commit:     9ac5cf61e3dde52271310da0fea9a4210c744927
Author:     Russell Coker <russell <AT> coker <DOT> com <DOT> au>
AuthorDate: Wed Jan 27 17:20:35 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb  1 01:21:42 2021 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9ac5cf61

misc network patches with Dominick's changes*2

I think this one is good for merging now.

Signed-off-by: Russell Coker <russell <AT> coker.com.au>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/admin/netutils.te    |  5 ++-
 policy/modules/services/dkim.te     |  1 +
 policy/modules/services/mailman.te  |  1 +
 policy/modules/services/mon.te      |  3 ++
 policy/modules/services/samba.if    | 76 +++++++++++++++++++++++++++++++++++++
 policy/modules/system/sysnetwork.fc |  1 +
 policy/modules/system/sysnetwork.te | 20 ++++++++++
 7 files changed, 106 insertions(+), 1 deletion(-)

diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index 06a64a3e..1a0d3d7b 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -109,6 +109,7 @@ allow ping_t self:tcp_socket create_socket_perms;
 allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt 
getattr };
 allow ping_t self:packet_socket { create ioctl read write bind getopt setopt };
 allow ping_t self:netlink_route_socket create_netlink_socket_perms;
+allow ping_t self:icmp_socket create;
 
 corenet_all_recvfrom_netlabel(ping_t)
 corenet_sendrecv_icmp_packets(ping_t)
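Review bot: The new `allow ping_t self:icmp_socket create;` grants only `create`, so if ping goes on to use that socket the subsequent setopt/bind/read/write calls would still be denied and logged. If the intent is merely to let the unprivileged-ICMP probe succeed before ping falls back to its rawip_socket, that rationale should be stated on the line, e.g. `# probe for an unprivileged ICMP socket; ping falls back to rawip_socket`; otherwise `create_socket_perms` would be the grant consistent with the tcp/rawip rules above it. Whether ping actually falls back is inferred from the permission set, not visible in the diff.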
@@ -156,13 +157,14 @@ allow traceroute_t self:capability { net_admin net_raw 
setgid setuid };
 allow traceroute_t self:fifo_file rw_inherited_fifo_file_perms;
 allow traceroute_t self:process signal;
 allow traceroute_t self:rawip_socket create_socket_perms;
-allow traceroute_t self:packet_socket create_socket_perms;
+allow traceroute_t self:packet_socket { map create_socket_perms };
 allow traceroute_t self:udp_socket create_socket_perms;
 
 can_exec(traceroute_t, traceroute_exec_t)
 
 kernel_read_system_state(traceroute_t)
 kernel_read_network_state(traceroute_t)
+kernel_search_fs_sysctls(traceroute_t)
 
 corecmd_search_bin(traceroute_t)
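Review bot: The added `map` permission on traceroute_t's packet socket and the new `kernel_search_fs_sysctls(traceroute_t)` carry no rationale, and neither is an obvious need of a traceroute binary; a reader cannot tell whether `map` is for an mmap'd packet ring buffer or just a denial seen during testing. Suggest a one-line comment on each, such as `# mmap of the packet socket ring buffer` if that is what was observed, and naming the sysctl path that triggered the fs_sysctls search. What actually triggered these grants is not visible here.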
 
@@ -197,6 +199,7 @@ auth_use_nsswitch(traceroute_t)
 
 logging_send_syslog_msg(traceroute_t)
 
+miscfiles_read_generic_certs(traceroute_t)
 miscfiles_read_localization(traceroute_t)
 
 userdom_use_inherited_user_terminals(traceroute_t)
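Review bot: `miscfiles_read_generic_certs(traceroute_t)` is an unusual grant for a traceroute utility and has no comment explaining it. If it comes from a crypto library linked into the binary loading its CA bundle at start-up, say so, e.g. `# linked crypto library loads the CA bundle at startup`, and consider whether a dontaudit would be the better fit since traceroute has no use for the certificates. That cause is a guess; the diff does not show the denial that motivated the rule.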

diff --git a/policy/modules/services/dkim.te b/policy/modules/services/dkim.te
index e744f3d7..864d5b07 100644
--- a/policy/modules/services/dkim.te
+++ b/policy/modules/services/dkim.te
@@ -35,6 +35,7 @@ kernel_read_vm_overcommit_sysctl(dkim_milter_t)
 
 corenet_udp_bind_generic_node(dkim_milter_t)
 corenet_udp_bind_all_unreserved_ports(dkim_milter_t)
+corenet_udp_bind_generic_port(dkim_milter_t)
 
 dev_read_urand(dkim_milter_t)
 # for cpu/online
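Review bot: `corenet_udp_bind_generic_port(dkim_milter_t)` lets the milter bind any UDP port still labelled port_t, and it sits next to an existing `corenet_udp_bind_all_unreserved_ports` that already covers the ephemeral range, so the combined reach is wide. If this is for a specific configured port, labelling that port and using a targeted bind interface keeps the policy tighter; if it is because resolver lookups pick source ports in the otherwise-unlabelled range, a comment saying so would help, e.g. `# resolver source ports that carry no specific label`. The motivating denial is not visible in the diff.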

diff --git a/policy/modules/services/mailman.te 
b/policy/modules/services/mailman.te
index 154eb301..47bb174b 100644
--- a/policy/modules/services/mailman.te
+++ b/policy/modules/services/mailman.te
@@ -112,6 +112,7 @@ corecmd_exec_bin(mailman_cgi_t)
 dev_read_urand(mailman_cgi_t)
 
 files_search_locks(mailman_cgi_t)
+files_read_usr_files(mailman_cgi_t)
 
 term_use_controlling_term(mailman_cgi_t)
 

diff --git a/policy/modules/services/mon.te b/policy/modules/services/mon.te
index 74a94b89..50a9c82f 100644
--- a/policy/modules/services/mon.te
+++ b/policy/modules/services/mon.te
@@ -58,6 +58,9 @@ manage_files_pattern(mon_t, mon_var_log_t, mon_var_log_t)
 manage_files_pattern(mon_t, mon_runtime_t, mon_runtime_t)
 files_runtime_filetrans(mon_t, mon_runtime_t, file)
 
+# to read fips_enabled
+kernel_read_crypto_sysctls(mon_t)
+
 kernel_read_kernel_sysctls(mon_t)
 kernel_read_network_state(mon_t)
 kernel_read_system_state(mon_t)

diff --git a/policy/modules/services/samba.if b/policy/modules/services/samba.if
index 62c3ae67..5e01db23 100644
--- a/policy/modules/services/samba.if
+++ b/policy/modules/services/samba.if
@@ -729,3 +729,79 @@ interface(`samba_admin',`
        files_list_tmp($1)
        admin_pattern($1, { swat_tmp_t smbd_tmp_t winbind_tmp_t })
 ')
+
+########################################
+## <summary>
+##     start samba daemon
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`samba_start',`
+       gen_require(`
+               type samba_unit_t;
+       ')
+
+       allow $1 samba_unit_t:file getattr;
+       allow $1 samba_unit_t:service start;
+')
+
+########################################
+## <summary>
+##     stop samba daemon
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`samba_stop',`
+       gen_require(`
+               type samba_unit_t;
+       ')
+
+       allow $1 samba_unit_t:file getattr;
+       allow $1 samba_unit_t:service stop;
+')
+
+########################################
+## <summary>
+##     get status of samba daemon
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`samba_status',`
+       gen_require(`
+               type samba_unit_t;
+       ')
+
+       allow $1 samba_unit_t:file getattr;
+       allow $1 samba_unit_t:service status;
+')
+
+########################################
+## <summary>
+##     reload samba daemon
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`samba_reload',`
+       gen_require(`
+               type samba_unit_t;
+       ')
+
+       allow $1 samba_unit_t:file getattr;
+       allow $1 samba_unit_t:service reload;
+')
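Review bot: The four new interfaces `samba_start`, `samba_stop`, `samba_status` and `samba_reload` are identical apart from the `service` permission, and each `gen_require`s a `type samba_unit_t` that this commit neither declares nor labels, so they depend on it already existing in samba.te and samba.fc (not visible here). A single interface taking the permission, or one combined start/stop interface, would remove the repetition. The summaries should also follow refpolicy's sentence style, e.g. `Start the samba daemon.` rather than `start samba daemon`. Since `start`/`stop` on the service class is full control of the daemon, callers of these interfaces should stay gated behind a tunable, as the sysnetwork change in this commit does.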

diff --git a/policy/modules/system/sysnetwork.fc 
b/policy/modules/system/sysnetwork.fc
index 7666ff87..90d9536f 100644
--- a/policy/modules/system/sysnetwork.fc
+++ b/policy/modules/system/sysnetwork.fc
@@ -27,6 +27,7 @@ ifdef(`distro_debian',`
 /etc/dhcp3?/dhclient.*         gen_context(system_u:object_r:dhcp_etc_t,s0)
 
 /etc/systemd/network(/.*)?     gen_context(system_u:object_r:net_conf_t,s0)
+/etc/tor/torsocks\.conf        --      
gen_context(system_u:object_r:net_conf_t,s0)
 
 ifdef(`distro_redhat',`
 /etc/sysconfig/network-scripts/.*resolv\.conf -- 
gen_context(system_u:object_r:net_conf_t,s0)
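Review bot: `/etc/tor/torsocks\.conf` is labelled `net_conf_t`, which makes it readable by every domain granted generic network-configuration access and writable by any domain allowed to manage net_conf_t, and it is placed in sysnetwork.fc rather than with other tor paths; a comment explaining the choice would help, e.g. `# torsocks is preloaded into arbitrary client domains, which must read its config`. The broad write reach of net_conf_t is the trade-off to be aware of if only client read access is needed. Whether a tor module in this tree already labels /etc/tor is not visible here.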

diff --git a/policy/modules/system/sysnetwork.te 
b/policy/modules/system/sysnetwork.te
index b14ffe0c..a8fe42d6 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -5,6 +5,14 @@ policy_module(sysnetwork, 1.26.5)
 # Declarations
 #
 
+## <desc>
+##      <p>
+##      Determine whether DHCP client
+##      can manage samba
+##      </p>
+## </desc>
+gen_tunable(dhcpc_manage_samba, false)
+
 attribute_role dhcpc_roles;
 roleattribute system_r dhcpc_roles;
 
@@ -176,6 +184,18 @@ ifdef(`init_systemd',`
        init_search_units(dhcpc_t)
 ')
 
+optional_policy(`
+       tunable_policy(`dhcpc_manage_samba',`
+               samba_manage_var_files(dhcpc_t)
+               init_exec_script_files(dhcpc_t)
+               init_get_system_status(dhcpc_t)
+               samba_stop(dhcpc_t)
+               samba_start(dhcpc_t)
+               samba_reload(dhcpc_t)
+               samba_status(dhcpc_t)
+       ')
+')
+
 optional_policy(`
        avahi_domtrans(dhcpc_t)
 ')
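Review bot: Inside the `dhcpc_manage_samba` tunable, `init_exec_script_files(dhcpc_t)` lets dhclient execute any init script in its own domain without a transition, which is much broader than the samba control the tunable describes, and `init_get_system_status(dhcpc_t)` is likewise not samba-specific. If the hook only invokes the samba service, the `samba_*` service interfaces already cover the systemd case and the script execution should be narrowed or at least commented with which script runs, e.g. `# dhclient hook restarts samba to pick up new network settings` if that is the case. The tunable's `<desc>` in the earlier hunk should also spell out that "manage" means start, stop, reload, status and writing samba's var files. The hook this block supports is not part of the diff.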
