public inbox for gentoo-commits@lists.gentoo.org
* [gentoo-commits] proj/hardened-refpolicy:concord-dev commit in: policy/modules/services/
From: Kenton Groombridge @ 2022-06-06 15:08 UTC
To: gentoo-commits

commit:     4c32f9d4dd4a46fe2619359f0fa8fc4e72be1901
Author:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
AuthorDate: Fri Nov 12 01:24:07 2021 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Mon Jun  6 15:07:20 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4c32f9d4

apache: add gentoo-specific interface to map httpd sys content

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>

 policy/modules/services/apache.if | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
index 2b3a7f3c..8daa613b 100644
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@@ -1466,3 +1466,23 @@ interface(`apache_rw_runtime_files',`
 
 	allow $1 httpd_runtime_t:file rw_file_perms;
 ')
+
+########################################
+## <summary>
+##	Map httpd sys content files.
+##	This interface is Gentoo-specific.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apache_map_sys_content',`
+	gen_require(`
+		type httpd_sys_content_t, httpd_sys_rw_content_t;
+	')
+
+	allow $1 httpd_sys_content_t:file map;
+	allow $1 httpd_sys_rw_content_t:file map;
+')
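Review bot: `map` on its own does not let a domain mmap these files; the kernel checks `map` in addition to `read` (and `execute` for PROT_EXEC mappings), so a caller of `apache_map_sys_content` must already hold read access on httpd_sys_content_t and httpd_sys_rw_content_t through another interface, and the `<summary>` should say so rather than leaving the caller to find out from an AVC. The two rules can also be written as one, `allow $1 { httpd_sys_content_t httpd_sys_rw_content_t }:file map;`.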



* [gentoo-commits] proj/hardened-refpolicy:concord-dev commit in: policy/modules/services/
From: Kenton Groombridge @ 2022-06-06 15:13 UTC
To: gentoo-commits

commit:     0d5ccab85bdcf69ce73f5702eaed97ee4d539533
Author:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
AuthorDate: Fri Nov 12 01:24:07 2021 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Mon Jun  6 15:13:02 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0d5ccab8

apache: add gentoo-specific interface to map httpd sys content

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>

 policy/modules/services/apache.if | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
index 2b3a7f3c..8daa613b 100644
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@@ -1466,3 +1466,23 @@ interface(`apache_rw_runtime_files',`
 
 	allow $1 httpd_runtime_t:file rw_file_perms;
 ')
+
+########################################
+## <summary>
+##	Map httpd sys content files.
+##	This interface is Gentoo-specific.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apache_map_sys_content',`
+	gen_require(`
+		type httpd_sys_content_t, httpd_sys_rw_content_t;
+	')
+
+	allow $1 httpd_sys_content_t:file map;
+	allow $1 httpd_sys_rw_content_t:file map;
+')



* [gentoo-commits] proj/hardened-refpolicy:concord-dev commit in: policy/modules/services/
From: Kenton Groombridge @ 2022-06-06 15:15 UTC
To: gentoo-commits

commit:     a10abea170376871caa2a53b8f103672b09e8acf
Author:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
AuthorDate: Fri Nov 12 01:24:07 2021 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Mon Jun  6 15:15:03 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a10abea1

apache: add gentoo-specific interface to map httpd sys content

Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/services/apache.if | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
index 2b3a7f3c..8daa613b 100644
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@@ -1466,3 +1466,23 @@ interface(`apache_rw_runtime_files',`
 
 	allow $1 httpd_runtime_t:file rw_file_perms;
 ')
+
+########################################
+## <summary>
+##	Map httpd sys content files.
+##	This interface is Gentoo-specific.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apache_map_sys_content',`
+	gen_require(`
+		type httpd_sys_content_t, httpd_sys_rw_content_t;
+	')
+
+	allow $1 httpd_sys_content_t:file map;
+	allow $1 httpd_sys_rw_content_t:file map;
+')



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
From: Kenton Groombridge @ 2022-09-03 20:04 UTC
To: gentoo-commits

commit:     139f4bb39aea6b202996abebe7581f1479e9fdf1
Author:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
AuthorDate: Fri Nov 12 01:24:07 2021 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Sat Sep  3 20:04:27 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=139f4bb3

apache: add gentoo-specific interface to map httpd sys content

Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/services/apache.if | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
index 2b3a7f3c..8daa613b 100644
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@@ -1466,3 +1466,23 @@ interface(`apache_rw_runtime_files',`
 
 	allow $1 httpd_runtime_t:file rw_file_perms;
 ')
+
+########################################
+## <summary>
+##	Map httpd sys content files.
+##	This interface is Gentoo-specific.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apache_map_sys_content',`
+	gen_require(`
+		type httpd_sys_content_t, httpd_sys_rw_content_t;
+	')
+
+	allow $1 httpd_sys_content_t:file map;
+	allow $1 httpd_sys_rw_content_t:file map;
+')
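Review bot: for a Gentoo-specific interface the `<summary>` should record which caller needs `map` on httpd content and why the existing read interfaces are not extended instead; otherwise this is the first thing dropped as unused when apache.if is next synced with upstream refpolicy. Note also that granting `map` on httpd_sys_rw_content_t lets a domain that already holds write access mmap that content MAP_SHARED writable; fine for the intended caller, but it is the reason the rw type should not be added to interfaces like this one casually.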



* [gentoo-commits] proj/hardened-refpolicy:concord-dev commit in: policy/modules/services/
From: Kenton Groombridge @ 2022-10-12 13:34 UTC
To: gentoo-commits

commit:     087ca14923766efc87202a6b8a98f701105ff7a1
Author:     Dave Sugar <dsugar100 <AT> gmail <DOT> com>
AuthorDate: Wed Aug 24 14:32:45 2022 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Sat Sep  3 19:07:49 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=087ca149

chronyd: Allow to read fips_enabled sysctl

node=localhost type=AVC msg=audit(1661344394.902:355): avc:  denied  { search } for  pid=1014 comm="chronyd" name="crypto" dev="proc" ino=10742 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1661344394.902:355): avc:  denied  { read } for  pid=1014 comm="chronyd" name="fips_enabled" dev="proc" ino=10743 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1661344394.902:355): avc:  denied  { open } for  pid=1014 comm="chronyd" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=10743 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1661344394.902:356): avc:  denied  { getattr } for  pid=1014 comm="chronyd" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=10743 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar100 <AT> gmail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/chronyd.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/services/chronyd.te b/policy/modules/services/chronyd.te
index 3354485c..0cf41d3d 100644
--- a/policy/modules/services/chronyd.te
+++ b/policy/modules/services/chronyd.te
@@ -81,6 +81,7 @@ manage_files_pattern(chronyd_t, chronyd_runtime_t, chronyd_runtime_t)
 manage_sock_files_pattern(chronyd_t, chronyd_runtime_t, chronyd_runtime_t)
 files_runtime_filetrans(chronyd_t, chronyd_runtime_t, { dir file sock_file })
 
+kernel_read_crypto_sysctls(chronyd_t)
 kernel_read_system_state(chronyd_t)
 kernel_read_network_state(chronyd_t)
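Review bot: kernel_read_crypto_sysctls is the right interface here; it covers all four denials (search on the sysctl_crypto_t dir plus read/open/getattr on the file), and the records were taken with permissive=1, so nothing is hidden behind the first denial. The same /proc/sys/crypto/fips_enabled probe shows up for firewalld_t later in this series, which suggests the read comes from the crypto library's FIPS check at startup rather than from chronyd itself; a comment above the call saying so would explain why a time daemon needs crypto sysctls.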
 



* [gentoo-commits] proj/hardened-refpolicy:concord-dev commit in: policy/modules/services/
From: Kenton Groombridge @ 2022-10-12 13:34 UTC
To: gentoo-commits

commit:     639bfc231cae05ce9ff11b367e25f934a59bf23e
Author:     Dave Sugar <dsugar100 <AT> gmail <DOT> com>
AuthorDate: Thu Aug 25 13:28:00 2022 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Sat Sep  3 19:07:50 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=639bfc23

firewalld: allow to read fips_enabled sysctl

node=localhost type=AVC msg=audit(1661396058.360:317): avc:  denied  { search } for  pid=1014 comm="firewalld" name="crypto" dev="proc" ino=10510 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1661396058.360:317): avc:  denied  { read } for  pid=1014 comm="firewalld" name="fips_enabled" dev="proc" ino=10511 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1661396058.360:317): avc:  denied  { open } for  pid=1014 comm="firewalld" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=10511 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1661396058.361:318): avc:  denied  { getattr } for  pid=1014 comm="firewalld" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=10511 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1661396058.664:340): avc:  denied  { search } for  pid=1014 comm="firewalld" name="crypto" dev="proc" ino=10510 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1

Signed-off-by: Dave Sugar <dsugar100 <AT> gmail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/firewalld.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/services/firewalld.te b/policy/modules/services/firewalld.te
index cb37c98b..b51b7740 100644
--- a/policy/modules/services/firewalld.te
+++ b/policy/modules/services/firewalld.te
@@ -53,6 +53,7 @@ manage_dirs_pattern(firewalld_t, firewalld_runtime_t, firewalld_runtime_t)
 manage_files_pattern(firewalld_t, firewalld_runtime_t, firewalld_runtime_t)
 files_runtime_filetrans(firewalld_t, firewalld_runtime_t, { dir file })
 
+kernel_read_crypto_sysctls(firewalld_t)
 kernel_read_network_state(firewalld_t)
 kernel_read_system_state(firewalld_t)
 kernel_rw_net_sysctls(firewalld_t)
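Review bot: the commit message does not say what in firewalld reads /proc/sys/crypto/fips_enabled, and for a firewall daemon that is not obvious; state it in the commit or in a comment above the call (the chronyd commit in this series has the same gap). The rule itself is correct for the AVCs shown: the two `search` records at serials 317 and 340 are the same probe run twice, and kernel_read_crypto_sysctls covers both along with the read/open/getattr on the file.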



* [gentoo-commits] proj/hardened-refpolicy:concord-dev commit in: policy/modules/services/
From: Kenton Groombridge @ 2022-10-12 13:34 UTC
To: gentoo-commits

commit:     86b5f035516e0a10b3af98732667d2c4cb08b79c
Author:     Dave Sugar <dsugar100 <AT> gmail <DOT> com>
AuthorDate: Wed Aug 24 14:37:54 2022 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Sat Sep  3 19:07:49 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=86b5f035

chronyd: allow chronyd to read /usr/share/crypto-policies

With RHEL9 /etc/crypto-policies/back-ends are symlinks to /usr/share/crypto-policies/*/*

node=localhost type=AVC msg=audit(1661344395.351:395): avc:  denied  { getattr } for  pid=1014 comm="chronyd" path="/usr/share/crypto-policies/FIPS/gnutls.txt" dev="dm-0" ino=402142 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1661344395.351:396): avc:  denied  { read } for  pid=1014 comm="chronyd" name="gnutls.txt" dev="dm-0" ino=402142 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1661344395.351:396): avc:  denied  { open } for  pid=1014 comm="chronyd" path="/usr/share/crypto-policies/FIPS/gnutls.txt" dev="dm-0" ino=402142 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar100 <AT> gmail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/chronyd.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/services/chronyd.te b/policy/modules/services/chronyd.te
index 0cf41d3d..aca9a63f 100644
--- a/policy/modules/services/chronyd.te
+++ b/policy/modules/services/chronyd.te
@@ -104,6 +104,8 @@ corenet_udp_bind_chronyd_port(chronyd_t)
 
 dev_rw_realtime_clock(chronyd_t)
 
+files_read_usr_files(chronyd_t)
+
 auth_use_nsswitch(chronyd_t)
 
 logging_send_syslog_msg(chronyd_t)
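Review bot: files_read_usr_files grants read on everything labelled usr_t, far wider than /usr/share/crypto-policies, but refpolicy has no dedicated type for that tree and the files are reached through the /etc/crypto-policies/back-ends symlinks, so a narrower rule is not available without introducing a new type; put a one-line comment above the call naming crypto-policies so the rule is not removed later as unexplained. The records were taken with permissive=1 and show only the final file access, so the symlink side is already covered.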



* [gentoo-commits] proj/hardened-refpolicy:concord-dev commit in: policy/modules/services/
From: Kenton Groombridge @ 2022-10-12 13:34 UTC
To: gentoo-commits

commit:     a5a8129939bf361112055e25a0e55531bbbe20b9
Author:     Dave Sugar <dsugar100 <AT> gmail <DOT> com>
AuthorDate: Thu Aug 25 13:31:22 2022 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Sat Sep  3 19:07:50 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a5a81299

firewalld: create netfilter socket

node=localhost type=AVC msg=audit(1661396059.060:376): avc:  denied  { create } for  pid=1014 comm="firewalld" scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=netlink_netfilter_socket permissive=1
node=localhost type=AVC msg=audit(1661396059.060:377): avc:  denied  { setopt } for  pid=1014 comm="firewalld" scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=netlink_netfilter_socket permissive=1
node=localhost type=AVC msg=audit(1661396059.436:398): avc:  denied  { write } for  pid=1014 comm="firewalld" scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=netlink_netfilter_socket permissive=1
node=localhost type=AVC msg=audit(1661396059.436:399): avc:  denied  { read } for  pid=1014 comm="firewalld" scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=netlink_netfilter_socket permissive=1
node=localhost type=AVC msg=audit(1661396059.437:400): avc:  denied  { getopt } for  pid=1014 comm="firewalld" scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=netlink_netfilter_socket permissive=1

Signed-off-by: Dave Sugar <dsugar100 <AT> gmail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/firewalld.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/services/firewalld.te b/policy/modules/services/firewalld.te
index b51b7740..099dc32e 100644
--- a/policy/modules/services/firewalld.te
+++ b/policy/modules/services/firewalld.te
@@ -33,6 +33,7 @@ allow firewalld_t self:capability { dac_override net_admin };
 dontaudit firewalld_t self:capability sys_tty_config;
 allow firewalld_t self:fifo_file rw_fifo_file_perms;
 allow firewalld_t self:unix_stream_socket { accept listen };
+allow firewalld_t self:netlink_netfilter_socket create_socket_perms;
 allow firewalld_t self:udp_socket create_socket_perms;
 
 manage_dirs_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
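Review bot: create_socket_perms is the conventional macro for a self socket, but it is a superset of the five permissions in the AVCs (create, setopt, write, read, getopt); acceptable here. A comment that netlink_netfilter_socket is the nftables transport would help: together with the net_admin capability a few lines above, it is what lets firewalld_t rewrite the ruleset, so this is the security-relevant line in the domain and the commit title ("create netfilter socket") undersells it.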



* [gentoo-commits] proj/hardened-refpolicy:concord-dev commit in: policy/modules/services/
From: Kenton Groombridge @ 2022-10-12 13:34 UTC
To: gentoo-commits

commit:     d958a662e13f1aaab708bc86cc260e6b582196a0
Author:     Dave Sugar <dsugar100 <AT> gmail <DOT> com>
AuthorDate: Fri Aug 26 18:12:30 2022 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Sat Sep  3 19:07:50 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d958a662

firewalld: firewalld-cmd uses dbus

node=localhost type=USER_AVC msg=audit(1661536843.099:11666): pid=1037 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:firewalld_t:s0 tcontext=toor_u:sysadm_r:sysadm_t:s0 tclass=dbus permissive=1  exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
node=localhost type=USER_AVC msg=audit(1661536101.833:8373): pid=1037 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  denied  { send_msg } for  scontext=toor_u:sysadm_r:sysadm_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=dbus permissive=0  exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"

Signed-off-by: Dave Sugar <dsugar100 <AT> gmail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/firewalld.if | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/services/firewalld.if b/policy/modules/services/firewalld.if
index 4a65cecd..e77b88f8 100644
--- a/policy/modules/services/firewalld.if
+++ b/policy/modules/services/firewalld.if
@@ -105,6 +105,8 @@ interface(`firewalld_admin',`
 	allow $1 firewalld_t:process { ptrace signal_perms };
 	ps_process_pattern($1, firewalld_t)
 
+	firewalld_dbus_chat($1)
+
 	init_startstop_service($1, $2, firewalld_t, firewalld_initrc_exec_t)
 
 	files_search_runtime($1)
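Review bot: the second USER_AVC was logged with permissive=0, so the firewalld command-line client run from sysadm_t was genuinely failing in enforcing mode before this change; firewalld_dbus_chat is bidirectional and covers both directions shown (firewalld_t to sysadm_t and back). Because only firewalld_admin is changed, a role that manages the firewall without calling firewalld_admin still cannot talk to firewalld over dbus; if that is intended, say so in the commit message.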



* [gentoo-commits] proj/hardened-refpolicy:concord-dev commit in: policy/modules/services/
From: Kenton Groombridge @ 2022-10-12 13:34 UTC
To: gentoo-commits

commit:     2a0d52aa43e15264642fcfacc8996adfd02a0724
Author:     Dave Sugar <dsugar100 <AT> gmail <DOT> com>
AuthorDate: Wed Aug 24 02:22:41 2022 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Sat Sep  3 19:07:49 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2a0d52aa

ssh: allow ssh_keygen to read /usr/share/crypto-policies/

With RHEL9 /etc/crypto-policies/back-ends are symlinks to /usr/share/crypto-policies/*/*

node=localhost type=AVC msg=audit(1661303919.946:335): avc: denied { getattr } for pid=1025 comm="ssh-keygen" path="/usr/share/crypto-policies/FIPS/opensslcnf.txt" dev="dm-0" ino=396589 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1661303919.946:336): avc:  denied  { read } for  pid=1025 comm="ssh-keygen" name="opensslcnf.txt" dev="dm-0" ino=396589 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1661303919.946:336): avc:  denied  { open } for  pid=1025 comm="ssh-keygen" path="/usr/share/crypto-policies/FIPS/opensslcnf.txt" dev="dm-0" ino=396589 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar100 <AT> gmail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/ssh.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index ce320c6a..aa0766bb 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -354,6 +354,7 @@ term_dontaudit_use_console(ssh_keygen_t)
 domain_use_interactive_fds(ssh_keygen_t)
 
 files_read_etc_files(ssh_keygen_t)
+files_read_usr_files(ssh_keygen_t)
 
 init_use_fds(ssh_keygen_t)
 init_use_script_ptys(ssh_keygen_t)
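Review bot: this is the same widening as the chronyd crypto-policies commit in this series: files_read_usr_files covers all of usr_t, not just /usr/share/crypto-policies/FIPS/opensslcnf.txt, because the tree has no type of its own. For ssh_keygen_t, which runs once to generate host keys, that is acceptable, but the reason belongs in a comment next to the call rather than only in the commit message, and the file name (opensslcnf.txt) indicates it is the OpenSSL configuration from the FIPS policy being loaded rather than anything ssh-keygen reads itself; worth stating.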



* [gentoo-commits] proj/hardened-refpolicy:concord-dev commit in: policy/modules/services/
From: Kenton Groombridge @ 2022-10-12 13:34 UTC
To: gentoo-commits

commit:     2053dfa53a3559bc91514f6e05c206850d289e7e
Author:     Dave Sugar <dsugar100 <AT> gmail <DOT> com>
AuthorDate: Thu Aug 25 23:19:24 2022 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Sat Sep  3 19:07:50 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2053dfa5

firewalld: allow to load kernel modules

node=localhost type=AVC msg=audit(1661468040.428:439): avc:  denied  { module_request } for  pid=1009 comm="firewalld" kmod="nft-chain-1-nat" scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0

Signed-off-by: Dave Sugar <dsugar100 <AT> gmail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/firewalld.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/services/firewalld.te b/policy/modules/services/firewalld.te
index 099dc32e..a32e4b93 100644
--- a/policy/modules/services/firewalld.te
+++ b/policy/modules/services/firewalld.te
@@ -57,6 +57,7 @@ files_runtime_filetrans(firewalld_t, firewalld_runtime_t, { dir file })
 kernel_read_crypto_sysctls(firewalld_t)
 kernel_read_network_state(firewalld_t)
 kernel_read_system_state(firewalld_t)
+kernel_request_load_module(firewalld_t)
 kernel_rw_net_sysctls(firewalld_t)
 
 corecmd_exec_bin(firewalld_t)
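Review bot: `system module_request` against kernel_t is all-or-nothing: SELinux checks the permission but not the module name (the kmod="nft-chain-1-nat" in the AVC is audit data only), so kernel_request_load_module lets firewalld_t trigger autoloading of any module the kernel's request_module path can resolve, not just the nft ones it needs. That is the only granularity available, and the record was logged with permissive=0, so NAT chains were failing in enforcing mode; say in a comment that the rule is broad by necessity so it is not narrowed in a later cleanup.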



* [gentoo-commits] proj/hardened-refpolicy:concord-dev commit in: policy/modules/services/
From: Kenton Groombridge @ 2022-10-12 13:34 UTC
To: gentoo-commits

commit:     5135e685790073660abb1e0ef52816fb542f75a9
Author:     Dave Sugar <dsugar100 <AT> gmail <DOT> com>
AuthorDate: Fri Aug 26 18:02:45 2022 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Sat Sep  3 19:07:50 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5135e685

firewalld: write tmpfs files

node=localhost type=AVC msg=audit(1661536245.787:9531): avc:  denied  { write } for  pid=1008 comm="firewalld" path=2F6D656D66643A6C6962666669202864656C6574656429 dev="tmpfs" ino=2564 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1661536245.788:9532): avc:  denied  { map } for  pid=1008 comm="firewalld" path=2F6D656D66643A6C6962666669202864656C6574656429 dev="tmpfs" ino=2564 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1661536245.788:9532): avc:  denied  { read execute } for  pid=1008 comm="firewalld" path=2F6D656D66643A6C6962666669202864656C6574656429 dev="tmpfs" ino=2564 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar100 <AT> gmail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/firewalld.te | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/policy/modules/services/firewalld.te b/policy/modules/services/firewalld.te
index a32e4b93..32e16898 100644
--- a/policy/modules/services/firewalld.te
+++ b/policy/modules/services/firewalld.te
@@ -24,6 +24,9 @@ logging_log_file(firewalld_var_log_t)
 type firewalld_tmp_t;
 files_tmp_file(firewalld_tmp_t)
 
+type firewalld_tmpfs_t;
+files_tmpfs_file(firewalld_tmpfs_t)
+
 ########################################
 #
 # Local policy
@@ -54,6 +57,11 @@ manage_dirs_pattern(firewalld_t, firewalld_runtime_t, firewalld_runtime_t)
 manage_files_pattern(firewalld_t, firewalld_runtime_t, firewalld_runtime_t)
 files_runtime_filetrans(firewalld_t, firewalld_runtime_t, { dir file })
 
+manage_dirs_pattern(firewalld_t, firewalld_tmpfs_t, firewalld_tmpfs_t)
+manage_files_pattern(firewalld_t, firewalld_tmpfs_t, firewalld_tmpfs_t)
+mmap_read_files_pattern(firewalld_t, firewalld_tmpfs_t, firewalld_tmpfs_t)
+fs_tmpfs_filetrans(firewalld_t, firewalld_tmpfs_t, { dir file })
+
 kernel_read_crypto_sysctls(firewalld_t)
 kernel_read_network_state(firewalld_t)
 kernel_read_system_state(firewalld_t)
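Review bot: the third AVC is `{ read execute }` on the memfd (the hex path decodes to "/memfd:libffi (deleted)", libffi's executable closure trampoline), and nothing in this hunk grants `execute`: manage_files_pattern and mmap_read_files_pattern give create/read/write/map but not execute on firewalld_tmpfs_t:file, so the PROT_EXEC mapping will still be denied in enforcing mode once the memfd transitions to the new type. Either add `allow firewalld_t firewalld_tmpfs_t:file execute;` with a comment that this is the W^X relaxation libffi needs, or confirm that libffi falls back to another path without it. Also confirm that fs_tmpfs_filetrans fires for memfd_create on this kernel; if the object stays tmpfs_t none of the new rules apply and the original denials remain.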


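The AVC records quoted in the chronyd, firewalld and ssh commits above are the raw input from which each policy rule was derived. As an added example (not part of this thread or of the refpolicy tooling), the Python below does the first step of that derivation the way audit2allow does it: it parses each `avc: denied` line, decodes the hex-encoded `path=` the kernel emits when a path contains a space (the firewalld tmpfs commit's path decodes to the libffi memfd), merges the permissions per (source type, target type, class), flags which denials were logged with permissive=0, and prints the raw allow rule. The sample records are copied from the commit messages on this page. The raw rule is only the starting point; the commits above replace it with the refpolicy interface or pattern that covers the same access (kernel_read_crypto_sysctls, files_read_usr_files, manage_files_pattern), which is what a reviewer expects to see instead of a bare allow.

```python
import re

# Constructed input: AVC records copied verbatim from the commit messages in this thread.
SAMPLE_AVCS = """\
node=localhost type=AVC msg=audit(1661536245.787:9531): avc:  denied  { write } for  pid=1008 comm="firewalld" path=2F6D656D66643A6C6962666669202864656C6574656429 dev="tmpfs" ino=2564 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1661536245.788:9532): avc:  denied  { map } for  pid=1008 comm="firewalld" path=2F6D656D66643A6C6962666669202864656C6574656429 dev="tmpfs" ino=2564 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1661536245.788:9532): avc:  denied  { read execute } for  pid=1008 comm="firewalld" path=2F6D656D66643A6C6962666669202864656C6574656429 dev="tmpfs" ino=2564 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1661344394.902:355): avc:  denied  { search } for  pid=1014 comm="chronyd" name="crypto" dev="proc" ino=10742 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1661344394.902:355): avc:  denied  { read } for  pid=1014 comm="chronyd" name="fips_enabled" dev="proc" ino=10743 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1661344394.902:355): avc:  denied  { open } for  pid=1014 comm="chronyd" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=10743 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1661468040.428:439): avc:  denied  { module_request } for  pid=1009 comm="firewalld" kmod="nft-chain-1-nat" scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
"""

# Permission set, source/target contexts and class; permissive= is optional.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)
# The kernel quotes a path normally but hex-encodes it when it contains a space or control char.
PATH_RE = re.compile(r'\bpath=(?:"(?P<quoted>[^"]*)"|(?P<hex>[0-9A-Fa-f]+)(?=\s|$))')


def decode_path(line):
    """Return the path= field of an AVC record, hex-decoded if needed, or None."""
    m = PATH_RE.search(line)
    if not m:
        return None
    if m.group("quoted") is not None:
        return m.group("quoted")
    hexpath = m.group("hex")
    if len(hexpath) % 2:          # malformed token: keep it raw rather than guess
        return hexpath
    return bytes.fromhex(hexpath).decode("utf-8", "replace")


def context_type(ctx):
    """user:role:type[:range] -> type"""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one AVC record; returns None for lines that are not denials."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": set(m.group("perms").split()),
        "stype": context_type(m.group("scontext")),
        "ttype": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
        "path": decode_path(line),
        "enforced": m.group("permissive") == "0",   # the access was actually blocked
    }


def aggregate(text):
    """Merge denials by (source type, target type, class).
    Returns {key: {"perms": sorted list, "enforced": bool, "paths": sorted list}}."""
    out = {}
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["stype"], rec["ttype"], rec["tclass"])
        slot = out.setdefault(key, {"perms": set(), "enforced": False, "paths": set()})
        slot["perms"] |= rec["perms"]
        slot["enforced"] = slot["enforced"] or rec["enforced"]
        if rec["path"]:
            slot["paths"].add(rec["path"])
    return {k: {"perms": sorted(v["perms"]), "enforced": v["enforced"], "paths": sorted(v["paths"])}
            for k, v in out.items()}


def allow_rules(text):
    """Render each merged denial as the raw allow rule audit2allow would print.
    'self' is used when source and target types match (the netlink socket case above)."""
    rules = []
    for (src, tgt, cls), v in sorted(aggregate(text).items()):
        target = "self" if src == tgt else tgt
        perms = v["perms"][0] if len(v["perms"]) == 1 else "{ " + " ".join(v["perms"]) + " }"
        rules.append(f"allow {src} {target}:{cls} {perms};")
    return rules


if __name__ == "__main__":
    for key, v in sorted(aggregate(SAMPLE_AVCS).items()):
        flag = "ENFORCED" if v["enforced"] else "permissive"
        print(f"{flag:10s} {key} paths={v['paths']}")
    print("\n".join(allow_rules(SAMPLE_AVCS)))
```

Run stand-alone it prints the four merged keys and the raw rules; the tmpfs entry comes out as `allow firewalld_t tmpfs_t:file { execute map read write };`, which makes the missing `execute` in the firewalld tmpfs hunk visible at a glance, and the `enforced` flag separates the denials that only showed up because the host was in permissive mode from the ones (module_request, the sysadm_t dbus send_msg) that were breaking things in enforcing mode.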

* [gentoo-commits] proj/hardened-refpolicy:concord-dev commit in: policy/modules/services/
From: Kenton Groombridge @ 2022-10-12 13:34 UTC
To: gentoo-commits

commit:     139f4bb39aea6b202996abebe7581f1479e9fdf1
Author:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
AuthorDate: Fri Nov 12 01:24:07 2021 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Sat Sep  3 20:04:27 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=139f4bb3

apache: add gentoo-specific interface to map httpd sys content

Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/services/apache.if | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
index 2b3a7f3c..8daa613b 100644
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@@ -1466,3 +1466,23 @@ interface(`apache_rw_runtime_files',`
 
 	allow $1 httpd_runtime_t:file rw_file_perms;
 ')
+
+########################################
+## <summary>
+##	Map httpd sys content files.
+##	This interface is Gentoo-specific.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apache_map_sys_content',`
+	gen_require(`
+		type httpd_sys_content_t, httpd_sys_rw_content_t;
+	')
+
+	allow $1 httpd_sys_content_t:file map;
+	allow $1 httpd_sys_rw_content_t:file map;
+')


