From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 4D754158087 for ; Mon, 7 Feb 2022 02:15:03 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id C5A062BC012; Mon, 7 Feb 2022 02:15:01 +0000 (UTC) Received: from smtp.gentoo.org (woodpecker.gentoo.org [140.211.166.183]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 90A6F2BC012 for ; Mon, 7 Feb 2022 02:15:01 +0000 (UTC) Received: from oystercatcher.gentoo.org (unknown [IPv6:2a01:4f8:202:4333:225:90ff:fed9:fc84]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 46FE8342D50 for ; Mon, 7 Feb 2022 02:15:00 +0000 (UTC) Received: from localhost.localdomain (localhost [IPv6:::1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id 911E32D1 for ; Mon, 7 Feb 2022 02:14:58 +0000 (UTC) 
From: "Jason Zaman"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman"
Message-ID: <1644199765.06fc14861d2845562804a6ffef47402b13fcbad0.perfinion@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/system/systemd.te
X-VCS-Directories: policy/modules/system/
X-VCS-Committer: perfinion
X-VCS-Committer-Name: Jason Zaman
X-VCS-Revision: 06fc14861d2845562804a6ffef47402b13fcbad0
X-VCS-Branch: master
Date: Mon, 7 Feb 2022 02:14:58 +0000 (UTC)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply
X-Archives-Salt: 5453fd42-d0e4-483e-8ea3-24c693d89ec8
X-Archives-Hash: 9adf9288e85196a49fa8fbc3c1737532

commit: 06fc14861d2845562804a6ffef47402b13fcbad0
Author: Chris PeBenito microsoft com>
AuthorDate: Mon Jan 3 21:21:59 2022 +0000
Commit: Jason Zaman gentoo org>
CommitDate: Mon Feb 7 02:09:25 2022 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=06fc1486

systemd: Additional fixes for fs getattrs.

This may need to be allowed more broadly.

Signed-off-by: Chris PeBenito microsoft.com>
Signed-off-by: Jason Zaman gentoo.org>

 policy/modules/system/systemd.te | 36 +++++++++++++++++++++++++++++-------
 1 file changed, 29 insertions(+), 7 deletions(-)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 95939f0f..7ccfbaf2 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -482,8 +482,7 @@ files_search_all_mountpoints(systemd_generator_t)
 files_list_usr(systemd_generator_t)
 fs_list_efivars(systemd_generator_t)
-fs_getattr_cgroup(systemd_generator_t)
-fs_getattr_xattr_fs(systemd_generator_t)
+fs_getattr_all_fs(systemd_generator_t)
 init_create_runtime_files(systemd_generator_t)
 init_manage_runtime_dirs(systemd_generator_t)
@@ -695,6 +694,9 @@ files_etc_filetrans(systemd_hw_t, systemd_hwdb_t, file)
 files_search_runtime(systemd_hw_t)
+fs_getattr_all_fs(systemd_hw_t)
+fs_search_cgroup_dirs(systemd_hw_t)
+
 selinux_get_fs_mount(systemd_hw_t)
 selinux_use_status_page(systemd_hw_t)
@@ -822,6 +824,7 @@ fs_read_cgroup_files(systemd_logind_t)
 fs_read_efivarfs_files(systemd_logind_t)
 fs_relabelfrom_tmpfs_dirs(systemd_logind_t)
 fs_unmount_tmpfs(systemd_logind_t)
+fs_getattr_xattr_fs(systemd_logind_t)
 logging_send_audit_msgs(systemd_logind_t)
@@ -905,7 +908,6 @@ ifdef(`distro_redhat',`
 tunable_policy(`systemd_logind_get_bootloader',`
 fs_getattr_dos_fs(systemd_logind_t)
- fs_getattr_xattr_fs(systemd_logind_t)
 fs_list_dos(systemd_logind_t)
 fs_read_dos_files(systemd_logind_t)
@@ -1072,8 +1074,8 @@ files_read_etc_files(systemd_networkd_t)
 files_watch_runtime_dirs(systemd_networkd_t)
 files_watch_root_dirs(systemd_networkd_t)
 files_list_runtime(systemd_networkd_t)
-fs_getattr_xattr_fs(systemd_networkd_t)
-fs_getattr_cgroup(systemd_networkd_t)
+
+fs_getattr_all_fs(systemd_networkd_t)
 fs_search_cgroup_dirs(systemd_networkd_t)
 fs_read_nsfs_files(systemd_networkd_t)
@@ -1412,6 +1414,9 @@ files_watch_root_dirs(systemd_resolved_t)
 files_watch_runtime_dirs(systemd_resolved_t)
 files_list_runtime(systemd_resolved_t)
+fs_getattr_all_fs(systemd_resolved_t)
+fs_search_cgroup_dirs(systemd_resolved_t)
+
 init_dgram_send(systemd_resolved_t)
 seutil_read_file_contexts(systemd_resolved_t)
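Review bot: Replacing `fs_getattr_cgroup` and `fs_getattr_xattr_fs` with `fs_getattr_all_fs(systemd_generator_t)` widens filesystem-class getattr from two named filesystem types to every type carrying the filesystem_type attribute, and the commit message only says this "may need to be allowed more broadly" without recording which access actually failed. Filesystem getattr is the statfs-level metadata check rather than file contents, so the exposure is small, but the same substitution is made for five other domains in this commit and none of them carries a comment, so whoever later tries to tighten these rules has nothing to go on. A one-line comment above the call, such as `# statfs() of mounts of arbitrary type; was limited to cgroup and xattr filesystems`, would preserve the rationale. The systemd_generator_t policy block starts and ends outside this hunk.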
@@ -1462,6 +1467,9 @@ allow systemd_sessions_t self:process setfscreate;
 allow systemd_sessions_t systemd_sessions_runtime_t:file manage_file_perms;
 files_runtime_filetrans(systemd_sessions_t, systemd_sessions_runtime_t, file)
+fs_getattr_all_fs(systemd_sessions_t)
+fs_search_cgroup_dirs(systemd_sessions_t)
+
 kernel_read_kernel_sysctls(systemd_sessions_t)
 kernel_dontaudit_getattr_proc(systemd_sessions_t)
@@ -1491,6 +1499,9 @@ kernel_dontaudit_getattr_proc(systemd_sysctl_t)
 files_read_etc_files(systemd_sysctl_t)
+fs_getattr_all_fs(systemd_sysctl_t)
+fs_search_cgroup_dirs(systemd_sysctl_t)
+
 systemd_log_parse_environment(systemd_sysctl_t)
 #########################################
@@ -1504,6 +1515,9 @@ allow systemd_sysusers_t self:unix_dgram_socket sendto;
 files_manage_etc_files(systemd_sysusers_t)
+fs_getattr_all_fs(systemd_sysusers_t)
+fs_search_cgroup_dirs(systemd_sysusers_t)
+
 kernel_read_kernel_sysctls(systemd_sysusers_t)
 selinux_use_status_page(systemd_sysusers_t)
@@ -1587,10 +1601,10 @@ files_setattr_lock_dirs(systemd_tmpfiles_t)
 # for /etc/mtab
 files_manage_etc_symlinks(systemd_tmpfiles_t)
-fs_getattr_tmpfs(systemd_tmpfiles_t)
-fs_getattr_xattr_fs(systemd_tmpfiles_t)
 fs_list_tmpfs(systemd_tmpfiles_t)
 fs_relabelfrom_tmpfs_dirs(systemd_tmpfiles_t)
+fs_getattr_all_fs(systemd_tmpfiles_t)
+fs_search_cgroup_dirs(systemd_tmpfiles_t)
 selinux_get_fs_mount(systemd_tmpfiles_t)
 selinux_use_status_page(systemd_tmpfiles_t)
@@ -1679,6 +1693,9 @@ allow systemd_update_done_t systemd_update_run_t:file manage_file_perms;
 files_etc_filetrans(systemd_update_done_t, systemd_update_run_t, file)
 files_var_filetrans(systemd_update_done_t, systemd_update_run_t, file)
+fs_getattr_all_fs(systemd_update_done_t)
+fs_search_cgroup_dirs(systemd_update_done_t)
+
 kernel_read_kernel_sysctls(systemd_update_done_t)
 selinux_use_status_page(systemd_update_done_t)
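Review bot: `fs_search_cgroup_dirs(systemd_sysctl_t)` grants directory search on cgroupfs to a one-shot sysctl applier, which goes beyond the "fs getattrs" the commit title describes, and the same `fs_getattr_all_fs` + `fs_search_cgroup_dirs` pair is dropped into systemd_sessions_t, systemd_sysusers_t, systemd_tmpfiles_t and systemd_update_done_t in this diff without a comment in any of them. Presumably this is shared systemd library code resolving the process's own cgroup path at startup, but nothing in the hunk says so, and a search right on /sys/fs/cgroup is not obviously something a sysctl applier needs. If that is the cause, a comment at the first occurrence such as `# systemd shared startup code looks up its own cgroup path` would let a later audit tie the rule to a reason; if it is not, the rule may be wider than the denial required. The systemd_sysctl_t policy block starts and ends outside this hunk.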
@@ -1787,8 +1804,12 @@ files_read_etc_files(systemd_userdbd_t)
 files_read_etc_runtime_files(systemd_userdbd_t)
 files_read_usr_files(systemd_userdbd_t)
+fs_getattr_all_fs(systemd_userdbd_t)
+fs_search_cgroup_dirs(systemd_userdbd_t)
 fs_read_efivarfs_files(systemd_userdbd_t)
+kernel_read_system_state(systemd_userdbd_t)
+
 init_stream_connect(systemd_userdbd_t)
 init_search_runtime(systemd_userdbd_t)
 init_read_state(systemd_userdbd_t)
@@ -1819,6 +1840,7 @@ fs_unmount_tmpfs(systemd_user_runtime_dir_t)
 fs_relabelfrom_tmpfs_dirs(systemd_user_runtime_dir_t)
 fs_read_cgroup_files(systemd_user_runtime_dir_t)
 fs_getattr_cgroup(systemd_user_runtime_dir_t)
+fs_getattr_xattr_fs(systemd_user_runtime_dir_t)
 kernel_read_kernel_sysctls(systemd_user_runtime_dir_t)
 kernel_dontaudit_getattr_proc(systemd_user_runtime_dir_t)
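Review bot: `kernel_read_system_state(systemd_userdbd_t)` is the one rule in this commit that is neither a filesystem getattr nor a cgroup search: as its name indicates it grants read access to the kernel's /proc system state, a considerably wider surface than "fixes for fs getattrs" suggests, and it is the only addition the commit message does not account for. It is also inserted between the fs_ and init_ groups, whereas the other domains in this same diff (systemd_sysusers_t, systemd_update_done_t) order interface calls by module name with kernel_ after init_. Suggest moving it below `init_read_state(systemd_userdbd_t)` with a comment recording what triggered it, e.g. `# reads /proc state; TODO note which file produced the denial`, and if only one file is needed, a narrower kernel_ interface would be preferable to the whole system-state set. The systemd_userdbd_t policy block starts and ends outside this hunk.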
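Review bot: `fs_getattr_xattr_fs(systemd_user_runtime_dir_t)` is added next to the existing `fs_getattr_cgroup`, leaving this domain with exactly the cgroup+xattr pair that the other hunks of this commit replace with `fs_getattr_all_fs`. The narrower pair is the better least-privilege outcome, but the inconsistency is unexplained: either the pair is sufficient for the shared systemd code, in which case the blanket `fs_getattr_all_fs` elsewhere is wider than necessary, or it is not, and this domain will produce the same denial later. A comment on one side or the other, e.g. `# only cgroup and xattr filesystems are statfs()ed here; other systemd domains use fs_getattr_all_fs`, would record which it is. The systemd_user_runtime_dir_t policy block continues outside this hunk.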