[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/, policy/modules/roles/

2021-11-20 Thread Jason Zaman
commit: f8e43b61c56e5b79784c73c58548143056bee6b5
Author: Kenton Groombridge  concord  sh>
AuthorDate: Sun Aug  8 16:53:48 2021 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Nov 20 22:58:24 2021 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f8e43b61

shutdown, roles: use user exec domain attribute

Signed-off-by: Kenton Groombridge  concord.sh>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/admin/shutdown.if | 29 ++---
 policy/modules/roles/sysadm.te   |  2 +-
 2 files changed, 23 insertions(+), 8 deletions(-)

diff --git a/policy/modules/admin/shutdown.if b/policy/modules/admin/shutdown.if
index 05eb8c89..2a428398 100644
--- a/policy/modules/admin/shutdown.if
+++ b/policy/modules/admin/shutdown.if
@@ -4,26 +4,41 @@
 ## 
 ## Role access for shutdown.
 ## 
-## 
+## 
 ## 
-## Role allowed access.
+## The prefix of the user role (e.g., user
+## is the prefix for user_r).
 ## 
 ## 
-## 
+## 
 ## 
 ## User domain for the role.
 ## 
 ## 
+## 
+## 
+## User exec domain for execute and transition access.
+## 
+## 
+## 
+## 
+## Role allowed access
+## 
+## 
 #
-interface(`shutdown_role',`
+template(`shutdown_role',`
gen_require(`
type shutdown_t;
')
 
-   shutdown_run($2, $1)
+   shutdown_run($3, $4)
+
+   allow $3 shutdown_t:process { ptrace signal_perms };
+   ps_process_pattern($3, shutdown_t)
 
-   allow $2 shutdown_t:process { ptrace signal_perms };
-   ps_process_pattern($2, shutdown_t)
+   optional_policy(`
+   systemd_user_app_status($1, shutdown_t)
+   ')
 ')
 
 
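Review bot: In the new `shutdown_role` body, `allow $3 shutdown_t:process { ptrace signal_perms };` and `ps_process_pattern($3, shutdown_t)` give ptrace and signal access to the third argument, which the added parameter comment describes only as "User exec domain for execute and transition access", while the documented user domain `$2` is no longer referenced anywhere in the visible body. At the sysadm.te call site `$3` is `sysadm_application_exec_domain`; if that attribute covers more types than `sysadm_t` (its membership is not visible in this commit), each of them gains ptrace on `shutdown_t`, which is wider than the old `$2` grant. If only the run/transition access was meant to move to the attribute, keep the process rules on the user domain with `allow $2 shutdown_t:process { ptrace signal_perms };` and `ps_process_pattern($2, shutdown_t)`; otherwise extend the `$3` comment to state that it also receives ptrace, signal and ps access.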

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 7774ec0a..44b80516 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -959,7 +959,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-   shutdown_role(sysadm_r, sysadm_t)
+   shutdown_role(sysadm, sysadm_t, sysadm_application_exec_domain, 
sysadm_r)
 ')
 
 optional_policy(`



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/, policy/modules/roles/, policy/modules/kernel/

2021-09-05 Thread Jason Zaman
commit: 8f26b7cec0bdcb591e5caa650014bb5ae00293f2
Author: Chris PeBenito  ieee  org>
AuthorDate: Thu Jul  8 13:45:15 2021 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Sep  5 14:26:44 2021 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8f26b7ce

dmesg, devices, sysadm: Module version bump.

Signed-off-by: Chris PeBenito  ieee.org>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/admin/dmesg.te| 2 +-
 policy/modules/kernel/devices.te | 2 +-
 policy/modules/roles/sysadm.te   | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te
index 8c5337b1..d347614c 100644
--- a/policy/modules/admin/dmesg.te
+++ b/policy/modules/admin/dmesg.te
@@ -1,4 +1,4 @@
-policy_module(dmesg, 1.8.0)
+policy_module(dmesg, 1.8.1)
 
 
 #

diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 000e5ebe..7dee3d17 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -1,4 +1,4 @@
-policy_module(devices, 1.28.2)
+policy_module(devices, 1.28.3)
 
 
 #

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 3aa6b9d5..ba26bbfe 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -1,4 +1,4 @@
-policy_module(sysadm, 2.18.4)
+policy_module(sysadm, 2.18.5)
 
 
 #



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/, policy/modules/roles/, policy/modules/kernel/, ...

2017-02-17 Thread Jason Zaman
commit: b8090bfeb7461011bfbbfc43d47caab6fc863d3d
Author: Chris PeBenito  ieee  org>
AuthorDate: Wed Feb 15 23:47:33 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Fri Feb 17 08:13:38 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b8090bfe

Sort capabilities permissions from Russell Coker.

 policy/modules/admin/bootloader.te|  2 +-
 policy/modules/admin/netutils.te  |  6 +++---
 policy/modules/admin/su.if|  4 ++--
 policy/modules/admin/sudo.if  |  2 +-
 policy/modules/admin/usermanage.te| 10 +-
 policy/modules/apps/seunshare.te  |  2 +-
 policy/modules/kernel/files.if|  2 +-
 policy/modules/roles/auditadm.te  |  2 +-
 policy/modules/roles/logadm.te|  2 +-
 policy/modules/roles/secadm.te|  2 +-
 policy/modules/services/postgresql.te |  4 ++--
 policy/modules/services/ssh.if|  4 ++--
 policy/modules/services/ssh.te|  2 +-
 policy/modules/services/xserver.te|  4 ++--
 policy/modules/system/fstools.te  |  2 +-
 policy/modules/system/getty.te|  2 +-
 policy/modules/system/hotplug.te  |  4 ++--
 policy/modules/system/ipsec.te|  4 ++--
 policy/modules/system/iptables.te |  2 +-
 policy/modules/system/locallogin.te   |  2 +-
 policy/modules/system/logging.if  |  2 +-
 policy/modules/system/logging.te  | 10 +-
 policy/modules/system/lvm.te  |  4 ++--
 policy/modules/system/mount.te|  2 +-
 policy/modules/system/selinuxutil.te  |  4 ++--
 policy/modules/system/sysnetwork.te   |  6 +++---
 policy/modules/system/systemd.te  |  4 ++--
 policy/modules/system/udev.te |  2 +-
 policy/modules/system/userdomain.if   |  8 
 29 files changed, 53 insertions(+), 53 deletions(-)

diff --git a/policy/modules/admin/bootloader.te 
b/policy/modules/admin/bootloader.te
index 8ed70327..8b7c18cd 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -41,7 +41,7 @@ dev_node(bootloader_tmp_t)
 # bootloader local policy
 #
 
-allow bootloader_t self:capability { dac_override dac_read_search fsetid 
sys_rawio sys_admin mknod chown };
+allow bootloader_t self:capability { chown dac_override dac_read_search fsetid 
mknod sys_admin sys_rawio };
 allow bootloader_t self:process { signal_perms execmem };
 allow bootloader_t self:fifo_file rw_fifo_file_perms;
 

diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index 9eabff3a..744a2aa3 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -33,7 +33,7 @@ init_system_domain(traceroute_t, traceroute_exec_t)
 #
 
 # Perform network administration operations and have raw access to the network.
-allow netutils_t self:capability { dac_read_search net_admin net_raw setuid 
setgid sys_chroot };
+allow netutils_t self:capability { dac_read_search net_admin net_raw setgid 
setuid sys_chroot };
 dontaudit netutils_t self:capability { dac_override sys_tty_config };
 allow netutils_t self:process { setcap signal_perms };
 allow netutils_t self:netlink_route_socket create_netlink_socket_perms;
@@ -107,7 +107,7 @@ optional_policy(`
 # Ping local policy
 #
 
-allow ping_t self:capability { setuid net_raw };
+allow ping_t self:capability { net_raw setuid };
 # When ping is installed with capabilities instead of setuid
 allow ping_t self:process { getcap setcap };
 dontaudit ping_t self:capability sys_tty_config;
@@ -168,7 +168,7 @@ optional_policy(`
 # Traceroute local policy
 #
 
-allow traceroute_t self:capability { net_admin net_raw setuid setgid };
+allow traceroute_t self:capability { net_admin net_raw setgid setuid };
 allow traceroute_t self:rawip_socket create_socket_perms;
 allow traceroute_t self:packet_socket create_socket_perms;
 allow traceroute_t self:udp_socket create_socket_perms;

diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
index 02aabd81..4a434b84 100644
--- a/policy/modules/admin/su.if
+++ b/policy/modules/admin/su.if
@@ -41,7 +41,7 @@ template(`su_restricted_domain_template', `
 
allow $2 $1_su_t:process signal;
 
-   allow $1_su_t self:capability { audit_control audit_write setuid setgid 
net_bind_service chown dac_override fowner sys_nice sys_resource };
+   allow $1_su_t self:capability { audit_control audit_write chown 
dac_override fowner net_bind_service setgid setuid sys_nice sys_resource };
dontaudit $1_su_t self:capability sys_tty_config;
allow $1_su_t self:key { search write };
allow $1_su_t self:process { setexec setsched setrlimit };
@@ -160,7 +160,7 @@ template(`su_role_template',`
 
allow $3 $1_su_t:process signal;
 
-   allow $1_su_t self:capability { audit_control audit_write setuid setgid 
net_bind_service chown dac_override fowner sys_nice sys_resource };
+   allow $1_su_t self:capability { audit_control audit_write chown 
dac_override fowner net_bind_service