[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

2024-05-14 Thread Kenton Groombridge
commit: ef89017d69182a71eb3cd46369ba5bb079f6f165
Author: Grzegorz Filo  wp  pl>
AuthorDate: Thu Apr  4 18:09:08 2024 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Tue May 14 17:43:11 2024 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ef89017d

remove unnecessary code

Signed-off-by: Grzegorz Filo  wp.pl>
Closes: https://github.com/gentoo/hardened-refpolicy/pull/2
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/admin/bootloader.te | 5 -
 policy/modules/admin/portage.te| 1 -
 2 files changed, 6 deletions(-)

diff --git a/policy/modules/admin/bootloader.te 
b/policy/modules/admin/bootloader.te
index 81748a5f3..5a7e1cd4d 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -263,8 +263,3 @@ optional_policy(`
 optional_policy(`
rpm_rw_pipes(bootloader_t)
 ')
-
-ifdef(`distro_gentoo',`
-   # Fix bug #537652 - grub2-mkconfig has search rights needed on current 
dir (usually user home dir)
-   userdom_search_user_home_dirs(bootloader_t)
-')
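Review bot: The commit message gives no reason why `userdom_search_user_home_dirs(bootloader_t)` is no longer needed, while the block being removed documents a concrete regression (bug #537652: grub2-mkconfig needs search on the current directory when invoked from a user's home directory). Either state in the message that the grub2-mkconfig behaviour was fixed or that the access is now granted elsewhere, or keep the rule; otherwise an admin running grub-mkconfig from their home directory will see that denial return. Nothing else in this excerpt shows bootloader_t having home-directory search through another path, so the claim of redundancy cannot be verified from the diff alone.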

diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
index 2cd5d0482..c42552651 100644
--- a/policy/modules/admin/portage.te
+++ b/policy/modules/admin/portage.te
@@ -173,7 +173,6 @@ allow portage_t self:process { setfscreate };
 # - kill for mysql merging, at least
 allow portage_t self:capability { kill setfcap sys_nice };
 allow portage_t self:netlink_route_socket create_netlink_socket_perms;
-dontaudit portage_t self:capability { dac_read_search };
 
 # user post-sync scripts
 can_exec(portage_t, portage_conf_t)
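Review bot: Dropping `dontaudit portage_t self:capability { dac_read_search };` changes logging, not access: if portage_t ever trips the dac_read_search check it will now be audited rather than silently denied. The visible capability set for portage_t is `{ kill setfcap sys_nice }`, with neither dac_override nor dac_read_search, so it is not obvious from the diff why the check can no longer fire; a one-line justification in the message (or in a comment where the dontaudit was) would let the next reader confirm this without re-running a permissive build.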



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/, policy/modules/kernel/

2024-05-14 Thread Kenton Groombridge
commit: da28221423dba9c102a06afb6c7eac7cd2d0117a
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Mon May  6 20:31:46 2024 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Tue May 14 17:41:44 2024 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=da282214

bootloader: allow systemd-boot to manage EFI binaries

systemd-boot's bootctl utility is used to install and update its EFI
binaries in the EFI partition. If it is mounted with boot_t, bootctl
needs to be able to manage boot_t files.

Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/admin/bootloader.te |  4 
 policy/modules/kernel/files.if | 19 +++
 2 files changed, 23 insertions(+)

diff --git a/policy/modules/admin/bootloader.te 
b/policy/modules/admin/bootloader.te
index 294ce7e0c..81748a5f3 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -225,6 +225,10 @@ ifdef(`init_systemd',`
fs_getattr_cgroup(bootloader_t)
init_read_state(bootloader_t)
init_rw_inherited_stream_socket(bootloader_t)
+
+   # for systemd-boot-update to manage EFI binaries
+   domain_obj_id_change_exemption(bootloader_t)
+   files_mmap_read_boot_files(bootloader_t)
 ')
 
 optional_policy(`
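Review bot: The rules added here do not match the stated goal. The message says bootctl must be able to manage boot_t files, but the hunk only adds `files_mmap_read_boot_files(bootloader_t)` (read plus map) and `domain_obj_id_change_exemption(bootloader_t)`; no write, create or unlink access on boot_t appears in this diff, so either bootloader_t already manages boot_t elsewhere in the module (then say so in the comment) or the change is incomplete. The obj_id change exemption also needs its own comment: it lifts the constraint on changing a file's SELinux user identity, which is a broad grant for a domain whose job is copying EFI binaries. State which bootctl operation trips the constraint (the diff does not say; the usual cause is the target file's user identity differing from the caller's) so the line is not copied into other domains without thought. Minor: the comment names systemd-boot-update while the message names bootctl; pick one.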

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index e0337d044..b9c451321 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -2590,6 +2590,25 @@ interface(`files_read_boot_files',`
read_files_pattern($1, boot_t, boot_t)
 ')
 
+
+## 
+## Read and memory map files in the /boot directory.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+## 
+#
+interface(`files_mmap_read_boot_files',`
+   gen_require(`
+   type boot_t;
+   ')
+
+   mmap_read_files_pattern($1, boot_t, boot_t)
+')
+
 
 ## 
 ## Create, read, write, and delete files
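Review bot: Documentation point on the new interface: `mmap_read_files_pattern` grants mmap_read_file_perms, which already includes read_file_perms, so `files_mmap_read_boot_files` is a strict superset of the `files_read_boot_files` interface immediately above it. Say so in the summary ("Read and memory map files in /boot; implies files_read_boot_files") so callers do not stack both calls on the same domain.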



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/, policy/modules/services/, policy/modules/system/

2024-05-14 Thread Kenton Groombridge
commit: 89eef551684761379a5dd51221485b025d0014e5
Author: Chris PeBenito  linux  microsoft  com>
AuthorDate: Thu Feb 29 18:31:57 2024 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Tue May 14 17:40:59 2024 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=89eef551

xen: Drop xend/xm stack.

Xend/xm was replaced with xl in Xen 4.5 (Jan 2015).

https://xenproject.org/2015/01/15/less-is-more-in-the-new-xen-project-4-5-release/

Signed-off-by: Chris PeBenito  linux.microsoft.com>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/admin/brctl.te   |   1 -
 policy/modules/admin/consoletype.te |   2 -
 policy/modules/admin/sblim.te   |   1 -
 policy/modules/services/nscd.te |   1 -
 policy/modules/services/pegasus.te  |   1 -
 policy/modules/services/snmp.te |   1 -
 policy/modules/services/vhostmd.te  |   1 -
 policy/modules/services/virt.te |   8 +-
 policy/modules/system/hostname.te   |   1 -
 policy/modules/system/lvm.te|   1 -
 policy/modules/system/sysnetwork.te |   2 -
 policy/modules/system/xen.fc|  21 +--
 policy/modules/system/xen.if| 149 +++-
 policy/modules/system/xen.te| 272 
 14 files changed, 54 insertions(+), 408 deletions(-)

diff --git a/policy/modules/admin/brctl.te b/policy/modules/admin/brctl.te
index 7ce029c05..026b0002d 100644
--- a/policy/modules/admin/brctl.te
+++ b/policy/modules/admin/brctl.te
@@ -43,5 +43,4 @@ miscfiles_read_localization(brctl_t)
 
 optional_policy(`
xen_append_log(brctl_t)
-   xen_dontaudit_rw_unix_stream_sockets(brctl_t)
 ')

diff --git a/policy/modules/admin/consoletype.te 
b/policy/modules/admin/consoletype.te
index dda9e62ff..1989db82c 100644
--- a/policy/modules/admin/consoletype.te
+++ b/policy/modules/admin/consoletype.te
@@ -109,6 +109,4 @@ optional_policy(`
kernel_read_xen_state(consoletype_t)
kernel_write_xen_state(consoletype_t)
xen_append_log(consoletype_t)
-   xen_dontaudit_rw_unix_stream_sockets(consoletype_t)
-   xen_dontaudit_use_fds(consoletype_t)
 ')

diff --git a/policy/modules/admin/sblim.te b/policy/modules/admin/sblim.te
index 5e2978c5f..d9bab1a79 100644
--- a/policy/modules/admin/sblim.te
+++ b/policy/modules/admin/sblim.te
@@ -106,7 +106,6 @@ optional_policy(`
 ')
 
 optional_policy(`
-   xen_stream_connect(sblim_gatherd_t)
xen_stream_connect_xenstore(sblim_gatherd_t)
 ')
 

diff --git a/policy/modules/services/nscd.te b/policy/modules/services/nscd.te
index f63b75f4f..ffc60497c 100644
--- a/policy/modules/services/nscd.te
+++ b/policy/modules/services/nscd.te
@@ -132,6 +132,5 @@ optional_policy(`
 ')
 
 optional_policy(`
-   xen_dontaudit_rw_unix_stream_sockets(nscd_t)
xen_append_log(nscd_t)
 ')

diff --git a/policy/modules/services/pegasus.te 
b/policy/modules/services/pegasus.te
index a5aa3a285..e7287b49a 100644
--- a/policy/modules/services/pegasus.te
+++ b/policy/modules/services/pegasus.te
@@ -184,6 +184,5 @@ optional_policy(`
 ')
 
 optional_policy(`
-   xen_stream_connect(pegasus_t)
xen_stream_connect_xenstore(pegasus_t)
 ')

diff --git a/policy/modules/services/snmp.te b/policy/modules/services/snmp.te
index 846ab288a..b498e894b 100644
--- a/policy/modules/services/snmp.te
+++ b/policy/modules/services/snmp.te
@@ -167,6 +167,5 @@ optional_policy(`
kernel_read_xen_state(snmpd_t)
kernel_write_xen_state(snmpd_t)
 
-   xen_stream_connect(snmpd_t)
xen_stream_connect_xenstore(snmpd_t)
 ')

diff --git a/policy/modules/services/vhostmd.te 
b/policy/modules/services/vhostmd.te
index 94ee048d1..9a866deea 100644
--- a/policy/modules/services/vhostmd.te
+++ b/policy/modules/services/vhostmd.te
@@ -79,7 +79,6 @@ optional_policy(`
 
 optional_policy(`
xen_domtrans_xm(vhostmd_t)
-   xen_stream_connect(vhostmd_t)
xen_stream_connect_xenstore(vhostmd_t)
xen_stream_connect_xm(vhostmd_t)
 ')
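Review bot: vhostmd keeps `xen_domtrans_xm(vhostmd_t)` and `xen_stream_connect_xm(vhostmd_t)` even though the message says the xm stack is dropped, and the xen.te/xen.if changes that would show whether xm_t now stands for xl are not in this excerpt. The commit message should spell out that the `_xm` interfaces survive and what domain they now refer to; otherwise the retained calls read as leftovers that the next cleanup will remove.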

diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
index a6161d739..f0c4c2d65 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@@ -820,8 +820,8 @@ optional_policy(`
kernel_read_xen_state(virtd_t)
kernel_write_xen_state(virtd_t)
 
-   xen_exec(virtd_t)
-   xen_stream_connect(virtd_t)
+   xen_domtrans_xm(virtd_t)
+   xen_stream_connect_xm(virtd_t)
xen_stream_connect_xenstore(virtd_t)
xen_read_image_files(virtd_t)
 ')
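Review bot: Swapping `xen_exec(virtd_t)` / `xen_stream_connect(virtd_t)` for `xen_domtrans_xm(virtd_t)` / `xen_stream_connect_xm(virtd_t)` is a behaviour change, not just removal of dead policy: virtd moves from running the xen tools in its own domain to transitioning into xm_t. Call that out in the message, and confirm that whatever xm_t now labels (presumably the xl binary, given the reference to Xen 4.5) actually carries the file context, since the xen.fc hunk is not shown here.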
@@ -944,9 +944,9 @@ optional_policy(`
 optional_policy(`
xen_manage_image_dirs(virsh_t)
xen_append_log(virsh_t)
-   xen_domtrans(virsh_t)
+   xen_domtrans_xm(virsh_t)
xen_read_xenstored_runtime_files(virsh_t)
-   xen_stream_connect(virsh_t)
+   xen_stream_connect_xm(virsh_t)
xen_stream_connect_xenstore(virsh_t)
 ')
 
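Review bot: Same point for virsh_t: `xen_domtrans(virsh_t)` becomes `xen_domtrans_xm(virsh_t)` and the stream connect moves to the `_xm` variant, so both virtd_t and virsh_t are now routed through xm_t. The image-file access stays on the caller side (`xen_manage_image_dirs(virsh_t)` and `xen_read_xenstored_runtime_files(virsh_t)` are unchanged), which is fine, but the message should say that xm_t is the sole remaining tool domain so the role allow for virsh users can be checked against it.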

diff --git a/policy/modules/system/hostname.te 

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/, policy/modules/services/

2023-10-06 Thread Kenton Groombridge
commit: 3eefa3b065ed81f56fddfb12a372012ef5e2a336
Author: Russell Coker  coker  com  au>
AuthorDate: Mon Sep 25 15:01:12 2023 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Fri Oct  6 15:27:06 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3eefa3b0

small ntp and dns changes (#703)

* Small changes for ntp, bind, avahi, and dnsmasq

Signed-off-by: Russell Coker  coker.com.au>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/admin/dpkg.te   |  9 +
 policy/modules/services/avahi.te   |  4 
 policy/modules/services/bind.te|  7 +--
 policy/modules/services/dnsmasq.te |  4 
 policy/modules/services/ntp.fc |  1 +
 policy/modules/services/ntp.if | 19 +++
 6 files changed, 42 insertions(+), 2 deletions(-)

diff --git a/policy/modules/admin/dpkg.te b/policy/modules/admin/dpkg.te
index d6871de21..d4a56e5eb 100644
--- a/policy/modules/admin/dpkg.te
+++ b/policy/modules/admin/dpkg.te
@@ -350,8 +350,17 @@ optional_policy(`
nis_use_ypbind(dpkg_script_t)
 ')
 
+optional_policy(`
+   ntp_filetrans_drift(dpkg_script_t)
+')
+
+optional_policy(`
+   policykit_dbus_chat(dpkg_script_t)
+')
+
 optional_policy(`
systemd_read_logind_state(dpkg_script_t)
+   systemd_dbus_chat_hostnamed(dpkg_script_t)
systemd_dbus_chat_logind(dpkg_script_t)
systemd_run_sysusers(dpkg_script_t, dpkg_roles)
 ')
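Review bot: `policykit_dbus_chat(dpkg_script_t)` and `systemd_dbus_chat_hostnamed(dpkg_script_t)` are added without a comment naming the maintainer script that needs them. dpkg_script_t already runs arbitrary package scripts, so each new D-Bus peer widens what a hostile postinst can reach; record the reason beside the rule. Also note that `ntp_filetrans_drift` as defined in this commit carries no filename, so any directory dpkg_script_t creates directly under /var/lib without a more specific named transition will be typed ntp_drift_t, not only /var/lib/ntpsec; that is a problem for a domain that creates /var/lib/<package> directories routinely.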

diff --git a/policy/modules/services/avahi.te b/policy/modules/services/avahi.te
index 773d2b8ff..1094e39db 100644
--- a/policy/modules/services/avahi.te
+++ b/policy/modules/services/avahi.te
@@ -111,3 +111,7 @@ optional_policy(`
seutil_sigchld_newrole(avahi_t)
 ')
 
+optional_policy(`
+   unconfined_dbus_send(avahi_t)
+')
+
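Review bot: `unconfined_dbus_send(avahi_t)` is the only change to this file and has no comment; say which client or message prompts it (a reply to an unconfined caller, a signal?) so the grant can be narrowed later. Style: the hunk also adds a trailing blank line at end of file, which the rest of the tree does not do; drop the extra `+` line.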

diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te
index 1b3e674a1..0a08be452 100644
--- a/policy/modules/services/bind.te
+++ b/policy/modules/services/bind.te
@@ -213,9 +213,9 @@ optional_policy(`
 # NDC local policy
 #
 
-allow ndc_t self:capability { dac_override net_admin };
+allow ndc_t self:capability { dac_override dac_read_search net_admin };
 allow ndc_t self:capability2 block_suspend;
-allow ndc_t self:process signal_perms;
+allow ndc_t self:process { signal_perms getsched setsched };
 allow ndc_t self:fifo_file rw_fifo_file_perms;
 allow ndc_t self:unix_stream_socket { accept listen };
 
@@ -231,6 +231,9 @@ allow ndc_t named_zone_t:dir search_dir_perms;
 
 kernel_read_kernel_sysctls(ndc_t)
 kernel_read_system_state(ndc_t)
+kernel_read_vm_overcommit_sysctl(ndc_t)
+
+dev_read_sysfs(ndc_t)
 
 corenet_all_recvfrom_netlabel(ndc_t)
 corenet_tcp_sendrecv_generic_if(ndc_t)
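Review bot: `dev_read_sysfs(ndc_t)` opens all of sysfs to rndc, which is far wider than whatever single path it read; at minimum add a comment naming that path, and if it is one known file prefer a narrower dev_ interface. `kernel_read_vm_overcommit_sysctl(ndc_t)` is fine and self-explanatory.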

diff --git a/policy/modules/services/dnsmasq.te 
b/policy/modules/services/dnsmasq.te
index 6d1799ba8..2e492954d 100644
--- a/policy/modules/services/dnsmasq.te
+++ b/policy/modules/services/dnsmasq.te
@@ -108,6 +108,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+   # for the dnsmasq-usb0.leases file
+   networkmanager_manage_lib_files(dnsmasq_t)
+
+   networkmanager_read_etc_files(dnsmasq_t)
networkmanager_read_runtime_files(dnsmasq_t)
 ')
 
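Review bot: The comment says this is for the dnsmasq-usb0.leases file, but `networkmanager_manage_lib_files(dnsmasq_t)` lets dnsmasq create, write and delete every file NetworkManager keeps under its lib directory, not just lease files. A dedicated lease-file type with a named file transition from NetworkManager's lib directory would keep the writable set to the leases; if that is out of scope here, at least reword the comment so "usb0" reads as an example and the rule is understood to cover lease files for any interface.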

diff --git a/policy/modules/services/ntp.fc b/policy/modules/services/ntp.fc
index 4d014d196..4f19959e7 100644
--- a/policy/modules/services/ntp.fc
+++ b/policy/modules/services/ntp.fc
@@ -30,6 +30,7 @@
 
 /var/db/ntp-kod--  
gen_context(system_u:object_r:ntp_drift_t,s0)
 /var/lib/ntp(/.*)? 
gen_context(system_u:object_r:ntp_drift_t,s0)
+/var/lib/ntpsec(/.*)?  
gen_context(system_u:object_r:ntp_drift_t,s0)
 /var/lib/sntp-kod(/.*)?
gen_context(system_u:object_r:ntp_drift_t,s0)
 /var/lib/systemd/clock --  
gen_context(system_u:object_r:ntp_drift_t,s0)
 /var/lib/systemd/timesync(/.*)?
gen_context(system_u:object_r:ntp_drift_t,s0)

diff --git a/policy/modules/services/ntp.if b/policy/modules/services/ntp.if
index 4953e9f08..9df5d8d07 100644
--- a/policy/modules/services/ntp.if
+++ b/policy/modules/services/ntp.if
@@ -176,6 +176,25 @@ interface(`ntp_read_drift_files',`
read_files_pattern($1, ntp_drift_t, ntp_drift_t)
 ')
 
+
+## 
+## specified domain creates /var/lib/ntpsec/ with the correct type
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`ntp_filetrans_drift',`
+   gen_require(`
+   type ntp_drift_t;
+   ')
+
+   files_search_var_lib($1)
+   files_var_lib_filetrans($1, ntp_drift_t, dir)
+')
+
 
 ## 
 ## Read and write ntpd shared memory.
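Review bot: Logic problem in `ntp_filetrans_drift`: `files_var_lib_filetrans($1, ntp_drift_t, dir)` has no filename argument, so it is an unnamed type_transition and every directory $1 creates directly under /var/lib becomes ntp_drift_t, not only ntpsec. For dpkg_script_t, the caller added in this commit, that means any /var/lib/<package> directory a postinst creates. Pass the name, `files_var_lib_filetrans($1, ntp_drift_t, dir, "ntpsec")`, and reword the summary to describe the effect ("Create /var/lib/ntpsec with the ntp drift file type") rather than "specified domain creates ... with the correct type".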



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

2023-02-13 Thread Kenton Groombridge
commit: a54fe39b3f5462bb0bbb22cfe883c8d38dfe9168
Author: Corentin LABBE  gmail  com>
AuthorDate: Tue Jan 10 09:11:56 2023 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Mon Feb 13 15:23:57 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a54fe39b

portage: add new location for portage commands

Many portage command locations are missing; add them following the Gentoo SELinux repo.

Signed-off-by: Corentin LABBE  gmail.com>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/admin/portage.fc | 7 +++
 1 file changed, 7 insertions(+)

diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc
index 7cf6e7855..620ade57a 100644
--- a/policy/modules/admin/portage.fc
+++ b/policy/modules/admin/portage.fc
@@ -5,11 +5,17 @@
 /etc/portage/gpg(/.*)? gen_context(system_u:object_r:portage_gpg_t,s0)
 
 /usr/bin/emerge -- gen_context(system_u:object_r:portage_exec_t,s0)
+/usr/bin/emerge-webrsync   --  
gen_context(system_u:object_r:portage_fetch_exec_t,s0)
 /usr/bin/gcc-config--  
gen_context(system_u:object_r:gcc_config_exec_t,s0)
 /usr/bin/glsa-check--  gen_context(system_u:object_r:portage_exec_t,s0)
 /usr/bin/layman--  
gen_context(system_u:object_r:portage_fetch_exec_t,s0)
 /usr/bin/sandbox   --  gen_context(system_u:object_r:portage_exec_t,s0)
 
+/usr/lib/python-exec/python[0-9]\.[0-9]*/glsa-check--  
gen_context(system_u:object_r:portage_exec_t,s0)
+/usr/lib/python-exec/python[0-9]\.[0-9]*/layman--  
gen_context(system_u:object_r:portage_fetch_exec_t,s0)
+/usr/lib/python-exec/python[0-9]\.[0-9]*/emaint--  
gen_context(system_u:object_r:portage_exec_t,s0)
+/usr/lib/python-exec/python[0-9]\.[0-9]*/emerge--  
gen_context(system_u:object_r:portage_exec_t,s0)
+
 /usr/portage(/.*)? gen_context(system_u:object_r:portage_ebuild_t,s0)
 /usr/portage/distfiles/cvs-src(/.*)?   
gen_context(system_u:object_r:portage_srcrepo_t,s0)
 /usr/portage/distfiles/egit-src(/.*)?  
gen_context(system_u:object_r:portage_srcrepo_t,s0)
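Review bot: Style point at the python-exec block: .fc entries are kept sorted by path, so the four `/usr/lib/python-exec/python[0-9]\.[0-9]*/` lines should be ordered emaint, emerge, glsa-check, layman rather than glsa-check, layman, emaint, emerge. The types chosen match the /usr/bin entries above (glsa-check, emaint, emerge as portage_exec_t; layman as portage_fetch_exec_t), which is correct.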
@@ -31,6 +37,7 @@
 /var/log/emerge\.log.* --  gen_context(system_u:object_r:portage_log_t,s0)
 /var/log/emerge-fetch\.log --  
gen_context(system_u:object_r:portage_log_t,s0)
 /var/log/portage(/.*)? gen_context(system_u:object_r:portage_log_t,s0)
+/var/log/sandbox(/.*)? gen_context(system_u:object_r:portage_log_t,s0)
 /var/lib/layman(/.*)?  gen_context(system_u:object_r:portage_ebuild_t,s0)
 /var/lib/portage(/.*)? gen_context(system_u:object_r:portage_cache_t,s0)
 /var/tmp/binpkgs(/.*)? gen_context(system_u:object_r:portage_tmp_t,s0)



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

2023-02-13 Thread Kenton Groombridge
commit: 1c5e100deea50d51456ec8b55b3a84c11ef84e96
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Mon Feb 13 15:31:52 2023 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Mon Feb 13 15:34:51 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1c5e100d

portage: cleanup duplicated file contexts

Some file contexts were upstreamed from Gentoo's policy. Remove these
now duplicated lines.

Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/admin/portage.fc | 9 -
 1 file changed, 9 deletions(-)

diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc
index 4fc9c880a..a042aff8b 100644
--- a/policy/modules/admin/portage.fc
+++ b/policy/modules/admin/portage.fc
@@ -46,12 +46,3 @@
 /var/tmp/emerge-webrsync(/.*)? gen_context(system_u:object_r:portage_tmp_t,s0)
 /var/tmp/portage(/.*)? gen_context(system_u:object_r:portage_tmp_t,s0)
 /var/tmp/portage-pkg(/.*)? gen_context(system_u:object_r:portage_tmp_t,s0)
-
-ifdef(`distro_gentoo',`
-/usr/bin/emerge-webrsync   --  
gen_context(system_u:object_r:portage_fetch_exec_t,s0)
-/usr/lib/python-exec/python[0-9]\.[0-9]*/glsa-check--  
gen_context(system_u:object_r:portage_exec_t,s0)
-/usr/lib/python-exec/python[0-9]\.[0-9]*/layman--  
gen_context(system_u:object_r:portage_fetch_exec_t,s0)
-/usr/lib/python-exec/python[0-9]\.[0-9]*/emaint--  
gen_context(system_u:object_r:portage_exec_t,s0)
-/usr/lib/python-exec/python[0-9]\.[0-9]*/emerge--  
gen_context(system_u:object_r:portage_exec_t,s0)
-/var/log/sandbox(/.*)? 
gen_context(system_u:object_r:portage_log_t,s0)
-')
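Review bot: All six entries removed from the `distro_gentoo` block (emerge-webrsync, the four python-exec wrappers and /var/log/sandbox) have unconditional counterparts with the same types added in a54fe39b earlier on this page, so no contexts are lost. Worth a line in the message: those Gentoo-specific paths are now labeled on every distro build of this policy, which is the upstream behaviour being mirrored here.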



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

2023-02-13 Thread Kenton Groombridge
commit: 2cec96ddfb5cdb3f78f9a380ab06fa8fdc0478d2
Author: Corentin LABBE  gmail  com>
AuthorDate: Mon Jan  9 08:33:10 2023 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Mon Feb 13 15:19:58 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2cec96dd

usermanage: permit groupadd to read kernel sysctl

When using groupadd, I got some AVCs due to groupadd reading /proc/sys/kernel/cap_last_cap.

Signed-off-by: Corentin LABBE  gmail.com>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/admin/usermanage.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/admin/usermanage.te 
b/policy/modules/admin/usermanage.te
index b5d443dd4..fd2da2ffc 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -227,6 +227,8 @@ files_relabel_etc_files(groupadd_t)
 files_read_etc_runtime_files(groupadd_t)
 files_read_usr_symlinks(groupadd_t)
 
+kernel_read_kernel_sysctls(groupadd_t)
+
 # Execute /usr/bin/{passwd, chfn, chsh} and /usr/sbin/{useradd, vipw}.
 corecmd_exec_bin(groupadd_t)
 
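Review bot: `kernel_read_kernel_sysctls(groupadd_t)` grants read on all of /proc/sys/kernel to satisfy a single read of cap_last_cap. That is the usual answer if no finer interface exists, but put the reason in a comment next to the rule (`# reads /proc/sys/kernel/cap_last_cap`), since it currently lives only in the commit message. Style: kernel_ calls conventionally sit together above the files_ block rather than between the files_ calls and `corecmd_exec_bin(groupadd_t)`.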



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

2023-02-13 Thread Kenton Groombridge
commit: b541f2c178bdcafd132f99124f7e4e7fb18524c7
Author: Corentin LABBE  gmail  com>
AuthorDate: Tue Jan 10 09:00:41 2023 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Mon Feb 13 15:22:54 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b541f2c1

portage: Remove old binary location

/usr/lib/portage/bin is not used anymore

Signed-off-by: Corentin LABBE  gmail.com>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/admin/portage.fc | 7 ---
 1 file changed, 7 deletions(-)

diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc
index 6911cb48c..7cf6e7855 100644
--- a/policy/modules/admin/portage.fc
+++ b/policy/modules/admin/portage.fc
@@ -10,13 +10,6 @@
 /usr/bin/layman--  
gen_context(system_u:object_r:portage_fetch_exec_t,s0)
 /usr/bin/sandbox   --  gen_context(system_u:object_r:portage_exec_t,s0)
 
-/usr/lib/portage/bin/emerge--  
gen_context(system_u:object_r:portage_exec_t,s0)
-/usr/lib/portage/bin/emerge-webrsync   --  
gen_context(system_u:object_r:portage_fetch_exec_t,s0)
-/usr/lib/portage/bin/quickpkg  --  
gen_context(system_u:object_r:portage_exec_t,s0)
-/usr/lib/portage/bin/regenworld--  
gen_context(system_u:object_r:portage_exec_t,s0)
-/usr/lib/portage/bin/sandbox   --  
gen_context(system_u:object_r:portage_exec_t,s0)
-
-
 /usr/portage(/.*)? gen_context(system_u:object_r:portage_ebuild_t,s0)
 /usr/portage/distfiles/cvs-src(/.*)?   
gen_context(system_u:object_r:portage_srcrepo_t,s0)
 /usr/portage/distfiles/egit-src(/.*)?  
gen_context(system_u:object_r:portage_srcrepo_t,s0)
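Review bot: With these five entries gone, quickpkg and regenworld have no file context anywhere on this page: the /usr/bin additions in a54fe39b cover emerge, emerge-webrsync, glsa-check, layman and sandbox only. If quickpkg still ships under /usr/bin it needs an entry with portage_exec_t or it will run in the caller's domain; say in the message whether that is intended.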



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

2022-12-13 Thread Kenton Groombridge
commit: c13b9d0ad5d447db396972111c4534dbdb00e3d9
Author: Kenton Groombridge  concord  sh>
AuthorDate: Wed Dec  7 14:49:14 2022 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Tue Dec 13 19:07:31 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c13b9d0a

netutils: minor fixes for nmap and traceroute

Signed-off-by: Kenton Groombridge  concord.sh>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/admin/netutils.te | 5 +
 1 file changed, 5 insertions(+)

diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index 3f85d1a57..85c9a33d5 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -40,6 +40,8 @@ init_system_domain(traceroute_t, traceroute_exec_t)
 allow netutils_t self:capability { dac_read_search net_admin net_raw setgid 
setpcap setuid sys_chroot };
 dontaudit netutils_t self:capability { dac_override sys_tty_config };
 allow netutils_t self:process { getcap setcap signal_perms };
+# netlink_generic_socket for nmap.
+allow netutils_t self:netlink_generic_socket create_socket_perms;
 allow netutils_t self:netlink_route_socket create_netlink_socket_perms;
 allow netutils_t self:netlink_socket create_socket_perms;
 # For tcpdump.
@@ -73,6 +75,8 @@ fs_getattr_xattr_fs(netutils_t)
 
 domain_use_interactive_fds(netutils_t)
 
+kernel_dontaudit_getattr_proc(netutils_t)
+
 files_read_etc_files(netutils_t)
 # for nscd
 files_dontaudit_search_var(netutils_t)
@@ -177,6 +181,7 @@ userdom_use_inherited_user_terminals(ss_t)
 allow traceroute_t self:capability { net_admin net_raw setgid setuid };
 allow traceroute_t self:fifo_file rw_inherited_fifo_file_perms;
 allow traceroute_t self:process signal;
+allow traceroute_t self:netlink_generic_socket create_socket_perms;
 allow traceroute_t self:rawip_socket create_socket_perms;
 allow traceroute_t self:packet_socket { map create_socket_perms };
 allow traceroute_t self:udp_socket create_socket_perms;
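Review bot: `allow traceroute_t self:netlink_generic_socket create_socket_perms;` lacks the comment the netutils_t hunk gives for the same permission (`# netlink_generic_socket for nmap.`). Say which program labeled traceroute_exec_t needs generic netlink so the rule can be re-checked when the tool changes.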



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

2022-11-02 Thread Kenton Groombridge
commit: bd1a6b7906f6d0d7df6af70e91d8eb11a6fc8c7b
Author: Dave Sugar  gmail  com>
AuthorDate: Mon Oct  3 20:54:41 2022 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Wed Nov  2 14:07:25 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=bd1a6b79

fapolicyd: fagenrules chgrp's the compiled.rules

node=localhost type=AVC msg=audit(1664829990.107:8051): avc:  denied  { chown } 
for  pid=3709 comm="chgrp" capability=0 
scontext=toor_u:sysadm_r:fagenrules_t:s0 
tcontext=sysadm_u:sysadm_r:fagenrules_t:s0 tclass=capability permissive=0

Signed-off-by: Dave Sugar  gmail.com>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/admin/fapolicyd.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/admin/fapolicyd.te 
b/policy/modules/admin/fapolicyd.te
index 9effdb04a..2e716c1aa 100644
--- a/policy/modules/admin/fapolicyd.te
+++ b/policy/modules/admin/fapolicyd.te
@@ -93,7 +93,7 @@ optional_policy(`
 # fagenrules local policy
 #
 
-allow fagenrules_t self:capability { fsetid kill };
+allow fagenrules_t self:capability { chown fsetid kill };
 allow fagenrules_t self:fifo_file rw_inherited_fifo_file_perms;
 
 
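Review bot: The AVC in the message shows chgrp running inside fagenrules_t, so `chown` on self is the right capability, but add a comment beside the rule (`# chgrp on compiled.rules`): a bare `chown` in a capability set reads as generic ownership changes, and nothing in the .te records that it is only needed to set the group of one file.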



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

2022-11-02 Thread Kenton Groombridge
commit: c735ad15b5bc4ebb73d3995c1c43a59d36fbd0d4
Author: Dave Sugar  gmail  com>
AuthorDate: Mon Oct  3 11:54:03 2022 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Wed Nov  2 14:07:23 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c735ad15

fix: issue #550 - compile failed when DIRECT_INITRC=y

Signed-off-by: Dave Sugar  gmail.com>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/admin/fapolicyd.if | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/policy/modules/admin/fapolicyd.if 
b/policy/modules/admin/fapolicyd.if
index aaa4c14eb..4ae2590ac 100644
--- a/policy/modules/admin/fapolicyd.if
+++ b/policy/modules/admin/fapolicyd.if
@@ -152,6 +152,8 @@ interface(`fapolicyd_admin',`
files_search_runtime($1)
admin_pattern($1, fapolicyd_runtime_t)
 
-   fapolicyd_run_fagenrules($1, $2)
+   ifndef(`direct_sysadm_daemon',`
+   fapolicyd_run_fagenrules($1, $2)
+   ')
fapolicyd_run_cli($1, $2)
 ')
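Review bot: The guard wraps only `fapolicyd_run_fagenrules($1, $2)` while `fapolicyd_run_cli($1, $2)` stays unconditional, and neither the hunk nor the message says why the two differ under direct_sysadm_daemon. Add a comment on the `ifndef` stating the cause (presumably fagenrules is already reachable for the admin role when direct_sysadm_daemon is set, so a second role/domtrans pairing conflicts); otherwise the asymmetry looks like an oversight and someone will "fix" it by wrapping both.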



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

2022-11-02 Thread Kenton Groombridge
commit: 922e518a0609288260db0a8207b9e3a81dbff89f
Author: Chris PeBenito  linux  microsoft  com>
AuthorDate: Tue Sep 20 13:52:11 2022 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Wed Nov  2 14:06:52 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=922e518a

fapolicyd: Fix selint issue.

Signed-off-by: Chris PeBenito  linux.microsoft.com>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/admin/fapolicyd.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/admin/fapolicyd.te 
b/policy/modules/admin/fapolicyd.te
index 35e475340..9effdb04a 100644
--- a/policy/modules/admin/fapolicyd.te
+++ b/policy/modules/admin/fapolicyd.te
@@ -103,7 +103,7 @@ ps_process_pattern(fagenrules_t, fapolicyd_t)
 
 # /sbin/fagenrules copies compiled rules into /etc/faplicyd then calls 
restorecon
 # on new /etc/fapolicy/compiled.rules
-allow fagenrules_t fapolicyd_compiled_rules_t:file { relabelfrom relabelto };
+allow fagenrules_t fapolicyd_compiled_rules_t:file relabel_file_perms;
 filetrans_pattern(fagenrules_t, fapolicyd_config_t, 
fapolicyd_compiled_rules_t, file)
 manage_files_pattern(fagenrules_t, fapolicyd_config_t, 
fapolicyd_compiled_rules_t)
 
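Review bot: `relabel_file_perms` is { getattr relabelfrom relabelto }, so this swap also adds getattr on fapolicyd_compiled_rules_t:file beyond silencing selint; harmless and probably needed by restorecon, but say so in the message. While touching this block, the comment above misspells the paths: "/etc/faplicyd" and "/etc/fapolicy/compiled.rules" should both be /etc/fapolicyd.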



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

2022-09-03 Thread Kenton Groombridge
commit: 7d41f1b7b4f4d675b62835be6d2416eb2368a1a1
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Tue Apr 19 22:53:44 2022 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Sat Sep  3 20:04:23 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7d41f1b7

portage: allow portage to map ebuild files

When portage syncs a repo with git, git will mmap() ebuild files. Allow
portage to map ebuild files to fix permission denied errors on syncing.

Bug: https://bugs.gentoo.org/833017
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/admin/portage.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
index 86966705..e3a19574 100644
--- a/policy/modules/admin/portage.te
+++ b/policy/modules/admin/portage.te
@@ -200,6 +200,8 @@ domain_dontaudit_read_all_domains_state(portage_t)
 files_manage_all_files(portage_t)
 # eselect uses file, which mmap()s its db
 files_map_usr_files(portage_t)
+# portage executing git mmap()s ebuild files when syncing
+allow portage_t portage_ebuild_t:file map;
 
 selinux_get_fs_mount(portage_t)
 
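Review bot: `files_manage_all_files(portage_t)` two lines above already covers reading portage_ebuild_t files, and manage_file_perms does not include `map`, so the single `map` permission is the minimal addition. One caveat for the comment: git's mmap targets are the pack and index files under the repository's .git directory rather than the ebuilds themselves; they are portage_ebuild_t only because of the `/usr/portage(/.*)?` and `/var/lib/layman(/.*)?` patterns, so repositories kept elsewhere (for example a location not listed in portage.fc) must be labeled too or the same denial returns.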



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

2022-09-03 Thread Jason Zaman
commit: 7e3534c4597019c27f590644345ee64d3b45ceb0
Author: Dave Sugar  gmail  com>
AuthorDate: Thu Aug 25 01:56:56 2022 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Sep  3 19:07:50 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7e3534c4

usbguard: Allow to read fips_enabled sysctl

node=localhost type=AVC msg=audit(1661391275.238:339): avc:  denied  { search } 
for  pid=1031 comm="usbguard-daemon" name="crypto" dev="proc" ino=20463 
scontext=system_u:system_r:usbguard_t:s0 
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1661391275.238:339): avc:  denied  { read } 
for  pid=1031 comm="usbguard-daemon" name="fips_enabled" dev="proc" ino=20464 
scontext=system_u:system_r:usbguard_t:s0 
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1661391275.238:339): avc:  denied  { open } 
for  pid=1031 comm="usbguard-daemon" path="/proc/sys/crypto/fips_enabled" 
dev="proc" ino=20464 scontext=system_u:system_r:usbguard_t:s0 
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1661391275.238:340): avc:  denied  { getattr 
} for  pid=1031 comm="usbguard-daemon" path="/proc/sys/crypto/fips_enabled" 
dev="proc" ino=20464 scontext=system_u:system_r:usbguard_t:s0 
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar  gmail.com>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/admin/usbguard.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/admin/usbguard.te b/policy/modules/admin/usbguard.te
index 26d9028b..4e8be854 100644
--- a/policy/modules/admin/usbguard.te
+++ b/policy/modules/admin/usbguard.te
@@ -65,6 +65,7 @@ setattr_files_pattern(usbguard_t, usbguard_log_t, 
usbguard_log_t)
 
 dev_rw_sysfs(usbguard_t)
 
+kernel_read_crypto_sysctls(usbguard_t)
 kernel_read_kernel_sysctls(usbguard_t)
 kernel_dontaudit_getattr_proc(usbguard_t)
 
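Review bot: The four AVCs (dir search, then file read/open/getattr on sysctl_crypto_t) are all covered by `kernel_read_crypto_sysctls`, the existing interface for /proc/sys/crypto, and the placement keeps the kernel_ calls sorted. A short comment (`# fips_enabled`) would tie the rule to its reason, since usbguard reads exactly one file there.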



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

2022-03-30 Thread Jason Zaman
commit: 1308dbe2fce172abaee054dbeaa489cb0ca60a94
Author: Kenton Groombridge  concord  sh>
AuthorDate: Wed Nov 10 17:14:46 2021 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Thu Mar 31 02:40:53 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1308dbe2

sudo: fixes for polyinstantiation

PAM can be configured to allow sudo to unmount/remount private tmp
directories when invoked. Allow this access if enabled.

Signed-off-by: Kenton Groombridge  concord.sh>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/admin/sudo.if | 6 ++
 1 file changed, 6 insertions(+)

diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
index d4249ec0..fb2c8333 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -145,6 +145,12 @@ template(`sudo_role_template',`
userdom_dontaudit_search_user_home_content($1_sudo_t)
userdom_dontaudit_search_user_home_dirs($1_sudo_t)
 
+   tunable_policy(`allow_polyinstantiation',`
+   allow $1_sudo_t self:capability sys_admin;
+   fs_mount_xattr_fs($1_sudo_t)
+   fs_unmount_xattr_fs($1_sudo_t)
+   ')
+
tunable_policy(`sudo_allow_user_exec_domains',`
allow $1_sudo_t $3:key search;
 
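Review bot: `allow $1_sudo_t self:capability sys_admin;` is the heaviest grant on this page: mount(2) does require CAP_SYS_ADMIN, but the capability also unlocks a long list of unrelated operations, and it goes to every sudo role domain whenever allow_polyinstantiation is on. Two things to verify and record in a comment: that the pam_namespace mount/unmount is the only reason (so the tunable stays the sole gate), and that `fs_mount_xattr_fs` / `fs_unmount_xattr_fs` actually match the mount target. If /tmp is a tmpfs the bind mount lands on tmpfs_t, which these interfaces do not cover, so `fs_mount_tmpfs` / `fs_unmount_tmpfs` would be needed as well.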



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

2022-02-26 Thread Jason Zaman
commit: 300f017b1807980f57f1578f8ac1ffdf49a4285e
Author: Chris PeBenito  ieee  org>
AuthorDate: Fri Feb 18 18:25:04 2022 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Feb 27 02:13:17 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=300f017b

puppet: Style fixes.

Signed-off-by: Chris PeBenito  ieee.org>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/admin/puppet.fc |  1 +
 policy/modules/admin/puppet.te | 14 +++---
 2 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/policy/modules/admin/puppet.fc b/policy/modules/admin/puppet.fc
index 001f21fe..42f3b7b2 100644
--- a/policy/modules/admin/puppet.fc
+++ b/policy/modules/admin/puppet.fc
@@ -12,6 +12,7 @@
 /usr/sbin/puppetmasterd--  
gen_context(system_u:object_r:puppetmaster_exec_t,s0)
 
 /var/cache/puppet(/.*)?gen_context(system_u:object_r:puppet_cache_t,s0)
+
 /var/lib/puppet(/.*)?  gen_context(system_u:object_r:puppet_var_lib_t,s0)
 
 /var/log/puppet(/.*)?  gen_context(system_u:object_r:puppet_log_t,s0)

diff --git a/policy/modules/admin/puppet.te b/policy/modules/admin/puppet.te
index 7ef5ab83..9e312a17 100644
--- a/policy/modules/admin/puppet.te
+++ b/policy/modules/admin/puppet.te
@@ -20,6 +20,9 @@ type puppet_t;
 type puppet_exec_t;
 init_daemon_domain(puppet_t, puppet_exec_t)
 
+type puppet_cache_t;
+files_type(puppet_cache_t)
+
 type puppet_etc_t;
 files_config_file(puppet_etc_t)
 
@@ -36,9 +39,6 @@ init_daemon_runtime_file(puppet_runtime_t, dir, "puppet")
 type puppet_tmp_t;
 files_tmp_file(puppet_tmp_t)
 
-type puppet_cache_t;
-files_type(puppet_cache_t)
-
 type puppet_var_lib_t;
 files_type(puppet_var_lib_t)
 
@@ -73,10 +73,6 @@ allow puppet_t puppet_etc_t:dir list_dir_perms;
 allow puppet_t puppet_etc_t:file read_file_perms;
 allow puppet_t puppet_etc_t:lnk_file read_lnk_file_perms;
 
-manage_dirs_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
-manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
-can_exec(puppet_t, puppet_var_lib_t)
-
 manage_dirs_pattern(puppet_t, puppet_cache_t, puppet_cache_t)
 manage_files_pattern(puppet_t, puppet_cache_t, puppet_cache_t)
 
@@ -84,6 +80,10 @@ setattr_dirs_pattern(puppet_t, puppet_runtime_t, 
puppet_runtime_t)
 manage_files_pattern(puppet_t, puppet_runtime_t, puppet_runtime_t)
 files_runtime_filetrans(puppet_t, puppet_runtime_t, { file dir })
 
+manage_dirs_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
+manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
+can_exec(puppet_t, puppet_var_lib_t)
+
 allow puppet_t puppet_log_t:dir { create_dir_perms setattr_dir_perms };
 append_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
 create_files_pattern(puppet_t, puppet_log_t, puppet_log_t)



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

2022-02-26 Thread Jason Zaman
commit: 4b1f697b6a9ee59734e0cdf1067cc6d57a3b0799
Author: Russell Coker  coker  com  au>
AuthorDate: Thu Feb 17 14:45:38 2022 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Feb 27 02:13:17 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4b1f697b

puppet V3

Removed the entrypoint stuff that was controversial, the rest should be fine.

I think it's ready to merge.

Signed-off-by: Russell Coker  coker.com.au>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/admin/puppet.fc | 1 +
 policy/modules/admin/puppet.te | 9 +++--
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/policy/modules/admin/puppet.fc b/policy/modules/admin/puppet.fc
index f45bdc6a..001f21fe 100644
--- a/policy/modules/admin/puppet.fc
+++ b/policy/modules/admin/puppet.fc
@@ -11,6 +11,7 @@
 /usr/sbin/puppetd  --  gen_context(system_u:object_r:puppet_exec_t,s0)
 /usr/sbin/puppetmasterd--  
gen_context(system_u:object_r:puppetmaster_exec_t,s0)
 
+/var/cache/puppet(/.*)?gen_context(system_u:object_r:puppet_cache_t,s0)
 /var/lib/puppet(/.*)?  gen_context(system_u:object_r:puppet_var_lib_t,s0)
 
 /var/log/puppet(/.*)?  gen_context(system_u:object_r:puppet_log_t,s0)

diff --git a/policy/modules/admin/puppet.te b/policy/modules/admin/puppet.te
index 3d5a832b..7ef5ab83 100644
--- a/policy/modules/admin/puppet.te
+++ b/policy/modules/admin/puppet.te
@@ -36,6 +36,9 @@ init_daemon_runtime_file(puppet_runtime_t, dir, "puppet")
 type puppet_tmp_t;
 files_tmp_file(puppet_tmp_t)
 
+type puppet_cache_t;
+files_type(puppet_cache_t)
+
 type puppet_var_lib_t;
 files_type(puppet_var_lib_t)
 
@@ -74,6 +77,9 @@ manage_dirs_pattern(puppet_t, puppet_var_lib_t, 
puppet_var_lib_t)
 manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
 can_exec(puppet_t, puppet_var_lib_t)
 
+manage_dirs_pattern(puppet_t, puppet_cache_t, puppet_cache_t)
+manage_files_pattern(puppet_t, puppet_cache_t, puppet_cache_t)
+
 setattr_dirs_pattern(puppet_t, puppet_runtime_t, puppet_runtime_t)
 manage_files_pattern(puppet_t, puppet_runtime_t, puppet_runtime_t)
 files_runtime_filetrans(puppet_t, puppet_runtime_t, { file dir })
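Review bot: the added puppet_cache_t rules grant manage on its dirs and files but add no file transition from the parent /var directory, so a /var/cache/puppet created by puppet_t at runtime would not get the puppet_cache_t label until a relabel runs; consider `files_var_filetrans(puppet_t, puppet_cache_t, dir, "puppet")` beside the two manage rules, mirroring the files_runtime_filetrans call used for puppet_runtime_t in the same hunk.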
@@ -182,8 +188,6 @@ optional_policy(`
 ')
 
 optional_policy(`
-   files_rw_var_files(puppet_t)
-
rpm_domtrans(puppet_t)
rpm_manage_db(puppet_t)
rpm_manage_log(puppet_t)
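Review bot: the removal of `files_rw_var_files(puppet_t)` from the rpm optional_policy block is not mentioned in the commit message, which only talks about dropping the entrypoint rules; say why the rw access to generic var_t files is no longer needed (or where it moved), since a silent removal of an allow rule is hard to trace when a denial shows up later.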
@@ -267,6 +271,7 @@ allow puppetmaster_t puppet_etc_t:lnk_file 
read_lnk_file_perms;
 allow puppetmaster_t puppet_log_t:dir setattr_dir_perms;
 append_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
 create_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
+read_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
 setattr_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t)
 logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir })
 



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

2022-01-31 Thread Jason Zaman
commit: 545b803c06726d7b5f28a244b7ae4f9a92a353ef
Author: Jason Zaman  gentoo  org>
AuthorDate: Mon Jan 31 19:25:33 2022 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Mon Jan 31 19:25:33 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=545b803c

puppet: Update gentoo-specific tunable to fix selint error

Can use files_relabel_all_non_security_file_types instead of the
gen_require hack

Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/admin/puppet.te | 24 ++--
 1 file changed, 2 insertions(+), 22 deletions(-)

diff --git a/policy/modules/admin/puppet.te b/policy/modules/admin/puppet.te
index 8e7c20c3..3d5a832b 100644
--- a/policy/modules/admin/puppet.te
+++ b/policy/modules/admin/puppet.te
@@ -370,28 +370,8 @@ ifdef(`distro_gentoo',`
usermanage_domtrans_passwd(puppet_t)
 
tunable_policy(`puppet_manage_all_files',`
-   # We should use files_relabel_all_files here, but it calls
-   # seutil_relabelto_bin_policy which sets a "typeattribute type 
attr",
-   # which is not allowed within a tunable_policy.
-   # So, we duplicate the content of files_relabel_all_files 
except for
-   # the policy configuration stuff and hope users do that through 
Portage
-   
-   gen_require(` #selint-disable:S-001
-   attribute file_type;
-   attribute security_file_type;
-   type policy_config_t;
-   ')
-   
-   allow puppet_t { file_type -policy_config_t -security_file_type 
}:dir list_dir_perms;
-   relabel_dirs_pattern(puppet_t, { file_type -policy_config_t 
-security_file_type }, { file_type -policy_config_t -security_file_type })
-   relabel_files_pattern(puppet_t, { file_type -policy_config_t 
-security_file_type }, { file_type -policy_config_t -security_file_type })
-   relabel_lnk_files_pattern(puppet_t, { file_type 
-policy_config_t -security_file_type }, { file_type -policy_config_t 
-security_file_type })
-   relabel_fifo_files_pattern(puppet_t, { file_type 
-policy_config_t -security_file_type }, { file_type -policy_config_t 
-security_file_type })
-   relabel_sock_files_pattern(puppet_t, { file_type 
-policy_config_t -security_file_type }, { file_type -policy_config_t 
-security_file_type })
-   # this is only relabelfrom since there should be no
-   # device nodes with file types.
-   relabelfrom_blk_files_pattern(puppet_t, { file_type 
-policy_config_t -security_file_type }, { file_type -policy_config_t 
-security_file_type })
-   relabelfrom_chr_files_pattern(puppet_t, { file_type 
-policy_config_t -security_file_type }, { file_type -policy_config_t 
-security_file_type })
+   # Also allows relabelfrom blk and chr_files which are not in 
files_manage_non_auth_files
+   files_relabel_all_non_security_file_types(puppet_t)
')
 
optional_policy(`
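Review bot: the replacement comment "Also allows relabelfrom blk and chr_files which are not in files_manage_non_auth_files" compares against the wrong interface; the removed code documented itself as a copy of files_relabel_all_files, so the comment should name that interface and say what files_relabel_all_non_security_file_types adds or drops relative to it. Also confirm that policy_config_t carries the security_file_type attribute: the removed rules excluded it by name, while the new single call only excludes the attribute, so if policy_config_t is not marked as a security file this change widens puppet_t's relabel rights to the policy store.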



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

2022-01-31 Thread Jason Zaman
commit: 943fe93787010a8bded9d75728cc3ab097ef3aeb
Author: Jonathan Davies  protonmail  com>
AuthorDate: Thu Jan 27 19:48:57 2022 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Mon Jan 31 17:55:20 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=943fe937

portage.te: Allow gcc_config_t to manage portage_tmp_t

Allows /etc/env.d/04gcc-x86_64-gentoo-linux-musl to be correctly generated.

Closes: https://github.com/perfinion/hardened-refpolicy/pull/26
Signed-off-by: Jonathan Davies  protonmail.com>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/admin/portage.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
index cd66e6e7..9abbdc37 100644
--- a/policy/modules/admin/portage.te
+++ b/policy/modules/admin/portage.te
@@ -435,6 +435,9 @@ gen_tunable(portage_enable_test, false)
can_exec(gcc_config_t, gcc_config_tmp_t) # libffi support
files_tmp_filetrans(gcc_config_t, gcc_config_tmp_t, file)
 
+   allow gcc_config_t portage_tmp_t:dir manage_dir_perms;
+   allow gcc_config_t portage_tmp_t:file manage_file_perms;
+
files_manage_etc_runtime_files(gcc_config_t)
files_manage_etc_runtime_lnk_files(gcc_config_t)
 
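Review bot: the two new allow rules give gcc_config_t full manage rights on every portage_tmp_t dir and file, which is broader than the single env.d file the commit message names; if that breadth is intended, use the manage_dirs_pattern/manage_files_pattern macros for consistency with the surrounding file and add a one-line comment naming /etc/env.d/04gcc-* as the reason, so the rule can be narrowed later if the generator's behaviour changes.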



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

2021-11-21 Thread Jason Zaman
commit: 192f62919b5866ad4de5558b7a69f03f81ed4ad3
Author: Jason Zaman  gentoo  org>
AuthorDate: Sun Nov 21 23:12:40 2021 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Nov 21 23:14:49 2021 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=192f6291

portage: Allow sandbox to map /dev/zero

Bug: https://bugs.gentoo.org/738546
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/admin/portage.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
index 6cab80bd..1db76efe 100644
--- a/policy/modules/admin/portage.te
+++ b/policy/modules/admin/portage.te
@@ -511,6 +511,7 @@ gen_tunable(portage_enable_test, false)
dontaudit portage_sandbox_t self:capability sys_admin;
 
dev_getattr_xserver_misc_dev(portage_sandbox_t)
+   dev_rwx_zero(portage_sandbox_t)
 
kernel_read_vm_overcommit_sysctl(portage_sandbox_t)
 
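Review bot: dev_rwx_zero grants execute mapping of /dev/zero, which is more than the "map" the commit subject describes; if the sandbox only needs to mmap /dev/zero without PROT_EXEC, dev_rw_zero is the narrower interface, and if executable mapping really is required a comment stating why (the bug link alone does not say) would justify the broader grant next to the existing `dontaudit portage_sandbox_t self:capability sys_admin;`.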



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

2021-11-21 Thread Jason Zaman
commit: 1d839d4ab07f3bb2002f07cc397ef3e057472d23
Author: Jonathan Davies  protonmail  com>
AuthorDate: Sun Nov 21 09:41:18 2021 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Nov 21 19:21:13 2021 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1d839d4a

portage.te: Added corecmd_manage_bin_symlinks() for gcc_config_t.

Signed-off-by: Jonathan Davies  protonmail.com>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/admin/portage.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
index da0aecf0..9a6c6083 100644
--- a/policy/modules/admin/portage.te
+++ b/policy/modules/admin/portage.te
@@ -111,6 +111,7 @@ kernel_read_kernel_sysctls(gcc_config_t)
 corecmd_exec_shell(gcc_config_t)
 corecmd_exec_bin(gcc_config_t)
 corecmd_manage_bin_files(gcc_config_t)
+corecmd_manage_bin_symlinks(gcc_config_t)
 
 domain_use_interactive_fds(gcc_config_t)
 
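Review bot: the commit message gives no denial or use case for corecmd_manage_bin_symlinks(gcc_config_t); the preceding corecmd_manage_bin_files line makes the addition consistent, but the AVC or the gcc-config action that rewrites symlinks under the bin directories should be recorded in the message so the grant is traceable.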



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

2021-11-21 Thread Jason Zaman
commit: 9f82ed8fe322e0bfb84ec9991772faf1887d5f71
Author: Jonathan Davies  protonmail  com>
AuthorDate: Sun Nov 21 09:35:48 2021 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Nov 21 19:25:43 2021 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9f82ed8f

portage.te: Added libs_manage_lib_symlinks() for gcc_config_t.

Closes: https://github.com/perfinion/hardened-refpolicy/pull/20
Signed-off-by: Jonathan Davies  protonmail.com>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/admin/portage.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
index 9a6c6083..6cab80bd 100644
--- a/policy/modules/admin/portage.te
+++ b/policy/modules/admin/portage.te
@@ -132,6 +132,7 @@ libs_run_ldconfig(gcc_config_t, portage_roles)
 libs_manage_shared_libs(gcc_config_t)
 # gcc-config creates a temp dir for the libs
 libs_manage_lib_dirs(gcc_config_t)
+libs_manage_lib_symlinks(gcc_config_t)
 
 logging_send_syslog_msg(gcc_config_t)
 



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

2021-11-20 Thread Jason Zaman
commit: 5a876bd1d15b448dd0cf6fc86b0ce31dc730f8d0
Author: Kenton Groombridge  concord  sh>
AuthorDate: Sun Aug  8 21:35:23 2021 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Nov 20 22:58:24 2021 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5a876bd1

su: add tunable to control user exec domain access

Signed-off-by: Kenton Groombridge  concord.sh>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/admin/su.if | 40 
 policy/modules/admin/su.te | 10 ++
 2 files changed, 38 insertions(+), 12 deletions(-)

diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
index 2d0143d6..62a6cf9d 100644
--- a/policy/modules/admin/su.if
+++ b/policy/modules/admin/su.if
@@ -156,8 +156,6 @@ template(`su_role_template',`
domain_interactive_fd($1_su_t)
role $4 types $1_su_t;
 
-   allow $2 $1_su_t:process signal;
-
allow $1_su_t self:capability { audit_control audit_write chown 
dac_override fowner net_bind_service setgid setuid sys_nice sys_resource };
dontaudit $1_su_t self:capability { net_admin sys_tty_config };
allow $1_su_t self:process { setexec setsched setrlimit };
@@ -165,18 +163,8 @@ template(`su_role_template',`
allow $1_su_t self:netlink_audit_socket { nlmsg_relay 
create_netlink_socket_perms };
allow $1_su_t self:key { search write };
 
-   allow $1_su_t $2:key search;
-
-   # Transition from the user domain to this domain.
-   domtrans_pattern($2, su_exec_t, $1_su_t)
-
-   ps_process_pattern($2, $1_su_t)
-
# By default, revert to the calling domain when a shell is executed.
corecmd_shell_domtrans($1_su_t, $2)
-   allow $2 $1_su_t:fd use;
-   allow $2 $1_su_t:fifo_file rw_inherited_fifo_file_perms;
-   allow $2 $1_su_t:process sigchld;
 
kernel_read_system_state($1_su_t)
kernel_read_kernel_sysctls($1_su_t)
@@ -235,6 +223,34 @@ template(`su_role_template',`
auth_use_pam_systemd($1_su_t)
')
 
+   tunable_policy(`su_allow_user_exec_domains',`
+   allow $3 $1_su_t:process signal;
+
+   allow $1_su_t $3:key search;
+
+   # Transition from the user domain to this domain.
+   domtrans_pattern($3, su_exec_t, $1_su_t)
+
+   ps_process_pattern($3, $1_su_t)
+
+   allow $3 $1_su_t:fd use;
+   allow $3 $1_su_t:fifo_file rw_inherited_fifo_file_perms;
+   allow $3 $1_su_t:process sigchld;
+   ',`
+   allow $2 $1_su_t:process signal;
+
+   allow $1_su_t $2:key search;
+
+   # Transition from the user domain to this domain.
+   domtrans_pattern($2, su_exec_t, $1_su_t)
+
+   ps_process_pattern($2, $1_su_t)
+
+   allow $2 $1_su_t:fd use;
+   allow $2 $1_su_t:fifo_file rw_inherited_fifo_file_perms;
+   allow $2 $1_su_t:process sigchld;
+   ')
+
tunable_policy(`allow_polyinstantiation',`
fs_mount_xattr_fs($1_su_t)
fs_unmount_xattr_fs($1_su_t)
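Review bot: in the new su_allow_user_exec_domains block the else branch reproduces the removed rules for $2, but the true branch grants the transition, fd use, fifo and signal rules only to $3; if the user domain $2 is not itself a member of the $3 attribute, enabling the tunable silently removes the user domain's own ability to run su. Either document that $2 always carries the exec-domain attribute, or keep the $2 rules unconditional and place only the $3 rules inside the tunable.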

diff --git a/policy/modules/admin/su.te b/policy/modules/admin/su.te
index 295f31bd..479469c5 100644
--- a/policy/modules/admin/su.te
+++ b/policy/modules/admin/su.te
@@ -1,5 +1,15 @@
 policy_module(su, 1.16.0)
 
+## 
+## 
+## Determine whether the user application
+## exec domain attribute should be respected
+## for su access. If not enabled, only user
+## domains themselves may use su.
+## 
+## 
+gen_tunable(su_allow_user_exec_domains, false)
+
 
 #
 # Declarations



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

2021-11-20 Thread Jason Zaman
commit: a9b9720b82e797983be0c4af4a7fbfdfa9c7f8f1
Author: Kenton Groombridge  concord  sh>
AuthorDate: Fri Oct  8 20:02:50 2021 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Nov 20 22:58:24 2021 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a9b9720b

shutdown: add tunable to control user exec domain access

Signed-off-by: Kenton Groombridge  concord.sh>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/admin/shutdown.if | 16 +---
 policy/modules/admin/shutdown.te | 10 ++
 2 files changed, 23 insertions(+), 3 deletions(-)

diff --git a/policy/modules/admin/shutdown.if b/policy/modules/admin/shutdown.if
index 2a428398..3a86edeb 100644
--- a/policy/modules/admin/shutdown.if
+++ b/policy/modules/admin/shutdown.if
@@ -28,13 +28,23 @@
 #
 template(`shutdown_role',`
gen_require(`
+   attribute_role shutdown_roles;
type shutdown_t;
')
 
-   shutdown_run($3, $4)
+   roleattribute $4 shutdown_roles;
+
+   tunable_policy(`shutdown_allow_user_exec_domains',`
+   shutdown_domtrans($3)
 
-   allow $3 shutdown_t:process { ptrace signal_perms };
-   ps_process_pattern($3, shutdown_t)
+   allow $3 shutdown_t:process { ptrace signal_perms };
+   ps_process_pattern($3, shutdown_t)
+   ',`
+   shutdown_domtrans($2)
+
+   allow $2 shutdown_t:process { ptrace signal_perms };
+   ps_process_pattern($2, shutdown_t)
+   ')
 
optional_policy(`
systemd_user_app_status($1, shutdown_t)
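Review bot: the gen_require now pulls in `attribute_role shutdown_roles`, but the shutdown.te hunk in this commit only adds the tunable and does not declare that role attribute; confirm it already exists in shutdown.te, otherwise the template fails for every caller. Since `roleattribute $4 shutdown_roles;` now sits outside the tunable, the role gets shutdown_t regardless of the boolean, which is fine but worth a comment so nobody moves it inside later.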

diff --git a/policy/modules/admin/shutdown.te b/policy/modules/admin/shutdown.te
index cb8a6c6b..d3302a76 100644
--- a/policy/modules/admin/shutdown.te
+++ b/policy/modules/admin/shutdown.te
@@ -1,5 +1,15 @@
 policy_module(shutdown, 1.7.0)
 
+## 
+## 
+## Determine whether the user application exec
+## domain attribute should be respected for
+## shutdown access. If not enabled, only user
+## domains themselves may use shutdown.
+## 
+## 
+gen_tunable(shutdown_allow_user_exec_domains, false)
+
 
 #
 # Declarations



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/, policy/modules/roles/

2021-11-20 Thread Jason Zaman
commit: f8e43b61c56e5b79784c73c58548143056bee6b5
Author: Kenton Groombridge  concord  sh>
AuthorDate: Sun Aug  8 16:53:48 2021 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Nov 20 22:58:24 2021 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f8e43b61

shutdown, roles: use user exec domain attribute

Signed-off-by: Kenton Groombridge  concord.sh>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/admin/shutdown.if | 29 ++---
 policy/modules/roles/sysadm.te   |  2 +-
 2 files changed, 23 insertions(+), 8 deletions(-)

diff --git a/policy/modules/admin/shutdown.if b/policy/modules/admin/shutdown.if
index 05eb8c89..2a428398 100644
--- a/policy/modules/admin/shutdown.if
+++ b/policy/modules/admin/shutdown.if
@@ -4,26 +4,41 @@
 ## 
 ## Role access for shutdown.
 ## 
-## 
+## 
 ## 
-## Role allowed access.
+## The prefix of the user role (e.g., user
+## is the prefix for user_r).
 ## 
 ## 
-## 
+## 
 ## 
 ## User domain for the role.
 ## 
 ## 
+## 
+## 
+## User exec domain for execute and transition access.
+## 
+## 
+## 
+## 
+## Role allowed access
+## 
+## 
 #
-interface(`shutdown_role',`
+template(`shutdown_role',`
gen_require(`
type shutdown_t;
')
 
-   shutdown_run($2, $1)
+   shutdown_run($3, $4)
+
+   allow $3 shutdown_t:process { ptrace signal_perms };
+   ps_process_pattern($3, shutdown_t)
 
-   allow $2 shutdown_t:process { ptrace signal_perms };
-   ps_process_pattern($2, shutdown_t)
+   optional_policy(`
+   systemd_user_app_status($1, shutdown_t)
+   ')
 ')
 
 
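Review bot: turning shutdown_role from a two-argument interface into a four-argument template breaks every existing caller, and this commit updates only sysadm.te; any other role module that calls shutdown_role would expand with empty parameters, so the remaining callers need the same update. The summary line "Role access for shutdown." should also mention that the template now wires systemd_user_app_status for $1, since that is a new effect of calling it.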

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 7774ec0a..44b80516 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -959,7 +959,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-   shutdown_role(sysadm_r, sysadm_t)
+   shutdown_role(sysadm, sysadm_t, sysadm_application_exec_domain, 
sysadm_r)
 ')
 
 optional_policy(`



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

2021-11-20 Thread Jason Zaman
commit: c15fd881704f72bfba0381c433d090ece731374d
Author: Kenton Groombridge  concord  sh>
AuthorDate: Sun Aug  8 15:10:47 2021 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Nov 20 22:58:24 2021 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c15fd881

sudo: add tunable to control user exec domain access

The tunable 'sudo_allow_user_exec_domains' only allows user domains
themselves to use sudo if disabled (default), otherwise any domain with
the corresponding user exec domain attribute may use sudo.

Signed-off-by: Kenton Groombridge  concord.sh>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/admin/sudo.if | 37 ++---
 policy/modules/admin/sudo.te | 10 ++
 2 files changed, 36 insertions(+), 11 deletions(-)

diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
index 4e2d7830..bab07e31 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -73,20 +73,9 @@ template(`sudo_role_template',`
allow $1_sudo_t self:key manage_key_perms;
dontaudit $1_sudo_t self:capability { dac_read_search sys_ptrace };
 
-   allow $1_sudo_t $3:key search;
-
-   # Transmit SIGWINCH to children
-   allow $1_sudo_t $3:process signal;
-
-   # Enter this derived domain from the user domain
-   domtrans_pattern($3, sudo_exec_t, $1_sudo_t)
-
# By default, revert to the calling domain when a shell is executed.
corecmd_shell_domtrans($1_sudo_t, $2)
corecmd_bin_domtrans($1_sudo_t, $2)
-   allow $3 $1_sudo_t:fd use;
-   allow $3 $1_sudo_t:fifo_file rw_fifo_file_perms;
-   allow $3 $1_sudo_t:process signal_perms;
 
kernel_read_kernel_sysctls($1_sudo_t)
kernel_read_system_state($1_sudo_t)
@@ -158,6 +147,32 @@ template(`sudo_role_template',`
dontaudit $1_sudo_t $3:socket_class_set { read write };
')
 
+   tunable_policy(`sudo_allow_user_exec_domains',`
+   allow $1_sudo_t $3:key search;
+
+   # Transmit SIGWINCH to children
+   allow $1_sudo_t $3:process signal;
+
+   # Enter this derived domain from the user domain
+   domtrans_pattern($3, sudo_exec_t, $1_sudo_t)
+
+   allow $3 $1_sudo_t:fd use;
+   allow $3 $1_sudo_t:fifo_file rw_fifo_file_perms;
+   allow $3 $1_sudo_t:process signal_perms;
+   ',`
+   allow $1_sudo_t $2:key search;
+
+   # Transmit SIGWINCH to children
+   allow $1_sudo_t $2:process signal;
+
+   # Enter this derived domain from the user domain
+   domtrans_pattern($2, sudo_exec_t, $1_sudo_t)
+
+   allow $2 $1_sudo_t:fd use;
+   allow $2 $1_sudo_t:fifo_file rw_fifo_file_perms;
+   allow $2 $1_sudo_t:process signal_perms;
+   ')
+
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_files($1_sudo_t)
')
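Review bot: the true branch of the new sudo_allow_user_exec_domains block grants the domain transition, fd use, fifo and signal rules only to $3, so a user domain $2 that does not carry the exec-domain attribute loses sudo access when the tunable is enabled; either state that $2 is always a member of $3 or keep the $2 rules unconditional. Also, the context line `dontaudit $1_sudo_t $3:socket_class_set { read write };` just above the new block still references $3 unconditionally, which is harmless for a dontaudit but inconsistent with the split introduced here.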

diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te
index 8704a154..f6618cd9 100644
--- a/policy/modules/admin/sudo.te
+++ b/policy/modules/admin/sudo.te
@@ -11,6 +11,16 @@ policy_module(sudo, 1.17.0)
 ## 
 gen_tunable(sudo_all_tcp_connect_http_port, false)
 
+## 
+## 
+## Determine whether the user application exec
+## domain attribute should be respected for sudo
+## access. If not enabled, only user domains
+## themselves may use sudo.
+## 
+## 
+gen_tunable(sudo_allow_user_exec_domains, false)
+
 
 #
 # Declarations



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

2021-11-11 Thread Jason Zaman
commit: 42a6dc478442e531cd701638057210d9b1c58ec1
Author: Jonathan Davies  protonmail  com>
AuthorDate: Fri May 28 14:00:30 2021 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Fri Nov 12 01:53:00 2021 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=42a6dc47

logrotate.te: Added boolean for allowing logrotate to rotate the audit log.

Signed-off-by: Jonathan Davies  protonmail.com>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/admin/logrotate.te | 13 +
 1 file changed, 13 insertions(+)

diff --git a/policy/modules/admin/logrotate.te 
b/policy/modules/admin/logrotate.te
index 1c704120..1419d878 100644
--- a/policy/modules/admin/logrotate.te
+++ b/policy/modules/admin/logrotate.te
@@ -5,6 +5,14 @@ policy_module(logrotate, 1.26.0)
 # Declarations
 #
 
+## 
+##  
+##  Determine whether logrotate can manage
+##  audit log files
+##  
+## 
+gen_tunable(logrotate_manage_audit_log, false)
+
 attribute_role logrotate_roles;
 roleattribute system_r logrotate_roles;
 
@@ -138,6 +146,11 @@ ifdef(`distro_debian',`
logging_read_syslog_config(logrotate_t)
 ')
 
+tunable_policy(`logrotate_manage_audit_log',`
+   logging_manage_audit_log(logrotate_t)
+')
+
+
 optional_policy(`
abrt_manage_cache(logrotate_t)
 ')
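Review bot: there are two blank lines between the closing `')` of the new tunable_policy block and the following optional_policy, where the rest of the file uses one. The tunable description should also say what the access means in practice: logging_manage_audit_log lets logrotate write and delete audit log files, so the boolean must stay off on systems where audit records are required to be append-only, which is why defaulting it to false is the right choice.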



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/, policy/modules/kernel/, policy/modules/system/, ...

2021-11-11 Thread Jason Zaman
commit: 9f2bab2173d07f9337a6003bf39f771d22b9df22
Author: Chris PeBenito  ieee  org>
AuthorDate: Tue Nov  9 16:13:37 2021 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Thu Nov 11 21:26:50 2021 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9f2bab21

various: Module version bump.

Signed-off-by: Chris PeBenito  ieee.org>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/admin/netutils.te| 2 +-
 policy/modules/admin/usbguard.te| 2 +-
 policy/modules/admin/usermanage.te  | 2 +-
 policy/modules/kernel/devices.te| 2 +-
 policy/modules/kernel/filesystem.te | 2 +-
 policy/modules/roles/sysadm.te  | 2 +-
 policy/modules/services/apache.te   | 2 +-
 policy/modules/services/asterisk.te | 2 +-
 policy/modules/services/bind.te | 2 +-
 policy/modules/services/certbot.te  | 2 +-
 policy/modules/services/dbus.te | 2 +-
 policy/modules/services/dovecot.te  | 2 +-
 policy/modules/services/exim.te | 2 +-
 policy/modules/services/git.te  | 2 +-
 policy/modules/services/jabber.te   | 2 +-
 policy/modules/services/mta.te  | 2 +-
 policy/modules/services/policykit.te| 2 +-
 policy/modules/services/postfix.te  | 2 +-
 policy/modules/services/rngd.te | 2 +-
 policy/modules/services/spamassassin.te | 2 +-
 policy/modules/services/ssh.te  | 2 +-
 policy/modules/services/virt.te | 2 +-
 policy/modules/system/systemd.te| 2 +-
 policy/modules/system/userdomain.te | 2 +-
 24 files changed, 24 insertions(+), 24 deletions(-)

diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index ec753a88..7210c776 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -1,4 +1,4 @@
-policy_module(netutils, 1.21.0)
+policy_module(netutils, 1.21.1)
 
 
 #

diff --git a/policy/modules/admin/usbguard.te b/policy/modules/admin/usbguard.te
index cca00cdb..cdca7ff0 100644
--- a/policy/modules/admin/usbguard.te
+++ b/policy/modules/admin/usbguard.te
@@ -1,4 +1,4 @@
-policy_module(usbguard, 1.2.0)
+policy_module(usbguard, 1.2.1)
 
 
 #

diff --git a/policy/modules/admin/usermanage.te 
b/policy/modules/admin/usermanage.te
index ca60a09e..6ead66f2 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -1,4 +1,4 @@
-policy_module(usermanage, 1.25.1)
+policy_module(usermanage, 1.25.2)
 
 
 #

diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 5a06ea82..50bfdecf 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -1,4 +1,4 @@
-policy_module(devices, 1.29.0)
+policy_module(devices, 1.29.1)
 
 
 #

diff --git a/policy/modules/kernel/filesystem.te 
b/policy/modules/kernel/filesystem.te
index ddd10c2a..d39648b3 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -1,4 +1,4 @@
-policy_module(filesystem, 1.30.2)
+policy_module(filesystem, 1.30.3)
 
 
 #

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 3deec0a8..f52086cf 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -1,4 +1,4 @@
-policy_module(sysadm, 2.19.0)
+policy_module(sysadm, 2.19.1)
 
 
 #

diff --git a/policy/modules/services/apache.te 
b/policy/modules/services/apache.te
index 79fdf1ae..d3b6c829 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -1,4 +1,4 @@
-policy_module(apache, 2.21.1)
+policy_module(apache, 2.21.2)
 
 
 #

diff --git a/policy/modules/services/asterisk.te 
b/policy/modules/services/asterisk.te
index e1dbff10..a188c2f4 100644
--- a/policy/modules/services/asterisk.te
+++ b/policy/modules/services/asterisk.te
@@ -1,4 +1,4 @@
-policy_module(asterisk, 1.21.0)
+policy_module(asterisk, 1.21.1)
 
 
 #

diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te
index 0081ed52..fcf74fa1 100644
--- a/policy/modules/services/bind.te
+++ b/policy/modules/services/bind.te
@@ -1,4 +1,4 @@
-policy_module(bind, 1.23.0)
+policy_module(bind, 1.23.1)
 
 
 #

diff --git a/policy/modules/services/certbot.te 
b/policy/modules/services/certbot.te
index 19ebe75f..3f2778f3 100644
--- a/policy/modules/services/certbot.te
+++ b/policy/modules/services/certbot.te
@@ -1,4 +1,4 @@
-policy_module(certbot, 1.1.0)
+policy_module(certbot, 1.1.1)
 
 ## 
 ## 

diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index 9d2942f5..7535509d 100644
--- a/policy/modules/services/dbus.te
+++ 

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

2021-11-11 Thread Jason Zaman
commit: c752ecf2cdb6694584af6306b148263d7bcd8378
Author: Kenton Groombridge  concord  sh>
AuthorDate: Sun Nov  7 01:49:32 2021 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Thu Nov 11 21:26:50 2021 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c752ecf2

netutils: fix ping

Signed-off-by: Kenton Groombridge  concord.sh>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/admin/netutils.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index 93a2fe8b..ec753a88 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -109,7 +109,7 @@ allow ping_t self:tcp_socket create_socket_perms;
 allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt 
getattr };
 allow ping_t self:packet_socket { create ioctl read write bind getopt setopt };
 allow ping_t self:netlink_route_socket create_netlink_socket_perms;
-allow ping_t self:icmp_socket create;
+allow ping_t self:icmp_socket create_socket_perms;
 
 corenet_all_recvfrom_netlabel(ping_t)
 corenet_sendrecv_icmp_packets(ping_t)
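Review bot: the commit message "netutils: fix ping" does not record the AVC denial that motivated widening icmp_socket from `create` to `create_socket_perms`; include it so the additional socket permissions granted by the permission set can be traced back to the actual failure.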



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

2021-11-11 Thread Jason Zaman
commit: b90cb8704ffb2d1e57e38107076206f780ea7561
Author: Yi Zhao  windriver  com>
AuthorDate: Tue Sep 28 07:46:50 2021 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Thu Nov 11 21:26:50 2021 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b90cb870

passwd: allow passwd to map SELinux status page

We encountered a passwd runtime error with selinux 3.3:
$ passwd user1
passwd: avc.c:73: avc_context_to_sid_raw: Assertion `avc_running'
failed.
Aborted

Fixes:
avc: denied { map } for pid=325 comm="passwd"
path="/sys/fs/selinux/status" dev="selinuxfs" ino=19 scontext=root:
sysadm_r:passwd_t tcontext=system_u:object_r:security_t tclass=file
permissive=1

Signed-off-by: Yi Zhao  windriver.com>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/admin/usermanage.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/admin/usermanage.te 
b/policy/modules/admin/usermanage.te
index 19290878..ca60a09e 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -322,6 +322,7 @@ mls_file_write_all_levels(passwd_t)
 mls_file_downgrade(passwd_t)
 
 selinux_get_fs_mount(passwd_t)
+selinux_use_status_page(passwd_t)
 selinux_validate_context(passwd_t)
 selinux_compute_access_vector(passwd_t)
 selinux_compute_create_context(passwd_t)



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

2021-09-05 Thread Jason Zaman
commit: abdb4768109d7b7251122ef03c200517eeada4cc
Author: Jonathan Davies  protonmail  com>
AuthorDate: Tue Jul  6 14:48:28 2021 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Sep  5 14:26:44 2021 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=abdb4768

dmesg.te: Added files_read_etc_files() as some distros store terminfo files in /etc/.

Signed-off-by: Jonathan Davies  protonmail.com>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/admin/dmesg.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te
index a254f13e..8c5337b1 100644
--- a/policy/modules/admin/dmesg.te
+++ b/policy/modules/admin/dmesg.te
@@ -38,6 +38,7 @@ term_dontaudit_use_console(dmesg_t)
 domain_use_interactive_fds(dmesg_t)
 
 files_list_etc(dmesg_t)
+files_read_etc_files(dmesg_t)
 files_read_usr_files(dmesg_t)
 
 init_use_fds(dmesg_t)
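Review bot: the justification for files_read_etc_files(dmesg_t) (terminfo files living under /etc on some distributions) is recorded only in the commit message; put it in a comment above the new line, e.g. `# terminfo is installed under /etc on some distros`, so the next audit of dmesg_t's /etc access does not have to go through history. Also check whether the preceding files_list_etc(dmesg_t) context line is still needed: if files_read_etc_files already grants directory listing on etc_t, it can be dropped in the same change.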



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/, policy/modules/roles/, policy/modules/kernel/

2021-09-05 Thread Jason Zaman
commit: 8f26b7cec0bdcb591e5caa650014bb5ae00293f2
Author: Chris PeBenito  ieee  org>
AuthorDate: Thu Jul  8 13:45:15 2021 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Sep  5 14:26:44 2021 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8f26b7ce

dmesg, devices, sysadm: Module version bump.

Signed-off-by: Chris PeBenito  ieee.org>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/admin/dmesg.te| 2 +-
 policy/modules/kernel/devices.te | 2 +-
 policy/modules/roles/sysadm.te   | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te
index 8c5337b1..d347614c 100644
--- a/policy/modules/admin/dmesg.te
+++ b/policy/modules/admin/dmesg.te
@@ -1,4 +1,4 @@
-policy_module(dmesg, 1.8.0)
+policy_module(dmesg, 1.8.1)
 
 
 #

diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 000e5ebe..7dee3d17 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -1,4 +1,4 @@
-policy_module(devices, 1.28.2)
+policy_module(devices, 1.28.3)
 
 
 #

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 3aa6b9d5..ba26bbfe 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -1,4 +1,4 @@
-policy_module(sysadm, 2.18.4)
+policy_module(sysadm, 2.18.5)
 
 
 #



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/, policy/modules/system/

2021-03-21 Thread Jason Zaman
commit: 9c2a5171c53779f30d0cd3a89668809045277af1
Author: Jason Zaman  perfinion  com>
AuthorDate: Sun Sep 15 08:31:09 2019 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Mar 21 22:07:35 2021 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9c2a5171

systemd: Add elogind support

Elogind is based off systemd-logind extracted to stand alone.

Signed-off-by: Jason Zaman  perfinion.com>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/admin/sudo.if   |  2 ++
 policy/modules/system/authlogin.if |  5 +
 policy/modules/system/systemd.fc   |  5 +
 policy/modules/system/systemd.te   | 29 -
 4 files changed, 40 insertions(+), 1 deletion(-)

diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
index 51bc9343..eada7c28 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -160,6 +160,8 @@ template(`sudo_role_template',`
 
optional_policy(`
dbus_system_bus_client($1_sudo_t)
+   systemd_dbus_chat_logind($1_sudo_t)
+   systemd_write_inherited_logind_sessions_pipes($1_sudo_t)
 
ifdef(`init_systemd',`
init_dbus_chat($1_sudo_t)
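Review bot: the two new systemd_ calls are placed inside the optional_policy block that belongs to dbus, so when the systemd module is not loaded the whole block is disabled, including dbus_system_bus_client($1_sudo_t). The authlogin.if hunk in this same patch wraps the identical pair in its own nested optional_policy(` ... ') block; do the same here so the dbus rules do not depend on the systemd module and the two call sites stay consistent.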

diff --git a/policy/modules/system/authlogin.if 
b/policy/modules/system/authlogin.if
index 753a7735..e807f91f 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -67,6 +67,11 @@ interface(`auth_use_pam',`
optional_policy(`
fprintd_dbus_chat($1)
')
+
+   optional_policy(`
+   systemd_dbus_chat_logind($1)
+   systemd_write_inherited_logind_sessions_pipes($1)
+   ')
')
 
optional_policy(`

diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index 7de7e677..67e81209 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -16,6 +16,10 @@
 /usr/bin/systemd-tty-ask-password-agent--  
gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
 /usr/bin/systemd-notify--  
gen_context(system_u:object_r:systemd_notify_exec_t,s0)
 
+/usr/lib/elogind/elogind   --  
gen_context(system_u:object_r:systemd_logind_exec_t,s0)
+/usr/lib/elogind/elogind-cgroups-agent --  
gen_context(system_u:object_r:systemd_logind_exec_t,s0)
+/usr/lib/elogind/elogind-uaccess-command   --  
gen_context(system_u:object_r:systemd_logind_exec_t,s0)
+
 # Systemd generators
 /usr/lib/systemd/system-environment-generators/.*  
--  gen_context(system_u:object_r:systemd_generator_exec_t,s0)
 /usr/lib/systemd/system-generators/.*  
--  gen_context(system_u:object_r:systemd_generator_exec_t,s0)
@@ -71,6 +75,7 @@ HOME_DIR/\.local/share/systemd(/.*)?  
gen_context(system_u:object_r:systemd_data
 /var/lib/systemd/rfkill(/.*)?  
gen_context(system_u:object_r:systemd_rfkill_var_lib_t,s0)
 
 /run/\.nologin[^/]*--  
gen_context(system_u:object_r:systemd_sessions_runtime_t,s0)
+/run/elogind\.pid  --  
gen_context(system_u:object_r:systemd_logind_runtime_t,s0)
 /run/nologin   --  
gen_context(system_u:object_r:systemd_sessions_runtime_t,s0)
 
 /run/user/%{USERID}/systemd-d  
gen_context(system_u:object_r:systemd_user_runtime_t,s0)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index f5b5b07a..8a294661 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -144,6 +144,9 @@ init_system_domain(systemd_locale_t, systemd_locale_exec_t)
 
 type systemd_logind_t;
 type systemd_logind_exec_t;
+optional_policy(`
+   dbus_system_domain(systemd_logind_t, systemd_logind_exec_t)
+')
 init_daemon_domain(systemd_logind_t, systemd_logind_exec_t)
 init_named_socket_activation(systemd_logind_t, systemd_logind_runtime_t)
 
@@ -154,6 +157,7 @@ init_mountpoint(systemd_logind_inhibit_runtime_t)
 type systemd_logind_runtime_t alias systemd_logind_var_run_t;
 files_runtime_file(systemd_logind_runtime_t)
 init_daemon_runtime_file(systemd_logind_runtime_t, dir, "systemd_logind")
+init_daemon_runtime_file(systemd_logind_runtime_t, file, "elogind.pid")
 init_mountpoint(systemd_logind_runtime_t)
 
 type systemd_logind_var_lib_t;
@@ -585,7 +589,7 @@ logging_send_syslog_msg(systemd_log_parse_env_type)
 # Logind local policy
 #
 
-allow systemd_logind_t self:capability { chown dac_override dac_read_search 
fowner sys_admin sys_tty_config };
+allow systemd_logind_t self:capability { chown dac_override dac_read_search 
fowner fsetid sys_admin sys_resource sys_tty_config };
 allow systemd_logind_t self:process { getcap setfscreate };
 allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms;
 allow systemd_logind_t self:unix_dgram_socket 
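Review bot: fsetid and sys_resource are added to the systemd_logind_t self:capability set with no indication of which elogind operation needs them, and the commit message only says "Add elogind support". sys_resource is a broad capability, so a one-line comment above the allow rule naming the triggering denial or the elogind code path would let a reviewer judge whether it belongs in the shared logind policy or under an elogind-specific guard.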

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/, policy/modules/apps/

2021-02-06 Thread Jason Zaman
commit: 758c98fc22b0795287736330c416d9f3e03fdf00
Author: Russell Coker  coker  com  au>
AuthorDate: Tue Feb  2 14:55:38 2021 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Feb  6 21:15:09 2021 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=758c98fc

misc apps and admin patches

Send again without the section Dominick didn't like.  I think it's ready for 
inclusion.

Signed-off-by: Russell Coker  coker.com.au>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/admin/apt.fc|  4 +++-
 policy/modules/admin/apt.te|  8 
 policy/modules/admin/bootloader.te |  3 +++
 policy/modules/admin/logrotate.te  |  2 ++
 policy/modules/apps/games.te   | 14 ++
 policy/modules/apps/mplayer.if |  2 +-
 policy/modules/apps/mplayer.te |  7 ++-
 7 files changed, 37 insertions(+), 3 deletions(-)

diff --git a/policy/modules/admin/apt.fc b/policy/modules/admin/apt.fc
index 8a539f06..66fec023 100644
--- a/policy/modules/admin/apt.fc
+++ b/policy/modules/admin/apt.fc
@@ -5,6 +5,8 @@
 /usr/bin/apt-shell --  gen_context(system_u:object_r:apt_exec_t,s0)
 /usr/bin/aptitude  --  gen_context(system_u:object_r:apt_exec_t,s0)
 /usr/sbin/update-apt-xapian-index -- 
gen_context(system_u:object_r:apt_exec_t,s0)
+/usr/share/unattended-upgrades/unattended-upgrade-shutdown -- 
gen_context(system_u:object_r:apt_exec_t,s0)
+/usr/bin/unattended-upgrade -- gen_context(system_u:object_r:apt_exec_t,s0)
 
 ifndef(`distro_redhat',`
 /usr/sbin/synaptic --  gen_context(system_u:object_r:apt_exec_t,s0)
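Review bot: the new /usr/bin/unattended-upgrade entry is appended after /usr/sbin/update-apt-xapian-index, which breaks the path ordering of this file (the /usr/bin/ entries above it are sorted); move it up next to the other /usr/bin/ lines so the file stays sorted, and keep the /usr/share/ entry after the /usr/sbin/ one.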
@@ -23,5 +25,5 @@ ifndef(`distro_redhat',`
 /var/lock/aptitude gen_context(system_u:object_r:apt_lock_t,s0)
 
 /var/log/aptitude.*gen_context(system_u:object_r:apt_var_log_t,s0)
-
+/var/log/unattended-upgrades(/.*)  
gen_context(system_u:object_r:apt_var_log_t,s0)
 /var/log/apt(/.*)? gen_context(system_u:object_r:apt_var_log_t,s0)
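Review bot: `/var/log/unattended-upgrades(/.*)` lacks the trailing `?` that the neighbouring `/var/log/apt(/.*)?` entry has, so the pattern matches the directory's contents but not the directory itself; it should be `/var/log/unattended-upgrades(/.*)?`. The hunk also drops the blank line that separated the aptitude and apt log entries and inserts the new entry ahead of /var/log/apt rather than in sorted order.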

diff --git a/policy/modules/admin/apt.te b/policy/modules/admin/apt.te
index 841b8c4f..8e5f72b7 100644
--- a/policy/modules/admin/apt.te
+++ b/policy/modules/admin/apt.te
@@ -154,6 +154,10 @@ optional_policy(`
dpkg_lock_db(apt_t)
 ')
 
+optional_policy(`
+   networkmanager_dbus_chat(apt_t)
+')
+
 optional_policy(`
nis_use_ypbind(apt_t)
 ')
@@ -168,6 +172,10 @@ optional_policy(`
rpm_domtrans(apt_t)
 ')
 
+optional_policy(`
+   systemd_dbus_chat_logind(apt_t)
+')
+
 optional_policy(`
unconfined_domain(apt_t)
 ')

diff --git a/policy/modules/admin/bootloader.te 
b/policy/modules/admin/bootloader.te
index 172e5157..78b34125 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -186,6 +186,9 @@ ifdef(`distro_debian',`
 
dpkg_read_db(bootloader_t)
dpkg_rw_pipes(bootloader_t)
+
+   apt_use_fds(bootloader_t)
+   apt_use_ptys(bootloader_t)
 ')
 
 ifdef(`distro_redhat',`
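Review bot: apt_use_fds(bootloader_t) and apt_use_ptys(bootloader_t) are placed after the dpkg_ calls; refpolicy groups interface calls by module in alphabetical order within a block, so these belong with the apt_ calls ahead of dpkg_read_db. Moving them now avoids a follow-up reordering commit.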

diff --git a/policy/modules/admin/logrotate.te 
b/policy/modules/admin/logrotate.te
index 7169d260..c13f0a73 100644
--- a/policy/modules/admin/logrotate.te
+++ b/policy/modules/admin/logrotate.te
@@ -121,6 +121,7 @@ logging_send_syslog_msg(logrotate_t)
 logging_send_audit_msgs(logrotate_t)
 logging_exec_all_logs(logrotate_t)
 
+miscfiles_read_generic_certs(logrotate_t)
 miscfiles_read_localization(logrotate_t)
 
 seutil_dontaudit_read_config(logrotate_t)
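Review bot: miscfiles_read_generic_certs(logrotate_t) comes with no explanation, and logrotate itself has no obvious need for the CA certificate store; this looks like a side effect of a postrotate script or helper it runs (samba_domtrans_smbcontrol is granted to the same domain further down in this patch). Add a comment stating what reads the certs, and if it is a child process, consider granting the access to that child's domain instead of widening logrotate_t.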
@@ -242,6 +243,7 @@ optional_policy(`
 ')
 
 optional_policy(`
+   samba_domtrans_smbcontrol(logrotate_t)
samba_exec_log(logrotate_t)
 ')
 

diff --git a/policy/modules/apps/games.te b/policy/modules/apps/games.te
index 1de63166..c66b382b 100644
--- a/policy/modules/apps/games.te
+++ b/policy/modules/apps/games.te
@@ -111,9 +111,11 @@ fs_tmpfs_filetrans(games_t, games_tmpfs_t, { file lnk_file 
sock_file fifo_file }
 
 can_exec(games_t, games_exec_t)
 
+kernel_read_kernel_sysctls(games_t)
 kernel_read_system_state(games_t)
 
 corecmd_exec_bin(games_t)
+corecmd_exec_shell(games_t)
 
 corenet_all_recvfrom_netlabel(games_t)
 corenet_tcp_sendrecv_generic_if(games_t)
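Review bot: corecmd_exec_shell(games_t) lets everything labelled games_exec_t run a shell in the games_t domain, and the commit message does not say which game or launcher needs it. A comment naming the program would document the justification; if it is a single launcher script, labelling that script separately would be tighter than widening the whole domain.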
@@ -146,6 +148,7 @@ init_dontaudit_rw_utmp(games_t)
 
 logging_dontaudit_search_logs(games_t)
 
+miscfiles_read_generic_certs(games_t)
 miscfiles_read_man_pages(games_t)
 miscfiles_read_localization(games_t)
 
@@ -161,9 +164,15 @@ tunable_policy(`allow_execmem',`
allow games_t self:process execmem;
 ')
 
+optional_policy(`
+   alsa_read_config(games_t)
+')
+
 optional_policy(`
dbus_all_session_bus_client(games_t)
dbus_connect_all_session_bus(games_t)
+   dbus_read_lib_files(games_t)
+   dbus_system_bus_client(games_t)
 ')
 
 optional_policy(`
@@ -174,6 +183,11 @@ optional_policy(`
pulseaudio_run(games_t, games_roles)
 ')
 
+optional_policy(`
+   xdg_read_config_files(games_t)
+   xdg_read_data_files(games_t)
+')
+
 optional_policy(`
xserver_user_x_domain_template(games, games_t, games_tmpfs_t)
xserver_create_xdm_tmp_sockets(games_t)


[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

2021-02-06 Thread Jason Zaman
commit: 71f9eaa40d0cca90e45ad49ae78e0ce3767ebb7a
Author: Chris PeBenito  ieee  org>
AuthorDate: Tue Feb  2 18:32:42 2021 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Feb  6 21:15:09 2021 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=71f9eaa4

apt, bootloader: Move lines.

Signed-off-by: Chris PeBenito  ieee.org>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/admin/apt.fc| 6 --
 policy/modules/admin/bootloader.te | 5 ++---
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/policy/modules/admin/apt.fc b/policy/modules/admin/apt.fc
index 66fec023..456375f9 100644
--- a/policy/modules/admin/apt.fc
+++ b/policy/modules/admin/apt.fc
@@ -4,9 +4,11 @@
 /usr/bin/apt-get   --  gen_context(system_u:object_r:apt_exec_t,s0)
 /usr/bin/apt-shell --  gen_context(system_u:object_r:apt_exec_t,s0)
 /usr/bin/aptitude  --  gen_context(system_u:object_r:apt_exec_t,s0)
+/usr/bin/unattended-upgrade -- gen_context(system_u:object_r:apt_exec_t,s0)
+
 /usr/sbin/update-apt-xapian-index -- 
gen_context(system_u:object_r:apt_exec_t,s0)
+
 /usr/share/unattended-upgrades/unattended-upgrade-shutdown -- 
gen_context(system_u:object_r:apt_exec_t,s0)
-/usr/bin/unattended-upgrade -- gen_context(system_u:object_r:apt_exec_t,s0)
 
 ifndef(`distro_redhat',`
 /usr/sbin/synaptic --  gen_context(system_u:object_r:apt_exec_t,s0)
@@ -25,5 +27,5 @@ ifndef(`distro_redhat',`
 /var/lock/aptitude gen_context(system_u:object_r:apt_lock_t,s0)
 
 /var/log/aptitude.*gen_context(system_u:object_r:apt_var_log_t,s0)
-/var/log/unattended-upgrades(/.*)  
gen_context(system_u:object_r:apt_var_log_t,s0)
 /var/log/apt(/.*)? gen_context(system_u:object_r:apt_var_log_t,s0)
+/var/log/unattended-upgrades(/.*)  
gen_context(system_u:object_r:apt_var_log_t,s0)

diff --git a/policy/modules/admin/bootloader.te 
b/policy/modules/admin/bootloader.te
index 78b34125..cbaf65cd 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -180,15 +180,14 @@ ifdef(`distro_debian',`
 
libs_relabelto_lib_files(bootloader_t)
 
+   apt_use_fds(bootloader_t)
+   apt_use_ptys(bootloader_t)
# for apt-cache
apt_read_db(bootloader_t)
apt_manage_cache(bootloader_t)
 
dpkg_read_db(bootloader_t)
dpkg_rw_pipes(bootloader_t)
-
-   apt_use_fds(bootloader_t)
-   apt_use_ptys(bootloader_t)
 ')
 
 ifdef(`distro_redhat',`



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/, policy/modules/system/, policy/modules/services/

2021-02-06 Thread Jason Zaman
commit: e57bc26069d27c092d703ab9e323c9590552a73e
Author: Chris PeBenito  ieee  org>
AuthorDate: Tue Feb  2 13:46:41 2021 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Feb  6 21:15:09 2021 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e57bc260

dpkg, aptcatcher, milter, mysql, systemd: Rename interfaces.

Rename interfaces from a7f3fdabadd47279800688d5ee2e19662b7fc58b.

Signed-off-by: Chris PeBenito  ieee.org>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/admin/dpkg.te | 8 
 policy/modules/services/aptcacher.if | 2 +-
 policy/modules/services/milter.if| 2 +-
 policy/modules/services/mysql.if | 4 ++--
 policy/modules/system/systemd.if | 2 +-
 5 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/policy/modules/admin/dpkg.te b/policy/modules/admin/dpkg.te
index 6830c795..da365bb2 100644
--- a/policy/modules/admin/dpkg.te
+++ b/policy/modules/admin/dpkg.te
@@ -309,7 +309,7 @@ optional_policy(`
 
 optional_policy(`
aptcacher_filetrans_cache_dir(dpkg_script_t)
-   aptcacher_filetrans_conf_dir(dpkg_script_t)
+   aptcacher_etc_filetrans_conf_dir(dpkg_script_t)
aptcacher_filetrans_log_dir(dpkg_script_t)
 ')
 
@@ -330,7 +330,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-   milter_filetrans_spamass_state(dpkg_script_t)
+   milter_var_lib_filetrans_spamass_state(dpkg_script_t)
 ')
 
 optional_policy(`
@@ -342,8 +342,8 @@ optional_policy(`
 ')
 
 optional_policy(`
-   mysql_create_db_dir(dpkg_script_t)
-   mysql_create_log_dir(dpkg_script_t)
+   mysql_var_lib_filetrans_db_dir(dpkg_script_t)
+   mysql_log_filetrans_log_dir(dpkg_script_t)
 ')
 
 optional_policy(`

diff --git a/policy/modules/services/aptcacher.if 
b/policy/modules/services/aptcacher.if
index bef83332..40f19560 100644
--- a/policy/modules/services/aptcacher.if
+++ b/policy/modules/services/aptcacher.if
@@ -110,7 +110,7 @@ interface(`aptcacher_filetrans_cache_dir',`
 ## 
 ## 
 #
-interface(`aptcacher_filetrans_conf_dir',`
+interface(`aptcacher_etc_filetrans_conf_dir',`
gen_require(`
type aptcacher_conf_t;
')

diff --git a/policy/modules/services/milter.if 
b/policy/modules/services/milter.if
index 13b05498..5323b6e0 100644
--- a/policy/modules/services/milter.if
+++ b/policy/modules/services/milter.if
@@ -108,7 +108,7 @@ interface(`milter_manage_spamass_state',`
 ## 
 ## 
 #
-interface(`milter_filetrans_spamass_state',`
+interface(`milter_var_lib_filetrans_spamass_state',`
gen_require(`
type spamass_milter_state_t;
')

diff --git a/policy/modules/services/mysql.if b/policy/modules/services/mysql.if
index e89a66d9..0b2e5685 100644
--- a/policy/modules/services/mysql.if
+++ b/policy/modules/services/mysql.if
@@ -251,7 +251,7 @@ interface(`mysql_manage_db_files',`
 ## 
 ## 
 #
-interface(`mysql_create_db_dir',`
+interface(`mysql_var_lib_filetrans_db_dir',`
gen_require(`
type mysqld_db_t;
')
@@ -357,7 +357,7 @@ interface(`mysql_write_log',`
 ## 
 ## 
 #
-interface(`mysql_create_log_dir',`
+interface(`mysql_log_filetrans_log_dir',`
gen_require(`
type mysqld_log_t;
')

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index ac431aba..29a561c7 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -546,7 +546,7 @@ interface(`systemd_run_passwd_agent',`
type systemd_passwd_agent_t, systemd_passwd_agent_exec_t;
')
 
-   domain_auto_transition_pattern($1, systemd_passwd_agent_exec_t, 
systemd_passwd_agent_t)
+   domtrans_pattern($1, systemd_passwd_agent_exec_t, 
systemd_passwd_agent_t)
allow systemd_passwd_agent_t $1:fd use;
role $2 types systemd_passwd_agent_t;
 ')
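Review bot: with the switch from domain_auto_transition_pattern to domtrans_pattern, the explicit `allow systemd_passwd_agent_t $1:fd use;` on the following line is most likely redundant, since domtrans_pattern is the pattern that layers the fd use, fifo_file and sigchld rules for the new domain on top of the bare transition; if that is the case the allow line can be removed as part of the same rename.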



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

2021-01-31 Thread Jason Zaman
commit: 21ac5d4937112c4cca29d52c36c91b240c2abb5f
Author: Kenton Groombridge  concord  sh>
AuthorDate: Tue Jan 26 23:08:54 2021 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Mon Feb  1 01:21:42 2021 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=21ac5d49

sudo: add tunable for HTTP connections

Signed-off-by: Kenton Groombridge  concord.sh>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/admin/sudo.te | 15 +++
 1 file changed, 15 insertions(+)

diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te
index 2cebeef7..2ac111d6 100644
--- a/policy/modules/admin/sudo.te
+++ b/policy/modules/admin/sudo.te
@@ -1,5 +1,16 @@
 policy_module(sudo, 1.15.0)
 
+## 
+## 
+## Determine whether all sudo domains
+## can connect to TCP HTTP ports. This
+## is needed if an additional authentication
+## mechanism via an HTTP server is
+## required for users to use sudo.
+## 
+## 
+gen_tunable(sudo_all_tcp_connect_http_port, false)
+
 
 #
 # Declarations
@@ -7,3 +18,7 @@ attribute sudodomain;
 
 type sudo_exec_t;
 application_executable_file(sudo_exec_t)
+
+tunable_policy(`sudo_all_tcp_connect_http_port',`
+   corenet_tcp_connect_http_port(sudodomain)
+')
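Review bot: corenet_tcp_connect_http_port(sudodomain) applies to every per-role sudo domain once the tunable is enabled, which is fine given the default of false, but refpolicy convention is to pair a *_tcp_connect_*_port call with the matching packet rule, here corenet_sendrecv_http_client_packets(sudodomain), inside the same tunable_policy block; add it so the rule works when labeled networking is in use.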



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/, policy/modules/services/, policy/modules/system/

2021-01-31 Thread Jason Zaman
commit: 56d8835e88a2d97f33e8ed66fa8914979378b9c6
Author: Chris PeBenito  ieee  org>
AuthorDate: Thu Jan 28 16:39:49 2021 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Mon Feb  1 01:21:42 2021 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=56d8835e

various: Module version bump.

Signed-off-by: Chris PeBenito  ieee.org>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/admin/netutils.te | 2 +-
 policy/modules/services/apache.te| 2 +-
 policy/modules/services/aptcacher.te | 2 +-
 policy/modules/services/bind.te  | 2 +-
 policy/modules/services/colord.te| 2 +-
 policy/modules/services/cron.te  | 2 +-
 policy/modules/services/cups.te  | 2 +-
 policy/modules/services/devicekit.te | 2 +-
 policy/modules/services/dkim.te  | 2 +-
 policy/modules/services/entropyd.te  | 2 +-
 policy/modules/services/fail2ban.te  | 2 +-
 policy/modules/services/jabber.te| 2 +-
 policy/modules/services/l2tp.te  | 2 +-
 policy/modules/services/mailman.te   | 2 +-
 policy/modules/services/mon.te   | 2 +-
 policy/modules/services/mysql.te | 2 +-
 policy/modules/services/openvpn.te   | 2 +-
 policy/modules/services/postgrey.te  | 2 +-
 policy/modules/services/rpc.te   | 2 +-
 policy/modules/services/samba.te | 2 +-
 policy/modules/services/smartmon.te  | 2 +-
 policy/modules/services/squid.te | 2 +-
 policy/modules/services/tor.te   | 2 +-
 policy/modules/services/watchdog.te  | 2 +-
 policy/modules/services/xserver.te   | 2 +-
 policy/modules/system/sysnetwork.te  | 2 +-
 26 files changed, 26 insertions(+), 26 deletions(-)

diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index 1a0d3d7b..c4fc0286 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -1,4 +1,4 @@
-policy_module(netutils, 1.20.1)
+policy_module(netutils, 1.20.2)
 
 
 #

diff --git a/policy/modules/services/apache.te 
b/policy/modules/services/apache.te
index 35fafe56..229848c0 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -1,4 +1,4 @@
-policy_module(apache, 2.19.2)
+policy_module(apache, 2.19.3)
 
 
 #

diff --git a/policy/modules/services/aptcacher.te 
b/policy/modules/services/aptcacher.te
index d9089a77..fa3b2dd0 100644
--- a/policy/modules/services/aptcacher.te
+++ b/policy/modules/services/aptcacher.te
@@ -1,4 +1,4 @@
-policy_module(aptcacher, 1.1.0)
+policy_module(aptcacher, 1.1.1)
 
 
 #

diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te
index 57ae7be3..11949946 100644
--- a/policy/modules/services/bind.te
+++ b/policy/modules/services/bind.te
@@ -1,4 +1,4 @@
-policy_module(bind, 1.22.2)
+policy_module(bind, 1.22.3)
 
 
 #

diff --git a/policy/modules/services/colord.te 
b/policy/modules/services/colord.te
index ca035d5e..c41d827b 100644
--- a/policy/modules/services/colord.te
+++ b/policy/modules/services/colord.te
@@ -1,4 +1,4 @@
-policy_module(colord, 1.6.1)
+policy_module(colord, 1.6.2)
 
 
 #

diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
index c4342f05..23e990ad 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -1,4 +1,4 @@
-policy_module(cron, 2.18.3)
+policy_module(cron, 2.18.4)
 
 gen_require(`
class passwd rootok;

diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te
index f6e4a0e6..b6d8d41c 100644
--- a/policy/modules/services/cups.te
+++ b/policy/modules/services/cups.te
@@ -1,4 +1,4 @@
-policy_module(cups, 1.25.2)
+policy_module(cups, 1.25.3)
 
 
 #

diff --git a/policy/modules/services/devicekit.te 
b/policy/modules/services/devicekit.te
index 25f93898..feff1026 100644
--- a/policy/modules/services/devicekit.te
+++ b/policy/modules/services/devicekit.te
@@ -1,4 +1,4 @@
-policy_module(devicekit, 1.13.2)
+policy_module(devicekit, 1.13.3)
 
 
 #

diff --git a/policy/modules/services/dkim.te b/policy/modules/services/dkim.te
index 864d5b07..0b111b46 100644
--- a/policy/modules/services/dkim.te
+++ b/policy/modules/services/dkim.te
@@ -1,4 +1,4 @@
-policy_module(dkim, 1.8.0)
+policy_module(dkim, 1.8.1)
 
 
 #

diff --git a/policy/modules/services/entropyd.te 
b/policy/modules/services/entropyd.te
index f2405692..c46f0445 100644
--- a/policy/modules/services/entropyd.te
+++ b/policy/modules/services/entropyd.te
@@ -1,4 +1,4 @@
-policy_module(entropyd, 1.14.1)
+policy_module(entropyd, 1.14.2)
 
 
 #

diff --git a/policy/modules/services/fail2ban.te 
b/policy/modules/services/fail2ban.te
index 1e97cdfa..640905d4 100644
--- 

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/, policy/modules/system/, policy/modules/services/

2021-01-31 Thread Jason Zaman
commit: 9ac5cf61e3dde52271310da0fea9a4210c744927
Author: Russell Coker  coker  com  au>
AuthorDate: Wed Jan 27 17:20:35 2021 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Mon Feb  1 01:21:42 2021 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9ac5cf61

misc network patches with Dominick's changes*2

I think this one is good for merging now.

Signed-off-by: Russell Coker  coker.com.au>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/admin/netutils.te|  5 ++-
 policy/modules/services/dkim.te |  1 +
 policy/modules/services/mailman.te  |  1 +
 policy/modules/services/mon.te  |  3 ++
 policy/modules/services/samba.if| 76 +
 policy/modules/system/sysnetwork.fc |  1 +
 policy/modules/system/sysnetwork.te | 20 ++
 7 files changed, 106 insertions(+), 1 deletion(-)

diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index 06a64a3e..1a0d3d7b 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -109,6 +109,7 @@ allow ping_t self:tcp_socket create_socket_perms;
 allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt 
getattr };
 allow ping_t self:packet_socket { create ioctl read write bind getopt setopt };
 allow ping_t self:netlink_route_socket create_netlink_socket_perms;
+allow ping_t self:icmp_socket create;
 
 corenet_all_recvfrom_netlabel(ping_t)
 corenet_sendrecv_icmp_packets(ping_t)
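Review bot: only `create` is granted on ping_t self:icmp_socket. A ping that actually uses an ICMP datagram socket would also need read, write, bind, setopt and getattr at least, so this rule appears to exist only so the socket probe succeeds before ping falls back to the raw socket on the line above. State that in a comment, or grant the full permission set if the datagram path is intended to work.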
@@ -156,13 +157,14 @@ allow traceroute_t self:capability { net_admin net_raw 
setgid setuid };
 allow traceroute_t self:fifo_file rw_inherited_fifo_file_perms;
 allow traceroute_t self:process signal;
 allow traceroute_t self:rawip_socket create_socket_perms;
-allow traceroute_t self:packet_socket create_socket_perms;
+allow traceroute_t self:packet_socket { map create_socket_perms };
 allow traceroute_t self:udp_socket create_socket_perms;
 
 can_exec(traceroute_t, traceroute_exec_t)
 
 kernel_read_system_state(traceroute_t)
 kernel_read_network_state(traceroute_t)
+kernel_search_fs_sysctls(traceroute_t)
 
 corecmd_search_bin(traceroute_t)
 
@@ -197,6 +199,7 @@ auth_use_nsswitch(traceroute_t)
 
 logging_send_syslog_msg(traceroute_t)
 
+miscfiles_read_generic_certs(traceroute_t)
 miscfiles_read_localization(traceroute_t)
 
 userdom_use_inherited_user_terminals(traceroute_t)

diff --git a/policy/modules/services/dkim.te b/policy/modules/services/dkim.te
index e744f3d7..864d5b07 100644
--- a/policy/modules/services/dkim.te
+++ b/policy/modules/services/dkim.te
@@ -35,6 +35,7 @@ kernel_read_vm_overcommit_sysctl(dkim_milter_t)
 
 corenet_udp_bind_generic_node(dkim_milter_t)
 corenet_udp_bind_all_unreserved_ports(dkim_milter_t)
+corenet_udp_bind_generic_port(dkim_milter_t)
 
 dev_read_urand(dkim_milter_t)
 # for cpu/online

diff --git a/policy/modules/services/mailman.te 
b/policy/modules/services/mailman.te
index 154eb301..47bb174b 100644
--- a/policy/modules/services/mailman.te
+++ b/policy/modules/services/mailman.te
@@ -112,6 +112,7 @@ corecmd_exec_bin(mailman_cgi_t)
 dev_read_urand(mailman_cgi_t)
 
 files_search_locks(mailman_cgi_t)
+files_read_usr_files(mailman_cgi_t)
 
 term_use_controlling_term(mailman_cgi_t)
 

diff --git a/policy/modules/services/mon.te b/policy/modules/services/mon.te
index 74a94b89..50a9c82f 100644
--- a/policy/modules/services/mon.te
+++ b/policy/modules/services/mon.te
@@ -58,6 +58,9 @@ manage_files_pattern(mon_t, mon_var_log_t, mon_var_log_t)
 manage_files_pattern(mon_t, mon_runtime_t, mon_runtime_t)
 files_runtime_filetrans(mon_t, mon_runtime_t, file)
 
+# to read fips_enabled
+kernel_read_crypto_sysctls(mon_t)
+
 kernel_read_kernel_sysctls(mon_t)
 kernel_read_network_state(mon_t)
 kernel_read_system_state(mon_t)

diff --git a/policy/modules/services/samba.if b/policy/modules/services/samba.if
index 62c3ae67..5e01db23 100644
--- a/policy/modules/services/samba.if
+++ b/policy/modules/services/samba.if
@@ -729,3 +729,79 @@ interface(`samba_admin',`
files_list_tmp($1)
admin_pattern($1, { swat_tmp_t smbd_tmp_t winbind_tmp_t })
 ')
+
+
+## 
+## start samba daemon
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`samba_start',`
+   gen_require(`
+   type samba_unit_t;
+   ')
+
+   allow $1 samba_unit_t:file getattr;
+   allow $1 samba_unit_t:service start;
+')
+
+
+## 
+## stop samba daemon
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`samba_stop',`
+   gen_require(`
+   type samba_unit_t;
+   ')
+
+   allow $1 samba_unit_t:file getattr;
+   allow $1 samba_unit_t:service stop;
+')
+
+
+## 
+## get status of samba daemon
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`samba_status',`
+   gen_require(`
+ 
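Review bot: the new samba_start, samba_stop and samba_status interfaces are separated by two blank lines, and the block opens with two blank `+` lines after the end of samba_admin, whereas the other .if files use a single blank line between interfaces; trim these. The summaries ("start samba daemon", "stop samba daemon", "get status of samba daemon") are also lowercase, unlike the capitalised summaries used elsewhere in the interface files.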

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

2020-11-29 Thread Jason Zaman
commit: b3f7bbec02352eb175391b51119180bad035b096
Author: Jonathan Davies  protonmail  com>
AuthorDate: Tue Nov 17 15:58:31 2020 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Nov 29 01:32:30 2020 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b3f7bbec

portage.te: Allow portage_fetch_t to read /dev/urandom through interface.

Closes: https://github.com/perfinion/hardened-refpolicy/pull/3
Signed-off-by: Jonathan Davies  protonmail.com>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/admin/portage.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
index c0d6cace..8e9865e2 100644
--- a/policy/modules/admin/portage.te
+++ b/policy/modules/admin/portage.te
@@ -303,6 +303,7 @@ corenet_udp_bind_generic_node(portage_fetch_t)
 corenet_udp_bind_all_unreserved_ports(portage_fetch_t)
 
 dev_read_rand(portage_fetch_t)
+dev_read_urand(portage_fetch_t)
 
 domain_use_interactive_fds(portage_fetch_t)
 



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

2020-11-28 Thread Jason Zaman
commit: b0b027157f3d12f12c5f859343ae4c28224c5629
Author: Jonathan Davies  protonmail  com>
AuthorDate: Tue Nov 17 03:46:23 2020 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Nov 28 22:55:59 2020 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b0b02715

portage: Added /var/cache/distfiles path.

Closes: https://github.com/perfinion/hardened-refpolicy/pull/1
Signed-off-by: Jason Zaman  perfinion.com>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/admin/portage.fc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc
index 5757deaa..b1b28f3e 100644
--- a/policy/modules/admin/portage.fc
+++ b/policy/modules/admin/portage.fc
@@ -28,6 +28,7 @@
 /var/db/pkg(/.*)?  gen_context(system_u:object_r:portage_db_t,s0)
 /var/db/repos(/.*)?gen_context(system_u:object_r:portage_ebuild_t,s0)
 /var/cache/binpkgs(/.*)?  gen_context(system_u:object_r:portage_ebuild_t,s0)
+/var/cache/distfiles(/.*)? 
gen_context(system_u:object_r:portage_ebuild_t,s0)
 /var/cache/distfiles/cvs-src(/.*)? 
gen_context(system_u:object_r:portage_srcrepo_t,s0)
 /var/cache/distfiles/egit-src(/.*)?
gen_context(system_u:object_r:portage_srcrepo_t,s0)
 /var/cache/distfiles/git[0-9]-src(/.*)?
gen_context(system_u:object_r:portage_srcrepo_t,s0)



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/, policy/modules/contrib/, policy/modules/apps/

2020-02-15 Thread Jason Zaman
commit: fd6ef0c54af495c90e7f5335923ba6274fdb36ac
Author: Jason Zaman  gentoo  org>
AuthorDate: Sat Feb 15 08:28:18 2020 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Feb 15 08:31:07 2020 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=fd6ef0c5

access_vectors: Remove gentoo-specific unused permissions

Follow-on to commit 8c38998a0c3024ef16de5fdc1bc12cef5c521759

tcp/udp sendrecv permissions are obsolete and removed from the policy
completely.

Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/admin/portage.te  | 1 -
 policy/modules/admin/puppet.te   | 1 -
 policy/modules/apps/mozilla.te   | 4 
 policy/modules/contrib/bitcoin.te| 2 --
 policy/modules/contrib/dirsrv.te | 1 -
 policy/modules/contrib/dropbox.te| 1 -
 policy/modules/contrib/kdeconnect.te | 2 --
 policy/modules/contrib/mutt.te   | 2 --
 policy/modules/contrib/pan.te| 1 -
 policy/modules/contrib/rtorrent.te   | 1 -
 policy/modules/contrib/skype.te  | 1 -
 11 files changed, 17 deletions(-)

diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
index 63393962..671ee7f0 100644
--- a/policy/modules/admin/portage.te
+++ b/policy/modules/admin/portage.te
@@ -525,7 +525,6 @@ gen_tunable(portage_enable_test, false)
corenet_tcp_connect_all_unreserved_ports(portage_sandbox_t)
corenet_udp_bind_all_unreserved_ports(portage_sandbox_t)
corenet_udp_bind_generic_node(portage_sandbox_t)
-   corenet_udp_sendrecv_all_ports(portage_sandbox_t)
')
 
##
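Review bot: only the caller is removed here, which is safe as long as the `corenet_udp_sendrecv_all_ports()` definition is already gone or a no-op, as the message states for the referenced commit; if the interface still exists in the Gentoo corenetwork.if, the same sweep should cover every remaining caller in the tree, otherwise removing the definition later breaks the build for any module missed in this patch.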

diff --git a/policy/modules/admin/puppet.te b/policy/modules/admin/puppet.te
index f2b11568..3670df76 100644
--- a/policy/modules/admin/puppet.te
+++ b/policy/modules/admin/puppet.te
@@ -368,7 +368,6 @@ ifdef(`distro_gentoo',`
 
corenet_sendrecv_puppetclient_server_packets(puppet_t)
corenet_tcp_bind_puppetclient_port(puppet_t)
-   corenet_tcp_sendrecv_puppetclient_port(puppet_t)
 
usermanage_domtrans_passwd(puppet_t)
 

diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
index 744c7df2..c4ac2c7e 100644
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
@@ -724,10 +724,8 @@ gen_tunable(mozilla_plugin_connect_all_unreserved, false)
allow mozilla_t mozilla_xdg_cache_t:file map;
 
corenet_dontaudit_tcp_bind_generic_port(mozilla_t)
-   corenet_dontaudit_tcp_sendrecv_generic_port(mozilla_t)
corenet_sendrecv_tor_client_packets(mozilla_t)
corenet_tcp_connect_tor_port(mozilla_t)
-   corenet_tcp_sendrecv_tor_port(mozilla_t)
 
domain_use_interactive_fds(mozilla_t)
 
@@ -738,7 +736,6 @@ gen_tunable(mozilla_plugin_connect_all_unreserved, false)
tunable_policy(`mozilla_bind_all_unreserved_ports',`
corenet_sendrecv_all_server_packets(mozilla_t)
corenet_tcp_bind_all_unreserved_ports(mozilla_t)
-   corenet_tcp_sendrecv_all_ports(mozilla_t)
')
 
optional_policy(`
@@ -771,7 +768,6 @@ gen_tunable(mozilla_plugin_connect_all_unreserved, false)
 
corenet_sendrecv_pulseaudio_client_packets(mozilla_plugin_t)
corenet_tcp_connect_pulseaudio_port(mozilla_plugin_t)
-   corenet_tcp_sendrecv_pulseaudio_port(mozilla_plugin_t)
 
userdom_dontaudit_use_user_terminals(mozilla_plugin_t)
userdom_rw_user_tmpfs_files(mozilla_plugin_t)

diff --git a/policy/modules/contrib/bitcoin.te 
b/policy/modules/contrib/bitcoin.te
index c5667519..6cc82f77 100644
--- a/policy/modules/contrib/bitcoin.te
+++ b/policy/modules/contrib/bitcoin.te
@@ -69,12 +69,10 @@ corenet_tcp_bind_bitcoin_port(bitcoin_t)
 corenet_tcp_connect_bitcoin_port(bitcoin_t)
 corenet_tcp_connect_http_port(bitcoin_t)
 corenet_tcp_bind_generic_node(bitcoin_t)
-corenet_tcp_sendrecv_bitcoin_port(bitcoin_t)
 corenet_tcp_sendrecv_generic_if(bitcoin_t)
 corenet_tcp_sendrecv_generic_node(bitcoin_t)
 #corenet_sendrecv_dns_server_packets(bitcoin_t)
 #corenet_udp_bind_dns_port(bitcoin_t)
-#corenet_udp_sendrecv_dns_port(bitcoin_t)
 
 dev_read_sysfs(bitcoin_t)
 dev_read_urand(bitcoin_t)

diff --git a/policy/modules/contrib/dirsrv.te b/policy/modules/contrib/dirsrv.te
index e7c8d06e..0fa0b069 100644
--- a/policy/modules/contrib/dirsrv.te
+++ b/policy/modules/contrib/dirsrv.te
@@ -125,7 +125,6 @@ corenet_all_recvfrom_unlabeled(dirsrv_t)
 corenet_all_recvfrom_netlabel(dirsrv_t)
 corenet_tcp_sendrecv_generic_if(dirsrv_t)
 corenet_tcp_sendrecv_generic_node(dirsrv_t)
-corenet_tcp_sendrecv_all_ports(dirsrv_t)
 corenet_tcp_bind_all_nodes(dirsrv_t)
 corenet_tcp_bind_ldap_port(dirsrv_t)
 corenet_tcp_bind_all_rpc_ports(dirsrv_t)

diff --git a/policy/modules/contrib/dropbox.te 
b/policy/modules/contrib/dropbox.te
index 80d8af37..2aa9a93b 100644
--- a/policy/modules/contrib/dropbox.te
+++ b/policy/modules/contrib/dropbox.te
@@ -108,7 +108,6 @@ 

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

2020-02-14 Thread Jason Zaman
commit: 79c6971616012abf80e22b1678be2826a2860b42
Author: Nicolas Iooss  m4x  org>
AuthorDate: Wed Jan 15 21:01:08 2020 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Feb 15 07:32:05 2020 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=79c69716

usermanage: allow groupadd to lookup dynamic users from systemd

On a Debian 10 test virtual machine, when installing packages adds a
group, the following AVC occurs:

type=USER_AVC msg=audit(1578863991.588:575): pid=381 uid=104
auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t
msg='avc:  denied  { send_msg } for msgtype=method_call
interface=org.freedesktop.systemd1.Manager
member=LookupDynamicUserByName dest=org.freedesktop.systemd1
spid=13759 tpid=1 scontext=unconfined_u:unconfined_r:groupadd_t
tcontext=system_u:system_r:init_t tclass=dbus permissive=1
exe="/usr/bin/dbus-daemon" sauid=104 hostname=? addr=? terminal=?'

Allow groupadd to use nss-systemd, which calls DBUS method
LookupDynamicUserByName().

Signed-off-by: Nicolas Iooss  m4x.org>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/admin/usermanage.te | 4 
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/admin/usermanage.te 
b/policy/modules/admin/usermanage.te
index 3605da43..ef18fd64 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -277,6 +277,10 @@ optional_policy(`
rpm_rw_pipes(groupadd_t)
 ')
 
+optional_policy(`
+   systemd_use_nss(groupadd_t)
+')
+
 optional_policy(`
unconfined_use_fds(groupadd_t)
 ')
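Review bot: the new block is guarded by `optional_policy()` rather than `ifdef(`init_systemd')`, so it compiles on non-systemd builds but becomes active on any build where the systemd module is loaded; that matches how the other groupadd_t optional blocks are written, so fine. Note that the denial in the message was recorded with permissive=1, meaning the call went through; an enforcing re-test is still worth doing to confirm the reply path of the dbus call needs nothing beyond what `systemd_use_nss()` grants.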



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

2019-12-16 Thread Jason Zaman
commit: d7af41866897c6ec751ea4b95413a850a3e04e10
Author: Laurent Bigonville  bigon  be>
AuthorDate: Sun Oct  6 10:01:48 2019 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Mon Dec 16 13:13:11 2019 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d7af4186

Allow alsa_t to create alsa_runtime_t file as well

When alsactl is started as a daemon, it creates a pidfile
(/run/alsactl.pid), which needs to be allowed.


time->Sun Oct  6 10:59:09 2019
type=AVC msg=audit(1570352349.743:45): avc:  denied  { write open } for  
pid=804 comm="alsactl" path="/run/alsactl.pid" dev="tmpfs" ino=25882 
scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:object_r:var_run_t:s0 
tclass=file permissive=1
type=AVC msg=audit(1570352349.743:45): avc:  denied  { create } for  pid=804 
comm="alsactl" name="alsactl.pid" scontext=system_u:system_r:alsa_t:s0 
tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1

time->Sun Oct  6 11:54:38 2019
type=AVC msg=audit(1570355678.226:657): avc:  denied  { open } for  pid=9186 
comm="alsactl" path="/run/alsactl.pid" dev="tmpfs" ino=25882 
scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:object_r:var_run_t:s0 
tclass=file permissive=1
type=AVC msg=audit(1570355678.226:657): avc:  denied  { read } for  pid=9186 
comm="alsactl" name="alsactl.pid" dev="tmpfs" ino=25882 
scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:object_r:var_run_t:s0 
tclass=file permissive=1

time->Sun Oct  6 11:54:38 2019
type=AVC msg=audit(1570355678.230:659): avc:  denied  { unlink } for  pid=804 
comm="alsactl" name="alsactl.pid" dev="tmpfs" ino=25882 
scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:object_r:var_run_t:s0 
tclass=file permissive=1

Signed-off-by: Laurent Bigonville  bigon.be>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/admin/alsa.fc | 1 +
 policy/modules/admin/alsa.te | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/policy/modules/admin/alsa.fc b/policy/modules/admin/alsa.fc
index 75ea9ebf..3f52f370 100644
--- a/policy/modules/admin/alsa.fc
+++ b/policy/modules/admin/alsa.fc
@@ -4,6 +4,7 @@ HOME_DIR/\.asoundrc --  
gen_context(system_u:object_r:alsa_home_t,s0)
 /etc/asound\.conf  --  
gen_context(system_u:object_r:alsa_etc_t,s0)
 
 /run/alsa(/.*)?
gen_context(system_u:object_r:alsa_runtime_t,s0)
+/run/alsactl\.pid  --  
gen_context(system_u:object_r:alsa_runtime_t,s0)
 
 /usr/bin/ainit --  
gen_context(system_u:object_r:alsa_exec_t,s0)
 /usr/bin/alsactl   --  
gen_context(system_u:object_r:alsa_exec_t,s0)
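Review bot: the `--` restricts this entry to regular files, which is right for a pidfile; it is needed for relabelling (restorecon over /run) to agree with the runtime label, while the file-class transition in the alsa.te hunk below is what labels the file when alsactl creates it. Both halves are present, so the labelling stays consistent across reboots and relabels.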

diff --git a/policy/modules/admin/alsa.te b/policy/modules/admin/alsa.te
index 06c7635c..6a0e6fa0 100644
--- a/policy/modules/admin/alsa.te
+++ b/policy/modules/admin/alsa.te
@@ -58,8 +58,9 @@ allow alsa_t alsa_etc_t:file map;
 can_exec(alsa_t, alsa_exec_t)
 
 allow alsa_t alsa_runtime_t:dir manage_dir_perms;
+allow alsa_t alsa_runtime_t:file manage_file_perms;
 allow alsa_t alsa_runtime_t:lnk_file manage_lnk_file_perms;
-files_pid_filetrans(alsa_t, alsa_runtime_t, dir)
+files_pid_filetrans(alsa_t, alsa_runtime_t, { dir file })
 
 manage_dirs_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t)
 manage_files_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t)
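Review bot: the file-class transition is unnamed, so every regular file alsa_t creates directly under /run, not just alsactl.pid, becomes alsa_runtime_t. Since the pidfile name is fixed, a named transition would be tighter: keep `files_pid_filetrans(alsa_t, alsa_runtime_t, dir)` for the directory and add `files_pid_filetrans(alsa_t, alsa_runtime_t, file, "alsactl.pid")` for the pidfile, using the optional filename argument the interface accepts. `manage_file_perms` is broader than the five permissions in the quoted denials (create, write, open, read, unlink) but is the usual refpolicy idiom for a domain that owns its runtime file, so that part is fine.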



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/, policy/modules/system/, policy/modules/services/

2019-12-16 Thread Jason Zaman
commit: b61d15df3fda629ab5519ac0aff28bf6e7668ba2
Author: Chris PeBenito  ieee  org>
AuthorDate: Sat Nov 23 14:54:36 2019 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Mon Dec 16 13:13:11 2019 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b61d15df

various: Module version bump.

Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/admin/alsa.te| 2 +-
 policy/modules/services/dbus.te | 2 +-
 policy/modules/services/geoclue.te  | 2 +-
 policy/modules/services/realmd.te   | 2 +-
 policy/modules/system/unconfined.te | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/policy/modules/admin/alsa.te b/policy/modules/admin/alsa.te
index 1f27ee28..df47f781 100644
--- a/policy/modules/admin/alsa.te
+++ b/policy/modules/admin/alsa.te
@@ -1,4 +1,4 @@
-policy_module(alsa, 1.19.1)
+policy_module(alsa, 1.19.2)
 
 
 #

diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index 1d7123ba..fb444aa8 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -1,4 +1,4 @@
-policy_module(dbus, 1.27.1)
+policy_module(dbus, 1.27.2)
 
 gen_require(`
class dbus all_dbus_perms;

diff --git a/policy/modules/services/geoclue.te 
b/policy/modules/services/geoclue.te
index a36bcb80..306d8c87 100644
--- a/policy/modules/services/geoclue.te
+++ b/policy/modules/services/geoclue.te
@@ -1,4 +1,4 @@
-policy_module(geoclue, 1.1.0)
+policy_module(geoclue, 1.1.1)
 
 
 #

diff --git a/policy/modules/services/realmd.te 
b/policy/modules/services/realmd.te
index 841b02a4..5c8bfb54 100644
--- a/policy/modules/services/realmd.te
+++ b/policy/modules/services/realmd.te
@@ -1,4 +1,4 @@
-policy_module(realmd, 1.1.0)
+policy_module(realmd, 1.1.1)
 
 
 #

diff --git a/policy/modules/system/unconfined.te 
b/policy/modules/system/unconfined.te
index 2bb15219..c8723860 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -1,4 +1,4 @@
-policy_module(unconfined, 3.13.0)
+policy_module(unconfined, 3.13.1)
 
 
 #



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

2019-12-16 Thread Jason Zaman
commit: 747810c85068a0c6e3820733e05f4ee9fd820454
Author: Laurent Bigonville  bigon  be>
AuthorDate: Sun Oct  6 10:32:03 2019 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Mon Dec 16 13:13:11 2019 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=747810c8

Allow alsa_t to set scheduling priority and send signal to itself

When alsactl is running as a daemon with systemd, it sets its process
priority to be nice to other processes. When stopping the service, it's
signaling to itself that it needs to exit.


time->Sun Oct  6 11:59:59 2019
type=AVC msg=audit(1570355999.755:43): avc:  denied  { setsched } for  pid=794 
comm="alsactl" scontext=system_u:system_r:alsa_t:s0 
tcontext=system_u:system_r:alsa_t:s0 tclass=process permissive=1

time->Sun Oct  6 11:59:59 2019
type=AVC msg=audit(1570355999.755:44): avc:  denied  { getsched } for  pid=794 
comm="alsactl" scontext=system_u:system_r:alsa_t:s0 
tcontext=system_u:system_r:alsa_t:s0 tclass=process permissive=1

time->Sun Oct  6 12:07:26 2019
type=AVC msg=audit(1570356446.747:292): avc:  denied  { signal } for  pid=3585 
comm="alsactl" scontext=system_u:system_r:alsa_t:s0 
tcontext=system_u:system_r:alsa_t:s0 tclass=process permissive=1

Signed-off-by: Laurent Bigonville  bigon.be>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/admin/alsa.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/admin/alsa.te b/policy/modules/admin/alsa.te
index 6a0e6fa0..1f27ee28 100644
--- a/policy/modules/admin/alsa.te
+++ b/policy/modules/admin/alsa.te
@@ -44,6 +44,7 @@ files_lock_file(alsa_var_lock_t)
 allow alsa_t self:capability { dac_override dac_read_search ipc_owner setgid 
setuid };
 # kill : kill pulseaudio
 dontaudit alsa_t self:capability { kill sys_admin };
+allow alsa_t self:process { getsched setsched signal };
 allow alsa_t self:sem create_sem_perms;
 allow alsa_t self:shm create_shm_perms;
 allow alsa_t self:unix_stream_socket { accept listen };



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

2019-07-13 Thread Jason Zaman
commit: 1a367564756b5ecefb06c3dfe204ca068f75c0c0
Author: Sugar, David  tresys  com>
AuthorDate: Tue Jul  2 15:30:31 2019 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Jul 13 06:43:14 2019 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1a367564

Allow rpm scripts to alter systemd services

In RPM scripts it is common to enable/start services that are being
installed.  This allows rpm_script_t to manage systemd units.

type=USER_AVC msg=audit(1561033935.758:283): pid=1 uid=0 auid=4294967295 
ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { enable } 
for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/ntpdate.service" 
cmdline="systemctl preset ntpdate.service" 
scontext=system_u:system_r:rpm_script_t:s0 
tcontext=system_u:object_r:ntpd_unit_t:s0 tclass=service 
exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1561033935.837:286): pid=1 uid=0 auid=4294967295 
ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { enable } 
for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/ntpd.service" 
cmdline="systemctl preset ntpd.service" 
scontext=system_u:system_r:rpm_script_t:s0 
tcontext=system_u:object_r:ntpd_unit_t:s0 tclass=service 
exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

type=USER_AVC msg=audit(1561059114.937:239): pid=1 uid=0 auid=4294967295 
ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { reload } 
for auid=n/a uid=0 gid=0 cmdline="systemctl preset ntpdate.service" 
scontext=system_u:system_r:rpm_script_t:s0 tcontext=system_u:system_r:init_t:s0 
tclass=system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? 
terminal=?'

Signed-off-by: Dave Sugar  tresys.com>
Signed-off-by: Jason Zaman  perfinion.com>

 policy/modules/admin/rpm.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
index a7b13467..e74113fc 100644
--- a/policy/modules/admin/rpm.te
+++ b/policy/modules/admin/rpm.te
@@ -345,6 +345,8 @@ auth_dontaudit_getattr_shadow(rpm_script_t)
 auth_use_nsswitch(rpm_script_t)
 
 init_domtrans_script(rpm_script_t)
+init_manage_all_units(rpm_script_t)
+init_reload(rpm_script_t)
 init_telinit(rpm_script_t)
 
 libs_exec_ld_so(rpm_script_t)
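Review bot: `init_manage_all_units(rpm_script_t)` grants enable/disable/start/stop on every unit type and `init_reload()` lets a scriptlet trigger daemon-reload, which is much wider than the two ntpd_unit_t `enable` denials and the one `reload` denial quoted; there is no narrower unit set to pick, since scriptlets for arbitrary packages all run as rpm_script_t, but the trade-off deserves a comment above these two lines: any package scriptlet can now alter unrelated services, so this relies on rpm_script_t already being treated as a trusted domain. All three denials were captured with permissive=1, so an enforcing `systemctl preset` run should confirm nothing further (a status check, for example) is needed.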



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

2019-07-13 Thread Jason Zaman
commit: 6ad26170be5e95a49bdbeb1a4c45a080ae7fe6b2
Author: Sugar, David  tresys  com>
AuthorDate: Tue Jul  2 15:30:31 2019 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Jul 13 06:43:14 2019 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6ad26170

Allow rpm to map file contexts

type=AVC msg=audit(1560944465.365:270): avc:  denied  { map } for pid=1265 
comm="rpm" path="/etc/selinux/clip/contexts/files/file_contexts.bin" dev="dm-0" 
ino=44911 scontext=system_u:system_r:rpm_t:s0 
tcontext=system_u:object_r:file_context_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar  tresys.com>
Signed-off-by: Jason Zaman  perfinion.com>

 policy/modules/admin/rpm.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
index e385a8ba..a7b13467 100644
--- a/policy/modules/admin/rpm.te
+++ b/policy/modules/admin/rpm.te
@@ -211,6 +211,7 @@ miscfiles_read_localization(rpm_t)
 
 seutil_manage_src_policy(rpm_t)
 seutil_manage_bin_policy(rpm_t)
+seutil_read_file_contexts(rpm_t)
 
 userdom_use_user_terminals(rpm_t)
 userdom_use_unpriv_users_fds(rpm_t)
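Review bot: the quoted denial is specifically for `map` on file_context_t (file_contexts.bin is mmapped by libselinux), so this line only resolves it if `seutil_read_file_contexts()` grants `map` in addition to the read permissions; please confirm that against the interface body in seutil.if, because if it only uses read_files_pattern the denial will remain and a dedicated map rule is needed.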



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

2019-07-13 Thread Jason Zaman
commit: 069c0408e5a33a230222f6bde4904dab51dcfff3
Author: Sugar, David  tresys  com>
AuthorDate: Tue Jul  2 15:30:29 2019 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Jul 13 06:43:14 2019 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=069c0408

grant rpm permission to map rpm_var_lib_t

type=AVC msg=audit(1560913896.432:218): avc:  denied  { map } for pid=1265 
comm="rpm" path="/var/lib/rpm/__db.001" dev="dm-0" ino=2223 
scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 
tclass=file permissive=1

Signed-off-by: Dave Sugar  tresys.com>
Signed-off-by: Jason Zaman  perfinion.com>

 policy/modules/admin/rpm.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
index 2b15088a..85e32b3e 100644
--- a/policy/modules/admin/rpm.te
+++ b/policy/modules/admin/rpm.te
@@ -111,6 +111,7 @@ files_lock_filetrans(rpm_t, rpm_lock_t, file)
 
 manage_dirs_pattern(rpm_t, rpm_var_lib_t, rpm_var_lib_t)
 manage_files_pattern(rpm_t, rpm_var_lib_t, rpm_var_lib_t)
+mmap_read_files_pattern(rpm_t, rpm_var_lib_t, rpm_var_lib_t)
 files_var_lib_filetrans(rpm_t, rpm_var_lib_t, { dir file })
 
 manage_dirs_pattern(rpm_t, rpm_var_run_t, rpm_var_run_t)



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

2019-07-13 Thread Jason Zaman
commit: 5fcc3d0770d58a36c657164ff60d81a276c39d79
Author: Chris PeBenito  microsoft  com>
AuthorDate: Thu May 16 12:57:36 2019 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Jul 13 06:43:14 2019 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5fcc3d07

logrotate: Make MTA optional.

Signed-off-by: Chris PeBenito  microsoft.com>
Signed-off-by: Jason Zaman  perfinion.com>

 policy/modules/admin/logrotate.te | 22 +-
 1 file changed, 13 insertions(+), 9 deletions(-)

diff --git a/policy/modules/admin/logrotate.te 
b/policy/modules/admin/logrotate.te
index 52cb35a5..37bab0aa 100644
--- a/policy/modules/admin/logrotate.te
+++ b/policy/modules/admin/logrotate.te
@@ -29,8 +29,6 @@ files_type(logrotate_var_lib_t)
 type logrotate_unit_t;
 init_unit_file(logrotate_unit_t)
 
-mta_base_mail_template(logrotate)
-role system_r types logrotate_mail_t;
 
 
 #
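Review bot: deleting the two lines leaves three consecutive blank lines before the section comment; drop one so the spacing matches the rest of the file. Functionally this hunk is fine on its own because the template and the role statement come back inside the optional block in the third hunk.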
@@ -131,8 +129,6 @@ userdom_use_user_terminals(logrotate_t)
 userdom_list_user_home_dirs(logrotate_t)
 userdom_use_unpriv_users_fds(logrotate_t)
 
-mta_sendmail_domtrans(logrotate_t, logrotate_mail_t)
-
 ifdef(`distro_debian',`
allow logrotate_t logrotate_tmp_t:file relabel_file_perms;
can_exec(logrotate_t, logrotate_exec_t)
@@ -279,13 +275,21 @@ optional_policy(`
 # Mail local policy
 #
 
-allow logrotate_mail_t logrotate_t:fd use;
-allow logrotate_mail_t logrotate_t:fifo_file rw_fifo_file_perms;
-allow logrotate_mail_t logrotate_t:process sigchld;
+optional_policy(`
+   mta_base_mail_template(logrotate)
+   role system_r types logrotate_mail_t;
+
+   allow logrotate_mail_t logrotate_t:fd use;
+   allow logrotate_mail_t logrotate_t:fifo_file rw_fifo_file_perms;
+   allow logrotate_mail_t logrotate_t:process sigchld;
 
-manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t)
+   manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t)
+
+   mta_sendmail_domtrans(logrotate_t, logrotate_mail_t)
+
+   logging_read_all_logs(logrotate_mail_t)
+')
 
-logging_read_all_logs(logrotate_mail_t)
 
 ifdef(`distro_gentoo',`
# Fix bug 534256 - fail2ban installs a logrotate file that calls 
fail2ban-client so allow transition
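Review bot: with the mail domain declared only inside `optional_policy()`, a build without the mta module leaves logrotate_t with no transition for sendmail, so a logrotate config using the `mail` directive will simply be denied when it executes the mailer; that is the intended failure mode (deny rather than run unconfined) but a one-line comment at the top of the block would save the next reader from wondering where the transition went. One layout nit: removing `logging_read_all_logs(logrotate_mail_t)` below the block leaves a doubled blank line before `ifdef(`distro_gentoo'`.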



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

2019-07-13 Thread Jason Zaman
commit: 848ab47ce8e072e0485216d113b49ec3ecdc8e19
Author: Chris PeBenito  ieee  org>
AuthorDate: Mon May 27 23:30:24 2019 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Jul 13 06:43:14 2019 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=848ab47c

logrotate: Module version bump.

Signed-off-by: Chris PeBenito  ieee.org>
Signed-off-by: Jason Zaman  perfinion.com>

 policy/modules/admin/logrotate.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/admin/logrotate.te 
b/policy/modules/admin/logrotate.te
index 37bab0aa..adc3101d 100644
--- a/policy/modules/admin/logrotate.te
+++ b/policy/modules/admin/logrotate.te
@@ -1,4 +1,4 @@
-policy_module(logrotate, 1.22.1)
+policy_module(logrotate, 1.22.2)
 
 
 #



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

2019-07-13 Thread Jason Zaman
commit: 9f421ae98022ed24ccc66e2c6d32f09d61d3427e
Author: Chris PeBenito  ieee  org>
AuthorDate: Tue Jul  9 00:49:31 2019 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Jul 13 06:43:14 2019 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9f421ae9

rpm: Module version bump.

Signed-off-by: Chris PeBenito  ieee.org>
Signed-off-by: Jason Zaman  perfinion.com>

 policy/modules/admin/rpm.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
index e74113fc..a73be953 100644
--- a/policy/modules/admin/rpm.te
+++ b/policy/modules/admin/rpm.te
@@ -1,4 +1,4 @@
-policy_module(rpm, 1.23.0)
+policy_module(rpm, 1.23.1)
 
 
 #



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

2019-07-13 Thread Jason Zaman
commit: eae38520b58bfb213ab8db6792a6c2ba94fc9161
Author: Sugar, David  tresys  com>
AuthorDate: Tue Jul  2 15:30:30 2019 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Jul 13 06:43:14 2019 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=eae38520

grant rpm permissions to map locale_t

type=AVC msg=audit(1560913896.408:217): avc:  denied  { map } for pid=1265 
comm="rpm" path="/usr/lib/locale/locale-archive" dev="dm-0" ino=24721 
scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:object_r:locale_t:s0 
tclass=file permissive=1

Signed-off-by: Dave Sugar  tresys.com>
Signed-off-by: Jason Zaman  perfinion.com>

 policy/modules/admin/rpm.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
index ff1dbf15..e385a8ba 100644
--- a/policy/modules/admin/rpm.te
+++ b/policy/modules/admin/rpm.te
@@ -207,6 +207,8 @@ libs_run_ldconfig(rpm_t, rpm_roles)
 logging_send_audit_msgs(rpm_t)
 logging_send_syslog_msg(rpm_t)
 
+miscfiles_read_localization(rpm_t)
+
 seutil_manage_src_policy(rpm_t)
 seutil_manage_bin_policy(rpm_t)
 



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

2019-07-13 Thread Jason Zaman
commit: 6b8e7ca613d74efbe08d3ad4aabafe2361cba20c
Author: Laurent Bigonville  bigon  be>
AuthorDate: Fri May  3 11:32:04 2019 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Jul 13 06:43:14 2019 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6b8e7ca6

Allow logrotate to execute fail2ban-client

fail2ban logrotate configuration runs "fail2ban-client flushlogs" after
rotating the logs.

Signed-off-by: Jason Zaman  perfinion.com>

 policy/modules/admin/logrotate.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/admin/logrotate.te 
b/policy/modules/admin/logrotate.te
index e66f15ef..e6e2a97b 100644
--- a/policy/modules/admin/logrotate.te
+++ b/policy/modules/admin/logrotate.te
@@ -193,6 +193,7 @@ optional_policy(`
 ')
 
 optional_policy(`
+   fail2ban_domtrans_client(logrotate_t)
fail2ban_stream_connect(logrotate_t)
 ')
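Review bot: keeping `fail2ban_stream_connect(logrotate_t)` next to the new `fail2ban_domtrans_client(logrotate_t)` is correct, since the connect rule was never enough on its own: fail2ban-client is a separate executable, so without the domain transition it ran in logrotate_t and the flushlogs command failed at exec rather than at the socket. With the transition the client runs in its own domain, and whatever it needs from there (the socket, the inherited fds) is that interface's job, so nothing more is needed in logrotate.te.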
 



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

2019-07-13 Thread Jason Zaman
commit: ff958f25ddf696b09e9a0b91dd2883262abcaa7c
Author: Sugar, David  tresys  com>
AuthorDate: Tue Jul  2 17:59:43 2019 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Jul 13 06:43:14 2019 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ff958f25

grant permission for rpm to write to audit log

Messages like this are added to the audit log when an rpm is installed:
type=SOFTWARE_UPDATE msg=audit(1560913896.581:244): pid=1265 uid=0 
auid=4294967295 ses=4294967295 subj=system_u:system_r:rpm_t:s0 
msg='sw="ntpdate-4.2.6p5-25.el7_3.2.x86_64" sw_type=rpm key_enforce=0 gpg_res=0 
root_dir="/" comm="rpm" exe="/usr/bin/rpm" hostname=? addr=?  terminal=? 
res=success'

These are the denials that I'm seeing:
type=AVC msg=audit(1560913896.581:243): avc:  denied  { audit_write } for  
pid=1265 comm="rpm" capability=29 scontext=system_u:system_r:rpm_t:s0 
tcontext=system_u:system_r:rpm_t:s0 tclass=capability permissive=1

type=AVC msg=audit(1561298132.446:240): avc:  denied  { create } for pid=1266 
comm="rpm" scontext=system_u:system_r:rpm_t:s0 
tcontext=system_u:system_r:rpm_t:s0 tclass=netlink_audit_socket permissive=1
type=AVC msg=audit(1561298132.446:241): avc:  denied  { write } for pid=1266 
comm="rpm" scontext=system_u:system_r:rpm_t:s0 
tcontext=system_u:system_r:rpm_t:s0 tclass=netlink_audit_socket permissive=1
type=AVC msg=audit(1561298132.446:241): avc:  denied  { nlmsg_relay } for  
pid=1266 comm="rpm" scontext=system_u:system_r:rpm_t:s0 
tcontext=system_u:system_r:rpm_t:s0 tclass=netlink_audit_socket permissive=1
type=AVC msg=audit(1561298132.447:243): avc:  denied  { read } for pid=1266 
comm="rpm" scontext=system_u:system_r:rpm_t:s0 
tcontext=system_u:system_r:rpm_t:s0 tclass=netlink_audit_socket permissive=1

v2 - Use interface rather than adding permissions here - this change may
confuse subsequent patches in this set, if so let me know and I will
submit a pull request on github.

Signed-off-by: Dave Sugar  tresys.com>
Signed-off-by: Jason Zaman  perfinion.com>

 policy/modules/admin/rpm.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
index 85e32b3e..ff1dbf15 100644
--- a/policy/modules/admin/rpm.te
+++ b/policy/modules/admin/rpm.te
@@ -204,6 +204,7 @@ libs_exec_ld_so(rpm_t)
 libs_exec_lib_files(rpm_t)
 libs_run_ldconfig(rpm_t, rpm_roles)
 
+logging_send_audit_msgs(rpm_t)
 logging_send_syslog_msg(rpm_t)
 
 seutil_manage_src_policy(rpm_t)
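Review bot: `logging_send_audit_msgs(rpm_t)` is the right replacement for the raw rules the v2 note mentions: the four quoted denials (capability audit_write, plus create/write/read/nlmsg_relay on rpm_t's own netlink_audit_socket) are exactly the set that interface bundles, and aide.te already calls the same interface for aide_t, so this brings rpm_t in line with it rather than open-coding the permissions.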


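Several commit messages on this page (the alsactl pidfile denials, the groupadd dbus denial and the rpm audit_write denials in the message above) each turn a handful of AVC records into one policy rule. The following is an added example, not code from this page, from refpolicy or from audit2allow, showing the raw grouping step behind that translation: parse the `avc: denied` records, key them by source type, target type and object class, union the permissions, and render a raw `allow` rule per key. The sample records are copied from the commit messages on this page and re-joined onto one line each, with one constructed non-AVC line to show that unrelated records are skipped; all helper names are mine. The raw rules are only a starting point: as the v2 note in the message says, a refpolicy patch replaces them with the interface that owns the permission (here `logging_send_audit_msgs`).

```python
import re
from collections import defaultdict

# AVC records copied from the commit messages on this page, re-joined onto a
# single line each so they look as they do in audit.log. The final SYSCALL
# line is constructed, to show that non-AVC records are ignored.
SAMPLE_RECORDS = [
    'type=AVC msg=audit(1570352349.743:45): avc:  denied  { write open } for  pid=804 comm="alsactl" path="/run/alsactl.pid" dev="tmpfs" ino=25882 scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1570352349.743:45): avc:  denied  { create } for  pid=804 comm="alsactl" name="alsactl.pid" scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1570355678.226:657): avc:  denied  { open } for  pid=9186 comm="alsactl" path="/run/alsactl.pid" dev="tmpfs" ino=25882 scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1570355678.226:657): avc:  denied  { read } for  pid=9186 comm="alsactl" name="alsactl.pid" dev="tmpfs" ino=25882 scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1570355678.230:659): avc:  denied  { unlink } for  pid=804 comm="alsactl" name="alsactl.pid" dev="tmpfs" ino=25882 scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1',
    "type=USER_AVC msg=audit(1578863991.588:575): pid=381 uid=104 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.systemd1.Manager member=LookupDynamicUserByName dest=org.freedesktop.systemd1 spid=13759 tpid=1 scontext=unconfined_u:unconfined_r:groupadd_t tcontext=system_u:system_r:init_t tclass=dbus permissive=1 exe=\"/usr/bin/dbus-daemon\" sauid=104 hostname=? addr=? terminal=?'",
    'type=AVC msg=audit(1560913896.581:243): avc:  denied  { audit_write } for  pid=1265 comm="rpm" capability=29 scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=capability permissive=1',
    'type=SYSCALL msg=audit(1560913896.581:243): arch=c000003e syscall=1 success=yes exit=32',
]

# Matches the "avc:  denied  { perm perm ... }" part of both AVC and USER_AVC
# records (in USER_AVC it sits inside the quoted msg='...' field).
DENIED_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}")


def _field(record, name):
    """Return the value of a whitespace-delimited name=value field, or None."""
    m = re.search(r"(?:^|\s)" + re.escape(name) + r"=(\S+)", record)
    return m.group(1) if m else None


def context_type(ctx):
    """Pick the type out of user:role:type[:mls], with or without an MLS range."""
    return ctx.split(":")[2]


def parse_avc(record):
    """Parse one audit record; return a dict, or None if it is not an AVC denial."""
    m = DENIED_RE.search(record)
    if not m:
        return None
    scontext = _field(record, "scontext")
    tcontext = _field(record, "tcontext")
    tclass = _field(record, "tclass")
    if not (scontext and tcontext and tclass):
        return None
    return {
        "perms": set(m.group("perms").split()),
        "stype": context_type(scontext),
        "ttype": context_type(tcontext),
        "tclass": tclass,
        # permissive=1 means the access was logged but allowed to proceed;
        # only permissive=0 records are denials the kernel actually enforced.
        "enforced": _field(record, "permissive") == "0",
    }


def collect_denials(records):
    """Group denials by (source type, target type, class), unioning the permissions."""
    grouped = defaultdict(set)
    for record in records:
        avc = parse_avc(record)
        if avc:
            grouped[(avc["stype"], avc["ttype"], avc["tclass"])] |= avc["perms"]
    return dict(grouped)


def render_rules(grouped):
    """Render grouped denials as raw allow rules, using `self` when source == target."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(grouped.items()):
        target = "self" if stype == ttype else ttype
        rules.append(f"allow {stype} {target}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return rules


if __name__ == "__main__":
    for rule in render_rules(collect_denials(SAMPLE_RECORDS)):
        print(rule)
```

Because every sample was captured with permissive=1, each operation ran to completion and logged all of its denials, which is why the alsa group covers the whole pidfile lifecycle (create, write, open, read, unlink) in one go; in enforcing mode the first denial aborts the operation and only one permission shows up per run, so rules derived from enforcing logs tend to need several iterations.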

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

2019-03-26 Thread Jason Zaman
commit: 45581b7ac1b5fafd180b6bc43c1ea329c416b1ec
Author: Sugar, David  tresys  com>
AuthorDate: Mon Feb 25 23:37:47 2019 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Mon Mar 25 10:05:25 2019 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=45581b7a

Allow AIDE to mmap files

AIDE has a compile time option WITH_MMAP which allows AIDE to
map files during scanning.  RHEL7 has set this option in the
aide rpm they distribute.

Changes made to add a tunable to enable permissions allowing
aide to map files that it needs.  I have set the default to
false as this seems preferred (in my mind).

Signed-off-by: Dave Sugar  tresys.com>
Signed-off-by: Jason Zaman  perfinion.com>

 policy/modules/admin/aide.te | 13 +
 1 file changed, 13 insertions(+)

diff --git a/policy/modules/admin/aide.te b/policy/modules/admin/aide.te
index f58ba850..fe52a280 100644
--- a/policy/modules/admin/aide.te
+++ b/policy/modules/admin/aide.te
@@ -5,6 +5,15 @@ policy_module(aide, 1.8.0)
 # Declarations
 #
 
+## 
+## 
+## Control if AIDE can mmap files.
+## AIDE can be compiled with the option 'with-mmap' in which case it will
+## attempt to mmap files while running.
+## 
+## 
+gen_tunable(aide_mmap_files, false)
+
 attribute_role aide_roles;
 
 type aide_t;
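Review bot: the tunable's documentation block shows bare `##` lines with no `<summary>`/`<desc>`/`<p>` markup in this rendering; refpolicy's documentation generator needs those tags, so please check the committed file carries them (the wording itself is fine). It would also help an administrator deciding on the boolean if the description named what it actually grants, which is `map` on non-auth files, rather than only "mmap files".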
@@ -43,6 +52,10 @@ logging_send_syslog_msg(aide_t)
 
 userdom_use_user_terminals(aide_t)
 
+tunable_policy(`aide_mmap_files',`
+   files_map_non_auth_files(aide_t)
+')
+
 optional_policy(`
seutil_use_newrole_fds(aide_t)
 ')
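Review bot: `files_map_non_auth_files()` deliberately leaves out the auth-related file types (shadow and friends), while `files_read_all_files(aide_t)` already lets aide_t read them; an AIDE built with WITH_MMAP will therefore still hit `map` denials on those files unless it falls back to read() when mmap fails. Either confirm that fallback exists, or note in the tunable description that auth files are scanned without mmap, so the residual denials are understood rather than "fixed" later by widening the rule.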



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

2019-03-26 Thread Jason Zaman
commit: d4a52c8d5636dc5c0ca411704137cee945f1071d
Author: Sugar, David  tresys  com>
AuthorDate: Mon Feb 25 23:37:47 2019 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Mon Mar 25 10:05:25 2019 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d4a52c8d

Allow AIDE to read kernel sysctl_crypto_t

type=AVC msg=audit(1550799594.212:164): avc:  denied  { search } for  pid=7182 
comm="aide" name="crypto" dev="proc" ino=10257 
scontext=system_u:system_r:aide_t:s0 
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1550799594.212:164): avc:  denied  { read } for  pid=7182 
comm="aide" name="fips_enabled" dev="proc" ino=10258 
scontext=system_u:system_r:aide_t:s0 
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1550799594.212:164): avc:  denied  { open } for  pid=7182 
comm="aide" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=10258 
scontext=system_u:system_r:aide_t:s0 
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1550799594.213:165): avc:  denied  { getattr } for  pid=7182 
comm="aide" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=10258 
scontext=system_u:system_r:aide_t:s0 
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar  tresys.com>
Signed-off-by: Jason Zaman  perfinion.com>

 policy/modules/admin/aide.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/admin/aide.te b/policy/modules/admin/aide.te
index 6297b60e..f58ba850 100644
--- a/policy/modules/admin/aide.te
+++ b/policy/modules/admin/aide.te
@@ -36,6 +36,7 @@ files_read_all_files(aide_t)
 files_read_all_symlinks(aide_t)
 
 kernel_dgram_send(aide_t)
+kernel_read_crypto_sysctls(aide_t)
 
 logging_send_audit_msgs(aide_t)
 logging_send_syslog_msg(aide_t)



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/, policy/modules/system/

2019-03-26 Thread Jason Zaman
commit: 4266a333c75861d4030687bafa5e26606230abbf
Author: Chris PeBenito  ieee  org>
AuthorDate: Tue Mar 12 00:57:05 2019 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Mon Mar 25 10:05:25 2019 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4266a333

systemd, udev, usermanage: Module version bump.

Signed-off-by: Jason Zaman  perfinion.com>

 policy/modules/admin/usermanage.te | 2 +-
 policy/modules/system/systemd.te   | 2 +-
 policy/modules/system/udev.te  | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/policy/modules/admin/usermanage.te 
b/policy/modules/admin/usermanage.te
index d8ba89e6..f9a224a1 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -1,4 +1,4 @@
-policy_module(usermanage, 1.22.0)
+policy_module(usermanage, 1.22.1)
 
 
 #

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 25e9550d..07529a5d 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1,4 +1,4 @@
-policy_module(systemd, 1.7.3)
+policy_module(systemd, 1.7.4)
 
 #
 #

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index f6a9d652..8149ea9a 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -1,4 +1,4 @@
-policy_module(udev, 1.25.0)
+policy_module(udev, 1.25.1)
 
 
 #



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

2019-03-26 Thread Jason Zaman
commit: 52cb621762b5a0e7c4276d1c527623181f2ee454
Author: Chris PeBenito  ieee  org>
AuthorDate: Tue Mar 12 00:56:46 2019 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Mon Mar 25 10:05:25 2019 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=52cb6217

usermanage: Move kernel_dgram_send(passwd_t) to systemd block.

Signed-off-by: Jason Zaman  perfinion.com>

 policy/modules/admin/usermanage.te | 6 +-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/policy/modules/admin/usermanage.te 
b/policy/modules/admin/usermanage.te
index 0f874b1a..d8ba89e6 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -304,7 +304,6 @@ allow passwd_t self:msg { send receive };
 allow passwd_t crack_db_t:dir list_dir_perms;
 read_files_pattern(passwd_t, crack_db_t, crack_db_t)
 
-kernel_dgram_send(passwd_t)
 kernel_read_crypto_sysctls(passwd_t)
 kernel_read_kernel_sysctls(passwd_t)
 
@@ -367,6 +366,11 @@ userdom_read_user_tmp_files(passwd_t)
 # on user home dir
 userdom_dontaudit_search_user_home_content(passwd_t)
 
+ifdef(`init_systemd',`
+   # for journald /dev/log
+   kernel_dgram_send(passwd_t)
+')
+
 optional_policy(`
nscd_run(passwd_t, passwd_roles)
 ')
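Review bot: moving `kernel_dgram_send(passwd_t)` under `ifdef(`init_systemd',` makes it a build-time conditional, so non-systemd builds lose the sendto to kernel_t's datagram socket entirely. That matches the `# for journald /dev/log` comment, but it assumes passwd_t already has the ordinary syslog path (logging_send_syslog_msg) for the sysvinit/syslogd case, which this hunk does not show; worth confirming before merge.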



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

2019-03-26 Thread Jason Zaman
commit: 17daafd3ec8af0e3e870d7b9aa2e4a68dcd5d00c
Author: Sugar, David  tresys  com>
AuthorDate: Mon Mar 11 16:02:29 2019 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Mon Mar 25 10:05:25 2019 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=17daafd3

Resolve denial while changing password

I'm seeing the following denials reading /proc/sys/crypto/fips_enabled
and sending a message for logging. This resolves those denials.

type=AVC msg=audit(155811.419:470): avc:  denied  { search } for  pid=7739 
comm="passwd" name="crypto" dev="proc" ino=2253 
scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(155811.419:470): avc:  denied  { read } for  pid=7739 
comm="passwd" name="fips_enabled" dev="proc" ino=2254 
scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(155811.419:470): avc:  denied  { open } for  pid=7739 
comm="passwd" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=2254 
scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(155811.419:471): avc:  denied  { getattr } for  pid=7739 
comm="passwd" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=2254 
scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1

type=AVC msg=audit(155811.431:476): avc:  denied  { sendto } for  pid=7739 
comm="passwd" path="/dev/log" 
scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 
tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1

Signed-off-by: Dave Sugar  tresys.com>
Signed-off-by: Jason Zaman  perfinion.com>

 policy/modules/admin/usermanage.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/admin/usermanage.te 
b/policy/modules/admin/usermanage.te
index a91c0b7c..0f874b1a 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -304,6 +304,8 @@ allow passwd_t self:msg { send receive };
 allow passwd_t crack_db_t:dir list_dir_perms;
 read_files_pattern(passwd_t, crack_db_t, crack_db_t)
 
+kernel_dgram_send(passwd_t)
+kernel_read_crypto_sysctls(passwd_t)
 kernel_read_kernel_sysctls(passwd_t)
 
 # for SSP
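Review bot: `kernel_dgram_send(passwd_t)` is added unconditionally, yet the sendto denial it answers is against `/dev/log` labelled kernel_t, which is the systemd/journald layout; under a classic syslogd, /dev/log belongs to the logging daemon and this rule grants passwd_t an unneeded path to kernel_t. Wrapping it in ifdef(`init_systemd') keeps the grant to the case that needs it (the follow-up commit above on this page does exactly that). `kernel_read_crypto_sysctls(passwd_t)` correctly covers all four logged denials (search on the sysctl_crypto_t dir, read/open/getattr on the file).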



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

2018-12-09 Thread Jason Zaman
commit: fd2f4ebf4bfebbf0660ea15a84a9e5fd9db217b8
Author: Luis Ressel  aixah  de>
AuthorDate: Tue Oct 23 23:14:28 2018 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Nov 18 10:59:17 2018 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=fd2f4ebf

Allow portage_sandbox_t to read /proc/sys/vm/overcommit_memory

git uses this.

Signed-off-by: Jason Zaman  perfinion.com>

 policy/modules/admin/portage.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
index 33547b6e..bdf5d412 100644
--- a/policy/modules/admin/portage.te
+++ b/policy/modules/admin/portage.te
@@ -515,6 +515,8 @@ gen_tunable(portage_enable_test, false)
 
dev_getattr_xserver_misc_dev(portage_sandbox_t)
 
+   kernel_read_vm_overcommit_sysctl(portage_sandbox_t)
+
tunable_policy(`portage_enable_test',`
# lots of tests connect over loopback
corenet_tcp_bind_all_unreserved_ports(portage_sandbox_t)
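Review bot: `kernel_read_vm_overcommit_sysctl(portage_sandbox_t)` is added without a comment, while the surrounding block documents its rules (`# lots of tests connect over loopback`); a `# git reads /proc/sys/vm/overcommit_memory` comment, which is the reason the commit message gives, keeps the justification in the policy file where it is read rather than only in git history.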



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

2018-11-11 Thread Jason Zaman
commit: 9ef8aea97d654eb4b3659ca1aaa87caae7665d0b
Author: Chris PeBenito  ieee  org>
AuthorDate: Sat Oct 13 17:38:18 2018 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Nov 11 23:17:31 2018 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9ef8aea9

logrotate: Module version bump.

Signed-off-by: Jason Zaman  perfinion.com>

 policy/modules/admin/logrotate.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/admin/logrotate.te 
b/policy/modules/admin/logrotate.te
index 01e99b12..c43cf4ba 100644
--- a/policy/modules/admin/logrotate.te
+++ b/policy/modules/admin/logrotate.te
@@ -1,4 +1,4 @@
-policy_module(logrotate, 1.21.0)
+policy_module(logrotate, 1.21.1)
 
 
 #



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

2018-11-11 Thread Jason Zaman
commit: da4fa3729e32c0af8e0cda241986ba0600e584f1
Author: Luis Ressel  aixah  de>
AuthorDate: Fri Oct 12 22:23:04 2018 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Nov 11 23:17:31 2018 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=da4fa372

Add fc for /var/lib/misc/logrotate.status

Some distros configure logrotate to put its status file somewhere else
than the default /var/lib/logrotate.status. Debian puts it in
/var/lib/logrotate/, and Gentoo uses /var/lib/misc/.

Signed-off-by: Jason Zaman  perfinion.com>

 policy/modules/admin/logrotate.fc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/admin/logrotate.fc 
b/policy/modules/admin/logrotate.fc
index dac1af39..cd43ab28 100644
--- a/policy/modules/admin/logrotate.fc
+++ b/policy/modules/admin/logrotate.fc
@@ -9,4 +9,4 @@
 /usr/sbin/logrotate--  
gen_context(system_u:object_r:logrotate_exec_t,s0)
 
 /var/lib/logrotate(/.*)?   
gen_context(system_u:object_r:logrotate_var_lib_t,s0)
-/var/lib/logrotate\.status --  
gen_context(system_u:object_r:logrotate_var_lib_t,s0)
+/var/lib/(misc/)?logrotate\.status --  
gen_context(system_u:object_r:logrotate_var_lib_t,s0)



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

2018-11-11 Thread Jason Zaman
commit: da88f8dde868a0fa49d6e786b4296a26ee03d065
Author: Luis Ressel  aixah  de>
AuthorDate: Fri Oct 12 22:23:05 2018 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Nov 11 23:17:31 2018 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=da88f8dd

Realign logrotate.fc, remove an obvious comment

Signed-off-by: Jason Zaman  perfinion.com>

 policy/modules/admin/logrotate.fc | 9 -
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/policy/modules/admin/logrotate.fc 
b/policy/modules/admin/logrotate.fc
index cd43ab28..fd5497f3 100644
--- a/policy/modules/admin/logrotate.fc
+++ b/policy/modules/admin/logrotate.fc
@@ -1,12 +1,11 @@
 /etc/cron\.(daily|weekly)/logrotate--  
gen_context(system_u:object_r:logrotate_exec_t,s0)
 /etc/cron\.(daily|weekly)/sysklogd --  
gen_context(system_u:object_r:logrotate_exec_t,s0)
 
-/usr/bin/logrotate --  
gen_context(system_u:object_r:logrotate_exec_t,s0)
+/usr/bin/logrotate --  
gen_context(system_u:object_r:logrotate_exec_t,s0)
 
-# Systemd unit file
-/usr/lib/systemd/system/[^/]*logrotate.*   --  
gen_context(system_u:object_r:logrotate_unit_t,s0)
+/usr/lib/systemd/system/[^/]*logrotate.*  --   
gen_context(system_u:object_r:logrotate_unit_t,s0)
 
-/usr/sbin/logrotate--  
gen_context(system_u:object_r:logrotate_exec_t,s0)
+/usr/sbin/logrotate--  
gen_context(system_u:object_r:logrotate_exec_t,s0)
 
-/var/lib/logrotate(/.*)?   
gen_context(system_u:object_r:logrotate_var_lib_t,s0)
+/var/lib/logrotate(/.*)?   
gen_context(system_u:object_r:logrotate_var_lib_t,s0)
 /var/lib/(misc/)?logrotate\.status --  
gen_context(system_u:object_r:logrotate_var_lib_t,s0)
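Review bot: apart from dropping the `# Systemd unit file` comment, every `-`/`+` pair in this hunk differs only in the whitespace between the path regex, the `--` type field and the gen_context(); mail wrapping makes the alignment unverifiable here, so check with `git diff -w` that the regexes and contexts are byte-identical before accepting a realignment-only change to file contexts, since a silently altered regex changes which files get which label.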



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

2018-07-12 Thread Jason Zaman
commit: 2183738fdf2058f431c6eb7fbdadf9c398eb0eac
Author: Jason Zaman  perfinion  com>
AuthorDate: Mon Jul  9 13:04:40 2018 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Wed Jul 11 14:42:50 2018 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2183738f

portage: allow getattr xserver_misc_device for cuda

 policy/modules/admin/portage.te | 4 
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
index 4d1a4955..33547b6e 100644
--- a/policy/modules/admin/portage.te
+++ b/policy/modules/admin/portage.te
@@ -477,6 +477,8 @@ gen_tunable(portage_enable_test, false)
 
auth_use_nsswitch(portage_t)
 
+   dev_getattr_xserver_misc_dev(portage_t)
+
# Support cgroup FEATURES
fs_mount_cgroup(portage_t)
fs_mounton_cgroup(portage_t)
@@ -511,6 +513,8 @@ gen_tunable(portage_enable_test, false)
# install-xattr does listxattr() which throws a lot of this
dontaudit portage_sandbox_t self:capability sys_admin;
 
+   dev_getattr_xserver_misc_dev(portage_sandbox_t)
+
tunable_policy(`portage_enable_test',`
# lots of tests connect over loopback
corenet_tcp_bind_all_unreserved_ports(portage_sandbox_t)
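Review bot: `dev_getattr_xserver_misc_dev` is added for both portage_t (previous hunk) and portage_sandbox_t with no inline comment, whereas the neighbouring rules explain themselves (`# Support cgroup FEATURES`, `# install-xattr does listxattr() ...`); add a comment noting that CUDA builds stat the device nodes, as the commit title says. getattr alone, without open/read, is the right minimal grant for a stat.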



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/, policy/modules/services/, policy/modules/contrib/

2018-06-24 Thread Jason Zaman
commit: 0465c1dcb9656c6dc51c33144b7280369a32c776
Author: Jason Zaman  perfinion  com>
AuthorDate: Sun Jun 24 08:44:51 2018 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Jun 24 08:44:51 2018 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0465c1dc

move additional .rst files out of contrib

 policy/modules/{contrib => admin}/aide.rst | 0
 policy/modules/{contrib => admin}/portage.rst  | 0
 policy/modules/{contrib => services}/cron.rst  | 0
 policy/modules/{contrib => services}/munin.rst | 0
 4 files changed, 0 insertions(+), 0 deletions(-)

diff --git a/policy/modules/contrib/aide.rst b/policy/modules/admin/aide.rst
similarity index 100%
rename from policy/modules/contrib/aide.rst
rename to policy/modules/admin/aide.rst

diff --git a/policy/modules/contrib/portage.rst 
b/policy/modules/admin/portage.rst
similarity index 100%
rename from policy/modules/contrib/portage.rst
rename to policy/modules/admin/portage.rst

diff --git a/policy/modules/contrib/cron.rst b/policy/modules/services/cron.rst
similarity index 100%
rename from policy/modules/contrib/cron.rst
rename to policy/modules/services/cron.rst

diff --git a/policy/modules/contrib/munin.rst 
b/policy/modules/services/munin.rst
similarity index 100%
rename from policy/modules/contrib/munin.rst
rename to policy/modules/services/munin.rst



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

2017-10-29 Thread Jason Zaman
commit: ab221a14bbcdcf910a655ce840f6f75fbad8a869
Author: Luis Ressel via refpolicy  oss  tresys  
com>
AuthorDate: Tue Oct 24 23:46:30 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Oct 29 12:59:50 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ab221a14

netutils: Grant netutils_t map perms for the packet_socket class

This is required for the PACKET_RX_RING feature used by tcpdump.

 policy/modules/admin/netutils.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index f0995ef3..0d3fb75d 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -40,7 +40,7 @@ allow netutils_t self:netlink_route_socket 
create_netlink_socket_perms;
 allow netutils_t self:netlink_socket create_socket_perms;
 # For tcpdump.
 allow netutils_t self:netlink_netfilter_socket create_socket_perms;
-allow netutils_t self:packet_socket create_socket_perms;
+allow netutils_t self:packet_socket { create_socket_perms map };
 allow netutils_t self:udp_socket create_socket_perms;
 allow netutils_t self:tcp_socket create_stream_socket_perms;
 allow netutils_t self:socket create_socket_perms;
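Review bot: the `# For tcpdump.` comment two lines up reads as applying only to netlink_netfilter_socket; since `map` on self:packet_socket is also for tcpdump's PACKET_RX_RING (the mmap'd ring buffer that triggers the map check), move or duplicate the comment onto the packet_socket line so the reason for the extra permission stays visible. The grant remains scoped to netutils_t's own sockets, so there is no cross-domain widening.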



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

2017-06-13 Thread Jason Zaman
commit: fe17c9fa110210e65e9eee5122c787048256e667
Author: cgzones  googlemail  com>
AuthorDate: Fri Jun  9 13:30:24 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Tue Jun 13 08:02:15 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=fe17c9fa

netutils: update

v2:
 - keep files_read_etc_files interfaces

 policy/modules/admin/netutils.fc |  1 +
 policy/modules/admin/netutils.te | 15 +++
 2 files changed, 4 insertions(+), 12 deletions(-)

diff --git a/policy/modules/admin/netutils.fc b/policy/modules/admin/netutils.fc
index 4f77e1cc..54c0793f 100644
--- a/policy/modules/admin/netutils.fc
+++ b/policy/modules/admin/netutils.fc
@@ -3,6 +3,7 @@
 /usr/bin/hping2--  
gen_context(system_u:object_r:ping_exec_t,s0)
 /usr/bin/iptstate  --  
gen_context(system_u:object_r:netutils_exec_t,s0)
 /usr/bin/lft   --  
gen_context(system_u:object_r:traceroute_exec_t,s0)
+/usr/bin/mtr   --  
gen_context(system_u:object_r:traceroute_exec_t,s0)
 /usr/bin/nmap  --  
gen_context(system_u:object_r:traceroute_exec_t,s0)
 /usr/bin/ping.*--  gen_context(system_u:object_r:ping_exec_t,s0)
 /usr/bin/send_arp  --  gen_context(system_u:object_r:ping_exec_t,s0)
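Review bot: labelling /usr/bin/mtr as traceroute_exec_t gives it traceroute_t's net_admin/net_raw capabilities, which matches how mtr works; note however that mtr from 0.87 onward does the raw-socket work in a separate `mtr-packet` helper binary, which this single entry does not cover, so an entry for mtr-packet (wherever the distro installs it) may be needed for current builds.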

diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index 19af9a5d..f881cf8b 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -49,7 +49,6 @@ manage_dirs_pattern(netutils_t, netutils_tmp_t, 
netutils_tmp_t)
 manage_files_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t)
 files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir })
 
-kernel_search_proc(netutils_t)
 kernel_read_network_state(netutils_t)
 kernel_read_all_sysctls(netutils_t)
 
@@ -86,9 +85,7 @@ logging_send_syslog_msg(netutils_t)
 
 miscfiles_read_localization(netutils_t)
 
-term_dontaudit_use_console(netutils_t)
-userdom_use_user_terminals(netutils_t)
-userdom_use_all_users_fds(netutils_t)
+userdom_use_inherited_user_terminals(netutils_t)
 
 optional_policy(`
nis_use_ypbind(netutils_t)
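Review bot: replacing `userdom_use_user_terminals` and `userdom_use_all_users_fds` with `userdom_use_inherited_user_terminals` narrows netutils_t to reading and writing the terminal fd it inherited, with no permission to open terminals itself; that is the right least-privilege shape for CLI tools, but confirm that nothing in netutils_t (an interactive prompt, for instance) re-opens /dev/tty, since that would now be denied. Removing `term_dontaudit_use_console` means any remaining console access will show up in the audit log instead of being silenced, which is the behaviour you want when verifying the change.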
@@ -127,12 +124,9 @@ corenet_tcp_sendrecv_all_ports(ping_t)
 
 dev_read_urand(ping_t)
 
-fs_dontaudit_getattr_xattr_fs(ping_t)
-
 domain_use_interactive_fds(ping_t)
 
 files_read_etc_files(ping_t)
-files_dontaudit_search_var(ping_t)
 
 kernel_read_system_state(ping_t)
 
@@ -142,7 +136,7 @@ logging_send_syslog_msg(ping_t)
 
 miscfiles_read_localization(ping_t)
 
-userdom_use_user_terminals(ping_t)
+userdom_use_inherited_user_terminals(ping_t)
 
 ifdef(`hide_broken_symptoms',`
init_dontaudit_use_fds(ping_t)
@@ -197,12 +191,9 @@ corenet_tcp_connect_all_ports(traceroute_t)
 corenet_sendrecv_all_client_packets(traceroute_t)
 corenet_sendrecv_traceroute_server_packets(traceroute_t)
 
-fs_dontaudit_getattr_xattr_fs(traceroute_t)
-
 domain_use_interactive_fds(traceroute_t)
 
 files_read_etc_files(traceroute_t)
-files_dontaudit_search_var(traceroute_t)
 
 init_use_fds(traceroute_t)
 
@@ -212,7 +203,7 @@ logging_send_syslog_msg(traceroute_t)
 
 miscfiles_read_localization(traceroute_t)
 
-userdom_use_user_terminals(traceroute_t)
+userdom_use_inherited_user_terminals(traceroute_t)
 
 #rules needed for nmap
 dev_read_rand(traceroute_t)



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/, policy/modules/system/, policy/modules/kernel/, ...

2017-06-13 Thread Jason Zaman
commit: 87ec6e61fcc535a8a26b187e0d5d677e535eb320
Author: Chris PeBenito  ieee  org>
AuthorDate: Mon Jun 12 22:48:58 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Tue Jun 13 08:02:15 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=87ec6e61

Module version bump for patches from cgzones.

 policy/modules/admin/netutils.te  | 2 +-
 policy/modules/kernel/corecommands.te | 2 +-
 policy/modules/roles/sysadm.te| 2 +-
 policy/modules/system/init.te | 2 +-
 policy/modules/system/iptables.te | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index f881cf8b..eef4930a 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -1,4 +1,4 @@
-policy_module(netutils, 1.16.3)
+policy_module(netutils, 1.16.4)
 
 
 #

diff --git a/policy/modules/kernel/corecommands.te 
b/policy/modules/kernel/corecommands.te
index 1ee2a9e3..6c5bb761 100644
--- a/policy/modules/kernel/corecommands.te
+++ b/policy/modules/kernel/corecommands.te
@@ -1,4 +1,4 @@
-policy_module(corecommands, 1.23.10)
+policy_module(corecommands, 1.23.11)
 
 
 #

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index e28a28bd..7acb7f43 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -1,4 +1,4 @@
-policy_module(sysadm, 2.11.10)
+policy_module(sysadm, 2.11.11)
 
 
 #

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index e44dfded..f91cf23d 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 2.2.23)
+policy_module(init, 2.2.24)
 
 gen_require(`
class passwd rootok;

diff --git a/policy/modules/system/iptables.te 
b/policy/modules/system/iptables.te
index 33cd9343..32c08ec5 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -1,4 +1,4 @@
-policy_module(iptables, 1.18.5)
+policy_module(iptables, 1.18.6)
 
 
 #



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/, policy/modules/system/

2017-02-27 Thread Jason Zaman
commit: f45e0db0dcd22534c2ab32160e56e10795010ebf
Author: Chris PeBenito  ieee  org>
AuthorDate: Sun Feb 26 17:08:02 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Mon Feb 27 10:38:00 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f45e0db0

auth: Move optional out of auth_use_pam_systemd() to callers.

 policy/modules/admin/su.if   | 5 -
 policy/modules/system/authlogin.if   | 6 ++
 policy/modules/system/selinuxutil.te | 5 -
 3 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
index cd137d59..8e21b217 100644
--- a/policy/modules/admin/su.if
+++ b/policy/modules/admin/su.if
@@ -190,7 +190,6 @@ template(`su_role_template',`
auth_dontaudit_read_shadow($1_su_t)
auth_use_nsswitch($1_su_t)
auth_rw_faillog($1_su_t)
-   auth_use_pam_systemd($1_su_t)
 
corecmd_search_bin($1_su_t)
 
@@ -227,6 +226,10 @@ template(`su_role_template',`
')
')
 
+   optional_policy(`
+   auth_use_pam_systemd($1_su_t)
+   ')
+
tunable_policy(`allow_polyinstantiation',`
fs_mount_xattr_fs($1_su_t)
fs_unmount_xattr_fs($1_su_t)
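Review bot: moving `auth_use_pam_systemd($1_su_t)` into its own `optional_policy` block is required, not merely tidier, once the interface no longer wraps its dbus/systemd calls (see the authlogin.if hunk in this patch): without it, a build lacking the dbus or systemd modules fails to resolve the required types. Every other caller of auth_use_pam_systemd needs the same treatment; this patch covers su.if and selinuxutil.te only.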

diff --git a/policy/modules/system/authlogin.if 
b/policy/modules/system/authlogin.if
index fb92132d..2b70d124 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -100,10 +100,8 @@ interface(`auth_use_pam',`
 ## 
 #
 interface(`auth_use_pam_systemd',`
-   optional_policy(`
-   dbus_system_bus_client($1)
-   systemd_dbus_chat_logind($1)
-   ')
+   dbus_system_bus_client($1)
+   systemd_dbus_chat_logind($1)
 ')
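Review bot: with the inner `optional_policy` removed, auth_use_pam_systemd now hard-requires the types referenced by `dbus_system_bus_client` and `systemd_dbus_chat_logind`; the interface's doc block above (mangled in this archive) should state that callers must wrap it in optional_policy, otherwise the next caller will repeat the build failure this patch is fixing.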
 
 

diff --git a/policy/modules/system/selinuxutil.te 
b/policy/modules/system/selinuxutil.te
index 5f624126..931d8591 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -283,7 +283,6 @@ auth_use_nsswitch(newrole_t)
 auth_run_chk_passwd(newrole_t, newrole_roles)
 auth_run_upd_passwd(newrole_t, newrole_roles)
 auth_rw_faillog(newrole_t)
-auth_use_pam_systemd(newrole_t)
 
 # Write to utmp.
 init_rw_utmp(newrole_t)
@@ -313,6 +312,10 @@ ifdef(`init_systemd',`
 ')
 
 optional_policy(`
+   auth_use_pam_systemd(newrole_t)
+')
+
+optional_policy(`
dbus_system_bus_client(newrole_t)
 
optional_policy(`
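Review bot: the new `optional_policy` block for `auth_use_pam_systemd(newrole_t)` sits directly above an existing one that already calls `dbus_system_bus_client(newrole_t)`; keeping them separate is correct because the two have different optional dependencies, but a short comment would stop someone from merging them later and reintroducing the dependency problem.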



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/, policy/modules/system/

2017-02-27 Thread Jason Zaman
commit: 0895cfaab9cc3c372810ab7d3b47c12066c74e74
Author: cgzones  googlemail  com>
AuthorDate: Thu Jan  5 11:10:30 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Mon Feb 27 10:37:10 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0895cfaa

su: some adjustments

* systemd fixes
* remove unused attribute su_domain_type
* remove hide_broken_symptoms sections
* dontaudit init_t proc files access
* dontaudit net_admin capability due to setsockopt

 policy/modules/admin/su.if| 20 +---
 policy/modules/admin/su.te|  2 --
 policy/modules/system/init.if | 20 
 3 files changed, 25 insertions(+), 17 deletions(-)

diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
index 4a434b84..cd137d59 100644
--- a/policy/modules/admin/su.if
+++ b/policy/modules/admin/su.if
@@ -1,4 +1,4 @@
-## Run shells with substitute user and group
+## Run shells with substitute user and group.
 
 ###
 ## 
@@ -100,11 +100,6 @@ template(`su_restricted_domain_template', `
')
')
 
-   ifdef(`hide_broken_symptoms',`
-   # dontaudit leaked sockets from parent
-   dontaudit $1_su_t $2:socket_class_set { read write };
-   ')
-
optional_policy(`
cron_read_pipes($1_su_t)
')
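Review bot: deleting the `ifdef(`hide_broken_symptoms'` dontaudit of `$2:socket_class_set { read write }` means leaked sockets from the parent domain will now be audited even on builds that define hide_broken_symptoms; that is reasonable if the leaks are to be fixed at the source rather than hidden, but expect new denials in the log after upgrading. The same block is removed from su_role_template further down in this patch.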
@@ -148,12 +143,10 @@ template(`su_restricted_domain_template', `
 #
 template(`su_role_template',`
gen_require(`
-   attribute su_domain_type;
type su_exec_t;
-   bool secure_mode;
')
 
-   type $1_su_t, su_domain_type;
+   type $1_su_t;
userdom_user_application_domain($1_su_t, su_exec_t)
domain_interactive_fd($1_su_t)
role $2 types $1_su_t;
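Review bot: removing `bool secure_mode;` from the gen_require is only correct if no rule remaining in su_role_template still references secure_mode; the hunk does not show the rest of the template, so verify that the tunable_policy/if blocks using it were removed in this or an earlier change, otherwise the module fails to build with an undeclared boolean.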
@@ -161,7 +154,7 @@ template(`su_role_template',`
allow $3 $1_su_t:process signal;
 
allow $1_su_t self:capability { audit_control audit_write chown 
dac_override fowner net_bind_service setgid setuid sys_nice sys_resource };
-   dontaudit $1_su_t self:capability sys_tty_config;
+   dontaudit $1_su_t self:capability { net_admin sys_tty_config };
allow $1_su_t self:process { setexec setsched setrlimit };
allow $1_su_t self:fifo_file rw_fifo_file_perms;
allow $1_su_t self:netlink_audit_socket { nlmsg_relay 
create_netlink_socket_perms };
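Review bot: `net_admin` is added as a dontaudit rather than an allow, which is the right call for a setsockopt() side effect su does not depend on: it keeps a powerful capability out of $1_su_t while silencing the noise. A comment such as `# setsockopt() probes net_admin` next to it would help, since the reason currently lives only in the commit message.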
@@ -197,6 +190,7 @@ template(`su_role_template',`
auth_dontaudit_read_shadow($1_su_t)
auth_use_nsswitch($1_su_t)
auth_rw_faillog($1_su_t)
+   auth_use_pam_systemd($1_su_t)
 
corecmd_search_bin($1_su_t)
 
@@ -208,6 +202,7 @@ template(`su_role_template',`
files_dontaudit_getattr_tmp_dirs($1_su_t)
 
init_dontaudit_use_fds($1_su_t)
+   init_dontaudit_read_state($1_su_t)
# Write to utmp.
init_rw_utmp($1_su_t)
 
@@ -232,11 +227,6 @@ template(`su_role_template',`
')
')
 
-   ifdef(`hide_broken_symptoms',`
-   # dontaudit leaked sockets from parent
-   dontaudit $1_su_t $3:socket_class_set { read write };
-   ')
-
tunable_policy(`allow_polyinstantiation',`
fs_mount_xattr_fs($1_su_t)
fs_unmount_xattr_fs($1_su_t)

diff --git a/policy/modules/admin/su.te b/policy/modules/admin/su.te
index e5537697..1264d7a6 100644
--- a/policy/modules/admin/su.te
+++ b/policy/modules/admin/su.te
@@ -5,7 +5,5 @@ policy_module(su, 1.14.1)
 # Declarations
 #
 
-attribute su_domain_type;
-
 type su_exec_t;
 corecmd_executable_file(su_exec_t)
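Review bot: removing the `attribute su_domain_type;` declaration must be paired with removal of every `type ..., su_domain_type;` use; the su.if hunk above removes it from su_role_template, but su_restricted_domain_template's type declaration is not visible in this patch and, if it still names the attribute, the module will not build.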

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 6de0a2d7..6a067ab2 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1695,6 +1695,26 @@ interface(`init_read_state',`
 
 
 ## 
+## Dontaudit read the process state (/proc/pid) of init.
+## 
+## 
+## 
+## Domain to not audit.
+## 
+## 
+#
+interface(`init_dontaudit_read_state',`
+   gen_require(`
+   type init_t;
+   ')
+
+   dontaudit $1 init_t:dir search_dir_perms;
+   dontaudit $1 init_t:file read_file_perms;
+   dontaudit $1 init_t:lnk_file read_lnk_file_perms;
+')
+
+
+## 
 ## Ptrace init
 ## 
 ## 
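Review bot: `init_dontaudit_read_state` mirrors init_read_state as a dontaudit, covering dir search, file read and lnk_file read on init_t's /proc entries; that is the narrowest way to silence the su denials the commit message lists without granting anything. One thing to check is that the description block between `## Dontaudit read the process state` and `## Domain to not audit.` carries the `<param name="domain">` markup refpolicy's documentation generator expects; the archive has stripped the XML so it cannot be verified here.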



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

2017-02-17 Thread Jason Zaman
commit: 26534d6388eb4e76eb8dc7c4f35b7d2a80cb45a6
Author: Chris PeBenito  ieee  org>
AuthorDate: Sat Feb 11 19:26:48 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Fri Feb 17 08:13:37 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=26534d63

Revert "bootloader: stricter permissions and more tailored file contexts"

This reverts commit b0c13980d224c49207315154905eb7fcb90f289d.

 policy/modules/admin/bootloader.fc |  6 --
 policy/modules/admin/bootloader.te | 17 -
 2 files changed, 4 insertions(+), 19 deletions(-)

diff --git a/policy/modules/admin/bootloader.fc 
b/policy/modules/admin/bootloader.fc
index d3925950..cdd6d3dd 100644
--- a/policy/modules/admin/bootloader.fc
+++ b/policy/modules/admin/bootloader.fc
@@ -1,12 +1,6 @@
-/boot/grub.*   -d  gen_context(system_u:object_r:bootloader_run_t,s0)
-/boot/grub.*/.*
gen_context(system_u:object_r:bootloader_run_t,s0)
-
-/boot/grub.*/grub.cfg  --  
gen_context(system_u:object_r:bootloader_etc_t,s0)
-/boot/grub.*/grub.conf --  
gen_context(system_u:object_r:bootloader_etc_t,s0)
 
 /etc/lilo\.conf.*  --  
gen_context(system_u:object_r:bootloader_etc_t,s0)
 /etc/yaboot\.conf.*--  
gen_context(system_u:object_r:bootloader_etc_t,s0)
-/etc/grub.d(/.*)?  --  
gen_context(system_u:object_r:bootloader_etc_t,s0)
 
 /usr/sbin/grub --  
gen_context(system_u:object_r:bootloader_exec_t,s0)
 /usr/sbin/grub2?-bios-setup--  
gen_context(system_u:object_r:bootloader_exec_t,s0)
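Review bot: this revert drops the dedicated `bootloader_run_t` labels for /boot/grub* and the bootloader_etc_t labels for grub.cfg and /etc/grub.d, so those files fall back to the generic /boot and /etc labels (boot_t and etc_t) and are no longer distinguishable from other boot and config files in policy. The commit message cites only the reverted hash; recording why the stricter scheme was reverted would help whoever attempts it again.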

diff --git a/policy/modules/admin/bootloader.te 
b/policy/modules/admin/bootloader.te
index fd9df5c8..bd69d431 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -22,13 +22,6 @@ application_domain(bootloader_t, bootloader_exec_t)
 role bootloader_roles types bootloader_t;
 
 #
-# bootloader_run_t are image and other runtime
-# files
-#
-type bootloader_run_t alias run_bootloader_t;
-files_type(bootloader_run_t)
-
-#
 # bootloader_etc_t is the configuration file,
 # grub.conf, lilo.conf, etc.
 #
@@ -52,7 +45,7 @@ allow bootloader_t self:capability { dac_override 
dac_read_search fsetid sys_raw
 allow bootloader_t self:process { signal_perms execmem };
 allow bootloader_t self:fifo_file rw_fifo_file_perms;
 
-allow bootloader_t bootloader_etc_t:file exec_file_perms;
+allow bootloader_t bootloader_etc_t:file read_file_perms;
 # uncomment the following lines if you use "lilo -p"
 #allow bootloader_t bootloader_etc_t:file manage_file_perms;
 #files_etc_filetrans(bootloader_t,bootloader_etc_t,file)
@@ -66,11 +59,6 @@ files_tmp_filetrans(bootloader_t, bootloader_tmp_t, { dir 
file lnk_file chr_file
 # for tune2fs (cjp: ?)
 files_root_filetrans(bootloader_t, bootloader_tmp_t, file)
 
-manage_dirs_pattern(bootloader_t, bootloader_run_t, bootloader_run_t)
-manage_files_pattern(bootloader_t, bootloader_run_t, bootloader_run_t)
-manage_lnk_files_pattern(bootloader_t, bootloader_run_t, bootloader_run_t)
-files_boot_filetrans(bootloader_t, bootloader_run_t, { dir file lnk_file })
-
 kernel_getattr_core_if(bootloader_t)
 kernel_read_network_state(bootloader_t)
 kernel_read_system_state(bootloader_t)
@@ -108,7 +96,10 @@ corecmd_exec_all_executables(bootloader_t)
 domain_use_interactive_fds(bootloader_t)
 
 files_create_boot_dirs(bootloader_t)
+files_manage_boot_files(bootloader_t)
+files_manage_boot_symlinks(bootloader_t)
 files_read_etc_files(bootloader_t)
+files_exec_etc_files(bootloader_t)
 files_read_usr_src_files(bootloader_t)
 files_read_usr_files(bootloader_t)
 files_read_var_files(bootloader_t)
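Review bot: restoring `files_manage_boot_files`, `files_manage_boot_symlinks` and `files_exec_etc_files` for bootloader_t, together with the `exec_file_perms` to `read_file_perms` change on bootloader_etc_t in the earlier hunk, means bootloader_t may again manage any boot_t file and execute any etc_t file rather than only its own labelled ones; that is a wider grant than the reverted patch allowed, and is the trade-off anyone auditing bootloader_t should be aware of.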



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/, policy/modules/roles/, policy/modules/kernel/, ...

2017-02-17 Thread Jason Zaman
commit: b8090bfeb7461011bfbbfc43d47caab6fc863d3d
Author: Chris PeBenito  ieee  org>
AuthorDate: Wed Feb 15 23:47:33 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Fri Feb 17 08:13:38 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b8090bfe

Sort capabilities permissions from Russell Coker.

 policy/modules/admin/bootloader.te|  2 +-
 policy/modules/admin/netutils.te  |  6 +++---
 policy/modules/admin/su.if|  4 ++--
 policy/modules/admin/sudo.if  |  2 +-
 policy/modules/admin/usermanage.te| 10 +-
 policy/modules/apps/seunshare.te  |  2 +-
 policy/modules/kernel/files.if|  2 +-
 policy/modules/roles/auditadm.te  |  2 +-
 policy/modules/roles/logadm.te|  2 +-
 policy/modules/roles/secadm.te|  2 +-
 policy/modules/services/postgresql.te |  4 ++--
 policy/modules/services/ssh.if|  4 ++--
 policy/modules/services/ssh.te|  2 +-
 policy/modules/services/xserver.te|  4 ++--
 policy/modules/system/fstools.te  |  2 +-
 policy/modules/system/getty.te|  2 +-
 policy/modules/system/hotplug.te  |  4 ++--
 policy/modules/system/ipsec.te|  4 ++--
 policy/modules/system/iptables.te |  2 +-
 policy/modules/system/locallogin.te   |  2 +-
 policy/modules/system/logging.if  |  2 +-
 policy/modules/system/logging.te  | 10 +-
 policy/modules/system/lvm.te  |  4 ++--
 policy/modules/system/mount.te|  2 +-
 policy/modules/system/selinuxutil.te  |  4 ++--
 policy/modules/system/sysnetwork.te   |  6 +++---
 policy/modules/system/systemd.te  |  4 ++--
 policy/modules/system/udev.te |  2 +-
 policy/modules/system/userdomain.if   |  8 
 29 files changed, 53 insertions(+), 53 deletions(-)

diff --git a/policy/modules/admin/bootloader.te 
b/policy/modules/admin/bootloader.te
index 8ed70327..8b7c18cd 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -41,7 +41,7 @@ dev_node(bootloader_tmp_t)
 # bootloader local policy
 #
 
-allow bootloader_t self:capability { dac_override dac_read_search fsetid 
sys_rawio sys_admin mknod chown };
+allow bootloader_t self:capability { chown dac_override dac_read_search fsetid 
mknod sys_admin sys_rawio };
 allow bootloader_t self:process { signal_perms execmem };
 allow bootloader_t self:fifo_file rw_fifo_file_perms;
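Review bot: a reorder-only change is easy to verify but also easy to slip a permission into; compared as sets, both sides for bootloader_t are { chown dac_override dac_read_search fsetid mknod sys_admin sys_rawio }, so nothing was added or dropped here. The same set comparison should be done for each remaining hunk, bearing in mind that the archive truncates this diff mid-hunk in su.if (the `+` line ends at `net_bind_service`).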
 

diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index 9eabff3a..744a2aa3 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -33,7 +33,7 @@ init_system_domain(traceroute_t, traceroute_exec_t)
 #
 
 # Perform network administration operations and have raw access to the network.
-allow netutils_t self:capability { dac_read_search net_admin net_raw setuid 
setgid sys_chroot };
+allow netutils_t self:capability { dac_read_search net_admin net_raw setgid 
setuid sys_chroot };
 dontaudit netutils_t self:capability { dac_override sys_tty_config };
 allow netutils_t self:process { setcap signal_perms };
 allow netutils_t self:netlink_route_socket create_netlink_socket_perms;
@@ -107,7 +107,7 @@ optional_policy(`
 # Ping local policy
 #
 
-allow ping_t self:capability { setuid net_raw };
+allow ping_t self:capability { net_raw setuid };
 # When ping is installed with capabilities instead of setuid
 allow ping_t self:process { getcap setcap };
 dontaudit ping_t self:capability sys_tty_config;
@@ -168,7 +168,7 @@ optional_policy(`
 # Traceroute local policy
 #
 
-allow traceroute_t self:capability { net_admin net_raw setuid setgid };
+allow traceroute_t self:capability { net_admin net_raw setgid setuid };
 allow traceroute_t self:rawip_socket create_socket_perms;
 allow traceroute_t self:packet_socket create_socket_perms;
 allow traceroute_t self:udp_socket create_socket_perms;

diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
index 02aabd81..4a434b84 100644
--- a/policy/modules/admin/su.if
+++ b/policy/modules/admin/su.if
@@ -41,7 +41,7 @@ template(`su_restricted_domain_template', `
 
allow $2 $1_su_t:process signal;
 
-   allow $1_su_t self:capability { audit_control audit_write setuid setgid 
net_bind_service chown dac_override fowner sys_nice sys_resource };
+   allow $1_su_t self:capability { audit_control audit_write chown 
dac_override fowner net_bind_service setgid setuid sys_nice sys_resource };
dontaudit $1_su_t self:capability sys_tty_config;
allow $1_su_t self:key { search write };
allow $1_su_t self:process { setexec setsched setrlimit };
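Review bot: the reordered set in su_restricted_domain_template is identical on both sides (ten entries: audit_control, audit_write, chown, dac_override, fowner, net_bind_service, setgid, setuid, sys_nice, sys_resource), so style-only. The same rule is duplicated in su_role_template below; keep both copies reordered identically, as the two tend to drift apart over time.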
@@ -160,7 +160,7 @@ template(`su_role_template',`
 
allow $3 $1_su_t:process signal;
 
-   allow $1_su_t self:capability { audit_control audit_write setuid setgid 
net_bind_service chown dac_override fowner sys_nice sys_resource };
+   allow $1_su_t self:capability { audit_control audit_write chown 
dac_override fowner net_bind_service 

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/, policy/modules/kernel/

2017-02-17 Thread Jason Zaman
commit: b3a86dde9757f48af1abc124e9b000f47dbf0cfd
Author: Chris PeBenito  ieee  org>
AuthorDate: Sat Feb 11 19:51:21 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Fri Feb 17 08:13:37 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b3a86dde

Module version bump for bootloader patch revert. Plus compat alias.

 policy/modules/admin/bootloader.te | 2 +-
 policy/modules/kernel/files.te | 4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/policy/modules/admin/bootloader.te 
b/policy/modules/admin/bootloader.te
index bd69d431..8ed70327 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -1,4 +1,4 @@
-policy_module(bootloader, 1.17.1)
+policy_module(bootloader, 1.17.2)
 
 
 #

diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index 2d8fa232..625768e2 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -1,4 +1,4 @@
-policy_module(files, 1.23.1)
+policy_module(files, 1.23.2)
 
 
 #
@@ -48,6 +48,8 @@ attribute usercanread;
 #
 type boot_t;
 files_mountpoint(boot_t)
+# compatibility aliases for removed types:
+typealias boot_t alias bootloader_run_t;
 
 # default_t is the default type for files that do not
 # match any specification in the file_contexts configuration
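Review bot: the compatibility alias is the right move, but the comment should name the commit that removed bootloader_run_t and say the alias is a transition aid so it can be retired later. With the alias in place, files on disk still carrying the bootloader_run_t xattr resolve to boot_t without a relabel, and any local module that still references bootloader_run_t keeps compiling.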



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

2017-02-05 Thread Jason Zaman
commit: 6071ad267042af00ae73aa58d7c07d5e78a3e0b3
Author: Jason Zaman  perfinion  com>
AuthorDate: Sun Feb  5 07:42:30 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Feb  5 08:45:23 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6071ad26

bootloader: grub needs to manage grub.cfg

commit b0c13980d224c49207315154905eb7fcb90f289d
broke grub-mkconfig which needs to be able to update the grub.cfg file.
Remove the fcontext for grub.cfg so it can update the file.

$ grub-mkconfig -o /boot/grub/grub.cfg
Generating grub configuration file ...
mv: cannot move '/boot/grub/grub.cfg.new' to '/boot/grub/grub.cfg':
Permission denied

type=AVC msg=audit(1486273313.557:26703): avc:  denied  { unlink } for  
pid=10757 comm="mv" name="grub.cfg" dev="md1" ino=10070 
scontext=staff_u:sysadm_r:bootloader_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:bootloader_etc_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1486273313.557:26703): arch=c03e syscall=82 
success=no exit=-13 a0=3a93725fbef a1=3a93725fc07 a2=0 a3=2 items=4 ppid=9489 
pid=10757 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 
tty=pts3 ses=4 comm="mv" exe="/bin/mv" 
subj=staff_u:sysadm_r:bootloader_t:s0-s0:c0.c1023 key=(null)
type=CWD msg=audit(1486273313.557:26703): cwd="/root"
type=PATH msg=audit(1486273313.557:26703): item=0 name="/boot/grub/" 
inode=10041 dev=09:01 mode=040755 ouid=0 ogid=0 rdev=00:00 
obj=system_u:object_r:bootloader_run_t:s0 nametype=PARENT
type=PATH msg=audit(1486273313.557:26703): item=1 name="/boot/grub/" 
inode=10041 dev=09:01 mode=040755 ouid=0 ogid=0 rdev=00:00 
obj=system_u:object_r:bootloader_run_t:s0 nametype=PARENT
type=PATH msg=audit(1486273313.557:26703): item=2 
name="/boot/grub/grub.cfg.new" inode=10072 dev=09:01 mode=0100600 ouid=0 ogid=0 
rdev=00:00 obj=staff_u:object_r:bootloader_run_t:s0 nametype=DELETE
type=PATH msg=audit(1486273313.557:26703): item=3 name="/boot/grub/grub.cfg" 
inode=10070 dev=09:01 mode=0100600 ouid=0 ogid=0 rdev=00:00 
obj=system_u:object_r:bootloader_etc_t:s0 nametype=DELETE

 policy/modules/admin/bootloader.fc | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/policy/modules/admin/bootloader.fc 
b/policy/modules/admin/bootloader.fc
index c43c428..d62e8e3 100644
--- a/policy/modules/admin/bootloader.fc
+++ b/policy/modules/admin/bootloader.fc
@@ -1,9 +1,6 @@
 /boot/grub.*   -d  gen_context(system_u:object_r:bootloader_run_t,s0)
 /boot/grub.*/.*
gen_context(system_u:object_r:bootloader_run_t,s0)
 
-/boot/grub.*/grub.cfg  --  
gen_context(system_u:object_r:bootloader_etc_t,s0)
-/boot/grub.*/grub.conf --  
gen_context(system_u:object_r:bootloader_etc_t,s0)
-
 /etc/lilo\.conf.*  --  
gen_context(system_u:object_r:bootloader_etc_t,s0)
 /etc/yaboot\.conf.*--  
gen_context(system_u:object_r:bootloader_etc_t,s0)
 /etc/grub.d(/.*)?  --  
gen_context(system_u:object_r:bootloader_etc_t,s0)
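Review bot: dropping the two grub.cfg entries makes /boot/grub/grub.cfg fall back to the `/boot/grub.*/.*` rule, i.e. bootloader_run_t, which bootloader_t can manage, so the unlink denial quoted in the message goes away; the cost is that the generated config is no longer distinguished from the rest of /boot/grub. If a separate type for grub.cfg is wanted back, the rule needed is manage on bootloader_etc_t for bootloader_t together with a name-based file transition in the bootloader_run_t directory, not the read-only access the current policy grants.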



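As an added example (not part of the commit or of refpolicy), a small parser that turns the AVC record quoted in the commit message above into the allow rule audit2allow would propose, grouping denials per source type, target type and class; the second record in the sample is constructed.

```python
"""Parse SELinux AVC records and derive the minimal allow rule per
(source type, target type, class), the way audit2allow does in its
simplest mode. Added example, not project code."""
import re
from dataclasses import dataclass

# First record: the AVC line from the commit message for 6071ad26, re-joined
# onto one line. Second record: constructed here to show how perms merge.
SAMPLE_RECORDS = [
    'type=AVC msg=audit(1486273313.557:26703): avc:  denied  { unlink } for  '
    'pid=10757 comm="mv" name="grub.cfg" dev="md1" ino=10070 '
    'scontext=staff_u:sysadm_r:bootloader_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:bootloader_etc_t:s0 tclass=file permissive=0',
    # constructed: same subject/object pair, a second denied permission
    'type=AVC msg=audit(1486273313.560:26704): avc:  denied  { write } for  '
    'pid=10760 comm="grub-mkconfig" name="grub.cfg" dev="md1" ino=10070 '
    'scontext=staff_u:sysadm_r:bootloader_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:bootloader_etc_t:s0 tclass=file permissive=0',
]

# "avc:  denied  { unlink } for  pid=... key=value ..."
_AVC_RE = re.compile(
    r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$')
# key=value pairs; values may be quoted (comm="mv") or bare (tclass=file)
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class AvcRecord:
    result: str          # "denied" or "granted"
    perms: frozenset     # permissions listed inside the braces
    scontext: str        # user:role:type[:range] of the subject
    tcontext: str        # user:role:type[:range] of the object
    tclass: str          # object class, e.g. "file"
    permissive: bool     # True if the kernel allowed the op anyway

    @property
    def source_type(self) -> str:
        return self.scontext.split(':')[2]

    @property
    def target_type(self) -> str:
        return self.tcontext.split(':')[2]


def parse_avc(line: str):
    """Return an AvcRecord for an AVC line, or None for anything else
    (SYSCALL/PATH records, truncated lines)."""
    m = _AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(m.group(3))}
    try:
        return AvcRecord(
            result=m.group(1),
            perms=frozenset(m.group(2).split()),
            scontext=fields['scontext'],
            tcontext=fields['tcontext'],
            tclass=fields['tclass'],
            permissive=fields.get('permissive') == '1',
        )
    except KeyError:
        return None  # record is missing one of the mandatory fields


def suggest_allow_rules(lines):
    """Union the denied permissions of every (source, target, class) group
    and emit one refpolicy-style allow rule per group, sorted."""
    groups = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec.result != 'denied':
            continue
        key = (rec.source_type, rec.target_type, rec.tclass)
        groups.setdefault(key, set()).update(rec.perms)
    rules = []
    for (src, tgt, cls), perms in sorted(groups.items()):
        perm_str = ' '.join(sorted(perms))
        if len(perms) > 1:
            perm_str = '{ ' + perm_str + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {perm_str};')
    return rules


if __name__ == '__main__':
    for rule in suggest_allow_rules(SAMPLE_RECORDS):
        print(rule)
```

The rule derived from the quoted record, `allow bootloader_t bootloader_etc_t:file unlink;`, is exactly the widening the commit avoided by relabelling grub.cfg instead, which is why such output is a starting point for review rather than a patch.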
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

2017-01-01 Thread Jason Zaman
commit: 7c30c8834c281dc9a151d1d11f68aac9d86067b1
Author: Guido Trentalancia  trentalancia  net>
AuthorDate: Fri Dec 23 00:22:39 2016 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Jan  1 16:26:28 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7c30c883

bootloader: stricter permissions and more tailored file contexts

Update the bootloader module so that it can manage only its
own runtime files and not all boot_t files (which include,
for example, the common locations for kernel images and
initramfs archives) and so that it can execute only its own
etc files (needed by grub2-mkconfig) and not all etc_t files
which is more dangerous.

Signed-off-by: Guido Trentalancia  trentalancia.net>

 policy/modules/admin/bootloader.fc |  6 ++
 policy/modules/admin/bootloader.te | 17 +
 2 files changed, 19 insertions(+), 4 deletions(-)

diff --git a/policy/modules/admin/bootloader.fc 
b/policy/modules/admin/bootloader.fc
index d908d56..5b67c16 100644
--- a/policy/modules/admin/bootloader.fc
+++ b/policy/modules/admin/bootloader.fc
@@ -1,6 +1,12 @@
+/boot/grub.*   -d  gen_context(system_u:object_r:bootloader_run_t,s0)
+/boot/grub.*/.*
gen_context(system_u:object_r:bootloader_run_t,s0)
+
+/boot/grub.*/grub.cfg  --  
gen_context(system_u:object_r:bootloader_etc_t,s0)
+/boot/grub.*/grub.conf --  
gen_context(system_u:object_r:bootloader_etc_t,s0)
 
 /etc/lilo\.conf.*  --  
gen_context(system_u:object_r:bootloader_etc_t,s0)
 /etc/yaboot\.conf.*--  
gen_context(system_u:object_r:bootloader_etc_t,s0)
+/etc/grub.d(/.*)?  --  
gen_context(system_u:object_r:bootloader_etc_t,s0)
 
 /sbin/grub --  
gen_context(system_u:object_r:bootloader_exec_t,s0)
 /sbin/lilo.*   --  
gen_context(system_u:object_r:bootloader_exec_t,s0)
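Review bot: labelling grub.cfg bootloader_etc_t conflicts with the .te part of this patch, which gives bootloader_t only exec_file_perms (read and execute) on that type; grub2-mkconfig writes grub.cfg.new into the bootloader_run_t directory and renames it over grub.cfg, which needs unlink on the old file, so the generated config can no longer be replaced. Either leave grub.cfg under the `/boot/grub.*/.*` rule or add manage on bootloader_etc_t with a name-based filetrans. Separately, `/etc/grub.d(/.*)?  --` matches regular files only, so the /etc/grub.d directory itself stays etc_t; drop the `--` if the directory is meant to carry the type as well.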

diff --git a/policy/modules/admin/bootloader.te 
b/policy/modules/admin/bootloader.te
index fcaa6d4..e3f2a72 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -22,6 +22,13 @@ application_domain(bootloader_t, bootloader_exec_t)
 role bootloader_roles types bootloader_t;
 
 #
+# bootloader_run_t are image and other runtime
+# files
+#
+type bootloader_run_t alias run_bootloader_t;
+files_type(bootloader_run_t)
+
+#
 # bootloader_etc_t is the configuration file,
 # grub.conf, lilo.conf, etc.
 #
@@ -45,7 +52,7 @@ allow bootloader_t self:capability { dac_override 
dac_read_search fsetid sys_raw
 allow bootloader_t self:process { signal_perms execmem };
 allow bootloader_t self:fifo_file rw_fifo_file_perms;
 
-allow bootloader_t bootloader_etc_t:file read_file_perms;
+allow bootloader_t bootloader_etc_t:file exec_file_perms;
 # uncomment the following lines if you use "lilo -p"
 #allow bootloader_t bootloader_etc_t:file manage_file_perms;
 #files_etc_filetrans(bootloader_t,bootloader_etc_t,file)
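Review bot: moving the whole bootloader_etc_t type from read_file_perms to exec_file_perms makes lilo.conf, yaboot.conf and grub.cfg executable for the domain, not only the /etc/grub.d scripts that need it. A dedicated type for /etc/grub.d would keep the configuration data non-executable while still meeting the message's aim of not executing arbitrary etc_t files.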
@@ -59,6 +66,11 @@ files_tmp_filetrans(bootloader_t, bootloader_tmp_t, { dir 
file lnk_file chr_file
 # for tune2fs (cjp: ?)
 files_root_filetrans(bootloader_t, bootloader_tmp_t, file)
 
+manage_dirs_pattern(bootloader_t, bootloader_run_t, bootloader_run_t)
+manage_files_pattern(bootloader_t, bootloader_run_t, bootloader_run_t)
+manage_lnk_files_pattern(bootloader_t, bootloader_run_t, bootloader_run_t)
+files_boot_filetrans(bootloader_t, bootloader_run_t, { dir file lnk_file })
+
 kernel_getattr_core_if(bootloader_t)
 kernel_read_network_state(bootloader_t)
 kernel_read_system_state(bootloader_t)
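Review bot: files_boot_filetrans has no name filter here, so every directory, file or symlink bootloader_t creates directly under /boot becomes bootloader_run_t, which is broader than the "only its own runtime files" aim in the commit message. If the files_boot_filetrans in this refpolicy version accepts the optional filename argument, restricting the transition to the grub directory name would match the intent.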
@@ -96,10 +108,7 @@ corecmd_exec_all_executables(bootloader_t)
 domain_use_interactive_fds(bootloader_t)
 
 files_create_boot_dirs(bootloader_t)
-files_manage_boot_files(bootloader_t)
-files_manage_boot_symlinks(bootloader_t)
 files_read_etc_files(bootloader_t)
-files_exec_etc_files(bootloader_t)
 files_read_usr_src_files(bootloader_t)
 files_read_usr_files(bootloader_t)
 files_read_var_files(bootloader_t)
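Review bot: removing files_manage_boot_files and files_manage_boot_symlinks means anything in /boot/grub that is still labelled boot_t from before this fc change is no longer writable by bootloader_t until `restorecon -R /boot` has been run; the commit message should say so. Dropping files_exec_etc_files is consistent with the exec_file_perms change above only if every script grub2-mkconfig runs lives under /etc/grub.d; the interpreters themselves are covered by the corecmd_exec_all_executables call visible in the hunk context.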



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

2016-05-12 Thread Jason Zaman
commit: dc478cb2c42a8b5d120203a1aa1157873a131cb3
Author: Chris PeBenito  tresys  com>
AuthorDate: Fri Mar 25 14:24:59 2016 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Fri May 13 05:07:33 2016 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=dc478cb2

Update su for libselinux-2.5 changes.

su is linked against libselinux via pam_unix.so.  Use the selinuxutil
interface so future libselinux changes are pulled in.

 policy/modules/admin/su.if | 3 +++
 policy/modules/admin/su.te | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
index a069cb8..02aabd8 100644
--- a/policy/modules/admin/su.if
+++ b/policy/modules/admin/su.if
@@ -217,6 +217,9 @@ template(`su_role_template',`
 
miscfiles_read_localization($1_su_t)
 
+   # pam_unix is linked against libselinux
+   seutil_libselinux_linked($1_su_t)
+
userdom_use_user_terminals($1_su_t)
userdom_search_user_home_dirs($1_su_t)
 
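Review bot: seutil_libselinux_linked is added to su_role_template only. su_restricted_domain_template in the same file also creates $1_su_t domains that authenticate through pam_unix, so it most likely needs the same call; otherwise the libselinux-2.5 changes are only accounted for in role-based su domains.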

diff --git a/policy/modules/admin/su.te b/policy/modules/admin/su.te
index 85bb77e..d936e3b 100644
--- a/policy/modules/admin/su.te
+++ b/policy/modules/admin/su.te
@@ -1,4 +1,4 @@
-policy_module(su, 1.12.0)
+policy_module(su, 1.12.1)
 
 
 #



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/, policy/modules/services/, policy/modules/system/, ...

2015-12-17 Thread Jason Zaman
commit: 6aedb1c71685c30a248572bd798bff287f911347
Author: Chris PeBenito  tresys  com>
AuthorDate: Tue Dec  8 14:53:02 2015 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Thu Dec 17 15:25:22 2015 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6aedb1c7

Bump module versions for release.

 policy/modules/admin/netutils.te  | 2 +-
 policy/modules/kernel/corecommands.te | 2 +-
 policy/modules/kernel/devices.te  | 2 +-
 policy/modules/kernel/domain.te   | 2 +-
 policy/modules/kernel/files.te| 2 +-
 policy/modules/kernel/filesystem.te   | 2 +-
 policy/modules/kernel/kernel.te   | 2 +-
 policy/modules/kernel/selinux.te  | 2 +-
 policy/modules/kernel/terminal.te | 2 +-
 policy/modules/roles/sysadm.te| 2 +-
 policy/modules/services/postgresql.te | 2 +-
 policy/modules/services/ssh.te| 2 +-
 policy/modules/system/authlogin.te| 2 +-
 policy/modules/system/fstools.te  | 2 +-
 policy/modules/system/ipsec.te| 2 +-
 policy/modules/system/iptables.te | 2 +-
 policy/modules/system/locallogin.te   | 2 +-
 policy/modules/system/logging.te  | 2 +-
 policy/modules/system/lvm.te  | 2 +-
 policy/modules/system/modutils.te | 2 +-
 policy/modules/system/netlabel.te | 2 +-
 policy/modules/system/selinuxutil.te  | 2 +-
 policy/modules/system/setrans.te  | 2 +-
 policy/modules/system/sysnetwork.te   | 2 +-
 policy/modules/system/systemd.te  | 2 +-
 policy/modules/system/udev.te | 2 +-
 26 files changed, 26 insertions(+), 26 deletions(-)

diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index 407685f..6f3c0ce 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -1,4 +1,4 @@
-policy_module(netutils, 1.14.1)
+policy_module(netutils, 1.15.0)
 
 
 #

diff --git a/policy/modules/kernel/corecommands.te 
b/policy/modules/kernel/corecommands.te
index faa15bf..89fbb84 100644
--- a/policy/modules/kernel/corecommands.te
+++ b/policy/modules/kernel/corecommands.te
@@ -1,4 +1,4 @@
-policy_module(corecommands, 1.20.2)
+policy_module(corecommands, 1.21.0)
 
 
 #

diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index f9733a3..ed045d9 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -1,4 +1,4 @@
-policy_module(devices, 1.17.2)
+policy_module(devices, 1.18.0)
 
 
 #

diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
index b6f46d9..dfcf4a7 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -1,4 +1,4 @@
-policy_module(domain, 1.12.1)
+policy_module(domain, 1.13.0)
 
 
 #

diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index 90c1209..7a0e0f2 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -1,4 +1,4 @@
-policy_module(files, 1.20.1)
+policy_module(files, 1.21.0)
 
 
 #

diff --git a/policy/modules/kernel/filesystem.te 
b/policy/modules/kernel/filesystem.te
index 412fe81..d8c5271 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -1,4 +1,4 @@
-policy_module(filesystem, 1.19.2)
+policy_module(filesystem, 1.20.0)
 
 
 #

diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index bcc57b3..0de538c 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -1,4 +1,4 @@
-policy_module(kernel, 1.19.2)
+policy_module(kernel, 1.20.0)
 
 
 #

diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te
index 6e9315d..1efa6bb 100644
--- a/policy/modules/kernel/selinux.te
+++ b/policy/modules/kernel/selinux.te
@@ -1,4 +1,4 @@
-policy_module(selinux, 1.14.1)
+policy_module(selinux, 1.15.0)
 
 
 #

diff --git a/policy/modules/kernel/terminal.te 
b/policy/modules/kernel/terminal.te
index e2f8a7d..01e1516 100644
--- a/policy/modules/kernel/terminal.te
+++ b/policy/modules/kernel/terminal.te
@@ -1,4 +1,4 @@
-policy_module(terminal, 1.13.1)
+policy_module(terminal, 1.14.0)
 
 
 #

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index bf4ab0d..865b3c2 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -1,4 +1,4 @@
-policy_module(sysadm, 2.8.4)
+policy_module(sysadm, 2.9.0)
 
 
 #

diff --git a/policy/modules/services/postgresql.te 
b/policy/modules/services/postgresql.te
index 82acf89..627983d 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ 

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

2015-07-15 Thread Sven Vermeulen
commit: 770ab52d286978f77fc9ebc650cbf0a8f04663ce
Author: Sven Vermeulen sven.vermeulen AT siphos DOT be
AuthorDate: Wed Jul 15 13:44:53 2015 +
Commit: Sven Vermeulen swift AT gentoo DOT org
CommitDate: Wed Jul 15 13:44:53 2015 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=770ab52d

Fix avc_context_to_raw assertion in su domains (bug #554080)

Although earlier investigations on the same matter [1] did not result in
a good fix (it seemed that the permissions were needed for the wrong
reasons, but would most likely require a fix in either the application
that is SELinux-aware or in how the permissions are handled), it does
not look like we will see a proper solution in the near future.

[1] http://oss.tresys.com/pipermail/refpolicy/2014-April/007058.html

So allow the permissions (without write / send/recv_msg) to allow su
domains to go forward.

X-Gentoo-Bug: 554080
X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=554080

 policy/modules/admin/su.if | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
index aea8a4f..a069cb8 100644
--- a/policy/modules/admin/su.if
+++ b/policy/modules/admin/su.if
@@ -119,6 +119,8 @@ template(`su_restricted_domain_template', `
')
 
ifdef(`distro_gentoo',`
+   # Fix bug 554080 - Allow su to query SELinux subsystem 
(netlink_selinux_socket)
+   allow $1_su_t self:netlink_selinux_socket { create bind read };
selinux_get_fs_mount($1_su_t)
')
 ')
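Review bot: given the message's own doubt that the permissions are needed for the right reasons, the usual choice would be a dontaudit, but a dontaudit would not cure the avc_context_to_raw assertion named in the subject, so allow is the right call here; put that reasoning in the comment (which is also wrapped mid-sentence) so nobody later "fixes" it into a dontaudit. Granting read without write matches the stated intent of letting su receive but not send on the socket.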



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/, policy/modules/system/

2015-05-22 Thread Jason Zaman
commit: 10c63ed8138317cf7a362ca1102290d37ad6def7
Author: Chris PeBenito cpebenito AT tresys DOT com
AuthorDate: Fri May 22 12:38:53 2015 +
Commit: Jason Zaman perfinion AT gentoo DOT org
CommitDate: Fri May 22 19:16:43 2015 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=10c63ed8

Module version bump for updated netlink sockets from Stephen Smalley

 policy/modules/admin/netutils.te| 2 +-
 policy/modules/system/iptables.te   | 2 +-
 policy/modules/system/netlabel.te   | 2 +-
 policy/modules/system/sysnetwork.te | 2 +-
 policy/modules/system/udev.te   | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index 1c64781..b8169a8 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -1,4 +1,4 @@
-policy_module(netutils, 1.14.0)
+policy_module(netutils, 1.14.1)
 
 
 #

diff --git a/policy/modules/system/iptables.te 
b/policy/modules/system/iptables.te
index 1ad1046..fc97f63 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -1,4 +1,4 @@
-policy_module(iptables, 1.15.0)
+policy_module(iptables, 1.15.1)
 
 
 #

diff --git a/policy/modules/system/netlabel.te 
b/policy/modules/system/netlabel.te
index f6d14b1..b396893 100644
--- a/policy/modules/system/netlabel.te
+++ b/policy/modules/system/netlabel.te
@@ -1,4 +1,4 @@
-policy_module(netlabel, 1.3.0)
+policy_module(netlabel, 1.3.1)
 
 
 #

diff --git a/policy/modules/system/sysnetwork.te 
b/policy/modules/system/sysnetwork.te
index b922597..7a7b479 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -1,4 +1,4 @@
-policy_module(sysnetwork, 1.17.1)
+policy_module(sysnetwork, 1.17.2)
 
 
 #

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index e7c7f9f..a9a2296 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -1,4 +1,4 @@
-policy_module(udev, 1.18.0)
+policy_module(udev, 1.18.1)
 
 
 #



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

2015-01-25 Thread Sven Vermeulen
commit: 6021047ffb0b923335185c9a879a7ebb994acedb
Author: Sven Vermeulen sven.vermeulen AT siphos DOT be
AuthorDate: Sun Jan 25 14:03:05 2015 +
Commit: Sven Vermeulen swift AT gentoo DOT org
CommitDate: Sun Jan 25 14:03:05 2015 +
URL:
http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=6021047f

Fix bug #537652 - Allow grub2-mkconfig to be executed from the user home dir 
(default location when executing commands for a user)

---
 policy/modules/admin/bootloader.te | 5 +
 1 file changed, 5 insertions(+)

diff --git a/policy/modules/admin/bootloader.te 
b/policy/modules/admin/bootloader.te
index 197791f..fcaa6d4 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -208,3 +208,8 @@ optional_policy(`
 optional_policy(`
rpm_rw_pipes(bootloader_t)
 ')
+
+ifdef(`distro_gentoo',`
+   # Fix bug #537652 - grub2-mkconfig has search rights needed on current 
dir (usually user home dir)
+   userdom_search_user_home_dirs(bootloader_t)
+')
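Review bot: the denial is for search on the caller's current directory, which grub2-mkconfig does not need to do its job; userdom_dontaudit_search_user_home_dirs(bootloader_t) would silence the noise without granting bootloader_t search into every user's home. If the tool genuinely fails without the access, keep the allow but state that in the comment, since the bug number alone does not say which case applies.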



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

2014-11-27 Thread Sven Vermeulen
commit: 4d16571c5e3d0449b38cdd8619db04e93526fcf9
Author: Sven Vermeulen sven.vermeulen AT siphos DOT be
AuthorDate: Thu Nov 27 22:22:02 2014 +
Commit: Sven Vermeulen swift AT gentoo DOT org
CommitDate: Thu Nov 27 22:22:02 2014 +
URL:
http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=4d16571c

Missing quote

---
 policy/modules/admin/dmesg.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/admin/dmesg.if b/policy/modules/admin/dmesg.if
index 1b6e1b2..6271b3c 100644
--- a/policy/modules/admin/dmesg.if
+++ b/policy/modules/admin/dmesg.if
@@ -58,7 +58,7 @@ interface(`dmesg_exec',`
 ## /param
 ## rolecap/
 #
-interface(`dmesg_run,`
+interface(`dmesg_run',`
gen_require(`
type dmesg_t;
')



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

2014-11-22 Thread Sven Vermeulen
commit: 364faaa731277dee24837e0781cb3cc520f36406
Author: Sven Vermeulen sven.vermeulen AT siphos DOT be
AuthorDate: Sat Nov 22 17:28:47 2014 +
Commit: Sven Vermeulen swift AT gentoo DOT org
CommitDate: Sat Nov 22 17:28:47 2014 +
URL:
http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=364faaa7

Add upstream feedback when sent but needs some work

---
 policy/modules/admin/usermanage.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/admin/usermanage.te 
b/policy/modules/admin/usermanage.te
index 4855693..e11f53a 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -571,11 +571,13 @@ ifdef(`distro_gentoo',`
# groupadd_t
 
# fix bug #499036
+   # Upstream: 
http://oss.tresys.com/pipermail/refpolicy/2014-April/007058.html
allow groupadd_t self:netlink_selinux_socket { create bind };
 

# useradd_t
 
# fix bug #499036
+   # Upstream: 
http://oss.tresys.com/pipermail/refpolicy/2014-April/007058.html
allow useradd_t self:netlink_selinux_socket { create bind };
 ')



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

2014-10-12 Thread Sven Vermeulen
commit: 282116096675c76b306401b6dd93ee63e22e5931
Author: Laurent Bigonville bigon AT bigon DOT be
AuthorDate: Fri Oct  3 12:29:05 2014 +
Commit: Sven Vermeulen swift AT gentoo DOT org
CommitDate: Sun Oct 12 08:24:31 2014 +
URL:
http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=28211609

On Debian iputils-arping is installed in /usr/bin/arping

---
 policy/modules/admin/netutils.fc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/admin/netutils.fc b/policy/modules/admin/netutils.fc
index 407078f..355714d 100644
--- a/policy/modules/admin/netutils.fc
+++ b/policy/modules/admin/netutils.fc
@@ -4,6 +4,7 @@
 
 /sbin/arping   --  
gen_context(system_u:object_r:netutils_exec_t,s0)
 
+/usr/bin/arping--  
gen_context(system_u:object_r:netutils_exec_t,s0)
 /usr/bin/lft   --  
gen_context(system_u:object_r:traceroute_exec_t,s0)
 /usr/bin/nmap  --  
gen_context(system_u:object_r:traceroute_exec_t,s0)
 /usr/bin/traceroute.*  --  
gen_context(system_u:object_r:traceroute_exec_t,s0)



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

2014-10-12 Thread Sven Vermeulen
commit: d211e0e619833fd7743396651109e91eb09d620d
Author: Laurent Bigonville bigon AT bigon DOT be
AuthorDate: Fri Oct  3 12:35:58 2014 +
Commit: Sven Vermeulen swift AT gentoo DOT org
CommitDate: Sun Oct 12 08:24:33 2014 +
URL:
http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=d211e0e6

Debian also ships a different arping implementation

In addition to the iputils arping implementation, Debian also ships
another implementation which is installed under /usr/sbin/arping

---
 policy/modules/admin/netutils.fc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/admin/netutils.fc b/policy/modules/admin/netutils.fc
index 355714d..a4672ca 100644
--- a/policy/modules/admin/netutils.fc
+++ b/policy/modules/admin/netutils.fc
@@ -9,6 +9,7 @@
 /usr/bin/nmap  --  
gen_context(system_u:object_r:traceroute_exec_t,s0)
 /usr/bin/traceroute.*  --  
gen_context(system_u:object_r:traceroute_exec_t,s0)
 
+/usr/sbin/arping   --  
gen_context(system_u:object_r:netutils_exec_t,s0)
 /usr/sbin/fping--  gen_context(system_u:object_r:ping_exec_t,s0)
 /usr/sbin/traceroute.* --  
gen_context(system_u:object_r:traceroute_exec_t,s0)
 /usr/sbin/hping2   --  gen_context(system_u:object_r:ping_exec_t,s0)



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

2014-10-12 Thread Sven Vermeulen
commit: f591616e559675fd9ebec18575267d125d4eb135
Author: Chris PeBenito cpebenito AT tresys DOT com
AuthorDate: Mon Oct  6 13:50:58 2014 +
Commit: Sven Vermeulen swift AT gentoo DOT org
CommitDate: Sun Oct 12 08:24:40 2014 +
URL:
http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f591616e

Module version bump for Debian arping fc entries from Laurent Bigonville.

---
 policy/modules/admin/netutils.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index cfd9700..5f4c84e 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -1,4 +1,4 @@
-policy_module(netutils, 1.13.1)
+policy_module(netutils, 1.13.2)
 
 
 #



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

2014-08-31 Thread Sven Vermeulen
commit: a2c27b5797c6d7420fe0bb36ee364406d260c960
Author: Sven Vermeulen sven.vermeulen AT siphos DOT be
AuthorDate: Sun Aug 31 18:14:16 2014 +
Commit: Sven Vermeulen swift AT gentoo DOT org
CommitDate: Sun Aug 31 18:14:16 2014 +
URL:
http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=a2c27b57

Mark mkconfig as bootloader executable too

---
 policy/modules/admin/bootloader.fc | 4 
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/admin/bootloader.fc 
b/policy/modules/admin/bootloader.fc
index d56f931..2503c58 100644
--- a/policy/modules/admin/bootloader.fc
+++ b/policy/modules/admin/bootloader.fc
@@ -10,3 +10,7 @@
 /usr/sbin/grub2?-bios-setup--  
gen_context(system_u:object_r:bootloader_exec_t,s0)
 /usr/sbin/grub2?-install   --  
gen_context(system_u:object_r:bootloader_exec_t,s0)
 /usr/sbin/grub2?-probe --  
gen_context(system_u:object_r:bootloader_exec_t,s0)
+
+ifdef(`distro_gentoo',`
+/usr/sbin/grub2?-mkconfig  --  
gen_context(system_u:object_r:bootloader_exec_t,s0)
+')
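Review bot: grub2-mkconfig is shipped by GRUB2 itself, not by Gentoo, so the ifdef(`distro_gentoo') guard looks unnecessary; without it other distributions get the same bootloader_t transition for the script. The `grub2?-mkconfig` pattern already matches both grub-mkconfig and grub2-mkconfig, consistent with the neighbouring entries.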



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

2014-08-19 Thread Sven Vermeulen
commit: e28086742e431918f0a742b4a8bc458b83032f40
Author: Chris PeBenito cpebenito AT tresys DOT com
AuthorDate: Mon Aug 18 14:30:28 2014 +
Commit: Sven Vermeulen swift AT gentoo DOT org
CommitDate: Tue Aug 19 20:06:38 2014 +
URL:
http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=e2808674

Module version bump for ping rawip socket fix from Luis Ressel.

---
 policy/modules/admin/netutils.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index 570bf2c..cfd9700 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -1,4 +1,4 @@
-policy_module(netutils, 1.13.0)
+policy_module(netutils, 1.13.1)
 
 
 #



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

2014-08-19 Thread Sven Vermeulen
commit: ed4c234f64e2e952f796563b8a7bb4a23b3210cc
Author: Luis Ressel aranea AT aixah DOT de
AuthorDate: Thu Jun 26 21:22:07 2014 +
Commit: Sven Vermeulen swift AT gentoo DOT org
CommitDate: Tue Aug 19 20:06:36 2014 +
URL:
http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=ed4c234f

Grant ping_t getattr on rawip_socket

If the (sadly nearly undocumented) Linux kernel feature which allows
specific user groups to send ICMP echos without CAP_NET_RAW
(configurable with the sysctl net.ipv4.ping_group_range, available since
3.0) is used, ping needs the getattr permission of the rawip_socket
class in order to work.

---
 policy/modules/admin/netutils.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index 7aa7384..570bf2c 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -110,7 +110,7 @@ allow ping_t self:capability { setuid net_raw };
 allow ping_t self:process { getcap setcap };
 dontaudit ping_t self:capability sys_tty_config;
 allow ping_t self:tcp_socket create_socket_perms;
-allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
+allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt 
getattr };
 allow ping_t self:packet_socket { create ioctl read write bind getopt setopt };
 allow ping_t self:netlink_route_socket create_netlink_socket_perms;
 
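Review bot: worth a comment beside the rule explaining why a non-raw socket lands in rawip_socket: the IPPROTO_ICMP datagram socket that net.ipv4.ping_group_range enables is mapped by SELinux to the rawip_socket class (the kernel had no separate class for it at the time), so getattr here covers fstat/getsockname on that socket and grants no new raw-socket capability. Style-wise, the permission lists in this file are kept sorted elsewhere; appending getattr after setopt breaks that order.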



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

2014-04-08 Thread Sven Vermeulen
commit: 6f89ead94bb14f55eca319a101c791159faa9739
Author: Sven Vermeulen sven.vermeulen AT siphos DOT be
AuthorDate: Tue Mar 25 20:30:04 2014 +
Commit: Sven Vermeulen swift AT gentoo DOT org
CommitDate: Tue Apr  8 15:20:56 2014 +
URL:
http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=6f89ead9

Hide getattr denials upon sudo invocation

When sudo is invoked (sudo -i) the audit log gets quite a lot of denials
related to the getattr permission against tty_device_t:chr_file for the
*_sudo_t domain. However, no additional logging (that would hint at a
need) by sudo, nor any functional issues come up.

Hence the dontaudit call.

Signed-off-by: Sven Vermeulen sven.vermeulen AT siphos.be

---
 policy/modules/admin/sudo.if | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
index 4bb2245..07e5db8 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -110,6 +110,7 @@ template(`sudo_role_template',`
selinux_compute_relabel_context($1_sudo_t)
 
term_getattr_pty_fs($1_sudo_t)
+   term_dontaudit_getattr_unallocated_ttys($1_sudo_t)
term_relabel_all_ttys($1_sudo_t)
term_relabel_all_ptys($1_sudo_t)
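Review bot: term_dontaudit_getattr_unallocated_ttys covers the tty_device_t:chr_file getattr named in the message, so this is a sound noise fix, but add a comment above the call recording the observation (sudo -i stats ttys, no functional need seen), as the other Gentoo additions in this tree do, so a later reader does not turn the dontaudit into an allow.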