From: "Kenton Groombridge"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Kenton Groombridge"
Message-ID: <1696606252.90affee2271dfbaad7e02781e1c583e886229754.concord@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/services/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/services/cron.if policy/modules/services/cron.te policy/modules/services/mta.te policy/modules/services/postfix.te policy/modules/system/init.if policy/modules/system/systemd.if
X-VCS-Directories: policy/modules/services/ policy/modules/system/
X-VCS-Committer: concord
X-VCS-Committer-Name: Kenton Groombridge
X-VCS-Revision: 90affee2271dfbaad7e02781e1c583e886229754
X-VCS-Branch: master
Date: Fri, 6 Oct 2023 16:44:34 +0000 (UTC)
Precedence: bulk
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply
X-Archives-Salt: d924a3f1-6b0b-47db-8fdb-f735b0672450
X-Archives-Hash: 1bbcab8162ca45aa642ed12aa0c627f8

commit:     90affee2271dfbaad7e02781e1c583e886229754
Author:     Russell Coker coker com au>
AuthorDate: Thu Sep 28 13:46:14 2023 +0000
Commit:     Kenton Groombridge gentoo org>
CommitDate: Fri Oct 6 15:30:52 2023 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=90affee2

misc small patches for cron policy (#701)

* Some misc small patches for cron policy

Signed-off-by: Russell Coker coker.com.au>

* added systemd_dontaudit_connect_machined interface

Signed-off-by: Russell Coker coker.com.au>

* Remove the line about connecting to tor

Signed-off-by: Russell Coker coker.com.au>

* remove the dontaudit for connecting to machined

Signed-off-by: Russell Coker coker.com.au>

* changed to distro_debian

Signed-off-by: Russell Coker coker.com.au>

* mta: Whitespace changes.
Signed-off-by: Chris PeBenito ieee.org> * cron: Move lines. Signed-off-by: Chris PeBenito ieee.org> --------- Signed-off-by: Russell Coker coker.com.au> Signed-off-by: Chris PeBenito ieee.org> Co-authored-by: Chris PeBenito ieee.org> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/services/cron.if | 36 ++++++++++++++++++++++++++++++++++++ policy/modules/services/cron.te | 11 +++++++++++ policy/modules/services/mta.te | 7 ++++++- policy/modules/services/postfix.te | 1 + policy/modules/system/init.if | 18 ++++++++++++++++++ policy/modules/system/systemd.if | 18 ++++++++++++++++++ 6 files changed, 90 insertions(+), 1 deletion(-) diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if index 87306cfdb..049b01494 100644 --- a/policy/modules/services/cron.if +++ b/policy/modules/services/cron.if @@ -755,6 +755,24 @@ interface(`cron_rw_tmp_files',` allow $1 crond_tmp_t:file rw_file_perms; ') +######################################## +## +## Read and write inherited crond temporary files. +## +## +## +## Domain allowed access. +## +## +# +interface(`cron_rw_inherited_tmp_files',` + gen_require(` + type crond_tmp_t; + ') + + allow $1 crond_tmp_t:file rw_inherited_file_perms; +') + ######################################## ## ## Read system cron job lib files. @@ -888,6 +906,24 @@ interface(`cron_dontaudit_append_system_job_tmp_files',` dontaudit $1 system_cronjob_tmp_t:file append_file_perms; ') +######################################## +## +## allow appending temporary system cron job files. +## +## +## +## Domain to allow. +## +## +# +interface(`cron_append_system_job_tmp_files',` + gen_require(` + type system_cronjob_tmp_t; + ') + + allow $1 system_cronjob_tmp_t:file append_file_perms; +') + ######################################## ## ## Read and write to inherited system cron job temporary files. diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te index b2de6de31..9df1e3060 100644 
--- a/policy/modules/services/cron.te +++ b/policy/modules/services/cron.te @@ -436,6 +436,8 @@ optional_policy(` systemd_dbus_chat_logind(system_cronjob_t) systemd_read_journal_files(system_cronjob_t) systemd_write_inherited_logind_sessions_pipes(system_cronjob_t) + # for runuser + init_search_keys(system_cronjob_t) # so cron jobs can restart daemons init_stream_connect(system_cronjob_t) init_manage_script_service(system_cronjob_t) @@ -491,6 +493,7 @@ kernel_getattr_message_if(system_cronjob_t) kernel_read_irq_sysctls(system_cronjob_t) kernel_read_kernel_sysctls(system_cronjob_t) kernel_read_network_state(system_cronjob_t) +kernel_read_rpc_sysctls(system_cronjob_t) kernel_read_system_state(system_cronjob_t) kernel_read_software_raid_state(system_cronjob_t) @@ -535,6 +538,7 @@ files_read_usr_files(system_cronjob_t) files_read_var_files(system_cronjob_t) files_dontaudit_search_runtime(system_cronjob_t) files_manage_generic_spool(system_cronjob_t) +files_manage_var_lib_dirs(system_cronjob_t) files_create_boot_flag(system_cronjob_t) files_read_var_lib_symlinks(system_cronjob_t) @@ -554,6 +558,7 @@ logging_manage_generic_logs(system_cronjob_t) logging_send_audit_msgs(system_cronjob_t) logging_send_syslog_msg(system_cronjob_t) +miscfiles_read_generic_certs(system_cronjob_t) miscfiles_read_localization(system_cronjob_t) seutil_read_config(system_cronjob_t) @@ -654,6 +659,10 @@ optional_policy(` mysql_read_config(system_cronjob_t) ') +optional_policy(` + ntp_read_config(system_cronjob_t) +') + optional_policy(` postfix_read_config(system_cronjob_t) ') @@ -678,6 +687,8 @@ optional_policy(` # for gpg-connect-agent to access /run/user/0 userdom_manage_user_runtime_dirs(system_cronjob_t) + # for /run/user/0/gnupg + userdom_manage_user_tmp_dirs(system_cronjob_t) ') ######################################## diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te index 8ed3c8480..63c8562ae 100644 --- a/policy/modules/services/mta.te 
+++ b/policy/modules/services/mta.te @@ -285,7 +285,12 @@ optional_policy(` userdom_dontaudit_use_user_ptys(system_mail_t) optional_policy(` - cron_dontaudit_append_system_job_tmp_files(system_mail_t) + ifdef(`distro_debian',` + # anacron on Debian gives empty email if this is not permitted + cron_append_system_job_tmp_files(system_mail_t) + ', ` + cron_dontaudit_append_system_job_tmp_files(system_mail_t) + ') ') ') diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te index 7b158e705..528a84de9 100644 --- a/policy/modules/services/postfix.te +++ b/policy/modules/services/postfix.te @@ -652,6 +652,7 @@ optional_policy(` optional_policy(` cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t) + cron_use_system_job_fds(postfix_postdrop_t) ') optional_policy(` diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if index daab804c6..d91eadfb5 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -3858,3 +3858,21 @@ interface(`init_getrlimit',` allow $1 init_t:process getrlimit; ') + +######################################## +## +## Allow searching init_t keys +## +## +## +## Source domain +## +## +# +interface(`init_search_keys',` + gen_require(` + type init_t; + ') + + allow $1 init_t:key search; +') diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if index 64455eed5..19b2dbd85 100644 --- a/policy/modules/system/systemd.if +++ b/policy/modules/system/systemd.if 
@@ -1517,6 +1517,24 @@ interface(`systemd_connect_machined',` allow $1 systemd_machined_t:unix_stream_socket connectto; ') +######################################## +## +## dontaudit connecting to /run/systemd/userdb/io.systemd.Machine socket +## +## +## +## Domain that can access the socket +## +## +# +interface(`systemd_dontaudit_connect_machined',` + gen_require(` + type systemd_machined_t; + ') + + dontaudit $1 systemd_machined_t:unix_stream_socket connectto; +') + ######################################## ## ## Send and receive messages from
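Review bot: In the first cron.if hunk, the new `cron_rw_inherited_tmp_files` interface has no caller anywhere in this patch (cron.te, mta.te and postfix.te do not use it), and the commit message does not say which domain it is meant for. Either add the call site in the same change or note in the commit message where the rw on inherited `crond_tmp_t` files is needed, so the interface does not land as dead policy.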
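Review bot: In the second cron.if hunk, the interface documentation for `cron_append_system_job_tmp_files` does not follow the refpolicy wording used by the neighbouring interfaces: the summary `allow appending temporary system cron job files.` should start with a capital and read like the sibling `Read and write to inherited system cron job temporary files.`, e.g. `Append system cron job temporary files.`, and the parameter description `Domain to allow.` should be `Domain allowed access.` as in `cron_rw_inherited_tmp_files` above it.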
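Review bot: In the cron.te hunk at `@@ -535,6 +538,7 @@`, `files_manage_var_lib_dirs(system_cronjob_t)` grants create/delete/rename on every generic `var_lib_t` directory to all system cron jobs, with no comment naming the job that needs it. The other additions in this patch carry a `# for ...` comment; this one deserves one too, and if a single package's state directory is the trigger, a dedicated type with a filetrans (or that package's own interface) is the least-privilege fix rather than widening access to all of /var/lib.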
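Review bot: In the cron.te hunk at `@@ -678,6 +687,8 @@`, the comment `# for /run/user/0/gnupg` does not match the interface below it: `userdom_manage_user_tmp_dirs` covers `user_tmp_t`, the type for user files under /tmp, while /run/user is `user_runtime_t` and is already covered by the `userdom_manage_user_runtime_dirs(system_cronjob_t)` line directly above. Please check the denied type in the AVC that motivated this line; if it really is `user_tmp_t`, fix the comment, and if it is a gnupg-specific type, use the gpg module's interface instead.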
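Review bot: In the mta.te hunk, the `ifdef(`distro_debian',` branch explains the symptom (`anacron on Debian gives empty email if this is not permitted`) but not why the append to `system_cronjob_tmp_t` files is Debian-only; anacron spooling job output to a temporary file and handing it to the MTA is not obviously distro-specific. A comment stating what Debian does differently (or a tunable instead of an ifdef, if other distributions can hit the same denial) would make the split easier to maintain.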
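Review bot: In the init.if hunk, `init_search_keys` uses non-standard documentation wording: the summary `Allow searching init_t keys` should describe the operation rather than repeat the rule (e.g. `Search init keyrings.`), and the parameter description `Source domain` should be `Domain allowed access.` to match the rest of init.if. The rule itself is narrow (`init_t:key search` only), which is appropriate for the runuser case noted in cron.te.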
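Review bot: In the systemd.if hunk, `systemd_dontaudit_connect_machined` is added but nothing calls it after the follow-up commit `remove the dontaudit for connecting to machined` dropped its use, so it lands as an unused interface; either remove it from this series or keep the caller. Its parameter description `Domain that can access the socket` is also misleading for a dontaudit rule, which grants nothing; `Domain to not audit.` is the usual wording, and the summary should name `systemd_machined_t` rather than the path `/run/systemd/userdb/io.systemd.Machine`.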