Subject: [gentoo-commits] proj/hardened-refpolicy:concord-dev commit in: policy/modules/services/
From: Kenton Groombridge @ 2022-06-06 15:08 UTC
To: gentoo-commits
commit: 4c32f9d4dd4a46fe2619359f0fa8fc4e72be1901
Author: Kenton Groombridge <concord <AT> gentoo <DOT> org>
AuthorDate: Fri Nov 12 01:24:07 2021 +0000
Commit: Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Mon Jun 6 15:07:20 2022 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4c32f9d4
apache: add gentoo-specific interface to map httpd sys content
Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
policy/modules/services/apache.if | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
index 2b3a7f3c..8daa613b 100644
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@@ -1466,3 +1466,23 @@ interface(`apache_rw_runtime_files',`
allow $1 httpd_runtime_t:file rw_file_perms;
')
+
+########################################
+## <summary>
+## Map httpd sys content files.
+## This interface is Gentoo-specific.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_map_sys_content',`
+ gen_require(`
+ type httpd_sys_content_t, httpd_sys_rw_content_t;
+ ')
+
+ allow $1 httpd_sys_content_t:file map;
+ allow $1 httpd_sys_rw_content_t:file map;
+')
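Review bot: `map` on its own does not let a caller mmap these files; the kernel also checks `read` on the file class for a PROT_READ mapping (and `execute` for PROT_EXEC), so a domain given only `apache_map_sys_content` is still denied unless it also holds read access to httpd_sys_content_t and httpd_sys_rw_content_t through one of this module's existing read interfaces. State that dependency in the `<summary>` so callers pair the two, and name both types there, since the grant extends to the writable rw content type and not just "sys content".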
Subject: [gentoo-commits] proj/hardened-refpolicy:concord-dev commit in: policy/modules/services/
From: Kenton Groombridge @ 2022-06-06 15:13 UTC
To: gentoo-commits
commit: 0d5ccab85bdcf69ce73f5702eaed97ee4d539533
Author: Kenton Groombridge <concord <AT> gentoo <DOT> org>
AuthorDate: Fri Nov 12 01:24:07 2021 +0000
Commit: Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Mon Jun 6 15:13:02 2022 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0d5ccab8
apache: add gentoo-specific interface to map httpd sys content
Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
policy/modules/services/apache.if | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
index 2b3a7f3c..8daa613b 100644
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@@ -1466,3 +1466,23 @@ interface(`apache_rw_runtime_files',`
allow $1 httpd_runtime_t:file rw_file_perms;
')
+
+########################################
+## <summary>
+## Map httpd sys content files.
+## This interface is Gentoo-specific.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_map_sys_content',`
+ gen_require(`
+ type httpd_sys_content_t, httpd_sys_rw_content_t;
+ ')
+
+ allow $1 httpd_sys_content_t:file map;
+ allow $1 httpd_sys_rw_content_t:file map;
+')
Subject: [gentoo-commits] proj/hardened-refpolicy:concord-dev commit in: policy/modules/services/
From: Kenton Groombridge @ 2022-06-06 15:15 UTC
To: gentoo-commits
commit: a10abea170376871caa2a53b8f103672b09e8acf
Author: Kenton Groombridge <concord <AT> gentoo <DOT> org>
AuthorDate: Fri Nov 12 01:24:07 2021 +0000
Commit: Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Mon Jun 6 15:15:03 2022 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a10abea1
apache: add gentoo-specific interface to map httpd sys content
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>
policy/modules/services/apache.if | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
index 2b3a7f3c..8daa613b 100644
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@@ -1466,3 +1466,23 @@ interface(`apache_rw_runtime_files',`
allow $1 httpd_runtime_t:file rw_file_perms;
')
+
+########################################
+## <summary>
+## Map httpd sys content files.
+## This interface is Gentoo-specific.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_map_sys_content',`
+ gen_require(`
+ type httpd_sys_content_t, httpd_sys_rw_content_t;
+ ')
+
+ allow $1 httpd_sys_content_t:file map;
+ allow $1 httpd_sys_rw_content_t:file map;
+')
Subject: [gentoo-commits] proj/hardened-refpolicy:concord-dev commit in: policy/modules/services/
From: Kenton Groombridge @ 2022-10-12 13:34 UTC
To: gentoo-commits
commit: 5135e685790073660abb1e0ef52816fb542f75a9
Author: Dave Sugar <dsugar100 <AT> gmail <DOT> com>
AuthorDate: Fri Aug 26 18:02:45 2022 +0000
Commit: Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Sat Sep 3 19:07:50 2022 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5135e685
firewalld: write tmpfs files
node=localhost type=AVC msg=audit(1661536245.787:9531): avc: denied { write } for pid=1008 comm="firewalld" path=2F6D656D66643A6C6962666669202864656C6574656429 dev="tmpfs" ino=2564 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1661536245.788:9532): avc: denied { map } for pid=1008 comm="firewalld" path=2F6D656D66643A6C6962666669202864656C6574656429 dev="tmpfs" ino=2564 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1661536245.788:9532): avc: denied { read execute } for pid=1008 comm="firewalld" path=2F6D656D66643A6C6962666669202864656C6574656429 dev="tmpfs" ino=2564 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar100 <AT> gmail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/services/firewalld.te | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/policy/modules/services/firewalld.te b/policy/modules/services/firewalld.te
index a32e4b93..32e16898 100644
--- a/policy/modules/services/firewalld.te
+++ b/policy/modules/services/firewalld.te
@@ -24,6 +24,9 @@ logging_log_file(firewalld_var_log_t)
type firewalld_tmp_t;
files_tmp_file(firewalld_tmp_t)
+type firewalld_tmpfs_t;
+files_tmpfs_file(firewalld_tmpfs_t)
+
########################################
#
# Local policy
@@ -54,6 +57,11 @@ manage_dirs_pattern(firewalld_t, firewalld_runtime_t, firewalld_runtime_t)
manage_files_pattern(firewalld_t, firewalld_runtime_t, firewalld_runtime_t)
files_runtime_filetrans(firewalld_t, firewalld_runtime_t, { dir file })
+manage_dirs_pattern(firewalld_t, firewalld_tmpfs_t, firewalld_tmpfs_t)
+manage_files_pattern(firewalld_t, firewalld_tmpfs_t, firewalld_tmpfs_t)
+mmap_read_files_pattern(firewalld_t, firewalld_tmpfs_t, firewalld_tmpfs_t)
+fs_tmpfs_filetrans(firewalld_t, firewalld_tmpfs_t, { dir file })
+
kernel_read_crypto_sysctls(firewalld_t)
kernel_read_network_state(firewalld_t)
kernel_read_system_state(firewalld_t)
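Review bot: the third denial quoted in the commit message asks for `{ read execute }` on the memfd (the hex path decodes to `/memfd:libffi (deleted)`), but `mmap_read_files_pattern` grants read and map only, so the execute part of that access will still be denied once firewalld_t runs enforcing. Either allow execute on firewalld_tmpfs_t:file explicitly or use `mmap_exec_files_pattern(firewalld_t, firewalld_tmpfs_t, firewalld_tmpfs_t)` in place of the read variant. Worth a comment above these rules as well: together with `manage_files_pattern` the domain can write and execute the same tmpfs file (libffi closure trampolines), so this block should not be widened further without a reason.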
Subject: [gentoo-commits] proj/hardened-refpolicy:concord-dev commit in: policy/modules/services/
From: Kenton Groombridge @ 2022-10-12 13:34 UTC
To: gentoo-commits
commit: 087ca14923766efc87202a6b8a98f701105ff7a1
Author: Dave Sugar <dsugar100 <AT> gmail <DOT> com>
AuthorDate: Wed Aug 24 14:32:45 2022 +0000
Commit: Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Sat Sep 3 19:07:49 2022 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=087ca149
chronyd: Allow to read fips_enabled sysctl
node=localhost type=AVC msg=audit(1661344394.902:355): avc: denied { search } for pid=1014 comm="chronyd" name="crypto" dev="proc" ino=10742 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1661344394.902:355): avc: denied { read } for pid=1014 comm="chronyd" name="fips_enabled" dev="proc" ino=10743 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1661344394.902:355): avc: denied { open } for pid=1014 comm="chronyd" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=10743 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1661344394.902:356): avc: denied { getattr } for pid=1014 comm="chronyd" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=10743 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar100 <AT> gmail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/services/chronyd.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/services/chronyd.te b/policy/modules/services/chronyd.te
index 3354485c..0cf41d3d 100644
--- a/policy/modules/services/chronyd.te
+++ b/policy/modules/services/chronyd.te
@@ -81,6 +81,7 @@ manage_files_pattern(chronyd_t, chronyd_runtime_t, chronyd_runtime_t)
manage_sock_files_pattern(chronyd_t, chronyd_runtime_t, chronyd_runtime_t)
files_runtime_filetrans(chronyd_t, chronyd_runtime_t, { dir file sock_file })
+kernel_read_crypto_sysctls(chronyd_t)
kernel_read_system_state(chronyd_t)
kernel_read_network_state(chronyd_t)
Subject: [gentoo-commits] proj/hardened-refpolicy:concord-dev commit in: policy/modules/services/
From: Kenton Groombridge @ 2022-10-12 13:34 UTC
To: gentoo-commits
commit: 639bfc231cae05ce9ff11b367e25f934a59bf23e
Author: Dave Sugar <dsugar100 <AT> gmail <DOT> com>
AuthorDate: Thu Aug 25 13:28:00 2022 +0000
Commit: Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Sat Sep 3 19:07:50 2022 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=639bfc23
firewalld: allow to read fips_enabled sysctl
node=localhost type=AVC msg=audit(1661396058.360:317): avc: denied { search } for pid=1014 comm="firewalld" name="crypto" dev="proc" ino=10510 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1661396058.360:317): avc: denied { read } for pid=1014 comm="firewalld" name="fips_enabled" dev="proc" ino=10511 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1661396058.360:317): avc: denied { open } for pid=1014 comm="firewalld" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=10511 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1661396058.361:318): avc: denied { getattr } for pid=1014 comm="firewalld" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=10511 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1661396058.664:340): avc: denied { search } for pid=1014 comm="firewalld" name="crypto" dev="proc" ino=10510 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
Signed-off-by: Dave Sugar <dsugar100 <AT> gmail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/services/firewalld.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/services/firewalld.te b/policy/modules/services/firewalld.te
index cb37c98b..b51b7740 100644
--- a/policy/modules/services/firewalld.te
+++ b/policy/modules/services/firewalld.te
@@ -53,6 +53,7 @@ manage_dirs_pattern(firewalld_t, firewalld_runtime_t, firewalld_runtime_t)
manage_files_pattern(firewalld_t, firewalld_runtime_t, firewalld_runtime_t)
files_runtime_filetrans(firewalld_t, firewalld_runtime_t, { dir file })
+kernel_read_crypto_sysctls(firewalld_t)
kernel_read_network_state(firewalld_t)
kernel_read_system_state(firewalld_t)
kernel_rw_net_sysctls(firewalld_t)
Subject: [gentoo-commits] proj/hardened-refpolicy:concord-dev commit in: policy/modules/services/
From: Kenton Groombridge @ 2022-10-12 13:34 UTC
To: gentoo-commits
commit: 86b5f035516e0a10b3af98732667d2c4cb08b79c
Author: Dave Sugar <dsugar100 <AT> gmail <DOT> com>
AuthorDate: Wed Aug 24 14:37:54 2022 +0000
Commit: Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Sat Sep 3 19:07:49 2022 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=86b5f035
chronyd: allow chronyd to read /usr/share/crypto-policies
With RHEL9, /etc/crypto-policies/back-ends are symlinks to /usr/share/crypto-policies/*/*
node=localhost type=AVC msg=audit(1661344395.351:395): avc: denied { getattr } for pid=1014 comm="chronyd" path="/usr/share/crypto-policies/FIPS/gnutls.txt" dev="dm-0" ino=402142 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1661344395.351:396): avc: denied { read } for pid=1014 comm="chronyd" name="gnutls.txt" dev="dm-0" ino=402142 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1661344395.351:396): avc: denied { open } for pid=1014 comm="chronyd" path="/usr/share/crypto-policies/FIPS/gnutls.txt" dev="dm-0" ino=402142 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar100 <AT> gmail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/services/chronyd.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/services/chronyd.te b/policy/modules/services/chronyd.te
index 0cf41d3d..aca9a63f 100644
--- a/policy/modules/services/chronyd.te
+++ b/policy/modules/services/chronyd.te
@@ -104,6 +104,8 @@ corenet_udp_bind_chronyd_port(chronyd_t)
dev_rw_realtime_clock(chronyd_t)
+files_read_usr_files(chronyd_t)
+
auth_use_nsswitch(chronyd_t)
logging_send_syslog_msg(chronyd_t)
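Review bot: the three denials all concern one file, /usr/share/crypto-policies/FIPS/gnutls.txt, while `files_read_usr_files` opens up every usr_t file to chronyd_t; that is the conventional refpolicy answer for /usr/share data, but the hunk does not show whether chronyd_t can follow the symlink in /etc/crypto-policies/back-ends that leads there, and without read on etc_t symlinks the chain still fails end to end. Confirm that etc_t access is already present elsewhere in chronyd.te and mention the symlink hop in the commit message, since that is the reason a usr_t rule fixes an /etc lookup.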
Subject: [gentoo-commits] proj/hardened-refpolicy:concord-dev commit in: policy/modules/services/
From: Kenton Groombridge @ 2022-10-12 13:34 UTC
To: gentoo-commits
commit: a5a8129939bf361112055e25a0e55531bbbe20b9
Author: Dave Sugar <dsugar100 <AT> gmail <DOT> com>
AuthorDate: Thu Aug 25 13:31:22 2022 +0000
Commit: Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Sat Sep 3 19:07:50 2022 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a5a81299
firewalld: create netfilter socket
node=localhost type=AVC msg=audit(1661396059.060:376): avc: denied { create } for pid=1014 comm="firewalld" scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=netlink_netfilter_socket permissive=1
node=localhost type=AVC msg=audit(1661396059.060:377): avc: denied { setopt } for pid=1014 comm="firewalld" scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=netlink_netfilter_socket permissive=1
node=localhost type=AVC msg=audit(1661396059.436:398): avc: denied { write } for pid=1014 comm="firewalld" scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=netlink_netfilter_socket permissive=1
node=localhost type=AVC msg=audit(1661396059.436:399): avc: denied { read } for pid=1014 comm="firewalld" scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=netlink_netfilter_socket permissive=1
node=localhost type=AVC msg=audit(1661396059.437:400): avc: denied { getopt } for pid=1014 comm="firewalld" scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=netlink_netfilter_socket permissive=1
Signed-off-by: Dave Sugar <dsugar100 <AT> gmail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/services/firewalld.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/services/firewalld.te b/policy/modules/services/firewalld.te
index b51b7740..099dc32e 100644
--- a/policy/modules/services/firewalld.te
+++ b/policy/modules/services/firewalld.te
@@ -33,6 +33,7 @@ allow firewalld_t self:capability { dac_override net_admin };
dontaudit firewalld_t self:capability sys_tty_config;
allow firewalld_t self:fifo_file rw_fifo_file_perms;
allow firewalld_t self:unix_stream_socket { accept listen };
+allow firewalld_t self:netlink_netfilter_socket create_socket_perms;
allow firewalld_t self:udp_socket create_socket_perms;
manage_dirs_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
Subject: [gentoo-commits] proj/hardened-refpolicy:concord-dev commit in: policy/modules/services/
From: Kenton Groombridge @ 2022-10-12 13:34 UTC
To: gentoo-commits
commit: d958a662e13f1aaab708bc86cc260e6b582196a0
Author: Dave Sugar <dsugar100 <AT> gmail <DOT> com>
AuthorDate: Fri Aug 26 18:12:30 2022 +0000
Commit: Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Sat Sep 3 19:07:50 2022 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d958a662
firewalld: firewall-cmd uses dbus
node=localhost type=USER_AVC msg=audit(1661536843.099:11666): pid=1037 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: denied { send_msg } for scontext=system_u:system_r:firewalld_t:s0 tcontext=toor_u:sysadm_r:sysadm_t:s0 tclass=dbus permissive=1 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
node=localhost type=USER_AVC msg=audit(1661536101.833:8373): pid=1037 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: denied { send_msg } for scontext=toor_u:sysadm_r:sysadm_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
Signed-off-by: Dave Sugar <dsugar100 <AT> gmail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/services/firewalld.if | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/services/firewalld.if b/policy/modules/services/firewalld.if
index 4a65cecd..e77b88f8 100644
--- a/policy/modules/services/firewalld.if
+++ b/policy/modules/services/firewalld.if
@@ -105,6 +105,8 @@ interface(`firewalld_admin',`
allow $1 firewalld_t:process { ptrace signal_perms };
ps_process_pattern($1, firewalld_t)
+ firewalld_dbus_chat($1)
+
init_startstop_service($1, $2, firewalld_t, firewalld_initrc_exec_t)
files_search_runtime($1)
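Review bot: the two USER_AVC lines show send_msg being denied in both directions (firewalld_t to sysadm_t, and sysadm_t to firewalld_t with permissive=0, so firewall-cmd was actually failing in enforcing mode); adding `firewalld_dbus_chat($1)` to `firewalld_admin` is only a complete fix if that interface grants send_msg both ways, which this hunk does not show, so check the interface body. Note also that the reply path is now tied to `firewalld_admin`: a domain that runs firewall-cmd without being granted the admin interface (which also carries ptrace and signal_perms, visible at the top of the hunk) still cannot talk to the daemon, so callers that only need the dbus conversation should get `firewalld_dbus_chat` directly rather than the whole admin bundle.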
Subject: [gentoo-commits] proj/hardened-refpolicy:concord-dev commit in: policy/modules/services/
From: Kenton Groombridge @ 2022-10-12 13:34 UTC
To: gentoo-commits
commit: 2a0d52aa43e15264642fcfacc8996adfd02a0724
Author: Dave Sugar <dsugar100 <AT> gmail <DOT> com>
AuthorDate: Wed Aug 24 02:22:41 2022 +0000
Commit: Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Sat Sep 3 19:07:49 2022 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2a0d52aa
ssh: allow ssh_keygen to read /usr/share/crypto-policies/
With RHEL9, /etc/crypto-policies/back-ends are symlinks to /usr/share/crypto-policies/*/*
node=localhost type=AVC msg=audit(1661303919.946:335): avc: denied { getattr } for pid=1025 comm="ssh-keygen" path="/usr/share/crypto-policies/FIPS/opensslcnf.txt" dev="dm-0" ino=396589 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1661303919.946:336): avc: denied { read } for pid=1025 comm="ssh-keygen" name="opensslcnf.txt" dev="dm-0" ino=396589 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1661303919.946:336): avc: denied { open } for pid=1025 comm="ssh-keygen" path="/usr/share/crypto-policies/FIPS/opensslcnf.txt" dev="dm-0" ino=396589 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar100 <AT> gmail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/services/ssh.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index ce320c6a..aa0766bb 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -354,6 +354,7 @@ term_dontaudit_use_console(ssh_keygen_t)
domain_use_interactive_fds(ssh_keygen_t)
files_read_etc_files(ssh_keygen_t)
+files_read_usr_files(ssh_keygen_t)
init_use_fds(ssh_keygen_t)
init_use_script_ptys(ssh_keygen_t)
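Review bot: `files_read_usr_files` is the right placement (it sorts after `files_read_etc_files` and the etc_t access two lines up is what lets ssh_keygen_t reach the /etc/crypto-policies/back-ends symlink in the first place), but the commit message should say what is being read and why it matters: opensslcnf.txt is the system crypto policy that ssh-keygen's OpenSSL honours, so a denial here in enforcing mode would not stop key generation, it would let it run with the library defaults instead of the FIPS policy. That makes this a correctness rule for the crypto policy rather than a mere noise fix, which is worth recording for anyone later tempted to dontaudit it.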
Subject: [gentoo-commits] proj/hardened-refpolicy:concord-dev commit in: policy/modules/services/
From: Kenton Groombridge @ 2022-10-12 13:34 UTC
To: gentoo-commits
commit: 2053dfa53a3559bc91514f6e05c206850d289e7e
Author: Dave Sugar <dsugar100 <AT> gmail <DOT> com>
AuthorDate: Thu Aug 25 23:19:24 2022 +0000
Commit: Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Sat Sep 3 19:07:50 2022 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2053dfa5
firewalld: allow to load kernel modules
node=localhost type=AVC msg=audit(1661468040.428:439): avc: denied { module_request } for pid=1009 comm="firewalld" kmod="nft-chain-1-nat" scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
Signed-off-by: Dave Sugar <dsugar100 <AT> gmail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/services/firewalld.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/services/firewalld.te b/policy/modules/services/firewalld.te
index 099dc32e..a32e4b93 100644
--- a/policy/modules/services/firewalld.te
+++ b/policy/modules/services/firewalld.te
@@ -57,6 +57,7 @@ files_runtime_filetrans(firewalld_t, firewalld_runtime_t, { dir file })
kernel_read_crypto_sysctls(firewalld_t)
kernel_read_network_state(firewalld_t)
kernel_read_system_state(firewalld_t)
+kernel_request_load_module(firewalld_t)
kernel_rw_net_sysctls(firewalld_t)
corecmd_exec_bin(firewalld_t)
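Review bot: `kernel_request_load_module` grants `system:module_request` towards kernel_t, which matches the denial (kmod="nft-chain-1-nat", permissive=0, so nftables rule loading currently fails under enforcement), and the insertion keeps the kernel_ calls alphabetical. The grant is not limited to nft-* aliases, though: firewalld_t can afterwards trigger autoloading of any module alias the kernel resolves, which is considerably wider than the single denial suggests. Record that in the commit message, and on hosts where the nftables modules are preloaded, setting kernel.modules_disabled=1 after boot keeps this policy grant from pulling in unrelated modules.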
Subject: [gentoo-commits] proj/hardened-refpolicy:concord-dev commit in: policy/modules/services/
In reply to: 2022-09-03 20:04 [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/ (Kenton Groombridge)
From: Kenton Groombridge @ 2022-10-12 13:34 UTC
To: gentoo-commits
commit: 139f4bb39aea6b202996abebe7581f1479e9fdf1
Author: Kenton Groombridge <concord <AT> gentoo <DOT> org>
AuthorDate: Fri Nov 12 01:24:07 2021 +0000
Commit: Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Sat Sep 3 20:04:27 2022 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=139f4bb3
apache: add gentoo-specific interface to map httpd sys content
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>
policy/modules/services/apache.if | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
index 2b3a7f3c..8daa613b 100644
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@@ -1466,3 +1466,23 @@ interface(`apache_rw_runtime_files',`
allow $1 httpd_runtime_t:file rw_file_perms;
')
+
+########################################
+## <summary>
+## Map httpd sys content files.
+## This interface is Gentoo-specific.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_map_sys_content',`
+ gen_require(`
+ type httpd_sys_content_t, httpd_sys_rw_content_t;
+ ')
+
+ allow $1 httpd_sys_content_t:file map;
+ allow $1 httpd_sys_rw_content_t:file map;
+')
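Review bot: the `<summary>` "Map httpd sys content files" undersells the rule set: the interface covers the writable httpd_sys_rw_content_t as well as httpd_sys_content_t, and it hands out `map` without `read`, which the kernel requires alongside map for any readable mapping. Since this is the copy that lands on master, tighten the doc block before merging: list both types, and state that callers must obtain read access to them through one of the module's existing read interfaces, otherwise the first consumer of `apache_map_sys_content` will file a fresh denial for read on the same files.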