[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2024-05-14 Thread Kenton Groombridge
commit: 8271ab906f4389dae37b0470c44cdc6ab15b784d
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Mon May  6 20:39:41 2024 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Tue May 14 17:41:49 2024 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8271ab90

container: allow containers to getcap

Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/services/container.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/services/container.te 
b/policy/modules/services/container.te
index 9699ac36d..68aa97ae5 100644
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@@ -286,7 +286,7 @@ corenet_port(container_port_t)
 dontaudit container_domain self:capability fsetid;
 dontaudit container_domain self:capability2 block_suspend;
 allow container_domain self:cap_userns { chown dac_override dac_read_search 
fowner kill setgid setuid };
-allow container_domain self:process { execstack execmem getattr getsched 
getsession setsched setcap setpgid signal_perms };
+allow container_domain self:process { execstack execmem getattr getcap 
getsched getsession setsched setcap setpgid signal_perms };
 allow container_domain self:dir rw_dir_perms;
 allow container_domain self:file create_file_perms;
 allow container_domain self:fifo_file manage_fifo_file_perms;



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2024-05-14 Thread Kenton Groombridge
commit: b85214ca8e0a693d0b903fd31da74b6d6be4667b
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Mon May  6 20:38:43 2024 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Tue May 14 17:41:47 2024 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b85214ca

container: allow system container engines to mmap runtime files

Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/services/container.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/services/container.te 
b/policy/modules/services/container.te
index 096d6c23d..9699ac36d 100644
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@@ -866,7 +866,7 @@ filetrans_pattern(container_engine_system_domain, 
container_var_lib_t, container
 filetrans_pattern(container_engine_system_domain, container_var_lib_t, 
container_file_t, dir, "volumes")
 
 allow container_engine_system_domain container_runtime_t:dir { 
manage_dir_perms relabel_dir_perms watch };
-allow container_engine_system_domain container_runtime_t:file { 
manage_file_perms relabel_file_perms watch };
+allow container_engine_system_domain container_runtime_t:file { 
mmap_manage_file_perms relabel_file_perms watch };
 allow container_engine_system_domain container_runtime_t:fifo_file { 
manage_fifo_file_perms relabel_fifo_file_perms };
 allow container_engine_system_domain container_runtime_t:lnk_file { 
manage_lnk_file_perms relabel_lnk_file_perms };
 allow container_engine_system_domain container_runtime_t:sock_file { 
manage_sock_file_perms relabel_sock_file_perms };
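Review bot: The `+allow container_engine_system_domain container_runtime_t:file { mmap_manage_file_perms ...` line carries no comment saying which engine needs to map which runtime file, and the commit message has no denial either. Because the rule is on the container_engine_system_domain attribute, every system engine gains `map` on every container_runtime_t file, so a one-line why-comment lets the next reader judge whether it can be narrowed; something like `# <engine> maps <runtime file> -- see denial in commit log` with the real names filled in would do.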



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2024-05-14 Thread Kenton Groombridge
commit: cdc026e081113bc262a5183640d4fcde761858ce
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Mon May  6 21:19:44 2024 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Tue May 14 17:41:53 2024 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=cdc026e0

container, crio, kubernetes: minor fixes

Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/services/container.te  | 1 +
 policy/modules/services/crio.te   | 1 +
 policy/modules/services/kubernetes.te | 3 +++
 3 files changed, 5 insertions(+)

diff --git a/policy/modules/services/container.te 
b/policy/modules/services/container.te
index 68aa97ae5..095308a13 100644
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@@ -982,6 +982,7 @@ allow spc_t self:alg_socket create_stream_socket_perms;
 allow spc_t self:netlink_audit_socket { create_netlink_socket_perms 
nlmsg_relay };
 allow spc_t self:netlink_generic_socket create_socket_perms;
 allow spc_t self:netlink_netfilter_socket create_socket_perms;
+allow spc_t self:netlink_tcpdiag_socket nlmsg_read;
 allow spc_t self:netlink_xfrm_socket create_netlink_socket_perms;
 allow spc_t self:perf_event { cpu kernel open read };
 
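Review bot: None of the rules added by this commit (here `allow spc_t self:netlink_tcpdiag_socket nlmsg_read;`, `container_signal_system_containers` in crio.te, and `container_watch_log_dirs` plus `kernel_dontaudit_getattr_proc` in kubernetes.te) records what triggered it, and the title "minor fixes" does not help a later reader decide whether a rule is still needed. For the spc_t rule a why-comment such as `# <component> reads socket diagnostics (sock_diag)` with the actual consumer named would be enough; the risk is low since spc_t is the super-privileged container domain. The kubectl dontaudit deserves the same treatment because it silences rather than grants and is easy to forget when the underlying cause goes away.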

diff --git a/policy/modules/services/crio.te b/policy/modules/services/crio.te
index 3dd616f7a..91306d80e 100644
--- a/policy/modules/services/crio.te
+++ b/policy/modules/services/crio.te
@@ -84,6 +84,7 @@ init_use_fds(crio_conmon_t)
 
 container_kill_all_containers(crio_conmon_t)
 container_read_all_container_state(crio_conmon_t)
+container_signal_system_containers(crio_conmon_t)
 
 # for kubernetes debug pods
 container_use_container_ptys(crio_conmon_t)

diff --git a/policy/modules/services/kubernetes.te 
b/policy/modules/services/kubernetes.te
index 58292de85..3ba666299 100644
--- a/policy/modules/services/kubernetes.te
+++ b/policy/modules/services/kubernetes.te
@@ -393,6 +393,7 @@ container_relabel_all_content(kubelet_t)
 container_manage_log_dirs(kubelet_t)
 container_manage_log_files(kubelet_t)
 container_manage_log_symlinks(kubelet_t)
+container_watch_log_dirs(kubelet_t)
 container_watch_log_files(kubelet_t)
 container_log_filetrans(kubelet_t, { dir file })
 
@@ -617,6 +618,8 @@ userdom_use_user_terminals(kubectl_domain)
 # kubectl local policy
 #
 
+kernel_dontaudit_getattr_proc(kubectl_t)
+
 auth_use_nsswitch(kubectl_t)
 
 # not required, but convenient for using config commands



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2024-05-14 Thread Kenton Groombridge
commit: 8c2f46403362398b17348da14c551acad1cdc0b4
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Mon May  6 20:33:13 2024 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Tue May 14 17:41:45 2024 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8c2f4640

matrixd: add tunable for binding to all unreserved ports

This is to support using Synapse workers which require binding to
multiple TCP ports in lieu of manually labeling unreserved ports for
use.

Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/services/matrixd.te | 16 +++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/policy/modules/services/matrixd.te 
b/policy/modules/services/matrixd.te
index c396a3d7c..5f092f31c 100644
--- a/policy/modules/services/matrixd.te
+++ b/policy/modules/services/matrixd.te
@@ -20,6 +20,16 @@ gen_tunable(matrix_allow_federation, true)
 ## 
 gen_tunable(matrix_postgresql_connect, false)
 
+## 
+##  
+##  Determine whether Matrixd is allowed to bind all
+##  TCP ports. This is intended for more complex Matrix
+## server configurations (e.g. Synapse workers) and may
+## be used in lieu of manually labeling each port.
+##  
+## 
+gen_tunable(matrix_bind_all_unreserved_tcp_ports, false)
+
 type matrixd_t;
 type matrixd_exec_t;
 init_daemon_domain(matrixd_t, matrixd_exec_t)
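Review bot: The tunable description at the `+## Determine whether Matrixd is allowed to bind all` / `+## TCP ports.` lines says all TCP ports, but the tunable name and the interface it enables in the second hunk (`corenet_tcp_bind_all_unreserved_ports`) cover only unreserved ports (above 1023). The text should read `Determine whether Matrixd is allowed to bind all unreserved TCP ports.` so an administrator listing booleans does not assume reserved ports are included. Defaulting the tunable to false is the right choice given how much port-level confinement it removes when enabled.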
@@ -117,7 +127,11 @@ tunable_policy(`matrix_postgresql_connect',`
postgresql_tcp_connect(matrixd_t)
 ')
 
+tunable_policy(`matrix_bind_all_unreserved_tcp_ports',`
+   corenet_tcp_bind_all_unreserved_ports(matrixd_t)
+')
+
 optional_policy(`
apache_search_config(matrixd_t)
 ')
- 
+



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2024-05-14 Thread Kenton Groombridge
commit: 304a909724d2e15445449257a45563751eb88a7c
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Mon May  6 19:59:55 2024 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Tue May 14 17:41:35 2024 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=304a9097

dovecot: allow dovecot-auth to read SASL keytab

Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/services/dovecot.te | 4 
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/services/dovecot.te 
b/policy/modules/services/dovecot.te
index 11ffbb177..937219831 100644
--- a/policy/modules/services/dovecot.te
+++ b/policy/modules/services/dovecot.te
@@ -321,6 +321,10 @@ optional_policy(`
postfix_search_spool(dovecot_auth_t)
 ')
 
+optional_policy(`
+   sasl_read_keytab(dovecot_auth_t)
+')
+
 optional_policy(`
 postgresql_unpriv_client(dovecot_auth_t)
 
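Review bot: The new `optional_policy(` block calling `sasl_read_keytab(dovecot_auth_t)` is inserted between the postfix and postgresql blocks; if this section follows the usual refpolicy convention of ordering optional_policy blocks alphabetically by module, it belongs after the postgresql block (postfix < postgresql < sasl). Only the two neighbouring blocks are visible in the hunk, so please confirm against the rest of the dovecot_auth_t section. A comment such as `# GSSAPI authentication against the SASL keytab` would also record why dovecot-auth needs the keytab.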



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2024-05-14 Thread Kenton Groombridge
commit: dc612e94fc961e4039c1fba11c03e9f872888fbf
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Mon May  6 19:58:20 2024 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Tue May 14 17:41:33 2024 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=dc612e94

fail2ban: allow reading net sysctls

type=AVC msg=audit(1696613589.191:194926): avc:  denied  { search } for  
pid=1724 comm="f2b/f.dovecot" name="net" dev="proc" ino=2813 
scontext=system_u:system_r:fail2ban_t:s0 
tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0

Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/services/fail2ban.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/services/fail2ban.te 
b/policy/modules/services/fail2ban.te
index af34769d3..dce03adca 100644
--- a/policy/modules/services/fail2ban.te
+++ b/policy/modules/services/fail2ban.te
@@ -62,6 +62,7 @@ manage_sock_files_pattern(fail2ban_t, fail2ban_runtime_t, 
fail2ban_runtime_t)
 manage_files_pattern(fail2ban_t, fail2ban_runtime_t, fail2ban_runtime_t)
 files_runtime_filetrans(fail2ban_t, fail2ban_runtime_t, file)
 
+kernel_read_net_sysctls(fail2ban_t)
 kernel_read_system_state(fail2ban_t)
 kernel_read_vm_overcommit_sysctl(fail2ban_t)
 kernel_search_fs_sysctls(fail2ban_t)



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2024-05-14 Thread Kenton Groombridge
commit: eb3fe60b4f0d6bf8c466179cababdfa67ab8aabc
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Mon May  6 20:21:13 2024 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Tue May 14 17:41:41 2024 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=eb3fe60b

asterisk: allow binding to all unreserved UDP ports

This is for RTP streaming.

Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/services/asterisk.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/services/asterisk.te 
b/policy/modules/services/asterisk.te
index 0c2f9a42d..3cf98e59d 100644
--- a/policy/modules/services/asterisk.te
+++ b/policy/modules/services/asterisk.te
@@ -110,6 +110,7 @@ corenet_udp_bind_sip_port(asterisk_t)
 corenet_sendrecv_generic_server_packets(asterisk_t)
 corenet_tcp_bind_generic_port(asterisk_t)
 corenet_udp_bind_generic_port(asterisk_t)
+corenet_udp_bind_all_unreserved_ports(asterisk_t)
 corenet_dontaudit_udp_bind_all_ports(asterisk_t)
 
 corenet_sendrecv_jabber_client_client_packets(asterisk_t)
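Review bot: `corenet_udp_bind_all_unreserved_ports(asterisk_t)` is granted unconditionally, whereas the equivalent TCP grant for matrixd elsewhere on this page (commit 8c2f4640) is placed behind a tunable that defaults to false. Asterisk's RTP port range is configurable, so a tunable (a constructed name would be `asterisk_bind_all_unreserved_udp_ports`) would let an administrator who labels the RTP range explicitly keep port-level confinement. At minimum the reason from the commit message should sit next to the rule, e.g. `# RTP media streams bind dynamically chosen UDP ports`, and the same comment could note that the following `corenet_dontaudit_udp_bind_all_ports` now only matters for reserved ports.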



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2024-05-14 Thread Kenton Groombridge
commit: 30142b2d3d2fbe3e30c81bd7463e8bb8e4f1752d
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Mon May  6 20:14:04 2024 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Tue May 14 17:41:39 2024 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=30142b2d

postgres: add a standalone execmem tunable

Add a separate tunable to allow Postgres to use execmem. This is to
support JIT in the Postgres server without enabling it for the entire
system.

Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/services/postgresql.te | 9 -
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/policy/modules/services/postgresql.te 
b/policy/modules/services/postgresql.te
index 810fb0ed4..7eec1b665 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -18,6 +18,13 @@ gen_require(`
 # Declarations
 #
 
+## 
+## 
+## Allow postgresql to map memory regions as both executable and writable 
(e.g. for JIT).
+## 
+## 
+gen_tunable(psql_allow_execmem, false)
+
 ## 
 ## 
 ## Allow unprived users to execute DDL statement
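Review bot: The new tunable is named `psql_allow_execmem`, while the tunables already in refpolicy's postgresql module use the `postgresql_` and `sepgsql_` prefixes (the one whose description follows this hunk, "Allow unprived users to execute DDL statement", is one of the `sepgsql_` ones); `postgresql_allow_execmem` would keep the module-prefix naming and be easier to find. The `allow_execmem || psql_allow_execmem` condition in the second hunk is the right shape and should simply follow the rename. Gating a writable+executable memory grant behind a per-service tunable that defaults to false is the appropriate hardened-policy pattern, so the description's "(e.g. for JIT)" could also mention that the setting should stay off unless JIT is actually enabled in postgresql.conf.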
@@ -363,7 +370,7 @@ optional_policy(`
mta_getattr_spool(postgresql_t)
 ')
 
-tunable_policy(`allow_execmem',`
+tunable_policy(`allow_execmem || psql_allow_execmem',`
allow postgresql_t self:process execmem;
 ')
 



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2024-05-14 Thread Kenton Groombridge
commit: c6e72252a0d9ec8e88e28e2512737936cec8c3ea
Author: Dave Sugar  gmail  com>
AuthorDate: Sun May  5 01:19:20 2024 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Tue May 14 17:41:22 2024 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c6e72252

Need map perm for cockpit 300.4

node=localhost type=AVC msg=audit(1714870999.370:3558): avc:  denied  { map } 
for  pid=7081 comm="cockpit-bridge" path=2F6465762F23373933202864656C6574656429 
dev="devtmpfs" ino=793 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 
tcontext=staff_u:object_r:staff_cockpit_tmpfs_t:s0 tclass=file permissive=0

Signed-off-by: Dave Sugar  gmail.com>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/services/cockpit.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/services/cockpit.if 
b/policy/modules/services/cockpit.if
index 1a13f4e5a..bde2bfad5 100644
--- a/policy/modules/services/cockpit.if
+++ b/policy/modules/services/cockpit.if
@@ -49,7 +49,7 @@ template(`cockpit_role_template',`
files_tmpfs_file($1_cockpit_tmpfs_t)
dev_filetrans($2, $1_cockpit_tmpfs_t, file)
 
-   allow $2 $1_cockpit_tmpfs_t:file { manage_file_perms execute };
+   allow $2 $1_cockpit_tmpfs_t:file { mmap_manage_file_perms execute };
 
dev_dontaudit_execute_dev_nodes($2)
 
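Review bot: With `map` added to a rule that already grants write (via manage) and `execute` on `$1_cockpit_tmpfs_t`, the `$2` user domain can create one of these files, write to it and map it executable (the AVC's deleted `/dev/#793` path indicates a memfd-style file), which is functionally the same as granting `$2` execmem; the template should state that explicitly. A comment above the rule such as `# cockpit-bridge maps its memfd-backed tmpfs files executable; this is effectively execmem for $2` would make the trade-off visible to anyone instantiating the template for a role. If that is not intended for every role using cockpit_role_template, a tunable guard would be the refpolicy way to scope it. The template body continues outside the hunk.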



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2024-05-14 Thread Kenton Groombridge
commit: 8b220a9ced8dbe5449cf443a16b782141d6f4772
Author: Chris PeBenito  linux  microsoft  com>
AuthorDate: Tue Mar  5 15:18:41 2024 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Tue May 14 17:41:01 2024 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8b220a9c

certbot: Drop execmem.

This is related to FFI use in python3-openssl. Libffi now changes behavior
when it detects SELinux, to avoid this type of denial.

Signed-off-by: Chris PeBenito  linux.microsoft.com>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/services/certbot.te | 4 
 1 file changed, 4 deletions(-)

diff --git a/policy/modules/services/certbot.te 
b/policy/modules/services/certbot.te
index 9723f7880..6edaac830 100644
--- a/policy/modules/services/certbot.te
+++ b/policy/modules/services/certbot.te
@@ -54,10 +54,6 @@ files_tmp_filetrans(certbot_t, certbot_tmp_t, { dir file })
 manage_files_pattern(certbot_t, certbot_tmpfs_t, certbot_tmpfs_t)
 fs_tmpfs_filetrans(certbot_t, certbot_tmpfs_t, { file })
 
-# this is for certbot to have write-exec memory, I know it is bad
-# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=913544
-# the Debian bug report has background about python-acme and python3-openssl
-allow certbot_t self:process execmem;
 allow certbot_t certbot_tmp_t:file mmap_exec_file_perms;
 allow certbot_t certbot_tmpfs_t:file mmap_exec_file_perms;
 allow certbot_t certbot_runtime_t:file mmap_exec_file_perms;



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2024-05-14 Thread Kenton Groombridge
commit: 4f530e384d56b9f11d4846e1018c56fe3df86e05
Author: Chris PeBenito  linux  microsoft  com>
AuthorDate: Tue Mar  5 15:20:13 2024 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Tue May 14 17:41:02 2024 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4f530e38

cockpit: Change $1_cockpit_tmpfs_t to a tmpfs file type.

Signed-off-by: Chris PeBenito  linux.microsoft.com>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/services/cockpit.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/services/cockpit.if 
b/policy/modules/services/cockpit.if
index 4c452484c..1a13f4e5a 100644
--- a/policy/modules/services/cockpit.if
+++ b/policy/modules/services/cockpit.if
@@ -46,7 +46,7 @@
 template(`cockpit_role_template',`
 
type $1_cockpit_tmpfs_t;
-   files_runtime_file($1_cockpit_tmpfs_t)
+   files_tmpfs_file($1_cockpit_tmpfs_t)
dev_filetrans($2, $1_cockpit_tmpfs_t, file)
 
allow $2 $1_cockpit_tmpfs_t:file { manage_file_perms execute };



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2024-03-01 Thread Kenton Groombridge
commit: 3676555ed89c3a47ec1f553710f70bf547bd7245
Author: Christian Göttsche  googlemail  com>
AuthorDate: Thu Feb 22 17:00:55 2024 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Fri Mar  1 17:05:57 2024 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3676555e

consolesetup: update

AVC avc:  denied  { read } for  pid=770 comm="mkdir" name="filesystems" 
dev="proc" ino=4026532069 scontext=system_u:system_r:consolesetup_t:s0 
tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=0

Signed-off-by: Christian Göttsche  googlemail.com>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/services/consolesetup.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/services/consolesetup.te 
b/policy/modules/services/consolesetup.te
index 7756ef6c9..023ec5d23 100644
--- a/policy/modules/services/consolesetup.te
+++ b/policy/modules/services/consolesetup.te
@@ -37,6 +37,8 @@ files_runtime_filetrans(consolesetup_t, 
consolesetup_runtime_t, dir, "console-se
 manage_files_pattern(consolesetup_t, consolesetup_tmp_t, consolesetup_tmp_t)
 files_tmp_filetrans(consolesetup_t, consolesetup_tmp_t, file)
 
+kernel_read_system_state(consolesetup_t)
+
 corecmd_exec_bin(consolesetup_t)
 corecmd_exec_shell(consolesetup_t)
 



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2024-03-01 Thread Kenton Groombridge
commit: b1a213b26e58f32d250057fcb9e1af3a9f05a63d
Author: Christian Göttsche  googlemail  com>
AuthorDate: Thu Feb 22 17:00:46 2024 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Fri Mar  1 17:05:51 2024 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b1a213b2

vnstatd: update

type=PROCTITLE msg=audit(21/02/24 22:54:36.792:69) : 
proctitle=/usr/sbin/vnstatd -n
type=PATH msg=audit(21/02/24 22:54:36.792:69) : item=0 name=/dev/urandom 
inode=18 dev=00:2b mode=character,666 ouid=root ogid=root rdev=01:09 
obj=system_u:object_r:urandom_device_t:s0 nametype=NORMAL cap_fp=none 
cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(21/02/24 22:54:36.792:69) : cwd=/
type=SYSCALL msg=audit(21/02/24 22:54:36.792:69) : arch=x86_64 
syscall=openat success=yes exit=5 a0=AT_FDCWD a1=0x7f197cc66865 
a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=900 auid=unset uid=vnstat 
gid=vnstat euid=vnstat suid=vnstat fsuid=vnstat egid=vnstat sgid=vnstat 
fsgid=vnstat tty=(none) ses=unset comm=vnstatd exe=/usr/sbin/vnstatd 
subj=system_u:system_r:vnstatd_t:s0 key=(null)
type=AVC msg=audit(21/02/24 22:54:36.792:69) : avc:  denied  { open } for  
pid=900 comm=vnstatd path=/dev/urandom dev=tmpfs ino=18 
scontext=system_u:system_r:vnstatd_t:s0 
tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(21/02/24 22:54:36.792:69) : avc:  denied  { read } for  
pid=900 comm=vnstatd name=urandom dev=tmpfs ino=18 
scontext=system_u:system_r:vnstatd_t:s0 
tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file permissive=1

Signed-off-by: Christian Göttsche  googlemail.com>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/services/vnstatd.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/services/vnstatd.te 
b/policy/modules/services/vnstatd.te
index f8274d451..3be384a9a 100644
--- a/policy/modules/services/vnstatd.te
+++ b/policy/modules/services/vnstatd.te
@@ -48,6 +48,7 @@ kernel_read_system_state(vnstatd_t)
 
 # read /sys/class/net/eth0
 dev_read_sysfs(vnstatd_t)
+dev_read_urand(vnstatd_t)
 
 files_read_etc_files(vnstatd_t)
 files_search_var_lib(vnstatd_t)
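Review bot: The new `dev_read_urand(vnstatd_t)` sits directly under the `# read /sys/class/net/eth0` comment, which now reads as if it also explained the urandom access. Either separate it with a blank line or give it its own comment, e.g. `# vnstatd opens /dev/urandom at startup (see audit record in commit message)`, so the two grants keep distinct justifications.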



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2024-03-01 Thread Kenton Groombridge
commit: 6d1c3e8b33d3134dbe1767539363491a5f1600ea
Author: Christian Göttsche  googlemail  com>
AuthorDate: Thu Feb 22 17:00:33 2024 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Fri Mar  1 17:05:43 2024 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6d1c3e8b

virt: label qemu configuration directory

Signed-off-by: Christian Göttsche  googlemail.com>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/services/virt.fc | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/services/virt.fc b/policy/modules/services/virt.fc
index ab5d0885d..9c209d8f0 100644
--- a/policy/modules/services/virt.fc
+++ b/policy/modules/services/virt.fc
@@ -9,6 +9,8 @@ HOME_DIR/VirtualMachines/isos(/.*)? 
gen_context(system_u:object_r:virt_content_t
 /etc/libvirt/[^/]* -d  gen_context(system_u:object_r:virt_etc_rw_t,s0)
 /etc/libvirt/.*/.* gen_context(system_u:object_r:virt_etc_rw_t,s0)
 
+/etc/qemu(/.*)?gen_context(system_u:object_r:virt_etc_t,s0)
+
 /etc/rc\.d/init\.d/(libvirt-bin|libvirtd)  --  
gen_context(system_u:object_r:virtd_initrc_exec_t,s0)
 
 /etc/xen   -d  gen_context(system_u:object_r:virt_etc_t,s0)



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2023-10-20 Thread Kenton Groombridge
commit: 4751bfa9ef38a4d38494cadea1fa83a69881d5fa
Author: Russell Coker  coker  com  au>
AuthorDate: Sat Oct  7 02:56:52 2023 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Fri Oct 20 21:28:39 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4751bfa9

Changes to eg25manager and modemmanager needed for firmware upload on 
pinephonepro

Signed-off-by: Russell Coker  coker.com.au>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/services/eg25manager.te  | 11 ++-
 policy/modules/services/modemmanager.te | 18 --
 2 files changed, 26 insertions(+), 3 deletions(-)

diff --git a/policy/modules/services/eg25manager.te 
b/policy/modules/services/eg25manager.te
index 92fd3e4f8..f305a9a01 100644
--- a/policy/modules/services/eg25manager.te
+++ b/policy/modules/services/eg25manager.te
@@ -57,8 +57,10 @@ files_read_usr_files(eg25manager_t)
 logging_send_syslog_msg(eg25manager_t)
 
 miscfiles_read_generic_certs(eg25manager_t)
+miscfiles_read_localization(eg25manager_t)
 
-modemmanager_dbus_chat(eg25manager_t)
+# will not upload to pinephone modem without this
+selinux_get_fs_mount(eg25manager_t)
 
 sysnet_read_config(eg25manager_t)
 
@@ -66,3 +68,10 @@ systemd_dbus_chat_logind(eg25manager_t)
 systemd_read_resolved_runtime(eg25manager_t)
 systemd_use_logind_fds(eg25manager_t)
 systemd_write_inherited_logind_inhibit_pipes(eg25manager_t)
+
+term_use_unallocated_ttys(eg25manager_t)
+
+optional_policy(`
+   modemmanager_dbus_chat(eg25manager_t)
+')
+
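Review bot: The final `+` line adds an empty line after the closing `')`, leaving eg25manager.te with a trailing blank line at end of file; it should be dropped so the file ends right after `')`. The moved `modemmanager_dbus_chat` call inside `optional_policy(` is otherwise the correct shape.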

diff --git a/policy/modules/services/modemmanager.te 
b/policy/modules/services/modemmanager.te
index 5801baedd..b94117bff 100644
--- a/policy/modules/services/modemmanager.te
+++ b/policy/modules/services/modemmanager.te
@@ -15,16 +15,30 @@ init_daemon_domain(modemmanager_t, modemmanager_exec_t)
 #
 
 allow modemmanager_t self:capability { net_admin sys_admin sys_tty_config };
-allow modemmanager_t self:process { getsched signal };
+allow modemmanager_t self:process { getsched setsched signal setpgid };
 allow modemmanager_t self:fifo_file rw_fifo_file_perms;
-allow modemmanager_t self:unix_stream_socket create_stream_socket_perms;
+allow modemmanager_t self:unix_stream_socket { connectto 
create_stream_socket_perms };
 allow modemmanager_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow modemmanager_t self:netlink_route_socket { create getattr getopt 
nlmsg_write read write };
+allow modemmanager_t self:qipcrtr_socket { create getattr getopt read write };
+
+# ModemManager  calls mmap(PROT_READ|PROT_WRITE|PROT_EXEC)
+allow modemmanager_t self:process execmem;
 
 kernel_read_system_state(modemmanager_t)
+kernel_request_load_module(modemmanager_t)
+
+# for qmi/pass_through
+dev_create_sysfs_files(modemmanager_t)
 
+dev_getattr_sysfs(modemmanager_t)
 dev_read_sysfs(modemmanager_t)
+dev_write_sysfs(modemmanager_t)
 dev_rw_modem(modemmanager_t)
 
+# for /usr/libexec/qmi-proxy
+corecmd_exec_bin(modemmanager_t)
+
 files_read_etc_files(modemmanager_t)
 
 term_use_generic_ptys(modemmanager_t)
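Review bot: `allow modemmanager_t self:process execmem;` is added unconditionally with only `calls mmap(PROT_READ|PROT_WRITE|PROT_EXEC)` as justification; execmem permits writable-and-executable anonymous memory, which is exactly the property hardened policy tries to remove (this page's certbot commit 8b220a9c drops it once libffi was fixed). Which component needs it should be recorded so the grant can be re-evaluated, e.g. `# <component> maps RWX memory during pinephonepro firmware upload -- revisit when fixed upstream`, or it could be placed behind a tunable as postgresql.te does in commit 30142b2d on this page. `dev_write_sysfs(modemmanager_t)` together with `dev_create_sysfs_files` is also broad (all of sysfs_t), yet the `# for qmi/pass_through` comment only covers the create rule; moving the write rule under the same comment would tie both to their reason. Minor: the double space in `# ModemManager  calls`.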



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2023-10-06 Thread Kenton Groombridge
commit: f9bb068485de922f97495d4795c3cc475cdb32e7
Author: Yi Zhao  windriver  com>
AuthorDate: Mon Oct  2 08:05:49 2023 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Fri Oct  6 15:31:45 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f9bb0684

bind: fix for named service

Fixes:
avc:  denied  { sqpoll } for  pid=373 comm="named"
scontext=system_u:system_r:named_t:s0-s15:c0.c1023
tcontext=system_u:system_r:named_t:s0-s15:c0.c1023 tclass=io_uring
permissive=0

avc:  denied  { create } for  pid=373 comm="named" anonclass=[io_uring]
scontext=system_u:system_r:named_t:s0-s15:c0.c1023
tcontext=system_u:object_r:named_t:s0 tclass=anon_inode permissive=0

Signed-off-by: Yi Zhao  windriver.com>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/services/bind.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te
index 0a08be452..37f2fdd1f 100644
--- a/policy/modules/services/bind.te
+++ b/policy/modules/services/bind.te
@@ -80,6 +80,8 @@ allow named_t self:process { setsched getsched getcap setcap 
setrlimit signal_pe
 allow named_t self:fifo_file rw_fifo_file_perms;
 allow named_t self:unix_stream_socket { accept listen };
 allow named_t self:tcp_socket { accept listen };
+allow named_t self:anon_inode { create map read write };
+allow named_t self:io_uring sqpoll;
 
 manage_files_pattern(named_t, dnssec_t, dnssec_t)
 filetrans_pattern(named_t, named_conf_t, dnssec_t, dir, "cache")
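Review bot: `allow named_t self:anon_inode { create map read write };` is not tied to io_uring: with the domain type doubling as the anonymous-inode type (as the `tcontext=...named_t` AVC shows), the rule also covers any other anonymous inode named_t may create, so the intent should be recorded with `# io_uring ring buffers` above the two new lines. Keeping `execute` out of that permission set is the property worth preserving here, since as I understand the anon_inode class a `map`+`write` inode without `execute` cannot be mapped executable; a comment saying so would stop a later "fix" from adding it casually.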



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2023-10-06 Thread Kenton Groombridge
commit: 0d4b9fb48fc13aa0e545fdc17905a1060db3c5ef
Author: Russell Coker  coker  com  au>
AuthorDate: Thu Sep 28 13:57:18 2023 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Fri Oct  6 15:31:45 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0d4b9fb4

misc small email changes (#704)

* Small changes to courier, dovecot, exim, postfix, and sendmail policy.

Signed-off-by: Russell Coker  coker.com.au>

* Removed an obsolete patch

Signed-off-by: Russell Coker  coker.com.au>

* Added interfaces cron_rw_inherited_tmp_files and 
systemd_dontaudit_connect_machined

Signed-off-by: Russell Coker  coker.com.au>

* Use create_stream_socket_perms for unix connection to itself

Signed-off-by: Russell Coker  coker.com.au>

* Removed unconfined_run_to

Signed-off-by: Russell Coker  coker.com.au>

* Remove change for it to run from a user session

Signed-off-by: Russell Coker  coker.com.au>

* Changed userdom_use_user_ttys to userdom_use_inherited_user_terminals and
moved it out of the postfix section

Signed-off-by: Russell Coker  coker.com.au>

-

Signed-off-by: Russell Coker  coker.com.au>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/services/courier.fc  |  4 ++--
 policy/modules/services/courier.te  | 21 +++--
 policy/modules/services/dovecot.te  |  3 +++
 policy/modules/services/exim.te |  3 ++-
 policy/modules/services/mta.if  |  1 +
 policy/modules/services/mta.te  | 32 
 policy/modules/services/postfix.if  |  3 +++
 policy/modules/services/postfix.te  |  4 
 policy/modules/services/sendmail.te |  4 
 9 files changed, 70 insertions(+), 5 deletions(-)

diff --git a/policy/modules/services/courier.fc 
b/policy/modules/services/courier.fc
index 0f56d60d8..28594264f 100644
--- a/policy/modules/services/courier.fc
+++ b/policy/modules/services/courier.fc
@@ -23,8 +23,8 @@
 /usr/lib/courier/courier/courierpop.*  --  
gen_context(system_u:object_r:courier_pop_exec_t,s0)
 /usr/lib/courier/courier/imaplogin --  
gen_context(system_u:object_r:courier_pop_exec_t,s0)
 /usr/lib/courier/courier/pcpd  --  
gen_context(system_u:object_r:courier_pcp_exec_t,s0)
-/usr/lib/courier/imapd --  
gen_context(system_u:object_r:courier_pop_exec_t,s0)
-/usr/lib/courier/pop3d --  
gen_context(system_u:object_r:courier_pop_exec_t,s0)
+/usr/lib/courier/imapd.*   --  
gen_context(system_u:object_r:courier_pop_exec_t,s0)
+/usr/lib/courier/pop3d.*   --  
gen_context(system_u:object_r:courier_pop_exec_t,s0)
 /usr/lib/courier/rootcerts(/.*)?   
gen_context(system_u:object_r:courier_etc_t,s0)
 /usr/lib/courier/sqwebmail/cleancache\.pl  --  
gen_context(system_u:object_r:courier_sqwebmail_exec_t,s0)
 /usr/lib/courier-imap/couriertcpd  --  
gen_context(system_u:object_r:courier_tcpd_exec_t,s0)

diff --git a/policy/modules/services/courier.te 
b/policy/modules/services/courier.te
index 00ca1db6e..b5fa0c163 100644
--- a/policy/modules/services/courier.te
+++ b/policy/modules/services/courier.te
@@ -96,6 +96,8 @@ allow courier_authdaemon_t courier_tcpd_t:unix_stream_socket 
rw_stream_socket_pe
 
 can_exec(courier_authdaemon_t, courier_exec_t)
 
+kernel_getattr_proc(courier_authdaemon_t)
+
 corecmd_exec_shell(courier_authdaemon_t)
 
 domtrans_pattern(courier_authdaemon_t, courier_pop_exec_t, courier_pop_t)
@@ -112,6 +114,7 @@ libs_read_lib_files(courier_authdaemon_t)
 miscfiles_read_localization(courier_authdaemon_t)
 
 selinux_getattr_fs(courier_authdaemon_t)
+seutil_search_default_contexts(courier_authdaemon_t)
 
 userdom_dontaudit_search_user_home_dirs(courier_authdaemon_t)
 
@@ -129,20 +132,34 @@ dev_read_rand(courier_pcp_t)
 # POP3/IMAP local policy
 #
 
-allow courier_pop_t self:capability { setgid setuid };
+allow courier_pop_t self:capability { chown dac_read_search fowner setgid 
setuid };
+dontaudit courier_pop_t self:capability fsetid;
+allow courier_pop_t self:unix_stream_socket create_stream_socket_perms;
+allow courier_pop_t self:process setrlimit;
+
 allow courier_pop_t courier_authdaemon_t:tcp_socket rw_stream_socket_perms;
 allow courier_pop_t courier_authdaemon_t:process sigchld;
 
 allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } 
rw_stream_socket_perms;
 
-allow courier_pop_t courier_var_lib_t:file rw_inherited_file_perms;
+allow courier_pop_t courier_var_lib_t:dir rw_dir_perms;
+allow courier_pop_t courier_var_lib_t:file manage_file_perms;
 
+allow courier_pop_t courier_etc_t:file map;
+
+can_exec(courier_pop_t, courier_exec_t)
+can_exec(courier_pop_t, courier_tcpd_exec_t)
 stream_connect_pattern(courier_pop_t, courier_var_lib_t, courier_var_lib_t, 
courier_authdaemon_t)
 
 domtrans_pattern(courier_pop_t, courier_authdaemon_exec_t, 
courier_authdaemon_t)
 
 corecmd_exec_shell(courier_pop_t)
+corenet_tcp_bind_generic_node(courier_pop_t)
+corenet_tcp_bind_pop_port(courier_pop_t)
+

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2023-10-06 Thread Kenton Groombridge
commit: c476335905f6b809c1f4ba083b071fab067aa1e5
Author: Russell Coker  coker  com  au>
AuthorDate: Tue Sep 26 13:48:31 2023 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Fri Oct  6 15:30:09 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c4763359

allow jabbers to create sock file and allow matrixd to read sysfs (#705)

* Allow jabberd_domain to create sockets in its var/lib dir
Allow matrixd_t to read sysfs

Signed-off-by: Russell Coker  coker.com.au>

* Changed to manage_sock_file_perms to allow unlink

Signed-off-by: Russell Coker  coker.com.au>

-

Signed-off-by: Russell Coker  coker.com.au>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/services/jabber.te  | 1 +
 policy/modules/services/matrixd.te | 1 +
 2 files changed, 2 insertions(+)

diff --git a/policy/modules/services/jabber.te 
b/policy/modules/services/jabber.te
index 6003cc9fb..6c8e45de5 100644
--- a/policy/modules/services/jabber.te
+++ b/policy/modules/services/jabber.te
@@ -39,6 +39,7 @@ allow jabberd_domain self:tcp_socket { accept listen };
 
 manage_files_pattern(jabberd_domain, jabberd_var_lib_t, jabberd_var_lib_t)
 allow jabberd_domain jabberd_var_lib_t:dir manage_dir_perms;
+allow jabberd_domain jabberd_var_lib_t:sock_file manage_sock_file_perms;
 
 kernel_read_system_state(jabberd_domain)
 

diff --git a/policy/modules/services/matrixd.te 
b/policy/modules/services/matrixd.te
index 4ac31d901..c396a3d7c 100644
--- a/policy/modules/services/matrixd.te
+++ b/policy/modules/services/matrixd.te
@@ -83,6 +83,7 @@ corenet_udp_bind_generic_node(matrixd_t)
 corenet_udp_bind_generic_port(matrixd_t)
 corenet_udp_bind_reserved_port(matrixd_t)
 
+dev_read_sysfs(matrixd_t)
 dev_read_urand(matrixd_t)
 
 files_read_etc_files(matrixd_t)
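Review bot: `dev_read_sysfs(matrixd_t)` grants, as its name suggests, read access to sysfs as a whole, and neither the rule nor the commit message records which path matrixd actually reads, so the next person hitting a sysfs denial cannot tell whether this line already covers it. Suggest a comment above the rule naming the trigger, e.g. `# reads /sys/... (record the path from the AVC denial)`; if it is a single well-known file, a narrower dev_ interface may exist.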



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2023-10-06 Thread Kenton Groombridge
commit: e17a5ea822384af3d15da14be3bc593037950d21
Author: Russell Coker  coker  com  au>
AuthorDate: Fri Sep 22 09:09:12 2023 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Fri Oct  6 15:27:06 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e17a5ea8

Added tmpfs file type for postgresql Small mysql stuff including anon_inode

Signed-off-by: Russell Coker  coker.com.au>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/services/mysql.te  | 4 +++-
 policy/modules/services/postgresql.te | 9 -
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te
index 2e7621471..4d1124bbf 100644
--- a/policy/modules/services/mysql.te
+++ b/policy/modules/services/mysql.te
@@ -67,11 +67,12 @@ files_runtime_file(mysqlmanagerd_runtime_t)
 
 allow mysqld_t self:capability { dac_override dac_read_search ipc_lock setgid 
setuid sys_resource };
 dontaudit mysqld_t self:capability sys_tty_config;
-allow mysqld_t self:process { setsched getsched setrlimit signal_perms 
rlimitinh };
+allow mysqld_t self:process { getcap setsched getsched setrlimit signal_perms 
rlimitinh };
 allow mysqld_t self:fifo_file rw_fifo_file_perms;
 allow mysqld_t self:shm create_shm_perms;
 allow mysqld_t self:unix_stream_socket { connectto accept listen };
 allow mysqld_t self:tcp_socket { accept listen };
+allow mysqld_t self:anon_inode { create map read write };
 
 manage_dirs_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
 mmap_manage_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
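Review bot: The new `allow mysqld_t self:anon_inode { create map read write };` rule is undocumented: the anon_inode class covers several kinds of anonymous inodes (memfd, userfaultfd, io_uring and the like) and the commit message only says "anon_inode", so the reason is lost once the denial is forgotten. Add a comment naming what produces it, e.g. `# memfd_create() for temp tables — confirm from the AVC`, hedged until checked. The permission lists on the same hunk's `process` line are also unsorted (`{ getcap setsched getsched ... }`) while the capability rule above is alphabetical; `{ getcap getsched rlimitinh setrlimit setsched signal_perms }` would match it and keep later diffs readable.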
@@ -191,6 +192,7 @@ dev_read_sysfs(mysqld_safe_t)
 
 domain_read_all_domains_state(mysqld_safe_t)
 
+files_dontaudit_write_root_dirs(mysqld_safe_t)
 files_read_etc_files(mysqld_safe_t)
 files_read_usr_files(mysqld_safe_t)
 files_search_runtime(mysqld_safe_t)

diff --git a/policy/modules/services/postgresql.te 
b/policy/modules/services/postgresql.te
index 1b2d8ab0d..11b3936b0 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -65,6 +65,9 @@ init_daemon_runtime_file(postgresql_runtime_t, dir, 
"postgresql")
 type postgresql_tmp_t;
 files_tmp_file(postgresql_tmp_t)
 
+type postgresql_tmpfs_t;
+files_tmpfs_file(postgresql_tmpfs_t)
+
 type postgresql_unit_t;
 init_unit_file(postgresql_unit_t)
 
@@ -282,7 +285,10 @@ manage_lnk_files_pattern(postgresql_t, postgresql_tmp_t, 
postgresql_tmp_t)
 manage_fifo_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t)
 manage_sock_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t)
 files_tmp_filetrans(postgresql_t, postgresql_tmp_t, { dir file sock_file })
-fs_tmpfs_filetrans(postgresql_t, postgresql_tmp_t, { dir file lnk_file 
sock_file fifo_file })
+fs_tmpfs_filetrans(postgresql_t, postgresql_tmp_t, { dir lnk_file sock_file 
fifo_file })
+fs_tmpfs_filetrans(postgresql_t, postgresql_tmpfs_t, { file })
+allow postgresql_t postgresql_tmpfs_t:file map;
+manage_files_pattern(postgresql_t, postgresql_tmpfs_t, postgresql_tmpfs_t)
 
 manage_dirs_pattern(postgresql_t, postgresql_runtime_t, postgresql_runtime_t)
 manage_files_pattern(postgresql_t, postgresql_runtime_t, postgresql_runtime_t)
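Review bot: The pair `allow postgresql_t postgresql_tmpfs_t:file map;` plus `manage_files_pattern(postgresql_t, postgresql_tmpfs_t, postgresql_tmpfs_t)` is exactly what the `mmap_manage_files_pattern` macro provides, and that macro is what mysql.te uses for mysqld_db_t in this same series; `mmap_manage_files_pattern(postgresql_t, postgresql_tmpfs_t, postgresql_tmpfs_t)` would replace both lines. Separately, only `file` is transitioned to the new type: a tmpfs dir, symlink, socket or fifo created by postgresql_t still lands in postgresql_tmp_t per the preceding filetrans, so any interface or domain that is later given access to postgresql_tmpfs_t must be aware that both types can appear on tmpfs; a short comment above the new type's rules stating that split would save confusion.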
@@ -342,6 +348,7 @@ init_read_utmp(postgresql_t)
 logging_send_syslog_msg(postgresql_t)
 logging_send_audit_msgs(postgresql_t)
 
+miscfiles_read_generic_tls_privkey(postgresql_t)
 miscfiles_read_localization(postgresql_t)
 
 seutil_libselinux_linked(postgresql_t)
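Review bot: `miscfiles_read_generic_tls_privkey(postgresql_t)` is a credential grant, not a configuration read: if the interface does what its name says, postgresql_t can now read every private key carrying the generic TLS private-key label, not only the one named by its `ssl_key_file` setting, and neither the rule nor the commit message motivates it. Suggest a comment recording the purpose, e.g. `# ssl_key_file kept under the generic TLS private key label`, and, where the server key can instead live under a postgresql-owned type, prefer that as the tighter option.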



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2023-10-06 Thread Kenton Groombridge
commit: d7890fb6d1c7bfd1c75d454d457b5fcdc869efe1
Author: Chris PeBenito  ieee  org>
AuthorDate: Tue Sep 26 13:43:40 2023 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Fri Oct  6 15:30:09 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d7890fb6

postgresql: Move lines

Signed-off-by: Chris PeBenito  ieee.org>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/services/postgresql.te | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/policy/modules/services/postgresql.te 
b/policy/modules/services/postgresql.te
index 11b3936b0..810fb0ed4 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -286,9 +286,10 @@ manage_fifo_files_pattern(postgresql_t, postgresql_tmp_t, 
postgresql_tmp_t)
 manage_sock_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t)
 files_tmp_filetrans(postgresql_t, postgresql_tmp_t, { dir file sock_file })
 fs_tmpfs_filetrans(postgresql_t, postgresql_tmp_t, { dir lnk_file sock_file 
fifo_file })
-fs_tmpfs_filetrans(postgresql_t, postgresql_tmpfs_t, { file })
+
 allow postgresql_t postgresql_tmpfs_t:file map;
 manage_files_pattern(postgresql_t, postgresql_tmpfs_t, postgresql_tmpfs_t)
+fs_tmpfs_filetrans(postgresql_t, postgresql_tmpfs_t, { file })
 
 manage_dirs_pattern(postgresql_t, postgresql_runtime_t, postgresql_runtime_t)
 manage_files_pattern(postgresql_t, postgresql_runtime_t, postgresql_runtime_t)



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/system/

2023-10-06 Thread Kenton Groombridge
commit: 9a761587cf212b96c093e2ea1d9c3ed66ff7c37d
Author: Russell Coker  coker  com  au>
AuthorDate: Thu Sep 21 14:21:25 2023 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Fri Oct  6 15:27:06 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9a761587

debian motd.d directory (#689)

* policy for Debian motd.d dir

Signed-off-by: Russell Coker  coker.com.au>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/services/xserver.te | 1 +
 policy/modules/system/authlogin.fc | 1 +
 policy/modules/system/authlogin.if | 1 +
 3 files changed, 3 insertions(+)

diff --git a/policy/modules/services/xserver.te 
b/policy/modules/services/xserver.te
index 68d9bd34b..58cd85626 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -472,6 +472,7 @@ auth_manage_pam_runtime_dirs(xdm_t)
 auth_manage_pam_runtime_files(xdm_t)
 auth_manage_pam_console_data(xdm_t)
 auth_read_shadow_history(xdm_t)
+auth_use_pam_motd_dynamic(xdm_t)
 auth_write_login_records(xdm_t)
 
 # Run telinit->init to shutdown.

diff --git a/policy/modules/system/authlogin.fc 
b/policy/modules/system/authlogin.fc
index b47da01a5..adb53a05a 100644
--- a/policy/modules/system/authlogin.fc
+++ b/policy/modules/system/authlogin.fc
@@ -59,6 +59,7 @@ ifdef(`distro_suse', `
 /run/motd  --  
gen_context(system_u:object_r:pam_motd_runtime_t,s0)
 /run/motd\.dynamic --  
gen_context(system_u:object_r:pam_motd_runtime_t,s0)
 /run/motd\.dynamic\.new--  
gen_context(system_u:object_r:pam_motd_runtime_t,s0)
+/run/motd\.d(/.*)? 
gen_context(system_u:object_r:pam_motd_runtime_t,s0)
 /run/pam_mount(/.*)?   gen_context(system_u:object_r:pam_runtime_t,s0)
 /run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
 /run/sepermit(/.*)?gen_context(system_u:object_r:pam_runtime_t,s0)

diff --git a/policy/modules/system/authlogin.if 
b/policy/modules/system/authlogin.if
index 4d11800aa..cd5ab2d7f 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -129,6 +129,7 @@ interface(`auth_use_pam_motd_dynamic',`
corecmd_exec_shell($1)
 
allow $1 pam_motd_runtime_t:file manage_file_perms;
+   allow $1 pam_motd_runtime_t:dir rw_dir_perms;
files_runtime_filetrans($1, pam_motd_runtime_t, file, 
"motd.dynamic.new")
 ')
 



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2023-10-06 Thread Kenton Groombridge
commit: 98ebbf0f2916e7541905c03eef89330b51c9ff97
Author: Russell Coker  coker  com  au>
AuthorDate: Thu Sep 21 16:01:24 2023 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Fri Oct  6 15:27:06 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=98ebbf0f

policy patches for anti-spam daemons (#698)

* Patches for anti-spam related policy

* Added a separate tunable for execmem; it can be enabled by people who need it,
which means Debian rspam users and some of the less common SpamAssassin
configurations

Signed-off-by: Russell Coker  coker.com.au>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/services/clamav.te   |  5 ++--
 policy/modules/services/dkim.fc |  1 +
 policy/modules/services/dkim.te |  2 +-
 policy/modules/services/milter.fc   |  2 ++
 policy/modules/services/milter.te   | 41 +
 policy/modules/services/spamassassin.te | 16 -
 6 files changed, 63 insertions(+), 4 deletions(-)

diff --git a/policy/modules/services/clamav.te 
b/policy/modules/services/clamav.te
index c171fd7dc..a9476a561 100644
--- a/policy/modules/services/clamav.te
+++ b/policy/modules/services/clamav.te
@@ -75,7 +75,7 @@ logging_log_file(freshclam_var_log_t)
 
 allow clamd_t self:capability { chown fowner fsetid kill setgid setuid 
dac_override };
 dontaudit clamd_t self:capability sys_tty_config;
-allow clamd_t self:process signal;
+allow clamd_t self:process { signal getsched };
 allow clamd_t self:fifo_file rw_fifo_file_perms;
 allow clamd_t self:unix_stream_socket { accept connectto listen };
 allow clamd_t self:tcp_socket { listen accept };
@@ -174,7 +174,7 @@ optional_policy(`
 # Freshclam local policy
 #
 
-allow freshclam_t self:capability { dac_override setgid setuid };
+allow freshclam_t self:capability { chown dac_override setgid setuid };
 allow freshclam_t self:fifo_file rw_fifo_file_perms;
 allow freshclam_t self:unix_stream_socket { accept listen };
 allow freshclam_t self:tcp_socket { accept listen };
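Review bot: Adding `chown` to `allow freshclam_t self:capability { chown dac_override setgid setuid };` is a privilege increase with no explanation in the rule or the commit message; CAP_CHOWN lets the domain change ownership of any file it can already write, so it is worth recording what freshclam chowns (presumably its database files after the setuid/setgid drop — confirm from the denial) in a comment above the rule. If the chown only targets the database directory that is fine; if it shows up on log or configuration files it is a sign that ownership should be fixed at install time rather than in policy.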
@@ -225,6 +225,7 @@ dev_read_urand(freshclam_t)
 domain_use_interactive_fds(freshclam_t)
 
 files_read_etc_runtime_files(freshclam_t)
+files_read_usr_files(freshclam_t)
 files_search_var_lib(freshclam_t)
 
 auth_use_nsswitch(freshclam_t)

diff --git a/policy/modules/services/dkim.fc b/policy/modules/services/dkim.fc
index 08b652630..0b269c0af 100644
--- a/policy/modules/services/dkim.fc
+++ b/policy/modules/services/dkim.fc
@@ -1,4 +1,5 @@
 /etc/opendkim/keys(/.*)?   
gen_context(system_u:object_r:dkim_milter_private_key_t,s0)
+/etc/dkimkeys(/.*)?
gen_context(system_u:object_r:dkim_milter_private_key_t,s0)
 
 /etc/rc\.d/init\.d/((opendkim)|(dkim-milter))  --  
gen_context(system_u:object_r:dkim_milter_initrc_exec_t,s0)
 

diff --git a/policy/modules/services/dkim.te b/policy/modules/services/dkim.te
index 32468194b..e960818da 100644
--- a/policy/modules/services/dkim.te
+++ b/policy/modules/services/dkim.te
@@ -24,7 +24,7 @@ init_daemon_runtime_file(dkim_milter_data_t, dir, "opendkim")
 #
 
 allow dkim_milter_t self:capability { dac_read_search dac_override setgid 
setuid };
-allow dkim_milter_t self:process { signal signull };
+allow dkim_milter_t self:process { signal signull getsched };
 allow dkim_milter_t self:unix_stream_socket create_stream_socket_perms;
 
 read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, 
dkim_milter_private_key_t)

diff --git a/policy/modules/services/milter.fc 
b/policy/modules/services/milter.fc
index 42fe5e941..71b168061 100644
--- a/policy/modules/services/milter.fc
+++ b/policy/modules/services/milter.fc
@@ -8,6 +8,7 @@
 /usr/sbin/milter-greylist  --  
gen_context(system_u:object_r:greylist_milter_exec_t,s0)
 /usr/sbin/sqlgrey  --  
gen_context(system_u:object_r:greylist_milter_exec_t,s0)
 /usr/sbin/milter-regex --  
gen_context(system_u:object_r:regex_milter_exec_t,s0)
+/usr/sbin/postfwd.*--  
gen_context(system_u:object_r:postfwd_milter_exec_t,s0)
 /usr/sbin/spamass-milter   --  
gen_context(system_u:object_r:spamass_milter_exec_t,s0)
 
 /var/lib/milter-greylist(/.*)? 
gen_context(system_u:object_r:greylist_milter_data_t,s0)
@@ -16,6 +17,7 @@
 
 /run/milter-greylist(/.*)? 
gen_context(system_u:object_r:greylist_milter_data_t,s0)
 /run/milter-greylist\.pid  --  
gen_context(system_u:object_r:greylist_milter_data_t,s0)
+/run/postfwd\.pid  --  
gen_context(system_u:object_r:postfwd_milter_runtime_t,s0)
 /run/spamass(/.*)? 
gen_context(system_u:object_r:spamass_milter_data_t,s0)
 /run/sqlgrey\.pid  --  
gen_context(system_u:object_r:greylist_milter_data_t,s0)
 /run/spamass-milter(/.*)?  
gen_context(system_u:object_r:spamass_milter_data_t,s0)

diff --git a/policy/modules/services/milter.te 

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2023-03-31 Thread Kenton Groombridge
commit: 396ba1dae4fa1576c1c9ab3e10a4d3bbae2fe990
Author: Kenton Groombridge  concord  sh>
AuthorDate: Tue Mar  7 01:21:54 2023 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Fri Mar 31 17:11:32 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=396ba1da

glusterfs: allow glusterd to bind to all TCP unreserved ports

Port 32767 seems to be needed by glfs_timer

type=SYSCALL msg=audit(1678151692.991:193): arch=c03e syscall=49 success=no 
exit=-13 a0=7 a1=43bc7241350 a2=10 a3=3968 items=0 ppid=1 pid=2401 
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 
tty=(none) ses=4294967295 comm="glfs_timer" exe="/usr/bin/glusterfsd" 
subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1678151692.991:193): avc:  denied  { name_bind } for 
pid=2401 comm="glfs_timer" src=32767 scontext=system_u:system_r:glusterd_t:s0 
tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0

Signed-off-by: Kenton Groombridge  concord.sh>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/services/glusterfs.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/services/glusterfs.te 
b/policy/modules/services/glusterfs.te
index d9c77d384..fe80b732a 100644
--- a/policy/modules/services/glusterfs.te
+++ b/policy/modules/services/glusterfs.te
@@ -108,6 +108,7 @@ corenet_tcp_connect_glusterd_port(glusterd_t)
 # Too coarse?
 corenet_sendrecv_all_server_packets(glusterd_t)
 corenet_tcp_bind_all_reserved_ports(glusterd_t)
+corenet_tcp_bind_all_unreserved_ports(glusterd_t)
 corenet_udp_bind_all_rpc_ports(glusterd_t)
 corenet_udp_bind_ipp_port(glusterd_t)
 



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2023-03-31 Thread Kenton Groombridge
commit: 87862dc56b934bf6ffc76a8a4864bb919cd7542c
Author: Kenton Groombridge  concord  sh>
AuthorDate: Wed Mar  8 18:19:36 2023 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Fri Mar 31 17:11:32 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=87862dc5

kubernetes: allow kubelet to read etc runtime files

To read /etc/machine-id.

Signed-off-by: Kenton Groombridge  concord.sh>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/services/kubernetes.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/services/kubernetes.te 
b/policy/modules/services/kubernetes.te
index b89ffb1bc..e9d8fcdd2 100644
--- a/policy/modules/services/kubernetes.te
+++ b/policy/modules/services/kubernetes.te
@@ -240,6 +240,8 @@ files_search_mnt(kubelet_t)
 files_read_kernel_symbol_table(kubelet_t)
 # read /usr/share/mime/globs2
 files_read_usr_files(kubelet_t)
+# read /etc/machine-id
+files_read_etc_runtime_files(kubelet_t)
 
 fs_getattr_tmpfs(kubelet_t)
 fs_search_tmpfs(kubelet_t)



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2023-03-31 Thread Kenton Groombridge
commit: 940f87312855109a81014f446bd89c332fb3a883
Author: Kenton Groombridge  concord  sh>
AuthorDate: Sun Mar  5 23:03:34 2023 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Fri Mar 31 17:11:22 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=940f8731

zfs: add runtime filetrans for dirs

Needed by zfs recv.

Signed-off-by: Kenton Groombridge  concord.sh>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/services/zfs.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/services/zfs.te b/policy/modules/services/zfs.te
index bba787136..ed1ae77ba 100644
--- a/policy/modules/services/zfs.te
+++ b/policy/modules/services/zfs.te
@@ -85,7 +85,7 @@ read_files_pattern(zfs_t, zfs_config_t, zfs_config_t)
 read_lnk_files_pattern(zfs_t, zfs_config_t, zfs_config_t)
 
 manage_files_pattern(zfs_t, zfs_runtime_t, zfs_runtime_t)
-files_runtime_filetrans(zfs_t, zfs_runtime_t, file)
+files_runtime_filetrans(zfs_t, zfs_runtime_t, { dir file })
 
 # to execute scripts in /usr/libexec/zfs
 corecmd_exec_bin(zfs_t)



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2023-03-31 Thread Kenton Groombridge
commit: 78f22e0b8a1383ea39c7621a85f8172010b2a7fb
Author: Kenton Groombridge  concord  sh>
AuthorDate: Thu Mar  2 07:04:40 2023 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Fri Mar 31 17:11:22 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=78f22e0b

zfs: allow sending signals to itself

Required for zfs snapshot.

Signed-off-by: Kenton Groombridge  concord.sh>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/services/zfs.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/services/zfs.te b/policy/modules/services/zfs.te
index ebe389e05..bba787136 100644
--- a/policy/modules/services/zfs.te
+++ b/policy/modules/services/zfs.te
@@ -76,7 +76,7 @@ zfs_rw_zpool_cache(zed_t)
 # zfs local policy
 #
 
-allow zfs_t self:process { getsched signull };
+allow zfs_t self:process { getsched signal signull };
 allow zfs_t self:capability { sys_admin sys_rawio };
 allow zfs_t self:fifo_file rw_fifo_file_perms;
 



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2023-02-13 Thread Kenton Groombridge
commit: a196620b5a540acc33ced5f9541974489bd30605
Author: David Sommerseth  openvpn  net>
AuthorDate: Fri Jan 27 08:50:22 2023 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Mon Feb 13 15:24:07 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a196620b

openvpn: Allow netlink genl

OpenVPN 2.6 can use an OpenVPN specific kernel module to handle the VPN
data channel.  The communication via userspace and kernel space happens
over a generic netlink interface.

Without this access, the following denials can be found in the logs

  [...] denied  { create } for pid=... comm="openvpn" 
scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:system_r:openvpn_t:s0 
tclass=netlink_generic_socket
  [...] denied  { setopt } for pid=... comm="openvpn" 
scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:system_r:openvpn_t:s0 
tclass=netlink_generic_socket
  [...] denied  { bind } for pid=... comm="openvpn" 
scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:system_r:openvpn_t:s0 
tclass=netlink_generic_socket
  [...] denied  { getattr } for pid=... comm="openvpn" 
scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:system_r:openvpn_t:s0 
tclass=netlink_generic_socket

Signed-off-by: David Sommerseth  openvpn.net>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/services/openvpn.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/services/openvpn.te 
b/policy/modules/services/openvpn.te
index be3642ec6..e97730fbd 100644
--- a/policy/modules/services/openvpn.te
+++ b/policy/modules/services/openvpn.te
@@ -62,6 +62,7 @@ allow openvpn_t self:unix_stream_socket { accept connectto 
listen };
 allow openvpn_t self:tcp_socket server_stream_socket_perms;
 allow openvpn_t self:tun_socket { create_socket_perms relabelfrom relabelto };
 allow openvpn_t self:netlink_route_socket nlmsg_write;
+allow openvpn_t self:netlink_generic_socket create_socket_perms;
 
 allow openvpn_t openvpn_etc_t:dir list_dir_perms;
 allow openvpn_t openvpn_etc_t:file read_file_perms;
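Review bot: The new `allow openvpn_t self:netlink_generic_socket create_socket_perms;` line exists only for the ovpn-dco kernel module path described in the commit message, but nothing in the policy says so once the message is out of sight; a comment such as `# generic netlink control channel for the ovpn-dco kernel module (OpenVPN >= 2.6)` keeps that context with the rule. `create_socket_perms` does cover the create/setopt/bind/getattr denials listed, so no further permission is needed for what the message shows.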



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2023-02-13 Thread Kenton Groombridge
commit: c891d981f2fd465d682c8129865613927308c30e
Author: Kenton Groombridge  concord  sh>
AuthorDate: Fri Feb 10 18:30:56 2023 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Mon Feb 13 15:24:11 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c891d981

container: add missing filetrans and filecon for containerd/docker

Add a missing file transition for the docker socket in /run as well as a
missing file context for /var/log/containerd.

Thanks-to: zen_desu
Signed-off-by: Kenton Groombridge  concord.sh>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/services/container.fc | 1 +
 policy/modules/services/container.te | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/policy/modules/services/container.fc 
b/policy/modules/services/container.fc
index 29a02b1d3..056aa6023 100644
--- a/policy/modules/services/container.fc
+++ b/policy/modules/services/container.fc
@@ -100,6 +100,7 @@ HOME_DIR/\.docker(/.*)? 
gen_context(system_u:object_r:container_conf_home_t,s0)
 /var/lib/etcd(/.*)? 
gen_context(system_u:object_r:container_file_t,s0)
 /var/lib/kube-proxy(/.*)?  
gen_context(system_u:object_r:container_file_t,s0)
 
+/var/log/containerd(/.*)?  
gen_context(system_u:object_r:container_log_t,s0)
 /var/log/containers(/.*)?  
gen_context(system_u:object_r:container_log_t,s0)
 /var/log/crio(/.*)?
gen_context(system_u:object_r:container_log_t,s0)
 /var/log/pods(/.*)?
gen_context(system_u:object_r:container_log_t,s0)

diff --git a/policy/modules/services/container.te 
b/policy/modules/services/container.te
index 534d6f4c5..15d1e8c88 100644
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@@ -747,7 +747,7 @@ allow container_engine_system_domain 
container_runtime_t:file { manage_file_perm
 allow container_engine_system_domain container_runtime_t:fifo_file { 
manage_fifo_file_perms relabel_fifo_file_perms };
 allow container_engine_system_domain container_runtime_t:lnk_file { 
manage_lnk_file_perms relabel_lnk_file_perms };
 allow container_engine_system_domain container_runtime_t:sock_file { 
manage_sock_file_perms relabel_sock_file_perms };
-files_runtime_filetrans(container_engine_system_domain, container_runtime_t, { 
dir file })
+files_runtime_filetrans(container_engine_system_domain, container_runtime_t, { 
dir file sock_file })
 
 allow container_engine_system_domain container_engine_cache_t:dir 
manage_dir_perms;
 allow container_engine_system_domain container_engine_cache_t:file 
manage_file_perms;



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2023-02-13 Thread Kenton Groombridge
commit: deea45506e562694254d217047c39d0b7abdc893
Author: Chris PeBenito  ieee  org>
AuthorDate: Fri Jan  6 14:58:09 2023 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Mon Feb 13 15:19:56 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=deea4550

munin: Whitespace change.

Signed-off-by: Chris PeBenito  ieee.org>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/services/munin.fc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/services/munin.fc b/policy/modules/services/munin.fc
index ac9100350..8773bd740 100644
--- a/policy/modules/services/munin.fc
+++ b/policy/modules/services/munin.fc
@@ -68,6 +68,7 @@
 
 /var/lib/munin(/.*)?   gen_context(system_u:object_r:munin_var_lib_t,s0)
 /var/lib/munin/plugin-state(/.*)?  
gen_context(system_u:object_r:munin_plugin_state_t,s0)
+
 ifdef(`distro_gentoo',`
 /var/lib/munin-node(/.*)?  
gen_context(system_u:object_r:munin_var_lib_t,s0)
 /var/lib/munin-node/plugin-state(/.*)? 
gen_context(system_u:object_r:munin_plugin_state_t,s0)



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2023-02-13 Thread Kenton Groombridge
commit: 962ff462a7346415433a829e84b9ef212466196f
Author: Corentin LABBE  gmail  com>
AuthorDate: Wed Dec 28 08:38:30 2022 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Mon Feb 13 15:19:55 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=962ff462

munin: add fc for munin-node plugin state

Gentoo deploys the munin-node plugin state in /var/lib/munin-node

Signed-off-by: Corentin LABBE  gmail.com>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/services/munin.fc | 4 
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/services/munin.fc b/policy/modules/services/munin.fc
index c24f24c60..ac9100350 100644
--- a/policy/modules/services/munin.fc
+++ b/policy/modules/services/munin.fc
@@ -68,6 +68,10 @@
 
 /var/lib/munin(/.*)?   gen_context(system_u:object_r:munin_var_lib_t,s0)
 /var/lib/munin/plugin-state(/.*)?  
gen_context(system_u:object_r:munin_plugin_state_t,s0)
+ifdef(`distro_gentoo',`
+/var/lib/munin-node(/.*)?  
gen_context(system_u:object_r:munin_var_lib_t,s0)
+/var/lib/munin-node/plugin-state(/.*)? 
gen_context(system_u:object_r:munin_plugin_state_t,s0)
+')
 
 /var/log/munin.*   gen_context(system_u:object_r:munin_log_t,s0)
 



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/system/

2023-02-13 Thread Kenton Groombridge
commit: e19a19f4bb6fdd3d55ee981413ee48bd34f4860a
Author: Corentin LABBE  gmail  com>
AuthorDate: Mon Dec 26 09:25:59 2022 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Mon Feb 13 15:19:52 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e19a19f4

munin: disk-plugin: transition to fsadm

The smart_ plugin currently executes smartctl in the disk_munin_plugin_t domain,
but many rules are still missing for smartctl to run correctly.
Instead of duplicating most of the fsadm rules, it is easier to transition to
the correct domain.

Signed-off-by: Corentin LABBE  gmail.com>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/services/munin.if | 17 +
 policy/modules/services/munin.te |  6 +++---
 policy/modules/system/fstools.te |  4 
 3 files changed, 24 insertions(+), 3 deletions(-)

diff --git a/policy/modules/services/munin.if b/policy/modules/services/munin.if
index 9cf4cb20e..de654d4ea 100644
--- a/policy/modules/services/munin.if
+++ b/policy/modules/services/munin.if
@@ -189,3 +189,20 @@ interface(`munin_admin',`
 
admin_pattern($1, httpd_munin_content_t)
 ')
+
+
+## 
+## Permit to read/write Munin TCP sockets
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`munin_rw_tcp_sockets',`
+   gen_require(`
+   type munin_t;
+   ')
+   allow $1 munin_t:tcp_socket rw_socket_perms;
+')

diff --git a/policy/modules/services/munin.te b/policy/modules/services/munin.te
index 2e6b1542a..9fc77c8e9 100644
--- a/policy/modules/services/munin.te
+++ b/policy/modules/services/munin.te
@@ -52,8 +52,6 @@ munin_plugin_template(unconfined)
 allow munin_plugin_domain self:process signal;
 allow munin_plugin_domain self:fifo_file rw_fifo_file_perms;
 
-allow munin_plugin_domain munin_t:tcp_socket rw_socket_perms;
-
 read_lnk_files_pattern(munin_plugin_domain, munin_etc_t, munin_etc_t)
 
 allow munin_plugin_domain munin_exec_t:file read_file_perms;
@@ -79,6 +77,8 @@ fs_getattr_all_fs(munin_plugin_domain)
 
 miscfiles_read_localization(munin_plugin_domain)
 
+munin_rw_tcp_sockets(munin_plugin_domain)
+
 optional_policy(`
nscd_use(munin_plugin_domain)
 ')
@@ -260,7 +260,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-   fstools_exec(disk_munin_plugin_t)
+   fstools_domtrans(disk_munin_plugin_t)
 ')
 
 
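Review bot: `fstools_domtrans(disk_munin_plugin_t)` makes the disk plugin a way into fsadm_t: anything labelled as an fstools executable that the plugin runs — not only smartctl — now executes in that domain, and fsadm_t is presumably the filesystem-administration domain of the fstools module with the raw-device access that implies (the companion fstools.te hunk in this commit also lets fsadm_t use munin's TCP sockets). That is a larger grant than the commit message's "execute smartctl" suggests, so a comment above the rule, e.g. `# smartctl runs as fsadm_t; this exposes every fstools binary to the disk plugin`, would record the trade-off, and if only smartctl is needed a dedicated smartctl domain would be the least-privilege alternative. The enclosing optional_policy block is fully visible in the hunk.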

diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index 3d5525cc4..079aacad3 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -208,6 +208,10 @@ optional_policy(`
modutils_read_module_deps(fsadm_t)
 ')
 
+optional_policy(`
+   munin_rw_tcp_sockets(fsadm_t)
+')
+
 optional_policy(`
nis_use_ypbind(fsadm_t)
 ')



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2023-02-13 Thread Kenton Groombridge
commit: f2c017c30c28288b218688c561a32d04931535e1
Author: Chris PeBenito  ieee  org>
AuthorDate: Wed Jan  4 19:32:19 2023 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Mon Feb 13 15:19:54 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f2c017c3

munin: Move munin_rw_tcp_sockets() implementation.

No rule changes.

Signed-off-by: Chris PeBenito  ieee.org>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/services/munin.if | 34 +-
 1 file changed, 17 insertions(+), 17 deletions(-)

diff --git a/policy/modules/services/munin.if b/policy/modules/services/munin.if
index de654d4ea..b70f1ad91 100644
--- a/policy/modules/services/munin.if
+++ b/policy/modules/services/munin.if
@@ -41,6 +41,23 @@ template(`munin_plugin_template',`
files_tmp_filetrans($1_munin_plugin_t, $1_munin_plugin_tmp_t, { dir 
file })
 ')
 
+
+## 
+## Permit to read/write Munin TCP sockets
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`munin_rw_tcp_sockets',`
+   gen_require(`
+   type munin_t;
+   ')
+   allow $1 munin_t:tcp_socket rw_socket_perms;
+')
+
 
 ## 
 ## Connect to munin over a unix domain
@@ -189,20 +206,3 @@ interface(`munin_admin',`
 
admin_pattern($1, httpd_munin_content_t)
 ')
-
-
-## 
-## Permit to read/write Munin TCP sockets
-## 
-## 
-## 
-## Domain allowed access.
-## 
-## 
-#
-interface(`munin_rw_tcp_sockets',`
-   gen_require(`
-   type munin_t;
-   ')
-   allow $1 munin_t:tcp_socket rw_socket_perms;
-')



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2022-12-13 Thread Kenton Groombridge
commit: add37312bb35e4b3c6a802074c75f3f94e2a9fc6
Author: Kenton Groombridge  concord  sh>
AuthorDate: Wed Dec  7 16:00:03 2022 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Tue Dec 13 19:07:48 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=add37312

postfix, sasl: allow postfix smtp daemon to read SASL keytab

Signed-off-by: Kenton Groombridge  concord.sh>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/services/postfix.te |  1 +
 policy/modules/services/sasl.if| 19 +++
 2 files changed, 20 insertions(+)

diff --git a/policy/modules/services/postfix.te 
b/policy/modules/services/postfix.te
index e546e7e62..7b158e705 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@@ -839,6 +839,7 @@ optional_policy(`
 
 optional_policy(`
sasl_connect(postfix_smtpd_t)
+   sasl_read_keytab(postfix_smtpd_t)
 ')
 
 optional_policy(`

diff --git a/policy/modules/services/sasl.if b/policy/modules/services/sasl.if
index e1e15648f..87caf806e 100644
--- a/policy/modules/services/sasl.if
+++ b/policy/modules/services/sasl.if
@@ -19,6 +19,25 @@ interface(`sasl_connect',`
stream_connect_pattern($1, saslauthd_runtime_t, saslauthd_runtime_t, 
saslauthd_t)
 ')
 
+
+## 
+## Read SASL keytab files.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`sasl_read_keytab',`
+   gen_require(`
+   type saslauthd_keytab_t;
+   ')
+
+   files_search_etc($1)
+   read_files_pattern($1, saslauthd_keytab_t, saslauthd_keytab_t)
+')
+
 
 ## 
 ## All of the rules required to



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2022-12-13 Thread Kenton Groombridge
commit: 0da05b608cbcb4f4545f5eade4b1c3a8269dc9a5
Author: Dave Sugar  gmail  com>
AuthorDate: Wed Nov 23 13:17:41 2022 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Tue Dec 13 19:04:21 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0da05b60

rng-tools updated to 6.15 (on RHEL9) seeing the following denials:

node=localhost type=AVC msg=audit(1669206851.792:438): avc:  denied  { getattr 
} for  pid=1008 comm="rngd" 
path="/usr/share/crypto-policies/FIPS/opensslcnf.txt" dev="dm-0" ino=401368 
scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:usr_t:s0 
tclass=file permissive=1
node=localhost type=AVC msg=audit(1669206851.792:439): avc:  denied  { read } 
for  pid=1008 comm="rngd" name="opensslcnf.config" dev="dm-0" ino=401368 
scontext=system_u:system_r:rngd_t:s0 tcontext=system_u:object_r:usr_t:s0 
tclass=file permissive=1
node=localhost type=AVC msg=audit(1669206851.792:439): avc:  denied  { open } 
for  pid=1008 comm="rngd" path="/usr/share/crypto-policies/FIPS/opensslcnf.txt" 
dev="dm-0" ino=401368 scontext=system_u:system_r:rngd_t:s0 
tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1

rngd now drops privileges itself rather than having user/group set in the .service file:
node=localhost type=AVC msg=audit(1669206851.856:440): avc:  denied  { setgid } 
for  pid=1008 comm="rngd" capability=6 scontext=system_u:system_r:rngd_t:s0 
tcontext=system_u:system_r:rngd_t:s0 tclass=capability permissive=1
node=localhost type=AVC msg=audit(1669206851.881:441): avc:  denied  { setuid } 
for  pid=1008 comm="rngd" capability=7 scontext=system_u:system_r:rngd_t:s0 
tcontext=system_u:system_r:rngd_t:s0 tclass=capability permissive=1
node=localhost type=AVC msg=audit(1669206851.910:442): avc:  denied  { setcap } 
for  pid=1008 comm="rngd" scontext=system_u:system_r:rngd_t:s0 
tcontext=system_u:system_r:rngd_t:s0 tclass=process permissive=1

Signed-off-by: Dave Sugar  gmail.com>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/services/rngd.te | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/policy/modules/services/rngd.te b/policy/modules/services/rngd.te
index f33d6a401..d317520ee 100644
--- a/policy/modules/services/rngd.te
+++ b/policy/modules/services/rngd.te
@@ -20,8 +20,8 @@ files_runtime_file(rngd_runtime_t)
 # Local policy
 #
 
-allow rngd_t self:capability { ipc_lock sys_admin };
-allow rngd_t self:process { setsched getsched signal };
+allow rngd_t self:capability { ipc_lock setgid setuid sys_admin };
+allow rngd_t self:process { getsched setcap setsched signal };
 allow rngd_t self:fifo_file rw_fifo_file_perms;
 allow rngd_t self:unix_stream_socket { accept listen };
 
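Review bot: The new `setgid setuid` capabilities and the `setcap` process permission are added without a comment, so the reason (rngd 6.15 drops privileges itself instead of relying on User=/Group= in the unit) survives only in the commit message. A line such as `# rngd >= 6.15 drops privileges itself after startup` above the capability rule would preserve that for the next reader auditing why a daemon holding `sys_admin` also needs `setuid`. `setpcap` is not granted and the posted denials do not show it, which suggests rngd only changes ids rather than shrinking its bounding set; worth confirming against the rngd source.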
@@ -37,6 +37,7 @@ dev_rw_tpm(rngd_t)
 dev_write_rand(rngd_t)
 
 files_read_etc_files(rngd_t)
+files_read_usr_files(rngd_t)
 
 logging_send_syslog_msg(rngd_t)
 
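Review bot: `files_read_usr_files(rngd_t)` is added to satisfy reads of `/usr/share/crypto-policies/FIPS/opensslcnf.txt`, but nothing in the policy records that, and the interface grants read of every `usr_t` file, which is considerably wider than the one file in the denial. A comment such as `# OpenSSL reads /usr/share/crypto-policies (usr_t)` on the new line would tie the rule to its cause and make it easy to revisit if a narrower type for crypto-policies ever appears.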



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2022-12-13 Thread Kenton Groombridge
commit: ca1a8970f1e7ae224de8001e460f232815eeb187
Author: Kenton Groombridge  concord  sh>
AuthorDate: Wed Dec  7 15:55:39 2022 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Tue Dec 13 19:07:44 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ca1a8970

sasl: add filecon for /etc/sasl2 keytab

Signed-off-by: Kenton Groombridge  concord.sh>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/services/sasl.fc | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/services/sasl.fc b/policy/modules/services/sasl.fc
index 06ee9710c..8165ee72a 100644
--- a/policy/modules/services/sasl.fc
+++ b/policy/modules/services/sasl.fc
@@ -1,5 +1,7 @@
 /etc/rc\.d/init\.d/sasl--  
gen_context(system_u:object_r:saslauthd_initrc_exec_t,s0)
 
+/etc/sasl2(/.*)?   
gen_context(system_u:object_r:saslauthd_keytab_t,s0)
+
 /usr/bin/saslauthd --  
gen_context(system_u:object_r:saslauthd_exec_t,s0)
 
 /usr/sbin/saslauthd--  
gen_context(system_u:object_r:saslauthd_exec_t,s0)
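Review bot: `/etc/sasl2(/.*)?` labels the entire directory tree as `saslauthd_keytab_t`, not just keytab files, so anything else kept there acquires a credential type and becomes readable by every caller of `sasl_read_keytab`; Cyrus SASL conventionally stores per-application plugin configuration (for instance an `smtpd.conf`) in that same directory. If only the keytab itself is the sensitive object, a narrower pattern or a separate configuration type would keep credentials and configuration apart. At minimum the entry deserves a comment, e.g. `# whole tree, including any plugin configuration, is treated as keytab data`, so the breadth is a documented choice rather than an accident.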



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2022-12-13 Thread Kenton Groombridge
commit: c20ec6e6418b8d1d19736e3beef6080684eec3d5
Author: Kenton Groombridge  concord  sh>
AuthorDate: Wed Dec  7 15:49:39 2022 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Tue Dec 13 19:07:41 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c20ec6e6

container: allow container admins the sysadm capability in user namespaces

Signed-off-by: Kenton Groombridge  concord.sh>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/services/container.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/services/container.if 
b/policy/modules/services/container.if
index 55f8e4f3d..8fd3832fb 100644
--- a/policy/modules/services/container.if
+++ b/policy/modules/services/container.if
@@ -2518,7 +2518,7 @@ interface(`container_admin',`
allow $1 container_engine_domain:process { ptrace signal_perms };
ps_process_pattern($1, container_engine_domain)
 
-   allow $1 self:cap_userns { kill sys_ptrace };
+   allow $1 self:cap_userns { kill sys_ptrace sys_admin };
 
files_search_var_lib($1)
admin_pattern($1, container_var_lib_t)
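Review bot: `sys_admin` is added to the container admin's `cap_userns` set with no comment and no denial in the commit message saying which operation needs it; even inside a user namespace it remains the broadest capability (mounts, namespace manipulation), so a later reviewer cannot tell whether it is required for rootless engine administration or was added speculatively. A short comment on the new line, e.g. `# sys_admin: needed for <operation> when managing rootless containers -- confirm`, or the AVC in the description, would make the grant auditable. `container_admin` begins before this hunk.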



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2022-12-13 Thread Kenton Groombridge
commit: cd933e49cc9a613b6145f236d324a79a669ea463
Author: Kenton Groombridge  concord  sh>
AuthorDate: Wed Dec  7 15:55:27 2022 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Tue Dec 13 19:07:43 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=cd933e49

postfix: allow postfix master to map data files

Signed-off-by: Kenton Groombridge  concord.sh>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/services/postfix.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/services/postfix.te 
b/policy/modules/services/postfix.te
index 1a5c24517..c58b11e0b 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@@ -207,7 +207,7 @@ allow postfix_master_t postfix_etc_t:dir rw_dir_perms;
 allow postfix_master_t postfix_etc_t:file rw_file_perms;
 
 allow postfix_master_t postfix_data_t:dir manage_dir_perms;
-allow postfix_master_t postfix_data_t:file manage_file_perms;
+allow postfix_master_t postfix_data_t:file mmap_manage_file_perms;
 
 allow postfix_master_t postfix_keytab_t:file read_file_perms;
 



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2022-12-13 Thread Kenton Groombridge
commit: 0e83470473b17ec633fe876ed2a99a9f1575e0a4
Author: Kenton Groombridge  concord  sh>
AuthorDate: Wed Dec  7 15:45:43 2022 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Tue Dec 13 19:07:39 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0e834704

podman: allow podman to stop systemd transient units

Signed-off-by: Kenton Groombridge  concord.sh>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/services/podman.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/services/podman.te 
b/policy/modules/services/podman.te
index 5cc13da70..3d16e64d1 100644
--- a/policy/modules/services/podman.te
+++ b/policy/modules/services/podman.te
@@ -69,6 +69,7 @@ ifdef(`init_systemd',`
# containers get created as systemd transient units
init_get_transient_units_status(podman_t)
init_start_transient_units(podman_t)
+   init_stop_transient_units(podman_t)
 
# podman can read logs from containers which are
# sent to the system journal
@@ -212,6 +213,7 @@ container_manage_engine_tmp_sock_files(podman_conmon_t)
 ifdef(`init_systemd',`
init_get_transient_units_status(podman_conmon_t)
init_start_transient_units(podman_conmon_t)
+   init_stop_transient_units(podman_conmon_t)
init_start_system(podman_conmon_t)
init_stop_system(podman_conmon_t)
 ')



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2022-12-13 Thread Kenton Groombridge
commit: d800e3e8f46a54c1ab5b041deaafbe090b168c83
Author: Kenton Groombridge  concord  sh>
AuthorDate: Wed Dec  7 14:45:49 2022 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Tue Dec 13 19:07:29 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d800e3e8

hddtemp: add missing rules for interactive usage

Add missing rules required for hddtemp admins to interactively run
hddtemp.

Signed-off-by: Kenton Groombridge  concord.sh>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/services/hddtemp.if | 29 +
 policy/modules/services/hddtemp.te |  4 
 2 files changed, 33 insertions(+)

diff --git a/policy/modules/services/hddtemp.if 
b/policy/modules/services/hddtemp.if
index 269bafd18..2cecebd4e 100644
--- a/policy/modules/services/hddtemp.if
+++ b/policy/modules/services/hddtemp.if
@@ -19,6 +19,33 @@ interface(`hddtemp_domtrans',`
domtrans_pattern($1, hddtemp_exec_t, hddtemp_t)
 ')
 
+
+## 
+## Execute hddtemp in the hddtemp domain, and
+## allow the specified role the hdd domain.
+## 
+## 
+## 
+## Domain allowed to transition.
+## 
+## 
+## 
+## 
+## Role allowed access.
+## 
+## 
+## 
+#
+interface(`hddtemp_run',`
+   gen_require(`
+   type hddtemp_t;
+   ')
+
+   hddtemp_domtrans($1)
+   role $2 types hddtemp_t;
+')
+
+
 ##
 ## 
 ## Execute hddtemp in the caller domain.
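Review bot: The summary of the new `hddtemp_run` interface says `allow the specified role the hdd domain.`, but the domain it grants via `role $2 types hddtemp_t;` is the hddtemp domain, so the line should read `## allow the specified role the hddtemp domain.` to match the `hddtemp_domtrans` wording directly above it. The interface body itself follows the same shape as `opensm_run` and `glusterfs_run_daemon` elsewhere in this series and looks correct.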
@@ -60,6 +87,8 @@ interface(`hddtemp_admin',`
type hddtemp_t, hddtemp_etc_t, hddtemp_initrc_exec_t;
')
 
+   hddtemp_run($1, $2)
+
allow $1 hddtemp_t:process { ptrace signal_perms };
ps_process_pattern($1, hddtemp_t)
 

diff --git a/policy/modules/services/hddtemp.te 
b/policy/modules/services/hddtemp.te
index 35361704b..9357031f9 100644
--- a/policy/modules/services/hddtemp.te
+++ b/policy/modules/services/hddtemp.te
@@ -34,6 +34,8 @@ corenet_tcp_bind_generic_node(hddtemp_t)
 corenet_tcp_bind_hddtemp_port(hddtemp_t)
 corenet_sendrecv_hddtemp_server_packets(hddtemp_t)
 
+domain_use_interactive_fds(hddtemp_t)
+
 files_search_etc(hddtemp_t)
 files_read_usr_files(hddtemp_t)
 
@@ -45,3 +47,5 @@ auth_use_nsswitch(hddtemp_t)
 logging_send_syslog_msg(hddtemp_t)
 
 miscfiles_read_localization(hddtemp_t)
+
+userdom_use_user_terminals(hddtemp_t)



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2022-12-13 Thread Kenton Groombridge
commit: c3c8df115b607376bebaa6401e8839475ee93c3c
Author: Kenton Groombridge  concord  sh>
AuthorDate: Wed Dec  7 14:53:58 2022 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Tue Dec 13 19:07:33 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c3c8df11

container: add rules required for metallb BGP speakers

Signed-off-by: Kenton Groombridge  concord.sh>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/services/container.te | 4 
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/services/container.te 
b/policy/modules/services/container.te
index 458e392d9..534d6f4c5 100644
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@@ -425,6 +425,8 @@ corenet_tcp_sendrecv_generic_node(container_net_domain)
 corenet_udp_sendrecv_generic_node(container_net_domain)
 corenet_tcp_bind_generic_node(container_net_domain)
 corenet_udp_bind_generic_node(container_net_domain)
+# for metallb BGP speakers
+corenet_raw_bind_generic_node(container_net_domain)
 
 corenet_sendrecv_all_server_packets(container_net_domain)
 corenet_tcp_bind_all_ports(container_net_domain)
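Review bot: `corenet_raw_bind_generic_node(container_net_domain)` grants raw-socket bind to every networked container domain rather than only the metallb BGP speaker it is added for, and the second hunk's `fs_read_nsfs_files(container_t)` likewise applies to all of `container_t`. Raw socket binding is a broad network privilege, so if the engine can run the speaker under a dedicated container type, scoping these two rules to it (or placing them behind a tunable, as the glusterfs commit on this page does for policy modification) would keep the default container profile tighter. If no such type exists, extending the `# for metallb BGP speakers` comment to say the grant is deliberately fleet-wide would at least make the trade-off explicit.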
@@ -456,6 +458,8 @@ files_read_kernel_modules(container_t)
 
 fs_mount_cgroup(container_t)
 fs_rw_cgroup_files(container_t)
+# for metallb BGP speakers
+fs_read_nsfs_files(container_t)
 
 kernel_read_vm_overcommit_sysctl(container_t)
 



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, policy/modules/system/

2022-11-02 Thread Kenton Groombridge
commit: 0d854a362ee5625add66fcb2212d27a035639f48
Author: Kenton Groombridge  concord  sh>
AuthorDate: Sat Sep 24 17:51:14 2022 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Wed Nov  2 14:07:18 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0d854a36

glusterfs, selinuxutil: make modifying fcontexts a tunable

Signed-off-by: Kenton Groombridge  concord.sh>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/services/glusterfs.te | 26 +-
 policy/modules/system/selinuxutil.if | 36 
 policy/modules/system/selinuxutil.te | 11 +++
 3 files changed, 64 insertions(+), 9 deletions(-)

diff --git a/policy/modules/services/glusterfs.te 
b/policy/modules/services/glusterfs.te
index 690aa828a..85a55ed5b 100644
--- a/policy/modules/services/glusterfs.te
+++ b/policy/modules/services/glusterfs.te
@@ -1,5 +1,15 @@
 policy_module(glusterfs)
 
+## 
+## 
+## Allow the gluster daemon to automatically
+## add and remove file contexts from the local
+## SELinux policy when adding and removing
+## bricks.
+## 
+## 
+gen_tunable(glusterfs_modify_policy, false)
+
 
 #
 # Declarations
@@ -129,11 +139,17 @@ logging_send_syslog_msg(glusterd_t)
 miscfiles_read_generic_certs(glusterd_t)
 miscfiles_read_localization(glusterd_t)
 
-# needed by relabeling hooks when adding bricks
-seutil_domtrans_semanage(glusterd_t)
-seutil_exec_setfiles(glusterd_t)
-seutil_read_default_contexts(glusterd_t)
-
 userdom_dontaudit_search_user_runtime_root(glusterd_t)
 
 xdg_dontaudit_search_data_dirs(glusterd_t)
+
+tunable_policy(`glusterfs_modify_policy',`
+   # needed by relabeling hooks when adding bricks
+   seutil_domtrans_semanage(glusterd_t)
+   seutil_exec_setfiles(glusterd_t)
+   seutil_read_default_contexts(glusterd_t)
+',`
+   seutil_dontaudit_exec_semanage(glusterd_t)
+   seutil_dontaudit_exec_setfiles(glusterd_t)
+   seutil_dontaudit_read_file_contexts(glusterd_t)
+')
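Review bot: The `else` branch of the new `tunable_policy` is not the mirror image of the `if` branch: the allow side grants `seutil_read_default_contexts(glusterd_t)`, while the dontaudit side silences `seutil_dontaudit_read_file_contexts(glusterd_t)`, which covers a different object (file contexts rather than default contexts). If the goal is quiet logs when `glusterfs_modify_policy` is off, the dontaudit should correspond to the same reads the allow branch permits, or a comment should say why file-context reads are the ones expected when the hooks run without permission. Making the tunable default `false` is the right call for a daemon that would otherwise be able to rewrite local policy.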

diff --git a/policy/modules/system/selinuxutil.if 
b/policy/modules/system/selinuxutil.if
index c0735f2b8..30db6a094 100644
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
@@ -574,6 +574,24 @@ interface(`seutil_exec_setfiles',`
can_exec($1, setfiles_exec_t)
 ')
 
+
+## 
+## Do not audit attempts to execute setfiles.
+## 
+## 
+## 
+## Domain to not audit.
+## 
+## 
+#
+interface(`seutil_dontaudit_exec_setfiles',`
+   gen_require(`
+   type setfiles_exec_t;
+   ')
+
+   dontaudit $1 setfiles_exec_t:file exec_file_perms;
+')
+
 
 ## 
 ## Do not audit attempts to search the SELinux
@@ -1028,6 +1046,24 @@ interface(`seutil_run_semanage',`
roleattribute $2 semanage_roles;
 ')
 
+
+## 
+## Do not audit attempts to execute semanage.
+## 
+## 
+## 
+## Domain to not audit.
+## 
+## 
+#
+interface(`seutil_dontaudit_exec_semanage',`
+   gen_require(`
+   type semanage_exec_t;
+   ')
+
+   dontaudit $1 semanage_exec_t:file exec_file_perms;
+')
+
 
 ## 
 ## Read the semanage module store.

diff --git a/policy/modules/system/selinuxutil.te 
b/policy/modules/system/selinuxutil.te
index 14a17175f..2b823b543 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -209,8 +209,9 @@ ifdef(`distro_ubuntu',`
 ')
 
 optional_policy(`
-   # glusterd calls semanage fcontext
-   glusterfs_use_daemon_fds(load_policy_t)
+   tunable_policy(`glusterfs_modify_policy',`
+   glusterfs_use_daemon_fds(load_policy_t)
+   ')
 ')
 
 optional_policy(`
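Review bot: The comment `# glusterd calls semanage fcontext` is dropped while the rule it explained is kept inside the new `tunable_policy`; the wrapper by itself does not say why `load_policy_t` needs glusterd's file descriptors. Retaining it, e.g. `# glusterd calls semanage fcontext when glusterfs_modify_policy is on`, keeps the rationale next to the rule. The equivalent `glusterfs_use_daemon_fds(setfiles_t)` in the second hunk of this file would benefit from the same comment.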
@@ -695,11 +696,13 @@ ifdef(`distro_ubuntu',`
 ')
 
 optional_policy(`
-   apt_use_fds(setfiles_t)
+   tunable_policy(`glusterfs_modify_policy',`
+   glusterfs_use_daemon_fds(setfiles_t)
+   ')
 ')
 
 optional_policy(`
-   glusterfs_use_daemon_fds(setfiles_t)
+   apt_use_fds(setfiles_t)
 ')
 
 optional_policy(`



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2022-11-02 Thread Kenton Groombridge
commit: 42804a679a2ca17bb67d9c0cb887202f95d105ee
Author: Kenton Groombridge  concord  sh>
AuthorDate: Mon Sep 26 21:00:18 2022 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Wed Nov  2 14:07:20 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=42804a67

glusterfs: add type for glusterd hooks

Add a private type for glusterd hooks in order to enforce W^X for them.

Signed-off-by: Kenton Groombridge  concord.sh>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/services/glusterfs.fc | 1 +
 policy/modules/services/glusterfs.if | 3 ++-
 policy/modules/services/glusterfs.te | 8 
 3 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/policy/modules/services/glusterfs.fc 
b/policy/modules/services/glusterfs.fc
index 158a4a85e..50bd93604 100644
--- a/policy/modules/services/glusterfs.fc
+++ b/policy/modules/services/glusterfs.fc
@@ -12,6 +12,7 @@
 /opt/glusterfs/[^/]+/sbin/glusterfsd   --  
gen_context(system_u:object_r:glusterd_exec_t,s0)
 
 /var/lib/gluster.* 
gen_context(system_u:object_r:glusterd_var_lib_t,s0)
+/var/lib/glusterd/hooks(/.*)?  
gen_context(system_u:object_r:glusterd_hook_t,s0)
 
 /var/log/glusterfs(/.*)?   
gen_context(system_u:object_r:glusterd_log_t,s0)
 

diff --git a/policy/modules/services/glusterfs.if 
b/policy/modules/services/glusterfs.if
index 5e6af0ecc..ab5c8a4da 100644
--- a/policy/modules/services/glusterfs.if
+++ b/policy/modules/services/glusterfs.if
@@ -105,7 +105,7 @@ interface(`glusterfs_admin',`
gen_require(`
type glusterd_t, glusterd_initrc_exec_t, glusterd_log_t;
type glusterd_tmp_t, glusterd_conf_t, glusterd_var_lib_t;
-   type glusterd_runtime_t, glusterd_brick_t;
+   type glusterd_hook_t, glusterd_runtime_t, glusterd_brick_t;
')
 
glusterfs_run_daemon($1, $2)
@@ -128,6 +128,7 @@ interface(`glusterfs_admin',`
 
files_search_var_lib($1)
admin_pattern($1, glusterd_var_lib_t)
+   admin_pattern($1, glusterd_hook_t)
 
files_search_runtime($1)
admin_pattern($1, glusterd_runtime_t)

diff --git a/policy/modules/services/glusterfs.te 
b/policy/modules/services/glusterfs.te
index 85a55ed5b..c46215be1 100644
--- a/policy/modules/services/glusterfs.te
+++ b/policy/modules/services/glusterfs.te
@@ -40,6 +40,9 @@ files_type(glusterd_var_lib_t)
 type glusterd_brick_t;
 files_type(glusterd_brick_t)
 
+type glusterd_hook_t;
+files_type(glusterd_hook_t)
+
 
 #
 # Local policy
@@ -77,6 +80,11 @@ manage_files_pattern(glusterd_t, glusterd_var_lib_t, 
glusterd_var_lib_t)
 manage_lnk_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
 files_var_lib_filetrans(glusterd_t, glusterd_var_lib_t, dir)
 
+list_dirs_pattern(glusterd_t, glusterd_hook_t, glusterd_hook_t)
+read_files_pattern(glusterd_t, glusterd_hook_t, glusterd_hook_t)
+read_lnk_files_pattern(glusterd_t, glusterd_hook_t, glusterd_hook_t)
+can_exec(glusterd_t, glusterd_hook_t)
+
 manage_dirs_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
 manage_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
 manage_chr_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2022-11-02 Thread Kenton Groombridge
commit: 74c032778f9f1d5b0b4f3af6d91c297fef7f15ea
Author: Kenton Groombridge  concord  sh>
AuthorDate: Sat Sep 24 04:59:10 2022 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Wed Nov  2 14:07:13 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=74c03277

glusterfs: various fixes

Signed-off-by: Kenton Groombridge  concord.sh>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/services/glusterfs.fc | 12 ---
 policy/modules/services/glusterfs.if | 70 
 policy/modules/services/glusterfs.te | 47 ++--
 3 files changed, 114 insertions(+), 15 deletions(-)

diff --git a/policy/modules/services/glusterfs.fc 
b/policy/modules/services/glusterfs.fc
index 8e538dc8e..158a4a85e 100644
--- a/policy/modules/services/glusterfs.fc
+++ b/policy/modules/services/glusterfs.fc
@@ -1,7 +1,7 @@
 /etc/rc\.d/init\.d/gluster.*   --  
gen_context(system_u:object_r:glusterd_initrc_exec_t,s0)
 
-/etc/glusterfs(/.*)?   gen_context(system_u:object_r:glusterd_conf_t,s0)
-/etc/glusterd(/.*)?gen_context(system_u:object_r:glusterd_conf_t,s0)
+/etc/glusterfs(/.*)?   
gen_context(system_u:object_r:glusterd_conf_t,s0)
+/etc/glusterd(/.*)?
gen_context(system_u:object_r:glusterd_conf_t,s0)
 
 /usr/bin/glusterd  --  
gen_context(system_u:object_r:glusterd_initrc_exec_t,s0)
 /usr/bin/glusterfsd--  
gen_context(system_u:object_r:glusterd_exec_t,s0)
@@ -11,9 +11,11 @@
 
 /opt/glusterfs/[^/]+/sbin/glusterfsd   --  
gen_context(system_u:object_r:glusterd_exec_t,s0)
 
-/var/lib/gluster.* gen_context(system_u:object_r:glusterd_var_lib_t,s0)
+/var/lib/gluster.* 
gen_context(system_u:object_r:glusterd_var_lib_t,s0)
 
-/var/log/glusterfs(/.*)?   gen_context(system_u:object_r:glusterd_log_t,s0)
+/var/log/glusterfs(/.*)?   
gen_context(system_u:object_r:glusterd_log_t,s0)
 
-/run/glusterd(/.*)?gen_context(system_u:object_r:glusterd_runtime_t,s0)
+/run/gluster(/.*)? 
gen_context(system_u:object_r:glusterd_runtime_t,s0)
+/run/glusterd(/.*)?
gen_context(system_u:object_r:glusterd_runtime_t,s0)
 /run/glusterd\.pid --  
gen_context(system_u:object_r:glusterd_runtime_t,s0)
+/run/glusterd\.socket  -s  
gen_context(system_u:object_r:glusterd_runtime_t,s0)

diff --git a/policy/modules/services/glusterfs.if 
b/policy/modules/services/glusterfs.if
index 27c6bd6f7..b2b485ede 100644
--- a/policy/modules/services/glusterfs.if
+++ b/policy/modules/services/glusterfs.if
@@ -1,5 +1,71 @@
 ## Cluster File System binary, daemon and command line.
 
+
+## 
+## Execute glusterd in the glusterd domain.
+## 
+## 
+## 
+## Domain allowed to transition.
+## 
+## 
+#
+interface(`glusterfs_domtrans_daemon',`
+   gen_require(`
+   type glusterd_t, glusterd_exec_t;
+   ')
+
+   corecmd_search_bin($1)
+   domtrans_pattern($1, glusterd_exec_t, glusterd_t)
+')
+
+
+## 
+## Execute glusterd in the glusterd domain, and
+## allow the specified role the glusterd domain.
+## 
+## 
+## 
+## Domain allowed to transition.
+## 
+## 
+## 
+## 
+## Role allowed access.
+## 
+## 
+## 
+#
+interface(`glusterfs_run_daemon',`
+   gen_require(`
+   type glusterd_t;
+   ')
+
+   glusterfs_domtrans_daemon($1)
+   role $2 types glusterd_t;
+')
+
+
+## 
+## Connect to glusterd over a unix stream socket.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`glusterfs_stream_connect_daemon',`
+   gen_require(`
+   type glusterd_t;
+   type glusterd_runtime_t;
+   ')
+
+   files_search_runtime($1)
+   stream_connect_pattern($1, glusterd_runtime_t, glusterd_runtime_t, 
glusterd_t)
+   allow $1 glusterd_runtime_t:sock_file read_sock_file_perms;
+')
+
 
 ## 
 ## All of the rules required to
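Review bot: In `glusterfs_stream_connect_daemon`, the extra `allow $1 glusterd_runtime_t:sock_file read_sock_file_perms;` sits oddly next to `stream_connect_pattern`, which already grants the socket-file write access a client needs to connect; read permission on a sock file is rarely required by a connecting client. If a specific denial drove it, a comment naming the operation would justify the wider grant; otherwise the line can probably be dropped. The other two new interfaces follow the standard domtrans/run pattern and look fine.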
@@ -24,11 +90,15 @@ interface(`glusterfs_admin',`
type glusterd_runtime_t;
')
 
+   glusterfs_run_daemon($1, $2)
+
init_startstop_service($1, $2, glusterd_t, glusterd_initrc_exec_t)
 
allow $1 glusterd_t:process { ptrace signal_perms };
ps_process_pattern($1, glusterd_t)
 
+   glusterfs_stream_connect_daemon($1)
+
files_search_etc($1)
admin_pattern($1, glusterd_conf_t)
 

diff --git a/policy/modules/services/glusterfs.te 
b/policy/modules/services/glusterfs.te
index de4f9baea..2d94845d9 100644
--- a/policy/modules/services/glusterfs.te
+++ b/policy/modules/services/glusterfs.te
@@ -32,11 +32,11 @@ files_type(glusterd_var_lib_t)
 # Local policy
 #
 
-allow glusterd_t self:capability { chown dac_override dac_read_search fowner 
sys_admin sys_resource };
-allow glusterd_t 

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2022-11-02 Thread Kenton Groombridge
commit: 22d7dd88e5e3463edc65c36b2262ab9a22746fd2
Author: Yi Zhao  windriver  com>
AuthorDate: Fri Jul  3 02:32:41 2020 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Wed Nov  2 14:07:22 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=22d7dd88

radius: fixes for freeradius

* Add dac_read_search capability to radiusd_t
* Add getcap to radiusd_t process

Fixes:
avc: denied { dac_read_search } for pid=473 comm="radiusd" capability=2
scontext=system_u:system_r:radiusd_t
tcontext=system_u:system_r:radiusd_t tclass=capability permissive=1

avc: denied { getcap } for pid=473 comm="radiusd"
scontext=system_u:system_r:radiusd_t
tcontext=system_u:system_r:radiusd_t tclass=process permissive=1

Signed-off-by: Yi Zhao  windriver.com>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/services/radius.te | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/services/radius.te 
b/policy/modules/services/radius.te
index e5d37e722..8ac766c39 100644
--- a/policy/modules/services/radius.te
+++ b/policy/modules/services/radius.te
@@ -32,9 +32,9 @@ files_type(radiusd_var_lib_t)
 # Local policy
 #
 
-allow radiusd_t self:capability { chown dac_override fsetid kill setgid setuid 
sys_resource sys_tty_config };
+allow radiusd_t self:capability { chown dac_override dac_read_search fsetid 
kill setgid setuid sys_resource sys_tty_config };
 dontaudit radiusd_t self:capability sys_tty_config;
-allow radiusd_t self:process { getsched setrlimit setsched sigkill signal };
+allow radiusd_t self:process { getcap getsched setrlimit setsched sigkill 
signal };
 allow radiusd_t self:fifo_file rw_fifo_file_perms;
 allow radiusd_t self:unix_stream_socket { accept listen };
 allow radiusd_t self:tcp_socket { accept listen };



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2022-11-02 Thread Kenton Groombridge
commit: 44a2c3d605250b5c60034683bbcf5eaed59981d5
Author: Kenton Groombridge  concord  sh>
AuthorDate: Sat Sep 24 05:32:41 2022 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Wed Nov  2 14:07:14 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=44a2c3d6

glusterfs: add type for gluster bricks

Signed-off-by: Kenton Groombridge  concord.sh>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/services/glusterfs.if |  6 +-
 policy/modules/services/glusterfs.te | 10 ++
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/policy/modules/services/glusterfs.if 
b/policy/modules/services/glusterfs.if
index b2b485ede..328818ad3 100644
--- a/policy/modules/services/glusterfs.if
+++ b/policy/modules/services/glusterfs.if
@@ -87,7 +87,7 @@ interface(`glusterfs_admin',`
gen_require(`
type glusterd_t, glusterd_initrc_exec_t, glusterd_log_t;
type glusterd_tmp_t, glusterd_conf_t, glusterd_var_lib_t;
-   type glusterd_runtime_t;
+   type glusterd_runtime_t, glusterd_brick_t;
')
 
glusterfs_run_daemon($1, $2)
@@ -113,4 +113,8 @@ interface(`glusterfs_admin',`
 
files_search_runtime($1)
admin_pattern($1, glusterd_runtime_t)
+
+   # searching var for /srv
+   files_search_var($1)
+   admin_pattern($1, glusterd_brick_t)
 ')
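Review bot: The comment `# searching var for /srv` does not explain itself: `/srv` is not under `/var`, so either the bricks on the author's systems live somewhere below `/var` (in which case the comment should name that path) or `files_search_var($1)` is there for another reason. No file context for `glusterd_brick_t` is added on this page, so a reader cannot resolve it; rewording to `# bricks live under /var/<path>; search var so admin_pattern can reach them` (path to be filled in), or swapping in the search interface for the real parent directory, would make `admin_pattern($1, glusterd_brick_t)` reachable for the intended location. `glusterfs_admin` begins before this hunk.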

diff --git a/policy/modules/services/glusterfs.te 
b/policy/modules/services/glusterfs.te
index 2d94845d9..690aa828a 100644
--- a/policy/modules/services/glusterfs.te
+++ b/policy/modules/services/glusterfs.te
@@ -27,6 +27,9 @@ files_tmp_file(glusterd_tmp_t)
 type glusterd_var_lib_t;
 files_type(glusterd_var_lib_t)
 
+type glusterd_brick_t;
+files_type(glusterd_brick_t)
+
 
 #
 # Local policy
@@ -64,6 +67,13 @@ manage_files_pattern(glusterd_t, glusterd_var_lib_t, 
glusterd_var_lib_t)
 manage_lnk_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
 files_var_lib_filetrans(glusterd_t, glusterd_var_lib_t, dir)
 
+manage_dirs_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
+manage_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
+manage_chr_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
+manage_fifo_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
+manage_lnk_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
+manage_sock_files_pattern(glusterd_t, glusterd_brick_t, glusterd_brick_t)
+
 can_exec(glusterd_t, glusterd_exec_t)
 
 corenet_all_recvfrom_netlabel(glusterd_t)



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2022-11-02 Thread Kenton Groombridge
commit: c9c22b083349a39d29ab0e530e9a4545fe7e7708
Author: Kenton Groombridge  concord  sh>
AuthorDate: Mon Sep 19 23:06:34 2022 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Wed Nov  2 14:07:03 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c9c22b08

zfs: various fixes

Minor fixes for ZFS, including allowing Zed to use sendmail and write
LED statuses to enclosure devices.

Signed-off-by: Kenton Groombridge  concord.sh>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/services/zfs.te | 47 +++---
 1 file changed, 44 insertions(+), 3 deletions(-)

diff --git a/policy/modules/services/zfs.te b/policy/modules/services/zfs.te
index 05e0d3e5f..519295e96 100644
--- a/policy/modules/services/zfs.te
+++ b/policy/modules/services/zfs.te
@@ -50,39 +50,49 @@ files_runtime_filetrans(zed_t, zfs_runtime_t, file)
 corecmd_exec_bin(zed_t)
 corecmd_exec_shell(zed_t)
 
-dev_read_sysfs(zed_t)
+dev_rw_sysfs(zed_t)
 
 files_search_etc(zed_t)
 
+kernel_read_system_state(zed_t)
 kernel_read_vm_overcommit_sysctl(zed_t)
 
 storage_raw_rw_fixed_disk(zed_t)
 
 auth_use_nsswitch(zed_t)
 
+hostname_exec(zed_t)
+
 logging_send_syslog_msg(zed_t)
 
 miscfiles_read_localization(zed_t)
 
 udev_search_runtime(zed_t)
 
+zfs_rw_zpool_cache(zed_t)
+
 
 #
 # zfs local policy
 #
 
-allow zfs_t self:process getsched;
-allow zfs_t self:capability sys_admin;
+allow zfs_t self:process { getsched signull };
+allow zfs_t self:capability { sys_admin sys_rawio };
 allow zfs_t self:fifo_file rw_fifo_file_perms;
 
 list_dirs_pattern(zfs_t, zfs_config_t, zfs_config_t)
 read_files_pattern(zfs_t, zfs_config_t, zfs_config_t)
 read_lnk_files_pattern(zfs_t, zfs_config_t, zfs_config_t)
 
+manage_files_pattern(zfs_t, zfs_runtime_t, zfs_runtime_t)
+files_runtime_filetrans(zfs_t, zfs_runtime_t, file)
+
 # to execute scripts in /usr/libexec/zfs
 corecmd_exec_bin(zfs_t)
 corecmd_exec_shell(zfs_t)
 
+dev_delete_generic_symlinks(zfs_t)
+dev_getattr_sysfs(zfs_t)
 dev_read_sysfs(zfs_t)
 
 domain_use_interactive_fds(zfs_t)
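Review bot: `dev_rw_sysfs(zed_t)` widens zed from reading to writing all of sysfs, and the justification (writing LED state to enclosure devices) appears only in the commit message; it should sit next to the rule, e.g. `# writes enclosure LED state under /sys`. The same applies to `dev_delete_generic_symlinks(zfs_t)` in this hunk and to `allow zed_mail_t self:capability { dac_override dac_read_search };` in the last hunk, where a mail helper holding `dac_override` is surprising enough that the file should record which files it must bypass DAC to reach. The two `storage_dontaudit_*` lines in the mail block suggest inherited descriptors; a comment saying so would save the next reader from re-deriving it.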
@@ -104,6 +114,8 @@ kernel_read_kernel_sysctls(zfs_t)
 
 storage_raw_rw_fixed_disk(zfs_t)
 
+udev_read_runtime_files(zfs_t)
+
 miscfiles_read_localization(zfs_t)
 
 auth_use_nsswitch(zfs_t)
@@ -112,9 +124,38 @@ mount_exec(zfs_t)
 
 userdom_use_user_terminals(zfs_t)
 
+zfs_rw_zpool_cache(zfs_t)
+
 optional_policy(`
kernel_rw_rpc_sysctls(zfs_t)
 
rpc_manage_nfs_state_data(zfs_t)
rpc_read_exports(zfs_t)
 ')
+
+###
+#
+# Mail local policy
+#
+
+optional_policy(`
+   mta_base_mail_template(zed)
+   role system_r types zed_mail_t;
+
+   allow zed_mail_t zed_t:fd use;
+   allow zed_mail_t zed_t:fifo_file rw_fifo_file_perms;
+   allow zed_mail_t zed_t:process sigchld;
+
+   manage_dirs_pattern(zed_t, zed_mail_tmp_t, zed_mail_tmp_t)
+   manage_files_pattern(zed_t, zed_mail_tmp_t, zed_mail_tmp_t)
+   files_tmp_filetrans(zed_t, zed_mail_tmp_t, { dir file })
+
+   allow zfs_t zed_mail_tmp_t:file write_file_perms;
+
+   mta_sendmail_domtrans(zed_t, zed_mail_t)
+
+   allow zed_mail_t self:capability { dac_override dac_read_search };
+
+   storage_dontaudit_read_fixed_disk(zed_mail_t)
+   storage_dontaudit_write_fixed_disk(zed_mail_t)
+')



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2022-11-02 Thread Kenton Groombridge
commit: b806992f1bc6fa8187730296a708320ee0e18266
Author: Kenton Groombridge  concord  sh>
AuthorDate: Sat Sep 24 04:09:19 2022 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Wed Nov  2 14:07:09 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b806992f

opensm: initial policy

Signed-off-by: Kenton Groombridge  concord.sh>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/services/opensm.fc | 10 +
 policy/modules/services/opensm.if | 86 +++
 policy/modules/services/opensm.te | 45 
 3 files changed, 141 insertions(+)

diff --git a/policy/modules/services/opensm.fc 
b/policy/modules/services/opensm.fc
new file mode 100644
index 0..6d9566bb1
--- /dev/null
+++ b/policy/modules/services/opensm.fc
@@ -0,0 +1,10 @@
+/usr/bin/opensm--  gen_context(system_u:object_r:opensm_exec_t,s0)
+
+/usr/sbin/opensm   --  gen_context(system_u:object_r:opensm_exec_t,s0)
+
+/etc/opensm(/.*)?  gen_context(system_u:object_r:opensm_conf_t,s0)
+
+/var/cache/opensm(/.*)?
gen_context(system_u:object_r:opensm_cache_t,s0)
+
+/var/log/opensm\.log   --  gen_context(system_u:object_r:opensm_log_t,s0)
+/var/log/opensm-subnet\.lst--  
gen_context(system_u:object_r:opensm_log_t,s0)

diff --git a/policy/modules/services/opensm.if 
b/policy/modules/services/opensm.if
new file mode 100644
index 0..47664ce15
--- /dev/null
+++ b/policy/modules/services/opensm.if
@@ -0,0 +1,86 @@
+## OpenSM is a software implementation of an InfiniBand subnet 
manager.
+
+
+## 
+## Execute opensm in the opensm domain.
+## 
+## 
+## 
+## Domain allowed to transition.
+## 
+## 
+#
+interface(`opensm_domtrans',`
+   gen_require(`
+   type opensm_t, opensm_exec_t;
+   ')
+
+   corecmd_search_bin($1)
+   domtrans_pattern($1, opensm_exec_t, opensm_t)
+')
+
+
+## 
+## Execute opensm in the opensm domain, and
+## allow the specified role the opensm domain.
+## 
+## 
+## 
+## Domain allowed to transition.
+## 
+## 
+## 
+## 
+## Role allowed access.
+## 
+## 
+## 
+#
+interface(`opensm_run',`
+   gen_require(`
+   type opensm_t;
+   ')
+
+   opensm_domtrans($1)
+   role $2 types opensm_t;
+')
+
+
+
+## 
+## All of the rules required to administrate
+## an opensm environment.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+## 
+## 
+## Role allowed access.
+## 
+## 
+## 
+#
+interface(`opensm_admin',`
+   gen_require(`
+   type opensm_t;
+   type opensm_conf_t, opensm_cache_t;
+   type opensm_log_t;
+   ')
+
+   opensm_run($1, $2)
+
+   allow $1 opensm_t:process { ptrace signal_perms };
+   ps_process_pattern($1, opensm_t)
+
+   files_search_etc($1)
+   admin_pattern($1, opensm_conf_t)
+
+   files_search_var($1)
+   admin_pattern($1, opensm_cache_t)
+
+   logging_search_logs($1)
+   admin_pattern($1, opensm_log_t)
+')
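Review bot: `opensm_admin` gives the role a domain transition via `opensm_run($1, $2)` but never calls `init_startstop_service`, so the admin can launch opensm by hand yet cannot start or stop it as a service; the other admin interfaces in this tree follow that pattern (compare `init_startstop_service($1, $2, firewalld_t, firewalld_initrc_exec_t)` in firewalld_admin). If opensm ships a unit or init script, add an `init_startstop_service($1, $2, opensm_t, ...)` call after `opensm_run`; if it is meant to be run only by hand, a one-line comment saying so would stop the omission being read as an oversight.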

diff --git a/policy/modules/services/opensm.te 
b/policy/modules/services/opensm.te
new file mode 100644
index 0..1d5c2f57d
--- /dev/null
+++ b/policy/modules/services/opensm.te
@@ -0,0 +1,45 @@
+policy_module(opensm)
+
+
+#
+# Declarations
+#
+
+type opensm_t;
+type opensm_exec_t;
+init_daemon_domain(opensm_t, opensm_exec_t)
+
+type opensm_conf_t;
+files_config_file(opensm_conf_t)
+
+type opensm_cache_t;
+files_type(opensm_cache_t)
+
+type opensm_log_t;
+logging_log_file(opensm_log_t)
+
+
+#
+# opensm local policy
+#
+
+allow opensm_t self:process { getsched signal };
+allow opensm_t self:unix_dgram_socket create_socket_perms;
+
+read_files_pattern(opensm_t, opensm_conf_t, opensm_conf_t)
+
+manage_dirs_pattern(opensm_t, opensm_cache_t, opensm_cache_t)
+manage_files_pattern(opensm_t, opensm_cache_t, opensm_cache_t)
+files_var_filetrans(opensm_t, opensm_cache_t, dir)
+
+create_files_pattern(opensm_t, opensm_log_t, opensm_log_t)
+append_files_pattern(opensm_t, opensm_log_t, opensm_log_t)
+rw_files_pattern(opensm_t, opensm_log_t, opensm_log_t)
+logging_log_filetrans(opensm_t, opensm_log_t, file)
+
+dev_read_sysfs(opensm_t)
+dev_rw_infiniband(opensm_t)
+
+logging_send_syslog_msg(opensm_t)
+
+miscfiles_read_localization(opensm_t)
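Review bot: `append_files_pattern(opensm_t, opensm_log_t, opensm_log_t)` is subsumed by the `rw_files_pattern` call on the next line (rw_file_perms already includes append), so one of the two is dead. Granting read/write rather than append on a log type also lets the daemon truncate or rewrite its own log; if that is needed only because `/var/log/opensm-subnet.lst` is regenerated rather than appended, say so with a comment such as `# opensm-subnet.lst is rewritten, not appended`, or give that file its own type so `/var/log/opensm.log` stays append-only.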



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2022-11-02 Thread Kenton Groombridge
commit: d517c019baf5d3610277a30198bc6d6583024353
Author: Kenton Groombridge  concord  sh>
AuthorDate: Mon Sep 19 23:38:51 2022 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Wed Nov  2 14:07:04 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d517c019

mta: add support for nullmailer

Signed-off-by: Kenton Groombridge  concord.sh>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/services/mta.fc | 2 ++
 policy/modules/services/mta.te | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/policy/modules/services/mta.fc b/policy/modules/services/mta.fc
index 66634b0c7..f5738937f 100644
--- a/policy/modules/services/mta.fc
+++ b/policy/modules/services/mta.fc
@@ -38,3 +38,5 @@ HOME_DIR/\.maildir(/.*)?  
gen_context(system_u:object_r:mail_home_rw_t,s0)
 /var/spool/(client)?mqueue(/.*)?   
gen_context(system_u:object_r:mqueue_spool_t,s0)
 /var/spool/mqueue\.in(/.*)?gen_context(system_u:object_r:mqueue_spool_t,s0)
 /var/spool/mail(/.*)?  gen_context(system_u:object_r:mail_spool_t,s0)
+/var/spool/nullmailer(/.*)?gen_context(system_u:object_r:mail_spool_t,s0)
+/var/spool/nullmailer/queue(/.*)?  
gen_context(system_u:object_r:mqueue_spool_t,s0)

diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
index e68a6bb75..bcdc903bb 100644
--- a/policy/modules/services/mta.te
+++ b/policy/modules/services/mta.te
@@ -69,6 +69,8 @@ read_files_pattern(user_mail_domain, { etc_mail_t 
etc_aliases_t }, { etc_mail_t
 
 manage_files_pattern(user_mail_domain, { mqueue_spool_t mail_spool_t }, { 
mqueue_spool_t mail_spool_t })
 read_lnk_files_pattern(user_mail_domain, { mqueue_spool_t mail_spool_t }, { 
mqueue_spool_t mail_spool_t })
+# allow IPC with nullmailer via /var/spool/nullmailer/trigger
+allow user_mail_domain mail_spool_t:fifo_file rw_fifo_file_perms;
 
 allow user_mail_domain sendmail_exec_t:lnk_file read_lnk_file_perms;
 
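Review bot: `allow user_mail_domain mail_spool_t:fifo_file rw_fifo_file_perms;` is broader than its comment: mail_spool_t also labels `/var/spool/mail(/.*)?` (the line above the new entries in mta.fc), so every user mail domain gains read/write on any FIFO under the mailbox spool, not just the nullmailer trigger. Labelling the trigger itself with its own type in mta.fc (a `-p` entry for `/var/spool/nullmailer/trigger`) and allowing rw on that type would keep the grant to the one object the comment names. If the shared type is intentional, extending the comment to note that the rule applies spool-wide would help.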



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2022-09-03 Thread Kenton Groombridge
commit: 139f4bb39aea6b202996abebe7581f1479e9fdf1
Author: Kenton Groombridge  gentoo  org>
AuthorDate: Fri Nov 12 01:24:07 2021 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Sat Sep  3 20:04:27 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=139f4bb3

apache: add gentoo-specific interface to map httpd sys content

Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/services/apache.if | 20 
 1 file changed, 20 insertions(+)

diff --git a/policy/modules/services/apache.if 
b/policy/modules/services/apache.if
index 2b3a7f3c..8daa613b 100644
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@@ -1466,3 +1466,23 @@ interface(`apache_rw_runtime_files',`
 
allow $1 httpd_runtime_t:file rw_file_perms;
 ')
+
+
+## 
+## Map httpd sys content files.
+## This interface is Gentoo-specific.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`apache_map_sys_content',`
+   gen_require(`
+   type httpd_sys_content_t, httpd_sys_rw_content_t;
+   ')
+
+   allow $1 httpd_sys_content_t:file map;
+   allow $1 httpd_sys_rw_content_t:file map;
+')
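Review bot: the summary says only "Map httpd sys content files" while the interface also grants `map` on httpd_sys_rw_content_t, so a caller going by the name `apache_map_sys_content` will not expect writable content to be included. Either state it in the summary (`## Map httpd sys content and sys rw content files.`) or split the rw half into its own interface so callers that only need read-only content do not pick up map on writable files. A domain that can both write and map a type can mmap its own writes, which is the kind of grant worth keeping narrow.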



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2022-09-03 Thread Jason Zaman
commit: d958a662e13f1aaab708bc86cc260e6b582196a0
Author: Dave Sugar  gmail  com>
AuthorDate: Fri Aug 26 18:12:30 2022 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Sep  3 19:07:50 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d958a662

firewalld: firewalld-cmd uses dbus

node=localhost type=USER_AVC msg=audit(1661536843.099:11666): pid=1037 uid=81 
auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0 
msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:firewalld_t:s0 
tcontext=toor_u:sysadm_r:sysadm_t:s0 tclass=dbus permissive=1  
exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" 
AUID="unset" SAUID="dbus"
node=localhost type=USER_AVC msg=audit(1661536101.833:8373): pid=1037 uid=81 
auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0 
msg='avc:  denied  { send_msg } for  scontext=toor_u:sysadm_r:sysadm_t:s0 
tcontext=system_u:system_r:firewalld_t:s0 tclass=dbus permissive=0  
exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" 
AUID="unset" SAUID="dbus"

Signed-off-by: Dave Sugar  gmail.com>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/services/firewalld.if | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/services/firewalld.if 
b/policy/modules/services/firewalld.if
index 4a65cecd..e77b88f8 100644
--- a/policy/modules/services/firewalld.if
+++ b/policy/modules/services/firewalld.if
@@ -105,6 +105,8 @@ interface(`firewalld_admin',`
allow $1 firewalld_t:process { ptrace signal_perms };
ps_process_pattern($1, firewalld_t)
 
+   firewalld_dbus_chat($1)
+
init_startstop_service($1, $2, firewalld_t, firewalld_initrc_exec_t)
 
files_search_runtime($1)



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, config/appconfig-mls/, config/appconfig-mcs/, ...

2022-09-03 Thread Jason Zaman
commit: a9fe3da3996138ab9d9a7b634bdf072d84c95187
Author: Jason Zaman  gentoo  org>
AuthorDate: Sat Sep  3 19:42:40 2022 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Sep  3 19:42:40 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a9fe3da3

xserver: Revert the rest of the sddm changes

Tried a partial revert in order to match upstream but validation still
fails so fully revert again.

Signed-off-by: Jason Zaman  gentoo.org>

 config/appconfig-mcs/xdm_default_contexts  |  1 -
 config/appconfig-mls/xdm_default_contexts  |  1 -
 config/appconfig-standard/xdm_default_contexts |  1 -
 policy/modules/services/xserver.te | 11 ---
 4 files changed, 14 deletions(-)

diff --git a/config/appconfig-mcs/xdm_default_contexts 
b/config/appconfig-mcs/xdm_default_contexts
deleted file mode 100644
index 08c88c0f..
--- a/config/appconfig-mcs/xdm_default_contexts
+++ /dev/null
@@ -1 +0,0 @@
-system_r:xdm_t:s0  system_r:xdm_t:s0

diff --git a/config/appconfig-mls/xdm_default_contexts 
b/config/appconfig-mls/xdm_default_contexts
deleted file mode 100644
index 08c88c0f..
--- a/config/appconfig-mls/xdm_default_contexts
+++ /dev/null
@@ -1 +0,0 @@
-system_r:xdm_t:s0  system_r:xdm_t:s0

diff --git a/config/appconfig-standard/xdm_default_contexts 
b/config/appconfig-standard/xdm_default_contexts
deleted file mode 100644
index af1cb2e7..
--- a/config/appconfig-standard/xdm_default_contexts
+++ /dev/null
@@ -1 +0,0 @@
-system_r:xdm_t system_r:xdm_t

diff --git a/policy/modules/services/xserver.te 
b/policy/modules/services/xserver.te
index 24cea45b..347e96c2 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -62,10 +62,6 @@ gen_tunable(xserver_object_manager, false)
 ## 
 gen_tunable(xserver_allow_dri, false)
 
-# for sddm to use pam for greeter
-role xdm_r;
-allow system_r xdm_r;
-
 attribute x_domain;
 
 # X Events
@@ -149,7 +145,6 @@ fs_associate_tmpfs(xconsole_device_t)
 files_associate_tmp(xconsole_device_t)
 
 type xdm_t;
-role xdm_r types xdm_t;
 type xdm_exec_t;
 auth_login_pgm_domain(xdm_t)
 init_domain(xdm_t, xdm_exec_t)
@@ -848,9 +843,6 @@ manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
 manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
 manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
 
-# for sddm to use pam for greeter, sddm greeter needs execmod
-allow xdm_t xdm_tmpfs_t:file execmod;
-
 # Run Xorg.wrap
 can_exec(xserver_t, xserver_exec_t)
 
@@ -1054,6 +1046,3 @@ ifdef(`distro_gentoo',`
cgmanager_stream_connect(xdm_t)
')
 ')
-
-# for sddm to use pam for greeter
-gen_user(xdm,, xdm_r, s0, s0)



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2022-09-03 Thread Jason Zaman
commit: 2053dfa53a3559bc91514f6e05c206850d289e7e
Author: Dave Sugar  gmail  com>
AuthorDate: Thu Aug 25 23:19:24 2022 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Sep  3 19:07:50 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2053dfa5

firewalld: allow to load kernel modules

node=localhost type=AVC msg=audit(1661468040.428:439): avc:  denied  { 
module_request } for  pid=1009 comm="firewalld" kmod="nft-chain-1-nat" 
scontext=system_u:system_r:firewalld_t:s0 
tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0

Signed-off-by: Dave Sugar  gmail.com>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/services/firewalld.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/services/firewalld.te 
b/policy/modules/services/firewalld.te
index 099dc32e..a32e4b93 100644
--- a/policy/modules/services/firewalld.te
+++ b/policy/modules/services/firewalld.te
@@ -57,6 +57,7 @@ files_runtime_filetrans(firewalld_t, firewalld_runtime_t, { 
dir file })
 kernel_read_crypto_sysctls(firewalld_t)
 kernel_read_network_state(firewalld_t)
 kernel_read_system_state(firewalld_t)
+kernel_request_load_module(firewalld_t)
 kernel_rw_net_sysctls(firewalld_t)
 
 corecmd_exec_bin(firewalld_t)
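Review bot: `kernel_request_load_module(firewalld_t)` has no comment tying it to the `nft-chain-*` alias in the quoted denial, and module_request lets the domain ask the kernel to modprobe any alias name it chooses, so the rule is easy to carry forward without anyone remembering why. A short comment such as `# nftables chain types are autoloaded via nft-chain-* module aliases` keeps the reason attached to the grant.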



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2022-09-03 Thread Jason Zaman
commit: a5a8129939bf361112055e25a0e55531bbbe20b9
Author: Dave Sugar  gmail  com>
AuthorDate: Thu Aug 25 13:31:22 2022 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Sep  3 19:07:50 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a5a81299

firewalld: create netfilter socket

node=localhost type=AVC msg=audit(1661396059.060:376): avc:  denied  { create } 
for  pid=1014 comm="firewalld" scontext=system_u:system_r:firewalld_t:s0 
tcontext=system_u:system_r:firewalld_t:s0 tclass=netlink_netfilter_socket 
permissive=1
node=localhost type=AVC msg=audit(1661396059.060:377): avc:  denied  { setopt } 
for  pid=1014 comm="firewalld" scontext=system_u:system_r:firewalld_t:s0 
tcontext=system_u:system_r:firewalld_t:s0 tclass=netlink_netfilter_socket 
permissive=1
node=localhost type=AVC msg=audit(1661396059.436:398): avc:  denied  { write } 
for  pid=1014 comm="firewalld" scontext=system_u:system_r:firewalld_t:s0 
tcontext=system_u:system_r:firewalld_t:s0 tclass=netlink_netfilter_socket 
permissive=1
node=localhost type=AVC msg=audit(1661396059.436:399): avc:  denied  { read } 
for  pid=1014 comm="firewalld" scontext=system_u:system_r:firewalld_t:s0 
tcontext=system_u:system_r:firewalld_t:s0 tclass=netlink_netfilter_socket 
permissive=1
node=localhost type=AVC msg=audit(1661396059.437:400): avc:  denied  { getopt } 
for  pid=1014 comm="firewalld" scontext=system_u:system_r:firewalld_t:s0 
tcontext=system_u:system_r:firewalld_t:s0 tclass=netlink_netfilter_socket 
permissive=1

Signed-off-by: Dave Sugar  gmail.com>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/services/firewalld.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/services/firewalld.te 
b/policy/modules/services/firewalld.te
index b51b7740..099dc32e 100644
--- a/policy/modules/services/firewalld.te
+++ b/policy/modules/services/firewalld.te
@@ -33,6 +33,7 @@ allow firewalld_t self:capability { dac_override net_admin };
 dontaudit firewalld_t self:capability sys_tty_config;
 allow firewalld_t self:fifo_file rw_fifo_file_perms;
 allow firewalld_t self:unix_stream_socket { accept listen };
+allow firewalld_t self:netlink_netfilter_socket create_socket_perms;
 allow firewalld_t self:udp_socket create_socket_perms;
 
 manage_dirs_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2022-09-03 Thread Jason Zaman
commit: 639bfc231cae05ce9ff11b367e25f934a59bf23e
Author: Dave Sugar  gmail  com>
AuthorDate: Thu Aug 25 13:28:00 2022 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Sep  3 19:07:50 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=639bfc23

firewalld: allow to read fips_enabled sysctl

node=localhost type=AVC msg=audit(1661396058.360:317): avc:  denied  { search } 
for  pid=1014 comm="firewalld" name="crypto" dev="proc" ino=10510 
scontext=system_u:system_r:firewalld_t:s0 
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1661396058.360:317): avc:  denied  { read } 
for  pid=1014 comm="firewalld" name="fips_enabled" dev="proc" ino=10511 
scontext=system_u:system_r:firewalld_t:s0 
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1661396058.360:317): avc:  denied  { open } 
for  pid=1014 comm="firewalld" path="/proc/sys/crypto/fips_enabled" dev="proc" 
ino=10511 scontext=system_u:system_r:firewalld_t:s0 
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1661396058.361:318): avc:  denied  { getattr 
} for  pid=1014 comm="firewalld" path="/proc/sys/crypto/fips_enabled" 
dev="proc" ino=10511 scontext=system_u:system_r:firewalld_t:s0 
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1661396058.664:340): avc:  denied  { search } 
for  pid=1014 comm="firewalld" name="crypto" dev="proc" ino=10510 
scontext=system_u:system_r:firewalld_t:s0 
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1

Signed-off-by: Dave Sugar  gmail.com>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/services/firewalld.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/services/firewalld.te 
b/policy/modules/services/firewalld.te
index cb37c98b..b51b7740 100644
--- a/policy/modules/services/firewalld.te
+++ b/policy/modules/services/firewalld.te
@@ -53,6 +53,7 @@ manage_dirs_pattern(firewalld_t, firewalld_runtime_t, 
firewalld_runtime_t)
 manage_files_pattern(firewalld_t, firewalld_runtime_t, firewalld_runtime_t)
 files_runtime_filetrans(firewalld_t, firewalld_runtime_t, { dir file })
 
+kernel_read_crypto_sysctls(firewalld_t)
 kernel_read_network_state(firewalld_t)
 kernel_read_system_state(firewalld_t)
 kernel_rw_net_sysctls(firewalld_t)



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2022-09-03 Thread Jason Zaman
commit: 5135e685790073660abb1e0ef52816fb542f75a9
Author: Dave Sugar  gmail  com>
AuthorDate: Fri Aug 26 18:02:45 2022 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Sep  3 19:07:50 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5135e685

firewalld: write tmpfs files

node=localhost type=AVC msg=audit(1661536245.787:9531): avc:  denied  { write } 
for  pid=1008 comm="firewalld" 
path=2F6D656D66643A6C696269202864656C6574656429 dev="tmpfs" ino=2564 
scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 
tclass=file permissive=1
node=localhost type=AVC msg=audit(1661536245.788:9532): avc:  denied  { map } 
for  pid=1008 comm="firewalld" 
path=2F6D656D66643A6C696269202864656C6574656429 dev="tmpfs" ino=2564 
scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 
tclass=file permissive=1
node=localhost type=AVC msg=audit(1661536245.788:9532): avc:  denied  { read 
execute } for  pid=1008 comm="firewalld" 
path=2F6D656D66643A6C696269202864656C6574656429 dev="tmpfs" ino=2564 
scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 
tclass=file permissive=1

Signed-off-by: Dave Sugar  gmail.com>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/services/firewalld.te | 8 
 1 file changed, 8 insertions(+)

diff --git a/policy/modules/services/firewalld.te 
b/policy/modules/services/firewalld.te
index a32e4b93..32e16898 100644
--- a/policy/modules/services/firewalld.te
+++ b/policy/modules/services/firewalld.te
@@ -24,6 +24,9 @@ logging_log_file(firewalld_var_log_t)
 type firewalld_tmp_t;
 files_tmp_file(firewalld_tmp_t)
 
+type firewalld_tmpfs_t;
+files_tmpfs_file(firewalld_tmpfs_t)
+
 
 #
 # Local policy
@@ -54,6 +57,11 @@ manage_dirs_pattern(firewalld_t, firewalld_runtime_t, 
firewalld_runtime_t)
 manage_files_pattern(firewalld_t, firewalld_runtime_t, firewalld_runtime_t)
 files_runtime_filetrans(firewalld_t, firewalld_runtime_t, { dir file })
 
+manage_dirs_pattern(firewalld_t, firewalld_tmpfs_t, firewalld_tmpfs_t)
+manage_files_pattern(firewalld_t, firewalld_tmpfs_t, firewalld_tmpfs_t)
+mmap_read_files_pattern(firewalld_t, firewalld_tmpfs_t, firewalld_tmpfs_t)
+fs_tmpfs_filetrans(firewalld_t, firewalld_tmpfs_t, { dir file })
+
 kernel_read_crypto_sysctls(firewalld_t)
 kernel_read_network_state(firewalld_t)
 kernel_read_system_state(firewalld_t)
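Review bot: the denials quoted in the commit message include `{ read execute }` on the memfd file (`/memfd:libffi (deleted)`), but the new rules only grant manage, `map` and read (via `mmap_read_files_pattern`), so in enforcing mode that exec-mapping attempt will still be denied on firewalld_tmpfs_t. If withholding execute on an anonymous tmpfs file is deliberate — it keeps firewalld from running code out of memory it can also write, and libffi appears to have other closure-allocation paths to fall back on (TODO confirm) — a comment above the block saying so would stop the next denial report from being answered with an `execute` grant. If it is not deliberate, expect a firewalld_tmpfs_t:file execute denial once this is deployed.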



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2022-09-03 Thread Jason Zaman
commit: 087ca14923766efc87202a6b8a98f701105ff7a1
Author: Dave Sugar  gmail  com>
AuthorDate: Wed Aug 24 14:32:45 2022 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Sep  3 19:07:49 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=087ca149

chronyd: Allow to read fips_enabled sysctl

node=localhost type=AVC msg=audit(1661344394.902:355): avc:  denied  { search } 
for  pid=1014 comm="chronyd" name="crypto" dev="proc" ino=10742 
scontext=system_u:system_r:chronyd_t:s0 
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1661344394.902:355): avc:  denied  { read } 
for  pid=1014 comm="chronyd" name="fips_enabled" dev="proc" ino=10743 
scontext=system_u:system_r:chronyd_t:s0 
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1661344394.902:355): avc:  denied  { open } 
for  pid=1014 comm="chronyd" path="/proc/sys/crypto/fips_enabled" dev="proc" 
ino=10743 scontext=system_u:system_r:chronyd_t:s0 
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1661344394.902:356): avc:  denied  { getattr 
} for  pid=1014 comm="chronyd" path="/proc/sys/crypto/fips_enabled" dev="proc" 
ino=10743 scontext=system_u:system_r:chronyd_t:s0 
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar  gmail.com>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/services/chronyd.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/services/chronyd.te 
b/policy/modules/services/chronyd.te
index 3354485c..0cf41d3d 100644
--- a/policy/modules/services/chronyd.te
+++ b/policy/modules/services/chronyd.te
@@ -81,6 +81,7 @@ manage_files_pattern(chronyd_t, chronyd_runtime_t, 
chronyd_runtime_t)
 manage_sock_files_pattern(chronyd_t, chronyd_runtime_t, chronyd_runtime_t)
 files_runtime_filetrans(chronyd_t, chronyd_runtime_t, { dir file sock_file })
 
+kernel_read_crypto_sysctls(chronyd_t)
 kernel_read_system_state(chronyd_t)
 kernel_read_network_state(chronyd_t)
 



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2022-09-03 Thread Jason Zaman
commit: 86b5f035516e0a10b3af98732667d2c4cb08b79c
Author: Dave Sugar  gmail  com>
AuthorDate: Wed Aug 24 14:37:54 2022 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Sep  3 19:07:49 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=86b5f035

chronyd: allow chronyd to read /usr/share/crypto-policies

With RHEL9 /etc/crypto-policies/back-ends are symlinks to 
/usr/share/crypto-policies/*/*

node=localhost type=AVC msg=audit(1661344395.351:395): avc:  denied  { getattr 
} for  pid=1014 comm="chronyd" 
path="/usr/share/crypto-policies/FIPS/gnutls.txt" dev="dm-0" ino=402142 
scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:usr_t:s0 
tclass=file permissive=1
node=localhost type=AVC msg=audit(1661344395.351:396): avc:  denied  { read } 
for  pid=1014 comm="chronyd" name="gnutls.txt" dev="dm-0" ino=402142 
scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:usr_t:s0 
tclass=file permissive=1
node=localhost type=AVC msg=audit(1661344395.351:396): avc:  denied  { open } 
for  pid=1014 comm="chronyd" path="/usr/share/crypto-policies/FIPS/gnutls.txt" 
dev="dm-0" ino=402142 scontext=system_u:system_r:chronyd_t:s0 
tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar  gmail.com>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/services/chronyd.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/services/chronyd.te 
b/policy/modules/services/chronyd.te
index 0cf41d3d..aca9a63f 100644
--- a/policy/modules/services/chronyd.te
+++ b/policy/modules/services/chronyd.te
@@ -104,6 +104,8 @@ corenet_udp_bind_chronyd_port(chronyd_t)
 
 dev_rw_realtime_clock(chronyd_t)
 
+files_read_usr_files(chronyd_t)
+
 auth_use_nsswitch(chronyd_t)
 
 logging_send_syslog_msg(chronyd_t)
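Review bot: `files_read_usr_files(chronyd_t)` grants read on everything labelled usr_t, which is far wider than the `/usr/share/crypto-policies` symlink targets in the quoted denials, and nothing in the hunk records why it is there; the same applies to `files_read_usr_files(ssh_keygen_t)` in the ssh.te hunk of the following commit. Adding `# /etc/crypto-policies/back-ends are symlinks into /usr/share/crypto-policies` above each call preserves the reason. If the tree later labels `/usr/share/crypto-policies` with its own type, both grants could then be narrowed to it.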



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2022-09-03 Thread Jason Zaman
commit: 2a0d52aa43e15264642fcfacc8996adfd02a0724
Author: Dave Sugar  gmail  com>
AuthorDate: Wed Aug 24 02:22:41 2022 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Sep  3 19:07:49 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2a0d52aa

ssh: allow ssh_keygen to read /usr/share/crypto-policies/

With RHEL9 /etc/crypto-policies/back-ends are symlinks to 
/usr/share/crypto-policies/*/*

node=localhost type=AVC msg=audit(1661303919.946:335): avc: denied { getattr } 
for pid=1025 comm="ssh-keygen" 
path="/usr/share/crypto-policies/FIPS/opensslcnf.txt" dev="dm-0" ino=396589 
scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:usr_t:s0 
tclass=file permissive=1
node=localhost type=AVC msg=audit(1661303919.946:336): avc:  denied  { read } 
for  pid=1025 comm="ssh-keygen" name="opensslcnf.txt" dev="dm-0" ino=396589 
scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:usr_t:s0 
tclass=file permissive=1
node=localhost type=AVC msg=audit(1661303919.946:336): avc:  denied  { open } 
for  pid=1025 comm="ssh-keygen" 
path="/usr/share/crypto-policies/FIPS/opensslcnf.txt" dev="dm-0" ino=396589 
scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:usr_t:s0 
tclass=file permissive=1

Signed-off-by: Dave Sugar  gmail.com>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/services/ssh.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index ce320c6a..aa0766bb 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -354,6 +354,7 @@ term_dontaudit_use_console(ssh_keygen_t)
 domain_use_interactive_fds(ssh_keygen_t)
 
 files_read_etc_files(ssh_keygen_t)
+files_read_usr_files(ssh_keygen_t)
 
 init_use_fds(ssh_keygen_t)
 init_use_script_ptys(ssh_keygen_t)



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2022-09-03 Thread Jason Zaman
commit: b8f614bfbcc1fe34a9664de1b1937a6e6cfbcf40
Author: Kenton Groombridge  concord  sh>
AuthorDate: Mon May 16 13:56:29 2022 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Sep  3 18:41:55 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b8f614bf

podman: add interface to rangetrans when executing conmon

Signed-off-by: Kenton Groombridge  concord.sh>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/services/podman.if | 29 +
 policy/modules/services/podman.te | 20 
 2 files changed, 33 insertions(+), 16 deletions(-)

diff --git a/policy/modules/services/podman.if 
b/policy/modules/services/podman.if
index 7523e33d..626af3af 100644
--- a/policy/modules/services/podman.if
+++ b/policy/modules/services/podman.if
@@ -188,6 +188,35 @@ interface(`podman_run_conmon_user',`
podman_domtrans_conmon_user($1)
 ')
 
+
+## 
+## Make the specified domain perform a
+## range transition when executing conmon.
+## 
+## 
+## 
+## Domain to transition ranges.
+## 
+## 
+## 
+## 
+## MLS range to transition to.
+## 
+## 
+#
+interface(`podman_spec_rangetrans_conmon',`
+   gen_require(`
+   type podman_conmon_exec_t;
+   ')
+
+   ifdef(`enable_mcs',`
+   range_transition $1 podman_conmon_exec_t:process $2;
+   ')
+   ifdef(`enable_mls',`
+   range_transition $1 podman_conmon_exec_t:process $2;
+   ')
+')
+
 
 ## 
 ## Read and write conmon unnamed pipes.

diff --git a/policy/modules/services/podman.te 
b/policy/modules/services/podman.te
index 12c67145..bb0f67bd 100644
--- a/policy/modules/services/podman.te
+++ b/policy/modules/services/podman.te
@@ -61,6 +61,8 @@ container_manage_home_config(podman_t)
 
 container_manage_sock_files(podman_t)
 
+podman_spec_rangetrans_conmon(podman_t, s0)
+
 ifdef(`init_systemd',`
init_dbus_chat(podman_t)
init_setsched(podman_t)
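Review bot: moving the range_transition into `podman_spec_rangetrans_conmon` drops the explanation the removed podman.te lines carried (`# Ensure conmon runs in s0 so that it can talk to the container`), and the new call `podman_spec_rangetrans_conmon(podman_t, s0)` gives a reader no hint why s0 is chosen; the same applies to `podman_spec_rangetrans_conmon(podman_user_t, s0)` in the later hunk. Restore that comment above both calls. The interface body emits identical rules under both `enable_mcs` and `enable_mls`; if those are mutually exclusive in this build the duplication is harmless, but a short comment noting it is intentional would help.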
@@ -129,6 +131,8 @@ storage_rw_fuse(podman_user_t)
 userdom_relabel_generic_user_home_dirs(podman_user_t)
 userdom_relabel_generic_user_home_files(podman_user_t)
 
+podman_spec_rangetrans_conmon(podman_user_t, s0)
+
 ifdef(`init_systemd',`
# podman queries the cgroup manager (systemd) over the session bus 
socket
dbus_getattr_session_runtime_socket(podman_user_t)
@@ -208,14 +212,6 @@ container_engine_tmp_filetrans(podman_conmon_t, { file 
sock_file })
 container_manage_engine_tmp_files(podman_conmon_t)
 container_manage_engine_tmp_sock_files(podman_conmon_t)
 
-# Ensure conmon runs in s0 so that it can talk to the container
-ifdef(`enable_mcs',`
-   range_transition podman_t podman_conmon_exec_t:process s0;
-')
-ifdef(`enable_mls',`
-   range_transition podman_t podman_conmon_exec_t:process s0;
-')
-
 ifdef(`init_systemd',`
init_get_transient_units_status(podman_conmon_t)
init_start_transient_units(podman_conmon_t)
@@ -287,14 +283,6 @@ container_engine_tmp_filetrans(podman_conmon_user_t, { 
file sock_file })
 container_manage_engine_tmp_files(podman_conmon_user_t)
 container_manage_engine_tmp_sock_files(podman_conmon_user_t)
 
-# Ensure conmon runs in s0 so that it can talk to the container
-ifdef(`enable_mcs',`
-   range_transition podman_user_t podman_conmon_exec_t:process s0;
-')
-ifdef(`enable_mls',`
-   range_transition podman_user_t podman_conmon_exec_t:process s0;
-')
-
 ifdef(`init_systemd',`
# conmon can read logs from containers which are
# sent to the system journal



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2022-09-03 Thread Jason Zaman
commit: 04b08d98853038ae67ee57607755fb8ac1b7f7a0
Author: Kenton Groombridge  concord  sh>
AuthorDate: Wed Apr 27 22:47:57 2022 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Sep  3 18:41:55 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=04b08d98

container: add unconfined role

Add a specific template for unconfined role access. This is mostly
identical to the user role except container engines will run in the
caller domain.

Signed-off-by: Kenton Groombridge  concord.sh>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/services/container.if | 217 +++
 1 file changed, 171 insertions(+), 46 deletions(-)

diff --git a/policy/modules/services/container.if 
b/policy/modules/services/container.if
index 07ef8873..bc4a12f4 100644
--- a/policy/modules/services/container.if
+++ b/policy/modules/services/container.if
@@ -130,7 +130,6 @@ interface(`container_user_engine',`
 #
 template(`container_base_role',`
gen_require(`
-   type container_file_t, container_ro_file_t;
type container_config_t;
')
 
@@ -143,19 +142,8 @@ template(`container_base_role',`
files_search_etc($2)
read_files_pattern($2, container_config_t, container_config_t)
 
-   allow $2 container_file_t:dir { manage_dir_perms relabel_dir_perms };
-   allow $2 container_file_t:file { manage_file_perms relabel_file_perms };
-   allow $2 container_file_t:lnk_file { manage_lnk_file_perms 
relabel_lnk_file_perms };
-   allow $2 container_file_t:sock_file { manage_sock_file_perms 
relabel_sock_file_perms };
-   allow $2 container_file_t:chr_file { manage_chr_file_perms 
relabel_chr_file_perms };
-   allow $2 container_file_t:blk_file { manage_blk_file_perms 
relabel_blk_file_perms };
-
-   allow $2 container_ro_file_t:dir { manage_dir_perms relabel_dir_perms };
-   allow $2 container_ro_file_t:file { manage_file_perms 
relabel_file_perms };
-   allow $2 container_ro_file_t:lnk_file { manage_lnk_file_perms 
relabel_lnk_file_perms };
-   allow $2 container_ro_file_t:sock_file { manage_sock_file_perms 
relabel_sock_file_perms };
-   allow $2 container_ro_file_t:chr_file { manage_chr_file_perms 
relabel_chr_file_perms };
-   allow $2 container_ro_file_t:blk_file { manage_blk_file_perms 
relabel_blk_file_perms };
+   container_admin_all_files($2)
+   container_admin_all_ro_files($2)
 ')
 
 
@@ -230,10 +218,6 @@ template(`container_user_role',`
gen_require(`
attribute container_user_domain;
attribute container_engine_user_domain;
-   type container_file_t, container_ro_file_t;
-   type container_user_runtime_t;
-   type container_cache_home_t, container_conf_home_t;
-   type container_data_home_t;
')
 
role $4 types container_user_domain;
@@ -245,34 +229,8 @@ template(`container_user_role',`
allow $3 container_user_domain:process { ptrace signal_perms };
ps_process_pattern($3, container_user_domain)
 
-   allow $2 container_user_runtime_t:dir { manage_dir_perms 
relabel_dir_perms };
-   allow $2 container_user_runtime_t:file { manage_file_perms 
relabel_file_perms };
-   allow $2 container_user_runtime_t:fifo_file { manage_fifo_file_perms 
relabel_fifo_file_perms };
-   allow $2 container_user_runtime_t:sock_file { manage_sock_file_perms 
relabel_sock_file_perms };
-
-   allow $2 container_cache_home_t:dir { manage_dir_perms 
relabel_dir_perms };
-   allow $2 container_cache_home_t:file { manage_file_perms 
relabel_file_perms };
-   xdg_cache_filetrans($2, container_cache_home_t, dir, "containers")
-
-   allow $2 container_conf_home_t:dir { manage_dir_perms relabel_dir_perms 
};
-   allow $2 container_conf_home_t:file { manage_file_perms 
relabel_file_perms };
-   xdg_config_filetrans($2, container_conf_home_t, dir, "containers")
-
-   allow $2 container_data_home_t:dir { manage_dir_perms relabel_dir_perms 
};
-   allow $2 container_data_home_t:file { manage_file_perms 
relabel_file_perms };
-   allow $2 container_data_home_t:lnk_file { manage_lnk_file_perms 
relabel_lnk_file_perms };
-   allow $2 container_data_home_t:fifo_file { manage_fifo_file_perms 
relabel_fifo_file_perms };
-   allow $2 container_data_home_t:sock_file { manage_sock_file_perms 
relabel_sock_file_perms };
-   allow $2 container_data_home_t:chr_file { manage_chr_file_perms 
relabel_chr_file_perms };
-   allow $2 container_data_home_t:blk_file { manage_blk_file_perms 
relabel_blk_file_perms };
-   xdg_data_filetrans($2, container_data_home_t, dir, "containers")
-   filetrans_pattern($2, container_data_home_t, container_ro_file_t, dir, 
"overlay")
-   filetrans_pattern($2, container_data_home_t, container_ro_file_t, dir, 
"overlay-images")
-  

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2022-09-03 Thread Jason Zaman
commit: 2765267d6d80ad23b388bd85d7c42c3e79b77864
Author: Kenton Groombridge  concord  sh>
AuthorDate: Fri May 20 14:58:25 2022 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Sep  3 18:41:55 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2765267d

container: rework combined role interfaces

Rename and slightly rework some of the newly added interfaces. Namely,
make the "admin" interfaces use admin_pattern().

Signed-off-by: Kenton Groombridge  concord.sh>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/services/container.if | 29 ++---
 1 file changed, 10 insertions(+), 19 deletions(-)

diff --git a/policy/modules/services/container.if 
b/policy/modules/services/container.if
index bc4a12f4..16b14602 100644
--- a/policy/modules/services/container.if
+++ b/policy/modules/services/container.if
@@ -229,8 +229,8 @@ template(`container_user_role',`
allow $3 container_user_domain:process { ptrace signal_perms };
ps_process_pattern($3, container_user_domain)
 
-   container_admin_all_home_content($2)
container_admin_all_user_runtime_content($2)
+   container_manage_all_home_content($2)
 
optional_policy(`
systemd_read_user_manager_state($1, 
container_engine_user_domain)
@@ -301,8 +301,8 @@ template(`container_unconfined_role',`
container_admin_all_files($2)
container_admin_all_ro_files($2)
 
-   container_admin_all_home_content($2)
container_admin_all_user_runtime_content($2)
+   container_manage_all_home_content($2)
 ')
 
 
@@ -1106,12 +1106,9 @@ interface(`container_admin_all_files',`
type container_file_t;
')
 
-   allow $1 container_file_t:dir { manage_dir_perms relabel_dir_perms };
-   allow $1 container_file_t:file { manage_file_perms relabel_file_perms };
-   allow $1 container_file_t:lnk_file { manage_lnk_file_perms 
relabel_lnk_file_perms };
-   allow $1 container_file_t:sock_file { manage_sock_file_perms 
relabel_sock_file_perms };
-   allow $1 container_file_t:chr_file { manage_chr_file_perms 
relabel_chr_file_perms };
-   allow $1 container_file_t:blk_file { manage_blk_file_perms 
relabel_blk_file_perms };
+   admin_pattern($1, container_file_t, container_file_t)
+   allow $1 container_file_t:chr_file manage_chr_file_perms;
+   allow $1 container_file_t:blk_file manage_blk_file_perms;
 ')
 
 
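Review bot: The replacement at L4092-L4094 silently drops relabel_chr_file_perms and relabel_blk_file_perms that the removed rules granted on container_file_t device nodes, because admin_pattern() (to my knowledge) expands to manage and relabel rules for dir, file, lnk_file, fifo_file and sock_file only. It also newly grants manage and relabel on fifo_file, which the old rules did not; both deltas deserve a comment or a deliberate decision rather than being a side effect of the macro swap. If admin roles still need to relabel device nodes, keep `allow $1 container_file_t:chr_file { manage_chr_file_perms relabel_chr_file_perms };` and the matching blk_file line. The same applies to the container_admin_all_ro_files hunk below.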
@@ -1129,12 +1126,9 @@ interface(`container_admin_all_ro_files',`
type container_ro_file_t;
')
 
-   allow $1 container_ro_file_t:dir { manage_dir_perms relabel_dir_perms };
-   allow $1 container_ro_file_t:file { manage_file_perms 
relabel_file_perms };
-   allow $1 container_ro_file_t:lnk_file { manage_lnk_file_perms 
relabel_lnk_file_perms };
-   allow $1 container_ro_file_t:sock_file { manage_sock_file_perms 
relabel_sock_file_perms };
-   allow $1 container_ro_file_t:chr_file { manage_chr_file_perms 
relabel_chr_file_perms };
-   allow $1 container_ro_file_t:blk_file { manage_blk_file_perms 
relabel_blk_file_perms };
+   admin_pattern($1, container_ro_file_t, container_ro_file_t)
+   allow $1 container_ro_file_t:chr_file manage_chr_file_perms;
+   allow $1 container_ro_file_t:blk_file manage_blk_file_perms;
 ')
 
 
@@ -1154,10 +1148,7 @@ interface(`container_admin_all_user_runtime_content',`
type container_user_runtime_t;
')
 
-   allow $1 container_user_runtime_t:dir { manage_dir_perms 
relabel_dir_perms };
-   allow $1 container_user_runtime_t:file { manage_file_perms 
relabel_file_perms };
-   allow $1 container_user_runtime_t:fifo_file { manage_fifo_file_perms 
relabel_fifo_file_perms };
-   allow $1 container_user_runtime_t:sock_file { manage_sock_file_perms 
relabel_sock_file_perms };
+   admin_pattern($1, container_user_runtime_t, container_user_runtime_t)
 ')
 
 
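Review bot: admin_pattern() at L4131 widens this interface relative to the removed rules: it adds manage and relabel permissions on lnk_file objects of container_user_runtime_t, which were not granted before. That is probably acceptable for a role-level admin interface, but since the commit is described as a rework rather than a permission change, a short comment such as `# admin_pattern also covers symlinks, which the earlier rules omitted` would make the widening deliberate.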
@@ -1172,7 +1163,7 @@ interface(`container_admin_all_user_runtime_content',`
 ## 
 ## 
 #
-interface(`container_admin_all_home_content',`
+interface(`container_manage_all_home_content',`
gen_require(`
type container_file_t, container_ro_file_t;
type container_cache_home_t, container_conf_home_t;



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2022-09-03 Thread Jason Zaman
commit: 9c0342adf69784b946a548573cc1a8133b2d08a0
Author: Kenton Groombridge  concord  sh>
AuthorDate: Mon May 16 16:39:52 2022 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Sep  3 18:41:55 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9c0342ad

podman: add file context for podman in /usr/libexec

Signed-off-by: Kenton Groombridge  concord.sh>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/services/podman.fc | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/services/podman.fc 
b/policy/modules/services/podman.fc
index 31c45273..b0243088 100644
--- a/policy/modules/services/podman.fc
+++ b/policy/modules/services/podman.fc
@@ -1,2 +1,4 @@
 /usr/bin/podman--  gen_context(system_u:object_r:podman_exec_t,s0)
 /usr/bin/conmon--  gen_context(system_u:object_r:conmon_exec_t,s0)
+
+/usr/libexec/podman/conmon --  
gen_context(system_u:object_r:conmon_exec_t,s0)



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2022-09-03 Thread Jason Zaman
commit: ba5303bd6e351b8808575be29f2482c4d291236e
Author: Kenton Groombridge  concord  sh>
AuthorDate: Fri May 20 15:01:36 2022 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Sep  3 18:41:55 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ba5303bd

podman: typealias podman_user_conmon_t to podman_conmon_user_t

Signed-off-by: Kenton Groombridge  concord.sh>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/services/podman.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/services/podman.te 
b/policy/modules/services/podman.te
index aef0fac9..e4393643 100644
--- a/policy/modules/services/podman.te
+++ b/policy/modules/services/podman.te
@@ -28,6 +28,7 @@ podman_conmon_domain_template(podman, podman_t)
 role system_r types podman_conmon_t;
 
 podman_conmon_domain_template(podman_user, podman_user_t)
+typealias podman_user_conmon_t alias podman_conmon_user_t;
 userdom_user_application_domain(podman_user_conmon_t, conmon_exec_t)
 
 



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2022-09-03 Thread Jason Zaman
commit: dc4934ce2c12df07b50c5c20b759c2ea27e4fa90
Author: Kenton Groombridge  concord  sh>
AuthorDate: Tue May 24 03:00:56 2022 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Sep  3 18:41:55 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=dc4934ce

podman: add alias for conmon executable

Signed-off-by: Kenton Groombridge  concord.sh>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/services/podman.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/services/podman.te 
b/policy/modules/services/podman.te
index e4393643..24c7092f 100644
--- a/policy/modules/services/podman.te
+++ b/policy/modules/services/podman.te
@@ -23,6 +23,7 @@ mls_trusted_object(podman_user_t)
 
 attribute conmon_domain;
 type conmon_exec_t;
+typealias conmon_exec_t alias podman_conmon_exec_t;
 
 podman_conmon_domain_template(podman, podman_t)
 role system_r types podman_conmon_t;



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2022-09-03 Thread Jason Zaman
commit: 2f03c3cca1ba622b2378892fadbce31ea5cfb317
Author: Kenton Groombridge  concord  sh>
AuthorDate: Mon May 16 15:28:49 2022 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Sep  3 18:41:55 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2f03c3cc

podman: rework conmon rules

Use a template to generate conmon domains and add a common attribute for
them. This is so that domains that use conmon can execute it and have
conmon transition back to the original domain instead of to the generic
podman domain. This is used by CRI-O, for example.

Signed-off-by: Kenton Groombridge  concord.sh>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/services/podman.fc |   2 +-
 policy/modules/services/podman.if |  96 +++---
 policy/modules/services/podman.te | 166 +-
 3 files changed, 128 insertions(+), 136 deletions(-)

diff --git a/policy/modules/services/podman.fc 
b/policy/modules/services/podman.fc
index ece2d0dc..31c45273 100644
--- a/policy/modules/services/podman.fc
+++ b/policy/modules/services/podman.fc
@@ -1,2 +1,2 @@
 /usr/bin/podman--  gen_context(system_u:object_r:podman_exec_t,s0)
-/usr/bin/conmon--  
gen_context(system_u:object_r:podman_conmon_exec_t,s0)
+/usr/bin/conmon--  gen_context(system_u:object_r:conmon_exec_t,s0)

diff --git a/policy/modules/services/podman.if 
b/policy/modules/services/podman.if
index 626af3af..09b4f031 100644
--- a/policy/modules/services/podman.if
+++ b/policy/modules/services/podman.if
@@ -1,5 +1,47 @@
 ## Policy for podman
 
+
+## 
+## Template for conmon domains.
+## 
+## 
+## 
+## Prefix for generated types.
+## 
+## 
+## 
+## 
+## Domain allowed to transition.
+## 
+## 
+#
+template(`podman_conmon_domain_template',`
+   gen_require(`
+   attribute conmon_domain;
+   type conmon_exec_t;
+   ')
+
+   type $1_conmon_t, conmon_domain;
+   application_domain($1_conmon_t, conmon_exec_t)
+
+   domtrans_pattern($2, conmon_exec_t, $1_conmon_t)
+
+   allow $2 $1_conmon_t:process signull;
+   allow $2 $1_conmon_t:fifo_file setattr;
+   allow $2 $1_conmon_t:unix_stream_socket { connectto 
rw_stream_socket_perms };
+
+   allow $1_conmon_t $2:tcp_socket rw_stream_socket_perms;
+   allow $1_conmon_t $2:unix_stream_socket rw_stream_socket_perms;
+   allow $1_conmon_t $2:unix_dgram_socket rw_socket_perms;
+   ps_process_pattern($1_conmon_t, $2)
+
+   corecmd_search_bin($1_conmon_t)
+   # conmon will execute crun/runc to create the container,
+   # so transition back to the source domain when creating it
+   container_generic_engine_domtrans($1_conmon_t, $2)
+   container_engine_executable_entrypoint($2)
+')
+
 
 ## 
 ## Execute podman in the podman domain.
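Review bot: The description of $2 at L4305-L4307 ("Domain allowed to transition.") understates what the template grants it: besides the domtrans into $1_conmon_t, $2 is made an entrypoint for the container engine executable (L4335), $1_conmon_t transitions back into $2 when it executes the engine binary (L4334), and $1_conmon_t gets read/write on $2's tcp, unix stream and unix dgram sockets (L4326-L4328). I would expand it to `Domain allowed to transition to the conmon domain; conmon transitions back to this domain when it runs crun/runc, so the domain also becomes an entrypoint for container_engine_exec_t.`. The template does not assign a role to $1_conmon_t, so every caller has to add a role rule; stating that in the header comment avoids surprises.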
@@ -96,7 +138,7 @@ interface(`podman_run_user',`
 
 
 ## 
-## Execute conmon in the conmon domain.
+## Execute conmon in the podman conmon domain.
 ## 
 ## 
 ## 
@@ -106,18 +148,18 @@ interface(`podman_run_user',`
 #
 interface(`podman_domtrans_conmon',`
gen_require(`
-   type podman_conmon_t, podman_conmon_exec_t;
+   type podman_conmon_t, conmon_exec_t;
')
 
corecmd_search_bin($1)
-   domtrans_pattern($1, podman_conmon_exec_t, podman_conmon_t)
+   domtrans_pattern($1, conmon_exec_t, podman_conmon_t)
 ')
 
 
 ## 
-## Execute conmon in the conmon domain,
-## and allow the specified role the
-## conmon domain.
+## Execute conmon in the podman conmon
+## domain, and allow the specified role
+## the podman conmon domain.
 ## 
 ## 
 ## 
@@ -142,8 +184,8 @@ interface(`podman_run_conmon',`
 
 
 ## 
-## Execute conmon in the conmon user
-## domain (rootless podman).
+## Execute conmon in the podman conmon
+## user domain (rootless podman).
 ## 
 ## 
 ## 
@@ -153,19 +195,19 @@ interface(`podman_run_conmon',`
 #
 interface(`podman_domtrans_conmon_user',`
gen_require(`
-   type podman_conmon_user_t, podman_conmon_exec_t;
+   type podman_user_conmon_t, conmon_exec_t;
')
 
corecmd_search_bin($1)
-   domtrans_pattern($1, podman_conmon_exec_t, podman_conmon_user_t)
+   domtrans_pattern($1, conmon_exec_t, podman_user_conmon_t)
 ')
 
 
 ## 
-## Execute conmon in the conmon user
-## domain, and allow the specified role
-## the conmon user domain (rootless
-## podman).
+## Execute conmon in the podman conmon
+## user domain, and allow the specified
+## role the podman conmon user domain
+## (rootless podman).
 ## 
 ## 
 ## 
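Review bot: The rename to podman_user_conmon_t at L4390 and L4395 removes the podman_conmon_user_t name, which other interfaces in this file still require (podman_rw_conmon_pipes and podman_use_conmon_fds, as added by 01b153cb elsewhere in this digest); unless the truncated remainder of this diff updates them, the module will not build. A `typealias podman_user_conmon_t alias podman_conmon_user_t;` in podman.te next to the new template keeps external callers working across the rename; this digest shows it arriving as a separate later commit (ba5303bd), and it would be safer landed together with this change.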
@@ -180,10 +222,10 

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2022-09-03 Thread Jason Zaman
commit: 71ed39d2252dac86660e9e67c0cee49af7acf983
Author: Kenton Groombridge  concord  sh>
AuthorDate: Sat Apr  2 20:00:22 2022 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Sep  3 18:41:55 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=71ed39d2

spamassassin: add file context for rspamd log directory

rspamd's default log location is /var/log/rspamd.

Signed-off-by: Kenton Groombridge  concord.sh>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/services/spamassassin.fc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/services/spamassassin.fc 
b/policy/modules/services/spamassassin.fc
index 9229ad2f..67052143 100644
--- a/policy/modules/services/spamassassin.fc
+++ b/policy/modules/services/spamassassin.fc
@@ -37,6 +37,7 @@ HOME_DIR/\.spamd(/.*)?
gen_context(system_u:object_r:spamd_home_t,s0)
 /var/lib/rspamd/rspamd\.sock   -s 
gen_context(system_u:object_r:spamd_runtime_t,s0)
 
 /var/log/spamd\.log.*  --  
gen_context(system_u:object_r:spamd_log_t,s0)
+/var/log/rspamd(/.*)?  gen_context(system_u:object_r:spamd_log_t,s0)
 /var/log/rspamd\.log.* --  
gen_context(system_u:object_r:spamd_log_t,s0)
 /var/log/mimedefang.*  --  
gen_context(system_u:object_r:spamd_log_t,s0)
 



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2022-09-03 Thread Jason Zaman
commit: 303b29dde89cf3974eb2efd6927b7664df3e20e6
Author: Kenton Groombridge  concord  sh>
AuthorDate: Tue May 17 17:47:20 2022 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Sep  3 18:41:55 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=303b29dd

certbot: various fixes

Allow acme-sh to send syslog messages and dontaudit reading /proc.

Signed-off-by: Kenton Groombridge  concord.sh>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/services/certbot.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/policy/modules/services/certbot.te 
b/policy/modules/services/certbot.te
index ac609795..9723f788 100644
--- a/policy/modules/services/certbot.te
+++ b/policy/modules/services/certbot.te
@@ -69,6 +69,7 @@ allow certbot_t certbot_log_t:file manage_file_perms;
 manage_files_pattern(certbot_t, certbot_runtime_t, certbot_runtime_t)
 files_runtime_filetrans(certbot_t, certbot_runtime_t, file)
 
+kernel_dontaudit_read_system_state(certbot_t)
 kernel_search_fs_sysctls(certbot_t)
 
 corecmd_list_bin(certbot_t)
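Review bot: kernel_dontaudit_read_system_state(certbot_t) at L4485 is unconditional, while the companion logging_send_syslog_msg rule in the next hunk is gated by the certbot_acmesh tunable even though the commit message attributes both to acme-sh. If the /proc reads are likewise only observed with acme-sh, moving the dontaudit inside the certbot_acmesh tunable_policy block keeps audit visibility for the plain certbot case; otherwise a short comment naming what in certbot itself reads /proc would explain the asymmetry.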
@@ -108,6 +109,8 @@ userdom_use_user_ptys(certbot_t)
 tunable_policy(`certbot_acmesh',`
corecmd_exec_bin(certbot_t)
corecmd_exec_shell(certbot_t)
+
+   logging_send_syslog_msg(certbot_t)
 ')
 
 optional_policy(`



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2022-09-03 Thread Jason Zaman
commit: cd84d1468359c3bbf0c2c482a1474a9ebd18e3b3
Author: Kenton Groombridge  concord  sh>
AuthorDate: Sat Apr  2 19:55:24 2022 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Sep  3 18:41:55 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=cd84d146

container, podman: allow podman to restart container units

podman auto-update will automatically start the container unit when it
is updated.

Signed-off-by: Kenton Groombridge  concord.sh>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/services/container.if | 20 
 policy/modules/services/podman.te|  4 
 2 files changed, 24 insertions(+)

diff --git a/policy/modules/services/container.if 
b/policy/modules/services/container.if
index 541eb8a5..07ef8873 100644
--- a/policy/modules/services/container.if
+++ b/policy/modules/services/container.if
@@ -1382,6 +1382,26 @@ interface(`container_unlabeled_var_lib_filetrans',`
kernel_unlabeled_filetrans($1, container_var_lib_t, $2, $3)
 ')
 
+
+## 
+## Allow the specified domain to start
+## systemd units for containers.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`container_start_units',`
+   gen_require(`
+   type container_unit_t;
+   class service start;
+   ')
+
+   allow $1 container_unit_t:service start;
+')
+
 
 ## 
 ## All of the rules required to

diff --git a/policy/modules/services/podman.te 
b/policy/modules/services/podman.te
index 3169c0da..12c67145 100644
--- a/policy/modules/services/podman.te
+++ b/policy/modules/services/podman.te
@@ -77,6 +77,10 @@ ifdef(`init_systemd',`
systemd_list_journal_dirs(podman_t)
systemd_read_journal_files(podman_t)
systemd_watch_journal_dirs(podman_t)
+
+   # podman auto-update will restart the unit for
+   # the container when it is updated
+   container_start_units(podman_t)
 ')
 
 



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2022-09-03 Thread Jason Zaman
commit: 7ac185ee67556768743991f953476fb8c6c80bf2
Author: Kenton Groombridge  concord  sh>
AuthorDate: Mon May  2 19:37:06 2022 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Sep  3 18:41:55 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7ac185ee

ssh: add tunable to allow sshd to use remote port forwarding

Signed-off-by: Kenton Groombridge  concord.sh>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/services/ssh.if | 12 
 1 file changed, 12 insertions(+)

diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index b9ed26bc..c438985e 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -174,6 +174,14 @@ template(`ssh_server_template', `
attribute ssh_server;
type sshd_exec_t, sshd_key_t;
')
+
+   ## 
+   ## 
+   ##  Allow sshd to use remote port forwarding (bind to any TCP port)
+   ## 
+   ## 
+   gen_tunable($1_port_forwarding, false)
+
type $1_t, ssh_server;
auth_login_pgm_domain($1_t)
 
@@ -265,6 +273,10 @@ template(`ssh_server_template', `
fs_read_cifs_files($1_t)
')
 
+   tunable_policy(`$1_port_forwarding',`
+   corenet_tcp_bind_all_ports($1_t)
+   ')
+
optional_policy(`
kerberos_use($1_t)
kerberos_manage_host_rcache($1_t)
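Review bot: corenet_tcp_bind_all_ports($1_t) at L4619 also covers reserved ports and every named port type, which is broader than remote port forwarding usually needs, and the tunable description at L4606 only tells administrators that sshd may bind "any TCP port". If forwarding to privileged ports is not a requirement, `corenet_tcp_bind_all_unreserved_ports($1_t)` is the tighter grant; if it is, the description should state that reserved ports are included so the trade-off is visible when the tunable is enabled. The ssh_server_template body continues outside the hunk.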



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2022-09-03 Thread Jason Zaman
commit: 25276f575f723fb140c1bd889771da4b7f529f09
Author: Kenton Groombridge  concord  sh>
AuthorDate: Sat Apr  2 19:45:37 2022 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Sep  3 18:41:55 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=25276f57

container: add separate type for container engine units

and add a filecon for container units themselves.

Signed-off-by: Kenton Groombridge  concord.sh>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/services/container.fc | 5 +++--
 policy/modules/services/container.te | 3 +++
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/policy/modules/services/container.fc 
b/policy/modules/services/container.fc
index 63f1537d..540df680 100644
--- a/policy/modules/services/container.fc
+++ b/policy/modules/services/container.fc
@@ -21,8 +21,9 @@ HOME_DIR/\.local/share/docker/volumes(/.*)?   
gen_context(system_u:object_r:conta
 /usr/bin/crun  --  
gen_context(system_u:object_r:container_engine_exec_t,s0)
 /usr/bin/runc  --  
gen_context(system_u:object_r:container_engine_exec_t,s0)
 
-/usr/lib/systemd/system/docker.*   --  
gen_context(system_u:object_r:container_unit_t,s0)
-/usr/lib/systemd/system/containerd.*   --  
gen_context(system_u:object_r:container_unit_t,s0)
+/usr/lib/systemd/system/docker.*   --  
gen_context(system_u:object_r:container_engine_unit_t,s0)
+/usr/lib/systemd/system/containerd.*   --  
gen_context(system_u:object_r:container_engine_unit_t,s0)
+/usr/lib/systemd/system/container-.*   --  
gen_context(system_u:object_r:container_unit_t,s0)
 
 /usr/sbin/runc --  
gen_context(system_u:object_r:container_engine_exec_t,s0)
 
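Review bot: Relabeling the docker.* and containerd.* unit files from container_unit_t to container_engine_unit_t at L4666-L4669 changes the type that any existing rule for those units is keyed on; a domain that was granted access to container_unit_t (for example via container_start_units, visible elsewhere in this digest) will no longer match the engine units after the relabel. I cannot see from this diff whether an interface for container_engine_unit_t is added, so either confirm that callers are updated or note in the .te that the new type intentionally has no consumers yet. A relabel of /usr/lib/systemd/system is also needed for the new contexts to take effect on existing installs.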

diff --git a/policy/modules/services/container.te 
b/policy/modules/services/container.te
index 166a42ae..09fa6635 100644
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@@ -97,6 +97,9 @@ role system_r types spc_t;
 type spc_user_t, container_domain, container_net_domain, 
container_user_domain, privileged_container_domain;
 domain_type(spc_user_t)
 
+type container_engine_unit_t;
+init_unit_file(container_engine_unit_t)
+
 type container_unit_t;
 init_unit_file(container_unit_t)
 



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2022-09-03 Thread Jason Zaman
commit: b1eeb204c510ac91225cbd0d05c94475017f2779
Author: Kenton Groombridge  concord  sh>
AuthorDate: Sat Apr 30 01:36:10 2022 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Sep  3 18:41:55 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b1eeb204

container: allow containers to manipulate own fds

Signed-off-by: Kenton Groombridge  concord.sh>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/services/container.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/policy/modules/services/container.te 
b/policy/modules/services/container.te
index 3f6e7aea..36a7163a 100644
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@@ -165,6 +165,8 @@ corenet_port(container_port_t)
 allow container_domain self:capability { dac_override kill setgid setuid 
sys_boot sys_chroot };
 allow container_domain self:cap_userns { chown dac_override dac_read_search 
fowner kill setgid setuid };
 allow container_domain self:process { execstack execmem getattr getsched 
getsession setsched setcap setpgid signal_perms };
+allow container_domain self:dir rw_dir_perms;
+allow container_domain self:file create_file_perms;
 allow container_domain self:fifo_file manage_fifo_file_perms;
 allow container_domain self:sem create_sem_perms;
 allow container_domain self:shm create_shm_perms;
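Review bot: The new self:file rule at L4728 grants create_file_perms, which includes create, unlink and rename, while the commit message describes manipulating the process's own file descriptors; for /proc/self entries, the usual reason a domain needs self:dir and self:file, rw_file_perms is normally sufficient because procfs nodes cannot be created or unlinked. If the denial that motivated this was something else, a why-comment naming it would help, e.g. `# /proc/self/* entries carry the process label`. The kernel_associate_proc(container_domain) rule in the following hunk fits that explanation, so the two additions belong under one comment.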
@@ -192,6 +194,7 @@ can_exec(container_domain, container_file_t)
 
 kernel_getattr_proc(container_domain)
 kernel_list_all_proc(container_domain)
+kernel_associate_proc(container_domain)
 kernel_read_kernel_sysctls(container_domain)
 kernel_rw_net_sysctls(container_domain)
 kernel_read_system_state(container_domain)



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2022-09-03 Thread Jason Zaman
commit: 31f53036b53e062550260d6da598fe58ca5dd63c
Author: Kenton Groombridge  concord  sh>
AuthorDate: Sat Apr 30 01:38:53 2022 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Sep  3 18:41:55 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=31f53036

container: allow container engines to manage tmp symlinks

Signed-off-by: Kenton Groombridge  concord.sh>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/services/container.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/services/container.te 
b/policy/modules/services/container.te
index 36a7163a..166a42ae 100644
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@@ -509,6 +509,8 @@ read_lnk_files_pattern(container_engine_domain, 
container_config_t, container_co
 allow container_engine_domain container_engine_tmp_t:dir manage_dir_perms;
 allow container_engine_domain container_engine_tmp_t:file manage_file_perms;
 allow container_engine_domain container_engine_tmp_t:fifo_file 
manage_fifo_file_perms;
+# podman uses temporary symlinks when loading container images
+allow container_engine_domain container_engine_tmp_t:lnk_file 
manage_lnk_file_perms;
 # needed when manually spawning processes inside containers
 allow container_engine_domain container_engine_tmp_t:sock_file 
manage_sock_file_perms;
 files_tmp_filetrans(container_engine_domain, container_engine_tmp_t, { dir 
file sock_file })
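Review bot: The new lnk_file manage rule at L4774-L4775 is not matched by the files_tmp_filetrans class list at L4779-L4780, which still names only dir, file and sock_file; a symlink podman creates directly in /tmp would therefore be labeled tmp_t rather than container_engine_tmp_t and the new rule would not apply to it. If the symlinks are always created inside an engine-owned tmp directory this is fine and worth a comment; otherwise add lnk_file to the list: `files_tmp_filetrans(container_engine_domain, container_engine_tmp_t, { dir file lnk_file sock_file })`.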



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2022-04-09 Thread Jason Zaman
commit: 9db82cfc59aa9ff8c525adf9f378d415177d91eb
Author: Kenton Groombridge  concord  sh>
AuthorDate: Thu Mar 31 18:18:55 2022 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Apr  9 19:28:30 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9db82cfc

podman: allow system podman to interact with container transient units

Signed-off-by: Kenton Groombridge  concord.sh>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/services/podman.te | 4 
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/services/podman.te 
b/policy/modules/services/podman.te
index 5df45d32..316db505 100644
--- a/policy/modules/services/podman.te
+++ b/policy/modules/services/podman.te
@@ -66,6 +66,10 @@ ifdef(`init_systemd',`
init_start_system(podman_t)
init_stop_system(podman_t)
 
+   # containers get created as systemd transient units
+   init_get_transient_units_status(podman_t)
+   init_start_transient_units(podman_t)
+
# podman can read logs from containers which are
# sent to the system journal
logging_search_logs(podman_t)



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2022-04-09 Thread Jason Zaman
commit: dd3730338d07fb8b8a96350f84148eb07ab40769
Author: Kenton Groombridge  concord  sh>
AuthorDate: Thu Mar 31 19:09:25 2022 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Apr  9 19:28:30 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=dd373033

container: add tunables to allow containers to access public content

Note that container engines only need read access to these files even if
manage access is enabled.

Signed-off-by: Kenton Groombridge  concord.sh>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/services/container.te | 30 ++
 1 file changed, 30 insertions(+)

diff --git a/policy/modules/services/container.te 
b/policy/modules/services/container.te
index d7d27d7c..fa4145e3 100644
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@@ -16,6 +16,20 @@ gen_tunable(container_manage_cgroup, false)
 ## 
 gen_tunable(container_mounton_non_security, false)
 
+## 
+## 
+## Allow containers to manage all read-writable public content.
+## 
+## 
+gen_tunable(container_manage_public_content, false)
+
+## 
+## 
+## Allow containers to read all public content.
+## 
+## 
+gen_tunable(container_read_public_content, false)
+
 ## 
 ## 
 ## Allow containers to use NFS filesystems.
@@ -232,6 +246,14 @@ tunable_policy(`container_manage_cgroup',`
fs_manage_cgroup_files(container_domain)
 ')
 
+tunable_policy(`container_manage_public_content',`
+   miscfiles_manage_public_files(container_domain)
+')
+
+tunable_policy(`container_read_public_content',`
+   miscfiles_read_public_files(container_domain)
+')
+
 tunable_policy(`container_use_nfs',`
fs_manage_nfs_dirs(container_domain)
fs_manage_nfs_files(container_domain)
@@ -515,6 +537,14 @@ ifdef(`init_systemd',`
init_run_bpf(container_engine_domain)
 ')
 
+tunable_policy(`container_manage_public_content',`
+   miscfiles_read_public_files(container_engine_domain)
+')
+
+tunable_policy(`container_read_public_content',`
+   miscfiles_read_public_files(container_engine_domain)
+')
+
 tunable_policy(`container_mounton_non_security',`
files_mounton_non_security(container_engine_domain)
 ')
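Review bot: The container_manage_public_content block at L4889-L4891 grants only miscfiles_read_public_files to container_engine_domain, which reads like a copy-paste slip next to the identical read block below; the commit message explains it is deliberate, but that reasoning should live in the policy itself. Suggest `# engines only need to read public content even when containers may manage it` above L4889. The tunable declarations in the first hunk also break the alphabetical order the surrounding tunables appear to follow (container_manage_public_content lands after container_mounton_non_security).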



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2022-04-09 Thread Jason Zaman
commit: 07995718de36b9b849fa92fcbfca9ce7716a4d3d
Author: Kenton Groombridge  concord  sh>
AuthorDate: Thu Mar 31 19:09:45 2022 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Apr  9 19:28:30 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=07995718

container: allow generic containers to read the vm_overcommit sysctl

Signed-off-by: Kenton Groombridge  concord.sh>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/services/container.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/services/container.te 
b/policy/modules/services/container.te
index 3d623229..d7d27d7c 100644
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@@ -333,6 +333,8 @@ files_read_kernel_modules(container_t)
 fs_mount_cgroup(container_t)
 fs_rw_cgroup_files(container_t)
 
+kernel_read_vm_overcommit_sysctl(container_t)
+
 auth_use_nsswitch(container_t)
 
 logging_send_audit_msgs(container_t)



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2022-04-09 Thread Jason Zaman
commit: 01b153cb47331dc2ba354100c74acb4e37393fc1
Author: Kenton Groombridge  concord  sh>
AuthorDate: Thu Mar 31 18:44:24 2022 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Apr  9 19:28:30 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=01b153cb

container, podman: allow containers to interact with conmon

Allow containers to use inherited conmon file descriptors and read and
write unnamed conmon pipes.

Signed-off-by: Kenton Groombridge  concord.sh>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/services/container.te |  5 +
 policy/modules/services/podman.if| 41 
 2 files changed, 46 insertions(+)

diff --git a/policy/modules/services/container.te 
b/policy/modules/services/container.te
index d5f79b15..3d623229 100644
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@@ -248,6 +248,11 @@ tunable_policy(`container_use_samba',`
fs_exec_cifs_files(container_domain)
 ')
 
+optional_policy(`
+   podman_rw_conmon_pipes(container_domain)
+   podman_use_conmon_fds(container_domain)
+')
+
 optional_policy(`
udev_read_runtime_files(container_domain)
 ')

diff --git a/policy/modules/services/podman.if 
b/policy/modules/services/podman.if
index 3d03884e..7523e33d 100644
--- a/policy/modules/services/podman.if
+++ b/policy/modules/services/podman.if
@@ -188,6 +188,47 @@ interface(`podman_run_conmon_user',`
podman_domtrans_conmon_user($1)
 ')
 
+
+## 
+## Read and write conmon unnamed pipes.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`podman_rw_conmon_pipes',`
+   gen_require(`
+   type podman_conmon_t;
+   type podman_conmon_user_t;
+   ')
+
+   allow $1 podman_conmon_t:fifo_file rw_fifo_file_perms;
+   allow $1 podman_conmon_user_t:fifo_file rw_fifo_file_perms;
+')
+
+
+## 
+## Allow the specified domain to inherit
+## file descriptors from conmon.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`podman_use_conmon_fds',`
+   gen_require(`
+   type podman_conmon_t;
+   type podman_conmon_user_t;
+   ')
+
+   allow $1 podman_conmon_t:fd use;
+   allow $1 podman_conmon_user_t:fd use;
+')
+
 
 ## 
 ## Role access for rootless podman.
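Review bot: The summary for `podman_use_conmon_fds` says the domain may "inherit file descriptors from conmon", but `fd use` is the check SELinux applies whenever a process uses a descriptor created in another domain, which also covers descriptors received over a unix socket, not only ones inherited across fork/exec. Suggest `## Use file descriptors created by conmon, whether inherited or received over a socket.` For `podman_rw_conmon_pipes`, saying that the pipes are the unnamed stdio pipes conmon sets up for the container would make the purpose clear — that is my reading of conmon's role and should be confirmed.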



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2022-04-09 Thread Jason Zaman
commit: fdaca38de2e7dfa2356925c3e195891ddbb035ad
Author: Kenton Groombridge  concord  sh>
AuthorDate: Thu Mar 31 19:16:26 2022 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Apr  9 19:28:30 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=fdaca38d

container: add missing capabilities

Signed-off-by: Kenton Groombridge  concord.sh>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/services/container.te | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/services/container.te 
b/policy/modules/services/container.te
index fa4145e3..a243eb4a 100644
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@@ -163,7 +163,7 @@ corenet_port(container_port_t)
 #
 
 allow container_domain self:capability { dac_override kill setgid setuid 
sys_boot sys_chroot };
-allow container_domain self:cap_userns { chown dac_override fowner setgid 
setuid };
+allow container_domain self:cap_userns { chown dac_override dac_read_search 
fowner kill setgid setuid };
 allow container_domain self:process { execstack execmem getattr getsched 
getsession setsched setcap setpgid signal_perms };
 allow container_domain self:fifo_file manage_fifo_file_perms;
 allow container_domain self:sem create_sem_perms;
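Review bot: `dac_read_search` and `kill` are added to the cap_userns set for every container domain without a comment saying what needed them; inside a user namespace `kill` lets a process signal processes owned by other uids of that namespace and `dac_read_search` bypasses read/search DAC checks on files mapped into it, so the motivating denial is worth recording, e.g. `# dac_read_search/kill: needed by <workload> in a rootless container (AVC: ...)` with the real workload filled in. The same applies to `net_bind_service` in the second hunk. Unrelated to this commit but visible in the context, `sys_boot` in the plain capability set for all containers stands out and would merit its own comment if it is intentional.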
@@ -302,7 +302,7 @@ optional_policy(`
 #
 
 allow container_net_domain self:capability { net_admin net_raw };
-allow container_net_domain self:cap_userns { net_admin net_raw };
+allow container_net_domain self:cap_userns { net_admin net_bind_service 
net_raw };
 allow container_net_domain self:tcp_socket create_stream_socket_perms;
 allow container_net_domain self:udp_socket create_socket_perms;
 allow container_net_domain self:tun_socket create_socket_perms;



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2022-04-09 Thread Jason Zaman
commit: bd72a9299a732f01958ce28f616be3313eb13536
Author: Kenton Groombridge  concord  sh>
AuthorDate: Thu Mar 31 18:22:01 2022 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Apr  9 19:28:30 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=bd72a929

podman: fix role associations

Add conmon to the system role and make podman/conmon user domains user
applications.

Signed-off-by: Kenton Groombridge  concord.sh>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/services/podman.te | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/policy/modules/services/podman.te 
b/policy/modules/services/podman.te
index 316db505..e5158720 100644
--- a/policy/modules/services/podman.te
+++ b/policy/modules/services/podman.te
@@ -18,15 +18,16 @@ mls_trusted_object(podman_t)
 
 container_engine_domain_template(podman_user)
 container_user_engine(podman_user_t)
-application_domain(podman_user_t, podman_exec_t)
+userdom_user_application_domain(podman_user_t, podman_exec_t)
 mls_trusted_object(podman_user_t)
 
 type podman_conmon_t;
 type podman_conmon_exec_t;
 application_domain(podman_conmon_t, podman_conmon_exec_t)
+role system_r types podman_conmon_t;
 
 type podman_conmon_user_t;
-application_domain(podman_conmon_user_t, podman_conmon_exec_t)
+userdom_user_application_domain(podman_conmon_user_t, podman_conmon_exec_t)
 
 
 #



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2022-04-09 Thread Jason Zaman
commit: 2c2c9b394efb09bf61c6bd82d470d76d3e8d30b4
Author: Kenton Groombridge  concord  sh>
AuthorDate: Fri Mar 11 05:07:56 2022 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Apr  9 19:28:30 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2c2c9b39

container, podman: allow podman to create and write config files

Podman 4.0 now creates the CNI network config files if they do not
exist.

Signed-off-by: Kenton Groombridge  concord.sh>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/services/container.if | 38 
 policy/modules/services/podman.te|  4 
 2 files changed, 42 insertions(+)

diff --git a/policy/modules/services/container.if 
b/policy/modules/services/container.if
index e9217f63..bf5ecfb5 100644
--- a/policy/modules/services/container.if
+++ b/policy/modules/services/container.if
@@ -738,6 +738,44 @@ interface(`container_mountpoint',`
typeattribute $1 container_mountpoint_type;
 ')
 
+
+## 
+## Allow the specified domain to
+## create container config files.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`container_create_config_files',`
+   gen_require(`
+   type container_config_t;
+   ')
+
+   create_files_pattern($1, container_config_t, container_config_t)
+')
+
+
+## 
+## Allow the specified domain to
+## write container config files.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`container_write_config_files',`
+   gen_require(`
+   type container_config_t;
+   ')
+
+   write_files_pattern($1, container_config_t, container_config_t)
+')
+
 
 ## 
 ## Allow the specified domain to
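Review bot: The summaries undersell what the new interfaces grant: `create_files_pattern` also gives the caller `add_name`/`write`/`search` on container_config_t directories, and `write_files_pattern` gives open/write access on existing files, so a reader scanning the `.if` sees "create config files" and misses the directory write. Suggest `## Create container config files (includes adding entries to container config directories).` for the first and `## Write existing container config files (no create or remove).` for the second. Neither interface covers `unlink`/`rename`, so a caller that replaces a config atomically through a temp file will still be denied; whether that matters depends on the caller.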

diff --git a/policy/modules/services/podman.te 
b/policy/modules/services/podman.te
index dfb8e5da..5df45d32 100644
--- a/policy/modules/services/podman.te
+++ b/policy/modules/services/podman.te
@@ -39,6 +39,10 @@ allow podman_t podman_conmon_t:unix_stream_socket { 
connectto rw_stream_socket_p
 
 container_engine_executable_entrypoint(podman_t)
 
+# podman 4.0.0 now creates OCI networking configs
+container_create_config_files(podman_t)
+container_write_config_files(podman_t)
+
 domtrans_pattern(podman_t, podman_conmon_exec_t, podman_conmon_t)
 
 logging_send_syslog_msg(podman_t)
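Review bot: The inline comment calls the files "OCI networking configs" while the commit message says CNI network config files; CNI is the plugin-level format podman 4.0 writes here, OCI is the runtime/image spec, so the comment should match the commit: `# podman 4.0 creates CNI network config files under the container config dir when they are missing`. Also worth confirming from the audit log that create plus write is all podman needs — if it writes the config through a temp file and `rename`, the two interfaces used here do not cover that.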



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2022-04-09 Thread Jason Zaman
commit: 502084fa7b0f2a22c1d6c2f25f3dae7a54008dee
Author: Kenton Groombridge  concord  sh>
AuthorDate: Thu Mar 31 19:02:13 2022 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Apr  9 19:28:30 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=502084fa

podman: add rules for systemd container units

Allow conmon to use init file descriptors and read-write init unix
stream sockets. This is in support of containers started as systemd
units.

Signed-off-by: Kenton Groombridge  concord.sh>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/services/podman.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/policy/modules/services/podman.te 
b/policy/modules/services/podman.te
index e5158720..f8600a7a 100644
--- a/policy/modules/services/podman.te
+++ b/policy/modules/services/podman.te
@@ -175,6 +175,9 @@ fs_watch_cgroup_files(podman_conmon_t)
 fs_getattr_tmpfs(podman_conmon_t)
 fs_getattr_xattr_fs(podman_conmon_t)
 
+init_rw_inherited_stream_socket(podman_conmon_t)
+init_use_fds(podman_conmon_t)
+
 logging_send_syslog_msg(podman_conmon_t)
 
 miscfiles_read_localization(podman_conmon_t)
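Review bot: The two `init_*` calls carry no comment explaining why a container monitor needs init's descriptors and an inherited stream socket; the commit message has the answer and it belongs next to the rules: `# containers started as systemd units: conmon inherits its stdio socket and fds from init`. Whether that socket is journal logging for stdout/stderr or something else is my guess from the interface names and should be confirmed.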



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2022-03-30 Thread Jason Zaman
commit: 96b25ec181556bbae727bb32714c6d4438f6ce67
Author: Russell Coker  coker  com  au>
AuthorDate: Thu Feb 17 14:47:40 2022 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Thu Mar 31 02:40:53 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=96b25ec1

init dbus patch for GetDynamicUsers with systemd_use_nss() V2

Same as before but moved to the top of my patch list so it will apply to the
git policy.

Should be ready to merge now.

Signed-off-by: Russell Coker  coker.com.au>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/services/dictd.te   |  3 +++
 policy/modules/services/postfix.te | 18 ++
 2 files changed, 13 insertions(+), 8 deletions(-)

diff --git a/policy/modules/services/dictd.te b/policy/modules/services/dictd.te
index a6bc5336..a286f7de 100644
--- a/policy/modules/services/dictd.te
+++ b/policy/modules/services/dictd.te
@@ -79,3 +79,6 @@ optional_policy(`
seutil_sigchld_newrole(dictd_t)
 ')
 
+ifdef(`init_systemd',`
+   systemd_use_nss(dictd_t)
+')
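Review bot: This hunk wraps `systemd_use_nss(dictd_t)` in `ifdef(`init_systemd',`, while every postfix hunk in the same commit wraps the identical call in `optional_policy(`; the two constructs drop the rule under different conditions (build-time init flavour versus presence of the systemd module), so one form should be used consistently for this interface. The postfix neighbours already use `optional_policy(`, so changing this to `optional_policy(` / `systemd_use_nss(dictd_t)` / `')` would match, unless dictd has a reason to key on the init type that the commit does not mention.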

diff --git a/policy/modules/services/postfix.te 
b/policy/modules/services/postfix.te
index 5c324bc7..0f865b00 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@@ -374,11 +374,7 @@ manage_files_pattern(postfix_bounce_t, 
postfix_spool_bounce_t, postfix_spool_bou
 manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, 
postfix_spool_bounce_t)
 
 optional_policy(`
-   init_dbus_chat(postfix_bounce_t)
-')
-
-optional_policy(`
-   dbus_system_bus_client(postfix_bounce_t)
+   systemd_use_nss(postfix_bounce_t)
 ')
 
 
@@ -765,6 +761,10 @@ optional_policy(`
cyrus_stream_connect(postfix_smtp_t)
 ')
 
+optional_policy(`
+   systemd_use_nss(postfix_smtp_t)
+')
+
 optional_policy(`
dovecot_stream_connect(postfix_smtp_t)
 ')
@@ -773,6 +773,10 @@ optional_policy(`
milter_stream_connect_all(postfix_smtp_t)
 ')
 
+optional_policy(`
+   systemd_use_nss(postfix_showq_t)
+')
+
 
 #
 # Smtpd local policy
@@ -803,9 +807,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-   dbus_send_system_bus(postfix_smtp_t)
-   dbus_system_bus_client(postfix_smtp_t)
-   init_dbus_chat(postfix_smtp_t)
+   systemd_use_nss(postfix_smtpd_t)
 ')
 
 optional_policy(`
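Review bot: The removed lines in the smtpd section are rules for `postfix_smtp_t`, but the replacement is `systemd_use_nss(postfix_smtpd_t)`, so the net effect is that postfix_smtp_t loses `dbus_send_system_bus`, `dbus_system_bus_client` and `init_dbus_chat` and keeps only the `systemd_use_nss` added in the smtp section, while postfix_smtpd_t gains access it did not have before. The postfix_bounce_t hunk performs the same swap. That is only safe if `systemd_use_nss()` subsumes the dbus client and init chat access those domains used for GetDynamicUsers; the interface body is outside this diff, so please confirm it or state it in the commit message — otherwise postfix_smtp_t regresses.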



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2022-03-30 Thread Jason Zaman
commit: 04b123f76086ec111c475bd22b81b2da5be95037
Author: Chris PeBenito  ieee  org>
AuthorDate: Fri Mar 25 12:45:21 2022 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Thu Mar 31 02:40:53 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=04b123f7

postfix: Move lines.

No rule change.

Signed-off-by: Chris PeBenito  ieee.org>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/services/postfix.te | 18 +-
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/policy/modules/services/postfix.te 
b/policy/modules/services/postfix.te
index 0f865b00..a61882d4 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@@ -738,6 +738,10 @@ allow postfix_showq_t postfix_spool_t:file read_file_perms;
 term_use_all_ptys(postfix_showq_t)
 term_use_all_ttys(postfix_showq_t)
 
+optional_policy(`
+   systemd_use_nss(postfix_showq_t)
+')
+
 
 #
 # Smtp delivery local policy
@@ -761,10 +765,6 @@ optional_policy(`
cyrus_stream_connect(postfix_smtp_t)
 ')
 
-optional_policy(`
-   systemd_use_nss(postfix_smtp_t)
-')
-
 optional_policy(`
dovecot_stream_connect(postfix_smtp_t)
 ')
@@ -774,7 +774,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-   systemd_use_nss(postfix_showq_t)
+   systemd_use_nss(postfix_smtp_t)
 ')
 
 
@@ -806,10 +806,6 @@ optional_policy(`
certbot_read_lib(postfix_smtpd_t)
 ')
 
-optional_policy(`
-   systemd_use_nss(postfix_smtpd_t)
-')
-
 optional_policy(`
dovecot_stream_connect_auth(postfix_smtpd_t)
dovecot_stream_connect(postfix_smtpd_t)
@@ -840,6 +836,10 @@ optional_policy(`
spamassassin_stream_connect_spamd(postfix_smtpd_t)
 ')
 
+optional_policy(`
+   systemd_use_nss(postfix_smtpd_t)
+')
+
 
 #
 # Virtual local policy



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2022-03-30 Thread Jason Zaman
commit: d953a2fbae3db9cea8136566782294d6206a717a
Author: Russell Coker  coker  com  au>
AuthorDate: Thu Mar 24 14:34:49 2022 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Thu Mar 31 02:40:53 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d953a2fb

certbot V3

Same as the last one but with the directory names for the auto trans rules
removed.  I think it's ready for merging.

Signed-off-by: Russell Coker  coker.com.au>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/services/apache.if  | 36 
 policy/modules/services/certbot.te | 22 +++---
 2 files changed, 55 insertions(+), 3 deletions(-)

diff --git a/policy/modules/services/apache.if 
b/policy/modules/services/apache.if
index 11a7120e..dd86c618 100644
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@@ -236,6 +236,24 @@ interface(`apache_domtrans',`
domtrans_pattern($1, httpd_exec_t, httpd_t)
 ')
 
+
+## 
+## Execute httpd
+## 
+## 
+## 
+## Domain allowed to execute it.
+## 
+## 
+#
+interface(`apache_exec',`
+   gen_require(`
+   type httpd_t, httpd_exec_t;
+   ')
+
+   can_exec($1, httpd_exec_t)
+')
+
 
 ## 
 ## Execute httpd server in the httpd domain.
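Review bot: The summary `Execute httpd` hides the one thing that matters about this interface sitting next to `apache_domtrans`: the binary runs in the caller's own domain, with the caller's permissions, and no transition to httpd_t occurs. Suggest `## Execute httpd in the caller's domain (no domain transition).` so a policy author does not pick it by mistake when a transition is wanted.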
@@ -1430,3 +1448,21 @@ interface(`apache_admin',`
apache_run_all_scripts($1, $2)
apache_run_helper($1, $2)
 ')
+
+
+## 
+## rw httpd_runtime_t files
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`apache_rw_runtime_files',`
+   gen_require(`
+   type httpd_runtime_t;
+   ')
+
+   allow $1 httpd_runtime_t:file rw_file_perms;
+')
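Review bot: `rw httpd_runtime_t files` is not a usable summary, and the rule grants only the `file` class: a caller still needs search access to the httpd runtime directory from another interface before it can reach those files. Suggest `## Read and write httpd runtime files; callers must separately be able to search the httpd runtime directory.` The interface name itself follows the `_rw_runtime_files` convention, which is good.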

diff --git a/policy/modules/services/certbot.te 
b/policy/modules/services/certbot.te
index fc979c5f..ac609795 100644
--- a/policy/modules/services/certbot.te
+++ b/policy/modules/services/certbot.te
@@ -43,7 +43,7 @@ allow certbot_t self:udp_socket all_udp_socket_perms;
 allow certbot_t self:tcp_socket all_tcp_socket_perms;
 allow certbot_t self:netlink_route_socket create_netlink_socket_perms;
 
-files_search_var_lib(certbot_t)
+files_var_lib_filetrans(certbot_t, certbot_lib_t, dir)
 manage_dirs_pattern(certbot_t, certbot_lib_t, certbot_lib_t)
 manage_files_pattern(certbot_t, certbot_lib_t, certbot_lib_t)
 
@@ -62,7 +62,7 @@ allow certbot_t certbot_tmp_t:file mmap_exec_file_perms;
 allow certbot_t certbot_tmpfs_t:file mmap_exec_file_perms;
 allow certbot_t certbot_runtime_t:file mmap_exec_file_perms;
 
-logging_search_logs(certbot_t)
+logging_log_filetrans(certbot_t, certbot_log_t, dir)
 allow certbot_t certbot_log_t:dir manage_dir_perms;
 allow certbot_t certbot_log_t:file manage_file_perms;
 
@@ -80,11 +80,15 @@ corenet_tcp_connect_dns_port(certbot_t)
 # bind to http port for standalone mode
 corenet_tcp_bind_http_port(certbot_t)
 
+dev_read_urand(certbot_t)
+
 domain_use_interactive_fds(certbot_t)
 
 files_read_etc_files(certbot_t)
 files_read_usr_files(certbot_t)
 
+# dontaudit for attempts to write python cache files
+libs_dontaudit_write_lib_dirs(certbot_t)
 libs_exec_ldconfig(certbot_t)
 # for /usr/lib/gcc/x86_64-linux-gnu/8/collect2
 libs_exec_lib_files(certbot_t)
@@ -110,5 +114,17 @@ optional_policy(`
# for writing to webroot
apache_manage_sys_content(certbot_t)
 
-   apache_search_config(certbot_t)
+   apache_append_log(certbot_t)
+   apache_exec(certbot_t)
+   apache_exec_modules(certbot_t)
+
+   # for certbot to create nginx config
+   apache_manage_config(certbot_t)
+
+   apache_rw_runtime_files(certbot_t)
+   apache_signal(certbot_t)
+')
+
+optional_policy(`
+   xdg_search_config_dirs(certbot_t)
 ')
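Review bot: `apache_exec(certbot_t)` runs the web server binary inside certbot_t rather than transitioning to httpd_t, so that process carries certbot's access to certbot_lib_t — the directory this file lets certbot manage and which presumably holds the issued private keys; if this is only for config-test invocations, say so and the trade-off is explicit: `# certbot runs the web server binary for config validation only; no transition to httpd_t`. The comment "for certbot to create nginx config" sits above `apache_manage_config`, which reads oddly unless nginx's config is labeled httpd_config_t in this policy — if so, name that: `# apache and nginx configs are httpd_config_t; certbot edits them to install certificates`. Taken together, manage-config, exec, exec-modules, rw-runtime and signal give certbot full control of the web server unconditionally whenever the apache module is present; a tunable around this block would let hosts using webroot or DNS challenges opt out.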



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2022-03-30 Thread Jason Zaman
commit: 11a7bdcff19d577062c451a8e0099b5c77092559
Author: Kenton Groombridge  concord  sh>
AuthorDate: Wed Dec  1 14:13:52 2021 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Thu Mar 31 02:40:53 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=11a7bdcf

networkmanager: allow getting systemd system status

Signed-off-by: Kenton Groombridge  concord.sh>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/services/networkmanager.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/services/networkmanager.te 
b/policy/modules/services/networkmanager.te
index e16d0d2b..db92cbff 100644
--- a/policy/modules/services/networkmanager.te
+++ b/policy/modules/services/networkmanager.te
@@ -165,6 +165,7 @@ storage_getattr_fixed_disk_dev(NetworkManager_t)
 init_read_utmp(NetworkManager_t)
 init_dontaudit_write_utmp(NetworkManager_t)
 init_domtrans_script(NetworkManager_t)
+init_get_system_status(NetworkManager_t)
 
 auth_use_nsswitch(NetworkManager_t)
 



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2022-03-30 Thread Jason Zaman
commit: c2bcc69a341396ee6249308575615c68d30926bd
Author: Chris PeBenito  ieee  org>
AuthorDate: Fri Mar 25 15:29:37 2022 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Thu Mar 31 02:40:53 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c2bcc69a

apache: Remove unnecessary require in apache_exec().

Signed-off-by: Chris PeBenito  ieee.org>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/services/apache.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/services/apache.if 
b/policy/modules/services/apache.if
index dd86c618..2b3a7f3c 100644
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@@ -248,7 +248,7 @@ interface(`apache_domtrans',`
 #
 interface(`apache_exec',`
gen_require(`
-   type httpd_t, httpd_exec_t;
+   type httpd_exec_t;
')
 
can_exec($1, httpd_exec_t)



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/, config/appconfig-standard/, config/appconfig-mls/, ...

2022-03-30 Thread Jason Zaman
commit: c5fa13989512397b4ae3c75feb99a8f4cf4c5376
Author: Russell Coker  coker  com  au>
AuthorDate: Sun Mar 27 12:15:11 2022 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Thu Mar 31 03:11:59 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c5fa1398

new sddm V2

This patch addresses all previous issues and I think it's ready to merge.

Signed-off-by: Russell Coker  coker.com.au>
Signed-off-by: Jason Zaman  gentoo.org>

 config/appconfig-mcs/seusers   |  1 +
 config/appconfig-mcs/xdm_default_contexts  |  1 +
 config/appconfig-mls/seusers   |  1 +
 config/appconfig-mls/xdm_default_contexts  |  1 +
 config/appconfig-standard/seusers  |  1 +
 config/appconfig-standard/xdm_default_contexts |  1 +
 policy/modules/services/xserver.te | 11 +++
 7 files changed, 17 insertions(+)

diff --git a/config/appconfig-mcs/seusers b/config/appconfig-mcs/seusers
index ce614b41..e87000a5 100644
--- a/config/appconfig-mcs/seusers
+++ b/config/appconfig-mcs/seusers
@@ -1,2 +1,3 @@
 root:root:s0-mcs_systemhigh
 __default__:user_u:s0
+sddm:xdm:s0

diff --git a/config/appconfig-mcs/xdm_default_contexts 
b/config/appconfig-mcs/xdm_default_contexts
new file mode 100644
index ..08c88c0f
--- /dev/null
+++ b/config/appconfig-mcs/xdm_default_contexts
@@ -0,0 +1 @@
+system_r:xdm_t:s0  system_r:xdm_t:s0

diff --git a/config/appconfig-mls/seusers b/config/appconfig-mls/seusers
index 4e500b09..38414fee 100644
--- a/config/appconfig-mls/seusers
+++ b/config/appconfig-mls/seusers
@@ -1,2 +1,3 @@
 root:root:s0-mls_systemhigh
 __default__:user_u:s0
+sddm:xdm:s0

diff --git a/config/appconfig-mls/xdm_default_contexts 
b/config/appconfig-mls/xdm_default_contexts
new file mode 100644
index ..08c88c0f
--- /dev/null
+++ b/config/appconfig-mls/xdm_default_contexts
@@ -0,0 +1 @@
+system_r:xdm_t:s0  system_r:xdm_t:s0

diff --git a/config/appconfig-standard/seusers 
b/config/appconfig-standard/seusers
index f7c5bd27..f6066b50 100644
--- a/config/appconfig-standard/seusers
+++ b/config/appconfig-standard/seusers
@@ -1,2 +1,3 @@
 root:root
 __default__:user_u
+sddm:xdm:s0
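Review bot: The standard (non-MLS/MCS) seusers file has no level field on its existing entries (`root:root`, `__default__:user_u`), but the new line is `sddm:xdm:s0`, copied verbatim from the MCS/MLS variants; the standard xdm_default_contexts added in the same commit correctly omits the level. For consistency it should read `sddm:xdm`. Whether libselinux silently tolerates the extra field on a non-MLS policy I cannot tell from here, but the file should not rely on it.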

diff --git a/config/appconfig-standard/xdm_default_contexts 
b/config/appconfig-standard/xdm_default_contexts
new file mode 100644
index ..af1cb2e7
--- /dev/null
+++ b/config/appconfig-standard/xdm_default_contexts
@@ -0,0 +1 @@
+system_r:xdm_t system_r:xdm_t

diff --git a/policy/modules/services/xserver.te 
b/policy/modules/services/xserver.te
index 347e96c2..24cea45b 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -62,6 +62,10 @@ gen_tunable(xserver_object_manager, false)
 ## 
 gen_tunable(xserver_allow_dri, false)
 
+# for sddm to use pam for greeter
+role xdm_r;
+allow system_r xdm_r;
+
 attribute x_domain;
 
 # X Events
@@ -145,6 +149,7 @@ fs_associate_tmpfs(xconsole_device_t)
 files_associate_tmp(xconsole_device_t)
 
 type xdm_t;
+role xdm_r types xdm_t;
 type xdm_exec_t;
 auth_login_pgm_domain(xdm_t)
 init_domain(xdm_t, xdm_exec_t)
@@ -843,6 +848,9 @@ manage_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
 manage_lnk_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
 manage_sock_files_pattern(xserver_t, xdm_tmp_t, xdm_tmp_t)
 
+# for sddm to use pam for greeter, sddm greeter needs execmod
+allow xdm_t xdm_tmpfs_t:file execmod;
+
 # Run Xorg.wrap
 can_exec(xserver_t, xserver_exec_t)
 
@@ -1046,3 +1054,6 @@ ifdef(`distro_gentoo',`
cgmanager_stream_connect(xdm_t)
')
 ')
+
+# for sddm to use pam for greeter
+gen_user(xdm,, xdm_r, s0, s0)



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2022-02-26 Thread Jason Zaman
commit: 598805d2225387890f55a77e17567edbc788d824
Author: Chris PeBenito  ieee  org>
AuthorDate: Fri Feb 18 19:56:40 2022 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Feb 27 02:13:17 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=598805d2

matrixd: SELint fixes.

Signed-off-by: Chris PeBenito  ieee.org>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/services/matrixd.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/services/matrixd.te 
b/policy/modules/services/matrixd.te
index 2c7f384c..d3950cda 100644
--- a/policy/modules/services/matrixd.te
+++ b/policy/modules/services/matrixd.te
@@ -41,7 +41,7 @@ files_type(matrixd_var_t)
 # Local policy
 #
 
-allow matrixd_t self:fifo_file rw_file_perms;
+allow matrixd_t self:fifo_file rw_fifo_file_perms;
 allow matrixd_t self:tcp_socket create_stream_socket_perms;
 allow matrixd_t self:netlink_route_socket r_netlink_socket_perms;
 



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2022-02-26 Thread Jason Zaman
commit: e312e5bdbbf8d7c76b13d94b02ad56372d6d8b37
Author: Russell Coker  coker  com  au>
AuthorDate: Wed Feb 16 13:07:30 2022 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Feb 27 02:13:17 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e312e5bd

dontaudit net_admin without hide_broken_symptoms

Sending this patch again without the ifdef, I agree that the ifdef isn't very
useful nowadays.

Signed-off-by: Russell Coker  coker.com.au>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/services/cron.te  | 2 ++
 policy/modules/services/dbus.te  | 2 ++
 policy/modules/services/policykit.te | 2 ++
 policy/modules/services/postfix.te   | 2 ++
 4 files changed, 8 insertions(+)

diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
index 03268277..9ecbe4d6 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -209,6 +209,8 @@ tunable_policy(`fcron_crond',`
 # Daemon local policy
 #
 
+# for changing buffer sizes
+dontaudit crond_t self:capability net_admin;
 allow crond_t self:capability { chown dac_override dac_read_search fowner 
setgid setuid sys_nice };
 dontaudit crond_t self:capability { sys_resource sys_tty_config };
 

diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index c0b98558..9a1e6b30 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -67,6 +67,8 @@ ifdef(`enable_mls',`
 # Local policy
 #
 
+# for changing buffer sizes
+dontaudit system_dbusd_t self:capability net_admin;
 allow system_dbusd_t self:capability { dac_override setgid setpcap setuid 
sys_resource };
 dontaudit system_dbusd_t self:capability sys_tty_config;
 allow system_dbusd_t self:process { getattr getsched signal_perms setpgid 
getcap setcap setrlimit };

diff --git a/policy/modules/services/policykit.te 
b/policy/modules/services/policykit.te
index ee8f4c2d..46f5568f 100644
--- a/policy/modules/services/policykit.te
+++ b/policy/modules/services/policykit.te
@@ -68,6 +68,8 @@ miscfiles_read_localization(policykit_domain)
 # Local policy
 #
 
+# for changing buffer sizes
+dontaudit policykit_t self:capability net_admin;
 allow policykit_t self:capability { dac_override dac_read_search setgid setuid 
sys_nice sys_ptrace };
 allow policykit_t self:process { getsched setsched signal };
 allow policykit_t self:unix_stream_socket { accept connectto listen };
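Review bot: `dontaudit policykit_t self:capability net_admin;` silences every CAP_NET_ADMIN denial for the domain, not just the one from socket buffer sizing, so a compromised polkit attempting route or interface changes would still be denied but no longer logged; the commit message says the hide_broken_symptoms ifdef was dropped deliberately, so that trade-off should at least be recorded in the comment, e.g. `# dontaudit net_admin: triggered by socket buffer-size setsockopt calls; also hides any other net_admin attempt`. Which setsockopt triggers it is my inference from "buffer sizes" — confirm from the AVC. The same note applies to the cron, dbus and postfix hunks in this commit.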

diff --git a/policy/modules/services/postfix.te 
b/policy/modules/services/postfix.te
index 6b97df10..6fe06887 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@@ -107,6 +107,8 @@ mta_mailserver_delivery(postfix_virtual_t)
 # Common postfix domain local policy
 #
 
+# for changing buffer sizes
+dontaudit postfix_domain self:capability net_admin;
 allow postfix_domain self:capability { sys_chroot sys_nice };
 dontaudit postfix_domain self:capability sys_tty_config;
 allow postfix_domain self:process { signal_perms setpgid setsched };



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2022-02-26 Thread Jason Zaman
commit: 4234b23d214dd8b53dd631560f9c98778f1c9ac5
Author: Chris PeBenito  ieee  org>
AuthorDate: Fri Feb 18 18:46:24 2022 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Feb 27 02:13:17 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4234b23d

matrixd: Cleanups.

Signed-off-by: Chris PeBenito  ieee.org>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/services/matrixd.fc |  6 --
 policy/modules/services/matrixd.if |  2 +-
 policy/modules/services/matrixd.te | 35 ---
 3 files changed, 21 insertions(+), 22 deletions(-)

diff --git a/policy/modules/services/matrixd.fc 
b/policy/modules/services/matrixd.fc
index b59b1c75..6db2d7ed 100644
--- a/policy/modules/services/matrixd.fc
+++ b/policy/modules/services/matrixd.fc
@@ -1,4 +1,6 @@
-/var/lib/matrix-synapse(/.*)?  
gen_context(system_u:object_r:matrixd_var_t,s0)
-/var/log/matrix-synapse(/.*)?  
gen_context(system_u:object_r:matrixd_log_t,s0)
 /etc/matrix-synapse(/.*)?  
gen_context(system_u:object_r:matrixd_conf_t,s0)
+
 /usr/bin/synctl--  
gen_context(system_u:object_r:matrixd_exec_t,s0)
+
+/var/lib/matrix-synapse(/.*)?  
gen_context(system_u:object_r:matrixd_var_t,s0)
+/var/log/matrix-synapse(/.*)?  
gen_context(system_u:object_r:matrixd_log_t,s0)

diff --git a/policy/modules/services/matrixd.if 
b/policy/modules/services/matrixd.if
index f1eff5f0..8cf2a845 100644
--- a/policy/modules/services/matrixd.if
+++ b/policy/modules/services/matrixd.if
@@ -1 +1 @@
-## Matrixd
+## matrix.org synapse reference server.

diff --git a/policy/modules/services/matrixd.te 
b/policy/modules/services/matrixd.te
index 5c217678..2c7f384c 100644
--- a/policy/modules/services/matrixd.te
+++ b/policy/modules/services/matrixd.te
@@ -1,4 +1,4 @@
-policy_module(matrixd, 1.0.0)
+policy_module(matrixd)
 
 
 #
@@ -20,23 +20,22 @@ gen_tunable(matrix_allow_federation, true)
 ## 
 gen_tunable(matrix_postgresql_connect, false)
 
-
 type matrixd_t;
 type matrixd_exec_t;
 init_daemon_domain(matrixd_t, matrixd_exec_t)
 
-type matrixd_var_t;
-files_type(matrixd_var_t)
+type matrixd_conf_t;
+files_config_file(matrixd_conf_t)
 
 type matrixd_log_t;
 logging_log_file(matrixd_log_t)
 
-type matrixd_conf_t;
-files_config_file(matrixd_conf_t)
-
 type matrixd_tmp_t;
 files_tmp_file(matrixd_tmp_t)
 
+type matrixd_var_t;
+files_type(matrixd_var_t)
+
 
 #
 # Local policy
@@ -56,16 +55,15 @@ allow matrixd_t matrixd_tmp_t:file { manage_file_perms map 
};
 files_tmp_filetrans(matrixd_t, matrixd_tmp_t, file)
 fs_tmpfs_filetrans(matrixd_t, matrixd_tmp_t, file)
 
-manage_files_pattern(matrixd_t, matrixd_var_t, matrixd_var_t)
-files_search_var_lib(matrixd_t)
-allow matrixd_t matrixd_var_t:file map;
-allow matrixd_t matrixd_var_t:dir manage_dir_perms;
+allow matrixd_t matrixd_conf_t:dir list_dir_perms;
+read_files_pattern(matrixd_t, matrixd_conf_t, matrixd_conf_t)
 
 logging_search_logs(matrixd_t)
 manage_files_pattern(matrixd_t, matrixd_log_t, matrixd_log_t)
 
-read_files_pattern(matrixd_t, matrixd_conf_t, matrixd_conf_t)
-allow matrixd_t matrixd_conf_t:dir list_dir_perms;
+mmap_manage_files_pattern(matrixd_t, matrixd_var_t, matrixd_var_t)
+manage_dirs_pattern(matrixd_t, matrixd_var_t, matrixd_var_t)
+files_search_var_lib(matrixd_t)
 
 kernel_read_system_state(matrixd_t)
 kernel_read_vm_overcommit_sysctl(matrixd_t)
@@ -81,7 +79,6 @@ corenet_tcp_bind_generic_node(matrixd_t)
 corenet_tcp_bind_http_port(matrixd_t)
 corenet_tcp_connect_http_cache_port(matrixd_t)
 corenet_tcp_connect_http_port(matrixd_t)
-
 corenet_udp_bind_generic_node(matrixd_t)
 corenet_udp_bind_generic_port(matrixd_t)
 corenet_udp_bind_reserved_port(matrixd_t)
@@ -91,11 +88,11 @@ dev_read_urand(matrixd_t)
 files_read_etc_files(matrixd_t)
 files_read_etc_runtime_files(matrixd_t)
 files_read_etc_symlinks(matrixd_t)
-
 # for /usr/share/ca-certificates
 files_read_usr_files(matrixd_t)
 
 init_search_runtime(matrixd_t)
+
 logging_send_syslog_msg(matrixd_t)
 
 miscfiles_read_generic_tls_privkey(matrixd_t)
@@ -106,10 +103,6 @@ sysnet_read_config(matrixd_t)
 
 userdom_search_user_runtime_root(matrixd_t)
 
-optional_policy(`
-   apache_search_config(matrixd_t)
-')
-
 tunable_policy(`matrix_allow_federation',`
corenet_tcp_connect_all_unreserved_ports(matrixd_t)
corenet_tcp_connect_generic_port(matrixd_t)
@@ -124,3 +117,7 @@ tunable_policy(`matrix_postgresql_connect',`
postgresql_tcp_connect(matrixd_t)
 ')
 
+optional_policy(`
+   apache_search_config(matrixd_t)
+')
+ 
\ No newline at end of file
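Review bot: The final hunk appends a line containing a single space and drops the trailing newline at end of file — exactly the whitespace noise a cleanup commit should be removing, and both are flagged by common lint tooling. End the file with `')` followed by a newline and nothing after it.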



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2022-02-26 Thread Jason Zaman
commit: a6f1a4be5244df25381bdc9d270765134f4d802b
Author: Chris PeBenito  ieee  org>
AuthorDate: Wed Feb 16 16:04:33 2022 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Feb 27 02:13:17 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a6f1a4be

cron, dbus, policykit, postfix: Minor style fixes.

No rule changes.

Signed-off-by: Chris PeBenito  ieee.org>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/services/cron.te  | 4 ++--
 policy/modules/services/dbus.te  | 5 ++---
 policy/modules/services/policykit.te | 2 +-
 policy/modules/services/postfix.te   | 5 ++---
 4 files changed, 7 insertions(+), 9 deletions(-)

diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
index 9ecbe4d6..b36fc709 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -209,10 +209,10 @@ tunable_policy(`fcron_crond',`
 # Daemon local policy
 #
 
-# for changing buffer sizes
 dontaudit crond_t self:capability net_admin;
 allow crond_t self:capability { chown dac_override dac_read_search fowner 
setgid setuid sys_nice };
-dontaudit crond_t self:capability { sys_resource sys_tty_config };
+# net_admin for changing buffer sizes
+dontaudit crond_t self:capability { net_admin sys_resource sys_tty_config };
 
 allow crond_t self:process { transition signal_perms getsched setsched 
getsession getpgid setpgid getcap setcap share getattr setexec setfscreate 
noatsecure siginh setrlimit rlimitinh dyntransition setkeycreate setsockcreate 
getrlimit };
 allow crond_t self:fd use;
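Review bot: Unlike the dbus and postfix hunks in this commit, the cron hunk removes only the comment above the standalone `dontaudit crond_t self:capability net_admin;` and keeps that line as context while also adding `net_admin` to the merged dontaudit two lines below, so cron.te now carries the same dontaudit twice. Remove the standalone line so the merged `dontaudit crond_t self:capability { net_admin sys_resource sys_tty_config };` is the only one; the commit's "No rule changes" still holds.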

diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index 9a1e6b30..31fc905c 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -67,10 +67,9 @@ ifdef(`enable_mls',`
 # Local policy
 #
 
-# for changing buffer sizes
-dontaudit system_dbusd_t self:capability net_admin;
 allow system_dbusd_t self:capability { dac_override setgid setpcap setuid 
sys_resource };
-dontaudit system_dbusd_t self:capability sys_tty_config;
+# net_admin for changing buffer sizes
+dontaudit system_dbusd_t self:capability { net_admin sys_tty_config };
 allow system_dbusd_t self:process { getattr getsched signal_perms setpgid 
getcap setcap setrlimit };
 allow system_dbusd_t self:fifo_file rw_fifo_file_perms;
 allow system_dbusd_t self:dbus { send_msg acquire_svc };

diff --git a/policy/modules/services/policykit.te 
b/policy/modules/services/policykit.te
index 46f5568f..197dc13c 100644
--- a/policy/modules/services/policykit.te
+++ b/policy/modules/services/policykit.te
@@ -68,9 +68,9 @@ miscfiles_read_localization(policykit_domain)
 # Local policy
 #
 
+allow policykit_t self:capability { dac_override dac_read_search setgid setuid 
sys_nice sys_ptrace };
 # for changing buffer sizes
 dontaudit policykit_t self:capability net_admin;
-allow policykit_t self:capability { dac_override dac_read_search setgid setuid 
sys_nice sys_ptrace };
 allow policykit_t self:process { getsched setsched signal };
 allow policykit_t self:unix_stream_socket { accept connectto listen };
 

diff --git a/policy/modules/services/postfix.te 
b/policy/modules/services/postfix.te
index 6fe06887..5c324bc7 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@@ -107,10 +107,9 @@ mta_mailserver_delivery(postfix_virtual_t)
 # Common postfix domain local policy
 #
 
-# for changing buffer sizes
-dontaudit postfix_domain self:capability net_admin;
 allow postfix_domain self:capability { sys_chroot sys_nice };
-dontaudit postfix_domain self:capability sys_tty_config;
+# net_admin for changing buffer sizes
+dontaudit postfix_domain self:capability { net_admin sys_tty_config };
 allow postfix_domain self:process { signal_perms setpgid setsched };
 allow postfix_domain self:fifo_file rw_fifo_file_perms;
 allow postfix_domain self:unix_stream_socket { accept connectto listen };



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2022-02-26 Thread Jason Zaman
commit: ea8252c7f327f34621e7d81da48fae7b7a5aede9
Author: Chris PeBenito  ieee  org>
AuthorDate: Wed Feb 16 12:03:34 2022 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Feb 27 02:13:17 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ea8252c7

postfix, spamassassin: Fix missed type renames after alias removals.

Signed-off-by: Chris PeBenito  ieee.org>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/services/postfix.if  | 4 ++--
 policy/modules/services/spamassassin.if | 8 
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/policy/modules/services/postfix.if 
b/policy/modules/services/postfix.if
index 42b96b36..847022bf 100644
--- a/policy/modules/services/postfix.if
+++ b/policy/modules/services/postfix.if
@@ -683,13 +683,13 @@ interface(`postfix_admin',`
type postfix_initrc_exec_t, postfix_prng_t, postfix_etc_t;
type postfix_data_t, postfix_runtime_t, postfix_public_t;
type postfix_private_t, postfix_map_tmp_t, postfix_exec_t;
-   type postfix_keytab_t, postfix_t;
+   type postfix_keytab_t, postfix_master_t;
')
 
allow $1 postfix_domain:process { ptrace signal_perms };
ps_process_pattern($1, postfix_domain)
 
-   init_startstop_service($1, $2, postfix_t, postfix_initrc_exec_t)
+   init_startstop_service($1, $2, postfix_master_t, postfix_initrc_exec_t)
 
files_search_etc($1)
admin_pattern($1, { postfix_prng_t postfix_etc_t postfix_exec_t 
postfix_keytab_t })

diff --git a/policy/modules/services/spamassassin.if 
b/policy/modules/services/spamassassin.if
index 9fbae73d..b530a76f 100644
--- a/policy/modules/services/spamassassin.if
+++ b/policy/modules/services/spamassassin.if
@@ -72,10 +72,10 @@ template(`spamassassin_role',`
 #
 interface(`spamassassin_run_update',`
gen_require(`
-   type spamd_gpg_t, spamd_update_exec_t, spamd_update_t;
+   type spamd_update_t, spamd_update_exec_t, spamd_update_t;
')
 
-   role $2 types { spamd_gpg_t spamd_update_t };
+   role $2 types { spamd_update_t spamd_update_t };
domtrans_pattern($1, spamd_update_exec_t, spamd_update_t)
 ')
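Review bot: The rename left spamd_update_t listed twice on both new lines: `type spamd_update_t, spamd_update_exec_t, spamd_update_t;` in gen_require and `role $2 types { spamd_update_t spamd_update_t };`. This reads like a mechanical spamd_gpg_t -> spamd_update_t substitution rather than an intended set; even if the policy compiler tolerates the duplicate, it looks like an unfinished rename to the next reader. Change them to `type spamd_update_t, spamd_update_exec_t;` and `role $2 types spamd_update_t;`.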
 
@@ -476,10 +476,10 @@ interface(`spamassassin_admin',`
type spamd_t, spamd_tmp_t, spamd_log_t;
type spamd_spool_t, spamd_var_lib_t, spamd_runtime_t;
type spamd_initrc_exec_t, spamassassin_unit_t;
-   type spamd_gpg_t, spamd_update_t, spamd_update_tmp_t;
+   type spamd_update_t, spamd_update_t, spamd_update_tmp_t;
')
 
-   admin_process_pattern($1, { spamd_t spamd_gpg_t spamd_update_t })
+   admin_process_pattern($1, { spamd_t spamd_update_t spamd_update_t })
 
init_startstop_service($1, $2, spamd_t, spamd_initrc_exec_t, 
spamassassin_unit_t)
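Review bot: The same duplication appears here: `type spamd_update_t, spamd_update_t, spamd_update_tmp_t;` and `admin_process_pattern($1, { spamd_t spamd_update_t spamd_update_t })` both name spamd_update_t twice where spamd_gpg_t used to be. Collapse them to `type spamd_update_t, spamd_update_tmp_t;` and `admin_process_pattern($1, { spamd_t spamd_update_t })` so the admin interface does not carry a leftover of the alias removal. The rest of spamassassin_admin continues outside the hunk.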
 



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2022-02-06 Thread Jason Zaman
commit: 08e6022ae0fe8d137a6946961c87ef9ef5208465
Author: Laurent Bigonville  bigon  be>
AuthorDate: Wed Feb  2 11:34:02 2022 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Mon Feb  7 02:09:50 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=08e6022a

container: On Debian, runc is installed in /usr/sbin

Signed-off-by: Laurent Bigonville  bigon.be>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/services/container.fc | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/services/container.fc 
b/policy/modules/services/container.fc
index ef5ad3b6..63f1537d 100644
--- a/policy/modules/services/container.fc
+++ b/policy/modules/services/container.fc
@@ -24,6 +24,8 @@ HOME_DIR/\.local/share/docker/volumes(/.*)?   
gen_context(system_u:object_r:conta
 /usr/lib/systemd/system/docker.*   --  
gen_context(system_u:object_r:container_unit_t,s0)
 /usr/lib/systemd/system/containerd.*   --  
gen_context(system_u:object_r:container_unit_t,s0)
 
+/usr/sbin/runc --  
gen_context(system_u:object_r:container_engine_exec_t,s0)
+
 /etc/containers(/.*)?  
gen_context(system_u:object_r:container_config_t,s0)
 /etc/cni(/.*)? gen_context(system_u:object_r:container_config_t,s0)
 /etc/docker(/.*)?  
gen_context(system_u:object_r:container_config_t,s0)



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2022-02-06 Thread Jason Zaman
commit: d2b6ae4f280b27859aeeda5c720a625297b72b2b
Author: Laurent Bigonville  bigon  be>
AuthorDate: Wed Feb  2 10:25:52 2022 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Mon Feb  7 02:09:50 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d2b6ae4f

docker: On debian dockerd and docker-proxy are in /usr/sbin

Signed-off-by: Laurent Bigonville  bigon.be>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/services/docker.fc | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/services/docker.fc 
b/policy/modules/services/docker.fc
index 577d148f..a5d0868e 100644
--- a/policy/modules/services/docker.fc
+++ b/policy/modules/services/docker.fc
@@ -6,3 +6,5 @@
 /usr/bin/containerd-shim-runc-v1   --  
gen_context(system_u:object_r:dockerd_exec_t,s0)
 /usr/bin/containerd-shim-runc-v2   --  
gen_context(system_u:object_r:dockerd_exec_t,s0)
 /usr/bin/containerd-stress --  
gen_context(system_u:object_r:dockerd_exec_t,s0)
+/usr/sbin/dockerd  --  gen_context(system_u:object_r:dockerd_exec_t,s0)
+/usr/sbin/docker-proxy --  gen_context(system_u:object_r:dockerd_exec_t,s0)



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2022-02-06 Thread Jason Zaman
commit: 9fe987d0d2703cbfec2a88e4a559bc83fdd15fcb
Author: Jonathan Davies  protonmail  com>
AuthorDate: Fri Jan 28 00:22:55 2022 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Mon Feb  7 02:07:41 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9fe987d0

node_exporter: Added initial policy.

Signed-off-by: Jonathan Davies  protonmail.com>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/services/node_exporter.fc |  6 +++
 policy/modules/services/node_exporter.if |  1 +
 policy/modules/services/node_exporter.te | 73 
 3 files changed, 80 insertions(+)

diff --git a/policy/modules/services/node_exporter.fc 
b/policy/modules/services/node_exporter.fc
new file mode 100644
index ..f2527d15
--- /dev/null
+++ b/policy/modules/services/node_exporter.fc
@@ -0,0 +1,6 @@
+/run/node_exporter\.pid--  
gen_context(system_u:object_r:node_exporter_runtime_t,s0)
+
+/usr/sbin/node_exporter--  
gen_context(system_u:object_r:node_exporter_exec_t,s0)
+
+/var/lib/node_exporter(/.*)?   
gen_context(system_u:object_r:node_exporter_var_lib_t,s0)
+/var/log/node_exporter(/.*)?   
gen_context(system_u:object_r:node_exporter_log_t,s0)

diff --git a/policy/modules/services/node_exporter.if 
b/policy/modules/services/node_exporter.if
new file mode 100644
index ..0cceb87e
--- /dev/null
+++ b/policy/modules/services/node_exporter.if
@@ -0,0 +1 @@
+## Prometheus Node Exporter

diff --git a/policy/modules/services/node_exporter.te 
b/policy/modules/services/node_exporter.te
new file mode 100644
index ..7b74a327
--- /dev/null
+++ b/policy/modules/services/node_exporter.te
@@ -0,0 +1,73 @@
+policy_module(node_exporter)
+
+
+#
+# Declarations
+#
+
+type node_exporter_t;
+type node_exporter_exec_t;
+init_daemon_domain(node_exporter_t, node_exporter_exec_t)
+
+type node_exporter_runtime_t;
+files_runtime_file(node_exporter_runtime_t)
+
+type node_exporter_var_lib_t;
+files_type(node_exporter_var_lib_t)
+
+type node_exporter_log_t;
+logging_log_file(node_exporter_log_t)
+
+
+#
+# Local policy
+#
+
+allow node_exporter_t self:fifo_file rw_fifo_file_perms;
+allow node_exporter_t self:process { getsched signal };
+allow node_exporter_t self:netlink_route_socket r_netlink_socket_perms;
+allow node_exporter_t self:tcp_socket create_stream_socket_perms;
+allow node_exporter_t self:udp_socket create_socket_perms;
+
+manage_files_pattern(node_exporter_t, node_exporter_runtime_t, 
node_exporter_runtime_t)
+files_runtime_filetrans(node_exporter_t, node_exporter_runtime_t, file)
+
+manage_dirs_pattern(node_exporter_t, node_exporter_var_lib_t, 
node_exporter_var_lib_t)
+manage_files_pattern(node_exporter_t, node_exporter_var_lib_t, 
node_exporter_var_lib_t)
+files_var_lib_filetrans(node_exporter_t, node_exporter_var_lib_t, { dir file })
+
+append_files_pattern(node_exporter_t, node_exporter_log_t, node_exporter_log_t)
+create_files_pattern(node_exporter_t, node_exporter_log_t, node_exporter_log_t)
+setattr_files_pattern(node_exporter_t, node_exporter_log_t, 
node_exporter_log_t)
+logging_log_filetrans(node_exporter_t, node_exporter_log_t, { dir file })
+
+# Also uses port 9100
+corenet_tcp_bind_hplip_port(node_exporter_t)
+corenet_tcp_bind_generic_node(node_exporter_t)
+
+dev_read_sysfs(node_exporter_t)
+
+fs_getattr_all_fs(node_exporter_t)
+
+init_read_state(node_exporter_t)
+
+kernel_read_fs_sysctls(node_exporter_t)
+kernel_read_kernel_sysctls(node_exporter_t)
+kernel_read_net_sysctls(node_exporter_t)
+kernel_read_network_state(node_exporter_t)
+kernel_read_software_raid_state(node_exporter_t)
+kernel_read_system_state(node_exporter_t)
+
+ifdef(`init_systemd',`
+   dbus_system_bus_client(node_exporter_t)
+
+   init_dbus_chat(node_exporter_t)
+   init_get_all_units_status(node_exporter_t)
+   init_get_system_status(node_exporter_t)
+')
+
+optional_policy(`
+   kernel_read_rpc_sysctls(node_exporter_t)
+
+   rpc_search_nfs_state_data(node_exporter_t)
+')
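Review bot: `corenet_tcp_bind_hplip_port(node_exporter_t)` grants bind on the whole hplip_port_t label, which in corenetwork covers more than TCP 9100 (the exact port set is defined outside this patch), so the exporter can also bind the other printer-related ports carrying that label. If a dedicated port type is not worth adding yet, the comment should say so rather than just "Also uses port 9100", e.g. `# default listen port 9100 carries hplip_port_t (shared with JetDirect); no dedicated port type yet`. Separately, `kernel_read_rpc_sysctls(node_exporter_t)` is a kernel-module interface like the kernel_read_* calls above it and does not need to sit inside the optional_policy block, which should wrap only `rpc_search_nfs_state_data(node_exporter_t)`.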



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2022-01-31 Thread Jason Zaman
commit: 9a6e04ea1f7da6812ea463bd509862a77f0da623
Author: Kenton Groombridge  concord  sh>
AuthorDate: Sun Jan 30 23:09:12 2022 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Mon Jan 31 17:55:20 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9a6e04ea

docker: add missing call to init_daemon_domain()

Signed-off-by: Kenton Groombridge  concord.sh>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/services/docker.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/services/docker.te 
b/policy/modules/services/docker.te
index bb5eeb49..7a657e15 100644
--- a/policy/modules/services/docker.te
+++ b/policy/modules/services/docker.te
@@ -10,6 +10,7 @@ container_system_engine(dockerd_t)
 type dockerd_exec_t;
 container_engine_executable_file(dockerd_exec_t)
 application_domain(dockerd_t, dockerd_exec_t)
+init_daemon_domain(dockerd_t, dockerd_exec_t)
 ifdef(`enable_mls',`
init_ranged_daemon_domain(dockerd_t, dockerd_exec_t, s0 - 
mls_systemhigh)
 ')



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2022-01-29 Thread Jason Zaman
commit: 1841ac553d3131121749274fe165af7af8d6865d
Author: Kenton Groombridge  concord  sh>
AuthorDate: Fri Jan 21 19:03:38 2022 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Jan 30 01:15:06 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1841ac55

docker: call rootlesskit access in docker access

Signed-off-by: Kenton Groombridge  concord.sh>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/services/docker.if | 4 
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/services/docker.if 
b/policy/modules/services/docker.if
index 6460ed6e..c3ac8174 100644
--- a/policy/modules/services/docker.if
+++ b/policy/modules/services/docker.if
@@ -178,6 +178,8 @@ template(`docker_user_role',`
docker_run_user_daemon($3, $4)
docker_run_user_cli($3, $4)
 
+   rootlesskit_role($1, $2, $3, $4)
+
ifdef(`init_systemd',`
systemd_user_daemon_domain($1, dockerd_exec_t, dockerd_user_t)
systemd_user_send_systemd_notify($1, dockerd_user_t)
@@ -226,4 +228,6 @@ interface(`docker_signal_user_daemon',`
 #
 interface(`docker_admin',`
docker_run_cli($1, $2)
+
+   rootlesskit_run($1, $2)
 ')
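Review bot: `rootlesskit_run($1, $2)` in docker_admin (and `rootlesskit_role(...)` in the docker_user_role hunk above) are called unconditionally, so as far as this diff shows the docker module will no longer build when the rootlesskit module is not part of the policy. If rootless support is meant to be optional for system-only docker installs, wrap the call: `optional_policy(\`rootlesskit_run($1, $2)')`. If it is a deliberate hard dependency, a one-line comment saying so on the new line would stop the next reader from "fixing" it.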



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2022-01-29 Thread Jason Zaman
commit: 362646fea58e06a59f257c4c0f7e96cfd3105de6
Author: Kenton Groombridge  concord  sh>
AuthorDate: Tue Jan 11 20:56:38 2022 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Jan 30 01:15:06 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=362646fe

rootlesskit: new policy module

Rootlesskit is required by rootless docker

Signed-off-by: Kenton Groombridge  concord.sh>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/services/rootlesskit.fc |   3 +
 policy/modules/services/rootlesskit.if | 106 +
 policy/modules/services/rootlesskit.te |  43 +
 3 files changed, 152 insertions(+)

diff --git a/policy/modules/services/rootlesskit.fc 
b/policy/modules/services/rootlesskit.fc
new file mode 100644
index ..613ebd9b
--- /dev/null
+++ b/policy/modules/services/rootlesskit.fc
@@ -0,0 +1,3 @@
+/usr/bin/rootlesskit   --  
gen_context(system_u:object_r:rootlesskit_exec_t,s0)
+/usr/bin/rootlessctl   --  
gen_context(system_u:object_r:rootlesskit_exec_t,s0)
+/usr/bin/rootlesskit-docker-proxy  --  
gen_context(system_u:object_r:rootlesskit_exec_t,s0)

diff --git a/policy/modules/services/rootlesskit.if 
b/policy/modules/services/rootlesskit.if
new file mode 100644
index ..2be598d7
--- /dev/null
+++ b/policy/modules/services/rootlesskit.if
@@ -0,0 +1,106 @@
+## Policy for RootlessKit
+
+
+## 
+## Execute rootlesskit in the caller domain.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`rootlesskit_exec',`
+   gen_require(`
+   type rootlesskit_exec_t;
+   ')
+
+   can_exec($1, rootlesskit_exec_t)
+')
+
+
+## 
+## Execute rootlesskit in the rootlesskit domain.
+## 
+## 
+## 
+## Domain allowed to transition.
+## 
+## 
+#
+interface(`rootlesskit_domtrans',`
+   gen_require(`
+   type rootlesskit_t, rootlesskit_exec_t;
+   ')
+
+   corecmd_search_bin($1)
+   domtrans_pattern($1, rootlesskit_exec_t, rootlesskit_t)
+')
+
+
+## 
+## Execute rootlesskit in the rootlesskit
+## domain, and allow the specified role
+## the rootlesskit domain.
+## 
+## 
+## 
+## Domain allowed to transition.
+## 
+## 
+## 
+## 
+## The role to be allowed the rootlesskit domain.
+## 
+## 
+#
+interface(`rootlesskit_run',`
+   gen_require(`
+   type rootlesskit_t;
+   ')
+
+   role $2 types rootlesskit_t;
+
+   rootlesskit_domtrans($1)
+')
+
+
+## 
+## Role access for rootlesskit.
+## 
+## 
+## 
+## The prefix of the user role (e.g., user
+## is the prefix for user_r).
+## 
+## 
+## 
+## 
+## User domain for the role.
+## 
+## 
+## 
+## 
+## User exec domain for execute and transition access.
+## 
+## 
+## 
+## 
+## Role allowed access.
+## 
+## 
+## 
+#
+template(`rootlesskit_role',`
+   gen_require(`
+   type rootlesskit_t;
+   type rootlesskit_exec_t;
+   ')
+
+   rootlesskit_run($3, $4)
+
+   optional_policy(`
+   systemd_user_daemon_domain($1, rootlesskit_exec_t, 
rootlesskit_t)
+   ')
+')
+

diff --git a/policy/modules/services/rootlesskit.te 
b/policy/modules/services/rootlesskit.te
new file mode 100644
index ..31168801
--- /dev/null
+++ b/policy/modules/services/rootlesskit.te
@@ -0,0 +1,43 @@
+policy_module(rootlesskit)
+
+
+#
+# Declarations
+#
+
+container_engine_domain_template(rootlesskit)
+type rootlesskit_exec_t;
+container_user_engine(rootlesskit_t)
+application_domain(rootlesskit_t, rootlesskit_exec_t)
+mls_trusted_object(rootlesskit_t)
+
+
+#
+# Rootlesskit local policy
+#
+
+# rootlesskit fails without this access
+allow rootlesskit_t self:tun_socket { relabelfrom relabelto };
+
+can_exec(rootlesskit_t, rootlesskit_exec_t)
+
+domain_use_interactive_fds(rootlesskit_t)
+
+# any dir not readable or file not stat-able causes rootlesskit to hang
+# when --copy-up would access it; the below rules cover at least the
+# access needed for rootless docker (copying /etc and /run)
+files_list_all(rootlesskit_t)
+files_getattr_all_files(rootlesskit_t)
+files_getattr_all_pipes(rootlesskit_t)
+files_getattr_all_sockets(rootlesskit_t)
+
+kernel_read_sysctl(rootlesskit_t)
+
+auth_use_nsswitch(rootlesskit_t)
+
+userdom_exec_user_bin_files(rootlesskit_t)
+
+optional_policy(`
+   dbus_list_system_bus_runtime(rootlesskit_t)
+   dbus_system_bus_client(rootlesskit_t)
+')
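Review bot: `mls_trusted_object(rootlesskit_t)` carries no comment explaining why a user-launched engine must be exempt from MLS object constraints, and in this policy such exemptions are normally justified inline; the `tun_socket { relabelfrom relabelto }` rule is similarly justified only by "fails without this access". Add the actual reason on each, e.g. `# rootless docker in the user namespace relabels the tap/tun socket it inherits — TODO confirm` only if that is what was observed, and if no cross-level access is actually needed drop the mls_trusted_object call until it is. The `files_list_all`/`files_getattr_all_*` block explains itself via the --copy-up note, but since the comment says the need is /etc and /run, it is worth stating whether narrower list interfaces were tried and rejected.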



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2022-01-29 Thread Jason Zaman
commit: 16711830e9075fd6d36b32875cde26c286a98b5d
Author: Kenton Groombridge  concord  sh>
AuthorDate: Mon Jan 24 16:08:50 2022 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Jan 30 01:15:06 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=16711830

container: allow containers to getsession

Found to be required by a jellyfin container when testing.

Signed-off-by: Kenton Groombridge  concord.sh>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/services/container.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/services/container.te 
b/policy/modules/services/container.te
index 1291768c..d5f79b15 100644
--- a/policy/modules/services/container.te
+++ b/policy/modules/services/container.te
@@ -150,7 +150,7 @@ corenet_port(container_port_t)
 
 allow container_domain self:capability { dac_override kill setgid setuid 
sys_boot sys_chroot };
 allow container_domain self:cap_userns { chown dac_override fowner setgid 
setuid };
-allow container_domain self:process { execstack execmem getattr signal_perms 
getsched setsched setcap setpgid };
+allow container_domain self:process { execstack execmem getattr getsched 
getsession setsched setcap setpgid signal_perms };
 allow container_domain self:fifo_file manage_fifo_file_perms;
 allow container_domain self:sem create_sem_perms;
 allow container_domain self:shm create_shm_perms;



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2022-01-29 Thread Jason Zaman
commit: dbbe51a3b5cddeb4105fffecc3c29be701b10360
Author: Kenton Groombridge  concord  sh>
AuthorDate: Tue Jan 11 19:15:24 2022 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Jan 30 01:15:06 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=dbbe51a3

container, docker, rootlesskit: add support for rootless docker

Rootless docker runs as root in a user namespace. Because of this,
rootless docker containers will run as spc_user_t as docker cannot be
SELinux-aware in its own container.

Signed-off-by: Kenton Groombridge  concord.sh>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/services/container.fc   |   8 ++
 policy/modules/services/container.if   |  59 
 policy/modules/services/docker.if  | 160 +
 policy/modules/services/docker.te  |  82 +
 policy/modules/services/rootlesskit.te |   3 +
 5 files changed, 312 insertions(+)

diff --git a/policy/modules/services/container.fc 
b/policy/modules/services/container.fc
index 524ccedb..ef5ad3b6 100644
--- a/policy/modules/services/container.fc
+++ b/policy/modules/services/container.fc
@@ -9,6 +9,14 @@ 
HOME_DIR/\.local/share/containers/storage/overlay2-layers(/.*)?
gen_context(sys
 HOME_DIR/\.local/share/containers/storage/overlay-images(/.*)? 
gen_context(system_u:object_r:container_ro_file_t,s0)
 HOME_DIR/\.local/share/containers/storage/overlay2-images(/.*)?
gen_context(system_u:object_r:container_ro_file_t,s0)
 HOME_DIR/\.local/share/containers/storage/volumes/[^/]+/.* 
gen_context(system_u:object_r:container_file_t,s0)
+HOME_DIR/\.local/share/docker(/.*)?
gen_context(system_u:object_r:container_data_home_t,s0)
+HOME_DIR/\.local/share/docker/.*/config\.env   --  
gen_context(system_u:object_r:container_ro_file_t,s0)
+HOME_DIR/\.local/share/docker/containers/.*/.*\.log--  
gen_context(system_u:object_r:container_log_t,s0)
+HOME_DIR/\.local/share/docker/containers/.*/hostname   --  
gen_context(system_u:object_r:container_ro_file_t,s0)
+HOME_DIR/\.local/share/docker/containers/.*/hosts  --  
gen_context(system_u:object_r:container_ro_file_t,s0)
+HOME_DIR/\.local/share/docker/init(/.*)?   
gen_context(system_u:object_r:container_ro_file_t,s0)
+HOME_DIR/\.local/share/docker/fuse-overlayfs(/.*)? 
gen_context(system_u:object_r:container_ro_file_t,s0)
+HOME_DIR/\.local/share/docker/volumes(/.*)?
gen_context(system_u:object_r:container_file_t,s0)
 
 /usr/bin/crun  --  
gen_context(system_u:object_r:container_engine_exec_t,s0)
 /usr/bin/runc  --  
gen_context(system_u:object_r:container_engine_exec_t,s0)

diff --git a/policy/modules/services/container.if 
b/policy/modules/services/container.if
index 28699f52..e9217f63 100644
--- a/policy/modules/services/container.if
+++ b/policy/modules/services/container.if
@@ -619,6 +619,28 @@ interface(`container_stream_connect_system_containers',`
allow $1 container_runtime_t:sock_file read_sock_file_perms;
 ')
 
+
+## 
+## Connect to a user container domain
+## over a unix stream socket.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`container_stream_connect_user_containers',`
+   gen_require(`
+   attribute container_user_domain;
+   type container_runtime_t;
+   ')
+
+   files_search_runtime($1)
+   stream_connect_pattern($1, container_runtime_t, container_runtime_t, 
container_user_domain)
+   allow $1 container_runtime_t:sock_file read_sock_file_perms;
+')
+
 
 ## 
 ## Connect to a container domain
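Review bot: `container_stream_connect_user_containers` searches /run and connects through container_runtime_t directories and sockets, the same type the system-container variant uses, while the same commit introduces container_user_runtime_t and a `container_rw_user_runtime_sock_files` interface for user-side sockets. If user containers create their listening sockets under container_user_runtime_t (this patch does not show where they are created), callers of this interface will still be denied, and the body should probably be `stream_connect_pattern($1, container_user_runtime_t, container_user_runtime_t, container_user_domain)` with the matching `allow $1 container_user_runtime_t:sock_file read_sock_file_perms;`. Please confirm which type the user-side socket actually carries before changing it.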
@@ -661,6 +683,24 @@ interface(`container_signal_all_containers',`
allow $1 container_domain:process signal_perms;
 ')
 
+
+## 
+## Set the attributes of container ptys.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`container_setattr_container_ptys',`
+   gen_require(`
+   type container_devpts_t;
+   ')
+
+   allow $1 container_devpts_t:chr_file setattr;
+')
+
 
 ## 
 ## Read and write container ptys.
@@ -1156,6 +1196,25 @@ interface(`container_manage_user_runtime_files',`
manage_files_pattern($1, container_user_runtime_t, 
container_user_runtime_t)
 ')
 
+
+## 
+## Allow the specified domain to read and
+## write user runtime container named sockets.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`container_rw_user_runtime_sock_files',`
+   gen_require(`
+   type container_user_runtime_t;
+   ')
+
+   allow $1 container_user_runtime_t:sock_file rw_sock_file_perms;
+')
+
 
 ## 
 ## Allow 
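Review bot: `container_rw_user_runtime_sock_files` grants only `sock_file rw_sock_file_perms` on container_user_runtime_t with no search on the directory holding the socket, unlike the sibling `container_manage_user_runtime_files` just above it, which goes through a *_pattern macro and therefore includes the directory search. Unless every caller already searches container_user_runtime_t directories, replace the allow with `rw_sock_files_pattern($1, container_user_runtime_t, container_user_runtime_t)` so the directory access comes with it.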

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/

2022-01-29 Thread Jason Zaman
commit: 12977dbcd922fd1bc6175ed523033d08133e7718
Author: Kenton Groombridge  concord  sh>
AuthorDate: Fri Dec 31 19:47:00 2021 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Jan 30 01:12:42 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=12977dbc

container, podman: add policy for conmon

Make conmon run in a separate domain and allow podman types to
transition to it.

Signed-off-by: Kenton Groombridge  concord.sh>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/services/container.if | 406 +++
 policy/modules/services/podman.fc|   1 +
 policy/modules/services/podman.if|  98 +
 policy/modules/services/podman.te| 162 +-
 4 files changed, 665 insertions(+), 2 deletions(-)

diff --git a/policy/modules/services/container.if 
b/policy/modules/services/container.if
index 92b5a2f7..1c1950c7 100644
--- a/policy/modules/services/container.if
+++ b/policy/modules/services/container.if
@@ -356,6 +356,52 @@ interface(`container_engine_executable_file',`
application_executable_file($1)
 ')
 
+
+## 
+## Execute a generic container engine
+## executable with an automatic transition
+## to a private type.
+## 
+## 
+## 
+## Domain allowed to transition.
+## 
+## 
+## 
+## 
+## The type of the new process.
+## 
+## 
+#
+interface(`container_generic_engine_domtrans',`
+   gen_require(`
+   type container_engine_exec_t;
+   ')
+
+   corecmd_search_bin($1)
+   domtrans_pattern($1, container_engine_exec_t, $2)
+')
+
+
+## 
+## Allow the generic container engine
+## executables to be an entrypoint
+## for the specified domain.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`container_engine_executable_entrypoint',`
+   gen_require(`
+   type container_engine_exec_t;
+   ')
+
+   allow $1 container_engine_exec_t:file entrypoint;
+')
+
 
 ## 
 ## Send and receive messages from
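Review bot: `container_engine_executable_entrypoint` duplicates access that `domtrans_pattern` already hands to the target domain in `container_generic_engine_domtrans` just above it, so its documentation should say which callers it is for — presumably domains that enter the engine executable by some route other than an automatic transition (setexec or a dyntransition), which this patch does not show. A summary along the lines of "Allow the engine executables to be an entrypoint for the domain; only needed when the domain is not entered via container_generic_engine_domtrans" would keep the two interfaces from being used interchangeably. Also note that the "generic" domtrans lets any module pick an arbitrary `$2` as the new domain for crun/runc execution, which is fine for a pattern-style interface but worth stating in the `$2` parameter description.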
@@ -377,6 +423,115 @@ interface(`container_engine_dbus_chat',`
allow container_engine_domain $1:dbus send_msg;
 ')
 
+
+## 
+## Allow the specified domain to manage
+## container engine temporary files.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`container_manage_engine_tmp_files',`
+   gen_require(`
+   type container_engine_tmp_t;
+   ')
+
+   files_search_tmp($1)
+   allow $1 container_engine_tmp_t:file manage_file_perms;
+')
+
+
+## 
+## Allow the specified domain to manage
+## container engine temporary named sockets.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`container_manage_engine_tmp_sock_files',`
+   gen_require(`
+   type container_engine_tmp_t;
+   ')
+
+   files_search_tmp($1)
+   allow $1 container_engine_tmp_t:sock_file manage_sock_file_perms;
+')
+
+
+## 
+## Allow the specified domain to create
+## objects in generic temporary directories
+## with an automatic type transition to
+## the container engine temporary file type.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+## 
+## 
+## The object class of the object being created.
+## 
+## 
+## 
+## 
+## The name of the object being created.
+## 
+## 
+#
+interface(`container_engine_tmp_filetrans',`
+   gen_require(`
+   type container_engine_tmp_t;
+   ')
+
+   files_tmp_filetrans($1, container_engine_tmp_t, $2, $3)
+')
+
+
+## 
+## Read the process state (/proc/pid)
+## of all system containers.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`container_read_system_container_state',`
+   gen_require(`
+   attribute container_system_domain;
+   ')
+
+   ps_process_pattern($1, container_system_domain)
+')
+
+
+## 
+## Read the process state (/proc/pid)
+## of all user containers.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`container_read_user_container_state',`
+   gen_require(`
+   attribute container_user_domain;
+   ')
+
+   ps_process_pattern($1, container_user_domain)
+')
+
 
 ## 
 ## All of the permissions necessary
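Review bot: `container_manage_engine_tmp_files` and `container_manage_engine_tmp_sock_files` pair `files_search_tmp($1)` with a bare `allow $1 container_engine_tmp_t:{file,sock_file} manage_*_perms`, so they only work if the engine's temporary objects sit directly in a generic tmp directory; if they live inside a container_engine_tmp_t directory (the patch does not show the filetrans callers), the caller also needs search on that directory. Using `manage_files_pattern($1, container_engine_tmp_t, container_engine_tmp_t)` and `manage_sock_files_pattern($1, container_engine_tmp_t, container_engine_tmp_t)` would cover both layouts without widening the grant. Please check where conmon/podman actually create these objects before deciding.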
@@ -611,6 +766,25 @@ interface(`container_manage_sock_files',`
manage_sock_files_pattern($1, container_file_t, container_file_t)
 ')
 
+
+## 
+## Allow the specified domain to read
+## and write container chr files.
+## 
+## 
+## 
