commit:     27908db261c5fee5edc8ea06e1fb2c0a59e72bad
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Apr 19 00:37:39 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 30 09:12:52 2017 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=27908db2

misc daemons from Russell Coker.

Put in libx32 subs entries that refer to directories with fc entries.

Allow dpkg_t to transition to dpkg_script_t when it executes bin_t for
dpkg-reconfigure.

Some dontaudit rules for mta processes spawned by mon for notification.

Lots of tiny changes that are obvious.

 policy/modules/contrib/backup.te     |  4 ++--
 policy/modules/contrib/bitlbee.te    |  3 ++-
 policy/modules/contrib/dpkg.te       |  9 ++++++++-
 policy/modules/contrib/fetchmail.te  |  3 ++-
 policy/modules/contrib/kerneloops.te |  4 +++-
 policy/modules/contrib/loadkeys.te   |  4 +++-
 policy/modules/contrib/mon.if        | 37 ++++++++++++++++++++++++++++++++++++
 policy/modules/contrib/mon.te        |  3 ++-
 policy/modules/contrib/mta.te        | 10 +++++++++-
 policy/modules/contrib/munin.te      |  5 ++++-
 policy/modules/contrib/ntp.te        |  4 ++--
 policy/modules/contrib/rtkit.te      |  6 +++++-
 policy/modules/contrib/smartmon.te   |  3 ++-
 13 files changed, 81 insertions(+), 14 deletions(-)

diff --git a/policy/modules/contrib/backup.te b/policy/modules/contrib/backup.te
index c207d5a2..135f94a3 100644
--- a/policy/modules/contrib/backup.te
+++ b/policy/modules/contrib/backup.te
@@ -1,4 +1,4 @@
-policy_module(backup, 1.7.0)
+policy_module(backup, 1.7.1)
 
 ########################################
 #
@@ -21,7 +21,7 @@ files_type(backup_store_t)
 # Local policy
 #
 
-allow backup_t self:capability dac_override;
+allow backup_t self:capability { chown dac_override fsetid };
 allow backup_t self:process signal;
 allow backup_t self:fifo_file rw_fifo_file_perms;
 allow backup_t self:tcp_socket create_socket_perms;
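Review bot: The `chown` and `fsetid` capabilities added at line 50 carry no comment saying which backup operation needs them, and both are broad — fsetid lets the domain keep setuid/setgid bits on files it writes. A one-line comment above the rule, such as `# chown/fsetid: restore ownership and set-id bits on archived files — confirm against the denial`, would let the next reader judge the grant. If the denial came from a probe rather than a real write, a dontaudit would be the tighter choice.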

diff --git a/policy/modules/contrib/bitlbee.te 
b/policy/modules/contrib/bitlbee.te
index 93d4385d..90ff0dc6 100644
--- a/policy/modules/contrib/bitlbee.te
+++ b/policy/modules/contrib/bitlbee.te
@@ -1,4 +1,4 @@
-policy_module(bitlbee, 1.7.0)
+policy_module(bitlbee, 1.7.1)
 
 ########################################
 #
@@ -61,6 +61,7 @@ files_pid_filetrans(bitlbee_t, bitlbee_var_run_t, { dir file 
sock_file })
 
 kernel_read_kernel_sysctls(bitlbee_t)
 kernel_read_system_state(bitlbee_t)
+kernel_read_crypto_sysctls(bitlbee_t)
 
 corenet_all_recvfrom_unlabeled(bitlbee_t)
 corenet_all_recvfrom_netlabel(bitlbee_t)
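Review bot: `kernel_read_crypto_sysctls(bitlbee_t)` at line 71 is appended after `kernel_read_system_state`, while the two existing kernel_* calls above it are in alphabetical order; moving it before `kernel_read_kernel_sysctls` keeps that block sorted. A short why-comment would also help, since the reason is not visible here — presumably a TLS library reading /proc/sys/crypto, e.g. `# TLS library reads /proc/sys/crypto — confirm`.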

diff --git a/policy/modules/contrib/dpkg.te b/policy/modules/contrib/dpkg.te
index 3ea9e3e0..a3d3f2e5 100644
--- a/policy/modules/contrib/dpkg.te
+++ b/policy/modules/contrib/dpkg.te
@@ -1,4 +1,4 @@
-policy_module(dpkg, 1.11.4)
+policy_module(dpkg, 1.11.5)
 
 ########################################
 #
@@ -34,6 +34,7 @@ domain_type(dpkg_script_t)
 domain_entry_file(dpkg_t, dpkg_var_lib_t)
 domain_entry_file(dpkg_script_t, dpkg_var_lib_t)
 corecmd_shell_entry_type(dpkg_script_t)
+corecmd_bin_entry_type(dpkg_script_t)
 domain_obj_id_change_exemption(dpkg_script_t)
 domain_system_change_exemption(dpkg_script_t)
 domain_interactive_fd(dpkg_script_t)
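Review bot: `corecmd_bin_entry_type(dpkg_script_t)` at line 90, together with `corecmd_bin_domtrans(dpkg_t, dpkg_script_t)` in the next hunk (lines 94-102), makes every bin_t executable an entry point into dpkg_script_t, not only the dpkg-reconfigure named in the description. dpkg_script_t is a high-privilege domain (lines 91-92 exempt it from the object-id and system change checks), so any bin_t program dpkg_t spawns now runs with those exemptions. A comment at line 98 recording the intent, `# dpkg-reconfigure is bin_t; run it in the maintainer-script domain`, would at least document the breadth, and a dedicated entrypoint type for dpkg-reconfigure would narrow it if a file context can be assigned. The list of rules for dpkg_script_t continues outside the hunk.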
@@ -87,6 +88,8 @@ files_var_lib_filetrans(dpkg_t, dpkg_var_lib_t, dir)
 kernel_read_system_state(dpkg_t)
 kernel_read_kernel_sysctls(dpkg_t)
 
+corecmd_bin_domtrans(dpkg_t, dpkg_script_t)
+
 corenet_all_recvfrom_unlabeled(dpkg_t)
 corenet_all_recvfrom_netlabel(dpkg_t)
 corenet_tcp_sendrecv_generic_if(dpkg_t)
@@ -307,6 +310,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+       devicekit_dbus_chat_power(dpkg_script_t)
+')
+
+optional_policy(`
        modutils_run(dpkg_script_t, dpkg_roles)
 ')
 

diff --git a/policy/modules/contrib/fetchmail.te 
b/policy/modules/contrib/fetchmail.te
index a15bc538..7e796c31 100644
--- a/policy/modules/contrib/fetchmail.te
+++ b/policy/modules/contrib/fetchmail.te
@@ -1,4 +1,4 @@
-policy_module(fetchmail, 1.16.1)
+policy_module(fetchmail, 1.16.2)
 
 ########################################
 #
@@ -78,6 +78,7 @@ dev_read_rand(fetchmail_t)
 dev_read_urand(fetchmail_t)
 
 files_read_etc_runtime_files(fetchmail_t)
+files_search_tmp(fetchmail_t)
 files_dontaudit_search_home(fetchmail_t)
 
 fs_getattr_all_fs(fetchmail_t)

diff --git a/policy/modules/contrib/kerneloops.te 
b/policy/modules/contrib/kerneloops.te
index 4ecba0ae..58ee9516 100644
--- a/policy/modules/contrib/kerneloops.te
+++ b/policy/modules/contrib/kerneloops.te
@@ -1,4 +1,4 @@
-policy_module(kerneloops, 1.6.1)
+policy_module(kerneloops, 1.6.2)
 
 ########################################
 #
@@ -30,6 +30,8 @@ files_tmp_filetrans(kerneloops_t, kerneloops_tmp_t, file)
 kernel_read_ring_buffer(kerneloops_t)
 kernel_read_system_state(kerneloops_t)
 
+dev_read_urand(kerneloops_t)
+
 domain_use_interactive_fds(kerneloops_t)
 
 corenet_all_recvfrom_unlabeled(kerneloops_t)

diff --git a/policy/modules/contrib/loadkeys.te 
b/policy/modules/contrib/loadkeys.te
index ca8e7015..d99a28bf 100644
--- a/policy/modules/contrib/loadkeys.te
+++ b/policy/modules/contrib/loadkeys.te
@@ -1,4 +1,4 @@
-policy_module(loadkeys, 1.11.1)
+policy_module(loadkeys, 1.11.2)
 
 ########################################
 #
@@ -37,6 +37,8 @@ files_search_tmp(loadkeys_t)
 term_dontaudit_use_console(loadkeys_t)
 term_use_unallocated_ttys(loadkeys_t)
 
+init_read_script_tmp_files(loadkeys_t)
+
 locallogin_use_fds(loadkeys_t)
 
 miscfiles_read_localization(loadkeys_t)

diff --git a/policy/modules/contrib/mon.if b/policy/modules/contrib/mon.if
index d9aee2be..4701724e 100644
--- a/policy/modules/contrib/mon.if
+++ b/policy/modules/contrib/mon.if
@@ -1 +1,38 @@
 ## <summary>mon network monitoring daemon.</summary>
+
+######################################
+## <summary>
+##      dontaudit using an inherited fd from mon_t
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain to not audit
+##      </summary>
+## </param>
+#
+interface(`mon_dontaudit_use_fds',`
+       gen_require(`
+               type mon_t;
+       ')
+
+       dontaudit $1 mon_t:fd use;
+')
+
+######################################
+## <summary>
+##      dontaudit searching /var/lib/mon
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain to not audit
+##      </summary>
+## </param>
+#
+interface(`mon_dontaudit_search_var_lib',`
+       gen_require(`
+               type mon_var_lib_t;
+       ')
+
+       dontaudit $1 mon_var_lib_t:dir search;
+')
+
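Review bot: The hunk ends with an added empty line at line 219, which leaves mon.if with a trailing blank line after the last `')`; dropping it keeps the file consistent with the other interface files. The second interface requires `mon_var_lib_t` (line 214), which must already be declared in mon.te for the gen_require to resolve — the mon.te hunk in this commit only adds a search on /var/lib, so this is presumably an existing type; confirm. Both interfaces are dontaudit-only, so a caller that genuinely needs the inherited fd or the directory search still needs a separate allow.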

diff --git a/policy/modules/contrib/mon.te b/policy/modules/contrib/mon.te
index 5db41833..0207d0ac 100644
--- a/policy/modules/contrib/mon.te
+++ b/policy/modules/contrib/mon.te
@@ -1,4 +1,4 @@
-policy_module(mon, 1.0.2)
+policy_module(mon, 1.0.3)
 
 ########################################
 #
@@ -80,6 +80,7 @@ domain_use_interactive_fds(mon_t)
 files_read_etc_files(mon_t)
 files_read_etc_runtime_files(mon_t)
 files_read_usr_files(mon_t)
+files_search_var_lib(mon_t)
 
 fs_getattr_all_fs(mon_t)
 fs_search_auto_mountpoints(mon_t)

diff --git a/policy/modules/contrib/mta.te b/policy/modules/contrib/mta.te
index 68f3e91f..2baa07c9 100644
--- a/policy/modules/contrib/mta.te
+++ b/policy/modules/contrib/mta.te
@@ -1,4 +1,4 @@
-policy_module(mta, 2.8.4)
+policy_module(mta, 2.8.5)
 
 ########################################
 #
@@ -324,6 +324,10 @@ optional_policy(`
        ')
 ')
 
+optional_policy(`
+       mon_dontaudit_use_fds(mta_user_agent)
+')
+
 ########################################
 #
 # Mailserver delivery local policy
@@ -379,6 +383,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+       mon_dontaudit_search_var_lib(mailserver_delivery)
+')
+
+optional_policy(`
        postfix_rw_inherited_master_pipes(mailserver_delivery)
 ')
 

diff --git a/policy/modules/contrib/munin.te b/policy/modules/contrib/munin.te
index 16f15ddd..fba6470b 100644
--- a/policy/modules/contrib/munin.te
+++ b/policy/modules/contrib/munin.te
@@ -1,4 +1,4 @@
-policy_module(munin, 1.12.0)
+policy_module(munin, 1.12.1)
 
 ########################################
 #
@@ -385,6 +385,7 @@ optional_policy(`
 # System local policy
 #
 
+allow system_munin_plugin_t self:capability net_admin;
 allow system_munin_plugin_t self:udp_socket create_socket_perms;
 
 rw_files_pattern(system_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
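Review bot: `allow system_munin_plugin_t self:capability net_admin;` at line 287 grants one of the broadest capabilities (interface and routing configuration, netfilter) to a plugin domain with no comment saying which plugin triggered it. If the denial came from a plugin reading interface statistics or socket options, a `dontaudit` may be enough, since many such probes succeed without the capability; if it is genuinely required, a comment such as `# net_admin: needed by <plugin name> for <operation> — confirm` should accompany the rule. The system plugin domain is shared by every system plugin, so the grant is not limited to the one that needs it.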
@@ -399,6 +400,8 @@ dev_read_urand(system_munin_plugin_t)
 
 domain_read_all_domains_state(system_munin_plugin_t)
 
+files_read_usr_files(system_munin_plugin_t)
+
 init_read_utmp(system_munin_plugin_t)
 
 logging_search_logs(system_munin_plugin_t)

diff --git a/policy/modules/contrib/ntp.te b/policy/modules/contrib/ntp.te
index aae4f194..89b31bf3 100644
--- a/policy/modules/contrib/ntp.te
+++ b/policy/modules/contrib/ntp.te
@@ -1,4 +1,4 @@
-policy_module(ntp, 1.16.3)
+policy_module(ntp, 1.16.4)
 
 ########################################
 #
@@ -71,7 +71,7 @@ files_var_filetrans(ntpd_t, ntp_drift_t, file)
 read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
 read_lnk_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
 
-allow ntpd_t ntpd_lock_t:file write_file_perms;
+allow ntpd_t ntpd_lock_t:file rw_file_perms;
 
 allow ntpd_t ntpd_log_t:dir setattr_dir_perms;
 append_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)

diff --git a/policy/modules/contrib/rtkit.te b/policy/modules/contrib/rtkit.te
index c5e77836..cfee1a14 100644
--- a/policy/modules/contrib/rtkit.te
+++ b/policy/modules/contrib/rtkit.te
@@ -1,4 +1,4 @@
-policy_module(rtkit, 1.5.0)
+policy_module(rtkit, 1.5.1)
 
 ########################################
 #
@@ -30,12 +30,16 @@ domain_read_all_domains_state(rtkit_daemon_t)
 
 fs_rw_anon_inodefs_files(rtkit_daemon_t)
 
+selinux_getattr_fs(rtkit_daemon_t)
+
 auth_use_nsswitch(rtkit_daemon_t)
 
 logging_send_syslog_msg(rtkit_daemon_t)
 
 miscfiles_read_localization(rtkit_daemon_t)
 
+seutil_search_default_contexts(rtkit_daemon_t)
+
 optional_policy(`
        dbus_system_domain(rtkit_daemon_t, rtkit_daemon_exec_t)
 
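Review bot: `selinux_getattr_fs(rtkit_daemon_t)` (line 335) and `seutil_search_default_contexts(rtkit_daemon_t)` (line 343) have no comment explaining why a realtime-scheduling helper touches selinuxfs and the default contexts directory; presumably this is libselinux initialization pulled in through the D-Bus library, but that should be confirmed against the audit log and recorded, e.g. `# libselinux init via libdbus — confirm`. If the access is only a probe, a dontaudit pair would be the tighter choice. The `optional_policy` block opened at line 345 continues outside the hunk.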

diff --git a/policy/modules/contrib/smartmon.te 
b/policy/modules/contrib/smartmon.te
index 4a7cafa7..1ad706c7 100644
--- a/policy/modules/contrib/smartmon.te
+++ b/policy/modules/contrib/smartmon.te
@@ -1,4 +1,4 @@
-policy_module(smartmon, 1.14.0)
+policy_module(smartmon, 1.14.1)
 
 ########################################
 #
@@ -69,6 +69,7 @@ files_exec_etc_files(fsdaemon_t)
 files_read_etc_files(fsdaemon_t)
 files_read_etc_runtime_files(fsdaemon_t)
 files_read_usr_files(fsdaemon_t)
+files_search_var_lib(fsdaemon_t)
 
 fs_getattr_all_fs(fsdaemon_t)
 fs_search_auto_mountpoints(fsdaemon_t)
