[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/roles/, policy/modules/system/

2022-12-13 Thread Kenton Groombridge
commit: fef16712de5ef8682ec086c0679fb60cc3b85389
Author: Kenton Groombridge  concord  sh>
AuthorDate: Wed Dec  7 15:35:24 2022 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Tue Dec 13 19:07:38 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=fef16712

init, sysadm: allow sysadm to manage systemd runtime units

On systemd 252, mount units generated from /etc/fstab result in services
labeled init_runtime_t. Allow sysadm to manage these services.

Signed-off-by: Kenton Groombridge  concord.sh>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/roles/sysadm.te |  6 +
 policy/modules/system/init.if  | 57 ++
 2 files changed, 63 insertions(+)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 002987387..eccfd5171 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -82,6 +82,12 @@ ifndef(`enable_mls',`
 ')
 
 ifdef(`init_systemd',`
+   # Allow managing runtime units, for example mount units generated
+   # from /etc/fstab.
+   init_get_runtime_units_status(sysadm_t)
+   init_start_runtime_units(sysadm_t)
+   init_stop_runtime_units(sysadm_t)
+
# Allow sysadm to resolve the username of dynamic users by calling
# LookupDynamicUserByUID on org.freedesktop.systemd1.
init_dbus_chat(sysadm_t)
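Review bot: the comment on the new block says "managing" runtime units, but the three calls grant only status, start and stop on init_runtime_t; reload is not covered by this hunk, even though the service class has a reload permission (see the `init_reload_generic_units` context in the init.if hunk of this same commit). Either add a reload interface next to the other three or narrow the comment to "get the status of, start and stop runtime units" so it matches what is granted.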

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 1186e6d2c..a091a6bef 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -3516,6 +3516,63 @@ interface(`init_reload_generic_units',`
allow $1 systemd_unit_t:service reload;
 ')
 
+
+## 
+## Get the status of runtime systemd units.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`init_get_runtime_units_status',`
+   gen_require(`
+   type init_runtime_t;
+   class service status;
+   ')
+
+   allow $1 init_runtime_t:service status;
+')
+
+
+## 
+## Start runtime systemd units.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`init_start_runtime_units',`
+   gen_require(`
+   type init_runtime_t;
+   class service start;
+   ')
+
+   allow $1 init_runtime_t:service start;
+')
+
+
+## 
+## Stop runtime systemd units.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`init_stop_runtime_units',`
+   gen_require(`
+   type init_runtime_t;
+   class service stop;
+   ')
+
+   allow $1 init_runtime_t:service stop;
+')
+
 
 ## 
 ## Get status of transient systemd units.
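Review bot: the new runtime-unit interfaces stop at status/start/stop, whereas the generic-unit family this hunk is appended to also has `init_reload_generic_units` (context line `allow $1 systemd_unit_t:service reload;`). For symmetry, and so that callers needing reload do not end up writing raw allow rules against init_runtime_t, consider adding `init_reload_runtime_units` with `class service reload;` in its gen_require, following the same layout as the three interfaces here.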



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/roles/, policy/modules/system/

2022-01-29 Thread Jason Zaman
commit: 8e5c3ef52981f7fe7a093add0ea2e774c4a03367
Author: Kenton Groombridge  concord  sh>
AuthorDate: Thu Dec 23 14:54:00 2021 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Jan 30 01:12:42 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8e5c3ef5

staff, unconfined: allow container user access

Signed-off-by: Kenton Groombridge  concord.sh>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/roles/staff.te   | 4 
 policy/modules/system/unconfined.te | 4 
 2 files changed, 8 insertions(+)

diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 253869d9..4a4867f7 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -23,6 +23,10 @@ optional_policy(`
auditadm_role_change(staff_r)
 ')
 
+optional_policy(`
+   container_user_role(staff, staff_t, staff_application_exec_domain, 
staff_r)
+')
+
 optional_policy(`
dbadm_role_change(staff_r)
 ')
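Review bot: the commit message has no body, so nothing records why staff_t, a role with fewer privileges than unconfined_t (which gets the same `container_user_role` call in the next hunk), should receive container user access, nor whether the grant to staff should sit behind a tunable. Add a sentence to the commit message stating the use case; without it the staff change is indistinguishable from an accidental copy of the unconfined one.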

diff --git a/policy/modules/system/unconfined.te 
b/policy/modules/system/unconfined.te
index e30a1197..df6fbdb7 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -80,6 +80,10 @@ optional_policy(`
bootloader_run(unconfined_t, unconfined_r)
 ')
 
+optional_policy(`
+   container_user_role(unconfined, unconfined_t, 
unconfined_application_exec_domain, unconfined_r)
+')
+
 optional_policy(`
cron_unconfined_role(unconfined, unconfined_t, 
unconfined_application_exec_domain, unconfined_r)
 ')



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/roles/, policy/modules/system/

2021-11-20 Thread Jason Zaman
commit: cef9e4e41372d7845ec7321525d36469c55b074d
Author: Jason Zaman  gentoo  org>
AuthorDate: Sun Nov 21 02:55:15 2021 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Nov 21 02:55:15 2021 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=cef9e4e4

roles: Update to use user exec domain attribute

Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/roles/staff.te   | 8 ++--
 policy/modules/roles/unprivuser.te  | 6 +-
 policy/modules/system/unconfined.te | 2 +-
 3 files changed, 4 insertions(+), 12 deletions(-)

diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 29f68027..e7b711d3 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -240,7 +240,7 @@ ifdef(`distro_gentoo',`
')
 
optional_policy(`
-   hadoop_role(staff_r, staff_t)
+   hadoop_role(staff, staff_t, staff_application_exec_domain, 
staff_r)
')
 
optional_policy(`
@@ -269,10 +269,6 @@ ifdef(`distro_gentoo',`
')
 
optional_policy(`
-   wine_role(staff_r, staff_t)
-   ')
-
-   optional_policy(`
-   xscreensaver_role(staff_r, staff_t)
+   wine_role(staff, staff_t, staff_application_exec_domain, 
staff_r)
')
 ')
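Review bot: this hunk removes `xscreensaver_role(staff_r, staff_t)` without adding a replacement call, yet the commit message only describes switching to the user exec domain attribute. If xscreensaver_role was dropped upstream or folded into the exec-domain attribute, say so in the message; otherwise this silently removes the xscreensaver role from staff, and the call should be converted to the new signature the way `wine_role` was in the same hunk.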

diff --git a/policy/modules/roles/unprivuser.te 
b/policy/modules/roles/unprivuser.te
index 32c928d7..48f86f15 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -248,10 +248,6 @@ ifdef(`distro_gentoo',`
')
 
optional_policy(`
-   wine_role(user_r, user_t)
-   ')
-
-   optional_policy(`
-   xscreensaver_role(user_r, user_t)
+   wine_role(user, user_t, user_application_exec_domain, user_r)
')
 ')
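Review bot: as in staff.te, `xscreensaver_role(user_r, user_t)` is removed here with no replacement while the message mentions only the attribute update for the remaining calls. Either document the removal of the xscreensaver role from user_r in the commit message or convert the call to the `(user, user_t, user_application_exec_domain, user_r)` form used for wine_role.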

diff --git a/policy/modules/system/unconfined.te 
b/policy/modules/system/unconfined.te
index 95d08889..a055df6e 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -240,7 +240,7 @@ optional_policy(`
 ifdef(`distro_gentoo',`
 
optional_policy(`
-   chromium_role(unconfined_r, unconfined_t)
+   chromium_role(unconfined, unconfined_t, 
unconfined_application_exec_domain, unconfined_r)
')
 
optional_policy(`



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/roles/, policy/modules/system/

2021-11-11 Thread Jason Zaman
commit: 090564ca60e3405a73b5c1cea62cbe6a6d5a0eb1
Author: Kenton Groombridge  concord  sh>
AuthorDate: Sun Nov  7 01:40:44 2021 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Thu Nov 11 21:26:50 2021 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=090564ca

sysadm, systemd: fixes for systemd-networkd

Signed-off-by: Kenton Groombridge  concord.sh>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/roles/sysadm.te   |  4 
 policy/modules/system/systemd.if | 21 +
 policy/modules/system/systemd.te |  3 +++
 3 files changed, 28 insertions(+)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 1a1fddf4..3deec0a8 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -88,6 +88,10 @@ ifdef(`init_systemd',`
# Allow sysadm to get the status of and set properties of other users,
# sessions, and seats on the system.
systemd_dbus_chat_logind(sysadm_t)
+
+   # Allow sysadm to query and set networking settings on the system.
+   systemd_dbus_chat_networkd(sysadm_t)
+   fs_read_nsfs_files(sysadm_t)
 ')
 
 tunable_policy(`allow_ptrace',`
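Review bot: the new comment explains `systemd_dbus_chat_networkd(sysadm_t)` but not `fs_read_nsfs_files(sysadm_t)`; reading nsfs (namespace) files is unrelated to the dbus exchange, and the message "fixes for systemd-networkd" quotes no denial for it. Add a comment line naming the operation that needs the nsfs read so the rule is not mistaken for a stray grant later.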

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index e5742254..a493f7dc 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -1425,6 +1425,27 @@ interface(`systemd_startstop_networkd',`
allow $1 systemd_networkd_unit_t:service { start stop };
 ')
 
+
+## 
+##   Send and receive messages from
+##   systemd networkd over dbus.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`systemd_dbus_chat_networkd',`
+   gen_require(`
+   type systemd_networkd_t;
+   class dbus send_msg;
+   ')
+
+   allow $1 systemd_networkd_t:dbus send_msg;
+   allow systemd_networkd_t $1:dbus send_msg;
+')
+
 
 ## 
 ## Allow specified domain to get status of systemd-networkd

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 0f811c77..1e7511b9 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -914,6 +914,9 @@ files_watch_runtime_dirs(systemd_networkd_t)
 files_watch_root_dirs(systemd_networkd_t)
 files_list_runtime(systemd_networkd_t)
 fs_getattr_xattr_fs(systemd_networkd_t)
+fs_getattr_cgroup(systemd_networkd_t)
+fs_search_cgroup_dirs(systemd_networkd_t)
+fs_read_nsfs_files(systemd_networkd_t)
 
 auth_use_nsswitch(systemd_networkd_t)
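Review bot: the three new fs_* rules for systemd_networkd_t (cgroup getattr and search, nsfs read) carry no comment, and the commit message has no AVC lines explaining them. Since these open new object classes to the networkd domain, record the denials or the networkd feature that triggers them, as was done with the comment on the sysadm side of this commit.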
 



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/roles/, policy/modules/system/

2019-03-26 Thread Jason Zaman
commit: 18a557d8e2120c52b059d17bae57811480582f52
Author: Chris PeBenito  ieee  org>
AuthorDate: Sun Mar 17 20:27:34 2019 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Mon Mar 25 10:05:25 2019 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=18a557d8

sysadm, udev: Module version bump.

Signed-off-by: Chris PeBenito  ieee.org>
Signed-off-by: Jason Zaman  perfinion.com>

 policy/modules/roles/sysadm.te | 2 +-
 policy/modules/system/udev.te  | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 6827561f..a9bdbee7 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -1,4 +1,4 @@
-policy_module(sysadm, 2.14.1)
+policy_module(sysadm, 2.14.2)
 
 
 #

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index e6c64026..5d26074a 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -1,4 +1,4 @@
-policy_module(udev, 1.25.1)
+policy_module(udev, 1.25.2)
 
 
 #



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/roles/, policy/modules/system/, policy/modules/kernel/

2017-11-05 Thread Jason Zaman
commit: 70ca70457e34ca1d4a14d57bf953ef63eef324d2
Author: Jason Zaman  perfinion  com>
AuthorDate: Thu Nov  2 17:30:47 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Nov  5 06:38:35 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=70ca7045

gssproxy: Allow others to stream connect

kernel AVC:
 * Starting gssproxy ...
Failed to write to /proc/net/rpc/use-gss-proxy: 13 (Permission denied)
 * start-stop-daemon: failed to start `gssproxy'

type=AVC msg=audit(1490858215.578:386110): avc:  denied  { connectto } for  
pid=25447 comm="gssproxy" path="/run/gssproxy.sock" 
scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 
tclass=unix_stream_socket permissive=0

 policy/modules/kernel/kernel.te | 4 
 policy/modules/roles/sysadm.te  | 4 
 policy/modules/system/userdomain.if | 4 
 3 files changed, 12 insertions(+)

diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 5d8404de..432fa86e 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -423,6 +423,10 @@ optional_policy(`
rpc_tcp_rw_nfs_sockets(kernel_t)
rpc_udp_rw_nfs_sockets(kernel_t)
 
+   optional_policy(`
+   gssproxy_stream_connect(kernel_t)
+   ')
+
tunable_policy(`nfs_export_all_ro',`
fs_getattr_noxattr_fs(kernel_t)
fs_list_noxattr_fs(kernel_t)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 47179088..407ca87f 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -455,6 +455,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+   gssproxy_admin(sysadm_t)
+')
+
+optional_policy(`
hadoop_role(sysadm_r, sysadm_t)
 ')
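Review bot: `gssproxy_admin(sysadm_t)` is called with the domain only, while the other admin calls in this file shown on this page take the role as a second argument (for example `ipsec_admin(sysadm_t, sysadm_r)` and `setrans_admin(sysadm_t, sysadm_r)`). Confirm that gssproxy_admin really has no role parameter; if it has one for init_startstop_service, sysadm_r is missing here and the role will not be granted the service start/stop path.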
 

diff --git a/policy/modules/system/userdomain.if 
b/policy/modules/system/userdomain.if
index 178b5fb7..2f7afd72 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -686,6 +686,10 @@ template(`userdom_common_user_template',`
')
 
optional_policy(`
+   gssproxy_stream_connect($1_t)
+   ')
+
+   optional_policy(`
hwloc_exec_dhwd($1_t)
hwloc_read_runtime_files($1_t)
')



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/roles/, policy/modules/system/, policy/modules/kernel/, ...

2017-11-05 Thread Jason Zaman
commit: 0dbf608cb52fd74d31d0bcd172e7a52a87109474
Author: Chris PeBenito  ieee  org>
AuthorDate: Sat Nov  4 18:07:40 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Nov  5 06:38:35 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0dbf608c

kernel, mls, sysadm, ssh, xserver, authlogin, locallogin, userdomain: Module 
version bumps.

 policy/modules/kernel/kernel.te | 2 +-
 policy/modules/kernel/mls.te| 2 +-
 policy/modules/roles/sysadm.te  | 2 +-
 policy/modules/services/ssh.te  | 2 +-
 policy/modules/services/xserver.te  | 2 +-
 policy/modules/system/authlogin.te  | 2 +-
 policy/modules/system/locallogin.te | 2 +-
 policy/modules/system/userdomain.te | 2 +-
 8 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 432fa86e..f4ef97fe 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -1,4 +1,4 @@
-policy_module(kernel, 1.23.1)
+policy_module(kernel, 1.23.2)
 
 
 #

diff --git a/policy/modules/kernel/mls.te b/policy/modules/kernel/mls.te
index e879ddd3..ad74e81f 100644
--- a/policy/modules/kernel/mls.te
+++ b/policy/modules/kernel/mls.te
@@ -1,4 +1,4 @@
-policy_module(mls, 1.9.0)
+policy_module(mls, 1.9.1)
 
 
 #

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 407ca87f..628da33e 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -1,4 +1,4 @@
-policy_module(sysadm, 2.12.1)
+policy_module(sysadm, 2.12.2)
 
 
 #

diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 69745a31..5274bf74 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -1,4 +1,4 @@
-policy_module(ssh, 2.10.0)
+policy_module(ssh, 2.10.1)
 
 
 #

diff --git a/policy/modules/services/xserver.te 
b/policy/modules/services/xserver.te
index 16614b2a..60570875 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -1,4 +1,4 @@
-policy_module(xserver, 3.14.2)
+policy_module(xserver, 3.14.3)
 
 gen_require(`
class x_drawable all_x_drawable_perms;

diff --git a/policy/modules/system/authlogin.te 
b/policy/modules/system/authlogin.te
index 95c47090..c4991114 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -1,4 +1,4 @@
-policy_module(authlogin, 2.11.1)
+policy_module(authlogin, 2.11.2)
 
 
 #

diff --git a/policy/modules/system/locallogin.te 
b/policy/modules/system/locallogin.te
index ee5f5948..c8ef15ce 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -1,4 +1,4 @@
-policy_module(locallogin, 1.16.0)
+policy_module(locallogin, 1.16.1)
 
 
 #

diff --git a/policy/modules/system/userdomain.te 
b/policy/modules/system/userdomain.te
index 8f954251..b348ccd0 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -1,4 +1,4 @@
-policy_module(userdomain, 4.14.6)
+policy_module(userdomain, 4.14.7)
 
 
 #



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/roles/, policy/modules/system/

2017-09-16 Thread Jason Zaman
commit: bbcc0fa3e3162e0a012c7b740d3e549b10e3709c
Author: Christian Göttsche  googlemail  com>
AuthorDate: Thu Sep 14 11:46:04 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Sep 17 03:17:39 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=bbcc0fa3

dphysswapfile: add interfaces and sysadm access

v2:

add swapfile file context

 policy/modules/roles/sysadm.te   |  4 +++
 policy/modules/system/fstools.fc |  2 ++
 policy/modules/system/fstools.if | 54 
 3 files changed, 60 insertions(+)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index c7520fac..a6e7ba61 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -379,6 +379,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+   dphysswapfile_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
dpkg_run(sysadm_t, sysadm_r)
 ')
 

diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
index 71dad308..494d021e 100644
--- a/policy/modules/system/fstools.fc
+++ b/policy/modules/system/fstools.fc
@@ -106,6 +106,8 @@
 /usr/sbin/zstreamdump  --  
gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/sbin/ztest--  
gen_context(system_u:object_r:fsadm_exec_t,s0)
 
+/var/swap  --  
gen_context(system_u:object_r:swapfile_t,s0)
+
 /var/log/fsck(/.*)?gen_context(system_u:object_r:fsadm_log_t,s0)
 
 /run/blkid(/.*)?   gen_context(system_u:object_r:fsadm_run_t,s0)

diff --git a/policy/modules/system/fstools.if b/policy/modules/system/fstools.if
index f04d843c..6ebe3800 100644
--- a/policy/modules/system/fstools.if
+++ b/policy/modules/system/fstools.if
@@ -209,3 +209,57 @@ interface(`fstools_getattr_swap_files',`
 
allow $1 swapfile_t:file getattr;
 ')
+
+
+## 
+## Ignore access to a swapfile.
+## 
+## 
+## 
+## Domain to not audit.
+## 
+## 
+#
+interface(`fstools_dontaudit_getattr_swap_files',`
+   gen_require(`
+   type swapfile_t;
+   ')
+
+   dontaudit $1 swapfile_t:file getattr;
+')
+
+
+## 
+## Relabel to swapfile.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`fstools_relabelto_swap_files',`
+   gen_require(`
+   type swapfile_t;
+   ')
+
+   allow $1 swapfile_t:file relabelto;
+')
+
+
+## 
+## Manage swapfile.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`fstools_manage_swap_files',`
+   gen_require(`
+   type swapfile_t;
+   ')
+
+   allow $1 swapfile_t:file manage_file_perms;
+')
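Review bot: `fstools_manage_swap_files` grants manage_file_perms on swapfile_t but does not give the caller search access to the parent directory; with the file context in fstools.fc placing the swapfile under /var, callers will also need `files_search_var($1)` to reach it, which is the usual refpolicy pattern for manage interfaces. Consider adding it to the interface, and whether `fstools_relabelto_swap_files` should have a relabelfrom counterpart so a swapfile can be relabeled away again.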



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/roles/, policy/modules/system/

2016-05-12 Thread Jason Zaman
commit: 8f8722e0e188680bf9d1bc518e515685cd424667
Author: Dominick Grift  gmail  com>
AuthorDate: Thu Apr 28 10:06:40 2016 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Fri May 13 05:07:33 2016 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8f8722e0

Update refpolicy to handle hwloc

The Portable Hardware Locality (hwloc) software package provides a
portable abstraction (across OS, versions, architectures, ...) of the
hierarchical topology of modern architectures, including NUMA memory
nodes, sockets, shared caches, cores and simultaneous multithreading. It
also gathers various system attributes such as cache and memory
information as well as the locality of I/O devices such as network
interfaces, InfiniBand HCAs or GPUs.

Following changes enable:
- add interface to change dirs in /var/run
- add optional policies for hwloc-dump-hwdata

V3:
Remove files_rw_pid_dirs()
Call hwloc_admin(sysadm_t) instead of hwloc_manage_runtime(sysadm_t)
Adjust calls to renamed hwloc dhwd run and exec interfaces

Signed-off-by: Dominick Grift  gmail.com>

 policy/modules/roles/sysadm.te  | 5 +
 policy/modules/system/userdomain.if | 5 +
 2 files changed, 10 insertions(+)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 6c46905..e9e3e43 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -458,6 +458,11 @@ optional_policy(`
 ')
 
 optional_policy(`
+   hwloc_admin(sysadm_t)
+   hwloc_run_dhwd(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
howl_admin(sysadm_t, sysadm_r)
 ')
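Review bot: the new hwloc block is inserted before `howl_admin(sysadm_t, sysadm_r)`, but the optional_policy blocks in sysadm.te are kept in alphabetical order (elsewhere on this page: dphysswapfile before dpkg, gssproxy before hadoop, setrans before setroubleshoot) and "howl" sorts before "hwloc"; move the hwloc block after the howl one.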
 

diff --git a/policy/modules/system/userdomain.if 
b/policy/modules/system/userdomain.if
index e341a1c..9284808 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -645,6 +645,11 @@ template(`userdom_common_user_template',`
')
 
optional_policy(`
+   hwloc_exec_dhwd($1_t)
+   hwloc_read_runtime_files($1_t)
+   ')
+
+   optional_policy(`
inetd_use_fds($1_t)
inetd_rw_tcp_sockets($1_t)
')



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/roles/, policy/modules/system/

2015-07-31 Thread Jason Zaman
commit: 41f2cdfadbb7cb1fd016839b923846a9946f3cab
Author: Jason Zaman jason AT perfinion DOT com
AuthorDate: Sat Jul 11 09:15:45 2015 +
Commit: Jason Zaman perfinion AT gentoo DOT org
CommitDate: Thu Jul 30 16:41:27 2015 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=41f2cdfa

Introduce ipsec_admin interface

 policy/modules/roles/sysadm.te |  8 +--
 policy/modules/system/ipsec.if | 51 ++
 2 files changed, 52 insertions(+), 7 deletions(-)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 1ee88cd..5901b2f 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -473,13 +473,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-   # allow system administrator to use the ipsec script to look
-   # at things (e.g., ipsec auto --status)
-   # probably should create an ipsec_admin role for this kind of thing
-   ipsec_exec_mgmt(sysadm_t)
-   ipsec_stream_connect(sysadm_t)
-   # for lsof
-   ipsec_getattr_key_sockets(sysadm_t)
+   ipsec_admin(sysadm_t, sysadm_r)
 ')
 
 optional_policy(`

diff --git a/policy/modules/system/ipsec.if b/policy/modules/system/ipsec.if
index 0d4c8d3..3d64054 100644
--- a/policy/modules/system/ipsec.if
+++ b/policy/modules/system/ipsec.if
@@ -369,3 +369,54 @@ interface(`ipsec_run_setkey',`
ipsec_domtrans_setkey($1)
role $2 types setkey_t;
 ')
+
+
+## summary
+## All of the rules required to
+## administrate an ipsec environment.
+## /summary
+## param name=domain
+## summary
+## Domain allowed access.
+## /summary
+## /param
+## param name=role
+## summary
+## Role allowed access.
+## /summary
+## /param
+## rolecap/
+#
+interface(`ipsec_admin',`
+   gen_require(`
+   type ipsec_t, ipsec_initrc_exec_t, ipsec_conf_file_t;
+   type ipsec_key_file_t, ipsec_log_t, ipsec_tmp_t;
+   type ipsec_var_run_t, ipsec_mgmt_lock_t;
+   type ipsec_mgmt_var_run_t, racoon_tmp_t;
+   ')
+
+   allow $1 ipsec_t:process { ptrace signal_perms };
+   ps_process_pattern($1, ipsec_t)
+
+   init_startstop_service($1, $2, ipsec_t, ipsec_initrc_exec_t)
+
+   ipsec_exec_mgmt($1)
+   ipsec_stream_connect($1)
+   # for lsof
+   ipsec_getattr_key_sockets($1)
+
+   files_search_etc($1)
+   admin_pattern($1, { ipsec_conf_file_t ipsec_key_file_t })
+
+   files_search_tmp($1)
+   admin_pattern($1, { ipsec_tmp_t racoon_tmp_t })
+
+   files_search_pids($1)
+   admin_pattern($1, { ipsec_var_run_t ipsec_mgmt_var_run_t })
+
+   files_search_locks($1)
+   admin_pattern($1, ipsec_mgmt_lock_t)
+
+   logging_search_logs($1)
+   admin_pattern($1, ipsec_log_t)
+')
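Review bot: ipsec_admin grants `allow $1 ipsec_t:process { ptrace signal_perms }` unconditionally, while sysadm.te gates ptrace behind the `allow_ptrace` tunable (visible in the sysadm.te context elsewhere on this page), so the interface bypasses that tunable for the ipsec_t domain. Separately, the interface administers racoon_tmp_t but adds no process or ps rules for racoon_t or setkey_t, although `setkey_t` is the domain handled by the neighbouring ipsec_run_setkey; either drop racoon_tmp_t from the gen_require and admin_pattern or add the matching domains.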



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/roles/, policy/modules/system/

2015-07-31 Thread Jason Zaman
commit: 7cbd3127de4bc90b6b00f2567edf54efaa6ecd66
Author: Chris PeBenito cpebenito AT tresys DOT com
AuthorDate: Tue Jul 14 15:18:35 2015 +
Commit: Jason Zaman perfinion AT gentoo DOT org
CommitDate: Thu Jul 30 16:41:28 2015 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7cbd3127

Module version bumps for admin interfaces from Jason Zaman.

 policy/modules/roles/sysadm.te   | 2 +-
 policy/modules/system/ipsec.te   | 2 +-
 policy/modules/system/lvm.te | 2 +-
 policy/modules/system/setrans.te | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index e96c1fd..b6cf594 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -1,4 +1,4 @@
-policy_module(sysadm, 2.8.1)
+policy_module(sysadm, 2.8.2)
 
 
 #

diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index 0d2fc22..3734bd4 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -1,4 +1,4 @@
-policy_module(ipsec, 1.15.0)
+policy_module(ipsec, 1.15.1)
 
 
 #

diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index a1485fb..6880656 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -1,4 +1,4 @@
-policy_module(lvm, 1.16.0)
+policy_module(lvm, 1.16.1)
 
 
 #

diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
index 6d057f8..2df8b53 100644
--- a/policy/modules/system/setrans.te
+++ b/policy/modules/system/setrans.te
@@ -1,4 +1,4 @@
-policy_module(setrans, 1.10.0)
+policy_module(setrans, 1.10.1)
 
 gen_require(`
class context contains;



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/roles/, policy/modules/system/

2015-07-31 Thread Jason Zaman
commit: d12c961da29084ced47ff21373925c02fc73e022
Author: Jason Zaman jason AT perfinion DOT com
AuthorDate: Sat Jul 11 09:15:46 2015 +
Commit: Jason Zaman perfinion AT gentoo DOT org
CommitDate: Thu Jul 30 16:41:28 2015 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d12c961d

Introduce setrans_admin interface

 policy/modules/roles/sysadm.te   |  4 
 policy/modules/system/setrans.if | 31 +++
 2 files changed, 35 insertions(+)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 5901b2f..e96c1fd 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -952,6 +952,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+   setrans_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
setroubleshoot_admin(sysadm_t, sysadm_r)
 ')
 

diff --git a/policy/modules/system/setrans.if b/policy/modules/system/setrans.if
index efa9c27..2a8ecaa 100644
--- a/policy/modules/system/setrans.if
+++ b/policy/modules/system/setrans.if
@@ -40,3 +40,34 @@ interface(`setrans_translate_context',`
stream_connect_pattern($1, setrans_var_run_t, setrans_var_run_t, 
setrans_t)
files_list_pids($1)
 ')
+
+##
+## summary
+## All of the rules required to
+## administrate an setrans environment.
+## /summary
+## param name=domain
+## summary
+## Domain allowed access.
+## /summary
+## /param
+## param name=role
+## summary
+## Role allowed access.
+## /summary
+## /param
+#
+interface(`setrans_admin',`
+   gen_require(`
+   type setrans_t, setrans_initrc_exec_t;
+   type setrans_var_run_t;
+   ')
+
+   allow $1 setrans_t:process { ptrace signal_perms };
+   ps_process_pattern($1, setrans_t)
+
+   init_startstop_service($1, $2, setrans_t, setrans_initrc_exec_t)
+
+   files_search_pids($1)
+   admin_pattern($1, setrans_var_run_t)
+')
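Review bot: the summary reads "an setrans environment"; it should be "a setrans environment". Also, the doc block declares a role parameter but lacks the rolecap marker that the otherwise identical ipsec_admin block on this page carries; add it so the interface is listed as a role capability in the generated documentation.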



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/roles/, policy/modules/system/

2015-06-09 Thread Jason Zaman
commit: 08213f5921384c780e0fd9f588a1f997c7f0d1ba
Author: Chris PeBenito cpebenito AT tresys DOT com
AuthorDate: Tue Jun  9 12:39:18 2015 +
Commit: Jason Zaman perfinion AT gentoo DOT org
CommitDate: Tue Jun  9 13:06:34 2015 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=08213f59

Module version bump for admin interface changes from Jason Zaman.

 policy/modules/roles/sysadm.te| 2 +-
 policy/modules/system/iptables.te | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 4ece2da..13b48c6 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -1,4 +1,4 @@
-policy_module(sysadm, 2.8.0)
+policy_module(sysadm, 2.8.1)
 
 
 #

diff --git a/policy/modules/system/iptables.te 
b/policy/modules/system/iptables.te
index fc97f63..8840633 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -1,4 +1,4 @@
-policy_module(iptables, 1.15.1)
+policy_module(iptables, 1.15.2)
 
 
 #