commit: 3eefa3b065ed81f56fddfb12a372012ef5e2a336 Author: Russell Coker <russell <AT> coker <DOT> com <DOT> au> AuthorDate: Mon Sep 25 15:01:12 2023 +0000 Commit: Kenton Groombridge <concord <AT> gentoo <DOT> org> CommitDate: Fri Oct 6 15:27:06 2023 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3eefa3b0
small ntp and dns changes (#703) * Small changes for ntp, bind, avahi, and dnsmasq Signed-off-by: Russell Coker <russell <AT> coker.com.au> Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org> policy/modules/admin/dpkg.te | 9 +++++++++ policy/modules/services/avahi.te | 4 ++++ policy/modules/services/bind.te | 7 +++++-- policy/modules/services/dnsmasq.te | 4 ++++ policy/modules/services/ntp.fc | 1 + policy/modules/services/ntp.if | 19 +++++++++++++++++++ 6 files changed, 42 insertions(+), 2 deletions(-)
diff --git a/policy/modules/admin/dpkg.te b/policy/modules/admin/dpkg.te
index d6871de21..d4a56e5eb 100644
--- a/policy/modules/admin/dpkg.te
+++ b/policy/modules/admin/dpkg.te
@@ -350,8 +350,17 @@ optional_policy(`
 nis_use_ypbind(dpkg_script_t)
 ')
 
+optional_policy(`
+ ntp_filetrans_drift(dpkg_script_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(dpkg_script_t)
+')
+
 optional_policy(`
 systemd_read_logind_state(dpkg_script_t)
+ systemd_dbus_chat_hostnamed(dpkg_script_t)
 systemd_dbus_chat_logind(dpkg_script_t)
 systemd_run_sysusers(dpkg_script_t, dpkg_roles)
 ')
diff --git a/policy/modules/services/avahi.te b/policy/modules/services/avahi.te
index 773d2b8ff..1094e39db 100644
--- a/policy/modules/services/avahi.te
+++ b/policy/modules/services/avahi.te
@@ -111,3 +111,7 @@ optional_policy(`
 seutil_sigchld_newrole(avahi_t)
 ')
 
+optional_policy(`
+ unconfined_dbus_send(avahi_t)
+')
+
diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te
index 1b3e674a1..0a08be452 100644
--- a/policy/modules/services/bind.te
+++ b/policy/modules/services/bind.te
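Review bot: The three new grants for dpkg_script_t in the dpkg.te hunk — `ntp_filetrans_drift`, `policykit_dbus_chat` and `systemd_dbus_chat_hostnamed` — carry no comment saying which package's maintainer script needs them, whereas the dnsmasq.te hunk in the same commit does name the file it is for. Bidirectional D-Bus chat with polkit and hostnamed from package scripts is the kind of rule that is hard to justify or prune later without that context. A one-line comment above each new optional_policy block, on the pattern `# for <package> maintainer script` (placeholder for the actual package), would preserve the reason.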
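Review bot: `unconfined_dbus_send(avahi_t)` in the avahi.te hunk is added without saying what the network-facing avahi daemon has to send to unconfined_t; presumably it is delivering D-Bus signals (browse/resolve results) to unconfined bus clients, but that is an inference from the direction of the rule. Since the one-way `_dbus_send` form was chosen over `_dbus_chat`, a comment such as `# deliver D-Bus signals to unconfined bus clients` would record why the narrower form suffices and discourage a later widening to chat.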
@@ -213,9 +213,9 @@ optional_policy(`
 # NDC local policy
 #
 
-allow ndc_t self:capability { dac_override net_admin };
+allow ndc_t self:capability { dac_override dac_read_search net_admin };
 allow ndc_t self:capability2 block_suspend;
-allow ndc_t self:process signal_perms;
+allow ndc_t self:process { signal_perms getsched setsched };
 allow ndc_t self:fifo_file rw_fifo_file_perms;
 allow ndc_t self:unix_stream_socket { accept listen };
 
@@ -231,6 +231,9 @@ allow ndc_t named_zone_t:dir search_dir_perms;
 
 kernel_read_kernel_sysctls(ndc_t)
 kernel_read_system_state(ndc_t)
+kernel_read_vm_overcommit_sysctl(ndc_t)
+
+dev_read_sysfs(ndc_t)
 
 corenet_all_recvfrom_netlabel(ndc_t)
 corenet_tcp_sendrecv_generic_if(ndc_t)
diff --git a/policy/modules/services/dnsmasq.te b/policy/modules/services/dnsmasq.te
index 6d1799ba8..2e492954d 100644
--- a/policy/modules/services/dnsmasq.te
+++ b/policy/modules/services/dnsmasq.te
@@ -108,6 +108,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+ # for the dnsmasq-usb0.leases file
+ networkmanager_manage_lib_files(dnsmasq_t)
+
+ networkmanager_read_etc_files(dnsmasq_t)
 networkmanager_read_runtime_files(dnsmasq_t)
 ')
 
diff --git a/policy/modules/services/ntp.fc b/policy/modules/services/ntp.fc
index 4d014d196..4f19959e7 100644
--- a/policy/modules/services/ntp.fc
+++ b/policy/modules/services/ntp.fc
@@ -30,6 +30,7 @@
 /var/db/ntp-kod -- gen_context(system_u:object_r:ntp_drift_t,s0)
 /var/lib/ntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
+/var/lib/ntpsec(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
 /var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
 /var/lib/systemd/clock -- gen_context(system_u:object_r:ntp_drift_t,s0)
 /var/lib/systemd/timesync(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
diff --git a/policy/modules/services/ntp.if b/policy/modules/services/ntp.if
index 4953e9f08..9df5d8d07 100644
--- a/policy/modules/services/ntp.if
+++ b/policy/modules/services/ntp.if
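Review bot: In the first bind.te hunk, `dac_read_search` is added next to the existing `dac_override`; the kernel tries dac_read_search first for read and search access and only then dac_override, so the new capability silences an audit denial but the rule still grants the broadest DAC bypass. If the denials behind this change were only reads and directory searches (the rndc key or zone directories, say — an inference, not something the hunk shows), the rule could be narrowed to `allow ndc_t self:capability { dac_read_search net_admin };` by dropping dac_override. Worth checking against the audit log that motivated the change before narrowing it.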
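Review bot: `dev_read_sysfs(ndc_t)` in the second bind.te hunk is a read grant over all of sysfs, added together with `kernel_read_vm_overcommit_sysctl` and no comment on what rndc actually reads there; both look like library start-up probing rather than rndc logic, but that is an inference. A comment naming the path from the denial, e.g. `# for <sysfs path from audit log>` (placeholder), would let a later cleanup swap dev_read_sysfs for a narrower interface if one becomes available.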
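Review bot: `networkmanager_manage_lib_files(dnsmasq_t)` in the dnsmasq.te hunk grants the network-facing dnsmasq daemon create, write and delete on every file of NetworkManager's lib type to cover the single lease file named in the comment above it, which is much wider than the stated need since that directory also holds NetworkManager's own state files. The least-privilege fix is a dedicated lease type (or the module's existing lease type, if it has one) with a named file transition out of NetworkManager's lib directory for the leases file, so dnsmasq_t only manages files it created. If that is too invasive for this commit, the comment should at least say so: `# for the dnsmasq-usb0.leases file; manage on the whole lib type is a known over-approximation`.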
@@ -176,6 +176,25 @@ interface(`ntp_read_drift_files',`
 read_files_pattern($1, ntp_drift_t, ntp_drift_t)
 ')
 
+########################################
+## <summary>
+## specified domain creates /var/lib/ntpsec/ with the correct type
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ntp_filetrans_drift',`
+ gen_require(`
+ type ntp_drift_t;
+ ')
+
+ files_search_var_lib($1)
+ files_var_lib_filetrans($1, ntp_drift_t, dir)
+')
+
 ########################################
 ## <summary>
 ## Read and write ntpd shared memory.
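Review bot: `files_var_lib_filetrans($1, ntp_drift_t, dir)` in the new `ntp_filetrans_drift` interface passes no filename, so the transition applies to every directory $1 creates directly under /var/lib, not only /var/lib/ntpsec as the summary promises; for the dpkg_script_t caller this commit adds in dpkg.te, any other /var/lib/<dir> a maintainer script creates without a more specific named transition would be labelled ntp_drift_t. Pass the name so the rule matches the summary: `files_var_lib_filetrans($1, ntp_drift_t, dir, "ntpsec")`. The summary text should also follow the imperative style of the neighbouring interfaces, e.g. `Create the /var/lib/ntpsec directory with the ntp drift file type.`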