* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/services/, policy/modules/admin/
@ 2021-02-07 3:20 Jason Zaman
From: Jason Zaman @ 2021-02-07 3:20 UTC (permalink / raw
To: gentoo-commits
commit: 6b6d9fc0d2ae76f8c137b5c3bcb1f184d0c62c57
Author: Russell Coker <russell <AT> coker <DOT> com <DOT> au>
AuthorDate: Mon Feb 1 04:57:13 2021 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 6 21:15:09 2021 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6b6d9fc0
new version of filetrans patch
Name changes suggested by Dominick and some more additions.
Signed-off-by: Russell Coker <russell <AT> coker.com.au>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/admin/dpkg.te | 20 +++++++++++++
policy/modules/services/aptcacher.if | 54 ++++++++++++++++++++++++++++++++++++
policy/modules/services/clamav.if | 36 ++++++++++++++++++++++++
policy/modules/services/ftp.if | 18 ++++++++++++
policy/modules/services/milter.if | 18 ++++++++++++
policy/modules/services/mysql.fc | 4 +--
policy/modules/services/mysql.if | 38 +++++++++++++++++++++++++
policy/modules/system/authlogin.if | 7 ++++-
policy/modules/system/init.te | 5 ++++
policy/modules/system/systemd.if | 25 +++++++++++++++++
policy/modules/system/unconfined.te | 1 +
11 files changed, 223 insertions(+), 3 deletions(-)
diff --git a/policy/modules/admin/dpkg.te b/policy/modules/admin/dpkg.te
index ee37e504..6830c795 100644
--- a/policy/modules/admin/dpkg.te
+++ b/policy/modules/admin/dpkg.te
@@ -276,6 +276,7 @@ term_use_all_terms(dpkg_script_t)
files_manage_non_auth_files(dpkg_script_t)
+auth_etc_filetrans_shadow(dpkg_script_t, "shadow.upwd-write")
auth_manage_shadow(dpkg_script_t)
init_all_labeled_script_domtrans(dpkg_script_t)
@@ -306,10 +307,20 @@ optional_policy(`
apt_use_fds(dpkg_script_t)
')
+optional_policy(`
+ aptcacher_filetrans_cache_dir(dpkg_script_t)
+ aptcacher_filetrans_conf_dir(dpkg_script_t)
+ aptcacher_filetrans_log_dir(dpkg_script_t)
+')
+
optional_policy(`
bootloader_run(dpkg_script_t, dpkg_roles)
')
+optional_policy(`
+ clamav_filetrans_log(dpkg_script_t)
+')
+
optional_policy(`
devicekit_dbus_chat_power(dpkg_script_t)
')
@@ -318,6 +329,10 @@ optional_policy(`
init_dbus_chat(dpkg_script_t)
')
+optional_policy(`
+ milter_filetrans_spamass_state(dpkg_script_t)
+')
+
optional_policy(`
modutils_run(dpkg_script_t, dpkg_roles)
')
@@ -326,6 +341,11 @@ optional_policy(`
mta_send_mail(dpkg_script_t)
')
+optional_policy(`
+ mysql_create_db_dir(dpkg_script_t)
+ mysql_create_log_dir(dpkg_script_t)
+')
+
optional_policy(`
nis_use_ypbind(dpkg_script_t)
')
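Review bot: The four new optional_policy blocks in dpkg.te call interfaces that, as far as their bodies in this commit show, only install a type_transition and leave the create permission on the target type to the caller; here that works because dpkg_script_t already has files_manage_non_auth_files in the first hunk. A one-line comment above the first new block, e.g. `# filetrans only; create perms come from files_manage_non_auth_files above`, would keep that dependency visible if the manage rule is ever narrowed. The same applies to the clamav, milter and mysql blocks in the later hunks of this file.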
diff --git a/policy/modules/services/aptcacher.if b/policy/modules/services/aptcacher.if
index 12c1335a..bef83332 100644
--- a/policy/modules/services/aptcacher.if
+++ b/policy/modules/services/aptcacher.if
@@ -63,3 +63,57 @@ interface(`aptcacher_stream_connect',`
files_search_runtime($1)
stream_connect_pattern($1, aptcacher_runtime_t, aptcacher_runtime_t, aptcacher_t)
')
+
+########################################
+## <summary>
+## create /var/log/apt-cacher-ng
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`aptcacher_filetrans_log_dir',`
+ gen_require(`
+ type aptcacher_log_t;
+ ')
+
+ logging_log_filetrans($1, aptcacher_log_t, dir, "apt-cacher-ng")
+')
+
+########################################
+## <summary>
+## create /var/cache/apt-cacher-ng
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`aptcacher_filetrans_cache_dir',`
+ gen_require(`
+ type aptcacher_cache_t;
+ ')
+
+ files_var_filetrans($1, aptcacher_cache_t, dir, "apt-cacher-ng")
+')
+
+########################################
+## <summary>
+## create /etc/apt-cacher-ng
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`aptcacher_filetrans_conf_dir',`
+ gen_require(`
+ type aptcacher_conf_t;
+ ')
+
+ files_etc_filetrans($1, aptcacher_conf_t, dir, "apt-cacher-ng")
+')
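Review bot: The three summaries are bare fragments ("create /var/log/apt-cacher-ng") that neither name the resulting label nor say that only the transition is granted; as I read filetrans_pattern, callers still need create permission on the target type themselves. Rewording each as, for instance, `## Create /var/log/apt-cacher-ng with an automatic type transition to aptcacher_log_t.` would match the style of the rest of the file and make the dependency obvious. The same wording issue applies to the clamav, ftp, milter and mysql interface summaries added in this commit.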
diff --git a/policy/modules/services/clamav.if b/policy/modules/services/clamav.if
index 33909248..29d00c98 100644
--- a/policy/modules/services/clamav.if
+++ b/policy/modules/services/clamav.if
@@ -430,3 +430,39 @@ interface(`clamav_admin',`
files_list_tmp($1)
admin_pattern($1, { clamd_tmp_t clamscan_tmp_t })
')
+
+########################################
+## <summary>
+## specified domain creates /var/log/clamav/freshclam.log with correct type
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`clamav_filetrans_log',`
+ gen_require(`
+ type clamd_var_log_t, freshclam_var_log_t;
+ ')
+
+ filetrans_pattern($1, clamd_var_log_t, freshclam_var_log_t, file, "freshclam.log")
+')
+
+########################################
+## <summary>
+## specified domain creates /run/clamav with correct type
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`clamav_filetrans_runtime_dir',`
+ gen_require(`
+ type clamd_runtime_t;
+ ')
+
+ files_runtime_filetrans($1, clamd_runtime_t, dir, "clamav")
+')
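Review bot: clamav_filetrans_log installs the transition on clamd_var_log_t but never lets the caller reach /var/log, unlike mysql_create_log_dir in this same commit, which calls logging_search_logs($1) before its filetrans. Unless every caller already searches the log directory on its own, the transition is unreachable; add `logging_search_logs($1)` above the filetrans_pattern line. clamav_filetrans_runtime_dir presumably gets the equivalent search from files_runtime_filetrans, so only the log interface needs the change.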
diff --git a/policy/modules/services/ftp.if b/policy/modules/services/ftp.if
index 56ac12bd..27af355f 100644
--- a/policy/modules/services/ftp.if
+++ b/policy/modules/services/ftp.if
@@ -189,3 +189,21 @@ interface(`ftp_admin',`
ftp_run_ftpdctl($1, $2)
')
+
+########################################
+## <summary>
+## create /run/pure-ftpd
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ftp_filetrans_pure_ftpd_runtime',`
+ gen_require(`
+ type ftpd_runtime_t;
+ ')
+
+ files_runtime_filetrans($1, ftpd_runtime_t, dir, "pure-ftpd")
+')
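Review bot: `ftp_filetrans_pure_ftpd_runtime` omits the `_dir` suffix that the sibling interfaces added in this commit carry (clamav_filetrans_runtime_dir, aptcacher_filetrans_cache_dir), even though it also creates a directory. `ftp_filetrans_pure_ftpd_runtime_dir` would keep the naming uniform, with the init.te caller updated to match. Minor, but renames are cheap before the interface has external users.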
diff --git a/policy/modules/services/milter.if b/policy/modules/services/milter.if
index d024d152..13b05498 100644
--- a/policy/modules/services/milter.if
+++ b/policy/modules/services/milter.if
@@ -98,6 +98,24 @@ interface(`milter_manage_spamass_state',`
manage_lnk_files_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
')
+########################################
+## <summary>
+## create spamass milter state dir
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`milter_filetrans_spamass_state',`
+ gen_require(`
+ type spamass_milter_state_t;
+ ')
+
+ files_var_lib_filetrans($1, spamass_milter_state_t, dir, "spamass-milter")
+')
+
########################################
## <summary>
## Get the attributes of the spamassissin milter data dir.
diff --git a/policy/modules/services/mysql.fc b/policy/modules/services/mysql.fc
index d23f2636..7b7b45b3 100644
--- a/policy/modules/services/mysql.fc
+++ b/policy/modules/services/mysql.fc
@@ -25,8 +25,8 @@ HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0)
/var/lib/mysql(/.*)? gen_context(system_u:object_r:mysqld_db_t,s0)
/var/lib/mysql/mysql.* -s gen_context(system_u:object_r:mysqld_runtime_t,s0)
-/var/log/mariadb(/.*)? gen_context(system_u:object_r:mysqld_log_t,s0)
-/var/log/mysql.* -- gen_context(system_u:object_r:mysqld_log_t,s0)
+/var/log/mariadb(/.*)? gen_context(system_u:object_r:mysqld_log_t,s0)
+/var/log/mysql(/.*)? gen_context(system_u:object_r:mysqld_log_t,s0)
/run/mysqld.* gen_context(system_u:object_r:mysqld_runtime_t,s0)
/run/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_runtime_t,s0)
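Review bot: Replacing `/var/log/mysql.* --` with `/var/log/mysql(/.*)?` drops the label from flat files whose names merely start with mysql — /var/log/mysqld.log, /var/log/mysql.log and similar no longer match and presumably fall back to the generic log type, so a daemon writing there will be denied after a relabel. If the intent is to label the /var/log/mysql directory tree while keeping the flat log files, keep both entries: `/var/log/mysql.* -- gen_context(system_u:object_r:mysqld_log_t,s0)` alongside the new directory line. The mariadb line appears to change only in whitespace and can be left out of the patch.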
diff --git a/policy/modules/services/mysql.if b/policy/modules/services/mysql.if
index afdfbc6b..e89a66d9 100644
--- a/policy/modules/services/mysql.if
+++ b/policy/modules/services/mysql.if
@@ -241,6 +241,24 @@ interface(`mysql_manage_db_files',`
manage_files_pattern($1, mysqld_db_t, mysqld_db_t)
')
+########################################
+## <summary>
+## create mysqld db dir.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mysql_create_db_dir',`
+ gen_require(`
+ type mysqld_db_t;
+ ')
+
+ files_var_lib_filetrans($1, mysqld_db_t, dir, "mysql")
+')
+
########################################
## <summary>
## Create, read, write, and delete
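Review bot: mysql_create_db_dir (and mysql_create_log_dir in the next hunk) use a `_create_` verb for interfaces whose visible bodies only install a type_transition, whereas the aptcacher, clamav, ftp and milter interfaces added in this same commit use `_filetrans_`; refpolicy readers tend to take `_create_` to mean create permission is granted. If the names were chosen deliberately per the commit message, a sentence in each summary such as `## Only the type transition is provided; the caller needs create permission on mysqld_db_t.` would avoid the confusion.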
@@ -325,9 +343,29 @@ interface(`mysql_write_log',`
')
logging_search_logs($1)
+ allow $1 mysqld_log_t:dir search_dir_perms;
allow $1 mysqld_log_t:file write_file_perms;
')
+########################################
+## <summary>
+## create mysqld log dir.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mysql_create_log_dir',`
+ gen_require(`
+ type mysqld_log_t;
+ ')
+
+ logging_search_logs($1)
+ logging_log_filetrans($1, mysqld_log_t, dir, "mysql")
+')
+
######################################
## <summary>
## Execute mysqld safe in the
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index 8f8b8009..08361bb5 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -719,13 +719,18 @@ interface(`auth_manage_shadow',`
## Domain allowed access.
## </summary>
## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
#
interface(`auth_etc_filetrans_shadow',`
gen_require(`
type shadow_t;
')
- files_etc_filetrans($1, shadow_t, file)
+ files_etc_filetrans($1, shadow_t, file, $2)
')
#######################################
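Review bot: The new `name` parameter's summary says only what it is, not what choosing it changes; the reason dpkg.te passes "shadow.upwd-write" is that without a name the transition labels every file the domain creates in an etc_t directory as shadow_t. I would expand it to `## Name of the file being created; when omitted the transition applies to every file the domain creates in /etc.` so callers understand the narrowing. Existing one-argument callers keep the unnamed transition, since the empty $2 is passed straight through to files_etc_filetrans.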
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index de5bca5e..1c9a5cdd 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1097,6 +1097,7 @@ optional_policy(`
')
optional_policy(`
+ clamav_filetrans_runtime_dir(initrc_t)
clamav_read_config(initrc_t)
')
@@ -1289,6 +1290,10 @@ optional_policy(`
fs_search_ramfs(initrc_t)
')
+optional_policy(`
+ ftp_filetrans_pure_ftpd_runtime(initrc_t)
+')
+
optional_policy(`
rpc_read_exports(initrc_t)
')
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 8e58c0d7..ac431aba 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -526,6 +526,31 @@ interface(`systemd_use_passwd_agent_fds',`
allow systemd_passwd_agent_t $1:fd use;
')
+########################################
+## <summary>
+## allow systemd_passwd_agent to be run by admin
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain that runs it
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## role that it runs in
+## </summary>
+## </param>
+#
+interface(`systemd_run_passwd_agent',`
+ gen_require(`
+ type systemd_passwd_agent_t, systemd_passwd_agent_exec_t;
+ ')
+
+ domain_auto_transition_pattern($1, systemd_passwd_agent_exec_t, systemd_passwd_agent_t)
+ allow systemd_passwd_agent_t $1:fd use;
+ role $2 types systemd_passwd_agent_t;
+')
+
#######################################
## <summary>
## Allow a systemd_passwd_agent_t process to interact with a daemon
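Review bot: systemd_run_passwd_agent re-spells the fd rule that systemd_use_passwd_agent_fds already provides (the identical `allow systemd_passwd_agent_t $1:fd use;` is visible as context at the top of the hunk) and pairs domain_auto_transition_pattern with it by hand; refpolicy run interfaces normally use `domtrans_pattern($1, systemd_passwd_agent_exec_t, systemd_passwd_agent_t)`, which I understand to include the fd use together with the fifo and sigchld rules a transition needs, followed by `role $2 types systemd_passwd_agent_t;`. As written the agent gets no sigchld on the caller, so the transition is likely to audit. The summary should also follow the convention for role-granting interfaces, "Execute systemd_passwd_agent in the systemd_passwd_agent domain, and allow the specified role the systemd_passwd_agent domain.", with a `## <rolecap/>` tag after the params.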
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index eac4d285..42879fb7 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -66,6 +66,7 @@ ifdef(`init_systemd',`
optional_policy(`
systemd_dbus_chat_resolved(unconfined_t)
+ systemd_filetrans_passwd_runtime_dirs(unconfined_t)
')
')
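Review bot: `systemd_filetrans_passwd_runtime_dirs` is called here but no hunk in this commit defines it, and the 25 lines the diffstat attributes to systemd.if are fully accounted for by systemd_run_passwd_agent; unless the interface already exists in systemd.if, the unconfined module will fail to build. Conversely, systemd_run_passwd_agent is added in this commit and never called. Either the name here is wrong or a definition is missing from the patch; worth confirming against the tree before merge.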
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/services/, policy/modules/admin/
@ 2023-10-06 16:44 Kenton Groombridge
From: Kenton Groombridge @ 2023-10-06 16:44 UTC (permalink / raw
To: gentoo-commits
commit: ab9b49a1d782ac96a73b4b1553992528a599d8d6
Author: Russell Coker <russell <AT> coker <DOT> com <DOT> au>
AuthorDate: Mon Sep 25 15:44:52 2023 +0000
Commit: Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Fri Oct 6 15:30:09 2023 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ab9b49a1
small network patches (#707)
* Small changes for netutils(ping), firewalld, ftp, inetd, networkmanager, openvpn ppp and rpc
Signed-off-by: Russell Coker <russell <AT> coker.com.au>
* Fixed typo in interface name
Signed-off-by: Russell Coker <russell <AT> coker.com.au>
* Add interface libs_watch_shared_libs_dir
Signed-off-by: Russell Coker <russell <AT> coker.com.au>
* Added sysnet_watch_config_dir interface
Signed-off-by: Russell Coker <russell <AT> coker.com.au>
* renamed libs_watch_shared_libs_dir to libs_watch_shared_libs_dirs
Signed-off-by: Russell Coker <russell <AT> coker.com.au>
* rename sysnet_watch_config_dir to sysnet_watch_config_dirs
Signed-off-by: Russell Coker <russell <AT> coker.com.au>
* Reverted a change as I can't remember why I did it.
Signed-off-by: Russell Coker <russell <AT> coker.com.au>
---------
Signed-off-by: Russell Coker <russell <AT> coker.com.au>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>
policy/modules/admin/netutils.te | 1 +
policy/modules/services/firewalld.te | 3 +++
policy/modules/services/ftp.fc | 6 +++++-
policy/modules/services/ftp.te | 9 +++++++++
policy/modules/services/inetd.te | 2 +-
policy/modules/services/networkmanager.te | 11 ++++++++++-
policy/modules/services/openvpn.te | 1 +
policy/modules/services/ppp.fc | 1 +
policy/modules/services/ppp.te | 2 ++
policy/modules/services/rpc.te | 6 +++++-
policy/modules/system/libraries.if | 18 ++++++++++++++++++
policy/modules/system/sysnetwork.if | 18 ++++++++++++++++++
12 files changed, 74 insertions(+), 4 deletions(-)
diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index 5fef6a31a..3c43a1d84 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -146,6 +146,7 @@ logging_send_syslog_msg(ping_t)
miscfiles_read_localization(ping_t)
userdom_use_inherited_user_terminals(ping_t)
+term_use_unallocated_ttys(ping_t)
optional_policy(`
munin_append_log(ping_t)
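Review bot: `term_use_unallocated_ttys(ping_t)` is added without a comment; it is broader than the userdom_use_inherited_user_terminals line above it, reaching any tty not yet allocated to a logged-in user, and nothing here records which invocation needed it. A one-line why-comment above the call, e.g. `# ping may be invoked with an unallocated tty as stdio (confirm scenario)`, would keep the next reviewer from dropping it as a stray grant.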
diff --git a/policy/modules/services/firewalld.te b/policy/modules/services/firewalld.te
index 954a348f0..eb097753f 100644
--- a/policy/modules/services/firewalld.te
+++ b/policy/modules/services/firewalld.te
@@ -38,11 +38,13 @@ allow firewalld_t self:fifo_file rw_fifo_file_perms;
allow firewalld_t self:unix_stream_socket { accept listen };
allow firewalld_t self:netlink_netfilter_socket create_socket_perms;
allow firewalld_t self:udp_socket create_socket_perms;
+allow firewalld_t self:netlink_netfilter_socket create_socket_perms;
allow firewalld_t firewalld_etc_rw_t:dir watch;
manage_dirs_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
manage_files_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
dontaudit firewalld_t firewalld_etc_rw_t:file { relabelfrom relabelto };
+allow firewalld_t firewalld_etc_rw_t:dir watch;
allow firewalld_t firewalld_var_log_t:file append_file_perms;
allow firewalld_t firewalld_var_log_t:file create_file_perms;
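Review bot: Both added lines in this hunk duplicate rules that are already present as context a few lines above: `allow firewalld_t self:netlink_netfilter_socket create_socket_perms;` and `allow firewalld_t firewalld_etc_rw_t:dir watch;` each appear unchanged before their new copies. checkpolicy merges identical allow rules so nothing breaks, but the duplicates are noise and suggest the hunk was rebased onto a tree that already had them; drop the two `+` lines.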
@@ -86,6 +88,7 @@ logging_send_syslog_msg(firewalld_t)
libs_watch_lib_dirs(firewalld_t)
+miscfiles_read_generic_certs(firewalld_t)
miscfiles_read_localization(firewalld_t)
seutil_exec_setfiles(firewalld_t)
diff --git a/policy/modules/services/ftp.fc b/policy/modules/services/ftp.fc
index b90598fed..a58851e58 100644
--- a/policy/modules/services/ftp.fc
+++ b/policy/modules/services/ftp.fc
@@ -1,4 +1,5 @@
/etc/proftpd\.conf -- gen_context(system_u:object_r:ftpd_etc_t,s0)
+/etc/pure-ftpd(/.*)? gen_context(system_u:object_r:ftpd_etc_t,s0)
/etc/cron\.monthly/proftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
@@ -22,8 +23,10 @@
/usr/sbin/muddleftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
/usr/sbin/proftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
/usr/sbin/vsftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
+/usr/sbin/pure-ftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
-/run/proftpd.* gen_context(system_u:object_r:ftpd_runtime_t,s0)
+/run/proftpd.* gen_context(system_u:object_r:ftpd_runtime_t,s0)
+/run/pure-ftpd(/.*)? gen_context(system_u:object_r:ftpd_runtime_t,s0)
/usr/libexec/webmin/vsftpd/webalizer/xfer_log -- gen_context(system_u:object_r:xferlog_t,s0)
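Review bot: `/usr/sbin/pure-ftpd` is inserted after vsftpd, breaking the alphabetical order the surrounding entries keep (muddleftpd, proftpd, vsftpd); move it between proftpd and vsftpd. The `/run/proftpd.*` line appears to change only in whitespace and could be left out of the patch.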
@@ -31,6 +34,7 @@
/var/log/muddleftpd\.log.* -- gen_context(system_u:object_r:xferlog_t,s0)
/var/log/proftpd(/.*)? gen_context(system_u:object_r:xferlog_t,s0)
+/var/log/pure-ftpd(/.*)? gen_context(system_u:object_r:xferlog_t,s0)
/var/log/vsftpd.* -- gen_context(system_u:object_r:xferlog_t,s0)
/var/log/xferlog.* -- gen_context(system_u:object_r:xferlog_t,s0)
/var/log/xferreport.* -- gen_context(system_u:object_r:xferlog_t,s0)
diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
index a3ff66feb..3a638a72c 100644
--- a/policy/modules/services/ftp.te
+++ b/policy/modules/services/ftp.te
@@ -175,6 +175,7 @@ allow ftpd_t self:tcp_socket { accept listen };
allow ftpd_t self:shm create_shm_perms;
allow ftpd_t self:key manage_key_perms;
+allow ftpd_t ftpd_etc_t:dir list_dir_perms;
allow ftpd_t ftpd_etc_t:file read_file_perms;
allow ftpd_t ftpd_keytab_t:file read_file_perms;
@@ -191,6 +192,7 @@ fs_tmpfs_filetrans(ftpd_t, ftpd_tmpfs_t, { dir file lnk_file sock_file fifo_file
manage_dirs_pattern(ftpd_t, ftpd_runtime_t, ftpd_runtime_t)
manage_files_pattern(ftpd_t, ftpd_runtime_t, ftpd_runtime_t)
+allow ftpd_t ftpd_runtime_t:file map;
manage_sock_files_pattern(ftpd_t, ftpd_runtime_t, ftpd_runtime_t)
files_runtime_filetrans(ftpd_t, ftpd_runtime_t, { file dir })
@@ -400,6 +402,13 @@ optional_policy(`
seutil_sigchld_newrole(ftpd_t)
')
+optional_policy(`
+ systemd_connect_machined(ftpd_t)
+ systemd_dbus_chat_logind(ftpd_t)
+ systemd_read_logind_state(ftpd_t)
+ systemd_write_inherited_logind_sessions_pipes(ftpd_t)
+')
+
########################################
#
# Ctl local policy
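Review bot: The new systemd block gives ftpd_t logind and machined access with no comment saying why an FTP daemon talks to them; presumably this is pam_systemd creating a session at login, but that should be stated, e.g. `# pam_systemd session setup for logins (logind/machined)` at the top of the block. Elsewhere on this page (unconfined.te) systemd calls sit under `ifdef(`init_systemd',`; check whether ftp.te follows the same convention and wrap the block if so.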
diff --git a/policy/modules/services/inetd.te b/policy/modules/services/inetd.te
index a74722c23..33af29d9b 100644
--- a/policy/modules/services/inetd.te
+++ b/policy/modules/services/inetd.te
@@ -33,7 +33,7 @@ files_tmp_file(inetd_child_tmp_t)
# Local policy
#
-allow inetd_t self:capability { setgid setuid sys_resource };
+allow inetd_t self:capability { kill setgid setuid sys_resource };
dontaudit inetd_t self:capability sys_tty_config;
allow inetd_t self:process { setsched setexec setrlimit };
allow inetd_t self:fifo_file rw_fifo_file_perms;
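Review bot: Adding `kill` to inetd_t's capability set lets the daemon signal processes of any uid, and the commit gives no reason; the likely trigger is signalling a child server that has switched uid, but that is a guess from the context. Record it above the rule, e.g. `# CAP_KILL: signal child servers running as other uids (confirm)`, so the grant is tied to an observed need rather than left unexplained.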
diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te
index 1f521643b..4494d0012 100644
--- a/policy/modules/services/networkmanager.te
+++ b/policy/modules/services/networkmanager.te
@@ -47,7 +47,7 @@ ifdef(`distro_gentoo',`
# Local policy
#
-allow NetworkManager_t self:capability { chown dac_override fowner fsetid ipc_lock kill net_admin net_raw setgid setuid sys_nice };
+allow NetworkManager_t self:capability { chown dac_override dac_read_search fowner fsetid ipc_lock kill net_admin net_raw setgid setuid sys_nice };
dontaudit NetworkManager_t self:capability { sys_module sys_ptrace sys_tty_config };
allow NetworkManager_t self:capability2 wake_alarm;
allow NetworkManager_t self:process { ptrace getcap setcap setpgid getsched setsched signal_perms };
@@ -153,7 +153,9 @@ files_read_usr_src_files(NetworkManager_t)
files_watch_etc_dirs(NetworkManager_t)
fs_getattr_all_fs(NetworkManager_t)
+fs_read_nsfs_files(NetworkManager_t)
fs_search_auto_mountpoints(NetworkManager_t)
+fs_search_tmpfs(NetworkManager_t)
fs_list_inotifyfs(NetworkManager_t)
mls_file_read_all_levels(NetworkManager_t)
@@ -169,6 +171,8 @@ init_get_system_status(NetworkManager_t)
auth_use_nsswitch(NetworkManager_t)
+libs_watch_shared_libs_dirs(NetworkManager_t)
+
logging_send_audit_msgs(NetworkManager_t)
logging_send_syslog_msg(NetworkManager_t)
@@ -192,6 +196,7 @@ sysnet_delete_dhcpc_state(NetworkManager_t)
sysnet_search_dhcp_state(NetworkManager_t)
sysnet_manage_config(NetworkManager_t)
sysnet_etc_filetrans_config(NetworkManager_t)
+sysnet_watch_config_dirs(NetworkManager_t)
# certificates in user home directories (cert_home_t in ~/\.pki)
userdom_read_user_certs(NetworkManager_t)
@@ -223,6 +228,10 @@ optional_policy(`
consoletype_exec(NetworkManager_t)
')
+optional_policy(`
+ chronyd_domtrans_cli(NetworkManager_t)
+')
+
optional_policy(`
cron_read_system_job_lib_files(NetworkManager_t)
')
diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te
index e97730fbd..c92925ca1 100644
--- a/policy/modules/services/openvpn.te
+++ b/policy/modules/services/openvpn.te
@@ -129,6 +129,7 @@ files_read_etc_runtime_files(openvpn_t)
fs_getattr_all_fs(openvpn_t)
fs_search_auto_mountpoints(openvpn_t)
+fs_search_tmpfs(openvpn_t)
auth_use_pam(openvpn_t)
diff --git a/policy/modules/services/ppp.fc b/policy/modules/services/ppp.fc
index 98b57f108..c4dd850f9 100644
--- a/policy/modules/services/ppp.fc
+++ b/policy/modules/services/ppp.fc
@@ -8,6 +8,7 @@ HOME_DIR/\.ppprc -- gen_context(system_u:object_r:ppp_home_t,s0)
/etc/ppp/.*secrets -- gen_context(system_u:object_r:pppd_secret_t,s0)
/etc/ppp/resolv\.conf -- gen_context(system_u:object_r:pppd_etc_rw_t,s0)
/etc/ppp/(auth|ip(v6|x)?)-(up|down) -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0)
+/etc/ppp/ip-pre-up -- gen_context(system_u:object_r:pppd_initrc_exec_t,s0)
/usr/bin/ipppd -- gen_context(system_u:object_r:pppd_exec_t,s0)
/usr/bin/ppp-watch -- gen_context(system_u:object_r:pppd_exec_t,s0)
diff --git a/policy/modules/services/ppp.te b/policy/modules/services/ppp.te
index 47111375d..70d52ca44 100644
--- a/policy/modules/services/ppp.te
+++ b/policy/modules/services/ppp.te
@@ -86,6 +86,7 @@ allow pppd_t self:socket create_socket_perms;
allow pppd_t self:netlink_route_socket nlmsg_write;
allow pppd_t self:tcp_socket { accept listen };
allow pppd_t self:packet_socket create_socket_perms;
+allow pppd_t self:pppox_socket { connect create ioctl };
allow pppd_t pppd_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };
@@ -108,6 +109,7 @@ files_tmp_filetrans(pppd_t, pppd_tmp_t, { dir file})
manage_dirs_pattern(pppd_t, pppd_runtime_t, pppd_runtime_t)
manage_files_pattern(pppd_t, pppd_runtime_t, pppd_runtime_t)
+allow pppd_t pppd_runtime_t:file map;
files_runtime_filetrans(pppd_t, pppd_runtime_t, { dir file })
can_exec(pppd_t, pppd_exec_t)
diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
index 63693603f..bfcb8fa8a 100644
--- a/policy/modules/services/rpc.te
+++ b/policy/modules/services/rpc.te
@@ -121,6 +121,7 @@ corenet_udp_bind_all_rpc_ports(rpc_domain)
fs_rw_rpc_named_pipes(rpc_domain)
fs_search_auto_mountpoints(rpc_domain)
+fs_watch_rpc_pipefs_dirs(rpc_domain)
files_read_etc_runtime_files(rpc_domain)
files_read_usr_files(rpc_domain)
@@ -312,7 +313,8 @@ optional_policy(`
# NFSD local policy
#
-allow nfsd_t self:capability { dac_override dac_read_search sys_admin sys_resource };
+allow nfsd_t self:capability { dac_override dac_read_search setpcap sys_admin sys_resource lease };
+allow nfsd_t self:process setcap;
allow nfsd_t exports_t:file read_file_perms;
allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir list_dir_perms;
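Review bot: The rewritten capability line appends `lease` after sys_resource, breaking the alphabetical order refpolicy keeps inside permission sets; write it as `allow nfsd_t self:capability { dac_override dac_read_search lease setpcap sys_admin sys_resource };`. `setpcap` together with the new `process setcap` lets nfsd alter its own capability sets, which is usually capability dropping; a short why-comment above the two lines would make that intent explicit.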
@@ -342,6 +344,8 @@ fs_mount_nfsd_fs(nfsd_t)
fs_getattr_all_fs(nfsd_t)
fs_getattr_all_dirs(nfsd_t)
fs_list_nfsd_fs(nfsd_t)
+fs_list_rpc(nfsd_t)
+
fs_watch_nfsd_dirs(nfsd_t)
fs_watch_nfsd_files(nfsd_t)
fs_rw_nfsd_fs(nfsd_t)
diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if
index faf172ce3..00128ef6d 100644
--- a/policy/modules/system/libraries.if
+++ b/policy/modules/system/libraries.if
@@ -530,6 +530,24 @@ interface(`libs_legacy_use_shared_libs',`
allow $1 lib_t:file execmod;
')
+########################################
+## <summary>
+## watch lib dirs
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`libs_watch_shared_libs_dirs',`
+ gen_require(`
+ type lib_t;
+ ')
+
+ allow $1 lib_t:dir watch;
+')
+
########################################
## <summary>
## Relabel to and from the type used for
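Review bot: `libs_watch_shared_libs_dirs` grants exactly `lib_t:dir watch`, and the firewalld.te hunk in this same commit already calls an existing `libs_watch_lib_dirs` interface; if that one also watches lib_t directories, the new interface is a duplicate and networkmanager.te should call the existing one instead. Confirm against libraries.if before merging. The summary "watch lib dirs" is also thinner than the file's usual style; `## Watch shared library directories (lib_t).` would match.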
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
index 70e873fe6..f41024669 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -567,6 +567,24 @@ interface(`sysnet_manage_config',`
')
')
+#######################################
+## <summary>
+## Watch a network config dir
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysnet_watch_config_dirs',`
+ gen_require(`
+ type net_conf_t;
+ ')
+
+ allow $1 net_conf_t:dir watch;
+')
+
#######################################
## <summary>
## Read dhcp client runtime files.
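Review bot: The summary "Watch a network config dir" describes a single directory, while the name sysnet_watch_config_dirs and the rule `allow $1 net_conf_t:dir watch;` cover every net_conf_t directory; change it to `## Watch network configuration directories (net_conf_t).` so the docs match the grant.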
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/services/, policy/modules/admin/
@ 2024-05-14 19:42 Kenton Groombridge
From: Kenton Groombridge @ 2024-05-14 19:42 UTC (permalink / raw
To: gentoo-commits
commit: e3d5625354b069f68fe3fff6135df2e5bc14f207
Author: Grzegorz Filo <gf578 <AT> wp <DOT> pl>
AuthorDate: Wed Apr 3 11:02:48 2024 +0000
Commit: Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Tue May 14 17:41:29 2024 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e3d56253
files context for merged-usr profile on gentoo
Signed-off-by: Grzegorz Filo <gf578 <AT> wp.pl>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>
policy/modules/admin/netutils.fc | 4 ++++
policy/modules/admin/shutdown.fc | 5 +++++
policy/modules/services/smartmon.fc | 4 ++++
policy/modules/system/authlogin.fc | 3 +++
policy/modules/system/init.fc | 4 ++++
policy/modules/system/lvm.fc | 4 ++++
6 files changed, 24 insertions(+)
diff --git a/policy/modules/admin/netutils.fc b/policy/modules/admin/netutils.fc
index 3a7ccabf2..c8f5dd950 100644
--- a/policy/modules/admin/netutils.fc
+++ b/policy/modules/admin/netutils.fc
@@ -21,3 +21,7 @@
/usr/sbin/ss -- gen_context(system_u:object_r:ss_exec_t,s0)
/usr/sbin/tcpdump -- gen_context(system_u:object_r:netutils_exec_t,s0)
/usr/sbin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0)
+
+ifdef(`distro_gentoo',`
+/usr/bin/iftop -- gen_context(system_u:object_r:netutils_exec_t,s0)
+')
diff --git a/policy/modules/admin/shutdown.fc b/policy/modules/admin/shutdown.fc
index 89d682d36..2e47783c2 100644
--- a/policy/modules/admin/shutdown.fc
+++ b/policy/modules/admin/shutdown.fc
@@ -9,3 +9,8 @@
/usr/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
/run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_runtime_t,s0)
+
+ifdef(`distro_gentoo',`
+/usr/bin/halt -- gen_context(system_u:object_r:shutdown_exec_t,s0)
+/usr/bin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0)
+')
diff --git a/policy/modules/services/smartmon.fc b/policy/modules/services/smartmon.fc
index efbb8886f..562cf0b04 100644
--- a/policy/modules/services/smartmon.fc
+++ b/policy/modules/services/smartmon.fc
@@ -9,3 +9,7 @@
/run/smartd\.pid -- gen_context(system_u:object_r:fsdaemon_runtime_t,s0)
/var/lib/smartmontools(/.*)? gen_context(system_u:object_r:fsdaemon_var_lib_t,s0)
+
+ifdef(`distro_gentoo',`
+/usr/bin/update-smart-drivedb -- gen_context(system_u:object_r:smartmon_update_drivedb_exec_t,s0)
+')
diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
index adb53a05a..fcdd38d6d 100644
--- a/policy/modules/system/authlogin.fc
+++ b/policy/modules/system/authlogin.fc
@@ -40,6 +40,9 @@ ifdef(`distro_redhat', `
ifdef(`distro_suse', `
/usr/sbin/unix2_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
')
+ifdef(`distro_gentoo',`
+/usr/bin/pwhistory_helper -- gen_context(system_u:object_r:updpwd_exec_t,s0)
+')
/var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0)
diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
index 2ce804cde..e350b6adf 100644
--- a/policy/modules/system/init.fc
+++ b/policy/modules/system/init.fc
@@ -53,6 +53,10 @@ ifdef(`distro_gentoo',`
/usr/sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0)
ifdef(`distro_gentoo', `
+/usr/bin/rc -- gen_context(system_u:object_r:rc_exec_t,s0)
+/usr/bin/openrc -- gen_context(system_u:object_r:rc_exec_t,s0)
+/usr/bin/openrc-init -- gen_context(system_u:object_r:init_exec_t,s0)
+/usr/bin/openrc-shutdown -- gen_context(system_u:object_r:init_exec_t,s0)
/usr/lib/rc/cache(/.*)? gen_context(system_u:object_r:initrc_state_t,s0)
/usr/lib/rc/console(/.*)? gen_context(system_u:object_r:initrc_state_t,s0)
/usr/lib/rc/init\.d(/.*)? gen_context(system_u:object_r:initrc_state_t,s0)
diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc
index bc66de8ad..ba1d88e2b 100644
--- a/policy/modules/system/lvm.fc
+++ b/policy/modules/system/lvm.fc
@@ -74,6 +74,10 @@
/usr/bin/vgsplit -- gen_context(system_u:object_r:lvm_exec_t,s0)
/usr/bin/vgwrapper -- gen_context(system_u:object_r:lvm_exec_t,s0)
+ifdef(`distro_gentoo',`
+/usr/bin/dmeventd -- gen_context(system_u:object_r:lvm_exec_t,s0)
+')
+
/usr/lib/lvm-10/.* -- gen_context(system_u:object_r:lvm_exec_t,s0)
/usr/lib/lvm-200/.* -- gen_context(system_u:object_r:lvm_exec_t,s0)
/usr/lib/systemd/systemd-cryptsetup -- gen_context(system_u:object_r:lvm_exec_t,s0)