From: "Kenton Groombridge"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Kenton Groombridge"
Message-ID: <1667398033.74c032778f9f1d5b0b4f3af6d91c297fef7f15ea.concord@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/services/glusterfs.fc policy/modules/services/glusterfs.if policy/modules/services/glusterfs.te
X-VCS-Directories: policy/modules/services/
X-VCS-Committer: concord
X-VCS-Committer-Name: Kenton Groombridge
X-VCS-Revision: 74c032778f9f1d5b0b4f3af6d91c297fef7f15ea
X-VCS-Branch: master
Date: Wed, 2 Nov 2022 14:42:52 +0000 (UTC)
Precedence: bulk
List-Post: List-Help: List-Unsubscribe: List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply
X-Archives-Salt: 7f9c576f-19ea-473d-8df6-0ad9610a9dab
X-Archives-Hash: 6dda48e38abef419e83c23aef340f980

commit:     74c032778f9f1d5b0b4f3af6d91c297fef7f15ea
Author:     Kenton Groombridge concord sh>
AuthorDate: Sat Sep 24 04:59:10 2022 +0000
Commit:     Kenton Groombridge gentoo org>
CommitDate: Wed Nov 2 14:07:13 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=74c03277

glusterfs: various fixes

Signed-off-by: Kenton Groombridge concord.sh>
Signed-off-by: Kenton Groombridge gentoo.org>

 policy/modules/services/glusterfs.fc | 12 ++++---
 policy/modules/services/glusterfs.if | 70 ++++++++++++++++++++++++++++++++++++
 policy/modules/services/glusterfs.te | 47 ++++++++++++++++++------
 3 files changed, 114 insertions(+), 15 deletions(-)

diff --git a/policy/modules/services/glusterfs.fc b/policy/modules/services/glusterfs.fc
index 8e538dc8e..158a4a85e 100644
--- a/policy/modules/services/glusterfs.fc
+++ b/policy/modules/services/glusterfs.fc
@@ -1,7 +1,7 @@ /etc/rc\.d/init\.d/gluster.* -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0) -/etc/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_conf_t,s0) -/etc/glusterd(/.*)? gen_context(system_u:object_r:glusterd_conf_t,s0) +/etc/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_conf_t,s0) +/etc/glusterd(/.*)? gen_context(system_u:object_r:glusterd_conf_t,s0) /usr/bin/glusterd -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0) /usr/bin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0) @@ -11,9 +11,11 @@ /opt/glusterfs/[^/]+/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0) -/var/lib/gluster.* gen_context(system_u:object_r:glusterd_var_lib_t,s0) +/var/lib/gluster.* gen_context(system_u:object_r:glusterd_var_lib_t,s0) -/var/log/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_log_t,s0) +/var/log/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_log_t,s0) -/run/glusterd(/.*)? gen_context(system_u:object_r:glusterd_runtime_t,s0) +/run/gluster(/.*)? gen_context(system_u:object_r:glusterd_runtime_t,s0) +/run/glusterd(/.*)? gen_context(system_u:object_r:glusterd_runtime_t,s0) /run/glusterd\.pid -- gen_context(system_u:object_r:glusterd_runtime_t,s0) +/run/glusterd\.socket -s gen_context(system_u:object_r:glusterd_runtime_t,s0) diff --git a/policy/modules/services/glusterfs.if b/policy/modules/services/glusterfs.if index 27c6bd6f7..b2b485ede 100644 --- a/policy/modules/services/glusterfs.if +++ b/policy/modules/services/glusterfs.if 
@@ -1,5 +1,71 @@ ## Cluster File System binary, daemon and command line. +######################################## +## +## Execute glusterd in the glusterd domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`glusterfs_domtrans_daemon',` + gen_require(` + type glusterd_t, glusterd_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, glusterd_exec_t, glusterd_t) +') + +######################################## +## +## Execute glusterd in the glusterd domain, and +## allow the specified role the glusterd domain. +## +## +## +## Domain allowed to transition. +## +## +## +## +## Role allowed access. +## +## +## +# +interface(`glusterfs_run_daemon',` + gen_require(` + type glusterd_t; + ') + + glusterfs_domtrans_daemon($1) + role $2 types glusterd_t; +') + +######################################## +## +## Connect to glusterd over a unix stream socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`glusterfs_stream_connect_daemon',` + gen_require(` + type glusterd_t; + type glusterd_runtime_t; + ') + + files_search_runtime($1) + stream_connect_pattern($1, glusterd_runtime_t, glusterd_runtime_t, glusterd_t) + allow $1 glusterd_runtime_t:sock_file read_sock_file_perms; +') + ######################################## ## ## All of the rules required to @@ -24,11 +90,15 @@ interface(`glusterfs_admin',` type glusterd_runtime_t; ') + glusterfs_run_daemon($1, $2) + init_startstop_service($1, $2, glusterd_t, glusterd_initrc_exec_t) allow $1 glusterd_t:process { ptrace signal_perms }; ps_process_pattern($1, glusterd_t) + glusterfs_stream_connect_daemon($1) + files_search_etc($1) admin_pattern($1, glusterd_conf_t) diff --git a/policy/modules/services/glusterfs.te b/policy/modules/services/glusterfs.te index de4f9baea..2d94845d9 100644 --- a/policy/modules/services/glusterfs.te +++ b/policy/modules/services/glusterfs.te 
@@ -32,11 +32,11 @@ files_type(glusterd_var_lib_t) # Local policy # -allow glusterd_t self:capability { chown dac_override dac_read_search fowner sys_admin sys_resource }; -allow glusterd_t self:process { setrlimit signal }; +allow glusterd_t self:capability { chown dac_override dac_read_search fowner ipc_lock sys_admin sys_resource }; +allow glusterd_t self:process { getsched setrlimit signal signull }; allow glusterd_t self:fifo_file rw_fifo_file_perms; -allow glusterd_t self:tcp_socket { accept listen }; -allow glusterd_t self:unix_stream_socket { accept listen }; +allow glusterd_t self:tcp_socket create_stream_socket_perms; +allow glusterd_t self:unix_stream_socket { create_stream_socket_perms connectto }; manage_dirs_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t) manage_files_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t) @@ -58,17 +58,14 @@ manage_files_pattern(glusterd_t, glusterd_runtime_t, glusterd_runtime_t) manage_sock_files_pattern(glusterd_t, glusterd_runtime_t, glusterd_runtime_t) files_runtime_filetrans(glusterd_t, glusterd_runtime_t, { dir file sock_file }) +can_exec(glusterd_t, glusterd_var_lib_t) manage_dirs_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t) manage_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t) +manage_lnk_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t) files_var_lib_filetrans(glusterd_t, glusterd_var_lib_t, dir) can_exec(glusterd_t, glusterd_exec_t) -kernel_read_system_state(glusterd_t) - -corecmd_exec_bin(glusterd_t) -corecmd_exec_shell(glusterd_t) - corenet_all_recvfrom_netlabel(glusterd_t) corenet_tcp_sendrecv_generic_if(glusterd_t) corenet_udp_sendrecv_generic_if(glusterd_t) 
@@ -77,6 +74,9 @@ corenet_udp_sendrecv_generic_node(glusterd_t) corenet_tcp_bind_generic_node(glusterd_t) corenet_udp_bind_generic_node(glusterd_t) +corenet_tcp_bind_glusterd_port(glusterd_t) +corenet_tcp_connect_glusterd_port(glusterd_t) + # Too coarse? corenet_sendrecv_all_server_packets(glusterd_t) corenet_tcp_bind_all_reserved_ports(glusterd_t) @@ -86,17 +86,44 @@ corenet_udp_bind_ipp_port(glusterd_t) corenet_sendrecv_all_client_packets(glusterd_t) corenet_tcp_connect_all_unreserved_ports(glusterd_t) +corecmd_exec_bin(glusterd_t) +corecmd_exec_shell(glusterd_t) + dev_read_sysfs(glusterd_t) dev_read_urand(glusterd_t) domain_read_all_domains_state(glusterd_t) - domain_use_interactive_fds(glusterd_t) files_read_usr_files(glusterd_t) +files_mounton_mnt(glusterd_t) + +fs_dontaudit_getattr_all_fs(glusterd_t) +fs_getattr_xattr_fs(glusterd_t) +fs_mount_fusefs(glusterd_t) +fs_unmount_fusefs(glusterd_t) + +kernel_dontaudit_getattr_proc(glusterd_t) +kernel_read_kernel_sysctls(glusterd_t) +kernel_read_net_sysctls(glusterd_t) +kernel_read_system_state(glusterd_t) + +storage_rw_fuse(glusterd_t) auth_use_nsswitch(glusterd_t) +hostname_exec(glusterd_t) + logging_send_syslog_msg(glusterd_t) +miscfiles_read_generic_certs(glusterd_t) miscfiles_read_localization(glusterd_t) + +# needed by relabeling hooks when adding bricks +seutil_domtrans_semanage(glusterd_t) +seutil_exec_setfiles(glusterd_t) +seutil_read_default_contexts(glusterd_t) + +userdom_dontaudit_search_user_runtime_root(glusterd_t) + +xdg_dontaudit_search_data_dirs(glusterd_t)
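Review bot: in the second glusterfs.fc hunk the -/+ pairs for /var/lib/gluster.* and /var/log/glusterfs(/.*)? (and both pairs in the first hunk) show no visible difference and read as whitespace realignment; that churn hides the two substantive additions, `/run/gluster(/.*)?` and `/run/glusterd\.socket -s`, so either split the alignment fix into its own commit or say so in the message, which at present only reads "various fixes". The socket entry is needed rather than redundant: `/run/glusterd(/.*)?` matches only /run/glusterd itself or paths below it, since the optional group has to start with a slash, so without the explicit -s line /run/glusterd.socket would keep the generic /run label on a restorecon.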
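Review bot: the summary of glusterfs_domtrans_daemon, "Execute glusterd in the glusterd domain", does not match glusterfs.fc, where /usr/bin/glusterd carries glusterd_initrc_exec_t and only the glusterfsd binaries carry glusterd_exec_t; `domtrans_pattern($1, glusterd_exec_t, glusterd_t)` therefore transitions on glusterfsd, not glusterd. Reword the summary (and the one in glusterfs_run_daemon) to say glusterfsd, or relabel /usr/bin/glusterd if the intent is that callers start glusterd itself. In glusterfs_stream_connect_daemon, `stream_connect_pattern()` already grants write_sock_file_perms on glusterd_runtime_t plus connectto on glusterd_t; the extra `allow $1 glusterd_runtime_t:sock_file read_sock_file_perms;` adds read on the socket inode, which a connecting client normally does not need. If it was added for an observed denial, name the client in a comment; otherwise drop it.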
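Review bot: `glusterfs_run_daemon($1, $2)` in glusterfs_admin lets the admin role exec glusterfsd straight from its shell, on top of the init_startstop_service() path that was already there; refpolicy admin interfaces normally stop at start/stop through the init system, since a daemon launched from an interactive session inherits the admin's tty and fds. If the direct exec is only there so the admin's client can reach the daemon, the `glusterfs_stream_connect_daemon($1)` call added in the same hunk already does that and run_daemon can go; if manual invocation is a supported workflow, a one-line comment above the call saying so would keep the next reader from removing it.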
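Review bot: the new `ipc_lock` capability, the `getsched` and `signull` process permissions and `connectto` on the domain's own unix_stream_socket are all added in the first .te hunk without a comment saying which operation needed them; refpolicy convention is to justify capability additions in place, and ipc_lock (mlock/SHM locking for a root daemon that listens on the network) is one reviewers will ask about. Self connectto usually means a helper that glusterd_t execs, and that stays in glusterd_t through the can_exec lines, connects back to /run/glusterd.socket; stating that makes clear the tighter alternative, a separate client domain using glusterfs_stream_connect_daemon, was considered. Widening tcp_socket and unix_stream_socket from `{ accept listen }` to create_stream_socket_perms is reasonable, but say in the message that the earlier lines were incomplete rather than leaving it to the diff.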
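Review bot: `can_exec(glusterd_t, glusterd_var_lib_t)` combined with the `manage_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)` two lines below gives the daemon write and execute on the same type, so anything that gets code execution in glusterd_t can drop a file under /var/lib/gluster* and re-enter it as a fresh process of the same domain, one that holds dac_override and sys_admin (first .te hunk) and, later in this patch, a transition into semanage. The hook scripts this is for (the last hunk's comment mentions relabeling hooks when adding bricks) would be better served by a dedicated exec type for the hooks directory, labelled by its own .fc entry and granted exec but not write from glusterd_t; failing that, keep the can_exec but add a comment naming the exception and why it is accepted. Two style points: the existing `can_exec(glusterd_t, glusterd_exec_t)` sits after the manage_* block for its type, so the new one belongs after `files_var_lib_filetrans`, not before `manage_dirs_pattern`; and the `kernel_read_system_state`, `corecmd_exec_bin` and `corecmd_exec_shell` removals here are a pure move (they reappear in later hunks after the corenet_ and fs_ calls), which runs against refpolicy's ordering of kernel-layer calls (kernel_, corecmd_, corenet_, dev_, domain_, files_, fs_, storage_), so the original placement was the conventional one and the move should be dropped.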
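Review bot: `corenet_tcp_connect_glusterd_port(glusterd_t)` adds nothing while `corenet_tcp_connect_all_unreserved_ports(glusterd_t)` stays a few lines below, because the glusterd port type falls in the unreserved range that rule already covers (assuming glusterd_port_t is declared in corenetwork with a port above 1023, which this diff does not show); the bind line is the only one of the pair that grants new permission, since `corenet_tcp_bind_all_reserved_ports` does not reach it. The "# Too coarse?" comment directly below is the real question, and this is the patch to answer it: if the specific glusterd port rules plus whatever ports the bricks need are enough, drop the all_unreserved connect rule; if not, drop the redundant connect line rather than carrying both.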
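Review bot: `seutil_domtrans_semanage(glusterd_t)` lets a root daemon that listens on the network transition into semanage_t and rewrite the policy store, which removes SELinux as a boundary for anything that compromises glusterd_t; combined with the write-and-exec on glusterd_var_lib_t added earlier in this patch, a file dropped in the hooks location becomes a path to policy changes. The comment "needed by relabeling hooks when adding bricks" explains the denial, not why the design is acceptable. Gate it behind a tunable that defaults to off, with a summary spelling out the risk, or run the hooks in a dedicated domain that is the only one allowed to reach semanage, and keep glusterd_t to `seutil_read_default_contexts` plus what setfiles needs. On that point, `seutil_exec_setfiles` runs setfiles inside glusterd_t without a transition, so relabeling a brick will also need relabelfrom/relabelto on the brick's type, and nothing in this diff grants that; if the hook path was tested, those rules belong here. `files_mounton_mnt(glusterd_t)` covers only /mnt; a comment on what is mounted there (the fs_mount_fusefs/fs_unmount_fusefs pair suggests the daemon's own FUSE mounts) would help. Ordering: the three kernel_ calls are placed after the fs_ block; refpolicy puts kernel_ first in the kernel-layer block, where `kernel_read_system_state` sat before this patch, so move them back up.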