[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/
commit: ef89017d69182a71eb3cd46369ba5bb079f6f165 Author: Grzegorz Filo wp pl> AuthorDate: Thu Apr 4 18:09:08 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Tue May 14 17:43:11 2024 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ef89017d remove unnecessary code Signed-off-by: Grzegorz Filo wp.pl> Closes: https://github.com/gentoo/hardened-refpolicy/pull/2 Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/admin/bootloader.te | 5 - policy/modules/admin/portage.te| 1 - 2 files changed, 6 deletions(-)
diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
index 81748a5f3..5a7e1cd4d 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -263,8 +263,3 @@ optional_policy(`
 optional_policy(`
 rpm_rw_pipes(bootloader_t)
 ')
-
-ifdef(`distro_gentoo',`
- # Fix bug #537652 - grub2-mkconfig has search rights needed on current dir (usually user home dir)
- userdom_search_user_home_dirs(bootloader_t)
-')
diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
index 2cd5d0482..c42552651 100644
--- a/policy/modules/admin/portage.te
+++ b/policy/modules/admin/portage.te
@@ -173,7 +173,6 @@ allow portage_t self:process { setfscreate };
 # - kill for mysql merging, at least
 allow portage_t self:capability { kill setfcap sys_nice };
 allow portage_t self:netlink_route_socket create_netlink_socket_perms;
-dontaudit portage_t self:capability { dac_read_search };
 # user post-sync scripts
 can_exec(portage_t, portage_conf_t)
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/, policy/modules/kernel/
commit: da28221423dba9c102a06afb6c7eac7cd2d0117a Author: Kenton Groombridge gentoo org> AuthorDate: Mon May 6 20:31:46 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Tue May 14 17:41:44 2024 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=da282214 bootloader: allow systemd-boot to manage EFI binaries systemd-boot's bootctl utility is used to install and update its EFI binaries in the EFI partition. If it is mounted with boot_t, bootctl needs to be able to manage boot_t files. Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/admin/bootloader.te | 4 policy/modules/kernel/files.if | 19 +++ 2 files changed, 23 insertions(+)
diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
index 294ce7e0c..81748a5f3 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -225,6 +225,10 @@ ifdef(`init_systemd',`
 fs_getattr_cgroup(bootloader_t)
 init_read_state(bootloader_t)
 init_rw_inherited_stream_socket(bootloader_t)
+
+ # for systemd-boot-update to manage EFI binaries
+ domain_obj_id_change_exemption(bootloader_t)
+ files_mmap_read_boot_files(bootloader_t)
 ')
 optional_policy(`
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index e0337d044..b9c451321 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -2590,6 +2590,25 @@ interface(`files_read_boot_files',`
 read_files_pattern($1, boot_t, boot_t)
 ')
+
+##
+## Read and memory map files in the /boot directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`files_mmap_read_boot_files',`
+ gen_require(`
+ type boot_t;
+ ')
+
+ mmap_read_files_pattern($1, boot_t, boot_t)
+')
+
 ##
 ## Create, read, write, and delete files
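Review bot: `domain_obj_id_change_exemption(bootloader_t)` is a far wider grant than the comment above it implies: by its name and refpolicy convention it exempts the whole domain from the constraints on changing an object's SELinux user/role, for anything bootloader_t can already create or relabel, not just boot_t on the ESP. The comment `# for systemd-boot-update to manage EFI binaries` should record the constraint denial that motivated it (presumably bootctl writing files whose object user differs on the vfat ESP) so a later reviewer can judge whether a narrower rule suffices, e.g. `# bootctl trips the object-identity-change constraint when (re)writing boot_t files on the ESP; see da282214`. Note also that this hunk only adds mmap-read of boot_t while the message says bootctl must manage boot_t files, so the manage rules are presumably elsewhere in bootloader.te and a pointer in the comment would help. The enclosing `ifdef(`init_systemd',`` block begins before the hunk.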
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/, policy/modules/services/, policy/modules/system/
commit: 89eef551684761379a5dd51221485b025d0014e5 Author: Chris PeBenito linux microsoft com> AuthorDate: Thu Feb 29 18:31:57 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Tue May 14 17:40:59 2024 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=89eef551 xen: Drop xend/xm stack. Xend/xm was replaced with xl in Xen 4.5 (Jan 2015). https://xenproject.org/2015/01/15/less-is-more-in-the-new-xen-project-4-5-release/ Signed-off-by: Chris PeBenito linux.microsoft.com> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/admin/brctl.te | 1 - policy/modules/admin/consoletype.te | 2 - policy/modules/admin/sblim.te | 1 - policy/modules/services/nscd.te | 1 - policy/modules/services/pegasus.te | 1 - policy/modules/services/snmp.te | 1 - policy/modules/services/vhostmd.te | 1 - policy/modules/services/virt.te | 8 +- policy/modules/system/hostname.te | 1 - policy/modules/system/lvm.te| 1 - policy/modules/system/sysnetwork.te | 2 - policy/modules/system/xen.fc| 21 +-- policy/modules/system/xen.if| 149 +++- policy/modules/system/xen.te| 272 14 files changed, 54 insertions(+), 408 deletions(-)
diff --git a/policy/modules/admin/brctl.te b/policy/modules/admin/brctl.te
index 7ce029c05..026b0002d 100644
--- a/policy/modules/admin/brctl.te
+++ b/policy/modules/admin/brctl.te
@@ -43,5 +43,4 @@ miscfiles_read_localization(brctl_t)
 optional_policy(`
 xen_append_log(brctl_t)
- xen_dontaudit_rw_unix_stream_sockets(brctl_t)
 ')
diff --git a/policy/modules/admin/consoletype.te b/policy/modules/admin/consoletype.te
index dda9e62ff..1989db82c 100644
--- a/policy/modules/admin/consoletype.te
+++ b/policy/modules/admin/consoletype.te
@@ -109,6 +109,4 @@ optional_policy(`
 kernel_read_xen_state(consoletype_t)
 kernel_write_xen_state(consoletype_t)
 xen_append_log(consoletype_t)
- xen_dontaudit_rw_unix_stream_sockets(consoletype_t)
- xen_dontaudit_use_fds(consoletype_t)
 ')
diff --git a/policy/modules/admin/sblim.te b/policy/modules/admin/sblim.te
index 5e2978c5f..d9bab1a79 100644
--- a/policy/modules/admin/sblim.te
+++ b/policy/modules/admin/sblim.te
@@ -106,7 +106,6 @@ optional_policy(`
 ')
 optional_policy(`
- xen_stream_connect(sblim_gatherd_t)
 xen_stream_connect_xenstore(sblim_gatherd_t)
 ')
diff --git a/policy/modules/services/nscd.te b/policy/modules/services/nscd.te
index f63b75f4f..ffc60497c 100644
--- a/policy/modules/services/nscd.te
+++ b/policy/modules/services/nscd.te
@@ -132,6 +132,5 @@ optional_policy(`
 ')
 optional_policy(`
- xen_dontaudit_rw_unix_stream_sockets(nscd_t)
 xen_append_log(nscd_t)
 ')
diff --git a/policy/modules/services/pegasus.te b/policy/modules/services/pegasus.te
index a5aa3a285..e7287b49a 100644
--- a/policy/modules/services/pegasus.te
+++ b/policy/modules/services/pegasus.te
@@ -184,6 +184,5 @@ optional_policy(`
 ')
 optional_policy(`
- xen_stream_connect(pegasus_t)
 xen_stream_connect_xenstore(pegasus_t)
 ')
diff --git a/policy/modules/services/snmp.te b/policy/modules/services/snmp.te
index 846ab288a..b498e894b 100644
--- a/policy/modules/services/snmp.te
+++ b/policy/modules/services/snmp.te
@@ -167,6 +167,5 @@ optional_policy(`
 kernel_read_xen_state(snmpd_t)
 kernel_write_xen_state(snmpd_t)
- xen_stream_connect(snmpd_t)
 xen_stream_connect_xenstore(snmpd_t)
 ')
diff --git a/policy/modules/services/vhostmd.te b/policy/modules/services/vhostmd.te
index 94ee048d1..9a866deea 100644
--- a/policy/modules/services/vhostmd.te
+++ b/policy/modules/services/vhostmd.te
@@ -79,7 +79,6 @@ optional_policy(`
 optional_policy(`
 xen_domtrans_xm(vhostmd_t)
- xen_stream_connect(vhostmd_t)
 xen_stream_connect_xenstore(vhostmd_t)
 xen_stream_connect_xm(vhostmd_t)
 ')
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
index a6161d739..f0c4c2d65 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@@ -820,8 +820,8 @@ optional_policy(`
 kernel_read_xen_state(virtd_t)
 kernel_write_xen_state(virtd_t)
- xen_exec(virtd_t)
- xen_stream_connect(virtd_t)
+ xen_domtrans_xm(virtd_t)
+ xen_stream_connect_xm(virtd_t)
 xen_stream_connect_xenstore(virtd_t)
 xen_read_image_files(virtd_t)
 ')
@@ -944,9 +944,9 @@ optional_policy(`
 optional_policy(`
 xen_manage_image_dirs(virsh_t)
 xen_append_log(virsh_t)
- xen_domtrans(virsh_t)
+ xen_domtrans_xm(virsh_t)
 xen_read_xenstored_runtime_files(virsh_t)
- xen_stream_connect(virsh_t)
+ xen_stream_connect_xm(virsh_t)
 xen_stream_connect_xenstore(virsh_t)
 ')
diff --git a/policy/modules/system/hostname.te
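Review bot: Replacing `xen_exec(virtd_t)` with `xen_domtrans_xm(virtd_t)` (and switching virsh_t to `xen_domtrans_xm`/`xen_stream_connect_xm`) means virtd_t now transitions into xm_t when it runs the tool instead of running it in its own domain, which is a semantic change rather than a rename, and it shows that the xm_t domain survives a commit titled "Drop xend/xm stack" (presumably now labelling xl; xen.te is not in this excerpt). A sentence in the commit message such as `xm_t is kept as the domain for xl; only xend_t and the xend sockets/interfaces are removed` would spare the next reader the check. It is also worth confirming that xm_t carries the access virtd_t previously exercised directly under xen_exec (image files, logs, xenstore), since those rules are now split across two domains.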
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/, policy/modules/services/
commit: 3eefa3b065ed81f56fddfb12a372012ef5e2a336 Author: Russell Coker coker com au> AuthorDate: Mon Sep 25 15:01:12 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Oct 6 15:27:06 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3eefa3b0 small ntp and dns changes (#703) * Small changes for ntp, bind, avahi, and dnsmasq Signed-off-by: Russell Coker coker.com.au> Signed-off-by: Kenton Groomb
ridge gentoo.org> policy/modules/admin/dpkg.te | 9 + policy/modules/services/avahi.te | 4 policy/modules/services/bind.te| 7 +-- policy/modules/services/dnsmasq.te | 4 policy/modules/services/ntp.fc | 1 + policy/modules/services/ntp.if | 19 +++ 6 files changed, 42 insertions(+), 2 deletions(-)
diff --git a/policy/modules/admin/dpkg.te b/policy/modules/admin/dpkg.te
index d6871de21..d4a56e5eb 100644
--- a/policy/modules/admin/dpkg.te
+++ b/policy/modules/admin/dpkg.te
@@ -350,8 +350,17 @@ optional_policy(`
 nis_use_ypbind(dpkg_script_t)
 ')
+optional_policy(`
+ ntp_filetrans_drift(dpkg_script_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(dpkg_script_t)
+')
+
 optional_policy(`
 systemd_read_logind_state(dpkg_script_t)
+ systemd_dbus_chat_hostnamed(dpkg_script_t)
 systemd_dbus_chat_logind(dpkg_script_t)
 systemd_run_sysusers(dpkg_script_t, dpkg_roles)
 ')
diff --git a/policy/modules/services/avahi.te b/policy/modules/services/avahi.te
index 773d2b8ff..1094e39db 100644
--- a/policy/modules/services/avahi.te
+++ b/policy/modules/services/avahi.te
@@ -111,3 +111,7 @@ optional_policy(`
 seutil_sigchld_newrole(avahi_t)
 ')
+optional_policy(`
+ unconfined_dbus_send(avahi_t)
+')
+
diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te
index 1b3e674a1..0a08be452 100644
--- a/policy/modules/services/bind.te
+++ b/policy/modules/services/bind.te
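Review bot: None of the three new grants to dpkg_script_t carries a why-comment, and `policykit_dbus_chat(dpkg_script_t)` lets any package maintainer script exchange D-Bus messages with polkit in both directions, which is wider than a single postinst usually needs. Add a comment naming the script that produced the denial next to each rule, e.g. `# <package> postinst calls hostnamectl / queries polkit`, so the access can be re-audited later; if only a send is required, a send-only interface (if policykit.if provides one) would be narrower than chat. The same applies to `ntp_filetrans_drift(dpkg_script_t)`, whose effect on every /var/lib directory the script creates is discussed on the ntp.if hunk.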
@@ -213,9 +213,9 @@ optional_policy(`
 # NDC local policy
 #
-allow ndc_t self:capability { dac_override net_admin };
+allow ndc_t self:capability { dac_override dac_read_search net_admin };
 allow ndc_t self:capability2 block_suspend;
-allow ndc_t self:process signal_perms;
+allow ndc_t self:process { signal_perms getsched setsched };
 allow ndc_t self:fifo_file rw_fifo_file_perms;
 allow ndc_t self:unix_stream_socket { accept listen };
@@ -231,6 +231,9 @@ allow ndc_t named_zone_t:dir search_dir_perms;
 kernel_read_kernel_sysctls(ndc_t)
 kernel_read_system_state(ndc_t)
+kernel_read_vm_overcommit_sysctl(ndc_t)
+
+dev_read_sysfs(ndc_t)
 corenet_all_recvfrom_netlabel(ndc_t)
 corenet_tcp_sendrecv_generic_if(ndc_t)
diff --git a/policy/modules/services/dnsmasq.te b/policy/modules/services/dnsmasq.te
index 6d1799ba8..2e492954d 100644
--- a/policy/modules/services/dnsmasq.te
+++ b/policy/modules/services/dnsmasq.te
@@ -108,6 +108,10 @@ optional_policy(`
 ')
 optional_policy(`
+ # for the dnsmasq-usb0.leases file
+ networkmanager_manage_lib_files(dnsmasq_t)
+
+ networkmanager_read_etc_files(dnsmasq_t)
 networkmanager_read_runtime_files(dnsmasq_t)
 ')
diff --git a/policy/modules/services/ntp.fc b/policy/modules/services/ntp.fc
index 4d014d196..4f19959e7 100644
--- a/policy/modules/services/ntp.fc
+++ b/policy/modules/services/ntp.fc
@@ -30,6 +30,7 @@
 /var/db/ntp-kod-- gen_context(system_u:object_r:ntp_drift_t,s0)
 /var/lib/ntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
+/var/lib/ntpsec(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
 /var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
 /var/lib/systemd/clock -- gen_context(system_u:object_r:ntp_drift_t,s0)
 /var/lib/systemd/timesync(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
diff --git a/policy/modules/services/ntp.if b/policy/modules/services/ntp.if
index 4953e9f08..9df5d8d07 100644
--- a/policy/modules/services/ntp.if
+++ b/policy/modules/services/ntp.if
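Review bot: `networkmanager_manage_lib_files(dnsmasq_t)` in the dnsmasq.te hunk grants create, write and unlink on every file of NetworkManager's var_lib type, not only the `dnsmasq-usb0.leases` file the comment names, so a compromised dnsmasq could presumably also alter NetworkManager's own state kept under that type. If the lease file only needs to be written, an rw-only interface (if networkmanager.if offers one) or a dedicated lease type with a named filetrans would be narrower; otherwise widen the comment so the trade-off is explicit: `# NetworkManager-spawned dnsmasq writes dnsmasq-<iface>.leases under /var/lib/NetworkManager; manage is wider than strictly needed`. The enclosing `optional_policy` block opens inside the hunk; the file continues outside it.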
@@ -176,6 +176,25 @@ interface(`ntp_read_drift_files',`
 read_files_pattern($1, ntp_drift_t, ntp_drift_t)
 ')
+
+##
+## specified domain creates /var/lib/ntpsec/ with the correct type
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ntp_filetrans_drift',`
+ gen_require(`
+ type ntp_drift_t;
+ ')
+
+ files_search_var_lib($1)
+ files_var_lib_filetrans($1, ntp_drift_t, dir)
+')
+
 ##
 ## Read and write ntpd shared memory.
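Review bot: `files_var_lib_filetrans($1, ntp_drift_t, dir)` has no filename argument, so it is an unnamed type transition: every directory the caller creates directly under /var/lib becomes ntp_drift_t, not only `ntpsec` as the summary says, and for dpkg_script_t (which creates many /var/lib directories during package installation) that mislabels unrelated state, or fails to build if the domain already carries another unnamed dir transition on var_lib_t. Pass the name so only that directory transitions: `files_var_lib_filetrans($1, ntp_drift_t, dir, "ntpsec")`. The interface summary appears to have lost its XML tags in this excerpt, so its wording is not reviewed here.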
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/
commit: a54fe39b3f5462bb0bbb22cfe883c8d38dfe9168 Author: Corentin LABBE gmail com> AuthorDate: Tue Jan 10 09:11:56 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Mon Feb 13 15:23:57 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a54fe39b portage: add new location for portage commands There are missing lot of portage commands location, add them following the gentoo SELinux repo. Signed-off-by: Corentin LABBE gmail.com> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/admin/portage.fc | 7 +++ 1 file changed, 7 insertions(+)
diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc
index 7cf6e7855..620ade57a 100644
--- a/policy/modules/admin/portage.fc
+++ b/policy/modules/admin/portage.fc
@@ -5,11 +5,17 @@
 /etc/portage/gpg(/.*)? gen_context(system_u:object_r:portage_gpg_t,s0)
 /usr/bin/emerge -- gen_context(system_u:object_r:portage_exec_t,s0)
+/usr/bin/emerge-webrsync -- gen_context(system_u:object_r:portage_fetch_exec_t,s0)
 /usr/bin/gcc-config-- gen_context(system_u:object_r:gcc_config_exec_t,s0)
 /usr/bin/glsa-check-- gen_context(system_u:object_r:portage_exec_t,s0)
 /usr/bin/layman-- gen_context(system_u:object_r:portage_fetch_exec_t,s0)
 /usr/bin/sandbox -- gen_context(system_u:object_r:portage_exec_t,s0)
+/usr/lib/python-exec/python[0-9]\.[0-9]*/glsa-check-- gen_context(system_u:object_r:portage_exec_t,s0)
+/usr/lib/python-exec/python[0-9]\.[0-9]*/layman-- gen_context(system_u:object_r:portage_fetch_exec_t,s0)
+/usr/lib/python-exec/python[0-9]\.[0-9]*/emaint-- gen_context(system_u:object_r:portage_exec_t,s0)
+/usr/lib/python-exec/python[0-9]\.[0-9]*/emerge-- gen_context(system_u:object_r:portage_exec_t,s0)
+
 /usr/portage(/.*)? gen_context(system_u:object_r:portage_ebuild_t,s0)
 /usr/portage/distfiles/cvs-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0)
 /usr/portage/distfiles/egit-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0)
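Review bot: The four new python-exec patterns match only `python[0-9]\.[0-9]*` implementation directories; python-exec also installs wrappers under other implementation names (e.g. `pypy3`), and an emerge/emaint/glsa-check entry point living there would stay labelled as a generic binary and never transition into portage_t, so emerge would run unconfined in the caller's domain. That is presumably acceptable since the commit mirrors the gentoo SELinux repo, but it deserves a comment such as `# python-exec entry points; only CPython implementation dirs are covered`. The entries are also added outside any `ifdef(`distro_gentoo',`` guard, so if the gentoo-specific block further down the file still carries the same paths they now duplicate each other.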
@@ -31,6 +37,7 @@
 /var/log/emerge\.log.* -- gen_context(system_u:object_r:portage_log_t,s0)
 /var/log/emerge-fetch\.log -- gen_context(system_u:object_r:portage_log_t,s0)
 /var/log/portage(/.*)? gen_context(system_u:object_r:portage_log_t,s0)
+/var/log/sandbox(/.*)? gen_context(system_u:object_r:portage_log_t,s0)
 /var/lib/layman(/.*)? gen_context(system_u:object_r:portage_ebuild_t,s0)
 /var/lib/portage(/.*)? gen_context(system_u:object_r:portage_cache_t,s0)
 /var/tmp/binpkgs(/.*)? gen_context(system_u:object_r:portage_tmp_t,s0)
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/
commit: 1c5e100deea50d51456ec8b55b3a84c11ef84e96 Author: Kenton Groombridge gentoo org> AuthorDate: Mon Feb 13 15:31:52 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Mon Feb 13 15:34:51 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1c5e100d portage: cleanup duplicated file contexts Some file contexts were upstreamed from Gentoo's policy. Remove these now duplicated lines. Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/admin/portage.fc | 9 - 1 file changed, 9 deletions(-)
diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc
index 4fc9c880a..a042aff8b 100644
--- a/policy/modules/admin/portage.fc
+++ b/policy/modules/admin/portage.fc
@@ -46,12 +46,3 @@
 /var/tmp/emerge-webrsync(/.*)? gen_context(system_u:object_r:portage_tmp_t,s0)
 /var/tmp/portage(/.*)? gen_context(system_u:object_r:portage_tmp_t,s0)
 /var/tmp/portage-pkg(/.*)? gen_context(system_u:object_r:portage_tmp_t,s0)
-
-ifdef(`distro_gentoo',`
-/usr/bin/emerge-webrsync -- gen_context(system_u:object_r:portage_fetch_exec_t,s0)
-/usr/lib/python-exec/python[0-9]\.[0-9]*/glsa-check-- gen_context(system_u:object_r:portage_exec_t,s0)
-/usr/lib/python-exec/python[0-9]\.[0-9]*/layman-- gen_context(system_u:object_r:portage_fetch_exec_t,s0)
-/usr/lib/python-exec/python[0-9]\.[0-9]*/emaint-- gen_context(system_u:object_r:portage_exec_t,s0)
-/usr/lib/python-exec/python[0-9]\.[0-9]*/emerge-- gen_context(system_u:object_r:portage_exec_t,s0)
-/var/log/sandbox(/.*)? gen_context(system_u:object_r:portage_log_t,s0)
-')
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/
commit: 2cec96ddfb5cdb3f78f9a380ab06fa8fdc0478d2 Author: Corentin LABBE gmail com> AuthorDate: Mon Jan 9 08:33:10 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Mon Feb 13 15:19:58 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2cec96dd usermanage: permit groupadd to read kernel sysctl When using groupadd, I got some AVC due to groupadd reading /proc/sys/kernel/cap_last_cap Signed-off-by: Corentin LABBE gmail.com> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/admin/usermanage.te | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index b5d443dd4..fd2da2ffc 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -227,6 +227,8 @@ files_relabel_etc_files(groupadd_t)
 files_read_etc_runtime_files(groupadd_t)
 files_read_usr_symlinks(groupadd_t)
+kernel_read_kernel_sysctls(groupadd_t)
+
 # Execute /usr/bin/{passwd, chfn, chsh} and /usr/sbin/{useradd, vipw}.
 corecmd_exec_bin(groupadd_t)
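Review bot: `kernel_read_kernel_sysctls(groupadd_t)` opens all of /proc/sys/kernel to groupadd_t, while the commit message says only `cap_last_cap` is read; the hunk shows no narrower interface for that file, so at least record the reason in the policy rather than only in the log: `# groupadd reads /proc/sys/kernel/cap_last_cap` above the new line. The surrounding groupadd_t rules continue outside the hunk.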
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/
commit: b541f2c178bdcafd132f99124f7e4e7fb18524c7 Author: Corentin LABBE gmail com> AuthorDate: Tue Jan 10 09:00:41 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Mon Feb 13 15:22:54 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b541f2c1 portage: Remove old binary location /usr/lib/portage/bin is not used anymore Signed-off-by: Corentin LABBE gmail.com> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/admin/portage.fc | 7 --- 1 file changed, 7 deletions(-)
diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc
index 6911cb48c..7cf6e7855 100644
--- a/policy/modules/admin/portage.fc
+++ b/policy/modules/admin/portage.fc
@@ -10,13 +10,6 @@
 /usr/bin/layman-- gen_context(system_u:object_r:portage_fetch_exec_t,s0)
 /usr/bin/sandbox -- gen_context(system_u:object_r:portage_exec_t,s0)
-/usr/lib/portage/bin/emerge-- gen_context(system_u:object_r:portage_exec_t,s0)
-/usr/lib/portage/bin/emerge-webrsync -- gen_context(system_u:object_r:portage_fetch_exec_t,s0)
-/usr/lib/portage/bin/quickpkg -- gen_context(system_u:object_r:portage_exec_t,s0)
-/usr/lib/portage/bin/regenworld-- gen_context(system_u:object_r:portage_exec_t,s0)
-/usr/lib/portage/bin/sandbox -- gen_context(system_u:object_r:portage_exec_t,s0)
-
-
 /usr/portage(/.*)? gen_context(system_u:object_r:portage_ebuild_t,s0)
 /usr/portage/distfiles/cvs-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0)
 /usr/portage/distfiles/egit-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0)
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/
commit: c13b9d0ad5d447db396972111c4534dbdb00e3d9 Author: Kenton Groombridge concord sh> AuthorDate: Wed Dec 7 14:49:14 2022 + Commit: Kenton Groombridge gentoo org> CommitDate: Tue Dec 13 19:07:31 2022 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c13b9d0a netutils: minor fixes for nmap and traceroute Signed-off-by: Kenton Groombridge concord.sh> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/admin/netutils.te | 5 + 1 file changed, 5 insertions(+)
diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index 3f85d1a57..85c9a33d5 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -40,6 +40,8 @@ init_system_domain(traceroute_t, traceroute_exec_t)
 allow netutils_t self:capability { dac_read_search net_admin net_raw setgid setpcap setuid sys_chroot };
 dontaudit netutils_t self:capability { dac_override sys_tty_config };
 allow netutils_t self:process { getcap setcap signal_perms };
+# netlink_generic_socket for nmap.
+allow netutils_t self:netlink_generic_socket create_socket_perms;
 allow netutils_t self:netlink_route_socket create_netlink_socket_perms;
 allow netutils_t self:netlink_socket create_socket_perms;
 # For tcpdump.
@@ -73,6 +75,8 @@ fs_getattr_xattr_fs(netutils_t)
 domain_use_interactive_fds(netutils_t)
+kernel_dontaudit_getattr_proc(netutils_t)
+
 files_read_etc_files(netutils_t)
 # for nscd
 files_dontaudit_search_var(netutils_t)
@@ -177,6 +181,7 @@ userdom_use_inherited_user_terminals(ss_t)
 allow traceroute_t self:capability { net_admin net_raw setgid setuid };
 allow traceroute_t self:fifo_file rw_inherited_fifo_file_perms;
 allow traceroute_t self:process signal;
+allow traceroute_t self:netlink_generic_socket create_socket_perms;
 allow traceroute_t self:rawip_socket create_socket_perms;
 allow traceroute_t self:packet_socket { map create_socket_perms };
 allow traceroute_t self:udp_socket create_socket_perms;
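Review bot: The traceroute_t line `allow traceroute_t self:netlink_generic_socket create_socket_perms;` in the last hunk has no comment, unlike the netutils_t rule above it that names nmap; say which traceroute implementation needs a generic netlink socket (presumably a libnl/libmnl-based build), e.g. `# generic netlink for <implementation> traceroute`. Likewise `kernel_dontaudit_getattr_proc(netutils_t)` in the middle hunk does not say what stats /proc; a short why-comment keeps the dontaudit from being mistaken for a grant later. The traceroute_t section continues outside the hunk.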
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/
commit: bd1a6b7906f6d0d7df6af70e91d8eb11a6fc8c7b Author: Dave Sugar gmail com> AuthorDate: Mon Oct 3 20:54:41 2022 + Commit: Kenton Groombridge gentoo org> CommitDate: Wed Nov 2 14:07:25 2022 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=bd1a6b79 fapolicyd: fagenrules chgrp's the compiled.rules node=localhost type=AVC msg=audit(1664829990.107:8051): avc: denied { chown } for pid=3709 comm="chgrp" capability=0 scontext=toor_u:sysadm_r:fagenrules_t:s0 tcontext=sysadm_u:sysadm_r:fagenrules_t:s0 tclass=capability permissive=0 Signed-off-by: Dave Sugar gmail.com> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/admin/fapolicyd.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/admin/fapolicyd.te b/policy/modules/admin/fapolicyd.te
index 9effdb04a..2e716c1aa 100644
--- a/policy/modules/admin/fapolicyd.te
+++ b/policy/modules/admin/fapolicyd.te
@@ -93,7 +93,7 @@ optional_policy(`
 # fagenrules local policy
 #
-allow fagenrules_t self:capability { fsetid kill };
+allow fagenrules_t self:capability { chown fsetid kill };
 allow fagenrules_t self:fifo_file rw_inherited_fifo_file_perms;
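Review bot: The new `chown` capability lets fagenrules_t change ownership on any file it can already setattr, not only compiled.rules, and the reason lives only in the commit message; carry it into the policy with `# fagenrules chgrp's compiled.rules` above the allow line. Separately, the quoted AVC shows a self:capability check whose scontext (toor_u) and tcontext (sysadm_u) differ in SELinux user, which is unusual for a capability check and suggests the denial was captured under an odd invocation, so it is worth confirming the fix was verified with a normal run. The `fagenrules local policy` section continues outside the hunk.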
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/
commit: c735ad15b5bc4ebb73d3995c1c43a59d36fbd0d4 Author: Dave Sugar gmail com> AuthorDate: Mon Oct 3 11:54:03 2022 + Commit: Kenton Groombridge gentoo org> CommitDate: Wed Nov 2 14:07:23 2022 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c735ad15 fix: issue #550 - compile failed when DIRECT_INITRC=y Signed-off-by: Dave Sugar gmail.com> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/admin/fapolicyd.if | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/policy/modules/admin/fapolicyd.if b/policy/modules/admin/fapolicyd.if
index aaa4c14eb..4ae2590ac 100644
--- a/policy/modules/admin/fapolicyd.if
+++ b/policy/modules/admin/fapolicyd.if
@@ -152,6 +152,8 @@ interface(`fapolicyd_admin',`
 files_search_runtime($1)
 admin_pattern($1, fapolicyd_runtime_t)
- fapolicyd_run_fagenrules($1, $2)
+ ifndef(`direct_sysadm_daemon',`
+ fapolicyd_run_fagenrules($1, $2)
+ ')
 fapolicyd_run_cli($1, $2)
 ')
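Review bot: Guarding `fapolicyd_run_fagenrules($1, $2)` with `ifndef(`direct_sysadm_daemon',`` makes the module build with DIRECT_INITRC=y, but in that configuration the admin role silently gets no fagenrules run access at all, and nothing in the hunk says why that is acceptable. If `fapolicyd_run_fagenrules` is simply not defined under direct_sysadm_daemon (the likely cause of issue #550, though the definition is not in this excerpt), say so at the guard, e.g. `# fapolicyd_run_fagenrules is only defined when direct_sysadm_daemon is unset`, and consider providing the equivalent domain transition in that build instead of dropping it. The enclosing `fapolicyd_admin` interface starts outside the hunk.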
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/
commit: 922e518a0609288260db0a8207b9e3a81dbff89f Author: Chris PeBenito linux microsoft com> AuthorDate: Tue Sep 20 13:52:11 2022 + Commit: Kenton Groombridge gentoo org> CommitDate: Wed Nov 2 14:06:52 2022 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=922e518a fapolicyd: Fix selint issue. Signed-off-by: Chris PeBenito linux.microsoft.com> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/admin/fapolicyd.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/admin/fapolicyd.te b/policy/modules/admin/fapolicyd.te
index 35e475340..9effdb04a 100644
--- a/policy/modules/admin/fapolicyd.te
+++ b/policy/modules/admin/fapolicyd.te
@@ -103,7 +103,7 @@ ps_process_pattern(fagenrules_t, fapolicyd_t)
 # /sbin/fagenrules copies compiled rules into /etc/faplicyd then calls restorecon
 # on new /etc/fapolicy/compiled.rules
-allow fagenrules_t fapolicyd_compiled_rules_t:file { relabelfrom relabelto };
+allow fagenrules_t fapolicyd_compiled_rules_t:file relabel_file_perms;
 filetrans_pattern(fagenrules_t, fapolicyd_config_t, fapolicyd_compiled_rules_t, file)
 manage_files_pattern(fagenrules_t, fapolicyd_config_t, fapolicyd_compiled_rules_t)
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/
commit: 7d41f1b7b4f4d675b62835be6d2416eb2368a1a1 Author: Kenton Groombridge gentoo org> AuthorDate: Tue Apr 19 22:53:44 2022 + Commit: Kenton Groombridge gentoo org> CommitDate: Sat Sep 3 20:04:23 2022 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7d41f1b7 portage: allow portage to map ebuild files When portage syncs a repo with git, git will mmap() ebuild files. Allow portage to map ebuild files to fix permission denied errors on syncing. Bug: https://bugs.gentoo.org/833017 Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/admin/portage.te | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
index 86966705..e3a19574 100644
--- a/policy/modules/admin/portage.te
+++ b/policy/modules/admin/portage.te
@@ -200,6 +200,8 @@ domain_dontaudit_read_all_domains_state(portage_t)
 files_manage_all_files(portage_t)
 # eselect uses file, which mmap()s its db
 files_map_usr_files(portage_t)
+# portage executing git mmap()s ebuild files when syncing
+allow portage_t portage_ebuild_t:file map;
 selinux_get_fs_mount(portage_t)
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/
commit: 7e3534c4597019c27f590644345ee64d3b45ceb0 Author: Dave Sugar gmail com> AuthorDate: Thu Aug 25 01:56:56 2022 + Commit: Jason Zaman gentoo org> CommitDate: Sat Sep 3 19:07:50 2022 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7e3534c4 usbguard: Allow to read fips_enabled sysctl node=localhost type=AVC msg=audit(1661391275.238:339): avc: denied { search } for pid=1031 comm="usbguard-daemon" name="crypto" dev="proc" ino=20463 scontext=system_u:system_r:usbguard_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1 node=localhost type=AVC msg=audit(1661391275.238:339): avc: denied { read } for pid=1031 comm="usbguard-daemon" name="fips_enabled" dev="proc" ino=20464 scontext=system_u:system_r:usbguard_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1 node=localhost type=AVC msg=audit(1661391275.238:339): avc: denied { open } for pid=1031 comm="usbguard-daemon" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=20464 scontext=system_u:system_r:usbguard_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1 node=localhost type=AVC msg=audit(1661391275.238:340): avc: denied { getattr } for pid=1031 comm="usbguard-daemon" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=20464 scontext=system_u:system_r:usbguard_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1 Signed-off-by: Dave Sugar gmail.com> Signed-off-by: Jason Zaman gentoo.org> policy/modules/admin/usbguard.te | 1 + 1 file changed, 1 insertion(+)
diff --git a/policy/modules/admin/usbguard.te b/policy/modules/admin/usbguard.te
index 26d9028b..4e8be854 100644
--- a/policy/modules/admin/usbguard.te
+++ b/policy/modules/admin/usbguard.te
@@ -65,6 +65,7 @@ setattr_files_pattern(usbguard_t, usbguard_log_t, usbguard_log_t)
 dev_rw_sysfs(usbguard_t)
+kernel_read_crypto_sysctls(usbguard_t)
 kernel_read_kernel_sysctls(usbguard_t)
 kernel_dontaudit_getattr_proc(usbguard_t)
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/
commit: 1308dbe2fce172abaee054dbeaa489cb0ca60a94 Author: Kenton Groombridge concord sh> AuthorDate: Wed Nov 10 17:14:46 2021 + Commit: Jason Zaman gentoo org> CommitDate: Thu Mar 31 02:40:53 2022 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1308dbe2 sudo: fixes for polyinstantiation PAM can be configured to allow sudo to unmount/remount private tmp directories when invoked. Allow this access if enabled. Signed-off-by: Kenton Groombridge concord.sh> Signed-off-by: Jason Zaman gentoo.org> policy/modules/admin/sudo.if | 6 ++ 1 file changed, 6 insertions(+)
diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
index d4249ec0..fb2c8333 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -145,6 +145,12 @@ template(`sudo_role_template',`
 userdom_dontaudit_search_user_home_content($1_sudo_t)
 userdom_dontaudit_search_user_home_dirs($1_sudo_t)
+ tunable_policy(`allow_polyinstantiation',`
+ allow $1_sudo_t self:capability sys_admin;
+ fs_mount_xattr_fs($1_sudo_t)
+ fs_unmount_xattr_fs($1_sudo_t)
+ ')
+
 tunable_policy(`sudo_allow_user_exec_domains',`
 allow $1_sudo_t $3:key search;
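Review bot: `allow $1_sudo_t self:capability sys_admin;` hands the broadest capability in the set to every per-user sudo domain whenever the tunable is on, with no comment on why; mounting and unmounting the polyinstantiated directories is what needs CAP_SYS_ADMIN, so say so: `# pam_namespace needs CAP_SYS_ADMIN to (un)mount polyinstantiated dirs`. `fs_mount_xattr_fs`/`fs_unmount_xattr_fs` likewise cover any xattr-capable filesystem rather than only the private tmp mounts, so if refpolicy's login-program helper for polyinstantiation (the one the auth login domains use under the same tunable) fits here, using it would keep the grants consistent and reviewable in one place. The `sudo_role_template` body continues outside the hunk on both sides.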
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/
commit: 300f017b1807980f57f1578f8ac1ffdf49a4285e Author: Chris PeBenito ieee org> AuthorDate: Fri Feb 18 18:25:04 2022 + Commit: Jason Zaman gentoo org> CommitDate: Sun Feb 27 02:13:17 2022 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=300f017b puppet: Style fixes. Signed-off-by: Chris PeBenito ieee.org> Signed-off-by: Jason Zaman gentoo.org> policy/modules/admin/puppet.fc | 1 + policy/modules/admin/puppet.te | 14 +++--- 2 files changed, 8 insertions(+), 7 deletions(-)
diff --git a/policy/modules/admin/puppet.fc b/policy/modules/admin/puppet.fc
index 001f21fe..42f3b7b2 100644
--- a/policy/modules/admin/puppet.fc
+++ b/policy/modules/admin/puppet.fc
@@ -12,6 +12,7 @@
 /usr/sbin/puppetmasterd-- gen_context(system_u:object_r:puppetmaster_exec_t,s0)
 /var/cache/puppet(/.*)?gen_context(system_u:object_r:puppet_cache_t,s0)
+
 /var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t,s0)
 /var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t,s0)
diff --git a/policy/modules/admin/puppet.te b/policy/modules/admin/puppet.te
index 7ef5ab83..9e312a17 100644
--- a/policy/modules/admin/puppet.te
+++ b/policy/modules/admin/puppet.te
@@ -20,6 +20,9 @@ type puppet_t;
 type puppet_exec_t;
 init_daemon_domain(puppet_t, puppet_exec_t)
+type puppet_cache_t;
+files_type(puppet_cache_t)
+
 type puppet_etc_t;
 files_config_file(puppet_etc_t)
@@ -36,9 +39,6 @@ init_daemon_runtime_file(puppet_runtime_t, dir, "puppet")
 type puppet_tmp_t;
 files_tmp_file(puppet_tmp_t)
-type puppet_cache_t;
-files_type(puppet_cache_t)
-
 type puppet_var_lib_t;
 files_type(puppet_var_lib_t)
@@ -73,10 +73,6 @@ allow puppet_t puppet_etc_t:dir list_dir_perms; allow puppet_t puppet_etc_t:file read_file_perms; allow puppet_t puppet_etc_t:lnk_file read_lnk_file_perms; -manage_dirs_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t) -manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t) -can_exec(puppet_t, puppet_var_lib_t) - manage_dirs_pattern(puppet_t, puppet_cache_t, puppet_cache_t) manage_files_pattern(puppet_t, puppet_cache_t, puppet_cache_t) @@ -84,6 +80,10 @@ setattr_dirs_pattern(puppet_t, puppet_runtime_t, puppet_runtime_t) manage_files_pattern(puppet_t, puppet_runtime_t, puppet_runtime_t) files_runtime_filetrans(puppet_t, puppet_runtime_t, { file dir }) +manage_dirs_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t) +manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t) +can_exec(puppet_t, puppet_var_lib_t) + allow puppet_t puppet_log_t:dir { create_dir_perms setattr_dir_perms }; append_files_pattern(puppet_t, puppet_log_t, puppet_log_t) create_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/
commit: 4b1f697b6a9ee59734e0cdf1067cc6d57a3b0799 Author: Russell Coker coker com au> AuthorDate: Thu Feb 17 14:45:38 2022 + Commit: Jason Zaman gentoo org> CommitDate: Sun Feb 27 02:13:17 2022 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4b1f697b puppet V3 Removed the entrypoint stuff that was controversial, the rest should be fine. I think it's ready to merge. Signed-off-by: Russell Coker coker.com.au> Signed-off-by: Jason Zaman gentoo.org> policy/modules/admin/puppet.fc | 1 + policy/modules/admin/puppet.te | 9 +++-- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/policy/modules/admin/puppet.fc b/policy/modules/admin/puppet.fc index f45bdc6a..001f21fe 100644 --- a/policy/modules/admin/puppet.fc +++ b/policy/modules/admin/puppet.fc @@ -11,6 +11,7 @@ /usr/sbin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0) /usr/sbin/puppetmasterd-- gen_context(system_u:object_r:puppetmaster_exec_t,s0) +/var/cache/puppet(/.*)?gen_context(system_u:object_r:puppet_cache_t,s0) /var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t,s0) /var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t,s0) diff --git a/policy/modules/admin/puppet.te b/policy/modules/admin/puppet.te index 3d5a832b..7ef5ab83 100644 --- a/policy/modules/admin/puppet.te +++ b/policy/modules/admin/puppet.te @@ -36,6 +36,9 @@ init_daemon_runtime_file(puppet_runtime_t, dir, "puppet") type puppet_tmp_t; files_tmp_file(puppet_tmp_t) +type puppet_cache_t; +files_type(puppet_cache_t) + type puppet_var_lib_t; files_type(puppet_var_lib_t) 
@@ -74,6 +77,9 @@ manage_dirs_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t) manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t) can_exec(puppet_t, puppet_var_lib_t) +manage_dirs_pattern(puppet_t, puppet_cache_t, puppet_cache_t) +manage_files_pattern(puppet_t, puppet_cache_t, puppet_cache_t) + setattr_dirs_pattern(puppet_t, puppet_runtime_t, puppet_runtime_t) manage_files_pattern(puppet_t, puppet_runtime_t, puppet_runtime_t) files_runtime_filetrans(puppet_t, puppet_runtime_t, { file dir }) @@ -182,8 +188,6 @@ optional_policy(` ') optional_policy(` - files_rw_var_files(puppet_t) - rpm_domtrans(puppet_t) rpm_manage_db(puppet_t) rpm_manage_log(puppet_t) @@ -267,6 +271,7 @@ allow puppetmaster_t puppet_etc_t:lnk_file read_lnk_file_perms; allow puppetmaster_t puppet_log_t:dir setattr_dir_perms; append_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t) create_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t) +read_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t) setattr_files_pattern(puppetmaster_t, puppet_log_t, puppet_log_t) logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir })
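Review bot: `manage_dirs_pattern(puppet_t, puppet_cache_t, puppet_cache_t)` lets puppet_t work inside /var/cache/puppet, but no type transition is added, so if the agent creates that directory itself at runtime instead of the package shipping it pre-labelled, it inherits the parent's label and none of the new cache rules apply. Presumably the package creates it, but `files_var_filetrans(puppet_t, puppet_cache_t, dir, "puppet")` next to the cache rules would make first-run behaviour independent of packaging (hedged: confirm the correct parent interface for /var/cache in this tree). Dropping `files_rw_var_files(puppet_t)` from the rpm block is a welcome tightening and is consistent with giving the cache its own type. The enclosing rpm `optional_policy` block starts and ends outside the hunk.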
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/
commit: 545b803c06726d7b5f28a244b7ae4f9a92a353ef Author: Jason Zaman gentoo org> AuthorDate: Mon Jan 31 19:25:33 2022 + Commit: Jason Zaman gentoo org> CommitDate: Mon Jan 31 19:25:33 2022 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=545b803c puppet: Update gentoo-specific tunable to fix selint error Can use files_relabel_all_non_security_file_types instead of the gen_require hack Signed-off-by: Jason Zaman gentoo.org> policy/modules/admin/puppet.te | 24 ++-- 1 file changed, 2 insertions(+), 22 deletions(-) diff --git a/policy/modules/admin/puppet.te b/policy/modules/admin/puppet.te index 8e7c20c3..3d5a832b 100644 --- a/policy/modules/admin/puppet.te +++ b/policy/modules/admin/puppet.te 
@@ -370,28 +370,8 @@ ifdef(`distro_gentoo',` usermanage_domtrans_passwd(puppet_t) tunable_policy(`puppet_manage_all_files',` - # We should use files_relabel_all_files here, but it calls - # seutil_relabelto_bin_policy which sets a "typeattribute type attr", - # which is not allowed within a tunable_policy. - # So, we duplicate the content of files_relabel_all_files except for - # the policy configuration stuff and hope users do that through Portage - - gen_require(` #selint-disable:S-001 - attribute file_type; - attribute security_file_type; - type policy_config_t; - ') - - allow puppet_t { file_type -policy_config_t -security_file_type }:dir list_dir_perms; - relabel_dirs_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type }) - relabel_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type }) - relabel_lnk_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type }) - relabel_fifo_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type }) - relabel_sock_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type }) - # this is only relabelfrom since there should be no - # device nodes with file types. - relabelfrom_blk_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type }) - relabelfrom_chr_files_pattern(puppet_t, { file_type -policy_config_t -security_file_type }, { file_type -policy_config_t -security_file_type }) + # Also allows relabelfrom blk and chr_files which are not in files_manage_non_auth_files + files_relabel_all_non_security_file_types(puppet_t) ') optional_policy(`
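Review bot: The replacement comment `# Also allows relabelfrom blk and chr_files which are not in files_manage_non_auth_files` refers to an interface this block never used, while the security-relevant fact — that the old hand-expanded rules excluded `policy_config_t` by name and the new `files_relabel_all_non_security_file_types(puppet_t)` relies on that type carrying `security_file_type` — is left undocumented. Suggest `# relabel everything except security_file_type (shadow, policy config, ...); files_relabel_all_files cannot be used here because it sets a typeattribute, which is not allowed inside tunable_policy`. Please confirm that policy_config_t is a security_file_type in this tree; if it is not, the tunable now lets puppet_t relabel the loaded policy store, which the previous code deliberately prevented. The `puppet_manage_all_files` tunable block is inside a `distro_gentoo` ifdef that starts outside the hunk.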
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/
commit: 943fe93787010a8bded9d75728cc3ab097ef3aeb Author: Jonathan Davies protonmail com> AuthorDate: Thu Jan 27 19:48:57 2022 + Commit: Jason Zaman gentoo org> CommitDate: Mon Jan 31 17:55:20 2022 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=943fe937 portage.te: Allow gcc_config_t to manage portage_tmp_t Allows /etc/env.d/04gcc-x86_64-gentoo-linux-musl to be correctly generated. Closes: https://github.com/perfinion/hardened-refpolicy/pull/26 Signed-off-by: Jonathan Davies protonmail.com> Signed-off-by: Jason Zaman gentoo.org> policy/modules/admin/portage.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te index cd66e6e7..9abbdc37 100644 --- a/policy/modules/admin/portage.te +++ b/policy/modules/admin/portage.te @@ -435,6 +435,9 @@ gen_tunable(portage_enable_test, false) can_exec(gcc_config_t, gcc_config_tmp_t) # libffi support files_tmp_filetrans(gcc_config_t, gcc_config_tmp_t, file) + allow gcc_config_t portage_tmp_t:dir manage_dir_perms; + allow gcc_config_t portage_tmp_t:file manage_file_perms; + files_manage_etc_runtime_files(gcc_config_t) files_manage_etc_runtime_lnk_files(gcc_config_t)
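Review bot: The two raw `allow gcc_config_t portage_tmp_t:...` rules are written differently from every neighbouring rule, which use the pattern macros, and carry no comment saying why gcc-config needs full manage rights over portage's build tree rather than just the env.d file the commit message mentions. Suggest `# gcc-config is invoked from ebuilds and writes env.d files into the image dir under portage_tmp_t` followed by `manage_dirs_pattern(gcc_config_t, portage_tmp_t, portage_tmp_t)` and `manage_files_pattern(gcc_config_t, portage_tmp_t, portage_tmp_t)` so the grant matches the file's style and its scope is explained. If only file creation is needed, the dir rule could presumably be narrowed to `rw_dirs_pattern`, but the denial that motivated this is not visible here. The enclosing block starts and ends outside the hunk.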
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/
commit: 192f62919b5866ad4de5558b7a69f03f81ed4ad3 Author: Jason Zaman gentoo org> AuthorDate: Sun Nov 21 23:12:40 2021 + Commit: Jason Zaman gentoo org> CommitDate: Sun Nov 21 23:14:49 2021 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=192f6291 portage: Allow sandbox to map /dev/zero Bug: https://bugs.gentoo.org/738546 Signed-off-by: Jason Zaman gentoo.org> policy/modules/admin/portage.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te index 6cab80bd..1db76efe 100644 --- a/policy/modules/admin/portage.te +++ b/policy/modules/admin/portage.te @@ -511,6 +511,7 @@ gen_tunable(portage_enable_test, false) dontaudit portage_sandbox_t self:capability sys_admin; dev_getattr_xserver_misc_dev(portage_sandbox_t) + dev_rwx_zero(portage_sandbox_t) kernel_read_vm_overcommit_sysctl(portage_sandbox_t)
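Review bot: `dev_rwx_zero(portage_sandbox_t)` grants execute as well as read/write on /dev/zero, which allows executable anonymous mappings through the device — effectively execmem by another route — and the line has no comment tying it to the bug or to a specific denial. If the AVC in bug 738546 was only `map`/`read`/`write`, `dev_rw_zero(portage_sandbox_t)` is the narrower fix; if an executable mapping really is required by some build tool, say so: `# bug 738546: build tooling mmaps /dev/zero with PROT_EXEC; needs execute, not just rw`. The enclosing block starts and ends outside the hunk.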
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/
commit: 1d839d4ab07f3bb2002f07cc397ef3e057472d23 Author: Jonathan Davies protonmail com> AuthorDate: Sun Nov 21 09:41:18 2021 + Commit: Jason Zaman gentoo org> CommitDate: Sun Nov 21 19:21:13 2021 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1d839d4a portage.te: Added corecmd_manage_bin_symlinks() for gcc_config_t. Signed-off-by: Jonathan Davies protonmail.com> Signed-off-by: Jason Zaman gentoo.org> policy/modules/admin/portage.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te index da0aecf0..9a6c6083 100644 --- a/policy/modules/admin/portage.te +++ b/policy/modules/admin/portage.te @@ -111,6 +111,7 @@ kernel_read_kernel_sysctls(gcc_config_t) corecmd_exec_shell(gcc_config_t) corecmd_exec_bin(gcc_config_t) corecmd_manage_bin_files(gcc_config_t) +corecmd_manage_bin_symlinks(gcc_config_t) domain_use_interactive_fds(gcc_config_t)
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/
commit: 9f82ed8fe322e0bfb84ec9991772faf1887d5f71 Author: Jonathan Davies protonmail com> AuthorDate: Sun Nov 21 09:35:48 2021 + Commit: Jason Zaman gentoo org> CommitDate: Sun Nov 21 19:25:43 2021 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9f82ed8f portage.te: Added libs_manage_lib_symlinks() for gcc_config_t. Closes: https://github.com/perfinion/hardened-refpolicy/pull/20 Signed-off-by: Jonathan Davies protonmail.com> Signed-off-by: Jason Zaman gentoo.org> policy/modules/admin/portage.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te index 9a6c6083..6cab80bd 100644 --- a/policy/modules/admin/portage.te +++ b/policy/modules/admin/portage.te @@ -132,6 +132,7 @@ libs_run_ldconfig(gcc_config_t, portage_roles) libs_manage_shared_libs(gcc_config_t) # gcc-config creates a temp dir for the libs libs_manage_lib_dirs(gcc_config_t) +libs_manage_lib_symlinks(gcc_config_t) logging_send_syslog_msg(gcc_config_t)
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/
commit: 5a876bd1d15b448dd0cf6fc86b0ce31dc730f8d0 Author: Kenton Groombridge concord sh> AuthorDate: Sun Aug 8 21:35:23 2021 + Commit: Jason Zaman gentoo org> CommitDate: Sat Nov 20 22:58:24 2021 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5a876bd1 su: add tunable to control user exec domain access Signed-off-by: Kenton Groombridge concord.sh> Signed-off-by: Jason Zaman gentoo.org> policy/modules/admin/su.if | 40 policy/modules/admin/su.te | 10 ++ 2 files changed, 38 insertions(+), 12 deletions(-) diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if index 2d0143d6..62a6cf9d 100644 --- a/policy/modules/admin/su.if +++ b/policy/modules/admin/su.if @@ -156,8 +156,6 @@ template(`su_role_template',` domain_interactive_fd($1_su_t) role $4 types $1_su_t; - allow $2 $1_su_t:process signal; - allow $1_su_t self:capability { audit_control audit_write chown dac_override fowner net_bind_service setgid setuid sys_nice sys_resource }; dontaudit $1_su_t self:capability { net_admin sys_tty_config }; allow $1_su_t self:process { setexec setsched setrlimit }; @@ -165,18 +163,8 @@ template(`su_role_template',` allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms }; allow $1_su_t self:key { search write }; - allow $1_su_t $2:key search; - - # Transition from the user domain to this domain. - domtrans_pattern($2, su_exec_t, $1_su_t) - - ps_process_pattern($2, $1_su_t) - # By default, revert to the calling domain when a shell is executed. corecmd_shell_domtrans($1_su_t, $2) - allow $2 $1_su_t:fd use; - allow $2 $1_su_t:fifo_file rw_inherited_fifo_file_perms; - allow $2 $1_su_t:process sigchld; kernel_read_system_state($1_su_t) kernel_read_kernel_sysctls($1_su_t) 
@@ -235,6 +223,34 @@ template(`su_role_template',` auth_use_pam_systemd($1_su_t) ') + tunable_policy(`su_allow_user_exec_domains',` + allow $3 $1_su_t:process signal; + + allow $1_su_t $3:key search; + + # Transition from the user domain to this domain. + domtrans_pattern($3, su_exec_t, $1_su_t) + + ps_process_pattern($3, $1_su_t) + + allow $3 $1_su_t:fd use; + allow $3 $1_su_t:fifo_file rw_inherited_fifo_file_perms; + allow $3 $1_su_t:process sigchld; + ',` + allow $2 $1_su_t:process signal; + + allow $1_su_t $2:key search; + + # Transition from the user domain to this domain. + domtrans_pattern($2, su_exec_t, $1_su_t) + + ps_process_pattern($2, $1_su_t) + + allow $2 $1_su_t:fd use; + allow $2 $1_su_t:fifo_file rw_inherited_fifo_file_perms; + allow $2 $1_su_t:process sigchld; + ') + tunable_policy(`allow_polyinstantiation',` fs_mount_xattr_fs($1_su_t) fs_unmount_xattr_fs($1_su_t) diff --git a/policy/modules/admin/su.te b/policy/modules/admin/su.te index 295f31bd..479469c5 100644 --- a/policy/modules/admin/su.te +++ b/policy/modules/admin/su.te @@ -1,5 +1,15 @@ policy_module(su, 1.16.0) +## +## +## Determine whether the user application +## exec domain attribute should be respected +## for su access. If not enabled, only user +## domains themselves may use su. +## +## +gen_tunable(su_allow_user_exec_domains, false) + # # Declarations
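Review bot: The two `tunable_policy(`su_allow_user_exec_domains',` branches are identical except for `$3` versus `$2`; if the user domain `$2` is itself a member of the exec-domain attribute `$3`, as the tunable description implies, the `$2` rules can stay unconditional and only the `$3` rules need the guard, which halves the block and removes the chance of the two copies drifting apart. Worth confirming that membership against userdomain before collapsing it. The comment `# Transition from the user domain to this domain.` copied into the `$3` branch is also now inaccurate and should read `# Transition from any user exec domain to this domain.`. Separately, su grants `$3 $1_su_t:fifo_file rw_inherited_fifo_file_perms` and `process sigchld` where the sudo template grants `rw_fifo_file_perms` and `signal_perms`; a one-line comment would help if the asymmetry is deliberate. The `su_role_template` body continues outside the hunk.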
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/
commit: a9b9720b82e797983be0c4af4a7fbfdfa9c7f8f1 Author: Kenton Groombridge concord sh> AuthorDate: Fri Oct 8 20:02:50 2021 + Commit: Jason Zaman gentoo org> CommitDate: Sat Nov 20 22:58:24 2021 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a9b9720b shutdown: add tunable to control user exec domain access Signed-off-by: Kenton Groombridge concord.sh> Signed-off-by: Jason Zaman gentoo.org> policy/modules/admin/shutdown.if | 16 +--- policy/modules/admin/shutdown.te | 10 ++ 2 files changed, 23 insertions(+), 3 deletions(-) diff --git a/policy/modules/admin/shutdown.if b/policy/modules/admin/shutdown.if index 2a428398..3a86edeb 100644 --- a/policy/modules/admin/shutdown.if +++ b/policy/modules/admin/shutdown.if @@ -28,13 +28,23 @@ # template(`shutdown_role',` gen_require(` + attribute_role shutdown_roles; type shutdown_t; ') - shutdown_run($3, $4) + roleattribute $4 shutdown_roles; + + tunable_policy(`shutdown_allow_user_exec_domains',` + shutdown_domtrans($3) - allow $3 shutdown_t:process { ptrace signal_perms }; - ps_process_pattern($3, shutdown_t) + allow $3 shutdown_t:process { ptrace signal_perms }; + ps_process_pattern($3, shutdown_t) + ',` + shutdown_domtrans($2) + + allow $2 shutdown_t:process { ptrace signal_perms }; + ps_process_pattern($2, shutdown_t) + ') optional_policy(` systemd_user_app_status($1, shutdown_t) diff --git a/policy/modules/admin/shutdown.te b/policy/modules/admin/shutdown.te index cb8a6c6b..d3302a76 100644 --- a/policy/modules/admin/shutdown.te +++ b/policy/modules/admin/shutdown.te @@ -1,5 +1,15 @@ policy_module(shutdown, 1.7.0) +## +## +## Determine whether the user application exec +## domain attribute should be respected for +## shutdown access. If not enabled, only user +## domains themselves may use shutdown. +## +## +gen_tunable(shutdown_allow_user_exec_domains, false) + # # Declarations
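Review bot: `allow $3 shutdown_t:process { ptrace signal_perms };` (and its `$2` twin) lets the calling user domain ptrace the shutdown domain, which is far broader than what `ps_process_pattern` and signalling need for a domain that talks to init; since these lines are being restructured anyway, this is the moment to drop `ptrace` unless a concrete debugging use is known. Note also that `roleattribute $4 shutdown_roles;` sits outside the tunable so both branches depend on it — correct, since roleattribute cannot be conditional, but a comment `# role access is unconditional; only the domain transition is gated by the tunable` would prevent someone "fixing" it later. The `shutdown_role` template continues beyond the hunk.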
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/, policy/modules/roles/
commit: f8e43b61c56e5b79784c73c58548143056bee6b5 Author: Kenton Groombridge concord sh> AuthorDate: Sun Aug 8 16:53:48 2021 + Commit: Jason Zaman gentoo org> CommitDate: Sat Nov 20 22:58:24 2021 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f8e43b61 shutdown, roles: use user exec domain attribute Signed-off-by: Kenton Groombridge concord.sh> Signed-off-by: Jason Zaman gentoo.org> policy/modules/admin/shutdown.if | 29 ++--- policy/modules/roles/sysadm.te | 2 +- 2 files changed, 23 insertions(+), 8 deletions(-) diff --git a/policy/modules/admin/shutdown.if b/policy/modules/admin/shutdown.if index 05eb8c89..2a428398 100644 --- a/policy/modules/admin/shutdown.if +++ b/policy/modules/admin/shutdown.if @@ -4,26 +4,41 @@ ## ## Role access for shutdown. ## -## +## ## -## Role allowed access. +## The prefix of the user role (e.g., user +## is the prefix for user_r). ## ## -## +## ## ## User domain for the role. ## ## +## +## +## User exec domain for execute and transition access. +## +## +## +## +## Role allowed access +## +## # -interface(`shutdown_role',` +template(`shutdown_role',` gen_require(` type shutdown_t; ') - shutdown_run($2, $1) + shutdown_run($3, $4) + + allow $3 shutdown_t:process { ptrace signal_perms }; + ps_process_pattern($3, shutdown_t) - allow $2 shutdown_t:process { ptrace signal_perms }; - ps_process_pattern($2, shutdown_t) + optional_policy(` + systemd_user_app_status($1, shutdown_t) + ') ') diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te index 7774ec0a..44b80516 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -959,7 +959,7 @@ optional_policy(` ') optional_policy(` - shutdown_role(sysadm_r, sysadm_t) + shutdown_role(sysadm, sysadm_t, sysadm_application_exec_domain, sysadm_r) ') optional_policy(`
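Review bot: `shutdown_role` changes arity from two to four parameters and becomes a template, but the diffstat touches only sysadm.te; any other role module in this tree that still calls `shutdown_role(role, domain)` will now bind the role to `$1` and the domain to `$2` and silently expand to wrong rules, since m4 does not check argument counts. Grep for remaining callers before merging. The new `$4` parameter doc is also missing its trailing period (`Role allowed access.`) to match the other three.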
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/
commit: c15fd881704f72bfba0381c433d090ece731374d Author: Kenton Groombridge concord sh> AuthorDate: Sun Aug 8 15:10:47 2021 + Commit: Jason Zaman gentoo org> CommitDate: Sat Nov 20 22:58:24 2021 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c15fd881 sudo: add tunable to control user exec domain access The tunable 'sudo_allow_user_exec_domains' only allows user domains themselves to use sudo if disabled (default), otherwise any domain with the corresponding user exec domain attribute may use sudo. Signed-off-by: Kenton Groombridge concord.sh> Signed-off-by: Jason Zaman gentoo.org> policy/modules/admin/sudo.if | 37 ++--- policy/modules/admin/sudo.te | 10 ++ 2 files changed, 36 insertions(+), 11 deletions(-) diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if index 4e2d7830..bab07e31 100644 --- a/policy/modules/admin/sudo.if +++ b/policy/modules/admin/sudo.if @@ -73,20 +73,9 @@ template(`sudo_role_template',` allow $1_sudo_t self:key manage_key_perms; dontaudit $1_sudo_t self:capability { dac_read_search sys_ptrace }; - allow $1_sudo_t $3:key search; - - # Transmit SIGWINCH to children - allow $1_sudo_t $3:process signal; - - # Enter this derived domain from the user domain - domtrans_pattern($3, sudo_exec_t, $1_sudo_t) - # By default, revert to the calling domain when a shell is executed. corecmd_shell_domtrans($1_sudo_t, $2) corecmd_bin_domtrans($1_sudo_t, $2) - allow $3 $1_sudo_t:fd use; - allow $3 $1_sudo_t:fifo_file rw_fifo_file_perms; - allow $3 $1_sudo_t:process signal_perms; kernel_read_kernel_sysctls($1_sudo_t) kernel_read_system_state($1_sudo_t) 
@@ -158,6 +147,32 @@ template(`sudo_role_template',` dontaudit $1_sudo_t $3:socket_class_set { read write }; ') + tunable_policy(`sudo_allow_user_exec_domains',` + allow $1_sudo_t $3:key search; + + # Transmit SIGWINCH to children + allow $1_sudo_t $3:process signal; + + # Enter this derived domain from the user domain + domtrans_pattern($3, sudo_exec_t, $1_sudo_t) + + allow $3 $1_sudo_t:fd use; + allow $3 $1_sudo_t:fifo_file rw_fifo_file_perms; + allow $3 $1_sudo_t:process signal_perms; + ',` + allow $1_sudo_t $2:key search; + + # Transmit SIGWINCH to children + allow $1_sudo_t $2:process signal; + + # Enter this derived domain from the user domain + domtrans_pattern($2, sudo_exec_t, $1_sudo_t) + + allow $2 $1_sudo_t:fd use; + allow $2 $1_sudo_t:fifo_file rw_fifo_file_perms; + allow $2 $1_sudo_t:process signal_perms; + ') + tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_files($1_sudo_t) ') diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te index 8704a154..f6618cd9 100644 --- a/policy/modules/admin/sudo.te +++ b/policy/modules/admin/sudo.te @@ -11,6 +11,16 @@ policy_module(sudo, 1.17.0) ## gen_tunable(sudo_all_tcp_connect_http_port, false) +## +## +## Determine whether the user application exec +## domain attribute should be respected for sudo +## access. If not enabled, only user domains +## themselves may use sudo. +## +## +gen_tunable(sudo_allow_user_exec_domains, false) + # # Declarations
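Review bot: The comment `# Enter this derived domain from the user domain` is copied verbatim into the `$3` branch of `sudo_allow_user_exec_domains`, where the source is the user exec-domain attribute rather than the user domain; it should read `# Enter this derived domain from any user exec domain` so the two branches are distinguishable at a glance. As with the su change, if `$2` carries the `$3` attribute the `$2` rules could remain unconditional and only the `$3` rules be gated, avoiding two near-identical twelve-line blocks; confirm that membership before simplifying. The `sudo_role_template` body continues outside the hunk.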
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/
commit: 42a6dc478442e531cd701638057210d9b1c58ec1 Author: Jonathan Davies protonmail com> AuthorDate: Fri May 28 14:00:30 2021 + Commit: Jason Zaman gentoo org> CommitDate: Fri Nov 12 01:53:00 2021 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=42a6dc47 logrotate.te: Added boolean for allowing logrotate to rotate the audit log. Signed-off-by: Jonathan Davies protonmail.com> Signed-off-by: Jason Zaman gentoo.org> policy/modules/admin/logrotate.te | 13 + 1 file changed, 13 insertions(+) diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te index 1c704120..1419d878 100644 --- a/policy/modules/admin/logrotate.te +++ b/policy/modules/admin/logrotate.te @@ -5,6 +5,14 @@ policy_module(logrotate, 1.26.0) # Declarations # +## +## +## Determine whether logrotate can manage +## audit log files +## +## +gen_tunable(logrotate_manage_audit_log, false) + attribute_role logrotate_roles; roleattribute system_r logrotate_roles; @@ -138,6 +146,11 @@ ifdef(`distro_debian',` logging_read_syslog_config(logrotate_t) ') +tunable_policy(`logrotate_manage_audit_log',` + logging_manage_audit_log(logrotate_t) +') + + optional_policy(` abrt_manage_cache(logrotate_t) ')
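Review bot: `logging_manage_audit_log(logrotate_t)` under the new tunable lets logrotate — and whatever prerotate/postrotate scripts it runs — truncate, rewrite or delete the audit trail, which is exactly the separation the dedicated audit log type exists to provide, yet the tunable description only says "manage audit log files". Suggest `Determine whether logrotate can manage audit log files. Enabling this lets logrotate and its scripts rewrite or delete the audit trail; prefer auditd's own max_log_file_action rotation where possible.` so an admin flipping it understands the trade-off. There is also a stray double blank line after the new `tunable_policy` block.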
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/, policy/modules/kernel/, policy/modules/system/, ...
commit: 9f2bab2173d07f9337a6003bf39f771d22b9df22 Author: Chris PeBenito ieee org> AuthorDate: Tue Nov 9 16:13:37 2021 + Commit: Jason Zaman gentoo org> CommitDate: Thu Nov 11 21:26:50 2021 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9f2bab21 various: Module version bump. Signed-off-by: Chris PeBenito ieee.org> Signed-off-by: Jason Zaman gentoo.org> policy/modules/admin/netutils.te| 2 +- policy/modules/admin/usbguard.te| 2 +- policy/modules/admin/usermanage.te | 2 +- policy/modules/kernel/devices.te| 2 +- policy/modules/kernel/filesystem.te | 2 +- policy/modules/roles/sysadm.te | 2 +- policy/modules/services/apache.te | 2 +- policy/modules/services/asterisk.te | 2 +- policy/modules/services/bind.te | 2 +- policy/modules/services/certbot.te | 2 +- policy/modules/services/dbus.te | 2 +- policy/modules/services/dovecot.te | 2 +- policy/modules/services/exim.te | 2 +- policy/modules/services/git.te | 2 +- policy/modules/services/jabber.te | 2 +- policy/modules/services/mta.te | 2 +- policy/modules/services/policykit.te| 2 +- policy/modules/services/postfix.te | 2 +- policy/modules/services/rngd.te | 2 +- policy/modules/services/spamassassin.te | 2 +- policy/modules/services/ssh.te | 2 +- policy/modules/services/virt.te | 2 +- policy/modules/system/systemd.te| 2 +- policy/modules/system/userdomain.te | 2 +- 24 files changed, 24 insertions(+), 24 deletions(-) diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te index ec753a88..7210c776 100644 --- a/policy/modules/admin/netutils.te +++ b/policy/modules/admin/netutils.te @@ -1,4 +1,4 @@ -policy_module(netutils, 1.21.0) +policy_module(netutils, 1.21.1) # diff --git a/policy/modules/admin/usbguard.te b/policy/modules/admin/usbguard.te index cca00cdb..cdca7ff0 100644 --- a/policy/modules/admin/usbguard.te +++ b/policy/modules/admin/usbguard.te @@ -1,4 +1,4 @@ -policy_module(usbguard, 1.2.0) +policy_module(usbguard, 1.2.1) # 
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te index ca60a09e..6ead66f2 100644 --- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te @@ -1,4 +1,4 @@ -policy_module(usermanage, 1.25.1) +policy_module(usermanage, 1.25.2) # diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te index 5a06ea82..50bfdecf 100644 --- a/policy/modules/kernel/devices.te +++ b/policy/modules/kernel/devices.te @@ -1,4 +1,4 @@ -policy_module(devices, 1.29.0) +policy_module(devices, 1.29.1) # diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te index ddd10c2a..d39648b3 100644 --- a/policy/modules/kernel/filesystem.te +++ b/policy/modules/kernel/filesystem.te @@ -1,4 +1,4 @@ -policy_module(filesystem, 1.30.2) +policy_module(filesystem, 1.30.3) # diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te index 3deec0a8..f52086cf 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -1,4 +1,4 @@ -policy_module(sysadm, 2.19.0) +policy_module(sysadm, 2.19.1) # diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te index 79fdf1ae..d3b6c829 100644 --- a/policy/modules/services/apache.te +++ b/policy/modules/services/apache.te @@ -1,4 +1,4 @@ -policy_module(apache, 2.21.1) +policy_module(apache, 2.21.2) # diff --git a/policy/modules/services/asterisk.te b/policy/modules/services/asterisk.te index e1dbff10..a188c2f4 100644 --- a/policy/modules/services/asterisk.te +++ b/policy/modules/services/asterisk.te @@ -1,4 +1,4 @@ -policy_module(asterisk, 1.21.0) +policy_module(asterisk, 1.21.1) # diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te index 0081ed52..fcf74fa1 100644 --- a/policy/modules/services/bind.te +++ b/policy/modules/services/bind.te @@ -1,4 +1,4 @@ -policy_module(bind, 1.23.0) +policy_module(bind, 1.23.1) # 
diff --git a/policy/modules/services/certbot.te b/policy/modules/services/certbot.te index 19ebe75f..3f2778f3 100644 --- a/policy/modules/services/certbot.te +++ b/policy/modules/services/certbot.te @@ -1,4 +1,4 @@ -policy_module(certbot, 1.1.0) +policy_module(certbot, 1.1.1) ## ## diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te index 9d2942f5..7535509d 100644 --- a/policy/modules/services/dbus.te +++
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/
commit: c752ecf2cdb6694584af6306b148263d7bcd8378 Author: Kenton Groombridge concord sh> AuthorDate: Sun Nov 7 01:49:32 2021 + Commit: Jason Zaman gentoo org> CommitDate: Thu Nov 11 21:26:50 2021 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c752ecf2 netutils: fix ping Signed-off-by: Kenton Groombridge concord.sh> Signed-off-by: Jason Zaman gentoo.org> policy/modules/admin/netutils.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te index 93a2fe8b..ec753a88 100644 --- a/policy/modules/admin/netutils.te +++ b/policy/modules/admin/netutils.te @@ -109,7 +109,7 @@ allow ping_t self:tcp_socket create_socket_perms; allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt getattr }; allow ping_t self:packet_socket { create ioctl read write bind getopt setopt }; allow ping_t self:netlink_route_socket create_netlink_socket_perms; -allow ping_t self:icmp_socket create; +allow ping_t self:icmp_socket create_socket_perms; corenet_all_recvfrom_netlabel(ping_t) corenet_sendrecv_icmp_packets(ping_t)
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/
commit: b90cb8704ffb2d1e57e38107076206f780ea7561 Author: Yi Zhao windriver com> AuthorDate: Tue Sep 28 07:46:50 2021 + Commit: Jason Zaman gentoo org> CommitDate: Thu Nov 11 21:26:50 2021 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b90cb870 passwd: allow passwd to map SELinux status page We encountered a passwd runtime error with selinux 3.3: $ passwd user1 passwd: avc.c:73: avc_context_to_sid_raw: Assertion `avc_running' failed. Aborted Fixes: avc: denied { map } for pid=325 comm="passwd" path="/sys/fs/selinux/status" dev="selinuxfs" ino=19 scontext=root: sysadm_r:passwd_t tcontext=system_u:object_r:security_t tclass=file permissive=1 Signed-off-by: Yi Zhao windriver.com> Signed-off-by: Jason Zaman gentoo.org> policy/modules/admin/usermanage.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te index 19290878..ca60a09e 100644 --- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te @@ -322,6 +322,7 @@ mls_file_write_all_levels(passwd_t) mls_file_downgrade(passwd_t) selinux_get_fs_mount(passwd_t) +selinux_use_status_page(passwd_t) selinux_validate_context(passwd_t) selinux_compute_access_vector(passwd_t) selinux_compute_create_context(passwd_t)
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/
commit: abdb4768109d7b7251122ef03c200517eeada4cc Author: Jonathan Davies protonmail com> AuthorDate: Tue Jul 6 14:48:28 2021 + Commit: Jason Zaman gentoo org> CommitDate: Sun Sep 5 14:26:44 2021 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=abdb4768 dmesg.te: Added files_read_etc_files() as some distros store terminfo files in /etc/. Signed-off-by: Jonathan Davies protonmail.com> Signed-off-by: Jason Zaman gentoo.org> policy/modules/admin/dmesg.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te index a254f13e..8c5337b1 100644 --- a/policy/modules/admin/dmesg.te +++ b/policy/modules/admin/dmesg.te @@ -38,6 +38,7 @@ term_dontaudit_use_console(dmesg_t) domain_use_interactive_fds(dmesg_t) files_list_etc(dmesg_t) +files_read_etc_files(dmesg_t) files_read_usr_files(dmesg_t) init_use_fds(dmesg_t)
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/, policy/modules/roles/, policy/modules/kernel/
commit: 8f26b7cec0bdcb591e5caa650014bb5ae00293f2 Author: Chris PeBenito ieee org> AuthorDate: Thu Jul 8 13:45:15 2021 + Commit: Jason Zaman gentoo org> CommitDate: Sun Sep 5 14:26:44 2021 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8f26b7ce dmesg, devices, sysadm: Module version bump. Signed-off-by: Chris PeBenito ieee.org> Signed-off-by: Jason Zaman gentoo.org> policy/modules/admin/dmesg.te| 2 +- policy/modules/kernel/devices.te | 2 +- policy/modules/roles/sysadm.te | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te index 8c5337b1..d347614c 100644 --- a/policy/modules/admin/dmesg.te +++ b/policy/modules/admin/dmesg.te @@ -1,4 +1,4 @@ -policy_module(dmesg, 1.8.0) +policy_module(dmesg, 1.8.1) # diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te index 000e5ebe..7dee3d17 100644 --- a/policy/modules/kernel/devices.te +++ b/policy/modules/kernel/devices.te @@ -1,4 +1,4 @@ -policy_module(devices, 1.28.2) +policy_module(devices, 1.28.3) # diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te index 3aa6b9d5..ba26bbfe 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -1,4 +1,4 @@ -policy_module(sysadm, 2.18.4) +policy_module(sysadm, 2.18.5) #
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/, policy/modules/system/
commit: 9c2a5171c53779f30d0cd3a89668809045277af1 Author: Jason Zaman perfinion com> AuthorDate: Sun Sep 15 08:31:09 2019 + Commit: Jason Zaman gentoo org> CommitDate: Sun Mar 21 22:07:35 2021 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9c2a5171 systemd: Add elogind support Elogind is based off systemd-logind extracted to stand alone. Signed-off-by: Jason Zaman perfinion.com> Signed-off-by: Jason Zaman gentoo.org> policy/modules/admin/sudo.if | 2 ++ policy/modules/system/authlogin.if | 5 + policy/modules/system/systemd.fc | 5 + policy/modules/system/systemd.te | 29 - 4 files changed, 40 insertions(+), 1 deletion(-) diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if index 51bc9343..eada7c28 100644 --- a/policy/modules/admin/sudo.if +++ b/policy/modules/admin/sudo.if @@ -160,6 +160,8 @@ template(`sudo_role_template',` optional_policy(` dbus_system_bus_client($1_sudo_t) + systemd_dbus_chat_logind($1_sudo_t) + systemd_write_inherited_logind_sessions_pipes($1_sudo_t) ifdef(`init_systemd',` init_dbus_chat($1_sudo_t) diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if index 753a7735..e807f91f 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -67,6 +67,11 @@ interface(`auth_use_pam',` optional_policy(` fprintd_dbus_chat($1) ') + + optional_policy(` + systemd_dbus_chat_logind($1) + systemd_write_inherited_logind_sessions_pipes($1) + ') ') optional_policy(` diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc index 7de7e677..67e81209 100644 --- a/policy/modules/system/systemd.fc +++ b/policy/modules/system/systemd.fc 
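Review bot: `systemd_dbus_chat_logind($1_sudo_t)` and `systemd_write_inherited_logind_sessions_pipes($1_sudo_t)` are added to sudo.if without a comment, and the same commit adds identical calls inside `auth_use_pam`; if `sudo_role_template` already calls `auth_use_pam` (not visible in this hunk), the sudo.if copy is redundant and the two will drift. If it is kept deliberately — for instance because sudo's dbus block sits outside `ifdef(`init_systemd')` and so also serves elogind — say so: `# pam_elogind/pam_systemd session registration; kept outside init_systemd so elogind works too`. The enclosing template continues beyond the hunk.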
@@ -16,6 +16,10 @@ /usr/bin/systemd-tty-ask-password-agent-- gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0) /usr/bin/systemd-notify-- gen_context(system_u:object_r:systemd_notify_exec_t,s0) +/usr/lib/elogind/elogind -- gen_context(system_u:object_r:systemd_logind_exec_t,s0) +/usr/lib/elogind/elogind-cgroups-agent -- gen_context(system_u:object_r:systemd_logind_exec_t,s0) +/usr/lib/elogind/elogind-uaccess-command -- gen_context(system_u:object_r:systemd_logind_exec_t,s0) + # Systemd generators /usr/lib/systemd/system-environment-generators/.* -- gen_context(system_u:object_r:systemd_generator_exec_t,s0) /usr/lib/systemd/system-generators/.* -- gen_context(system_u:object_r:systemd_generator_exec_t,s0) @@ -71,6 +75,7 @@ HOME_DIR/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_data /var/lib/systemd/rfkill(/.*)? gen_context(system_u:object_r:systemd_rfkill_var_lib_t,s0) /run/\.nologin[^/]*-- gen_context(system_u:object_r:systemd_sessions_runtime_t,s0) +/run/elogind\.pid -- gen_context(system_u:object_r:systemd_logind_runtime_t,s0) /run/nologin -- gen_context(system_u:object_r:systemd_sessions_runtime_t,s0) /run/user/%{USERID}/systemd-d gen_context(system_u:object_r:systemd_user_runtime_t,s0) diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index f5b5b07a..8a294661 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -144,6 +144,9 @@ init_system_domain(systemd_locale_t, systemd_locale_exec_t) type systemd_logind_t; type systemd_logind_exec_t; +optional_policy(` + dbus_system_domain(systemd_logind_t, systemd_logind_exec_t) +') init_daemon_domain(systemd_logind_t, systemd_logind_exec_t) init_named_socket_activation(systemd_logind_t, systemd_logind_runtime_t) 
@@ -154,6 +157,7 @@ init_mountpoint(systemd_logind_inhibit_runtime_t) type systemd_logind_runtime_t alias systemd_logind_var_run_t; files_runtime_file(systemd_logind_runtime_t) init_daemon_runtime_file(systemd_logind_runtime_t, dir, "systemd_logind") +init_daemon_runtime_file(systemd_logind_runtime_t, file, "elogind.pid") init_mountpoint(systemd_logind_runtime_t) type systemd_logind_var_lib_t; @@ -585,7 +589,7 @@ logging_send_syslog_msg(systemd_log_parse_env_type) # Logind local policy # -allow systemd_logind_t self:capability { chown dac_override dac_read_search fowner sys_admin sys_tty_config }; +allow systemd_logind_t self:capability { chown dac_override dac_read_search fowner fsetid sys_admin sys_resource sys_tty_config }; allow systemd_logind_t self:process { getcap setfscreate }; allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms; allow systemd_logind_t self:unix_dgram_socket
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/, policy/modules/apps/
commit: 758c98fc22b0795287736330c416d9f3e03fdf00 Author: Russell Coker coker com au> AuthorDate: Tue Feb 2 14:55:38 2021 + Commit: Jason Zaman gentoo org> CommitDate: Sat Feb 6 21:15:09 2021 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=758c98fc misc apps and admin patches Send again without the section Dominick didn't like. I think it's ready for inclusion. Signed-off-by: Russell Coker coker.com.au> Signed-off-by: Jason Zaman gentoo.org> policy/modules/admin/apt.fc| 4 +++- policy/modules/admin/apt.te| 8 policy/modules/admin/bootloader.te | 3 +++ policy/modules/admin/logrotate.te | 2 ++ policy/modules/apps/games.te | 14 ++ policy/modules/apps/mplayer.if | 2 +- policy/modules/apps/mplayer.te | 7 ++- 7 files changed, 37 insertions(+), 3 deletions(-) diff --git a/policy/modules/admin/apt.fc b/policy/modules/admin/apt.fc index 8a539f06..66fec023 100644 --- a/policy/modules/admin/apt.fc +++ b/policy/modules/admin/apt.fc @@ -5,6 +5,8 @@ /usr/bin/apt-shell -- gen_context(system_u:object_r:apt_exec_t,s0) /usr/bin/aptitude -- gen_context(system_u:object_r:apt_exec_t,s0) /usr/sbin/update-apt-xapian-index -- gen_context(system_u:object_r:apt_exec_t,s0) +/usr/share/unattended-upgrades/unattended-upgrade-shutdown -- gen_context(system_u:object_r:apt_exec_t,s0) +/usr/bin/unattended-upgrade -- gen_context(system_u:object_r:apt_exec_t,s0) ifndef(`distro_redhat',` /usr/sbin/synaptic -- gen_context(system_u:object_r:apt_exec_t,s0) @@ -23,5 +25,5 @@ ifndef(`distro_redhat',` /var/lock/aptitude gen_context(system_u:object_r:apt_lock_t,s0) /var/log/aptitude.*gen_context(system_u:object_r:apt_var_log_t,s0) - +/var/log/unattended-upgrades(/.*) gen_context(system_u:object_r:apt_var_log_t,s0) /var/log/apt(/.*)? gen_context(system_u:object_r:apt_var_log_t,s0) diff --git a/policy/modules/admin/apt.te b/policy/modules/admin/apt.te index 841b8c4f..8e5f72b7 100644 --- a/policy/modules/admin/apt.te +++ b/policy/modules/admin/apt.te 
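Review bot: The new file context `/var/log/unattended-upgrades(/.*) gen_context(system_u:object_r:apt_var_log_t,s0)` in the second apt.fc hunk omits the `?` after the group, so unlike `/var/log/apt(/.*)?` on the next line it only matches entries below the directory and never the directory `/var/log/unattended-upgrades` itself, which would then keep the generic /var/log label on relabel. The line should read `/var/log/unattended-upgrades(/.*)? gen_context(system_u:object_r:apt_var_log_t,s0)`. The same line is carried over unchanged by the later "apt, bootloader: Move lines" commit on this page, so the fix applies there too.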
@@ -154,6 +154,10 @@ optional_policy(` dpkg_lock_db(apt_t) ') +optional_policy(` + networkmanager_dbus_chat(apt_t) +') + optional_policy(` nis_use_ypbind(apt_t) ') @@ -168,6 +172,10 @@ optional_policy(` rpm_domtrans(apt_t) ') +optional_policy(` + systemd_dbus_chat_logind(apt_t) +') + optional_policy(` unconfined_domain(apt_t) ') diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te index 172e5157..78b34125 100644 --- a/policy/modules/admin/bootloader.te +++ b/policy/modules/admin/bootloader.te @@ -186,6 +186,9 @@ ifdef(`distro_debian',` dpkg_read_db(bootloader_t) dpkg_rw_pipes(bootloader_t) + + apt_use_fds(bootloader_t) + apt_use_ptys(bootloader_t) ') ifdef(`distro_redhat',` diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te index 7169d260..c13f0a73 100644 --- a/policy/modules/admin/logrotate.te +++ b/policy/modules/admin/logrotate.te @@ -121,6 +121,7 @@ logging_send_syslog_msg(logrotate_t) logging_send_audit_msgs(logrotate_t) logging_exec_all_logs(logrotate_t) +miscfiles_read_generic_certs(logrotate_t) miscfiles_read_localization(logrotate_t) seutil_dontaudit_read_config(logrotate_t) @@ -242,6 +243,7 @@ optional_policy(` ') optional_policy(` + samba_domtrans_smbcontrol(logrotate_t) samba_exec_log(logrotate_t) ') diff --git a/policy/modules/apps/games.te b/policy/modules/apps/games.te index 1de63166..c66b382b 100644 --- a/policy/modules/apps/games.te +++ b/policy/modules/apps/games.te @@ -111,9 +111,11 @@ fs_tmpfs_filetrans(games_t, games_tmpfs_t, { file lnk_file sock_file fifo_file } can_exec(games_t, games_exec_t) +kernel_read_kernel_sysctls(games_t) kernel_read_system_state(games_t) corecmd_exec_bin(games_t) +corecmd_exec_shell(games_t) corenet_all_recvfrom_netlabel(games_t) corenet_tcp_sendrecv_generic_if(games_t) 
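Review bot: `corecmd_exec_shell(games_t)` and `kernel_read_kernel_sysctls(games_t)` in the games.te hunk are added without a comment naming which game or launcher needs them, and the commit message ("misc apps and admin patches") does not say either; letting a user application domain execute a shell is a notable widening, so a one-line why-comment above the call, e.g. `# shell needed by <package/launcher> — fill in`, would let a later reader judge whether it is still required. The same applies to `dbus_system_bus_client(games_t)` and `miscfiles_read_generic_certs(games_t)` in the following games.te hunks. The games_t rule block continues outside the hunk.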
@@ -146,6 +148,7 @@ init_dontaudit_rw_utmp(games_t) logging_dontaudit_search_logs(games_t) +miscfiles_read_generic_certs(games_t) miscfiles_read_man_pages(games_t) miscfiles_read_localization(games_t) @@ -161,9 +164,15 @@ tunable_policy(`allow_execmem',` allow games_t self:process execmem; ') +optional_policy(` + alsa_read_config(games_t) +') + optional_policy(` dbus_all_session_bus_client(games_t) dbus_connect_all_session_bus(games_t) + dbus_read_lib_files(games_t) + dbus_system_bus_client(games_t) ') optional_policy(` @@ -174,6 +183,11 @@ optional_policy(` pulseaudio_run(games_t, games_roles) ') +optional_policy(` + xdg_read_config_files(games_t) + xdg_read_data_files(games_t) +') + optional_policy(` xserver_user_x_domain_template(games, games_t, games_tmpfs_t) xserver_create_xdm_tmp_sockets(games_t)
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/
commit: 71f9eaa40d0cca90e45ad49ae78e0ce3767ebb7a Author: Chris PeBenito ieee org> AuthorDate: Tue Feb 2 18:32:42 2021 + Commit: Jason Zaman gentoo org> CommitDate: Sat Feb 6 21:15:09 2021 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=71f9eaa4 apt, bootloader: Move lines. Signed-off-by: Chris PeBenito ieee.org> Signed-off-by: Jason Zaman gentoo.org> policy/modules/admin/apt.fc| 6 -- policy/modules/admin/bootloader.te | 5 ++--- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/policy/modules/admin/apt.fc b/policy/modules/admin/apt.fc index 66fec023..456375f9 100644 --- a/policy/modules/admin/apt.fc +++ b/policy/modules/admin/apt.fc @@ -4,9 +4,11 @@ /usr/bin/apt-get -- gen_context(system_u:object_r:apt_exec_t,s0) /usr/bin/apt-shell -- gen_context(system_u:object_r:apt_exec_t,s0) /usr/bin/aptitude -- gen_context(system_u:object_r:apt_exec_t,s0) +/usr/bin/unattended-upgrade -- gen_context(system_u:object_r:apt_exec_t,s0) + /usr/sbin/update-apt-xapian-index -- gen_context(system_u:object_r:apt_exec_t,s0) + /usr/share/unattended-upgrades/unattended-upgrade-shutdown -- gen_context(system_u:object_r:apt_exec_t,s0) -/usr/bin/unattended-upgrade -- gen_context(system_u:object_r:apt_exec_t,s0) ifndef(`distro_redhat',` /usr/sbin/synaptic -- gen_context(system_u:object_r:apt_exec_t,s0) @@ -25,5 +27,5 @@ ifndef(`distro_redhat',` /var/lock/aptitude gen_context(system_u:object_r:apt_lock_t,s0) /var/log/aptitude.*gen_context(system_u:object_r:apt_var_log_t,s0) -/var/log/unattended-upgrades(/.*) gen_context(system_u:object_r:apt_var_log_t,s0) /var/log/apt(/.*)? gen_context(system_u:object_r:apt_var_log_t,s0) +/var/log/unattended-upgrades(/.*) gen_context(system_u:object_r:apt_var_log_t,s0) diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te index 78b34125..cbaf65cd 100644 --- a/policy/modules/admin/bootloader.te +++ b/policy/modules/admin/bootloader.te 
@@ -180,15 +180,14 @@ ifdef(`distro_debian',` libs_relabelto_lib_files(bootloader_t) + apt_use_fds(bootloader_t) + apt_use_ptys(bootloader_t) # for apt-cache apt_read_db(bootloader_t) apt_manage_cache(bootloader_t) dpkg_read_db(bootloader_t) dpkg_rw_pipes(bootloader_t) - - apt_use_fds(bootloader_t) - apt_use_ptys(bootloader_t) ') ifdef(`distro_redhat',`
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/, policy/modules/system/, policy/modules/services/
commit: e57bc26069d27c092d703ab9e323c9590552a73e Author: Chris PeBenito ieee org> AuthorDate: Tue Feb 2 13:46:41 2021 + Commit: Jason Zaman gentoo org> CommitDate: Sat Feb 6 21:15:09 2021 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e57bc260 dpkg, aptcatcher, milter, mysql, systemd: Rename interfaces. Rename interfaces from a7f3fdabadd47279800688d5ee2e19662b7fc58b. Signed-off-by: Chris PeBenito ieee.org> Signed-off-by: Jason Zaman gentoo.org> policy/modules/admin/dpkg.te | 8 policy/modules/services/aptcacher.if | 2 +- policy/modules/services/milter.if| 2 +- policy/modules/services/mysql.if | 4 ++-- policy/modules/system/systemd.if | 2 +- 5 files changed, 9 insertions(+), 9 deletions(-) diff --git a/policy/modules/admin/dpkg.te b/policy/modules/admin/dpkg.te index 6830c795..da365bb2 100644 --- a/policy/modules/admin/dpkg.te +++ b/policy/modules/admin/dpkg.te @@ -309,7 +309,7 @@ optional_policy(` optional_policy(` aptcacher_filetrans_cache_dir(dpkg_script_t) - aptcacher_filetrans_conf_dir(dpkg_script_t) + aptcacher_etc_filetrans_conf_dir(dpkg_script_t) aptcacher_filetrans_log_dir(dpkg_script_t) ') @@ -330,7 +330,7 @@ optional_policy(` ') optional_policy(` - milter_filetrans_spamass_state(dpkg_script_t) + milter_var_lib_filetrans_spamass_state(dpkg_script_t) ') optional_policy(` @@ -342,8 +342,8 @@ optional_policy(` ') optional_policy(` - mysql_create_db_dir(dpkg_script_t) - mysql_create_log_dir(dpkg_script_t) + mysql_var_lib_filetrans_db_dir(dpkg_script_t) + mysql_log_filetrans_log_dir(dpkg_script_t) ') optional_policy(` diff --git a/policy/modules/services/aptcacher.if b/policy/modules/services/aptcacher.if index bef83332..40f19560 100644 --- a/policy/modules/services/aptcacher.if +++ b/policy/modules/services/aptcacher.if @@ -110,7 +110,7 @@ interface(`aptcacher_filetrans_cache_dir',` ## ## # -interface(`aptcacher_filetrans_conf_dir',` +interface(`aptcacher_etc_filetrans_conf_dir',` gen_require(` type aptcacher_conf_t; ') 
diff --git a/policy/modules/services/milter.if b/policy/modules/services/milter.if index 13b05498..5323b6e0 100644 --- a/policy/modules/services/milter.if +++ b/policy/modules/services/milter.if @@ -108,7 +108,7 @@ interface(`milter_manage_spamass_state',` ## ## # -interface(`milter_filetrans_spamass_state',` +interface(`milter_var_lib_filetrans_spamass_state',` gen_require(` type spamass_milter_state_t; ') diff --git a/policy/modules/services/mysql.if b/policy/modules/services/mysql.if index e89a66d9..0b2e5685 100644 --- a/policy/modules/services/mysql.if +++ b/policy/modules/services/mysql.if @@ -251,7 +251,7 @@ interface(`mysql_manage_db_files',` ## ## # -interface(`mysql_create_db_dir',` +interface(`mysql_var_lib_filetrans_db_dir',` gen_require(` type mysqld_db_t; ') @@ -357,7 +357,7 @@ interface(`mysql_write_log',` ## ## # -interface(`mysql_create_log_dir',` +interface(`mysql_log_filetrans_log_dir',` gen_require(` type mysqld_log_t; ') diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if index ac431aba..29a561c7 100644 --- a/policy/modules/system/systemd.if +++ b/policy/modules/system/systemd.if @@ -546,7 +546,7 @@ interface(`systemd_run_passwd_agent',` type systemd_passwd_agent_t, systemd_passwd_agent_exec_t; ') - domain_auto_transition_pattern($1, systemd_passwd_agent_exec_t, systemd_passwd_agent_t) + domtrans_pattern($1, systemd_passwd_agent_exec_t, systemd_passwd_agent_t) allow systemd_passwd_agent_t $1:fd use; role $2 types systemd_passwd_agent_t; ')
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/
commit: 21ac5d4937112c4cca29d52c36c91b240c2abb5f Author: Kenton Groombridge concord sh> AuthorDate: Tue Jan 26 23:08:54 2021 + Commit: Jason Zaman gentoo org> CommitDate: Mon Feb 1 01:21:42 2021 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=21ac5d49 sudo: add tunable for HTTP connections Signed-off-by: Kenton Groombridge concord.sh> Signed-off-by: Jason Zaman gentoo.org> policy/modules/admin/sudo.te | 15 +++ 1 file changed, 15 insertions(+) diff --git a/policy/modules/admin/sudo.te b/policy/modules/admin/sudo.te index 2cebeef7..2ac111d6 100644 --- a/policy/modules/admin/sudo.te +++ b/policy/modules/admin/sudo.te @@ -1,5 +1,16 @@ policy_module(sudo, 1.15.0) +## +## +## Determine whether all sudo domains +## can connect to TCP HTTP ports. This +## is needed if an additional authentication +## mechanism via an HTTP server is +## required for users to use sudo. +## +## +gen_tunable(sudo_all_tcp_connect_http_port, false) + # # Declarations @@ -7,3 +18,7 @@ attribute sudodomain; type sudo_exec_t; application_executable_file(sudo_exec_t) + +tunable_policy(`sudo_all_tcp_connect_http_port',` + corenet_tcp_connect_http_port(sudodomain) +')
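Review bot: `corenet_tcp_connect_http_port(sudodomain)` in the second hunk is added without the matching `corenet_sendrecv_http_client_packets(sudodomain)` that the other connect rules on this page pair with their `corenet_tcp_connect_*` calls, so on a system that labels packets the tunable would allow the connect but presumably not the traffic. As a point of style, the `tunable_policy` block is placed in the Declarations section directly after `application_executable_file(sudo_exec_t)` rather than in a policy section of the file. The file continues outside the hunk.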
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/, policy/modules/services/, policy/modules/system/
commit: 56d8835e88a2d97f33e8ed66fa8914979378b9c6 Author: Chris PeBenito ieee org> AuthorDate: Thu Jan 28 16:39:49 2021 + Commit: Jason Zaman gentoo org> CommitDate: Mon Feb 1 01:21:42 2021 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=56d8835e various: Module version bump. Signed-off-by: Chris PeBenito ieee.org> Signed-off-by: Jason Zaman gentoo.org> policy/modules/admin/netutils.te | 2 +- policy/modules/services/apache.te| 2 +- policy/modules/services/aptcacher.te | 2 +- policy/modules/services/bind.te | 2 +- policy/modules/services/colord.te| 2 +- policy/modules/services/cron.te | 2 +- policy/modules/services/cups.te | 2 +- policy/modules/services/devicekit.te | 2 +- policy/modules/services/dkim.te | 2 +- policy/modules/services/entropyd.te | 2 +- policy/modules/services/fail2ban.te | 2 +- policy/modules/services/jabber.te| 2 +- policy/modules/services/l2tp.te | 2 +- policy/modules/services/mailman.te | 2 +- policy/modules/services/mon.te | 2 +- policy/modules/services/mysql.te | 2 +- policy/modules/services/openvpn.te | 2 +- policy/modules/services/postgrey.te | 2 +- policy/modules/services/rpc.te | 2 +- policy/modules/services/samba.te | 2 +- policy/modules/services/smartmon.te | 2 +- policy/modules/services/squid.te | 2 +- policy/modules/services/tor.te | 2 +- policy/modules/services/watchdog.te | 2 +- policy/modules/services/xserver.te | 2 +- policy/modules/system/sysnetwork.te | 2 +- 26 files changed, 26 insertions(+), 26 deletions(-) diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te index 1a0d3d7b..c4fc0286 100644 --- a/policy/modules/admin/netutils.te +++ b/policy/modules/admin/netutils.te @@ -1,4 +1,4 @@ -policy_module(netutils, 1.20.1) +policy_module(netutils, 1.20.2) # diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te index 35fafe56..229848c0 100644 --- a/policy/modules/services/apache.te +++ b/policy/modules/services/apache.te 
@@ -1,4 +1,4 @@ -policy_module(apache, 2.19.2) +policy_module(apache, 2.19.3) # diff --git a/policy/modules/services/aptcacher.te b/policy/modules/services/aptcacher.te index d9089a77..fa3b2dd0 100644 --- a/policy/modules/services/aptcacher.te +++ b/policy/modules/services/aptcacher.te @@ -1,4 +1,4 @@ -policy_module(aptcacher, 1.1.0) +policy_module(aptcacher, 1.1.1) # diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te index 57ae7be3..11949946 100644 --- a/policy/modules/services/bind.te +++ b/policy/modules/services/bind.te @@ -1,4 +1,4 @@ -policy_module(bind, 1.22.2) +policy_module(bind, 1.22.3) # diff --git a/policy/modules/services/colord.te b/policy/modules/services/colord.te index ca035d5e..c41d827b 100644 --- a/policy/modules/services/colord.te +++ b/policy/modules/services/colord.te @@ -1,4 +1,4 @@ -policy_module(colord, 1.6.1) +policy_module(colord, 1.6.2) # diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te index c4342f05..23e990ad 100644 --- a/policy/modules/services/cron.te +++ b/policy/modules/services/cron.te @@ -1,4 +1,4 @@ -policy_module(cron, 2.18.3) +policy_module(cron, 2.18.4) gen_require(` class passwd rootok; diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te index f6e4a0e6..b6d8d41c 100644 --- a/policy/modules/services/cups.te +++ b/policy/modules/services/cups.te @@ -1,4 +1,4 @@ -policy_module(cups, 1.25.2) +policy_module(cups, 1.25.3) # diff --git a/policy/modules/services/devicekit.te b/policy/modules/services/devicekit.te index 25f93898..feff1026 100644 --- a/policy/modules/services/devicekit.te +++ b/policy/modules/services/devicekit.te @@ -1,4 +1,4 @@ -policy_module(devicekit, 1.13.2) +policy_module(devicekit, 1.13.3) # diff --git a/policy/modules/services/dkim.te b/policy/modules/services/dkim.te index 864d5b07..0b111b46 100644 --- a/policy/modules/services/dkim.te +++ b/policy/modules/services/dkim.te 
@@ -1,4 +1,4 @@ -policy_module(dkim, 1.8.0) +policy_module(dkim, 1.8.1) # diff --git a/policy/modules/services/entropyd.te b/policy/modules/services/entropyd.te index f2405692..c46f0445 100644 --- a/policy/modules/services/entropyd.te +++ b/policy/modules/services/entropyd.te @@ -1,4 +1,4 @@ -policy_module(entropyd, 1.14.1) +policy_module(entropyd, 1.14.2) # diff --git a/policy/modules/services/fail2ban.te b/policy/modules/services/fail2ban.te index 1e97cdfa..640905d4 100644 ---
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/, policy/modules/system/, policy/modules/services/
commit: 9ac5cf61e3dde52271310da0fea9a4210c744927 Author: Russell Coker coker com au> AuthorDate: Wed Jan 27 17:20:35 2021 + Commit: Jason Zaman gentoo org> CommitDate: Mon Feb 1 01:21:42 2021 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9ac5cf61 misc network patches with Dominick's changes*2 I think this one is good for merging now. Signed-off-by: Russell Coker coker.com.au> Signed-off-by: Jason Zaman gentoo.org> policy/modules/admin/netutils.te| 5 ++- policy/modules/services/dkim.te | 1 + policy/modules/services/mailman.te | 1 + policy/modules/services/mon.te | 3 ++ policy/modules/services/samba.if| 76 + policy/modules/system/sysnetwork.fc | 1 + policy/modules/system/sysnetwork.te | 20 ++ 7 files changed, 106 insertions(+), 1 deletion(-) diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te index 06a64a3e..1a0d3d7b 100644 --- a/policy/modules/admin/netutils.te +++ b/policy/modules/admin/netutils.te @@ -109,6 +109,7 @@ allow ping_t self:tcp_socket create_socket_perms; allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt getattr }; allow ping_t self:packet_socket { create ioctl read write bind getopt setopt }; allow ping_t self:netlink_route_socket create_netlink_socket_perms; +allow ping_t self:icmp_socket create; corenet_all_recvfrom_netlabel(ping_t) corenet_sendrecv_icmp_packets(ping_t) 
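Review bot: `allow ping_t self:icmp_socket create;` in the netutils.te hunk grants only `create`, so the ICMP datagram socket can be opened but any later `setopt`, `write` or `read` on it is still not allowed, which presumably makes ping fail on that socket instead of falling back to its raw socket. If the intent is to let ping use unprivileged ICMP sockets, `allow ping_t self:icmp_socket create_socket_perms;` would match the `create_socket_perms` rules just above it; if the intent is only to quiet the probe, a `dontaudit` with a comment would be clearer. Either way a why-comment above the line would help. The ping_t rule block continues outside the hunk.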
@@ -156,13 +157,14 @@ allow traceroute_t self:capability { net_admin net_raw setgid setuid }; allow traceroute_t self:fifo_file rw_inherited_fifo_file_perms; allow traceroute_t self:process signal; allow traceroute_t self:rawip_socket create_socket_perms; -allow traceroute_t self:packet_socket create_socket_perms; +allow traceroute_t self:packet_socket { map create_socket_perms }; allow traceroute_t self:udp_socket create_socket_perms; can_exec(traceroute_t, traceroute_exec_t) kernel_read_system_state(traceroute_t) kernel_read_network_state(traceroute_t) +kernel_search_fs_sysctls(traceroute_t) corecmd_search_bin(traceroute_t) @@ -197,6 +199,7 @@ auth_use_nsswitch(traceroute_t) logging_send_syslog_msg(traceroute_t) +miscfiles_read_generic_certs(traceroute_t) miscfiles_read_localization(traceroute_t) userdom_use_inherited_user_terminals(traceroute_t) diff --git a/policy/modules/services/dkim.te b/policy/modules/services/dkim.te index e744f3d7..864d5b07 100644 --- a/policy/modules/services/dkim.te +++ b/policy/modules/services/dkim.te @@ -35,6 +35,7 @@ kernel_read_vm_overcommit_sysctl(dkim_milter_t) corenet_udp_bind_generic_node(dkim_milter_t) corenet_udp_bind_all_unreserved_ports(dkim_milter_t) +corenet_udp_bind_generic_port(dkim_milter_t) dev_read_urand(dkim_milter_t) # for cpu/online diff --git a/policy/modules/services/mailman.te b/policy/modules/services/mailman.te index 154eb301..47bb174b 100644 --- a/policy/modules/services/mailman.te +++ b/policy/modules/services/mailman.te @@ -112,6 +112,7 @@ corecmd_exec_bin(mailman_cgi_t) dev_read_urand(mailman_cgi_t) files_search_locks(mailman_cgi_t) +files_read_usr_files(mailman_cgi_t) term_use_controlling_term(mailman_cgi_t) diff --git a/policy/modules/services/mon.te b/policy/modules/services/mon.te index 74a94b89..50a9c82f 100644 --- a/policy/modules/services/mon.te +++ b/policy/modules/services/mon.te 
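Review bot: `allow traceroute_t self:packet_socket { map create_socket_perms };` adds the `map` permission, which lets the domain memory-map the packet socket and is a broader right than the previous `create_socket_perms`, yet neither this hunk nor the commit message says which traceroute implementation needs it. A short comment such as `# map: needed by <implementation> for a memory-mapped packet ring — confirm` would document the reason, and the same goes for `kernel_search_fs_sysctls(traceroute_t)` and `miscfiles_read_generic_certs(traceroute_t)`, where the need for certificate access by a traceroute domain is not obvious. The traceroute_t rule block continues outside the hunks.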
@@ -58,6 +58,9 @@ manage_files_pattern(mon_t, mon_var_log_t, mon_var_log_t) manage_files_pattern(mon_t, mon_runtime_t, mon_runtime_t) files_runtime_filetrans(mon_t, mon_runtime_t, file) +# to read fips_enabled +kernel_read_crypto_sysctls(mon_t) + kernel_read_kernel_sysctls(mon_t) kernel_read_network_state(mon_t) kernel_read_system_state(mon_t) diff --git a/policy/modules/services/samba.if b/policy/modules/services/samba.if index 62c3ae67..5e01db23 100644 --- a/policy/modules/services/samba.if +++ b/policy/modules/services/samba.if @@ -729,3 +729,79 @@ interface(`samba_admin',` files_list_tmp($1) admin_pattern($1, { swat_tmp_t smbd_tmp_t winbind_tmp_t }) ') + + +## +## start samba daemon +## +## +## +## Domain allowed access. +## +## +# +interface(`samba_start',` + gen_require(` + type samba_unit_t; + ') + + allow $1 samba_unit_t:file getattr; + allow $1 samba_unit_t:service start; +') + + +## +## stop samba daemon +## +## +## +## Domain allowed access. +## +## +# +interface(`samba_stop',` + gen_require(` + type samba_unit_t; + ') + + allow $1 samba_unit_t:file getattr; + allow $1 samba_unit_t:service stop; +') + + +## +## get status of samba daemon +## +## +## +## Domain allowed access. +## +## +# +interface(`samba_status',` + gen_require(` +
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/
commit: b3f7bbec02352eb175391b51119180bad035b096 Author: Jonathan Davies protonmail com> AuthorDate: Tue Nov 17 15:58:31 2020 + Commit: Jason Zaman gentoo org> CommitDate: Sun Nov 29 01:32:30 2020 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b3f7bbec portage.te: Allow portage_fetch_t to read /dev/urandom through interface. Closes: https://github.com/perfinion/hardened-refpolicy/pull/3 Signed-off-by: Jonathan Davies protonmail.com> Signed-off-by: Jason Zaman gentoo.org> policy/modules/admin/portage.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te index c0d6cace..8e9865e2 100644 --- a/policy/modules/admin/portage.te +++ b/policy/modules/admin/portage.te @@ -303,6 +303,7 @@ corenet_udp_bind_generic_node(portage_fetch_t) corenet_udp_bind_all_unreserved_ports(portage_fetch_t) dev_read_rand(portage_fetch_t) +dev_read_urand(portage_fetch_t) domain_use_interactive_fds(portage_fetch_t)
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/
commit: b0b027157f3d12f12c5f859343ae4c28224c5629 Author: Jonathan Davies protonmail com> AuthorDate: Tue Nov 17 03:46:23 2020 + Commit: Jason Zaman gentoo org> CommitDate: Sat Nov 28 22:55:59 2020 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b0b02715 portage: Added /var/cache/distfiles path. Closes: https://github.com/perfinion/hardened-refpolicy/pull/1 Signed-off-by: Jason Zaman perfinion.com> Signed-off-by: Jason Zaman gentoo.org> policy/modules/admin/portage.fc | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc index 5757deaa..b1b28f3e 100644 --- a/policy/modules/admin/portage.fc +++ b/policy/modules/admin/portage.fc @@ -28,6 +28,7 @@ /var/db/pkg(/.*)? gen_context(system_u:object_r:portage_db_t,s0) /var/db/repos(/.*)?gen_context(system_u:object_r:portage_ebuild_t,s0) /var/cache/binpkgs(/.*)? gen_context(system_u:object_r:portage_ebuild_t,s0) +/var/cache/distfiles(/.*)? gen_context(system_u:object_r:portage_ebuild_t,s0) /var/cache/distfiles/cvs-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0) /var/cache/distfiles/egit-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0) /var/cache/distfiles/git[0-9]-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0)
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/, policy/modules/contrib/, policy/modules/apps/
commit: fd6ef0c54af495c90e7f5335923ba6274fdb36ac Author: Jason Zaman gentoo org> AuthorDate: Sat Feb 15 08:28:18 2020 + Commit: Jason Zaman gentoo org> CommitDate: Sat Feb 15 08:31:07 2020 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=fd6ef0c5 access_vectors: Remove gentoo-specific unused permissions Follow-on to commit 8c38998a0c3024ef16de5fdc1bc12cef5c521759 tcp/udp sendrecv permissions are obsolete and removed from the policy completely. Signed-off-by: Jason Zaman gentoo.org> policy/modules/admin/portage.te | 1 - policy/modules/admin/puppet.te | 1 - policy/modules/apps/mozilla.te | 4 policy/modules/contrib/bitcoin.te| 2 -- policy/modules/contrib/dirsrv.te | 1 - policy/modules/contrib/dropbox.te| 1 - policy/modules/contrib/kdeconnect.te | 2 -- policy/modules/contrib/mutt.te | 2 -- policy/modules/contrib/pan.te| 1 - policy/modules/contrib/rtorrent.te | 1 - policy/modules/contrib/skype.te | 1 - 11 files changed, 17 deletions(-) diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te index 63393962..671ee7f0 100644 --- a/policy/modules/admin/portage.te +++ b/policy/modules/admin/portage.te @@ -525,7 +525,6 @@ gen_tunable(portage_enable_test, false) corenet_tcp_connect_all_unreserved_ports(portage_sandbox_t) corenet_udp_bind_all_unreserved_ports(portage_sandbox_t) corenet_udp_bind_generic_node(portage_sandbox_t) - corenet_udp_sendrecv_all_ports(portage_sandbox_t) ') ## diff --git a/policy/modules/admin/puppet.te b/policy/modules/admin/puppet.te index f2b11568..3670df76 100644 --- a/policy/modules/admin/puppet.te +++ b/policy/modules/admin/puppet.te @@ -368,7 +368,6 @@ ifdef(`distro_gentoo',` corenet_sendrecv_puppetclient_server_packets(puppet_t) corenet_tcp_bind_puppetclient_port(puppet_t) - corenet_tcp_sendrecv_puppetclient_port(puppet_t) usermanage_domtrans_passwd(puppet_t) diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te index 744c7df2..c4ac2c7e 100644 --- a/policy/modules/apps/mozilla.te 
+++ b/policy/modules/apps/mozilla.te @@ -724,10 +724,8 @@ gen_tunable(mozilla_plugin_connect_all_unreserved, false) allow mozilla_t mozilla_xdg_cache_t:file map; corenet_dontaudit_tcp_bind_generic_port(mozilla_t) - corenet_dontaudit_tcp_sendrecv_generic_port(mozilla_t) corenet_sendrecv_tor_client_packets(mozilla_t) corenet_tcp_connect_tor_port(mozilla_t) - corenet_tcp_sendrecv_tor_port(mozilla_t) domain_use_interactive_fds(mozilla_t) @@ -738,7 +736,6 @@ gen_tunable(mozilla_plugin_connect_all_unreserved, false) tunable_policy(`mozilla_bind_all_unreserved_ports',` corenet_sendrecv_all_server_packets(mozilla_t) corenet_tcp_bind_all_unreserved_ports(mozilla_t) - corenet_tcp_sendrecv_all_ports(mozilla_t) ') optional_policy(` @@ -771,7 +768,6 @@ gen_tunable(mozilla_plugin_connect_all_unreserved, false) corenet_sendrecv_pulseaudio_client_packets(mozilla_plugin_t) corenet_tcp_connect_pulseaudio_port(mozilla_plugin_t) - corenet_tcp_sendrecv_pulseaudio_port(mozilla_plugin_t) userdom_dontaudit_use_user_terminals(mozilla_plugin_t) userdom_rw_user_tmpfs_files(mozilla_plugin_t) diff --git a/policy/modules/contrib/bitcoin.te b/policy/modules/contrib/bitcoin.te index c5667519..6cc82f77 100644 --- a/policy/modules/contrib/bitcoin.te +++ b/policy/modules/contrib/bitcoin.te @@ -69,12 +69,10 @@ corenet_tcp_bind_bitcoin_port(bitcoin_t) corenet_tcp_connect_bitcoin_port(bitcoin_t) corenet_tcp_connect_http_port(bitcoin_t) corenet_tcp_bind_generic_node(bitcoin_t) -corenet_tcp_sendrecv_bitcoin_port(bitcoin_t) corenet_tcp_sendrecv_generic_if(bitcoin_t) corenet_tcp_sendrecv_generic_node(bitcoin_t) #corenet_sendrecv_dns_server_packets(bitcoin_t) #corenet_udp_bind_dns_port(bitcoin_t) -#corenet_udp_sendrecv_dns_port(bitcoin_t) dev_read_sysfs(bitcoin_t) dev_read_urand(bitcoin_t) diff --git a/policy/modules/contrib/dirsrv.te b/policy/modules/contrib/dirsrv.te index e7c8d06e..0fa0b069 100644 --- a/policy/modules/contrib/dirsrv.te +++ b/policy/modules/contrib/dirsrv.te 
@@ -125,7 +125,6 @@ corenet_all_recvfrom_unlabeled(dirsrv_t) corenet_all_recvfrom_netlabel(dirsrv_t) corenet_tcp_sendrecv_generic_if(dirsrv_t) corenet_tcp_sendrecv_generic_node(dirsrv_t) -corenet_tcp_sendrecv_all_ports(dirsrv_t) corenet_tcp_bind_all_nodes(dirsrv_t) corenet_tcp_bind_ldap_port(dirsrv_t) corenet_tcp_bind_all_rpc_ports(dirsrv_t) diff --git a/policy/modules/contrib/dropbox.te b/policy/modules/contrib/dropbox.te index 80d8af37..2aa9a93b 100644 --- a/policy/modules/contrib/dropbox.te +++ b/policy/modules/contrib/dropbox.te @@ -108,7 +108,6 @@
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/
commit: 79c6971616012abf80e22b1678be2826a2860b42 Author: Nicolas Iooss m4x org> AuthorDate: Wed Jan 15 21:01:08 2020 + Commit: Jason Zaman gentoo org> CommitDate: Sat Feb 15 07:32:05 2020 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=79c69716 usermanage: allow groupadd to lookup dynamic users from systemd On a Debian 10 test virtual machine, when installing packages adds a group, the following AVC occurs: type=USER_AVC msg=audit(1578863991.588:575): pid=381 uid=104 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.systemd1.Manager member=LookupDynamicUserByName dest=org.freedesktop.systemd1 spid=13759 tpid=1 scontext=unconfined_u:unconfined_r:groupadd_t tcontext=system_u:system_r:init_t tclass=dbus permissive=1 exe="/usr/bin/dbus-daemon" sauid=104 hostname=? addr=? terminal=?' Allow groupadd to use nss-systemd, which calls DBUS method LookupDynamicUserByName(). Signed-off-by: Nicolas Iooss m4x.org> Signed-off-by: Jason Zaman gentoo.org> policy/modules/admin/usermanage.te | 4 1 file changed, 4 insertions(+) diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te index 3605da43..ef18fd64 100644 --- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te @@ -277,6 +277,10 @@ optional_policy(` rpm_rw_pipes(groupadd_t) ') +optional_policy(` + systemd_use_nss(groupadd_t) +') + optional_policy(` unconfined_use_fds(groupadd_t) ')
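Review bot: The new optional_policy block carries no comment, so the reason for it (nss-systemd resolving dynamic users via the LookupDynamicUserByName D-Bus call) survives only in the commit message; the passwd_t rules in this file annotate systemd-specific grants (`# for journald /dev/log`). Suggest `# nss-systemd: LookupDynamicUserByName over the system bus` directly above `systemd_use_nss(groupadd_t)`. If systemd_use_nss is only meaningful when systemd is the init system, the init_systemd ifdef guard used for passwd_t in this file may be the more precise wrapper, but that depends on how the interface is defined in this tree.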
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/
commit: d7af41866897c6ec751ea4b95413a850a3e04e10 Author: Laurent Bigonville bigon be> AuthorDate: Sun Oct 6 10:01:48 2019 + Commit: Jason Zaman gentoo org> CommitDate: Mon Dec 16 13:13:11 2019 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d7af4186 Allow alsa_t to create alsa_runtime_t file as well When alsactl is started as a daemon, it creates a pidfile (/run/alsactl.pid), that needs to be allowed time->Sun Oct 6 10:59:09 2019 type=AVC msg=audit(1570352349.743:45): avc: denied { write open } for pid=804 comm="alsactl" path="/run/alsactl.pid" dev="tmpfs" ino=25882 scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1 type=AVC msg=audit(1570352349.743:45): avc: denied { create } for pid=804 comm="alsactl" name="alsactl.pid" scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1 time->Sun Oct 6 11:54:38 2019 type=AVC msg=audit(1570355678.226:657): avc: denied { open } for pid=9186 comm="alsactl" path="/run/alsactl.pid" dev="tmpfs" ino=25882 scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1 type=AVC msg=audit(1570355678.226:657): avc: denied { read } for pid=9186 comm="alsactl" name="alsactl.pid" dev="tmpfs" ino=25882 scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1 time->Sun Oct 6 11:54:38 2019 type=AVC msg=audit(1570355678.230:659): avc: denied { unlink } for pid=804 comm="alsactl" name="alsactl.pid" dev="tmpfs" ino=25882 scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1 Signed-off-by: Laurent Bigonville bigon.be> Signed-off-by: Jason Zaman gentoo.org> policy/modules/admin/alsa.fc | 1 + policy/modules/admin/alsa.te | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/policy/modules/admin/alsa.fc b/policy/modules/admin/alsa.fc index 75ea9ebf..3f52f370 100644 
--- a/policy/modules/admin/alsa.fc
+++ b/policy/modules/admin/alsa.fc
@@ -4,6 +4,7 @@ HOME_DIR/\.asoundrc -- gen_context(system_u:object_r:alsa_home_t,s0)
 /etc/asound\.conf -- gen_context(system_u:object_r:alsa_etc_t,s0)
 /run/alsa(/.*)? gen_context(system_u:object_r:alsa_runtime_t,s0)
+/run/alsactl\.pid -- gen_context(system_u:object_r:alsa_runtime_t,s0)
 /usr/bin/ainit -- gen_context(system_u:object_r:alsa_exec_t,s0)
 /usr/bin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0)
diff --git a/policy/modules/admin/alsa.te b/policy/modules/admin/alsa.te
index 06c7635c..6a0e6fa0 100644
--- a/policy/modules/admin/alsa.te
+++ b/policy/modules/admin/alsa.te
@@ -58,8 +58,9 @@ allow alsa_t alsa_etc_t:file map;
 can_exec(alsa_t, alsa_exec_t)
 allow alsa_t alsa_runtime_t:dir manage_dir_perms;
+allow alsa_t alsa_runtime_t:file manage_file_perms;
 allow alsa_t alsa_runtime_t:lnk_file manage_lnk_file_perms;
-files_pid_filetrans(alsa_t, alsa_runtime_t, dir)
+files_pid_filetrans(alsa_t, alsa_runtime_t, { dir file })
 manage_dirs_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t)
 manage_files_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t)
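Review bot: `files_pid_filetrans(alsa_t, alsa_runtime_t, { dir file })` labels every file alsa_t creates directly under /run as alsa_runtime_t, while the new file context in alsa.fc only covers /run/alsactl.pid, so the two can drift apart for any other file the daemon drops there. If the optional filename argument of files_pid_filetrans is available in this tree, a name-based transition keeps them consistent: `files_pid_filetrans(alsa_t, alsa_runtime_t, file, "alsactl.pid")`, leaving the unnamed transition for `dir` only. `manage_file_perms` does cover the create/write/open/read/unlink set in the quoted denials, so the permission set itself matches the evidence.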
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/, policy/modules/system/, policy/modules/services/
commit: b61d15df3fda629ab5519ac0aff28bf6e7668ba2 Author: Chris PeBenito ieee org> AuthorDate: Sat Nov 23 14:54:36 2019 + Commit: Jason Zaman gentoo org> CommitDate: Mon Dec 16 13:13:11 2019 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b61d15df various: Module version bump. Signed-off-by: Jason Zaman gentoo.org> policy/modules/admin/alsa.te| 2 +- policy/modules/services/dbus.te | 2 +- policy/modules/services/geoclue.te | 2 +- policy/modules/services/realmd.te | 2 +- policy/modules/system/unconfined.te | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/policy/modules/admin/alsa.te b/policy/modules/admin/alsa.te index 1f27ee28..df47f781 100644 --- a/policy/modules/admin/alsa.te +++ b/policy/modules/admin/alsa.te @@ -1,4 +1,4 @@ -policy_module(alsa, 1.19.1) +policy_module(alsa, 1.19.2) # diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te index 1d7123ba..fb444aa8 100644 --- a/policy/modules/services/dbus.te +++ b/policy/modules/services/dbus.te @@ -1,4 +1,4 @@ -policy_module(dbus, 1.27.1) +policy_module(dbus, 1.27.2) gen_require(` class dbus all_dbus_perms; diff --git a/policy/modules/services/geoclue.te b/policy/modules/services/geoclue.te index a36bcb80..306d8c87 100644 --- a/policy/modules/services/geoclue.te +++ b/policy/modules/services/geoclue.te @@ -1,4 +1,4 @@ -policy_module(geoclue, 1.1.0) +policy_module(geoclue, 1.1.1) # diff --git a/policy/modules/services/realmd.te b/policy/modules/services/realmd.te index 841b02a4..5c8bfb54 100644 --- a/policy/modules/services/realmd.te +++ b/policy/modules/services/realmd.te @@ -1,4 +1,4 @@ -policy_module(realmd, 1.1.0) +policy_module(realmd, 1.1.1) # diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te index 2bb15219..c8723860 100644 --- a/policy/modules/system/unconfined.te +++ b/policy/modules/system/unconfined.te @@ -1,4 +1,4 @@ -policy_module(unconfined, 3.13.0) +policy_module(unconfined, 3.13.1) #
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/
commit: 747810c85068a0c6e3820733e05f4ee9fd820454 Author: Laurent Bigonville bigon be> AuthorDate: Sun Oct 6 10:32:03 2019 + Commit: Jason Zaman gentoo org> CommitDate: Mon Dec 16 13:13:11 2019 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=747810c8 Allow alsa_t to set scheduling priority and send signal to itself When alsactl is running as a daemon with systemd, it sets its process priority to be nice to other processes. When stopping the service, it's signaling to itself that it needs to exit. time->Sun Oct 6 11:59:59 2019 type=AVC msg=audit(1570355999.755:43): avc: denied { setsched } for pid=794 comm="alsactl" scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:system_r:alsa_t:s0 tclass=process permissive=1 time->Sun Oct 6 11:59:59 2019 type=AVC msg=audit(1570355999.755:44): avc: denied { getsched } for pid=794 comm="alsactl" scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:system_r:alsa_t:s0 tclass=process permissive=1 time->Sun Oct 6 12:07:26 2019 type=AVC msg=audit(1570356446.747:292): avc: denied { signal } for pid=3585 comm="alsactl" scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:system_r:alsa_t:s0 tclass=process permissive=1 Signed-off-by: Laurent Bigonville bigon.be> Signed-off-by: Jason Zaman gentoo.org> policy/modules/admin/alsa.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/admin/alsa.te b/policy/modules/admin/alsa.te index 6a0e6fa0..1f27ee28 100644 --- a/policy/modules/admin/alsa.te +++ b/policy/modules/admin/alsa.te @@ -44,6 +44,7 @@ files_lock_file(alsa_var_lock_t) allow alsa_t self:capability { dac_override dac_read_search ipc_owner setgid setuid }; # kill : kill pulseaudio dontaudit alsa_t self:capability { kill sys_admin }; +allow alsa_t self:process { getsched setsched signal }; allow alsa_t self:sem create_sem_perms; allow alsa_t self:shm create_shm_perms; allow alsa_t self:unix_stream_socket { accept listen };
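Review bot: The added `allow alsa_t self:process { getsched setsched signal };` has no comment saying which permission serves what, while the neighbouring `# kill : kill pulseaudio` line sets that convention for this block. Suggest `# setsched/getsched: daemon mode renices itself; signal: signals itself on service stop` above the new rule. getsched is absent from the commit title but present in the denials, so naming it in the comment keeps the two aligned.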
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/
commit: 1a367564756b5ecefb06c3dfe204ca068f75c0c0 Author: Sugar, David tresys com> AuthorDate: Tue Jul 2 15:30:31 2019 + Commit: Jason Zaman gentoo org> CommitDate: Sat Jul 13 06:43:14 2019 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1a367564 Allow rpm scripts to alter systemd services In RPM scripts it is common to enable/start services that are being installed. This allows rpm_script_t to manage sysemd units type=USER_AVC msg=audit(1561033935.758:283): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { enable } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/ntpdate.service" cmdline="systemctl preset ntpdate.service" scontext=system_u:system_r:rpm_script_t:s0 tcontext=system_u:object_r:ntpd_unit_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?' type=USER_AVC msg=audit(1561033935.837:286): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { enable } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/ntpd.service" cmdline="systemctl preset ntpd.service" scontext=system_u:system_r:rpm_script_t:s0 tcontext=system_u:object_r:ntpd_unit_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?' type=USER_AVC msg=audit(1561059114.937:239): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { reload } for auid=n/a uid=0 gid=0 cmdline="systemctl preset ntpdate.service" scontext=system_u:system_r:rpm_script_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?' Signed-off-by: Dave Sugar tresys.com> Signed-off-by: Jason Zaman perfinion.com> policy/modules/admin/rpm.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te index a7b13467..e74113fc 100644 --- a/policy/modules/admin/rpm.te +++ b/policy/modules/admin/rpm.te 
@@ -345,6 +345,8 @@ auth_dontaudit_getattr_shadow(rpm_script_t)
 auth_use_nsswitch(rpm_script_t)
 init_domtrans_script(rpm_script_t)
+init_manage_all_units(rpm_script_t)
+init_reload(rpm_script_t)
 init_telinit(rpm_script_t)
 libs_exec_ld_so(rpm_script_t)
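Review bot: `init_manage_all_units(rpm_script_t)` grants management of every unit type and service, while the quoted denials show only `enable` (systemctl preset) on specific units and a `reload` of the manager; that is a wide grant for a domain that runs arbitrary package scriptlets, even if it is in keeping with those scriptlets acting as the installer. A comment recording the intent would help the next reader decide whether something narrower suffices, e.g. `# scriptlets run systemctl preset/enable and daemon-reload`. If these two interfaces are only meaningful with systemd as init, the init_systemd ifdef guard used elsewhere in this tree (usermanage.te) may be the better wrapper. The rpm_script_t policy section continues outside the hunk.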
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/
commit: 6ad26170be5e95a49bdbeb1a4c45a080ae7fe6b2 Author: Sugar, David tresys com> AuthorDate: Tue Jul 2 15:30:31 2019 + Commit: Jason Zaman gentoo org> CommitDate: Sat Jul 13 06:43:14 2019 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6ad26170 Allow rpm to map file contexts type=AVC msg=audit(1560944465.365:270): avc: denied { map } for pid=1265 comm="rpm" path="/etc/selinux/clip/contexts/files/file_contexts.bin" dev="dm-0" ino=44911 scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:object_r:file_context_t:s0 tclass=file permissive=1 Signed-off-by: Dave Sugar tresys.com> Signed-off-by: Jason Zaman perfinion.com> policy/modules/admin/rpm.te | 1 + 1 file changed, 1 insertion(+)
diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
index e385a8ba..a7b13467 100644
--- a/policy/modules/admin/rpm.te
+++ b/policy/modules/admin/rpm.te
@@ -211,6 +211,7 @@ miscfiles_read_localization(rpm_t)
 seutil_manage_src_policy(rpm_t)
 seutil_manage_bin_policy(rpm_t)
+seutil_read_file_contexts(rpm_t)
 userdom_use_user_terminals(rpm_t)
 userdom_use_unpriv_users_fds(rpm_t)
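Review bot: The denial being fixed is for `map` on file_context_t, but `seutil_read_file_contexts` is named for read access; confirm that the interface in this tree also grants `file map` (refpolicy added mmap to a number of read interfaces, but not uniformly), otherwise the denial will persist in enforcing mode. The same check applies to the `miscfiles_read_localization(rpm_t)` hunk further down this page, where the denial is likewise `map` on locale-archive.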
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/
commit: 069c0408e5a33a230222f6bde4904dab51dcfff3 Author: Sugar, David tresys com> AuthorDate: Tue Jul 2 15:30:29 2019 + Commit: Jason Zaman gentoo org> CommitDate: Sat Jul 13 06:43:14 2019 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=069c0408 grant rpm permission to map rpm_var_lib_t type=AVC msg=audit(1560913896.432:218): avc: denied { map } for pid=1265 comm="rpm" path="/var/lib/rpm/__db.001" dev="dm-0" ino=2223 scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file permissive=1 Signed-off-by: Dave Sugar tresys.com> Signed-off-by: Jason Zaman perfinion.com> policy/modules/admin/rpm.te | 1 + 1 file changed, 1 insertion(+)
diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
index 2b15088a..85e32b3e 100644
--- a/policy/modules/admin/rpm.te
+++ b/policy/modules/admin/rpm.te
@@ -111,6 +111,7 @@ files_lock_filetrans(rpm_t, rpm_lock_t, file)
 manage_dirs_pattern(rpm_t, rpm_var_lib_t, rpm_var_lib_t)
 manage_files_pattern(rpm_t, rpm_var_lib_t, rpm_var_lib_t)
+mmap_read_files_pattern(rpm_t, rpm_var_lib_t, rpm_var_lib_t)
 files_var_lib_filetrans(rpm_t, rpm_var_lib_t, { dir file })
 manage_dirs_pattern(rpm_t, rpm_var_run_t, rpm_var_run_t)
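Review bot: `manage_files_pattern(rpm_t, rpm_var_lib_t, rpm_var_lib_t)` on the line above already grants read, so the only permission the denial actually needs is `map`; `allow rpm_t rpm_var_lib_t:file map;` states that more directly than `mmap_read_files_pattern`, which re-grants read it already has. Either form is correct; a short comment such as `# rpmdb Berkeley DB files (__db.*) are mmapped` would tie the rule to the quoted denial for the next reader.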
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/
commit: 5fcc3d0770d58a36c657164ff60d81a276c39d79 Author: Chris PeBenito microsoft com> AuthorDate: Thu May 16 12:57:36 2019 + Commit: Jason Zaman gentoo org> CommitDate: Sat Jul 13 06:43:14 2019 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5fcc3d07 logrotate: Make MTA optional. Signed-off-by: Chris PeBenito microsoft.com> Signed-off-by: Jason Zaman perfinion.com> policy/modules/admin/logrotate.te | 22 +- 1 file changed, 13 insertions(+), 9 deletions(-) diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te index 52cb35a5..37bab0aa 100644 --- a/policy/modules/admin/logrotate.te +++ b/policy/modules/admin/logrotate.te @@ -29,8 +29,6 @@ files_type(logrotate_var_lib_t) type logrotate_unit_t; init_unit_file(logrotate_unit_t) -mta_base_mail_template(logrotate) -role system_r types logrotate_mail_t; # @@ -131,8 +129,6 @@ userdom_use_user_terminals(logrotate_t) userdom_list_user_home_dirs(logrotate_t) userdom_use_unpriv_users_fds(logrotate_t) -mta_sendmail_domtrans(logrotate_t, logrotate_mail_t) - ifdef(`distro_debian',` allow logrotate_t logrotate_tmp_t:file relabel_file_perms; can_exec(logrotate_t, logrotate_exec_t) 
@@ -279,13 +275,21 @@ optional_policy(`
 # Mail local policy
 #
-allow logrotate_mail_t logrotate_t:fd use;
-allow logrotate_mail_t logrotate_t:fifo_file rw_fifo_file_perms;
-allow logrotate_mail_t logrotate_t:process sigchld;
+optional_policy(`
+mta_base_mail_template(logrotate)
+role system_r types logrotate_mail_t;
+
+allow logrotate_mail_t logrotate_t:fd use;
+allow logrotate_mail_t logrotate_t:fifo_file rw_fifo_file_perms;
+allow logrotate_mail_t logrotate_t:process sigchld;
-manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t)
+manage_files_pattern(logrotate_mail_t, logrotate_tmp_t, logrotate_tmp_t)
+
+mta_sendmail_domtrans(logrotate_t, logrotate_mail_t)
+
+logging_read_all_logs(logrotate_mail_t)
+')
-logging_read_all_logs(logrotate_mail_t)
 ifdef(`distro_gentoo',`
 # Fix bug 534256 - fail2ban installs a logrotate file that calls fail2ban-client so allow transition
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/
commit: 848ab47ce8e072e0485216d113b49ec3ecdc8e19 Author: Chris PeBenito ieee org> AuthorDate: Mon May 27 23:30:24 2019 + Commit: Jason Zaman gentoo org> CommitDate: Sat Jul 13 06:43:14 2019 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=848ab47c logrotate: Module version bump. Signed-off-by: Chris PeBenito ieee.org> Signed-off-by: Jason Zaman perfinion.com> policy/modules/admin/logrotate.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te index 37bab0aa..adc3101d 100644 --- a/policy/modules/admin/logrotate.te +++ b/policy/modules/admin/logrotate.te @@ -1,4 +1,4 @@ -policy_module(logrotate, 1.22.1) +policy_module(logrotate, 1.22.2) #
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/
commit: 9f421ae98022ed24ccc66e2c6d32f09d61d3427e Author: Chris PeBenito ieee org> AuthorDate: Tue Jul 9 00:49:31 2019 + Commit: Jason Zaman gentoo org> CommitDate: Sat Jul 13 06:43:14 2019 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9f421ae9 rpm: Module version bump. Signed-off-by: Chris PeBenito ieee.org> Signed-off-by: Jason Zaman perfinion.com> policy/modules/admin/rpm.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te index e74113fc..a73be953 100644 --- a/policy/modules/admin/rpm.te +++ b/policy/modules/admin/rpm.te @@ -1,4 +1,4 @@ -policy_module(rpm, 1.23.0) +policy_module(rpm, 1.23.1) #
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/
commit: eae38520b58bfb213ab8db6792a6c2ba94fc9161 Author: Sugar, David tresys com> AuthorDate: Tue Jul 2 15:30:30 2019 + Commit: Jason Zaman gentoo org> CommitDate: Sat Jul 13 06:43:14 2019 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=eae38520 grant rpm permissions to map locale_t type=AVC msg=audit(1560913896.408:217): avc: denied { map } for pid=1265 comm="rpm" path="/usr/lib/locale/locale-archive" dev="dm-0" ino=24721 scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=file permissive=1 Signed-off-by: Dave Sugar tresys.com> Signed-off-by: Jason Zaman perfinion.com> policy/modules/admin/rpm.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te index ff1dbf15..e385a8ba 100644 --- a/policy/modules/admin/rpm.te +++ b/policy/modules/admin/rpm.te @@ -207,6 +207,8 @@ libs_run_ldconfig(rpm_t, rpm_roles) logging_send_audit_msgs(rpm_t) logging_send_syslog_msg(rpm_t) +miscfiles_read_localization(rpm_t) + seutil_manage_src_policy(rpm_t) seutil_manage_bin_policy(rpm_t)
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/
commit: 6b8e7ca613d74efbe08d3ad4aabafe2361cba20c Author: Laurent Bigonville bigon be> AuthorDate: Fri May 3 11:32:04 2019 + Commit: Jason Zaman gentoo org> CommitDate: Sat Jul 13 06:43:14 2019 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6b8e7ca6 Allow logrotate to execute fail2ban-client fail2ban logrotate configuration runs "fail2ban-client flushlogs" after rotating the logs Signed-off-by: Jason Zaman perfinion.com> policy/modules/admin/logrotate.te | 1 + 1 file changed, 1 insertion(+)
diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te
index e66f15ef..e6e2a97b 100644
--- a/policy/modules/admin/logrotate.te
+++ b/policy/modules/admin/logrotate.te
@@ -193,6 +193,7 @@ optional_policy(`
 ')
 optional_policy(`
+fail2ban_domtrans_client(logrotate_t)
 fail2ban_stream_connect(logrotate_t)
 ')
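Review bot: A distro_gentoo block at the end of logrotate.te (visible as context in the logrotate MTA hunk on this page: "Fix bug 534256 - fail2ban installs a logrotate file that calls fail2ban-client so allow transition") appears to grant the same transition; with the generic rule in place that Gentoo-specific block is probably redundant and worth retiring, though its body is not shown here so this needs checking against the file. A comment on the new line, `# fail2ban's logrotate config runs "fail2ban-client flushlogs"`, would keep the rationale from the commit message next to the rule.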
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/
commit: ff958f25ddf696b09e9a0b91dd2883262abcaa7c Author: Sugar, David tresys com> AuthorDate: Tue Jul 2 17:59:43 2019 + Commit: Jason Zaman gentoo org> CommitDate: Sat Jul 13 06:43:14 2019 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ff958f25 grant permission for rpm to write to audit log Messages like this are added to the audit log when an rpm is installed: type=SOFTWARE_UPDATE msg=audit(1560913896.581:244): pid=1265 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:rpm_t:s0 msg='sw="ntpdate-4.2.6p5-25.el7_3.2.x86_64" sw_type=rpm key_enforce=0 gpg_res=0 root_dir="/" comm="rpm" exe="/usr/bin/rpm" hostname=? addr=? terminal=? res=success' These are the denials that I'm seeing: type=AVC msg=audit(1560913896.581:243): avc: denied { audit_write } for pid=1265 comm="rpm" capability=29 scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=capability permissive=1 type=AVC msg=audit(1561298132.446:240): avc: denied { create } for pid=1266 comm="rpm" scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=netlink_audit_socket permissive=1 type=AVC msg=audit(1561298132.446:241): avc: denied { write } for pid=1266 comm="rpm" scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=netlink_audit_socket permissive=1 type=AVC msg=audit(1561298132.446:241): avc: denied { nlmsg_relay } for pid=1266 comm="rpm" scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=netlink_audit_socket permissive=1 type=AVC msg=audit(1561298132.447:243): avc: denied { read } for pid=1266 comm="rpm" scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=netlink_audit_socket permissive=1 v2 - Use interface rather than adding permissions here - this change may confuse subsequent patches in this set, if so let me know and I will submit a pull request on github. Signed-off-by: Dave Sugar tresys.com> 
Signed-off-by: Jason Zaman perfinion.com> policy/modules/admin/rpm.te | 1 + 1 file changed, 1 insertion(+)
diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
index 85e32b3e..ff1dbf15 100644
--- a/policy/modules/admin/rpm.te
+++ b/policy/modules/admin/rpm.te
@@ -204,6 +204,7 @@ libs_exec_ld_so(rpm_t)
 libs_exec_lib_files(rpm_t)
 libs_run_ldconfig(rpm_t, rpm_roles)
+logging_send_audit_msgs(rpm_t)
 logging_send_syslog_msg(rpm_t)
 seutil_manage_src_policy(rpm_t)
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/
commit: 45581b7ac1b5fafd180b6bc43c1ea329c416b1ec Author: Sugar, David tresys com> AuthorDate: Mon Feb 25 23:37:47 2019 + Commit: Jason Zaman gentoo org> CommitDate: Mon Mar 25 10:05:25 2019 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=45581b7a Allow AIDE to mmap files AIDE has a compile time option WITH_MMAP which allows AIDE to map files during scanning. RHEL7 has set this option in the aide rpm they distribute. Changes made to add a tunable to enable permissions allowing aide to map files that it needs. I have set the default to false as this seems perfered (in my mind). Signed-off-by: Dave Sugar tresys.com> Signed-off-by: Jason Zaman perfinion.com> policy/modules/admin/aide.te | 13 + 1 file changed, 13 insertions(+) diff --git a/policy/modules/admin/aide.te b/policy/modules/admin/aide.te index f58ba850..fe52a280 100644 --- a/policy/modules/admin/aide.te +++ b/policy/modules/admin/aide.te @@ -5,6 +5,15 @@ policy_module(aide, 1.8.0) # Declarations # +## +## +## Control if AIDE can mmap files. +## AIDE can be compiled with the option 'with-mmap' in which case it will +## attempt to mmap files while running. +## +## +gen_tunable(aide_mmap_files, false) + attribute_role aide_roles; type aide_t; @@ -43,6 +52,10 @@ logging_send_syslog_msg(aide_t) userdom_use_user_terminals(aide_t) +tunable_policy(`aide_mmap_files',` + files_map_non_auth_files(aide_t) +') + optional_policy(` seutil_use_newrole_fds(aide_t) ')
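Review bot: The tunable description says AIDE "will attempt to mmap files" but not what an administrator should expect when the tunable is left at its default of false on a WITH_MMAP build, which is the decision the description exists to support; suggest adding a sentence along the lines of "Builds compiled with WITH_MMAP (for example the RHEL 7 package) need this enabled, otherwise file scans are denied." `files_map_non_auth_files` deliberately leaves out auth files such as shadow, so whether AIDE's scan of those falls back to read() or aborts on such a build is worth confirming and noting in the same description. The XML tags of the doc block appear to have been stripped by the rendering of this page rather than by the commit.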
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/
commit: d4a52c8d5636dc5c0ca411704137cee945f1071d Author: Sugar, David tresys com> AuthorDate: Mon Feb 25 23:37:47 2019 + Commit: Jason Zaman gentoo org> CommitDate: Mon Mar 25 10:05:25 2019 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d4a52c8d Allow AIDE to read kernel sysctl_crypto_t type=AVC msg=audit(1550799594.212:164): avc: denied { search } for pid=7182 comm="aide" name="crypto" dev="proc" ino=10257 scontext=system_u:system_r:aide_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1550799594.212:164): avc: denied { read } for pid=7182 comm="aide" name="fips_enabled" dev="proc" ino=10258 scontext=system_u:system_r:aide_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1 type=AVC msg=audit(1550799594.212:164): avc: denied { open } for pid=7182 comm="aide" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=10258 scontext=system_u:system_r:aide_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1 type=AVC msg=audit(1550799594.213:165): avc: denied { getattr } for pid=7182 comm="aide" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=10258 scontext=system_u:system_r:aide_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1 Signed-off-by: Dave Sugar tresys.com> Signed-off-by: Jason Zaman perfinion.com> policy/modules/admin/aide.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/admin/aide.te b/policy/modules/admin/aide.te index 6297b60e..f58ba850 100644 --- a/policy/modules/admin/aide.te +++ b/policy/modules/admin/aide.te @@ -36,6 +36,7 @@ files_read_all_files(aide_t) files_read_all_symlinks(aide_t) kernel_dgram_send(aide_t) +kernel_read_crypto_sysctls(aide_t) logging_send_audit_msgs(aide_t) logging_send_syslog_msg(aide_t)
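Review bot: The denials show AIDE reading /proc/sys/crypto/fips_enabled, presumably the FIPS-mode probe of its crypto library rather than anything AIDE does itself, but the new rule carries no comment; suggest `# crypto library checks /proc/sys/crypto/fips_enabled` above `kernel_read_crypto_sysctls(aide_t)`. The identical rule added for passwd_t further down this page would benefit from the same note.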
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/, policy/modules/system/
commit: 4266a333c75861d4030687bafa5e26606230abbf Author: Chris PeBenito ieee org> AuthorDate: Tue Mar 12 00:57:05 2019 + Commit: Jason Zaman gentoo org> CommitDate: Mon Mar 25 10:05:25 2019 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4266a333 systemd, udev, usermanage: Module version bump. Signed-off-by: Jason Zaman perfinion.com> policy/modules/admin/usermanage.te | 2 +- policy/modules/system/systemd.te | 2 +- policy/modules/system/udev.te | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te index d8ba89e6..f9a224a1 100644 --- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te @@ -1,4 +1,4 @@ -policy_module(usermanage, 1.22.0) +policy_module(usermanage, 1.22.1) # diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index 25e9550d..07529a5d 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -1,4 +1,4 @@ -policy_module(systemd, 1.7.3) +policy_module(systemd, 1.7.4) # # diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te index f6a9d652..8149ea9a 100644 --- a/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te @@ -1,4 +1,4 @@ -policy_module(udev, 1.25.0) +policy_module(udev, 1.25.1) #
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/
commit: 52cb621762b5a0e7c4276d1c527623181f2ee454 Author: Chris PeBenito ieee org> AuthorDate: Tue Mar 12 00:56:46 2019 + Commit: Jason Zaman gentoo org> CommitDate: Mon Mar 25 10:05:25 2019 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=52cb6217 usermanage: Move kernel_dgram_send(passwd_t) to systemd block. Signed-off-by: Jason Zaman perfinion.com> policy/modules/admin/usermanage.te | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index 0f874b1a..d8ba89e6 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -304,7 +304,6 @@ allow passwd_t self:msg { send receive };
 allow passwd_t crack_db_t:dir list_dir_perms;
 read_files_pattern(passwd_t, crack_db_t, crack_db_t)
-kernel_dgram_send(passwd_t)
 kernel_read_crypto_sysctls(passwd_t)
 kernel_read_kernel_sysctls(passwd_t)
@@ -367,6 +366,11 @@ userdom_read_user_tmp_files(passwd_t)
 # on user home dir
 userdom_dontaudit_search_user_home_content(passwd_t)
+ifdef(`init_systemd',`
+# for journald /dev/log
+kernel_dgram_send(passwd_t)
+')
+
 optional_policy(`
 nscd_run(passwd_t, passwd_roles)
 ')
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/
commit: 17daafd3ec8af0e3e870d7b9aa2e4a68dcd5d00c Author: Sugar, David tresys com> AuthorDate: Mon Mar 11 16:02:29 2019 + Commit: Jason Zaman gentoo org> CommitDate: Mon Mar 25 10:05:25 2019 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=17daafd3 Resolve denial while changing password I'm seeing the following denials reading /proc/sys/crypto/fips_enabled and sending message for logging. This resolves those denials. type=AVC msg=audit(155811.419:470): avc: denied { search } for pid=7739 comm="passwd" name="crypto" dev="proc" ino=2253 scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1 type=AVC msg=audit(155811.419:470): avc: denied { read } for pid=7739 comm="passwd" name="fips_enabled" dev="proc" ino=2254 scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1 type=AVC msg=audit(155811.419:470): avc: denied { open } for pid=7739 comm="passwd" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=2254 scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1 type=AVC msg=audit(155811.419:471): avc: denied { getattr } for pid=7739 comm="passwd" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=2254 scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1 type=AVC msg=audit(155811.431:476): avc: denied { sendto } for pid=7739 comm="passwd" path="/dev/log" scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1 Signed-off-by: Dave Sugar tresys.com> Signed-off-by: Jason Zaman perfinion.com> policy/modules/admin/usermanage.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te index a91c0b7c..0f874b1a 100644 
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -304,6 +304,8 @@ allow passwd_t self:msg { send receive };
 allow passwd_t crack_db_t:dir list_dir_perms;
 read_files_pattern(passwd_t, crack_db_t, crack_db_t)
+kernel_dgram_send(passwd_t)
+kernel_read_crypto_sysctls(passwd_t)
 kernel_read_kernel_sysctls(passwd_t)
 # for SSP
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/
commit: fd2f4ebf4bfebbf0660ea15a84a9e5fd9db217b8 Author: Luis Ressel aixah de> AuthorDate: Tue Oct 23 23:14:28 2018 + Commit: Jason Zaman gentoo org> CommitDate: Sun Nov 18 10:59:17 2018 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=fd2f4ebf Allow portage_sandbox_t to read /proc/sys/vm/overcommit_memory git uses this. Signed-off-by: Jason Zaman perfinion.com> policy/modules/admin/portage.te | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
index 33547b6e..bdf5d412 100644
--- a/policy/modules/admin/portage.te
+++ b/policy/modules/admin/portage.te
@@ -515,6 +515,8 @@ gen_tunable(portage_enable_test, false)
 dev_getattr_xserver_misc_dev(portage_sandbox_t)
+kernel_read_vm_overcommit_sysctl(portage_sandbox_t)
+
 tunable_policy(`portage_enable_test',`
 # lots of tests connect over loopback
 corenet_tcp_bind_all_unreserved_ports(portage_sandbox_t)
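Review bot: The commit message names git as the consumer of /proc/sys/vm/overcommit_memory, but the rule itself carries no comment, unlike the `# lots of tests connect over loopback` note in the block just below it; suggest `# git reads /proc/sys/vm/overcommit_memory` above `kernel_read_vm_overcommit_sysctl(portage_sandbox_t)`. The indented context suggests these rules sit inside an enclosing block whose start and end are outside the hunk.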
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/
commit: 9ef8aea97d654eb4b3659ca1aaa87caae7665d0b Author: Chris PeBenito ieee org> AuthorDate: Sat Oct 13 17:38:18 2018 + Commit: Jason Zaman gentoo org> CommitDate: Sun Nov 11 23:17:31 2018 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9ef8aea9 logrotate: Module version bump. Signed-off-by: Jason Zaman perfinion.com> policy/modules/admin/logrotate.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te index 01e99b12..c43cf4ba 100644 --- a/policy/modules/admin/logrotate.te +++ b/policy/modules/admin/logrotate.te @@ -1,4 +1,4 @@ -policy_module(logrotate, 1.21.0) +policy_module(logrotate, 1.21.1) #
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/
commit: da4fa3729e32c0af8e0cda241986ba0600e584f1 Author: Luis Ressel aixah de> AuthorDate: Fri Oct 12 22:23:04 2018 + Commit: Jason Zaman gentoo org> CommitDate: Sun Nov 11 23:17:31 2018 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=da4fa372 Add fc for /var/lib/misc/logrotate.status Some distros configure logrotate to put its status file somewhere else than the default /var/lib/logrotate.status. Debian puts it in /var/lib/logrotate/, and Gentoo uses /var/lib/misc/. Signed-off-by: Jason Zaman perfinion.com> policy/modules/admin/logrotate.fc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policy/modules/admin/logrotate.fc b/policy/modules/admin/logrotate.fc index dac1af39..cd43ab28 100644 --- a/policy/modules/admin/logrotate.fc +++ b/policy/modules/admin/logrotate.fc @@ -9,4 +9,4 @@ /usr/sbin/logrotate-- gen_context(system_u:object_r:logrotate_exec_t,s0) /var/lib/logrotate(/.*)? gen_context(system_u:object_r:logrotate_var_lib_t,s0) -/var/lib/logrotate\.status -- gen_context(system_u:object_r:logrotate_var_lib_t,s0) +/var/lib/(misc/)?logrotate\.status -- gen_context(system_u:object_r:logrotate_var_lib_t,s0)
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/
commit: da88f8dde868a0fa49d6e786b4296a26ee03d065 Author: Luis Ressel aixah de> AuthorDate: Fri Oct 12 22:23:05 2018 + Commit: Jason Zaman gentoo org> CommitDate: Sun Nov 11 23:17:31 2018 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=da88f8dd Realign logrotate.fc, remove an obvious comment Signed-off-by: Jason Zaman perfinion.com> policy/modules/admin/logrotate.fc | 9 - 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/policy/modules/admin/logrotate.fc b/policy/modules/admin/logrotate.fc index cd43ab28..fd5497f3 100644 --- a/policy/modules/admin/logrotate.fc +++ b/policy/modules/admin/logrotate.fc @@ -1,12 +1,11 @@ /etc/cron\.(daily|weekly)/logrotate-- gen_context(system_u:object_r:logrotate_exec_t,s0) /etc/cron\.(daily|weekly)/sysklogd -- gen_context(system_u:object_r:logrotate_exec_t,s0) -/usr/bin/logrotate -- gen_context(system_u:object_r:logrotate_exec_t,s0) +/usr/bin/logrotate -- gen_context(system_u:object_r:logrotate_exec_t,s0) -# Systemd unit file -/usr/lib/systemd/system/[^/]*logrotate.* -- gen_context(system_u:object_r:logrotate_unit_t,s0) +/usr/lib/systemd/system/[^/]*logrotate.* -- gen_context(system_u:object_r:logrotate_unit_t,s0) -/usr/sbin/logrotate-- gen_context(system_u:object_r:logrotate_exec_t,s0) +/usr/sbin/logrotate-- gen_context(system_u:object_r:logrotate_exec_t,s0) -/var/lib/logrotate(/.*)? gen_context(system_u:object_r:logrotate_var_lib_t,s0) +/var/lib/logrotate(/.*)? gen_context(system_u:object_r:logrotate_var_lib_t,s0) /var/lib/(misc/)?logrotate\.status -- gen_context(system_u:object_r:logrotate_var_lib_t,s0)
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/
commit: 2183738fdf2058f431c6eb7fbdadf9c398eb0eac Author: Jason Zaman perfinion com> AuthorDate: Mon Jul 9 13:04:40 2018 + Commit: Jason Zaman gentoo org> CommitDate: Wed Jul 11 14:42:50 2018 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2183738f portage: allow getattr xserver_misc_device for cuda policy/modules/admin/portage.te | 4 1 file changed, 4 insertions(+) diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te index 4d1a4955..33547b6e 100644 --- a/policy/modules/admin/portage.te +++ b/policy/modules/admin/portage.te @@ -477,6 +477,8 @@ gen_tunable(portage_enable_test, false) auth_use_nsswitch(portage_t) + dev_getattr_xserver_misc_dev(portage_t) + # Support cgroup FEATURES fs_mount_cgroup(portage_t) fs_mounton_cgroup(portage_t) @@ -511,6 +513,8 @@ gen_tunable(portage_enable_test, false) # install-xattr does listxattr() which throws a lot of this dontaudit portage_sandbox_t self:capability sys_admin; + dev_getattr_xserver_misc_dev(portage_sandbox_t) + tunable_policy(`portage_enable_test',` # lots of tests connect over loopback corenet_tcp_bind_all_unreserved_ports(portage_sandbox_t)
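Review bot: Both new `dev_getattr_xserver_misc_dev` rules are uncommented, so the only record that they exist for CUDA builds is the commit title; someone later auditing why portage may stat X server misc devices will not find the reason in the policy. Suggest `# getattr on xserver_misc_device_t nodes (presumably /dev/nvidia*) for CUDA-using ebuilds` above each rule, with the device-path part to be confirmed against the device contexts. The enclosing block around the portage_sandbox_t hunk starts outside the hunk.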
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/, policy/modules/services/, policy/modules/contrib/
commit: 0465c1dcb9656c6dc51c33144b7280369a32c776 Author: Jason Zaman perfinion com> AuthorDate: Sun Jun 24 08:44:51 2018 + Commit: Jason Zaman gentoo org> CommitDate: Sun Jun 24 08:44:51 2018 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0465c1dc move additional .rst files out of contrib policy/modules/{contrib => admin}/aide.rst | 0 policy/modules/{contrib => admin}/portage.rst | 0 policy/modules/{contrib => services}/cron.rst | 0 policy/modules/{contrib => services}/munin.rst | 0 4 files changed, 0 insertions(+), 0 deletions(-) diff --git a/policy/modules/contrib/aide.rst b/policy/modules/admin/aide.rst similarity index 100% rename from policy/modules/contrib/aide.rst rename to policy/modules/admin/aide.rst diff --git a/policy/modules/contrib/portage.rst b/policy/modules/admin/portage.rst similarity index 100% rename from policy/modules/contrib/portage.rst rename to policy/modules/admin/portage.rst diff --git a/policy/modules/contrib/cron.rst b/policy/modules/services/cron.rst similarity index 100% rename from policy/modules/contrib/cron.rst rename to policy/modules/services/cron.rst diff --git a/policy/modules/contrib/munin.rst b/policy/modules/services/munin.rst similarity index 100% rename from policy/modules/contrib/munin.rst rename to policy/modules/services/munin.rst
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/
commit: ab221a14bbcdcf910a655ce840f6f75fbad8a869 Author: Luis Ressel via refpolicy oss tresys com> AuthorDate: Tue Oct 24 23:46:30 2017 + Commit: Jason Zaman gentoo org> CommitDate: Sun Oct 29 12:59:50 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ab221a14 netutils: Grant netutils_t map perms for the packet_socket class This is required for the PACKET_RX_RING feature used by tcpdump. policy/modules/admin/netutils.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te index f0995ef3..0d3fb75d 100644 --- a/policy/modules/admin/netutils.te +++ b/policy/modules/admin/netutils.te @@ -40,7 +40,7 @@ allow netutils_t self:netlink_route_socket create_netlink_socket_perms; allow netutils_t self:netlink_socket create_socket_perms; # For tcpdump. allow netutils_t self:netlink_netfilter_socket create_socket_perms; -allow netutils_t self:packet_socket create_socket_perms; +allow netutils_t self:packet_socket { create_socket_perms map }; allow netutils_t self:udp_socket create_socket_perms; allow netutils_t self:tcp_socket create_stream_socket_perms; allow netutils_t self:socket create_socket_perms;
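Review bot: The `map` permission is added to the packet_socket rule for PACKET_RX_RING, but the only explanatory comment ("For tcpdump.") is two lines up on the netlink_netfilter_socket rule, so the reason for map on packet_socket lives solely in the commit message. Suggest a trailing comment on the changed line: `allow netutils_t self:packet_socket { create_socket_perms map }; # map: PACKET_RX_RING mmap used by tcpdump`. The grant itself is consistent with the existing raw-capture permissions of this domain.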
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/
commit: fe17c9fa110210e65e9eee5122c787048256e667 Author: cgzones googlemail com> AuthorDate: Fri Jun 9 13:30:24 2017 + Commit: Jason Zaman gentoo org> CommitDate: Tue Jun 13 08:02:15 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=fe17c9fa netutils: update v2: - keep files_read_etc_files interfaces policy/modules/admin/netutils.fc | 1 + policy/modules/admin/netutils.te | 15 +++ 2 files changed, 4 insertions(+), 12 deletions(-) diff --git a/policy/modules/admin/netutils.fc b/policy/modules/admin/netutils.fc index 4f77e1cc..54c0793f 100644 --- a/policy/modules/admin/netutils.fc +++ b/policy/modules/admin/netutils.fc @@ -3,6 +3,7 @@ /usr/bin/hping2-- gen_context(system_u:object_r:ping_exec_t,s0) /usr/bin/iptstate -- gen_context(system_u:object_r:netutils_exec_t,s0) /usr/bin/lft -- gen_context(system_u:object_r:traceroute_exec_t,s0) +/usr/bin/mtr -- gen_context(system_u:object_r:traceroute_exec_t,s0) /usr/bin/nmap -- gen_context(system_u:object_r:traceroute_exec_t,s0) /usr/bin/ping.*-- gen_context(system_u:object_r:ping_exec_t,s0) /usr/bin/send_arp -- gen_context(system_u:object_r:ping_exec_t,s0) diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te index 19af9a5d..f881cf8b 100644 --- a/policy/modules/admin/netutils.te +++ b/policy/modules/admin/netutils.te @@ -49,7 +49,6 @@ manage_dirs_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t) manage_files_pattern(netutils_t, netutils_tmp_t, netutils_tmp_t) files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir }) -kernel_search_proc(netutils_t) kernel_read_network_state(netutils_t) kernel_read_all_sysctls(netutils_t) @@ -86,9 +85,7 @@ logging_send_syslog_msg(netutils_t) miscfiles_read_localization(netutils_t) -term_dontaudit_use_console(netutils_t) -userdom_use_user_terminals(netutils_t) -userdom_use_all_users_fds(netutils_t) +userdom_use_inherited_user_terminals(netutils_t) optional_policy(` nis_use_ypbind(netutils_t) 
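Review bot: `/usr/bin/mtr` is labelled traceroute_exec_t, which places it in a domain holding net_admin, net_raw, setgid and setuid (per the capability line shown elsewhere on this page) plus `corenet_tcp_connect_all_ports`, and neither the fc line nor the commit message records why mtr fits traceroute_t rather than the narrower ping_t. Suggest a comment beside the entry, e.g. `# mtr: raw-socket path tracer, same needs as traceroute`, after confirming mtr's actual socket usage. Separately, `term_dontaudit_use_console` and `userdom_use_all_users_fds` are dropped for netutils_t without the message saying why; if the inherited-terminal interface does not cover every fd the dropped rules did, the change will surface as new denials rather than a tightening.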
@@ -127,12 +124,9 @@ corenet_tcp_sendrecv_all_ports(ping_t) dev_read_urand(ping_t) -fs_dontaudit_getattr_xattr_fs(ping_t) - domain_use_interactive_fds(ping_t) files_read_etc_files(ping_t) -files_dontaudit_search_var(ping_t) kernel_read_system_state(ping_t) @@ -142,7 +136,7 @@ logging_send_syslog_msg(ping_t) miscfiles_read_localization(ping_t) -userdom_use_user_terminals(ping_t) +userdom_use_inherited_user_terminals(ping_t) ifdef(`hide_broken_symptoms',` init_dontaudit_use_fds(ping_t) @@ -197,12 +191,9 @@ corenet_tcp_connect_all_ports(traceroute_t) corenet_sendrecv_all_client_packets(traceroute_t) corenet_sendrecv_traceroute_server_packets(traceroute_t) -fs_dontaudit_getattr_xattr_fs(traceroute_t) - domain_use_interactive_fds(traceroute_t) files_read_etc_files(traceroute_t) -files_dontaudit_search_var(traceroute_t) init_use_fds(traceroute_t) @@ -212,7 +203,7 @@ logging_send_syslog_msg(traceroute_t) miscfiles_read_localization(traceroute_t) -userdom_use_user_terminals(traceroute_t) +userdom_use_inherited_user_terminals(traceroute_t) #rules needed for nmap dev_read_rand(traceroute_t)
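Review bot: `fs_dontaudit_getattr_xattr_fs` and `files_dontaudit_search_var` are removed from both ping_t and traceroute_t with no stated reason ("keep files_read_etc_files interfaces" is the message's only note); dontaudit rules grant nothing, so if these accesses still happen — a statfs from libc or a /var search via nsswitch, which cannot be confirmed from here — the outcome is renewed audit noise, not a tighter policy. Suggest either keeping the two dontaudits or adding a line to the commit message stating that the accesses were verified absent. The `userdom_use_inherited_user_terminals` substitution is a genuine narrowing and needs no comment.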
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/, policy/modules/system/, policy/modules/kernel/, ...
commit: 87ec6e61fcc535a8a26b187e0d5d677e535eb320 Author: Chris PeBenito ieee org> AuthorDate: Mon Jun 12 22:48:58 2017 + Commit: Jason Zaman gentoo org> CommitDate: Tue Jun 13 08:02:15 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=87ec6e61 Module version bump for patches from cgzones. policy/modules/admin/netutils.te | 2 +- policy/modules/kernel/corecommands.te | 2 +- policy/modules/roles/sysadm.te| 2 +- policy/modules/system/init.te | 2 +- policy/modules/system/iptables.te | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te index f881cf8b..eef4930a 100644 --- a/policy/modules/admin/netutils.te +++ b/policy/modules/admin/netutils.te @@ -1,4 +1,4 @@ -policy_module(netutils, 1.16.3) +policy_module(netutils, 1.16.4) # diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te index 1ee2a9e3..6c5bb761 100644 --- a/policy/modules/kernel/corecommands.te +++ b/policy/modules/kernel/corecommands.te @@ -1,4 +1,4 @@ -policy_module(corecommands, 1.23.10) +policy_module(corecommands, 1.23.11) # diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te index e28a28bd..7acb7f43 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -1,4 +1,4 @@ -policy_module(sysadm, 2.11.10) +policy_module(sysadm, 2.11.11) # diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index e44dfded..f91cf23d 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -1,4 +1,4 @@ -policy_module(init, 2.2.23) +policy_module(init, 2.2.24) gen_require(` class passwd rootok; diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te index 33cd9343..32c08ec5 100644 --- a/policy/modules/system/iptables.te +++ b/policy/modules/system/iptables.te @@ -1,4 +1,4 @@ -policy_module(iptables, 1.18.5) +policy_module(iptables, 1.18.6) #
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/, policy/modules/system/
commit: f45e0db0dcd22534c2ab32160e56e10795010ebf Author: Chris PeBenito ieee org> AuthorDate: Sun Feb 26 17:08:02 2017 + Commit: Jason Zaman gentoo org> CommitDate: Mon Feb 27 10:38:00 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f45e0db0 auth: Move optional out of auth_use_pam_systemd() to callers. policy/modules/admin/su.if | 5 - policy/modules/system/authlogin.if | 6 ++ policy/modules/system/selinuxutil.te | 5 - 3 files changed, 10 insertions(+), 6 deletions(-) diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if index cd137d59..8e21b217 100644 --- a/policy/modules/admin/su.if +++ b/policy/modules/admin/su.if @@ -190,7 +190,6 @@ template(`su_role_template',` auth_dontaudit_read_shadow($1_su_t) auth_use_nsswitch($1_su_t) auth_rw_faillog($1_su_t) - auth_use_pam_systemd($1_su_t) corecmd_search_bin($1_su_t) @@ -227,6 +226,10 @@ template(`su_role_template',` ') ') + optional_policy(` + auth_use_pam_systemd($1_su_t) + ') + tunable_policy(`allow_polyinstantiation',` fs_mount_xattr_fs($1_su_t) fs_unmount_xattr_fs($1_su_t) diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if index fb92132d..2b70d124 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -100,10 +100,8 @@ interface(`auth_use_pam',` ## # interface(`auth_use_pam_systemd',` - optional_policy(` - dbus_system_bus_client($1) - systemd_dbus_chat_logind($1) - ') + dbus_system_bus_client($1) + systemd_dbus_chat_logind($1) ') diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te index 5f624126..931d8591 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te @@ -283,7 +283,6 @@ auth_use_nsswitch(newrole_t) auth_run_chk_passwd(newrole_t, newrole_roles) auth_run_upd_passwd(newrole_t, newrole_roles) auth_rw_faillog(newrole_t) -auth_use_pam_systemd(newrole_t) # Write to utmp. init_rw_utmp(newrole_t) 
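Review bot: `auth_use_pam_systemd` now calls `dbus_system_bus_client` and `systemd_dbus_chat_logind` unconditionally, so every caller must wrap it in `optional_policy()` or the build fails when the dbus or systemd module is absent, yet the interface's doc block sits just above the hunk and is not updated to say so. Suggest adding to that doc block: `## Callers must wrap this interface in optional_policy(), as it requires the dbus and systemd modules.` The su.if and selinuxutil.te callers are adjusted in this commit; any out-of-tree caller is not and will break silently at build time.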
@@ -313,6 +312,10 @@ ifdef(`init_systemd',` ') optional_policy(` + auth_use_pam_systemd(newrole_t) +') + +optional_policy(` dbus_system_bus_client(newrole_t) optional_policy(`
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/, policy/modules/system/
commit: 0895cfaab9cc3c372810ab7d3b47c12066c74e74 Author: cgzones googlemail com> AuthorDate: Thu Jan 5 11:10:30 2017 + Commit: Jason Zaman gentoo org> CommitDate: Mon Feb 27 10:37:10 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0895cfaa su: some adjustments * systemd fixes * remove unused attribute su_domain_type * remove hide_broken_symptoms sections * dontaudit init_t proc files access * dontaudit net_admin capability due to setsockopt policy/modules/admin/su.if| 20 +--- policy/modules/admin/su.te| 2 -- policy/modules/system/init.if | 20 3 files changed, 25 insertions(+), 17 deletions(-) diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if index 4a434b84..cd137d59 100644 --- a/policy/modules/admin/su.if +++ b/policy/modules/admin/su.if @@ -1,4 +1,4 @@ -## Run shells with substitute user and group +## Run shells with substitute user and group. ### ## @@ -100,11 +100,6 @@ template(`su_restricted_domain_template', ` ') ') - ifdef(`hide_broken_symptoms',` - # dontaudit leaked sockets from parent - dontaudit $1_su_t $2:socket_class_set { read write }; - ') - optional_policy(` cron_read_pipes($1_su_t) ') @@ -148,12 +143,10 @@ template(`su_restricted_domain_template', ` # template(`su_role_template',` gen_require(` - attribute su_domain_type; type su_exec_t; - bool secure_mode; ') - type $1_su_t, su_domain_type; + type $1_su_t; userdom_user_application_domain($1_su_t, su_exec_t) domain_interactive_fd($1_su_t) role $2 types $1_su_t; 
@@ -161,7 +154,7 @@ template(`su_role_template',` allow $3 $1_su_t:process signal; allow $1_su_t self:capability { audit_control audit_write chown dac_override fowner net_bind_service setgid setuid sys_nice sys_resource }; - dontaudit $1_su_t self:capability sys_tty_config; + dontaudit $1_su_t self:capability { net_admin sys_tty_config }; allow $1_su_t self:process { setexec setsched setrlimit }; allow $1_su_t self:fifo_file rw_fifo_file_perms; allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms }; @@ -197,6 +190,7 @@ template(`su_role_template',` auth_dontaudit_read_shadow($1_su_t) auth_use_nsswitch($1_su_t) auth_rw_faillog($1_su_t) + auth_use_pam_systemd($1_su_t) corecmd_search_bin($1_su_t) @@ -208,6 +202,7 @@ template(`su_role_template',` files_dontaudit_getattr_tmp_dirs($1_su_t) init_dontaudit_use_fds($1_su_t) + init_dontaudit_read_state($1_su_t) # Write to utmp. init_rw_utmp($1_su_t) @@ -232,11 +227,6 @@ template(`su_role_template',` ') ') - ifdef(`hide_broken_symptoms',` - # dontaudit leaked sockets from parent - dontaudit $1_su_t $3:socket_class_set { read write }; - ') - tunable_policy(`allow_polyinstantiation',` fs_mount_xattr_fs($1_su_t) fs_unmount_xattr_fs($1_su_t) diff --git a/policy/modules/admin/su.te b/policy/modules/admin/su.te index e5537697..1264d7a6 100644 --- a/policy/modules/admin/su.te +++ b/policy/modules/admin/su.te @@ -5,7 +5,5 @@ policy_module(su, 1.14.1) # Declarations # -attribute su_domain_type; - type su_exec_t; corecmd_executable_file(su_exec_t) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if index 6de0a2d7..6a067ab2 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if 
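Review bot: `auth_use_pam_systemd($1_su_t)` is added to su_role_template outside any `optional_policy()`, so whether a policy built without the dbus or systemd modules still compiles depends entirely on the interface body in authlogin.if wrapping its calls; that is an implementation detail of another file that a later change could remove. Suggest wrapping the call here: `optional_policy(\`` / `auth_use_pam_systemd($1_su_t)` / `')`. The `dontaudit $1_su_t self:capability { net_admin sys_tty_config };` line also gains net_admin with no comment; the commit message attributes it to setsockopt, so `# net_admin: setsockopt() probe, not needed` on that line keeps the reason next to the rule.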
@@ -1695,6 +1695,26 @@ interface(`init_read_state',` ## +## Dontaudit read the process state (/proc/pid) of init. +## +## +## +## Domain to not audit. +## +## +# +interface(`init_dontaudit_read_state',` + gen_require(` + type init_t; + ') + + dontaudit $1 init_t:dir search_dir_perms; + dontaudit $1 init_t:file read_file_perms; + dontaudit $1 init_t:lnk_file read_lnk_file_perms; +') + + +## ## Ptrace init ## ##
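Review bot: The new `init_dontaudit_read_state` interface is followed by two blank lines before the `## Ptrace init` doc block, which is inconsistent with the single blank line separating the other interfaces in this file; drop one of the added blank lines. The rule trio (dir search, file read, lnk_file read on init_t) reads as the dontaudit mirror of `init_read_state`, but that interface's body is outside the hunk, so whether the two stay in step cannot be confirmed here; a one-line comment `# mirrors init_read_state()` would make the intended pairing explicit.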
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/
commit: 26534d6388eb4e76eb8dc7c4f35b7d2a80cb45a6 Author: Chris PeBenito ieee org> AuthorDate: Sat Feb 11 19:26:48 2017 + Commit: Jason Zaman gentoo org> CommitDate: Fri Feb 17 08:13:37 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=26534d63 Revert "bootloader: stricter permissions and more tailored file contexts" This reverts commit b0c13980d224c49207315154905eb7fcb90f289d. policy/modules/admin/bootloader.fc | 6 -- policy/modules/admin/bootloader.te | 17 - 2 files changed, 4 insertions(+), 19 deletions(-) diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc index d3925950..cdd6d3dd 100644 --- a/policy/modules/admin/bootloader.fc +++ b/policy/modules/admin/bootloader.fc @@ -1,12 +1,6 @@ -/boot/grub.* -d gen_context(system_u:object_r:bootloader_run_t,s0) -/boot/grub.*/.* gen_context(system_u:object_r:bootloader_run_t,s0) - -/boot/grub.*/grub.cfg -- gen_context(system_u:object_r:bootloader_etc_t,s0) -/boot/grub.*/grub.conf -- gen_context(system_u:object_r:bootloader_etc_t,s0) /etc/lilo\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0) /etc/yaboot\.conf.*-- gen_context(system_u:object_r:bootloader_etc_t,s0) -/etc/grub.d(/.*)? -- gen_context(system_u:object_r:bootloader_etc_t,s0) /usr/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0) /usr/sbin/grub2?-bios-setup-- gen_context(system_u:object_r:bootloader_exec_t,s0) diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te index fd9df5c8..bd69d431 100644 --- a/policy/modules/admin/bootloader.te +++ b/policy/modules/admin/bootloader.te @@ -22,13 +22,6 @@ application_domain(bootloader_t, bootloader_exec_t) role bootloader_roles types bootloader_t; # -# bootloader_run_t are image and other runtime -# files -# -type bootloader_run_t alias run_bootloader_t; -files_type(bootloader_run_t) - -# # bootloader_etc_t is the configuration file, # grub.conf, lilo.conf, etc. # 
@@ -52,7 +45,7 @@ allow bootloader_t self:capability { dac_override dac_read_search fsetid sys_raw allow bootloader_t self:process { signal_perms execmem }; allow bootloader_t self:fifo_file rw_fifo_file_perms; -allow bootloader_t bootloader_etc_t:file exec_file_perms; +allow bootloader_t bootloader_etc_t:file read_file_perms; # uncomment the following lines if you use "lilo -p" #allow bootloader_t bootloader_etc_t:file manage_file_perms; #files_etc_filetrans(bootloader_t,bootloader_etc_t,file) @@ -66,11 +59,6 @@ files_tmp_filetrans(bootloader_t, bootloader_tmp_t, { dir file lnk_file chr_file # for tune2fs (cjp: ?) files_root_filetrans(bootloader_t, bootloader_tmp_t, file) -manage_dirs_pattern(bootloader_t, bootloader_run_t, bootloader_run_t) -manage_files_pattern(bootloader_t, bootloader_run_t, bootloader_run_t) -manage_lnk_files_pattern(bootloader_t, bootloader_run_t, bootloader_run_t) -files_boot_filetrans(bootloader_t, bootloader_run_t, { dir file lnk_file }) - kernel_getattr_core_if(bootloader_t) kernel_read_network_state(bootloader_t) kernel_read_system_state(bootloader_t) @@ -108,7 +96,10 @@ corecmd_exec_all_executables(bootloader_t) domain_use_interactive_fds(bootloader_t) files_create_boot_dirs(bootloader_t) +files_manage_boot_files(bootloader_t) +files_manage_boot_symlinks(bootloader_t) files_read_etc_files(bootloader_t) +files_exec_etc_files(bootloader_t) files_read_usr_src_files(bootloader_t) files_read_usr_files(bootloader_t) files_read_var_files(bootloader_t)
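Review bot: The revert restores `files_exec_etc_files(bootloader_t)`, `files_manage_boot_files` and `files_manage_boot_symlinks` without any comment marking them as a known over-grant, although the reverted commit's message (elsewhere on this page) states that the domain only needs to execute the /etc/grub.d scripts for grub2-mkconfig and to manage its own runtime files, not every etc_t file and all of /boot including kernel images. Suggest `# TODO: over-broad; grub2-mkconfig needs /etc/grub.d and /boot/grub only (see reverted b0c13980)` above the restored lines so the intended reduction is not lost. The commit message gives no reason for the revert; the grub.cfg rename denial recorded in another commit on this page is the likely cause and is worth citing.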
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/, policy/modules/roles/, policy/modules/kernel/, ...
commit: b8090bfeb7461011bfbbfc43d47caab6fc863d3d Author: Chris PeBenito ieee org> AuthorDate: Wed Feb 15 23:47:33 2017 + Commit: Jason Zaman gentoo org> CommitDate: Fri Feb 17 08:13:38 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b8090bfe Sort capabilities permissions from Russell Coker. policy/modules/admin/bootloader.te| 2 +- policy/modules/admin/netutils.te | 6 +++--- policy/modules/admin/su.if| 4 ++-- policy/modules/admin/sudo.if | 2 +- policy/modules/admin/usermanage.te| 10 +- policy/modules/apps/seunshare.te | 2 +- policy/modules/kernel/files.if| 2 +- policy/modules/roles/auditadm.te | 2 +- policy/modules/roles/logadm.te| 2 +- policy/modules/roles/secadm.te| 2 +- policy/modules/services/postgresql.te | 4 ++-- policy/modules/services/ssh.if| 4 ++-- policy/modules/services/ssh.te| 2 +- policy/modules/services/xserver.te| 4 ++-- policy/modules/system/fstools.te | 2 +- policy/modules/system/getty.te| 2 +- policy/modules/system/hotplug.te | 4 ++-- policy/modules/system/ipsec.te| 4 ++-- policy/modules/system/iptables.te | 2 +- policy/modules/system/locallogin.te | 2 +- policy/modules/system/logging.if | 2 +- policy/modules/system/logging.te | 10 +- policy/modules/system/lvm.te | 4 ++-- policy/modules/system/mount.te| 2 +- policy/modules/system/selinuxutil.te | 4 ++-- policy/modules/system/sysnetwork.te | 6 +++--- policy/modules/system/systemd.te | 4 ++-- policy/modules/system/udev.te | 2 +- policy/modules/system/userdomain.if | 8 29 files changed, 53 insertions(+), 53 deletions(-) diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te index 8ed70327..8b7c18cd 100644 --- a/policy/modules/admin/bootloader.te +++ b/policy/modules/admin/bootloader.te 
@@ -41,7 +41,7 @@ dev_node(bootloader_tmp_t) # bootloader local policy # -allow bootloader_t self:capability { dac_override dac_read_search fsetid sys_rawio sys_admin mknod chown }; +allow bootloader_t self:capability { chown dac_override dac_read_search fsetid mknod sys_admin sys_rawio }; allow bootloader_t self:process { signal_perms execmem }; allow bootloader_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te index 9eabff3a..744a2aa3 100644 --- a/policy/modules/admin/netutils.te +++ b/policy/modules/admin/netutils.te @@ -33,7 +33,7 @@ init_system_domain(traceroute_t, traceroute_exec_t) # # Perform network administration operations and have raw access to the network. -allow netutils_t self:capability { dac_read_search net_admin net_raw setuid setgid sys_chroot }; +allow netutils_t self:capability { dac_read_search net_admin net_raw setgid setuid sys_chroot }; dontaudit netutils_t self:capability { dac_override sys_tty_config }; allow netutils_t self:process { setcap signal_perms }; allow netutils_t self:netlink_route_socket create_netlink_socket_perms; @@ -107,7 +107,7 @@ optional_policy(` # Ping local policy # -allow ping_t self:capability { setuid net_raw }; +allow ping_t self:capability { net_raw setuid }; # When ping is installed with capabilities instead of setuid allow ping_t self:process { getcap setcap }; dontaudit ping_t self:capability sys_tty_config; @@ -168,7 +168,7 @@ optional_policy(` # Traceroute local policy # -allow traceroute_t self:capability { net_admin net_raw setuid setgid }; +allow traceroute_t self:capability { net_admin net_raw setgid setuid }; allow traceroute_t self:rawip_socket create_socket_perms; allow traceroute_t self:packet_socket create_socket_perms; allow traceroute_t self:udp_socket create_socket_perms; diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if index 02aabd81..4a434b84 100644 --- a/policy/modules/admin/su.if 
+++ b/policy/modules/admin/su.if @@ -41,7 +41,7 @@ template(`su_restricted_domain_template', ` allow $2 $1_su_t:process signal; - allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource }; + allow $1_su_t self:capability { audit_control audit_write chown dac_override fowner net_bind_service setgid setuid sys_nice sys_resource }; dontaudit $1_su_t self:capability sys_tty_config; allow $1_su_t self:key { search write }; allow $1_su_t self:process { setexec setsched setrlimit }; @@ -160,7 +160,7 @@ template(`su_role_template',` allow $3 $1_su_t:process signal; - allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource }; + allow $1_su_t self:capability { audit_control audit_write chown dac_override fowner net_bind_service
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/, policy/modules/kernel/
commit: b3a86dde9757f48af1abc124e9b000f47dbf0cfd Author: Chris PeBenito ieee org> AuthorDate: Sat Feb 11 19:51:21 2017 + Commit: Jason Zaman gentoo org> CommitDate: Fri Feb 17 08:13:37 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b3a86dde Module version bump for bootloader patch revert. Plus compat alias. policy/modules/admin/bootloader.te | 2 +- policy/modules/kernel/files.te | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te index bd69d431..8ed70327 100644 --- a/policy/modules/admin/bootloader.te +++ b/policy/modules/admin/bootloader.te @@ -1,4 +1,4 @@ -policy_module(bootloader, 1.17.1) +policy_module(bootloader, 1.17.2) # diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te index 2d8fa232..625768e2 100644 --- a/policy/modules/kernel/files.te +++ b/policy/modules/kernel/files.te @@ -1,4 +1,4 @@ -policy_module(files, 1.23.1) +policy_module(files, 1.23.2) # @@ -48,6 +48,8 @@ attribute usercanread; # type boot_t; files_mountpoint(boot_t) +# compatibility aliases for removed types: +typealias boot_t alias bootloader_run_t; # default_t is the default type for files that do not # match any specification in the file_contexts configuration
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/
commit: 6071ad267042af00ae73aa58d7c07d5e78a3e0b3 Author: Jason Zaman perfinion com> AuthorDate: Sun Feb 5 07:42:30 2017 + Commit: Jason Zaman gentoo org> CommitDate: Sun Feb 5 08:45:23 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6071ad26 bootloader: grub needs to manage grub.cfg commit b0c13980d224c49207315154905eb7fcb90f289d broke grub-mkconfig which needs to be able to update the grub.cfg file. Remove the fcontext for grub.cfg so it can update the file. $ grub-mkconfig -o /boot/grub/grub.cfg Generating grub configuration file ... mv: cannot move '/boot/grub/grub.cfg.new' to '/boot/grub/grub.cfg': Permission denied type=AVC msg=audit(1486273313.557:26703): avc: denied { unlink } for pid=10757 comm="mv" name="grub.cfg" dev="md1" ino=10070 scontext=staff_u:sysadm_r:bootloader_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bootloader_etc_t:s0 tclass=file permissive=0 type=SYSCALL msg=audit(1486273313.557:26703): arch=c03e syscall=82 success=no exit=-13 a0=3a93725fbef a1=3a93725fc07 a2=0 a3=2 items=4 ppid=9489 pid=10757 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=4 comm="mv" exe="/bin/mv" subj=staff_u:sysadm_r:bootloader_t:s0-s0:c0.c1023 key=(null) type=CWD msg=audit(1486273313.557:26703): cwd="/root" type=PATH msg=audit(1486273313.557:26703): item=0 name="/boot/grub/" inode=10041 dev=09:01 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:bootloader_run_t:s0 nametype=PARENT type=PATH msg=audit(1486273313.557:26703): item=1 name="/boot/grub/" inode=10041 dev=09:01 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:bootloader_run_t:s0 nametype=PARENT type=PATH msg=audit(1486273313.557:26703): item=2 name="/boot/grub/grub.cfg.new" inode=10072 dev=09:01 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=staff_u:object_r:bootloader_run_t:s0 nametype=DELETE type=PATH msg=audit(1486273313.557:26703): item=3 name="/boot/grub/grub.cfg" inode=10070 dev=09:01 mode=0100600 ouid=0 ogid=0 rdev=00:00 
obj=system_u:object_r:bootloader_etc_t:s0 nametype=DELETE policy/modules/admin/bootloader.fc | 3 --- 1 file changed, 3 deletions(-) diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc index c43c428..d62e8e3 100644 --- a/policy/modules/admin/bootloader.fc +++ b/policy/modules/admin/bootloader.fc @@ -1,9 +1,6 @@ /boot/grub.* -d gen_context(system_u:object_r:bootloader_run_t,s0) /boot/grub.*/.* gen_context(system_u:object_r:bootloader_run_t,s0) -/boot/grub.*/grub.cfg -- gen_context(system_u:object_r:bootloader_etc_t,s0) -/boot/grub.*/grub.conf -- gen_context(system_u:object_r:bootloader_etc_t,s0) - /etc/lilo\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0) /etc/yaboot\.conf.*-- gen_context(system_u:object_r:bootloader_etc_t,s0) /etc/grub.d(/.*)? -- gen_context(system_u:object_r:bootloader_etc_t,s0)
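Review bot: Dropping the grub.cfg/grub.conf entries fixes the `mv` denial but also removes the distinction between the generated config and the rest of bootloader_run_t; the PATH record in the message shows grub.cfg.new created as `staff_u:object_r:bootloader_run_t`, and a same-filesystem rename keeps that label, so even with the entries kept and `unlink` granted the result would be mislabelled until the next restorecon. If the config is worth its own type, the alternative is `manage_files_pattern(bootloader_t, bootloader_etc_t, bootloader_etc_t)` plus a `filetrans_pattern` for the `.new` file in /boot/grub so the rename carries bootloader_etc_t from the start. Otherwise a short comment in the fc file saying that grub.cfg deliberately shares bootloader_run_t would stop the next contributor from re-adding the entries.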
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/
commit: 7c30c8834c281dc9a151d1d11f68aac9d86067b1 Author: Guido Trentalancia trentalancia net> AuthorDate: Fri Dec 23 00:22:39 2016 + Commit: Jason Zaman gentoo org> CommitDate: Sun Jan 1 16:26:28 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7c30c883 bootloader: stricter permissions and more tailored file contexts Update the bootloader module so that it can manage only its own runtime files and not all boot_t files (which include, for example, the common locations for kernel images and initramfs archives) and so that it can execute only its own etc files (needed by grub2-mkconfig) and not all etc_t files which is more dangerous. Signed-off-by: Guido Trentalancia trentalancia.net> policy/modules/admin/bootloader.fc | 6 ++ policy/modules/admin/bootloader.te | 17 + 2 files changed, 19 insertions(+), 4 deletions(-) diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc index d908d56..5b67c16 100644 --- a/policy/modules/admin/bootloader.fc +++ b/policy/modules/admin/bootloader.fc @@ -1,6 +1,12 @@ +/boot/grub.* -d gen_context(system_u:object_r:bootloader_run_t,s0) +/boot/grub.*/.* gen_context(system_u:object_r:bootloader_run_t,s0) + +/boot/grub.*/grub.cfg -- gen_context(system_u:object_r:bootloader_etc_t,s0) +/boot/grub.*/grub.conf -- gen_context(system_u:object_r:bootloader_etc_t,s0) /etc/lilo\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0) /etc/yaboot\.conf.*-- gen_context(system_u:object_r:bootloader_etc_t,s0) +/etc/grub.d(/.*)? -- gen_context(system_u:object_r:bootloader_etc_t,s0) /sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0) /sbin/lilo.* -- gen_context(system_u:object_r:bootloader_exec_t,s0) diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te index fcaa6d4..e3f2a72 100644 --- a/policy/modules/admin/bootloader.te +++ b/policy/modules/admin/bootloader.te 
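Review bot: The new `/boot/grub.*/grub.cfg` and `/boot/grub.*/grub.conf` entries use an unescaped `.` before the extension, unlike `/etc/lilo\.conf.*` and `/etc/yaboot\.conf.*` in the same file; write `grub\.cfg` and `grub\.conf` (and `grub\.d` in the /etc entry) so the pattern matches only the literal name. Also, `/etc/grub.d(/.*)? --` with the `--` qualifier labels only regular files, leaving the `/etc/grub.d` directory itself as etc_t; that is probably intended since the domain only needs to execute the scripts, but a comment stating it is deliberate would prevent it being "fixed" later.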
@@ -22,6 +22,13 @@ application_domain(bootloader_t, bootloader_exec_t) role bootloader_roles types bootloader_t; # +# bootloader_run_t are image and other runtime +# files +# +type bootloader_run_t alias run_bootloader_t; +files_type(bootloader_run_t) + +# # bootloader_etc_t is the configuration file, # grub.conf, lilo.conf, etc. # @@ -45,7 +52,7 @@ allow bootloader_t self:capability { dac_override dac_read_search fsetid sys_raw allow bootloader_t self:process { signal_perms execmem }; allow bootloader_t self:fifo_file rw_fifo_file_perms; -allow bootloader_t bootloader_etc_t:file read_file_perms; +allow bootloader_t bootloader_etc_t:file exec_file_perms; # uncomment the following lines if you use "lilo -p" #allow bootloader_t bootloader_etc_t:file manage_file_perms; #files_etc_filetrans(bootloader_t,bootloader_etc_t,file) @@ -59,6 +66,11 @@ files_tmp_filetrans(bootloader_t, bootloader_tmp_t, { dir file lnk_file chr_file # for tune2fs (cjp: ?) files_root_filetrans(bootloader_t, bootloader_tmp_t, file) +manage_dirs_pattern(bootloader_t, bootloader_run_t, bootloader_run_t) +manage_files_pattern(bootloader_t, bootloader_run_t, bootloader_run_t) +manage_lnk_files_pattern(bootloader_t, bootloader_run_t, bootloader_run_t) +files_boot_filetrans(bootloader_t, bootloader_run_t, { dir file lnk_file }) + kernel_getattr_core_if(bootloader_t) kernel_read_network_state(bootloader_t) kernel_read_system_state(bootloader_t) @@ -96,10 +108,7 @@ corecmd_exec_all_executables(bootloader_t) domain_use_interactive_fds(bootloader_t) files_create_boot_dirs(bootloader_t) -files_manage_boot_files(bootloader_t) -files_manage_boot_symlinks(bootloader_t) files_read_etc_files(bootloader_t) -files_exec_etc_files(bootloader_t) files_read_usr_src_files(bootloader_t) files_read_usr_files(bootloader_t) files_read_var_files(bootloader_t)
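Review bot: In the second hunk, `allow bootloader_t bootloader_etc_t:file exec_file_perms;` turns read access into execute access on the whole type, while the .fc part of this commit gives that same type to the generated `/boot/grub.*/grub.cfg`, `grub.conf`, `lilo.conf` and the `/etc/grub.d` snippets, so the configuration the tool reads becomes executable by the domain together with the scripts it runs. Declaring a separate type for the `/etc/grub.d` scripts (in the style of the `bootloader_run_t` declaration in the first hunk, e.g. a constructed `bootloader_script_t`) and keeping `bootloader_etc_t` at `read_file_perms` would preserve the least-privilege intent the commit message states. In the third hunk, `files_boot_filetrans(bootloader_t, bootloader_run_t, { dir file lnk_file })` has no filename argument, so anything bootloader_t creates directly under /boot is typed bootloader_run_t, yet only `/boot/grub.*` receives that type in the new .fc; any other path the supported bootloaders write into /boot (lilo's map file, if still used) would flip back on relabel — confirm against what the tools actually create. All four hunks sit inside larger rule blocks whose start and end are outside the hunk.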
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/
commit: dc478cb2c42a8b5d120203a1aa1157873a131cb3 Author: Chris PeBenito tresys com> AuthorDate: Fri Mar 25 14:24:59 2016 + Commit: Jason Zaman gentoo org> CommitDate: Fri May 13 05:07:33 2016 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=dc478cb2 Update su for libselinux-2.5 changes. su is linked against libselinux via pam_unix.so. Use the selinuxutil interface so future libselinux changes are pulled in. policy/modules/admin/su.if | 3 +++ policy/modules/admin/su.te | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if index a069cb8..02aabd8 100644 --- a/policy/modules/admin/su.if +++ b/policy/modules/admin/su.if @@ -217,6 +217,9 @@ template(`su_role_template',` miscfiles_read_localization($1_su_t) + # pam_unix is linked against libselinux + seutil_libselinux_linked($1_su_t) + userdom_use_user_terminals($1_su_t) userdom_search_user_home_dirs($1_su_t) diff --git a/policy/modules/admin/su.te b/policy/modules/admin/su.te index 85bb77e..d936e3b 100644 --- a/policy/modules/admin/su.te +++ b/policy/modules/admin/su.te @@ -1,4 +1,4 @@ -policy_module(su, 1.12.0) +policy_module(su, 1.12.1) #
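Review bot: `seutil_libselinux_linked($1_su_t)` is added to su_role_template only; su_restricted_domain_template in the same file (the template touched by commit 770ab52d further down this page) also produces `$1_su_t` domains and, if those run pam_unix as well, presumably needs the same call — confirm before the version bump. If the interface covers the netlink_selinux_socket access, the Gentoo-specific `allow $1_su_t self:netlink_selinux_socket { create bind read };` in that template could then be retired in favour of it, keeping one source of truth for libselinux requirements as the commit message intends. The template body continues outside the hunk.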
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/, policy/modules/services/, policy/modules/system/, ...
commit: 6aedb1c71685c30a248572bd798bff287f911347 Author: Chris PeBenito tresys com> AuthorDate: Tue Dec 8 14:53:02 2015 + Commit: Jason Zaman gentoo org> CommitDate: Thu Dec 17 15:25:22 2015 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6aedb1c7 Bump module versions for release. policy/modules/admin/netutils.te | 2 +- policy/modules/kernel/corecommands.te | 2 +- policy/modules/kernel/devices.te | 2 +- policy/modules/kernel/domain.te | 2 +- policy/modules/kernel/files.te| 2 +- policy/modules/kernel/filesystem.te | 2 +- policy/modules/kernel/kernel.te | 2 +- policy/modules/kernel/selinux.te | 2 +- policy/modules/kernel/terminal.te | 2 +- policy/modules/roles/sysadm.te| 2 +- policy/modules/services/postgresql.te | 2 +- policy/modules/services/ssh.te| 2 +- policy/modules/system/authlogin.te| 2 +- policy/modules/system/fstools.te | 2 +- policy/modules/system/ipsec.te| 2 +- policy/modules/system/iptables.te | 2 +- policy/modules/system/locallogin.te | 2 +- policy/modules/system/logging.te | 2 +- policy/modules/system/lvm.te | 2 +- policy/modules/system/modutils.te | 2 +- policy/modules/system/netlabel.te | 2 +- policy/modules/system/selinuxutil.te | 2 +- policy/modules/system/setrans.te | 2 +- policy/modules/system/sysnetwork.te | 2 +- policy/modules/system/systemd.te | 2 +- policy/modules/system/udev.te | 2 +- 26 files changed, 26 insertions(+), 26 deletions(-) diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te index 407685f..6f3c0ce 100644 --- a/policy/modules/admin/netutils.te +++ b/policy/modules/admin/netutils.te @@ -1,4 +1,4 @@ -policy_module(netutils, 1.14.1) +policy_module(netutils, 1.15.0) # diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te index faa15bf..89fbb84 100644 --- a/policy/modules/kernel/corecommands.te +++ b/policy/modules/kernel/corecommands.te @@ -1,4 +1,4 @@ -policy_module(corecommands, 1.20.2) +policy_module(corecommands, 1.21.0) # 
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te index f9733a3..ed045d9 100644 --- a/policy/modules/kernel/devices.te +++ b/policy/modules/kernel/devices.te @@ -1,4 +1,4 @@ -policy_module(devices, 1.17.2) +policy_module(devices, 1.18.0) # diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te index b6f46d9..dfcf4a7 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -1,4 +1,4 @@ -policy_module(domain, 1.12.1) +policy_module(domain, 1.13.0) # diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te index 90c1209..7a0e0f2 100644 --- a/policy/modules/kernel/files.te +++ b/policy/modules/kernel/files.te @@ -1,4 +1,4 @@ -policy_module(files, 1.20.1) +policy_module(files, 1.21.0) # diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te index 412fe81..d8c5271 100644 --- a/policy/modules/kernel/filesystem.te +++ b/policy/modules/kernel/filesystem.te @@ -1,4 +1,4 @@ -policy_module(filesystem, 1.19.2) +policy_module(filesystem, 1.20.0) # diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te index bcc57b3..0de538c 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -1,4 +1,4 @@ -policy_module(kernel, 1.19.2) +policy_module(kernel, 1.20.0) # diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te index 6e9315d..1efa6bb 100644 --- a/policy/modules/kernel/selinux.te +++ b/policy/modules/kernel/selinux.te @@ -1,4 +1,4 @@ -policy_module(selinux, 1.14.1) +policy_module(selinux, 1.15.0) # diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te index e2f8a7d..01e1516 100644 --- a/policy/modules/kernel/terminal.te +++ b/policy/modules/kernel/terminal.te @@ -1,4 +1,4 @@ -policy_module(terminal, 1.13.1) +policy_module(terminal, 1.14.0) # 
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te index bf4ab0d..865b3c2 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -1,4 +1,4 @@ -policy_module(sysadm, 2.8.4) +policy_module(sysadm, 2.9.0) # diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te index 82acf89..627983d 100644 --- a/policy/modules/services/postgresql.te +++ b/policy/modules/services/postgresql.te @@
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/
commit: 770ab52d286978f77fc9ebc650cbf0a8f04663ce Author: Sven Vermeulen sven.vermeulen AT siphos DOT be AuthorDate: Wed Jul 15 13:44:53 2015 + Commit: Sven Vermeulen swift AT gentoo DOT org CommitDate: Wed Jul 15 13:44:53 2015 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=770ab52d Fix avc_context_to_raw assertion in su domains (bug #554080) Earlier investigations on the same matter [1] did not result in a good fix (it seemed that the permissions were needed for the wrong reasons, but would most likely require a fix in either the application that is SELinux-aware or in how the permissions are handled), and it does not look like we will see a proper solution in the near future. [1] http://oss.tresys.com/pipermail/refpolicy/2014-April/007058.html So allow the permissions (without write / send/recv_msg) to allow su domains to go forward. X-Gentoo-Bug: 554080 X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=554080 policy/modules/admin/su.if | 2 ++ 1 file changed, 2 insertions(+) diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if index aea8a4f..a069cb8 100644 --- a/policy/modules/admin/su.if +++ b/policy/modules/admin/su.if @@ -119,6 +119,8 @@ template(`su_restricted_domain_template', ` ') ifdef(`distro_gentoo',` + # Fix bug 554080 - Allow su to query SELinux subsystem (netlink_selinux_socket) + allow $1_su_t self:netlink_selinux_socket { create bind read }; selinux_get_fs_mount($1_su_t) ') ')
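Review bot: The new rule records the bug number but not the upstream discussion the commit message relies on, while the parallel workaround in usermanage.te (commit 364faaa7 on this page) carries `# Upstream: http://oss.tresys.com/pipermail/refpolicy/2014-April/007058.html` directly under its bug comment; adding the same line under `# Fix bug 554080 ...` keeps both netlink_selinux_socket workarounds traceable to one thread. The permission set `{ create bind read }` is wider than the `{ create bind }` granted to groupadd_t/useradd_t for the same socket class, and the commit message only says what was left out, so a short comment on why `read` is required here would spare the next reviewer from redoing the audit-log analysis. The bug comment also uses `Fix bug 554080` where the usermanage.te rules use `fix bug #499036`; one format makes grepping easier. The template body continues outside the hunk.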
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/, policy/modules/system/
commit: 10c63ed8138317cf7a362ca1102290d37ad6def7 Author: Chris PeBenito cpebenito AT tresys DOT com AuthorDate: Fri May 22 12:38:53 2015 + Commit: Jason Zaman perfinion AT gentoo DOT org CommitDate: Fri May 22 19:16:43 2015 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=10c63ed8 Module version bump for updated netlink sockets from Stephen Smalley policy/modules/admin/netutils.te| 2 +- policy/modules/system/iptables.te | 2 +- policy/modules/system/netlabel.te | 2 +- policy/modules/system/sysnetwork.te | 2 +- policy/modules/system/udev.te | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te index 1c64781..b8169a8 100644 --- a/policy/modules/admin/netutils.te +++ b/policy/modules/admin/netutils.te @@ -1,4 +1,4 @@ -policy_module(netutils, 1.14.0) +policy_module(netutils, 1.14.1) # diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te index 1ad1046..fc97f63 100644 --- a/policy/modules/system/iptables.te +++ b/policy/modules/system/iptables.te @@ -1,4 +1,4 @@ -policy_module(iptables, 1.15.0) +policy_module(iptables, 1.15.1) # diff --git a/policy/modules/system/netlabel.te b/policy/modules/system/netlabel.te index f6d14b1..b396893 100644 --- a/policy/modules/system/netlabel.te +++ b/policy/modules/system/netlabel.te @@ -1,4 +1,4 @@ -policy_module(netlabel, 1.3.0) +policy_module(netlabel, 1.3.1) # diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te index b922597..7a7b479 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te @@ -1,4 +1,4 @@ -policy_module(sysnetwork, 1.17.1) +policy_module(sysnetwork, 1.17.2) # diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te index e7c7f9f..a9a2296 100644 --- a/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te @@ -1,4 +1,4 @@ -policy_module(udev, 1.18.0) +policy_module(udev, 1.18.1) #
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/
commit: 6021047ffb0b923335185c9a879a7ebb994acedb Author: Sven Vermeulen sven.vermeulen AT siphos DOT be AuthorDate: Sun Jan 25 14:03:05 2015 + Commit: Sven Vermeulen swift AT gentoo DOT org CommitDate: Sun Jan 25 14:03:05 2015 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=6021047f Fix bug #537652 - Allow grub2-mkconfig to be executed from the user home dir (default location when executing commands for a user) --- policy/modules/admin/bootloader.te | 5 + 1 file changed, 5 insertions(+)
diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
index 197791f..fcaa6d4 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -208,3 +208,8 @@ optional_policy(`
 optional_policy(`
 rpm_rw_pipes(bootloader_t)
 ')
+
+ifdef(`distro_gentoo',`
+ # Fix bug #537652 - grub2-mkconfig has search rights needed on current dir (usually user home dir)
+ userdom_search_user_home_dirs(bootloader_t)
+')
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/
commit: 4d16571c5e3d0449b38cdd8619db04e93526fcf9 Author: Sven Vermeulen sven.vermeulen AT siphos DOT be AuthorDate: Thu Nov 27 22:22:02 2014 + Commit: Sven Vermeulen swift AT gentoo DOT org CommitDate: Thu Nov 27 22:22:02 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=4d16571c Missing quote --- policy/modules/admin/dmesg.if | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/admin/dmesg.if b/policy/modules/admin/dmesg.if
index 1b6e1b2..6271b3c 100644
--- a/policy/modules/admin/dmesg.if
+++ b/policy/modules/admin/dmesg.if
@@ -58,7 +58,7 @@ interface(`dmesg_exec',`
 ## /param
 ## rolecap/
 #
-interface(`dmesg_run,`
+interface(`dmesg_run',`
 gen_require(`
 type dmesg_t;
 ')
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/
commit: 364faaa731277dee24837e0781cb3cc520f36406 Author: Sven Vermeulen sven.vermeulen AT siphos DOT be AuthorDate: Sat Nov 22 17:28:47 2014 + Commit: Sven Vermeulen swift AT gentoo DOT org CommitDate: Sat Nov 22 17:28:47 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=364faaa7 Add upstream feedback when sent but needs some work --- policy/modules/admin/usermanage.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te index 4855693..e11f53a 100644 --- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te @@ -571,11 +571,13 @@ ifdef(`distro_gentoo',` # groupadd_t # fix bug #499036 + # Upstream: http://oss.tresys.com/pipermail/refpolicy/2014-April/007058.html allow groupadd_t self:netlink_selinux_socket { create bind }; # useradd_t # fix bug #499036 + # Upstream: http://oss.tresys.com/pipermail/refpolicy/2014-April/007058.html allow useradd_t self:netlink_selinux_socket { create bind }; ')
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/
commit: 282116096675c76b306401b6dd93ee63e22e5931 Author: Laurent Bigonville bigon AT bigon DOT be AuthorDate: Fri Oct 3 12:29:05 2014 + Commit: Sven Vermeulen swift AT gentoo DOT org CommitDate: Sun Oct 12 08:24:31 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=28211609 On Debian iputils-arping is installed in /usr/bin/arping --- policy/modules/admin/netutils.fc | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/admin/netutils.fc b/policy/modules/admin/netutils.fc index 407078f..355714d 100644 --- a/policy/modules/admin/netutils.fc +++ b/policy/modules/admin/netutils.fc @@ -4,6 +4,7 @@ /sbin/arping -- gen_context(system_u:object_r:netutils_exec_t,s0) +/usr/bin/arping-- gen_context(system_u:object_r:netutils_exec_t,s0) /usr/bin/lft -- gen_context(system_u:object_r:traceroute_exec_t,s0) /usr/bin/nmap -- gen_context(system_u:object_r:traceroute_exec_t,s0) /usr/bin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0)
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/
commit: d211e0e619833fd7743396651109e91eb09d620d Author: Laurent Bigonville bigon AT bigon DOT be AuthorDate: Fri Oct 3 12:35:58 2014 + Commit: Sven Vermeulen swift AT gentoo DOT org CommitDate: Sun Oct 12 08:24:33 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=d211e0e6 Debian also ship a different arping implementation In addition to the iputils arping implementation, Debian also ships another implementation which is installed under /usr/sbin/arping --- policy/modules/admin/netutils.fc | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/admin/netutils.fc b/policy/modules/admin/netutils.fc index 355714d..a4672ca 100644 --- a/policy/modules/admin/netutils.fc +++ b/policy/modules/admin/netutils.fc @@ -9,6 +9,7 @@ /usr/bin/nmap -- gen_context(system_u:object_r:traceroute_exec_t,s0) /usr/bin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0) +/usr/sbin/arping -- gen_context(system_u:object_r:netutils_exec_t,s0) /usr/sbin/fping-- gen_context(system_u:object_r:ping_exec_t,s0) /usr/sbin/traceroute.* -- gen_context(system_u:object_r:traceroute_exec_t,s0) /usr/sbin/hping2 -- gen_context(system_u:object_r:ping_exec_t,s0)
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/
commit: f591616e559675fd9ebec18575267d125d4eb135 Author: Chris PeBenito cpebenito AT tresys DOT com AuthorDate: Mon Oct 6 13:50:58 2014 + Commit: Sven Vermeulen swift AT gentoo DOT org CommitDate: Sun Oct 12 08:24:40 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f591616e Module version bump for Debian arping fc entries from Laurent Bigonville. --- policy/modules/admin/netutils.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te index cfd9700..5f4c84e 100644 --- a/policy/modules/admin/netutils.te +++ b/policy/modules/admin/netutils.te @@ -1,4 +1,4 @@ -policy_module(netutils, 1.13.1) +policy_module(netutils, 1.13.2) #
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/
commit: a2c27b5797c6d7420fe0bb36ee364406d260c960 Author: Sven Vermeulen sven.vermeulen AT siphos DOT be AuthorDate: Sun Aug 31 18:14:16 2014 + Commit: Sven Vermeulen swift AT gentoo DOT org CommitDate: Sun Aug 31 18:14:16 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=a2c27b57 Mark mkconfig as bootloader executable too --- policy/modules/admin/bootloader.fc | 4 1 file changed, 4 insertions(+)
diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc
index d56f931..2503c58 100644
--- a/policy/modules/admin/bootloader.fc
+++ b/policy/modules/admin/bootloader.fc
@@ -10,3 +10,7 @@
 /usr/sbin/grub2?-bios-setup-- gen_context(system_u:object_r:bootloader_exec_t,s0)
 /usr/sbin/grub2?-install -- gen_context(system_u:object_r:bootloader_exec_t,s0)
 /usr/sbin/grub2?-probe -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+
+ifdef(`distro_gentoo',`
+/usr/sbin/grub2?-mkconfig -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+')
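Review bot: Labelling `/usr/sbin/grub2?-mkconfig` bootloader_exec_t makes a shell script the entry point into bootloader_t, so everything that script executes — notably the snippets under /etc/grub.d — now needs execute rights in that domain; this hunk labels none of them, so they keep whatever the generic /etc rules give them and the domain will need a matching exec permission (commit 7c30c883 on this page later addresses this by typing /etc/grub.d as bootloader_etc_t). The `ifdef(`distro_gentoo',` guard is unusual for a path entry, since the binary name is not Gentoo-specific; either drop the guard or add a comment explaining why other distributions are meant to run mkconfig unconfined, e.g. `# grub2-mkconfig confined only on Gentoo pending upstream acceptance`.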
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/
commit: e28086742e431918f0a742b4a8bc458b83032f40 Author: Chris PeBenito cpebenito AT tresys DOT com AuthorDate: Mon Aug 18 14:30:28 2014 + Commit: Sven Vermeulen swift AT gentoo DOT org CommitDate: Tue Aug 19 20:06:38 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=e2808674 Module version bump for ping rawip socket fix from Luis Ressel. --- policy/modules/admin/netutils.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te index 570bf2c..cfd9700 100644 --- a/policy/modules/admin/netutils.te +++ b/policy/modules/admin/netutils.te @@ -1,4 +1,4 @@ -policy_module(netutils, 1.13.0) +policy_module(netutils, 1.13.1) #
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/
commit: ed4c234f64e2e952f796563b8a7bb4a23b3210cc Author: Luis Ressel aranea AT aixah DOT de AuthorDate: Thu Jun 26 21:22:07 2014 + Commit: Sven Vermeulen swift AT gentoo DOT org CommitDate: Tue Aug 19 20:06:36 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=ed4c234f Grant ping_t getattr on rawip_socket If the (sadly nearly undocumented) Linux kernel feature which allows specific user groups to send ICMP echos without CAP_NET_RAW (configurable with the sysctl net.ipv4.ping_group_range, available since 3.0) is used, ping needs the getattr permission of the rawip_socket class in order to work. --- policy/modules/admin/netutils.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te index 7aa7384..570bf2c 100644 --- a/policy/modules/admin/netutils.te +++ b/policy/modules/admin/netutils.te @@ -110,7 +110,7 @@ allow ping_t self:capability { setuid net_raw }; allow ping_t self:process { getcap setcap }; dontaudit ping_t self:capability sys_tty_config; allow ping_t self:tcp_socket create_socket_perms; -allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt }; +allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt getattr }; allow ping_t self:packet_socket { create ioctl read write bind getopt setopt }; allow ping_t self:netlink_route_socket create_netlink_socket_perms;
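Review bot: The widened `allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt getattr };` carries no comment, so the reason given in the commit message (unprivileged ICMP sockets enabled through net.ipv4.ping_group_range are classified as rawip_socket and need getattr) is invisible to anyone later tightening this list; a one-line comment above the rule such as `# getattr: needed for unprivileged ICMP sockets (net.ipv4.ping_group_range)` would keep it from being reverted as an over-grant. The adjacent `packet_socket` rule keeps the identical hand-written list without getattr, which is fine if intentional but worth a glance so the two do not drift silently. The rule block continues outside the hunk.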
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/
commit: 6f89ead94bb14f55eca319a101c791159faa9739 Author: Sven Vermeulen sven.vermeulen AT siphos DOT be AuthorDate: Tue Mar 25 20:30:04 2014 + Commit: Sven Vermeulen swift AT gentoo DOT org CommitDate: Tue Apr 8 15:20:56 2014 + URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=6f89ead9 Hide getattr denials upon sudo invocation When sudo is invoked (sudo -i) the audit log gets quite a lot of denials related to the getattr permission against tty_device_t:chr_file for the *_sudo_t domain. However, no additional logging (that would hint at a need) by sudo, nor any functional issues come up. Hence the dontaudit call. Signed-off-by: Sven Vermeulen sven.vermeulen AT siphos.be --- policy/modules/admin/sudo.if | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if index 4bb2245..07e5db8 100644 --- a/policy/modules/admin/sudo.if +++ b/policy/modules/admin/sudo.if @@ -110,6 +110,7 @@ template(`sudo_role_template',` selinux_compute_relabel_context($1_sudo_t) term_getattr_pty_fs($1_sudo_t) + term_dontaudit_getattr_unallocated_ttys($1_sudo_t) term_relabel_all_ttys($1_sudo_t) term_relabel_all_ptys($1_sudo_t)
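Review bot: `term_dontaudit_getattr_unallocated_ttys($1_sudo_t)` is added without an in-code comment, so the reasoning in the commit message (getattr on tty_device_t chr_files appears on `sudo -i` with no functional effect observed) is not visible in the template itself; a short comment such as `# sudo -i probes ttys via getattr with no functional need; hide rather than allow` would record it. Because a dontaudit rule suppresses the denial entirely, a later sudo version that does need the access will fail silently until someone rebuilds with dontaudit rules disabled, so noting the sudo version this was observed with would make the rule easier to revisit. The template body continues outside the hunk.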