27 @@ interface(`ntp_run',`
 	roleattribute $2 ntpd_roles;
 ')
 
+########################################
+## <summary>
+##	Send and receive messages from
+##	ntpd over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ntp_dbus_chat',`
+	gen_require(`
+		type ntpd_t;
+		class dbus send_msg;
+	')
+
+	allow $1 ntpd_t:dbus send_msg;
+	allow ntpd_t $1:dbus send_msg;
+')
+
 ########################################
 ## <summary>
 ##	Execute ntpdate server in the ntpd domain.



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2019-03-26 10:17 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2019-03-26 10:17 UTC (permalink / raw
  To: gentoo-commits

commit:     0ff48e66b630898f591d1ddef992e4ee868715f4
Author:     Sugar, David <dsugar <AT> tresys <DOT> com>
AuthorDate: Wed Mar 20 00:20:34 2019 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Mar 25 10:05:25 2019 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0ff48e66

Allow ntpd to update timezone symlink

type=AVC msg=audit(1553013821.624:9907): avc:  denied  { create } for  pid=16281 comm="systemd-timedat" name=".#localtime69bc4c9ad513a247" scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file permissive=1
type=AVC msg=audit(1553013821.624:9908): avc:  denied  { rename } for  pid=16281 comm="systemd-timedat" name=".#localtime69bc4c9ad513a247" dev="dm-1" ino=714303 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file permissive=1
type=AVC msg=audit(1553013821.624:9908): avc:  denied  { unlink } for  pid=16281 comm="systemd-timedat" name="localtime" dev="dm-1" ino=1063377 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file permissive=1

Signed-off-by: Dave Sugar <dsugar <AT> tresys.com>
Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

 policy/modules/services/ntp.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te
index f2df01a5..bf8d46a4 100644
--- a/policy/modules/services/ntp.te
+++ b/policy/modules/services/ntp.te
@@ -118,6 +118,7 @@ dev_rw_realtime_clock(ntpd_t)
 domain_use_interactive_fds(ntpd_t)
 domain_dontaudit_list_all_domains_state(ntpd_t)
 
+files_manage_etc_symlinks(ntpd_t)
 files_read_etc_runtime_files(ntpd_t)
 files_read_usr_files(ntpd_t)
 files_list_var_lib(ntpd_t)
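Review bot: files_manage_etc_symlinks(ntpd_t) is wider than the denials: they show create, rename and unlink of the /etc/localtime symlink via a .#localtime temporary name, while the interface permits managing every lnk_file labelled etc_t. No narrower etc symlink interface is visible here, so this may be the best available, but the commit message should say why the new link ends up as etc_t (it is created under a temporary name in the etc_t directory and then renamed, so no file-context entry for /etc/localtime applies) and note that the actor, per comm="systemd-timedat", is again timedated running inside ntpd_t.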



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2019-03-26 10:17 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2019-03-26 10:17 UTC (permalink / raw
  To: gentoo-commits

commit:     b926696965951bb6543dabfbfe85eb469ffa2e51
Author:     Sugar, David <dsugar <AT> tresys <DOT> com>
AuthorDate: Thu Mar 21 18:29:27 2019 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Mar 25 10:05:25 2019 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b9266969

Resolve denial about logging to journal from dbus

type=AVC msg=audit(1553013821.597:9897): avc:  denied  { sendto } for  pid=7377 comm="dbus-daemon" path="/dev/log" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1

Signed-off-by: Dave Sugar <dsugar <AT> tresys.com>
Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

 policy/modules/services/dbus.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index ae85b7ef..cfe63c4a 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -168,6 +168,9 @@ ifdef(`init_systemd', `
 	# for /run/systemd/dynamic-uid/
 	init_list_pids(system_dbusd_t)
 	init_read_runtime_symlinks(system_dbusd_t)
+
+	# for journald /dev/log
+	kernel_dgram_send(system_dbusd_t)
 ')
 
 optional_policy(`
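Review bot: the comment "for journald /dev/log" does not explain the target: the AVC shows tcontext=system_u:system_r:kernel_t:s0 on unix_dgram_socket, i.e. the /dev/log socket belongs to a kernel_t process, which is why kernel_dgram_send() is used here instead of logging_send_syslog_msg(). Say that in the comment so nobody later "fixes" it to the logging interface and reintroduces the denial.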



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2019-07-13  7:01 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2019-07-13  7:01 UTC (permalink / raw
  To: gentoo-commits

commit:     eeb241f1c72608674a22fdd992c29709dc52b00f
Author:     Dave Sugar <dsugar <AT> tresys <DOT> com>
AuthorDate: Sun Apr 28 14:28:51 2019 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Jul 13 06:43:14 2019 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=eeb241f1

create interfaces for NetworkManager units

Create interfaces to allow start/stop, enable/disable
and status of NetworkManager systemd unit

Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

 policy/modules/services/networkmanager.if | 57 +++++++++++++++++++++++++++++++
 1 file changed, 57 insertions(+)

diff --git a/policy/modules/services/networkmanager.if b/policy/modules/services/networkmanager.if
index 371ebfbd..39ff8cc0 100644
--- a/policy/modules/services/networkmanager.if
+++ b/policy/modules/services/networkmanager.if
@@ -293,6 +293,63 @@ interface(`networkmanager_stream_connect',`
 	stream_connect_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t, NetworkManager_t)
 ')
 
+########################################
+## <summary>
+##	Allow specified domain to enable/disable NetworkManager units
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`networkmanager_enabledisable',`
+	gen_require(`
+		type NetworkManager_unit_t;
+		class service { enable disable };
+	')
+
+	allow $1 NetworkManager_unit_t:service { enable disable };
+')
+
+########################################
+## <summary>
+##	Allow specified domain to start/stop NetworkManager units
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`networkmanager_startstop',`
+	gen_require(`
+		type NetworkManager_unit_t;
+		class service { start stop };
+	')
+
+	allow $1 NetworkManager_unit_t:service { start stop };
+')
+
+########################################
+## <summary>
+##	Allow specified domain to get status of NetworkManager
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`networkmanager_status',`
+	gen_require(`
+		type NetworkManager_unit_t;
+		class service status;
+	')
+
+	allow $1 NetworkManager_unit_t:service status;
+')
+
 ########################################
 ## <summary>
 ##	All of the rules required to
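Review bot: unlike the ntp_enabledisable, ntp_startstop and ntp_status interfaces added earlier in this thread, these three are not wrapped in ifdef(`init_systemd'). If NetworkManager_unit_t is declared only under that ifdef in networkmanager.te, any caller on a non-systemd build fails at gen_require; either wrap the bodies the same way or confirm the type is declared unconditionally. The same least-privilege remark applies: start and stop travel together, as do enable and disable.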



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2019-07-13  7:01 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2019-07-13  7:01 UTC (permalink / raw
  To: gentoo-commits

commit:     a59bba5a73324e8d769dd47bb44353784a27f416
Author:     Chris PeBenito <Christopher.PeBenito <AT> microsoft <DOT> com>
AuthorDate: Tue May 28 14:02:31 2019 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Jul 13 06:43:14 2019 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a59bba5a

apache: Web content rules simplification.

Signed-off-by: Chris PeBenito <Christopher.PeBenito <AT> microsoft.com>
Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

 policy/modules/services/apache.fc |  3 ++-
 policy/modules/services/apache.if | 24 ++----------------------
 policy/modules/services/apache.te | 27 +++++++++++++++++++++++++++
 3 files changed, 31 insertions(+), 23 deletions(-)

diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc
index f3202453..36bff004 100644
--- a/policy/modules/services/apache.fc
+++ b/policy/modules/services/apache.fc
@@ -179,7 +179,8 @@ ifdef(`distro_suse',`
 /var/spool/viewvc(/.*)?						gen_context(system_u:object_r:httpd_sys_rw_content_t, s0)
 
 /var/www(/.*)?							gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/var/www(/.*)?/logs(/.*)?					gen_context(system_u:object_r:httpd_sys_ra_content_t,s0)
+/var/www(/.*)?/logs					-d	gen_context(system_u:object_r:httpd_sys_ra_content_t,s0)
+/var/www(/.*)?/logs/.*						gen_context(system_u:object_r:httpd_sys_ra_content_t,s0)
 /var/www(/.*)?/roundcubemail/logs(/.*)?				gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 /var/www(/.*)?/roundcubemail/temp(/.*)?				gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 /var/www/[^/]*/cgi-bin(/.*)?					gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
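Review bot: this hunk changes labelling, not just presentation, and the commit message ("Web content rules simplification") does not mention it: the old single pattern `/var/www(/.*)?/logs(/.*)?` matched a plain file named `logs` as well as the directory, while the new `-d` line plus `/var/www(/.*)?/logs/.*` labels only the directory and its contents `httpd_sys_ra_content_t`, so a regular file called `logs` now falls back to `httpd_sys_content_t`. Either split this into its own commit or add a sentence explaining the intent.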

diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
index 94878d66..2934337b 100644
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@@ -15,7 +15,7 @@ template(`apache_content_template',`
 	gen_require(`
 		attribute httpdcontent, httpd_exec_scripts, httpd_script_exec_type;
 		attribute httpd_script_domains, httpd_htaccess_type;
-		attribute httpd_rw_content, httpd_ra_content;
+		attribute httpd_ro_content, httpd_rw_content, httpd_ra_content;
 		type httpd_t, httpd_suexec_t;
 	')
 
@@ -34,7 +34,7 @@ template(`apache_content_template',`
 	## </desc>
 	gen_tunable(allow_httpd_$1_script_anon_write, false)
 
-	type httpd_$1_content_t, httpdcontent; # customizable
+	type httpd_$1_content_t, httpdcontent, httpd_ro_content; # customizable
 	typealias httpd_$1_content_t alias httpd_$1_script_ro_t;
 	files_type(httpd_$1_content_t)
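Review bot: `httpd_$1_content_t` now carries both `httpdcontent` and `httpd_ro_content`, and `# customizable` is the only documentation of the type's role; a short comment on what `httpd_ro_content` adds (unconditional read by `httpd_t` and `httpd_suexec_t` in apache.te, versus the `httpd_builtin_scripting`-gated read on `httpdcontent`) would help the next reader understand why two attributes exist.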
 
@@ -79,30 +79,10 @@ template(`apache_content_template',`
 	manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
 	files_tmp_filetrans(httpd_$1_script_t, httpd_$1_rw_content_t, { dir file lnk_file sock_file fifo_file })
 
-	allow { httpd_t httpd_suexec_t } httpd_$1_content_t:dir list_dir_perms;
-	allow { httpd_t httpd_suexec_t } { httpd_$1_content_t httpd_$1_htaccess_t }:file read_file_perms;
-	allow { httpd_t httpd_suexec_t } httpd_$1_content_t:lnk_file read_lnk_file_perms;
-
 	tunable_policy(`allow_httpd_$1_script_anon_write',`
 		miscfiles_manage_public_files(httpd_$1_script_t)
 	')
 
-	tunable_policy(`httpd_builtin_scripting',`
-		manage_dirs_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
-		manage_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
-		manage_fifo_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
-		manage_lnk_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
-		manage_sock_files_pattern(httpd_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
-
-		allow httpd_t httpd_$1_ra_content_t:dir { list_dir_perms add_entry_dir_perms setattr_dir_perms };
-		allow httpd_t httpd_$1_ra_content_t:file { append_file_perms read_file_perms create_file_perms setattr_file_perms };
-		allow httpd_t httpd_$1_ra_content_t:lnk_file read_lnk_file_perms;
-	')
-
-	tunable_policy(`httpd_builtin_scripting && httpd_tmp_exec',`
-		can_exec(httpd_t, httpd_$1_rw_content_t)
-	')
-
 	tunable_policy(`httpd_enable_cgi',`
 		allow httpd_$1_script_t httpd_$1_script_exec_t:file entrypoint;
 		domtrans_pattern({ httpd_t httpd_suexec_t httpd_exec_scripts }, httpd_$1_script_exec_t, httpd_$1_script_t)
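Review bot: the removed rules granted `{ httpd_t httpd_suexec_t }` read access on the template's own `httpd_$1_htaccess_t` and `httpd_$1_content_t`, whereas the replacements in apache.te are keyed on the attributes `httpd_htaccess_type` and `httpd_ro_content`, so the two are equivalent only for types that carry those attributes. This template assigns `httpd_ro_content` above, but any htaccess or content type declared outside the template must be checked for the attribute or it silently loses read access. The converse also holds and belongs in the commit message: any future type given `httpd_rw_content` is now manageable (and, with `httpd_tmp_exec`, executable) by `httpd_t` without a per-type rule.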

diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
index ee95b305..e87a74ac 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -258,6 +258,7 @@ attribute httpd_htaccess_type;
 attribute httpd_exec_scripts;
 
 attribute httpd_ra_content;
+attribute httpd_ro_content;
 attribute httpd_rw_content;
 
 attribute httpd_script_exec_type;
@@ -400,6 +401,12 @@ allow httpd_t httpd_config_t:dir list_dir_perms;
 read_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
 read_lnk_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
 
+allow httpd_t httpd_htaccess_type:file read_file_perms;
+
+allow httpd_t httpd_ro_content:dir list_dir_perms;
+allow httpd_t httpd_ro_content:file read_file_perms;
+allow httpd_t httpd_ro_content:lnk_file read_lnk_file_perms;
+
 allow httpd_t httpd_keytab_t:file read_file_perms;
 
 allow httpd_t httpd_lock_t:dir manage_dir_perms;
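Review bot: the new `httpd_ro_content` read rules are unconditional, while the `httpd_builtin_scripting` block further down still grants `httpd_t` the same list/read on `httpdcontent`; since the template gives `httpd_$1_content_t` both attributes, the tunable-gated copy is now redundant for those types. That is not wrong (it preserves the old per-template unconditional read), but a comment on the intended difference between the two attributes would stop someone from "cleaning up" the wrong rule later.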
@@ -597,6 +604,20 @@ tunable_policy(`httpd_builtin_scripting',`
 	allow httpd_t httpdcontent:dir list_dir_perms;
 	allow httpd_t httpdcontent:file read_file_perms;
 	allow httpd_t httpdcontent:lnk_file read_lnk_file_perms;
+
+	allow httpd_t httpd_ra_content:dir { list_dir_perms add_entry_dir_perms setattr_dir_perms };
+	allow httpd_t httpd_ra_content:file { append_file_perms read_file_perms create_file_perms setattr_file_perms };
+	allow httpd_t httpd_ra_content:lnk_file read_lnk_file_perms;
+
+	manage_dirs_pattern(httpd_t, httpd_rw_content, httpd_rw_content)
+	manage_files_pattern(httpd_t, httpd_rw_content, httpd_rw_content)
+	manage_fifo_files_pattern(httpd_t, httpd_rw_content, httpd_rw_content)
+	manage_lnk_files_pattern(httpd_t, httpd_rw_content, httpd_rw_content)
+	manage_sock_files_pattern(httpd_t, httpd_rw_content, httpd_rw_content)
+')
+
+tunable_policy(`httpd_builtin_scripting && httpd_tmp_exec',`
+	can_exec(httpd_t, httpd_rw_content)
 ')
 
 tunable_policy(`httpd_enable_cgi',`
@@ -945,6 +966,12 @@ allow httpd_suexec_t self:fifo_file rw_fifo_file_perms;
 allow httpd_suexec_t self:tcp_socket { accept listen };
 allow httpd_suexec_t self:unix_stream_socket { accept listen };
 
+allow httpd_suexec_t httpd_htaccess_type:file read_file_perms;
+
+allow httpd_suexec_t httpd_ro_content:dir list_dir_perms;
+allow httpd_suexec_t httpd_ro_content:file read_file_perms;
+allow httpd_suexec_t httpd_ro_content:lnk_file read_lnk_file_perms;
+
 create_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
 append_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)
 read_files_pattern(httpd_suexec_t, httpd_log_t, httpd_log_t)


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2019-07-13  7:01 Jason Zaman
From: Jason Zaman @ 2019-07-13  7:01 UTC
  To: gentoo-commits

commit:     61bdf57fff0381f5d1b78ee6ae6030a84750db20
Author:     Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Fri May  3 10:25:00 2019 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Jul 13 06:43:14 2019 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=61bdf57f

Add dovecot to listen to LMTP port

Mail can be injected into dovecot directly using LMTP

Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

 policy/modules/services/dovecot.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
index 8b45f5c3..4f2c38bf 100644
--- a/policy/modules/services/dovecot.te
+++ b/policy/modules/services/dovecot.te
@@ -148,6 +148,8 @@ corenet_tcp_sendrecv_generic_node(dovecot_t)
 corenet_tcp_sendrecv_all_ports(dovecot_t)
 corenet_tcp_bind_generic_node(dovecot_t)
 
+corenet_sendrecv_lmtp_server_packets(dovecot_t)
+corenet_tcp_bind_lmtp_port(dovecot_t)
 corenet_sendrecv_mail_server_packets(dovecot_t)
 corenet_tcp_bind_mail_port(dovecot_t)
 corenet_sendrecv_pop_server_packets(dovecot_t)
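Review bot: no denial is quoted and the message does not say which listener opens the TCP port; add the AVC, or a note that LMTP is exposed through dovecot's `inet_listener`, so the reason for the unconditional bind is on record. The placement (lmtp before mail and pop) keeps the file's alphabetical order.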


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2019-12-16 17:48 Jason Zaman
From: Jason Zaman @ 2019-12-16 17:48 UTC
  To: gentoo-commits

commit:     49aea25fb6c9a842294f966c236b215dde8925fb
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Oct 12 15:38:52 2019 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Dec 16 13:13:11 2019 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=49aea25f

xserver: Move XDM dbus chats under main dbus optional.

Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/xserver.te | 25 +++++++++++++------------
 1 file changed, 13 insertions(+), 12 deletions(-)

diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 1adac371..1553454a 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -1,4 +1,4 @@
-policy_module(xserver, 3.18.1)
+policy_module(xserver, 3.18.2)
 
 gen_require(`
 	class x_drawable all_x_drawable_perms;
@@ -514,14 +514,6 @@ optional_policy(`
 	alsa_domtrans(xdm_t)
 ')
 
-optional_policy(`
-	colord_dbus_chat(xdm_t)
-')
-
-optional_policy(`
-	consolekit_dbus_chat(xdm_t)
-')
-
 optional_policy(`
 	consoletype_exec(xdm_t)
 ')
@@ -537,14 +529,23 @@ optional_policy(`
 		accountsd_dbus_chat(xdm_t)
 	')
 
+	optional_policy(`
+		colord_dbus_chat(xdm_t)
+	')
+
+	optional_policy(`
+		consolekit_dbus_chat(xdm_t)
+	')
+
+	optional_policy(`
+		devicekit_dbus_chat_power(xdm_t)
+	')
+
 	optional_policy(`
 		systemd_read_logind_pids(xdm_t)
 	')
 ')
 
-optional_policy(`
-	devicekit_dbus_chat_power(xdm_t)
-')
 
 optional_policy(`
 	gnome_spec_domtrans_all_gkeyringd(xdm_t)
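Review bot: removing the top-level `devicekit_dbus_chat_power` block leaves two consecutive blank lines between the closing `')` and the `gnome_spec_domtrans_all_gkeyringd` block (the context blank line above the removal plus the one below it); drop one. The move itself is right: the `*_dbus_chat` interfaces are only usable when the dbus policy is loaded, so nesting them under the dbus `optional_policy` expresses that dependency instead of leaving it implicit.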


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2019-12-16 17:48 Jason Zaman
From: Jason Zaman @ 2019-12-16 17:48 UTC
  To: gentoo-commits

commit:     37542ac09fb256f61633b16f5173a68605dfce72
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Oct 12 15:36:54 2019 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Dec 16 13:13:11 2019 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=37542ac0

xserver: Remove duplicate colord rule.

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/xserver.te | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 5948205a..1adac371 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -518,10 +518,6 @@ optional_policy(`
 	colord_dbus_chat(xdm_t)
 ')
 
-optional_policy(`
-	colord_dbus_chat(xdm_t)
-')
-
 optional_policy(`
 	consolekit_dbus_chat(xdm_t)
 ')


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2019-12-16 17:48 Jason Zaman
From: Jason Zaman @ 2019-12-16 17:48 UTC
  To: gentoo-commits

commit:     bc0f3d5ffd39f0ffe8fc386fbb619337f3923718
Author:     Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Sat Oct  5 11:27:24 2019 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Dec 16 13:13:11 2019 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=bc0f3d5f

Allow realmd_t to read localization files

----
time->Sat Oct  5 13:11:40 2019
type=AVC msg=audit(1570273900.483:148): avc:  denied  { open } for  pid=1382 comm="realmd" path="/etc/locale.alias" dev="dm-1" ino=1047048 scontext=system_u:system_r:realmd_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=file permissive=1
type=AVC msg=audit(1570273900.483:148): avc:  denied  { read } for  pid=1382 comm="realmd" name="locale.alias" dev="dm-1" ino=1047048 scontext=system_u:system_r:realmd_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=file permissive=1
type=AVC msg=audit(1570273900.483:148): avc:  denied  { read } for  pid=1382 comm="realmd" name="locale.alias" dev="dm-1" ino=262415 scontext=system_u:system_r:realmd_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=lnk_file permissive=1
type=AVC msg=audit(1570273900.483:148): avc:  denied  { search } for  pid=1382 comm="realmd" name="locale" dev="dm-1" ino=262056 scontext=system_u:system_r:realmd_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=dir permissive=1
----
time->Sat Oct  5 13:11:40 2019
type=AVC msg=audit(1570273900.483:149): avc:  denied  { getattr } for  pid=1382 comm="realmd" path="/etc/locale.alias" dev="dm-1" ino=1047048 scontext=system_u:system_r:realmd_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=file permissive=1
----

Signed-off-by: Laurent Bigonville <bigon <AT> bigon.be>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/realmd.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/policy/modules/services/realmd.te b/policy/modules/services/realmd.te
index 5bc878b2..841b02a4 100644
--- a/policy/modules/services/realmd.te
+++ b/policy/modules/services/realmd.te
@@ -44,6 +44,9 @@ auth_use_nsswitch(realmd_t)
 
 logging_send_syslog_msg(realmd_t)
 
+# Read /etc/locale.alias
+miscfiles_read_localization(realmd_t)
+
 optional_policy(`
 	dbus_system_domain(realmd_t, realmd_exec_t)
 


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2019-12-16 17:48 Jason Zaman
From: Jason Zaman @ 2019-12-16 17:48 UTC
  To: gentoo-commits

commit:     5aa9a2bef4cc2428c7d31dd892ad9f6d8b85c85e
Author:     Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Thu Oct  3 16:22:17 2019 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Dec 16 13:13:11 2019 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5aa9a2be

Allow the systemd dbus-daemon to talk to systemd

Recent versions of dbus are started as Type=notify

type=AVC msg=audit(03/10/19 15:32:40.347:64) : avc:  denied  { write } for  pid=809 comm=dbus-daemon name=notify dev="tmpfs" ino=1751 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:init_runtime_t:s0 tclass=sock_file permissive=1

Signed-off-by: Laurent Bigonville <bigon <AT> bigon.be>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/dbus.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index 3c422dd8..1d7123ba 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -165,6 +165,9 @@ ifdef(`init_systemd', `
 	# for /run/systemd/dynamic-uid/
 	init_list_pids(system_dbusd_t)
 	init_read_runtime_symlinks(system_dbusd_t)
+
+	# Recent versions of dbus are started as Type=notify
+	init_write_runtime_socket(system_dbusd_t)
 ')
 
 optional_policy(`
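Review bot: the denial is for the `notify` socket specifically, but `init_write_runtime_socket` grants write on every `sock_file` labelled `init_runtime_t`; that is the usual refpolicy granularity for sd_notify, so the inline comment should name the purpose ("sd_notify via /run/systemd/notify") rather than restating the commit message. Keeping the call inside `ifdef(`init_systemd')` is correct, since `Type=notify` only exists under systemd.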


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2019-12-16 17:48 Jason Zaman
From: Jason Zaman @ 2019-12-16 17:48 UTC
  To: gentoo-commits

commit:     826d79e436b5411db1e63fb2b1fde34e31f541ad
Author:     Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Fri Oct  4 14:13:02 2019 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Dec 16 13:13:11 2019 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=826d79e4

Allow geoclue to log in syslog

----
time->Thu Oct  3 17:16:40 2019
type=AVC msg=audit(1570115800.136:513): avc:  denied  { create } for  pid=1384 comm="geoclue" scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:system_r:geoclue_t:s0 tclass=unix_dgram_socket permissive=1
----
time->Thu Oct  3 17:16:40 2019
type=AVC msg=audit(1570115800.136:514): avc:  denied  { sendto } for  pid=1384 comm="geoclue" path="/run/systemd/journal/socket" scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:system_r:syslogd_t:s0 tclass=unix_dgram_socket permissive=1
type=AVC msg=audit(1570115800.136:514): avc:  denied  { write } for  pid=1384 comm="geoclue" name="socket" dev="tmpfs" ino=1781 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1570115800.136:514): avc:  denied  { search } for  pid=1384 comm="geoclue" name="journal" dev="tmpfs" ino=1777 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:syslogd_runtime_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1570115800.136:514): avc:  denied  { search } for  pid=1384 comm="geoclue" name="systemd" dev="tmpfs" ino=11001 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1570115800.136:514): avc:  denied  { write } for  pid=1384 comm="geoclue" scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:system_r:geoclue_t:s0 tclass=unix_dgram_socket permissive=1
----

Signed-off-by: Laurent Bigonville <bigon <AT> bigon.be>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/geoclue.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/services/geoclue.te b/policy/modules/services/geoclue.te
index c6e66408..a36bcb80 100644
--- a/policy/modules/services/geoclue.te
+++ b/policy/modules/services/geoclue.te
@@ -30,6 +30,8 @@ dev_read_urand(geoclue_t)
 
 auth_use_nsswitch(geoclue_t)
 
+logging_send_syslog_msg(geoclue_t)
+
 miscfiles_read_generic_certs(geoclue_t)
 miscfiles_read_localization(geoclue_t)
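Review bot: the quoted denials include `search` on the `init_runtime_t` (`/run/systemd`) and `syslogd_runtime_t` (`journal`) directories as well as the socket-level create/write/sendto; confirm that `logging_send_syslog_msg` grants those directory searches too, since the interface name only promises the syslog send and the journal socket path is what the denial shows. If it does, the hunk is complete; if not, a follow-up denial will appear in enforcing mode.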
 


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2020-02-15  7:33 Jason Zaman
From: Jason Zaman @ 2020-02-15  7:33 UTC
  To: gentoo-commits

commit:     ec4ba4836f56d8d07f354fd8113f3439eb240bcc
Author:     bauen1 <j2468h <AT> gmail <DOT> com>
AuthorDate: Sat Feb  1 20:53:04 2020 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 15 07:32:05 2020 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ec4ba483

consolesetup: add policy for console-setup

Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/consolesetup.fc |   9 +++
 policy/modules/services/consolesetup.if | 104 ++++++++++++++++++++++++++++++++
 policy/modules/services/consolesetup.te |  54 +++++++++++++++++
 3 files changed, 167 insertions(+)

diff --git a/policy/modules/services/consolesetup.fc b/policy/modules/services/consolesetup.fc
new file mode 100644
index 00000000..847034b7
--- /dev/null
+++ b/policy/modules/services/consolesetup.fc
@@ -0,0 +1,9 @@
+/etc/console-setup(/.*)?	gen_context(system_u:object_r:consolesetup_conf_t,s0)
+
+/etc/default/console-setup.*	--	gen_context(system_u:object_r:consolesetup_conf_t,s0)
+/etc/default/keyboard.*	--	gen_context(system_u:object_r:consolesetup_conf_t,s0)
+
+/run/console-setup(/.*)?	gen_context(system_u:object_r:consolesetup_runtime_t,s0)
+
+/usr/lib/console-setup/console-setup\.sh	--	gen_context(system_u:object_r:consolesetup_exec_t,s0)
+/usr/lib/console-setup/keyboard-setup\.sh	--	gen_context(system_u:object_r:consolesetup_exec_t,s0)
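Review bot: in `/etc/default/console-setup.*` and `/etc/default/keyboard.*` the unescaped `.` followed by `*` matches any file whose name merely begins with `console-setup` or `keyboard`, not only the file and its dotted backups; if the intent is the file plus editor/dpkg copies, `console-setup(\..*)?` and `keyboard(\..*)?` are tighter and match the escaping style of the `console-setup\.sh` entries below.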

diff --git a/policy/modules/services/consolesetup.if b/policy/modules/services/consolesetup.if
new file mode 100644
index 00000000..888fd234
--- /dev/null
+++ b/policy/modules/services/consolesetup.if
@@ -0,0 +1,104 @@
+## <summary>console font and keymap setup program for debian</summary>
+
+########################################
+## <summary>
+##  Execute console-setup in the consolesetup domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`consolesetup_domtrans', `
+    gen_require(`
+        type consolesetup_t, consolesetup_conf_t, consolesetup_exec_t, consolesetup_runtime_t;
+    ')
+
+    corecmd_search_bin($1)
+    domtrans_pattern($1, consolesetup_exec_t, consolesetup_t)
+')
+
+########################################
+## <summary>
+##  Read console-setup configuration files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`consolesetup_read_conf',`
+	gen_require(`
+        type consolesetup_conf_t;
+	')
+
+    files_search_etc($1)
+    allow $1 consolesetup_conf_t:dir list_dir_perms;
+    allow $1 consolesetup_conf_t:file read_file_perms;
+    allow $1 consolesetup_conf_t:lnk_file read_lnk_file_perms;
+')
+
+########################################
+## <summary>
+##  Execute console-setup configuration files
+##  in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`consolesetup_exec_conf', `
+    gen_require(`
+        type consolesetup_conf_t;
+    ')
+
+    files_search_etc($1)
+    exec_files_pattern($1, consolesetup_conf_t, consolesetup_conf_t)
+')
+
+########################################
+## <summary>
+##  Allow the caller to manage
+##  consolesetup_runtime_t files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`consolesetup_manage_runtime', `
+    gen_require(`
+        type consolesetup_runtime_t;
+    ')
+
+    files_search_pids($1)
+    manage_dirs_pattern($1, consolesetup_runtime_t, consolesetup_runtime_t)
+    manage_files_pattern($1, consolesetup_runtime_t, consolesetup_runtime_t)
+')
+
+########################################
+## <summary>
+##  Create a console-setup directory in
+##  the runtime directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`consolesetup_pid_filetrans_runtime', `
+    gen_require(`
+        type consolesetup_runtime_t;
+    ')
+
+    files_pid_filetrans($1, consolesetup_runtime_t, dir, "console-setup")
+')
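Review bot: `consolesetup_domtrans` requires `consolesetup_conf_t` and `consolesetup_runtime_t` but uses neither; trim its `gen_require` to `consolesetup_t, consolesetup_exec_t`. Style: the file mixes four-space indentation with tabs (`consolesetup_read_conf` has a tab before `gen_require` and spaces inside it), the summaries use two spaces after `##` where the other .if hunks in this thread use a tab, and `interface(`consolesetup_domtrans', `` has a space after the comma; refpolicy uses tabs throughout and no space there. The module summary should also read "Debian".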

diff --git a/policy/modules/services/consolesetup.te b/policy/modules/services/consolesetup.te
new file mode 100644
index 00000000..92fc42f4
--- /dev/null
+++ b/policy/modules/services/consolesetup.te
@@ -0,0 +1,54 @@
+policy_module(consolesetup, 1.0)
+
+########################################
+#
+# Declarations
+#
+
+type consolesetup_t;
+type consolesetup_exec_t;
+init_daemon_domain(consolesetup_t, consolesetup_exec_t)
+
+type consolesetup_conf_t;
+files_config_file(consolesetup_conf_t)
+
+type consolesetup_runtime_t;
+files_pid_file(consolesetup_runtime_t)
+
+type consolesetup_tmp_t;
+files_tmp_file(consolesetup_tmp_t)
+
+########################################
+#
+# Local policy
+#
+
+allow consolesetup_t self:capability sys_tty_config;
+allow consolesetup_t self:fifo_file rw_inherited_fifo_file_perms;
+
+can_exec(consolesetup_t, consolesetup_conf_t)
+
+manage_files_pattern(consolesetup_t, consolesetup_conf_t, consolesetup_conf_t)
+
+manage_dirs_pattern(consolesetup_t, consolesetup_runtime_t, consolesetup_runtime_t)
+manage_files_pattern(consolesetup_t, consolesetup_runtime_t, consolesetup_runtime_t)
+files_pid_filetrans(consolesetup_t, consolesetup_runtime_t, dir, "console-setup")
+
+manage_files_pattern(consolesetup_t, consolesetup_tmp_t, consolesetup_tmp_t)
+files_tmp_filetrans(consolesetup_t, consolesetup_tmp_t, file)
+
+corecmd_exec_bin(consolesetup_t)
+corecmd_exec_shell(consolesetup_t)
+
+files_read_etc_files(consolesetup_t)
+files_read_usr_files(consolesetup_t)
+files_search_tmp(consolesetup_t)
+
+term_use_console(consolesetup_t)
+term_use_unallocated_ttys(consolesetup_t)
+
+miscfiles_read_localization(consolesetup_t)
+
+xserver_read_xkb_libs(consolesetup_t)
+
+loadkeys_domtrans(consolesetup_t)
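Review bot: `xserver_read_xkb_libs` and `loadkeys_domtrans` call into the xserver and loadkeys modules from the top level; every other .te hunk in this thread wraps cross-module calls in `optional_policy(`...')` (alsa, dbus, colord in xserver.te), and without that this module fails to load when either of those modules is absent. Also worth a comment: `consolesetup_t` gets both `can_exec` and `manage_files_pattern` on `consolesetup_conf_t`, so it can write and then execute files in its own configuration directory; if that is because console-setup writes cached setup scripts under `/etc/console-setup`, say so in a comment, otherwise read access to the configuration should be enough.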


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2020-10-13  3:02 Jason Zaman
From: Jason Zaman @ 2020-10-13  3:02 UTC
  To: gentoo-commits

commit:     a8cb98adc8518f860b25d7afb7fe35886db3c763
Author:     Antoine Tenart <antoine.tenart <AT> bootlin <DOT> com>
AuthorDate: Mon Sep 21 14:13:02 2020 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Oct 11 21:14:40 2020 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a8cb98ad

dbus: allow clients to list runtime dirs and named sockets

Fixes:

avc:  denied  { read } for  pid=77 comm="systemd-resolve" name="dbus"
dev="tmpfs" ino=2748 scontext=system_u:system_r:systemd_resolved_t
tcontext=system_u:object_r:system_dbusd_runtime_t tclass=dir
permissive=1

avc:  denied  { read } for  pid=77 comm="systemd-resolve"
name="system_bus_socket" dev="tmpfs" ino=2765
scontext=system_u:system_r:systemd_resolved_t
tcontext=system_u:object_r:system_dbusd_runtime_t tclass=sock_file
permissive=1

avc:  denied  { read } for  pid=59 comm="systemd-network" name="dbus"
dev="tmpfs" ino=2777 scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:system_dbusd_runtime_t tclass=dir
permissive=1

avc:  denied  { read } for  pid=59 comm="systemd-network"
name="system_bus_socket" dev="tmpfs" ino=2791
scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:system_dbusd_runtime_t tclass=sock_file
permissive=1

Signed-off-by: Antoine Tenart <antoine.tenart <AT> bootlin.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/dbus.if | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
index 13675aaf..540147c7 100644
--- a/policy/modules/services/dbus.if
+++ b/policy/modules/services/dbus.if
@@ -149,6 +149,8 @@ interface(`dbus_system_bus_client',`
 	stream_connect_pattern($1, system_dbusd_runtime_t, system_dbusd_runtime_t, system_dbusd_t)
 
 	dbus_read_config($1)
+	dbus_list_system_bus_runtime($1)
+	dbus_read_system_bus_runtime_named_sockets($1)
 
 	ifdef(`distro_gentoo',`
 		# The /var/lib/dbus/machine-id file is a link to /etc/machine-id
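Review bot: adding the two calls to `dbus_system_bus_client` grants the list/read to every system bus client, not only the `systemd_resolved_t` and `systemd_networkd_t` domains in the quoted denials. Listing `/run/dbus` and reading the socket inode are low risk, and every client already gets `stream_connect_pattern` on the same types, so the widening is reasonable, but the commit message should say it is intentional. This hunk also depends on the interfaces added in 70268bb7, which was committed earlier (21:07) although it appears after this message in the thread.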


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2020-10-13  3:02 Jason Zaman
From: Jason Zaman @ 2020-10-13  3:02 UTC
  To: gentoo-commits

commit:     70268bb783c124594191f4c789b5b1eb2277340d
Author:     Antoine Tenart <antoine.tenart <AT> bootlin <DOT> com>
AuthorDate: Mon Sep 14 14:31:54 2020 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Oct 11 21:07:46 2020 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=70268bb7

dbus: add two interfaces to allow reading from directories and named sockets

Signed-off-by: Antoine Tenart <antoine.tenart <AT> bootlin.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/dbus.if | 36 ++++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)

diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
index e547337c..13675aaf 100644
--- a/policy/modules/services/dbus.if
+++ b/policy/modules/services/dbus.if
@@ -605,6 +605,24 @@ interface(`dbus_watch_system_bus_runtime_dirs',`
 	allow $1 system_dbusd_runtime_t:dir watch;
 ')
 
+########################################
+## <summary>
+##	List system bus runtime directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dbus_list_system_bus_runtime',`
+	gen_require(`
+		type system_dbusd_runtime_t;
+	')
+
+	allow $1 system_dbusd_runtime_t:dir list_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##	Watch system bus runtime named sockets.
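Review bot: the neighbouring interfaces are named `dbus_watch_system_bus_runtime_dirs` and `dbus_watch_system_bus_runtime_named_sockets`; for consistency the new one should be `dbus_list_system_bus_runtime_dirs`, with the caller added in a8cb98ad updated to match.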
@@ -623,6 +641,24 @@ interface(`dbus_watch_system_bus_runtime_named_sockets',`
 	allow $1 system_dbusd_runtime_t:sock_file watch;
 ')
 
+########################################
+## <summary>
+##	Read system bus runtime named sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dbus_read_system_bus_runtime_named_sockets',`
+	gen_require(`
+		type system_dbusd_runtime_t;
+	')
+
+	allow $1 system_dbusd_runtime_t:sock_file read;
+')
+
 ########################################
 ## <summary>
 ##	Unconfined access to DBUS.
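Review bot: `allow $1 system_dbusd_runtime_t:sock_file read;` uses a bare permission where the rest of the file uses permission sets (`list_dir_perms`, `read_file_perms`); refpolicy provides `read_sock_file_perms` for this. The single `read` matches the quoted denial exactly, so it is not wrong, only inconsistent, but it may leave a follow-up `getattr` denial for the same callers.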


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2020-10-13  3:02 Jason Zaman
From: Jason Zaman @ 2020-10-13  3:02 UTC
  To: gentoo-commits

commit:     cb663b200b61b96128f908d286ef1370b8c5cd1c
Author:     Antoine Tenart <antoine.tenart <AT> bootlin <DOT> com>
AuthorDate: Mon Oct  5 14:54:57 2020 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Oct 11 21:14:40 2020 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=cb663b20

ntp: allow systemd-timesyn to watch dbus objects

Fixes:

avc:  denied  { watch } for  pid=68 comm="systemd-timesyn"
path="/run/dbus" dev="tmpfs" ino=2707 scontext=system_u:system_r:ntpd_t
tcontext=system_u:object_r:system_dbusd_runtime_t tclass=dir
permissive=1

avc:  denied  { watch } for  pid=68 comm="systemd-timesyn"
path="/run/dbus/system_bus_socket" dev="tmpfs" ino=2716
scontext=system_u:system_r:ntpd_t
tcontext=system_u:object_r:system_dbusd_runtime_t tclass=sock_file
permissive=1

Signed-off-by: Antoine Tenart <antoine.tenart <AT> bootlin.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/ntp.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te
index 86bfc9ff..b9cc0ea2 100644
--- a/policy/modules/services/ntp.te
+++ b/policy/modules/services/ntp.te
@@ -145,6 +145,8 @@ ifdef(`init_systemd',`
 
 	dbus_system_bus_client(ntpd_t)
 	dbus_connect_system_bus(ntpd_t)
+	dbus_watch_system_bus_runtime_dirs(ntpd_t)
+	dbus_watch_system_bus_runtime_named_sockets(ntpd_t)
 	init_dbus_chat(ntpd_t)
 	init_get_system_status(ntpd_t)
 	init_list_unit_dirs(ntpd_t)


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2020-10-13  3:02 Jason Zaman
From: Jason Zaman @ 2020-10-13  3:02 UTC
  To: gentoo-commits

commit:     68e66b7974bc222f0f8b09dc02e377fb28f5599d
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Mon Oct  5 13:55:13 2020 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Oct 11 21:14:40 2020 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=68e66b79

snmp: Module version bump.

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/snmp.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/services/snmp.te b/policy/modules/services/snmp.te
index c61721c5..c9bb4a72 100644
--- a/policy/modules/services/snmp.te
+++ b/policy/modules/services/snmp.te
@@ -1,4 +1,4 @@
-policy_module(snmp, 1.19.0)
+policy_module(snmp, 1.19.1)
 
 ########################################
 #



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2020-10-13  3:02 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2020-10-13  3:02 UTC (permalink / raw
  To: gentoo-commits

commit:     f08d86da1f32efeee3a182aec308abfd13eeac95
Author:     Dave Sugar <dsugar <AT> tresys <DOT> com>
AuthorDate: Thu Oct  1 16:19:54 2020 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Oct 11 21:14:40 2020 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f08d86da

Allow snmpd to read hwdata

Oct  1 16:11:49 localhost audispd: node=virtual type=AVC msg=audit(1601568708.950:2198): avc:  denied  { getattr } for  pid=4114 comm="snmpd" path="/usr/share/hwdata/pci.ids" dev="dm-0" ino=76435 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:hwdata_t:s0 tclass=file permissive=1
Oct  1 16:11:49 localhost audispd: node=virtual type=AVC msg=audit(1601568708.950:2197): avc:  denied  { read } for  pid=4114 comm="snmpd" name="pci.ids" dev="dm-0" ino=76435 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:hwdata_t:s0 tclass=file permissive=1
Oct  1 16:11:49 localhost audispd: node=virtual type=AVC msg=audit(1601568708.950:2197): avc:  denied  { open } for  pid=4114 comm="snmpd" path="/usr/share/hwdata/pci.ids" dev="dm-0" ino=76435 scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:object_r:hwdata_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar <AT> tresys.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/snmp.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/services/snmp.te b/policy/modules/services/snmp.te
index 97c457e2..c61721c5 100644
--- a/policy/modules/services/snmp.te
+++ b/policy/modules/services/snmp.te
@@ -108,6 +108,7 @@ init_dontaudit_write_utmp(snmpd_t)
 
 logging_send_syslog_msg(snmpd_t)
 
+miscfiles_read_hwdata(snmpd_t)
 miscfiles_read_localization(snmpd_t)
 
 seutil_dontaudit_search_config(snmpd_t)
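Review bot: `miscfiles_read_hwdata()` matches the denied type (hwdata_t) and the getattr/read/open accesses exactly, and is narrower than giving snmpd read on usr_t, so the choice is right; keeping it sorted with the other miscfiles_ calls, as done here, is also correct. The audit lines were gathered with permissive=1, so re-test in enforcing to confirm the hardware-related MIBs load end to end and that no further access on hwdata_t was hidden behind the first denial.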



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2020-10-13  3:02 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2020-10-13  3:02 UTC (permalink / raw
  To: gentoo-commits

commit:     756a3f044b37130daf744a690cacc0f6fb3c8155
Author:     Antoine Tenart <antoine.tenart <AT> bootlin <DOT> com>
AuthorDate: Mon Oct  5 14:59:27 2020 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Oct 11 21:14:40 2020 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=756a3f04

ntp: allow systemd-timesyn to setfscreate

Fixes:

avc:  denied  { setfscreate } for  pid=68 comm="systemd-timesyn"
scontext=system_u:system_r:ntpd_t tcontext=system_u:system_r:ntpd_t
tclass=process permissive=1

Signed-off-by: Antoine Tenart <antoine.tenart <AT> bootlin.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/ntp.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te
index b9cc0ea2..34c674e1 100644
--- a/policy/modules/services/ntp.te
+++ b/policy/modules/services/ntp.te
@@ -141,6 +141,8 @@ userdom_dontaudit_use_unpriv_user_fds(ntpd_t)
 userdom_list_user_home_dirs(ntpd_t)
 
 ifdef(`init_systemd',`
+	allow ntpd_t self:process setfscreate;
+
 	allow ntpd_t ntpd_unit_t:file read_file_perms;
 
 	dbus_system_bus_client(ntpd_t)
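Review bot: `allow ntpd_t self:process setfscreate;` deserves a one-line comment saying why systemd-timesyncd needs it (it sets a file-creation context with setfscreatecon before creating its files), since setfscreate in a daemon domain otherwise reads like an oversight. It does not widen what ntpd_t can label to: the create permission on the chosen object type is still checked, so the existing allow rules and type transitions remain the boundary. Placing it inside `ifdef(`init_systemd')` is right, as only the systemd implementation needs it.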



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2020-11-28 23:09 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2020-11-28 23:09 UTC (permalink / raw
  To: gentoo-commits

commit:     998aa259af68dfd78d712d4688f03fd1be4a78b0
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Tue Oct 13 19:25:24 2020 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Nov 16 09:03:43 2020 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=998aa259

corosync, pacemaker: Module version bump.

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/corosync.te  | 2 +-
 policy/modules/services/pacemaker.te | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/services/corosync.te b/policy/modules/services/corosync.te
index b85b1c9a..4fbc7426 100644
--- a/policy/modules/services/corosync.te
+++ b/policy/modules/services/corosync.te
@@ -1,4 +1,4 @@
-policy_module(corosync, 1.6.0)
+policy_module(corosync, 1.6.1)
 
 ########################################
 #

diff --git a/policy/modules/services/pacemaker.te b/policy/modules/services/pacemaker.te
index 69d619a1..a34f5536 100644
--- a/policy/modules/services/pacemaker.te
+++ b/policy/modules/services/pacemaker.te
@@ -1,4 +1,4 @@
-policy_module(pacemaker, 1.6.0)
+policy_module(pacemaker, 1.6.1)
 
 ########################################
 #



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2020-11-28 23:09 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2020-11-28 23:09 UTC (permalink / raw
  To: gentoo-commits

commit:     8fff7fea29cd303fb618520b0d792e6ee0cbf0a7
Author:     Dave Sugar <dsugar <AT> tresys <DOT> com>
AuthorDate: Sat Sep 26 19:07:30 2020 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Nov 16 09:03:43 2020 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8fff7fea

Allow pacemaker to map/read/write corosync shared memory files

Sep 26 18:44:56 localhost audispd: node=virtual type=AVC msg=audit(1601145893.104:2915): avc:  denied  { read write } for pid=7173 comm="stonithd" name="qb-request-cmap-header" dev="tmpfs" ino=37263 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:corosync_tmpfs_t:s0 tclass=file permissive=1
Sep 26 18:44:56 localhost audispd: node=virtual type=AVC msg=audit(1601145893.104:2915): avc:  denied  { open } for  pid=7173 comm="stonithd" path="/dev/shm/qb-7065-7173-28-i3gF6U/qb-request-cmap-header" dev="tmpfs" ino=37263 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:corosync_tmpfs_t:s0 tclass=file permissive=1
Sep 26 18:44:56 localhost audispd: node=virtual type=AVC msg=audit(1601145893.104:2916): avc:  denied  { map } for  pid=7173 comm="stonithd" path="/dev/shm/qb-7065-7173-28-i3gF6U/qb-request-cmap-header" dev="tmpfs" ino=37263 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:corosync_tmpfs_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar <AT> tresys.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/corosync.if  | 19 +++++++++++++++++++
 policy/modules/services/pacemaker.te |  1 +
 2 files changed, 20 insertions(+)

diff --git a/policy/modules/services/corosync.if b/policy/modules/services/corosync.if
index f86dbed3..ee54bc9a 100644
--- a/policy/modules/services/corosync.if
+++ b/policy/modules/services/corosync.if
@@ -97,6 +97,25 @@ interface(`corosync_stream_connect',`
 	stream_connect_pattern($1, corosync_runtime_t, corosync_runtime_t, corosync_t)
 ')
 
+######################################
+## <summary>
+##	Memmap, read and write corosync tmpfs files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corosync_mmap_rw_tmpfs',`
+	gen_require(`
+		type corosync_tmpfs_t;
+	')
+
+	fs_search_tmpfs($1)
+	mmap_rw_files_pattern($1, corosync_tmpfs_t, corosync_tmpfs_t)
+')
+
 ######################################
 ## <summary>
 ##	Read and write corosync tmpfs files.
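Review bot: the new `corosync_mmap_rw_tmpfs()` carries its XML documentation and is sorted before `corosync_rw_tmpfs` (mmap before rw), which is fine; `mmap_rw_files_pattern()` covers the open, read, write and map accesses in the stonithd denials, and `fs_search_tmpfs()` provides the path into /dev/shm. With two interfaces now differing only by `map`, add a sentence to the rw variant's summary pointing callers that mmap the libqb ring-buffer files at this one, so the two do not drift apart.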

diff --git a/policy/modules/services/pacemaker.te b/policy/modules/services/pacemaker.te
index 70d976ea..69d619a1 100644
--- a/policy/modules/services/pacemaker.te
+++ b/policy/modules/services/pacemaker.te
@@ -121,6 +121,7 @@ tunable_policy(`pacemaker_startstop_all_services',`
 
 optional_policy(`
 	corosync_read_log(pacemaker_t)
+	corosync_mmap_rw_tmpfs(pacemaker_t)
 	corosync_stream_connect(pacemaker_t)
 ')
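Review bot: refpolicy keeps interface calls within a block sorted alphabetically, so `corosync_mmap_rw_tmpfs(pacemaker_t)` belongs above `corosync_read_log(pacemaker_t)`, not between read_log and stream_connect. The call itself is exactly what the read/write/open/map denials on corosync_tmpfs_t ask for.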
 



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2020-11-28 23:09 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2020-11-28 23:09 UTC (permalink / raw
  To: gentoo-commits

commit:     51a5f6d799fac283615b106a05916e3179123db5
Author:     Dave Sugar <dsugar <AT> tresys <DOT> com>
AuthorDate: Sun Sep 27 02:07:21 2020 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Nov 16 09:03:43 2020 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=51a5f6d7

pacemaker systemd permissions

Allow pacemaker to get status of all running services and reload systemd

Sep 27 01:59:16 localhost audispd: node=virtual type=USER_AVC msg=audit(1601171956.494:2945): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/target-monitor@.service" cmdline="/usr/libexec/pacemaker/lrmd" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

Sep 29 01:46:09 localhost audispd: node=virtual type=USER_AVC msg=audit(1601343969.962:2974): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { reload } for auid=n/a uid=0 gid=0 cmdline="/usr/libexec/pacemaker/lrmd" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

Allow pacemaker to start/stop all units (when enabled)

Sep 30 14:37:14 localhost audispd: node=virtual type=USER_AVC msg=audit(1601476634.877:3075): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/target-monitor@.service" cmdline="/usr/libexec/pacemaker/lrmd" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=service  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

Allow for dynamic creation of unit files (with private type)

By using a private type pacemaker doesn't need permission to
read/write all init_runtime_t files.

Sep 30 14:37:14 localhost audispd: node=virtual type=AVC msg=audit(1601476634.759:3071): avc:  denied  { write } for  pid=5075 comm="lrmd" name="system" dev="tmpfs" ino=1177 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=dir permissive=1
Sep 30 14:37:14 localhost audispd: node=virtual type=AVC msg=audit(1601476634.759:3071): avc:  denied  { add_name } for  pid=5075 comm="lrmd" name="target-monitor <AT> my.service.d" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=dir permissive=1
Sep 30 14:37:14 localhost audispd: node=virtual type=AVC msg=audit(1601476634.759:3071): avc:  denied  { create } for  pid=5075 comm="lrmd" name="target-monitor <AT> my.service.d" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=dir permissive=1
Sep 30 14:37:14 localhost audispd: node=virtual type=AVC msg=audit(1601476634.761:3072): avc:  denied  { create } for  pid=5075 comm="lrmd" name="50-pacemaker.conf" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1
Sep 30 14:37:14 localhost audispd: node=virtual type=AVC msg=audit(1601476634.761:3072): avc:  denied  { write open } for  pid=5075 comm="lrmd" path="/run/systemd/system/target-monitor <AT> my.service.d/50-pacemaker.conf" dev="tmpfs" ino=48933 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1
Sep 30 14:37:14 localhost audispd: node=virtual type=AVC msg=audit(1601476634.761:3073): avc:  denied  { getattr } for  pid=5075 comm="lrmd" path="/run/systemd/system/target-monitor <AT> my.service.d/50-pacemaker.conf" dev="tmpfs" ino=48933 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar <AT> tresys.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/pacemaker.te | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/policy/modules/services/pacemaker.te b/policy/modules/services/pacemaker.te
index f7a18a7f..70d976ea 100644
--- a/policy/modules/services/pacemaker.te
+++ b/policy/modules/services/pacemaker.te
@@ -5,6 +5,13 @@ policy_module(pacemaker, 1.6.0)
 # Declarations
 #
 
+## <desc>
+## <p>
+## Allow pacemaker to start/stop services
+## </p>
+## </desc>
+gen_tunable(pacemaker_startstop_all_services, false)
+
 type pacemaker_t;
 type pacemaker_exec_t;
 init_daemon_domain(pacemaker_t, pacemaker_exec_t)
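Review bot: the tunable's `<desc>` ("Allow pacemaker to start/stop services") should state what it actually grants, which is start and stop on all systemd units through init_start_all_units/init_stop_all_units; administrators read this text in `semanage boolean -l` and need to know the grant is system-wide, not limited to pacemaker's own units. Defaulting it to false is the right call.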
@@ -18,6 +25,9 @@ logging_log_file(pacemaker_log_t)
 type pacemaker_runtime_t alias pacemaker_var_run_t;
 files_runtime_file(pacemaker_runtime_t)
 
+type pacemaker_runtime_unit_t;
+init_unit_file(pacemaker_runtime_unit_t)
+
 type pacemaker_tmp_t;
 files_tmp_file(pacemaker_tmp_t)
 
@@ -61,6 +71,10 @@ manage_dirs_pattern(pacemaker_t, pacemaker_runtime_t, pacemaker_runtime_t)
 manage_files_pattern(pacemaker_t, pacemaker_runtime_t, pacemaker_runtime_t)
 files_runtime_filetrans(pacemaker_t, pacemaker_runtime_t, { dir file })
 
+manage_dirs_pattern(pacemaker_t, pacemaker_runtime_unit_t, pacemaker_runtime_unit_t)
+manage_files_pattern(pacemaker_t, pacemaker_runtime_unit_t, pacemaker_runtime_unit_t)
+init_runtime_filetrans(pacemaker_t, pacemaker_runtime_unit_t, { dir file })
+
 kernel_getattr_core_if(pacemaker_t)
 kernel_read_all_sysctls(pacemaker_t)
 kernel_read_messages(pacemaker_t)
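Review bot: `init_runtime_filetrans(pacemaker_t, pacemaker_runtime_unit_t, { dir file })` has no name filter, so every directory or file pacemaker_t creates directly in an init_runtime_t directory (anything under /run/systemd) becomes pacemaker_runtime_unit_t, not only unit drop-ins. Given the drop-in directory name varies with the resource (`target-monitor@my.service.d` in the denials), a name-based transition is not practical, but say so in a comment so nobody later tries to tighten it without knowing why.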
@@ -95,6 +109,16 @@ logging_send_syslog_msg(pacemaker_t)
 
 miscfiles_read_localization(pacemaker_t)
 
+ifdef(`init_systemd',`
+	init_get_all_units_status(pacemaker_t)
+	init_reload(pacemaker_t)
+')
+
+tunable_policy(`pacemaker_startstop_all_services',`
+	init_start_all_units(pacemaker_t)
+	init_stop_all_units(pacemaker_t)
+')
+
 optional_policy(`
 	corosync_read_log(pacemaker_t)
 	corosync_stream_connect(pacemaker_t)
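Review bot: `init_get_all_units_status()` and `init_reload()` sit inside `ifdef(`init_systemd')` while the `tunable_policy` block granting start/stop on all units does not; wrap both or neither, since the service class only matters under systemd. Also worth a comment: together with the drop-in write access above, a domain that can write into /run/systemd/system, trigger a daemon-reload and start any unit can have PID 1 execute whatever a drop-in specifies. That is inherent to a cluster resource manager, but it is a much larger grant than the individual denials suggest and is the reason the start/stop part belongs behind the tunable.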



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2020-11-28 23:09 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2020-11-28 23:09 UTC (permalink / raw
  To: gentoo-commits

commit:     fb88733bbd3f7017f4baf778b9f147eb769b53e9
Author:     Dave Sugar <dsugar <AT> tresys <DOT> com>
AuthorDate: Sat Sep 26 18:55:35 2020 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Nov 16 09:03:43 2020 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=fb88733b

Updates for corosync to work in enforcing

Allow corosync to map its own shared memory

Sep 26 18:45:02 localhost audispd: node=virtual type=AVC msg=audit(1601145902.400:2972): avc:  denied  { map } for  pid=6903 comm="corosync" path="/dev/shm/qb-6903-7028-31-FGGoGv/qb-request-cmap-header" dev="tmpfs" ino=40759 scontext=system_u:system_r:corosync_t:s0 tcontext=system_u:object_r:corosync_tmpfs_t:s0 tclass=file permissive=1

Setup corosync lock file type

Sep 27 17:20:07 localhost audispd: node=virtual type=PATH msg=audit(1601227207.522:3421): item=1 name="/var/lock/subsys/corosync" inode=35029 dev=00:14 mode=0100640 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_lock_t:s0 objtype=DELETE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
Sep 27 17:34:49 localhost audispd: node=virtual type=AVC msg=audit(1601228085.093:2862): avc:  denied  { read } for  pid=6748 comm="corosync" name="lock" dev="dm-0" ino=13082 scontext=system_u:system_r:corosync_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=lnk_file permissive=1
Sep 27 17:34:49 localhost audispd: node=virtual type=AVC msg=audit(1601228085.093:2862): avc:  denied  { search } for  pid=6748 comm="corosync" name="lock" dev="tmpfs" ino=10248 scontext=system_u:system_r:corosync_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir permissive=1
Sep 27 17:34:49 localhost audispd: node=virtual type=AVC msg=audit(1601228085.797:2882): avc:  denied  { add_name } for  pid=7066 comm="touch" name="corosync" scontext=system_u:system_r:corosync_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir permissive=1
Sep 27 17:34:49 localhost audispd: node=virtual type=AVC msg=audit(1601228085.797:2882): avc:  denied  { create } for  pid=7066 comm="touch" name="corosync" scontext=system_u:system_r:corosync_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file permissive=1
Sep 27 17:34:49 localhost audispd: node=virtual type=AVC msg=audit(1601228085.797:2882): avc:  denied  { write open } for pid=7066 comm="touch" path="/run/lock/subsys/corosync" dev="tmpfs" ino=35048 scontext=system_u:system_r:corosync_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file permissive=1

On RHEL7 systemd executes '/usr/share/corosync/corosync start' to start, label these files.

Signed-off-by: Dave Sugar <dsugar <AT> tresys.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/corosync.fc | 7 +++++++
 policy/modules/services/corosync.te | 7 +++++++
 2 files changed, 14 insertions(+)

diff --git a/policy/modules/services/corosync.fc b/policy/modules/services/corosync.fc
index 51a558c8..1c4787d7 100644
--- a/policy/modules/services/corosync.fc
+++ b/policy/modules/services/corosync.fc
@@ -6,8 +6,15 @@
 /usr/sbin/corosync	--	gen_context(system_u:object_r:corosync_exec_t,s0)
 /usr/sbin/corosync-notifyd	--	gen_context(system_u:object_r:corosync_exec_t,s0)
 
+ifdef(`distro_redhat',`
+/usr/share/corosync/corosync			--	gen_context(system_u:object_r:corosync_exec_t,s0)
+/usr/share/corosync/corosync-notifyd	--	gen_context(system_u:object_r:corosync_exec_t,s0)
+')
+
 /var/lib/corosync(/.*)?	gen_context(system_u:object_r:corosync_var_lib_t,s0)
 
+/var/lock/subsys/corosync	--	gen_context(system_u:object_r:corosync_lock_t,s0)
+
 /var/log/cluster/corosync\.log.*	--	gen_context(system_u:object_r:corosync_var_log_t,s0)
 
 /run/cman_.*	-s	gen_context(system_u:object_r:corosync_runtime_t,s0)
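Review bot: the lock-file entry is written as `/var/lock/subsys/corosync` while the AVC shows the file created at `/run/lock/subsys/corosync` and the surrounding entries in this file use `/run/` (see `/run/cman_.*` below). If this tree's file_contexts.subs_dist maps /var/lock to /run/lock, an entry under /var/lock is never consulted, so use the /run/lock path. The `distro_redhat` guard around the /usr/share/corosync wrappers is appropriate; the differing tab alignment between the two wrapper lines is a style nit.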

diff --git a/policy/modules/services/corosync.te b/policy/modules/services/corosync.te
index 36a6ffab..b85b1c9a 100644
--- a/policy/modules/services/corosync.te
+++ b/policy/modules/services/corosync.te
@@ -13,6 +13,9 @@ domain_obj_id_change_exemption(corosync_t)
 type corosync_initrc_exec_t;
 init_script_file(corosync_initrc_exec_t)
 
+type corosync_lock_t;
+files_lock_file(corosync_lock_t)
+
 type corosync_runtime_t alias corosync_var_run_t;
 files_runtime_file(corosync_runtime_t)
 
@@ -43,6 +46,9 @@ allow corosync_t self:shm create_shm_perms;
 allow corosync_t self:unix_dgram_socket sendto;
 allow corosync_t self:unix_stream_socket { accept connectto listen };
 
+manage_files_pattern(corosync_t, corosync_lock_t, corosync_lock_t)
+files_lock_filetrans(corosync_t, corosync_lock_t, file)
+
 manage_dirs_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t)
 manage_files_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t)
 relabel_files_pattern(corosync_t, corosync_tmp_t, corosync_tmp_t)
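Review bot: the denials include `search` on the var_lock_t directory and `read` on a var_lock_t lnk_file (the /var/lock symlink), in addition to add_name/create/write/open on the lock file. `files_lock_filetrans()` provides the parent-directory and transition accesses; confirm on this branch that it also covers the lnk_file read, otherwise add `files_search_locks(corosync_t)` next to it. The `touch` in the denials runs in corosync_t because the RHEL wrapper script is labeled corosync_exec_t, so no extra domain is needed.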
@@ -50,6 +56,7 @@ files_tmp_filetrans(corosync_t, corosync_tmp_t, { dir file })
 
 manage_dirs_pattern(corosync_t, corosync_tmpfs_t, corosync_tmpfs_t)
 manage_files_pattern(corosync_t, corosync_tmpfs_t, corosync_tmpfs_t)
+mmap_read_files_pattern(corosync_t, corosync_tmpfs_t, corosync_tmpfs_t)
 fs_tmpfs_filetrans(corosync_t, corosync_tmpfs_t, { dir file })
 
 manage_files_pattern(corosync_t, corosync_var_lib_t, corosync_var_lib_t)
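Review bot: `mmap_read_files_pattern` is sufficient here because `map` is a single permission and writable mappings are additionally checked as file `write`, which `manage_files_pattern` on the line above already grants; but a reader will reasonably ask why corosync, which writes its libqb ring buffers through the mapping, only receives the read variant. Either add a short comment or use `mmap_rw_files_pattern`, which the companion corosync.if change already uses for pacemaker.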



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2020-11-28 23:09 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2020-11-28 23:09 UTC (permalink / raw
  To: gentoo-commits

commit:     054510904041ecc1b8cbacfbfd853c88e01423d9
Author:     Dave Sugar <dsugar <AT> tresys <DOT> com>
AuthorDate: Sun Sep 27 00:43:44 2020 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Nov 16 09:03:43 2020 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=05451090

To get pacemaker working in enforcing

Allow pacemaker to map its shared memory

Sep 27 00:30:32 localhost audispd: node=virtual type=AVC msg=audit(1601166632.229:2936): avc:  denied  { map } for  pid=7173 comm="cib" path="/dev/shm/qb-7173-7465-14-5Voxju/qb-request-cib_rw-header" dev="tmpfs" ino=39707 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:pacemaker_tmpfs_t:s0 tclass=file permissive=1

Label pacemaker private log file

Sep 26 18:44:56 localhost audispd: node=virtual type=AVC msg=audit(1601145892.788:2902): avc:  denied  { write } for  pid=7168 comm="pacemakerd" name="/" dev="tmpfs" ino=13995 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir permissive=1
Sep 26 18:44:56 localhost audispd: node=virtual type=AVC msg=audit(1601145892.788:2902): avc:  denied  { add_name } for  pid=7168 comm="pacemakerd" name="pacemaker.log" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir permissive=1
Sep 26 18:44:56 localhost audispd: node=virtual type=AVC msg=audit(1601145892.788:2902): avc:  denied  { create } for  pid=7168 comm="pacemakerd" name="pacemaker.log" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
Sep 26 18:44:56 localhost audispd: node=virtual type=AVC msg=audit(1601145892.788:2902): avc:  denied  { append open } for pid=7168 comm="pacemakerd" path="/var/log/pacemaker.log" dev="tmpfs" ino=32670 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1

It writes to log, but also reads

Sep 27 00:30:30 localhost audispd: node=virtual type=AVC msg=audit(1601166628.381:2892): avc:  denied  { read } for  pid=7177 comm="pengine" name="pacemaker.log" dev="tmpfs" ino=35813 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:pacemaker_log_t:s0 tclass=file permissive=1

Pacemaker can read stuff in /usr/share/pacemaker/

Sep 27 00:30:30 localhost audispd: node=virtual type=AVC msg=audit(1601166628.383:2893): avc:  denied  { read } for  pid=7173 comm="cib" name="pacemaker-2.10.rng" dev="dm-0" ino=76508 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
Sep 27 00:30:30 localhost audispd: node=virtual type=AVC msg=audit(1601166628.383:2893): avc:  denied  { open } for  pid=7173 comm="cib" path="/usr/share/pacemaker/pacemaker-2.10.rng" dev="dm-0" ino=76508 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1

pacemaker dbus related stuff

Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.761:2953): avc:  denied  { write } for  pid=7175 comm="lrmd" name="system_bus_socket" dev="tmpfs" ino=13960 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:system_dbusd_runtime_t:s0 tclass=sock_file permissive=1
Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.761:2953): avc:  denied  { connectto } for pid=7175 comm="lrmd" path="/run/dbus/system_bus_socket" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
Sep 27 00:30:50 localhost audispd: node=virtual type=USER_AVC msg=audit(1601166650.763:2954): pid=2798 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=7175 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
Sep 27 00:30:50 localhost audispd: node=virtual type=USER_AVC msg=audit(1601166650.764:2955): pid=2798 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.systemd1.Manager member=LoadUnit dest=org.freedesktop.systemd1 spid=7175 tpid=1 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
Sep 27 00:30:50 localhost audispd: node=virtual type=USER_AVC msg=audit(1601166650.767:2959): pid=2798 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.12 spid=1 tpid=7175 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:pacemaker_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

Pacemaker executes network monitoring

Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.777:2962): avc:  denied  { getattr } for  pid=7581 comm="which" path="/usr/sbin/arping" dev="dm-0" ino=25739 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:netutils_exec_t:s0 tclass=file permissive=1
Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.778:2963): avc:  denied  { execute } for  pid=7551 comm="ethmonitor" name="arping" dev="dm-0" ino=25739 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:netutils_exec_t:s0 tclass=file permissive=1
Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.766:2956): avc:  denied  { getattr } for  pid=7556 comm="which" path="/usr/sbin/ip" dev="dm-0" ino=25853 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=1
Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.767:2957): avc:  denied  { execute } for  pid=7541 comm="IPaddr2" name="ip" dev="dm-0" ino=25853 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=1
Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.777:2960): avc:  denied  { read } for  pid=7582 comm="IPaddr2" name="ip" dev="dm-0" ino=25853 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=1
Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.777:2961): avc:  denied  { open } for  pid=7582 comm="IPaddr2" path="/usr/sbin/ip" dev="dm-0" ino=25853 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=1
Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.777:2961): avc:  denied  { execute_no_trans } for pid=7582 comm="IPaddr2" path="/usr/sbin/ip" dev="dm-0" ino=25853 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=1
Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.777:2961): avc:  denied  { map } for  pid=7582 comm="ip" path="/usr/sbin/ip" dev="dm-0" ino=25853 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=1
Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.796:2965): avc:  denied  { nlmsg_write } for  pid=7617 comm="ip" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:pacemaker_t:s0 tclass=netlink_route_socket permissive=1
Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.796:2965): avc:  denied  { net_admin } for  pid=7617 comm="ip" capability=12  scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:pacemaker_t:s0 tclass=capability permissive=1
Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.796:2965): avc:  denied  { net_admin } for pid=7617 comm="ip" capability=12 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:pacemaker_t:s0 tclass=capability permissive=1

Update pacemaker process perms

Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.729:2950): avc:  denied  { getsched } for  pid=7537 comm="crmd" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:pacemaker_t:s0 tclass=process permissive=1
Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.730:2951): avc:  denied  { setsched } for  pid=7537 comm="crmd" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:pacemaker_t:s0 tclass=process permissive=1
Sep 27 00:30:59 localhost audispd: node=virtual type=AVC msg=audit(1601166659.606:2967): avc:  denied  { signull } for  pid=7178 comm="crmd" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:pacemaker_t:s0 tclass=process permissive=1

pacemaker network communication

Sep 29 01:46:08 localhost audispd: node=virtual type=AVC msg=audit(1601343968.444:2963): avc:  denied  { node_bind } for pid=7681 comm="send_arp" saddr=192.168.11.12 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=udp_socket permissive=1
Sep 29 02:08:25 localhost audispd: node=virtual type=AVC msg=audit(1601345305.150:3137): avc:  denied  { net_raw } for  pid=8317 comm="send_arp" capability=13  scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:pacemaker_t:s0 tclass=capability permissive=1
Sep 30 13:43:16 localhost audispd: node=virtual type=AVC msg=audit(1601473396.111:3094): avc:  denied  { getcap } for  pid=6144 comm="arping" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:pacemaker_t:s0 tclass=process permissive=1
Sep 30 13:43:16 localhost audispd: node=virtual type=AVC msg=audit(1601473396.111:3095): avc:  denied  { setcap } for  pid=6144 comm="arping" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:pacemaker_t:s0 tclass=process permissive=1

Let pacemaker exec lib_t files

Oct  1 14:48:25 localhost audispd: node=virtual type=AVC msg=audit(1601563705.848:2242): avc:  denied  { execute_no_trans } for pid=6909 comm="crm_resource" path="/usr/lib/ocf/resource.d/heartbeat/IPsrcaddr" dev="dm-0" ino=82111 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file permissive=1
Oct  1 15:01:31 localhost audispd: node=virtual type=AVC msg=audit(1601564491.091:2353): avc:  denied  { execute_no_trans } for pid=8285 comm="lrmd" path="/usr/lib/ocf/resource.d/heartbeat/ethmonitor" dev="dm-0" ino=82129 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file permissive=1
Oct  1 14:49:21 localhost audispd: node=virtual type=AVC msg=audit(1601563761.158:2265): avc:  denied  { execute_no_trans } for pid=7307 comm="lrmd" path="/usr/lib/ocf/resource.d/heartbeat/IPaddr2" dev="dm-0" ino=82110 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar <AT> tresys.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/pacemaker.fc |  1 +
 policy/modules/services/pacemaker.te | 34 ++++++++++++++++++++++++++++++++--
 2 files changed, 33 insertions(+), 2 deletions(-)

diff --git a/policy/modules/services/pacemaker.fc b/policy/modules/services/pacemaker.fc
index 0df77ee6..dc7fbb8d 100644
--- a/policy/modules/services/pacemaker.fc
+++ b/policy/modules/services/pacemaker.fc
@@ -9,3 +9,4 @@
 /var/lib/pengine(/.*)?	gen_context(system_u:object_r:pacemaker_var_lib_t,s0)
 
 /run/crm(/.*)?	gen_context(system_u:object_r:pacemaker_runtime_t,s0)
+/run/resource-agents(/.*)?		gen_context(system_u:object_r:pacemaker_runtime_t,s0)
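Review bot: the new /run/resource-agents entry puts two tabs before gen_context while the /run/crm line directly above uses one; match the column alignment already used in this file.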

diff --git a/policy/modules/services/pacemaker.te b/policy/modules/services/pacemaker.te
index e7c0d691..f7a18a7f 100644
--- a/policy/modules/services/pacemaker.te
+++ b/policy/modules/services/pacemaker.te
@@ -12,6 +12,9 @@ init_daemon_domain(pacemaker_t, pacemaker_exec_t)
 type pacemaker_initrc_exec_t;
 init_script_file(pacemaker_initrc_exec_t)
 
+type pacemaker_log_t;
+logging_log_file(pacemaker_log_t)
+
 type pacemaker_runtime_t alias pacemaker_var_run_t;
 files_runtime_file(pacemaker_runtime_t)
 
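Review bot: pacemaker_log_t is declared here and gets a logging_log_filetrans rule further down, but pacemaker.fc in this same patch adds no /var/log entry for it, so the log file only carries this label when pacemaker itself creates it; a pre-existing log file or a restorecon run leaves it as generic var_log_t. Add a matching pacemaker.fc line for the path pacemaker writes its log to (the path is not visible in the AVCs quoted in the message, so take it from the denial that motivated the type).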
@@ -29,15 +32,23 @@ files_type(pacemaker_var_lib_t)
 # Local policy
 #
 
-allow pacemaker_t self:capability { chown dac_override fowner fsetid kill setuid };
-allow pacemaker_t self:process { setrlimit signal setpgid };
+allow pacemaker_t self:capability { chown dac_override fowner fsetid kill net_raw setgid setuid };
+allow pacemaker_t self:process { getsched getcap setcap setpgid setrlimit setsched signal signull };
 allow pacemaker_t self:fifo_file rw_fifo_file_perms;
+allow pacemaker_t self:packet_socket { bind create getattr read write };
 allow pacemaker_t self:unix_stream_socket { connectto accept listen };
 
+create_files_pattern(pacemaker_t, pacemaker_log_t, pacemaker_log_t)
+append_files_pattern(pacemaker_t, pacemaker_log_t, pacemaker_log_t)
+setattr_files_pattern(pacemaker_t, pacemaker_log_t, pacemaker_log_t)
+read_files_pattern(pacemaker_t, pacemaker_log_t, pacemaker_log_t)
+logging_log_filetrans(pacemaker_t, pacemaker_log_t, file)
+
 manage_dirs_pattern(pacemaker_t, pacemaker_tmp_t, pacemaker_tmp_t)
 manage_files_pattern(pacemaker_t, pacemaker_tmp_t, pacemaker_tmp_t)
 files_tmp_filetrans(pacemaker_t, pacemaker_tmp_t, { file dir })
 
+mmap_rw_files_pattern(pacemaker_t, pacemaker_tmpfs_t, pacemaker_tmpfs_t)
 manage_dirs_pattern(pacemaker_t, pacemaker_tmpfs_t, pacemaker_tmpfs_t)
 manage_files_pattern(pacemaker_t, pacemaker_tmpfs_t, pacemaker_tmpfs_t)
 fs_tmpfs_filetrans(pacemaker_t, pacemaker_tmpfs_t, { dir file })
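Review bot: net_raw and `self:packet_socket { bind create getattr read write }` are granted to pacemaker_t as a whole, yet every raw-socket denial in the message is attributed to send_arp or arping, i.e. helper tools the resource agents run. Raw packet access is much wider than the cluster daemon needs; the safer shape is a domain transition for those helpers so that net_raw and the packet socket live in the helper domain instead. Separately, getsched, setsched and signull are added to self:process without any corresponding denial in the commit message; a one-line comment on what needs them would help the next reader.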
@@ -60,6 +71,8 @@ kernel_read_system_state(pacemaker_t)
 corecmd_exec_bin(pacemaker_t)
 corecmd_exec_shell(pacemaker_t)
 
+corenet_udp_bind_generic_node(pacemaker_t)
+
 dev_getattr_mtrr_dev(pacemaker_t)
 dev_read_rand(pacemaker_t)
 dev_read_urand(pacemaker_t)
@@ -68,11 +81,16 @@ domain_read_all_domains_state(pacemaker_t)
 domain_use_interactive_fds(pacemaker_t)
 
 files_read_kernel_symbol_table(pacemaker_t)
+files_read_usr_files(pacemaker_t)
 
 fs_getattr_all_fs(pacemaker_t)
 
 auth_use_nsswitch(pacemaker_t)
 
+init_dbus_chat(pacemaker_t)
+
+libs_exec_lib_files(pacemaker_t)
+
 logging_send_syslog_msg(pacemaker_t)
 
 miscfiles_read_localization(pacemaker_t)
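Review bot: libs_exec_lib_files(pacemaker_t) lets pacemaker_t execute every lib_t file on the system, while all three execute_no_trans denials are under /usr/lib/ocf/resource.d/heartbeat/. A narrower fix is to give that directory an executable label in pacemaker.fc (bin_t, which the corecmd_exec_bin rule above already covers, or a dedicated pacemaker exec type) rather than opening all of lib_t to the daemon.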
@@ -81,3 +99,15 @@ optional_policy(`
 	corosync_read_log(pacemaker_t)
 	corosync_stream_connect(pacemaker_t)
 ')
+
+optional_policy(`
+	dbus_system_bus_client(pacemaker_t)
+')
+
+optional_policy(`
+	netutils_exec(pacemaker_t)
+')
+
+optional_policy(`
+	sysnet_domtrans_ifconfig(pacemaker_t)
+')
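Review bot: netutils_exec(pacemaker_t) runs arping in pacemaker_t itself, which is exactly why the net_raw capability and the self:packet_socket rules above became necessary. The same patch already uses sysnet_domtrans_ifconfig for the interface tools; using netutils_domtrans here for consistency would keep the raw-socket privilege in netutils_t, and net_raw plus the packet_socket rule could then be dropped from pacemaker_t.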



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2020-11-28 23:09 Jason Zaman
From: Jason Zaman @ 2020-11-28 23:09 UTC (permalink / raw
  To: gentoo-commits

commit:     1958d08d70d801a23e7ef15a8b3b0857b6c79946
Author:     Daniel Burgener <Daniel.Burgener <AT> microsoft <DOT> com>
AuthorDate: Wed Nov 11 21:14:43 2020 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Nov 28 22:55:41 2020 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1958d08d

Allow init to mount over the system bus

In portable profiles, systemd bind mounts the system bus into process
namespaces

Signed-off-by: Daniel Burgener <Daniel.Burgener <AT> microsoft.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/dbus.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index f123c6d9..86e79b76 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -50,6 +50,7 @@ init_named_socket_activation(system_dbusd_t, system_dbusd_runtime_t)
 type system_dbusd_runtime_t alias system_dbusd_var_run_t;
 files_runtime_file(system_dbusd_runtime_t)
 init_daemon_runtime_file(system_dbusd_runtime_t, dir, "dbus")
+init_mountpoint(system_dbusd_runtime_t)
 
 type system_dbusd_tmp_t;
 files_tmp_file(system_dbusd_tmp_t)
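Review bot: the reason for the mounton grant (systemd bind-mounting the system bus into portable service namespaces) lives only in the commit message; add a short comment above init_mountpoint(system_dbusd_runtime_t) so it does not read as a stray rule when someone later audits what init is allowed to mount over.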



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2020-11-28 23:09 Jason Zaman
From: Jason Zaman @ 2020-11-28 23:09 UTC (permalink / raw
  To: gentoo-commits

commit:     e42716a61c8fe4fb0317fbc23a9b8054e0ec9608
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Fri Nov 20 14:54:32 2020 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Nov 28 22:55:46 2020 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e42716a6

dbus: Module version bump.

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/dbus.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index 86e79b76..f4ee2ad3 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -1,4 +1,4 @@
-policy_module(dbus, 1.29.2)
+policy_module(dbus, 1.29.3)
 
 gen_require(`
 	class dbus all_dbus_perms;



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2021-02-01  2:10 Jason Zaman
From: Jason Zaman @ 2021-02-01  2:10 UTC (permalink / raw
  To: gentoo-commits

commit:     d2423ae4bde7048042e80957e3c727eb59e04c8b
Author:     Russell Coker <russell <AT> coker <DOT> com <DOT> au>
AuthorDate: Wed Jan 27 03:15:50 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb  1 01:21:42 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d2423ae4

misc services patches with changes Dominick and Chris wanted

I think this one is ready to merge.

Signed-off-by: Russell Coker <russell <AT> coker.com.au>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/apache.fc    |  6 +++++-
 policy/modules/services/apache.if    | 22 ++++++++++++++++++++
 policy/modules/services/apache.te    | 15 ++++++++++++--
 policy/modules/services/aptcacher.fc |  5 ++++-
 policy/modules/services/aptcacher.if | 40 ++++++++++++++++++++++++++++++++++++
 policy/modules/services/aptcacher.te |  2 ++
 policy/modules/services/bind.te      |  1 +
 policy/modules/services/colord.te    | 10 +++++++++
 policy/modules/services/cron.te      | 12 +++++++++++
 policy/modules/services/cups.te      |  3 ++-
 policy/modules/services/devicekit.te |  2 ++
 policy/modules/services/entropyd.te  |  1 +
 policy/modules/services/fail2ban.te  |  2 ++
 policy/modules/services/jabber.te    |  3 +++
 policy/modules/services/l2tp.te      |  1 +
 policy/modules/services/mon.te       |  7 ++++++-
 policy/modules/services/mysql.fc     |  1 +
 policy/modules/services/mysql.te     |  7 ++++++-
 policy/modules/services/openvpn.te   | 10 +++++++++
 policy/modules/services/postgrey.te  |  1 +
 policy/modules/services/rpc.te       |  1 +
 policy/modules/services/samba.te     | 18 ++++++++++++++--
 policy/modules/services/smartmon.te  |  2 +-
 policy/modules/services/squid.te     |  2 ++
 policy/modules/services/tor.te       |  1 +
 policy/modules/services/watchdog.te  |  2 ++
 policy/modules/services/xserver.if   |  1 +
 27 files changed, 168 insertions(+), 10 deletions(-)

diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc
index 52879fe1..6c4ddba7 100644
--- a/policy/modules/services/apache.fc
+++ b/policy/modules/services/apache.fc
@@ -80,6 +80,8 @@ ifndef(`distro_gentoo',`
 /usr/sbin/hiawatha					--	gen_context(system_u:object_r:httpd_exec_t,s0)
 /usr/sbin/httpd\.event					--	gen_context(system_u:object_r:httpd_exec_t,s0)
 /usr/sbin/httpd(\.worker)?				--	gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/php.*-fpm					--	gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/php-fpm[^/]+					--	gen_context(system_u:object_r:httpd_exec_t,s0)
 /usr/sbin/lighttpd					--	gen_context(system_u:object_r:httpd_exec_t,s0)
 ifndef(`distro_gentoo',`
 /usr/sbin/nginx						--  gen_context(system_u:object_r:httpd_exec_t,s0)
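Review bot: the two php-fpm patterns break the alphabetical order this block otherwise keeps (hiawatha, httpd, lighttpd, nginx) and overlap: `/usr/sbin/php.*-fpm` already matches /usr/sbin/php-fpm and /usr/sbin/php7.4-fpm, and `/usr/sbin/php-fpm[^/]+` only adds the suffixed form. Either merge them into one expression or, if both stay, move them after the lighttpd entry. The `.` in `php.*` is the regex wildcard and works as intended, but since the rest of this file escapes literal dots a reader may take it for a typo; a comment or an explicit `[^/]*` avoids that.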
@@ -152,7 +154,7 @@ ifndef(`distro_gentoo',`
 /var/lib/php/session(/.*)?					gen_context(system_u:object_r:httpd_runtime_t,s0)
 /var/lib/pootle/po(/.*)?					gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 /var/lib/rt3/data/RT-Shredder(/.*)?				gen_context(system_u:object_r:httpd_var_lib_t,s0)
-/var/lib/squirrelmail/prefs(/.*)?				gen_context(system_u:object_r:httpd_squirrelmail_t,s0)
+/var/lib/squirrelmail(/.*)?					gen_context(system_u:object_r:httpd_squirrelmail_t,s0)
 /var/lib/stickshift/\.httpd\.d(/.*)?				gen_context(system_u:object_r:httpd_config_t,s0)
 /var/lib/svn(/.*)?						gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 /var/lib/trac(/.*)?						gen_context(system_u:object_r:httpd_sys_content_t,s0)
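Review bot: widening the label from /var/lib/squirrelmail/prefs to the whole /var/lib/squirrelmail tree hands httpd_t manage rights over everything under it (through the manage_*_pattern rules on httpd_squirrelmail_t in apache.te), not only the preference store. If that is intended, a sentence in the commit message on what else squirrelmail keeps there would justify it; otherwise keep the prefs entry and add a second, narrower line for the new path.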
@@ -180,6 +182,7 @@ ifndef(`distro_gentoo',`
 /var/log/roundcubemail(/.*)?					gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/suphp\.log.*					--	gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/z-push(/.*)?						gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/log/php7..-fpm.log					--	gen_context(system_u:object_r:httpd_log_t,s0)
 
 /run/apache.*							gen_context(system_u:object_r:httpd_runtime_t,s0)
 /run/cherokee\.pid					--	gen_context(system_u:object_r:httpd_runtime_t,s0)
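Review bot: `/var/log/php7..-fpm.log` has unescaped dots, so it matches any two characters between php7 and -fpm and any character before log, and it will never match a php8.x-fpm log. Use an explicit version pattern such as `/var/log/php[0-9]+\.[0-9]+-fpm\.log.*` (the trailing `.*` also catches rotated copies) and place it in alphabetical order above roundcubemail rather than after z-push.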
@@ -188,6 +191,7 @@ ifndef(`distro_gentoo',`
 /run/httpd.*							gen_context(system_u:object_r:httpd_runtime_t,s0)
 /run/lighttpd(/.*)?						gen_context(system_u:object_r:httpd_runtime_t,s0)
 /run/mod_.*							gen_context(system_u:object_r:httpd_runtime_t,s0)
+/run/php(/.*)?							gen_context(system_u:object_r:httpd_runtime_t,s0)
 /run/wsgi.*						-s	gen_context(system_u:object_r:httpd_runtime_t,s0)
 /run/user/apache(/.*)?						gen_context(system_u:object_r:httpd_tmp_t,s0)
 

diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
index f8c6c909..44767359 100644
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@@ -71,6 +71,7 @@ template(`apache_content_template',`
 
 	manage_dirs_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
 	manage_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+	allow httpd_$1_script_t httpd_$1_rw_content_t:file map;
 	manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
 	manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
 	manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
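Review bot: the bare `allow httpd_$1_script_t httpd_$1_rw_content_t:file map;` is dropped between two *_pattern calls; if this tree provides an mmap variant of manage_files_pattern, fold the permission into that call so the script domain's access to its rw content is described in one place. Either way, mapping writable content is the kind of grant a later reviewer will question, so a comment naming the consumer that needs it (a caching or database library, for instance) belongs here.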
@@ -97,6 +98,8 @@ template(`apache_content_template',`
 
 	tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
 		filetrans_pattern(httpd_t, httpd_$1_content_t, httpd_$1_rw_content_t, { file dir fifo_file lnk_file sock_file })
+		allow httpd_t httpd_$1_content_t:file map;
+		allow httpd_t httpd_$1_rw_content_t:file map;
 	')
 ')
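Review bot: the two map rules added inside the `httpd_enable_cgi && httpd_unified && httpd_builtin_scripting` block look redundant with the apache.te change further down, which adds `allow httpd_t httpdcontent:file map;` under the very same tunable expression. If httpd_$1_content_t and httpd_$1_rw_content_t carry the httpdcontent attribute, as the content template normally assigns, these two lines add nothing and can be dropped.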
 
@@ -1023,6 +1026,7 @@ interface(`apache_manage_sys_rw_content',`
 	apache_search_sys_content($1)
 	manage_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
 	manage_files_pattern($1,httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+	allow $1 httpd_sys_rw_content_t:file map;
 	manage_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
 ')
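Review bot: apache_manage_sys_rw_content now silently grants map to every existing caller, a semantics change for an interface whose name and summary promise only manage access. Either update the interface documentation to say mmap is included, or add a separate mmap interface and call it where needed. Pre-existing but trivial to fix while here: `manage_files_pattern($1,httpd_sys_rw_content_t, ...)` is missing the space after the first comma.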
 
@@ -1149,6 +1153,24 @@ interface(`apache_append_squirrelmail_data',`
 	allow $1 httpd_squirrelmail_t:file append_file_perms;
 ')
 
+########################################
+## <summary>
+##	delete httpd squirrelmail spool files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apache_delete_squirrelmail_spool',`
+	gen_require(`
+		type squirrelmail_spool_t;
+	')
+
+	delete_files_pattern($1, squirrelmail_spool_t, squirrelmail_spool_t)
+')
+
 ########################################
 ## <summary>
 ##	Search httpd system content.
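Review bot: apache_delete_squirrelmail_spool grants delete on squirrelmail_spool_t files but no search on the directories leading to the spool; the sibling interfaces in this file pair their pattern call with a files_search_spool($1) so a caller such as system_cronjob_t can actually reach the files. Also capitalise the summary ("Delete httpd squirrelmail spool files.") to match the other interface summaries.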

diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
index 39685bef..da43a1d8 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -381,6 +381,7 @@ manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
 manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
 manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
 files_var_filetrans(httpd_t, httpd_cache_t, dir)
+allow httpd_t httpd_cache_t:file map;
 
 allow httpd_t httpd_config_t:dir list_dir_perms;
 read_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
@@ -389,7 +390,7 @@ read_lnk_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
 allow httpd_t httpd_htaccess_type:file read_file_perms;
 
 allow httpd_t httpd_ro_content:dir list_dir_perms;
-allow httpd_t httpd_ro_content:file read_file_perms;
+allow httpd_t httpd_ro_content:file { map read_file_perms };
 allow httpd_t httpd_ro_content:lnk_file read_lnk_file_perms;
 
 allow httpd_t httpd_keytab_t:file read_file_perms;
@@ -416,6 +417,7 @@ allow httpd_t httpd_rotatelogs_t:process signal_perms;
 manage_dirs_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
 manage_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
 manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
+allow httpd_t httpd_squirrelmail_t:file map;
 
 allow httpd_t httpd_suexec_exec_t:file read_file_perms;
 
@@ -425,6 +427,7 @@ allow httpd_t httpd_sys_script_t:process signull;
 
 manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
 manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
+allow httpd_t httpd_tmp_t:file map;
 manage_sock_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
 manage_lnk_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
 files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir lnk_file sock_file })
@@ -439,6 +442,7 @@ fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_fi
 
 manage_dirs_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
 manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
+allow httpd_t httpd_var_lib_t:file map;
 manage_lnk_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
 files_var_lib_filetrans(httpd_t, httpd_var_lib_t, { dir file })
 
@@ -460,6 +464,7 @@ domtrans_pattern(httpd_t, httpd_rotatelogs_exec_t, httpd_rotatelogs_t)
 domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
 
 kernel_read_kernel_sysctls(httpd_t)
+kernel_read_crypto_sysctls(httpd_t)
 kernel_read_vm_sysctls(httpd_t)
 kernel_read_vm_overcommit_sysctl(httpd_t)
 kernel_read_network_state(httpd_t)
@@ -484,6 +489,7 @@ dev_read_sysfs(httpd_t)
 dev_read_rand(httpd_t)
 dev_read_urand(httpd_t)
 dev_rw_crypto(httpd_t)
+dev_rwx_zero(httpd_t)
 
 domain_use_interactive_fds(httpd_t)
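Review bot: dev_rwx_zero(httpd_t) lets the web server map /dev/zero with PROT_EXEC, which is functionally an execmem grant: anonymous writable and executable memory obtained through the device instead of an anonymous mmap. If a module genuinely JIT-compiles, name it in a comment and ideally gate the rule behind a tunable; otherwise dev_rw_zero(httpd_t), without execute, is the safer rule.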
 
@@ -492,10 +498,12 @@ fs_search_auto_mountpoints(httpd_t)
 
 fs_read_anon_inodefs_files(httpd_t)
 fs_rw_inherited_hugetlbfs_files(httpd_t)
+fs_mmap_rw_hugetlbfs_files(httpd_t)
 fs_read_iso9660_files(httpd_t)
 
 files_dontaudit_getattr_all_runtime_files(httpd_t)
 files_read_usr_files(httpd_t)
+files_map_usr_files(httpd_t)
 files_list_mnt(httpd_t)
 files_search_spool(httpd_t)
 files_read_var_symlinks(httpd_t)
@@ -504,6 +512,7 @@ files_search_home(httpd_t)
 files_getattr_home_dir(httpd_t)
 files_read_etc_runtime_files(httpd_t)
 files_read_var_lib_symlinks(httpd_t)
+files_map_etc_files(httpd_t)
 
 auth_use_nsswitch(httpd_t)
 
@@ -573,7 +582,7 @@ tunable_policy(`httpd_builtin_scripting',`
 	exec_files_pattern(httpd_t, httpd_script_exec_type, httpd_script_exec_type)
 
 	allow httpd_t httpdcontent:dir list_dir_perms;
-	allow httpd_t httpdcontent:file read_file_perms;
+	allow httpd_t httpdcontent:file { map read_file_perms };
 	allow httpd_t httpdcontent:lnk_file read_lnk_file_perms;
 
 	allow httpd_t httpd_ra_content:dir { list_dir_perms add_entry_dir_perms setattr_dir_perms };
@@ -614,6 +623,7 @@ tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
 
 	manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
 	manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
+	allow httpd_t httpdcontent:file map;
 	manage_fifo_files_pattern(httpd_t, httpdcontent, httpdcontent)
 	manage_lnk_files_pattern(httpd_t, httpdcontent, httpdcontent)
 	manage_sock_files_pattern(httpd_t, httpdcontent, httpdcontent)
@@ -899,6 +909,7 @@ optional_policy(`
 #
 
 read_files_pattern(httpd_helper_t, httpd_config_t, httpd_config_t)
+allow httpd_t httpd_config_t:file map;
 
 append_files_pattern(httpd_helper_t, httpd_log_t, httpd_log_t)
 read_lnk_files_pattern(httpd_helper_t, httpd_log_t, httpd_log_t)
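Review bot: `allow httpd_t httpd_config_t:file map;` is inserted in the httpd_helper_t local policy section, directly under a read_files_pattern for httpd_helper_t. If the denial was for the helper, the subject should be httpd_helper_t; if it was for httpd_t, the line belongs with the other httpd_config_t rules in the httpd_t section next to `read_files_pattern(httpd_t, httpd_config_t, httpd_config_t)`. As written the rule is correct but misplaced, which is how such rules end up duplicated later.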

diff --git a/policy/modules/services/aptcacher.fc b/policy/modules/services/aptcacher.fc
index 5f27bb04..fcdc96a8 100644
--- a/policy/modules/services/aptcacher.fc
+++ b/policy/modules/services/aptcacher.fc
@@ -2,12 +2,15 @@
 
 /usr/lib/apt-cacher-ng/acngtool -- gen_context(system_u:object_r:acngtool_exec_t,s0)
 
-/usr/sbin/apt-cacher-ng -- gen_context(system_u:object_r:aptcacher_exec_t,s0)
+/usr/sbin/apt-cacher.* -- gen_context(system_u:object_r:aptcacher_exec_t,s0)
 
+/run/apt-cacher(/.*)?  gen_context(system_u:object_r:aptcacher_runtime_t,s0)
 /run/apt-cacher-ng(/.*)?  gen_context(system_u:object_r:aptcacher_runtime_t,s0)
 
+/var/cache/apt-cacher(/.*)?	gen_context(system_u:object_r:aptcacher_cache_t,s0)
 /var/cache/apt-cacher-ng(/.*)?	gen_context(system_u:object_r:aptcacher_cache_t,s0)
 
 /var/lib/apt-cacher-ng(/.*)? gen_context(system_u:object_r:aptcacher_lib_t,s0)
 
+/var/log/apt-cacher(/.*)? gen_context(system_u:object_r:aptcacher_log_t,s0)
 /var/log/apt-cacher-ng(/.*)? gen_context(system_u:object_r:aptcacher_log_t,s0)

diff --git a/policy/modules/services/aptcacher.if b/policy/modules/services/aptcacher.if
index 12c1335a..8c99a699 100644
--- a/policy/modules/services/aptcacher.if
+++ b/policy/modules/services/aptcacher.if
@@ -63,3 +63,43 @@ interface(`aptcacher_stream_connect',`
 	files_search_runtime($1)
 	stream_connect_pattern($1, aptcacher_runtime_t, aptcacher_runtime_t, aptcacher_t)
 ')
+
+######################################
+## <summary>
+##     read aptcacher config
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed to read it.
+##     </summary>
+## </param>
+#
+interface(`aptcacher_read_config',`
+	gen_require(`
+		type aptcacher_etc_t;
+	')
+
+	files_search_etc($1)
+	allow $1 aptcacher_etc_t:dir list_dir_perms;
+	allow $1 aptcacher_etc_t:file read_file_perms;
+')
+
+######################################
+## <summary>
+##     mmap and read aptcacher config
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed to read it.
+##     </summary>
+## </param>
+#
+interface(`aptcacher_mmap_read_config',`
+	gen_require(`
+		type aptcacher_etc_t;
+	')
+
+	files_search_etc($1)
+	allow $1 aptcacher_etc_t:dir list_dir_perms;
+	allow $1 aptcacher_etc_t:file mmap_read_file_perms;
+')
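Review bot: the XML doc comments of the two new interfaces are indented with spaces while the interface added to apache.if in this same patch uses tabs, and the summaries are lower-case fragments ("read aptcacher config"). Also, aptcacher_read_config is added but nothing in this patch calls it (cron.te uses the mmap variant); if it is kept for completeness, say so in the commit message so it is not flagged as dead code.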

diff --git a/policy/modules/services/aptcacher.te b/policy/modules/services/aptcacher.te
index 57ceaed5..d9089a77 100644
--- a/policy/modules/services/aptcacher.te
+++ b/policy/modules/services/aptcacher.te
@@ -75,6 +75,8 @@ corenet_tcp_connect_http_port(aptcacher_t)
 
 auth_use_nsswitch(aptcacher_t)
 
+files_read_etc_files(aptcacher_t)
+
 # Uses sd_notify() to inform systemd it has properly started
 init_dgram_send(aptcacher_t)
 

diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te
index 1eceba35..57ae7be3 100644
--- a/policy/modules/services/bind.te
+++ b/policy/modules/services/bind.te
@@ -149,6 +149,7 @@ domain_use_interactive_fds(named_t)
 
 files_read_etc_runtime_files(named_t)
 files_read_usr_files(named_t)
+files_map_usr_files(named_t)
 
 fs_getattr_all_fs(named_t)
 fs_search_auto_mountpoints(named_t)

diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te
index 1eba7d63..ca035d5e 100644
--- a/policy/modules/services/colord.te
+++ b/policy/modules/services/colord.te
@@ -31,6 +31,8 @@ allow colord_t self:netlink_kobject_uevent_socket create_socket_perms;
 allow colord_t self:tcp_socket { accept listen };
 allow colord_t self:shm create_shm_perms;
 
+can_exec(colord_t, colord_exec_t)
+
 manage_dirs_pattern(colord_t, colord_tmp_t, colord_tmp_t)
 manage_files_pattern(colord_t, colord_tmp_t, colord_tmp_t)
 files_tmp_filetrans(colord_t, colord_tmp_t, { file dir })
@@ -127,6 +129,10 @@ optional_policy(`
 	policykit_read_reload(colord_t)
 ')
 
+optional_policy(`
+	snmp_read_snmp_var_lib_files(colord_t)
+')
+
 optional_policy(`
 	sysnet_exec_ifconfig(colord_t)
 ')
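Review bot: snmp_read_snmp_var_lib_files(colord_t) is an unusual dependency for a colour manager and the commit message does not explain it; a comment naming the library or device backend that reads the SNMP state would keep this from being removed as a stray rule later.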
@@ -135,6 +141,10 @@ optional_policy(`
 	udev_read_runtime_files(colord_t)
 ')
 
+optional_policy(`
+	unconfined_dbus_send(colord_t)
+')
+
 optional_policy(`
 	xserver_read_xdm_lib_files(colord_t)
 	xserver_use_xdm_fds(colord_t)
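Review bot: unconfined_dbus_send(colord_t) lets colord send D-Bus messages to unconfined domains; if the only need is replying to a client that is itself unconfined, that is the expected shape, but it is worth stating in a comment because unconfined_* calls are the first thing a hardening review strips.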

diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
index 69de0c54..72e1d8c4 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -309,6 +309,8 @@ init_start_all_units(system_cronjob_t)
 init_get_generic_units_status(system_cronjob_t)
 init_get_system_status(system_cronjob_t)
 
+backup_manage_store_files(system_cronjob_t)
+
 auth_manage_var_auth(crond_t)
 auth_use_pam(crond_t)
 
@@ -344,6 +346,11 @@ ifdef(`distro_debian',`
 		dpkg_manage_db(system_cronjob_t)
 	')
 
+	optional_policy(`
+		aptcacher_mmap_read_config(system_cronjob_t)
+		corenet_tcp_connect_aptcacher_port(system_cronjob_t)
+	')
+
 	optional_policy(`
 		logwatch_search_cache_dir(crond_t)
 	')
@@ -432,6 +439,7 @@ optional_policy(`
 	init_dbus_chat(crond_t)
 	init_dbus_chat(system_cronjob_t)
 	systemd_dbus_chat_logind(system_cronjob_t)
+	systemd_read_journal_files(system_cronjob_t)
 	systemd_write_inherited_logind_sessions_pipes(system_cronjob_t)
 	# so cron jobs can restart daemons
 	init_stream_connect(system_cronjob_t)
@@ -501,6 +509,7 @@ corenet_tcp_sendrecv_generic_if(system_cronjob_t)
 corenet_udp_sendrecv_generic_if(system_cronjob_t)
 corenet_tcp_sendrecv_generic_node(system_cronjob_t)
 corenet_udp_sendrecv_generic_node(system_cronjob_t)
+corenet_udp_bind_generic_node(system_cronjob_t)
 
 dev_getattr_all_blk_files(system_cronjob_t)
 dev_getattr_all_chr_files(system_cronjob_t)
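Review bot: corenet_udp_bind_generic_node(system_cronjob_t) is a broad grant (any cron job may bind a UDP socket on any local node) with no hint in the commit message about which job needs it; add a comment naming the tool, and if it is a single utility a domain transition for that tool would be the tighter fix.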
@@ -583,6 +592,7 @@ optional_policy(`
 	apache_read_log(system_cronjob_t)
 	apache_read_sys_content(system_cronjob_t)
 	apache_delete_lib_files(system_cronjob_t)
+	apache_delete_squirrelmail_spool(system_cronjob_t)
 ')
 
 optional_policy(`
@@ -655,6 +665,8 @@ optional_policy(`
 
 optional_policy(`
 	spamassassin_manage_lib_files(system_cronjob_t)
+	spamassassin_status(system_cronjob_t)
+	spamassassin_reload(system_cronjob_t)
 ')
 
 optional_policy(`

diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te
index 9ead4c30..f6e4a0e6 100644
--- a/policy/modules/services/cups.te
+++ b/policy/modules/services/cups.te
@@ -111,11 +111,12 @@ ifdef(`enable_mls',`
 
 allow cupsd_t self:capability { chown dac_override dac_read_search fowner fsetid ipc_lock kill setgid setuid sys_admin sys_rawio sys_resource sys_tty_config };
 dontaudit cupsd_t self:capability { net_admin sys_tty_config };
-allow cupsd_t self:capability2 block_suspend;
+allow cupsd_t self:capability2 { block_suspend wake_alarm };
 allow cupsd_t self:process { getpgid setpgid setsched signal_perms };
 allow cupsd_t self:fifo_file rw_fifo_file_perms;
 allow cupsd_t self:unix_stream_socket { accept connectto listen };
 allow cupsd_t self:netlink_selinux_socket create_socket_perms;
+allow cupsd_t self:netlink_kobject_uevent_socket create_socket_perms;
 allow cupsd_t self:shm create_shm_perms;
 allow cupsd_t self:sem create_sem_perms;
 allow cupsd_t self:tcp_socket { accept listen };

diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
index fcae68a5..b69c8113 100644
--- a/policy/modules/services/devicekit.te
+++ b/policy/modules/services/devicekit.te
@@ -131,6 +131,8 @@ fs_mount_all_fs(devicekit_disk_t)
 fs_unmount_all_fs(devicekit_disk_t)
 fs_search_all(devicekit_disk_t)
 
+mount_rw_runtime_files(devicekit_disk_t)
+
 mls_file_read_all_levels(devicekit_disk_t)
 mls_file_write_to_clearance(devicekit_disk_t)
 

diff --git a/policy/modules/services/entropyd.te b/policy/modules/services/entropyd.te
index aa404773..f2405692 100644
--- a/policy/modules/services/entropyd.te
+++ b/policy/modules/services/entropyd.te
@@ -55,6 +55,7 @@ files_read_usr_files(entropyd_t)
 
 fs_getattr_all_fs(entropyd_t)
 fs_search_auto_mountpoints(entropyd_t)
+fs_search_tmpfs(entropyd_t)
 
 domain_use_interactive_fds(entropyd_t)
 

diff --git a/policy/modules/services/fail2ban.te b/policy/modules/services/fail2ban.te
index 352b4ca8..1e97cdfa 100644
--- a/policy/modules/services/fail2ban.te
+++ b/policy/modules/services/fail2ban.te
@@ -63,6 +63,7 @@ manage_files_pattern(fail2ban_t, fail2ban_runtime_t, fail2ban_runtime_t)
 files_runtime_filetrans(fail2ban_t, fail2ban_runtime_t, file)
 
 kernel_read_system_state(fail2ban_t)
+kernel_search_fs_sysctls(fail2ban_t)
 
 corecmd_exec_bin(fail2ban_t)
 corecmd_exec_shell(fail2ban_t)
@@ -90,6 +91,7 @@ fs_getattr_all_fs(fail2ban_t)
 auth_use_nsswitch(fail2ban_t)
 
 logging_read_all_logs(fail2ban_t)
+logging_read_audit_log(fail2ban_t)
 logging_send_syslog_msg(fail2ban_t)
 
 miscfiles_read_localization(fail2ban_t)

diff --git a/policy/modules/services/jabber.te b/policy/modules/services/jabber.te
index 7d028b8d..06273d09 100644
--- a/policy/modules/services/jabber.te
+++ b/policy/modules/services/jabber.te
@@ -110,8 +110,11 @@ files_read_etc_runtime_files(jabberd_t)
 # usr for lua modules
 files_read_usr_files(jabberd_t)
 
+files_search_var_lib(jabberd_t)
+
 fs_search_auto_mountpoints(jabberd_t)
 
+miscfiles_read_generic_tls_privkey(jabberd_t)
 miscfiles_read_all_certs(jabberd_t)
 
 sysnet_read_config(jabberd_t)

diff --git a/policy/modules/services/l2tp.te b/policy/modules/services/l2tp.te
index 0fa4d8dd..6a429835 100644
--- a/policy/modules/services/l2tp.te
+++ b/policy/modules/services/l2tp.te
@@ -35,6 +35,7 @@ allow l2tpd_t self:socket create_socket_perms;
 allow l2tpd_t self:tcp_socket { accept listen };
 allow l2tpd_t self:unix_dgram_socket sendto;
 allow l2tpd_t self:unix_stream_socket { accept listen };
+allow l2tpd_t self:pppox_socket create;
 
 read_files_pattern(l2tpd_t, l2tp_conf_t, l2tp_conf_t)
 

diff --git a/policy/modules/services/mon.te b/policy/modules/services/mon.te
index 08f1b0a0..74a94b89 100644
--- a/policy/modules/services/mon.te
+++ b/policy/modules/services/mon.te
@@ -147,6 +147,10 @@ optional_policy(`
 	bind_read_zone(mon_net_test_t)
 ')
 
+optional_policy(`
+	mysql_stream_connect(mon_net_test_t)
+')
+
 ########################################
 #
 # Local policy
@@ -156,7 +160,8 @@ optional_policy(`
 # try not to use dontaudit rules for this
 #
 
-allow mon_local_test_t self:capability sys_admin;
+# sys_ptrace is for reading /proc/1/maps etc
+allow mon_local_test_t self:capability { sys_ptrace sys_admin };
 allow mon_local_test_t self:fifo_file rw_fifo_file_perms;
 allow mon_local_test_t self:process getsched;
 

diff --git a/policy/modules/services/mysql.fc b/policy/modules/services/mysql.fc
index 7739d36d..d23f2636 100644
--- a/policy/modules/services/mysql.fc
+++ b/policy/modules/services/mysql.fc
@@ -20,6 +20,7 @@ HOME_DIR/\.my\.cnf	--	gen_context(system_u:object_r:mysqld_home_t,s0)
 /usr/sbin/mysqld(-max)?	--	gen_context(system_u:object_r:mysqld_exec_t,s0)
 /usr/sbin/mysqlmanager	--	gen_context(system_u:object_r:mysqlmanagerd_exec_t,s0)
 /usr/sbin/ndbd	--	gen_context(system_u:object_r:mysqld_exec_t,s0)
+/usr/sbin/mariadbd	--	gen_context(system_u:object_r:mysqld_exec_t,s0)
 
 /var/lib/mysql(/.*)?	gen_context(system_u:object_r:mysqld_db_t,s0)
 /var/lib/mysql/mysql.*	-s	gen_context(system_u:object_r:mysqld_runtime_t,s0)
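Review bot: keep the /usr/sbin/mariadbd entry in alphabetical order (before the mysqld line) rather than appending it after ndbd; the rest of this block is sorted.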

diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te
index f88f458b..5a264e2f 100644
--- a/policy/modules/services/mysql.te
+++ b/policy/modules/services/mysql.te
@@ -65,7 +65,7 @@ files_runtime_file(mysqlmanagerd_runtime_t)
 # Local policy
 #
 
-allow mysqld_t self:capability { dac_override ipc_lock setgid setuid sys_resource };
+allow mysqld_t self:capability { dac_override dac_read_search ipc_lock setgid setuid sys_resource };
 dontaudit mysqld_t self:capability sys_tty_config;
 allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh };
 allow mysqld_t self:fifo_file rw_fifo_file_perms;
@@ -75,6 +75,7 @@ allow mysqld_t self:tcp_socket { accept listen };
 
 manage_dirs_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
 manage_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
+allow mysqld_t mysqld_db_t:file map;
 manage_lnk_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
 files_var_lib_filetrans(mysqld_t, mysqld_db_t, { dir file lnk_file })
 
@@ -91,6 +92,7 @@ logging_log_filetrans(mysqld_t, mysqld_log_t, { dir file })
 
 manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
 manage_files_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
+allow mysqld_t mysqld_tmp_t:file map;
 files_tmp_filetrans(mysqld_t, mysqld_tmp_t, { file dir })
 
 manage_dirs_pattern(mysqld_t, mysqld_runtime_t, mysqld_runtime_t)
@@ -102,6 +104,7 @@ kernel_read_kernel_sysctls(mysqld_t)
 kernel_read_network_state(mysqld_t)
 kernel_read_system_state(mysqld_t)
 kernel_read_vm_sysctls(mysqld_t)
+kernel_read_vm_overcommit_sysctl(mysqld_t)
 
 corenet_all_recvfrom_netlabel(mysqld_t)
 corenet_tcp_sendrecv_generic_if(mysqld_t)
@@ -123,6 +126,7 @@ domain_use_interactive_fds(mysqld_t)
 
 fs_getattr_all_fs(mysqld_t)
 fs_search_auto_mountpoints(mysqld_t)
+fs_search_tmpfs(mysqld_t)
 fs_rw_hugetlbfs_files(mysqld_t)
 
 files_read_etc_runtime_files(mysqld_t)
@@ -132,6 +136,7 @@ auth_use_nsswitch(mysqld_t)
 
 logging_send_syslog_msg(mysqld_t)
 
+miscfiles_read_generic_certs(mysqld_t)
 miscfiles_read_localization(mysqld_t)
 
 userdom_search_user_home_dirs(mysqld_t)

diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te
index 76bdae5a..9aa0afaf 100644
--- a/policy/modules/services/openvpn.te
+++ b/policy/modules/services/openvpn.te
@@ -131,6 +131,8 @@ fs_search_auto_mountpoints(openvpn_t)
 
 auth_use_pam(openvpn_t)
 
+init_read_state(openvpn_t)
+
 miscfiles_read_localization(openvpn_t)
 miscfiles_read_all_certs(openvpn_t)
 
@@ -162,6 +164,10 @@ optional_policy(`
 	daemontools_service_domain(openvpn_t, openvpn_exec_t)
 ')
 
+optional_policy(`
+	dpkg_script_rw_inherited_pipes(openvpn_t)
+')
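Review bot: the new dpkg_script_rw_inherited_pipes block is inserted ahead of the dbus block, breaking the alphabetical ordering of optional_policy blocks this file otherwise keeps (daemontools, dbus, ...); move it below dbus.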
+
 optional_policy(`
 	dbus_system_bus_client(openvpn_t)
 	dbus_connect_system_bus(openvpn_t)
@@ -174,3 +180,7 @@ optional_policy(`
 optional_policy(`
 	systemd_use_passwd_agent(openvpn_t)
 ')
+
+optional_policy(`
+	unconfined_use_fds(openvpn_t)
+')
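Review bot: `unconfined_use_fds(openvpn_t)` usually papers over a denial that only occurs when the daemon is started by hand from an unconfined shell rather than by init; if that is the trigger here, a dontaudit on the inherited descriptors is the more conservative choice, and if the access is genuinely needed the commit message should say which caller leaks the descriptor.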

diff --git a/policy/modules/services/postgrey.te b/policy/modules/services/postgrey.te
index 169dab12..a96e9dd9 100644
--- a/policy/modules/services/postgrey.te
+++ b/policy/modules/services/postgrey.te
@@ -47,6 +47,7 @@ manage_fifo_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t)
 manage_sock_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t)
 
 manage_files_pattern(postgrey_t, postgrey_var_lib_t, postgrey_var_lib_t)
+allow postgrey_t postgrey_var_lib_t:file map;
 files_var_lib_filetrans(postgrey_t, postgrey_var_lib_t, file)
 
 manage_dirs_pattern(postgrey_t, postgrey_runtime_t, postgrey_runtime_t)

diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
index 9e95d8dc..844a8038 100644
--- a/policy/modules/services/rpc.te
+++ b/policy/modules/services/rpc.te
@@ -218,6 +218,7 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
 
 kernel_read_network_state(nfsd_t)
 kernel_dontaudit_getattr_core_if(nfsd_t)
+kernel_search_debugfs(nfsd_t)
 kernel_setsched(nfsd_t)
 kernel_request_load_module(nfsd_t)
 # kernel_mounton_proc(nfsd_t)

diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
index 2f0fefef..855d846d 100644
--- a/policy/modules/services/samba.te
+++ b/policy/modules/services/samba.te
@@ -201,11 +201,14 @@ files_tmp_file(winbind_tmp_t)
 
 allow samba_net_t self:capability { dac_override dac_read_search sys_chroot sys_nice };
 allow samba_net_t self:capability2 block_suspend;
-allow samba_net_t self:process { getsched setsched };
+allow samba_net_t self:process { sigkill getsched setsched };
 allow samba_net_t self:unix_stream_socket { accept listen };
+allow samba_net_t self:fifo_file rw_file_perms;
 
 allow samba_net_t samba_etc_t:file read_file_perms;
 
+allow samba_net_t samba_var_run_t:file { map read_file_perms };
+
 manage_files_pattern(samba_net_t, samba_etc_t, samba_secrets_t)
 filetrans_pattern(samba_net_t, samba_etc_t, samba_secrets_t, file)
 
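Review bot: two points in this hunk. `allow samba_net_t self:fifo_file rw_file_perms;` should use the fifo permission set `rw_fifo_file_perms`, as elsewhere in this patch (`allow fsdaemon_t self:fifo_file rw_fifo_file_perms;` in smartmon.te); `rw_file_perms` is the plain-file set. And `allow samba_net_t samba_var_run_t:file { map read_file_perms };` uses the old alias while the same file already names the type `samba_runtime_t` a few lines further down (`manage_dirs_pattern(smbd_t, samba_runtime_t, samba_runtime_t)`); a follow-up commit in this thread ('samba: Fix samba_runtime_t alias use.') corrects it, so better to use the current name here.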
@@ -215,6 +218,7 @@ files_tmp_filetrans(samba_net_t, samba_net_tmp_t, { file dir })
 
 manage_dirs_pattern(samba_net_t, samba_var_t, samba_var_t)
 manage_files_pattern(samba_net_t, samba_var_t, samba_var_t)
+allow samba_net_t samba_var_t:file map;
 manage_lnk_files_pattern(samba_net_t, samba_var_t, samba_var_t)
 files_var_filetrans(samba_net_t, samba_var_t, dir, "samba")
 
@@ -300,6 +304,7 @@ allow smbd_t samba_share_t:filesystem { getattr quotaget };
 
 manage_dirs_pattern(smbd_t, samba_var_t, samba_var_t)
 manage_files_pattern(smbd_t, samba_var_t, samba_var_t)
+allow smbd_t samba_var_t:file map;
 manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t)
 manage_sock_files_pattern(smbd_t, samba_var_t, samba_var_t)
 files_var_filetrans(smbd_t, samba_var_t, dir, "samba")
@@ -310,6 +315,7 @@ files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir })
 
 manage_dirs_pattern(smbd_t, samba_runtime_t, samba_runtime_t)
 manage_files_pattern(smbd_t, samba_runtime_t, samba_runtime_t)
+allow smbd_t samba_runtime_t:file map;
 manage_sock_files_pattern(smbd_t, samba_runtime_t, samba_runtime_t)
 files_runtime_filetrans(smbd_t, samba_runtime_t, { dir file })
 
@@ -317,6 +323,7 @@ allow smbd_t winbind_runtime_t:sock_file read_sock_file_perms;
 stream_connect_pattern(smbd_t, winbind_runtime_t, winbind_runtime_t, winbind_t)
 
 stream_connect_pattern(smbd_t, samba_runtime_t, samba_runtime_t, nmbd_t)
+allow smbd_t nmbd_t:unix_dgram_socket sendto;
 
 kernel_getattr_core_if(smbd_t)
 kernel_getattr_message_if(smbd_t)
@@ -479,6 +486,10 @@ optional_policy(`
 	cups_stream_connect(smbd_t)
 ')
 
+optional_policy(`
+	dbus_system_bus_client(smbd_t)
+')
+
 optional_policy(`
 	kerberos_read_keytab(smbd_t)
 	kerberos_use(smbd_t)
@@ -520,6 +531,7 @@ allow nmbd_t self:unix_stream_socket { accept connectto listen };
 
 manage_dirs_pattern(nmbd_t, samba_runtime_t, samba_runtime_t)
 manage_files_pattern(nmbd_t, samba_runtime_t, samba_runtime_t)
+allow nmbd_t samba_runtime_t:file map;
 manage_sock_files_pattern(nmbd_t, samba_runtime_t, samba_runtime_t)
 files_runtime_filetrans(nmbd_t, samba_runtime_t, { dir file sock_file })
 
@@ -532,7 +544,7 @@ create_files_pattern(nmbd_t, samba_log_t, samba_log_t)
 setattr_files_pattern(nmbd_t, samba_log_t, samba_log_t)
 
 manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
-manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
+allow nmbd_t samba_var_t:file map;
 manage_lnk_files_pattern(nmbd_t, samba_var_t, samba_var_t)
 manage_sock_files_pattern(nmbd_t, samba_var_t, samba_var_t)
 files_var_filetrans(nmbd_t, samba_var_t, dir, "nmbd")
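Review bot: the `-` line here was an exact duplicate of the `manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)` kept directly above it, so this hunk is a deduplication and a new map grant rolled into one; worth spelling out in the commit message so the added permission is not read as a pure cleanup.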
@@ -613,6 +625,8 @@ allow smbcontrol_t self:process { signal signull };
 
 allow smbcontrol_t { winbind_t nmbd_t smbd_t }:process { signal signull };
 read_files_pattern(smbcontrol_t, samba_runtime_t, samba_runtime_t)
+allow smbcontrol_t samba_runtime_t:dir rw_dir_perms;
+init_use_fds(smbcontrol_t)
 
 manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t)
 
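Review bot: `allow smbcontrol_t samba_runtime_t:dir rw_dir_perms;` is a raw rule granting add_name/remove_name/write on the runtime directory right after a `read_files_pattern` that only needed search; if smbcontrol has to create an entry there (its messaging socket, for instance), the matching `*_sock_files_pattern` or `manage_*_pattern` for that object class documents the intent better than a bare directory write. `init_use_fds(smbcontrol_t)` belongs with the other system-layer calls rather than inside the samba_runtime_t block (a later commit in this thread, 'devicekit, jabber, samba: Move lines.', moves it).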

diff --git a/policy/modules/services/smartmon.te b/policy/modules/services/smartmon.te
index fc3f9502..a6351969 100644
--- a/policy/modules/services/smartmon.te
+++ b/policy/modules/services/smartmon.te
@@ -38,7 +38,7 @@ ifdef(`enable_mls',`
 # Local policy
 #
 
-allow fsdaemon_t self:capability { dac_override kill setgid setpcap sys_admin sys_rawio };
+allow fsdaemon_t self:capability { dac_override kill setgid setuid setpcap sys_admin sys_rawio };
 dontaudit fsdaemon_t self:capability sys_tty_config;
 allow fsdaemon_t self:process { getcap setcap signal_perms };
 allow fsdaemon_t self:fifo_file rw_fifo_file_perms;
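Review bot: the hunk adds `setuid` (CAP_SETUID) to fsdaemon_t's capability set without saying what smartd does with it; since setuid is a privilege-changing capability, the commit message should name the operation (dropping privileges for a helper, for example), and if the capability is only probed at startup a `dontaudit` alongside the existing `dontaudit fsdaemon_t self:capability sys_tty_config;` would be the safer option.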

diff --git a/policy/modules/services/squid.te b/policy/modules/services/squid.te
index f7b3a5a3..f9890df1 100644
--- a/policy/modules/services/squid.te
+++ b/policy/modules/services/squid.te
@@ -71,6 +71,7 @@ allow squid_t self:msg { send receive };
 allow squid_t self:unix_dgram_socket sendto;
 allow squid_t self:unix_stream_socket { accept connectto listen };
 allow squid_t self:tcp_socket { accept listen };
+allow squid_t self:netlink_netfilter_socket create_socket_perms;
 
 manage_dirs_pattern(squid_t, squid_cache_t, squid_cache_t)
 manage_files_pattern(squid_t, squid_cache_t, squid_cache_t)
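Review bot: `netlink_netfilter_socket create_socket_perms` is typically what Squid's netfilter conntrack support (connection marks for intercepted traffic) opens; if that is the use case, consider gating the rule in a `tunable_policy` block so deployments that do not intercept traffic do not carry netfilter socket access, and record the triggering AVC in the commit message either way.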
@@ -91,6 +92,7 @@ manage_files_pattern(squid_t, squid_tmp_t, squid_tmp_t)
 files_tmp_filetrans(squid_t, squid_tmp_t, { file dir })
 
 manage_files_pattern(squid_t, squid_tmpfs_t, squid_tmpfs_t)
+allow squid_t squid_tmpfs_t:file map;
 fs_tmpfs_filetrans(squid_t, squid_tmpfs_t, file)
 
 manage_files_pattern(squid_t, squid_runtime_t, squid_runtime_t)

diff --git a/policy/modules/services/tor.te b/policy/modules/services/tor.te
index 445ab87f..0da1a599 100644
--- a/policy/modules/services/tor.te
+++ b/policy/modules/services/tor.te
@@ -74,6 +74,7 @@ files_runtime_filetrans(tor_t, tor_runtime_t, { dir file sock_file })
 kernel_read_kernel_sysctls(tor_t)
 kernel_read_net_sysctls(tor_t)
 kernel_read_system_state(tor_t)
+kernel_read_vm_overcommit_sysctl(tor_t)
 
 corenet_all_recvfrom_netlabel(tor_t)
 corenet_tcp_sendrecv_generic_if(tor_t)

diff --git a/policy/modules/services/watchdog.te b/policy/modules/services/watchdog.te
index e1e9d9a9..4a677a3f 100644
--- a/policy/modules/services/watchdog.te
+++ b/policy/modules/services/watchdog.te
@@ -76,6 +76,8 @@ auth_append_login_records(watchdog_t)
 
 logging_send_syslog_msg(watchdog_t)
 
+mcs_killall(watchdog_t)
+
 miscfiles_read_localization(watchdog_t)
 
 sysnet_dns_name_resolve(watchdog_t)
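Review bot: `mcs_killall(watchdog_t)` lifts the MCS category constraint on signalling other processes, which is a broad privilege, and the hunk gives no indication which watchdog repair action needs it; please note the triggering denial or the feature in the commit message so the grant stays auditable.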

diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index 0e76767f..8ba496cd 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -1643,6 +1643,7 @@ interface(`xserver_rw_mesa_shader_cache',`
 
 	rw_dirs_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t)
 	rw_files_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t)
+	allow $1 mesa_shader_cache_t:file map;
 	xdg_search_cache_dirs($1)
 ')
 
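Review bot: the raw `allow $1 mesa_shader_cache_t:file map;` added beside `rw_files_pattern` is the same pair-up that this tree is consolidating into the mmap_*_files_pattern helpers (see the mmap_manage_files_pattern commit later in this thread); if an mmap variant of rw_files_pattern is available, prefer it. The interface summary above this hunk should also mention that callers get mmap access, since that is a wider grant than read/write.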



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2021-02-01  2:10 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2021-02-01  2:10 UTC (permalink / raw
  To: gentoo-commits

commit:     3e5d54e1629c156c4076759ff10df78bd6067151
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Thu Jan 28 15:55:54 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb  1 01:21:42 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3e5d54e1

samba: Fix samba_runtime_t alias use.

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/samba.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
index 10960805..1d7683a2 100644
--- a/policy/modules/services/samba.te
+++ b/policy/modules/services/samba.te
@@ -207,7 +207,7 @@ allow samba_net_t self:fifo_file rw_file_perms;
 
 allow samba_net_t samba_etc_t:file read_file_perms;
 
-allow samba_net_t samba_var_run_t:file { map read_file_perms };
+allow samba_net_t samba_runtime_t:file { map read_file_perms };
 
 manage_files_pattern(samba_net_t, samba_etc_t, samba_secrets_t)
 filetrans_pattern(samba_net_t, samba_etc_t, samba_secrets_t, file)
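Review bot: with the alias replaced, `allow samba_net_t samba_runtime_t:file { map read_file_perms };` is equivalent to `mmap_read_files_pattern(samba_net_t, samba_runtime_t, samba_runtime_t)`, the form used for the apache helper rules in a sibling commit of this series; using it here keeps the samba_net_t rules consistent with the pattern calls of the other samba domains.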



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2021-02-01  2:10 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2021-02-01  2:10 UTC (permalink / raw
  To: gentoo-commits

commit:     fba048b31aa18b9f42c843863cd2e750854c86ce
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Thu Jan 28 15:55:09 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb  1 01:21:42 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=fba048b3

devicekit, jabber, samba: Move lines.

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/devicekit.te | 4 ++--
 policy/modules/services/jabber.te    | 3 +--
 policy/modules/services/samba.te     | 3 ++-
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
index b69c8113..25f93898 100644
--- a/policy/modules/services/devicekit.te
+++ b/policy/modules/services/devicekit.te
@@ -131,11 +131,11 @@ fs_mount_all_fs(devicekit_disk_t)
 fs_unmount_all_fs(devicekit_disk_t)
 fs_search_all(devicekit_disk_t)
 
-mount_rw_runtime_files(devicekit_disk_t)
-
 mls_file_read_all_levels(devicekit_disk_t)
 mls_file_write_to_clearance(devicekit_disk_t)
 
+mount_rw_runtime_files(devicekit_disk_t)
+
 storage_raw_read_fixed_disk(devicekit_disk_t)
 storage_raw_write_fixed_disk(devicekit_disk_t)
 storage_raw_read_removable_device(devicekit_disk_t)

diff --git a/policy/modules/services/jabber.te b/policy/modules/services/jabber.te
index 06273d09..30d53a8c 100644
--- a/policy/modules/services/jabber.te
+++ b/policy/modules/services/jabber.te
@@ -84,6 +84,7 @@ manage_files_pattern(jabberd_t, jabberd_log_t, jabberd_log_t)
 logging_log_filetrans(jabberd_t, jabberd_log_t, { file dir })
 
 manage_files_pattern(jabberd_domain, jabberd_spool_t, jabberd_spool_t)
+files_search_var_lib(jabberd_t)
 
 manage_files_pattern(jabberd_t, jabberd_runtime_t, jabberd_runtime_t)
 files_runtime_filetrans(jabberd_t, jabberd_runtime_t, file)
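Review bot: the moved `files_search_var_lib(jabberd_t)` now sits directly under a rule whose subject is the `jabberd_domain` attribute, which makes the mismatch visible: if the search is what lets the spool under /var/lib be reached, every domain in the attribute needs it, not only jabberd_t. If the placement is just alphabetical grouping, a blank line between the two rules would avoid reading them as related.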
@@ -110,8 +111,6 @@ files_read_etc_runtime_files(jabberd_t)
 # usr for lua modules
 files_read_usr_files(jabberd_t)
 
-files_search_var_lib(jabberd_t)
-
 fs_search_auto_mountpoints(jabberd_t)
 
 miscfiles_read_generic_tls_privkey(jabberd_t)

diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
index 40b6684c..10960805 100644
--- a/policy/modules/services/samba.te
+++ b/policy/modules/services/samba.te
@@ -621,7 +621,6 @@ allow smbcontrol_t self:process { signal signull };
 allow smbcontrol_t { winbind_t nmbd_t smbd_t }:process { signal signull };
 read_files_pattern(smbcontrol_t, samba_runtime_t, samba_runtime_t)
 allow smbcontrol_t samba_runtime_t:dir rw_dir_perms;
-init_use_fds(smbcontrol_t)
 
 manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t)
 
@@ -638,6 +637,8 @@ files_search_var_lib(smbcontrol_t)
 
 term_use_console(smbcontrol_t)
 
+init_use_fds(smbcontrol_t)
+
 miscfiles_read_localization(smbcontrol_t)
 
 sysnet_use_ldap(smbcontrol_t)



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2021-02-01  2:10 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2021-02-01  2:10 UTC (permalink / raw
  To: gentoo-commits

commit:     b39af892a3459615c9941f545574d9561db23ab2
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Thu Jan 28 16:27:54 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb  1 01:21:42 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b39af892

samba: Move service interface definitions.

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/samba.if | 152 +++++++++++++++++++--------------------
 1 file changed, 76 insertions(+), 76 deletions(-)

diff --git a/policy/modules/services/samba.if b/policy/modules/services/samba.if
index 5e01db23..6af30d0c 100644
--- a/policy/modules/services/samba.if
+++ b/policy/modules/services/samba.if
@@ -328,6 +328,82 @@ interface(`samba_read_share_files',`
 	read_files_pattern($1, samba_share_t, samba_share_t)
 ')
 
+########################################
+## <summary>
+##	start samba daemon
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`samba_start',`
+	gen_require(`
+		type samba_unit_t;
+	')
+
+	allow $1 samba_unit_t:file getattr;
+	allow $1 samba_unit_t:service start;
+')
+
+########################################
+## <summary>
+##	stop samba daemon
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`samba_stop',`
+	gen_require(`
+		type samba_unit_t;
+	')
+
+	allow $1 samba_unit_t:file getattr;
+	allow $1 samba_unit_t:service stop;
+')
+
+########################################
+## <summary>
+##	get status of samba daemon
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`samba_status',`
+	gen_require(`
+		type samba_unit_t;
+	')
+
+	allow $1 samba_unit_t:file getattr;
+	allow $1 samba_unit_t:service status;
+')
+
+########################################
+## <summary>
+##	reload samba daemon
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`samba_reload',`
+	gen_require(`
+		type samba_unit_t;
+	')
+
+	allow $1 samba_unit_t:file getattr;
+	allow $1 samba_unit_t:service reload;
+')
+
 ########################################
 ## <summary>
 ##	Search samba var directories.
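Review bot: the `gen_require` blocks in the four new interfaces only require `type samba_unit_t`, but each `allow` uses the `service` class, which is a userspace class and must be declared in the require (`class service start;` and so on) for the interface to be usable from a module that does not otherwise reference it; a later commit in this thread ('samba: Add missing userspace class requirements in unit interfaces.') adds exactly these lines, so ideally they would travel with this move.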
@@ -729,79 +805,3 @@ interface(`samba_admin',`
 	files_list_tmp($1)
 	admin_pattern($1, { swat_tmp_t smbd_tmp_t winbind_tmp_t })
 ')
-
-########################################
-## <summary>
-##	start samba daemon
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`samba_start',`
-	gen_require(`
-		type samba_unit_t;
-	')
-
-	allow $1 samba_unit_t:file getattr;
-	allow $1 samba_unit_t:service start;
-')
-
-########################################
-## <summary>
-##	stop samba daemon
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`samba_stop',`
-	gen_require(`
-		type samba_unit_t;
-	')
-
-	allow $1 samba_unit_t:file getattr;
-	allow $1 samba_unit_t:service stop;
-')
-
-########################################
-## <summary>
-##	get status of samba daemon
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`samba_status',`
-	gen_require(`
-		type samba_unit_t;
-	')
-
-	allow $1 samba_unit_t:file getattr;
-	allow $1 samba_unit_t:service status;
-')
-
-########################################
-## <summary>
-##	reload samba daemon
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`samba_reload',`
-	gen_require(`
-		type samba_unit_t;
-	')
-
-	allow $1 samba_unit_t:file getattr;
-	allow $1 samba_unit_t:service reload;
-')



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2021-02-01  2:10 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2021-02-01  2:10 UTC (permalink / raw
  To: gentoo-commits

commit:     0305b1b1d184ffac8b11e372ea4f8f8d78e3630d
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Thu Jan 28 15:55:35 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb  1 01:21:42 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0305b1b1

cron: Make backup call for system_cronjob_t optional.

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/cron.te | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
index 72e1d8c4..c4342f05 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -309,8 +309,6 @@ init_start_all_units(system_cronjob_t)
 init_get_generic_units_status(system_cronjob_t)
 init_get_system_status(system_cronjob_t)
 
-backup_manage_store_files(system_cronjob_t)
-
 auth_manage_var_auth(crond_t)
 auth_use_pam(crond_t)
 
@@ -396,6 +394,10 @@ optional_policy(`
 	amavis_search_lib(crond_t)
 ')
 
+optional_policy(`
+	backup_manage_store_files(system_cronjob_t)
+')
+
 optional_policy(`
 	djbdns_search_tinydns_keys(crond_t)
 	djbdns_link_tinydns_keys(crond_t)
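Review bot: the new `optional_policy` block grants to `system_cronjob_t`, but it is placed between `amavis_search_lib(crond_t)` and `djbdns_search_tinydns_keys(crond_t)`, i.e. in the crond_t optional section; if cron.te keeps a separate optional_policy section for system_cronjob_t, the block belongs there so readers looking for the cron job domain's rules find it.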



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2021-02-01  2:10 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2021-02-01  2:10 UTC (permalink / raw
  To: gentoo-commits

commit:     44c7994f453c43349074368972d58e465e1f5d27
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Thu Jan 28 15:53:04 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb  1 01:21:42 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=44c7994f

apache, mysql, postgrey, samba, squid: Apply new mmap_manage_files_pattern().

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/apache.if   |  6 ++----
 policy/modules/services/apache.te   | 15 +++++----------
 policy/modules/services/mysql.te    |  6 ++----
 policy/modules/services/postgrey.te |  3 +--
 policy/modules/services/samba.te    | 15 +++++----------
 policy/modules/services/squid.te    |  3 +--
 6 files changed, 16 insertions(+), 32 deletions(-)

diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
index 44767359..1695af75 100644
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@@ -70,8 +70,7 @@ template(`apache_content_template',`
 	allow httpd_$1_script_t { httpd_$1_content_t httpd_$1_script_exec_t }:lnk_file read_lnk_file_perms;
 
 	manage_dirs_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
-	manage_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
-	allow httpd_$1_script_t httpd_$1_rw_content_t:file map;
+	mmap_manage_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
 	manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
 	manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
 	manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
@@ -1025,8 +1024,7 @@ interface(`apache_manage_sys_rw_content',`
 
 	apache_search_sys_content($1)
 	manage_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
-	manage_files_pattern($1,httpd_sys_rw_content_t, httpd_sys_rw_content_t)
-	allow $1 httpd_sys_rw_content_t:file map;
+	mmap_manage_files_pattern($1,httpd_sys_rw_content_t, httpd_sys_rw_content_t)
 	manage_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
 ')
 
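Review bot: `mmap_manage_files_pattern($1,httpd_sys_rw_content_t, httpd_sys_rw_content_t)` carries over the missing space after the first comma from the line it replaces; since the line is being rewritten anyway, fix the spacing to match the `manage_dirs_pattern($1, ...)` call above it.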

diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
index da43a1d8..35fafe56 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -378,10 +378,9 @@ allow httpd_t self:unix_stream_socket { accept connectto listen };
 allow httpd_t self:tcp_socket { accept listen };
 
 manage_dirs_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
-manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
+mmap_manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
 manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
 files_var_filetrans(httpd_t, httpd_cache_t, dir)
-allow httpd_t httpd_cache_t:file map;
 
 allow httpd_t httpd_config_t:dir list_dir_perms;
 read_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
@@ -415,9 +414,8 @@ read_lnk_files_pattern(httpd_t, httpd_modules_t, httpd_modules_t)
 allow httpd_t httpd_rotatelogs_t:process signal_perms;
 
 manage_dirs_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
-manage_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
+mmap_manage_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
 manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
-allow httpd_t httpd_squirrelmail_t:file map;
 
 allow httpd_t httpd_suexec_exec_t:file read_file_perms;
 
@@ -441,8 +439,7 @@ manage_sock_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
 fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_t, { dir file lnk_file sock_file fifo_file })
 
 manage_dirs_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
-manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
-allow httpd_t httpd_var_lib_t:file map;
+mmap_manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
 manage_lnk_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
 files_var_lib_filetrans(httpd_t, httpd_var_lib_t, { dir file })
 
@@ -622,8 +619,7 @@ tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
 	domtrans_pattern(httpd_t, httpdcontent, httpd_sys_script_t)
 
 	manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
-	manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
-	allow httpd_t httpdcontent:file map;
+	mmap_manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
 	manage_fifo_files_pattern(httpd_t, httpdcontent, httpdcontent)
 	manage_lnk_files_pattern(httpd_t, httpdcontent, httpdcontent)
 	manage_sock_files_pattern(httpd_t, httpdcontent, httpdcontent)
@@ -908,8 +904,7 @@ optional_policy(`
 # Helper local policy
 #
 
-read_files_pattern(httpd_helper_t, httpd_config_t, httpd_config_t)
-allow httpd_t httpd_config_t:file map;
+mmap_read_files_pattern(httpd_helper_t, httpd_config_t, httpd_config_t)
 
 append_files_pattern(httpd_helper_t, httpd_log_t, httpd_log_t)
 read_lnk_files_pattern(httpd_helper_t, httpd_log_t, httpd_log_t)
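Review bot: this hunk is not a pure rewrite: the removed `allow httpd_t httpd_config_t:file map;` granted map to httpd_t, while the new `mmap_read_files_pattern(httpd_helper_t, httpd_config_t, httpd_config_t)` grants it to httpd_helper_t, so httpd_t loses the permission and httpd_helper_t gains it. The old line sitting in the helper section suggests the original subject was a typo, but that should be stated in the commit message, and it is worth confirming that httpd_t does not map its config files (it keeps only `read_files_pattern(httpd_t, httpd_config_t, httpd_config_t)` earlier in the file).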

diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te
index 5a264e2f..84a49b16 100644
--- a/policy/modules/services/mysql.te
+++ b/policy/modules/services/mysql.te
@@ -74,8 +74,7 @@ allow mysqld_t self:unix_stream_socket { connectto accept listen };
 allow mysqld_t self:tcp_socket { accept listen };
 
 manage_dirs_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
-manage_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
-allow mysqld_t mysqld_db_t:file map;
+mmap_manage_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
 manage_lnk_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
 files_var_lib_filetrans(mysqld_t, mysqld_db_t, { dir file lnk_file })
 
@@ -91,8 +90,7 @@ manage_lnk_files_pattern(mysqld_t, mysqld_log_t, mysqld_log_t)
 logging_log_filetrans(mysqld_t, mysqld_log_t, { dir file })
 
 manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
-manage_files_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
-allow mysqld_t mysqld_tmp_t:file map;
+mmap_manage_files_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
 files_tmp_filetrans(mysqld_t, mysqld_tmp_t, { file dir })
 
 manage_dirs_pattern(mysqld_t, mysqld_runtime_t, mysqld_runtime_t)

diff --git a/policy/modules/services/postgrey.te b/policy/modules/services/postgrey.te
index a96e9dd9..da47d1e0 100644
--- a/policy/modules/services/postgrey.te
+++ b/policy/modules/services/postgrey.te
@@ -46,8 +46,7 @@ manage_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t)
 manage_fifo_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t)
 manage_sock_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t)
 
-manage_files_pattern(postgrey_t, postgrey_var_lib_t, postgrey_var_lib_t)
-allow postgrey_t postgrey_var_lib_t:file map;
+mmap_manage_files_pattern(postgrey_t, postgrey_var_lib_t, postgrey_var_lib_t)
 files_var_lib_filetrans(postgrey_t, postgrey_var_lib_t, file)
 
 manage_dirs_pattern(postgrey_t, postgrey_runtime_t, postgrey_runtime_t)

diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
index 855d846d..40b6684c 100644
--- a/policy/modules/services/samba.te
+++ b/policy/modules/services/samba.te
@@ -217,8 +217,7 @@ manage_files_pattern(samba_net_t, samba_net_tmp_t, samba_net_tmp_t)
 files_tmp_filetrans(samba_net_t, samba_net_tmp_t, { file dir })
 
 manage_dirs_pattern(samba_net_t, samba_var_t, samba_var_t)
-manage_files_pattern(samba_net_t, samba_var_t, samba_var_t)
-allow samba_net_t samba_var_t:file map;
+mmap_manage_files_pattern(samba_net_t, samba_var_t, samba_var_t)
 manage_lnk_files_pattern(samba_net_t, samba_var_t, samba_var_t)
 files_var_filetrans(samba_net_t, samba_var_t, dir, "samba")
 
@@ -303,8 +302,7 @@ manage_lnk_files_pattern(smbd_t, samba_share_t, samba_share_t)
 allow smbd_t samba_share_t:filesystem { getattr quotaget };
 
 manage_dirs_pattern(smbd_t, samba_var_t, samba_var_t)
-manage_files_pattern(smbd_t, samba_var_t, samba_var_t)
-allow smbd_t samba_var_t:file map;
+mmap_manage_files_pattern(smbd_t, samba_var_t, samba_var_t)
 manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t)
 manage_sock_files_pattern(smbd_t, samba_var_t, samba_var_t)
 files_var_filetrans(smbd_t, samba_var_t, dir, "samba")
@@ -314,8 +312,7 @@ manage_files_pattern(smbd_t, smbd_tmp_t, smbd_tmp_t)
 files_tmp_filetrans(smbd_t, smbd_tmp_t, { file dir })
 
 manage_dirs_pattern(smbd_t, samba_runtime_t, samba_runtime_t)
-manage_files_pattern(smbd_t, samba_runtime_t, samba_runtime_t)
-allow smbd_t samba_runtime_t:file map;
+mmap_manage_files_pattern(smbd_t, samba_runtime_t, samba_runtime_t)
 manage_sock_files_pattern(smbd_t, samba_runtime_t, samba_runtime_t)
 files_runtime_filetrans(smbd_t, samba_runtime_t, { dir file })
 
@@ -530,8 +527,7 @@ allow nmbd_t self:unix_dgram_socket sendto;
 allow nmbd_t self:unix_stream_socket { accept connectto listen };
 
 manage_dirs_pattern(nmbd_t, samba_runtime_t, samba_runtime_t)
-manage_files_pattern(nmbd_t, samba_runtime_t, samba_runtime_t)
-allow nmbd_t samba_runtime_t:file map;
+mmap_manage_files_pattern(nmbd_t, samba_runtime_t, samba_runtime_t)
 manage_sock_files_pattern(nmbd_t, samba_runtime_t, samba_runtime_t)
 files_runtime_filetrans(nmbd_t, samba_runtime_t, { dir file sock_file })
 
@@ -543,8 +539,7 @@ append_files_pattern(nmbd_t, samba_log_t, samba_log_t)
 create_files_pattern(nmbd_t, samba_log_t, samba_log_t)
 setattr_files_pattern(nmbd_t, samba_log_t, samba_log_t)
 
-manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
-allow nmbd_t samba_var_t:file map;
+mmap_manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
 manage_lnk_files_pattern(nmbd_t, samba_var_t, samba_var_t)
 manage_sock_files_pattern(nmbd_t, samba_var_t, samba_var_t)
 files_var_filetrans(nmbd_t, samba_var_t, dir, "nmbd")

diff --git a/policy/modules/services/squid.te b/policy/modules/services/squid.te
index f9890df1..263574f5 100644
--- a/policy/modules/services/squid.te
+++ b/policy/modules/services/squid.te
@@ -91,8 +91,7 @@ manage_dirs_pattern(squid_t, squid_tmp_t, squid_tmp_t)
 manage_files_pattern(squid_t, squid_tmp_t, squid_tmp_t)
 files_tmp_filetrans(squid_t, squid_tmp_t, { file dir })
 
-manage_files_pattern(squid_t, squid_tmpfs_t, squid_tmpfs_t)
-allow squid_t squid_tmpfs_t:file map;
+mmap_manage_files_pattern(squid_t, squid_tmpfs_t, squid_tmpfs_t)
 fs_tmpfs_filetrans(squid_t, squid_tmpfs_t, file)
 
 manage_files_pattern(squid_t, squid_runtime_t, squid_runtime_t)



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2021-02-01  2:10 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2021-02-01  2:10 UTC (permalink / raw
  To: gentoo-commits

commit:     f5c9fba7feac9bd937bf9de3783b2717fd145f50
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Thu Jan 28 16:39:34 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb  1 01:21:42 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f5c9fba7

samba: Add missing userspace class requirements in unit interfaces.

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/samba.if | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/services/samba.if b/policy/modules/services/samba.if
index 6af30d0c..92eab06d 100644
--- a/policy/modules/services/samba.if
+++ b/policy/modules/services/samba.if
@@ -341,6 +341,7 @@ interface(`samba_read_share_files',`
 interface(`samba_start',`
 	gen_require(`
 		type samba_unit_t;
+		class service start;
 	')
 
 	allow $1 samba_unit_t:file getattr;
@@ -360,6 +361,7 @@ interface(`samba_start',`
 interface(`samba_stop',`
 	gen_require(`
 		type samba_unit_t;
+		class service stop;
 	')
 
 	allow $1 samba_unit_t:file getattr;
@@ -379,6 +381,7 @@ interface(`samba_stop',`
 interface(`samba_status',`
 	gen_require(`
 		type samba_unit_t;
+		class service status;
 	')
 
 	allow $1 samba_unit_t:file getattr;
@@ -398,6 +401,7 @@ interface(`samba_status',`
 interface(`samba_reload',`
 	gen_require(`
 		type samba_unit_t;
+		class service reload;
 	')
 
 	allow $1 samba_unit_t:file getattr;



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2021-02-01  2:10 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2021-02-01  2:10 UTC (permalink / raw
  To: gentoo-commits

commit:     5029446ced5d230d805287ac8096db80bcc0217d
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Thu Jan 28 19:29:26 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb  1 01:21:42 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5029446c

apache: Fix lint error.

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/apache.fc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc
index 6c4ddba7..34d62881 100644
--- a/policy/modules/services/apache.fc
+++ b/policy/modules/services/apache.fc
@@ -182,7 +182,7 @@ ifndef(`distro_gentoo',`
 /var/log/roundcubemail(/.*)?					gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/suphp\.log.*					--	gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/z-push(/.*)?						gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/log/php7..-fpm.log					--	gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/php[^/]+-fpm.log				--	gen_context(system_u:object_r:httpd_log_t,s0)
 
 /run/apache.*							gen_context(system_u:object_r:httpd_runtime_t,s0)
 /run/cherokee\.pid					--	gen_context(system_u:object_r:httpd_runtime_t,s0)
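Review bot: the `.` before `log` is still an unescaped regex metacharacter, so `/var/log/php[^/]+-fpm.log` also matches names such as `php-fpmXlog`; it should read `-fpm\.log`, as the neighbouring entries (`suphp\.log`, `cherokee\.pid`) already do, and the later "apache: Really fix lint error." commit in this thread makes exactly that change. The rest of the fix is an improvement: `[^/]+` covers `php7.4-fpm.log`, `php8-fpm.log` and plain `php-fpm.log`, whereas `php7..` matched exactly two arbitrary characters after `php7`.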



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2021-02-01  2:10 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2021-02-01  2:10 UTC (permalink / raw
  To: gentoo-commits

commit:     9531f15d3e4ddcd2dd55283bc3a303dbb3c547e1
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Thu Jan 28 19:57:19 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb  1 01:21:42 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9531f15d

samba: Fix lint error.

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/samba.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
index 9f8ef0f1..9c21f473 100644
--- a/policy/modules/services/samba.te
+++ b/policy/modules/services/samba.te
@@ -203,7 +203,7 @@ allow samba_net_t self:capability { dac_override dac_read_search sys_chroot sys_
 allow samba_net_t self:capability2 block_suspend;
 allow samba_net_t self:process { sigkill getsched setsched };
 allow samba_net_t self:unix_stream_socket { accept listen };
-allow samba_net_t self:fifo_file rw_file_perms;
+allow samba_net_t self:fifo_file rw_inherited_fifo_file_perms;
 
 allow samba_net_t samba_etc_t:file read_file_perms;
 
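Review bot: this is more than a macro-name correction. In refpolicy `rw_fifo_file_perms` is `{ open rw_inherited_fifo_file_perms }` and `rw_inherited_fifo_file_perms` is `{ getattr read write append ioctl lock }`, while the old `rw_file_perms` expanded to the same set as `rw_fifo_file_perms`, so the replacement drops `open`: samba_net_t may now only use pipes it already holds (inherited across fork or exec) and can no longer open a FIFO of its own type. That is the tighter and usually correct choice for self:fifo_file, but it is a behaviour change and deserves a sentence in the commit message in case an `{ open }` denial on fifo_file appears later.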



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2021-02-01  2:10 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2021-02-01  2:10 UTC (permalink / raw
  To: gentoo-commits

commit:     85682039cf3239aa4e8ba7c4300d6fdab463155f
Author:     Dave Sugar <dsugar <AT> tresys <DOT> com>
AuthorDate: Wed Jan 27 18:29:36 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb  1 01:21:42 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=85682039

pcs_snmp_agent_t fix denials to allow it to read needed queues

Jan 27 18:16:51 audispd: node=virtual type=AVC msg=audit(1611771411.553:9337): avc:  denied  { search } for  pid=13880 comm="cibadmin" name="qb-6671-13880-13-bRhDEX" dev="tmpfs" ino=88809 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:pacemaker_tmpfs_t:s0 tclass=dir permissive=0
Jan 27 19:53:46 audispd: node=virtual type=AVC msg=audit(1611777226.144:25975): avc:  denied  { getattr } for  pid=29489 comm="systemctl" name="/" dev="tmpfs" ino=14072 scontext=system_u:system_r:pcs_snmp_agent_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0

Signed-off-by: Dave Sugar <dsugar <AT> tresys.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/pacemaker.te | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/policy/modules/services/pacemaker.te b/policy/modules/services/pacemaker.te
index fc934bc7..d69b5d9c 100644
--- a/policy/modules/services/pacemaker.te
+++ b/policy/modules/services/pacemaker.te
@@ -160,12 +160,13 @@ logging_log_filetrans(pcs_snmp_agent_t, pcs_snmp_agent_log_t, file)
 
 read_files_pattern(pcs_snmp_agent_t, pacemaker_t, pacemaker_t)
 stream_connect_pattern(pcs_snmp_agent_t, pacemaker_t, pacemaker_t, pacemaker_t)
-allow pcs_snmp_agent_t pacemaker_tmpfs_t:file mmap_rw_file_perms;
+mmap_rw_files_pattern(pcs_snmp_agent_t, pacemaker_tmpfs_t, pacemaker_tmpfs_t)
 
 corecmd_exec_bin(pcs_snmp_agent_t)
 
 files_read_usr_files(pcs_snmp_agent_t)
 
+fs_getattr_tmpfs(pcs_snmp_agent_t)
 fs_list_cgroup_dirs(pcs_snmp_agent_t)
 fs_read_cgroup_files(pcs_snmp_agent_t)
 
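Review bot: the two new rules map onto the two AVCs in the message, and a comment tying them together would help the next reader. `mmap_rw_files_pattern(pcs_snmp_agent_t, pacemaker_tmpfs_t, pacemaker_tmpfs_t)` adds `search` on pacemaker_tmpfs_t directories (the `qb-…` directory cibadmin was denied on) to the mmap/rw file access the replaced `allow` line already granted; note it grants only search_dir_perms, so if cibadmin also has to enumerate that directory a `read` denial on `dir` will follow. `fs_getattr_tmpfs` covers the second AVC, which is `getattr` with `tclass=filesystem`, i.e. a statfs, not a file access, and comes from `comm="systemctl"` running in pcs_snmp_agent_t; worth confirming that systemctl is meant to run in this domain rather than transition out of it.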



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2021-02-01  2:10 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2021-02-01  2:10 UTC (permalink / raw
  To: gentoo-commits

commit:     a7b3815e4094fbd2026df9993962d57b41493e90
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Thu Jan 28 20:28:06 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb  1 01:21:42 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a7b3815e

pacemaker: Module version bump.

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/pacemaker.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/services/pacemaker.te b/policy/modules/services/pacemaker.te
index d69b5d9c..eee432f3 100644
--- a/policy/modules/services/pacemaker.te
+++ b/policy/modules/services/pacemaker.te
@@ -1,4 +1,4 @@
-policy_module(pacemaker, 1.6.2)
+policy_module(pacemaker, 1.6.3)
 
 ########################################
 #



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2021-02-01  2:10 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2021-02-01  2:10 UTC (permalink / raw
  To: gentoo-commits

commit:     2ff03b51ae8c9acfe0d0d25105637550ce7d0ff5
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Thu Jan 28 19:26:31 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb  1 01:21:42 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2ff03b51

apache, fail2ban, stunnel: Module version bump.

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/apache.te   | 2 +-
 policy/modules/services/fail2ban.te | 2 +-
 policy/modules/services/stunnel.te  | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
index 229848c0..b1906d17 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -1,4 +1,4 @@
-policy_module(apache, 2.19.3)
+policy_module(apache, 2.19.4)
 
 ########################################
 #

diff --git a/policy/modules/services/fail2ban.te b/policy/modules/services/fail2ban.te
index 640905d4..41b9239f 100644
--- a/policy/modules/services/fail2ban.te
+++ b/policy/modules/services/fail2ban.te
@@ -1,4 +1,4 @@
-policy_module(fail2ban, 1.9.2)
+policy_module(fail2ban, 1.9.3)
 
 ########################################
 #

diff --git a/policy/modules/services/stunnel.te b/policy/modules/services/stunnel.te
index 3109b460..ecfe78a8 100644
--- a/policy/modules/services/stunnel.te
+++ b/policy/modules/services/stunnel.te
@@ -1,4 +1,4 @@
-policy_module(stunnel, 1.15.1)
+policy_module(stunnel, 1.15.2)
 
 ########################################
 #



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2021-02-01  2:10 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2021-02-01  2:10 UTC (permalink / raw
  To: gentoo-commits

commit:     bf4b1f16a4f6a0b415d77ea028996cdadefde3e2
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Thu Jan 28 19:57:08 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb  1 01:21:42 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=bf4b1f16

aptcacher: Drop broken config interfaces.

The aptcacher_etc_t type does not exist in the policy.  The block in cron
will never be enabled because of this, so drop that too.

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/aptcacher.if | 40 ------------------------------------
 policy/modules/services/cron.te      |  5 -----
 2 files changed, 45 deletions(-)

diff --git a/policy/modules/services/aptcacher.if b/policy/modules/services/aptcacher.if
index 8c99a699..12c1335a 100644
--- a/policy/modules/services/aptcacher.if
+++ b/policy/modules/services/aptcacher.if
@@ -63,43 +63,3 @@ interface(`aptcacher_stream_connect',`
 	files_search_runtime($1)
 	stream_connect_pattern($1, aptcacher_runtime_t, aptcacher_runtime_t, aptcacher_t)
 ')
-
-######################################
-## <summary>
-##     read aptcacher config
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed to read it.
-##     </summary>
-## </param>
-#
-interface(`aptcacher_read_config',`
-	gen_require(`
-		type aptcacher_etc_t;
-	')
-
-	files_search_etc($1)
-	allow $1 aptcacher_etc_t:dir list_dir_perms;
-	allow $1 aptcacher_etc_t:file read_file_perms;
-')
-
-######################################
-## <summary>
-##     mmap and read aptcacher config
-## </summary>
-## <param name="domain">
-##     <summary>
-##     Domain allowed to read it.
-##     </summary>
-## </param>
-#
-interface(`aptcacher_mmap_read_config',`
-	gen_require(`
-		type aptcacher_etc_t;
-	')
-
-	files_search_etc($1)
-	allow $1 aptcacher_etc_t:dir list_dir_perms;
-	allow $1 aptcacher_etc_t:file mmap_read_file_perms;
-')
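Review bot: dropping the interfaces is reasonable given the type never existed, but the alternative of making them work (declaring `aptcacher_etc_t` with `files_config_file()` plus a file context for apt-cacher-ng's configuration directory) should be mentioned as considered and rejected, since the cron block removed below shows there was a caller that wanted this access. Also confirm nothing else in the tree still calls `aptcacher_read_config` or `aptcacher_mmap_read_config` (`git grep aptcacher_.*_config`), or the build now fails on an undefined interface instead of an undefined type.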

diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
index 23e990ad..712a84dd 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -344,11 +344,6 @@ ifdef(`distro_debian',`
 		dpkg_manage_db(system_cronjob_t)
 	')
 
-	optional_policy(`
-		aptcacher_mmap_read_config(system_cronjob_t)
-		corenet_tcp_connect_aptcacher_port(system_cronjob_t)
-	')
-
 	optional_policy(`
 		logwatch_search_cache_dir(crond_t)
 	')
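Review bot: the removed block also carried `corenet_tcp_connect_aptcacher_port(system_cronjob_t)`, which did not depend on the missing type. Because the whole `optional_policy` never enabled, that rule never took effect either, so removing it is a no-op today; but if a Debian cron job does need to reach the apt-cacher port, that single line could stay in its own `optional_policy` instead of disappearing together with the broken interface.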



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2021-02-01  2:10 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2021-02-01  2:10 UTC (permalink / raw
  To: gentoo-commits

commit:     220dd4819409d7c664b52140d67952c4627eb46e
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Thu Jan 28 19:34:02 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb  1 01:21:42 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=220dd481

apache: Really fix lint error.

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/apache.fc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc
index 34d62881..433f2895 100644
--- a/policy/modules/services/apache.fc
+++ b/policy/modules/services/apache.fc
@@ -182,7 +182,7 @@ ifndef(`distro_gentoo',`
 /var/log/roundcubemail(/.*)?					gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/suphp\.log.*					--	gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/z-push(/.*)?						gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/log/php[^/]+-fpm.log				--	gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/php[^/]+-fpm\.log				--	gen_context(system_u:object_r:httpd_log_t,s0)
 
 /run/apache.*							gen_context(system_u:object_r:httpd_runtime_t,s0)
 /run/cherokee\.pid					--	gen_context(system_u:object_r:httpd_runtime_t,s0)



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2021-02-07  3:20 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2021-02-07  3:20 UTC (permalink / raw
  To: gentoo-commits

commit:     0b6c2d466e55f5f6e14ef67b2ecd9303a6b507a5
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Fri Jan 29 16:22:30 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb  6 20:54:11 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0b6c2d46

certbot: add support for acme.sh

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/certbot.fc |  2 ++
 policy/modules/services/certbot.te | 13 +++++++++++++
 2 files changed, 15 insertions(+)

diff --git a/policy/modules/services/certbot.fc b/policy/modules/services/certbot.fc
index 508f9862..d1bc3f64 100644
--- a/policy/modules/services/certbot.fc
+++ b/policy/modules/services/certbot.fc
@@ -1,4 +1,6 @@
 /usr/bin/certbot	--	gen_context(system_u:object_r:certbot_exec_t,s0)
 /usr/bin/letsencrypt	--	gen_context(system_u:object_r:certbot_exec_t,s0)
+/usr/share/acme\.sh/acme\.sh	--	gen_context(system_u:object_r:certbot_exec_t,s0)
 /var/lib/letsencrypt(/.*)?	gen_context(system_u:object_r:certbot_lib_t,s0)
 /var/log/letsencrypt(/.*)?	gen_context(system_u:object_r:certbot_log_t,s0)
+/var/lib/acme\.sh(/.*)?		gen_context(system_u:object_r:certbot_lib_t,s0)
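Review bot: style first: `/var/lib/acme\.sh(/.*)?` is appended after the `/var/log/letsencrypt` entry, which breaks the path ordering of the file; it belongs directly after `/var/lib/letsencrypt(/.*)?`. On substance, labelling the acme.sh script itself certbot_exec_t means every run enters certbot_t, while the extra rules acme.sh needs (added to certbot.te in this same commit) sit behind a tunable that defaults to false, so the label alone yields a non-working acme.sh on a default system; the commit message should say the tunable must be enabled.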

diff --git a/policy/modules/services/certbot.te b/policy/modules/services/certbot.te
index 5f3b155f..62a59478 100644
--- a/policy/modules/services/certbot.te
+++ b/policy/modules/services/certbot.te
@@ -1,5 +1,13 @@
 policy_module(certbot, 1.0.0)
 
+## <desc>
+##	<p>
+##	Determine whether additional rules
+##	should be enabled to support acme.sh
+##	</p>
+## </desc>
+gen_tunable(certbot_acmesh, false)
+
 ########################################
 #
 # Declarations
@@ -93,6 +101,11 @@ sysnet_read_config(certbot_t)
 userdom_dontaudit_search_user_home_dirs(certbot_t)
 userdom_use_user_ptys(certbot_t)
 
+tunable_policy(`certbot_acmesh',`
+	corecmd_exec_bin(certbot_t)
+	corecmd_exec_shell(certbot_t)
+')
+
 optional_policy(`
 	# for writing to webroot
 	apache_manage_sys_content(certbot_t)
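Review bot: `corecmd_exec_bin` and `corecmd_exec_shell` are broad grants (run anything labelled bin_t, run a shell) for a domain that otherwise only performs ACME operations and writes to the webroot. Since acme.sh is a shell script that calls out to external tools this is hard to avoid, but the `<desc>` above should say why the rules exist, and a comment naming the specific tools acme.sh relies on would let the grant be narrowed later. With the tunable at its default of `false`, enabling it requires `setsebool -P certbot_acmesh on`; that step is worth a sentence in the commit message.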



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2021-02-07  3:20 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2021-02-07  3:20 UTC (permalink / raw
  To: gentoo-commits

commit:     a57a062f937ba25ea6d7035f932d3917f8c19bdb
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Mon Feb  1 20:56:31 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb  6 20:54:11 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a57a062f

certbot: Module version bump.

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/certbot.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/services/certbot.te b/policy/modules/services/certbot.te
index 62a59478..7d8cf2d9 100644
--- a/policy/modules/services/certbot.te
+++ b/policy/modules/services/certbot.te
@@ -1,4 +1,4 @@
-policy_module(certbot, 1.0.0)
+policy_module(certbot, 1.0.1)
 
 ## <desc>
 ##	<p>



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2021-02-07  3:21 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2021-02-07  3:21 UTC (permalink / raw
  To: gentoo-commits

commit:     b3afcd57276f8844ab25af288948cca8c543abfa
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Tue Feb  2 16:34:44 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb  6 21:15:10 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b3afcd57

dovecot, postfix: add missing accesses

postfix_pipe_t requires reading dovecot configuration and connecting to
dovecot stream sockets if configured to use dovecot for local mail
delivery.

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/dovecot.if | 22 ++++++++++++++++++++++
 policy/modules/services/postfix.te |  2 ++
 2 files changed, 24 insertions(+)

diff --git a/policy/modules/services/dovecot.if b/policy/modules/services/dovecot.if
index 1aa28f47..ec66a893 100644
--- a/policy/modules/services/dovecot.if
+++ b/policy/modules/services/dovecot.if
@@ -61,6 +61,28 @@ interface(`dovecot_domtrans_deliver',`
 	domtrans_pattern($1, dovecot_deliver_exec_t, dovecot_deliver_t)
 ')
 
+########################################
+## <summary>
+##	Read dovecot configuration content.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`dovecot_read_config',`
+	gen_require(`
+		type dovecot_etc_t;
+	')
+
+	files_search_etc($1)
+	allow $1 dovecot_etc_t:dir list_dir_perms;
+	allow $1 dovecot_etc_t:file read_file_perms;
+	allow $1 dovecot_etc_t:lnk_file read_lnk_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Create, read, write, and delete

diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
index 5e25fa75..05c0b4a5 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@@ -596,6 +596,8 @@ corecmd_exec_bin(postfix_pipe_t)
 
 optional_policy(`
 	dovecot_domtrans_deliver(postfix_pipe_t)
+	dovecot_read_config(postfix_pipe_t)
+	dovecot_stream_connect(postfix_pipe_t)
 ')
 
 optional_policy(`
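Review bot: the reasoning behind these two rules deserves a check before merging. `dovecot_domtrans_deliver(postfix_pipe_t)` on the line above already moves delivery into dovecot_deliver_t, which is where reading dovecot's configuration and connecting to its sockets would normally be permitted. If the denials that motivated `dovecot_read_config` and `dovecot_stream_connect` were logged with scontext postfix_pipe_t, confirm that the delivery binary postfix's pipe(8) runs actually carries dovecot_deliver_exec_t on the reporting system; otherwise the transition is not firing and these rules widen postfix_pipe_t to paper over a labelling problem. If the pipe command legitimately reads the config itself before handing off, say so in the commit message.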



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2021-02-07  3:21 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2021-02-07  3:21 UTC (permalink / raw
  To: gentoo-commits

commit:     b0157d68a28486d4e657dae4f0351e8e5561831b
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Feb  3 18:05:46 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb  6 21:15:10 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b0157d68

dovecot, postfix: Module version bump.

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/dovecot.te | 2 +-
 policy/modules/services/postfix.te | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
index 1081e609..b56be9b0 100644
--- a/policy/modules/services/dovecot.te
+++ b/policy/modules/services/dovecot.te
@@ -1,4 +1,4 @@
-policy_module(dovecot, 1.26.0)
+policy_module(dovecot, 1.26.1)
 
 ########################################
 #

diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
index 05c0b4a5..690b06ce 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@@ -1,4 +1,4 @@
-policy_module(postfix, 1.24.0)
+policy_module(postfix, 1.24.1)
 
 ########################################
 #



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2021-02-07  3:21 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2021-02-07  3:21 UTC (permalink / raw
  To: gentoo-commits

commit:     e12b82af4a4be9fab7e8b892e8891995abe7868e
Author:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
AuthorDate: Sun Feb  7 01:52:28 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Feb  7 03:04:51 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e12b82af

clamav: Drop conflicting gentoo-specific rule

Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/clamav.te | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te
index c64942f4..691210ef 100644
--- a/policy/modules/services/clamav.te
+++ b/policy/modules/services/clamav.te
@@ -321,7 +321,3 @@ tunable_policy(`clamav_read_all_non_security_files_clamscan',`
 optional_policy(`
 	mta_send_mail(clamscan_t)
 ')
-
-ifdef(`distro_gentoo',`
-	init_daemon_runtime_file(clamd_runtime_t, dir, "clamav")
-')
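Review bot: the commit message says the Gentoo-specific `init_daemon_runtime_file(clamd_runtime_t, dir, "clamav")` conflicts, but the hunk does not show what it conflicts with, so the change cannot be reviewed from the diff alone; name the upstream rule or duplicate declaration it collides with. Also state whether `/run/clamav` still ends up labelled clamd_runtime_t when init creates it without this rule, since losing that transition would leave clamd's runtime directory in the generic runtime type.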



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2021-03-21 22:10 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2021-03-21 22:10 UTC (permalink / raw
  To: gentoo-commits

commit:     f1d3bfcfddd12301a24a6c58e60e53f63b782220
Author:     Krzysztof Nowicki <krissn <AT> op <DOT> pl>
AuthorDate: Tue Feb  2 22:13:58 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb 15 19:49:24 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f1d3bfcf

Allow systemd-tmpfilesd populating of /var/lib/dbus

Signed-off-by: Krzysztof Nowicki <krissn <AT> op.pl>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/dbus.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index 411297ea..0a6c3b72 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -196,6 +196,9 @@ optional_policy(`
 
 	# for passing around terminal file handles for machinectl shell
 	systemd_use_inherited_machined_ptys(system_dbusd_t)
+
+	# allow populating of /var/lib/dbus by systemd-tmpfilesd
+	systemd_tmpfilesd_managed(system_dbusd_var_lib_t, dir)
 ')
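Review bot: `systemd_tmpfilesd_managed(system_dbusd_var_lib_t, dir)` grants management of the directory class only. If the tmpfiles.d snippet that creates /var/lib/dbus also creates entries inside it (/var/lib/dbus/machine-id is commonly a symlink to /etc/machine-id), the next denial will be on `lnk_file` or `file`; either extend the class list now or note in the commit message that only the directory itself is expected to be managed. Placing the rule inside the existing systemd `optional_policy` block is correct.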
 
 optional_policy(`



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2021-03-21 22:10 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2021-03-21 22:10 UTC (permalink / raw
  To: gentoo-commits

commit:     5292cf65538555de69ba8edee5b342fcf3db8098
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Tue Feb 16 14:30:31 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Mar 21 21:38:23 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5292cf65

rpc: Module version bump.

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/rpc.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
index 37b57537..89dfbef5 100644
--- a/policy/modules/services/rpc.te
+++ b/policy/modules/services/rpc.te
@@ -1,4 +1,4 @@
-policy_module(rpc, 1.24.0)
+policy_module(rpc, 1.24.1)
 
 ########################################
 #



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2021-03-21 22:10 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2021-03-21 22:10 UTC (permalink / raw
  To: gentoo-commits

commit:     6280fcf010aa38352561da281652c8ab9f35bf6a
Author:     Russell Coker <russell <AT> coker <DOT> com <DOT> au>
AuthorDate: Sun Feb 14 03:58:00 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Mar 21 21:38:23 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6280fcf0

blkmapd

Patch for the blkmapd daemon that's part of the NFS server.

I think this is ready for merging.

Signed-off-by: Russell Coker <russell <AT> coker.com.au>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/rpc.fc |  2 ++
 policy/modules/services/rpc.te | 19 +++++++++++++++++++
 2 files changed, 21 insertions(+)

diff --git a/policy/modules/services/rpc.fc b/policy/modules/services/rpc.fc
index 6d3c9b68..88d2acaf 100644
--- a/policy/modules/services/rpc.fc
+++ b/policy/modules/services/rpc.fc
@@ -16,6 +16,7 @@
 /usr/lib/systemd/system/nfs.*\.service --   gen_context(system_u:object_r:nfsd_unit_t,s0)
 /usr/lib/systemd/system/rpc.*\.service --   gen_context(system_u:object_r:rpcd_unit_t,s0)
 
+/usr/sbin/blkmapd	--	gen_context(system_u:object_r:blkmapd_exec_t,s0)
 /usr/sbin/rpc\..*	--	gen_context(system_u:object_r:rpcd_exec_t,s0)
 /usr/sbin/rpc\.idmapd	--	gen_context(system_u:object_r:rpcd_exec_t,s0)
 /usr/sbin/rpc\.gssd	--	gen_context(system_u:object_r:gssd_exec_t,s0)
@@ -27,6 +28,7 @@
 
 /var/lib/nfs(/.*)?	gen_context(system_u:object_r:var_lib_nfs_t,s0)
 
+/run/blkmapd\.pid	--	gen_context(system_u:object_r:rpcd_runtime_t,s0)
 /run/rpc\.statd(/.*)?	gen_context(system_u:object_r:rpcd_runtime_t,s0)
 /run/rpc\.statd\.pid	--	gen_context(system_u:object_r:rpcd_runtime_t,s0)
 /run/sm-notify\.pid	--	gen_context(system_u:object_r:rpcd_runtime_t,s0)
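Review bot: label mismatch. rpc.te in this same commit declares `blkmapd_runtime_t` and adds `files_runtime_filetrans(blkmapd_t, blkmapd_runtime_t, file, "blkmapd.pid")`, so the daemon creates /run/blkmapd.pid as blkmapd_runtime_t, yet this file context labels it `rpcd_runtime_t`. Any relabel (`restorecon -R /run`) will flip the file to rpcd_runtime_t, for which blkmapd_t has no rules here, and the daemon can no longer rewrite or remove its pid file. Change the context to `gen_context(system_u:object_r:blkmapd_runtime_t,s0)`.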

diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
index 8059b10c..5cacb381 100644
--- a/policy/modules/services/rpc.te
+++ b/policy/modules/services/rpc.te
@@ -72,6 +72,14 @@ init_unit_file(nfsd_unit_t)
 type var_lib_nfs_t;
 files_mountpoint(var_lib_nfs_t)
 
+rpc_domain_template(blkmapd)
+
+type blkmapd_runtime_t;
+files_runtime_file(blkmapd_runtime_t)
+files_runtime_filetrans(blkmapd_t, blkmapd_runtime_t, file, "blkmapd.pid")
+allow blkmapd_t blkmapd_runtime_t:file manage_file_perms;
+
+
 ########################################
 #
 # Common rpc domain local policy
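Review bot: the new declarations land after `var_lib_nfs_t`, out of the alphabetical order the rest of the Declarations section follows, and leave a double blank line before the section header; the block belongs right after `attribute rpc_domain;` (the follow-up "rpc: Move lines." commit in this thread does exactly that). `manage_file_perms` on blkmapd_runtime_t covers create/write/unlink of the pid file, and the directory permissions on /run come with `files_runtime_filetrans`, so no extra `dir` rule is needed.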
@@ -280,6 +288,17 @@ optional_policy(`
 	mount_exec(nfsd_t)
 ')
 
+########################################
+#
+# BLKMAPD local policy
+#
+
+allow blkmapd_t self:capability sys_rawio;
+allow blkmapd_t self:unix_dgram_socket create_socket_perms;
+
+fs_list_rpc(blkmapd_t)
+storage_raw_read_fixed_disk(blkmapd_t)
+
 ########################################
 #
 # GSSD local policy
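Review bot: `sys_rawio` is a large grant: beyond what `storage_raw_read_fixed_disk` already allows, it unlocks SG_IO and similar raw device ioctls as well as iopl/ioperm. blkmapd does need to read block devices to resolve pNFS block layouts, but if the capability was added from a single denial, quote the AVC in a comment so a later reviewer can judge whether read access alone would do. What is the `unix_dgram_socket create_socket_perms` line for? If it is for syslog, check whether `rpc_domain_template` already covers logging, in which case it is redundant.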



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2021-03-21 22:10 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2021-03-21 22:10 UTC (permalink / raw
  To: gentoo-commits

commit:     b7d31bbf66452be6655b7c32fc5a992c23807cb4
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Tue Feb 16 14:30:13 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Mar 21 21:38:23 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b7d31bbf

rpc: Move lines.

No rule changes.

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/rpc.te | 189 ++++++++++++++++++++---------------------
 1 file changed, 94 insertions(+), 95 deletions(-)

diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
index 5cacb381..37b57537 100644
--- a/policy/modules/services/rpc.te
+++ b/policy/modules/services/rpc.te
@@ -33,6 +33,13 @@ gen_tunable(allow_nfsd_anon_write, false)
 
 attribute rpc_domain;
 
+rpc_domain_template(blkmapd)
+
+type blkmapd_runtime_t;
+files_runtime_file(blkmapd_runtime_t)
+files_runtime_filetrans(blkmapd_t, blkmapd_runtime_t, file, "blkmapd.pid")
+allow blkmapd_t blkmapd_runtime_t:file manage_file_perms;
+
 type exports_t;
 files_config_file(exports_t)
 
@@ -72,14 +79,6 @@ init_unit_file(nfsd_unit_t)
 type var_lib_nfs_t;
 files_mountpoint(var_lib_nfs_t)
 
-rpc_domain_template(blkmapd)
-
-type blkmapd_runtime_t;
-files_runtime_file(blkmapd_runtime_t)
-files_runtime_filetrans(blkmapd_t, blkmapd_runtime_t, file, "blkmapd.pid")
-allow blkmapd_t blkmapd_runtime_t:file manage_file_perms;
-
-
 ########################################
 #
 # Common rpc domain local policy
@@ -141,6 +140,93 @@ optional_policy(`
 	seutil_sigchld_newrole(rpc_domain)
 ')
 
+########################################
+#
+# BLKMAPD local policy
+#
+
+allow blkmapd_t self:capability sys_rawio;
+allow blkmapd_t self:unix_dgram_socket create_socket_perms;
+
+fs_list_rpc(blkmapd_t)
+storage_raw_read_fixed_disk(blkmapd_t)
+
+########################################
+#
+# GSSD local policy
+#
+
+allow gssd_t self:capability { dac_override dac_read_search setgid setuid sys_nice };
+allow gssd_t self:process { getsched setsched };
+allow gssd_t self:fifo_file rw_fifo_file_perms;
+
+allow gssd_t gssd_keytab_t:file read_file_perms;
+
+manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
+manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
+files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
+
+kernel_read_network_state(gssd_t)
+kernel_read_network_state_symlinks(gssd_t)
+kernel_request_load_module(gssd_t)
+kernel_search_network_sysctl(gssd_t)
+kernel_signal(gssd_t)
+
+corecmd_exec_bin(gssd_t)
+
+fs_list_inotifyfs(gssd_t)
+fs_list_rpc(gssd_t)
+fs_rw_rpc_sockets(gssd_t)
+fs_read_rpc_files(gssd_t)
+fs_read_nfs_files(gssd_t)
+
+files_list_tmp(gssd_t)
+files_dontaudit_write_var_dirs(gssd_t)
+
+auth_manage_cache(gssd_t)
+
+miscfiles_read_generic_certs(gssd_t)
+miscfiles_read_generic_tls_privkey(gssd_t)
+
+userdom_signal_all_users(gssd_t)
+
+tunable_policy(`allow_gssd_read_tmp',`
+	userdom_list_user_tmp(gssd_t)
+	userdom_read_user_tmp_files(gssd_t)
+	userdom_read_user_tmp_symlinks(gssd_t)
+')
+
+tunable_policy(`allow_gssd_write_tmp',`
+	userdom_list_user_tmp(gssd_t)
+	userdom_rw_user_tmp_files(gssd_t)
+')
+
+optional_policy(`
+	automount_signal(gssd_t)
+')
+
+optional_policy(`
+	gssproxy_stream_connect(gssd_t)
+')
+optional_policy(`
+	kerberos_manage_host_rcache(gssd_t)
+	kerberos_read_keytab(gssd_t)
+	kerberos_tmp_filetrans_host_rcache(gssd_t, file, "nfs_0")
+	kerberos_use(gssd_t)
+')
+
+optional_policy(`
+	mount_signal(gssd_t)
+')
+
+optional_policy(`
+	pcscd_read_runtime_files(gssd_t)
+')
+
+optional_policy(`
+	xserver_rw_xdm_tmp_files(gssd_t)
+')
+
 ########################################
 #
 # Local policy
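Review bot: compared the relocated BLKMAPD and GSSD blocks against the lines removed in the last hunk; they match line for line, so "No rule changes." holds. A review of a move this size is much easier with `git diff --color-moved=dimmed-zebra`, worth mentioning in the message. One pre-existing style nit travels with the move: the `gssproxy_stream_connect` `optional_policy` block has no blank line separating it from the kerberos block that follows.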
@@ -287,90 +373,3 @@ tunable_policy(`nfs_export_all_ro',`
 optional_policy(`
 	mount_exec(nfsd_t)
 ')
-
-########################################
-#
-# BLKMAPD local policy
-#
-
-allow blkmapd_t self:capability sys_rawio;
-allow blkmapd_t self:unix_dgram_socket create_socket_perms;
-
-fs_list_rpc(blkmapd_t)
-storage_raw_read_fixed_disk(blkmapd_t)
-
-########################################
-#
-# GSSD local policy
-#
-
-allow gssd_t self:capability { dac_override dac_read_search setgid setuid sys_nice };
-allow gssd_t self:process { getsched setsched };
-allow gssd_t self:fifo_file rw_fifo_file_perms;
-
-allow gssd_t gssd_keytab_t:file read_file_perms;
-
-manage_dirs_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
-manage_files_pattern(gssd_t, gssd_tmp_t, gssd_tmp_t)
-files_tmp_filetrans(gssd_t, gssd_tmp_t, { file dir })
-
-kernel_read_network_state(gssd_t)
-kernel_read_network_state_symlinks(gssd_t)
-kernel_request_load_module(gssd_t)
-kernel_search_network_sysctl(gssd_t)
-kernel_signal(gssd_t)
-
-corecmd_exec_bin(gssd_t)
-
-fs_list_inotifyfs(gssd_t)
-fs_list_rpc(gssd_t)
-fs_rw_rpc_sockets(gssd_t)
-fs_read_rpc_files(gssd_t)
-fs_read_nfs_files(gssd_t)
-
-files_list_tmp(gssd_t)
-files_dontaudit_write_var_dirs(gssd_t)
-
-auth_manage_cache(gssd_t)
-
-miscfiles_read_generic_certs(gssd_t)
-miscfiles_read_generic_tls_privkey(gssd_t)
-
-userdom_signal_all_users(gssd_t)
-
-tunable_policy(`allow_gssd_read_tmp',`
-	userdom_list_user_tmp(gssd_t)
-	userdom_read_user_tmp_files(gssd_t)
-	userdom_read_user_tmp_symlinks(gssd_t)
-')
-
-tunable_policy(`allow_gssd_write_tmp',`
-	userdom_list_user_tmp(gssd_t)
-	userdom_rw_user_tmp_files(gssd_t)
-')
-
-optional_policy(`
-	automount_signal(gssd_t)
-')
-
-optional_policy(`
-	gssproxy_stream_connect(gssd_t)
-')
-optional_policy(`
-	kerberos_manage_host_rcache(gssd_t)
-	kerberos_read_keytab(gssd_t)
-	kerberos_tmp_filetrans_host_rcache(gssd_t, file, "nfs_0")
-	kerberos_use(gssd_t)
-')
-
-optional_policy(`
-	mount_signal(gssd_t)
-')
-
-optional_policy(`
-	pcscd_read_runtime_files(gssd_t)
-')
-
-optional_policy(`
-	xserver_rw_xdm_tmp_files(gssd_t)
-')
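Review bot: this deletion covers both the BLKMAPD and the GSSD local policy, but the added hunk above begins at auth_manage_cache(gssd_t), so neither the BLKMAPD rules (allow blkmapd_t self:capability sys_rawio; fs_list_rpc(blkmapd_t); storage_raw_read_fixed_disk(blkmapd_t)) nor the head of the GSSD block (the capability set, the gssd_keytab_t read, the gssd_tmp_t rules) is visible as re-added. Confirm they were re-inserted earlier in the file and are byte-identical, otherwise blkmapd_t silently loses raw disk access and gssd_t its keytab read; the hunk header (-90/+3) is consistent with a pure move only if the earlier hunk added the same 87 lines.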


^ permalink raw reply related	[flat|nested] 299+ messages in thread

* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2021-03-22  0:21 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2021-03-22  0:21 UTC (permalink / raw
  To: gentoo-commits

commit:     9c713028668b6f1cec101f5b523ce6d6bea54db1
Author:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
AuthorDate: Sun Feb 21 05:24:14 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Mar 21 22:07:35 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9c713028

ntp: allow sock_file filetrans for /run/ntpd.sock

Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/ntp.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te
index 24c94bbb..e9bab2e0 100644
--- a/policy/modules/services/ntp.te
+++ b/policy/modules/services/ntp.te
@@ -81,7 +81,7 @@ logging_log_filetrans(ntpd_t, ntpd_log_t, { file dir })
 
 manage_files_pattern(ntpd_t, ntpd_pid_t, ntpd_pid_t)
 manage_sock_files_pattern(ntpd_t, ntpd_pid_t, ntpd_pid_t)
-files_runtime_filetrans(ntpd_t, ntpd_pid_t, file)
+files_runtime_filetrans(ntpd_t, ntpd_pid_t, { file sock_file })
 
 manage_dirs_pattern(ntpd_t, ntpd_tmp_t, ntpd_tmp_t)
 manage_files_pattern(ntpd_t, ntpd_tmp_t, ntpd_tmp_t)
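Review bot: the transition now covers sock_file, which matches the manage_sock_files_pattern line above it, but nothing in this patch labels /run/ntpd.sock in ntp.fc. If no entry exists there, a restorecon or full relabel will reset the socket to the generic /run label once ntpd has created it; add `/run/ntpd\.sock -s gen_context(system_u:object_r:ntpd_pid_t,s0)` unless it is already present.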



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2021-09-05 16:00 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2021-09-05 16:00 UTC (permalink / raw
  To: gentoo-commits

commit:     282a03ad002857daaf67e2579854f04ff0ddc0bf
Author:     Markus Linnala <Markus.Linnala <AT> cybercom <DOT> com>
AuthorDate: Tue Jun 29 12:28:54 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Sep  5 14:26:44 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=282a03ad

policy: xserver: xserver_dbus_chat: fix require

Signed-off-by: Markus Linnala <Markus.Linnala <AT> cybercom.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/xserver.if | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index 9fea101f..a49f9ee0 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -1539,6 +1539,7 @@ interface(`xserver_read_tmp_files',`
 interface(`xserver_dbus_chat',`
 	gen_require(`
 		type xserver_t;
+		class dbus send_msg;
 	')
 
 	allow $1 xserver_t:dbus send_msg;
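Review bot: correct fix. dbus is a userspace object class and the rule `allow $1 xserver_t:dbus send_msg;` can only be compiled into a separately built module if the class and permission are required in the interface, which is how the dbus interfaces in dbus.if (for example dbus_send_system_bus) already declare it.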



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2021-09-05 16:00 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2021-09-05 16:00 UTC (permalink / raw
  To: gentoo-commits

commit:     e315469c688df9a1782d5023a092414f89ba21f1
Author:     Markus Linnala <Markus.Linnala <AT> cybercom <DOT> com>
AuthorDate: Wed Jun 30 08:21:40 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Sep  5 14:26:44 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e315469c

policy avahi: avahi_filetrans_pid: doc: add missing params

Even if the interface is deprecated, still use all documented parameters.

Signed-off-by: Markus Linnala <Markus.Linnala <AT> cybercom.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/avahi.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/services/avahi.if b/policy/modules/services/avahi.if
index 98d9d179..c223e8b3 100644
--- a/policy/modules/services/avahi.if
+++ b/policy/modules/services/avahi.if
@@ -255,7 +255,7 @@ interface(`avahi_dontaudit_search_pid',`
 #
 interface(`avahi_filetrans_pid',`
 	refpolicywarn(`$0($*) has been deprecated, please use avahi_filetrans_runtime() instead.')
-	avahi_filetrans_runtime($1)
+	avahi_filetrans_runtime($*)
 ')
 
 ########################################



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2021-09-05 16:00 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2021-09-05 16:00 UTC (permalink / raw
  To: gentoo-commits

commit:     6ace9f7ad898e563a286fdb9a176b468145c1e8e
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Jul 14 13:35:51 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Sep  5 14:26:44 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6ace9f7a

radvd: Whitespace fix.

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/radvd.te | 1 -
 1 file changed, 1 deletion(-)

diff --git a/policy/modules/services/radvd.te b/policy/modules/services/radvd.te
index 84280152..7d01b6ce 100644
--- a/policy/modules/services/radvd.te
+++ b/policy/modules/services/radvd.te
@@ -48,7 +48,6 @@ corenet_raw_sendrecv_generic_if(radvd_t)
 corenet_tcp_sendrecv_generic_node(radvd_t)
 corenet_udp_sendrecv_generic_node(radvd_t)
 corenet_raw_sendrecv_generic_node(radvd_t)
-
 corenet_sendrecv_icmp_packets(radvd_t)
 
 dev_read_sysfs(radvd_t)



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2021-09-05 16:00 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2021-09-05 16:00 UTC (permalink / raw
  To: gentoo-commits

commit:     0e7d2a03d1a7db3e941a350728b8dc16bfe7c8ce
Author:     Jonathan Davies <jpds <AT> protonmail <DOT> com>
AuthorDate: Sat Jul 10 01:08:35 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Sep  5 14:26:44 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0e7d2a03

radvd.te: Added corenet_sendrecv_icmp_packets().

Signed-off-by: Jonathan Davies <jpds <AT> protonmail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/radvd.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/services/radvd.te b/policy/modules/services/radvd.te
index 51ce167b..84280152 100644
--- a/policy/modules/services/radvd.te
+++ b/policy/modules/services/radvd.te
@@ -49,6 +49,8 @@ corenet_tcp_sendrecv_generic_node(radvd_t)
 corenet_udp_sendrecv_generic_node(radvd_t)
 corenet_raw_sendrecv_generic_node(radvd_t)
 
+corenet_sendrecv_icmp_packets(radvd_t)
+
 dev_read_sysfs(radvd_t)
 
 domain_use_interactive_fds(radvd_t)
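Review bot: the packet rule is consistent with the raw socket rules directly above it (corenet_raw_sendrecv_generic_node), but packet-class permissions are only checked when SECMARK labeling is configured, so on a host without iptables/nftables SECMARK rules this changes nothing and radvd's ICMPv6 router advertisements already worked. The commit message should say this is a SECMARK completeness fix so nobody reads it as a functional repair.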



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2021-09-05 16:00 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2021-09-05 16:00 UTC (permalink / raw
  To: gentoo-commits

commit:     32e277187e6c47d9fe8a27f63a5225948be350c7
Author:     Jonathan Davies <jpds <AT> protonmail <DOT> com>
AuthorDate: Sat Jul 10 01:09:03 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Sep  5 14:26:44 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=32e27718

dhcp.te: Added corenet_sendrecv_icmp_packets().

Signed-off-by: Jonathan Davies <jpds <AT> protonmail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/dhcp.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/services/dhcp.te b/policy/modules/services/dhcp.te
index 403fcdad..d0560268 100644
--- a/policy/modules/services/dhcp.te
+++ b/policy/modules/services/dhcp.te
@@ -72,6 +72,7 @@ corenet_tcp_bind_generic_node(dhcpd_t)
 corenet_udp_bind_generic_node(dhcpd_t)
 
 corenet_sendrecv_dhcpd_server_packets(dhcpd_t)
+corenet_sendrecv_icmp_packets(dhcpd_t)
 corenet_tcp_bind_dhcpd_port(dhcpd_t)
 corenet_udp_bind_dhcpd_port(dhcpd_t)
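Review bot: same SECMARK-only scope as the radvd change, so this needs a SECMARK rule to have any effect. ISC dhcpd's lease ping check sends ICMP echo requests, and the packet rule alone does not grant the raw socket they go out on; the raw socket rules for dhcpd_t are not visible in this hunk, so confirm they exist or the denial will just move from the packet class to rawip_socket.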
 



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2021-09-05 16:00 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2021-09-05 16:00 UTC (permalink / raw
  To: gentoo-commits

commit:     447bde4884a3b4a69f9b29edcaaa83e20513b1c3
Author:     Markus Linnala <Markus.Linnala <AT> cybercom <DOT> com>
AuthorDate: Tue Jun 29 12:29:19 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Sep  5 14:26:44 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=447bde48

policy:ssh: ssh_server_template: fix require

Signed-off-by: Markus Linnala <Markus.Linnala <AT> cybercom.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/ssh.if | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index e5edf17a..66992a9c 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -167,6 +167,7 @@ template(`ssh_basic_client_template',`
 #
 template(`ssh_server_template', `
 	gen_require(`
+		attribute ssh_server;
 		type sshd_exec_t, sshd_key_t;
 	')
 	type $1_t, ssh_server;
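Review bot: the require is needed because templates are expanded in the calling module, so a module using ssh_server_template outside ssh would otherwise fail to link on `type $1_t, ssh_server;` with ssh_server undeclared; the fix matches the existing requires for sshd_exec_t and sshd_key_t in the same block.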



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2021-09-05 16:00 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2021-09-05 16:00 UTC (permalink / raw
  To: gentoo-commits

commit:     1c22963524cf93fc449049ebe6ebc858e4030f4e
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Tue Aug 10 18:54:38 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Sep  5 14:26:44 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1c229635

cvs, ifplugd: Module version bump.

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/cvs.te     | 2 +-
 policy/modules/services/ifplugd.te | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/services/cvs.te b/policy/modules/services/cvs.te
index 61589228..f59b3c41 100644
--- a/policy/modules/services/cvs.te
+++ b/policy/modules/services/cvs.te
@@ -1,4 +1,4 @@
-policy_module(cvs, 1.15.0)
+policy_module(cvs, 1.15.2)
 
 ########################################
 #

diff --git a/policy/modules/services/ifplugd.te b/policy/modules/services/ifplugd.te
index 550eecca..7dde29d0 100644
--- a/policy/modules/services/ifplugd.te
+++ b/policy/modules/services/ifplugd.te
@@ -1,4 +1,4 @@
-policy_module(ifplugd, 1.7.0)
+policy_module(ifplugd, 1.7.1)
 
 ########################################
 #



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2021-09-05 16:00 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2021-09-05 16:00 UTC (permalink / raw
  To: gentoo-commits

commit:     6dcf394fe72ea7bc72c4ec5936be1f17d463f241
Author:     Fabrice Fontaine <fontaine.fabrice <AT> gmail <DOT> com>
AuthorDate: Sun Jul 25 15:59:15 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Sep  5 14:26:44 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6dcf394f

policy/modules/services/minidlna.te: make xdg optional

Make xdg optional to avoid the following build failure:

 Compiling targeted policy.28
 env LD_LIBRARY_PATH="/home/buildroot/autobuild/instance-1/output-1/host/lib:/home/buildroot/autobuild/instance-1/output-1/host/usr/lib" /home/buildroot/autobuild/instance-1/output-1/host/usr/bin/checkpolicy -c 28 -U deny -S -O -E policy.conf -o policy.28
 policy/modules/services/minidlna.te:85:ERROR 'unknown type xdg_music_t' at token ';' on line 146109:
 #line 85
	allow minidlna_t xdg_music_t:dir { getattr search open };
 checkpolicy:  error(s) encountered while parsing configuration
 Rules.monolithic:78: recipe for target 'policy.28' failed

Fixes:
 - http://autobuild.buildroot.org/results/52490172afd9b72b08a7deb0bd3c2124398bbffa/build-end.log

Signed-off-by: Fabrice Fontaine <fontaine.fabrice <AT> gmail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/minidlna.te | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/policy/modules/services/minidlna.te b/policy/modules/services/minidlna.te
index b980d270..4d87e8ee 100644
--- a/policy/modules/services/minidlna.te
+++ b/policy/modules/services/minidlna.te
@@ -82,10 +82,6 @@ logging_search_logs(minidlna_t)
 miscfiles_read_localization(minidlna_t)
 miscfiles_read_public_files(minidlna_t)
 
-xdg_read_music(minidlna_t)
-xdg_read_pictures(minidlna_t)
-xdg_read_videos(minidlna_t)
-
 tunable_policy(`minidlna_read_generic_user_content',`
 	userdom_list_user_tmp(minidlna_t)
 	userdom_read_user_home_content_files(minidlna_t)
@@ -101,3 +97,9 @@ tunable_policy(`minidlna_read_generic_user_content',`
 	userdom_dontaudit_read_user_home_content_files(minidlna_t)
 	userdom_dontaudit_read_user_tmp_files(minidlna_t)
 ')
+
+optional_policy(`
+	xdg_read_music(minidlna_t)
+	xdg_read_pictures(minidlna_t)
+	xdg_read_videos(minidlna_t)
+')
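Review bot: grouping the three xdg_read_* calls in one optional_policy block is right, since all of them depend on the same xdg module and the build error in the commit message (unknown type xdg_music_t) came from referencing those types outside any optional_policy. Placement at the end of the file after the tunable_policy blocks follows the refpolicy layout; the behaviour on systems with xdg loaded is unchanged.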



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2021-09-05 16:00 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2021-09-05 16:00 UTC (permalink / raw
  To: gentoo-commits

commit:     b0e6b6b7332d08ba52a93ae3b9d4b9f81e42f429
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Fri Aug  6 14:15:11 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Sep  5 14:26:44 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b0e6b6b7

ftp: Module version bump.

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/ftp.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
index 5686b225..92e00713 100644
--- a/policy/modules/services/ftp.te
+++ b/policy/modules/services/ftp.te
@@ -1,4 +1,4 @@
-policy_module(ftp, 1.25.0)
+policy_module(ftp, 1.25.1)
 
 ########################################
 #



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2021-09-05 16:00 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2021-09-05 16:00 UTC (permalink / raw
  To: gentoo-commits

commit:     922a36f3770145f871fae43693999f592b0edca5
Author:     Fabrice Fontaine <fontaine.fabrice <AT> gmail <DOT> com>
AuthorDate: Fri Jul 30 20:40:20 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Sep  5 14:26:44 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=922a36f3

policy/modules/services/ftp.te: make ssh optional

Make ssh optional to avoid the following build failure:

 Compiling targeted policy.30
 env LD_LIBRARY_PATH="/home/fabrice/buildroot/output/host/lib:/home/fabrice/buildroot/output/host/usr/lib" /home/fabrice/buildroot/output/host/usr/bin/checkpolicy -c 30 -U deny -S -O -E policy.conf -o policy.30
 policy/modules/services/ftp.te:484:ERROR 'type ssh_home_t is not within scope' at token ';' on line 92051:
 	allow sftpd_t ssh_home_t:dir { open read getattr lock search ioctl add_name remove_name write };
 #line 484
 checkpolicy:  error(s) encountered while parsing configuration

Signed-off-by: Fabrice Fontaine <fontaine.fabrice <AT> gmail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/ftp.te | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
index 0d84da71..5686b225 100644
--- a/policy/modules/services/ftp.te
+++ b/policy/modules/services/ftp.te
@@ -481,10 +481,6 @@ tunable_policy(`sftpd_full_access',`
 	files_manage_non_auth_files(sftpd_t)
 ')
 
-tunable_policy(`sftpd_write_ssh_home',`
-	ssh_manage_home_files(sftpd_t)
-')
-
 tunable_policy(`use_samba_home_dirs',`
 	fs_list_cifs(sftpd_t)
 	fs_read_cifs_files(sftpd_t)
@@ -496,3 +492,9 @@ tunable_policy(`use_nfs_home_dirs',`
 	fs_read_nfs_files(sftpd_t)
 	fs_read_nfs_symlinks(ftpd_t)
 ')
+
+optional_policy(`
+	tunable_policy(`sftpd_write_ssh_home',`
+		ssh_manage_home_files(sftpd_t)
+	')
+')
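Review bot: unrelated to this change but visible in the context lines: inside the use_nfs_home_dirs block, fs_read_nfs_symlinks(ftpd_t) sits directly under fs_read_nfs_files(sftpd_t), while the sibling use_samba_home_dirs block above grants fs_list_cifs and fs_read_cifs_files to sftpd_t only; if ftpd_t is not intentional there, that is a typo for sftpd_t worth fixing in a follow-up. The optional_policy wrapping itself follows the refpolicy convention of optional_policy outside and tunable_policy inside.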



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2021-09-05 16:00 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2021-09-05 16:00 UTC (permalink / raw
  To: gentoo-commits

commit:     72f8fb14693da17667c5bf03d4ccdf3e10fb0667
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Fri Jul 16 13:41:40 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Sep  5 14:26:44 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=72f8fb14

virt: Module version bump.

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/virt.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
index 8d822e2a..4cd4c5f0 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@@ -1,4 +1,4 @@
-policy_module(virt, 1.17.0)
+policy_module(virt, 1.17.1)
 
 ########################################
 #



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2021-09-05 16:00 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2021-09-05 16:00 UTC (permalink / raw
  To: gentoo-commits

commit:     f22a19f89ed29874bc2070979342ba43f96aad62
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Fri Jul 30 18:47:28 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Sep  5 14:26:44 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f22a19f8

minidlna: Module version bump.

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/minidlna.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/services/minidlna.te b/policy/modules/services/minidlna.te
index 4d87e8ee..3e5cefbd 100644
--- a/policy/modules/services/minidlna.te
+++ b/policy/modules/services/minidlna.te
@@ -1,4 +1,4 @@
-policy_module(minidlna, 1.5.0)
+policy_module(minidlna, 1.5.1)
 
 #############################################
 #



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2021-09-05 16:00 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2021-09-05 16:00 UTC (permalink / raw
  To: gentoo-commits

commit:     f04ea627a99d4b6650f22da3ac0a4e4a97b34b63
Author:     Jonathan Davies <jpds <AT> protonmail <DOT> com>
AuthorDate: Wed Jul 14 21:30:37 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Sep  5 14:26:44 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f04ea627

virt: Defined a virt_common_runtime_t type for the new common/system.token file and added permissions to virtd_t and virtlogd_t.

Modelled on: https://github.com/fedora-selinux/selinux-policy/commit/1f761d0bbdc08d21a91cdcbd1909ddb53858e354
libvirt change introducing this: https://gitlab.com/libvirt/libvirt/-/commit/cbfebfc74741a00bddf67b7fa10892b757fffd6a

Signed-off-by: Jonathan Davies <jpds <AT> protonmail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/virt.fc |  1 +
 policy/modules/services/virt.te | 11 +++++++++++
 2 files changed, 12 insertions(+)

diff --git a/policy/modules/services/virt.fc b/policy/modules/services/virt.fc
index 5266b68c..ab5d0885 100644
--- a/policy/modules/services/virt.fc
+++ b/policy/modules/services/virt.fc
@@ -58,6 +58,7 @@ HOME_DIR/VirtualMachines/isos(/.*)?	gen_context(system_u:object_r:virt_content_t
 /run/libguestfs(/.*)?	gen_context(system_u:object_r:virt_runtime_t,s0)
 /run/libvirtd\.pid	--	gen_context(system_u:object_r:virt_runtime_t,s0)
 /run/libvirt(/.*)?	gen_context(system_u:object_r:virt_runtime_t,s0)
+/run/libvirt/common(/.*)?	gen_context(system_u:object_r:virt_common_runtime_t,s0)
 /run/libvirt/lxc(/.*)?	gen_context(system_u:object_r:virtd_lxc_runtime_t,s0)
 /run/libvirt-sandbox(/.*)?	gen_context(system_u:object_r:virtd_lxc_runtime_t,s0)
 /run/libvirt/qemu(/.*)?	gen_context(system_u:object_r:svirt_runtime_t,s0-mls_systemhigh)

diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
index da88b2cb..47c6042c 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@@ -129,6 +129,9 @@ type virt_image_t; # customizable
 virt_image(virt_image_t)
 files_mountpoint(virt_image_t)
 
+type virt_common_runtime_t;
+files_runtime_file(virt_common_runtime_t)
+
 type virt_content_t; # customizable
 virt_image(virt_content_t)
 userdom_user_home_content(virt_content_t)
@@ -581,6 +584,11 @@ manage_files_pattern(virtd_t, virt_runtime_t, virt_runtime_t)
 manage_sock_files_pattern(virtd_t, virt_runtime_t, virt_runtime_t)
 files_runtime_filetrans(virtd_t, virt_runtime_t, { file dir })
 
+allow virtd_t virt_common_runtime_t:file append_file_perms;
+manage_dirs_pattern(virtd_t, virt_common_runtime_t, virt_common_runtime_t)
+manage_files_pattern(virtd_t, virt_common_runtime_t, virt_common_runtime_t)
+filetrans_pattern(virtd_t, virt_runtime_t, virt_common_runtime_t, dir, "common")
+
 manage_dirs_pattern(virtd_t, virtd_lxc_runtime_t, virtd_lxc_runtime_t)
 manage_files_pattern(virtd_t, virtd_lxc_runtime_t, virtd_lxc_runtime_t)
 filetrans_pattern(virtd_t, virt_runtime_t, virtd_lxc_runtime_t, dir, "lxc")
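Review bot: `allow virtd_t virt_common_runtime_t:file append_file_perms;` is redundant: manage_files_pattern on the next line already grants manage_file_perms on virt_common_runtime_t files, which includes append, so the explicit line can be dropped. The filetrans_pattern with the "common" name is the right approach, since a fresh /run/libvirt/common created by virtd gets the new type without relying on restorecon.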
@@ -1371,6 +1379,9 @@ manage_sock_files_pattern(virtlogd_t, virt_runtime_t, virtlogd_run_t)
 filetrans_pattern(virtlogd_t, virt_runtime_t, virtlogd_run_t, sock_file)
 files_runtime_filetrans(virtlogd_t, virtlogd_run_t, file)
 
+allow virtlogd_t virt_common_runtime_t:file append_file_perms;
+manage_files_pattern(virtlogd_t, virt_runtime_t, virt_common_runtime_t)
+
 kernel_read_system_state(virtlogd_t)
 
 files_read_etc_files(virtlogd_t)
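Review bot: the directory argument looks wrong. manage_files_pattern(virtlogd_t, virt_runtime_t, virt_common_runtime_t) grants rw_dir_perms on virt_runtime_t directories and manage_file_perms on virt_common_runtime_t files, but per the virt.fc hunk /run/libvirt/common itself is labeled virt_common_runtime_t, so virtlogd_t gets no search or add_name on the directory that actually holds system.token. Either use manage_files_pattern(virtlogd_t, virt_common_runtime_t, virt_common_runtime_t) plus a matching filetrans_pattern(virtlogd_t, virt_runtime_t, virt_common_runtime_t, dir, "common") if virtlogd may create the directory, or, if virtlogd only ever appends to a token created by virtd, keep just the append_file_perms line and add list_dir_perms on virt_common_runtime_t. As written the append line is also subsumed by the manage pattern.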



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2021-09-05 16:00 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2021-09-05 16:00 UTC (permalink / raw
  To: gentoo-commits

commit:     54b210e366b3188161e877dcb43f0371104d4828
Author:     Fabrice Fontaine <fontaine.fabrice <AT> gmail <DOT> com>
AuthorDate: Fri Aug  6 14:33:36 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Sep  5 14:26:44 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=54b210e3

policy/modules/services/cvs.te: make inetd optional

Signed-off-by: Fabrice Fontaine <fontaine.fabrice <AT> gmail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/cvs.te | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/policy/modules/services/cvs.te b/policy/modules/services/cvs.te
index f2f60556..61589228 100644
--- a/policy/modules/services/cvs.te
+++ b/policy/modules/services/cvs.te
@@ -15,7 +15,6 @@ gen_tunable(allow_cvs_read_shadow, false)
 
 type cvs_t;
 type cvs_exec_t;
-inetd_tcp_service_domain(cvs_t, cvs_exec_t)
 init_daemon_domain(cvs_t, cvs_exec_t)
 application_executable_file(cvs_exec_t)
 
@@ -98,6 +97,10 @@ tunable_policy(`allow_cvs_read_shadow',`
 	auth_tunable_read_shadow(cvs_t)
 ')
 
+optional_policy(`
+	inetd_tcp_service_domain(cvs_t, cvs_exec_t)
+')
+
 optional_policy(`
 	kerberos_read_config(cvs_t)
 	kerberos_read_keytab(cvs_t)
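Review bot: scoping is fine: the type declarations and init_daemon_domain(cvs_t, cvs_exec_t) stay unconditional in the first hunk, so cvs_t remains a valid daemon domain without inetd, and the new optional_policy block sits alphabetically before the kerberos one. Since inetd_tcp_service_domain is what installs the transition from inetd_t, on an inetd-less build cvs_t is reachable only through init; the commit message could state that.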



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2021-09-05 16:00 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2021-09-05 16:00 UTC (permalink / raw
  To: gentoo-commits

commit:     32dc5265e1ec91a095161cdd6da680f1b6741bfa
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Fri Jul 16 13:41:24 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Sep  5 14:26:44 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=32dc5265

virt: Move lines.

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/virt.te | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
index 47c6042c..8d822e2a 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@@ -503,6 +503,11 @@ manage_dirs_pattern(virtd_t, virt_cache_t, virt_cache_t)
 manage_files_pattern(virtd_t, virt_cache_t, virt_cache_t)
 files_var_filetrans(virtd_t, virt_cache_t, { file dir })
 
+allow virtd_t virt_common_runtime_t:file append_file_perms;
+manage_dirs_pattern(virtd_t, virt_common_runtime_t, virt_common_runtime_t)
+manage_files_pattern(virtd_t, virt_common_runtime_t, virt_common_runtime_t)
+filetrans_pattern(virtd_t, virt_runtime_t, virt_common_runtime_t, dir, "common")
+
 manage_dirs_pattern(virtd_t, virt_content_t, virt_content_t)
 manage_files_pattern(virtd_t, virt_content_t, virt_content_t)
 filetrans_pattern(virtd_t, virt_home_t, virt_content_t, dir, "isos")
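Review bot: pure move, the four lines are identical to the ones removed below from after the virt_runtime_t filetrans, and the new position between virt_cache_t and virt_content_t keeps the type-ordered layout of the virtd_t section. The explicit append_file_perms line remains redundant next to manage_files_pattern, so this move is a good moment to drop it.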
@@ -584,11 +589,6 @@ manage_files_pattern(virtd_t, virt_runtime_t, virt_runtime_t)
 manage_sock_files_pattern(virtd_t, virt_runtime_t, virt_runtime_t)
 files_runtime_filetrans(virtd_t, virt_runtime_t, { file dir })
 
-allow virtd_t virt_common_runtime_t:file append_file_perms;
-manage_dirs_pattern(virtd_t, virt_common_runtime_t, virt_common_runtime_t)
-manage_files_pattern(virtd_t, virt_common_runtime_t, virt_common_runtime_t)
-filetrans_pattern(virtd_t, virt_runtime_t, virt_common_runtime_t, dir, "common")
-
 manage_dirs_pattern(virtd_t, virtd_lxc_runtime_t, virtd_lxc_runtime_t)
 manage_files_pattern(virtd_t, virtd_lxc_runtime_t, virtd_lxc_runtime_t)
 filetrans_pattern(virtd_t, virt_runtime_t, virtd_lxc_runtime_t, dir, "lxc")



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2021-09-05 16:00 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2021-09-05 16:00 UTC (permalink / raw
  To: gentoo-commits

commit:     97fef06309db4270e3979d056b138e77f9494935
Author:     Fabrice Fontaine <fontaine.fabrice <AT> gmail <DOT> com>
AuthorDate: Mon Aug  9 20:51:46 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Sep  5 14:26:44 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=97fef063

policy/modules/services/ifplugd.te: make netutils optional

Make netutils optional to avoid the following build failure:

 Compiling targeted policy.30
 env LD_LIBRARY_PATH="/tmp/instance-3/output-1/host/lib:/tmp/instance-3/output-1/host/usr/lib" /tmp/instance-3/output-1/host/usr/bin/checkpolicy -c 30 -U deny -S -O -E policy.conf -o policy.30
 policy/modules/services/ifplugd.te:62:ERROR 'type netutils_exec_t is not within scope' at token ';' on line 73694:
 #line 62
 	allow ifplugd_t netutils_exec_t:file { getattr open map read execute ioctl };
 checkpolicy:  error(s) encountered while parsing configuration

Fixes:
 - http://autobuild.buildroot.org/results/1e27f5b193d40dfb7c73fbe15d1bef91cb92c27d

Signed-off-by: Fabrice Fontaine <fontaine.fabrice <AT> gmail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/ifplugd.te | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/policy/modules/services/ifplugd.te b/policy/modules/services/ifplugd.te
index f49b147f..550eecca 100644
--- a/policy/modules/services/ifplugd.te
+++ b/policy/modules/services/ifplugd.te
@@ -59,8 +59,6 @@ logging_send_syslog_msg(ifplugd_t)
 
 miscfiles_read_localization(ifplugd_t)
 
-netutils_domtrans(ifplugd_t)
-
 sysnet_domtrans_ifconfig(ifplugd_t)
 sysnet_domtrans_dhcpc(ifplugd_t)
 sysnet_delete_dhcpc_runtime_files(ifplugd_t)
@@ -70,3 +68,7 @@ sysnet_signal_dhcpc(ifplugd_t)
 optional_policy(`
 	consoletype_exec(ifplugd_t)
 ')
+
+optional_policy(`
+	netutils_domtrans(ifplugd_t)
+')



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2021-11-11 21:27 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2021-11-11 21:27 UTC (permalink / raw
  To: gentoo-commits

commit:     6568c3111734cbf1ad0065d55e920e3835f3d259
Author:     Yi Zhao <yi.zhao <AT> windriver <DOT> com>
AuthorDate: Sun Sep 26 05:56:36 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Nov 11 21:26:50 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6568c311

dbus: allow dbus-daemon to map SELinux status page

Fixes:
avc: denied { map } for pid=328 comm="dbus-daemon"
path="/sys/fs/selinux/status" dev="selinuxfs" ino=19
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:security_t tclass=file permissive=0

Signed-off-by: Yi Zhao <yi.zhao <AT> windriver.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/dbus.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index a6865834..9d2942f5 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -129,6 +129,7 @@ mls_socket_read_to_clearance(system_dbusd_t)
 mls_dbus_recv_all_levels(system_dbusd_t)
 
 selinux_get_fs_mount(system_dbusd_t)
+selinux_use_status_page(system_dbusd_t)
 selinux_validate_context(system_dbusd_t)
 selinux_compute_access_vector(system_dbusd_t)
 selinux_compute_create_context(system_dbusd_t)
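Review bot: selinux_use_status_page(system_dbusd_t) is the minimal grant for the logged denial (map on /sys/fs/selinux/status, security_t:file). The status page is a read-only mapping libselinux uses to notice policy reloads and enforcing-mode changes without a netlink round trip, so no write access to security_t is introduced, and the alphabetical placement between selinux_get_fs_mount and selinux_validate_context matches the surrounding style.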



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2021-11-11 21:27 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2021-11-11 21:27 UTC (permalink / raw
  To: gentoo-commits

commit:     80a9de80df53b7ad4160b0fcb38a6b38a580f575
Author:     Yi Zhao <yi.zhao <AT> windriver <DOT> com>
AuthorDate: Mon Oct 18 06:56:45 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Nov 11 21:26:50 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=80a9de80

rngd: fixes for rngd

* allow rngd_t to read certificates
* allow rngd_t to getsched/setsched

Fixes:
avc: denied { search } for pid=332 comm="rngd" name="ssl" dev="vda"
ino=588 scontext=system_u:system_r:rngd_t
tcontext=system_u:object_r:cert_t tclass=dir permissive=1

avc: denied { read } for pid=332 comm="rngd" name="openssl.cnf"
dev="vda" ino=849 scontext=system_u:system_r:rngd_t
tcontext=system_u:object_r:cert_t tclass=file permissive=1

avc: denied { open } for pid=332 comm="rngd" path="/etc/ssl/openssl.cnf"
dev="vda" ino=849 scontext=system_u:system_r:rngd_t
tcontext=system_u:object_r:cert_t tclass=file permissive=1

avc: denied { getattr } for  pid=332 comm="rngd"
path="/etc/ssl/openssl.cnf" dev="vda" ino=849
scontext=system_u:system_r:rngd_t tcontext=system_u:object_r:cert_t
tclass=file permissive=1

avc: denied { getsched } for pid=370 comm="rngd"
scontext=system_u:system_r:rngd_t tcontext=system_u:system_r:rngd_t
tclass=process permissive=1

avc: denied { setsched } for pid=370 comm="rngd"
scontext=system_u:system_r:rngd_t tcontext=system_u:system_r:rngd_t
tclass=process permissive=1

Signed-off-by: Yi Zhao <yi.zhao <AT> windriver.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/rngd.te | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/policy/modules/services/rngd.te b/policy/modules/services/rngd.te
index 29dff428..177199e8 100644
--- a/policy/modules/services/rngd.te
+++ b/policy/modules/services/rngd.te
@@ -21,7 +21,7 @@ files_runtime_file(rngd_runtime_t)
 #
 
 allow rngd_t self:capability { ipc_lock sys_admin };
-allow rngd_t self:process signal;
+allow rngd_t self:process { setsched getsched signal };
 allow rngd_t self:fifo_file rw_fifo_file_perms;
 allow rngd_t self:unix_stream_socket { accept listen };
 
@@ -41,3 +41,4 @@ files_read_etc_files(rngd_t)
 logging_send_syslog_msg(rngd_t)
 
 miscfiles_read_localization(rngd_t)
+miscfiles_read_generic_certs(rngd_t)
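Review bot: the logged denials only show rngd reading /etc/ssl/openssl.cnf, whereas miscfiles_read_generic_certs(rngd_t) grants read on everything labelled cert_t, the certificate stores included. Since the denial shows openssl.cnf itself carries cert_t there is no narrower interface, so the grant is acceptable, but the commit message should say the access is for the OpenSSL configuration rather than certificates. Also note every listed denial is permissive=1; re-test in enforcing mode once these are granted to confirm nothing further surfaces.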



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2021-11-11 21:27 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2021-11-11 21:27 UTC (permalink / raw
  To: gentoo-commits

commit:     add661402e877f3191bc9c7438b4bd5181991eb7
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Sun Nov  7 01:13:43 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Nov 11 21:26:50 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=add66140

mta, spamassassin: fixes for rspamd

rspamc needs to be able to read the mail spool when learning spam and
ham.

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/mta.if          | 36 +++++++++++++++++++++++++++++++++
 policy/modules/services/spamassassin.te |  3 +++
 2 files changed, 39 insertions(+)

diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if
index 939ed4b7..c3c6069d 100644
--- a/policy/modules/services/mta.if
+++ b/policy/modules/services/mta.if
@@ -789,6 +789,42 @@ interface(`mta_dontaudit_rw_delivery_tcp_sockets',`
 	dontaudit $1 mailserver_delivery:tcp_socket { read write };
 ')
 
+#######################################
+## <summary>
+##	Allow listing the mail spool.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`mta_list_spool',`
+	gen_require(`
+		type mail_spool_t;
+	')
+
+	allow $1 mail_spool_t:dir list_dir_perms;
+')
+
+#######################################
+## <summary>
+##	Allow reading mail spool symlinks.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`mta_read_spool_symlinks',`
+	gen_require(`
+		type mail_spool_t;
+	')
+
+	allow $1 mail_spool_t:lnk_file read;
+')
+
 #######################################
 ## <summary>
 ##	Do not audit attempts to read
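Review bot: both new interfaces are allow rules, but their <param> summaries read "Domain to not audit.", copied from the dontaudit interface that follows; change both to "Domain allowed access." so the generated interface docs are not misleading. In mta_read_spool_symlinks, `allow $1 mail_spool_t:lnk_file read;` should use the refpolicy permission set, `allow $1 mail_spool_t:lnk_file read_lnk_file_perms;`, so that getattr is included as the other read_* interfaces do.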

diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te
index 4bd18541..89f7c70b 100644
--- a/policy/modules/services/spamassassin.te
+++ b/policy/modules/services/spamassassin.te
@@ -183,6 +183,7 @@ allow spamc_t self:fifo_file rw_fifo_file_perms;
 allow spamc_t self:unix_dgram_socket sendto;
 allow spamc_t self:unix_stream_socket { accept connectto listen };
 allow spamc_t self:tcp_socket { accept listen };
+dontaudit spamc_t self:capability dac_read_search;
 
 manage_dirs_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t)
 manage_files_pattern(spamc_t, spamc_tmp_t, spamc_tmp_t)
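Review bot: `dontaudit spamc_t self:capability dac_read_search;` silences rather than grants the capability, which is the right choice if rspamc merely probes paths it does not need; the commit message should state why the denial is expected (for example spool entries owned by another user), so a later reader does not turn the dontaudit into an allow.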
@@ -266,7 +267,9 @@ optional_policy(`
 optional_policy(`
 	mta_send_mail(spamc_t)
 	mta_getattr_spool(spamc_t)
+	mta_list_spool(spamc_t)
 	mta_read_spool_files(spamc_t)
+	mta_read_spool_symlinks(spamc_t)
 	mta_read_config(spamc_t)
 	mta_read_queue(spamc_t)
 	sendmail_rw_pipes(spamc_t)



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2021-11-11 21:27 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2021-11-11 21:27 UTC (permalink / raw
  To: gentoo-commits

commit:     c1abcfe2a688ab2fc08722e4565ec5a98455d8fa
Author:     Yi Zhao <yi.zhao <AT> windriver <DOT> com>
AuthorDate: Tue Mar  2 05:41:55 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Nov 11 21:26:50 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c1abcfe2

bind: fixes for bind

* add fcontext for /etc/rc.d/init.d/bind and /etc/bind/rndc.conf
* add getsched for named process

Fixes:
avc: denied { getsched } for pid=418 comm="named"
scontext=system_u:system_r:named_t tcontext=system_u:system_r:named_t
tclass=process permissive=0

Signed-off-by: Yi Zhao <yi.zhao <AT> windriver.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/bind.fc | 2 ++
 policy/modules/services/bind.te | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/policy/modules/services/bind.fc b/policy/modules/services/bind.fc
index ce68a0af..585103eb 100644
--- a/policy/modules/services/bind.fc
+++ b/policy/modules/services/bind.fc
@@ -1,8 +1,10 @@
 /etc/rc\.d/init\.d/named	--	gen_context(system_u:object_r:named_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/bind	--	gen_context(system_u:object_r:named_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/unbound	--	gen_context(system_u:object_r:named_initrc_exec_t,s0)
 
 /etc/bind(/.*)?	gen_context(system_u:object_r:named_zone_t,s0)
 /etc/bind/named\.conf.*	--	gen_context(system_u:object_r:named_conf_t,s0)
+/etc/bind/rndc\.conf.*	--	gen_context(system_u:object_r:named_conf_t,s0)
 /etc/bind/rndc\.key	--	gen_context(system_u:object_r:dnssec_t,s0)
 /etc/dnssec-trigger/dnssec_trigger_server\.key	--	gen_context(system_u:object_r:dnssec_t,s0)
 /etc/named\.rfc1912\.zones	--	gen_context(system_u:object_r:named_conf_t,s0)
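Review bot: /etc/bind/rndc\.conf.* is labelled named_conf_t while /etc/bind/rndc\.key in the line below stays dnssec_t. rndc.conf commonly just includes rndc.key, but it can also carry the key statement inline, in which case the shared secret becomes readable by every domain allowed to read named_conf_t. Confirm which layout the target system uses, or note that inline keys in rndc.conf are not covered by the dnssec_t protection.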

diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te
index bf50763b..623437e9 100644
--- a/policy/modules/services/bind.te
+++ b/policy/modules/services/bind.te
@@ -76,7 +76,7 @@ role ndc_roles types ndc_t;
 
 allow named_t self:capability { chown dac_override fowner setgid setuid sys_chroot sys_nice sys_resource };
 dontaudit named_t self:capability sys_tty_config;
-allow named_t self:process { setsched getcap setcap setrlimit signal_perms };
+allow named_t self:process { setsched getsched getcap setcap setrlimit signal_perms };
 allow named_t self:fifo_file rw_fifo_file_perms;
 allow named_t self:unix_stream_socket { accept listen };
 allow named_t self:tcp_socket { accept listen };



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2021-11-11 21:27 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2021-11-11 21:27 UTC (permalink / raw
  To: gentoo-commits

commit:     6d94401f337e269e4d915141530d913f7d0a00d8
Author:     Jonathan Davies <jpds <AT> protonmail <DOT> com>
AuthorDate: Mon Nov  8 15:59:36 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Nov 11 21:26:50 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6d94401f

virt.te: Fixed typo in virtlogd_t virt_common_runtime_t manage_files_pattern.

Signed-off-by: Jonathan Davies <jpds <AT> protonmail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/virt.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
index 85a132f0..bb81a0e3 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@@ -1380,7 +1380,7 @@ filetrans_pattern(virtlogd_t, virt_runtime_t, virtlogd_run_t, sock_file)
 files_runtime_filetrans(virtlogd_t, virtlogd_run_t, file)
 
 allow virtlogd_t virt_common_runtime_t:file append_file_perms;
-manage_files_pattern(virtlogd_t, virt_runtime_t, virt_common_runtime_t)
+manage_files_pattern(virtlogd_t, virt_common_runtime_t, virt_common_runtime_t)
 
 kernel_read_system_state(virtlogd_t)
 



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2021-11-11 21:27 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2021-11-11 21:27 UTC (permalink / raw
  To: gentoo-commits

commit:     14f5549af3808b0830f511ab951e534e8ac93a94
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Mon Nov  8 16:59:03 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Nov 11 21:26:50 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=14f5549a

git: fix typo in git hook exec access

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/git.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/services/git.if b/policy/modules/services/git.if
index 0e72e667..3684aa00 100644
--- a/policy/modules/services/git.if
+++ b/policy/modules/services/git.if
@@ -104,7 +104,7 @@ template(`git_client_role_template',`
 	auth_use_nsswitch($1_git_t)
 
 	# allow userdomains to exec git hooks
-	exec_files_pattern($3, git_home_t, git_home_t)
+	exec_files_pattern($3, git_home_hook_t, git_home_hook_t)
 	# transition back to the user domain when executing git hooks
 	domtrans_pattern($1_git_t, git_home_t, $3)
 
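Review bot: the exec rule now targets git_home_hook_t, but the next line still reads domtrans_pattern($1_git_t, git_home_t, $3); if hook scripts are labelled git_home_hook_t, that transition needs git_home_hook_t as its entrypoint as well, otherwise the "transition back to the user domain when executing git hooks" comment no longer describes the rule beneath it.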



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2021-11-11 21:27 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2021-11-11 21:27 UTC (permalink / raw
  To: gentoo-commits

commit:     d9d9625aac1689fb43498015b6ac36274ad21912
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Sun Nov  7 01:35:24 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Nov 11 21:26:50 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d9d9625a

ssh: fix for polyinstantiation

If using polyinstantiation, sshd needs to be able to create a new tmp
directory for remote users.

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/ssh.te | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index e386032f..96038e49 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -289,6 +289,11 @@ tunable_policy(`ssh_sysadm_login',`
 	userdom_signal_unpriv_users(sshd_t)
 ')
 
+tunable_policy(`allow_polyinstantiation',`
+	allow sshd_t self:capability dac_override;
+	files_relabel_generic_tmp_dirs(sshd_t)
+')
+
 optional_policy(`
 	daemontools_service_domain(sshd_t, sshd_exec_t)
 ')
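Review bot: dac_override is broader than the commit message ("create a new tmp directory for remote users") suggests; if sshd only needs to traverse or read directories owned by the logging-in user, dac_read_search is the narrower capability and should be tried first. The hunk also grants files_relabel_generic_tmp_dirs(sshd_t) but nothing for creating tmp directories, so either directory creation is already covered elsewhere (then say so) or the message should describe relabel as the missing access.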



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2021-11-11 21:27 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2021-11-11 21:27 UTC (permalink / raw
  To: gentoo-commits

commit:     04720823ab3408327def53ef33eb0e9ae07b0918
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Sun Nov  7 01:06:27 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Nov 11 21:26:50 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=04720823

dovecot, spamassassin: allow dovecot to execute spamc

Allow dovecot to execute spamc in order to learn spam and ham when a
user manipulates spam mails in their mailbox.

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/dovecot.te | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
index 04922bec..e6ca365a 100644
--- a/policy/modules/services/dovecot.te
+++ b/policy/modules/services/dovecot.te
@@ -226,6 +226,12 @@ optional_policy(`
 	sendmail_domtrans(dovecot_t)
 ')
 
+optional_policy(`
+	# execute the spamassassin or other spamd clients
+	# to learn spam and ham
+	spamassassin_exec_client(dovecot_t)
+')
+
 optional_policy(`
 	seutil_sigchld_newrole(dovecot_t)
 ')
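Review bot: spamassassin_exec_client(dovecot_t) runs spamc inside the dovecot_t domain rather than transitioning to spamc_t, so every access spamc then needs (spool, connection to spamd) is granted to dovecot_t itself; if a spamc_t domain transition interface exists, domtrans would keep dovecot's footprint smaller. The inline comment explaining the purpose is welcome and should stay.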



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2021-11-11 21:27 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2021-11-11 21:27 UTC (permalink / raw
  To: gentoo-commits

commit:     525fb46b40e90c3149d8807139a4ed407f069007
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Sun Nov  7 01:23:18 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Nov 11 21:26:50 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=525fb46b

certbot, various: allow various services to read certbot certs

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/apache.te  |  4 ++++
 policy/modules/services/certbot.if | 20 ++++++++++++++++++++
 policy/modules/services/dovecot.te |  4 ++++
 policy/modules/services/exim.te    |  4 ++++
 policy/modules/services/jabber.te  |  4 ++++
 policy/modules/services/postfix.te | 12 ++++++++++++
 6 files changed, 48 insertions(+)

diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
index 435297c1..79fdf1ae 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -757,6 +757,10 @@ optional_policy(`
 	calamaris_read_www_files(httpd_t)
 ')
 
+optional_policy(`
+	certbot_read_lib(httpd_t)
+')
+
 optional_policy(`
 	clamav_domtrans_clamscan(httpd_t)
 ')

diff --git a/policy/modules/services/certbot.if b/policy/modules/services/certbot.if
index d2276ef2..3a1141dc 100644
--- a/policy/modules/services/certbot.if
+++ b/policy/modules/services/certbot.if
@@ -44,3 +44,23 @@ interface(`certbot_run',`
 	certbot_domtrans($1)
 	role $2 types certbot_t;
 ')
+
+########################################
+## <summary>
+##	Read TLS certificates and keys
+##	generated by certbot.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`certbot_read_lib',`
+	gen_require(`
+		type certbot_lib_t;
+	')
+
+	search_dirs_pattern($1, certbot_lib_t, certbot_lib_t)
+	read_files_pattern($1, certbot_lib_t, certbot_lib_t)
+')
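Review bot: certbot_read_lib grants search_dirs_pattern and read_files_pattern only; if certbot_lib_t covers certbot's live/ tree, whose entries are symlinks into archive/, callers also need read_lnk_files_pattern($1, certbot_lib_t, certbot_lib_t) or the open will fail at the symlink. Also, as the summary says "certificates and keys", with a single certbot_lib_t type every service wired up in this commit can read the private keys as well as the certificates; that is expected for TLS-terminating daemons but deserves a sentence in the commit message.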

diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
index e6ca365a..b73c2211 100644
--- a/policy/modules/services/dovecot.te
+++ b/policy/modules/services/dovecot.te
@@ -198,6 +198,10 @@ tunable_policy(`use_samba_home_dirs',`
 	fs_manage_cifs_symlinks(dovecot_t)
 ')
 
+optional_policy(`
+	certbot_read_lib(dovecot_t)
+')
+
 optional_policy(`
 	kerberos_manage_host_rcache(dovecot_t)
 	kerberos_read_keytab(dovecot_t)

diff --git a/policy/modules/services/exim.te b/policy/modules/services/exim.te
index 6e106976..541747ba 100644
--- a/policy/modules/services/exim.te
+++ b/policy/modules/services/exim.te
@@ -182,6 +182,10 @@ tunable_policy(`exim_manage_user_files',`
 	userdom_manage_user_tmp_files(exim_t)
 ')
 
+optional_policy(`
+	certbot_read_lib(exim_t)
+')
+
 optional_policy(`
 	clamav_domtrans_clamscan(exim_t)
 	clamav_scannable_files(exim_spool_t)

diff --git a/policy/modules/services/jabber.te b/policy/modules/services/jabber.te
index 16f2d82d..827f9a20 100644
--- a/policy/modules/services/jabber.te
+++ b/policy/modules/services/jabber.te
@@ -121,6 +121,10 @@ sysnet_read_config(jabberd_t)
 userdom_dontaudit_use_unpriv_user_fds(jabberd_t)
 userdom_dontaudit_search_user_home_dirs(jabberd_t)
 
+optional_policy(`
+	certbot_read_lib(jabberd_t)
+')
+
 ########################################
 #
 # Router local policy

diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
index 25e31623..d6e284e4 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@@ -312,6 +312,10 @@ mta_spec_filetrans_aliases(postfix_master_t, postfix_etc_t, file)
 mta_read_sendmail_bin(postfix_master_t)
 mta_getattr_spool(postfix_master_t)
 
+optional_policy(`
+	certbot_read_lib(postfix_master_t)
+')
+
 optional_policy(`
 	cyrus_stream_connect(postfix_master_t)
 ')
@@ -763,6 +767,10 @@ rw_files_pattern(postfix_smtp_t, postfix_spool_maildrop_t, postfix_spool_maildro
 
 corenet_tcp_bind_generic_node(postfix_smtp_t)
 
+optional_policy(`
+	certbot_read_lib(postfix_smtp_t)
+')
+
 optional_policy(`
 	cyrus_stream_connect(postfix_smtp_t)
 ')
@@ -800,6 +808,10 @@ fs_getattr_all_fs(postfix_smtpd_t)
 mta_read_aliases(postfix_smtpd_t)
 mta_map_aliases(postfix_smtpd_t)
 
+optional_policy(`
+	certbot_read_lib(postfix_smtpd_t)
+')
+
 optional_policy(`
 	dbus_send_system_bus(postfix_smtp_t)
 	dbus_system_bus_client(postfix_smtp_t)



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2021-11-11 21:27 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2021-11-11 21:27 UTC (permalink / raw
  To: gentoo-commits

commit:     e91a62ad6b10e91e8723c5fc3600842758710bd4
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Tue Nov  9 16:00:29 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Nov 11 21:26:50 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e91a62ad

spamassassin: fix file contexts for rspamd symlinks

rspamd installs symlinks to /usr/bin that point to the real rspam*
binaries. Make these files bin_t so that other programs can read them
without any additional access needed.

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/spamassassin.fc | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/policy/modules/services/spamassassin.fc b/policy/modules/services/spamassassin.fc
index e42f44fa..9229ad2f 100644
--- a/policy/modules/services/spamassassin.fc
+++ b/policy/modules/services/spamassassin.fc
@@ -16,11 +16,8 @@ HOME_DIR/\.spamd(/.*)?			gen_context(system_u:object_r:spamd_home_t,s0)
 /usr/bin/spamd			--	gen_context(system_u:object_r:spamd_exec_t,s0)
 /usr/bin/spampd			--	gen_context(system_u:object_r:spamd_exec_t,s0)
 /usr/bin/sa-update		--	gen_context(system_u:object_r:spamd_update_exec_t,s0)
-/usr/bin/rspamd			-l	gen_context(system_u:object_r:spamd_exec_t,s0)
 /usr/bin/rspamd-[^/]+	--	gen_context(system_u:object_r:spamd_exec_t,s0)
-/usr/bin/rspamc			-l	gen_context(system_u:object_r:spamc_exec_t,s0)
 /usr/bin/rspamc-[^/]+	--	gen_context(system_u:object_r:spamc_exec_t,s0)
-/usr/bin/rspamadm		-l	gen_context(system_u:object_r:spamc_exec_t,s0)
 /usr/bin/rspamadm-[^/]+	--	gen_context(system_u:object_r:spamc_exec_t,s0)
 
 /usr/sbin/spamd			--	gen_context(system_u:object_r:spamd_exec_t,s0)
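Review bot: dropping the three -l entries lets the /usr/bin/rspam* symlinks fall back to the generic /usr/bin labelling (bin_t), as the message describes, while the rspamd-[^/]+ style entries keep labelling the real binaries. Worth confirming with `matchpathcon` or `restorecon -n -v` that no remaining spamassassin.fc pattern still matches the symlink names.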



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2021-11-11 21:27 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2021-11-11 21:27 UTC (permalink / raw
  To: gentoo-commits

commit:     e1e9dd3440862901e12b6a5bf5206f4939bf75e0
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Sun Nov  7 01:46:08 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Nov 11 21:26:50 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e1e9dd34

bind: fixes for unbound

Unbound maintains a copy of the root key in /etc/unbound/cache and needs
to be able to manage it.

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/bind.fc | 1 +
 policy/modules/services/bind.te | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/policy/modules/services/bind.fc b/policy/modules/services/bind.fc
index 585103eb..04d402cf 100644
--- a/policy/modules/services/bind.fc
+++ b/policy/modules/services/bind.fc
@@ -15,6 +15,7 @@
 /etc/rndc\.key	--	gen_context(system_u:object_r:dnssec_t,s0)
 /etc/unbound(/.*)?	gen_context(system_u:object_r:named_conf_t,s0)
 /etc/unbound/.*\.key	--	gen_context(system_u:object_r:dnssec_t,s0)
+/etc/unbound/cache(/.*)?		gen_context(system_u:object_r:dnssec_t,s0)
 
 /usr/bin/lwresd	--	gen_context(system_u:object_r:named_exec_t,s0)
 /usr/bin/named	--	gen_context(system_u:object_r:named_exec_t,s0)

diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te
index 623437e9..0081ed52 100644
--- a/policy/modules/services/bind.te
+++ b/policy/modules/services/bind.te
@@ -81,7 +81,8 @@ allow named_t self:fifo_file rw_fifo_file_perms;
 allow named_t self:unix_stream_socket { accept listen };
 allow named_t self:tcp_socket { accept listen };
 
-allow named_t dnssec_t:file read_file_perms;
+allow named_t dnssec_t:file manage_file_perms;
+filetrans_pattern(named_t, named_conf_t, dnssec_t, dir, "cache")
 
 allow named_t named_conf_t:dir list_dir_perms;
 read_files_pattern(named_t, named_conf_t, named_conf_t)
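Review bot: the change from read_file_perms to manage_file_perms applies to every dnssec_t file, not only the unbound cache, so named_t may now rewrite rndc.key and the other keys labelled dnssec_t in bind.fc; a dedicated type for /etc/unbound/cache would keep the key files read-only for the daemon. Also filetrans_pattern only grants rw_dir_perms on named_conf_t plus the type_transition: unless granted elsewhere, named_t has no dnssec_t:dir permissions to create or list the cache directory, so a manage_dirs_pattern(named_t, dnssec_t, dnssec_t) (or at minimum create_dir_perms) belongs alongside this rule.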



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2021-11-11 21:27 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2021-11-11 21:27 UTC (permalink / raw
  To: gentoo-commits

commit:     51e798e67270a76df71dcbda0fe71600824ef02b
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Sun Nov  7 01:41:34 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Nov 11 21:26:50 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=51e798e6

asterisk: allow reading generic certs

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/asterisk.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/services/asterisk.te b/policy/modules/services/asterisk.te
index 81891eb9..e1dbff10 100644
--- a/policy/modules/services/asterisk.te
+++ b/policy/modules/services/asterisk.te
@@ -147,6 +147,7 @@ auth_use_nsswitch(asterisk_t)
 logging_search_logs(asterisk_t)
 logging_send_syslog_msg(asterisk_t)
 
+miscfiles_read_generic_certs(asterisk_t)
 miscfiles_read_localization(asterisk_t)
 
 userdom_dontaudit_use_unpriv_user_fds(asterisk_t)



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2021-11-21 23:02 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2021-11-21 23:02 UTC (permalink / raw
  To: gentoo-commits

commit:     2b170190d1cf06ef79112b72ebf226799de128de
Author:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
AuthorDate: Sat Nov 20 22:48:37 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Nov 21 22:38:58 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2b170190

dbus: Add filetrans for /tmp/dbus-* session socket

Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/dbus.te | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index 7535509d..96983349 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -253,7 +253,8 @@ userdom_user_home_dir_filetrans(session_bus_type, session_dbusd_home_t, dir, ".d
 
 manage_dirs_pattern(session_bus_type, session_dbusd_tmp_t, session_dbusd_tmp_t)
 manage_files_pattern(session_bus_type, session_dbusd_tmp_t, session_dbusd_tmp_t)
-files_tmp_filetrans(session_bus_type, session_dbusd_tmp_t, { dir file })
+manage_sock_files_pattern(session_bus_type, session_dbusd_tmp_t, session_dbusd_tmp_t)
+files_tmp_filetrans(session_bus_type, session_dbusd_tmp_t, { dir file sock_file })
 
 manage_dirs_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_runtime_t)
 manage_files_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_runtime_t)
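Review bot: the sock_file transition carries no name filter, so every socket a session bus creates under /tmp gets session_dbusd_tmp_t, not only /tmp/dbus-*; that is consistent with the existing unnamed dir and file transitions on the same line, but the commit message's /tmp/dbus-* wording is narrower than the rule actually added.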



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2022-01-30  1:22 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2022-01-30  1:22 UTC (permalink / raw
  To: gentoo-commits

commit:     7312b188899d6ea718be9c885eb4a6f15ccd8aa7
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Thu Dec 23 15:55:53 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jan 30 01:12:42 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7312b188

container: add policy for privileged containers

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/container.te | 86 ++++++++++++++++++++++++++++++++++++
 1 file changed, 86 insertions(+)

diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te
index 7ab2765e..483cdcb2 100644
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@@ -22,6 +22,9 @@ attribute container_engine_user_domain;
 # containers which require network access
 attribute container_net_domain;
 
+# containers considered privileged
+attribute privileged_container_domain;
+
 attribute container_engine_exec_type;
 
 attribute container_mountpoint_type;
@@ -43,6 +46,13 @@ ifdef(`enable_mls',`
 ')
 mls_trusted_object(container_engine_t)
 
+type spc_t, container_domain, container_net_domain, container_system_domain, privileged_container_domain;
+domain_type(spc_t)
+role system_r types spc_t;
+
+type spc_user_t, container_domain, container_net_domain, container_user_domain, privileged_container_domain;
+domain_type(spc_user_t)
+
 type container_unit_t;
 init_unit_file(container_unit_t)
 
@@ -562,3 +572,79 @@ filetrans_pattern(container_engine_user_domain, container_data_home_t, container
 filetrans_pattern(container_engine_user_domain, container_data_home_t, container_ro_file_t, dir, "overlay2-images")
 filetrans_pattern(container_engine_user_domain, container_data_home_t, container_ro_file_t, dir, "overlay2-layers")
 filetrans_pattern(container_engine_user_domain, container_data_home_t, container_file_t, dir, "volumes")
+
+########################################
+#
+# Common privileged container local policy
+#
+
+allow privileged_container_domain container_file_t:file entrypoint;
+allow privileged_container_domain container_ro_file_t:file entrypoint;
+allow privileged_container_domain container_var_lib_t:file entrypoint;
+
+optional_policy(`
+	systemd_dbus_chat_machined(privileged_container_domain)
+	systemd_dbus_chat_logind(privileged_container_domain)
+')
+
+########################################
+#
+# spc local policy
+#
+# spc_t is the default type for containers created
+# with the --privileged (or similar) argument
+#
+
+# Containers run from an engine with the --privileged argument are not
+# restricted by the engine. One of these restrictions is a manual
+# transition to the default context for containers, usually container_t.
+# Instead of performing a manual transition when creating a restricted
+# container (default), we do an automatic transition to spc_t when
+# restrictions are disabled.
+domtrans_pattern(container_engine_system_domain, container_file_t, spc_t)
+domtrans_pattern(container_engine_system_domain, container_ro_file_t, spc_t)
+domtrans_pattern(container_engine_system_domain, container_var_lib_t, spc_t)
+
+allow container_engine_system_domain spc_t:process { setsched signal_perms };
+
+allow spc_t container_engine_system_domain:fifo_file rw_fifo_file_perms;
+
+init_dbus_chat(spc_t)
+
+optional_policy(`
+	dbus_system_bus_client(spc_t)
+	dbus_all_session_bus_client(spc_t)
+')
+
+optional_policy(`
+# If unconfined domains are enabled, spc is also unconfined
+	unconfined_domain_noaudit(spc_t)
+	domain_ptrace_all_domains(spc_t)
+')
+
+########################################
+#
+# spc user local policy
+#
+
+# Similar to above, automatically transition to spc_user_t when a
+# container engine runs a container with the --privileged argument
+domtrans_pattern(container_engine_user_domain, container_file_t, spc_user_t)
+domtrans_pattern(container_engine_user_domain, container_ro_file_t, spc_user_t)
+domtrans_pattern(container_engine_user_domain, container_var_lib_t, spc_user_t)
+fs_fusefs_domtrans(container_engine_user_domain, spc_user_t)
+
+allow container_engine_user_domain spc_user_t:process { setsched signal_perms };
+
+allow spc_user_t container_engine_user_domain:fifo_file rw_fifo_file_perms;
+
+optional_policy(`
+       dbus_system_bus_client(spc_user_t)
+       dbus_all_session_bus_client(spc_user_t)
+')
+
+optional_policy(`
+       # If unconfined domains are enabled, spc is also unconfined
+       unconfined_domain_noaudit(spc_user_t)
+       domain_ptrace_all_domains(spc_user_t)
+')
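Review bot: the two optional_policy blocks for spc_user_t at the end of the hunk are indented with spaces while the rest of the file uses tabs, and in the spc_t block the "If unconfined domains are enabled" comment sits at column zero instead of inside the block; both should be fixed before merge. On substance, spc_t and spc_user_t receive unconfined_domain_noaudit plus domain_ptrace_all_domains whenever the unconfined module is present, on top of entrypoint from container_file_t, container_ro_file_t and container_var_lib_t; that is the intended meaning of a privileged container, but the commit message should state plainly that --privileged containers become effectively unconfined so administrators enabling the unconfined module understand the consequence.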



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2022-01-30  1:22 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2022-01-30  1:22 UTC (permalink / raw
  To: gentoo-commits

commit:     9a4bd55ce8206aae6be8fcba774d5659d9daf8ce
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Fri Dec 31 19:04:16 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jan 30 01:12:42 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9a4bd55c

container: allow containers to read read-only container files

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/container.te | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te
index 483cdcb2..87ceaeda 100644
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@@ -137,6 +137,13 @@ rw_chr_files_pattern(container_domain, container_file_t, container_file_t)
 rw_blk_files_pattern(container_domain, container_file_t, container_file_t)
 allow container_domain container_file_t:dir_file_class_set watch;
 
+allow container_domain container_ro_file_t:blk_file read_blk_file_perms;
+allow container_domain container_ro_file_t:dir list_dir_perms;
+allow container_domain container_ro_file_t:chr_file read_chr_file_perms;
+allow container_domain container_ro_file_t:file { exec_file_perms read_file_perms };
+allow container_domain container_ro_file_t:lnk_file read_lnk_file_perms;
+allow container_domain container_ro_file_t:sock_file read_sock_file_perms;
+
 can_exec(container_domain, container_file_t)
 
 kernel_getattr_proc(container_domain)
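Review bot: the new rules grant more than the commit subject states: `exec_file_perms` on container_ro_file_t:file lets containers execute read-only content, not merely read it, so the subject should say read and execute (or the exec permission should be split out and justified). Style: refpolicy prefers the pattern macros (read_files_pattern, list_dirs_pattern, read_lnk_files_pattern, read_sock_files_pattern, ...) over hand-written allow lines, as the `rw_blk_files_pattern` line just above this block does. Note also that `watch` is granted on container_file_t:dir_file_class_set above but not on container_ro_file_t; that may be intended, but a comment would save the next reader from wondering.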



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2022-01-30  1:22 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2022-01-30  1:22 UTC (permalink / raw
  To: gentoo-commits

commit:     95d8a0674bc68569a236d0ee1fee0962829e360b
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Fri Jan 21 19:05:06 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jan 30 01:12:42 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=95d8a067

container: call podman access in container access

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/container.if | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/policy/modules/services/container.if b/policy/modules/services/container.if
index 3a229ead..d7ad3e84 100644
--- a/policy/modules/services/container.if
+++ b/policy/modules/services/container.if
@@ -283,6 +283,10 @@ template(`container_user_role',`
 
 		systemd_user_app_status($1, container_user_domain)
 	')
+
+	optional_policy(`
+		podman_user_role($1, $2, $3, $4)
+	')
 ')
 
 ########################################
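Review bot: the new optional_policy block is placed after the systemd block, but refpolicy sorts optional_policy blocks alphabetically by module, so the podman_user_role call belongs before the systemd_user_app_status block. Since this makes every caller of container_user_role also receive the rootless podman role (podman_user_role calls podman_run_user($3, $4), as shown later in this thread), the template's summary should state that it now includes podman access, so callers are not surprised by podman_user_t appearing in their role.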
@@ -797,4 +801,8 @@ interface(`container_admin',`
 
 	fs_search_tmpfs($1)
 	admin_pattern($1, container_engine_tmpfs_t)
+
+	optional_policy(`
+		podman_admin($1, $2)
+	')
 ')
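Review bot: the arguments line up with podman_admin's `podman_run($1, $2)` signature shown later in this thread, so the call itself is fine; what is missing is documentation: the description of container_admin should list podman among the engines the admin role can now manage, mirroring this optional_policy block, since an administrator enabling container_admin gets podman_t in their role without asking for it.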



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2022-01-30  1:22 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2022-01-30  1:22 UTC (permalink / raw
  To: gentoo-commits

commit:     dec4d917db0fc74b940f6e21dc10d41f99920f7a
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Sat Nov 13 01:33:52 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jan 30 01:12:42 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=dec4d917

container: add tunable for containers to manage cgroups

systemd running inside containers needs to be able to manage cgroups.
Add this feature behind a tunable.

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/container.te | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te
index 87ceaeda..015d9f2d 100644
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@@ -1,5 +1,14 @@
 policy_module(container)
 
+## <desc>
+##	<p>
+##	Allow containers to manage cgroups.
+##	This is required for systemd to run inside
+##	containers.
+##	</p>
+## </desc>
+gen_tunable(container_manage_cgroup, false)
+
 ########################################
 #
 # Declarations
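Review bot: the <desc> says what the tunable is for but not what it costs: fs_manage_cgroup_dirs and fs_manage_cgroup_files on every container_domain let any container, not only those running systemd, create, delete and rewrite the cgroup directories and files it can reach, which includes resource limits and controller settings in the host hierarchy. Say in the description that enabling it weakens container isolation and is only needed for containers that run systemd as init, so an administrator flipping the boolean knows the trade-off.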
@@ -202,6 +211,11 @@ mta_dontaudit_read_spool_symlinks(container_domain)
 
 container_use_container_ptys(container_domain)
 
+tunable_policy(`container_manage_cgroup',`
+	fs_manage_cgroup_dirs(container_domain)
+	fs_manage_cgroup_files(container_domain)
+')
+
 optional_policy(`
 	udev_read_runtime_files(container_domain)
 ')
@@ -280,7 +294,6 @@ dev_read_urand(container_t)
 files_read_kernel_modules(container_t)
 
 fs_mount_cgroup(container_t)
-fs_manage_cgroup_dirs(container_t)
 fs_rw_cgroup_files(container_t)
 
 auth_use_nsswitch(container_t)
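Review bot: this is a behaviour change that the commit message does not mention: container_t previously had fs_manage_cgroup_dirs unconditionally and now only gets it with container_manage_cgroup=true (default false), while fs_rw_cgroup_files(container_t) stays unconditional. Existing deployments that relied on the old rule will see new AVC denials on cgroup directories after upgrading; call this out in the commit message, and if unconditional rw on cgroup files is still wanted by default, a comment should say why that is acceptable when directory management is not.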



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2022-01-30  1:22 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2022-01-30  1:22 UTC (permalink / raw
  To: gentoo-commits

commit:     3973d1bd59980dc6e122e2b8b759c03937de9173
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Fri Jan 21 19:05:31 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jan 30 01:12:42 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3973d1bd

container: call docker access in container access

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/container.if | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/policy/modules/services/container.if b/policy/modules/services/container.if
index 58e8c470..28699f52 100644
--- a/policy/modules/services/container.if
+++ b/policy/modules/services/container.if
@@ -284,6 +284,10 @@ template(`container_user_role',`
 		systemd_user_app_status($1, container_user_domain)
 	')
 
+	optional_policy(`
+		docker_user_role($1, $2, $3, $4)
+	')
+
 	optional_policy(`
 		podman_user_role($1, $2, $3, $4)
 	')
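Review bot: the docker_user_role block is inserted between the systemd and podman blocks; with refpolicy's alphabetical ordering of optional_policy blocks the sequence would be docker, podman, systemd, so both engine blocks should precede the systemd_user_app_status block. The call itself passes the template's four arguments through unchanged, matching the podman_user_role call directly below it.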
@@ -1323,6 +1327,10 @@ interface(`container_admin',`
 	fs_search_tmpfs($1)
 	admin_pattern($1, container_engine_tmpfs_t)
 
+	optional_policy(`
+		docker_admin($1, $2)
+	')
+
 	optional_policy(`
 		podman_admin($1, $2)
 	')



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2022-01-30  1:22 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2022-01-30  1:22 UTC (permalink / raw
  To: gentoo-commits

commit:     08ba013322d222832ac979d0ca4b72dbdd153511
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Thu Dec  2 20:04:22 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jan 30 01:12:42 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=08ba0133

container: add tunable to allow engines to mounton non security

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/container.te | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te
index 35613b23..82de38ee 100644
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@@ -9,6 +9,13 @@ policy_module(container)
 ## </desc>
 gen_tunable(container_manage_cgroup, false)
 
+## <desc>
+##	<p>
+##	Allow container engines to mount on all non-security files.
+##	</p>
+## </desc>
+gen_tunable(container_mounton_non_security, false)
+
 ## <desc>
 ##	<p>
 ##	Allow containers to use NFS filesystems.
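Review bot: the description undersells what files_mounton_non_security grants: mounting over any file or directory that is not a security_file_type is close to any host path, so an engine with this boolean on can bind-mount over host directories regardless of their label. The <desc> should name the engine operation that needs it (the commit message gives no rationale) and say that it should stay off unless that operation is actually used, so the boolean is not enabled as a generic "make it work" switch.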
@@ -506,6 +513,10 @@ ifdef(`init_systemd',`
 	init_run_bpf(container_engine_domain)
 ')
 
+tunable_policy(`container_mounton_non_security',`
+	files_mounton_non_security(container_engine_domain)
+')
+
 tunable_policy(`container_use_nfs',`
 	fs_manage_nfs_dirs(container_engine_domain)
 	fs_manage_nfs_files(container_engine_domain)



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2022-01-30  1:22 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2022-01-30  1:22 UTC (permalink / raw
  To: gentoo-commits

commit:     12977dbcd922fd1bc6175ed523033d08133e7718
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Fri Dec 31 19:47:00 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jan 30 01:12:42 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=12977dbc

container, podman: add policy for conmon

Make conmon run in a separate domain and allow podman types to
transition to it.

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/container.if | 406 +++++++++++++++++++++++++++++++++++
 policy/modules/services/podman.fc    |   1 +
 policy/modules/services/podman.if    |  98 +++++++++
 policy/modules/services/podman.te    | 162 +++++++++++++-
 4 files changed, 665 insertions(+), 2 deletions(-)

diff --git a/policy/modules/services/container.if b/policy/modules/services/container.if
index 92b5a2f7..1c1950c7 100644
--- a/policy/modules/services/container.if
+++ b/policy/modules/services/container.if
@@ -356,6 +356,52 @@ interface(`container_engine_executable_file',`
 	application_executable_file($1)
 ')
 
+########################################
+## <summary>
+##	Execute a generic container engine
+##	executable with an automatic transition
+##	to a private type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="target_domain">
+##	<summary>
+##	The type of the new process.
+##	</summary>
+## </param>
+#
+interface(`container_generic_engine_domtrans',`
+	gen_require(`
+		type container_engine_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, container_engine_exec_t, $2)
+')
+
+########################################
+## <summary>
+##	Allow the generic container engine
+##	executables to be an entrypoint
+##	for the specified domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_engine_executable_entrypoint',`
+	gen_require(`
+		type container_engine_exec_t;
+	')
+
+	allow $1 container_engine_exec_t:file entrypoint;
+')
+
 ########################################
 ## <summary>
 ##	Send and receive messages from
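Review bot: container_generic_engine_domtrans lets the caller transition to an arbitrary $2 on executing container_engine_exec_t, and container_engine_executable_entrypoint makes that binary an entrypoint for $1; combined in podman.te later in this patch (container_generic_engine_domtrans(podman_conmon_t, podman_t) plus container_engine_executable_entrypoint(podman_t)), the effect is that crun/runc started by conmon run as podman_t, the full engine domain, rather than in a runtime domain of their own. That may be the pragmatic choice, but the summary of container_generic_engine_domtrans should say that $2 must already have container_engine_exec_t as an entrypoint, and the podman.te comment should spell out that the OCI runtime ends up with the engine's full policy.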
@@ -377,6 +423,115 @@ interface(`container_engine_dbus_chat',`
 	allow container_engine_domain $1:dbus send_msg;
 ')
 
+########################################
+## <summary>
+##	Allow the specified domain to manage
+##	container engine temporary files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_manage_engine_tmp_files',`
+	gen_require(`
+		type container_engine_tmp_t;
+	')
+
+	files_search_tmp($1)
+	allow $1 container_engine_tmp_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to manage
+##	container engine temporary named sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_manage_engine_tmp_sock_files',`
+	gen_require(`
+		type container_engine_tmp_t;
+	')
+
+	files_search_tmp($1)
+	allow $1 container_engine_tmp_t:sock_file manage_sock_file_perms;
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to create
+##	objects in generic temporary directories
+##	with an automatic type transition to
+##	the container engine temporary file type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="object">
+##	<summary>
+##	The object class of the object being created.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`container_engine_tmp_filetrans',`
+	gen_require(`
+		type container_engine_tmp_t;
+	')
+
+	files_tmp_filetrans($1, container_engine_tmp_t, $2, $3)
+')
+
+########################################
+## <summary>
+##	Read the process state (/proc/pid)
+##	of all system containers.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_read_system_container_state',`
+	gen_require(`
+		attribute container_system_domain;
+	')
+
+	ps_process_pattern($1, container_system_domain)
+')
+
+########################################
+## <summary>
+##	Read the process state (/proc/pid)
+##	of all user containers.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_read_user_container_state',`
+	gen_require(`
+		attribute container_user_domain;
+	')
+
+	ps_process_pattern($1, container_user_domain)
+')
+
 ########################################
 ## <summary>
 ##	All of the permissions necessary
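Review bot: container_manage_engine_tmp_files and container_manage_engine_tmp_sock_files use raw allow rules on container_engine_tmp_t:file / :sock_file plus files_search_tmp($1), so they only cover objects created directly in /tmp; if an engine ever creates a container_engine_tmp_t directory and places objects under it, the caller additionally needs search on container_engine_tmp_t:dir. Using manage_files_pattern($1, container_engine_tmp_t, container_engine_tmp_t) and manage_sock_files_pattern, as the *_runtime_* and *_var_lib_* interfaces later in this patch do, would cover both layouts and match the file's conventions. Nit: `## <param name="name" optional="true">` in container_engine_tmp_filetrans is correct, since files_tmp_filetrans takes an optional name; good.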
@@ -611,6 +766,25 @@ interface(`container_manage_sock_files',`
 	manage_sock_files_pattern($1, container_file_t, container_file_t)
 ')
 
+########################################
+## <summary>
+##	Allow the specified domain to read
+##	and write container chr files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_rw_chr_files',`
+	gen_require(`
+		type container_file_t;
+	')
+
+	allow $1 container_file_t:chr_file rw_chr_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to read
@@ -701,6 +875,65 @@ interface(`container_config_home_filetrans',`
 	xdg_config_filetrans($1, container_conf_home_t, $2, $3)
 ')
 
+########################################
+## <summary>
+##	Allow the specified domain to
+##	manage container data home files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_manage_home_data_files',`
+	gen_require(`
+		type container_data_home_t;
+	')
+
+	manage_files_pattern($1, container_data_home_t, container_data_home_t)
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to
+##	manage container data home named
+##	pipes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_manage_home_data_fifo_files',`
+	gen_require(`
+		type container_data_home_t;
+	')
+
+	manage_fifo_files_pattern($1, container_data_home_t, container_data_home_t)
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to
+##	manage container data home named
+##	sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_manage_home_data_sock_files',`
+	gen_require(`
+		type container_data_home_t;
+	')
+
+	manage_sock_files_pattern($1, container_data_home_t, container_data_home_t)
+')
+
 ########################################
 ## <summary>
 ##	Allow the specified domain to
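Review bot: the three container_manage_home_data_* interfaces do not search their way to container_data_home_t; the caller must separately call userdom_search_user_home_dirs and xdg_search_data_dirs (as podman.te does further down in this patch). Other interfaces in the same patch bundle the search (container_search_runtime calls files_search_runtime, container_search_var_lib calls files_search_var_lib); either add xdg_search_data_dirs($1) here or state the requirement in the summaries so other callers do not trip over it.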
@@ -760,6 +993,179 @@ interface(`container_getattr_fs',`
 	allow $1 container_file_t:filesystem getattr;
 ')
 
+########################################
+## <summary>
+##	Allow the specified domain to search
+##	runtime container directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_search_runtime',`
+	gen_require(`
+		type container_runtime_t;
+	')
+
+	files_search_runtime($1)
+	allow $1 container_runtime_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to manage
+##	runtime container files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_manage_runtime_files',`
+	gen_require(`
+		type container_runtime_t;
+	')
+
+	manage_files_pattern($1, container_runtime_t, container_runtime_t)
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to manage
+##	runtime container named pipes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_manage_runtime_fifo_files',`
+	gen_require(`
+		type container_runtime_t;
+	')
+
+	manage_fifo_files_pattern($1, container_runtime_t, container_runtime_t)
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to manage
+##	runtime container named sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_manage_runtime_sock_files',`
+	gen_require(`
+		type container_runtime_t;
+	')
+
+	manage_sock_files_pattern($1, container_runtime_t, container_runtime_t)
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to manage
+##	user runtime container files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_manage_user_runtime_files',`
+	gen_require(`
+		type container_user_runtime_t;
+	')
+
+	manage_files_pattern($1, container_user_runtime_t, container_user_runtime_t)
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to search
+##	container directories in /var/lib.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_search_var_lib',`
+	gen_require(`
+		type container_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	allow $1 container_var_lib_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to manage
+##	container files in /var/lib.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_manage_var_lib_files',`
+	gen_require(`
+		type container_var_lib_t;
+	')
+
+	manage_files_pattern($1, container_var_lib_t, container_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to manage
+##	container named pipes in /var/lib.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_manage_var_lib_fifo_files',`
+	gen_require(`
+		type container_var_lib_t;
+	')
+
+	manage_fifo_files_pattern($1, container_var_lib_t, container_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to manage
+##	container named sockets in /var/lib.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_manage_var_lib_sock_files',`
+	gen_require(`
+		type container_var_lib_t;
+	')
+
+	manage_sock_files_pattern($1, container_var_lib_t, container_var_lib_t)
+')
+
 ########################################
 ## <summary>
 ##	All of the rules required to
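Review bot: the runtime, user runtime and var_lib families cover files, named pipes and named sockets but not directories, so a caller can create a socket inside an existing container_runtime_t directory but cannot create or remove the per-container directory itself; if that is deliberate (the engine owns the directories, conmon only populates them) a sentence in the summaries would make the intended division of labour clear. Also, container_manage_user_runtime_files has no matching container_search_user_runtime helper while the runtime and var_lib families do; podman.te compensates with userdom_search_user_runtime_root/userdom_search_user_runtime, which works but is inconsistent.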

diff --git a/policy/modules/services/podman.fc b/policy/modules/services/podman.fc
index fbf11fed..ece2d0dc 100644
--- a/policy/modules/services/podman.fc
+++ b/policy/modules/services/podman.fc
@@ -1 +1,2 @@
 /usr/bin/podman	--	gen_context(system_u:object_r:podman_exec_t,s0)
+/usr/bin/conmon	--	gen_context(system_u:object_r:podman_conmon_exec_t,s0)

diff --git a/policy/modules/services/podman.if b/policy/modules/services/podman.if
index a57ca9dc..3d03884e 100644
--- a/policy/modules/services/podman.if
+++ b/policy/modules/services/podman.if
@@ -94,6 +94,100 @@ interface(`podman_run_user',`
 	podman_domtrans_user($1)
 ')
 
+########################################
+## <summary>
+##	Execute conmon in the conmon domain.
+## </summary>
+## <param name="domain">
+## 	<summary>
+##	Domain allowed to transition.
+## 	</summary>
+## </param>
+#
+interface(`podman_domtrans_conmon',`
+	gen_require(`
+		type podman_conmon_t, podman_conmon_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, podman_conmon_exec_t, podman_conmon_t)
+')
+
+########################################
+## <summary>
+##	Execute conmon in the conmon domain,
+##	and allow the specified role the
+##	conmon domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the conmon domain.
+##	</summary>
+## </param>
+#
+interface(`podman_run_conmon',`
+	gen_require(`
+		type podman_conmon_t;
+	')
+
+	role $2 types podman_conmon_t;
+
+	podman_domtrans_conmon($1)
+')
+
+########################################
+## <summary>
+##	Execute conmon in the conmon user
+##	domain (rootless podman).
+## </summary>
+## <param name="domain">
+## 	<summary>
+##	Domain allowed to transition.
+## 	</summary>
+## </param>
+#
+interface(`podman_domtrans_conmon_user',`
+	gen_require(`
+		type podman_conmon_user_t, podman_conmon_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, podman_conmon_exec_t, podman_conmon_user_t)
+')
+
+########################################
+## <summary>
+##	Execute conmon in the conmon user
+##	domain, and allow the specified role
+##	the conmon user domain (rootless
+##	podman).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the conmon domain.
+##	</summary>
+## </param>
+#
+interface(`podman_run_conmon_user',`
+	gen_require(`
+		type podman_conmon_user_t;
+	')
+
+	role $2 types podman_conmon_user_t;
+
+	podman_domtrans_conmon_user($1)
+')
+
 ########################################
 ## <summary>
 ##	Role access for rootless podman.
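Review bot: whitespace nit: in podman_domtrans_conmon and podman_domtrans_conmon_user the domain parameter's `<summary>` tags are written as `## 	<summary>` (a space before the tab) whereas every other doc line in this hunk uses `##` followed directly by a tab; the doc extractor does not care, but keep it consistent. Wording: the role parameter of podman_run_conmon_user says "The role to be allowed the conmon domain." where the conmon user domain is meant.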
@@ -124,9 +218,11 @@ interface(`podman_run_user',`
 template(`podman_user_role',`
 	gen_require(`
 		type podman_user_t;
+		type podman_conmon_user_t;
 	')
 
 	podman_run_user($3, $4)
+	podman_run_conmon_user($3, $4)
 
 	optional_policy(`
 		dbus_spec_session_bus_client($1, podman_user_t)
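Review bot: nit: gen_require now lists `type podman_user_t;` and `type podman_conmon_user_t;` on separate lines; refpolicy style combines them into a single `type podman_user_t, podman_conmon_user_t;` declaration, as the new interfaces above already do with `type podman_conmon_t, podman_conmon_exec_t;`.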
@@ -134,6 +230,7 @@ template(`podman_user_role',`
 
 	optional_policy(`
 		systemd_user_app_status($1, podman_user_t)
+		systemd_user_app_status($1, podman_conmon_user_t)
 	')
 ')
 
@@ -157,4 +254,5 @@ template(`podman_user_role',`
 #
 interface(`podman_admin',`
 	podman_run($1, $2)
+	podman_run_conmon($1, $2)
 ')

diff --git a/policy/modules/services/podman.te b/policy/modules/services/podman.te
index 2bdd2f27..6efd2cd1 100644
--- a/policy/modules/services/podman.te
+++ b/policy/modules/services/podman.te
@@ -17,14 +17,30 @@ ifdef(`enable_mls',`
 mls_trusted_object(podman_t)
 
 container_engine_domain_template(podman_user)
+container_user_engine(podman_user_t)
 application_domain(podman_user_t, podman_exec_t)
 mls_trusted_object(podman_user_t)
 
+type podman_conmon_t;
+type podman_conmon_exec_t;
+application_domain(podman_conmon_t, podman_conmon_exec_t)
+
+type podman_conmon_user_t;
+application_domain(podman_conmon_user_t, podman_conmon_exec_t)
+
 ########################################
 #
 # Podman local policy
 #
 
+allow podman_t podman_conmon_t:process { setsched signull };
+allow podman_t podman_conmon_t:fifo_file setattr;
+allow podman_t podman_conmon_t:unix_stream_socket { connectto rw_stream_socket_perms };
+
+container_engine_executable_entrypoint(podman_t)
+
+domtrans_pattern(podman_t, podman_conmon_exec_t, podman_conmon_t)
+
 logging_send_syslog_msg(podman_t)
 
 userdom_list_user_home_content(podman_t)
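Review bot: `+container_user_engine(podman_user_t)` is unrelated to conmon and is not mentioned in the commit message, which only says conmon gets a separate domain; it belongs in its own commit with its own explanation. The direct `domtrans_pattern(podman_t, podman_conmon_exec_t, podman_conmon_t)` duplicates podman_domtrans_conmon() added in podman.if; a direct rule inside the owning module is acceptable, but `container_engine_executable_entrypoint(podman_t)` deserves a comment, since it is the rule that lets conmon's exec of crun/runc land in podman_t via container_generic_engine_domtrans further down.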
@@ -38,11 +54,11 @@ userdom_relabel_generic_user_home_files(podman_t)
 container_config_home_filetrans(podman_t, dir)
 container_manage_home_config(podman_t)
 
+container_manage_sock_files(podman_t)
+
 ifdef(`init_systemd',`
 	init_dbus_chat(podman_t)
 	init_setsched(podman_t)
-	init_get_generic_units_status(podman_t)
-	init_start_generic_units(podman_t)
 	init_start_system(podman_t)
 	init_stop_system(podman_t)
 
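Review bot: the removal of init_get_generic_units_status(podman_t) and init_start_generic_units(podman_t) is a silent behaviour change for the podman domain itself: the two calls reappear for podman_conmon_t in the last hunk, but nothing in the commit message says podman_t no longer needs them. If podman still creates or queries transient units from its own domain this will surface as new denials; state why the move is safe, or keep the rules in both domains until that is confirmed.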
@@ -58,6 +74,14 @@ ifdef(`init_systemd',`
 # Rootless Podman local policy
 #
 
+allow podman_user_t podman_conmon_user_t:process signull;
+allow podman_user_t podman_conmon_user_t:fifo_file setattr;
+allow podman_user_t podman_conmon_user_t:unix_stream_socket { connectto rw_stream_socket_perms };
+
+container_engine_executable_entrypoint(podman_user_t)
+
+domtrans_pattern(podman_user_t, podman_conmon_exec_t, podman_conmon_user_t)
+
 # required by slirp4netns
 files_mounton_etc_dirs(podman_user_t)
 # required by slirp4netns
@@ -110,3 +134,137 @@ ifdef(`init_systemd',`
 	systemd_list_journal_dirs(podman_user_t)
 	systemd_read_journal_files(podman_user_t)
 ')
+
+########################################
+#
+# conmon local policy
+#
+
+allow podman_conmon_t self:process signal;
+allow podman_conmon_t self:capability { dac_override dac_read_search sys_ptrace sys_resource };
+allow podman_conmon_t self:cap_userns sys_ptrace;
+allow podman_conmon_t self:fifo_file { rw_fifo_file_perms setattr };
+allow podman_conmon_t self:unix_dgram_socket create_socket_perms;
+dontaudit podman_conmon_t self:capability net_admin;
+
+# conmon will execute crun/runc to create the container
+container_generic_engine_domtrans(podman_conmon_t, podman_t)
+podman_domtrans(podman_conmon_t)
+
+allow podman_conmon_t podman_t:tcp_socket rw_stream_socket_perms;
+allow podman_conmon_t podman_t:unix_stream_socket rw_stream_socket_perms;
+allow podman_conmon_t podman_t:unix_dgram_socket rw_socket_perms;
+ps_process_pattern(podman_conmon_t, podman_t)
+
+domain_use_interactive_fds(podman_conmon_t)
+
+fs_getattr_cgroup(podman_conmon_t)
+fs_search_cgroup_dirs(podman_conmon_t)
+fs_read_cgroup_files(podman_conmon_t)
+fs_watch_cgroup_files(podman_conmon_t)
+
+fs_getattr_tmpfs(podman_conmon_t)
+fs_getattr_xattr_fs(podman_conmon_t)
+
+logging_send_syslog_msg(podman_conmon_t)
+
+miscfiles_read_localization(podman_conmon_t)
+
+userdom_use_user_ptys(podman_conmon_t)
+
+container_read_system_container_state(podman_conmon_t)
+
+# to send/receive data from container ttys
+container_rw_chr_files(podman_conmon_t)
+
+container_manage_runtime_files(podman_conmon_t)
+container_manage_runtime_fifo_files(podman_conmon_t)
+container_manage_runtime_sock_files(podman_conmon_t)
+
+container_search_var_lib(podman_conmon_t)
+container_manage_var_lib_files(podman_conmon_t)
+container_manage_var_lib_fifo_files(podman_conmon_t)
+container_manage_var_lib_sock_files(podman_conmon_t)
+
+container_engine_tmp_filetrans(podman_conmon_t, { file sock_file })
+container_manage_engine_tmp_files(podman_conmon_t)
+container_manage_engine_tmp_sock_files(podman_conmon_t)
+
+ifdef(`init_systemd',`
+	init_get_generic_units_status(podman_conmon_t)
+	init_start_generic_units(podman_conmon_t)
+	init_start_system(podman_conmon_t)
+	init_stop_system(podman_conmon_t)
+
+	# conmon can read logs from containers which are
+	# sent to the system journal
+	logging_search_logs(podman_conmon_t)
+	systemd_list_journal_dirs(podman_conmon_t)
+	systemd_read_journal_files(podman_conmon_t)
+')
+
+optional_policy(`
+	iptables_domtrans(podman_conmon_t)
+')
+
+########################################
+#
+# Rootless conmon local policy
+#
+
+allow podman_conmon_user_t self:process signal;
+allow podman_conmon_user_t self:cap_userns sys_ptrace;
+allow podman_conmon_user_t self:fifo_file { rw_fifo_file_perms setattr };
+allow podman_conmon_user_t self:unix_dgram_socket create_socket_perms;
+
+ps_process_pattern(podman_conmon_user_t, podman_user_t)
+allow podman_conmon_user_t podman_user_t:process signal;
+allow podman_conmon_user_t podman_user_t:unix_stream_socket rw_stream_socket_perms;
+allow podman_conmon_user_t podman_user_t:unix_dgram_socket rw_socket_perms;
+
+# conmon will execute crun/runc to create the container
+container_generic_engine_domtrans(podman_conmon_user_t, podman_user_t)
+podman_domtrans_user(podman_conmon_user_t)
+
+domain_use_interactive_fds(podman_conmon_user_t)
+
+fs_getattr_cgroup(podman_conmon_user_t)
+fs_search_cgroup_dirs(podman_conmon_user_t)
+fs_read_cgroup_files(podman_conmon_user_t)
+fs_watch_cgroup_files(podman_conmon_user_t)
+
+fs_getattr_tmpfs(podman_conmon_user_t)
+fs_getattr_xattr_fs(podman_conmon_user_t)
+
+logging_send_syslog_msg(podman_conmon_user_t)
+
+miscfiles_read_localization(podman_conmon_user_t)
+
+userdom_use_user_ptys(podman_conmon_user_t)
+
+container_read_user_container_state(podman_conmon_user_t)
+
+# to send/receive data from container ttys
+container_rw_chr_files(podman_conmon_user_t)
+
+userdom_search_user_home_dirs(podman_conmon_user_t)
+xdg_search_data_dirs(podman_conmon_user_t)
+container_manage_home_data_files(podman_conmon_user_t)
+container_manage_home_data_fifo_files(podman_conmon_user_t)
+container_manage_home_data_sock_files(podman_conmon_user_t)
+
+userdom_search_user_runtime_root(podman_conmon_user_t)
+userdom_search_user_runtime(podman_conmon_user_t)
+container_manage_user_runtime_files(podman_conmon_user_t)
+
+container_engine_tmp_filetrans(podman_conmon_user_t, { file sock_file })
+container_manage_engine_tmp_files(podman_conmon_user_t)
+container_manage_engine_tmp_sock_files(podman_conmon_user_t)
+
+ifdef(`init_systemd',`
+	# conmon can read logs from containers which are
+	# sent to the system journal
+	logging_search_logs(podman_conmon_user_t)
+	systemd_list_journal_dirs(podman_conmon_user_t)
+	systemd_read_journal_files(podman_conmon_user_t)
+')
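Review bot: two choices in the conmon block need either a comment or a narrower rule. First, `dac_override` on podman_conmon_t is broad: together with dac_read_search it lets conmon bypass DAC entirely; if the need is only to traverse and read container directories owned by other UIDs, dac_read_search alone covers it, so say what requires the write-side override. Second, the optional `iptables_domtrans(podman_conmon_t)` next to `podman_domtrans(podman_conmon_t)`: conmon re-executes podman for container cleanup, and that runs as podman_t, so it is not obvious why conmon itself needs to exec iptables; the `dontaudit podman_conmon_t self:capability net_admin` line suggests the same code path. Document the trigger (an AVC excerpt in the commit message would do) or drop it. Finally, the comment `# conmon will execute crun/runc to create the container` sits above a transition to podman_t, so the OCI runtime inherits the full engine policy; say that explicitly, and note that the rootless block correctly grants no capabilities at all.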



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2022-01-30  1:22 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2022-01-30  1:22 UTC (permalink / raw
  To: gentoo-commits

commit:     c293797e2f2a99b76d81bb1fc89ffbd4d5955e0f
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Sat Nov 27 20:08:52 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jan 30 01:12:42 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c293797e

container: add tunables for containers to use nfs and cifs

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/container.te | 51 ++++++++++++++++++++++++++++++++++++
 1 file changed, 51 insertions(+)

diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te
index 015d9f2d..35613b23 100644
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@@ -9,6 +9,20 @@ policy_module(container)
 ## </desc>
 gen_tunable(container_manage_cgroup, false)
 
+## <desc>
+##	<p>
+##	Allow containers to use NFS filesystems.
+##	</p>
+## </desc>
+gen_tunable(container_use_nfs, false)
+
+## <desc>
+##	<p>
+##	Allow containers to use CIFS filesystems.
+##	</p>
+## </desc>
+gen_tunable(container_use_samba, false)
+
 ########################################
 #
 # Declarations
@@ -216,6 +230,22 @@ tunable_policy(`container_manage_cgroup',`
 	fs_manage_cgroup_files(container_domain)
 ')
 
+tunable_policy(`container_use_nfs',`
+	fs_manage_nfs_dirs(container_domain)
+	fs_manage_nfs_files(container_domain)
+	fs_manage_nfs_named_sockets(container_domain)
+	fs_read_nfs_symlinks(container_domain)
+	fs_exec_nfs_files(container_domain)
+')
+
+tunable_policy(`container_use_samba',`
+	fs_manage_cifs_dirs(container_domain)
+	fs_manage_cifs_files(container_domain)
+	fs_manage_cifs_named_sockets(container_domain)
+	fs_read_cifs_symlinks(container_domain)
+	fs_exec_cifs_files(container_domain)
+')
+
 optional_policy(`
 	udev_read_runtime_files(container_domain)
 ')
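Review bot: `fs_exec_nfs_files(container_domain)` and `fs_exec_cifs_files(container_domain)` let every container execute binaries straight from a network share once the boolean is set, which goes beyond the "use" that the tunable descriptions promise. If workloads genuinely need this, state it in the `<desc>` so the operator knows that flipping the boolean also permits execution from the share; otherwise keep the manage/read rules and drop the exec rule from the container side.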
@@ -476,6 +506,27 @@ ifdef(`init_systemd',`
 	init_run_bpf(container_engine_domain)
 ')
 
+tunable_policy(`container_use_nfs',`
+	fs_manage_nfs_dirs(container_engine_domain)
+	fs_manage_nfs_files(container_engine_domain)
+	fs_manage_nfs_named_sockets(container_engine_domain)
+	fs_read_nfs_symlinks(container_engine_domain)
+	fs_mount_nfs(container_engine_domain)
+	fs_unmount_nfs(container_engine_domain)
+	fs_exec_nfs_files(container_engine_domain)
+	kernel_rw_fs_sysctls(container_engine_domain)
+',`
+	kernel_dontaudit_search_fs_sysctls(container_engine_domain)
+')
+
+tunable_policy(`container_use_samba',`
+	fs_manage_cifs_dirs(container_engine_domain)
+	fs_manage_cifs_files(container_engine_domain)
+	fs_manage_cifs_named_sockets(container_engine_domain)
+	fs_read_cifs_symlinks(container_engine_domain)
+	fs_exec_cifs_files(container_engine_domain)
+')
+
 optional_policy(`
 	# to verify container image signatures
 	gpg_exec(container_engine_domain)
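Review bot: the NFS and CIFS branches for `container_engine_domain` are asymmetric with nothing explaining why: the NFS branch adds `fs_mount_nfs`, `fs_unmount_nfs` and `kernel_rw_fs_sysctls` (with `kernel_dontaudit_search_fs_sysctls` in the else branch), while the CIFS branch has no mount, unmount or sysctl rules at all. If the engine is expected to mount CIFS volumes too, the samba branch needs the matching mount and unmount rules; if not, a one-line comment saying which operation needs the mount and which fs sysctl the engine writes would help, particularly because `kernel_rw_fs_sysctls` grants write access to all fs sysctls rather than a specific one.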



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2022-01-30  1:22 Jason Zaman
From: Jason Zaman @ 2022-01-30  1:22 UTC
  To: gentoo-commits

commit:     5555bf53167e28f78a0f7f80784ee5ea5999c434
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Fri Dec 31 19:20:49 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jan 30 01:12:42 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5555bf53

container, docker: add initial support for docker

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/container.fc | 25 ++++++++++
 policy/modules/services/container.if | 96 ++++++++++++++++++++++++++++++++++++
 policy/modules/services/docker.fc    |  8 +++
 policy/modules/services/docker.if    | 69 ++++++++++++++++++++++++++
 policy/modules/services/docker.te    | 85 +++++++++++++++++++++++++++++++
 5 files changed, 283 insertions(+)

diff --git a/policy/modules/services/container.fc b/policy/modules/services/container.fc
index 9de5a68d..524ccedb 100644
--- a/policy/modules/services/container.fc
+++ b/policy/modules/services/container.fc
@@ -13,13 +13,24 @@ HOME_DIR/\.local/share/containers/storage/volumes/[^/]+/.*		gen_context(system_u
 /usr/bin/crun	--	gen_context(system_u:object_r:container_engine_exec_t,s0)
 /usr/bin/runc	--	gen_context(system_u:object_r:container_engine_exec_t,s0)
 
+/usr/lib/systemd/system/docker.*	--	gen_context(system_u:object_r:container_unit_t,s0)
+/usr/lib/systemd/system/containerd.*	--	gen_context(system_u:object_r:container_unit_t,s0)
+
 /etc/containers(/.*)?		gen_context(system_u:object_r:container_config_t,s0)
 /etc/cni(/.*)?		gen_context(system_u:object_r:container_config_t,s0)
+/etc/docker(/.*)?		gen_context(system_u:object_r:container_config_t,s0)
+/etc/containerd(/.*)?		gen_context(system_u:object_r:container_config_t,s0)
 
 /run/containers(/.*)?		gen_context(system_u:object_r:container_runtime_t,s0)
 /run/libpod(/.*)?		gen_context(system_u:object_r:container_runtime_t,s0)
 /run/runc(/.*)?		gen_context(system_u:object_r:container_runtime_t,s0)
 
+/run/docker(/.*)?		gen_context(system_u:object_r:container_runtime_t,s0)
+/run/docker\.pid	--	gen_context(system_u:object_r:container_runtime_t,s0)
+/run/docker\.sock	-s	gen_context(system_u:object_r:container_runtime_t,s0)
+/run/containerd(/.*)?		gen_context(system_u:object_r:container_runtime_t,s0)
+/run/containerd/[^/]+/sandboxes/[^/]+/shm(/.*)?		gen_context(system_u:object_r:container_engine_tmpfs_t,s0)
+
 /run/user/%{USERID}/netns(/.*)?		gen_context(system_u:object_r:container_runtime_t,s0)
 
 /var/cache/containers(/.*)?		gen_context(system_u:object_r:container_engine_cache_t,s0)
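Review bot: `/run/docker\.sock` is labeled `container_runtime_t`, the same type as the generic runtime state under `/run/containers`, `/run/libpod` and `/run/runc`. That socket is the daemon's control interface, so every domain given `container_runtime_t:sock_file` access (for instance through the `container_stream_connect_*` interfaces added further down in this patch) can reach the daemon API as well as the per-container runtime sockets; a dedicated socket type, or at least a comment noting the implication, would let the daemon API be granted separately. Also, `/usr/lib/systemd/system/docker.*` and `containerd.*` are regular expressions in which the unescaped `.` matches any character; `docker\..*` would confine the match to unit names such as `docker.service` and `docker.socket`.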
@@ -42,5 +53,19 @@ HOME_DIR/\.local/share/containers/storage/volumes/[^/]+/.*		gen_context(system_u
 /var/lib/containers/storage/overlay2-images(/.*)?		gen_context(system_u:object_r:container_ro_file_t,s0)
 /var/lib/containers/storage/volumes/[^/]+/.*		gen_context(system_u:object_r:container_file_t,s0)
 
+/var/lib/docker(/.*)?		gen_context(system_u:object_r:container_var_lib_t,s0)
+/var/lib/docker/.*/config\.env	--	gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/docker/containers/.*/.*\.log	--	gen_context(system_u:object_r:container_log_t,s0)
+/var/lib/docker/containers/.*/hostname	--	gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/docker/containers/.*/hosts	--	gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/docker/init(/.*)?		gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/docker/overlay(/.*)?		gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/docker/overlay2(/.*)?		gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/docker/volumes/[^/]+/.*		gen_context(system_u:object_r:container_file_t,s0)
+
+/var/lib/containerd(/.*)?		gen_context(system_u:object_r:container_var_lib_t,s0)
+/var/lib/containerd/[^/]+/sandboxes(/.*)?		gen_context(system_u:object_r:container_ro_file_t,s0)
+/var/lib/containerd/[^/]+/snapshots(/.*)?		gen_context(system_u:object_r:container_ro_file_t,s0)
+
 /var/log/containers(/.*)?		gen_context(system_u:object_r:container_log_t,s0)
 /var/log/pods(/.*)?		gen_context(system_u:object_r:container_log_t,s0)

diff --git a/policy/modules/services/container.if b/policy/modules/services/container.if
index 1c1950c7..58e8c470 100644
--- a/policy/modules/services/container.if
+++ b/policy/modules/services/container.if
@@ -423,6 +423,27 @@ interface(`container_engine_dbus_chat',`
 	allow container_engine_domain $1:dbus send_msg;
 ')
 
+########################################
+## <summary>
+##	Allow the specified domain to be started
+##	by systemd socket activation using a
+##	named socket labeled the container
+##	runtime type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_runtime_named_socket_activation',`
+	gen_require(`
+		type container_runtime_t;
+	')
+
+	init_named_socket_activation($1, container_runtime_t)
+')
+
 ########################################
 ## <summary>
 ##	Allow the specified domain to manage
@@ -572,6 +593,28 @@ interface(`container_domtrans',`
 	allow $1 container_domain:process transition;
 ')
 
+########################################
+## <summary>
+##	Connect to a system container domain
+##	over a unix stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_stream_connect_system_containers',`
+	gen_require(`
+		attribute container_system_domain;
+		type container_runtime_t;
+	')
+
+	files_search_runtime($1)
+	stream_connect_pattern($1, container_runtime_t, container_runtime_t, container_system_domain)
+	allow $1 container_runtime_t:sock_file read_sock_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Connect to a container domain
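Review bot: `stream_connect_pattern($1, container_runtime_t, container_runtime_t, container_system_domain)` already grants `write`, `open` and `getattr` on `container_runtime_t:sock_file` together with `connectto`, so the extra `allow $1 container_runtime_t:sock_file read_sock_file_perms;` only adds `read`, which is not required to connect to a stream socket. A comment naming the caller that actually reads the socket file would justify keeping it; the same line is added to `container_stream_connect_all_containers` in the next hunk.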
@@ -591,6 +634,7 @@ interface(`container_stream_connect_all_containers',`
 
 	files_search_runtime($1)
 	stream_connect_pattern($1, container_runtime_t, container_runtime_t, container_domain)
+	allow $1 container_runtime_t:sock_file read_sock_file_perms;
 ')
 
 ########################################
@@ -650,6 +694,25 @@ interface(`container_mountpoint',`
 	typeattribute $1 container_mountpoint_type;
 ')
 
+########################################
+## <summary>
+##	Allow the specified domain to
+##	manage container config files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_manage_config_files',`
+	gen_require(`
+		type container_config_t;
+	')
+
+	manage_files_pattern($1, container_config_t, container_config_t)
+')
+
 ########################################
 ## <summary>
 ##	Allow the specified domain to
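Review bot: `container_manage_config_files` grants create, write and delete on every `container_config_t` file, which according to the fc file covers `/etc/containers`, `/etc/cni`, `/etc/docker` and `/etc/containerd`, while the only caller in this patch (`dockerd_t`) needs it to write `key.json` in `/etc/docker`. With this rule a misbehaving or compromised daemon can rewrite the configuration of every other engine on the host. A dedicated type for the daemon's key material, or a name-based rule limited to `key.json`, would keep the rest of the configuration read-only for it.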
@@ -1166,6 +1229,39 @@ interface(`container_manage_var_lib_sock_files',`
 	manage_sock_files_pattern($1, container_var_lib_t, container_var_lib_t)
 ')
 
+########################################
+## <summary>
+##	Allow the specified domain to create
+##	objects in unlabeled directories with
+##	an automatic type transition to the
+##	container var lib type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="object">
+##	<summary>
+##	The object class of the object being created.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`container_unlabeled_var_lib_filetrans',`
+	gen_require(`
+		type container_var_lib_t;
+	')
+
+	# This access is to workaround an issue in Docker
+	# See: https://github.com/moby/moby/issues/43088
+	kernel_unlabeled_filetrans($1, container_var_lib_t, $2, $3)
+')
+
 ########################################
 ## <summary>
 ##	All of the rules required to
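Review bot: the `<summary>` of `container_unlabeled_var_lib_filetrans` should say that this is a workaround for the Docker btrfs issue linked in the body comment; the summary is what ends up in the generated interface documentation, and a caller skimming it will not see that the interface exists only to paper over unlabeled subvolume roots and may be removed once moby/moby#43088 is fixed.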

diff --git a/policy/modules/services/docker.fc b/policy/modules/services/docker.fc
new file mode 100644
index 00000000..577d148f
--- /dev/null
+++ b/policy/modules/services/docker.fc
@@ -0,0 +1,8 @@
+/usr/bin/docker	--	gen_context(system_u:object_r:dockerc_exec_t,s0)
+/usr/bin/dockerd	--	gen_context(system_u:object_r:dockerd_exec_t,s0)
+/usr/bin/docker-proxy	--	gen_context(system_u:object_r:dockerd_exec_t,s0)
+/usr/bin/containerd	--	gen_context(system_u:object_r:dockerd_exec_t,s0)
+/usr/bin/containerd-shim	--	gen_context(system_u:object_r:dockerd_exec_t,s0)
+/usr/bin/containerd-shim-runc-v1	--	gen_context(system_u:object_r:dockerd_exec_t,s0)
+/usr/bin/containerd-shim-runc-v2	--	gen_context(system_u:object_r:dockerd_exec_t,s0)
+/usr/bin/containerd-stress	--	gen_context(system_u:object_r:dockerd_exec_t,s0)
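Review bot: every containerd binary, the shims and `docker-proxy` are labeled `dockerd_exec_t`, so all of them run in `dockerd_t` with the daemon's full privilege set. That is a reasonable starting point for initial support, but a comment stating that this is deliberate (containerd and the shims are launched by the daemon and share its privileges) would help, and `containerd-stress`, a stress-testing tool rather than a daemon component, does not need to be an entrypoint for the daemon domain at all.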

diff --git a/policy/modules/services/docker.if b/policy/modules/services/docker.if
new file mode 100644
index 00000000..28965cdb
--- /dev/null
+++ b/policy/modules/services/docker.if
@@ -0,0 +1,69 @@
+## <summary>Policy for docker</summary>
+
+########################################
+## <summary>
+##	Execute docker CLI in the docker CLI domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`docker_domtrans_cli',`
+	gen_require(`
+		type dockerc_t, dockerc_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, dockerc_exec_t, dockerc_t)
+')
+
+########################################
+## <summary>
+##	Execute docker CLI in the docker CLI
+##	domain, and allow the specified role
+##	the docker CLI domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the docker domain.
+##	</summary>
+## </param>
+#
+interface(`docker_run_cli',`
+	gen_require(`
+		type dockerc_t;
+	')
+
+	role $2 types dockerc_t;
+
+	docker_domtrans_cli($1)
+')
+
+########################################
+## <summary>
+##	All of the rules required to
+##	administrate a docker
+##	environment.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`docker_admin',`
+	docker_run_cli($1, $2)
+')
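Review bot: `docker_admin` is tagged `<rolecap/>` and its summary promises "all of the rules required to administrate a docker environment", yet it only calls `docker_run_cli($1, $2)`: the admin role gets no rights over the daemon's unit files, its configuration or its logs. Either extend the interface to cover those (for example signalling the daemon and managing its files, as other `*_admin` interfaces do) or tighten the summary to say it grants the CLI domain only.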

diff --git a/policy/modules/services/docker.te b/policy/modules/services/docker.te
new file mode 100644
index 00000000..27278127
--- /dev/null
+++ b/policy/modules/services/docker.te
@@ -0,0 +1,85 @@
+policy_module(docker)
+
+########################################
+#
+# Declarations
+#
+
+container_engine_domain_template(dockerd)
+container_system_engine(dockerd_t)
+type dockerd_exec_t;
+container_engine_executable_file(dockerd_exec_t)
+application_domain(dockerd_t, dockerd_exec_t)
+ifdef(`enable_mls',`
+	init_ranged_daemon_domain(dockerd_t, dockerd_exec_t, s0 - mls_systemhigh)
+')
+mls_trusted_object(dockerd_t)
+
+type dockerc_t;
+type dockerc_exec_t;
+container_engine_executable_file(dockerc_t)
+application_domain(dockerc_t, dockerc_exec_t)
+
+########################################
+#
+# Docker daemon local policy
+#
+
+allow dockerd_t self:netlink_netfilter_socket create_socket_perms;
+allow dockerd_t self:netlink_xfrm_socket create_socket_perms;
+
+init_write_runtime_socket(dockerd_t)
+container_runtime_named_socket_activation(dockerd_t)
+
+# docker fails to start if /proc/kallsyms is unreadable,
+# but only when btrfs support is disabled
+files_read_kernel_symbol_table(dockerd_t)
+files_dontaudit_write_usr_dirs(dockerd_t)
+
+kernel_relabelfrom_unlabeled_dirs(dockerd_t)
+# docker wants to load binfmt_misc
+kernel_request_load_module(dockerd_t)
+kernel_dontaudit_search_fs_sysctls(dockerd_t)
+
+logging_send_syslog_msg(dockerd_t)
+
+container_stream_connect_system_containers(dockerd_t)
+
+# docker manages key.json in /etc/docker
+container_manage_config_files(dockerd_t)
+
+# In btrfs mode, docker creates subvolumes which are unlabeled
+# in /var/lib/docker/btrfs/subvolumes. The files inside will
+# become labeled with a file transition, but the subvolume
+# root will always be unlabeled.
+container_unlabeled_var_lib_filetrans(dockerd_t, dir)
+
+ifdef(`init_systemd',`
+	init_dbus_chat(dockerd_t)
+	init_get_generic_units_status(dockerd_t)
+	init_start_generic_units(dockerd_t)
+	init_start_system(dockerd_t)
+	init_stop_system(dockerd_t)
+')
+
+########################################
+#
+# Docker CLI local policy
+#
+
+allow dockerc_t self:process { getsched signal };
+allow dockerc_t self:fifo_file rw_fifo_file_perms;
+
+allow dockerc_t dockerd_t:unix_stream_socket connectto;
+
+corecmd_dontaudit_search_bin(dockerc_t)
+
+domain_use_interactive_fds(dockerc_t)
+
+auth_use_nsswitch(dockerc_t)
+
+miscfiles_read_localization(dockerc_t)
+
+userdom_use_user_ptys(dockerc_t)
+
+container_stream_connect_system_containers(dockerc_t)
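Review bot: `container_engine_executable_file(dockerc_t)` in the CLI declarations looks like a copy-paste error: it applies the executable-file typing to the CLI *domain* type, whereas the daemon block correctly calls `container_engine_executable_file(dockerd_exec_t)`. It should be `container_engine_executable_file(dockerc_exec_t)`; `application_domain(dockerc_t, dockerc_exec_t)` still makes `dockerc_exec_t` an entrypoint, so the build will not catch this, but `dockerc_t` ends up carrying a file attribute and `dockerc_exec_t` does not. Separately, the `ifdef(`init_systemd',` block grants `init_start_system(dockerd_t)` and `init_stop_system(dockerd_t)` with no comment; almost every other rule in this file says why it is needed, and letting the daemon ask init to start or stop the system is broad enough to deserve one.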



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2022-01-30  1:22 Jason Zaman
From: Jason Zaman @ 2022-01-30  1:22 UTC
  To: gentoo-commits

commit:     1841ac553d3131121749274fe165af7af8d6865d
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Fri Jan 21 19:03:38 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jan 30 01:15:06 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1841ac55

docker: call rootlesskit access in docker access

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/docker.if | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/services/docker.if b/policy/modules/services/docker.if
index 6460ed6e..c3ac8174 100644
--- a/policy/modules/services/docker.if
+++ b/policy/modules/services/docker.if
@@ -178,6 +178,8 @@ template(`docker_user_role',`
 	docker_run_user_daemon($3, $4)
 	docker_run_user_cli($3, $4)
 
+	rootlesskit_role($1, $2, $3, $4)
+
 	ifdef(`init_systemd',`
 		systemd_user_daemon_domain($1, dockerd_exec_t, dockerd_user_t)
 		systemd_user_send_systemd_notify($1, dockerd_user_t)
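Review bot: `rootlesskit_role($1, $2, $3, $4)` is called unconditionally, which makes `docker.if` hard-depend on the rootlesskit module and fails the build whenever that module is not enabled; wrap the call in `optional_policy(` as the `dbus_spec_session_bus_client` call a few lines below already is. The follow-up commit "docker: make rootlesskit optional" in this series does exactly that, so the two could be squashed.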
@@ -226,4 +228,6 @@ interface(`docker_signal_user_daemon',`
 #
 interface(`docker_admin',`
 	docker_run_cli($1, $2)
+
+	rootlesskit_run($1, $2)
 ')
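Review bot: same issue for `rootlesskit_run($1, $2)` in `docker_admin`: this is an unconditional call into another module and should sit inside `optional_policy(` so that `docker_admin` remains usable on systems without the rootlesskit module.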



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2022-01-30  1:22 Jason Zaman
From: Jason Zaman @ 2022-01-30  1:22 UTC
  To: gentoo-commits

commit:     16711830e9075fd6d36b32875cde26c286a98b5d
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Mon Jan 24 16:08:50 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jan 30 01:15:06 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=16711830

container: allow containers to getsession

Found to be required by a jellyfin container when testing.

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/container.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te
index 1291768c..d5f79b15 100644
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@@ -150,7 +150,7 @@ corenet_port(container_port_t)
 
 allow container_domain self:capability { dac_override kill setgid setuid sys_boot sys_chroot };
 allow container_domain self:cap_userns { chown dac_override fowner setgid setuid };
-allow container_domain self:process { execstack execmem getattr signal_perms getsched setsched setcap setpgid };
+allow container_domain self:process { execstack execmem getattr getsched getsession setsched setcap setpgid signal_perms };
 allow container_domain self:fifo_file manage_fifo_file_perms;
 allow container_domain self:sem create_sem_perms;
 allow container_domain self:shm create_shm_perms;



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2022-01-30  1:22 Jason Zaman
From: Jason Zaman @ 2022-01-30  1:22 UTC
  To: gentoo-commits

commit:     362646fea58e06a59f257c4c0f7e96cfd3105de6
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Tue Jan 11 20:56:38 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jan 30 01:15:06 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=362646fe

rootlesskit: new policy module

Rootlesskit is required by rootless docker

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/rootlesskit.fc |   3 +
 policy/modules/services/rootlesskit.if | 106 +++++++++++++++++++++++++++++++++
 policy/modules/services/rootlesskit.te |  43 +++++++++++++
 3 files changed, 152 insertions(+)

diff --git a/policy/modules/services/rootlesskit.fc b/policy/modules/services/rootlesskit.fc
new file mode 100644
index 00000000..613ebd9b
--- /dev/null
+++ b/policy/modules/services/rootlesskit.fc
@@ -0,0 +1,3 @@
+/usr/bin/rootlesskit	--	gen_context(system_u:object_r:rootlesskit_exec_t,s0)
+/usr/bin/rootlessctl	--	gen_context(system_u:object_r:rootlesskit_exec_t,s0)
+/usr/bin/rootlesskit-docker-proxy	--	gen_context(system_u:object_r:rootlesskit_exec_t,s0)

diff --git a/policy/modules/services/rootlesskit.if b/policy/modules/services/rootlesskit.if
new file mode 100644
index 00000000..2be598d7
--- /dev/null
+++ b/policy/modules/services/rootlesskit.if
@@ -0,0 +1,106 @@
+## <summary>Policy for RootlessKit</summary>
+
+########################################
+## <summary>
+##	Execute rootlesskit in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`rootlesskit_exec',`
+	gen_require(`
+		type rootlesskit_exec_t;
+	')
+
+	can_exec($1, rootlesskit_exec_t)
+')
+
+########################################
+## <summary>
+##	Execute rootlesskit in the rootlesskit domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`rootlesskit_domtrans',`
+	gen_require(`
+		type rootlesskit_t, rootlesskit_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, rootlesskit_exec_t, rootlesskit_t)
+')
+
+########################################
+## <summary>
+##	Execute rootlesskit in the rootlesskit
+##	domain, and allow the specified role
+##	the rootlesskit domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the rootlesskit domain.
+##	</summary>
+## </param>
+#
+interface(`rootlesskit_run',`
+	gen_require(`
+		type rootlesskit_t;
+	')
+
+	role $2 types rootlesskit_t;
+
+	rootlesskit_domtrans($1)
+')
+
+########################################
+## <summary>
+##	Role access for rootlesskit.
+## </summary>
+## <param name="role_prefix">
+##	<summary>
+##	The prefix of the user role (e.g., user
+##	is the prefix for user_r).
+##	</summary>
+## </param>
+## <param name="user_domain">
+##	<summary>
+##	User domain for the role.
+##	</summary>
+## </param>
+## <param name="user_exec_domain">
+##	<summary>
+##	User exec domain for execute and transition access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+template(`rootlesskit_role',`
+	gen_require(`
+		type rootlesskit_t;
+		type rootlesskit_exec_t;
+	')
+
+	rootlesskit_run($3, $4)
+
+	optional_policy(`
+		systemd_user_daemon_domain($1, rootlesskit_exec_t, rootlesskit_t)
+	')
+')
+
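Review bot: `rootlesskit_role` guards `systemd_user_daemon_domain($1, rootlesskit_exec_t, rootlesskit_t)` with `optional_policy(`, whereas `docker_user_role` (visible in the docker.if hunks of the following commits) guards the identical call with `ifdef(`init_systemd',`; the two modules should use the same condition so the rootless daemon setup is enabled in the same builds. The file also ends with an empty `+` line, i.e. a trailing blank line at EOF that should be dropped.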

diff --git a/policy/modules/services/rootlesskit.te b/policy/modules/services/rootlesskit.te
new file mode 100644
index 00000000..31168801
--- /dev/null
+++ b/policy/modules/services/rootlesskit.te
@@ -0,0 +1,43 @@
+policy_module(rootlesskit)
+
+########################################
+#
+# Declarations
+#
+
+container_engine_domain_template(rootlesskit)
+type rootlesskit_exec_t;
+container_user_engine(rootlesskit_t)
+application_domain(rootlesskit_t, rootlesskit_exec_t)
+mls_trusted_object(rootlesskit_t)
+
+########################################
+#
+# Rootlesskit local policy
+#
+
+# rootlesskit fails without this access
+allow rootlesskit_t self:tun_socket { relabelfrom relabelto };
+
+can_exec(rootlesskit_t, rootlesskit_exec_t)
+
+domain_use_interactive_fds(rootlesskit_t)
+
+# any dir not readable or file not stat-able causes rootlesskit to hang
+# when --copy-up would access it; the below rules cover at least the
+# access needed for rootless docker (copying /etc and /run)
+files_list_all(rootlesskit_t)
+files_getattr_all_files(rootlesskit_t)
+files_getattr_all_pipes(rootlesskit_t)
+files_getattr_all_sockets(rootlesskit_t)
+
+kernel_read_sysctl(rootlesskit_t)
+
+auth_use_nsswitch(rootlesskit_t)
+
+userdom_exec_user_bin_files(rootlesskit_t)
+
+optional_policy(`
+	dbus_list_system_bus_runtime(rootlesskit_t)
+	dbus_system_bus_client(rootlesskit_t)
+')
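Review bot: `files_list_all`, `files_getattr_all_files`, `files_getattr_all_pipes` and `files_getattr_all_sockets` give a user-launched helper directory listing and stat access over the entire filesystem, while the comment above them says the access actually required is for copying `/etc` and `/run`; scoping the rules to those trees would keep the hang fix without exposing the layout of every other directory on the host to an unprivileged user's tool. The `self:tun_socket { relabelfrom relabelto }` rule is likewise justified only by "fails without this access"; a comment naming the rootlesskit operation that triggers it would make the rule reviewable later.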



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2022-01-30  1:22 Jason Zaman
From: Jason Zaman @ 2022-01-30  1:22 UTC
  To: gentoo-commits

commit:     4c30d6c3518839622475b09cd70011ad9bb6f757
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Mon Jan 24 22:34:27 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jan 30 01:15:06 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4c30d6c3

docker: make rootlesskit optional

Avoid a potential build error and circular dependency by making
rootlesskit optional. Note that rootlesskit is still required in order
for rootless docker to function.

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/docker.if | 10 +++++++---
 policy/modules/services/docker.te |  6 ++++--
 2 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/policy/modules/services/docker.if b/policy/modules/services/docker.if
index c3ac8174..532fa441 100644
--- a/policy/modules/services/docker.if
+++ b/policy/modules/services/docker.if
@@ -178,8 +178,6 @@ template(`docker_user_role',`
 	docker_run_user_daemon($3, $4)
 	docker_run_user_cli($3, $4)
 
-	rootlesskit_role($1, $2, $3, $4)
-
 	ifdef(`init_systemd',`
 		systemd_user_daemon_domain($1, dockerd_exec_t, dockerd_user_t)
 		systemd_user_send_systemd_notify($1, dockerd_user_t)
@@ -188,6 +186,10 @@ template(`docker_user_role',`
 	optional_policy(`
 		dbus_spec_session_bus_client($1, dockerd_user_t)
 	')
+
+	optional_policy(`
+		rootlesskit_role($1, $2, $3, $4)
+	')
 ')
 
 ########################################
@@ -229,5 +231,7 @@ interface(`docker_signal_user_daemon',`
 interface(`docker_admin',`
 	docker_run_cli($1, $2)
 
-	rootlesskit_run($1, $2)
+	optional_policy(`
+		rootlesskit_run($1, $2)
+	')
 ')

diff --git a/policy/modules/services/docker.te b/policy/modules/services/docker.te
index 0e2e2e68..bb5eeb49 100644
--- a/policy/modules/services/docker.te
+++ b/policy/modules/services/docker.te
@@ -125,8 +125,6 @@ mount_exec(dockerd_user_t)
 container_setattr_container_ptys(dockerd_user_t)
 container_use_container_ptys(dockerd_user_t)
 
-rootlesskit_exec(dockerd_user_t)
-
 ifdef(`init_systemd',`
 	systemd_search_user_runtime(dockerd_user_t)
 	systemd_write_user_runtime_socket(dockerd_user_t)
@@ -140,6 +138,10 @@ optional_policy(`
 	dbus_write_session_runtime_socket(dockerd_user_t)
 ')
 
+optional_policy(`
+	rootlesskit_exec(dockerd_user_t)
+')
+
 ########################################
 #
 # Rootless Docker CLI local policy



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2022-01-30  1:22 Jason Zaman
From: Jason Zaman @ 2022-01-30  1:22 UTC
  To: gentoo-commits

commit:     e6119d9b84916327586cd41094684567ff29a69d
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Tue Jan 18 01:09:47 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jan 30 01:15:06 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e6119d9b

container: drop old commented rules

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/container.te | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te
index 82de38ee..1291768c 100644
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@@ -192,7 +192,6 @@ files_dontaudit_getattr_all_pipes(container_domain)
 files_dontaudit_getattr_all_sockets(container_domain)
 files_dontaudit_list_all_mountpoints(container_domain)
 files_dontaudit_write_etc_runtime_files(container_domain)
-# files_entrypoint_all_files(container_domain)
 files_list_var(container_domain)
 files_list_var_lib(container_domain)
 files_search_all(container_domain)
@@ -209,10 +208,6 @@ fs_manage_fusefs_symlinks(container_domain)
 fs_exec_fusefs_files(container_domain)
 fs_fusefs_entry_type(container_domain)
 
-# fs_rw_inherited_tmpfs_files(container_domain)
-# fs_rw_inherited_cifs_files(container_domain)
-# fs_rw_inherited_noxattr_fs_files(container_domain)
-
 auth_dontaudit_read_login_records(container_domain)
 auth_dontaudit_write_login_records(container_domain)
 auth_search_pam_console_data(container_domain)



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2022-01-30  1:22 Jason Zaman
From: Jason Zaman @ 2022-01-30  1:22 UTC
  To: gentoo-commits

commit:     dbbe51a3b5cddeb4105fffecc3c29be701b10360
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Tue Jan 11 19:15:24 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jan 30 01:15:06 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=dbbe51a3

container, docker, rootlesskit: add support for rootless docker

Rootless docker runs as root in a user namespace. Because of this,
rootless docker containers will run as spc_user_t as docker cannot be
SELinux-aware in its own container.

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/container.fc   |   8 ++
 policy/modules/services/container.if   |  59 ++++++++++++
 policy/modules/services/docker.if      | 160 +++++++++++++++++++++++++++++++++
 policy/modules/services/docker.te      |  82 +++++++++++++++++
 policy/modules/services/rootlesskit.te |   3 +
 5 files changed, 312 insertions(+)

diff --git a/policy/modules/services/container.fc b/policy/modules/services/container.fc
index 524ccedb..ef5ad3b6 100644
--- a/policy/modules/services/container.fc
+++ b/policy/modules/services/container.fc
@@ -9,6 +9,14 @@ HOME_DIR/\.local/share/containers/storage/overlay2-layers(/.*)?		gen_context(sys
 HOME_DIR/\.local/share/containers/storage/overlay-images(/.*)?		gen_context(system_u:object_r:container_ro_file_t,s0)
 HOME_DIR/\.local/share/containers/storage/overlay2-images(/.*)?		gen_context(system_u:object_r:container_ro_file_t,s0)
 HOME_DIR/\.local/share/containers/storage/volumes/[^/]+/.*		gen_context(system_u:object_r:container_file_t,s0)
+HOME_DIR/\.local/share/docker(/.*)?		gen_context(system_u:object_r:container_data_home_t,s0)
+HOME_DIR/\.local/share/docker/.*/config\.env	--	gen_context(system_u:object_r:container_ro_file_t,s0)
+HOME_DIR/\.local/share/docker/containers/.*/.*\.log	--	gen_context(system_u:object_r:container_log_t,s0)
+HOME_DIR/\.local/share/docker/containers/.*/hostname	--	gen_context(system_u:object_r:container_ro_file_t,s0)
+HOME_DIR/\.local/share/docker/containers/.*/hosts	--	gen_context(system_u:object_r:container_ro_file_t,s0)
+HOME_DIR/\.local/share/docker/init(/.*)?		gen_context(system_u:object_r:container_ro_file_t,s0)
+HOME_DIR/\.local/share/docker/fuse-overlayfs(/.*)?		gen_context(system_u:object_r:container_ro_file_t,s0)
+HOME_DIR/\.local/share/docker/volumes(/.*)?		gen_context(system_u:object_r:container_file_t,s0)
 
 /usr/bin/crun	--	gen_context(system_u:object_r:container_engine_exec_t,s0)
 /usr/bin/runc	--	gen_context(system_u:object_r:container_engine_exec_t,s0)
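Review bot: `HOME_DIR/\.local/share/docker/volumes(/.*)?` labels the `volumes` directory itself and everything beneath it `container_file_t`, whereas the system entry `/var/lib/docker/volumes/[^/]+/.*` and the rootless podman entry `HOME_DIR/\.local/share/containers/storage/volumes/[^/]+/.*` in the context lines above only label the contents of each volume and leave the `volumes` directory and the per-volume metadata at the parent type. If the difference is intentional (rootless docker keeps no metadata next to the volume data, say) a comment would help; otherwise the pattern should follow the `volumes/[^/]+/.*` convention so containers cannot write the volume metadata.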

diff --git a/policy/modules/services/container.if b/policy/modules/services/container.if
index 28699f52..e9217f63 100644
--- a/policy/modules/services/container.if
+++ b/policy/modules/services/container.if
@@ -619,6 +619,28 @@ interface(`container_stream_connect_system_containers',`
 	allow $1 container_runtime_t:sock_file read_sock_file_perms;
 ')
 
+########################################
+## <summary>
+##	Connect to a user container domain
+##	over a unix stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_stream_connect_user_containers',`
+	gen_require(`
+		attribute container_user_domain;
+		type container_runtime_t;
+	')
+
+	files_search_runtime($1)
+	stream_connect_pattern($1, container_runtime_t, container_runtime_t, container_user_domain)
+	allow $1 container_runtime_t:sock_file read_sock_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Connect to a container domain
@@ -661,6 +683,24 @@ interface(`container_signal_all_containers',`
 	allow $1 container_domain:process signal_perms;
 ')
 
+########################################
+## <summary>
+##	Set the attributes of container ptys.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_setattr_container_ptys',`
+	gen_require(`
+		type container_devpts_t;
+	')
+
+	allow $1 container_devpts_t:chr_file setattr;
+')
+
 ########################################
 ## <summary>
 ##	Read and write container ptys.
@@ -1156,6 +1196,25 @@ interface(`container_manage_user_runtime_files',`
 	manage_files_pattern($1, container_user_runtime_t, container_user_runtime_t)
 ')
 
+########################################
+## <summary>
+##	Allow the specified domain to read and
+##	write user runtime container named sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_rw_user_runtime_sock_files',`
+	gen_require(`
+		type container_user_runtime_t;
+	')
+
+	allow $1 container_user_runtime_t:sock_file rw_sock_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Allow the specified domain to search
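Review bot: `container_rw_user_runtime_sock_files` has no caller anywhere in this patch (docker.te's dockerc_user_t connects with a bare `connectto` plus `container_stream_connect_user_containers` instead), so either wire it in or leave it out until it is needed. It also grants `rw_sock_file_perms` on the socket without search on the containing container_user_runtime_t directory, unlike the `manage_files_pattern` used for the same type in the preceding interface, so callers would additionally need a search right on the directory; `rw_sock_files_pattern($1, container_user_runtime_t, container_user_runtime_t)` would give both in one line.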

diff --git a/policy/modules/services/docker.if b/policy/modules/services/docker.if
index 28965cdb..6460ed6e 100644
--- a/policy/modules/services/docker.if
+++ b/policy/modules/services/docker.if
@@ -46,6 +46,166 @@ interface(`docker_run_cli',`
 	docker_domtrans_cli($1)
 ')
 
+########################################
+## <summary>
+##	Execute docker in the docker user domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`docker_domtrans_user_daemon',`
+	gen_require(`
+		type dockerd_user_t, dockerd_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, dockerd_exec_t, dockerd_user_t)
+')
+
+########################################
+## <summary>
+##	Execute docker in the docker user
+##	domain, and allow the specified
+##	role the docker user domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the docker domain.
+##	</summary>
+## </param>
+#
+interface(`docker_run_user_daemon',`
+	gen_require(`
+		type dockerd_user_t;
+	')
+
+	role $2 types dockerd_user_t;
+
+	docker_domtrans_user_daemon($1)
+')
+
+########################################
+## <summary>
+##	Execute docker CLI in the docker CLI
+##	user domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`docker_domtrans_user_cli',`
+	gen_require(`
+		type dockerc_user_t, dockerc_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, dockerc_exec_t, dockerc_user_t)
+')
+
+########################################
+## <summary>
+##	Execute docker CLI in the docker CLI
+##	user domain, and allow the specified
+##	role the docker CLI user domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the docker
+##	user domain.
+##	</summary>
+## </param>
+#
+interface(`docker_run_user_cli',`
+	gen_require(`
+		type dockerc_user_t;
+	')
+
+	role $2 types dockerc_user_t;
+
+	docker_domtrans_user_cli($1)
+')
+
+########################################
+## <summary>
+##	Role access for rootless docker.
+## </summary>
+## <param name="role_prefix">
+##	<summary>
+##	The prefix of the user role (e.g., user
+##	is the prefix for user_r).
+##	</summary>
+## </param>
+## <param name="user_domain">
+##	<summary>
+##	User domain for the role.
+##	</summary>
+## </param>
+## <param name="user_exec_domain">
+##	<summary>
+##	User exec domain for execute and transition access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+template(`docker_user_role',`
+	gen_require(`
+		type dockerd_user_t;
+		type dockerd_exec_t;
+	')
+
+	role $4 types dockerd_user_t;
+
+	docker_run_user_daemon($3, $4)
+	docker_run_user_cli($3, $4)
+
+	ifdef(`init_systemd',`
+		systemd_user_daemon_domain($1, dockerd_exec_t, dockerd_user_t)
+		systemd_user_send_systemd_notify($1, dockerd_user_t)
+	')
+
+	optional_policy(`
+		dbus_spec_session_bus_client($1, dockerd_user_t)
+	')
+')
+
+########################################
+## <summary>
+##	Send signals to the rootless docker daemon.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`docker_signal_user_daemon',`
+	gen_require(`
+		type dockerd_user_t;
+	')
+
+	allow $1 dockerd_user_t:process signal;
+')
+
 ########################################
 ## <summary>
 ##	All of the rules required to
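Review bot: in the `docker_user_role` template the `user_domain` parameter ($2) is documented but never referenced in the body, and `role $4 types dockerd_user_t;` repeats what `docker_run_user_daemon($3, $4)` already does two lines later; either use $2 (for instance to let the user domain signal or connect to its daemon) or drop it from the signature and the doc block, and remove the duplicate role statement. Smaller points in the same hunk: the `domain` parameter of `docker_signal_user_daemon` is described as "Domain allowed to transition." although the interface only grants `signal`, and it grants the single `signal` permission where the existing `container_signal_all_containers` in container.if uses `signal_perms`; if one signal is all rootlesskit needs that is fine, but a comment should say so.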

diff --git a/policy/modules/services/docker.te b/policy/modules/services/docker.te
index 27278127..0e2e2e68 100644
--- a/policy/modules/services/docker.te
+++ b/policy/modules/services/docker.te
@@ -20,6 +20,14 @@ type dockerc_exec_t;
 container_engine_executable_file(dockerc_t)
 application_domain(dockerc_t, dockerc_exec_t)
 
+container_engine_domain_template(dockerd_user)
+container_user_engine(dockerd_user_t)
+application_domain(dockerd_user_t, dockerd_exec_t)
+mls_trusted_object(dockerd_user_t)
+
+type dockerc_user_t;
+application_domain(dockerc_user_t, dockerc_exec_t)
+
 ########################################
 #
 # Docker daemon local policy
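Review bot: `mls_trusted_object(dockerd_user_t)` exempts objects owned by the rootless daemon from the MLS constraints, a broad exception for a per-user process that runs at the caller's single level, and the system dockerd_t declared above does not receive it here; if it is needed (for instance because containers at different levels must talk to the daemon), add a comment saying why, otherwise drop it. Unrelated to the change but visible in the context: `container_engine_executable_file(dockerc_t)` passes the domain type rather than dockerc_exec_t, unlike `container_engine_executable_file(dockerd_exec_t)` in the later docker.te hunk on this page; worth a follow-up fix.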
@@ -83,3 +91,77 @@ miscfiles_read_localization(dockerc_t)
 userdom_use_user_ptys(dockerc_t)
 
 container_stream_connect_system_containers(dockerc_t)
+
+########################################
+#
+# Rootless Docker daemon local policy
+#
+
+# rootless docker is really just docker running as root, but in a user namespace
+
+allow dockerd_user_t self:netlink_netfilter_socket create_socket_perms;
+allow dockerd_user_t self:netlink_xfrm_socket create_socket_perms;
+
+fs_getattr_fusefs(dockerd_user_t)
+fs_mount_fusefs(dockerd_user_t)
+fs_unmount_fusefs(dockerd_user_t)
+fs_remount_fusefs(dockerd_user_t)
+fs_manage_fusefs_dirs(dockerd_user_t)
+fs_manage_fusefs_files(dockerd_user_t)
+fs_manage_fusefs_symlinks(dockerd_user_t)
+fs_exec_fusefs_files(dockerd_user_t)
+fs_mounton_fusefs(dockerd_user_t)
+
+kernel_dontaudit_request_load_module(dockerd_user_t)
+
+storage_rw_fuse(dockerd_user_t)
+
+init_write_runtime_socket(dockerd_user_t)
+
+logging_send_syslog_msg(dockerd_user_t)
+
+mount_exec(dockerd_user_t)
+
+container_setattr_container_ptys(dockerd_user_t)
+container_use_container_ptys(dockerd_user_t)
+
+rootlesskit_exec(dockerd_user_t)
+
+ifdef(`init_systemd',`
+	systemd_search_user_runtime(dockerd_user_t)
+	systemd_write_user_runtime_socket(dockerd_user_t)
+	systemd_start_user_runtime_units(dockerd_user_t)
+	systemd_stop_user_runtime_units(dockerd_user_t)
+	systemd_status_user_runtime_units(dockerd_user_t)
+')
+
+optional_policy(`
+	dbus_getattr_session_runtime_socket(dockerd_user_t)
+	dbus_write_session_runtime_socket(dockerd_user_t)
+')
+
+########################################
+#
+# Rootless Docker CLI local policy
+#
+
+allow dockerc_user_t self:process { getsched signal };
+allow dockerc_user_t self:fifo_file rw_fifo_file_perms;
+
+allow dockerc_user_t dockerd_user_t:unix_stream_socket connectto;
+
+corecmd_search_bin(dockerc_user_t)
+
+domain_use_interactive_fds(dockerc_user_t)
+
+auth_use_nsswitch(dockerc_user_t)
+
+miscfiles_read_localization(dockerc_user_t)
+
+userdom_use_user_ptys(dockerc_user_t)
+userdom_search_user_home_dirs(dockerc_user_t)
+userdom_search_user_runtime(dockerc_user_t)
+
+xdg_search_data_dirs(dockerc_user_t)
+
+container_stream_connect_user_containers(dockerc_user_t)
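Review bot: `allow dockerc_user_t dockerd_user_t:unix_stream_socket connectto;` covers only the connect on the daemon's socket object; a stream connect also needs write on the socket file node, which is why the container.if hunks in this same patch go through `stream_connect_pattern()`. Nothing in this block grants dockerc_user_t write on whatever type the rootless daemon's socket file carries (the user runtime directory is only searched via `userdom_search_user_runtime`), so the CLI will be stopped at the filesystem step unless that right comes from elsewhere. A `docker_stream_connect_user_daemon()` interface built on `stream_connect_pattern()` would keep the rule in docker.if next to the other new interfaces and make the socket file type explicit.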

diff --git a/policy/modules/services/rootlesskit.te b/policy/modules/services/rootlesskit.te
index 31168801..208143c6 100644
--- a/policy/modules/services/rootlesskit.te
+++ b/policy/modules/services/rootlesskit.te
@@ -37,6 +37,9 @@ auth_use_nsswitch(rootlesskit_t)
 
 userdom_exec_user_bin_files(rootlesskit_t)
 
+docker_domtrans_user_daemon(rootlesskit_t)
+docker_signal_user_daemon(rootlesskit_t)
+
 optional_policy(`
 	dbus_list_system_bus_runtime(rootlesskit_t)
 	dbus_system_bus_client(rootlesskit_t)
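Review bot: the two new docker_* calls are made unconditionally, while the dbus calls immediately below are wrapped in `optional_policy()`; unless the docker module is meant to be a hard dependency of rootlesskit, wrap them the same way so rootlesskit still builds when docker is not loaded.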



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2022-01-31 19:31 Jason Zaman
From: Jason Zaman @ 2022-01-31 19:31 UTC
  To: gentoo-commits

commit:     9a6e04ea1f7da6812ea463bd509862a77f0da623
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Sun Jan 30 23:09:12 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Jan 31 17:55:20 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9a6e04ea

docker: add missing call to init_daemon_domain()

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/docker.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/services/docker.te b/policy/modules/services/docker.te
index bb5eeb49..7a657e15 100644
--- a/policy/modules/services/docker.te
+++ b/policy/modules/services/docker.te
@@ -10,6 +10,7 @@ container_system_engine(dockerd_t)
 type dockerd_exec_t;
 container_engine_executable_file(dockerd_exec_t)
 application_domain(dockerd_t, dockerd_exec_t)
+init_daemon_domain(dockerd_t, dockerd_exec_t)
 ifdef(`enable_mls',`
 	init_ranged_daemon_domain(dockerd_t, dockerd_exec_t, s0 - mls_systemhigh)
 ')



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2022-02-07  2:14 Jason Zaman
From: Jason Zaman @ 2022-02-07  2:14 UTC
  To: gentoo-commits

commit:     08e6022ae0fe8d137a6946961c87ef9ef5208465
Author:     Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Wed Feb  2 11:34:02 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb  7 02:09:50 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=08e6022a

container: On Debian, runc is installed in /usr/sbin

Signed-off-by: Laurent Bigonville <bigon <AT> bigon.be>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/container.fc | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/services/container.fc b/policy/modules/services/container.fc
index ef5ad3b6..63f1537d 100644
--- a/policy/modules/services/container.fc
+++ b/policy/modules/services/container.fc
@@ -24,6 +24,8 @@ HOME_DIR/\.local/share/docker/volumes(/.*)?		gen_context(system_u:object_r:conta
 /usr/lib/systemd/system/docker.*	--	gen_context(system_u:object_r:container_unit_t,s0)
 /usr/lib/systemd/system/containerd.*	--	gen_context(system_u:object_r:container_unit_t,s0)
 
+/usr/sbin/runc	--	gen_context(system_u:object_r:container_engine_exec_t,s0)
+
 /etc/containers(/.*)?		gen_context(system_u:object_r:container_config_t,s0)
 /etc/cni(/.*)?		gen_context(system_u:object_r:container_config_t,s0)
 /etc/docker(/.*)?		gen_context(system_u:object_r:container_config_t,s0)
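Review bot: the `/usr/sbin/runc` entry is dropped between the systemd unit entries and the `/etc` block, while the existing `/usr/bin/crun` and `/usr/bin/runc` entries (visible in the container.fc hunk earlier on this page) sit together; place it next to those so all runtime binaries stay in one group.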



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2022-02-07  2:14 Jason Zaman
From: Jason Zaman @ 2022-02-07  2:14 UTC
  To: gentoo-commits

commit:     d2b6ae4f280b27859aeeda5c720a625297b72b2b
Author:     Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Wed Feb  2 10:25:52 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb  7 02:09:50 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d2b6ae4f

docker: On Debian, dockerd and docker-proxy are in /usr/sbin

Signed-off-by: Laurent Bigonville <bigon <AT> bigon.be>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/docker.fc | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/services/docker.fc b/policy/modules/services/docker.fc
index 577d148f..a5d0868e 100644
--- a/policy/modules/services/docker.fc
+++ b/policy/modules/services/docker.fc
@@ -6,3 +6,5 @@
 /usr/bin/containerd-shim-runc-v1	--	gen_context(system_u:object_r:dockerd_exec_t,s0)
 /usr/bin/containerd-shim-runc-v2	--	gen_context(system_u:object_r:dockerd_exec_t,s0)
 /usr/bin/containerd-stress	--	gen_context(system_u:object_r:dockerd_exec_t,s0)
+/usr/sbin/dockerd	--	gen_context(system_u:object_r:dockerd_exec_t,s0)
+/usr/sbin/docker-proxy	--	gen_context(system_u:object_r:dockerd_exec_t,s0)
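Review bot: the existing entries in this file are kept in sorted order (`containerd-shim-runc-v1`, `-v2`, `containerd-stress`); within the new `/usr/sbin` pair `docker-proxy` sorts before `dockerd`, so swap the two lines to keep the file sorted.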



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2022-02-07  2:14 Jason Zaman
From: Jason Zaman @ 2022-02-07  2:14 UTC
  To: gentoo-commits

commit:     9fe987d0d2703cbfec2a88e4a559bc83fdd15fcb
Author:     Jonathan Davies <jpds <AT> protonmail <DOT> com>
AuthorDate: Fri Jan 28 00:22:55 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb  7 02:07:41 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9fe987d0

node_exporter: Added initial policy.

Signed-off-by: Jonathan Davies <jpds <AT> protonmail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/node_exporter.fc |  6 +++
 policy/modules/services/node_exporter.if |  1 +
 policy/modules/services/node_exporter.te | 73 ++++++++++++++++++++++++++++++++
 3 files changed, 80 insertions(+)

diff --git a/policy/modules/services/node_exporter.fc b/policy/modules/services/node_exporter.fc
new file mode 100644
index 00000000..f2527d15
--- /dev/null
+++ b/policy/modules/services/node_exporter.fc
@@ -0,0 +1,6 @@
+/run/node_exporter\.pid	--	gen_context(system_u:object_r:node_exporter_runtime_t,s0)
+
+/usr/sbin/node_exporter	--	gen_context(system_u:object_r:node_exporter_exec_t,s0)
+
+/var/lib/node_exporter(/.*)?	gen_context(system_u:object_r:node_exporter_var_lib_t,s0)
+/var/log/node_exporter(/.*)?	gen_context(system_u:object_r:node_exporter_log_t,s0)

diff --git a/policy/modules/services/node_exporter.if b/policy/modules/services/node_exporter.if
new file mode 100644
index 00000000..0cceb87e
--- /dev/null
+++ b/policy/modules/services/node_exporter.if
@@ -0,0 +1 @@
+## <summary>Prometheus Node Exporter</summary>
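Review bot: the new .if carries only the module summary; refpolicy service modules normally ship at least an admin interface (compare `postfix_admin` in the postfix.if hunk later on this page) so an administrative role can start and stop the daemon and manage its runtime, var_lib and log types, and a `node_exporter_admin()` following that pattern would be expected for a new module.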

diff --git a/policy/modules/services/node_exporter.te b/policy/modules/services/node_exporter.te
new file mode 100644
index 00000000..7b74a327
--- /dev/null
+++ b/policy/modules/services/node_exporter.te
@@ -0,0 +1,73 @@
+policy_module(node_exporter)
+
+########################################
+#
+# Declarations
+#
+
+type node_exporter_t;
+type node_exporter_exec_t;
+init_daemon_domain(node_exporter_t, node_exporter_exec_t)
+
+type node_exporter_runtime_t;
+files_runtime_file(node_exporter_runtime_t)
+
+type node_exporter_var_lib_t;
+files_type(node_exporter_var_lib_t)
+
+type node_exporter_log_t;
+logging_log_file(node_exporter_log_t)
+
+########################################
+#
+# Local policy
+#
+
+allow node_exporter_t self:fifo_file rw_fifo_file_perms;
+allow node_exporter_t self:process { getsched signal };
+allow node_exporter_t self:netlink_route_socket r_netlink_socket_perms;
+allow node_exporter_t self:tcp_socket create_stream_socket_perms;
+allow node_exporter_t self:udp_socket create_socket_perms;
+
+manage_files_pattern(node_exporter_t, node_exporter_runtime_t, node_exporter_runtime_t)
+files_runtime_filetrans(node_exporter_t, node_exporter_runtime_t, file)
+
+manage_dirs_pattern(node_exporter_t, node_exporter_var_lib_t, node_exporter_var_lib_t)
+manage_files_pattern(node_exporter_t, node_exporter_var_lib_t, node_exporter_var_lib_t)
+files_var_lib_filetrans(node_exporter_t, node_exporter_var_lib_t, { dir file })
+
+append_files_pattern(node_exporter_t, node_exporter_log_t, node_exporter_log_t)
+create_files_pattern(node_exporter_t, node_exporter_log_t, node_exporter_log_t)
+setattr_files_pattern(node_exporter_t, node_exporter_log_t, node_exporter_log_t)
+logging_log_filetrans(node_exporter_t, node_exporter_log_t, { dir file })
+
+# Also uses port 9100
+corenet_tcp_bind_hplip_port(node_exporter_t)
+corenet_tcp_bind_generic_node(node_exporter_t)
+
+dev_read_sysfs(node_exporter_t)
+
+fs_getattr_all_fs(node_exporter_t)
+
+init_read_state(node_exporter_t)
+
+kernel_read_fs_sysctls(node_exporter_t)
+kernel_read_kernel_sysctls(node_exporter_t)
+kernel_read_net_sysctls(node_exporter_t)
+kernel_read_network_state(node_exporter_t)
+kernel_read_software_raid_state(node_exporter_t)
+kernel_read_system_state(node_exporter_t)
+
+ifdef(`init_systemd',`
+	dbus_system_bus_client(node_exporter_t)
+
+	init_dbus_chat(node_exporter_t)
+	init_get_all_units_status(node_exporter_t)
+	init_get_system_status(node_exporter_t)
+')
+
+optional_policy(`
+	kernel_read_rpc_sysctls(node_exporter_t)
+
+	rpc_search_nfs_state_data(node_exporter_t)
+')
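Review bot: `logging_log_filetrans(node_exporter_t, node_exporter_log_t, { dir file })` sets up a transition for directories, but the only rights granted on node_exporter_log_t are append/create/setattr for files, so creating a log directory would be denied; either drop `dir` from the filetrans or pair it with a `manage_dirs_pattern` on node_exporter_log_t, as the var_lib block above does with `files_var_lib_filetrans`. Two style points in the same hunk: the `dbus_system_bus_client` call inside the `init_systemd` block should sit in an `optional_policy()` since dbus is a separate module (compare the rootlesskit.te hunk earlier on this page), and the comment above `corenet_tcp_bind_hplip_port` should state that 9100 is labeled hplip_port_t in corenetwork, which is the only reason a monitoring exporter binds a printer port type.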



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2022-02-27  2:52 Jason Zaman
From: Jason Zaman @ 2022-02-27  2:52 UTC
  To: gentoo-commits

commit:     598805d2225387890f55a77e17567edbc788d824
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Fri Feb 18 19:56:40 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Feb 27 02:13:17 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=598805d2

matrixd: SELint fixes.

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/matrixd.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/services/matrixd.te b/policy/modules/services/matrixd.te
index 2c7f384c..d3950cda 100644
--- a/policy/modules/services/matrixd.te
+++ b/policy/modules/services/matrixd.te
@@ -41,7 +41,7 @@ files_type(matrixd_var_t)
 # Local policy
 #
 
-allow matrixd_t self:fifo_file rw_file_perms;
+allow matrixd_t self:fifo_file rw_fifo_file_perms;
 allow matrixd_t self:tcp_socket create_stream_socket_perms;
 allow matrixd_t self:netlink_route_socket r_netlink_socket_perms;
 



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2022-02-27  2:52 Jason Zaman
From: Jason Zaman @ 2022-02-27  2:52 UTC
  To: gentoo-commits

commit:     4234b23d214dd8b53dd631560f9c98778f1c9ac5
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Fri Feb 18 18:46:24 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Feb 27 02:13:17 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4234b23d

matrixd: Cleanups.

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/matrixd.fc |  6 ++++--
 policy/modules/services/matrixd.if |  2 +-
 policy/modules/services/matrixd.te | 35 ++++++++++++++++-------------------
 3 files changed, 21 insertions(+), 22 deletions(-)

diff --git a/policy/modules/services/matrixd.fc b/policy/modules/services/matrixd.fc
index b59b1c75..6db2d7ed 100644
--- a/policy/modules/services/matrixd.fc
+++ b/policy/modules/services/matrixd.fc
@@ -1,4 +1,6 @@
-/var/lib/matrix-synapse(/.*)?		gen_context(system_u:object_r:matrixd_var_t,s0)
-/var/log/matrix-synapse(/.*)?		gen_context(system_u:object_r:matrixd_log_t,s0)
 /etc/matrix-synapse(/.*)?		gen_context(system_u:object_r:matrixd_conf_t,s0)
+
 /usr/bin/synctl			--	gen_context(system_u:object_r:matrixd_exec_t,s0)
+
+/var/lib/matrix-synapse(/.*)?		gen_context(system_u:object_r:matrixd_var_t,s0)
+/var/log/matrix-synapse(/.*)?		gen_context(system_u:object_r:matrixd_log_t,s0)

diff --git a/policy/modules/services/matrixd.if b/policy/modules/services/matrixd.if
index f1eff5f0..8cf2a845 100644
--- a/policy/modules/services/matrixd.if
+++ b/policy/modules/services/matrixd.if
@@ -1 +1 @@
-## <summary>Matrixd</summary>
+## <summary>matrix.org synapse reference server.</summary>

diff --git a/policy/modules/services/matrixd.te b/policy/modules/services/matrixd.te
index 5c217678..2c7f384c 100644
--- a/policy/modules/services/matrixd.te
+++ b/policy/modules/services/matrixd.te
@@ -1,4 +1,4 @@
-policy_module(matrixd, 1.0.0)
+policy_module(matrixd)
 
 ########################################
 #
@@ -20,23 +20,22 @@ gen_tunable(matrix_allow_federation, true)
 ## </desc>
 gen_tunable(matrix_postgresql_connect, false)
 
-
 type matrixd_t;
 type matrixd_exec_t;
 init_daemon_domain(matrixd_t, matrixd_exec_t)
 
-type matrixd_var_t;
-files_type(matrixd_var_t)
+type matrixd_conf_t;
+files_config_file(matrixd_conf_t)
 
 type matrixd_log_t;
 logging_log_file(matrixd_log_t)
 
-type matrixd_conf_t;
-files_config_file(matrixd_conf_t)
-
 type matrixd_tmp_t;
 files_tmp_file(matrixd_tmp_t)
 
+type matrixd_var_t;
+files_type(matrixd_var_t)
+
 ########################################
 #
 # Local policy
@@ -56,16 +55,15 @@ allow matrixd_t matrixd_tmp_t:file { manage_file_perms map };
 files_tmp_filetrans(matrixd_t, matrixd_tmp_t, file)
 fs_tmpfs_filetrans(matrixd_t, matrixd_tmp_t, file)
 
-manage_files_pattern(matrixd_t, matrixd_var_t, matrixd_var_t)
-files_search_var_lib(matrixd_t)
-allow matrixd_t matrixd_var_t:file map;
-allow matrixd_t matrixd_var_t:dir manage_dir_perms;
+allow matrixd_t matrixd_conf_t:dir list_dir_perms;
+read_files_pattern(matrixd_t, matrixd_conf_t, matrixd_conf_t)
 
 logging_search_logs(matrixd_t)
 manage_files_pattern(matrixd_t, matrixd_log_t, matrixd_log_t)
 
-read_files_pattern(matrixd_t, matrixd_conf_t, matrixd_conf_t)
-allow matrixd_t matrixd_conf_t:dir list_dir_perms;
+mmap_manage_files_pattern(matrixd_t, matrixd_var_t, matrixd_var_t)
+manage_dirs_pattern(matrixd_t, matrixd_var_t, matrixd_var_t)
+files_search_var_lib(matrixd_t)
 
 kernel_read_system_state(matrixd_t)
 kernel_read_vm_overcommit_sysctl(matrixd_t)
@@ -81,7 +79,6 @@ corenet_tcp_bind_generic_node(matrixd_t)
 corenet_tcp_bind_http_port(matrixd_t)
 corenet_tcp_connect_http_cache_port(matrixd_t)
 corenet_tcp_connect_http_port(matrixd_t)
-
 corenet_udp_bind_generic_node(matrixd_t)
 corenet_udp_bind_generic_port(matrixd_t)
 corenet_udp_bind_reserved_port(matrixd_t)
@@ -91,11 +88,11 @@ dev_read_urand(matrixd_t)
 files_read_etc_files(matrixd_t)
 files_read_etc_runtime_files(matrixd_t)
 files_read_etc_symlinks(matrixd_t)
-
 # for /usr/share/ca-certificates
 files_read_usr_files(matrixd_t)
 
 init_search_runtime(matrixd_t)
+
 logging_send_syslog_msg(matrixd_t)
 
 miscfiles_read_generic_tls_privkey(matrixd_t)
@@ -106,10 +103,6 @@ sysnet_read_config(matrixd_t)
 
 userdom_search_user_runtime_root(matrixd_t)
 
-optional_policy(`
-	apache_search_config(matrixd_t)
-')
-
 tunable_policy(`matrix_allow_federation',`
 	corenet_tcp_connect_all_unreserved_ports(matrixd_t)
 	corenet_tcp_connect_generic_port(matrixd_t)
@@ -124,3 +117,7 @@ tunable_policy(`matrix_postgresql_connect',`
 	postgresql_tcp_connect(matrixd_t)
 ')
 
+optional_policy(`
+	apache_search_config(matrixd_t)
+')
+ 
\ No newline at end of file
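Review bot: the relocated `optional_policy` block ends with a whitespace-only line (`+ `) and the file now lacks a trailing newline (`\ No newline at end of file`); drop the blank line's stray space and terminate the file with a newline so the next edit does not produce a spurious diff.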



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2022-02-27  2:52 Jason Zaman
From: Jason Zaman @ 2022-02-27  2:52 UTC
  To: gentoo-commits

commit:     e312e5bdbbf8d7c76b13d94b02ad56372d6d8b37
Author:     Russell Coker <russell <AT> coker <DOT> com <DOT> au>
AuthorDate: Wed Feb 16 13:07:30 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Feb 27 02:13:17 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e312e5bd

dontaudit net_admin without hide_broken_symptoms

Sending this patch again without the ifdef; I agree that the ifdef isn't very
useful nowadays.

Signed-off-by: Russell Coker <russell <AT> coker.com.au>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/cron.te      | 2 ++
 policy/modules/services/dbus.te      | 2 ++
 policy/modules/services/policykit.te | 2 ++
 policy/modules/services/postfix.te   | 2 ++
 4 files changed, 8 insertions(+)

diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
index 03268277..9ecbe4d6 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -209,6 +209,8 @@ tunable_policy(`fcron_crond',`
 # Daemon local policy
 #
 
+# for changing buffer sizes
+dontaudit crond_t self:capability net_admin;
 allow crond_t self:capability { chown dac_override dac_read_search fowner setgid setuid sys_nice };
 dontaudit crond_t self:capability { sys_resource sys_tty_config };
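Review bot: `dontaudit crond_t self:capability net_admin;` duplicates the form of the `dontaudit crond_t self:capability { sys_resource sys_tty_config };` rule two lines below; fold net_admin into that set and move the buffer-size comment next to it, so the capability dontaudits for crond_t stay in one rule and keep the allow-then-dontaudit order already used in this block.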
 

diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index c0b98558..9a1e6b30 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -67,6 +67,8 @@ ifdef(`enable_mls',`
 # Local policy
 #
 
+# for changing buffer sizes
+dontaudit system_dbusd_t self:capability net_admin;
 allow system_dbusd_t self:capability { dac_override setgid setpcap setuid sys_resource };
 dontaudit system_dbusd_t self:capability sys_tty_config;
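Review bot: the new `dontaudit system_dbusd_t self:capability net_admin;` sits above the allow while an existing `dontaudit system_dbusd_t self:capability sys_tty_config;` follows it; fold net_admin into that existing rule as `{ net_admin sys_tty_config }` with the comment beside it, rather than adding a second capability dontaudit for the same domain.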
 allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap setrlimit };

diff --git a/policy/modules/services/policykit.te b/policy/modules/services/policykit.te
index ee8f4c2d..46f5568f 100644
--- a/policy/modules/services/policykit.te
+++ b/policy/modules/services/policykit.te
@@ -68,6 +68,8 @@ miscfiles_read_localization(policykit_domain)
 # Local policy
 #
 
+# for changing buffer sizes
+dontaudit policykit_t self:capability net_admin;
 allow policykit_t self:capability { dac_override dac_read_search setgid setuid sys_nice sys_ptrace };
 allow policykit_t self:process { getsched setsched signal };
 allow policykit_t self:unix_stream_socket { accept connectto listen };
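Review bot: the new `dontaudit` is inserted above the existing `allow policykit_t self:capability ...` line; the other domain blocks in this commit put the allow first and the dontaudit after it, so swap the two for consistency (there is no existing capability dontaudit here to fold net_admin into, so a separate rule is fine).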

diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
index 6b97df10..6fe06887 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@@ -107,6 +107,8 @@ mta_mailserver_delivery(postfix_virtual_t)
 # Common postfix domain local policy
 #
 
+# for changing buffer sizes
+dontaudit postfix_domain self:capability net_admin;
 allow postfix_domain self:capability { sys_chroot sys_nice };
 dontaudit postfix_domain self:capability sys_tty_config;
 allow postfix_domain self:process { signal_perms setpgid setsched };
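Review bot: `dontaudit postfix_domain self:capability net_admin;` should be folded into the existing `dontaudit postfix_domain self:capability sys_tty_config;` two lines below as `{ net_admin sys_tty_config }`, with the comment moved alongside, instead of adding a second capability dontaudit above the allow.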



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2022-02-27  2:52 Jason Zaman
From: Jason Zaman @ 2022-02-27  2:52 UTC
  To: gentoo-commits

commit:     a6f1a4be5244df25381bdc9d270765134f4d802b
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Feb 16 16:04:33 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Feb 27 02:13:17 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a6f1a4be

cron, dbus, policykit, postfix: Minor style fixes.

No rule changes.

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/cron.te      | 4 ++--
 policy/modules/services/dbus.te      | 5 ++---
 policy/modules/services/policykit.te | 2 +-
 policy/modules/services/postfix.te   | 5 ++---
 4 files changed, 7 insertions(+), 9 deletions(-)

diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
index 9ecbe4d6..b36fc709 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -209,10 +209,10 @@ tunable_policy(`fcron_crond',`
 # Daemon local policy
 #
 
-# for changing buffer sizes
 dontaudit crond_t self:capability net_admin;
 allow crond_t self:capability { chown dac_override dac_read_search fowner setgid setuid sys_nice };
-dontaudit crond_t self:capability { sys_resource sys_tty_config };
+# net_admin for changing buffer sizes
+dontaudit crond_t self:capability { net_admin sys_resource sys_tty_config };
 
 allow crond_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
 allow crond_t self:fd use;
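Review bot: the standalone `dontaudit crond_t self:capability net_admin;` on the unchanged context line is still present after net_admin has been folded into `dontaudit crond_t self:capability { net_admin sys_resource sys_tty_config };`, so crond_t now dontaudits net_admin twice; the dbus.te and postfix.te hunks in this same commit remove the standalone rule, and this hunk should too (the commit message's "No rule changes" still holds, since the permission set is unchanged).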

diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index 9a1e6b30..31fc905c 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -67,10 +67,9 @@ ifdef(`enable_mls',`
 # Local policy
 #
 
-# for changing buffer sizes
-dontaudit system_dbusd_t self:capability net_admin;
 allow system_dbusd_t self:capability { dac_override setgid setpcap setuid sys_resource };
-dontaudit system_dbusd_t self:capability sys_tty_config;
+# net_admin for changing buffer sizes
+dontaudit system_dbusd_t self:capability { net_admin sys_tty_config };
 allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap setrlimit };
 allow system_dbusd_t self:fifo_file rw_fifo_file_perms;
 allow system_dbusd_t self:dbus { send_msg acquire_svc };

diff --git a/policy/modules/services/policykit.te b/policy/modules/services/policykit.te
index 46f5568f..197dc13c 100644
--- a/policy/modules/services/policykit.te
+++ b/policy/modules/services/policykit.te
@@ -68,9 +68,9 @@ miscfiles_read_localization(policykit_domain)
 # Local policy
 #
 
+allow policykit_t self:capability { dac_override dac_read_search setgid setuid sys_nice sys_ptrace };
 # for changing buffer sizes
 dontaudit policykit_t self:capability net_admin;
-allow policykit_t self:capability { dac_override dac_read_search setgid setuid sys_nice sys_ptrace };
 allow policykit_t self:process { getsched setsched signal };
 allow policykit_t self:unix_stream_socket { accept connectto listen };
 

diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
index 6fe06887..5c324bc7 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@@ -107,10 +107,9 @@ mta_mailserver_delivery(postfix_virtual_t)
 # Common postfix domain local policy
 #
 
-# for changing buffer sizes
-dontaudit postfix_domain self:capability net_admin;
 allow postfix_domain self:capability { sys_chroot sys_nice };
-dontaudit postfix_domain self:capability sys_tty_config;
+# net_admin for changing buffer sizes
+dontaudit postfix_domain self:capability { net_admin sys_tty_config };
 allow postfix_domain self:process { signal_perms setpgid setsched };
 allow postfix_domain self:fifo_file rw_fifo_file_perms;
 allow postfix_domain self:unix_stream_socket { accept connectto listen };



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2022-02-27  2:52 Jason Zaman
From: Jason Zaman @ 2022-02-27  2:52 UTC
  To: gentoo-commits

commit:     ea8252c7f327f34621e7d81da48fae7b7a5aede9
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Feb 16 12:03:34 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Feb 27 02:13:17 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ea8252c7

postfix, spamassassin: Fix missed type renames after alias removals.

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/postfix.if      | 4 ++--
 policy/modules/services/spamassassin.if | 8 ++++----
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if
index 42b96b36..847022bf 100644
--- a/policy/modules/services/postfix.if
+++ b/policy/modules/services/postfix.if
@@ -683,13 +683,13 @@ interface(`postfix_admin',`
 		type postfix_initrc_exec_t, postfix_prng_t, postfix_etc_t;
 		type postfix_data_t, postfix_runtime_t, postfix_public_t;
 		type postfix_private_t, postfix_map_tmp_t, postfix_exec_t;
-		type postfix_keytab_t, postfix_t;
+		type postfix_keytab_t, postfix_master_t;
 	')
 
 	allow $1 postfix_domain:process { ptrace signal_perms };
 	ps_process_pattern($1, postfix_domain)
 
-	init_startstop_service($1, $2, postfix_t, postfix_initrc_exec_t)
+	init_startstop_service($1, $2, postfix_master_t, postfix_initrc_exec_t)
 
 	files_search_etc($1)
 	admin_pattern($1, { postfix_prng_t postfix_etc_t postfix_exec_t postfix_keytab_t })

diff --git a/policy/modules/services/spamassassin.if b/policy/modules/services/spamassassin.if
index 9fbae73d..b530a76f 100644
--- a/policy/modules/services/spamassassin.if
+++ b/policy/modules/services/spamassassin.if
@@ -72,10 +72,10 @@ template(`spamassassin_role',`
 #
 interface(`spamassassin_run_update',`
 	gen_require(`
-		type spamd_gpg_t, spamd_update_exec_t, spamd_update_t;
+		type spamd_update_t, spamd_update_exec_t, spamd_update_t;
 	')
 
-	role $2 types { spamd_gpg_t spamd_update_t };
+	role $2 types { spamd_update_t spamd_update_t };
 	domtrans_pattern($1, spamd_update_exec_t, spamd_update_t)
 ')
 
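Review bot: The rename left a duplicate: `type spamd_update_t, spamd_update_exec_t, spamd_update_t;` lists spamd_update_t twice, and `role $2 types { spamd_update_t spamd_update_t };` repeats it as well. Drop the duplicates so the require reads `type spamd_update_t, spamd_update_exec_t;` and the role line names spamd_update_t once; even if the compiler accepts it, it reads like an unfinished search-and-replace of spamd_gpg_t.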
@@ -476,10 +476,10 @@ interface(`spamassassin_admin',`
 		type spamd_t, spamd_tmp_t, spamd_log_t;
 		type spamd_spool_t, spamd_var_lib_t, spamd_runtime_t;
 		type spamd_initrc_exec_t, spamassassin_unit_t;
-		type spamd_gpg_t, spamd_update_t, spamd_update_tmp_t;
+		type spamd_update_t, spamd_update_t, spamd_update_tmp_t;
 	')
 
-	admin_process_pattern($1, { spamd_t spamd_gpg_t spamd_update_t })
+	admin_process_pattern($1, { spamd_t spamd_update_t spamd_update_t })
 
 	init_startstop_service($1, $2, spamd_t, spamd_initrc_exec_t, spamassassin_unit_t)
 
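Review bot: Same duplicate here: `type spamd_update_t, spamd_update_t, spamd_update_tmp_t;` and `admin_process_pattern($1, { spamd_t spamd_update_t spamd_update_t })` each name spamd_update_t twice where spamd_gpg_t used to be. Remove the second occurrence in both lines.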


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2022-03-31  3:31 Jason Zaman
From: Jason Zaman @ 2022-03-31  3:31 UTC
  To: gentoo-commits

commit:     c2bcc69a341396ee6249308575615c68d30926bd
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Fri Mar 25 15:29:37 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Mar 31 02:40:53 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c2bcc69a

apache: Remove unnecessary require in apache_exec().

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/apache.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
index dd86c618..2b3a7f3c 100644
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@@ -248,7 +248,7 @@ interface(`apache_domtrans',`
 #
 interface(`apache_exec',`
 	gen_require(`
-		type httpd_t, httpd_exec_t;
+		type httpd_exec_t;
 	')
 
 	can_exec($1, httpd_exec_t)


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2022-03-31  3:31 Jason Zaman
From: Jason Zaman @ 2022-03-31  3:31 UTC
  To: gentoo-commits

commit:     11a7bdcff19d577062c451a8e0099b5c77092559
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Wed Dec  1 14:13:52 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Mar 31 02:40:53 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=11a7bdcf

networkmanager: allow getting systemd system status

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/networkmanager.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te
index e16d0d2b..db92cbff 100644
--- a/policy/modules/services/networkmanager.te
+++ b/policy/modules/services/networkmanager.te
@@ -165,6 +165,7 @@ storage_getattr_fixed_disk_dev(NetworkManager_t)
 init_read_utmp(NetworkManager_t)
 init_dontaudit_write_utmp(NetworkManager_t)
 init_domtrans_script(NetworkManager_t)
+init_get_system_status(NetworkManager_t)
 
 auth_use_nsswitch(NetworkManager_t)
 
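Review bot: No reason is given, in the commit message or in a comment, for NetworkManager_t needing init_get_system_status; a status query is not self-explanatory the way the neighbouring utmp and script-transition calls are, so a short comment naming the operation (or the denial) that motivated it would help a later audit of this domain's init access.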


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2022-03-31  3:31 Jason Zaman
From: Jason Zaman @ 2022-03-31  3:31 UTC
  To: gentoo-commits

commit:     d953a2fbae3db9cea8136566782294d6206a717a
Author:     Russell Coker <russell <AT> coker <DOT> com <DOT> au>
AuthorDate: Thu Mar 24 14:34:49 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Mar 31 02:40:53 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d953a2fb

certbot V3

Same as the last one but with the directory names for the auto trans rules
removed.  I think it's ready for merging.

Signed-off-by: Russell Coker <russell <AT> coker.com.au>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/apache.if  | 36 ++++++++++++++++++++++++++++++++++++
 policy/modules/services/certbot.te | 22 +++++++++++++++++++---
 2 files changed, 55 insertions(+), 3 deletions(-)

diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
index 11a7120e..dd86c618 100644
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@@ -236,6 +236,24 @@ interface(`apache_domtrans',`
 	domtrans_pattern($1, httpd_exec_t, httpd_t)
 ')
 
+########################################
+## <summary>
+##	Execute httpd
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to execute it.
+##	</summary>
+## </param>
+#
+interface(`apache_exec',`
+	gen_require(`
+		type httpd_t, httpd_exec_t;
+	')
+
+	can_exec($1, httpd_exec_t)
+')
+
 ########################################
 ## <summary>
 ##	Execute httpd server in the httpd domain.
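Review bot: `type httpd_t, httpd_exec_t;` in the gen_require of apache_exec declares httpd_t, which the body (`can_exec($1, httpd_exec_t)`) never uses; drop it. The summary `Execute httpd` should also say that execution stays in the caller's domain, to distinguish this interface from apache_domtrans directly above it.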
@@ -1430,3 +1448,21 @@ interface(`apache_admin',`
 	apache_run_all_scripts($1, $2)
 	apache_run_helper($1, $2)
 ')
+
+########################################
+## <summary>
+##	rw httpd_runtime_t files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apache_rw_runtime_files',`
+	gen_require(`
+		type httpd_runtime_t;
+	')
+
+	allow $1 httpd_runtime_t:file rw_file_perms;
+')
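Review bot: The summary `rw httpd_runtime_t files` uses the raw type name; interface summaries in this file describe the access in words (for example "Read and write httpd runtime files"). The interface also grants only `httpd_runtime_t:file rw_file_perms` with no search on the runtime directory; if callers do not already get that elsewhere, add the dir search here.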

diff --git a/policy/modules/services/certbot.te b/policy/modules/services/certbot.te
index fc979c5f..ac609795 100644
--- a/policy/modules/services/certbot.te
+++ b/policy/modules/services/certbot.te
@@ -43,7 +43,7 @@ allow certbot_t self:udp_socket all_udp_socket_perms;
 allow certbot_t self:tcp_socket all_tcp_socket_perms;
 allow certbot_t self:netlink_route_socket create_netlink_socket_perms;
 
-files_search_var_lib(certbot_t)
+files_var_lib_filetrans(certbot_t, certbot_lib_t, dir)
 manage_dirs_pattern(certbot_t, certbot_lib_t, certbot_lib_t)
 manage_files_pattern(certbot_t, certbot_lib_t, certbot_lib_t)
 
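Review bot: files_search_var_lib(certbot_t) is replaced rather than supplemented by files_var_lib_filetrans(certbot_t, certbot_lib_t, dir); confirm the filetrans interface also carries the search permission on the /var/lib directory, otherwise certbot_t loses the ability to reach its own lib directory. The same check applies to logging_search_logs being swapped for logging_log_filetrans in the next hunk. With no name argument, every directory certbot_t creates directly under /var/lib (or /var/log) is labeled certbot_lib_t (certbot_log_t), which the commit message says is intended.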
@@ -62,7 +62,7 @@ allow certbot_t certbot_tmp_t:file mmap_exec_file_perms;
 allow certbot_t certbot_tmpfs_t:file mmap_exec_file_perms;
 allow certbot_t certbot_runtime_t:file mmap_exec_file_perms;
 
-logging_search_logs(certbot_t)
+logging_log_filetrans(certbot_t, certbot_log_t, dir)
 allow certbot_t certbot_log_t:dir manage_dir_perms;
 allow certbot_t certbot_log_t:file manage_file_perms;
 
@@ -80,11 +80,15 @@ corenet_tcp_connect_dns_port(certbot_t)
 # bind to http port for standalone mode
 corenet_tcp_bind_http_port(certbot_t)
 
+dev_read_urand(certbot_t)
+
 domain_use_interactive_fds(certbot_t)
 
 files_read_etc_files(certbot_t)
 files_read_usr_files(certbot_t)
 
+# dontaudit for attempts to write python cache files
+libs_dontaudit_write_lib_dirs(certbot_t)
 libs_exec_ldconfig(certbot_t)
 # for /usr/lib/gcc/x86_64-linux-gnu/8/collect2
 libs_exec_lib_files(certbot_t)
@@ -110,5 +114,17 @@ optional_policy(`
 	# for writing to webroot
 	apache_manage_sys_content(certbot_t)
 
-	apache_search_config(certbot_t)
+	apache_append_log(certbot_t)
+	apache_exec(certbot_t)
+	apache_exec_modules(certbot_t)
+
+	# for certbot to create nginx config
+	apache_manage_config(certbot_t)
+
+	apache_rw_runtime_files(certbot_t)
+	apache_signal(certbot_t)
+')
+
+optional_policy(`
+	xdg_search_config_dirs(certbot_t)
 ')
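Review bot: This hunk turns a read-only apache_search_config(certbot_t) into apache_manage_config, apache_exec, apache_exec_modules, apache_rw_runtime_files and apache_signal, so certbot_t can now rewrite the web server's configuration and signal it. That is what the web server plugins need, but the commit message should say so, since a compromised certbot_t now has write access to httpd config. The comment `# for certbot to create nginx config` also sits above an apache_ interface; state that nginx's config shares the httpd config type, or the comment reads as a mismatch.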


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2022-03-31  3:31 Jason Zaman
From: Jason Zaman @ 2022-03-31  3:31 UTC
  To: gentoo-commits

commit:     96b25ec181556bbae727bb32714c6d4438f6ce67
Author:     Russell Coker <russell <AT> coker <DOT> com <DOT> au>
AuthorDate: Thu Feb 17 14:47:40 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Mar 31 02:40:53 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=96b25ec1

init dbus patch for GetDynamicUsers with systemd_use_nss() V2

Same as before but moved to the top of my patch list so it will apply to the
git policy.

Should be ready to merge now.

Signed-off-by: Russell Coker <russell <AT> coker.com.au>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/dictd.te   |  3 +++
 policy/modules/services/postfix.te | 18 ++++++++++--------
 2 files changed, 13 insertions(+), 8 deletions(-)

diff --git a/policy/modules/services/dictd.te b/policy/modules/services/dictd.te
index a6bc5336..a286f7de 100644
--- a/policy/modules/services/dictd.te
+++ b/policy/modules/services/dictd.te
@@ -79,3 +79,6 @@ optional_policy(`
 	seutil_sigchld_newrole(dictd_t)
 ')
 
+ifdef(`init_systemd',`
+	systemd_use_nss(dictd_t)
+')

diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
index 5c324bc7..0f865b00 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@@ -374,11 +374,7 @@ manage_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bou
 manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
 
 optional_policy(`
-	init_dbus_chat(postfix_bounce_t)
-')
-
-optional_policy(`
-	dbus_system_bus_client(postfix_bounce_t)
+	systemd_use_nss(postfix_bounce_t)
 ')
 
 ########################################
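Review bot: systemd_use_nss(postfix_bounce_t) is wrapped in optional_policy(` here, while the same call in dictd.te in this patch is wrapped in ifdef(`init_systemd',`; pick one convention for the whole patch. The replacement of init_dbus_chat and dbus_system_bus_client with a single systemd_use_nss call otherwise matches the commit title.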
@@ -765,6 +761,10 @@ optional_policy(`
 	cyrus_stream_connect(postfix_smtp_t)
 ')
 
+optional_policy(`
+	systemd_use_nss(postfix_smtp_t)
+')
+
 optional_policy(`
 	dovecot_stream_connect(postfix_smtp_t)
 ')
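Review bot: The new optional_policy block for systemd_use_nss(postfix_smtp_t) is inserted between the cyrus_ and dovecot_ blocks, breaking the alphabetical ordering of optional_policy blocks in this section; move it to its alphabetical position after the other blocks.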
@@ -773,6 +773,10 @@ optional_policy(`
 	milter_stream_connect_all(postfix_smtp_t)
 ')
 
+optional_policy(`
+	systemd_use_nss(postfix_showq_t)
+')
+
 ########################################
 #
 # Smtpd local policy
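Review bot: systemd_use_nss(postfix_showq_t) lands in the Smtp delivery section (the surrounding context is milter_stream_connect_all(postfix_smtp_t) above and the `# Smtpd local policy` header below); it belongs in the showq local policy section with the other postfix_showq_t rules.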
@@ -803,9 +807,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-	dbus_send_system_bus(postfix_smtp_t)
-	dbus_system_bus_client(postfix_smtp_t)
-	init_dbus_chat(postfix_smtp_t)
+	systemd_use_nss(postfix_smtpd_t)
 ')
 
 optional_policy(`
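Review bot: The removed lines named postfix_smtp_t while the added line names postfix_smtpd_t, so besides swapping the dbus rules for systemd_use_nss this hunk silently corrects the domain in the smtpd section; a sentence in the commit message would stop the domain change from being mistaken for a typo.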


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2022-03-31  3:31 Jason Zaman
From: Jason Zaman @ 2022-03-31  3:31 UTC
  To: gentoo-commits

commit:     04b123f76086ec111c475bd22b81b2da5be95037
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Fri Mar 25 12:45:21 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Mar 31 02:40:53 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=04b123f7

postfix: Move lines.

No rule change.

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/postfix.te | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
index 0f865b00..a61882d4 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@@ -738,6 +738,10 @@ allow postfix_showq_t postfix_spool_t:file read_file_perms;
 term_use_all_ptys(postfix_showq_t)
 term_use_all_ttys(postfix_showq_t)
 
+optional_policy(`
+	systemd_use_nss(postfix_showq_t)
+')
+
 ########################################
 #
 # Smtp delivery local policy
@@ -761,10 +765,6 @@ optional_policy(`
 	cyrus_stream_connect(postfix_smtp_t)
 ')
 
-optional_policy(`
-	systemd_use_nss(postfix_smtp_t)
-')
-
 optional_policy(`
 	dovecot_stream_connect(postfix_smtp_t)
 ')
@@ -774,7 +774,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-	systemd_use_nss(postfix_showq_t)
+	systemd_use_nss(postfix_smtp_t)
 ')
 
 ########################################
@@ -806,10 +806,6 @@ optional_policy(`
 	certbot_read_lib(postfix_smtpd_t)
 ')
 
-optional_policy(`
-	systemd_use_nss(postfix_smtpd_t)
-')
-
 optional_policy(`
 	dovecot_stream_connect_auth(postfix_smtpd_t)
 	dovecot_stream_connect(postfix_smtpd_t)
@@ -840,6 +836,10 @@ optional_policy(`
 	spamassassin_stream_connect_spamd(postfix_smtpd_t)
 ')
 
+optional_policy(`
+	systemd_use_nss(postfix_smtpd_t)
+')
+
 ########################################
 #
 # Virtual local policy


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2022-04-09 19:28 Jason Zaman
From: Jason Zaman @ 2022-04-09 19:28 UTC
  To: gentoo-commits

commit:     502084fa7b0f2a22c1d6c2f25f3dae7a54008dee
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Thu Mar 31 19:02:13 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Apr  9 19:28:30 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=502084fa

podman: add rules for systemd container units

Allow conmon to use init file descriptors and read-write init unix
stream sockets. This is in support of containers started as systemd
units.

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/podman.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/policy/modules/services/podman.te b/policy/modules/services/podman.te
index e5158720..f8600a7a 100644
--- a/policy/modules/services/podman.te
+++ b/policy/modules/services/podman.te
@@ -175,6 +175,9 @@ fs_watch_cgroup_files(podman_conmon_t)
 fs_getattr_tmpfs(podman_conmon_t)
 fs_getattr_xattr_fs(podman_conmon_t)
 
+init_rw_inherited_stream_socket(podman_conmon_t)
+init_use_fds(podman_conmon_t)
+
 logging_send_syslog_msg(podman_conmon_t)
 
 miscfiles_read_localization(podman_conmon_t)


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2022-04-09 19:28 Jason Zaman
From: Jason Zaman @ 2022-04-09 19:28 UTC
  To: gentoo-commits

commit:     bd72a9299a732f01958ce28f616be3313eb13536
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Thu Mar 31 18:22:01 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Apr  9 19:28:30 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=bd72a929

podman: fix role associations

Add conmon to the system role and make podman/conmon user domains user
applications.

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/podman.te | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/policy/modules/services/podman.te b/policy/modules/services/podman.te
index 316db505..e5158720 100644
--- a/policy/modules/services/podman.te
+++ b/policy/modules/services/podman.te
@@ -18,15 +18,16 @@ mls_trusted_object(podman_t)
 
 container_engine_domain_template(podman_user)
 container_user_engine(podman_user_t)
-application_domain(podman_user_t, podman_exec_t)
+userdom_user_application_domain(podman_user_t, podman_exec_t)
 mls_trusted_object(podman_user_t)
 
 type podman_conmon_t;
 type podman_conmon_exec_t;
 application_domain(podman_conmon_t, podman_conmon_exec_t)
+role system_r types podman_conmon_t;
 
 type podman_conmon_user_t;
-application_domain(podman_conmon_user_t, podman_conmon_exec_t)
+userdom_user_application_domain(podman_conmon_user_t, podman_conmon_exec_t)
 
 ########################################
 #


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2022-04-09 19:28 Jason Zaman
From: Jason Zaman @ 2022-04-09 19:28 UTC
  To: gentoo-commits

commit:     01b153cb47331dc2ba354100c74acb4e37393fc1
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Thu Mar 31 18:44:24 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Apr  9 19:28:30 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=01b153cb

container, podman: allow containers to interact with conmon

Allow containers to use inherited conmon file descriptors and read and
write unnamed conmon pipes.

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/container.te |  5 +++++
 policy/modules/services/podman.if    | 41 ++++++++++++++++++++++++++++++++++++
 2 files changed, 46 insertions(+)

diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te
index d5f79b15..3d623229 100644
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@@ -248,6 +248,11 @@ tunable_policy(`container_use_samba',`
 	fs_exec_cifs_files(container_domain)
 ')
 
+optional_policy(`
+	podman_rw_conmon_pipes(container_domain)
+	podman_use_conmon_fds(container_domain)
+')
+
 optional_policy(`
 	udev_read_runtime_files(container_domain)
 ')

diff --git a/policy/modules/services/podman.if b/policy/modules/services/podman.if
index 3d03884e..7523e33d 100644
--- a/policy/modules/services/podman.if
+++ b/policy/modules/services/podman.if
@@ -188,6 +188,47 @@ interface(`podman_run_conmon_user',`
 	podman_domtrans_conmon_user($1)
 ')
 
+########################################
+## <summary>
+##	Read and write conmon unnamed pipes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`podman_rw_conmon_pipes',`
+	gen_require(`
+		type podman_conmon_t;
+		type podman_conmon_user_t;
+	')
+
+	allow $1 podman_conmon_t:fifo_file rw_fifo_file_perms;
+	allow $1 podman_conmon_user_t:fifo_file rw_fifo_file_perms;
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to inherit
+##	file descriptors from conmon.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`podman_use_conmon_fds',`
+	gen_require(`
+		type podman_conmon_t;
+		type podman_conmon_user_t;
+	')
+
+	allow $1 podman_conmon_t:fd use;
+	allow $1 podman_conmon_user_t:fd use;
+')
+
 ########################################
 ## <summary>
 ##	Role access for rootless podman.
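Review bot: podman_rw_conmon_pipes and podman_use_conmon_fds grant access to the fifo_files and fds of every podman_conmon_t and podman_conmon_user_t instance, not only the conmon that started the calling container; once container.te applies them to container_domain, type enforcement alone no longer separates one container's conmon pipes from another's. If MCS categories are what keeps containers apart here, say so in the interface summary so the scope of the grant is clear.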


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2022-04-09 19:28 Jason Zaman
From: Jason Zaman @ 2022-04-09 19:28 UTC
  To: gentoo-commits

commit:     dd3730338d07fb8b8a96350f84148eb07ab40769
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Thu Mar 31 19:09:25 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Apr  9 19:28:30 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=dd373033

container: add tunables to allow containers to access public content

Note that container engines only need read access to these files even if
manage access is enabled.

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/container.te | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te
index d7d27d7c..fa4145e3 100644
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@@ -16,6 +16,20 @@ gen_tunable(container_manage_cgroup, false)
 ## </desc>
 gen_tunable(container_mounton_non_security, false)
 
+## <desc>
+##	<p>
+##	Allow containers to manage all read-writable public content.
+##	</p>
+## </desc>
+gen_tunable(container_manage_public_content, false)
+
+## <desc>
+##	<p>
+##	Allow containers to read all public content.
+##	</p>
+## </desc>
+gen_tunable(container_read_public_content, false)
+
 ## <desc>
 ##	<p>
 ##	Allow containers to use NFS filesystems.
@@ -232,6 +246,14 @@ tunable_policy(`container_manage_cgroup',`
 	fs_manage_cgroup_files(container_domain)
 ')
 
+tunable_policy(`container_manage_public_content',`
+	miscfiles_manage_public_files(container_domain)
+')
+
+tunable_policy(`container_read_public_content',`
+	miscfiles_read_public_files(container_domain)
+')
+
 tunable_policy(`container_use_nfs',`
 	fs_manage_nfs_dirs(container_domain)
 	fs_manage_nfs_files(container_domain)
@@ -515,6 +537,14 @@ ifdef(`init_systemd',`
 	init_run_bpf(container_engine_domain)
 ')
 
+tunable_policy(`container_manage_public_content',`
+	miscfiles_read_public_files(container_engine_domain)
+')
+
+tunable_policy(`container_read_public_content',`
+	miscfiles_read_public_files(container_engine_domain)
+')
+
 tunable_policy(`container_mounton_non_security',`
 	files_mounton_non_security(container_engine_domain)
 ')
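Review bot: Both tunable_policy blocks for container_engine_domain grant the same miscfiles_read_public_files; the commit message explains why (engines only need read access even when manage is enabled) but the policy does not. An in-line comment above the container_manage_public_content block would stop a reader from taking it for a copy-paste error.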


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2022-04-09 19:28 Jason Zaman
From: Jason Zaman @ 2022-04-09 19:28 UTC
  To: gentoo-commits

commit:     07995718de36b9b849fa92fcbfca9ce7716a4d3d
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Thu Mar 31 19:09:45 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Apr  9 19:28:30 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=07995718

container: allow generic containers to read the vm_overcommit sysctl

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/container.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te
index 3d623229..d7d27d7c 100644
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@@ -333,6 +333,8 @@ files_read_kernel_modules(container_t)
 fs_mount_cgroup(container_t)
 fs_rw_cgroup_files(container_t)
 
+kernel_read_vm_overcommit_sysctl(container_t)
+
 auth_use_nsswitch(container_t)
 
 logging_send_audit_msgs(container_t)
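Review bot: kernel_read_vm_overcommit_sysctl(container_t) is placed after the fs_ calls and before auth_use_nsswitch; by the usual refpolicy ordering, kernel_ calls come before the other kernel-layer modules, so this line belongs above the fs_ block rather than between fs_ and auth_.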


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2022-04-09 19:28 Jason Zaman
From: Jason Zaman @ 2022-04-09 19:28 UTC
  To: gentoo-commits

commit:     2c2c9b394efb09bf61c6bd82d470d76d3e8d30b4
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Fri Mar 11 05:07:56 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Apr  9 19:28:30 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2c2c9b39

container, podman: allow podman to create and write config files

Podman 4.0 now creates the CNI network config files if they do not
exist.

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/container.if | 38 ++++++++++++++++++++++++++++++++++++
 policy/modules/services/podman.te    |  4 ++++
 2 files changed, 42 insertions(+)

diff --git a/policy/modules/services/container.if b/policy/modules/services/container.if
index e9217f63..bf5ecfb5 100644
--- a/policy/modules/services/container.if
+++ b/policy/modules/services/container.if
@@ -738,6 +738,44 @@ interface(`container_mountpoint',`
 	typeattribute $1 container_mountpoint_type;
 ')
 
+########################################
+## <summary>
+##	Allow the specified domain to
+##	create container config files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_create_config_files',`
+	gen_require(`
+		type container_config_t;
+	')
+
+	create_files_pattern($1, container_config_t, container_config_t)
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to
+##	write container config files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_write_config_files',`
+	gen_require(`
+		type container_config_t;
+	')
+
+	write_files_pattern($1, container_config_t, container_config_t)
+')
+
 ########################################
 ## <summary>
 ##	Allow the specified domain to

diff --git a/policy/modules/services/podman.te b/policy/modules/services/podman.te
index dfb8e5da..5df45d32 100644
--- a/policy/modules/services/podman.te
+++ b/policy/modules/services/podman.te
@@ -39,6 +39,10 @@ allow podman_t podman_conmon_t:unix_stream_socket { connectto rw_stream_socket_p
 
 container_engine_executable_entrypoint(podman_t)
 
+# podman 4.0.0 now creates OCI networking configs
+container_create_config_files(podman_t)
+container_write_config_files(podman_t)
+
 domtrans_pattern(podman_t, podman_conmon_exec_t, podman_conmon_t)
 
 logging_send_syslog_msg(podman_t)
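Review bot: The comment says `podman 4.0.0 now creates OCI networking configs` while the commit message says CNI network config files; use one term so the two agree. Splitting the access into container_create_config_files and container_write_config_files is fine for what podman needs now, but if setattr or unlink on these files turns out to be needed as well, a single manage interface would be preferable to adding a third.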


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2022-04-09 19:28 Jason Zaman
From: Jason Zaman @ 2022-04-09 19:28 UTC
  To: gentoo-commits

commit:     9db82cfc59aa9ff8c525adf9f378d415177d91eb
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Thu Mar 31 18:18:55 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Apr  9 19:28:30 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9db82cfc

podman: allow system podman to interact with container transient units

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/podman.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/services/podman.te b/policy/modules/services/podman.te
index 5df45d32..316db505 100644
--- a/policy/modules/services/podman.te
+++ b/policy/modules/services/podman.te
@@ -66,6 +66,10 @@ ifdef(`init_systemd',`
 	init_start_system(podman_t)
 	init_stop_system(podman_t)
 
+	# containers get created as systemd transient units
+	init_get_transient_units_status(podman_t)
+	init_start_transient_units(podman_t)
+
 	# podman can read logs from containers which are
 	# sent to the system journal
 	logging_search_logs(podman_t)


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2022-04-09 19:28 Jason Zaman
From: Jason Zaman @ 2022-04-09 19:28 UTC
  To: gentoo-commits

commit:     fdaca38de2e7dfa2356925c3e195891ddbb035ad
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Thu Mar 31 19:16:26 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Apr  9 19:28:30 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=fdaca38d

container: add missing capabilities

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/container.te | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te
index fa4145e3..a243eb4a 100644
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@@ -163,7 +163,7 @@ corenet_port(container_port_t)
 #
 
 allow container_domain self:capability { dac_override kill setgid setuid sys_boot sys_chroot };
-allow container_domain self:cap_userns { chown dac_override fowner setgid setuid };
+allow container_domain self:cap_userns { chown dac_override dac_read_search fowner kill setgid setuid };
 allow container_domain self:process { execstack execmem getattr getsched getsession setsched setcap setpgid signal_perms };
 allow container_domain self:fifo_file manage_fifo_file_perms;
 allow container_domain self:sem create_sem_perms;
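Review bot: dac_read_search and kill are added to cap_userns for every container_domain, and net_bind_service to cap_userns for container_net_domain in the next hunk, but the commit message ("add missing capabilities") does not say which workload hit the denial. These are user-namespace capabilities, so host exposure is limited, but a one-line reason in the message or a comment keeps the capability set auditable.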
@@ -302,7 +302,7 @@ optional_policy(`
 #
 
 allow container_net_domain self:capability { net_admin net_raw };
-allow container_net_domain self:cap_userns { net_admin net_raw };
+allow container_net_domain self:cap_userns { net_admin net_bind_service net_raw };
 allow container_net_domain self:tcp_socket create_stream_socket_perms;
 allow container_net_domain self:udp_socket create_socket_perms;
 allow container_net_domain self:tun_socket create_socket_perms;


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2022-09-03 19:10 Jason Zaman
From: Jason Zaman @ 2022-09-03 19:10 UTC
  To: gentoo-commits

commit:     31f53036b53e062550260d6da598fe58ca5dd63c
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Sat Apr 30 01:38:53 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Sep  3 18:41:55 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=31f53036

container: allow container engines to manage tmp symlinks

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/container.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te
index 36a7163a..166a42ae 100644
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@@ -509,6 +509,8 @@ read_lnk_files_pattern(container_engine_domain, container_config_t, container_co
 allow container_engine_domain container_engine_tmp_t:dir manage_dir_perms;
 allow container_engine_domain container_engine_tmp_t:file manage_file_perms;
 allow container_engine_domain container_engine_tmp_t:fifo_file manage_fifo_file_perms;
+# podman uses temporary symlinks when loading container images
+allow container_engine_domain container_engine_tmp_t:lnk_file manage_lnk_file_perms;
 # needed when manually spawning processes inside containers
 allow container_engine_domain container_engine_tmp_t:sock_file manage_sock_file_perms;
 files_tmp_filetrans(container_engine_domain, container_engine_tmp_t, { dir file sock_file })
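Review bot: the files_tmp_filetrans on the last context line still lists { dir file sock_file }, so a symlink the engine creates directly under /tmp gets the default tmp label and the new lnk_file rule never applies to it. If podman only creates these symlinks inside a directory that is already container_engine_tmp_t the transition is not needed, but if they are created at the top level of /tmp, add lnk_file to that set: files_tmp_filetrans(container_engine_domain, container_engine_tmp_t, { dir file lnk_file sock_file }).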



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2022-09-03 19:10 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2022-09-03 19:10 UTC
  To: gentoo-commits

commit:     b1eeb204c510ac91225cbd0d05c94475017f2779
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Sat Apr 30 01:36:10 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Sep  3 18:41:55 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b1eeb204

container: allow containers to manipulate own fds

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/container.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te
index 3f6e7aea..36a7163a 100644
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@@ -165,6 +165,8 @@ corenet_port(container_port_t)
 allow container_domain self:capability { dac_override kill setgid setuid sys_boot sys_chroot };
 allow container_domain self:cap_userns { chown dac_override dac_read_search fowner kill setgid setuid };
 allow container_domain self:process { execstack execmem getattr getsched getsession setsched setcap setpgid signal_perms };
+allow container_domain self:dir rw_dir_perms;
+allow container_domain self:file create_file_perms;
 allow container_domain self:fifo_file manage_fifo_file_perms;
 allow container_domain self:sem create_sem_perms;
 allow container_domain self:shm create_shm_perms;
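Review bot: the new self:dir and self:file rules carry no comment connecting them to the "own fds" purpose in the commit title. For a process domain these object classes are the domain's own /proc/<pid> entries, so a comment such as "# /proc/self/fd and friends" would make the rule self-explanatory. create_file_perms on self:file is also wider than what a process can do under /proc, where nothing can be created or unlinked; rw_file_perms expresses the actual intent and avoids a reviewer wondering what file a container creates with its own label.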
@@ -192,6 +194,7 @@ can_exec(container_domain, container_file_t)
 
 kernel_getattr_proc(container_domain)
 kernel_list_all_proc(container_domain)
+kernel_associate_proc(container_domain)
 kernel_read_kernel_sysctls(container_domain)
 kernel_rw_net_sysctls(container_domain)
 kernel_read_system_state(container_domain)
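Review bot: kernel_associate_proc(container_domain) grants filesystem associate on proc for the container's own type with no comment on which operation produced the denial. Since it is added in the same change as the self:dir / self:file rules above, note whether it is part of that /proc/self case; an uncommented associate rule tends to survive long after the reason for it is gone.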



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2022-09-03 19:10 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2022-09-03 19:10 UTC
  To: gentoo-commits

commit:     7ac185ee67556768743991f953476fb8c6c80bf2
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Mon May  2 19:37:06 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Sep  3 18:41:55 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7ac185ee

ssh: add tunable to allow sshd to use remote port forwarding

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/ssh.if | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index b9ed26bc..c438985e 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -174,6 +174,14 @@ template(`ssh_server_template', `
 		attribute ssh_server;
 		type sshd_exec_t, sshd_key_t;
 	')
+
+	## <desc>
+	## <p>
+	##	Allow sshd to use remote port forwarding (bind to any TCP port)
+	## </p>
+	## </desc>
+	gen_tunable($1_port_forwarding, false)
+
 	type $1_t, ssh_server;
 	auth_login_pgm_domain($1_t)
 
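Review bot: the tunable name $1_port_forwarding does not match its description, which is about remote port forwarding only. Local forwarding (ssh -L) makes the client bind and sshd connect out, so it needs no bind permission on the server; only remote forwarding (ssh -R) makes sshd bind. Either name it $1_remote_port_forwarding or keep the name and state in the <desc> that local forwarding is unaffected. The description should also warn that enabling it lets sshd bind any TCP port, including ports labelled for other confined services, because that is the security trade-off the administrator is accepting.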
@@ -265,6 +273,10 @@ template(`ssh_server_template', `
 		fs_read_cifs_files($1_t)
 	')
 
+	tunable_policy(`$1_port_forwarding',`
+		corenet_tcp_bind_all_ports($1_t)
+	')
+
 	optional_policy(`
 		kerberos_use($1_t)
 		kerberos_manage_host_rcache($1_t)
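Review bot: corenet_tcp_bind_all_ports($1_t) grants name_bind on every port type, reserved ports included. By default sshd only honours remote forwards to privileged ports for root logins, so corenet_tcp_bind_all_unreserved_ports($1_t) covers the common case with a much smaller grant; if binding reserved ports is intended, the tunable description should say so explicitly rather than leaving it implied by the interface name.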



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2022-09-03 19:10 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2022-09-03 19:10 UTC
  To: gentoo-commits

commit:     cd84d1468359c3bbf0c2c482a1474a9ebd18e3b3
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Sat Apr  2 19:55:24 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Sep  3 18:41:55 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=cd84d146

container, podman: allow podman to restart container units

podman auto-update will automatically start the container unit when it
is updated.

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/container.if | 20 ++++++++++++++++++++
 policy/modules/services/podman.te    |  4 ++++
 2 files changed, 24 insertions(+)

diff --git a/policy/modules/services/container.if b/policy/modules/services/container.if
index 541eb8a5..07ef8873 100644
--- a/policy/modules/services/container.if
+++ b/policy/modules/services/container.if
@@ -1382,6 +1382,26 @@ interface(`container_unlabeled_var_lib_filetrans',`
 	kernel_unlabeled_filetrans($1, container_var_lib_t, $2, $3)
 ')
 
+########################################
+## <summary>
+##	Allow the specified domain to start
+##	systemd units for containers.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_start_units',`
+	gen_require(`
+		type container_unit_t;
+		class service start;
+	')
+
+	allow $1 container_unit_t:service start;
+')
+
 ########################################
 ## <summary>
 ##	All of the rules required to
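Review bot: the commit message talks about restarting the unit while the interface grants only "class service start" and its summary says "start". That is in fact sufficient, because systemd maps restart and try-restart jobs to the start access vector when it calls the SELinux check, but nothing in the summary says so; a sentence like "start (also covers restart, which systemd checks as start)" would stop the next contributor from adding stop to this interface to "fix" auto-update.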

diff --git a/policy/modules/services/podman.te b/policy/modules/services/podman.te
index 3169c0da..12c67145 100644
--- a/policy/modules/services/podman.te
+++ b/policy/modules/services/podman.te
@@ -77,6 +77,10 @@ ifdef(`init_systemd',`
 	systemd_list_journal_dirs(podman_t)
 	systemd_read_journal_files(podman_t)
 	systemd_watch_journal_dirs(podman_t)
+
+	# podman auto-update will restart the unit for
+	# the container when it is updated
+	container_start_units(podman_t)
 ')
 
 ########################################



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2022-09-03 19:10 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2022-09-03 19:10 UTC
  To: gentoo-commits

commit:     25276f575f723fb140c1bd889771da4b7f529f09
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Sat Apr  2 19:45:37 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Sep  3 18:41:55 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=25276f57

container: add separate type for container engine units

and add a filecon for container units themselves.

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/container.fc | 5 +++--
 policy/modules/services/container.te | 3 +++
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/policy/modules/services/container.fc b/policy/modules/services/container.fc
index 63f1537d..540df680 100644
--- a/policy/modules/services/container.fc
+++ b/policy/modules/services/container.fc
@@ -21,8 +21,9 @@ HOME_DIR/\.local/share/docker/volumes(/.*)?		gen_context(system_u:object_r:conta
 /usr/bin/crun	--	gen_context(system_u:object_r:container_engine_exec_t,s0)
 /usr/bin/runc	--	gen_context(system_u:object_r:container_engine_exec_t,s0)
 
-/usr/lib/systemd/system/docker.*	--	gen_context(system_u:object_r:container_unit_t,s0)
-/usr/lib/systemd/system/containerd.*	--	gen_context(system_u:object_r:container_unit_t,s0)
+/usr/lib/systemd/system/docker.*	--	gen_context(system_u:object_r:container_engine_unit_t,s0)
+/usr/lib/systemd/system/containerd.*	--	gen_context(system_u:object_r:container_engine_unit_t,s0)
+/usr/lib/systemd/system/container-.*	--	gen_context(system_u:object_r:container_unit_t,s0)
 
 /usr/sbin/runc	--	gen_context(system_u:object_r:container_engine_exec_t,s0)
 
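Review bot: the new pattern /usr/lib/systemd/system/container-.* also matches container-getty@.service, which systemd itself installs in that directory for nspawn consoles, so that unit would be relabelled container_unit_t although it is not a podman-generated container unit. Tighten the regex to the naming scheme the engine actually generates, or add a comment acknowledging the overlap if it is considered harmless.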

diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te
index 166a42ae..09fa6635 100644
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@@ -97,6 +97,9 @@ role system_r types spc_t;
 type spc_user_t, container_domain, container_net_domain, container_user_domain, privileged_container_domain;
 domain_type(spc_user_t)
 
+type container_engine_unit_t;
+init_unit_file(container_engine_unit_t)
+
 type container_unit_t;
 init_unit_file(container_unit_t)
 



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2022-09-03 19:10 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2022-09-03 19:10 UTC
  To: gentoo-commits

commit:     04b08d98853038ae67ee57607755fb8ac1b7f7a0
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Wed Apr 27 22:47:57 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Sep  3 18:41:55 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=04b08d98

container: add unconfined role

Add a specific template for unconfined role access. This is mostly
identical to the user role except container engines will run in the
caller domain.

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/container.if | 217 +++++++++++++++++++++++++++--------
 1 file changed, 171 insertions(+), 46 deletions(-)

diff --git a/policy/modules/services/container.if b/policy/modules/services/container.if
index 07ef8873..bc4a12f4 100644
--- a/policy/modules/services/container.if
+++ b/policy/modules/services/container.if
@@ -130,7 +130,6 @@ interface(`container_user_engine',`
 #
 template(`container_base_role',`
 	gen_require(`
-		type container_file_t, container_ro_file_t;
 		type container_config_t;
 	')
 
@@ -143,19 +142,8 @@ template(`container_base_role',`
 	files_search_etc($2)
 	read_files_pattern($2, container_config_t, container_config_t)
 
-	allow $2 container_file_t:dir { manage_dir_perms relabel_dir_perms };
-	allow $2 container_file_t:file { manage_file_perms relabel_file_perms };
-	allow $2 container_file_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
-	allow $2 container_file_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
-	allow $2 container_file_t:chr_file { manage_chr_file_perms relabel_chr_file_perms };
-	allow $2 container_file_t:blk_file { manage_blk_file_perms relabel_blk_file_perms };
-
-	allow $2 container_ro_file_t:dir { manage_dir_perms relabel_dir_perms };
-	allow $2 container_ro_file_t:file { manage_file_perms relabel_file_perms };
-	allow $2 container_ro_file_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
-	allow $2 container_ro_file_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
-	allow $2 container_ro_file_t:chr_file { manage_chr_file_perms relabel_chr_file_perms };
-	allow $2 container_ro_file_t:blk_file { manage_blk_file_perms relabel_blk_file_perms };
+	container_admin_all_files($2)
+	container_admin_all_ro_files($2)
 ')
 
 ########################################
@@ -230,10 +218,6 @@ template(`container_user_role',`
 	gen_require(`
 		attribute container_user_domain;
 		attribute container_engine_user_domain;
-		type container_file_t, container_ro_file_t;
-		type container_user_runtime_t;
-		type container_cache_home_t, container_conf_home_t;
-		type container_data_home_t;
 	')
 
 	role $4 types container_user_domain;
@@ -245,34 +229,8 @@ template(`container_user_role',`
 	allow $3 container_user_domain:process { ptrace signal_perms };
 	ps_process_pattern($3, container_user_domain)
 
-	allow $2 container_user_runtime_t:dir { manage_dir_perms relabel_dir_perms };
-	allow $2 container_user_runtime_t:file { manage_file_perms relabel_file_perms };
-	allow $2 container_user_runtime_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
-	allow $2 container_user_runtime_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
-
-	allow $2 container_cache_home_t:dir { manage_dir_perms relabel_dir_perms };
-	allow $2 container_cache_home_t:file { manage_file_perms relabel_file_perms };
-	xdg_cache_filetrans($2, container_cache_home_t, dir, "containers")
-
-	allow $2 container_conf_home_t:dir { manage_dir_perms relabel_dir_perms };
-	allow $2 container_conf_home_t:file { manage_file_perms relabel_file_perms };
-	xdg_config_filetrans($2, container_conf_home_t, dir, "containers")
-
-	allow $2 container_data_home_t:dir { manage_dir_perms relabel_dir_perms };
-	allow $2 container_data_home_t:file { manage_file_perms relabel_file_perms };
-	allow $2 container_data_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
-	allow $2 container_data_home_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
-	allow $2 container_data_home_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
-	allow $2 container_data_home_t:chr_file { manage_chr_file_perms relabel_chr_file_perms };
-	allow $2 container_data_home_t:blk_file { manage_blk_file_perms relabel_blk_file_perms };
-	xdg_data_filetrans($2, container_data_home_t, dir, "containers")
-	filetrans_pattern($2, container_data_home_t, container_ro_file_t, dir, "overlay")
-	filetrans_pattern($2, container_data_home_t, container_ro_file_t, dir, "overlay-images")
-	filetrans_pattern($2, container_data_home_t, container_ro_file_t, dir, "overlay-layers")
-	filetrans_pattern($2, container_data_home_t, container_ro_file_t, dir, "overlay2")
-	filetrans_pattern($2, container_data_home_t, container_ro_file_t, dir, "overlay2-images")
-	filetrans_pattern($2, container_data_home_t, container_ro_file_t, dir, "overlay2-layers")
-	filetrans_pattern($2, container_data_home_t, container_file_t, dir, "volumes")
+	container_admin_all_home_content($2)
+	container_admin_all_user_runtime_content($2)
 
 	optional_policy(`
 		systemd_read_user_manager_state($1, container_engine_user_domain)
@@ -293,6 +251,60 @@ template(`container_user_role',`
 	')
 ')
 
+########################################
+## <summary>
+##	Unconfined role access for containers.
+## </summary>
+## <param name="role_prefix">
+##	<summary>
+##	The prefix of the user role (e.g., user
+##	is the prefix for user_r).
+##	</summary>
+## </param>
+## <param name="user_domain">
+##	<summary>
+##	User domain for the role.
+##	</summary>
+## </param>
+## <param name="user_exec_domain">
+##	<summary>
+##	User exec domain for execute and transition access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+#
+template(`container_unconfined_role',`
+	gen_require(`
+		attribute container_domain;
+		type container_config_t;
+	')
+
+	role $4 types container_domain;
+
+	allow $3 container_domain:process transition;
+	allow $3 container_domain:process2 { nnp_transition nosuid_transition };
+	allow container_domain $3:fd use;
+	allow container_domain $3:unix_stream_socket rw_stream_socket_perms;
+
+	allow $3 self:cap_userns { kill sys_ptrace };
+
+	allow $3 container_domain:process { ptrace signal_perms };
+	ps_process_pattern($3, container_domain)
+
+	files_search_etc($2)
+	read_files_pattern($2, container_config_t, container_config_t)
+
+	container_admin_all_files($2)
+	container_admin_all_ro_files($2)
+
+	container_admin_all_home_content($2)
+	container_admin_all_user_runtime_content($2)
+')
+
 ########################################
 ## <summary>
 ##	Execute generic container engines in the
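Review bot: the role_prefix parameter ($1) is documented but never used in the template body, which only references $2, $3 and $4. container_user_role uses $1 for systemd_read_user_manager_state($1, ...) in its optional_policy block; either add the equivalent block here or drop the parameter description so callers are not led to believe it matters. Also, the files_search_etc / read_files_pattern on container_config_t plus the container_admin_all_files and container_admin_all_ro_files calls duplicate container_base_role line for line; calling container_base_role from this template would keep the two from drifting.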
@@ -1079,6 +1091,119 @@ interface(`container_manage_home_data_sock_files',`
 	manage_sock_files_pattern($1, container_data_home_t, container_data_home_t)
 ')
 
+########################################
+## <summary>
+##	Administrate all container files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_admin_all_files',`
+	gen_require(`
+		type container_file_t;
+	')
+
+	allow $1 container_file_t:dir { manage_dir_perms relabel_dir_perms };
+	allow $1 container_file_t:file { manage_file_perms relabel_file_perms };
+	allow $1 container_file_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+	allow $1 container_file_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+	allow $1 container_file_t:chr_file { manage_chr_file_perms relabel_chr_file_perms };
+	allow $1 container_file_t:blk_file { manage_blk_file_perms relabel_blk_file_perms };
+')
+
+########################################
+## <summary>
+##	Administrate all container read-only files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_admin_all_ro_files',`
+	gen_require(`
+		type container_ro_file_t;
+	')
+
+	allow $1 container_ro_file_t:dir { manage_dir_perms relabel_dir_perms };
+	allow $1 container_ro_file_t:file { manage_file_perms relabel_file_perms };
+	allow $1 container_ro_file_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+	allow $1 container_ro_file_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+	allow $1 container_ro_file_t:chr_file { manage_chr_file_perms relabel_chr_file_perms };
+	allow $1 container_ro_file_t:blk_file { manage_blk_file_perms relabel_blk_file_perms };
+')
+
+########################################
+## <summary>
+##	All of the rules necessary for a user
+##	to manage user container runtime data
+##	in their user runtime directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_admin_all_user_runtime_content',`
+	gen_require(`
+		type container_user_runtime_t;
+	')
+
+	allow $1 container_user_runtime_t:dir { manage_dir_perms relabel_dir_perms };
+	allow $1 container_user_runtime_t:file { manage_file_perms relabel_file_perms };
+	allow $1 container_user_runtime_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
+	allow $1 container_user_runtime_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+')
+
+########################################
+## <summary>
+##	All of the rules necessary for a user
+##	to manage container data in their home
+##	directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_admin_all_home_content',`
+	gen_require(`
+		type container_file_t, container_ro_file_t;
+		type container_cache_home_t, container_conf_home_t;
+		type container_data_home_t;
+	')
+
+	allow $1 container_cache_home_t:dir { manage_dir_perms relabel_dir_perms };
+	allow $1 container_cache_home_t:file { manage_file_perms relabel_file_perms };
+	xdg_cache_filetrans($1, container_cache_home_t, dir, "containers")
+
+	allow $1 container_conf_home_t:dir { manage_dir_perms relabel_dir_perms };
+	allow $1 container_conf_home_t:file { manage_file_perms relabel_file_perms };
+	xdg_config_filetrans($1, container_conf_home_t, dir, "containers")
+
+	allow $1 container_data_home_t:dir { manage_dir_perms relabel_dir_perms };
+	allow $1 container_data_home_t:file { manage_file_perms relabel_file_perms };
+	allow $1 container_data_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+	allow $1 container_data_home_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
+	allow $1 container_data_home_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+	allow $1 container_data_home_t:chr_file { manage_chr_file_perms relabel_chr_file_perms };
+	allow $1 container_data_home_t:blk_file { manage_blk_file_perms relabel_blk_file_perms };
+	xdg_data_filetrans($1, container_data_home_t, dir, "containers")
+	filetrans_pattern($1, container_data_home_t, container_ro_file_t, dir, "overlay")
+	filetrans_pattern($1, container_data_home_t, container_ro_file_t, dir, "overlay-images")
+	filetrans_pattern($1, container_data_home_t, container_ro_file_t, dir, "overlay-layers")
+	filetrans_pattern($1, container_data_home_t, container_ro_file_t, dir, "overlay2")
+	filetrans_pattern($1, container_data_home_t, container_ro_file_t, dir, "overlay2-images")
+	filetrans_pattern($1, container_data_home_t, container_ro_file_t, dir, "overlay2-layers")
+	filetrans_pattern($1, container_data_home_t, container_file_t, dir, "volumes")
+')
+
 ########################################
 ## <summary>
 ##	Allow the specified domain to
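Review bot: naming is inconsistent across the four new interfaces. All of them grant relabel permissions (which is what justifies "admin" in container_admin_all_files and container_admin_all_ro_files), yet the summaries of container_admin_all_user_runtime_content and container_admin_all_home_content describe rules "for a user to manage" content. Pick one convention: either call the latter two manage_* and drop the relabel perms, or keep admin_* and word the summaries to say they include relabelling.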



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2022-09-03 19:10 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2022-09-03 19:10 UTC
  To: gentoo-commits

commit:     71ed39d2252dac86660e9e67c0cee49af7acf983
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Sat Apr  2 20:00:22 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Sep  3 18:41:55 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=71ed39d2

spamassassin: add file context for rspamd log directory

rspamd's default log location is /var/log/rspamd.

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/spamassassin.fc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/services/spamassassin.fc b/policy/modules/services/spamassassin.fc
index 9229ad2f..67052143 100644
--- a/policy/modules/services/spamassassin.fc
+++ b/policy/modules/services/spamassassin.fc
@@ -37,6 +37,7 @@ HOME_DIR/\.spamd(/.*)?			gen_context(system_u:object_r:spamd_home_t,s0)
 /var/lib/rspamd/rspamd\.sock	-s gen_context(system_u:object_r:spamd_runtime_t,s0)
 
 /var/log/spamd\.log.*		--	gen_context(system_u:object_r:spamd_log_t,s0)
+/var/log/rspamd(/.*)?		gen_context(system_u:object_r:spamd_log_t,s0)
 /var/log/rspamd\.log.*		--	gen_context(system_u:object_r:spamd_log_t,s0)
 /var/log/mimedefang.*		--	gen_context(system_u:object_r:spamd_log_t,s0)
 
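Review bot: a file context entry only takes effect on relabel. If rspamd creates /var/log/rspamd itself at start-up, the directory will inherit the generic log label and the new line changes nothing until restorecon runs; that needs a matching logging_log_filetrans(<rspamd domain>, spamd_log_t, dir, "rspamd") in spamassassin.te (spamd_t, going by the spamd_runtime_t socket entry above). If packaging always creates the directory, a comment saying so would explain why no transition is needed.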



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2022-09-03 19:10 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2022-09-03 19:10 UTC
  To: gentoo-commits

commit:     b8f614bfbcc1fe34a9664de1b1937a6e6cfbcf40
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Mon May 16 13:56:29 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Sep  3 18:41:55 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b8f614bf

podman: add interface to rangetrans when executing conmon

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/podman.if | 29 +++++++++++++++++++++++++++++
 policy/modules/services/podman.te | 20 ++++----------------
 2 files changed, 33 insertions(+), 16 deletions(-)

diff --git a/policy/modules/services/podman.if b/policy/modules/services/podman.if
index 7523e33d..626af3af 100644
--- a/policy/modules/services/podman.if
+++ b/policy/modules/services/podman.if
@@ -188,6 +188,35 @@ interface(`podman_run_conmon_user',`
 	podman_domtrans_conmon_user($1)
 ')
 
+########################################
+## <summary>
+##	Make the specified domain perform a
+##	range transition when executing conmon.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to transition ranges.
+##	</summary>
+## </param>
+## <param name="range">
+##	<summary>
+##	MLS range to transition to.
+##	</summary>
+## </param>
+#
+interface(`podman_spec_rangetrans_conmon',`
+	gen_require(`
+		type podman_conmon_exec_t;
+	')
+
+	ifdef(`enable_mcs',`
+		range_transition $1 podman_conmon_exec_t:process $2;
+	')
+	ifdef(`enable_mls',`
+		range_transition $1 podman_conmon_exec_t:process $2;
+	')
+')
+
 ########################################
 ## <summary>
 ##	Read and write conmon unnamed pipes.

diff --git a/policy/modules/services/podman.te b/policy/modules/services/podman.te
index 12c67145..bb0f67bd 100644
--- a/policy/modules/services/podman.te
+++ b/policy/modules/services/podman.te
@@ -61,6 +61,8 @@ container_manage_home_config(podman_t)
 
 container_manage_sock_files(podman_t)
 
+podman_spec_rangetrans_conmon(podman_t, s0)
+
 ifdef(`init_systemd',`
 	init_dbus_chat(podman_t)
 	init_setsched(podman_t)
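Review bot: the rationale that the removed block carried, "Ensure conmon runs in s0 so that it can talk to the container", is not preserved at this call site, at the podman_user_t call below, or in the summary of the new podman_spec_rangetrans_conmon interface. Put it in the interface summary (the one place both callers share) so the reason for forcing s0 does not get lost, and consider whether hard-coding s0 in the caller is what every MLS deployment wants.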
@@ -129,6 +131,8 @@ storage_rw_fuse(podman_user_t)
 userdom_relabel_generic_user_home_dirs(podman_user_t)
 userdom_relabel_generic_user_home_files(podman_user_t)
 
+podman_spec_rangetrans_conmon(podman_user_t, s0)
+
 ifdef(`init_systemd',`
 	# podman queries the cgroup manager (systemd) over the session bus socket
 	dbus_getattr_session_runtime_socket(podman_user_t)
@@ -208,14 +212,6 @@ container_engine_tmp_filetrans(podman_conmon_t, { file sock_file })
 container_manage_engine_tmp_files(podman_conmon_t)
 container_manage_engine_tmp_sock_files(podman_conmon_t)
 
-# Ensure conmon runs in s0 so that it can talk to the container
-ifdef(`enable_mcs',`
-	range_transition podman_t podman_conmon_exec_t:process s0;
-')
-ifdef(`enable_mls',`
-	range_transition podman_t podman_conmon_exec_t:process s0;
-')
-
 ifdef(`init_systemd',`
 	init_get_transient_units_status(podman_conmon_t)
 	init_start_transient_units(podman_conmon_t)
@@ -287,14 +283,6 @@ container_engine_tmp_filetrans(podman_conmon_user_t, { file sock_file })
 container_manage_engine_tmp_files(podman_conmon_user_t)
 container_manage_engine_tmp_sock_files(podman_conmon_user_t)
 
-# Ensure conmon runs in s0 so that it can talk to the container
-ifdef(`enable_mcs',`
-	range_transition podman_user_t podman_conmon_exec_t:process s0;
-')
-ifdef(`enable_mls',`
-	range_transition podman_user_t podman_conmon_exec_t:process s0;
-')
-
 ifdef(`init_systemd',`
 	# conmon can read logs from containers which are
 	# sent to the system journal



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2022-09-03 19:10 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2022-09-03 19:10 UTC
  To: gentoo-commits

commit:     303b29dde89cf3974eb2efd6927b7664df3e20e6
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Tue May 17 17:47:20 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Sep  3 18:41:55 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=303b29dd

certbot: various fixes

Allow acme-sh to send syslog msgs and dontaudit reading /proc.

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/certbot.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/policy/modules/services/certbot.te b/policy/modules/services/certbot.te
index ac609795..9723f788 100644
--- a/policy/modules/services/certbot.te
+++ b/policy/modules/services/certbot.te
@@ -69,6 +69,7 @@ allow certbot_t certbot_log_t:file manage_file_perms;
 manage_files_pattern(certbot_t, certbot_runtime_t, certbot_runtime_t)
 files_runtime_filetrans(certbot_t, certbot_runtime_t, file)
 
+kernel_dontaudit_read_system_state(certbot_t)
 kernel_search_fs_sysctls(certbot_t)
 
 corecmd_list_bin(certbot_t)
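Review bot: the commit message says the /proc dontaudit is for acme-sh, but kernel_dontaudit_read_system_state(certbot_t) is placed unconditionally here while the syslog rule for the same reason went inside the certbot_acmesh tunable block. dontaudit rules are allowed in tunable_policy, so either move this one into that block too or note that certbot proper also reads /proc; otherwise a future certbot denial on system state will be hidden for everyone.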
@@ -108,6 +109,8 @@ userdom_use_user_ptys(certbot_t)
 tunable_policy(`certbot_acmesh',`
 	corecmd_exec_bin(certbot_t)
 	corecmd_exec_shell(certbot_t)
+
+	logging_send_syslog_msg(certbot_t)
 ')
 
 optional_policy(`



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2022-09-03 19:10 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2022-09-03 19:10 UTC
  To: gentoo-commits

commit:     2765267d6d80ad23b388bd85d7c42c3e79b77864
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Fri May 20 14:58:25 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Sep  3 18:41:55 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2765267d

container: rework combined role interfaces

Rename and rework slightly some of the newly added interfaces. Namely,
make the "admin" interfaces use admin_pattern().

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/container.if | 29 ++++++++++-------------------
 1 file changed, 10 insertions(+), 19 deletions(-)

diff --git a/policy/modules/services/container.if b/policy/modules/services/container.if
index bc4a12f4..16b14602 100644
--- a/policy/modules/services/container.if
+++ b/policy/modules/services/container.if
@@ -229,8 +229,8 @@ template(`container_user_role',`
 	allow $3 container_user_domain:process { ptrace signal_perms };
 	ps_process_pattern($3, container_user_domain)
 
-	container_admin_all_home_content($2)
 	container_admin_all_user_runtime_content($2)
+	container_manage_all_home_content($2)
 
 	optional_policy(`
 		systemd_read_user_manager_state($1, container_engine_user_domain)
@@ -301,8 +301,8 @@ template(`container_unconfined_role',`
 	container_admin_all_files($2)
 	container_admin_all_ro_files($2)
 
-	container_admin_all_home_content($2)
 	container_admin_all_user_runtime_content($2)
+	container_manage_all_home_content($2)
 ')
 
 ########################################
@@ -1106,12 +1106,9 @@ interface(`container_admin_all_files',`
 		type container_file_t;
 	')
 
-	allow $1 container_file_t:dir { manage_dir_perms relabel_dir_perms };
-	allow $1 container_file_t:file { manage_file_perms relabel_file_perms };
-	allow $1 container_file_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
-	allow $1 container_file_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
-	allow $1 container_file_t:chr_file { manage_chr_file_perms relabel_chr_file_perms };
-	allow $1 container_file_t:blk_file { manage_blk_file_perms relabel_blk_file_perms };
+	admin_pattern($1, container_file_t, container_file_t)
+	allow $1 container_file_t:chr_file manage_chr_file_perms;
+	allow $1 container_file_t:blk_file manage_blk_file_perms;
 ')
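Review bot: this is a silent narrowing, not just a rework. The removed lines granted { manage_chr_file_perms relabel_chr_file_perms } and { manage_blk_file_perms relabel_blk_file_perms }; the replacement keeps only the manage perms, and admin_pattern does not cover chr_file or blk_file, so relabelling device nodes under container_file_t is no longer allowed. Either restore the relabel sets on the two device-node lines or mention the drop in the commit message. The same applies to the container_ro_file_t hunk below.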
 
 ########################################
@@ -1129,12 +1126,9 @@ interface(`container_admin_all_ro_files',`
 		type container_ro_file_t;
 	')
 
-	allow $1 container_ro_file_t:dir { manage_dir_perms relabel_dir_perms };
-	allow $1 container_ro_file_t:file { manage_file_perms relabel_file_perms };
-	allow $1 container_ro_file_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
-	allow $1 container_ro_file_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
-	allow $1 container_ro_file_t:chr_file { manage_chr_file_perms relabel_chr_file_perms };
-	allow $1 container_ro_file_t:blk_file { manage_blk_file_perms relabel_blk_file_perms };
+	admin_pattern($1, container_ro_file_t, container_ro_file_t)
+	allow $1 container_ro_file_t:chr_file manage_chr_file_perms;
+	allow $1 container_ro_file_t:blk_file manage_blk_file_perms;
 ')
 
 ########################################
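Review bot: same issue as the container_file_t hunk above: `relabel_chr_file_perms` and `relabel_blk_file_perms` on container_ro_file_t disappear, and fifo_file manage/relabel is added, without a mention in the commit message. Either restore the two relabel lines or state that the narrowing is deliberate.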
@@ -1154,10 +1148,7 @@ interface(`container_admin_all_user_runtime_content',`
 		type container_user_runtime_t;
 	')
 
-	allow $1 container_user_runtime_t:dir { manage_dir_perms relabel_dir_perms };
-	allow $1 container_user_runtime_t:file { manage_file_perms relabel_file_perms };
-	allow $1 container_user_runtime_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
-	allow $1 container_user_runtime_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
+	admin_pattern($1, container_user_runtime_t, container_user_runtime_t)
 ')
 
 ########################################
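Review bot: `admin_pattern` grants manage and relabel on lnk_file for container_user_runtime_t, which the four removed lines did not. The widening is small and probably harmless for a user runtime directory, but it is a permission change hidden inside a refactor and deserves one line in the commit message.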
@@ -1172,7 +1163,7 @@ interface(`container_admin_all_user_runtime_content',`
 ##	</summary>
 ## </param>
 #
-interface(`container_admin_all_home_content',`
+interface(`container_manage_all_home_content',`
 	gen_require(`
 		type container_file_t, container_ro_file_t;
 		type container_cache_home_t, container_conf_home_t;
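Review bot: the interface is renamed from `container_admin_all_home_content` to `container_manage_all_home_content` with no compatibility shim, so any out-of-tree policy calling the old name fails to build. The usual refpolicy approach is to keep the old name as a deprecated interface that emits `refpolicywarn` and calls the new one, and to remove it a release later. The in-tree callers in the two template hunks above are updated, so only external callers are affected.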


^ permalink raw reply related	[flat|nested] 299+ messages in thread

* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2022-09-03 19:10 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2022-09-03 19:10 UTC (permalink / raw
  To: gentoo-commits

commit:     ba5303bd6e351b8808575be29f2482c4d291236e
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Fri May 20 15:01:36 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Sep  3 18:41:55 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ba5303bd

podman: typealias podman_user_conmon_t to podman_conmon_user_t

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/podman.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/services/podman.te b/policy/modules/services/podman.te
index aef0fac9..e4393643 100644
--- a/policy/modules/services/podman.te
+++ b/policy/modules/services/podman.te
@@ -28,6 +28,7 @@ podman_conmon_domain_template(podman, podman_t)
 role system_r types podman_conmon_t;
 
 podman_conmon_domain_template(podman_user, podman_user_t)
+typealias podman_user_conmon_t alias podman_conmon_user_t;
 userdom_user_application_domain(podman_user_conmon_t, conmon_exec_t)
 
 ########################################
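Review bot: the new `typealias` line carries no comment saying why it exists. Since the podman.if interfaces already use `podman_user_conmon_t`, this alias only serves policy or file contexts that still reference the pre-rename name `podman_conmon_user_t`; a short comment marking it as a compatibility alias makes it clear when it can be retired.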




* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2022-09-03 19:10 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2022-09-03 19:10 UTC (permalink / raw
  To: gentoo-commits

commit:     2f03c3cca1ba622b2378892fadbce31ea5cfb317
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Mon May 16 15:28:49 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Sep  3 18:41:55 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2f03c3cc

podman: rework conmon rules

Use a template to generate conmon domains and add a common attribute for
them. This is so that domains who use conmon can execute it and have
conmon transition back to the original domain instead of to the generic
podman domain. This is used by CRI-O, for example.

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/podman.fc |   2 +-
 policy/modules/services/podman.if |  96 +++++++++++++++-------
 policy/modules/services/podman.te | 166 +++++++++++++-------------------------
 3 files changed, 128 insertions(+), 136 deletions(-)

diff --git a/policy/modules/services/podman.fc b/policy/modules/services/podman.fc
index ece2d0dc..31c45273 100644
--- a/policy/modules/services/podman.fc
+++ b/policy/modules/services/podman.fc
@@ -1,2 +1,2 @@
 /usr/bin/podman	--	gen_context(system_u:object_r:podman_exec_t,s0)
-/usr/bin/conmon	--	gen_context(system_u:object_r:podman_conmon_exec_t,s0)
+/usr/bin/conmon	--	gen_context(system_u:object_r:conmon_exec_t,s0)
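Review bot: the executable type is renamed from `podman_conmon_exec_t` to `conmon_exec_t` without a `typealias`, so on an installed system /usr/bin/conmon keeps a label whose type no longer exists in the loaded policy until a relabel is run, and any local policy referencing the old name stops building. Adding `typealias conmon_exec_t alias podman_conmon_exec_t;` next to the type declaration in podman.te keeps the old label and name valid across the upgrade.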

diff --git a/policy/modules/services/podman.if b/policy/modules/services/podman.if
index 626af3af..09b4f031 100644
--- a/policy/modules/services/podman.if
+++ b/policy/modules/services/podman.if
@@ -1,5 +1,47 @@
 ## <summary>Policy for podman</summary>
 
+########################################
+## <summary>
+##	Template for conmon domains.
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	Prefix for generated types.
+##	</summary>
+## </param>
+## <param name="source_domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+template(`podman_conmon_domain_template',`
+	gen_require(`
+		attribute conmon_domain;
+		type conmon_exec_t;
+	')
+
+	type $1_conmon_t, conmon_domain;
+	application_domain($1_conmon_t, conmon_exec_t)
+
+	domtrans_pattern($2, conmon_exec_t, $1_conmon_t)
+
+	allow $2 $1_conmon_t:process signull;
+	allow $2 $1_conmon_t:fifo_file setattr;
+	allow $2 $1_conmon_t:unix_stream_socket { connectto rw_stream_socket_perms };
+
+	allow $1_conmon_t $2:tcp_socket rw_stream_socket_perms;
+	allow $1_conmon_t $2:unix_stream_socket rw_stream_socket_perms;
+	allow $1_conmon_t $2:unix_dgram_socket rw_socket_perms;
+	ps_process_pattern($1_conmon_t, $2)
+
+	corecmd_search_bin($1_conmon_t)
+	# conmon will execute crun/runc to create the container,
+	# so transition back to the source domain when creating it
+	container_generic_engine_domtrans($1_conmon_t, $2)
+	container_engine_executable_entrypoint($2)
+')
+
 ########################################
 ## <summary>
 ##	Execute podman in the podman domain.
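Review bot: the documentation for `source_domain` ("Domain allowed to transition") understates what the template does to `$2`. Besides the forward `domtrans_pattern`, the template lets the generated conmon domain transition back into `$2` via `container_generic_engine_domtrans`, marks `$2` as an engine entrypoint with `container_engine_executable_entrypoint($2)`, and grants the conmon domain read/write on `$2`'s tcp, unix stream and dgram sockets. The template also declares no `role` for `$1_conmon_t`, so each caller must add one (as podman.te does with `role system_r types podman_conmon_t;`). Both points belong in the `<summary>` block so callers such as CRI-O know what they are opting into.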
@@ -96,7 +138,7 @@ interface(`podman_run_user',`
 
 ########################################
 ## <summary>
-##	Execute conmon in the conmon domain.
+##	Execute conmon in the podman conmon domain.
 ## </summary>
 ## <param name="domain">
 ## 	<summary>
@@ -106,18 +148,18 @@ interface(`podman_run_user',`
 #
 interface(`podman_domtrans_conmon',`
 	gen_require(`
-		type podman_conmon_t, podman_conmon_exec_t;
+		type podman_conmon_t, conmon_exec_t;
 	')
 
 	corecmd_search_bin($1)
-	domtrans_pattern($1, podman_conmon_exec_t, podman_conmon_t)
+	domtrans_pattern($1, conmon_exec_t, podman_conmon_t)
 ')
 
 ########################################
 ## <summary>
-##	Execute conmon in the conmon domain,
-##	and allow the specified role the
-##	conmon domain.
+##	Execute conmon in the podman conmon
+##	domain, and allow the specified role
+##	the podman conmon domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -142,8 +184,8 @@ interface(`podman_run_conmon',`
 
 ########################################
 ## <summary>
-##	Execute conmon in the conmon user
-##	domain (rootless podman).
+##	Execute conmon in the podman conmon
+##	user domain (rootless podman).
 ## </summary>
 ## <param name="domain">
 ## 	<summary>
@@ -153,19 +195,19 @@ interface(`podman_run_conmon',`
 #
 interface(`podman_domtrans_conmon_user',`
 	gen_require(`
-		type podman_conmon_user_t, podman_conmon_exec_t;
+		type podman_user_conmon_t, conmon_exec_t;
 	')
 
 	corecmd_search_bin($1)
-	domtrans_pattern($1, podman_conmon_exec_t, podman_conmon_user_t)
+	domtrans_pattern($1, conmon_exec_t, podman_user_conmon_t)
 ')
 
 ########################################
 ## <summary>
-##	Execute conmon in the conmon user
-##	domain, and allow the specified role
-##	the conmon user domain (rootless
-##	podman).
+##	Execute conmon in the podman conmon
+##	user domain, and allow the specified
+##	role the podman conmon user domain
+##	(rootless podman).
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -180,10 +222,10 @@ interface(`podman_domtrans_conmon_user',`
 #
 interface(`podman_run_conmon_user',`
 	gen_require(`
-		type podman_conmon_user_t;
+		type podman_user_conmon_t;
 	')
 
-	role $2 types podman_conmon_user_t;
+	role $2 types podman_user_conmon_t;
 
 	podman_domtrans_conmon_user($1)
 ')
@@ -206,20 +248,20 @@ interface(`podman_run_conmon_user',`
 #
 interface(`podman_spec_rangetrans_conmon',`
 	gen_require(`
-		type podman_conmon_exec_t;
+		type conmon_exec_t;
 	')
 
 	ifdef(`enable_mcs',`
-		range_transition $1 podman_conmon_exec_t:process $2;
+		range_transition $1 conmon_exec_t:process $2;
 	')
 	ifdef(`enable_mls',`
-		range_transition $1 podman_conmon_exec_t:process $2;
+		range_transition $1 conmon_exec_t:process $2;
 	')
 ')
 
 ########################################
 ## <summary>
-##	Read and write conmon unnamed pipes.
+##	Read and write podman conmon unnamed pipes.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -230,17 +272,17 @@ interface(`podman_spec_rangetrans_conmon',`
 interface(`podman_rw_conmon_pipes',`
 	gen_require(`
 		type podman_conmon_t;
-		type podman_conmon_user_t;
+		type podman_user_conmon_t;
 	')
 
 	allow $1 podman_conmon_t:fifo_file rw_fifo_file_perms;
-	allow $1 podman_conmon_user_t:fifo_file rw_fifo_file_perms;
+	allow $1 podman_user_conmon_t:fifo_file rw_fifo_file_perms;
 ')
 
 ########################################
 ## <summary>
 ##	Allow the specified domain to inherit
-##	file descriptors from conmon.
+##	file descriptors from podman conmon.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -251,11 +293,11 @@ interface(`podman_rw_conmon_pipes',`
 interface(`podman_use_conmon_fds',`
 	gen_require(`
 		type podman_conmon_t;
-		type podman_conmon_user_t;
+		type podman_user_conmon_t;
 	')
 
 	allow $1 podman_conmon_t:fd use;
-	allow $1 podman_conmon_user_t:fd use;
+	allow $1 podman_user_conmon_t:fd use;
 ')
 
 ########################################
@@ -288,7 +330,7 @@ interface(`podman_use_conmon_fds',`
 template(`podman_user_role',`
 	gen_require(`
 		type podman_user_t;
-		type podman_conmon_user_t;
+		type podman_user_conmon_t;
 	')
 
 	podman_run_user($3, $4)
@@ -300,7 +342,7 @@ template(`podman_user_role',`
 
 	optional_policy(`
 		systemd_user_app_status($1, podman_user_t)
-		systemd_user_app_status($1, podman_conmon_user_t)
+		systemd_user_app_status($1, podman_user_conmon_t)
 	')
 ')
 

diff --git a/policy/modules/services/podman.te b/policy/modules/services/podman.te
index bb0f67bd..aef0fac9 100644
--- a/policy/modules/services/podman.te
+++ b/policy/modules/services/podman.te
@@ -21,31 +21,26 @@ container_user_engine(podman_user_t)
 userdom_user_application_domain(podman_user_t, podman_exec_t)
 mls_trusted_object(podman_user_t)
 
-type podman_conmon_t;
-type podman_conmon_exec_t;
-application_domain(podman_conmon_t, podman_conmon_exec_t)
+attribute conmon_domain;
+type conmon_exec_t;
+
+podman_conmon_domain_template(podman, podman_t)
 role system_r types podman_conmon_t;
 
-type podman_conmon_user_t;
-userdom_user_application_domain(podman_conmon_user_t, podman_conmon_exec_t)
+podman_conmon_domain_template(podman_user, podman_user_t)
+userdom_user_application_domain(podman_user_conmon_t, conmon_exec_t)
 
 ########################################
 #
 # Podman local policy
 #
 
-allow podman_t podman_conmon_t:process { setsched signull };
-allow podman_t podman_conmon_t:fifo_file setattr;
-allow podman_t podman_conmon_t:unix_stream_socket { connectto rw_stream_socket_perms };
-
-container_engine_executable_entrypoint(podman_t)
+allow podman_t podman_conmon_t:process setsched;
 
 # podman 4.0.0 now creates OCI networking configs
 container_create_config_files(podman_t)
 container_write_config_files(podman_t)
 
-domtrans_pattern(podman_t, podman_conmon_exec_t, podman_conmon_t)
-
 logging_send_syslog_msg(podman_t)
 
 userdom_list_user_home_content(podman_t)
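Review bot: `application_domain` is applied twice to podman_user_conmon_t in this hunk: once inside `podman_conmon_domain_template` (`application_domain($1_conmon_t, conmon_exec_t)`) and again through `userdom_user_application_domain(podman_user_conmon_t, conmon_exec_t)`, which itself calls `application_domain` with the same arguments. The duplicate rules are harmless, but a comment on the `userdom_user_application_domain` line (or a type-only variant that adds just the user application attribute) would make the intent clear to the next reader.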
@@ -90,14 +85,6 @@ ifdef(`init_systemd',`
 # Rootless Podman local policy
 #
 
-allow podman_user_t podman_conmon_user_t:process signull;
-allow podman_user_t podman_conmon_user_t:fifo_file setattr;
-allow podman_user_t podman_conmon_user_t:unix_stream_socket { connectto rw_stream_socket_perms };
-
-container_engine_executable_entrypoint(podman_user_t)
-
-domtrans_pattern(podman_user_t, podman_conmon_exec_t, podman_conmon_user_t)
-
 # required by slirp4netns
 files_mounton_etc_dirs(podman_user_t)
 # required by slirp4netns
@@ -154,50 +141,58 @@ ifdef(`init_systemd',`
 	systemd_watch_journal_dirs(podman_user_t)
 ')
 
+
 ########################################
 #
-# conmon local policy
+# common conmon local policy
 #
 
-allow podman_conmon_t self:process signal;
-allow podman_conmon_t self:capability { dac_override dac_read_search sys_ptrace sys_resource };
-allow podman_conmon_t self:cap_userns sys_ptrace;
-allow podman_conmon_t self:fifo_file { rw_fifo_file_perms setattr };
-allow podman_conmon_t self:unix_dgram_socket create_socket_perms;
-dontaudit podman_conmon_t self:capability net_admin;
+allow conmon_domain self:process signal;
+allow conmon_domain self:cap_userns sys_ptrace;
+allow conmon_domain self:fifo_file { rw_fifo_file_perms setattr };
+allow conmon_domain self:unix_dgram_socket create_socket_perms;
 
-# conmon will execute crun/runc to create the container
-container_generic_engine_domtrans(podman_conmon_t, podman_t)
-podman_domtrans(podman_conmon_t)
+domain_use_interactive_fds(conmon_domain)
 
-allow podman_conmon_t podman_t:tcp_socket rw_stream_socket_perms;
-allow podman_conmon_t podman_t:unix_stream_socket rw_stream_socket_perms;
-allow podman_conmon_t podman_t:unix_dgram_socket rw_socket_perms;
-ps_process_pattern(podman_conmon_t, podman_t)
+fs_getattr_cgroup(conmon_domain)
+fs_search_cgroup_dirs(conmon_domain)
+fs_read_cgroup_files(conmon_domain)
+fs_watch_cgroup_files(conmon_domain)
 
-domain_use_interactive_fds(podman_conmon_t)
+fs_getattr_tmpfs(conmon_domain)
+fs_getattr_xattr_fs(conmon_domain)
 
-fs_getattr_cgroup(podman_conmon_t)
-fs_search_cgroup_dirs(podman_conmon_t)
-fs_read_cgroup_files(podman_conmon_t)
-fs_watch_cgroup_files(podman_conmon_t)
+logging_send_syslog_msg(conmon_domain)
 
-fs_getattr_tmpfs(podman_conmon_t)
-fs_getattr_xattr_fs(podman_conmon_t)
+miscfiles_read_localization(conmon_domain)
 
-init_rw_inherited_stream_socket(podman_conmon_t)
-init_use_fds(podman_conmon_t)
+userdom_use_user_ptys(conmon_domain)
 
-logging_send_syslog_msg(podman_conmon_t)
+# to send/receive data from container ttys
+container_rw_chr_files(conmon_domain)
 
-miscfiles_read_localization(podman_conmon_t)
+ifdef(`init_systemd',`
+	# conmon can read logs from containers which are
+	# sent to the system journal
+	logging_search_logs(conmon_domain)
+	systemd_list_journal_dirs(conmon_domain)
+	systemd_read_journal_files(conmon_domain)
+')
 
-userdom_use_user_ptys(podman_conmon_t)
+########################################
+#
+# podman conmon local policy
+#
 
-container_read_system_container_state(podman_conmon_t)
+allow podman_conmon_t self:capability { dac_override dac_read_search sys_ptrace sys_resource };
+dontaudit podman_conmon_t self:capability net_admin;
 
-# to send/receive data from container ttys
-container_rw_chr_files(podman_conmon_t)
+podman_domtrans(podman_conmon_t)
+
+init_rw_inherited_stream_socket(podman_conmon_t)
+init_use_fds(podman_conmon_t)
+
+container_read_system_container_state(podman_conmon_t)
 
 container_manage_runtime_files(podman_conmon_t)
 container_manage_runtime_fifo_files(podman_conmon_t)
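Review bot: the first added line of this hunk introduces a second consecutive blank line before the "common conmon local policy" banner; the rest of the file separates sections with a single blank line, so drop the extra one. The split itself reads correctly: capabilities, `dontaudit net_admin` and the init fd/socket rules stay on podman_conmon_t only, while the journal-reading block moves under `conmon_domain` so the rootless domain keeps the rights it had before.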
@@ -217,12 +212,6 @@ ifdef(`init_systemd',`
 	init_start_transient_units(podman_conmon_t)
 	init_start_system(podman_conmon_t)
 	init_stop_system(podman_conmon_t)
-
-	# conmon can read logs from containers which are
-	# sent to the system journal
-	logging_search_logs(podman_conmon_t)
-	systemd_list_journal_dirs(podman_conmon_t)
-	systemd_read_journal_files(podman_conmon_t)
 ')
 
 optional_policy(`
@@ -231,62 +220,23 @@ optional_policy(`
 
 ########################################
 #
-# Rootless conmon local policy
+# Rootless podman conmon local policy
 #
 
-allow podman_conmon_user_t self:process signal;
-allow podman_conmon_user_t self:cap_userns sys_ptrace;
-allow podman_conmon_user_t self:fifo_file { rw_fifo_file_perms setattr };
-allow podman_conmon_user_t self:unix_dgram_socket create_socket_perms;
-
-ps_process_pattern(podman_conmon_user_t, podman_user_t)
-allow podman_conmon_user_t podman_user_t:process signal;
-allow podman_conmon_user_t podman_user_t:unix_stream_socket rw_stream_socket_perms;
-allow podman_conmon_user_t podman_user_t:unix_dgram_socket rw_socket_perms;
-
-# conmon will execute crun/runc to create the container
-container_generic_engine_domtrans(podman_conmon_user_t, podman_user_t)
-podman_domtrans_user(podman_conmon_user_t)
-
-domain_use_interactive_fds(podman_conmon_user_t)
+podman_domtrans_user(podman_user_conmon_t)
 
-fs_getattr_cgroup(podman_conmon_user_t)
-fs_search_cgroup_dirs(podman_conmon_user_t)
-fs_read_cgroup_files(podman_conmon_user_t)
-fs_watch_cgroup_files(podman_conmon_user_t)
+container_read_user_container_state(podman_user_conmon_t)
 
-fs_getattr_tmpfs(podman_conmon_user_t)
-fs_getattr_xattr_fs(podman_conmon_user_t)
+userdom_search_user_home_dirs(podman_user_conmon_t)
+xdg_search_data_dirs(podman_user_conmon_t)
+container_manage_home_data_files(podman_user_conmon_t)
+container_manage_home_data_fifo_files(podman_user_conmon_t)
+container_manage_home_data_sock_files(podman_user_conmon_t)
 
-logging_send_syslog_msg(podman_conmon_user_t)
+userdom_search_user_runtime_root(podman_user_conmon_t)
+userdom_search_user_runtime(podman_user_conmon_t)
+container_manage_user_runtime_files(podman_user_conmon_t)
 
-miscfiles_read_localization(podman_conmon_user_t)
-
-userdom_use_user_ptys(podman_conmon_user_t)
-
-container_read_user_container_state(podman_conmon_user_t)
-
-# to send/receive data from container ttys
-container_rw_chr_files(podman_conmon_user_t)
-
-userdom_search_user_home_dirs(podman_conmon_user_t)
-xdg_search_data_dirs(podman_conmon_user_t)
-container_manage_home_data_files(podman_conmon_user_t)
-container_manage_home_data_fifo_files(podman_conmon_user_t)
-container_manage_home_data_sock_files(podman_conmon_user_t)
-
-userdom_search_user_runtime_root(podman_conmon_user_t)
-userdom_search_user_runtime(podman_conmon_user_t)
-container_manage_user_runtime_files(podman_conmon_user_t)
-
-container_engine_tmp_filetrans(podman_conmon_user_t, { file sock_file })
-container_manage_engine_tmp_files(podman_conmon_user_t)
-container_manage_engine_tmp_sock_files(podman_conmon_user_t)
-
-ifdef(`init_systemd',`
-	# conmon can read logs from containers which are
-	# sent to the system journal
-	logging_search_logs(podman_conmon_user_t)
-	systemd_list_journal_dirs(podman_conmon_user_t)
-	systemd_read_journal_files(podman_conmon_user_t)
-')
+container_engine_tmp_filetrans(podman_user_conmon_t, { file sock_file })
+container_manage_engine_tmp_files(podman_user_conmon_t)
+container_manage_engine_tmp_sock_files(podman_user_conmon_t)
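Review bot: two behavioural differences in this hunk are not covered by the template and are not mentioned in the commit message. The removed `allow podman_conmon_user_t podman_user_t:process signal;` has no counterpart: the template gives the conmon domain only `ps_process_pattern($1_conmon_t, $2)` on its source domain, so the rootless conmon loses the ability to signal podman_user_t. In the other direction, the template grants `allow $1_conmon_t $2:tcp_socket rw_stream_socket_perms;`, which the old rootless rules did not have. Please confirm the first is intentional (or add the `process signal` rule back for podman_user_conmon_t) and note the second.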



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2022-09-03 19:10 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2022-09-03 19:10 UTC (permalink / raw
  To: gentoo-commits

commit:     9c0342adf69784b946a548573cc1a8133b2d08a0
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Mon May 16 16:39:52 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Sep  3 18:41:55 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9c0342ad

podman: add file context for podman in /usr/libexec

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/podman.fc | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/services/podman.fc b/policy/modules/services/podman.fc
index 31c45273..b0243088 100644
--- a/policy/modules/services/podman.fc
+++ b/policy/modules/services/podman.fc
@@ -1,2 +1,4 @@
 /usr/bin/podman	--	gen_context(system_u:object_r:podman_exec_t,s0)
 /usr/bin/conmon	--	gen_context(system_u:object_r:conmon_exec_t,s0)
+
+/usr/libexec/podman/conmon	--	gen_context(system_u:object_r:conmon_exec_t,s0)



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2022-09-03 19:10 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2022-09-03 19:10 UTC (permalink / raw
  To: gentoo-commits

commit:     dc4934ce2c12df07b50c5c20b759c2ea27e4fa90
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Tue May 24 03:00:56 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Sep  3 18:41:55 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=dc4934ce

podman: add alias for conmon executable

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/podman.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/services/podman.te b/policy/modules/services/podman.te
index e4393643..24c7092f 100644
--- a/policy/modules/services/podman.te
+++ b/policy/modules/services/podman.te
@@ -23,6 +23,7 @@ mls_trusted_object(podman_user_t)
 
 attribute conmon_domain;
 type conmon_exec_t;
+typealias conmon_exec_t alias podman_conmon_exec_t;
 
 podman_conmon_domain_template(podman, podman_t)
 role system_r types podman_conmon_t;
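Review bot: this alias logically belongs in the commit that renamed `podman_conmon_exec_t` to `conmon_exec_t`; as split, the tree between the two commits has installed conmon binaries labeled with a type the policy no longer knows, which hurts bisecting and staged upgrades. Also add a comment marking the `typealias` as a compatibility name so it can be dropped in a later release.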



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2022-09-03 19:54 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2022-09-03 19:54 UTC (permalink / raw
  To: gentoo-commits

commit:     5135e685790073660abb1e0ef52816fb542f75a9
Author:     Dave Sugar <dsugar100 <AT> gmail <DOT> com>
AuthorDate: Fri Aug 26 18:02:45 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Sep  3 19:07:50 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5135e685

firewalld: write tmpfs files

node=localhost type=AVC msg=audit(1661536245.787:9531): avc:  denied  { write } for  pid=1008 comm="firewalld" path=2F6D656D66643A6C6962666669202864656C6574656429 dev="tmpfs" ino=2564 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1661536245.788:9532): avc:  denied  { map } for  pid=1008 comm="firewalld" path=2F6D656D66643A6C6962666669202864656C6574656429 dev="tmpfs" ino=2564 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1661536245.788:9532): avc:  denied  { read execute } for  pid=1008 comm="firewalld" path=2F6D656D66643A6C6962666669202864656C6574656429 dev="tmpfs" ino=2564 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar100 <AT> gmail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/firewalld.te | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/policy/modules/services/firewalld.te b/policy/modules/services/firewalld.te
index a32e4b93..32e16898 100644
--- a/policy/modules/services/firewalld.te
+++ b/policy/modules/services/firewalld.te
@@ -24,6 +24,9 @@ logging_log_file(firewalld_var_log_t)
 type firewalld_tmp_t;
 files_tmp_file(firewalld_tmp_t)
 
+type firewalld_tmpfs_t;
+files_tmpfs_file(firewalld_tmpfs_t)
+
 ########################################
 #
 # Local policy
@@ -54,6 +57,11 @@ manage_dirs_pattern(firewalld_t, firewalld_runtime_t, firewalld_runtime_t)
 manage_files_pattern(firewalld_t, firewalld_runtime_t, firewalld_runtime_t)
 files_runtime_filetrans(firewalld_t, firewalld_runtime_t, { dir file })
 
+manage_dirs_pattern(firewalld_t, firewalld_tmpfs_t, firewalld_tmpfs_t)
+manage_files_pattern(firewalld_t, firewalld_tmpfs_t, firewalld_tmpfs_t)
+mmap_read_files_pattern(firewalld_t, firewalld_tmpfs_t, firewalld_tmpfs_t)
+fs_tmpfs_filetrans(firewalld_t, firewalld_tmpfs_t, { dir file })
+
 kernel_read_crypto_sysctls(firewalld_t)
 kernel_read_network_state(firewalld_t)
 kernel_read_system_state(firewalld_t)
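Review bot: the third AVC in the commit message denies `{ read execute }` on the tmpfs file, but nothing in this hunk grants `execute`: `mmap_read_files_pattern` provides getattr/open/read/map only. The `path=` value decodes to "/memfd:libffi (deleted)", i.e. libffi's closure trampoline memfd mapped with PROT_EXEC, so in enforcing mode that mapping is still refused after this patch. If firewalld needs it, add an explicit `allow firewalld_t firewalld_tmpfs_t:file execute;` and state in the commit message that this lets the domain execute a file it wrote itself, which is the W^X relaxation `execmem` normally gates; if it is not needed, the commit message should say the remaining denial is expected.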



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2022-09-03 19:54 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2022-09-03 19:54 UTC (permalink / raw
  To: gentoo-commits

commit:     087ca14923766efc87202a6b8a98f701105ff7a1
Author:     Dave Sugar <dsugar100 <AT> gmail <DOT> com>
AuthorDate: Wed Aug 24 14:32:45 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Sep  3 19:07:49 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=087ca149

chronyd: Allow to read fips_enabled sysctl

node=localhost type=AVC msg=audit(1661344394.902:355): avc:  denied  { search } for  pid=1014 comm="chronyd" name="crypto" dev="proc" ino=10742 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1661344394.902:355): avc:  denied  { read } for  pid=1014 comm="chronyd" name="fips_enabled" dev="proc" ino=10743 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1661344394.902:355): avc:  denied  { open } for  pid=1014 comm="chronyd" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=10743 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1661344394.902:356): avc:  denied  { getattr } for  pid=1014 comm="chronyd" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=10743 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar100 <AT> gmail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/chronyd.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/services/chronyd.te b/policy/modules/services/chronyd.te
index 3354485c..0cf41d3d 100644
--- a/policy/modules/services/chronyd.te
+++ b/policy/modules/services/chronyd.te
@@ -81,6 +81,7 @@ manage_files_pattern(chronyd_t, chronyd_runtime_t, chronyd_runtime_t)
 manage_sock_files_pattern(chronyd_t, chronyd_runtime_t, chronyd_runtime_t)
 files_runtime_filetrans(chronyd_t, chronyd_runtime_t, { dir file sock_file })
 
+kernel_read_crypto_sysctls(chronyd_t)
 kernel_read_system_state(chronyd_t)
 kernel_read_network_state(chronyd_t)
 



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2022-09-03 19:54 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2022-09-03 19:54 UTC (permalink / raw
  To: gentoo-commits

commit:     2053dfa53a3559bc91514f6e05c206850d289e7e
Author:     Dave Sugar <dsugar100 <AT> gmail <DOT> com>
AuthorDate: Thu Aug 25 23:19:24 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Sep  3 19:07:50 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2053dfa5

firewalld: allow to load kernel modules

node=localhost type=AVC msg=audit(1661468040.428:439): avc:  denied  { module_request } for  pid=1009 comm="firewalld" kmod="nft-chain-1-nat" scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0

Signed-off-by: Dave Sugar <dsugar100 <AT> gmail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/firewalld.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/services/firewalld.te b/policy/modules/services/firewalld.te
index 099dc32e..a32e4b93 100644
--- a/policy/modules/services/firewalld.te
+++ b/policy/modules/services/firewalld.te
@@ -57,6 +57,7 @@ files_runtime_filetrans(firewalld_t, firewalld_runtime_t, { dir file })
 kernel_read_crypto_sysctls(firewalld_t)
 kernel_read_network_state(firewalld_t)
 kernel_read_system_state(firewalld_t)
+kernel_request_load_module(firewalld_t)
 kernel_rw_net_sysctls(firewalld_t)
 
 corecmd_exec_bin(firewalld_t)
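Review bot: `kernel_request_load_module` is not scoped to a module name; once granted, any alias firewalld asks for is passed to the kernel's module loader. The denial was enforced (`permissive=0`) and the alias `nft-chain-1-nat` shows nftables loading a chain-type module on demand when the ruleset is applied, so the alternative that avoids granting the right is loading the required nf_tables modules at boot. Granting it is reasonable for a firewall manager, but the commit message should note the trade-off rather than only pasting the AVC.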



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2022-09-03 19:54 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2022-09-03 19:54 UTC (permalink / raw
  To: gentoo-commits

commit:     a5a8129939bf361112055e25a0e55531bbbe20b9
Author:     Dave Sugar <dsugar100 <AT> gmail <DOT> com>
AuthorDate: Thu Aug 25 13:31:22 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Sep  3 19:07:50 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a5a81299

firewalld: create netfilter socket

node=localhost type=AVC msg=audit(1661396059.060:376): avc:  denied  { create } for  pid=1014 comm="firewalld" scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=netlink_netfilter_socket permissive=1
node=localhost type=AVC msg=audit(1661396059.060:377): avc:  denied  { setopt } for  pid=1014 comm="firewalld" scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=netlink_netfilter_socket permissive=1
node=localhost type=AVC msg=audit(1661396059.436:398): avc:  denied  { write } for  pid=1014 comm="firewalld" scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=netlink_netfilter_socket permissive=1
node=localhost type=AVC msg=audit(1661396059.436:399): avc:  denied  { read } for  pid=1014 comm="firewalld" scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=netlink_netfilter_socket permissive=1
node=localhost type=AVC msg=audit(1661396059.437:400): avc:  denied  { getopt } for  pid=1014 comm="firewalld" scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=netlink_netfilter_socket permissive=1

Signed-off-by: Dave Sugar <dsugar100 <AT> gmail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/firewalld.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/services/firewalld.te b/policy/modules/services/firewalld.te
index b51b7740..099dc32e 100644
--- a/policy/modules/services/firewalld.te
+++ b/policy/modules/services/firewalld.te
@@ -33,6 +33,7 @@ allow firewalld_t self:capability { dac_override net_admin };
 dontaudit firewalld_t self:capability sys_tty_config;
 allow firewalld_t self:fifo_file rw_fifo_file_perms;
 allow firewalld_t self:unix_stream_socket { accept listen };
+allow firewalld_t self:netlink_netfilter_socket create_socket_perms;
 allow firewalld_t self:udp_socket create_socket_perms;
 
 manage_dirs_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2022-09-03 19:54 Jason Zaman
From: Jason Zaman @ 2022-09-03 19:54 UTC
  To: gentoo-commits

commit:     2a0d52aa43e15264642fcfacc8996adfd02a0724
Author:     Dave Sugar <dsugar100 <AT> gmail <DOT> com>
AuthorDate: Wed Aug 24 02:22:41 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Sep  3 19:07:49 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2a0d52aa

ssh: allow ssh_keygen to read /usr/share/crypto-policies/

With RHEL9, /etc/crypto-policies/back-ends are symlinks to /usr/share/crypto-policies/*/*

node=localhost type=AVC msg=audit(1661303919.946:335): avc: denied { getattr } for pid=1025 comm="ssh-keygen" path="/usr/share/crypto-policies/FIPS/opensslcnf.txt" dev="dm-0" ino=396589 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1661303919.946:336): avc:  denied  { read } for  pid=1025 comm="ssh-keygen" name="opensslcnf.txt" dev="dm-0" ino=396589 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1661303919.946:336): avc:  denied  { open } for  pid=1025 comm="ssh-keygen" path="/usr/share/crypto-policies/FIPS/opensslcnf.txt" dev="dm-0" ino=396589 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar100 <AT> gmail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/ssh.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index ce320c6a..aa0766bb 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -354,6 +354,7 @@ term_dontaudit_use_console(ssh_keygen_t)
 domain_use_interactive_fds(ssh_keygen_t)
 
 files_read_etc_files(ssh_keygen_t)
+files_read_usr_files(ssh_keygen_t)
 
 init_use_fds(ssh_keygen_t)
 init_use_script_ptys(ssh_keygen_t)
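Review bot: `files_read_usr_files(ssh_keygen_t)` is considerably broader than the denial it fixes: it lets ssh_keygen_t read every usr_t file under /usr, not only /usr/share/crypto-policies. Refpolicy has no dedicated type for that directory, so this is the available fix, but a one-line comment above the call naming the crypto-policies symlink target would document why a key generator reads /usr and discourage widening it further later. Following /etc/crypto-policies/back-ends/* first needs lnk_file read on etc_t, which files_read_etc_files on the line above already provides, so no extra rule is needed for the symlink itself.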



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2022-09-03 19:54 Jason Zaman
From: Jason Zaman @ 2022-09-03 19:54 UTC
  To: gentoo-commits

commit:     d958a662e13f1aaab708bc86cc260e6b582196a0
Author:     Dave Sugar <dsugar100 <AT> gmail <DOT> com>
AuthorDate: Fri Aug 26 18:12:30 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Sep  3 19:07:50 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d958a662

firewalld: firewalld-cmd uses dbus

node=localhost type=USER_AVC msg=audit(1661536843.099:11666): pid=1037 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:firewalld_t:s0 tcontext=toor_u:sysadm_r:sysadm_t:s0 tclass=dbus permissive=1  exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
node=localhost type=USER_AVC msg=audit(1661536101.833:8373): pid=1037 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  denied  { send_msg } for  scontext=toor_u:sysadm_r:sysadm_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=dbus permissive=0  exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"

Signed-off-by: Dave Sugar <dsugar100 <AT> gmail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/firewalld.if | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/services/firewalld.if b/policy/modules/services/firewalld.if
index 4a65cecd..e77b88f8 100644
--- a/policy/modules/services/firewalld.if
+++ b/policy/modules/services/firewalld.if
@@ -105,6 +105,8 @@ interface(`firewalld_admin',`
 	allow $1 firewalld_t:process { ptrace signal_perms };
 	ps_process_pattern($1, firewalld_t)
 
+	firewalld_dbus_chat($1)
+
 	init_startstop_service($1, $2, firewalld_t, firewalld_initrc_exec_t)
 
 	files_search_runtime($1)
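Review bot: adding `firewalld_dbus_chat($1)` inside firewalld_admin is the right place, and the second quoted AVC (permissive=0, sysadm_t to firewalld_t) shows that enforcing mode was actually blocking the client rather than only logging it. Two small points: the subject says firewalld-cmd, but the client binary is firewall-cmd; and since firewalld_dbus_chat grants send_msg in both directions, which both quoted denials require, it would help to say in the message that the admin role gets bidirectional D-Bus chat with the daemon, not just the ability to send it method calls.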



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2022-09-03 19:54 Jason Zaman
From: Jason Zaman @ 2022-09-03 19:54 UTC
  To: gentoo-commits

commit:     86b5f035516e0a10b3af98732667d2c4cb08b79c
Author:     Dave Sugar <dsugar100 <AT> gmail <DOT> com>
AuthorDate: Wed Aug 24 14:37:54 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Sep  3 19:07:49 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=86b5f035

chronyd: allow chronyd to read /usr/share/crypto-policies

With RHEL9, /etc/crypto-policies/back-ends are symlinks to /usr/share/crypto-policies/*/*

node=localhost type=AVC msg=audit(1661344395.351:395): avc:  denied  { getattr } for  pid=1014 comm="chronyd" path="/usr/share/crypto-policies/FIPS/gnutls.txt" dev="dm-0" ino=402142 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1661344395.351:396): avc:  denied  { read } for  pid=1014 comm="chronyd" name="gnutls.txt" dev="dm-0" ino=402142 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1661344395.351:396): avc:  denied  { open } for  pid=1014 comm="chronyd" path="/usr/share/crypto-policies/FIPS/gnutls.txt" dev="dm-0" ino=402142 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar100 <AT> gmail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/chronyd.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/services/chronyd.te b/policy/modules/services/chronyd.te
index 0cf41d3d..aca9a63f 100644
--- a/policy/modules/services/chronyd.te
+++ b/policy/modules/services/chronyd.te
@@ -104,6 +104,8 @@ corenet_udp_bind_chronyd_port(chronyd_t)
 
 dev_rw_realtime_clock(chronyd_t)
 
+files_read_usr_files(chronyd_t)
+
 auth_use_nsswitch(chronyd_t)
 
 logging_send_syslog_msg(chronyd_t)
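Review bot: as with the ssh_keygen commit in this series, `files_read_usr_files(chronyd_t)` grants read of all usr_t content to fix one denial on /usr/share/crypto-policies/FIPS/gnutls.txt. Acceptable given that no narrower type exists for crypto-policies, but a comment above the call naming the symlinked GnuTLS config would document why a time daemon needs to read /usr, and it is worth checking that chronyd.te does not already carry files_read_usr_files further down the file, since the context shown here is too short to tell and a duplicate call is easy to miss.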



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2022-09-03 19:54 Jason Zaman
From: Jason Zaman @ 2022-09-03 19:54 UTC
  To: gentoo-commits

commit:     639bfc231cae05ce9ff11b367e25f934a59bf23e
Author:     Dave Sugar <dsugar100 <AT> gmail <DOT> com>
AuthorDate: Thu Aug 25 13:28:00 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Sep  3 19:07:50 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=639bfc23

firewalld: read to read fips_enabled sysctl

node=localhost type=AVC msg=audit(1661396058.360:317): avc:  denied  { search } for  pid=1014 comm="firewalld" name="crypto" dev="proc" ino=10510 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1661396058.360:317): avc:  denied  { read } for  pid=1014 comm="firewalld" name="fips_enabled" dev="proc" ino=10511 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1661396058.360:317): avc:  denied  { open } for  pid=1014 comm="firewalld" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=10511 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1661396058.361:318): avc:  denied  { getattr } for  pid=1014 comm="firewalld" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=10511 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1661396058.664:340): avc:  denied  { search } for  pid=1014 comm="firewalld" name="crypto" dev="proc" ino=10510 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1

Signed-off-by: Dave Sugar <dsugar100 <AT> gmail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/firewalld.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/services/firewalld.te b/policy/modules/services/firewalld.te
index cb37c98b..b51b7740 100644
--- a/policy/modules/services/firewalld.te
+++ b/policy/modules/services/firewalld.te
@@ -53,6 +53,7 @@ manage_dirs_pattern(firewalld_t, firewalld_runtime_t, firewalld_runtime_t)
 manage_files_pattern(firewalld_t, firewalld_runtime_t, firewalld_runtime_t)
 files_runtime_filetrans(firewalld_t, firewalld_runtime_t, { dir file })
 
+kernel_read_crypto_sysctls(firewalld_t)
 kernel_read_network_state(firewalld_t)
 kernel_read_system_state(firewalld_t)
 kernel_rw_net_sysctls(firewalld_t)
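Review bot: `kernel_read_crypto_sysctls(firewalld_t)` matches the denials (dir search on sysctl_crypto_t plus read/open/getattr on fips_enabled); the refpolicy interface lists the sysctl directory types in its read_files_pattern, so the search denial is covered without a separate rule, and the call keeps the kernel_ block alphabetical. The subject line "read to read fips_enabled sysctl" reads like a slip for "allow firewalld to read the fips_enabled sysctl"; worth fixing before merge so git log stays searchable.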



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2022-09-03 20:04 Kenton Groombridge
From: Kenton Groombridge @ 2022-09-03 20:04 UTC
  To: gentoo-commits

commit:     139f4bb39aea6b202996abebe7581f1479e9fdf1
Author:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
AuthorDate: Fri Nov 12 01:24:07 2021 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Sat Sep  3 20:04:27 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=139f4bb3

apache: add gentoo-specific interface to map httpd sys content

Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/services/apache.if | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
index 2b3a7f3c..8daa613b 100644
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@@ -1466,3 +1466,23 @@ interface(`apache_rw_runtime_files',`
 
 	allow $1 httpd_runtime_t:file rw_file_perms;
 ')
+
+########################################
+## <summary>
+##	Map httpd sys content files.
+##	This interface is Gentoo-specific.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apache_map_sys_content',`
+	gen_require(`
+		type httpd_sys_content_t, httpd_sys_rw_content_t;
+	')
+
+	allow $1 httpd_sys_content_t:file map;
+	allow $1 httpd_sys_rw_content_t:file map;
+')
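Review bot: `map` on its own is not usable: mmap of a file still requires the read (and open) permission on it, so a caller of apache_map_sys_content must also call the read interface for httpd sys content. Either state that in the summary or fold the read into this interface with mmap_read_files_pattern so it cannot be called half-way. Also, bundling httpd_sys_rw_content_t here means a caller that only needs to map read-only content also gets map on writable content; consider splitting into read-only and rw variants, as the other apache content interfaces do.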



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2022-11-02 14:42 Kenton Groombridge
From: Kenton Groombridge @ 2022-11-02 14:42 UTC
  To: gentoo-commits

commit:     d517c019baf5d3610277a30198bc6d6583024353
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Mon Sep 19 23:38:51 2022 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Wed Nov  2 14:07:04 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d517c019

mta: add support for nullmailer

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/services/mta.fc | 2 ++
 policy/modules/services/mta.te | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/policy/modules/services/mta.fc b/policy/modules/services/mta.fc
index 66634b0c7..f5738937f 100644
--- a/policy/modules/services/mta.fc
+++ b/policy/modules/services/mta.fc
@@ -38,3 +38,5 @@ HOME_DIR/\.maildir(/.*)?	gen_context(system_u:object_r:mail_home_rw_t,s0)
 /var/spool/(client)?mqueue(/.*)?	gen_context(system_u:object_r:mqueue_spool_t,s0)
 /var/spool/mqueue\.in(/.*)?	gen_context(system_u:object_r:mqueue_spool_t,s0)
 /var/spool/mail(/.*)?	gen_context(system_u:object_r:mail_spool_t,s0)
+/var/spool/nullmailer(/.*)?	gen_context(system_u:object_r:mail_spool_t,s0)
+/var/spool/nullmailer/queue(/.*)?	gen_context(system_u:object_r:mqueue_spool_t,s0)
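Review bot: the two new entries interact correctly (setfiles prefers the entry with the longest fixed prefix, so `/var/spool/nullmailer/queue(/.*)?` wins over the parent rule for the queue directory), but the trigger FIFO referred to in the mta.te hunk, /var/spool/nullmailer/trigger, receives mail_spool_t only implicitly through the parent rule. An explicit `-p` entry for it would make the intent visible to anyone auditing the contexts and keep it stable if the parent rule is ever narrowed.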

diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
index e68a6bb75..bcdc903bb 100644
--- a/policy/modules/services/mta.te
+++ b/policy/modules/services/mta.te
@@ -69,6 +69,8 @@ read_files_pattern(user_mail_domain, { etc_mail_t etc_aliases_t }, { etc_mail_t
 
 manage_files_pattern(user_mail_domain, { mqueue_spool_t mail_spool_t }, { mqueue_spool_t mail_spool_t })
 read_lnk_files_pattern(user_mail_domain, { mqueue_spool_t mail_spool_t }, { mqueue_spool_t mail_spool_t })
+# allow IPC with nullmailer via /var/spool/nullmailer/trigger
+allow user_mail_domain mail_spool_t:fifo_file rw_fifo_file_perms;
 
 allow user_mail_domain sendmail_exec_t:lnk_file read_lnk_file_perms;
 
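Review bot: `allow user_mail_domain mail_spool_t:fifo_file rw_fifo_file_perms;` applies to every FIFO labelled mail_spool_t and to every user mail domain, not only nullmailer's trigger pipe; the comment should say the rule is broader than the path it names. FIFOs with that label are rare, so this is probably fine in practice, but if other MTAs ever place pipes in the spool the grant would silently extend to them.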



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2022-11-02 14:42 Kenton Groombridge
From: Kenton Groombridge @ 2022-11-02 14:42 UTC
  To: gentoo-commits

commit:     c9c22b083349a39d29ab0e530e9a4545fe7e7708
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Mon Sep 19 23:06:34 2022 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Wed Nov  2 14:07:03 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c9c22b08

zfs: various fixes

Minor fixes for ZFS, including allowing Zed to use sendmail and write
LED statuses to enclosure devices.

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/services/zfs.te | 47 +++++++++++++++++++++++++++++++++++++++---
 1 file changed, 44 insertions(+), 3 deletions(-)

diff --git a/policy/modules/services/zfs.te b/policy/modules/services/zfs.te
index 05e0d3e5f..519295e96 100644
--- a/policy/modules/services/zfs.te
+++ b/policy/modules/services/zfs.te
@@ -50,39 +50,49 @@ files_runtime_filetrans(zed_t, zfs_runtime_t, file)
 corecmd_exec_bin(zed_t)
 corecmd_exec_shell(zed_t)
 
-dev_read_sysfs(zed_t)
+dev_rw_sysfs(zed_t)
 
 files_search_etc(zed_t)
 
+kernel_read_system_state(zed_t)
 kernel_read_vm_overcommit_sysctl(zed_t)
 
 storage_raw_rw_fixed_disk(zed_t)
 
 auth_use_nsswitch(zed_t)
 
+hostname_exec(zed_t)
+
 logging_send_syslog_msg(zed_t)
 
 miscfiles_read_localization(zed_t)
 
 udev_search_runtime(zed_t)
 
+zfs_rw_zpool_cache(zed_t)
+
 ########################################
 #
 # zfs local policy
 #
 
-allow zfs_t self:process getsched;
-allow zfs_t self:capability sys_admin;
+allow zfs_t self:process { getsched signull };
+allow zfs_t self:capability { sys_admin sys_rawio };
 allow zfs_t self:fifo_file rw_fifo_file_perms;
 
 list_dirs_pattern(zfs_t, zfs_config_t, zfs_config_t)
 read_files_pattern(zfs_t, zfs_config_t, zfs_config_t)
 read_lnk_files_pattern(zfs_t, zfs_config_t, zfs_config_t)
 
+manage_files_pattern(zfs_t, zfs_runtime_t, zfs_runtime_t)
+files_runtime_filetrans(zfs_t, zfs_runtime_t, file)
+
 # to execute scripts in /usr/libexec/zfs
 corecmd_exec_bin(zfs_t)
 corecmd_exec_shell(zfs_t)
 
+dev_delete_generic_symlinks(zfs_t)
+dev_getattr_sysfs(zfs_t)
 dev_read_sysfs(zfs_t)
 
 domain_use_interactive_fds(zfs_t)
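Review bot: two grants in this hunk widen zed_t and zfs_t noticeably without an in-policy comment: `dev_rw_sysfs(zed_t)` replaces read-only sysfs access with read-write across all of sysfs, and `sys_rawio` joins zfs_t's capabilities. The commit message explains the sysfs write (enclosure LED status), so put that reason next to the rule; for sys_rawio, say which zfs operation needs it, because that capability covers raw device I/O well beyond anything a LED update requires.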
@@ -104,6 +114,8 @@ kernel_read_kernel_sysctls(zfs_t)
 
 storage_raw_rw_fixed_disk(zfs_t)
 
+udev_read_runtime_files(zfs_t)
+
 miscfiles_read_localization(zfs_t)
 
 auth_use_nsswitch(zfs_t)
@@ -112,9 +124,38 @@ mount_exec(zfs_t)
 
 userdom_use_user_terminals(zfs_t)
 
+zfs_rw_zpool_cache(zfs_t)
+
 optional_policy(`
 	kernel_rw_rpc_sysctls(zfs_t)
 
 	rpc_manage_nfs_state_data(zfs_t)
 	rpc_read_exports(zfs_t)
 ')
+
+#######################################
+#
+# Mail local policy
+#
+
+optional_policy(`
+	mta_base_mail_template(zed)
+	role system_r types zed_mail_t;
+
+	allow zed_mail_t zed_t:fd use;
+	allow zed_mail_t zed_t:fifo_file rw_fifo_file_perms;
+	allow zed_mail_t zed_t:process sigchld;
+
+	manage_dirs_pattern(zed_t, zed_mail_tmp_t, zed_mail_tmp_t)
+	manage_files_pattern(zed_t, zed_mail_tmp_t, zed_mail_tmp_t)
+	files_tmp_filetrans(zed_t, zed_mail_tmp_t, { dir file })
+
+	allow zfs_t zed_mail_tmp_t:file write_file_perms;
+
+	mta_sendmail_domtrans(zed_t, zed_mail_t)
+
+	allow zed_mail_t self:capability { dac_override dac_read_search };
+
+	storage_dontaudit_read_fixed_disk(zed_mail_t)
+	storage_dontaudit_write_fixed_disk(zed_mail_t)
+')
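Review bot: `allow zfs_t zed_mail_tmp_t:file write_file_perms;` needs a comment: zfs_t is the command domain, so presumably zed's notification scripts run zfs with stdout redirected into the mail temp file and the rule is for that inherited descriptor. If so, write_file_perms (which includes open) is more than an inherited fd requires; plain `write` or append_file_perms would be tighter. Likewise `{ dac_override dac_read_search }` for zed_mail_t is not explained anywhere in the message; note what the sendmail child reads that it does not own, or drop dac_override if dac_read_search alone satisfies it.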



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2022-11-02 14:42 Kenton Groombridge
From: Kenton Groombridge @ 2022-11-02 14:42 UTC
  To: gentoo-commits

commit:     74c032778f9f1d5b0b4f3af6d91c297fef7f15ea
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Sat Sep 24 04:59:10 2022 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Wed Nov  2 14:07:13 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=74c03277

glusterfs: various fixes

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/services/glusterfs.fc | 12 ++++---
 policy/modules/services/glusterfs.if | 70 ++++++++++++++++++++++++++++++++++++
 policy/modules/services/glusterfs.te | 47 ++++++++++++++++++------
 3 files changed, 114 insertions(+), 15 deletions(-)

diff --git a/policy/modules/services/glusterfs.fc b/policy/modules/services/glusterfs.fc
index 8e538dc8e..158a4a85e 100644
--- a/policy/modules/services/glusterfs.fc
+++ b/policy/modules/services/glusterfs.fc
@@ -1,7 +1,7 @@
 /etc/rc\.d/init\.d/gluster.*	--	gen_context(system_u:object_r:glusterd_initrc_exec_t,s0)
 
-/etc/glusterfs(/.*)?	gen_context(system_u:object_r:glusterd_conf_t,s0)
-/etc/glusterd(/.*)?	gen_context(system_u:object_r:glusterd_conf_t,s0)
+/etc/glusterfs(/.*)?		gen_context(system_u:object_r:glusterd_conf_t,s0)
+/etc/glusterd(/.*)?		gen_context(system_u:object_r:glusterd_conf_t,s0)
 
 /usr/bin/glusterd	--	gen_context(system_u:object_r:glusterd_initrc_exec_t,s0)
 /usr/bin/glusterfsd	--	gen_context(system_u:object_r:glusterd_exec_t,s0)
@@ -11,9 +11,11 @@
 
 /opt/glusterfs/[^/]+/sbin/glusterfsd	--	gen_context(system_u:object_r:glusterd_exec_t,s0)
 
-/var/lib/gluster.*	gen_context(system_u:object_r:glusterd_var_lib_t,s0)
+/var/lib/gluster.*		gen_context(system_u:object_r:glusterd_var_lib_t,s0)
 
-/var/log/glusterfs(/.*)?	gen_context(system_u:object_r:glusterd_log_t,s0)
+/var/log/glusterfs(/.*)?		gen_context(system_u:object_r:glusterd_log_t,s0)
 
-/run/glusterd(/.*)?	gen_context(system_u:object_r:glusterd_runtime_t,s0)
+/run/gluster(/.*)?		gen_context(system_u:object_r:glusterd_runtime_t,s0)
+/run/glusterd(/.*)?		gen_context(system_u:object_r:glusterd_runtime_t,s0)
 /run/glusterd\.pid	--	gen_context(system_u:object_r:glusterd_runtime_t,s0)
+/run/glusterd\.socket	-s	gen_context(system_u:object_r:glusterd_runtime_t,s0)
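Review bot: `/run/glusterd\.socket -s` gives the new glusterfs_stream_connect_daemon interface a labelled socket to connect to, good. The added `/run/gluster(/.*)?` entry shares glusterd_runtime_t with the existing `/run/glusterd(/.*)?`; a short comment saying what lives under /run/gluster (per-brick sockets, shared state) would stop the two lines being misread as a typo of one another.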

diff --git a/policy/modules/services/glusterfs.if b/policy/modules/services/glusterfs.if
index 27c6bd6f7..b2b485ede 100644
--- a/policy/modules/services/glusterfs.if
+++ b/policy/modules/services/glusterfs.if
@@ -1,5 +1,71 @@
 ## <summary>Cluster File System binary, daemon and command line.</summary>
 
+########################################
+## <summary>
+##	Execute glusterd in the glusterd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`glusterfs_domtrans_daemon',`
+	gen_require(`
+		type glusterd_t, glusterd_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, glusterd_exec_t, glusterd_t)
+')
+
+########################################
+## <summary>
+##	Execute glusterd in the glusterd domain, and
+##	allow the specified role the glusterd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`glusterfs_run_daemon',`
+	gen_require(`
+		type glusterd_t;
+	')
+
+	glusterfs_domtrans_daemon($1)
+	role $2 types glusterd_t;
+')
+
+########################################
+## <summary>
+##	Connect to glusterd over a unix stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`glusterfs_stream_connect_daemon',`
+	gen_require(`
+		type glusterd_t;
+		type glusterd_runtime_t;
+	')
+
+	files_search_runtime($1)
+	stream_connect_pattern($1, glusterd_runtime_t, glusterd_runtime_t, glusterd_t)
+	allow $1 glusterd_runtime_t:sock_file read_sock_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	All of the rules required to
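Review bot: in glusterfs_stream_connect_daemon the gen_require lists `type glusterd_t;` and `type glusterd_runtime_t;` on separate lines; combine them on one line as the other interfaces in this file do. Also, stream_connect_pattern already grants write_sock_file_perms on glusterd_runtime_t, so the extra `allow $1 glusterd_runtime_t:sock_file read_sock_file_perms;` only adds getattr/open/read on the socket file; if that is for the CLI checking that the socket exists, a one-line comment would keep it from being removed later as redundant.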
@@ -24,11 +90,15 @@ interface(`glusterfs_admin',`
 		type glusterd_runtime_t;
 	')
 
+	glusterfs_run_daemon($1, $2)
+
 	init_startstop_service($1, $2, glusterd_t, glusterd_initrc_exec_t)
 
 	allow $1 glusterd_t:process { ptrace signal_perms };
 	ps_process_pattern($1, glusterd_t)
 
+	glusterfs_stream_connect_daemon($1)
+
 	files_search_etc($1)
 	admin_pattern($1, glusterd_conf_t)
 

diff --git a/policy/modules/services/glusterfs.te b/policy/modules/services/glusterfs.te
index de4f9baea..2d94845d9 100644
--- a/policy/modules/services/glusterfs.te
+++ b/policy/modules/services/glusterfs.te
@@ -32,11 +32,11 @@ files_type(glusterd_var_lib_t)
 # Local policy
 #
 
-allow glusterd_t self:capability { chown dac_override dac_read_search fowner sys_admin sys_resource };
-allow glusterd_t self:process { setrlimit signal };
+allow glusterd_t self:capability { chown dac_override dac_read_search fowner ipc_lock sys_admin sys_resource };
+allow glusterd_t self:process { getsched setrlimit signal signull };
 allow glusterd_t self:fifo_file rw_fifo_file_perms;
-allow glusterd_t self:tcp_socket { accept listen };
-allow glusterd_t self:unix_stream_socket { accept listen };
+allow glusterd_t self:tcp_socket create_stream_socket_perms;
+allow glusterd_t self:unix_stream_socket { create_stream_socket_perms connectto };
 
 manage_dirs_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t)
 manage_files_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t)
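Review bot: `ipc_lock` and `connectto` on glusterd_t's own unix_stream_socket are new and uncommented; ipc_lock is usually for mlock of transport buffers and connectto for the daemon talking to its own CLI socket, so say which applies. Moving from `{ accept listen }` to create_stream_socket_perms is a strict superset consistent with the domain already creating these sockets, fine.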
@@ -58,17 +58,14 @@ manage_files_pattern(glusterd_t, glusterd_runtime_t, glusterd_runtime_t)
 manage_sock_files_pattern(glusterd_t, glusterd_runtime_t, glusterd_runtime_t)
 files_runtime_filetrans(glusterd_t, glusterd_runtime_t, { dir file sock_file })
 
+can_exec(glusterd_t, glusterd_var_lib_t)
 manage_dirs_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
 manage_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
+manage_lnk_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
 files_var_lib_filetrans(glusterd_t, glusterd_var_lib_t, dir)
 
 can_exec(glusterd_t, glusterd_exec_t)
 
-kernel_read_system_state(glusterd_t)
-
-corecmd_exec_bin(glusterd_t)
-corecmd_exec_shell(glusterd_t)
-
 corenet_all_recvfrom_netlabel(glusterd_t)
 corenet_tcp_sendrecv_generic_if(glusterd_t)
 corenet_udp_sendrecv_generic_if(glusterd_t)
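Review bot: `can_exec(glusterd_t, glusterd_var_lib_t)` lets the daemon execute files under /var/lib/gluster*, a location it can also create and modify via the manage_files_pattern two lines below. Executing content a domain writes itself is the combination refpolicy normally avoids; if this is for hook scripts under /var/lib/glusterd/hooks, a dedicated executable type labelled on that subtree (say glusterd_hooks_exec_t, name hypothetical) would keep write and execute on different types. Add a comment either way. The removal of kernel_read_system_state and corecmd_exec_* here is ordering only; they reappear in the later hunks.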
@@ -77,6 +74,9 @@ corenet_udp_sendrecv_generic_node(glusterd_t)
 corenet_tcp_bind_generic_node(glusterd_t)
 corenet_udp_bind_generic_node(glusterd_t)
 
+corenet_tcp_bind_glusterd_port(glusterd_t)
+corenet_tcp_connect_glusterd_port(glusterd_t)
+
 # Too coarse?
 corenet_sendrecv_all_server_packets(glusterd_t)
 corenet_tcp_bind_all_reserved_ports(glusterd_t)
@@ -86,17 +86,44 @@ corenet_udp_bind_ipp_port(glusterd_t)
 corenet_sendrecv_all_client_packets(glusterd_t)
 corenet_tcp_connect_all_unreserved_ports(glusterd_t)
 
+corecmd_exec_bin(glusterd_t)
+corecmd_exec_shell(glusterd_t)
+
 dev_read_sysfs(glusterd_t)
 dev_read_urand(glusterd_t)
 
 domain_read_all_domains_state(glusterd_t)
-
 domain_use_interactive_fds(glusterd_t)
 
 files_read_usr_files(glusterd_t)
+files_mounton_mnt(glusterd_t)
+
+fs_dontaudit_getattr_all_fs(glusterd_t)
+fs_getattr_xattr_fs(glusterd_t)
+fs_mount_fusefs(glusterd_t)
+fs_unmount_fusefs(glusterd_t)
+
+kernel_dontaudit_getattr_proc(glusterd_t)
+kernel_read_kernel_sysctls(glusterd_t)
+kernel_read_net_sysctls(glusterd_t)
+kernel_read_system_state(glusterd_t)
+
+storage_rw_fuse(glusterd_t)
 
 auth_use_nsswitch(glusterd_t)
 
+hostname_exec(glusterd_t)
+
 logging_send_syslog_msg(glusterd_t)
 
+miscfiles_read_generic_certs(glusterd_t)
 miscfiles_read_localization(glusterd_t)
+
+# needed by relabeling hooks when adding bricks
+seutil_domtrans_semanage(glusterd_t)
+seutil_exec_setfiles(glusterd_t)
+seutil_read_default_contexts(glusterd_t)
+
+userdom_dontaudit_search_user_runtime_root(glusterd_t)
+
+xdg_dontaudit_search_data_dirs(glusterd_t)
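Review bot: `seutil_domtrans_semanage(glusterd_t)` is the heaviest addition in this patch: a transition into semanage_t lets the storage daemon change file contexts and policy modules system-wide. The comment says it is for relabeling hooks when adding bricks; if those hooks only need setfiles/restorecon on brick paths, seutil_exec_setfiles and seutil_read_default_contexts (both added here) may already suffice, and the semanage transition could be dropped or gated behind a tunable so sites that never add bricks from the daemon do not carry it. `fs_mount_fusefs`/`fs_unmount_fusefs` and `files_mounton_mnt` would also benefit from a comment naming the glusterfs client mount case.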



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2022-11-02 14:42 Kenton Groombridge
From: Kenton Groombridge @ 2022-11-02 14:42 UTC
  To: gentoo-commits

commit:     22d7dd88e5e3463edc65c36b2262ab9a22746fd2
Author:     Yi Zhao <yi.zhao <AT> windriver <DOT> com>
AuthorDate: Fri Jul  3 02:32:41 2020 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Wed Nov  2 14:07:22 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=22d7dd88

radius: fixes for freeradius

* Add dac_read_search capability to radiusd_t
* Add getcap to radiusd_t process

Fixes:
avc: denied { dac_read_search } for pid=473 comm="radiusd" capability=2
scontext=system_u:system_r:radiusd_t
tcontext=system_u:system_r:radiusd_t tclass=capability permissive=1

avc: denied { getcap } for pid=473 comm="radiusd"
scontext=system_u:system_r:radiusd_t
tcontext=system_u:system_r:radiusd_t tclass=process permissive=1

Signed-off-by: Yi Zhao <yi.zhao <AT> windriver.com>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/services/radius.te | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/services/radius.te b/policy/modules/services/radius.te
index e5d37e722..8ac766c39 100644
--- a/policy/modules/services/radius.te
+++ b/policy/modules/services/radius.te
@@ -32,9 +32,9 @@ files_type(radiusd_var_lib_t)
 # Local policy
 #
 
-allow radiusd_t self:capability { chown dac_override fsetid kill setgid setuid sys_resource sys_tty_config };
+allow radiusd_t self:capability { chown dac_override dac_read_search fsetid kill setgid setuid sys_resource sys_tty_config };
 dontaudit radiusd_t self:capability sys_tty_config;
-allow radiusd_t self:process { getsched setrlimit setsched sigkill signal };
+allow radiusd_t self:process { getcap getsched setrlimit setsched sigkill signal };
 allow radiusd_t self:fifo_file rw_fifo_file_perms;
 allow radiusd_t self:unix_stream_socket { accept listen };
 allow radiusd_t self:tcp_socket { accept listen };
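Review bot: radiusd_t already holds dac_override, which subsumes what dac_read_search grants; for directory lookups the kernel checks dac_read_search before dac_override, so in permissive mode this denial is audited even where dac_override would have sufficed, and the quoted AVC does not by itself prove the new capability is needed. Functionally either works, but the least-privilege direction is to keep dac_read_search and check whether dac_override can be dropped, since radiusd mostly needs to read configuration and certificates owned by other users. The getcap addition is harmless.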



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2022-11-02 14:42 Kenton Groombridge
From: Kenton Groombridge @ 2022-11-02 14:42 UTC
  To: gentoo-commits

commit:     44a2c3d605250b5c60034683bbcf5eaed59981d5
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Sat Sep 24 05:32:41 2022 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Wed Nov  2 14:07:14 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=44a2c3d6

glusterfs: add type for gluster bricks

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/services/glusterfs.if |  6 +++++-
 policy/modules/services/glusterfs.te | 10 ++++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/policy/modules/services/glusterfs.if b/policy/modules/services/glusterfs.if
index b2b485ede..328818ad3 100644
--- a/policy/modules/services/glusterfs.if
+++ b/policy/modules/services/glusterfs.if
@@ -87,7 +87,7 @@ interface(`glusterfs_admin',`
 	gen_require(`
 		type glusterd_t, glusterd_initrc_exec_t, glusterd_log_t;
 		type glusterd_tmp_t, glusterd_conf_t, glusterd_var_lib_t;
-		type glusterd_runtime_t;
+		type glusterd_runtime_t, glusterd_brick_t;
 	')
 
 	glusterfs_run_daemon($1, $2)
@@ -113,4 +113,8 @@ interface(`glusterfs_admin',`
 
 	files_search_runtime($1)
 	admin_pattern($1, glusterd_runtime_t)
+
+	# searching var for /srv
+	files_search_var($1)
+	admin_pattern($1, glusterd_brick_t)
 ')
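Review bot: the comment `# searching var for /srv` is confusing on its own; it is correct because refpolicy labels /srv as var_t, but say so ("/srv is var_t; bricks usually live there") so readers do not assume /srv sits under /var. More importantly, no file context for glusterd_brick_t is added in this commit, so the type cannot be applied without the admin setting a context for the brick path manually; the commit message should state that, or the .fc should carry a commented example path.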

diff --git a/policy/modules/services/glusterfs.te b/policy/modules/services/glusterfs.te
index 2d94845d9..690aa828a 100644
--- a/policy/modules/services/glusterfs.te
+++ b/policy/modules/services/glusterfs.te
@@ -27,6 +27,9 @@ files_tmp_file(glusterd_tmp_t)
 type glusterd_var_lib_t;
 files_type(glusterd_var_lib_t)
 
+type glusterd_brick_t;
+files_type(glusterd_brick_t)
+
 ########################################
 #
 # Local policy
@@ -64,6 +67,13 @@ manage_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
 manage_lnk_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
 files_var_lib_filetrans(glusterd_t, glusterd_var_lib_t, dir)
 
+manage_dirs_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
+manage_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
+manage_chr_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
+manage_fifo_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
+manage_lnk_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
+manage_sock_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
+
 can_exec(glusterd_t, glusterd_exec_t)
 
 corenet_all_recvfrom_netlabel(glusterd_t)
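Review bot: the brick rules grant manage on chr_file but not blk_file. If the intent is that bricks hold arbitrary client content including device nodes, blk_file is missing for consistency; if device nodes are not expected, chr_file should go too, since letting the daemon create character devices on brick storage is a notable widening. A comment naming the gluster operation that needs chr_file would settle which it is.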



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2022-11-02 14:42 Kenton Groombridge
From: Kenton Groombridge @ 2022-11-02 14:42 UTC
  To: gentoo-commits

commit:     b806992f1bc6fa8187730296a708320ee0e18266
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Sat Sep 24 04:09:19 2022 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Wed Nov  2 14:07:09 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b806992f

opensm: initial policy

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/services/opensm.fc | 10 +++++
 policy/modules/services/opensm.if | 86 +++++++++++++++++++++++++++++++++++++++
 policy/modules/services/opensm.te | 45 ++++++++++++++++++++
 3 files changed, 141 insertions(+)

diff --git a/policy/modules/services/opensm.fc b/policy/modules/services/opensm.fc
new file mode 100644
index 000000000..6d9566bb1
--- /dev/null
+++ b/policy/modules/services/opensm.fc
@@ -0,0 +1,10 @@
+/usr/bin/opensm	--	gen_context(system_u:object_r:opensm_exec_t,s0)
+
+/usr/sbin/opensm	--	gen_context(system_u:object_r:opensm_exec_t,s0)
+
+/etc/opensm(/.*)?		gen_context(system_u:object_r:opensm_conf_t,s0)
+
+/var/cache/opensm(/.*)?		gen_context(system_u:object_r:opensm_cache_t,s0)
+
+/var/log/opensm\.log	--	gen_context(system_u:object_r:opensm_log_t,s0)
+/var/log/opensm-subnet\.lst	--	gen_context(system_u:object_r:opensm_log_t,s0)

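Review bot: the two /var/log entries only name opensm\.log and opensm-subnet\.lst, while the .te in this same commit calls logging_log_filetrans(opensm_t, opensm_log_t, file) with no name filter, so any other file opensm creates in /var/log is labelled opensm_log_t at creation but would fall back to var_log_t on restorecon. Either list every file opensm writes there or use one pattern such as `/var/log/opensm.*` so relabeling and the transition agree.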
diff --git a/policy/modules/services/opensm.if b/policy/modules/services/opensm.if
new file mode 100644
index 000000000..47664ce15
--- /dev/null
+++ b/policy/modules/services/opensm.if
@@ -0,0 +1,86 @@
+## <summary>OpenSM is a software implementation of an InfiniBand subnet manager.</summary>
+
+########################################
+## <summary>
+##	Execute opensm in the opensm domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`opensm_domtrans',`
+	gen_require(`
+		type opensm_t, opensm_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, opensm_exec_t, opensm_t)
+')
+
+########################################
+## <summary>
+##	Execute opensm in the opensm domain, and
+##	allow the specified role the opensm domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`opensm_run',`
+	gen_require(`
+		type opensm_t;
+	')
+
+	opensm_domtrans($1)
+	role $2 types opensm_t;
+')
+
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an opensm environment.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`opensm_admin',`
+	gen_require(`
+		type opensm_t;
+		type opensm_conf_t, opensm_cache_t;
+		type opensm_log_t;
+	')
+
+	opensm_run($1, $2)
+
+	allow $1 opensm_t:process { ptrace signal_perms };
+	ps_process_pattern($1, opensm_t)
+
+	files_search_etc($1)
+	admin_pattern($1, opensm_conf_t)
+
+	files_search_var($1)
+	admin_pattern($1, opensm_cache_t)
+
+	logging_search_logs($1)
+	admin_pattern($1, opensm_log_t)
+')

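Review bot: there is a stray double blank line between the closing `')` of opensm_run and the header block of opensm_admin; the other interfaces in this file are separated by a single blank line, so drop one of them.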
diff --git a/policy/modules/services/opensm.te b/policy/modules/services/opensm.te
new file mode 100644
index 000000000..1d5c2f57d
--- /dev/null
+++ b/policy/modules/services/opensm.te
@@ -0,0 +1,45 @@
+policy_module(opensm)
+
+########################################
+#
+# Declarations
+#
+
+type opensm_t;
+type opensm_exec_t;
+init_daemon_domain(opensm_t, opensm_exec_t)
+
+type opensm_conf_t;
+files_config_file(opensm_conf_t)
+
+type opensm_cache_t;
+files_type(opensm_cache_t)
+
+type opensm_log_t;
+logging_log_file(opensm_log_t)
+
+########################################
+#
+# opensm local policy
+#
+
+allow opensm_t self:process { getsched signal };
+allow opensm_t self:unix_dgram_socket create_socket_perms;
+
+read_files_pattern(opensm_t, opensm_conf_t, opensm_conf_t)
+
+manage_dirs_pattern(opensm_t, opensm_cache_t, opensm_cache_t)
+manage_files_pattern(opensm_t, opensm_cache_t, opensm_cache_t)
+files_var_filetrans(opensm_t, opensm_cache_t, dir)
+
+create_files_pattern(opensm_t, opensm_log_t, opensm_log_t)
+append_files_pattern(opensm_t, opensm_log_t, opensm_log_t)
+rw_files_pattern(opensm_t, opensm_log_t, opensm_log_t)
+logging_log_filetrans(opensm_t, opensm_log_t, file)
+
+dev_read_sysfs(opensm_t)
+dev_rw_infiniband(opensm_t)
+
+logging_send_syslog_msg(opensm_t)
+
+miscfiles_read_localization(opensm_t)

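Review bot: files_var_filetrans(opensm_t, opensm_cache_t, dir) has no name filter, so every directory opensm_t creates in a var_t directory becomes opensm_cache_t, not only /var/cache/opensm; pass the name as the fourth argument, `files_var_filetrans(opensm_t, opensm_cache_t, dir, "opensm")`, to pin the transition to that path. The same applies to logging_log_filetrans(opensm_t, opensm_log_t, file), which could name the two log files from the .fc. Separately, read_files_pattern on opensm_conf_t gives search on the opensm_conf_t directory itself, but nothing in this hunk grants opensm_t search on /etc to reach /etc/opensm; add files_search_etc(opensm_t) as the other daemon policies do.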


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2022-11-02 14:42 Kenton Groombridge
  0 siblings, 0 replies; 299+ messages in thread
From: Kenton Groombridge @ 2022-11-02 14:42 UTC (permalink / raw
  To: gentoo-commits

commit:     42804a679a2ca17bb67d9c0cb887202f95d105ee
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Mon Sep 26 21:00:18 2022 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Wed Nov  2 14:07:20 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=42804a67

glusterfs: add type for glusterd hooks

Add a private type for glusterd hooks in order to enforce W^X for them.

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/services/glusterfs.fc | 1 +
 policy/modules/services/glusterfs.if | 3 ++-
 policy/modules/services/glusterfs.te | 8 ++++++++
 3 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/policy/modules/services/glusterfs.fc b/policy/modules/services/glusterfs.fc
index 158a4a85e..50bd93604 100644
--- a/policy/modules/services/glusterfs.fc
+++ b/policy/modules/services/glusterfs.fc
@@ -12,6 +12,7 @@
 /opt/glusterfs/[^/]+/sbin/glusterfsd	--	gen_context(system_u:object_r:glusterd_exec_t,s0)
 
 /var/lib/gluster.*		gen_context(system_u:object_r:glusterd_var_lib_t,s0)
+/var/lib/glusterd/hooks(/.*)?		gen_context(system_u:object_r:glusterd_hook_t,s0)
 
 /var/log/glusterfs(/.*)?		gen_context(system_u:object_r:glusterd_log_t,s0)
 
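Review bot: the new /var/lib/glusterd/hooks(/.*)? line sits below the unanchored /var/lib/gluster.* entry, which also matches the hooks path; file context lookup prefers the more specific regex, so the hook label wins, but a short comment saying the override is intentional would stop someone from "fixing" the order later, and an existing hooks tree needs a restorecon before the new type takes effect.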

diff --git a/policy/modules/services/glusterfs.if b/policy/modules/services/glusterfs.if
index 5e6af0ecc..ab5c8a4da 100644
--- a/policy/modules/services/glusterfs.if
+++ b/policy/modules/services/glusterfs.if
@@ -105,7 +105,7 @@ interface(`glusterfs_admin',`
 	gen_require(`
 		type glusterd_t, glusterd_initrc_exec_t, glusterd_log_t;
 		type glusterd_tmp_t, glusterd_conf_t, glusterd_var_lib_t;
-		type glusterd_runtime_t, glusterd_brick_t;
+		type glusterd_hook_t, glusterd_runtime_t, glusterd_brick_t;
 	')
 
 	glusterfs_run_daemon($1, $2)
@@ -128,6 +128,7 @@ interface(`glusterfs_admin',`
 
 	files_search_var_lib($1)
 	admin_pattern($1, glusterd_var_lib_t)
+	admin_pattern($1, glusterd_hook_t)
 
 	files_search_runtime($1)
 	admin_pattern($1, glusterd_runtime_t)

diff --git a/policy/modules/services/glusterfs.te b/policy/modules/services/glusterfs.te
index 85a55ed5b..c46215be1 100644
--- a/policy/modules/services/glusterfs.te
+++ b/policy/modules/services/glusterfs.te
@@ -40,6 +40,9 @@ files_type(glusterd_var_lib_t)
 type glusterd_brick_t;
 files_type(glusterd_brick_t)
 
+type glusterd_hook_t;
+files_type(glusterd_hook_t)
+
 ########################################
 #
 # Local policy
@@ -77,6 +80,11 @@ manage_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
 manage_lnk_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
 files_var_lib_filetrans(glusterd_t, glusterd_var_lib_t, dir)
 
+list_dirs_pattern(glusterd_t, glusterd_hook_t, glusterd_hook_t)
+read_files_pattern(glusterd_t, glusterd_hook_t, glusterd_hook_t)
+read_lnk_files_pattern(glusterd_t, glusterd_hook_t, glusterd_hook_t)
+can_exec(glusterd_t, glusterd_hook_t)
+
 manage_dirs_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
 manage_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
 manage_chr_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)

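Review bot: list, read and execute with no write on glusterd_hook_t is the right shape for the W^X goal in the commit message, but note that glusterd_t has no create permission on the new type at all: if glusterd creates the hooks directory tree itself on first start, it will be created under /var/lib/glusterd as glusterd_var_lib_t (inheriting from the parent, with the manage rules and files_var_lib_filetrans above) and hooks placed there afterwards will be writable by the daemon until relabelled. Either add a named filetrans to glusterd_hook_t for the "hooks" directory with only dir create, or document that the hooks tree must be pre-created and labelled by packaging.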


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2022-12-13 20:55 Kenton Groombridge
  0 siblings, 0 replies; 299+ messages in thread
From: Kenton Groombridge @ 2022-12-13 20:55 UTC (permalink / raw
  To: gentoo-commits

commit:     d800e3e8f46a54c1ab5b041deaafbe090b168c83
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Wed Dec  7 14:45:49 2022 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Tue Dec 13 19:07:29 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d800e3e8

hddtemp: add missing rules for interactive usage

Add missing rules required for hddtemp admins to interactively run
hddtemp.

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/services/hddtemp.if | 29 +++++++++++++++++++++++++++++
 policy/modules/services/hddtemp.te |  4 ++++
 2 files changed, 33 insertions(+)

diff --git a/policy/modules/services/hddtemp.if b/policy/modules/services/hddtemp.if
index 269bafd18..2cecebd4e 100644
--- a/policy/modules/services/hddtemp.if
+++ b/policy/modules/services/hddtemp.if
@@ -19,6 +19,33 @@ interface(`hddtemp_domtrans',`
 	domtrans_pattern($1, hddtemp_exec_t, hddtemp_t)
 ')
 
+########################################
+## <summary>
+##	Execute hddtemp in the hddtemp domain, and
+##	allow the specified role the hdd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`hddtemp_run',`
+	gen_require(`
+		type hddtemp_t;
+	')
+
+	hddtemp_domtrans($1)
+	role $2 types hddtemp_t;
+')
+
+
 ######################################
 ## <summary>
 ##	Execute hddtemp in the caller domain.
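Review bot: the summary for hddtemp_run says "allow the specified role the hdd domain" where it should read "the hddtemp domain"; the interface body itself is correct. Also drop one of the two blank lines after the closing `')` of hddtemp_run so interfaces stay separated by a single blank line as elsewhere in this file.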
@@ -60,6 +87,8 @@ interface(`hddtemp_admin',`
 		type hddtemp_t, hddtemp_etc_t, hddtemp_initrc_exec_t;
 	')
 
+	hddtemp_run($1, $2)
+
 	allow $1 hddtemp_t:process { ptrace signal_perms };
 	ps_process_pattern($1, hddtemp_t)
 

diff --git a/policy/modules/services/hddtemp.te b/policy/modules/services/hddtemp.te
index 35361704b..9357031f9 100644
--- a/policy/modules/services/hddtemp.te
+++ b/policy/modules/services/hddtemp.te
@@ -34,6 +34,8 @@ corenet_tcp_bind_generic_node(hddtemp_t)
 corenet_tcp_bind_hddtemp_port(hddtemp_t)
 corenet_sendrecv_hddtemp_server_packets(hddtemp_t)
 
+domain_use_interactive_fds(hddtemp_t)
+
 files_search_etc(hddtemp_t)
 files_read_usr_files(hddtemp_t)
 
@@ -45,3 +47,5 @@ auth_use_nsswitch(hddtemp_t)
 logging_send_syslog_msg(hddtemp_t)
 
 miscfiles_read_localization(hddtemp_t)
+
+userdom_use_user_terminals(hddtemp_t)



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2022-12-13 20:55 Kenton Groombridge
  0 siblings, 0 replies; 299+ messages in thread
From: Kenton Groombridge @ 2022-12-13 20:55 UTC (permalink / raw
  To: gentoo-commits

commit:     c3c8df115b607376bebaa6401e8839475ee93c3c
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Wed Dec  7 14:53:58 2022 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Tue Dec 13 19:07:33 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c3c8df11

container: add rules required for metallb BGP speakers

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/services/container.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te
index 458e392d9..534d6f4c5 100644
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@@ -425,6 +425,8 @@ corenet_tcp_sendrecv_generic_node(container_net_domain)
 corenet_udp_sendrecv_generic_node(container_net_domain)
 corenet_tcp_bind_generic_node(container_net_domain)
 corenet_udp_bind_generic_node(container_net_domain)
+# for metallb BGP speakers
+corenet_raw_bind_generic_node(container_net_domain)
 
 corenet_sendrecv_all_server_packets(container_net_domain)
 corenet_tcp_bind_all_ports(container_net_domain)
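Review bot: corenet_raw_bind_generic_node is granted to the whole container_net_domain attribute, so every networked container, not only a metallb BGP speaker, may bind raw sockets; since the comment ties the rule to one workload, consider gating it behind a tunable or giving the speaker its own container domain. Combined with the all-ports bind rules directly below, raw socket bind materially widens the default network profile of any container that is compromised.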
@@ -456,6 +458,8 @@ files_read_kernel_modules(container_t)
 
 fs_mount_cgroup(container_t)
 fs_rw_cgroup_files(container_t)
+# for metallb BGP speakers
+fs_read_nsfs_files(container_t)
 
 kernel_read_vm_overcommit_sysctl(container_t)
 
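Review bot: fs_read_nsfs_files(container_t) likewise applies to all of container_t rather than the metallb workload named in the comment; the same tunable or dedicated-domain treatment as the raw-bind rule above would keep the default container profile tight. Not a blocker.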



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2022-12-13 20:55 Kenton Groombridge
  0 siblings, 0 replies; 299+ messages in thread
From: Kenton Groombridge @ 2022-12-13 20:55 UTC (permalink / raw
  To: gentoo-commits

commit:     0da05b608cbcb4f4545f5eade4b1c3a8269dc9a5
Author:     Dave Sugar <dsugar100 <AT> gmail <DOT> com>
AuthorDate: Wed Nov 23 13:17:41 2022 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Tue Dec 13 19:04:21 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0da05b60

rng-tools updated to 6.15 (on RHEL9) seeing the following denials:

node=localhost type=AVC msg=audit(1669206851.792:438): avc:  denied  { getattr } for  pid=1008 comm="rngd" path="/usr/share/crypto-policies/FIPS/opensslcnf.txt" dev="dm-0" ino=401368 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1669206851.792:439): avc:  denied  { read } for  pid=1008 comm="rngd" name="opensslcnf.config" dev="dm-0" ino=401368 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1669206851.792:439): avc:  denied  { open } for  pid=1008 comm="rngd" path="/usr/share/crypto-policies/FIPS/opensslcnf.txt" dev="dm-0" ino=401368 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1

rngd now drops privileges rather than having user/group set in .service file:
node=localhost type=AVC msg=audit(1669206851.856:440): avc:  denied  { setgid } for  pid=1008 comm="rngd" capability=6 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:system_r:rngd_t:s0 tclass=capability permissive=1
node=localhost type=AVC msg=audit(1669206851.881:441): avc:  denied  { setuid } for  pid=1008 comm="rngd" capability=7 scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:system_r:rngd_t:s0 tclass=capability permissive=1
node=localhost type=AVC msg=audit(1669206851.910:442): avc:  denied  { setcap } for  pid=1008 comm="rngd" scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:system_r:rngd_t:s0 tclass=process permissive=1

Signed-off-by: Dave Sugar <dsugar100 <AT> gmail.com>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/services/rngd.te | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/policy/modules/services/rngd.te b/policy/modules/services/rngd.te
index f33d6a401..d317520ee 100644
--- a/policy/modules/services/rngd.te
+++ b/policy/modules/services/rngd.te
@@ -20,8 +20,8 @@ files_runtime_file(rngd_runtime_t)
 # Local policy
 #
 
-allow rngd_t self:capability { ipc_lock sys_admin };
-allow rngd_t self:process { setsched getsched signal };
+allow rngd_t self:capability { ipc_lock setgid setuid sys_admin };
+allow rngd_t self:process { getsched setcap setsched signal };
 allow rngd_t self:fifo_file rw_fifo_file_perms;
 allow rngd_t self:unix_stream_socket { accept listen };
 
@@ -37,6 +37,7 @@ dev_rw_tpm(rngd_t)
 dev_write_rand(rngd_t)
 
 files_read_etc_files(rngd_t)
+files_read_usr_files(rngd_t)
 
 logging_send_syslog_msg(rngd_t)
 



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2022-12-13 20:55 Kenton Groombridge
  0 siblings, 0 replies; 299+ messages in thread
From: Kenton Groombridge @ 2022-12-13 20:55 UTC (permalink / raw
  To: gentoo-commits

commit:     cd933e49cc9a613b6145f236d324a79a669ea463
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Wed Dec  7 15:55:27 2022 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Tue Dec 13 19:07:43 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=cd933e49

postfix: allow postfix master to map data files

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/services/postfix.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
index 1a5c24517..c58b11e0b 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@@ -207,7 +207,7 @@ allow postfix_master_t postfix_etc_t:dir rw_dir_perms;
 allow postfix_master_t postfix_etc_t:file rw_file_perms;
 
 allow postfix_master_t postfix_data_t:dir manage_dir_perms;
-allow postfix_master_t postfix_data_t:file manage_file_perms;
+allow postfix_master_t postfix_data_t:file mmap_manage_file_perms;
 
 allow postfix_master_t postfix_keytab_t:file read_file_perms;
 



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2022-12-13 20:55 Kenton Groombridge
  0 siblings, 0 replies; 299+ messages in thread
From: Kenton Groombridge @ 2022-12-13 20:55 UTC (permalink / raw
  To: gentoo-commits

commit:     ca1a8970f1e7ae224de8001e460f232815eeb187
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Wed Dec  7 15:55:39 2022 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Tue Dec 13 19:07:44 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ca1a8970

sasl: add filecon for /etc/sasl2 keytab

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/services/sasl.fc | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/services/sasl.fc b/policy/modules/services/sasl.fc
index 06ee9710c..8165ee72a 100644
--- a/policy/modules/services/sasl.fc
+++ b/policy/modules/services/sasl.fc
@@ -1,5 +1,7 @@
 /etc/rc\.d/init\.d/sasl	--	gen_context(system_u:object_r:saslauthd_initrc_exec_t,s0)
 
+/etc/sasl2(/.*)?		gen_context(system_u:object_r:saslauthd_keytab_t,s0)
+
 /usr/bin/saslauthd	--	gen_context(system_u:object_r:saslauthd_exec_t,s0)
 
 /usr/sbin/saslauthd	--	gen_context(system_u:object_r:saslauthd_exec_t,s0)

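Review bot: /etc/sasl2(/.*)? labels the entire directory as saslauthd_keytab_t, but that directory is also where SASL application configuration such as /etc/sasl2/smtpd.conf lives; with this entry any domain that merely needs its SASL config must be granted the keytab type, and a type meant for secret key material ends up on plain config files. Either narrow the pattern to the keytab file name or introduce a separate config type for the directory.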


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2022-12-13 20:55 Kenton Groombridge
  0 siblings, 0 replies; 299+ messages in thread
From: Kenton Groombridge @ 2022-12-13 20:55 UTC (permalink / raw
  To: gentoo-commits

commit:     0e83470473b17ec633fe876ed2a99a9f1575e0a4
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Wed Dec  7 15:45:43 2022 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Tue Dec 13 19:07:39 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0e834704

podman: allow podman to stop systemd transient units

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/services/podman.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/services/podman.te b/policy/modules/services/podman.te
index 5cc13da70..3d16e64d1 100644
--- a/policy/modules/services/podman.te
+++ b/policy/modules/services/podman.te
@@ -69,6 +69,7 @@ ifdef(`init_systemd',`
 	# containers get created as systemd transient units
 	init_get_transient_units_status(podman_t)
 	init_start_transient_units(podman_t)
+	init_stop_transient_units(podman_t)
 
 	# podman can read logs from containers which are
 	# sent to the system journal
@@ -212,6 +213,7 @@ container_manage_engine_tmp_sock_files(podman_conmon_t)
 ifdef(`init_systemd',`
 	init_get_transient_units_status(podman_conmon_t)
 	init_start_transient_units(podman_conmon_t)
+	init_stop_transient_units(podman_conmon_t)
 	init_start_system(podman_conmon_t)
 	init_stop_system(podman_conmon_t)
 ')



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2022-12-13 20:55 Kenton Groombridge
  0 siblings, 0 replies; 299+ messages in thread
From: Kenton Groombridge @ 2022-12-13 20:55 UTC (permalink / raw
  To: gentoo-commits

commit:     add37312bb35e4b3c6a802074c75f3f94e2a9fc6
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Wed Dec  7 16:00:03 2022 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Tue Dec 13 19:07:48 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=add37312

postfix, sasl: allow postfix smtp daemon to read SASL keytab

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/services/postfix.te |  1 +
 policy/modules/services/sasl.if    | 19 +++++++++++++++++++
 2 files changed, 20 insertions(+)

diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
index e546e7e62..7b158e705 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@@ -839,6 +839,7 @@ optional_policy(`
 
 optional_policy(`
 	sasl_connect(postfix_smtpd_t)
+	sasl_read_keytab(postfix_smtpd_t)
 ')
 
 optional_policy(`

diff --git a/policy/modules/services/sasl.if b/policy/modules/services/sasl.if
index e1e15648f..87caf806e 100644
--- a/policy/modules/services/sasl.if
+++ b/policy/modules/services/sasl.if
@@ -19,6 +19,25 @@ interface(`sasl_connect',`
 	stream_connect_pattern($1, saslauthd_runtime_t, saslauthd_runtime_t, saslauthd_t)
 ')
 
+########################################
+## <summary>
+##	Read SASL keytab files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sasl_read_keytab',`
+	gen_require(`
+		type saslauthd_keytab_t;
+	')
+
+	files_search_etc($1)
+	read_files_pattern($1, saslauthd_keytab_t, saslauthd_keytab_t)
+')
+
 ########################################
 ## <summary>
 ##	All of the rules required to



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2022-12-13 20:55 Kenton Groombridge
  0 siblings, 0 replies; 299+ messages in thread
From: Kenton Groombridge @ 2022-12-13 20:55 UTC (permalink / raw
  To: gentoo-commits

commit:     c20ec6e6418b8d1d19736e3beef6080684eec3d5
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Wed Dec  7 15:49:39 2022 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Tue Dec 13 19:07:41 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c20ec6e6

container: allow container admins the sysadm capability in user namespaces

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/services/container.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/services/container.if b/policy/modules/services/container.if
index 55f8e4f3d..8fd3832fb 100644
--- a/policy/modules/services/container.if
+++ b/policy/modules/services/container.if
@@ -2518,7 +2518,7 @@ interface(`container_admin',`
 	allow $1 container_engine_domain:process { ptrace signal_perms };
 	ps_process_pattern($1, container_engine_domain)
 
-	allow $1 self:cap_userns { kill sys_ptrace };
+	allow $1 self:cap_userns { kill sys_ptrace sys_admin };
 
 	files_search_var_lib($1)
 	admin_pattern($1, container_var_lib_t)



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2023-02-13 15:35 Kenton Groombridge
  0 siblings, 0 replies; 299+ messages in thread
From: Kenton Groombridge @ 2023-02-13 15:35 UTC (permalink / raw
  To: gentoo-commits

commit:     deea45506e562694254d217047c39d0b7abdc893
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Fri Jan  6 14:58:09 2023 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Mon Feb 13 15:19:56 2023 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=deea4550

munin: Whitespace change.

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/services/munin.fc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/services/munin.fc b/policy/modules/services/munin.fc
index ac9100350..8773bd740 100644
--- a/policy/modules/services/munin.fc
+++ b/policy/modules/services/munin.fc
@@ -68,6 +68,7 @@
 
 /var/lib/munin(/.*)?	gen_context(system_u:object_r:munin_var_lib_t,s0)
 /var/lib/munin/plugin-state(/.*)?	gen_context(system_u:object_r:munin_plugin_state_t,s0)
+
 ifdef(`distro_gentoo',`
 /var/lib/munin-node(/.*)?	gen_context(system_u:object_r:munin_var_lib_t,s0)
 /var/lib/munin-node/plugin-state(/.*)?	gen_context(system_u:object_r:munin_plugin_state_t,s0)



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2023-02-13 15:35 Kenton Groombridge
  0 siblings, 0 replies; 299+ messages in thread
From: Kenton Groombridge @ 2023-02-13 15:35 UTC (permalink / raw
  To: gentoo-commits

commit:     962ff462a7346415433a829e84b9ef212466196f
Author:     Corentin LABBE <clabbe.montjoie <AT> gmail <DOT> com>
AuthorDate: Wed Dec 28 08:38:30 2022 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Mon Feb 13 15:19:55 2023 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=962ff462

munin: add fc for munin-node plugin state

Gentoo deploys munin-node plugin state in /var/lib/munin-node

Signed-off-by: Corentin LABBE <clabbe.montjoie <AT> gmail.com>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/services/munin.fc | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/services/munin.fc b/policy/modules/services/munin.fc
index c24f24c60..ac9100350 100644
--- a/policy/modules/services/munin.fc
+++ b/policy/modules/services/munin.fc
@@ -68,6 +68,10 @@
 
 /var/lib/munin(/.*)?	gen_context(system_u:object_r:munin_var_lib_t,s0)
 /var/lib/munin/plugin-state(/.*)?	gen_context(system_u:object_r:munin_plugin_state_t,s0)
+ifdef(`distro_gentoo',`
+/var/lib/munin-node(/.*)?	gen_context(system_u:object_r:munin_var_lib_t,s0)
+/var/lib/munin-node/plugin-state(/.*)?	gen_context(system_u:object_r:munin_plugin_state_t,s0)
+')
 
 /var/log/munin.*	gen_context(system_u:object_r:munin_log_t,s0)
 



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2023-02-13 15:35 Kenton Groombridge
  0 siblings, 0 replies; 299+ messages in thread
From: Kenton Groombridge @ 2023-02-13 15:35 UTC (permalink / raw
  To: gentoo-commits

commit:     f2c017c30c28288b218688c561a32d04931535e1
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Jan  4 19:32:19 2023 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Mon Feb 13 15:19:54 2023 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f2c017c3

munin: Move munin_rw_tcp_sockets() implementation.

No rule changes.

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/services/munin.if | 34 +++++++++++++++++-----------------
 1 file changed, 17 insertions(+), 17 deletions(-)

diff --git a/policy/modules/services/munin.if b/policy/modules/services/munin.if
index de654d4ea..b70f1ad91 100644
--- a/policy/modules/services/munin.if
+++ b/policy/modules/services/munin.if
@@ -41,6 +41,23 @@ template(`munin_plugin_template',`
 	files_tmp_filetrans($1_munin_plugin_t, $1_munin_plugin_tmp_t, { dir file })
 ')
 
+########################################
+## <summary>
+##	Permit to read/write Munin TCP sockets
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`munin_rw_tcp_sockets',`
+	gen_require(`
+		type munin_t;
+	')
+	allow $1 munin_t:tcp_socket rw_socket_perms;
+')
+
 ########################################
 ## <summary>
 ##	Connect to munin over a unix domain
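Review bot: since this block is being moved anyway, add the blank line between the gen_require `')` and the allow rule that the other interfaces in this file have (see munin_plugin_template directly above), and consider rewording the summary to the usual "Read and write Munin TCP sockets." form.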
@@ -189,20 +206,3 @@ interface(`munin_admin',`
 
 	admin_pattern($1, httpd_munin_content_t)
 ')
-
-########################################
-## <summary>
-##	Permit to read/write Munin TCP sockets
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`munin_rw_tcp_sockets',`
-	gen_require(`
-		type munin_t;
-	')
-	allow $1 munin_t:tcp_socket rw_socket_perms;
-')



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2023-02-13 15:35 Kenton Groombridge
  0 siblings, 0 replies; 299+ messages in thread
From: Kenton Groombridge @ 2023-02-13 15:35 UTC (permalink / raw
  To: gentoo-commits

commit:     c891d981f2fd465d682c8129865613927308c30e
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Fri Feb 10 18:30:56 2023 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Mon Feb 13 15:24:11 2023 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c891d981

container: add missing filetrans and filecon for containerd/docker

Add a missing file transition for the docker socket in /run as well as a
missing file context for /var/log/containerd.

Thanks-to: zen_desu
Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/services/container.fc | 1 +
 policy/modules/services/container.te | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/policy/modules/services/container.fc b/policy/modules/services/container.fc
index 29a02b1d3..056aa6023 100644
--- a/policy/modules/services/container.fc
+++ b/policy/modules/services/container.fc
@@ -100,6 +100,7 @@ HOME_DIR/\.docker(/.*)?		gen_context(system_u:object_r:container_conf_home_t,s0)
 /var/lib/etcd(/.*)?             gen_context(system_u:object_r:container_file_t,s0)
 /var/lib/kube-proxy(/.*)?		gen_context(system_u:object_r:container_file_t,s0)
 
+/var/log/containerd(/.*)?		gen_context(system_u:object_r:container_log_t,s0)
 /var/log/containers(/.*)?		gen_context(system_u:object_r:container_log_t,s0)
 /var/log/crio(/.*)?		gen_context(system_u:object_r:container_log_t,s0)
 /var/log/pods(/.*)?		gen_context(system_u:object_r:container_log_t,s0)

diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te
index 534d6f4c5..15d1e8c88 100644
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@@ -747,7 +747,7 @@ allow container_engine_system_domain container_runtime_t:file { manage_file_perm
 allow container_engine_system_domain container_runtime_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
 allow container_engine_system_domain container_runtime_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
 allow container_engine_system_domain container_runtime_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
-files_runtime_filetrans(container_engine_system_domain, container_runtime_t, { dir file })
+files_runtime_filetrans(container_engine_system_domain, container_runtime_t, { dir file sock_file })
 
 allow container_engine_system_domain container_engine_cache_t:dir manage_dir_perms;
 allow container_engine_system_domain container_engine_cache_t:file manage_file_perms;



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2023-02-13 15:35 Kenton Groombridge
  0 siblings, 0 replies; 299+ messages in thread
From: Kenton Groombridge @ 2023-02-13 15:35 UTC (permalink / raw
  To: gentoo-commits

commit:     a196620b5a540acc33ced5f9541974489bd30605
Author:     David Sommerseth <davids <AT> openvpn <DOT> net>
AuthorDate: Fri Jan 27 08:50:22 2023 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Mon Feb 13 15:24:07 2023 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a196620b

openvpn: Allow netlink genl

OpenVPN 2.6 can use an OpenVPN specific kernel module to handle the VPN
data channel.  The communication via userspace and kernel space happens
over a generic netlink interface.

Without this access, the following denials can be found in the logs:

  [...] denied  { create } for pid=... comm="openvpn" scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:system_r:openvpn_t:s0 tclass=netlink_generic_socket
  [...] denied  { setopt } for pid=... comm="openvpn" scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:system_r:openvpn_t:s0 tclass=netlink_generic_socket
  [...] denied  { bind } for pid=... comm="openvpn" scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:system_r:openvpn_t:s0 tclass=netlink_generic_socket
  [...] denied  { getattr } for pid=... comm="openvpn" scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:system_r:openvpn_t:s0 tclass=netlink_generic_socket

Signed-off-by: David Sommerseth <davids <AT> openvpn.net>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/services/openvpn.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te
index be3642ec6..e97730fbd 100644
--- a/policy/modules/services/openvpn.te
+++ b/policy/modules/services/openvpn.te
@@ -62,6 +62,7 @@ allow openvpn_t self:unix_stream_socket { accept connectto listen };
 allow openvpn_t self:tcp_socket server_stream_socket_perms;
 allow openvpn_t self:tun_socket { create_socket_perms relabelfrom relabelto };
 allow openvpn_t self:netlink_route_socket nlmsg_write;
+allow openvpn_t self:netlink_generic_socket create_socket_perms;
 
 allow openvpn_t openvpn_etc_t:dir list_dir_perms;
 allow openvpn_t openvpn_etc_t:file read_file_perms;
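Review bot: create_socket_perms grants more than the four permissions in the quoted denials (create, setopt, bind, getattr); that is the usual refpolicy grouping for a socket the domain owns, but the new rule carries no comment. A one-line comment above it noting that the generic netlink socket is for the OpenVPN 2.6 kernel data-channel module would keep the rationale next to the rule rather than only in the commit log.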



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2023-03-31 23:07 Kenton Groombridge
  0 siblings, 0 replies; 299+ messages in thread
From: Kenton Groombridge @ 2023-03-31 23:07 UTC
  To: gentoo-commits

commit:     940f87312855109a81014f446bd89c332fb3a883
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Sun Mar  5 23:03:34 2023 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Fri Mar 31 17:11:22 2023 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=940f8731

zfs: add runtime filetrans for dirs

Needed by zfs recv.

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/services/zfs.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/services/zfs.te b/policy/modules/services/zfs.te
index bba787136..ed1ae77ba 100644
--- a/policy/modules/services/zfs.te
+++ b/policy/modules/services/zfs.te
@@ -85,7 +85,7 @@ read_files_pattern(zfs_t, zfs_config_t, zfs_config_t)
 read_lnk_files_pattern(zfs_t, zfs_config_t, zfs_config_t)
 
 manage_files_pattern(zfs_t, zfs_runtime_t, zfs_runtime_t)
-files_runtime_filetrans(zfs_t, zfs_runtime_t, file)
+files_runtime_filetrans(zfs_t, zfs_runtime_t, { dir file })
 
 # to execute scripts in /usr/libexec/zfs
 corecmd_exec_bin(zfs_t)
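Review bot: the filetrans now covers dir, but the only zfs_runtime_t rule visible in this hunk is manage_files_pattern; creating a directory under /run also needs dir permissions on zfs_runtime_t, e.g. `manage_dirs_pattern(zfs_t, zfs_runtime_t, zfs_runtime_t)`. Confirm that rule exists elsewhere in zfs.te or add it alongside this change, otherwise zfs recv will still be denied on the mkdir.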



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2023-03-31 23:07 Kenton Groombridge
  0 siblings, 0 replies; 299+ messages in thread
From: Kenton Groombridge @ 2023-03-31 23:07 UTC
  To: gentoo-commits

commit:     78f22e0b8a1383ea39c7621a85f8172010b2a7fb
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Thu Mar  2 07:04:40 2023 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Fri Mar 31 17:11:22 2023 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=78f22e0b

zfs: allow sending signals to itself

Required for zfs snapshot.

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/services/zfs.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/services/zfs.te b/policy/modules/services/zfs.te
index ebe389e05..bba787136 100644
--- a/policy/modules/services/zfs.te
+++ b/policy/modules/services/zfs.te
@@ -76,7 +76,7 @@ zfs_rw_zpool_cache(zed_t)
 # zfs local policy
 #
 
-allow zfs_t self:process { getsched signull };
+allow zfs_t self:process { getsched signal signull };
 allow zfs_t self:capability { sys_admin sys_rawio };
 allow zfs_t self:fifo_file rw_fifo_file_perms;
 



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2023-03-31 23:07 Kenton Groombridge
  0 siblings, 0 replies; 299+ messages in thread
From: Kenton Groombridge @ 2023-03-31 23:07 UTC
  To: gentoo-commits

commit:     87862dc56b934bf6ffc76a8a4864bb919cd7542c
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Wed Mar  8 18:19:36 2023 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Fri Mar 31 17:11:32 2023 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=87862dc5

kubernetes: allow kubelet to read etc runtime files

To read /etc/machine-id.

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/services/kubernetes.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/services/kubernetes.te b/policy/modules/services/kubernetes.te
index b89ffb1bc..e9d8fcdd2 100644
--- a/policy/modules/services/kubernetes.te
+++ b/policy/modules/services/kubernetes.te
@@ -240,6 +240,8 @@ files_search_mnt(kubelet_t)
 files_read_kernel_symbol_table(kubelet_t)
 # read /usr/share/mime/globs2
 files_read_usr_files(kubelet_t)
+# read /etc/machine-id
+files_read_etc_runtime_files(kubelet_t)
 
 fs_getattr_tmpfs(kubelet_t)
 fs_search_tmpfs(kubelet_t)
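Review bot: files_read_etc_runtime_files grants read access to all etc_runtime_t content, not only /etc/machine-id, so the grant is broader than the stated need; the `# read /etc/machine-id` comment is the right way to record that, and it should stay if the rule is ever revisited.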



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2023-03-31 23:07 Kenton Groombridge
  0 siblings, 0 replies; 299+ messages in thread
From: Kenton Groombridge @ 2023-03-31 23:07 UTC
  To: gentoo-commits

commit:     396ba1dae4fa1576c1c9ab3e10a4d3bbae2fe990
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Tue Mar  7 01:21:54 2023 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Fri Mar 31 17:11:32 2023 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=396ba1da

glusterfs: allow glusterd to bind to all TCP unreserved ports

Port 32767 seems to be needed by glfs_timer

type=SYSCALL msg=audit(1678151692.991:193): arch=c000003e syscall=49 success=no exit=-13 a0=7 a1=43bc7241350 a2=10 a3=3968 items=0 ppid=1 pid=2401 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="glfs_timer" exe="/usr/bin/glusterfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1678151692.991:193): avc:  denied  { name_bind } for pid=2401 comm="glfs_timer" src=32767 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/services/glusterfs.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/services/glusterfs.te b/policy/modules/services/glusterfs.te
index d9c77d384..fe80b732a 100644
--- a/policy/modules/services/glusterfs.te
+++ b/policy/modules/services/glusterfs.te
@@ -108,6 +108,7 @@ corenet_tcp_connect_glusterd_port(glusterd_t)
 # Too coarse?
 corenet_sendrecv_all_server_packets(glusterd_t)
 corenet_tcp_bind_all_reserved_ports(glusterd_t)
+corenet_tcp_bind_all_unreserved_ports(glusterd_t)
 corenet_udp_bind_all_rpc_ports(glusterd_t)
 corenet_udp_bind_ipp_port(glusterd_t)
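Review bot: corenet_tcp_bind_all_unreserved_ports is a very broad grant for what the commit message describes as one port (src=32767 in the quoted AVC), and the `# Too coarse?` comment above this block already flags the same concern for the reserved-port rule. Either document why glfs_timer needs an arbitrary unreserved port, or check whether that port can be pinned to a defined port type so a narrower bind interface can be used.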
 



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2023-10-06 16:44 Kenton Groombridge
  0 siblings, 0 replies; 299+ messages in thread
From: Kenton Groombridge @ 2023-10-06 16:44 UTC
  To: gentoo-commits

commit:     98ebbf0f2916e7541905c03eef89330b51c9ff97
Author:     Russell Coker <russell <AT> coker <DOT> com <DOT> au>
AuthorDate: Thu Sep 21 16:01:24 2023 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Fri Oct  6 15:27:06 2023 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=98ebbf0f

policy patches for anti-spam daemons (#698)

* Patches for anti-spam related policy

* Added a separate tunable for execmem, can be enabled for people who need it
which means Debian rspam users and some of the less common SpamAssassin
configurations

Signed-off-by: Russell Coker <russell <AT> coker.com.au>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/services/clamav.te       |  5 ++--
 policy/modules/services/dkim.fc         |  1 +
 policy/modules/services/dkim.te         |  2 +-
 policy/modules/services/milter.fc       |  2 ++
 policy/modules/services/milter.te       | 41 +++++++++++++++++++++++++++++++++
 policy/modules/services/spamassassin.te | 16 ++++++++++++-
 6 files changed, 63 insertions(+), 4 deletions(-)

diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te
index c171fd7dc..a9476a561 100644
--- a/policy/modules/services/clamav.te
+++ b/policy/modules/services/clamav.te
@@ -75,7 +75,7 @@ logging_log_file(freshclam_var_log_t)
 
 allow clamd_t self:capability { chown fowner fsetid kill setgid setuid dac_override };
 dontaudit clamd_t self:capability sys_tty_config;
-allow clamd_t self:process signal;
+allow clamd_t self:process { signal getsched };
 allow clamd_t self:fifo_file rw_fifo_file_perms;
 allow clamd_t self:unix_stream_socket { accept connectto listen };
 allow clamd_t self:tcp_socket { listen accept };
@@ -174,7 +174,7 @@ optional_policy(`
 # Freshclam local policy
 #
 
-allow freshclam_t self:capability { dac_override setgid setuid };
+allow freshclam_t self:capability { chown dac_override setgid setuid };
 allow freshclam_t self:fifo_file rw_fifo_file_perms;
 allow freshclam_t self:unix_stream_socket { accept listen };
 allow freshclam_t self:tcp_socket { accept listen };
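Review bot: the new chown capability has no comment saying which files freshclam changes ownership of; refpolicy convention is to note the trigger above a capability rule so it can be re-evaluated later, so add a short comment naming the file or operation that produced the denial.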
@@ -225,6 +225,7 @@ dev_read_urand(freshclam_t)
 domain_use_interactive_fds(freshclam_t)
 
 files_read_etc_runtime_files(freshclam_t)
+files_read_usr_files(freshclam_t)
 files_search_var_lib(freshclam_t)
 
 auth_use_nsswitch(freshclam_t)

diff --git a/policy/modules/services/dkim.fc b/policy/modules/services/dkim.fc
index 08b652630..0b269c0af 100644
--- a/policy/modules/services/dkim.fc
+++ b/policy/modules/services/dkim.fc
@@ -1,4 +1,5 @@
 /etc/opendkim/keys(/.*)?				gen_context(system_u:object_r:dkim_milter_private_key_t,s0)
+/etc/dkimkeys(/.*)?					gen_context(system_u:object_r:dkim_milter_private_key_t,s0)
 
 /etc/rc\.d/init\.d/((opendkim)|(dkim-milter))	--	gen_context(system_u:object_r:dkim_milter_initrc_exec_t,s0)
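Review bot: the new /etc/dkimkeys entry is appended below /etc/opendkim/keys, which breaks the alphabetical ordering .fc files keep; move it above the /etc/opendkim line. The regex and the dkim_milter_private_key_t label mirror the existing entry, so the labeling itself is consistent.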
 

diff --git a/policy/modules/services/dkim.te b/policy/modules/services/dkim.te
index 32468194b..e960818da 100644
--- a/policy/modules/services/dkim.te
+++ b/policy/modules/services/dkim.te
@@ -24,7 +24,7 @@ init_daemon_runtime_file(dkim_milter_data_t, dir, "opendkim")
 #
 
 allow dkim_milter_t self:capability { dac_read_search dac_override setgid setuid };
-allow dkim_milter_t self:process { signal signull };
+allow dkim_milter_t self:process { signal signull getsched };
 allow dkim_milter_t self:unix_stream_socket create_stream_socket_perms;
 
 read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t)

diff --git a/policy/modules/services/milter.fc b/policy/modules/services/milter.fc
index 42fe5e941..71b168061 100644
--- a/policy/modules/services/milter.fc
+++ b/policy/modules/services/milter.fc
@@ -8,6 +8,7 @@
 /usr/sbin/milter-greylist	--	gen_context(system_u:object_r:greylist_milter_exec_t,s0)
 /usr/sbin/sqlgrey		--	gen_context(system_u:object_r:greylist_milter_exec_t,s0)
 /usr/sbin/milter-regex		--	gen_context(system_u:object_r:regex_milter_exec_t,s0)
+/usr/sbin/postfwd.*		--	gen_context(system_u:object_r:postfwd_milter_exec_t,s0)
 /usr/sbin/spamass-milter	--	gen_context(system_u:object_r:spamass_milter_exec_t,s0)
 
 /var/lib/milter-greylist(/.*)?		gen_context(system_u:object_r:greylist_milter_data_t,s0)
@@ -16,6 +17,7 @@
 
 /run/milter-greylist(/.*)?		gen_context(system_u:object_r:greylist_milter_data_t,s0)
 /run/milter-greylist\.pid	--	gen_context(system_u:object_r:greylist_milter_data_t,s0)
+/run/postfwd\.pid		--	gen_context(system_u:object_r:postfwd_milter_runtime_t,s0)
 /run/spamass(/.*)?			gen_context(system_u:object_r:spamass_milter_data_t,s0)
 /run/sqlgrey\.pid		--	gen_context(system_u:object_r:greylist_milter_data_t,s0)
 /run/spamass-milter(/.*)?		gen_context(system_u:object_r:spamass_milter_data_t,s0)
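Review bot: the postfwd pid file is labeled with its own postfwd_milter_runtime_t, while the neighbouring entries (milter-greylist, sqlgrey, spamass-milter) label their pid files with the milter's *_data_t type. This matches the type declared in milter.te, but it departs from the file's convention and deserves a comment, or the pid file should use postfwd_milter_data_t like the others.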

diff --git a/policy/modules/services/milter.te b/policy/modules/services/milter.te
index a8a7c1f29..01e45842c 100644
--- a/policy/modules/services/milter.te
+++ b/policy/modules/services/milter.te
@@ -9,9 +9,16 @@ attribute milter_domains;
 attribute milter_data_type;
 
 milter_template(greylist)
+milter_template(postfwd)
 milter_template(regex)
 milter_template(spamass)
 
+type postfwd_milter_runtime_t;
+files_runtime_file(postfwd_milter_runtime_t)
+
+type postfwd_milter_tmp_t;
+files_tmp_file(postfwd_milter_tmp_t)
+
 type spamass_milter_initrc_exec_t;
 init_script_file(spamass_milter_initrc_exec_t)
 
@@ -74,6 +81,40 @@ optional_policy(`
 	mysql_stream_connect(greylist_milter_t)
 ')
 
+########################################
+#
+# postfwd local policy
+#
+
+allow postfwd_milter_t self:process { signal signull };
+allow postfwd_milter_t self:capability { chown dac_override dac_read_search kill setgid setuid };
+allow postfwd_milter_t self:unix_stream_socket connectto;
+
+files_runtime_filetrans(postfwd_milter_t, postfwd_milter_runtime_t, file, "postfwd.pid")
+allow postfwd_milter_t postfwd_milter_runtime_t:file manage_file_perms;
+
+allow postfwd_milter_t postfwd_milter_tmp_t:sock_file manage_sock_file_perms;
+allow postfwd_milter_t postfwd_milter_tmp_t:file manage_file_perms;
+files_tmp_filetrans(postfwd_milter_t, postfwd_milter_tmp_t, { file sock_file })
+
+kernel_read_kernel_sysctls(postfwd_milter_t)
+
+corecmd_exec_bin(postfwd_milter_t)
+corecmd_exec_shell(postfwd_milter_t)
+corecmd_mmap_bin_files(postfwd_milter_t)
+corenet_tcp_bind_all_unreserved_ports(postfwd_milter_t)
+corenet_tcp_connect_all_unreserved_ports(postfwd_milter_t)
+
+dev_read_urand(postfwd_milter_t)
+
+files_read_usr_files(postfwd_milter_t)
+files_read_usr_symlinks(postfwd_milter_t)
+files_search_tmp(postfwd_milter_t)
+
+optional_policy(`
+	postfix_read_config(postfwd_milter_t)
+')
+
 ########################################
 #
 # regex local policy
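Review bot: corenet_tcp_bind_all_unreserved_ports together with corenet_tcp_connect_all_unreserved_ports lets postfwd_milter_t listen on and connect to any unreserved TCP port; a policy daemon normally listens on one configured port, so a dedicated port type, or at least a comment stating why the full range is needed, would be preferable. Binding also requires node permission, so confirm milter_template already provides corenet_tcp_bind_generic_node for the new domain, otherwise add it. The capability line (chown dac_override dac_read_search kill setgid setuid) carries no comments explaining what triggers each one.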

diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te
index ac3c340f6..1d28b3069 100644
--- a/policy/modules/services/spamassassin.te
+++ b/policy/modules/services/spamassassin.te
@@ -39,6 +39,14 @@ gen_tunable(spamassassin_network_update, true)
 ## </desc>
 gen_tunable(rspamd_spamd, false)
 
+## <desc>
+##	<p>
+##	Determine whether execmem should be allowed
+##	Needed if LUA JIT is enabled for rspamd
+##	</p>
+## </desc>
+gen_tunable(spamd_execmem, false)
+
 attribute_role spamd_update_roles;
 
 type spamassassin_t;
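Review bot: the tunable description reads as two fragments without punctuation ("Determine whether execmem should be allowed" / "Needed if LUA JIT is enabled for rspamd"); make it two sentences, e.g. `Determine whether spamd may use execmem. Needed if LuaJIT is enabled for rspamd.`, and since execmem weakens the W^X protection of a daemon that parses untrusted mail, say so in the description so administrators can weigh enabling it.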
@@ -415,10 +423,16 @@ tunable_policy(`spamd_enable_home_dirs',`
 	userdom_manage_user_home_content_symlinks(spamd_t)
 ')
 
+tunable_policy(`spamd_execmem',`
+	allow spamd_t self:process execmem;
+')
+
 tunable_policy(`rspamd_spamd',`
 	allow spamd_t self:process setrlimit;
 	allow spamc_t self:process setrlimit;
 
+	kernel_read_network_state(spamd_t)
+
 	list_dirs_pattern(spamd_t, spamd_etc_t, spamd_etc_t)
 	mmap_read_files_pattern(spamd_t, spamd_etc_t, spamd_etc_t)
 	allow spamd_t spamd_etc_t:dir watch;
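Review bot: kernel_read_network_state(spamd_t) is added inside the rspamd_spamd block with no comment on what rspamd reads from /proc/net; the surrounding lines are self-explanatory, this one is not, so note the reason above it. Keeping the spamd_execmem tunable off by default is the right choice.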
@@ -427,7 +441,7 @@ tunable_policy(`rspamd_spamd',`
 	allow spamd_t spamd_var_lib_t:dir watch;
 	filetrans_pattern(spamd_t, spamd_var_lib_t, spamd_runtime_t, sock_file)
 
-	search_dirs_pattern(spamd_t, spamd_log_t, spamd_log_t)
+	allow spamd_t spamd_log_t:dir rw_dir_perms;
 
 	fs_search_tmpfs(spamd_t)
 	manage_dirs_pattern(spamd_t, spamd_tmpfs_t, spamd_tmpfs_t)
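Review bot: replacing search_dirs_pattern with rw_dir_perms lets spamd_t add and remove names in spamd_log_t directories, but no rule in this hunk grants spamd_t create or write on spamd_log_t:file; files created there inherit spamd_log_t from the directory, so the missing piece would be the file permissions. Confirm they exist in the rspamd_spamd block, otherwise the directory permission is unused.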



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2023-10-06 16:44 Kenton Groombridge
  0 siblings, 0 replies; 299+ messages in thread
From: Kenton Groombridge @ 2023-10-06 16:44 UTC
  To: gentoo-commits

commit:     e17a5ea822384af3d15da14be3bc593037950d21
Author:     Russell Coker <russell <AT> coker <DOT> com <DOT> au>
AuthorDate: Fri Sep 22 09:09:12 2023 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Fri Oct  6 15:27:06 2023 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e17a5ea8

Added tmpfs file type for postgresql. Small mysql stuff including anon_inode

Signed-off-by: Russell Coker <russell <AT> coker.com.au>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/services/mysql.te      | 4 +++-
 policy/modules/services/postgresql.te | 9 ++++++++-
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te
index 2e7621471..4d1124bbf 100644
--- a/policy/modules/services/mysql.te
+++ b/policy/modules/services/mysql.te
@@ -67,11 +67,12 @@ files_runtime_file(mysqlmanagerd_runtime_t)
 
 allow mysqld_t self:capability { dac_override dac_read_search ipc_lock setgid setuid sys_resource };
 dontaudit mysqld_t self:capability sys_tty_config;
-allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh };
+allow mysqld_t self:process { getcap setsched getsched setrlimit signal_perms rlimitinh };
 allow mysqld_t self:fifo_file rw_fifo_file_perms;
 allow mysqld_t self:shm create_shm_perms;
 allow mysqld_t self:unix_stream_socket { connectto accept listen };
 allow mysqld_t self:tcp_socket { accept listen };
+allow mysqld_t self:anon_inode { create map read write };
 
 manage_dirs_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
 mmap_manage_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
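Review bot: `allow mysqld_t self:anon_inode { create map read write };` covers every anonymous inode class (io_uring, memfd and others) and has no comment on which one mysqld actually uses; the commit message says only "including anon_inode". Anonymous-inode denials report the anonclass name (the bind commit in this series quotes `anonclass=[io_uring]`), so record it in a comment so the rule can be narrowed later.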
@@ -191,6 +192,7 @@ dev_read_sysfs(mysqld_safe_t)
 
 domain_read_all_domains_state(mysqld_safe_t)
 
+files_dontaudit_write_root_dirs(mysqld_safe_t)
 files_read_etc_files(mysqld_safe_t)
 files_read_usr_files(mysqld_safe_t)
 files_search_runtime(mysqld_safe_t)

diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
index 1b2d8ab0d..11b3936b0 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -65,6 +65,9 @@ init_daemon_runtime_file(postgresql_runtime_t, dir, "postgresql")
 type postgresql_tmp_t;
 files_tmp_file(postgresql_tmp_t)
 
+type postgresql_tmpfs_t;
+files_tmpfs_file(postgresql_tmpfs_t)
+
 type postgresql_unit_t;
 init_unit_file(postgresql_unit_t)
 
@@ -282,7 +285,10 @@ manage_lnk_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t)
 manage_fifo_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t)
 manage_sock_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t)
 files_tmp_filetrans(postgresql_t, postgresql_tmp_t, { dir file sock_file })
-fs_tmpfs_filetrans(postgresql_t, postgresql_tmp_t, { dir file lnk_file sock_file fifo_file })
+fs_tmpfs_filetrans(postgresql_t, postgresql_tmp_t, { dir lnk_file sock_file fifo_file })
+fs_tmpfs_filetrans(postgresql_t, postgresql_tmpfs_t, { file })
+allow postgresql_t postgresql_tmpfs_t:file map;
+manage_files_pattern(postgresql_t, postgresql_tmpfs_t, postgresql_tmpfs_t)
 
 manage_dirs_pattern(postgresql_t, postgresql_runtime_t, postgresql_runtime_t)
 manage_files_pattern(postgresql_t, postgresql_runtime_t, postgresql_runtime_t)
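Review bot: the new fs_tmpfs_filetrans for postgresql_tmpfs_t sits before the type's allow rules, unlike the tmp_t block above where the filetrans follows the manage_*_pattern lines; move it after `manage_files_pattern(postgresql_t, postgresql_tmpfs_t, postgresql_tmpfs_t)` (the follow-up "postgresql: Move lines" commit does exactly this). The braces in `{ file }` are unnecessary for a single class. The map permission on tmpfs files is expected for shared memory use.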
@@ -342,6 +348,7 @@ init_read_utmp(postgresql_t)
 logging_send_syslog_msg(postgresql_t)
 logging_send_audit_msgs(postgresql_t)
 
+miscfiles_read_generic_tls_privkey(postgresql_t)
 miscfiles_read_localization(postgresql_t)
 
 seutil_libselinux_linked(postgresql_t)
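Review bot: miscfiles_read_generic_tls_privkey gives postgresql_t read access to every generic TLS private key on the system, not only its own, and neither the commit message nor a comment mentions it. Consider a postgresql-specific key type, or at least a comment explaining the deployment that needs a generic key, so the grant is not silently inherited by future readers.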



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2023-10-06 16:44 Kenton Groombridge
  0 siblings, 0 replies; 299+ messages in thread
From: Kenton Groombridge @ 2023-10-06 16:44 UTC
  To: gentoo-commits

commit:     d7890fb6d1c7bfd1c75d454d457b5fcdc869efe1
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Tue Sep 26 13:43:40 2023 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Fri Oct  6 15:30:09 2023 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d7890fb6

postgresql: Move lines

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/services/postgresql.te | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
index 11b3936b0..810fb0ed4 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -286,9 +286,10 @@ manage_fifo_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t)
 manage_sock_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t)
 files_tmp_filetrans(postgresql_t, postgresql_tmp_t, { dir file sock_file })
 fs_tmpfs_filetrans(postgresql_t, postgresql_tmp_t, { dir lnk_file sock_file fifo_file })
-fs_tmpfs_filetrans(postgresql_t, postgresql_tmpfs_t, { file })
+
 allow postgresql_t postgresql_tmpfs_t:file map;
 manage_files_pattern(postgresql_t, postgresql_tmpfs_t, postgresql_tmpfs_t)
+fs_tmpfs_filetrans(postgresql_t, postgresql_tmpfs_t, { file })
 
 manage_dirs_pattern(postgresql_t, postgresql_runtime_t, postgresql_runtime_t)
 manage_files_pattern(postgresql_t, postgresql_runtime_t, postgresql_runtime_t)



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2023-10-06 16:44 Kenton Groombridge
  0 siblings, 0 replies; 299+ messages in thread
From: Kenton Groombridge @ 2023-10-06 16:44 UTC
  To: gentoo-commits

commit:     c476335905f6b809c1f4ba083b071fab067aa1e5
Author:     Russell Coker <russell <AT> coker <DOT> com <DOT> au>
AuthorDate: Tue Sep 26 13:48:31 2023 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Fri Oct  6 15:30:09 2023 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c4763359

allow jabbers to create sock file and allow matrixd to read sysfs (#705)

* Allow jabberd_domain to create sockets in its var/lib dir
Allow matrixd_t to read sysfs

Signed-off-by: Russell Coker <russell <AT> coker.com.au>

* Changed to manage_sock_file_perms to allow unlink

Signed-off-by: Russell Coker <russell <AT> coker.com.au>

---------

Signed-off-by: Russell Coker <russell <AT> coker.com.au>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/services/jabber.te  | 1 +
 policy/modules/services/matrixd.te | 1 +
 2 files changed, 2 insertions(+)

diff --git a/policy/modules/services/jabber.te b/policy/modules/services/jabber.te
index 6003cc9fb..6c8e45de5 100644
--- a/policy/modules/services/jabber.te
+++ b/policy/modules/services/jabber.te
@@ -39,6 +39,7 @@ allow jabberd_domain self:tcp_socket { accept listen };
 
 manage_files_pattern(jabberd_domain, jabberd_var_lib_t, jabberd_var_lib_t)
 allow jabberd_domain jabberd_var_lib_t:dir manage_dir_perms;
+allow jabberd_domain jabberd_var_lib_t:sock_file manage_sock_file_perms;
 
 kernel_read_system_state(jabberd_domain)
 

diff --git a/policy/modules/services/matrixd.te b/policy/modules/services/matrixd.te
index 4ac31d901..c396a3d7c 100644
--- a/policy/modules/services/matrixd.te
+++ b/policy/modules/services/matrixd.te
@@ -83,6 +83,7 @@ corenet_udp_bind_generic_node(matrixd_t)
 corenet_udp_bind_generic_port(matrixd_t)
 corenet_udp_bind_reserved_port(matrixd_t)
 
+dev_read_sysfs(matrixd_t)
 dev_read_urand(matrixd_t)
 
 files_read_etc_files(matrixd_t)



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2023-10-06 16:44 Kenton Groombridge
  0 siblings, 0 replies; 299+ messages in thread
From: Kenton Groombridge @ 2023-10-06 16:44 UTC
  To: gentoo-commits

commit:     f9bb068485de922f97495d4795c3cc475cdb32e7
Author:     Yi Zhao <yi.zhao <AT> windriver <DOT> com>
AuthorDate: Mon Oct  2 08:05:49 2023 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Fri Oct  6 15:31:45 2023 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f9bb0684

bind: fix for named service

Fixes:
avc:  denied  { sqpoll } for  pid=373 comm="named"
scontext=system_u:system_r:named_t:s0-s15:c0.c1023
tcontext=system_u:system_r:named_t:s0-s15:c0.c1023 tclass=io_uring
permissive=0

avc:  denied  { create } for  pid=373 comm="named" anonclass=[io_uring]
scontext=system_u:system_r:named_t:s0-s15:c0.c1023
tcontext=system_u:object_r:named_t:s0 tclass=anon_inode permissive=0

Signed-off-by: Yi Zhao <yi.zhao <AT> windriver.com>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/services/bind.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te
index 0a08be452..37f2fdd1f 100644
--- a/policy/modules/services/bind.te
+++ b/policy/modules/services/bind.te
@@ -80,6 +80,8 @@ allow named_t self:process { setsched getsched getcap setcap setrlimit signal_pe
 allow named_t self:fifo_file rw_fifo_file_perms;
 allow named_t self:unix_stream_socket { accept listen };
 allow named_t self:tcp_socket { accept listen };
+allow named_t self:anon_inode { create map read write };
+allow named_t self:io_uring sqpoll;
 
 manage_files_pattern(named_t, dnssec_t, dnssec_t)
 filetrans_pattern(named_t, named_conf_t, dnssec_t, dir, "cache")
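Review bot: io_uring sqpoll lets named request a kernel submission-queue polling thread, and anon_inode { create map read write } is granted for all anonymous inode classes although the quoted denial names only `anonclass=[io_uring]`. A comment tying both rules to io_uring would help, and a named anon_inode type_transition for "[io_uring]" to a dedicated type is worth considering so the broad self:anon_inode rule can be avoided.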



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2023-10-06 16:44 Kenton Groombridge
  0 siblings, 0 replies; 299+ messages in thread
From: Kenton Groombridge @ 2023-10-06 16:44 UTC
  To: gentoo-commits

commit:     0d4b9fb48fc13aa0e545fdc17905a1060db3c5ef
Author:     Russell Coker <russell <AT> coker <DOT> com <DOT> au>
AuthorDate: Thu Sep 28 13:57:18 2023 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Fri Oct  6 15:31:45 2023 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0d4b9fb4

misc small email changes (#704)

* Small changes to courier, dovecot, exim, postfix, and sendmail policy.

Signed-off-by: Russell Coker <russell <AT> coker.com.au>

* Removed an obsolete patch

Signed-off-by: Russell Coker <russell <AT> coker.com.au>

* Added interfaces cron_rw_inherited_tmp_files and systemd_dontaudit_connect_machined

Signed-off-by: Russell Coker <russell <AT> coker.com.au>

* Use create_stream_socket_perms for unix connection to itself

Signed-off-by: Russell Coker <russell <AT> coker.com.au>

* Removed unconfined_run_to

Signed-off-by: Russell Coker <russell <AT> coker.com.au>

* Remove change for it to run from a user session

Signed-off-by: Russell Coker <russell <AT> coker.com.au>

* Changed userdom_use_user_ttys to userdom_use_inherited_user_terminals and
moved it out of the postfix section

Signed-off-by: Russell Coker <russell <AT> coker.com.au>

---------

Signed-off-by: Russell Coker <russell <AT> coker.com.au>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/services/courier.fc  |  4 ++--
 policy/modules/services/courier.te  | 21 +++++++++++++++++++--
 policy/modules/services/dovecot.te  |  3 +++
 policy/modules/services/exim.te     |  3 ++-
 policy/modules/services/mta.if      |  1 +
 policy/modules/services/mta.te      | 32 ++++++++++++++++++++++++++++++++
 policy/modules/services/postfix.if  |  3 +++
 policy/modules/services/postfix.te  |  4 ++++
 policy/modules/services/sendmail.te |  4 ++++
 9 files changed, 70 insertions(+), 5 deletions(-)

diff --git a/policy/modules/services/courier.fc b/policy/modules/services/courier.fc
index 0f56d60d8..28594264f 100644
--- a/policy/modules/services/courier.fc
+++ b/policy/modules/services/courier.fc
@@ -23,8 +23,8 @@
 /usr/lib/courier/courier/courierpop.*	--	gen_context(system_u:object_r:courier_pop_exec_t,s0)
 /usr/lib/courier/courier/imaplogin	--	gen_context(system_u:object_r:courier_pop_exec_t,s0)
 /usr/lib/courier/courier/pcpd	--	gen_context(system_u:object_r:courier_pcp_exec_t,s0)
-/usr/lib/courier/imapd	--	gen_context(system_u:object_r:courier_pop_exec_t,s0)
-/usr/lib/courier/pop3d	--	gen_context(system_u:object_r:courier_pop_exec_t,s0)
+/usr/lib/courier/imapd.*	--	gen_context(system_u:object_r:courier_pop_exec_t,s0)
+/usr/lib/courier/pop3d.*	--	gen_context(system_u:object_r:courier_pop_exec_t,s0)
 /usr/lib/courier/rootcerts(/.*)?	gen_context(system_u:object_r:courier_etc_t,s0)
 /usr/lib/courier/sqwebmail/cleancache\.pl	--	gen_context(system_u:object_r:courier_sqwebmail_exec_t,s0)
 /usr/lib/courier-imap/couriertcpd	--	gen_context(system_u:object_r:courier_tcpd_exec_t,s0)

diff --git a/policy/modules/services/courier.te b/policy/modules/services/courier.te
index 00ca1db6e..b5fa0c163 100644
--- a/policy/modules/services/courier.te
+++ b/policy/modules/services/courier.te
@@ -96,6 +96,8 @@ allow courier_authdaemon_t courier_tcpd_t:unix_stream_socket rw_stream_socket_pe
 
 can_exec(courier_authdaemon_t, courier_exec_t)
 
+kernel_getattr_proc(courier_authdaemon_t)
+
 corecmd_exec_shell(courier_authdaemon_t)
 
 domtrans_pattern(courier_authdaemon_t, courier_pop_exec_t, courier_pop_t)
@@ -112,6 +114,7 @@ libs_read_lib_files(courier_authdaemon_t)
 miscfiles_read_localization(courier_authdaemon_t)
 
 selinux_getattr_fs(courier_authdaemon_t)
+seutil_search_default_contexts(courier_authdaemon_t)
 
 userdom_dontaudit_search_user_home_dirs(courier_authdaemon_t)
 
@@ -129,20 +132,34 @@ dev_read_rand(courier_pcp_t)
 # POP3/IMAP local policy
 #
 
-allow courier_pop_t self:capability { setgid setuid };
+allow courier_pop_t self:capability { chown dac_read_search fowner setgid setuid };
+dontaudit courier_pop_t self:capability fsetid;
+allow courier_pop_t self:unix_stream_socket create_stream_socket_perms;
+allow courier_pop_t self:process setrlimit;
+
 allow courier_pop_t courier_authdaemon_t:tcp_socket rw_stream_socket_perms;
 allow courier_pop_t courier_authdaemon_t:process sigchld;
 
 allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms;
 
-allow courier_pop_t courier_var_lib_t:file rw_inherited_file_perms;
+allow courier_pop_t courier_var_lib_t:dir rw_dir_perms;
+allow courier_pop_t courier_var_lib_t:file manage_file_perms;
 
+allow courier_pop_t courier_etc_t:file map;
+
+can_exec(courier_pop_t, courier_exec_t)
+can_exec(courier_pop_t, courier_tcpd_exec_t)
 stream_connect_pattern(courier_pop_t, courier_var_lib_t, courier_var_lib_t, courier_authdaemon_t)
 
 domtrans_pattern(courier_pop_t, courier_authdaemon_exec_t, courier_authdaemon_t)
 
 corecmd_exec_shell(courier_pop_t)
+corenet_tcp_bind_generic_node(courier_pop_t)
+corenet_tcp_bind_pop_port(courier_pop_t)
+
+files_search_var_lib(courier_pop_t)
 
+miscfiles_read_generic_certs(courier_pop_t)
 miscfiles_read_localization(courier_pop_t)
 
 mta_manage_mail_home_rw_content(courier_pop_t)
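Review bot: the new capability set on courier_pop_t (`allow courier_pop_t self:capability { chown dac_read_search fowner setgid setuid };`) and the widening of courier_var_lib_t access from rw_inherited_file_perms to `rw_dir_perms` plus `manage_file_perms` arrive without an in-file comment saying what courier-pop does that needs to chown files, override their owner-based checks, or create and delete entries under /var/lib; please add one, since the accompanying `dontaudit courier_pop_t self:capability fsetid;` suggests these were collected from observed denials rather than from a known code path. Also, `can_exec(courier_pop_t, courier_tcpd_exec_t)` runs the tcpd binary inside the pop domain even though a separate courier_tcpd_t exists and this very hunk has the pop domain talking to it over sockets; if a transition is intended, a domtrans_pattern keeps the two apart, and if not, a comment should say why executing it in-domain is acceptable. Style: a blank line between the two can_exec lines and `stream_connect_pattern(...)` would match how the rest of this block is grouped.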

diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
index 370478770..11ffbb177 100644
--- a/policy/modules/services/dovecot.te
+++ b/policy/modules/services/dovecot.te
@@ -216,6 +216,7 @@ optional_policy(`
 	mta_manage_mail_home_rw_content(dovecot_t)
 	mta_home_filetrans_mail_home_rw(dovecot_t, dir, "Maildir")
 	mta_home_filetrans_mail_home_rw(dovecot_t, dir, ".maildir")
+	mta_home_filetrans_mail_home_rw(dovecot_t, dir, "mail")
 ')
 
 optional_policy(`
@@ -269,6 +270,8 @@ allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_p
 
 kernel_dontaudit_getattr_proc(dovecot_auth_t)
 
+kernel_getattr_proc(dovecot_auth_t)
+
 files_search_runtime(dovecot_auth_t)
 files_read_usr_files(dovecot_auth_t)
 files_read_var_lib_files(dovecot_auth_t)
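Review bot: `kernel_getattr_proc(dovecot_auth_t)` is inserted two lines below the existing `kernel_dontaudit_getattr_proc(dovecot_auth_t)`; once the permission is allowed, a dontaudit on the same permission is dead, so remove the dontaudit line in this same change instead of carrying both.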

diff --git a/policy/modules/services/exim.te b/policy/modules/services/exim.te
index 5e001b37b..80d828466 100644
--- a/policy/modules/services/exim.te
+++ b/policy/modules/services/exim.te
@@ -72,7 +72,7 @@ ifdef(`distro_debian',`
 # Local policy
 #
 
-allow exim_t self:capability { chown dac_override fowner setgid setuid sys_resource };
+allow exim_t self:capability { chown dac_override dac_read_search fowner setgid setuid sys_resource };
 allow exim_t self:process { setrlimit setpgid };
 allow exim_t self:fifo_file rw_fifo_file_perms;
 allow exim_t self:unix_stream_socket { accept listen };
@@ -192,6 +192,7 @@ optional_policy(`
 
 optional_policy(`
 	cron_read_pipes(exim_t)
+	cron_rw_inherited_tmp_files(exim_t)
 	cron_rw_system_job_pipes(exim_t)
 	cron_use_system_job_fds(exim_t)
 ')

diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if
index cdc3cf590..1c15a6b20 100644
--- a/policy/modules/services/mta.if
+++ b/policy/modules/services/mta.if
@@ -268,6 +268,7 @@ interface(`mta_manage_mail_home_rw_content',`
 	manage_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
 	allow $1 mail_home_rw_t:file map;
 	manage_lnk_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
+	allow $1 mail_home_rw_t:{ dir file } watch;
 ')
 
 ########################################

diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
index 63c8562ae..1099ccab5 100644
--- a/policy/modules/services/mta.te
+++ b/policy/modules/services/mta.te
@@ -15,6 +15,7 @@ attribute mailserver_sender;
 attribute user_mail_domain;
 
 attribute_role user_mail_roles;
+attribute_role admin_mail_roles;
 
 type etc_aliases_t;
 files_type(etc_aliases_t)
@@ -44,6 +45,10 @@ mta_base_mail_template(user)
 userdom_user_application_type(user_mail_t)
 role user_mail_roles types user_mail_t;
 
+mta_base_mail_template(admin)
+userdom_user_application_type(admin_mail_t)
+role admin_mail_roles types admin_mail_t;
+
 userdom_user_tmp_file(user_mail_tmp_t)
 
 ########################################
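Review bot: `attribute_role admin_mail_roles;` together with `role admin_mail_roles types admin_mail_t;` declares a role attribute that nothing in this patch populates: the only mta.if change here is to mta_manage_mail_home_rw_content, so no interface lets a role join admin_mail_roles or transition into admin_mail_t, and the new domain is unreachable as committed. Either add the admin-role interface next to the existing user one in mta.if, or state in the commit message that it follows in a later change.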
@@ -435,3 +440,30 @@ ifdef(`distro_gentoo',`
 		at_rw_inherited_job_log_files(system_mail_t)
 	')
 ')
+
+########################################
+#
+# Admin local policy
+#
+
+manage_files_pattern(admin_mail_t, mail_home_t, mail_home_t)
+userdom_user_home_dir_filetrans(admin_mail_t, mail_home_t, file, ".esmtp_queue")
+userdom_user_home_dir_filetrans(admin_mail_t, mail_home_t, file, ".forward")
+userdom_user_home_dir_filetrans(admin_mail_t, mail_home_t, file, ".mailrc")
+userdom_user_home_dir_filetrans(admin_mail_t, mail_home_t, file, "dead.letter")
+
+dev_read_sysfs(admin_mail_t)
+
+userdom_use_user_terminals(admin_mail_t)
+
+files_etc_filetrans(admin_mail_t, etc_aliases_t, file)
+allow admin_mail_t etc_aliases_t:file manage_file_perms;
+
+optional_policy(`
+	allow admin_mail_t self:capability dac_override;
+
+	userdom_rw_user_tmp_files(admin_mail_t)
+
+	postfix_read_config(admin_mail_t)
+	postfix_list_spool(admin_mail_t)
+')
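Review bot: the optional_policy block at the end of the new "Admin local policy" section mixes the bare rule `allow admin_mail_t self:capability dac_override;` and `userdom_rw_user_tmp_files(admin_mail_t)` with the two postfix_* calls; an optional_policy block is dropped as a whole when an interface inside it does not resolve, so these two rules silently depend on the postfix module being present. If dac_override and user tmp access are only needed together with postfix, say so in a comment; otherwise move them out of the block. Two smaller points: `files_etc_filetrans(admin_mail_t, etc_aliases_t, file)` carries no filename argument, so any file admin_mail_t creates directly in /etc becomes etc_aliases_t (a named transition would be tighter), and `dev_read_sysfs(admin_mail_t)` has no comment explaining why an administrative mail client needs to read sysfs.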

diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if
index 847022bf4..5168017b9 100644
--- a/policy/modules/services/postfix.if
+++ b/policy/modules/services/postfix.if
@@ -50,6 +50,9 @@ template(`postfix_domain_template',`
 	can_exec(postfix_$1_t, postfix_$1_exec_t)
 
 	auth_use_nsswitch(postfix_$1_t)
+	ifdef(`init_systemd',`
+		systemd_dontaudit_connect_machined(postfix_$1_t)
+	')
 ')
 
 #######################################

diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
index 528a84de9..f327af47a 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@@ -516,9 +516,12 @@ manage_files_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t)
 files_tmp_filetrans(postfix_map_t, postfix_map_tmp_t, { file dir })
 
 kernel_read_kernel_sysctls(postfix_map_t)
+kernel_read_network_state(postfix_map_t)
 kernel_dontaudit_list_proc(postfix_map_t)
 kernel_dontaudit_read_system_state(postfix_map_t)
 
+dev_read_urand(postfix_map_t)
+
 corenet_all_recvfrom_netlabel(postfix_map_t)
 corenet_tcp_sendrecv_generic_if(postfix_map_t)
 corenet_tcp_sendrecv_generic_node(postfix_map_t)
@@ -745,6 +748,7 @@ allow postfix_showq_t postfix_spool_maildrop_t:file read_file_perms;
 allow postfix_showq_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms;
 
 allow postfix_showq_t postfix_spool_t:file read_file_perms;
+allow postfix_showq_t postfix_postqueue_t:unix_stream_socket { read write };
 
 term_use_all_ptys(postfix_showq_t)
 term_use_all_ttys(postfix_showq_t)

diff --git a/policy/modules/services/sendmail.te b/policy/modules/services/sendmail.te
index f12dd77cd..ba31f3e3a 100644
--- a/policy/modules/services/sendmail.te
+++ b/policy/modules/services/sendmail.te
@@ -193,6 +193,10 @@ optional_policy(`
 	sasl_connect(sendmail_t)
 ')
 
+optional_policy(`
+	userdom_use_inherited_user_terminals(sendmail_t)
+')
+
 optional_policy(`
 	uucp_domtrans_uux(sendmail_t)
 ')
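Review bot: `userdom_use_inherited_user_terminals(sendmail_t)` should not sit inside an optional_policy block: userdom is part of the base policy, so the block can never be dropped, and the neighbouring optional_policy blocks in this hunk wrap genuinely optional modules (sasl, uucp). Place the call unconditionally alongside the other userdom_* rules for sendmail_t.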



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2023-10-20 22:05 Kenton Groombridge
  0 siblings, 0 replies; 299+ messages in thread
From: Kenton Groombridge @ 2023-10-20 22:05 UTC (permalink / raw
  To: gentoo-commits

commit:     4751bfa9ef38a4d38494cadea1fa83a69881d5fa
Author:     Russell Coker <russell <AT> coker <DOT> com <DOT> au>
AuthorDate: Sat Oct  7 02:56:52 2023 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Fri Oct 20 21:28:39 2023 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4751bfa9

Changes to eg25manager and modemmanager needed for firmware upload on pinephonepro

Signed-off-by: Russell Coker <russell <AT> coker.com.au>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/services/eg25manager.te  | 11 ++++++++++-
 policy/modules/services/modemmanager.te | 18 ++++++++++++++++--
 2 files changed, 26 insertions(+), 3 deletions(-)

diff --git a/policy/modules/services/eg25manager.te b/policy/modules/services/eg25manager.te
index 92fd3e4f8..f305a9a01 100644
--- a/policy/modules/services/eg25manager.te
+++ b/policy/modules/services/eg25manager.te
@@ -57,8 +57,10 @@ files_read_usr_files(eg25manager_t)
 logging_send_syslog_msg(eg25manager_t)
 
 miscfiles_read_generic_certs(eg25manager_t)
+miscfiles_read_localization(eg25manager_t)
 
-modemmanager_dbus_chat(eg25manager_t)
+# will not upload to pinephone modem without this
+selinux_get_fs_mount(eg25manager_t)
 
 sysnet_read_config(eg25manager_t)
 
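Review bot: the comment `# will not upload to pinephone modem without this` above `selinux_get_fs_mount(eg25manager_t)` records the symptom rather than the cause; looking up the selinuxfs mount point is normally libselinux initialisation and has no obvious relation to pushing firmware to a modem, so please name the library or code path in eg25manager that performs the access (the AVC that prompted the rule would do). Dropping the unconditional `modemmanager_dbus_chat(eg25manager_t)` here is fine given it returns inside an optional_policy block in the next hunk.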
@@ -66,3 +68,10 @@ systemd_dbus_chat_logind(eg25manager_t)
 systemd_read_resolved_runtime(eg25manager_t)
 systemd_use_logind_fds(eg25manager_t)
 systemd_write_inherited_logind_inhibit_pipes(eg25manager_t)
+
+term_use_unallocated_ttys(eg25manager_t)
+
+optional_policy(`
+	modemmanager_dbus_chat(eg25manager_t)
+')
+
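Review bot: the hunk ends with an added empty line (the lone `+` after the closing `')`), which leaves a trailing blank line at end of file; the .te files in this tree do not end that way, so drop it. Separately, `term_use_unallocated_ttys(eg25manager_t)` grants read and write on every tty that carries no specific label; if the modem's serial device is what is being accessed, a dedicated device label (modemmanager.te in this same patch relies on `dev_rw_modem`) would be narrower, and a comment should say which device the rule is for.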

diff --git a/policy/modules/services/modemmanager.te b/policy/modules/services/modemmanager.te
index 5801baedd..b94117bff 100644
--- a/policy/modules/services/modemmanager.te
+++ b/policy/modules/services/modemmanager.te
@@ -15,16 +15,30 @@ init_daemon_domain(modemmanager_t, modemmanager_exec_t)
 #
 
 allow modemmanager_t self:capability { net_admin sys_admin sys_tty_config };
-allow modemmanager_t self:process { getsched signal };
+allow modemmanager_t self:process { getsched setsched signal setpgid };
 allow modemmanager_t self:fifo_file rw_fifo_file_perms;
-allow modemmanager_t self:unix_stream_socket create_stream_socket_perms;
+allow modemmanager_t self:unix_stream_socket { connectto create_stream_socket_perms };
 allow modemmanager_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow modemmanager_t self:netlink_route_socket { create getattr getopt nlmsg_write read write };
+allow modemmanager_t self:qipcrtr_socket { create getattr getopt read write };
+
+# ModemManager  calls mmap(PROT_READ|PROT_WRITE|PROT_EXEC)
+allow modemmanager_t self:process execmem;
 
 kernel_read_system_state(modemmanager_t)
+kernel_request_load_module(modemmanager_t)
+
+# for qmi/pass_through
+dev_create_sysfs_files(modemmanager_t)
 
+dev_getattr_sysfs(modemmanager_t)
 dev_read_sysfs(modemmanager_t)
+dev_write_sysfs(modemmanager_t)
 dev_rw_modem(modemmanager_t)
 
+# for /usr/libexec/qmi-proxy
+corecmd_exec_bin(modemmanager_t)
+
 files_read_etc_files(modemmanager_t)
 
 term_use_generic_ptys(modemmanager_t)
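Review bot: `allow modemmanager_t self:process execmem;` removes the W^X guarantee from a daemon that already holds net_admin and sys_admin, and the comment `# ModemManager  calls mmap(PROT_READ|PROT_WRITE|PROT_EXEC)` (note the doubled space) only restates the syscall. It should name what in ModemManager needs writable-and-executable memory (a JIT or FFI library, for instance) so the rule can be revisited when that dependency changes, and a tunable defaulting to off would keep the shipped policy strict for systems whose modem does not need it. The other broad additions in this hunk, `kernel_request_load_module(modemmanager_t)`, `dev_write_sysfs(modemmanager_t)` and `nlmsg_write` on the route socket, each deserve a one-line justification like the ones already given for `dev_create_sysfs_files` and `corecmd_exec_bin`.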



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2024-03-01 19:56 Kenton Groombridge
  0 siblings, 0 replies; 299+ messages in thread
From: Kenton Groombridge @ 2024-03-01 19:56 UTC (permalink / raw
  To: gentoo-commits

commit:     6d1c3e8b33d3134dbe1767539363491a5f1600ea
Author:     Christian Göttsche <cgzones <AT> googlemail <DOT> com>
AuthorDate: Thu Feb 22 17:00:33 2024 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Fri Mar  1 17:05:43 2024 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6d1c3e8b

virt: label qemu configuration directory

Signed-off-by: Christian Göttsche <cgzones <AT> googlemail.com>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/services/virt.fc | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/services/virt.fc b/policy/modules/services/virt.fc
index ab5d0885d..9c209d8f0 100644
--- a/policy/modules/services/virt.fc
+++ b/policy/modules/services/virt.fc
@@ -9,6 +9,8 @@ HOME_DIR/VirtualMachines/isos(/.*)?	gen_context(system_u:object_r:virt_content_t
 /etc/libvirt/[^/]*	-d	gen_context(system_u:object_r:virt_etc_rw_t,s0)
 /etc/libvirt/.*/.*	gen_context(system_u:object_r:virt_etc_rw_t,s0)
 
+/etc/qemu(/.*)?		gen_context(system_u:object_r:virt_etc_t,s0)
+
 /etc/rc\.d/init\.d/(libvirt-bin|libvirtd)	--	gen_context(system_u:object_r:virtd_initrc_exec_t,s0)
 
 /etc/xen	-d	gen_context(system_u:object_r:virt_etc_t,s0)



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2024-03-01 19:56 Kenton Groombridge
  0 siblings, 0 replies; 299+ messages in thread
From: Kenton Groombridge @ 2024-03-01 19:56 UTC (permalink / raw
  To: gentoo-commits

commit:     b1a213b26e58f32d250057fcb9e1af3a9f05a63d
Author:     Christian Göttsche <cgzones <AT> googlemail <DOT> com>
AuthorDate: Thu Feb 22 17:00:46 2024 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Fri Mar  1 17:05:51 2024 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b1a213b2

vnstatd: update

    type=PROCTITLE msg=audit(21/02/24 22:54:36.792:69) : proctitle=/usr/sbin/vnstatd -n
    type=PATH msg=audit(21/02/24 22:54:36.792:69) : item=0 name=/dev/urandom inode=18 dev=00:2b mode=character,666 ouid=root ogid=root rdev=01:09 obj=system_u:object_r:urandom_device_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
    type=CWD msg=audit(21/02/24 22:54:36.792:69) : cwd=/
    type=SYSCALL msg=audit(21/02/24 22:54:36.792:69) : arch=x86_64 syscall=openat success=yes exit=5 a0=AT_FDCWD a1=0x7f197cc66865 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=900 auid=unset uid=vnstat gid=vnstat euid=vnstat suid=vnstat fsuid=vnstat egid=vnstat sgid=vnstat fsgid=vnstat tty=(none) ses=unset comm=vnstatd exe=/usr/sbin/vnstatd subj=system_u:system_r:vnstatd_t:s0 key=(null)
    type=AVC msg=audit(21/02/24 22:54:36.792:69) : avc:  denied  { open } for  pid=900 comm=vnstatd path=/dev/urandom dev=tmpfs ino=18 scontext=system_u:system_r:vnstatd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file permissive=1
    type=AVC msg=audit(21/02/24 22:54:36.792:69) : avc:  denied  { read } for  pid=900 comm=vnstatd name=urandom dev=tmpfs ino=18 scontext=system_u:system_r:vnstatd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file permissive=1

Signed-off-by: Christian Göttsche <cgzones <AT> googlemail.com>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/services/vnstatd.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/services/vnstatd.te b/policy/modules/services/vnstatd.te
index f8274d451..3be384a9a 100644
--- a/policy/modules/services/vnstatd.te
+++ b/policy/modules/services/vnstatd.te
@@ -48,6 +48,7 @@ kernel_read_system_state(vnstatd_t)
 
 # read /sys/class/net/eth0
 dev_read_sysfs(vnstatd_t)
+dev_read_urand(vnstatd_t)
 
 files_read_etc_files(vnstatd_t)
 files_search_var_lib(vnstatd_t)



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2024-03-01 19:56 Kenton Groombridge
  0 siblings, 0 replies; 299+ messages in thread
From: Kenton Groombridge @ 2024-03-01 19:56 UTC (permalink / raw
  To: gentoo-commits

commit:     3676555ed89c3a47ec1f553710f70bf547bd7245
Author:     Christian Göttsche <cgzones <AT> googlemail <DOT> com>
AuthorDate: Thu Feb 22 17:00:55 2024 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Fri Mar  1 17:05:57 2024 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3676555e

consolesetup: update

    AVC avc:  denied  { read } for  pid=770 comm="mkdir" name="filesystems" dev="proc" ino=4026532069 scontext=system_u:system_r:consolesetup_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=0

Signed-off-by: Christian Göttsche <cgzones <AT> googlemail.com>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/services/consolesetup.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/services/consolesetup.te b/policy/modules/services/consolesetup.te
index 7756ef6c9..023ec5d23 100644
--- a/policy/modules/services/consolesetup.te
+++ b/policy/modules/services/consolesetup.te
@@ -37,6 +37,8 @@ files_runtime_filetrans(consolesetup_t, consolesetup_runtime_t, dir, "console-se
 manage_files_pattern(consolesetup_t, consolesetup_tmp_t, consolesetup_tmp_t)
 files_tmp_filetrans(consolesetup_t, consolesetup_tmp_t, file)
 
+kernel_read_system_state(consolesetup_t)
+
 corecmd_exec_bin(consolesetup_t)
 corecmd_exec_shell(consolesetup_t)
 



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2024-05-14 19:42 Kenton Groombridge
  0 siblings, 0 replies; 299+ messages in thread
From: Kenton Groombridge @ 2024-05-14 19:42 UTC (permalink / raw
  To: gentoo-commits

commit:     4f530e384d56b9f11d4846e1018c56fe3df86e05
Author:     Chris PeBenito <chpebeni <AT> linux <DOT> microsoft <DOT> com>
AuthorDate: Tue Mar  5 15:20:13 2024 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Tue May 14 17:41:02 2024 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4f530e38

cockpit: Change $1_cockpit_tmpfs_t to a tmpfs file type.

Signed-off-by: Chris PeBenito <chpebeni <AT> linux.microsoft.com>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/services/cockpit.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/services/cockpit.if b/policy/modules/services/cockpit.if
index 4c452484c..1a13f4e5a 100644
--- a/policy/modules/services/cockpit.if
+++ b/policy/modules/services/cockpit.if
@@ -46,7 +46,7 @@
 template(`cockpit_role_template',`
 
 	type $1_cockpit_tmpfs_t;
-	files_runtime_file($1_cockpit_tmpfs_t)
+	files_tmpfs_file($1_cockpit_tmpfs_t)
 	dev_filetrans($2, $1_cockpit_tmpfs_t, file)
 
 	allow $2 $1_cockpit_tmpfs_t:file { manage_file_perms execute };



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2024-05-14 19:42 Kenton Groombridge
  0 siblings, 0 replies; 299+ messages in thread
From: Kenton Groombridge @ 2024-05-14 19:42 UTC (permalink / raw
  To: gentoo-commits

commit:     8b220a9ced8dbe5449cf443a16b782141d6f4772
Author:     Chris PeBenito <chpebeni <AT> linux <DOT> microsoft <DOT> com>
AuthorDate: Tue Mar  5 15:18:41 2024 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Tue May 14 17:41:01 2024 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8b220a9c

certbot: Drop execmem.

This is related to FFI use in python3-openssl. Libffi now changes behavior
when it detects SELinux, to avoid this type of denial.

Signed-off-by: Chris PeBenito <chpebeni <AT> linux.microsoft.com>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/services/certbot.te | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/policy/modules/services/certbot.te b/policy/modules/services/certbot.te
index 9723f7880..6edaac830 100644
--- a/policy/modules/services/certbot.te
+++ b/policy/modules/services/certbot.te
@@ -54,10 +54,6 @@ files_tmp_filetrans(certbot_t, certbot_tmp_t, { dir file })
 manage_files_pattern(certbot_t, certbot_tmpfs_t, certbot_tmpfs_t)
 fs_tmpfs_filetrans(certbot_t, certbot_tmpfs_t, { file })
 
-# this is for certbot to have write-exec memory, I know it is bad
-# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=913544
-# the Debian bug report has background about python-acme and python3-openssl
-allow certbot_t self:process execmem;
 allow certbot_t certbot_tmp_t:file mmap_exec_file_perms;
 allow certbot_t certbot_tmpfs_t:file mmap_exec_file_perms;
 allow certbot_t certbot_runtime_t:file mmap_exec_file_perms;
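Review bot: with `allow certbot_t self:process execmem;` removed, the three `mmap_exec_file_perms` rules kept below it on certbot_tmp_t, certbot_tmpfs_t and certbot_runtime_t are exactly what libffi's SELinux-aware closure allocation depends on (it maps a temporary file once writable and once executable instead of requesting a single anonymous RWX mapping), so they must stay. Since the deleted comment block was the only explanation of these execmem-related rules, please add a short comment above the remaining three saying they support that libffi fallback.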



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2024-05-14 19:42 Kenton Groombridge
  0 siblings, 0 replies; 299+ messages in thread
From: Kenton Groombridge @ 2024-05-14 19:42 UTC (permalink / raw
  To: gentoo-commits

commit:     eb3fe60b4f0d6bf8c466179cababdfa67ab8aabc
Author:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
AuthorDate: Mon May  6 20:21:13 2024 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Tue May 14 17:41:41 2024 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=eb3fe60b

asterisk: allow binding to all unreserved UDP ports

This is for RTP streaming.

Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/services/asterisk.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/services/asterisk.te b/policy/modules/services/asterisk.te
index 0c2f9a42d..3cf98e59d 100644
--- a/policy/modules/services/asterisk.te
+++ b/policy/modules/services/asterisk.te
@@ -110,6 +110,7 @@ corenet_udp_bind_sip_port(asterisk_t)
 corenet_sendrecv_generic_server_packets(asterisk_t)
 corenet_tcp_bind_generic_port(asterisk_t)
 corenet_udp_bind_generic_port(asterisk_t)
+corenet_udp_bind_all_unreserved_ports(asterisk_t)
 corenet_dontaudit_udp_bind_all_ports(asterisk_t)
 
 corenet_sendrecv_jabber_client_client_packets(asterisk_t)
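Review bot: `corenet_udp_bind_all_unreserved_ports(asterisk_t)` lets the daemon bind any unreserved UDP port unconditionally, which makes the `corenet_dontaudit_udp_bind_all_ports(asterisk_t)` on the next line largely moot and widens the bind surface for every deployment, not only those that stream RTP across a wide range. Since the RTP port range is an Asterisk configuration choice, a tunable defaulting to off (as this series does for matrixd) or a labelled port range would keep the default policy narrower; at minimum the commit message should note that the permission is now granted for all installations.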



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2024-05-14 19:42 Kenton Groombridge
  0 siblings, 0 replies; 299+ messages in thread
From: Kenton Groombridge @ 2024-05-14 19:42 UTC (permalink / raw
  To: gentoo-commits

commit:     8271ab906f4389dae37b0470c44cdc6ab15b784d
Author:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
AuthorDate: Mon May  6 20:39:41 2024 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Tue May 14 17:41:49 2024 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8271ab90

container: allow containers to getcap

Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/services/container.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te
index 9699ac36d..68aa97ae5 100644
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@@ -286,7 +286,7 @@ corenet_port(container_port_t)
 dontaudit container_domain self:capability fsetid;
 dontaudit container_domain self:capability2 block_suspend;
 allow container_domain self:cap_userns { chown dac_override dac_read_search fowner kill setgid setuid };
-allow container_domain self:process { execstack execmem getattr getsched getsession setsched setcap setpgid signal_perms };
+allow container_domain self:process { execstack execmem getattr getcap getsched getsession setsched setcap setpgid signal_perms };
 allow container_domain self:dir rw_dir_perms;
 allow container_domain self:file create_file_perms;
 allow container_domain self:fifo_file manage_fifo_file_perms;



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2024-05-14 19:42 Kenton Groombridge
  0 siblings, 0 replies; 299+ messages in thread
From: Kenton Groombridge @ 2024-05-14 19:42 UTC (permalink / raw
  To: gentoo-commits

commit:     30142b2d3d2fbe3e30c81bd7463e8bb8e4f1752d
Author:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
AuthorDate: Mon May  6 20:14:04 2024 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Tue May 14 17:41:39 2024 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=30142b2d

postgres: add a standalone execmem tunable

Add a separate tunable to allow Postgres to use execmem. This is to
support JIT in the Postgres server without enabling it for the entire
system.

Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/services/postgresql.te | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
index 810fb0ed4..7eec1b665 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -18,6 +18,13 @@ gen_require(`
 # Declarations
 #
 
+## <desc>
+## <p>
+## Allow postgresql to map memory regions as both executable and writable (e.g. for JIT).
+## </p>
+## </desc>
+gen_tunable(psql_allow_execmem, false)
+
 ## <desc>
 ## <p>
 ## Allow unprived users to execute DDL statement
@@ -363,7 +370,7 @@ optional_policy(`
 	mta_getattr_spool(postgresql_t)
 ')
 
-tunable_policy(`allow_execmem',`
+tunable_policy(`allow_execmem || psql_allow_execmem',`
 	allow postgresql_t self:process execmem;
 ')
 



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2024-05-14 19:42 Kenton Groombridge
  0 siblings, 0 replies; 299+ messages in thread
From: Kenton Groombridge @ 2024-05-14 19:42 UTC (permalink / raw
  To: gentoo-commits

commit:     8c2f46403362398b17348da14c551acad1cdc0b4
Author:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
AuthorDate: Mon May  6 20:33:13 2024 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Tue May 14 17:41:45 2024 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8c2f4640

matrixd: add tunable for binding to all unreserved ports

This is to support using Synapse workers which require binding to
multiple TCP ports in lieu of manually labeling unreserved ports for
use.

Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/services/matrixd.te | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/policy/modules/services/matrixd.te b/policy/modules/services/matrixd.te
index c396a3d7c..5f092f31c 100644
--- a/policy/modules/services/matrixd.te
+++ b/policy/modules/services/matrixd.te
@@ -20,6 +20,16 @@ gen_tunable(matrix_allow_federation, true)
 ## </desc>
 gen_tunable(matrix_postgresql_connect, false)
 
+## <desc>
+##  <p>
+##  Determine whether Matrixd is allowed to bind all
+##  TCP ports. This is intended for more complex Matrix
+##	server configurations (e.g. Synapse workers) and may
+##	be used in lieu of manually labeling each port.
+##  </p>
+## </desc>
+gen_tunable(matrix_bind_all_unreserved_tcp_ports, false)
+
 type matrixd_t;
 type matrixd_exec_t;
 init_daemon_domain(matrixd_t, matrixd_exec_t)
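Review bot: the new `<desc>` text says Matrixd may "bind all TCP ports", but the tunable name and the interface it enables in the next hunk (`corenet_tcp_bind_all_unreserved_ports`) cover unreserved ports only; change the wording to "all unreserved TCP ports" so the documentation matches the policy. Indentation inside the block is also mixed: the first lines use `##  ` with two spaces while `##	server configurations` and `##	be used` switch to a tab, unlike the surrounding descriptions in this file.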
@@ -117,7 +127,11 @@ tunable_policy(`matrix_postgresql_connect',`
 	postgresql_tcp_connect(matrixd_t)
 ')
 
+tunable_policy(`matrix_bind_all_unreserved_tcp_ports',`
+	corenet_tcp_bind_all_unreserved_ports(matrixd_t)
+')
+
 optional_policy(`
 	apache_search_config(matrixd_t)
 ')
- 
+



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2024-05-14 19:42 Kenton Groombridge
  0 siblings, 0 replies; 299+ messages in thread
From: Kenton Groombridge @ 2024-05-14 19:42 UTC (permalink / raw
  To: gentoo-commits

commit:     b85214ca8e0a693d0b903fd31da74b6d6be4667b
Author:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
AuthorDate: Mon May  6 20:38:43 2024 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Tue May 14 17:41:47 2024 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b85214ca

container: allow system container engines to mmap runtime files

Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/services/container.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te
index 096d6c23d..9699ac36d 100644
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@@ -866,7 +866,7 @@ filetrans_pattern(container_engine_system_domain, container_var_lib_t, container
 filetrans_pattern(container_engine_system_domain, container_var_lib_t, container_file_t, dir, "volumes")
 
 allow container_engine_system_domain container_runtime_t:dir { manage_dir_perms relabel_dir_perms watch };
-allow container_engine_system_domain container_runtime_t:file { manage_file_perms relabel_file_perms watch };
+allow container_engine_system_domain container_runtime_t:file { mmap_manage_file_perms relabel_file_perms watch };
 allow container_engine_system_domain container_runtime_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
 allow container_engine_system_domain container_runtime_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
 allow container_engine_system_domain container_runtime_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2024-05-14 19:42 Kenton Groombridge
  0 siblings, 0 replies; 299+ messages in thread
From: Kenton Groombridge @ 2024-05-14 19:42 UTC (permalink / raw
  To: gentoo-commits

commit:     c6e72252a0d9ec8e88e28e2512737936cec8c3ea
Author:     Dave Sugar <dsugar100 <AT> gmail <DOT> com>
AuthorDate: Sun May  5 01:19:20 2024 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Tue May 14 17:41:22 2024 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c6e72252

Need map perm for cockpit 300.4

node=localhost type=AVC msg=audit(1714870999.370:3558): avc:  denied  { map } for  pid=7081 comm="cockpit-bridge" path=2F6465762F23373933202864656C6574656429 dev="devtmpfs" ino=793 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:staff_cockpit_tmpfs_t:s0 tclass=file permissive=0

Signed-off-by: Dave Sugar <dsugar100 <AT> gmail.com>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/services/cockpit.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/services/cockpit.if b/policy/modules/services/cockpit.if
index 1a13f4e5a..bde2bfad5 100644
--- a/policy/modules/services/cockpit.if
+++ b/policy/modules/services/cockpit.if
@@ -49,7 +49,7 @@ template(`cockpit_role_template',`
 	files_tmpfs_file($1_cockpit_tmpfs_t)
 	dev_filetrans($2, $1_cockpit_tmpfs_t, file)
 
-	allow $2 $1_cockpit_tmpfs_t:file { manage_file_perms execute };
+	allow $2 $1_cockpit_tmpfs_t:file { mmap_manage_file_perms execute };
 
 	dev_dontaudit_execute_dev_nodes($2)
 



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2024-05-14 19:42 Kenton Groombridge
  0 siblings, 0 replies; 299+ messages in thread
From: Kenton Groombridge @ 2024-05-14 19:42 UTC (permalink / raw
  To: gentoo-commits

commit:     304a909724d2e15445449257a45563751eb88a7c
Author:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
AuthorDate: Mon May  6 19:59:55 2024 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Tue May 14 17:41:35 2024 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=304a9097

dovecot: allow dovecot-auth to read SASL keytab

Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/services/dovecot.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
index 11ffbb177..937219831 100644
--- a/policy/modules/services/dovecot.te
+++ b/policy/modules/services/dovecot.te
@@ -321,6 +321,10 @@ optional_policy(`
 	postfix_search_spool(dovecot_auth_t)
 ')
 
+optional_policy(`
+	sasl_read_keytab(dovecot_auth_t)
+')
+
 optional_policy(`
         postgresql_unpriv_client(dovecot_auth_t)
 



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2024-05-14 19:42 Kenton Groombridge
  0 siblings, 0 replies; 299+ messages in thread
From: Kenton Groombridge @ 2024-05-14 19:42 UTC (permalink / raw
  To: gentoo-commits

commit:     dc612e94fc961e4039c1fba11c03e9f872888fbf
Author:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
AuthorDate: Mon May  6 19:58:20 2024 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Tue May 14 17:41:33 2024 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=dc612e94

fail2ban: allow reading net sysctls

type=AVC msg=audit(1696613589.191:194926): avc:  denied  { search } for  pid=1724 comm="f2b/f.dovecot" name="net" dev="proc" ino=2813 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0

Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/services/fail2ban.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/services/fail2ban.te b/policy/modules/services/fail2ban.te
index af34769d3..dce03adca 100644
--- a/policy/modules/services/fail2ban.te
+++ b/policy/modules/services/fail2ban.te
@@ -62,6 +62,7 @@ manage_sock_files_pattern(fail2ban_t, fail2ban_runtime_t, fail2ban_runtime_t)
 manage_files_pattern(fail2ban_t, fail2ban_runtime_t, fail2ban_runtime_t)
 files_runtime_filetrans(fail2ban_t, fail2ban_runtime_t, file)
 
+kernel_read_net_sysctls(fail2ban_t)
 kernel_read_system_state(fail2ban_t)
 kernel_read_vm_overcommit_sysctl(fail2ban_t)
 kernel_search_fs_sysctls(fail2ban_t)
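Review bot: the quoted AVC only shows `search` on the sysctl_net_t directory, while `kernel_read_net_sysctls(fail2ban_t)` grants reading the net sysctl entries themselves. If fail2ban goes on to read specific entries, name them in a comment above the rule so the wider grant is documented; if it only traverses the directory, a search-only interface (refpolicy's `kernel_search_network_sysctl`, if present in this tree) would match the denial more tightly.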



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2024-05-14 19:42 Kenton Groombridge
  0 siblings, 0 replies; 299+ messages in thread
From: Kenton Groombridge @ 2024-05-14 19:42 UTC (permalink / raw
  To: gentoo-commits

commit:     cdc026e081113bc262a5183640d4fcde761858ce
Author:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
AuthorDate: Mon May  6 21:19:44 2024 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Tue May 14 17:41:53 2024 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=cdc026e0

container, crio, kubernetes: minor fixes

Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/services/container.te  | 1 +
 policy/modules/services/crio.te       | 1 +
 policy/modules/services/kubernetes.te | 3 +++
 3 files changed, 5 insertions(+)

diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te
index 68aa97ae5..095308a13 100644
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@@ -982,6 +982,7 @@ allow spc_t self:alg_socket create_stream_socket_perms;
 allow spc_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
 allow spc_t self:netlink_generic_socket create_socket_perms;
 allow spc_t self:netlink_netfilter_socket create_socket_perms;
+allow spc_t self:netlink_tcpdiag_socket nlmsg_read;
 allow spc_t self:netlink_xfrm_socket create_netlink_socket_perms;
 allow spc_t self:perf_event { cpu kernel open read };
 
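Review bot: `allow spc_t self:netlink_tcpdiag_socket nlmsg_read;` grants only the read-message permission, while the surrounding netlink classes carry `create_socket_perms` or `create_netlink_socket_perms`. Unless spc_t already has create permissions on netlink_tcpdiag_socket elsewhere in the file, the socket cannot be opened and this rule is dead; either add the create permissions here or note the existing rule in the commit message, which at "minor fixes" does not say what uses sock_diag.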

diff --git a/policy/modules/services/crio.te b/policy/modules/services/crio.te
index 3dd616f7a..91306d80e 100644
--- a/policy/modules/services/crio.te
+++ b/policy/modules/services/crio.te
@@ -84,6 +84,7 @@ init_use_fds(crio_conmon_t)
 
 container_kill_all_containers(crio_conmon_t)
 container_read_all_container_state(crio_conmon_t)
+container_signal_system_containers(crio_conmon_t)
 
 # for kubernetes debug pods
 container_use_container_ptys(crio_conmon_t)
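Review bot: the commit message does not record the denial behind `container_signal_system_containers(crio_conmon_t)`. conmon already has `container_kill_all_containers`, so a short comment saying which operation needed the broader `signal` permission on system containers would keep this rule explainable later.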

diff --git a/policy/modules/services/kubernetes.te b/policy/modules/services/kubernetes.te
index 58292de85..3ba666299 100644
--- a/policy/modules/services/kubernetes.te
+++ b/policy/modules/services/kubernetes.te
@@ -393,6 +393,7 @@ container_relabel_all_content(kubelet_t)
 container_manage_log_dirs(kubelet_t)
 container_manage_log_files(kubelet_t)
 container_manage_log_symlinks(kubelet_t)
+container_watch_log_dirs(kubelet_t)
 container_watch_log_files(kubelet_t)
 container_log_filetrans(kubelet_t, { dir file })
 
@@ -617,6 +618,8 @@ userdom_use_user_terminals(kubectl_domain)
 # kubectl local policy
 #
 
+kernel_dontaudit_getattr_proc(kubectl_t)
+
 auth_use_nsswitch(kubectl_t)
 
 # not required, but convenient for using config commands
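Review bot: the new `kernel_dontaudit_getattr_proc(kubectl_t)` carries no comment, unlike the rule below it. Silenced denials are hard to diagnose later; add a comment naming what kubectl stats under /proc so the dontaudit can be revisited if that behaviour changes.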



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2024-09-22  0:03 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2024-09-22  0:03 UTC (permalink / raw
  To: gentoo-commits

commit:     7f5c42c7e77b42d5b92e77fff62ffb2a243e1007
Author:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
AuthorDate: Fri Aug  9 19:30:01 2024 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Sep 21 22:28:29 2024 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7f5c42c7

container: add container_kvm_t and supporting kubevirt rules

container_kvm_t is the type for containers with access to KVM for
running virtual machines.

Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/container.te | 34 +++++++++++++++++++++++++++++++++-
 1 file changed, 33 insertions(+), 1 deletion(-)

diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te
index 2353092e4..e91cd18f4 100644
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@@ -180,6 +180,12 @@ ifdef(`enable_mls',`
 ')
 mls_trusted_object(container_engine_t)
 
+container_domain_template(container_kvm)
+typeattribute container_kvm_t container_system_domain, container_net_domain;
+optional_policy(`
+	kubernetes_container(container_kvm_t)
+')
+
 type spc_t, container_domain, container_net_domain, container_system_domain, privileged_container_domain;
 domain_type(spc_t)
 role system_r types spc_t;
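Review bot: `typeattribute container_kvm_t container_system_domain, container_net_domain;` makes the new type both a system and a networked container domain, but this hunk does not show how a process enters it beyond the `spc_t:process transition` added later in the patch. The commit message should say whether container_domain_template supplies the entrypoint type or whether the engine is expected to use setexec, because a transition rule with no entrypoint never fires.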
@@ -942,6 +948,28 @@ filetrans_pattern(container_engine_user_domain, container_data_home_t, container
 filetrans_pattern(container_engine_user_domain, container_data_home_t, container_ro_file_t, dir, "overlay2-layers")
 filetrans_pattern(container_engine_user_domain, container_data_home_t, container_file_t, dir, "volumes")
 
+########################################
+#
+# KVM container local policy
+#
+
+allow container_kvm_t self:process { getcap setrlimit };
+allow container_kvm_t self:capability { net_admin sys_resource };
+allow container_kvm_t self:tun_socket { relabelfrom relabelto };
+
+dev_getattr_mtrr_dev(container_kvm_t)
+dev_read_sysfs(container_kvm_t)
+
+fs_read_cgroup_files(container_kvm_t)
+
+kernel_read_device_sysctls(container_kvm_t)
+kernel_read_irq_sysctls(container_kvm_t)
+kernel_read_vm_overcommit_sysctl(container_kvm_t)
+
+allow container_kvm_t spc_t:fd use;
+allow container_kvm_t spc_t:fifo_file write;
+allow container_kvm_t spc_t:tun_socket relabelfrom;
+
 ########################################
 #
 # Common privileged container local policy
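Review bot: the new local policy grants container_kvm_t `capability { net_admin sys_resource }` and `tun_socket { relabelfrom relabelto }`, plus `relabelfrom` on spc_t's tun sockets, yet the section has no comment saying which kubevirt component needs each one; net_admin in a container domain is a notable grant and should be justified inline the way the spc_t rules below are. The commit also describes this type as a container with KVM access, but no rule for the KVM device appears in the hunk: if that access comes from container_system_domain or the template, a comment would save the next reader a search, otherwise `dev_rw_kvm(container_kvm_t)` is missing.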
@@ -974,7 +1002,7 @@ domtrans_pattern(container_engine_system_domain, container_file_t, spc_t)
 domtrans_pattern(container_engine_system_domain, container_ro_file_t, spc_t)
 domtrans_pattern(container_engine_system_domain, container_var_lib_t, spc_t)
 
-allow spc_t self:process { getcap setrlimit };
+allow spc_t self:process { getcap setexec setrlimit };
 # Normally triggered when rook-ceph executes lvm tools which creates noise.
 # This can be allowed if actually needed.
 dontaudit spc_t self:process setfscreate;
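Review bot: adding `setexec` to spc_t's process permissions is what lets the engine request the transition into container_kvm_t, but the line carries no comment and the commit message does not mention it. A `# for kubevirt` comment, as used on the transition rule later in this patch, would tie the two together.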
@@ -1127,6 +1155,10 @@ allow spc_t container_config_t:dir watch;
 allow spc_t container_runtime_t:lnk_file manage_lnk_file_perms;
 allow spc_t container_runtime_t:file watch;
 
+# for kubevirt
+allow spc_t container_kvm_t:process transition;
+ps_process_pattern(spc_t, container_kvm_t)
+
 ifdef(`init_systemd',`
 	init_dbus_chat(spc_t)
 	init_run_bpf(spc_t)
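Review bot: `allow spc_t container_kvm_t:process transition;` only permits the domain change; the exec also needs an `entrypoint` permission for container_kvm_t on the executable's type. If container_domain_template already provides that, fine, but say so in the comment, otherwise the transition will be denied at exec time and the `# for kubevirt` rules will appear to do nothing.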



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2024-09-22  0:03 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2024-09-22  0:03 UTC (permalink / raw
  To: gentoo-commits

commit:     dc89cc3c50ff1f821e6940f9d1aecc3b1f054f6d
Author:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
AuthorDate: Wed Aug  7 20:55:28 2024 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Sep 21 22:28:29 2024 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=dc89cc3c

dbus: dontaudit session bus domains the netadmin capability

Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/dbus.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index 572b84c00..58ac501d3 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -300,7 +300,7 @@ optional_policy(`
 # Common session bus local policy
 #
 
-dontaudit session_bus_type self:capability sys_resource;
+dontaudit session_bus_type self:capability { net_admin sys_resource };
 allow session_bus_type self:process { getattr sigkill signal };
 dontaudit session_bus_type self:process { ptrace setrlimit };
 allow session_bus_type self:file rw_inherited_file_perms;
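Review bot: `dontaudit session_bus_type self:capability { net_admin sys_resource };` hides net_admin checks for every session bus domain, and the commit message gives no example of what triggers the check. Record the triggering operation in a comment so the dontaudit can be re-evaluated if a session bus ever needs net_admin for real rather than as noise.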



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2024-09-22  0:03 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2024-09-22  0:03 UTC (permalink / raw
  To: gentoo-commits

commit:     cd58aee691e5b70af9fd0a22beb97e635ef981e1
Author:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
AuthorDate: Fri Aug  9 19:08:33 2024 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Sep 21 22:28:29 2024 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=cd58aee6

container, kubernetes: add supporting rules for kubevirt and multus

Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/container.if  | 39 +++++++++++++++++++++++++++++++++++
 policy/modules/services/container.te  |  9 ++++++++
 policy/modules/services/kubernetes.te |  2 ++
 3 files changed, 50 insertions(+)

diff --git a/policy/modules/services/container.if b/policy/modules/services/container.if
index ceb9de817..c9f4aa934 100644
--- a/policy/modules/services/container.if
+++ b/policy/modules/services/container.if
@@ -1207,6 +1207,25 @@ interface(`container_watch_config_dirs',`
 	allow $1 container_config_t:dir watch;
 ')
 
+########################################
+## <summary>
+##	Allow the specified domain to
+##	create container config directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_create_config_dirs',`
+	gen_require(`
+		type container_config_t;
+	')
+
+	create_dirs_pattern($1, container_config_t, container_config_t)
+')
+
 ########################################
 ## <summary>
 ##	Allow the specified domain to
@@ -1607,6 +1626,26 @@ interface(`container_list_ro_dirs',`
 	allow $1 container_ro_file_t:dir list_dir_perms;
 ')
 
+########################################
+## <summary>
+##	Allow the specified domain to get
+##	the attributes of all read-only
+##	container file character devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_getattr_all_ro_chr_files',`
+	gen_require(`
+		type container_ro_file_t;
+	')
+
+	allow $1 container_ro_file_t:chr_file getattr;
+')
+
 ########################################
 ## <summary>
 ##	Allow the specified domain to get
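Review bot: the interface name `container_getattr_all_ro_chr_files` and its summary ("all read-only container file character devices") promise more than the rule, which covers the single type container_ro_file_t. If "all" is meant to mirror `container_getattr_all_ro_files`, used beside it in kubernetes.te, keep the scope consistent with that interface; if other read-only container types exist, the rule should cover them too.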

diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te
index 66b16e4e4..cc700c038 100644
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@@ -224,6 +224,9 @@ container_mountpoint(container_runtime_t)
 type container_tmpfs_t;
 files_tmpfs_file(container_tmpfs_t)
 
+type container_tmp_t;
+files_tmp_file(container_tmp_t)
+
 type container_log_t;
 logging_log_file(container_log_t)
 optional_policy(`
@@ -1093,6 +1096,7 @@ container_manage_config_files(spc_t)
 container_list_plugin_dirs(spc_t)
 container_manage_plugin_files(spc_t)
 
+container_create_config_dirs(spc_t)
 container_create_config_files(spc_t)
 container_rw_config_files(spc_t)
 
@@ -1104,6 +1108,11 @@ container_manage_var_lib_dirs(spc_t)
 container_manage_var_lib_files(spc_t)
 container_map_var_lib_files(spc_t)
 
+manage_dirs_pattern(spc_t, container_tmp_t, container_tmp_t)
+manage_files_pattern(spc_t, container_tmp_t, container_tmp_t)
+files_tmp_filetrans(spc_t, container_tmp_t, { dir file })
+
+files_runtime_filetrans(spc_t, container_runtime_t, dir)
 # for cilium
 allow spc_t container_config_t:dir watch;
 allow spc_t container_runtime_t:lnk_file manage_lnk_file_perms;
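Review bot: `files_runtime_filetrans(spc_t, container_runtime_t, dir)` is inserted directly above the `# for cilium` comment with no blank line, so the comment now reads as if it also covers the new rule; add a blank line, or state that the runtime transition is for cilium if it is. The tmp transitions are unnamed, so every directory or file spc_t creates in /tmp becomes container_tmp_t; that is presumably the intent but is worth a comment.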

diff --git a/policy/modules/services/kubernetes.te b/policy/modules/services/kubernetes.te
index 95d5f9f42..787cdae30 100644
--- a/policy/modules/services/kubernetes.te
+++ b/policy/modules/services/kubernetes.te
@@ -82,6 +82,7 @@ corenet_tcp_connect_all_ports(kubernetes_container_engine_domain)
 dev_create_generic_blk_files(kubernetes_container_engine_domain)
 
 files_getattr_kernel_modules(kubernetes_container_engine_domain)
+files_mounton_runtime_dirs(kubernetes_container_engine_domain)
 # for replicated storage that may be mounted in /mnt
 files_search_mnt(kubernetes_container_engine_domain)
 
@@ -411,6 +412,7 @@ fs_tmpfs_filetrans(kubelet_t, kubernetes_tmpfs_t, { dir file lnk_file })
 # for metrics and accounting
 container_getattr_all_files(kubelet_t)
 container_getattr_all_ro_files(kubelet_t)
+container_getattr_all_ro_chr_files(kubelet_t)
 container_getattr_all_var_lib_files(kubelet_t)
 
 ifdef(`init_systemd',`



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2024-09-22  0:03 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2024-09-22  0:03 UTC (permalink / raw
  To: gentoo-commits

commit:     d677a6374ad09c7af0b615a291f9ccb3c12f2432
Author:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
AuthorDate: Fri Aug 16 18:36:06 2024 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Sep 21 22:28:29 2024 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d677a637

kubernetes: allow kubelet to connect all TCP ports

For pod health checks.

Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/kubernetes.te | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/policy/modules/services/kubernetes.te b/policy/modules/services/kubernetes.te
index 38b3a545e..99e76d2e9 100644
--- a/policy/modules/services/kubernetes.te
+++ b/policy/modules/services/kubernetes.te
@@ -249,10 +249,8 @@ fs_tmpfs_filetrans(kubelet_t, kubernetes_tmpfs_t, { dir file lnk_file })
 
 corenet_tcp_bind_generic_node(kubelet_t)
 
-corenet_tcp_connect_http_port(kubelet_t)
 corenet_tcp_bind_kubernetes_port(kubelet_t)
-corenet_tcp_connect_kubernetes_port(kubelet_t)
-corenet_tcp_connect_all_unreserved_ports(kubelet_t)
+corenet_tcp_connect_all_ports(kubelet_t)
 
 corecmd_exec_bin(kubelet_t)
 corecmd_watch_bin_dirs(kubelet_t)
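Review bot: replacing three targeted connect interfaces with `corenet_tcp_connect_all_ports(kubelet_t)` is a wide grant (every reserved and unreserved TCP port, whether or not a pod listens there), and the only justification, "For pod health checks", is in the commit message. Put that reason in a comment above the rule, as the file does elsewhere, and consider a tunable so deployments whose probes only reach a known set of ports can keep the narrower interfaces.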



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2024-09-22  0:03 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2024-09-22  0:03 UTC (permalink / raw
  To: gentoo-commits

commit:     d3f848f176741b7a2df860ec4ffba055e5bcc5e6
Author:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
AuthorDate: Fri Aug  9 14:35:43 2024 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Sep 21 22:28:29 2024 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d3f848f1

container: allow reading generic certs

There are cases where one may want to mount certs on the host into a
container.

Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/container.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te
index e9f59e516..8fcd88e1e 100644
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@@ -389,6 +389,7 @@ libs_dontaudit_setattr_lib_files(container_domain)
 miscfiles_read_localization(container_domain)
 miscfiles_dontaudit_setattr_fonts_cache_dirs(container_domain)
 miscfiles_read_fonts(container_domain)
+miscfiles_read_generic_certs(container_domain)
 
 mta_dontaudit_read_spool_symlinks(container_domain)
 
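Review bot: `miscfiles_read_generic_certs(container_domain)` applies to every container domain through the attribute, not only to containers that have host certificates mounted. If the host's cert_t directories also hold private keys, any container that can reach those paths may read them; a tunable, or granting the read on a narrower attribute, would keep the default closed while still supporting the mounted-certs case the commit describes.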



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2024-09-22  0:03 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2024-09-22  0:03 UTC (permalink / raw
  To: gentoo-commits

commit:     bf2e1aefe8bc29b3e5191ddd395193e12106c0c7
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Mon Aug 19 12:18:52 2024 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Sep 21 22:28:29 2024 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=bf2e1aef

bluetooth: Move line.

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/bluetooth.te | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te
index baf1016f0..f981af2ab 100644
--- a/policy/modules/services/bluetooth.te
+++ b/policy/modules/services/bluetooth.te
@@ -77,9 +77,6 @@ filetrans_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_rw_t, { dir file
 allow bluetooth_t bluetooth_lock_t:file manage_file_perms;
 files_lock_filetrans(bluetooth_t, bluetooth_lock_t, file)
 
-bluetooth_use_inherited_helper_stream_sockets(bluetooth_t)
-
-
 manage_dirs_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t)
 manage_files_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t)
 files_tmp_filetrans(bluetooth_t, bluetooth_tmp_t, { dir file })
@@ -94,6 +91,8 @@ files_runtime_filetrans(bluetooth_t, bluetooth_runtime_t, { file sock_file })
 
 can_exec(bluetooth_t, bluetooth_helper_exec_t)
 
+bluetooth_use_inherited_helper_stream_sockets(bluetooth_t)
+
 kernel_read_kernel_sysctls(bluetooth_t)
 kernel_read_system_state(bluetooth_t)
 kernel_read_network_state(bluetooth_t)



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2024-09-22  0:03 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2024-09-22  0:03 UTC (permalink / raw
  To: gentoo-commits

commit:     4b469439447303847f750af5853231ea880985dc
Author:     Naga Bhavani Akella <quic_nakella <AT> quicinc <DOT> com>
AuthorDate: Fri Aug 16 05:24:24 2024 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Sep 21 22:28:29 2024 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4b469439

Adding SE Policy rules to allow usage of unix stream sockets by dbus and bluetooth contexts when Gatt notifications are turned on by remote.

Below are the avc denials that are resolved -

1. AVC avc:  denied  { use } for  pid=916 comm="dbus-daemon"
path="socket:[71126]" dev="sockfs" ino=71126
scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023
tcontext=system_u:system_r:bluetooth_helper_t:s0-s15:c0.c1023
tclass=fd permissive=0

2. AVC avc:  denied  { read write } for  pid=913 comm="dbus-daemon"
path="socket:[25037]" dev="sockfs" ino=25037
scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023
tcontext=system_u:system_r:bluetooth_helper_t:s0-s15:c0.c1023
tclass=unix_stream_socket permissive=0

3. AVC avc:  denied  { use } for  pid=910 comm="bluetoothd"
path="socket:[23966]" dev="sockfs" ino=23966
scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
tcontext=system_u:system_r:bluetooth_helper_t:s0-s15:c0.c1023
tclass=fd permissive=0

4. AVC avc:  denied  { read write } for  pid=2229 comm="bluetoothd"
path="socket:[27264]" dev="sockfs" ino=27264
scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
tcontext=system_u:system_r:bluetooth_helper_t:s0-s15:c0.c1023
tclass=unix_stream_socket permissive=0

Signed-off-by: Naga Bhavani Akella <quic_nakella <AT> quicinc.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/bluetooth.if | 22 ++++++++++++++++++++++
 policy/modules/services/bluetooth.te |  3 +++
 policy/modules/services/dbus.te      |  1 +
 3 files changed, 26 insertions(+)

diff --git a/policy/modules/services/bluetooth.if b/policy/modules/services/bluetooth.if
index 0f45a8cc2..bc3a72c15 100644
--- a/policy/modules/services/bluetooth.if
+++ b/policy/modules/services/bluetooth.if
@@ -188,6 +188,28 @@ interface(`bluetooth_dontaudit_read_helper_state',`
 	dontaudit $1 bluetooth_helper_t:file read_file_perms;
 ')
 
+#####################################
+## <summary>
+##	Connect to bluetooth over a unix domain
+##	stream socket. The socket can be used
+##      for read and write. This is required for
+#       bluetooth helper context.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`bluetooth_use_inherited_helper_stream_sockets',`
+	gen_require(`
+		type bluetooth_helper_t;
+	')
+
+	allow $1 bluetooth_helper_t:unix_stream_socket rw_socket_perms;
+	allow $1 bluetooth_helper_t:fd use;
+')
+
 ########################################
 ## <summary>
 ##	All of the rules required to
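Review bot: in the new doc block, the lines `##      for read and write. This is required for` and `#       bluetooth helper context.` are indented with spaces instead of the tab used by the rest of the block, and the second starts with a single `#`, so the documentation generator will drop it from the summary. The summary also says "Connect to bluetooth over a unix domain stream socket", but the rules grant `fd use` and `rw_socket_perms` on inherited bluetooth_helper_t sockets, not connectto; reword it to match what the interface name already says.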

diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te
index 10d099d3d..baf1016f0 100644
--- a/policy/modules/services/bluetooth.te
+++ b/policy/modules/services/bluetooth.te
@@ -77,6 +77,9 @@ filetrans_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_rw_t, { dir file
 allow bluetooth_t bluetooth_lock_t:file manage_file_perms;
 files_lock_filetrans(bluetooth_t, bluetooth_lock_t, file)
 
+bluetooth_use_inherited_helper_stream_sockets(bluetooth_t)
+
+
 manage_dirs_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t)
 manage_files_pattern(bluetooth_t, bluetooth_tmp_t, bluetooth_tmp_t)
 files_tmp_filetrans(bluetooth_t, bluetooth_tmp_t, { dir file })
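Review bot: two blank lines are added after `bluetooth_use_inherited_helper_stream_sockets(bluetooth_t)`, and the call is dropped into the lock and tmp file-management block rather than next to the other helper-related rules. One blank line and a place beside the helper rules would keep the file consistent.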

diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index 58ac501d3..fcb45ccd9 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -272,6 +272,7 @@ optional_policy(`
 
 optional_policy(`
 	bluetooth_use(system_dbusd_t)
+	bluetooth_use_inherited_helper_stream_sockets(system_dbusd_t)
 ')
 
 optional_policy(`



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2024-09-22  0:03 Jason Zaman
  0 siblings, 0 replies; 299+ messages in thread
From: Jason Zaman @ 2024-09-22  0:03 UTC (permalink / raw
  To: gentoo-commits

commit:     93d85a091c30d39a52afe6f7bc3068ee5f196e34
Author:     nisbet-hubbard <87453615+nisbet-hubbard <AT> users <DOT> noreply <DOT> github <DOT> com>
AuthorDate: Sat Sep 14 23:58:57 2024 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Sep 21 22:28:30 2024 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=93d85a09

Update mysql.fc

Signed-off-by: nisbet-hubbard <87453615+nisbet-hubbard <AT> users.noreply.github.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/mysql.fc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/services/mysql.fc b/policy/modules/services/mysql.fc
index 7b7b45b34..96fa72a16 100644
--- a/policy/modules/services/mysql.fc
+++ b/policy/modules/services/mysql.fc
@@ -1,4 +1,5 @@
 HOME_DIR/\.my\.cnf	--	gen_context(system_u:object_r:mysqld_home_t,s0)
+HOME_DIR/\.mylogin\.cnf	 --	 gen_context(system_u:object_r:mysqld_home_t,s0)
 
 /etc/my\.cnf	--	gen_context(system_u:object_r:mysqld_etc_t,s0)
 /etc/my\.cnf\.d(/.*)?	gen_context(system_u:object_r:mysqld_etc_t,s0)
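Review bot: the new `HOME_DIR/\.mylogin\.cnf` entry separates its fields with tab-space combinations where the line above uses plain tabs; match the existing separators so the file stays aligned. Labeling it mysqld_home_t alongside .my.cnf is appropriate, since both hold client credentials and should get the same protection.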



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2025-01-06 21:08 Kenton Groombridge
  0 siblings, 0 replies; 299+ messages in thread
From: Kenton Groombridge @ 2025-01-06 21:08 UTC (permalink / raw
  To: gentoo-commits

commit:     42fb434d46f64e73d5458ea4b444db1f80ee5ed3
Author:     Marc Schiffbauer <mschiff <AT> gentoo <DOT> org>
AuthorDate: Wed Dec  4 21:40:25 2024 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Mon Jan  6 21:08:09 2025 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=42fb434d

services/zfs: allow auto-snapshots being created via systemd-timer

for reading compatibility file /usr/share/zfs/compatibility.d/openzfs-2.2
-rw-r--r--. 1 root root system_u:object_r:usr_t:s0 584 30. Aug 01:15 /usr/share/zfs/compatibility.d/openzfs-2.2

files_read_usr_files(zfs_t)
files_mmap_read_usr_files(zfs_t)

 auto-snapshots through systemd-timer not working without this:
  scontext="system_u:system_r:zfs_t:s0" tcontext="system_u:object_r:zfs_exec_t:s0"
  class="file" perms="execute_no_trans"
  comm="env" exe="" path=""
  message="type=AVC msg=audit(1726998333.913:106): avc:  denied  {
   execute_no_trans } for  pid=1708 comm="env" path="/usr/bin/zpool" dev="zfs"
   ino=405615 scontext=system_u:system_r:zfs_t:s0
   tcontext=system_u:object_r:zfs_exec_t:s0 tclass=file permissive=0 "

allow zfs_t zfs_exec_t:file execute_no_trans;

Signed-off-by: Marc Schiffbauer <mschiff <AT> gentoo.org>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/services/zfs.te | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/policy/modules/services/zfs.te b/policy/modules/services/zfs.te
index 57dbe0582..68ce14c76 100644
--- a/policy/modules/services/zfs.te
+++ b/policy/modules/services/zfs.te
@@ -135,6 +135,13 @@ userdom_use_user_terminals(zfs_t)
 
 zfs_rw_zpool_cache(zfs_t)
 
+# for reading compatibility file in /usr/share/zfs/compatibility.d/
+files_read_usr_files(zfs_t)
+files_mmap_read_usr_files(zfs_t)
+
+# auto-snapshots through systemd-timer not working without this
+allow zfs_t zfs_exec_t:file execute_no_trans;
+
 optional_policy(`
 	fstools_manage_runtime_files(zfs_t)
 	fstools_runtime_filetrans(zfs_t, dir, "blkid")
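Review bot: the comment `# auto-snapshots through systemd-timer not working without this` describes a symptom rather than the access; the commit message shows the actual need, `env` in zfs_t executing /usr/bin/zpool (zfs_exec_t). Say that in the comment, because `execute_no_trans` on the domain's own executable type is a permission a future reader may want to reassess.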



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
@ 2025-01-06 22:49 Kenton Groombridge
  0 siblings, 0 replies; 299+ messages in thread
From: Kenton Groombridge @ 2025-01-06 22:49 UTC (permalink / raw
  To: gentoo-commits

commit:     5d5cd5aa4b27f066010097c1779f96bcaa6fc5d8
Author:     Rahul Sandhu <rahul <AT> sandhuservices <DOT> dev>
AuthorDate: Sun Jan  5 14:55:07 2025 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Mon Jan  6 22:48:58 2025 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5d5cd5aa

xserver: add xdm user with role access to system_r and xdm_r

Sync with upstream's xserver changes.

Previously reverted in dada9b3defc6c44e73d56adf245a5812c3f08404. The
reasoning for the revert:
```
This commit added the sddm user to the xserver module.
This caused problems loading the xserver module if the user did not
exist on the system.
```
no longer applies, as upstream hit this issue here:
https://github.com/SELinuxProject/refpolicy/issues/488 and resolved it.

Fixes: https://github.com/gentoo/hardened-refpolicy/issues/7

Signed-off-by: Rahul Sandhu <rahul <AT> sandhuservices.dev>
Closes: https://github.com/gentoo/hardened-refpolicy/pull/8
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/services/xserver.te | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index c5d7a0f03..1b843b466 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -86,6 +86,10 @@ gen_tunable(xserver_object_manager, false)
 ## </desc>
 gen_tunable(xserver_allow_dri, false)
 
+# for sddm to use pam for greeter
+role xdm_r;
+allow system_r xdm_r;
+
 attribute x_domain;
 
 # X Events
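Review bot: `role xdm_r;` and `allow system_r xdm_r;` are placed between the gen_tunable declarations, and the role's types are bound in a separate hunk; putting the role declaration next to `role xdm_r types xdm_t;` in the declarations section would keep related lines together. The comment repeats "for sddm to use pam for greeter" three times in this patch; once, with the actual reason (the greeter runs in a different role), would be clearer.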
@@ -169,6 +173,7 @@ fs_associate_tmpfs(xconsole_device_t)
 files_associate_tmp(xconsole_device_t)
 
 type xdm_t;
+role xdm_r types xdm_t;
 type xdm_exec_t;
 auth_login_pgm_domain(xdm_t)
 init_domain(xdm_t, xdm_exec_t)
@@ -891,6 +896,9 @@ manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
 manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
 manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
 
+# for sddm to use pam for greeter, sddm greeter needs execmod
+allow xdm_t xdm_tmpfs_t:file execmod;
+
 # Run Xorg.wrap
 can_exec(xserver_t, xserver_exec_t)
 
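Review bot: `allow xdm_t xdm_tmpfs_t:file execmod;` lets the display manager execute modified (text-relocated) mappings of its tmpfs files, which weakens the W^X guarantee for xdm_t as a whole. Since the comment ties it to the sddm greeter, consider gating it behind a tunable or an sddm-specific conditional so other display managers do not inherit it.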
@@ -1091,3 +1099,6 @@ ifdef(`distro_gentoo',`
 		cgmanager_stream_connect(xdm_t)
 	')
 ')
+
+# for sddm to use pam for greeter
+gen_user(xdm,, xdm_r system_r, s0, s0)
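Review bot: `gen_user(xdm,, xdm_r system_r, s0, s0)` is appended after the closing `')` of the `ifdef(`distro_gentoo'` block rather than inside it or near the other role declarations in this patch; if the user is intended for every build that is fine, but say so, since the commit message recalls that an earlier version broke module loading when the user was absent and points to the upstream fix rather than restating it.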



2021-02-07  3:20 Jason Zaman
2021-02-01  2:10 Jason Zaman
2021-02-01  2:10 Jason Zaman
2021-02-01  2:10 Jason Zaman
2021-02-01  2:10 Jason Zaman
2021-02-01  2:10 Jason Zaman
2021-02-01  2:10 Jason Zaman
2021-02-01  2:10 Jason Zaman
2021-02-01  2:10 Jason Zaman
2021-02-01  2:10 Jason Zaman
2021-02-01  2:10 Jason Zaman
2021-02-01  2:10 Jason Zaman
2021-02-01  2:10 Jason Zaman
2021-02-01  2:10 Jason Zaman
2021-02-01  2:10 Jason Zaman
2020-11-28 23:09 Jason Zaman
2020-11-28 23:09 Jason Zaman
2020-11-28 23:09 Jason Zaman
2020-11-28 23:09 Jason Zaman
2020-11-28 23:09 Jason Zaman
2020-11-28 23:09 Jason Zaman
2020-11-28 23:09 Jason Zaman
2020-10-13  3:02 Jason Zaman
2020-10-13  3:02 Jason Zaman
2020-10-13  3:02 Jason Zaman
2020-10-13  3:02 Jason Zaman
2020-10-13  3:02 Jason Zaman
2020-10-13  3:02 Jason Zaman
2020-02-15  7:33 Jason Zaman
2019-12-16 17:48 Jason Zaman
2019-12-16 17:48 Jason Zaman
2019-12-16 17:48 Jason Zaman
2019-12-16 17:48 Jason Zaman
2019-12-16 17:48 Jason Zaman
2019-07-13  7:01 Jason Zaman
2019-07-13  7:01 Jason Zaman
2019-07-13  7:01 Jason Zaman
2019-03-26 10:17 Jason Zaman
2019-03-26 10:17 Jason Zaman
2019-03-26 10:17 Jason Zaman
2019-03-26 10:17 Jason Zaman
2019-02-10  4:14 Jason Zaman
2019-02-10  4:14 Jason Zaman
2019-02-10  4:14 Jason Zaman
2019-02-10  4:14 Jason Zaman
2019-02-10  4:14 Jason Zaman
2019-02-10  4:14 Jason Zaman
2019-02-10  4:14 Jason Zaman
2018-12-09 11:48 Jason Zaman
2018-12-09 11:48 Jason Zaman
2018-12-09 11:48 Jason Zaman
2018-12-09 11:48 Jason Zaman
2018-12-09 11:48 Jason Zaman
2018-12-09 11:48 Jason Zaman
2018-12-09 11:48 Jason Zaman
2018-11-11 23:29 Jason Zaman
2018-11-11 23:29 Jason Zaman
2018-11-11 23:29 Jason Zaman
2018-11-11 23:29 Jason Zaman
2018-11-11 23:29 Jason Zaman
2018-11-11 23:29 Jason Zaman
2018-11-11 23:29 Jason Zaman
2018-11-11 23:29 Jason Zaman
2018-11-11 23:29 Jason Zaman
2018-11-11 23:29 Jason Zaman
2018-07-12 14:37 Jason Zaman
2018-06-25  5:33 Jason Zaman
2018-06-24  8:46 Jason Zaman
2017-12-14  5:15 Jason Zaman
2017-12-12  7:59 Jason Zaman
2017-12-12  7:59 Jason Zaman
2017-12-12  7:59 Jason Zaman
2017-11-17 14:59 Jason Zaman
2017-10-29 20:42 Jason Zaman
2017-02-05  6:29 Jason Zaman
2017-01-26  3:32 Jason Zaman
2017-01-13 18:43 Sven Vermeulen
2017-01-13 18:43 Sven Vermeulen
2017-01-01 16:37 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2017-01-01 16:36 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2017-01-01 16:36 Jason Zaman
2017-01-01 16:36 Jason Zaman
2016-12-06 14:24 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2016-12-06 13:39 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2016-12-06 13:39 Jason Zaman
2016-12-06 13:39 Jason Zaman
2016-12-06 13:39 Jason Zaman
2016-12-06 13:39 Jason Zaman
2016-08-17 16:59 Jason Zaman
2016-01-30 17:21 Jason Zaman
2016-01-30 17:21 Jason Zaman
2016-01-30 17:21 Jason Zaman
2016-01-30 17:21 Jason Zaman
2015-10-10 16:11 Jason Zaman
2015-08-02 19:26 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2015-08-02 19:23 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2015-08-02 19:26 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2015-08-02 19:23 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2015-05-27 20:00 Jason Zaman
2015-03-04 17:03 [gentoo-commits] proj/hardened-refpolicy:next " Sven Vermeulen
2015-03-04 16:45 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
2014-08-21 17:31 Sven Vermeulen
2014-08-21 17:31 Sven Vermeulen
2014-08-21 17:31 Sven Vermeulen
2014-08-13 20:02 Sven Vermeulen
2014-08-13 20:02 Sven Vermeulen
2014-06-10 18:17 Sven Vermeulen
2014-06-10 18:17 Sven Vermeulen
2014-04-18 20:06 Sven Vermeulen
2014-04-17 19:04 Sven Vermeulen
2014-04-17 19:04 Sven Vermeulen
2014-03-25 20:41 Sven Vermeulen
2014-03-17  8:24 Sven Vermeulen
2014-03-17  8:24 Sven Vermeulen
2014-03-17  8:24 Sven Vermeulen
2014-03-17  8:24 Sven Vermeulen
2014-03-17  8:24 Sven Vermeulen
2014-03-17  8:24 Sven Vermeulen
2014-02-09 10:54 Sven Vermeulen
2014-02-09 10:54 Sven Vermeulen
2014-02-09 10:54 Sven Vermeulen
2014-02-09 10:54 Sven Vermeulen
2014-02-09 10:54 Sven Vermeulen
2014-02-09 10:54 Sven Vermeulen
2014-02-09 10:54 Sven Vermeulen
2014-01-19 19:01 Sven Vermeulen
2014-01-19 19:01 Sven Vermeulen
2013-12-09 14:37 Sven Vermeulen
2013-12-06 17:33 Sven Vermeulen
2013-09-27 13:27 Sven Vermeulen
2013-09-27 13:27 Sven Vermeulen
2013-09-27 13:27 Sven Vermeulen
2013-09-27 13:27 Sven Vermeulen
2013-09-24 17:10 Sven Vermeulen
2013-09-24 17:10 Sven Vermeulen
2013-07-23 12:02 Sven Vermeulen
2013-01-03 16:49 Sven Vermeulen
2012-12-07 15:36 Sven Vermeulen
2012-12-07 15:36 Sven Vermeulen
2012-12-07 15:36 Sven Vermeulen
2012-11-27 19:14 Sven Vermeulen
2012-11-27 19:14 Sven Vermeulen
2012-11-25 21:39 Sven Vermeulen
2012-10-19 15:06 Sven Vermeulen
2012-10-19 15:06 Sven Vermeulen
2012-10-19 15:06 Sven Vermeulen
2012-10-19 15:06 Sven Vermeulen
2012-10-10 19:52 Sven Vermeulen
2012-08-21 17:52 Sven Vermeulen
2012-08-21 17:52 Sven Vermeulen
2012-05-28 12:39 Sven Vermeulen