[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/

2017-09-10 Thread Jason Zaman
commit: 80dc75218a97e01f1cd48b239e7c6eb731b8c892
Author: Jason Zaman  perfinion  com>
AuthorDate: Sun Sep 10 13:38:15 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Sep 10 13:38:15 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=80dc7521

miscfiles: map fonts cache

 policy/modules/system/miscfiles.if | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/miscfiles.if 
b/policy/modules/system/miscfiles.if
index e39c387e..05968866 100644
--- a/policy/modules/system/miscfiles.if
+++ b/policy/modules/system/miscfiles.if
@@ -181,6 +181,7 @@ interface(`miscfiles_read_fonts',`
 
allow $1 fonts_cache_t:dir list_dir_perms;
read_files_pattern($1, fonts_cache_t, fonts_cache_t)
+   allow $1 fonts_cache_t:file map;
read_lnk_files_pattern($1, fonts_cache_t, fonts_cache_t)
 ')
 



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/

2017-09-10 Thread Jason Zaman
commit: ab5e77931352bf9a38c3bd273b833329de9cb050
Author: Jason Zaman  perfinion  com>
AuthorDate: Sun Sep 10 12:51:09 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Sep 10 12:51:09 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ab5e7793

userdomain: allow map user_tmpfs_t files

 policy/modules/system/userdomain.if | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/userdomain.if 
b/policy/modules/system/userdomain.if
index 88704b71..84e9c57e 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -401,6 +401,7 @@ interface(`userdom_manage_tmpfs_role',`
type user_tmpfs_t;
')
 
+   allow $2 user_tmpfs_t:file map;
manage_dirs_pattern($2, user_tmpfs_t, user_tmpfs_t)
manage_files_pattern($2, user_tmpfs_t, user_tmpfs_t)
manage_lnk_files_pattern($2, user_tmpfs_t, user_tmpfs_t)



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/

2017-09-10 Thread Jason Zaman
commit: d9d2a067d727b222feb528d67103b4aec0e3c77a
Author: Jason Zaman  perfinion  com>
AuthorDate: Sun Sep 10 13:09:48 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Sep 10 13:10:44 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d9d2a067

selinuxutil: allow semanage map perms

 policy/modules/system/selinuxutil.te |  4 +++-
 policy/modules/system/userdomain.if  | 18 ++
 2 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/policy/modules/system/selinuxutil.te 
b/policy/modules/system/selinuxutil.te
index 0629d437..35ba57c2 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -489,7 +489,7 @@ allow semanage_t policy_src_t:dir search;
 filetrans_pattern(semanage_t, selinux_config_t, semanage_store_t, dir, 
"modules")
 
 allow semanage_t semanage_tmp_t:dir manage_dir_perms;
-allow semanage_t semanage_tmp_t:file { manage_file_perms mmap_file_perms };
+allow semanage_t semanage_tmp_t:file { manage_file_perms mmap_file_perms map };
 files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
 
 kernel_read_system_state(semanage_t)
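Review bot: The rewritten `semanage_tmp_t:file` rule keeps `mmap_file_perms` next to `manage_file_perms`, so semanage_t retains write on these temporary files together with whatever `mmap_file_perms` expands to. In the reference policy's obj_perm_sets.spt of this period that set includes `execute`, if Gentoo's copy matches. If semanage only needs to map the files for reading, `allow semanage_t semanage_tmp_t:file { manage_file_perms map };` is the narrower grant. The denial that prompted the change is not in the commit message, so this should be checked against an AVC before anything is dropped.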
@@ -540,7 +540,9 @@ seutil_manage_default_contexts(semanage_t)
 
 # Handle pp files created in homedir and /tmp
 userdom_read_user_home_content_files(semanage_t)
+userdom_mmap_user_home_content_files(semanage_t)
 userdom_read_user_tmp_files(semanage_t)
+userdom_mmap_user_tmp_files(semanage_t)
 
 ifdef(`distro_debian',`
files_read_var_lib_files(semanage_t)

diff --git a/policy/modules/system/userdomain.if 
b/policy/modules/system/userdomain.if
index 16789a3c..88fdb823 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -2565,6 +2565,24 @@ interface(`userdom_read_user_tmp_files',`
 
 
 ## 
+## Mmap user temporary files.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`userdom_mmap_user_tmp_files',`
+   gen_require(`
+   type user_tmp_t;
+   ')
+
+   allow $1 user_tmp_t:file map;
+')
+
+
+## 
 ## Do not audit attempts to read users
 ## temporary files.
 ## 
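Review bot: `userdom_mmap_user_tmp_files` grants only `map`, yet the sibling interface added for the same single permission in commit bfbc6bd1 (further down this page) is named `userdom_map_user_tmpfs_files`, and the `mmap` prefix appears to be tied to the wider `mmap_file_perms` set used in selinuxutil.te. Naming this one `userdom_map_user_tmp_files` would keep the two consistent and avoid a caller assuming it also grants open and read. The summary could say this directly, for example `Map user temporary files (map permission only; pair with a read interface).` The selinuxutil.te caller in this commit does pair it with `userdom_read_user_tmp_files`.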



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/

2017-09-10 Thread Jason Zaman
commit: bfbc6bd14be977d19cadd03be8e1ed57b9568496
Author: Jason Zaman  perfinion  com>
AuthorDate: Sun Sep 10 12:49:14 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Sep 10 12:49:14 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=bfbc6bd1

Introduce userdom_map_user_tmpfs_files interface

 policy/modules/system/userdomain.if | 18 ++
 1 file changed, 18 insertions(+)

diff --git a/policy/modules/system/userdomain.if 
b/policy/modules/system/userdomain.if
index cc019898..88704b71 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -3212,6 +3212,24 @@ interface(`userdom_rw_user_tmpfs_files',`
 
 
 ## 
+## Map user tmpfs files.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`userdom_map_user_tmpfs_files',`
+   gen_require(`
+   type user_tmpfs_t;
+   ')
+
+   allow $1 user_tmpfs_t:file map;
+')
+
+
+## 
 ## Delete user tmpfs files.
 ## 
 ## 



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/

2017-09-10 Thread Jason Zaman
commit: 58da6a68ade7d4c28dfbc679d901af98573cf441
Author: Jason Zaman  perfinion  com>
AuthorDate: Sun Sep 10 13:32:17 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Sep 10 13:32:17 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=58da6a68

logging: audit map config files and fcontext for /etc/audisp

 policy/modules/system/logging.fc | 1 +
 policy/modules/system/logging.te | 5 +
 2 files changed, 6 insertions(+)

diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
index 9174f94b..55bb640b 100644
--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
@@ -3,6 +3,7 @@
 /etc/rsyslog.conf  gen_context(system_u:object_r:syslog_conf_t,s0)
 /etc/syslog.conf   gen_context(system_u:object_r:syslog_conf_t,s0)
 /etc/audit(/.*)?   
gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
+/etc/audisp(/.*)?  
gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
 /etc/rc\.d/init\.d/auditd --   
gen_context(system_u:object_r:auditd_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/rsyslog --  
gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
 

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 6d09c8bd..de255723 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -105,6 +105,7 @@ allow auditctl_t self:netlink_audit_socket nlmsg_readpriv;
 
 read_files_pattern(auditctl_t, auditd_etc_t, auditd_etc_t)
 allow auditctl_t auditd_etc_t:dir list_dir_perms;
+allow auditctl_t auditd_etc_t:file map;
 
 # Needed for adding watches
 files_getattr_all_dirs(auditctl_t)
@@ -245,6 +246,10 @@ allow audisp_t self:unix_dgram_socket create_socket_perms;
 
 allow audisp_t auditd_t:unix_stream_socket rw_socket_perms;
 
+read_files_pattern(audisp_t, auditd_etc_t, auditd_etc_t)
+allow audisp_t auditd_etc_t:dir list_dir_perms;
+allow audisp_t auditd_etc_t:file map;
+
 manage_sock_files_pattern(audisp_t, audisp_var_run_t, audisp_var_run_t)
 files_pid_filetrans(audisp_t, audisp_var_run_t, sock_file)
 
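Review bot: The three added rules give audisp_t read, list and map on every `auditd_etc_t` object, which per the logging.fc hunk in this commit covers `/etc/audit` as well as the newly labelled `/etc/audisp`. If the dispatcher only needs its own configuration and plugin files, a dedicated type for `/etc/audisp(/.*)?` would keep the audit rules and auditd configuration out of its reach. This is a least-privilege suggestion rather than a confirmed over-grant, since the denials behind the change are not recorded in the commit message.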



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/

2017-09-10 Thread Jason Zaman
commit: a529ea9e146a0a040d183a69c2840d1d36d034e4
Author: Jason Zaman  perfinion  com>
AuthorDate: Sun Sep 10 13:51:28 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Sep 10 13:53:02 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a529ea9e

authlogin: shadow map perms

update can_read_shadow_passwords neverallow to check map perm too

 policy/modules/system/authlogin.if | 2 +-
 policy/modules/system/authlogin.te | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/policy/modules/system/authlogin.if 
b/policy/modules/system/authlogin.if
index 738b1e6f..1ab047bc 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -606,7 +606,7 @@ interface(`auth_tunable_read_shadow',`
')
 
files_list_etc($1)
-   allow $1 shadow_t:file read_file_perms;
+   allow $1 shadow_t:file { read_file_perms map };
 ')
 
 

diff --git a/policy/modules/system/authlogin.te 
b/policy/modules/system/authlogin.te
index 69337c89..8ddcd226 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -60,7 +60,7 @@ files_pid_file(pam_var_run_t)
 
 type shadow_t;
 files_auth_file(shadow_t)
-neverallow ~can_read_shadow_passwords shadow_t:file read;
+neverallow ~can_read_shadow_passwords shadow_t:file { read map };
 neverallow ~can_write_shadow_passwords shadow_t:file { create write };
 neverallow ~can_relabelto_shadow_passwords shadow_t:file relabelto;
 
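Review bot: The widened `neverallow ~can_read_shadow_passwords shadow_t:file { read map };` has no comment explaining why `map` is now listed. A one-line comment above it, such as `# map is policed together with read so only can_read_shadow_passwords domains can hold a mapping of shadow`, would show the next maintainer that the addition is deliberate. Callers of `auth_tunable_read_shadow`, which gains `map` in the authlogin.if hunk, already needed the attribute for `read`, so the wider assertion should not introduce new build failures there.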
@@ -99,7 +99,7 @@ allow chkpwd_t self:capability { dac_override setuid };
 dontaudit chkpwd_t self:capability sys_tty_config;
 allow chkpwd_t self:process { getattr signal };
 
-allow chkpwd_t shadow_t:file read_file_perms;
+allow chkpwd_t shadow_t:file { read_file_perms map };
 files_list_etc(chkpwd_t)
 
 kernel_read_crypto_sysctls(chkpwd_t)



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/

2017-09-10 Thread Jason Zaman
commit: f32eef0d86cbdfc1f28a91528c365c9607f5e268
Author: Jason Zaman  perfinion  com>
AuthorDate: Sun Sep 10 13:21:05 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Sep 10 13:21:05 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f32eef0d

modutils: allow kmod map perms

 policy/modules/system/modutils.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/modutils.te 
b/policy/modules/system/modutils.te
index baa75129..297a2e42 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -50,6 +50,7 @@ filetrans_add_pattern(kmod_t, modules_object_t, 
modules_dep_t, file)
 create_files_pattern(kmod_t, modules_object_t, modules_dep_t)
 delete_files_pattern(kmod_t, modules_object_t, modules_dep_t)
 allow kmod_t kmod_tmpfiles_conf_t:file manage_file_perms;
+allow kmod_t { modules_dep_t modules_object_t }:file map;
 
 can_exec(kmod_t, kmod_exec_t)
 



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/

2017-09-10 Thread Jason Zaman
commit: dcabf74f03c4b6e531814174a6853849687db7d3
Author: Jason Zaman  perfinion  com>
AuthorDate: Sun Sep 10 13:35:16 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Sep 10 13:35:16 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=dcabf74f

getty: allow nsswitch

 policy/modules/system/getty.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
index 6d3c4284..3a7564ab 100644
--- a/policy/modules/system/getty.te
+++ b/policy/modules/system/getty.te
@@ -82,6 +82,7 @@ term_setattr_unallocated_ttys(getty_t)
 term_setattr_console(getty_t)
 
 auth_rw_login_records(getty_t)
+auth_use_nsswitch(getty_t)
 
 init_rw_utmp(getty_t)
 
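Review bot: `auth_use_nsswitch(getty_t)` is a broad grant for a login-prompt domain: in the reference policy that interface covers name-service lookups in general, including DNS resolution and, depending on optional modules and tunables, directory-service backends. The commit message does not record the denial that led to it, so it is hard to tell whether getty_t needs all of that or only local passwd and group lookups. A comment on the line naming the trigger, for example `# agetty resolves user and host names when building the prompt` if that is the case, would make the grant reviewable later.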



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/, policy/modules/contrib/, policy/modules/kernel/

2017-05-07 Thread Jason Zaman
commit: 7e4da077a1af550ffa4f87ab8bcbbeed80887710
Author: Jason Zaman  perfinion  com>
AuthorDate: Thu Mar 30 07:30:55 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun May  7 17:40:30 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7e4da077

gssproxy: Allow others to stream connect

kernel AVC:
 * Starting gssproxy ...
Failed to write to /proc/net/rpc/use-gss-proxy: 13 (Permission denied)
 * start-stop-daemon: failed to start `gssproxy'

type=AVC msg=audit(1490858215.578:386110): avc:  denied  { connectto } for  
pid=25447 comm="gssproxy" path="/run/gssproxy.sock" 
scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 
tclass=unix_stream_socket permissive=0

 policy/modules/contrib/rpc.te   | 3 +++
 policy/modules/kernel/kernel.te | 4 
 policy/modules/system/userdomain.if | 4 
 3 files changed, 11 insertions(+)

diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
index a8a83400..c7855fef 100644
--- a/policy/modules/contrib/rpc.te
+++ b/policy/modules/contrib/rpc.te
@@ -339,6 +339,9 @@ optional_policy(`
 ')
 
 optional_policy(`
+   gssproxy_stream_connect(gssd_t)
+')
+optional_policy(`
kerberos_manage_host_rcache(gssd_t)
kerberos_read_keytab(gssd_t)
kerberos_tmp_filetrans_host_rcache(gssd_t, file, "nfs_0")

diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index a2869be7..16e5c64b 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -418,6 +418,10 @@ optional_policy(`
rpc_tcp_rw_nfs_sockets(kernel_t)
rpc_udp_rw_nfs_sockets(kernel_t)
 
+   optional_policy(`
+   gssproxy_stream_connect(kernel_t)
+   ')
+
tunable_policy(`nfs_export_all_ro',`
fs_getattr_noxattr_fs(kernel_t)
fs_list_noxattr_fs(kernel_t)

diff --git a/policy/modules/system/userdomain.if 
b/policy/modules/system/userdomain.if
index dbfb33da..55512c04 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -726,6 +726,10 @@ template(`userdom_common_user_template',`
')
 
optional_policy(`
+   gssproxy_stream_connect($1_t)
+   ')
+
+   optional_policy(`
hwloc_exec_dhwd($1_t)
hwloc_read_runtime_files($1_t)
')
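Review bot: Adding `gssproxy_stream_connect($1_t)` to `userdom_common_user_template` gives every user domain built from the template connectto on the gssproxy socket, while the AVC quoted in the commit message shows only kernel_t being denied; the rpc.te grant for gssd_t is likewise not backed by the quoted denial. If user-domain access is intended for GSSAPI clients, a short comment in the block saying so would help, since the kernel.te hunk alone addresses the logged denial. The template body starts and ends outside this hunk. The same three hunks appear again further down the page in commit afdf0aec.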



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/, policy/modules/kernel/, policy/modules/contrib/

2017-03-30 Thread Jason Zaman
commit: afdf0aec496a794732bd8e6d84f6fbb2adab985e
Author: Jason Zaman  perfinion  com>
AuthorDate: Thu Mar 30 07:30:55 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Thu Mar 30 16:50:40 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=afdf0aec

gssproxy: Allow others to stream connect

kernel AVC:
 * Starting gssproxy ...
Failed to write to /proc/net/rpc/use-gss-proxy: 13 (Permission denied)
 * start-stop-daemon: failed to start `gssproxy'

type=AVC msg=audit(1490858215.578:386110): avc:  denied  { connectto } for  
pid=25447 comm="gssproxy" path="/run/gssproxy.sock" 
scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 
tclass=unix_stream_socket permissive=0

 policy/modules/contrib/rpc.te   | 3 +++
 policy/modules/kernel/kernel.te | 4 
 policy/modules/system/userdomain.if | 4 
 3 files changed, 11 insertions(+)

diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
index 0b9a71fc..5dd5d781 100644
--- a/policy/modules/contrib/rpc.te
+++ b/policy/modules/contrib/rpc.te
@@ -339,6 +339,9 @@ optional_policy(`
 ')
 
 optional_policy(`
+   gssproxy_stream_connect(gssd_t)
+')
+optional_policy(`
kerberos_manage_host_rcache(gssd_t)
kerberos_read_keytab(gssd_t)
kerberos_tmp_filetrans_host_rcache(gssd_t, file, "nfs_0")

diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 034d6a0b..0f82fda9 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -416,6 +416,10 @@ optional_policy(`
rpc_tcp_rw_nfs_sockets(kernel_t)
rpc_udp_rw_nfs_sockets(kernel_t)
 
+   optional_policy(`
+   gssproxy_stream_connect(kernel_t)
+   ')
+
tunable_policy(`nfs_export_all_ro',`
fs_getattr_noxattr_fs(kernel_t)
fs_list_noxattr_fs(kernel_t)

diff --git a/policy/modules/system/userdomain.if 
b/policy/modules/system/userdomain.if
index 50100dd1..915e363e 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -700,6 +700,10 @@ template(`userdom_common_user_template',`
')
 
optional_policy(`
+   gssproxy_stream_connect($1_t)
+   ')
+
+   optional_policy(`
hwloc_exec_dhwd($1_t)
hwloc_read_runtime_files($1_t)
')



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/

2017-01-01 Thread Jason Zaman
commit: 989ddb737f2e045e534d3238a9ed8248faf55c83
Author: Guido Trentalancia  trentalancia  net>
AuthorDate: Tue Dec 27 15:33:57 2016 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Jan  1 16:26:28 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=989ddb73

base: use new genhomedircon template for username

Use the new genhomedircon templates for username-dependent
file contexts (requires libsemanage >= 2.6).

This is the base policy part (1/2).

 policy/modules/system/userdomain.fc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/userdomain.fc 
b/policy/modules/system/userdomain.fc
index c8b881e..6c813b4 100644
--- a/policy/modules/system/userdomain.fc
+++ b/policy/modules/system/userdomain.fc
@@ -2,7 +2,7 @@ HOME_DIR-d  
gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
 HOME_DIR/.+gen_context(system_u:object_r:user_home_t,s0)
 HOME_DIR/\.pki(/.*)?   gen_context(system_u:object_r:user_cert_t,s0)
 
-/tmp/gconfd-USER -dgen_context(system_u:object_r:user_tmp_t,s0)
+/tmp/gconfd-%{USERNAME} -d gen_context(system_u:object_r:user_tmp_t,s0)
 
 /run/user  -d  
gen_context(system_u:object_r:user_runtime_root_t,s0)
 /run/user/[^/]+-d  gen_context(system_u:object_r:user_runtime_t,s0)



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/

2016-10-24 Thread Sven Vermeulen
commit: b2555d98366d548d5bffc6cf5d07f4314e5815e4
Author: Jason Zaman  perfinion  com>
AuthorDate: Sun Oct  9 05:08:41 2016 +
Commit: Sven Vermeulen  gentoo  org>
CommitDate: Mon Oct 24 17:13:49 2016 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b2555d98

DO NOT MERGE. sync user_cert_t cert_home_t with upstream

Need to upstream userdom_user_home_dir_filetrans_user_cert interface

 policy/modules/system/userdomain.if | 30 ++
 policy/modules/system/userdomain.te |  2 +-
 2 files changed, 31 insertions(+), 1 deletion(-)

diff --git a/policy/modules/system/userdomain.if 
b/policy/modules/system/userdomain.if
index c4bef2b..e8659da 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -2465,6 +2465,36 @@ interface(`userdom_manage_user_certs',`
 
 
 ## 
+## Automatically use the user_cert_t label for
+## selected resources created in a users home
+## directory
+## 
+## 
+## 
+## Domain allowed access
+## 
+## 
+## 
+## 
+## Resource type(s) for which the label should be used
+## 
+## 
+## 
+## 
+## Name of the resource that is being created
+## 
+## 
+#
+interface(`userdom_user_home_dir_filetrans_user_cert',`
+   gen_require(`
+   type user_cert_t;
+   ')
+
+   userdom_user_home_dir_filetrans($1, user_cert_t, $2, $3)
+')
+
+
+## 
 ## Write to user temporary named sockets.
 ## 
 ## 

diff --git a/policy/modules/system/userdomain.te 
b/policy/modules/system/userdomain.te
index d147a56..43ac9a2 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -93,7 +93,7 @@ files_associate_tmp(user_home_t)
 files_poly_parent(user_home_t)
 files_mountpoint(user_home_t)
 
-type user_cert_t;
+type user_cert_t alias cert_home_t;
 userdom_user_home_content(user_cert_t)
 
 type user_devpts_t alias { staff_devpts_t sysadm_devpts_t secadm_devpts_t 
auditadm_devpts_t unconfined_devpts_t };
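Review bot: Declaring `type user_cert_t alias cert_home_t;` keeps the old name resolvable, but the only call visible after it is `userdom_user_home_content(user_cert_t)`, whereas the `cert_home_t` declaration removed from miscfiles.te (shown in commit 975c23d8 on this page) also had `miscfiles_cert_type(cert_home_t)`. Unless that call exists elsewhere in userdomain.te, domains that reached `~/.pki` through the cert-type attribute lose that access after the sync. This commit's diffstat lists only userdomain.if and userdomain.te, so it also relies on `cert_home_t` no longer being declared in miscfiles.te; a second declaration of the name would break the build.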



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/

2016-10-24 Thread Sven Vermeulen
commit: 975c23d83a8f52c93dffdfd7899bfb561769e711
Author: Jason Zaman  perfinion  com>
AuthorDate: Sun Oct  9 05:08:41 2016 +
Commit: Sven Vermeulen  gentoo  org>
CommitDate: Mon Oct 24 16:02:52 2016 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=975c23d8

DO NOT MERGE. sync user_cert_t cert_home_t with upstream

Need to upstream userdom_user_home_dir_filetrans_user_cert interface

 policy/modules/system/miscfiles.fc  |  2 --
 policy/modules/system/miscfiles.if  | 46 -
 policy/modules/system/miscfiles.te  |  7 --
 policy/modules/system/userdomain.if | 33 +++---
 policy/modules/system/userdomain.te |  2 +-
 5 files changed, 36 insertions(+), 54 deletions(-)

diff --git a/policy/modules/system/miscfiles.fc 
b/policy/modules/system/miscfiles.fc
index be0b6a1..42ac30b 100644
--- a/policy/modules/system/miscfiles.fc
+++ b/policy/modules/system/miscfiles.fc
@@ -103,8 +103,6 @@ ifdef(`distro_redhat',`
 /var/spool/postfix/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
 ')
 
-HOME_DIR/.pki(/.*)?gen_context(system_u:object_r:cert_home_t,s0)
-
 ifdef(`distro_gentoo',`
 /etc/fonts(/.*)?   gen_context(system_u:object_r:fonts_t,s0)
 ')

diff --git a/policy/modules/system/miscfiles.if 
b/policy/modules/system/miscfiles.if
index 63ed47f..d89c7c0 100644
--- a/policy/modules/system/miscfiles.if
+++ b/policy/modules/system/miscfiles.if
@@ -97,15 +97,8 @@ interface(`miscfiles_read_generic_certs',`
 ## 
 #
 interface(`miscfiles_manage_user_certs',`
-   gen_require(`
-   type cert_home_t;
-   ')
-
-   manage_dirs_pattern($1, cert_home_t, cert_home_t)
-   manage_files_pattern($1, cert_home_t, cert_home_t)
-   manage_lnk_files_pattern($1, cert_home_t, cert_home_t)
-
-   userdom_search_user_home_dirs($1)
+   userdom_manage_user_certs($1)
+   refpolicywarn(`$0() has been deprecated, please use 
userdom_manage_user_certs() instead.')
 ')
 
 
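Review bot: `miscfiles_manage_user_certs` is kept as a deprecated wrapper with a `refpolicywarn`, but `miscfiles_user_home_dir_filetrans_cert_home` is deleted outright in the next hunk of this file, so any module still calling it stops building with no deprecation step. Keeping it the same way, with a body of `userdom_user_home_dir_filetrans_user_cert($1, $2, $3)` followed by a `refpolicywarn` naming the replacement, would make the two removals consistent. The userdomain.if hunk also drops the `miscfiles_relabel_user_certs($2)` call; whether that interface still exists is not visible here. The identical change appears again in commit 9cb0a281 below.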
@@ -213,35 +206,6 @@ interface(`miscfiles_manage_cert_files',`
 
 
 ## 
-## Automatically use the cert_home_t label for selected resources created
-## in a users home directory
-## 
-## 
-## 
-## Domain allowed access
-## 
-## 
-## 
-## 
-## Resource type(s) for which the label should be used
-## 
-## 
-## 
-## 
-## Name of the resource that is being created
-## 
-## 
-#
-interface(`miscfiles_user_home_dir_filetrans_cert_home',`
-   gen_require(`
-   type cert_home_t;
-   ')
-
-   userdom_user_home_dir_filetrans($1, cert_home_t, $2, $3)
-')
-
-
-## 
 ## Read fonts.
 ## 
 ## 
@@ -823,8 +787,7 @@ interface(`miscfiles_read_test_files',`
 
 
 ## 
-## Create files in etc directories
-## with localization file type.
+## Execute test files.
 ## 
 ## 
 ## 
@@ -843,7 +806,8 @@ interface(`miscfiles_exec_test_files',`
 
 
 ## 
-## Execute test files.
+## Create files in etc directories
+## with localization file type.
 ## 
 ## 
 ## 

diff --git a/policy/modules/system/miscfiles.te 
b/policy/modules/system/miscfiles.te
index 246ac6a..85a29e3 100644
--- a/policy/modules/system/miscfiles.te
+++ b/policy/modules/system/miscfiles.te
@@ -14,13 +14,6 @@ type cert_t;
 miscfiles_cert_type(cert_t)
 
 #
-# cert_home_t is the type of files in the users' home directories.
-#
-type cert_home_t;
-miscfiles_cert_type(cert_home_t)
-userdom_user_home_content(cert_home_t)
-
-#
 # fonts_t is the type of various font
 # files in /usr
 #

diff --git a/policy/modules/system/userdomain.if 
b/policy/modules/system/userdomain.if
index 1572b51..d2b1df0 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -272,9 +272,6 @@ interface(`userdom_manage_home_role',`
')
 
ifdef(`distro_gentoo',`
-   miscfiles_manage_user_certs($2)
-   miscfiles_relabel_user_certs($2)
-
optional_policy(`
flash_manage_home($2)
flash_relabel_home($2)
@@ -2467,6 +2464,36 @@ interface(`userdom_manage_user_certs',`
 
 
 ## 
+## Automatically use the user_cert_t label for
+## selected resources created in a users home
+## directory
+## 
+## 
+## 
+## Domain allowed access
+## 
+## 
+## 
+## 
+## Resource type(s) for which the label should be used
+## 
+## 
+## 
+## 
+## Name of the resource that is being created
+## 
+## 
+#
+interface(`userdom_user_home_dir_filetrans_user_cert',`
+   gen_require(`
+   type user_cert_t;
+   ')
+
+   userdom_user_home_dir_filetrans($1, user_cert_t, $2, $3)
+')
+

[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/

2016-10-24 Thread Jason Zaman
commit: 9cb0a2815f7612f77003747262f8b32e52a072aa
Author: Jason Zaman  perfinion  com>
AuthorDate: Sun Oct  9 05:08:41 2016 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Oct  9 05:41:23 2016 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9cb0a281

DO NOT MERGE. sync user_cert_t cert_home_t with upstream

Need to upstream userdom_user_home_dir_filetrans_user_cert interface

 policy/modules/system/miscfiles.fc  |  2 --
 policy/modules/system/miscfiles.if  | 46 -
 policy/modules/system/miscfiles.te  |  7 --
 policy/modules/system/userdomain.if | 33 +++---
 policy/modules/system/userdomain.te |  2 +-
 5 files changed, 36 insertions(+), 54 deletions(-)

diff --git a/policy/modules/system/miscfiles.fc 
b/policy/modules/system/miscfiles.fc
index be0b6a1..42ac30b 100644
--- a/policy/modules/system/miscfiles.fc
+++ b/policy/modules/system/miscfiles.fc
@@ -103,8 +103,6 @@ ifdef(`distro_redhat',`
 /var/spool/postfix/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
 ')
 
-HOME_DIR/.pki(/.*)?gen_context(system_u:object_r:cert_home_t,s0)
-
 ifdef(`distro_gentoo',`
 /etc/fonts(/.*)?   gen_context(system_u:object_r:fonts_t,s0)
 ')

diff --git a/policy/modules/system/miscfiles.if 
b/policy/modules/system/miscfiles.if
index 63ed47f..d89c7c0 100644
--- a/policy/modules/system/miscfiles.if
+++ b/policy/modules/system/miscfiles.if
@@ -97,15 +97,8 @@ interface(`miscfiles_read_generic_certs',`
 ## 
 #
 interface(`miscfiles_manage_user_certs',`
-   gen_require(`
-   type cert_home_t;
-   ')
-
-   manage_dirs_pattern($1, cert_home_t, cert_home_t)
-   manage_files_pattern($1, cert_home_t, cert_home_t)
-   manage_lnk_files_pattern($1, cert_home_t, cert_home_t)
-
-   userdom_search_user_home_dirs($1)
+   userdom_manage_user_certs($1)
+   refpolicywarn(`$0() has been deprecated, please use 
userdom_manage_user_certs() instead.')
 ')
 
 
@@ -213,35 +206,6 @@ interface(`miscfiles_manage_cert_files',`
 
 
 ## 
-## Automatically use the cert_home_t label for selected resources created
-## in a users home directory
-## 
-## 
-## 
-## Domain allowed access
-## 
-## 
-## 
-## 
-## Resource type(s) for which the label should be used
-## 
-## 
-## 
-## 
-## Name of the resource that is being created
-## 
-## 
-#
-interface(`miscfiles_user_home_dir_filetrans_cert_home',`
-   gen_require(`
-   type cert_home_t;
-   ')
-
-   userdom_user_home_dir_filetrans($1, cert_home_t, $2, $3)
-')
-
-
-## 
 ## Read fonts.
 ## 
 ## 
@@ -823,8 +787,7 @@ interface(`miscfiles_read_test_files',`
 
 
 ## 
-## Create files in etc directories
-## with localization file type.
+## Execute test files.
 ## 
 ## 
 ## 
@@ -843,7 +806,8 @@ interface(`miscfiles_exec_test_files',`
 
 
 ## 
-## Execute test files.
+## Create files in etc directories
+## with localization file type.
 ## 
 ## 
 ## 

diff --git a/policy/modules/system/miscfiles.te 
b/policy/modules/system/miscfiles.te
index 246ac6a..85a29e3 100644
--- a/policy/modules/system/miscfiles.te
+++ b/policy/modules/system/miscfiles.te
@@ -14,13 +14,6 @@ type cert_t;
 miscfiles_cert_type(cert_t)
 
 #
-# cert_home_t is the type of files in the users' home directories.
-#
-type cert_home_t;
-miscfiles_cert_type(cert_home_t)
-userdom_user_home_content(cert_home_t)
-
-#
 # fonts_t is the type of various font
 # files in /usr
 #

diff --git a/policy/modules/system/userdomain.if 
b/policy/modules/system/userdomain.if
index bf78a2b..70d39d9 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -272,9 +272,6 @@ interface(`userdom_manage_home_role',`
')
 
ifdef(`distro_gentoo',`
-   miscfiles_manage_user_certs($2)
-   miscfiles_relabel_user_certs($2)
-
optional_policy(`
flash_manage_home($2)
flash_relabel_home($2)
@@ -2464,6 +2461,36 @@ interface(`userdom_manage_user_certs',`
 
 
 ## 
+## Automatically use the user_cert_t label for
+## selected resources created in a users home
+## directory
+## 
+## 
+## 
+## Domain allowed access
+## 
+## 
+## 
+## 
+## Resource type(s) for which the label should be used
+## 
+## 
+## 
+## 
+## Name of the resource that is being created
+## 
+## 
+#
+interface(`userdom_user_home_dir_filetrans_user_cert',`
+   gen_require(`
+   type user_cert_t;
+   ')
+
+   userdom_user_home_dir_filetrans($1, user_cert_t, $2, $3)
+')
+

[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/

2016-05-26 Thread Jason Zaman
commit: c2e01eedeb6884cfd367f4ca160c6b35cdcc3e38
Author: Jason Zaman  perfinion  com>
AuthorDate: Thu May 26 15:09:27 2016 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Thu May 26 18:44:57 2016 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c2e01eed

userdomain: filetrans interfaces for user_runtime

 policy/modules/system/userdomain.if | 99 +
 1 file changed, 99 insertions(+)

diff --git a/policy/modules/system/userdomain.if 
b/policy/modules/system/userdomain.if
index 0d6d9b1..044bf81 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -324,6 +324,7 @@ interface(`userdom_manage_tmp_role',`
manage_sock_files_pattern($2, user_tmp_t, user_tmp_t)
manage_fifo_files_pattern($2, user_tmp_t, user_tmp_t)
files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file 
fifo_file })
+   userdom_user_runtime_dir_filetrans_user_tmp($2, { dir file lnk_file 
sock_file fifo_file })
 ')
 
 ###
@@ -2753,6 +2754,104 @@ interface(`userdom_tmp_filetrans_user_tmp',`
 
 
 ## 
+## Create objects in the pid directory
+## with an automatic type transition to
+## the user runtime root type.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+## 
+## 
+## The class of the object to be created.
+## 
+## 
+## 
+## 
+## The name of the object being created.
+## 
+## 
+#
+interface(`userdom_pid_filetrans_user_runtime_root',`
+   gen_require(`
+   type user_runtime_root_t;
+   ')
+
+   files_pid_filetrans($1, user_runtime_root_t, $2, $3)
+')
+
+
+## 
+## Create objects in a user runtime
+## directory with an automatic type
+## transition to a specified private
+## type.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+## 
+## 
+## The type of the object to create.
+## 
+## 
+## 
+## 
+## The class of the object to be created.
+## 
+## 
+## 
+## 
+## The name of the object being created.
+## 
+## 
+#
+interface(`userdom_user_runtime_dir_filetrans',`
+   gen_require(`
+   type user_runtime_root_t, user_runtime_dir_t;
+   ')
+
+   filetrans_pattern($1, user_runtime_dir_t, $2, $3, $4)
+   allow $1 user_runtime_root_t:dir search_dir_perms;
+   files_search_pids($1)
+')
+
+
+## 
+## Create objects in the user runtime directory
+## with an automatic type transition to
+## the user temporary type.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+## 
+## 
+## The class of the object to be created.
+## 
+## 
+## 
+## 
+## The name of the object being created.
+## 
+## 
+#
+interface(`userdom_user_runtime_dir_filetrans_user_tmp',`
+   gen_require(`
+   type user_tmp_t;
+   ')
+
+   userdom_user_runtime_dir_filetrans($1, user_tmp_t, $2, $3)
+')
+
+
+## 
 ## Read and write user tmpfs files.
 ## 
 ## 



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/

2016-05-26 Thread Jason Zaman
commit: caeaab82769e2525cde308a0101ea6542472f209
Author: Jason Zaman  perfinion  com>
AuthorDate: Thu May 26 15:09:27 2016 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Thu May 26 16:11:13 2016 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=caeaab82

userdomain: filetrans interfaces for user_runtime

 policy/modules/system/userdomain.if | 99 +
 1 file changed, 99 insertions(+)

diff --git a/policy/modules/system/userdomain.if 
b/policy/modules/system/userdomain.if
index 0d6d9b1..90edc21 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -324,6 +324,7 @@ interface(`userdom_manage_tmp_role',`
manage_sock_files_pattern($2, user_tmp_t, user_tmp_t)
manage_fifo_files_pattern($2, user_tmp_t, user_tmp_t)
files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file 
fifo_file })
+   userdom_user_runtime_dir_filetrans_user_tmp($2, { dir file lnk_file 
sock_file fifo_file })
 ')
 
 ###
@@ -2753,6 +2754,104 @@ interface(`userdom_tmp_filetrans_user_tmp',`
 
 
 ## 
+## Create objects in the pid directory
+## with an automatic type transition to
+## the user runtime root type.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+## 
+## 
+## The class of the object to be created.
+## 
+## 
+## 
+## 
+## The name of the object being created.
+## 
+## 
+#
+interface(`userdom_pid_filetrans_user_runtime_root',`
+   gen_require(`
+   type user_runtime_root_t;
+   ')
+
+   files_pid_filetrans($1, user_runtime_root_t, $2, $3)
+')
+
+
+## 
+## Create objects in a user runtime
+## directory with an automatic type
+## transition to a specified private
+## type.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+## 
+## 
+## The type of the object to create.
+## 
+## 
+## 
+## 
+## The class of the object to be created.
+## 
+## 
+## 
+## 
+## The name of the object being created.
+## 
+## 
+#
+interface(`userdom_user_runtime_dir_filetrans',`
+   gen_require(`
+   type user_runtime_dir_t;
+   ')
+
+   filetrans_pattern($1, user_runtime_dir_t, $2, $3, $4)
+   allow $1 user_runtime_root_t:dir search_dir_perms;
+   files_search_pids($1)
+')
+
+
+## 
+## Create objects in the user runtime directory
+## with an automatic type transition to
+## the user temporary type.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+## 
+## 
+## The class of the object to be created.
+## 
+## 
+## 
+## 
+## The name of the object being created.
+## 
+## 
+#
+interface(`userdom_user_runtime_dir_filetrans_user_tmp',`
+   gen_require(`
+   type user_tmp_t;
+   ')
+
+   userdom_user_runtime_dir_filetrans($1, user_tmp_t, $2, $3)
+')
+
+
+## 
 ## Read and write user tmpfs files.
 ## 
 ## 
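Review bot: `userdom_user_runtime_dir_filetrans` references `user_runtime_root_t` in `allow $1 user_runtime_root_t:dir search_dir_perms;`, but its `gen_require` block declares only `user_runtime_dir_t`. An interface that uses a type it does not require depends on whatever the calling module happens to have in scope, and can fail to compile when called from a module that does not know the type. The require line should read `type user_runtime_root_t, user_runtime_dir_t;`. The identical hunk in commit 17881c39 further down this page has the same gap.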



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/

2016-05-26 Thread Jason Zaman
commit: e46ed57244089ec585dcce05d50ea3b708e55196
Author: Jason Zaman  perfinion  com>
AuthorDate: Thu May 12 19:12:24 2016 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Thu May 26 15:33:31 2016 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e46ed572

userdomain: user_tmp requires searching /run/user

 policy/modules/system/userdomain.if | 65 +
 1 file changed, 52 insertions(+), 13 deletions(-)

diff --git a/policy/modules/system/userdomain.if 
b/policy/modules/system/userdomain.if
index 9284808..0d6d9b1 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -339,11 +339,14 @@ interface(`userdom_manage_tmp_role',`
 #
 interface(`userdom_exec_user_tmp_files',`
gen_require(`
-   type user_tmp_t;
+   type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
')
 
exec_files_pattern($1, user_tmp_t, user_tmp_t)
files_search_tmp($1)
+   allow $1 user_runtime_dir_t:dir search_dir_perms;
+   allow $1 user_runtime_root_t:dir search_dir_perms;
+   files_search_pids($1)
 ')
 
 ###
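Review bot: The three added rules (`allow $1 user_runtime_dir_t:dir search_dir_perms;`, `allow $1 user_runtime_root_t:dir search_dir_perms;`, `files_search_pids($1)`) are pasted verbatim here and again in the following hunks for `userdom_write_user_tmp_sockets`, `userdom_read_user_tmp_files`, `userdom_rw_user_tmp_files`, `userdom_read_user_tmp_symlinks` and `userdom_manage_user_tmp_dirs`, with a `list_dir_perms` variant in `userdom_list_user_tmp`. Putting them in one small search interface called from each place would keep the /run/user traversal rule in a single spot, so a later tightening cannot miss a copy. Every caller of these interfaces now also gains search access to the per-user runtime directory, which the interface summaries should state, for example `## Also allows searching /run/user and the per-user runtime directory.`. The summaries lie outside these hunks, so whether they were updated cannot be seen here.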
@@ -2368,11 +2371,14 @@ 
interface(`userdom_user_home_dir_filetrans_user_home_content',`
 #
 interface(`userdom_write_user_tmp_sockets',`
gen_require(`
-   type user_tmp_t;
+   type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
')
 
allow $1 user_tmp_t:sock_file write_sock_file_perms;
files_search_tmp($1)
+   allow $1 user_runtime_dir_t:dir search_dir_perms;
+   allow $1 user_runtime_root_t:dir search_dir_perms;
+   files_search_pids($1)
 ')
 
 
@@ -2387,11 +2393,14 @@ interface(`userdom_write_user_tmp_sockets',`
 #
 interface(`userdom_list_user_tmp',`
gen_require(`
-   type user_tmp_t;
+   type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
')
 
allow $1 user_tmp_t:dir list_dir_perms;
+   allow $1 user_runtime_dir_t:dir list_dir_perms;
files_search_tmp($1)
+   allow $1 user_runtime_root_t:dir search_dir_perms;
+   files_search_pids($1)
 ')
 
 
@@ -2444,12 +2453,15 @@ interface(`userdom_dontaudit_manage_user_tmp_dirs',`
 #
 interface(`userdom_read_user_tmp_files',`
gen_require(`
-   type user_tmp_t;
+   type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
')
 
read_files_pattern($1, user_tmp_t, user_tmp_t)
allow $1 user_tmp_t:dir list_dir_perms;
files_search_tmp($1)
+   allow $1 user_runtime_dir_t:dir search_dir_perms;
+   allow $1 user_runtime_root_t:dir search_dir_perms;
+   files_search_pids($1)
 ')
 
 
@@ -2502,12 +2514,15 @@ interface(`userdom_dontaudit_append_user_tmp_files',`
 #
 interface(`userdom_rw_user_tmp_files',`
gen_require(`
-   type user_tmp_t;
+   type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
')
 
allow $1 user_tmp_t:dir list_dir_perms;
rw_files_pattern($1, user_tmp_t, user_tmp_t)
files_search_tmp($1)
+   allow $1 user_runtime_dir_t:dir search_dir_perms;
+   allow $1 user_runtime_root_t:dir search_dir_perms;
+   files_search_pids($1)
 ')
 
 
@@ -2541,12 +2556,15 @@ interface(`userdom_dontaudit_manage_user_tmp_files',`
 #
 interface(`userdom_read_user_tmp_symlinks',`
gen_require(`
-   type user_tmp_t;
+   type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
')
 
read_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
allow $1 user_tmp_t:dir list_dir_perms;
files_search_tmp($1)
+   allow $1 user_runtime_dir_t:dir search_dir_perms;
+   allow $1 user_runtime_root_t:dir search_dir_perms;
+   files_search_pids($1)
 ')
 
 
@@ -2562,11 +2580,14 @@ interface(`userdom_read_user_tmp_symlinks',`
 #
 interface(`userdom_manage_user_tmp_dirs',`
gen_require(`
-   type user_tmp_t;
+   type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
')
 
manage_dirs_pattern($1, user_tmp_t, user_tmp_t)
files_search_tmp($1)
+   allow $1 user_runtime_dir_t:dir search_dir_perms;
+   allow $1 user_runtime_root_t:dir search_dir_perms;
+   files_search_pids($1)
 ')
 
 
@@ -2582,11 +2603,14 @@ interface(`userdom_manage_user_tmp_dirs',`
 #
 interface(`userdom_manage_user_tmp_files',`
gen_require(`
-   type user_tmp_t;
+   type user_tmp_t, user_runtime_root_t, user_runtime_dir_t;
')
 
manage_files_pattern($1, user_tmp_t, user_tmp_t)
files_search_tmp($1)
+   allow $1 

[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/

2016-05-26 Thread Jason Zaman
commit: 17881c395704cfc066a765dccdd2f812053a795c
Author: Jason Zaman  perfinion  com>
AuthorDate: Thu May 26 15:09:27 2016 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Thu May 26 15:33:31 2016 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=17881c39

userdomain: filetrans interfaces for user_runtime

 policy/modules/system/userdomain.if | 98 +
 1 file changed, 98 insertions(+)

diff --git a/policy/modules/system/userdomain.if 
b/policy/modules/system/userdomain.if
index 0d6d9b1..4029359 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -2753,6 +2753,104 @@ interface(`userdom_tmp_filetrans_user_tmp',`
 
 
 ## 
+## Create objects in the pid directory
+## with an automatic type transition to
+## the user runtime root type.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+## 
+## 
+## The class of the object to be created.
+## 
+## 
+## 
+## 
+## The name of the object being created.
+## 
+## 
+#
+interface(`userdom_pid_filetrans_user_runtime_root',`
+   gen_require(`
+   type user_runtime_root_t;
+   ')
+
+   files_pid_filetrans($1, user_runtime_root_t, $2, $3)
+')
+
+
+## 
+## Create objects in a user runtime
+## directory with an automatic type
+## transition to a specified private
+## type.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+## 
+## 
+## The type of the object to create.
+## 
+## 
+## 
+## 
+## The class of the object to be created.
+## 
+## 
+## 
+## 
+## The name of the object being created.
+## 
+## 
+#
+interface(`userdom_user_runtime_dir_filetrans',`
+   gen_require(`
+   type user_runtime_dir_t;
+   ')
+
+   filetrans_pattern($1, user_runtime_dir_t, $2, $3, $4)
+   allow $1 user_runtime_root_t:dir search_dir_perms;
+   files_search_pids($1)
+')
+
+
+## 
+## Create objects in the user runtime directory
+## with an automatic type transition to
+## the user temporary type.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+## 
+## 
+## The class of the object to be created.
+## 
+## 
+## 
+## 
+## The name of the object being created.
+## 
+## 
+#
+interface(`userdom_user_runtime_dir_filetrans_user_tmp',`
+   gen_require(`
+   type user_tmp_t;
+   ')
+
+   userdom_user_runtime_dir_filetrans($1, user_tmp_t, $2, $3)
+')
+
+
+## 
 ## Read and write user tmpfs files.
 ## 
 ## 



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/

2016-05-26 Thread Jason Zaman
commit: c0af8525d36cdc24bd03dde87d83066657e315e2
Author: Jason Zaman  perfinion  com>
AuthorDate: Thu May 12 16:29:31 2016 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Thu May 26 15:33:31 2016 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c0af8525

userdomain: Introduce types for /run/user

These are the types for /run/user, analogous to /home's home_root_t and
home_dir_t.

 policy/modules/system/userdomain.fc |  4 
 policy/modules/system/userdomain.te | 20 
 2 files changed, 24 insertions(+)

diff --git a/policy/modules/system/userdomain.fc 
b/policy/modules/system/userdomain.fc
index db75976..30708ca 100644
--- a/policy/modules/system/userdomain.fc
+++ b/policy/modules/system/userdomain.fc
@@ -2,3 +2,7 @@ HOME_DIR-d  
gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
 HOME_DIR/.+gen_context(system_u:object_r:user_home_t,s0)
 
 /tmp/gconfd-USER -dgen_context(system_u:object_r:user_tmp_t,s0)
+
+/var/run/user  -d  
gen_context(system_u:object_r:user_runtime_root_t,s0)
+/var/run/user/%{USERID}-d  
gen_context(system_u:object_r:user_runtime_dir_t,s0)
+/var/run/user/%{USERID}/.+ <>

diff --git a/policy/modules/system/userdomain.te 
b/policy/modules/system/userdomain.te
index 2a36851..c613553 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -93,3 +93,23 @@ userdom_user_home_content(user_tmpfs_t)
 type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t 
secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t };
 dev_node(user_tty_device_t)
 ubac_constrained(user_tty_device_t)
+
+type user_runtime_root_t;
+fs_associate_tmpfs(user_runtime_root_t)
+files_type(user_runtime_root_t)
+files_mountpoint(user_runtime_root_t)
+files_associate_tmp(user_runtime_root_t)
+files_poly(user_runtime_root_t)
+files_poly_member(user_runtime_root_t)
+files_poly_parent(user_runtime_root_t)
+ubac_constrained(user_runtime_root_t)
+
+type user_runtime_dir_t;
+fs_associate_tmpfs(user_runtime_dir_t)
+files_type(user_runtime_dir_t)
+files_mountpoint(user_runtime_dir_t)
+files_associate_tmp(user_runtime_dir_t)
+files_poly(user_runtime_dir_t)
+files_poly_member(user_runtime_dir_t)
+files_poly_parent(user_runtime_dir_t)
+ubac_constrained(user_runtime_dir_t)
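Review bot: `user_runtime_root_t` is given exactly the same macro set as `user_runtime_dir_t`, including `files_poly_member(...)` and `ubac_constrained(...)`, with no comment saying why the shared parent needs them. The commit message describes the pair as analogous to home_root_t and home_dir_t, and /var/run/user is common to all users, so the root type probably needs less than the per-user type. Granting only what each type requires keeps the policy easier to audit. At minimum each block should carry a comment, for example `# /run/user: parent of the per-user runtime directories` and `# /run/user/UID: per-user runtime directory`.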



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/, policy/modules/kernel/

2015-12-17 Thread Jason Zaman
commit: 05e541d9d101d8d8f38b94bfd6f80e62da38cb92
Author: Jason Zaman  perfinion  com>
AuthorDate: Thu Dec 17 18:38:24 2015 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Thu Dec 17 18:51:56 2015 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=05e541d9

Add permissions for ZFS

zfs list uses a pipe to get info from the kernel

avc:  granted  { write } for  pid=31602 comm="dump_list_strat" 
path="pipe:[4471132]" dev="pipefs" ino=4471132 
scontext=system_u:system_r:kernel_t:s0 
tcontext=staff_u:sysadm_r:mount_t:s0-s0:c0.c511 tclass=fifo_file
avc:  granted  { read } for pid=31601 comm="zfs" path="pipe:[4471132]" 
dev="pipefs" ino=4471132 scontext=staff_u:sysadm_r:mount_t:s0-s0:c0.c511 
tcontext=staff_u:sysadm_r:mount_t:s0-s0:c0.c511 tclass=fifo_file

zfs send / recv is usually piped somewhere by sysadm
zfs send tank@snap | ssh foo tank@snap

 policy/modules/kernel/kernel.te | 5 +
 policy/modules/system/mount.te  | 3 +++
 2 files changed, 8 insertions(+)

diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 4ac22e0..f964a7b 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -461,4 +461,9 @@ ifdef(`distro_gentoo',`
# See also bug 535992
#dev_manage_all_dev_nodes(kernel_t)
dev_setattr_generic_chr_files(kernel_t)
+
+   # ZFS send/recv writes to an fd
+   sysadm_use_fds(kernel_t)
+   # zfs list writes to a pipe
+   mount_rw_pipes(kernel_t)
 ')
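Review bot: `sysadm_use_fds(kernel_t)` and `mount_rw_pipes(kernel_t)` are called unguarded from kernel.te, so the kernel module would presumably stop building or loading when the sysadm or mount module is not part of the policy. Each call into another module should sit in its own `optional_policy` block, so that either one can drop out independently. The same unguarded calls appear in commit 41757a46 on this page. Separately, the AVC lines in the description cover only the fifo_file accesses, and the `sysadm_use_fds` grant rests on the one-line comment alone; quoting the matching denial in the commit message would help a later audit.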

diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index 497fa59..920abc7 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -42,6 +42,9 @@ application_domain(unconfined_mount_t, mount_exec_t)
 
 # setuid/setgid needed to mount cifs
 allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override 
chown sys_tty_config setuid setgid };
+allow mount_t self:process signal;
+# zfs list uses pipes
+allow mount_t self:fifo_file rw_fifo_file_perms;
 
 mount_read_loopback_files(mount_t)
 
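Review bot: `allow mount_t self:process signal;` is added without a comment, and the commit description only explains the pipe access. The `fifo_file` rule next to it is annotated (`# zfs list uses pipes`), so this rule should say which operation needs it, for example `# <zfs operation, to be filled in> signals its own processes`. An unexplained permission is hard to remove safely later. The same hunk appears in commits 41757a46 and 32b74e9b on this page.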



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/

2015-12-17 Thread Jason Zaman
commit: 77e1231041b150b0180a556504e30cbdcd8fdfb7
Author: Jason Zaman  perfinion  com>
AuthorDate: Thu Dec 17 18:15:37 2015 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Thu Dec 17 18:51:56 2015 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=77e12310

introduce mount_rw_pipes interface

 policy/modules/system/mount.if | 20 
 1 file changed, 20 insertions(+)

diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
index 8a2105b..279f6d7 100644
--- a/policy/modules/system/mount.if
+++ b/policy/modules/system/mount.if
@@ -209,3 +209,23 @@ interface(`mount_rw_loopback_files',`
 
allow $1 mount_loopback_t:file rw_file_perms;
 ')
+
+# gentoo specific under here
+
+
+## 
+## Read and write mount unnamed pipes
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`mount_rw_pipes',`
+   gen_require(`
+   type mount_t;
+   ')
+
+   allow $1 mount_t:fifo_file rw_fifo_file_perms;
+')



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/

2015-12-17 Thread Jason Zaman
commit: 8e6b99973ad02847bd3c1c6176c2d6b8dc0be32c
Author: Jason Zaman  perfinion  com>
AuthorDate: Thu Dec 17 18:15:37 2015 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Thu Dec 17 18:46:19 2015 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8e6b9997

introduce mount_rw_pipes interface

 policy/modules/system/mount.if | 20 
 1 file changed, 20 insertions(+)

diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
index 8a2105b..279f6d7 100644
--- a/policy/modules/system/mount.if
+++ b/policy/modules/system/mount.if
@@ -209,3 +209,23 @@ interface(`mount_rw_loopback_files',`
 
allow $1 mount_loopback_t:file rw_file_perms;
 ')
+
+# gentoo specific under here
+
+
+## 
+## Read and write mount unnamed pipes
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`mount_rw_pipes',`
+   gen_require(`
+   type mount_t;
+   ')
+
+   allow $1 mount_t:fifo_file rw_fifo_file_perms;
+')



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/, policy/modules/kernel/

2015-12-17 Thread Jason Zaman
commit: 41757a4654c651d5c9533d165d58a3487c75b4c7
Author: Jason Zaman  perfinion  com>
AuthorDate: Thu Dec 17 18:38:24 2015 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Thu Dec 17 18:46:19 2015 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=41757a46

Add permissions for ZFS

zfs list uses a pipe to get info from the kernel

avc:  granted  { write } for  pid=31602 comm="dump_list_strat" 
path="pipe:[4471132]" dev="pipefs" ino=4471132 
scontext=system_u:system_r:kernel_t:s0 
tcontext=staff_u:sysadm_r:mount_t:s0-s0:c0.c511 tclass=fifo_file
avc:  granted  { read } for pid=31601 comm="zfs" path="pipe:[4471132]" 
dev="pipefs" ino=4471132 scontext=staff_u:sysadm_r:mount_t:s0-s0:c0.c511 
tcontext=staff_u:sysadm_r:mount_t:s0-s0:c0.c511 tclass=fifo_file

zfs send / recv is usually piped somewhere by sysadm
zfs send tank@snap | ssh foo tank@snap

 policy/modules/kernel/kernel.te | 5 +
 policy/modules/system/mount.te  | 3 +++
 2 files changed, 8 insertions(+)

diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 4ac22e0..f964a7b 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -461,4 +461,9 @@ ifdef(`distro_gentoo',`
# See also bug 535992
#dev_manage_all_dev_nodes(kernel_t)
dev_setattr_generic_chr_files(kernel_t)
+
+   # ZFS send/recv writes to an fd
+   sysadm_use_fds(kernel_t)
+   # zfs list writes to a pipe
+   mount_rw_pipes(kernel_t)
 ')

diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index 497fa59..920abc7 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -42,6 +42,9 @@ application_domain(unconfined_mount_t, mount_exec_t)
 
 # setuid/setgid needed to mount cifs
 allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override 
chown sys_tty_config setuid setgid };
+allow mount_t self:process signal;
+# zfs list uses pipes
+allow mount_t self:fifo_file rw_fifo_file_perms;
 
 mount_read_loopback_files(mount_t)
 



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/, policy/modules/kernel/

2015-12-17 Thread Jason Zaman
commit: 32b74e9b8029ee9d345c560dd7e59964fd829f62
Author: Jason Zaman  perfinion  com>
AuthorDate: Thu Dec 17 18:38:24 2015 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Fri Dec 18 03:32:59 2015 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=32b74e9b

Add permissions for ZFS

zfs list uses a pipe to get info from the kernel

avc:  granted  { write } for  pid=31602 comm="dump_list_strat" 
path="pipe:[4471132]" dev="pipefs" ino=4471132 
scontext=system_u:system_r:kernel_t:s0 
tcontext=staff_u:sysadm_r:mount_t:s0-s0:c0.c511 tclass=fifo_file
avc:  granted  { read } for pid=31601 comm="zfs" path="pipe:[4471132]" 
dev="pipefs" ino=4471132 scontext=staff_u:sysadm_r:mount_t:s0-s0:c0.c511 
tcontext=staff_u:sysadm_r:mount_t:s0-s0:c0.c511 tclass=fifo_file

zfs send / recv is usually piped somewhere by sysadm
zfs send tank@snap | ssh foo tank@snap

 policy/modules/kernel/kernel.te | 9 +
 policy/modules/system/mount.te  | 3 +++
 2 files changed, 12 insertions(+)

diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 4ac22e0..f1016a3 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -461,4 +461,13 @@ ifdef(`distro_gentoo',`
# See also bug 535992
#dev_manage_all_dev_nodes(kernel_t)
dev_setattr_generic_chr_files(kernel_t)
+
+   # ZFS send/recv writes to an fd
+   optional_policy(`
+   sysadm_use_fds(kernel_t)
+   ')
+   # zfs list writes to a pipe
+   optional_policy(`
+   mount_rw_pipes(kernel_t)
+   ')
 ')

diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index 497fa59..920abc7 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -42,6 +42,9 @@ application_domain(unconfined_mount_t, mount_exec_t)
 
 # setuid/setgid needed to mount cifs
 allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override 
chown sys_tty_config setuid setgid };
+allow mount_t self:process signal;
+# zfs list uses pipes
+allow mount_t self:fifo_file rw_fifo_file_perms;
 
 mount_read_loopback_files(mount_t)
 



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/

2015-12-17 Thread Jason Zaman
commit: 0460b12a0cbc61b25ebcbf20f283534cc49b98f5
Author: Jason Zaman  perfinion  com>
AuthorDate: Thu Dec 17 18:15:37 2015 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Fri Dec 18 04:12:29 2015 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0460b12a

Introduce mount_rw_pipes interface

 policy/modules/system/mount.if | 20 
 1 file changed, 20 insertions(+)

diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
index 8a2105b..279f6d7 100644
--- a/policy/modules/system/mount.if
+++ b/policy/modules/system/mount.if
@@ -209,3 +209,23 @@ interface(`mount_rw_loopback_files',`
 
allow $1 mount_loopback_t:file rw_file_perms;
 ')
+
+# gentoo specific under here
+
+
+## 
+## Read and write mount unnamed pipes
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`mount_rw_pipes',`
+   gen_require(`
+   type mount_t;
+   ')
+
+   allow $1 mount_t:fifo_file rw_fifo_file_perms;
+')



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/, policy/modules/kernel/

2015-10-25 Thread Jason Zaman
commit: bac1f46765f49a73cdfb5a482f45f3a83487ee06
Author: Chris PeBenito  tresys  com>
AuthorDate: Tue Oct 20 17:23:35 2015 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Mon Oct 26 03:55:45 2015 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=bac1f467

Add sysfs_types attribute.

Collect all types used to label sysfs entries.

 policy/modules/kernel/devices.if | 20 
 policy/modules/kernel/devices.te |  5 +++--
 policy/modules/system/init.te|  1 +
 3 files changed, 24 insertions(+), 2 deletions(-)

diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index a052db5..591b932 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -4130,6 +4130,26 @@ interface(`dev_rw_sysfs',`
 
 
 ## 
+## Relabel from/to all sysfs types.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`dev_relabel_all_sysfs',`
+   gen_require(`
+   attribute sysfs_types;
+   ')
+
+   allow $1 sysfs_types:dir { list_dir_perms relabel_dir_perms };
+   allow $1 sysfs_types:file relabel_file_perms;
+   allow $1 sysfs_types:lnk_file relabel_lnk_file_perms;
+')
+
+
+## 
 ## Read and write the TPM device.
 ## 
 ## 

diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index e5bcfcd..9274a82 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -9,6 +9,7 @@ attribute device_node;
 attribute memory_raw_read;
 attribute memory_raw_write;
 attribute devices_unconfined_type;
+attribute sysfs_types;
 
 #
 # device_t is the type of /dev.
@@ -62,7 +63,7 @@ dev_node(cpu_device_t)
 #
 # /sys/devices/system/cpu/online device
 #
-type cpu_online_t;
+type cpu_online_t, sysfs_types;
 files_type(cpu_online_t)
 dev_associate_sysfs(cpu_online_t)
 
@@ -229,7 +230,7 @@ dev_node(sound_device_t)
 #
 # sysfs_t is the type for the /sys pseudofs
 #
-type sysfs_t;
+type sysfs_t, sysfs_types;
 files_mountpoint(sysfs_t)
 fs_xattr_type(sysfs_t)
 genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0)
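Review bot: Membership in `sysfs_types` is added by hand on each declaration (`type sysfs_t, sysfs_types;` here and `type cpu_online_t, sysfs_types;` in the previous hunk). Any sysfs-labelling type declared elsewhere and not updated is therefore silently left out of `dev_relabel_all_sysfs`. Since `cpu_online_t` already goes through `dev_associate_sysfs(...)`, assigning the attribute inside that interface (its body is not shown here) would make the set complete by construction. If the manual form is kept, a comment at the attribute declaration such as `# every type used to label sysfs entries must carry sysfs_types` documents the rule.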

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 79400f2..8c9cffa 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -224,6 +224,7 @@ ifdef(`init_systemd',`
dev_create_generic_dirs(init_t)
dev_manage_input_dev(init_t)
dev_relabel_all_dev_nodes(init_t)
+   dev_relabel_all_sysfs(init_t)
dev_read_urand(init_t)
dev_write_kmsg(init_t)
 



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/

2015-10-25 Thread Jason Zaman
commit: a51ba0a947d3824df1342367d7fd6fd955e6410b
Author: Jason Zaman  perfinion  com>
AuthorDate: Mon Oct 26 04:27:25 2015 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Mon Oct 26 04:27:25 2015 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a51ba0a9

system/logging: Remove duplicate filetrans on cron.log

policy/modules/system/logging.te:534:ERROR 'duplicate filename
transition for: filename_trans cron.log syslogd_t var_log_t:file' at
type_transition syslogd_t var_log_t:file cron_log_t "cron.log";

The cron type is gentoo only so make the logging one ifndef

 policy/modules/system/logging.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 902ff63..d0c4d31 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -533,7 +533,9 @@ optional_policy(`
 
 optional_policy(`
cron_manage_log_files(syslogd_t)
+   ifndef(`distro_gentoo',`
cron_generic_log_filetrans_log(syslogd_t, file, "cron.log")
+   ')
 ')
 
 optional_policy(`
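Review bot: The new `ifndef` on distro_gentoo around `cron_generic_log_filetrans_log(syslogd_t, file, "cron.log")` has no comment in the policy file, so the reason for it lives only in the commit message. A line above it such as `# avoids a duplicate "cron.log" filename transition on Gentoo` would stop the guard from being removed as apparent dead code. Commit 2b1fd1cb on this page adds the same uncommented guard around the three `inn_generic_log_filetrans_innd_log` calls.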



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/

2015-10-25 Thread Jason Zaman
commit: 360b075cbb2c37b12a039e12d4ac0f6d68c2e0f8
Author: Chris PeBenito  tresys  com>
AuthorDate: Tue Oct 20 17:25:57 2015 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Mon Oct 26 03:55:52 2015 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=360b075c

Add refpolicy core socket-activated services.

 policy/modules/system/logging.te | 1 +
 policy/modules/system/lvm.te | 1 +
 policy/modules/system/udev.te| 1 +
 3 files changed, 3 insertions(+)

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index fd941ab..ef56179 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -67,6 +67,7 @@ files_config_file(syslog_conf_t)
 type syslogd_t;
 type syslogd_exec_t;
 init_daemon_domain(syslogd_t, syslogd_exec_t)
+init_named_socket_activation(syslogd_t, syslogd_var_run_t)
 
 type syslogd_initrc_exec_t;
 init_script_file(syslogd_initrc_exec_t)

diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index 61bd92b..d15ea3c 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -18,6 +18,7 @@ files_pid_file(clvmd_var_run_t)
 type lvm_t;
 type lvm_exec_t;
 init_system_domain(lvm_t, lvm_exec_t)
+init_named_socket_activation(lvm_t, lvm_var_run_t)
 # needs privowner because it assigns the identity system_u to device nodes
 # but runs as the identity of the sysadmin
 domain_obj_id_change_exemption(lvm_t)

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 40868ad..c9091f3 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -13,6 +13,7 @@ domain_obj_id_change_exemption(udev_t)
 domain_entry_file(udev_t, udev_helper_exec_t)
 domain_interactive_fd(udev_t)
 init_daemon_domain(udev_t, udev_exec_t)
+init_named_socket_activation(udev_t, udev_var_run_t)
 
 type udev_etc_t alias etc_udev_t;
 files_config_file(udev_etc_t)



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/

2015-10-25 Thread Jason Zaman
commit: 2b1fd1cb76055efbf37feb023a65831b79932f2b
Author: Jason Zaman  perfinion  com>
AuthorDate: Mon Oct 26 04:59:35 2015 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Mon Oct 26 04:59:35 2015 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2b1fd1cb

system/logging: Remove duplicate filetrans on news logs

policy/modules/system/logging.te:541:ERROR 'duplicate filename transition for:
filename_trans news.crit syslogd_t var_log_t:file'
type_transition syslogd_t var_log_t:file innd_log_t "news.crit";

The news type is gentoo only so make the logging one ifndef

 policy/modules/system/logging.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index d0c4d31..52c86e5 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -540,9 +540,11 @@ optional_policy(`
 
 optional_policy(`
inn_manage_log(syslogd_t)
+   ifndef(`distro_gentoo',`
inn_generic_log_filetrans_innd_log(syslogd_t, file, "news.crit")
inn_generic_log_filetrans_innd_log(syslogd_t, file, "news.err")
inn_generic_log_filetrans_innd_log(syslogd_t, file, "news.notice")
+   ')
 ')
 
 optional_policy(`



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/

2015-10-14 Thread Jason Zaman
commit: 978ce09db2ebb2af831a04aae9e973d2706a25dd
Author: Jason Zaman  perfinion  com>
AuthorDate: Wed Oct 14 18:34:53 2015 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Wed Oct 14 18:34:53 2015 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=978ce09d

ipsec: Allow ipsec to run resolvconf

 policy/modules/system/ipsec.te | 9 +
 1 file changed, 9 insertions(+)

diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index 02fad03..3dd5c8b 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -514,4 +514,13 @@ ifdef(`distro_gentoo',`
#
 
domain_use_interactive_fds(setkey_t)
+
+   
+   #
+   # ipsec_mgmt Local policy
+   #
+
+   optional_policy(`
+   resolvconf_client_domain(ipsec_mgmt_t)
+   ')
 ')



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/

2015-10-11 Thread Jason Zaman
commit: 84d4e9d4f9c40980dd9f8c7a57c556d807990c26
Author: Jason Zaman  perfinion  com>
AuthorDate: Sun Oct 11 08:40:25 2015 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Oct 11 08:40:25 2015 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=84d4e9d4

system/ipsec: Add policy for StrongSwan

Adds an ipsec_supervisor_t domain for StrongSwan's starter.
Thanks to Matthias Dahl for most of the work regarding this.

 policy/modules/system/ipsec.fc | 17 
 policy/modules/system/ipsec.te | 61 +++---
 2 files changed, 75 insertions(+), 3 deletions(-)

diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
index 0f1e351..d42b08e 100644
--- a/policy/modules/system/ipsec.fc
+++ b/policy/modules/system/ipsec.fc
@@ -10,6 +10,14 @@
 
 /etc/ipsec\.d(/.*)?
gen_context(system_u:object_r:ipsec_key_file_t,s0)
 
+/etc/strongswan\.conf  --  
gen_context(system_u:object_r:ipsec_conf_file_t,s0)
+
+/etc/strongswan\.d(/.*)?   
gen_context(system_u:object_r:ipsec_conf_file_t,s0)
+
+/etc/swanctl/(.*)? 
gen_context(system_u:object_r:ipsec_key_file_t,s0)
+/etc/swanctl   -d  
gen_context(system_u:object_r:ipsec_conf_file_t,s0)
+/etc/swanctl/swanctl.conf  --  
gen_context(system_u:object_r:ipsec_conf_file_t,s0)
+
 /sbin/setkey   --  
gen_context(system_u:object_r:setkey_exec_t,s0)
 
 /usr/lib/ipsec/_plutoload  --  
gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
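Review bot: The dot in `/etc/swanctl/swanctl.conf` is not escaped, unlike `/etc/strongswan\.conf` and `/etc/strongswan\.d(/.*)?` added just above it. File-context paths are regular expressions, so the bare `.` matches any character; the entry should read `/etc/swanctl/swanctl\.conf`. Precision matters here because the neighbouring `/etc/swanctl/(.*)?` rule labels everything else in that directory `ipsec_key_file_t`. A loose pattern would give an unintended file the configuration label instead, which is presumably readable by more domains.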
@@ -19,17 +27,25 @@
 /usr/lib/ipsec/pluto   --  
gen_context(system_u:object_r:ipsec_exec_t,s0)
 /usr/lib/ipsec/spi --  
gen_context(system_u:object_r:ipsec_exec_t,s0)
 
+/usr/libexec/ipsec/_copyright  --  
gen_context(system_u:object_r:ipsec_exec_t,s0)
 /usr/libexec/ipsec/_plutoload  --  
gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
 /usr/libexec/ipsec/_plutorun   --  
gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
+/usr/libexec/ipsec/_updown --  
gen_context(system_u:object_r:ipsec_exec_t,s0)
+/usr/libexec/ipsec/charon  --  
gen_context(system_u:object_r:ipsec_exec_t,s0)
 /usr/libexec/ipsec/eroute  --  
gen_context(system_u:object_r:ipsec_exec_t,s0)
 /usr/libexec/ipsec/klipsdebug  --  
gen_context(system_u:object_r:ipsec_exec_t,s0)
+/usr/libexec/ipsec/lookip  --  
gen_context(system_u:object_r:ipsec_exec_t,s0)
 /usr/libexec/ipsec/pluto   --  
gen_context(system_u:object_r:ipsec_exec_t,s0)
+/usr/libexec/ipsec/scepclient  --  
gen_context(system_u:object_r:ipsec_exec_t,s0)
 /usr/libexec/ipsec/spi --  
gen_context(system_u:object_r:ipsec_exec_t,s0)
+/usr/libexec/ipsec/starter --  
gen_context(system_u:object_r:ipsec_supervisor_exec_t,s0)
+/usr/libexec/ipsec/stroke  --  
gen_context(system_u:object_r:ipsec_exec_t,s0)
 /usr/libexec/nm-openswan-service --
gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
 
 /usr/sbin/ipsec--  
gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
 /usr/sbin/racoon   --  
gen_context(system_u:object_r:racoon_exec_t,s0)
 /usr/sbin/setkey   --  
gen_context(system_u:object_r:setkey_exec_t,s0)
+/usr/sbin/swanctl  --  
gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
 
 /var/lib/racoon(/.*)?  
gen_context(system_u:object_r:ipsec_var_run_t,s0)
 
@@ -39,5 +55,6 @@
 
 /var/racoon(/.*)?  
gen_context(system_u:object_r:ipsec_var_run_t,s0)
 
+/var/run/charon\.(.*)? --  
gen_context(system_u:object_r:ipsec_var_run_t,s0)
 /var/run/pluto(/.*)?   
gen_context(system_u:object_r:ipsec_var_run_t,s0)
 /var/run/racoon\.pid   --  
gen_context(system_u:object_r:ipsec_var_run_t,s0)

diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index 3734bd4..2d8b686 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -67,19 +67,25 @@ type setkey_exec_t;
 init_system_domain(setkey_t, setkey_exec_t)
 role system_r types setkey_t;
 
+type ipsec_supervisor_t;
+type ipsec_supervisor_exec_t;
+init_daemon_domain(ipsec_supervisor_t, ipsec_supervisor_exec_t);
+role system_r types ipsec_supervisor_t;
+
 
 #
 # ipsec Local policy
 #
 
-allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap 
sys_nice };
+allow ipsec_t self:capability { chown dac_override dac_read_search setgid 
setuid setpcap net_admin sys_nice };
 dontaudit ipsec_t self:capability { sys_ptrace sys_tty_config };
 allow ipsec_t self:process { getcap setcap getsched signal setsched };
 allow ipsec_t self:tcp_socket create_stream_socket_perms;
 allow ipsec_t self:udp_socket create_socket_perms;
 allow ipsec_t self:key_socket create_socket_perms;
-allow ipsec_t self:fifo_file 

[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/, policy/modules/services/, policy/modules/roles/, ...

2015-08-27 Thread Jason Zaman
commit: bd8629a0cd85a8b4cb40f463b4e8d28c54ab4d26
Author: Jason Zaman jason AT perfinion DOT com
AuthorDate: Wed Aug 26 06:21:08 2015 +
Commit: Jason Zaman perfinion AT gentoo DOT org
CommitDate: Thu Aug 27 17:59:35 2015 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=bd8629a0

Add cgmanager client domains

 policy/modules/contrib/consolekit.te |  4 
 policy/modules/roles/sysadm.te   |  4 
 policy/modules/services/xserver.te   |  9 +
 policy/modules/system/locallogin.te  | 14 +-
 4 files changed, 26 insertions(+), 5 deletions(-)

diff --git a/policy/modules/contrib/consolekit.te 
b/policy/modules/contrib/consolekit.te
index 1adb72e..cd02890 100644
--- a/policy/modules/contrib/consolekit.te
+++ b/policy/modules/contrib/consolekit.te
@@ -161,4 +161,8 @@ ifdef(`distro_gentoo',`
optional_policy(`
devicekit_manage_log_files(consolekit_t)
')
+
+   optional_policy(`
+   cgmanager_stream_connect(consolekit_t)
+   ')
 ')
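Review bot: The new `cgmanager_stream_connect(consolekit_t)` grant has no comment saying why this domain needs to reach the cgmanager socket, and the same holds for the matching additions in the sysadm.te, xserver.te and locallogin.te hunks of this commit. The sysadm.te hunk shows the local convention on its neighbouring block (`# Bug 529208` above `dmesg_run`). A one-line comment such as `# cgmanager client: <reason or bug reference>` above each call would let a later audit tell which grants are still needed. The enclosing distro_gentoo block starts outside the hunk.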

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index e479d77..40420c7 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -1281,6 +1281,10 @@ ifdef(`distro_gentoo',`
')
 
optional_policy(`
+   cgmanager_stream_connect(sysadm_t)
+   ')
+
+   optional_policy(`
# Bug 529208
dmesg_run(sysadm_t, sysadm_r)
')

diff --git a/policy/modules/services/xserver.te 
b/policy/modules/services/xserver.te
index ecc5587..82b9501 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -1027,4 +1027,13 @@ ifdef(`distro_gentoo',`
xdg_data_home_filetrans(xserver_t, xserver_xdg_data_home_t, dir)
 
userdom_read_user_tmp_files(xserver_t)
+
+   
+   #
+   # xdm_t policy
+   #
+
+   optional_policy(`
+   cgmanager_stream_connect(xdm_t)
+   ')
 ')

diff --git a/policy/modules/system/locallogin.te 
b/policy/modules/system/locallogin.te
index d8b56c8..5281665 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -267,9 +267,13 @@ optional_policy(`
 
 ifdef(`distro_gentoo',`
 
-# Enable polyinstantiation of directories
-tunable_policy(`allow_polyinstantiation',`
-   # Execute /etc/security/namespace.init
-   corecmd_exec_bin(local_login_t)
-')
+   # Enable polyinstantiation of directories
+   tunable_policy(`allow_polyinstantiation',`
+   # Execute /etc/security/namespace.init
+   corecmd_exec_bin(local_login_t)
+   ')
+
+   optional_policy(`
+   cgmanager_stream_connect(local_login_t)
+   ')
 ')
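Review bot: The re-indentation of the existing polyinstantiation block is mixed into the same hunk as the new `cgmanager_stream_connect(local_login_t)` grant, so five of the nine added lines are whitespace-only. That makes the one functional change easy to miss when auditing the policy history. Moving the whitespace change into its own commit would leave this hunk showing only the added `optional_policy` block.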



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/

2015-07-11 Thread Jason Zaman
commit: 76b213703ff1b7bbcbfb0876388c764918290070
Author: Sven Vermeulen sven.vermeulen AT siphos DOT be
AuthorDate: Sat Jul 11 13:36:30 2015 +
Commit: Jason Zaman perfinion AT gentoo DOT org
CommitDate: Sat Jul 11 13:36:30 2015 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=76b21370

Allow run_init_t to read all named init scripts

When OpenRC wants to execute a labeled init script, it fails if this is
a symlink:

~$ sudo /etc/init.d/ceph-mon.0 start
openrc-run should not be run directly

The denial shows that a read on the symlink is denied:

type=AVC msg=audit(1436621093.701:1165): avc:  denied  { read } for
pid=30786 comm=openrc name=ceph-mon.0 dev=vda3 ino=1966780
scontext=staff_u:staff_r:run_init_t:s0
tcontext=system_u:object_r:ceph_initrc_exec_t:s0 tclass=lnk_file
permissive=0

After granting this, the behavior is as expected:

~$ sudo /etc/init.d/ceph-mon.0 start
* Starting Ceph mon.0 ...   [ ok ]

X-Gentoo-Bug: 554514
X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=554514

 policy/modules/system/init.if| 5 +
 policy/modules/system/selinuxutil.te | 2 ++
 2 files changed, 7 insertions(+)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index ed65609..211d434 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1195,6 +1195,11 @@ interface(`init_read_all_script_files',`
 
files_search_etc($1)
allow $1 init_script_file_type:file read_file_perms;
+
+   ifdef(`distro_gentoo',`
+   # Bug 554514
+   allow $1 init_script_file_type:lnk_file read_lnk_file_perms;
+   ')
 ')
 
 ###
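Review bot: The symlink read is added inside the shared interface `init_read_all_script_files`, so on Gentoo every domain that calls it gains `read_lnk_file_perms` on all `init_script_file_type` symlinks, not only `run_init_t` as the commit title says. If only run_init needs it, a separate interface holding just the `lnk_file` rule, called from selinuxutil.te, would leave existing callers unchanged. If the wider grant is intended, the interface summary (outside this hunk) should mention symbolic links as well as files.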

diff --git a/policy/modules/system/selinuxutil.te 
b/policy/modules/system/selinuxutil.te
index 51c64be..d25a0fd 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -418,6 +418,8 @@ userdom_use_user_terminals(run_init_t)
 ifndef(`direct_sysadm_daemon',`
ifdef(`distro_gentoo',`
# Gentoo integrated run_init:
+   # Bug 554514
+   init_read_all_script_files(run_init_t)  
init_script_file_entry_type(run_init_t)
 
init_exec_rc(run_init_t)
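Review bot: The denial quoted in the commit message is only `{ read }` on a `lnk_file`, but `init_read_all_script_files(run_init_t)` also gives `run_init_t` `read_file_perms` on every `init_script_file_type` file, as the context line in the init.if hunk shows. Whether run_init_t already had that file access is not visible here; if it did not, the commit message should say the file read is intended too. The added call line also ends in trailing whitespace.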



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/

2015-03-24 Thread Jason Zaman
commit: da18ddd7ef66f60538a69f41d1c4ff3a7970c071
Author: Jason Zaman jason AT perfinion DOT com
AuthorDate: Tue Mar 24 07:27:56 2015 +
Commit: Jason Zaman perfinion AT gentoo DOT org
CommitDate: Tue Mar 24 07:27:56 2015 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=da18ddd7

init: add /lib64/rc/cache as an init state dir

 policy/modules/system/init.fc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
index b4391ce..02ec851 100644
--- a/policy/modules/system/init.fc
+++ b/policy/modules/system/init.fc
@@ -87,6 +87,7 @@ ifdef(`distro_gentoo',`
 # /lib
 #
 /lib/rc/console(/.*)?  gen_context(system_u:object_r:initrc_state_t,s0)
+/lib/rc/cache(/.*)?gen_context(system_u:object_r:initrc_state_t,s0)
 
 #
 # /sbin
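Review bot: The commit title names `/lib64/rc/cache`, but the added pattern is `/lib/rc/cache(/.*)?`, so labelling of the `/lib64` path presumably relies on a path substitution defined outside this file. A comment above the entry, for example `# also covers /lib64/rc/cache via the lib64 path substitution`, would make that dependency explicit. If no such substitution applies on the target system, the directory named in the title is not labelled by this rule.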



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/

2015-02-09 Thread Jason Zaman
commit: 1d291587f6308317bfd3a37227a00d68092e9c40
Author: Jason Zaman jason AT perfinion DOT com
AuthorDate: Mon Feb  9 08:40:08 2015 +
Commit: Jason Zaman perfinion AT gentoo DOT org
CommitDate: Mon Feb  9 09:52:54 2015 +
URL:
http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=1d291587

Revert Reshuffle and update with upstream

This reverts commit fe62598f2fb87fe0dfca34f82311ffd29df37795.

The domtrans pattern part broke openrc without run_init:
that part relies on being in the run_init domain and then
doing the transition. This was transitioning directly into
initrc_t, but that does not work when in sysadm_r.

---
 policy/modules/system/init.if | 82 +++
 1 file changed, 36 insertions(+), 46 deletions(-)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 4d923d6..7cdf3a8 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -150,6 +150,39 @@ interface(`init_ranged_domain',`
 
 
 ## summary
+## Mark the file type as a daemon pid file, allowing initrc_t
+## to create it
+## /summary
+## param name=filetype
+## summary
+## Type to mark as a daemon pid file
+## /summary
+## /param
+## param name=class
+## summary
+## Class on which the type is applied
+## /summary
+## /param
+## param name=filename
+## summary
+## Filename of the file that the init script creates
+## /summary
+## /param
+#
+interface(`init_daemon_pid_file',`
+   gen_require(`
+   attribute daemonpidfile;
+   type initrc_t;
+   ')
+
+   typeattribute $1 daemonpidfile;
+
+   files_pid_file($1)
+   files_pid_filetrans(initrc_t, $1, $2, $3)
+')
+
+
+## summary
 ## Create a domain for long running processes
 ## (daemons/services) which are started by init scripts.
 ## /summary
@@ -388,50 +421,16 @@ interface(`init_ranged_system_domain',`
 
 
 ## summary
-## Mark the file type as a daemon pid file, allowing initrc_t
-## to create it
+## Mark the type as a daemon run dir
 ## /summary
-## param name=filetype
-## summary
-## Type to mark as a daemon pid file
-## /summary
-## /param
-## param name=class
-## summary
-## Class on which the type is applied
-## /summary
-## /param
-## param name=filename
-## summary
-## Filename of the file that the init script creates
-## /summary
-## /param
-#
-interface(`init_daemon_pid_file',`
-   gen_require(`
-   attribute daemonpidfile;
-   type initrc_t;
-   ')
-
-   typeattribute $1 daemonpidfile;
-
-   files_pid_file($1)
-   files_pid_filetrans(initrc_t, $1, $2, $3)
-')
-
-
-## summary
-## Mark the file type as a daemon run dir, allowing initrc_t
-## to create it
-## /summary
-## param name=filetype
+## param name=rundirtype
 ## summary
 ## Type to mark as a daemon run dir
 ## /summary
 ## /param
 ## param name=filename
 ## summary
-## Filename of the directory that the init script creates
+## Name of the run dir directory
 ## /summary
 ## /param
 #
@@ -844,14 +843,6 @@ interface(`init_spec_domtrans_script',`
files_list_etc($1)
spec_domtrans_pattern($1, initrc_exec_t, initrc_t)
 
-   ifdef(`distro_gentoo',`
-   gen_require(`
-   type rc_exec_t;
-   ')
-
-   domtrans_pattern($1, rc_exec_t, initrc_t)
-   ')
-
ifdef(`enable_mcs',`
range_transition $1 initrc_exec_t:process s0;
')
@@ -891,7 +882,6 @@ interface(`init_domtrans_script',`
gen_require(`
type rc_exec_t;
')
-
domtrans_pattern($1, rc_exec_t, initrc_t)
')
 ')



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/

2015-02-09 Thread Jason Zaman
commit: 0897e2ba7152ef4752b2fb292fe9bde72b88b465
Author: Jason Zaman jason AT perfinion DOT com
AuthorDate: Mon Feb  9 09:20:21 2015 +
Commit: Jason Zaman perfinion AT gentoo DOT org
CommitDate: Mon Feb  9 09:54:18 2015 +
URL:
http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=0897e2ba

add back the working parts of commit fe62598f2fb87

---
 policy/modules/system/init.if | 74 ++-
 1 file changed, 38 insertions(+), 36 deletions(-)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 7cdf3a8..1f897d2 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -150,39 +150,6 @@ interface(`init_ranged_domain',`
 
 
 ## summary
-## Mark the file type as a daemon pid file, allowing initrc_t
-## to create it
-## /summary
-## param name=filetype
-## summary
-## Type to mark as a daemon pid file
-## /summary
-## /param
-## param name=class
-## summary
-## Class on which the type is applied
-## /summary
-## /param
-## param name=filename
-## summary
-## Filename of the file that the init script creates
-## /summary
-## /param
-#
-interface(`init_daemon_pid_file',`
-   gen_require(`
-   attribute daemonpidfile;
-   type initrc_t;
-   ')
-
-   typeattribute $1 daemonpidfile;
-
-   files_pid_file($1)
-   files_pid_filetrans(initrc_t, $1, $2, $3)
-')
-
-
-## summary
 ## Create a domain for long running processes
 ## (daemons/services) which are started by init scripts.
 ## /summary
@@ -421,16 +388,50 @@ interface(`init_ranged_system_domain',`
 
 
 ## summary
-## Mark the type as a daemon run dir
+## Mark the file type as a daemon pid file, allowing initrc_t
+## to create it
 ## /summary
-## param name=rundirtype
+## param name=filetype
+## summary
+## Type to mark as a daemon pid file
+## /summary
+## /param
+## param name=class
+## summary
+## Class on which the type is applied
+## /summary
+## /param
+## param name=filename
+## summary
+## Filename of the file that the init script creates
+## /summary
+## /param
+#
+interface(`init_daemon_pid_file',`
+   gen_require(`
+   attribute daemonpidfile;
+   type initrc_t;
+   ')
+
+   typeattribute $1 daemonpidfile;
+
+   files_pid_file($1)
+   files_pid_filetrans(initrc_t, $1, $2, $3)
+')
+
+
+## summary
+## Mark the file type as a daemon run dir, allowing initrc_t
+## to create it
+## /summary
+## param name=filetype
 ## summary
 ## Type to mark as a daemon run dir
 ## /summary
 ## /param
 ## param name=filename
 ## summary
-## Name of the run dir directory
+## Filename of the directory that the init script creates
 ## /summary
 ## /param
 #
@@ -882,6 +883,7 @@ interface(`init_domtrans_script',`
gen_require(`
type rc_exec_t;
')
+
domtrans_pattern($1, rc_exec_t, initrc_t)
')
 ')



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/

2015-01-29 Thread Jason Zaman
commit: 996d64d63da9b3510b66053b8a82fd0bce7ac3fc
Author: Jason Zaman jason AT perfinion DOT com
AuthorDate: Tue Jan 20 14:21:00 2015 +
Commit: Jason Zaman gentoo AT perfinion DOT com
CommitDate: Thu Jan 29 08:03:50 2015 +
URL:
http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=996d64d6

udev: allow netlink_socket perms

udev needs these perms for CRDA communication (Central Regulatory Domain
Agent for wifi)

type=AVC msg=audit(1421753429.771:3718): avc:  denied  { create } for
pid=28698 comm=crda scontext=system_u:system_r:udev_t
tcontext=system_u:system_r:udev_t tclass=netlink_socket permissive=1
type=AVC msg=audit(1421753429.771:3719): avc:  denied  { setopt } for
pid=28698 comm=crda scontext=system_u:system_r:udev_t
tcontext=system_u:system_r:udev_t tclass=netlink_socket permissive=1
type=AVC msg=audit(1421753429.771:3720): avc:  denied  { bind } for
pid=28698 comm=crda scontext=system_u:system_r:udev_t
tcontext=system_u:system_r:udev_t tclass=netlink_socket permissive=1
type=AVC msg=audit(1421753429.771:3721): avc:  denied  { getattr } for
pid=28698 comm=crda scontext=system_u:system_r:udev_t
tcontext=system_u:system_r:udev_t tclass=netlink_socket permissive=1
type=AVC msg=audit(1421753429.771:3722): avc:  denied  { write } for
pid=28698 comm=crda scontext=system_u:system_r:udev_t
tcontext=system_u:system_r:udev_t tclass=netlink_socket permissive=1
type=AVC msg=audit(1421753429.771:3723): avc:  denied  { read } for
pid=28698 comm=crda scontext=system_u:system_r:udev_t
tcontext=system_u:system_r:udev_t tclass=netlink_socket permissive=1

---
 policy/modules/system/udev.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 78e4328..d4d77f2 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -334,6 +334,8 @@ ifdef(`distro_gentoo',`
 
# needed for predictable network interfaces naming
allow udev_t self:netlink_route_socket rw_netlink_socket_perms;
+   # needed for crda, bug #538110
+   allow udev_t self:netlink_socket create_socket_perms;
 
manage_dirs_pattern(udev_t, udev_tbl_t, udev_tbl_t)
manage_files_pattern(udev_t, udev_tbl_t, udev_tbl_t)
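Review bot: `create_socket_perms` on the generic `netlink_socket` class is granted to `udev_t` itself, although every quoted denial has `comm=crda`, which suggests the helper runs in udev's domain without a transition. Giving crda its own domain with this socket rule would keep the broad udev domain from gaining generic netlink access. The denials list create, setopt, bind, getattr, write and read; if the rule stays on udev_t, an explicit list of those six would be narrower than the macro, assuming the macro expands to more than these. The same hunk recurs in the later mails on this page for commits 75224d9c, 9b58424a and 3abae898.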



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/

2015-01-29 Thread Jason Zaman
commit: a0f63a5ebdaa7a52d2ea96dc1f3299f741313f93
Author: Jason Zaman jason AT perfinion DOT com
AuthorDate: Tue Jan 20 14:31:35 2015 +
Commit: Jason Zaman gentoo AT perfinion DOT com
CommitDate: Thu Jan 29 08:32:53 2015 +
URL:
http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=a0f63a5e

init: needs access to networkmanager rawip sockets

---
 policy/modules/system/init.te | 5 +
 1 file changed, 5 insertions(+)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 5d83a49..c265e53 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -977,6 +977,11 @@ ifdef(`distro_gentoo',`
')
 
optional_policy(`
+   networkmanager_rw_rawip_sockets(initrc_t)
+   networkmanager_stream_connect(initrc_t)
+   ')
+
+   optional_policy(`
fail2ban_stream_connect(initrc_t)
')
 
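Review bot: The commit title mentions only rawip sockets, but the hunk also adds `networkmanager_stream_connect(initrc_t)`. Neither call carries a comment or a quoted denial explaining why init scripts need it. A short comment above the block, such as `# <init script or bug reference that needs NetworkManager access>`, would let a reviewer check that both grants are still required. The same hunk is repeated in the mails for commits 9aa77e95, 1cad3696 and 7afc5fea on this page.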



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/

2015-01-28 Thread Jason Zaman
commit: e19b8a6df341e3dc10334f39c5ffed42035da210
Author: Sven Vermeulen sven.vermeulen AT siphos DOT be
AuthorDate: Sun Jan 25 13:49:11 2015 +
Commit: Jason Zaman gentoo AT perfinion DOT com
CommitDate: Sun Jan 25 13:49:11 2015 +
URL:
http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=e19b8a6d

Allow dhcpc_script_t to create /run/dhcpcd directory, otherwise resolv.conf 
generation fails

---
 policy/modules/system/sysnetwork.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/sysnetwork.te 
b/policy/modules/system/sysnetwork.te
index b65117e..e5c63d6 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -455,6 +455,7 @@ ifdef(`distro_gentoo',`
files_tmp_filetrans(dhcpc_script_t, dhcpc_script_tmp_t, { file dir })
 
manage_files_pattern(dhcpc_script_t, dhcpc_var_run_t, dhcpc_var_run_t)
+   create_dirs_pattern(dhcpc_script_t, dhcpc_var_run_t, dhcpc_var_run_t)
files_pid_filetrans(dhcpc_script_t, dhcpc_var_run_t, { file dir })
 
kernel_read_network_state(dhcpc_script_t)



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/

2015-01-28 Thread Jason Zaman
commit: 9aa77e954db9e5408670b89080db02425c9c06df
Author: Jason Zaman jason AT perfinion DOT com
AuthorDate: Tue Jan 20 14:31:35 2015 +
Commit: Jason Zaman gentoo AT perfinion DOT com
CommitDate: Mon Jan 26 06:42:28 2015 +
URL:
http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=9aa77e95

init: needs access to networkmanager rawip sockets

---
 policy/modules/system/init.te | 5 +
 1 file changed, 5 insertions(+)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 5d83a49..c265e53 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -977,6 +977,11 @@ ifdef(`distro_gentoo',`
')
 
optional_policy(`
+   networkmanager_rw_rawip_sockets(initrc_t)
+   networkmanager_stream_connect(initrc_t)
+   ')
+
+   optional_policy(`
fail2ban_stream_connect(initrc_t)
')
 



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/

2015-01-28 Thread Jason Zaman
commit: 75224d9c038ddc5e136838767f0cfcbce01ad8d8
Author: Jason Zaman jason AT perfinion DOT com
AuthorDate: Tue Jan 20 14:21:00 2015 +
Commit: Jason Zaman gentoo AT perfinion DOT com
CommitDate: Mon Jan 26 06:01:05 2015 +
URL:
http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=75224d9c

udev: allow netlink_socket perms

udev needs these perms for CRDA communication (Central Regulatory Domain
Agent for wifi)

type=AVC msg=audit(1421753429.771:3718): avc:  denied  { create } for
pid=28698 comm=crda scontext=system_u:system_r:udev_t
tcontext=system_u:system_r:udev_t tclass=netlink_socket permissive=1
type=AVC msg=audit(1421753429.771:3719): avc:  denied  { setopt } for
pid=28698 comm=crda scontext=system_u:system_r:udev_t
tcontext=system_u:system_r:udev_t tclass=netlink_socket permissive=1
type=AVC msg=audit(1421753429.771:3720): avc:  denied  { bind } for
pid=28698 comm=crda scontext=system_u:system_r:udev_t
tcontext=system_u:system_r:udev_t tclass=netlink_socket permissive=1
type=AVC msg=audit(1421753429.771:3721): avc:  denied  { getattr } for
pid=28698 comm=crda scontext=system_u:system_r:udev_t
tcontext=system_u:system_r:udev_t tclass=netlink_socket permissive=1
type=AVC msg=audit(1421753429.771:3722): avc:  denied  { write } for
pid=28698 comm=crda scontext=system_u:system_r:udev_t
tcontext=system_u:system_r:udev_t tclass=netlink_socket permissive=1
type=AVC msg=audit(1421753429.771:3723): avc:  denied  { read } for
pid=28698 comm=crda scontext=system_u:system_r:udev_t
tcontext=system_u:system_r:udev_t tclass=netlink_socket permissive=1

---
 policy/modules/system/udev.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 78e4328..810d135 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -334,6 +334,8 @@ ifdef(`distro_gentoo',`
 
# needed for predictable network interfaces naming
allow udev_t self:netlink_route_socket rw_netlink_socket_perms;
+   # needed for crda
+   allow udev_t self:netlink_socket create_socket_perms;
 
manage_dirs_pattern(udev_t, udev_tbl_t, udev_tbl_t)
manage_files_pattern(udev_t, udev_tbl_t, udev_tbl_t)



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/

2015-01-25 Thread Sven Vermeulen
commit: 1cad3696a2d8379f4c39588580ab51a2cdb2f601
Author: Jason Zaman jason AT perfinion DOT com
AuthorDate: Tue Jan 20 14:31:35 2015 +
Commit: Sven Vermeulen swift AT gentoo DOT org
CommitDate: Sun Jan 25 13:45:20 2015 +
URL:
http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=1cad3696

init: needs access to networkmanager rawip sockets

---
 policy/modules/system/init.te | 5 +
 1 file changed, 5 insertions(+)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 5d83a49..c265e53 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -977,6 +977,11 @@ ifdef(`distro_gentoo',`
')
 
optional_policy(`
+   networkmanager_rw_rawip_sockets(initrc_t)
+   networkmanager_stream_connect(initrc_t)
+   ')
+
+   optional_policy(`
fail2ban_stream_connect(initrc_t)
')
 



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/

2015-01-25 Thread Sven Vermeulen
commit: 9b58424a4d94e678b364bcc24869aa142abdaa62
Author: Jason Zaman jason AT perfinion DOT com
AuthorDate: Tue Jan 20 14:21:00 2015 +
Commit: Sven Vermeulen swift AT gentoo DOT org
CommitDate: Sun Jan 25 13:45:20 2015 +
URL:
http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=9b58424a

udev: allow netlink_socket perms

udev needs these perms for CRDA communication (Central Regulatory Domain
Agent for wifi)

type=AVC msg=audit(1421753429.771:3718): avc:  denied  { create } for
pid=28698 comm=crda scontext=system_u:system_r:udev_t
tcontext=system_u:system_r:udev_t tclass=netlink_socket permissive=1
type=AVC msg=audit(1421753429.771:3719): avc:  denied  { setopt } for
pid=28698 comm=crda scontext=system_u:system_r:udev_t
tcontext=system_u:system_r:udev_t tclass=netlink_socket permissive=1
type=AVC msg=audit(1421753429.771:3720): avc:  denied  { bind } for
pid=28698 comm=crda scontext=system_u:system_r:udev_t
tcontext=system_u:system_r:udev_t tclass=netlink_socket permissive=1
type=AVC msg=audit(1421753429.771:3721): avc:  denied  { getattr } for
pid=28698 comm=crda scontext=system_u:system_r:udev_t
tcontext=system_u:system_r:udev_t tclass=netlink_socket permissive=1
type=AVC msg=audit(1421753429.771:3722): avc:  denied  { write } for
pid=28698 comm=crda scontext=system_u:system_r:udev_t
tcontext=system_u:system_r:udev_t tclass=netlink_socket permissive=1
type=AVC msg=audit(1421753429.771:3723): avc:  denied  { read } for
pid=28698 comm=crda scontext=system_u:system_r:udev_t
tcontext=system_u:system_r:udev_t tclass=netlink_socket permissive=1

---
 policy/modules/system/udev.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 78e4328..810d135 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -334,6 +334,8 @@ ifdef(`distro_gentoo',`
 
# needed for predictable network interfaces naming
allow udev_t self:netlink_route_socket rw_netlink_socket_perms;
+   # needed for crda
+   allow udev_t self:netlink_socket create_socket_perms;
 
manage_dirs_pattern(udev_t, udev_tbl_t, udev_tbl_t)
manage_files_pattern(udev_t, udev_tbl_t, udev_tbl_t)



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/

2015-01-20 Thread Jason Zaman
commit: 7afc5feae4c17be7e24c75561cf5605509481284
Author: Jason Zaman jason AT perfinion DOT com
AuthorDate: Tue Jan 20 14:31:35 2015 +
Commit: Jason Zaman gentoo AT perfinion DOT com
CommitDate: Tue Jan 20 14:32:32 2015 +
URL:
http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=7afc5fea

init: needs access to networkmanager rawip sockets

---
 policy/modules/system/init.te | 5 +
 1 file changed, 5 insertions(+)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 5d83a49..c265e53 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -977,6 +977,11 @@ ifdef(`distro_gentoo',`
')
 
optional_policy(`
+   networkmanager_rw_rawip_sockets(initrc_t)
+   networkmanager_stream_connect(initrc_t)
+   ')
+
+   optional_policy(`
fail2ban_stream_connect(initrc_t)
')
 



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/

2015-01-20 Thread Jason Zaman
commit: 3abae898c6fd25e2aa8e2b877c464942b980dfa8
Author: Jason Zaman jason AT perfinion DOT com
AuthorDate: Tue Jan 20 14:21:00 2015 +
Commit: Jason Zaman gentoo AT perfinion DOT com
CommitDate: Tue Jan 20 14:32:31 2015 +
URL:
http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=3abae898

udev: allow netlink_socket perms

udev needs these perms for CRDA communication (Central Regulatory Domain
Agent for wifi)

type=AVC msg=audit(1421753429.771:3718): avc:  denied  { create } for
pid=28698 comm=crda scontext=system_u:system_r:udev_t
tcontext=system_u:system_r:udev_t tclass=netlink_socket permissive=1
type=AVC msg=audit(1421753429.771:3719): avc:  denied  { setopt } for
pid=28698 comm=crda scontext=system_u:system_r:udev_t
tcontext=system_u:system_r:udev_t tclass=netlink_socket permissive=1
type=AVC msg=audit(1421753429.771:3720): avc:  denied  { bind } for
pid=28698 comm=crda scontext=system_u:system_r:udev_t
tcontext=system_u:system_r:udev_t tclass=netlink_socket permissive=1
type=AVC msg=audit(1421753429.771:3721): avc:  denied  { getattr } for
pid=28698 comm=crda scontext=system_u:system_r:udev_t
tcontext=system_u:system_r:udev_t tclass=netlink_socket permissive=1
type=AVC msg=audit(1421753429.771:3722): avc:  denied  { write } for
pid=28698 comm=crda scontext=system_u:system_r:udev_t
tcontext=system_u:system_r:udev_t tclass=netlink_socket permissive=1
type=AVC msg=audit(1421753429.771:3723): avc:  denied  { read } for
pid=28698 comm=crda scontext=system_u:system_r:udev_t
tcontext=system_u:system_r:udev_t tclass=netlink_socket permissive=1

---
 policy/modules/system/udev.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 78e4328..810d135 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -334,6 +334,8 @@ ifdef(`distro_gentoo',`
 
# needed for predictable network interfaces naming
allow udev_t self:netlink_route_socket rw_netlink_socket_perms;
+   # needed for crda
+   allow udev_t self:netlink_socket create_socket_perms;
 
manage_dirs_pattern(udev_t, udev_tbl_t, udev_tbl_t)
manage_files_pattern(udev_t, udev_tbl_t, udev_tbl_t)



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/

2014-11-28 Thread Sven Vermeulen
commit: 30ac48af98cd4789dcfcb897a969d51233844db4
Author: Jason Zaman jason AT perfinion DOT com
AuthorDate: Tue Nov 25 20:04:56 2014 +
Commit: Sven Vermeulen swift AT gentoo DOT org
CommitDate: Wed Nov 26 12:28:11 2014 +
URL:
http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=30ac48af

Allow admin users to manage user tmp chr_files

Needed when building initrds.

---
 policy/modules/system/userdomain.if | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/userdomain.if 
b/policy/modules/system/userdomain.if
index eba23be..1d5370c 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1249,6 +1249,8 @@ template(`userdom_admin_user_template',`
allow $1_t self:netlink_kobject_uevent_socket 
create_socket_perms;
# Moved out of files_relabel_non_auth_files as it cannot be 
used in tunable_policy otherwise
seutil_relabelto_bin_policy($1_t)
+   # allow to manage chr_files in user_tmp (for initrd's)
+   userdom_manage_user_tmp_chr_files($1_t)
')
 ')
 
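Review bot: `userdom_manage_user_tmp_chr_files($1_t)` lets every admin domain built from this template create character device nodes labelled `user_tmp_t`. Access to such a node is then decided by the `user_tmp_t:chr_file` rules rather than by the device's own type. The comment gives initrd building as the only use, so a tunable around the call, or a dedicated type for the initrd staging directory, would limit the grant to that case. The enclosing block starts outside the hunk, so whether it is already conditional is not visible here.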



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/

2014-11-28 Thread Sven Vermeulen
commit: 3f6c14f9b89350b60e83e5f7764b7a095df7b005
Author: Jason Zaman jason AT perfinion DOT com
AuthorDate: Tue Nov 25 20:00:07 2014 +
Commit: Sven Vermeulen swift AT gentoo DOT org
CommitDate: Wed Nov 26 12:28:11 2014 +
URL:
http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=3f6c14f9

Introduce userdom_manage_user_tmp_chr_files interface

---
 policy/modules/system/userdomain.if | 20 
 1 file changed, 20 insertions(+)

diff --git a/policy/modules/system/userdomain.if 
b/policy/modules/system/userdomain.if
index 16a95cc..eba23be 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -3630,3 +3630,23 @@ interface(`userdom_manage_all_user_home_content',`
manage_fifo_files_pattern($1, user_home_content_type, 
user_home_content_type)
manage_sock_files_pattern($1, user_home_content_type, 
user_home_content_type)
 ')
+
+
+## summary
+## Create, read, write, and delete user
+## temporary character files.
+## /summary
+## param name=domain
+## summary
+## Domain allowed access.
+## /summary
+## /param
+#
+interface(`userdom_manage_user_tmp_chr_files',`
+   gen_require(`
+   type user_tmp_t;
+   ')
+
+   manage_chr_files_pattern($1, user_tmp_t, user_tmp_t)
+   files_search_tmp($1)
+')
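Review bot: The interface summary says "temporary character files", which does not make it obvious that the rule covers creating and deleting device nodes. Wording such as `Create, read, write, and delete character device nodes in user temporary directories.` would make that visible at the call site. A further sentence in the summary saying that callers are expected to be administrative domains would help too.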



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/

2014-11-28 Thread Sven Vermeulen
commit: 9f1063357d52895b54c477bdc498d2a2b21895da
Author: Sven Vermeulen sven.vermeulen AT siphos DOT be
AuthorDate: Fri Nov 28 10:13:54 2014 +
Commit: Sven Vermeulen swift AT gentoo DOT org
CommitDate: Fri Nov 28 10:13:54 2014 +
URL:
http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=9f106335

Fix bug 529204 - Support a dhcpc_script_t domain

We introduce an executable domain (dhcpc_script_t) through which the
hooks can be executed for the DHCP clients. This domain is separate in
order to keep the privileges of the application small, but also because
this domain will execute commands that are not the responsibility of
the DHCP client code itself (code-wise) but are provided by
administrators.

Security-wise, as these are scripts, it is more difficult to guarantee
correctness. As such, we want to isolate these privileges into its own
domain.

The domain will have basic privileges to support the majority of
installations, but we also include a sysnet_dhcpc_script_entry()
interface so that domain transitions can be easily added without the
need for augmenting the privileges of the dhcpc_script_t domain.

---
 policy/modules/system/sysnetwork.fc |  3 +++
 policy/modules/system/sysnetwork.te | 32 
 2 files changed, 35 insertions(+)

diff --git a/policy/modules/system/sysnetwork.fc 
b/policy/modules/system/sysnetwork.fc
index fbb935c..b1c6404 100644
--- a/policy/modules/system/sysnetwork.fc
+++ b/policy/modules/system/sysnetwork.fc
@@ -80,3 +80,6 @@ ifdef(`distro_debian',`
 /var/run/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
 ')
 
+ifdef(`distro_gentoo',`
+/lib/dhcpcd/dhcpcd-run-hooks   --  
gen_context(system_u:object_r:dhcpc_script_exec_t,s0)
+')

diff --git a/policy/modules/system/sysnetwork.te 
b/policy/modules/system/sysnetwork.te
index 3576536..fad8fce 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -422,4 +422,36 @@ ifdef(`distro_gentoo',`
optional_policy(`
resolvconf_client_domain(dhcpc_t)
')
+
+   #
+   #
+   # dhcpc_script_t
+   #
+
+   # The purpose of the dhcpc_script_t domain is to handle the 
post-processing of 
+   # the dhcpcd ip renewal. dhcpcd (the tool) supports hooks for this, and 
I would
+   # assume others do as well. With the dhcpc_script_t domain we can 
isolate the
+   # privileges of the DHCP client itself from the hooks / flexibility 
that the developers
+   # introduced.
+
+   type dhcpc_script_t;
+   domain_type(dhcpc_script_t)
+   role dhcpc_roles types dhcpc_script_t;
+
+   type dhcpc_script_exec_t;
+   domain_entry_file(dhcpc_script_t, dhcpc_script_exec_t)
+
+   type dhcpc_script_tmp_t;
+   files_tmp_file(dhcpc_script_tmp_t)
+
+   
+   #
+   # dhcpc script policy
+   #
+
+   manage_files_pattern(dhcpc_script_t, dhcpc_script_tmp_t, 
dhcpc_script_tmp_t)
+   files_tmp_filetrans(dhcpc_script_t, dhcpc_script_tmp_t, { file dir })
+
+   corecmd_exec_bin(dhcpc_script_t)
+   corecmd_exec_shell(dhcpc_script_t)
 ')
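Review bot: Nothing in this hunk lets dhcpc_t enter the new domain, because there is no `domtrans_pattern(dhcpc_t, dhcpc_script_exec_t, dhcpc_script_t)`. Once the hook is relabelled, the client would presumably be denied executing it, or at least never leave dhcpc_t (dhcpc_t's own rules are outside the hunk, so this is inferred). Separately, `files_tmp_filetrans(dhcpc_script_t, dhcpc_script_tmp_t, { file dir })` sets up a transition for directories, but only `manage_files_pattern` is granted on dhcpc_script_tmp_t. Either add `manage_dirs_pattern(dhcpc_script_t, dhcpc_script_tmp_t, dhcpc_script_tmp_t)` or drop `dir` from the class set; the same file-only grant with a `{ file dir }` transition recurs in the 7c41301a and cd096ca6 revisions. The enclosing distro_gentoo ifdef block starts outside the hunk.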



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/, policy/modules/kernel/

2014-11-28 Thread Sven Vermeulen
commit: 7c41301a215662b550962c3440879d302d4fc6ee
Author: Sven Vermeulen sven.vermeulen AT siphos DOT be
AuthorDate: Fri Nov 28 10:13:54 2014 +
Commit: Sven Vermeulen swift AT gentoo DOT org
CommitDate: Fri Nov 28 10:43:29 2014 +
URL:
http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=7c41301a

Fix bug 529204 - Support a dhcpc_script_t domain

We introduce an executable domain (dhcpc_script_t) through which the
hooks can be executed for the DHCP clients. This domain is separate in
order to keep the privileges of the application small, but also because
this domain will execute commands that are not the responsibility of
the DHCP client code itself (code-wise) but are provided by
administrators.

Security-wise, as these are scripts, it is more difficult to guarantee
correctness. As such, we want to isolate these privileges into its own
domain.

The domain will have basic privileges to support the majority of
installations, but we also include a sysnet_dhcpc_script_entry()
interface so that domain transitions can be easily added without the
need for augmenting the privileges of the dhcpc_script_t domain.

---
 policy/modules/kernel/corecommands.fc |  2 +-
 policy/modules/system/sysnetwork.fc   |  3 +++
 policy/modules/system/sysnetwork.te   | 49 +++
 3 files changed, 53 insertions(+), 1 deletion(-)

diff --git a/policy/modules/kernel/corecommands.fc 
b/policy/modules/kernel/corecommands.fc
index 406a11e..40fd54b 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -143,7 +143,7 @@ ifdef(`distro_debian',`
 /lib/upstart(/.*)? gen_context(system_u:object_r:bin_t,s0)
 
 ifdef(`distro_gentoo',`
-/lib/dhcpcd/dhcpcd-run-hooks   --  gen_context(system_u:object_r:bin_t,s0)
+#/lib/dhcpcd/dhcpcd-run-hooks  --  gen_context(system_u:object_r:bin_t,s0)
 
 /lib/rcscripts/addons(/.*)?gen_context(system_u:object_r:bin_t,s0)
 /lib/rcscripts/sh(/.*)?
gen_context(system_u:object_r:bin_t,s0)
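Review bot: The old `bin_t` specification for dhcpcd-run-hooks is commented out rather than removed, which leaves a dead line with no explanation of where the label went. Either delete it or replace it with a pointer such as `# dhcpcd-run-hooks is labelled dhcpc_script_exec_t in sysnetwork.fc`. The cd096ca6 revision further down the page carries the identical hunk. The distro_gentoo ifdef block continues past the end of the hunk.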

diff --git a/policy/modules/system/sysnetwork.fc 
b/policy/modules/system/sysnetwork.fc
index fbb935c..b1c6404 100644
--- a/policy/modules/system/sysnetwork.fc
+++ b/policy/modules/system/sysnetwork.fc
@@ -80,3 +80,6 @@ ifdef(`distro_debian',`
 /var/run/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
 ')
 
+ifdef(`distro_gentoo',`
+/lib/dhcpcd/dhcpcd-run-hooks   --  
gen_context(system_u:object_r:dhcpc_script_exec_t,s0)
+')

diff --git a/policy/modules/system/sysnetwork.te 
b/policy/modules/system/sysnetwork.te
index 3576536..7ee4bf7 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -422,4 +422,53 @@ ifdef(`distro_gentoo',`
optional_policy(`
resolvconf_client_domain(dhcpc_t)
')
+
+   #
+   #
+   # dhcpc_script_t
+   #
+
+   # The purpose of the dhcpc_script_t domain is to handle the 
post-processing of 
+   # the dhcpcd ip renewal. dhcpcd (the tool) supports hooks for this, and 
I would
+   # assume others do as well. With the dhcpc_script_t domain we can 
isolate the
+   # privileges of the DHCP client itself from the hooks / flexibility 
that the developers
+   # introduced.
+
+   type dhcpc_script_t;
+   domain_type(dhcpc_script_t)
+   role dhcpc_roles types dhcpc_script_t;
+
+   type dhcpc_script_exec_t;
+   domain_entry_file(dhcpc_script_t, dhcpc_script_exec_t)
+
+   type dhcpc_script_var_run_t;
+   files_pid_file(dhcpc_script_var_run_t)
+
+   type dhcpc_script_tmp_t;
+   files_tmp_file(dhcpc_script_tmp_t)
+
+   
+   #
+   # dhcpc script policy
+   #
+
+   allow dhcpc_script_t self:fifo_file rw_fifo_file_perms;
+
+   manage_files_pattern(dhcpc_script_t, dhcpc_script_tmp_t, 
dhcpc_script_tmp_t)
+   files_tmp_filetrans(dhcpc_script_t, dhcpc_script_tmp_t, { file dir })
+
+   manage_files_pattern(dhcpc_script_t, dhcpc_script_var_run_t, 
dhcpc_script_var_run_t)
+   filetrans_pattern(dhcpc_script_t, dhcpc_var_run_t, 
dhcpc_script_var_run_t, { file dir })
+
+   corecmd_exec_bin(dhcpc_script_t)
+   corecmd_exec_shell(dhcpc_script_t)
+
+   # Perhaps sysnet_domtrans_dhcpc_script could be used instead and 
positioned in the dhcpc_t section
+   domtrans_pattern(dhcpc_t, dhcpc_script_exec_t, dhcpc_script_t)
+
+   sysnet_manage_config(dhcpc_script_t)
+
+   optional_policy(`
+   ntp_manage_config(dhcpc_script_t)
+   ')
 ')
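Review bot: `sysnet_manage_config(dhcpc_script_t)` and `ntp_manage_config(dhcpc_script_t)` hand manage rights over network and NTP configuration to the very domain the commit description calls hard to guarantee correct, and nothing in the hunk says which hook needs them. Each grant should carry a why-comment naming the hook it serves, for example `# <hook name> rewrites the resolver configuration` (placeholder; the hooks themselves are not on the page). If the hooks only touch specific files, a narrower interface would fit the stated aim of basic privileges better. The description also promises a sysnet_dhcpc_script_entry() interface, and the in-hunk comment mentions sysnet_domtrans_dhcpc_script, yet the diffstat lists no .if file, so neither appears to be defined by this commit. The enclosing distro_gentoo ifdef block starts outside the hunk.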



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/, policy/modules/kernel/

2014-11-28 Thread Sven Vermeulen
commit: cd096ca629a742975a21fc68736329d5a49b44a0
Author: Sven Vermeulen sven.vermeulen AT siphos DOT be
AuthorDate: Fri Nov 28 10:13:54 2014 +
Commit: Sven Vermeulen swift AT gentoo DOT org
CommitDate: Fri Nov 28 11:00:14 2014 +
URL:
http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=cd096ca6

Fix bug 529204 - Support a dhcpc_script_t domain

We introduce an executable domain (dhcpc_script_t) through which the
hooks can be executed for the DHCP clients. This domain is separate in
order to keep the privileges of the application small, but also because
this domain will execute commands that are not the responsibility of
the DHCP client code itself (code-wise) but are provided by
administrators.

Security-wise, as these are scripts, it is more difficult to guarantee
correctness. As such, we want to isolate these privileges into its own
domain.

The domain will have basic privileges to support the majority of
installations, but we also include a sysnet_dhcpc_script_entry()
interface so that domain transitions can be easily added without the
need for augmenting the privileges of the dhcpc_script_t domain.

---
 policy/modules/kernel/corecommands.fc |  2 +-
 policy/modules/system/sysnetwork.fc   |  3 +++
 policy/modules/system/sysnetwork.te   | 46 +++
 3 files changed, 50 insertions(+), 1 deletion(-)

diff --git a/policy/modules/kernel/corecommands.fc 
b/policy/modules/kernel/corecommands.fc
index 406a11e..40fd54b 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -143,7 +143,7 @@ ifdef(`distro_debian',`
 /lib/upstart(/.*)? gen_context(system_u:object_r:bin_t,s0)
 
 ifdef(`distro_gentoo',`
-/lib/dhcpcd/dhcpcd-run-hooks   --  gen_context(system_u:object_r:bin_t,s0)
+#/lib/dhcpcd/dhcpcd-run-hooks  --  gen_context(system_u:object_r:bin_t,s0)
 
 /lib/rcscripts/addons(/.*)?gen_context(system_u:object_r:bin_t,s0)
 /lib/rcscripts/sh(/.*)?
gen_context(system_u:object_r:bin_t,s0)

diff --git a/policy/modules/system/sysnetwork.fc 
b/policy/modules/system/sysnetwork.fc
index fbb935c..b1c6404 100644
--- a/policy/modules/system/sysnetwork.fc
+++ b/policy/modules/system/sysnetwork.fc
@@ -80,3 +80,6 @@ ifdef(`distro_debian',`
 /var/run/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
 ')
 
+ifdef(`distro_gentoo',`
+/lib/dhcpcd/dhcpcd-run-hooks   --  
gen_context(system_u:object_r:dhcpc_script_exec_t,s0)
+')

diff --git a/policy/modules/system/sysnetwork.te 
b/policy/modules/system/sysnetwork.te
index 3576536..8adbcfa 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -422,4 +422,50 @@ ifdef(`distro_gentoo',`
optional_policy(`
resolvconf_client_domain(dhcpc_t)
')
+
+   #
+   #
+   # dhcpc_script_t
+   #
+
+   # The purpose of the dhcpc_script_t domain is to handle the 
post-processing of 
+   # the dhcpcd ip renewal. dhcpcd (the tool) supports hooks for this, and 
I would
+   # assume others do as well. With the dhcpc_script_t domain we can 
isolate the
+   # privileges of the DHCP client itself from the hooks / flexibility 
that the developers
+   # introduced.
+
+   type dhcpc_script_t;
+   domain_type(dhcpc_script_t)
+   role dhcpc_roles types dhcpc_script_t;
+
+   type dhcpc_script_exec_t;
+   domain_entry_file(dhcpc_script_t, dhcpc_script_exec_t)
+
+   type dhcpc_script_tmp_t;
+   files_tmp_file(dhcpc_script_tmp_t)
+
+   
+   #
+   # dhcpc script policy
+   #
+
+   allow dhcpc_script_t self:fifo_file rw_fifo_file_perms;
+
+   manage_files_pattern(dhcpc_script_t, dhcpc_script_tmp_t, 
dhcpc_script_tmp_t)
+   files_tmp_filetrans(dhcpc_script_t, dhcpc_script_tmp_t, { file dir })
+
+   manage_files_pattern(dhcpc_script_t, dhcpc_var_run_t, dhcpc_var_run_t)
+   files_pid_filetrans(dhcpc_script_t, dhcpc_var_run_t, { file dir })
+
+   corecmd_exec_bin(dhcpc_script_t)
+   corecmd_exec_shell(dhcpc_script_t)
+
+   # Perhaps sysnet_domtrans_dhcpc_script could be used instead and 
positioned in the dhcpc_t section
+   domtrans_pattern(dhcpc_t, dhcpc_script_exec_t, dhcpc_script_t)
+
+   sysnet_manage_config(dhcpc_script_t)
+
+   optional_policy(`
+   ntp_manage_config(dhcpc_script_t)
+   ')
 ')
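Review bot: `manage_files_pattern(dhcpc_script_t, dhcpc_var_run_t, dhcpc_var_run_t)` gives the hook domain create, write and delete rights on the DHCP client's own run-time files, which weakens the separation between dhcpc_t and dhcpc_script_t that the commit description sets out to achieve. `files_pid_filetrans(dhcpc_script_t, dhcpc_var_run_t, { file dir })` also makes anything a hook creates in the pid directory indistinguishable from the client's files. The 7c41301a revision on this page declares a dedicated type instead, with `type dhcpc_script_var_run_t;` and `files_pid_file(dhcpc_script_var_run_t)`. I would keep that type and grant dhcpc_script_t only read access to dhcpc_var_run_t if a hook actually needs it. The enclosing distro_gentoo ifdef block starts outside the hunk.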



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/

2014-10-12 Thread Sven Vermeulen
commit: eaef7e0bc37c62511400aaf136f8bb6e4e63241a
Author: Sven Vermeulen sven.vermeulen AT siphos DOT be
AuthorDate: Sun Oct 12 08:38:37 2014 +
Commit: Sven Vermeulen swift AT gentoo DOT org
CommitDate: Sun Oct 12 08:38:37 2014 +
URL:
http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=eaef7e0b

Add auth_pid_filetrans_pam_var_run

This interface allows a domain to create resources inside the generic
pid location (/var/run) and have them created with the pam_var_run_t
type.

---
 policy/modules/system/authlogin.if | 34 ++
 1 file changed, 34 insertions(+)

diff --git a/policy/modules/system/authlogin.if 
b/policy/modules/system/authlogin.if
index 8225390..f20a6a6 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -1805,3 +1805,37 @@ interface(`auth_unconfined',`
typeattribute $1 can_write_shadow_passwords;
typeattribute $1 can_relabelto_shadow_passwords;
 ')
+
+# Should be in an ifdef distro_gentoo but that is not supported in the global 
if file
+
+
+## summary
+## Create specified objects in
+## pid directories with the pam var
+##  run file type using a
+##  file type transition.
+## /summary
+## param name=domain
+## summary
+## Domain allowed access.
+## /summary
+## /param
+## param name=object_class
+## summary
+## Class of the object being created.
+## /summary
+## /param
+## param name=name optional=true
+## summary
+## The name of the object being created.
+## /summary
+## /param
+#
+interface(`auth_pid_filetrans_pam_var_run',`
+   gen_require(`
+   type pam_var_run_t;
+   ')
+
+   files_pid_filetrans($1, pam_var_run_t, $2, $3)
+')
+
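Review bot: The summary for `auth_pid_filetrans_pam_var_run` does not say that the interface only sets up the type transition. Judging by the single `files_pid_filetrans($1, pam_var_run_t, $2, $3)` call, it grants no create or write access to pam_var_run_t objects themselves, although the definition of files_pid_filetrans is outside the page, so this is inferred. A caller that uses it alone would likely hit denials when the object is created. I would add a sentence to the summary such as `Callers must separately be allowed to create pam_var_run_t objects of the given class.` It would also help if the note about the missing distro_gentoo ifdef named the Gentoo-specific caller the interface was added for.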