commit: 1d66af88aa2d390ac5783557e8d04289d16bc612 Author: Russell Coker <russell <AT> coker <DOT> com <DOT> au> AuthorDate: Mon Sep 25 15:46:04 2023 +0000 Commit: Kenton Groombridge <concord <AT> gentoo <DOT> org> CommitDate: Fri Oct 6 15:30:09 2023 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1d66af88
small storage changes (#706) * Changes to storage.fc, smartmon, samba and lvm Signed-off-by: Russell Coker <russell <AT> coker.com.au> * Add the interfaces this patch needs Signed-off-by: Russell Coker <russell <AT> coker.com.au> * use manage_sock_file_perms for sock_file Signed-off-by: Russell Coker <russell <AT> coker.com.au> * Renamed files_watch_all_file_type_dir to files_watch_all_dirs Signed-off-by: Russell Coker <russell <AT> coker.com.au> * Use read_files_pattern Signed-off-by: Russell Coker <russell <AT> coker.com.au> --------- Signed-off-by: Russell Coker <russell <AT> coker.com.au> Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org> policy/modules/kernel/files.if | 19 +++++++++++++++++++ policy/modules/kernel/storage.fc | 1 + policy/modules/services/samba.te | 11 ++++++++++- policy/modules/services/smartmon.if | 20 ++++++++++++++++++++ policy/modules/services/smartmon.te | 2 +- policy/modules/system/lvm.te | 1 + policy/modules/system/userdomain.if | 18 ++++++++++++++++++ 7 files changed, 70 insertions(+), 2 deletions(-)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index d8874ace2..a1113ff7c 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1426,6 +1426,25 @@ interface(`files_unmount_all_file_type_fs',`
 allow $1 file_type:filesystem unmount;
 ')
+########################################
+## <summary>
+## watch all directories of file_type
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_watch_all_dirs',`
+ gen_require(`
+ attribute file_type;
+ ')
+
+ allow $1 file_type:dir watch;
+')
+
+
 ########################################
 ## <summary>
 ## Read all non-authentication related
diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc
index 3033ac4de..9cd280c25 100644
--- a/policy/modules/kernel/storage.fc
+++ b/policy/modules/kernel/storage.fc
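Review bot: files_watch_all_dirs grants `dir watch` on the whole file_type attribute, which includes authentication-related directories, while the two samba hunks that call it (the samba_export_all_ro and samba_export_all_rw blocks) otherwise confine smbd_t to non_auth_file_type through files_list_non_auth_dirs, files_read_non_auth_files and files_manage_non_auth_files. A watch on a directory reveals the names of entries created, deleted or renamed in it, so an interface built on `attribute non_auth_file_type;` with `allow $1 non_auth_file_type:dir watch;` (named, say, files_watch_non_auth_dirs) would match the scope of the surrounding grants; the file_type version is only warranted if some caller genuinely needs every directory. The summary of this interface, like that of userdom_watch_user_home_dirs in the userdomain.if hunk, starts in lowercase, unlike the neighbouring `## Read all non-authentication related` and `## Send signull to unprivileged user domains.`; `## Watch all directories of file_type.` and `## Watch users' home directories.` would follow the file's style.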
@@ -29,6 +29,7 @@
 /dev/lvm -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/mcdx? -b gen_context(system_u:object_r:removable_device_t,s0)
 /dev/megadev.* -c gen_context(system_u:object_r:removable_device_t,s0)
+/dev/megaraid.* -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/mmcblk.* -b gen_context(system_u:object_r:removable_device_t,s0)
 /dev/mmcblk.* -c gen_context(system_u:object_r:removable_device_t,s0)
 /dev/mspblk.* -b gen_context(system_u:object_r:removable_device_t,s0)
diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
index 8ec3a1c62..f78d316cc 100644
--- a/policy/modules/services/samba.te
+++ b/policy/modules/services/samba.te
@@ -408,11 +408,13 @@ tunable_policy(`samba_create_home_dirs',`
 ')
 tunable_policy(`samba_enable_home_dirs',`
+ files_watch_home(smbd_t)
 userdom_manage_user_home_content_dirs(smbd_t)
 userdom_manage_user_home_content_files(smbd_t)
 userdom_manage_user_home_content_symlinks(smbd_t)
 userdom_manage_user_home_content_sockets(smbd_t)
 userdom_manage_user_home_content_pipes(smbd_t)
+ userdom_watch_user_home_dirs(smbd_t)
 ')
 tunable_policy(`samba_portmapper',`
@@ -444,11 +446,13 @@ tunable_policy(`samba_export_all_ro',`
 fs_read_noxattr_fs_files(smbd_t)
 files_list_non_auth_dirs(smbd_t)
 files_read_non_auth_files(smbd_t)
+ files_watch_all_dirs(smbd_t)
 ')
 tunable_policy(`samba_export_all_rw',`
 fs_read_noxattr_fs_files(smbd_t)
 files_manage_non_auth_files(smbd_t)
+ files_watch_all_dirs(smbd_t)
 ')
 optional_policy(`
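Review bot: The new `/dev/megaraid.*` entry is labelled fixed_disk_device_t at mls_systemhigh, while the adjacent `/dev/megadev.*` line, which as far as I can tell is the older management node for the same family of RAID controllers, stays at removable_device_t,s0. If both are controller management nodes rather than removable media, the two entries should probably agree, and fixed_disk_device_t is the more conservative of the two labels. A short `#` comment above the new line recording why this label was chosen would spare the next reader the same question.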
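Review bot: userdom_watch_user_home_dirs only grants watch on user_home_dir_t, the home directory itself, whereas the userdom_manage_user_home_content_* calls beside it in the samba_enable_home_dirs block presumably act on the user_home_t content type, and the manage permission set does not include watch. If the denial that motivated this change involved inotify on subdirectories inside a home, the watch on user_home_t directories is still missing; if only the top-level home directory needs watching this is fine, but it is worth confirming against the original denial. The samba_enable_home_dirs block is complete within the hunk; the samba_create_home_dirs block above it starts before the hunk.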
@@ -617,13 +621,17 @@ optional_policy(`
 allow smbcontrol_t self:process signal;
 allow smbcontrol_t self:fifo_file rw_fifo_file_perms;
 allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms;
+allow smbcontrol_t self:unix_dgram_socket create_socket_perms;
 allow smbcontrol_t self:process { signal signull };
 allow smbcontrol_t { winbind_t nmbd_t smbd_t }:process { signal signull };
-read_files_pattern(smbcontrol_t, samba_runtime_t, samba_runtime_t)
+allow smbcontrol_t { smbd_t nmbd_t }:unix_dgram_socket sendto;
+manage_files_pattern(smbcontrol_t, samba_runtime_t, samba_runtime_t)
+allow smbcontrol_t samba_runtime_t:file map;
 allow smbcontrol_t samba_runtime_t:dir rw_dir_perms;
 manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t)
+allow smbcontrol_t samba_var_t:sock_file manage_sock_file_perms;
 samba_read_config(smbcontrol_t)
 samba_search_var(smbcontrol_t)
@@ -639,6 +647,7 @@ files_search_var_lib(smbcontrol_t)
 term_use_console(smbcontrol_t)
 init_use_fds(smbcontrol_t)
+init_rw_inherited_stream_socket(smbcontrol_t)
 miscfiles_read_localization(smbcontrol_t)
diff --git a/policy/modules/services/smartmon.if b/policy/modules/services/smartmon.if
index 0783dc9e5..0ec35d7b3 100644
--- a/policy/modules/services/smartmon.if
+++ b/policy/modules/services/smartmon.if
@@ -56,3 +56,23 @@ interface(`smartmon_admin',`
 files_list_var_lib($1)
 admin_pattern($1, fsdaemon_var_lib_t)
 ')
+
+########################################
+## <summary>
+## Read fsdaemon /var/lib files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`fsdaemon_read_lib',`
+ gen_require(`
+ type fsdaemon_var_lib_t;
+ ')
+
+ read_files_pattern($1, fsdaemon_var_lib_t, fsdaemon_var_lib_t)
+')
+
diff --git a/policy/modules/services/smartmon.te b/policy/modules/services/smartmon.te
index 9818546bf..b21fab5fb 100644
--- a/policy/modules/services/smartmon.te
+++ b/policy/modules/services/smartmon.te
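Review bot: The smbcontrol_t rule on samba_runtime_t jumps from read_files_pattern straight to manage_files_pattern, which adds create, unlink and rename on the runtime files, whereas a messaging client that only has to open, write and lock an existing tdb is covered by `rw_files_pattern(smbcontrol_t, samba_runtime_t, samba_runtime_t)` together with the `file map` rule added below it; if the observed denial was for write or lock rather than create or unlink, the rw form is the narrower fix. The sock_file line would also read more idiomatically as `manage_sock_files_pattern(smbcontrol_t, samba_var_t, samba_var_t)`, matching the manage_files_pattern call on the line above it, and since that call already grants rw_dir_perms on samba_var_t the resulting policy is the same. The enclosing optional_policy block starts before this hunk.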
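Review bot: The new interface is named fsdaemon_read_lib, but the only other interface in this file is smartmon_admin, and refpolicy interfaces carry the module name as prefix; `smartmon_read_lib_files` would follow the convention used for read interfaces on *_var_lib_t types. read_files_pattern grants nothing on /var/lib itself, so callers would normally get `files_search_var_lib($1)` from the interface, in the same way smartmon_admin calls files_list_var_lib on the context lines above. None of the hunks in this commit calls the interface, so its consumer is presumably elsewhere, and the `<rolecap/>` tag marks interfaces meant to be granted to user roles, which seems unusual for a plain read of smartd's state files; both points are worth confirming with the intended caller.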
@@ -43,7 +43,7 @@ init_system_domain(smartmon_update_drivedb_t, smartmon_update_drivedb_exec_t)
 #
 allow fsdaemon_t self:capability { dac_override kill setgid setuid setpcap sys_admin sys_rawio };
-dontaudit fsdaemon_t self:capability sys_tty_config;
+dontaudit fsdaemon_t self:capability { net_admin sys_tty_config };
 allow fsdaemon_t self:process { getcap setcap signal_perms };
 allow fsdaemon_t self:fifo_file rw_fifo_file_perms;
 allow fsdaemon_t self:unix_stream_socket { accept listen };
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index 256d0cde3..f82dd8f8b 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -163,6 +163,7 @@ files_read_etc_files(lvm_t)
 files_watch_etc_files(lvm_t)
 files_read_etc_runtime_files(lvm_t)
+fs_getattr_cgroup(lvm_t)
 fs_getattr_xattr_fs(lvm_t)
 fs_search_auto_mountpoints(lvm_t)
 fs_list_tmpfs(lvm_t)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 0ae43ee6e..642da35cd 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -4576,6 +4576,24 @@ interface(`userdom_search_user_home_content',`
 allow $1 { user_home_dir_t user_home_t }:dir search_dir_perms;
 ')
+########################################
+## <summary>
+## watch users home directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_watch_user_home_dirs',`
+ gen_require(`
+ type user_home_dir_t;
+ ')
+
+ allow $1 user_home_dir_t:dir watch;
+')
+
 ########################################
 ## <summary>
 ## Send signull to unprivileged user domains.
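Review bot: net_admin is added to the fsdaemon_t capability dontaudit without a comment saying which operation of smartd triggers it, so a later reader cannot tell whether the denial is harmless noise or a symptom of a misconfiguration that should be fixed instead of silenced. A one-line comment above the rule, such as `# net_admin: <operation seen in the denial, to be filled in>`, would record the decision; dontaudit is the right tool only while the capability is confirmed to be unnecessary for the daemon to function.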