[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/admin/
commit: 003b8d3e23a2a6b33501dfd95e55c08c22ea81c5 Author: Dave Sugar gmail com> AuthorDate: Thu Sep 12 19:31:16 2024 + Commit: Jason Zaman gentoo org> CommitDate: Sat Sep 21 22:28:30 2024 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=003b8d3e Additional permissions when fapolicyd.conf more strict When fapolicyd is configured with allow_filesystem_mark = 1 it watches filesystems and mount points. When fapolicyd is configured with integrity = sha256 it mmaps files to compute their hash. node=localhost type=AVC msg=audit(1726153668.013:418): avc: denied { watch } for pid=1561 comm="fapolicyd" path="/dev/shm" dev="tmpfs" ino=1 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0 node=localhost type=AVC msg=audit(1726154081.718:403): avc: denied { watch } for pid=1598 comm="fapolicyd" path="/" dev="dm-1" ino=2 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1 node=localhost type=AVC msg=audit(1726154081.718:403): avc: denied { watch_sb } for pid=1598 comm="fapolicyd" path="/" dev="dm-1" ino=2 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1 node=localhost type=AVC msg=audit(1726154081.718:402): avc: denied { watch_sb } for pid=1598 comm="fapolicyd" path="/dev/shm" dev="tmpfs" ino=1 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1 node=localhost type=AVC msg=audit(1726154081.721:404): avc: denied { watch_sb } for pid=1598 comm="fapolicyd" path="/boot" dev="sda2" ino=128 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=dir permissive=1 node=localhost type=AVC msg=audit(1726154081.722:406): avc: denied { watch_sb } for pid=1598 comm="fapolicyd" path="/var" dev="dm-9" ino=2 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=1 node=localhost type=AVC 
msg=audit(1726154706.227:415): avc: denied { map } for pid=1594 comm="fapolicyd" path="/usr/bin/kmod" dev="dm-1" ino=14600 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:kmod_exec_t:s0 tclass=file permissive=0 node=localhost type=AVC msg=audit(1726154743.367:999): avc: denied { map } for pid=1594 comm="fapolicyd" path="/usr/lib/systemd/systemd" dev="dm-1" ino=17564 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:init_exec_t:s0 tclass=file permissive=0 node=localhost type=AVC msg=audit(1726154743.403:1030): avc: denied { map } for pid=1594 comm="fapolicyd" path="/usr/bin/bash" dev="dm-1" ino=3571 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0 node=localhost type=AVC msg=audit(1726154807.975:476): avc: denied { map } for pid=1599 comm="fapolicyd" path="/usr/lib/systemd/user-environment-generators/30-systemd-environment-d-generator" dev="dm-1" ino=17589 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:systemd_generator_exec_t:s0 tclass=file permissive=1 Signed-off-by: Dave Sugar gmail.com> Signed-off-by: Jason Zaman gentoo.org> policy/modules/admin/fapolicyd.te | 4 +++- policy/modules/kernel/files.if | 42 + policy/modules/kernel/filesystem.if | 19 + 3 files changed, 64 insertions(+), 1 deletion(-) diff --git a/policy/modules/admin/fapolicyd.te b/policy/modules/admin/fapolicyd.te index 2e716c1aa..ba69a4d55 100644 --- a/policy/modules/admin/fapolicyd.te +++ b/policy/modules/admin/fapolicyd.te 
@@ -70,14 +70,16 @@ kernel_read_kernel_sysctls(fapolicyd_t) domain_read_all_domains_state(fapolicyd_t) -files_read_all_files(fapolicyd_t) +files_mmap_read_all_files(fapolicyd_t) files_read_all_symlinks(fapolicyd_t) files_runtime_filetrans(fapolicyd_t, fapolicyd_runtime_t, { file fifo_file }) files_map_usr_files(fapolicyd_t) files_watch_all_mountpoints(fapolicyd_t) files_watch_all_mount_perm(fapolicyd_t) +files_watch_all_mount_sb(fapolicyd_t) fs_getattr_xattr_fs(fapolicyd_t) +fs_watch_all_fs(fapolicyd_t) logging_log_filetrans(fapolicyd_t, fapolicyd_log_t, file) logging_send_syslog_msg(fapolicyd_t) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index b82a03db5..778e82713 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -736,6 +736,30 @@ interface(`files_read_all_files',` ') ') + +## +## Read and memory map all files. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_mmap_read_all_files',` + gen_require(` + attribute file_type; + ') + + allow $1 file_type:dir list_dir_perms; + mmap_read_files_pattern($1, file_type, file_type) + + optional_policy(` + au
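Review bot: The swap from files_read_all_files to files_mmap_read_all_files in the fapolicyd.te hunk adds `map` on every file_type, while the four map denials quoted in the description are all on executable types (kmod_exec_t, init_exec_t, shell_exec_t, systemd_generator_exec_t); if the new interface mirrors files_read_all_files it presumably reaches security-sensitive types as well, so the width should be justified in place with a comment such as `# integrity = sha256: fapolicyd mmap()s files to hash them`. The two watch additions (files_watch_all_mount_sb, fs_watch_all_fs) likewise deserve a pointer to the option that needs them: `# allow_filesystem_mark = 1: fanotify marks on filesystems and mount points`. The files.if hunk that defines files_mmap_read_all_files ends outside this chunk, so its optional_policy tail could not be reviewed here.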
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/
commit: c0cd142f78e3bf2ed7a83595f3bbee985b00234a Author: Yi Zhao windriver com> AuthorDate: Fri Aug 30 03:46:34 2024 + Commit: Jason Zaman gentoo org> CommitDate: Sat Sep 21 22:28:29 2024 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c0cd142f devices: add label vsock_device_t for /dev/vsock Vsock is a Linux socket family designed to allow communication between a VM and its hypervisor. Add a new label vsock_device_t for vsock device. Signed-off-by: Yi Zhao windriver.com> Signed-off-by: Jason Zaman gentoo.org> policy/modules/kernel/devices.fc | 1 + policy/modules/kernel/devices.if | 54 policy/modules/kernel/devices.te | 6 + 3 files changed, 61 insertions(+) diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc index fb3010308..5d7d2a4c1 100644 --- a/policy/modules/kernel/devices.fc +++ b/policy/modules/kernel/devices.fc @@ -134,6 +134,7 @@ ifdef(`distro_suse', ` ') /dev/vbi.* -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/vbox.*-c gen_context(system_u:object_r:xserver_misc_device_t,s0) +/dev/vsock -c gen_context(system_u:object_r:vsock_device_t,s0) /dev/vfio/.+ -c gen_context(system_u:object_r:vfio_device_t,s0) /dev/vga_arbiter -c gen_context(system_u:object_r:xserver_misc_device_t,s0) /dev/vhci -c gen_context(system_u:object_r:vhost_device_t,s0) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if index aabc1b8e7..930f164e9 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if 
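Review bot: The new `/dev/vsock` line in the devices.fc hunk is inserted between the vbox and vfio entries, which breaks the alphabetical order the surrounding block keeps (vfio, vga_arbiter, vhci follow it); it belongs after the vhost/vmware entries, which is where the devices.if and devices.te hunks of this commit place their vsock additions. This is a style point only: the path is a literal, so its position should not change which file_contexts entry matches.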
@@ -5556,6 +5556,60 @@ interface(`dev_rwx_vmware',` allow $1 vmware_device_t:chr_file { execute map }; ') + +## +## Read the vsock device. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_read_vsock',` + gen_require(` + type device_t, vsock_device_t; + ') + + read_chr_files_pattern($1, device_t, vsock_device_t) +') + + +## +## Write the vsock device. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_write_vsock',` + gen_require(` + type device_t, vsock_device_t; + ') + + write_chr_files_pattern($1, device_t, vsock_device_t) +') + + +## +## Read and write the vsock device. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_rw_vsock',` + gen_require(` + type device_t, vsock_device_t; + ') + + rw_chr_files_pattern($1, device_t, vsock_device_t) +') + ## ## Read from watchdog devices. diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te index c06a77ade..255a30b09 100644 --- a/policy/modules/kernel/devices.te +++ b/policy/modules/kernel/devices.te @@ -402,6 +402,12 @@ dev_node(vhost_device_t) type vmware_device_t; dev_node(vmware_device_t) +# +# vsock_device_t is the type for /dev/vsock +# +type vsock_device_t; +dev_node(vsock_device_t) + type watchdog_device_t; dev_node(watchdog_device_t)
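Review bot: The three dev_*_vsock interfaces in the devices.if hunk grant chr_file access to the device node only, and nothing in their descriptions says so; a domain that actually talks over AF_VSOCK is, as far as I know, governed by the separate vsock_socket object class, which these interfaces correctly do not touch. A line in each description such as `## Access to the /dev/vsock node only; AF_VSOCK sockets are controlled by the vsock_socket class.` would save callers a round of denials. The block comment in the devices.te hunk could similarly record that /dev/vsock is the control node (used for local CID lookup) rather than the socket transport itself — TODO confirm against the kernel documentation.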
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/, policy/modules/services/
commit: 5a4608dfd87f63d1c61c5105f52dd70af5217bd0 Author: Kenton Groombridge gentoo org> AuthorDate: Mon May 6 21:46:06 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Tue May 14 17:41:54 2024 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5a4608df various: various fixes Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/kernel/devices.if | 19 +++ policy/modules/services/kubernetes.te | 2 ++ policy/modules/system/authlogin.if| 3 +++ policy/modules/system/authlogin.te| 1 + policy/modules/system/raid.te | 3 ++- policy/modules/system/selinuxutil.te | 1 + 6 files changed, 28 insertions(+), 1 deletion(-) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if index 344d858cf..c7af194b1 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -2897,6 +2897,25 @@ interface(`dev_delete_lvm_control_dev',` delete_chr_files_pattern($1, device_t, lvm_control_t) ') + +## +## Do not audit attempts to read and write the +## Intel Management Engine Interface device. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_dontaudit_rw_mei',` + gen_require(` + type mei_device_t; + ') + + dontaudit $1 mei_device_t:chr_file rw_chr_file_perms; +') + ## ## dontaudit getattr raw memory devices (e.g. /dev/mem). diff --git a/policy/modules/services/kubernetes.te b/policy/modules/services/kubernetes.te index 3ba666299..839635026 100644 --- a/policy/modules/services/kubernetes.te +++ b/policy/modules/services/kubernetes.te @@ -618,6 +618,8 @@ userdom_use_user_terminals(kubectl_domain) # kubectl local policy # +dontaudit kubectl_t self:capability { sys_admin sys_resource }; + kernel_dontaudit_getattr_proc(kubectl_t) auth_use_nsswitch(kubectl_t) diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if index a91ab7acb..a90ebb3db 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if 
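Review bot: The `dontaudit kubectl_t self:capability { sys_admin sys_resource };` line in the kubernetes.te hunk carries no comment on what triggers the attempt, and the same applies to the matching semanage_t line in the selinuxutil.te hunk later in this commit. A dontaudit on sys_admin hides any later genuine need for, or misuse of, that capability from the audit trail, so the rationale should be recorded next to the rule, e.g. `# silenced: <reason taken from the triggering AVC — fill in>`. The commit message "various fixes" gives no hint either.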
@@ -105,6 +105,9 @@ interface(`auth_use_pam_systemd',` systemd_connect_machined($1) systemd_dbus_chat_logind($1) systemd_read_logind_state($1) + + # to read /etc/machine-id + files_read_etc_runtime_files($1) ') diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te index 9920ea699..14d2774a1 100644 --- a/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te @@ -142,6 +142,7 @@ term_dontaudit_use_all_ptys(chkpwd_t) auth_read_shadow_history(chkpwd_t) auth_use_nsswitch(chkpwd_t) +auth_use_pam_systemd(chkpwd_t) logging_send_audit_msgs(chkpwd_t) logging_send_syslog_msg(chkpwd_t) diff --git a/policy/modules/system/raid.te b/policy/modules/system/raid.te index c8db38261..e5e649f6b 100644 --- a/policy/modules/system/raid.te +++ b/policy/modules/system/raid.te @@ -28,7 +28,7 @@ init_unit_file(mdadm_unit_t) # allow mdadm_t self:capability { dac_override ipc_lock sys_admin }; -dontaudit mdadm_t self:capability sys_tty_config; +dontaudit mdadm_t self:capability { net_admin sys_tty_config }; dontaudit mdadm_t self:cap_userns sys_ptrace; allow mdadm_t self:process { getsched setsched signal_perms }; allow mdadm_t self:fifo_file rw_fifo_file_perms; @@ -53,6 +53,7 @@ corecmd_exec_shell(mdadm_t) dev_rw_sysfs(mdadm_t) dev_dontaudit_getattr_all_blk_files(mdadm_t) dev_dontaudit_getattr_all_chr_files(mdadm_t) +dev_dontaudit_rw_mei(mdadm_t) dev_read_realtime_clock(mdadm_t) # create links in /dev/md dev_create_generic_symlinks(mdadm_t) diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te index 6393fadcf..46c275e38 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te 
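Review bot: Adding `auth_use_pam_systemd(chkpwd_t)` in the authlogin.te hunk gives the password-check helper the whole pam_systemd bundle — machined connect, logind dbus chat and logind state, as the authlogin.if hunk above shows — although the comment added in that same hunk suggests the missing piece is only /etc/machine-id. If that is what chkpwd needs, the narrower `files_read_etc_runtime_files(chkpwd_t)` is the least-privilege choice; if chkpwd genuinely uses the rest of the bundle, a comment saying so would stop the next reviewer from trimming it. The raid.te hunk's new `net_admin` dontaudit is reasonable but likewise undocumented.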
@@ -515,6 +515,7 @@ seutil_domtrans_semanage(selinux_dbus_t) # allow semanage_t self:capability { audit_write dac_override }; +dontaudit semanage_t self:capability { sys_admin sys_resource }; allow semanage_t self:unix_stream_socket create_stream_socket_perms; allow semanage_t self:unix_dgram_socket create_socket_perms; allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/
commit: 5c8203bfd90758d92cd93c786de8fe94e6d716ca Author: Christian Göttsche googlemail com> AuthorDate: Thu Feb 22 17:00:48 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Mar 1 17:05:52 2024 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5c8203bf fs: add support for virtiofs Adopted from https://github.com/fedora-selinux/selinux-policy/commit/5580e9a576f759820dbc3387961ce58a959221dc Signed-off-by: Christian Göttsche googlemail.com> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/kernel/filesystem.te | 11 +++ 1 file changed, 11 insertions(+) diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te index f21fc71e9..f9aa5f90b 100644 --- a/policy/modules/kernel/filesystem.te +++ b/policy/modules/kernel/filesystem.te @@ -41,6 +41,7 @@ fs_use_xattr lustre gen_context(system_u:object_r:fs_t,s0); fs_use_xattr overlay gen_context(system_u:object_r:fs_t,s0); fs_use_xattr squashfs gen_context(system_u:object_r:fs_t,s0); fs_use_xattr ubifs gen_context(system_u:object_r:fs_t,s0); +fs_use_xattr virtiofs gen_context(system_u:object_r:fs_t,s0); fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0); fs_use_xattr zfs gen_context(system_u:object_r:fs_t,s0); @@ -203,6 +204,16 @@ optional_policy(` init_mountpoint(tracefs_t) ') + +# +# virtiofs_t is the default type for virtio file systems +# and their files. +# +type virtiofs_t; +fs_noxattr_type(virtiofs_t) +files_mountpoint(virtiofs_t) +genfscon virtiofs / gen_context(system_u:object_r:virtiofs_t,s0) + type vmblock_t; fs_noxattr_type(vmblock_t) files_mountpoint(vmblock_t)
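Review bot: The filesystem.te hunks declare virtiofs twice: `fs_use_xattr virtiofs …` in the first hunk and a `genfscon virtiofs / …` entry under the new noxattr type virtiofs_t in the second. As far as I recall the kernel consults fs_use entries before genfscon, so the xattr rule takes effect whenever both are loaded and the genfscon line is only reached if the fs_use line is absent; if the intent is to cover virtiofsd exports both with and without xattr support, the block comment should say which case each entry serves, e.g. `# exports mounted without xattr support are meant to fall back to this label — TODO confirm kernel fs_use/genfscon precedence`. The adopted Fedora commit is cited, but the reasoning behind the dual declaration is not carried over.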
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/
commit: a1f8db5c896e3aef75922cf3ff53ccd53e00f79f Author: Christian Göttsche googlemail com> AuthorDate: Thu Feb 22 17:00:43 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Mar 1 17:05:48 2024 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a1f8db5c fs: mark memory pressure type as file Associate the type memory_pressure_t with the attribute file_type, so all attribute based rules apply, e.g. for unconfined_t. Signed-off-by: Christian Göttsche googlemail.com> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/kernel/filesystem.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te index 7ffac9812..f21fc71e9 100644 --- a/policy/modules/kernel/filesystem.te +++ b/policy/modules/kernel/filesystem.te @@ -100,6 +100,7 @@ genfscon cgroup2 / gen_context(system_u:object_r:cgroup_t,s0) # the rest of the cgroup tree. type memory_pressure_t; typeattribute memory_pressure_t cgroup_types; +files_type(memory_pressure_t) dev_associate_sysfs(memory_pressure_t) type configfs_t;
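Review bot: `files_type(memory_pressure_t)` in the filesystem.te hunk pulls the cgroup memory.pressure files under file_type, so every attribute-based files_* interface — including those that grant write on all file_type — now reaches them, and writing these files registers PSI triggers. That is presumably intended for unconfined_t as the description says, but it is worth a one-line comment next to the rule so the widening is deliberate on the record: `# file_type so attribute-based rules (e.g. unconfined) cover the PSI trigger files`.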
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/
commit: b093761cac708c6320ea8588f089cb98fd974a24 Author: Christian Göttsche googlemail com> AuthorDate: Thu Feb 22 17:00:44 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Mar 1 17:05:50 2024 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b093761c systemd: binfmt updates type=PROCTITLE msg=audit(21/02/24 22:54:36.708:53) : proctitle=/usr/lib/systemd/systemd-binfmt type=SYSCALL msg=audit(21/02/24 22:54:36.708:53) : arch=x86_64 syscall=fstatfs success=yes exit=0 a0=0x5 a1=0x7ffc547fbda0 a2=0x0 a3=0x0 items=0 ppid=1 pid=694 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-binfmt exe=/usr/lib/systemd/systemd-binfmt subj=system_u:system_r:systemd_binfmt_t:s0 key=(null) type=AVC msg=audit(21/02/24 22:54:36.708:53) : avc: denied { getattr } for pid=694 comm=systemd-binfmt name=/ dev=binfmt_misc ino=1 scontext=system_u:system_r:systemd_binfmt_t:s0 tcontext=system_u:object_r:binfmt_misc_fs_t:s0 tclass=filesystem permissive=1 type=PROCTITLE msg=audit(21/02/24 22:54:36.708:54) : proctitle=/usr/lib/systemd/systemd-binfmt type=PATH msg=audit(21/02/24 22:54:36.708:54) : item=0 name=/proc/self/fd/4 inode=1 dev=00:27 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:binfmt_misc_fs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(21/02/24 22:54:36.708:54) : cwd=/ type=SYSCALL msg=audit(21/02/24 22:54:36.708:54) : arch=x86_64 syscall=access success=yes exit=0 a0=0x7ffc547fbdf0 a1=W_OK a2=0x0 a3=0x0 items=1 ppid=1 pid=694 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-binfmt exe=/usr/lib/systemd/systemd-binfmt subj=system_u:system_r:systemd_binfmt_t:s0 key=(null) type=AVC msg=audit(21/02/24 22:54:36.708:54) : avc: denied { write } for pid=694 comm=systemd-binfmt name=/ dev=binfmt_misc ino=1 
scontext=system_u:system_r:systemd_binfmt_t:s0 tcontext=system_u:object_r:binfmt_misc_fs_t:s0 tclass=dir permissive=1 Signed-off-by: Christian Göttsche googlemail.com> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/kernel/filesystem.if | 37 + policy/modules/system/systemd.te| 6 ++ 2 files changed, 43 insertions(+) diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if index 08ad5503d..ae022b6c0 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -602,6 +602,24 @@ interface(`fs_manage_autofs_symlinks',` manage_lnk_files_pattern($1, autofs_t, autofs_t) ') + +## +## Get the attributes of binfmt_misc filesystems. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_getattr_binfmt_misc_fs',` + gen_require(` + type binfmt_misc_fs_t; + ') + + allow $1 binfmt_misc_fs_t:filesystem getattr; +') + ## ## Get the attributes of directories on @@ -622,6 +640,25 @@ interface(`fs_getattr_binfmt_misc_dirs',` ') + +## +## Check for permissions using access(2) of directories on +## binfmt_misc filesystems. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_check_write_binfmt_misc_dirs',` + gen_require(` + type binfmt_misc_fs_t; + ') + + allow $1 binfmt_misc_fs_t:dir { getattr write }; +') + ## ## Register an interpreter for new binary diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index 6d07466e6..63fef177b 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -401,6 +401,7 @@ fs_search_cgroup_dirs(systemd_backlight_t) # kernel_read_kernel_sysctls(systemd_binfmt_t) +kernel_getattr_proc(systemd_binfmt_t) systemd_log_parse_environment(systemd_binfmt_t) 
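Review bot: fs_check_write_binfmt_misc_dirs, in the second filesystem.if hunk, grants the real `write` permission on binfmt_misc_fs_t directories rather than a mere probe — the kernel checks access(2) with W_OK as the directory write permission, so there is no narrower permission available, but the description should say so that readers do not take "check" to mean a no-op: `## access(2) W_OK is checked as dir write, so this grants write (add_name/remove_name are not included).` The SYSCALL record in the description (syscall=access, a1=W_OK) confirms the denial comes from the probe, not from an actual modification, so the interface is sized correctly. The kernel_getattr_proc line in the systemd.te hunk is not backed by any record in the description and deserves a comment.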
@@ -409,6 +410,11 @@ files_read_etc_files(systemd_binfmt_t) fs_register_binary_executable_type(systemd_binfmt_t) +fs_getattr_binfmt_misc_fs(systemd_binfmt_t) +fs_check_write_binfmt_misc_dirs(systemd_binfmt_t) + +fs_getattr_cgroup(systemd_binfmt_t) +fs_search_cgroup_dirs(systemd_binfmt_t) ## #
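Review bot: The two cgroup lines added at the end of the systemd.te hunk, `fs_getattr_cgroup(systemd_binfmt_t)` and `fs_search_cgroup_dirs(systemd_binfmt_t)`, are not explained by any of the AVC records in the description, which only cover binfmt_misc_fs_t. Either quote the cgroup denial in the commit message or put a comment above them, e.g. `# <trigger — fill in from the cgroup AVC>`, so the grant can be traced later.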
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/, policy/modules/services/
commit: 1d66af88aa2d390ac5783557e8d04289d16bc612 Author: Russell Coker coker com au> AuthorDate: Mon Sep 25 15:46:04 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Oct 6 15:30:09 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1d66af88 small storage changes (#706) * Changes to storage.fc, smartmon, samba and lvm Signed-off-by: Russell Coker coker.com.au> * Add the interfaces this patch needs Signed-off-by: Russell Coker coker.com.au> * use manage_sock_file_perms for sock_file Signed-off-by: Russell Coker coker.com.au> * Renamed files_watch_all_file_type_dir to files_watch_all_dirs Signed-off-by: Russell Coker coker.com.au> * Use read_files_pattern Signed-off-by: Russell Coker coker.com.au> - Signed-off-by: Russell Coker coker.com.au> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/kernel/files.if | 19 +++ policy/modules/kernel/storage.fc| 1 + policy/modules/services/samba.te| 11 ++- policy/modules/services/smartmon.if | 20 policy/modules/services/smartmon.te | 2 +- policy/modules/system/lvm.te| 1 + policy/modules/system/userdomain.if | 18 ++ 7 files changed, 70 insertions(+), 2 deletions(-) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index d8874ace2..a1113ff7c 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -1426,6 +1426,25 @@ interface(`files_unmount_all_file_type_fs',` allow $1 file_type:filesystem unmount; ') + +## +## watch all directories of file_type +## +## +## +## Domain allowed access. +## +## +# +interface(`files_watch_all_dirs',` + gen_require(` + attribute file_type; + ') + + allow $1 file_type:dir watch; +') + + ## ## Read all non-authentication related diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc index 3033ac4de..9cd280c25 100644 --- a/policy/modules/kernel/storage.fc +++ b/policy/modules/kernel/storage.fc 
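Review bot: The summary of files_watch_all_dirs in the files.if hunk reads `watch all directories of file_type`, while the neighbouring interfaces use full sentences (e.g. "Unmount all …"); `## Watch all directories of file_type (inotify/fanotify watch).` would match the house style. The description should also make clear that the grant spans every file_type directory, authentication-related ones included, since callers inside tunables that otherwise limit themselves to non_auth content are the likely users.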
@@ -29,6 +29,7 @@ /dev/lvm -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) /dev/mcdx? -b gen_context(system_u:object_r:removable_device_t,s0) /dev/megadev.* -c gen_context(system_u:object_r:removable_device_t,s0) +/dev/megaraid.*-c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) /dev/mmcblk.* -b gen_context(system_u:object_r:removable_device_t,s0) /dev/mmcblk.* -c gen_context(system_u:object_r:removable_device_t,s0) /dev/mspblk.* -b gen_context(system_u:object_r:removable_device_t,s0) diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te index 8ec3a1c62..f78d316cc 100644 --- a/policy/modules/services/samba.te +++ b/policy/modules/services/samba.te @@ -408,11 +408,13 @@ tunable_policy(`samba_create_home_dirs',` ') tunable_policy(`samba_enable_home_dirs',` + files_watch_home(smbd_t) userdom_manage_user_home_content_dirs(smbd_t) userdom_manage_user_home_content_files(smbd_t) userdom_manage_user_home_content_symlinks(smbd_t) userdom_manage_user_home_content_sockets(smbd_t) userdom_manage_user_home_content_pipes(smbd_t) + userdom_watch_user_home_dirs(smbd_t) ') tunable_policy(`samba_portmapper',` @@ -444,11 +446,13 @@ tunable_policy(`samba_export_all_ro',` fs_read_noxattr_fs_files(smbd_t) files_list_non_auth_dirs(smbd_t) files_read_non_auth_files(smbd_t) + files_watch_all_dirs(smbd_t) ') tunable_policy(`samba_export_all_rw',` fs_read_noxattr_fs_files(smbd_t) files_manage_non_auth_files(smbd_t) + files_watch_all_dirs(smbd_t) ') optional_policy(` 
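Review bot: In the samba.te `samba_export_all_ro` block, the added `files_watch_all_dirs(smbd_t)` covers every file_type directory, while the lines next to it (files_list_non_auth_dirs, files_read_non_auth_files) were deliberately limited to non_auth_file_type; a watch interface scoped to non_auth_file_type, in the same spirit, would keep the read-only export tunable from reaching authentication-related directories. The same grant in the `samba_export_all_rw` block sits beside files_manage_non_auth_files and has the same mismatch. If a tree-wide watch is really required, a comment saying why non_auth scoping is insufficient would settle it.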
@@ -617,13 +621,17 @@ optional_policy(` allow smbcontrol_t self:process signal; allow smbcontrol_t self:fifo_file rw_fifo_file_perms; allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms; +allow smbcontrol_t self:unix_dgram_socket create_socket_perms; allow smbcontrol_t self:process { signal signull }; allow smbcontrol_t { winbind_t nmbd_t smbd_t }:process { signal signull }; -read_files_pattern(smbcontrol_t, samba_runtime_t, samba_runtime_t) +allow smbcontrol_t { smbd_t nmbd_t }:unix_dgram_socket sendto; +manage_files_pattern(smbcontrol_t, samba_runtime_t, samba_runtime_t) +allow smbcontrol_t samba_runtime_t:file map; allow smbcontrol_t samba_runtime_t:dir rw_dir_perms; manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t) +allow smbcontrol_t samba_var_t:sock_file manage_sock_file_perms; samba_read_config(smbcontrol_t) samba_search_var(smbcontrol_t) @@ -639,6 +647,7 @@ files_search_var_lib(smbcontrol_t) term_use_console(smbcontrol_t) init_us
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/, policy/modules/services/
commit: 3cf4d89db3171671a05868dd5ecaf933c49fcaa4 Author: Russell Coker coker com au> AuthorDate: Thu Sep 28 13:55:56 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Oct 6 15:30:52 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3cf4d89d mon.te patches as well as some fstools patches related to it (#697) * Patches for mon, mostly mon local monitoring. Also added the fsdaemon_read_lib() interface and fstools patch because it also uses fsdaemon_read_lib() and it's called by monitoring scripts Signed-off-by: Russell Coker coker.com.au> * Added the files_dontaudit_tmpfs_file_getattr() and storage_dev_filetrans_fixed_disk_control() interfaces needed Signed-off-by: Russell Coker coker.com.au> * Fixed the issues from the review Signed-off-by: Russell Coker coker.com.au> * Specify name to avoid conflicting file trans Signed-off-by: Russell Coker coker.com.au> * fixed dontaudi_ typo Signed-off-by: Russell Coker coker.com.au> * Changed storage_dev_filetrans_fixed_disk to have a mandatory parameter for the object class Signed-off-by: Russell Coker coker.com.au> * Remove fsdaemon_read_lib as it was already merged Signed-off-by: Russell Coker coker.com.au> - Signed-off-by: Russell Coker coker.com.au> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/kernel/files.if | 18 ++ policy/modules/kernel/kernel.te | 2 +- policy/modules/kernel/storage.if| 7 ++- policy/modules/services/mon.te | 30 ++ policy/modules/services/smartmon.te | 2 +- policy/modules/system/fstools.te| 17 + policy/modules/system/init.te | 2 +- policy/modules/system/lvm.te| 2 +- policy/modules/system/raid.te | 2 +- 9 files changed, 72 insertions(+), 10 deletions(-) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index a1113ff7c..591aa64d6 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if 
@@ -434,6 +434,24 @@ interface(`files_tmpfs_file',` typeattribute $1 tmpfsfile; ') + +## +## dontaudit getattr on tmpfs files +## +## +## +## Domain to not have stat on tmpfs files audited +## +## +# +interface(`files_dontaudit_getattr_all_tmpfs_files',` + gen_require(` + attribute tmpfsfile; + ') + + dontaudit $1 tmpfsfile:file getattr; +') + ## ## Get the attributes of all directories. diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te index 666d0e7e9..8156ac087 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -390,7 +390,7 @@ ifdef(`init_systemd',` ') optional_policy(` - storage_dev_filetrans_fixed_disk(kernel_t) + storage_dev_filetrans_fixed_disk(kernel_t, blk_file) storage_setattr_fixed_disk_dev(kernel_t) storage_create_fixed_disk_dev(kernel_t) storage_delete_fixed_disk_dev(kernel_t) diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if index 9c581a910..777caea69 100644 --- a/policy/modules/kernel/storage.if +++ b/policy/modules/kernel/storage.if @@ -296,6 +296,11 @@ interface(`storage_manage_fixed_disk',` ## Domain allowed access. ## ## +## +## +## The class of the object to be created. +## +## ## ## ## Optional filename of the block device to be created @@ -307,7 +312,7 @@ interface(`storage_dev_filetrans_fixed_disk',` type fixed_disk_device_t; ') - dev_filetrans($1, fixed_disk_device_t, blk_file, $2) + dev_filetrans($1, fixed_disk_device_t, $2, $3) ') diff --git a/policy/modules/services/mon.te b/policy/modules/services/mon.te index b9a349871..bbf0496b3 100644 --- a/policy/modules/services/mon.te +++ b/policy/modules/services/mon.te 
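Review bot: storage_dev_filetrans_fixed_disk in the storage.if hunk now takes the object class as a mandatory second parameter and moves the optional filename to `$3`, so any caller still using the old two-argument form will put its filename in the class position; that fails at build time rather than silently, but the interface description should state the change explicitly (e.g. `## The object class is now mandatory; pass blk_file for the previous behaviour.`). The kernel.te hunk shows the intended migration with `storage_dev_filetrans_fixed_disk(kernel_t, blk_file)`.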
@@ -42,8 +42,7 @@ files_tmp_file(mon_tmp_t) allow mon_t self:fifo_file rw_fifo_file_perms; allow mon_t self:tcp_socket create_stream_socket_perms; -# for mailxmpp.alert to set ulimit -allow mon_t self:process setrlimit; +allow mon_t self:process { setrlimit getsched signal }; domtrans_pattern(mon_t, mon_local_test_exec_t, mon_local_test_t) @@ -104,6 +103,11 @@ optional_policy(` mta_send_mail(mon_t) ') +optional_policy(` + # for config of xmpp sending program + xdg_read_config_files(mon_t) +') + # # Local policy @@ -151,6 +155,10 @@ optional_policy(` mysql_stream_connect(mon_net_test_t) ') +optional_policy(` + snmp_read_snmp_var_lib_files(mon_net_test_t) +') + # # Local policy @@ -161,9 +169,10 @@ optional_policy(` # # sys_ptrace is for read
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/services/
commit: 345902025b3c03467a48c8b1474cbd3b3bc085cf Author: Russell Coker coker com au> AuthorDate: Thu Sep 21 14:22:36 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Oct 6 15:27:06 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=34590202 policy for the Reliability Availability servicability daemon (#690) * policy for the Reliability Availability servicability daemon Signed-off-by: Russell Coker coker.com.au> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/kernel/filesystem.if | 37 policy/modules/services/rasdaemon.fc | 3 +++ policy/modules/services/rasdaemon.if | 10 + policy/modules/services/rasdaemon.te | 41 4 files changed, 91 insertions(+) diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if index 5cdbc5644..5213df5ba 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -6154,6 +6154,43 @@ interface(`fs_getattr_tracefs_files',` allow $1 tracefs_t:file getattr; ') + +## +## Read/write trace filesystem files +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_rw_tracefs_files',` + gen_require(` + type tracefs_t; + ') + + allow $1 tracefs_t:dir list_dir_perms; + allow $1 tracefs_t:file rw_file_perms; +') + + +## +## create trace filesystem directories +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_create_tracefs_dirs',` + gen_require(` + type tracefs_t; + ') + + allow $1 tracefs_t:dir { create rw_dir_perms }; +') + ## ## Mount a XENFS filesystem. diff --git a/policy/modules/services/rasdaemon.fc b/policy/modules/services/rasdaemon.fc new file mode 100644 index 0..9a83feb4f --- /dev/null +++ b/policy/modules/services/rasdaemon.fc @@ -0,0 +1,3 @@ +/usr/sbin/rasdaemon-- gen_context(system_u:object_r:rasdaemon_exec_t,s0) +/var/lib/rasdaemon(/.*)? gen_context(system_u:object_r:rasdaemon_var_t,s0) + 
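Review bot: fs_rw_tracefs_files grants `rw_file_perms` on every tracefs_t file and fs_create_tracefs_dirs grants `{ create rw_dir_perms }` on every tracefs_t directory in the filesystem.if hunk, which lets a caller enable arbitrary tracepoints and create trace instances, not only the ras events; tracefs appears to carry a single type in this policy so there is no finer target, but the descriptions should say the grant is tree-wide, e.g. `## Read and write all files on tracefs (enables arbitrary kernel tracing).`. The two summaries also differ in capitalisation (`Read/write …` vs `create …`); the file's other summaries start with a capital.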
diff --git a/policy/modules/services/rasdaemon.if b/policy/modules/services/rasdaemon.if new file mode 100644 index 0..9509b0261 --- /dev/null +++ b/policy/modules/services/rasdaemon.if @@ -0,0 +1,10 @@ +## RAS (Reliability, Availability and Serviceability) logging tool +## +## +## rasdaemon is a RAS (Reliability, Availability and Serviceability) logging +## tool. It currently records memory errors, using the EDAC tracing events. +## EDAC are drivers in the Linux kernel that handle detection of ECC errors +## from memory controllers for most chipsets on x86 and ARM architectures. +## +## https://git.infradead.org/users/mchehab/rasdaemon.git +## diff --git a/policy/modules/services/rasdaemon.te b/policy/modules/services/rasdaemon.te new file mode 100644 index 0..9a65d5d74 --- /dev/null +++ b/policy/modules/services/rasdaemon.te @@ -0,0 +1,41 @@ +policy_module(rasdaemon) + + +# +# Declarations +# + +type rasdaemon_t; +type rasdaemon_exec_t; +init_daemon_domain(rasdaemon_t, rasdaemon_exec_t) + +type rasdaemon_var_t; +files_type(rasdaemon_var_t) + + +# +# Local policy +# + +allow rasdaemon_t self:process getsched; +allow rasdaemon_t self:capability sys_rawio; + +allow rasdaemon_t rasdaemon_var_t:dir manage_dir_perms; +allow rasdaemon_t rasdaemon_var_t:file manage_file_perms; + +kernel_read_debugfs(rasdaemon_t) +kernel_read_system_state(rasdaemon_t) +kernel_read_vm_overcommit_sysctl(rasdaemon_t) +kernel_search_fs_sysctls(rasdaemon_t) + +dev_read_sysfs(rasdaemon_t) +dev_read_urand(rasdaemon_t) +dev_rw_cpu_microcode(rasdaemon_t) + +files_search_var_lib(rasdaemon_t) +fs_create_tracefs_dirs(rasdaemon_t) +fs_rw_tracefs_files(rasdaemon_t) + +logging_send_syslog_msg(rasdaemon_t) +miscfiles_read_localization(rasdaemon_t) +
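Review bot: `allow rasdaemon_t self:capability sys_rawio;` and `dev_rw_cpu_microcode(rasdaemon_t)` in the rasdaemon.te hunk together give the daemon raw I/O and read/write on the CPU device nodes (cpu_device_t, which as far as I recall covers /dev/cpu/*/msr as well as the microcode node) — kernel-equivalent privilege for a logging daemon — yet neither line carries a comment. Record the feature that needs them, e.g. `# sys_rawio and MSR access: required by <decoder/feature — fill in>`, so a later reviewer can tell whether a build without that feature can drop them. The tracefs grants on the lines below reach beyond the ras tracepoints for the same reason and deserve the same note.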
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/
commit: af8127d982e94211a2a717c9fb3249ef7456ee7a Author: Kenton Groombridge concord sh> AuthorDate: Tue Mar 7 00:19:51 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Mar 31 17:11:32 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=af8127d9 fs, init: allow systemd-init to set the attributes of efivarfs files avc: denied { setattr } for pid=1 comm="systemd" name="LoaderSystemToken-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f" dev="efivarfs" ino=1049 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=0 Signed-off-by: Kenton Groombridge concord.sh> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/kernel/filesystem.if | 20 policy/modules/system/init.te | 1 + 2 files changed, 21 insertions(+) diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if index a1282cf40..528eeafc0 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -2439,6 +2439,26 @@ interface(`fs_read_efivarfs_files',` read_files_pattern($1, efivarfs_t, efivarfs_t) ') +### +## +## Set the attributes of files in efivarfs +## - contains Linux Kernel configuration options for UEFI systems +## +## +## +## Domain allowed access. +## +## +## +# +interface(`fs_setattr_efivarfs_files',` + gen_require(` + type efivarfs_t; + ') + + setattr_files_pattern($1, efivarfs_t, efivarfs_t) +') + ## ## Create, read, write, and delete files diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index 87d62741e..fca349587 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -464,6 +464,7 @@ ifdef(`init_systemd',` fs_relabel_tmpfs_chr_files(init_t) fs_relabel_tmpfs_fifo_files(init_t) fs_read_efivarfs_files(init_t) + fs_setattr_efivarfs_files(init_t) # for privatetmp functions fs_relabel_tmpfs_dirs(init_t) fs_relabel_tmpfs_files(init_t)
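Review bot: The description of fs_setattr_efivarfs_files in the filesystem.if hunk says efivarfs `contains Linux Kernel configuration options for UEFI systems`, which is inaccurate — efivarfs exposes UEFI firmware variables (boot entries, loader tokens, Secure Boot state) as files; replace that line with `## - exposes UEFI firmware variables (e.g. boot entries) as files`. The init.te hunk presumably needs setattr because clearing the immutable flag on an efivar before writing it is checked as file setattr; a comment such as `# clear the immutable flag on LoaderSystemToken before writing it` next to `fs_setattr_efivarfs_files(init_t)` would tie the rule to the AVC quoted in the description.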
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/
commit: 71328f3f02d4765b904f1a2a6c9fe140cb116182 Author: Kenton Groombridge concord sh> AuthorDate: Mon Mar 6 18:37:02 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Mar 31 17:11:32 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=71328f3f files, systemd: allow systemd-tmpfiles to relabel config file symlinks Signed-off-by: Kenton Groombridge concord.sh> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/kernel/files.if | 19 +++ policy/modules/system/systemd.te | 3 ++- 2 files changed, 21 insertions(+), 1 deletion(-) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index a895f3734..6fe764a7a 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -1713,6 +1713,25 @@ interface(`files_dontaudit_relabel_config_files',` dontaudit $1 configfile:file relabel_file_perms; ') +### +## +## Relabel configuration symlinks. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`files_relabel_config_symlinks',` + gen_require(` + attribute configfile; + ') + + relabel_lnk_files_pattern($1, configfile, configfile) +') + ## ## Mount a filesystem on all mount points. diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index 778052cde..59a3fcfc5 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -1704,8 +1704,9 @@ files_manage_all_locks(systemd_tmpfiles_t) files_purge_tmp(systemd_tmpfiles_t) files_read_etc_files(systemd_tmpfiles_t) files_read_etc_runtime_files(systemd_tmpfiles_t) -files_relabel_config_files(systemd_tmpfiles_t) files_relabel_config_dirs(systemd_tmpfiles_t) +files_relabel_config_files(systemd_tmpfiles_t) +files_relabel_config_symlinks(systemd_tmpfiles_t) files_relabel_all_locks(systemd_tmpfiles_t) files_relabel_all_runtime_dirs(systemd_tmpfiles_t) files_relabel_all_tmp_dirs(systemd_tmpfiles_t)
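Review bot: `files_relabel_config_symlinks` hands out both relabelfrom and relabelto on symlinks across the whole `configfile` attribute, so systemd-tmpfiles can move any config symlink between any two config types, and neither the interface description nor the commit message says which symlink it actually needed to relabel. I would extend the description to `## Relabel configuration symlinks (relabelfrom/relabelto across all configfile types).` and cite the triggering path or AVC in the commit message. The reordering of `files_relabel_config_files` in systemd.te is alphabetical only and needs no change.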
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/
commit: 70226d790395660a9e086b8c0eeec28acf2c7e3b Author: Kenton Groombridge concord sh> AuthorDate: Mon Mar 6 18:18:41 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Mar 31 17:11:32 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=70226d79 fs, udev: allow systemd-udevd various cgroup perms Needed for systemd-udevd to create files under /sys/fs/cgroup/system.slice/systemd-udevd.service/udev Signed-off-by: Kenton Groombridge concord.sh> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/kernel/filesystem.if | 40 - policy/modules/system/udev.te | 6 +- 2 files changed, 44 insertions(+), 2 deletions(-) diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if index af2023e62..a1282cf40 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -798,7 +798,6 @@ interface(`fs_getattr_cgroup',` interface(`fs_search_cgroup_dirs',` gen_require(` type cgroup_t; - ') search_dirs_pattern($1, cgroup_t, cgroup_t) @@ -843,6 +842,25 @@ interface(`fs_ioctl_cgroup_dirs', ` dev_search_sysfs($1) ') + +## +## Create cgroup directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_create_cgroup_dirs',` + gen_require(` + type cgroup_t; + ') + + create_dirs_pattern($1, cgroup_t, cgroup_t) + dev_search_sysfs($1) +') + ## ## Delete cgroup directories. @@ -941,6 +959,26 @@ interface(`fs_read_cgroup_files',` dev_search_sysfs($1) ') + +## +## Create cgroup files. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_create_cgroup_files',` + gen_require(` + type cgroup_t; + + ') + + create_files_pattern($1, cgroup_t, cgroup_t) + dev_search_sysfs($1) +') + ## ## Watch cgroup files. diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te index 56cfa2fb8..2fae88354 100644 --- a/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te 
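Review bot: The new `fs_create_cgroup_files` interface carries a blank line inside its `gen_require` block (`type cgroup_t;` followed by an empty line before `')`), which is exactly the stray whitespace that the first hunk in this file removes from `fs_search_cgroup_dirs`; drop the blank line so the two are consistent. Because the mail rendering collapsed line breaks, the removed line in that first hunk reads as if it could be the `')` closer rather than the blank line, and the -7/+6 header only says one line went, so please confirm it is the empty line and `gen_require` still closes. Both new interfaces otherwise follow the existing pattern of pairing the access with `dev_search_sysfs($1)`.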
@@ -261,7 +261,11 @@ ifdef(`distro_redhat',` ifdef(`init_systemd',` files_search_kernel_modules(udev_t) - fs_read_cgroup_files(udev_t) + # systemd-udev creates cgroup files under + # /sys/fs/cgroup/system.slice/systemd-udevd.service/udev + fs_create_cgroup_dirs(udev_t) + fs_create_cgroup_files(udev_t) + fs_rw_cgroup_files(udev_t) init_dgram_send(udev_t) init_get_generic_units_status(udev_t)
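Review bot: Swapping `fs_read_cgroup_files` for `fs_rw_cgroup_files` plus the two create interfaces gives udev_t write and create access on every cgroup_t file and directory, not only the `systemd-udevd.service/udev` subtree named in the comment, because cgroupfs is a single type; that is unavoidable here but worth stating so the comment is not read as a scope limit. I would extend the comment to `# cgroup_t covers all of /sys/fs/cgroup, so this is broader than the udev subtree`. The enclosing `ifdef(`init_systemd'` block continues past the hunk.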
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/
commit: fb931664be3edc23bc7641f910342590f4335e21 Author: Corentin LABBE gmail com> AuthorDate: Tue Jan 3 08:22:11 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Mon Feb 13 15:19:30 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=fb931664 mcelog: add missing file context for triggers I got the following AVC: allow mcelog_t mcelog_etc_t:file execute; This is due do some trigger, not being set as bin_t -rwxr-xr-x. 1 root root system_u:object_r:bin_t 801 nov. 1 19:11 bus-error-trigger -rwxr-xr-x. 1 root root system_u:object_r:bin_t1035 nov. 1 19:11 cache-error-trigger -rwxr-xr-x. 1 root root system_u:object_r:bin_t1213 nov. 1 19:11 dimm-error-trigger -rwxr-xr-x. 1 root root system_u:object_r:bin_t 742 nov. 1 19:11 iomca-error-trigger -rw-r-. 1 root root system_u:object_r:mcelog_etc_t 7415 nov. 1 19:11 mcelog.conf -rwxr-xr-x. 1 root root system_u:object_r:mcelog_etc_t 1209 nov. 1 19:11 page-error-counter-replacement-trigger -rwxr-xr-x. 1 root root system_u:object_r:mcelog_etc_t 1656 nov. 1 19:11 page-error-post-sync-soft-trigger -rwxr-xr-x. 1 root root system_u:object_r:mcelog_etc_t 1640 nov. 1 19:11 page-error-pre-sync-soft-trigger -rwxr-xr-x. 1 root root system_u:object_r:bin_t1308 nov. 1 19:11 page-error-trigger -rwxr-xr-x. 1 root root system_u:object_r:bin_t1057 nov. 1 19:11 socket-memory-error-trigger -rwxr-xr-x. 1 root root system_u:object_r:bin_t 947 nov. 1 19:11 unknown-error-trigger Signed-off-by: Corentin LABBE gmail.com> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/kernel/corecommands.fc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc index 550f87047..1c3ce84e0 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc 
@@ -54,7 +54,7 @@ ifdef(`distro_redhat',` /etc/mail/make -- gen_context(system_u:object_r:bin_t,s0) -/etc/mcelog/.*-error-trigger -- gen_context(system_u:object_r:bin_t,s0) +/etc/mcelog/.*-trigger -- gen_context(system_u:object_r:bin_t,s0) /etc/mcelog/.*\.local -- gen_context(system_u:object_r:bin_t,s0) ifdef(`distro_redhat',`
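Review bot: `.*` in `/etc/mcelog/.*-trigger` also matches `/`, so any regular file ending in `-trigger` anywhere below /etc/mcelog, not just the direct children in the listing, is labeled bin_t and treated as a generic executable; `[^/]*-trigger` would match exactly the files shown. The widening from `.*-error-trigger` is otherwise the right fix, since the `page-error-*-soft-trigger` and `page-error-counter-replacement-trigger` files in the listing do not contain `-error-trigger`. The quoted `allow mcelog_t mcelog_etc_t:file execute;` is audit2allow output rather than the raw AVC, so the commit message wording is slightly off.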
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/
commit: d576e9fc8214276f76f7f2a64aa277ce31798276 Author: Corentin LABBE gmail com> AuthorDate: Mon Dec 26 18:47:43 2022 + Commit: Kenton Groombridge gentoo org> CommitDate: Mon Feb 13 15:19:49 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d576e9fc munin: add file context for common functions file Some Munin plugins need to read the plugin.sh file providing common functions. Signed-off-by: Corentin LABBE gmail.com> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/kernel/files.fc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc index 0c2de4bba..b22d97997 100644 --- a/policy/modules/kernel/files.fc +++ b/policy/modules/kernel/files.fc @@ -214,6 +214,8 @@ ifdef(`distro_gentoo',` /usr/share/maven-bin-[^/]*/bin/m2\.conf-- gen_context(system_u:object_r:usr_t,s0) ') +/usr/share/munin/plugins/plugin\.sh-- gen_context(system_u:object_r:usr_t,s0) + /usr/tmp -d gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh) /usr/tmp/.*<>
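Review bot: A module-specific path like `/usr/share/munin/plugins/plugin\.sh` is added to the kernel-layer files.fc instead of the munin module's own file contexts, and because file_contexts prefers the more specific regex this entry will override whatever that module assigns to `/usr/share/munin/plugins/.*` (presumably a plugin exec type), which is only correct if plugin.sh is always sourced and never executed. I would move the entry next to the other munin plugin contexts with a comment `# common functions, sourced by plugins rather than executed`, or keep it here but state in the commit message why usr_t was chosen over the plugin exec type. The rendering also fused the file-type field as `plugin\.sh--`; the real entry presumably has whitespace before `--`.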
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/
commit: 1ebe9e63c80eeabc60fbbbf21343db4d496f6186 Author: Kenton Groombridge concord sh> AuthorDate: Sat Sep 24 04:24:11 2022 + Commit: Kenton Groombridge gentoo org> CommitDate: Wed Nov 2 14:07:11 2022 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1ebe9e63 corenet: add portcon for glusterfs Signed-off-by: Kenton Groombridge concord.sh> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/kernel/corenetwork.te.in | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in index 077aacf0e..749d9bace 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -149,6 +149,7 @@ network_port(gdomap, tcp,538,s0, udp,538,s0) network_port(gds_db, tcp,3050,s0, udp,3050,s0) network_port(git, tcp,9418,s0, udp,9418,s0) network_port(glance_registry, tcp,9191,s0, udp,9191,s0) +network_port(glusterd, tcp,24007,s0, tcp,24009,s0) network_port(gopher, tcp,70,s0, udp,70,s0) network_port(gpsd, tcp,2947,s0) network_port(hadoop_datanode, tcp,50010,s0)
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/
commit: ba34639d0cd5e156d5a9a21f853703a09a68b1d2 Author: Kenton Groombridge concord sh> AuthorDate: Sat Sep 24 04:00:28 2022 + Commit: Kenton Groombridge gentoo org> CommitDate: Wed Nov 2 14:07:05 2022 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ba34639d devices: add interface to rw infiniband devices Signed-off-by: Kenton Groombridge concord.sh> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/kernel/devices.if | 18 ++ 1 file changed, 18 insertions(+) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if index ba652e81e..5ef1833c6 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -2404,6 +2404,24 @@ interface(`dev_rw_hyperv_vss',` rw_chr_files_pattern($1, device_t, hyperv_vss_device_t) ') + +## +## Allow read/write access to InfiniBand devices. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_rw_infiniband',` + gen_require(` + type device_t, infiniband_device_t; + ') + + rw_chr_files_pattern($1, device_t, infiniband_device_t) +') + ## ## Read the kernel messages
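Review bot: `dev_rw_infiniband` grants read/write on every `infiniband_device_t` character node, and the one-line description does not tell a policy author what that implies: the nodes under /dev/infiniband presumably include the user-verbs devices, through which userspace drives RDMA hardware directly, so the interface should be treated as close to raw device access rather than an ordinary device rw. I would expand the description to `## Allow read/write access to InfiniBand devices (/dev/infiniband, including user verbs; effectively direct RDMA hardware access).`. This is hedged because the device node list itself is not part of this hunk.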
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/
commit: 2691ab991317ef15b9fbba6394c678aed2e3d758 Author: Chris PeBenito linux microsoft com> AuthorDate: Tue Sep 20 14:59:19 2022 + Commit: Kenton Groombridge gentoo org> CommitDate: Wed Nov 2 14:07:00 2022 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2691ab99 Drop audit_access allows. This permission is only used for auditing purposes. It is a no-op for allows. Signed-off-by: Chris PeBenito linux.microsoft.com> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/kernel/devices.te| 6 +++--- policy/modules/kernel/files.te | 14 +++--- policy/modules/kernel/filesystem.te | 14 +++--- policy/modules/kernel/kernel.te | 24 policy/modules/kernel/storage.te| 4 ++-- 5 files changed, 31 insertions(+), 31 deletions(-) diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te index 49718cc26..5e2c77cbb 100644 --- a/policy/modules/kernel/devices.te +++ b/policy/modules/kernel/devices.te @@ -434,6 +434,6 @@ files_associate_tmp(device_node) # allow devices_unconfined_type self:capability sys_rawio; -allow devices_unconfined_type device_node:blk_file { manage_blk_file_perms relabel_blk_file_perms map execute quotaon mounton audit_access execmod watch }; -allow devices_unconfined_type device_node:chr_file { manage_chr_file_perms relabel_chr_file_perms map execute quotaon mounton execmod audit_access watch }; -allow devices_unconfined_type mtrr_device_t:file { manage_file_perms relabel_file_perms exec_file_perms quotaon mounton entrypoint execmod audit_access watch }; +allow devices_unconfined_type device_node:blk_file { manage_blk_file_perms relabel_blk_file_perms map execute quotaon mounton execmod watch }; +allow devices_unconfined_type device_node:chr_file { manage_chr_file_perms relabel_chr_file_perms map execute quotaon mounton execmod watch }; +allow devices_unconfined_type mtrr_device_t:file { manage_file_perms relabel_file_perms exec_file_perms quotaon mounton entrypoint execmod watch }; 
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te index 2691a8611..e8fe42214 100644 --- a/policy/modules/kernel/files.te +++ b/policy/modules/kernel/files.te 
@@ -227,13 +227,13 @@ fs_associate_tmpfs(tmpfsfile) # # Create/access any file in a labeled filesystem; -allow files_unconfined_type file_type:file { manage_file_perms relabel_file_perms exec_file_perms quotaon mounton audit_access watch }; -allow files_unconfined_type file_type:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms append map execute quotaon mounton open audit_access execmod watch }; -allow files_unconfined_type file_type:sock_file { manage_sock_file_perms relabel_sock_file_perms map execute quotaon mounton audit_access execmod watch }; -allow files_unconfined_type file_type:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms map execute quotaon mounton audit_access execmod watch }; -allow files_unconfined_type file_type:blk_file { manage_blk_file_perms relabel_blk_file_perms map execute quotaon mounton audit_access execmod watch }; -allow files_unconfined_type file_type:chr_file { manage_chr_file_perms relabel_chr_file_perms map execute quotaon mounton audit_access watch }; -allow files_unconfined_type file_type:dir { manage_dir_perms relabel_dir_perms append map execute quotaon mounton add_name remove_name reparent search rmdir audit_access execmod watch }; +allow files_unconfined_type file_type:file { manage_file_perms relabel_file_perms exec_file_perms quotaon mounton watch }; +allow files_unconfined_type file_type:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms append map execute quotaon mounton open execmod watch }; +allow files_unconfined_type file_type:sock_file { manage_sock_file_perms relabel_sock_file_perms map execute quotaon mounton execmod watch }; +allow files_unconfined_type file_type:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms map execute quotaon mounton execmod watch }; +allow files_unconfined_type file_type:blk_file { manage_blk_file_perms relabel_blk_file_perms map execute quotaon mounton execmod watch }; +allow files_unconfined_type file_type:chr_file { manage_chr_file_perms 
relabel_chr_file_perms map execute quotaon mounton watch }; +allow files_unconfined_type file_type:dir { manage_dir_perms relabel_dir_perms append map execute quotaon mounton add_name remove_name reparent search rmdir execmod watch }; # Mount/unmount any filesystem with the context= option. allow files_unconfined_type file_type:filesystem { mount remount unmount getattr relabelfrom relabelto associate quotamod quotaget watch }; diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te index 810bdaaa0..b3fd4abf8 100644 --- a/policy/modules/kernel/filesystem.te +++ b/policy/modules/kernel/filesystem.te @@ -339,13 +339,13 @@ allow filesystem_unconfined_type filesystem_type:filesy
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/services/, policy/modules/admin/, ...
commit: 8d05a891d62852e95e4dbcb3f16e299be7cd4644 Author: Chris PeBenito microsoft com> AuthorDate: Wed Mar 9 20:50:22 2022 + Commit: Jason Zaman gentoo org> CommitDate: Sat Sep 3 19:07:49 2022 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8d05a891 Add cloud-init. This is used by cloud providers to set up VMs during deployment. https://github.com/canonical/cloud-init Signed-off-by: Chris PeBenito microsoft.com> Signed-off-by: Jason Zaman gentoo.org> policy/modules/admin/cloudinit.fc | 10 +++ policy/modules/admin/cloudinit.if | 108 policy/modules/admin/cloudinit.te | 108 policy/modules/admin/usermanage.fc | 1 + policy/modules/kernel/corecommands.fc | 1 + policy/modules/kernel/corenetwork.if.in | 18 ++ policy/modules/services/ssh.fc | 2 +- policy/modules/services/ssh.if | 55 policy/modules/system/libraries.if | 44 + policy/modules/system/sysnetwork.te | 2 +- policy/modules/system/systemd.te| 9 +++ 11 files changed, 356 insertions(+), 2 deletions(-) diff --git a/policy/modules/admin/cloudinit.fc b/policy/modules/admin/cloudinit.fc new file mode 100644 index ..f5fdc535 --- /dev/null +++ b/policy/modules/admin/cloudinit.fc @@ -0,0 +1,10 @@ +/run/cloud-init(/.*)? gen_context(system_u:object_r:cloud_init_runtime_t,s0) + +/usr/bin/cloud-id -- gen_context(system_u:object_r:cloud_init_exec_t,s0) +/usr/bin/cloud-init -- gen_context(system_u:object_r:cloud_init_exec_t,s0) +/usr/bin/cloud-init-per -- gen_context(system_u:object_r:cloud_init_exec_t,s0) + +/var/lib/cloud(/.*)? gen_context(system_u:object_r:cloud_init_state_t,s0) + +/var/log/cloud-init-output\.log -- gen_context(system_u:object_r:cloud_init_log_t,s0) +/var/log/cloud-init\.log -- gen_context(system_u:object_r:cloud_init_log_t,s0) diff --git a/policy/modules/admin/cloudinit.if b/policy/modules/admin/cloudinit.if new file mode 100644 index ..4469d7b1 --- /dev/null +++ b/policy/modules/admin/cloudinit.if 
@@ -0,0 +1,108 @@ +## Init scripts for cloud VMs + + +## +## Create cloud-init runtime directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`cloudinit_create_runtime_dirs',` + gen_require(` + type cloud_init_runtime_t; + ') + + files_search_runtime($1) + allow $1 cloud_init_runtime_t:dir create_dir_perms; +') + + +## +## Write cloud-init runtime files. +## +## +## +## Domain allowed access. +## +## +# +interface(`cloudinit_write_runtime_files',` + gen_require(` + type cloud_init_runtime_t; + ') + + files_search_runtime($1) + write_files_pattern($1, cloud_init_runtime_t, cloud_init_runtime_t) +') + + +## +## Create cloud-init runtime files. +## +## +## +## Domain allowed access. +## +## +# +interface(`cloudinit_create_runtime_files',` + gen_require(` + type cloud_init_runtime_t; + ') + + files_search_runtime($1) + create_files_pattern($1, cloud_init_runtime_t, cloud_init_runtime_t) +') + +### +## +## Create files in /run with the type used for +## cloud-init runtime files. +## +## +## +## Domain allowed access. +## +## +## +## +## The class of the object to be created. +## +## +## +## +## The name of the object being created. +## +## +# +interface(`cloudinit_filetrans_runtime',` + gen_require(` + type cloud_init_runtime_t; + ') + + files_runtime_filetrans($1, cloud_init_runtime_t, $2, $3) +') + + +## +## Get the attribute of cloud-init state files. +## +## +## +## Domain allowed access. +## +## +# +interface(`cloudinit_getattr_state_files',` + gen_require(` + type cloud_init_state_t; + ') + + files_search_var_lib($1) + allow $1 cloud_init_state_t:dir list_dir_perms; + allow $1 cloud_init_state_t:lnk_file read_lnk_file_perms; + allow $1 cloud_init_state_t:file getattr; +') diff --git a/policy/modules/admin/cloudinit.te b/policy/modules/admin/cloudinit.te new file mode 100644 index ..f531cc5d --- /dev/null +++ b/policy/modules/admin/cloudinit.te 
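Review bot: `cloudinit_getattr_state_files` grants `list_dir_perms` on state directories and `read_lnk_file_perms` on their symlinks in addition to `file getattr`, so a caller can enumerate /var/lib/cloud and follow links even though the name and description promise only attribute access; either narrow the dir rule to `allow $1 cloud_init_state_t:dir search_dir_perms;` or document the real scope as `## Get attributes of cloud-init state files (also lists state directories and reads their symlinks).`. The module summary `## Init scripts for cloud VMs` also misdescribes the tool given the commit message; something like `## cloud-init: provisioning of cloud VMs during deployment` fits better. The three runtime interfaces are consistent with each other.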
@@ -0,0 +1,108 @@ +policy_module(cloudinit) + + +# +# Declarations +# + +type cloud_init_t; +type cloud_init_exec_t; +init_system_domain(cloud_init_t, cloud_init_exec_t) + +type cloud_init_log_t; +logging_log_file(cloud_init_log_t) + +type cloud_init_runtime_t; +files_runtime_file(cloud_init_runtime_t) +files_mountpoint(cloud_init
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/
commit: 892145a3471364d8e677878406a7884e6557ec2d Author: Daniel Burgener linux microsoft com> AuthorDate: Tue Jul 19 21:47:43 2022 + Commit: Jason Zaman gentoo org> CommitDate: Sat Sep 3 18:41:55 2022 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=892145a3 Drop explicit calls to seutil and kernel module interfaces in broad files interfaces Historically, these calls were needed because the interfaces provided an attribute used to check various assertions. However, that attribute was dropped in 2005 with commit 15fefa4. Keeping these calls in prevents removing these permissions from a call to files_manage_all_files() with the $2 argument. Signed-off-by: Daniel Burgener linux.microsoft.com> Signed-off-by: Jason Zaman gentoo.org> policy/modules/kernel/files.if | 8 1 file changed, 8 deletions(-) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index 6a082670..fb27ed18 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -1239,10 +1239,6 @@ interface(`files_manage_all_files',` manage_lnk_files_pattern($1, { file_type $2 }, { file_type $2 }) manage_fifo_files_pattern($1, { file_type $2 }, { file_type $2 }) manage_sock_files_pattern($1, { file_type $2 }, { file_type $2 }) - - # satisfy the assertions: - seutil_create_bin_policy($1) - files_manage_kernel_modules($1) ') @@ -1513,10 +1509,6 @@ interface(`files_manage_non_auth_files',` manage_lnk_files_pattern($1, non_auth_file_type, non_auth_file_type) manage_fifo_files_pattern($1, non_auth_file_type, non_auth_file_type) manage_sock_files_pattern($1, non_auth_file_type, non_auth_file_type) - - # satisfy the assertions: - seutil_create_bin_policy($1) - files_manage_kernel_modules($1) ')
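Review bot: Removing `seutil_create_bin_policy($1)` and `files_manage_kernel_modules($1)` from `files_manage_non_auth_files` is only a no-op if the types those interfaces cover are themselves `non_auth_file_type`; if the binary policy type is a security file type excluded from that attribute, as the attribute name suggests, callers of `files_manage_non_auth_files` silently lose the ability to create binary policy, which is a permission drop rather than cleanup. Please confirm and either state it in the commit message or keep that call in this one interface; the `files_manage_all_files` hunk is safe because `file_type` covers everything. Both interfaces continue outside the hunks shown.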
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/
commit: fc0dd40ee53f5a1d45ee160db2d3d1e6727bff90 Author: Kenton Groombridge concord sh> AuthorDate: Wed Nov 10 17:58:42 2021 + Commit: Jason Zaman gentoo org> CommitDate: Thu Mar 31 02:40:53 2022 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=fc0dd40e files, init: allow init to remount filesystems mounted on /boot The context= mount option can be used to label, for example, a DOS filesystem mounted on boot to be boot_t instead of dosfs_t. Explicitly allow init (systemd) to remount boot_t filesystems so that options like ProtectSystem=full work properly. Signed-off-by: Kenton Groombridge concord.sh> Signed-off-by: Jason Zaman gentoo.org> policy/modules/kernel/files.if | 18 ++ policy/modules/system/init.te | 1 + 2 files changed, 19 insertions(+) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index ea29fef3..baedb52e 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -2238,6 +2238,24 @@ interface(`files_mounton_root',` allow $1 root_t:dir mounton; ') + +## +## Remount a filesystem mounted on /boot. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_remount_boot',` + gen_require(` + type boot_t; + ') + + allow $1 boot_t:filesystem remount; +') + ## ## Get attributes of the /boot directory. diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index 3f1c7d20..6e1baef9 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -417,6 +417,7 @@ ifdef(`init_systemd',` files_mounton_tmp(init_t) files_manage_urandom_seed(init_t) files_read_boot_files(initrc_t) + files_remount_boot(init_t) files_relabel_all_lock_dirs(init_t) files_search_all(init_t) files_unmount_all_file_type_fs(init_t)
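Review bot: `files_remount_boot` only does anything for a filesystem whose superblock carries `boot_t`, i.e. one mounted with `context=system_u:object_r:boot_t` as the commit message explains; a natively labeled /boot keeps its filesystem type (the message names dosfs_t) and is unaffected. The interface description should say so, since `## Remount a filesystem mounted on /boot.` reads as if it covered any /boot mount: `## Remount a filesystem mounted on /boot with context=boot_t (e.g. for ProtectSystem=full).`. The adjacent `files_read_boot_files(initrc_t)` inside the init_t systemd block is pre-existing and untouched.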
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/services/
commit: 5b564f3b243368edd0e083c78a99b059a10e80ed Author: Russell Coker coker com au> AuthorDate: Fri Feb 18 01:21:52 2022 + Commit: Jason Zaman gentoo org> CommitDate: Sun Feb 27 02:13:17 2022 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5b564f3b matrixd-synapse policy V3 Here's the latest version of the matrixd-synapse policy including all the suggestions from a year ago. Probably ready to merge. Signed-off-by: Russell Coker coker.com.au> Signed-off-by: Jason Zaman gentoo.org> policy/modules/kernel/corenetwork.te.in | 2 +- policy/modules/services/matrixd.fc | 4 + policy/modules/services/matrixd.if | 1 + policy/modules/services/matrixd.te | 126 4 files changed, 132 insertions(+), 1 deletion(-) diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in index 547328be..077aacf0 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -156,7 +156,7 @@ network_port(hadoop_namenode, tcp,8020,s0) network_port(hddtemp, tcp,7634,s0) network_port(howl, tcp,5335,s0, udp,5353,s0) network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,5,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0) -network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port +network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0, tcp,8448,s0) #8443 is mod_nss default port network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,10001-10010,s0) # 8118 is for privoxy network_port(i18n_input, tcp,9010,s0) network_port(imaze, tcp,5323,s0, udp,5323,s0) diff --git a/policy/modules/services/matrixd.fc b/policy/modules/services/matrixd.fc new file mode 100644 index ..b59b1c75 --- /dev/null +++ b/policy/modules/services/matrixd.fc 
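Review bot: Adding 8448 to `http_port_t` makes the Matrix federation port indistinguishable from HTTP for every domain that already has the corenet http-port connect or bind interfaces, and the trailing comment still explains only 8443; at minimum extend it to `#8443 is mod_nss default port, 8448 is Matrix federation`. If federation should be confinable separately from web traffic, a dedicated port type declared here (e.g. `network_port(matrixd, tcp,8448,s0)`) would let matrixd.te bind it without widening http_port_t. Whether other http-port consumers matter depends on the deployments this policy targets, so this is a suggestion rather than a defect.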
@@ -0,0 +1,4 @@ +/var/lib/matrix-synapse(/.*)? gen_context(system_u:object_r:matrixd_var_t,s0) +/var/log/matrix-synapse(/.*)? gen_context(system_u:object_r:matrixd_log_t,s0) +/etc/matrix-synapse(/.*)? gen_context(system_u:object_r:matrixd_conf_t,s0) +/usr/bin/synctl-- gen_context(system_u:object_r:matrixd_exec_t,s0) diff --git a/policy/modules/services/matrixd.if b/policy/modules/services/matrixd.if new file mode 100644 index ..f1eff5f0 --- /dev/null +++ b/policy/modules/services/matrixd.if @@ -0,0 +1 @@ +## Matrixd diff --git a/policy/modules/services/matrixd.te b/policy/modules/services/matrixd.te new file mode 100644 index ..5c217678 --- /dev/null +++ b/policy/modules/services/matrixd.te 
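Review bot: The matrixd.fc entries are not in path order (`/var/lib`, `/var/log`, `/etc`, `/usr/bin`), whereas refpolicy .fc files list paths alphabetically; reorder to `/etc/...`, `/usr/bin/synctl`, `/var/lib/...`, `/var/log/...`. matrixd.if holds only the `## Matrixd` summary and no interfaces, so no other domain (a reverse proxy, a log reader, an admin role) can be granted access to `matrixd_conf_t` or `matrixd_log_t` without editing this module; a read-logs and an admin interface are customary for a new daemon module. The rendering fused the file-type field as `synctl--`; the real line presumably has whitespace before `--`.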
@@ -0,0 +1,126 @@ +policy_module(matrixd, 1.0.0) + + +# +# Declarations +# + +## +## +## Determine whether Matrixd is allowed to federate +## (bind all UDP ports and connect to all TCP ports). +## +## +gen_tunable(matrix_allow_federation, true) + +## +## +## Determine whether Matrixd can connect to the Postgres database. +## +## +gen_tunable(matrix_postgresql_connect, false) + + +type matrixd_t; +type matrixd_exec_t; +init_daemon_domain(matrixd_t, matrixd_exec_t) + +type matrixd_var_t; +files_type(matrixd_var_t) + +type matrixd_log_t; +logging_log_file(matrixd_log_t) + +type matrixd_conf_t; +files_config_file(matrixd_conf_t) + +type matrixd_tmp_t; +files_tmp_file(matrixd_tmp_t) + + +# +# Local policy +# + +allow matrixd_t self:fifo_file rw_file_perms; +allow matrixd_t self:tcp_socket create_stream_socket_perms; +allow matrixd_t self:netlink_route_socket r_netlink_socket_perms; + +allow matrixd_t self:udp_socket create_socket_perms; +allow matrixd_t self:unix_dgram_socket create_socket_perms; +# execmem is needed for Python callbacks +# https://cffi.readthedocs.io/en/latest/using.html#callbacks +allow matrixd_t self:process execmem; + +allow matrixd_t matrixd_tmp_t:file { manage_file_perms map }; +files_tmp_filetrans(matrixd_t, matrixd_tmp_t, file) +fs_tmpfs_filetrans(matrixd_t, matrixd_tmp_t, file) + +manage_files_pattern(matrixd_t, matrixd_var_t, matrixd_var_t) +files_search_var_lib(matrixd_t) +allow matrixd_t matrixd_var_t:file map; +allow matrixd_t matrixd_var_t:dir manage_dir_perms; + +logging_search_logs(matrixd_t) +manage_files_pattern(matrixd_t, matrixd_log_t, matrixd_log_t) + +read_files_pattern(matrixd_t, matrixd_conf_t, matrixd_conf_t) +allow matrixd_t matrixd_conf_t:dir list_dir_perms; + +kernel_read_system_state(matrixd_t) +kernel_read_vm_overcommit_sysctl(matrixd_t) + +# The following in the systemd service file causes a domain transition when +# running python3: +# SELinuxContext=system_u:system_r:matrixd_t:s0 +corecmd_bin_entry_type(matrixd_t) 
+corecmd_exec_
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/
commit: 5ee13c254c0451f054558a0f22da48377311c551 Author: Chris PeBenito linux microsoft com> AuthorDate: Tue Feb 1 14:27:06 2022 + Commit: Jason Zaman gentoo org> CommitDate: Mon Feb 7 02:09:50 2022 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5ee13c25 domain: Allow lockdown for all domains. The checks for this class were removed in 5.16. This object class will be removed in the future. For more info: https://lore.kernel.org/selinux/163243191040.178880.4295195865966623164.stgit@olly Signed-off-by: Chris PeBenito linux.microsoft.com> Signed-off-by: Jason Zaman gentoo.org> policy/modules/kernel/domain.te | 5 + 1 file changed, 5 insertions(+) diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te index 00cea380..2eff1d34 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -103,6 +103,11 @@ kernel_dontaudit_link_key(domain) # create child processes in the domain allow domain self:process { fork sigchld }; +# lockdown checks were removed in 5.16. The class will be removed +# from the policy in the future. For reference: +# https://lore.kernel.org/selinux/163243191040.178880.4295195865966623164.stgit@olly +allow domain self:lockdown { integrity confidentiality }; + # glibc get_nprocs requires read access to /sys/devices/system/cpu/online dev_read_cpu_online(domain)
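Review bot: The added rule grants every domain both `integrity` and `confidentiality` lockdown permissions, and on a kernel older than 5.16 that still performs these checks this removes the SELinux-side lockdown restriction for all domains at once, not merely tidies a soon-to-be-removed class. The comment should say that explicitly so nobody reads it as a no-op: `# lockdown checks were removed in 5.16; on older kernels this rule lets every domain bypass lockdown. The class will be removed from the policy in the future.`. If the policy is still built for pre-5.16 kernels, consider making the rule conditional rather than unconditional.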
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/
commit: fccd438443de08a9d13f8795297efc63f0e6cd19 Author: Kenton Groombridge concord sh> AuthorDate: Thu Dec 2 18:32:04 2021 + Commit: Jason Zaman gentoo org> CommitDate: Sun Jan 30 01:12:42 2022 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=fccd4384 kernel: add filetrans interface for unlabeled dirs Signed-off-by: Kenton Groombridge concord.sh> Signed-off-by: Jason Zaman gentoo.org> policy/modules/kernel/kernel.if | 34 ++ 1 file changed, 34 insertions(+) diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if index 30aca9ae..4cd35959 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if @@ -2911,6 +2911,40 @@ interface(`kernel_dontaudit_read_unlabeled_files',` dontaudit $1 unlabeled_t:file { getattr read }; ') + +## +## Create an object in unlabeled directories +## with a private type. +## +## +## +## Domain allowed access. +## +## +## +## +## The type of the object to be created. +## +## +## +## +## The object class of the object being created. +## +## +## +## +## The name of the object being created. +## +## +# +interface(`kernel_unlabeled_filetrans',` + gen_require(` + type unlabeled_t; + ') + + filetrans_pattern($1, unlabeled_t, $2, $3, $4) +') + ## ## Delete unlabeled symbolic links.
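Review bot: `kernel_unlabeled_filetrans` necessarily grants the caller write access to `unlabeled_t` directories (filetrans_pattern presumably expands to add_name/write on the parent alongside the type_transition), and writing into unlabeled directories is usually a symptom of a labeling problem rather than something a domain should be handed; the description should flag that so the interface is not used to paper over missing file contexts. I would extend it to `## Create an object in unlabeled directories with a private type. Grants write access to unlabeled_t directories; prefer fixing the labeling.`. The commit also names no consumer, so the intended use case is unclear.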
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/
commit: 6b169e5b3fea0ec900448db18586475269f21612 Author: Jason Zaman gentoo org> AuthorDate: Sat Nov 20 22:44:53 2021 + Commit: Jason Zaman gentoo org> CommitDate: Sun Nov 21 22:38:58 2021 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6b169e5b selinux: Add map perms Lots of libselinux functions now map /sys/fs/selinux/status so add map perms to other interfaces as well. $ passwd user1 passwd: avc.c:73: avc_context_to_sid_raw: Assertion `avc_running' failed. Aborted avc: denied { map } for pid=325 comm="passwd" path="/sys/fs/selinux/status" dev="selinuxfs" ino=19 scontext=root: sysadm_r:passwd_t tcontext=system_u:object_r:security_t tclass=file permissive=1 Signed-off-by: Jason Zaman gentoo.org> policy/modules/kernel/selinux.if | 18 +- policy/modules/kernel/selinux.te | 8 2 files changed, 13 insertions(+), 13 deletions(-) diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if index 13aa1e05..cb610c44 100644 --- a/policy/modules/kernel/selinux.if +++ b/policy/modules/kernel/selinux.if @@ -295,7 +295,7 @@ interface(`selinux_get_enforce_mode',` dev_search_sysfs($1) allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file read_file_perms; + allow $1 security_t:file mmap_read_file_perms; ') @@ -363,7 +363,7 @@ interface(`selinux_read_policy',` dev_search_sysfs($1) allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file read_file_perms; + allow $1 security_t:file mmap_read_file_perms; allow $1 security_t:security read_policy; ') @@ -533,7 +533,7 @@ interface(`selinux_validate_context',` dev_search_sysfs($1) allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file rw_file_perms; + allow $1 security_t:file mmap_rw_file_perms; allow $1 security_t:security check_context; ') 
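Review bot: Each changed interface now includes `map` on every `security_t` file because libselinux mmaps `/sys/fs/selinux/status`, as the commit message explains, but nothing in selinux.if records that reason; a maintainer seeing `mmap_rw_file_perms` on the validate-context and setenforce paths will wonder why. I would add a comment above the first changed line, e.g. in `selinux_get_enforce_mode`: `# libselinux mmaps /sys/fs/selinux/status (selinux_status_open)`. Note that `map` applies to all of security_t, not only the status page, since selinuxfs is a single type; that is unavoidable but worth stating in the same comment.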
@@ -554,7 +554,7 @@ interface(`selinux_dontaudit_validate_context',` ') dontaudit $1 security_t:dir list_dir_perms; - dontaudit $1 security_t:file rw_file_perms; + dontaudit $1 security_t:file mmap_rw_file_perms; dontaudit $1 security_t:security check_context; ') @@ -577,7 +577,7 @@ interface(`selinux_compute_access_vector',` dev_search_sysfs($1) allow $1 self:netlink_selinux_socket create_socket_perms; allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file rw_file_perms; + allow $1 security_t:file mmap_rw_file_perms; allow $1 security_t:security compute_av; ') @@ -599,7 +599,7 @@ interface(`selinux_compute_create_context',` dev_search_sysfs($1) allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file rw_file_perms; + allow $1 security_t:file mmap_rw_file_perms; allow $1 security_t:security compute_create; ') @@ -621,7 +621,7 @@ interface(`selinux_compute_member',` dev_search_sysfs($1) allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file rw_file_perms; + allow $1 security_t:file mmap_rw_file_perms; allow $1 security_t:security compute_member; ') @@ -651,7 +651,7 @@ interface(`selinux_compute_relabel_context',` dev_search_sysfs($1) allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file rw_file_perms; + allow $1 security_t:file mmap_rw_file_perms; allow $1 security_t:security compute_relabel; ') @@ -672,7 +672,7 @@ interface(`selinux_compute_user_contexts',` dev_search_sysfs($1) allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file rw_file_perms; + allow $1 security_t:file mmap_rw_file_perms; allow $1 security_t:security compute_user; ') diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te index 0726fc44..707517e5 100644 --- a/policy/modules/kernel/selinux.te +++ b/policy/modules/kernel/selinux.te 
@@ -53,7 +53,7 @@ genfscon securityfs / gen_context(system_u:object_r:security_t,s0) neverallow ~{ selinux_unconfined_type can_setenforce } security_t:security setenforce; allow can_setenforce security_t:dir list_dir_perms; -allow can_setenforce security_t:file rw_file_perms; +allow can_setenforce security_t:file mmap_rw_file_perms; dev_search_sysfs(can_setenforce) @@ -71,7 +71,7 @@ if(secure_mode_policyload) { neverallow ~{ selinux_unconfined_type can_load_policy } security_t:security load_policy; allow can_load_policy security_t:dir list_dir_perms; -allow can_load_policy security_t:file rw_file_perms; +allow can_load_policy security_t:file mmap_rw_file_perms; dev_search_sysfs(can_load_policy) @@ -89,7 +89,7 @@ if(secure_mode_policyload) { neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security setsecparam; allow can_setsecparam security_t:dir list_dir_perms; -allow can_s
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/
commit: 0d8e0e0ca09e015b84f3bcfd371d0f3ba3818eec Author: Jonathan Davies protonmail com> AuthorDate: Sun Nov 21 09:39:33 2021 + Commit: Jason Zaman gentoo org> CommitDate: Sun Nov 21 19:21:13 2021 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0d8e0e0c corecommands.if: Added corecmd_manage_bin_symlinks(). Signed-off-by: Jonathan Davies protonmail.com> Signed-off-by: Jason Zaman gentoo.org> policy/modules/kernel/corecommands.if | 19 +++ 1 file changed, 19 insertions(+) diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if index b20809ef..e5633704 100644 --- a/policy/modules/kernel/corecommands.if +++ b/policy/modules/kernel/corecommands.if @@ -333,6 +333,25 @@ interface(`corecmd_manage_bin_files',` manage_files_pattern($1, bin_t, bin_t) ') + +## +## Manage symlinks for bin files. +## +## +## +## Domain allowed access. +## +## +# +interface(`corecmd_manage_bin_symlinks',` + gen_require(` + type bin_t; + ') + + corecmd_search_bin($1) + manage_lnk_files_pattern($1, bin_t, bin_t) +') + ## ## Relabel to and from the bin type.
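Review bot: The summary `Manage symlinks for bin files.` undersells what corecmd_manage_bin_symlinks grants: a domain that can create and delete bin_t symlinks can change which executable a bin_t path resolves to, which for code-integrity purposes is close to being able to replace binaries even though no write to bin_t files is allowed here. I would add a caveat to the description, e.g. `## Intended for package managers and installers; this allows redirecting bin_t paths to arbitrary targets.`, so the interface is not reached for as a convenience by ordinary daemons.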
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/services/, policy/modules/system/, ...
commit: b2361fcf03d445e6710bd4ab3ba3b171fdb4ef7b Author: Chris PeBenito ieee org> AuthorDate: Mon Nov 15 20:34:27 2021 + Commit: Jason Zaman gentoo org> CommitDate: Sat Nov 20 22:58:24 2021 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b2361fcf various: Module version bump. Signed-off-by: Chris PeBenito ieee.org> Signed-off-by: Jason Zaman gentoo.org> policy/modules/admin/rpm.te | 2 +- policy/modules/admin/tmpreaper.te | 2 +- policy/modules/kernel/corenetwork.te.in | 2 +- policy/modules/kernel/mcs.te| 2 +- policy/modules/services/policykit.te| 2 +- policy/modules/services/postfix.te | 2 +- policy/modules/services/watchdog.te | 2 +- policy/modules/system/init.te | 2 +- policy/modules/system/systemd.te| 2 +- policy/modules/system/udev.te | 2 +- policy/modules/system/unconfined.te | 2 +- 11 files changed, 11 insertions(+), 11 deletions(-) diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te index 6823e6e3..6545e471 100644 --- a/policy/modules/admin/rpm.te +++ b/policy/modules/admin/rpm.te @@ -1,4 +1,4 @@ -policy_module(rpm, 1.26.0) +policy_module(rpm, 1.26.1) # diff --git a/policy/modules/admin/tmpreaper.te b/policy/modules/admin/tmpreaper.te index 1acefd7f..1a2a3036 100644 --- a/policy/modules/admin/tmpreaper.te +++ b/policy/modules/admin/tmpreaper.te @@ -1,4 +1,4 @@ -policy_module(tmpreaper, 1.9.0) +policy_module(tmpreaper, 1.9.1) # diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in index 9deaa2ed..c1bd804a 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -1,4 +1,4 @@ -policy_module(corenetwork, 1.29.0) +policy_module(corenetwork, 1.29.1) # diff --git a/policy/modules/kernel/mcs.te b/policy/modules/kernel/mcs.te index 2da98c25..3bb823f4 100644 --- a/policy/modules/kernel/mcs.te +++ b/policy/modules/kernel/mcs.te @@ -1,4 +1,4 @@ -policy_module(mcs, 1.3.0) +policy_module(mcs, 1.3.1) # 
diff --git a/policy/modules/services/policykit.te b/policy/modules/services/policykit.te index f03614d0..2119b8de 100644 --- a/policy/modules/services/policykit.te +++ b/policy/modules/services/policykit.te @@ -1,4 +1,4 @@ -policy_module(policykit, 1.12.1) +policy_module(policykit, 1.12.2) # diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te index b6a9bb6b..6d071347 100644 --- a/policy/modules/services/postfix.te +++ b/policy/modules/services/postfix.te @@ -1,4 +1,4 @@ -policy_module(postfix, 1.25.1) +policy_module(postfix, 1.25.2) # diff --git a/policy/modules/services/watchdog.te b/policy/modules/services/watchdog.te index ab9d9458..5b3c8889 100644 --- a/policy/modules/services/watchdog.te +++ b/policy/modules/services/watchdog.te @@ -1,4 +1,4 @@ -policy_module(watchdog, 1.16.0) +policy_module(watchdog, 1.16.1) # # diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index 565b7cb7..3802f575 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -1,4 +1,4 @@ -policy_module(init, 2.11.0) +policy_module(init, 2.11.1) gen_require(` class passwd rootok; diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index 118158e4..4233da20 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -1,4 +1,4 @@ -policy_module(systemd, 1.12.2) +policy_module(systemd, 1.12.3) # # diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te index a13dff43..cbc8c0dc 100644 --- a/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te @@ -1,4 +1,4 @@ -policy_module(udev, 1.30.1) +policy_module(udev, 1.30.2) # diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te index a23a1037..95d08889 100644 --- a/policy/modules/system/unconfined.te +++ b/policy/modules/system/unconfined.te @@ -1,4 +1,4 @@ -policy_module(unconfined, 3.16.1) +policy_module(unconfined, 3.16.2) #
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/
commit: d153318cce412ac7ca5bebf1c80a675e33b2065f Author: Kenton Groombridge concord sh> AuthorDate: Wed Oct 13 17:38:09 2021 + Commit: Jason Zaman gentoo org> CommitDate: Sat Nov 20 22:58:24 2021 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d153318c corenet: make netlabel_peer_t mcs constrained Signed-off-by: Kenton Groombridge concord.sh> Signed-off-by: Jason Zaman gentoo.org> policy/modules/kernel/corenetwork.te.in | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in index 2ab19f55..9deaa2ed 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -53,6 +53,7 @@ network_packet_simple(icmp) # type netlabel_peer_t; sid netmsg gen_context(system_u:object_r:netlabel_peer_t,mls_systemhigh) +mcs_constrained(netlabel_peer_t) # # port_t is the default type of INET port numbers.
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/services/, policy/, ...
commit: 89cbc037a65cd4e6871a32337bb9f0e1c1f4dc95 Author: Kenton Groombridge concord sh> AuthorDate: Wed Oct 13 17:36:25 2021 + Commit: Jason Zaman gentoo org> CommitDate: Sat Nov 20 22:58:24 2021 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=89cbc037 various: deprecate mcs override interfaces Signed-off-by: Kenton Groombridge concord.sh> Signed-off-by: Jason Zaman gentoo.org> policy/mcs | 2 +- policy/modules/admin/rpm.te | 2 -- policy/modules/admin/tmpreaper.te| 2 -- policy/modules/kernel/mcs.if | 24 policy/modules/services/policykit.te | 2 -- policy/modules/services/postfix.te | 10 -- policy/modules/services/watchdog.te | 2 -- policy/modules/system/init.te| 6 -- policy/modules/system/systemd.te | 1 - policy/modules/system/udev.te| 2 -- policy/modules/system/unconfined.te | 3 --- 11 files changed, 5 insertions(+), 51 deletions(-) diff --git a/policy/mcs b/policy/mcs index cc922a02..c8c573e9 100644 --- a/policy/mcs +++ b/policy/mcs @@ -173,7 +173,7 @@ mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind # because the subject in this particular case is the remote domain which is # writing data out the network node which is acting as the object mlsconstrain { node } { recvfrom sendto } - (( l1 dom l2 ) or ( t1 != msc_constrained_type )); + (( l1 dom l2 ) or ( t1 != mcs_constrained_type )); mlsconstrain { packet peer } { recv } (( l1 dom l2 ) or diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te index 860207e5..6823e6e3 100644 --- a/policy/modules/admin/rpm.te +++ b/policy/modules/admin/rpm.te @@ -313,8 +313,6 @@ fs_mount_xattr_fs(rpm_script_t) fs_unmount_xattr_fs(rpm_script_t) fs_search_auto_mountpoints(rpm_script_t) -mcs_killall(rpm_script_t) - mls_file_read_all_levels(rpm_script_t) mls_file_write_all_levels(rpm_script_t) diff --git a/policy/modules/admin/tmpreaper.te b/policy/modules/admin/tmpreaper.te index f4ce8dba..1acefd7f 100644 --- a/policy/modules/admin/tmpreaper.te +++ b/policy/modules/admin/tmpreaper.te 
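Review bot: The one-line change to policy/mcs is a behavioural fix riding along with a deprecation commit: `t1 != msc_constrained_type` becomes `t1 != mcs_constrained_type`, and if the old spelling did not name the real attribute then the `node { recvfrom sendto }` constraint was not doing what it appears to do and now becomes enforced for every mcs_constrained domain. That deserves its own sentence in the commit message (ideally its own commit) so that anyone bisecting a new MCS denial on node sendto/recvfrom finds it. I cannot tell from this hunk whether `msc_constrained_type` was declared anywhere; if it was, that now-dead attribute should be removed in the same series.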
@@ -34,8 +34,6 @@ files_read_var_lib_files(tmpreaper_t) files_purge_tmp(tmpreaper_t) files_setattr_all_tmp_dirs(tmpreaper_t) -mcs_file_read_all(tmpreaper_t) -mcs_file_write_all(tmpreaper_t) mls_file_read_all_levels(tmpreaper_t) mls_file_write_all_levels(tmpreaper_t) diff --git a/policy/modules/kernel/mcs.if b/policy/modules/kernel/mcs.if index eb4bcfcb..55b5a7fe 100644 --- a/policy/modules/kernel/mcs.if +++ b/policy/modules/kernel/mcs.if @@ -44,11 +44,7 @@ interface(`mcs_constrained',` ## # interface(`mcs_file_read_all',` - gen_require(` - attribute mcsreadall; - ') - - typeattribute $1 mcsreadall; + refpolicywarn(`$0() has been deprecated, please remove mcs_constrained() instead.') ') @@ -64,11 +60,7 @@ interface(`mcs_file_read_all',` ## # interface(`mcs_file_write_all',` - gen_require(` - attribute mcswriteall; - ') - - typeattribute $1 mcswriteall; + refpolicywarn(`$0() has been deprecated, please remove mcs_constrained() instead.') ') @@ -84,11 +76,7 @@ interface(`mcs_file_write_all',` ## # interface(`mcs_killall',` - gen_require(` - attribute mcskillall; - ') - - typeattribute $1 mcskillall; + refpolicywarn(`$0() has been deprecated, please remove mcs_constrained() instead.') ') @@ -104,11 +92,7 @@ interface(`mcs_killall',` ## # interface(`mcs_ptrace_all',` - gen_require(` - attribute mcsptraceall; - ') - - typeattribute $1 mcsptraceall; + refpolicywarn(`$0() has been deprecated, please remove mcs_constrained() instead.') ') diff --git a/policy/modules/services/policykit.te b/policy/modules/services/policykit.te index 7e00d524..f03614d0 100644 --- a/policy/modules/services/policykit.te +++ b/policy/modules/services/policykit.te @@ -267,8 +267,6 @@ can_exec(policykit_resolve_t, policykit_resolve_exec_t) domtrans_pattern(policykit_resolve_t, policykit_auth_exec_t, policykit_auth_t) -mcs_ptrace_all(policykit_resolve_t) - auth_use_nsswitch(policykit_resolve_t) userdom_read_all_users_state(policykit_resolve_t) 
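Review bot: The deprecation text in the mcs.if stubs, `$0() has been deprecated, please remove mcs_constrained() instead.`, is easy to misread as an instruction to delete a call; the intent, judging from the constraint form changed elsewhere in this commit, is that the override is now implicit for any type that is not mcs_constrained, so the caller should drop mcs_constrained() from that type. Suggested wording: "$0() has been deprecated; MCS overrides are implied for types that are not mcs_constrained(), so remove mcs_constrained() from the type instead." Note that the stubs no longer touch `$1`, so a type that is both mcs_constrained and a former mcs_killall/mcs_ptrace_all caller will start getting MCS denials at runtime with only a build-time warning to explain it.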
diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te index 98416368..b6a9bb6b 100644 --- a/policy/modules/services/postfix.te +++ b/policy/modules/services/postfix.te @@ -292,8 +292,6 @@ domain_use_interactive_fds(postfix_master_t) files_search_tmp(postfix_master_t) -mcs_file_read_all(postfix_master_t) - term_dontaudit_search_ptys(postfix_master_t) hostname_exec(postfix_master_t) @@ -568,9 +566,6 @@ allow postfix_pickup_t postfix_s
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/
commit: 419815b880c47346496b204e90499ace61984606 Author: Kenton Groombridge concord sh> AuthorDate: Mon Nov 1 17:01:43 2021 + Commit: Jason Zaman gentoo org> CommitDate: Thu Nov 11 21:26:50 2021 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=419815b8 devices: make usbfs pseudofs instead of noxattrfs Signed-off-by: Kenton Groombridge concord.sh> Signed-off-by: Jason Zaman gentoo.org> policy/modules/kernel/devices.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te index 56783d53..5a06ea82 100644 --- a/policy/modules/kernel/devices.te +++ b/policy/modules/kernel/devices.te @@ -306,7 +306,7 @@ dev_node(urandom_device_t) # type usbfs_t; files_mountpoint(usbfs_t) -fs_noxattr_type(usbfs_t) +fs_pseudo_type(usbfs_t) genfscon usbfs / gen_context(system_u:object_r:usbfs_t,s0) genfscon usbdevfs / gen_context(system_u:object_r:usbfs_t,s0)
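Review bot: Moving usbfs_t from fs_noxattr_type to fs_pseudo_type drops it from the noxattrfs attribute, so any domain whose usbfs access came through the generic noxattrfs interfaces (the fs_*_noxattr_fs_* family, if I recall refpolicy's naming) loses it with this one-line change, and the commit message does not say so. Please state the intent above the changed line, e.g. `# usbfs is a kernel pseudo filesystem and must not be reachable via noxattrfs rules`, or mention in the description which callers were checked. If no domain relied on noxattrfs for usbfs, a sentence saying that is enough.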
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/
commit: c428d96914b347500d42a2e959950845d52512e6 Author: Kenton Groombridge concord sh> AuthorDate: Mon Nov 1 17:01:20 2021 + Commit: Jason Zaman gentoo org> CommitDate: Thu Nov 11 21:26:50 2021 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c428d969 fs: add pseudofs attribute and interfaces Signed-off-by: Kenton Groombridge concord.sh> Signed-off-by: Jason Zaman gentoo.org> policy/modules/kernel/filesystem.if | 21 + policy/modules/kernel/filesystem.te | 3 ++- 2 files changed, 23 insertions(+), 1 deletion(-) diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if index 22759baa..1c7beefd 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -43,6 +43,27 @@ interface(`fs_noxattr_type',` typeattribute $1 noxattrfs; ') + +## +## Transform specified type into a filesystem +## type which is a pseudo filesystem. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_pseudo_type',` + gen_require(` + attribute pseudofs; + ') + + fs_type($1) + + typeattribute $1 pseudofs; +') + ## ## Transform specified type into a filesystem diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te index 81a32650..ddd10c2a 100644 --- a/policy/modules/kernel/filesystem.te +++ b/policy/modules/kernel/filesystem.te @@ -9,6 +9,7 @@ attribute filesystem_image_file_type; attribute filesystem_type; attribute filesystem_unconfined_type; attribute noxattrfs; +attribute pseudofs; attribute xattrfs; ## @@ -104,7 +105,7 @@ files_mountpoint(ecryptfs_t) genfscon ecryptfs / gen_context(system_u:object_r:ecryptfs_t,s0) type efivarfs_t; -fs_noxattr_type(efivarfs_t) +fs_pseudo_type(efivarfs_t) files_mountpoint(efivarfs_t) genfscon efivarfs / gen_context(system_u:object_r:efivarfs_t,s0)
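Review bot: The parameter description for the new fs_pseudo_type interface reads `Domain allowed access.`, which is wrong for a type-transforming interface — the argument is a filesystem type, not a subject; change it to `Type to be transformed into a pseudo filesystem type.`, matching what fs_noxattr_type/fs_xattr_type presumably say. The `pseudofs` attribute has no rules attached in this commit, so right now it is purely declarative; a comment on the attribute stating the intended contract (e.g. `# pseudo filesystems generated by the kernel; no persistent labels`) would keep later callers from guessing what qualifies. The same hunk also moves efivarfs_t out of noxattrfs, which removes it from any noxattrfs-based rules — worth a mention in the description, as for usbfs.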
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/
commit: c3d38164d58c31023e6277a742708e11ee537ec7 Author: Christian Göttsche googlemail com> AuthorDate: Wed Oct 27 19:18:27 2021 + Commit: Jason Zaman gentoo org> CommitDate: Thu Nov 11 21:26:50 2021 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c3d38164 filesystem: add fs_use_trans for ramfs Enable extended attributes for inodes on ramfs filesystems, similar to tmpfs filesystems. For example systemd uses ramfs for service credentials[1], and xattr support is needed for per service based labeling[2]. [1]: https://www.freedesktop.org/software/systemd/man/systemd-creds.html [2]: https://github.com/systemd/systemd/pull/21158 Signed-off-by: Christian Göttsche googlemail.com> Signed-off-by: Jason Zaman gentoo.org> policy/modules/kernel/filesystem.te | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te index b12c65b8..81a32650 100644 --- a/policy/modules/kernel/filesystem.te +++ b/policy/modules/kernel/filesystem.te @@ -156,9 +156,9 @@ dev_associate_sysfs(pstore_t) genfscon pstore / gen_context(system_u:object_r:pstore_t,s0) type ramfs_t; -fs_type(ramfs_t) +fs_xattr_type(ramfs_t) files_mountpoint(ramfs_t) -genfscon ramfs / gen_context(system_u:object_r:ramfs_t,s0) +fs_use_trans ramfs gen_context(system_u:object_r:ramfs_t,s0); type romfs_t; fs_type(romfs_t)
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/
commit: c2cd4a6f79b4949857e4a4bd68bef6ea1496a255 Author: Markus Linnala cybercom com> AuthorDate: Tue Jun 29 12:32:56 2021 + Commit: Jason Zaman gentoo org> CommitDate: Sun Sep 5 14:26:44 2021 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c2cd4a6f policy: files: files_get_etc_unit_status/files_{start,stop}_etc_service: fix require Signed-off-by: Markus Linnala cybercom.com> Signed-off-by: Jason Zaman gentoo.org> policy/modules/kernel/files.if | 3 +++ 1 file changed, 3 insertions(+) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index 83f8b3f4..f772bfe8 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -3228,6 +3228,7 @@ interface(`files_exec_etc_files',` interface(`files_get_etc_unit_status',` gen_require(` type etc_t; + class service status; ') allow $1 etc_t:service status; @@ -3246,6 +3247,7 @@ interface(`files_get_etc_unit_status',` interface(`files_start_etc_service',` gen_require(` type etc_t; + class service start; ') allow $1 etc_t:service start; @@ -3264,6 +3266,7 @@ interface(`files_start_etc_service',` interface(`files_stop_etc_service',` gen_require(` type etc_t; + class service stop; ') allow $1 etc_t:service stop;
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/
commit: 2ecd4fac78c9825154992be76dd941c2386deff4 Author: Jonathan Davies protonmail com> AuthorDate: Tue Jul 6 14:52:27 2021 + Commit: Jason Zaman gentoo org> CommitDate: Sun Sep 5 14:26:44 2021 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2ecd4fac devices.fc: Added missing Xen character files. Signed-off-by: Jonathan Davies protonmail.com> Signed-off-by: Jason Zaman gentoo.org> policy/modules/kernel/devices.fc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc index a167126d..bd08f81d 100644 --- a/policy/modules/kernel/devices.fc +++ b/policy/modules/kernel/devices.fc @@ -198,8 +198,10 @@ ifdef(`distro_suse', ` /dev/xen/evtchn-c gen_context(system_u:object_r:xen_device_t,s0) /dev/xen/gntdev-c gen_context(system_u:object_r:xen_device_t,s0) /dev/xen/gntalloc -c gen_context(system_u:object_r:xen_device_t,s0) +/dev/xen/hypercall -c gen_context(system_u:object_r:xen_device_t,s0) /dev/xen/privcmd -c gen_context(system_u:object_r:xen_device_t,s0) /dev/xen/xenbus-c gen_context(system_u:object_r:xen_device_t,s0) +/dev/xen/xenbus_backend-c gen_context(system_u:object_r:xen_device_t,s0) ifdef(`distro_debian',` # this is a static /dev dir "backup mount"
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/
commit: 190cf9a6768816df3af34f6e991c5768da97c759 Author: Chris PeBenito ieee org> AuthorDate: Fri Mar 19 19:39:38 2021 + Commit: Jason Zaman gentoo org> CommitDate: Fri Apr 2 18:54:58 2021 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=190cf9a6 selinux: Add dontaudits when secure mode Booleans are enabled. Signed-off-by: Chris PeBenito ieee.org> Signed-off-by: Jason Zaman gentoo.org> policy/modules/kernel/selinux.if | 13 +++-- policy/modules/kernel/selinux.te | 20 2 files changed, 27 insertions(+), 6 deletions(-) diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if index 1a750a62..8225d499 100644 --- a/policy/modules/kernel/selinux.if +++ b/policy/modules/kernel/selinux.if @@ -400,7 +400,10 @@ interface(`selinux_set_generic_booleans',` allow $1 security_t:dir list_dir_perms; allow $1 boolean_t:file read_file_perms; - if(!secure_mode_setbool) { + if(secure_mode_setbool) { + dontaudit $1 { boolean_t security_t }:file write_file_perms; + dontaudit $1 security_t:security setbool; + } else { allow $1 { boolean_t security_t }:file write_file_perms; allow $1 security_t:security setbool; } @@ -441,7 +444,11 @@ interface(`selinux_set_all_booleans',` allow $1 boolean_type:file read_file_perms; allow $1 secure_mode_policyload_t:file read_file_perms; - if (!secure_mode_setbool) { + if (secure_mode_setbool) { + dontaudit $1 security_t:security setbool; + dontaudit $1 security_t:file write_file_perms; + dontaudit $1 { boolean_type -secure_mode_policyload_t }:file write_file_perms; + } else { allow $1 security_t:security setbool; allow $1 security_t:file write_file_perms; allow $1 { boolean_type -secure_mode_policyload_t }:file write_file_perms; @@ -449,6 +456,8 @@ interface(`selinux_set_all_booleans',` if(!secure_mode_policyload && !secure_mode_setbool) { allow $1 secure_mode_policyload_t:file write_file_perms; + } else { + dontaudit $1 secure_mode_policyload_t:file write_file_perms; } ') 
diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te index 5bca43d3..ffe86460 100644 --- a/policy/modules/kernel/selinux.te +++ b/policy/modules/kernel/selinux.te @@ -57,7 +57,9 @@ allow can_setenforce security_t:file rw_file_perms; dev_search_sysfs(can_setenforce) -if(!secure_mode_policyload) { +if(secure_mode_policyload) { + dontaudit can_setenforce security_t:security setenforce; +} else { allow can_setenforce security_t:security setenforce; } @@ -73,7 +75,9 @@ allow can_load_policy security_t:file rw_file_perms; dev_search_sysfs(can_load_policy) -if(!secure_mode_policyload) { +if(secure_mode_policyload) { + dontaudit can_load_policy security_t:security load_policy; +} else { allow can_load_policy security_t:security load_policy; } @@ -104,18 +108,26 @@ allow selinux_unconfined_type boolean_type:file read_file_perms; # Access the security API. allow selinux_unconfined_type security_t:security { compute_av compute_create compute_member check_context compute_relabel compute_user setsecparam setcheckreqprot read_policy validate_trans }; -if (!secure_mode_policyload) { +if (secure_mode_policyload) { + dontaudit selinux_unconfined_type security_t:security { load_policy setenforce }; +} else { allow selinux_unconfined_type security_t:security { load_policy setenforce }; } -if (!secure_mode_setbool) { +if (secure_mode_setbool) { + dontaudit selinux_unconfined_type security_t:security setbool; +} else { allow selinux_unconfined_type security_t:security setbool; } if (secure_mode_policyload && !secure_mode_setbool) { allow selinux_unconfined_type { boolean_type -secure_mode_policyload_t }:file write_file_perms; +} else { + dontaudit selinux_unconfined_type { boolean_type -secure_mode_policyload_t }:file write_file_perms; } if (!secure_mode_policyload && !secure_mode_setbool) { allow selinux_unconfined_type boolean_type:file write_file_perms; +} else { + dontaudit selinux_unconfined_type boolean_type:file write_file_perms; }
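Review bot: The new `else` branches in selinux.te dontaudit exactly the operations the secure_mode Booleans exist to block — `load_policy`, `setenforce` and `setbool` by can_load_policy, can_setenforce and selinux_unconfined_type — so a system running with secure_mode_policyload=true will no longer log an attempt to load policy or change enforcing mode, which is arguably the one AVC the operator of such a system wants to see. The dontaudit is reasonable for the `boolean_type:file write_file_perms` noise from tools like setsebool, but I would leave `security_t:security { load_policy setenforce }` and `setbool` auditable, or at least record the trade-off next to the rule: `# dontaudit is deliberate: suppresses expected reload attempts; tampering is not logged in secure mode`. If the motivation is periodic reload attempts by init or systemd, say so in the commit message so the loss of signal is a documented decision.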
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/
commit: c4d506d919d9584fb61e3ebfce7ee718eb866b27 Author: Chris PeBenito ieee org> AuthorDate: Fri Mar 19 19:50:06 2021 + Commit: Jason Zaman gentoo org> CommitDate: Fri Apr 2 18:54:58 2021 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c4d506d9 kernel: Add dontaudits when secure_mode_insmod is enabled. Signed-off-by: Chris PeBenito ieee.org> Signed-off-by: Jason Zaman gentoo.org> policy/modules/kernel/files.if | 19 +++ policy/modules/kernel/kernel.te | 15 ++- 2 files changed, 33 insertions(+), 1 deletion(-) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index 0687a435..349b8696 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -4369,6 +4369,25 @@ interface(`files_load_kernel_modules',` allow $1 modules_object_t:system module_load; ') + +## +## Load kernel module files. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_dontaudit_load_kernel_modules',` + gen_require(` + type modules_object_t; + ') + + dontaudit $1 modules_object_t:file read_file_perms; + dontaudit $1 modules_object_t:system module_load; +') + ## ## List world-readable directories. diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te index c44f49ed..2bd3f924 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te 
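Review bot: The summary of the new files_dontaudit_load_kernel_modules interface was copied from files_load_kernel_modules and still says `Load kernel module files.`; for a dontaudit interface it should read `Do not audit attempts to load kernel module files.`, and the parameter description should be `Domain to not audit.` to match the refpolicy convention. The two rules themselves mirror the allow interface (`read_file_perms` on modules_object_t files and `module_load` on the system class), which is what the secure_mode_insmod branch in kernel.te calls for.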
@@ -497,7 +497,20 @@ optional_policy(` # Kernel module loading policy # -if( ! secure_mode_insmod ) { +if(secure_mode_insmod) { + dontaudit can_load_kernmodule self:capability sys_module; + dontaudit can_load_kernmodule self:system module_load; + + files_dontaudit_load_kernel_modules(can_load_kernmodule) + + # load_module() calls stop_machine() which + # calls sched_setscheduler() + # gt: there seems to be no trace of the above, at + # least in kernel versions greater than 2.6.37... + dontaudit can_load_kernmodule self:capability sys_nice; + dontaudit can_load_kernmodule kernel_t:process setsched; + dontaudit can_load_kernmodule kernel_t:key search; +} else { allow can_load_kernmodule self:capability sys_module; allow can_load_kernmodule self:system module_load;
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/
commit: 611eb9925f729ca91ddadfefa48fd0c0c39c24d9 Author: Chris PeBenito ieee org> AuthorDate: Sat Mar 27 18:21:06 2021 + Commit: Jason Zaman gentoo org> CommitDate: Fri Apr 2 18:54:58 2021 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=611eb992 files, kernel, selinux: Module version bump. Signed-off-by: Chris PeBenito ieee.org> Signed-off-by: Jason Zaman gentoo.org> policy/modules/kernel/files.te | 2 +- policy/modules/kernel/kernel.te | 2 +- policy/modules/kernel/selinux.te | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te index d97425eb..ff8f849a 100644 --- a/policy/modules/kernel/files.te +++ b/policy/modules/kernel/files.te @@ -1,4 +1,4 @@ -policy_module(files, 1.30.1) +policy_module(files, 1.30.2) # diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te index 2bd3f924..ea8196b6 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -1,4 +1,4 @@ -policy_module(kernel, 1.29.1) +policy_module(kernel, 1.29.2) # diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te index ffe86460..a9efb73b 100644 --- a/policy/modules/kernel/selinux.te +++ b/policy/modules/kernel/selinux.te @@ -1,4 +1,4 @@ -policy_module(selinux, 1.18.1) +policy_module(selinux, 1.18.2) #
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/
commit: b5550e17809acca324fa926671fad42be7aa5f73 Author: Chris PeBenito ieee org> AuthorDate: Fri Mar 19 19:04:12 2021 + Commit: Jason Zaman gentoo org> CommitDate: Fri Apr 2 18:54:58 2021 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b5550e17 selinux: Set regular file for labeled Booleans genfscons. Signed-off-by: Chris PeBenito ieee.org> Signed-off-by: Jason Zaman gentoo.org> policy/modules/kernel/selinux.if | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if index f8fcba98..1a750a62 100644 --- a/policy/modules/kernel/selinux.if +++ b/policy/modules/kernel/selinux.if @@ -40,7 +40,7 @@ interface(`selinux_labeled_boolean',` # because of this statement, any module which # calls this interface must be in the base module: - genfscon selinuxfs /booleans/$2 gen_context(system_u:object_r:$1,s0) + genfscon selinuxfs /booleans/$2 -- gen_context(system_u:object_r:$1,s0) ')
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/
commit: e9c469300bd10185540b0698ed074a98d86f4672 Author: Chris PeBenito ieee org> AuthorDate: Fri Mar 19 19:03:47 2021 + Commit: Jason Zaman gentoo org> CommitDate: Fri Apr 2 18:54:58 2021 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e9c46930 selinux: Change generic Boolean type to boolean_t. This will prevent other security_t writers from setting Boolean pending values, which could be activated unwittingly by setbool processes. Signed-off-by: Chris PeBenito ieee.org> Signed-off-by: Jason Zaman gentoo.org> policy/modules/kernel/selinux.if | 7 --- policy/modules/kernel/selinux.te | 5 - 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if index 21d22ded..f8fcba98 100644 --- a/policy/modules/kernel/selinux.if +++ b/policy/modules/kernel/selinux.if @@ -391,17 +391,17 @@ interface(`selinux_read_policy',` # interface(`selinux_set_generic_booleans',` gen_require(` - type security_t; + type boolean_t, security_t; bool secure_mode_setbool; ') dev_search_sysfs($1) allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file read_file_perms; + allow $1 boolean_t:file read_file_perms; if(!secure_mode_setbool) { - allow $1 security_t:file write_file_perms; + allow $1 { boolean_t security_t }:file write_file_perms; allow $1 security_t:security setbool; } ') @@ -443,6 +443,7 @@ interface(`selinux_set_all_booleans',` if (!secure_mode_setbool) { allow $1 security_t:security setbool; + allow $1 security_t:file write_file_perms; allow $1 { boolean_type -secure_mode_policyload_t }:file write_file_perms; } diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te index 71147210..5bca43d3 100644 --- a/policy/modules/kernel/selinux.te +++ b/policy/modules/kernel/selinux.te 
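Review bot: selinux_set_generic_booleans replaces `allow $1 security_t:file read_file_perms` with `boolean_t:file read_file_perms`, so a caller that was implicitly relying on this interface to read other selinuxfs nodes (for instance `status`, which I believe libselinux reads or maps during initialisation) now has to call selinux_get_enforce_mode or a similar dedicated interface itself. That looks intended, since the point of the commit is to keep Boolean nodes apart from the rest of security_t, but a sentence in the description such as `callers that read other selinuxfs files must use the dedicated interfaces` would stop someone from re-adding the broad read on the first denial. The write side is consistent: `{ boolean_t security_t }:file write_file_perms` still covers the Boolean node and whatever security_t node the commit step writes.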
@@ -26,6 +26,9 @@ attribute can_setenforce; attribute can_setsecparam; attribute selinux_unconfined_type; +type boolean_t, boolean_type; +genfscon selinuxfs /booleans/ -- gen_context(system_u:object_r:boolean_t,s0) + type secure_mode_policyload_t; selinux_labeled_boolean(secure_mode_policyload_t, secure_mode_policyload) @@ -34,7 +37,7 @@ selinux_labeled_boolean(secure_mode_policyload_t, secure_mode_policyload) # the permissions in the security class. It is also # applied to selinuxfs inodes. # -type security_t, boolean_type; +type security_t; files_mountpoint(security_t) fs_type(security_t) mls_trusted_object(security_t)
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/
commit: c12534ce37ed704aa6b0058c96e9c84ceb769653 Author: Chris PeBenito ieee org> AuthorDate: Fri Mar 12 14:57:36 2021 + Commit: Jason Zaman gentoo org> CommitDate: Sun Mar 21 21:38:23 2021 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c12534ce selinux: Module version bump. Signed-off-by: Chris PeBenito ieee.org> Signed-off-by: Jason Zaman gentoo.org> policy/modules/kernel/selinux.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te index a1b4ae3e..71147210 100644 --- a/policy/modules/kernel/selinux.te +++ b/policy/modules/kernel/selinux.te @@ -1,4 +1,4 @@ -policy_module(selinux, 1.18.0) +policy_module(selinux, 1.18.1) #
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/
commit: 0458f4e2ec20f27f0cdc6a29c91e62bb65865075 Author: Chris PeBenito ieee org> AuthorDate: Fri Mar 5 21:06:44 2021 + Commit: Jason Zaman gentoo org> CommitDate: Sun Mar 21 21:38:23 2021 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0458f4e2 selinux: Add a secure_mode_setbool Boolean. Enabling this will disable all permissions for setting SELinux Booleans, even for unconfined domains. This does not affect setenforce. Enable secure_mode_policyload along with secure_mode_setbool to fully lock the SELinux security interface. Signed-off-by: Chris PeBenito ieee.org> Signed-off-by: Jason Zaman gentoo.org> policy/modules/kernel/selinux.if | 19 +-- policy/modules/kernel/selinux.te | 30 +++--- 2 files changed, 36 insertions(+), 13 deletions(-) diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if index 43eebcd0..21d22ded 100644 --- a/policy/modules/kernel/selinux.if +++ b/policy/modules/kernel/selinux.if @@ -392,14 +392,18 @@ interface(`selinux_read_policy',` interface(`selinux_set_generic_booleans',` gen_require(` type security_t; + bool secure_mode_setbool; ') dev_search_sysfs($1) allow $1 security_t:dir list_dir_perms; - allow $1 security_t:file rw_file_perms; + allow $1 security_t:file read_file_perms; - allow $1 security_t:security setbool; + if(!secure_mode_setbool) { + allow $1 security_t:file write_file_perms; + allow $1 security_t:security setbool; + } ') 
@@ -428,18 +432,21 @@ interface(`selinux_set_all_booleans',`
gen_require(`
type security_t, secure_mode_policyload_t;
attribute boolean_type;
- bool secure_mode_policyload;
+ bool secure_mode_policyload, secure_mode_setbool;
')
dev_search_sysfs($1)
allow $1 security_t:dir list_dir_perms;
- allow $1 { boolean_type -secure_mode_policyload_t }:file rw_file_perms;
+ allow $1 boolean_type:file read_file_perms;
allow $1 secure_mode_policyload_t:file read_file_perms;
- allow $1 security_t:security setbool;
+ if (!secure_mode_setbool) {
+ allow $1 security_t:security setbool;
+ allow $1 { boolean_type -secure_mode_policyload_t }:file write_file_perms;
+ }
- if(!secure_mode_policyload) {
+ if(!secure_mode_policyload && !secure_mode_setbool) {
allow $1 secure_mode_policyload_t:file write_file_perms;
}
')
diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te
index 3e4f2000..a1b4ae3e 100644
--- a/policy/modules/kernel/selinux.te
+++ b/policy/modules/kernel/selinux.te
@@ -7,13 +7,19 @@ policy_module(selinux, 1.18.0)
##
##
-## Boolean to determine whether the system permits loading policy, setting
-## enforcing mode, and changing boolean values. Set this to true and you
-## have to reboot to set it back.
+## Boolean to determine whether the system permits loading policy, and setting
+## enforcing mode. Set this to true and you have to reboot to set it back.
##
##
gen_bool(secure_mode_policyload,false)
+##
+##
+## Boolean to determine whether the system permits setting Booelan values.
+##
+##
+gen_bool(secure_mode_setbool,false)
+
attribute boolean_type;
attribute can_load_policy;
attribute can_setenforce;
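Review bot: The description added for the new Boolean in the selinux.te `@@ -7,13 +7,19 @@` hunk misspells "Boolean" as "Booelan", and it omits the caveat the secure_mode_policyload text carries: once secure_mode_setbool is true no domain keeps `setbool`, so the Boolean cannot be cleared again from the running system. Suggested wording: `## Boolean to determine whether the system permits setting Boolean values. Set this to true and you have to reboot to set it back.` The two selinux.if hunks are consistent with that reading, since selinux_set_generic_booleans and selinux_set_all_booleans both gate `setbool` on the same Boolean.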
@@ -91,12 +97,22 @@ dev_search_sysfs(can_setsecparam)
allow selinux_unconfined_type security_t:dir list_dir_perms;
allow selinux_unconfined_type security_t:file rw_file_perms;
allow selinux_unconfined_type boolean_type:file read_file_perms;
-allow selinux_unconfined_type { boolean_type -secure_mode_policyload_t }:file write_file_perms;
# Access the security API.
-allow selinux_unconfined_type security_t:security { compute_av compute_create compute_member check_context compute_relabel compute_user setbool setsecparam setcheckreqprot read_policy validate_trans };
+allow selinux_unconfined_type security_t:security { compute_av compute_create compute_member check_context compute_relabel compute_user setsecparam setcheckreqprot read_policy validate_trans };
-if(!secure_mode_policyload) {
+if (!secure_mode_policyload) {
allow selinux_unconfined_type security_t:security { load_policy setenforce };
- allow selinux_unconfined_type secure_mode_policyload_t:file write_file_perms;
+}
+
+if (!secure_mode_setbool) {
+ allow selinux_unconfined_type security_t:security setbool;
+}
+
+if (secure_mode_policyload && !secure_mode_setbool) {
+ allow selinux_unconfined_type { boolean_type -secure_mode_policyload_t }:file write_file_perms;
+}
+
+if (!secure_mode_policyload && !secure_mode_setbool) {
+ allow selinux_unconfined_type boolean_type:file write_file_perms;
}
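Review bot: The last two conditional blocks in this hunk split on secure_mode_policyload only so that the second branch can widen `{ boolean_type -secure_mode_policyload_t }` back to `boolean_type`; the same access can be expressed as one `!secure_mode_setbool` block granting the subtracted set plus a `!secure_mode_policyload && !secure_mode_setbool` block granting only `secure_mode_policyload_t`, which is exactly the shape selinux_set_all_booleans takes in the selinux.if `@@ -428` hunk. Assuming secure_mode_policyload_t carries the boolean_type attribute, which the `-secure_mode_policyload_t` subtraction implies, the granted set is identical for every combination of the two Booleans. This is a readability and consistency point rather than a defect.
```selinux
if (!secure_mode_setbool) {
	allow selinux_unconfined_type security_t:security setbool;
	allow selinux_unconfined_type { boolean_type -secure_mode_policyload_t }:file write_file_perms;
}

if (!secure_mode_policyload && !secure_mode_setbool) {
	allow selinux_unconfined_type secure_mode_policyload_t:file write_file_perms;
}
```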
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/
commit: 722e26ffd25c220056e1cdb1b48b14f95011ba1f Author: Krzysztof Nowicki op pl> AuthorDate: Wed Feb 3 09:00:35 2021 + Commit: Jason Zaman gentoo org> CommitDate: Mon Feb 15 19:49:24 2021 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=722e26ff Enable factory directory support in systemd-tmpfilesd /usr/share/factory serves as a template directory for systemd-tmpfilesd. The copy (C) and link (L) commands can utilize this directory as a default source for files, which should be placed in the filesystem. This behaiour is controlled via a tunable as it gives systemd-tmpfilesd manage permissions over etc, which could be considered as a security risk. Relevant denials are silenced in case the policy is disabled. Signed-off-by: Krzysztof Nowicki op.pl> Signed-off-by: Jason Zaman gentoo.org> policy/modules/kernel/files.if | 20 policy/modules/system/systemd.fc | 2 ++ policy/modules/system/systemd.te | 24 3 files changed, 46 insertions(+)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index b493a4a1..55fbf783 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -3119,6 +3119,26 @@ interface(`files_manage_etc_files',`
read_lnk_files_pattern($1, etc_t, etc_t)
')
+
+##
+## Do not audit attempts to create, read, write,
+## and delete generic files in /etc.
+##
+##
+##
+## Domain to not audit.
+##
+##
+##
+#
+interface(`files_dontaudit_manage_etc_files',`
+ gen_require(`
+ type etc_t;
+ ')
+
+ dontaudit $1 etc_t:file manage_file_perms;
+')
+
##
## Delete system configuration files in /etc.
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index f88fdfb4..8dcae1a9 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -55,6 +55,8 @@
/usr/lib/systemd/system/systemd-rfkill.* -- gen_context(system_u:object_r:systemd_rfkill_unit_t,s0)
/usr/lib/systemd/system/systemd-socket-proxyd\.service -- gen_context(system_u:object_r:systemd_socket_proxyd_unit_file_t,s0)
+/usr/share/factory(/.*)? gen_context(system_u:object_r:systemd_factory_conf_t,s0)
+
/var/\.updated -- gen_context(system_u:object_r:systemd_update_run_t,s0)
/var/lib/systemd/backlight(/.*)? gen_context(system_u:object_r:systemd_backlight_var_lib_t,s0)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 5d34e6d2..ed2bce80 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -45,6 +45,14 @@ gen_tunable(systemd_socket_proxyd_bind_any, false)
##
gen_tunable(systemd_socket_proxyd_connect_any, false)
+##
+##
+## Allow systemd-tmpfilesd to populate missing configuration files from factory
+## template directory.
+##
+##
+gen_tunable(systemd_tmpfilesd_factory, false)
+
attribute systemd_log_parse_env_type;
attribute systemd_tmpfiles_conf_type;
attribute systemd_user_session_type;
@@ -104,6 +112,9 @@ type systemd_detect_virt_t;
type systemd_detect_virt_exec_t;
init_daemon_domain(systemd_detect_virt_t, systemd_detect_virt_exec_t)
+type systemd_factory_conf_t;
+systemd_tmpfiles_conf_file(systemd_factory_conf_t)
+
type systemd_generator_t;
type systemd_generator_exec_t;
typealias systemd_generator_t alias { systemd_fstab_generator_t systemd_gpt_generator_t };
@@ -1283,6 +1294,7 @@ allow systemd_tmpfiles_t systemd_journal_t:dir relabel_dir_perms;
allow systemd_tmpfiles_t systemd_journal_t:file relabel_file_perms;
allow systemd_tmpfiles_t systemd_tmpfiles_conf_t:dir list_dir_perms;
+allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:dir search_dir_perms;
allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms;
kernel_getattr_proc(systemd_tmpfiles_t)
@@ -1377,6 +1389,18 @@ tunable_policy(`systemd_tmpfiles_manage_all',`
files_relabel_non_security_files(systemd_tmpfiles_t)
')
+tunable_policy(`systemd_tmpfilesd_factory', `
+ allow systemd_tmpfiles_t systemd_factory_conf_t:dir list_dir_perms;
+ allow systemd_tmpfiles_t systemd_factory_conf_t:file read_file_perms;
+
+ files_manage_etc_files(systemd_tmpfiles_t)
+',`
+ dontaudit systemd_tmpfiles_t systemd_factory_conf_t:dir list_dir_perms;
+ dontaudit systemd_tmpfiles_t systemd_factory_conf_t:file read_file_perms;
+
+ files_dontaudit_manage_etc_files(systemd_tmpfiles_t)
+')
+
optional_policy(`
dbus_read_lib_files(systemd_tmpfiles_t)
dbus_relabel_lib_dirs(systemd_tmpfiles_t)
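Review bot: The tunable-gated `systemd_factory_conf_t:file read_file_perms` allow and its dontaudit twin in this hunk look redundant with rules this same commit makes unconditional: the `@@ -104,6 +112,9 @@` hunk in systemd.te passes `systemd_factory_conf_t` through `systemd_tmpfiles_conf_file()`, and the `@@ -1283` hunk grants `systemd_tmpfiles_conf_type:file read_file_perms` plus `:dir search_dir_perms` outside any tunable, so if that interface assigns the `systemd_tmpfiles_conf_type` attribute (its definition is not in view) the factory files are readable whether or not `systemd_tmpfilesd_factory` is set and the dontaudit branch suppresses nothing for the file class. Either drop the two file-class lines here or keep the factory directory out of the conf attribute so the tunable really gates read access. The tunable description in the `@@ -45` hunk should also say what the commit message admits, e.g. `## template directory. This grants systemd-tmpfilesd write access to generic files in /etc.`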
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/
commit: b5319ac6961b49e3f3b83cd390c102cd39bb33fd Author: Krzysztof Nowicki op pl> AuthorDate: Wed Feb 3 14:59:22 2021 + Commit: Jason Zaman gentoo org> CommitDate: Mon Feb 15 19:49:24 2021 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b5319ac6 Allow systemd-tmpfilesd to relabel generic files inside /etc Enable this only with the systemd_tmpfilesd_factory tunable, otherwise silence the messages with a dontaudit rule. Fixes: avc: denied { relabelfrom } for comm="systemd-tmpfile" name="pam.d" dev= ino= scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir Signed-off-by: Krzysztof Nowicki op.pl> Signed-off-by: Jason Zaman gentoo.org> policy/modules/kernel/files.if | 38 ++ policy/modules/system/systemd.te | 4 2 files changed, 42 insertions(+)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 55fbf783..0687a435 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1611,6 +1611,25 @@ interface(`files_relabel_config_dirs',`
relabel_dirs_pattern($1, configfile, configfile)
')
+#
+##
+## Do not audit attempts to relabel configuration directories
+##
+##
+##
+## Domain not to audit.
+##
+##
+##
+#
+interface(`files_dontaudit_relabel_config_dirs',`
+ gen_require(`
+ attribute configfile;
+ ')
+
+ dontaudit $1 configfile:dir relabel_dir_perms;
+')
+
##
## Read config files in /etc.
@@ -1669,6 +1688,25 @@ interface(`files_relabel_config_files',`
relabel_files_pattern($1, configfile, configfile)
')
+###
+##
+## Do not audit attempts to relabel configuration files
+##
+##
+##
+## Domain not to audit.
+##
+##
+##
+#
+interface(`files_dontaudit_relabel_config_files',`
+ gen_require(`
+ attribute configfile;
+ ')
+
+ dontaudit $1 configfile:file relabel_file_perms;
+')
+
##
## Mount a filesystem on all mount points.
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index ed2bce80..08c26078 100644
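Review bot: Both new interface doc blocks in files.if word the parameter as "Domain not to audit." while the existing dontaudit interfaces in this file use "Domain to not audit.", and neither summary ends with the period the neighbouring summaries carry. Suggest `## Do not audit attempts to relabel configuration directories.` and `## Do not audit attempts to relabel configuration files.` with `## Domain to not audit.` in both, so the generated interface documentation stays uniform. As rendered here the first block opens with `#` and the second with `###`, which suggests the separator comment lines above the two interfaces also differ; worth a look in the source.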
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1394,11 +1394,15 @@ tunable_policy(`systemd_tmpfilesd_factory', `
allow systemd_tmpfiles_t systemd_factory_conf_t:file read_file_perms;
files_manage_etc_files(systemd_tmpfiles_t)
+ files_relabel_config_dirs(systemd_tmpfiles_t)
+ files_relabel_config_files(systemd_tmpfiles_t)
',`
dontaudit systemd_tmpfiles_t systemd_factory_conf_t:dir list_dir_perms;
dontaudit systemd_tmpfiles_t systemd_factory_conf_t:file read_file_perms;
files_dontaudit_manage_etc_files(systemd_tmpfiles_t)
+ files_dontaudit_relabel_config_dirs(systemd_tmpfiles_t)
+ files_dontaudit_relabel_config_files(systemd_tmpfiles_t)
')
optional_policy(`
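Review bot: The relabel rights added inside the `systemd_tmpfilesd_factory` branch are wider than the denial the commit fixes: `files_relabel_config_dirs` and `files_relabel_config_files` operate on the whole `configfile` attribute (the files.if context shows `relabel_dirs_pattern($1, configfile, configfile)`), so systemd_tmpfiles_t may relabel any config-typed directory or file to any other config type, while the reported denial is relabelfrom on an `etc_t` directory. If the factory copy only needs to restore default labels on /etc entries, an etc_t-scoped relabel interface would keep the tunable's reach closer to what its description promises; if the broader set is intended, a comment next to the two calls such as `# factory copy restores default labels on config files` would record that. The tunable_policy block starts before this hunk.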
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, doc/, policy/
commit: cecb7fe66611d6e51bec44507fdda4ef2fcc4808 Author: Jason Zaman gentoo org> AuthorDate: Sat Feb 6 21:18:02 2021 + Commit: Jason Zaman gentoo org> CommitDate: Sat Feb 6 21:18:02 2021 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=cecb7fe6 Update generated policy and doc files Signed-off-by: Jason Zaman gentoo.org> doc/policy.xml | 779 +-- policy/booleans.conf | 6 + policy/modules/kernel/corenetwork.te | 2 +- 3 files changed, 484 insertions(+), 303 deletions(-) diff --git a/doc/policy.xml b/doc/policy.xml index 0537d461..3c0809a4 100644 --- a/doc/policy.xml +++ b/doc/policy.xml @@ -85508,7 +85508,17 @@ Domain allowed access. - + + +Do not audit attempts to get the attributes of the proc filesystem. + + + +Domain to not audit. + + + + Mount on proc directories. @@ -85519,7 +85529,7 @@ Domain allowed access. - + Do not audit attempts to set the attributes of directories in /proc. @@ -85530,7 +85540,7 @@ Domain to not audit. - + Search directories in /proc. @@ -85540,7 +85550,7 @@ Domain allowed access. - + List the contents of directories in /proc. @@ -85550,7 +85560,7 @@ Domain allowed access. - + Do not audit attempts to list the contents of directories in /proc. @@ -85561,7 +85571,7 @@ Domain to not audit. - + Do not audit attempts to write the directories in /proc. @@ -85572,7 +85582,7 @@ Domain to not audit. - + Mount the directories in /proc. @@ -85582,7 +85592,7 @@ Domain allowed access. - + Get the attributes of files in /proc. @@ -85592,7 +85602,7 @@ Domain allowed access. - + Read generic symbolic links in /proc. @@ -85611,7 +85621,7 @@ Domain allowed access. - + Allows caller to read system state information in /proc. @@ -85642,7 +85652,7 @@ Domain allowed access. - + Write to generic proc entries. @@ -85653,7 +85663,7 @@ Domain allowed access. - + Do not audit attempts by caller to read system state information in proc. 
@@ -85664,7 +85674,7 @@ Domain to not audit. - + Do not audit attempts by caller to read symbolic links in proc. @@ -85675,7 +85685,7 @@ Domain to not audit. - + Allow caller to read and write state information for AFS. @@ -85686,7 +85696,7 @@ Domain allowed access. - + Allow caller to read the state information for software raid. @@ -85697,7 +85707,7 @@ Domain allowed access. - + Allow caller to read and set the state information for software raid. @@ -85707,7 +85717,7 @@ Domain allowed access. - + Allows caller to get attributes of core kernel interface. @@ -85717,7 +85727,7 @@ Domain allowed access. - + Do not audit attempts to get the attributes of core kernel interfaces. @@ -85728,7 +85738,7 @@ Domain to not audit. - + Allows caller to read the core kernel interface. @@ -85738,7 +85748,7 @@ Domain allowed access. - + Allow caller to read kernel messages using the /proc/kmsg interface. @@ -85749,7 +85759,7 @@ Domain allowed access. - + Allow caller to get the attributes of kernel message interface (/proc/kmsg). @@ -85760,7 +85770,7 @@ Domain allowed access. - + Do not audit attempts by caller to get the attributes of kernel message interfaces. @@ -85771,7 +85781,7 @@ Domain to not audit. - + Mount on kernel message interfaces files. @@ -85782,7 +85792,7 @@ Domain allowed access. - + Do not audit attempts to search the network state directory. @@ -85794,7 +85804,7 @@ Domain to not audit. - + Allow searching of network state directory. @@ -85805,7 +85815,7 @@ Domain allowed access. - + Read the network state information. @@ -85827,7 +85837,7 @@ Domain allowed access. - + Allow caller to read the network state symbolic links. @@ -85837,7 +85847,7 @@ Domain allowed access. - + Allow searching of xen state directory. @@ -85848,7 +85858,7 @@ Domain allowed access. - + Do not audit attempts to search the xen state directory. @@ -85860,7 +85870,7 @@ Domain to not audit. - + Allow caller to read the xen state information. 
@@ -85871,7 +85881,7 @@ Domain allowed access. - + Allow caller to read the xen state symbolic links. @@ -85882,7 +85892,7 @@ Domain allowed access. - + Allow caller to write xen state information. @@ -85893,7 +85903,7 @@ Domain allowed access. - + Allow attempts to list all proc directories. @@ -85903,7 +85913,7 @@ Domain allowed access. - + Do not audit attempts to list all proc directories. @@ -85913,7 +85923,7 @@ Domain to not audit. - + Do not audit attempts by caller to search the base directory of sysctls. @@ -85925,7 +85935,7 @@ Domain to not audit. - + Mount on sysctl_t dirs. @@ -85936,7 +85946,7 @@ Domain allowed access. - + Allow
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/
commit: d5515d5dcba81e818b43721fe0ac36dcd50315a6 Author: Jason Zaman gentoo org> AuthorDate: Sun Jan 10 23:15:56 2021 + Commit: Jason Zaman gentoo org> CommitDate: Sun Jan 10 23:15:56 2021 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d5515d5d Regenerate corenetwork Signed-off-by: Jason Zaman gentoo.org> policy/modules/kernel/corenetwork.if | 570 ++- policy/modules/kernel/corenetwork.te | 20 +- 2 files changed, 574 insertions(+), 16 deletions(-)
diff --git a/policy/modules/kernel/corenetwork.if b/policy/modules/kernel/corenetwork.if
index 9b19cea2..368ad3b7 100644
--- a/policy/modules/kernel/corenetwork.if
+++ b/policy/modules/kernel/corenetwork.if
@@ -1498,11 +1498,11 @@ interface(`corenet_udp_send_all_ports',`
#
interface(`corenet_sctp_bind_generic_port',`
gen_require(`
- type port_t, unreserved_port_t, ephemeral_port_t;
+ type port_t, unreserved_port_t;
attribute defined_port_type;
')
- allow $1 { port_t unreserved_port_t ephemeral_port_t }:sctp_socket name_bind;
+ allow $1 { port_t unreserved_port_t }:sctp_socket name_bind;
dontaudit $1 defined_port_type:sctp_socket name_bind;
')
@@ -1571,10 +1571,10 @@ interface(`corenet_udp_sendrecv_all_ports',`
#
interface(`corenet_dontaudit_sctp_bind_generic_port',`
gen_require(`
- type port_t, unreserved_port_t, ephemeral_port_t;
+ type port_t, unreserved_port_t;
')
- dontaudit $1 { port_t unreserved_port_t ephemeral_port_t }:sctp_socket name_bind;
+ dontaudit $1 { port_t unreserved_port_t }:sctp_socket name_bind;
')
@@ -1645,10 +1645,10 @@ interface(`corenet_udp_bind_all_ports',`
#
interface(`corenet_sctp_connect_generic_port',`
gen_require(`
- type port_t, unreserved_port_t,ephemeral_port_t;
+ type port_t, unreserved_port_t;
')
- allow $1 { port_t unreserved_port_t ephemeral_port_t }:sctp_socket name_connect;
+ allow $1 { port_t unreserved_port_t }:sctp_socket name_connect;
')
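Review bot: The commit title says "Regenerate corenetwork", but the three sctp hunks change what the generic-port interfaces grant — `ephemeral_port_t` is dropped from `corenet_sctp_bind_generic_port`, `corenet_dontaudit_sctp_bind_generic_port` and `corenet_sctp_connect_generic_port` — and the `@@ -3339` hunk in the next part of this diff removes the `corenet_unlabeled_type` attribute assignment from `corenet_sctp_recvfrom_unlabeled`. Callers that bound or connected SCTP sockets on ephemeral ports through these interfaces will start seeing denials, and the description does not say which change to the source template this output reflects. A sentence in the description naming that source change would let reviewers confirm the semantic difference is intended rather than an artefact of regenerating from a stale input.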
@@ -2761,7 +2761,7 @@ interface(`corenet_dontaudit_raw_recvfrom_unlabeled',`
## Allow the specified domain to receive packets from an
## unlabeled connection. On machines that do not utilize
## labeled networking, this will be required on all
-## networking domains. On machines tha do utilize
+## networking domains. On machines that do utilize
## labeled networking, this will be required for any
## networking domain that is allowed to receive
## network traffic that does not have a label.
@@ -3339,13 +3339,7 @@ interface(`corenet_relabelto_all_server_packets',`
##
#
interface(`corenet_sctp_recvfrom_unlabeled',`
- gen_require(`
- attribute corenet_unlabeled_type;
- ')
-
kernel_recvfrom_unlabeled_peer($1)
-
- typeattribute $1 corenet_unlabeled_type;
kernel_sendrecv_unlabeled_association($1)
')
@@ -3529,6 +3523,135 @@ interface(`corenet_unconfined',`
')
+
+##
+## Send icmp packets.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`corenet_send_icmp_packets',`
+ gen_require(`
+ type icmp_packet_t;
+ ')
+
+ allow $1 icmp_packet_t:packet send;
+')
+
+
+##
+## Do not audit attempts to send icmp packets.
+##
+##
+##
+## Domain to not audit.
+##
+##
+##
+#
+interface(`corenet_dontaudit_send_icmp_packets',`
+ gen_require(`
+ type icmp_packet_t;
+ ')
+
+ dontaudit $1 icmp_packet_t:packet send;
+')
+
+
+##
+## Receive icmp packets.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`corenet_receive_icmp_packets',`
+ gen_require(`
+ type icmp_packet_t;
+ ')
+
+ allow $1 icmp_packet_t:packet recv;
+')
+
+
+##
+## Do not audit attempts to receive icmp packets.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`corenet_dontaudit_receive_icmp_packets',`
+ gen_require(`
+ type icmp_packet_t;
+ ')
+
+ dontaudit $1 icmp_packet_t:packet recv;
+')
+
+
+##
+## Send and receive icmp packets.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`corenet_sendrecv_icmp_packets',`
+ corenet_send_icmp_packets($1)
+ corenet_receive_icmp_packets($1)
+')
+
+
+##
+## Do not audit attempts to send and receive icmp packets.
+##
+##
+##
+## Domain to not audit.
+##
+##
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/
commit: a164a2d6e18255bbc842d3cee8edb63882e9e2c2 Author: Peter Morrow linux microsoft com> AuthorDate: Tue Dec 15 15:19:30 2020 + Commit: Jason Zaman gentoo org> CommitDate: Sun Jan 10 21:52:17 2021 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a164a2d6 selinux: add selinux_get_all_booleans() interface Allow the caller to read the state of selinuxfs booleans. Signed-off-by: Peter Morrow linux.microsoft.com> Signed-off-by: Jason Zaman gentoo.org> policy/modules/kernel/selinux.if | 24 1 file changed, 24 insertions(+)
diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
index bf70d3c4..43eebcd0 100644
--- a/policy/modules/kernel/selinux.if
+++ b/policy/modules/kernel/selinux.if
@@ -444,6 +444,30 @@ interface(`selinux_set_all_booleans',`
}
')
+
+##
+## Allow caller to get the state of all Booleans to
+## view conditional portions of the policy.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`selinux_get_all_booleans',`
+ gen_require(`
+ type security_t;
+ attribute boolean_type;
+ ')
+
+ dev_search_sysfs($1)
+
+ allow $1 security_t:dir list_dir_perms;
+ allow $1 boolean_type:file read_file_perms;
+')
+
##
## Allow caller to set SELinux access vector cache parameters.
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/
commit: 6a9ade8f0070fb55b5e24befa2501644b412fed2 Author: Dave Sugar tresys com> AuthorDate: Mon Dec 7 16:09:15 2020 + Commit: Jason Zaman gentoo org> CommitDate: Sun Jan 10 21:52:17 2021 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6a9ade8f Allow systemd-modules-load to search kernel keys I was seeing the following errors from systemd-modules-load without this search permission. Dec 7 14:36:19 systemd-modules-load: Failed to insert 'nf_conntrack_ftp': Required key not available Dec 7 14:36:19 kernel: Request for unknown module key 'Red Hat Enterprise Linux kernel signing key: 3ffb026dadef6e0bc404752a7e7c29095a68eab7' err -13 Dec 7 14:36:19 systemd: systemd-modules-load.service: main process exited, code=exited, status=1/FAILURE Dec 7 14:36:19 audispd: node=loacalhost type=PROCTITLE msg=audit(1607351779.441:3259): proctitle="/usr/lib/systemd/systemd-modules-load" Dec 7 14:36:19 systemd: Failed to start Load Kernel Modules. This is the denial: Dec 7 15:56:52 audispd: node=localhost type=AVC msg=audit(1607356612.877:3815): avc: denied { search } for pid=11715 comm="systemd-modules" scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=1 Signed-off-by: Dave Sugar tresys.com> Signed-off-by: Jason Zaman gentoo.org> policy/modules/kernel/kernel.te | 1 + policy/modules/system/modutils.te | 1 - 2 files changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 8693e800..d70f625b 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -512,6 +512,7 @@ if( ! secure_mode_insmod ) {
# gt: there seems to be no trace of the above, at
# least in kernel versions greater than 2.6.37...
allow can_load_kernmodule self:capability sys_nice;
+ kernel_search_key(can_load_kernmodule)
kernel_setsched(can_load_kernmodule)
}
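Review bot: `kernel_search_key(can_load_kernmodule)` is added without a comment, and its purpose — letting the module loader search the kernel keyrings for module-signing keys, which is what the "Required key not available" failure in the description shows — is not obvious next to the sys_nice and setsched rules around it; suggest `# search kernel keyrings for module signing keys (signed module loading)` above the new line. The companion modutils.te hunk that follows removes the unconditional `kernel_search_key(kmod_t)`, so if kmod_t is a member of can_load_kernmodule (not visible here) it keeps the access only while `secure_mode_insmod` is off; that matches the Boolean's intent but deserves a sentence in the description, since it is a behaviour change for kmod_t and not just an addition for systemd-modules-load.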
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index e002e6e3..a7f8e42c 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -62,7 +62,6 @@ kernel_write_proc_files(kmod_t)
kernel_mount_debugfs(kmod_t)
kernel_mount_kvmfs(kmod_t)
kernel_read_debugfs(kmod_t)
-kernel_search_key(kmod_t)
# Rules for /proc/sys/kernel/tainted
kernel_read_kernel_sysctls(kmod_t)
kernel_rw_kernel_sysctl(kmod_t)
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/
commit: 49688047a9eaf2a136c50ecb7ad5097a9921e870 Author: Chris PeBenito ieee org> AuthorDate: Thu Nov 5 11:55:25 2020 + Commit: Jason Zaman gentoo org> CommitDate: Mon Nov 16 09:03:43 2020 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=49688047 filesystem, xen: Module version bump. Signed-off-by: Chris PeBenito ieee.org> Signed-off-by: Jason Zaman gentoo.org> policy/modules/kernel/filesystem.te | 2 +- policy/modules/system/xen.te| 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index f338e207..ef891c09 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -1,4 +1,4 @@
-policy_module(filesystem, 1.28.2)
+policy_module(filesystem, 1.28.3)
#
diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te
index 82328cbb..232c3ee4 100644
--- a/policy/modules/system/xen.te
+++ b/policy/modules/system/xen.te
@@ -1,4 +1,4 @@
-policy_module(xen, 1.18.1)
+policy_module(xen, 1.18.2)
#
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/
commit: b84ca9b9648ba7f073ad7513c4b610b7f0dfbdfc Author: Antoine Tenart bootlin com> AuthorDate: Mon Sep 7 15:08:12 2020 + Commit: Jason Zaman gentoo org> CommitDate: Sun Oct 11 21:14:40 2020 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b84ca9b9 corecommands: add entry for Busybox shell Fixes: vc: denied { execute } for pid=87 comm="login" name="sh" dev="vda" ino=408 scontext=system_u:system_r:local_login_t tcontext=system_u:object_r:bin_t tclass=file permissive=1 Signed-off-by: Antoine Tenart bootlin.com> Signed-off-by: Jason Zaman gentoo.org> policy/modules/kernel/corecommands.fc | 1 + 1 file changed, 1 insertion(+)
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 5ced3c67..07a09873 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -157,6 +157,7 @@ ifdef(`distro_gentoo',`
/usr/bin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/bin/scponly -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/bin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/bin/sh-- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/bin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/bin/tcsh -- gen_context(system_u:object_r:shell_exec_t,s0)
/usr/bin/yash -- gen_context(system_u:object_r:shell_exec_t,s0)
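Review bot: The new entry carries the `--` regular-file specifier, so it only labels /usr/bin/sh where it is a real file, as in the reported denial (tclass=file); on Busybox installs where sh is a symlink to the busybox binary the symlink is skipped by `--` and execution is checked against the target's label, so the login denial would remain there. If that layout is in scope, the busybox executable itself needs an entry; either way a short comment such as `# Busybox installs sh as a regular file here` would record why this shell is listed separately. As rendered here the path and `--` run together, which is presumably a tab lost in the mail rendering rather than the committed text.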
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/admin/, policy/modules/apps/, ...
commit: a5831adc8af393b19e3bf83fcd6ea154c31084d6 Author: Chris PeBenito ieee org> AuthorDate: Sat Jan 25 18:48:52 2020 + Commit: Jason Zaman gentoo org> CommitDate: Sat Feb 15 07:32:05 2020 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a5831adc various: Module version bump. Signed-off-by: Chris PeBenito ieee.org> Signed-off-by: Jason Zaman gentoo.org> policy/modules/admin/usermanage.te| 2 +- policy/modules/apps/pulseaudio.te | 2 +- policy/modules/kernel/corecommands.te | 2 +- policy/modules/system/logging.te | 2 +- policy/modules/system/systemd.te | 2 +- policy/modules/system/unconfined.te | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index ef18fd64..5292f3b3 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -1,4 +1,4 @@
-policy_module(usermanage, 1.23.0)
+policy_module(usermanage, 1.23.1)
#
diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te
index a763aae4..85dcdc9b 100644
--- a/policy/modules/apps/pulseaudio.te
+++ b/policy/modules/apps/pulseaudio.te
@@ -1,4 +1,4 @@
-policy_module(pulseaudio, 1.12.2)
+policy_module(pulseaudio, 1.12.3)
#
diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te
index ed5bb173..e272ee71 100644
--- a/policy/modules/kernel/corecommands.te
+++ b/policy/modules/kernel/corecommands.te
@@ -1,4 +1,4 @@
-policy_module(corecommands, 1.27.3)
+policy_module(corecommands, 1.27.4)
#
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 576ca871..19ef420f 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -1,4 +1,4 @@
-policy_module(logging, 1.30.5)
+policy_module(logging, 1.30.6)
#
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index e09bc338..65562380 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1,4 +1,4 @@
-policy_module(systemd, 1.8.10)
+policy_module(systemd, 1.8.11)
#
#
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index 069506b0..bf1cf6fd 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -1,4 +1,4 @@
-policy_module(unconfined, 3.13.2)
+policy_module(unconfined, 3.13.3)
#
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/
commit: 18b85ee49eaccaf5c2765a65234661513555c5f6 Author: Chris PeBenito ieee org> AuthorDate: Sat Feb 8 14:35:13 2020 + Commit: Jason Zaman gentoo org> CommitDate: Sat Feb 15 07:32:05 2020 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=18b85ee4 systemd, devices: Module version bump. Signed-off-by: Chris PeBenito ieee.org> Signed-off-by: Jason Zaman gentoo.org> policy/modules/kernel/devices.te | 2 +- policy/modules/system/systemd.te | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 70cbc49e..05c087bc 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -1,4 +1,4 @@
-policy_module(devices, 1.25.7)
+policy_module(devices, 1.25.8)
#
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 7624d258..0c3fa6c1 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1,4 +1,4 @@
-policy_module(systemd, 1.8.12)
+policy_module(systemd, 1.8.13)
#
#
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/
commit: 19e44f812e0bd3bca6ffdcded4d7e96d41a4e614 Author: bauen1 gmail com> AuthorDate: Sat Jan 25 13:19:00 2020 + Commit: Jason Zaman gentoo org> CommitDate: Sat Feb 15 07:30:57 2020 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=19e44f81 kernel/corecommands: fix the label of xfce4 helpers (on debian) Signed-off-by: Jason Zaman gentoo.org> policy/modules/kernel/corecommands.fc | 19 +++ 1 file changed, 19 insertions(+)
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 75667c04..0be85be3 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -244,15 +244,34 @@ ifdef(`distro_gentoo',` /usr/lib/vte/gnome-pty-helper -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/xfce4/exo-1/exo-helper-1 -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/xfce4/exo-2/exo-helper-2 -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/xfce4/notifyd/xfce4-notifyd -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/xfce4/panel/migrate -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/xfce4/panel/wrapper -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/xfce4/panel/wrapper-1\.0 -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/xfce4/panel/wrapper-2\.0 -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/xfce4/session/balou-export-theme -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/xfce4/session/balou-install-theme -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/xfce4/session/xfsm-shutdown-helper -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/xfce4/xfconf/xfconfd -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/xfce4/xfwm4/helper-dialog -- gen_context(system_u:object_r:bin_t,s0) +ifdef(`distro_debian',` +/usr/lib/[^/]+/tumbler-1/tumblerd -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/[^/]+/xfce4/exo-1/exo-helper-1 -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/[^/]+/xfce4/exo-2/exo-helper-2 -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/[^/]+/xfce4/notifyd/xfce4-notifyd -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/[^/]+/xfce4/panel/migrate -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/[^/]+/xfce4/panel/wrapper -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/[^/]+/xfce4/panel/wrapper-1\.0 -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/[^/]+/xfce4/panel/wrapper-2\.0 -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/[^/]+/xfce4/session/balou-export-theme -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/[^/]+/xfce4/session/balou-install-theme -- 
gen_context(system_u:object_r:bin_t,s0) +/usr/lib/[^/]+/xfce4/session/xfsm-shutdown-helper -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/[^/]+/xfce4/xfconf/xfconfd -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/[^/]+/xfce4/xfwm4/helper-dialog -- gen_context(system_u:object_r:bin_t,s0) +') + /usr/lib/couchdb/erlang/lib/couch-[0-9.]+/priv/couchspawnkillable -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/debug/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
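Review bot: The new `ifdef(`distro_debian',` block carries no comment explaining why every helper is listed a second time with a `[^/]+` path component, so a reader has to already know that Debian installs these under a multiarch triplet directory; a one-liner before the first entry, `# Debian multiarch locations (/usr/lib/<triplet>/...) of the xfce4 helpers listed above`, would record that. Note that `[^/]+` accepts any single directory name, not only a triplet, so a copy under e.g. `/usr/lib/debug/xfce4/...` would be labelled `bin_t` as well; fine if intended, but worth stating in the same comment. The Debian list also omits `exo-compose-mail-1`, which the generic list above it carries; if that is deliberate, say so in the comment so nobody "re-adds" it later.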
[gentoo-commits] proj/hardened-refpolicy:master commit in: /, policy/modules/kernel/, policy/modules/system/, policy/modules/services/, ...
commit: 3ad3fd938f3a06d4170286f9e14bbcd0765e8fb6 Author: Jason Zaman gentoo org> AuthorDate: Tue Dec 17 04:17:02 2019 + Commit: Jason Zaman gentoo org> CommitDate: Tue Dec 24 09:58:27 2019 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3ad3fd93 Fix gentoo-specific lint issues Signed-off-by: Jason Zaman gentoo.org> .travis.yml | 2 +- policy/modules/admin/portage.fc | 2 +- policy/modules/apps/java.fc | 2 +- policy/modules/apps/qemu.fc | 4 ++-- policy/modules/contrib/android.fc | 2 +- policy/modules/contrib/dirsrv.fc | 4 ++-- policy/modules/contrib/openrc.fc | 2 +- policy/modules/contrib/phpfpm.fc | 8 policy/modules/contrib/resolvconf.fc | 2 +- policy/modules/contrib/rtorrent.fc| 6 +++--- policy/modules/contrib/uwsgi.fc | 2 +- policy/modules/contrib/vde.fc | 2 +- policy/modules/kernel/corecommands.fc | 8 policy/modules/services/ntp.fc| 2 +- policy/modules/system/lvm.fc | 5 - policy/modules/system/miscfiles.fc| 6 ++ policy/modules/system/tmpfiles.fc | 6 +++--- 17 files changed, 29 insertions(+), 36 deletions(-) diff --git a/.travis.yml b/.travis.yml index 8be908cc..5dfbe090 100644 --- a/.travis.yml +++ b/.travis.yml @@ -25,7 +25,7 @@ env: matrix: include: - python: 3.7 -env: LINT=true TYPE=standard +env: LINT=true TYPE=standard DISTRO=gentoo sudo: false dist: bionic diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc index 8a41cfff..26850f9d 100644 --- a/policy/modules/admin/portage.fc +++ b/policy/modules/admin/portage.fc 
@@ -23,7 +23,7 @@ /usr/portage(/.*)? gen_context(system_u:object_r:portage_ebuild_t,s0) /usr/portage/distfiles/cvs-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0) /usr/portage/distfiles/egit-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0) -/usr/portage/distfiles/git.?-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0) +/usr/portage/distfiles/git[0-9]-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0) /usr/portage/distfiles/go-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0) /usr/portage/distfiles/hg-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0) /usr/portage/distfiles/svn-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0) diff --git a/policy/modules/apps/java.fc b/policy/modules/apps/java.fc index e8804805..d0476be2 100644 --- a/policy/modules/apps/java.fc +++ b/policy/modules/apps/java.fc @@ -34,5 +34,5 @@ HOME_DIR/\.java(/.*)? gen_context(system_u:object_r:java_home_t,s0) ifdef(`distro_gentoo',` # Running maven (mvn) command needs read access to this, yet the file is marked as bin_t otherwise -/usr/share/maven-bin-[^/]*/bin/m2.conf -- gen_context(system_u:object_r:usr_t,s0) +/usr/share/maven-bin-[^/]*/bin/m2\.conf-- gen_context(system_u:object_r:usr_t,s0) ') diff --git a/policy/modules/apps/qemu.fc b/policy/modules/apps/qemu.fc index df3aa2d3..59dcb78b 100644 --- a/policy/modules/apps/qemu.fc +++ b/policy/modules/apps/qemu.fc @@ -12,8 +12,8 @@ ifdef(`distro_gentoo',` /usr/bin/qemu-ga -- gen_context(system_u:object_r:qemu_ga_exec_t,s0) -/var/log/qemu-ga.log -- gen_context(system_u:object_r:qemu_ga_log_t,s0) +/var/log/qemu-ga\.log -- gen_context(system_u:object_r:qemu_ga_log_t,s0) /var/log/qemu-ga(/.*)? -- gen_context(system_u:object_r:qemu_ga_log_t,s0) -/run/qemu-ga.pid -- gen_context(system_u:object_r:qemu_ga_run_t,s0) +/run/qemu-ga\.pid -- gen_context(system_u:object_r:qemu_ga_run_t,s0) ') 
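Review bot: The portage.fc change narrows the pattern rather than only escaping it: `git.?-src` matched `/usr/portage/distfiles/git-src` (zero characters) as well as `git2-src`, whereas `git[0-9]-src` no longer matches an undigited `git-src` directory, which would then fall through to the enclosing `/usr/portage(/.*)?` rule and be labelled `portage_ebuild_t` instead of `portage_srcrepo_t`. If the old coverage was intentional, `/usr/portage/distfiles/git[0-9]?-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0)` keeps it while still satisfying the lint. The java.fc and qemu.fc hunks on this line only turn a wildcard `.` into a literal `\.` and do not change what is meant to be matched.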
diff --git a/policy/modules/contrib/android.fc b/policy/modules/contrib/android.fc index af983112..a72f5d9f 100644 --- a/policy/modules/contrib/android.fc +++ b/policy/modules/contrib/android.fc @@ -2,7 +2,7 @@ HOME_DIR/\.AndroidStudio.*(/.*)? gen_context(system_u:object_r:android_home_t,s HOME_DIR/\.android(/.*)? gen_context(system_u:object_r:android_home_t,s0) HOME_DIR/\.gradle(/.*)? gen_context(system_u:object_r:android_home_t,s0) -/opt/android-studio/bin/studio.sh gen_context(system_u:object_r:android_java_exec_t,s0) +/opt/android-studio/bin/studio\.sh gen_context(system_u:object_r:android_java_exec_t,s0) /opt/android-sdk-update-manager/platform-tools/adb -- gen_context(system_u:object_r:android_tools_exec_t,s0) /opt/android-sdk-update-manager/platform-tools/fastboot-- gen_context(system_u:object_r:android_tools_exec_t,s0) diff --git a/policy/modules/contrib/dirsrv.fc b/policy/modules/contrib/dirsrv.fc index 3a33d632..a675110f 100644 --- a/policy/modules/contrib/dirsrv.fc +++ b/policy/modules/contrib/dirsrv.fc @@ -5,8 +5,8 @@ /var/lib/dirsrv(/.*)? gen_context(system_u:object_r:dirsrv_var_lib_t,s0)
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/
commit: 86a0e854927db91b4a978fe92a63e3edb5256927 Author: Chris PeBenito linux microsoft com> AuthorDate: Fri May 31 17:44:49 2019 + Commit: Jason Zaman gentoo org> CommitDate: Sat Jul 13 06:43:14 2019 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=86a0e854 devices: Add type for /dev/daxX.Y. Signed-off-by: Chris PeBenito linux.microsoft.com> Signed-off-by: Jason Zaman perfinion.com> policy/modules/kernel/devices.fc | 1 + policy/modules/kernel/devices.te | 6 ++ 2 files changed, 7 insertions(+) diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc index 3b9be43f..bdff6b1a 100644 --- a/policy/modules/kernel/devices.fc +++ b/policy/modules/kernel/devices.fc @@ -21,6 +21,7 @@ /dev/controlD64-c gen_context(system_u:object_r:xserver_misc_device_t,s0) /dev/crash -c gen_context(system_u:object_r:crash_device_t,mls_systemhigh) /dev/dahdi/.* -c gen_context(system_u:object_r:sound_device_t,s0) +/dev/dax[0-9]\.[0-9] -c gen_context(system_u:object_r:dax_device_t,mls_systemhigh) /dev/dmfm -c gen_context(system_u:object_r:sound_device_t,s0) /dev/dmmidi.* -c gen_context(system_u:object_r:sound_device_t,s0) /dev/dsp.* -c gen_context(system_u:object_r:sound_device_t,s0) diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te index a0331212..88a4246e 100644 --- a/policy/modules/kernel/devices.te +++ b/policy/modules/kernel/devices.te @@ -82,6 +82,12 @@ dev_node(crash_device_t) type crypt_device_t; dev_node(crypt_device_t) +# +# Type for /dev/dax*.* +# +type dax_device_t; +dev_node(dax_device_t) + # # dlm_misc_device_t is the type of /dev/misc/dlm.* #
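Review bot: `/dev/dax[0-9]\.[0-9]` in the devices.fc hunk matches only single-digit region and device numbers, so a node such as `/dev/dax0.10` or `/dev/dax10.0` would not receive `dax_device_t` and would presumably fall back to the generic `/dev` label; `/dev/dax[0-9]+\.[0-9]+ -c gen_context(system_u:object_r:dax_device_t,mls_systemhigh)` covers both cases at no cost. The devices.te hunk only declares the type via `dev_node` and adds no access interface, which is reasonable for a first landing, but a short comment on the type block, `# no access interfaces yet; add dev_*_dax_dev() when a consumer appears`, would make that explicit for the next reader.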
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/
commit: 5ff9a8876e58544ab99a22441e272dcb94b0525b Author: Chris PeBenito linux microsoft com> AuthorDate: Fri May 31 17:42:42 2019 + Commit: Jason Zaman gentoo org> CommitDate: Sat Jul 13 06:43:14 2019 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5ff9a887 storage: Add fc entry for /dev/pmem* Signed-off-by: Chris PeBenito linux.microsoft.com> Signed-off-by: Jason Zaman perfinion.com> policy/modules/kernel/storage.fc | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc index 926327bd..b6dfcd9f 100644 --- a/policy/modules/kernel/storage.fc +++ b/policy/modules/kernel/storage.fc @@ -41,6 +41,7 @@ /dev/pcd[0-3] -b gen_context(system_u:object_r:removable_device_t,s0) /dev/pd[a-d][^/]* -b gen_context(system_u:object_r:removable_device_t,s0) /dev/pg[0-3] -c gen_context(system_u:object_r:removable_device_t,s0) +/dev/pmem[0-9]*-b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) /dev/ps3d.*-b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) /dev/ram.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) /dev/(raw/)?rawctl -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
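Review bot: `/dev/pmem[0-9]*` matches a bare `/dev/pmem` (zero digits) and, more importantly, stops at the namespace number, so partition and sector-mode nodes of the same device (if they are named `pmem0p1` / `pmem0s`, as I believe they are; please confirm) are not covered by this entry and would keep whatever the generic `/dev` rule gives them. The neighbouring entries in this file use a trailing `[^/]*` for exactly this purpose (`/dev/pd[a-d][^/]*`); `/dev/pmem[0-9]+[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)` would follow that convention and label the whole device family consistently.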
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/
commit: 98f3eac837bb8fa985f1f3fe7090e17573c9f3a9 Author: Sugar, David tresys com> AuthorDate: Tue Mar 5 22:32:44 2019 + Commit: Jason Zaman gentoo org> CommitDate: Mon Mar 25 10:05:25 2019 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=98f3eac8 Add interface to allow relabeling of iso 9660 filesystems. I have a case where I'm labeling media with my own types to control access. But that is requiring that I relabel from iso9660_t to my own type. This interface allows that relabel. type=AVC msg=audit(1551621984.372:919): avc: denied { relabelfrom } for pid=9717 comm="mount" scontext=staff_u:staff_r:mymedia_sudo_t:s0-s0:c0.c1023 tcontext=system_u:object_r:iso9660_t:s0 tclass=filesystem permissive=0 Signed-off-by: Dave Sugar tresys.com> Signed-off-by: Jason Zaman perfinion.com> policy/modules/kernel/filesystem.if | 19 +++ 1 file changed, 19 insertions(+) diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if index 6da7cc22..603bfc28 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -2505,6 +2505,25 @@ interface(`fs_remount_iso9660_fs',` allow $1 iso9660_t:filesystem remount; ') + +## +## Allow changing of the label of a +## filesystem with iso9660 type +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_relabelfrom_iso9660_fs',` + gen_require(` + type iso9660_t; + ') + + allow $1 iso9660_t:filesystem relabelfrom; +') + ## ## Unmount an iso9660 filesystem, which
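Review bot: `fs_relabelfrom_iso9660_fs` grants only the relabelfrom half of a filesystem relabel; the calling domain still needs `relabelto` on the destination type from that type's own module, and the summary should say so, e.g. `## Allow changing the label of an iso9660 filesystem (relabelfrom only; relabelto on the new type must be granted separately)`. It would also help to note in the description that the permission is not scoped to any particular medium: every iso9660 mount the caller can reach can have `iso9660_t` stripped from it, so the interface belongs on a narrowly used domain such as the `mymedia_sudo_t` in the commit message rather than on a general-purpose role.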
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/
commit: 0d797afccb4ad5dd993c25bf217303343127901d Author: Jason Zaman perfinion com> AuthorDate: Mon Mar 25 10:03:18 2019 + Commit: Jason Zaman gentoo org> CommitDate: Mon Mar 25 10:05:25 2019 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0d797afc corenetwork: regenerate for query scripts Signed-off-by: Jason Zaman perfinion.com> policy/modules/kernel/corenetwork.if | 646 +-- policy/modules/kernel/corenetwork.te | 26 +- 2 files changed, 556 insertions(+), 116 deletions(-) diff --git a/policy/modules/kernel/corenetwork.if b/policy/modules/kernel/corenetwork.if index d7473484..e6fbf90f 100644 --- a/policy/modules/kernel/corenetwork.if +++ b/policy/modules/kernel/corenetwork.if @@ -215,6 +215,60 @@ interface(`corenet_spd_type',` typeattribute $1 ipsec_spd_type; ') + +## +## Define type to be an infiniband pkey type +## +## +## +## Define type to be an infiniband pkey type +## +## +## This is for supporting third party modules and its +## use is not allowed in upstream reference policy. +## +## +## +## +## Type to be used for infiniband pkeys. +## +## +# +interface(`corenet_ib_pkey',` + gen_require(` + attribute ibpkey_type; + ') + + typeattribute $1 ibpkey_type; +') + + +## +## Define type to be an infiniband endport +## +## +## +## Define type to be an infiniband endport +## +## +## This is for supporting third party modules and its +## use is not allowed in upstream reference policy. +## +## +## +## +## Type to be used for infiniband endports. +## +## +# +interface(`corenet_ib_endport',` + gen_require(` + attribute ibendport_type; + ') + + typeattribute $1 ibendport_type; +') + ## ## Send and receive TCP network traffic on generic interfaces. 
@@ -584,6 +638,24 @@ interface(`corenet_raw_send_all_if',` allow $1 netif_type:netif { rawip_send egress }; ') + +## +## Send and receive SCTP network traffic on generic nodes. +## +## +## +## Domain allowed access. +## +## +# +interface(`corenet_sctp_sendrecv_generic_node',` + gen_require(` + type node_t; + ') + + allow $1 node_t:node { sendto recvfrom }; +') + ## ## Receive raw IP packets on all interfaces. @@ -791,6 +863,24 @@ interface(`corenet_raw_sendrecv_generic_node',` corenet_raw_receive_generic_node($1) ') + +## +## Bind SCTP sockets to generic nodes. +## +## +## +## Domain allowed access. +## +## +# +interface(`corenet_sctp_bind_generic_node',` + gen_require(` + type node_t; + ') + + allow $1 node_t:sctp_socket node_bind; +') + ## ## Bind TCP sockets to generic nodes. @@ -985,6 +1075,24 @@ interface(`corenet_dontaudit_udp_send_all_nodes',` dontaudit $1 node_type:node { udp_send sendto }; ') + +## +## Send and receive SCTP network traffic on all nodes. +## +## +## +## Domain allowed access. +## +## +# +interface(`corenet_sctp_sendrecv_all_nodes',` + gen_require(` + attribute node_type; + ') + + allow $1 node_type:node { sendto recvfrom }; +') + ## ## Receive UDP network traffic on all nodes. @@ -1177,6 +1285,25 @@ interface(`corenet_tcp_sendrecv_generic_port',` allow $1 port_t:tcp_socket { send_msg recv_msg }; ') + +## +## Bind SCTP sockets to all nodes. +## +## +## +## Domain allowed access. +## +## +# +interface(`corenet_sctp_bind_all_nodes',` + gen_require(` + attribute node_type; + ') + + allow $1 node_type:sctp_socket node_bind; +') + + ## ## Do not audit send and receive TCP network traffic on generic ports. 
@@ -1384,6 +1511,26 @@ interface(`corenet_udp_send_all_ports',` allow $1 port_type:udp_socket send_msg; ') + +## +## Bind SCTP sockets to generic ports. +## +## +## +## Domain allowed access. +## +## +# +interface(`corenet_sctp_bind_generic_port',` + gen_require(` + type port_t, unreserved_port_t, ephemeral_port_t; + attribute defined_port_type; + ') + + allow $1 { port_t unreserved_port_t ephemeral_port_t }:sctp_socket name_bind; + dontaudit $1 defined_port_type:sctp_socket name_bind; +') + ##
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/
commit: b1b6e9dfd6982086f38e0e4e008d31777ee94255 Author: Jason Zaman perfinion com> AuthorDate: Sun Feb 10 06:09:02 2019 + Commit: Jason Zaman gentoo org> CommitDate: Sun Feb 10 06:09:02 2019 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b1b6e9df remove duplicated dev_dontaudit_read_sysfs files_dontaudit_read_etc_files Signed-off-by: Jason Zaman perfinion.com> policy/modules/kernel/devices.if | 20 policy/modules/kernel/files.if | 20 2 files changed, 40 deletions(-) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if index 84b9d8fb..87fabe6f 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -5236,26 +5236,6 @@ interface(`dev_unconfined',` # We cannot use ifdef distro_gentoo for interfaces - -## -## Dont audit attempts to read hardware state information -## -## -## -## Domain for which the attempts do not need to be audited -## -## -# -interface(`dev_dontaudit_read_sysfs',` - gen_require(` - type sysfs_t; - ') - - dontaudit $1 sysfs_t:file read_file_perms; - dontaudit $1 sysfs_t:dir list_dir_perms; - dontaudit $1 sysfs_t:lnk_file read_lnk_file_perms; -') - ## ## Relabel cpu online hardware state information. diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index 0ace4966..b4db9c89 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -7111,26 +7111,6 @@ interface(`files_dontaudit_read_etc_runtime',` dontaudit $1 etc_runtime_t:file read_file_perms; ') - -## -## Do not audit attempts to read files -## in /etc -## -## -## -## Domain to not audit. -## -## -# -interface(`files_dontaudit_read_etc_files',` - gen_require(` - type etc_t; - ') - - dontaudit $1 etc_t:file { getattr read }; -') - - # ## ## List usr/src files
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/contrib/
commit: 148fa790b9e1d17ccf85658047235034a9c4b415 Author: Jason Zaman perfinion com> AuthorDate: Sun Feb 10 06:13:44 2019 + Commit: Jason Zaman gentoo org> CommitDate: Sun Feb 10 06:13:44 2019 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=148fa790 Remove upstreamed interface kernel_dontaudit_read_kernel_sysctls Was upstreamed as kernel_dontaudit_read_kernel_sysctl() Signed-off-by: Jason Zaman perfinion.com> policy/modules/contrib/skype.te | 2 +- policy/modules/kernel/kernel.if | 18 -- 2 files changed, 1 insertion(+), 19 deletions(-) diff --git a/policy/modules/contrib/skype.te b/policy/modules/contrib/skype.te index 85ce3c10..dc7f73ec 100644 --- a/policy/modules/contrib/skype.te +++ b/policy/modules/contrib/skype.te @@ -64,7 +64,7 @@ manage_sock_files_pattern(skype_t, skype_tmp_t, skype_tmp_t) files_tmp_filetrans(skype_t, skype_tmp_t, { dir file sock_file }) kernel_dontaudit_search_sysctl(skype_t) -kernel_dontaudit_read_kernel_sysctls(skype_t) +kernel_dontaudit_read_kernel_sysctl(skype_t) kernel_read_network_state(skype_t) kernel_read_system_state(skype_t) diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if index de5ee946..1ad282aa 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if @@ -2049,24 +2049,6 @@ interface(`kernel_read_crypto_sysctls',` list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_crypto_t) ') -### -## -## Do not audit attempted reading of kernel sysctls -## -## -## -## Domain to not audit accesses from -## -## -# -interface(`kernel_dontaudit_read_kernel_sysctls',` - gen_require(` - type sysctl_kernel_t; - ') - - dontaudit $1 sysctl_kernel_t:file read_file_perms; -') - ## ## Read general kernel sysctls.
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/roles/, policy/modules/system/, ...
commit: 6821d0d812722efa73ccba5bee8410241b622721 Author: Russell Coker coker com au> AuthorDate: Thu Jan 31 02:58:52 2019 + Commit: Jason Zaman gentoo org> CommitDate: Sun Feb 10 04:11:25 2019 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6821d0d8 more misc stuff Here's the latest stuff, most of which is to make staff_t usable as a login domain. Please merge whatever you think is good and skip the rest. Signed-off-by: Jason Zaman perfinion.com> policy/modules/kernel/corecommands.fc | 2 ++ policy/modules/roles/staff.te | 4 policy/modules/roles/unprivuser.te| 4 policy/modules/services/ssh.te| 1 + policy/modules/system/locallogin.te | 1 + policy/modules/system/systemd.te | 3 ++- 6 files changed, 14 insertions(+), 1 deletion(-) diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc index 6a94f6ef..3b5f9c4d 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -168,6 +168,7 @@ ifdef(`distro_gentoo',` /usr/lib/at-spi2-core(/.*)?gen_context(system_u:object_r:bin_t,s0) /usr/lib/avahi/avahi-daemon-check-dns\.sh -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/bluetooth/.* -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/bridge-utils/.*\.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/ccache/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) #/usr/lib/dhcpcd/dhcpcd-hooks(/.*)?gen_context(system_u:object_r:bin_t,s0) @@ -200,6 +201,7 @@ ifdef(`distro_gentoo',` /usr/lib/gvfs/gvfs.* -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/kde4/libexec/.* -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/[^/]+/libexec/kf5/.* -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/mailman/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/mailman/mail(/.*)?gen_context(system_u:object_r:bin_t,s0) /usr/lib/mediawiki/math/texvc.* gen_context(system_u:object_r:bin_t,s0) 
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te index 803cca2a..1db51e0f 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te @@ -31,6 +31,10 @@ optional_policy(` git_role(staff_r, staff_t) ') +optional_policy(` + modemmanager_dbus_chat(staff_t) +') + optional_policy(` postgresql_role(staff_r, staff_t) ') diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te index 0e21b2ad..f3241612 100644 --- a/policy/modules/roles/unprivuser.te +++ b/policy/modules/roles/unprivuser.te @@ -20,6 +20,10 @@ optional_policy(` git_role(user_r, user_t) ') +optional_policy(` + modemmanager_dbus_chat(user_t) +') + optional_policy(` screen_role_template(user, user_r, user_t) ') diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te index 9a9b1061..ccc29001 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -178,6 +178,7 @@ logging_read_generic_logs(ssh_t) auth_use_nsswitch(ssh_t) +miscfiles_read_generic_certs(ssh_t) miscfiles_read_localization(ssh_t) seutil_read_config(ssh_t) diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te index 9908a645..adbe775e 100644 --- a/policy/modules/system/locallogin.te +++ b/policy/modules/system/locallogin.te @@ -209,6 +209,7 @@ optional_policy(` ') optional_policy(` + xserver_link_xdm_keys(local_login_t) xserver_read_xdm_tmp_files(local_login_t) xserver_rw_xdm_tmp_files(local_login_t) xserver_rw_xdm_keys(local_login_t) diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index e5f37321..34c38cad 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te 
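Review bot: The unprivuser.te hunk gives `user_t`, not only `staff_t`, a two-way D-Bus chat with ModemManager, which goes beyond the stated goal of making `staff_t` usable as a login domain; ModemManager can reconfigure and dial modems, so letting the plain user domain reach it is an attack-surface decision that deserves its own sentence in the commit message or a tunable around the `optional_policy` block. If it is wanted for `user_t` as well, a one-line comment above the block naming the actual consumer, e.g. `# desktop applets need to talk to ModemManager over dbus`, would record the reason. The staff.te hunk is the same change and can carry the same comment.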
@@ -1008,6 +1008,7 @@ files_create_lock_dirs(systemd_tmpfiles_t) files_manage_all_pid_dirs(systemd_tmpfiles_t) files_delete_usr_files(systemd_tmpfiles_t) files_list_home(systemd_tmpfiles_t) +files_list_locks(systemd_tmpfiles_t) files_manage_generic_tmp_dirs(systemd_tmpfiles_t) files_manage_var_dirs(systemd_tmpfiles_t) files_manage_var_lib_dirs(systemd_tmpfiles_t) @@ -1026,8 +1027,8 @@ files_relabelto_etc_dirs(systemd_tmpfiles_t) files_manage_etc_symlinks(systemd_tmpfiles_t) fs_getattr_tmpfs(systemd_tmpfiles_t) -fs_getattr_tmpfs_dirs(systemd_tmpfiles_t) fs_getattr_xattr_fs(systemd_tmpfiles_t) +fs_list_tmpfs(systemd_tmpfiles_t) selinux_get_fs_mount(systemd_tmpfiles_t) selinux_search_fs(systemd_tmpfiles_t)
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/services/
commit: f75896871e29215b93854d20fa218118dc70e45d Author: Alexander Miroshnichenko millerson name> AuthorDate: Sat Jan 26 18:50:12 2019 + Commit: Jason Zaman gentoo org> CommitDate: Sun Feb 10 04:11:25 2019 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f7589687 fs_mmap_rw_hugetlbfs_files is a more appropriate name for the interface Signed-off-by: Jason Zaman perfinion.com> policy/modules/kernel/filesystem.if | 2 +- policy/modules/services/postgresql.te | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if index 7d9f0f43..6da7cc22 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -2350,7 +2350,7 @@ interface(`fs_rw_hugetlbfs_files',` ## ## # -interface(`fs_rmw_hugetlbfs_files',` +interface(`fs_mmap_rw_hugetlbfs_files',` gen_require(` type hugetlbfs_t; ') diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te index 09824a8b..3bdffe4f 100644 --- a/policy/modules/services/postgresql.te +++ b/policy/modules/services/postgresql.te @@ -331,7 +331,7 @@ dev_read_urand(postgresql_t) fs_getattr_all_fs(postgresql_t) fs_search_auto_mountpoints(postgresql_t) -fs_rmw_hugetlbfs_files(postgresql_t) +fs_mmap_rw_hugetlbfs_files(postgresql_t) selinux_get_enforce_mode(postgresql_t) selinux_validate_context(postgresql_t)
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/services/
commit: d4995122c6b1cdde1674282d58bc69494119f6d8 Author: Chris PeBenito ieee org> AuthorDate: Sun Jan 27 17:58:33 2019 + Commit: Jason Zaman gentoo org> CommitDate: Sun Feb 10 04:11:25 2019 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d4995122 filesystem, postgresql: Module version bump. Signed-off-by: Jason Zaman perfinion.com> policy/modules/kernel/filesystem.te | 2 +- policy/modules/services/postgresql.te | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te index 8ddacd76..5cbf319b 100644 --- a/policy/modules/kernel/filesystem.te +++ b/policy/modules/kernel/filesystem.te @@ -1,4 +1,4 @@ -policy_module(filesystem, 1.24.0) +policy_module(filesystem, 1.24.1) # diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te index 3bdffe4f..8f7043c3 100644 --- a/policy/modules/services/postgresql.te +++ b/policy/modules/services/postgresql.te @@ -1,4 +1,4 @@ -policy_module(postgresql, 1.19.0) +policy_module(postgresql, 1.19.1) gen_require(` class db_database all_db_database_perms;
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/
commit: 136b8a2b8c1ea3bb501b668de7401e01a87e780b Author: Jason Zaman perfinion com> AuthorDate: Sat Jan 12 08:03:41 2019 + Commit: Jason Zaman gentoo org> CommitDate: Sun Feb 10 04:11:25 2019 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=136b8a2b files: introduce files_dontaudit_read_etc_files Signed-off-by: Jason Zaman perfinion.com> policy/modules/kernel/files.if | 19 +++ 1 file changed, 19 insertions(+) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index 4920809d..0ace4966 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -3405,6 +3405,25 @@ interface(`files_dontaudit_read_etc_runtime_files',` dontaudit $1 etc_runtime_t:file { getattr read }; ') + +## +## Do not audit attempts to read files +## in /etc +## +## +## +## Domain to not audit. +## +## +# +interface(`files_dontaudit_read_etc_files',` + gen_require(` + type etc_t; + ') + + dontaudit $1 etc_t:file { getattr read }; +') + ## ## Do not audit attempts to write
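Review bot: `dontaudit $1 etc_t:file { getattr read }` in the new `files_dontaudit_read_etc_files` silences only two of the permissions an ordinary read takes; the `open` (and `ioctl`/`lock`) denial on `etc_t` is still logged, so callers on this path keep producing AVCs. Unless the narrower set is deliberate, `dontaudit $1 etc_t:file read_file_perms;` is the usual refpolicy spelling (`read_file_perms` is `{ getattr open read lock ioctl }`). It does mirror the neighbouring `files_dontaudit_read_etc_runtime_files`, so if `{ getattr read }` is kept, a comment saying why `open` is left auditable would help the next reader.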
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/
commit: f2e3f0187d67264d9511dbbdbc3b40d898ac9eed Author: Jason Zaman perfinion com> AuthorDate: Sat Jan 12 08:03:42 2019 + Commit: Jason Zaman gentoo org> CommitDate: Sun Feb 10 04:11:25 2019 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f2e3f018 kernel: introduce kernel_dontaudit_read_kernel_sysctl Signed-off-by: Jason Zaman perfinion.com> policy/modules/kernel/kernel.if | 18 ++ 1 file changed, 18 insertions(+) diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if index 5afc4802..de5ee946 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if @@ -2012,6 +2012,24 @@ interface(`kernel_dontaudit_search_kernel_sysctl',` dontaudit $1 sysctl_kernel_t:dir search; ') +### +## +## Do not audit attempted reading of kernel sysctls +## +## +## +## Domain to not audit accesses from +## +## +# +interface(`kernel_dontaudit_read_kernel_sysctl',` + gen_require(` + type sysctl_kernel_t; + ') + + dontaudit $1 sysctl_kernel_t:file read_file_perms; +') + ## ## Read generic crypto sysctls.
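Review bot: Reading a kernel sysctl also requires `search` on the `sysctl_kernel_t` directory (and on the proc/sysctl directories above it), which this interface does not silence, so a caller that only uses `kernel_dontaudit_read_kernel_sysctl` can still see search denials. The interface text should point callers at the companion visible just above it: `## Do not audit attempted reading of kernel sysctls. Directory search is not covered; pair with kernel_dontaudit_search_kernel_sysctl.`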
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/
commit: 63ab6a3846fefa9040bd9a3b21bdfa8c84b5dc31 Author: Jason Zaman perfinion com> AuthorDate: Sat Jan 12 08:03:40 2019 + Commit: Jason Zaman gentoo org> CommitDate: Sun Feb 10 04:11:25 2019 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=63ab6a38 devices: introduce dev_dontaudit_read_sysfs Signed-off-by: Jason Zaman perfinion.com> policy/modules/kernel/devices.if | 20 1 file changed, 20 insertions(+) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if index 0966a468..84b9d8fb 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -4043,6 +4043,26 @@ interface(`dev_dontaudit_getattr_sysfs',` dontaudit $1 sysfs_t:filesystem getattr; ') + +## +## Dont audit attempts to read hardware state information +## +## +## +## Domain for which the attempts do not need to be audited +## +## +# +interface(`dev_dontaudit_read_sysfs',` + gen_require(` + type sysfs_t; + ') + + dontaudit $1 sysfs_t:file read_file_perms; + dontaudit $1 sysfs_t:dir list_dir_perms; + dontaudit $1 sysfs_t:lnk_file read_lnk_file_perms; +') + ## ## mounton sysfs directories.
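Review bot: The summary `Dont audit attempts to read hardware state information` undersells what the interface does and departs from the `Do not audit` phrasing used by the other dontaudit interfaces (e.g. `files_dontaudit_read_etc_files` in files.if): the body also silences directory listing and symlink reads on `sysfs_t`, not just file reads. Suggested wording: `## Do not audit attempts to read sysfs files, list sysfs directories, or read sysfs symlinks (hardware state information).`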
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/flask/, policy/modules/system/, policy/
commit: de73378ad96f678ee8882969b84bdcf3b721db1a Author: Chris PeBenito ieee org> AuthorDate: Mon Oct 8 17:46:05 2018 + Commit: Jason Zaman gentoo org> CommitDate: Sun Nov 11 23:17:31 2018 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=de73378a Remove unused translate permission in context userspace class. mcstransd never implemented this permission. To keep permission indices lined up, replace the permission with "unused_perm" to make it clear that it has no effect. Signed-off-by: Jason Zaman perfinion.com> policy/flask/access_vectors | 2 +- policy/mls | 3 --- policy/modules/kernel/domain.te | 6 +- policy/modules/kernel/mls.if | 8 ++-- policy/modules/kernel/mls.te | 4 +--- policy/modules/system/setrans.if | 12 ++-- policy/modules/system/setrans.te | 2 +- 7 files changed, 8 insertions(+), 29 deletions(-) diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors index 0630f012..b011d37e 100644 --- a/policy/flask/access_vectors +++ b/policy/flask/access_vectors @@ -765,7 +765,7 @@ class key class context { - translate + unused_perm contains } diff --git a/policy/mls b/policy/mls index eeca15a8..484e3ca3 100644 --- a/policy/mls +++ b/policy/mls @@ -764,9 +764,6 @@ mlsconstrain association { polmatch } # MLS policy for the context class # -mlsconstrain context translate - (( h1 dom h2 ) or ( t1 == mlstranslate )); - mlsconstrain context contains (( h1 dom h2 ) and ( l1 domby l2)); diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te index 7a34bb07..41ae69db 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -1,4 +1,4 @@ -policy_module(domain, 1.14.0) +policy_module(domain, 1.14.1) # @@ -137,10 +137,6 @@ optional_policy(` libs_use_shared_libs(domain) ') -optional_policy(` - setrans_translate_context(domain) -') - # xdm passes an open file descriptor to xsession-errors.log which is then audited by all confined domains. optional_policy(` xserver_dontaudit_use_xdm_fds(domain) 
diff --git a/policy/modules/kernel/mls.if b/policy/modules/kernel/mls.if index 2e2bebc2..c11c7b95 100644 --- a/policy/modules/kernel/mls.if +++ b/policy/modules/kernel/mls.if @@ -849,7 +849,7 @@ interface(`mls_fd_share_all_levels',` ## ## Make specified domain MLS trusted -## for translating contexts at all levels. +## for translating contexts at all levels. (Deprecated) ## ## ## @@ -859,11 +859,7 @@ interface(`mls_fd_share_all_levels',` ## # interface(`mls_context_translate_all_levels',` - gen_require(` - attribute mlstranslate; - ') - - typeattribute $1 mlstranslate; + refpolicywarn(`$0($*) has been deprecated') ') diff --git a/policy/modules/kernel/mls.te b/policy/modules/kernel/mls.te index 3f842ea3..6fc595e2 100644 --- a/policy/modules/kernel/mls.te +++ b/policy/modules/kernel/mls.te @@ -1,4 +1,4 @@ -policy_module(mls, 1.10.0) +policy_module(mls, 1.10.1) # @@ -69,7 +69,5 @@ attribute mlsrangetrans; attribute mlsfduse; attribute mlsfdshare; -attribute mlstranslate; - attribute mlsdbusrecv; attribute mlsdbussend; diff --git a/policy/modules/system/setrans.if b/policy/modules/system/setrans.if index 9478dd9b..03afaa92 100644 --- a/policy/modules/system/setrans.if +++ b/policy/modules/system/setrans.if @@ -21,7 +21,7 @@ interface(`setrans_initrc_domtrans',` ### ## -## Allow a domain to translate contexts. +## Allow a domain to translate contexts. (Deprecated) ## ## ## @@ -30,15 +30,7 @@ interface(`setrans_initrc_domtrans',` ## # interface(`setrans_translate_context',` - gen_require(` - type setrans_t, setrans_var_run_t; - class context translate; - ') - - allow $1 self:unix_stream_socket create_stream_socket_perms; - allow $1 setrans_t:context translate; - stream_connect_pattern($1, setrans_var_run_t, setrans_var_run_t, setrans_t) - files_list_pids($1) + refpolicywarn(`$0($*) has been deprecated') ') ## diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te index 3f50e546..24c3577e 100644 --- a/policy/modules/system/setrans.te 
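Review bot: The `setrans_translate_context` body deprecated in the setrans.if hunk removed more than the `translate` permission the commit message justifies: it also granted `$1` a unix stream socket, `stream_connect_pattern` to setrans_t through setrans_var_run_t, and `files_list_pids`. If any domain reaches mcstransd over its socket for context translation (libselinux does this on MLS systems, as far as I know), those rules are what allowed it, and with the `optional_policy` block removed from domain.te on the previous line no domain receives them any more. Dropping only `allow $1 setrans_t:context translate;` and the `class context translate;` require, while keeping the socket-connect rules in a live interface, would remove the dead permission without that regression. The mls.if hunk on this line is unaffected, since `mls_context_translate_all_levels` only set an attribute that the removed constraint referenced.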
+++ b/policy/modules/system/setrans.te @@ -1,4 +1,4 @@ -policy_module(setrans, 1.14.0) +policy_module(setrans, 1.14.1) gen_require(` class context contains;
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/
commit: cae8d35ee1c8db81725474f4ffd04b90a2ff2b91 Author: Chris PeBenito ieee org> AuthorDate: Sun Jul 15 20:56:51 2018 + Commit: Jason Zaman gentoo org> CommitDate: Sun Sep 9 03:07:46 2018 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=cae8d35e devices: Module version bump. policy/modules/kernel/devices.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 79b9c8da..473ccf84 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -1,4 +1,4 @@
-policy_module(devices, 1.23.1)
+policy_module(devices, 1.23.2)
 #
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/
commit: c83e985052c5fac77e8895d4569aad3289f42d1e Author: Jagannathan Raman oracle com> AuthorDate: Fri Jul 13 17:05:36 2018 + Commit: Jason Zaman gentoo org> CommitDate: Sun Sep 9 03:07:46 2018 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c83e9850 vhost: Add /dev/vhost-scsi device of type vhost_device_t. Signed-off-by: Jagannathan Raman oracle.com> policy/modules/kernel/devices.fc | 1 + policy/modules/kernel/devices.if | 2 +- policy/modules/kernel/devices.te | 3 ++- 3 files changed, 4 insertions(+), 2 deletions(-) diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc index e206720b..5ec14acf 100644 --- a/policy/modules/kernel/devices.fc +++ b/policy/modules/kernel/devices.fc @@ -120,6 +120,7 @@ ifdef(`distro_suse', ` ') /dev/vfio/.+ -c gen_context(system_u:object_r:vfio_device_t,s0) /dev/vhost-net -c gen_context(system_u:object_r:vhost_device_t,s0) +/dev/vhost-scsi-c gen_context(system_u:object_r:vhost_device_t,s0) /dev/vbi.* -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/vbox.*-c gen_context(system_u:object_r:xserver_misc_device_t,s0) /dev/vga_arbiter -c gen_context(system_u:object_r:xserver_misc_device_t,s0) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if index f68d60ab..0966a468 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -4839,7 +4839,7 @@ interface(`dev_relabelfrom_vfio_dev',` ## -## Allow read/write the vhost net device +## Allow read/write the vhost devices ## ## ## diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te index 4ce5fecf..79b9c8da 100644 --- a/policy/modules/kernel/devices.te +++ b/policy/modules/kernel/devices.te @@ -286,7 +286,8 @@ type v4l_device_t; dev_node(v4l_device_t) # -# vhost_device_t is the type for /dev/vhost-net +# vhost_device_t is the type for vhost devices like +# /dev/vhost-net and /dev/vhost-scsi # type vhost_device_t; dev_node(vhost_device_t)
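Review bot: Labelling `/dev/vhost-scsi` with the same `vhost_device_t` as `/dev/vhost-net` means every domain that already has the read/write vhost interface for virtual networking also gains read/write access to the in-kernel SCSI target, a noticeably different capability; a separate type would let policy grant one without the other. If sharing the type is intended, as the devices.te comment change on this line suggests, the interface summary changed in the devices.if hunk should say so, e.g. `## Allow read/write the vhost devices (/dev/vhost-net and /dev/vhost-scsi share one type).`. The rendered devices.fc line has also lost the whitespace between `vhost-scsi` and `-c`, presumably a tab in the committed file.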
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/
commit: 792f78b7b4b4289a8044c300fcbe02fb7ceab157 Author: Jason Zaman perfinion com> AuthorDate: Tue Jul 10 15:03:14 2018 + Commit: Jason Zaman gentoo org> CommitDate: Wed Jul 11 14:41:35 2018 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=792f78b7 selinux: compute_access_vector requires creating netlink_selinux_sockets policy/modules/kernel/selinux.if | 1 + 1 file changed, 1 insertion(+)
diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
index 8123b25f..6790e5d0 100644
--- a/policy/modules/kernel/selinux.if
+++ b/policy/modules/kernel/selinux.if
@@ -534,6 +534,7 @@ interface(`selinux_compute_access_vector',`
 ')
 dev_search_sysfs($1)
+ allow $1 self:netlink_selinux_socket create_socket_perms;
 allow $1 security_t:dir list_dir_perms;
 allow $1 security_t:file rw_file_perms;
 allow $1 security_t:security compute_av;
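Review bot: The new `allow $1 self:netlink_selinux_socket create_socket_perms;` has no comment, and the interface is documented (above this hunk) as computing access vectors, so a reader will not see why it needs a netlink socket. A short comment above the line, `# libselinux creates a netlink_selinux_socket when computing access vectors`, would record the reason the commit title gives. `selinux_compute_access_vector` starts before this hunk.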
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/admin/, policy/modules/system/, ...
commit: 89ac4d4f33529492c2840cd3df115321a38018a3 Author: Chris PeBenito ieee org> AuthorDate: Sun Jul 1 15:02:33 2018 + Commit: Jason Zaman gentoo org> CommitDate: Mon Jul 2 11:47:17 2018 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=89ac4d4f Bump module versions for release. policy/modules/admin/alsa.te | 2 +- policy/modules/admin/apt.te | 2 +- policy/modules/admin/cfengine.te | 2 +- policy/modules/admin/dpkg.te | 2 +- policy/modules/admin/firstboot.te | 2 +- policy/modules/admin/kismet.te| 2 +- policy/modules/admin/logrotate.te | 2 +- policy/modules/admin/portage.te | 2 +- policy/modules/admin/rpm.te | 2 +- policy/modules/admin/samhain.te | 2 +- policy/modules/admin/sectoolm.te | 2 +- policy/modules/admin/shorewall.te | 2 +- policy/modules/admin/sosreport.te | 2 +- policy/modules/apps/evolution.te | 2 +- policy/modules/apps/games.te | 2 +- policy/modules/apps/gnome.te | 2 +- policy/modules/apps/gpg.te| 2 +- policy/modules/apps/irc.te| 2 +- policy/modules/apps/java.te | 2 +- policy/modules/apps/mozilla.te| 2 +- policy/modules/apps/mplayer.te| 2 +- policy/modules/apps/openoffice.te | 2 +- policy/modules/apps/pulseaudio.te | 2 +- policy/modules/apps/qemu.te | 2 +- policy/modules/apps/syncthing.te | 2 +- policy/modules/apps/telepathy.te | 2 +- policy/modules/apps/thunderbird.te| 2 +- policy/modules/apps/wireshark.te | 2 +- policy/modules/apps/wm.te | 2 +- policy/modules/apps/xscreensaver.te | 2 +- policy/modules/kernel/corecommands.te | 2 +- policy/modules/kernel/corenetwork.te.in | 2 +- policy/modules/kernel/devices.te | 2 +- policy/modules/kernel/files.te| 2 +- policy/modules/kernel/terminal.te | 2 +- policy/modules/services/accountsd.te | 2 +- policy/modules/services/apache.te | 2 +- policy/modules/services/bugzilla.te | 2 +- policy/modules/services/ccs.te| 2 +- policy/modules/services/chronyd.te| 2 +- policy/modules/services/cobbler.te| 2 +- policy/modules/services/colord.te | 2 +- policy/modules/services/cron.te | 2 +- 
policy/modules/services/cups.te | 2 +- policy/modules/services/dbus.te | 2 +- policy/modules/services/devicekit.te | 2 +- policy/modules/services/dictd.te | 2 +- policy/modules/services/dirmngr.te| 2 +- policy/modules/services/djbdns.te | 2 +- policy/modules/services/dspam.te | 2 +- policy/modules/services/firewalld.te | 2 +- policy/modules/services/ftp.te| 2 +- policy/modules/services/i18n_input.te | 2 +- policy/modules/services/ifplugd.te| 2 +- policy/modules/services/lsm.te| 2 +- policy/modules/services/minidlna.te | 2 +- policy/modules/services/mojomojo.te | 2 +- policy/modules/services/mta.te| 2 +- policy/modules/services/networkmanager.te | 2 +- policy/modules/services/ntp.te| 2 +- policy/modules/services/obex.te | 2 +- policy/modules/services/plymouthd.te | 2 +- policy/modules/services/postfix.te| 2 +- policy/modules/services/rabbitmq.te | 2 +- policy/modules/services/redis.te | 2 +- policy/modules/services/rsync.te | 2 +- policy/modules/services/samba.te | 2 +- policy/modules/services/sendmail.te | 2 +- policy/modules/services/setroubleshoot.te | 2 +- policy/modules/services/sssd.te | 2 +- policy/modules/services/tftp.te | 2 +- policy/modules/services/tor.te| 2 +- policy/modules/services/virt.te | 2 +- policy/modules/services/xserver.te| 2 +- policy/modules/system/authlogin.te| 2 +- policy/modules/system/init.te | 2 +- policy/modules/system/ipsec.te| 2 +- policy/modules/system/iptables.te | 2 +- policy/modules/system/locallogin.te | 2 +- policy/modules/system/logging.te | 2 +- policy/modules/system/lvm.te | 2 +- policy/modules/system/modutils.te | 2 +- policy/modules/system/sysnetwork.te | 2 +- policy/modules/system/systemd.te | 2 +- policy/modules/system/udev.te | 2 +- policy/modules/system/unconfined.te | 2 +- policy/modules/system/userdomain.te | 2 +- policy/modules/system/xdg.te | 2 +- 88 files changed, 88 insertions(+), 88 deletions(-) diff --git a/policy/modules/admin/alsa.te b/policy/modules/admin/alsa.te index 008b6d25..46455184 100644 
--- a/policy/modules/admin/alsa.te +++ b/policy/modules/admin/alsa.te @@ -1,4 +1,4 @@ -policy_module(
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/
commit: 738d5a8078c3e287725862c78041e92f7f92dfcb Author: Jason Zaman perfinion com> AuthorDate: Thu Jun 7 10:29:26 2018 + Commit: Jason Zaman gentoo org> CommitDate: Fri Jun 8 11:10:51 2018 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=738d5a80 corecommands: adjust gcc fcontext to also work on musl policy/modules/kernel/corecommands.fc | 8 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 9bdcb747..3877b5f0 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -351,10 +351,10 @@ ifdef(`distro_debian',`
 ')
 ifdef(`distro_gentoo', `
-/usr/[^/]+-[^/]+-linux-gnu/gcc-bin/.*(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/usr/[^/]+-[^/]+-linux-gnu/binutils-bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/usr/[^/]+-[^/]+-linux-gnu/[^/]+/gcc-bin/.*(/.*)? gen_context(system_u:object_r:bin_t,s0)
-/usr/[^/]+-[^/]+-linux-gnu/[^/]+/binutils-bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/[^/-]+-[^/-]+-linux-[^/-]+/gcc-bin/.*(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/[^/-]+-[^/-]+-linux-[^/-]+/binutils-bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/[^/-]+-[^/-]+-linux-[^/-]+/[^/]+/gcc-bin/.*(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/[^/-]+-[^/-]+-linux-[^/-]+/[^/]+/binutils-bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/rcscripts/addons(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/rcscripts/sh(/.*)?gen_context(system_u:object_r:bin_t,s0)
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/
commit: f062077321cb890d203c806aa51c0e8ff3991990 Author: Nicolas Iooss m4x org> AuthorDate: Fri Dec 15 21:48:23 2017 + Commit: Sven Vermeulen gentoo org> CommitDate: Thu Jan 18 16:31:04 2018 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f0620773 corecommands: label systemd script directories bin_t systemd defines in /usr/lib/systemd several directories which can contain scripts or executable files: - system-environment-generators/ and user-environment-generators/ documented in https://www.freedesktop.org/software/systemd/man/systemd.environment-generator.html - system-shutdown/ documented in https://www.freedesktop.org/software/systemd/man/systemd-halt.service.html - system-sleep/ documented in https://www.freedesktop.org/software/systemd/man/systemd-suspend.service.html Currently the content of these directories is labelled lib_t, which causes the following AVC on Arch Linux: avc: denied { execute_no_trans } for pid=10308 comm="systemd" path="/usr/lib/systemd/system-environment-generators/10-arch" dev="vda1" ino=543182 scontext=system_u:system_r:init_t tcontext=system_u:object_r:lib_t tclass=file permissive=1 For information /usr/lib/systemd/system-environment-generators/10-arch only defines $PATH and its content is available on https://git.archlinux.org/svntogit/packages.git/tree/trunk/env-generator?h=packages/filesystem policy/modules/kernel/corecommands.fc | 4 1 file changed, 4 insertions(+) diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc index 6409fcdd..9bdcb747 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc 
@@ -225,7 +225,11 @@ ifdef(`distro_gentoo',` /usr/lib/ssh(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/sudo/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/lib/systemd/systemd.* -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/systemd/system-environment-generators(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/systemd/system-generators(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib/systemd/system-shutdown(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib/systemd/system-sleep(/.*)?gen_context(system_u:object_r:bin_t,s0) +/usr/lib/systemd/user-environment-generators(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/systemd/user-generators(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/tumbler-1/tumblerd-- gen_context(system_u:object_r:bin_t,s0) /usr/lib/udev/[^/]*-- gen_context(system_u:object_r:bin_t,s0)
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/
commit: 3cfa359b54921eda7f449dd445dadd7e231e4eb3 Author: Christian Göttsche googlemail com> AuthorDate: Mon Jan 1 11:32:34 2018 + Commit: Sven Vermeulen gentoo org> CommitDate: Thu Jan 18 16:31:23 2018 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3cfa359b filesystem: add fs_rw_inherited_hugetlbfs_files for apache module policy/modules/kernel/filesystem.if | 18 ++ 1 file changed, 18 insertions(+) diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if index 168f204a..7f245e29 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -2306,6 +2306,24 @@ interface(`fs_manage_hugetlbfs_dirs',` ## +## Read and write inherited hugetlbfs files. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_rw_inherited_hugetlbfs_files',` + gen_require(` + type hugetlbfs_t; + ') + + allow $1 hugetlbfs_t:file rw_inherited_file_perms; +') + + +## ## Read and write hugetlbfs files. ## ##
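Review bot: The summary of the new `fs_rw_inherited_hugetlbfs_files` does not say what separates it from the "Read and write hugetlbfs files" interface that follows it: `rw_inherited_file_perms` omits `open`, so the caller can only use a descriptor it inherited or received, not open hugetlbfs files itself. Stating that in the summary, `## Read and write inherited hugetlbfs files (no open permission; the descriptor must be inherited or received).`, makes the narrower grant visible to authors choosing between the two.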
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/
commit: 1288708d6097b3d28587465b562b038d3df1bb14 Author: Jason Zaman perfinion com> AuthorDate: Wed Dec 13 18:15:36 2017 + Commit: Jason Zaman gentoo org> CommitDate: Thu Dec 14 04:55:22 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1288708d storage: Add fcontexts for NVMe disks NVMe has several dev nodes for each device: /dev/nvme0 is a char device for communicating with the controller /dev/nvme0n1 is the block device that stores the data. /dev/nvme0n1p1 is the first partition policy/modules/kernel/storage.fc | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc
index 375b10bc..c7e3ac0d 100644
--- a/policy/modules/kernel/storage.fc
+++ b/policy/modules/kernel/storage.fc
@@ -33,6 +33,8 @@
 /dev/mspblk.* -b gen_context(system_u:object_r:removable_device_t,s0)
 /dev/mtd.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/nb[^/]+ -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/dev/nvme[0-9]+-c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/dev/nvme[0-9]n[^/]+ -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/optcd -b gen_context(system_u:object_r:removable_device_t,s0)
 /dev/p[fg][0-3]-b gen_context(system_u:object_r:removable_device_t,s0)
 /dev/pcd[0-3] -b gen_context(system_u:object_r:removable_device_t,s0)
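Review bot: The block-device pattern `/dev/nvme[0-9]n[^/]+` accepts only a single-digit controller index, while the character-device pattern just above it uses `[0-9]+`; on a host with ten or more NVMe controllers, `/dev/nvme10n1` and its partitions would miss this entry and receive whatever label a broader /dev pattern assigns instead of `fixed_disk_device_t`. Changing it to `/dev/nvme[0-9]+n[^/]+ -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)` keeps the two entries consistent. The rendered line has also lost the whitespace between `nvme[0-9]+` and `-c`, presumably a tab in the committed file.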
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/
commit: 414de294634f9a02b072c433c1aab4387f60925e Author: Chad Hanson gmail com> AuthorDate: Mon Dec 11 04:02:15 2017 + Commit: Jason Zaman gentoo org> CommitDate: Wed Dec 13 11:59:25 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=414de294 Fix implementation of MLS file relabel attributes This patch properly completes the implementation of the MLS file relabel attributes. In the previous patch [http://oss.tresys.com/pipermail/refpolicy/2016-July/008038.html], a new attribute, mlsfilerelabetoclr, was created. There should have been a second attribute, mlsfilerelabel, created instead of overloading mlsfilewrite for this privilege. I concur with creating new attributes for this situation. I have created the patch below. Signed-off-by: Chad Hanson gmail.com> policy/mls | 2 +- policy/modules/kernel/mls.if | 28 policy/modules/kernel/mls.te | 3 ++- 3 files changed, 27 insertions(+), 6 deletions(-) diff --git a/policy/mls b/policy/mls index 2dadd205..73ff301b 100644 --- a/policy/mls +++ b/policy/mls @@ -72,7 +72,7 @@ mlsconstrain { file lnk_file fifo_file } { create relabelto } mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } relabelto (( h1 dom h2 ) or (( t1 == mlsfilerelabeltoclr ) and ( h1 dom l2 )) or - ( t1 == mlsfilewrite )); + ( t1 == mlsfilerelabel )); # the file "read" ops (note the check is dominance of the low level) mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { read getattr execute } diff --git a/policy/modules/kernel/mls.if b/policy/modules/kernel/mls.if index b09c0a5a..2e2bebc2 100644 --- a/policy/modules/kernel/mls.if +++ b/policy/modules/kernel/mls.if 
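Review bot: The constraint change in policy/mls turns `mlsfilewrite` from a relabelto bypass into a write-only one, so any domain that was given `mls_file_write_all_levels` precisely so it could relabel files at other levels will start failing the `relabelto` constraint, and the diffstat shows no module being granted the new `mlsfilerelabel` attribute in this commit. Before merging, it is worth checking the tree for `mls_file_write_all_levels` callers that also relabel and moving them to the new interface, or stating in the commit message that the tightening is intentional. The mls.if and mls.te hunks on the next line introduce the attribute and interface.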
@@ -74,6 +74,26 @@ interface(`mls_file_write_to_clearance',` ## ## Make specified domain MLS trusted +## for writing to files at all levels. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`mls_file_write_all_levels',` + gen_require(` + attribute mlsfilewrite; + ') + + typeattribute $1 mlsfilewrite; +') + + +## +## Make specified domain MLS trusted ## for relabelto to files up to its clearance. ## ## @@ -94,7 +114,7 @@ interface(`mls_file_relabel_to_clearance',` ## ## Make specified domain MLS trusted -## for writing to files at all levels. +## for relabelto to files at all levels. ## ## ## @@ -103,12 +123,12 @@ interface(`mls_file_relabel_to_clearance',` ## ## # -interface(`mls_file_write_all_levels',` +interface(`mls_file_relabel',` gen_require(` - attribute mlsfilewrite; + attribute mlsfilerelabel; ') - typeattribute $1 mlsfilewrite; + typeattribute $1 mlsfilerelabel; ') diff --git a/policy/modules/kernel/mls.te b/policy/modules/kernel/mls.te index ad74e81f..7c50e75c 100644 --- a/policy/modules/kernel/mls.te +++ b/policy/modules/kernel/mls.te @@ -10,9 +10,10 @@ attribute mlsfilereadtoclr; attribute mlsfilewrite; attribute mlsfilewritetoclr; attribute mlsfilewriteinrange; +attribute mlsfilerelabel; +attribute mlsfilerelabeltoclr; attribute mlsfileupgrade; attribute mlsfiledowngrade; -attribute mlsfilerelabeltoclr; attribute mlsnetread; attribute mlsnetreadtoclr;
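Review bot: The renamed interface `mls_file_relabel` breaks the naming pattern of its neighbours: `mls_file_write_to_clearance` pairs with `mls_file_write_all_levels`, so `mls_file_relabel_to_clearance` should pair with `mls_file_relabel_all_levels`, and the summary itself says "at all levels". If the shorter name is kept deliberately, a one-line comment above `interface(\`mls_file_relabel',\`` saying so would stop the next reader from renaming it.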
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/
commit: 94e5bdcfc5d1a49605d019ff465dd9f56bd9686d Author: Chris PeBenito ieee org> AuthorDate: Wed Dec 13 23:29:26 2017 + Commit: Jason Zaman gentoo org> CommitDate: Thu Dec 14 04:55:22 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=94e5bdcf storage, userdomain: Module version bump. policy/modules/kernel/storage.te| 2 +- policy/modules/system/userdomain.te | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/policy/modules/kernel/storage.te b/policy/modules/kernel/storage.te index eb9b5b8d..d2a49c97 100644 --- a/policy/modules/kernel/storage.te +++ b/policy/modules/kernel/storage.te @@ -1,4 +1,4 @@ -policy_module(storage, 1.15.0) +policy_module(storage, 1.15.1) # diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te index a3a1802e..3db9b0c2 100644 --- a/policy/modules/system/userdomain.te +++ b/policy/modules/system/userdomain.te @@ -1,4 +1,4 @@ -policy_module(userdomain, 4.14.9) +policy_module(userdomain, 4.14.10) #
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/, policy/modules/services/
commit: 11930ca161a01e71abb6f3522e3dea4f91445ac9 Author: Chris PeBenito ieee org> AuthorDate: Sun Dec 3 21:48:54 2017 + Commit: Jason Zaman gentoo org> CommitDate: Tue Dec 12 07:06:26 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=11930ca1 corcmd, fs, xserver, init, systemd, userdomain: Module version bump. policy/modules/kernel/corecommands.te | 2 +- policy/modules/kernel/filesystem.te | 2 +- policy/modules/services/xserver.te| 2 +- policy/modules/system/init.te | 2 +- policy/modules/system/systemd.te | 2 +- policy/modules/system/userdomain.te | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te index 4bc0a45c..9ea33753 100644 --- a/policy/modules/kernel/corecommands.te +++ b/policy/modules/kernel/corecommands.te @@ -1,4 +1,4 @@ -policy_module(corecommands, 1.24.5) +policy_module(corecommands, 1.24.6) # diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te index 62c2a783..d564752f 100644 --- a/policy/modules/kernel/filesystem.te +++ b/policy/modules/kernel/filesystem.te @@ -1,4 +1,4 @@ -policy_module(filesystem, 1.23.1) +policy_module(filesystem, 1.23.2) # diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te index e5c5acad..c3380257 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -1,4 +1,4 @@ -policy_module(xserver, 3.14.4) +policy_module(xserver, 3.14.5) gen_require(` class x_drawable all_x_drawable_perms; diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index f495e386..4ef6d035 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -1,4 +1,4 @@ -policy_module(init, 2.3.8) +policy_module(init, 2.3.9) gen_require(` class passwd rootok; diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index 4f3ed091..5051b87c 100644 
--- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -1,4 +1,4 @@ -policy_module(systemd, 1.4.5) +policy_module(systemd, 1.4.6) # # diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te index b348ccd0..0e8aa374 100644 --- a/policy/modules/system/userdomain.te +++ b/policy/modules/system/userdomain.te @@ -1,4 +1,4 @@ -policy_module(userdomain, 4.14.7) +policy_module(userdomain, 4.14.8) #
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/
commit: 023d49ed2fe5b7eb20e3b24a786e54993132ed18 Author: David Sugar tresys com> AuthorDate: Wed Nov 29 21:14:17 2017 + Commit: Jason Zaman gentoo org> CommitDate: Tue Dec 12 07:06:26 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=023d49ed RHEL 7.4 has moved the location of /usr/libexec/sesh to /usr/libexec/sudo/sesh Update file context to include label for new location. See https://bugzilla.redhat.com/show_bug.cgi?id=1480791 Signed-off-by: Dave Sugar tresys.com> policy/modules/kernel/corecommands.fc | 1 + 1 file changed, 1 insertion(+)
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 0d2fd27f..6409fcdd 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -265,6 +265,7 @@ ifdef(`distro_gentoo',`
 /usr/libexec(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/libexec/git-core/git-shell-- gen_context(system_u:object_r:shell_exec_t,s0)
 /usr/libexec/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/libexec/sudo/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
 /usr/libexec/openssh/sftp-server --gen_context(system_u:object_r:bin_t,s0)
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/
commit: 32b741ef487dcaa91d8cefc873a7cbf8c5d581d2 Author: Jason Zaman perfinion com> AuthorDate: Tue Oct 31 05:37:07 2017 + Commit: Jason Zaman gentoo org> CommitDate: Sun Nov 5 06:38:35 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=32b741ef files: fcontext for /etc/zfs/zpool.cache policy/modules/kernel/files.fc | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
index e69a0025..6ed84ef9 100644
--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
@@ -72,6 +72,8 @@ ifdef(`distro_suse',`
 /etc/sysconfig/iptables\.save -- gen_context(system_u:object_r:etc_runtime_t,s0)
 /etc/sysconfig/firstboot --gen_context(system_u:object_r:etc_runtime_t,s0)
+/etc/zfs/zpool.cache -- gen_context(system_u:object_r:etc_runtime_t,s0)
+
 ifdef(`distro_gentoo', `
 /etc/profile\.env -- gen_context(system_u:object_r:etc_runtime_t,s0)
 /etc/csh\.env -- gen_context(system_u:object_r:etc_runtime_t,s0)
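Review bot: The new pattern `/etc/zfs/zpool.cache` leaves the dot unescaped, so it also matches names such as `/etc/zfs/zpoolXcache`; the neighbouring entries in this hunk (`iptables\.save`, `profile\.env`, `csh\.env`) all escape it. The line should read `/etc/zfs/zpool\.cache -- gen_context(system_u:object_r:etc_runtime_t,s0)`.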
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/
commit: d46e984bba90f703233e36a3c77926f0e4711859 Author: Luis Ressel via refpolicy oss tresys com> AuthorDate: Tue Oct 24 23:46:43 2017 + Commit: Jason Zaman gentoo org> CommitDate: Sun Oct 29 12:59:50 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d46e984b kernel/files.if: files_list_kernel_modules should grant read perms for symlinks files_search_kernel_modules also grant this; there's a couple of symlinks in /lib/modules/. policy/modules/kernel/files.if | 1 + 1 file changed, 1 insertion(+)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index a9557079..05ca46a7 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -3966,6 +3966,7 @@ interface(`files_list_kernel_modules',`
 ')
 allow $1 modules_object_t:dir list_dir_perms;
+ read_lnk_files_pattern($1, modules_object_t, modules_object_t)
 ')
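Review bot: `files_list_kernel_modules` now reads symlinks under `modules_object_t` as well as listing its directories, but the interface summary above this hunk presumably still describes a listing-only interface, so callers will not know the extra grant is there. Adding a sentence to the summary, `## Symlinks in the module directories may also be read.`, keeps the documentation accurate. The interface body starts before the hunk.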
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/admin/
commit: 6553262d637d9cb2d3e6f1df5d1cfed968ee80d1 Author: Chris PeBenito ieee org> AuthorDate: Wed Oct 25 21:21:31 2017 + Commit: Jason Zaman gentoo org> CommitDate: Sun Oct 29 12:59:50 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6553262d files, netutils: Module version bump. policy/modules/admin/netutils.te | 2 +- policy/modules/kernel/files.te | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te index 0d3fb75d..315cc3c9 100644 --- a/policy/modules/admin/netutils.te +++ b/policy/modules/admin/netutils.te @@ -1,4 +1,4 @@ -policy_module(netutils, 1.17.0) +policy_module(netutils, 1.17.1) # diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te index f713d2b6..473931ee 100644 --- a/policy/modules/kernel/files.te +++ b/policy/modules/kernel/files.te @@ -1,4 +1,4 @@ -policy_module(files, 1.24.3) +policy_module(files, 1.24.4) #
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/
commit: 92204f8b06a390b2fb39a505d0c48f9dfec4a41d Author: Chris PeBenito ieee org> AuthorDate: Thu Oct 12 21:59:43 2017 + Commit: Jason Zaman gentoo org> CommitDate: Sun Oct 29 12:59:08 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=92204f8b files: Whitespace fix. policy/modules/kernel/files.if | 1 - 1 file changed, 1 deletion(-) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index ec2c8999..a9557079 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -6757,7 +6757,6 @@ interface(`files_relabel_all_pid_sock_files',` relabel_sock_files_pattern($1, pidfile, pidfile) ') - ## ## Relabel to/from all var_run (pid) files and directories
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/
commit: f7b55ae6e614572354d5a6f8449c1ed0f256f485 Author: Chris PeBenito ieee org> AuthorDate: Mon Oct 9 18:51:56 2017 + Commit: Jason Zaman gentoo org> CommitDate: Sun Oct 29 12:59:08 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f7b55ae6 devices: Module version bump. policy/modules/kernel/devices.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te index 57ad955b..0882d522 100644 --- a/policy/modules/kernel/devices.te +++ b/policy/modules/kernel/devices.te @@ -1,4 +1,4 @@ -policy_module(devices, 1.21.3) +policy_module(devices, 1.21.4) #
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/
commit: 549b6dbb3f5ae4e0645aa0bbc657187776c4f305 Author: Nicolas Iooss m4x org> AuthorDate: Wed Sep 6 20:44:17 2017 + Commit: Jason Zaman gentoo org> CommitDate: Fri Sep 8 22:39:50 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=549b6dbb corecommands: label Arch Linux pacman's scripts as bin_t On Arch Linux, the package manager uses hooks which execute scripts in /usr/share/libalpm/scripts. policy/modules/kernel/corecommands.fc | 1 + 1 file changed, 1 insertion(+)
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 1b556308..37760a87 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -310,6 +310,7 @@ ifdef(`distro_gentoo',`
 /usr/share/GNUstep/Makefiles/mkinstalldirs -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/hal/device-manager/hal-device-manager -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/hal/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/share/libalpm/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/share/mc/extfs/.* -- gen_context(system_u:object_r:bin_t,s0)
 /usr/share/Modules/init(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/share/org.gnome.Weather/org\.gnome\.Weather\.Application -- gen_context(system_u:object_r:bin_t,s0)
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/
commit: 50d84777aa23e2a300967350c8fcd35c0580d337 Author: Chris PeBenito ieee org> AuthorDate: Fri Sep 8 15:52:12 2017 + Commit: Jason Zaman gentoo org> CommitDate: Fri Sep 8 22:39:50 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=50d84777 Module version bump for patches from Nicolas Iooss. policy/modules/kernel/corecommands.te | 2 +- policy/modules/kernel/terminal.te | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te index 7a22dc5f..bf025424 100644 --- a/policy/modules/kernel/corecommands.te +++ b/policy/modules/kernel/corecommands.te @@ -1,4 +1,4 @@ -policy_module(corecommands, 1.24.2) +policy_module(corecommands, 1.24.3) # diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te index ff9ee502..2102238e 100644 --- a/policy/modules/kernel/terminal.te +++ b/policy/modules/kernel/terminal.te @@ -1,4 +1,4 @@ -policy_module(terminal, 1.17.0) +policy_module(terminal, 1.17.1) #
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/
commit: 92348a31d3dba24301e1d48d8d87027c9aca64e3 Author: David Sugar tresys com> AuthorDate: Tue Sep 5 14:17:50 2017 + Commit: Jason Zaman gentoo org> CommitDate: Fri Sep 8 22:39:36 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=92348a31 Separate read and write interface for tun_tap_device_t The following patch creates two additional interfaces for tun_tap_device_t to grant only read or only write access (rather than both read and write access). It is possible to open a tap device for only reading or only writing and this allows policy to match that use. Signed-off-by: Dave Sugar tresys.com> policy/modules/kernel/corenetwork.if.in | 38 + 1 file changed, 38 insertions(+) diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in index 46e10d08..3671fa8e 100644 --- a/policy/modules/kernel/corenetwork.if.in +++ b/policy/modules/kernel/corenetwork.if.in @@ -2047,6 +2047,44 @@ interface(`corenet_dontaudit_tcp_connect_all_rpc_ports',` ## +## Read the TUN/TAP virtual network device. +## +## +## +## The domain read allowed access. +## +## +# +interface(`corenet_read_tun_tap_dev',` + gen_require(` + type tun_tap_device_t; + ') + + dev_list_all_dev_nodes($1) + allow $1 tun_tap_device_t:chr_file read_chr_file_perms; +') + + +## +## Write the TUN/TAP virtual network device. +## +## +## +## The domain allowed write access. +## +## +# +interface(`corenet_write_tun_tap_dev',` + gen_require(` + type tun_tap_device_t; + ') + + dev_list_all_dev_nodes($1) + allow $1 tun_tap_device_t:chr_file write_chr_file_perms; +') + + +## ## Read and write the TUN/TAP virtual network device. ## ##
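Review bot: The parameter description of the new corenet_read_tun_tap_dev reads `The domain read allowed access.`, which is garbled and does not match its sibling corenet_write_tun_tap_dev (`The domain allowed write access.`); change it to `## The domain allowed read access.`. Both interfaces also grant `dev_list_all_dev_nodes($1)` in addition to the chr_file permission, which mirrors the existing read-write interface whose start is visible at the end of the hunk, so that part is consistent.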
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/
commit: 5c027610b5a5091d5cb2ae20cf2ed62177128253 Author: Nicolas Iooss via refpolicy oss tresys com> AuthorDate: Sat Aug 12 08:34:59 2017 + Commit: Jason Zaman gentoo org> CommitDate: Fri Sep 8 22:39:50 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5c027610 terminal: /dev/pts exists in /dev filesystem systemd tries to create /dev/pts directly with its context type "devpts_t", but this is not allowed: avc: denied { associate } for pid=1 comm="systemd" name="pts" scontext=system_u:object_r:devpts_t tcontext=system_u:object_r:device_t tclass=filesystem permissive=1 policy/modules/kernel/terminal.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te index f71fda4b..ff9ee502 100644 --- a/policy/modules/kernel/terminal.te +++ b/policy/modules/kernel/terminal.te @@ -25,6 +25,7 @@ dev_node(console_device_t) # the type of the root directory of the file system. # type devpts_t; +dev_associate(devpts_t) files_mountpoint(devpts_t) fs_associate_tmpfs(devpts_t) fs_xattr_type(devpts_t)
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/roles/, policy/modules/services/
commit: b0d06664412c0c7baee2b8e12a26206d05a1ee02 Author: cgzones googlemail com> AuthorDate: Thu Jun 8 14:16:15 2017 + Commit: Jason Zaman gentoo org> CommitDate: Tue Jun 13 08:02:15 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b0d06664 rkhunter: add interfaces for rkhunter module and sysadm permit policy/modules/kernel/filesystem.if | 18 ++ policy/modules/roles/sysadm.te | 4 policy/modules/services/ssh.if | 19 +++ 3 files changed, 41 insertions(+) diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if index 295f3698..e85169c3 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -4823,6 +4823,24 @@ interface(`fs_getattr_tracefs',` ## +## Get attributes of dirs on tracefs filesystem. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_getattr_tracefs_dirs',` + gen_require(` + type tracefs_t; + ') + + allow $1 tracefs_t:dir getattr; +') + + +## ## search directories on a tracefs filesystem ## ## diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te index 8912fb6e..6d18020b 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -906,6 +906,10 @@ optional_policy(` ') optional_policy(` + rkhunter_run(sysadm_t, sysadm_r) +') + +optional_policy(` rngd_admin(sysadm_t, sysadm_r) ') diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if index 3eca8306..22642eb3 100644 --- a/policy/modules/services/ssh.if +++ b/policy/modules/services/ssh.if @@ -601,6 +601,25 @@ interface(`ssh_tcp_connect',` ## +## Execute the ssh daemon in the caller domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`ssh_exec_sshd',` + gen_require(` + type sshd_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, sshd_exec_t) +') + + +## ## Execute the ssh daemon sshd domain. ## ##
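Review bot: fs_getattr_tracefs_dirs in the filesystem.if hunk uses a bare permission, `allow $1 tracefs_t:dir getattr;`, where the refpolicy permission-set macro would be the conventional form: `allow $1 tracefs_t:dir getattr_dir_perms;`. The neighbouring fs_getattr_tracefs applies to the filesystem class, which has no such macro, so it is not a counter-example. In the ssh.if hunk, ssh_exec_sshd runs sshd in the caller's own domain via can_exec with no transition; the summary says so, but a second sentence in the doc block naming the intended caller (the rkhunter module, per the commit title) would help the next reader judge whether a new caller should use this or the domain-transition interface that follows it.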
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/roles/, policy/modules/system/
commit: cdd50f44b7b658e9478e9c968a299919a679396c Author: cgzones googlemail com> AuthorDate: Fri Jun 9 13:37:16 2017 + Commit: Jason Zaman gentoo org> CommitDate: Tue Jun 13 08:02:15 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=cdd50f44 chkrootkit: add interfaces and sysadm permit v2: - add bin_t fc to corecommands policy/modules/kernel/corecommands.fc | 1 + policy/modules/roles/sysadm.te| 4 policy/modules/system/init.if | 18 ++ 3 files changed, 23 insertions(+) diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc index 320044e9..f1cb22b3 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -426,6 +426,7 @@ ifdef(`distro_suse', ` /var/ftp/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) /var/lib/asterisk/agi-bin(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib/chkrootkit/.* -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0) /var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0) diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te index 17e1e26f..e28a28bd 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -236,6 +236,10 @@ optional_policy(` ') optional_policy(` + chkrootkit_run(sysadm_t, sysadm_r) +') + +optional_policy(` chronyd_admin(sysadm_t, sysadm_r) ') diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if index 05fa767f..b9878d02 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -679,6 +679,24 @@ interface(`init_getpgid',` ## +## Send init a generic signal. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_signal',` + gen_require(` + type init_t; + ') + + allow $1 init_t:process signal; +') + + +## ## Send init a null signal. ## ##
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/
commit: 9db4609a99bf45fc3f716fa52955a4982dffb145 Author: Jason Zaman perfinion com> AuthorDate: Mon Jun 5 17:33:42 2017 + Commit: Jason Zaman gentoo org> CommitDate: Mon Jun 5 17:33:42 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9db4609a filesystem: remove gentoo specific duplicated fs_cgroup_filetrans policy/modules/kernel/filesystem.if | 37 - 1 file changed, 37 deletions(-) diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if index 1db23012..295f3698 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -5399,40 +5399,3 @@ interface(`fs_unconfined',` typeattribute $1 filesystem_unconfined_type; ') - -# gentoo specific under here but not allowed ifdef - - -## -## Create an object in a cgroup tmpfs filesystem, with a private -## type using a type transition. -## -## -## -## Domain allowed access. -## -## -## -## -## The type of the object to be created. -## -## -## -## -## The object class of the object being created. -## -## -## -## -## The name of the object being created. -## -## -# -interface(`fs_cgroup_filetrans',` - gen_require(` - type cgroup_t; - ') - - allow $2 tmpfs_t:filesystem associate; - filetrans_pattern($1, cgroup_t, $2, $3, $4) -')
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/
commit: 4c7c974d4a198a0c31bf95c4a32a9c7b70f5 Author: Chris PeBenito ieee org> AuthorDate: Mon Jun 5 00:45:23 2017 + Commit: Jason Zaman gentoo org> CommitDate: Mon Jun 5 17:16:18 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4c7c974d Module version bumps for patches from Jason Zaman. policy/modules/kernel/filesystem.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te index afcb3b3f..23d1c0b4 100644 --- a/policy/modules/kernel/filesystem.te +++ b/policy/modules/kernel/filesystem.te @@ -1,4 +1,4 @@ -policy_module(filesystem, 1.22.9) +policy_module(filesystem, 1.22.10) #
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/
commit: 8c64d75ad5512d94b6fb4705b546483e2a09837c Author: Jason Zaman perfinion com> AuthorDate: Sun Jun 4 16:33:44 2017 + Commit: Jason Zaman gentoo org> CommitDate: Mon Jun 5 17:16:18 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8c64d75a filesystem: introduce fs_cgroup_filetrans interface policy/modules/kernel/filesystem.if | 36 1 file changed, 36 insertions(+) diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if index c9c67369..f28614f2 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -944,6 +944,42 @@ interface(`fs_mounton_cgroup', ` ## +## Create an object in a cgroup tmpfs filesystem, with a private +## type using a type transition. +## +## +## +## Domain allowed access. +## +## +## +## +## The type of the object to be created. +## +## +## +## +## The object class of the object being created. +## +## +## +## +## The name of the object being created. +## +## +# +interface(`fs_cgroup_filetrans',` + gen_require(` + type cgroup_t, tmpfs_t; + ') + + allow $2 tmpfs_t:filesystem associate; + filetrans_pattern($1, cgroup_t, $2, $3, $4) + fs_search_sysfs($1) +') + + +## ## Do not audit attempts to read ## dirs on a CIFS or SMB filesystem. ##
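Review bot: The line `allow $2 tmpfs_t:filesystem associate;` in fs_cgroup_filetrans has no comment explaining why a type created under cgroup_t directories must associate with tmpfs_t rather than with the cgroup filesystem type; presumably the cgroup hierarchy is mounted on a tmpfs, but that should be stated, e.g. `# the cgroup hierarchy sits on a tmpfs mount, so the new type must associate with it — confirm`. The `fs_search_sysfs($1)` call is corrected to `dev_search_sysfs($1)` by a later commit on this page, so nothing to add there.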
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/
commit: 7fba64ce25f075ba187e57d510550999ed6d7094 Author: Chris PeBenito ieee org> AuthorDate: Mon Jun 5 00:45:13 2017 + Commit: Jason Zaman gentoo org> CommitDate: Mon Jun 5 17:16:18 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7fba64ce filesystem: Fix error in fs_cgroup_filetrans(). policy/modules/kernel/filesystem.if | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if index f28614f2..1db23012 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -975,7 +975,7 @@ interface(`fs_cgroup_filetrans',` allow $2 tmpfs_t:filesystem associate; filetrans_pattern($1, cgroup_t, $2, $3, $4) - fs_search_sysfs($1) + dev_search_sysfs($1) ')
[gentoo-commits] proj/hardened-refpolicy:master commit in: /, policy/modules/kernel/, policy/modules/roles/, support/, policy/flask/
commit: 51ed8963a91ca0cf0263995205ce5e7ca47d53c2 Author: Daniel Jurgens mellanox com> AuthorDate: Wed May 24 14:14:59 2017 + Commit: Jason Zaman gentoo org> CommitDate: Thu May 25 16:32:29 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=51ed8963 refpolicy: Infiniband pkeys and endports Every Infiniband network will have a default pkey, so that is labeled. The rest of the pkey configuration is network specific. The policy allows access to the default and unlabeled pkeys for sysadm and staff users. kernel_t is allowed access to all pkeys, which it needs to process and route management datagrams. Endports are all unlabeled by default, sysadm users are allowed to manage the subnet on unlabeled endports. kernel_t is allowed to manage the subnet on all ibendports, which is required for configuring the HCA. This patch requires selinux series: "SELinux user space support for Infiniband RDMA", due to the new ipkeycon labeling mechanism. Signed-off-by: Daniel Jurgens mellanox.com> Makefile| 2 +- Rules.modular | 2 + Rules.monolithic| 2 + policy/flask/access_vectors | 10 +++ policy/flask/security_classes | 4 ++ policy/modules/kernel/corenetwork.if.in | 118 policy/modules/kernel/corenetwork.if.m4 | 64 + policy/modules/kernel/corenetwork.te.in | 8 +++ policy/modules/kernel/corenetwork.te.m4 | 26 +++ policy/modules/kernel/kernel.if | 37 ++ policy/modules/kernel/kernel.te | 5 ++ policy/modules/roles/staff.te | 1 + policy/modules/roles/sysadm.te | 3 + support/comment_move_decl.sed | 2 +- 14 files changed, 282 insertions(+), 2 deletions(-) diff --git a/Makefile b/Makefile index ed3453e0..89387367 100644 --- a/Makefile +++ b/Makefile 
@@ -372,7 +372,7 @@ $(moddir)/kernel/corenetwork.if: $(moddir)/kernel/corenetwork.te.in $(moddir)/ke @echo "# $(notdir $@).in or $(notdir $@).m4 file should be modified." >> $@ @echo "#" >> $@ $(verbose) cat $@.in >> $@ - $(verbose) $(GREP) "^[[:blank:]]*network_(interface|node|port|packet)(_controlled)?\(.*\)" $< \ + $(verbose) $(GREP) "^[[:blank:]]*(network_(interface|node|port|packet)(_controlled)?)|ib_(pkey|endport)\(.*\)" $< \ | $(M4) -D self_contained_policy $(M4PARAM) $(m4divert) $@.m4 $(m4undivert) - \ | $(SED) -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@ diff --git a/Rules.modular b/Rules.modular index 49d3cca9..331a979d 100644 --- a/Rules.modular +++ b/Rules.modular @@ -170,6 +170,8 @@ $(tmpdir)/all_post.conf: $(tmpdir)/all_te_files.conf $(tmpdir)/post_te_files.con $(verbose) $(GREP) ^portcon $(tmpdir)/all_te_files.conf >> $@ || true $(verbose) $(GREP) ^netifcon $(tmpdir)/all_te_files.conf >> $@ || true $(verbose) $(GREP) ^nodecon $(tmpdir)/all_te_files.conf >> $@ || true + $(verbose) $(GREP) ^ibpkeycon $(tmpdir)/all_te_files.conf >> $@ || true + $(verbose) $(GREP) ^ibendportcon $(tmpdir)/all_te_files.conf >> $@ || true $(tmpdir)/only_te_rules.conf: $(tmpdir)/all_te_files.conf $(verbose) $(comment_move_decl) $^ > $@ diff --git a/Rules.monolithic b/Rules.monolithic index ce112d78..80e00821 100644 --- a/Rules.monolithic +++ b/Rules.monolithic @@ -150,6 +150,8 @@ $(tmpdir)/all_post.conf: $(tmpdir)/all_te_files.conf $(tmpdir)/post_te_files.con $(verbose) $(GREP) ^portcon $(tmpdir)/all_te_files.conf >> $@ || true $(verbose) $(GREP) ^netifcon $(tmpdir)/all_te_files.conf >> $@ || true $(verbose) $(GREP) ^nodecon $(tmpdir)/all_te_files.conf >> $@ || true + $(verbose) $(GREP) ^ibpkeycon $(tmpdir)/all_te_files.conf >> $@ || true + $(verbose) $(GREP) ^ibendportcon $(tmpdir)/all_te_files.conf >> $@ || true $(tmpdir)/only_te_rules.conf: $(tmpdir)/all_te_files.conf $(verbose) $(comment_move_decl) $^ > $@ 
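Review bot: The rewritten grep pattern in the Makefile hunk has an alternation-precedence problem: the top-level `|` splits it into `^[[:blank:]]*(network_...(_controlled)?)` and `ib_(pkey|endport)\(.*\)`, so the network_* alternative no longer requires the `(...)` call syntax and the ib_* alternative is not anchored to the start of the line and can match anywhere on a line, including inside comments. The intended grouping is `$(verbose) $(GREP) "^[[:blank:]]*(network_(interface|node|port|packet)(_controlled)?|ib_(pkey|endport))\(.*\)" $< \`. Whether any line in corenetwork.te.in currently triggers a false match cannot be told from this page, but the generated corenetwork.if would silently pick up such lines.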
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors index 7652a313..f20e5c1e 100644 --- a/policy/flask/access_vectors +++ b/policy/flask/access_vectors @@ -927,6 +927,16 @@ inherits database set_value } +class infiniband_pkey +{ + access +} + +class infiniband_endport +{ + manage_subnet +} + class db_language inherits database { diff --git a/policy/flask/security_classes b/policy/flask/security_classes index 18c4f974..ce3268da 100644 --- a/policy/flask/security_classes +++ b/policy/flask/security_classes @@ -139,6 +139,10 @@ class netlink_crypto_socket class x_pointer# userspace class x_keyboard # userspace +# Infiniband +class infiniband_pkey +class infiniband_endport + # More Database stuff class db_schema# userspace class db_view # userspace diff --git a/policy/modules/
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/roles/
commit: bf96509f09ff0319b82a07f8f8a858293e82ed8c Author: Chris PeBenito ieee org> AuthorDate: Wed May 24 23:36:04 2017 + Commit: Jason Zaman gentoo org> CommitDate: Thu May 25 16:32:29 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=bf96509f corenet/sysadm: Move lines. policy/modules/kernel/corenetwork.if.in | 138 policy/modules/roles/sysadm.te | 6 +- 2 files changed, 72 insertions(+), 72 deletions(-) diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in index 46fc4f11..4d618d94 100644 --- a/policy/modules/kernel/corenetwork.if.in +++ b/policy/modules/kernel/corenetwork.if.in @@ -213,6 +213,60 @@ interface(`corenet_spd_type',` ## +## Define type to be an infiniband pkey type +## +## +## +## Define type to be an infiniband pkey type +## +## +## This is for supporting third party modules and its +## use is not allowed in upstream reference policy. +## +## +## +## +## Type to be used for infiniband pkeys. +## +## +# +interface(`corenet_ib_pkey',` + gen_require(` + attribute ibpkey_type; + ') + + typeattribute $1 ibpkey_type; +') + + +## +## Define type to be an infiniband endport +## +## +## +## Define type to be an infiniband endport +## +## +## This is for supporting third party modules and its +## use is not allowed in upstream reference policy. +## +## +## +## +## Type to be used for infiniband endports. +## +## +# +interface(`corenet_ib_endport',` + gen_require(` + attribute ibendport_type; + ') + + typeattribute $1 ibendport_type; +') + + +## ## Send and receive TCP network traffic on generic interfaces. ## ## 
@@ -3138,51 +3192,6 @@ interface(`corenet_relabelto_all_packets',` ## -## Unconfined access to network objects. -## -## -## -## The domain allowed access. -## -## -# -interface(`corenet_unconfined',` - gen_require(` - attribute corenet_unconfined_type; - ') - - typeattribute $1 corenet_unconfined_type; -') - - -## -## Define type to be an infiniband pkey type -## -## -## -## Define type to be an infiniband pkey type -## -## -## This is for supporting third party modules and its -## use is not allowed in upstream reference policy. -## -## -## -## -## Type to be used for infiniband pkeys. -## -## -# -interface(`corenet_ib_pkey',` - gen_require(` - attribute ibpkey_type; - ') - - typeattribute $1 ibpkey_type; -') - - -## ## Access unlabeled infiniband pkeys. ## ## @@ -3215,34 +3224,25 @@ interface(`corenet_ib_access_all_pkeys',` ## -## Define type to be an infiniband endport +## Manage subnets on all labeled Infiniband endports ## -## -## -## Define type to be an infiniband endport -## -## -## This is for supporting third party modules and its -## use is not allowed in upstream reference policy. -## -## ## ## -## Type to be used for infiniband endports. +## Domain allowed access. ## ## # -interface(`corenet_ib_endport',` +interface(`corenet_ib_manage_subnet_all_endports',` gen_require(` attribute ibendport_type; ') - typeattribute $1 ibendport_type; + allow $1 ibendport_type:infiniband_endport manage_subnet; ') ## -## Manage subnets on all labeled Infiniband endports +## Manage subnet on all unlabeled Infiniband endports ## ## ## 
@@ -3250,24 +3250,24 @@ interface(`corenet_ib_endport',` ## ## # -interface(`corenet_ib_manage_subnet_all_endports',` - gen_require(` - attribute ibendport_type; - ') - - allow $1 ibendport_type:infiniband_endport manage_subnet; +interface(`corenet_ib_manage_subnet_unlabeled_endports',` + kernel_ib_manage_subnet_unlabeled_endports($1) ') ## -## Manage subnet on all unlabeled Infiniband endports +## Unconfined access to network objects. ## ## ## -## Domain allowed access. +## The domain allowed access. ## ## # -interface(`corenet_ib_manage_subnet_unlabeled_endports',` - kernel_ib_manage_subnet_unlabeled_endports($1) +interface(`corenet_unconfined',` + gen_require(` + attribute corenet_unconfined_type; + ') + + typeattribute $1 corenet_unconfined_type; ') diff --
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/roles/
commit: 17490d91be530c04b5a4c221c69b58f93dbff7be Author: Chris PeBenito ieee org> AuthorDate: Wed May 24 23:36:49 2017 + Commit: Jason Zaman gentoo org> CommitDate: Thu May 25 16:32:29 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=17490d91 Module version bump for infiniband policy from Daniel Jurgens. policy/modules/kernel/corenetwork.te.in | 2 +- policy/modules/kernel/kernel.te | 2 +- policy/modules/roles/staff.te | 2 +- policy/modules/roles/sysadm.te | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in index dbe009c8..08f519ee 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -1,4 +1,4 @@ -policy_module(corenetwork, 1.23.3) +policy_module(corenetwork, 1.23.4) # diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te index b9ae4b6a..685f3d0f 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -1,4 +1,4 @@ -policy_module(kernel, 1.22.2) +policy_module(kernel, 1.22.3) # diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te index c19212c1..6cf73d28 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te @@ -1,4 +1,4 @@ -policy_module(staff, 2.8.1) +policy_module(staff, 2.8.2) # diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te index 508d2a9f..a4fffc27 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -1,4 +1,4 @@ -policy_module(sysadm, 2.11.7) +policy_module(sysadm, 2.11.8) #
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/
commit: 44fb56ddcb130bb46f67d5bc1a4dc124cb35fe59 Author: Guido Trentalancia trentalancia net> AuthorDate: Sat Apr 29 18:17:47 2017 + Commit: Jason Zaman gentoo org> CommitDate: Sun May 7 15:53:18 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=44fb56dd kernel: low-priority update Update the kernel module with some low priority fixes. Signed-off-by: Guido Trentalancia trentalancia.net> policy/modules/kernel/kernel.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te index 639b8454..87f5f9a4 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -276,6 +276,7 @@ dev_setattr_generic_blk_files(kernel_t) dev_setattr_generic_chr_files(kernel_t) dev_getattr_fs(kernel_t) dev_getattr_sysfs(kernel_t) +dev_write_kmsg(kernel_t) # Mount root file system. Used when loading a policy # from initrd, then mounting the root filesystem @@ -384,6 +385,7 @@ optional_policy(` optional_policy(` plymouthd_read_lib_files(kernel_t) + plymouthd_read_pid_files(kernel_t) plymouthd_read_spool_files(kernel_t) term_use_ptmx(kernel_t)
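Review bot: The added `dev_write_kmsg(kernel_t)` line carries no comment, and neither the commit message ("low priority fixes") nor the hunk says which behaviour of kernel_t needs write access to the kernel log device; the surrounding rules in kernel.te do explain themselves (`# Mount root file system. Used when loading a policy ...`). A one-line comment above it naming the observed denial or use case, e.g. `# kernel_t writes to /dev/kmsg during <use case — fill in>`, would keep the file's convention. The same applies to `plymouthd_read_pid_files(kernel_t)` in the second hunk.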
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/, policy/modules/contrib/
commit: 248905080e2e9840c120f1bb12d589bbec3c89bb Author: Jason Zaman perfinion com> AuthorDate: Sun Apr 30 09:57:08 2017 + Commit: Jason Zaman gentoo org> CommitDate: Sun Apr 30 14:17:45 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=24890508 Remove interfaces added upstream policy/modules/contrib/gnome.if | 29 - policy/modules/kernel/files.if | 20 policy/modules/system/init.te | 1 - 3 files changed, 50 deletions(-) diff --git a/policy/modules/contrib/gnome.if b/policy/modules/contrib/gnome.if index ce436cfd..4fcc6905 100644 --- a/policy/modules/contrib/gnome.if +++ b/policy/modules/contrib/gnome.if @@ -124,12 +124,6 @@ template(`gnome_role_template',` wm_dbus_chat($1, $1_gkeyringd_t) ') ') - - ifdef(`distro_gentoo',` - optional_policy(` - gnome_dbus_chat_gconfd($3) - ') - ') ') @@ -841,29 +835,6 @@ interface(`gnome_stream_connect_all_gkeyringd',` stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t, gkeyringd_domain) ') -# From here Gentoo specific but cannot use ifdef distro_gentoo here - -# -## -## Send and receive messages from the gconf daemon -## over dbus. -## -## -## -## Domain allowed access. -## -## -# -interface(`gnome_dbus_chat_gconfd',` - gen_require(` - type gconfd_t; - class dbus send_msg; - ') - - allow $1 gconfd_t:dbus send_msg; - allow gconfd_t $1:dbus send_msg; -') - ## ## Manage gstreamer ORC optimized diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index ef969a95..a74f7913 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if 
@@ -7232,26 +7232,6 @@ interface(`files_unconfined',` ## -## Create PID directories. -## -## -## -## Domain allowed access. -## -## -# -interface(`files_create_pid_dirs',` - gen_require(` - type var_t, var_run_t; - ') - - allow $1 var_t:dir search_dir_perms; - allow $1 var_run_t:lnk_file read_lnk_file_perms; - create_dirs_pattern($1, var_run_t, var_run_t) -') - - -## ## Create, read, write, and delete symbolic links in ## /etc that are dynamically created on boot. ## diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index 5c6830f2..07238399 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -1350,7 +1350,6 @@ ifdef(`distro_gentoo',` # needs to chmod some devices in early boot dev_setattr_generic_chr_files(initrc_t) - files_create_pid_dirs(initrc_t) files_dontaudit_write_usr_dirs(initrc_t) files_manage_generic_tmp_dirs(initrc_t) files_manage_generic_tmp_files(initrc_t)
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/, policy/modules/services/
commit: 95b1ba94ad4c7ce6466bd54c4afd73a4a23c36b8 Author: Chris PeBenito ieee org> AuthorDate: Sat Mar 25 17:45:37 2017 + Commit: Jason Zaman gentoo org> CommitDate: Thu Mar 30 11:46:17 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=95b1ba94 another version of systemd cgroups hostnamed and logind >From Russell Coker policy/modules/kernel/devices.if| 18 ++ policy/modules/kernel/devices.te| 2 +- policy/modules/kernel/filesystem.if | 18 ++ policy/modules/kernel/filesystem.te | 2 +- policy/modules/services/xserver.if | 38 + policy/modules/services/xserver.te | 2 +- policy/modules/system/systemd.te| 108 +++- policy/modules/system/udev.if | 19 +++ policy/modules/system/udev.te | 2 +- policy/modules/system/userdomain.if | 76 + policy/modules/system/userdomain.te | 2 +- 11 files changed, 267 insertions(+), 20 deletions(-) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if index 28984607..c5af9342 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -4949,6 +4949,24 @@ interface(`dev_rw_wireless',` ## +## manage the wireless device. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_manage_wireless',` + gen_require(` + type device_t, wireless_device_t; + ') + + manage_chr_files_pattern($1, device_t, wireless_device_t) +') + + +## ## Read and write Xen devices. ## ## diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te index 571abc30..e15c26c3 100644 --- a/policy/modules/kernel/devices.te +++ b/policy/modules/kernel/devices.te @@ -1,4 +1,4 @@ -policy_module(devices, 1.20.4) +policy_module(devices, 1.20.5) # diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if index 0affdae2..bba3e389 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if 
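Review bot: The summary of the new dev_manage_wireless interface, `## manage the wireless device.`, is lowercase while its neighbours in devices.if are sentence-cased (`## Read and write Xen devices.`); change it to `## Manage the wireless device.`. Since manage_chr_files_pattern also grants create and delete in device_t directories, the summary could say "Create, read, write, and delete the wireless device." so that callers see the scope is wider than the rw interface above it.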
@@ -4271,6 +4271,24 @@ interface(`fs_dontaudit_write_tmpfs_dirs',` ## +## Relabel from tmpfs_t dir +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_relabelfrom_tmpfs_dirs',` + gen_require(` + type tmpfs_t; + ') + + allow $1 tmpfs_t:dir relabelfrom; +') + + +## ## Relabel directory on tmpfs filesystems. ## ## diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te index 597bf615..3194b0e0 100644 --- a/policy/modules/kernel/filesystem.te +++ b/policy/modules/kernel/filesystem.te @@ -1,4 +1,4 @@ -policy_module(filesystem, 1.22.4) +policy_module(filesystem, 1.22.5) # diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if index 7af0ab6a..060adbfa 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -1331,6 +1331,25 @@ interface(`xserver_kill',` ## +## Allow reading xserver_t files to get cgroup and sessionid +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_read_state',` + gen_require(` + type xserver_t; + ') + + allow $1 xserver_t:dir search; + allow $1 xserver_t:file read_file_perms; +') + + +## ## Read and write X server Sys V Shared ## memory segments. ## @@ -1427,6 +1446,25 @@ interface(`xserver_read_tmp_files',` ## +## talk to xserver_t by dbus +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_dbus_chat',` + gen_require(` + type xserver_t; + ') + + allow $1 xserver_t:dbus send_msg; + allow xserver_t $1:dbus send_msg; +') + + +## ## Interface to provide X object permissions on a given X server to ## an X client domain. Gives the domain permission to read the ## virtual core keyboard and virtual core pointer devices. diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te index 513915c7..9bfbafcb 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te 
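Review bot: xserver_dbus_chat in the second xserver.if hunk grants `dbus send_msg` in both directions but its gen_require only lists `type xserver_t;`; the other dbus chat interface visible on this page (gnome_dbus_chat_gconfd, in the gnome.if hunk of a later commit) also requires `class dbus send_msg;`, so add that line to the gen_require for consistency. In xserver_read_state, `allow $1 xserver_t:dir search;` would conventionally be `allow $1 xserver_t:dir search_dir_perms;`. Both summaries (`talk to xserver_t by dbus`, `Relabel from tmpfs_t dir` in the filesystem.if hunk) are lowercase or fragmentary compared with the surrounding sentence-cased summaries.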
@@ -1,4 +1,4 @@ -policy_module(xserver, 3.13.3) +policy_module(xserver, 3.13.4) gen_require(` class x_drawable all_x_drawable_perms; diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index d9da70e9..f5af4ce4 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/
commit: ee9f1937dfcafbac9c687ee2f79d33bd7b54bec2 Author: Nicolas Iooss m4x org> AuthorDate: Mon Feb 27 21:24:02 2017 + Commit: Sven Vermeulen gentoo org> CommitDate: Thu Mar 2 10:16:52 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ee9f1937 devices: fix Debian file contexts When using setfiles to validate file contexts of Debian modular policy (with DISTRO=debian and MONOLITHIC=n), it fails with: tmp/all_mods.fc: line 527 is missing fields tmp/all_mods.fc: line 527 is missing fields tmp/all_mods.fc: Invalid argument Here is the content of tmp/all_mods.fc around line 527: # this is a static /dev dir "backup mount" # if you want to disable udev, youll have to boot permissive and relabel! /dev/\.static -d system_u:object_r:device_t /dev/\.static/dev -d system_u:object_r:device_t /dev/\.static/dev/(.*)? <> ' The quote of "you'll" has been eaten by m4 and there is a spurious quote on the last line, which is reported by setfiles. Fix this by removing the quote in the comment. Here is an example of a failed build on Travis-CI: https://travis-ci.org/fishilico/selinux-refpolicy-patched/jobs/205951446 policy/modules/kernel/devices.fc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc index 19cd9724..84219a87 100644 --- a/policy/modules/kernel/devices.fc +++ b/policy/modules/kernel/devices.fc @@ -185,7 +185,7 @@ ifdef(`distro_suse', ` ifdef(`distro_debian',` # this is a static /dev dir "backup mount" -# if you want to disable udev, you'll have to boot permissive and relabel! +# if you want to disable udev, you will have to boot permissive and relabel! /dev/\.static -d gen_context(system_u:object_r:device_t,s0) /dev/\.static/dev -d gen_context(system_u:object_r:device_t,s0) /dev/\.static/dev/(.*)?<>
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/
commit: 2ea4214ce55c1f5dfa9a23bd74e6b8bc01db9611 Author: cgzones googlemail com> AuthorDate: Mon Feb 20 13:20:00 2017 + Commit: Sven Vermeulen gentoo org> CommitDate: Thu Mar 2 10:16:40 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2ea4214c add corecmd_check_exec_bin_files() useful for monit policy/modules/kernel/corecommands.if | 19 +++ 1 file changed, 19 insertions(+) diff --git a/policy/modules/kernel/corecommands.if b/policy/modules/kernel/corecommands.if index 60c1feb7..d7ccec3a 100644 --- a/policy/modules/kernel/corecommands.if +++ b/policy/modules/kernel/corecommands.if @@ -218,6 +218,25 @@ interface(`corecmd_dontaudit_getattr_bin_files',` ## +## Check if files in bin directories are executable (DAC-wise) +## +## +## +## Domain allowed access. +## +## +# +interface(`corecmd_check_exec_bin_files',` + gen_require(` + type bin_t; + ') + + allow $1 bin_t:dir search_dir_perms; + allow $1 bin_t:file { execute getattr }; +') + + +## ## Read files in bin directories. ## ##
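Review bot: The doc block of corecmd_check_exec_bin_files describes the grant as a DAC executability check, but `execute` on the file class is the permission the kernel consults for any MAY_EXEC access, so the same rule also permits mapping bin_t files with PROT_EXEC; it does not permit execve of them in the caller domain, which additionally needs execute_no_trans or a transition. State that in the description so callers understand the scope, e.g. `## Check if files in bin directories are executable (access(2) X_OK). Note: execute also allows executable mappings of bin_t files, but not direct execution without execute_no_trans.`.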