commit:     3cf4d89db3171671a05868dd5ecaf933c49fcaa4
Author:     Russell Coker <russell <AT> coker <DOT> com <DOT> au>
AuthorDate: Thu Sep 28 13:55:56 2023 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Fri Oct  6 15:30:52 2023 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3cf4d89d

mon.te patches as well as some fstools patches related to it (#697)

* Patches for mon, mostly mon local monitoring.

Also added the fsdaemon_read_lib() interface and the fstools patch, because
fstools also uses fsdaemon_read_lib() and is called by monitoring scripts

Signed-off-by: Russell Coker <russell <AT> coker.com.au>

* Added the files_dontaudit_tmpfs_file_getattr() and
storage_dev_filetrans_fixed_disk_control() interfaces needed

Signed-off-by: Russell Coker <russell <AT> coker.com.au>

* Fixed the issues from the review

Signed-off-by: Russell Coker <russell <AT> coker.com.au>

* Specify name to avoid conflicting file trans

Signed-off-by: Russell Coker <russell <AT> coker.com.au>

* fixed dontaudi_ typo

Signed-off-by: Russell Coker <russell <AT> coker.com.au>

* Changed storage_dev_filetrans_fixed_disk to have a mandatory parameter for 
the object class

Signed-off-by: Russell Coker <russell <AT> coker.com.au>

* Remove fsdaemon_read_lib as it was already merged

Signed-off-by: Russell Coker <russell <AT> coker.com.au>

---------

Signed-off-by: Russell Coker <russell <AT> coker.com.au>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/kernel/files.if      | 18 ++++++++++++++++++
 policy/modules/kernel/kernel.te     |  2 +-
 policy/modules/kernel/storage.if    |  7 ++++++-
 policy/modules/services/mon.te      | 30 ++++++++++++++++++++++++++----
 policy/modules/services/smartmon.te |  2 +-
 policy/modules/system/fstools.te    | 17 +++++++++++++++++
 policy/modules/system/init.te       |  2 +-
 policy/modules/system/lvm.te        |  2 +-
 policy/modules/system/raid.te       |  2 +-
 9 files changed, 72 insertions(+), 10 deletions(-)

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index a1113ff7c..591aa64d6 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -434,6 +434,24 @@ interface(`files_tmpfs_file',`
        typeattribute $1 tmpfsfile;
 ')
 
+########################################
+## <summary>
+##     dontaudit getattr on tmpfs files
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain to not have stat on tmpfs files audited
+##     </summary>
+## </param>
+#
+interface(`files_dontaudit_getattr_all_tmpfs_files',`
+       gen_require(`
+               attribute tmpfsfile;
+       ')
+
+       dontaudit $1 tmpfsfile:file getattr;
+')
+
 ########################################
 ## <summary>
 ##     Get the attributes of all directories.
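Review bot: The XML summary of the new interface (`dontaudit getattr on tmpfs files`) does not follow the convention of the neighbouring interfaces, which describe the access as a full sentence. Suggest `##     Do not audit attempts to get the attributes of all tmpfs files.` for the summary and `##     Domain to not audit.` for the parameter description. The rule only covers the `file` class, which matches the interface name, so callers that also see denials on tmpfs directories or symlinks will need a separate interface.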

diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 666d0e7e9..8156ac087 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -390,7 +390,7 @@ ifdef(`init_systemd',`
        ')
 
        optional_policy(`
-               storage_dev_filetrans_fixed_disk(kernel_t)
+               storage_dev_filetrans_fixed_disk(kernel_t, blk_file)
                storage_setattr_fixed_disk_dev(kernel_t)
                storage_create_fixed_disk_dev(kernel_t)
                storage_delete_fixed_disk_dev(kernel_t)

diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
index 9c581a910..777caea69 100644
--- a/policy/modules/kernel/storage.if
+++ b/policy/modules/kernel/storage.if
@@ -296,6 +296,11 @@ interface(`storage_manage_fixed_disk',`
 ##     Domain allowed access.
 ##     </summary>
 ## </param>
+## <param name="object_class">
+##     <summary>
+##     The class of the object to be created.
+##     </summary>
+## </param>
 ## <param name="filename" optional="true">
 ##     <summary>
 ##     Optional filename of the block device to be created
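Review bot: With `object_class` now chosen by the caller, the unchanged description just below it, `Optional filename of the block device to be created`, is stale: this same commit passes `chr_file` from fstools.te. Suggest `##     Optional filename of the device node to be created`. The interface summary above this hunk is outside the hunk and may need the same wording change.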
@@ -307,7 +312,7 @@ interface(`storage_dev_filetrans_fixed_disk',`
                type fixed_disk_device_t;
        ')
 
-       dev_filetrans($1, fixed_disk_device_t, blk_file, $2)
+       dev_filetrans($1, fixed_disk_device_t, $2, $3)
 ')
 
 ########################################

diff --git a/policy/modules/services/mon.te b/policy/modules/services/mon.te
index b9a349871..bbf0496b3 100644
--- a/policy/modules/services/mon.te
+++ b/policy/modules/services/mon.te
@@ -42,8 +42,7 @@ files_tmp_file(mon_tmp_t)
 
 allow mon_t self:fifo_file rw_fifo_file_perms;
 allow mon_t self:tcp_socket create_stream_socket_perms;
-# for mailxmpp.alert to set ulimit
-allow mon_t self:process setrlimit;
+allow mon_t self:process { setrlimit getsched signal };
 
 domtrans_pattern(mon_t, mon_local_test_exec_t, mon_local_test_t)
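Review bot: The why-comment `# for mailxmpp.alert to set ulimit` is dropped while `setrlimit` is kept, so the rationale for that permission is lost and the new `getsched` and `signal` arrive without one. Suggest keeping it above the new line, e.g. `# setrlimit is for mailxmpp.alert to set ulimit`, and adding a second comment naming the alert or monitor that needs `getsched signal`.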
 
@@ -104,6 +103,11 @@ optional_policy(`
        mta_send_mail(mon_t)
 ')
 
+optional_policy(`
+       # for config of xmpp sending program
+       xdg_read_config_files(mon_t)
+')
+
 ########################################
 #
 # Local policy
@@ -151,6 +155,10 @@ optional_policy(`
        mysql_stream_connect(mon_net_test_t)
 ')
 
+optional_policy(`
+       snmp_read_snmp_var_lib_files(mon_net_test_t)
+')
+
 ########################################
 #
 # Local policy
@@ -161,9 +169,10 @@ optional_policy(`
 #
 
 # sys_ptrace is for reading /proc/1/maps etc
-allow mon_local_test_t self:capability { sys_ptrace sys_admin };
+allow mon_local_test_t self:capability { dac_override dac_read_search setgid 
setuid sys_ptrace sys_admin };
 allow mon_local_test_t self:fifo_file rw_fifo_file_perms;
-allow mon_local_test_t self:process getsched;
+allow mon_local_test_t self:process { getsched sigkill sigstop signal };
+allow mon_local_test_t self:cap_userns sys_ptrace;
 
 can_exec(mon_local_test_t, mon_local_test_exec_t)
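Review bot: The capability set of mon_local_test_t grows from `{ sys_ptrace sys_admin }` to also include `dac_override dac_read_search setgid setuid` plus `cap_userns sys_ptrace`, yet the only comment still explains `sys_ptrace` alone. Each of these is a root-equivalent permission for a domain that runs local monitoring scripts, so a comment naming the monitor that needs each one would let a later reviewer drop them when that monitor is retired. If the monitors only need to read files they do not own, `dac_read_search` is sufficient and `dac_override`, which also bypasses write checks, could be removed; that is inferred from the names and should be checked against the denials that motivated the change. The line break after `setgid` looks like wrapping by the mailing-list archive rather than a change to the policy source.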
 
@@ -184,8 +193,10 @@ dev_getattr_sysfs(mon_local_test_t)
 dev_read_urand(mon_local_test_t)
 dev_read_sysfs(mon_local_test_t)
 
+domain_getattr_all_domains(mon_local_test_t)
 domain_read_all_domains_state(mon_local_test_t)
 
+files_dontaudit_getattr_all_tmpfs_files(mon_local_test_t)
 files_read_usr_files(mon_local_test_t)
 files_search_mnt(mon_local_test_t)
 files_search_spool(mon_local_test_t)
@@ -194,9 +205,18 @@ files_list_boot(mon_local_test_t)
 fs_search_auto_mountpoints(mon_local_test_t)
 fs_getattr_nfs(mon_local_test_t)
 fs_getattr_xattr_fs(mon_local_test_t)
+fs_list_cgroup_dirs(mon_local_test_t)
 fs_list_hugetlbfs(mon_local_test_t)
 fs_list_tmpfs(mon_local_test_t)
+fs_read_cgroup_files(mon_local_test_t)
+fs_search_cgroup_dirs(mon_local_test_t)
 fs_search_nfs(mon_local_test_t)
+fstools_domtrans(mon_local_test_t)
+
+# for selinux.monitor
+selinux_get_enforce_mode(mon_local_test_t)
+selinux_getattr_fs(mon_local_test_t)
+seutil_search_default_contexts(mon_local_test_t)
 
 storage_getattr_fixed_disk_dev(mon_local_test_t)
 storage_getattr_removable_dev(mon_local_test_t)
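Review bot: `fstools_domtrans(mon_local_test_t)` is called unconditionally in the middle of the kernel-layer `fs_*` group, whereas this same commit wraps cross-module calls in `optional_policy(`…`)` in fstools.te (its `fsdaemon_read_lib` and `mon_dontaudit_use_fds` blocks). Moving it into an `optional_policy` block with the other optional ones appears to match the file's layout and avoids a build-time dependency on the fstools module. A comment naming the local monitor that runs filesystem tools would also help; the `# for selinux.monitor` group below is a good model.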
@@ -208,12 +228,14 @@ application_exec_all(mon_local_test_t)
 
 auth_use_nsswitch(mon_local_test_t)
 
+fsdaemon_read_lib(mon_local_test_t)
 init_getattr_initctl(mon_local_test_t)
 
 logging_send_syslog_msg(mon_local_test_t)
 
 miscfiles_read_generic_certs(mon_t)
 miscfiles_read_localization(mon_local_test_t)
+storage_raw_read_fixed_disk(mon_local_test_t)
 
 sysnet_read_config(mon_local_test_t)
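Review bot: `fsdaemon_read_lib(mon_local_test_t)` is called unconditionally here, while the same interface is wrapped in `optional_policy(`…`)` in the fstools.te hunk of this commit; smartmon is a separately built module, so the unwrapped call ties mon to it at build time. Wrap it the same way. `storage_raw_read_fixed_disk(mon_local_test_t)` grants raw reads of fixed-disk device nodes to the monitoring-script domain, a much larger grant than the existing `storage_getattr_*` calls, and it is placed among the system-layer interfaces rather than next to those kernel-layer storage calls. Moving it up beside `storage_getattr_fixed_disk_dev` with a comment naming the monitor that reads disks directly would document the justification.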
 

diff --git a/policy/modules/services/smartmon.te 
b/policy/modules/services/smartmon.te
index b21fab5fb..32c80f712 100644
--- a/policy/modules/services/smartmon.te
+++ b/policy/modules/services/smartmon.te
@@ -108,7 +108,7 @@ tunable_policy(`smartmon_3ware',`
 
        storage_create_fixed_disk_dev(fsdaemon_t)
        storage_delete_fixed_disk_dev(fsdaemon_t)
-       storage_dev_filetrans_fixed_disk(fsdaemon_t)
+       storage_dev_filetrans_fixed_disk(fsdaemon_t, blk_file)
 
        selinux_validate_context(fsdaemon_t)
 

diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index 0e3a98967..b2d22e90a 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -34,6 +34,7 @@ ifdef(`distro_gentoo',`
 
 # ipc_lock is for losetup
 allow fsadm_t self:capability { dac_override dac_read_search ipc_lock 
sys_admin sys_rawio sys_resource sys_tty_config };
+dontaudit fsadm_t self:capability net_admin;
 allow fsadm_t self:process { transition signal_perms getsched setsched 
getsession getpgid setpgid getcap setcap share getattr noatsecure siginh 
rlimitinh dyntransition execstack setkeycreate setsockcreate getrlimit };
 allow fsadm_t self:fd use;
 allow fsadm_t self:fifo_file rw_fifo_file_perms;
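Review bot: `dontaudit fsadm_t self:capability net_admin;` is added without a comment naming the tool that probes `net_admin`, unlike the `# ipc_lock is for losetup` line it follows. A one-line note such as `# <TOOL> probes net_admin at startup; not needed` (tool name to be filled in from the audit record) keeps the dontaudit reviewable later.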
@@ -123,6 +124,8 @@ files_manage_lost_found(fsadm_t)
 files_manage_etc_runtime_files(fsadm_t)
 files_etc_filetrans_etc_runtime(fsadm_t, file)
 
+fs_getattr_cgroup(fsadm_t)
+fs_getattr_dos_fs(fsadm_t)
 fs_rw_all_image_files(fsadm_t)
 fs_search_auto_mountpoints(fsadm_t)
 fs_getattr_xattr_fs(fsadm_t)
@@ -135,6 +138,8 @@ fs_list_auto_mountpoints(fsadm_t)
 fs_search_tmpfs(fsadm_t)
 fs_getattr_tmpfs_dirs(fsadm_t)
 fs_read_tmpfs_symlinks(fsadm_t)
+# for fstrim
+files_manage_boot_dirs(fsadm_t)
 # Recreate /mnt/cdrom.
 files_manage_mnt_dirs(fsadm_t)
 # for tune2fs
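Review bot: `files_manage_boot_dirs(fsadm_t)` for fstrim grants create, delete and rename on boot directories, while issuing a trim only needs to open the mountpoint directory and ioctl it. If the motivating denial was only open/read/ioctl on a boot_t directory, a narrower interface such as `files_list_boot` (this policy's dir list permission set includes ioctl) would cover it; this is inferred from how fstrim works and should be checked against the audit record. Either way the comment could state the permission that was denied, e.g. `# for fstrim (FITRIM ioctl on the boot directory)`.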
@@ -145,6 +150,8 @@ mls_file_write_all_levels(fsadm_t)
 
 selinux_getattr_fs(fsadm_t)
 
+storage_dev_filetrans_fixed_disk(fsadm_t, chr_file, "megaraid_sas_ioctl_node")
+storage_manage_fixed_disk(fsadm_t)
 storage_raw_read_fixed_disk(fsadm_t)
 storage_raw_write_fixed_disk(fsadm_t)
 storage_raw_read_removable_device(fsadm_t)
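Review bot: The new `storage_dev_filetrans_fixed_disk(fsadm_t, chr_file, "megaraid_sas_ioctl_node")` and `storage_manage_fixed_disk(fsadm_t)` lines carry no comment, and the second grants fsadm_t creation and deletion of every fixed-disk device node rather than only the named one. A comment such as `# megaraid tools create their ioctl node under /dev` (the tool is inferred from the node name; confirm) would document the file transition. If only that node needs to be created, check whether `storage_create_fixed_disk_dev`, as smartmon.te uses in this same commit, is sufficient instead of the full manage interface.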
@@ -157,6 +164,8 @@ term_use_console(fsadm_t)
 init_use_fds(fsadm_t)
 init_use_script_ptys(fsadm_t)
 init_dontaudit_getattr_initctl(fsadm_t)
+# for systemd-fsckd to access /proc/1/environ
+init_read_state(fsadm_t)
 init_rw_script_stream_sockets(fsadm_t)
 
 logging_send_syslog_msg(fsadm_t)
@@ -199,6 +208,10 @@ optional_policy(`
        devicekit_append_inherited_log_files(fsadm_t)
 ')
 
+optional_policy(`
+       fsdaemon_read_lib(fsadm_t)
+')
+
 optional_policy(`
        livecd_rw_tmp_files(fsadm_t)
 ')
@@ -212,6 +225,10 @@ optional_policy(`
        munin_rw_tcp_sockets(fsadm_t)
 ')
 
+optional_policy(`
+       mon_dontaudit_use_fds(fsadm_t)
+')
+
 optional_policy(`
        nis_use_ypbind(fsadm_t)
 ')

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 713558ad2..457fac072 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1043,7 +1043,7 @@ ifdef(`distro_redhat',`
        fs_manage_tmpfs_files(initrc_t)
 
        storage_manage_fixed_disk(initrc_t)
-       storage_dev_filetrans_fixed_disk(initrc_t)
+       storage_dev_filetrans_fixed_disk(initrc_t, blk_file)
        storage_getattr_removable_dev(initrc_t)
 
        # readahead asks for these

diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index f82dd8f8b..82c4844d0 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -190,7 +190,7 @@ storage_dontaudit_read_removable_device(lvm_t)
 # LVM(2) needs to create directories (/dev/mapper, /dev/<vg>)
 # and links from /dev/<vg> to /dev/mapper/<vg>-<lv>
 # cjp: needs to create an interface here for fixed disk create
-storage_dev_filetrans_fixed_disk(lvm_t)
+storage_dev_filetrans_fixed_disk(lvm_t, blk_file)
 # Access raw devices and old /dev/lvm (c 109,0).  Is this needed?
 storage_manage_fixed_disk(lvm_t)
 

diff --git a/policy/modules/system/raid.te b/policy/modules/system/raid.te
index e10e31850..907facf8d 100644
--- a/policy/modules/system/raid.te
+++ b/policy/modules/system/raid.te
@@ -73,7 +73,7 @@ fs_dontaudit_list_tmpfs(mdadm_t)
 mls_file_read_all_levels(mdadm_t)
 mls_file_write_all_levels(mdadm_t)
 
-storage_dev_filetrans_fixed_disk(mdadm_t)
+storage_dev_filetrans_fixed_disk(mdadm_t, blk_file)
 storage_manage_fixed_disk(mdadm_t)
 storage_read_scsi_generic(mdadm_t)
 storage_write_scsi_generic(mdadm_t)
