public inbox for gentoo-commits@lists.gentoo.org
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/services/
@ 2017-01-01 16:36 Jason Zaman
  0 siblings, 0 replies; 20+ messages in thread
From: Jason Zaman @ 2017-01-01 16:36 UTC
  To: gentoo-commits

commit:     8f2fc33c9f2e053e29b89116692999132221954e
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Dec 18 22:56:17 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jan  1 16:26:28 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8f2fc33c

Module version bump for patches from Guido Trentalancia.

 policy/modules/services/xserver.te | 2 +-
 policy/modules/system/udev.te      | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 4a730c9..ac86b84 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -1,4 +1,4 @@
-policy_module(xserver, 3.12.4)
+policy_module(xserver, 3.12.5)
 
 gen_require(`
 	class x_drawable all_x_drawable_perms;

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 760b4de..9f00627 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -1,4 +1,4 @@
-policy_module(udev, 1.20.0)
+policy_module(udev, 1.20.1)
 
 ########################################
 #


^ permalink raw reply related	[flat|nested] 20+ messages in thread

* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/services/
@ 2018-11-11 23:29 Jason Zaman
  0 siblings, 0 replies; 20+ messages in thread
From: Jason Zaman @ 2018-11-11 23:29 UTC
  To: gentoo-commits

commit:     2046e1cb2cba083d8fbd3f7da6fda00f877c70fe
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Oct 27 19:10:10 2018 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Nov 11 23:17:31 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2046e1cb

clamav, ssh, init: Module version bump.

Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

 policy/modules/services/clamav.te | 2 +-
 policy/modules/services/ssh.te    | 2 +-
 policy/modules/system/init.te     | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te
index 2f78260f..b8c53a58 100644
--- a/policy/modules/services/clamav.te
+++ b/policy/modules/services/clamav.te
@@ -1,4 +1,4 @@
-policy_module(clamav, 1.15.0)
+policy_module(clamav, 1.15.1)
 
 ## <desc>
 ##	<p>

diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 0403842b..fbe6181f 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -1,4 +1,4 @@
-policy_module(ssh, 2.11.0)
+policy_module(ssh, 2.11.1)
 
 ########################################
 #

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 475f5fa4..64b3d6c2 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 2.5.1)
+policy_module(init, 2.5.2)
 
 gen_require(`
 	class passwd rootok;



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/services/
@ 2018-11-11 23:29 Jason Zaman
  0 siblings, 0 replies; 20+ messages in thread
From: Jason Zaman @ 2018-11-11 23:29 UTC
  To: gentoo-commits

commit:     92c04ff1614029852408d76bd95e07722eac1c0e
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Nov 10 00:32:08 2018 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Nov 11 23:17:31 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=92c04ff1

amavis, apache, clamav, exim, mta, udev: Module version bump.

Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

 policy/modules/services/amavis.te | 2 +-
 policy/modules/services/apache.te | 2 +-
 policy/modules/services/clamav.te | 2 +-
 policy/modules/services/exim.te   | 2 +-
 policy/modules/services/mta.te    | 2 +-
 policy/modules/system/udev.te     | 2 +-
 6 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/policy/modules/services/amavis.te b/policy/modules/services/amavis.te
index 59d87259..5e97e2da 100644
--- a/policy/modules/services/amavis.te
+++ b/policy/modules/services/amavis.te
@@ -1,4 +1,4 @@
-policy_module(amavis, 1.18.0)
+policy_module(amavis, 1.18.1)
 
 ########################################
 #

diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
index f45cf73b..b83b55c5 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -1,4 +1,4 @@
-policy_module(apache, 2.15.0)
+policy_module(apache, 2.15.1)
 
 ########################################
 #

diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te
index 1de8b4cb..caa51869 100644
--- a/policy/modules/services/clamav.te
+++ b/policy/modules/services/clamav.te
@@ -1,4 +1,4 @@
-policy_module(clamav, 1.15.1)
+policy_module(clamav, 1.15.2)
 
 ## <desc>
 ##	<p>

diff --git a/policy/modules/services/exim.te b/policy/modules/services/exim.te
index 6430aee8..ce964a5f 100644
--- a/policy/modules/services/exim.te
+++ b/policy/modules/services/exim.te
@@ -1,4 +1,4 @@
-policy_module(exim, 1.12.0)
+policy_module(exim, 1.12.1)
 
 ########################################
 #

diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
index a7133c2b..d4079d76 100644
--- a/policy/modules/services/mta.te
+++ b/policy/modules/services/mta.te
@@ -1,4 +1,4 @@
-policy_module(mta, 2.11.0)
+policy_module(mta, 2.11.1)
 
 ########################################
 #

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 19f4a4d6..cfe9c36e 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -1,4 +1,4 @@
-policy_module(udev, 1.24.0)
+policy_module(udev, 1.24.1)
 
 ########################################
 #



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/services/
@ 2018-12-09 11:48 Jason Zaman
  0 siblings, 0 replies; 20+ messages in thread
From: Jason Zaman @ 2018-12-09 11:48 UTC
  To: gentoo-commits

commit:     b5c1b4dc30400df4473bd48bc0b57dc07e8691fd
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Nov 11 20:58:59 2018 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Nov 18 10:56:47 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b5c1b4dc

Various modules: Version bump.

Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

 policy/modules/services/irqbalance.te | 2 +-
 policy/modules/services/ntp.te        | 2 +-
 policy/modules/system/iscsi.te        | 2 +-
 policy/modules/system/selinuxutil.te  | 2 +-
 policy/modules/system/sysnetwork.te   | 2 +-
 policy/modules/system/systemd.te      | 2 +-
 policy/modules/system/unconfined.te   | 2 +-
 7 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/policy/modules/services/irqbalance.te b/policy/modules/services/irqbalance.te
index ade99be0..ebf4e2be 100644
--- a/policy/modules/services/irqbalance.te
+++ b/policy/modules/services/irqbalance.te
@@ -1,4 +1,4 @@
-policy_module(irqbalance, 1.10.0)
+policy_module(irqbalance, 1.10.1)
 
 ########################################
 #

diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te
index 76ce4da9..29fb6b7e 100644
--- a/policy/modules/services/ntp.te
+++ b/policy/modules/services/ntp.te
@@ -1,4 +1,4 @@
-policy_module(ntp, 1.18.0)
+policy_module(ntp, 1.18.1)
 
 ########################################
 #

diff --git a/policy/modules/system/iscsi.te b/policy/modules/system/iscsi.te
index dc5f8f52..676a12e7 100644
--- a/policy/modules/system/iscsi.te
+++ b/policy/modules/system/iscsi.te
@@ -1,4 +1,4 @@
-policy_module(iscsi, 1.12.0)
+policy_module(iscsi, 1.12.1)
 
 ########################################
 #

diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 1293616c..76258410 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -1,4 +1,4 @@
-policy_module(selinuxutil, 1.24.0)
+policy_module(selinuxutil, 1.24.1)
 
 gen_require(`
 	bool secure_mode;

diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index fa6ac5e7..eefbf33c 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -1,4 +1,4 @@
-policy_module(sysnetwork, 1.23.0)
+policy_module(sysnetwork, 1.23.1)
 
 ########################################
 #

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index e70ccb21..e9b74257 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1,4 +1,4 @@
-policy_module(systemd, 1.6.0)
+policy_module(systemd, 1.6.1)
 
 #########################################
 #

diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index b981fa85..d0de897f 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -1,4 +1,4 @@
-policy_module(unconfined, 3.11.0)
+policy_module(unconfined, 3.11.1)
 
 ########################################
 #



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/services/
@ 2021-02-07  3:20 Jason Zaman
  0 siblings, 0 replies; 20+ messages in thread
From: Jason Zaman @ 2021-02-07  3:20 UTC
  To: gentoo-commits

commit:     e3b92a0ef1585d742839a59a365a122eb000fb8e
Author:     Russell Coker <russell <AT> coker <DOT> com <DOT> au>
AuthorDate: Tue Feb  2 15:07:12 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb  6 21:15:09 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e3b92a0e

machined

This patch is for systemd-machined.  Some of it will probably need
discussion but some is obviously good, so Chris maybe you could take
the bits you like for this release?

Signed-off-by: Russell Coker <russell <AT> coker.com.au>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/dbus.te     |  6 +++++
 policy/modules/services/ssh.te      |  8 ++----
 policy/modules/system/authlogin.if  |  1 +
 policy/modules/system/locallogin.te |  1 +
 policy/modules/system/systemd.if    | 52 +++++++++++++++++++++++++++++++++++++
 policy/modules/system/systemd.te    | 12 +++++++++
 6 files changed, 74 insertions(+), 6 deletions(-)

diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index 26ffe456..cbbbd45b 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -157,6 +157,9 @@ miscfiles_read_generic_certs(system_dbusd_t)
 seutil_read_config(system_dbusd_t)
 seutil_read_default_contexts(system_dbusd_t)
 
+# for machinectl shell
+term_use_ptmx(system_dbusd_t)
+
 userdom_dontaudit_use_unpriv_user_fds(system_dbusd_t)
 userdom_dontaudit_search_user_home_dirs(system_dbusd_t)
 # read a file in ~/.local/share
@@ -190,6 +193,9 @@ optional_policy(`
 	systemd_read_logind_runtime_files(system_dbusd_t)
 	systemd_write_inherited_logind_inhibit_pipes(system_dbusd_t)
 	systemd_write_inherited_logind_sessions_pipes(system_dbusd_t)
+
+	# for passing around terminal file handles for machinectl shell
+	systemd_use_machined_devpts(system_dbusd_t)
 ')
 
 optional_policy(`
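Review bot: the name systemd_use_machined_devpts() suggests general access to machined ptys, but as defined in systemd.if in this same patch it only grants fd:use on systemd_machined_t plus read/write on an already-open systemd_machined_devpts_t chr_file, i.e. inherited descriptors; an "inherited" name, following the pattern of systemd_write_inherited_logind_sessions_pipes() two lines above, would make that clear at the call site.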

diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 63a0d824..c5749682 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -267,9 +267,10 @@ ifdef(`distro_debian',`
 ')
 
 ifdef(`init_systemd',`
+	auth_use_pam_systemd(sshd_t)
 	init_dbus_chat(sshd_t)
-	systemd_dbus_chat_logind(sshd_t)
 	init_rw_stream_sockets(sshd_t)
+	systemd_write_inherited_logind_sessions_pipes(sshd_t)
 ')
 
 tunable_policy(`ssh_sysadm_login',`
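Review bot: replacing systemd_dbus_chat_logind(sshd_t) with auth_use_pam_systemd(sshd_t) is more than a rename: with the authlogin.if change in this patch, auth_use_pam_systemd() also grants dbus_system_bus_client() and systemd_connect_machined(), so sshd_t gains connectto on systemd-machined's stream socket. That is presumably what pam_systemd needs, but a one-line comment saying so would help, and the systemd_write_inherited_logind_sessions_pipes(sshd_t) call moved in from the optional_policy block deleted below is now applied only when init_systemd is set, which looks like the right scoping.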
@@ -311,11 +312,6 @@ optional_policy(`
 	rssh_read_ro_content(sshd_t)
 ')
 
-optional_policy(`
-	systemd_write_inherited_logind_sessions_pipes(sshd_t)
-	systemd_dbus_chat_logind(sshd_t)
-')
-
 optional_policy(`
 	xserver_domtrans_xauth(sshd_t)
 	xserver_link_xdm_keys(sshd_t)
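Review bot: dropping this block removes the duplicate of the two calls now made under ifdef(`init_systemd') above, which is good; the only behavioural change is that a build without init_systemd but with the systemd module present no longer gives sshd_t systemd_write_inherited_logind_sessions_pipes() or systemd_dbus_chat_logind(). Confirm that combination is not one anyone ships before merging.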

diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index 08361bb5..753a7735 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -98,6 +98,7 @@ interface(`auth_use_pam',`
 #
 interface(`auth_use_pam_systemd',`
 	dbus_system_bus_client($1)
+	systemd_connect_machined($1)
 	systemd_dbus_chat_logind($1)
 ')
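Review bot: adding systemd_connect_machined($1) here widens every caller of auth_use_pam_systemd(), not only sshd and local login; the interface's doc block above this hunk should say that PAM's systemd module also contacts systemd-machined's userdb socket. Since systemd_connect_machined() only grants unix_stream_socket connectto, check that callers already have write on the socket file and search on its directory, otherwise the connect is still denied.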
 

diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
index 0f710243..ed004fb8 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -141,6 +141,7 @@ ifdef(`init_systemd',`
 	auth_manage_faillog(local_login_t)
 
 	init_dbus_chat(local_login_t)
+	systemd_connect_machined(local_login_t)
 	systemd_dbus_chat_logind(local_login_t)
 	systemd_use_logind_fds(local_login_t)
 	systemd_manage_logind_runtime_pipes(local_login_t)
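Review bot: local_login_t gets systemd_connect_machined() as a direct call while sshd_t gets it through auth_use_pam_systemd() in the same patch; replacing this new line together with the adjacent systemd_dbus_chat_logind(local_login_t) by a single auth_use_pam_systemd(local_login_t) would keep the two login daemons in step as that interface evolves.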

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 29a561c7..642d58e2 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -19,12 +19,18 @@
 ##	The user domain for the role.
 ##	</summary>
 ## </param>
+## <param name="pty_type">
+##	<summary>
+##	The type for the user pty
+##	</summary>
+## </param>
 #
 template(`systemd_role_template',`
 	gen_require(`
 		attribute systemd_user_session_type, systemd_log_parse_env_type;
 		type systemd_user_runtime_t, systemd_user_runtime_notify_t;
 		type systemd_run_exec_t, systemd_analyze_exec_t;
+		type systemd_machined_t;
 	')
 
 	#################################
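Review bot: the new <param name="pty_type"> documentation and the added `type systemd_machined_t;` in gen_require are not consumed by anything in the template hunks shown: no fourth argument is referenced and no rule mentions systemd_machined_t. Either the rules that use them were left out of the patch or these are leftovers; as written the doc misdescribes the template's arguments and the extra require would make every role expansion fail if systemd_machined_t were ever moved out of this module.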
@@ -56,9 +62,13 @@ template(`systemd_role_template',`
 	allow $1_systemd_t $3:process { setsched rlimitinh };
 	corecmd_shell_domtrans($1_systemd_t, $3)
 	corecmd_bin_domtrans($1_systemd_t, $3)
+	allow $1_systemd_t self:process signal;
+
+	files_search_home($1_systemd_t)
 
 	# Allow using file descriptors for user environment generators
 	allow $3 $1_systemd_t:fd use;
+	allow $3 $1_systemd_t:fifo_file rw_inherited_file_perms;
 
 	# systemctl --user
 	stream_connect_pattern($3, systemd_user_runtime_t, systemd_user_runtime_t, $1_systemd_t)
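Review bot: `allow $1_systemd_t self:process signal;` lands between the corecmd domtrans calls and files_search_home(), whereas refpolicy keeps a domain's self rules together at the head of its block (next to the existing `allow $1_systemd_t $3:process { setsched rlimitinh };`). The new fifo_file rule also sits under the comment "Allow using file descriptors for user environment generators"; extend that comment to cover the pipe or give the rule its own.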
@@ -66,6 +76,10 @@ template(`systemd_role_template',`
 	can_exec($3, { systemd_run_exec_t systemd_analyze_exec_t })
 
 	dbus_system_bus_client($1_systemd_t)
+
+	selinux_use_status_page($1_systemd_t)
+	seutil_read_file_contexts($1_systemd_t)
+	seutil_search_default_contexts($1_systemd_t)
 ')
 
 ######################################
@@ -487,6 +501,24 @@ interface(`systemd_read_machines',`
 	allow $1 systemd_machined_runtime_t:file read_file_perms;
 ')
 
+########################################
+## <summary>
+##     Allow connecting to /run/systemd/userdb/io.systemd.Machine socket
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain that can access the socket
+##     </summary>
+## </param>
+#
+interface(`systemd_connect_machined',`
+	gen_require(`
+		type systemd_machined_t;
+	')
+
+	allow $1 systemd_machined_t:unix_stream_socket connectto;
+')
+
 ########################################
 ## <summary>
 ##   Send and receive messages from
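Review bot: the summary names /run/systemd/userdb/io.systemd.Machine, but the rule only grants unix_stream_socket connectto to systemd_machined_t; reaching that socket also takes search on the userdb directory and write on the sock_file, which is what stream_connect_pattern() bundles (together with a search interface for /run/systemd), so callers will still see denials unless they obtain those elsewhere. The new doc block also indents with spaces ("##     Allow") while the rest of this file uses a tab after "##".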
@@ -1300,3 +1332,23 @@ interface(`systemd_run_sysusers', `
 	systemd_domtrans_sysusers($1)
 	roleattribute $2 systemd_sysusers_roles;
 ')
+
+########################################
+## <summary>
+##  receive and use a systemd_machined_devpts_t file handle
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`systemd_use_machined_devpts', `
+	gen_require(`
+		type systemd_machined_t, systemd_machined_devpts_t;
+	')
+
+	allow $1 systemd_machined_t:fd use;
+	allow $1 systemd_machined_devpts_t:chr_file { read write };
+')
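Review bot: <rolecap/> is misplaced here: that tag marks interfaces that give a role extra capabilities and is picked up by the generated role documentation, while this one only allows fd:use on systemd_machined_t and read/write on an inherited pty. Drop the tag, capitalise the summary to match the file's other interfaces, and consider rw_inherited_term_perms (if that permission set is present in this tree) in place of the bare { read write } so getattr/ioctl on the inherited terminal are covered as they are for other inherited ttys.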

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 9e68824e..39c37ac1 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -155,6 +155,9 @@ type systemd_machined_runtime_t alias systemd_machined_var_run_t;
 files_runtime_file(systemd_machined_runtime_t)
 init_daemon_runtime_file(systemd_machined_runtime_t, dir, "machines")
 
+type systemd_machined_devpts_t;
+term_login_pty(systemd_machined_devpts_t)
+
 type systemd_modules_load_t;
 type systemd_modules_load_exec_t;
 init_daemon_domain(systemd_modules_load_t, systemd_modules_load_exec_t)
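Review bot: term_login_pty(systemd_machined_devpts_t) puts the new type on the generic pty attributes, so any domain holding term_use_all_ptys() or term_use_all_terms() can read and write the terminals machined hands out, not just systemd_machined_t and the domains given systemd_use_machined_devpts(); if these ptys are only for machinectl shell sessions, term_pty() is the narrower choice. Either way a comment stating what the type labels (the pty machined allocates for machinectl shell) is missing.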
@@ -559,6 +562,9 @@ allow systemd_logind_t self:fifo_file rw_fifo_file_perms;
 allow systemd_logind_t systemd_logind_var_lib_t:dir manage_dir_perms;
 init_var_lib_filetrans(systemd_logind_t, systemd_logind_var_lib_t, dir)
 
+# for /run/systemd/userdb/io.systemd.Machine
+allow systemd_logind_t systemd_machined_t:unix_stream_socket connectto;
+
 manage_fifo_files_pattern(systemd_logind_t, systemd_logind_runtime_t, systemd_logind_runtime_t)
 manage_files_pattern(systemd_logind_t, systemd_logind_runtime_t, systemd_logind_runtime_t)
 allow systemd_logind_t systemd_logind_runtime_t:dir manage_dir_perms;
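Review bot: same gap as in systemd_connect_machined(): connectto on systemd_machined_t's stream socket does not by itself let systemd_logind_t open /run/systemd/userdb/io.systemd.Machine; logind also needs write on that sock_file and search on /run/systemd/userdb, so either those come from another rule (worth saying in the comment) or this will still be denied. Using a raw allow rather than the module's own interface is correct per refpolicy convention.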
@@ -730,6 +736,8 @@ allow systemd_machined_t systemd_machined_runtime_t:lnk_file manage_lnk_file_per
 kernel_read_kernel_sysctls(systemd_machined_t)
 kernel_read_system_state(systemd_machined_t)
 
+dev_getattr_fs(systemd_machined_t)
+
 files_read_etc_files(systemd_machined_t)
 
 fs_getattr_cgroup(systemd_machined_t)
@@ -753,6 +761,10 @@ logging_send_syslog_msg(systemd_machined_t)
 
 seutil_search_default_contexts(systemd_machined_t)
 
+term_create_pty(systemd_machined_t, systemd_machined_devpts_t)
+allow systemd_machined_t systemd_machined_devpts_t:chr_file manage_file_perms;
+term_getattr_pty_fs(systemd_machined_t)
+
 optional_policy(`
 	init_dbus_chat(systemd_machined_t)
 	init_dbus_send_script(systemd_machined_t)
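Review bot: `allow systemd_machined_t systemd_machined_devpts_t:chr_file manage_file_perms;` applies a plain-file permission set to a chr_file; the matching set is manage_chr_file_perms, and if machined only needs to open, read/write and chown/chmod the pty it allocates, { rw_chr_file_perms setattr } is tighter and is the usual pairing with the type transition term_create_pty() sets up. The mismatch also makes sesearch output confusing.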



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/services/
@ 2021-02-07  3:20 Jason Zaman
  0 siblings, 0 replies; 20+ messages in thread
From: Jason Zaman @ 2021-02-07  3:20 UTC
  To: gentoo-commits

commit:     bf7f2433ab9c0dd622694a8d00e6fc3deca31a8d
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Tue Feb  2 19:11:32 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb  6 21:15:09 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=bf7f2433

systemd: Rename systemd_use_machined_devpts().

Renamed to systemd_use_inherited_machined_ptys().

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/dbus.te  | 4 ++--
 policy/modules/system/systemd.if | 2 +-
 policy/modules/system/systemd.te | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index 1f1b33c1..95ff7b36 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -1,4 +1,4 @@
-policy_module(dbus, 1.29.6)
+policy_module(dbus, 1.29.7)
 
 gen_require(`
 	class dbus all_dbus_perms;
@@ -195,7 +195,7 @@ optional_policy(`
 	systemd_write_inherited_logind_sessions_pipes(system_dbusd_t)
 
 	# for passing around terminal file handles for machinectl shell
-	systemd_use_machined_devpts(system_dbusd_t)
+	systemd_use_inherited_machined_ptys(system_dbusd_t)
 ')
 
 optional_policy(`

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 48a63cb3..fb20b528 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -1344,7 +1344,7 @@ interface(`systemd_run_sysusers', `
 ## </param>
 ## <rolecap/>
 #
-interface(`systemd_use_machined_devpts', `
+interface(`systemd_use_inherited_machined_ptys', `
 	gen_require(`
 		type systemd_machined_t, systemd_machined_devpts_t;
 	')
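Review bot: the rename to systemd_use_inherited_machined_ptys() is the right call, but the doc block was left untouched: the summary still reads "receive and use a systemd_machined_devpts_t file handle" and the <rolecap/> tag remains on an interface that grants no role capability. Update the summary to match the new name and drop the tag in the same commit so the generated docs do not lag the code.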

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index abf62148..7c7d6256 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1,4 +1,4 @@
-policy_module(systemd, 1.10.12)
+policy_module(systemd, 1.10.13)
 
 #########################################
 #



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/services/
@ 2021-09-05 16:00 Jason Zaman
  0 siblings, 0 replies; 20+ messages in thread
From: Jason Zaman @ 2021-09-05 16:00 UTC
  To: gentoo-commits

commit:     5473333c1442dc9d044153734ebc285d024ee300
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Jul 14 13:36:17 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Sep  5 14:26:44 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5473333c

dhcp, radvd, sysnetwork: Module version bump.

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/dhcp.te     | 2 +-
 policy/modules/services/radvd.te    | 2 +-
 policy/modules/system/sysnetwork.te | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/policy/modules/services/dhcp.te b/policy/modules/services/dhcp.te
index d0560268..2bac88c0 100644
--- a/policy/modules/services/dhcp.te
+++ b/policy/modules/services/dhcp.te
@@ -1,4 +1,4 @@
-policy_module(dhcp, 1.20.0)
+policy_module(dhcp, 1.20.1)
 
 ########################################
 #

diff --git a/policy/modules/services/radvd.te b/policy/modules/services/radvd.te
index 7d01b6ce..718f8721 100644
--- a/policy/modules/services/radvd.te
+++ b/policy/modules/services/radvd.te
@@ -1,4 +1,4 @@
-policy_module(radvd, 1.20.0)
+policy_module(radvd, 1.20.1)
 
 ########################################
 #

diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 81a17898..9aae11dd 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -1,4 +1,4 @@
-policy_module(sysnetwork, 1.27.1)
+policy_module(sysnetwork, 1.27.2)
 
 ########################################
 #



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/services/
@ 2021-11-11 21:27 Jason Zaman
  0 siblings, 0 replies; 20+ messages in thread
From: Jason Zaman @ 2021-11-11 21:27 UTC
  To: gentoo-commits

commit:     aeb656ea428466c9609468be4ac76243e84f73f1
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Sun Nov  7 01:53:34 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Nov 11 21:26:50 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=aeb656ea

policykit, systemd: allow policykit to watch systemd logins and sessions

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/policykit.te |  2 ++
 policy/modules/system/systemd.if     | 38 ++++++++++++++++++++++++++++++++++++
 2 files changed, 40 insertions(+)

diff --git a/policy/modules/services/policykit.te b/policy/modules/services/policykit.te
index 721534a0..a76f8697 100644
--- a/policy/modules/services/policykit.te
+++ b/policy/modules/services/policykit.te
@@ -137,9 +137,11 @@ optional_policy(`
 
 	# for /run/systemd/seats/seat*
 	systemd_read_logind_sessions_files(policykit_t)
+	systemd_watch_logind_sessions_dirs(policykit_t)
 
 	# for /run/systemd/users/*
 	systemd_read_logind_runtime_files(policykit_t)
+	systemd_watch_logind_runtime_dirs(policykit_t)
 ')
 
 ########################################
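Review bot: the comment "# for /run/systemd/seats/seat*" now heads calls whose interfaces act on systemd_sessions_runtime_t (sessions, not seats); if the watch really is for the seats directory the interface name and type are wrong, and if it is for sessions the comment needs updating. Also confirm the tree's access vectors define watch on dir, otherwise the module will not compile on older policies.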

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index a493f7dc..38adf050 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -763,6 +763,25 @@ interface(`systemd_write_logind_pid_pipes',`
 	systemd_write_logind_runtime_pipes($1)
 ')
 
+######################################
+## <summary>
+##   Watch systemd-logind runtime dirs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`systemd_watch_logind_runtime_dirs',`
+	gen_require(`
+		type systemd_logind_runtime_t;
+	')
+
+	files_search_runtime($1)
+	allow $1 systemd_logind_runtime_t:dir watch;
+')
+
 ######################################
 ## <summary>
 ##   Read systemd-logind runtime files.
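Review bot: systemd_watch_logind_runtime_dirs() prepends files_search_runtime($1) while its twin systemd_watch_logind_sessions_dirs() in the next hunk uses init_search_run($1); /run/systemd/users sits under /run/systemd, so search on /run alone does not reach it. Use the same prerequisite in both and mirror whatever the existing systemd_read_logind_runtime_files() already requires.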
@@ -841,6 +860,25 @@ interface(`systemd_use_logind_fds',`
 	allow $1 systemd_logind_t:fd use;
 ')
 
+######################################
+## <summary>
+##      Watch logind sessions dirs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`systemd_watch_logind_sessions_dirs',`
+	gen_require(`
+		type systemd_sessions_runtime_t;
+	')
+
+	init_search_run($1)
+	allow $1 systemd_sessions_runtime_t:dir watch;
+')
+
 ######################################
 ## <summary>
 ##      Read logind sessions files.



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/services/
@ 2022-01-30  1:22 Jason Zaman
  0 siblings, 0 replies; 20+ messages in thread
From: Jason Zaman @ 2022-01-30  1:22 UTC
  To: gentoo-commits

commit:     79b0ec7e2d66dadd3570e99801632ac32cfe0147
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Sat Dec  4 18:43:43 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jan 30 01:12:42 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=79b0ec7e

container, iptables: dontaudit iptables rw on /ptmx

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/container.if | 19 +++++++++++++++++++
 policy/modules/system/iptables.te    |  5 +++++
 2 files changed, 24 insertions(+)

diff --git a/policy/modules/services/container.if b/policy/modules/services/container.if
index d7ad3e84..92b5a2f7 100644
--- a/policy/modules/services/container.if
+++ b/policy/modules/services/container.if
@@ -611,6 +611,25 @@ interface(`container_manage_sock_files',`
 	manage_sock_files_pattern($1, container_file_t, container_file_t)
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to read
+##	and write container chr files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_dontaudit_rw_chr_files',`
+	gen_require(`
+		type container_file_t;
+	')
+
+	dontaudit $1 container_file_t:chr_file rw_chr_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Allow the specified domain to
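Review bot: the <param> text for a dontaudit interface should read "Domain to not audit." per refpolicy convention, not "Domain allowed access.", since nothing is allowed. Note also that rw_chr_file_perms includes open, so this silences opens of any container_file_t device node, not only inherited-fd reads and writes on /ptmx; acceptable for a generic interface, but the summary should then say "container device nodes" rather than hint at one case.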

diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
index f61b8af1..39ce924d 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -105,6 +105,11 @@ ifdef(`hide_broken_symptoms',`
 	dev_dontaudit_write_mtrr(iptables_t)
 ')
 
+optional_policy(`
+	# iptables may try to rw /ptmx in a container
+	container_dontaudit_rw_chr_files(iptables_t)
+')
+
 optional_policy(`
 	fail2ban_append_log(iptables_t)
 ')
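Review bot: if iptables is merely inheriting a container's /ptmx on stdio, the noise comes from read/write on an inherited fd and an interface without open (rw_inherited_chr_file_perms style) would cover it; as written the dontaudit also hides genuine open attempts on container device nodes. Given the neighbouring dev_dontaudit_write_mtrr() lives under ifdef(`hide_broken_symptoms'), consider the same guard so the silenced denials stay visible to people debugging policy.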



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/services/
@ 2022-02-07  2:14 Jason Zaman
  0 siblings, 0 replies; 20+ messages in thread
From: Jason Zaman @ 2022-02-07  2:14 UTC
  To: gentoo-commits

commit:     85d6a0dc23d32be6b29c25dfd4b5221346c05d52
Author:     Chris PeBenito <Christopher.PeBenito <AT> microsoft <DOT> com>
AuthorDate: Mon Jan  3 21:17:56 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb  7 02:08:37 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=85d6a0dc

systemd, ssh: Crypto sysctl use.

Signed-off-by: Chris PeBenito <Christopher.PeBenito <AT> microsoft.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/ssh.te   | 1 +
 policy/modules/system/systemd.te | 2 ++
 2 files changed, 3 insertions(+)

diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 194e97f8..ce320c6a 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -339,6 +339,7 @@ allow ssh_keygen_t sshd_key_t:file manage_file_perms;
 files_etc_filetrans(ssh_keygen_t, sshd_key_t, file)
 
 kernel_read_kernel_sysctls(ssh_keygen_t)
+kernel_read_crypto_sysctls(ssh_keygen_t)
 kernel_dontaudit_getattr_proc(ssh_keygen_t)
 kernel_dontaudit_read_system_state(ssh_keygen_t)
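Review bot: the commit message says only "Crypto sysctl use"; a comment above kernel_read_crypto_sysctls(ssh_keygen_t) naming the /proc/sys/crypto entry that triggered it would save the next reader a trip to the audit log. Since sshd_t and the other ssh domains link the same crypto library, check whether they raise the same denial rather than fixing only the keygen domain.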
 

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index db8c9979..95939f0f 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -701,6 +701,8 @@ selinux_use_status_page(systemd_hw_t)
 init_read_state(systemd_hw_t)
 init_search_runtime(systemd_hw_t)
 
+kernel_read_crypto_sysctls(systemd_hw_t)
+
 seutil_read_config(systemd_hw_t)
 seutil_read_file_contexts(systemd_hw_t)
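Review bot: refpolicy orders kernel-layer calls (kernel_*, dev_*, files_*) before system-layer ones (init_*, seutil_*), so kernel_read_crypto_sysctls(systemd_hw_t) belongs with the other kernel_* rules for systemd_hw_t rather than between init_search_runtime() and seutil_read_config(); as with the ssh hunk, a comment naming the sysctl would help.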
 



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/services/
@ 2022-02-27  2:52 Jason Zaman
  0 siblings, 0 replies; 20+ messages in thread
From: Jason Zaman @ 2022-02-27  2:52 UTC
  To: gentoo-commits

commit:     d83e298072d6c11a5ab55195dbd6392f03da472f
Author:     Russell Coker <russell <AT> coker <DOT> com <DOT> au>
AuthorDate: Sun Feb 13 10:10:09 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Feb 27 02:13:17 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d83e2980

remove aliases from 20210203

This patch against version 20220106 removes the typealias rules that were in
version 20210203.  If we include this now then the typealias rules in
question will have been there for 3 consecutive releases.  But if you think
we should wait until after the next release that's OK.

It's obvious that this patch should be included sooner or later, I think now
is a reasonable time.

Signed-off-by: Russell Coker <russell <AT> coker.com.au>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/acpi.te         | 1 -
 policy/modules/services/clamav.te       | 1 -
 policy/modules/services/exim.te         | 1 -
 policy/modules/services/ftp.te          | 1 -
 policy/modules/services/irqbalance.te   | 1 -
 policy/modules/services/postfix.te      | 3 +--
 policy/modules/services/spamassassin.te | 1 -
 policy/modules/system/mount.te          | 1 -
 policy/modules/system/selinuxutil.te    | 1 -
 policy/modules/system/systemd.te        | 2 --
 10 files changed, 1 insertion(+), 12 deletions(-)

diff --git a/policy/modules/services/acpi.te b/policy/modules/services/acpi.te
index 92d52182..c4ca7f7f 100644
--- a/policy/modules/services/acpi.te
+++ b/policy/modules/services/acpi.te
@@ -27,7 +27,6 @@ type acpid_log_t;
 logging_log_file(acpid_log_t)
 
 type acpid_runtime_t;
-typealias acpid_runtime_t alias acpid_var_run_t;
 files_runtime_file(acpid_runtime_t)
 
 type acpid_tmp_t;
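Review bot: dropping the `typealias acpid_runtime_t alias acpid_var_run_t;` line means any remaining reference to acpid_var_run_t (in .fc files, other modules, or locally built third-party modules) will fail to build or link, so the removal should be paired with a grep across the tree for the old name before merging. The commit message's point that the alias has shipped in two releases covers the deprecation window, but listing the removed alias names somewhere administrators with custom modules will see them would help.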

diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te
index 761de69d..b2ea270c 100644
--- a/policy/modules/services/clamav.te
+++ b/policy/modules/services/clamav.te
@@ -41,7 +41,6 @@ init_script_file(clamd_initrc_exec_t)
 
 type clamd_runtime_t;
 files_runtime_file(clamd_runtime_t)
-typealias clamd_runtime_t alias clamd_var_run_t;
 
 type clamd_tmp_t;
 files_tmp_file(clamd_tmp_t)

diff --git a/policy/modules/services/exim.te b/policy/modules/services/exim.te
index dc03379b..65217d7e 100644
--- a/policy/modules/services/exim.te
+++ b/policy/modules/services/exim.te
@@ -55,7 +55,6 @@ type exim_log_t;
 logging_log_file(exim_log_t)
 
 type exim_pid_t;
-typealias exim_pid_t alias exim_var_run_t;
 files_runtime_file(exim_pid_t)
 
 type exim_spool_t;

diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
index 6cffdfc2..a3ff66fe 100644
--- a/policy/modules/services/ftp.te
+++ b/policy/modules/services/ftp.te
@@ -110,7 +110,6 @@ gen_tunable(sftpd_write_ssh_home, false)
 attribute_role ftpdctl_roles;
 
 type anon_sftpd_t;
-typealias anon_sftpd_t alias sftpd_anon_t;
 domain_type(anon_sftpd_t)
 role system_r types anon_sftpd_t;
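Review bot: this hunk, together with the spamassassin and postfix hunks, removes aliases of domain types (sftpd_anon_t, spamd_gpg_t, postfix_t) rather than *_var_run_t file types, so anything that names the old domain in a `role ... types` statement or in a contexts configuration stops resolving; calling out the dropped domain aliases separately in the commit message would make the upgrade impact clearer than the generic "typealias rules" wording.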
 

diff --git a/policy/modules/services/irqbalance.te b/policy/modules/services/irqbalance.te
index 3b86f88c..0a6f4c9b 100644
--- a/policy/modules/services/irqbalance.te
+++ b/policy/modules/services/irqbalance.te
@@ -13,7 +13,6 @@ type irqbalance_initrc_exec_t;
 init_script_file(irqbalance_initrc_exec_t)
 
 type irqbalance_pid_t;
-typealias irqbalance_pid_t alias irqbalance_var_run_t;
 files_runtime_file(irqbalance_pid_t)
 
 type irqbalance_unit_t;

diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
index 4d62f8cf..6b97df10 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@@ -51,8 +51,7 @@ type postfix_map_tmp_t;
 files_tmp_file(postfix_map_tmp_t)
 
 postfix_domain_template(master)
-typealias postfix_master_t alias postfix_t;
-mta_mailserver(postfix_t, postfix_master_exec_t)
+mta_mailserver(postfix_master_t, postfix_master_exec_t)
 
 type postfix_initrc_exec_t;
 init_script_file(postfix_initrc_exec_t)
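Review bot: besides removing the `postfix_t` alias, this hunk rewrites the `mta_mailserver()` call to `postfix_master_t`, which is the one place in the patch where a rule's subject changes rather than just disappearing; confirm that no other module or interface still passes `postfix_t` (the diffstat shows only this postfix file changed), since a stale reference elsewhere would only surface at link time.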

diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te
index fc4e54f7..4162995f 100644
--- a/policy/modules/services/spamassassin.te
+++ b/policy/modules/services/spamassassin.te
@@ -30,7 +30,6 @@ gen_tunable(spamd_enable_home_dirs, false)
 gen_tunable(rspamd_spamd, false)
 
 type spamd_update_t;
-typealias spamd_update_t alias spamd_gpg_t;
 type spamd_update_exec_t;
 init_system_domain(spamd_update_t, spamd_update_exec_t)
 

diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index d577da34..0efbdc7f 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -24,7 +24,6 @@ type mount_loopback_t; # customizable
 fs_image_file(mount_loopback_t)
 
 type mount_runtime_t;
-typealias mount_runtime_t alias mount_var_run_t;
 files_runtime_file(mount_runtime_t)
 
 type mount_tmp_t;

diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 904c59fc..b596ccb5 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -89,7 +89,6 @@ type restorecond_unit_t;
 init_unit_file(restorecond_unit_t)
 
 type restorecond_run_t;
-typealias restorecond_run_t alias restorecond_var_run_t;
 files_runtime_file(restorecond_run_t)
 
 type run_init_t;

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 68fb96ec..d02e7edd 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -111,8 +111,6 @@ systemd_tmpfiles_conf_file(systemd_factory_conf_t)
 
 type systemd_generator_t;
 type systemd_generator_exec_t;
-typealias systemd_generator_t alias { systemd_fstab_generator_t systemd_gpt_generator_t };
-typealias systemd_generator_exec_t alias { systemd_fstab_generator_exec_t systemd_gpt_generator_exec_t };
 init_system_domain(systemd_generator_t, systemd_generator_exec_t)
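Review bot: the two removed typealias lines are the only ones in this patch that fold two former domains (systemd_fstab_generator_t and systemd_gpt_generator_t, plus their exec types) into one, so a local policy that still grants or restricts the old generator types separately will now fail to link; worth stating explicitly in the commit message alongside the *_var_run_t renames, because it changes the granularity rather than just the name.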
 
 type systemd_homed_t;



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/services/
@ 2022-04-09 19:28 Jason Zaman
From: Jason Zaman @ 2022-04-09 19:28 UTC
  To: gentoo-commits

commit:     51c0bb3f83ad430565b85ce7c16608e8174a9014
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Thu Mar 31 19:04:26 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Apr  9 19:28:30 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=51c0bb3f

container, init: allow init to remount container filesystems

Allow init to remount container filesystems. This is in support of other
services starting with NoNewPrivileges while already running containers
have mounted filesystems.

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/container.if | 19 +++++++++++++++++++
 policy/modules/system/init.te        |  4 ++++
 2 files changed, 23 insertions(+)

diff --git a/policy/modules/services/container.if b/policy/modules/services/container.if
index bf5ecfb5..541eb8a5 100644
--- a/policy/modules/services/container.if
+++ b/policy/modules/services/container.if
@@ -1099,6 +1099,25 @@ interface(`container_relabel_all_content',`
 	allow $1 container_file_t:dir_file_class_set { relabelfrom relabelto };
 ')
 
+########################################
+## <summary>
+##	Allow the specified domain to
+##	remount container filesystems.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_remount_fs',`
+	gen_require(`
+		type container_file_t;
+	')
+
+	allow $1 container_file_t:filesystem remount;
+')
+
 ########################################
 ## <summary>
 ##	Allow the specified domain to
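Review bot: `allow $1 container_file_t:filesystem remount;` lets the caller change mount options (for example clearing nosuid or noexec) on every filesystem labeled container_file_t, so callers should stay limited to init-like domains and the summary should make clear that this is option-changing remount access, not just inspection. The doc block and gen_require follow the file's conventions.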

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 6e1baef9..db06551c 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -543,6 +543,10 @@ ifdef(`init_systemd',`
 		clock_read_adjtime(init_t)
 	')
 
+	optional_policy(`
+		container_remount_fs(init_t)
+	')
+
 	optional_policy(`
 		systemd_dbus_chat_logind(init_t)
 		systemd_search_all_user_keys(init_t)
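Review bot: the new `optional_policy` block carries no comment explaining why init_t needs to remount container filesystems, while the commit message gives the reason (NoNewPrivileges services starting while containers have mounts); a one-line comment such as `# remount for NoNewPrivileges= units while containers are running` inside the block would keep that rationale next to the rule, matching the surrounding init.te blocks.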



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/services/
@ 2022-11-02 14:42 Kenton Groombridge
From: Kenton Groombridge @ 2022-11-02 14:42 UTC
  To: gentoo-commits

commit:     95006bc2eacf58bf5d47246f7e431aa4ea6f64a1
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Sat Sep 24 17:05:00 2022 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Wed Nov  2 14:07:17 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=95006bc2

selinuxutil: allow semanage, setfiles to inherit gluster fds

The Gluster daemon uses a hook which adds a file context for gluster
bricks when they are created via the use of 'semanage fcontext -a'.

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/services/glusterfs.if | 18 ++++++++++++++++++
 policy/modules/system/selinuxutil.te |  9 +++++++++
 2 files changed, 27 insertions(+)

diff --git a/policy/modules/services/glusterfs.if b/policy/modules/services/glusterfs.if
index 328818ad3..5e6af0ecc 100644
--- a/policy/modules/services/glusterfs.if
+++ b/policy/modules/services/glusterfs.if
@@ -66,6 +66,24 @@ interface(`glusterfs_stream_connect_daemon',`
 	allow $1 glusterd_runtime_t:sock_file read_sock_file_perms;
 ')
 
+########################################
+## <summary>
+##	Inherit and use glusterd file descriptors.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`glusterfs_use_daemon_fds',`
+	gen_require(`
+		type glusterd_t;
+	')
+
+	allow $1 glusterd_t:fd use;
+')
+
 ########################################
 ## <summary>
 ##	All of the rules required to
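Review bot: `allow $1 glusterd_t:fd use;` is the right scope for inherited descriptors and the name follows the file's `glusterfs_stream_connect_daemon` convention; consider whether callers would be better served by a dontaudit variant where the inherited descriptor is merely leaked and never used, since a `use` grant on every glusterd descriptor is broader than what a hook that only runs semanage needs.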

diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index d3678246a..14a17175f 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -208,6 +208,11 @@ ifdef(`distro_ubuntu',`
 	')
 ')
 
+optional_policy(`
+	# glusterd calls semanage fcontext
+	glusterfs_use_daemon_fds(load_policy_t)
+')
+
 optional_policy(`
 	portage_dontaudit_use_fds(load_policy_t)
 ')
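Review bot: the commit title says semanage and setfiles, but this hunk grants load_policy_t, not a semanage domain; the comment `# glusterd calls semanage fcontext` should say that `semanage fcontext -a` in turn runs load_policy (and setfiles, covered in the next hunk), otherwise a reader will look for a semanage_t rule that is not in the patch.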
@@ -693,6 +698,10 @@ optional_policy(`
 	apt_use_fds(setfiles_t)
 ')
 
+optional_policy(`
+	glusterfs_use_daemon_fds(setfiles_t)
+')
+
 optional_policy(`
         # leaked file descriptors
         udev_dontaudit_rw_dgram_sockets(setfiles_t)
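Review bot: the setfiles_t block has no comment while the load_policy_t block earlier in the file explains the gluster hook; mirror the `# glusterd calls semanage fcontext` comment here so both grants are traceable to the same cause.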



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/services/
@ 2023-10-06 16:44 Kenton Groombridge
From: Kenton Groombridge @ 2023-10-06 16:44 UTC
  To: gentoo-commits

commit:     90affee2271dfbaad7e02781e1c583e886229754
Author:     Russell Coker <russell <AT> coker <DOT> com <DOT> au>
AuthorDate: Thu Sep 28 13:46:14 2023 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Fri Oct  6 15:30:52 2023 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=90affee2

misc small patches for cron policy (#701)

* Some misc small patches for cron policy

Signed-off-by: Russell Coker <russell <AT> coker.com.au>

* added systemd_dontaudit_connect_machined interface

Signed-off-by: Russell Coker <russell <AT> coker.com.au>

* Remove the line about connecting to tor

Signed-off-by: Russell Coker <russell <AT> coker.com.au>

* remove the dontaudit for connecting to machined

Signed-off-by: Russell Coker <russell <AT> coker.com.au>

* changed to distro_debian

Signed-off-by: Russell Coker <russell <AT> coker.com.au>

* mta: Whitespace changes.

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>

* cron: Move lines.

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>

---------

Signed-off-by: Russell Coker <russell <AT> coker.com.au>
Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Co-authored-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/services/cron.if    | 36 ++++++++++++++++++++++++++++++++++++
 policy/modules/services/cron.te    | 11 +++++++++++
 policy/modules/services/mta.te     |  7 ++++++-
 policy/modules/services/postfix.te |  1 +
 policy/modules/system/init.if      | 18 ++++++++++++++++++
 policy/modules/system/systemd.if   | 18 ++++++++++++++++++
 6 files changed, 90 insertions(+), 1 deletion(-)

diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if
index 87306cfdb..049b01494 100644
--- a/policy/modules/services/cron.if
+++ b/policy/modules/services/cron.if
@@ -755,6 +755,24 @@ interface(`cron_rw_tmp_files',`
 	allow $1 crond_tmp_t:file rw_file_perms;
 ')
 
+########################################
+## <summary>
+##      Read and write inherited crond temporary files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`cron_rw_inherited_tmp_files',`
+	gen_require(`
+		type crond_tmp_t;
+	')
+
+	allow $1 crond_tmp_t:file rw_inherited_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Read system cron job lib files.
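Review bot: the XML doc lines in `cron_rw_inherited_tmp_files` (`##      Read and write inherited crond temporary files.` and the `<param>` summary) are indented with spaces, while every other interface in cron.if uses a tab after `##`; switch to tabs so the generated documentation and the file stay consistent. The rule body itself mirrors `cron_rw_tmp_files` directly above with `rw_inherited_file_perms`, which is the expected pairing.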
@@ -888,6 +906,24 @@ interface(`cron_dontaudit_append_system_job_tmp_files',`
 	dontaudit $1 system_cronjob_tmp_t:file append_file_perms;
 ')
 
+########################################
+## <summary>
+##	allow appending temporary system cron job files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to allow.
+##	</summary>
+## </param>
+#
+interface(`cron_append_system_job_tmp_files',`
+	gen_require(`
+		type system_cronjob_tmp_t;
+	')
+
+	allow $1 system_cronjob_tmp_t:file append_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Read and write to inherited system cron job temporary files.
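Review bot: the summary `allow appending temporary system cron job files.` starts in lowercase and the param summary reads `Domain to allow.` where the rest of the file uses `Domain allowed access.`; suggest `Append temporary system cron job files.` and the standard param text. The allow rule is the exact counterpart of the dontaudit interface above it, which is what the mta.te change in this patch relies on.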

diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
index b2de6de31..9df1e3060 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -436,6 +436,8 @@ optional_policy(`
 	systemd_dbus_chat_logind(system_cronjob_t)
 	systemd_read_journal_files(system_cronjob_t)
 	systemd_write_inherited_logind_sessions_pipes(system_cronjob_t)
+	# for runuser
+	init_search_keys(system_cronjob_t)
 	# so cron jobs can restart daemons
 	init_stream_connect(system_cronjob_t)
 	init_manage_script_service(system_cronjob_t)
@@ -491,6 +493,7 @@ kernel_getattr_message_if(system_cronjob_t)
 kernel_read_irq_sysctls(system_cronjob_t)
 kernel_read_kernel_sysctls(system_cronjob_t)
 kernel_read_network_state(system_cronjob_t)
+kernel_read_rpc_sysctls(system_cronjob_t)
 kernel_read_system_state(system_cronjob_t)
 kernel_read_software_raid_state(system_cronjob_t)
 
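Review bot: `kernel_read_rpc_sysctls(system_cronjob_t)` is added without a comment naming the job that reads the RPC sysctls; the other additions in this patch carry a `# for ...` note, so add one here as well so the grant can be revisited if that job goes away.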
@@ -535,6 +538,7 @@ files_read_usr_files(system_cronjob_t)
 files_read_var_files(system_cronjob_t)
 files_dontaudit_search_runtime(system_cronjob_t)
 files_manage_generic_spool(system_cronjob_t)
+files_manage_var_lib_dirs(system_cronjob_t)
 files_create_boot_flag(system_cronjob_t)
 files_read_var_lib_symlinks(system_cronjob_t)
 
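Review bot: `files_manage_var_lib_dirs(system_cronjob_t)` lets every system cron job create, delete and rename directories under the generic /var/lib label, which is far broader than the read and search access already in this block (`files_read_var_lib_symlinks`); if one specific job needs it, a comment naming the job and, where possible, a dedicated type with a filetrans would be tighter than manage on the generic type.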
@@ -554,6 +558,7 @@ logging_manage_generic_logs(system_cronjob_t)
 logging_send_audit_msgs(system_cronjob_t)
 logging_send_syslog_msg(system_cronjob_t)
 
+miscfiles_read_generic_certs(system_cronjob_t)
 miscfiles_read_localization(system_cronjob_t)
 
 seutil_read_config(system_cronjob_t)
@@ -654,6 +659,10 @@ optional_policy(`
 	mysql_read_config(system_cronjob_t)
 ')
 
+optional_policy(`
+	ntp_read_config(system_cronjob_t)
+')
+
 optional_policy(`
 	postfix_read_config(system_cronjob_t)
 ')
@@ -678,6 +687,8 @@ optional_policy(`
 
 	# for gpg-connect-agent to access /run/user/0
 	userdom_manage_user_runtime_dirs(system_cronjob_t)
+	# for /run/user/0/gnupg
+	userdom_manage_user_tmp_dirs(system_cronjob_t)
 ')
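Review bot: the comment `# for /run/user/0/gnupg` sits on `userdom_manage_user_tmp_dirs`, but /run/user/0 is what the line above (`userdom_manage_user_runtime_dirs`, commented as being for gpg-connect-agent) already covers; if the gnupg directory under /run/user/0 is actually labeled with the user tmp type on the reporting system, say so in the comment, otherwise the second call looks redundant.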
 
 ########################################

diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
index 8ed3c8480..63c8562ae 100644
--- a/policy/modules/services/mta.te
+++ b/policy/modules/services/mta.te
@@ -285,7 +285,12 @@ optional_policy(`
 	userdom_dontaudit_use_user_ptys(system_mail_t)
 
 	optional_policy(`
-		cron_dontaudit_append_system_job_tmp_files(system_mail_t)
+		ifdef(`distro_debian',`
+			# anacron on Debian gives empty email if this is not permitted
+			cron_append_system_job_tmp_files(system_mail_t)
+		', `
+			cron_dontaudit_append_system_job_tmp_files(system_mail_t)
+		')
 	')
 ')
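Review bot: the else branch of the new m4 `ifdef` is written with a space between the comma and the opening quote, while refpolicy elsewhere writes the two tokens without a space; a style nit only. More substantively, the Debian branch turns a dontaudit into an allow for system_mail_t appending system cron job temp files, and the `# anacron on Debian gives empty email if this is not permitted` comment records the reason, so the behavioural difference between distros is intentional and visible in the policy.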
 

diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
index 7b158e705..528a84de9 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@@ -652,6 +652,7 @@ optional_policy(`
 
 optional_policy(`
 	cron_system_entry(postfix_postdrop_t, postfix_postdrop_exec_t)
+	cron_use_system_job_fds(postfix_postdrop_t)
 ')
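Review bot: `cron_use_system_job_fds(postfix_postdrop_t)` is added without a comment; the neighbouring `cron_system_entry` line makes the pairing fairly obvious (postdrop inheriting descriptors from a cron job that pipes mail into it), but a short `# inherits fds from cron jobs sending mail` note would match the style used elsewhere in this patch.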
 
 optional_policy(`

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index daab804c6..d91eadfb5 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -3858,3 +3858,21 @@ interface(`init_getrlimit',`
 
 	allow $1 init_t:process getrlimit;
 ')
+
+########################################
+## <summary>
+##      Allow searching init_t keys
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Source domain
+##      </summary>
+## </param>
+#
+interface(`init_search_keys',`
+	gen_require(`
+		type init_t;
+	')
+
+	allow $1 init_t:key search;
+')
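Review bot: the doc block of `init_search_keys` uses space indentation after `##`, the summary `Allow searching init_t keys` lacks a trailing period, and the param summary `Source domain` differs from the `Domain allowed access.` wording used throughout init.if; align these, since the interface is appended at the very end of the file where the inconsistency is easy to miss. The `key search` permission itself is the minimal one for runuser to find init's keyring.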

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 64455eed5..19b2dbd85 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -1517,6 +1517,24 @@ interface(`systemd_connect_machined',`
 	allow $1 systemd_machined_t:unix_stream_socket connectto;
 ')
 
+########################################
+## <summary>
+##     dontaudit connecting to /run/systemd/userdb/io.systemd.Machine socket
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain that can access the socket
+##	</summary>
+## </param>
+#
+interface(`systemd_dontaudit_connect_machined',`
+	gen_require(`
+		type systemd_machined_t;
+	')
+
+	dontaudit $1 systemd_machined_t:unix_stream_socket connectto;
+')
+
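Review bot: `systemd_dontaudit_connect_machined` is added here but nothing in this patch calls it, and the commit message bullets say the dontaudit for machined was removed again; either drop the unused interface or keep it and state where it is meant to be used. The summary line also starts lowercase and is indented with spaces while the `<param>` block uses tabs.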
 ########################################
 ## <summary>
 ##   Send and receive messages from



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/services/
@ 2023-10-06 16:44 Kenton Groombridge
From: Kenton Groombridge @ 2023-10-06 16:44 UTC
  To: gentoo-commits

commit:     767814945e7b4302e9c085aba0d2772d051cd005
Author:     Dave Sugar <31021570+dsugar100 <AT> users <DOT> noreply <DOT> github <DOT> com>
AuthorDate: Fri Oct  6 13:06:39 2023 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Fri Oct  6 15:31:45 2023 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=76781494

Separate label for /run/systemd/notify (#710)

* Separate label for /run/systemd/notify

label systemd_runtime_notify_t
Allow daemon domains to write by default

Signed-off-by: Dave Sugar <dsugar100 <AT> gmail.com>

* systemd: Add -s to /run/systemd/notify socket.

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
---------

Signed-off-by: Dave Sugar <dsugar100 <AT> gmail.com>
Co-authored-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/services/dbus.te  |  2 +-
 policy/modules/system/init.if    | 19 +++++++++++++++++++
 policy/modules/system/init.te    |  3 ++-
 policy/modules/system/systemd.fc |  1 +
 policy/modules/system/systemd.if | 22 ++++++++++++++++++++++
 policy/modules/system/systemd.te |  3 +++
 6 files changed, 48 insertions(+), 2 deletions(-)

diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index 79089b1c5..9ccd8a424 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -219,7 +219,7 @@ ifdef(`init_systemd', `
 	init_stop_all_units(system_dbusd_t)
 
 	# Recent versions of dbus are started as Type=notify
-	init_write_runtime_socket(system_dbusd_t)
+	systemd_write_notify_socket(system_dbusd_t)
 
 	tunable_policy(`dbus_broker_system_bus',`
 		init_get_system_status(system_dbusd_t)
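Review bot: replacing `init_write_runtime_socket` with `systemd_write_notify_socket` narrows dbus from writing any init runtime socket to the notify socket only, which is the right direction; the call sits inside the `ifdef(\`init_systemd'` block, so the hard dependency on the systemd module is acceptable without an optional_policy wrapper.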

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index d91eadfb5..5b0f44381 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1002,6 +1002,25 @@ interface(`init_unix_stream_socket_connectto',`
 	allow $1 init_t:unix_stream_socket connectto;
 ')
 
+########################################
+## <summary>
+##	Send to init with a unix socket.
+##  Without any additional permissions.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_unix_stream_socket_sendto',`
+	gen_require(`
+		type init_t;
+	')
+
+	allow $1 init_t:unix_stream_socket sendto;
+')
+
 ########################################
 ## <summary>
 ##	Inherit and use file descriptors from init.
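Review bot: `init_unix_stream_socket_sendto` grants sendto on init_t's unix_stream_socket, but sd_notify sends to /run/systemd/notify through a datagram socket, so the permission a Type=notify service actually exercises is more likely unix_dgram_socket sendto; verify against an AVC from such a service before merging, otherwise `systemd_write_notify_socket` may still leave a denial. The doc line `##  Without any additional permissions.` also uses two spaces where the rest of the block uses a tab.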

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 457fac072..c83d88b74 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1178,6 +1178,7 @@ ifdef(`init_systemd',`
 
 	systemd_start_power_units(initrc_t)
 	systemd_watch_networkd_runtime_dirs(initrc_t)
+	systemd_write_notify_socket(initrc_t)
 
 	# Ensures the memory.pressure cgroup file is labelled differently, so
 	# that processes can manage it without having access to the rest of the
@@ -1611,7 +1612,7 @@ ifdef(`init_systemd',`
 	fs_search_cgroup_dirs(daemon)
 
 	# need write to /var/run/systemd/notify
-	init_write_runtime_socket(daemon)
+	systemd_write_notify_socket(daemon)
 ')
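Review bot: the comment `# need write to /var/run/systemd/notify` still names the /var/run path while the new fc entry in this patch labels /run/systemd/notify; update the comment to the /run path so a search for the labeled path finds both the rule and the file context.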
 
 tunable_policy(`init_daemons_use_tty',`

diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index ac64a5d5c..57f746c58 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -103,6 +103,7 @@ HOME_DIR/\.local/share/systemd(/.*)?		gen_context(system_u:object_r:systemd_data
 /run/systemd/ask-password-block(/.*)?	gen_context(system_u:object_r:systemd_passwd_runtime_t,s0)
 /run/systemd/home(/.*)?         gen_context(system_u:object_r:systemd_homed_runtime_t,s0)
 /run/systemd/network(/.*)?  gen_context(system_u:object_r:systemd_networkd_runtime_t,s0)
+/run/systemd/notify		-s	gen_context(system_u:object_r:systemd_runtime_notify_t,s0)
 /run/systemd/resolve(/.*)?  gen_context(system_u:object_r:systemd_resolved_runtime_t,s0)
 /run/systemd/seats(/.*)?	gen_context(system_u:object_r:systemd_sessions_runtime_t,s0)
 /run/systemd/sessions(/.*)?	gen_context(system_u:object_r:systemd_sessions_runtime_t,s0)
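Review bot: the `-s` qualifier correctly restricts the /run/systemd/notify match to a socket and the type name parallels systemd_user_runtime_notify_t; since a file context only applies when the object is labeled, confirm that pid 1 picks the label up from file_contexts when it binds the socket, or add a type transition, otherwise on a system that is not relabeled after this update the socket stays init_runtime_t and the callers of `systemd_write_notify_socket` lose the access the old interface gave them.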

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 19b2dbd85..68fb1a148 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -126,6 +126,7 @@ template(`systemd_role_template',`
 	systemd_search_user_runtime_unit_dirs($1_systemd_t)
 	systemd_search_user_transient_unit_dirs($1_systemd_t)
 	systemd_read_user_units_files($1_systemd_t)
+	systemd_write_notify_socket($1_systemd_t)
 
 	dbus_system_bus_client($1_systemd_t)
 	dbus_spec_session_bus_client($1, $1_systemd_t)
@@ -276,6 +277,27 @@ interface(`systemd_user_unix_stream_activated_socket',`
 	systemd_user_activated_sock_file($2)
 ')
 
+#######################################
+## <summary>
+##  Allow the specified domain to write to
+##  systemd-notify socket
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`systemd_write_notify_socket',`
+	gen_require(`
+		type systemd_runtime_notify_t;
+	')
+
+	init_list_runtime($1)
+	init_unix_stream_socket_sendto($1)
+	allow $1 systemd_runtime_notify_t:sock_file write;
+')
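Review bot: the header rule above `systemd_write_notify_socket` is one `#` shorter than the 40-character rule most interfaces in this file use, and the summary lines are indented with two spaces rather than a tab; cosmetic, but worth fixing in the same hunk. Bundling `init_list_runtime` with the sock_file write is right, since callers need to traverse /run/systemd to reach the socket.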
+
 ######################################
 ## <summary>
 ##	Allow the target domain the permissions necessary

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index c9d21bda5..b14511c24 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -317,6 +317,9 @@ xdg_data_content(systemd_data_home_t)
 type systemd_user_runtime_notify_t;
 userdom_user_runtime_content(systemd_user_runtime_notify_t)
 
+type systemd_runtime_notify_t;
+files_runtime_file(systemd_runtime_notify_t)
+
 type systemd_user_runtime_t;
 userdom_user_runtime_content(systemd_user_runtime_t)
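Review bot: the new `type systemd_runtime_notify_t;` declaration is placed between the systemd_user_runtime_notify_t and systemd_user_runtime_t declarations, breaking the alphabetical grouping the file otherwise keeps; move it ahead of the user_* types. Declaring it with files_runtime_file is correct for an object under /run.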
 



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/services/
@ 2024-05-14 19:42 Kenton Groombridge
From: Kenton Groombridge @ 2024-05-14 19:42 UTC
  To: gentoo-commits

commit:     c102156f10d9ab9ab6a5ebf2ef21d9a36305c759
Author:     Chris PeBenito <chpebeni <AT> linux <DOT> microsoft <DOT> com>
AuthorDate: Thu Feb 29 16:04:56 2024 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Tue May 14 17:40:56 2024 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c102156f

cups: Remove PTAL.

This is part of the HPOJ, which was superseded by HPLIP in 2006.

Signed-off-by: Chris PeBenito <chpebeni <AT> linux.microsoft.com>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/services/cups.fc     |  8 ----
 policy/modules/services/cups.if     | 34 ++++-------------
 policy/modules/services/cups.te     | 73 -------------------------------------
 policy/modules/system/userdomain.if |  1 -
 4 files changed, 7 insertions(+), 109 deletions(-)

diff --git a/policy/modules/services/cups.fc b/policy/modules/services/cups.fc
index df02e9539..453c394da 100644
--- a/policy/modules/services/cups.fc
+++ b/policy/modules/services/cups.fc
@@ -29,9 +29,6 @@
 /usr/bin/hpijs	--	gen_context(system_u:object_r:hplip_exec_t,s0)
 /usr/bin/hpiod	--	gen_context(system_u:object_r:hplip_exec_t,s0)
 /usr/bin/printconf-backend	--	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
-/usr/bin/ptal-printd	--	gen_context(system_u:object_r:ptal_exec_t,s0)
-/usr/bin/ptal-mlcd	--	gen_context(system_u:object_r:ptal_exec_t,s0)
-/usr/bin/ptal-photod	--	gen_context(system_u:object_r:ptal_exec_t,s0)
 
 /usr/Brother/fax/.*\.log.*	gen_context(system_u:object_r:cupsd_log_t,s0)
 /usr/Brother/(.*/)?inf(/.*)?	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
@@ -55,9 +52,6 @@
 /usr/sbin/hal_lpadmin	--	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
 /usr/sbin/hpiod	--	gen_context(system_u:object_r:hplip_exec_t,s0)
 /usr/sbin/printconf-backend	--	gen_context(system_u:object_r:cupsd_config_exec_t,s0)
-/usr/sbin/ptal-printd	--	gen_context(system_u:object_r:ptal_exec_t,s0)
-/usr/sbin/ptal-mlcd	--	gen_context(system_u:object_r:ptal_exec_t,s0)
-/usr/sbin/ptal-photod	--	gen_context(system_u:object_r:ptal_exec_t,s0)
 
 /usr/share/cups(/.*)?	gen_context(system_u:object_r:cupsd_etc_t,s0)
 /usr/share/foomatic/db/oldprinterids	--	gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
@@ -80,7 +74,5 @@
 /run/cups(/.*)?	gen_context(system_u:object_r:cupsd_runtime_t,s0)
 /run/hp.*\.pid	--	gen_context(system_u:object_r:hplip_runtime_t,s0)
 /run/hp.*\.port	--	gen_context(system_u:object_r:hplip_runtime_t,s0)
-/run/ptal-printd(/.*)?	gen_context(system_u:object_r:ptal_runtime_t,s0)
-/run/ptal-mlcd(/.*)?	gen_context(system_u:object_r:ptal_runtime_t,s0)
 /run/udev-configure-printer(/.*)?	gen_context(system_u:object_r:cupsd_config_runtime_t,s0)
 /var/turboprint(/.*)?	gen_context(system_u:object_r:cupsd_runtime_t,s0)
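Review bot: all three cups.fc hunks only delete entries, so any ptal-printd, ptal-mlcd or ptal-photod binary still installed, and any /run/ptal-* directory, will fall back to the generic labels for their parent paths on the next relabel; that is the intended consequence of dropping the domain, but it belongs in the commit message for administrators still carrying HPOJ packages.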

diff --git a/policy/modules/services/cups.if b/policy/modules/services/cups.if
index 852db3d67..a6b3f754a 100644
--- a/policy/modules/services/cups.if
+++ b/policy/modules/services/cups.if
@@ -271,26 +271,6 @@ interface(`cups_write_log',`
 	allow $1 cupsd_log_t:file write_file_perms;
 ')
 
-########################################
-## <summary>
-##	Connect to ptal over an unix
-##	domain stream socket.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`cups_stream_connect_ptal',`
-	gen_require(`
-		type ptal_t, ptal_runtime_t;
-	')
-
-	files_search_runtime($1)
-	stream_connect_pattern($1, ptal_runtime_t, ptal_runtime_t, ptal_t)
-')
-
 ########################################
 ## <summary>
 ##	Read the process state (/proc/pid) of cupsd.
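Review bot: removing the public interface `cups_stream_connect_ptal` outright is an API break for any out-of-tree module that calls it; the in-tree caller in userdomain.if is updated in this patch, but leaving a deprecated stub that emits `refpolicywarn` for one release before deleting the interface is the usual refpolicy practice.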
@@ -354,21 +334,21 @@ interface(`cups_admin',`
 		type cupsd_t, cupsd_tmp_t, cupsd_lpd_tmp_t;
 		type cupsd_etc_t, cupsd_log_t;
 		type cupsd_config_runtime_t, cupsd_lpd_runtime_t;
-		type cupsd_runtime_t, ptal_etc_t, cupsd_rw_etc_t;
-		type ptal_runtime_t, hplip_runtime_t, cupsd_initrc_exec_t;
+		type cupsd_runtime_t, cupsd_rw_etc_t;
+		type hplip_runtime_t, cupsd_initrc_exec_t;
 		type cupsd_config_t, cupsd_lpd_t, cups_pdf_t;
-		type hplip_t, ptal_t;
+		type hplip_t;
 	')
 
 	allow $1 { cupsd_t cupsd_config_t cupsd_lpd_t }:process { ptrace signal_perms };
-	allow $1 { cups_pdf_t hplip_t ptal_t }:process { ptrace signal_perms };
+	allow $1 { cups_pdf_t hplip_t }:process { ptrace signal_perms };
 	ps_process_pattern($1, { cupsd_t cupsd_config_t cupsd_lpd_t })
-	ps_process_pattern($1, { cups_pdf_t hplip_t ptal_t })
+	ps_process_pattern($1, { cups_pdf_t hplip_t })
 
 	init_startstop_service($1, $2, cupsd_t, cupsd_initrc_exec_t)
 
 	files_list_etc($1)
-	admin_pattern($1, { cupsd_etc_t cupsd_rw_etc_t ptal_etc_t })
+	admin_pattern($1, { cupsd_etc_t cupsd_rw_etc_t })
 
 	logging_list_logs($1)
 	admin_pattern($1, cupsd_log_t)
@@ -380,5 +360,5 @@ interface(`cups_admin',`
 
 	files_list_runtime($1)
 	admin_pattern($1, { cupsd_config_runtime_t cupsd_runtime_t hplip_runtime_t })
-	admin_pattern($1, { ptal_runtime_t cupsd_lpd_runtime_t })
+	admin_pattern($1, cupsd_lpd_runtime_t)
 ')

diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te
index dacf53b58..136953edc 100644
--- a/policy/modules/services/cups.te
+++ b/policy/modules/services/cups.te
@@ -86,16 +86,6 @@ files_tmp_file(hplip_tmp_t)
 type hplip_var_lib_t;
 files_type(hplip_var_lib_t)
 
-type ptal_t;
-type ptal_exec_t;
-init_daemon_domain(ptal_t, ptal_exec_t)
-
-type ptal_etc_t;
-files_config_file(ptal_etc_t)
-
-type ptal_runtime_t alias ptal_var_run_t;
-files_runtime_file(ptal_runtime_t)
-
 ifdef(`enable_mls',`
 	init_ranged_daemon_domain(cupsd_t, cupsd_exec_t, mls_systemhigh)
 ')
@@ -161,9 +151,6 @@ allow cupsd_t hplip_runtime_t:file read_file_perms;
 read_files_pattern(cupsd_t, hplip_var_lib_t, hplip_var_lib_t)
 read_lnk_files_pattern(cupsd_t, hplip_var_lib_t, hplip_var_lib_t)
 
-stream_connect_pattern(cupsd_t, ptal_runtime_t, ptal_runtime_t, ptal_t)
-allow cupsd_t ptal_runtime_t:sock_file setattr_sock_file_perms;
-
 can_exec(cupsd_t, { cupsd_exec_t cupsd_interface_t })
 
 kernel_read_system_state(cupsd_t)
@@ -695,63 +682,3 @@ optional_policy(`
 optional_policy(`
 	udev_read_runtime_files(hplip_t)
 ')
-
-########################################
-#
-# PTAL local policy
-#
-
-allow ptal_t self:capability { chown sys_rawio };
-dontaudit ptal_t self:capability sys_tty_config;
-allow ptal_t self:fifo_file rw_fifo_file_perms;
-allow ptal_t self:unix_stream_socket { accept listen };
-allow ptal_t self:tcp_socket create_stream_socket_perms;
-
-allow ptal_t ptal_etc_t:dir list_dir_perms;
-read_files_pattern(ptal_t, ptal_etc_t, ptal_etc_t)
-read_lnk_files_pattern(ptal_t, ptal_etc_t, ptal_etc_t)
-
-manage_dirs_pattern(ptal_t, ptal_runtime_t, ptal_runtime_t)
-manage_files_pattern(ptal_t, ptal_runtime_t, ptal_runtime_t)
-manage_lnk_files_pattern(ptal_t, ptal_runtime_t, ptal_runtime_t)
-manage_fifo_files_pattern(ptal_t, ptal_runtime_t, ptal_runtime_t)
-manage_sock_files_pattern(ptal_t, ptal_runtime_t, ptal_runtime_t)
-files_runtime_filetrans(ptal_t, ptal_runtime_t, { dir file lnk_file sock_file fifo_file })
-
-kernel_read_kernel_sysctls(ptal_t)
-kernel_list_proc(ptal_t)
-kernel_read_proc_symlinks(ptal_t)
-
-corenet_all_recvfrom_netlabel(ptal_t)
-corenet_tcp_sendrecv_generic_if(ptal_t)
-corenet_tcp_sendrecv_generic_node(ptal_t)
-corenet_tcp_bind_generic_node(ptal_t)
-
-corenet_sendrecv_ptal_server_packets(ptal_t)
-corenet_tcp_bind_ptal_port(ptal_t)
-
-dev_read_sysfs(ptal_t)
-dev_read_usbfs(ptal_t)
-dev_rw_printer(ptal_t)
-
-domain_use_interactive_fds(ptal_t)
-
-files_read_etc_files(ptal_t)
-files_read_etc_runtime_files(ptal_t)
-
-fs_getattr_all_fs(ptal_t)
-fs_search_auto_mountpoints(ptal_t)
-
-logging_send_syslog_msg(ptal_t)
-
-miscfiles_read_localization(ptal_t)
-
-sysnet_read_config(ptal_t)
-
-userdom_dontaudit_use_unpriv_user_fds(ptal_t)
-userdom_dontaudit_search_user_home_content(ptal_t)
-
-optional_policy(`
-	seutil_sigchld_newrole(ptal_t)
-')
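Review bot: the removed block deletes callers of `corenet_sendrecv_ptal_server_packets` and `corenet_tcp_bind_ptal_port`, so check whether the ptal port declaration in corenetwork has any remaining users and remove it in a follow-up if not. Dropping the domain also retires the `sys_rawio` and `chown` capability grants with it, which is a welcome reduction in privileged code in the cups module.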
-

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index b87f6d48e..401c5e6f7 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1051,7 +1051,6 @@ template(`userdom_login_user_template', `
 	optional_policy(`
 		cups_read_config($1_t)
 		cups_stream_connect($1_t)
-		cups_stream_connect_ptal($1_t)
 	')
 
 	optional_policy(`
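Review bot: removing cups_stream_connect_ptal($1_t) here is necessary if the interface goes away with ptal_t, but a tree-wide grep for other callers of cups_stream_connect_ptal should accompany it: a call to an undefined interface inside optional_policy is not skipped, m4 leaves the literal text in place and checkmodule rejects the module.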



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/services/
@ 2024-05-14 19:42 Kenton Groombridge
  0 siblings, 0 replies; 20+ messages in thread
From: Kenton Groombridge @ 2024-05-14 19:42 UTC
  To: gentoo-commits

commit:     b2ceb53d4b7b1df545f740ae9b4ed2e77f640dca
Author:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
AuthorDate: Mon May  6 19:53:46 2024 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Tue May 14 17:41:31 2024 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b2ceb53d

init: allow systemd to use sshd pidfds

Without this, a lengthy 2 minute delay can be observed SSHing into a
system while pam_systemd tries to create a login session.

May 06 14:22:08 megumin.fuwafuwatime.moe sshd[29384]: pam_systemd(sshd:session): Failed to create session: Connection timed out

type=AVC msg=audit(1715019897.540:13855): avc:  denied  { use } for  pid=1 comm="systemd" path="anon_inode:[pidfd]" dev="anon_inodefs" ino=10 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:sshd_t:s0 tclass=fd permissive=1

Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/services/ssh.if | 19 +++++++++++++++++++
 policy/modules/system/init.te  |  4 ++++
 2 files changed, 23 insertions(+)

diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index dcbabf6b0..4b5fd5d33 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -535,6 +535,25 @@ interface(`ssh_signull',`
 	allow $1 sshd_t:process signull;
 ')
 
+########################################
+## <summary>
+##	Use PIDFD file descriptors from the
+##	ssh server.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ssh_use_sshd_pidfds',`
+	gen_require(`
+		type sshd_t;
+	')
+
+	allow $1 sshd_t:fd use;
+')
+
 ########################################
 ## <summary>
 ##	Read a ssh server unnamed pipe.
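Review bot: the name ssh_use_sshd_pidfds promises a narrower grant than the rule gives. The fd class has only the use permission, so `allow $1 sshd_t:fd use;` lets the caller use any descriptor inherited from or passed by sshd_t, not just pidfds. Either name it after the actual grant (the convention visible elsewhere in this tree is <module>_use_fds, as in init_use_fds) or keep the name and say in the <summary> that pidfds are the motivating case while the permission covers every sshd_t descriptor. Also check that ssh.if does not already carry an fd use interface for sshd_t before adding a second one.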

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 8f3772dcb..03d0de8ed 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -630,6 +630,10 @@ ifdef(`init_systemd',`
 		fs_rw_rpc_named_pipes(initrc_t)
 	')
 
+	optional_policy(`
+		ssh_use_sshd_pidfds(init_t)
+	')
+
 	optional_policy(`
 		# for systemd --user:
 		unconfined_search_keys(init_t)
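Review bot: the new optional_policy block lacks the one-line rationale its neighbour has (`# for systemd --user:`); add something like `# pam_systemd hands PID 1 an sshd pidfd when creating the login session` so the next person bisecting a two-minute login delay can see why init_t may use sshd_t descriptors. The placement inside ifdef(`init_systemd') is right, since only systemd's session setup produces the denial quoted in the commit message.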



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/services/
@ 2024-05-14 19:42 Kenton Groombridge
  0 siblings, 0 replies; 20+ messages in thread
From: Kenton Groombridge @ 2024-05-14 19:42 UTC
  To: gentoo-commits

commit:     b18c0d3743affd70627adf0832b0fef674f50165
Author:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
AuthorDate: Mon May  6 21:03:59 2024 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Tue May 14 17:41:52 2024 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b18c0d37

container, podman: various fixes

Various fixes for containers and podman, mostly centered around quadlet
and netavark updates.

One particular change which may stand out is allowing podman_conmon_t to
IOCTL container_file_t files. I wish I could know why this was hit, but
I don't. The relevant AVC is:

type=PROCTITLE msg=audit(1704734027.100:15951872): proctitle=2F7573722F6C6962657865632F706F646D616E2F636F6E6D6F6E002D2D6170692D76657273696F6E0031002D630038316432646439333738336637626231346134326463396635333163663533323864653337633838663330383466316634613036616464366163393035666337002D75003831643264643933373833663762
type=EXECVE msg=audit(1704734027.100:15951872): argc=93 a0="/usr/libexec/podman/conmon" a1="--api-version" a2="1" a3="-c" a4="81d2dd93783f7bb14a42dc9f531cf5328de37c88f3084f1f4a06add6ac905fc7" a5="-u" a6="81d2dd93783f7bb14a42dc9f531cf5328de37c88f3084f1f4a06add6ac905fc7" a7="-r" a8="/usr/bin/crun" a9="-b" a10="/var/lib/containers/storage/overlay-containers/81d2dd93783f7bb14a42dc9f531cf5328de37c88f3084f1f4a06add6ac905fc7/userdata" a11="-p" a12="/run/containers/storage/overlay-containers/81d2dd93783f7bb14a42dc9f531cf5328de37c88f3084f1f4a06add6ac905fc7/userdata/pidfile" a13="-n" a14="harbor-core-pod-core" a15="--exit-dir" a16="/run/libpod/exits" a17="--full-attach" a18="-s" a19="-l" a20="journald" a21="--log-level" a22="warning" a23="--syslog" a24="--runtime-arg" a25="--log-format=json" a26="--runtime-arg" a27="--log" a28="--runtime-arg=/run/containers/storage/overlay-containers/81d2dd93783f7bb14a42dc9f531cf5328de37c88f3084f1f4a06add6ac905fc7/userdata/oci-log" a29="--conmon-pidfile" a30="
 /run/containers/storage/overlay-containers/81d2dd93783f7bb14a42dc9f531cf5328de37c88f3084f1f4a06add6ac905fc7/userdata/conmon.pid" a31="--exit-command" a32="/usr/bin/podman" a33="--exit-command-arg" a34="--root" a35="--exit-command-arg" a36="/var/lib/containers/storage" a37="--exit-command-arg" a38="--runroot" a39="--exit-command-arg" a40="/run/containers/storage" a41="--exit-command-arg" a42="--log-level" a43="--exit-command-arg" a44="warning" a45="--exit-command-arg" a46="--cgroup-manager" a47="--exit-command-arg" a48="systemd" a49="--exit-command-arg" a50="--tmpdir" a51="--exit-command-arg" a52="/run/libpod" a53="--exit-command-arg" a54="--network-config-dir" a55="--exit-command-arg" a56="" a57="--exit-command-arg" a58="--network-backend" a59="--exit-command-arg" a60="netavark" a61="--exit-command-arg" a62="--volumepath" a63="--exit-command-arg" a64="/var/lib/containers/storage/volumes" a65="--exit-command-arg" a66="--db-backend" a67="--exit-command-arg" a68="sqlite" a69="--exit-co
 mmand-arg" a70="--transient-store=false" a71="--exit-command-arg" a72="--runtime" a73="--exit-command-arg" a74="crun" a75="--exit-command-arg" a76="--storage-driver" a77="--exit-command-arg" a78="overlay" a79="--exit-command-arg" a80="--storage-opt" a81="--exit-command-arg" a82="overlay.mountopt=nodev" a83="--exit-command-arg" a84="--events-backend" a85="--exit-command-arg" a86="journald" a87="--exit-command-arg" a88="container" a89="--exit-command-arg" a90="cleanup" a91="--exit-command-arg" a92="81d2dd93783f7bb14a42dc9f531cf5328de37c88f3084f1f4a06add6ac905fc7"
type=SYSCALL msg=audit(1704734027.100:15951872): arch=c000003e syscall=59 success=yes exit=0 a0=c000698020 a1=c0005ea600 a2=c000820d20 a3=0 items=0 ppid=3434178 pid=3434219 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="conmon" exe="/usr/bin/conmon" subj=system_u:system_r:podman_conmon_t:s0 key=(null)
type=AVC msg=audit(1704734027.100:15951872): avc:  denied  { ioctl } for  pid=3434219 comm="conmon" path="/var/lib/containers/storage/volumes/harbor-core/_data/key" dev="dm-0" ino=50845175 scontext=system_u:system_r:podman_conmon_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=file permissive=1

Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/services/container.if | 36 ++++++++++++++++++++++++++++++++++++
 policy/modules/services/podman.te    | 16 ++++++++++++++--
 policy/modules/system/init.if        | 20 ++++++++++++++++++++
 3 files changed, 70 insertions(+), 2 deletions(-)

diff --git a/policy/modules/services/container.if b/policy/modules/services/container.if
index 268ebec46..009fffc4a 100644
--- a/policy/modules/services/container.if
+++ b/policy/modules/services/container.if
@@ -876,6 +876,24 @@ interface(`container_signal_all_containers',`
 	allow $1 container_domain:process signal_perms;
 ')
 
+########################################
+## <summary>
+##	Send signals to a system container.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_signal_system_containers',`
+	gen_require(`
+		attribute container_system_domain;
+	')
+
+	allow $1 container_system_domain:process signal;
+')
+
 ########################################
 ## <summary>
 ##	Create objects in /dev with an automatic
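Review bot: `process signal` in container_signal_system_containers does not cover SIGKILL or SIGSTOP (those are the separate sigkill and sigstop permissions; the sibling container_signal_all_containers grants signal_perms), so if conmon ever has to force-kill a container that ignores SIGTERM this will come back as a { sigkill } denial. Either state in the <summary> that only catchable signals are granted, or confirm from the audit log which permission conmon actually needed; the commit message shows no AVC for this rule.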
@@ -1324,6 +1342,24 @@ interface(`container_manage_files',`
 	manage_files_pattern($1, container_file_t, container_file_t)
 ')
 
+########################################
+## <summary>
+##	IOCTL container files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`container_ioctl_files',`
+	gen_require(`
+		type container_file_t;
+	')
+
+	allow $1 container_file_t:file ioctl;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to relabel
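Review bot: container_ioctl_files grants every ioctl on container_file_t, while the AVC in the commit message names a single file (/var/lib/containers/storage/volumes/harbor-core/_data/key) and the author says the cause is unknown. Add a comment marking the grant as unexplained, and once the command is known (denials carry ioctlcmd= when an extended-permission rule exists for the pair) narrow it with allowxperm to that ioctl rather than leaving an open-ended allow in a shared interface.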

diff --git a/policy/modules/services/podman.te b/policy/modules/services/podman.te
index d929bb253..78f8fc086 100644
--- a/policy/modules/services/podman.te
+++ b/policy/modules/services/podman.te
@@ -39,6 +39,12 @@ userdom_user_application_domain(podman_user_conmon_t, conmon_exec_t)
 
 allow podman_t podman_conmon_t:process setsched;
 
+kernel_rw_vm_overcommit_sysctl(podman_t)
+
+init_use_fds(podman_t)
+init_setattr_stream_sockets(podman_t)
+init_stream_connect(podman_t)
+
 # for --network=host
 selinux_getattr_dirs(podman_t)
 selinux_mounton_dirs(podman_t)
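Review bot: kernel_rw_vm_overcommit_sysctl(podman_t) lets the podman domain change the system-wide vm.overcommit_memory setting; if podman only reads it, the read-only variant in kernel.if is enough, and if it really writes it, add a comment naming the podman feature that does. The three init_* rules above `# for --network=host` are also uncommented; init_setattr_stream_sockets (setattr on PID 1's unix sockets) in particular is unusual enough to deserve a line on what triggers it, since no AVC for any of these appears in the commit message.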
@@ -67,8 +73,10 @@ podman_spec_rangetrans_conmon(podman_t, s0)
 ifdef(`init_systemd',`
 	init_dbus_chat(podman_t)
 	init_setsched(podman_t)
+	init_get_system_status(podman_t)
 	init_start_system(podman_t)
 	init_stop_system(podman_t)
+	init_reload(podman_t)
 
 	# containers get created as systemd transient units
 	init_get_transient_units_status(podman_t)
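Review bot: init_reload(podman_t) allows podman to reload PID 1's configuration (daemon-reload), which touches every unit on the host, not only the transient container units the comment below refers to. The commit message attributes the change to quadlet; record that next to the rule (`# quadlet regenerates units and needs daemon-reload`, or whatever the real trigger is) so the breadth of the grant is justified in place.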
@@ -114,7 +122,7 @@ kernel_read_sysctl(podman_user_t)
 
 logging_send_syslog_msg(podman_user_t)
 
-init_write_runtime_socket(podman_user_t)
+init_stream_connect(podman_user_t)
 
 mount_exec(podman_user_t)
 
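Review bot: swapping init_write_runtime_socket for init_stream_connect moves podman_user_t from writing a socket file to fully connecting to a PID 1 listening socket (connectto on init_t:unix_stream_socket); note which socket that is and why a user's podman needs it, since rootless podman normally talks to the per-user manager. If the old write rule was merely incomplete, say so in the commit; if it was wrong, the interface it replaced may now be unused and a candidate for removal.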
@@ -191,7 +199,7 @@ ifdef(`init_systemd',`
 # podman conmon local policy
 #
 
-allow podman_conmon_t self:capability { dac_override dac_read_search sys_ptrace sys_resource };
+allow podman_conmon_t self:capability { dac_override dac_read_search kill sys_ptrace sys_resource };
 dontaudit podman_conmon_t self:capability net_admin;
 
 podman_domtrans(podman_conmon_t)
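Review bot: adding kill to podman_conmon_t's capability set, on top of sys_ptrace and dac_override, is a host-wide privilege (signalling processes of other uids), whereas container_signal_system_containers further down scopes the target by type. No AVC for { kill } appears in the commit message; if it came from conmon signalling a container that runs as a different uid, say so in a comment so a later reviewer does not widen it further, and if it is only needed on the exit/cleanup path, say which.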
@@ -199,8 +207,12 @@ podman_domtrans(podman_conmon_t)
 init_rw_inherited_stream_socket(podman_conmon_t)
 init_use_fds(podman_conmon_t)
 
+container_signal_system_containers(podman_conmon_t)
+
 container_read_system_container_state(podman_conmon_t)
 
+container_ioctl_files(podman_conmon_t)
+
 container_manage_runtime_files(podman_conmon_t)
 container_manage_runtime_fifo_files(podman_conmon_t)
 container_manage_runtime_sock_files(podman_conmon_t)
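Review bot: container_ioctl_files(podman_conmon_t) is the grant the commit message cannot explain; put that admission next to the rule (`# unexplained ioctl on container volume files, see commit b18c0d37`) so it is not copied into other domains as settled policy. container_signal_system_containers above it is the type-scoped half of the kill capability added two hunks up; keeping the two together under one comment would make the signalling story legible.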

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 24be1a7a7..5d720ffc3 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1163,6 +1163,26 @@ interface(`init_rw_stream_sockets',`
 	allow $1 init_t:unix_stream_socket rw_stream_socket_perms;
 ')
 
+########################################
+## <summary>
+##	Allow the specified domain to set the
+##	attributes of init's unix domain stream
+##	sockets.
+##	</summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_setattr_stream_sockets',`
+	gen_require(`
+		type init_t;
+	')
+
+	allow $1 init_t:unix_stream_socket setattr;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to search init keys.
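Review bot: the doc block indents the closing `##	</summary>` with a tab, unlike the `## </summary>` form used by init_rw_stream_sockets just above and by the other interfaces added in this commit; align it with the rest of the file. The permission itself is narrow (setattr on init_t unix stream sockets), but a sentence on which caller needs to chmod or chown a PID 1 socket would help.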



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/services/
@ 2024-09-22  0:03 Jason Zaman
  0 siblings, 0 replies; 20+ messages in thread
From: Jason Zaman @ 2024-09-22  0:03 UTC
  To: gentoo-commits

commit:     d5789558424072fad44360f6b4f2e05c2b1200dd
Author:     Yi Zhao <yi.zhao <AT> windriver <DOT> com>
AuthorDate: Mon Aug 12 03:09:52 2024 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Sep 21 22:28:29 2024 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d5789558

systemd: add policy for systemd-nsresourced

The systemd-nsresourced service was added in systemd v256[1]. Add policy
for this service and allow all domains to connect to it over unix
socket.

Fixes:
avc:  denied  { connectto } for  pid=325 comm="avahi-daemon"
path="/run/systemd/io.systemd.NamespaceResource"
scontext=system_u:system_r:avahi_t tcontext=system_u:system_r:initrc_t
tclass=unix_stream_socket permissive=1

avc:  denied  { write } for  pid=327 comm="dbus-daemon"
name="io.systemd.NamespaceResource" dev="tmpfs" ino=54
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:init_runtime_t tclass=sock_file permissive=1

avc:  denied  { connectto } for  pid=327 comm="dbus-daemon"
path="/run/systemd/io.systemd.NamespaceResource"
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:system_r:initrc_t tclass=unix_stream_socket
permissive=1

avc:  denied  { connectto } for  pid=200 comm="systemd-userwor"
path="/run/systemd/io.systemd.NamespaceResource"
scontext=system_u:system_r:systemd_userdbd_t
tcontext=system_u:system_r:initrc_t tclass=unix_stream_socket
permissive=1

avc:  denied  { connectto } for  pid=198 comm="systemd-userwor"
path="/run/systemd/io.systemd.NamespaceResource"
scontext=system_u:system_r:systemd_userdbd_t
tcontext=system_u:system_r:initrc_t tclass=unix_stream_socket
permissive=1

[1] https://github.com/systemd/systemd/commit/8aee931e7ae1adb01eeac0e1e4c0aef6ed3969ec

Signed-off-by: Yi Zhao <yi.zhao <AT> windriver.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/avahi.te   |  4 ++++
 policy/modules/services/bind.te    |  4 ++++
 policy/modules/services/dbus.te    |  2 ++
 policy/modules/services/postfix.te |  8 ++++++++
 policy/modules/system/systemd.fc   |  4 ++++
 policy/modules/system/systemd.if   | 21 +++++++++++++++++++++
 policy/modules/system/systemd.te   | 36 ++++++++++++++++++++++++++++++++++++
 7 files changed, 79 insertions(+)

diff --git a/policy/modules/services/avahi.te b/policy/modules/services/avahi.te
index 5cdfa08a4..da7473536 100644
--- a/policy/modules/services/avahi.te
+++ b/policy/modules/services/avahi.te
@@ -95,6 +95,10 @@ sysnet_etc_filetrans_config(avahi_t)
 userdom_dontaudit_use_unpriv_user_fds(avahi_t)
 userdom_dontaudit_search_user_home_dirs(avahi_t)
 
+ifdef(`init_systemd',`
+	systemd_stream_connect_nsresourced(avahi_t)
+')
+
 optional_policy(`
 	dbus_system_domain(avahi_t, avahi_exec_t)
 
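Review bot: the commit message says the new service is opened to all domains, but this hunk and the others in the patch grant systemd_stream_connect_nsresourced per domain (avahi_t, named_t, system_dbusd_t, postfix_pickup_t, postfix_qmgr_t, systemd_sysusers_t, systemd_userdbd_t). Either is defensible; if per-domain is intended, reword the message and expect further denials from other daemons, and if every domain really should connect, one rule on the domain attribute under ifdef(`init_systemd') replaces these seven hunks.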

diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te
index 0db949185..a3336c28c 100644
--- a/policy/modules/services/bind.te
+++ b/policy/modules/services/bind.te
@@ -168,6 +168,10 @@ miscfiles_read_generic_tls_privkey(named_t)
 userdom_dontaudit_use_unpriv_user_fds(named_t)
 userdom_dontaudit_search_user_home_dirs(named_t)
 
+ifdef(`init_systemd',`
+	systemd_stream_connect_nsresourced(named_t)
+')
+
 tunable_policy(`named_tcp_bind_http_port',`
 	corenet_sendrecv_http_server_packets(named_t)
 	corenet_tcp_bind_http_port(named_t)
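Review bot: no AVC for named_t appears in the commit message (the ones quoted are for avahi_t, system_dbusd_t and systemd_userdbd_t), so record in a comment what in named reaches /run/systemd/io.systemd.NamespaceResource; a DNS server has no namespace-allocation business of its own, and if the trigger is a library-level lookup the same rule will be needed in many more domains than this patch covers.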

diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index fcb45ccd9..dceeafff8 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -221,6 +221,8 @@ ifdef(`init_systemd', `
 	init_start_all_units(system_dbusd_t)
 	init_stop_all_units(system_dbusd_t)
 
+	systemd_stream_connect_nsresourced(system_dbusd_t)
+
 	# Recent versions of dbus are started as Type=notify
 	systemd_write_notify_socket(system_dbusd_t)
 

diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
index 071dc7484..352b090ea 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@@ -575,6 +575,10 @@ allow postfix_pickup_t postfix_spool_maildrop_t:dir list_dir_perms;
 read_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
 delete_files_pattern(postfix_pickup_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
 
+ifdef(`init_systemd',`
+	systemd_stream_connect_nsresourced(postfix_pickup_t)
+')
+
 optional_policy(`
 	dbus_system_bus_client(postfix_pickup_t)
 	init_dbus_chat(postfix_pickup_t)
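Review bot: only postfix_pickup_t and postfix_qmgr_t get the rule, without an AVC for either in the commit message; postfix runs as a family of domains from the same libraries (master, local, smtp, smtpd and the others in this module), so either explain in a comment why these two are special or expect the remaining postfix domains to hit the same denial.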
@@ -729,6 +733,10 @@ files_spool_filetrans(postfix_qmgr_t, postfix_spool_t, dir)
 
 corecmd_exec_bin(postfix_qmgr_t)
 
+ifdef(`init_systemd',`
+	systemd_stream_connect_nsresourced(postfix_qmgr_t)
+')
+
 optional_policy(`
 	dbus_send_system_bus(postfix_qmgr_t)
 	dbus_system_bus_client(postfix_qmgr_t)

diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index dc41e9971..f42782e53 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -41,6 +41,8 @@
 /usr/lib/systemd/systemd-modules-load	--	gen_context(system_u:object_r:systemd_modules_load_exec_t,s0)
 /usr/lib/systemd/systemd-networkd	--	gen_context(system_u:object_r:systemd_networkd_exec_t,s0)
 /usr/lib/systemd/systemd-network-generator	--	gen_context(system_u:object_r:systemd_networkd_exec_t,s0)
+/usr/lib/systemd/systemd-nsresourced	--	gen_context(system_u:object_r:systemd_nsresourced_exec_t,s0)
+/usr/lib/systemd/systemd-nsresourcework	--	gen_context(system_u:object_r:systemd_nsresourced_exec_t,s0)
 /usr/lib/systemd/systemd-pcrextend		--	gen_context(system_u:object_r:systemd_pcrphase_exec_t,s0)
 /usr/lib/systemd/systemd-pcrlock		--	gen_context(system_u:object_r:systemd_pcrphase_exec_t,s0)
 /usr/lib/systemd/systemd-pcrphase		--	gen_context(system_u:object_r:systemd_pcrphase_exec_t,s0)
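Review bot: systemd-nsresourcework gets the same exec type as systemd-nsresourced, and with the execute_no_trans rule in systemd.te the worker stays in systemd_nsresourced_t. That is fine, but a comment on the worker entry saying it is spawned by the daemon and intentionally shares the domain would stop someone later giving it its own type and breaking the execute_no_trans path.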
@@ -119,6 +121,8 @@ HOME_DIR/\.local/share/systemd(/.*)?		gen_context(system_u:object_r:systemd_data
 /run/systemd/nspawn(/.*)?	gen_context(system_u:object_r:systemd_nspawn_runtime_t,s0)
 /run/systemd/machines(/.*)?	gen_context(system_u:object_r:systemd_machined_runtime_t,s0)
 /run/systemd/netif(/.*)?	gen_context(system_u:object_r:systemd_networkd_runtime_t,s0)
+/run/systemd/nsresource(/.*)?	gen_context(system_u:object_r:systemd_nsresourced_runtime_t,s0)
+/run/systemd/io\.systemd\.NamespaceResource	-s	gen_context(system_u:object_r:systemd_nsresourced_runtime_t,s0)
 
 ifdef(`init_systemd',`
 /run/tmpfiles\.d	-d	gen_context(system_u:object_r:systemd_tmpfiles_conf_t,s0)

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index b9dbd97cc..e62e8344a 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -2234,6 +2234,27 @@ interface(`systemd_read_networkd_runtime',`
 	read_files_pattern($1, systemd_networkd_runtime_t, systemd_networkd_runtime_t)
 ')
 
+#######################################
+## <summary>
+##  Connect to systemd-nsresourced over
+##  /run/systemd/io.systemd.NamespaceResource .
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`systemd_stream_connect_nsresourced', `
+	gen_require(`
+		type systemd_nsresourced_t;
+		type systemd_nsresourced_runtime_t;
+	')
+
+	init_search_runtime($1)
+	stream_connect_pattern($1, systemd_nsresourced_runtime_t, systemd_nsresourced_runtime_t, systemd_nsresourced_t)
+')
+
 ########################################
 ## <summary>
 ##     Allow systemd_logind_t to read process state for cgroup file
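Review bot: the new block's formatting differs from the rest of the file: the separator is one `#` short of the width used by systemd_read_networkd_runtime above, the doc lines use two spaces after `##` instead of a tab, and `interface(`systemd_stream_connect_nsresourced', `` has a space after the comma. Beyond style, stream_connect_pattern only reaches the socket if it actually carries systemd_nsresourced_runtime_t at runtime, which the .fc entry alone does not guarantee for a socket recreated under /run at every boot.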

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 5725d7c76..2f9d12fcb 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -233,6 +233,13 @@ files_runtime_file(systemd_nspawn_runtime_t)
 type systemd_nspawn_tmp_t;
 files_tmp_file(systemd_nspawn_tmp_t)
 
+type systemd_nsresourced_t;
+type systemd_nsresourced_exec_t;
+init_daemon_domain(systemd_nsresourced_t, systemd_nsresourced_exec_t)
+
+type systemd_nsresourced_runtime_t;
+files_runtime_file(systemd_nsresourced_runtime_t)
+
 type systemd_pcrphase_t;
 type systemd_pcrphase_exec_t;
 init_system_domain(systemd_pcrphase_t, systemd_pcrphase_exec_t)
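Review bot: init_daemon_domain gives the transition when PID 1 executes systemd_nsresourced_exec_t, but the AVCs in the commit message show connectto against initrc_t, i.e. the listener was running with no domain of its own. If systemd-nsresourced is socket-activated, PID 1 creates the listening socket before the daemon runs and labels it with the context computed for the service's executable; with this transition in place that yields systemd_nsresourced_t, which is what the new interface's stream_connect_pattern expects. Verify the listener's label after relabel and reboot (ss -Z) rather than assuming it.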
@@ -1514,6 +1521,31 @@ optional_policy(`
 	virt_manage_virt_content(systemd_nspawn_t)
 ')
 
+#########################################
+#
+# nsresourced local policy
+#
+
+allow systemd_nsresourced_t self:capability { sys_resource };
+allow systemd_nsresourced_t self:process { getcap signal };
+allow systemd_nsresourced_t systemd_nsresourced_exec_t:file execute_no_trans;
+
+manage_dirs_pattern(systemd_nsresourced_t, systemd_nsresourced_runtime_t, systemd_nsresourced_runtime_t)
+manage_files_pattern(systemd_nsresourced_t, systemd_nsresourced_runtime_t, systemd_nsresourced_runtime_t)
+manage_sock_files_pattern(systemd_nsresourced_t, systemd_nsresourced_runtime_t, systemd_nsresourced_runtime_t)
+init_runtime_filetrans(systemd_nsresourced_t, systemd_nsresourced_runtime_t, dir)
+
+fs_getattr_cgroup(systemd_nsresourced_t)
+
+# for /proc/1/environ
+init_read_state(systemd_nsresourced_t)
+
+kernel_read_kernel_sysctls(systemd_nsresourced_t)
+# for /proc/cmdline
+kernel_read_system_state(systemd_nsresourced_t)
+
+systemd_log_parse_environment(systemd_nsresourced_t)
+
 #######################################
 #
 # systemd_passwd_agent_t local policy
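Review bot: init_runtime_filetrans(systemd_nsresourced_t, systemd_nsresourced_runtime_t, dir) only covers the /run/systemd/nsresource directory; the socket /run/systemd/io.systemd.NamespaceResource is created directly inside the init_runtime_t directory, so without a named sock_file transition it will come up as init_runtime_t at every boot, exactly the label in the dbus-daemon AVC of the commit message, and the .fc entry only helps at restorecon time. Add init_runtime_filetrans(systemd_nsresourced_t, systemd_nsresourced_runtime_t, sock_file, "io.systemd.NamespaceResource") if the daemon creates it, or the equivalent for init_t if the socket is socket-activated and PID 1 creates it. Minor: the braces in `{ sys_resource }` are unnecessary around a single permission.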
@@ -1831,6 +1863,8 @@ seutil_read_file_contexts(systemd_sysusers_t)
 
 systemd_log_parse_environment(systemd_sysusers_t)
 
+systemd_stream_connect_nsresourced(systemd_sysusers_t)
+
 #########################################
 #
 # Tmpfiles local policy
@@ -2133,6 +2167,8 @@ seutil_search_default_contexts(systemd_userdbd_t)
 
 systemd_log_parse_environment(systemd_userdbd_t)
 
+systemd_stream_connect_nsresourced(systemd_userdbd_t)
+
 #########################################
 #
 # systemd-user-runtime-dir local policy


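The denials quoted in the commit messages on this page are turned into policy by hand: read the AVC, map scontext, tcontext, tclass and permission to a rule, then prefer the refpolicy interface over a raw allow. The script below is an added example for this page, not code from the refpolicy tree or from any of the commits here. It does the mechanical part over the AVC lines copied from this thread (wrapped lines re-joined) and flags the cases where a raw allow would be the wrong fix: fd use that cannot be narrowed, connectto against initrc_t, a socket file created under the wrong label, and an open-ended file ioctl. The function names, the grouping and the hint texts are this example's own assumptions about what a reviewer wants to see, not anything audit2allow or refpolicy emits.

```python
"""Parse SELinux AVC denials and group them into candidate allow rules.

Added example for this page; not refpolicy code. The hint logic encodes the
review points raised in this thread and is an assumption, not a standard.
"""
import re
from collections import defaultdict

# Sample input: AVC lines copied from the commit messages in this thread,
# with the archive's line wrapping undone. Nothing here is invented.
SAMPLE_AVCS = """\
type=AVC msg=audit(1715019897.540:13855): avc:  denied  { use } for  pid=1 comm="systemd" path="anon_inode:[pidfd]" dev="anon_inodefs" ino=10 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:sshd_t:s0 tclass=fd permissive=1
type=AVC msg=audit(1704734027.100:15951872): avc:  denied  { ioctl } for  pid=3434219 comm="conmon" path="/var/lib/containers/storage/volumes/harbor-core/_data/key" dev="dm-0" ino=50845175 scontext=system_u:system_r:podman_conmon_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=file permissive=1
avc:  denied  { connectto } for  pid=325 comm="avahi-daemon" path="/run/systemd/io.systemd.NamespaceResource" scontext=system_u:system_r:avahi_t tcontext=system_u:system_r:initrc_t tclass=unix_stream_socket permissive=1
avc:  denied  { write } for  pid=327 comm="dbus-daemon" name="io.systemd.NamespaceResource" dev="tmpfs" ino=54 scontext=system_u:system_r:system_dbusd_t tcontext=system_u:object_r:init_runtime_t tclass=sock_file permissive=1
avc:  denied  { connectto } for  pid=327 comm="dbus-daemon" path="/run/systemd/io.systemd.NamespaceResource" scontext=system_u:system_r:system_dbusd_t tcontext=system_u:system_r:initrc_t tclass=unix_stream_socket permissive=1
type=AVC msg=audit(28/11/24 11:14:28.210:154) : avc:  denied  { getattr } for  pid=8049 comm=systemd-fstab-g path=cgroup:[4026531835] dev="nsfs" ino=4026531835 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=0
"""

# One regex for the fixed part of an AVC line; the free-form key=value
# fields between "for" and "scontext=" are parsed separately.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+"
    r"(?P<fields>.*?)\s+scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?"
)


def selinux_type(context):
    """Return the type of a user:role:type[:range] context string."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one AVC line into a dict, or None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', m.group("fields")))
    fields = {k: v.strip('"') for k, v in fields.items()}
    return {
        "perms": set(m.group("perms").split()),
        "stype": selinux_type(m.group("scontext")),
        "ttype": selinux_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
        "permissive": m.group("permissive") == "1",
        "comm": fields.get("comm"),
        # A sock_file denial reports name= rather than path=.
        "path": fields.get("path") or fields.get("name"),
    }


def collapse(avcs):
    """Group denials by (source type, target type, class), unioning perms."""
    grouped = defaultdict(set)
    for a in avcs:
        grouped[(a["stype"], a["ttype"], a["tclass"])] |= a["perms"]
    return grouped


def to_allow_rules(grouped):
    """Render grouped denials as raw policy allow rules, sorted for review."""
    rules = []
    for (s, t, c), perms in sorted(grouped.items()):
        p = " ".join(sorted(perms))
        p = p if len(perms) == 1 else "{ " + p + " }"
        rules.append(f"allow {s} {t}:{c} {p};")
    return rules


def review_hints(avcs):
    """Flag denials where the raw allow is the wrong fix (assumed heuristics)."""
    hints = []
    for a in avcs:
        if a["tclass"] == "fd":
            hints.append(f"{a['stype']} -> {a['ttype']}: fd:use cannot be "
                         "narrowed to pidfds; name the interface accordingly")
        if a["ttype"] == "initrc_t" and a["tclass"] == "unix_stream_socket":
            hints.append(f"{a['stype']}: target initrc_t means the listener "
                         "has no domain yet; write one instead of allowing this")
        if a["tclass"] == "sock_file" and a["ttype"].endswith("_runtime_t") and a["path"]:
            hints.append(f"{a['stype']}: socket {a['path']} is labeled "
                         f"{a['ttype']}; fix the filetrans/.fc before allowing write")
        if a["tclass"] == "file" and "ioctl" in a["perms"]:
            hints.append(f"{a['stype']}: restrict ioctl on {a['ttype']} with "
                         "allowxperm once the ioctl number is known")
    return hints


def analyse(text):
    """Return (allow rules, review hints) for a block of audit log text."""
    avcs = [p for p in (parse_avc(line) for line in text.splitlines()) if p]
    return to_allow_rules(collapse(avcs)), review_hints(avcs)


if __name__ == "__main__":
    rules, hints = analyse(SAMPLE_AVCS)
    print("\n".join(rules))
    print("\n".join("# " + h for h in hints))
```

Run it as-is to see the six raw rules and five hints for the thread's denials, or feed it `ausearch -m avc` output; the hints are the part to read before copying any rule into a .te file.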

* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/services/
@ 2024-12-15  0:30 Jason Zaman
  0 siblings, 0 replies; 20+ messages in thread
From: Jason Zaman @ 2024-12-15  0:30 UTC
  To: gentoo-commits

commit:     862c31bbaa0af5a4ccba3529cc6876da978d113e
Author:     Christian Göttsche <cgzones <AT> googlemail <DOT> com>
AuthorDate: Thu Nov 28 10:19:06 2024 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Dec 15 00:19:42 2024 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=862c31bb

systemd: getattr namespace files

systemd v257 started to access various namespace files, e.g.:

    type=PROCTITLE msg=audit(28/11/24 11:14:28.210:154) : proctitle=/usr/lib/systemd/system-generators/systemd-fstab-generator /run/systemd/generator /run/systemd/generator.early /run/systemd/gene
    type=PATH msg=audit(28/11/24 11:14:28.210:154) : item=0 name=/proc/self/ns/cgroup inode=4026531835 dev=00:04 mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:nsfs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
    type=CWD msg=audit(28/11/24 11:14:28.210:154) : cwd=/
    type=SYSCALL msg=audit(28/11/24 11:14:28.210:154) : arch=x86_64 syscall=newfstatat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7ffff9715f90 a2=0x7ffff9715fb0 a3=0x0 items=1 ppid=8046 pid=8049 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-fstab-g exe=/usr/lib/systemd/system-generators/systemd-fstab-generator subj=system_u:system_r:systemd_generator_t:s0 key=(null)
    type=AVC msg=audit(28/11/24 11:14:28.210:154) : avc:  denied  { getattr } for  pid=8049 comm=systemd-fstab-g path=cgroup:[4026531835] dev="nsfs" ino=4026531835 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=0

Signed-off-by: Christian Göttsche <cgzones <AT> googlemail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/ntp.te   | 1 +
 policy/modules/system/logging.te | 1 +
 policy/modules/system/systemd.te | 9 +++++++++
 policy/modules/system/udev.te    | 1 +
 4 files changed, 12 insertions(+)

diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te
index 27f86ae18..72ef1067e 100644
--- a/policy/modules/services/ntp.te
+++ b/policy/modules/services/ntp.te
@@ -127,6 +127,7 @@ files_watch_runtime_dirs(ntpd_t)
 
 fs_getattr_all_fs(ntpd_t)
 fs_search_auto_mountpoints(ntpd_t)
+fs_getattr_nsfs_files(ntpd_t)
 
 term_use_ptmx(ntpd_t)
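Review bot: ntpd_t gets fs_getattr_nsfs_files unconditionally while syslogd_t and udev_t receive it inside ifdef(`init_systemd'); since the trigger is systemd v257 behaviour, either guard it the same way or add a comment that ntpd hits the denial on its own, otherwise the inconsistency invites a later "cleanup" in either direction.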
 

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index ed01f0e4a..589c756e4 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -532,6 +532,7 @@ ifdef(`init_systemd',`
 
 	fs_list_cgroup_dirs(syslogd_t)
 	fs_watch_memory_pressure(syslogd_t)
+	fs_getattr_nsfs_files(syslogd_t)
 
 	init_create_runtime_dirs(syslogd_t)
 	init_daemon_runtime_file(syslogd_runtime_t, dir, "syslogd")

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 80ad48873..05c9e55e4 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -460,6 +460,7 @@ fs_check_write_binfmt_misc_dirs(systemd_binfmt_t)
 
 fs_getattr_cgroup(systemd_binfmt_t)
 fs_search_cgroup_dirs(systemd_binfmt_t)
+fs_getattr_nsfs_files(systemd_binfmt_t)
 
 ######################################
 #
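Review bot: only systemd_generator_t has a denial in the commit message; the other eight systemd_*_t domains in this patch (binfmt here, then journal_init, logind, modules_load, sessions, sysctl, tmpfiles and user_runtime_dir) plus ntpd_t, syslogd_t and udev_t receive fs_getattr_nsfs_files pre-emptively. getattr on nsfs files is harmless enough that this is reasonable, but the message should say the extra domains are anticipatory, and since the diff does not add fs_getattr_nsfs_files itself it relies on the interface already being in filesystem.if.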
@@ -575,6 +576,7 @@ files_dontaudit_read_etc_runtime_files(systemd_generator_t)
 
 fs_list_efivars(systemd_generator_t)
 fs_getattr_all_fs(systemd_generator_t)
+fs_getattr_nsfs_files(systemd_generator_t)
 
 init_create_runtime_files(systemd_generator_t)
 init_manage_runtime_dirs(systemd_generator_t)
@@ -878,6 +880,7 @@ manage_files_pattern(systemd_journal_init_t, systemd_journal_t, systemd_journal_
 
 fs_getattr_all_fs(systemd_journal_init_t)
 fs_search_cgroup_dirs(systemd_journal_init_t)
+fs_getattr_nsfs_files(systemd_journal_init_t)
 
 kernel_getattr_proc(systemd_journal_init_t)
 kernel_read_kernel_sysctls(systemd_journal_init_t)
@@ -1023,6 +1026,7 @@ fs_relabelfrom_tmpfs_dirs(systemd_logind_t)
 fs_unmount_tmpfs(systemd_logind_t)
 fs_getattr_xattr_fs(systemd_logind_t)
 fs_watch_memory_pressure(systemd_logind_t)
+fs_getattr_nsfs_files(systemd_logind_t)
 
 logging_send_audit_msgs(systemd_logind_t)
 
@@ -1265,6 +1269,7 @@ init_read_state(systemd_machine_id_setup_t)
 
 fs_getattr_cgroup(systemd_modules_load_t)
 fs_getattr_xattr_fs(systemd_modules_load_t)
+fs_getattr_nsfs_files(systemd_modules_load_t)
 
 kernel_load_module(systemd_modules_load_t)
 kernel_read_kernel_sysctls(systemd_modules_load_t)
@@ -1826,6 +1831,7 @@ fs_getattr_all_fs(systemd_sessions_t)
 fs_search_cgroup_dirs(systemd_sessions_t)
 fs_search_tmpfs(systemd_sessions_t)
 fs_search_ramfs(systemd_sessions_t)
+fs_getattr_nsfs_files(systemd_sessions_t)
 
 kernel_read_kernel_sysctls(systemd_sessions_t)
 kernel_dontaudit_getattr_proc(systemd_sessions_t)
@@ -1860,6 +1866,7 @@ fs_getattr_all_fs(systemd_sysctl_t)
 fs_search_cgroup_dirs(systemd_sysctl_t)
 fs_search_ramfs(systemd_sysctl_t)
 fs_search_tmpfs(systemd_sysctl_t)
+fs_getattr_nsfs_files(systemd_sysctl_t)
 
 systemd_log_parse_environment(systemd_sysctl_t)
 
@@ -1974,6 +1981,7 @@ fs_list_tmpfs(systemd_tmpfiles_t)
 fs_relabelfrom_tmpfs_dirs(systemd_tmpfiles_t)
 fs_getattr_all_fs(systemd_tmpfiles_t)
 fs_search_cgroup_dirs(systemd_tmpfiles_t)
+fs_getattr_nsfs_files(systemd_tmpfiles_t)
 
 selinux_get_fs_mount(systemd_tmpfiles_t)
 selinux_use_status_page(systemd_tmpfiles_t)
@@ -2224,6 +2232,7 @@ fs_read_cgroup_files(systemd_user_runtime_dir_t)
 fs_getattr_cgroup(systemd_user_runtime_dir_t)
 fs_search_cgroup_dirs(systemd_user_runtime_dir_t)
 fs_getattr_xattr_fs(systemd_user_runtime_dir_t)
+fs_getattr_nsfs_files(systemd_user_runtime_dir_t)
 
 kernel_read_kernel_sysctls(systemd_user_runtime_dir_t)
 kernel_dontaudit_getattr_proc(systemd_user_runtime_dir_t)

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index ccf2c310e..bf6b8b53e 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -273,6 +273,7 @@ ifdef(`init_systemd',`
 	fs_create_cgroup_dirs(udev_t)
 	fs_create_cgroup_files(udev_t)
 	fs_rw_cgroup_files(udev_t)
+	fs_getattr_nsfs_files(udev_t)
 
 	init_dgram_send(udev_t)
 	init_get_generic_units_status(udev_t)



Thread overview: 20+ messages
2024-12-15  0:30 [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/services/ Jason Zaman
  -- strict thread matches above, loose matches on Subject: below --
2024-09-22  0:03 Jason Zaman
2024-05-14 19:42 Kenton Groombridge
2024-05-14 19:42 Kenton Groombridge
2024-05-14 19:42 Kenton Groombridge
2023-10-06 16:44 Kenton Groombridge
2023-10-06 16:44 Kenton Groombridge
2022-11-02 14:42 Kenton Groombridge
2022-04-09 19:28 Jason Zaman
2022-02-27  2:52 Jason Zaman
2022-02-07  2:14 Jason Zaman
2022-01-30  1:22 Jason Zaman
2021-11-11 21:27 Jason Zaman
2021-09-05 16:00 Jason Zaman
2021-02-07  3:20 Jason Zaman
2021-02-07  3:20 Jason Zaman
2018-12-09 11:48 Jason Zaman
2018-11-11 23:29 Jason Zaman
2018-11-11 23:29 Jason Zaman
2017-01-01 16:36 Jason Zaman
