[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/services/
commit: 345902025b3c03467a48c8b1474cbd3b3bc085cf Author: Russell Coker coker com au> AuthorDate: Thu Sep 21 14:22:36 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Oct 6 15:27:06 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=34590202 policy for the Reliability Availability servicability daemon (#690) * policy for the Reliability Availability servicability daemon Signed-off-by: Russell Coker coker.com.au> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/kernel/filesystem.if | 37 policy/modules/services/rasdaemon.fc | 3 +++ policy/modules/services/rasdaemon.if | 10 + policy/modules/services/rasdaemon.te | 41 4 files changed, 91 insertions(+) diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if index 5cdbc5644..5213df5ba 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -6154,6 +6154,43 @@ interface(`fs_getattr_tracefs_files',` allow $1 tracefs_t:file getattr; ') + +## +## Read/write trace filesystem files +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_rw_tracefs_files',` + gen_require(` + type tracefs_t; + ') + + allow $1 tracefs_t:dir list_dir_perms; + allow $1 tracefs_t:file rw_file_perms; +') + + +## +## create trace filesystem directories +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_create_tracefs_dirs',` + gen_require(` + type tracefs_t; + ') + + allow $1 tracefs_t:dir { create rw_dir_perms }; +') + ## ## Mount a XENFS filesystem. diff --git a/policy/modules/services/rasdaemon.fc b/policy/modules/services/rasdaemon.fc new file mode 100644 index 0..9a83feb4f --- /dev/null +++ b/policy/modules/services/rasdaemon.fc @@ -0,0 +1,3 @@ +/usr/sbin/rasdaemon-- gen_context(system_u:object_r:rasdaemon_exec_t,s0) +/var/lib/rasdaemon(/.*)? gen_context(system_u:object_r:rasdaemon_var_t,s0) + 
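Review bot: The summary of `fs_create_tracefs_dirs` in the filesystem.if hunk says only "create", but `allow $1 tracefs_t:dir { create rw_dir_perms };` also grants write/add_name/remove_name on existing tracefs directories, so the documented scope understates the rule; `Create and read/write trace filesystem directories.` would match it, and capitalising the first word matches the neighbouring summaries. Because a directory created under tracefs is how kernel trace instances are set up, the description of this interface (and of `fs_rw_tracefs_files`, which writes trace control files) should say that the caller can configure kernel tracing, so readers of the policy see it as a tracing-control grant rather than plain file access.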
diff --git a/policy/modules/services/rasdaemon.if b/policy/modules/services/rasdaemon.if new file mode 100644 index 0..9509b0261 --- /dev/null +++ b/policy/modules/services/rasdaemon.if @@ -0,0 +1,10 @@ +## RAS (Reliability, Availability and Serviceability) logging tool +## +## +## rasdaemon is a RAS (Reliability, Availability and Serviceability) logging +## tool. It currently records memory errors, using the EDAC tracing events. +## EDAC are drivers in the Linux kernel that handle detection of ECC errors +## from memory controllers for most chipsets on x86 and ARM architectures. +## +## https://git.infradead.org/users/mchehab/rasdaemon.git +## diff --git a/policy/modules/services/rasdaemon.te b/policy/modules/services/rasdaemon.te new file mode 100644 index 0..9a65d5d74 --- /dev/null +++ b/policy/modules/services/rasdaemon.te @@ -0,0 +1,41 @@ +policy_module(rasdaemon) + + +# +# Declarations +# + +type rasdaemon_t; +type rasdaemon_exec_t; +init_daemon_domain(rasdaemon_t, rasdaemon_exec_t) + +type rasdaemon_var_t; +files_type(rasdaemon_var_t) + + +# +# Local policy +# + +allow rasdaemon_t self:process getsched; +allow rasdaemon_t self:capability sys_rawio; + +allow rasdaemon_t rasdaemon_var_t:dir manage_dir_perms; +allow rasdaemon_t rasdaemon_var_t:file manage_file_perms; + +kernel_read_debugfs(rasdaemon_t) +kernel_read_system_state(rasdaemon_t) +kernel_read_vm_overcommit_sysctl(rasdaemon_t) +kernel_search_fs_sysctls(rasdaemon_t) + +dev_read_sysfs(rasdaemon_t) +dev_read_urand(rasdaemon_t) +dev_rw_cpu_microcode(rasdaemon_t) + +files_search_var_lib(rasdaemon_t) +fs_create_tracefs_dirs(rasdaemon_t) +fs_rw_tracefs_files(rasdaemon_t) + +logging_send_syslog_msg(rasdaemon_t) +miscfiles_read_localization(rasdaemon_t) +
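Review bot: In rasdaemon.te, `allow rasdaemon_t self:capability sys_rawio;` and `dev_rw_cpu_microcode(rasdaemon_t)` grant raw I/O plus read/write on the CPU device type (which in refpolicy also covers the per-CPU MSR nodes, to be confirmed) without a comment saying why; the tree documents unusual grants inline (compare the execmem comment in matrixd.te on this page), so add something like `# sys_rawio and rw on cpu_device_t: presumably for MSR access while decoding hardware error events -- TODO confirm` above those lines. If the daemon only reads from that device, a read-only interface would be the tighter grant. Separately, `rasdaemon_var_t` for `/var/lib/rasdaemon` departs from the `_var_lib_t` naming used for /var/lib state elsewhere in the tree (e.g. `xdm_var_lib_t` in xserver.fc on this page), so `rasdaemon_var_lib_t` would be the conventional name.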
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/services/, policy/modules/admin/, ...
commit: 8d05a891d62852e95e4dbcb3f16e299be7cd4644 Author: Chris PeBenito microsoft com> AuthorDate: Wed Mar 9 20:50:22 2022 + Commit: Jason Zaman gentoo org> CommitDate: Sat Sep 3 19:07:49 2022 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8d05a891 Add cloud-init. This is used by cloud providers to set up VMs during deployment. https://github.com/canonical/cloud-init Signed-off-by: Chris PeBenito microsoft.com> Signed-off-by: Jason Zaman gentoo.org> policy/modules/admin/cloudinit.fc | 10 +++ policy/modules/admin/cloudinit.if | 108 policy/modules/admin/cloudinit.te | 108 policy/modules/admin/usermanage.fc | 1 + policy/modules/kernel/corecommands.fc | 1 + policy/modules/kernel/corenetwork.if.in | 18 ++ policy/modules/services/ssh.fc | 2 +- policy/modules/services/ssh.if | 55 policy/modules/system/libraries.if | 44 + policy/modules/system/sysnetwork.te | 2 +- policy/modules/system/systemd.te| 9 +++ 11 files changed, 356 insertions(+), 2 deletions(-) diff --git a/policy/modules/admin/cloudinit.fc b/policy/modules/admin/cloudinit.fc new file mode 100644 index ..f5fdc535 --- /dev/null +++ b/policy/modules/admin/cloudinit.fc @@ -0,0 +1,10 @@ +/run/cloud-init(/.*)? gen_context(system_u:object_r:cloud_init_runtime_t,s0) + +/usr/bin/cloud-id -- gen_context(system_u:object_r:cloud_init_exec_t,s0) +/usr/bin/cloud-init -- gen_context(system_u:object_r:cloud_init_exec_t,s0) +/usr/bin/cloud-init-per -- gen_context(system_u:object_r:cloud_init_exec_t,s0) + +/var/lib/cloud(/.*)? gen_context(system_u:object_r:cloud_init_state_t,s0) + +/var/log/cloud-init-output\.log -- gen_context(system_u:object_r:cloud_init_log_t,s0) +/var/log/cloud-init\.log -- gen_context(system_u:object_r:cloud_init_log_t,s0) diff --git a/policy/modules/admin/cloudinit.if b/policy/modules/admin/cloudinit.if new file mode 100644 index ..4469d7b1 --- /dev/null +++ b/policy/modules/admin/cloudinit.if 
@@ -0,0 +1,108 @@ +## Init scripts for cloud VMs + + +## +## Create cloud-init runtime directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`cloudinit_create_runtime_dirs',` + gen_require(` + type cloud_init_runtime_t; + ') + + files_search_runtime($1) + allow $1 cloud_init_runtime_t:dir create_dir_perms; +') + + +## +## Write cloud-init runtime files. +## +## +## +## Domain allowed access. +## +## +# +interface(`cloudinit_write_runtime_files',` + gen_require(` + type cloud_init_runtime_t; + ') + + files_search_runtime($1) + write_files_pattern($1, cloud_init_runtime_t, cloud_init_runtime_t) +') + + +## +## Create cloud-init runtime files. +## +## +## +## Domain allowed access. +## +## +# +interface(`cloudinit_create_runtime_files',` + gen_require(` + type cloud_init_runtime_t; + ') + + files_search_runtime($1) + create_files_pattern($1, cloud_init_runtime_t, cloud_init_runtime_t) +') + +### +## +## Create files in /run with the type used for +## cloud-init runtime files. +## +## +## +## Domain allowed access. +## +## +## +## +## The class of the object to be created. +## +## +## +## +## The name of the object being created. +## +## +# +interface(`cloudinit_filetrans_runtime',` + gen_require(` + type cloud_init_runtime_t; + ') + + files_runtime_filetrans($1, cloud_init_runtime_t, $2, $3) +') + + +## +## Get the attribute of cloud-init state files. +## +## +## +## Domain allowed access. +## +## +# +interface(`cloudinit_getattr_state_files',` + gen_require(` + type cloud_init_state_t; + ') + + files_search_var_lib($1) + allow $1 cloud_init_state_t:dir list_dir_perms; + allow $1 cloud_init_state_t:lnk_file read_lnk_file_perms; + allow $1 cloud_init_state_t:file getattr; +') diff --git a/policy/modules/admin/cloudinit.te b/policy/modules/admin/cloudinit.te new file mode 100644 index ..f531cc5d --- /dev/null +++ b/policy/modules/admin/cloudinit.te 
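Review bot: `cloudinit_getattr_state_files` is summarized as getting attributes of state files, but its body also grants `list_dir_perms` on cloud_init_state_t directories and `read_lnk_file_perms` on symlinks, which is wider than the summary and than the `getattr_files_pattern` idiom (search, not read, on the directory). Either use `getattr_files_pattern($1, cloud_init_state_t, cloud_init_state_t)` for consistency with the pattern macros the other interfaces in this file use, or extend the summary to state that directory listing and symlink reading are included. The module summary `Init scripts for cloud VMs` also undersells what the commit message says the program does; `Cloud instance initialization (cloud-init).` would be more accurate.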
@@ -0,0 +1,108 @@ +policy_module(cloudinit) + + +# +# Declarations +# + +type cloud_init_t; +type cloud_init_exec_t; +init_system_domain(cloud_init_t, cloud_init_exec_t) + +type cloud_init_log_t; +logging_log_file(cloud_init_log_t) + +type cloud_init_runtime_t; +files_runtime_file(cloud_init_runtime_t)
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/services/
commit: 5b564f3b243368edd0e083c78a99b059a10e80ed Author: Russell Coker coker com au> AuthorDate: Fri Feb 18 01:21:52 2022 + Commit: Jason Zaman gentoo org> CommitDate: Sun Feb 27 02:13:17 2022 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5b564f3b matrixd-synapse policy V3 Here's the latest version of the matrixd-synapse policy including all the suggestions from a year ago. Probably ready to merge. Signed-off-by: Russell Coker coker.com.au> Signed-off-by: Jason Zaman gentoo.org> policy/modules/kernel/corenetwork.te.in | 2 +- policy/modules/services/matrixd.fc | 4 + policy/modules/services/matrixd.if | 1 + policy/modules/services/matrixd.te | 126 4 files changed, 132 insertions(+), 1 deletion(-) diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in index 547328be..077aacf0 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -156,7 +156,7 @@ network_port(hadoop_namenode, tcp,8020,s0) network_port(hddtemp, tcp,7634,s0) network_port(howl, tcp,5335,s0, udp,5353,s0) network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,5,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0) -network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port +network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0, tcp,8448,s0) #8443 is mod_nss default port network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,10001-10010,s0) # 8118 is for privoxy network_port(i18n_input, tcp,9010,s0) network_port(imaze, tcp,5323,s0, udp,5323,s0) diff --git a/policy/modules/services/matrixd.fc b/policy/modules/services/matrixd.fc new file mode 100644 index ..b59b1c75 --- /dev/null +++ b/policy/modules/services/matrixd.fc 
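Review bot: Port 8448 is added to the generic http port definition, so every domain with corenet http port permissions (web servers, browsers, proxies) gains bind/connect on the Matrix federation port, not only matrixd_t; a dedicated entry such as `network_port(matrix_federation, tcp,8448,s0)` (name illustrative) would keep the grant scoped to the domain that needs it. At minimum the trailing comment should explain the new port, since it currently documents only 8443: `#8443 is mod_nss default port, 8448 is the Matrix federation port`.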
@@ -0,0 +1,4 @@ +/var/lib/matrix-synapse(/.*)? gen_context(system_u:object_r:matrixd_var_t,s0) +/var/log/matrix-synapse(/.*)? gen_context(system_u:object_r:matrixd_log_t,s0) +/etc/matrix-synapse(/.*)? gen_context(system_u:object_r:matrixd_conf_t,s0) +/usr/bin/synctl-- gen_context(system_u:object_r:matrixd_exec_t,s0) diff --git a/policy/modules/services/matrixd.if b/policy/modules/services/matrixd.if new file mode 100644 index ..f1eff5f0 --- /dev/null +++ b/policy/modules/services/matrixd.if @@ -0,0 +1 @@ +## Matrixd diff --git a/policy/modules/services/matrixd.te b/policy/modules/services/matrixd.te new file mode 100644 index ..5c217678 --- /dev/null +++ b/policy/modules/services/matrixd.te 
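Review bot: The matrixd.fc entries are not in path order (/var, /var, /etc, /usr); the other .fc files in this series, e.g. cloudinit.fc, sort by path, so reorder them as /etc, /usr, /var. Note that `/etc/matrix-synapse(/.*)?` typically holds the homeserver configuration together with the server signing key and shared secrets, so labelling the whole tree matrixd_conf_t makes that key material readable by any domain granted read access to the config type; if the keys need a separate review boundary, a dedicated type is the usual approach.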
@@ -0,0 +1,126 @@ +policy_module(matrixd, 1.0.0) + + +# +# Declarations +# + +## +## +## Determine whether Matrixd is allowed to federate +## (bind all UDP ports and connect to all TCP ports). +## +## +gen_tunable(matrix_allow_federation, true) + +## +## +## Determine whether Matrixd can connect to the Postgres database. +## +## +gen_tunable(matrix_postgresql_connect, false) + + +type matrixd_t; +type matrixd_exec_t; +init_daemon_domain(matrixd_t, matrixd_exec_t) + +type matrixd_var_t; +files_type(matrixd_var_t) + +type matrixd_log_t; +logging_log_file(matrixd_log_t) + +type matrixd_conf_t; +files_config_file(matrixd_conf_t) + +type matrixd_tmp_t; +files_tmp_file(matrixd_tmp_t) + + +# +# Local policy +# + +allow matrixd_t self:fifo_file rw_file_perms; +allow matrixd_t self:tcp_socket create_stream_socket_perms; +allow matrixd_t self:netlink_route_socket r_netlink_socket_perms; + +allow matrixd_t self:udp_socket create_socket_perms; +allow matrixd_t self:unix_dgram_socket create_socket_perms; +# execmem is needed for Python callbacks +# https://cffi.readthedocs.io/en/latest/using.html#callbacks +allow matrixd_t self:process execmem; + +allow matrixd_t matrixd_tmp_t:file { manage_file_perms map }; +files_tmp_filetrans(matrixd_t, matrixd_tmp_t, file) +fs_tmpfs_filetrans(matrixd_t, matrixd_tmp_t, file) + +manage_files_pattern(matrixd_t, matrixd_var_t, matrixd_var_t) +files_search_var_lib(matrixd_t) +allow matrixd_t matrixd_var_t:file map; +allow matrixd_t matrixd_var_t:dir manage_dir_perms; + +logging_search_logs(matrixd_t) +manage_files_pattern(matrixd_t, matrixd_log_t, matrixd_log_t) + +read_files_pattern(matrixd_t, matrixd_conf_t, matrixd_conf_t) +allow matrixd_t matrixd_conf_t:dir list_dir_perms; + +kernel_read_system_state(matrixd_t) +kernel_read_vm_overcommit_sysctl(matrixd_t) + +# The following in the systemd service file causes a domain transition when +# running python3: +# SELinuxContext=system_u:system_r:matrixd_t:s0 +corecmd_bin_entry_type(matrixd_t)
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/services/, policy/modules/system/, ...
commit: b2361fcf03d445e6710bd4ab3ba3b171fdb4ef7b Author: Chris PeBenito ieee org> AuthorDate: Mon Nov 15 20:34:27 2021 + Commit: Jason Zaman gentoo org> CommitDate: Sat Nov 20 22:58:24 2021 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b2361fcf various: Module version bump. Signed-off-by: Chris PeBenito ieee.org> Signed-off-by: Jason Zaman gentoo.org> policy/modules/admin/rpm.te | 2 +- policy/modules/admin/tmpreaper.te | 2 +- policy/modules/kernel/corenetwork.te.in | 2 +- policy/modules/kernel/mcs.te| 2 +- policy/modules/services/policykit.te| 2 +- policy/modules/services/postfix.te | 2 +- policy/modules/services/watchdog.te | 2 +- policy/modules/system/init.te | 2 +- policy/modules/system/systemd.te| 2 +- policy/modules/system/udev.te | 2 +- policy/modules/system/unconfined.te | 2 +- 11 files changed, 11 insertions(+), 11 deletions(-) diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te index 6823e6e3..6545e471 100644 --- a/policy/modules/admin/rpm.te +++ b/policy/modules/admin/rpm.te @@ -1,4 +1,4 @@ -policy_module(rpm, 1.26.0) +policy_module(rpm, 1.26.1) # diff --git a/policy/modules/admin/tmpreaper.te b/policy/modules/admin/tmpreaper.te index 1acefd7f..1a2a3036 100644 --- a/policy/modules/admin/tmpreaper.te +++ b/policy/modules/admin/tmpreaper.te @@ -1,4 +1,4 @@ -policy_module(tmpreaper, 1.9.0) +policy_module(tmpreaper, 1.9.1) # diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in index 9deaa2ed..c1bd804a 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -1,4 +1,4 @@ -policy_module(corenetwork, 1.29.0) +policy_module(corenetwork, 1.29.1) # diff --git a/policy/modules/kernel/mcs.te b/policy/modules/kernel/mcs.te index 2da98c25..3bb823f4 100644 --- a/policy/modules/kernel/mcs.te +++ b/policy/modules/kernel/mcs.te @@ -1,4 +1,4 @@ -policy_module(mcs, 1.3.0) +policy_module(mcs, 1.3.1) # 
diff --git a/policy/modules/services/policykit.te b/policy/modules/services/policykit.te index f03614d0..2119b8de 100644 --- a/policy/modules/services/policykit.te +++ b/policy/modules/services/policykit.te @@ -1,4 +1,4 @@ -policy_module(policykit, 1.12.1) +policy_module(policykit, 1.12.2) # diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te index b6a9bb6b..6d071347 100644 --- a/policy/modules/services/postfix.te +++ b/policy/modules/services/postfix.te @@ -1,4 +1,4 @@ -policy_module(postfix, 1.25.1) +policy_module(postfix, 1.25.2) # diff --git a/policy/modules/services/watchdog.te b/policy/modules/services/watchdog.te index ab9d9458..5b3c8889 100644 --- a/policy/modules/services/watchdog.te +++ b/policy/modules/services/watchdog.te @@ -1,4 +1,4 @@ -policy_module(watchdog, 1.16.0) +policy_module(watchdog, 1.16.1) # # diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index 565b7cb7..3802f575 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -1,4 +1,4 @@ -policy_module(init, 2.11.0) +policy_module(init, 2.11.1) gen_require(` class passwd rootok; diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index 118158e4..4233da20 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -1,4 +1,4 @@ -policy_module(systemd, 1.12.2) +policy_module(systemd, 1.12.3) # # diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te index a13dff43..cbc8c0dc 100644 --- a/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te @@ -1,4 +1,4 @@ -policy_module(udev, 1.30.1) +policy_module(udev, 1.30.2) # diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te index a23a1037..95d08889 100644 --- a/policy/modules/system/unconfined.te +++ b/policy/modules/system/unconfined.te @@ -1,4 +1,4 @@ -policy_module(unconfined, 3.16.1) +policy_module(unconfined, 3.16.2) #
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/services/, policy/, ...
commit: 89cbc037a65cd4e6871a32337bb9f0e1c1f4dc95 Author: Kenton Groombridge concord sh> AuthorDate: Wed Oct 13 17:36:25 2021 + Commit: Jason Zaman gentoo org> CommitDate: Sat Nov 20 22:58:24 2021 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=89cbc037 various: deprecate mcs override interfaces Signed-off-by: Kenton Groombridge concord.sh> Signed-off-by: Jason Zaman gentoo.org> policy/mcs | 2 +- policy/modules/admin/rpm.te | 2 -- policy/modules/admin/tmpreaper.te| 2 -- policy/modules/kernel/mcs.if | 24 policy/modules/services/policykit.te | 2 -- policy/modules/services/postfix.te | 10 -- policy/modules/services/watchdog.te | 2 -- policy/modules/system/init.te| 6 -- policy/modules/system/systemd.te | 1 - policy/modules/system/udev.te| 2 -- policy/modules/system/unconfined.te | 3 --- 11 files changed, 5 insertions(+), 51 deletions(-) diff --git a/policy/mcs b/policy/mcs index cc922a02..c8c573e9 100644 --- a/policy/mcs +++ b/policy/mcs @@ -173,7 +173,7 @@ mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind # because the subject in this particular case is the remote domain which is # writing data out the network node which is acting as the object mlsconstrain { node } { recvfrom sendto } - (( l1 dom l2 ) or ( t1 != msc_constrained_type )); + (( l1 dom l2 ) or ( t1 != mcs_constrained_type )); mlsconstrain { packet peer } { recv } (( l1 dom l2 ) or diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te index 860207e5..6823e6e3 100644 --- a/policy/modules/admin/rpm.te +++ b/policy/modules/admin/rpm.te @@ -313,8 +313,6 @@ fs_mount_xattr_fs(rpm_script_t) fs_unmount_xattr_fs(rpm_script_t) fs_search_auto_mountpoints(rpm_script_t) -mcs_killall(rpm_script_t) - mls_file_read_all_levels(rpm_script_t) mls_file_write_all_levels(rpm_script_t) diff --git a/policy/modules/admin/tmpreaper.te b/policy/modules/admin/tmpreaper.te index f4ce8dba..1acefd7f 100644 --- a/policy/modules/admin/tmpreaper.te +++ b/policy/modules/admin/tmpreaper.te 
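Review bot: The change in the node `{ recvfrom sendto }` constraint from `msc_constrained_type` to `mcs_constrained_type` corrects the attribute name and therefore alters which network node traffic the MCS dominance check applies to, but neither the commit title ("deprecate mcs override interfaces") nor the description mentions it; a separate commit, or at least a line in the message such as `mcs: fix attribute name typo in the node recvfrom/sendto constraint`, would make the enforcement change auditable. Whether the misspelled name was previously tolerated or declared elsewhere is not visible here, so the practical effect on existing systems should be confirmed before merge.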
@@ -34,8 +34,6 @@ files_read_var_lib_files(tmpreaper_t) files_purge_tmp(tmpreaper_t) files_setattr_all_tmp_dirs(tmpreaper_t) -mcs_file_read_all(tmpreaper_t) -mcs_file_write_all(tmpreaper_t) mls_file_read_all_levels(tmpreaper_t) mls_file_write_all_levels(tmpreaper_t) diff --git a/policy/modules/kernel/mcs.if b/policy/modules/kernel/mcs.if index eb4bcfcb..55b5a7fe 100644 --- a/policy/modules/kernel/mcs.if +++ b/policy/modules/kernel/mcs.if @@ -44,11 +44,7 @@ interface(`mcs_constrained',` ## # interface(`mcs_file_read_all',` - gen_require(` - attribute mcsreadall; - ') - - typeattribute $1 mcsreadall; + refpolicywarn(`$0() has been deprecated, please remove mcs_constrained() instead.') ') @@ -64,11 +60,7 @@ interface(`mcs_file_read_all',` ## # interface(`mcs_file_write_all',` - gen_require(` - attribute mcswriteall; - ') - - typeattribute $1 mcswriteall; + refpolicywarn(`$0() has been deprecated, please remove mcs_constrained() instead.') ') @@ -84,11 +76,7 @@ interface(`mcs_file_write_all',` ## # interface(`mcs_killall',` - gen_require(` - attribute mcskillall; - ') - - typeattribute $1 mcskillall; + refpolicywarn(`$0() has been deprecated, please remove mcs_constrained() instead.') ') @@ -104,11 +92,7 @@ interface(`mcs_killall',` ## # interface(`mcs_ptrace_all',` - gen_require(` - attribute mcsptraceall; - ') - - typeattribute $1 mcsptraceall; + refpolicywarn(`$0() has been deprecated, please remove mcs_constrained() instead.') ') diff --git a/policy/modules/services/policykit.te b/policy/modules/services/policykit.te index 7e00d524..f03614d0 100644 --- a/policy/modules/services/policykit.te +++ b/policy/modules/services/policykit.te @@ -267,8 +267,6 @@ can_exec(policykit_resolve_t, policykit_resolve_exec_t) domtrans_pattern(policykit_resolve_t, policykit_auth_exec_t, policykit_auth_t) -mcs_ptrace_all(policykit_resolve_t) - auth_use_nsswitch(policykit_resolve_t) userdom_read_all_users_state(policykit_resolve_t) 
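Review bot: The deprecation text `$0() has been deprecated, please remove mcs_constrained() instead.` in the `mcs_file_read_all` stub is ambiguous, because "remove ... instead" does not say what the caller should do when it never called mcs_constrained() at all; if the intent is that override interfaces are no longer needed because domains are unconstrained unless they opt in, say so: `$0() has been deprecated and is now a no-op; MCS overrides are unnecessary unless the domain calls mcs_constrained(), in which case remove that call.` The same wording appears in the three following hunks (`mcs_file_write_all`, `mcs_killall`, `mcs_ptrace_all`) and should change together. The summary blocks above each interface are outside the hunk but presumably still describe the former override behaviour; they should state that the interface is deprecated and grants nothing.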
diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te index 98416368..b6a9bb6b 100644 --- a/policy/modules/services/postfix.te +++ b/policy/modules/services/postfix.te @@ -292,8 +292,6 @@ domain_use_interactive_fds(postfix_master_t) files_search_tmp(postfix_master_t) -mcs_file_read_all(postfix_master_t) - term_dontaudit_search_ptys(postfix_master_t) hostname_exec(postfix_master_t) @@ -568,9 +566,6 @@ allow postfix_pickup_t
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/services/
commit: f75896871e29215b93854d20fa218118dc70e45d Author: Alexander Miroshnichenko millerson name> AuthorDate: Sat Jan 26 18:50:12 2019 + Commit: Jason Zaman gentoo org> CommitDate: Sun Feb 10 04:11:25 2019 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f7589687 fs_mmap_rw_hugetlbfs_files is a more appropriate name for the interface Signed-off-by: Jason Zaman perfinion.com> policy/modules/kernel/filesystem.if | 2 +- policy/modules/services/postgresql.te | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if index 7d9f0f43..6da7cc22 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -2350,7 +2350,7 @@ interface(`fs_rw_hugetlbfs_files',` ## ## # -interface(`fs_rmw_hugetlbfs_files',` +interface(`fs_mmap_rw_hugetlbfs_files',` gen_require(` type hugetlbfs_t; ') diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te index 09824a8b..3bdffe4f 100644 --- a/policy/modules/services/postgresql.te +++ b/policy/modules/services/postgresql.te @@ -331,7 +331,7 @@ dev_read_urand(postgresql_t) fs_getattr_all_fs(postgresql_t) fs_search_auto_mountpoints(postgresql_t) -fs_rmw_hugetlbfs_files(postgresql_t) +fs_mmap_rw_hugetlbfs_files(postgresql_t) selinux_get_enforce_mode(postgresql_t) selinux_validate_context(postgresql_t)
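Review bot: `fs_rmw_hugetlbfs_files` is renamed to `fs_mmap_rw_hugetlbfs_files` without keeping the old name, so any out-of-tree policy still calling `fs_rmw_hugetlbfs_files()` will fail to build; refpolicy's convention for this (used by the mcs.if deprecations elsewhere on this page) is to keep the old interface as a stub that calls the new one and emits a `refpolicywarn` deprecation notice. The interface body continues outside the hunk.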
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/services/
commit: d4995122c6b1cdde1674282d58bc69494119f6d8 Author: Chris PeBenito ieee org> AuthorDate: Sun Jan 27 17:58:33 2019 + Commit: Jason Zaman gentoo org> CommitDate: Sun Feb 10 04:11:25 2019 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d4995122 filesystem, postgresql: Module version bump. Signed-off-by: Jason Zaman perfinion.com> policy/modules/kernel/filesystem.te | 2 +- policy/modules/services/postgresql.te | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te index 8ddacd76..5cbf319b 100644 --- a/policy/modules/kernel/filesystem.te +++ b/policy/modules/kernel/filesystem.te @@ -1,4 +1,4 @@ -policy_module(filesystem, 1.24.0) +policy_module(filesystem, 1.24.1) # diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te index 3bdffe4f..8f7043c3 100644 --- a/policy/modules/services/postgresql.te +++ b/policy/modules/services/postgresql.te @@ -1,4 +1,4 @@ -policy_module(postgresql, 1.19.0) +policy_module(postgresql, 1.19.1) gen_require(` class db_database all_db_database_perms;
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/services/, policy/modules/admin/, ...
commit: 8253183963f78c69d401d0740f2f35d4cc7726b4 Author: Jason Zaman jason AT perfinion DOT com AuthorDate: Tue Dec 2 21:20:40 2014 + Commit: Jason Zaman gentoo AT perfinion DOT com CommitDate: Tue Dec 2 21:20:40 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=82531839 remove things that have been upstreamed --- policy/modules/admin/bootloader.fc| 4 policy/modules/admin/sudo.if | 7 --- policy/modules/kernel/corecommands.fc | 2 -- policy/modules/services/xserver.fc| 7 --- policy/modules/system/authlogin.if| 34 -- policy/modules/system/fstools.fc | 2 -- policy/modules/system/ipsec.fc| 4 7 files changed, 60 deletions(-) diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc index 6bd044c..d908d56 100644 --- a/policy/modules/admin/bootloader.fc +++ b/policy/modules/admin/bootloader.fc @@ -11,7 +11,3 @@ /usr/sbin/grub2?-install -- gen_context(system_u:object_r:bootloader_exec_t,s0) /usr/sbin/grub2?-mkconfig -- gen_context(system_u:object_r:bootloader_exec_t,s0) /usr/sbin/grub2?-probe -- gen_context(system_u:object_r:bootloader_exec_t,s0) - -ifdef(`distro_gentoo',` -/usr/sbin/grub2?-mkconfig -- gen_context(system_u:object_r:bootloader_exec_t,s0) -') diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if index c6140e3..56ce11c 100644 --- a/policy/modules/admin/sudo.if +++ b/policy/modules/admin/sudo.if @@ -160,13 +160,6 @@ template(`sudo_role_template',` optional_policy(` fprintd_dbus_chat($1_sudo_t) ') - - ifdef(`distro_gentoo',` - # Set ownership of ts directory (timestamp keeping) - allow $1_sudo_t self:capability { chown }; - # Create /var/run/sudo - auth_pid_filetrans_pam_var_run($1_sudo_t, dir, sudo) - ') ') diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc index e61b52b..fdf1915 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc 
@@ -422,6 +422,4 @@ ifdef(`distro_suse',` ifdef(`distro_gentoo',` /usr/lib/python-exec/python-exec2 -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/python-exec/python.*/.* -- gen_context(system_u:object_r:bin_t,s0) - -/usr/lib/xfce4/notifyd/xfce4-notifyd -- gen_context(system_u:object_r:bin_t,s0) ') diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc index 49eeac1..5ef36fb 100644 --- a/policy/modules/services/xserver.fc +++ b/policy/modules/services/xserver.fc @@ -128,11 +128,4 @@ ifdef(`distro_suse',` ifdef(`distro_gentoo',` HOME_DIR/\.local/share/xorg(/.*)? gen_context(system_u:object_r:xserver_xdg_data_home_t,s0) - -/etc/lightdm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0) - -/var/cache/lightdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) -/var/lib/lightdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0) -/var/log/lightdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0) -/var/run/lightdm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0) ') diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if index 41004c5..f05d7bf 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if 
@@ -1836,37 +1836,3 @@ interface(`auth_unconfined',` typeattribute $1 can_write_shadow_passwords; typeattribute $1 can_relabelto_shadow_passwords; ') - -# Should be in an ifdef distro_gentoo but that is not supported in the global if file - - -## summary -## Create specified objects in -## pid directories with the pam var -## run file type using a -## file type transition. -## /summary -## param name=domain -## summary -## Domain allowed access. -## /summary -## /param -## param name=object_class -## summary -## Class of the object being created. -## /summary -## /param -## param name=name optional=true -## summary -## The name of the object being created. -## /summary -## /param -# -interface(`auth_pid_filetrans_pam_var_run',` - gen_require(` - type pam_var_run_t; - ') - - files_pid_filetrans($1, pam_var_run_t, $2, $3) -') - diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc index fb132f9..be77216 100644 --- a/policy/modules/system/fstools.fc +++ b/policy/modules/system/fstools.fc @@ -66,6 +66,4 @@ ifdef(`distro_gentoo',` /sbin/mkfs\.f2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) /usr/sbin/mkfs\.f2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0) -/usr/sbin/gdisk--