* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/system/, policy/modules/kernel/
@ 2013-12-06 17:33 Sven Vermeulen
From: Sven Vermeulen @ 2013-12-06 17:33 UTC
  To: gentoo-commits

commit:     3cacfd54b9c2219d010af9c9a07cffc01fc558d2
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Mon Dec  2 19:22:29 2013 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Dec  6 17:30:54 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=3cacfd54

Module version bump for first batch of patches from Dominick Grift.

---
 policy/modules/kernel/kernel.te     | 2 +-
 policy/modules/services/ssh.te      | 2 +-
 policy/modules/services/xserver.te  | 2 +-
 policy/modules/system/authlogin.te  | 2 +-
 policy/modules/system/fstools.te    | 2 +-
 policy/modules/system/mount.te      | 2 +-
 policy/modules/system/setrans.te    | 2 +-
 policy/modules/system/sysnetwork.te | 2 +-
 policy/modules/system/udev.te       | 2 +-
 policy/modules/system/unconfined.te | 2 +-
 10 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index ab4d21f..a39d803 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -1,4 +1,4 @@
-policy_module(kernel, 1.17.1)
+policy_module(kernel, 1.17.2)
 
 ########################################
 #

diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index d7559d8..30726f2 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -1,4 +1,4 @@
-policy_module(ssh, 2.4.2)
+policy_module(ssh, 2.4.3)
 
 ########################################
 #

diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 8e0d2d4..158c2c1 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -1,4 +1,4 @@
-policy_module(xserver, 3.9.4)
+policy_module(xserver, 3.9.5)
 
 gen_require(`
 	class x_drawable all_x_drawable_perms;

diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 367e920..1e0390f 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -1,4 +1,4 @@
-policy_module(authlogin, 2.5.1)
+policy_module(authlogin, 2.5.2)
 
 ########################################
 #

diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index a912d3d..c7f82a3 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -1,4 +1,4 @@
-policy_module(fstools, 1.16.1)
+policy_module(fstools, 1.16.2)
 
 ########################################
 #

diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index 49eab00..5e939f7 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -1,4 +1,4 @@
-policy_module(mount, 1.16.1)
+policy_module(mount, 1.16.2)
 
 ########################################
 #

diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
index 83e355c..ac6e607 100644
--- a/policy/modules/system/setrans.te
+++ b/policy/modules/system/setrans.te
@@ -1,4 +1,4 @@
-policy_module(setrans, 1.8.0)
+policy_module(setrans, 1.8.1)
 
 gen_require(`
 	class context contains;

diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index cde5324..8bb0a25 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -1,4 +1,4 @@
-policy_module(sysnetwork, 1.15.4)
+policy_module(sysnetwork, 1.15.5)
 
 ########################################
 #

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 7a1c29a..626ded7 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -1,4 +1,4 @@
-policy_module(udev, 1.16.2)
+policy_module(udev, 1.16.3)
 
 ########################################
 #

diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index 3303b71..3dd0858 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -1,4 +1,4 @@
-policy_module(unconfined, 3.5.1)
+policy_module(unconfined, 3.5.2)
 
 ########################################
 #



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/system/, policy/modules/kernel/
@ 2017-02-21  7:11 Jason Zaman
From: Jason Zaman @ 2017-02-21  7:11 UTC
  To: gentoo-commits

commit:     8a23415215dd0c7be0bf930e02410d9950fe647f
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Feb 18 14:39:01 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Feb 21 06:52:46 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8a234152

Little misc patches from Russell Coker.

 policy/modules/kernel/files.te       |  3 ++-
 policy/modules/services/xserver.if   | 20 ++++++++++++++++++++
 policy/modules/services/xserver.te   |  2 +-
 policy/modules/system/init.fc        |  2 +-
 policy/modules/system/init.te        | 14 +++++++++-----
 policy/modules/system/logging.te     | 14 +++++++++-----
 policy/modules/system/lvm.te         |  4 +++-
 policy/modules/system/selinuxutil.te | 14 +++++++++-----
 policy/modules/system/sysnetwork.te  | 14 +++++++++-----
 policy/modules/system/udev.te        |  3 ++-
 10 files changed, 65 insertions(+), 25 deletions(-)

diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index 625768e2..9b06ff6e 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -1,4 +1,4 @@
-policy_module(files, 1.23.2)
+policy_module(files, 1.23.3)
 
 ########################################
 #
@@ -11,6 +11,7 @@ attribute lockfile;
 attribute mountpoint;
 attribute pidfile;
 attribute configfile;
+attribute spoolfile;
 
 # For labeling types that are to be polyinstantiated
 attribute polydir;
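Review bot: `+attribute spoolfile;` declares a new attribute, but nothing else in this patch assigns a type to it or references it from an interface, so as of this commit it is an empty attribute. An empty attribute compiles, but the declaration should land together with the files.if interface that adds types to it, or at least carry a comment in the style of the `# For labeling types that are to be polyinstantiated` line above `polydir` saying which spool types it is meant to collect.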

diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index f0761c9b..7af0ab6a 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -934,6 +934,26 @@ interface(`xserver_create_xdm_tmp_sockets',`
 
 ########################################
 ## <summary>
+##	Delete a named socket in a XDM
+##	temporary directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_delete_xdm_tmp_sockets',`
+	gen_require(`
+		type xdm_tmp_t;
+	')
+
+	files_search_tmp($1)
+	delete_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
+')
+
+########################################
+## <summary>
 ##	Read XDM pid files.
 ## </summary>
 ## <param name="domain">
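Review bot: the summary of the new `xserver_delete_xdm_tmp_sockets` interface should read "an XDM temporary directory", not "a XDM". The body otherwise mirrors the create interface directly above it (`files_search_tmp($1)` plus the `delete_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t)` call), which is the right shape. No caller in this patch uses the new interface, so the domain it was written for should follow in the same series rather than leaving it unused.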

diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 68014747..71786c59 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -1,4 +1,4 @@
-policy_module(xserver, 3.13.1)
+policy_module(xserver, 3.13.2)
 
 gen_require(`
 	class x_drawable all_x_drawable_perms;

diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
index 1fb15ae0..fe085d15 100644
--- a/policy/modules/system/init.fc
+++ b/policy/modules/system/init.fc
@@ -23,6 +23,7 @@ ifdef(`distro_gentoo',`
 # /usr
 #
 /usr/bin/sepg_ctl	--	gen_context(system_u:object_r:initrc_exec_t,s0)
+/usr/bin/systemd	--	gen_context(system_u:object_r:init_exec_t,s0)
 
 /usr/lib/systemd/systemd --	gen_context(system_u:object_r:init_exec_t,s0)
 /usr/lib/systemd/system-preset(/.*)? gen_context(system_u:object_r:systemd_unit_t,s0)
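Review bot: the new `/usr/bin/systemd -- gen_context(system_u:object_r:init_exec_t,s0)` entry uses the `--` regular-file qualifier, so it only matches when /usr/bin/systemd is a real file; where it is a symlink to /usr/lib/systemd/systemd the entry does not apply and the symlink keeps the default label. That is harmless, since the executed target is already labeled init_exec_t by the line below, but a one-line comment stating which install layout this entry is for would stop someone later "fixing" it by dropping `--`.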
@@ -34,7 +35,6 @@ ifdef(`distro_gentoo', `
 /usr/lib/rc/init\.d(/.*)?		gen_context(system_u:object_r:initrc_state_t,s0)
 ')
 
-
 /usr/libexec/dcc/start-.* --	gen_context(system_u:object_r:initrc_exec_t,s0)
 /usr/libexec/dcc/stop-.* --	gen_context(system_u:object_r:initrc_exec_t,s0)
 

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 03aaae53..cad90ba5 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 2.2.2)
+policy_module(init, 2.2.3)
 
 gen_require(`
 	class passwd rootok;
@@ -307,7 +307,9 @@ ifdef(`init_systemd',`
 	',`
 		# Run the shell in the sysadm role for single-user mode.
 		# causes problems with upstart
-		sysadm_shell_domtrans(init_t)
+		ifndef(`distro_debian',`
+			sysadm_shell_domtrans(init_t)
+		')
 	')
 ')
 
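Review bot: the new `ifndef(`distro_debian',` wrapper around `sysadm_shell_domtrans(init_t)` is not explained; the two comment lines above it still only say the transition "causes problems with upstart", which does not tell a reader why Debian specifically is excluded. Extend the comment with the Debian-specific reason (or the bug it works around) so the exclusion can be revisited once it no longer applies.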
@@ -561,9 +563,6 @@ miscfiles_read_localization(initrc_t)
 # slapd needs to read cert files from its initscript
 miscfiles_read_generic_certs(initrc_t)
 
-modutils_read_module_config(initrc_t)
-modutils_domtrans_insmod(initrc_t)
-
 seutil_read_config(initrc_t)
 
 userdom_read_user_home_content_files(initrc_t)
@@ -953,6 +952,11 @@ optional_policy(`
 ')
 
 optional_policy(`
+	modutils_read_module_config(initrc_t)
+	modutils_domtrans_insmod(initrc_t)
+')
+
+optional_policy(`
 	mta_read_config(initrc_t)
 	mta_dontaudit_read_spool_symlinks(initrc_t)
 ')
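Review bot: together with the removal at `@@ -561,9 +563,6`, this hunk moves `modutils_read_module_config(initrc_t)` and `modutils_domtrans_insmod(initrc_t)` inside `optional_policy(`...')`, which is the correct fix: unless modutils is built into the base policy, an unconditional call to its interfaces leaves an undefined macro and breaks the build when the module is absent. The block is placed before the `mta_*` block, matching the alphabetical order of this section. The same move is made for locallogin in logging.te and selinuxutil.te and for modutils in sysnetwork.te, so the commit message would be more useful if it named this fix instead of just "Little misc patches".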

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 94be02e5..10d2fc9f 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -1,4 +1,4 @@
-policy_module(logging, 1.25.1)
+policy_module(logging, 1.25.2)
 
 ########################################
 #
@@ -124,8 +124,6 @@ term_use_all_terms(auditctl_t)
 
 init_dontaudit_use_fds(auditctl_t)
 
-locallogin_dontaudit_use_fds(auditctl_t)
-
 logging_set_audit_parameters(auditctl_t)
 logging_send_syslog_msg(auditctl_t)
 
@@ -133,6 +131,10 @@ ifdef(`init_systemd',`
 	init_rw_stream_sockets(auditctl_t)
 ')
 
+optional_policy(`
+	locallogin_dontaudit_use_fds(auditctl_t)
+')
+
 ########################################
 #
 # Auditd local policy
@@ -373,8 +375,8 @@ optional_policy(`
 # sys_admin for the integrated klog of syslog-ng and metalog
 # sys_nice for rsyslog
 # cjp: why net_admin!
-allow syslogd_t self:capability { chown dac_override fsetid net_admin sys_admin sys_nice sys_resource sys_tty_config };
-dontaudit syslogd_t self:capability { sys_ptrace sys_tty_config };
+allow syslogd_t self:capability { chown dac_override fsetid net_admin setgid setuid sys_admin sys_nice sys_resource sys_tty_config };
+dontaudit syslogd_t self:capability { sys_ptrace };
 # setpgid for metalog
 # setrlimit for syslog-ng
 # getsched for syslog-ng
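Review bot: the `allow syslogd_t self:capability { ... }` line gains `setgid setuid` with no justification, while every other capability in this block is documented in the comments above it (`sys_admin for the integrated klog ...`, `sys_nice for rsyslog`, even `cjp: why net_admin!`). Add a comment naming the daemon that needs to change uid/gid (presumably to drop privileges after startup), since setuid and setgid let the domain assume any uid or gid and are among the capabilities worth keeping tight. Dropping `sys_tty_config` from the `dontaudit` line is right: it is already in the allow rule above, and a dontaudit on a permission that is allowed never fires.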
@@ -569,6 +571,8 @@ optional_policy(`
 
 optional_policy(`
 	udev_read_db(syslogd_t)
+	# for systemd-journal to read seat data from /run/udev/data
+	udev_read_pid_files(syslogd_t)
 ')
 
 optional_policy(`

diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index e04fb18a..58e03ff2 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -1,4 +1,4 @@
-policy_module(lvm, 1.19.1)
+policy_module(lvm, 1.19.2)
 
 ########################################
 #
@@ -257,6 +257,8 @@ dev_dontaudit_getattr_generic_pipes(lvm_t)
 dev_create_generic_dirs(lvm_t)
 # the following one is needed by cryptsetup
 dev_getattr_fs(lvm_t)
+# for systemd-cryptsetup
+dev_write_kmsg(lvm_t)
 
 domain_use_interactive_fds(lvm_t)
 domain_read_all_domains_state(lvm_t)
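Review bot: `dev_write_kmsg(lvm_t)` is justified by the `# for systemd-cryptsetup` comment but is added unconditionally, so non-systemd systems also get lvm_t write access to /dev/kmsg. If it is only needed for systemd-cryptsetup, wrap it in `ifdef(`init_systemd',` ... `')`, as init.te and logging.te do for their systemd-specific rules, so the kernel log stays unwritable from lvm_t elsewhere.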

diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 703a4453..67c7418b 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -1,4 +1,4 @@
-policy_module(selinuxutil, 1.22.1)
+policy_module(selinuxutil, 1.22.2)
 
 gen_require(`
 	bool secure_mode;
@@ -363,8 +363,6 @@ files_relabel_non_auth_files(restorecond_t )
 files_read_non_auth_files(restorecond_t)
 auth_use_nsswitch(restorecond_t)
 
-locallogin_dontaudit_use_fds(restorecond_t)
-
 logging_send_syslog_msg(restorecond_t)
 
 miscfiles_read_localization(restorecond_t)
@@ -378,6 +376,10 @@ ifdef(`distro_ubuntu',`
 ')
 
 optional_policy(`
+	locallogin_dontaudit_use_fds(restorecond_t)
+')
+
+optional_policy(`
 	rpm_use_script_fds(restorecond_t)
 ')
 
@@ -504,8 +506,6 @@ term_use_all_terms(semanage_t)
 # Running genhomedircon requires this for finding all users
 auth_use_nsswitch(semanage_t)
 
-locallogin_use_fds(semanage_t)
-
 logging_send_syslog_msg(semanage_t)
 
 miscfiles_read_localization(semanage_t)
@@ -542,6 +542,10 @@ optional_policy(`
 	portage_eselect_module(semanage_t)
 ')
 
+optional_policy(`
+	locallogin_use_fds(semanage_t)
+')
+
 ########################################
 #
 # Setfiles local policy
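Review bot: the new `optional_policy(` block for `locallogin_use_fds(semanage_t)` is appended after the `portage_eselect_module(semanage_t)` block, which breaks the alphabetical order of the optional_policy blocks (locallogin sorts before portage); move it up, matching the restorecond_t counterpart earlier in this patch, which was placed before `rpm_use_script_fds`. Moving the call into optional_policy at all is right, since locallogin is a separate module and the unconditional call removed at `@@ -504,8 +506,6` breaks the build without it.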

diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 9518a23d..caec3181 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -1,4 +1,4 @@
-policy_module(sysnetwork, 1.20.2)
+policy_module(sysnetwork, 1.20.3)
 
 ########################################
 #
@@ -147,8 +147,6 @@ logging_send_syslog_msg(dhcpc_t)
 
 miscfiles_read_localization(dhcpc_t)
 
-modutils_run_insmod(dhcpc_t, dhcpc_roles)
-
 sysnet_run_ifconfig(dhcpc_t, dhcpc_roles)
 
 userdom_use_user_terminals(dhcpc_t)
@@ -207,6 +205,10 @@ optional_policy(`
 	')
 ')
 
+optional_policy(`
+	modutils_run_insmod(dhcpc_t, dhcpc_roles)
+')
+
 # for the dhcp client to run ping to check IP addresses
 optional_policy(`
 	netutils_run_ping(dhcpc_t, dhcpc_roles)
@@ -335,8 +337,6 @@ logging_send_syslog_msg(ifconfig_t)
 
 miscfiles_read_localization(ifconfig_t)
 
-modutils_domtrans_insmod(ifconfig_t)
-
 seutil_use_runinit_fds(ifconfig_t)
 
 sysnet_dontaudit_rw_dhcpc_udp_sockets(ifconfig_t)
@@ -383,6 +383,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	modutils_domtrans_insmod(ifconfig_t)
+')
+
+optional_policy(`
 	nis_use_ypbind(ifconfig_t)
 ')
 

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index e0405fb1..d6034f30 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -1,4 +1,4 @@
-policy_module(udev, 1.21.1)
+policy_module(udev, 1.21.2)
 
 ########################################
 #
@@ -125,6 +125,7 @@ files_search_mnt(udev_t)
 
 fs_getattr_all_fs(udev_t)
 fs_list_inotifyfs(udev_t)
+fs_read_cgroup_files(udev_t)
 fs_rw_anon_inodefs_files(udev_t)
 
 mcs_ptrace_all(udev_t)
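Review bot: `fs_read_cgroup_files(udev_t)` is added without a comment, unlike the other new rules in this patch (`# for systemd-journal to read seat data from /run/udev/data`, `# for systemd-cryptsetup`). Say which udev rule or helper needs to read cgroupfs, and if it is a systemd-udevd need, consider the same `ifdef(`init_systemd',` guard used elsewhere in the tree.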



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/system/, policy/modules/kernel/
@ 2019-07-13  7:01 Jason Zaman
From: Jason Zaman @ 2019-07-13  7:01 UTC
  To: gentoo-commits

commit:     8d12e0f32ff8a5776028c854f987b9af4b7adee6
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Apr 27 14:51:06 2019 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 28 10:00:55 2019 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8d12e0f3

various: Module version bump.

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

 policy/modules/kernel/devices.te     | 2 +-
 policy/modules/kernel/storage.te     | 2 +-
 policy/modules/services/apache.te    | 2 +-
 policy/modules/services/devicekit.te | 2 +-
 policy/modules/services/tuned.te     | 2 +-
 policy/modules/system/init.te        | 2 +-
 policy/modules/system/mount.te       | 2 +-
 policy/modules/system/systemd.te     | 2 +-
 policy/modules/system/unconfined.te  | 2 +-
 policy/modules/system/userdomain.te  | 2 +-
 10 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index f36fcdc1..a0331212 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -1,4 +1,4 @@
-policy_module(devices, 1.24.1)
+policy_module(devices, 1.24.2)
 
 ########################################
 #

diff --git a/policy/modules/kernel/storage.te b/policy/modules/kernel/storage.te
index c10290c0..8f91eb2d 100644
--- a/policy/modules/kernel/storage.te
+++ b/policy/modules/kernel/storage.te
@@ -1,4 +1,4 @@
-policy_module(storage, 1.16.0)
+policy_module(storage, 1.16.1)
 
 ########################################
 #

diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
index ea541a9d..ee95b305 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -1,4 +1,4 @@
-policy_module(apache, 2.16.0)
+policy_module(apache, 2.16.1)
 
 ########################################
 #

diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te
index 7b0226e0..8aadd411 100644
--- a/policy/modules/services/devicekit.te
+++ b/policy/modules/services/devicekit.te
@@ -1,4 +1,4 @@
-policy_module(devicekit, 1.10.0)
+policy_module(devicekit, 1.10.1)
 
 ########################################
 #

diff --git a/policy/modules/services/tuned.te b/policy/modules/services/tuned.te
index 349a757b..aafa6be5 100644
--- a/policy/modules/services/tuned.te
+++ b/policy/modules/services/tuned.te
@@ -1,4 +1,4 @@
-policy_module(tuned, 1.5.0)
+policy_module(tuned, 1.5.1)
 
 ########################################
 #

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index b3385fed..aca76caa 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 2.6.5)
+policy_module(init, 2.6.6)
 
 gen_require(`
 	class passwd rootok;

diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index 0539abfa..1fbf3e2f 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -1,4 +1,4 @@
-policy_module(mount, 1.20.0)
+policy_module(mount, 1.20.1)
 
 ########################################
 #

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index a5ebfdb3..29d5d4fc 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1,4 +1,4 @@
-policy_module(systemd, 1.7.6)
+policy_module(systemd, 1.7.7)
 
 #########################################
 #

diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index 29ed0217..1ca89af1 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -1,4 +1,4 @@
-policy_module(unconfined, 3.12.0)
+policy_module(unconfined, 3.12.1)
 
 ########################################
 #

diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index e3f0f09b..81d2da73 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -1,4 +1,4 @@
-policy_module(userdomain, 4.17.0)
+policy_module(userdomain, 4.17.1)
 
 ########################################
 #



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/system/, policy/modules/kernel/
@ 2024-09-22  0:03 Jason Zaman
From: Jason Zaman @ 2024-09-22  0:03 UTC
  To: gentoo-commits

commit:     5771206e2319d9616db89272c86f99e50a21ee00
Author:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
AuthorDate: Fri Aug  9 19:36:57 2024 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Sep 21 22:28:29 2024 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5771206e

various: rules required for DV manipulation in kubevirt

Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/kernel/devices.if      | 18 ++++++++++++++++++
 policy/modules/kernel/kernel.te       |  1 +
 policy/modules/services/container.te  |  3 +++
 policy/modules/services/kubernetes.if | 19 +++++++++++++++++++
 policy/modules/services/kubernetes.te |  1 +
 policy/modules/system/iptables.te     |  5 +++++
 policy/modules/system/mount.te        |  1 +
 7 files changed, 48 insertions(+)

diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 085bd30f0..aabc1b8e7 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -108,6 +108,24 @@ interface(`dev_getattr_fs',`
 	allow $1 device_t:filesystem getattr;
 ')
 
+########################################
+## <summary>
+##	Unmount device filesystems.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_unmount_fs',`
+	gen_require(`
+		type device_t;
+	')
+
+	allow $1 device_t:filesystem unmount;
+')
+
 ########################################
 ## <summary>
 ##	Remount device filesystems.

diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index b16142608..b791ebc71 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -315,6 +315,7 @@ dev_create_generic_chr_files(kernel_t)
 dev_delete_generic_chr_files(kernel_t)
 dev_mounton(kernel_t)
 dev_delete_generic_symlinks(kernel_t)
+dev_rw_generic_blk_files(kernel_t)
 dev_rw_generic_chr_files(kernel_t)
 dev_setattr_generic_blk_files(kernel_t)
 dev_setattr_generic_chr_files(kernel_t)
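Review bot: `dev_rw_generic_blk_files(kernel_t)` grants the kernel domain read and write on every block device node still labeled with the generic device type, with no comment on which kernel thread or in-kernel client needs it; the container.te hunk in this patch carries a `# for DV upload in kubevirt over rook-ceph` comment and this rule should be documented the same way. If the access is for one particular block device, a dedicated device type and interface would be tighter than generic blk files.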

diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te
index e91cd18f4..e9f59e516 100644
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@@ -1071,6 +1071,9 @@ dev_dontaudit_relabelto_generic_blk_files(spc_t)
 dev_getattr_kvm_dev(spc_t)
 dev_getattr_vhost_dev(spc_t)
 dev_watch_dev_dirs(spc_t)
+# for DV upload in kubevirt over rook-ceph
+dev_unmount_fs(spc_t)
+dev_remount_fs(spc_t)
 
 fs_read_nsfs_files(spc_t)
 fs_mount_xattr_fs(spc_t)
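Review bot: `dev_unmount_fs(spc_t)` and `dev_remount_fs(spc_t)` give super-privileged containers unmount and remount on device_t filesystems, i.e. on /dev itself; remount in particular allows changing the mount options of devtmpfs. spc_t is already a highly privileged domain and the comment explains the use case, so this is acceptable, but it would help to state in the comment whether the unmount/remount targets /dev inside a container mount namespace rather than the host's /dev, since that is what a future reader will want to know when auditing this domain.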

diff --git a/policy/modules/services/kubernetes.if b/policy/modules/services/kubernetes.if
index de14a7b61..2af5b64b3 100644
--- a/policy/modules/services/kubernetes.if
+++ b/policy/modules/services/kubernetes.if
@@ -377,6 +377,25 @@ interface(`kubernetes_run_engine_bpf',`
 	allow $1 kubernetes_container_engine_domain:bpf prog_run;
 ')
 
+########################################
+## <summary>
+##	Read and write FIFO files from
+##	kubernetes container engines.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kubernetes_rw_container_engine_fifo_files',`
+	gen_require(`
+		attribute kubernetes_container_engine_domain;
+	')
+
+	allow $1 kubernetes_container_engine_domain:fifo_file rw_fifo_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Search kubernetes config directories.

diff --git a/policy/modules/services/kubernetes.te b/policy/modules/services/kubernetes.te
index 787cdae30..38b3a545e 100644
--- a/policy/modules/services/kubernetes.te
+++ b/policy/modules/services/kubernetes.te
@@ -258,6 +258,7 @@ corecmd_exec_bin(kubelet_t)
 corecmd_watch_bin_dirs(kubelet_t)
 
 dev_getattr_mtrr_dev(kubelet_t)
+dev_getattr_generic_blk_files(kubelet_t)
 dev_read_kmsg(kubelet_t)
 dev_read_sysfs(kubelet_t)
 
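Review bot: `dev_getattr_generic_blk_files(kubelet_t)` is an allow, whereas the matching addition for mount_t in this same patch is `dev_dontaudit_getattr_generic_blk_files(mount_t)`. If kubelet only stats block device nodes while enumerating /dev and does not act on the result, the dontaudit form is the quieter and narrower choice; if it really needs the stat to succeed, keep the allow and add a comment saying why.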

diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
index 7c401fa50..5dc07b874 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -128,6 +128,11 @@ optional_policy(`
 	firstboot_rw_pipes(iptables_t)
 ')
 
+optional_policy(`
+	# apply firewall rules from multus
+	kubernetes_rw_container_engine_fifo_files(iptables_t)
+')
+
 optional_policy(`
 	modutils_run(iptables_t, iptables_roles)
 ')

diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index 88ffb90f6..01fe24528 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -83,6 +83,7 @@ dev_dontaudit_write_sysfs_dirs(mount_t)
 dev_rw_lvm_control(mount_t)
 dev_rw_loop_control(mount_t)
 dev_dontaudit_getattr_all_chr_files(mount_t)
+dev_dontaudit_getattr_generic_blk_files(mount_t)
 dev_dontaudit_getattr_memory_dev(mount_t)
 dev_getattr_sound_dev(mount_t)
 # Early devtmpfs, before udev relabel


