* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/, policy/modules/services/
@ 2023-10-06 16:44 Kenton Groombridge
From: Kenton Groombridge @ 2023-10-06 16:44 UTC (permalink / raw
  To: gentoo-commits

commit:     3eefa3b065ed81f56fddfb12a372012ef5e2a336
Author:     Russell Coker <russell <AT> coker <DOT> com <DOT> au>
AuthorDate: Mon Sep 25 15:01:12 2023 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Fri Oct  6 15:27:06 2023 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3eefa3b0

small ntp and dns changes (#703)

* Small changes for ntp, bind, avahi, and dnsmasq

Signed-off-by: Russell Coker <russell <AT> coker.com.au>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/admin/dpkg.te       |  9 +++++++++
 policy/modules/services/avahi.te   |  4 ++++
 policy/modules/services/bind.te    |  7 +++++--
 policy/modules/services/dnsmasq.te |  4 ++++
 policy/modules/services/ntp.fc     |  1 +
 policy/modules/services/ntp.if     | 19 +++++++++++++++++++
 6 files changed, 42 insertions(+), 2 deletions(-)

diff --git a/policy/modules/admin/dpkg.te b/policy/modules/admin/dpkg.te
index d6871de21..d4a56e5eb 100644
--- a/policy/modules/admin/dpkg.te
+++ b/policy/modules/admin/dpkg.te
@@ -350,8 +350,17 @@ optional_policy(`
 	nis_use_ypbind(dpkg_script_t)
 ')
 
+optional_policy(`
+	ntp_filetrans_drift(dpkg_script_t)
+')
+
+optional_policy(`
+	policykit_dbus_chat(dpkg_script_t)
+')
+
 optional_policy(`
 	systemd_read_logind_state(dpkg_script_t)
+	systemd_dbus_chat_hostnamed(dpkg_script_t)
 	systemd_dbus_chat_logind(dpkg_script_t)
 	systemd_run_sysusers(dpkg_script_t, dpkg_roles)
 ')
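Review bot: The three new grants for dpkg_script_t (ntp_filetrans_drift, policykit_dbus_chat, systemd_dbus_chat_hostnamed) carry no comment saying which maintainer script needs them, and the commit message ("ntp and dns changes") does not mention polkit or hostnamed at all. Following the file's style, a one-line comment above each new block would make the grants auditable, e.g. `# ntpsec postinst creates /var/lib/ntpsec` above the ntp block, and a comment naming the package whose postinst talks to hostnamed/polkit (presumably a hostname or timezone tool; confirm from the audit log). Note also that ntp_filetrans_drift as defined in this commit's ntp.if hunk has no filename filter, so the transition applies to every directory dpkg_script_t creates directly under /var/lib, not only ntpsec; see the note on that hunk.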

diff --git a/policy/modules/services/avahi.te b/policy/modules/services/avahi.te
index 773d2b8ff..1094e39db 100644
--- a/policy/modules/services/avahi.te
+++ b/policy/modules/services/avahi.te
@@ -111,3 +111,7 @@ optional_policy(`
 	seutil_sigchld_newrole(avahi_t)
 ')
 
+optional_policy(`
+	unconfined_dbus_send(avahi_t)
+')
+
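Review bot: The hunk appends an empty line after the new optional_policy block at end of file, which leaves avahi.te with a trailing blank line; drop the final `+` line so the file ends with `')`. The new unconfined_dbus_send(avahi_t) grant also has no comment saying what avahi sends to an unconfined bus peer; a one-line comment above the block, e.g. `# reply to D-Bus calls from unconfined clients` (confirm against the denial that motivated it), would record why the reach into the unconfined domain is needed.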

diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te
index 1b3e674a1..0a08be452 100644
--- a/policy/modules/services/bind.te
+++ b/policy/modules/services/bind.te
@@ -213,9 +213,9 @@ optional_policy(`
 # NDC local policy
 #
 
-allow ndc_t self:capability { dac_override net_admin };
+allow ndc_t self:capability { dac_override dac_read_search net_admin };
 allow ndc_t self:capability2 block_suspend;
-allow ndc_t self:process signal_perms;
+allow ndc_t self:process { signal_perms getsched setsched };
 allow ndc_t self:fifo_file rw_fifo_file_perms;
 allow ndc_t self:unix_stream_socket { accept listen };
 
@@ -231,6 +231,9 @@ allow ndc_t named_zone_t:dir search_dir_perms;
 
 kernel_read_kernel_sysctls(ndc_t)
 kernel_read_system_state(ndc_t)
+kernel_read_vm_overcommit_sysctl(ndc_t)
+
+dev_read_sysfs(ndc_t)
 
 corenet_all_recvfrom_netlabel(ndc_t)
 corenet_tcp_sendrecv_generic_if(ndc_t)

diff --git a/policy/modules/services/dnsmasq.te b/policy/modules/services/dnsmasq.te
index 6d1799ba8..2e492954d 100644
--- a/policy/modules/services/dnsmasq.te
+++ b/policy/modules/services/dnsmasq.te
@@ -108,6 +108,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	# for the dnsmasq-usb0.leases file
+	networkmanager_manage_lib_files(dnsmasq_t)
+
+	networkmanager_read_etc_files(dnsmasq_t)
 	networkmanager_read_runtime_files(dnsmasq_t)
 ')
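Review bot: networkmanager_manage_lib_files(dnsmasq_t) grants create/read/write/delete on everything carrying NetworkManager's var lib type, while the comment above it says the need is one leases file; that is wider than the stated purpose and also lets dnsmasq read whatever else NetworkManager keeps under /var/lib. If the leases file is created by dnsmasq itself, a named file transition to dnsmasq's own lease type would let this stay as a narrower grant; if NetworkManager creates it first, the manage grant is what is needed and the comment should say that the scope is all NetworkManager lib files, e.g. `# for the dnsmasq-usb0.leases file; grants manage on all NetworkManager lib files`. Which case applies depends on how NetworkManager starts dnsmasq, so confirm before changing.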
 

diff --git a/policy/modules/services/ntp.fc b/policy/modules/services/ntp.fc
index 4d014d196..4f19959e7 100644
--- a/policy/modules/services/ntp.fc
+++ b/policy/modules/services/ntp.fc
@@ -30,6 +30,7 @@
 
 /var/db/ntp-kod				--	gen_context(system_u:object_r:ntp_drift_t,s0)
 /var/lib/ntp(/.*)?				gen_context(system_u:object_r:ntp_drift_t,s0)
+/var/lib/ntpsec(/.*)?				gen_context(system_u:object_r:ntp_drift_t,s0)
 /var/lib/sntp-kod(/.*)?				gen_context(system_u:object_r:ntp_drift_t,s0)
 /var/lib/systemd/clock			--	gen_context(system_u:object_r:ntp_drift_t,s0)
 /var/lib/systemd/timesync(/.*)?			gen_context(system_u:object_r:ntp_drift_t,s0)

diff --git a/policy/modules/services/ntp.if b/policy/modules/services/ntp.if
index 4953e9f08..9df5d8d07 100644
--- a/policy/modules/services/ntp.if
+++ b/policy/modules/services/ntp.if
@@ -176,6 +176,25 @@ interface(`ntp_read_drift_files',`
 	read_files_pattern($1, ntp_drift_t, ntp_drift_t)
 ')
 
+########################################
+## <summary>
+##	specified domain creates /var/lib/ntpsec/ with the correct type
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ntp_filetrans_drift',`
+	gen_require(`
+		type ntp_drift_t;
+	')
+
+	files_search_var_lib($1)
+	files_var_lib_filetrans($1, ntp_drift_t, dir)
+')
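Review bot: files_var_lib_filetrans($1, ntp_drift_t, dir) has no filename argument, so the transition is not limited to /var/lib/ntpsec as the summary claims: every directory the caller creates directly in /var/lib without a more specific rule will be labeled ntp_drift_t. For dpkg_script_t, which this commit makes the first caller, that covers any package postinst that creates a state directory. Pass the name so the rule matches the summary: `files_var_lib_filetrans($1, ntp_drift_t, dir, "ntpsec")`. The summary could also follow the file's capitalised style, `##	Create /var/lib/ntpsec with the ntp drift file type.`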
+
 ########################################
 ## <summary>
 ##	Read and write ntpd shared memory.

