[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
commit: 2742ffe56eb2a1943c6ddbbd47071a6fa5437875 Author: Christian Göttsche googlemail com> AuthorDate: Thu Feb 22 17:00:40 2024 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Mar 1 17:05:44 2024 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2742ffe5 selinuxutil: setfiles updates type=PROCTITLE msg=audit(21/02/24 22:31:50.044:122) : proctitle=restorecon -vRn -T0 / type=SYSCALL msg=audit(21/02/24 22:31:50.044:122) : arch=x86_64 syscall=sched_getaffinity success=yes exit=8 a0=0x0 a1=0x1000 a2=0x7fc235649bf0 a3=0x0 items=0 ppid=1103 pid=13398 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=1 comm=restorecon exe=/usr/sbin/setfiles subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(21/02/24 22:31:50.044:122) : avc: denied { getsched } for pid=13398 comm=restorecon scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=process permissive=1 type=PROCTITLE msg=audit(21/02/24 22:31:55.040:123) : proctitle=restorecon -vRn -T0 / type=PATH msg=audit(21/02/24 22:31:55.040:123) : item=0 name=/sys/fs/cgroup/user.slice/user-0.slice/user 0.service/memory.pressure inode=2455 dev=00:1b mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:memory_pressure_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(21/02/24 22:31:55.040:123) : cwd=/root/workspace/selinux/refpolicy/refpolicy type=SYSCALL msg=audit(21/02/24 22:31:55.040:123) : arch=x86_64 syscall=newfstatat success=yes exit=0 a0=AT_FDCWD a1=0x557264466530 a2=0x7fc2004cacc0 a3=0x100 items=1 ppid=1103 pid=13398 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=1 comm=restorecon exe=/usr/sbin/setfiles subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(21/02/24 22:31:55.040:123) : avc: 
denied { getattr } for pid=13398 comm=restorecon path=/sys/fs/cgroup/user.slice/user-0.slice/user 0.service/memory.pressure dev="cgroup2" ino=2455 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:memory_pressure_t:s0 tclass=file permissive=1 type=PROCTITLE msg=audit(21/02/24 22:32:15.512:126) : proctitle=restorecon -vRFn -T0 /usr/ type=PATH msg=audit(21/02/24 22:32:15.512:126) : item=0 name=/proc/sys/vm/overcommit_memory inode=41106 dev=00:16 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysctl_vm_overcommit_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(21/02/24 22:32:15.512:126) : cwd=/root/workspace/selinux/refpolicy/refpolicy type=SYSCALL msg=audit(21/02/24 22:32:15.512:126) : arch=x86_64 syscall=openat success=yes exit=3 a0=AT_FDCWD a1=0x7f59f7316810 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=1103 pid=13491 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=1 comm=restorecon exe=/usr/sbin/setfiles subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(21/02/24 22:32:15.512:126) : avc: denied { open } for pid=13491 comm=restorecon path=/proc/sys/vm/overcommit_memory dev="proc" ino=41106 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_vm_overcommit_t:s0 tclass=file permissive=1 type=AVC msg=audit(21/02/24 22:32:15.512:126) : avc: denied { read } for pid=13491 comm=restorecon name=overcommit_memory dev="proc" ino=41106 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_vm_overcommit_t:s0 tclass=file permissive=1 Signed-off-by: Christian Göttsche googlemail.com> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/kernel/filesystem.if | 18 ++ policy/modules/system/selinuxutil.te | 3 +++ 2 files changed, 21 insertions(+) 
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if index e529b187f..08ad5503d 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -1271,6 +1271,24 @@ interface(`fs_cgroup_filetrans_memory_pressure',` fs_cgroup_filetrans($1, memory_pressure_t, $2, $3) ') + +## +## Get the attributes of cgroup's memory.pressure files. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_getattr_memory_pressure',` + gen_require(` + type memory_pressure_t; + ') + + allow $1 memory_pressure_t:file getattr; +') + ## ## Allow managing a cgroup's memory.pressure file to get notifications diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/sys
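Review bot: `fs_getattr_memory_pressure` grants only `memory_pressure_t:file getattr`, while the denied path quoted in the commit message sits under /sys/fs/cgroup, so a caller that cannot already search the cgroup hierarchy would still be stopped at the directory. The other cgroup interfaces in this file appear to bundle the directory search with the file access; if that is the convention, add `fs_search_cgroup_dirs($1)` ahead of the allow rule, otherwise say in the summary that the caller must be able to search cgroup directories itself. The selinuxutil.te hunk that consumes this interface, and whatever addresses the `getsched` and `sysctl_vm_overcommit_t` denials also quoted in the message, is outside this view.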
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/, policy/support/
commit: b6e3f0c899ce4061496cdf71bd4d83374aea339d Author: Russell Coker coker com au> AuthorDate: Mon Oct 9 13:32:38 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Oct 20 21:28:39 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b6e3f0c8 patches for nspawn policy (#721) * patches to nspawn policy. Allow it netlink operations and creating udp sockets Allow remounting and reading sysfs Allow stat cgroup filesystem Make it create fifos and sock_files in the right context Allow mounting the selinux fs Signed-off-by: Russell Coker coker.com.au> * Use the new mounton_dir_perms and mounton_file_perms macros Signed-off-by: Russell Coker coker.com.au> * Corrected macro name Signed-off-by: Russell Coker coker.com.au> * Fixed description of files_mounton_kernel_symbol_table Signed-off-by: Russell Coker coker.com.au> * systemd: Move lines in nspawn. No rule changes. Signed-off-by: Chris PeBenito ieee.org> - Signed-off-by: Russell Coker coker.com.au> Signed-off-by: Chris PeBenito ieee.org> Co-authored-by: Chris PeBenito ieee.org> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/kernel/devices.if | 18 ++ policy/modules/kernel/files.if | 27 +++ policy/modules/kernel/kernel.if | 8 policy/modules/kernel/selinux.if | 18 ++ policy/modules/system/systemd.te | 17 + policy/support/obj_perm_sets.spt | 2 ++ 6 files changed, 82 insertions(+), 8 deletions(-) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if index be2429a91..a2d55dedb 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -4386,6 +4386,24 @@ interface(`dev_remount_sysfs',` allow $1 sysfs_t:filesystem remount; ') + +## +## unmount a sysfs filesystem +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_unmount_sysfs',` + gen_require(` + type sysfs_t; + ') + + allow $1 sysfs_t:filesystem unmount; +') + ## ## Do not audit getting the attributes of sysfs filesystem 
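Review bot: The interface added here is `dev_unmount_sysfs`, but the commit message only speaks of remounting and reading sysfs, and `dev_remount_sysfs` already exists directly above in the context; either the message or the hunk is missing the rationale for unmount, which for a container manager tearing down a guest's /sys deserves one line of justification. Its summary, `## unmount a sysfs filesystem`, also breaks the capitalised full-sentence style of its neighbours (`## Do not audit getting the attributes of sysfs filesystem`); suggest `## Unmount a sysfs filesystem.`. The systemd.te caller is not in this view.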
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index 591aa64d6..370ac0931 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -542,8 +542,8 @@ interface(`files_mounton_non_security',` attribute non_security_file_type; ') - allow $1 non_security_file_type:dir { getattr search mounton }; - allow $1 non_security_file_type:file { getattr mounton }; + allow $1 non_security_file_type:dir { search mounton_dir_perms }; + allow $1 non_security_file_type:file mounton_file_perms; ') @@ -1785,7 +1785,7 @@ interface(`files_mounton_all_mountpoints',` ') allow $1 mountpoint:dir { search_dir_perms mounton }; - allow $1 mountpoint:file { getattr mounton }; + allow $1 mountpoint:file mounton_file_perms; kernel_mounton_unlabeled_dirs($1) ') @@ -5750,6 +5750,25 @@ interface(`files_delete_kernel_symbol_table',` delete_files_pattern($1, boot_t, system_map_t) ') + +## +## Mount on a system.map in the /boot directory (for bind mounts). +## +## +## +## Domain allowed access. +## +## +# +interface(`files_mounton_kernel_symbol_table',` + gen_require(` + type boot_t, system_map_t; + ') + + allow $1 boot_t:dir search_dir_perms; + allow $1 system_map_t:file mounton_file_perms; +') + ## ## Search the contents of /var. @@ -7630,7 +7649,7 @@ interface(`files_polyinstantiate_all',` # Need to give access to parent directories where original # is remounted for polyinstantiation aware programs (like gdm) - allow $1 polyparent:dir { getattr mounton }; + allow $1 polyparent:dir mounton_dir_perms; # Need to give permission to create directories where applicable allow $1 self:process setfscreate; diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if index 6abcc1be6..022affde3 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if 
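Review bot: In `files_mounton_all_mountpoints` only the file rule is converted to `mounton_file_perms`; the directory rule is left as `allow $1 mountpoint:dir { search_dir_perms mounton };`, while `files_mounton_non_security` in the same file becomes `{ search mounton_dir_perms }`. If `mounton_dir_perms` is `{ getattr mounton }`, as the polyparent replacement further down suggests, then `allow $1 mountpoint:dir { search_dir_perms mounton_dir_perms };` is equivalent today and would follow any later change to the macro along with the other callers. The macro definitions themselves live in obj_perm_sets.spt, which is outside this view.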
@@ -1440,7 +1440,7 @@ interface(`kernel_mounton_message_if',` ') allow $1 proc_t:dir list_dir_perms; - allow $1 proc_kmsg_t:file { getattr mounton }; + allow $1 proc_kmsg_t:file mounton_file_perms; ') @@ -1792,7 +1792,7 @@ interface(`kernel_mounton_sysctl_dirs',` ') allow $1 proc_t:dir list_dir_perms; - allow $1 sysctl_t:dir { getattr mounton }; + allow $1 sysctl_t:dir mounton_dir_perms; ') ##
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
commit: ca3332b1b3ad6b6cc3b52bf8cff26e4407f93c92 Author: Russell Coker coker com au> AuthorDate: Fri Oct 6 10:48:52 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Oct 6 15:31:45 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ca3332b1 Label checkarray as mdadm_exec_t, allow it to read/write temp files inherited from cron, and dontaudit ps type operations from it Signed-off-by: Russell Coker coker.com.au> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/kernel/corecommands.fc | 1 - policy/modules/system/raid.fc | 2 ++ policy/modules/system/raid.te | 2 ++ 3 files changed, 4 insertions(+), 1 deletion(-) diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc index da5db80a2..21ec61464 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -320,7 +320,6 @@ ifdef(`distro_debian',` /usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/sbin/smrsh-- gen_context(system_u:object_r:shell_exec_t,s0) -/usr/share/mdadm/checkarray-- gen_context(system_u:object_r:bin_t,s0) /usr/share/(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/ajaxterm/ajaxterm\.py.* -- gen_context(system_u:object_r:bin_t,s0) /usr/share/ajaxterm/qweb\.py.* -- gen_context(system_u:object_r:bin_t,s0) diff --git a/policy/modules/system/raid.fc b/policy/modules/system/raid.fc index 84f1ab02a..ca16bdfdf 100644 --- a/policy/modules/system/raid.fc +++ b/policy/modules/system/raid.fc @@ -11,6 +11,8 @@ /usr/bin/mdmpd -- gen_context(system_u:object_r:mdadm_exec_t,s0) /usr/bin/raid-check-- gen_context(system_u:object_r:mdadm_exec_t,s0) +/usr/share/mdadm/checkarray -- gen_context(system_u:object_r:mdadm_exec_t,s0) + # Systemd unit files /usr/lib/systemd/system/[^/]*mdadm-.* -- gen_context(system_u:object_r:mdadm_unit_t,s0) /usr/lib/systemd/system/[^/]*mdmon.* -- gen_context(system_u:object_r:mdadm_unit_t,s0) 
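Review bot: Relabelling /usr/share/mdadm/checkarray from bin_t to mdadm_exec_t turns it into a domain entry point, and checkarray is, as far as I know, a shell script rather than a binary; after the cron transition mdadm_t must therefore be able to execute the shell and the utilities the script calls, and whether mdadm_t already has `corecmd_exec_shell` and `corecmd_exec_bin` cannot be seen from these hunks and should be checked before the label change lands. A short comment on the new line, `# checkarray is a script run from cron; entry point into mdadm_t`, would record why it is labelled apart from the mdadm binaries in the same file.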
diff --git a/policy/modules/system/raid.te b/policy/modules/system/raid.te index 907facf8d..c8db38261 100644 --- a/policy/modules/system/raid.te +++ b/policy/modules/system/raid.te @@ -57,6 +57,7 @@ dev_read_realtime_clock(mdadm_t) # create links in /dev/md dev_create_generic_symlinks(mdadm_t) +domain_dontaudit_search_all_domains_state(mdadm_t) domain_use_interactive_fds(mdadm_t) files_read_etc_files(mdadm_t) @@ -95,6 +96,7 @@ userdom_dontaudit_search_user_home_content(mdadm_t) optional_policy(` cron_system_entry(mdadm_t, mdadm_exec_t) + cron_rw_inherited_tmp_files(mdadm_t) ') optional_policy(`
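Review bot: `domain_dontaudit_search_all_domains_state(mdadm_t)` silences searches of every domain's /proc/<pid> directory, which also hides any future denial that would be worth seeing; since it sits among unrelated rules with no explanation, a why-comment tied to the commit message is warranted, e.g. `# checkarray runs ps-style commands; silence /proc/<pid> searches`. The `cron_rw_inherited_tmp_files(mdadm_t)` addition is correctly placed inside the cron optional block.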
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/, policy/modules/services/
commit: c26f03fa94aa2e08b219d5040970d21c1c26869c Author: Kenton Groombridge concord sh> AuthorDate: Mon Mar 6 15:14:55 2023 + Commit: Kenton Groombridge gentoo org> CommitDate: Fri Mar 31 17:11:27 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c26f03fa various: make /etc/machine-id etc_runtime_t This file is updated at boot by systemd. Signed-off-by: Kenton Groombridge concord.sh> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/kernel/files.fc | 1 + policy/modules/services/dbus.te | 2 ++ policy/modules/system/systemd.te | 6 ++ 3 files changed, 9 insertions(+) diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc index b22d97997..708abd32e 100644 --- a/policy/modules/kernel/files.fc +++ b/policy/modules/kernel/files.fc @@ -53,6 +53,7 @@ ifdef(`distro_suse',` /etc/ioctl\.save -- gen_context(system_u:object_r:etc_runtime_t,s0) /etc/killpower -- gen_context(system_u:object_r:etc_runtime_t,s0) /etc/localtime -l gen_context(system_u:object_r:etc_t,s0) +/etc/machine-id-- gen_context(system_u:object_r:etc_runtime_t,s0) /etc/mtab -- gen_context(system_u:object_r:etc_runtime_t,s0) /etc/mtab~[0-9]* -- gen_context(system_u:object_r:etc_runtime_t,s0) /etc/mtab\.tmp -- gen_context(system_u:object_r:etc_runtime_t,s0) diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te index 29ada52aa..f6d502940 100644 --- a/policy/modules/services/dbus.te +++ b/policy/modules/services/dbus.te @@ -197,6 +197,8 @@ ifdef(`init_systemd', ` dev_rw_dri(system_dbusd_t) dev_rw_input_dev(system_dbusd_t) + files_read_etc_runtime_files(system_dbusd_t) + # for /run/systemd/dynamic-uid/ init_list_runtime(system_dbusd_t) init_read_runtime_symlinks(system_dbusd_t) diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index cf91547e2..db594e615 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te 
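Review bot: Moving /etc/machine-id from etc_t to etc_runtime_t widens who may write it: etc_runtime_t is the type shared with /etc/mtab and the other boot-time files in this hunk, so every domain already granted write or manage access to etc_runtime_t files gains the ability to rewrite the machine ID, and the systemd.te part of this commit shows systemd_pcrphase_t reading it for TPM measurement. If only init needs to create it at boot, a dedicated type would be safer, or at least the line should carry a comment recording that the widening was considered, e.g. `# written once at boot by systemd; any etc_runtime_t writer can change it`.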
@@ -493,6 +493,7 @@ dev_write_sysfs_dirs(systemd_generator_t) dev_read_urand(systemd_generator_t) files_read_etc_files(systemd_generator_t) +files_read_etc_runtime_files(systemd_generator_t) files_search_runtime(systemd_generator_t) files_list_boot(systemd_generator_t) files_read_boot_files(systemd_generator_t) @@ -857,6 +858,7 @@ dev_setattr_dri_dev(systemd_logind_t) dev_setattr_generic_usb_dev(systemd_logind_t) dev_setattr_input_dev(systemd_logind_t) dev_setattr_kvm_dev(systemd_logind_t) +files_read_etc_runtime_files(systemd_logind_t) dev_setattr_sound_dev(systemd_logind_t) dev_setattr_video_dev(systemd_logind_t) @@ -1140,6 +1142,7 @@ dev_read_sysfs(systemd_networkd_t) dev_write_kmsg(systemd_networkd_t) files_read_etc_files(systemd_networkd_t) +files_read_etc_runtime_files(systemd_networkd_t) files_watch_runtime_dirs(systemd_networkd_t) files_watch_root_dirs(systemd_networkd_t) files_list_runtime(systemd_networkd_t) @@ -1415,6 +1418,9 @@ dontaudit systemd_pcrphase_t self:capability net_admin; dev_rw_tpm(systemd_pcrphase_t) dev_write_kmsg(systemd_pcrphase_t) +# read /etc/machine-id +files_read_etc_runtime_files(systemd_pcrphase_t) + fs_read_efivarfs_files(systemd_pcrphase_t) fs_getattr_cgroup(systemd_pcrphase_t) fs_search_cgroup_dirs(systemd_pcrphase_t)
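Review bot: In the systemd_logind_t hunk the new `files_read_etc_runtime_files(systemd_logind_t)` is dropped between `dev_setattr_kvm_dev` and `dev_setattr_sound_dev`, splitting the sorted run of dev_* calls; the other three insertions in this commit keep the alphabetical grouping (`files_read_etc_files` followed by `files_read_etc_runtime_files`), so move the logind line below `dev_setattr_video_dev(systemd_logind_t)` with the other files_* rules. The pcrphase addition carries a `# read /etc/machine-id` comment; the other three would benefit from the same so the reason for reading etc_runtime content is not lost.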
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
commit: ef6668a7d48e72ecd3513518f32449c4c0bc8423 Author: Corentin LABBE gmail com> AuthorDate: Fri Dec 16 07:15:19 2022 + Commit: Kenton Groombridge gentoo org> CommitDate: Mon Feb 13 15:19:51 2023 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ef6668a7 rsyslog: add label for /var/empty/dev/log On gentoo, starting rsyslog give this: allow syslogd_t var_t:dir { add_name remove_name }; allow syslogd_t var_t:sock_file { create setattr unlink }; This is due to the following piece of code in configuration: """ Create an additional socket for the default chroot location (used by net-misc/openssh[hpn], see https://bugs.gentoo.org/490744) input(type="imuxsock" Socket="/var/empty/dev/log") """ So let's add correct label for this file Signed-off-by: Corentin LABBE gmail.com> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/kernel/devices.fc | 4 policy/modules/system/logging.fc | 4 2 files changed, 8 insertions(+) diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc index 84427423c..da21259b8 100644 --- a/policy/modules/kernel/devices.fc +++ b/policy/modules/kernel/devices.fc @@ -236,3 +236,7 @@ ifdef(`distro_redhat',` /var/named/chroot/dev/random -c gen_context(system_u:object_r:random_device_t,s0) /var/named/chroot/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0) ') + +ifdef(`distro_gentoo',` +/var/empty/dev -d gen_context(system_u:object_r:device_t,s0) +') diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc index 5681acb51..3b0dea51b 100644 --- a/policy/modules/system/logging.fc +++ b/policy/modules/system/logging.fc 
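Review bot: Labelling /var/empty/dev as device_t places a device-typed directory inside /var/empty, which the description identifies as the openssh chroot; every domain allowed to create or manage content in device_t directories can now populate a directory inside that chroot. That trade-off is probably acceptable for a single log socket, but it should be written down next to the rule, e.g. `# rsyslog imuxsock socket for the openssh[hpn] chroot, see bug 490744`. The file context only takes effect on relabel; the runtime creation path depends on the logging.fc part of this commit and on existing syslogd_t rules that are not in this hunk.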
@@ -68,6 +68,10 @@ ifdef(`distro_redhat',` /var/named/chroot/dev/log -s gen_context(system_u:object_r:devlog_t,s0) ') +ifdef(`distro_gentoo',` +/var/empty/dev/log -s gen_context(system_u:object_r:devlog_t,s0) +') + /run/audit_events -s gen_context(system_u:object_r:auditd_runtime_t,mls_systemhigh) /run/audispd_events-s gen_context(system_u:object_r:audisp_runtime_t,mls_systemhigh) /run/auditd\.pid -- gen_context(system_u:object_r:auditd_runtime_t,mls_systemhigh)
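Review bot: The `/var/empty/dev/log -s devlog_t` context only labels a socket that already exists at relabel time; rsyslog creates the socket itself at start-up, so what actually matters is that syslogd_t has a sock_file type transition from device_t to devlog_t for the name `log`, as it presumably does for /dev/log. If that transition is keyed on device_t regardless of path it will work here too, but the commit would be more convincing with the post-change audit result or a note that `restorecon -R /var/empty/dev` is not needed after each restart.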
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
commit: 495622d3b23f95f5645afa087020240af0951f97 Author: Kenton Groombridge concord sh> AuthorDate: Wed Dec 7 15:27:48 2022 + Commit: Kenton Groombridge gentoo org> CommitDate: Tue Dec 13 19:07:34 2022 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=495622d3 filesystem, init: allow systemd to setattr on ramfs dirs This is needed by systemd-creds on system boot. Without this access, many services fail to start. Observed on systemd-252 on Gentoo. type=PROCTITLE msg=audit(1670295099.238:180306): proctitle="(sd-mkdcreds)" type=PATH msg=audit(1670295099.238:180306): item=0 name=(null) inode=16711 dev=00:2c mode=040700 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ramfs_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(1670295099.238:180306): cwd="/" type=SYSCALL msg=audit(1670295099.238:180306): arch=c03e syscall=91 success=no exit=-13 a0=3 a1=140 a2=77fb64c2bd90 a3=e9dbd3ce8cce3dba items=1 ppid=23082 pid=23083 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(sd-mkdcreds)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null) type=AVC msg=audit(1670295099.238:180306): avc: denied { setattr } for pid=23083 comm="(sd-mkdcreds)" name="/" dev="ramfs" ino=16711 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:ramfs_t:s0 tclass=dir permissive=0 Signed-off-by: Kenton Groombridge concord.sh> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/kernel/filesystem.if | 19 +++ policy/modules/system/init.te | 2 ++ 2 files changed, 21 insertions(+) diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if index c1078d796..af2023e62 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if 
@@ -4778,6 +4778,25 @@ interface(`fs_dontaudit_search_ramfs',` dontaudit $1 ramfs_t:dir search_dir_perms; ') + +## +## Set the attributes of directories on +## a ramfs. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_setattr_ramfs_dirs',` + gen_require(` + type ramfs_t; + ') + + allow $1 ramfs_t:dir setattr; +') + ## ## Create, read, write, and delete diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index 310655045..7249dd13f 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -473,6 +473,8 @@ ifdef(`init_systemd',` fs_create_pstore_dirs(init_t) # for network namespaces fs_read_nsfs_files(init_t) + # needed by systemd-creds + fs_setattr_ramfs_dirs(init_t) init_manage_all_unit_files(init_t) init_read_script_state(init_t)
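Review bot: `fs_setattr_ramfs_dirs` grants `setattr` on every ramfs_t directory, not only the credentials mount that systemd-creds chmods (the quoted denial is an fchmod on a ramfs root), because ramfs_t is the single type for all ramfs mounts; that is acceptable for init_t, but the interface summary should say so, e.g. `## Set the attributes (mode, owner, timestamps) of directories on any ramfs.`. The `# needed by systemd-creds` comment added in init.te is the right kind of why-comment; naming the systemd version (252) from the commit message there would help, since the need is version-dependent.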
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/, policy/modules/services/
commit: 813eb9b92bf4f592dcedf24a2e18d2645d07ea4a Author: Chris PeBenito linux microsoft com> AuthorDate: Wed Aug 17 17:54:09 2022 + Commit: Jason Zaman gentoo org> CommitDate: Sat Sep 3 19:07:49 2022 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=813eb9b9 hypervkvp: Port updated module from Fedora policy. Change to refpolicy interfaces and fix optional blocks. Signed-off-by: Chris PeBenito linux.microsoft.com> Signed-off-by: Jason Zaman gentoo.org> policy/modules/kernel/devices.fc | 3 + policy/modules/kernel/devices.if | 36 policy/modules/kernel/devices.te | 9 ++ policy/modules/kernel/files.if | 18 policy/modules/services/dbus.if | 19 + policy/modules/services/hypervkvp.fc | 8 +- policy/modules/services/hypervkvp.te | 154 +-- policy/modules/system/sysnetwork.if | 18 8 files changed, 258 insertions(+), 7 deletions(-) diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc index 19b06ab7..84427423 100644 --- a/policy/modules/kernel/devices.fc +++ b/policy/modules/kernel/devices.fc @@ -196,6 +196,9 @@ ifdef(`distro_suse', ` /dev/usb/mdc800.* -c gen_context(system_u:object_r:scanner_device_t,s0) /dev/usb/scanner.* -c gen_context(system_u:object_r:scanner_device_t,s0) +/dev/vmbus/hv_kvp -c gen_context(system_u:object_r:hyperv_kvp_device_t,s0) +/dev/vmbus/hv_vss -c gen_context(system_u:object_r:hyperv_vss_device_t,s0) + /dev/wmi/dell-smbios -c gen_context(system_u:object_r:acpi_bios_t,s0) /dev/xen/blktap.* -c gen_context(system_u:object_r:xen_device_t,s0) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if index bfb08b21..ba652e81 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if 
@@ -2368,6 +2368,42 @@ interface(`dev_rw_framebuffer',` rw_chr_files_pattern($1, device_t, framebuf_device_t) ') + +## +## Allow read/write the hypervkvp device +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_rw_hyperv_kvp',` + gen_require(` + type device_t, hyperv_kvp_device_t; + ') + + rw_chr_files_pattern($1, device_t, hyperv_kvp_device_t) +') + + +## +## Allow read/write the hypervvssd device +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_rw_hyperv_vss',` + gen_require(` + type device_t, hyperv_vss_device_t; + ') + + rw_chr_files_pattern($1, device_t, hyperv_vss_device_t) +') + ## ## Read the kernel messages diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te index 8ac7c212..49718cc2 100644 --- a/policy/modules/kernel/devices.te +++ b/policy/modules/kernel/devices.te @@ -122,6 +122,15 @@ dev_node(freefall_device_t) type gpiochip_device_t; dev_node(gpiochip_device_t) +# +# Types for Hyper-V guest devices +# +type hyperv_kvp_device_t; +dev_node(hyperv_kvp_device_t) + +type hyperv_vss_device_t; +dev_node(hyperv_vss_device_t) + # # Type for /dev/infiniband/* # diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index fb27ed18..eeed098c 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -1846,6 +1846,24 @@ interface(`files_dontaudit_list_all_mountpoints',` dontaudit $1 mountpoint:dir list_dir_perms; ') + +## +## Check if all mountpoints are writable. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_write_all_mountpoints',` + gen_require(` + attribute mountpoint; + ') + + allow $1 mountpoint:dir write; +') + ## ## Do not audit attempts to write to mount points. diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if index 3dfeadf9..432eae55 100644 --- a/policy/modules/services/dbus.if +++ b/policy/modules/services/dbus.if 
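Review bot: `files_write_all_mountpoints` allows `mountpoint:dir write` on every directory carrying the mountpoint attribute, including `/`, yet its summary reads `## Check if all mountpoints are writable.`; the name promises more than an access(2) probe and the summary promises less than the rule, and nothing in the hunk says which one the hypervkvp caller (outside this view) needs. If the intent is only the writability check, say so in the summary, `## Allow the write permission on all mountpoints, as needed for access(2) writability checks; no add_name or remove_name is granted.`, so nobody later "completes" it into a manage rule by habit. The two Hyper-V device interfaces and types follow the existing dev_node pattern.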
@@ -647,6 +647,25 @@ interface(`dbus_watch_system_bus_runtime_dirs',` allow $1 system_dbusd_runtime_t:dir watch; ') + +## +## Read system bus runtime files. +## +## +## +## Domain allowed access. +## +## +# +interface(`dbus_read_system_bus_runtime_files',` + gen_require(` + type system_dbusd_runtime_t; + ') + + allow $1 system_dbusd_runtime_t:file read; +') + + ## ## List system bus runtime directories. diff --git a/policy/modules/services/hypervkvp.fc b/policy/modules/services/hypervkvp.fc index d1bbb44c..aa585191 100644 --- a/policy/modules/services/hypervkvp.fc +++ b/policy/modules/
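Review bot: `dbus_read_system_bus_runtime_files` grants bare `system_dbusd_runtime_t:file read` without `open` or `getattr`, so a caller can only read such a file through a descriptor it inherited already open; if that is the intent the summary should say `## Read system bus runtime files via an inherited file descriptor.`, and if the caller opens the file itself the usual refpolicy form is `read_files_pattern($1, system_dbusd_runtime_t, system_dbusd_runtime_t)` or at least `read_file_perms`. The hypervkvp.te consumer is outside this view, so I cannot tell which applies.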
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
commit: 9f6c6ae09df158fda4a027209642d9393c471b03 Author: Kenton Groombridge concord sh> AuthorDate: Sat May 7 01:16:29 2022 + Commit: Jason Zaman gentoo org> CommitDate: Sat Sep 3 18:41:55 2022 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9f6c6ae0 term, init: allow systemd to watch and watch reads on unallocated ttys As of systemd 250, systemd needs to be able to add a watch on and watch reads on unallocated ttys in order to start getty. systemd[55548]: getty tty1.service: Failed to set up standard input: Permission denied systemd[55548]: getty tty1.service: Failed at step STDIN spawning /sbin/agetty: Permission denied time->Fri May 6 21:17:58 2022 type=PROCTITLE msg=audit(1651886278.452:1770): proctitle="(agetty)" type=PATH msg=audit(1651886278.452:1770): item=0 name="/dev/tty1" inode=18 dev=00:05 mode=020620 ouid=0 ogid=5 rdev=04:01 obj=system_u:object_r:tty_device_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(1651886278.452:1770): cwd="/" type=SYSCALL msg=audit(1651886278.452:1770): arch=c03e syscall=254 success=no exit=-13 a0=3 a1=60ba5c21e020 a2=18 a3=23 items=1 ppid=1 pid=1 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(agetty)" exe="/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null) type=AVC msg=audit(1651886278.452:1770): avc: denied { watch watch_reads } for pid=1 comm="(agetty)" path="/dev/tty1" dev="devtmpfs" ino=18 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file permissive=0 Signed-off-by: Kenton Groombridge concord.sh> Signed-off-by: Jason Zaman gentoo.org> policy/modules/kernel/terminal.if | 38 ++ policy/modules/system/init.te | 2 ++ 2 files changed, 40 insertions(+) diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if index 55c18dff..e5645c7c 100644 --- a/policy/modules/kernel/terminal.if +++ b/policy/modules/kernel/terminal.if 
@@ -1284,6 +1284,44 @@ interface(`term_dontaudit_use_unallocated_ttys',` dontaudit $1 tty_device_t:chr_file rw_chr_file_perms; ') + +## +## Watch unallocated ttys. +## +## +## +## Domain allowed access. +## +## +# +interface(`term_watch_unallocated_ttys',` + gen_require(` + type tty_device_t; + ') + + dev_list_all_dev_nodes($1) + allow $1 tty_device_t:chr_file watch; +') + + +## +## Watch reads on unallocated ttys. +## +## +## +## Domain allowed access. +## +## +# +interface(`term_watch_reads_unallocated_ttys',` + gen_require(` + type tty_device_t; + ') + + dev_list_all_dev_nodes($1) + allow $1 tty_device_t:chr_file watch_reads; +') + ## ## Get the attributes of all tty device nodes. diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index db06551c..a93eefed 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -523,6 +523,8 @@ ifdef(`init_systemd',` term_create_devpts_dirs(init_t) term_create_ptmx(init_t) term_create_controlling_term(init_t) + term_watch_unallocated_ttys(init_t) + term_watch_reads_unallocated_ttys(init_t) # udevd is a "systemd kobject uevent socket activated daemon" udev_create_kobject_uevent_sockets(init_t)
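Review bot: Both new interfaces pull in `dev_list_all_dev_nodes($1)` alongside the single chr_file permission, so a caller that only wants the inotify watch also gets listing of every device directory; that seems to mirror how the neighbouring tty interfaces are written, but for `watch_reads`, which reports every read on the tty to the watcher, a note in the summary that this is intended for init-style managers rather than ordinary domains would discourage casual reuse. In init.te the two calls are added without a comment; `# systemd >= 250 watches unallocated ttys before spawning getty`, taken from the commit message, would explain why PID 1 needs them.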
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
commit: 4ca347319929cb5a24faf7eb587cabda640f28bd Author: Krzysztof Nowicki op pl> AuthorDate: Thu Aug 13 06:44:22 2020 + Commit: Jason Zaman gentoo org> CommitDate: Mon Feb 15 19:49:24 2021 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4ca34731 Allow use of systemd UNIX sockets created at initrd execution Systemd uses a number of UNIX sockets for communication (notify socket [1], journald socket). These sockets are normally created at start-up after the SELinux policy is loaded, which means that the kernel socket objects have proper security contexts of the creating processes. Unfortunately things look different when the system is started with an initrd that is also running systemd (e.g. dracut). In such a case the sockets are created in the initrd systemd environment before the SELinux policy is loaded and therefore the socket object is assigned the default kernel context (system_u:system_r:kernel_t). When the initrd systemd transfers control to the main systemd the notify socket descriptors are passed to the main systemd process [2]. This means that when the main system is running the sockets will use the default kernel security context until they are recreated, which for some sockets (notify socket) never happens. Until there is a way to change the context of an already open socket object all processes that wish to use systemd sockets need to be able to send datagrams to system_u:system_r:kernel_t sockets. Parts of this workaround were earlier hidden behind RedHat-specific rules, since this distribution is the prime user of systemd+dracut combo. Since other distros may want to use similar configuration it makes sense to enable this globally. [1] sd_notify(3) [2] https://github.com/systemd/systemd/issues/16714 Signed-off-by: Krzysztof Nowicki op.pl> tmp 
Signed-off-by: Jason Zaman gentoo.org> policy/modules/kernel/kernel.if | 18 ++ policy/modules/system/init.te| 5 + policy/modules/system/logging.if | 5 ++--- policy/modules/system/logging.te | 7 --- 4 files changed, 29 insertions(+), 6 deletions(-) diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if index ebd73aca..18002e67 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if @@ -365,6 +365,24 @@ interface(`kernel_dgram_send',` allow $1 kernel_t:unix_dgram_socket sendto; ') + +## +## Send messages to kernel netlink audit sockets. +## +## +## +## Domain allowed access. +## +## +# +interface(`kernel_rw_netlink_audit_sockets',` + gen_require(` + type kernel_t; + ') + + allow $1 kernel_t:netlink_audit_socket { rw_netlink_socket_perms }; +') + ## ## Allows caller to load kernel modules diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index ba82d84a..f711e535 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -312,6 +312,8 @@ ifdef(`init_systemd',` kernel_setsched(init_t) kernel_link_key(init_t) kernel_rw_unix_sysctls(init_t) + kernel_rw_stream_sockets(init_t) + kernel_rw_unix_dgram_sockets(init_t) # run systemd misc initializations # in the initrc_t domain, as would be @@ -1032,6 +1034,9 @@ ifdef(`init_systemd',` allow initrc_t systemdunit:service reload; allow initrc_t init_script_file_type:service { stop start status reload }; + # Access to notify socket for services with Type=notify + kernel_dgram_send(initrc_t) + # run systemd misc initializations # in the initrc_t domain, as would be # done in traditional sysvinit/upstart. diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if index 0f6efef8..e3851303 100644 --- a/policy/modules/system/logging.if +++ b/policy/modules/system/logging.if 
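Review bot: `kernel_rw_netlink_audit_sockets` is documented as `## Send messages to kernel netlink audit sockets.` but grants `rw_netlink_socket_perms`, a read/write set, and the braces around a single macro in `{ rw_netlink_socket_perms }` are redundant compared with `kernel_dgram_send` just above; suggest `allow $1 kernel_t:netlink_audit_socket rw_netlink_socket_perms;` with the summary `## Read and write kernel netlink audit sockets.`. This interface is not mentioned in the commit message, which discusses unix notify and journald sockets, and its caller is not in the visible hunks, so it is unclear whether it belongs to this change.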
@@ -681,10 +681,9 @@ interface(`logging_send_syslog_msg',` # Allow systemd-journald to check whether the process died allow syslogd_t $1:process signull; - ifdef(`distro_redhat',` - kernel_dgram_send($1) - ') + kernel_dgram_send($1) ') + ') diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te index fb0fe124..a6868af0 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -501,9 +501,6 @@ auth_use_nsswitch(syslogd_t) init_use_fds(syslogd_t) -# cjp: this doesnt make sense -logging_send_syslog_msg(syslogd_t) - miscfiles_read_localization(syslogd_t) seutil_read_config(syslogd_t) @@ -525,6 +522,7 @@ ifdef(`init_systemd',` kernel_read_ring_buffer(syslogd_t) kernel_rw_stream_sockets(syslogd_t) kernel_rw_unix_dgram_sockets(syslogd_t) +
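Review bot: Dropping the `ifdef(`distro_redhat',` guard makes `kernel_dgram_send($1)` unconditional for every domain that calls `logging_send_syslog_msg()`, yet nothing at the call site records why a `kernel_t` socket is involved in sending a syslog message; add a comment such as `# journald's socket keeps kernel_t when inherited from an initrd systemd` above the rule. The hunk also appears to add an empty line between the two closing `')` lines, which looks like stray whitespace rather than part of the change (hard to be certain from the collapsed diff). The interface definition starts before the hunk.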
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/, policy/modules/services/
commit: 38249e1e570984cbc60f21a12e0323a2e852a463 Author: Kenton Groombridge concord sh> AuthorDate: Tue Feb 2 15:52:59 2021 + Commit: Jason Zaman gentoo org> CommitDate: Sat Feb 6 21:15:09 2021 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=38249e1e Various fixes Allow dovecot to watch the mail spool, and add various dontaudit rules for several other domains. Signed-off-by: Kenton Groombridge concord.sh> Signed-off-by: Jason Zaman gentoo.org> policy/modules/kernel/kernel.if | 18 ++ policy/modules/services/dovecot.te | 3 +++ policy/modules/services/mta.if | 18 ++ policy/modules/services/ssh.te | 2 ++ policy/modules/system/authlogin.te | 3 +++ policy/modules/system/selinuxutil.te | 1 + 6 files changed, 45 insertions(+) diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if index 5869eb50..ebd73aca 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if @@ -910,6 +910,24 @@ interface(`kernel_getattr_proc',` allow $1 proc_t:filesystem getattr; ') + +## +## Do not audit attempts to get the attributes of the proc filesystem. +## +## +## +## Domain to not audit. +## +## +# +interface(`kernel_dontaudit_getattr_proc',` + gen_require(` + type proc_t; + ') + + dontaudit $1 proc_t:filesystem getattr; +') + ## ## Mount on proc directories. diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te index a2d1cc5e..16fa4e52 100644 --- a/policy/modules/services/dovecot.te +++ b/policy/modules/services/dovecot.te @@ -207,6 +207,7 @@ optional_policy(` optional_policy(` mta_manage_spool(dovecot_t) + mta_watch_spool(dovecot_t) mta_manage_mail_home_rw_content(dovecot_t) mta_home_filetrans_mail_home_rw(dovecot_t, dir, "Maildir") mta_home_filetrans_mail_home_rw(dovecot_t, dir, ".maildir") 
@@ -255,6 +256,8 @@ manage_sock_files_pattern(dovecot_auth_t, dovecot_runtime_t, dovecot_runtime_t) allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms }; +kernel_dontaudit_getattr_proc(dovecot_auth_t) + files_search_runtime(dovecot_auth_t) files_read_usr_files(dovecot_auth_t) files_read_var_lib_files(dovecot_auth_t) diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if index 7039a7f0..5266d52c 100644 --- a/policy/modules/services/mta.if +++ b/policy/modules/services/mta.if @@ -991,6 +991,24 @@ interface(`mta_manage_spool',` manage_lnk_files_pattern($1, mail_spool_t, mail_spool_t) ') + +## +## Watch mail spool content. +## +## +## +## Domain allowed access. +## +## +# +interface(`mta_watch_spool',` + gen_require(` + type mail_spool_t; + ') + + allow $1 mail_spool_t:{ dir file } watch; +') + ### ## ## Create specified objects in the diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te index 16e86fbf..63a0d824 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -262,6 +262,8 @@ corenet_sendrecv_xserver_server_packets(sshd_t) ifdef(`distro_debian',` allow sshd_t self:process { getcap setcap }; auth_use_pam_motd_dynamic(sshd_t) +',` + dontaudit sshd_t self:process { getcap setcap }; ') ifdef(`init_systemd',` diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te index 96ebfa27..f5da5048 100644 --- a/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te @@ -104,6 +104,9 @@ allow chkpwd_t shadow_t:file read_file_perms; files_list_etc(chkpwd_t) kernel_read_crypto_sysctls(chkpwd_t) +kernel_dontaudit_search_kernel_sysctl(chkpwd_t) +kernel_dontaudit_read_kernel_sysctl(chkpwd_t) +kernel_dontaudit_getattr_proc(chkpwd_t) domain_dontaudit_use_interactive_fds(chkpwd_t) diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te index 560e6c8a..ec65eb88 100644 
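Review bot: The new non-Debian branch `dontaudit sshd_t self:process { getcap setcap };` silences a denial without saying why the attempt is expected to be harmless, while the Debian branch allows the very same permissions; a reader cannot tell whether a silently failed capset affects sshd's privilege dropping on other distros. Add a why-comment on the dontaudit, e.g. `# sshd probes capabilities at startup; failure is non-fatal outside Debian -- TODO confirm`, or state in the commit message which sshd code path triggers it. The enclosing `ifdef(`distro_debian',` block is fully visible, but the surrounding sshd_t rules are outside the hunk.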
--- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te @@ -500,6 +500,7 @@ files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir }) kernel_read_system_state(semanage_t) kernel_read_kernel_sysctls(semanage_t) +kernel_dontaudit_getattr_proc(semanage_t) corecmd_exec_bin(semanage_t) corecmd_exec_shell(semanage_t)
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
commit: de9c38bc9643b4d761a7eff93400c2232d75220c Author: Anthony PERARD citrix com> AuthorDate: Tue Oct 27 17:22:28 2020 + Commit: Jason Zaman gentoo org> CommitDate: Mon Nov 16 09:03:43 2020 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=de9c38bc xen: Allow xenstored to map /proc/xen/xsd_kva xenstored is using mmap() on /proc/xen/xsd_kva, and when the SELinux boolean "domain_can_mmap_files" in CentOS is set to false the mmap() call fails. Signed-off-by: Anthony PERARD citrix.com> Signed-off-by: Jason Zaman gentoo.org> policy/modules/kernel/filesystem.if | 18 ++ policy/modules/system/xen.te| 1 + 2 files changed, 19 insertions(+) diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if index aa855bd0..05ddc598 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -5328,6 +5328,24 @@ interface(`fs_manage_xenfs_files',` manage_files_pattern($1, xenfs_t, xenfs_t) ') + +## +## Map files a XENFS filesystem. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_mmap_xenfs_files',` + gen_require(` + type xenfs_t; + ') + + allow $1 xenfs_t:file map; +') + ## ## Do not audit attempts to create, diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te index 2c95d0ca..82328cbb 100644 --- a/policy/modules/system/xen.te +++ b/policy/modules/system/xen.te @@ -459,6 +459,7 @@ files_read_usr_files(xenstored_t) fs_search_xenfs(xenstored_t) fs_manage_xenfs_files(xenstored_t) +fs_mmap_xenfs_files(xenstored_t) term_use_generic_ptys(xenstored_t)
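Review bot: The summary of the new `fs_mmap_xenfs_files` interface reads `Map files a XENFS filesystem.`, which is missing a word; it should read `## Map files on a XENFS filesystem.`, matching the sibling `fs_manage_xenfs_files` wording shown in the context. The rule itself, `allow $1 xenfs_t:file map;`, is the right permission for the `mmap()` of `/proc/xen/xsd_kva` described in the message, but note it only applies if that file is actually labeled `xenfs_t`, which the message implies and the diff does not show.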
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
commit: 405b164fb380ec576ac7b278436180f2df4efbdc Author: Deepak Rawat gmail com> AuthorDate: Mon Oct 5 18:18:28 2020 + Commit: Jason Zaman gentoo org> CommitDate: Sun Oct 11 21:14:40 2020 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=405b164f Add selinux-policy for systemd-pstore service systemd-pstore is a service to archive contents of pstore. Signed-off-by: Deepak Rawat gmail.com> Signed-off-by: Jason Zaman gentoo.org> policy/modules/kernel/devices.if| 26 + policy/modules/kernel/filesystem.if | 58 + policy/modules/system/systemd.fc| 2 ++ policy/modules/system/systemd.te| 37 +++ 4 files changed, 123 insertions(+) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if index f1808c5c..1fae36ed 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -4499,6 +4499,32 @@ interface(`dev_read_sysfs',` list_dirs_pattern($1, sysfs_t, sysfs_t) ') + +## +## Write to hardware state information. +## +## +## +## Allow the specified domain to write to the sysfs +## filesystem. +## +## +## +## +## Domain allowed access. +## +## +## +# +interface(`dev_write_sysfs',` + gen_require(` + type sysfs_t; + ') + + list_dirs_pattern($1, sysfs_t, sysfs_t) + write_files_pattern($1, sysfs_t, sysfs_t) +') + ## ## Allow caller to modify hardware state information. diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if index 79e87e0f..aa855bd0 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if 
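Review bot: `dev_write_sysfs` grants `write_files_pattern($1, sysfs_t, sysfs_t)` on the generic sysfs type, i.e. write to any sysfs attribute that does not carry a more specific label, and the description `Allow the specified domain to write to the sysfs filesystem.` does not say which files the pstore service needs. If systemd-pstore only touches a few known paths, name them in the summary or at the caller (the systemd.te hunk is cut off in this chunk) so a later reviewer can judge whether a dedicated type would be tighter; `# TODO confirm which sysfs files systemd-pstore writes` would do for now. The other `dev_*_sysfs` interfaces carry a `Related interfaces` section; this one should probably point at `dev_read_sysfs`, since write alone does not grant reading back the same files.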
@@ -3868,6 +3868,64 @@ interface(`fs_relabel_pstore_dirs',` relabel_dirs_pattern($1, pstore_t, pstore_t) ') + +## +## List the directories +## of a pstore filesystem. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_list_pstore_dirs',` + gen_require(` + type pstore_t; + ') + + allow $1 pstore_t:dir list_dir_perms; + dev_search_sysfs($1) +') + + +## +## Read pstore_t files +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_read_pstore_files',` + gen_require(` + type pstore_t; + ') + + allow $1 pstore_t:file read_file_perms; +') + + +## +## Delete the files +## of a pstore filesystem. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_delete_pstore_files',` + gen_require(` + type pstore_t; + ') + + delete_files_pattern($1, pstore_t, pstore_t) + dev_search_sysfs($1) +') + ## ## Allow the type to associate to ramfs filesystems. diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc index f61850b2..34637068 100644 --- a/policy/modules/system/systemd.fc +++ b/policy/modules/system/systemd.fc @@ -33,6 +33,7 @@ /usr/lib/systemd/systemd-machined -- gen_context(system_u:object_r:systemd_machined_exec_t,s0) /usr/lib/systemd/systemd-modules-load -- gen_context(system_u:object_r:systemd_modules_load_exec_t,s0) /usr/lib/systemd/systemd-networkd -- gen_context(system_u:object_r:systemd_networkd_exec_t,s0) +/usr/lib/systemd/systemd-pstore-- gen_context(system_u:object_r:systemd_pstore_exec_t,s0) /usr/lib/systemd/systemd-resolved -- gen_context(system_u:object_r:systemd_resolved_exec_t,s0) /usr/lib/systemd/systemd-rfkill-- gen_context(system_u:object_r:systemd_rfkill_exec_t,s0) /usr/lib/systemd/systemd-update-done -- gen_context(system_u:object_r:systemd_update_done_exec_t,s0) 
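Review bot: `fs_read_pstore_files` is inconsistent with its two new siblings: `fs_list_pstore_dirs` and `fs_delete_pstore_files` both add `dev_search_sysfs($1)` so the caller can reach `/sys/fs/pstore`, while the read interface grants only `allow $1 pstore_t:file read_file_perms;` and works only if the caller obtains search access through another interface. Either add `dev_search_sysfs($1)` there too, or document the dependency in its summary. The summary `Read pstore_t files` also departs from the `of a pstore filesystem` phrasing its siblings use; `## Read the files of a pstore filesystem.` would match.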
@@ -57,6 +58,7 @@ /var/lib/systemd/backlight(/.*)? gen_context(system_u:object_r:systemd_backlight_var_lib_t,s0) /var/lib/systemd/coredump(/.*)? gen_context(system_u:object_r:systemd_coredump_var_lib_t,s0) /var/lib/systemd/linger(/.*)? gen_context(system_u:object_r:systemd_logind_var_lib_t,s0) +/var/lib/systemd/pstore(/.*)? gen_context(system_u:object_r:systemd_pstore_var_lib_t,s0) /var/lib/systemd/rfkill(/.*)? gen_context(system_u:object_r:systemd_rfkill_var_lib_t,s0) /run/\.nologin[^/]*-- gen_context(system_u:object_r:systemd_sessions_runtime_t,s0) diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index a1c00d62..495e9e08 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -168,6 +168,13 @@ files_runtime_file(systemd_nspawn_runtime_t) type systemd_nspawn_tmp_t; files_tmp_file(systemd_nspawn_tmp_t) +t
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/, policy/modules/services/
commit: de272a83fd640df62020dd924780ccd76e7b67a4 Author: Chris PeBenito ieee org> AuthorDate: Tue Sep 22 12:27:05 2020 + Commit: Jason Zaman gentoo org> CommitDate: Sun Oct 11 21:14:40 2020 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=de272a83 corecommands, dbus, locallogin, logging, sysnetwork, systemd, udev: Module version bump. Signed-off-by: Chris PeBenito ieee.org> Signed-off-by: Jason Zaman gentoo.org> policy/modules/kernel/corecommands.te | 2 +- policy/modules/services/dbus.te | 2 +- policy/modules/system/locallogin.te | 2 +- policy/modules/system/logging.te | 2 +- policy/modules/system/sysnetwork.te | 2 +- policy/modules/system/systemd.te | 2 +- policy/modules/system/udev.te | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te index b0a67367..a20d41fe 100644 --- a/policy/modules/kernel/corecommands.te +++ b/policy/modules/kernel/corecommands.te @@ -1,4 +1,4 @@ -policy_module(corecommands, 1.29.0) +policy_module(corecommands, 1.29.1) # diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te index 2637c898..f123c6d9 100644 --- a/policy/modules/services/dbus.te +++ b/policy/modules/services/dbus.te @@ -1,4 +1,4 @@ -policy_module(dbus, 1.29.1) +policy_module(dbus, 1.29.2) gen_require(` class dbus all_dbus_perms; diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te index c0072289..6ab8c353 100644 --- a/policy/modules/system/locallogin.te +++ b/policy/modules/system/locallogin.te @@ -1,4 +1,4 @@ -policy_module(locallogin, 1.21.0) +policy_module(locallogin, 1.21.1) # diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te index 820fc8d3..0141b178 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -1,4 +1,4 @@ -policy_module(logging, 1.32.1) +policy_module(logging, 1.32.2) # 
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te index 9099802e..632ebdb5 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te @@ -1,4 +1,4 @@ -policy_module(sysnetwork, 1.26.1) +policy_module(sysnetwork, 1.26.2) # diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index b19a20ac..a1c00d62 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -1,4 +1,4 @@ -policy_module(systemd, 1.10.2) +policy_module(systemd, 1.10.3) # # diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te index 2ef2337e..753caab0 100644 --- a/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te @@ -1,4 +1,4 @@ -policy_module(udev, 1.28.0) +policy_module(udev, 1.28.1) #
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/, policy/modules/services/
commit: fd0f05a88a59cad71dde39c9234eaddabf75565b Author: Chris PeBenito ieee org> AuthorDate: Fri Oct 9 13:45:11 2020 + Commit: Jason Zaman gentoo org> CommitDate: Sun Oct 11 21:14:40 2020 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=fd0f05a8 devices, filesystem, systemd, ntp: Module version bump. Signed-off-by: Chris PeBenito ieee.org> Signed-off-by: Jason Zaman gentoo.org> policy/modules/kernel/devices.te| 2 +- policy/modules/kernel/filesystem.te | 2 +- policy/modules/services/ntp.te | 2 +- policy/modules/system/systemd.te| 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te index 0137af03..8e72f90a 100644 --- a/policy/modules/kernel/devices.te +++ b/policy/modules/kernel/devices.te @@ -1,4 +1,4 @@ -policy_module(devices, 1.27.1) +policy_module(devices, 1.27.2) # diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te index 6439f410..f338e207 100644 --- a/policy/modules/kernel/filesystem.te +++ b/policy/modules/kernel/filesystem.te @@ -1,4 +1,4 @@ -policy_module(filesystem, 1.28.1) +policy_module(filesystem, 1.28.2) # diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te index 34c674e1..98ae0267 100644 --- a/policy/modules/services/ntp.te +++ b/policy/modules/services/ntp.te @@ -1,4 +1,4 @@ -policy_module(ntp, 1.22.0) +policy_module(ntp, 1.22.1) # diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index 7acbc551..74f3fc55 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -1,4 +1,4 @@ -policy_module(systemd, 1.10.3) +policy_module(systemd, 1.10.4) # #
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
commit: bdf027e057879dbba76e032570be27e1cc8ba4cc Author: Peter Morrow linux microsoft com> AuthorDate: Wed Feb 5 15:47:47 2020 + Commit: Jason Zaman gentoo org> CommitDate: Sat Feb 15 07:32:05 2020 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=bdf027e0 systemd_tmpfiles_t: Allow systemd_tempfiles_t to change permissions in sysfs Rules specified in system tmpfiles.d configuration files are often used to change permissions on files in sysfs. https://www.freedesktop.org/software/systemd/man/tmpfiles.d.html Signed-off-by: Peter Morrow linux.microsoft.com> Signed-off-by: Jason Zaman gentoo.org> policy/modules/kernel/devices.if | 20 policy/modules/system/systemd.te | 1 + 2 files changed, 21 insertions(+) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if index afbd6d4a..1b83ea68 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -4413,6 +4413,26 @@ interface(`dev_relabel_all_sysfs',` allow $1 sysfs_types:lnk_file relabel_lnk_file_perms; ') + +## +## Set the attributes of sysfs files, directories and symlinks. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_setattr_all_sysfs',` +gen_require(` +attribute sysfs_types; +') + +allow $1 sysfs_types:dir { search_dir_perms setattr }; +allow $1 sysfs_types:file setattr; +allow $1 sysfs_types:lnk_file { read_lnk_file_perms setattr }; +') + ## ## Read and write the TPM device. diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index 4d906e5c..7624d258 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -1112,6 +1112,7 @@ dev_manage_all_dev_nodes(systemd_tmpfiles_t) dev_read_urand(systemd_tmpfiles_t) dev_relabel_all_sysfs(systemd_tmpfiles_t) dev_read_urand(systemd_tmpfiles_t) +dev_setattr_all_sysfs(systemd_tmpfiles_t) dev_manage_all_dev_nodes(systemd_tmpfiles_t) files_create_lock_dirs(systemd_tmpfiles_t)
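Review bot: The summary `Set the attributes of sysfs files, directories and symlinks.` does not mention that the rules target the `sysfs_types` attribute rather than `sysfs_t`, so the caller gets `setattr` (chmod/chown/utimes) on every sysfs-derived type the policy defines, not only generic sysfs nodes. The name says `all`, but the doc should spell it out, e.g. `## Set the attributes (mode, ownership, timestamps) of all sysfs files, directories and symlinks, including specifically labeled sysfs types.` It would also help to list `dev_relabel_all_sysfs()` under a `Related interfaces` entry, since the two are meant to be used together by tmpfiles.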
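Review bot: The context around the new `dev_setattr_all_sysfs(systemd_tmpfiles_t)` line shows `dev_read_urand(systemd_tmpfiles_t)` and `dev_manage_all_dev_nodes(systemd_tmpfiles_t)` each listed twice, and the new call is inserted between the duplicates instead of next to the related `dev_relabel_all_sysfs` call two lines up. That duplication predates this commit, but a follow-up should drop the repeated rules and keep the `dev_*` calls together, with the new line directly after `dev_relabel_all_sysfs(systemd_tmpfiles_t)`. A short comment such as `# tmpfiles.d rules may chmod/chown sysfs attributes` would carry the rationale from the message into the policy itself.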
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
commit: ea1528fd616d5b6275d955ca913b87f73b875bcb Author: Chris PeBenito ieee org> AuthorDate: Sat Jan 25 19:55:31 2020 + Commit: Jason Zaman gentoo org> CommitDate: Sat Feb 15 07:32:05 2020 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ea1528fd storage, systemd: Module version bump. Signed-off-by: Chris PeBenito ieee.org> Signed-off-by: Jason Zaman gentoo.org> policy/modules/kernel/storage.te | 2 +- policy/modules/system/systemd.te | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/policy/modules/kernel/storage.te b/policy/modules/kernel/storage.te index 61a35406..fca93d16 100644 --- a/policy/modules/kernel/storage.te +++ b/policy/modules/kernel/storage.te @@ -1,4 +1,4 @@ -policy_module(storage, 1.17.2) +policy_module(storage, 1.17.3) # diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index 65562380..d039e2a1 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -1,4 +1,4 @@ -policy_module(systemd, 1.8.11) +policy_module(systemd, 1.8.12) # #
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/, policy/modules/services/
commit: 4050c64063918cc72b7db5d5e41fe26b202092d6 Author: Chris PeBenito ieee org> AuthorDate: Sun Jun 9 17:37:51 2019 + Commit: Jason Zaman gentoo org> CommitDate: Sat Jul 13 06:43:14 2019 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4050c640 various: Module version bump. Signed-off-by: Chris PeBenito ieee.org> Signed-off-by: Jason Zaman perfinion.com> policy/modules/kernel/devices.te | 2 +- policy/modules/kernel/storage.te | 2 +- policy/modules/services/apache.te | 2 +- policy/modules/system/init.te | 2 +- policy/modules/system/systemd.te | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te index 88a4246e..5f793c52 100644 --- a/policy/modules/kernel/devices.te +++ b/policy/modules/kernel/devices.te @@ -1,4 +1,4 @@ -policy_module(devices, 1.24.2) +policy_module(devices, 1.24.3) # diff --git a/policy/modules/kernel/storage.te b/policy/modules/kernel/storage.te index 8f91eb2d..0b5a4245 100644 --- a/policy/modules/kernel/storage.te +++ b/policy/modules/kernel/storage.te @@ -1,4 +1,4 @@ -policy_module(storage, 1.16.1) +policy_module(storage, 1.16.2) # diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te index e87a74ac..ff524cc1 100644 --- a/policy/modules/services/apache.te +++ b/policy/modules/services/apache.te @@ -1,4 +1,4 @@ -policy_module(apache, 2.16.1) +policy_module(apache, 2.16.2) # diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index aca76caa..97a6d2b7 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -1,4 +1,4 @@ -policy_module(init, 2.6.6) +policy_module(init, 2.6.7) gen_require(` class passwd rootok; diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index a08ee785..bc8ebaf0 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te 
@@ -1,4 +1,4 @@ -policy_module(systemd, 1.7.7) +policy_module(systemd, 1.7.8) # #
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
commit: d2dc3b997dbff09cdebf35491d7615a98a486674 Author: Chris PeBenito ieee org> AuthorDate: Wed Mar 21 18:17:22 2018 + Commit: Sven Vermeulen gentoo org> CommitDate: Sun Mar 25 10:28:12 2018 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d2dc3b99 corenetwork, init: Module version bump. policy/modules/kernel/corenetwork.te.in | 2 +- policy/modules/system/init.te | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in index cb3d4718..56ca81ac 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -1,4 +1,4 @@ -policy_module(corenetwork, 1.24.0) +policy_module(corenetwork, 1.24.1) # diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index 94234055..95da9f8d 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -1,4 +1,4 @@ -policy_module(init, 2.4.1) +policy_module(init, 2.4.2) gen_require(` class passwd rootok;
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
commit: 61c77a5671934cc8a2210c166a544e556e68ab49 Author: Chris PeBenito ieee org> AuthorDate: Thu Feb 15 22:10:34 2018 + Commit: Jason Zaman gentoo org> CommitDate: Sun Feb 18 11:25:18 2018 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=61c77a56 Simple map patch from Russell Coker. policy/modules/kernel/files.if| 30 ++ policy/modules/kernel/files.te| 2 +- policy/modules/system/logging.te | 7 ++- policy/modules/system/lvm.te | 3 ++- policy/modules/system/modutils.te | 4 +++- policy/modules/system/systemd.if | 1 + policy/modules/system/systemd.te | 2 +- 7 files changed, 44 insertions(+), 5 deletions(-) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index 05ca46a7..4920809d 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -2944,6 +2944,36 @@ interface(`files_read_etc_files',` read_lnk_files_pattern($1, etc_t, etc_t) ') + +## +## Map generic files in /etc. +## +## +## +## Allow the specified domain to map generic files in /etc. +## +## +## Related interfaces: +## +## +## files_read_etc_files() +## +## +## +## +## Domain allowed access. +## +## +## +# +interface(`files_map_etc_files',` + gen_require(` + type etc_t; + ') + + allow $1 etc_t:file map; +') + ## ## Do not audit attempts to write generic files in /etc. diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te index bfbd4b8d..f7cf321f 100644 --- a/policy/modules/kernel/files.te +++ b/policy/modules/kernel/files.te @@ -1,4 +1,4 @@ -policy_module(files, 1.25.0) +policy_module(files, 1.25.1) # diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te index 474d3644..1f3de07d 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -1,4 +1,4 @@ -policy_module(logging, 1.27.0) +policy_module(logging, 1.27.1) # 
@@ -257,6 +257,7 @@ corecmd_exec_shell(audisp_t) domain_use_interactive_fds(audisp_t) +files_map_etc_files(audisp_t) files_read_etc_files(audisp_t) files_read_etc_runtime_files(audisp_t) @@ -418,6 +419,8 @@ files_pid_filetrans(syslogd_t, syslogd_tmp_t, dir, "log") # manage temporary files manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t) +allow syslogd_t syslogd_tmp_t:file map; + files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file }) manage_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t) @@ -426,6 +429,8 @@ files_search_var_lib(syslogd_t) # manage pid file manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t) +allow syslogd_t syslogd_var_run_t:file map; + files_pid_filetrans(syslogd_t, syslogd_var_run_t, file) allow syslogd_t syslogd_var_run_t:dir create_dir_perms; diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te index 7c601fad..9df06823 100644 --- a/policy/modules/system/lvm.te +++ b/policy/modules/system/lvm.te @@ -1,4 +1,4 @@ -policy_module(lvm, 1.20.0) +policy_module(lvm, 1.20.1) # @@ -212,6 +212,7 @@ files_pid_filetrans(lvm_t, lvm_var_run_t, { file sock_file }) read_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t) allow lvm_t lvm_etc_t:file map; + read_lnk_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t) # Write to /etc/lvm, /etc/lvmtab, /etc/lvmtab.d manage_files_pattern(lvm_t, lvm_metadata_t, lvm_metadata_t) diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te index 850a2af4..54393d93 100644 --- a/policy/modules/system/modutils.te +++ b/policy/modules/system/modutils.te @@ -1,4 +1,4 @@ -policy_module(modutils, 1.19.0) +policy_module(modutils, 1.19.1) # @@ -132,7 +132,9 @@ optional_policy(` ') optional_policy(` + # for postinst of a new kernel package dpkg_manage_script_tmp_files(kmod_t) + dpkg_map_script_tmp_files(kmod_t) ') optional_policy(` 
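Review bot: The added `allow syslogd_t syslogd_tmp_t:file map;` has no comment recording which syslog daemon mmaps its temporary files, and it is placed between `manage_files_pattern` and `files_tmp_filetrans` with blank lines on both sides, which splits up the `# manage temporary files` group it belongs to. Drop the surrounding blank lines, or put it directly under the `manage_files_pattern` line, and add e.g. `# journald/rsyslog mmap their working files -- TODO confirm which` so the rule can be traced later. The same placement and comment remark applies to the `syslogd_var_run_t:file map` rule in the following hunk.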
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if index d875098a..f6e34102 100644 --- a/policy/modules/system/systemd.if +++ b/policy/modules/system/systemd.if @@ -366,6 +366,7 @@ interface(`systemd_manage_journal_files',` manage_dirs_pattern($1, systemd_journal_t, systemd_journal_t) manage_files_pattern($1, systemd_journal_t, systemd_journal_t) + allow $1 systemd_journal_t:file map; ') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index 0f6b4a45..66eaea42 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -1,4 +1,4 @@ -policy_
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
commit: 209fa945a8cbd918155deda616f3e954895df6c0 Author: Chris PeBenito ieee org> AuthorDate: Wed Nov 1 23:03:30 2017 + Commit: Jason Zaman gentoo org> CommitDate: Sun Nov 5 06:38:35 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=209fa945 files, userdomain: Module version bump. policy/modules/kernel/files.te | 2 +- policy/modules/system/userdomain.te | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te index 473931ee..9242965c 100644 --- a/policy/modules/kernel/files.te +++ b/policy/modules/kernel/files.te @@ -1,4 +1,4 @@ -policy_module(files, 1.24.4) +policy_module(files, 1.24.5) # diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te index e36a92f7..8f954251 100644 --- a/policy/modules/system/userdomain.te +++ b/policy/modules/system/userdomain.te @@ -1,4 +1,4 @@ -policy_module(userdomain, 4.14.5) +policy_module(userdomain, 4.14.6) #
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/, policy/modules/services/
commit: 8cbd03f7b3ebb7b5a4d45f43816fa98e760a32a5 Author: Jason Zaman perfinion com> AuthorDate: Thu Nov 2 17:30:46 2017 + Commit: Jason Zaman gentoo org> CommitDate: Sun Nov 5 06:38:35 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8cbd03f7 Add key interfaces and perms Mostly taken from the fedora rawhide policy policy/modules/kernel/kernel.if | 36 ++ policy/modules/services/ssh.if | 1 + policy/modules/services/ssh.te | 1 + policy/modules/services/xserver.if | 18 + policy/modules/services/xserver.te | 1 + policy/modules/system/authlogin.te | 2 + policy/modules/system/locallogin.te | 1 + policy/modules/system/userdomain.if | 73 + 8 files changed, 133 insertions(+) diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if index bda4c163..5afc4802 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if @@ -457,6 +457,42 @@ interface(`kernel_dontaudit_link_key',` ## +## Allow view the kernel key ring. +## +## +## +## Domain allowed access. +## +## +# +interface(`kernel_view_key',` + gen_require(` + type kernel_t; + ') + + allow $1 kernel_t:key view; +') + + +## +## dontaudit view the kernel key ring. +## +## +## +## Domain to not audit. +## +## +# +interface(`kernel_dontaudit_view_key',` + gen_require(` + type kernel_t; + ') + + dontaudit $1 kernel_t:key view; +') + + +## ## Allows caller to read the ring buffer. ## ## diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if index aa906680..4f20137a 100644 --- a/policy/modules/services/ssh.if +++ b/policy/modules/services/ssh.if @@ -338,6 +338,7 @@ template(`ssh_role_template',` # for rsync allow ssh_t $3:unix_stream_socket rw_socket_perms; allow ssh_t $3:unix_stream_socket connectto; + allow ssh_t $3:key manage_key_perms; # user can manage the keys and config manage_files_pattern($3, ssh_home_t, ssh_home_t) diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te index 32f09f80..69745a31 100644 
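Review bot: Both new summaries are ungrammatical: `Allow view the kernel key ring.` and `dontaudit view the kernel key ring.` Reword them in the file's own style, `## View the kernel keyring.` for `kernel_view_key` and `## Do not audit attempts to view the kernel keyring.` for `kernel_dontaudit_view_key`, matching the neighbouring `kernel_dontaudit_link_key` phrasing. The rules themselves, `allow $1 kernel_t:key view;` and its dontaudit twin, are minimal and fine.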
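Review bot: The new `allow ssh_t $3:key manage_key_perms;` is placed directly under the `# for rsync` comment and the two rsync-related unix_stream_socket rules, so it reads as if the ssh client needs to manage the user's keyrings for rsync, which is unlikely to be the intent. Move it out of that group and give it its own comment, e.g. `# manage the user's keyrings (e.g. kerberos credential caches) -- TODO confirm`, because `manage_key_perms` on the user domain's keys is a broad grant and the template is instantiated for every SSH-using user role. `ssh_role_template` starts before the hunk.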
--- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -103,6 +103,7 @@ allow ssh_t self:capability { dac_override dac_read_search setgid setuid }; allow ssh_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit }; allow ssh_t self:fd use; allow ssh_t self:fifo_file rw_fifo_file_perms; +allow ssh_t self:key manage_key_perms; allow ssh_t self:unix_dgram_socket { create_socket_perms sendto }; allow ssh_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow ssh_t self:shm create_shm_perms; diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if index 0718d016..f08db931 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -1537,3 +1537,21 @@ interface(`xserver_unconfined',` typeattribute $1 x_domain; typeattribute $1 xserver_unconfined_type; ') + + +## +## Manage keys for xdm. +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_rw_xdm_keys',` + gen_require(` + type xdm_t; + ') + + allow $1 xdm_t:key { read write setattr }; +') diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te index 9c028714..16614b2a 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -396,6 +396,7 @@ kernel_read_system_state(xdm_t) kernel_read_kernel_sysctls(xdm_t) kernel_read_net_sysctls(xdm_t) kernel_read_network_state(xdm_t) +kernel_view_key(xdm_t) corecmd_exec_shell(xdm_t) corecmd_exec_bin(xdm_t) diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te index 5ee69fcf..95c47090 100644 --- a/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te 
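Review bot: The summary `Manage keys for xdm.` overstates what `xserver_rw_xdm_keys` grants: the rule is `allow $1 xdm_t:key { read write setattr };`, which is read/write/setattr rather than the full manage set (no create, link, search or view). Align the doc with the name, e.g. `## Read, write and set attributes of xdm's keys.`; if management really is intended, use `manage_key_perms` and rename the interface accordingly. The interface is appended after `xserver_unconfined` at the end of xserver.if, so the hunk is complete.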
@@ -419,6 +419,8 @@ optional_policy(` # nsswitch_domain local policy # +allow nsswitch_domain self:key manage_key_perms; + files_list_var_lib(nsswitch_domain) # read /etc/nsswitch.conf diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te index a9b8f7e5..ee5f5948 100644 --- a/policy/modules/system/locallogin.te +++ b/policy/modules/system/locallogin.te @@ -209,6 +209,7 @@ optional_policy(` optional_policy(` xserver_read_xdm_tmp_files(local_login_t) xserver_rw_xdm_tmp_files(local_login_t) + xserver_rw_xdm_keys(local_login_t) ')
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
commit: 6ef62a4b426e033b53667e32b5c0922b475c41db Author: Chris PeBenito ieee org> AuthorDate: Thu Oct 12 22:48:29 2017 + Commit: Jason Zaman gentoo org> CommitDate: Sun Oct 29 12:59:50 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6ef62a4b files, init, sysnetwork, systemd: Module version bumps. policy/modules/kernel/files.te | 2 +- policy/modules/system/init.te | 2 +- policy/modules/system/sysnetwork.te | 2 +- policy/modules/system/systemd.te| 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te index 28824331..f713d2b6 100644 --- a/policy/modules/kernel/files.te +++ b/policy/modules/kernel/files.te @@ -1,4 +1,4 @@ -policy_module(files, 1.24.2) +policy_module(files, 1.24.3) # diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index 02a9e3b8..4f2247f7 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -1,4 +1,4 @@ -policy_module(init, 2.3.7) +policy_module(init, 2.3.8) gen_require(` class passwd rootok; diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te index bda695bd..1fec9b9b 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te @@ -1,4 +1,4 @@ -policy_module(sysnetwork, 1.21.1) +policy_module(sysnetwork, 1.21.2) # diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index 56aa9198..2d0393a3 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -1,4 +1,4 @@ -policy_module(systemd, 1.4.4) +policy_module(systemd, 1.4.5) # #
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
commit: 08fff4870eab9cec72d17019d21d832176fd5905 Author: David Sugar tresys com> AuthorDate: Thu Oct 12 16:16:17 2017 + Commit: Jason Zaman gentoo org> CommitDate: Sun Oct 29 12:59:08 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=08fff487 Denial relabeling /run/systemd/private I am seeing the following denial (in dmesg) during system startup: [4.623332] type=1400 audit(1507767947.042:3): avc: denied { relabelto } for pid=1 comm="systemd" name="private" dev="tmpfs" ino=5865 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=sock_file It appears that systemd is attempting to relablel the socket file /run/systemd/private to init_var_run_t but doesn't have permission. Updated to create new interface for relabeling of sock_files rather than adding to existing interface Signed-off-by: Dave Sugar tresys.com> policy/modules/kernel/files.if | 19 +++ policy/modules/system/init.te | 1 + 2 files changed, 20 insertions(+) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index 12a1210c..ec2c8999 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -6741,6 +6741,25 @@ interface(`files_relabel_all_pid_dirs',` ## +## Relabel to/from all var_run (pid) socket files +## +## +## +## Domain alloed access. +## +## +# +interface(`files_relabel_all_pid_sock_files',` + gen_require(` + attribute pidfile; + ') + + relabel_sock_files_pattern($1, pidfile, pidfile) +') + + + +## ## Relabel to/from all var_run (pid) files and directories ## ## diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index 75da7a62..350554d3 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te 
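Review bot: The parameter summary of `files_relabel_all_pid_sock_files` has a typo: `## Domain alloed access.` should read `## Domain allowed access.`. The interface also reaches further than the denial quoted in the commit message: `relabel_sock_files_pattern($1, pidfile, pidfile)` permits relabelfrom and relabelto on socket files of every type carrying the pidfile attribute, whereas the audit record shows init_t needing relabelto on its own init_var_run_t only, so if the wider grant is intended it deserves a comment and otherwise a rule scoped to init_var_run_t would close the denial with less reach. The new block is also followed by three blank added lines where the neighbouring interfaces in this file are separated by two.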
@@ -320,6 +320,7 @@ ifdef(`init_systemd',`
 files_mounton_root(init_t)
 files_search_pids(init_t)
 files_relabel_all_pids(init_t)
+ files_relabel_all_pid_sock_files(init_t)
 files_relabelto_etc_runtime_dirs(init_t)
 files_relabelto_etc_runtime_files(init_t)
 files_read_all_locks(init_t)
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
commit: 01f8128928b31a303f1521c742e8545366c72352 Author: Chris PeBenito ieee org> AuthorDate: Wed May 24 23:58:32 2017 + Commit: Jason Zaman gentoo org> CommitDate: Thu May 25 16:36:54 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=01f81289 Module version bump for mmap fixes from Stephen Smalley. policy/modules/kernel/devices.te | 2 +- policy/modules/system/libraries.te | 2 +- policy/modules/system/logging.te | 2 +- policy/modules/system/miscfiles.te | 2 +- policy/modules/system/selinuxutil.te | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te index 9f75d8ce..b0eab749 100644 --- a/policy/modules/kernel/devices.te +++ b/policy/modules/kernel/devices.te @@ -1,4 +1,4 @@ -policy_module(devices, 1.20.8) +policy_module(devices, 1.20.9) # diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te index 1bee4fa0..1ddbf29a 100644 --- a/policy/modules/system/libraries.te +++ b/policy/modules/system/libraries.te @@ -1,4 +1,4 @@ -policy_module(libraries, 2.14.4) +policy_module(libraries, 2.14.5) # diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te index 8086ca97..79c981bc 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -1,4 +1,4 @@ -policy_module(logging, 1.25.11) +policy_module(logging, 1.25.12) # diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te index 3b180a36..c0acc2b4 100644 --- a/policy/modules/system/miscfiles.te +++ b/policy/modules/system/miscfiles.te @@ -1,4 +1,4 @@ -policy_module(miscfiles, 1.12.2) +policy_module(miscfiles, 1.12.3) # diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te index 557e935c..d63a322f 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te 
@@ -1,4 +1,4 @@ -policy_module(selinuxutil, 1.22.11) +policy_module(selinuxutil, 1.22.12) gen_require(` bool secure_mode;
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
commit: f9f01e684dcb23519fcd03e6efdbff754dbef7be Author: Chris PeBenito ieee org> AuthorDate: Mon May 1 22:45:01 2017 + Commit: Jason Zaman gentoo org> CommitDate: Sun May 7 15:53:18 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f9f01e68 Module version bump for minor fixes from Guido Trentalancia. policy/modules/kernel/kernel.te | 2 +- policy/modules/system/init.te | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te index 87f5f9a4..a2869be7 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -1,4 +1,4 @@ -policy_module(kernel, 1.22.1) +policy_module(kernel, 1.22.2) # diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index a01b5093..a572300d 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -1,4 +1,4 @@ -policy_module(init, 2.2.20) +policy_module(init, 2.2.21) gen_require(` class passwd rootok;
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
commit: a223ccaf9ede7fc52fdb9d5ba5a62b0c8d72ae30 Author: Chris PeBenito ieee org> AuthorDate: Sat Apr 1 16:08:42 2017 + Commit: Sven Vermeulen gentoo org> CommitDate: Mon Apr 10 16:44:59 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a223ccaf systemd-nspawn again This patch doesn't do everything that is needed to have systemd-nspawn work. But it does everything that is needed and which I have written in a clear and uncontroversial way. I think it's best to get this upstream now and then either have a separate discussion about the more difficult issues, or wait until I devise a way of solving those problems that's not too hacky. Who knows, maybe someone else will devise a brilliant solution to the remaining issues after this is accepted upstream. Also there's a tiny patch for systemd_machined_t that is required by systemd_nspawn_t. Description: systemd-nspawn Author: Russell Coker coker.com.au> Last-Update: 2017-03-29 policy/modules/kernel/devices.if| 36 ++ policy/modules/kernel/devices.te| 2 +- policy/modules/kernel/files.if | 18 + policy/modules/kernel/files.te | 2 +- policy/modules/kernel/filesystem.if | 18 + policy/modules/kernel/filesystem.te | 2 +- policy/modules/kernel/kernel.if | 135 policy/modules/kernel/kernel.te | 2 +- policy/modules/kernel/terminal.if | 18 + policy/modules/kernel/terminal.te | 2 +- policy/modules/system/init.if | 48 +++-- policy/modules/system/init.te | 2 +- policy/modules/system/systemd.te| 119 ++- 13 files changed, 375 insertions(+), 29 deletions(-) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if index c5af9342..1f1fbca6 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if 
@@ -4064,6 +4064,24 @@ interface(`dev_getattr_sysfs',` ## +## mount a sysfs filesystem +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_mount_sysfs',` + gen_require(` + type sysfs_t; + ') + + allow $1 sysfs_t:filesystem mount; +') + + +## ## Do not audit getting the attributes of sysfs filesystem ## ## @@ -4082,6 +4100,24 @@ interface(`dev_dontaudit_getattr_sysfs',` ## +## mounton sysfs directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_mounton_sysfs_dirs',` + gen_require(` + type sysfs_t; + ') + + allow $1 sysfs_t:dir mounton; +') + + +## ## Search the sysfs directories. ## ## diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te index e15c26c3..277a6a19 100644 --- a/policy/modules/kernel/devices.te +++ b/policy/modules/kernel/devices.te @@ -1,4 +1,4 @@ -policy_module(devices, 1.20.5) +policy_module(devices, 1.20.6) # diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index 9d7a929a..9f9fdded 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -6340,6 +6340,24 @@ interface(`files_dontaudit_getattr_pid_dirs',` ## +## mounton a /var/run directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_mounton_pid_dirs',` + gen_require(` + type var_run_t; + ') + + allow $1 var_run_t:dir mounton; +') + + +## ## Set the attributes of the /var/run directory. ## ## diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te index 10001b15..33c92c70 100644 --- a/policy/modules/kernel/files.te +++ b/policy/modules/kernel/files.te @@ -1,4 +1,4 @@ -policy_module(files, 1.23.8) +policy_module(files, 1.23.9) # diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if index bba3e389..cfaa3e85 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if 
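Review bot: The summaries of the new interfaces in the two devices.if hunks and the files.if hunk on this line are written in a different style from their neighbours: `## mount a sysfs filesystem`, `## mounton sysfs directories.` and `## mounton a /var/run directory.` are lowercase (and the first is unterminated), while the surrounding ones read `## Search the sysfs directories.` and `## Set the attributes of the /var/run directory.`. Rewriting them as `## Mount a sysfs filesystem.`, `## Mount on sysfs directories.` and `## Mount on a /var/run directory.` keeps the generated interface documentation uniform. Each interface grants exactly the single `mount` or `mounton` permission its name states, so nothing beyond the wording needs to change.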
@@ -4160,6 +4160,24 @@ interface(`fs_mounton_tmpfs',` ## +## Mount on tmpfs files. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_mounton_tmpfs_files',` + gen_require(` + type tmpfs_t; + ') + + allow $1 tmpfs_t:file mounton; +') + + +## ## Set the attributes of tmpfs directories. ## ## diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te index 3194b0e0..11ada353 100644 --- a/policy/modules/kernel/filesystem.te +++ b/policy/mod
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/, policy/modules/services/
commit: 13afa3ec8591b0522048fab442bb7f66bbeb5787 Author: Chris PeBenito ieee org> AuthorDate: Tue Mar 28 22:51:35 2017 + Commit: Jason Zaman gentoo org> CommitDate: Thu Mar 30 11:46:48 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=13afa3ec systemd-resolvd, sessions, and tmpfiles take2 I believe that I have addressed all the issues Chris raised, so here's a newer version of the patch which applies to today's git version. Description: systemd-resolved, sessions, and tmpfiles patches Author: Russell Coker coker.com.au> Last-Update: 2017-03-26 policy/modules/kernel/files.if | 92 policy/modules/kernel/files.te | 2 +- policy/modules/services/xserver.if | 56 - policy/modules/services/xserver.te | 2 +- policy/modules/system/init.if | 36 +++ policy/modules/system/init.te | 2 +- policy/modules/system/logging.if| 116 policy/modules/system/logging.te| 2 +- policy/modules/system/miscfiles.if | 19 ++ policy/modules/system/miscfiles.te | 2 +- policy/modules/system/systemd.te| 84 +- policy/modules/system/userdomain.if | 18 ++ policy/modules/system/userdomain.te | 2 +- 13 files changed, 423 insertions(+), 10 deletions(-) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index 0d6fe3c5..9d7a929a 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -2835,6 +2835,24 @@ interface(`files_manage_etc_dirs',` ## +## Relabel directories to etc_t. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_relabelto_etc_dirs',` + gen_require(` + type etc_t; + ') + + allow $1 etc_t:dir relabelto; +') + + +## ## Read generic files in /etc. ## ## @@ -3813,6 +3831,24 @@ interface(`files_relabelto_home',` ## +## Relabel from user home root (/home). +## +## +## +## Domain allowed access. +## +## +# +interface(`files_relabelfrom_home',` + gen_require(` + type home_root_t; + ') + + allow $1 home_root_t:dir relabelfrom; +') + + +## ## Create objects in /home. ## ## 
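Review bot: `files_relabelto_etc_dirs` is documented only as `## Relabel directories to etc_t.`, which does not tell a caller that the permission lets its domain make any directory it may relabel appear as generic /etc configuration to every other domain that trusts etc_t. A description sentence stating that consequence, and pointing callers that only need the reverse direction at the relabelfrom interfaces, would help policy writers choose the narrowest grant. The companion `files_relabelfrom_home` hunk on this line is fine as written.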
@@ -5500,6 +5536,24 @@ interface(`files_manage_var_dirs',` ## +## relabelto/from var directories +## +## +## +## Domain allowed access. +## +## +# +interface(`files_relabel_var_dirs',` + gen_require(` + type var_t; + ') + + allow $1 var_t:dir { relabelfrom relabelto }; +') + + +## ## Read files in the /var directory. ## ## @@ -5767,6 +5821,44 @@ interface(`files_rw_var_lib_dirs',` ## +## manage var_lib_t dirs +## +## +## +## Domain allowed access. +## +## +# +interface(`files_manage_var_lib_dirs',` + gen_require(` + type var_t, var_lib_t; + ') + + allow $1 var_t:dir search_dir_perms; + allow $1 var_lib_t:dir manage_dir_perms; +') + + +## +## relabel var_lib_t dirs +## +## +## +## Domain allowed access. +## +## +# +interface(`files_relabel_var_lib_dirs',` + gen_require(` + type var_t, var_lib_t; + ') + + allow $1 var_t:dir search_dir_perms; + allow $1 var_lib_t:dir { relabelfrom relabelto }; +') + + +## ## Create objects in the /var/lib directory ## ## diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te index 9f911efd..10001b15 100644 --- a/policy/modules/kernel/files.te +++ b/policy/modules/kernel/files.te @@ -1,4 +1,4 @@ -policy_module(files, 1.23.7) +policy_module(files, 1.23.8) # diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if index 060adbfa..eae74b67 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -700,6 +700,42 @@ interface(`xserver_rw_console',` ## +## Create the X windows console named pipes. +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_create_console_pipes',` + gen_require(` + type xconsole_device_t; + ') + + allow $1 xconsole_device_t:fifo_file create; +') + + +## +## relabel the X windows console named pipes. +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_relabel_console_pipes',` + gen_requir
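Review bot: The summaries of the three new /var interfaces (`## relabelto/from var directories`, `## manage var_lib_t dirs`, `## relabel var_lib_t dirs`) are lowercase, name the type rather than the path, and lack a terminating period, unlike the neighbouring `## Read files in the /var directory.` and `## Create objects in the /var/lib directory`. Suggested wording: `## Relabel to/from /var directories.`, `## Create, read, write, and delete /var/lib directories.` and `## Relabel to/from /var/lib directories.`. Both var_lib interfaces embed `allow $1 var_t:dir search_dir_perms;` for path traversal, which is consistent with how the surrounding var_lib interfaces are built, so only the documentation needs attention. The xserver.if hunk at the end of this line is cut off and was not reviewed.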
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
commit: 1411282ba15da370f51a5b1444a0e087352d12ea Author: Chris PeBenito ieee org> AuthorDate: Wed Mar 1 00:42:24 2017 + Commit: Sven Vermeulen gentoo org> CommitDate: Thu Mar 2 10:16:56 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1411282b Module version bump for misc fixes from cgzones. policy/modules/kernel/corecommands.te | 2 +- policy/modules/kernel/filesystem.te | 2 +- policy/modules/system/init.te | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te index 08b3ff7d..ac0a7ce1 100644 --- a/policy/modules/kernel/corecommands.te +++ b/policy/modules/kernel/corecommands.te @@ -1,4 +1,4 @@ -policy_module(corecommands, 1.23.3) +policy_module(corecommands, 1.23.4) # diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te index 23705cd3..597bf615 100644 --- a/policy/modules/kernel/filesystem.te +++ b/policy/modules/kernel/filesystem.te @@ -1,4 +1,4 @@ -policy_module(filesystem, 1.22.3) +policy_module(filesystem, 1.22.4) # diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index c784280e..f783614f 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -1,4 +1,4 @@ -policy_module(init, 2.2.8) +policy_module(init, 2.2.9) gen_require(` class passwd rootok;
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
commit: 4cad32c069d96e1f34d90a2fc05d3d05b65c8ae3 Author: Chris PeBenito ieee org> AuthorDate: Sat Feb 25 16:20:19 2017 + Commit: Jason Zaman gentoo org> CommitDate: Mon Feb 27 10:38:00 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4cad32c0 Network daemon patches from Russell Coker. policy/modules/kernel/corenetwork.te.in | 6 +++--- policy/modules/system/iptables.te | 4 +++- policy/modules/system/sysnetwork.fc | 2 ++ policy/modules/system/sysnetwork.te | 6 +- 4 files changed, 13 insertions(+), 5 deletions(-) diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in index 68aba14c..b3db0139 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -1,4 +1,4 @@ -policy_module(corenetwork, 1.23.2) +policy_module(corenetwork, 1.23.3) # @@ -216,7 +216,7 @@ network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tc network_port(portmap, udp,111,s0, tcp,111,s0) network_port(postfix_policyd, tcp,10031,s0) network_port(postgresql, tcp,5432,s0) -network_port(postgrey, tcp,6,s0) +network_port(postgrey, tcp,10023,s0, tcp,6,s0) network_port(pptp, tcp,1723,s0, udp,1723,s0) network_port(prelude, tcp,4690,s0, udp,4690,s0) network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0) @@ -236,7 +236,7 @@ network_port(repository, tcp, 6363, s0) network_port(ricci, tcp,1,s0, udp,1,s0) network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0) network_port(rlogind, tcp,513,s0) -network_port(rndc, tcp,953,s0, udp,953,s0) +network_port(rndc, tcp,953,s0, udp,953,s0, tcp,8953,s0, udp,8953,s0) network_port(router, udp,520,s0, udp,521,s0, tcp,521,s0) network_port(rsh, tcp,514,s0) network_port(rsync, tcp,873,s0, udp,873,s0) diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te index 0380f55b..e8063b99 100644 --- a/policy/modules/system/iptables.te +++ b/policy/modules/system/iptables.te 
@@ -1,4 +1,4 @@ -policy_module(iptables, 1.18.1) +policy_module(iptables, 1.18.2) # @@ -153,4 +153,6 @@ optional_policy(` optional_policy(` udev_read_db(iptables_t) + # this is for iptables_t to inherit a file hande from xen vif-bridge + udev_manage_pid_files(iptables_t) ') diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc index e887076b..817d620b 100644 --- a/policy/modules/system/sysnetwork.fc +++ b/policy/modules/system/sysnetwork.fc @@ -58,6 +58,7 @@ ifdef(`distro_redhat',` /var/lib/dhcp3?-d gen_context(system_u:object_r:dhcp_state_t,s0) /var/lib/dhcp3?/dhclient.* gen_context(system_u:object_r:dhcpc_state_t,s0) /var/lib/dhcpcd(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0) +/var/lib/dhcpv6(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0) /var/lib/dhclient(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0) /var/lib/wifiroamd(/.*)? gen_context(system_u:object_r:dhcpc_state_t,s0) @@ -70,6 +71,7 @@ ifdef(`distro_gentoo',` ifdef(`distro_debian',` /run/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0) +/var/run/resolvconf/.* -- gen_context(system_u:object_r:net_conf_t,s0) ') ifdef(`distro_gentoo',` diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te index caec3181..d21a2d64 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te @@ -1,4 +1,4 @@ -policy_module(sysnetwork, 1.20.3) +policy_module(sysnetwork, 1.20.4) # @@ -244,6 +244,10 @@ optional_policy(` ') optional_policy(` + samba_manage_config(dhcpc_t) +') + +optional_policy(` seutil_sigchld_newrole(dhcpc_t) seutil_dontaudit_search_config(dhcpc_t) ')
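Review bot: The comment added in the iptables.te hunk has a typo, `# this is for iptables_t to inherit a file hande from xen vif-bridge` should read `file handle`. More importantly, inheriting an already-open descriptor needs read/write on the file object, yet the rule chosen is `udev_manage_pid_files(iptables_t)`, which also covers create and delete; if a read/write-level udev pid-file interface exists it would close the same denial with less reach, and if manage really is required the comment should say why.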
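Review bot: The new `samba_manage_config(dhcpc_t)` block in the sysnetwork.te hunk lets the DHCP client create, write and delete Samba's configuration files, but carries no comment explaining which hook needs it; the surrounding optional_policy blocks give no hint either. A line such as `# presumably a dhclient hook updating smb.conf -- TODO confirm the hook and whether write-only access suffices` would record the reason and make it easier to narrow later. In the sysnetwork.fc hunk the new entry uses `/var/run/resolvconf/.*` while the line above it in the same distro_debian block uses `/run/network(/.*)?`; picking one prefix keeps the block consistent.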
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
commit: 4b4fbc24ce430965cce854d871cefa9666be2569 Author: Chris PeBenito ieee org> AuthorDate: Sat Feb 25 14:35:10 2017 + Commit: Jason Zaman gentoo org> CommitDate: Sat Feb 25 16:43:11 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4b4fbc24 systemd: Further revisions from Russell Coker. policy/modules/kernel/devices.if| 18 +++ policy/modules/kernel/devices.te| 2 +- policy/modules/kernel/filesystem.if | 20 policy/modules/kernel/filesystem.te | 2 +- policy/modules/system/init.if | 18 +++ policy/modules/system/init.te | 2 +- policy/modules/system/lvm.if| 18 +++ policy/modules/system/lvm.te| 2 +- policy/modules/system/systemd.te| 221 +++- 9 files changed, 270 insertions(+), 33 deletions(-) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if index b51a25ac..7e09e6f2 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -880,6 +880,24 @@ interface(`dev_relabel_generic_symlinks',` ## +## write generic sock files in /dev. +## +## +## +## Domain to not audit. +## +## +# +interface(`dev_write_generic_sock_files',` + gen_require(` + type device_t; + ') + + write_sock_files_pattern($1, device_t, device_t) +') + + +## ## Create, delete, read, and write device nodes in device directories. ## ## diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te index 470f0f00..571abc30 100644 --- a/policy/modules/kernel/devices.te +++ b/policy/modules/kernel/devices.te @@ -1,4 +1,4 @@ -policy_module(devices, 1.20.3) +policy_module(devices, 1.20.4) # diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if index bd6084b3..9069b0c2 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if 
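Review bot: The parameter documentation of the new `dev_write_generic_sock_files` interface is wrong for an allow interface: `## Domain to not audit.` is the wording of the dontaudit variants, and here it should be `## Domain allowed access.`. The summary `## write generic sock files in /dev.` is also lowercase unlike its neighbour `## Create, delete, read, and write device nodes in device directories.`; `## Write generic socket files in /dev.` matches the file's style.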
@@ -787,6 +787,26 @@ interface(`fs_relabel_cgroup_dirs',` ## +## Get attributes of cgroup files. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_getattr_cgroup_files',` + gen_require(` + type cgroup_t; + ') + + getattr_files_pattern($1, cgroup_t, cgroup_t) + fs_search_tmpfs($1) + dev_search_sysfs($1) +') + + +## ## Read cgroup files. ## ## diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te index be04ea8c..23705cd3 100644 --- a/policy/modules/kernel/filesystem.te +++ b/policy/modules/kernel/filesystem.te @@ -1,4 +1,4 @@ -policy_module(filesystem, 1.22.2) +policy_module(filesystem, 1.22.3) # diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if index 8d65e648..6de0a2d7 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -1068,6 +1068,24 @@ interface(`init_dbus_chat',` ## +## List /var/lib/systemd/ dir +## +## +## +## Domain allowed access. +## +## +# +interface(`init_list_var_lib_dirs',` + gen_require(` + type init_var_lib_t; + ') + + allow $1 init_var_lib_t:dir list_dir_perms; +') + + +## ## Manage files in /var/lib/systemd/. ## ## diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index 54ca2ceb..c9c1eb6b 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -1,4 +1,4 @@ -policy_module(init, 2.2.6) +policy_module(init, 2.2.7) gen_require(` class passwd rootok; diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if index 88fa9442..49cee54d 100644 --- a/policy/modules/system/lvm.if +++ b/policy/modules/system/lvm.if @@ -65,6 +65,24 @@ interface(`lvm_run',` ## +## Send lvm a null signal. +## +## +## +## Domain allowed access. +## +## +# +interface(`lvm_signull',` + gen_require(` + type lvm_t; + ') + + allow $1 lvm_t:process signull; +') + + +## ## Read LVM configuration files. ## ## diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te index f8fed91d..e6984249 100644 
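Review bot: `init_list_var_lib_dirs` grants `allow $1 init_var_lib_t:dir list_dir_perms;` but nothing for reaching the directory through /var/lib, so a caller without its own search permission on the parent will still be denied; the filesystem.if hunk on this line shows the expected pattern by pairing `getattr_files_pattern` with `fs_search_tmpfs($1)` and `dev_search_sysfs($1)`. Unless callers are expected to add the traversal themselves, adding `files_search_var_lib($1)` would make the interface self-contained. The summary `## List /var/lib/systemd/ dir` should also be a full sentence, e.g. `## List the /var/lib/systemd directories.`, to match `## Manage files in /var/lib/systemd/.` below it.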
--- a/policy/modules/system/lvm.te +++ b/policy/modules/system/lvm.te @@ -1,4 +1,4 @@ -policy_module(lvm, 1.19.3) +policy_module(lvm, 1.19.4) # diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index 40719e93..6c8caa8d 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
commit: 70c735ee60f9f82af114a3ea3479955a3659a101 Author: Chris PeBenito ieee org> AuthorDate: Wed Feb 8 21:56:09 2017 + Commit: Jason Zaman gentoo org> CommitDate: Fri Feb 17 08:13:37 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=70c735ee mon policy from Russell Coker. policy/modules/kernel/corenetwork.te.in | 3 ++- policy/modules/system/init.if | 18 ++ policy/modules/system/init.te | 2 +- 3 files changed, 17 insertions(+), 6 deletions(-) diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in index efae68ae..68aba14c 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -1,4 +1,4 @@ -policy_module(corenetwork, 1.23.1) +policy_module(corenetwork, 1.23.2) # @@ -179,6 +179,7 @@ network_port(matahari, tcp,49000,s0, udp,49000,s0) network_port(memcache, tcp,11211,s0, udp,11211,s0) network_port(milter) # no defined portcon network_port(mmcc, tcp,5050,s0, udp,5050,s0) +network_port(mon, tcp,2583,s0, udp,2583,s0) network_port(monit, tcp,2812,s0) network_port(monopd, tcp,1234,s0) network_port(mountd, tcp,20048,s0, udp,20048,s0) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if index 82f94548..fdf3f034 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -1088,11 +1088,21 @@ interface(`init_pid_filetrans',` ## # interface(`init_getattr_initctl',` - gen_require(` - type initctl_t; - ') + ifdef(`init_systemd',` + # stat /run/systemd/initctl/fifo + gen_require(` + type init_var_run_t; + ') - allow $1 initctl_t:fifo_file getattr; + allow $1 init_var_run_t:fifo_file getattr; + allow $1 init_var_run_t:dir list_dir_perms; + ',` + gen_require(` + type initctl_t; + ') + + allow $1 initctl_t:fifo_file getattr; + ') ') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index c688c89b..03aaae53 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te 
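Review bot: In the systemd branch of `init_getattr_initctl`, `allow $1 init_var_run_t:dir list_dir_perms;` grants more than the interface's name and the `# stat /run/systemd/initctl/fifo` comment describe: stat() of a known path only needs traversal, and listing lets the caller enumerate everything under /run/systemd. Using `allow $1 init_var_run_t:dir search_dir_perms;` keeps the grant aligned with the documented purpose; if listing really is needed, the summary above the hunk should say so. The interface's documentation block begins outside the hunk.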
@@ -1,4 +1,4 @@ -policy_module(init, 2.2.1) +policy_module(init, 2.2.2) gen_require(` class passwd rootok;
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/, policy/modules/admin/
commit: 37ef0b2bc209a69bc70fff44bac0457c079df83e Author: Chris PeBenito ieee org> AuthorDate: Wed Dec 28 19:38:05 2016 + Commit: Jason Zaman gentoo org> CommitDate: Sun Jan 1 16:31:26 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=37ef0b2b Module version bump for fc updates from Nicolas Iooss. policy/modules/admin/bootloader.te | 2 +- policy/modules/admin/consoletype.te | 2 +- policy/modules/admin/dmesg.te | 2 +- policy/modules/admin/netutils.te| 2 +- policy/modules/admin/su.te | 2 +- policy/modules/kernel/corecommands.te | 2 +- policy/modules/kernel/corenetwork.te.in | 2 +- policy/modules/kernel/devices.te| 2 +- policy/modules/kernel/files.te | 2 +- policy/modules/kernel/filesystem.te | 2 +- policy/modules/kernel/storage.te| 2 +- policy/modules/system/authlogin.te | 2 +- policy/modules/system/clock.te | 2 +- policy/modules/system/fstools.te| 2 +- policy/modules/system/getty.te | 2 +- policy/modules/system/hostname.te | 2 +- policy/modules/system/hotplug.te| 2 +- policy/modules/system/init.te | 2 +- policy/modules/system/iptables.te | 2 +- policy/modules/system/libraries.te | 2 +- policy/modules/system/locallogin.te | 2 +- policy/modules/system/logging.te| 2 +- policy/modules/system/lvm.te| 2 +- policy/modules/system/modutils.te | 2 +- policy/modules/system/mount.te | 2 +- policy/modules/system/netlabel.te | 2 +- policy/modules/system/selinuxutil.te| 2 +- policy/modules/system/setrans.te| 2 +- policy/modules/system/sysnetwork.te | 2 +- policy/modules/system/systemd.te| 2 +- policy/modules/system/udev.te | 2 +- 31 files changed, 31 insertions(+), 31 deletions(-) diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te index ab25f9e..dc8c896 100644 --- a/policy/modules/admin/bootloader.te +++ b/policy/modules/admin/bootloader.te @@ -1,4 +1,4 @@ -policy_module(bootloader, 1.16.1) +policy_module(bootloader, 1.16.2) # 
diff --git a/policy/modules/admin/consoletype.te b/policy/modules/admin/consoletype.te index cd5e005..15eb182 100644 --- a/policy/modules/admin/consoletype.te +++ b/policy/modules/admin/consoletype.te @@ -1,4 +1,4 @@ -policy_module(consoletype, 1.10.0) +policy_module(consoletype, 1.10.1) # diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te index 544a430..744dfb8 100644 --- a/policy/modules/admin/dmesg.te +++ b/policy/modules/admin/dmesg.te @@ -1,4 +1,4 @@ -policy_module(dmesg, 1.4.0) +policy_module(dmesg, 1.4.1) # diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te index 4080900..3b7b48d 100644 --- a/policy/modules/admin/netutils.te +++ b/policy/modules/admin/netutils.te @@ -1,4 +1,4 @@ -policy_module(netutils, 1.15.1) +policy_module(netutils, 1.15.2) # diff --git a/policy/modules/admin/su.te b/policy/modules/admin/su.te index e417554..1909cfd 100644 --- a/policy/modules/admin/su.te +++ b/policy/modules/admin/su.te @@ -1,4 +1,4 @@ -policy_module(su, 1.13.0) +policy_module(su, 1.13.1) # diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te index 099b05b..056ee00 100644 --- a/policy/modules/kernel/corecommands.te +++ b/policy/modules/kernel/corecommands.te @@ -1,4 +1,4 @@ -policy_module(corecommands, 1.22.0) +policy_module(corecommands, 1.22.1) # diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in index a0075e2..bac6665 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -1,4 +1,4 @@ -policy_module(corenetwork, 1.22.0) +policy_module(corenetwork, 1.22.1) # diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te index fd7e826..9b1f207 100644 --- a/policy/modules/kernel/devices.te +++ b/policy/modules/kernel/devices.te @@ -1,4 +1,4 @@ -policy_module(devices, 1.19.1) +policy_module(devices, 1.19.2) # 
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te index 4cf374b..484c7c8 100644 --- a/policy/modules/kernel/files.te +++ b/policy/modules/kernel/files.te @@ -1,4 +1,4 @@ -policy_module(files, 1.22.2) +policy_module(files, 1.22.3) # diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te index 0471647..5ca0608 100644 --- a/policy/modules/kernel/filesystem.te +++ b/policy/modules/kernel/filesystem.te
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
commit: 1cd6b4275bef63da2c4c37ad68574230fad38a3f Author: Guido Trentalancia trentalancia net> AuthorDate: Fri Dec 23 01:15:14 2016 + Commit: Jason Zaman gentoo org> CommitDate: Sun Jan 1 16:26:28 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1cd6b427 modutils: update to run in confined mode Update the modutils module so that it can run in confined mode instead of unconfined mode. Signed-off-by: Guido Trentalancia trentalancia.net> policy/modules/kernel/files.if| 1 + policy/modules/system/modutils.te | 10 ++ 2 files changed, 3 insertions(+), 8 deletions(-)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 82901bc..3fc0487 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -4102,6 +4102,7 @@ interface(`files_manage_kernel_modules',`
 type modules_object_t;
 ')
+ allow $1 modules_object_t:dir rw_dir_perms;
 manage_files_pattern($1, modules_object_t, modules_object_t)
 ')
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index 2448f06..1a138a8 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -89,8 +89,8 @@ files_read_usr_files(kmod_t)
 files_exec_etc_files(kmod_t)
 # for nscd:
 files_dontaudit_search_pids(kmod_t)
-# for locking: (cjp: )
-files_write_kernel_modules(kmod_t)
+# to manage modules.dep
+files_manage_kernel_modules(kmod_t)
 fs_getattr_xattr_fs(kmod_t)
 fs_dontaudit_use_tmpfs_chr_dev(kmod_t)
@@ -166,12 +166,6 @@ optional_policy(`
 ')
 optional_policy(`
- unconfined_domain(kmod_t)
- unconfined_dontaudit_rw_pipes(kmod_t)
- unconfined_domtrans_to(kmod_t, kmod_exec_t)
-')
-
-optional_policy(`
 # cjp: why is this needed:
 dev_rw_xserver_misc(kmod_t)
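Review bot: The added `allow $1 modules_object_t:dir rw_dir_perms;` in files_manage_kernel_modules duplicates what the next line, `manage_files_pattern($1, modules_object_t, modules_object_t)`, already grants, since that pattern expands to rw_dir_perms on its second argument and manage_file_perms on its third. Unless the explicit rule is meant as documentation, it can be dropped; if it stays, a comment such as `# dir perms are also implied by manage_files_pattern below` would stop the next reader from looking for a difference between the two.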
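Review bot: The comment `# to manage modules.dep` understates the grant it introduces: files_manage_kernel_modules gives kmod_t create, unlink and rename on every modules_object_t file in the module tree, not only on modules.dep, and this now matters because the same commit removes the unconfined_domain(kmod_t) fallback. A comment that names the reason for the wider permission, e.g. `# depmod regenerates modules.dep and its siblings (presumably via temporary file and rename), so manage rather than write perms are needed`, would record why the previous files_write_kernel_modules was not enough. The second modutils.te hunk is cut off at the end of this excerpt, so its closing context is not reviewed here.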
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
commit: 40723b89de76f03758e907073b07c3ca5b6de1bf Author: Russell Coker coker com au> AuthorDate: Fri Oct 21 08:35:53 2016 + Commit: Jason Zaman gentoo org> CommitDate: Sun Nov 27 15:12:11 2016 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=40723b89 single binary modutils On Tuesday, 2 August 2016 7:59:28 PM AEDT Chris PeBenito wrote: > On 07/31/16 08:34, Russell Coker wrote: > > The following patch deals with a single binary for modutils, so depmod_t, > > and insmod_t are merged. > > Since the main SELinux distros (including RHEL/CentOS 7) all have merged > modutils these days, I'm open to taking a patch that fully merges these > domains (in which case renaming to kmod_t, with proper aliasing seems > the best idea). > > However, it's been some time since I used a busybox-based system; does > busybox still have separated tools? Yes, this is a bit of an obvious > question since busybox is also single-binary, but IIRC, the embedded > guys made some tiny helper scripts or executables so proper > transitioning could occur. Separate domains may still make sense. As we have had no response from Busybox users in the last 3 months and also no response to the thread Luis started in 2013 I think it's safe to assume that they don't need this. I've attached a new patch which renames to kmod_t as you suggested. Please consider it for inclusion. -- My Main Blog http://etbe.coker.com.au/ My Documents Bloghttp://doc.coker.com.au/ Description: Change modutils policy to match the use of a single binary Author: Russell Coker coker.com.au> Last-Update: 2014-06-25 policy/modules/kernel/kernel.te | 3 + policy/modules/kernel/terminal.if | 20 +++ policy/modules/system/modutils.fc | 19 +- policy/modules/system/modutils.if | 4 +- policy/modules/system/modutils.te | 352 +++--- 5 files changed, 136 insertions(+), 262 deletions(-) diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te index ec05ca1..811494f 100644 
--- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -278,6 +278,9 @@ selinux_load_policy(kernel_t) term_use_console(kernel_t) +# for kdevtmpfs +term_setattr_unlink_unallocated_ttys(kernel_t) + corecmd_exec_shell(kernel_t) corecmd_list_bin(kernel_t) # /proc/sys/kernel/modprobe is set to /bin/true if not using modules. diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if index ed52733..86692b0 100644 --- a/policy/modules/kernel/terminal.if +++ b/policy/modules/kernel/terminal.if @@ -1103,6 +1103,26 @@ interface(`term_getattr_unallocated_ttys',` ## +## Setattr and unlink unallocated tty device nodes. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`term_setattr_unlink_unallocated_ttys',` + gen_require(` + type tty_device_t; + ') + + dev_list_all_dev_nodes($1) + allow $1 tty_device_t:chr_file { getattr setattr unlink }; +') + + +## ## Do not audit attempts to get the attributes ## of all unallocated tty device nodes. ## diff --git a/policy/modules/system/modutils.fc b/policy/modules/system/modutils.fc index 9933677..7adbbd7 100644 --- a/policy/modules/system/modutils.fc +++ b/policy/modules/system/modutils.fc @@ -1,4 +1,4 @@ -/bin/kmod -- gen_context(system_u:object_r:insmod_exec_t,s0) +/bin/kmod -- gen_context(system_u:object_r:kmod_exec_t,s0) /etc/modules\.conf.* -- gen_context(system_u:object_r:modules_conf_t,s0) /etc/modprobe\.conf.* -- gen_context(system_u:object_r:modules_conf_t,s0) 
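Review bot: `# for kdevtmpfs` above `term_setattr_unlink_unallocated_ttys(kernel_t)` does not say which operation kernel_t is being allowed, and the interface name hides that getattr and /dev listing come with it. A comment such as `# kdevtmpfs (the devtmpfs kernel thread) sets attributes on and removes tty nodes in /dev` would let an auditor match the rule to the kernel behaviour that triggers it. If node creation is also expected to be needed, that permission is not covered by this interface and would have to be granted separately.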
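Review bot: The summary of the new interface says `Setattr and unlink unallocated tty device nodes.` while the rule it adds is `allow $1 tty_device_t:chr_file { getattr setattr unlink };` together with `dev_list_all_dev_nodes($1)`, so getattr on the nodes and listing of all /dev directories are granted without being mentioned. Either drop getattr from the rule when the caller already uses term_getattr_unallocated_ttys, or extend the summary to `Get and set attributes of, and unlink, unallocated tty device nodes (also lists /dev).` so that callers see the full grant. A name that matches the permission set would help here too, but renaming an interface once merged is costly, so the documentation fix is the minimum.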
@@ -14,12 +14,13 @@ ifdef(`distro_gentoo',` /lib/modules/modprobe\.conf -- gen_context(system_u:object_r:modules_conf_t,s0) -/sbin/depmod.* -- gen_context(system_u:object_r:depmod_exec_t,s0) -/sbin/generate-modprobe\.conf -- gen_context(system_u:object_r:update_modules_exec_t,s0) -/sbin/insmod.* -- gen_context(system_u:object_r:insmod_exec_t,s0) -/sbin/modprobe.* -- gen_context(system_u:object_r:insmod_exec_t,s0) -/sbin/modules-update -- gen_context(system_u:object_r:update_modules_exec_t,s0) -/sbin/rmmod.* -- gen_context(system_u:object_r:insmod_exec_t,s0) -/sbin/update-modules -- gen_context(system_u:object_r:update_modules_exec_t,s0) +/sbin/depmod.* -- gen_context(system_u:object_r:kmod_exec_t,s0) +/sbin/generate-modprobe\.conf -- gen_context(system_u:object_r:kmod_exec_t,s0) +/sbin/insmod.* -- gen_context(system_u:object_r:kmod_exec_t,s0) +/sbin/modprobe.* -- gen_context(system_u:object_r:kmod_exec_t,s0) +/sbin/modules-update -- gen_context(system_u:object_r:kmod_exec_t,s0) +/sbin/rmmod.* -- gen_context(system_u:object_r:kmod_exec_t,s0) +/sbin/update-modules -- gen
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/, policy/modules/roles/
commit: 04ebc427cb7b60ea5e3236931a612c7bd1627ba9 Author: Chris PeBenito ieee org> AuthorDate: Sun Oct 9 11:51:51 2016 + Commit: Sven Vermeulen gentoo org> CommitDate: Mon Oct 24 16:00:23 2016 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=04ebc427 Module version bumps for syncthing from Naftuli Tzvi Kay. policy/modules/kernel/corenetwork.te.in | 2 +- policy/modules/roles/staff.te | 2 +- policy/modules/roles/unprivuser.te | 2 +- policy/modules/system/unconfined.te | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in index 26a5ed4..7008c61 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -1,4 +1,4 @@ -policy_module(corenetwork, 1.21.3) +policy_module(corenetwork, 1.21.4) # diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te index 37ec803..94b5cdd 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te @@ -1,4 +1,4 @@ -policy_module(staff, 2.6.0) +policy_module(staff, 2.6.1) # diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te index b8135fd..f14f82b 100644 --- a/policy/modules/roles/unprivuser.te +++ b/policy/modules/roles/unprivuser.te @@ -1,4 +1,4 @@ -policy_module(unprivuser, 2.6.0) +policy_module(unprivuser, 2.6.1) # this module should be named user, but that is # a compile error since user is a keyword. diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te index 21fbbca..49495de 100644 --- a/policy/modules/system/unconfined.te +++ b/policy/modules/system/unconfined.te @@ -1,4 +1,4 @@ -policy_module(unconfined, 3.7.0) +policy_module(unconfined, 3.7.1) #
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/, policy/modules/roles/
commit: 6794d4c77463f54668d91995a143378411d0c339 Author: Naftuli Tzvi Kay gmail com> AuthorDate: Sun Aug 21 07:06:32 2016 + Commit: Sven Vermeulen gentoo org> CommitDate: Mon Oct 24 16:00:17 2016 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6794d4c7 Add Syncthing Support to Policy For now, optionally add the Syncthing role to user_r, staff_r, and unconfined_r, and define the Syncthing ports in core network. policy/modules/kernel/corenetwork.te.in | 3 +++ policy/modules/roles/staff.te | 4 policy/modules/roles/unprivuser.te | 4 policy/modules/system/unconfined.te | 4 4 files changed, 15 insertions(+) diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in index 30d1617..26a5ed4 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in @@ -261,6 +261,9 @@ network_port(stunnel) # no defined portcon network_port(svn, tcp,3690,s0, udp,3690,s0) network_port(svrloc, tcp,427,s0, udp,427,s0) network_port(swat, tcp,901,s0) +network_port(syncthing, tcp,22000,s0) +network_port(syncthing_admin, tcp,8384,s0) +network_port(syncthing_discovery, udp,21027,s0) network_port(sype_transport, tcp,9911,s0, udp,9911,s0) network_port(syslogd, udp,514,s0) network_port(syslog_tls, tcp,6514,s0, udp,6514,s0) diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te index 30e13d2..37ec803 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te @@ -52,6 +52,10 @@ optional_policy(` ') optional_policy(` + syncthing_role(staff_r, staff_t) +') + +optional_policy(` vlock_run(staff_t, staff_r) ') diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te index eca14f1..b8135fd 100644 --- a/policy/modules/roles/unprivuser.te +++ b/policy/modules/roles/unprivuser.te @@ -146,6 +146,10 @@ ifndef(`distro_redhat',` ') optional_policy(` + syncthing_role(user_r, user_t) + ') + + optional_policy(` thunderbird_role(user_r, user_t) ') 
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te index 3f1acb5..21fbbca 100644 --- a/policy/modules/system/unconfined.te +++ b/policy/modules/system/unconfined.te @@ -174,6 +174,10 @@ optional_policy(` ') optional_policy(` + syncthing_role(unconfined_r, unconfined_t) +') + +optional_policy(` sysnet_run_dhcpc(unconfined_t, unconfined_r) sysnet_dbus_chat_dhcpc(unconfined_t) ')
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
commit: a401ae8d3246a7b6bbf23913fa2d01cc56d8d406 Author: Chris PeBenito tresys com> AuthorDate: Tue May 31 13:15:40 2016 + Commit: Jason Zaman gentoo org> CommitDate: Wed Jun 1 18:20:07 2016 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a401ae8d Module version bump for mlstrustedsocket from qqo. policy/modules/kernel/mls.te | 2 +- policy/modules/system/logging.te | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/policy/modules/kernel/mls.te b/policy/modules/kernel/mls.te index 832f83f..e508050 100644 --- a/policy/modules/kernel/mls.te +++ b/policy/modules/kernel/mls.te @@ -1,4 +1,4 @@ -policy_module(mls, 1.8.0) +policy_module(mls, 1.8.1) # diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te index 08cff69..d9737d0 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -1,4 +1,4 @@ -policy_module(logging, 1.23.1) +policy_module(logging, 1.23.2) #
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
commit: 2c944c6b0d0251dc5e1e2f73ab40b7d175411a83 Author: Chris PeBenito tresys com> AuthorDate: Mon Mar 28 13:59:02 2016 + Commit: Jason Zaman gentoo org> CommitDate: Fri May 13 05:07:33 2016 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2c944c6b Module version bump for Debian fc entries from Laurent Bigonville. policy/modules/kernel/corecommands.te | 2 +- policy/modules/system/selinuxutil.te | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te index eee1a19..e944817 100644 --- a/policy/modules/kernel/corecommands.te +++ b/policy/modules/kernel/corecommands.te @@ -1,4 +1,4 @@ -policy_module(corecommands, 1.21.3) +policy_module(corecommands, 1.21.4) # diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te index 76abb95..50015ad 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te @@ -1,4 +1,4 @@ -policy_module(selinuxutil, 1.20.0) +policy_module(selinuxutil, 1.20.1) gen_require(` bool secure_mode;
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
commit: c2a314c9ce3a40f510564217177f9ae420447bf1 Author: Laurent Bigonville bigon be> AuthorDate: Fri Mar 25 21:35:17 2016 + Commit: Jason Zaman gentoo org> CommitDate: Fri May 13 05:07:33 2016 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c2a314c9 Add some labels for SELinux tools path in Debian policy/modules/kernel/corecommands.fc | 2 ++ policy/modules/system/selinuxutil.fc | 1 + 2 files changed, 3 insertions(+) diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc index c228d79..35752e7 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -268,6 +268,8 @@ ifdef(`distro_gentoo',` /usr/lib/debug/usr/bin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/debug/usr/sbin(/.*)? -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/selinux/hll(/.*)? gen_context(system_u:object_r:bin_t,s0) + /usr/lib/[^/]*thunderbird[^/]*/thunderbird -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/[^/]*thunderbird[^/]*/thunderbird-bin -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/[^/]*thunderbird[^/]*/open-browser\.sh -- gen_context(system_u:object_r:bin_t,s0) diff --git a/policy/modules/system/selinuxutil.fc b/policy/modules/system/selinuxutil.fc index 59ae92a..8f0db04 100644 --- a/policy/modules/system/selinuxutil.fc +++ b/policy/modules/system/selinuxutil.fc @@ -49,6 +49,7 @@ /var/lib/selinux(/.*)? gen_context(system_u:object_r:semanage_store_t,s0) /var/lib/selinux/[^/]+/semanage\.read\.LOCK -- gen_context(system_u:object_r:semanage_read_lock_t,s0) /var/lib/selinux/[^/]+/semanage\.trans\.LOCK -- gen_context(system_u:object_r:semanage_trans_lock_t,s0) +/usr/lib/selinux/semanage_migrate_store-- gen_context(system_u:object_r:semanage_exec_t,s0) # # /var/run
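Review bot: The new `/usr/lib/selinux/semanage_migrate_store` entry in selinuxutil.fc sits between the `/var/lib/selinux` lines and the `# /var/run` section header, although the file groups entries by top-level directory; it should go with the other `/usr` entries earlier in the file, where someone auditing /usr labels will look for it. Labelling the script semanage_exec_t also makes it an entrypoint for semanage_t, so any domain with a semanage domain transition can run the store migration in that domain; that looks intended, but a one-line comment such as `# store migration helper; runs in semanage_t like semanage` would make the choice explicit. The corecommands.fc hunk labelling `/usr/lib/selinux/hll(/.*)?` as bin_t raises no concern.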
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
commit: 328fabd9384f9ae1ade19b5186e6174901c3 Author: Chris PeBenito tresys com> AuthorDate: Wed Jan 6 14:22:11 2016 + Commit: Jason Zaman gentoo org> CommitDate: Sat Jan 30 17:16:56 2016 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=328fabd9 Module version bump for syslog and systemd changes from Laurent Bigonville policy/modules/kernel/corecommands.te | 2 +- policy/modules/system/logging.te | 2 +- policy/modules/system/systemd.te | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te index f8cd213..f2cb295 100644 --- a/policy/modules/kernel/corecommands.te +++ b/policy/modules/kernel/corecommands.te @@ -1,4 +1,4 @@ -policy_module(corecommands, 1.21.1) +policy_module(corecommands, 1.21.2) # diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te index f2e4984..79f8084 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -1,4 +1,4 @@ -policy_module(logging, 1.23.0) +policy_module(logging, 1.23.1) # diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index 2376af3..8892447 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -1,4 +1,4 @@ -policy_module(systemd, 1.1.1) +policy_module(systemd, 1.1.2) # #
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
commit: 6383a0207e2bad0f98f684b20e96da9115686850 Author: Chris PeBenito tresys com> AuthorDate: Thu Dec 10 20:46:13 2015 + Commit: Jason Zaman gentoo org> CommitDate: Thu Dec 17 15:25:22 2015 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6383a020 Module version bumps for 2 patches from Dominick Grift. policy/modules/kernel/kernel.te| 2 +- policy/modules/system/authlogin.te | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te index 2625e2f..7fe0a70 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -1,4 +1,4 @@ -policy_module(kernel, 1.20.0) +policy_module(kernel, 1.20.1) # diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te index 98ebecd..587b289 100644 --- a/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te @@ -1,4 +1,4 @@ -policy_module(authlogin, 2.8.0) +policy_module(authlogin, 2.8.1) #
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/, man/man8/
commit: 384a7ab97439bd150d51c938062a2b90c5441a66 Author: Sven Vermeulen siphos be> AuthorDate: Fri Nov 28 10:13:54 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Mon Dec 15 18:56:22 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=384a7ab9 Fix bug 529204 - Support a dhcpc_script_t domain We introduce an executable domain (dhcpc_script_t) through which the hooks can be executed for the DHCP clients. This domain is separate in order to keep the privileges of the application small, but also because this domain will execute commands that are not the responsibility of the DHCP client code itself (code-wise) but are provided by administrators. Security-wise, as these are scripts, it is more difficult to guarantee correctness. As such, we want to isolate these privileges in their own domain. The domain will have basic privileges to support the majority of installations, but we also include a sysnet_dhcpc_script_entry() interface so that domain transitions can be easily added without the need for augmenting the privileges of the dhcpc_script_t domain. --- man/man8/sysnetwork_selinux.8 | 110 ++ policy/modules/kernel/corecommands.fc | 2 +- policy/modules/system/sysnetwork.fc | 1 + policy/modules/system/sysnetwork.if | 29 + policy/modules/system/sysnetwork.rst | 91 policy/modules/system/sysnetwork.te | 58 ++ 6 files changed, 290 insertions(+), 1 deletion(-) diff --git a/man/man8/sysnetwork_selinux.8 b/man/man8/sysnetwork_selinux.8 new file mode 100644 index 000..217c020 --- /dev/null +++ b/man/man8/sysnetwork_selinux.8
@@ -0,0 +1,110 @@ +.\" Man page generated from reStructuredText. +. +.TH SYSNETWORK_SELINUX 8 "2014-11-28" "" "SELinux" +.SH NAME +sysnetwork_selinux \- SELinux policy module for system networking +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.SH DESCRIPTION +.sp +The \fBsysnetwork\fP SELinux module supports the following core networking +domains: DHCP client and ifconfig. +.SS DHCP Client +.sp +The DHCP client policy works around the \fIdhcpc_t\fP domain. It is usually +executed from within an init script, and interacts with the network subsystems +in the Linux kernel in order to obtain an IP address and manage the network +configuration of the system. +.sp +Some DHCP clients also have the ability to call additional scripts when an IP +address is obtained (or released), allowing administrators to automate certain +tasks on the system further. Within the SELinux policy, we (Gentoo) try to +handle the hooks through the \fIdhcp_script_t\fP domain. +.SS Ifconfig +.sp +The \fIifconfig\fP command (and associated \fIifconfig_t\fP domain) is used to manually +set the IP address and other network configurations of the system. +.SH BOOLEANS +.sp +No booleans are managed through this module. 
+.SH DOMAINS +.INDENT 0.0 +.TP +.B dhcpc_t +The main domain for the DHCP client +.TP +.B dhcpc_script_t +The domain in which the hooks (pre\- and post processing of DHCP operations) +run +.TP +.B ifconfig_t +The domain for manual IP address handling (for instance through the +\fIifconfig\fP or \fIip\fP commands) +.UNINDENT +.SH POLICY +.sp +The following interfaces can be used to enhance the default policy with +sysnetwork\-related provileges. More details on these interfaces can be found in the +interface HTML documentation, we will not list all available interfaces here. +.SS Domain interaction +.sp +The most interesting definition in the policy is the \fBsysnet_dhcpc_script_entry\fP +interface. It allows for the DHCP script domain (\fIdhcpc_script_t\fP) to +execute a particular type (second argument) and transition to a given domain +(first argument). +.sp +For instance, to allow a DHCP hook to execute any portage commands: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +sysnet_dhcpc_script_entry(portage_t, portage_exec_t) +.ft P +.fi +.UNINDENT +.UNINDENT +.sp +It is generally preferred to transition a DHCP hook script as fast as possible +to a specific domain rather than enhancing the \fIdhcpc_script_t\fP domain with +additional privileges. +.SH BUGS +.sp +No specific bugs known. +.SH SEE ALSO +.INDENT 0.0 +.IP \(bu 2 +Gentoo and SELinux at \fI\%https://wiki.gentoo.org/wiki/SELinux\fP +.IP \(bu 2 +Gentoo Hardened SELinux
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
commit: 095f93a76e79fb0a58e8262c0711ca5845b8ce24 Author: Nicolas Iooss m4x org> AuthorDate: Sun Sep 7 21:28:14 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Sat Sep 13 09:30:10 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=095f93a7 Allow journald to read the kernel ring buffer and to use /dev/kmsg audit.log shows that journald needs to read the kernel read buffer: avc: denied { syslog_read } for pid=147 comm="systemd-journal" scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1 Moreover journald uses RW access to /dev/kmsg, according to its code: http://cgit.freedesktop.org/systemd/systemd/tree/src/journal/journald-kmsg.c?id=v215#n394 --- policy/modules/kernel/devices.if | 18 ++ policy/modules/system/logging.te | 3 +++ 2 files changed, 21 insertions(+) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if index 2963f91..5ab0f6e 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -2198,6 +2198,24 @@ interface(`dev_write_kmsg',` ## +## Read and write to the kernel messages device +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_rw_kmsg',` + gen_require(` + type device_t, kmsg_device_t; + ') + + rw_chr_files_pattern($1, device_t, kmsg_device_t) +') + + +## ## Get the attributes of the ksm devices. ## ## diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te index 1ece825..f254279 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -406,6 +406,7 @@ kernel_read_messages(syslogd_t) kernel_read_vm_sysctls(syslogd_t) kernel_clear_ring_buffer(syslogd_t) kernel_change_ring_buffer_level(syslogd_t) +kernel_read_ring_buffer(syslogd_t) # /initrd is not umounted before minilog starts kernel_dontaudit_search_unlabeled(syslogd_t) 
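Review bot: The summary `Read and write to the kernel messages device` on the new dev_rw_kmsg interface documents only the chr_file rule; reading /dev/kmsg additionally requires the syslog_read permission on kernel_t's system class, which this interface does not grant and which the logging.te hunk in the same commit obtains separately through kernel_read_ring_buffer (the avc quoted in the commit message is exactly that denial). A sentence in the interface description such as `Reading the device additionally requires kernel_read_ring_buffer() on the caller.` would keep future callers of dev_rw_kmsg from hitting the same denial.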
@@ -437,6 +438,8 @@ corenet_sendrecv_mysqld_client_packets(syslogd_t)
 dev_filetrans(syslogd_t, devlog_t, sock_file)
 dev_read_sysfs(syslogd_t)
+# Allow access to /dev/kmsg for journald
+dev_rw_kmsg(syslogd_t)
 domain_use_interactive_fds(syslogd_t)
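Review bot: The comment `# Allow access to /dev/kmsg for journald` describes a grant that applies to every daemon running in syslogd_t, since journald shares that domain (the quoted avc shows comm="systemd-journal" in syslogd_t) rather than having its own; the same holds for `kernel_read_ring_buffer(syslogd_t)` in the previous hunk. If this tree has a systemd build conditional, wrapping both rules in it would leave non-systemd syslog daemons at their previous access; otherwise the comment should state the wider scope, e.g. `# journald runs in syslogd_t and reads/writes /dev/kmsg; granted to all syslogd_t implementations`. Read access to /dev/kmsg exposes the full kernel log to every syslogd_t implementation, which is the behaviour to document either way.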
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
commit: b5f4e7285985d1a6adfba1aaed6c17acdaae9c79 Author: Chris PeBenito tresys com> AuthorDate: Fri Sep 12 15:30:05 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Sat Sep 13 09:30:26 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=b5f4e728 Module version bumps for systemd/journald patches from Nicolas Iooss. --- policy/modules/kernel/devices.te | 2 +- policy/modules/system/init.te| 2 +- policy/modules/system/logging.te | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te index 00605a8..b862665 100644 --- a/policy/modules/kernel/devices.te +++ b/policy/modules/kernel/devices.te @@ -1,4 +1,4 @@ -policy_module(devices, 1.16.3) +policy_module(devices, 1.16.4) # diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index 94a5516..cd2b0e4 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -1,4 +1,4 @@ -policy_module(init, 1.21.3) +policy_module(init, 1.21.4) gen_require(` class passwd rootok; diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te index 4008931..c56577e 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -1,4 +1,4 @@ -policy_module(logging, 1.21.1) +policy_module(logging, 1.21.2) #
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
commit: c7f51ec56d714296eba9de60054556fb0a5e15cf Author: Chris PeBenito tresys com> AuthorDate: Tue Aug 19 12:45:38 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Tue Aug 19 20:06:51 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=c7f51ec5 Module version bump for losetup fixes from Luis Ressel. --- policy/modules/kernel/kernel.te | 2 +- policy/modules/system/fstools.te | 2 +- policy/modules/system/mount.te | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te index 7178d93..d5f2864 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -1,4 +1,4 @@ -policy_module(kernel, 1.18.2) +policy_module(kernel, 1.18.3) # diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te index a2a12c4..b0475ea 100644 --- a/policy/modules/system/fstools.te +++ b/policy/modules/system/fstools.te @@ -1,4 +1,4 @@ -policy_module(fstools, 1.17.1) +policy_module(fstools, 1.17.2) # diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te index 5cd97be..83854fd 100644 --- a/policy/modules/system/mount.te +++ b/policy/modules/system/mount.te @@ -1,4 +1,4 @@ -policy_module(mount, 1.17.0) +policy_module(mount, 1.17.1) #
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
commit: edf8cf3543282583fa5e07f644f07465d8fe7713 Author: Luis Ressel aixah de> AuthorDate: Mon Aug 11 22:24:15 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Tue Aug 19 20:06:47 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=edf8cf35 Add neccessary permissions for losetup This allows losetup to bind mount_loopback_t files to loop devices. --- policy/modules/kernel/kernel.te | 5 + policy/modules/system/fstools.te | 5 + 2 files changed, 10 insertions(+)
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 4e39c2c..7178d93 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -300,6 +300,11 @@ ifdef(`distro_redhat',`
 ')
 optional_policy(`
+ # loop devices
+ fstools_use_fds(kernel_t)
+')
+
+optional_policy(`
 hotplug_search_config(kernel_t)
 ')
diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index 5c77a4f..7ce8171 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -94,6 +94,8 @@ dev_rw_sysfs(fsadm_t)
 dev_getattr_usbfs_dirs(fsadm_t)
 # Access to /dev/mapper/control
 dev_rw_lvm_control(fsadm_t)
+# for losetup
+dev_rw_loop_control(fsadm_t)
 domain_use_interactive_fds(fsadm_t)
@@ -125,6 +127,9 @@ files_search_all(fsadm_t)
 mls_file_read_all_levels(fsadm_t)
 mls_file_write_all_levels(fsadm_t)
+# losetup: bind mount_loopback_t files to loop devices
+mount_rw_loopback_files(fsadm_t)
+
 storage_raw_read_fixed_disk(fsadm_t)
 storage_raw_write_fixed_disk(fsadm_t)
 storage_raw_read_removable_device(fsadm_t)
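Review bot: `# loop devices` above `fstools_use_fds(kernel_t)` does not explain why kernel_t needs fsadm_t's file descriptors; presumably losetup hands the backing file's descriptor to the loop driver, and the loop device's kernel worker then performs I/O through it while running as kernel_t. Stating that, e.g. `# losetup passes the backing-file fd to the loop driver; the loop kernel thread uses it as kernel_t`, would make the grant auditable against the losetup behaviour it serves. Note that fstools_use_fds covers all descriptors fsadm_t holds, not only loop backing files, so the comment should not suggest the access is narrower than it is.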
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
commit: a7acfa6001b742d245b462b31fe8581625d4a431 Author: Elia Pinto gmail com> AuthorDate: Fri Jun 6 08:04:25 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Tue Jun 10 18:14:33 2014 + URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=a7acfa60 Fix misspelling Fix misspelling using http://github.com/lyda/misspell-check Signed-off-by: Elia Pinto gmail.com> --- policy/modules/kernel/files.te | 2 +- policy/modules/kernel/storage.if| 14 +++--- policy/modules/system/miscfiles.if | 2 +- policy/modules/system/udev.te | 2 +- policy/modules/system/userdomain.if | 4 ++-- 5 files changed, 12 insertions(+), 12 deletions(-) diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te index cdc1801..852bd46 100644 --- a/policy/modules/kernel/files.te +++ b/policy/modules/kernel/files.te @@ -71,7 +71,7 @@ typealias etc_t alias snmpd_etc_t; # type etc_runtime_t; files_type(etc_runtime_t) -#Temporarily in policy until FC5 dissappears +#Temporarily in policy until FC5 disappears typealias etc_runtime_t alias firstboot_rw_t; # diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if index 64c4cd0..5c1be6b 100644 --- a/policy/modules/kernel/storage.if +++ b/policy/modules/kernel/storage.if @@ -82,7 +82,7 @@ interface(`storage_dontaudit_setattr_fixed_disk_dev',` ## ## Allow the caller to directly read from a fixed disk. -## This is extremly dangerous as it can bypass the +## This is extremely dangerous as it can bypass the ## SELinux protections for filesystem objects, and ## should only be used by trusted domains. ## @@ -128,7 +128,7 @@ interface(`storage_dontaudit_read_fixed_disk',` ## ## Allow the caller to directly write to a fixed disk. -## This is extremly dangerous as it can bypass the +## This is extremely dangerous as it can bypass the ## SELinux protections for filesystem objects, and ## should only be used by trusted domains. ## 
@@ -173,7 +173,7 @@ interface(`storage_dontaudit_write_fixed_disk',` ## ## Allow the caller to directly read and write to a fixed disk. -## This is extremly dangerous as it can bypass the +## This is extremely dangerous as it can bypass the ## SELinux protections for filesystem objects, and ## should only be used by trusted domains. ## @@ -432,7 +432,7 @@ interface(`storage_setattr_scsi_generic_dev',` ## ## Allow the caller to directly read, in a ## generic fashion, from any SCSI device. -## This is extremly dangerous as it can bypass the +## This is extremely dangerous as it can bypass the ## SELinux protections for filesystem objects, and ## should only be used by trusted domains. ## @@ -457,7 +457,7 @@ interface(`storage_read_scsi_generic',` ## ## Allow the caller to directly write, in a ## generic fashion, from any SCSI device. -## This is extremly dangerous as it can bypass the +## This is extremely dangerous as it can bypass the ## SELinux protections for filesystem objects, and ## should only be used by trusted domains. ## @@ -638,7 +638,7 @@ interface(`storage_dontaudit_setattr_removable_dev',` ## ## Allow the caller to directly read from ## a removable device. -## This is extremly dangerous as it can bypass the +## This is extremely dangerous as it can bypass the ## SELinux protections for filesystem objects, and ## should only be used by trusted domains. ## @@ -679,7 +679,7 @@ interface(`storage_dontaudit_raw_read_removable_device',` ## ## Allow the caller to directly write to ## a removable device. -## This is extremly dangerous as it can bypass the +## This is extremely dangerous as it can bypass the ## SELinux protections for filesystem objects, and ## should only be used by trusted domains. ## diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if index 8b9072c..d9220f7 100644 --- a/policy/modules/system/miscfiles.if +++ b/policy/modules/system/miscfiles.if 
@@ -1,4 +1,4 @@
-## Miscelaneous files.
+## Miscellaneous files.
 ##
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 78652da..95de10c 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -193,7 +193,7 @@ ifdef(`distro_debian',`
 ifdef(`distro_gentoo',`
 # during boot, init scripts use /dev/.rcsysinit
- # existance to determine if we are in early booting
+ # existence to determine if we are in early booting
 init_getattr_script_status_files(udev_t)
 ')
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 3cec4f1..7ad8e5b 100644
--
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/, policy/modules/roles/
commit: 2660dc2c8c1c68742a9f57f53b6389b9fc5b810b
Author: Nicolas Iooss m4x org>
AuthorDate: Fri May 23 18:18:10 2014 +
Commit: Sven Vermeulen gentoo org>
CommitDate: Wed May 28 15:39:01 2014 +
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=2660dc2c
No longer use deprecated MLS interfaces
Since commit 2d0c9cec mls_file_read_up and mls_file_write_down interfaces are deprecated even though they are still present. Replace mls_file_read_up with mls_file_read_all_levels and mls_file_write_down with mls_file_write_all_levels.
---
 policy/modules/kernel/kernel.te | 4 ++--
 policy/modules/roles/secadm.te | 2 +-
 policy/modules/roles/sysadm.te | 2 +-
 policy/modules/system/init.te | 6 +++---
 policy/modules/system/setrans.te| 2 +-
 policy/modules/system/udev.te | 2 +-
 policy/modules/system/userdomain.if | 2 +-
 7 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 196c2c2..b56ffce 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -289,8 +289,8 @@ files_read_usr_files(kernel_t)
 mcs_process_set_categories(kernel_t)
-mls_process_read_up(kernel_t)
-mls_process_write_down(kernel_t)
+mls_process_read_all_levels(kernel_t)
+mls_process_write_all_levels(kernel_t)
 mls_file_write_all_levels(kernel_t)
 mls_file_read_all_levels(kernel_t)
diff --git a/policy/modules/roles/secadm.te b/policy/modules/roles/secadm.te
index da11120..2da0b26 100644
--- a/policy/modules/roles/secadm.te
+++ b/policy/modules/roles/secadm.te
@@ -23,7 +23,7 @@ dev_relabel_all_dev_nodes(secadm_t)
 domain_obj_id_change_exemption(secadm_t)
-mls_process_read_up(secadm_t)
+mls_process_read_all_levels(secadm_t)
 mls_file_read_all_levels(secadm_t)
 mls_file_write_all_levels(secadm_t)
 mls_file_upgrade(secadm_t)
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 4acf417..c826abf 100644
--- a/policy/modules/roles/sysadm.te
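Review bot: The description names `mls_file_read_up` and `mls_file_write_down` as the deprecated interfaces being replaced, but the kernel.te hunk here and every following hunk (secadm.te, sysadm.te, init.te, setrans.te, udev.te, userdomain.if) swap `mls_process_read_up`/`mls_process_write_down` for `mls_process_read_all_levels`/`mls_process_write_all_levels`; the `mls_file_*` calls appear only as unchanged context. The message should read `Replace mls_process_read_up with mls_process_read_all_levels and mls_process_write_down with mls_process_write_all_levels`, otherwise anyone auditing MLS exemptions from the history will search for the wrong interface. Given the message's own statement that the old interfaces are still present, the new names are presumably equivalent and no additional MLS bypass is granted, but the `_all_levels` spelling makes the grant explicit: these domains are exempt from the MLS process read/write constraints at every level, which merits a one-line justifying comment beside the less obvious recipients such as setrans_t and the userdom_security_admin_template caller.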
+++ b/policy/modules/roles/sysadm.te
@@ -27,7 +27,7 @@ ifndef(`enable_mls',`
 corecmd_exec_shell(sysadm_t)
-mls_process_read_up(sysadm_t)
+mls_process_read_all_levels(sysadm_t)
 ubac_process_exempt(sysadm_t)
 ubac_file_exempt(sysadm_t)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 20d17da..d84f199 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -154,7 +154,7 @@ mcs_killall(init_t)
 mls_file_read_all_levels(init_t)
 mls_file_write_all_levels(init_t)
-mls_process_write_down(init_t)
+mls_process_write_all_levels(init_t)
 mls_fd_use_all_levels(init_t)
 selinux_set_all_booleans(init_t)
@@ -385,8 +385,8 @@ mcs_process_set_categories(initrc_t)
 mls_file_read_all_levels(initrc_t)
 mls_file_write_all_levels(initrc_t)
-mls_process_read_up(initrc_t)
-mls_process_write_down(initrc_t)
+mls_process_read_all_levels(initrc_t)
+mls_process_write_all_levels(initrc_t)
 mls_rangetrans_source(initrc_t)
 mls_fd_share_all_levels(initrc_t)
diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
index d98b5b2..5dba88e 100644
--- a/policy/modules/system/setrans.te
+++ b/policy/modules/system/setrans.te
@@ -68,7 +68,7 @@ mls_file_read_all_levels(setrans_t)
 mls_file_write_all_levels(setrans_t)
 mls_net_receive_all_levels(setrans_t)
 mls_socket_write_all_levels(setrans_t)
-mls_process_read_up(setrans_t)
+mls_process_read_all_levels(setrans_t)
 mls_socket_read_all_levels(setrans_t)
 selinux_compute_access_vector(setrans_t)
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 95ad555..49a6ca3 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -130,7 +130,7 @@ mls_file_read_all_levels(udev_t)
 mls_file_write_all_levels(udev_t)
 mls_file_upgrade(udev_t)
 mls_file_downgrade(udev_t)
-mls_process_write_down(udev_t)
+mls_process_write_all_levels(udev_t)
 selinux_get_fs_mount(udev_t)
 selinux_validate_context(udev_t)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 2f51389..3cec4f1 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1283,7 +1283,7 @@ template(`userdom_security_admin_template',`
 # Necessary for managing /boot/efi
 fs_manage_dos_files($1)
- mls_process_read_up($1)
+ mls_process_read_all_levels($1)
 mls_file_read_all_levels($1)
 mls_file_upgrade($1)
 mls_file_downgrade($1)
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/, policy/modules/roles/
commit: be9f9cab9e1cba95d0b6fee0aec85834717244fb
Author: Chris PeBenito tresys com>
AuthorDate: Tue May 27 13:23:29 2014 +
Commit: Sven Vermeulen gentoo org>
CommitDate: Wed May 28 15:39:03 2014 +
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=be9f9cab
Module version bump for deprecated interface usage removal from Nicolas Iooss.
---
 policy/modules/kernel/kernel.te | 2 +-
 policy/modules/roles/secadm.te | 2 +-
 policy/modules/roles/sysadm.te | 2 +-
 policy/modules/system/init.te | 2 +-
 policy/modules/system/setrans.te| 2 +-
 policy/modules/system/udev.te | 2 +-
 policy/modules/system/userdomain.te | 2 +-
 7 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index b56ffce..5d6da7f 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -1,4 +1,4 @@
-policy_module(kernel, 1.18.0)
+policy_module(kernel, 1.18.1)
 #
diff --git a/policy/modules/roles/secadm.te b/policy/modules/roles/secadm.te
index 2da0b26..f7791d0 100644
--- a/policy/modules/roles/secadm.te
+++ b/policy/modules/roles/secadm.te
@@ -1,4 +1,4 @@
-policy_module(secadm, 2.4.0)
+policy_module(secadm, 2.4.1)
 #
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index c826abf..4f85745 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -1,4 +1,4 @@
-policy_module(sysadm, 2.7.0)
+policy_module(sysadm, 2.7.1)
 #
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index d84f199..a4a7872 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 1.21.0)
+policy_module(init, 1.21.1)
 gen_require(`
 class passwd rootok;
diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
index 5dba88e..a840e70 100644
--- a/policy/modules/system/setrans.te
+++ b/policy/modules/system/setrans.te
@@ -1,4 +1,4 @@
-policy_module(setrans, 1.9.0)
+policy_module(setrans, 1.9.1)
 gen_require(`
 class context contains;
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 49a6ca3..78652da 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -1,4 +1,4 @@
-policy_module(udev, 1.17.1)
+policy_module(udev, 1.17.2)
 #
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 43ec88f..912849c 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -1,4 +1,4 @@
-policy_module(userdomain, 4.10.1)
+policy_module(userdomain, 4.10.2)
 #
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
commit: ed4ee5529ecaf691d2fafd6e24beda22754073d9
Author: Chris PeBenito tresys com>
AuthorDate: Mon Apr 21 14:37:44 2014 +
Commit: Sven Vermeulen gentoo org>
CommitDate: Mon Apr 21 15:19:54 2014 +
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=ed4ee552
Module version bumps for fc fixes from Nicolas Iooss.
---
 policy/modules/kernel/corecommands.te | 2 +-
 policy/modules/kernel/filesystem.te | 2 +-
 policy/modules/system/logging.te | 2 +-
 policy/modules/system/udev.te | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/policy/modules/kernel/corecommands.te b/policy/modules/kernel/corecommands.te
index 3c243cb..99dc2dc 100644
--- a/policy/modules/kernel/corecommands.te
+++ b/policy/modules/kernel/corecommands.te
@@ -1,4 +1,4 @@
-policy_module(corecommands, 1.19.0)
+policy_module(corecommands, 1.19.1)
 #
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index 30a107d..fd1e7fe 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -1,4 +1,4 @@
-policy_module(filesystem, 1.18.2)
+policy_module(filesystem, 1.18.3)
 #
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 37a3368..1ece825 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -1,4 +1,4 @@
-policy_module(logging, 1.21.0)
+policy_module(logging, 1.21.1)
 #
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 4cda050..95ad555 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -1,4 +1,4 @@
-policy_module(udev, 1.17.0)
+policy_module(udev, 1.17.1)
 #
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
commit: 12f37a40ba367dd101ea17e4e9d30ceac2334db8
Author: Chris PeBenito tresys com>
AuthorDate: Mon Apr 21 13:24:28 2014 +
Commit: Sven Vermeulen gentoo org>
CommitDate: Mon Apr 21 15:18:01 2014 +
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=12f37a40
Module version bump for fixes from Laurent Bigonville.
---
 policy/modules/kernel/filesystem.te | 2 +-
 policy/modules/system/miscfiles.te | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index 1e5b262..30a107d 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -1,4 +1,4 @@
-policy_module(filesystem, 1.18.1)
+policy_module(filesystem, 1.18.2)
 #
diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te
index 920ae21..f572fce 100644
--- a/policy/modules/system/miscfiles.te
+++ b/policy/modules/system/miscfiles.te
@@ -1,4 +1,4 @@
-policy_module(miscfiles, 1.11.1)
+policy_module(miscfiles, 1.11.2)
 #
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/, policy/modules/roles/
commit: dfb102dc02c13d63bf69cb88edf5ea11601f5e81
Author: Chris PeBenito tresys com>
AuthorDate: Fri Apr 11 15:21:03 2014 +
Commit: Sven Vermeulen gentoo org>
CommitDate: Fri Apr 11 17:48:06 2014 +
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=dfb102dc
Module version bump for 2 patch sets from Laurent Bigonville.
* xattrfs attribute
* Misc Debian fixes
---
 policy/modules/kernel/devices.te | 2 +-
 policy/modules/kernel/filesystem.te | 2 +-
 policy/modules/kernel/terminal.te| 2 +-
 policy/modules/roles/staff.te| 2 +-
 policy/modules/roles/unprivuser.te | 2 +-
 policy/modules/system/miscfiles.te | 2 +-
 policy/modules/system/selinuxutil.te | 2 +-
 7 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 2fdb01b..3e03a9d 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -1,4 +1,4 @@
-policy_module(devices, 1.16.1)
+policy_module(devices, 1.16.2)
 #
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index 31058f0..bad3d16 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -1,4 +1,4 @@
-policy_module(filesystem, 1.18.0)
+policy_module(filesystem, 1.18.1)
 #
diff --git a/policy/modules/kernel/terminal.te b/policy/modules/kernel/terminal.te
index 01dbf46..94f7dac 100644
--- a/policy/modules/kernel/terminal.te
+++ b/policy/modules/kernel/terminal.te
@@ -1,4 +1,4 @@
-policy_module(terminal, 1.12.0)
+policy_module(terminal, 1.12.1)
 #
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 247f898..27b49b1 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -1,4 +1,4 @@
-policy_module(staff, 2.5.0)
+policy_module(staff, 2.5.1)
 #
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index c40c34c..65600f4 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -1,4 +1,4 @@
-policy_module(unprivuser, 2.5.0)
+policy_module(unprivuser, 2.5.1)
 # this module should be named user, but that is
 # a compile error since user is a keyword.
diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te
index e60f80d..920ae21 100644
--- a/policy/modules/system/miscfiles.te
+++ b/policy/modules/system/miscfiles.te
@@ -1,4 +1,4 @@
-policy_module(miscfiles, 1.11.0)
+policy_module(miscfiles, 1.11.1)
 #
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index cf0c693..2b99c9b 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -1,4 +1,4 @@
-policy_module(selinuxutil, 1.18.0)
+policy_module(selinuxutil, 1.18.1)
 gen_require(`
 bool secure_mode;
[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/, policy/modules/admin/
commit: 606ce20297b1815ca6ea395c19c0471fdad55d46
Author: Sven Vermeulen siphos be>
AuthorDate: Tue Apr 8 15:54:11 2014 +
Commit: Sven Vermeulen gentoo org>
CommitDate: Tue Apr 8 15:54:11 2014 +
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=606ce202
Remove merged code, reshuffle gentoo specific ones
---
 policy/modules/admin/sudo.if| 5 --
 policy/modules/kernel/devices.fc| 4 -
 policy/modules/kernel/devices.if| 155 ++--
 policy/modules/system/userdomain.if | 40 +-
 4 files changed, 99 insertions(+), 105 deletions(-)
diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
index 07e5db8..d9114b3 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -160,11 +160,6 @@ template(`sudo_role_template',`
 fprintd_dbus_chat($1_sudo_t)
 ')
- ifdef(`distro_gentoo',`
- # Massive amount of getattr denials but no mention in logs or functional issues, so dontaudit it
- term_dontaudit_getattr_unallocated_ttys($1_sudo_t)
- ')
-
 ')
diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
index 053cfa7..d6ebfcd 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -208,7 +208,3 @@ ifdef(`distro_redhat',`
 /var/named/chroot/dev/random -c gen_context(system_u:object_r:random_device_t,s0)
 /var/named/chroot/dev/zero -c gen_context(system_u:object_r:zero_device_t,s0)
 ')
-
-ifdef(`distro_gentoo',`
-/sys/devices/system/cpu/online -- gen_context(system_u:object_r:cpu_online_t,s0)
-')
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 56dd021..8c14b43 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -588,25 +588,6 @@ interface(`dev_dontaudit_setattr_generic_chr_files',`
 ##
-## Setattr for generic character device files.
-##
-##
-##
-## Domain allowed access
-##
-##
-#
-interface(`dev_setattr_generic_chr_files',`
- gen_require(`
- type device_t;
- ')
-
- allow $1 device_t:chr_file setattr;
-')
-
-
-
-##
 ## Read generic character device files.
 ##
 ##
@@ -3856,42 +3837,6 @@ interface(`dev_manage_smartcard',`
 ##
-## Get the attributes of sysfs filesystem
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`dev_getattr_sysfs_fs',`
- gen_require(`
- type sysfs_t;
- ')
-
- allow $1 sysfs_t:filesystem getattr;
-')
-
-
-##
-## Do not audit getting the attributes of sysfs filesystem
-##
-##
-##
-## Domain to dontaudit access from
-##
-##
-#
-interface(`dev_dontaudit_getattr_sysfs_fs',`
- gen_require(`
- type sysfs_t;
- ')
-
- dontaudit $1 sysfs_t:filesystem getattr;
-')
-
-
-##
 ## Associate a file to a sysfs filesystem.
 ##
 ##
@@ -4038,26 +3983,6 @@ interface(`dev_manage_sysfs_dirs',`
 ##
-## Dont audit attempts to read hardware state information
-##
-##
-##
-## Domain for which the attempts do not need to be audited
-##
-##
-#
-interface(`dev_dontaudit_read_sysfs',`
- gen_require(`
- type sysfs_t;
- ')
-
- dontaudit $1 sysfs_t:file read_file_perms;
- dontaudit $1 sysfs_t:dir list_dir_perms;
- dontaudit $1 sysfs_t:lnk_file read_lnk_file_perms;
-')
-
-
-##
 ## Read hardware state information.
 ##
 ##
@@ -4947,11 +4872,11 @@ interface(`dev_read_cpu_online',`
 type cpu_online_t;
 ')
+ allow $1 cpu_online_t:file read_file_perms;
+ dev_search_sysfs($1)
- read_files_pattern($1, cpu_online_t, cpu_online_t)
 ')
-
 ##
 ## Unconfined access to devices.
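Review bot: The rewritten body of `dev_read_cpu_online` (hunk `@@ -4947,11 +4872,11 @@`; the interface's opening lines and gen_require are outside the hunk) now grants `allow $1 cpu_online_t:file read_file_perms;` plus `dev_search_sysfs($1)`, yet the only file-context entry on this page that labels anything `cpu_online_t` — `/sys/devices/system/cpu/online` in the distro_gentoo block of devices.fc — is deleted by this same commit without a replacement. Unless the merged upstream devices.fc now carries that label (the commit title suggests so, but nothing in the diffstat shows it), the interface would grant access to a type no sysfs object is labelled with and callers would gain nothing in practice; worth confirming against upstream before merging. If the upstream entry exists, a sentence in the commit message such as `devices.fc: drop the gentoo-only cpu_online_t labeling, now provided upstream` would make the dependency explicit for anyone reading the removal later. The earlier hunks in this file are pure relocations of interfaces and need no change.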
@@ -4974,6 +4899,82 @@ interface(`dev_unconfined',`
 ##
+## Dont audit attempts to read hardware state information
+##
+##
+##
+## Domain for which the attempts do not need to be audited
+##
+##
+#
+interface(`dev_dontaudit_read_sysfs',`
+ gen_require(`
+ type sysfs_t;
+ ')
+
+ dontaudit $1 sysfs_t:file read_file_perms;
+ dontaudit $1 sysfs_t:dir list_dir_perms;
+ dontaudit $1 sysfs_t:lnk_file read_lnk_file_perms;
+')
+
+
+##
+## Do not audit getting the attributes of sysfs filesystem
+##
+##
+##
+## Domain to dontaudit access from
+##
+##
+#
+interface(`dev_dontaudit_