public inbox for gentoo-commits@lists.gentoo.org
 help / color / mirror / Atom feed
From: "Kenton Groombridge" <concord@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/services/
Date: Fri,  6 Oct 2023 16:44:34 +0000 (UTC)	[thread overview]
Message-ID: <1696606252.90affee2271dfbaad7e02781e1c583e886229754.concord@gentoo> (raw)

commit:     90affee2271dfbaad7e02781e1c583e886229754
Author:     Russell Coker <russell <AT> coker <DOT> com <DOT> au>
AuthorDate: Thu Sep 28 13:46:14 2023 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Fri Oct  6 15:30:52 2023 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=90affee2

misc small patches for cron policy (#701)

* Some misc small patches for cron policy

Signed-off-by: Russell Coker <russell <AT> coker.com.au>

* added systemd_dontaudit_connect_machined interface

Signed-off-by: Russell Coker <russell <AT> coker.com.au>

* Remove the line about connecting to tor

Signed-off-by: Russell Coker <russell <AT> coker.com.au>

* remove the dontaudit for connecting to machined

Signed-off-by: Russell Coker <russell <AT> coker.com.au>

* changed to distro_debian

Signed-off-by: Russell Coker <russell <AT> coker.com.au>

* mta: Whitespace changes.

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>

* cron: Move lines.

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>

---------

Signed-off-by: Russell Coker <russell <AT> coker.com.au>
Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Co-authored-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/services/cron.if    | 36 ++++++++++++++++++++++++++++++++++++
 policy/modules/services/cron.te    | 11 +++++++++++
 policy/modules/services/mta.te     |  7 ++++++-
 policy/modules/services/postfix.te |  1 +
 policy/modules/system/init.if      | 18 ++++++++++++++++++
 policy/modules/system/systemd.if   | 18 ++++++++++++++++++
 6 files changed, 90 insertions(+), 1 deletion(-)

diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if
index 87306cfdb..049b01494 100644
--- a/policy/modules/services/cron.if
+++ b/policy/modules/services/cron.if
@@ -755,6 +755,24 @@ interface(`cron_rw_tmp_files',`
 	allow $1 crond_tmp_t:file rw_file_perms;
 ')
 
+########################################
+## <summary>
+##      Read and write inherited crond temporary files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`cron_rw_inherited_tmp_files',`
+	gen_require(`
+		type crond_tmp_t;
+	')
+
+	allow $1 crond_tmp_t:file rw_inherited_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Read system cron job lib files.
@@ -888,6 +906,24 @@ interface(`cron_dontaudit_append_system_job_tmp_files',`
 	dontaudit $1 system_cronjob_tmp_t:file append_file_perms;
 ')
 
+########################################
+## <summary>
+##	allow appending temporary system cron job files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to allow.
+##	</summary>
+## </param>
+#
+interface(`cron_append_system_job_tmp_files',`
+	gen_require(`
+		type system_cronjob_tmp_t;
+	')
+
+	allow $1 system_cronjob_tmp_t:file append_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Read and write to inherited system cron job temporary files.

diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
index b2de6de31..9df1e3060 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -436,6 +436,8 @@ optional_policy(`
 	systemd_dbus_chat_logind(system_cronjob_t)
 	systemd_read_journal_files(system_cronjob_t)
 	systemd_write_inherited_logind_sessions_pipes(system_cronjob_t)
+	# for runuser
+	init_search_keys(system_cronjob_t)
 	# so cron jobs can restart daemons
 	init_stream_connect(system_cronjob_t)
 	init_manage_script_service(system_cronjob_t)
@@ -491,6 +493,7 @@ kernel_getattr_message_if(system_cronjob_t)
 kernel_read_irq_sysctls(system_cronjob_t)
 kernel_read_kernel_sysctls(system_cronjob_t)
 kernel_read_network_state(system_cronjob_t)
+kernel_read_rpc_sysctls(system_cronjob_t)
 kernel_read_system_state(system_cronjob_t)
 kernel_read_software_raid_state(system_cronjob_t)
 
@@ -535,6 +538,7 @@ files_read_usr_files(system_cronjob_t)
 files_read_var_files(system_cronjob_t)
 files_dontaudit_search_runtime(system_cronjob_t)
 files_manage_generic_spool(system_cronjob_t)
+files_manage_var_lib_dirs(system_cronjob_t)
 files_create_boot_flag(system_cronjob_t)
 files_read_var_lib_symlinks(system_cronjob_t)
 
@@ -554,6 +558,7 @@ logging_manage_generic_logs(system_cronjob_t)
 logging_send_audit_msgs(system_cronjob_t)
 logging_send_syslog_msg(system_cronjob_t)
 
+miscfiles_read_generic_certs(system_cronjob_t)
 miscfiles_read_localization(system_cronjob_t)
 
 seutil_read_config(system_cronjob_t)
@@ -654,6 +659,10 @@ optional_policy(`
 	mysql_read_config(system_cronjob_t)
 ')
 
+optional_policy(`
+	ntp_read_config(system_cronjob_t)
+')
+
 optional_policy(`
 	postfix_read_config(system_cronjob_t)
 ')
@@ -678,6 +687,8 @@ optional_policy(`
 
 	# for gpg-connect-agent to access /run/user/0
 	userdom_manage_user_runtime_dirs(system_cronjob_t)
+	# for /run/user/0/gnupg
+	userdom_manage_user_tmp_dirs(system_cronjob_t)
 ')
 
 ########################################

diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
index 8ed3c8480..63c8562ae 100644
--- a/policy/modules/services/mta.te
+++ b/policy/modules/services/mta.te
@@ -285,7 +285,12 @@ optional_policy(`
 	userdom_dontaudit_use_user_ptys(system_mail_t)
 
 	optional_policy(`
-		cron_dontaudit_append_system_job_tmp_files(system_mail_t)
+		ifdef(`distro_debian',`
+			# anacron on Debian gives empty email if this is not permitted
+			cron_append_system_job_tmp_files(system_mail_t)
+		', `
+			cron_dontaudit_append_system_job_tmp_files(system_mail_t)
+		')
 	')
 ')
 

diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
index 7b158e705..528a84de9 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@@ -652,6 +652,7 @@ optional_policy(`
 
 optional_policy(`
 	cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t)
+	cron_use_system_job_fds(postfix_postdrop_t)
 ')
 
 optional_policy(`

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index daab804c6..d91eadfb5 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -3858,3 +3858,21 @@ interface(`init_getrlimit',`
 
 	allow $1 init_t:process getrlimit;
 ')
+
+########################################
+## <summary>
+##      Allow searching init_t keys
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Source domain
+##      </summary>
+## </param>
+#
+interface(`init_search_keys',`
+	gen_require(`
+		type init_t;
+	')
+
+	allow $1 init_t:key search;
+')

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 64455eed5..19b2dbd85 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -1517,6 +1517,24 @@ interface(`systemd_connect_machined',`
 	allow $1 systemd_machined_t:unix_stream_socket connectto;
 ')
 
+########################################
+## <summary>
+##     dontaudit connecting to /run/systemd/userdb/io.systemd.Machine socket
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain that can access the socket
+##	</summary>
+## </param>
+#
+interface(`systemd_dontaudit_connect_machined',`
+	gen_require(`
+		type systemd_machined_t;
+	')
+
+	dontaudit $1 systemd_machined_t:unix_stream_socket connectto;
+')
+
 ########################################
 ## <summary>
 ##   Send and receive messages from


             reply	other threads:[~2023-10-06 16:44 UTC|newest]

Thread overview: 20+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-10-06 16:44 Kenton Groombridge [this message]
  -- strict thread matches above, loose matches on Subject: below --
2024-12-15  0:30 [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/services/ Jason Zaman
2024-09-22  0:03 Jason Zaman
2024-05-14 19:42 Kenton Groombridge
2024-05-14 19:42 Kenton Groombridge
2024-05-14 19:42 Kenton Groombridge
2023-10-06 16:44 Kenton Groombridge
2022-11-02 14:42 Kenton Groombridge
2022-04-09 19:28 Jason Zaman
2022-02-27  2:52 Jason Zaman
2022-02-07  2:14 Jason Zaman
2022-01-30  1:22 Jason Zaman
2021-11-11 21:27 Jason Zaman
2021-09-05 16:00 Jason Zaman
2021-02-07  3:20 Jason Zaman
2021-02-07  3:20 Jason Zaman
2018-12-09 11:48 Jason Zaman
2018-11-11 23:29 Jason Zaman
2018-11-11 23:29 Jason Zaman
2017-01-01 16:36 Jason Zaman

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1696606252.90affee2271dfbaad7e02781e1c583e886229754.concord@gentoo \
    --to=concord@gentoo.org \
    --cc=gentoo-commits@lists.gentoo.org \
    --cc=gentoo-dev@lists.gentoo.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox