commit:     5a4608dfd87f63d1c61c5105f52dd70af5217bd0
Author:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
AuthorDate: Mon May  6 21:46:06 2024 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Tue May 14 17:41:54 2024 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5a4608df

various: various fixes

Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/kernel/devices.if      | 19 +++++++++++++++++++
 policy/modules/services/kubernetes.te |  2 ++
 policy/modules/system/authlogin.if    |  3 +++
 policy/modules/system/authlogin.te    |  1 +
 policy/modules/system/raid.te         |  3 ++-
 policy/modules/system/selinuxutil.te  |  1 +
 6 files changed, 28 insertions(+), 1 deletion(-)

diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 344d858cf..c7af194b1 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -2897,6 +2897,25 @@ interface(`dev_delete_lvm_control_dev',`
        delete_chr_files_pattern($1, device_t, lvm_control_t)
 ')
 
+########################################
+## <summary>
+##     Do not audit attempts to read and write the
+##     Intel Management Engine Interface device.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`dev_dontaudit_rw_mei',`
+       gen_require(`
+               type mei_device_t;
+       ')
+
+       dontaudit $1 mei_device_t:chr_file rw_chr_file_perms;
+')
+
 ########################################
 ## <summary>
 ##     dontaudit getattr raw memory devices (e.g. /dev/mem).

diff --git a/policy/modules/services/kubernetes.te 
b/policy/modules/services/kubernetes.te
index 3ba666299..839635026 100644
--- a/policy/modules/services/kubernetes.te
+++ b/policy/modules/services/kubernetes.te
@@ -618,6 +618,8 @@ userdom_use_user_terminals(kubectl_domain)
 # kubectl local policy
 #
 
+dontaudit kubectl_t self:capability { sys_admin sys_resource };
+
 kernel_dontaudit_getattr_proc(kubectl_t)
 
 auth_use_nsswitch(kubectl_t)

diff --git a/policy/modules/system/authlogin.if 
b/policy/modules/system/authlogin.if
index a91ab7acb..a90ebb3db 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -105,6 +105,9 @@ interface(`auth_use_pam_systemd',`
        systemd_connect_machined($1)
        systemd_dbus_chat_logind($1)
        systemd_read_logind_state($1)
+
+       # to read /etc/machine-id
+       files_read_etc_runtime_files($1)
 ')
 
 ########################################

diff --git a/policy/modules/system/authlogin.te 
b/policy/modules/system/authlogin.te
index 9920ea699..14d2774a1 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -142,6 +142,7 @@ term_dontaudit_use_all_ptys(chkpwd_t)
 
 auth_read_shadow_history(chkpwd_t)
 auth_use_nsswitch(chkpwd_t)
+auth_use_pam_systemd(chkpwd_t)
 
 logging_send_audit_msgs(chkpwd_t)
 logging_send_syslog_msg(chkpwd_t)

diff --git a/policy/modules/system/raid.te b/policy/modules/system/raid.te
index c8db38261..e5e649f6b 100644
--- a/policy/modules/system/raid.te
+++ b/policy/modules/system/raid.te
@@ -28,7 +28,7 @@ init_unit_file(mdadm_unit_t)
 #
 
 allow mdadm_t self:capability { dac_override ipc_lock sys_admin };
-dontaudit mdadm_t self:capability sys_tty_config;
+dontaudit mdadm_t self:capability { net_admin sys_tty_config };
 dontaudit mdadm_t self:cap_userns sys_ptrace;
 allow mdadm_t self:process { getsched setsched signal_perms };
 allow mdadm_t self:fifo_file rw_fifo_file_perms;
@@ -53,6 +53,7 @@ corecmd_exec_shell(mdadm_t)
 dev_rw_sysfs(mdadm_t)
 dev_dontaudit_getattr_all_blk_files(mdadm_t)
 dev_dontaudit_getattr_all_chr_files(mdadm_t)
+dev_dontaudit_rw_mei(mdadm_t)
 dev_read_realtime_clock(mdadm_t)
 # create links in /dev/md
 dev_create_generic_symlinks(mdadm_t)

diff --git a/policy/modules/system/selinuxutil.te 
b/policy/modules/system/selinuxutil.te
index 6393fadcf..46c275e38 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -515,6 +515,7 @@ seutil_domtrans_semanage(selinux_dbus_t)
 #
 
 allow semanage_t self:capability { audit_write dac_override };
+dontaudit semanage_t self:capability { sys_admin sys_resource };
 allow semanage_t self:unix_stream_socket create_stream_socket_perms;
 allow semanage_t self:unix_dgram_socket create_socket_perms;
 allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms 
nlmsg_relay };

Reply via email to