commit:     3eefa3b065ed81f56fddfb12a372012ef5e2a336
Author:     Russell Coker <russell <AT> coker <DOT> com <DOT> au>
AuthorDate: Mon Sep 25 15:01:12 2023 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Fri Oct  6 15:27:06 2023 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3eefa3b0

small ntp and dns changes (#703)

* Small changes for ntp, bind, avahi, and dnsmasq

Signed-off-by: Russell Coker <russell <AT> coker.com.au>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/admin/dpkg.te       |  9 +++++++++
 policy/modules/services/avahi.te   |  4 ++++
 policy/modules/services/bind.te    |  7 +++++--
 policy/modules/services/dnsmasq.te |  4 ++++
 policy/modules/services/ntp.fc     |  1 +
 policy/modules/services/ntp.if     | 19 +++++++++++++++++++
 6 files changed, 42 insertions(+), 2 deletions(-)

diff --git a/policy/modules/admin/dpkg.te b/policy/modules/admin/dpkg.te
index d6871de21..d4a56e5eb 100644
--- a/policy/modules/admin/dpkg.te
+++ b/policy/modules/admin/dpkg.te
@@ -350,8 +350,17 @@ optional_policy(`
        nis_use_ypbind(dpkg_script_t)
 ')
 
+optional_policy(`
+       ntp_filetrans_drift(dpkg_script_t)
+')
+
+optional_policy(`
+       policykit_dbus_chat(dpkg_script_t)
+')
+
 optional_policy(`
        systemd_read_logind_state(dpkg_script_t)
+       systemd_dbus_chat_hostnamed(dpkg_script_t)
        systemd_dbus_chat_logind(dpkg_script_t)
        systemd_run_sysusers(dpkg_script_t, dpkg_roles)
 ')
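Review bot: The new `ntp_filetrans_drift(dpkg_script_t)` call labels every directory dpkg_script_t creates directly under /var/lib as ntp_drift_t, because the interface it invokes (defined in the ntp.if hunk of this same commit) passes no filename to files_var_lib_filetrans; maintainer scripts create many /var/lib/<package> directories, so all of them would pick up the ntp drift type. Restricting the transition in the interface to the intended name, `files_var_lib_filetrans($1, ntp_drift_t, dir, "ntpsec")`, keeps this caller scoped to what the interface summary describes. The other two additions, `policykit_dbus_chat` and `systemd_dbus_chat_hostnamed`, carry no comment naming the maintainer-script action that needs them; a one-line why-comment in the style of the dnsmasq hunk would help the next reviewer.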

diff --git a/policy/modules/services/avahi.te b/policy/modules/services/avahi.te
index 773d2b8ff..1094e39db 100644
--- a/policy/modules/services/avahi.te
+++ b/policy/modules/services/avahi.te
@@ -111,3 +111,7 @@ optional_policy(`
        seutil_sigchld_newrole(avahi_t)
 ')
 
+optional_policy(`
+       unconfined_dbus_send(avahi_t)
+')
+
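Review bot: The final `+` line of the hunk appends an empty line after the closing `')`, leaving a trailing blank line at end of avahi.te; drop it so the file ends at the `')` like the other modules. `unconfined_dbus_send(avahi_t)` also has no comment saying which unconfined client avahi needs to message; a why-comment such as `# reply to unconfined D-Bus clients` should only be written if that is what the denial showed, since the need is not visible from the hunk.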

diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te
index 1b3e674a1..0a08be452 100644
--- a/policy/modules/services/bind.te
+++ b/policy/modules/services/bind.te
@@ -213,9 +213,9 @@ optional_policy(`
 # NDC local policy
 #
 
-allow ndc_t self:capability { dac_override net_admin };
+allow ndc_t self:capability { dac_override dac_read_search net_admin };
 allow ndc_t self:capability2 block_suspend;
-allow ndc_t self:process signal_perms;
+allow ndc_t self:process { signal_perms getsched setsched };
 allow ndc_t self:fifo_file rw_fifo_file_perms;
 allow ndc_t self:unix_stream_socket { accept listen };
 
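Review bot: `dac_read_search` is now granted alongside `dac_override` on the ndc_t capability line; if the underlying need is only to read files or search directories the process lacks DAC rights to, dac_read_search is the narrower capability, and once it is in place it is worth checking whether dac_override still shows up in the audit log, since it may then be a candidate for removal or dontaudit — that cannot be decided from the hunk alone. The `getsched setsched` additions on self:process look reasonable; a short comment on what rndc does with scheduling would make the line self-explaining. The ndc_t local policy block continues past the hunk.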
@@ -231,6 +231,9 @@ allow ndc_t named_zone_t:dir search_dir_perms;
 
 kernel_read_kernel_sysctls(ndc_t)
 kernel_read_system_state(ndc_t)
+kernel_read_vm_overcommit_sysctl(ndc_t)
+
+dev_read_sysfs(ndc_t)
 
 corenet_all_recvfrom_netlabel(ndc_t)
 corenet_tcp_sendrecv_generic_if(ndc_t)
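Review bot: `dev_read_sysfs(ndc_t)` grants read access to the whole of sysfs, and neither it nor `kernel_read_vm_overcommit_sysctl(ndc_t)` carries a comment saying what in rndc reads them; a why-comment above the two lines should state the observed trigger rather than a guess. If the sysfs access is for a single path, a narrower interface may cover it, but that is inferred rather than visible here.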

diff --git a/policy/modules/services/dnsmasq.te 
b/policy/modules/services/dnsmasq.te
index 6d1799ba8..2e492954d 100644
--- a/policy/modules/services/dnsmasq.te
+++ b/policy/modules/services/dnsmasq.te
@@ -108,6 +108,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+       # for the dnsmasq-usb0.leases file
+       networkmanager_manage_lib_files(dnsmasq_t)
+
+       networkmanager_read_etc_files(dnsmasq_t)
        networkmanager_read_runtime_files(dnsmasq_t)
 ')
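Review bot: `networkmanager_manage_lib_files(dnsmasq_t)` gives dnsmasq create, delete and rename rights over every file of NetworkManager's /var/lib type, while the comment justifies only the dnsmasq-usb0.leases file; a read/write rule, or a file transition of the lease file to a dnsmasq-private type, would scope the grant to that one need. The comment itself is good — keep it, and consider a similar one-liner for `networkmanager_read_etc_files(dnsmasq_t)`, which is added without one. The optional_policy block is complete within the hunk.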
 

diff --git a/policy/modules/services/ntp.fc b/policy/modules/services/ntp.fc
index 4d014d196..4f19959e7 100644
--- a/policy/modules/services/ntp.fc
+++ b/policy/modules/services/ntp.fc
@@ -30,6 +30,7 @@
 
 /var/db/ntp-kod                                --      
gen_context(system_u:object_r:ntp_drift_t,s0)
 /var/lib/ntp(/.*)?                             
gen_context(system_u:object_r:ntp_drift_t,s0)
+/var/lib/ntpsec(/.*)?                          
gen_context(system_u:object_r:ntp_drift_t,s0)
 /var/lib/sntp-kod(/.*)?                                
gen_context(system_u:object_r:ntp_drift_t,s0)
 /var/lib/systemd/clock                 --      
gen_context(system_u:object_r:ntp_drift_t,s0)
 /var/lib/systemd/timesync(/.*)?                        
gen_context(system_u:object_r:ntp_drift_t,s0)

diff --git a/policy/modules/services/ntp.if b/policy/modules/services/ntp.if
index 4953e9f08..9df5d8d07 100644
--- a/policy/modules/services/ntp.if
+++ b/policy/modules/services/ntp.if
@@ -176,6 +176,25 @@ interface(`ntp_read_drift_files',`
        read_files_pattern($1, ntp_drift_t, ntp_drift_t)
 ')
 
+########################################
+## <summary>
+##     specified domain creates /var/lib/ntpsec/ with the correct type
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`ntp_filetrans_drift',`
+       gen_require(`
+               type ntp_drift_t;
+       ')
+
+       files_search_var_lib($1)
+       files_var_lib_filetrans($1, ntp_drift_t, dir)
+')
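Review bot: The summary of the new `ntp_filetrans_drift` interface does not follow the file's convention of a capitalised imperative phrase (compare the neighbouring `Read and write ntpd shared memory.`); suggest `## Create the ntpsec directory in /var/lib with the ntp_drift_t type.` The interface name says "drift" while the summary names ntpsec, so stating both the path and the type in the summary as proposed keeps the two aligned for callers.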
+
 ########################################
 ## <summary>
 ##     Read and write ntpd shared memory.
