[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/, policy/modules/roles/
commit: f8e43b61c56e5b79784c73c58548143056bee6b5 Author: Kenton Groombridge concord sh> AuthorDate: Sun Aug 8 16:53:48 2021 + Commit: Jason Zaman gentoo org> CommitDate: Sat Nov 20 22:58:24 2021 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f8e43b61 shutdown, roles: use user exec domain attribute Signed-off-by: Kenton Groombridge concord.sh> Signed-off-by: Jason Zaman gentoo.org> policy/modules/admin/shutdown.if | 29 ++--- policy/modules/roles/sysadm.te | 2 +- 2 files changed, 23 insertions(+), 8 deletions(-) diff --git a/policy/modules/admin/shutdown.if b/policy/modules/admin/shutdown.if index 05eb8c89..2a428398 100644 --- a/policy/modules/admin/shutdown.if +++ b/policy/modules/admin/shutdown.if @@ -4,26 +4,41 @@ ## ## Role access for shutdown. ## -## +## ## -## Role allowed access. +## The prefix of the user role (e.g., user +## is the prefix for user_r). ## ## -## +## ## ## User domain for the role. ## ## +## +## +## User exec domain for execute and transition access. +## +## +## +## +## Role allowed access +## +## # -interface(`shutdown_role',` +template(`shutdown_role',` gen_require(` type shutdown_t; ') - shutdown_run($2, $1) + shutdown_run($3, $4) + + allow $3 shutdown_t:process { ptrace signal_perms }; + ps_process_pattern($3, shutdown_t) - allow $2 shutdown_t:process { ptrace signal_perms }; - ps_process_pattern($2, shutdown_t) + optional_policy(` + systemd_user_app_status($1, shutdown_t) + ') ') diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te index 7774ec0a..44b80516 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -959,7 +959,7 @@ optional_policy(` ') optional_policy(` - shutdown_role(sysadm_r, sysadm_t) + shutdown_role(sysadm, sysadm_t, sysadm_application_exec_domain, sysadm_r) ') optional_policy(`
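Review bot: In the new `shutdown_role` template body, `allow $3 shutdown_t:process { ptrace signal_perms };` grants ptrace over `shutdown_t` to every type carrying the user exec domain attribute instead of to the single user domain, and `$2` is no longer referenced anywhere in the visible body. The membership of `sysadm_application_exec_domain` is not shown in this diff, so the reach of that ptrace grant should be confirmed before merging. If only the login domain needs to debug shutdown, `allow $2 shutdown_t:process ptrace;` together with `allow $3 shutdown_t:process signal_perms;` would keep the debugging permission narrow. In any case the `$2` parameter description should say that the argument is currently unused, e.g. `## User domain for the role (not referenced by this template).`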
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/, policy/modules/roles/, policy/modules/kernel/
commit: 8f26b7cec0bdcb591e5caa650014bb5ae00293f2 Author: Chris PeBenito ieee org> AuthorDate: Thu Jul 8 13:45:15 2021 + Commit: Jason Zaman gentoo org> CommitDate: Sun Sep 5 14:26:44 2021 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8f26b7ce dmesg, devices, sysadm: Module version bump. Signed-off-by: Chris PeBenito ieee.org> Signed-off-by: Jason Zaman gentoo.org> policy/modules/admin/dmesg.te| 2 +- policy/modules/kernel/devices.te | 2 +- policy/modules/roles/sysadm.te | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te index 8c5337b1..d347614c 100644 --- a/policy/modules/admin/dmesg.te +++ b/policy/modules/admin/dmesg.te @@ -1,4 +1,4 @@ -policy_module(dmesg, 1.8.0) +policy_module(dmesg, 1.8.1) # diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te index 000e5ebe..7dee3d17 100644 --- a/policy/modules/kernel/devices.te +++ b/policy/modules/kernel/devices.te @@ -1,4 +1,4 @@ -policy_module(devices, 1.28.2) +policy_module(devices, 1.28.3) # diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te index 3aa6b9d5..ba26bbfe 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -1,4 +1,4 @@ -policy_module(sysadm, 2.18.4) +policy_module(sysadm, 2.18.5) #
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/, policy/modules/roles/, policy/modules/kernel/, ...
commit: b8090bfeb7461011bfbbfc43d47caab6fc863d3d Author: Chris PeBenito ieee org> AuthorDate: Wed Feb 15 23:47:33 2017 + Commit: Jason Zaman gentoo org> CommitDate: Fri Feb 17 08:13:38 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b8090bfe Sort capabilities permissions from Russell Coker. policy/modules/admin/bootloader.te| 2 +- policy/modules/admin/netutils.te | 6 +++--- policy/modules/admin/su.if| 4 ++-- policy/modules/admin/sudo.if | 2 +- policy/modules/admin/usermanage.te| 10 +- policy/modules/apps/seunshare.te | 2 +- policy/modules/kernel/files.if| 2 +- policy/modules/roles/auditadm.te | 2 +- policy/modules/roles/logadm.te| 2 +- policy/modules/roles/secadm.te| 2 +- policy/modules/services/postgresql.te | 4 ++-- policy/modules/services/ssh.if| 4 ++-- policy/modules/services/ssh.te| 2 +- policy/modules/services/xserver.te| 4 ++-- policy/modules/system/fstools.te | 2 +- policy/modules/system/getty.te| 2 +- policy/modules/system/hotplug.te | 4 ++-- policy/modules/system/ipsec.te| 4 ++-- policy/modules/system/iptables.te | 2 +- policy/modules/system/locallogin.te | 2 +- policy/modules/system/logging.if | 2 +- policy/modules/system/logging.te | 10 +- policy/modules/system/lvm.te | 4 ++-- policy/modules/system/mount.te| 2 +- policy/modules/system/selinuxutil.te | 4 ++-- policy/modules/system/sysnetwork.te | 6 +++--- policy/modules/system/systemd.te | 4 ++-- policy/modules/system/udev.te | 2 +- policy/modules/system/userdomain.if | 8 29 files changed, 53 insertions(+), 53 deletions(-) diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te index 8ed70327..8b7c18cd 100644 --- a/policy/modules/admin/bootloader.te +++ b/policy/modules/admin/bootloader.te 
@@ -41,7 +41,7 @@ dev_node(bootloader_tmp_t) # bootloader local policy # -allow bootloader_t self:capability { dac_override dac_read_search fsetid sys_rawio sys_admin mknod chown }; +allow bootloader_t self:capability { chown dac_override dac_read_search fsetid mknod sys_admin sys_rawio }; allow bootloader_t self:process { signal_perms execmem }; allow bootloader_t self:fifo_file rw_fifo_file_perms; diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te index 9eabff3a..744a2aa3 100644 --- a/policy/modules/admin/netutils.te +++ b/policy/modules/admin/netutils.te @@ -33,7 +33,7 @@ init_system_domain(traceroute_t, traceroute_exec_t) # # Perform network administration operations and have raw access to the network. -allow netutils_t self:capability { dac_read_search net_admin net_raw setuid setgid sys_chroot }; +allow netutils_t self:capability { dac_read_search net_admin net_raw setgid setuid sys_chroot }; dontaudit netutils_t self:capability { dac_override sys_tty_config }; allow netutils_t self:process { setcap signal_perms }; allow netutils_t self:netlink_route_socket create_netlink_socket_perms; @@ -107,7 +107,7 @@ optional_policy(` # Ping local policy # -allow ping_t self:capability { setuid net_raw }; +allow ping_t self:capability { net_raw setuid }; # When ping is installed with capabilities instead of setuid allow ping_t self:process { getcap setcap }; dontaudit ping_t self:capability sys_tty_config; @@ -168,7 +168,7 @@ optional_policy(` # Traceroute local policy # -allow traceroute_t self:capability { net_admin net_raw setuid setgid }; +allow traceroute_t self:capability { net_admin net_raw setgid setuid }; allow traceroute_t self:rawip_socket create_socket_perms; allow traceroute_t self:packet_socket create_socket_perms; allow traceroute_t self:udp_socket create_socket_perms; diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if index 02aabd81..4a434b84 100644 --- a/policy/modules/admin/su.if 
+++ b/policy/modules/admin/su.if @@ -41,7 +41,7 @@ template(`su_restricted_domain_template', ` allow $2 $1_su_t:process signal; - allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource }; + allow $1_su_t self:capability { audit_control audit_write chown dac_override fowner net_bind_service setgid setuid sys_nice sys_resource }; dontaudit $1_su_t self:capability sys_tty_config; allow $1_su_t self:key { search write }; allow $1_su_t self:process { setexec setsched setrlimit }; @@ -160,7 +160,7 @@ template(`su_role_template',` allow $3 $1_su_t:process signal; - allow $1_su_t self:capability { audit_control audit_write setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource }; + allow $1_su_t self:capability { audit_control audit_write chown dac_override fowner net_bind_service