[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/, policy/modules/services/
commit: 5a4608dfd87f63d1c61c5105f52dd70af5217bd0 Author: Kenton Groombridge gentoo org> AuthorDate: Mon May 6 21:46:06 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Tue May 14 17:41:54 2024 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5a4608df various: various fixes Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/kernel/devices.if | 19 +++ policy/modules/services/kubernetes.te | 2 ++ policy/modules/system/authlogin.if| 3 +++ policy/modules/system/authlogin.te| 1 + policy/modules/system/raid.te | 3 ++- policy/modules/system/selinuxutil.te | 1 + 6 files changed, 28 insertions(+), 1 deletion(-) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if index 344d858cf..c7af194b1 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -2897,6 +2897,25 @@ interface(`dev_delete_lvm_control_dev',` delete_chr_files_pattern($1, device_t, lvm_control_t) ') + +## +## Do not audit attempts to read and write the +## Intel Management Engine Interface device. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_dontaudit_rw_mei',` + gen_require(` + type mei_device_t; + ') + + dontaudit $1 mei_device_t:chr_file rw_chr_file_perms; +') + ## ## dontaudit getattr raw memory devices (e.g. /dev/mem). diff --git a/policy/modules/services/kubernetes.te b/policy/modules/services/kubernetes.te index 3ba666299..839635026 100644 --- a/policy/modules/services/kubernetes.te +++ b/policy/modules/services/kubernetes.te @@ -618,6 +618,8 @@ userdom_use_user_terminals(kubectl_domain) # kubectl local policy # +dontaudit kubectl_t self:capability { sys_admin sys_resource }; + kernel_dontaudit_getattr_proc(kubectl_t) auth_use_nsswitch(kubectl_t) diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if index a91ab7acb..a90ebb3db 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if 
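Review bot: The new `dontaudit kubectl_t self:capability { sys_admin sys_resource };` in the kubernetes.te hunk silences denials for two broad capabilities without recording what triggers them, and the commit message ("various fixes") does not say either; the `dontaudit semanage_t self:capability { sys_admin sys_resource };` line in this commit's selinuxutil.te hunk has the same gap. A dontaudit grants nothing, but it also removes the audit trail an operator would rely on to notice a genuine sys_admin attempt from these domains, so the trigger belongs next to the rule. Suggest a one-line comment above each, e.g. `# silence <TODO: name the denying call> capability checks; access is still denied`, filled in from the AVC that motivated the change (not visible here).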
@@ -105,6 +105,9 @@ interface(`auth_use_pam_systemd',` systemd_connect_machined($1) systemd_dbus_chat_logind($1) systemd_read_logind_state($1) + + # to read /etc/machine-id + files_read_etc_runtime_files($1) ') diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te index 9920ea699..14d2774a1 100644 --- a/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te @@ -142,6 +142,7 @@ term_dontaudit_use_all_ptys(chkpwd_t) auth_read_shadow_history(chkpwd_t) auth_use_nsswitch(chkpwd_t) +auth_use_pam_systemd(chkpwd_t) logging_send_audit_msgs(chkpwd_t) logging_send_syslog_msg(chkpwd_t) diff --git a/policy/modules/system/raid.te b/policy/modules/system/raid.te index c8db38261..e5e649f6b 100644 --- a/policy/modules/system/raid.te +++ b/policy/modules/system/raid.te @@ -28,7 +28,7 @@ init_unit_file(mdadm_unit_t) # allow mdadm_t self:capability { dac_override ipc_lock sys_admin }; -dontaudit mdadm_t self:capability sys_tty_config; +dontaudit mdadm_t self:capability { net_admin sys_tty_config }; dontaudit mdadm_t self:cap_userns sys_ptrace; allow mdadm_t self:process { getsched setsched signal_perms }; allow mdadm_t self:fifo_file rw_fifo_file_perms; @@ -53,6 +53,7 @@ corecmd_exec_shell(mdadm_t) dev_rw_sysfs(mdadm_t) dev_dontaudit_getattr_all_blk_files(mdadm_t) dev_dontaudit_getattr_all_chr_files(mdadm_t) +dev_dontaudit_rw_mei(mdadm_t) dev_read_realtime_clock(mdadm_t) # create links in /dev/md dev_create_generic_symlinks(mdadm_t) diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te index 6393fadcf..46c275e38 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te 
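Review bot: `auth_use_pam_systemd(chkpwd_t)` in the authlogin.te hunk extends the password-checking helper with the whole pam_systemd bundle — machined connect, logind D-Bus chat, logind state and, via this commit's authlogin.if hunk, /etc/machine-id reads — and nothing in the commit says which chkpwd_t denial motivated it. chkpwd_t is the helper that handles password material, so widening its D-Bus reach deserves a line of justification next to the call; if only the machine-id read was failing, `files_read_etc_runtime_files(chkpwd_t)` would be the narrower change. Suggest `# pam_systemd runs in the chkpwd PAM stack (TODO: cite the AVC)` above the call, or the narrower interface if that is all that fails.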
@@ -515,6 +515,7 @@ seutil_domtrans_semanage(selinux_dbus_t) # allow semanage_t self:capability { audit_write dac_override }; +dontaudit semanage_t self:capability { sys_admin sys_resource }; allow semanage_t self:unix_stream_socket create_stream_socket_perms; allow semanage_t self:unix_dgram_socket create_socket_perms; allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/
commit: ef89017d69182a71eb3cd46369ba5bb079f6f165 Author: Grzegorz Filo wp pl> AuthorDate: Thu Apr 4 18:09:08 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Tue May 14 17:43:11 2024 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ef89017d remove unnecessary code Signed-off-by: Grzegorz Filo wp.pl> Closes: https://github.com/gentoo/hardened-refpolicy/pull/2 Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/admin/bootloader.te | 5 - policy/modules/admin/portage.te| 1 - 2 files changed, 6 deletions(-)
diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
index 81748a5f3..5a7e1cd4d 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -263,8 +263,3 @@ optional_policy(`
 optional_policy(`
 rpm_rw_pipes(bootloader_t)
 ')
-
-ifdef(`distro_gentoo',`
- # Fix bug #537652 - grub2-mkconfig has search rights needed on current dir (usually user home dir)
- userdom_search_user_home_dirs(bootloader_t)
-')
diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
index 2cd5d0482..c42552651 100644
--- a/policy/modules/admin/portage.te
+++ b/policy/modules/admin/portage.te
@@ -173,7 +173,6 @@ allow portage_t self:process { setfscreate };
 # - kill for mysql merging, at least
 allow portage_t self:capability { kill setfcap sys_nice };
 allow portage_t self:netlink_route_socket create_netlink_socket_perms;
-dontaudit portage_t self:capability { dac_read_search };
 # user post-sync scripts
 can_exec(portage_t, portage_conf_t)
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
commit: 8271ab906f4389dae37b0470c44cdc6ab15b784d Author: Kenton Groombridge gentoo org> AuthorDate: Mon May 6 20:39:41 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Tue May 14 17:41:49 2024 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8271ab90 container: allow containers to getcap Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/services/container.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te
index 9699ac36d..68aa97ae5 100644
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@@ -286,7 +286,7 @@ corenet_port(container_port_t)
 dontaudit container_domain self:capability fsetid;
 dontaudit container_domain self:capability2 block_suspend;
 allow container_domain self:cap_userns { chown dac_override dac_read_search fowner kill setgid setuid };
-allow container_domain self:process { execstack execmem getattr getsched getsession setsched setcap setpgid signal_perms };
+allow container_domain self:process { execstack execmem getattr getcap getsched getsession setsched setcap setpgid signal_perms };
 allow container_domain self:dir rw_dir_perms;
 allow container_domain self:file create_file_perms;
 allow container_domain self:fifo_file manage_fifo_file_perms;
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/services/
commit: b18c0d3743affd70627adf0832b0fef674f50165 Author: Kenton Groombridge gentoo org> AuthorDate: Mon May 6 21:03:59 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Tue May 14 17:41:52 2024 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b18c0d37 container, podman: various fixes Various fixes for containers and podman, mostly centered around quadlet and netavark updates. One particular change which may stand out is allowing podman_conmon_t to IOCTL container_file_t files. I wish I could know why this was hit, but I don't. The relevant AVC is: type=PROCTITLE msg=audit(1704734027.100:15951872): proctitle=2F7573722F6C6962657865632F706F646D616E2F636F6E6D6F6E002D2D6170692D76657273696F6E0031002D630038316432646439333738336637626231346134326463396635333163663533323864653337633838663330383466316634613036616464366163393035666337002D75003831643264643933373833663762 type=EXECVE msg=audit(1704734027.100:15951872): argc=93 a0="/usr/libexec/podman/conmon" a1="--api-version" a2="1" a3="-c" a4="81d2dd93783f7bb14a42dc9f531cf5328de37c88f3084f1f4a06add6ac905fc7" a5="-u" a6="81d2dd93783f7bb14a42dc9f531cf5328de37c88f3084f1f4a06add6ac905fc7" a7="-r" a8="/usr/bin/crun" a9="-b" a10="/var/lib/containers/storage/overlay-containers/81d2dd93783f7bb14a42dc9f531cf5328de37c88f3084f1f4a06add6ac905fc7/userdata" a11="-p" a12="/run/containers/storage/overlay-containers/81d2dd93783f7bb14a42dc9f531cf5328de37c88f3084f1f4a06add6ac905fc7/userdata/pidfile" a13="-n" a14="harbor-core-pod-core" a15="--exit-dir" a16="/run/libpod/exits" a17="--full-attach" a18="-s" a19="-l" a20="journald" a21="--log-level" a22="warning" a23="--syslog" a24="--runtime-arg" a25="--log-format=json" a26="--runtime-arg" a27="--log" a28="--runtime-arg=/run/containers/storage/overlay-containers/81d2dd93783f7bb14a42dc9f531cf5328de37c88f3084f1f4a06add6ac905fc7/userdata/oci-log" a29="--conmon-pidfile" a30=" 
/run/containers/storage/overlay-containers/81d2dd93783f7bb14a42dc9f531cf5328de37c88f3084f1f4a06add6ac905fc7/userdata/conmon.pid" a31="--exit-command" a32="/usr/bin/podman" a33="--exit-command-arg" a34="--root" a35="--exit-command-arg" a36="/var/lib/containers/storage" a37="--exit-command-arg" a38="--runroot" a39="--exit-command-arg" a40="/run/containers/storage" a41="--exit-command-arg" a42="--log-level" a43="--exit-command-arg" a44="warning" a45="--exit-command-arg" a46="--cgroup-manager" a47="--exit-command-arg" a48="systemd" a49="--exit-command-arg" a50="--tmpdir" a51="--exit-command-arg" a52="/run/libpod" a53="--exit-command-arg" a54="--network-config-dir" a55="--exit-command-arg" a56="" a57="--exit-command-arg" a58="--network-backend" a59="--exit-command-arg" a60="netavark" a61="--exit-command-arg" a62="--volumepath" a63="--exit-command-arg" a64="/var/lib/containers/storage/volumes" a65="--exit-command-arg" a66="--db-backend" a67="--exit-command-arg" a68="sqlite" a69="--exit-co mmand-arg" a70="--transient-store=false" a71="--exit-command-arg" a72="--runtime" a73="--exit-command-arg" a74="crun" a75="--exit-command-arg" a76="--storage-driver" a77="--exit-command-arg" a78="overlay" a79="--exit-command-arg" a80="--storage-opt" a81="--exit-command-arg" a82="overlay.mountopt=nodev" a83="--exit-command-arg" a84="--events-backend" a85="--exit-command-arg" a86="journald" a87="--exit-command-arg" a88="container" a89="--exit-command-arg" a90="cleanup" a91="--exit-command-arg" a92="81d2dd93783f7bb14a42dc9f531cf5328de37c88f3084f1f4a06add6ac905fc7" type=SYSCALL msg=audit(1704734027.100:15951872): arch=c03e syscall=59 success=yes exit=0 a0=c000698020 a1=c0005ea600 a2=c000820d20 a3=0 items=0 ppid=3434178 pid=3434219 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="conmon" exe="/usr/bin/conmon" subj=system_u:system_r:podman_conmon_t:s0 key=(null) type=AVC msg=audit(1704734027.100:15951872): avc: denied { ioctl } for 
pid=3434219 comm="conmon" path="/var/lib/containers/storage/volumes/harbor-core/_data/key" dev="dm-0" ino=50845175 scontext=system_u:system_r:podman_conmon_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=file permissive=1 Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/services/container.if | 36 policy/modules/services/podman.te| 16 ++-- policy/modules/system/init.if| 20 3 files changed, 70 insertions(+), 2 deletions(-) diff --git a/policy/modules/services/container.if b/policy/modules/services/container.if index 268ebec46..009fffc4a 100644 --- a/policy/modules/services/container.if +++ b/policy/modules/services/container.if @@ -876,6 +876,24 @@ interface(`container_signal_all_containers',` allow $1 container_domain:process signal_perms; ') + +## +## Send signals to a system container. +## +## +## +## Domain allowed
[gentoo-commits] proj/hardened-refpolicy:master commit in: testing/, .github/workflows/
commit: 88a0ed139bf2bd39ff7e09d50e6dcf9ca6f4e5a4 Author: Chris PeBenito linux microsoft com> AuthorDate: Fri Feb 23 21:12:25 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Tue May 14 17:41:20 2024 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=88a0ed13 tests.yml: Add sechecker testing. Add initial privilege and integrity tests. Signed-off-by: Chris PeBenito linux.microsoft.com> Signed-off-by: Kenton Groombridge gentoo.org> .github/workflows/tests.yml | 56 -- .github/workflows/tests.yml.rej | 35 testing/sechecker.ini | 401 3 files changed, 480 insertions(+), 12 deletions(-) diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index eac1e30cc..1e3d5b7b0 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -3,21 +3,27 @@ name: Build tests on: [push, pull_request] env: - # Minimum userspace version to build refpolicy. - SELINUX_USERSPACE_VERSION: checkpolicy-3.1 + # Minimum versions to build refpolicy. + PYTHON_VERSION: "3.10" + SELINUX_USERSPACE_VERSION: checkpolicy-3.2 + USERSPACE_SRC: "selinux-src" + # branch for sechecker + SECHECKER_VERSION: "4.4" + SETOOLS_SRC: "setools-src" jobs: lint: -runs-on: ubuntu-20.04 +runs-on: ubuntu-22.04 steps: -- uses: actions/checkout@v3 +- uses: actions/checkout@v4 # This version should be the minimum required to run the fc checker +# or the standard Python version on Ubuntu. - name: Set up Python - uses: actions/setup-python@v4 + uses: actions/setup-python@v5 with: -python-version: 3.7 +python-version: "${{env.PYTHON_VERSION}}" - name: Install dependencies run: | @@ -25,7 +31,7 @@ jobs: sudo apt-get install -qy autoconf-archive bison flex libconfuse-dev uthash-dev - name: Checkout SELint - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: repository: SELinuxProject/selint ref: 'v1.5.0' 
@@ -55,7 +61,7 @@ jobs: selint --source --recursive --summary --fail --disable C-005 --disable C-008 --disable W-005 policy build: -runs-on: ubuntu-20.04 +runs-on: ubuntu-22.04 strategy: fail-fast: false @@ -100,13 +106,29 @@ jobs: - {type: mls, distro: gentoo, monolithic: y, systemd: n, apps-off: unconfined, direct_initrc: y} steps: -- uses: actions/checkout@v3 +- name: Checkout Reference Policy + uses: actions/checkout@v4 + +- name: Checkout SELinux userspace tools and libs + uses: actions/checkout@v4 + with: +repository: SELinuxProject/selinux +ref: "${{env.SELINUX_USERSPACE_VERSION}}" +path: "${{env.USERSPACE_SRC}}" + +- name: Checkout setools + uses: actions/checkout@v4 + with: +repository: SELinuxProject/setools +ref: "${{env.SECHECKER_VERSION}}" +path: "${{env.SETOOLS_SRC}}" # This should be the minimum required Python version to build refpolicy. +# or the standard Python version on Ubuntu. - name: Set up Python - uses: actions/setup-python@v4 + uses: actions/setup-python@v5 with: -python-version: 3.5 +python-version: "${{env.PYTHON_VERSION}}" - name: Install dependencies run: | @@ -125,7 +147,6 @@ jobs: run: | echo "DESTDIR=/tmp/refpolicy" >> $GITHUB_ENV echo "PYTHON=python" >> $GITHUB_ENV -echo "TEST_TOOLCHAIN_SRC=/tmp/selinux-src" >> $GITHUB_ENV echo "TEST_TOOLCHAIN=/tmp/selinux" >> $GITHUB_ENV echo "TYPE=${{matrix.build-opts.type}}" >> $GITHUB_ENV echo "DISTRO=${{matrix.build-opts.distro}}" >> $GITHUB_ENV @@ -174,3 +195,14 @@ jobs: make install-docs make install-udica-templates make install-appconfig + +# This skips some combinations to keep GitHub actions runtime lower by +# eliminating duplicate analyses. +- name: Validate security goals + run: | +if [[ $MONOLITHIC == "y" ]] && [[ $TYPE != "standard" ]] && [[ $APPS_OFF ]] && [[ $SYSTEMD == "y" ]]; then +policy_file=$(make MONOLITHIC=y --eval='output_filename: ; @echo $(polver)' output_filename) +sechecker testing/sechecker.ini "${policy_file}" +else +echo "Skipped" +fi 
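Review bot: In the new `Validate security goals` step, `[[ $APPS_OFF ]]` is only a non-empty test, so the sechecker run is selected by whether any `apps-off` value is set at all (e.g. `unconfined` in the visible matrix entry), not by which one; if the intent is "any module disabled" that is fine, otherwise compare explicitly, e.g. `[[ $APPS_OFF == "unconfined" ]]`, and say which in the comment above the step. The diffstat also lists `.github/workflows/tests.yml.rej` as a new file; that looks like a stray patch-reject artifact from applying the upstream change and should not be committed (its hunk is cut off in this view). `$MONOLITHIC`, `$TYPE` and `$SYSTEMD` come from the env lines in the earlier hunk of this file.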
diff --git a/.github/workflows/tests.yml.rej b/.github/workflows/tests.yml.rej new file mode 100644 index 0..79e14d3d7 --- /dev/null +++ b/.github/workflows/tests.yml.rej @@ -0,0 +1,35 @@ +--- .github/workflows/tests.yml .github/workflows/tests.yml +@@ -173,21 +194,25 @@ jobs: + echo "APPS_OFF=${{matrix.build-opts.apps-off}}" >> $GITHUB_ENV + echo "DIRECT_INITRC=${{matrix.build-opts.direct_initrc}}" >> $GITHUB_ENV + echo "WERROR=y" >> $GITHUB_ENV ++echo "CFLAGS=\"-O2\"" >> $GITHUB_ENV + + - name:
[gentoo-commits] proj/hardened-refpolicy:master commit in: gentoo/
commit: 45225bca740493e52132fb53fc609d859ea9deb8 Author: Kenton Groombridge gentoo org> AuthorDate: Tue May 14 17:42:26 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Tue May 14 17:42:26 2024 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=45225bca Merge upstream Signed-off-by: Kenton Groombridge gentoo.org> gentoo/STATE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/gentoo/STATE b/gentoo/STATE
index b40fac216..c86b6a7a6 100644
--- a/gentoo/STATE
+++ b/gentoo/STATE
@@ -1 +1 @@
-fa84ee8fc04af56cced5ab8ed7abfb1abbd246dc
+af26e636973bff8494e2ed2f93795bde8e2d94e7
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
commit: b85214ca8e0a693d0b903fd31da74b6d6be4667b Author: Kenton Groombridge gentoo org> AuthorDate: Mon May 6 20:38:43 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Tue May 14 17:41:47 2024 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b85214ca container: allow system container engines to mmap runtime files Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/services/container.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te
index 096d6c23d..9699ac36d 100644
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@@ -866,7 +866,7 @@ filetrans_pattern(container_engine_system_domain, container_var_lib_t, container
 filetrans_pattern(container_engine_system_domain, container_var_lib_t, container_file_t, dir, "volumes")
 allow container_engine_system_domain container_runtime_t:dir { manage_dir_perms relabel_dir_perms watch };
-allow container_engine_system_domain container_runtime_t:file { manage_file_perms relabel_file_perms watch };
+allow container_engine_system_domain container_runtime_t:file { mmap_manage_file_perms relabel_file_perms watch };
 allow container_engine_system_domain container_runtime_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
 allow container_engine_system_domain container_runtime_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
 allow container_engine_system_domain container_runtime_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
commit: cdc026e081113bc262a5183640d4fcde761858ce Author: Kenton Groombridge gentoo org> AuthorDate: Mon May 6 21:19:44 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Tue May 14 17:41:53 2024 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=cdc026e0 container, crio, kubernetes: minor fixes Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/services/container.te | 1 + policy/modules/services/crio.te | 1 + policy/modules/services/kubernetes.te | 3 +++ 3 files changed, 5 insertions(+)
diff --git a/policy/modules/services/container.te b/policy/modules/services/container.te
index 68aa97ae5..095308a13 100644
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@@ -982,6 +982,7 @@ allow spc_t self:alg_socket create_stream_socket_perms;
 allow spc_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
 allow spc_t self:netlink_generic_socket create_socket_perms;
 allow spc_t self:netlink_netfilter_socket create_socket_perms;
+allow spc_t self:netlink_tcpdiag_socket nlmsg_read;
 allow spc_t self:netlink_xfrm_socket create_netlink_socket_perms;
 allow spc_t self:perf_event { cpu kernel open read };
diff --git a/policy/modules/services/crio.te b/policy/modules/services/crio.te
index 3dd616f7a..91306d80e 100644
--- a/policy/modules/services/crio.te
+++ b/policy/modules/services/crio.te
@@ -84,6 +84,7 @@ init_use_fds(crio_conmon_t)
 container_kill_all_containers(crio_conmon_t)
 container_read_all_container_state(crio_conmon_t)
+container_signal_system_containers(crio_conmon_t)
 # for kubernetes debug pods
 container_use_container_ptys(crio_conmon_t)
diff --git a/policy/modules/services/kubernetes.te b/policy/modules/services/kubernetes.te
index 58292de85..3ba666299 100644
--- a/policy/modules/services/kubernetes.te
+++ b/policy/modules/services/kubernetes.te
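Review bot: `allow spc_t self:netlink_tcpdiag_socket nlmsg_read;` in the container.te hunk grants only the message-read permission; unless spc_t already holds `create_socket_perms` (or `create_netlink_socket_perms`) on `netlink_tcpdiag_socket` elsewhere in the file — not visible in this hunk — the socket cannot be opened and the read permission alone will not clear the denial. The neighbouring rules in this hunk give each netlink class its create permissions on the same line, so if no other rule exists, `allow spc_t self:netlink_tcpdiag_socket { create_socket_perms nlmsg_read };` keeps both behaviour and style consistent. The crio.te hunk's `container_signal_system_containers(crio_conmon_t)` relies on the interface introduced in commit b18c0d37 of this series, whose CommitDate precedes this one by a second, so the ordering holds.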
@@ -393,6 +393,7 @@ container_relabel_all_content(kubelet_t)
 container_manage_log_dirs(kubelet_t)
 container_manage_log_files(kubelet_t)
 container_manage_log_symlinks(kubelet_t)
+container_watch_log_dirs(kubelet_t)
 container_watch_log_files(kubelet_t)
 container_log_filetrans(kubelet_t, { dir file })
@@ -617,6 +618,8 @@ userdom_use_user_terminals(kubectl_domain)
 # kubectl local policy
 #
+kernel_dontaudit_getattr_proc(kubectl_t)
+
 auth_use_nsswitch(kubectl_t)
 # not required, but convenient for using config commands
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
commit: 8c2f46403362398b17348da14c551acad1cdc0b4 Author: Kenton Groombridge gentoo org> AuthorDate: Mon May 6 20:33:13 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Tue May 14 17:41:45 2024 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8c2f4640 matrixd: add tunable for binding to all unreserved ports This is to support using Synapse workers which require binding to multiple TCP ports in lieu of manually labeling unreserved ports for use. Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/services/matrixd.te | 16 +++- 1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/policy/modules/services/matrixd.te b/policy/modules/services/matrixd.te
index c396a3d7c..5f092f31c 100644
--- a/policy/modules/services/matrixd.te
+++ b/policy/modules/services/matrixd.te
@@ -20,6 +20,16 @@ gen_tunable(matrix_allow_federation, true)
 ##
 gen_tunable(matrix_postgresql_connect, false)
+##
+##
+## Determine whether Matrixd is allowed to bind all
+## TCP ports. This is intended for more complex Matrix
+## server configurations (e.g. Synapse workers) and may
+## be used in lieu of manually labeling each port.
+##
+##
+gen_tunable(matrix_bind_all_unreserved_tcp_ports, false)
+
 type matrixd_t;
 type matrixd_exec_t;
 init_daemon_domain(matrixd_t, matrixd_exec_t)
@@ -117,7 +127,11 @@ tunable_policy(`matrix_postgresql_connect',`
 postgresql_tcp_connect(matrixd_t)
 ')
+tunable_policy(`matrix_bind_all_unreserved_tcp_ports',`
+ corenet_tcp_bind_all_unreserved_ports(matrixd_t)
+')
+
 optional_policy(`
 apache_search_config(matrixd_t)
 ')
-
+
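Review bot: The tunable description in the first matrixd.te hunk says Matrixd is allowed to `bind all TCP ports`, but the tunable name and the `corenet_tcp_bind_all_unreserved_ports(matrixd_t)` it enables cover only the unreserved range, so the text overstates the grant to anyone reading `semanage boolean -l`. Suggest `## Determine whether Matrixd is allowed to bind all unreserved TCP ports.` as the opening sentence so the documentation matches the policy. The trailing `-` / `+` pair at the end of the second hunk appears to swap one blank-ish line for another and could be dropped to keep the change minimal.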
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
commit: 304a909724d2e15445449257a45563751eb88a7c Author: Kenton Groombridge gentoo org> AuthorDate: Mon May 6 19:59:55 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Tue May 14 17:41:35 2024 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=304a9097 dovecot: allow dovecot-auth to read SASL keytab Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/services/dovecot.te | 4 1 file changed, 4 insertions(+)
diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
index 11ffbb177..937219831 100644
--- a/policy/modules/services/dovecot.te
+++ b/policy/modules/services/dovecot.te
@@ -321,6 +321,10 @@ optional_policy(`
 postfix_search_spool(dovecot_auth_t)
 ')
+optional_policy(`
+ sasl_read_keytab(dovecot_auth_t)
+')
+
 optional_policy(`
 postgresql_unpriv_client(dovecot_auth_t)
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
commit: c5f642792afda4f820b416e1f0e8f82b683b52bf Author: Kenton Groombridge gentoo org> AuthorDate: Mon May 6 20:03:10 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Tue May 14 17:41:36 2024 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c5f64279 userdom: allow users to read user home dir symlinks This is to support user home directories primarily living in another directory with a symlink in /home that points to it. Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/system/userdomain.if | 3 +++ 1 file changed, 3 insertions(+) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index 401c5e6f7..1d98629c6 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -318,6 +318,7 @@ interface(`userdom_ro_home_role',` # read-only home directory allow $2 user_home_dir_t:dir list_dir_perms; + allow $2 user_home_dir_t:lnk_file read_lnk_file_perms; allow $2 user_home_t:dir list_dir_perms; allow $2 user_home_t:file entrypoint; read_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t) @@ -394,6 +395,8 @@ interface(`userdom_manage_home_role',` type_member $2 user_home_dir_t:dir user_home_dir_t; + allow $2 user_home_dir_t:lnk_file read_lnk_file_perms; + # full control of the home directory allow $2 user_home_t:file entrypoint; manage_dirs_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
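Review bot: The two `allow $2 user_home_dir_t:lnk_file read_lnk_file_perms;` lines added in userdomain.if carry no comment, while the reason (home directories living elsewhere with a symlink in /home) is only in the commit message; the interface body is what future readers see, so the motivation belongs there. Suggest `# home dirs may be symlinks pointing into another location` above each of the two additions. Presumably the symlink target must still carry the home-directory labels for the rest of these role interfaces to apply — that is a file-context matter outside this hunk, but worth stating in the same comment if confirmed.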
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
commit: dc612e94fc961e4039c1fba11c03e9f872888fbf Author: Kenton Groombridge gentoo org> AuthorDate: Mon May 6 19:58:20 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Tue May 14 17:41:33 2024 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=dc612e94 fail2ban: allow reading net sysctls type=AVC msg=audit(1696613589.191:194926): avc: denied { search } for pid=1724 comm="f2b/f.dovecot" name="net" dev="proc" ino=2813 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0 Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/services/fail2ban.te | 1 + 1 file changed, 1 insertion(+)
diff --git a/policy/modules/services/fail2ban.te b/policy/modules/services/fail2ban.te
index af34769d3..dce03adca 100644
--- a/policy/modules/services/fail2ban.te
+++ b/policy/modules/services/fail2ban.te
@@ -62,6 +62,7 @@ manage_sock_files_pattern(fail2ban_t, fail2ban_runtime_t, fail2ban_runtime_t)
 manage_files_pattern(fail2ban_t, fail2ban_runtime_t, fail2ban_runtime_t)
 files_runtime_filetrans(fail2ban_t, fail2ban_runtime_t, file)
+kernel_read_net_sysctls(fail2ban_t)
 kernel_read_system_state(fail2ban_t)
 kernel_read_vm_overcommit_sysctl(fail2ban_t)
 kernel_search_fs_sysctls(fail2ban_t)
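Review bot: The AVC quoted in the commit message denies only `search` on a `sysctl_net_t` directory (`name="net"`, `tclass=dir`), yet the fail2ban.te hunk adds `kernel_read_net_sysctls(fail2ban_t)`, which also grants reading the network sysctl files themselves. If directory traversal is all that fails, `kernel_search_network_sysctl(fail2ban_t)` is the least-privilege fix; if file reads follow once the search is allowed (the record was taken enforcing, so later denials would not have shown), keep the read interface but say so, e.g. `# net sysctl reads (AVC showed search on sysctl_net_t)`.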
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
commit: eb3fe60b4f0d6bf8c466179cababdfa67ab8aabc Author: Kenton Groombridge gentoo org> AuthorDate: Mon May 6 20:21:13 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Tue May 14 17:41:41 2024 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=eb3fe60b asterisk: allow binding to all unreserved UDP ports This is for RTP streaming. Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/services/asterisk.te | 1 + 1 file changed, 1 insertion(+)
diff --git a/policy/modules/services/asterisk.te b/policy/modules/services/asterisk.te
index 0c2f9a42d..3cf98e59d 100644
--- a/policy/modules/services/asterisk.te
+++ b/policy/modules/services/asterisk.te
@@ -110,6 +110,7 @@ corenet_udp_bind_sip_port(asterisk_t)
 corenet_sendrecv_generic_server_packets(asterisk_t)
 corenet_tcp_bind_generic_port(asterisk_t)
 corenet_udp_bind_generic_port(asterisk_t)
+corenet_udp_bind_all_unreserved_ports(asterisk_t)
 corenet_dontaudit_udp_bind_all_ports(asterisk_t)
 corenet_sendrecv_jabber_client_client_packets(asterisk_t)
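Review bot: `corenet_udp_bind_all_unreserved_ports(asterisk_t)` in the asterisk.te hunk is a broad bind grant whose only justification is the commit message ("This is for RTP streaming."); readers of the .te file never see that, so put the reason on the rule, e.g. `# RTP media uses a configurable range of unreserved UDP ports`. With this line in place the `corenet_dontaudit_udp_bind_all_ports(asterisk_t)` directly below it effectively only hides bind attempts on the remaining (reserved or specifically labeled) ports, which is worth a word in the same comment so nobody reads the pair as redundant.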
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
commit: 3dd05d4af8614f7e3ffc4038241f1487d61c53bb Author: Kenton Groombridge gentoo org> AuthorDate: Mon May 6 20:41:28 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Tue May 14 17:41:50 2024 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3dd05d4a systemd: allow systemd-sysctl to search tmpfs Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/system/systemd.te | 1 + 1 file changed, 1 insertion(+)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index cef49e9a3..fca1a6018 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1752,6 +1752,7 @@ files_read_etc_files(systemd_sysctl_t)
 fs_getattr_all_fs(systemd_sysctl_t)
 fs_search_cgroup_dirs(systemd_sysctl_t)
 fs_search_ramfs(systemd_sysctl_t)
+fs_search_tmpfs(systemd_sysctl_t)
 systemd_log_parse_environment(systemd_sysctl_t)
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/, policy/modules/kernel/
commit: da28221423dba9c102a06afb6c7eac7cd2d0117a Author: Kenton Groombridge gentoo org> AuthorDate: Mon May 6 20:31:46 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Tue May 14 17:41:44 2024 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=da282214 bootloader: allow systemd-boot to manage EFI binaries systemd-boot's bootctl utility is used to install and update its EFI binaries in the EFI partition. If it is mounted with boot_t, bootctl needs to be able to manage boot_t files. Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/admin/bootloader.te | 4 policy/modules/kernel/files.if | 19 +++ 2 files changed, 23 insertions(+) diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te index 294ce7e0c..81748a5f3 100644 --- a/policy/modules/admin/bootloader.te +++ b/policy/modules/admin/bootloader.te @@ -225,6 +225,10 @@ ifdef(`init_systemd',` fs_getattr_cgroup(bootloader_t) init_read_state(bootloader_t) init_rw_inherited_stream_socket(bootloader_t) + + # for systemd-boot-update to manage EFI binaries + domain_obj_id_change_exemption(bootloader_t) + files_mmap_read_boot_files(bootloader_t) ') optional_policy(` diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index e0337d044..b9c451321 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -2590,6 +2590,25 @@ interface(`files_read_boot_files',` read_files_pattern($1, boot_t, boot_t) ') + +## +## Read and memory map files in the /boot directory. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`files_mmap_read_boot_files',` + gen_require(` + type boot_t; + ') + + mmap_read_files_pattern($1, boot_t, boot_t) +') + ## ## Create, read, write, and delete files
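Review bot: The comment `# for systemd-boot-update to manage EFI binaries` in the bootloader.te hunk announces a manage grant, but the two lines under it add `domain_obj_id_change_exemption(bootloader_t)` and `files_mmap_read_boot_files(bootloader_t)` — an object-identity exemption and read/mmap access; any write side must come from rules outside this hunk, so the comment over-describes what is here. `domain_obj_id_change_exemption` is a wide exemption (it lets the domain create objects under a different SELinux user identity) and deserves its own stated reason, e.g. `# bootctl preserves ownership of the files it copies into the ESP (TODO: cite the AVC)`. The `files_mmap_read_boot_files` interface added in files.if mirrors `files_read_boot_files` directly above it and looks right.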
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
commit: 30142b2d3d2fbe3e30c81bd7463e8bb8e4f1752d Author: Kenton Groombridge gentoo org> AuthorDate: Mon May 6 20:14:04 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Tue May 14 17:41:39 2024 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=30142b2d postgres: add a standalone execmem tunable Add a separate tunable to allow Postgres to use execmem. This is to support JIT in the Postgres server without enabling it for the entire system. Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/services/postgresql.te | 9 - 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
index 810fb0ed4..7eec1b665 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -18,6 +18,13 @@ gen_require(`
 # Declarations
 #
+##
+##
+## Allow postgresql to map memory regions as both executable and writable (e.g. for JIT).
+##
+##
+gen_tunable(psql_allow_execmem, false)
+
 ##
 ##
 ## Allow unprived users to execute DDL statement
@@ -363,7 +370,7 @@ optional_policy(`
 mta_getattr_spool(postgresql_t)
 ')
-tunable_policy(`allow_execmem',`
+tunable_policy(`allow_execmem || psql_allow_execmem',`
 allow postgresql_t self:process execmem;
 ')
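Review bot: The new tunable is named `psql_allow_execmem` in the first postgresql.te hunk, while the module's other tunables — one of which is documented immediately below the insertion point — are, as far as I recall from upstream refpolicy, prefixed `postgresql_`; if that holds here, `postgresql_allow_execmem` would keep the naming consistent. Tunable names are user-facing (`setsebool`, `semanage boolean`) and painful to rename after release, so it is worth settling before this ships. The `allow_execmem || psql_allow_execmem` condition in the second hunk is otherwise a clean way to keep the global knob working.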
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/services/, policy/modules/admin/
commit: e3d5625354b069f68fe3fff6135df2e5bc14f207 Author: Grzegorz Filo wp pl> AuthorDate: Wed Apr 3 11:02:48 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Tue May 14 17:41:29 2024 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e3d56253 files context for merged-usr profile on gentoo Signed-off-by: Grzegorz Filo wp.pl> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/admin/netutils.fc| 4 policy/modules/admin/shutdown.fc| 5 + policy/modules/services/smartmon.fc | 4 policy/modules/system/authlogin.fc | 3 +++ policy/modules/system/init.fc | 4 policy/modules/system/lvm.fc| 4 6 files changed, 24 insertions(+) diff --git a/policy/modules/admin/netutils.fc b/policy/modules/admin/netutils.fc index 3a7ccabf2..c8f5dd950 100644 --- a/policy/modules/admin/netutils.fc +++ b/policy/modules/admin/netutils.fc @@ -21,3 +21,7 @@ /usr/sbin/ss -- gen_context(system_u:object_r:ss_exec_t,s0) /usr/sbin/tcpdump -- gen_context(system_u:object_r:netutils_exec_t,s0) /usr/sbin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0) + +ifdef(`distro_gentoo',` +/usr/bin/iftop -- gen_context(system_u:object_r:netutils_exec_t,s0) +') diff --git a/policy/modules/admin/shutdown.fc b/policy/modules/admin/shutdown.fc index 89d682d36..2e47783c2 100644 --- a/policy/modules/admin/shutdown.fc +++ b/policy/modules/admin/shutdown.fc @@ -9,3 +9,8 @@ /usr/sbin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) /run/shutdown\.pid -- gen_context(system_u:object_r:shutdown_runtime_t,s0) + +ifdef(`distro_gentoo',` +/usr/bin/halt -- gen_context(system_u:object_r:shutdown_exec_t,s0) +/usr/bin/shutdown -- gen_context(system_u:object_r:shutdown_exec_t,s0) +') diff --git a/policy/modules/services/smartmon.fc b/policy/modules/services/smartmon.fc index efbb8886f..562cf0b04 100644 --- a/policy/modules/services/smartmon.fc +++ b/policy/modules/services/smartmon.fc 
@@ -9,3 +9,7 @@
 /run/smartd\.pid -- gen_context(system_u:object_r:fsdaemon_runtime_t,s0)
 /var/lib/smartmontools(/.*)? gen_context(system_u:object_r:fsdaemon_var_lib_t,s0)
+
+ifdef(`distro_gentoo',`
+/usr/bin/update-smart-drivedb -- gen_context(system_u:object_r:smartmon_update_drivedb_exec_t,s0)
+')
diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
index adb53a05a..fcdd38d6d 100644
--- a/policy/modules/system/authlogin.fc
+++ b/policy/modules/system/authlogin.fc
@@ -40,6 +40,9 @@ ifdef(`distro_redhat', `
 ifdef(`distro_suse', `
 /usr/sbin/unix2_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
 ')
+ifdef(`distro_gentoo',`
+/usr/bin/pwhistory_helper -- gen_context(system_u:object_r:updpwd_exec_t,s0)
+')
 /var/cache/coolkey(/.*)? gen_context(system_u:object_r:auth_cache_t,s0)
diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
index 2ce804cde..e350b6adf 100644
--- a/policy/modules/system/init.fc
+++ b/policy/modules/system/init.fc
@@ -53,6 +53,10 @@ ifdef(`distro_gentoo',`
 /usr/sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0)
 ifdef(`distro_gentoo', `
+/usr/bin/rc-- gen_context(system_u:object_r:rc_exec_t,s0)
+/usr/bin/openrc-- gen_context(system_u:object_r:rc_exec_t,s0)
+/usr/bin/openrc-init -- gen_context(system_u:object_r:init_exec_t,s0)
+/usr/bin/openrc-shutdown -- gen_context(system_u:object_r:init_exec_t,s0)
 /usr/lib/rc/cache(/.*)? gen_context(system_u:object_r:initrc_state_t,s0)
 /usr/lib/rc/console(/.*)? gen_context(system_u:object_r:initrc_state_t,s0)
 /usr/lib/rc/init\.d(/.*)? gen_context(system_u:object_r:initrc_state_t,s0)
diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc
index bc66de8ad..ba1d88e2b 100644
--- a/policy/modules/system/lvm.fc
+++ b/policy/modules/system/lvm.fc
@@ -74,6 +74,10 @@
 /usr/bin/vgsplit -- gen_context(system_u:object_r:lvm_exec_t,s0)
 /usr/bin/vgwrapper -- gen_context(system_u:object_r:lvm_exec_t,s0)
+ifdef(`distro_gentoo',`
+/usr/bin/dmeventd -- gen_context(system_u:object_r:lvm_exec_t,s0)
+')
+
 /usr/lib/lvm-10/.* -- gen_context(system_u:object_r:lvm_exec_t,s0)
 /usr/lib/lvm-200/.*-- gen_context(system_u:object_r:lvm_exec_t,s0)
 /usr/lib/systemd/systemd-cryptsetup-- gen_context(system_u:object_r:lvm_exec_t,s0)
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/services/
commit: b2ceb53d4b7b1df545f740ae9b4ed2e77f640dca Author: Kenton Groombridge gentoo org> AuthorDate: Mon May 6 19:53:46 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Tue May 14 17:41:31 2024 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b2ceb53d init: allow systemd to use sshd pidfds Without this, a lengthy 2 minute delay can be observed SSHing into a system while pam_systemd tries to create a login session. May 06 14:22:08 megumin.fuwafuwatime.moe sshd[29384]: pam_systemd(sshd:session): Failed to create session: Connection timed out type=AVC msg=audit(1715019897.540:13855): avc: denied { use } for pid=1 comm="systemd" path="anon_inode:[pidfd]" dev="anon_inodefs" ino=10 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:sshd_t:s0 tclass=fd permissive=1 Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/services/ssh.if | 19 +++ policy/modules/system/init.te | 4 2 files changed, 23 insertions(+)
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index dcbabf6b0..4b5fd5d33 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -535,6 +535,25 @@ interface(`ssh_signull',`
 allow $1 sshd_t:process signull;
 ')
+
+##
+## Use PIDFD file descriptors from the
+## ssh server.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ssh_use_sshd_pidfds',`
+ gen_require(`
+ type sshd_t;
+ ')
+
+ allow $1 sshd_t:fd use;
+')
+
 ##
 ## Read a ssh server unnamed pipe.
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 8f3772dcb..03d0de8ed 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -630,6 +630,10 @@ ifdef(`init_systemd',`
 fs_rw_rpc_named_pipes(initrc_t)
 ')
+ optional_policy(`
+ ssh_use_sshd_pidfds(init_t)
+ ')
+
 optional_policy(`
 # for systemd --user:
 unconfined_search_keys(init_t)
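Review bot: `allow $1 sshd_t:fd use;` in the new `ssh_use_sshd_pidfds` grants use of every descriptor that originates from sshd_t, not only pidfds — the SELinux `fd` class carries no object type, so an `anon_inode:[pidfd]` cannot be singled out from a socket or file descriptor — and the interface name and summary therefore promise a narrower permission than the rule gives. Either rename it to reflect the real scope, or keep the name for the use case but say so in the summary, e.g. `## Use file descriptors (pidfds in practice) inherited from or passed by the ssh server.`. The init.te hunk that calls it is fine as written.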
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
commit: c6e72252a0d9ec8e88e28e2512737936cec8c3ea Author: Dave Sugar gmail com> AuthorDate: Sun May 5 01:19:20 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Tue May 14 17:41:22 2024 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c6e72252 Need map perm for cockpit 300.4 node=localhost type=AVC msg=audit(1714870999.370:3558): avc: denied { map } for pid=7081 comm="cockpit-bridge" path=2F6465762F23373933202864656C6574656429 dev="devtmpfs" ino=793 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:staff_cockpit_tmpfs_t:s0 tclass=file permissive=0 Signed-off-by: Dave Sugar gmail.com> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/services/cockpit.if | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/services/cockpit.if b/policy/modules/services/cockpit.if
index 1a13f4e5a..bde2bfad5 100644
--- a/policy/modules/services/cockpit.if
+++ b/policy/modules/services/cockpit.if
@@ -49,7 +49,7 @@ template(`cockpit_role_template',`
 files_tmpfs_file($1_cockpit_tmpfs_t)
 dev_filetrans($2, $1_cockpit_tmpfs_t, file)
- allow $2 $1_cockpit_tmpfs_t:file { manage_file_perms execute };
+ allow $2 $1_cockpit_tmpfs_t:file { mmap_manage_file_perms execute };
 dev_dontaudit_execute_dev_nodes($2)
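Review bot: With `mmap_manage_file_perms` next to the existing `execute`, `$2` can create, write and then map `$1_cockpit_tmpfs_t` files for execution, which is the same writable-executable memory an `execmem` grant would give, only scoped to this type; the hex `path=` in the AVC decodes to `/dev/#793 (deleted)`, i.e. an unlinked scratch file that cockpit-bridge maps. That may be exactly what cockpit-bridge needs, but the rule should carry a comment so the W^X exception reads as deliberate rather than accidental, e.g. `# cockpit-bridge writes and then maps this file executable: intentional W^X exception limited to $1_cockpit_tmpfs_t`. The enclosing `cockpit_role_template` continues outside the hunk.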
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
commit: 8b220a9ced8dbe5449cf443a16b782141d6f4772 Author: Chris PeBenito linux microsoft com> AuthorDate: Tue Mar 5 15:18:41 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Tue May 14 17:41:01 2024 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8b220a9c certbot: Drop execmem. This is related to FFI use in python3-openssl. Libffi now changes behavior when it detects SELinux, to avoid this type of denial. Signed-off-by: Chris PeBenito linux.microsoft.com> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/services/certbot.te | 4 1 file changed, 4 deletions(-)
diff --git a/policy/modules/services/certbot.te b/policy/modules/services/certbot.te
index 9723f7880..6edaac830 100644
--- a/policy/modules/services/certbot.te
+++ b/policy/modules/services/certbot.te
@@ -54,10 +54,6 @@ files_tmp_filetrans(certbot_t, certbot_tmp_t, { dir file })
 manage_files_pattern(certbot_t, certbot_tmpfs_t, certbot_tmpfs_t)
 fs_tmpfs_filetrans(certbot_t, certbot_tmpfs_t, { file })
-# this is for certbot to have write-exec memory, I know it is bad
-# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=913544
-# the Debian bug report has background about python-acme and python3-openssl
-allow certbot_t self:process execmem;
 allow certbot_t certbot_tmp_t:file mmap_exec_file_perms;
 allow certbot_t certbot_tmpfs_t:file mmap_exec_file_perms;
 allow certbot_t certbot_runtime_t:file mmap_exec_file_perms;
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/, policy/modules/services/, policy/modules/system/
commit: 89eef551684761379a5dd51221485b025d0014e5 Author: Chris PeBenito linux microsoft com> AuthorDate: Thu Feb 29 18:31:57 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Tue May 14 17:40:59 2024 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=89eef551 xen: Drop xend/xm stack. Xend/xm was replaced with xl in Xen 4.5 (Jan 2015). https://xenproject.org/2015/01/15/less-is-more-in-the-new-xen-project-4-5-release/ Signed-off-by: Chris PeBenito linux.microsoft.com> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/admin/brctl.te | 1 - policy/modules/admin/consoletype.te | 2 - policy/modules/admin/sblim.te | 1 - policy/modules/services/nscd.te | 1 - policy/modules/services/pegasus.te | 1 - policy/modules/services/snmp.te | 1 - policy/modules/services/vhostmd.te | 1 - policy/modules/services/virt.te | 8 +- policy/modules/system/hostname.te | 1 - policy/modules/system/lvm.te| 1 - policy/modules/system/sysnetwork.te | 2 - policy/modules/system/xen.fc| 21 +-- policy/modules/system/xen.if| 149 +++- policy/modules/system/xen.te| 272 14 files changed, 54 insertions(+), 408 deletions(-)
diff --git a/policy/modules/admin/brctl.te b/policy/modules/admin/brctl.te
index 7ce029c05..026b0002d 100644
--- a/policy/modules/admin/brctl.te
+++ b/policy/modules/admin/brctl.te
@@ -43,5 +43,4 @@ miscfiles_read_localization(brctl_t)
 optional_policy(`
 xen_append_log(brctl_t)
- xen_dontaudit_rw_unix_stream_sockets(brctl_t)
 ')
diff --git a/policy/modules/admin/consoletype.te b/policy/modules/admin/consoletype.te
index dda9e62ff..1989db82c 100644
--- a/policy/modules/admin/consoletype.te
+++ b/policy/modules/admin/consoletype.te
@@ -109,6 +109,4 @@ optional_policy(`
 kernel_read_xen_state(consoletype_t)
 kernel_write_xen_state(consoletype_t)
 xen_append_log(consoletype_t)
- xen_dontaudit_rw_unix_stream_sockets(consoletype_t)
- xen_dontaudit_use_fds(consoletype_t)
 ')
diff --git a/policy/modules/admin/sblim.te b/policy/modules/admin/sblim.te
index 5e2978c5f..d9bab1a79 100644
--- a/policy/modules/admin/sblim.te
+++ b/policy/modules/admin/sblim.te
@@ -106,7 +106,6 @@ optional_policy(`
 ')
 optional_policy(`
- xen_stream_connect(sblim_gatherd_t)
 xen_stream_connect_xenstore(sblim_gatherd_t)
 ')
diff --git a/policy/modules/services/nscd.te b/policy/modules/services/nscd.te
index f63b75f4f..ffc60497c 100644
--- a/policy/modules/services/nscd.te
+++ b/policy/modules/services/nscd.te
@@ -132,6 +132,5 @@ optional_policy(`
 ')
 optional_policy(`
- xen_dontaudit_rw_unix_stream_sockets(nscd_t)
 xen_append_log(nscd_t)
 ')
diff --git a/policy/modules/services/pegasus.te b/policy/modules/services/pegasus.te
index a5aa3a285..e7287b49a 100644
--- a/policy/modules/services/pegasus.te
+++ b/policy/modules/services/pegasus.te
@@ -184,6 +184,5 @@ optional_policy(`
 ')
 optional_policy(`
- xen_stream_connect(pegasus_t)
 xen_stream_connect_xenstore(pegasus_t)
 ')
diff --git a/policy/modules/services/snmp.te b/policy/modules/services/snmp.te
index 846ab288a..b498e894b 100644
--- a/policy/modules/services/snmp.te
+++ b/policy/modules/services/snmp.te
@@ -167,6 +167,5 @@ optional_policy(`
 kernel_read_xen_state(snmpd_t)
 kernel_write_xen_state(snmpd_t)
- xen_stream_connect(snmpd_t)
 xen_stream_connect_xenstore(snmpd_t)
 ')
diff --git a/policy/modules/services/vhostmd.te b/policy/modules/services/vhostmd.te
index 94ee048d1..9a866deea 100644
--- a/policy/modules/services/vhostmd.te
+++ b/policy/modules/services/vhostmd.te
@@ -79,7 +79,6 @@ optional_policy(`
 optional_policy(`
 xen_domtrans_xm(vhostmd_t)
- xen_stream_connect(vhostmd_t)
 xen_stream_connect_xenstore(vhostmd_t)
 xen_stream_connect_xm(vhostmd_t)
 ')
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
index a6161d739..f0c4c2d65 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@@ -820,8 +820,8 @@ optional_policy(`
 kernel_read_xen_state(virtd_t)
 kernel_write_xen_state(virtd_t)
- xen_exec(virtd_t)
- xen_stream_connect(virtd_t)
+ xen_domtrans_xm(virtd_t)
+ xen_stream_connect_xm(virtd_t)
 xen_stream_connect_xenstore(virtd_t)
 xen_read_image_files(virtd_t)
 ')
@@ -944,9 +944,9 @@ optional_policy(`
 optional_policy(`
 xen_manage_image_dirs(virsh_t)
 xen_append_log(virsh_t)
- xen_domtrans(virsh_t)
+ xen_domtrans_xm(virsh_t)
 xen_read_xenstored_runtime_files(virsh_t)
- xen_stream_connect(virsh_t)
+ xen_stream_connect_xm(virsh_t)
 xen_stream_connect_xenstore(virsh_t)
 ')
diff --git a/policy/modules/system/hostname.te
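Review bot: In the first hunk, replacing `xen_exec(virtd_t)` with `xen_domtrans_xm(virtd_t)` is a behaviour change rather than a removal of dead xend calls: the xen tools libvirtd runs now transition into `xm_t` instead of executing in `virtd_t`, and neither the commit message nor a comment says why that is the intended replacement (the virsh hunk below only renames `xen_domtrans` to `xen_domtrans_xm`). A short comment above the call would make the choice reviewable, e.g. `# xl runs in xm_t; libvirtd only needs to invoke it and reach its socket`. If virtd previously relied on running these tools in its own domain for inherited fds or ptys, the transition may need matching fd/pty rules, which cannot be verified from this page.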
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
commit: 4f530e384d56b9f11d4846e1018c56fe3df86e05 Author: Chris PeBenito linux microsoft com> AuthorDate: Tue Mar 5 15:20:13 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Tue May 14 17:41:02 2024 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4f530e38 cockpit: Change $1_cockpit_tmpfs_t to a tmpfs file type. Signed-off-by: Chris PeBenito linux.microsoft.com> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/services/cockpit.if | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/services/cockpit.if b/policy/modules/services/cockpit.if
index 4c452484c..1a13f4e5a 100644
--- a/policy/modules/services/cockpit.if
+++ b/policy/modules/services/cockpit.if
@@ -46,7 +46,7 @@ template(`cockpit_role_template',`
 type $1_cockpit_tmpfs_t;
- files_runtime_file($1_cockpit_tmpfs_t)
+ files_tmpfs_file($1_cockpit_tmpfs_t)
 dev_filetrans($2, $1_cockpit_tmpfs_t, file)
 allow $2 $1_cockpit_tmpfs_t:file { manage_file_perms execute };
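Review bot: After switching the type to `files_tmpfs_file`, the file is still created through `dev_filetrans($2, $1_cockpit_tmpfs_t, file)` two lines below, i.e. under /dev rather than on a tmpfs mount, and nothing in the template explains the mismatch (a later AVC on this page shows such an object with `dev="devtmpfs"`). If the tmpfs attribute is chosen for the permission set it brings rather than for where the object lives, a comment such as `# created under /dev by cockpit-bridge, not on a tmpfs mount; the tmpfs_file attribute is intentional` would keep the next reviewer from flipping it back. The enclosing `cockpit_role_template` continues outside the hunk.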
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
commit: 9e64cef53a9a17bce38b43e1a8476b4132c186ea Author: Matt Sheets linux microsoft com> AuthorDate: Sat Apr 27 00:09:53 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Tue May 14 17:40:58 2024 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9e64cef5 Allow systemd to pass down sig mask IgnoreSIGPIPE is a feature that requires systemd to passdown the signal mask down to the fork process. To allow this the siginh permission must be allowed for all process domains that can be forked by systemd. Signed-off-by: Matt Sheets linux.microsoft.com> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/system/init.if | 1 + 1 file changed, 1 insertion(+)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 597fd169a..24be1a7a7 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -189,6 +189,7 @@ interface(`init_domain',`
 allow $1 init_t:unix_stream_socket { getattr read write ioctl };
+ allow init_t $1:process siginh;
 allow init_t $1:process2 { nnp_transition nosuid_transition };
 # StandardInputText uses a memfd rw shm segment.
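Review bot: `allow init_t $1:process siginh;` is added without a comment, and because `init_domain()` is applied to every domain systemd can spawn this is a blanket change rather than a per-service one: as far as I know, without `siginh` the kernel resets the blocked and ignored signal state on a domain transition so a confined service starts clean, and this rule lets systemd's signal state survive into all of them. A comment tying the rule to its reason, e.g. `# IgnoreSIGPIPE= needs the signal ignore state to survive the transition`, would stop it from being removed as stray later and records the trade-off. `init_domain` begins before and continues after the hunk.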
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
commit: 7a7d1e4a5e7e532b93be215172976e2fa2556e1e Author: Chris PeBenito linux microsoft com> AuthorDate: Thu Feb 29 15:14:01 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Tue May 14 17:40:54 2024 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7a7d1e4a xen: Revoke kernel module loading permissions. This domain also calls kernel_request_load_module(), which should be sufficient. Signed-off-by: Chris PeBenito linux.microsoft.com> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/system/xen.te | 1 - 1 file changed, 1 deletion(-)
diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te
index 5311f3a34..d633dfef7 100644
--- a/policy/modules/system/xen.te
+++ b/policy/modules/system/xen.te
@@ -500,7 +500,6 @@ xen_stream_connect_xenstore(xm_t)
 can_exec(xm_t, xm_exec_t)
-kernel_load_module(xm_t)
 kernel_request_load_module(xm_t)
 kernel_read_system_state(xm_t)
 kernel_read_network_state(xm_t)
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/services/
commit: c102156f10d9ab9ab6a5ebf2ef21d9a36305c759 Author: Chris PeBenito linux microsoft com> AuthorDate: Thu Feb 29 16:04:56 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Tue May 14 17:40:56 2024 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c102156f cups: Remove PTAL. This is part of the HPOJ, which was superseded by HPLIP in 2006. Signed-off-by: Chris PeBenito linux.microsoft.com> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/services/cups.fc | 8 policy/modules/services/cups.if | 34 - policy/modules/services/cups.te | 73 - policy/modules/system/userdomain.if | 1 - 4 files changed, 7 insertions(+), 109 deletions(-)
diff --git a/policy/modules/services/cups.fc b/policy/modules/services/cups.fc
index df02e9539..453c394da 100644
--- a/policy/modules/services/cups.fc
+++ b/policy/modules/services/cups.fc
@@ -29,9 +29,6 @@
 /usr/bin/hpijs -- gen_context(system_u:object_r:hplip_exec_t,s0)
 /usr/bin/hpiod -- gen_context(system_u:object_r:hplip_exec_t,s0)
 /usr/bin/printconf-backend -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
-/usr/bin/ptal-printd -- gen_context(system_u:object_r:ptal_exec_t,s0)
-/usr/bin/pt al-mlcd -- gen_context(system_u:object_r:ptal_exec_t,s0)
-/usr/bin/ptal-photod -- gen_context(system_u:object_r:ptal_exec_t,s0)
 /usr/Brother/fax/.*\.log.* gen_context(system_u:object_r:cupsd_log_t,s0)
 /usr/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
@@ -55,9 +52,6 @@
 /usr/sbin/hal_lpadmin -- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
 /usr/sbin/hpiod-- gen_context(system_u:object_r:hplip_exec_t,s0)
 /usr/sbin/printconf-backend-- gen_context(system_u:object_r:cupsd_config_exec_t,s0)
-/usr/sbin/ptal-printd -- gen_context(system_u:object_r:ptal_exec_t,s0)
-/usr/sbin/ptal-mlcd-- gen_context(system_u:object_r:ptal_exec_t,s0)
-/usr/sbin/ptal-photod -- gen_context(system_u:object_r:ptal_exec_t,s0)
 /usr/share/cups(/.*)? gen_context(system_u:object_r:cupsd_etc_t,s0)
 /usr/share/foomatic/db/oldprinterids -- gen_context(system_u:object_r:cupsd_rw_etc_t,s0)
@@ -80,7 +74,5 @@
 /run/cups(/.*)?gen_context(system_u:object_r:cupsd_runtime_t,s0)
 /run/hp.*\.pid -- gen_context(system_u:object_r:hplip_runtime_t,s0)
 /run/hp.*\.port-- gen_context(system_u:object_r:hplip_runtime_t,s0)
-/run/ptal-printd(/.*)? gen_context(system_u:object_r:ptal_runtime_t,s0)
-/run/ptal-mlcd(/.*)? gen_context(system_u:object_r:ptal_runtime_t,s0)
 /run/udev-configure-printer(/.*)? gen_context(system_u:object_r:cupsd_config_runtime_t,s0)
 /var/turboprint(/.*)? gen_context(system_u:object_r:cupsd_runtime_t,s0)
diff --git a/policy/modules/services/cups.if b/policy/modules/services/cups.if
index 852db3d67..a6b3f754a 100644
--- a/policy/modules/services/cups.if
+++ b/policy/modules/services/cups.if
@@ -271,26 +271,6 @@ interface(`cups_write_log',`
 allow $1 cupsd_log_t:file write_file_perms;
 ')
-
-##
-## Connect to ptal over an unix
-## domain stream socket.
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`cups_stream_connect_ptal',`
- gen_require(`
- type ptal_t, ptal_runtime_t;
- ')
-
- files_search_runtime($1)
- stream_connect_pattern($1, ptal_runtime_t, ptal_runtime_t, ptal_t)
-')
-
 ##
 ## Read the process state (/proc/pid) of cupsd.
@@ -354,21 +334,21 @@ interface(`cups_admin',`
 type cupsd_t, cupsd_tmp_t, cupsd_lpd_tmp_t;
 type cupsd_etc_t, cupsd_log_t;
 type cupsd_config_runtime_t, cupsd_lpd_runtime_t;
- type cupsd_runtime_t, ptal_etc_t, cupsd_rw_etc_t;
- type ptal_runtime_t, hplip_runtime_t, cupsd_initrc_exec_t;
+ type cupsd_runtime_t, cupsd_rw_etc_t;
+ type hplip_runtime_t, cupsd_initrc_exec_t;
 type cupsd_config_t, cupsd_lpd_t, cups_pdf_t;
- type hplip_t, ptal_t;
+ type hplip_t;
 ')
 allow $1 { cupsd_t cupsd_config_t cupsd_lpd_t }:process { ptrace signal_perms };
- allow $1 { cups_pdf_t hplip_t ptal_t }:process { ptrace signal_perms };
+ allow $1 { cups_pdf_t hplip_t }:process { ptrace signal_perms };
 ps_process_pattern($1, { cupsd_t cupsd_config_t cupsd_lpd_t })
- ps_process_pattern($1, { cups_pdf_t hplip_t ptal_t })
+ ps_process_pattern($1, { cups_pdf_t hplip_t })
 init_startstop_service($1, $2, cupsd_t, cupsd_initrc_exec_t)
 files_list_etc($1)
- admin_pattern($1, { cupsd_etc_t cupsd_rw_etc_t ptal_etc_t })
+ admin_pattern($1, { cupsd_etc_t cupsd_rw_etc_t })
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
commit: 007072b1c66cfb28310f9d0449f8167f496be2ae Author: Christian Göttsche googlemail com> AuthorDate: Thu Feb 22 17:00:52 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Mar 1 17:05:56 2024 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=007072b1 systemd: logind update type=PROCTITLE msg=audit(21/02/24 23:31:52.659:83) : proctitle=/usr/lib/systemd/systemd-logind type=SYSCALL msg=audit(21/02/24 23:31:52.659:83) : arch=x86_64 syscall=recvmsg success=yes exit=24 a0=0xf a1=0x7ffdec4e7bc0 a2=MSG_DONTWAIT|MSG_CMSG_CLOEXEC a3=0x0 items=0 ppid=1 pid=909 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-logind exe=/usr/lib/systemd/systemd-logind subj=system_u:system_r:systemd_logind_t:s0 key=(null) type=AVC msg=audit(21/02/24 23:31:52.659:83) : avc: denied { use } for pid=909 comm=systemd-logind path=anon_inode:[pidfd] dev="anon_inodefs" ino=1051 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0 tclass=fd permissive=1 p.s.: this might need an overhaul after pidfd handling in the kernel has been improved. Signed-off-by: Christian Göttsche googlemail.com> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/system/systemd.te | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index e3af88033..cef49e9a3 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1053,6 +1053,9 @@ storage_raw_read_fixed_disk_cond(systemd_logind_t, systemd_logind_get_bootloader
 optional_policy(`
 dbus_connect_system_bus(systemd_logind_t)
 dbus_system_bus_client(systemd_logind_t)
+
+ # pidfd
+ dbus_use_system_bus_fds(systemd_logind_t)
 ')
 optional_policy(`
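Review bot: The `# pidfd` comment on the new `dbus_use_system_bus_fds(systemd_logind_t)` call undersells what is granted: the `fd` class cannot single out a pidfd, so the interface permits using every descriptor systemd_logind_t receives from system_dbusd_t, and the commit message already anticipates revisiting this once kernel pidfd handling improves. Expanding the comment to say so, e.g. `# logind receives pidfds over the system bus; the fd class cannot restrict this to pidfds, revisit when kernel pidfd labelling improves`, keeps that context in the policy itself rather than only in git history.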
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/
commit: 5c8203bfd90758d92cd93c786de8fe94e6d716ca Author: Christian Göttsche googlemail com> AuthorDate: Thu Feb 22 17:00:48 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Mar 1 17:05:52 2024 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5c8203bf fs: add support for virtiofs Adopted from https://github.com/fedora-selinux/selinux-policy/commit/5580e9a576f759820dbc3387961ce58a959221dc Signed-off-by: Christian Göttsche googlemail.com> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/kernel/filesystem.te | 11 +++ 1 file changed, 11 insertions(+)
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index f21fc71e9..f9aa5f90b 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -41,6 +41,7 @@ fs_use_xattr lustre gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr overlay gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr squashfs gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr ubifs gen_context(system_u:object_r:fs_t,s0);
+fs_use_xattr virtiofs gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr zfs gen_context(system_u:object_r:fs_t,s0);
@@ -203,6 +204,16 @@ optional_policy(`
 init_mountpoint(tracefs_t)
 ')
+
+#
+# virtiofs_t is the default type for virtio file systems
+# and their files.
+#
+type virtiofs_t;
+fs_noxattr_type(virtiofs_t)
+files_mountpoint(virtiofs_t)
+genfscon virtiofs / gen_context(system_u:object_r:virtiofs_t,s0)
+
 type vmblock_t;
 fs_noxattr_type(vmblock_t)
 files_mountpoint(vmblock_t)
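Review bot: The two hunks give `virtiofs` two labelling behaviours at once: the first registers `fs_use_xattr virtiofs`, while the second declares `virtiofs_t` with `fs_noxattr_type` and a `genfscon virtiofs /` rule. As far as I know the kernel consults the fs_use table before genfs for a given filesystem type, so the genfscon entry is reached only when the xattr entry does not apply (for example a mount whose host side does not export xattrs), and a reader of filesystem.te cannot tell which outcome is intended. A comment above the type would record that, e.g. `# fallback labelling for virtiofs mounts without xattr support; the fs_use_xattr entry above takes precedence`, noting that the arrangement is inherited from the Fedora commit cited in the message.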
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
commit: f6e3b01a354b974ffc259994385d03909c4be93e Author: Christian Göttsche googlemail com> AuthorDate: Thu Feb 22 17:00:42 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Mar 1 17:05:47 2024 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f6e3b01a userdom: permit reading PSI as admin Signed-off-by: Christian Göttsche googlemail.com> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/system/userdomain.if | 1 + 1 file changed, 1 insertion(+)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index aadbe34c3..b87f6d48e 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1382,6 +1382,7 @@ template(`userdom_admin_user_template',`
 kernel_change_ring_buffer_level($1_t)
 kernel_clear_ring_buffer($1_t)
 kernel_read_ring_buffer($1_t)
+ kernel_read_psi($1_t)
 kernel_get_sysvipc_info($1_t)
 kernel_rw_all_sysctls($1_t)
 # signal unlabeled processes:
[gentoo-commits] proj/hardened-refpolicy:master commit in: /
commit: 1949397458a649cf876a4a758a28d65626ad2709 Author: Chris PeBenito ieee org> AuthorDate: Mon Feb 26 18:38:45 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Mar 1 17:06:00 2024 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=19493974 Update Changelog and VERSION for release 2.20240226. Signed-off-by: Chris PeBenito ieee.org> Signed-off-by: Kenton Groombridge gentoo.org> Changelog | 487 ++ VERSION | 2 +- 2 files changed, 488 insertions(+), 1 deletion(-)
diff --git a/Changelog b/Changelog
index 76cd60fdc..a1938b4f0 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,490 @@ +* Mon Feb 26 2024 Chris PeBenito - 2.20240226 +Chris PeBenito (174): + tests.yml: Pin ubuntu 20.04. + tests.yml: Pin ubuntu 20.04. + fstools: Move lines. + munin: Move munin_rw_tcp_sockets() implementation. + munin: Whitespace change. + systemd: Tmpfilesd can correct seusers on files. + iscsi: Read initiatorname.iscsi. + lvm: Add fc entry for /etc/multipath/* + sysnetwork: Rename sysnet_dontaudit_rw_dhcpc_unix_dgram_sockets() + Define user_namespace object class. + chromium: Allow user namespace creation. + mozilla: Allow user namespace creation. + systemd: Allow user namespace creation. + container: Allow user namespace creation for all container engines. + Update eg25manager.te + switcheroo: Whitespace fix. + unconfined: Keys are linkable by systemd. + postgresql: Move lines + Add append to rw and manage lnk_file permission sets for consistency. + domain: Manage own fds. + systemd: systemd-cgroups reads kernel.cap_last_cap sysctl. + kernel: hv_utils shutdown on systemd systems. + Container: Minor fixes from interactive container use. + systemd: Minor coredump fixes. + rpm: Minor fixes + init: Allow nnp/nosuid transitions from systemd initrc_t. + selinuxutil: Semanage reads policy for export. + sysnetwork: ifconfig searches debugfs. + usermanage: Add sysctl access for groupadd to get number of groups. + files: Handle symlinks for /media and /srv. + cloudinit: Add support for installing RPMs and setting passwords. + kdump: Fixes from testing kdumpctl. + usermanage: Handle symlinks in /usr/share/cracklib. + unconfined: Add remaining watch_* permissions. + chronyd: Read /dev/urandom. + cloud-init: Allow use of sudo in runcmd. + cloud-init: Add systemd permissions. + cloud-init: Change udev rules + systemd: Updates for systemd-locale. + cloudinit: Add permissions derived from sysadm. 
+ +Christian Göttsche (28): + git: add fcontext for default binary + init: only grant getattr in init_getattr_generic_units_files() + ci: bump SELint version to 1.5.0 + SELint userspace class tweaks + systemd: reorder optional block + devicedisk: reorder optional block + access_vectors: define io_uring { cmd } + support/genhomedircon: support usr prefixed paths + fix misc typos + Support multi-line interface calls + policy_capabilities: remove estimated from released versions + Rules.monolithic: pre-compile fcontexts on install + Rules.modular: use temporary file to not ignore error + Makefile: use sepolgen-ifgen-attr-helper from test toolchain + Makefile: set PYTHONPATH for test toolchain + virt: label qemu configuration directory + selinuxutil: setfiles updates + selinuxutil: ignore getattr proc in newrole + userdom: permit reading PSI as admin + fs: mark memory pressure type as file + systemd: binfmt updates + vnstatd: update + fs: add support for virtiofs + systemd: generator updates + udev: update + systemd: logind update + consolesetup: update + libraries: drop space in empty line + +Christian Schneider (1): + systemd-generator: systemd_generator_t load kernel modules used for e.g. 
+ zram-generator + +Corentin LABBE (20): + udev: permit to read hwdb + fstools: handle gentoo place for drivedb.h + mount: dbus interface must be optional + mcelog: add missing file context for triggers + munin: add file context for common functions file + rsyslog: add label for /var/empty/dev/log + munin: disk-plugin: transition to fsadm + munin: add fc for munin-node plugin state + usermanage: permit groupadd to read kernel sysctl + portage: Remove old binary location + portage: add go/hg source control files + portage: add new location for portage commands + portage: add missing go/hg context in new distfiles location + mandb: permit to read inherited cron files + selinuxutil: do not audit load_policy trying to use portage ptys + selinuxutil: permit run_init to read kernel sysctl + portage: add misc
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
commit: 1f6f6eca2f76f7fa1354acdae20898666823bebc Author: Christian Göttsche googlemail com> AuthorDate: Fri Feb 23 17:04:11 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Mar 1 17:05:59 2024 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1f6f6eca libraries: drop space in empty line Drop a line containing a single space from the file context file to avoid SELint stumble on it: libraries.mod.fc: 130: (E): Bad file context format (E-002) Signed-off-by: Christian Göttsche googlemail.com> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/system/libraries.fc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
index 757b18bcb..b5491aa8a 100644
--- a/policy/modules/system/libraries.fc
+++ b/policy/modules/system/libraries.fc
@@ -284,7 +284,7 @@ HOME_DIR/\.mozilla/plugins/nprhapengine\.so.* -- gen_context(system_u:object_r:t
 /usr/lib/acroread/.+\.api -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/acroread/(.*/)?ADMPlugin\.apl -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/.*/program(/.*)?\.so gen_context(system_u:object_r:lib_t,s0)
-') dnl end distro_redhat
+')dnl end distro_redhat
 #
 # /var
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
commit: 3676555ed89c3a47ec1f553710f70bf547bd7245 Author: Christian Göttsche googlemail com> AuthorDate: Thu Feb 22 17:00:55 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Mar 1 17:05:57 2024 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3676555e consolesetup: update AVC avc: denied { read } for pid=770 comm="mkdir" name="filesystems" dev="proc" ino=4026532069 scontext=system_u:system_r:consolesetup_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=0 Signed-off-by: Christian Göttsche googlemail.com> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/services/consolesetup.te | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/policy/modules/services/consolesetup.te b/policy/modules/services/consolesetup.te
index 7756ef6c9..023ec5d23 100644
--- a/policy/modules/services/consolesetup.te
+++ b/policy/modules/services/consolesetup.te
@@ -37,6 +37,8 @@ files_runtime_filetrans(consolesetup_t, consolesetup_runtime_t, dir, "console-se
 manage_files_pattern(consolesetup_t, consolesetup_tmp_t, consolesetup_tmp_t)
 files_tmp_filetrans(consolesetup_t, consolesetup_tmp_t, file)
+kernel_read_system_state(consolesetup_t)
+
 corecmd_exec_bin(consolesetup_t)
 corecmd_exec_shell(consolesetup_t)
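Review bot: `kernel_read_system_state(consolesetup_t)` grants reading of all generic `proc_t` content when the only denial in the message is `mkdir` reading `/proc/filesystems`; if the policy has no narrower interface for that file this is the usual fix, but the rule should say what it is for so the breadth stays justifiable, e.g. `# mkdir reads /proc/filesystems`. Without that comment the grant reads as a generic catch-all rather than a response to one specific denial.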
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
commit: 9127b63127407012150cc1257dab821bc300477d Author: Christian Göttsche googlemail com> AuthorDate: Thu Feb 22 17:00:51 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Mar 1 17:05:55 2024 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9127b631 udev: update AVC avc: denied { create } for pid=685 comm="ifquery" name="network" scontext=system_u:system_r:udev_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1 Signed-off-by: Christian Göttsche googlemail.com> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/system/sysnetwork.if | 30 ++ policy/modules/system/udev.te | 3 +++ 2 files changed, 33 insertions(+)
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
index f41024669..884f3735d 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -489,6 +489,7 @@ interface(`sysnet_create_config',`
 ')
 files_search_etc($1)
+ allow $1 net_conf_t:dir { add_entry_dir_perms create_dir_perms };
 allow $1 net_conf_t:file create_file_perms;
 ')
@@ -535,6 +536,35 @@ interface(`sysnet_etc_filetrans_config',`
 files_etc_filetrans($1, net_conf_t, file, $2)
 ')
+###
+##
+## Create files in /run with the type used for
+## the network config files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The object class of the object being created.
+##
+##
+##
+##
+## The name of the object being created.
+##
+##
+#
+interface(`sysnet_runtime_filetrans_config',`
+ gen_require(`
+ type net_conf_t;
+ ')
+
+ files_runtime_filetrans($1, net_conf_t, $2, $3)
+')
+
 ###
 ##
 ## Create, read, write, and delete network config files.
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 6e24d515f..8ecc17bc7 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
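Review bot: The first hunk widens `sysnet_create_config()` for every existing caller, not just udev: `allow $1 net_conf_t:dir { add_entry_dir_perms create_dir_perms };` lets any domain that could previously only create config files now also create whole `net_conf_t` directories, and the interface's summary (above the hunk) presumably still describes file creation only. Either give the directory permissions their own interface or update the summary to `## Create network config files and directories.` so the scope change is visible to callers. In the second hunk, the description of the new `sysnet_runtime_filetrans_config` could name the concrete use that motivated it, e.g. `## Used for /run/network created by ifquery run from udev.`, since the object class and name parameters alone do not convey it.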
@@ -217,6 +217,9 @@ ifdef(`distro_debian',` files_runtime_filetrans(udev_t, udev_runtime_t, dir, "xen-hotplug") + sysnet_runtime_filetrans_config(udev_t, dir, "network") + sysnet_create_config(udev_t) + optional_policy(` # for /usr/lib/avahi/avahi-daemon-check-dns.sh kernel_read_vm_sysctls(udev_t)
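Review bot: `sysnet_create_config(udev_t)` lets udev create any net_conf_t directory or file, including under /etc (the interface searches etc, per its hunk above), whereas the AVC in the commit message is a single directory create of `network` in var_run_t by `ifquery`, captured in permissive mode. A comment recording the trigger helps the next audit of this block: `# ifquery creates /run/network`. The enclosing ifdef(`distro_debian') block starts outside the hunk.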
[gentoo-commits] proj/hardened-refpolicy:master commit in: /
commit: cf1d8825dd74db410aca630202e62d0e0ad5169e Author: Christian Göttsche googlemail com> AuthorDate: Thu Feb 22 19:21:35 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Mar 1 17:05:42 2024 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=cf1d8825 Makefile: set PYTHONPATH for test toolchain In case of a non-default toolchain also set the environment variable PYTHONPATH to run sepolgen related python code from that toolchain. See scripts/env_use_destdir in the SELinux userland repository. Signed-off-by: Christian Göttsche googlemail.com> Signed-off-by: Kenton Groombridge gentoo.org> Makefile | 13 ++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/Makefile b/Makefile index 82df20454..42d6484bc 100644 --- a/Makefile +++ b/Makefile 
@@ -47,9 +47,16 @@ endif BINDIR ?= /usr/bin SBINDIR ?= /usr/sbin ifdef TEST_TOOLCHAIN -tc_usrbindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib:$(TEST_TOOLCHAIN)/usr/lib" $(TEST_TOOLCHAIN)$(BINDIR) -tc_usrsbindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib:$(TEST_TOOLCHAIN)/usr/lib" $(TEST_TOOLCHAIN)$(SBINDIR) -tc_sbindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib:$(TEST_TOOLCHAIN)/usr/lib" $(TEST_TOOLCHAIN)/sbin +python_path_plat := $(shell python3 -c "import sysconfig; print(sysconfig.get_path('platlib', vars={'platbase': '/usr', 'base': '/usr'}))") +python_path_pure := $(shell python3 -c "import sysconfig; print(sysconfig.get_path('purelib', vars={'platbase': '/usr', 'base': '/usr'}))") +ifdef PYTHONPATH +python_path := "$(TEST_TOOLCHAIN)$(python_path_plat):$(TEST_TOOLCHAIN)$(python_path_pure):$(PYTHONPATH)" +else +python_path := "$(TEST_TOOLCHAIN)$(python_path_plat):$(TEST_TOOLCHAIN)$(python_path_pure)" +endif +tc_usrbindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib:$(TEST_TOOLCHAIN)/usr/lib" PYTHONPATH="$(python_path)" $(TEST_TOOLCHAIN)$(BINDIR) +tc_usrsbindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib:$(TEST_TOOLCHAIN)/usr/lib" PYTHONPATH="$(python_path)" $(TEST_TOOLCHAIN)$(SBINDIR) +tc_sbindir := env LD_LIBRARY_PATH="$(TEST_TOOLCHAIN)/lib:$(TEST_TOOLCHAIN)/usr/lib" PYTHONPATH="$(python_path)" $(TEST_TOOLCHAIN)/sbin else tc_usrbindir := $(BINDIR) tc_usrsbindir := $(SBINDIR)
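Review bot: The two `python_path :=` lines bake literal double quotes into the value, and the three `tc_*` lines then quote it again, so the shell sees `PYTHONPATH=""…""`; that only works because the inner text ends up unquoted, and it breaks for a TEST_TOOLCHAIN path containing whitespace or shell metacharacters. Drop the quotes from the assignments and keep the ones at the point of use: `python_path := $(TEST_TOOLCHAIN)$(python_path_plat):$(TEST_TOOLCHAIN)$(python_path_pure):$(PYTHONPATH)` and `python_path := $(TEST_TOOLCHAIN)$(python_path_plat):$(TEST_TOOLCHAIN)$(python_path_pure)`. Note also that the site-packages locations come from the host `python3`, so they presumably only match a toolchain built for the same Python minor version; a comment stating that assumption would save a confusing debugging session.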
[gentoo-commits] proj/hardened-refpolicy:master commit in: gentoo/
commit: d98d3461c9fd467af7308047b5f6a496259a4104 Author: Kenton Groombridge gentoo org> AuthorDate: Fri Mar 1 17:06:33 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Mar 1 17:06:33 2024 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d98d3461 Merge upstream Signed-off-by: Kenton Groombridge gentoo.org> gentoo/STATE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/gentoo/STATE b/gentoo/STATE
index 1265cd5d3..b40fac216 100644
--- a/gentoo/STATE
+++ b/gentoo/STATE
@@ -1 +1 @@
-f3865abfc25a395c877a27074bd03c5fc22992dd
+fa84ee8fc04af56cced5ab8ed7abfb1abbd246dc
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
commit: b1a213b26e58f32d250057fcb9e1af3a9f05a63d Author: Christian Göttsche googlemail com> AuthorDate: Thu Feb 22 17:00:46 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Mar 1 17:05:51 2024 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b1a213b2 vnstatd: update type=PROCTITLE msg=audit(21/02/24 22:54:36.792:69) : proctitle=/usr/sbin/vnstatd -n type=PATH msg=audit(21/02/24 22:54:36.792:69) : item=0 name=/dev/urandom inode=18 dev=00:2b mode=character,666 ouid=root ogid=root rdev=01:09 obj=system_u:object_r:urandom_device_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(21/02/24 22:54:36.792:69) : cwd=/ type=SYSCALL msg=audit(21/02/24 22:54:36.792:69) : arch=x86_64 syscall=openat success=yes exit=5 a0=AT_FDCWD a1=0x7f197cc66865 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=900 auid=unset uid=vnstat gid=vnstat euid=vnstat suid=vnstat fsuid=vnstat egid=vnstat sgid=vnstat fsgid=vnstat tty=(none) ses=unset comm=vnstatd exe=/usr/sbin/vnstatd subj=system_u:system_r:vnstatd_t:s0 key=(null) type=AVC msg=audit(21/02/24 22:54:36.792:69) : avc: denied { open } for pid=900 comm=vnstatd path=/dev/urandom dev=tmpfs ino=18 scontext=system_u:system_r:vnstatd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file permissive=1 type=AVC msg=audit(21/02/24 22:54:36.792:69) : avc: denied { read } for pid=900 comm=vnstatd name=urandom dev=tmpfs ino=18 scontext=system_u:system_r:vnstatd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file permissive=1 Signed-off-by: Christian Göttsche googlemail.com> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/services/vnstatd.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/services/vnstatd.te b/policy/modules/services/vnstatd.te index f8274d451..3be384a9a 100644 --- a/policy/modules/services/vnstatd.te +++ b/policy/modules/services/vnstatd.te 
@@ -48,6 +48,7 @@ kernel_read_system_state(vnstatd_t) # read /sys/class/net/eth0 dev_read_sysfs(vnstatd_t) +dev_read_urand(vnstatd_t) files_read_etc_files(vnstatd_t) files_search_var_lib(vnstatd_t)
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
commit: 2ce9c1574e77cfedf075413013b6247ff0e7f8ce Author: Christian Göttsche googlemail com> AuthorDate: Thu Feb 22 17:00:49 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Mar 1 17:05:54 2024 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2ce9c157 systemd: generator updates type=1400 audit(1708552475.580:3): avc: denied { getattr } for pid=528 comm="systemd-sysv-ge" path="/etc/init.d/auditd" dev="vda1" ino=262124 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:auditd_initrc_exec_t:s0 tclass=file permissive=1 type=1400 audit(1708552475.580:4): avc: denied { getattr } for pid=528 comm="systemd-sysv-ge" path="/usr/lib/systemd/system/auditd.service" dev="vda1" ino=395421 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:auditd_unit_t:s0 tclass=file permissive=1 type=1400 audit(1708552475.580:5): avc: denied { getattr } for pid=528 comm="systemd-sysv-ge" path="/etc/init.d/vnstat" dev="vda1" ino=261247 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:vnstatd_initrc_exec_t:s0 tclass=file permissive=1 type=1400 audit(1708552475.580:6): avc: denied { getattr } for pid=528 comm="systemd-sysv-ge" path="/usr/lib/systemd/system/vnstat.service" dev="vda1" ino=394196 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:vnstatd_unit_t:s0 tclass=file permissive=1 type=1400 audit(1708552475.580:7): avc: denied { getattr } for pid=528 comm="systemd-sysv-ge" path="/usr/lib/systemd/system/dbus-broker.service" dev="vda1" ino=394383 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:dbusd_unit_t:s0 tclass=file permissive=1 type=1400 audit(1708552475.584:8): avc: denied { getattr } for pid=528 comm="systemd-sysv-ge" path="/usr/lib/systemd/system/qemu-guest-agent.service" dev="vda1" ino=392981 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:qemu_unit_t:s0 tclass=file permissive=1 type=1400 
audit(1708552475.584:9): avc: denied { getattr } for pid=528 comm="systemd-sysv-ge" path="/usr/lib/systemd/system/ssh.service" dev="vda1" ino=393521 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:sshd_unit_t:s0 tclass=file permissive=1 Signed-off-by: Christian Göttsche googlemail.com> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/system/init.if| 20 policy/modules/system/systemd.te | 3 ++- 2 files changed, 22 insertions(+), 1 deletion(-) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if index 3e4192eb4..597fd169a 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -3858,6 +3858,26 @@ interface(`init_list_all_units',` read_lnk_files_pattern($1, systemdunit, systemdunit) ') + +## +## Get the attributes of systemd unit directories and the files in them. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_getattr_all_unit_files',` + gen_require(` + attribute systemdunit; + ') + + list_dirs_pattern($1, systemdunit, systemdunit) + getattr_files_pattern($1, systemdunit, systemdunit) + read_lnk_files_pattern($1, systemdunit, systemdunit) +') + ## ## Manage systemd unit dirs and the files in them diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index 63fef177b..e3af88033 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -536,10 +536,11 @@ init_rename_runtime_files(systemd_generator_t) init_search_runtime(systemd_generator_t) init_setattr_runtime_files(systemd_generator_t) init_write_runtime_files(systemd_generator_t) -init_list_all_units(systemd_generator_t) init_read_generic_units_files(systemd_generator_t) init_read_generic_units_symlinks(systemd_generator_t) init_read_script_files(systemd_generator_t) +init_getattr_all_unit_files(systemd_generator_t) +init_getattr_all_script_files(systemd_generator_t) kernel_use_fds(systemd_generator_t) kernel_read_system_state(systemd_generator_t)
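Review bot: The summary of the new `init_getattr_all_unit_files` says only "get the attributes", but its body also lists the unit directories and reads the symlinks in them, which is what the removed `init_list_all_units` call in systemd.te provided and what the replacement relies on. Suggest the summary describe the full grant: `## List systemd unit directories, read their symlinks, and get the attributes of the files in them.` Readers picking an interface by its summary would otherwise assume it is narrower than it is.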
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
commit: 2742ffe56eb2a1943c6ddbbd47071a6fa5437875 Author: Christian Göttsche googlemail com> AuthorDate: Thu Feb 22 17:00:40 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Mar 1 17:05:44 2024 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2742ffe5 selinuxutil: setfiles updates type=PROCTITLE msg=audit(21/02/24 22:31:50.044:122) : proctitle=restorecon -vRn -T0 / type=SYSCALL msg=audit(21/02/24 22:31:50.044:122) : arch=x86_64 syscall=sched_getaffinity success=yes exit=8 a0=0x0 a1=0x1000 a2=0x7fc235649bf0 a3=0x0 items=0 ppid=1103 pid=13398 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=1 comm=restorecon exe=/usr/sbin/setfiles subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(21/02/24 22:31:50.044:122) : avc: denied { getsched } for pid=13398 comm=restorecon scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=process permissive=1 type=PROCTITLE msg=audit(21/02/24 22:31:55.040:123) : proctitle=restorecon -vRn -T0 / type=PATH msg=audit(21/02/24 22:31:55.040:123) : item=0 name=/sys/fs/cgroup/user.slice/user-0.slice/user 0.service/memory.pressure inode=2455 dev=00:1b mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:memory_pressure_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(21/02/24 22:31:55.040:123) : cwd=/root/workspace/selinux/refpolicy/refpolicy type=SYSCALL msg=audit(21/02/24 22:31:55.040:123) : arch=x86_64 syscall=newfstatat success=yes exit=0 a0=AT_FDCWD a1=0x557264466530 a2=0x7fc2004cacc0 a3=0x100 items=1 ppid=1103 pid=13398 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=1 comm=restorecon exe=/usr/sbin/setfiles subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(21/02/24 22:31:55.040:123) : avc: 
denied { getattr } for pid=13398 comm=restorecon path=/sys/fs/cgroup/user.slice/user-0.slice/user 0.service/memory.pressure dev="cgroup2" ino=2455 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:memory_pressure_t:s0 tclass=file permissive=1 type=PROCTITLE msg=audit(21/02/24 22:32:15.512:126) : proctitle=restorecon -vRFn -T0 /usr/ type=PATH msg=audit(21/02/24 22:32:15.512:126) : item=0 name=/proc/sys/vm/overcommit_memory inode=41106 dev=00:16 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysctl_vm_overcommit_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(21/02/24 22:32:15.512:126) : cwd=/root/workspace/selinux/refpolicy/refpolicy type=SYSCALL msg=audit(21/02/24 22:32:15.512:126) : arch=x86_64 syscall=openat success=yes exit=3 a0=AT_FDCWD a1=0x7f59f7316810 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=1103 pid=13491 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=1 comm=restorecon exe=/usr/sbin/setfiles subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(21/02/24 22:32:15.512:126) : avc: denied { open } for pid=13491 comm=restorecon path=/proc/sys/vm/overcommit_memory dev="proc" ino=41106 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_vm_overcommit_t:s0 tclass=file permissive=1 type=AVC msg=audit(21/02/24 22:32:15.512:126) : avc: denied { read } for pid=13491 comm=restorecon name=overcommit_memory dev="proc" ino=41106 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_vm_overcommit_t:s0 tclass=file permissive=1 Signed-off-by: Christian Göttsche googlemail.com> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/kernel/filesystem.if | 18 ++ policy/modules/system/selinuxutil.te | 3 +++ 2 files changed, 21 insertions(+) 
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if index e529b187f..08ad5503d 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -1271,6 +1271,24 @@ interface(`fs_cgroup_filetrans_memory_pressure',` fs_cgroup_filetrans($1, memory_pressure_t, $2, $3) ') + +## +## Get the attributes of cgroup's memory.pressure files. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_getattr_memory_pressure',` + gen_require(` + type memory_pressure_t; + ') + + allow $1 memory_pressure_t:file getattr; +') + ## ## Allow managing a cgroup's memory.pressure file to get notifications diff --git a/policy/modules/system/selinuxutil.te
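Review bot: `fs_getattr_memory_pressure` grants only `getattr` on the memory.pressure file itself; reaching that file under cgroup2 still needs search on the cgroup directories, which a caller has to obtain separately (e.g. `fs_search_cgroup_dirs`). A one-line note in the interface description would spare callers a second round of denials: `## Callers also need search access to the cgroup directories.` The selinuxutil.te hunk of this commit is cut off at the end of the page, so the caller side could not be checked here.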
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/
commit: a1f8db5c896e3aef75922cf3ff53ccd53e00f79f Author: Christian Göttsche googlemail com> AuthorDate: Thu Feb 22 17:00:43 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Mar 1 17:05:48 2024 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a1f8db5c fs: mark memory pressure type as file Associate the type memory_pressure_t with the attribute file_type, so all attribute based rules apply, e.g. for unconfined_t. Signed-off-by: Christian Göttsche googlemail.com> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/kernel/filesystem.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te index 7ffac9812..f21fc71e9 100644 --- a/policy/modules/kernel/filesystem.te +++ b/policy/modules/kernel/filesystem.te @@ -100,6 +100,7 @@ genfscon cgroup2 / gen_context(system_u:object_r:cgroup_t,s0) # the rest of the cgroup tree. type memory_pressure_t; typeattribute memory_pressure_t cgroup_types; +files_type(memory_pressure_t) dev_associate_sysfs(memory_pressure_t) type configfs_t;
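Review bot: Attaching file_type to memory_pressure_t widens access well beyond unconfined_t: every rule written against the file_type attribute (read-all, manage-all, relabel and similar) now also matches memory.pressure, a file that is written to register pressure-stall triggers. The commit message names unconfined_t as the motivation; if that is the only consumer, a targeted rule for it would be the narrower change. If the attribute is intended, a comment beside the line recording the reason keeps it from being questioned again, e.g. `# file_type so attribute-based rules (e.g. for unconfined_t) cover memory.pressure`.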
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/
commit: b093761cac708c6320ea8588f089cb98fd974a24 Author: Christian Göttsche googlemail com> AuthorDate: Thu Feb 22 17:00:44 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Mar 1 17:05:50 2024 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b093761c systemd: binfmt updates type=PROCTITLE msg=audit(21/02/24 22:54:36.708:53) : proctitle=/usr/lib/systemd/systemd-binfmt type=SYSCALL msg=audit(21/02/24 22:54:36.708:53) : arch=x86_64 syscall=fstatfs success=yes exit=0 a0=0x5 a1=0x7ffc547fbda0 a2=0x0 a3=0x0 items=0 ppid=1 pid=694 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-binfmt exe=/usr/lib/systemd/systemd-binfmt subj=system_u:system_r:systemd_binfmt_t:s0 key=(null) type=AVC msg=audit(21/02/24 22:54:36.708:53) : avc: denied { getattr } for pid=694 comm=systemd-binfmt name=/ dev=binfmt_misc ino=1 scontext=system_u:system_r:systemd_binfmt_t:s0 tcontext=system_u:object_r:binfmt_misc_fs_t:s0 tclass=filesystem permissive=1 type=PROCTITLE msg=audit(21/02/24 22:54:36.708:54) : proctitle=/usr/lib/systemd/systemd-binfmt type=PATH msg=audit(21/02/24 22:54:36.708:54) : item=0 name=/proc/self/fd/4 inode=1 dev=00:27 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:binfmt_misc_fs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(21/02/24 22:54:36.708:54) : cwd=/ type=SYSCALL msg=audit(21/02/24 22:54:36.708:54) : arch=x86_64 syscall=access success=yes exit=0 a0=0x7ffc547fbdf0 a1=W_OK a2=0x0 a3=0x0 items=1 ppid=1 pid=694 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-binfmt exe=/usr/lib/systemd/systemd-binfmt subj=system_u:system_r:systemd_binfmt_t:s0 key=(null) type=AVC msg=audit(21/02/24 22:54:36.708:54) : avc: denied { write } for pid=694 comm=systemd-binfmt name=/ dev=binfmt_misc ino=1 
scontext=system_u:system_r:systemd_binfmt_t:s0 tcontext=system_u:object_r:binfmt_misc_fs_t:s0 tclass=dir permissive=1 Signed-off-by: Christian Göttsche googlemail.com> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/kernel/filesystem.if | 37 + policy/modules/system/systemd.te| 6 ++ 2 files changed, 43 insertions(+) diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if index 08ad5503d..ae022b6c0 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -602,6 +602,24 @@ interface(`fs_manage_autofs_symlinks',` manage_lnk_files_pattern($1, autofs_t, autofs_t) ') + +## +## Get the attributes of binfmt_misc filesystems. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_getattr_binfmt_misc_fs',` + gen_require(` + type binfmt_misc_fs_t; + ') + + allow $1 binfmt_misc_fs_t:filesystem getattr; +') + ## ## Get the attributes of directories on @@ -622,6 +640,25 @@ interface(`fs_getattr_binfmt_misc_dirs',` ') + +## +## Check for permissions using access(2) of directories on +## binfmt_misc filesystems. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_check_write_binfmt_misc_dirs',` + gen_require(` + type binfmt_misc_fs_t; + ') + + allow $1 binfmt_misc_fs_t:dir { getattr write }; +') + ## ## Register an interpreter for new binary diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index 6d07466e6..63fef177b 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -401,6 +401,7 @@ fs_search_cgroup_dirs(systemd_backlight_t) # kernel_read_kernel_sysctls(systemd_binfmt_t) +kernel_getattr_proc(systemd_binfmt_t) systemd_log_parse_environment(systemd_binfmt_t) 
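Review bot: `fs_check_write_binfmt_misc_dirs` grants `write` on binfmt_misc_fs_t directories, but its description only says it allows an access(2) check; SELinux has no separate permission for access(2), so the domain really does receive directory write. Suggest the description say so: `## Check for write permission using access(2) on, and write to, directories on binfmt_misc filesystems.` As far as I know, without add_name/remove_name this still does not let the domain create or unlink entries, which is worth a second line in the description so the scope is clear.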
@@ -409,6 +410,11 @@ files_read_etc_files(systemd_binfmt_t) fs_register_binary_executable_type(systemd_binfmt_t) +fs_getattr_binfmt_misc_fs(systemd_binfmt_t) +fs_check_write_binfmt_misc_dirs(systemd_binfmt_t) + +fs_getattr_cgroup(systemd_binfmt_t) +fs_search_cgroup_dirs(systemd_binfmt_t) ## #
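Review bot: `fs_getattr_cgroup` and `fs_search_cgroup_dirs` for systemd_binfmt_t are not explained by the commit: the audit records quoted in the message show only the binfmt_misc filesystem getattr and the `access(W_OK)` on its root directory. If they stem from a further denial, the message or a comment should say so, e.g. `# systemd-binfmt checks its cgroup` if that was the actual trigger, so the grant stays auditable. If not, they look like an unrelated widening and should be split out or dropped.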
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
commit: 6d1c3e8b33d3134dbe1767539363491a5f1600ea Author: Christian Göttsche googlemail com> AuthorDate: Thu Feb 22 17:00:33 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Mar 1 17:05:43 2024 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6d1c3e8b virt: label qemu configuration directory Signed-off-by: Christian Göttsche googlemail.com> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/services/virt.fc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/policy/modules/services/virt.fc b/policy/modules/services/virt.fc index ab5d0885d..9c209d8f0 100644 --- a/policy/modules/services/virt.fc +++ b/policy/modules/services/virt.fc @@ -9,6 +9,8 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t /etc/libvirt/[^/]* -d gen_context(system_u:object_r:virt_etc_rw_t,s0) /etc/libvirt/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0) +/etc/qemu(/.*)?gen_context(system_u:object_r:virt_etc_t,s0) + /etc/rc\.d/init\.d/(libvirt-bin|libvirtd) -- gen_context(system_u:object_r:virtd_initrc_exec_t,s0) /etc/xen -d gen_context(system_u:object_r:virt_etc_t,s0)
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
commit: 103deadfb6e257799ebf9026cae8a409e0c5a353 Author: Christian Göttsche googlemail com> AuthorDate: Thu Feb 22 17:00:41 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Mar 1 17:05:46 2024 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=103deadf selinuxutil: ignore getattr proc in newrole type=PROCTITLE msg=audit(02/21/24 22:42:44.555:112) : proctitle=newrole -r sysadm_r type=SYSCALL msg=audit(02/21/24 22:42:44.555:112) : arch=x86_64 syscall=fstatfs success=yes exit=0 a0=0x3 a1=0x7ffc75fe1990 a2=0x0 a3=0x0 items=0 ppid=946 pid=1001 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=newrole exe=/usr/bin/newrole subj=root:staff_r:newrole_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(02/21/24 22:42:44.555:112) : avc: denied { getattr } for pid=1001 comm=newrole name=/ dev=proc ino=1 scontext=root:staff_r:newrole_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=1 Signed-off-by: Christian Göttsche googlemail.com> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/system/selinuxutil.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te index b1213aa76..4d8624c6b 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te @@ -251,6 +251,7 @@ read_lnk_files_pattern(newrole_t, default_context_t, default_context_t) kernel_read_system_state(newrole_t) kernel_read_kernel_sysctls(newrole_t) +kernel_dontaudit_getattr_proc(newrole_t) corecmd_list_bin(newrole_t)
[gentoo-commits] proj/hardened-refpolicy:master commit in: /
commit: d4a01ab0b955623422eade1f35368a2ee3983db9 Author: Christian Göttsche googlemail com> AuthorDate: Thu Feb 22 16:41:28 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Mar 1 17:05:41 2024 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d4a01ab0 Makefile: use sepolgen-ifgen-attr-helper from test toolchain When building with a non default toolchain by setting the environment variable TEST_TOOLCHAIN also use the sepolgen-ifgen helper binary sepolgen-ifgen-attr-helper from this toolchain. Signed-off-by: Christian Göttsche googlemail.com> Signed-off-by: Kenton Groombridge gentoo.org> Makefile | 4 1 file changed, 4 insertions(+) diff --git a/Makefile b/Makefile index 3f1d30605..82df20454 100644 --- a/Makefile +++ b/Makefile @@ -62,7 +62,11 @@ SEMOD_PKG ?= $(tc_usrbindir)/semodule_package SEMOD_LNK ?= $(tc_usrbindir)/semodule_link SEMOD_EXP ?= $(tc_usrbindir)/semodule_expand LOADPOLICY ?= $(tc_usrsbindir)/load_policy +ifdef TEST_TOOLCHAIN +SEPOLGEN_IFGEN ?= $(tc_usrbindir)/sepolgen-ifgen --attr-helper $(TEST_TOOLCHAIN)$(BINDIR)/sepolgen-ifgen-attr-helper +else SEPOLGEN_IFGEN ?= $(tc_usrbindir)/sepolgen-ifgen +endif SETFILES ?= $(tc_sbindir)/setfiles SEFCONTEXT_COMPILE ?= $(tc_usrsbindir)/sefcontext_compile XMLLINT ?= $(BINDIR)/xmllint
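Review bot: The helper path is spelled `$(TEST_TOOLCHAIN)$(BINDIR)` rather than reusing `$(tc_usrbindir)`, presumably because the latter carries the `env LD_LIBRARY_PATH=…` prefix (visible in the Makefile hunk of the PYTHONPATH commit on this page) and so cannot serve as a path argument. A comment would stop someone from "simplifying" it later: `# --attr-helper takes a path, so $(tc_usrbindir) (an env prefix) cannot be used here`.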
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/support/
commit: 35167ff4b12c7285fcfed384d4a3bac2ca6eed85 Author: Christian Göttsche googlemail com> AuthorDate: Thu Feb 22 16:27:36 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Mar 1 17:05:35 2024 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=35167ff4 Support multi-line interface calls Support splitting the call of an interface over multiple lines, e.g. for interfaces with a long list as argument: term_control_unallocated_ttys(udev_t, { ioctl_kdgkbtype ioctl_kdgetmode ioctl_pio_unimap ioctl_pio_unimapclr ioctl_kdfontop ioctl_tcgets }) Signed-off-by: Christian Göttsche googlemail.com> Signed-off-by: Kenton Groombridge gentoo.org> policy/support/loadable_module.spt | 13 + 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/policy/support/loadable_module.spt b/policy/support/loadable_module.spt index 1f6163054..93e793961 100644 --- a/policy/support/loadable_module.spt +++ b/policy/support/loadable_module.spt @@ -53,6 +53,11 @@ define(`policy_m4_comment',` # $2 depth: $1 ')dnl +define(NL,` +')dnl + +define(`chomp', `translit(`$1',NL,` ')')dnl + ## # # In the future interfaces should be in loadable modules @@ -63,10 +68,10 @@ define(`template',` dnl ifdef(`$1',`refpolicyerr(`duplicate definition of $1(). Original definition on '$1.) define(`__if_error')',`define(`$1',__file__:__line__)') dnl `define(`$1',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `$1'(dollarsstar)) dnl + policy_m4_comment(policy_call_depth,begin `$1'(chomp(dollarsstar))) dnl $2 dnl popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `$1'(dollarsstar)) dnl + policy_m4_comment(policy_call_depth,end `$1'(chomp(dollarsstar))) dnl '') ') 
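Review bot: `define(NL,…)` leaves the macro name unquoted, unlike every other definition in this file (`chomp` right below it, `policy_m4_comment`, `template`); if `NL` were already defined it would be expanded before the define runs. Write it as `` define(`NL',` `` … `` ')dnl `` for consistency. Separately, `NL` is a short, global token, so any bare word `NL` in policy sources that m4 processes would now be replaced by a newline; a longer, prefixed name would be safer against collisions. The second and third hunks of this commit (in `template` and `interface`) only wrap `dollarsstar` with `chomp` and need no change.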
@@ -80,10 +85,10 @@ define(`interface',` dnl ifdef(`$1',`refpolicyerr(`duplicate definition of $1(). Original definition on '$1.) define(`__if_error')',`define(`$1',__file__:__line__)') dnl `define(`$1',` dnl pushdef(`policy_call_depth',incr(policy_call_depth)) dnl - policy_m4_comment(policy_call_depth,begin `$1'(dollarsstar)) dnl + policy_m4_comment(policy_call_depth,begin `$1'(chomp(dollarsstar))) dnl $2 dnl popdef(`policy_call_depth') dnl - policy_m4_comment(policy_call_depth,end `$1'(dollarsstar)) dnl + policy_m4_comment(policy_call_depth,end `$1'(chomp(dollarsstar))) dnl '') ')
[gentoo-commits] proj/hardened-refpolicy:master commit in: /
commit: 2dce7975e36e015abbe53d9749d5db5344d79d34 Author: Christian Göttsche googlemail com> AuthorDate: Thu Feb 22 16:38:21 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Mar 1 17:05:39 2024 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2dce7975 Rules.modular: use temporary file to not ignore error Save the result of the m4 command into a temporary file and split the commands, to avoid ignoring failures of the first command. Signed-off-by: Christian Göttsche googlemail.com> Signed-off-by: Kenton Groombridge gentoo.org> Rules.modular | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Rules.modular b/Rules.modular index f7ee2c11f..c731ea01d 100644 --- a/Rules.modular +++ b/Rules.modular @@ -119,8 +119,8 @@ $(tmpdir)/seusers: $(seusers) $(users_extra): $(m4support) $(user_files) @test -d $(tmpdir) || mkdir -p $(tmpdir) - $(verbose) $(M4) $(M4PARAM) -D users_extra $^ | \ - $(SED) -r -n -e 's/^[[:blank:]]*//g' -e '/^user/p' > $@ + $(verbose) $(M4) $(M4PARAM) -D users_extra $^ > $(tmpdir)/$(@F).tmp + $(verbose) $(SED) -r -n -e 's/^[[:blank:]]*//g' -e '/^user/p' $(tmpdir)/$(@F).tmp > $@ #
[gentoo-commits] proj/hardened-refpolicy:master commit in: support/, policy/support/
commit: 85d57ceba1e3c39f6fac27a32b39fb6539166552 Author: Christian Göttsche googlemail com> AuthorDate: Thu Feb 22 16:22:50 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Mar 1 17:05:34 2024 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=85d57ceb fix misc typos Signed-off-by: Christian Göttsche googlemail.com> Signed-off-by: Kenton Groombridge gentoo.org> policy/support/loadable_module.spt | 2 +- policy/support/mls_mcs_macros.spt | 2 +- support/genhomedircon.py | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/policy/support/loadable_module.spt b/policy/support/loadable_module.spt index 606ee80d0..1f6163054 100644 --- a/policy/support/loadable_module.spt +++ b/policy/support/loadable_module.spt @@ -47,7 +47,7 @@ define(`gen_require',` ') ') -# helper function, since m4 wont expand macros +# helper function, since m4 will not expand macros # if a line is a comment (#): define(`policy_m4_comment',` # $2 depth: $1 diff --git a/policy/support/mls_mcs_macros.spt b/policy/support/mls_mcs_macros.spt index 7593e20d0..7d1293301 100644 --- a/policy/support/mls_mcs_macros.spt +++ b/policy/support/mls_mcs_macros.spt @@ -15,7 +15,7 @@ define(`gen_cats',`decl_cats(0,decr($1))') # # gen_sens(N) # -# declares sensitivites s0 to s(N-1) with dominance +# declares sensitivities s0 to s(N-1) with dominance # in increasing numeric order with s0 lowest, s(N-1) highest # define(`decl_sens',`dnl diff --git a/support/genhomedircon.py b/support/genhomedircon.py index d5177ee4a..b865a07c8 100644 --- a/support/genhomedircon.py +++ b/support/genhomedircon.py @@ -51,7 +51,7 @@ def getStartingUID(): rc=getstatusoutput("grep -h '^UID_MIN' /etc/login.defs") if rc[0] == 0: uid_min = re.sub("^UID_MIN[^0-9]*", "", rc[1]) - #stip any comment from the end of the line + #strip any comment from the end of the line uid_min = uid_min.split("#")[0] uid_min = uid_min.strip() if int(uid_min) < starting_uid: 
@@ -59,7 +59,7 @@ def getStartingUID(): rc=getstatusoutput("grep -h '^LU_UIDNUMBER' /etc/libuser.conf") if rc[0] == 0: lu_uidnumber = re.sub("^LU_UIDNUMBER[^0-9]*", "", rc[1]) - #stip any comment from the end of the line + #strip any comment from the end of the line lu_uidnumber = re.sub("[ \t].*", "", lu_uidnumber) lu_uidnumber = lu_uidnumber.split("#")[0] lu_uidnumber = lu_uidnumber.strip()
[gentoo-commits] proj/hardened-refpolicy:master commit in: /
commit: 70c06276d352e4513bd68ca085b07e5e2d8e6205 Author: Christian Göttsche googlemail com> AuthorDate: Thu Feb 22 16:32:50 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Mar 1 17:05:38 2024 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=70c06276 Rules.monolithic: pre-compile fcontexts on install On install pre-compile the file contexts. Signed-off-by: Christian Göttsche googlemail.com> Signed-off-by: Kenton Groombridge gentoo.org> Makefile | 1 + Rules.monolithic | 6 ++ 2 files changed, 7 insertions(+) diff --git a/Makefile b/Makefile index b93e133be..3f1d30605 100644 --- a/Makefile +++ b/Makefile @@ -64,6 +64,7 @@ SEMOD_EXP ?= $(tc_usrbindir)/semodule_expand LOADPOLICY ?= $(tc_usrsbindir)/load_policy SEPOLGEN_IFGEN ?= $(tc_usrbindir)/sepolgen-ifgen SETFILES ?= $(tc_sbindir)/setfiles +SEFCONTEXT_COMPILE ?= $(tc_usrsbindir)/sefcontext_compile XMLLINT ?= $(BINDIR)/xmllint SECHECK ?= $(BINDIR)/sechecker diff --git a/Rules.monolithic b/Rules.monolithic index d6d0e6f28..d6e20a371 100644 --- a/Rules.monolithic +++ b/Rules.monolithic @@ -232,6 +232,12 @@ $(fcpath): $(fc) $(loadpath) $(userpath)/system.users $(verbose) $(INSTALL) -m 0644 $(fc) $(fcpath) $(verbose) $(INSTALL) -m 0644 $(homedir_template) $(homedirpath) $(verbose) $(UMASK) 022 ; $(genhomedircon) -d $(topdir) -t $(NAME) + $(verbose) if $(SEFCONTEXT_COMPILE) -i > /dev/null 2>&1 ; then \ + $(SEFCONTEXT_COMPILE) $(fcpath) ;\ + $(SEFCONTEXT_COMPILE) $(fcpath).homedirs ;\ + else \ + echo "$@ Pre-compiled file context not generated! Please install the sefcontext_compile tool (commonly part of libselinux-utils)." ;\ + fi #
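Review bot: In the added `if` block a failure of the first `$(SEFCONTEXT_COMPILE) $(fcpath)` call is masked whenever the second call succeeds, because make only sees the exit status of the last command in the shell line, so a missing or half-written `file_contexts.bin` would not fail the install. Chain the two compilations so either failure aborts: `$(SEFCONTEXT_COMPILE) $(fcpath) && $(SEFCONTEXT_COMPILE) $(fcpath).homedirs ;\`. The `$(SEFCONTEXT_COMPILE) -i` probe is also used only to detect presence of the tool, yet any non-zero exit for another reason silently skips pre-compilation and prints the hint to stdout; `test -x $(SEFCONTEXT_COMPILE)` as the probe and `>&2` on the echo would make that path explicit. The `$(fcpath)` recipe begins outside the hunk.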
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/
commit: 28556c70623efdadf8cb93fd004bd8385638be65 Author: Christian Göttsche googlemail com> AuthorDate: Thu Feb 22 16:28:11 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Mar 1 17:05:37 2024 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=28556c70 policy_capabilities: remove estimated from released versions Signed-off-by: Christian Göttsche googlemail.com> Signed-off-by: Kenton Groombridge gentoo.org> policy/policy_capabilities | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policy/policy_capabilities b/policy/policy_capabilities index b800997f3..c6b84d8c7 100644 --- a/policy/policy_capabilities +++ b/policy/policy_capabilities @@ -108,7 +108,7 @@ policycap nnp_nosuid_transition; #policycap genfs_seclabel_symlinks; # Always allow FIOCLEX and FIONCLEX ioctl. -# Requires libsepol 3.4 (estimated) and kernel 5.18 (estimated). +# Requires libsepol 3.4 and kernel 5.18. # # Removed checks: # common file/socket: ioctl { 0x5450 0x5451 }
[gentoo-commits] proj/hardened-refpolicy:master commit in: support/
commit: 83d40084db8ceeaa3225e915ea8d8e9ebfbe878e Author: Christian Göttsche googlemail com> AuthorDate: Thu Feb 22 16:12:56 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Mar 1 17:05:33 2024 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=83d40084 support/genhomedircon: support usr prefixed paths Signed-off-by: Christian Göttsche googlemail.com> Signed-off-by: Kenton Groombridge gentoo.org> support/genhomedircon.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/support/genhomedircon.py b/support/genhomedircon.py index 2721bd7df..d5177ee4a 100644 --- a/support/genhomedircon.py +++ b/support/genhomedircon.py @@ -43,7 +43,7 @@ import sys, pwd, getopt, re, os from subprocess import getstatusoutput -EXCLUDE_LOGINS=["/sbin/nologin", "/bin/false"] +EXCLUDE_LOGINS=["/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/usr/bin/false"] def getStartingUID():
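Review bot: The extended list still compares the shell field by exact string, so on layouts where nologin lives under /usr/bin (some merged-sbin distributions, to my knowledge) the account is not excluded and genhomedircon keeps emitting home-directory contexts for it. If that layout matters for this tree, add `"/usr/bin/nologin"` to `EXCLUDE_LOGINS` alongside the new entries; matching on the basename would also cover it but widens the match, so the explicit list is the safer form.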
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/flask/
commit: 9002ef977497033f6d26368ceaa12fbd154ce38d Author: Christian Göttsche googlemail com> AuthorDate: Thu Feb 22 16:12:36 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Mar 1 17:05:31 2024 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9002ef97 access_vectors: define io_uring { cmd } Added in Linux 6.0. Link: https://github.com/SELinuxProject/selinux-kernel/commit/f4d653dcaa4e4056e1630423e6a8ece4869b544f Signed-off-by: Christian Göttsche googlemail.com> Signed-off-by: Kenton Groombridge gentoo.org> policy/flask/access_vectors | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors index a22b11a7e..b260f9d24 100644 --- a/policy/flask/access_vectors +++ b/policy/flask/access_vectors @@ -1071,6 +1071,7 @@ class io_uring { override_creds sqpoll + cmd } class user_namespace
[gentoo-commits] proj/hardened-refpolicy:master commit in: doc/
commit: 8c8f4a31a3896a10963b987691b7c7b87ce18842 Author: Kenton Groombridge gentoo org> AuthorDate: Fri Oct 20 21:29:46 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Oct 20 21:30:05 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8c8f4a31 Update generated policy and doc files Signed-off-by: Kenton Groombridge gentoo.org> doc/policy.xml | 670 ++--- 1 file changed, 350 insertions(+), 320 deletions(-) diff --git a/doc/policy.xml b/doc/policy.xml index e96f1ea28..8ae22432d 100644 --- a/doc/policy.xml +++ b/doc/policy.xml @@ -58392,7 +58392,17 @@ Domain allow access. - + + +unmount a sysfs filesystem + + + +Domain allowed access. + + + + Do not audit getting the attributes of sysfs filesystem @@ -58402,7 +58412,7 @@ Domain to dontaudit access from - + Dont audit attempts to read hardware state information @@ -58412,7 +58422,7 @@ Domain for which the attempts do not need to be audited - + Mount on sysfs directories. @@ -58422,7 +58432,7 @@ Domain allowed access. - + Search the sysfs directories. @@ -58432,7 +58442,7 @@ Domain allowed access. - + Do not audit attempts to search sysfs. @@ -58442,7 +58452,7 @@ Domain to not audit. - + List the contents of the sysfs directories. @@ -58452,7 +58462,7 @@ Domain allowed access. - + Write in a sysfs directories. @@ -58462,7 +58472,7 @@ Domain allowed access. - + Do not audit attempts to write in a sysfs directory. @@ -58472,7 +58482,7 @@ Domain to not audit. - + Do not audit attempts to write to a sysfs file. @@ -58482,7 +58492,7 @@ Domain to not audit. - + Create, read, write, and delete sysfs directories. @@ -58493,7 +58503,7 @@ Domain allowed access. - + Read hardware state information. @@ -58512,7 +58522,7 @@ Domain allowed access. - + Write to hardware state information. @@ -58529,7 +58539,7 @@ Domain allowed access. - + Allow caller to modify hardware state information. @@ -58539,7 +58549,7 @@ Domain allowed access. - + Add a sysfs file 
@@ -58549,7 +58559,7 @@ Domain allowed access. - + Relabel hardware state directories. @@ -58559,7 +58569,7 @@ Domain allowed access. - + Relabel from/to all sysfs types. @@ -58569,7 +58579,7 @@ Domain allowed access. - + Set the attributes of sysfs files, directories and symlinks. @@ -58579,7 +58589,7 @@ Domain allowed access. - + Read and write the TPM device. @@ -58589,7 +58599,7 @@ Domain allowed access. - + Read from pseudo random number generator devices (e.g., /dev/urandom). @@ -58622,7 +58632,7 @@ Domain allowed access. - + Do not audit attempts to read from pseudo random devices (e.g., /dev/urandom) @@ -58633,7 +58643,7 @@ Domain to not audit. - + Write to the pseudo random device (e.g., /dev/urandom). This sets the random number generator seed. @@ -58644,7 +58654,7 @@ Domain allowed access. - + Create the urandom device (/dev/urandom). @@ -58654,7 +58664,7 @@ Domain allowed access. - + Set attributes on the urandom device (/dev/urandom). @@ -58664,7 +58674,7 @@ Domain allowed access. - + Getattr generic the USB devices. @@ -58674,7 +58684,7 @@ Domain allowed access. - + Setattr generic the USB devices. @@ -58684,7 +58694,7 @@ Domain allowed access. - + Read generic the USB devices. @@ -58694,7 +58704,7 @@ Domain allowed access. - + Read and write generic the USB devices. @@ -58704,7 +58714,7 @@ Domain allowed access. - + Relabel generic the USB devices. @@ -58714,7 +58724,7 @@ Domain allowed access. - + Read USB monitor devices. @@ -58724,7 +58734,7 @@ Domain allowed access. - + Write USB monitor devices. @@ -58734,7 +58744,7 @@ Domain allowed access. - + Mount a usbfs filesystem. @@ -58744,7 +58754,7 @@ Domain allowed access. - + Associate a file to a usbfs filesystem. @@ -58754,7 +58764,7 @@ The type of the file to be associated to usbfs. - + Get the attributes of a directory in the usb filesystem. @@ -58764,7 +58774,7 @@ Domain allowed access. - + Do not audit attempts to get the attributes of a directory in the usb filesystem. 
@@ -58775,7 +58785,7 @@ Domain to not audit. - + Search the directory containing USB hardware information. @@ -58785,7 +58795,7 @@ Domain allowed access. - + Allow caller to get a list of usb hardware. @@ -58795,7 +58805,7 @@ Domain allowed access. - + Set the attributes of usbfs filesystem. @@ -58805,7 +58815,7 @@ Domain allowed access. - + Read USB hardware information using the usbfs filesystem interface. @@ -58816,7 +58826,7 @@ Domain allowed access. - + Allow caller to modify usb hardware configuration files. @@ -58826,7 +58836,7 @@ Domain
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
commit: 4751bfa9ef38a4d38494cadea1fa83a69881d5fa Author: Russell Coker coker com au> AuthorDate: Sat Oct 7 02:56:52 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Oct 20 21:28:39 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4751bfa9 Changes to eg25manager and modemmanager needed for firmware upload on pinephonepro Signed-off-by: Russell Coker coker.com.au> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/services/eg25manager.te | 11 ++- policy/modules/services/modemmanager.te | 18 -- 2 files changed, 26 insertions(+), 3 deletions(-) diff --git a/policy/modules/services/eg25manager.te b/policy/modules/services/eg25manager.te index 92fd3e4f8..f305a9a01 100644 --- a/policy/modules/services/eg25manager.te +++ b/policy/modules/services/eg25manager.te @@ -57,8 +57,10 @@ files_read_usr_files(eg25manager_t) logging_send_syslog_msg(eg25manager_t) miscfiles_read_generic_certs(eg25manager_t) +miscfiles_read_localization(eg25manager_t) -modemmanager_dbus_chat(eg25manager_t) +# will not upload to pinephone modem without this +selinux_get_fs_mount(eg25manager_t) sysnet_read_config(eg25manager_t) @@ -66,3 +68,10 @@ systemd_dbus_chat_logind(eg25manager_t) systemd_read_resolved_runtime(eg25manager_t) systemd_use_logind_fds(eg25manager_t) systemd_write_inherited_logind_inhibit_pipes(eg25manager_t) + +term_use_unallocated_ttys(eg25manager_t) + +optional_policy(` + modemmanager_dbus_chat(eg25manager_t) +') + diff --git a/policy/modules/services/modemmanager.te b/policy/modules/services/modemmanager.te index 5801baedd..b94117bff 100644 --- a/policy/modules/services/modemmanager.te +++ b/policy/modules/services/modemmanager.te 
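Review bot: `term_use_unallocated_ttys(eg25manager_t)` in the second eg25manager hunk grants read/write on every tty device that carries no specific label, which is far wider than the single serial port the modem firmware upload needs. If the port's device name is stable, a file context for it plus the matching `dev_rw_*` interface (as `dev_rw_modem` already does for modemmanager_t in this same commit) would keep the grant to one device; if it is not, the line should at least carry a comment recording which device produced the denial, e.g. `# pinephone modem serial port is not labelled yet`, so the broad rule can be retired later.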
@@ -15,16 +15,30 @@ init_daemon_domain(modemmanager_t, modemmanager_exec_t) # allow modemmanager_t self:capability { net_admin sys_admin sys_tty_config }; -allow modemmanager_t self:process { getsched signal }; +allow modemmanager_t self:process { getsched setsched signal setpgid }; allow modemmanager_t self:fifo_file rw_fifo_file_perms; -allow modemmanager_t self:unix_stream_socket create_stream_socket_perms; +allow modemmanager_t self:unix_stream_socket { connectto create_stream_socket_perms }; allow modemmanager_t self:netlink_kobject_uevent_socket create_socket_perms; +allow modemmanager_t self:netlink_route_socket { create getattr getopt nlmsg_write read write }; +allow modemmanager_t self:qipcrtr_socket { create getattr getopt read write }; + +# ModemManager calls mmap(PROT_READ|PROT_WRITE|PROT_EXEC) +allow modemmanager_t self:process execmem; kernel_read_system_state(modemmanager_t) +kernel_request_load_module(modemmanager_t) + +# for qmi/pass_through +dev_create_sysfs_files(modemmanager_t) +dev_getattr_sysfs(modemmanager_t) dev_read_sysfs(modemmanager_t) +dev_write_sysfs(modemmanager_t) dev_rw_modem(modemmanager_t) +# for /usr/libexec/qmi-proxy +corecmd_exec_bin(modemmanager_t) + files_read_etc_files(modemmanager_t) term_use_generic_ptys(modemmanager_t)
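Review bot: `allow modemmanager_t self:process execmem;` lets the daemon map anonymous memory that is both writable and executable, removing W^X from a process that the context line above shows already holds net_admin and sys_admin; the comment records the mmap call but not which component makes it, so the grant cannot be revisited once the need goes away. Record the origin and make the grant conditional, e.g. `# TODO: execmem needed by <library> for PROT_EXEC mmap, see <upstream issue>`, and wrap it in a tunable or keep it as a dontaudit until the requirement is confirmed. The `dev_write_sysfs`/`dev_create_sysfs_files` pair added "for qmi/pass_through" likewise covers all of sysfs rather than the one attribute file; a narrower interface, if one exists for that device node, would be preferable. The modemmanager_t declarations begin outside the hunk.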
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
commit: 3b0568041bb3c496b5d776b1961763a32d184379 Author: Yi Zhao windriver com> AuthorDate: Sat Oct 7 02:33:31 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Oct 20 21:28:39 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3b056804 systemd: use init_daemon_domain instead of init_system_domain for systemd-networkd and systemd-resolved Systemd-networkd and systemd-resolved are daemons. Fixes: avc: denied { write } for pid=277 comm="systemd-resolve" name="notify" dev="tmpfs" ino=31 scontext=system_u:system_r:systemd_resolved_t tcontext=system_u:object_r:systemd_runtime_notify_t tclass=sock_file permissive=1 avc: denied { write } for pid=324 comm="systemd-network" name="notify" dev="tmpfs" ino=31 scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:object_r:systemd_runtime_notify_t tclass=sock_file permissive=1 Signed-off-by: Yi Zhao windriver.com> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/system/systemd.te | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index b14511c24..bf3a0e14e 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -199,7 +199,7 @@ init_daemon_domain(systemd_modules_load_t, systemd_modules_load_exec_t) type systemd_networkd_t; type systemd_networkd_exec_t; -init_system_domain(systemd_networkd_t, systemd_networkd_exec_t) +init_daemon_domain(systemd_networkd_t, systemd_networkd_exec_t) type systemd_networkd_runtime_t alias systemd_networkd_var_run_t; files_runtime_file(systemd_networkd_runtime_t) @@ -235,7 +235,7 @@ files_type(systemd_pstore_var_lib_t) type systemd_resolved_t; type systemd_resolved_exec_t; -init_system_domain(systemd_resolved_t, systemd_resolved_exec_t) +init_daemon_domain(systemd_resolved_t, systemd_resolved_exec_t) type systemd_resolved_runtime_t alias systemd_resolved_var_run_t; files_runtime_file(systemd_resolved_runtime_t)
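Review bot: Switching to `init_daemon_domain` fixes the two notify-socket denials by attaching the whole `daemon` attribute to systemd_networkd_t and systemd_resolved_t, which grants considerably more than the single sock_file write quoted in the message (the attribute carries its own rule block in init.te, including the `init_daemons_use_tty` tunable and the notify-socket write). If only the denial needs fixing, `systemd_write_notify_socket(systemd_networkd_t)` and the resolved equivalent keep these two network-facing daemons in the narrower `init_system_domain` set; if the wider change is intended, the commit message should say so, since it does not follow from the avc lines.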
[gentoo-commits] proj/hardened-refpolicy:master commit in: gentoo/
commit: d26d077b9a6a665bf5c89ab460ef0a89a7cf7f24 Author: Kenton Groombridge gentoo org> AuthorDate: Fri Oct 20 21:29:27 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Oct 20 21:29:27 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d26d077b Merge upstream Signed-off-by: Kenton Groombridge gentoo.org> gentoo/STATE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/gentoo/STATE b/gentoo/STATE
index 1f7d780e5..1265cd5d3 100644
--- a/gentoo/STATE
+++ b/gentoo/STATE
@@ -1 +1 @@
-d542d53698339cd3b3bb80e6e36fb4add4016e9d
+f3865abfc25a395c877a27074bd03c5fc22992dd
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/, policy/support/
commit: b6e3f0c899ce4061496cdf71bd4d83374aea339d Author: Russell Coker coker com au> AuthorDate: Mon Oct 9 13:32:38 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Oct 20 21:28:39 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b6e3f0c8 patches for nspawn policy (#721) * patches to nspawn policy. Allow it netlink operations and creating udp sockets Allow remounting and reading sysfs Allow stat cgroup filesystem Make it create fifos and sock_files in the right context Allow mounting the selinux fs Signed-off-by: Russell Coker coker.com.au> * Use the new mounton_dir_perms and mounton_file_perms macros Signed-off-by: Russell Coker coker.com.au> * Corrected macro name Signed-off-by: Russell Coker coker.com.au> * Fixed description of files_mounton_kernel_symbol_table Signed-off-by: Russell Coker coker.com.au> * systemd: Move lines in nspawn. No rule changes. Signed-off-by: Chris PeBenito ieee.org> - Signed-off-by: Russell Coker coker.com.au> Signed-off-by: Chris PeBenito ieee.org> Co-authored-by: Chris PeBenito ieee.org> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/kernel/devices.if | 18 ++ policy/modules/kernel/files.if | 27 +++ policy/modules/kernel/kernel.if | 8 policy/modules/kernel/selinux.if | 18 ++ policy/modules/system/systemd.te | 17 + policy/support/obj_perm_sets.spt | 2 ++ 6 files changed, 82 insertions(+), 8 deletions(-) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if index be2429a91..a2d55dedb 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -4386,6 +4386,24 @@ interface(`dev_remount_sysfs',` allow $1 sysfs_t:filesystem remount; ') + +## +## unmount a sysfs filesystem +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_unmount_sysfs',` + gen_require(` + type sysfs_t; + ') + + allow $1 sysfs_t:filesystem unmount; +') + ## ## Do not audit getting the attributes of sysfs filesystem 
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index 591aa64d6..370ac0931 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -542,8 +542,8 @@ interface(`files_mounton_non_security',` attribute non_security_file_type; ') - allow $1 non_security_file_type:dir { getattr search mounton }; - allow $1 non_security_file_type:file { getattr mounton }; + allow $1 non_security_file_type:dir { search mounton_dir_perms }; + allow $1 non_security_file_type:file mounton_file_perms; ') @@ -1785,7 +1785,7 @@ interface(`files_mounton_all_mountpoints',` ') allow $1 mountpoint:dir { search_dir_perms mounton }; - allow $1 mountpoint:file { getattr mounton }; + allow $1 mountpoint:file mounton_file_perms; kernel_mounton_unlabeled_dirs($1) ') @@ -5750,6 +5750,25 @@ interface(`files_delete_kernel_symbol_table',` delete_files_pattern($1, boot_t, system_map_t) ') + +## +## Mount on a system.map in the /boot directory (for bind mounts). +## +## +## +## Domain allowed access. +## +## +# +interface(`files_mounton_kernel_symbol_table',` + gen_require(` + type boot_t, system_map_t; + ') + + allow $1 boot_t:dir search_dir_perms; + allow $1 system_map_t:file mounton_file_perms; +') + ## ## Search the contents of /var. @@ -7630,7 +7649,7 @@ interface(`files_polyinstantiate_all',` # Need to give access to parent directories where original # is remounted for polyinstantiation aware programs (like gdm) - allow $1 polyparent:dir { getattr mounton }; + allow $1 polyparent:dir mounton_dir_perms; # Need to give permission to create directories where applicable allow $1 self:process setfscreate; diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if index 6abcc1be6..022affde3 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if 
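Review bot: The first files.if hunk replaces `{ getattr search mounton }` with `{ search mounton_dir_perms }` and `{ getattr mounton }` with `mounton_file_perms`, but both macros are defined in obj_perm_sets.spt, which is not in this chunk, so the diff alone cannot show that the rewrite is a no-op. A reviewer should confirm the new sets contain exactly `{ getattr mounton }`; if they are wider, `files_mounton_non_security` and `files_mounton_all_mountpoints` silently gain permissions on every non-security file type and mountpoint. The new `files_mounton_kernel_symbol_table` description would also benefit from stating the purpose if it is what it looks like, e.g. `## Used by systemd-nspawn to bind-mount over /boot/System.map`.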
@@ -1440,7 +1440,7 @@ interface(`kernel_mounton_message_if',` ') allow $1 proc_t:dir list_dir_perms; - allow $1 proc_kmsg_t:file { getattr mounton }; + allow $1 proc_kmsg_t:file mounton_file_perms; ') @@ -1792,7 +1792,7 @@ interface(`kernel_mounton_sysctl_dirs',` ') allow $1 proc_t:dir list_dir_perms; - allow $1 sysctl_t:dir { getattr mounton }; + allow $1 sysctl_t:dir mounton_dir_perms; ')
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
commit: 4bb6b12fe1a936a0db91fc133ca30dfd8e5be32a Author: Dave Sugar gmail com> AuthorDate: Wed Oct 4 23:28:38 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Oct 20 21:28:39 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4bb6b12f Use interface that already exists. Signed-off-by: Dave Sugar gmail.com> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/system/systemd.if | 8 +++- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if index 68fb1a148..6054b5038 100644 --- a/policy/modules/system/systemd.if +++ b/policy/modules/system/systemd.if @@ -29,7 +29,6 @@ template(`systemd_role_template',` type systemd_user_runtime_t, systemd_user_runtime_notify_t; type systemd_user_unit_t; type systemd_user_runtime_unit_t, systemd_user_transient_unit_t; - type systemd_machined_t; ') # @@ -151,10 +150,9 @@ template(`systemd_role_template',` allow $3 systemd_user_runtime_t:sock_file { manage_sock_file_perms relabel_sock_file_perms }; # for "machinectl shell" - allow $1_systemd_t systemd_machined_t:fd use; - allow $3 systemd_machined_t:fd use; - allow $3 systemd_machined_t:dbus send_msg; - allow systemd_machined_t $3:dbus send_msg; + systemd_use_inherited_machined_ptys($1_systemd_t) + systemd_use_inherited_machined_ptys($3) + systemd_dbus_chat_machined($3) allow $3 systemd_user_runtime_notify_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
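Review bot: The replacement interfaces are not shown here and their names suggest they may grant more than the four rules removed: `systemd_use_inherited_machined_ptys` reads as fd use plus chr_file access on machined's ptys, whereas the old rule was only `systemd_machined_t:fd use`, and it is now applied to both `$1_systemd_t` and `$3`. Confirm that the two interfaces reduce to `fd use` plus a two-way `dbus send_msg`; if the pty interface adds terminal read/write for every role built from this template, that widening should be stated in the commit message rather than presented as a pure refactor. The `systemd_role_template` body continues outside the hunk.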
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
commit: b2b5270fcce158aedf71a5be0b2fa15822ecb069 Author: Russell Coker coker com au> AuthorDate: Thu Oct 5 11:13:54 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Oct 6 15:31:45 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b2b5270f https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/ While cgroups2 doesn't have the "feature" of having the kernel run a program specified in the cgroup the history of this exploit suggests that writing to cgroups should be restricted and not granted to all users Signed-off-by: Russell Coker coker.com.au> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/system/userdomain.if | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index 642da35cd..676a76241 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -690,7 +690,7 @@ template(`userdom_common_user_template',` files_watch_etc_dirs($1_t) files_watch_usr_dirs($1_t) - fs_rw_cgroup_files($1_t) + fs_read_cgroup_files($1_t) # cjp: some of this probably can be removed selinux_get_fs_mount($1_t)
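Review bot: The reason for dropping cgroup write access from every user domain lives only in the commit message; the next reader of `userdom_common_user_template` sees `fs_read_cgroup_files($1_t)` next to the old `# cjp: some of this probably can be removed` remark and may restore rw without knowing the history. Put a one-line pointer in the template, e.g. `# read-only on purpose: cgroup writes have been used for container escapes (release_agent); do not widen`. If anything running in `$1_t` itself legitimately writes its own cgroup subtree, it now needs a dedicated interface rather than this template.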
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
commit: ca3332b1b3ad6b6cc3b52bf8cff26e4407f93c92 Author: Russell Coker coker com au> AuthorDate: Fri Oct 6 10:48:52 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Oct 6 15:31:45 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ca3332b1 Label checkarray as mdadm_exec_t, allow it to read/write temp files inherited from cron, and dontaudit ps type operations from it Signed-off-by: Russell Coker coker.com.au> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/kernel/corecommands.fc | 1 - policy/modules/system/raid.fc | 2 ++ policy/modules/system/raid.te | 2 ++ 3 files changed, 4 insertions(+), 1 deletion(-) diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc index da5db80a2..21ec61464 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -320,7 +320,6 @@ ifdef(`distro_debian',` /usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/sbin/smrsh-- gen_context(system_u:object_r:shell_exec_t,s0) -/usr/share/mdadm/checkarray-- gen_context(system_u:object_r:bin_t,s0) /usr/share/(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/ajaxterm/ajaxterm\.py.* -- gen_context(system_u:object_r:bin_t,s0) /usr/share/ajaxterm/qweb\.py.* -- gen_context(system_u:object_r:bin_t,s0) diff --git a/policy/modules/system/raid.fc b/policy/modules/system/raid.fc index 84f1ab02a..ca16bdfdf 100644 --- a/policy/modules/system/raid.fc +++ b/policy/modules/system/raid.fc @@ -11,6 +11,8 @@ /usr/bin/mdmpd -- gen_context(system_u:object_r:mdadm_exec_t,s0) /usr/bin/raid-check-- gen_context(system_u:object_r:mdadm_exec_t,s0) +/usr/share/mdadm/checkarray -- gen_context(system_u:object_r:mdadm_exec_t,s0) + # Systemd unit files /usr/lib/systemd/system/[^/]*mdadm-.* -- gen_context(system_u:object_r:mdadm_unit_t,s0) /usr/lib/systemd/system/[^/]*mdmon.* -- gen_context(system_u:object_r:mdadm_unit_t,s0) 
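Review bot: Relabelling `/usr/share/mdadm/checkarray` from bin_t to mdadm_exec_t makes cron run it inside mdadm_t, and if checkarray is a script rather than an ELF binary (it sat under /usr/share as a generic bin_t helper before) mdadm_t must be allowed to execute the interpreter and the mdadm binary it calls; nothing in this commit adds `corecmd_exec_shell(mdadm_t)`. Confirm that interpreter execution is already permitted in raid.te, otherwise the cron job now fails at exec rather than at the `ps`-style denials the raid.te hunk dontaudits.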
diff --git a/policy/modules/system/raid.te b/policy/modules/system/raid.te index 907facf8d..c8db38261 100644 --- a/policy/modules/system/raid.te +++ b/policy/modules/system/raid.te @@ -57,6 +57,7 @@ dev_read_realtime_clock(mdadm_t) # create links in /dev/md dev_create_generic_symlinks(mdadm_t) +domain_dontaudit_search_all_domains_state(mdadm_t) domain_use_interactive_fds(mdadm_t) files_read_etc_files(mdadm_t) @@ -95,6 +96,7 @@ userdom_dontaudit_search_user_home_content(mdadm_t) optional_policy(` cron_system_entry(mdadm_t, mdadm_exec_t) + cron_rw_inherited_tmp_files(mdadm_t) ') optional_policy(`
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
commit: f9bb068485de922f97495d4795c3cc475cdb32e7 Author: Yi Zhao windriver com> AuthorDate: Mon Oct 2 08:05:49 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Oct 6 15:31:45 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f9bb0684 bind: fix for named service Fixes: avc: denied { sqpoll } for pid=373 comm="named" scontext=system_u:system_r:named_t:s0-s15:c0.c1023 tcontext=system_u:system_r:named_t:s0-s15:c0.c1023 tclass=io_uring permissive=0 avc: denied { create } for pid=373 comm="named" anonclass=[io_uring] scontext=system_u:system_r:named_t:s0-s15:c0.c1023 tcontext=system_u:object_r:named_t:s0 tclass=anon_inode permissive=0 Signed-off-by: Yi Zhao windriver.com> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/services/bind.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te index 0a08be452..37f2fdd1f 100644 --- a/policy/modules/services/bind.te +++ b/policy/modules/services/bind.te @@ -80,6 +80,8 @@ allow named_t self:process { setsched getsched getcap setcap setrlimit signal_pe allow named_t self:fifo_file rw_fifo_file_perms; allow named_t self:unix_stream_socket { accept listen }; allow named_t self:tcp_socket { accept listen }; +allow named_t self:anon_inode { create map read write }; +allow named_t self:io_uring sqpoll; manage_files_pattern(named_t, dnssec_t, dnssec_t) filetrans_pattern(named_t, named_conf_t, dnssec_t, dir, "cache")
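Review bot: `allow named_t self:io_uring sqpoll;` together with the anon_inode rule enables io_uring in a network-facing daemon, and io_uring has been a recurring source of kernel privilege-escalation bugs, so a compromised named gains a larger kernel attack surface. The denials in the message were logged with permissive=0 and nothing says named stopped working, which suggests the caller (presumably an event-loop library with an io_uring backend) falls back cleanly when the ring cannot be created; if that holds, `dontaudit named_t self:io_uring sqpoll;` plus the matching anon_inode dontaudit silences the log without enabling the ring. If io_uring is wanted for performance, gate the two allow rules behind a gen_tunable/tunable_policy pair and note in a comment that SQPOLL starts a kernel polling thread on the daemon's behalf.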
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/services/
commit: 767814945e7b4302e9c085aba0d2772d051cd005 Author: Dave Sugar <31021570+dsugar100 users noreply github com> AuthorDate: Fri Oct 6 13:06:39 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Oct 6 15:31:45 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=76781494 Separate label for /run/systemd/notify (#710) * Separate label for /run/systemd/notify label systemd_runtime_notify_t Allow daemon domains to write by default Signed-off-by: Dave Sugar gmail.com> * systemd: Add -s to /run/systemd/notify socket. Signed-off-by: Chris PeBenito ieee.org> - Signed-off-by: Dave Sugar gmail.com> Co-authored-by: Chris PeBenito ieee.org> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/services/dbus.te | 2 +- policy/modules/system/init.if| 19 +++ policy/modules/system/init.te| 3 ++- policy/modules/system/systemd.fc | 1 + policy/modules/system/systemd.if | 22 ++ policy/modules/system/systemd.te | 3 +++ 6 files changed, 48 insertions(+), 2 deletions(-) diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te index 79089b1c5..9ccd8a424 100644 --- a/policy/modules/services/dbus.te +++ b/policy/modules/services/dbus.te @@ -219,7 +219,7 @@ ifdef(`init_systemd', ` init_stop_all_units(system_dbusd_t) # Recent versions of dbus are started as Type=notify - init_write_runtime_socket(system_dbusd_t) + systemd_write_notify_socket(system_dbusd_t) tunable_policy(`dbus_broker_system_bus',` init_get_system_status(system_dbusd_t) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if index d91eadfb5..5b0f44381 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if 
@@ -1002,6 +1002,25 @@ interface(`init_unix_stream_socket_connectto',` allow $1 init_t:unix_stream_socket connectto; ') + +## +## Send to init with a unix socket. +## Without any additional permissions. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_unix_stream_socket_sendto',` + gen_require(` + type init_t; + ') + + allow $1 init_t:unix_stream_socket sendto; +') + ## ## Inherit and use file descriptors from init. diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index 457fac072..c83d88b74 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -1178,6 +1178,7 @@ ifdef(`init_systemd',` systemd_start_power_units(initrc_t) systemd_watch_networkd_runtime_dirs(initrc_t) + systemd_write_notify_socket(initrc_t) # Ensures the memory.pressure cgroup file is labelled differently, so # that processes can manage it without having access to the rest of the @@ -1611,7 +1612,7 @@ ifdef(`init_systemd',` fs_search_cgroup_dirs(daemon) # need write to /var/run/systemd/notify - init_write_runtime_socket(daemon) + systemd_write_notify_socket(daemon) ') tunable_policy(`init_daemons_use_tty',` diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc index ac64a5d5c..57f746c58 100644 --- a/policy/modules/system/systemd.fc +++ b/policy/modules/system/systemd.fc 
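Review bot: The new `init_unix_stream_socket_sendto` interface grants `init_t:unix_stream_socket sendto`, but /run/systemd/notify is, as far as I know, a datagram socket, for which the peer check on init_t is `unix_dgram_socket sendto`; a stream grant would not satisfy a notify write, so either this interface serves a different caller or `systemd_write_notify_socket` (whose body is beyond this chunk) needs the dgram variant. Name the intended caller in the description, e.g. `## Send to init's unix stream socket without connecting; used by systemd_write_notify_socket`, so the two are not confused later. The `init_write_runtime_socket(daemon)` to `systemd_write_notify_socket(daemon)` swap in the init.te hunk is a welcome narrowing.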
@@ -103,6 +103,7 @@ HOME_DIR/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_data /run/systemd/ask-password-block(/.*)? gen_context(system_u:object_r:systemd_passwd_runtime_t,s0) /run/systemd/home(/.*)? gen_context(system_u:object_r:systemd_homed_runtime_t,s0) /run/systemd/network(/.*)? gen_context(system_u:object_r:systemd_networkd_runtime_t,s0) +/run/systemd/notify-s gen_context(system_u:object_r:systemd_runtime_notify_t,s0) /run/systemd/resolve(/.*)? gen_context(system_u:object_r:systemd_resolved_runtime_t,s0) /run/systemd/seats(/.*)? gen_context(system_u:object_r:systemd_sessions_runtime_t,s0) /run/systemd/sessions(/.*)? gen_context(system_u:object_r:systemd_sessions_runtime_t,s0) diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if index 19b2dbd85..68fb1a148 100644 --- a/policy/modules/system/systemd.if +++ b/policy/modules/system/systemd.if @@ -126,6 +126,7 @@ template(`systemd_role_template',` systemd_search_user_runtime_unit_dirs($1_systemd_t) systemd_search_user_transient_unit_dirs($1_systemd_t) systemd_read_user_units_files($1_systemd_t) + systemd_write_notify_socket($1_systemd_t) dbus_system_bus_client($1_systemd_t) dbus_spec_session_bus_client($1, $1_systemd_t) @@ -276,6 +277,27 @@ interface(`systemd_user_unix_stream_activated_socket',` systemd_user_activated_sock_file($2) ') +### +## +## Allow the specified domain to
[gentoo-commits] proj/hardened-refpolicy:master commit in: gentoo/
commit: a214ace3c7ac557196b58ab0342bf8e7023aca38 Author: Kenton Groombridge gentoo org> AuthorDate: Fri Oct 6 15:32:33 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Oct 6 15:32:33 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a214ace3 Merge upstream Signed-off-by: Kenton Groombridge gentoo.org> gentoo/STATE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/gentoo/STATE b/gentoo/STATE
index b2d61aa8e..1f7d780e5 100644
--- a/gentoo/STATE
+++ b/gentoo/STATE
@@ -1 +1 @@
-86a7f884a5af56076ae4829b25e73a74b2f56024
+d542d53698339cd3b3bb80e6e36fb4add4016e9d
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
commit: 0d4b9fb48fc13aa0e545fdc17905a1060db3c5ef Author: Russell Coker coker com au> AuthorDate: Thu Sep 28 13:57:18 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Oct 6 15:31:45 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0d4b9fb4 misc small email changes (#704) * Small changes to courier, dovecot, exim, postfix, amd sendmail policy. Signed-off-by: Russell Coker coker.com.au> * Removed an obsolete patch Signed-off-by: Russell Coker coker.com.au> * Added interfaces cron_rw_inherited_tmp_files and systemd_dontaudit_connect_machined Signed-off-by: Russell Coker coker.com.au> * Use create_stream_socket_perms for unix connection to itself Signed-off-by: Russell Coker coker.com.au> * Removed unconfined_run_to Signed-off-by: Russell Coker coker.com.au> * Remove change for it to run from a user session Signed-off-by: Russell Coker coker.com.au> * Changed userdom_use_user_ttys to userdom_use_inherited_user_terminals and moved it out of the postfix section Signed-off-by: Russell Coker coker.com.au> - Signed-off-by: Russell Coker coker.com.au> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/services/courier.fc | 4 ++-- policy/modules/services/courier.te | 21 +++-- policy/modules/services/dovecot.te | 3 +++ policy/modules/services/exim.te | 3 ++- policy/modules/services/mta.if | 1 + policy/modules/services/mta.te | 32 policy/modules/services/postfix.if | 3 +++ policy/modules/services/postfix.te | 4 policy/modules/services/sendmail.te | 4 9 files changed, 70 insertions(+), 5 deletions(-) diff --git a/policy/modules/services/courier.fc b/policy/modules/services/courier.fc index 0f56d60d8..28594264f 100644 --- a/policy/modules/services/courier.fc +++ b/policy/modules/services/courier.fc 
@@ -23,8 +23,8 @@
 /usr/lib/courier/courier/courierpop.* -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
 /usr/lib/courier/courier/imaplogin -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
 /usr/lib/courier/courier/pcpd -- gen_context(system_u:object_r:courier_pcp_exec_t,s0)
-/usr/lib/courier/imapd -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
-/usr/lib/courier/pop3d -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
+/usr/lib/courier/imapd.* -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
+/usr/lib/courier/pop3d.* -- gen_context(system_u:object_r:courier_pop_exec_t,s0)
 /usr/lib/courier/rootcerts(/.*)? gen_context(system_u:object_r:courier_etc_t,s0)
 /usr/lib/courier/sqwebmail/cleancache\.pl -- gen_context(system_u:object_r:courier_sqwebmail_exec_t,s0)
 /usr/lib/courier-imap/couriertcpd -- gen_context(system_u:object_r:courier_tcpd_exec_t,s0)
diff --git a/policy/modules/services/courier.te b/policy/modules/services/courier.te
index 00ca1db6e..b5fa0c163 100644
--- a/policy/modules/services/courier.te
+++ b/policy/modules/services/courier.te
@@ -96,6 +96,8 @@ allow courier_authdaemon_t courier_tcpd_t:unix_stream_socket rw_stream_socket_pe
 can_exec(courier_authdaemon_t, courier_exec_t)
+kernel_getattr_proc(courier_authdaemon_t)
+
 corecmd_exec_shell(courier_authdaemon_t)
 domtrans_pattern(courier_authdaemon_t, courier_pop_exec_t, courier_pop_t)
@@ -112,6 +114,7 @@ libs_read_lib_files(courier_authdaemon_t)
 miscfiles_read_localization(courier_authdaemon_t)
 selinux_getattr_fs(courier_authdaemon_t)
+seutil_search_default_contexts(courier_authdaemon_t)
 userdom_dontaudit_search_user_home_dirs(courier_authdaemon_t)
@@ -129,20 +132,34 @@ dev_read_rand(courier_pcp_t)
 # POP3/IMAP local policy
 #
-allow courier_pop_t self:capability { setgid setuid };
+allow courier_pop_t self:capability { chown dac_read_search fowner setgid setuid };
+dontaudit courier_pop_t self:capability fsetid;
+allow courier_pop_t self:unix_stream_socket create_stream_socket_perms;
+allow courier_pop_t self:process setrlimit;
+
 allow courier_pop_t courier_authdaemon_t:tcp_socket rw_stream_socket_perms;
 allow courier_pop_t courier_authdaemon_t:process sigchld;
 allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms;
-allow courier_pop_t courier_var_lib_t:file rw_inherited_file_perms;
+allow courier_pop_t courier_var_lib_t:dir rw_dir_perms;
+allow courier_pop_t courier_var_lib_t:file manage_file_perms;
+allow courier_pop_t courier_etc_t:file map;
+
+can_exec(courier_pop_t, courier_exec_t)
+can_exec(courier_pop_t, courier_tcpd_exec_t)
 stream_connect_pattern(courier_pop_t, courier_var_lib_t, courier_var_lib_t, courier_authdaemon_t)
 domtrans_pattern(courier_pop_t, courier_authdaemon_exec_t, courier_authdaemon_t)
 corecmd_exec_shell(courier_pop_t)
+corenet_tcp_bind_generic_node(courier_pop_t)
+corenet_tcp_bind_pop_port(courier_pop_t)
+
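Review bot: The widened rule `allow courier_pop_t self:capability { chown dac_read_search fowner setgid setuid };` carries no comment saying which operation needs `chown`, `dac_read_search` and `fowner`; `dac_read_search` in particular lets the POP/IMAP daemon read and search any directory regardless of its DAC mode, so a why-comment such as `# chown/fowner/dac_read_search: maildir ownership fixups before switching to the user — TODO confirm` would let a later reviewer judge whether a narrower grant suffices. `can_exec(courier_pop_t, courier_tcpd_exec_t)` keeps any couriertcpd started from the POP/IMAP domain in courier_pop_t rather than courier_tcpd_t; if that is only needed for wrapper scripts re-invoking couriertcpd, a comment should say so, otherwise a domtrans_pattern into courier_tcpd_t would keep the network listener out of the mailbox-handling domain. This hunk continues past the end of the line.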
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/support/
commit: 6f8208d24c132738f65741594de5b1b3b11d1a9c Author: Chris PeBenito linux microsoft com> AuthorDate: Mon Oct 2 12:44:00 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Oct 6 15:31:45 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6f8208d2 Add append to rw and manage lnk_file permission sets for consistency. Signed-off-by: Chris PeBenito linux.microsoft.com> Signed-off-by: Kenton Groombridge gentoo.org> policy/support/obj_perm_sets.spt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
index d1784fae1..4b2b7c874 100644
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
@@ -181,11 +181,11 @@ define(`setattr_lnk_file_perms',`{ setattr }')
 define(`read_lnk_file_perms',`{ getattr read }')
 define(`append_lnk_file_perms',`{ getattr append lock ioctl }')
 define(`write_lnk_file_perms',`{ getattr append write lock ioctl }')
-define(`rw_lnk_file_perms',`{ getattr read write lock ioctl }')
+define(`rw_lnk_file_perms',`{ getattr read write append lock ioctl }')
 define(`create_lnk_file_perms',`{ create getattr }')
 define(`rename_lnk_file_perms',`{ getattr rename }')
 define(`delete_lnk_file_perms',`{ getattr unlink }')
-define(`manage_lnk_file_perms',`{ create read write getattr setattr link unlink rename ioctl lock }')
+define(`manage_lnk_file_perms',`{ create read write append getattr setattr link unlink rename ioctl lock }')
 define(`relabelfrom_lnk_file_perms',`{ getattr relabelfrom }')
 define(`relabelto_lnk_file_perms',`{ getattr relabelto }')
 define(`relabel_lnk_file_perms',`{ getattr relabelfrom relabelto }')
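Review bot: Adding `append` to `rw_lnk_file_perms` and `manage_lnk_file_perms` widens every rule in the policy built from these two sets, not just the two defines in this file, so the description should state that this is a policy-wide permission change and why it is acceptable (presumably because `write` is already granted by both sets). A comment above the defines, e.g. `# append is included so rw/manage remain supersets of append_lnk_file_perms`, would record the consistency rationale where the next reader of this table will look for it.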
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
commit: 6a26a817c369000f602f81d7f5da7b0fd5a1bff0 Author: Yi Zhao windriver com> AuthorDate: Sat Sep 30 10:00:38 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Oct 6 15:31:45 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6a26a817 systemd: allow journalctl to create /var/lib/systemd/catalog If /var/lib/systemd/catalog doesn't exist at first boot, systemd-journal-catalog-update.service would fail: $ systemctl status systemd-journal-catalog-update.service systemd-journal-catalog-update.service - Rebuild Journal Catalog Loaded: loaded (/usr/lib/systemd/system/systemd-journal-catalog-update.service; static) Active: failed (Result: exit-code) since Sat 2023-09-30 09:46:46 UTC; 50s ago Docs: man:systemd-journald.service(8) man:journald.conf(5) Process: 247 ExecStart=journalctl --update-catalog (code=exited, status=1/FAILURE) Main PID: 247 (code=exited, status=1/FAILURE) Sep 30 09:46:45 qemux86-64 systemd[1]: Starting Rebuild Journal Catalog... Sep 30 09:46:46 qemux86-64 journalctl[247]: Failed to create parent directories of /var/lib/systemd/catalog/database: Permission denied Sep 30 09:46:46 qemux86-64 journalctl[247]: Failed to write /var/lib/systemd/catalog/database: Permission denied Sep 30 09:46:46 qemux86-64 journalctl[247]: Failed to list catalog: Permission denied Sep 30 09:46:46 qemux86-64 systemd[1]: systemd-journal-catalog-update.service: Main process exited, code=exited, status=1/FAILURE Sep 30 09:46:46 qemux86-64 systemd[1]: systemd-journal-catalog-update.service: Failed with result 'exit-code'. Sep 30 09:46:46 qemux86-64 systemd[1]: Failed to start Rebuild Journal Catalog. 
Fixes: AVC avc: denied { getattr } for pid=247 comm="journalctl" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:systemd_journal_init_t tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=0 AVC avc: denied { write } for pid=247 comm="journalctl" name="systemd" dev="vda" ino=13634 scontext=system_u:system_r:systemd_journal_init_t tcontext=system_u:object_r:init_var_lib_t tclass=dir permissive=0 Signed-off-by: Yi Zhao windriver.com> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/system/systemd.te | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 4f1c4c856..c9d21bda5 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -787,9 +787,10 @@ seutil_read_file_contexts(systemd_hw_t)
 dontaudit systemd_journal_init_t self:capability net_admin;
+manage_dirs_pattern(systemd_journal_init_t, systemd_journal_t, systemd_journal_t)
 manage_files_pattern(systemd_journal_init_t, systemd_journal_t, systemd_journal_t)
-fs_getattr_cgroup(systemd_journal_init_t)
+fs_getattr_all_fs(systemd_journal_init_t)
 fs_search_cgroup_dirs(systemd_journal_init_t)
 kernel_getattr_proc(systemd_journal_init_t)
@@ -798,6 +799,7 @@ kernel_read_system_state(systemd_journal_init_t)
 init_read_state(systemd_journal_init_t)
 init_search_var_lib_dirs(systemd_journal_init_t)
+init_var_lib_filetrans(systemd_journal_init_t, systemd_journal_t, dir)
 logging_send_syslog_msg(systemd_journal_init_t)
 logging_stream_connect_journald_varlink(systemd_journal_init_t)
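Review bot: `fs_getattr_all_fs(systemd_journal_init_t)` replaces a getattr on the cgroup filesystem with getattr on every filesystem type, while the only filesystem-class denial quoted in the message is `getattr` on `tmpfs_t:filesystem`; keeping `fs_getattr_cgroup(systemd_journal_init_t)` and adding `fs_getattr_tmpfs(systemd_journal_init_t)` covers that denial without the broad grant. In the second hunk, `init_var_lib_filetrans(systemd_journal_init_t, systemd_journal_t, dir)` applies the transition to any directory this domain creates under init_var_lib_t; if the interface accepts the optional filename argument, passing `"catalog"` limits it to the directory the message says is missing.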
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/services/
commit: 90affee2271dfbaad7e02781e1c583e886229754 Author: Russell Coker coker com au> AuthorDate: Thu Sep 28 13:46:14 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Oct 6 15:30:52 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=90affee2 misc small patches for cron policy (#701) * Some misc small patches for cron policy Signed-off-by: Russell Coker coker.com.au> * added systemd_dontaudit_connect_machined interface Signed-off-by: Russell Coker coker.com.au> * Remove the line about connecting to tor Signed-off-by: Russell Coker coker.com.au> * remove the dontaudit for connecting to machined Signed-off-by: Russell Coker coker.com.au> * changed to distro_debian Signed-off-by: Russell Coker coker.com.au> * mta: Whitespace changes. Signed-off-by: Chris PeBenito ieee.org> * cron: Move lines. Signed-off-by: Chris PeBenito ieee.org> - Signed-off-by: Russell Coker coker.com.au> Signed-off-by: Chris PeBenito ieee.org> Co-authored-by: Chris PeBenito ieee.org> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/services/cron.if| 36 policy/modules/services/cron.te| 11 +++ policy/modules/services/mta.te | 7 ++- policy/modules/services/postfix.te | 1 + policy/modules/system/init.if | 18 ++ policy/modules/system/systemd.if | 18 ++ 6 files changed, 90 insertions(+), 1 deletion(-) diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if index 87306cfdb..049b01494 100644 --- a/policy/modules/services/cron.if +++ b/policy/modules/services/cron.if @@ -755,6 +755,24 @@ interface(`cron_rw_tmp_files',` allow $1 crond_tmp_t:file rw_file_perms; ') + +## +## Read and write inherited crond temporary files. +## +## +## +## Domain allowed access. +## +## +# +interface(`cron_rw_inherited_tmp_files',` + gen_require(` + type crond_tmp_t; + ') + + allow $1 crond_tmp_t:file rw_inherited_file_perms; +') + ## ## Read system cron job lib files. 
@@ -888,6 +906,24 @@ interface(`cron_dontaudit_append_system_job_tmp_files',`
 dontaudit $1 system_cronjob_tmp_t:file append_file_perms;
 ')
+
+##
+## allow appending temporary system cron job files.
+##
+##
+##
+## Domain to allow.
+##
+##
+#
+interface(`cron_append_system_job_tmp_files',`
+ gen_require(`
+ type system_cronjob_tmp_t;
+ ')
+
+ allow $1 system_cronjob_tmp_t:file append_file_perms;
+')
+
 ##
 ## Read and write to inherited system cron job temporary files.
diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
index b2de6de31..9df1e3060 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -436,6 +436,8 @@ optional_policy(`
 systemd_dbus_chat_logind(system_cronjob_t)
 systemd_read_journal_files(system_cronjob_t)
 systemd_write_inherited_logind_sessions_pipes(system_cronjob_t)
+ # for runuser
+ init_search_keys(system_cronjob_t)
 # so cron jobs can restart daemons
 init_stream_connect(system_cronjob_t)
 init_manage_script_service(system_cronjob_t)
@@ -491,6 +493,7 @@ kernel_getattr_message_if(system_cronjob_t)
 kernel_read_irq_sysctls(system_cronjob_t)
 kernel_read_kernel_sysctls(system_cronjob_t)
 kernel_read_network_state(system_cronjob_t)
+kernel_read_rpc_sysctls(system_cronjob_t)
 kernel_read_system_state(system_cronjob_t)
 kernel_read_software_raid_state(system_cronjob_t)
@@ -535,6 +538,7 @@ files_read_usr_files(system_cronjob_t)
 files_read_var_files(system_cronjob_t)
 files_dontaudit_search_runtime(system_cronjob_t)
 files_manage_generic_spool(system_cronjob_t)
+files_manage_var_lib_dirs(system_cronjob_t)
 files_create_boot_flag(system_cronjob_t)
 files_read_var_lib_symlinks(system_cronjob_t)
@@ -554,6 +558,7 @@ logging_manage_generic_logs(system_cronjob_t)
 logging_send_audit_msgs(system_cronjob_t)
 logging_send_syslog_msg(system_cronjob_t)
+miscfiles_read_generic_certs(system_cronjob_t)
 miscfiles_read_localization(system_cronjob_t)
 seutil_read_config(system_cronjob_t)
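Review bot: The summary of the new `cron_append_system_job_tmp_files` interface starts lowercase (`allow appending temporary system cron job files.`) and its parameter text reads `Domain to allow.`, whereas `cron_rw_inherited_tmp_files` added in the previous hunk of this file uses an imperative capitalised summary and `Domain allowed access.`; `Append temporary system cron job files.` and `Domain allowed access.` would keep the generated interface documentation uniform.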
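Review bot: `files_manage_var_lib_dirs(system_cronjob_t)` lets every system cron job create, rename and delete directories directly under the generic var_lib_t label, and unlike the `# for runuser` line added in the first cron.te hunk it carries no comment naming the job that needs it; a comment such as `# for TODO-name-the-cron-job that creates /var/lib subdirectories` would make the grant revisitable. Where a single job only needs its own subdirectory, a filetrans into a job-specific type is the usual narrower alternative.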
@@ -654,6 +659,10 @@ optional_policy(`
 mysql_read_config(system_cronjob_t)
 ')
+optional_policy(`
+ ntp_read_config(system_cronjob_t)
+')
+
 optional_policy(`
 postfix_read_config(system_cronjob_t)
 ')
@@ -678,6 +687,8 @@ optional_policy(`
 # for gpg-connect-agent to access /run/user/0
 userdom_manage_user_runtime_dirs(system_cronjob_t)
+ # for /run/user/0/gnupg
+ userdom_manage_user_tmp_dirs(system_cronjob_t)
 ')
diff --git
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/apps/
commit: a4c6f2483b5025b63c5d42837f9eabd73d9866fe Author: Guido Trentalancia trentalancia com> AuthorDate: Fri Sep 29 20:30:14 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Oct 6 15:31:45 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a4c6f248 Let openoffice perform temporary file transitions and manage link files. Signed-off-by: Guido Trentalancia trentalancia.com> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/apps/openoffice.te | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/policy/modules/apps/openoffice.te b/policy/modules/apps/openoffice.te
index 37ac6720c..f8cccacd4 100644
--- a/policy/modules/apps/openoffice.te
+++ b/policy/modules/apps/openoffice.te
@@ -61,8 +61,9 @@ userdom_user_home_dir_filetrans(ooffice_t, ooffice_home_t, dir, ".openoffice")
 manage_dirs_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t)
 manage_files_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t)
+manage_lnk_files_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t)
 manage_sock_files_pattern(ooffice_t, ooffice_tmp_t, ooffice_tmp_t)
-files_tmp_filetrans(ooffice_t, ooffice_tmp_t, { dir file sock_file })
+files_tmp_filetrans(ooffice_t, ooffice_tmp_t, { dir file lnk_file sock_file })
 can_exec(ooffice_t, ooffice_exec_t)
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
commit: 634b4ae6e433169248722aa27c12b75c302ddac6 Author: Dave Sugar gmail com> AuthorDate: Thu Sep 14 19:44:07 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Oct 6 15:30:52 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=634b4ae6 separate domain for journalctl during init During system boot, when systemd-journal-catalog-update.service is started, it fails becuase initrc_t doesn't have access to write systemd_journal_t files/dirs. This change is to run journalctl in a different domain during system startup (systemd_journal_init_t) to allow the access necessary to run. × systemd-journal-catalog-update.service - Rebuild Journal Catalog Loaded: loaded (/usr/lib/systemd/system/systemd-journal-catalog-update.service; static) Active: failed (Result: exit-code) since Wed 2023-09-13 12:51:28 GMT; 10min ago Docs: man:systemd-journald.service(8) man:journald.conf(5) Process: 1626 ExecStart=journalctl --update-catalog (code=exited, status=1/FAILURE) Main PID: 1626 (code=exited, status=1/FAILURE) CPU: 102ms Sep 13 12:51:28 localhost systemd[1]: Starting Rebuild Journal Catalog... Sep 13 12:51:28 localhost journalctl[1626]: Failed to open database for writing: /var/lib/systemd/catalog/database: Permission denied Sep 13 12:51:28 localhost journalctl[1626]: Failed to write /var/lib/systemd/catalog/database: Permission denied Sep 13 12:51:28 localhost journalctl[1626]: Failed to list catalog: Permission denied Sep 13 12:51:28 localhost systemd[1]: systemd-journal-catalog-update.service: Main process exited, code=exited, status=1/FAILURE Sep 13 12:51:28 localhost systemd[1]: systemd-journal-catalog-update.service: Failed with result 'exit-code'. Sep 13 12:51:28 localhost systemd[1]: Failed to start Rebuild Journal Catalog. 
node=localhost type=AVC msg=audit(1692308998.328:136): avc: denied { write } for pid=1631 comm="journalctl" name="catalog" dev="dm-10" ino=131106 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir permissive=1 node=localhost type=AVC msg=audit(1692308998.328:136): avc: denied { add_name } for pid=1631 comm="journalctl" name=".#database6ZdcMU" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir permissive=1 node=localhost type=AVC msg=audit(1692308998.328:136): avc: denied { create } for pid=1631 comm="journalctl" name=".#database6ZdcMU" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1 node=localhost type=AVC msg=audit(1692308998.328:136): avc: denied { write } for pid=1631 comm="journalctl" path="/var/lib/systemd/catalog/.#database6ZdcMU" dev="dm-10" ino=131204 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1 node=localhost type=AVC msg=audit(1692308998.330:137): avc: denied { setattr } for pid=1631 comm="journalctl" name=".#database6ZdcMU" dev="dm-10" ino=131204 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1 node=localhost type=AVC msg=audit(1692308998.330:138): avc: denied { remove_name } for pid=1631 comm="journalctl" name=".#database6ZdcMU" dev="dm-10" ino=131204 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir permissive=1 node=localhost type=AVC msg=audit(1692308998.330:138): avc: denied { rename } for pid=1631 comm="journalctl" name=".#database6ZdcMU" dev="dm-10" ino=131204 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1 node=localhost type=AVC msg=audit(1692308998.330:138): avc: denied { unlink } for pid=1631 comm="journalctl" name="database" dev="dm-10" ino=131133 
scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1 Signed-off-by: Dave Sugar gmail.com> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/system/logging.if | 19 +++ policy/modules/system/systemd.fc | 1 + policy/modules/system/systemd.te | 35 ++- 3 files changed, 54 insertions(+), 1 deletion(-)
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 681385d50..763926dac 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -845,6 +845,25 @@ interface(`logging_watch_runtime_dirs',`
 allow $1 syslogd_runtime_t:dir watch;
 ')
+
+##
+## Connect syslog varlink socket files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`logging_stream_connect_journald_varlink',`
+ gen_require(`
+ type
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/, policy/modules/services/
commit: 1d66af88aa2d390ac5783557e8d04289d16bc612 Author: Russell Coker coker com au> AuthorDate: Mon Sep 25 15:46:04 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Oct 6 15:30:09 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1d66af88 small storage changes (#706) * Changes to storage.fc, smartmon, samba and lvm Signed-off-by: Russell Coker coker.com.au> * Add the interfaces this patch needs Signed-off-by: Russell Coker coker.com.au> * use manage_sock_file_perms for sock_file Signed-off-by: Russell Coker coker.com.au> * Renamed files_watch_all_file_type_dir to files_watch_all_dirs Signed-off-by: Russell Coker coker.com.au> * Use read_files_pattern Signed-off-by: Russell Coker coker.com.au> - Signed-off-by: Russell Coker coker.com.au> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/kernel/files.if | 19 +++ policy/modules/kernel/storage.fc| 1 + policy/modules/services/samba.te| 11 ++- policy/modules/services/smartmon.if | 20 policy/modules/services/smartmon.te | 2 +- policy/modules/system/lvm.te| 1 + policy/modules/system/userdomain.if | 18 ++ 7 files changed, 70 insertions(+), 2 deletions(-) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index d8874ace2..a1113ff7c 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -1426,6 +1426,25 @@ interface(`files_unmount_all_file_type_fs',` allow $1 file_type:filesystem unmount; ') + +## +## watch all directories of file_type +## +## +## +## Domain allowed access. +## +## +# +interface(`files_watch_all_dirs',` + gen_require(` + attribute file_type; + ') + + allow $1 file_type:dir watch; +') + + ## ## Read all non-authentication related diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc index 3033ac4de..9cd280c25 100644 --- a/policy/modules/kernel/storage.fc +++ b/policy/modules/kernel/storage.fc 
@@ -29,6 +29,7 @@
 /dev/lvm -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/mcdx? -b gen_context(system_u:object_r:removable_device_t,s0)
 /dev/megadev.* -c gen_context(system_u:object_r:removable_device_t,s0)
+/dev/megaraid.*-c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/mmcblk.* -b gen_context(system_u:object_r:removable_device_t,s0)
 /dev/mmcblk.* -c gen_context(system_u:object_r:removable_device_t,s0)
 /dev/mspblk.* -b gen_context(system_u:object_r:removable_device_t,s0)
diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
index 8ec3a1c62..f78d316cc 100644
--- a/policy/modules/services/samba.te
+++ b/policy/modules/services/samba.te
@@ -408,11 +408,13 @@ tunable_policy(`samba_create_home_dirs',`
 ')
 tunable_policy(`samba_enable_home_dirs',`
+ files_watch_home(smbd_t)
 userdom_manage_user_home_content_dirs(smbd_t)
 userdom_manage_user_home_content_files(smbd_t)
 userdom_manage_user_home_content_symlinks(smbd_t)
 userdom_manage_user_home_content_sockets(smbd_t)
 userdom_manage_user_home_content_pipes(smbd_t)
+ userdom_watch_user_home_dirs(smbd_t)
 ')
 tunable_policy(`samba_portmapper',`
@@ -444,11 +446,13 @@ tunable_policy(`samba_export_all_ro',`
 fs_read_noxattr_fs_files(smbd_t)
 files_list_non_auth_dirs(smbd_t)
 files_read_non_auth_files(smbd_t)
+ files_watch_all_dirs(smbd_t)
 ')
 tunable_policy(`samba_export_all_rw',`
 fs_read_noxattr_fs_files(smbd_t)
 files_manage_non_auth_files(smbd_t)
+ files_watch_all_dirs(smbd_t)
 ')
 optional_policy(`
@@ -617,13 +621,17 @@ optional_policy(`
 allow smbcontrol_t self:process signal;
 allow smbcontrol_t self:fifo_file rw_fifo_file_perms;
 allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms;
+allow smbcontrol_t self:unix_dgram_socket create_socket_perms;
 allow smbcontrol_t self:process { signal signull };
 allow smbcontrol_t { winbind_t nmbd_t smbd_t }:process { signal signull };
-read_files_pattern(smbcontrol_t, samba_runtime_t, samba_runtime_t)
+allow smbcontrol_t { smbd_t nmbd_t }:unix_dgram_socket sendto;
+manage_files_pattern(smbcontrol_t, samba_runtime_t, samba_runtime_t)
+allow smbcontrol_t samba_runtime_t:file map;
 allow smbcontrol_t samba_runtime_t:dir rw_dir_perms;
 manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t)
+allow smbcontrol_t samba_var_t:sock_file manage_sock_file_perms;
 samba_read_config(smbcontrol_t)
 samba_search_var(smbcontrol_t)
@@ -639,6 +647,7 @@ files_search_var_lib(smbcontrol_t)
 term_use_console(smbcontrol_t)
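Review bot: Replacing `read_files_pattern(smbcontrol_t, samba_runtime_t, samba_runtime_t)` with `manage_files_pattern`, plus `samba_runtime_t:file map` and `samba_var_t:sock_file manage_sock_file_perms`, turns a read-only control utility into one that can create, rewrite and delete samba's runtime state, and the hunk gives no reason; the new `unix_dgram_socket sendto` rule suggests the messaging socket is the driver, but that is inferred. A comment above the block such as `# smbcontrol creates its own messaging socket and tdb under the runtime dir — TODO confirm which files need manage` would record the intent, and if only smbcontrol's own socket and messaging file are needed, a dedicated type with a filetrans would keep the rest of samba_runtime_t read-only for this domain. The smbcontrol block continues past this hunk.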
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/services/, policy/modules/admin/
commit: ab9b49a1d782ac96a73b4b1553992528a599d8d6 Author: Russell Coker coker com au> AuthorDate: Mon Sep 25 15:44:52 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Oct 6 15:30:09 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ab9b49a1 small network patches (#707) * Small changes for netutils(ping), firewalld, ftp, inetd, networkmanager, openvpn ppp and rpc Signed-off-by: Russell Coker coker.com.au> * Fixed typo in interface name Signed-off-by: Russell Coker coker.com.au> * Add interface libs_watch_shared_libs_dir Signed-off-by: Russell Coker coker.com.au> * Added sysnet_watch_config_dir interface Signed-off-by: Russell Coker coker.com.au> * renamed libs_watch_shared_libs_dir to libs_watch_shared_libs_dirs Signed-off-by: Russell Coker coker.com.au> * rename sysnet_watch_config_dir to sysnet_watch_config_dirs Signed-off-by: Russell Coker coker.com.au> * Reverted a change as I can't remember why I did it. Signed-off-by: Russell Coker coker.com.au> - Signed-off-by: Russell Coker coker.com.au> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/admin/netutils.te | 1 + policy/modules/services/firewalld.te | 3 +++ policy/modules/services/ftp.fc| 6 +- policy/modules/services/ftp.te| 9 + policy/modules/services/inetd.te | 2 +- policy/modules/services/networkmanager.te | 11 ++- policy/modules/services/openvpn.te| 1 + policy/modules/services/ppp.fc| 1 + policy/modules/services/ppp.te| 2 ++ policy/modules/services/rpc.te| 6 +- policy/modules/system/libraries.if| 18 ++ policy/modules/system/sysnetwork.if | 18 ++ 12 files changed, 74 insertions(+), 4 deletions(-) diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te index 5fef6a31a..3c43a1d84 100644 --- a/policy/modules/admin/netutils.te +++ b/policy/modules/admin/netutils.te 
@@ -146,6 +146,7 @@ logging_send_syslog_msg(ping_t)
 miscfiles_read_localization(ping_t)
 userdom_use_inherited_user_terminals(ping_t)
+term_use_unallocated_ttys(ping_t)
 optional_policy(`
 munin_append_log(ping_t)
diff --git a/policy/modules/services/firewalld.te b/policy/modules/services/firewalld.te
index 954a348f0..eb097753f 100644
--- a/policy/modules/services/firewalld.te
+++ b/policy/modules/services/firewalld.te
@@ -38,11 +38,13 @@ allow firewalld_t self:fifo_file rw_fifo_file_perms;
 allow firewalld_t self:unix_stream_socket { accept listen };
 allow firewalld_t self:netlink_netfilter_socket create_socket_perms;
 allow firewalld_t self:udp_socket create_socket_perms;
+allow firewalld_t self:netlink_netfilter_socket create_socket_perms;
 allow firewalld_t firewalld_etc_rw_t:dir watch;
 manage_dirs_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
 manage_files_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
 dontaudit firewalld_t firewalld_etc_rw_t:file { relabelfrom relabelto };
+allow firewalld_t firewalld_etc_rw_t:dir watch;
 allow firewalld_t firewalld_var_log_t:file append_file_perms;
 allow firewalld_t firewalld_var_log_t:file create_file_perms;
@@ -86,6 +88,7 @@ logging_send_syslog_msg(firewalld_t)
 libs_watch_lib_dirs(firewalld_t)
+miscfiles_read_generic_certs(firewalld_t)
 miscfiles_read_localization(firewalld_t)
 seutil_exec_setfiles(firewalld_t)
diff --git a/policy/modules/services/ftp.fc b/policy/modules/services/ftp.fc
index b90598fed..a58851e58 100644
--- a/policy/modules/services/ftp.fc
+++ b/policy/modules/services/ftp.fc
@@ -1,4 +1,5 @@
 /etc/proftpd\.conf -- gen_context(system_u:object_r:ftpd_etc_t,s0)
+/etc/pure-ftpd(/.*)? gen_context(system_u:object_r:ftpd_etc_t,s0)
 /etc/cron\.monthly/proftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
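Review bot: Both added lines in the first firewalld.te hunk duplicate rules already present as context in the same hunk: `allow firewalld_t self:netlink_netfilter_socket create_socket_perms;` is two lines above the addition, and `allow firewalld_t firewalld_etc_rw_t:dir watch;` is already there above the manage_dirs_pattern call, so both `+` lines can be dropped with no change to the compiled policy. In the netutils.te hunk, `term_use_unallocated_ttys(ping_t)` is placed after the userdom_ call although the surrounding calls are grouped by module prefix in alphabetical order; it belongs before `userdom_use_inherited_user_terminals(ping_t)`.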
@@ -22,8 +23,10 @@
 /usr/sbin/muddleftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
 /usr/sbin/proftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
 /usr/sbin/vsftpd -- gen_context(system_u:object_r:ftpd_exec_t,s0)
+/usr/sbin/pure-ftpd-- gen_context(system_u:object_r:ftpd_exec_t,s0)
-/run/proftpd.* gen_context(system_u:object_r:ftpd_runtime_t,s0)
+/run/proftpd.* gen_context(system_u:object_r:ftpd_runtime_t,s0)
+/run/pure-ftpd(/.*)? gen_context(system_u:object_r:ftpd_runtime_t,s0)
 /usr/libexec/webmin/vsftpd/webalizer/xfer_log -- gen_context(system_u:object_r:xferlog_t,s0)
@@ -31,6 +34,7 @@
 /var/log/muddleftpd\.log.* -- gen_context(system_u:object_r:xferlog_t,s0)
 /var/log/proftpd(/.*)? gen_context(system_u:object_r:xferlog_t,s0)
+/var/log/pure-ftpd(/.*)? gen_context(system_u:object_r:xferlog_t,s0)
 /var/log/vsftpd.* -- gen_context(system_u:object_r:xferlog_t,s0)
 /var/log/xferlog.* --
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/, policy/modules/services/
commit: 3cf4d89db3171671a05868dd5ecaf933c49fcaa4 Author: Russell Coker coker com au> AuthorDate: Thu Sep 28 13:55:56 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Oct 6 15:30:52 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3cf4d89d mon.te patches as well as some fstools patches related to it (#697) * Patches for mon, mostly mon local monitoring. Also added the fsdaemon_read_lib() interface and fstools patch because it also uses fsdaemon_read_lib() and it's called by monitoring scripts Signed-off-by: Russell Coker coker.com.au> * Added the files_dontaudit_tmpfs_file_getattr() and storage_dev_filetrans_fixed_disk_control() interfaces needed Signed-off-by: Russell Coker coker.com.au> * Fixed the issues from the review Signed-off-by: Russell Coker coker.com.au> * Specify name to avoid conflicting file trans Signed-off-by: Russell Coker coker.com.au> * fixed dontaudi_ typo Signed-off-by: Russell Coker coker.com.au> * Changed storage_dev_filetrans_fixed_disk to have a mandatory parameter for the object class Signed-off-by: Russell Coker coker.com.au> * Remove fsdaemon_read_lib as it was already merged Signed-off-by: Russell Coker coker.com.au> - Signed-off-by: Russell Coker coker.com.au> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/kernel/files.if | 18 ++ policy/modules/kernel/kernel.te | 2 +- policy/modules/kernel/storage.if| 7 ++- policy/modules/services/mon.te | 30 ++ policy/modules/services/smartmon.te | 2 +- policy/modules/system/fstools.te| 17 + policy/modules/system/init.te | 2 +- policy/modules/system/lvm.te| 2 +- policy/modules/system/raid.te | 2 +- 9 files changed, 72 insertions(+), 10 deletions(-) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index a1113ff7c..591aa64d6 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if 
@@ -434,6 +434,24 @@ interface(`files_tmpfs_file',`
 typeattribute $1 tmpfsfile;
 ')
+
+##
+## dontaudit getattr on tmpfs files
+##
+##
+##
+## Domain to not have stat on tmpfs files audited
+##
+##
+#
+interface(`files_dontaudit_getattr_all_tmpfs_files',`
+ gen_require(`
+ attribute tmpfsfile;
+ ')
+
+ dontaudit $1 tmpfsfile:file getattr;
+')
+
 ##
 ## Get the attributes of all directories.
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 666d0e7e9..8156ac087 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -390,7 +390,7 @@ ifdef(`init_systemd',`
 ')
 optional_policy(`
- storage_dev_filetrans_fixed_disk(kernel_t)
+ storage_dev_filetrans_fixed_disk(kernel_t, blk_file)
 storage_setattr_fixed_disk_dev(kernel_t)
 storage_create_fixed_disk_dev(kernel_t)
 storage_delete_fixed_disk_dev(kernel_t)
diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
index 9c581a910..777caea69 100644
--- a/policy/modules/kernel/storage.if
+++ b/policy/modules/kernel/storage.if
@@ -296,6 +296,11 @@ interface(`storage_manage_fixed_disk',`
 ## Domain allowed access.
 ##
 ##
+##
+##
+## The class of the object to be created.
+##
+##
 ##
 ##
 ## Optional filename of the block device to be created
@@ -307,7 +312,7 @@ interface(`storage_dev_filetrans_fixed_disk',`
 type fixed_disk_device_t;
 ')
- dev_filetrans($1, fixed_disk_device_t, blk_file, $2)
+ dev_filetrans($1, fixed_disk_device_t, $2, $3)
 ')
diff --git a/policy/modules/services/mon.te b/policy/modules/services/mon.te
index b9a349871..bbf0496b3 100644
--- a/policy/modules/services/mon.te
+++ b/policy/modules/services/mon.te
@@ -42,8 +42,7 @@ files_tmp_file(mon_tmp_t) allow mon_t self:fifo_file rw_fifo_file_perms; allow mon_t self:tcp_socket create_stream_socket_perms; -# for mailxmpp.alert to set ulimit -allow mon_t self:process setrlimit; +allow mon_t self:process { setrlimit getsched signal }; domtrans_pattern(mon_t, mon_local_test_exec_t, mon_local_test_t) @@ -104,6 +103,11 @@ optional_policy(` mta_send_mail(mon_t) ') +optional_policy(` + # for config of xmpp sending program + xdg_read_config_files(mon_t) +') + # # Local policy @@ -151,6 +155,10 @@ optional_policy(` mysql_stream_connect(mon_net_test_t) ') +optional_policy(` + snmp_read_snmp_var_lib_files(mon_net_test_t) +') + # # Local policy @@ -161,9 +169,10 @@ optional_policy(` # # sys_ptrace is for
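Review bot: The rewritten `allow mon_t self:process { setrlimit getsched signal };` drops the why-comment `# for mailxmpp.alert to set ulimit` that justified setrlimit, and adds getsched and signal with no note on which monitor or alert script needs them. Keep the comment and extend it, e.g. `# setrlimit for mailxmpp.alert to set ulimit; getsched/signal for TRIGGER` with the real trigger filled in, so a later denial can be told apart from a regression. The later hunk adding `snmp_read_snmp_var_lib_files(mon_net_test_t)` would benefit from the same kind of one-line comment.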
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
commit: c476335905f6b809c1f4ba083b071fab067aa1e5 Author: Russell Coker coker com au> AuthorDate: Tue Sep 26 13:48:31 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Oct 6 15:30:09 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c4763359 allow jabbers to create sock file and allow matrixd to read sysfs (#705) * Allow jabberd_domain to create sockets in it's var/lib dir Allow matrixd_t to read sysfs Signed-off-by: Russell Coker coker.com.au> * Changed to manage_sock_file_perms to allow unlink Signed-off-by: Russell Coker coker.com.au> - Signed-off-by: Russell Coker coker.com.au> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/services/jabber.te | 1 + policy/modules/services/matrixd.te | 1 + 2 files changed, 2 insertions(+) diff --git a/policy/modules/services/jabber.te b/policy/modules/services/jabber.te index 6003cc9fb..6c8e45de5 100644 --- a/policy/modules/services/jabber.te +++ b/policy/modules/services/jabber.te @@ -39,6 +39,7 @@ allow jabberd_domain self:tcp_socket { accept listen }; manage_files_pattern(jabberd_domain, jabberd_var_lib_t, jabberd_var_lib_t) allow jabberd_domain jabberd_var_lib_t:dir manage_dir_perms; +allow jabberd_domain jabberd_var_lib_t:sock_file manage_sock_file_perms; kernel_read_system_state(jabberd_domain) diff --git a/policy/modules/services/matrixd.te b/policy/modules/services/matrixd.te index 4ac31d901..c396a3d7c 100644 --- a/policy/modules/services/matrixd.te +++ b/policy/modules/services/matrixd.te @@ -83,6 +83,7 @@ corenet_udp_bind_generic_node(matrixd_t) corenet_udp_bind_generic_port(matrixd_t) corenet_udp_bind_reserved_port(matrixd_t) +dev_read_sysfs(matrixd_t) dev_read_urand(matrixd_t) files_read_etc_files(matrixd_t)
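Review bot: The added `allow jabberd_domain jabberd_var_lib_t:sock_file manage_sock_file_perms;` sits directly under a `manage_files_pattern(...)` call for the same type, so the pattern form `manage_sock_files_pattern(jabberd_domain, jabberd_var_lib_t, jabberd_var_lib_t)` is the consistent spelling; the directory permissions it would add are already covered by the `manage_dir_perms` rule above, so the resulting access is unchanged. This is style only. In the matrixd hunk, `dev_read_sysfs(matrixd_t)` could carry a one-line comment on what the daemon reads under /sys, since the commit message does not say.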
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/, policy/modules/services/
commit: 3eefa3b065ed81f56fddfb12a372012ef5e2a336 Author: Russell Coker coker com au> AuthorDate: Mon Sep 25 15:01:12 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Oct 6 15:27:06 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3eefa3b0 small ntp and dns changes (#703) * Small changes for ntp, bind, avahi, and dnsmasq Signed-off-by: Russell Coker coker.com.au> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/admin/dpkg.te | 9 + policy/modules/services/avahi.te | 4 policy/modules/services/bind.te| 7 +-- policy/modules/services/dnsmasq.te | 4 policy/modules/services/ntp.fc | 1 + policy/modules/services/ntp.if | 19 +++ 6 files changed, 42 insertions(+), 2 deletions(-) diff --git a/policy/modules/admin/dpkg.te b/policy/modules/admin/dpkg.te index d6871de21..d4a56e5eb 100644 --- a/policy/modules/admin/dpkg.te +++ b/policy/modules/admin/dpkg.te @@ -350,8 +350,17 @@ optional_policy(` nis_use_ypbind(dpkg_script_t) ') +optional_policy(` + ntp_filetrans_drift(dpkg_script_t) +') + +optional_policy(` + policykit_dbus_chat(dpkg_script_t) +') + optional_policy(` systemd_read_logind_state(dpkg_script_t) + systemd_dbus_chat_hostnamed(dpkg_script_t) systemd_dbus_chat_logind(dpkg_script_t) systemd_run_sysusers(dpkg_script_t, dpkg_roles) ') diff --git a/policy/modules/services/avahi.te b/policy/modules/services/avahi.te index 773d2b8ff..1094e39db 100644 --- a/policy/modules/services/avahi.te +++ b/policy/modules/services/avahi.te @@ -111,3 +111,7 @@ optional_policy(` seutil_sigchld_newrole(avahi_t) ') +optional_policy(` + unconfined_dbus_send(avahi_t) +') + diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te index 1b3e674a1..0a08be452 100644 --- a/policy/modules/services/bind.te +++ b/policy/modules/services/bind.te 
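Review bot: The two new `optional_policy` blocks give `dpkg_script_t` bidirectional D-Bus access to polkit (`policykit_dbus_chat`) and to systemd-hostnamed (`systemd_dbus_chat_hostnamed`) without a comment naming the maintainer script that needs them, and the commit message only says "small ntp and dns changes". Maintainer scripts already run in a broad domain, so a line such as `# PACKAGE postinst talks to hostnamed/polkit` above each call records the justification for the next reviewer. Note that `ntp_filetrans_drift(dpkg_script_t)` applies whatever transition the ntp.if hunk in this commit defines to directories dpkg_script_t creates under /var/lib, and dpkg creates many of those; the breadth of that interface matters at this call site.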
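Review bot: `unconfined_dbus_send(avahi_t)` is added with no comment on which unconfined client avahi needs to message; as avahi-daemon is network-facing, a line such as `# CLIENT expects replies from avahi on the system bus` would let a later reviewer decide whether the send is still needed. The hunk also appears to add a lone trailing blank line after the new `optional_policy` block (the final bare `+`); if that is what it is, drop it, since the file would otherwise end right after the closing `')`.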
@@ -213,9 +213,9 @@ optional_policy(` # NDC local policy # -allow ndc_t self:capability { dac_override net_admin }; +allow ndc_t self:capability { dac_override dac_read_search net_admin }; allow ndc_t self:capability2 block_suspend; -allow ndc_t self:process signal_perms; +allow ndc_t self:process { signal_perms getsched setsched }; allow ndc_t self:fifo_file rw_fifo_file_perms; allow ndc_t self:unix_stream_socket { accept listen }; @@ -231,6 +231,9 @@ allow ndc_t named_zone_t:dir search_dir_perms; kernel_read_kernel_sysctls(ndc_t) kernel_read_system_state(ndc_t) +kernel_read_vm_overcommit_sysctl(ndc_t) + +dev_read_sysfs(ndc_t) corenet_all_recvfrom_netlabel(ndc_t) corenet_tcp_sendrecv_generic_if(ndc_t) diff --git a/policy/modules/services/dnsmasq.te b/policy/modules/services/dnsmasq.te index 6d1799ba8..2e492954d 100644 --- a/policy/modules/services/dnsmasq.te +++ b/policy/modules/services/dnsmasq.te @@ -108,6 +108,10 @@ optional_policy(` ') optional_policy(` + # for the dnsmasq-usb0.leases file + networkmanager_manage_lib_files(dnsmasq_t) + + networkmanager_read_etc_files(dnsmasq_t) networkmanager_read_runtime_files(dnsmasq_t) ') diff --git a/policy/modules/services/ntp.fc b/policy/modules/services/ntp.fc index 4d014d196..4f19959e7 100644 --- a/policy/modules/services/ntp.fc +++ b/policy/modules/services/ntp.fc @@ -30,6 +30,7 @@ /var/db/ntp-kod-- gen_context(system_u:object_r:ntp_drift_t,s0) /var/lib/ntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0) +/var/lib/ntpsec(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0) /var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0) /var/lib/systemd/clock -- gen_context(system_u:object_r:ntp_drift_t,s0) /var/lib/systemd/timesync(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0) diff --git a/policy/modules/services/ntp.if b/policy/modules/services/ntp.if index 4953e9f08..9df5d8d07 100644 --- a/policy/modules/services/ntp.if +++ b/policy/modules/services/ntp.if 
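Review bot: `dac_read_search` is added to ndc_t's capability set and `setsched` to its process permissions with no comment saying which rndc operation triggers them. dac_read_search lets the domain bypass DAC read/search checks on anything it already has MAC access to, so if the access is only a probe (a stat on a root-only directory, say) a `dontaudit` is usually preferred to allowing it; if it is genuinely needed, record the trigger, e.g. `# dac_read_search: OPERATION reads PATH owned by root`. The second bind.te hunk's `kernel_read_vm_overcommit_sysctl(ndc_t)` and `dev_read_sysfs(ndc_t)` are read-only and unremarkable.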
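Review bot: `networkmanager_manage_lib_files(dnsmasq_t)` grants create, write, unlink and rename over every file carrying NetworkManager's var/lib type to satisfy one leases file, which is wider than the comment `# for the dnsmasq-usb0.leases file` suggests. If dnsmasq creates that file itself, a dedicated lease type with a named file transition in that directory would stop dnsmasq from being able to alter NetworkManager's own state; if NetworkManager pre-creates it, a read/write interface without unlink/rename would be the narrower fit, assuming networkmanager.if offers one. Either way the comment should say which side creates the file.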
@@ -176,6 +176,25 @@ interface(`ntp_read_drift_files',` read_files_pattern($1, ntp_drift_t, ntp_drift_t) ') + +## +## specified domain creates /var/lib/ntpsec/ with the correct type +## +## +## +## Domain allowed access. +## +## +# +interface(`ntp_filetrans_drift',` + gen_require(` + type ntp_drift_t; + ') + + files_search_var_lib($1) + files_var_lib_filetrans($1, ntp_drift_t, dir) +') + ## ## Read and write ntpd shared memory.
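Review bot: `files_var_lib_filetrans($1, ntp_drift_t, dir)` carries no filename, so every directory the calling domain creates directly under /var/lib is labelled ntp_drift_t, not only /var/lib/ntpsec as the summary promises; with dpkg_script_t as the caller in this commit, that would mislabel the /var/lib directory of every other package installed afterwards and could collide with any other unnamed var_lib dir transition that domain has. Pass the name, `files_var_lib_filetrans($1, ntp_drift_t, dir, "ntpsec")`, and say so in the summary, e.g. `Create /var/lib/ntpsec with the ntp_drift_t type.`. The `files_search_var_lib($1)` before the transition is fine.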
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
commit: e17a5ea822384af3d15da14be3bc593037950d21 Author: Russell Coker coker com au> AuthorDate: Fri Sep 22 09:09:12 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Oct 6 15:27:06 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e17a5ea8 Added tmpfs file type for postgresql Small mysql stuff including anon_inode Signed-off-by: Russell Coker coker.com.au> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/services/mysql.te | 4 +++- policy/modules/services/postgresql.te | 9 - 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te index 2e7621471..4d1124bbf 100644 --- a/policy/modules/services/mysql.te +++ b/policy/modules/services/mysql.te @@ -67,11 +67,12 @@ files_runtime_file(mysqlmanagerd_runtime_t) allow mysqld_t self:capability { dac_override dac_read_search ipc_lock setgid setuid sys_resource }; dontaudit mysqld_t self:capability sys_tty_config; -allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh }; +allow mysqld_t self:process { getcap setsched getsched setrlimit signal_perms rlimitinh }; allow mysqld_t self:fifo_file rw_fifo_file_perms; allow mysqld_t self:shm create_shm_perms; allow mysqld_t self:unix_stream_socket { connectto accept listen }; allow mysqld_t self:tcp_socket { accept listen }; +allow mysqld_t self:anon_inode { create map read write }; manage_dirs_pattern(mysqld_t, mysqld_db_t, mysqld_db_t) mmap_manage_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t) @@ -191,6 +192,7 @@ dev_read_sysfs(mysqld_safe_t) domain_read_all_domains_state(mysqld_safe_t) +files_dontaudit_write_root_dirs(mysqld_safe_t) files_read_etc_files(mysqld_safe_t) files_read_usr_files(mysqld_safe_t) files_search_runtime(mysqld_safe_t) diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te index 1b2d8ab0d..11b3936b0 100644 --- a/policy/modules/services/postgresql.te 
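Review bot: `allow mysqld_t self:anon_inode { create map read write };` and the new `getcap` process permission are added without a comment on what creates the anonymous inode; the commit message only says "anon_inode", and that class covers several unrelated kernel facilities. A line such as `# anon_inode for FEATURE in mysqld` would make the rule reviewable later. The `files_dontaudit_write_root_dirs(mysqld_safe_t)` in the next hunk is fine as is.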
+++ b/policy/modules/services/postgresql.te @@ -65,6 +65,9 @@ init_daemon_runtime_file(postgresql_runtime_t, dir, "postgresql") type postgresql_tmp_t; files_tmp_file(postgresql_tmp_t) +type postgresql_tmpfs_t; +files_tmpfs_file(postgresql_tmpfs_t) + type postgresql_unit_t; init_unit_file(postgresql_unit_t) @@ -282,7 +285,10 @@ manage_lnk_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t) manage_fifo_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t) manage_sock_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t) files_tmp_filetrans(postgresql_t, postgresql_tmp_t, { dir file sock_file }) -fs_tmpfs_filetrans(postgresql_t, postgresql_tmp_t, { dir file lnk_file sock_file fifo_file }) +fs_tmpfs_filetrans(postgresql_t, postgresql_tmp_t, { dir lnk_file sock_file fifo_file }) +fs_tmpfs_filetrans(postgresql_t, postgresql_tmpfs_t, { file }) +allow postgresql_t postgresql_tmpfs_t:file map; +manage_files_pattern(postgresql_t, postgresql_tmpfs_t, postgresql_tmpfs_t) manage_dirs_pattern(postgresql_t, postgresql_runtime_t, postgresql_runtime_t) manage_files_pattern(postgresql_t, postgresql_runtime_t, postgresql_runtime_t) @@ -342,6 +348,7 @@ init_read_utmp(postgresql_t) logging_send_syslog_msg(postgresql_t) logging_send_audit_msgs(postgresql_t) +miscfiles_read_generic_tls_privkey(postgresql_t) miscfiles_read_localization(postgresql_t) seutil_libselinux_linked(postgresql_t)
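Review bot: `allow postgresql_t postgresql_tmpfs_t:file map;` followed by `manage_files_pattern(postgresql_t, postgresql_tmpfs_t, postgresql_tmpfs_t)` is the expanded form of `mmap_manage_files_pattern(postgresql_t, postgresql_tmpfs_t, postgresql_tmpfs_t)`, which the mysql.te hunk in this same commit already uses for mysqld_db_t; using it here keeps the two modules consistent and drops a line. Splitting `file` off into its own `fs_tmpfs_filetrans` for the new type is the right call since postgresql_tmp_t stays for the other classes. `miscfiles_read_generic_tls_privkey(postgresql_t)` in the last hunk reads every generic TLS private key on the system, so a comment noting it is for the server certificate key would help.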
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
commit: 8f51e189a7c8f8680f84fc11841257c19ab9fa51 Author: Russell Coker coker com au> AuthorDate: Wed Sep 27 13:20:52 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Oct 6 15:30:52 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8f51e189 small systemd patches (#708) * Some small systemd patches Signed-off-by: Russell Coker coker.com.au> * Fixed error where systemd.if had a reference to user_devpts_t Signed-off-by: Russell Coker coker.com.au> * removed the init_var_run_t:service stuff as there's already interfaces and a type for it Signed-off-by: Russell Coker coker.com.au> * corecmd_shell_entry_type doesn't seem to be needed Signed-off-by: Russell Coker coker.com.au> - Signed-off-by: Russell Coker coker.com.au> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/system/locallogin.te | 3 ++- policy/modules/system/systemd.if| 12 +++- 2 files changed, 9 insertions(+), 6 deletions(-) diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te index f40f15c1c..4dc9981bc 100644 --- a/policy/modules/system/locallogin.te +++ b/policy/modules/system/locallogin.te @@ -131,7 +131,8 @@ auth_domtrans_pam_console(local_login_t) auth_read_pam_motd_dynamic(local_login_t) auth_read_shadow_history(local_login_t) -init_dontaudit_use_fds(local_login_t) +# if local_login_t can not inherit fd from init it takes ages to login +init_use_fds(local_login_t) miscfiles_read_localization(local_login_t) diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if index 77a59c662..64455eed5 100644 --- a/policy/modules/system/systemd.if +++ b/policy/modules/system/systemd.if @@ -19,11 +19,6 @@ ## The user domain for the role. ## ## -## -## -## The type for the user pty -## -## # template(`systemd_role_template',` gen_require(` 
@@ -34,6 +29,7 @@ template(`systemd_role_template',` type systemd_user_runtime_t, systemd_user_runtime_notify_t; type systemd_user_unit_t; type systemd_user_runtime_unit_t, systemd_user_transient_unit_t; + type systemd_machined_t; ') # @@ -153,6 +149,12 @@ template(`systemd_role_template',` allow $3 systemd_user_runtime_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; allow $3 systemd_user_runtime_t:sock_file { manage_sock_file_perms relabel_sock_file_perms }; + # for "machinectl shell" + allow $1_systemd_t systemd_machined_t:fd use; + allow $3 systemd_machined_t:fd use; + allow $3 systemd_machined_t:dbus send_msg; + allow systemd_machined_t $3:dbus send_msg; + allow $3 systemd_user_runtime_notify_t:sock_file { manage_sock_file_perms relabel_sock_file_perms }; allow $3 systemd_user_unit_t:service { reload start status stop };
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
commit: d7890fb6d1c7bfd1c75d454d457b5fcdc869efe1 Author: Chris PeBenito ieee org> AuthorDate: Tue Sep 26 13:43:40 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Oct 6 15:30:09 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d7890fb6 postgresql: Move lines Signed-off-by: Chris PeBenito ieee.org> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/services/postgresql.te | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te index 11b3936b0..810fb0ed4 100644 --- a/policy/modules/services/postgresql.te +++ b/policy/modules/services/postgresql.te @@ -286,9 +286,10 @@ manage_fifo_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t) manage_sock_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t) files_tmp_filetrans(postgresql_t, postgresql_tmp_t, { dir file sock_file }) fs_tmpfs_filetrans(postgresql_t, postgresql_tmp_t, { dir lnk_file sock_file fifo_file }) -fs_tmpfs_filetrans(postgresql_t, postgresql_tmpfs_t, { file }) + allow postgresql_t postgresql_tmpfs_t:file map; manage_files_pattern(postgresql_t, postgresql_tmpfs_t, postgresql_tmpfs_t) +fs_tmpfs_filetrans(postgresql_t, postgresql_tmpfs_t, { file }) manage_dirs_pattern(postgresql_t, postgresql_runtime_t, postgresql_runtime_t) manage_files_pattern(postgresql_t, postgresql_runtime_t, postgresql_runtime_t)
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
commit: fde90b82b10e32324d96deca43928f448d8dd932 Author: Yi Zhao windriver com> AuthorDate: Thu Sep 21 03:31:31 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Oct 6 15:27:06 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=fde90b82 systemd: allow systemd-networkd to create file in /run/systemd directory systemd-networkd creates files in /run/systemd directory which should be labeled appropriately. Fixes: avc: denied { create } for pid=136 comm="systemd-network" name=".#networkd2c6a2ac2dbf34a8" scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:object_r:init_runtime_t tclass=file permissive=1 avc: denied { write } for pid=136 comm="systemd-network" path="/run/systemd/.#networkd2c6a2ac2dbf34a8" dev="tmpfs" ino=81 scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:object_r:init_runtime_t tclass=file permissive=1 avc: denied { setattr } for pid=136 comm="systemd-network" name=".#networkd2c6a2ac2dbf34a8" dev="tmpfs" ino=81 scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:object_r:init_runtime_t tclass=file permissive=1 avc: denied { rename } for pid=136 comm="systemd-network" name=".#networkd2c6a2ac2dbf34a8" dev="tmpfs" ino=81 scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:object_r:init_runtime_t tclass=file permissive=1 Signed-off-by: Yi Zhao windriver.com> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/system/systemd.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index f74ab30b4..b60d5729d 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te 
@@ -1168,7 +1168,7 @@ auth_use_nsswitch(systemd_networkd_t) init_dgram_send(systemd_networkd_t) init_read_state(systemd_networkd_t) init_read_runtime_files(systemd_networkd_t) -init_runtime_filetrans(systemd_networkd_t, systemd_networkd_runtime_t, dir) +init_runtime_filetrans(systemd_networkd_t, systemd_networkd_runtime_t, { dir file }) logging_send_syslog_msg(systemd_networkd_t)
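Review bot: Adding `file` to `init_runtime_filetrans(systemd_networkd_t, systemd_networkd_runtime_t, { dir file })` relabels the temporary `.#networkd…` files at creation, but the quoted denials also cover write, setattr and rename on that file; those now have to be satisfied against systemd_networkd_runtime_t instead of init_runtime_t, which the existing rules for that type presumably already grant — worth confirming with a boot rather than assuming. Because the temporary names are random the transition cannot be named, so the unnamed form is appropriate here. The systemd_networkd_t block starts and ends outside the hunk.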
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/services/
commit: 345902025b3c03467a48c8b1474cbd3b3bc085cf Author: Russell Coker coker com au> AuthorDate: Thu Sep 21 14:22:36 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Oct 6 15:27:06 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=34590202 policy for the Reliability Availability servicability daemon (#690) * policy for the Reliability Availability servicability daemon Signed-off-by: Russell Coker coker.com.au> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/kernel/filesystem.if | 37 policy/modules/services/rasdaemon.fc | 3 +++ policy/modules/services/rasdaemon.if | 10 + policy/modules/services/rasdaemon.te | 41 4 files changed, 91 insertions(+) diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if index 5cdbc5644..5213df5ba 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -6154,6 +6154,43 @@ interface(`fs_getattr_tracefs_files',` allow $1 tracefs_t:file getattr; ') + +## +## Read/write trace filesystem files +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_rw_tracefs_files',` + gen_require(` + type tracefs_t; + ') + + allow $1 tracefs_t:dir list_dir_perms; + allow $1 tracefs_t:file rw_file_perms; +') + + +## +## create trace filesystem directories +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_create_tracefs_dirs',` + gen_require(` + type tracefs_t; + ') + + allow $1 tracefs_t:dir { create rw_dir_perms }; +') + ## ## Mount a XENFS filesystem. diff --git a/policy/modules/services/rasdaemon.fc b/policy/modules/services/rasdaemon.fc new file mode 100644 index 0..9a83feb4f --- /dev/null +++ b/policy/modules/services/rasdaemon.fc @@ -0,0 +1,3 @@ +/usr/sbin/rasdaemon-- gen_context(system_u:object_r:rasdaemon_exec_t,s0) +/var/lib/rasdaemon(/.*)? gen_context(system_u:object_r:rasdaemon_var_t,s0) + 
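Review bot: The summary of `fs_create_tracefs_dirs` says create, but the body `allow $1 tracefs_t:dir { create rw_dir_perms };` also grants add_name and remove_name, i.e. creating and removing entries inside existing tracefs directories; the summary should say so, e.g. `Create and read/write trace filesystem directories.`, and start with a capital letter like the neighbouring `Read/write trace filesystem files`. `fs_rw_tracefs_files` grants list_dir_perms plus rw_file_perms, which matches its summary. The new rasdaemon.fc that follows appears to end with an empty line; drop it if that is not intended.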
diff --git a/policy/modules/services/rasdaemon.if b/policy/modules/services/rasdaemon.if new file mode 100644 index 0..9509b0261 --- /dev/null +++ b/policy/modules/services/rasdaemon.if @@ -0,0 +1,10 @@ +## RAS (Reliability, Availability and Serviceability) logging tool +## +## +## rasdaemon is a RAS (Reliability, Availability and Serviceability) logging +## tool. It currently records memory errors, using the EDAC tracing events. +## EDAC are drivers in the Linux kernel that handle detection of ECC errors +## from memory controllers for most chipsets on x86 and ARM architectures. +## +## https://git.infradead.org/users/mchehab/rasdaemon.git +## diff --git a/policy/modules/services/rasdaemon.te b/policy/modules/services/rasdaemon.te new file mode 100644 index 0..9a65d5d74 --- /dev/null +++ b/policy/modules/services/rasdaemon.te @@ -0,0 +1,41 @@ +policy_module(rasdaemon) + + +# +# Declarations +# + +type rasdaemon_t; +type rasdaemon_exec_t; +init_daemon_domain(rasdaemon_t, rasdaemon_exec_t) + +type rasdaemon_var_t; +files_type(rasdaemon_var_t) + + +# +# Local policy +# + +allow rasdaemon_t self:process getsched; +allow rasdaemon_t self:capability sys_rawio; + +allow rasdaemon_t rasdaemon_var_t:dir manage_dir_perms; +allow rasdaemon_t rasdaemon_var_t:file manage_file_perms; + +kernel_read_debugfs(rasdaemon_t) +kernel_read_system_state(rasdaemon_t) +kernel_read_vm_overcommit_sysctl(rasdaemon_t) +kernel_search_fs_sysctls(rasdaemon_t) + +dev_read_sysfs(rasdaemon_t) +dev_read_urand(rasdaemon_t) +dev_rw_cpu_microcode(rasdaemon_t) + +files_search_var_lib(rasdaemon_t) +fs_create_tracefs_dirs(rasdaemon_t) +fs_rw_tracefs_files(rasdaemon_t) + +logging_send_syslog_msg(rasdaemon_t) +miscfiles_read_localization(rasdaemon_t) +
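Review bot: `allow rasdaemon_t self:capability sys_rawio;` together with `dev_rw_cpu_microcode(rasdaemon_t)` gives the daemon CAP_SYS_RAWIO and write access to the CPU device nodes, which is well beyond reading error records; a comment such as `# sys_rawio and cpu device rw for MSR access by FEATURE` naming what actually needs them, plus a check of whether read-only access would suffice, would justify the two most powerful rules in the module. The type `rasdaemon_var_t` labels /var/lib/rasdaemon per the fc hunk, so the usual refpolicy name would be `rasdaemon_var_lib_t`. rasdaemon.if contains only the module description, so no domtrans or admin interface is available to other modules; if none is needed yet that is fine, but it is worth stating in the commit message.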
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/apps/
commit: 9139acd456b4a49f7d8286023ac6abc09725ccb7 Author: Yi Zhao windriver com> AuthorDate: Wed Sep 20 06:43:34 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Oct 6 15:27:06 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9139acd4 loadkeys: do not audit attempts to get attributes for all directories Fixes: avc: denied { getattr } for pid=239 comm="loadkeys" path="/boot" dev="vda" ino=15 scontext=system_u:system_r:loadkeys_t:s0-s15:c0.c1023 tcontext=system_u:object_r:boot_t:s0 tclass=dir permissive=1 avc: denied { getattr } for pid=239 comm="loadkeys" path="/home" dev="vda" ino=806 scontext=system_u:system_r:loadkeys_t:s0-s15:c0.c1023 tcontext=system_u:object_r:home_root_t:s0-s15:c0.c1023 tclass=dir permissive=1 avc: denied { getattr } for pid=239 comm="loadkeys" path="/lost+found" dev="vda" ino=11 scontext=system_u:system_r:loadkeys_t:s0-s15:c0.c1023 tcontext=system_u:object_r:lost_found_t:s15:c0.c1023 tclass=dir permissive=1 avc: denied { getattr } for pid=239 comm="loadkeys" path="/media" dev="vda" ino=810 scontext=system_u:system_r:loadkeys_t:s0-s15:c0.c1023 tcontext=system_u:object_r:mnt_t:s0 tclass=dir permissive=1 Signed-off-by: Yi Zhao windriver.com> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/apps/loadkeys.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/apps/loadkeys.te b/policy/modules/apps/loadkeys.te index b9558dccc..56fb45114 100644 --- a/policy/modules/apps/loadkeys.te +++ b/policy/modules/apps/loadkeys.te @@ -35,6 +35,7 @@ files_read_usr_files(loadkeys_t) files_search_runtime(loadkeys_t) files_search_src(loadkeys_t) files_search_tmp(loadkeys_t) +files_dontaudit_getattr_all_dirs(loadkeys_t) term_dontaudit_use_console(loadkeys_t) term_use_unallocated_ttys(loadkeys_t)
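Review bot: `files_dontaudit_getattr_all_dirs(loadkeys_t)` is appended after `files_search_tmp(loadkeys_t)`, but refpolicy keeps the calls in each module block sorted, so it belongs above `files_read_usr_files(loadkeys_t)` (earlier files_ calls may exist outside the hunk; the block starts before it). The dontaudit itself is the right tool for these getattr probes on /boot, /home and similar, since nothing in the quoted AVCs suggests loadkeys needs the result.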
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/system/
commit: 9a761587cf212b96c093e2ea1d9c3ed66ff7c37d Author: Russell Coker coker com au> AuthorDate: Thu Sep 21 14:21:25 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Oct 6 15:27:06 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9a761587 debian motd.d directory (#689) * policy for Debian motd.d dir Signed-off-by: Russell Coker coker.com.au> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/services/xserver.te | 1 + policy/modules/system/authlogin.fc | 1 + policy/modules/system/authlogin.if | 1 + 3 files changed, 3 insertions(+) diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te index 68d9bd34b..58cd85626 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -472,6 +472,7 @@ auth_manage_pam_runtime_dirs(xdm_t) auth_manage_pam_runtime_files(xdm_t) auth_manage_pam_console_data(xdm_t) auth_read_shadow_history(xdm_t) +auth_use_pam_motd_dynamic(xdm_t) auth_write_login_records(xdm_t) # Run telinit->init to shutdown. diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc index b47da01a5..adb53a05a 100644 --- a/policy/modules/system/authlogin.fc +++ b/policy/modules/system/authlogin.fc @@ -59,6 +59,7 @@ ifdef(`distro_suse', ` /run/motd -- gen_context(system_u:object_r:pam_motd_runtime_t,s0) /run/motd\.dynamic -- gen_context(system_u:object_r:pam_motd_runtime_t,s0) /run/motd\.dynamic\.new-- gen_context(system_u:object_r:pam_motd_runtime_t,s0) +/run/motd\.d(/.*)? gen_context(system_u:object_r:pam_motd_runtime_t,s0) /run/pam_mount(/.*)? gen_context(system_u:object_r:pam_runtime_t,s0) /run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0) /run/sepermit(/.*)?gen_context(system_u:object_r:pam_runtime_t,s0) diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if index 4d11800aa..cd5ab2d7f 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if 
@@ -129,6 +129,7 @@ interface(`auth_use_pam_motd_dynamic',` corecmd_exec_shell($1) allow $1 pam_motd_runtime_t:file manage_file_perms; + allow $1 pam_motd_runtime_t:dir rw_dir_perms; files_runtime_filetrans($1, pam_motd_runtime_t, file, "motd.dynamic.new") ')
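Review bot: The new `allow $1 pam_motd_runtime_t:dir rw_dir_perms;` lets callers write into /run/motd.d once it exists with the right label, but nothing in this commit adds a directory transition for it: if the caller is what creates /run/motd.d at runtime, the directory would get the generic runtime type and the new fc entry only corrects it at relabel time. If that is the case, add `files_runtime_filetrans($1, pam_motd_runtime_t, dir, "motd.d")` beside the existing motd.dynamic.new transition; if tmpfiles ships the directory, a comment saying so would stop the next reader from asking. The interface body starts outside the hunk.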
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
commit: 98ebbf0f2916e7541905c03eef89330b51c9ff97 Author: Russell Coker coker com au> AuthorDate: Thu Sep 21 16:01:24 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Oct 6 15:27:06 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=98ebbf0f policy patches for anti-spam daemons (#698) * Patches for anti-spam related policy * Added a seperate tunable for execmem, can be enabled for people who need it which means Debian rspam users and some of the less common SpamAssassin configurations Signed-off-by: Russell Coker coker.com.au> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/services/clamav.te | 5 ++-- policy/modules/services/dkim.fc | 1 + policy/modules/services/dkim.te | 2 +- policy/modules/services/milter.fc | 2 ++ policy/modules/services/milter.te | 41 + policy/modules/services/spamassassin.te | 16 - 6 files changed, 63 insertions(+), 4 deletions(-) diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te index c171fd7dc..a9476a561 100644 --- a/policy/modules/services/clamav.te +++ b/policy/modules/services/clamav.te @@ -75,7 +75,7 @@ logging_log_file(freshclam_var_log_t) allow clamd_t self:capability { chown fowner fsetid kill setgid setuid dac_override }; dontaudit clamd_t self:capability sys_tty_config; -allow clamd_t self:process signal; +allow clamd_t self:process { signal getsched }; allow clamd_t self:fifo_file rw_fifo_file_perms; allow clamd_t self:unix_stream_socket { accept connectto listen }; allow clamd_t self:tcp_socket { listen accept }; @@ -174,7 +174,7 @@ optional_policy(` # Freshclam local policy # -allow freshclam_t self:capability { dac_override setgid setuid }; +allow freshclam_t self:capability { chown dac_override setgid setuid }; allow freshclam_t self:fifo_file rw_fifo_file_perms; allow freshclam_t self:unix_stream_socket { accept listen }; allow freshclam_t self:tcp_socket { accept listen }; 
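Review bot: `chown` is added to freshclam_t's capability set without a comment on which file it changes the ownership of; since chown is a DAC-bypassing capability, record the trigger, e.g. `# chown: freshclam hands the downloaded database to USER`, and consider a dontaudit instead if the call is only attempted and not required for the update to succeed. The `getsched` additions for clamd_t here and for dkim_milter_t later in this commit are low-risk and need no comment.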
@@ -225,6 +225,7 @@ dev_read_urand(freshclam_t) domain_use_interactive_fds(freshclam_t) files_read_etc_runtime_files(freshclam_t) +files_read_usr_files(freshclam_t) files_search_var_lib(freshclam_t) auth_use_nsswitch(freshclam_t) diff --git a/policy/modules/services/dkim.fc b/policy/modules/services/dkim.fc index 08b652630..0b269c0af 100644 --- a/policy/modules/services/dkim.fc +++ b/policy/modules/services/dkim.fc @@ -1,4 +1,5 @@ /etc/opendkim/keys(/.*)? gen_context(system_u:object_r:dkim_milter_private_key_t,s0) +/etc/dkimkeys(/.*)? gen_context(system_u:object_r:dkim_milter_private_key_t,s0) /etc/rc\.d/init\.d/((opendkim)|(dkim-milter)) -- gen_context(system_u:object_r:dkim_milter_initrc_exec_t,s0) diff --git a/policy/modules/services/dkim.te b/policy/modules/services/dkim.te index 32468194b..e960818da 100644 --- a/policy/modules/services/dkim.te +++ b/policy/modules/services/dkim.te @@ -24,7 +24,7 @@ init_daemon_runtime_file(dkim_milter_data_t, dir, "opendkim") # allow dkim_milter_t self:capability { dac_read_search dac_override setgid setuid }; -allow dkim_milter_t self:process { signal signull }; +allow dkim_milter_t self:process { signal signull getsched }; allow dkim_milter_t self:unix_stream_socket create_stream_socket_perms; read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t) diff --git a/policy/modules/services/milter.fc b/policy/modules/services/milter.fc index 42fe5e941..71b168061 100644 --- a/policy/modules/services/milter.fc +++ b/policy/modules/services/milter.fc 
@@ -8,6 +8,7 @@ /usr/sbin/milter-greylist -- gen_context(system_u:object_r:greylist_milter_exec_t,s0) /usr/sbin/sqlgrey -- gen_context(system_u:object_r:greylist_milter_exec_t,s0) /usr/sbin/milter-regex -- gen_context(system_u:object_r:regex_milter_exec_t,s0) +/usr/sbin/postfwd.*-- gen_context(system_u:object_r:postfwd_milter_exec_t,s0) /usr/sbin/spamass-milter -- gen_context(system_u:object_r:spamass_milter_exec_t,s0) /var/lib/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0) @@ -16,6 +17,7 @@ /run/milter-greylist(/.*)? gen_context(system_u:object_r:greylist_milter_data_t,s0) /run/milter-greylist\.pid -- gen_context(system_u:object_r:greylist_milter_data_t,s0) +/run/postfwd\.pid -- gen_context(system_u:object_r:postfwd_milter_runtime_t,s0) /run/spamass(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0) /run/sqlgrey\.pid -- gen_context(system_u:object_r:greylist_milter_data_t,s0) /run/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0) diff --git a/policy/modules/services/milter.te
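Review bot: The new fc entries reference `postfwd_milter_exec_t` and `postfwd_milter_runtime_t`, whose declarations must be in the milter.te hunk; its diff header is the last thing on this line and its body is outside the view, so I cannot confirm they exist. Naming is mixed with the neighbours, which label their pid files `*_milter_data_t` while postfwd uses `*_milter_runtime_t`; `_runtime_t` is the current convention, so that is fine, but a short comment in milter.te would help. `/usr/sbin/postfwd.*` matches any regular file whose name starts with postfwd; if only a fixed set of names is intended, a bounded pattern such as a digit suffix would be tighter.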
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
commit: 53ba841c22c8b23bacc7fe0f2116c123943d10f3 Author: Yi Zhao windriver com> AuthorDate: Wed Mar 15 02:57:55 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Mar 31 17:11:32 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=53ba841c systemd: allow systemd-resolved to search directories on tmpfs and ramfs Fixes: avc: denied { search } for pid=233 comm="systemd-resolve" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:systemd_resolved_t tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=1 avc: denied { search } for pid=233 comm="systemd-resolve" name="/" dev="ramfs" ino=813 scontext=system_u:system_r:systemd_resolved_t tcontext=system_u:object_r:ramfs_t tclass=dir permissive=1 Signed-off-by: Yi Zhao windriver.com> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/system/systemd.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index bb62c67fc..da64b11b3 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -1530,6 +1530,8 @@ files_list_runtime(systemd_resolved_t) fs_getattr_all_fs(systemd_resolved_t) fs_search_cgroup_dirs(systemd_resolved_t) +fs_search_tmpfs(systemd_resolved_t) +fs_search_ramfs(systemd_resolved_t) init_dgram_send(systemd_resolved_t)
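Review bot: `fs_search_tmpfs(systemd_resolved_t)` is placed before `fs_search_ramfs(systemd_resolved_t)`; refpolicy keeps the calls in a block sorted, so ramfs should come first, right after `fs_search_cgroup_dirs(systemd_resolved_t)`. The change itself is only directory search on two filesystems and matches the quoted denials.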
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
commit: b08912707a9b728f5c35760cf1b2464594cdaad1 Author: Kenton Groombridge concord sh> AuthorDate: Mon Mar 6 15:25:29 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Mar 31 17:11:32 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b0891270 init, systemd: allow init to create userdb runtime symlinks At boot, systemd-init will create symlinks in /run/systemd/userdb. This fixes these AVCs: avc: denied { create } for pid=1 comm="systemd" name="io.systemd.NameServiceSwitch" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=lnk_file permissive=0 avc: denied { create } for pid=1 comm="systemd" name="io.systemd.DropIn" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=lnk_file permissive=0 Signed-off-by: Kenton Groombridge concord.sh> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/system/init.te| 1 + policy/modules/system/systemd.if | 18 ++ 2 files changed, 19 insertions(+) diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index 562b45c59..a2b0693b6 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -532,6 +532,7 @@ ifdef(`init_systemd',` systemd_relabelto_tmpfiles_conf_files(init_t) systemd_manage_userdb_runtime_sock_files(init_t) systemd_manage_userdb_runtime_dirs(init_t) + systemd_manage_userdb_runtime_symlinks(init_t) systemd_filetrans_userdb_runtime_dirs(init_t) systemd_relabelto_journal_dirs(init_t) systemd_relabelto_journal_files(init_t) diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if index 1dd302851..a903282f0 100644 --- a/policy/modules/system/systemd.if +++ b/policy/modules/system/systemd.if 
@@ -1402,6 +1402,24 @@ interface(`systemd_read_userdb_runtime_files', `
 read_files_pattern($1, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t)
 ')
+
+##
+## Manage symbolic links under /run/systemd/userdb.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`systemd_manage_userdb_runtime_symlinks', `
+ gen_require(`
+ type systemd_userdbd_runtime_t;
+ ')
+
+ manage_lnk_files_pattern($1, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t)
+')
+
 ##
 ## Manage socket files under /run/systemd/userdb .
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
commit: b4cec33d59df11ea1f88917140d254b3e32a4feb Author: Kenton Groombridge concord sh> AuthorDate: Tue Mar 7 00:12:16 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Mar 31 17:11:32 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b4cec33d fstools: allow fsadm to read utab Signed-off-by: Kenton Groombridge concord.sh> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/system/fstools.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index 079aacad3..0e3a98967 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -164,7 +164,7 @@ logging_send_syslog_msg(fsadm_t)
 miscfiles_read_localization(fsadm_t)
 # for /run/mount/utab
-mount_getattr_runtime_files(fsadm_t)
+mount_read_runtime_files(fsadm_t)
 seutil_read_config(fsadm_t)
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
commit: 396ba1dae4fa1576c1c9ab3e10a4d3bbae2fe990 Author: Kenton Groombridge concord sh> AuthorDate: Tue Mar 7 01:21:54 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Mar 31 17:11:32 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=396ba1da glusterfs: allow glusterd to bind to all TCP unreserved ports Port 32767 seems to be needed by glfs_timer type=SYSCALL msg=audit(1678151692.991:193): arch=c03e syscall=49 success=no exit=-13 a0=7 a1=43bc7241350 a2=10 a3=3968 items=0 ppid=1 pid=2401 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="glfs_timer" exe="/usr/bin/glusterfsd" subj=system_u:system_r:glusterd_t:s0 key=(null) type=AVC msg=audit(1678151692.991:193): avc: denied { name_bind } for pid=2401 comm="glfs_timer" src=32767 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0 Signed-off-by: Kenton Groombridge concord.sh> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/services/glusterfs.te | 1 + 1 file changed, 1 insertion(+)
diff --git a/policy/modules/services/glusterfs.te b/policy/modules/services/glusterfs.te
index d9c77d384..fe80b732a 100644
--- a/policy/modules/services/glusterfs.te
+++ b/policy/modules/services/glusterfs.te
@@ -108,6 +108,7 @@ corenet_tcp_connect_glusterd_port(glusterd_t)
 # Too coarse?
 corenet_sendrecv_all_server_packets(glusterd_t)
 corenet_tcp_bind_all_reserved_ports(glusterd_t)
+corenet_tcp_bind_all_unreserved_ports(glusterd_t)
 corenet_udp_bind_all_rpc_ports(glusterd_t)
 corenet_udp_bind_ipp_port(glusterd_t)
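Review bot: `corenet_tcp_bind_all_unreserved_ports(glusterd_t)` lets glusterd_t bind any TCP port labelled unreserved_port_t, while the audit record in the message shows one denied bind (src=32767 from glfs_timer); the `# Too coarse?` comment already above this block flags it as over-broad, and the new line widens it further. If the port glfs_timer chooses is not fixed, say so next to the rule, e.g. `# glfs_timer binds to high unreserved ports (observed 32767)`, so the breadth is justified rather than inherited. If it is fixed, a dedicated port type or a tunable would keep glusterd's bind surface narrower.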
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
commit: 34127751552f504b35300a30876eda61b0f38733 Author: Kenton Groombridge concord sh> AuthorDate: Tue Mar 7 00:15:24 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Mar 31 17:11:32 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=34127751 init: allow initrc_t to create netlink_kobject_uevent_sockets Needed by rdma-rdd, which is automatically started by udev when an RDMA device with a node description is present. Signed-off-by: Kenton Groombridge concord.sh> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/system/init.te | 1 + 1 file changed, 1 insertion(+)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 936b212eb..999721551 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -705,6 +705,7 @@ allow initrc_t self:process { getcap getpgid setsched setpgid setrlimit getsched
 allow initrc_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_rawio sys_chroot sys_ptrace sys_pacct sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap };
 allow initrc_t self:capability2 { wake_alarm block_suspend };
 dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
+allow initrc_t self:netlink_kobject_uevent_socket create_socket_perms; # needed by rdma-ndd
 allow initrc_t self:passwd rootok;
 allow initrc_t self:key manage_key_perms;
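Review bot: The inline comment says `# needed by rdma-ndd` while the commit message says rdma-rdd; presumably the message carries the typo, since rdma-ndd is the node-description daemon udev starts, but the two should agree. The rule grants uevent-socket creation to the whole of initrc_t, a domain shared by every init script, rather than to the one daemon that listens for uevents; if rdma-ndd stays resident, a dedicated domain would confine that listener more tightly than widening initrc_t. The initrc_t local policy section continues outside the hunk.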
[gentoo-commits] proj/hardened-refpolicy:master commit in: gentoo/
commit: 3c90b2cd2f70bcea324e5182bdcb50059b92 Author: Kenton Groombridge gentoo org> AuthorDate: Fri Mar 31 17:18:18 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Mar 31 18:08:02 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3c90b2cd Merge upstream Signed-off-by: Kenton Groombridge gentoo.org> gentoo/STATE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/gentoo/STATE b/gentoo/STATE
index ac81362f9..b2d61aa8e 100644
--- a/gentoo/STATE
+++ b/gentoo/STATE
@@ -1 +1 @@
-aedf310cdb63b9dd99da0efb97167c611ae4ea90
+86a7f884a5af56076ae4829b25e73a74b2f56024
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/
commit: af8127d982e94211a2a717c9fb3249ef7456ee7a Author: Kenton Groombridge concord sh> AuthorDate: Tue Mar 7 00:19:51 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Mar 31 17:11:32 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=af8127d9 fs, init: allow systemd-init to set the attributes of efivarfs files avc: denied { setattr } for pid=1 comm="systemd" name="LoaderSystemToken-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f" dev="efivarfs" ino=1049 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=0 Signed-off-by: Kenton Groombridge concord.sh> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/kernel/filesystem.if | 20 policy/modules/system/init.te | 1 + 2 files changed, 21 insertions(+)
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index a1282cf40..528eeafc0 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -2439,6 +2439,26 @@ interface(`fs_read_efivarfs_files',`
 read_files_pattern($1, efivarfs_t, efivarfs_t)
 ')
+###
+##
+## Set the attributes of files in efivarfs
+## - contains Linux Kernel configuration options for UEFI systems
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`fs_setattr_efivarfs_files',`
+ gen_require(`
+ type efivarfs_t;
+ ')
+
+ setattr_files_pattern($1, efivarfs_t, efivarfs_t)
+')
+
 ##
 ## Create, read, write, and delete files
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 87d62741e..fca349587 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -464,6 +464,7 @@ ifdef(`init_systemd',`
 fs_relabel_tmpfs_chr_files(init_t)
 fs_relabel_tmpfs_fifo_files(init_t)
 fs_read_efivarfs_files(init_t)
+ fs_setattr_efivarfs_files(init_t)
 # for privatetmp functions
 fs_relabel_tmpfs_dirs(init_t)
 fs_relabel_tmpfs_files(init_t)
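Review bot: The description line `## - contains Linux Kernel configuration options for UEFI systems` in the new `fs_setattr_efivarfs_files` interface does not describe efivarfs, which exposes UEFI firmware variables, not kernel configuration; it looks copied from a neighbouring efivarfs interface whose text is outside the hunk. Suggest `## Set the attributes of files in efivarfs (UEFI firmware variables).` and dropping the second line. In init.te a short why-comment would also help the next reader, e.g. `# setattr on loader variables such as LoaderSystemToken at boot`, since the AVC in the message is the only record of why init_t needs this.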
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
commit: 87862dc56b934bf6ffc76a8a4864bb919cd7542c Author: Kenton Groombridge concord sh> AuthorDate: Wed Mar 8 18:19:36 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Mar 31 17:11:32 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=87862dc5 kubernetes: allow kubelet to read etc runtime files To read /etc/machine-id. Signed-off-by: Kenton Groombridge concord.sh> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/services/kubernetes.te | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/policy/modules/services/kubernetes.te b/policy/modules/services/kubernetes.te
index b89ffb1bc..e9d8fcdd2 100644
--- a/policy/modules/services/kubernetes.te
+++ b/policy/modules/services/kubernetes.te
@@ -240,6 +240,8 @@ files_search_mnt(kubelet_t)
 files_read_kernel_symbol_table(kubelet_t)
 # read /usr/share/mime/globs2
 files_read_usr_files(kubelet_t)
+# read /etc/machine-id
+files_read_etc_runtime_files(kubelet_t)
 fs_getattr_tmpfs(kubelet_t)
 fs_search_tmpfs(kubelet_t)
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/
commit: 71328f3f02d4765b904f1a2a6c9fe140cb116182 Author: Kenton Groombridge concord sh> AuthorDate: Mon Mar 6 18:37:02 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Mar 31 17:11:32 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=71328f3f files, systemd: allow systemd-tmpfiles to relabel config file symlinks Signed-off-by: Kenton Groombridge concord.sh> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/kernel/files.if | 19 +++ policy/modules/system/systemd.te | 3 ++- 2 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index a895f3734..6fe764a7a 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1713,6 +1713,25 @@ interface(`files_dontaudit_relabel_config_files',`
 dontaudit $1 configfile:file relabel_file_perms;
 ')
+###
+##
+## Relabel configuration symlinks.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`files_relabel_config_symlinks',`
+ gen_require(`
+ attribute configfile;
+ ')
+
+ relabel_lnk_files_pattern($1, configfile, configfile)
+')
+
 ##
 ## Mount a filesystem on all mount points.
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 778052cde..59a3fcfc5 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1704,8 +1704,9 @@ files_manage_all_locks(systemd_tmpfiles_t)
 files_purge_tmp(systemd_tmpfiles_t)
 files_read_etc_files(systemd_tmpfiles_t)
 files_read_etc_runtime_files(systemd_tmpfiles_t)
-files_relabel_config_files(systemd_tmpfiles_t)
 files_relabel_config_dirs(systemd_tmpfiles_t)
+files_relabel_config_files(systemd_tmpfiles_t)
+files_relabel_config_symlinks(systemd_tmpfiles_t)
 files_relabel_all_locks(systemd_tmpfiles_t)
 files_relabel_all_runtime_dirs(systemd_tmpfiles_t)
 files_relabel_all_tmp_dirs(systemd_tmpfiles_t)
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
commit: cf0d634a0c0ea69374f2cf0c13bd08a5567e36f6 Author: Kenton Groombridge concord sh> AuthorDate: Mon Mar 6 15:28:22 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Mar 31 17:11:32 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=cf0d634a raid: allow mdadm to read udev runtime files This fixes this AVC: avc: denied { getattr } for pid=2238 comm="mdadm" path="/run/udev" dev="tmpfs" ino=52 scontext=system_u:system_r:mdadm_t:s0 tcontext=system_u:object_r:udev_runtime_t:s0 tclass=dir permissive=0 Signed-off-by: Kenton Groombridge concord.sh> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/system/raid.te | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/policy/modules/system/raid.te b/policy/modules/system/raid.te
index 5d44696cf..bd0c4bb85 100644
--- a/policy/modules/system/raid.te
+++ b/policy/modules/system/raid.te
@@ -85,6 +85,8 @@ logging_send_syslog_msg(mdadm_t)
 miscfiles_read_localization(mdadm_t)
+udev_read_runtime_files(mdadm_t)
+
 userdom_use_user_terminals(mdadm_t)
 userdom_dontaudit_use_unpriv_user_fds(mdadm_t)
 userdom_dontaudit_search_user_home_content(mdadm_t)
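Review bot: The denial quoted in the message is `getattr` on the /run/udev directory, yet `udev_read_runtime_files(mdadm_t)` also grants read on every udev_runtime_t file; that is the right rule if mdadm goes on to read the udev database under /run/udev (plausible for device assembly, but not shown here), and more than the observed denial needs otherwise. A why-comment next to the rule would settle which it is, e.g. `# mdadm reads the udev device db in /run/udev -- confirm`.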
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
commit: 74e2d5f1c31152d2cacfed90feb309c6ff6b8e4a Author: Kenton Groombridge concord sh> AuthorDate: Tue Mar 7 00:46:45 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Mar 31 17:11:32 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=74e2d5f1 init: allow systemd-init to set the attributes of unallocated terminals type=AVC msg=audit(1678150061.367:292): avc: denied { setattr } for pid=1 comm="systemd" name="tty1" dev="devtmpfs" ino=18 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file permissive=0 Signed-off-by: Kenton Groombridge concord.sh> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/system/init.te | 1 + 1 file changed, 1 insertion(+)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index fca349587..936b212eb 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -542,6 +542,7 @@ ifdef(`init_systemd',`
 term_create_devpts_dirs(init_t)
 term_create_ptmx(init_t)
 term_create_controlling_term(init_t)
+ term_setattr_unallocated_ttys(init_t)
 term_watch_unallocated_ttys(init_t)
 term_watch_reads_unallocated_ttys(init_t)
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
commit: 0d6f57a780a16b50c470ddab492a3e75fc4446e0 Author: Kenton Groombridge concord sh> AuthorDate: Mon Mar 6 15:33:07 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Mar 31 17:11:32 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0d6f57a7 raid: allow mdadm to create generic links in /dev/md Signed-off-by: Kenton Groombridge concord.sh> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/system/raid.te | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/policy/modules/system/raid.te b/policy/modules/system/raid.te
index bd0c4bb85..e10e31850 100644
--- a/policy/modules/system/raid.te
+++ b/policy/modules/system/raid.te
@@ -54,6 +54,8 @@ dev_rw_sysfs(mdadm_t)
 dev_dontaudit_getattr_all_blk_files(mdadm_t)
 dev_dontaudit_getattr_all_chr_files(mdadm_t)
 dev_read_realtime_clock(mdadm_t)
+# create links in /dev/md
+dev_create_generic_symlinks(mdadm_t)
 domain_use_interactive_fds(mdadm_t)
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
commit: e2edd05e623a39191528f2f4eb8c254e6a2e360f Author: Kenton Groombridge concord sh> AuthorDate: Tue Mar 7 01:04:08 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Mar 31 17:11:32 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e2edd05e systemd: allow systemd-resolved to bind to UDP port 5353 Signed-off-by: Kenton Groombridge concord.sh> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/system/systemd.te | 1 + 1 file changed, 1 insertion(+)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index b6d597c71..bb62c67fc 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1518,6 +1518,7 @@ corenet_tcp_bind_llmnr_port(systemd_resolved_t)
 corenet_udp_bind_generic_node(systemd_resolved_t)
 corenet_udp_bind_dns_port(systemd_resolved_t)
 corenet_udp_bind_llmnr_port(systemd_resolved_t)
+corenet_udp_bind_howl_port(systemd_resolved_t)
 selinux_use_status_page(systemd_resolved_t)
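Review bot: `corenet_udp_bind_howl_port(systemd_resolved_t)` is the only one of the four bind rules whose purpose is not obvious from its name, since "howl" is the refpolicy label for UDP 5353 and the feature being enabled is resolved's mDNS responder (MulticastDNS=). A comment on the line would spare the next reader the lookup, e.g. `# UDP 5353 for the mDNS responder (MulticastDNS=)`. The rule is unconditional, which is consistent with the llmnr rules above it, so no tunable is needed unless the project gates the other responders too.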
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
commit: c57e41297654848b0226c69a4dce44d992e91d04 Author: Kenton Groombridge concord sh> AuthorDate: Tue Mar 7 00:17:03 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Mar 31 17:11:32 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c57e4129 systemd: allow systemd-pcrphase to read generic certs Signed-off-by: Kenton Groombridge concord.sh> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/system/systemd.te | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 030dcbd67..b6d597c71 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1436,6 +1436,8 @@ init_read_state(systemd_pcrphase_t)
 logging_send_syslog_msg(systemd_pcrphase_t)
+miscfiles_read_generic_certs(systemd_pcrphase_t)
+
 #
 #
 # systemd-pstore local policy
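Review bot: `miscfiles_read_generic_certs(systemd_pcrphase_t)` carries no comment and the message gives no denial, so a reader cannot tell why a PCR-extension helper needs the system CA store; presumably it is the TPM2/OpenSSL stack loading the default trust store at initialisation rather than pcrphase verifying anything itself, but that is an inference. Record the reason inline, e.g. `# OpenSSL/TPM2 library init reads the CA bundle -- confirm`, so the rule is revisited rather than silently kept if that library dependency changes.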
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
commit: 8cdb1e582a7c164d6a0f6b39aa3f819eb8d5fc1b Author: Kenton Groombridge concord sh> AuthorDate: Mon Mar 6 23:20:57 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Mar 31 17:11:32 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8cdb1e58 systemd: add rules for systemd-zram-generator Signed-off-by: Kenton Groombridge concord.sh> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/system/systemd.te | 9 ++--- 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 59a3fcfc5..030dcbd67 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -481,8 +481,8 @@ seutil_search_default_contexts(systemd_coredump_t)
 #
 allow systemd_generator_t self:fifo_file rw_fifo_file_perms;
-allow systemd_generator_t self:capability { dac_override sys_admin };
-allow systemd_generator_t self:process { getsched setfscreate signal };
+allow systemd_generator_t self:capability { dac_override sys_admin sys_resource };
+allow systemd_generator_t self:process { getcap getsched setfscreate signal };
 corecmd_exec_shell(systemd_generator_t)
 corecmd_exec_bin(systemd_generator_t)
@@ -491,6 +491,8 @@ dev_read_sysfs(systemd_generator_t)
 dev_write_kmsg(systemd_generator_t)
 dev_write_sysfs_dirs(systemd_generator_t)
 dev_read_urand(systemd_generator_t)
+dev_create_sysfs_files(systemd_generator_t)
+dev_write_sysfs(systemd_generator_t)
 files_read_etc_files(systemd_generator_t)
 files_read_etc_runtime_files(systemd_generator_t)
@@ -526,7 +528,8 @@ kernel_dontaudit_getattr_proc(systemd_generator_t)
 # Where an unlabeled mountpoint is encounted:
 kernel_dontaudit_search_unlabeled(systemd_generator_t)
-storage_raw_read_fixed_disk(systemd_generator_t)
+# write for systemd-zram-generator
+storage_raw_rw_fixed_disk(systemd_generator_t)
 storage_raw_read_removable_device(systemd_generator_t)
 # needed to resolve hostnames for NFS mounts
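Review bot: `storage_raw_rw_fixed_disk(systemd_generator_t)` in the third hunk gives every generator that runs in systemd_generator_t raw write access to fixed disks, not only systemd-zram-generator, and the first hunk likewise adds `sys_resource` and `getcap` for all of them; because generators run as root at early boot, this turns a read-only raw-disk grant into a write grant for any buggy or tampered generator in that domain. If the project accepts a dedicated domain for the zram generator, that keeps the write access confined; otherwise the comment should make the shared scope explicit, e.g. `# write for systemd-zram-generator (shared domain: every generator inherits this)`. The `dev_create_sysfs_files` and `dev_write_sysfs` lines in the second hunk presumably set up the zram device through sysfs and would benefit from the same one-line reason.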
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
commit: 5979688e9262dcd53700afcc47f3a053d906ec3b Author: Kenton Groombridge concord sh> AuthorDate: Mon Mar 6 18:23:11 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Mar 31 17:11:32 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5979688e logging, systemd: allow relabelfrom,relabelto on systemd journal files by systemd-journald journald's journal-offline will relabel log files. It should be noted however that this happens even if the files already have the correct label. avc: granted { relabelfrom } for pid=11440 comm="journal-offline" name=".#system 97c1c6b7d7ed4333b671d09d9deee851-003d4f26-0005f63f0972fd4c.journalb23e70204ab1737e" dev="dm-0" ino=418415 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=0 avc: granted { relabelto } for pid=11440 comm="journal-offline" name=".#system 97c1c6b7d7ed4333b671d09d9deee851-003d4f26-0005f63f0972fd4c.journalb23e70204ab1737e" dev="dm-0" ino=418415 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=0 Signed-off-by: Kenton Groombridge concord.sh> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/system/logging.te | 2 ++ policy/modules/system/systemd.if | 18 ++ 2 files changed, 20 insertions(+)
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index aa436b639..227dc6776 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -566,6 +566,8 @@ ifdef(`init_systemd',`
 systemd_manage_journal_files(syslogd_t)
 systemd_watch_journal_dirs(syslogd_t)
+ systemd_relabelfrom_journal_files(syslogd_t)
+ systemd_relabelto_journal_files(syslogd_t)
 udev_read_runtime_files(syslogd_t)
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index a903282f0..77a59c662 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if 
@@ -1775,6 +1775,24 @@ interface(`systemd_watch_journal_dirs',`
 allow $1 systemd_journal_t:dir watch;
 ')
+
+##
+## Relabel from systemd-journald file type.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`systemd_relabelfrom_journal_files',`
+ gen_require(`
+ type systemd_journal_t;
+ ')
+
+ allow $1 systemd_journal_t:file relabelfrom_file_perms;
+')
+
 ##
 ## Relabel to systemd-journald directory type.
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
commit: 79c09b22f530dd92c44143533fb87991a3417169 Author: Kenton Groombridge concord sh> AuthorDate: Mon Mar 6 16:23:23 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Mar 31 17:11:32 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=79c09b22 init: allow initrc_t to getcap Many AVCs are observed on a systemd system and various services. Signed-off-by: Kenton Groombridge concord.sh> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/system/init.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index a2b0693b6..87d62741e 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -699,7 +699,7 @@ optional_policy(`
 # Init script local policy
 #
-allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
+allow initrc_t self:process { getcap getpgid setsched setpgid setrlimit getsched };
 allow initrc_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_rawio sys_chroot sys_ptrace sys_pacct sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap };
 allow initrc_t self:capability2 { wake_alarm block_suspend };
 dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
commit: 8fa021ce9d6739f69b2b35b1de05faacf38cab8e Author: Kenton Groombridge concord sh> AuthorDate: Mon Mar 6 16:22:38 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Mar 31 17:11:32 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8fa021ce systemd: allow systemd-userdbd to getcap Signed-off-by: Kenton Groombridge concord.sh> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/system/systemd.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index db594e615..778052cde 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1905,7 +1905,7 @@ seutil_libselinux_linked(systemd_user_session_type)
 #
 allow systemd_userdbd_t self:capability { dac_read_search sys_resource };
-allow systemd_userdbd_t self:process signal;
+allow systemd_userdbd_t self:process { getcap signal };
 allow systemd_userdbd_t self:unix_stream_socket create_stream_socket_perms;
 stream_connect_pattern(systemd_userdbd_t, systemd_homed_runtime_t, systemd_homed_runtime_t, systemd_homed_t)
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/
commit: 70226d790395660a9e086b8c0eeec28acf2c7e3b Author: Kenton Groombridge concord sh> AuthorDate: Mon Mar 6 18:18:41 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Mar 31 17:11:32 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=70226d79 fs, udev: allow systemd-udevd various cgroup perms Needed for systemd-udevd to create files under /sys/fs/cgroup/system.slice/systemd-udevd.service/udev Signed-off-by: Kenton Groombridge concord.sh> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/kernel/filesystem.if | 40 - policy/modules/system/udev.te | 6 +- 2 files changed, 44 insertions(+), 2 deletions(-)
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index af2023e62..a1282cf40 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -798,7 +798,6 @@ interface(`fs_getattr_cgroup',`
 interface(`fs_search_cgroup_dirs',`
 gen_require(`
 type cgroup_t;
-
 ')
 search_dirs_pattern($1, cgroup_t, cgroup_t)
@@ -843,6 +842,25 @@ interface(`fs_ioctl_cgroup_dirs', `
 dev_search_sysfs($1)
 ')
+
+##
+## Create cgroup directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_create_cgroup_dirs',`
+ gen_require(`
+ type cgroup_t;
+ ')
+
+ create_dirs_pattern($1, cgroup_t, cgroup_t)
+ dev_search_sysfs($1)
+')
+
 ##
 ## Delete cgroup directories.
@@ -941,6 +959,26 @@ interface(`fs_read_cgroup_files',`
 dev_search_sysfs($1)
 ')
+
+##
+## Create cgroup files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_create_cgroup_files',`
+ gen_require(`
+ type cgroup_t;
+
+ ')
+
+ create_files_pattern($1, cgroup_t, cgroup_t)
+ dev_search_sysfs($1)
+')
+
 ##
 ## Watch cgroup files.
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 56cfa2fb8..2fae88354 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te 
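Review bot: The new `fs_create_cgroup_files` interface in the third hunk appears to carry a blank line inside its `gen_require` block (`+ type cgroup_t;` followed by an empty added line before `+ ')`), which is the same stray line the first hunk removes from `fs_search_cgroup_dirs`; the whitespace in this view is collapsed, so please confirm against the file, and drop the empty line so the three cgroup interfaces match. `fs_create_cgroup_dirs` in the second hunk is clean. The line counts (+26 against +25 for the otherwise identical sibling) are what point at the extra line.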
@@ -261,7 +261,11 @@ ifdef(`distro_redhat',`
 ifdef(`init_systemd',`
 files_search_kernel_modules(udev_t)
- fs_read_cgroup_files(udev_t)
+ # systemd-udev creates cgroup files under
+ # /sys/fs/cgroup/system.slice/systemd-udevd.service/udev
+ fs_create_cgroup_dirs(udev_t)
+ fs_create_cgroup_files(udev_t)
+ fs_rw_cgroup_files(udev_t)
 init_dgram_send(udev_t)
 init_get_generic_units_status(udev_t)
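Review bot: `fs_rw_cgroup_files(udev_t)` grants read and write on every cgroup_t file, so udev_t may write control files such as cgroup.procs in any unit's cgroup, not only under the /sys/fs/cgroup/system.slice/systemd-udevd.service/udev path the new comment names; type granularity cannot express the subtree, so the comment should say the rule is wider than the need, e.g. `# (rw on all cgroup_t files: the udev subtree cannot be expressed in policy)`. Replacing `fs_read_cgroup_files` is fine, since the rw interface covers read. The enclosing `ifdef(`init_systemd',`` block begins and ends outside the hunk.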
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
commit: f51734fce8fa91c19540d6da00ffd33fdb4a8327 Author: Kenton Groombridge concord sh> AuthorDate: Mon Mar 6 15:40:53 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Mar 31 17:11:32 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f51734fc logging: allow systemd-journald to list cgroups Signed-off-by: Kenton Groombridge concord.sh> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/system/logging.te | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 69b7aa41f..aa436b639 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -548,6 +548,8 @@ ifdef(`init_systemd',`
 domain_getattr_all_domains(syslogd_t)
 domain_read_all_domains_state(syslogd_t)
+ fs_list_cgroup_dirs(syslogd_t)
+
 init_create_runtime_dirs(syslogd_t)
 init_daemon_runtime_file(syslogd_runtime_t, dir, "syslogd")
 init_getattr(syslogd_t)
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
commit: 940f87312855109a81014f446bd89c332fb3a883 Author: Kenton Groombridge concord sh> AuthorDate: Sun Mar 5 23:03:34 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Mar 31 17:11:22 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=940f8731 zfs: add runtime filetrans for dirs Needed by zfs recv. Signed-off-by: Kenton Groombridge concord.sh> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/services/zfs.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/services/zfs.te b/policy/modules/services/zfs.te
index bba787136..ed1ae77ba 100644
--- a/policy/modules/services/zfs.te
+++ b/policy/modules/services/zfs.te
@@ -85,7 +85,7 @@ read_files_pattern(zfs_t, zfs_config_t, zfs_config_t)
 read_lnk_files_pattern(zfs_t, zfs_config_t, zfs_config_t)
 manage_files_pattern(zfs_t, zfs_runtime_t, zfs_runtime_t)
-files_runtime_filetrans(zfs_t, zfs_runtime_t, file)
+files_runtime_filetrans(zfs_t, zfs_runtime_t, { dir file })
 # to execute scripts in /usr/libexec/zfs
 corecmd_exec_bin(zfs_t)