[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/

2024-03-01 Thread Kenton Groombridge
commit: 5c8203bfd90758d92cd93c786de8fe94e6d716ca
Author: Christian Göttsche  googlemail  com>
AuthorDate: Thu Feb 22 17:00:48 2024 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Fri Mar  1 17:05:52 2024 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5c8203bf

fs: add support for virtiofs

Adopted from 
https://github.com/fedora-selinux/selinux-policy/commit/5580e9a576f759820dbc3387961ce58a959221dc

Signed-off-by: Christian Göttsche  googlemail.com>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/kernel/filesystem.te | 11 +++
 1 file changed, 11 insertions(+)

diff --git a/policy/modules/kernel/filesystem.te 
b/policy/modules/kernel/filesystem.te
index f21fc71e9..f9aa5f90b 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -41,6 +41,7 @@ fs_use_xattr lustre gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr overlay gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr squashfs gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr ubifs gen_context(system_u:object_r:fs_t,s0);
+fs_use_xattr virtiofs gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr zfs gen_context(system_u:object_r:fs_t,s0);
 
@@ -203,6 +204,16 @@ optional_policy(`
init_mountpoint(tracefs_t)
 ')
 
+
+#
+# virtiofs_t is the default type for virtio file systems
+# and their files.
+#
+type virtiofs_t;
+fs_noxattr_type(virtiofs_t)
+files_mountpoint(virtiofs_t)
+genfscon virtiofs / gen_context(system_u:object_r:virtiofs_t,s0)
+
 type vmblock_t;
 fs_noxattr_type(vmblock_t)
 files_mountpoint(vmblock_t)
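Review bot: The new comment calls virtiofs_t "the default type for virtio file systems and their files", but the first hunk of this file also adds `fs_use_xattr virtiofs gen_context(system_u:object_r:fs_t,s0)`, and as far as I understand the kernel's labeling lookup an fs_use entry for a filesystem type takes precedence over a genfscon entry for the same type, so virtiofs_t would only apply where the xattr path is not used — confirm which of the two labelings is meant to be active. The comment should say when each applies rather than calling virtiofs_t the default, e.g. `# virtiofs_t: genfscon fallback label for virtiofs mounts that are not labeled via xattrs (fs_use_xattr above) — confirm when the kernel takes this path`. If only one declaration is intended, drop the other instead of keeping both.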



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/

2024-03-01 Thread Kenton Groombridge
commit: a1f8db5c896e3aef75922cf3ff53ccd53e00f79f
Author: Christian Göttsche  googlemail  com>
AuthorDate: Thu Feb 22 17:00:43 2024 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Fri Mar  1 17:05:48 2024 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a1f8db5c

fs: mark memory pressure type as file

Associate the type memory_pressure_t with the attribute file_type, so
all attribute based rules apply, e.g. for unconfined_t.

Signed-off-by: Christian Göttsche  googlemail.com>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/kernel/filesystem.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/kernel/filesystem.te 
b/policy/modules/kernel/filesystem.te
index 7ffac9812..f21fc71e9 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -100,6 +100,7 @@ genfscon cgroup2 / 
gen_context(system_u:object_r:cgroup_t,s0)
 # the rest of the cgroup tree.
 type memory_pressure_t;
 typeattribute memory_pressure_t cgroup_types;
+files_type(memory_pressure_t)
 dev_associate_sysfs(memory_pressure_t)
 
 type configfs_t;
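Review bot: The motivation for `files_type(memory_pressure_t)` exists only in the commit message; in the policy it reads as an unexplained widening, because every rule written against the file_type attribute, not only the unconfined_t rules the description mentions, now reaches this cgroup pseudo-file. A one-line comment above the new line would keep that visible, e.g. `# file_type so attribute-based rules (e.g. unconfined_t) also cover this cgroup file`. Whether cgroup_t itself carries file_type is not visible here; if it does not, the comment should also say why memory_pressure_t is treated differently.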



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/

2024-03-01 Thread Kenton Groombridge
commit: b093761cac708c6320ea8588f089cb98fd974a24
Author: Christian Göttsche  googlemail  com>
AuthorDate: Thu Feb 22 17:00:44 2024 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Fri Mar  1 17:05:50 2024 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b093761c

systemd: binfmt updates

type=PROCTITLE msg=audit(21/02/24 22:54:36.708:53) : 
proctitle=/usr/lib/systemd/systemd-binfmt
type=SYSCALL msg=audit(21/02/24 22:54:36.708:53) : arch=x86_64 
syscall=fstatfs success=yes exit=0 a0=0x5 a1=0x7ffc547fbda0 a2=0x0 a3=0x0 
items=0 ppid=1 pid=694 auid=unset uid=root gid=root euid=root suid=root 
fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset 
comm=systemd-binfmt exe=/usr/lib/systemd/systemd-binfmt 
subj=system_u:system_r:systemd_binfmt_t:s0 key=(null)
type=AVC msg=audit(21/02/24 22:54:36.708:53) : avc:  denied  { getattr } 
for  pid=694 comm=systemd-binfmt name=/ dev=binfmt_misc ino=1 
scontext=system_u:system_r:systemd_binfmt_t:s0 
tcontext=system_u:object_r:binfmt_misc_fs_t:s0 tclass=filesystem permissive=1

type=PROCTITLE msg=audit(21/02/24 22:54:36.708:54) : 
proctitle=/usr/lib/systemd/systemd-binfmt
type=PATH msg=audit(21/02/24 22:54:36.708:54) : item=0 name=/proc/self/fd/4 
inode=1 dev=00:27 mode=dir,755 ouid=root ogid=root rdev=00:00 
obj=system_u:object_r:binfmt_misc_fs_t:s0 nametype=NORMAL cap_fp=none 
cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(21/02/24 22:54:36.708:54) : cwd=/
type=SYSCALL msg=audit(21/02/24 22:54:36.708:54) : arch=x86_64 
syscall=access success=yes exit=0 a0=0x7ffc547fbdf0 a1=W_OK a2=0x0 a3=0x0 
items=1 ppid=1 pid=694 auid=unset uid=root gid=root euid=root suid=root 
fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset 
comm=systemd-binfmt exe=/usr/lib/systemd/systemd-binfmt 
subj=system_u:system_r:systemd_binfmt_t:s0 key=(null)
type=AVC msg=audit(21/02/24 22:54:36.708:54) : avc:  denied  { write } for  
pid=694 comm=systemd-binfmt name=/ dev=binfmt_misc ino=1 
scontext=system_u:system_r:systemd_binfmt_t:s0 
tcontext=system_u:object_r:binfmt_misc_fs_t:s0 tclass=dir permissive=1

Signed-off-by: Christian Göttsche  googlemail.com>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/kernel/filesystem.if | 37 +
 policy/modules/system/systemd.te|  6 ++
 2 files changed, 43 insertions(+)

diff --git a/policy/modules/kernel/filesystem.if 
b/policy/modules/kernel/filesystem.if
index 08ad5503d..ae022b6c0 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -602,6 +602,24 @@ interface(`fs_manage_autofs_symlinks',`
manage_lnk_files_pattern($1, autofs_t, autofs_t)
 ')
 
+
+## 
+## Get the attributes of binfmt_misc filesystems.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`fs_getattr_binfmt_misc_fs',`
+   gen_require(`
+   type binfmt_misc_fs_t;
+   ')
+
+   allow $1 binfmt_misc_fs_t:filesystem getattr;
+')
+
 
 ## 
 ## Get the attributes of directories on
@@ -622,6 +640,25 @@ interface(`fs_getattr_binfmt_misc_dirs',`
 
 ')
 
+
+## 
+## Check for permissions using access(2) of directories on
+## binfmt_misc filesystems.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`fs_check_write_binfmt_misc_dirs',`
+   gen_require(`
+   type binfmt_misc_fs_t;
+   ')
+
+   allow $1 binfmt_misc_fs_t:dir { getattr write };
+')
+
 
 ## 
 ## Register an interpreter for new binary
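Review bot: `fs_check_write_binfmt_misc_dirs` allows `write` on binfmt_misc_fs_t directories, while the denial quoted in the description is an `access(W_OK)` probe (`syscall=access a1=W_OK`, `tclass=dir`); if the probe result gates whether systemd-binfmt proceeds, an allow is the right choice, otherwise a dontaudit would silence it without granting anything. Either way the rule deserves a comment stating that it is for the access(2) check and that, without add_name/remove_name, it cannot create or unlink entries, e.g. `# access(W_OK) on the binfmt_misc mount point; no add_name/remove_name, so no entries can be created`. The summary "Check for permissions using access(2)" matches a probe, so the name and doc are consistent with that reading.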

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 6d07466e6..63fef177b 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -401,6 +401,7 @@ fs_search_cgroup_dirs(systemd_backlight_t)
 #
 
 kernel_read_kernel_sysctls(systemd_binfmt_t)
+kernel_getattr_proc(systemd_binfmt_t)
 
 systemd_log_parse_environment(systemd_binfmt_t)
 
@@ -409,6 +410,11 @@ files_read_etc_files(systemd_binfmt_t)
 
 fs_register_binary_executable_type(systemd_binfmt_t)
 
+fs_getattr_binfmt_misc_fs(systemd_binfmt_t)
+fs_check_write_binfmt_misc_dirs(systemd_binfmt_t)
+
+fs_getattr_cgroup(systemd_binfmt_t)
+fs_search_cgroup_dirs(systemd_binfmt_t)
 
 ##
 #
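Review bot: The two cgroup rules at the end of the added block, `fs_getattr_cgroup(systemd_binfmt_t)` and `fs_search_cgroup_dirs(systemd_binfmt_t)`, are not backed by any denial quoted in the description, which only shows binfmt_misc and /proc accesses, so a reader cannot tell what in systemd-binfmt triggers them. A short comment tying them to their cause (or the relevant AVC in the commit message) would help, e.g. `# presumably systemd's own cgroup inspection — seen as: <AVC — TODO paste>`. The same applies to `kernel_getattr_proc(systemd_binfmt_t)` in the first hunk of this file, which is presumably the fstatfs on /proc/self/fd shown in the description but is not stated as such.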



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/, policy/modules/services/

2023-10-06 Thread Kenton Groombridge
commit: 1d66af88aa2d390ac5783557e8d04289d16bc612
Author: Russell Coker  coker  com  au>
AuthorDate: Mon Sep 25 15:46:04 2023 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Fri Oct  6 15:30:09 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1d66af88

small storage changes (#706)

* Changes to storage.fc, smartmon, samba and lvm

Signed-off-by: Russell Coker  coker.com.au>

* Add the interfaces this patch needs

Signed-off-by: Russell Coker  coker.com.au>

* use manage_sock_file_perms for sock_file

Signed-off-by: Russell Coker  coker.com.au>

* Renamed files_watch_all_file_type_dir to files_watch_all_dirs

Signed-off-by: Russell Coker  coker.com.au>

* Use read_files_pattern

Signed-off-by: Russell Coker  coker.com.au>

-

Signed-off-by: Russell Coker  coker.com.au>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/kernel/files.if  | 19 +++
 policy/modules/kernel/storage.fc|  1 +
 policy/modules/services/samba.te| 11 ++-
 policy/modules/services/smartmon.if | 20 
 policy/modules/services/smartmon.te |  2 +-
 policy/modules/system/lvm.te|  1 +
 policy/modules/system/userdomain.if | 18 ++
 7 files changed, 70 insertions(+), 2 deletions(-)

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index d8874ace2..a1113ff7c 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1426,6 +1426,25 @@ interface(`files_unmount_all_file_type_fs',`
allow $1 file_type:filesystem unmount;
 ')
 
+
+## 
+## watch all directories of file_type
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`files_watch_all_dirs',`
+   gen_require(`
+   attribute file_type;
+   ')
+
+   allow $1 file_type:dir watch;
+')
+
+
 
 ## 
 ## Read all non-authentication related
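Review bot: The summary `watch all directories of file_type` is phrased in terms of the attribute name rather than the file's usual wording; the neighbouring interface reads like `Unmount all file type filesystems`, so `Watch all directories of file types.` would match. The added block also ends with two `+` blank lines after `')`, where the other new interfaces in this series end with one. Because this grants `watch` on every file_type directory, callers should be aware that inotify watches report entry names even for directories the domain cannot list; a sentence in the description noting that would help the callers added in samba.te.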

diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc
index 3033ac4de..9cd280c25 100644
--- a/policy/modules/kernel/storage.fc
+++ b/policy/modules/kernel/storage.fc
@@ -29,6 +29,7 @@
 /dev/lvm   -c  
gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/mcdx? -b  
gen_context(system_u:object_r:removable_device_t,s0)
 /dev/megadev.* -c  
gen_context(system_u:object_r:removable_device_t,s0)
+/dev/megaraid.*-c  
gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/mmcblk.*  -b  
gen_context(system_u:object_r:removable_device_t,s0)
 /dev/mmcblk.*  -c  
gen_context(system_u:object_r:removable_device_t,s0)
 /dev/mspblk.*  -b  
gen_context(system_u:object_r:removable_device_t,s0)

diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
index 8ec3a1c62..f78d316cc 100644
--- a/policy/modules/services/samba.te
+++ b/policy/modules/services/samba.te
@@ -408,11 +408,13 @@ tunable_policy(`samba_create_home_dirs',`
 ')
 
 tunable_policy(`samba_enable_home_dirs',`
+   files_watch_home(smbd_t)
userdom_manage_user_home_content_dirs(smbd_t)
userdom_manage_user_home_content_files(smbd_t)
userdom_manage_user_home_content_symlinks(smbd_t)
userdom_manage_user_home_content_sockets(smbd_t)
userdom_manage_user_home_content_pipes(smbd_t)
+   userdom_watch_user_home_dirs(smbd_t)
 ')
 
 tunable_policy(`samba_portmapper',`
@@ -444,11 +446,13 @@ tunable_policy(`samba_export_all_ro',`
fs_read_noxattr_fs_files(smbd_t)
files_list_non_auth_dirs(smbd_t)
files_read_non_auth_files(smbd_t)
+   files_watch_all_dirs(smbd_t)
 ')
 
 tunable_policy(`samba_export_all_rw',`
fs_read_noxattr_fs_files(smbd_t)
files_manage_non_auth_files(smbd_t)
+   files_watch_all_dirs(smbd_t)
 ')
 
 optional_policy(`
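Review bot: `files_watch_all_dirs(smbd_t)` in the samba_export_all_ro branch (and again in samba_export_all_rw) is wider than the read access the ro branch deliberately limits to non-auth content via `files_list_non_auth_dirs` and `files_read_non_auth_files`; a directory watch reports the names of entries created or removed in it, so smbd would learn about activity in directories it is not allowed to list. If a non-auth counterpart of the watch interface exists or can be added, the ro branch should use it. Otherwise a comment accepting the wider scope, e.g. `# watch is granted on all dirs, wider than the non-auth read set above`, would record the decision.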
@@ -617,13 +621,17 @@ optional_policy(`
 allow smbcontrol_t self:process signal;
 allow smbcontrol_t self:fifo_file rw_fifo_file_perms;
 allow smbcontrol_t self:unix_stream_socket create_stream_socket_perms;
+allow smbcontrol_t self:unix_dgram_socket create_socket_perms;
 allow smbcontrol_t self:process { signal signull };
 
 allow smbcontrol_t { winbind_t nmbd_t smbd_t }:process { signal signull };
-read_files_pattern(smbcontrol_t, samba_runtime_t, samba_runtime_t)
+allow smbcontrol_t { smbd_t nmbd_t }:unix_dgram_socket sendto;
+manage_files_pattern(smbcontrol_t, samba_runtime_t, samba_runtime_t)
+allow smbcontrol_t samba_runtime_t:file map;
 allow smbcontrol_t samba_runtime_t:dir rw_dir_perms;
 
 manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t)
+allow smbcontrol_t samba_var_t:sock_file manage_sock_file_perms;
 
 samba_read_config(smbcontrol_t)
 samba_search_var(smbcontrol_t)
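Review bot: Replacing `read_files_pattern` with `manage_files_pattern(smbcontrol_t, samba_runtime_t, samba_runtime_t)` lets smbcontrol create and unlink smbd's runtime files, and `samba_runtime_t:file map` is added next to it; the description records which macro was used but not which smbcontrol operation needs create/unlink rather than read/write. If smbcontrol only opens and maps existing runtime files, `rw_files_pattern` plus the `map` rule would be the narrower grant — worth confirming against the denial that motivated the change. A comment such as `# smbcontrol opens and maps the shared runtime files of smbd/nmbd` (adjusted to the real need) would make the intent explicit.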
@@ -639,6 +647,7 @@ files_search_var_lib(smbcontrol_t)
 term_use_console(smbcontrol_t)
 
 

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/, policy/modules/services/

2023-10-06 Thread Kenton Groombridge
commit: 3cf4d89db3171671a05868dd5ecaf933c49fcaa4
Author: Russell Coker  coker  com  au>
AuthorDate: Thu Sep 28 13:55:56 2023 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Fri Oct  6 15:30:52 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3cf4d89d

mon.te patches as well as some fstools patches related to it (#697)

* Patches for mon, mostly mon local monitoring.

Also added the fsdaemon_read_lib() interface and fstools patch because it
also uses fsdaemon_read_lib() and it's called by monitoring scripts

Signed-off-by: Russell Coker  coker.com.au>

* Added the files_dontaudit_tmpfs_file_getattr() and
storage_dev_filetrans_fixed_disk_control() interfaces needed

Signed-off-by: Russell Coker  coker.com.au>

* Fixed the issues from the review

Signed-off-by: Russell Coker  coker.com.au>

* Specify name to avoid conflicting file trans

Signed-off-by: Russell Coker  coker.com.au>

* fixed dontaudi_ typo

Signed-off-by: Russell Coker  coker.com.au>

* Changed storage_dev_filetrans_fixed_disk to have a mandatory parameter for 
the object class

Signed-off-by: Russell Coker  coker.com.au>

* Remove fsdaemon_read_lib as it was already merged

Signed-off-by: Russell Coker  coker.com.au>

-

Signed-off-by: Russell Coker  coker.com.au>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/kernel/files.if  | 18 ++
 policy/modules/kernel/kernel.te |  2 +-
 policy/modules/kernel/storage.if|  7 ++-
 policy/modules/services/mon.te  | 30 ++
 policy/modules/services/smartmon.te |  2 +-
 policy/modules/system/fstools.te| 17 +
 policy/modules/system/init.te   |  2 +-
 policy/modules/system/lvm.te|  2 +-
 policy/modules/system/raid.te   |  2 +-
 9 files changed, 72 insertions(+), 10 deletions(-)

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index a1113ff7c..591aa64d6 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -434,6 +434,24 @@ interface(`files_tmpfs_file',`
typeattribute $1 tmpfsfile;
 ')
 
+
+## 
+## dontaudit getattr on tmpfs files
+## 
+## 
+## 
+## Domain to not have stat on tmpfs files audited
+## 
+## 
+#
+interface(`files_dontaudit_getattr_all_tmpfs_files',`
+   gen_require(`
+   attribute tmpfsfile;
+   ')
+
+   dontaudit $1 tmpfsfile:file getattr;
+')
+
 
 ## 
 ## Get the attributes of all directories.

diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 666d0e7e9..8156ac087 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -390,7 +390,7 @@ ifdef(`init_systemd',`
')
 
optional_policy(`
-   storage_dev_filetrans_fixed_disk(kernel_t)
+   storage_dev_filetrans_fixed_disk(kernel_t, blk_file)
storage_setattr_fixed_disk_dev(kernel_t)
storage_create_fixed_disk_dev(kernel_t)
storage_delete_fixed_disk_dev(kernel_t)

diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
index 9c581a910..777caea69 100644
--- a/policy/modules/kernel/storage.if
+++ b/policy/modules/kernel/storage.if
@@ -296,6 +296,11 @@ interface(`storage_manage_fixed_disk',`
 ## Domain allowed access.
 ## 
 ## 
+## 
+## 
+## The class of the object to be created.
+## 
+## 
 ## 
 ## 
 ## Optional filename of the block device to be created
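Review bot: With the object class now a parameter, the third parameter's text still says `Optional filename of the block device to be created`; since the description adds a chr_file caller for the control device, it should read `Optional filename of the device node to be created`. The new parameter's text `The class of the object to be created.` would also help callers if it named the expected values, e.g. `The class of the object to be created (blk_file or chr_file).`. The interface body for this change is in the next hunk of this file.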
@@ -307,7 +312,7 @@ interface(`storage_dev_filetrans_fixed_disk',`
type fixed_disk_device_t;
')
 
-   dev_filetrans($1, fixed_disk_device_t, blk_file, $2)
+   dev_filetrans($1, fixed_disk_device_t, $2, $3)
 ')
 
 

diff --git a/policy/modules/services/mon.te b/policy/modules/services/mon.te
index b9a349871..bbf0496b3 100644
--- a/policy/modules/services/mon.te
+++ b/policy/modules/services/mon.te
@@ -42,8 +42,7 @@ files_tmp_file(mon_tmp_t)
 
 allow mon_t self:fifo_file rw_fifo_file_perms;
 allow mon_t self:tcp_socket create_stream_socket_perms;
-# for mailxmpp.alert to set ulimit
-allow mon_t self:process setrlimit;
+allow mon_t self:process { setrlimit getsched signal };
 
 domtrans_pattern(mon_t, mon_local_test_exec_t, mon_local_test_t)
 
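Review bot: The rewrite to `allow mon_t self:process { setrlimit getsched signal };` drops the comment `# for mailxmpp.alert to set ulimit` that explained why setrlimit was there, and adds getsched and signal without saying what needs them. Keep the existing explanation and extend it, e.g. `# setrlimit for mailxmpp.alert to set ulimit; getsched/signal for <reason — TODO>`, so the next reader does not have to trace the mon alert scripts to find out.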
@@ -104,6 +103,11 @@ optional_policy(`
mta_send_mail(mon_t)
 ')
 
+optional_policy(`
+   # for config of xmpp sending program
+   xdg_read_config_files(mon_t)
+')
+
 
 #
 # Local policy
@@ -151,6 +155,10 @@ optional_policy(`
mysql_stream_connect(mon_net_test_t)
 ')
 
+optional_policy(`
+   snmp_read_snmp_var_lib_files(mon_net_test_t)
+')
+
 
 #
 # Local policy
@@ -161,9 +169,10 @@ optional_policy(`
 #
 
 # sys_ptrace is for 

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/services/

2023-10-06 Thread Kenton Groombridge
commit: 345902025b3c03467a48c8b1474cbd3b3bc085cf
Author: Russell Coker  coker  com  au>
AuthorDate: Thu Sep 21 14:22:36 2023 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Fri Oct  6 15:27:06 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=34590202

policy for the Reliability Availability servicability daemon (#690)

* policy for the Reliability Availability Serviceability daemon

Signed-off-by: Russell Coker  coker.com.au>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/kernel/filesystem.if  | 37 
 policy/modules/services/rasdaemon.fc |  3 +++
 policy/modules/services/rasdaemon.if | 10 +
 policy/modules/services/rasdaemon.te | 41 
 4 files changed, 91 insertions(+)

diff --git a/policy/modules/kernel/filesystem.if 
b/policy/modules/kernel/filesystem.if
index 5cdbc5644..5213df5ba 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -6154,6 +6154,43 @@ interface(`fs_getattr_tracefs_files',`
 allow $1 tracefs_t:file getattr;
 ')
 
+
+## 
+## Read/write trace filesystem files
+## 
+## 
+##  
+##  Domain allowed access.
+##  
+## 
+#
+interface(`fs_rw_tracefs_files',`
+   gen_require(`
+   type tracefs_t;
+   ')
+
+   allow $1 tracefs_t:dir list_dir_perms;
+   allow $1 tracefs_t:file rw_file_perms;
+')
+
+
+## 
+## create trace filesystem directories
+## 
+## 
+##  
+##  Domain allowed access.
+##  
+## 
+#
+interface(`fs_create_tracefs_dirs',`
+   gen_require(`
+   type tracefs_t;
+   ')
+
+   allow $1 tracefs_t:dir { create rw_dir_perms };
+')
+
 
 ## 
 ## Mount a XENFS filesystem.
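Review bot: `fs_rw_tracefs_files` grants `list_dir_perms` on tracefs_t directories as well as `rw_file_perms` on files, but its summary only says `Read/write trace filesystem files`; either mention the directory listing in the summary or leave the dir rule to the caller. `fs_create_tracefs_dirs` grants `{ create rw_dir_perms }`, which is write access to existing directories in addition to creation; if only creation is needed, `create_dirs_pattern($1, tracefs_t, tracefs_t)` is the conventional narrower form used elsewhere in this series. The parameter doc lines in both new blocks also carry an extra space after `##` compared with the neighbouring interfaces.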

diff --git a/policy/modules/services/rasdaemon.fc 
b/policy/modules/services/rasdaemon.fc
new file mode 100644
index 0..9a83feb4f
--- /dev/null
+++ b/policy/modules/services/rasdaemon.fc
@@ -0,0 +1,3 @@
+/usr/sbin/rasdaemon--  
gen_context(system_u:object_r:rasdaemon_exec_t,s0)
+/var/lib/rasdaemon(/.*)?   
gen_context(system_u:object_r:rasdaemon_var_t,s0)
+

diff --git a/policy/modules/services/rasdaemon.if 
b/policy/modules/services/rasdaemon.if
new file mode 100644
index 0..9509b0261
--- /dev/null
+++ b/policy/modules/services/rasdaemon.if
@@ -0,0 +1,10 @@
+## RAS (Reliability, Availability and Serviceability) logging 
tool
+##
+## 
+## rasdaemon is a RAS (Reliability, Availability and Serviceability) logging
+## tool.  It currently records memory errors, using the EDAC tracing events.
+## EDAC are drivers in the Linux kernel that handle detection of ECC errors
+## from memory controllers for most chipsets on x86 and ARM architectures.
+##
+## https://git.infradead.org/users/mchehab/rasdaemon.git
+## 

diff --git a/policy/modules/services/rasdaemon.te 
b/policy/modules/services/rasdaemon.te
new file mode 100644
index 0..9a65d5d74
--- /dev/null
+++ b/policy/modules/services/rasdaemon.te
@@ -0,0 +1,41 @@
+policy_module(rasdaemon)
+
+
+#
+# Declarations
+#
+
+type rasdaemon_t;
+type rasdaemon_exec_t;
+init_daemon_domain(rasdaemon_t, rasdaemon_exec_t)
+
+type rasdaemon_var_t;
+files_type(rasdaemon_var_t)
+
+
+#
+# Local policy
+#
+
+allow rasdaemon_t self:process getsched;
+allow rasdaemon_t self:capability sys_rawio;
+
+allow rasdaemon_t rasdaemon_var_t:dir manage_dir_perms;
+allow rasdaemon_t rasdaemon_var_t:file manage_file_perms;
+
+kernel_read_debugfs(rasdaemon_t)
+kernel_read_system_state(rasdaemon_t)
+kernel_read_vm_overcommit_sysctl(rasdaemon_t)
+kernel_search_fs_sysctls(rasdaemon_t)
+
+dev_read_sysfs(rasdaemon_t)
+dev_read_urand(rasdaemon_t)
+dev_rw_cpu_microcode(rasdaemon_t)
+
+files_search_var_lib(rasdaemon_t)
+fs_create_tracefs_dirs(rasdaemon_t)
+fs_rw_tracefs_files(rasdaemon_t)
+
+logging_send_syslog_msg(rasdaemon_t)
+miscfiles_read_localization(rasdaemon_t)
+
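Review bot: `allow rasdaemon_t self:capability sys_rawio;` together with `dev_rw_cpu_microcode(rasdaemon_t)` gives a logging daemon raw-I/O capability plus write access to the CPU device nodes, which is a large grant for a process whose job is to record errors, and neither line has a comment naming the rasdaemon operation that needs it. If the daemon only reads CPU registers for decoding (presumably what the raw-I/O capability is for), a read-only device interface, if one exists, would be narrower — confirm against the denials that led to these rules. A comment such as `# sys_rawio + cpu device access: rasdaemon reads <what — TODO> for error decoding` would document the decision. The file also ends with an empty `+` line; the other .te files on this page end at their last rule.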



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/

2023-03-31 Thread Kenton Groombridge
commit: af8127d982e94211a2a717c9fb3249ef7456ee7a
Author: Kenton Groombridge  concord  sh>
AuthorDate: Tue Mar  7 00:19:51 2023 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Fri Mar 31 17:11:32 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=af8127d9

fs, init: allow systemd-init to set the attributes of efivarfs files

avc:  denied  { setattr } for  pid=1 comm="systemd" 
name="LoaderSystemToken-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f" dev="efivarfs" 
ino=1049 scontext=system_u:system_r:init_t:s0 
tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=0

Signed-off-by: Kenton Groombridge  concord.sh>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/kernel/filesystem.if | 20 
 policy/modules/system/init.te   |  1 +
 2 files changed, 21 insertions(+)

diff --git a/policy/modules/kernel/filesystem.if 
b/policy/modules/kernel/filesystem.if
index a1282cf40..528eeafc0 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -2439,6 +2439,26 @@ interface(`fs_read_efivarfs_files',`
read_files_pattern($1, efivarfs_t, efivarfs_t)
 ')
 
+###
+## 
+##  Set the attributes of files in efivarfs
+##  - contains Linux Kernel configuration options for UEFI systems
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+## 
+#
+interface(`fs_setattr_efivarfs_files',`
+   gen_require(`
+   type efivarfs_t;
+   ')
+
+   setattr_files_pattern($1, efivarfs_t, efivarfs_t)
+')
+
 
 ## 
 ## Create, read, write, and delete files
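Review bot: The summary of `fs_setattr_efivarfs_files` says efivarfs `contains Linux Kernel configuration options for UEFI systems`, which misdescribes the filesystem: efivarfs exposes UEFI firmware variables as files, and the denial in the description is for one such variable, not a kernel option. Suggest `## Set the attributes of files in efivarfs (UEFI firmware variables exposed by the kernel).`. By my understanding, setattr on these files is what toggles the immutable flag that guards variables against deletion, so this interface is worth a sentence in its description telling callers to use it sparingly.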

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 87d62741e..fca349587 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -464,6 +464,7 @@ ifdef(`init_systemd',`
fs_relabel_tmpfs_chr_files(init_t)
fs_relabel_tmpfs_fifo_files(init_t)
fs_read_efivarfs_files(init_t)
+   fs_setattr_efivarfs_files(init_t)
# for privatetmp functions
fs_relabel_tmpfs_dirs(init_t)
fs_relabel_tmpfs_files(init_t)



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/

2023-03-31 Thread Kenton Groombridge
commit: 71328f3f02d4765b904f1a2a6c9fe140cb116182
Author: Kenton Groombridge  concord  sh>
AuthorDate: Mon Mar  6 18:37:02 2023 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Fri Mar 31 17:11:32 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=71328f3f

files, systemd: allow systemd-tmpfiles to relabel config file symlinks

Signed-off-by: Kenton Groombridge  concord.sh>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/kernel/files.if   | 19 +++
 policy/modules/system/systemd.te |  3 ++-
 2 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index a895f3734..6fe764a7a 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1713,6 +1713,25 @@ interface(`files_dontaudit_relabel_config_files',`
dontaudit $1 configfile:file relabel_file_perms;
 ')
 
+###
+## 
+## Relabel configuration symlinks.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+##
+#
+interface(`files_relabel_config_symlinks',`
+   gen_require(`
+   attribute configfile;
+   ')
+
+   relabel_lnk_files_pattern($1, configfile, configfile)
+')
+
 
 ## 
 ## Mount a filesystem on all mount points.

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 778052cde..59a3fcfc5 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1704,8 +1704,9 @@ files_manage_all_locks(systemd_tmpfiles_t)
 files_purge_tmp(systemd_tmpfiles_t)
 files_read_etc_files(systemd_tmpfiles_t)
 files_read_etc_runtime_files(systemd_tmpfiles_t)
-files_relabel_config_files(systemd_tmpfiles_t)
 files_relabel_config_dirs(systemd_tmpfiles_t)
+files_relabel_config_files(systemd_tmpfiles_t)
+files_relabel_config_symlinks(systemd_tmpfiles_t)
 files_relabel_all_locks(systemd_tmpfiles_t)
 files_relabel_all_runtime_dirs(systemd_tmpfiles_t)
 files_relabel_all_tmp_dirs(systemd_tmpfiles_t)



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/

2023-03-31 Thread Kenton Groombridge
commit: 70226d790395660a9e086b8c0eeec28acf2c7e3b
Author: Kenton Groombridge  concord  sh>
AuthorDate: Mon Mar  6 18:18:41 2023 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Fri Mar 31 17:11:32 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=70226d79

fs, udev: allow systemd-udevd various cgroup perms

Needed for systemd-udevd to create files under
/sys/fs/cgroup/system.slice/systemd-udevd.service/udev

Signed-off-by: Kenton Groombridge  concord.sh>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/kernel/filesystem.if | 40 -
 policy/modules/system/udev.te   |  6 +-
 2 files changed, 44 insertions(+), 2 deletions(-)

diff --git a/policy/modules/kernel/filesystem.if 
b/policy/modules/kernel/filesystem.if
index af2023e62..a1282cf40 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -798,7 +798,6 @@ interface(`fs_getattr_cgroup',`
 interface(`fs_search_cgroup_dirs',`
gen_require(`
type cgroup_t;
-
')
 
search_dirs_pattern($1, cgroup_t, cgroup_t)
@@ -843,6 +842,25 @@ interface(`fs_ioctl_cgroup_dirs', `
dev_search_sysfs($1)
 ')
 
+
+## 
+## Create cgroup directories.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`fs_create_cgroup_dirs',`
+   gen_require(`
+   type cgroup_t;
+   ')
+
+   create_dirs_pattern($1, cgroup_t, cgroup_t)
+   dev_search_sysfs($1)
+')
+
 
 ## 
 ## Delete cgroup directories.
@@ -941,6 +959,26 @@ interface(`fs_read_cgroup_files',`
dev_search_sysfs($1)
 ')
 
+
+## 
+## Create cgroup files.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`fs_create_cgroup_files',`
+   gen_require(`
+   type cgroup_t;
+
+   ')
+
+   create_files_pattern($1, cgroup_t, cgroup_t)
+   dev_search_sysfs($1)
+')
+
 
 ## 
 ## Watch cgroup files.
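Review bot: The `gen_require` block of `fs_create_cgroup_files` has a stray blank line after `type cgroup_t;`, which is exactly the whitespace the first hunk of this file removes from `fs_search_cgroup_dirs`; drop it here too so the cleanup does not reintroduce itself. Otherwise the two new interfaces mirror the existing read/delete ones (pattern rule plus `dev_search_sysfs($1)`), which is the right shape.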

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 56cfa2fb8..2fae88354 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -261,7 +261,11 @@ ifdef(`distro_redhat',`
 ifdef(`init_systemd',`
files_search_kernel_modules(udev_t)
 
-   fs_read_cgroup_files(udev_t)
+   # systemd-udev creates cgroup files under
+   # /sys/fs/cgroup/system.slice/systemd-udevd.service/udev
+   fs_create_cgroup_dirs(udev_t)
+   fs_create_cgroup_files(udev_t)
+   fs_rw_cgroup_files(udev_t)
 
init_dgram_send(udev_t)
init_get_generic_units_status(udev_t)



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/

2023-02-13 Thread Kenton Groombridge
commit: fb931664be3edc23bc7641f910342590f4335e21
Author: Corentin LABBE  gmail  com>
AuthorDate: Tue Jan  3 08:22:11 2023 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Mon Feb 13 15:19:30 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=fb931664

mcelog: add missing file context for triggers

I got the following AVC:
allow mcelog_t mcelog_etc_t:file execute;

This is due to some triggers not being set as bin_t
-rwxr-xr-x. 1 root root system_u:object_r:bin_t 801 nov.   1 19:11 
bus-error-trigger
-rwxr-xr-x. 1 root root system_u:object_r:bin_t1035 nov.   1 19:11 
cache-error-trigger
-rwxr-xr-x. 1 root root system_u:object_r:bin_t1213 nov.   1 19:11 
dimm-error-trigger
-rwxr-xr-x. 1 root root system_u:object_r:bin_t 742 nov.   1 19:11 
iomca-error-trigger
-rw-r-. 1 root root system_u:object_r:mcelog_etc_t 7415 nov.   1 19:11 
mcelog.conf
-rwxr-xr-x. 1 root root system_u:object_r:mcelog_etc_t 1209 nov.   1 19:11 
page-error-counter-replacement-trigger
-rwxr-xr-x. 1 root root system_u:object_r:mcelog_etc_t 1656 nov.   1 19:11 
page-error-post-sync-soft-trigger
-rwxr-xr-x. 1 root root system_u:object_r:mcelog_etc_t 1640 nov.   1 19:11 
page-error-pre-sync-soft-trigger
-rwxr-xr-x. 1 root root system_u:object_r:bin_t1308 nov.   1 19:11 
page-error-trigger
-rwxr-xr-x. 1 root root system_u:object_r:bin_t1057 nov.   1 19:11 
socket-memory-error-trigger
-rwxr-xr-x. 1 root root system_u:object_r:bin_t 947 nov.   1 19:11 
unknown-error-trigger

Signed-off-by: Corentin LABBE  gmail.com>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/kernel/corecommands.fc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/kernel/corecommands.fc 
b/policy/modules/kernel/corecommands.fc
index 550f87047..1c3ce84e0 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -54,7 +54,7 @@ ifdef(`distro_redhat',`
 
 /etc/mail/make --  gen_context(system_u:object_r:bin_t,s0)
 
-/etc/mcelog/.*-error-trigger   --  gen_context(system_u:object_r:bin_t,s0)
+/etc/mcelog/.*-trigger --  gen_context(system_u:object_r:bin_t,s0)
 /etc/mcelog/.*\.local  --  gen_context(system_u:object_r:bin_t,s0)
 
 ifdef(`distro_redhat',`



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/

2023-02-13 Thread Kenton Groombridge
commit: d576e9fc8214276f76f7f2a64aa277ce31798276
Author: Corentin LABBE  gmail  com>
AuthorDate: Mon Dec 26 18:47:43 2022 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Mon Feb 13 15:19:49 2023 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d576e9fc

munin: add file context for common functions file

Some Munin plugins need to read the plugin.sh file providing common functions.

Signed-off-by: Corentin LABBE  gmail.com>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/kernel/files.fc | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
index 0c2de4bba..b22d97997 100644
--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
@@ -214,6 +214,8 @@ ifdef(`distro_gentoo',`
 /usr/share/maven-bin-[^/]*/bin/m2\.conf--  
gen_context(system_u:object_r:usr_t,s0)
 ')
 
+/usr/share/munin/plugins/plugin\.sh--  
gen_context(system_u:object_r:usr_t,s0)
+
 /usr/tmp   -d  
gen_context(system_u:object_r:tmp_t,s0-mls_systemhigh)
 /usr/tmp/.*<>
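Review bot: Since /usr/share is usr_t by default, an explicit `usr_t` entry for `/usr/share/munin/plugins/plugin\.sh` only matters if a more specific pattern labels the plugins directory as something else (presumably an executable type for the plugins themselves); the reason is in the commit message but not in the file. A comment above the entry would save future readers the lookup, e.g. `# common function library sourced by munin plugins, not an executable`.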
 



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/

2022-11-02 Thread Kenton Groombridge
commit: 1ebe9e63c80eeabc60fbbbf21343db4d496f6186
Author: Kenton Groombridge  concord  sh>
AuthorDate: Sat Sep 24 04:24:11 2022 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Wed Nov  2 14:07:11 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1ebe9e63

corenet: add portcon for glusterfs

Signed-off-by: Kenton Groombridge  concord.sh>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/kernel/corenetwork.te.in | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/kernel/corenetwork.te.in 
b/policy/modules/kernel/corenetwork.te.in
index 077aacf0e..749d9bace 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -149,6 +149,7 @@ network_port(gdomap, tcp,538,s0, udp,538,s0)
 network_port(gds_db, tcp,3050,s0, udp,3050,s0)
 network_port(git, tcp,9418,s0, udp,9418,s0)
 network_port(glance_registry, tcp,9191,s0, udp,9191,s0)
+network_port(glusterd, tcp,24007,s0, tcp,24009,s0)
 network_port(gopher, tcp,70,s0, udp,70,s0)
 network_port(gpsd, tcp,2947,s0)
 network_port(hadoop_datanode, tcp,50010,s0)
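Review bot: `network_port(glusterd, tcp,24007,s0, tcp,24009,s0)` reserves a single brick port, while GlusterFS presumably allocates brick ports from a range (historically starting at 24009, and from 49152 on newer releases), so bricks beyond the first would fall into the unreserved port type and be denied to a glusterd-confined domain. It is worth confirming the port set against the GlusterFS version this policy targets and, if a range is intended, declaring it as a range rather than as a second single port. A trailing comment naming each port's purpose, e.g. `# 24007 management, 24009 first brick`, would make the intent auditable later.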



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/

2022-11-02 Thread Kenton Groombridge
commit: ba34639d0cd5e156d5a9a21f853703a09a68b1d2
Author: Kenton Groombridge  concord  sh>
AuthorDate: Sat Sep 24 04:00:28 2022 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Wed Nov  2 14:07:05 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ba34639d

devices: add interface to rw infiniband devices

Signed-off-by: Kenton Groombridge  concord.sh>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/kernel/devices.if | 18 ++
 1 file changed, 18 insertions(+)

diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index ba652e81e..5ef1833c6 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -2404,6 +2404,24 @@ interface(`dev_rw_hyperv_vss',`
rw_chr_files_pattern($1, device_t, hyperv_vss_device_t)
 ')
 
+
+## 
+## Allow read/write access to InfiniBand devices.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`dev_rw_infiniband',`
+   gen_require(`
+   type device_t, infiniband_device_t;
+   ')
+
+   rw_chr_files_pattern($1, device_t, infiniband_device_t)
+')
+
 
 ## 
 ## Read the kernel messages
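Review bot: The summary `Allow read/write access to InfiniBand devices.` does not say which device nodes `infiniband_device_t` covers, and `rw_chr_files_pattern($1, device_t, infiniband_device_t)` grants read/write on all of them at once. If the type includes the user-verbs nodes as well as the management ones, read/write access presumably lets the domain drive RDMA directly from userspace, which is a broader grant than a management-only tool needs, so the description should state that for callers to judge. The body itself mirrors `dev_rw_hyperv_vss` above and is consistent with it.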



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/

2022-11-02 Thread Kenton Groombridge
commit: 2691ab991317ef15b9fbba6394c678aed2e3d758
Author: Chris PeBenito  linux  microsoft  com>
AuthorDate: Tue Sep 20 14:59:19 2022 +
Commit: Kenton Groombridge  gentoo  org>
CommitDate: Wed Nov  2 14:07:00 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2691ab99

Drop audit_access allows.

This permission is only used for auditing purposes. It is a no-op for allows.

Signed-off-by: Chris PeBenito  linux.microsoft.com>
Signed-off-by: Kenton Groombridge  gentoo.org>

 policy/modules/kernel/devices.te|  6 +++---
 policy/modules/kernel/files.te  | 14 +++---
 policy/modules/kernel/filesystem.te | 14 +++---
 policy/modules/kernel/kernel.te | 24 
 policy/modules/kernel/storage.te|  4 ++--
 5 files changed, 31 insertions(+), 31 deletions(-)

diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 49718cc26..5e2c77cbb 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -434,6 +434,6 @@ files_associate_tmp(device_node)
 #
 
 allow devices_unconfined_type self:capability sys_rawio;
-allow devices_unconfined_type device_node:blk_file { manage_blk_file_perms 
relabel_blk_file_perms map execute quotaon mounton audit_access execmod watch };
-allow devices_unconfined_type device_node:chr_file { manage_chr_file_perms 
relabel_chr_file_perms map execute quotaon mounton execmod audit_access watch };
-allow devices_unconfined_type mtrr_device_t:file { manage_file_perms 
relabel_file_perms exec_file_perms quotaon mounton entrypoint execmod 
audit_access watch };
+allow devices_unconfined_type device_node:blk_file { manage_blk_file_perms 
relabel_blk_file_perms map execute quotaon mounton execmod watch };
+allow devices_unconfined_type device_node:chr_file { manage_chr_file_perms 
relabel_chr_file_perms map execute quotaon mounton execmod watch };
+allow devices_unconfined_type mtrr_device_t:file { manage_file_perms 
relabel_file_perms exec_file_perms quotaon mounton entrypoint execmod watch };
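Review bot: These unconfined permission lists in devices.te (here), in files.te (the hunk at @@ -227,13) and in the truncated filesystem.te hunk are hand-enumerated, so nothing now records that `audit_access` was dropped on purpose, and the next person checking them against the full permission set is likely to add it back. A one-line comment above the first rule, `# audit_access is intentionally omitted: it is a no-op in allow rules`, would keep the rationale next to the code. The removal itself is correct, since the commit message notes the permission is only consulted for auditing.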

diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index 2691a8611..e8fe42214 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -227,13 +227,13 @@ fs_associate_tmpfs(tmpfsfile)
 #
 
 # Create/access any file in a labeled filesystem;
-allow files_unconfined_type file_type:file { manage_file_perms 
relabel_file_perms exec_file_perms quotaon mounton audit_access watch };
-allow files_unconfined_type file_type:lnk_file  { manage_lnk_file_perms 
relabel_lnk_file_perms append map execute quotaon mounton open audit_access 
execmod watch };
-allow files_unconfined_type file_type:sock_file { manage_sock_file_perms 
relabel_sock_file_perms map execute quotaon mounton audit_access execmod watch 
};
-allow files_unconfined_type file_type:fifo_file { manage_fifo_file_perms 
relabel_fifo_file_perms map execute quotaon mounton audit_access execmod watch 
};
-allow files_unconfined_type file_type:blk_file { manage_blk_file_perms 
relabel_blk_file_perms map execute quotaon mounton audit_access execmod watch };
-allow files_unconfined_type file_type:chr_file { manage_chr_file_perms 
relabel_chr_file_perms map execute quotaon mounton audit_access watch };
-allow files_unconfined_type file_type:dir { manage_dir_perms relabel_dir_perms 
append map execute quotaon mounton add_name remove_name reparent search rmdir 
audit_access execmod watch };
+allow files_unconfined_type file_type:file { manage_file_perms 
relabel_file_perms exec_file_perms quotaon mounton watch };
+allow files_unconfined_type file_type:lnk_file  { manage_lnk_file_perms 
relabel_lnk_file_perms append map execute quotaon mounton open execmod watch };
+allow files_unconfined_type file_type:sock_file { manage_sock_file_perms 
relabel_sock_file_perms map execute quotaon mounton execmod watch };
+allow files_unconfined_type file_type:fifo_file { manage_fifo_file_perms 
relabel_fifo_file_perms map execute quotaon mounton execmod watch };
+allow files_unconfined_type file_type:blk_file { manage_blk_file_perms 
relabel_blk_file_perms map execute quotaon mounton execmod watch };
+allow files_unconfined_type file_type:chr_file { manage_chr_file_perms 
relabel_chr_file_perms map execute quotaon mounton watch };
+allow files_unconfined_type file_type:dir { manage_dir_perms relabel_dir_perms 
append map execute quotaon mounton add_name remove_name reparent search rmdir 
execmod watch };
 
 # Mount/unmount any filesystem with the context= option.
 allow files_unconfined_type file_type:filesystem { mount remount unmount 
getattr relabelfrom relabelto associate quotamod quotaget watch };

diff --git a/policy/modules/kernel/filesystem.te 
b/policy/modules/kernel/filesystem.te
index 810bdaaa0..b3fd4abf8 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -339,13 +339,13 @@ allow filesystem_unconfined_type 

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/services/, policy/modules/admin/, ...

2022-09-03 Thread Jason Zaman
commit: 8d05a891d62852e95e4dbcb3f16e299be7cd4644
Author: Chris PeBenito  microsoft  com>
AuthorDate: Wed Mar  9 20:50:22 2022 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Sep  3 19:07:49 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8d05a891

Add cloud-init.

This is used by cloud providers to set up VMs during deployment.

https://github.com/canonical/cloud-init

Signed-off-by: Chris PeBenito  microsoft.com>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/admin/cloudinit.fc   |  10 +++
 policy/modules/admin/cloudinit.if   | 108 
 policy/modules/admin/cloudinit.te   | 108 
 policy/modules/admin/usermanage.fc  |   1 +
 policy/modules/kernel/corecommands.fc   |   1 +
 policy/modules/kernel/corenetwork.if.in |  18 ++
 policy/modules/services/ssh.fc  |   2 +-
 policy/modules/services/ssh.if  |  55 
 policy/modules/system/libraries.if  |  44 +
 policy/modules/system/sysnetwork.te |   2 +-
 policy/modules/system/systemd.te|   9 +++
 11 files changed, 356 insertions(+), 2 deletions(-)

diff --git a/policy/modules/admin/cloudinit.fc 
b/policy/modules/admin/cloudinit.fc
new file mode 100644
index ..f5fdc535
--- /dev/null
+++ b/policy/modules/admin/cloudinit.fc
@@ -0,0 +1,10 @@
+/run/cloud-init(/.*)?   
gen_context(system_u:object_r:cloud_init_runtime_t,s0)
+
+/usr/bin/cloud-id   --  gen_context(system_u:object_r:cloud_init_exec_t,s0)
+/usr/bin/cloud-init --  gen_context(system_u:object_r:cloud_init_exec_t,s0)
+/usr/bin/cloud-init-per --  gen_context(system_u:object_r:cloud_init_exec_t,s0)
+
+/var/lib/cloud(/.*)?
gen_context(system_u:object_r:cloud_init_state_t,s0)
+
+/var/log/cloud-init-output\.log -- 
gen_context(system_u:object_r:cloud_init_log_t,s0)
+/var/log/cloud-init\.log --  gen_context(system_u:object_r:cloud_init_log_t,s0)

diff --git a/policy/modules/admin/cloudinit.if 
b/policy/modules/admin/cloudinit.if
new file mode 100644
index ..4469d7b1
--- /dev/null
+++ b/policy/modules/admin/cloudinit.if
@@ -0,0 +1,108 @@
+## Init scripts for cloud VMs
+
+
+## 
+## Create cloud-init runtime directory.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`cloudinit_create_runtime_dirs',`
+   gen_require(`
+   type cloud_init_runtime_t;
+   ')
+
+   files_search_runtime($1)
+   allow $1 cloud_init_runtime_t:dir create_dir_perms;
+')
+
+
+## 
+## Write cloud-init runtime files.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`cloudinit_write_runtime_files',`
+   gen_require(`
+   type cloud_init_runtime_t;
+   ')
+
+   files_search_runtime($1)
+   write_files_pattern($1, cloud_init_runtime_t, cloud_init_runtime_t)
+')
+
+
+## 
+## Create cloud-init runtime files.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`cloudinit_create_runtime_files',`
+   gen_require(`
+   type cloud_init_runtime_t;
+   ')
+
+   files_search_runtime($1)
+   create_files_pattern($1, cloud_init_runtime_t, cloud_init_runtime_t)
+')
+
+###
+## 
+## Create files in /run with the type used for
+## cloud-init runtime files.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+## 
+## 
+## The class of the object to be created.
+## 
+## 
+## 
+## 
+## The name of the object being created.
+## 
+## 
+#
+interface(`cloudinit_filetrans_runtime',`
+   gen_require(`
+   type cloud_init_runtime_t;
+   ')
+
+   files_runtime_filetrans($1, cloud_init_runtime_t, $2, $3)
+')
+
+
+## 
+## Get the attribute of cloud-init state files.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`cloudinit_getattr_state_files',`
+   gen_require(`
+   type cloud_init_state_t;
+   ')
+
+   files_search_var_lib($1)
+   allow $1 cloud_init_state_t:dir list_dir_perms;
+   allow $1 cloud_init_state_t:lnk_file read_lnk_file_perms;
+   allow $1 cloud_init_state_t:file getattr;
+')
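Review bot: `cloudinit_getattr_state_files` grants more than its summary `Get the attribute of cloud-init state files.` says: it also lists `cloud_init_state_t` directories and reads symlinks in them (`allow $1 cloud_init_state_t:dir list_dir_perms;` and the `lnk_file read_lnk_file_perms` rule). The summary should spell that out, e.g. `Get the attributes of cloud-init state files, including listing state directories and reading their symlinks.`, so a caller reviewing the interface knows it reveals directory contents. "attribute" should also be plural to match the other interfaces' wording.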

diff --git a/policy/modules/admin/cloudinit.te 
b/policy/modules/admin/cloudinit.te
new file mode 100644
index ..f531cc5d
--- /dev/null
+++ b/policy/modules/admin/cloudinit.te
@@ -0,0 +1,108 @@
+policy_module(cloudinit)
+
+
+#
+# Declarations
+#
+
+type cloud_init_t;
+type cloud_init_exec_t;
+init_system_domain(cloud_init_t, cloud_init_exec_t)
+
+type cloud_init_log_t;
+logging_log_file(cloud_init_log_t)
+
+type cloud_init_runtime_t;
+files_runtime_file(cloud_init_runtime_t)

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/

2022-09-03 Thread Jason Zaman
commit: 892145a3471364d8e677878406a7884e6557ec2d
Author: Daniel Burgener  linux  microsoft  com>
AuthorDate: Tue Jul 19 21:47:43 2022 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Sep  3 18:41:55 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=892145a3

Drop explicit calls to seutil and kernel module interfaces in broad files 
interfaces

Historically, these calls were needed because the interfaces provided an
attribute used to check various assertions. However, that attribute was
dropped in 2005 with commit 15fefa4.

Keeping these calls prevents these permissions from being removed from a call
to files_manage_all_files() using the $2 argument.

Signed-off-by: Daniel Burgener  linux.microsoft.com>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/kernel/files.if | 8 
 1 file changed, 8 deletions(-)

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 6a082670..fb27ed18 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1239,10 +1239,6 @@ interface(`files_manage_all_files',`
manage_lnk_files_pattern($1, { file_type $2 }, { file_type $2 })
manage_fifo_files_pattern($1, { file_type $2 }, { file_type $2 })
manage_sock_files_pattern($1, { file_type $2 }, { file_type $2 })
-
-   # satisfy the assertions:
-   seutil_create_bin_policy($1)
-   files_manage_kernel_modules($1)
 ')
 
 
@@ -1513,10 +1509,6 @@ interface(`files_manage_non_auth_files',`
manage_lnk_files_pattern($1, non_auth_file_type, non_auth_file_type)
manage_fifo_files_pattern($1, non_auth_file_type, non_auth_file_type)
manage_sock_files_pattern($1, non_auth_file_type, non_auth_file_type)
-
-   # satisfy the assertions:
-   seutil_create_bin_policy($1)
-   files_manage_kernel_modules($1)
 ')
 
 



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/

2022-03-30 Thread Jason Zaman
commit: fc0dd40ee53f5a1d45ee160db2d3d1e6727bff90
Author: Kenton Groombridge  concord  sh>
AuthorDate: Wed Nov 10 17:58:42 2021 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Thu Mar 31 02:40:53 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=fc0dd40e

files, init: allow init to remount filesystems mounted on /boot

The context= mount option can be used to label, for example, a DOS
filesystem mounted on boot to be boot_t instead of dosfs_t. Explicitly
allow init (systemd) to remount boot_t filesystems so that options like
ProtectSystem=full work properly.

Signed-off-by: Kenton Groombridge  concord.sh>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/kernel/files.if | 18 ++
 policy/modules/system/init.te  |  1 +
 2 files changed, 19 insertions(+)

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index ea29fef3..baedb52e 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -2238,6 +2238,24 @@ interface(`files_mounton_root',`
allow $1 root_t:dir mounton;
 ')
 
+
+## 
+## Remount a filesystem mounted on /boot.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`files_remount_boot',`
+   gen_require(`
+   type boot_t;
+   ')
+
+   allow $1 boot_t:filesystem remount;
+')
+
 
 ## 
 ## Get attributes of the /boot directory.
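Review bot: The summary `Remount a filesystem mounted on /boot.` is wider than the rule: `allow $1 boot_t:filesystem remount;` only matches a filesystem whose own label is `boot_t`, which per the commit message is the case when it is mounted with the `context=` option; an xattr-labeled filesystem on /boot presumably carries its filesystem type instead and is not covered. Saying so in the summary, e.g. `Remount a filesystem labeled boot_t, such as one mounted on /boot with the context= option.`, avoids callers expecting it to cover every /boot mount. Since remount also lets the caller change mount flags, the description could note that the caller is trusted to that extent.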

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 3f1c7d20..6e1baef9 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -417,6 +417,7 @@ ifdef(`init_systemd',`
files_mounton_tmp(init_t)
files_manage_urandom_seed(init_t)
files_read_boot_files(initrc_t)
+   files_remount_boot(init_t)
files_relabel_all_lock_dirs(init_t)
files_search_all(init_t)
files_unmount_all_file_type_fs(init_t)



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/services/

2022-02-26 Thread Jason Zaman
commit: 5b564f3b243368edd0e083c78a99b059a10e80ed
Author: Russell Coker  coker  com  au>
AuthorDate: Fri Feb 18 01:21:52 2022 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Feb 27 02:13:17 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5b564f3b

matrixd-synapse policy V3

Here's the latest version of the matrixd-synapse policy including all the
suggestions from a year ago.

Probably ready to merge.
Signed-off-by: Russell Coker  coker.com.au>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/kernel/corenetwork.te.in |   2 +-
 policy/modules/services/matrixd.fc  |   4 +
 policy/modules/services/matrixd.if  |   1 +
 policy/modules/services/matrixd.te  | 126 
 4 files changed, 132 insertions(+), 1 deletion(-)

diff --git a/policy/modules/kernel/corenetwork.te.in 
b/policy/modules/kernel/corenetwork.te.in
index 547328be..077aacf0 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -156,7 +156,7 @@ network_port(hadoop_namenode, tcp,8020,s0)
 network_port(hddtemp, tcp,7634,s0)
 network_port(howl, tcp,5335,s0, udp,5353,s0)
 network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, 
tcp,5,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, 
tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, 
tcp,9290,s0, tcp,9291,s0)
-network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, 
tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
+network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, 
tcp,8009,s0, tcp,8443,s0, tcp,8448,s0) #8443 is mod_nss default port
 network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, 
tcp,10001-10010,s0) # 8118 is for privoxy
 network_port(i18n_input, tcp,9010,s0)
 network_port(imaze, tcp,5323,s0, udp,5323,s0)
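Review bot: Adding `tcp,8448,s0` to the generic `http` port makes the Matrix federation port part of the http port type, so every domain already allowed to bind or connect to http ports gains 8448 as well, not just matrixd; that is a deliberate trade-off but it is invisible on the line. The trailing comment should at least record the new port alongside the existing one, e.g. `#8443 is mod_nss default port, 8448 is Matrix federation`. If a narrower grant is wanted later, a dedicated port type declared for the matrixd module would be the alternative.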

diff --git a/policy/modules/services/matrixd.fc 
b/policy/modules/services/matrixd.fc
new file mode 100644
index ..b59b1c75
--- /dev/null
+++ b/policy/modules/services/matrixd.fc
@@ -0,0 +1,4 @@
+/var/lib/matrix-synapse(/.*)?  
gen_context(system_u:object_r:matrixd_var_t,s0)
+/var/log/matrix-synapse(/.*)?  
gen_context(system_u:object_r:matrixd_log_t,s0)
+/etc/matrix-synapse(/.*)?  
gen_context(system_u:object_r:matrixd_conf_t,s0)
+/usr/bin/synctl--  
gen_context(system_u:object_r:matrixd_exec_t,s0)
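Review bot: The entries are not in path order: `/etc/matrix-synapse(/.*)?` comes after the `/var` lines, while the other .fc hunks on this page (cloudinit.fc, files.fc) list `/etc`, `/run`, `/usr`, `/var` in sorted order. Reordering keeps the file consistent with the rest of the policy and makes duplicates easier to spot.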

diff --git a/policy/modules/services/matrixd.if 
b/policy/modules/services/matrixd.if
new file mode 100644
index ..f1eff5f0
--- /dev/null
+++ b/policy/modules/services/matrixd.if
@@ -0,0 +1 @@
+## Matrixd

diff --git a/policy/modules/services/matrixd.te 
b/policy/modules/services/matrixd.te
new file mode 100644
index ..5c217678
--- /dev/null
+++ b/policy/modules/services/matrixd.te
@@ -0,0 +1,126 @@
+policy_module(matrixd, 1.0.0)
+
+
+#
+# Declarations
+#
+
+## 
+##  
+##  Determine whether Matrixd is allowed to federate
+##  (bind all UDP ports and connect to all TCP ports).
+##  
+## 
+gen_tunable(matrix_allow_federation, true)
+
+## 
+##  
+##  Determine whether Matrixd can connect to the Postgres database.
+##  
+## 
+gen_tunable(matrix_postgresql_connect, false)
+
+
+type matrixd_t;
+type matrixd_exec_t;
+init_daemon_domain(matrixd_t, matrixd_exec_t)
+
+type matrixd_var_t;
+files_type(matrixd_var_t)
+
+type matrixd_log_t;
+logging_log_file(matrixd_log_t)
+
+type matrixd_conf_t;
+files_config_file(matrixd_conf_t)
+
+type matrixd_tmp_t;
+files_tmp_file(matrixd_tmp_t)
+
+
+#
+# Local policy
+#
+
+allow matrixd_t self:fifo_file rw_file_perms;
+allow matrixd_t self:tcp_socket create_stream_socket_perms;
+allow matrixd_t self:netlink_route_socket r_netlink_socket_perms;
+
+allow matrixd_t self:udp_socket create_socket_perms;
+allow matrixd_t self:unix_dgram_socket create_socket_perms;
+# execmem is needed for Python callbacks
+# https://cffi.readthedocs.io/en/latest/using.html#callbacks
+allow matrixd_t self:process execmem;
+
+allow matrixd_t matrixd_tmp_t:file { manage_file_perms map };
+files_tmp_filetrans(matrixd_t, matrixd_tmp_t, file)
+fs_tmpfs_filetrans(matrixd_t, matrixd_tmp_t, file)
+
+manage_files_pattern(matrixd_t, matrixd_var_t, matrixd_var_t)
+files_search_var_lib(matrixd_t)
+allow matrixd_t matrixd_var_t:file map;
+allow matrixd_t matrixd_var_t:dir manage_dir_perms;
+
+logging_search_logs(matrixd_t)
+manage_files_pattern(matrixd_t, matrixd_log_t, matrixd_log_t)
+
+read_files_pattern(matrixd_t, matrixd_conf_t, matrixd_conf_t)
+allow matrixd_t matrixd_conf_t:dir list_dir_perms;
+
+kernel_read_system_state(matrixd_t)
+kernel_read_vm_overcommit_sysctl(matrixd_t)
+
+# The following in the systemd service file causes a domain transition when
+# running python3:
+# SELinuxContext=system_u:system_r:matrixd_t:s0
+corecmd_bin_entry_type(matrixd_t)

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/

2022-02-06 Thread Jason Zaman
commit: 5ee13c254c0451f054558a0f22da48377311c551
Author: Chris PeBenito  linux  microsoft  com>
AuthorDate: Tue Feb  1 14:27:06 2022 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Mon Feb  7 02:09:50 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5ee13c25

domain: Allow lockdown for all domains.

The checks for this class were removed in 5.16.  This object
class will be removed in the future.

For more info:
https://lore.kernel.org/selinux/163243191040.178880.4295195865966623164.stgit@olly

Signed-off-by: Chris PeBenito  linux.microsoft.com>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/kernel/domain.te | 5 +
 1 file changed, 5 insertions(+)

diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
index 00cea380..2eff1d34 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -103,6 +103,11 @@ kernel_dontaudit_link_key(domain)
 # create child processes in the domain
 allow domain self:process { fork sigchld };
 
+# lockdown checks were removed in 5.16.  The class will be removed
+# from the policy in the future. For reference:
+# 
https://lore.kernel.org/selinux/163243191040.178880.4295195865966623164.stgit@olly
+allow domain self:lockdown { integrity confidentiality };
+
 # glibc get_nprocs requires read access to /sys/devices/system/cpu/online
 dev_read_cpu_online(domain)
 
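Review bot: On kernels older than 5.16 the added `allow domain self:lockdown { integrity confidentiality };` is presumably not a no-op: it lets every domain pass the SELinux lockdown check for both levels, whereas before this change only domains with an explicit rule did. The comment in the hunk only explains why the class is going away; it should also state that consequence, e.g. `# On pre-5.16 kernels this grants both lockdown permissions to every domain.` Whether any kernel this tree still supports is old enough to be affected is for the maintainers to confirm.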



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/

2022-01-29 Thread Jason Zaman
commit: fccd438443de08a9d13f8795297efc63f0e6cd19
Author: Kenton Groombridge  concord  sh>
AuthorDate: Thu Dec  2 18:32:04 2021 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Jan 30 01:12:42 2022 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=fccd4384

kernel: add filetrans interface for unlabeled dirs

Signed-off-by: Kenton Groombridge  concord.sh>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/kernel/kernel.if | 34 ++
 1 file changed, 34 insertions(+)

diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 30aca9ae..4cd35959 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -2911,6 +2911,40 @@ interface(`kernel_dontaudit_read_unlabeled_files',`
dontaudit $1 unlabeled_t:file { getattr read };
 ')
 
+
+## 
+## Create an object in unlabeled directories
+## with a private type.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+## 
+## 
+## The type of the object to be created.
+## 
+## 
+## 
+## 
+## The object class of the object being created.
+## 
+## 
+## 
+## 
+## The name of the object being created.
+## 
+## 
+#
+interface(`kernel_unlabeled_filetrans',`
+   gen_require(`
+   type unlabeled_t;
+   ')
+
+   filetrans_pattern($1, unlabeled_t, $2, $3, $4)
+')
+
 
 ## 
 ## Delete unlabeled symbolic links.
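Review bot: The summary `Create an object in unlabeled directories with a private type.` understates what `filetrans_pattern($1, unlabeled_t, $2, $3, $4)` grants: besides the type transition it allows the caller to add entries to `unlabeled_t` directories, which are exactly the directories whose provenance the policy cannot vouch for. The summary should say that, e.g. append `This also allows adding entries to unlabeled directories.` The `$4` parameter is documented as `The name of the object being created.`; it is presumably optional, as the name argument of filetrans interfaces usually is, and the parameter documentation should mark it so if that holds.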



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/

2021-11-21 Thread Jason Zaman
commit: 6b169e5b3fea0ec900448db18586475269f21612
Author: Jason Zaman  gentoo  org>
AuthorDate: Sat Nov 20 22:44:53 2021 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Nov 21 22:38:58 2021 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6b169e5b

selinux: Add map perms

Lots of libselinux functions now map /sys/fs/selinux/status so add map
perms to other interfaces as well.

$ passwd user1
passwd: avc.c:73: avc_context_to_sid_raw: Assertion `avc_running'
failed.
Aborted

avc: denied { map } for pid=325 comm="passwd"
path="/sys/fs/selinux/status" dev="selinuxfs" ino=19 scontext=root:
sysadm_r:passwd_t tcontext=system_u:object_r:security_t tclass=file
permissive=1

Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/kernel/selinux.if | 18 +-
 policy/modules/kernel/selinux.te |  8 
 2 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
index 13aa1e05..cb610c44 100644
--- a/policy/modules/kernel/selinux.if
+++ b/policy/modules/kernel/selinux.if
@@ -295,7 +295,7 @@ interface(`selinux_get_enforce_mode',`
 
dev_search_sysfs($1)
allow $1 security_t:dir list_dir_perms;
-   allow $1 security_t:file read_file_perms;
+   allow $1 security_t:file mmap_read_file_perms;
 ')
 
 
@@ -363,7 +363,7 @@ interface(`selinux_read_policy',`
 
dev_search_sysfs($1)
allow $1 security_t:dir list_dir_perms;
-   allow $1 security_t:file read_file_perms;
+   allow $1 security_t:file mmap_read_file_perms;
allow $1 security_t:security read_policy;
 ')
 
@@ -533,7 +533,7 @@ interface(`selinux_validate_context',`
 
dev_search_sysfs($1)
allow $1 security_t:dir list_dir_perms;
-   allow $1 security_t:file rw_file_perms;
+   allow $1 security_t:file mmap_rw_file_perms;
allow $1 security_t:security check_context;
 ')
 
@@ -554,7 +554,7 @@ interface(`selinux_dontaudit_validate_context',`
')
 
dontaudit $1 security_t:dir list_dir_perms;
-   dontaudit $1 security_t:file rw_file_perms;
+   dontaudit $1 security_t:file mmap_rw_file_perms;
dontaudit $1 security_t:security check_context;
 ')
 
@@ -577,7 +577,7 @@ interface(`selinux_compute_access_vector',`
dev_search_sysfs($1)
allow $1 self:netlink_selinux_socket create_socket_perms;
allow $1 security_t:dir list_dir_perms;
-   allow $1 security_t:file rw_file_perms;
+   allow $1 security_t:file mmap_rw_file_perms;
allow $1 security_t:security compute_av;
 ')
 
@@ -599,7 +599,7 @@ interface(`selinux_compute_create_context',`
 
dev_search_sysfs($1)
allow $1 security_t:dir list_dir_perms;
-   allow $1 security_t:file rw_file_perms;
+   allow $1 security_t:file mmap_rw_file_perms;
allow $1 security_t:security compute_create;
 ')
 
@@ -621,7 +621,7 @@ interface(`selinux_compute_member',`
 
dev_search_sysfs($1)
allow $1 security_t:dir list_dir_perms;
-   allow $1 security_t:file rw_file_perms;
+   allow $1 security_t:file mmap_rw_file_perms;
allow $1 security_t:security compute_member;
 ')
 
@@ -651,7 +651,7 @@ interface(`selinux_compute_relabel_context',`
 
dev_search_sysfs($1)
allow $1 security_t:dir list_dir_perms;
-   allow $1 security_t:file rw_file_perms;
+   allow $1 security_t:file mmap_rw_file_perms;
allow $1 security_t:security compute_relabel;
 ')
 
@@ -672,7 +672,7 @@ interface(`selinux_compute_user_contexts',`
 
dev_search_sysfs($1)
allow $1 security_t:dir list_dir_perms;
-   allow $1 security_t:file rw_file_perms;
+   allow $1 security_t:file mmap_rw_file_perms;
allow $1 security_t:security compute_user;
 ')
 

diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te
index 0726fc44..707517e5 100644
--- a/policy/modules/kernel/selinux.te
+++ b/policy/modules/kernel/selinux.te
@@ -53,7 +53,7 @@ genfscon securityfs / 
gen_context(system_u:object_r:security_t,s0)
 neverallow ~{ selinux_unconfined_type can_setenforce } security_t:security 
setenforce;
 
 allow can_setenforce security_t:dir list_dir_perms;
-allow can_setenforce security_t:file rw_file_perms;
+allow can_setenforce security_t:file mmap_rw_file_perms;
 
 dev_search_sysfs(can_setenforce)
 
@@ -71,7 +71,7 @@ if(secure_mode_policyload) {
 neverallow ~{ selinux_unconfined_type can_load_policy } security_t:security 
load_policy;
 
 allow can_load_policy security_t:dir list_dir_perms;
-allow can_load_policy security_t:file rw_file_perms;
+allow can_load_policy security_t:file mmap_rw_file_perms;
 
 dev_search_sysfs(can_load_policy)
 
@@ -89,7 +89,7 @@ if(secure_mode_policyload) {
 neverallow ~{ selinux_unconfined_type can_setsecparam } security_t:security 
setsecparam;
 
 allow can_setsecparam security_t:dir list_dir_perms;
-allow 

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/

2021-11-21 Thread Jason Zaman
commit: 0d8e0e0ca09e015b84f3bcfd371d0f3ba3818eec
Author: Jonathan Davies  protonmail  com>
AuthorDate: Sun Nov 21 09:39:33 2021 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Nov 21 19:21:13 2021 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0d8e0e0c

corecommands.if: Added corecmd_manage_bin_symlinks().

Signed-off-by: Jonathan Davies  protonmail.com>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/kernel/corecommands.if | 19 +++
 1 file changed, 19 insertions(+)

diff --git a/policy/modules/kernel/corecommands.if 
b/policy/modules/kernel/corecommands.if
index b20809ef..e5633704 100644
--- a/policy/modules/kernel/corecommands.if
+++ b/policy/modules/kernel/corecommands.if
@@ -333,6 +333,25 @@ interface(`corecmd_manage_bin_files',`
manage_files_pattern($1, bin_t, bin_t)
 ')
 
+
+## 
+## Manage symlinks for bin files.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`corecmd_manage_bin_symlinks',`
+   gen_require(`
+   type bin_t;
+   ')
+
+   corecmd_search_bin($1)
+   manage_lnk_files_pattern($1, bin_t, bin_t)
+')
+
 
 ## 
 ## Relabel to and from the bin type.
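Review bot: The summary `Manage symlinks for bin files.` does not convey that `manage_lnk_files_pattern($1, bin_t, bin_t)` lets the domain create and delete symlinks inside `bin_t` directories, i.e. introduce new names on the executable search path that can point anywhere. A description along the lines of `Create, read, write, and delete symbolic links in bin directories. This lets the domain add new executable names in those directories.` makes that visible to anyone granting it. Callers that only need to follow existing links are better served by a read-only interface.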



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/services/, policy/modules/system/, ...

2021-11-20 Thread Jason Zaman
commit: b2361fcf03d445e6710bd4ab3ba3b171fdb4ef7b
Author: Chris PeBenito  ieee  org>
AuthorDate: Mon Nov 15 20:34:27 2021 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Nov 20 22:58:24 2021 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b2361fcf

various: Module version bump.

Signed-off-by: Chris PeBenito  ieee.org>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/admin/rpm.te | 2 +-
 policy/modules/admin/tmpreaper.te   | 2 +-
 policy/modules/kernel/corenetwork.te.in | 2 +-
 policy/modules/kernel/mcs.te| 2 +-
 policy/modules/services/policykit.te| 2 +-
 policy/modules/services/postfix.te  | 2 +-
 policy/modules/services/watchdog.te | 2 +-
 policy/modules/system/init.te   | 2 +-
 policy/modules/system/systemd.te| 2 +-
 policy/modules/system/udev.te   | 2 +-
 policy/modules/system/unconfined.te | 2 +-
 11 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
index 6823e6e3..6545e471 100644
--- a/policy/modules/admin/rpm.te
+++ b/policy/modules/admin/rpm.te
@@ -1,4 +1,4 @@
-policy_module(rpm, 1.26.0)
+policy_module(rpm, 1.26.1)
 
 
 #

diff --git a/policy/modules/admin/tmpreaper.te 
b/policy/modules/admin/tmpreaper.te
index 1acefd7f..1a2a3036 100644
--- a/policy/modules/admin/tmpreaper.te
+++ b/policy/modules/admin/tmpreaper.te
@@ -1,4 +1,4 @@
-policy_module(tmpreaper, 1.9.0)
+policy_module(tmpreaper, 1.9.1)
 
 
 #

diff --git a/policy/modules/kernel/corenetwork.te.in 
b/policy/modules/kernel/corenetwork.te.in
index 9deaa2ed..c1bd804a 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -1,4 +1,4 @@
-policy_module(corenetwork, 1.29.0)
+policy_module(corenetwork, 1.29.1)
 
 
 #

diff --git a/policy/modules/kernel/mcs.te b/policy/modules/kernel/mcs.te
index 2da98c25..3bb823f4 100644
--- a/policy/modules/kernel/mcs.te
+++ b/policy/modules/kernel/mcs.te
@@ -1,4 +1,4 @@
-policy_module(mcs, 1.3.0)
+policy_module(mcs, 1.3.1)
 
 
 #

diff --git a/policy/modules/services/policykit.te 
b/policy/modules/services/policykit.te
index f03614d0..2119b8de 100644
--- a/policy/modules/services/policykit.te
+++ b/policy/modules/services/policykit.te
@@ -1,4 +1,4 @@
-policy_module(policykit, 1.12.1)
+policy_module(policykit, 1.12.2)
 
 
 #

diff --git a/policy/modules/services/postfix.te 
b/policy/modules/services/postfix.te
index b6a9bb6b..6d071347 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@@ -1,4 +1,4 @@
-policy_module(postfix, 1.25.1)
+policy_module(postfix, 1.25.2)
 
 
 #

diff --git a/policy/modules/services/watchdog.te 
b/policy/modules/services/watchdog.te
index ab9d9458..5b3c8889 100644
--- a/policy/modules/services/watchdog.te
+++ b/policy/modules/services/watchdog.te
@@ -1,4 +1,4 @@
-policy_module(watchdog, 1.16.0)
+policy_module(watchdog, 1.16.1)
 
 #
 #

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 565b7cb7..3802f575 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 2.11.0)
+policy_module(init, 2.11.1)
 
 gen_require(`
class passwd rootok;

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 118158e4..4233da20 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1,4 +1,4 @@
-policy_module(systemd, 1.12.2)
+policy_module(systemd, 1.12.3)
 
 #
 #

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index a13dff43..cbc8c0dc 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -1,4 +1,4 @@
-policy_module(udev, 1.30.1)
+policy_module(udev, 1.30.2)
 
 
 #

diff --git a/policy/modules/system/unconfined.te 
b/policy/modules/system/unconfined.te
index a23a1037..95d08889 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -1,4 +1,4 @@
-policy_module(unconfined, 3.16.1)
+policy_module(unconfined, 3.16.2)
 
 
 #



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/

2021-11-20 Thread Jason Zaman
commit: d153318cce412ac7ca5bebf1c80a675e33b2065f
Author: Kenton Groombridge  concord  sh>
AuthorDate: Wed Oct 13 17:38:09 2021 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Nov 20 22:58:24 2021 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d153318c

corenet: make netlabel_peer_t mcs constrained

Signed-off-by: Kenton Groombridge  concord.sh>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/kernel/corenetwork.te.in | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/kernel/corenetwork.te.in 
b/policy/modules/kernel/corenetwork.te.in
index 2ab19f55..9deaa2ed 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -53,6 +53,7 @@ network_packet_simple(icmp)
 #
 type netlabel_peer_t;
 sid netmsg gen_context(system_u:object_r:netlabel_peer_t,mls_systemhigh)
+mcs_constrained(netlabel_peer_t)
 
 #
 # port_t is the default type of INET port numbers.
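Review bot: The added `mcs_constrained(netlabel_peer_t)` carries no comment and the commit message gives no rationale, although it changes enforcement: the node recvfrom/sendto and packet/peer recv constraints in policy/mcs apply only to types carrying mcs_constrained_type, so network peers now become subject to MCS dominance checks. A one-line comment above it would record that, e.g. `# subject labeled network peers to the MCS node/packet/peer constraints`. Note that the node constraint referenced `msc_constrained_type` until commit 89cbc037 corrected the spelling; whether this line had any effect on node access before that fix cannot be determined from this page.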



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/services/, policy/, ...

2021-11-20 Thread Jason Zaman
commit: 89cbc037a65cd4e6871a32337bb9f0e1c1f4dc95
Author: Kenton Groombridge  concord  sh>
AuthorDate: Wed Oct 13 17:36:25 2021 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Nov 20 22:58:24 2021 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=89cbc037

various: deprecate mcs override interfaces

Signed-off-by: Kenton Groombridge  concord.sh>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/mcs   |  2 +-
 policy/modules/admin/rpm.te  |  2 --
 policy/modules/admin/tmpreaper.te|  2 --
 policy/modules/kernel/mcs.if | 24 
 policy/modules/services/policykit.te |  2 --
 policy/modules/services/postfix.te   | 10 --
 policy/modules/services/watchdog.te  |  2 --
 policy/modules/system/init.te|  6 --
 policy/modules/system/systemd.te |  1 -
 policy/modules/system/udev.te|  2 --
 policy/modules/system/unconfined.te  |  3 ---
 11 files changed, 5 insertions(+), 51 deletions(-)

diff --git a/policy/mcs b/policy/mcs
index cc922a02..c8c573e9 100644
--- a/policy/mcs
+++ b/policy/mcs
@@ -173,7 +173,7 @@ mlsconstrain { tcp_socket udp_socket rawip_socket } 
node_bind
 # because the subject in this particular case is the remote domain which is
 # writing data out the network node which is acting as the object
 mlsconstrain { node } { recvfrom sendto }
-   (( l1 dom l2 ) or ( t1 != msc_constrained_type ));
+   (( l1 dom l2 ) or ( t1 != mcs_constrained_type ));
 
 mlsconstrain { packet peer } { recv }
(( l1 dom l2 ) or
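Review bot: The correction from `msc_constrained_type` to `mcs_constrained_type` in the node recvfrom/sendto constraint changes which domains that constraint applies to, yet the commit message only mentions deprecating override interfaces. Please state this fix explicitly in the description (or split it into its own commit), since it alters enforced behavior for every type carrying mcs_constrained_type, including netlabel_peer_t from commit d153318c. Whether the constraint was effective at all under the old spelling is not visible here.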

diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
index 860207e5..6823e6e3 100644
--- a/policy/modules/admin/rpm.te
+++ b/policy/modules/admin/rpm.te
@@ -313,8 +313,6 @@ fs_mount_xattr_fs(rpm_script_t)
 fs_unmount_xattr_fs(rpm_script_t)
 fs_search_auto_mountpoints(rpm_script_t)
 
-mcs_killall(rpm_script_t)
-
 mls_file_read_all_levels(rpm_script_t)
 mls_file_write_all_levels(rpm_script_t)
 

diff --git a/policy/modules/admin/tmpreaper.te 
b/policy/modules/admin/tmpreaper.te
index f4ce8dba..1acefd7f 100644
--- a/policy/modules/admin/tmpreaper.te
+++ b/policy/modules/admin/tmpreaper.te
@@ -34,8 +34,6 @@ files_read_var_lib_files(tmpreaper_t)
 files_purge_tmp(tmpreaper_t)
 files_setattr_all_tmp_dirs(tmpreaper_t)
 
-mcs_file_read_all(tmpreaper_t)
-mcs_file_write_all(tmpreaper_t)
 mls_file_read_all_levels(tmpreaper_t)
 mls_file_write_all_levels(tmpreaper_t)
 

diff --git a/policy/modules/kernel/mcs.if b/policy/modules/kernel/mcs.if
index eb4bcfcb..55b5a7fe 100644
--- a/policy/modules/kernel/mcs.if
+++ b/policy/modules/kernel/mcs.if
@@ -44,11 +44,7 @@ interface(`mcs_constrained',`
 ## 
 #
 interface(`mcs_file_read_all',`
-   gen_require(`
-   attribute mcsreadall;
-   ')
-
-   typeattribute $1 mcsreadall;
+   refpolicywarn(`$0() has been deprecated, please remove 
mcs_constrained() instead.')
 ')
 
 
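Review bot: The deprecation message in mcs_file_read_all reads as advice to remove mcs_constrained(), which is the opposite of the intent; the same text is used in mcs_file_write_all, mcs_killall and mcs_ptrace_all. Since the override is no longer needed once the MCS constraints apply only to mcs_constrained_type (see the policy/mcs hunk), the message should tell callers to drop this call, e.g. the string `$0() has been deprecated; MCS constraints now apply only to mcs_constrained() domains, so this call can be removed.`. The interface descriptions above each body still describe the old override behavior and should be marked deprecated as well.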
@@ -64,11 +60,7 @@ interface(`mcs_file_read_all',`
 ## 
 #
 interface(`mcs_file_write_all',`
-   gen_require(`
-   attribute mcswriteall;
-   ')
-
-   typeattribute $1 mcswriteall;
+   refpolicywarn(`$0() has been deprecated, please remove 
mcs_constrained() instead.')
 ')
 
 
@@ -84,11 +76,7 @@ interface(`mcs_file_write_all',`
 ## 
 #
 interface(`mcs_killall',`
-   gen_require(`
-   attribute mcskillall;
-   ')
-
-   typeattribute $1 mcskillall;
+   refpolicywarn(`$0() has been deprecated, please remove 
mcs_constrained() instead.')
 ')
 
 
@@ -104,11 +92,7 @@ interface(`mcs_killall',`
 ## 
 #
 interface(`mcs_ptrace_all',`
-   gen_require(`
-   attribute mcsptraceall;
-   ')
-
-   typeattribute $1 mcsptraceall;
+   refpolicywarn(`$0() has been deprecated, please remove 
mcs_constrained() instead.')
 ')
 
 

diff --git a/policy/modules/services/policykit.te 
b/policy/modules/services/policykit.te
index 7e00d524..f03614d0 100644
--- a/policy/modules/services/policykit.te
+++ b/policy/modules/services/policykit.te
@@ -267,8 +267,6 @@ can_exec(policykit_resolve_t, policykit_resolve_exec_t)
 
 domtrans_pattern(policykit_resolve_t, policykit_auth_exec_t, policykit_auth_t)
 
-mcs_ptrace_all(policykit_resolve_t)
-
 auth_use_nsswitch(policykit_resolve_t)
 
 userdom_read_all_users_state(policykit_resolve_t)

diff --git a/policy/modules/services/postfix.te 
b/policy/modules/services/postfix.te
index 98416368..b6a9bb6b 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@@ -292,8 +292,6 @@ domain_use_interactive_fds(postfix_master_t)
 
 files_search_tmp(postfix_master_t)
 
-mcs_file_read_all(postfix_master_t)
-
 term_dontaudit_search_ptys(postfix_master_t)
 
 hostname_exec(postfix_master_t)
@@ -568,9 +566,6 @@ allow postfix_pickup_t 

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/

2021-11-11 Thread Jason Zaman
commit: 419815b880c47346496b204e90499ace61984606
Author: Kenton Groombridge  concord  sh>
AuthorDate: Mon Nov  1 17:01:43 2021 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Thu Nov 11 21:26:50 2021 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=419815b8

devices: make usbfs pseudofs instead of noxattrfs

Signed-off-by: Kenton Groombridge  concord.sh>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/kernel/devices.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 56783d53..5a06ea82 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -306,7 +306,7 @@ dev_node(urandom_device_t)
 #
 type usbfs_t;
 files_mountpoint(usbfs_t)
-fs_noxattr_type(usbfs_t)
+fs_pseudo_type(usbfs_t)
 genfscon usbfs / gen_context(system_u:object_r:usbfs_t,s0)
 genfscon usbdevfs / gen_context(system_u:object_r:usbfs_t,s0)
 
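Review bot: Switching usbfs_t from fs_noxattr_type to fs_pseudo_type drops the noxattrfs attribute (fs_noxattr_type sets it, as the filesystem.if context in commit c428d969 shows), so any domain whose usbfs access came through noxattrfs-based interfaces loses it, and the commit message does not say whether pseudofs-based interfaces cover those callers; the efivarfs_t change in commit c428d969 has the same effect. A short comment above the type would record the intent, e.g. `# usbfs is a kernel pseudo filesystem: pseudofs rather than noxattrfs, so the generic noxattr access interfaces no longer apply`. Please also mention the attribute change in the commit message.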



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/

2021-11-11 Thread Jason Zaman
commit: c428d96914b347500d42a2e959950845d52512e6
Author: Kenton Groombridge  concord  sh>
AuthorDate: Mon Nov  1 17:01:20 2021 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Thu Nov 11 21:26:50 2021 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c428d969

fs: add pseudofs attribute and interfaces

Signed-off-by: Kenton Groombridge  concord.sh>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/kernel/filesystem.if | 21 +
 policy/modules/kernel/filesystem.te |  3 ++-
 2 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/policy/modules/kernel/filesystem.if 
b/policy/modules/kernel/filesystem.if
index 22759baa..1c7beefd 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -43,6 +43,27 @@ interface(`fs_noxattr_type',`
typeattribute $1 noxattrfs;
 ')
 
+
+## 
+## Transform specified type into a filesystem
+## type which is a pseudo filesystem.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`fs_pseudo_type',`
+   gen_require(`
+   attribute pseudofs;
+   ')
+
+   fs_type($1)
+
+   typeattribute $1 pseudofs;
+')
+
 
 ## 
 ## Transform specified type into a filesystem
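Review bot: The description of fs_pseudo_type says only that the type becomes a pseudo filesystem; it should say what the pseudofs attribute is for, since this commit adds the attribute without any rule that uses it (the diffstat lists only the interface and the efivarfs relabel). A description along the lines of `Transform specified type into a filesystem type which is a kernel-provided pseudo filesystem, grouped under the pseudofs attribute (separately from noxattrfs) for use by filesystem access interfaces.` would tell callers when to pick it over fs_noxattr_type. Note that fs_pseudo_type calls fs_type() but does not add noxattrfs, so types moved to it lose that attribute.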

diff --git a/policy/modules/kernel/filesystem.te 
b/policy/modules/kernel/filesystem.te
index 81a32650..ddd10c2a 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -9,6 +9,7 @@ attribute filesystem_image_file_type;
 attribute filesystem_type;
 attribute filesystem_unconfined_type;
 attribute noxattrfs;
+attribute pseudofs;
 attribute xattrfs;
 
 ##
@@ -104,7 +105,7 @@ files_mountpoint(ecryptfs_t)
 genfscon ecryptfs / gen_context(system_u:object_r:ecryptfs_t,s0)
 
 type efivarfs_t;
-fs_noxattr_type(efivarfs_t)
+fs_pseudo_type(efivarfs_t)
 files_mountpoint(efivarfs_t)
 genfscon efivarfs / gen_context(system_u:object_r:efivarfs_t,s0)
 



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/

2021-11-11 Thread Jason Zaman
commit: c3d38164d58c31023e6277a742708e11ee537ec7
Author: Christian Göttsche  googlemail  com>
AuthorDate: Wed Oct 27 19:18:27 2021 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Thu Nov 11 21:26:50 2021 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c3d38164

filesystem: add fs_use_trans for ramfs

Enable extended attributes for inodes on ramfs filesystems, similar to
tmpfs filesystems.

For example systemd uses ramfs for service credentials[1], and xattr
support is needed for per service based labeling[2].

[1]: https://www.freedesktop.org/software/systemd/man/systemd-creds.html
[2]: https://github.com/systemd/systemd/pull/21158

Signed-off-by: Christian Göttsche  googlemail.com>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/kernel/filesystem.te | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/kernel/filesystem.te 
b/policy/modules/kernel/filesystem.te
index b12c65b8..81a32650 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -156,9 +156,9 @@ dev_associate_sysfs(pstore_t)
 genfscon pstore / gen_context(system_u:object_r:pstore_t,s0)
 
 type ramfs_t;
-fs_type(ramfs_t)
+fs_xattr_type(ramfs_t)
 files_mountpoint(ramfs_t)
-genfscon ramfs / gen_context(system_u:object_r:ramfs_t,s0)
+fs_use_trans ramfs gen_context(system_u:object_r:ramfs_t,s0);
 
 type romfs_t;
 fs_type(romfs_t)
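Review bot: Replacing the genfscon with fs_use_trans changes how every ramfs inode is labeled, not only the systemd credentials case: content is no longer uniformly ramfs_t but takes labels derived from the creating process, as on tmpfs, so existing rules that assumed ramfs_t for ramfs files may stop matching. A comment beside the statement would record this, e.g. `# label ramfs inodes by transition from the creating process (as tmpfs); needed for per-service credential labeling`. The commit message speaks of enabling xattr support, which presumably depends on kernel-side ramfs support; stating the minimum kernel version, if known, would help administrators.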



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/

2021-09-05 Thread Jason Zaman
commit: c2cd4a6f79b4949857e4a4bd68bef6ea1496a255
Author: Markus Linnala  cybercom  com>
AuthorDate: Tue Jun 29 12:32:56 2021 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Sep  5 14:26:44 2021 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c2cd4a6f

policy: files: files_get_etc_unit_status/files_{start,stop}_etc_service: fix 
require

Signed-off-by: Markus Linnala  cybercom.com>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/kernel/files.if | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 83f8b3f4..f772bfe8 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -3228,6 +3228,7 @@ interface(`files_exec_etc_files',`
 interface(`files_get_etc_unit_status',`
gen_require(`
type etc_t;
+   class service status;
')
 
allow $1 etc_t:service status;
@@ -3246,6 +3247,7 @@ interface(`files_get_etc_unit_status',`
 interface(`files_start_etc_service',`
gen_require(`
type etc_t;
+   class service start;
')
 
allow $1 etc_t:service start;
@@ -3264,6 +3266,7 @@ interface(`files_start_etc_service',`
 interface(`files_stop_etc_service',`
gen_require(`
type etc_t;
+   class service stop;
')
 
allow $1 etc_t:service stop;



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/

2021-09-05 Thread Jason Zaman
commit: 2ecd4fac78c9825154992be76dd941c2386deff4
Author: Jonathan Davies  protonmail  com>
AuthorDate: Tue Jul  6 14:52:27 2021 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Sep  5 14:26:44 2021 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2ecd4fac

devices.fc: Added missing Xen character files.

Signed-off-by: Jonathan Davies  protonmail.com>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/kernel/devices.fc | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
index a167126d..bd08f81d 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -198,8 +198,10 @@ ifdef(`distro_suse', `
 /dev/xen/evtchn-c  
gen_context(system_u:object_r:xen_device_t,s0)
 /dev/xen/gntdev-c  
gen_context(system_u:object_r:xen_device_t,s0)
 /dev/xen/gntalloc  -c  gen_context(system_u:object_r:xen_device_t,s0)
+/dev/xen/hypercall -c  gen_context(system_u:object_r:xen_device_t,s0)
 /dev/xen/privcmd   -c  gen_context(system_u:object_r:xen_device_t,s0)
 /dev/xen/xenbus-c  
gen_context(system_u:object_r:xen_device_t,s0)
+/dev/xen/xenbus_backend-c  
gen_context(system_u:object_r:xen_device_t,s0)
 
 ifdef(`distro_debian',`
 # this is a static /dev dir "backup mount"
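Review bot: /dev/xen/hypercall and /dev/xen/xenbus_backend are added under the same xen_device_t as the other /dev/xen nodes, so every domain already granted xen_device_t access also gains the hypercall and xenbus backend interfaces. Whether that widening is intended is not visible here; if these two nodes are meant only for the privileged toolstack domain, a distinct type would keep the existing xen_device_t grants narrower. The commit message could state which domains need these nodes.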



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/

2021-04-02 Thread Jason Zaman
commit: 190cf9a6768816df3af34f6e991c5768da97c759
Author: Chris PeBenito  ieee  org>
AuthorDate: Fri Mar 19 19:39:38 2021 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Fri Apr  2 18:54:58 2021 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=190cf9a6

selinux: Add dontaudits when secure mode Booleans are enabled.

Signed-off-by: Chris PeBenito  ieee.org>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/kernel/selinux.if | 13 +++--
 policy/modules/kernel/selinux.te | 20 
 2 files changed, 27 insertions(+), 6 deletions(-)

diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
index 1a750a62..8225d499 100644
--- a/policy/modules/kernel/selinux.if
+++ b/policy/modules/kernel/selinux.if
@@ -400,7 +400,10 @@ interface(`selinux_set_generic_booleans',`
allow $1 security_t:dir list_dir_perms;
allow $1 boolean_t:file read_file_perms;
 
-   if(!secure_mode_setbool) {
+   if(secure_mode_setbool) {
+   dontaudit $1 { boolean_t security_t }:file write_file_perms;
+   dontaudit $1 security_t:security setbool;
+   } else {
allow $1 { boolean_t security_t }:file write_file_perms;
allow $1 security_t:security setbool;
}
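Review bot: The new secure-mode branch of selinux_set_generic_booleans silences the setbool denial itself (`dontaudit $1 security_t:security setbool;`), which removes the audit record of an attempt to change Booleans while the system is deliberately locked; the same applies to the setbool and load_policy/setenforce dontaudits in the other selinux.if hunk and in selinux.te, and to the sys_module/module_load dontaudits in kernel.te of commit c4d506d9. Keeping the write_file_perms dontaudits for noise reduction while leaving the security-class permission audited, or gating the dontaudits on a separate tunable, would preserve that signal. If the intent is to silence everything, a comment stating that secure-mode denials are expected and intentionally unaudited would make that explicit. The interface's closing line lies outside the hunk.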
@@ -441,7 +444,11 @@ interface(`selinux_set_all_booleans',`
allow $1 boolean_type:file read_file_perms;
allow $1 secure_mode_policyload_t:file read_file_perms;
 
-   if (!secure_mode_setbool) {
+   if (secure_mode_setbool) {
+   dontaudit $1 security_t:security setbool;
+   dontaudit $1 security_t:file write_file_perms;
+   dontaudit $1 { boolean_type -secure_mode_policyload_t }:file 
write_file_perms;
+   } else {
allow $1 security_t:security setbool;
allow $1 security_t:file write_file_perms;
allow $1 { boolean_type -secure_mode_policyload_t }:file 
write_file_perms;
@@ -449,6 +456,8 @@ interface(`selinux_set_all_booleans',`
 
if(!secure_mode_policyload && !secure_mode_setbool) {
allow $1 secure_mode_policyload_t:file write_file_perms;
+   } else {
+   dontaudit $1 secure_mode_policyload_t:file write_file_perms;
}
 ')
 

diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te
index 5bca43d3..ffe86460 100644
--- a/policy/modules/kernel/selinux.te
+++ b/policy/modules/kernel/selinux.te
@@ -57,7 +57,9 @@ allow can_setenforce security_t:file rw_file_perms;
 
 dev_search_sysfs(can_setenforce)
 
-if(!secure_mode_policyload) {
+if(secure_mode_policyload) {
+   dontaudit can_setenforce security_t:security setenforce;
+} else {
allow can_setenforce security_t:security setenforce;
 }
 
@@ -73,7 +75,9 @@ allow can_load_policy security_t:file rw_file_perms;
 
 dev_search_sysfs(can_load_policy)
 
-if(!secure_mode_policyload) {
+if(secure_mode_policyload) {
+   dontaudit can_load_policy security_t:security load_policy;
+} else {
allow can_load_policy security_t:security load_policy;
 }
 
@@ -104,18 +108,26 @@ allow selinux_unconfined_type boolean_type:file 
read_file_perms;
 # Access the security API.
 allow selinux_unconfined_type security_t:security { compute_av compute_create 
compute_member check_context compute_relabel compute_user setsecparam 
setcheckreqprot read_policy validate_trans };
 
-if (!secure_mode_policyload) {
+if (secure_mode_policyload) {
+   dontaudit selinux_unconfined_type security_t:security { load_policy 
setenforce };
+} else {
allow selinux_unconfined_type security_t:security { load_policy 
setenforce };
 }
 
-if (!secure_mode_setbool) {
+if (secure_mode_setbool) {
+   dontaudit selinux_unconfined_type security_t:security setbool;
+} else {
allow selinux_unconfined_type security_t:security setbool;
 }
 
 if (secure_mode_policyload && !secure_mode_setbool) {
allow selinux_unconfined_type { boolean_type -secure_mode_policyload_t 
}:file write_file_perms;
+} else {
+   dontaudit selinux_unconfined_type { boolean_type 
-secure_mode_policyload_t }:file write_file_perms;
 }
 
 if (!secure_mode_policyload && !secure_mode_setbool) {
allow selinux_unconfined_type boolean_type:file write_file_perms;
+} else {
+   dontaudit selinux_unconfined_type boolean_type:file write_file_perms;
 }



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/

2021-04-02 Thread Jason Zaman
commit: c4d506d919d9584fb61e3ebfce7ee718eb866b27
Author: Chris PeBenito  ieee  org>
AuthorDate: Fri Mar 19 19:50:06 2021 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Fri Apr  2 18:54:58 2021 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c4d506d9

kernel: Add dontaudits when secure_mode_insmod is enabled.

Signed-off-by: Chris PeBenito  ieee.org>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/kernel/files.if  | 19 +++
 policy/modules/kernel/kernel.te | 15 ++-
 2 files changed, 33 insertions(+), 1 deletion(-)

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 0687a435..349b8696 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -4369,6 +4369,25 @@ interface(`files_load_kernel_modules',`
allow $1 modules_object_t:system module_load;
 ')
 
+
+## 
+## Load kernel module files.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`files_dontaudit_load_kernel_modules',`
+   gen_require(`
+   type modules_object_t;
+   ')
+
+   dontaudit $1 modules_object_t:file read_file_perms;
+   dontaudit $1 modules_object_t:system module_load;
+')
+
 
 ## 
 ## List world-readable directories.
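Review bot: The description of files_dontaudit_load_kernel_modules was copied from files_load_kernel_modules and still says `Load kernel module files.` with the parameter described as `Domain allowed access.`. For a dontaudit interface the file's convention (compare files_dontaudit_manage_etc_files) is `Do not audit attempts to load kernel module files.` and `Domain to not audit.`. This matters because the interface documentation is what policy authors see when choosing between the two.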

diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index c44f49ed..2bd3f924 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -497,7 +497,20 @@ optional_policy(`
 # Kernel module loading policy
 #
 
-if( ! secure_mode_insmod ) {
+if(secure_mode_insmod) {
+   dontaudit can_load_kernmodule self:capability sys_module;
+   dontaudit can_load_kernmodule self:system module_load;
+
+   files_dontaudit_load_kernel_modules(can_load_kernmodule)
+
+   # load_module() calls stop_machine() which
+   # calls sched_setscheduler()
+   # gt: there seems to be no trace of the above, at
+   # least in kernel versions greater than 2.6.37...
+   dontaudit can_load_kernmodule self:capability sys_nice;
+   dontaudit can_load_kernmodule kernel_t:process setsched;
+   dontaudit can_load_kernmodule kernel_t:key search;
+} else {
allow can_load_kernmodule self:capability sys_module;
allow can_load_kernmodule self:system module_load;
 
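Review bot: The block comment about load_module()/stop_machine() and the `gt:` remark are now duplicated into the dontaudit branch, and the allow branch it mirrors continues outside the hunk. A one-line reference would avoid maintaining two copies, e.g. `# mirrors the allow rules below; see the note there on sys_nice/setsched`. The secure branch also adds `dontaudit can_load_kernmodule kernel_t:key search;`; if the allow side has a matching key search rule it is not visible here, so please confirm the two branches stay symmetric.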



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/

2021-04-02 Thread Jason Zaman
commit: 611eb9925f729ca91ddadfefa48fd0c0c39c24d9
Author: Chris PeBenito  ieee  org>
AuthorDate: Sat Mar 27 18:21:06 2021 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Fri Apr  2 18:54:58 2021 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=611eb992

files, kernel, selinux: Module version bump.

Signed-off-by: Chris PeBenito  ieee.org>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/kernel/files.te   | 2 +-
 policy/modules/kernel/kernel.te  | 2 +-
 policy/modules/kernel/selinux.te | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index d97425eb..ff8f849a 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -1,4 +1,4 @@
-policy_module(files, 1.30.1)
+policy_module(files, 1.30.2)
 
 
 #

diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 2bd3f924..ea8196b6 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -1,4 +1,4 @@
-policy_module(kernel, 1.29.1)
+policy_module(kernel, 1.29.2)
 
 
 #

diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te
index ffe86460..a9efb73b 100644
--- a/policy/modules/kernel/selinux.te
+++ b/policy/modules/kernel/selinux.te
@@ -1,4 +1,4 @@
-policy_module(selinux, 1.18.1)
+policy_module(selinux, 1.18.2)
 
 
 #



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/

2021-04-02 Thread Jason Zaman
commit: b5550e17809acca324fa926671fad42be7aa5f73
Author: Chris PeBenito  ieee  org>
AuthorDate: Fri Mar 19 19:04:12 2021 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Fri Apr  2 18:54:58 2021 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b5550e17

selinux: Set regular file for labeled Booleans genfscons.

Signed-off-by: Chris PeBenito  ieee.org>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/kernel/selinux.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
index f8fcba98..1a750a62 100644
--- a/policy/modules/kernel/selinux.if
+++ b/policy/modules/kernel/selinux.if
@@ -40,7 +40,7 @@ interface(`selinux_labeled_boolean',`
 
# because of this statement, any module which
# calls this interface must be in the base module:
-   genfscon selinuxfs /booleans/$2 gen_context(system_u:object_r:$1,s0)
+   genfscon selinuxfs /booleans/$2 -- gen_context(system_u:object_r:$1,s0)
 ')
 
 



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/

2021-04-02 Thread Jason Zaman
commit: e9c469300bd10185540b0698ed074a98d86f4672
Author: Chris PeBenito  ieee  org>
AuthorDate: Fri Mar 19 19:03:47 2021 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Fri Apr  2 18:54:58 2021 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e9c46930

selinux: Change generic Boolean type to boolean_t.

This will prevent other security_t writers from setting Boolean pending
values, which could be activated unwittingly by setbool processes.

Signed-off-by: Chris PeBenito  ieee.org>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/kernel/selinux.if | 7 ---
 policy/modules/kernel/selinux.te | 5 -
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
index 21d22ded..f8fcba98 100644
--- a/policy/modules/kernel/selinux.if
+++ b/policy/modules/kernel/selinux.if
@@ -391,17 +391,17 @@ interface(`selinux_read_policy',`
 #
 interface(`selinux_set_generic_booleans',`
gen_require(`
-   type security_t;
+   type boolean_t, security_t;
bool secure_mode_setbool;
')
 
dev_search_sysfs($1)
 
allow $1 security_t:dir list_dir_perms;
-   allow $1 security_t:file read_file_perms;
+   allow $1 boolean_t:file read_file_perms;
 
if(!secure_mode_setbool) {
-   allow $1 security_t:file write_file_perms;
+   allow $1 { boolean_t security_t }:file write_file_perms;
allow $1 security_t:security setbool;
}
 ')
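Review bot: In selinux_set_generic_booleans the non-secure branch now writes both boolean_t and security_t files, but the hunk does not say why security_t write is still needed once the Boolean files are boolean_t; presumably the file used to commit pending values remains security_t. A comment on that line would make the split explicit, e.g. `# boolean_t holds the pending values; security_t is still needed to commit them`, adjusted to the actual selinuxfs layout. The same rationale applies to the added `allow $1 security_t:file write_file_perms;` in selinux_set_all_booleans.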
@@ -443,6 +443,7 @@ interface(`selinux_set_all_booleans',`
 
if (!secure_mode_setbool) {
allow $1 security_t:security setbool;
+   allow $1 security_t:file write_file_perms;
allow $1 { boolean_type -secure_mode_policyload_t }:file 
write_file_perms;
}
 

diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te
index 71147210..5bca43d3 100644
--- a/policy/modules/kernel/selinux.te
+++ b/policy/modules/kernel/selinux.te
@@ -26,6 +26,9 @@ attribute can_setenforce;
 attribute can_setsecparam;
 attribute selinux_unconfined_type;
 
+type boolean_t, boolean_type;
+genfscon selinuxfs /booleans/ -- gen_context(system_u:object_r:boolean_t,s0)
+
 type secure_mode_policyload_t;
 selinux_labeled_boolean(secure_mode_policyload_t, secure_mode_policyload)
 
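Review bot: `type boolean_t, boolean_type;` and its genfscon are added without the explanatory block comment that the neighbouring types carry (security_t has one just below). Suggested: `# boolean_t is the generic type of selinuxfs Boolean files; selinux_labeled_boolean() assigns more specific types to individual Booleans.`. The `/booleans/` path with `--` presumably labels only the regular files beneath it while the directory itself keeps the selinuxfs root label; stating that in the comment would stop the trailing slash from being "fixed" later.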
@@ -34,7 +37,7 @@ selinux_labeled_boolean(secure_mode_policyload_t, 
secure_mode_policyload)
 # the permissions in the security class.  It is also
 # applied to selinuxfs inodes.
 #
-type security_t, boolean_type;
+type security_t;
 files_mountpoint(security_t)
 fs_type(security_t)
 mls_trusted_object(security_t)



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/

2021-03-21 Thread Jason Zaman
commit: c12534ce37ed704aa6b0058c96e9c84ceb769653
Author: Chris PeBenito  ieee  org>
AuthorDate: Fri Mar 12 14:57:36 2021 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Mar 21 21:38:23 2021 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c12534ce

selinux: Module version bump.

Signed-off-by: Chris PeBenito  ieee.org>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/kernel/selinux.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te
index a1b4ae3e..71147210 100644
--- a/policy/modules/kernel/selinux.te
+++ b/policy/modules/kernel/selinux.te
@@ -1,4 +1,4 @@
-policy_module(selinux, 1.18.0)
+policy_module(selinux, 1.18.1)
 
 
 #



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/

2021-03-21 Thread Jason Zaman
commit: 0458f4e2ec20f27f0cdc6a29c91e62bb65865075
Author: Chris PeBenito  ieee  org>
AuthorDate: Fri Mar  5 21:06:44 2021 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Mar 21 21:38:23 2021 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0458f4e2

selinux: Add a secure_mode_setbool Boolean.

Enabling this will disable all permissions for setting SELinux Booleans,
even for unconfined domains.

This does not affect setenforce.  Enable secure_mode_policyload along with
secure_mode_setbool to fully lock the SELinux security interface.

Signed-off-by: Chris PeBenito  ieee.org>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/kernel/selinux.if | 19 +--
 policy/modules/kernel/selinux.te | 30 +++---
 2 files changed, 36 insertions(+), 13 deletions(-)

diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
index 43eebcd0..21d22ded 100644
--- a/policy/modules/kernel/selinux.if
+++ b/policy/modules/kernel/selinux.if
@@ -392,14 +392,18 @@ interface(`selinux_read_policy',`
 interface(`selinux_set_generic_booleans',`
gen_require(`
type security_t;
+   bool secure_mode_setbool;
')
 
dev_search_sysfs($1)
 
allow $1 security_t:dir list_dir_perms;
-   allow $1 security_t:file rw_file_perms;
+   allow $1 security_t:file read_file_perms;
 
-   allow $1 security_t:security setbool;
+   if(!secure_mode_setbool) {
+   allow $1 security_t:file write_file_perms;
+   allow $1 security_t:security setbool;
+   }
 ')
 
 
@@ -428,18 +432,21 @@ interface(`selinux_set_all_booleans',`
gen_require(`
type security_t, secure_mode_policyload_t;
attribute boolean_type;
-   bool secure_mode_policyload;
+   bool secure_mode_policyload, secure_mode_setbool;
')
 
dev_search_sysfs($1)
 
allow $1 security_t:dir list_dir_perms;
-   allow $1 { boolean_type -secure_mode_policyload_t }:file rw_file_perms;
+   allow $1 boolean_type:file read_file_perms;
allow $1 secure_mode_policyload_t:file read_file_perms;
 
-   allow $1 security_t:security setbool;
+   if (!secure_mode_setbool) {
+   allow $1 security_t:security setbool;
+   allow $1 { boolean_type -secure_mode_policyload_t }:file 
write_file_perms;
+   }
 
-   if(!secure_mode_policyload) {
+   if(!secure_mode_policyload && !secure_mode_setbool) {
allow $1 secure_mode_policyload_t:file write_file_perms;
}
 ')

diff --git a/policy/modules/kernel/selinux.te b/policy/modules/kernel/selinux.te
index 3e4f2000..a1b4ae3e 100644
--- a/policy/modules/kernel/selinux.te
+++ b/policy/modules/kernel/selinux.te
@@ -7,13 +7,19 @@ policy_module(selinux, 1.18.0)
 
 ## 
 ## 
-## Boolean to determine whether the system permits loading policy, setting
-## enforcing mode, and changing boolean values.  Set this to true and you
-## have to reboot to set it back.
+## Boolean to determine whether the system permits loading policy, and setting
+## enforcing mode.  Set this to true and you have to reboot to set it back.
 ## 
 ## 
 gen_bool(secure_mode_policyload,false)
 
+## 
+## 
+## Boolean to determine whether the system permits setting Booelan values.
+## 
+## 
+gen_bool(secure_mode_setbool,false)
+
 attribute boolean_type;
 attribute can_load_policy;
 attribute can_setenforce;
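Review bot: The new tunable description has a typo, `Booelan` for `Boolean`, in `## Boolean to determine whether the system permits setting Booelan values.`. It should also tell administrators how the setting is reverted, as the secure_mode_policyload text above does; from the rules in this commit, once secure_mode_setbool is on no domain retains setbool, so reverting it presumably requires a policy reload or reboot unless secure_mode_policyload is also enabled. Suggested: `## Boolean to determine whether the system permits setting Boolean values. Set this to true and a policy reload or reboot is needed to set it back.`.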
@@ -91,12 +97,22 @@ dev_search_sysfs(can_setsecparam)
 allow selinux_unconfined_type security_t:dir list_dir_perms;
 allow selinux_unconfined_type security_t:file rw_file_perms;
 allow selinux_unconfined_type boolean_type:file read_file_perms;
-allow selinux_unconfined_type { boolean_type -secure_mode_policyload_t }:file 
write_file_perms;
 
 # Access the security API.
-allow selinux_unconfined_type security_t:security { compute_av compute_create 
compute_member check_context compute_relabel compute_user setbool setsecparam 
setcheckreqprot read_policy validate_trans };
+allow selinux_unconfined_type security_t:security { compute_av compute_create 
compute_member check_context compute_relabel compute_user setsecparam 
setcheckreqprot read_policy validate_trans };
 
-if(!secure_mode_policyload) {
+if (!secure_mode_policyload) {
allow selinux_unconfined_type security_t:security { load_policy 
setenforce };
-   allow selinux_unconfined_type secure_mode_policyload_t:file 
write_file_perms;
+}
+
+if (!secure_mode_setbool) {
+   allow selinux_unconfined_type security_t:security setbool;
+}
+
+if (secure_mode_policyload && !secure_mode_setbool) {
+   allow selinux_unconfined_type { boolean_type -secure_mode_policyload_t 
}:file write_file_perms;
+}
+
+if (!secure_mode_policyload && !secure_mode_setbool) {
+   allow selinux_unconfined_type boolean_type:file write_file_perms;
 }
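Review bot: The unconditional `allow selinux_unconfined_type security_t:file rw_file_perms;` left in place above the new conditionals still permits writing Boolean files while secure_mode_setbool is enabled, since at this point security_t is itself a boolean_type and labels the selinuxfs Boolean inodes; only the setbool permission is withdrawn. The lock is therefore partial in this commit; the later commit e9c46930 on this page addresses it by introducing boolean_t. It would be worth saying so in the commit message so the two changes are read together.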



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/

2021-03-21 Thread Jason Zaman
commit: 722e26ffd25c220056e1cdb1b48b14f95011ba1f
Author: Krzysztof Nowicki  op  pl>
AuthorDate: Wed Feb  3 09:00:35 2021 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Mon Feb 15 19:49:24 2021 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=722e26ff

Enable factory directory support in systemd-tmpfilesd

/usr/share/factory serves as a template directory for
systemd-tmpfilesd. The copy (C) and link (L) commands can utilize this
directory as a default source for files, which should be placed in the
filesystem.

This behaviour is controlled via a tunable as it gives
systemd-tmpfilesd manage permissions over etc, which could be
considered a security risk.

Relevant denials are silenced in case the policy is disabled.

Signed-off-by: Krzysztof Nowicki  op.pl>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/kernel/files.if   | 20 
 policy/modules/system/systemd.fc |  2 ++
 policy/modules/system/systemd.te | 24 
 3 files changed, 46 insertions(+)

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index b493a4a1..55fbf783 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -3119,6 +3119,26 @@ interface(`files_manage_etc_files',`
read_lnk_files_pattern($1, etc_t, etc_t)
 ')
 
+
+## 
+## Do not audit attempts to create, read, write,
+## and delete generic files in /etc.
+## 
+## 
+## 
+## Domain to not audit.
+## 
+## 
+## 
+#
+interface(`files_dontaudit_manage_etc_files',`
+   gen_require(`
+   type etc_t;
+   ')
+
+   dontaudit $1 etc_t:file manage_file_perms;
+')
+
 
 ## 
 ## Delete system configuration files in /etc.

diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index f88fdfb4..8dcae1a9 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -55,6 +55,8 @@
 /usr/lib/systemd/system/systemd-rfkill.*   --  
gen_context(system_u:object_r:systemd_rfkill_unit_t,s0)
 /usr/lib/systemd/system/systemd-socket-proxyd\.service --  
gen_context(system_u:object_r:systemd_socket_proxyd_unit_file_t,s0)
 
+/usr/share/factory(/.*)?   
gen_context(system_u:object_r:systemd_factory_conf_t,s0)
+
 /var/\.updated --  
gen_context(system_u:object_r:systemd_update_run_t,s0)
 
 /var/lib/systemd/backlight(/.*)?   
gen_context(system_u:object_r:systemd_backlight_var_lib_t,s0)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 5d34e6d2..ed2bce80 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -45,6 +45,14 @@ gen_tunable(systemd_socket_proxyd_bind_any, false)
 ## 
 gen_tunable(systemd_socket_proxyd_connect_any, false)
 
+## 
+## 
+## Allow systemd-tmpfilesd to populate missing configuration files from factory
+## template directory.
+## 
+## 
+gen_tunable(systemd_tmpfilesd_factory, false)
+
 attribute systemd_log_parse_env_type;
 attribute systemd_tmpfiles_conf_type;
 attribute systemd_user_session_type;
@@ -104,6 +112,9 @@ type systemd_detect_virt_t;
 type systemd_detect_virt_exec_t;
 init_daemon_domain(systemd_detect_virt_t, systemd_detect_virt_exec_t)
 
+type systemd_factory_conf_t;
+systemd_tmpfiles_conf_file(systemd_factory_conf_t)
+
 type systemd_generator_t;
 type systemd_generator_exec_t;
 typealias systemd_generator_t alias { systemd_fstab_generator_t 
systemd_gpt_generator_t };
@@ -1283,6 +1294,7 @@ allow systemd_tmpfiles_t systemd_journal_t:dir 
relabel_dir_perms;
 allow systemd_tmpfiles_t systemd_journal_t:file relabel_file_perms;
 
 allow systemd_tmpfiles_t systemd_tmpfiles_conf_t:dir list_dir_perms;
+allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:dir search_dir_perms;
 allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms;
 
 kernel_getattr_proc(systemd_tmpfiles_t)
@@ -1377,6 +1389,18 @@ tunable_policy(`systemd_tmpfiles_manage_all',`
files_relabel_non_security_files(systemd_tmpfiles_t)
 ')
 
+tunable_policy(`systemd_tmpfilesd_factory', `
+   allow systemd_tmpfiles_t systemd_factory_conf_t:dir list_dir_perms;
+   allow systemd_tmpfiles_t systemd_factory_conf_t:file read_file_perms;
+
+   files_manage_etc_files(systemd_tmpfiles_t)
+',`
+   dontaudit systemd_tmpfiles_t systemd_factory_conf_t:dir list_dir_perms;
+   dontaudit systemd_tmpfiles_t systemd_factory_conf_t:file 
read_file_perms;
+
+   files_dontaudit_manage_etc_files(systemd_tmpfiles_t)
+')
+
 optional_policy(`
dbus_read_lib_files(systemd_tmpfiles_t)
dbus_relabel_lib_dirs(systemd_tmpfiles_t)
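Review bot: The `allow systemd_tmpfiles_t systemd_factory_conf_t:file read_file_perms;` in the enabled branch looks redundant with the unconditional `allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms;` two hunks above, assuming `systemd_tmpfiles_conf_file(systemd_factory_conf_t)` in the type-declaration hunk attaches the systemd_tmpfiles_conf_type attribute; if so, the matching `dontaudit` in the disabled branch can never fire, and the new unconditional `search_dir_perms` on conf-type dirs likewise already grants part of the `list_dir_perms` that branch tries to silence. The opening `tunable_policy` line also has a space between the comma and the second quote, unlike the `systemd_tmpfiles_manage_all` block shown in the hunk header; dropping it keeps the file consistent. Finally, `files_manage_etc_files(systemd_tmpfiles_t)` grants create, write and delete on every generic etc_t file, not only the missing ones that factory copies, and since that is the risk the commit message acknowledges it is worth stating in the tunable description, e.g. `## Grants full manage permissions on generic etc_t files, not just creation of missing ones.`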



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/

2021-03-21 Thread Jason Zaman
commit: b5319ac6961b49e3f3b83cd390c102cd39bb33fd
Author: Krzysztof Nowicki  op  pl>
AuthorDate: Wed Feb  3 14:59:22 2021 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Mon Feb 15 19:49:24 2021 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b5319ac6

Allow systemd-tmpfilesd to relabel generic files inside /etc

Enable this only with the systemd_tmpfilesd_factory tunable, otherwise
silence the messages with a dontaudit rule.

Fixes:

avc:  denied  { relabelfrom } for comm="systemd-tmpfile"
name="pam.d" dev= ino=
scontext=system_u:system_r:systemd_tmpfiles_t:s0
tcontext=system_u:object_r:etc_t:s0 tclass=dir

Signed-off-by: Krzysztof Nowicki  op.pl>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/kernel/files.if   | 38 ++
 policy/modules/system/systemd.te |  4 
 2 files changed, 42 insertions(+)

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 55fbf783..0687a435 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1611,6 +1611,25 @@ interface(`files_relabel_config_dirs',`
relabel_dirs_pattern($1, configfile, configfile)
 ')
 
+#
+## 
+## Do not audit attempts to relabel configuration directories
+## 
+## 
+## 
+## Domain not to audit.
+## 
+## 
+##
+#
+interface(`files_dontaudit_relabel_config_dirs',`
+   gen_require(`
+   attribute configfile;
+   ')
+
+   dontaudit $1 configfile:dir relabel_dir_perms;
+')
+
 
 ## 
 ## Read config files in /etc.
@@ -1669,6 +1688,25 @@ interface(`files_relabel_config_files',`
relabel_files_pattern($1, configfile, configfile)
 ')
 
+###
+## 
+## Do not audit attempts to relabel configuration files
+## 
+## 
+## 
+## Domain not to audit.
+## 
+## 
+##
+#
+interface(`files_dontaudit_relabel_config_files',`
+   gen_require(`
+   attribute configfile;
+   ')
+
+   dontaudit $1 configfile:file relabel_file_perms;
+')
+
 
 ## 
 ## Mount a filesystem on all mount points.

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index ed2bce80..08c26078 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1394,11 +1394,15 @@ tunable_policy(`systemd_tmpfilesd_factory', `
allow systemd_tmpfiles_t systemd_factory_conf_t:file read_file_perms;
 
files_manage_etc_files(systemd_tmpfiles_t)
+   files_relabel_config_dirs(systemd_tmpfiles_t)
+   files_relabel_config_files(systemd_tmpfiles_t)
 ',`
dontaudit systemd_tmpfiles_t systemd_factory_conf_t:dir list_dir_perms;
dontaudit systemd_tmpfiles_t systemd_factory_conf_t:file 
read_file_perms;
 
files_dontaudit_manage_etc_files(systemd_tmpfiles_t)
+   files_dontaudit_relabel_config_dirs(systemd_tmpfiles_t)
+   files_dontaudit_relabel_config_files(systemd_tmpfiles_t)
 ')
 
 optional_policy(`
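Review bot: `files_relabel_config_dirs` and `files_relabel_config_files` act on the `configfile` attribute (see `relabel_dirs_pattern($1, configfile, configfile)` in the files.if hunk), so with the tunable enabled systemd_tmpfiles_t may relabel between every type carrying that attribute, which is broader than the "generic files inside /etc" the commit message describes and than the etc_t denial it quotes. If only etc_t is needed, an etc_t-specific rule using the existing `relabel_dir_perms` and `relabel_file_perms` sets would match the reported denial without widening the tunable; otherwise the tunable description should say that all configfile-typed objects become relabelable. The enclosing tunable_policy block starts above this hunk.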



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, doc/, policy/

2021-02-06 Thread Jason Zaman
commit: cecb7fe66611d6e51bec44507fdda4ef2fcc4808
Author: Jason Zaman  gentoo  org>
AuthorDate: Sat Feb  6 21:18:02 2021 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Feb  6 21:18:02 2021 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=cecb7fe6

Update generated policy and doc files

Signed-off-by: Jason Zaman  gentoo.org>

 doc/policy.xml   | 779 +--
 policy/booleans.conf |   6 +
 policy/modules/kernel/corenetwork.te |   2 +-
 3 files changed, 484 insertions(+), 303 deletions(-)

diff --git a/doc/policy.xml b/doc/policy.xml
index 0537d461..3c0809a4 100644
--- a/doc/policy.xml
+++ b/doc/policy.xml
@@ -85508,7 +85508,17 @@ Domain allowed access.
 
 
 
-
+
+
+Do not audit attempts to get the attributes of the proc filesystem.
+
+
+
+Domain to not audit.
+
+
+
+
 
 Mount on proc directories.
 
@@ -85519,7 +85529,7 @@ Domain allowed access.
 
 
 
-
+
 
 Do not audit attempts to set the
 attributes of directories in /proc.
@@ -85530,7 +85540,7 @@ Domain to not audit.
 
 
 
-
+
 
 Search directories in /proc.
 
@@ -85540,7 +85550,7 @@ Domain allowed access.
 
 
 
-
+
 
 List the contents of directories in /proc.
 
@@ -85550,7 +85560,7 @@ Domain allowed access.
 
 
 
-
+
 
 Do not audit attempts to list the
 contents of directories in /proc.
@@ -85561,7 +85571,7 @@ Domain to not audit.
 
 
 
-
+
 
 Do not audit attempts to write the
 directories in /proc.
@@ -85572,7 +85582,7 @@ Domain to not audit.
 
 
 
-
+
 
 Mount the directories in /proc.
 
@@ -85582,7 +85592,7 @@ Domain allowed access.
 
 
 
-
+
 
 Get the attributes of files in /proc.
 
@@ -85592,7 +85602,7 @@ Domain allowed access.
 
 
 
-
+
 
 Read generic symbolic links in /proc.
 
@@ -85611,7 +85621,7 @@ Domain allowed access.
 
 
 
-
+
 
 Allows caller to read system state information in /proc.
 
@@ -85642,7 +85652,7 @@ Domain allowed access.
 
 
 
-
+
 
 Write to generic proc entries.
 
@@ -85653,7 +85663,7 @@ Domain allowed access.
 
 
 
-
+
 
 Do not audit attempts by caller to
 read system state information in proc.
@@ -85664,7 +85674,7 @@ Domain to not audit.
 
 
 
-
+
 
 Do not audit attempts by caller to
 read symbolic links in proc.
@@ -85675,7 +85685,7 @@ Domain to not audit.
 
 
 
-
+
 
 Allow caller to read and write state information for AFS.
 
@@ -85686,7 +85696,7 @@ Domain allowed access.
 
 
 
-
+
 
 Allow caller to read the state information for software raid.
 
@@ -85697,7 +85707,7 @@ Domain allowed access.
 
 
 
-
+
 
 Allow caller to read and set the state information for software raid.
 
@@ -85707,7 +85717,7 @@ Domain allowed access.
 
 
 
-
+
 
 Allows caller to get attributes of core kernel interface.
 
@@ -85717,7 +85727,7 @@ Domain allowed access.
 
 
 
-
+
 
 Do not audit attempts to get the attributes of
 core kernel interfaces.
@@ -85728,7 +85738,7 @@ Domain to not audit.
 
 
 
-
+
 
 Allows caller to read the core kernel interface.
 
@@ -85738,7 +85748,7 @@ Domain allowed access.
 
 
 
-
+
 
 Allow caller to read kernel messages
 using the /proc/kmsg interface.
@@ -85749,7 +85759,7 @@ Domain allowed access.
 
 
 
-
+
 
 Allow caller to get the attributes of kernel message
 interface (/proc/kmsg).
@@ -85760,7 +85770,7 @@ Domain allowed access.
 
 
 
-
+
 
 Do not audit attempts by caller to get the attributes of kernel
 message interfaces.
@@ -85771,7 +85781,7 @@ Domain to not audit.
 
 
 
-
+
 
 Mount on kernel message interfaces files.
 
@@ -85782,7 +85792,7 @@ Domain allowed access.
 
 
 
-
+
 
 Do not audit attempts to search the network
 state directory.
@@ -85794,7 +85804,7 @@ Domain to not audit.
 
 
 
-
+
 
 Allow searching of network state directory.
 
@@ -85805,7 +85815,7 @@ Domain allowed access.
 
 
 
-
+
 
 Read the network state information.
 
@@ -85827,7 +85837,7 @@ Domain allowed access.
 
 
 
-
+
 
 Allow caller to read the network state symbolic links.
 
@@ -85837,7 +85847,7 @@ Domain allowed access.
 
 
 
-
+
 
 Allow searching of xen state directory.
 
@@ -85848,7 +85858,7 @@ Domain allowed access.
 
 
 
-
+
 
 Do not audit attempts to search the xen
 state directory.
@@ -85860,7 +85870,7 @@ Domain to not audit.
 
 
 
-
+
 
 Allow caller to read the xen state information.
 
@@ -85871,7 +85881,7 @@ Domain allowed access.
 
 
 
-
+
 
 Allow caller to read the xen state symbolic links.
 
@@ -85882,7 +85892,7 @@ Domain allowed access.
 
 
 
-
+
 
 Allow caller to write xen state information.
 
@@ -85893,7 +85903,7 @@ Domain allowed access.
 
 
 
-
+
 
 Allow attempts to list all proc directories.
 
@@ -85903,7 +85913,7 @@ Domain allowed access.
 
 
 
-
+
 
 Do not audit attempts to list all proc directories.
 
@@ -85913,7 +85923,7 @@ Domain to not audit.
 
 
 
-
+
 
 Do not audit attempts by caller to search
 the base directory of sysctls.
@@ -85925,7 +85935,7 @@ Domain to not audit.
 
 
 
-
+
 
 Mount on sysctl_t dirs.
 
@@ -85936,7 +85946,7 @@ Domain allowed access.
 
 
 
-
+
 
 

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/

2021-01-10 Thread Jason Zaman
commit: d5515d5dcba81e818b43721fe0ac36dcd50315a6
Author: Jason Zaman  gentoo  org>
AuthorDate: Sun Jan 10 23:15:56 2021 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Jan 10 23:15:56 2021 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d5515d5d

Regenerate corenetwork

Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/kernel/corenetwork.if | 570 ++-
 policy/modules/kernel/corenetwork.te |  20 +-
 2 files changed, 574 insertions(+), 16 deletions(-)

diff --git a/policy/modules/kernel/corenetwork.if 
b/policy/modules/kernel/corenetwork.if
index 9b19cea2..368ad3b7 100644
--- a/policy/modules/kernel/corenetwork.if
+++ b/policy/modules/kernel/corenetwork.if
@@ -1498,11 +1498,11 @@ interface(`corenet_udp_send_all_ports',`
 #
 interface(`corenet_sctp_bind_generic_port',`
gen_require(`
-   type port_t, unreserved_port_t, ephemeral_port_t;
+   type port_t, unreserved_port_t;
attribute defined_port_type;
')
 
-   allow $1 { port_t unreserved_port_t ephemeral_port_t }:sctp_socket 
name_bind;
+   allow $1 { port_t unreserved_port_t }:sctp_socket name_bind;
dontaudit $1 defined_port_type:sctp_socket name_bind;
 ')
 
@@ -1571,10 +1571,10 @@ interface(`corenet_udp_sendrecv_all_ports',`
 #
 interface(`corenet_dontaudit_sctp_bind_generic_port',`
gen_require(`
-   type port_t, unreserved_port_t, ephemeral_port_t;
+   type port_t, unreserved_port_t;
')
 
-   dontaudit $1 { port_t unreserved_port_t ephemeral_port_t }:sctp_socket 
name_bind;
+   dontaudit $1 { port_t unreserved_port_t }:sctp_socket name_bind;
 ')
 
 
@@ -1645,10 +1645,10 @@ interface(`corenet_udp_bind_all_ports',`
 #
 interface(`corenet_sctp_connect_generic_port',`
gen_require(`
-   type port_t, unreserved_port_t,ephemeral_port_t;
+   type port_t, unreserved_port_t;
')
 
-   allow $1 { port_t unreserved_port_t ephemeral_port_t }:sctp_socket 
name_connect;
+   allow $1 { port_t unreserved_port_t }:sctp_socket name_connect;
 ')
 
 
@@ -2761,7 +2761,7 @@ interface(`corenet_dontaudit_raw_recvfrom_unlabeled',`
 ## Allow the specified domain to receive packets from an
 ## unlabeled connection.  On machines that do not utilize
 ## labeled networking, this will be required on all
-## networking domains.  On machines tha do utilize
+## networking domains.  On machines that do utilize
 ## labeled networking, this will be required for any
 ## networking domain that is allowed to receive
 ## network traffic that does not have a label.
@@ -3339,13 +3339,7 @@ interface(`corenet_relabelto_all_server_packets',`
 ## 
 #
 interface(`corenet_sctp_recvfrom_unlabeled',`
-   gen_require(`
-   attribute corenet_unlabeled_type;
-   ')
-
kernel_recvfrom_unlabeled_peer($1)
-
-   typeattribute $1 corenet_unlabeled_type;
kernel_sendrecv_unlabeled_association($1)
 ')
 
@@ -3529,6 +3523,135 @@ interface(`corenet_unconfined',`
 ')
 
 
+
+## 
+## Send icmp packets.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+## 
+#
+interface(`corenet_send_icmp_packets',`
+   gen_require(`
+   type icmp_packet_t;
+   ')
+
+   allow $1 icmp_packet_t:packet send;
+')
+
+
+## 
+## Do not audit attempts to send icmp packets.
+## 
+## 
+## 
+## Domain to not audit.
+## 
+## 
+## 
+#
+interface(`corenet_dontaudit_send_icmp_packets',`
+   gen_require(`
+   type icmp_packet_t;
+   ')
+
+   dontaudit $1 icmp_packet_t:packet send;
+')
+
+
+## 
+## Receive icmp packets.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+## 
+#
+interface(`corenet_receive_icmp_packets',`
+   gen_require(`
+   type icmp_packet_t;
+   ')
+
+   allow $1 icmp_packet_t:packet recv;
+')
+
+
+## 
+## Do not audit attempts to receive icmp packets.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+## 
+#
+interface(`corenet_dontaudit_receive_icmp_packets',`
+   gen_require(`
+   type icmp_packet_t;
+   ')
+
+   dontaudit $1 icmp_packet_t:packet recv;
+')
+
+
+## 
+## Send and receive icmp packets.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+## 
+#
+interface(`corenet_sendrecv_icmp_packets',`
+   corenet_send_icmp_packets($1)
+   corenet_receive_icmp_packets($1)
+')
+
+
+## 
+## Do not audit attempts to send and receive icmp packets.
+## 
+## 
+## 
+## Domain to not audit.
+## 
+## 

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/

2021-01-10 Thread Jason Zaman
commit: a164a2d6e18255bbc842d3cee8edb63882e9e2c2
Author: Peter Morrow  linux  microsoft  com>
AuthorDate: Tue Dec 15 15:19:30 2020 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Jan 10 21:52:17 2021 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a164a2d6

selinux: add selinux_get_all_booleans() interface

Allow the caller to read the state of selinuxfs booleans.

Signed-off-by: Peter Morrow  linux.microsoft.com>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/kernel/selinux.if | 24 
 1 file changed, 24 insertions(+)

diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
index bf70d3c4..43eebcd0 100644
--- a/policy/modules/kernel/selinux.if
+++ b/policy/modules/kernel/selinux.if
@@ -444,6 +444,30 @@ interface(`selinux_set_all_booleans',`
}
 ')
 
+
+## 
+##  Allow caller to get the state of all Booleans to
+##  view conditional portions of the policy.
+## 
+## 
+##  
+##  Domain allowed access.
+##  
+## 
+## 
+#
+interface(`selinux_get_all_booleans',`
+   gen_require(`
+   type security_t;
+   attribute boolean_type;
+   ')
+
+   dev_search_sysfs($1)
+
+   allow $1 security_t:dir list_dir_perms;
+   allow $1 boolean_type:file read_file_perms;
+')
+
 
 ## 
 ## Allow caller to set SELinux access vector cache parameters.
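Review bot: The XML documentation lines of the new interface are indented with two spaces after `##` (`##  Allow caller to get the state of all Booleans to`), whereas the neighbouring interfaces in this file use one (`## Allow caller to set SELinux access vector cache parameters.`); the extra space should go for consistency. It would also help to note in the summary that the grant exposes the active branch of every conditional in the loaded policy, e.g. `## This reveals which conditional policy branches are active.`, so callers are given it deliberately rather than as a convenience.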



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/

2021-01-10 Thread Jason Zaman
commit: 6a9ade8f0070fb55b5e24befa2501644b412fed2
Author: Dave Sugar  tresys  com>
AuthorDate: Mon Dec  7 16:09:15 2020 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Jan 10 21:52:17 2021 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6a9ade8f

Allow systemd-modules-load to search kernel keys

I was seeing the following errors from systemd-modules-load without this search 
permission.

Dec  7 14:36:19 systemd-modules-load: Failed to insert 'nf_conntrack_ftp': 
Required key not available
Dec  7 14:36:19 kernel: Request for unknown module key 'Red Hat Enterprise 
Linux kernel signing key: 3ffb026dadef6e0bc404752a7e7c29095a68eab7' err -13
Dec  7 14:36:19 systemd: systemd-modules-load.service: main process exited, 
code=exited, status=1/FAILURE
Dec  7 14:36:19 audispd: node=loacalhost type=PROCTITLE 
msg=audit(1607351779.441:3259): 
proctitle="/usr/lib/systemd/systemd-modules-load"
Dec  7 14:36:19 systemd: Failed to start Load Kernel Modules.

This is the denial:

Dec  7 15:56:52 audispd: node=localhost type=AVC 
msg=audit(1607356612.877:3815): avc:  denied { search } for  pid=11715 
comm="systemd-modules" scontext=system_u:system_r:systemd_modules_load_t:s0 
tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=1

Signed-off-by: Dave Sugar  tresys.com>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/kernel/kernel.te   | 1 +
 policy/modules/system/modutils.te | 1 -
 2 files changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 8693e800..d70f625b 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -512,6 +512,7 @@ if( ! secure_mode_insmod ) {
# gt: there seems to be no trace of the above, at
# least in kernel versions greater than 2.6.37...
allow can_load_kernmodule self:capability sys_nice;
+   kernel_search_key(can_load_kernmodule)
kernel_setsched(can_load_kernmodule)
 }
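Review bot: Moving `kernel_search_key` from kmod_t to the can_load_kernmodule attribute inside the `if( ! secure_mode_insmod )` block changes two things the commit message does not mention: every domain carrying that attribute now gets kernel key search, and kmod_t loses it entirely when secure_mode_insmod is enabled, because the modutils.te hunk drops the unconditional `kernel_search_key(kmod_t)`. The second may be intended, since module loading is presumably blocked in secure mode anyway, but a comment such as `# key search for signed module loading; only needed when modules can be loaded` would make the conditional placement explicit. The enclosing if block starts above this hunk.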
 

diff --git a/policy/modules/system/modutils.te 
b/policy/modules/system/modutils.te
index e002e6e3..a7f8e42c 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -62,7 +62,6 @@ kernel_write_proc_files(kmod_t)
 kernel_mount_debugfs(kmod_t)
 kernel_mount_kvmfs(kmod_t)
 kernel_read_debugfs(kmod_t)
-kernel_search_key(kmod_t)
 # Rules for /proc/sys/kernel/tainted
 kernel_read_kernel_sysctls(kmod_t)
 kernel_rw_kernel_sysctl(kmod_t)



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/

2020-11-28 Thread Jason Zaman
commit: 49688047a9eaf2a136c50ecb7ad5097a9921e870
Author: Chris PeBenito  ieee  org>
AuthorDate: Thu Nov  5 11:55:25 2020 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Mon Nov 16 09:03:43 2020 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=49688047

filesystem, xen: Module version bump.

Signed-off-by: Chris PeBenito  ieee.org>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/kernel/filesystem.te | 2 +-
 policy/modules/system/xen.te| 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/kernel/filesystem.te 
b/policy/modules/kernel/filesystem.te
index f338e207..ef891c09 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -1,4 +1,4 @@
-policy_module(filesystem, 1.28.2)
+policy_module(filesystem, 1.28.3)
 
 
 #

diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te
index 82328cbb..232c3ee4 100644
--- a/policy/modules/system/xen.te
+++ b/policy/modules/system/xen.te
@@ -1,4 +1,4 @@
-policy_module(xen, 1.18.1)
+policy_module(xen, 1.18.2)
 
 
 #



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/

2020-10-12 Thread Jason Zaman
commit: b84ca9b9648ba7f073ad7513c4b610b7f0dfbdfc
Author: Antoine Tenart  bootlin  com>
AuthorDate: Mon Sep  7 15:08:12 2020 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Oct 11 21:14:40 2020 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b84ca9b9

corecommands: add entry for Busybox shell

Fixes:

vc:  denied  { execute } for  pid=87 comm="login" name="sh" dev="vda"
ino=408 scontext=system_u:system_r:local_login_t
tcontext=system_u:object_r:bin_t tclass=file permissive=1

Signed-off-by: Antoine Tenart  bootlin.com>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/kernel/corecommands.fc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/kernel/corecommands.fc 
b/policy/modules/kernel/corecommands.fc
index 5ced3c67..07a09873 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -157,6 +157,7 @@ ifdef(`distro_gentoo',`
 /usr/bin/sesh  --  
gen_context(system_u:object_r:shell_exec_t,s0)
 /usr/bin/scponly   --  
gen_context(system_u:object_r:shell_exec_t,s0)
 /usr/bin/scponlyc  --  
gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/bin/sh--  
gen_context(system_u:object_r:shell_exec_t,s0)
 /usr/bin/smrsh --  
gen_context(system_u:object_r:shell_exec_t,s0)
 /usr/bin/tcsh  --  
gen_context(system_u:object_r:shell_exec_t,s0)
 /usr/bin/yash  --  
gen_context(system_u:object_r:shell_exec_t,s0)



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/admin/, policy/modules/apps/, ...

2020-02-14 Thread Jason Zaman
commit: a5831adc8af393b19e3bf83fcd6ea154c31084d6
Author: Chris PeBenito  ieee  org>
AuthorDate: Sat Jan 25 18:48:52 2020 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Feb 15 07:32:05 2020 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a5831adc

various: Module version bump.

Signed-off-by: Chris PeBenito  ieee.org>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/admin/usermanage.te| 2 +-
 policy/modules/apps/pulseaudio.te | 2 +-
 policy/modules/kernel/corecommands.te | 2 +-
 policy/modules/system/logging.te  | 2 +-
 policy/modules/system/systemd.te  | 2 +-
 policy/modules/system/unconfined.te   | 2 +-
 6 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/policy/modules/admin/usermanage.te 
b/policy/modules/admin/usermanage.te
index ef18fd64..5292f3b3 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -1,4 +1,4 @@
-policy_module(usermanage, 1.23.0)
+policy_module(usermanage, 1.23.1)
 
 
 #

diff --git a/policy/modules/apps/pulseaudio.te 
b/policy/modules/apps/pulseaudio.te
index a763aae4..85dcdc9b 100644
--- a/policy/modules/apps/pulseaudio.te
+++ b/policy/modules/apps/pulseaudio.te
@@ -1,4 +1,4 @@
-policy_module(pulseaudio, 1.12.2)
+policy_module(pulseaudio, 1.12.3)
 
 
 #

diff --git a/policy/modules/kernel/corecommands.te 
b/policy/modules/kernel/corecommands.te
index ed5bb173..e272ee71 100644
--- a/policy/modules/kernel/corecommands.te
+++ b/policy/modules/kernel/corecommands.te
@@ -1,4 +1,4 @@
-policy_module(corecommands, 1.27.3)
+policy_module(corecommands, 1.27.4)
 
 
 #

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 576ca871..19ef420f 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -1,4 +1,4 @@
-policy_module(logging, 1.30.5)
+policy_module(logging, 1.30.6)
 
 
 #

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index e09bc338..65562380 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1,4 +1,4 @@
-policy_module(systemd, 1.8.10)
+policy_module(systemd, 1.8.11)
 
 #
 #

diff --git a/policy/modules/system/unconfined.te 
b/policy/modules/system/unconfined.te
index 069506b0..bf1cf6fd 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -1,4 +1,4 @@
-policy_module(unconfined, 3.13.2)
+policy_module(unconfined, 3.13.3)
 
 
 #



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/

2020-02-14 Thread Jason Zaman
commit: 18b85ee49eaccaf5c2765a65234661513555c5f6
Author: Chris PeBenito  ieee  org>
AuthorDate: Sat Feb  8 14:35:13 2020 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Feb 15 07:32:05 2020 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=18b85ee4

systemd, devices: Module version bump.

Signed-off-by: Chris PeBenito  ieee.org>
Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/kernel/devices.te | 2 +-
 policy/modules/system/systemd.te | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 70cbc49e..05c087bc 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -1,4 +1,4 @@
-policy_module(devices, 1.25.7)
+policy_module(devices, 1.25.8)
 
 
 #

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 7624d258..0c3fa6c1 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1,4 +1,4 @@
-policy_module(systemd, 1.8.12)
+policy_module(systemd, 1.8.13)
 
 #
 #



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/

2020-02-14 Thread Jason Zaman
commit: 19e44f812e0bd3bca6ffdcded4d7e96d41a4e614
Author: bauen1  gmail  com>
AuthorDate: Sat Jan 25 13:19:00 2020 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Feb 15 07:30:57 2020 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=19e44f81

kernel/corecommands: fix the label of xfce4 helpers (on debian)

Signed-off-by: Jason Zaman  gentoo.org>

 policy/modules/kernel/corecommands.fc | 19 +++
 1 file changed, 19 insertions(+)

diff --git a/policy/modules/kernel/corecommands.fc 
b/policy/modules/kernel/corecommands.fc
index 75667c04..0be85be3 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -244,15 +244,34 @@ ifdef(`distro_gentoo',`
 /usr/lib/vte/gnome-pty-helper  --  gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/xfce4/exo-1/exo-compose-mail-1 -- 
gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/xfce4/exo-1/exo-helper-1 --   gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/xfce4/exo-2/exo-helper-2 --   gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/xfce4/notifyd/xfce4-notifyd -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/xfce4/panel/migrate   --  gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/xfce4/panel/wrapper   --  gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/xfce4/panel/wrapper-1\.0  --  
gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/xfce4/panel/wrapper-2\.0  --  
gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/xfce4/session/balou-export-theme -- 
gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/xfce4/session/balou-install-theme -- 
gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/xfce4/session/xfsm-shutdown-helper -- 
gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/xfce4/xfconf/xfconfd  --  gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/xfce4/xfwm4/helper-dialog --  gen_context(system_u:object_r:bin_t,s0)
 
+ifdef(`distro_debian',`
+/usr/lib/[^/]+/tumbler-1/tumblerd --   gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/[^/]+/xfce4/exo-1/exo-helper-1 -- 
gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/[^/]+/xfce4/exo-2/exo-helper-2 -- 
gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/[^/]+/xfce4/notifyd/xfce4-notifyd --  
gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/[^/]+/xfce4/panel/migrate --  gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/[^/]+/xfce4/panel/wrapper --  gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/[^/]+/xfce4/panel/wrapper-1\.0 -- 
gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/[^/]+/xfce4/panel/wrapper-2\.0 -- 
gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/[^/]+/xfce4/session/balou-export-theme -- 
gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/[^/]+/xfce4/session/balou-install-theme -- 
gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/[^/]+/xfce4/session/xfsm-shutdown-helper -- 
gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/[^/]+/xfce4/xfconf/xfconfd -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/[^/]+/xfce4/xfwm4/helper-dialog --
gen_context(system_u:object_r:bin_t,s0)
+')
+
 /usr/lib/couchdb/erlang/lib/couch-[0-9.]+/priv/couchspawnkillable -- 
gen_context(system_u:object_r:bin_t,s0)
 
 /usr/lib/debug/bin(/.*)?   --  gen_context(system_u:object_r:bin_t,s0)
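Review bot: The new distro_debian block repeats every xfce4 helper entry with an extra `[^/]+` path component, so each future helper has to be added twice and the two lists can drift apart. One pattern per helper, e.g. `/usr/lib(/[^/]+)?/xfce4/panel/wrapper-2\.0 -- gen_context(system_u:object_r:bin_t,s0)`, covers both the plain and the multiarch layout without the conditional; if keeping the multiarch form Debian-only is deliberate, a comment at the top of the block saying so would help the next reader.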



[gentoo-commits] proj/hardened-refpolicy:master commit in: /, policy/modules/kernel/, policy/modules/system/, policy/modules/services/, ...

2019-12-24 Thread Jason Zaman
commit: 3ad3fd938f3a06d4170286f9e14bbcd0765e8fb6
Author: Jason Zaman  gentoo  org>
AuthorDate: Tue Dec 17 04:17:02 2019 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Tue Dec 24 09:58:27 2019 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3ad3fd93

Fix gentoo-specific lint issues

Signed-off-by: Jason Zaman  gentoo.org>

 .travis.yml   | 2 +-
 policy/modules/admin/portage.fc   | 2 +-
 policy/modules/apps/java.fc   | 2 +-
 policy/modules/apps/qemu.fc   | 4 ++--
 policy/modules/contrib/android.fc | 2 +-
 policy/modules/contrib/dirsrv.fc  | 4 ++--
 policy/modules/contrib/openrc.fc  | 2 +-
 policy/modules/contrib/phpfpm.fc  | 8 
 policy/modules/contrib/resolvconf.fc  | 2 +-
 policy/modules/contrib/rtorrent.fc| 6 +++---
 policy/modules/contrib/uwsgi.fc   | 2 +-
 policy/modules/contrib/vde.fc | 2 +-
 policy/modules/kernel/corecommands.fc | 8 
 policy/modules/services/ntp.fc| 2 +-
 policy/modules/system/lvm.fc  | 5 -
 policy/modules/system/miscfiles.fc| 6 ++
 policy/modules/system/tmpfiles.fc | 6 +++---
 17 files changed, 29 insertions(+), 36 deletions(-)

diff --git a/.travis.yml b/.travis.yml
index 8be908cc..5dfbe090 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -25,7 +25,7 @@ env:
 matrix:
   include:
   - python: 3.7
-env: LINT=true TYPE=standard
+env: LINT=true TYPE=standard DISTRO=gentoo
 
 sudo: false
 dist: bionic

diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc
index 8a41cfff..26850f9d 100644
--- a/policy/modules/admin/portage.fc
+++ b/policy/modules/admin/portage.fc
@@ -23,7 +23,7 @@
 /usr/portage(/.*)? gen_context(system_u:object_r:portage_ebuild_t,s0)
 /usr/portage/distfiles/cvs-src(/.*)?   
gen_context(system_u:object_r:portage_srcrepo_t,s0)
 /usr/portage/distfiles/egit-src(/.*)?  
gen_context(system_u:object_r:portage_srcrepo_t,s0)
-/usr/portage/distfiles/git.?-src(/.*)? 
gen_context(system_u:object_r:portage_srcrepo_t,s0)
+/usr/portage/distfiles/git[0-9]-src(/.*)?  
gen_context(system_u:object_r:portage_srcrepo_t,s0)
 /usr/portage/distfiles/go-src(/.*)?
gen_context(system_u:object_r:portage_srcrepo_t,s0)
 /usr/portage/distfiles/hg-src(/.*)?
gen_context(system_u:object_r:portage_srcrepo_t,s0)
 /usr/portage/distfiles/svn-src(/.*)?   
gen_context(system_u:object_r:portage_srcrepo_t,s0)
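Review bot: Replacing `git.?-src` with `git[0-9]-src` narrows the match: the old pattern also covered a plain `git-src` directory (and any single non-digit character), which would now fall through to the `/usr/portage(/.*)?` portage_ebuild_t rule above it. If the lint only objected to the unescaped `.`, `/usr/portage/distfiles/git[0-9]?-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0)` keeps the previous coverage while satisfying it; if the digit-less form is known to be obsolete, a note in the commit message or an fc comment would make the intentional narrowing clear.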

diff --git a/policy/modules/apps/java.fc b/policy/modules/apps/java.fc
index e8804805..d0476be2 100644
--- a/policy/modules/apps/java.fc
+++ b/policy/modules/apps/java.fc
@@ -34,5 +34,5 @@ HOME_DIR/\.java(/.*)? 
gen_context(system_u:object_r:java_home_t,s0)
 
 ifdef(`distro_gentoo',`
 # Running maven (mvn) command needs read access to this, yet the file is 
marked as bin_t otherwise
-/usr/share/maven-bin-[^/]*/bin/m2.conf --  
gen_context(system_u:object_r:usr_t,s0)
+/usr/share/maven-bin-[^/]*/bin/m2\.conf--  
gen_context(system_u:object_r:usr_t,s0)
 ')

diff --git a/policy/modules/apps/qemu.fc b/policy/modules/apps/qemu.fc
index df3aa2d3..59dcb78b 100644
--- a/policy/modules/apps/qemu.fc
+++ b/policy/modules/apps/qemu.fc
@@ -12,8 +12,8 @@
 ifdef(`distro_gentoo',`
 /usr/bin/qemu-ga   --  gen_context(system_u:object_r:qemu_ga_exec_t,s0)
 
-/var/log/qemu-ga.log   --  gen_context(system_u:object_r:qemu_ga_log_t,s0)
+/var/log/qemu-ga\.log  --  gen_context(system_u:object_r:qemu_ga_log_t,s0)
 /var/log/qemu-ga(/.*)? --  gen_context(system_u:object_r:qemu_ga_log_t,s0)
 
-/run/qemu-ga.pid   --  gen_context(system_u:object_r:qemu_ga_run_t,s0)
+/run/qemu-ga\.pid  --  gen_context(system_u:object_r:qemu_ga_run_t,s0)
 ')

diff --git a/policy/modules/contrib/android.fc 
b/policy/modules/contrib/android.fc
index af983112..a72f5d9f 100644
--- a/policy/modules/contrib/android.fc
+++ b/policy/modules/contrib/android.fc
@@ -2,7 +2,7 @@ HOME_DIR/\.AndroidStudio.*(/.*)?
gen_context(system_u:object_r:android_home_t,s
 HOME_DIR/\.android(/.*)?   
gen_context(system_u:object_r:android_home_t,s0)
 HOME_DIR/\.gradle(/.*)?
gen_context(system_u:object_r:android_home_t,s0)
 
-/opt/android-studio/bin/studio.sh  
gen_context(system_u:object_r:android_java_exec_t,s0)
+/opt/android-studio/bin/studio\.sh 
gen_context(system_u:object_r:android_java_exec_t,s0)
 
 /opt/android-sdk-update-manager/platform-tools/adb --  
gen_context(system_u:object_r:android_tools_exec_t,s0)
 /opt/android-sdk-update-manager/platform-tools/fastboot--  
gen_context(system_u:object_r:android_tools_exec_t,s0)

diff --git a/policy/modules/contrib/dirsrv.fc b/policy/modules/contrib/dirsrv.fc
index 3a33d632..a675110f 100644
--- a/policy/modules/contrib/dirsrv.fc
+++ b/policy/modules/contrib/dirsrv.fc
@@ -5,8 +5,8 @@
 /var/lib/dirsrv(/.*)?  gen_context(system_u:object_r:dirsrv_var_lib_t,s0)
 

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/

2019-07-13 Thread Jason Zaman
commit: 86a0e854927db91b4a978fe92a63e3edb5256927
Author: Chris PeBenito  linux  microsoft  com>
AuthorDate: Fri May 31 17:44:49 2019 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Jul 13 06:43:14 2019 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=86a0e854

devices: Add type for /dev/daxX.Y.

Signed-off-by: Chris PeBenito  linux.microsoft.com>
Signed-off-by: Jason Zaman  perfinion.com>

 policy/modules/kernel/devices.fc | 1 +
 policy/modules/kernel/devices.te | 6 ++
 2 files changed, 7 insertions(+)

diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
index 3b9be43f..bdff6b1a 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -21,6 +21,7 @@
 /dev/controlD64-c  
gen_context(system_u:object_r:xserver_misc_device_t,s0)
 /dev/crash -c  
gen_context(system_u:object_r:crash_device_t,mls_systemhigh)
 /dev/dahdi/.*  -c  gen_context(system_u:object_r:sound_device_t,s0)
+/dev/dax[0-9]\.[0-9]   -c  
gen_context(system_u:object_r:dax_device_t,mls_systemhigh)
 /dev/dmfm  -c  gen_context(system_u:object_r:sound_device_t,s0)
 /dev/dmmidi.*  -c  gen_context(system_u:object_r:sound_device_t,s0)
 /dev/dsp.* -c  gen_context(system_u:object_r:sound_device_t,s0)
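Review bot: The new entry `/dev/dax[0-9]\.[0-9]` only matches a single digit on each side of the dot, although the commit title describes the nodes generically as `/dev/daxX.Y`; on a machine with ten or more regions or devices a node such as `/dev/dax10.0` (constructed example) would not match and would keep the default /dev label. Using `/dev/dax[0-9]+\.[0-9]+` covers multi-digit numbers without matching anything else, and still anchors on the literal dot. The neighbouring entries in this hunk already use unbounded repetition (`/dev/dmmidi.*`), so the wider form is in keeping with the file.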

diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index a0331212..88a4246e 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -82,6 +82,12 @@ dev_node(crash_device_t)
 type crypt_device_t;
 dev_node(crypt_device_t)
 
+#
+# Type for /dev/dax*.*
+#
+type dax_device_t;
+dev_node(dax_device_t)
+
 #
 # dlm_misc_device_t is the type of /dev/misc/dlm.*
 #
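Review bot: The new type dax_device_t is declared with `dev_node(dax_device_t)` but nothing in this commit lets a specific domain use it: the diffstat lists only devices.fc and devices.te, so unless an interface exists elsewhere, the only domains that can reach these nodes are those with attribute-wide access to everything labelled via dev_node. A read/write interface in devices.if in the style of the file's other device-node interfaces would let the consumer of these nodes be confined explicitly instead of being granted blanket device access. For the comment, the file's convention two entries below is `# dlm_misc_device_t is the type of /dev/misc/dlm.*`, so `# dax_device_t is the type of /dev/dax*.*` would match it.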



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/

2019-07-13 Thread Jason Zaman
commit: 5ff9a8876e58544ab99a22441e272dcb94b0525b
Author: Chris PeBenito  linux  microsoft  com>
AuthorDate: Fri May 31 17:42:42 2019 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Jul 13 06:43:14 2019 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5ff9a887

storage: Add fc entry for /dev/pmem*

Signed-off-by: Chris PeBenito  linux.microsoft.com>
Signed-off-by: Jason Zaman  perfinion.com>

 policy/modules/kernel/storage.fc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc
index 926327bd..b6dfcd9f 100644
--- a/policy/modules/kernel/storage.fc
+++ b/policy/modules/kernel/storage.fc
@@ -41,6 +41,7 @@
 /dev/pcd[0-3]  -b  
gen_context(system_u:object_r:removable_device_t,s0)
 /dev/pd[a-d][^/]*  -b  
gen_context(system_u:object_r:removable_device_t,s0)
 /dev/pg[0-3]   -c  
gen_context(system_u:object_r:removable_device_t,s0)
+/dev/pmem[0-9]*-b  
gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/ps3d.*-b  
gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/ram.* -b  
gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/(raw/)?rawctl -c  
gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
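Review bot: `/dev/pmem[0-9]*` also matches a bare `/dev/pmem` (the `*` allows zero digits) and, if partitioned pmem namespaces show up as `/dev/pmem0p1`-style nodes, those would not match and would keep the default /dev label while the parent block device is fixed_disk_device_t at mls_systemhigh. The surrounding entries in this hunk handle the same situation with a trailing `[^/]*` (`/dev/pd[a-d][^/]*`), so `/dev/pmem[0-9][^/]*` would require at least one digit and cover partition suffixes consistently with the file. Whether partition nodes occur on the target systems is not visible from this hunk.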



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/

2019-03-26 Thread Jason Zaman
commit: 98f3eac837bb8fa985f1f3fe7090e17573c9f3a9
Author: Sugar, David  tresys  com>
AuthorDate: Tue Mar  5 22:32:44 2019 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Mon Mar 25 10:05:25 2019 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=98f3eac8

Add interface to allow relabeling of iso 9660 filesystems.

I have a case where I'm labeling media with my own types to control
access. But that requires relabeling from iso9660_t to my own type.
This interface allows that relabel.

type=AVC msg=audit(1551621984.372:919): avc:  denied  { relabelfrom } for  
pid=9717 comm="mount" scontext=staff_u:staff_r:mymedia_sudo_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:iso9660_t:s0 tclass=filesystem permissive=0

Signed-off-by: Dave Sugar  tresys.com>
Signed-off-by: Jason Zaman  perfinion.com>

 policy/modules/kernel/filesystem.if | 19 +++
 1 file changed, 19 insertions(+)

diff --git a/policy/modules/kernel/filesystem.if 
b/policy/modules/kernel/filesystem.if
index 6da7cc22..603bfc28 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -2505,6 +2505,25 @@ interface(`fs_remount_iso9660_fs',`
allow $1 iso9660_t:filesystem remount;
 ')
 
+
+## 
+## Allow changing of the label of a
+## filesystem with iso9660 type
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`fs_relabelfrom_iso9660_fs',`
+   gen_require(`
+   type iso9660_t;
+   ')
+
+   allow $1 iso9660_t:filesystem relabelfrom;
+')
+
 
 ## 
 ## Unmount an iso9660 filesystem, which
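Review bot: The summary "Allow changing of the label of a filesystem with iso9660 type" overstates what the rule grants: `allow $1 iso9660_t:filesystem relabelfrom;` covers only the source side, and the caller still needs relabelto on the destination type from its own module before the relabel in the commit message's AVC can succeed. Wording the summary as "Allow relabeling a filesystem from iso9660_t to another type (relabelfrom only; relabelto on the destination type must be granted separately)" tells the reader of the interface what else they have to provide. The rest of the interface follows the file's existing fs_remount_iso9660_fs pattern.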



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/

2019-03-26 Thread Jason Zaman
commit: 0d797afccb4ad5dd993c25bf217303343127901d
Author: Jason Zaman  perfinion  com>
AuthorDate: Mon Mar 25 10:03:18 2019 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Mon Mar 25 10:05:25 2019 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0d797afc

corenetwork: regenerate for query scripts

Signed-off-by: Jason Zaman  perfinion.com>

 policy/modules/kernel/corenetwork.if | 646 +--
 policy/modules/kernel/corenetwork.te |  26 +-
 2 files changed, 556 insertions(+), 116 deletions(-)

diff --git a/policy/modules/kernel/corenetwork.if 
b/policy/modules/kernel/corenetwork.if
index d7473484..e6fbf90f 100644
--- a/policy/modules/kernel/corenetwork.if
+++ b/policy/modules/kernel/corenetwork.if
@@ -215,6 +215,60 @@ interface(`corenet_spd_type',`
typeattribute $1 ipsec_spd_type;
 ')
 
+
+## 
+## Define type to be an infiniband pkey type
+## 
+## 
+## 
+## Define type to be an infiniband pkey type
+## 
+## 
+## This is for supporting third party modules and its
+## use is not allowed in upstream reference policy.
+## 
+## 
+## 
+## 
+## Type to be used for infiniband pkeys.
+## 
+## 
+#
+interface(`corenet_ib_pkey',`
+   gen_require(`
+   attribute ibpkey_type;
+   ')
+
+   typeattribute $1 ibpkey_type;
+')
+
+
+## 
+## Define type to be an infiniband endport
+## 
+## 
+## 
+## Define type to be an infiniband endport
+## 
+## 
+## This is for supporting third party modules and its
+## use is not allowed in upstream reference policy.
+## 
+## 
+## 
+## 
+## Type to be used for infiniband endports.
+## 
+## 
+#
+interface(`corenet_ib_endport',`
+   gen_require(`
+   attribute ibendport_type;
+   ')
+
+   typeattribute $1 ibendport_type;
+')
+
 
 ## 
 ## Send and receive TCP network traffic on generic interfaces.
@@ -584,6 +638,24 @@ interface(`corenet_raw_send_all_if',`
allow $1 netif_type:netif { rawip_send egress };
 ')
 
+
+## 
+## Send and receive SCTP network traffic on generic nodes.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`corenet_sctp_sendrecv_generic_node',`
+   gen_require(`
+   type node_t;
+   ')
+
+   allow $1 node_t:node { sendto recvfrom };
+')
+
 
 ## 
 ## Receive raw IP packets on all interfaces.
@@ -791,6 +863,24 @@ interface(`corenet_raw_sendrecv_generic_node',`
corenet_raw_receive_generic_node($1)
 ')
 
+
+## 
+## Bind SCTP sockets to generic nodes.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`corenet_sctp_bind_generic_node',`
+   gen_require(`
+   type node_t;
+   ')
+
+   allow $1 node_t:sctp_socket node_bind;
+')
+
 
 ## 
 ## Bind TCP sockets to generic nodes.
@@ -985,6 +1075,24 @@ interface(`corenet_dontaudit_udp_send_all_nodes',`
dontaudit $1 node_type:node { udp_send sendto };
 ')
 
+
+## 
+## Send and receive SCTP network traffic on all nodes.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`corenet_sctp_sendrecv_all_nodes',`
+   gen_require(`
+   attribute node_type;
+   ')
+
+   allow $1 node_type:node { sendto recvfrom };
+')
+
 
 ## 
 ## Receive UDP network traffic on all nodes.
@@ -1177,6 +1285,25 @@ interface(`corenet_tcp_sendrecv_generic_port',`
allow $1 port_t:tcp_socket { send_msg recv_msg };
 ')
 
+
+## 
+## Bind SCTP sockets to all nodes.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`corenet_sctp_bind_all_nodes',`
+   gen_require(`
+   attribute node_type;
+   ')
+
+   allow $1 node_type:sctp_socket node_bind;
+')
+
+
 
 ## 
 ## Do not audit send and receive TCP network traffic on generic ports.
@@ -1384,6 +1511,26 @@ interface(`corenet_udp_send_all_ports',`
allow $1 port_type:udp_socket send_msg;
 ')
 
+
+## 
+## Bind SCTP sockets to generic ports.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`corenet_sctp_bind_generic_port',`
+   gen_require(`
+   type port_t, unreserved_port_t, ephemeral_port_t;
+   attribute defined_port_type;
+   ')
+
+   allow $1 { port_t unreserved_port_t ephemeral_port_t }:sctp_socket 
name_bind;
+   dontaudit $1 defined_port_type:sctp_socket name_bind;
+')
+
 

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/

2019-02-09 Thread Jason Zaman
commit: b1b6e9dfd6982086f38e0e4e008d31777ee94255
Author: Jason Zaman  perfinion  com>
AuthorDate: Sun Feb 10 06:09:02 2019 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Feb 10 06:09:02 2019 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b1b6e9df

remove duplicated dev_dontaudit_read_sysfs files_dontaudit_read_etc_files

Signed-off-by: Jason Zaman  perfinion.com>

 policy/modules/kernel/devices.if | 20 
 policy/modules/kernel/files.if   | 20 
 2 files changed, 40 deletions(-)

diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 84b9d8fb..87fabe6f 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -5236,26 +5236,6 @@ interface(`dev_unconfined',`
 
 # We cannot use ifdef distro_gentoo for interfaces
 
-
-## 
-## Dont audit attempts to read hardware state information
-## 
-## 
-## 
-## Domain for which the attempts do not need to be audited
-## 
-## 
-#
-interface(`dev_dontaudit_read_sysfs',`
-   gen_require(`
-   type sysfs_t;
-   ')
-
-   dontaudit $1 sysfs_t:file read_file_perms;
-   dontaudit $1 sysfs_t:dir list_dir_perms;
-   dontaudit $1 sysfs_t:lnk_file read_lnk_file_perms;
-')
-
 
 ## 
 ## Relabel cpu online hardware state information.

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 0ace4966..b4db9c89 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -7111,26 +7111,6 @@ interface(`files_dontaudit_read_etc_runtime',`
dontaudit $1 etc_runtime_t:file read_file_perms;
 ')
 
-
-## 
-## Do not audit attempts to read files
-## in /etc
-## 
-## 
-## 
-## Domain to not audit.
-## 
-## 
-#
-interface(`files_dontaudit_read_etc_files',`
-   gen_require(`
-   type etc_t;
-   ')
-
-   dontaudit $1 etc_t:file { getattr read };
-')
-
-
 #
 ## 
 ## List usr/src files



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/contrib/

2019-02-09 Thread Jason Zaman
commit: 148fa790b9e1d17ccf85658047235034a9c4b415
Author: Jason Zaman  perfinion  com>
AuthorDate: Sun Feb 10 06:13:44 2019 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Feb 10 06:13:44 2019 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=148fa790

Remove upstreamed interface kernel_dontaudit_read_kernel_sysctls

Was upstreamed as kernel_dontaudit_read_kernel_sysctl()

Signed-off-by: Jason Zaman  perfinion.com>

 policy/modules/contrib/skype.te |  2 +-
 policy/modules/kernel/kernel.if | 18 --
 2 files changed, 1 insertion(+), 19 deletions(-)

diff --git a/policy/modules/contrib/skype.te b/policy/modules/contrib/skype.te
index 85ce3c10..dc7f73ec 100644
--- a/policy/modules/contrib/skype.te
+++ b/policy/modules/contrib/skype.te
@@ -64,7 +64,7 @@ manage_sock_files_pattern(skype_t, skype_tmp_t, skype_tmp_t)
 files_tmp_filetrans(skype_t, skype_tmp_t, { dir file sock_file })
 
 kernel_dontaudit_search_sysctl(skype_t)
-kernel_dontaudit_read_kernel_sysctls(skype_t)
+kernel_dontaudit_read_kernel_sysctl(skype_t)
 kernel_read_network_state(skype_t)
 kernel_read_system_state(skype_t)
 

diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index de5ee946..1ad282aa 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -2049,24 +2049,6 @@ interface(`kernel_read_crypto_sysctls',`
list_dirs_pattern($1, { proc_t sysctl_t }, sysctl_crypto_t)
 ')
 
-###
-## 
-## Do not audit attempted reading of kernel sysctls
-## 
-## 
-## 
-## Domain to not audit accesses from
-## 
-## 
-#
-interface(`kernel_dontaudit_read_kernel_sysctls',`
-   gen_require(`
-   type sysctl_kernel_t;
-   ')
-
-   dontaudit $1 sysctl_kernel_t:file read_file_perms;
-')
-
 
 ## 
 ## Read general kernel sysctls.



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/roles/, policy/modules/system/, ...

2019-02-09 Thread Jason Zaman
commit: 6821d0d812722efa73ccba5bee8410241b622721
Author: Russell Coker  coker  com  au>
AuthorDate: Thu Jan 31 02:58:52 2019 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Feb 10 04:11:25 2019 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6821d0d8

more misc stuff

Here's the latest stuff, most of which is to make staff_t usable as a login
domain.  Please merge whatever you think is good and skip the rest.

Signed-off-by: Jason Zaman  perfinion.com>

 policy/modules/kernel/corecommands.fc | 2 ++
 policy/modules/roles/staff.te | 4 
 policy/modules/roles/unprivuser.te| 4 
 policy/modules/services/ssh.te| 1 +
 policy/modules/system/locallogin.te   | 1 +
 policy/modules/system/systemd.te  | 3 ++-
 6 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/policy/modules/kernel/corecommands.fc 
b/policy/modules/kernel/corecommands.fc
index 6a94f6ef..3b5f9c4d 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -168,6 +168,7 @@ ifdef(`distro_gentoo',`
 
 /usr/lib/at-spi2-core(/.*)?gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/avahi/avahi-daemon-check-dns\.sh  --  
gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/bluetooth/.*  --  gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/bridge-utils/.*\.sh   --  gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/ccache/bin(/.*)?  gen_context(system_u:object_r:bin_t,s0)
 #/usr/lib/dhcpcd/dhcpcd-hooks(/.*)?gen_context(system_u:object_r:bin_t,s0)
@@ -200,6 +201,7 @@ ifdef(`distro_gentoo',`
 /usr/lib/gvfs/gvfs.*   --  gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/ipsec/.*  --  gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/kde4/libexec/.*   --  gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/[^/]+/libexec/kf5/.*  --  gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/mailman/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/mailman/mail(/.*)?gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/mediawiki/math/texvc.*
gen_context(system_u:object_r:bin_t,s0)

diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 803cca2a..1db51e0f 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -31,6 +31,10 @@ optional_policy(`
git_role(staff_r, staff_t)
 ')
 
+optional_policy(`
+   modemmanager_dbus_chat(staff_t)
+')
+
 optional_policy(`
postgresql_role(staff_r, staff_t)
 ')

diff --git a/policy/modules/roles/unprivuser.te 
b/policy/modules/roles/unprivuser.te
index 0e21b2ad..f3241612 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -20,6 +20,10 @@ optional_policy(`
git_role(user_r, user_t)
 ')
 
+optional_policy(`
+   modemmanager_dbus_chat(user_t)
+')
+
 optional_policy(`
screen_role_template(user, user_r, user_t)
 ')

diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 9a9b1061..ccc29001 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -178,6 +178,7 @@ logging_read_generic_logs(ssh_t)
 
 auth_use_nsswitch(ssh_t)
 
+miscfiles_read_generic_certs(ssh_t)
 miscfiles_read_localization(ssh_t)
 
 seutil_read_config(ssh_t)

diff --git a/policy/modules/system/locallogin.te 
b/policy/modules/system/locallogin.te
index 9908a645..adbe775e 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -209,6 +209,7 @@ optional_policy(`
 ')
 
 optional_policy(`
+   xserver_link_xdm_keys(local_login_t)
xserver_read_xdm_tmp_files(local_login_t)
xserver_rw_xdm_tmp_files(local_login_t)
xserver_rw_xdm_keys(local_login_t)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index e5f37321..34c38cad 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1008,6 +1008,7 @@ files_create_lock_dirs(systemd_tmpfiles_t)
 files_manage_all_pid_dirs(systemd_tmpfiles_t)
 files_delete_usr_files(systemd_tmpfiles_t)
 files_list_home(systemd_tmpfiles_t)
+files_list_locks(systemd_tmpfiles_t)
 files_manage_generic_tmp_dirs(systemd_tmpfiles_t)
 files_manage_var_dirs(systemd_tmpfiles_t)
 files_manage_var_lib_dirs(systemd_tmpfiles_t)
@@ -1026,8 +1027,8 @@ files_relabelto_etc_dirs(systemd_tmpfiles_t)
 files_manage_etc_symlinks(systemd_tmpfiles_t)
 
 fs_getattr_tmpfs(systemd_tmpfiles_t)
-fs_getattr_tmpfs_dirs(systemd_tmpfiles_t)
 fs_getattr_xattr_fs(systemd_tmpfiles_t)
+fs_list_tmpfs(systemd_tmpfiles_t)
 
 selinux_get_fs_mount(systemd_tmpfiles_t)
 selinux_search_fs(systemd_tmpfiles_t)
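Review bot: Replacing `fs_getattr_tmpfs_dirs(systemd_tmpfiles_t)` with `fs_list_tmpfs(systemd_tmpfiles_t)` widens the access from getattr on tmpfs directories to listing them (presumably list_dir_perms, which subsumes the getattr the removed line granted), and neither this hunk nor the commit message "more misc stuff" records which tmpfiles.d rule or denial motivated it; the same applies to `files_list_locks(systemd_tmpfiles_t)` in the previous hunk of this file. Since systemd_tmpfiles_t is a privileged domain, a short note in the commit message naming the access that was denied would let a later reviewer judge whether the listing permission is still needed. The enclosing block of rules for systemd_tmpfiles_t starts outside the hunk.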



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/services/

2019-02-09 Thread Jason Zaman
commit: f75896871e29215b93854d20fa218118dc70e45d
Author: Alexander Miroshnichenko  millerson  name>
AuthorDate: Sat Jan 26 18:50:12 2019 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Feb 10 04:11:25 2019 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f7589687

fs_mmap_rw_hugetlbfs_files is a more appropriate name for the interface

Signed-off-by: Jason Zaman  perfinion.com>

 policy/modules/kernel/filesystem.if   | 2 +-
 policy/modules/services/postgresql.te | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/kernel/filesystem.if 
b/policy/modules/kernel/filesystem.if
index 7d9f0f43..6da7cc22 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -2350,7 +2350,7 @@ interface(`fs_rw_hugetlbfs_files',`
 ##  
 ## 
 #
-interface(`fs_rmw_hugetlbfs_files',`
+interface(`fs_mmap_rw_hugetlbfs_files',`
 gen_require(`
 type hugetlbfs_t;
 ')

diff --git a/policy/modules/services/postgresql.te 
b/policy/modules/services/postgresql.te
index 09824a8b..3bdffe4f 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -331,7 +331,7 @@ dev_read_urand(postgresql_t)
 
 fs_getattr_all_fs(postgresql_t)
 fs_search_auto_mountpoints(postgresql_t)
-fs_rmw_hugetlbfs_files(postgresql_t)
+fs_mmap_rw_hugetlbfs_files(postgresql_t)
 
 selinux_get_enforce_mode(postgresql_t)
 selinux_validate_context(postgresql_t)



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/services/

2019-02-09 Thread Jason Zaman
commit: d4995122c6b1cdde1674282d58bc69494119f6d8
Author: Chris PeBenito  ieee  org>
AuthorDate: Sun Jan 27 17:58:33 2019 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Feb 10 04:11:25 2019 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d4995122

filesystem, postgresql: Module version bump.

Signed-off-by: Jason Zaman  perfinion.com>

 policy/modules/kernel/filesystem.te   | 2 +-
 policy/modules/services/postgresql.te | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/kernel/filesystem.te 
b/policy/modules/kernel/filesystem.te
index 8ddacd76..5cbf319b 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -1,4 +1,4 @@
-policy_module(filesystem, 1.24.0)
+policy_module(filesystem, 1.24.1)
 
 
 #

diff --git a/policy/modules/services/postgresql.te 
b/policy/modules/services/postgresql.te
index 3bdffe4f..8f7043c3 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -1,4 +1,4 @@
-policy_module(postgresql, 1.19.0)
+policy_module(postgresql, 1.19.1)
 
 gen_require(`
class db_database all_db_database_perms;



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/

2019-02-09 Thread Jason Zaman
commit: 136b8a2b8c1ea3bb501b668de7401e01a87e780b
Author: Jason Zaman  perfinion  com>
AuthorDate: Sat Jan 12 08:03:41 2019 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Feb 10 04:11:25 2019 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=136b8a2b

files: introduce files_dontaudit_read_etc_files

Signed-off-by: Jason Zaman  perfinion.com>

 policy/modules/kernel/files.if | 19 +++
 1 file changed, 19 insertions(+)

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 4920809d..0ace4966 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -3405,6 +3405,25 @@ interface(`files_dontaudit_read_etc_runtime_files',`
dontaudit $1 etc_runtime_t:file { getattr read };
 ')
 
+
+## 
+## Do not audit attempts to read files
+## in /etc
+## 
+## 
+## 
+## Domain to not audit.
+## 
+## 
+#
+interface(`files_dontaudit_read_etc_files',`
+   gen_require(`
+   type etc_t;
+   ')
+
+   dontaudit $1 etc_t:file { getattr read };
+')
+
 
 ## 
 ## Do not audit attempts to write
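Review bot: Before adding files_dontaudit_read_etc_files it is worth checking whether an interface of the same name already exists in files.if, since a later commit on this page (b1b6e9df, "remove duplicated dev_dontaudit_read_sysfs files_dontaudit_read_etc_files") removes this exact definition as a duplicate; the same applies to the dev_dontaudit_read_sysfs interface added to devices.if in commit 63ab6a38 further down. I believe m4 silently takes the last definition of a redefined macro, so a duplicate interface is easy to miss until a cleanup pass. The permission set `{ getattr read }` is consistent with the neighbouring files_dontaudit_read_etc_runtime_files above it.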



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/

2019-02-09 Thread Jason Zaman
commit: f2e3f0187d67264d9511dbbdbc3b40d898ac9eed
Author: Jason Zaman  perfinion  com>
AuthorDate: Sat Jan 12 08:03:42 2019 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Feb 10 04:11:25 2019 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f2e3f018

kernel: introduce kernel_dontaudit_read_kernel_sysctl

Signed-off-by: Jason Zaman  perfinion.com>

 policy/modules/kernel/kernel.if | 18 ++
 1 file changed, 18 insertions(+)

diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 5afc4802..de5ee946 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -2012,6 +2012,24 @@ interface(`kernel_dontaudit_search_kernel_sysctl',`
dontaudit $1 sysctl_kernel_t:dir search;
 ')
 
+###
+## 
+## Do not audit attempted reading of kernel sysctls
+## 
+## 
+## 
+## Domain to not audit accesses from
+## 
+## 
+#
+interface(`kernel_dontaudit_read_kernel_sysctl',`
+   gen_require(`
+   type sysctl_kernel_t;
+   ')
+
+   dontaudit $1 sysctl_kernel_t:file read_file_perms;
+')
+
 
 ## 
 ## Read generic crypto sysctls.



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/

2019-02-09 Thread Jason Zaman
commit: 63ab6a3846fefa9040bd9a3b21bdfa8c84b5dc31
Author: Jason Zaman  perfinion  com>
AuthorDate: Sat Jan 12 08:03:40 2019 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Feb 10 04:11:25 2019 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=63ab6a38

devices: introduce dev_dontaudit_read_sysfs

Signed-off-by: Jason Zaman  perfinion.com>

 policy/modules/kernel/devices.if | 20 
 1 file changed, 20 insertions(+)

diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 0966a468..84b9d8fb 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -4043,6 +4043,26 @@ interface(`dev_dontaudit_getattr_sysfs',`
dontaudit $1 sysfs_t:filesystem getattr;
 ')
 
+
+## 
+## Dont audit attempts to read hardware state information
+## 
+## 
+## 
+## Domain for which the attempts do not need to be audited
+## 
+## 
+#
+interface(`dev_dontaudit_read_sysfs',`
+   gen_require(`
+   type sysfs_t;
+   ')
+
+   dontaudit $1 sysfs_t:file read_file_perms;
+   dontaudit $1 sysfs_t:dir list_dir_perms;
+   dontaudit $1 sysfs_t:lnk_file read_lnk_file_perms;
+')
+
 
 ## 
 ## mounton sysfs directories.



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/flask/, policy/modules/system/, policy/

2018-11-11 Thread Jason Zaman
commit: de73378ad96f678ee8882969b84bdcf3b721db1a
Author: Chris PeBenito  ieee  org>
AuthorDate: Mon Oct  8 17:46:05 2018 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Nov 11 23:17:31 2018 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=de73378a

Remove unused translate permission in context userspace class.

mcstransd never implemented this permission.  To keep permission indices
lined up, replace the permission with "unused_perm" to make it clear that
it has no effect.

Signed-off-by: Jason Zaman  perfinion.com>

 policy/flask/access_vectors  |  2 +-
 policy/mls   |  3 ---
 policy/modules/kernel/domain.te  |  6 +-
 policy/modules/kernel/mls.if |  8 ++--
 policy/modules/kernel/mls.te |  4 +---
 policy/modules/system/setrans.if | 12 ++--
 policy/modules/system/setrans.te |  2 +-
 7 files changed, 8 insertions(+), 29 deletions(-)

diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index 0630f012..b011d37e 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -765,7 +765,7 @@ class key
 
 class context
 {
-   translate
+   unused_perm
contains
 }
 

diff --git a/policy/mls b/policy/mls
index eeca15a8..484e3ca3 100644
--- a/policy/mls
+++ b/policy/mls
@@ -764,9 +764,6 @@ mlsconstrain association { polmatch }
 # MLS policy for the context class
 #
 
-mlsconstrain context translate
-   (( h1 dom h2 ) or ( t1 == mlstranslate ));
-
 mlsconstrain context contains
(( h1 dom h2 ) and ( l1 domby l2));
 

diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
index 7a34bb07..41ae69db 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -1,4 +1,4 @@
-policy_module(domain, 1.14.0)
+policy_module(domain, 1.14.1)
 
 
 #
@@ -137,10 +137,6 @@ optional_policy(`
libs_use_shared_libs(domain)
 ')
 
-optional_policy(`
-   setrans_translate_context(domain)
-')
-
 # xdm passes an open file descriptor to xsession-errors.log which is then 
audited by all confined domains.
 optional_policy(`
xserver_dontaudit_use_xdm_fds(domain)

diff --git a/policy/modules/kernel/mls.if b/policy/modules/kernel/mls.if
index 2e2bebc2..c11c7b95 100644
--- a/policy/modules/kernel/mls.if
+++ b/policy/modules/kernel/mls.if
@@ -849,7 +849,7 @@ interface(`mls_fd_share_all_levels',`
 
 ## 
 ## Make specified domain MLS trusted
-## for translating contexts at all levels.
+## for translating contexts at all levels.  (Deprecated)
 ## 
 ## 
 ## 
@@ -859,11 +859,7 @@ interface(`mls_fd_share_all_levels',`
 ## 
 #
 interface(`mls_context_translate_all_levels',`
-   gen_require(`
-   attribute mlstranslate;
-   ')
-
-   typeattribute $1 mlstranslate;
+   refpolicywarn(`$0($*) has been deprecated')
 ')
 
 

diff --git a/policy/modules/kernel/mls.te b/policy/modules/kernel/mls.te
index 3f842ea3..6fc595e2 100644
--- a/policy/modules/kernel/mls.te
+++ b/policy/modules/kernel/mls.te
@@ -1,4 +1,4 @@
-policy_module(mls, 1.10.0)
+policy_module(mls, 1.10.1)
 
 
 #
@@ -69,7 +69,5 @@ attribute mlsrangetrans;
 attribute mlsfduse;
 attribute mlsfdshare;
 
-attribute mlstranslate;
-
 attribute mlsdbusrecv;
 attribute mlsdbussend;

diff --git a/policy/modules/system/setrans.if b/policy/modules/system/setrans.if
index 9478dd9b..03afaa92 100644
--- a/policy/modules/system/setrans.if
+++ b/policy/modules/system/setrans.if
@@ -21,7 +21,7 @@ interface(`setrans_initrc_domtrans',`
 
 ###
 ## 
-## Allow a domain to translate contexts.
+## Allow a domain to translate contexts.  (Deprecated)
 ## 
 ## 
 ## 
@@ -30,15 +30,7 @@ interface(`setrans_initrc_domtrans',`
 ## 
 #
 interface(`setrans_translate_context',`
-   gen_require(`
-   type setrans_t, setrans_var_run_t;
-   class context translate;
-   ')
-
-   allow $1 self:unix_stream_socket create_stream_socket_perms;
-   allow $1 setrans_t:context translate;
-   stream_connect_pattern($1, setrans_var_run_t, setrans_var_run_t, 
setrans_t)
-   files_list_pids($1)
+   refpolicywarn(`$0($*) has been deprecated')
 ')
 
 ##
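Review bot: Deprecating setrans_translate_context drops more than the unused `context translate` permission: the removed body also granted `self:unix_stream_socket create_stream_socket_perms`, the stream connect to setrans_t through setrans_var_run_t, and `files_list_pids($1)`, which are what a client of the translation daemon needs to reach its socket, and the domain.te hunk in this commit stops calling the interface for every domain. Unless that socket access is granted elsewhere (not visible here), confined domains will now be denied when they try to contact setrans_t. Keeping the interface body and deleting only `class context translate;` from the gen_require and the `allow $1 setrans_t:context translate;` line would remove the dead permission while preserving the socket access.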

diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
index 3f50e546..24c3577e 100644
--- a/policy/modules/system/setrans.te
+++ b/policy/modules/system/setrans.te
@@ -1,4 +1,4 @@
-policy_module(setrans, 1.14.0)
+policy_module(setrans, 1.14.1)
 
 gen_require(`
class context contains;



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/

2018-09-11 Thread Jason Zaman
commit: cae8d35ee1c8db81725474f4ffd04b90a2ff2b91
Author: Chris PeBenito  ieee  org>
AuthorDate: Sun Jul 15 20:56:51 2018 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Sep  9 03:07:46 2018 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=cae8d35e

devices: Module version bump.

 policy/modules/kernel/devices.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 79b9c8da..473ccf84 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -1,4 +1,4 @@
-policy_module(devices, 1.23.1)
+policy_module(devices, 1.23.2)
 
 
 #



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/

2018-09-11 Thread Jason Zaman
commit: c83e985052c5fac77e8895d4569aad3289f42d1e
Author: Jagannathan Raman  oracle  com>
AuthorDate: Fri Jul 13 17:05:36 2018 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Sep  9 03:07:46 2018 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c83e9850

vhost: Add /dev/vhost-scsi device of type vhost_device_t.

Signed-off-by: Jagannathan Raman  oracle.com>

 policy/modules/kernel/devices.fc | 1 +
 policy/modules/kernel/devices.if | 2 +-
 policy/modules/kernel/devices.te | 3 ++-
 3 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
index e206720b..5ec14acf 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -120,6 +120,7 @@ ifdef(`distro_suse', `
 ')
 /dev/vfio/.+   -c  gen_context(system_u:object_r:vfio_device_t,s0)
 /dev/vhost-net -c  gen_context(system_u:object_r:vhost_device_t,s0)
+/dev/vhost-scsi-c  
gen_context(system_u:object_r:vhost_device_t,s0)
 /dev/vbi.* -c  gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/vbox.*-c  
gen_context(system_u:object_r:xserver_misc_device_t,s0)
 /dev/vga_arbiter   -c  
gen_context(system_u:object_r:xserver_misc_device_t,s0)
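Review bot: Labelling the new /dev/vhost-scsi node with the existing vhost_device_t folds the SCSI target backend into the same type as vhost-net, so every domain that already holds the vhost read/write interface silently gains access to the vhost-scsi control node as well. If that widening is intended, the interface summary changed in the devices.if hunk of this commit should state explicitly that it now covers both nodes, e.g. `## Allow read/write the vhost devices (/dev/vhost-net and /dev/vhost-scsi)`; if it is not, a separate type for vhost-scsi would keep the grant per device. The devices.te comment in the same commit documents the shared type, which is consistent with the first option.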

diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index f68d60ab..0966a468 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -4839,7 +4839,7 @@ interface(`dev_relabelfrom_vfio_dev',`
 
 
 ## 
-## Allow read/write the vhost net device
+## Allow read/write the vhost devices
 ## 
 ## 
 ## 

diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 4ce5fecf..79b9c8da 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -286,7 +286,8 @@ type v4l_device_t;
 dev_node(v4l_device_t)
 
 #
-# vhost_device_t is the type for /dev/vhost-net
+# vhost_device_t is the type for vhost devices like
+# /dev/vhost-net and /dev/vhost-scsi
 #
 type vhost_device_t;
 dev_node(vhost_device_t)



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/

2018-07-12 Thread Jason Zaman
commit: 792f78b7b4b4289a8044c300fcbe02fb7ceab157
Author: Jason Zaman  perfinion  com>
AuthorDate: Tue Jul 10 15:03:14 2018 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Wed Jul 11 14:41:35 2018 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=792f78b7

selinux: compute_access_vector requires creating netlink_selinux_sockets

 policy/modules/kernel/selinux.if | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
index 8123b25f..6790e5d0 100644
--- a/policy/modules/kernel/selinux.if
+++ b/policy/modules/kernel/selinux.if
@@ -534,6 +534,7 @@ interface(`selinux_compute_access_vector',`
')
 
dev_search_sysfs($1)
+   allow $1 self:netlink_selinux_socket create_socket_perms;
allow $1 security_t:dir list_dir_perms;
allow $1 security_t:file rw_file_perms;
allow $1 security_t:security compute_av;
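Review bot: The added `allow $1 self:netlink_selinux_socket create_socket_perms;` widens selinux_compute_access_vector for every caller, and nothing in the hunk records why computing an access vector needs a netlink socket, so a future cleanup could easily drop it again; a why-comment on the line such as `# creating a netlink_selinux_socket is required by compute_av callers (see commit message)` would preserve the rationale. The interface's XML summary, which starts outside the hunk, should also mention the socket grant. Whether the full create_socket_perms set is needed rather than just create is not visible here and worth confirming.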



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/admin/, policy/modules/system/, ...

2018-07-08 Thread Jason Zaman
commit: 89ac4d4f33529492c2840cd3df115321a38018a3
Author: Chris PeBenito  ieee  org>
AuthorDate: Sun Jul  1 15:02:33 2018 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Mon Jul  2 11:47:17 2018 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=89ac4d4f

Bump module versions for release.

 policy/modules/admin/alsa.te  | 2 +-
 policy/modules/admin/apt.te   | 2 +-
 policy/modules/admin/cfengine.te  | 2 +-
 policy/modules/admin/dpkg.te  | 2 +-
 policy/modules/admin/firstboot.te | 2 +-
 policy/modules/admin/kismet.te| 2 +-
 policy/modules/admin/logrotate.te | 2 +-
 policy/modules/admin/portage.te   | 2 +-
 policy/modules/admin/rpm.te   | 2 +-
 policy/modules/admin/samhain.te   | 2 +-
 policy/modules/admin/sectoolm.te  | 2 +-
 policy/modules/admin/shorewall.te | 2 +-
 policy/modules/admin/sosreport.te | 2 +-
 policy/modules/apps/evolution.te  | 2 +-
 policy/modules/apps/games.te  | 2 +-
 policy/modules/apps/gnome.te  | 2 +-
 policy/modules/apps/gpg.te| 2 +-
 policy/modules/apps/irc.te| 2 +-
 policy/modules/apps/java.te   | 2 +-
 policy/modules/apps/mozilla.te| 2 +-
 policy/modules/apps/mplayer.te| 2 +-
 policy/modules/apps/openoffice.te | 2 +-
 policy/modules/apps/pulseaudio.te | 2 +-
 policy/modules/apps/qemu.te   | 2 +-
 policy/modules/apps/syncthing.te  | 2 +-
 policy/modules/apps/telepathy.te  | 2 +-
 policy/modules/apps/thunderbird.te| 2 +-
 policy/modules/apps/wireshark.te  | 2 +-
 policy/modules/apps/wm.te | 2 +-
 policy/modules/apps/xscreensaver.te   | 2 +-
 policy/modules/kernel/corecommands.te | 2 +-
 policy/modules/kernel/corenetwork.te.in   | 2 +-
 policy/modules/kernel/devices.te  | 2 +-
 policy/modules/kernel/files.te| 2 +-
 policy/modules/kernel/terminal.te | 2 +-
 policy/modules/services/accountsd.te  | 2 +-
 policy/modules/services/apache.te | 2 +-
 policy/modules/services/bugzilla.te   | 2 +-
 policy/modules/services/ccs.te| 2 +-
 policy/modules/services/chronyd.te| 2 +-
 policy/modules/services/cobbler.te| 2 +-
 policy/modules/services/colord.te | 2 +-
 policy/modules/services/cron.te   | 2 +-
 policy/modules/services/cups.te   | 2 +-
 policy/modules/services/dbus.te   | 2 +-
 policy/modules/services/devicekit.te  | 2 +-
 policy/modules/services/dictd.te  | 2 +-
 policy/modules/services/dirmngr.te| 2 +-
 policy/modules/services/djbdns.te | 2 +-
 policy/modules/services/dspam.te  | 2 +-
 policy/modules/services/firewalld.te  | 2 +-
 policy/modules/services/ftp.te| 2 +-
 policy/modules/services/i18n_input.te | 2 +-
 policy/modules/services/ifplugd.te| 2 +-
 policy/modules/services/lsm.te| 2 +-
 policy/modules/services/minidlna.te   | 2 +-
 policy/modules/services/mojomojo.te   | 2 +-
 policy/modules/services/mta.te| 2 +-
 policy/modules/services/networkmanager.te | 2 +-
 policy/modules/services/ntp.te| 2 +-
 policy/modules/services/obex.te   | 2 +-
 policy/modules/services/plymouthd.te  | 2 +-
 policy/modules/services/postfix.te| 2 +-
 policy/modules/services/rabbitmq.te   | 2 +-
 policy/modules/services/redis.te  | 2 +-
 policy/modules/services/rsync.te  | 2 +-
 policy/modules/services/samba.te  | 2 +-
 policy/modules/services/sendmail.te   | 2 +-
 policy/modules/services/setroubleshoot.te | 2 +-
 policy/modules/services/sssd.te   | 2 +-
 policy/modules/services/tftp.te   | 2 +-
 policy/modules/services/tor.te| 2 +-
 policy/modules/services/virt.te   | 2 +-
 policy/modules/services/xserver.te| 2 +-
 policy/modules/system/authlogin.te| 2 +-
 policy/modules/system/init.te | 2 +-
 policy/modules/system/ipsec.te| 2 +-
 policy/modules/system/iptables.te | 2 +-
 policy/modules/system/locallogin.te   | 2 +-
 policy/modules/system/logging.te  | 2 +-
 policy/modules/system/lvm.te  | 2 +-
 policy/modules/system/modutils.te | 2 +-
 policy/modules/system/sysnetwork.te   | 2 +-
 policy/modules/system/systemd.te  | 2 +-
 policy/modules/system/udev.te | 2 +-
 policy/modules/system/unconfined.te   | 2 +-
 policy/modules/system/userdomain.te   | 2 +-
 policy/modules/system/xdg.te  | 2 +-
 88 files changed, 88 insertions(+), 88 deletions(-)

diff --git a/policy/modules/admin/alsa.te b/policy/modules/admin/alsa.te
index 008b6d25..46455184 100644
--- a/policy/modules/admin/alsa.te
+++ b/policy/modules/admin/alsa.te
@@ -1,4 +1,4 @@

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/

2018-06-08 Thread Jason Zaman
commit: 738d5a8078c3e287725862c78041e92f7f92dfcb
Author: Jason Zaman  perfinion  com>
AuthorDate: Thu Jun  7 10:29:26 2018 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Fri Jun  8 11:10:51 2018 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=738d5a80

corecommands: adjust gcc fcontext to also work on musl

 policy/modules/kernel/corecommands.fc | 8 
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/policy/modules/kernel/corecommands.fc 
b/policy/modules/kernel/corecommands.fc
index 9bdcb747..3877b5f0 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -351,10 +351,10 @@ ifdef(`distro_debian',`
 ')
 
 ifdef(`distro_gentoo', `
-/usr/[^/]+-[^/]+-linux-gnu/gcc-bin/.*(/.*)?
gen_context(system_u:object_r:bin_t,s0)
-/usr/[^/]+-[^/]+-linux-gnu/binutils-bin(/.*)?  
gen_context(system_u:object_r:bin_t,s0)
-/usr/[^/]+-[^/]+-linux-gnu/[^/]+/gcc-bin/.*(/.*)?  
gen_context(system_u:object_r:bin_t,s0)
-/usr/[^/]+-[^/]+-linux-gnu/[^/]+/binutils-bin(/.*)?
gen_context(system_u:object_r:bin_t,s0)
+/usr/[^/-]+-[^/-]+-linux-[^/-]+/gcc-bin/.*(/.*)?   
gen_context(system_u:object_r:bin_t,s0)
+/usr/[^/-]+-[^/-]+-linux-[^/-]+/binutils-bin(/.*)? 
gen_context(system_u:object_r:bin_t,s0)
+/usr/[^/-]+-[^/-]+-linux-[^/-]+/[^/]+/gcc-bin/.*(/.*)? 
gen_context(system_u:object_r:bin_t,s0)
+/usr/[^/-]+-[^/-]+-linux-[^/-]+/[^/]+/binutils-bin(/.*)?   
gen_context(system_u:object_r:bin_t,s0)
 
 /usr/lib/rcscripts/addons(/.*)?
gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/rcscripts/sh(/.*)?gen_context(system_u:object_r:bin_t,s0)
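Review bot: Tightening the vendor and machine fields from `[^/]+` to `[^/-]+` means a CHOST whose fields themselves contain a hyphen, which the old pattern matched, no longer matches any of the four rules; such a toolchain directory would then fall back to the generic /usr label and its gcc and binutils binaries would lose bin_t. Whether Gentoo produces such triplets is not visible here, so this is worth checking against the CHOST values the profiles actually generate before relying on the new form. The final `-linux-[^/-]+` component is what makes musl hosts match and looks correct.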



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/

2018-01-18 Thread Sven Vermeulen
commit: f062077321cb890d203c806aa51c0e8ff3991990
Author: Nicolas Iooss  m4x  org>
AuthorDate: Fri Dec 15 21:48:23 2017 +
Commit: Sven Vermeulen  gentoo  org>
CommitDate: Thu Jan 18 16:31:04 2018 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f0620773

corecommands: label systemd script directories bin_t

systemd defines in /usr/lib/systemd several directories which can
contain scripts or executable files:
- system-environment-generators/ and user-environment-generators/
  documented in
  
https://www.freedesktop.org/software/systemd/man/systemd.environment-generator.html
- system-shutdown/ documented in
  https://www.freedesktop.org/software/systemd/man/systemd-halt.service.html
- system-sleep/ documented in
  https://www.freedesktop.org/software/systemd/man/systemd-suspend.service.html

Currently the content of these directories is labelled lib_t, which
causes the following AVC on Arch Linux:

avc:  denied  { execute_no_trans } for  pid=10308 comm="systemd"
path="/usr/lib/systemd/system-environment-generators/10-arch"
dev="vda1" ino=543182 scontext=system_u:system_r:init_t
tcontext=system_u:object_r:lib_t tclass=file permissive=1

For reference, /usr/lib/systemd/system-environment-generators/10-arch
only defines $PATH; its content is available at
https://git.archlinux.org/svntogit/packages.git/tree/trunk/env-generator?h=packages/filesystem

 policy/modules/kernel/corecommands.fc | 4 
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/kernel/corecommands.fc 
b/policy/modules/kernel/corecommands.fc
index 6409fcdd..9bdcb747 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -225,7 +225,11 @@ ifdef(`distro_gentoo',`
 /usr/lib/ssh(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/sudo/sesh --  
gen_context(system_u:object_r:shell_exec_t,s0)
 /usr/lib/systemd/systemd.* --  gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/systemd/system-environment-generators(/.*)? 
gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/systemd/system-generators(/.*)? 
gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/systemd/system-shutdown(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/systemd/system-sleep(/.*)?gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/systemd/user-environment-generators(/.*)? 
gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/systemd/user-generators(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/tumbler-1/tumblerd--  gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/udev/[^/]*--  
gen_context(system_u:object_r:bin_t,s0)
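Review bot: The four new rules label the whole directory trees bin_t via `(/.*)?`, matching the existing system-generators entry, which is appropriate since systemd executes their contents; note that this also makes any non-script data dropped into those directories carry an executable type, which is the same trade-off the neighbouring entries already make. A short comment grouping the five systemd hook directories, e.g. `# systemd executes the contents of these directories`, would help the next reader see why they differ from the rest of /usr/lib/systemd.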



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/

2018-01-18 Thread Sven Vermeulen
commit: 3cfa359b54921eda7f449dd445dadd7e231e4eb3
Author: Christian Göttsche  googlemail  com>
AuthorDate: Mon Jan  1 11:32:34 2018 +
Commit: Sven Vermeulen  gentoo  org>
CommitDate: Thu Jan 18 16:31:23 2018 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3cfa359b

filesystem: add fs_rw_inherited_hugetlbfs_files for apache module

 policy/modules/kernel/filesystem.if | 18 ++
 1 file changed, 18 insertions(+)

diff --git a/policy/modules/kernel/filesystem.if 
b/policy/modules/kernel/filesystem.if
index 168f204a..7f245e29 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -2306,6 +2306,24 @@ interface(`fs_manage_hugetlbfs_dirs',`
 
 
 ## 
+## Read and write inherited hugetlbfs files.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`fs_rw_inherited_hugetlbfs_files',`
+   gen_require(`
+   type hugetlbfs_t;
+   ')
+
+   allow $1 hugetlbfs_t:file rw_inherited_file_perms;
+')
+
+
+## 
 ## Read and write hugetlbfs files.
 ## 
 ## 
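Review bot: `rw_inherited_file_perms` does not include the `map` permission, and hugetlbfs files are normally used through mmap, so a domain given fs_rw_inherited_hugetlbfs_files may still be denied when it maps the inherited descriptor on kernels that enforce the file map permission. If mapping is part of the apache use case this interface is added for, consider adding `allow $1 hugetlbfs_t:file map;` alongside the rw rule, or stating in the XML summary that mapping is deliberately excluded. The permission set itself is defined outside this hunk, so confirm its contents before changing the rule.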



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/

2017-12-13 Thread Jason Zaman
commit: 1288708d6097b3d28587465b562b038d3df1bb14
Author: Jason Zaman  perfinion  com>
AuthorDate: Wed Dec 13 18:15:36 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Thu Dec 14 04:55:22 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1288708d

storage: Add fcontexts for NVMe disks

NVMe has several dev nodes for each device:
/dev/nvme0 is a char device for communicating with the controller
/dev/nvme0n1 is the block device that stores the data.
/dev/nvme0n1p1 is the first partition

 policy/modules/kernel/storage.fc | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc
index 375b10bc..c7e3ac0d 100644
--- a/policy/modules/kernel/storage.fc
+++ b/policy/modules/kernel/storage.fc
@@ -33,6 +33,8 @@
 /dev/mspblk.*  -b  
gen_context(system_u:object_r:removable_device_t,s0)
 /dev/mtd.* -b  
gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/nb[^/]+   -b  
gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/dev/nvme[0-9]+-c  
gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+/dev/nvme[0-9]n[^/]+   -b  
gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/optcd -b  
gen_context(system_u:object_r:removable_device_t,s0)
 /dev/p[fg][0-3]-b  
gen_context(system_u:object_r:removable_device_t,s0)
 /dev/pcd[0-3]  -b  
gen_context(system_u:object_r:removable_device_t,s0)
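Review bot: The namespace rule `/dev/nvme[0-9]n[^/]+` accepts only a single-digit controller index, while the controller rule directly above it uses `[0-9]+`, so on a host with more than ten NVMe controllers /dev/nvme10n1 and its partitions would not receive fixed_disk_device_t and would fall back to the default device label. Change it to `/dev/nvme[0-9]+n[^/]+   -b  gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)`. Because `[^/]+` already covers partition suffixes such as n1p1, no separate partition rule is needed.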



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/

2017-12-13 Thread Jason Zaman
commit: 414de294634f9a02b072c433c1aab4387f60925e
Author: Chad Hanson  gmail  com>
AuthorDate: Mon Dec 11 04:02:15 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Wed Dec 13 11:59:25 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=414de294

Fix implementation of MLS file relabel attributes

This patch properly completes the implementation of the MLS file relabel
attributes. In the previous patch
[http://oss.tresys.com/pipermail/refpolicy/2016-July/008038.html], a new
attribute, mlsfilerelabeltoclr, was created. There should have been a second
attribute, mlsfilerelabel, created instead of overloading mlsfilewrite for this
privilege. I concur with creating new attributes for this situation. I have
created the patch below.

Signed-off-by: Chad Hanson  gmail.com>

 policy/mls   |  2 +-
 policy/modules/kernel/mls.if | 28 
 policy/modules/kernel/mls.te |  3 ++-
 3 files changed, 27 insertions(+), 6 deletions(-)

diff --git a/policy/mls b/policy/mls
index 2dadd205..73ff301b 100644
--- a/policy/mls
+++ b/policy/mls
@@ -72,7 +72,7 @@ mlsconstrain { file lnk_file fifo_file } { create relabelto }
 mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } 
relabelto
(( h1 dom h2 ) or
(( t1 == mlsfilerelabeltoclr ) and ( h1 dom l2 )) or
-   ( t1 == mlsfilewrite ));
+   ( t1 == mlsfilerelabel ));
 
 # the file "read" ops (note the check is dominance of the low level)
 mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { 
read getattr execute }
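Review bot: Switching the relabelto constraint from `t1 == mlsfilewrite` to `t1 == mlsfilerelabel` removes the all-levels relabel privilege from every domain that currently obtains it through mls_file_write_all_levels(), and the diffstat shows no caller being updated to call the new mls_file_relabel(); any such domain will begin failing MLS relabelto checks in enforcing mode after this change. Either audit the callers of mls_file_write_all_levels() that also relabel files and add mls_file_relabel() where needed, or state in the commit message that the narrowing is deliberate. The same concern applies to the mls.if and mls.te hunks in this commit, which only introduce the attribute and interface.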

diff --git a/policy/modules/kernel/mls.if b/policy/modules/kernel/mls.if
index b09c0a5a..2e2bebc2 100644
--- a/policy/modules/kernel/mls.if
+++ b/policy/modules/kernel/mls.if
@@ -74,6 +74,26 @@ interface(`mls_file_write_to_clearance',`
 
 ## 
 ## Make specified domain MLS trusted
+## for writing to files at all levels.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+## 
+#
+interface(`mls_file_write_all_levels',`
+   gen_require(`
+   attribute mlsfilewrite;
+   ')
+
+   typeattribute $1 mlsfilewrite;
+')
+
+
+## 
+## Make specified domain MLS trusted
 ## for relabelto to files up to its clearance.
 ## 
 ## 
@@ -94,7 +114,7 @@ interface(`mls_file_relabel_to_clearance',`
 
 ## 
 ## Make specified domain MLS trusted
-## for writing to files at all levels.
+## for relabelto to files at all levels.
 ## 
 ## 
 ## 
@@ -103,12 +123,12 @@ interface(`mls_file_relabel_to_clearance',`
 ## 
 ## 
 #
-interface(`mls_file_write_all_levels',`
+interface(`mls_file_relabel',`
gen_require(`
-   attribute mlsfilewrite;
+   attribute mlsfilerelabel;
')
 
-   typeattribute $1 mlsfilewrite;
+   typeattribute $1 mlsfilerelabel;
 ')
 
 

diff --git a/policy/modules/kernel/mls.te b/policy/modules/kernel/mls.te
index ad74e81f..7c50e75c 100644
--- a/policy/modules/kernel/mls.te
+++ b/policy/modules/kernel/mls.te
@@ -10,9 +10,10 @@ attribute mlsfilereadtoclr;
 attribute mlsfilewrite;
 attribute mlsfilewritetoclr;
 attribute mlsfilewriteinrange;
+attribute mlsfilerelabel;
+attribute mlsfilerelabeltoclr;
 attribute mlsfileupgrade;
 attribute mlsfiledowngrade;
-attribute mlsfilerelabeltoclr;
 
 attribute mlsnetread;
 attribute mlsnetreadtoclr;



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/

2017-12-13 Thread Jason Zaman
commit: 94e5bdcfc5d1a49605d019ff465dd9f56bd9686d
Author: Chris PeBenito  ieee  org>
AuthorDate: Wed Dec 13 23:29:26 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Thu Dec 14 04:55:22 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=94e5bdcf

storage, userdomain: Module version bump.

 policy/modules/kernel/storage.te| 2 +-
 policy/modules/system/userdomain.te | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/kernel/storage.te b/policy/modules/kernel/storage.te
index eb9b5b8d..d2a49c97 100644
--- a/policy/modules/kernel/storage.te
+++ b/policy/modules/kernel/storage.te
@@ -1,4 +1,4 @@
-policy_module(storage, 1.15.0)
+policy_module(storage, 1.15.1)
 
 
 #

diff --git a/policy/modules/system/userdomain.te 
b/policy/modules/system/userdomain.te
index a3a1802e..3db9b0c2 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -1,4 +1,4 @@
-policy_module(userdomain, 4.14.9)
+policy_module(userdomain, 4.14.10)
 
 
 #



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/, policy/modules/services/

2017-12-12 Thread Jason Zaman
commit: 11930ca161a01e71abb6f3522e3dea4f91445ac9
Author: Chris PeBenito  ieee  org>
AuthorDate: Sun Dec  3 21:48:54 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Tue Dec 12 07:06:26 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=11930ca1

corcmd, fs, xserver, init, systemd, userdomain: Module version bump.

 policy/modules/kernel/corecommands.te | 2 +-
 policy/modules/kernel/filesystem.te   | 2 +-
 policy/modules/services/xserver.te| 2 +-
 policy/modules/system/init.te | 2 +-
 policy/modules/system/systemd.te  | 2 +-
 policy/modules/system/userdomain.te   | 2 +-
 6 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/policy/modules/kernel/corecommands.te 
b/policy/modules/kernel/corecommands.te
index 4bc0a45c..9ea33753 100644
--- a/policy/modules/kernel/corecommands.te
+++ b/policy/modules/kernel/corecommands.te
@@ -1,4 +1,4 @@
-policy_module(corecommands, 1.24.5)
+policy_module(corecommands, 1.24.6)
 
 
 #

diff --git a/policy/modules/kernel/filesystem.te 
b/policy/modules/kernel/filesystem.te
index 62c2a783..d564752f 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -1,4 +1,4 @@
-policy_module(filesystem, 1.23.1)
+policy_module(filesystem, 1.23.2)
 
 
 #

diff --git a/policy/modules/services/xserver.te 
b/policy/modules/services/xserver.te
index e5c5acad..c3380257 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -1,4 +1,4 @@
-policy_module(xserver, 3.14.4)
+policy_module(xserver, 3.14.5)
 
 gen_require(`
class x_drawable all_x_drawable_perms;

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index f495e386..4ef6d035 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 2.3.8)
+policy_module(init, 2.3.9)
 
 gen_require(`
class passwd rootok;

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 4f3ed091..5051b87c 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1,4 +1,4 @@
-policy_module(systemd, 1.4.5)
+policy_module(systemd, 1.4.6)
 
 #
 #

diff --git a/policy/modules/system/userdomain.te 
b/policy/modules/system/userdomain.te
index b348ccd0..0e8aa374 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -1,4 +1,4 @@
-policy_module(userdomain, 4.14.7)
+policy_module(userdomain, 4.14.8)
 
 
 #



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/

2017-12-11 Thread Jason Zaman
commit: 023d49ed2fe5b7eb20e3b24a786e54993132ed18
Author: David Sugar  tresys  com>
AuthorDate: Wed Nov 29 21:14:17 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Tue Dec 12 07:06:26 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=023d49ed

RHEL 7.4 has moved the location of /usr/libexec/sesh to /usr/libexec/sudo/sesh

Update file context to include label for new location.
See https://bugzilla.redhat.com/show_bug.cgi?id=1480791

Signed-off-by: Dave Sugar  tresys.com>

 policy/modules/kernel/corecommands.fc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/kernel/corecommands.fc 
b/policy/modules/kernel/corecommands.fc
index 0d2fd27f..6409fcdd 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -265,6 +265,7 @@ ifdef(`distro_gentoo',`
 /usr/libexec(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/libexec/git-core/git-shell--  
gen_context(system_u:object_r:shell_exec_t,s0)
 /usr/libexec/sesh  --  
gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/libexec/sudo/sesh --  gen_context(system_u:object_r:shell_exec_t,s0)
 
 /usr/libexec/openssh/sftp-server --gen_context(system_u:object_r:bin_t,s0)
 



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/

2017-11-05 Thread Jason Zaman
commit: 32b741ef487dcaa91d8cefc873a7cbf8c5d581d2
Author: Jason Zaman  perfinion  com>
AuthorDate: Tue Oct 31 05:37:07 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Nov  5 06:38:35 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=32b741ef

files: fcontext for /etc/zfs/zpool.cache

 policy/modules/kernel/files.fc | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/kernel/files.fc b/policy/modules/kernel/files.fc
index e69a0025..6ed84ef9 100644
--- a/policy/modules/kernel/files.fc
+++ b/policy/modules/kernel/files.fc
@@ -72,6 +72,8 @@ ifdef(`distro_suse',`
 /etc/sysconfig/iptables\.save -- 
gen_context(system_u:object_r:etc_runtime_t,s0)
 /etc/sysconfig/firstboot --gen_context(system_u:object_r:etc_runtime_t,s0)
 
+/etc/zfs/zpool.cache   --  gen_context(system_u:object_r:etc_runtime_t,s0)
+
 ifdef(`distro_gentoo', `
 /etc/profile\.env  --  gen_context(system_u:object_r:etc_runtime_t,s0)
 /etc/csh\.env  --  gen_context(system_u:object_r:etc_runtime_t,s0)



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/

2017-10-29 Thread Jason Zaman
commit: d46e984bba90f703233e36a3c77926f0e4711859
Author: Luis Ressel via refpolicy  oss  tresys  
com>
AuthorDate: Tue Oct 24 23:46:43 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Oct 29 12:59:50 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d46e984b

kernel/files.if: files_list_kernel_modules should grant read perms for symlinks

files_search_kernel_modules also grants this; there are a couple of
symlinks in /lib/modules/.

 policy/modules/kernel/files.if | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index a9557079..05ca46a7 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -3966,6 +3966,7 @@ interface(`files_list_kernel_modules',`
')
 
allow $1 modules_object_t:dir list_dir_perms;
+   read_lnk_files_pattern($1, modules_object_t, modules_object_t)
 ')
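Review bot: files_list_kernel_modules now also grants reading symlinks in the module directory (and, through read_lnk_files_pattern, search on it), which the interface's name and its XML summary above the hunk no longer fully describe; update the summary to something like `List the contents of the kernel module directories, including reading their symlinks`. The interface definition starts outside the hunk.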
 
 



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/admin/

2017-10-29 Thread Jason Zaman
commit: 6553262d637d9cb2d3e6f1df5d1cfed968ee80d1
Author: Chris PeBenito  ieee  org>
AuthorDate: Wed Oct 25 21:21:31 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Oct 29 12:59:50 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6553262d

files, netutils: Module version bump.

 policy/modules/admin/netutils.te | 2 +-
 policy/modules/kernel/files.te   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index 0d3fb75d..315cc3c9 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -1,4 +1,4 @@
-policy_module(netutils, 1.17.0)
+policy_module(netutils, 1.17.1)
 
 
 #

diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index f713d2b6..473931ee 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -1,4 +1,4 @@
-policy_module(files, 1.24.3)
+policy_module(files, 1.24.4)
 
 
 #



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/

2017-10-29 Thread Jason Zaman
commit: 92204f8b06a390b2fb39a505d0c48f9dfec4a41d
Author: Chris PeBenito  ieee  org>
AuthorDate: Thu Oct 12 21:59:43 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Oct 29 12:59:08 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=92204f8b

files: Whitespace fix.

 policy/modules/kernel/files.if | 1 -
 1 file changed, 1 deletion(-)

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index ec2c8999..a9557079 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -6757,7 +6757,6 @@ interface(`files_relabel_all_pid_sock_files',`
relabel_sock_files_pattern($1, pidfile, pidfile)
 ')
 
-
 
 ## 
 ## Relabel to/from all var_run (pid) files and directories



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/

2017-10-29 Thread Jason Zaman
commit: f7b55ae6e614572354d5a6f8449c1ed0f256f485
Author: Chris PeBenito  ieee  org>
AuthorDate: Mon Oct  9 18:51:56 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Oct 29 12:59:08 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f7b55ae6

devices: Module version bump.

 policy/modules/kernel/devices.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 57ad955b..0882d522 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -1,4 +1,4 @@
-policy_module(devices, 1.21.3)
+policy_module(devices, 1.21.4)
 
 
 #



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/

2017-09-08 Thread Jason Zaman
commit: 549b6dbb3f5ae4e0645aa0bbc657187776c4f305
Author: Nicolas Iooss  m4x  org>
AuthorDate: Wed Sep  6 20:44:17 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Fri Sep  8 22:39:50 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=549b6dbb

corecommands: label Arch Linux pacman's scripts as bin_t

On Arch Linux, the package manager uses hooks which execute scripts in
/usr/share/libalpm/scripts.

 policy/modules/kernel/corecommands.fc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/kernel/corecommands.fc 
b/policy/modules/kernel/corecommands.fc
index 1b556308..37760a87 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -310,6 +310,7 @@ ifdef(`distro_gentoo',`
 /usr/share/GNUstep/Makefiles/mkinstalldirs --  
gen_context(system_u:object_r:bin_t,s0)
 /usr/share/hal/device-manager/hal-device-manager -- 
gen_context(system_u:object_r:bin_t,s0)
 /usr/share/hal/scripts(/.*)?   gen_context(system_u:object_r:bin_t,s0)
+/usr/share/libalpm/scripts(/.*)?   gen_context(system_u:object_r:bin_t,s0)
 /usr/share/mc/extfs/.* --  gen_context(system_u:object_r:bin_t,s0)
 /usr/share/Modules/init(/.*)?  gen_context(system_u:object_r:bin_t,s0)
 /usr/share/org.gnome.Weather/org\.gnome\.Weather\.Application  --  
gen_context(system_u:object_r:bin_t,s0)



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/

2017-09-08 Thread Jason Zaman
commit: 50d84777aa23e2a300967350c8fcd35c0580d337
Author: Chris PeBenito  ieee  org>
AuthorDate: Fri Sep  8 15:52:12 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Fri Sep  8 22:39:50 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=50d84777

Module version bump for patches from Nicolas Iooss.

 policy/modules/kernel/corecommands.te | 2 +-
 policy/modules/kernel/terminal.te | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/kernel/corecommands.te 
b/policy/modules/kernel/corecommands.te
index 7a22dc5f..bf025424 100644
--- a/policy/modules/kernel/corecommands.te
+++ b/policy/modules/kernel/corecommands.te
@@ -1,4 +1,4 @@
-policy_module(corecommands, 1.24.2)
+policy_module(corecommands, 1.24.3)
 
 
 #

diff --git a/policy/modules/kernel/terminal.te 
b/policy/modules/kernel/terminal.te
index ff9ee502..2102238e 100644
--- a/policy/modules/kernel/terminal.te
+++ b/policy/modules/kernel/terminal.te
@@ -1,4 +1,4 @@
-policy_module(terminal, 1.17.0)
+policy_module(terminal, 1.17.1)
 
 
 #



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/

2017-09-08 Thread Jason Zaman
commit: 92348a31d3dba24301e1d48d8d87027c9aca64e3
Author: David Sugar  tresys  com>
AuthorDate: Tue Sep  5 14:17:50 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Fri Sep  8 22:39:36 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=92348a31

Separate read and write interface for tun_tap_device_t

The following patch creates two additional interfaces for tun_tap_device_t to 
grant only read or only write access (rather than both read and write access).  
It is possible to open a tap device for only reading or only writing and this 
allows policy to match that use.

Signed-off-by: Dave Sugar  tresys.com>

 policy/modules/kernel/corenetwork.if.in | 38 +
 1 file changed, 38 insertions(+)

diff --git a/policy/modules/kernel/corenetwork.if.in 
b/policy/modules/kernel/corenetwork.if.in
index 46e10d08..3671fa8e 100644
--- a/policy/modules/kernel/corenetwork.if.in
+++ b/policy/modules/kernel/corenetwork.if.in
@@ -2047,6 +2047,44 @@ interface(`corenet_dontaudit_tcp_connect_all_rpc_ports',`
 
 
 ## 
+## Read the TUN/TAP virtual network device.
+## 
+## 
+## 
+## The domain read allowed access.
+## 
+## 
+#
+interface(`corenet_read_tun_tap_dev',`
+   gen_require(`
+   type tun_tap_device_t;
+   ')
+
+   dev_list_all_dev_nodes($1)
+   allow $1 tun_tap_device_t:chr_file read_chr_file_perms;
+')
+
+
+## 
+## Write the TUN/TAP virtual network device.
+## 
+## 
+## 
+## The domain allowed write access.
+## 
+## 
+#
+interface(`corenet_write_tun_tap_dev',`
+   gen_require(`
+   type tun_tap_device_t;
+   ')
+
+   dev_list_all_dev_nodes($1)
+   allow $1 tun_tap_device_t:chr_file write_chr_file_perms;
+')
+
+
+## 
 ## Read and write the TUN/TAP virtual network device.
 ## 
 ## 
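Review bot: The parameter summary in corenet_read_tun_tap_dev reads `The domain read allowed access.`, which is garbled; the write interface below it uses `The domain allowed write access.`, so the read one should say `The domain allowed read access.` for symmetry. The two interfaces otherwise mirror each other in their dev_list_all_dev_nodes call and chr_file grant, which is the intended split.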



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/

2017-09-08 Thread Jason Zaman
commit: 5c027610b5a5091d5cb2ae20cf2ed62177128253
Author: Nicolas Iooss via refpolicy  oss  tresys  
com>
AuthorDate: Sat Aug 12 08:34:59 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Fri Sep  8 22:39:50 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5c027610

terminal: /dev/pts exists in /dev filesystem

systemd tries to create /dev/pts directly with its context type
"devpts_t", but this is not allowed:

avc:  denied  { associate } for  pid=1 comm="systemd" name="pts"
scontext=system_u:object_r:devpts_t
tcontext=system_u:object_r:device_t
tclass=filesystem permissive=1

 policy/modules/kernel/terminal.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/kernel/terminal.te 
b/policy/modules/kernel/terminal.te
index f71fda4b..ff9ee502 100644
--- a/policy/modules/kernel/terminal.te
+++ b/policy/modules/kernel/terminal.te
@@ -25,6 +25,7 @@ dev_node(console_device_t)
 # the type of the root directory of the file system.
 #
 type devpts_t;
+dev_associate(devpts_t)
 files_mountpoint(devpts_t)
 fs_associate_tmpfs(devpts_t)
 fs_xattr_type(devpts_t)
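Review bot: The added `dev_associate(devpts_t)` has no in-file comment, and the reason (the commit message's AVC: systemd creates /dev/pts on the /dev filesystem labeled device_t) will not be visible to the next reader of terminal.te. Suggest `# /dev/pts is created directly on the /dev (device_t) filesystem` on the line above the call. The surrounding declaration block for devpts_t continues outside the hunk.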



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/roles/, policy/modules/services/

2017-06-13 Thread Jason Zaman
commit: b0d06664412c0c7baee2b8e12a26206d05a1ee02
Author: cgzones  googlemail  com>
AuthorDate: Thu Jun  8 14:16:15 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Tue Jun 13 08:02:15 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b0d06664

rkhunter: add interfaces for rkhunter module and sysadm permit

 policy/modules/kernel/filesystem.if | 18 ++
 policy/modules/roles/sysadm.te  |  4 
 policy/modules/services/ssh.if  | 19 +++
 3 files changed, 41 insertions(+)

diff --git a/policy/modules/kernel/filesystem.if 
b/policy/modules/kernel/filesystem.if
index 295f3698..e85169c3 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -4823,6 +4823,24 @@ interface(`fs_getattr_tracefs',`
 
 
 ## 
+## Get attributes of dirs on tracefs filesystem.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`fs_getattr_tracefs_dirs',`
+   gen_require(`
+   type tracefs_t;
+   ')
+
+   allow $1 tracefs_t:dir getattr;
+')
+
+
+## 
 ##  search directories on a tracefs filesystem
 ## 
 ## 
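Review bot: `fs_getattr_tracefs_dirs` grants only `tracefs_t:dir getattr` and no search permission on the directories leading to the tracefs mountpoint; if tracefs is reached through sysfs on the target systems, callers will presumably also need `dev_search_sysfs($1)`, as comparable interfaces in this file combine the target rule with the path search. Please confirm against the neighbouring tracefs interfaces (the search interface immediately below is outside the hunk) and either add the search call or document that the caller must supply it.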

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 8912fb6e..6d18020b 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -906,6 +906,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+   rkhunter_run(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
rngd_admin(sysadm_t, sysadm_r)
 ')
 

diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index 3eca8306..22642eb3 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -601,6 +601,25 @@ interface(`ssh_tcp_connect',`
 
 
 ## 
+## Execute the ssh daemon in the caller domain.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`ssh_exec_sshd',`
+   gen_require(`
+   type sshd_exec_t;
+   ')
+
+   corecmd_search_bin($1)
+   can_exec($1, sshd_exec_t)
+')
+
+
+## 
 ## Execute the ssh daemon sshd domain.
 ## 
 ## 
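Review bot: `ssh_exec_sshd` uses `can_exec($1, sshd_exec_t)`, so sshd runs in the caller's domain with no domain transition; the summary should make that explicit because the interface directly below ("Execute the ssh daemon sshd domain.") exists for the confined case. Suggest extending the description with `## No domain transition occurs; the caller runs the sshd binary under its own domain. Use the domain-transition interface below to run the daemon confined.` The pairing of `corecmd_search_bin($1)` with `can_exec` matches the usual pattern in this file.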



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/roles/, policy/modules/system/

2017-06-13 Thread Jason Zaman
commit: cdd50f44b7b658e9478e9c968a299919a679396c
Author: cgzones  googlemail  com>
AuthorDate: Fri Jun  9 13:37:16 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Tue Jun 13 08:02:15 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=cdd50f44

chkrootkit: add interfaces and sysadm permit

v2:
 - add bin_t fc to corecommands

 policy/modules/kernel/corecommands.fc |  1 +
 policy/modules/roles/sysadm.te|  4 
 policy/modules/system/init.if | 18 ++
 3 files changed, 23 insertions(+)

diff --git a/policy/modules/kernel/corecommands.fc 
b/policy/modules/kernel/corecommands.fc
index 320044e9..f1cb22b3 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -426,6 +426,7 @@ ifdef(`distro_suse', `
 /var/ftp/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
 
 /var/lib/asterisk/agi-bin(/.*)?
gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/chkrootkit/.* --  gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/yp/.+ --  gen_context(system_u:object_r:bin_t,s0)
 
 /var/qmail/bin -d  gen_context(system_u:object_r:bin_t,s0)
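Review bot: The new entry `/usr/lib/chkrootkit/.* --` uses `.*` where the adjacent `/usr/lib/yp/.+ --` entry uses `.+`; for a `--` (regular file) entry the two match the same paths, but keeping one form makes the block easier to audit. Consider `/usr/lib/chkrootkit/.+ --  gen_context(system_u:object_r:bin_t,s0)` for consistency with the line below it. Note also that with `--` the /usr/lib/chkrootkit directory itself keeps its existing label, which is presumably intended.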

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 17e1e26f..e28a28bd 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -236,6 +236,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+   chkrootkit_run(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
chronyd_admin(sysadm_t, sysadm_r)
 ')
 

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 05fa767f..b9878d02 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -679,6 +679,24 @@ interface(`init_getpgid',`
 
 
 ## 
+## Send init a generic signal.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`init_signal',`
+   gen_require(`
+   type init_t;
+   ')
+
+   allow $1 init_t:process signal;
+')
+
+
+## 
 ## Send init a null signal.
 ## 
 ## 
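Review bot: The summary "Send init a generic signal." should say what `process signal` covers, since this is a permission against PID 1 and callers may reach for it when the weaker null-signal interface immediately below would do. Suggest adding a description such as `## The signal permission covers every signal that does not have its own permission (sigkill, sigstop, sigchld, signull); callers that only need to check whether init is alive should use the null-signal interface instead.` The rule itself, `allow $1 init_t:process signal;`, is consistent with the sibling interfaces.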



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/

2017-06-05 Thread Jason Zaman
commit: 9db4609a99bf45fc3f716fa52955a4982dffb145
Author: Jason Zaman  perfinion  com>
AuthorDate: Mon Jun  5 17:33:42 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Mon Jun  5 17:33:42 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9db4609a

filesystem: remove gentoo specific duplicated fs_cgroup_filetrans

 policy/modules/kernel/filesystem.if | 37 -
 1 file changed, 37 deletions(-)

diff --git a/policy/modules/kernel/filesystem.if 
b/policy/modules/kernel/filesystem.if
index 1db23012..295f3698 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -5399,40 +5399,3 @@ interface(`fs_unconfined',`
 
typeattribute $1 filesystem_unconfined_type;
 ')
-
-# gentoo specific under here but not allowed ifdef
-
-
-## 
-## Create an object in a cgroup tmpfs filesystem, with a private
-## type using a type transition.
-## 
-## 
-## 
-## Domain allowed access.
-## 
-## 
-## 
-## 
-## The type of the object to be created.
-## 
-## 
-## 
-## 
-## The object class of the object being created.
-## 
-## 
-## 
-## 
-## The name of the object being created.
-## 
-## 
-#
-interface(`fs_cgroup_filetrans',`
-   gen_require(`
-   type cgroup_t;
-   ')
-
-   allow $2 tmpfs_t:filesystem associate;
-   filetrans_pattern($1, cgroup_t, $2, $3, $4)
-')



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/

2017-06-05 Thread Jason Zaman
commit: 4c7c974d4a198a0c31bf95c4a32a9c7b70f5
Author: Chris PeBenito  ieee  org>
AuthorDate: Mon Jun  5 00:45:23 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Mon Jun  5 17:16:18 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4c7c974d

Module version bumps for patches from Jason Zaman.

 policy/modules/kernel/filesystem.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/kernel/filesystem.te 
b/policy/modules/kernel/filesystem.te
index afcb3b3f..23d1c0b4 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -1,4 +1,4 @@
-policy_module(filesystem, 1.22.9)
+policy_module(filesystem, 1.22.10)
 
 
 #



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/

2017-06-05 Thread Jason Zaman
commit: 8c64d75ad5512d94b6fb4705b546483e2a09837c
Author: Jason Zaman  perfinion  com>
AuthorDate: Sun Jun  4 16:33:44 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Mon Jun  5 17:16:18 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8c64d75a

filesystem: introduce fs_cgroup_filetrans interface

 policy/modules/kernel/filesystem.if | 36 
 1 file changed, 36 insertions(+)

diff --git a/policy/modules/kernel/filesystem.if 
b/policy/modules/kernel/filesystem.if
index c9c67369..f28614f2 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -944,6 +944,42 @@ interface(`fs_mounton_cgroup', `
 
 
 ## 
+## Create an object in a cgroup tmpfs filesystem, with a private
+## type using a type transition.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+## 
+## 
+## The type of the object to be created.
+## 
+## 
+## 
+## 
+## The object class of the object being created.
+## 
+## 
+## 
+## 
+## The name of the object being created.
+## 
+## 
+#
+interface(`fs_cgroup_filetrans',`
+   gen_require(`
+   type cgroup_t, tmpfs_t;
+   ')
+
+   allow $2 tmpfs_t:filesystem associate;
+   filetrans_pattern($1, cgroup_t, $2, $3, $4)
+   fs_search_sysfs($1)
+')
+
+
+## 
 ## Do not audit attempts to read
 ## dirs on a CIFS or SMB filesystem.
 ## 
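Review bot: `fs_search_sysfs($1)` in the new `fs_cgroup_filetrans` body is not an interface of the filesystem module; sysfs_t is owned by the devices module, whose search interface is `dev_search_sysfs`. The follow-up commit 7fba64ce on this page replaces it with `dev_search_sysfs($1)`, so this commit as merged would not build. The `allow $2 tmpfs_t:filesystem associate;` rule is also worth a one-line comment, e.g. `# cgroup mounts are tmpfs-backed, so the private type must associate with tmpfs_t`, because it is the only rule here granted to the object type rather than the caller.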



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/

2017-06-05 Thread Jason Zaman
commit: 7fba64ce25f075ba187e57d510550999ed6d7094
Author: Chris PeBenito  ieee  org>
AuthorDate: Mon Jun  5 00:45:13 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Mon Jun  5 17:16:18 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7fba64ce

filesystem: Fix error in fs_cgroup_filetrans().

 policy/modules/kernel/filesystem.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/kernel/filesystem.if 
b/policy/modules/kernel/filesystem.if
index f28614f2..1db23012 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -975,7 +975,7 @@ interface(`fs_cgroup_filetrans',`
 
allow $2 tmpfs_t:filesystem associate;
filetrans_pattern($1, cgroup_t, $2, $3, $4)
-   fs_search_sysfs($1)
+   dev_search_sysfs($1)
 ')
 
 



[gentoo-commits] proj/hardened-refpolicy:master commit in: /, policy/modules/kernel/, policy/modules/roles/, support/, policy/flask/

2017-05-25 Thread Jason Zaman
commit: 51ed8963a91ca0cf0263995205ce5e7ca47d53c2
Author: Daniel Jurgens  mellanox  com>
AuthorDate: Wed May 24 14:14:59 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Thu May 25 16:32:29 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=51ed8963

refpolicy: Infiniband pkeys and endports

Every Infiniband network will have a default pkey, so that is labeled.
The rest of the pkey configuration is network specific. The policy allows
access to the default and unlabeled pkeys for sysadm and staff users.
kernel_t is allowed access to all pkeys, which it needs to process and
route management datagrams.

Endports are all unlabeled by default, sysadm users are allowed to
manage the subnet on unlabeled endports. kernel_t is allowed to manage
the subnet on all ibendports, which is required for configuring the HCA.

This patch requires selinux series: "SELinux user space support for
Infiniband RDMA", due to the new ipkeycon labeling mechanism.

Signed-off-by: Daniel Jurgens  mellanox.com>

 Makefile|   2 +-
 Rules.modular   |   2 +
 Rules.monolithic|   2 +
 policy/flask/access_vectors |  10 +++
 policy/flask/security_classes   |   4 ++
 policy/modules/kernel/corenetwork.if.in | 118 
 policy/modules/kernel/corenetwork.if.m4 |  64 +
 policy/modules/kernel/corenetwork.te.in |   8 +++
 policy/modules/kernel/corenetwork.te.m4 |  26 +++
 policy/modules/kernel/kernel.if |  37 ++
 policy/modules/kernel/kernel.te |   5 ++
 policy/modules/roles/staff.te   |   1 +
 policy/modules/roles/sysadm.te  |   3 +
 support/comment_move_decl.sed   |   2 +-
 14 files changed, 282 insertions(+), 2 deletions(-)

diff --git a/Makefile b/Makefile
index ed3453e0..89387367 100644
--- a/Makefile
+++ b/Makefile
@@ -372,7 +372,7 @@ $(moddir)/kernel/corenetwork.if: 
$(moddir)/kernel/corenetwork.te.in $(moddir)/ke
@echo "# $(notdir $@).in or $(notdir $@).m4 file should be modified." 
>> $@
@echo "#" >> $@
$(verbose) cat $@.in >> $@
-   $(verbose) $(GREP) 
"^[[:blank:]]*network_(interface|node|port|packet)(_controlled)?\(.*\)" $< \
+   $(verbose) $(GREP) 
"^[[:blank:]]*(network_(interface|node|port|packet)(_controlled)?)|ib_(pkey|endport)\(.*\)"
 $< \
| $(M4) -D self_contained_policy $(M4PARAM) $(m4divert) $@.m4 
$(m4undivert) - \
| $(SED) -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> 
$@
 
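Review bot: The new grep pattern groups its alternation incorrectly: as written, `^[[:blank:]]*(network_...(_controlled)?)` no longer requires the trailing `\(.*\)`, and the `ib_(pkey|endport)\(.*\)` branch is not anchored to the line start, so the first branch now matches any line that merely begins with `network_port`/`network_interface` text and the second matches an `ib_pkey(` occurrence anywhere in a line, including comments. The intended pattern keeps both branches inside one group: `"^[[:blank:]]*(network_(interface|node|port|packet)(_controlled)?|ib_(pkey|endport))\(.*\)"`. Since this grep feeds m4 to generate corenetwork.if, a stray match would surface as broken generated output rather than as a build error.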

diff --git a/Rules.modular b/Rules.modular
index 49d3cca9..331a979d 100644
--- a/Rules.modular
+++ b/Rules.modular
@@ -170,6 +170,8 @@ $(tmpdir)/all_post.conf: $(tmpdir)/all_te_files.conf 
$(tmpdir)/post_te_files.con
$(verbose) $(GREP) ^portcon $(tmpdir)/all_te_files.conf >> $@ || true
$(verbose) $(GREP) ^netifcon $(tmpdir)/all_te_files.conf >> $@ || true
$(verbose) $(GREP) ^nodecon $(tmpdir)/all_te_files.conf >> $@ || true
+   $(verbose) $(GREP) ^ibpkeycon $(tmpdir)/all_te_files.conf >> $@ || true
+   $(verbose) $(GREP) ^ibendportcon $(tmpdir)/all_te_files.conf >> $@ || 
true
 
 $(tmpdir)/only_te_rules.conf: $(tmpdir)/all_te_files.conf
$(verbose) $(comment_move_decl) $^ > $@

diff --git a/Rules.monolithic b/Rules.monolithic
index ce112d78..80e00821 100644
--- a/Rules.monolithic
+++ b/Rules.monolithic
@@ -150,6 +150,8 @@ $(tmpdir)/all_post.conf: $(tmpdir)/all_te_files.conf 
$(tmpdir)/post_te_files.con
$(verbose) $(GREP) ^portcon $(tmpdir)/all_te_files.conf >> $@ || true
$(verbose) $(GREP) ^netifcon $(tmpdir)/all_te_files.conf >> $@ || true
$(verbose) $(GREP) ^nodecon $(tmpdir)/all_te_files.conf >> $@ || true
+   $(verbose) $(GREP) ^ibpkeycon $(tmpdir)/all_te_files.conf >> $@ || true
+   $(verbose) $(GREP) ^ibendportcon $(tmpdir)/all_te_files.conf >> $@ || 
true
 
 $(tmpdir)/only_te_rules.conf: $(tmpdir)/all_te_files.conf
$(verbose) $(comment_move_decl) $^ > $@

diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index 7652a313..f20e5c1e 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -927,6 +927,16 @@ inherits database
set_value
 }
 
+class infiniband_pkey
+{
+   access
+}
+
+class infiniband_endport
+{
+   manage_subnet
+}
+
 class db_language
 inherits database
 {

diff --git a/policy/flask/security_classes b/policy/flask/security_classes
index 18c4f974..ce3268da 100644
--- a/policy/flask/security_classes
+++ b/policy/flask/security_classes
@@ -139,6 +139,10 @@ class netlink_crypto_socket
 class x_pointer# userspace
 class x_keyboard   # userspace
 
+# Infiniband
+class infiniband_pkey
+class infiniband_endport
+
 # More Database stuff
 class db_schema# userspace
 class db_view  # userspace

diff --git 

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/roles/

2017-05-25 Thread Jason Zaman
commit: bf96509f09ff0319b82a07f8f8a858293e82ed8c
Author: Chris PeBenito  ieee  org>
AuthorDate: Wed May 24 23:36:04 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Thu May 25 16:32:29 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=bf96509f

corenet/sysadm: Move lines.

 policy/modules/kernel/corenetwork.if.in | 138 
 policy/modules/roles/sysadm.te  |   6 +-
 2 files changed, 72 insertions(+), 72 deletions(-)

diff --git a/policy/modules/kernel/corenetwork.if.in 
b/policy/modules/kernel/corenetwork.if.in
index 46fc4f11..4d618d94 100644
--- a/policy/modules/kernel/corenetwork.if.in
+++ b/policy/modules/kernel/corenetwork.if.in
@@ -213,6 +213,60 @@ interface(`corenet_spd_type',`
 
 
 ## 
+## Define type to be an infiniband pkey type
+## 
+## 
+## 
+## Define type to be an infiniband pkey type
+## 
+## 
+## This is for supporting third party modules and its
+## use is not allowed in upstream reference policy.
+## 
+## 
+## 
+## 
+## Type to be used for infiniband pkeys.
+## 
+## 
+#
+interface(`corenet_ib_pkey',`
+   gen_require(`
+   attribute ibpkey_type;
+   ')
+
+   typeattribute $1 ibpkey_type;
+')
+
+
+## 
+## Define type to be an infiniband endport
+## 
+## 
+## 
+## Define type to be an infiniband endport
+## 
+## 
+## This is for supporting third party modules and its
+## use is not allowed in upstream reference policy.
+## 
+## 
+## 
+## 
+## Type to be used for infiniband endports.
+## 
+## 
+#
+interface(`corenet_ib_endport',`
+   gen_require(`
+   attribute ibendport_type;
+   ')
+
+   typeattribute $1 ibendport_type;
+')
+
+
+## 
 ## Send and receive TCP network traffic on generic interfaces.
 ## 
 ## 
@@ -3138,51 +3192,6 @@ interface(`corenet_relabelto_all_packets',`
 
 
 ## 
-## Unconfined access to network objects.
-## 
-## 
-## 
-## The domain allowed access.
-## 
-## 
-#
-interface(`corenet_unconfined',`
-   gen_require(`
-   attribute corenet_unconfined_type;
-   ')
-
-   typeattribute $1 corenet_unconfined_type;
-')
-
-
-## 
-## Define type to be an infiniband pkey type
-## 
-## 
-## 
-## Define type to be an infiniband pkey type
-## 
-## 
-## This is for supporting third party modules and its
-## use is not allowed in upstream reference policy.
-## 
-## 
-## 
-## 
-## Type to be used for infiniband pkeys.
-## 
-## 
-#
-interface(`corenet_ib_pkey',`
-   gen_require(`
-   attribute ibpkey_type;
-   ')
-
-   typeattribute $1 ibpkey_type;
-')
-
-
-## 
 ## Access unlabeled infiniband pkeys.
 ## 
 ## 
@@ -3215,34 +3224,25 @@ interface(`corenet_ib_access_all_pkeys',`
 
 
 ## 
-## Define type to be an infiniband endport
+## Manage subnets on all labeled Infiniband endports
 ## 
-## 
-## 
-## Define type to be an infiniband endport
-## 
-## 
-## This is for supporting third party modules and its
-## use is not allowed in upstream reference policy.
-## 
-## 
 ## 
 ## 
-## Type to be used for infiniband endports.
+## Domain allowed access.
 ## 
 ## 
 #
-interface(`corenet_ib_endport',`
+interface(`corenet_ib_manage_subnet_all_endports',`
gen_require(`
attribute ibendport_type;
')
 
-   typeattribute $1 ibendport_type;
+   allow $1 ibendport_type:infiniband_endport manage_subnet;
 ')
 
 
 ## 
-## Manage subnets on all labeled Infiniband endports
+## Manage subnet on all unlabeled Infiniband endports
 ## 
 ## 
 ## 
@@ -3250,24 +3250,24 @@ interface(`corenet_ib_endport',`
 ## 
 ## 
 #
-interface(`corenet_ib_manage_subnet_all_endports',`
-   gen_require(`
-   attribute ibendport_type;
-   ')
-
-   allow $1 ibendport_type:infiniband_endport manage_subnet;
+interface(`corenet_ib_manage_subnet_unlabeled_endports',`
+   kernel_ib_manage_subnet_unlabeled_endports($1)
 ')
 
 
 ## 
-## Manage subnet on all unlabeled Infiniband endports
+## Unconfined access to network objects.
 ## 
 ## 
 ## 
-## Domain allowed access.
+## The domain allowed access.
 ## 
 ## 
 #
-interface(`corenet_ib_manage_subnet_unlabeled_endports',`
-   kernel_ib_manage_subnet_unlabeled_endports($1)
+interface(`corenet_unconfined',`
+   gen_require(`
+   attribute corenet_unconfined_type;
+   ')
+
+   typeattribute $1 corenet_unconfined_type;
 ')

diff 

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/roles/

2017-05-25 Thread Jason Zaman
commit: 17490d91be530c04b5a4c221c69b58f93dbff7be
Author: Chris PeBenito  ieee  org>
AuthorDate: Wed May 24 23:36:49 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Thu May 25 16:32:29 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=17490d91

Module version bump for infiniband policy from Daniel Jurgens.

 policy/modules/kernel/corenetwork.te.in | 2 +-
 policy/modules/kernel/kernel.te | 2 +-
 policy/modules/roles/staff.te   | 2 +-
 policy/modules/roles/sysadm.te  | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/policy/modules/kernel/corenetwork.te.in 
b/policy/modules/kernel/corenetwork.te.in
index dbe009c8..08f519ee 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -1,4 +1,4 @@
-policy_module(corenetwork, 1.23.3)
+policy_module(corenetwork, 1.23.4)
 
 
 #

diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index b9ae4b6a..685f3d0f 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -1,4 +1,4 @@
-policy_module(kernel, 1.22.2)
+policy_module(kernel, 1.22.3)
 
 
 #

diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index c19212c1..6cf73d28 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -1,4 +1,4 @@
-policy_module(staff, 2.8.1)
+policy_module(staff, 2.8.2)
 
 
 #

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 508d2a9f..a4fffc27 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -1,4 +1,4 @@
-policy_module(sysadm, 2.11.7)
+policy_module(sysadm, 2.11.8)
 
 
 #



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/

2017-05-07 Thread Jason Zaman
commit: 44fb56ddcb130bb46f67d5bc1a4dc124cb35fe59
Author: Guido Trentalancia  trentalancia  net>
AuthorDate: Sat Apr 29 18:17:47 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun May  7 15:53:18 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=44fb56dd

kernel: low-priority update

Update the kernel module with some low priority fixes.

Signed-off-by: Guido Trentalancia  trentalancia.net>

 policy/modules/kernel/kernel.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 639b8454..87f5f9a4 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -276,6 +276,7 @@ dev_setattr_generic_blk_files(kernel_t)
 dev_setattr_generic_chr_files(kernel_t)
 dev_getattr_fs(kernel_t)
 dev_getattr_sysfs(kernel_t)
+dev_write_kmsg(kernel_t)
 
 # Mount root file system. Used when loading a policy
 # from initrd, then mounting the root filesystem
@@ -384,6 +385,7 @@ optional_policy(`
 
 optional_policy(`
plymouthd_read_lib_files(kernel_t)
+   plymouthd_read_pid_files(kernel_t)
plymouthd_read_spool_files(kernel_t)
 
term_use_ptmx(kernel_t)



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/, policy/modules/contrib/

2017-04-30 Thread Jason Zaman
commit: 248905080e2e9840c120f1bb12d589bbec3c89bb
Author: Jason Zaman  perfinion  com>
AuthorDate: Sun Apr 30 09:57:08 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Apr 30 14:17:45 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=24890508

Remove interfaces added upstream

 policy/modules/contrib/gnome.if | 29 -
 policy/modules/kernel/files.if  | 20 
 policy/modules/system/init.te   |  1 -
 3 files changed, 50 deletions(-)

diff --git a/policy/modules/contrib/gnome.if b/policy/modules/contrib/gnome.if
index ce436cfd..4fcc6905 100644
--- a/policy/modules/contrib/gnome.if
+++ b/policy/modules/contrib/gnome.if
@@ -124,12 +124,6 @@ template(`gnome_role_template',`
wm_dbus_chat($1, $1_gkeyringd_t)
')
')
-
-   ifdef(`distro_gentoo',`
-   optional_policy(`
-   gnome_dbus_chat_gconfd($3)
-   ')
-   ')
 ')
 
 
@@ -841,29 +835,6 @@ interface(`gnome_stream_connect_all_gkeyringd',`
stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t, 
gkeyringd_domain)
 ')
 
-# From here Gentoo specific but cannot use ifdef distro_gentoo here
-
-#
-## 
-## Send and receive messages from the gconf daemon
-## over dbus.
-## 
-## 
-## 
-## Domain allowed access.
-## 
-## 
-#
-interface(`gnome_dbus_chat_gconfd',`
-   gen_require(`
-   type gconfd_t;
-   class dbus send_msg;
-   ')
-
-   allow $1 gconfd_t:dbus send_msg;
-   allow gconfd_t $1:dbus send_msg;
-')
-
 
 ## 
 ## Manage gstreamer ORC optimized

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index ef969a95..a74f7913 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -7232,26 +7232,6 @@ interface(`files_unconfined',`
 
 
 ## 
-## Create PID directories.
-## 
-## 
-## 
-## Domain allowed access.
-## 
-## 
-#
-interface(`files_create_pid_dirs',`
-   gen_require(`
-   type var_t, var_run_t;
-   ')
-
-   allow $1 var_t:dir search_dir_perms;
-   allow $1 var_run_t:lnk_file read_lnk_file_perms;
-   create_dirs_pattern($1, var_run_t, var_run_t)
-')
-
-
-## 
 ## Create, read, write, and delete symbolic links in
 ## /etc that are dynamically created on boot.
 ## 

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 5c6830f2..07238399 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1350,7 +1350,6 @@ ifdef(`distro_gentoo',`
# needs to chmod some devices in early boot
dev_setattr_generic_chr_files(initrc_t)
 
-   files_create_pid_dirs(initrc_t)
files_dontaudit_write_usr_dirs(initrc_t)
files_manage_generic_tmp_dirs(initrc_t)
files_manage_generic_tmp_files(initrc_t)



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/

2017-03-02 Thread Sven Vermeulen
commit: ee9f1937dfcafbac9c687ee2f79d33bd7b54bec2
Author: Nicolas Iooss  m4x  org>
AuthorDate: Mon Feb 27 21:24:02 2017 +
Commit: Sven Vermeulen  gentoo  org>
CommitDate: Thu Mar  2 10:16:52 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ee9f1937

devices: fix Debian file contexts

When using setfiles to validate file contexts of Debian modular policy
(with DISTRO=debian and MONOLITHIC=n), it fails with:

tmp/all_mods.fc:  line 527 is missing fields
tmp/all_mods.fc:  line 527 is missing fields
tmp/all_mods.fc: Invalid argument

Here is the content of tmp/all_mods.fc around line 527:

# this is a static /dev dir "backup mount"
# if you want to disable udev, youll have to boot permissive and relabel!
/dev/\.static   -d  system_u:object_r:device_t
/dev/\.static/dev   -d  system_u:object_r:device_t
/dev/\.static/dev/(.*)? <>
'

The quote of "you'll" has been eaten by m4 and there is a spurious quote
on the last line, which is reported by setfiles. Fix this by removing
the quote in the comment.

Here is an example of a failed build on Travis-CI:
https://travis-ci.org/fishilico/selinux-refpolicy-patched/jobs/205951446

 policy/modules/kernel/devices.fc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
index 19cd9724..84219a87 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -185,7 +185,7 @@ ifdef(`distro_suse', `
 
 ifdef(`distro_debian',`
 # this is a static /dev dir "backup mount"
-# if you want to disable udev, you'll have to boot permissive and relabel!
+# if you want to disable udev, you will have to boot permissive and relabel!
 /dev/\.static  -d  gen_context(system_u:object_r:device_t,s0)
 /dev/\.static/dev  -d  gen_context(system_u:object_r:device_t,s0)
 /dev/\.static/dev/(.*)?<>
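Review bot: The fix removes the apostrophe, but nothing in the file tells the next editor why "you'll" became "you will", so the same m4 quoting breakage can be reintroduced. Suggest a short comment above the block, `# NOTE: no apostrophes in comments inside ifdef() blocks; m4 treats ' as a quote character and corrupts the generated .fc`. The enclosing `ifdef(`distro_debian',` block's closing `')` is outside the hunk.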



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/

2017-03-02 Thread Sven Vermeulen
commit: 2ea4214ce55c1f5dfa9a23bd74e6b8bc01db9611
Author: cgzones  googlemail  com>
AuthorDate: Mon Feb 20 13:20:00 2017 +
Commit: Sven Vermeulen  gentoo  org>
CommitDate: Thu Mar  2 10:16:40 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2ea4214c

add corecmd_check_exec_bin_files()

useful for monit

 policy/modules/kernel/corecommands.if | 19 +++
 1 file changed, 19 insertions(+)

diff --git a/policy/modules/kernel/corecommands.if 
b/policy/modules/kernel/corecommands.if
index 60c1feb7..d7ccec3a 100644
--- a/policy/modules/kernel/corecommands.if
+++ b/policy/modules/kernel/corecommands.if
@@ -218,6 +218,25 @@ interface(`corecmd_dontaudit_getattr_bin_files',`
 
 
 ## 
+## Check if files in bin directories are executable (DAC-wise)
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`corecmd_check_exec_bin_files',`
+   gen_require(`
+   type bin_t;
+   ')
+
+   allow $1 bin_t:dir search_dir_perms;
+   allow $1 bin_t:file { execute getattr };
+')
+
+
+## 
 ## Read files in bin directories.
 ## 
 ## 
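Review bot: `corecmd_check_exec_bin_files` grants `bin_t:file { execute getattr }` without `execute_no_trans`, which is what lets an `access(X_OK)`-style check succeed without allowing the file to run in the caller's domain; the summary should say so, since readers may assume a "check" interface grants nothing executable. Suggest adding `## Grants execute and getattr on bin_t files so access(2) executability checks succeed; execute_no_trans is not granted, so the files cannot be run in the caller's domain.` Note that file `execute` is presumably also what the kernel checks for PROT_EXEC mappings, so a caller could map bin_t files executable; confirm before relying on this being check-only.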



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/

2017-03-02 Thread Sven Vermeulen
commit: b7cdb2042f2d50b860b53763af428a02126984a4
Author: cgzones  googlemail  com>
AuthorDate: Mon Feb 20 13:20:25 2017 +
Commit: Sven Vermeulen  gentoo  org>
CommitDate: Thu Mar  2 10:16:43 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b7cdb204

add fs_getattr_dos_dirs()

useful

 policy/modules/kernel/filesystem.if | 18 ++
 1 file changed, 18 insertions(+)

diff --git a/policy/modules/kernel/filesystem.if 
b/policy/modules/kernel/filesystem.if
index 9069b0c2..0affdae2 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -1800,6 +1800,24 @@ interface(`fs_relabelfrom_dos_fs',`
 
 
 ## 
+## Get attributes of directories on a dosfs filesystem.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`fs_getattr_dos_dirs',`
+   gen_require(`
+   type dosfs_t;
+   ')
+
+   allow $1 dosfs_t:dir getattr;
+')
+
+
+## 
 ## Search dosfs filesystem.
 ## 
 ## 



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/

2017-02-27 Thread Jason Zaman
commit: 805b7816928fa45ce56e4fdeb79fcd0ab4b3e2e4
Author: Chris PeBenito  ieee  org>
AuthorDate: Sat Feb 25 16:50:31 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Mon Feb 27 10:38:00 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=805b7816

devices: Fix docs for dev_write_generic_sock_files().

 policy/modules/kernel/devices.if | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 7e09e6f2..28984607 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -880,11 +880,11 @@ interface(`dev_relabel_generic_symlinks',`
 
 
 ## 
-## write generic sock files in /dev.
+## Write generic sock files in /dev.
 ## 
 ## 
 ## 
-## Domain to not audit.
+## Domain allowed access.
 ## 
 ## 
 #



[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/system/

2017-02-25 Thread Jason Zaman
commit: 5b8acde37136f75ce5a52f1b6a0604d3f35dacc7
Author: Chris PeBenito  ieee  org>
AuthorDate: Fri Feb 24 01:03:23 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Feb 25 14:22:23 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5b8acde3

Systemd fixes from Russell Coker.

 policy/modules/kernel/devices.if|  37 +
 policy/modules/kernel/devices.te|   6 +-
 policy/modules/kernel/files.if  | 127 +++
 policy/modules/kernel/files.te  |   6 +-
 policy/modules/system/authlogin.if  |   9 +
 policy/modules/system/authlogin.te  |   6 +-
 policy/modules/system/init.fc   |   2 +
 policy/modules/system/init.if   | 183 ++---
 policy/modules/system/init.te   | 317 +---
 policy/modules/system/logging.fc|   5 +-
 policy/modules/system/logging.if|  18 ++
 policy/modules/system/logging.te|  36 +++-
 policy/modules/system/lvm.if|  18 ++
 policy/modules/system/lvm.te|   2 +-
 policy/modules/system/miscfiles.te  |   6 +-
 policy/modules/system/systemd.fc|  11 +-
 policy/modules/system/systemd.if| 122 +-
 policy/modules/system/systemd.te|  49 +-
 policy/modules/system/udev.if   |  20 +++
 policy/modules/system/udev.te   |   2 +-
 policy/modules/system/unconfined.if |  19 +++
 policy/modules/system/unconfined.te |   2 +-
 policy/modules/system/userdomain.if |  71 
 policy/modules/system/userdomain.te |   2 +-
 24 files changed, 1011 insertions(+), 65 deletions(-)

diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 08e2e8af..b51a25ac 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -154,6 +154,25 @@ interface(`dev_relabel_all_dev_nodes',`
 
 
 ## 
+## Allow full relabeling (to and from) of all device files.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+## 
+#
+interface(`dev_relabel_all_dev_files',`
+   gen_require(`
+   type device_t;
+   ')
+
+   relabel_files_pattern($1, device_t, device_t)
+')
+
+
+## 
 ## List all of the device nodes in a device directory.
 ## 
 ## 
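Review bot: The summary "Allow full relabeling (to and from) of all device files." overstates the rule: `relabel_files_pattern($1, device_t, device_t)` covers only the generic device_t type, whereas the neighbouring `dev_relabel_all_dev_nodes` (named in the hunk header) is the one that operates on all device node types. Suggest `## Relabel generic device files (device_t) to and from.` or a name such as `dev_relabel_generic_dev_files` to match the `dev_relabel_generic_symlinks` naming used later in this file. The doc block also has an extra empty `## ` line after the parameter description compared with the other interfaces here.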
@@ -4206,6 +4225,24 @@ interface(`dev_rw_sysfs',`
 
 
 ## 
+## Relabel hardware state directories.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`dev_relabel_sysfs_dirs',`
+   gen_require(`
+   type sysfs_t;
+   ')
+
+   relabel_dirs_pattern($1, sysfs_t, sysfs_t)
+')
+
+
+## 
 ## Relabel from/to all sysfs types.
 ## 
 ## 

diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 66bc754e..470f0f00 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -1,4 +1,4 @@
-policy_module(devices, 1.20.2)
+policy_module(devices, 1.20.3)
 
 
 #
@@ -22,6 +22,10 @@ files_associate_tmp(device_t)
 fs_xattr_type(device_t)
 fs_use_trans devtmpfs gen_context(system_u:object_r:device_t,s0);
 
+optional_policy(`
+   systemd_tmpfilesd_managed(device_t, fifo_file)
+')
+
 #
 # Type for /dev/agpgart
 #
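Review bot: The new optional_policy block lets systemd-tmpfiles manage FIFOs of type device_t, but nothing records which tmpfiles.d entry needs a FIFO under /dev, so a later maintainer cannot tell whether the grant is still required. A one-line why-comment above the block would do, e.g. `# systemd-tmpfiles creates FIFOs under /dev from tmpfiles.d "p" entries` — adjust to the actual entry, which I cannot see from here. Keeping the grant restricted to fifo_file is the right call; it should not be widened to other file classes without a matching note.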

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 6babfb90..0d6fe3c5 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -6531,6 +6531,25 @@ interface(`files_dontaudit_ioctl_all_pids',`
 
 
 ## 
+## manage all pidfile directories
+## in the /var/run directory.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`files_manage_all_pid_dirs',`
+   gen_require(`
+   attribute pidfile;
+   ')
+
+   manage_dirs_pattern($1, pidfile, pidfile)
+')
+
+
+## 
 ## Read all process ID files.
 ## 
 ## 
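Review bot: `files_manage_all_pid_dirs` grants create, delete, rename and setattr on every directory of a pidfile type via manage_dirs_pattern, which is considerably broader than the read/list interfaces around it, and because pidfile is an attribute it covers every module's pid type under /run, not just var_run_t. The summary `manage all pidfile directories` also departs from the file's sentence-case style (compare "Read all process ID files." a few lines below); suggest `Create, read, write, and delete all pidfile directories in /var/run.` plus a sentence naming the intended consumer. The callers that motivate this interface are outside the hunk, so I cannot judge whether a narrower per-type interface would have sufficed.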
@@ -6553,6 +6572,42 @@ interface(`files_read_all_pids',`
 
 
 ## 
+## Execute generic programs in /var/run in the caller domain.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`files_exec_generic_pid_files',`
+   gen_require(`
+   type var_run_t;
+   ')
+
+   exec_files_pattern($1, var_run_t, var_run_t)
+')
+
+
+## 
+## Relable all pid files
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`files_relabel_all_pid_files',`
+   gen_require(`
+   attribute pidfile;
+   ')
+
+   relabel_files_pattern($1, pidfile, pidfile)
+')
+
+
+## 
 ## Delete all process IDs.
 ## 
 ## 
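Review bot: `files_exec_generic_pid_files` lets a domain execute regular files labeled var_run_t in its own domain; var_run_t is the generic label of a runtime tree that many services write to, so anything able to drop a file there gains code execution in every caller of this interface with no domain transition. If the caller needs to run one specific generated script, a dedicated type (with a transition where appropriate) is preferable; at minimum the summary should name the use case and warn, e.g. `Execute generic files in /var/run in the caller domain. Use with care: var_run_t content is created at runtime.` Separately, the second interface's summary reads `Relable all pid files` — typo for `Relabel all pid files.`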
@@ -6579,6 +6634,78 @@ interface(`files_delete_all_pids',`
 
 
 ## 
+## Create all 

[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/

2017-02-20 Thread Jason Zaman
commit: 71506bb1ae746af0aed371ff1b7fb2eb371fd33e
Author: cgzones  googlemail  com>
AuthorDate: Fri Jan  6 14:15:41 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Tue Feb 21 06:40:52 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=71506bb1

corecommands: label some binaries as bin_t

 policy/modules/kernel/corecommands.fc | 6 ++
 1 file changed, 6 insertions(+)

diff --git a/policy/modules/kernel/corecommands.fc 
b/policy/modules/kernel/corecommands.fc
index 5049a8a0..2b645e4d 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -278,6 +278,7 @@ ifdef(`distro_gentoo',`
 /usr/share/debconf/.+  --  gen_context(system_u:object_r:bin_t,s0)
 /usr/share/denyhosts/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/share/denyhosts/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/share/dput/execute-dput   --  gen_context(system_u:object_r:bin_t,s0)
 /usr/share/cluster/.*\.sh  gen_context(system_u:object_r:bin_t,s0)
 /usr/share/cluster/ocf-shellfuncs --   gen_context(system_u:object_r:bin_t,s0)
 /usr/share/cluster/svclib_nfslock --   gen_context(system_u:object_r:bin_t,s0)
@@ -304,6 +305,11 @@ ifdef(`distro_gentoo',`
 /usr/share/smolt/client(/.*)?  gen_context(system_u:object_r:bin_t,s0)
 /usr/share/spamassassin/sa-update\.cron gen_context(system_u:object_r:bin_t,s0)
 /usr/share/system-config-printer/applet\.py -- 
gen_context(system_u:object_r:bin_t,s0)
+/usr/share/texlive/texmf-dist/scripts/checkcites/checkcites\.lua -- 
gen_context(system_u:object_r:bin_t,s0)
+/usr/share/texlive/texmf-dist/scripts/checklistings/checklistings\.sh -- 
gen_context(system_u:object_r:bin_t,s0)
+/usr/share/texlive/texmf-dist/scripts/fontools/autoinst -- 
gen_context(system_u:object_r:bin_t,s0)
+/usr/share/texlive/texmf-dist/scripts/match_parens/match_parens -- 
gen_context(system_u:object_r:bin_t,s0)
+/usr/share/texlive/texmf-dist/scripts/yplan/yplan -- 
gen_context(system_u:object_r:bin_t,s0)
 /usr/share/texmf/web2c/mktexdir--  
gen_context(system_u:object_r:bin_t,s0)
 /usr/share/texmf-dist/scripts(/.*)?gen_context(system_u:object_r:bin_t,s0)
 /usr/share/turboprint/lib(/.*)?--  
gen_context(system_u:object_r:bin_t,s0)
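Review bot: The five texlive entries label individual scripts, while the existing `/usr/share/texmf-dist/scripts(/.*)?` context line just below labels a whole tree; if the texlive copy of texmf-dist has the same layout under a different prefix, a single `/usr/share/texlive/texmf-dist/scripts(/.*)?    gen_context(system_u:object_r:bin_t,s0)` keeps the two consistent and stops the list growing one script at a time. If the per-file approach is deliberate (only executable entry points get bin_t, library files under scripts/ stay untouched), a short comment above the block saying so would stop the next contributor from collapsing it. The pattern/context splits across lines in this hunk look like mail-archive wrapping rather than part of the patch.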


