* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/kernel/, policy/modules/services/, policy/modules/system/
From: Jason Zaman @ 2015-10-26 5:36 UTC (permalink / raw
To: gentoo-commits
commit: eaa1a1b1454ce8ae38f2d84774b3047e9203efd9
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Tue Oct 20 18:33:56 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Oct 26 03:54:24 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=eaa1a1b1
Add systemd units for core refpolicy services.
Only for services that already have a named init script.
Add rules to init_startstop_service(), with conditional arg until
all refpolicy-contrib callers are updated.
policy/modules/kernel/files.if | 18 ++++++++++++++++++
policy/modules/services/postgresql.if | 4 ++--
policy/modules/services/postgresql.te | 3 +++
policy/modules/system/init.if | 17 +++++++++++++++++
policy/modules/system/init.te | 3 +++
policy/modules/system/ipsec.if | 3 ++-
policy/modules/system/ipsec.te | 3 +++
policy/modules/system/iptables.fc | 5 +++++
policy/modules/system/iptables.if | 4 ++--
policy/modules/system/iptables.te | 3 +++
policy/modules/system/logging.fc | 2 ++
policy/modules/system/logging.if | 8 ++++----
policy/modules/system/logging.te | 6 ++++++
policy/modules/system/lvm.fc | 6 ++++++
policy/modules/system/lvm.if | 4 ++--
policy/modules/system/lvm.te | 3 +++
policy/modules/system/setrans.if | 4 ++--
policy/modules/system/setrans.te | 3 +++
18 files changed, 86 insertions(+), 13 deletions(-)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index cbb8afe..20acc0e 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -2892,6 +2892,24 @@ interface(`files_exec_etc_files',`
exec_files_pattern($1, etc_t, etc_t)
')
+########################################
+## <summary>
+## Get etc_t service status.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_get_etc_unit_status',`
+ gen_require(`
+ type etc_t;
+ ')
+
+ allow $1 etc_t:service status;
+')
+
#######################################
## <summary>
## Relabel from and to generic files in /etc.
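Review bot: The new `files_get_etc_unit_status` interface uses the `service` object class without requiring it, while `init_startstop_service` in this same commit (init.if hunk) adds `class service { start stop };` to its gen_require block; for consistency, and so the interface fails with a clear message when the class is not defined in the policy being built, add `class service status;` next to `type etc_t;`. The summary `## Get etc_t service status.` also reads oddly for a file type; a line such as `## Get the systemd service status of generic /etc files (systemd presents e.g. /etc/fstab as a unit).` would spare readers the trip to the init.te comment that explains the need.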
diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if
index 11526b6..32e5d06 100644
--- a/policy/modules/services/postgresql.if
+++ b/policy/modules/services/postgresql.if
@@ -587,7 +587,7 @@ interface(`postgresql_admin',`
type postgresql_t, postgresql_var_run_t;
type postgresql_tmp_t, postgresql_db_t;
type postgresql_etc_t, postgresql_log_t;
- type postgresql_initrc_exec_t;
+ type postgresql_initrc_exec_t, postgresql_unit_t;
')
typeattribute $1 sepgsql_admin_type;
@@ -595,7 +595,7 @@ interface(`postgresql_admin',`
allow $1 postgresql_t:process { ptrace signal_perms };
ps_process_pattern($1, postgresql_t)
- init_startstop_service($1, $2, postgresql_t, postgresql_initrc_exec_t)
+ init_startstop_service($1, $2, postgresql_t, postgresql_initrc_exec_t, postgresql_unit_t)
admin_pattern($1, postgresql_var_run_t)
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
index b4ba0f1..6844c35 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -61,6 +61,9 @@ logging_log_file(postgresql_log_t)
type postgresql_tmp_t;
files_tmp_file(postgresql_tmp_t)
+type postgresql_unit_t;
+init_unit_file(postgresql_unit_t)
+
type postgresql_var_run_t;
files_pid_file(postgresql_var_run_t)
init_daemon_pid_file(postgresql_var_run_t, dir, "postgresql")
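Review bot: `postgresql_unit_t` is declared here and granted `start stop` through `postgresql_admin`, but the diffstat lists no postgresql.fc change, so no unit file is labeled with the new type unless a file context is supplied elsewhere; the same gap applies to `ipsec_unit_t` (ipsec.te hunk) and `setrans_unit_t` (setrans.te hunk), whereas iptables, logging and lvm do receive .fc entries in this commit. Without a file context the service rule grants nothing in practice and the unit keeps whatever generic label it inherits, so an admin domain still cannot start the service under systemd. Consider an entry following the iptables.fc pattern, e.g. `/usr/lib/systemd/system/postgresql.* -- gen_context(system_u:object_r:postgresql_unit_t,s0)` (example only), or state in the commit message that the distro/contrib policy provides it.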
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 192508f..cfe4bd4 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1392,6 +1392,11 @@ interface(`init_all_labeled_script_domtrans',`
## Labeled init script file.
## </summary>
## </param>
+## <param name="unit" optional="true">
+## <summary>
+## Systemd unit file type.
+## </summary>
+## </param>
#
interface(`init_startstop_service',`
gen_require(`
@@ -1409,6 +1414,18 @@ interface(`init_startstop_service',`
role_transition $2 $4 system_r;
allow $2 system_r;
')
+
+ ifdef(`init_systemd',`
+ # This ifelse condition is temporary, until
+ # all callers are updated to provide unit files.
+ ifelse(`$5',`',`',`
+ gen_require(`
+ class service { start stop };
+ ')
+
+ allow $1 $5:service { start stop };
+ ')
+ ')
')
')
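Review bot: The empty branch of `ifelse(`$5',`',`',` silently accepts callers that still omit the unit type, so nothing tracks the "temporary" condition the comment describes; emitting `refpolicywarn(`$0($*) called without a systemd unit type.')` in that branch would list the remaining refpolicy-contrib callers at build time and make the condition straightforward to remove later. The `gen_require` for `class service` is placed inside the ifelse, which is fine, but note the rule only takes effect when `init_systemd` is defined, so a caller passing `$5` on a sysvinit build gets no warning either way. The enclosing `init_startstop_service` body begins in the previous hunk and its earlier statements are not visible here.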
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 916b895..79400f2 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -746,6 +746,9 @@ ifdef(`init_systemd',`
corecmd_shell_domtrans(init_t, initrc_t)
files_read_boot_files(initrc_t)
+ # Allow initrc_t to check /etc/fstab "service." It appears that
+ # systemd is conflating files and services.
+ files_get_etc_unit_status(initrc_t)
files_setattr_pid_dirs(initrc_t)
selinux_set_enforce_mode(initrc_t)
diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if
index 3d64054..eec93e6 100644
--- a/policy/modules/system/ipsec.if
+++ b/policy/modules/system/ipsec.if
@@ -393,12 +393,13 @@ interface(`ipsec_admin',`
type ipsec_key_file_t, ipsec_log_t, ipsec_tmp_t;
type ipsec_var_run_t, ipsec_mgmt_lock_t;
type ipsec_mgmt_var_run_t, racoon_tmp_t;
+ type ipsec_unit_t;
')
allow $1 ipsec_t:process { ptrace signal_perms };
ps_process_pattern($1, ipsec_t)
- init_startstop_service($1, $2, ipsec_t, ipsec_initrc_exec_t)
+ init_startstop_service($1, $2, ipsec_t, ipsec_initrc_exec_t, ipsec_unit_t)
ipsec_exec_mgmt($1)
ipsec_stream_connect($1)
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index 3dd5c8b..f08fd01 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -38,6 +38,9 @@ corenet_spd_type(ipsec_spd_t)
type ipsec_tmp_t;
files_tmp_file(ipsec_tmp_t)
+type ipsec_unit_t;
+init_unit_file(ipsec_unit_t)
+
# type for runtime files, including pluto.ctl
type ipsec_var_run_t;
files_pid_file(ipsec_var_run_t)
diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
index 73a1c4e..b3eda3e 100644
--- a/policy/modules/system/iptables.fc
+++ b/policy/modules/system/iptables.fc
@@ -14,6 +14,11 @@
/sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0)
/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/lib/systemd/system/[^/]*arptables.* -- gen_context(system_u:object_r:iptables_unit_t,s0)
+/usr/lib/systemd/system/[^/]*ebtables.* -- gen_context(system_u:object_r:iptables_unit_t,s0)
+/usr/lib/systemd/system/[^/]*ip6tables.* -- gen_context(system_u:object_r:iptables_unit_t,s0)
+/usr/lib/systemd/system/[^/]*iptables.* -- gen_context(system_u:object_r:iptables_unit_t,s0)
+
/usr/sbin/conntrack -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/sbin/ipset -- gen_context(system_u:object_r:iptables_exec_t,s0)
diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if
index 26ce647..5d2b406 100644
--- a/policy/modules/system/iptables.if
+++ b/policy/modules/system/iptables.if
@@ -185,13 +185,13 @@ interface(`iptables_manage_config',`
interface(`iptables_admin',`
gen_require(`
type iptables_t, iptables_initrc_exec_t, iptables_conf_t;
- type iptables_tmp_t, iptables_var_run_t;
+ type iptables_tmp_t, iptables_var_run_t, iptables_unit_t;
')
allow $1 iptables_t:process { ptrace signal_perms };
ps_process_pattern($1, iptables_t)
- init_startstop_service($1, $2, iptables_t, iptables_initrc_exec_t)
+ init_startstop_service($1, $2, iptables_t, iptables_initrc_exec_t, iptables_unit_t)
files_list_etc($1)
admin_pattern($1, iptables_conf_t)
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
index 8840633..aa999fb 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -22,6 +22,9 @@ files_config_file(iptables_conf_t)
type iptables_tmp_t;
files_tmp_file(iptables_tmp_t)
+type iptables_unit_t;
+init_unit_file(iptables_unit_t)
+
type iptables_var_run_t;
files_pid_file(iptables_var_run_t)
diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
index fb319d4..e504aec 100644
--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
@@ -17,6 +17,8 @@
/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+/usr/lib/systemd/system/auditd.* -- gen_context(system_u:object_r:auditd_unit_t,s0)
+/usr/lib/systemd/system/[^/]*systemd-journal.* -- gen_context(system_u:object_r:syslogd_unit_t,s0)
/usr/lib/systemd/systemd-journald -- gen_context(system_u:object_r:syslogd_exec_t,s0)
/usr/sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 6a279f3..9ededbf 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -1043,7 +1043,7 @@ interface(`logging_admin_audit',`
gen_require(`
type auditd_t, auditd_etc_t, auditd_log_t;
type auditd_var_run_t;
- type auditd_initrc_exec_t;
+ type auditd_initrc_exec_t, auditd_unit_t;
')
allow $1 auditd_t:process { ptrace signal_perms };
@@ -1060,7 +1060,7 @@ interface(`logging_admin_audit',`
logging_run_auditctl($1, $2)
- init_startstop_service($1, $2, auditd_t, auditd_initrc_exec_t)
+ init_startstop_service($1, $2, auditd_t, auditd_initrc_exec_t, auditd_unit_t)
')
########################################
@@ -1086,7 +1086,7 @@ interface(`logging_admin_syslog',`
type syslogd_tmp_t, syslogd_var_lib_t;
type syslogd_var_run_t, klogd_var_run_t;
type klogd_tmp_t, var_log_t;
- type syslogd_initrc_exec_t;
+ type syslogd_initrc_exec_t, syslogd_unit_t;
')
allow $1 syslogd_t:process { ptrace signal_perms };
@@ -1115,7 +1115,7 @@ interface(`logging_admin_syslog',`
logging_manage_all_logs($1)
- init_startstop_service($1, $2, syslogd_t, syslogd_initrc_exec_t)
+ init_startstop_service($1, $2, syslogd_t, syslogd_initrc_exec_t, syslogd_unit_t)
')
########################################
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 6f7335e..fd941ab 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -30,6 +30,9 @@ init_daemon_domain(auditd_t, auditd_exec_t)
type auditd_initrc_exec_t;
init_script_file(auditd_initrc_exec_t)
+type auditd_unit_t;
+init_unit_file(auditd_unit_t);
+
type auditd_var_run_t;
files_pid_file(auditd_var_run_t)
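Review bot: `init_unit_file(auditd_unit_t);` on the added line carries a trailing semicolon that none of the other `init_unit_file(...)` calls in this commit have (syslogd in the next hunk, postgresql.te, ipsec.te, iptables.te, lvm.te, setrans.te); m4 passes the stray `;` through into the generated policy, where it is at best noise after the macro's last statement and at worst a parse error depending on the checker. Drop it: `init_unit_file(auditd_unit_t)`.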
@@ -71,6 +74,9 @@ init_script_file(syslogd_initrc_exec_t)
type syslogd_tmp_t;
files_tmp_file(syslogd_tmp_t)
+type syslogd_unit_t;
+init_unit_file(syslogd_unit_t)
+
type syslogd_var_lib_t;
files_type(syslogd_var_lib_t)
diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc
index ea5ba34..83782b0 100644
--- a/policy/modules/system/lvm.fc
+++ b/policy/modules/system/lvm.fc
@@ -94,6 +94,12 @@ ifdef(`distro_gentoo',`
#
# /usr
#
+
+/usr/lib/systemd/system/blk-availability.* -- gen_context(system_u:object_r:lvm_unit_t,s0)
+/usr/lib/systemd/system/dm-event.* -- gen_context(system_u:object_r:lvm_unit_t,s0)
+/usr/lib/systemd/system/lvm2-.* -- gen_context(system_u:object_r:lvm_unit_t,s0)
+/usr/lib/systemd/system/lvm2-lvmetad.* -- gen_context(system_u:object_r:lvm_unit_t,s0)
+
/usr/sbin/clvmd -- gen_context(system_u:object_r:clvmd_exec_t,s0)
/usr/sbin/lvm -- gen_context(system_u:object_r:lvm_exec_t,s0)
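Review bot: The added `/usr/lib/systemd/system/lvm2-lvmetad.*` entry is already covered by `/usr/lib/systemd/system/lvm2-.*` on the line above it, with the same type and level, so one of the two is redundant; keeping only `lvm2-.*` (or, if the narrower match is deliberate, commenting why it is listed separately) avoids a reader wondering whether the two were meant to differ.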
diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if
index 6561474..5774034 100644
--- a/policy/modules/system/lvm.if
+++ b/policy/modules/system/lvm.if
@@ -162,7 +162,7 @@ interface(`lvm_domtrans_clvmd',`
#
interface(`lvm_admin',`
gen_require(`
- type clvmd_t, clvmd_exec_t, clvmd_initrc_exec_t;
+ type clvmd_t, clvmd_exec_t, clvmd_initrc_exec_t, lvm_unit_t;
type lvm_etc_t, lvm_lock_t, lvm_metadata_t;
type lvm_var_lib_t, lvm_var_run_t, clvmd_var_run_t, lvm_tmp_t;
')
@@ -170,7 +170,7 @@ interface(`lvm_admin',`
allow $1 clvmd_t:process { ptrace signal_perms };
ps_process_pattern($1, clvmd_t)
- init_startstop_service($1, $2, clvmd_t, clvmd_initrc_exec_t)
+ init_startstop_service($1, $2, clvmd_t, clvmd_initrc_exec_t, lvm_unit_t)
files_search_etc($1)
admin_pattern($1, lvm_etc_t)
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index f0bea03..61bd92b 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -32,6 +32,9 @@ files_lock_file(lvm_lock_t)
type lvm_metadata_t;
files_type(lvm_metadata_t)
+type lvm_unit_t;
+init_unit_file(lvm_unit_t)
+
type lvm_var_lib_t;
files_type(lvm_var_lib_t)
diff --git a/policy/modules/system/setrans.if b/policy/modules/system/setrans.if
index 2a8ecaa..9478dd9 100644
--- a/policy/modules/system/setrans.if
+++ b/policy/modules/system/setrans.if
@@ -60,13 +60,13 @@ interface(`setrans_translate_context',`
interface(`setrans_admin',`
gen_require(`
type setrans_t, setrans_initrc_exec_t;
- type setrans_var_run_t;
+ type setrans_var_run_t, setrans_unit_t;
')
allow $1 setrans_t:process { ptrace signal_perms };
ps_process_pattern($1, setrans_t)
- init_startstop_service($1, $2, setrans_t, setrans_initrc_exec_t)
+ init_startstop_service($1, $2, setrans_t, setrans_initrc_exec_t, setrans_unit_t)
files_search_pids($1)
admin_pattern($1, setrans_var_run_t)
diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
index 2df8b53..e4d4500 100644
--- a/policy/modules/system/setrans.te
+++ b/policy/modules/system/setrans.te
@@ -16,6 +16,9 @@ init_daemon_domain(setrans_t, setrans_exec_t)
type setrans_initrc_exec_t;
init_script_file(setrans_initrc_exec_t)
+type setrans_unit_t;
+init_unit_file(setrans_unit_t)
+
type setrans_var_run_t;
files_pid_file(setrans_var_run_t)
mls_trusted_object(setrans_var_run_t)
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/kernel/, policy/modules/services/, policy/modules/system/
From: Jason Zaman @ 2015-10-26 5:36 UTC (permalink / raw
To: gentoo-commits
commit: 5dece5bd67bca8c3df92c74d776119ae9af8ebc2
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Tue Oct 20 18:48:38 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Oct 26 03:52:58 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5dece5bd
Add supporting rules for domains tightly-coupled with systemd.
policy/modules/kernel/devices.if | 52 +++++++++++++++++++++++++++++++++----
policy/modules/kernel/kernel.te | 17 ++++++++++++
policy/modules/services/ssh.te | 5 ++++
policy/modules/system/init.te | 1 +
policy/modules/system/locallogin.te | 8 ++++++
policy/modules/system/logging.fc | 1 +
policy/modules/system/logging.te | 22 ++++++++++++++++
policy/modules/system/lvm.te | 6 +++++
policy/modules/system/modutils.te | 8 ++++++
policy/modules/system/sysnetwork.te | 8 ++++++
policy/modules/system/udev.te | 12 +++++++++
11 files changed, 135 insertions(+), 5 deletions(-)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 835ec14..a052db5 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -143,11 +143,11 @@ interface(`dev_relabel_all_dev_nodes',`
type device_t;
')
- relabelfrom_dirs_pattern($1, device_t, device_node)
- relabelfrom_files_pattern($1, device_t, device_node)
+ relabelfrom_dirs_pattern($1, device_t, { device_t device_node })
+ relabelfrom_files_pattern($1, device_t, { device_t device_node })
relabelfrom_lnk_files_pattern($1, device_t, { device_t device_node })
- relabelfrom_fifo_files_pattern($1, device_t, device_node)
- relabelfrom_sock_files_pattern($1, device_t, device_node)
+ relabelfrom_fifo_files_pattern($1, device_t, { device_t device_node })
+ relabelfrom_sock_files_pattern($1, device_t, { device_t device_node })
relabel_blk_files_pattern($1, device_t, { device_t device_node })
relabel_chr_files_pattern($1, device_t, { device_t device_node })
')
@@ -709,7 +709,7 @@ interface(`dev_relabelfrom_generic_chr_files',`
type device_t;
')
- allow $1 device_t:chr_file relabelfrom;
+ allow $1 device_t:chr_file relabelfrom_chr_file_perms;
')
########################################
@@ -1943,6 +1943,30 @@ interface(`dev_filetrans_dri',`
########################################
## <summary>
+## Automatic type transition to the type
+## for event device nodes when created in /dev.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`dev_filetrans_input_dev',`
+ gen_require(`
+ type device_t, event_device_t;
+ ')
+
+ filetrans_pattern($1, device_t, event_device_t, chr_file, $2)
+')
+
+########################################
+## <summary>
## Get the attributes of the event devices.
## </summary>
## <param name="domain">
@@ -2017,6 +2041,24 @@ interface(`dev_rw_input_dev',`
########################################
## <summary>
+## Create, read, write, and delete input event devices (/dev/input).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_manage_input_dev',`
+ gen_require(`
+ type device_t, event_device_t;
+ ')
+
+ manage_chr_files_pattern($1, device_t, event_device_t)
+')
+
+########################################
+## <summary>
## Get the attributes of the framebuffer device node.
## </summary>
## <param name="domain">
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 14b5713..f2d5756 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -299,6 +299,23 @@ ifdef(`distro_redhat',`
fs_rw_tmpfs_chr_files(kernel_t)
')
+ifdef(`init_systemd',`
+ optional_policy(`
+ dev_manage_input_dev(kernel_t)
+ dev_filetrans_input_dev(kernel_t)
+ ')
+
+ optional_policy(`
+ selinux_compute_create_context(kernel_t)
+ ')
+
+ optional_policy(`
+ storage_dev_filetrans_fixed_disk(kernel_t)
+ storage_setattr_fixed_disk_dev(kernel_t)
+ storage_create_fixed_disk_dev(kernel_t)
+ ')
+')
+
optional_policy(`
# loop devices
fstools_use_fds(kernel_t)
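Review bot: The three new `optional_policy` blocks wrap calls into the devices, selinux and storage modules, which are kernel-layer base modules and always present, so the wrappers add nothing and differ from how the surrounding code calls `fs_rw_tmpfs_chr_files(kernel_t)` directly; call `dev_manage_input_dev`, `dev_filetrans_input_dev`, `selinux_compute_create_context` and the three `storage_*` interfaces directly inside the `ifdef(`init_systemd'` block. A short comment stating why kernel_t must create event and fixed-disk device nodes under systemd (presumably devtmpfs population, to be confirmed) would also help, since creating fixed-disk nodes from kernel_t is a broad grant.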
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 783d0e7..e5932aa 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -266,6 +266,11 @@ ifdef(`distro_debian',`
allow sshd_t self:process { getcap setcap };
')
+ifdef(`init_systemd',`
+ systemd_dbus_chat_logind(sshd_t)
+ init_rw_stream_sockets(sshd_t)
+')
+
tunable_policy(`ssh_sysadm_login',`
# Relabel and access ptys created by sshd
# ioctl is necessary for logout() processing for utmp entry and for w to
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index d5d7b10..916b895 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -222,6 +222,7 @@ ifdef(`init_systemd',`
dev_rw_autofs(init_t)
dev_create_generic_dirs(init_t)
+ dev_manage_input_dev(init_t)
dev_relabel_all_dev_nodes(init_t)
dev_read_urand(init_t)
dev_write_kmsg(init_t)
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
index 5281665..766614c 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -135,6 +135,14 @@ userdom_use_unpriv_users_fds(local_login_t)
userdom_sigchld_all_users(local_login_t)
userdom_create_all_users_keys(local_login_t)
+ifdef(`init_systemd',`
+ auth_manage_faillog(local_login_t)
+
+ systemd_dbus_chat_logind(local_login_t)
+ systemd_use_logind_fds(local_login_t)
+ systemd_manage_logind_pid_pipes(local_login_t)
+')
+
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(local_login_t)
diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
index a0e957c..fb319d4 100644
--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
@@ -72,6 +72,7 @@ ifdef(`distro_redhat',`
/var/run/syslog-ng\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
/var/run/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,s0)
/var/run/systemd/journal(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
+/var/run/systemd/journal/socket -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
/var/run/systemd/journal/syslog -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
/var/run/systemd/journal/dev-log -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 72b7ff5..6f7335e 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -120,6 +120,10 @@ locallogin_dontaudit_use_fds(auditctl_t)
logging_set_audit_parameters(auditctl_t)
logging_send_syslog_msg(auditctl_t)
+ifdef(`init_systemd',`
+ init_rw_stream_sockets(auditctl_t)
+')
+
########################################
#
# Auditd local policy
@@ -248,6 +252,10 @@ miscfiles_read_localization(audisp_t)
sysnet_dns_name_resolve(audisp_t)
+ifdef(`init_systemd',`
+ kernel_dgram_send(audisp_t)
+')
+
optional_policy(`
dbus_system_bus_client(audisp_t)
')
@@ -480,6 +488,20 @@ miscfiles_read_localization(syslogd_t)
userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
userdom_dontaudit_search_user_home_dirs(syslogd_t)
+ifdef(`init_systemd',`
+ allow syslogd_t self:capability { chown setuid setgid };
+
+ kernel_use_fds(syslogd_t)
+ kernel_getattr_dgram_sockets(syslogd_t)
+ kernel_rw_unix_dgram_sockets(syslogd_t)
+ kernel_rw_stream_sockets(syslogd_t)
+
+ init_daemon_pid_file(syslogd_var_run_t, dir, "syslogd")
+ init_dgram_send(syslogd_t)
+
+ udev_read_pid_files(syslogd_t)
+')
+
ifdef(`distro_gentoo',`
# default gentoo syslog-ng config appends kernel
# and high priority messages to /dev/tty12
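Review bot: `allow syslogd_t self:capability { chown setuid setgid };` is added without a comment saying which program needs it; under systemd the syslogd_t domain covers systemd-journald (logging.fc labels /usr/lib/systemd/systemd-journald as syslogd_exec_t) as well as the classic syslog daemons also labeled syslogd_exec_t, so the setuid/setgid capabilities extend to all of them. A one-line why-comment above the rule, naming the daemon and the operation that motivated it (wording to be confirmed against the denials), would document the intent, and if only journald needs it that is an argument for a separate journald domain later. The `init_daemon_pid_file(syslogd_var_run_t, dir, "syslogd")` line in the same block likewise deserves a note on which directory it is meant to create.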
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index 6880656..f0bea03 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -304,6 +304,12 @@ seutil_sigchld_newrole(lvm_t)
userdom_use_user_terminals(lvm_t)
+ifdef(`init_systemd',`
+ init_rw_stream_sockets(lvm_t)
+
+ fs_manage_hugetlbfs_dirs(lvm_t)
+')
+
ifdef(`distro_redhat',`
# this is from the initrd:
kernel_rw_unlabeled_dirs(lvm_t)
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index b17ad6c..4a5b572 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -183,6 +183,14 @@ userdom_dontaudit_search_user_home_dirs(insmod_t)
kernel_domtrans_to(insmod_t, insmod_exec_t)
+ifdef(`init_systemd',`
+ kernel_search_key(insmod_t)
+
+ init_rw_stream_sockets(insmod_t)
+
+ systemd_write_kmod_files(insmod_t)
+')
+
optional_policy(`
alsa_domtrans(insmod_t)
')
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 7a7b479..ff32383 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -162,6 +162,14 @@ ifdef(`distro_ubuntu',`
')
')
+ifdef(`init_systemd',`
+ init_rw_stream_sockets(dhcpc_t)
+ init_read_state(dhcpc_t)
+ init_stream_connect(dhcpc_t)
+ init_get_all_units_status(dhcpc_t)
+ init_search_units(dhcpc_t)
+')
+
optional_policy(`
consoletype_run(dhcpc_t, dhcpc_roles)
')
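Review bot: `init_get_all_units_status(dhcpc_t)` grants the DHCP client status access on every unit type, which is the broadest rule in this hunk while the other four lines are narrowly scoped; it is not clear from the block which units the client actually queries. If it only needs a handful, a comment naming them (or a narrower interface, if one exists) keeps the grant in step with the rest of the block; if it genuinely needs all units, a one-line comment saying so will stop a later reviewer from narrowing it.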
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index a9a2296..40868ad 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -218,6 +218,18 @@ ifdef(`distro_redhat',`
')
')
+ifdef(`init_systemd',`
+ kernel_load_module(udev_t)
+
+ files_search_kernel_modules(udev_t)
+
+ fs_read_cgroup_files(udev_t)
+
+ init_dgram_send(udev_t)
+
+ systemd_read_logind_pids(udev_t)
+')
+
optional_policy(`
alsa_domtrans(udev_t)
alsa_read_lib(udev_t)
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/services/, policy/modules/kernel/
From: Jason Zaman @ 2015-10-26 5:48 UTC (permalink / raw
To: gentoo-commits
commit: eaa1a1b1454ce8ae38f2d84774b3047e9203efd9
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Tue Oct 20 18:33:56 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Oct 26 03:54:24 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=eaa1a1b1
Add systemd units for core refpolicy services.
Only for services that already have a named init script.
Add rules to init_startstop_service(), with conditional arg until
all refpolicy-contrib callers are updated.
policy/modules/kernel/files.if | 18 ++++++++++++++++++
policy/modules/services/postgresql.if | 4 ++--
policy/modules/services/postgresql.te | 3 +++
policy/modules/system/init.if | 17 +++++++++++++++++
policy/modules/system/init.te | 3 +++
policy/modules/system/ipsec.if | 3 ++-
policy/modules/system/ipsec.te | 3 +++
policy/modules/system/iptables.fc | 5 +++++
policy/modules/system/iptables.if | 4 ++--
policy/modules/system/iptables.te | 3 +++
policy/modules/system/logging.fc | 2 ++
policy/modules/system/logging.if | 8 ++++----
policy/modules/system/logging.te | 6 ++++++
policy/modules/system/lvm.fc | 6 ++++++
policy/modules/system/lvm.if | 4 ++--
policy/modules/system/lvm.te | 3 +++
policy/modules/system/setrans.if | 4 ++--
policy/modules/system/setrans.te | 3 +++
18 files changed, 86 insertions(+), 13 deletions(-)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index cbb8afe..20acc0e 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -2892,6 +2892,24 @@ interface(`files_exec_etc_files',`
exec_files_pattern($1, etc_t, etc_t)
')
+########################################
+## <summary>
+## Get etc_t service status.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_get_etc_unit_status',`
+ gen_require(`
+ type etc_t;
+ ')
+
+ allow $1 etc_t:service status;
+')
+
#######################################
## <summary>
## Relabel from and to generic files in /etc.
diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if
index 11526b6..32e5d06 100644
--- a/policy/modules/services/postgresql.if
+++ b/policy/modules/services/postgresql.if
@@ -587,7 +587,7 @@ interface(`postgresql_admin',`
type postgresql_t, postgresql_var_run_t;
type postgresql_tmp_t, postgresql_db_t;
type postgresql_etc_t, postgresql_log_t;
- type postgresql_initrc_exec_t;
+ type postgresql_initrc_exec_t, postgresql_unit_t;
')
typeattribute $1 sepgsql_admin_type;
@@ -595,7 +595,7 @@ interface(`postgresql_admin',`
allow $1 postgresql_t:process { ptrace signal_perms };
ps_process_pattern($1, postgresql_t)
- init_startstop_service($1, $2, postgresql_t, postgresql_initrc_exec_t)
+ init_startstop_service($1, $2, postgresql_t, postgresql_initrc_exec_t, postgresql_unit_t)
admin_pattern($1, postgresql_var_run_t)
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
index b4ba0f1..6844c35 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -61,6 +61,9 @@ logging_log_file(postgresql_log_t)
type postgresql_tmp_t;
files_tmp_file(postgresql_tmp_t)
+type postgresql_unit_t;
+init_unit_file(postgresql_unit_t)
+
type postgresql_var_run_t;
files_pid_file(postgresql_var_run_t)
init_daemon_pid_file(postgresql_var_run_t, dir, "postgresql")
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 192508f..cfe4bd4 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1392,6 +1392,11 @@ interface(`init_all_labeled_script_domtrans',`
## Labeled init script file.
## </summary>
## </param>
+## <param name="unit" optional="true">
+## <summary>
+## Systemd unit file type.
+## </summary>
+## </param>
#
interface(`init_startstop_service',`
gen_require(`
@@ -1409,6 +1414,18 @@ interface(`init_startstop_service',`
role_transition $2 $4 system_r;
allow $2 system_r;
')
+
+ ifdef(`init_systemd',`
+ # This ifelse condition is temporary, until
+ # all callers are updated to provide unit files.
+ ifelse(`$5',`',`',`
+ gen_require(`
+ class service { start stop };
+ ')
+
+ allow $1 $5:service { start stop };
+ ')
+ ')
')
')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 916b895..79400f2 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -746,6 +746,9 @@ ifdef(`init_systemd',`
corecmd_shell_domtrans(init_t, initrc_t)
files_read_boot_files(initrc_t)
+ # Allow initrc_t to check /etc/fstab "service." It appears that
+ # systemd is conflating files and services.
+ files_get_etc_unit_status(initrc_t)
files_setattr_pid_dirs(initrc_t)
selinux_set_enforce_mode(initrc_t)
diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if
index 3d64054..eec93e6 100644
--- a/policy/modules/system/ipsec.if
+++ b/policy/modules/system/ipsec.if
@@ -393,12 +393,13 @@ interface(`ipsec_admin',`
type ipsec_key_file_t, ipsec_log_t, ipsec_tmp_t;
type ipsec_var_run_t, ipsec_mgmt_lock_t;
type ipsec_mgmt_var_run_t, racoon_tmp_t;
+ type ipsec_unit_t;
')
allow $1 ipsec_t:process { ptrace signal_perms };
ps_process_pattern($1, ipsec_t)
- init_startstop_service($1, $2, ipsec_t, ipsec_initrc_exec_t)
+ init_startstop_service($1, $2, ipsec_t, ipsec_initrc_exec_t, ipsec_unit_t)
ipsec_exec_mgmt($1)
ipsec_stream_connect($1)
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index 3dd5c8b..f08fd01 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -38,6 +38,9 @@ corenet_spd_type(ipsec_spd_t)
type ipsec_tmp_t;
files_tmp_file(ipsec_tmp_t)
+type ipsec_unit_t;
+init_unit_file(ipsec_unit_t)
+
# type for runtime files, including pluto.ctl
type ipsec_var_run_t;
files_pid_file(ipsec_var_run_t)
diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
index 73a1c4e..b3eda3e 100644
--- a/policy/modules/system/iptables.fc
+++ b/policy/modules/system/iptables.fc
@@ -14,6 +14,11 @@
/sbin/ipvsadm-save -- gen_context(system_u:object_r:iptables_exec_t,s0)
/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/lib/systemd/system/[^/]*arptables.* -- gen_context(system_u:object_r:iptables_unit_t,s0)
+/usr/lib/systemd/system/[^/]*ebtables.* -- gen_context(system_u:object_r:iptables_unit_t,s0)
+/usr/lib/systemd/system/[^/]*ip6tables.* -- gen_context(system_u:object_r:iptables_unit_t,s0)
+/usr/lib/systemd/system/[^/]*iptables.* -- gen_context(system_u:object_r:iptables_unit_t,s0)
+
/usr/sbin/conntrack -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/sbin/ipset -- gen_context(system_u:object_r:iptables_exec_t,s0)
diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if
index 26ce647..5d2b406 100644
--- a/policy/modules/system/iptables.if
+++ b/policy/modules/system/iptables.if
@@ -185,13 +185,13 @@ interface(`iptables_manage_config',`
interface(`iptables_admin',`
gen_require(`
type iptables_t, iptables_initrc_exec_t, iptables_conf_t;
- type iptables_tmp_t, iptables_var_run_t;
+ type iptables_tmp_t, iptables_var_run_t, iptables_unit_t;
')
allow $1 iptables_t:process { ptrace signal_perms };
ps_process_pattern($1, iptables_t)
- init_startstop_service($1, $2, iptables_t, iptables_initrc_exec_t)
+ init_startstop_service($1, $2, iptables_t, iptables_initrc_exec_t, iptables_unit_t)
files_list_etc($1)
admin_pattern($1, iptables_conf_t)
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
index 8840633..aa999fb 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -22,6 +22,9 @@ files_config_file(iptables_conf_t)
type iptables_tmp_t;
files_tmp_file(iptables_tmp_t)
+type iptables_unit_t;
+init_unit_file(iptables_unit_t)
+
type iptables_var_run_t;
files_pid_file(iptables_var_run_t)
diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
index fb319d4..e504aec 100644
--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
@@ -17,6 +17,8 @@
/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+/usr/lib/systemd/system/auditd.* -- gen_context(system_u:object_r:auditd_unit_t,s0)
+/usr/lib/systemd/system/[^/]*systemd-journal.* -- gen_context(system_u:object_r:syslogd_unit_t,s0)
/usr/lib/systemd/systemd-journald -- gen_context(system_u:object_r:syslogd_exec_t,s0)
/usr/sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 6a279f3..9ededbf 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -1043,7 +1043,7 @@ interface(`logging_admin_audit',`
gen_require(`
type auditd_t, auditd_etc_t, auditd_log_t;
type auditd_var_run_t;
- type auditd_initrc_exec_t;
+ type auditd_initrc_exec_t, auditd_unit_t;
')
allow $1 auditd_t:process { ptrace signal_perms };
@@ -1060,7 +1060,7 @@ interface(`logging_admin_audit',`
logging_run_auditctl($1, $2)
- init_startstop_service($1, $2, auditd_t, auditd_initrc_exec_t)
+ init_startstop_service($1, $2, auditd_t, auditd_initrc_exec_t, auditd_unit_t)
')
########################################
@@ -1086,7 +1086,7 @@ interface(`logging_admin_syslog',`
type syslogd_tmp_t, syslogd_var_lib_t;
type syslogd_var_run_t, klogd_var_run_t;
type klogd_tmp_t, var_log_t;
- type syslogd_initrc_exec_t;
+ type syslogd_initrc_exec_t, syslogd_unit_t;
')
allow $1 syslogd_t:process { ptrace signal_perms };
@@ -1115,7 +1115,7 @@ interface(`logging_admin_syslog',`
logging_manage_all_logs($1)
- init_startstop_service($1, $2, syslogd_t, syslogd_initrc_exec_t)
+ init_startstop_service($1, $2, syslogd_t, syslogd_initrc_exec_t, syslogd_unit_t)
')
########################################
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 6f7335e..fd941ab 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -30,6 +30,9 @@ init_daemon_domain(auditd_t, auditd_exec_t)
type auditd_initrc_exec_t;
init_script_file(auditd_initrc_exec_t)
+type auditd_unit_t;
+init_unit_file(auditd_unit_t);
+
type auditd_var_run_t;
files_pid_file(auditd_var_run_t)
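Review bot: The added `init_unit_file(auditd_unit_t);` carries a trailing semicolon that none of the sibling calls in this commit have (`syslogd_unit_t` in the next hunk, and the ipsec.te, iptables.te, lvm.te and setrans.te hunks all omit it). Interface calls are m4 macros, so the stray `;` ends up in the expanded policy after the macro's own statements; drop it to read `init_unit_file(auditd_unit_t)`. Whether checkpolicy tolerates an empty statement there cannot be confirmed from the diff alone, but the inconsistency is worth fixing before it gets copied into further modules.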
@@ -71,6 +74,9 @@ init_script_file(syslogd_initrc_exec_t)
type syslogd_tmp_t;
files_tmp_file(syslogd_tmp_t)
+type syslogd_unit_t;
+init_unit_file(syslogd_unit_t)
+
type syslogd_var_lib_t;
files_type(syslogd_var_lib_t)
diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc
index ea5ba34..83782b0 100644
--- a/policy/modules/system/lvm.fc
+++ b/policy/modules/system/lvm.fc
@@ -94,6 +94,12 @@ ifdef(`distro_gentoo',`
#
# /usr
#
+
+/usr/lib/systemd/system/blk-availability.* -- gen_context(system_u:object_r:lvm_unit_t,s0)
+/usr/lib/systemd/system/dm-event.* -- gen_context(system_u:object_r:lvm_unit_t,s0)
+/usr/lib/systemd/system/lvm2-.* -- gen_context(system_u:object_r:lvm_unit_t,s0)
+/usr/lib/systemd/system/lvm2-lvmetad.* -- gen_context(system_u:object_r:lvm_unit_t,s0)
+
/usr/sbin/clvmd -- gen_context(system_u:object_r:clvmd_exec_t,s0)
/usr/sbin/lvm -- gen_context(system_u:object_r:lvm_exec_t,s0)
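Review bot: The `lvm2-lvmetad.*` entry is fully covered by the preceding `lvm2-.*` pattern, and both assign `lvm_unit_t`, so the second line is redundant and only adds a second match candidate for the same paths. Either drop `/usr/lib/systemd/system/lvm2-lvmetad.* -- gen_context(system_u:object_r:lvm_unit_t,s0)` or, if lvmetad is meant to be listed explicitly, narrow the generic line so the two patterns do not overlap. No labeling difference follows from this since the contexts agree; it is a matter of keeping the file context list tidy.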
diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if
index 6561474..5774034 100644
--- a/policy/modules/system/lvm.if
+++ b/policy/modules/system/lvm.if
@@ -162,7 +162,7 @@ interface(`lvm_domtrans_clvmd',`
#
interface(`lvm_admin',`
gen_require(`
- type clvmd_t, clvmd_exec_t, clvmd_initrc_exec_t;
+ type clvmd_t, clvmd_exec_t, clvmd_initrc_exec_t, lvm_unit_t;
type lvm_etc_t, lvm_lock_t, lvm_metadata_t;
type lvm_var_lib_t, lvm_var_run_t, clvmd_var_run_t, lvm_tmp_t;
')
@@ -170,7 +170,7 @@ interface(`lvm_admin',`
allow $1 clvmd_t:process { ptrace signal_perms };
ps_process_pattern($1, clvmd_t)
- init_startstop_service($1, $2, clvmd_t, clvmd_initrc_exec_t)
+ init_startstop_service($1, $2, clvmd_t, clvmd_initrc_exec_t, lvm_unit_t)
files_search_etc($1)
admin_pattern($1, lvm_etc_t)
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index f0bea03..61bd92b 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -32,6 +32,9 @@ files_lock_file(lvm_lock_t)
type lvm_metadata_t;
files_type(lvm_metadata_t)
+type lvm_unit_t;
+init_unit_file(lvm_unit_t)
+
type lvm_var_lib_t;
files_type(lvm_var_lib_t)
diff --git a/policy/modules/system/setrans.if b/policy/modules/system/setrans.if
index 2a8ecaa..9478dd9 100644
--- a/policy/modules/system/setrans.if
+++ b/policy/modules/system/setrans.if
@@ -60,13 +60,13 @@ interface(`setrans_translate_context',`
interface(`setrans_admin',`
gen_require(`
type setrans_t, setrans_initrc_exec_t;
- type setrans_var_run_t;
+ type setrans_var_run_t, setrans_unit_t;
')
allow $1 setrans_t:process { ptrace signal_perms };
ps_process_pattern($1, setrans_t)
- init_startstop_service($1, $2, setrans_t, setrans_initrc_exec_t)
+ init_startstop_service($1, $2, setrans_t, setrans_initrc_exec_t, setrans_unit_t)
files_search_pids($1)
admin_pattern($1, setrans_var_run_t)
diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
index 2df8b53..e4d4500 100644
--- a/policy/modules/system/setrans.te
+++ b/policy/modules/system/setrans.te
@@ -16,6 +16,9 @@ init_daemon_domain(setrans_t, setrans_exec_t)
type setrans_initrc_exec_t;
init_script_file(setrans_initrc_exec_t)
+type setrans_unit_t;
+init_unit_file(setrans_unit_t)
+
type setrans_var_run_t;
files_pid_file(setrans_var_run_t)
mls_trusted_object(setrans_var_run_t)