public inbox for gentoo-commits@lists.gentoo.org
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2012-05-27 18:39 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2012-05-27 18:39 UTC
  To: gentoo-commits

commit:     15516ae2e99869b6e27f924c418d34fc8875ccb5
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun May 27 18:37:01 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sun May 27 18:37:01 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=15516ae2

Mark the modules directory as semanage_store_t

Previously, type transitions (on file/dir) occurred when semanage_t tried to create a directory inside a
selinux_config_t. Recently, this has changed so that this only occurs when said directory (that is created) is called
"modules".

However, on existing systems, this directory already exists (with the selinux_config_t type). As there is no file
context to say otherwise, loading a policy fails (as the "tmp/" dir that it creates doesn't transition) and restoring
the contexts of /etc/selinux recursively doesn't help either.

By adding the definition for the "modules/" directory, we should now be able to run a restorecon -R /etc/selinux once
and have the policy be loaded correctly again.

---
 policy/modules/system/selinuxutil.fc |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/selinuxutil.fc b/policy/modules/system/selinuxutil.fc
index c985344..93832ae 100644
--- a/policy/modules/system/selinuxutil.fc
+++ b/policy/modules/system/selinuxutil.fc
@@ -9,6 +9,7 @@
 /etc/selinux/([^/]*/)?policy(/.*)?	gen_context(system_u:object_r:policy_config_t,mls_systemhigh)
 /etc/selinux/([^/]*/)?setrans\.conf --	gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
 /etc/selinux/([^/]*/)?seusers	--	gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
+/etc/selinux/([^/]*/)?modules	-d	gen_context(system_u:object_r:semanage_store_t,s0)
 /etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
 /etc/selinux/([^/]*/)?modules/semanage\.read\.LOCK -- gen_context(system_u:object_r:semanage_read_lock_t,s0)
 /etc/selinux/([^/]*/)?modules/semanage\.trans\.LOCK -- gen_context(system_u:object_r:semanage_trans_lock_t,s0)
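Review bot: the new `modules -d` entry is restricted to directories, so a regular file dropped directly into modules/ that no more specific entry below covers still falls back to the generic /etc/selinux label; that is probably intended (the lock files and active/tmp/previous have their own entries), but it is worth a comment. The entry also relies on operators running the one-off `restorecon -R /etc/selinux` from the commit message on upgraded systems; record that requirement in a comment above the entry so it survives in the policy source. Using `s0` rather than the `mls_systemhigh` of the surrounding selinux_config_t entries is consistent with the existing semanage_store_t lines, so no issue there.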



^ permalink raw reply related	[flat|nested] 705+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2012-05-28  7:26 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2012-05-28  7:26 UTC
  To: gentoo-commits

commit:     9ec2a6a01501ed274bae022420b3d1f3d8e3a4d3
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Mon May 28 07:25:49 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon May 28 07:25:49 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=9ec2a6a0

Update file contexts for udev stuff

---
 policy/modules/system/udev.fc |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
index 2575393..dc822f5 100644
--- a/policy/modules/system/udev.fc
+++ b/policy/modules/system/udev.fc
@@ -9,6 +9,7 @@
 /etc/udev/rules.d(/.*)? gen_context(system_u:object_r:udev_rules_t,s0)
 /etc/udev/scripts/.+ --	gen_context(system_u:object_r:udev_helper_exec_t,s0)
 
+/lib/udev/udevd	--	gen_context(system_u:object_r:udev_exec_t,s0)
 /lib/udev/udev-acl --	gen_context(system_u:object_r:udev_exec_t,s0)
 
 ifdef(`distro_debian',`
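Review bot: `/lib/udev/udevd` is a literal path, so a udevd installed under /usr/lib/udev is not matched; if that layout is in scope, use `/(usr/)?lib/udev/udevd` or add a second entry. Style nit: the new line separates the path and `--` with a tab while the neighbouring `udev-acl` line uses a space; keep the column style of the block.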
@@ -26,6 +27,7 @@ ifdef(`distro_redhat',`
 /sbin/start_udev --	gen_context(system_u:object_r:udev_exec_t,s0)
 ')
 
+/usr/bin/udevadm	--	gen_context(system_u:object_r:udev_exec_t,s0)
 /usr/bin/udevinfo --	gen_context(system_u:object_r:udev_exec_t,s0)
 
 /var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
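Review bot: labelling `/usr/bin/udevadm` as udev_exec_t means any domain with a udev domain transition that runs udevadm will execute it in udev_t, the daemon's domain, rather than in the caller's domain. That mirrors how `udevinfo` is handled on the next line, so it is consistent, but the commit message should say so since it widens what runs under udev_t.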



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2012-05-28  8:01 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2012-05-28  8:01 UTC
  To: gentoo-commits

commit:     95d503094782dba01d86a9ff6c24aecf50807105
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Mon May 28 07:37:47 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon May 28 07:37:47 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=95d50309

Introduce named file transition for /run/udev

---
 policy/modules/system/init.te |    2 +-
 policy/modules/system/udev.if |   21 +++++++++++++++++++++
 2 files changed, 22 insertions(+), 1 deletions(-)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index b0cb238..f1acb15 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -854,7 +854,7 @@ optional_policy(`
 	udev_dontaudit_getattr_netlink_kobject_uevent_sockets(initrc_t)
 	udev_dontaudit_getattr_unix_stream_sockets(initrc_t)
 	udev_pid_filetrans_tbl_dirs(initrc_t, "udev")
-	udev_rw_db(initrc_t)
+	udev_manage_db(initrc_t)
 	udev_manage_pid_files(initrc_t)
 	udev_manage_rules_files(initrc_t)
 ')
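Review bot: the commit title promises a named file transition, but this hunk only widens initrc_t from `udev_rw_db` to `udev_manage_db` (create and unlink on udev_tbl_t directories and files); the only transition in the block is the pre-existing `udev_pid_filetrans_tbl_dirs(initrc_t, "udev")`. State in the commit message which init-script step needs create/unlink on the udev database, since rw was evidently enough before.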

diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
index 6330df1..098dfd5 100644
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@@ -272,6 +272,27 @@ interface(`udev_rw_db',`
 
 ########################################
 ## <summary>
+##	Manage the udev db files and directories
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`udev_manage_db',`
+	gen_require(`
+		type udev_tbl_t;
+	')
+
+	dev_list_all_dev_nodes($1)
+	manage_dirs_pattern($1, udev_tbl_t, udev_tbl_t)
+	manage_files_pattern($1, udev_tbl_t, udev_tbl_t)
+')
+
+
+########################################
+## <summary>
 ##	Write dirs in /var/run with the udev_tbl file type
 ## </summary>
 ## <param name="domain">
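Review bot: `dev_list_all_dev_nodes($1)` inside `udev_manage_db` is an unrelated side effect for callers that only want database access; keep the interface to the udev_tbl_t rules and let callers request /dev listing themselves. Style nit: two blank lines precede the next `####` divider where the file uses one.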



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2012-05-28  8:18 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2012-05-28  8:18 UTC
  To: gentoo-commits

commit:     eff479638c17429af225fbf5aee9bf075dd9dd69
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Mon May 28 08:18:36 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon May 28 08:18:36 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=eff47963

Allow initrc to create udev_var_run

---
 policy/modules/system/init.te |    4 ++--
 policy/modules/system/udev.if |   39 ++++++++++++++++++---------------------
 2 files changed, 20 insertions(+), 23 deletions(-)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index f1acb15..07c23d4 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -853,9 +853,9 @@ optional_policy(`
 optional_policy(`
 	udev_dontaudit_getattr_netlink_kobject_uevent_sockets(initrc_t)
 	udev_dontaudit_getattr_unix_stream_sockets(initrc_t)
-	udev_pid_filetrans_tbl_dirs(initrc_t, "udev")
-	udev_manage_db(initrc_t)
+	udev_pid_filetrans_run_dirs(initrc_t, "udev")
 	udev_manage_pid_files(initrc_t)
+	udev_manage_pid_dirs(initrc_t)
 	udev_manage_rules_files(initrc_t)
 ')
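Review bot: dropping `udev_manage_db(initrc_t)` leaves initrc_t with no write access to udev_tbl_t at all (the original `udev_rw_db` was already replaced in the previous commit), so any init-script step that touches the udev database will now be denied; if that is intended the commit message should say so. Ordering nit: `udev_manage_pid_dirs` sorts before `udev_manage_pid_files` and should go above it to keep the block alphabetical.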
 

diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
index 098dfd5..c98bcec 100644
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@@ -272,54 +272,51 @@ interface(`udev_rw_db',`
 
 ########################################
 ## <summary>
-##	Manage the udev db files and directories
+##	Write dirs in /var/run with the udev_var_run file type
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	Name of the directory that the file transition will work on
+##	</summary>
+## </param>
 #
-interface(`udev_manage_db',`
+interface(`udev_pid_filetrans_run_dirs',`
 	gen_require(`
-		type udev_tbl_t;
+		type udev_var_run_t;
 	')
 
-	dev_list_all_dev_nodes($1)
-	manage_dirs_pattern($1, udev_tbl_t, udev_tbl_t)
-	manage_files_pattern($1, udev_tbl_t, udev_tbl_t)
+	files_pid_filetrans($1, udev_var_run_t, dir, $2)
 ')
 
-
 ########################################
 ## <summary>
-##	Write dirs in /var/run with the udev_tbl file type
+##	Create, read, write, and delete
+##	udev pid files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
-## <param name="name" optional="true">
-##	<summary>
-##	Name of the directory that the file transition will work on
-##	</summary>
-## </param>
 #
-interface(`udev_pid_filetrans_tbl_dirs',`
+interface(`udev_manage_pid_files',`
 	gen_require(`
-		type udev_tbl_t;
+		type udev_var_run_t;
 	')
 
-	allow $1 var_t:dir search_dir_perms;
-	allow $1 var_run_t:lnk_file read_lnk_file_perms;
-	files_pid_filetrans($1, udev_tbl_t, dir, $2)
+	files_search_var_lib($1)
+	manage_files_pattern($1, udev_var_run_t, udev_var_run_t)
 ')
 
 ########################################
 ## <summary>
 ##	Create, read, write, and delete
-##	udev pid files.
+##	udev run directories
 ## </summary>
 ## <param name="domain">
 ##	<summary>
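Review bot: `udev_manage_pid_files` calls `files_search_var_lib($1)`, but udev_var_run_t lives under /var/run; `files_search_pids($1)` is the interface that grants the search needed to reach it, and var_lib search does nothing for this path. Since the block is being rewritten anyway, fix it here rather than propagating the copy into the new interfaces. Removing `udev_manage_db` and `udev_pid_filetrans_tbl_dirs` without deprecation stubs is fine because both were introduced in the previous commit.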
@@ -327,11 +324,11 @@ interface(`udev_pid_filetrans_tbl_dirs',`
 ##	</summary>
 ## </param>
 #
-interface(`udev_manage_pid_files',`
+interface(`udev_manage_pid_dirs',`
 	gen_require(`
 		type udev_var_run_t;
 	')
 
 	files_search_var_lib($1)
-	manage_files_pattern($1, udev_var_run_t, udev_var_run_t)
+	manage_dirs_pattern($1, udev_var_run_t, udev_var_run_t)
 ')
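Review bot: `manage_dirs_pattern($1, udev_var_run_t, udev_var_run_t)` lets the caller create and remove every udev_var_run_t directory, including `/var/run/PackageKit/udev` from udev.fc, not only /var/run/udev. That is the usual granularity for a `*_manage_pid_dirs` interface, but the `files_search_var_lib($1)` copied from the interface above has the same problem there: it should be `files_search_pids($1)` for content under /var/run.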



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2012-05-28  8:41 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2012-05-28  8:41 UTC
  To: gentoo-commits

commit:     6cdd08259ada20578ed678db846d78728bb59041
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Mon May 28 08:34:27 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon May 28 08:34:27 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=6cdd0825

Allow udev to manage sock files in its run dir

---
 policy/modules/system/udev.te |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index f32e4bb..321a43b 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -74,6 +74,7 @@ read_files_pattern(udev_t, udev_rules_t, udev_rules_t)
 manage_dirs_pattern(udev_t, udev_var_run_t, udev_var_run_t)
 manage_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
 manage_lnk_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
+manage_sock_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
 files_pid_filetrans(udev_t, udev_var_run_t, { dir file })
 
 kernel_read_system_state(udev_t)
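Review bot: the `files_pid_filetrans(udev_t, udev_var_run_t, { dir file })` on the following line does not include sock_file, so a socket udevd creates directly in /var/run is labelled var_run_t, not udev_var_run_t; the new `manage_sock_files_pattern` only helps for sockets created inside an already-labelled udev_var_run_t directory. If the socket is meant to sit directly in /run, add `sock_file` to that class set.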



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2012-06-23 13:40 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2012-06-23 13:40 UTC
  To: gentoo-commits

commit:     d769d593e6a63a83a2ed5851a7269e497c8d7fb1
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue May 29 18:05:21 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Tue May 29 18:05:21 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=d769d593

Setting contexts for udev correctly too so that the filetrans can also be reset

---
 policy/modules/system/udev.fc |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
index dc822f5..f2286ef 100644
--- a/policy/modules/system/udev.fc
+++ b/policy/modules/system/udev.fc
@@ -31,7 +31,8 @@ ifdef(`distro_redhat',`
 /usr/bin/udevinfo --	gen_context(system_u:object_r:udev_exec_t,s0)
 
 /var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
-/var/run/udev(/.*)?	gen_context(system_u:object_r:udev_tbl_t,s0)
+/var/run/udev	-d	gen_context(system_u:object_r:udev_var_run_t,s0)
+/var/run/udev/rules\.d(/.*)?	gen_context(system_u:object_r:udev_tbl_t,s0)
 
 ifdef(`distro_debian',`
 /var/run/xen-hotplug -d	gen_context(system_u:object_r:udev_var_run_t,s0)
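Review bot: replacing `/var/run/udev(/.*)?` with a `-d` entry for the directory plus `rules\.d` means everything else beneath /var/run/udev now falls through to the generic /var/run labelling (var_run_t), whereas before it was udev_tbl_t; udevd's other state there loses its udev type. Keep a `(/.*)?` catch-all on the udev_var_run_t line and layer the more specific udev_tbl_t entries on top of it; the more specific entry wins, so the catch-all does not override `rules\.d`.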



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2012-06-27 19:12 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2012-06-27 19:12 UTC
  To: gentoo-commits

commit:     2a3789fcb7b26f16e4595ab4520a925af9dcabb3
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Mon Jun 25 18:19:22 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Jun 25 18:19:22 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=2a3789fc

Support for udev in /run (using /run/udev)

---
 policy/modules/system/udev.fc |    1 +
 policy/modules/system/udev.if |   22 ++++++++++++++++++++++
 2 files changed, 23 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
index f2286ef..fb5a97d 100644
--- a/policy/modules/system/udev.fc
+++ b/policy/modules/system/udev.fc
@@ -33,6 +33,7 @@ ifdef(`distro_redhat',`
 /var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
 /var/run/udev	-d	gen_context(system_u:object_r:udev_var_run_t,s0)
 /var/run/udev/rules\.d(/.*)?	gen_context(system_u:object_r:udev_tbl_t,s0)
+/var/run/udev/data(/.*)?	gen_context(system_u:object_r:udev_tbl_t,s0)
 
 ifdef(`distro_debian',`
 /var/run/xen-hotplug -d	gen_context(system_u:object_r:udev_var_run_t,s0)
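Review bot: adding `data` narrows the gap, but because the `/var/run/udev` entry is still `-d` only, anything else under it continues to label as generic var_run_t. A `(/.*)?` on the udev_var_run_t line would give the remaining content a udev type while `rules\.d` and `data` keep udev_tbl_t, since file_contexts precedence goes to the more specific entry.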

diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
index c98bcec..46c8e82 100644
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@@ -249,6 +249,8 @@ interface(`udev_read_db',`
 	allow $1 udev_tbl_t:dir list_dir_perms;
 	read_files_pattern($1, udev_tbl_t, udev_tbl_t)
 	read_lnk_files_pattern($1, udev_tbl_t, udev_tbl_t)
+	# Device table files are beneith /run/udev
+	udev_search_pids($1)
 ')
 
 ########################################
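Review bot: typo in the new comment, "beneith" should be "beneath". Also note that `udev_read_db` now pulls in `udev_search_pids`, which grants search on every udev_var_run_t directory rather than just the path to the database; acceptable, but it changes what every existing `udev_read_db` caller receives and deserves a line in the commit message.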
@@ -295,6 +297,26 @@ interface(`udev_pid_filetrans_run_dirs',`
 
 ########################################
 ## <summary>
+## 	Search through udev pid files and directories
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`udev_search_pids',`
+	gen_require(`
+		type udev_var_run_t;
+	')
+
+	files_search_var_lib($1)
+	search_dirs_pattern($1, udev_var_run_t, udev_var_run_t)
+')
+
+
+########################################
+## <summary>
 ##	Create, read, write, and delete
 ##	udev pid files.
 ## </summary>
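Review bot: `files_search_var_lib($1)` in `udev_search_pids` should be `files_search_pids($1)`: udev_var_run_t is under /var/run, and without search on the /var/run hierarchy the new `search_dirs_pattern` cannot be reached from /var. Style nit: two blank lines before the `####` divider where the file uses one.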



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2012-07-04 20:16 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2012-07-04 20:16 UTC
  To: gentoo-commits

commit:     895d3c5721bc3ae5df2c1db5ba28aaa4dc09ee88
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Jul  4 20:14:58 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Jul  4 20:14:58 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=895d3c57

Fix bug #424359 - Introduce proper transitions for udev init script in /run/udev

---
 policy/modules/system/init.te |    4 +++-
 policy/modules/system/udev.if |   26 +++++++++++++++++++++++++-
 2 files changed, 28 insertions(+), 2 deletions(-)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index f82ecf2..2534150 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -853,7 +853,9 @@ optional_policy(`
 optional_policy(`
 	udev_dontaudit_getattr_netlink_kobject_uevent_sockets(initrc_t)
 	udev_dontaudit_getattr_unix_stream_sockets(initrc_t)
-	udev_pid_filetrans_run_dirs(initrc_t, "udev")
+	udev_generic_pid_filetrans_run_dirs(initrc_t, "udev")
+	udev_pid_filetrans_db_dirs(initrc_t, "rules.d")
+	udev_pid_filetrans_db_dirs(initrc_t, "data")
 	udev_manage_pid_files(initrc_t)
 	udev_manage_pid_dirs(initrc_t)
 	udev_manage_rules_files(initrc_t)
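Review bot: the two `udev_pid_filetrans_db_dirs` calls install type_transitions to udev_tbl_t, but nothing in this block grants initrc_t `create` on udev_tbl_t:dir (the `udev_manage_db` call was removed earlier in the series, and the remaining manage_* calls cover udev_var_run_t and udev_rules_t only), so creating rules.d or data will still be denied with the transition in place. A `create_dirs_pattern` on (udev_var_run_t, udev_tbl_t) is needed alongside these calls.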

diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
index 8f59ae9..5469742 100644
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@@ -276,6 +276,30 @@ interface(`udev_rw_db',`
 
 ########################################
 ## <summary>
+##	Write dirs in /var/run/udev with the udev_tbl_t (udev database) file type
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	Name of the directory that the file transition will work on
+##	</summary>
+## </param>
+#
+interface(`udev_pid_filetrans_db_dirs',`
+	gen_require(`
+		type udev_tbl_t;
+		type udev_var_run_t;
+	')
+
+	filetrans_pattern($1, udev_var_run_t, udev_tbl_t, dir, $2)
+')
+
+########################################
+## <summary>
 ##	Write dirs in /var/run with the udev_var_run file type
 ## </summary>
 ## <param name="domain">
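Review bot: the summary says "Write dirs in /var/run/udev", but `filetrans_pattern` only grants rw on the udev_var_run_t parent plus the type_transition; the caller still needs `create` on udev_tbl_t:dir, so either say so in the summary or pair the pattern with `create_dirs_pattern($1, udev_var_run_t, udev_tbl_t)` inside the interface. Hardcoding the `dir` class also forces a rename as soon as a file variant is needed; taking the class as a parameter avoids that.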
@@ -289,7 +313,7 @@ interface(`udev_rw_db',`
 ##	</summary>
 ## </param>
 #
-interface(`udev_pid_filetrans_run_dirs',`
+interface(`udev_generic_pid_filetrans_run_dirs',`
 	gen_require(`
 		type udev_var_run_t;
 	')
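Review bot: renaming `udev_pid_filetrans_run_dirs` to `udev_generic_pid_filetrans_run_dirs` without leaving a deprecated wrapper breaks any out-of-tree caller; that is acceptable for an interface added days earlier in this tree, but the summary above still reads "Write dirs in /var/run with the udev_var_run file type" and should say this is the generic (non-database) variant so the two interfaces are not confused.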



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2012-07-10 17:22 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2012-07-10 17:22 UTC
  To: gentoo-commits

commit:     e7b4aa6923f78af230e19c8590232761d8c1f099
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Jul 10 16:38:46 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Tue Jul 10 16:38:46 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=e7b4aa69

Improvements on init/udev /run support

---
 policy/modules/system/init.te |    1 +
 policy/modules/system/udev.if |   21 +++++++++++++++++++++
 2 files changed, 22 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 2534150..76aad7a 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -851,6 +851,7 @@ optional_policy(`
 ')
 
 optional_policy(`
+	udev_create_db_dirs(initrc_t)
 	udev_dontaudit_getattr_netlink_kobject_uevent_sockets(initrc_t)
 	udev_dontaudit_getattr_unix_stream_sockets(initrc_t)
 	udev_generic_pid_filetrans_run_dirs(initrc_t, "udev")
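Review bot: `udev_create_db_dirs(initrc_t)` supplies the `create` permission that the `udev_pid_filetrans_db_dirs` transitions further down this block were missing; a one-line comment tying the two together would help the next reader, since neither works without the other.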

diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
index 5469742..cff9ce6 100644
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@@ -276,6 +276,27 @@ interface(`udev_rw_db',`
 
 ########################################
 ## <summary>
+##	Create udev database directories
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`udev_create_db_dirs',`
+	gen_require(`
+		type udev_tbl_t;
+		type udev_var_run_t;
+	')
+
+	create_dirs_pattern($1, udev_var_run_t, udev_tbl_t)
+')
+
+
+
+########################################
+## <summary>
 ##	Write dirs in /var/run/udev with the udev_tbl_t (udev database) file type
 ## </summary>
 ## <param name="domain">
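Review bot: three blank lines separate the new interface from the next `####` divider where the file uses one. `create_dirs_pattern($1, udev_var_run_t, udev_tbl_t)` is the right pairing for the database transition interface (write on the udev_var_run_t parent, create on udev_tbl_t:dir); say in the summary that it is meant to be used together with `udev_pid_filetrans_db_dirs`.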



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2012-07-10 18:26 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2012-07-10 18:26 UTC
  To: gentoo-commits

commit:     278d8a1c1beaa385673d2ba15d68e42e9ad5f450
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Jul 10 17:50:27 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Tue Jul 10 17:50:27 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=278d8a1c

Update on udev/init file transitions for /run

---
 policy/modules/system/init.te |    3 +--
 policy/modules/system/udev.if |   11 ++++++++---
 policy/modules/system/udev.te |    2 ++
 3 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 76aad7a..4481731 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -855,8 +855,7 @@ optional_policy(`
 	udev_dontaudit_getattr_netlink_kobject_uevent_sockets(initrc_t)
 	udev_dontaudit_getattr_unix_stream_sockets(initrc_t)
 	udev_generic_pid_filetrans_run_dirs(initrc_t, "udev")
-	udev_pid_filetrans_db_dirs(initrc_t, "rules.d")
-	udev_pid_filetrans_db_dirs(initrc_t, "data")
+	udev_pid_filetrans_db(initrc_t, dir, "rules.d")
 	udev_manage_pid_files(initrc_t)
 	udev_manage_pid_dirs(initrc_t)
 	udev_manage_rules_files(initrc_t)
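Review bot: the "data" transition moves from initrc_t to udev_t, but the commit message does not say why. If the init script still creates /run/udev/data, as the previous commit assumed, it will now be labelled udev_var_run_t by inheritance from the parent and the udev_tbl_t entry in udev.fc will not match what is on disk; confirm which domain actually creates that directory and state it here.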

diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
index cff9ce6..d8dd302 100644
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@@ -297,26 +297,31 @@ interface(`udev_create_db_dirs',`
 
 ########################################
 ## <summary>
-##	Write dirs in /var/run/udev with the udev_tbl_t (udev database) file type
+##	Write in /var/run/udev with the udev_tbl_t (udev database) file type
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <param name="class">
+## 	<summary>
+##	Classes on which the file transition should occur
+##	</summary>
+## </param>
 ## <param name="name" optional="true">
 ##	<summary>
 ##	Name of the directory that the file transition will work on
 ##	</summary>
 ## </param>
 #
-interface(`udev_pid_filetrans_db_dirs',`
+interface(`udev_pid_filetrans_db',`
 	gen_require(`
 		type udev_tbl_t;
 		type udev_var_run_t;
 	')
 
-	filetrans_pattern($1, udev_var_run_t, udev_tbl_t, dir, $2)
+	filetrans_pattern($1, udev_var_run_t, udev_tbl_t, $2, $3)
 ')
 
 ########################################
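Review bot: the `name` parameter doc still says "Name of the directory" although the interface now takes a class; make it "Name of the file or directory". Inserting `class` before `name` changes the argument order for the existing caller, so every call site has to be updated in the same commit (init.te is, check for others). Style nit: `## 	<summary>` under the new param has a stray space before the tab.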

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 321a43b..ce479f2 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -174,6 +174,8 @@ sysnet_etc_filetrans_config(udev_t)
 
 userdom_dontaudit_search_user_home_content(udev_t)
 
+udev_pid_filetrans_db(udev_t, dir, "data")
+
 ifdef(`distro_gentoo',`
 	# during boot, init scripts use /dev/.rcsysinit
 	# existance to determine if we are in early booting
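Review bot: calling the module's own interface, `udev_pid_filetrans_db(udev_t, dir, "data")`, from udev.te goes against the refpolicy convention that a module does not use its own interfaces in its .te file; write the rule directly as `filetrans_pattern(udev_t, udev_var_run_t, udev_tbl_t, dir, "data")` and place it with the other udev_var_run_t rules next to the existing `files_pid_filetrans(udev_t, udev_var_run_t, { dir file })` rather than after the userdom block.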



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2012-07-10 18:26 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2012-07-10 18:26 UTC
  To: gentoo-commits

commit:     3b8e56c7a188ec7bbcb3e01222184c417777a9d8
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Jul 10 18:25:28 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Tue Jul 10 18:25:28 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=3b8e56c7

Mark entire run/udev directory as udev_var_run_t

---
 policy/modules/system/udev.fc |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
index fb5a97d..c72f0e8 100644
--- a/policy/modules/system/udev.fc
+++ b/policy/modules/system/udev.fc
@@ -31,7 +31,7 @@ ifdef(`distro_redhat',`
 /usr/bin/udevinfo --	gen_context(system_u:object_r:udev_exec_t,s0)
 
 /var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
-/var/run/udev	-d	gen_context(system_u:object_r:udev_var_run_t,s0)
+/var/run/udev(/.*)?		gen_context(system_u:object_r:udev_var_run_t,s0)
 /var/run/udev/rules\.d(/.*)?	gen_context(system_u:object_r:udev_tbl_t,s0)
 /var/run/udev/data(/.*)?	gen_context(system_u:object_r:udev_tbl_t,s0)
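Review bot: with the catch-all restored, the more specific `rules\.d` and `data` entries still win because file_contexts matching gives precedence to the entry with the longer literal stem, so this is correct and closes the gap opened two commits earlier; verify after loading with `matchpathcon /var/run/udev/data /var/run/udev/queue`. Style nit: two tabs between the regex and gen_context where the neighbouring lines use one.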
 



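To check how the file_contexts entries in this thread resolve, both the `modules -d` entry from the first commit above and the `/var/run/udev(/.*)?` catch-all against the more specific `rules\.d` and `data` entries here, the following is an added Python example; it is not code from hardened-refpolicy or libselinux. It approximates libselinux's lookup: entries are sorted by the length of their literal stem, the last match wins, and the `--`/`-d` flags filter by object class. The `/etc/selinux(/.*)?` line in the fragment is an assumed stand-in for the default label, `BROKEN_LINE` is a constructed entry shaped like the miscfiles.fc hunk further down (no second gen_context argument), and path substitution for /run (file_contexts.subs_dist) is deliberately not modelled, so `/run/...` paths resolve to nothing here.

```python
"""Resolve which label a path gets from refpolicy-style file_contexts lines.

Added example for this thread, not code from hardened-refpolicy or libselinux.
It approximates libselinux's lookup (entries sorted by literal stem length,
last match wins, object-class flag filters) for the entries quoted above.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed fragment: the first line is an assumed catch-all standing in
# for the default /etc/selinux label; the rest are copied from this thread.
FC_FRAGMENT = r"""
/etc/selinux(/.*)?	gen_context(system_u:object_r:selinux_config_t,s0)
/etc/selinux/([^/]*/)?modules	-d	gen_context(system_u:object_r:semanage_store_t,s0)
/etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
/etc/selinux/([^/]*/)?modules/semanage\.read\.LOCK -- gen_context(system_u:object_r:semanage_read_lock_t,s0)
/var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
/var/run/udev(/.*)?		gen_context(system_u:object_r:udev_var_run_t,s0)
/var/run/udev/rules\.d(/.*)?	gen_context(system_u:object_r:udev_tbl_t,s0)
/var/run/udev/data(/.*)?	gen_context(system_u:object_r:udev_tbl_t,s0)
"""

# Object-class flags accepted in file_contexts; no flag means any class.
FILE_TYPES = {"--": "file", "-d": "dir", "-c": "chr_file", "-b": "blk_file",
              "-s": "sock_file", "-l": "lnk_file", "-p": "fifo_file"}
META_CHARS = set(".^$?*+|[](){}\\")
GEN_CONTEXT = re.compile(r"gen_context\(([^,()\s]+)(?:\s*,\s*([^,()\s]+))?\)")


@dataclass
class Spec:
    regex: str
    ftype: Optional[str]    # object class restriction, None = any class
    context: str            # security context with the MLS level appended
    level: Optional[str]    # second gen_context() argument, None if absent
    stem: str


def stem_of(regex: str) -> str:
    """Leading path components that contain no regex metacharacter."""
    last_slash = 0
    for i, ch in enumerate(regex):
        if ch == "/":
            last_slash = i
        elif ch in META_CHARS:
            return regex[:last_slash]
    return regex.rsplit("/", 1)[0]


def parse_fc(text: str) -> List[Spec]:
    specs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        regex, rest = fields[0], fields[1:]
        ftype = None
        if rest and rest[0] in FILE_TYPES:
            ftype, rest = FILE_TYPES[rest[0]], rest[1:]
        m = GEN_CONTEXT.search(" ".join(rest))
        if not m:
            raise ValueError("unparsable file_contexts line: " + line)
        ctx, level = m.group(1), m.group(2)
        # gen_context(ctx, s0) expands to "ctx:s0" on MLS/MCS policies
        full = f"{ctx}:{level}" if level else ctx
        specs.append(Spec(regex, ftype, full, level, stem_of(regex)))
    # fc_sort approximation: longer (more specific) stems sort later, ties
    # keep file order; lookup() then walks the list from the end.
    specs.sort(key=lambda s: len(s.stem))
    return specs


def lookup(specs: List[Spec], path: str, obj_class: str = "file") -> Optional[str]:
    """Context for path as obj_class, or None when no entry matches."""
    for spec in reversed(specs):
        if spec.ftype is not None and spec.ftype != obj_class:
            continue
        if re.fullmatch(spec.regex, path):
            return spec.context
    return None


def entries_missing_level(specs: List[Spec]) -> List[str]:
    """Regexes whose gen_context() has no MLS level argument."""
    return [s.regex for s in specs if s.level is None]


SPECS = parse_fc(FC_FRAGMENT)

# Constructed line shaped like the miscfiles.fc hunk below: the second
# gen_context() argument (the level) is absent.
BROKEN_LINE = r"HOME_DIR/.nss(/.*)?		gen_context(system_u:object_r:cert_home_t)"

if __name__ == "__main__":
    for path, cls in [("/etc/selinux/strict/modules", "dir"),
                      ("/etc/selinux/strict/modules", "file"),
                      ("/var/run/udev/data/b8:1", "file"),
                      ("/var/run/udev/queue", "dir")]:
        print(f"{path} ({cls}) -> {lookup(SPECS, path, cls)}")
    print("missing level:", entries_missing_level(parse_fc(BROKEN_LINE)))
```

Running it shows the point of the `modules -d` commit: the same path resolves to semanage_store_t as a directory but to the catch-all label as a regular file, and `/var/run/udev/queue` falls to udev_var_run_t only because the catch-all is present. On a real system the authoritative answer is `matchpathcon` or `restorecon -nv` against the loaded policy; this script only reproduces the precedence rule for the lines quoted here.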
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2012-07-12 17:03 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2012-07-12 17:03 UTC
  To: gentoo-commits

commit:     7485eb80aea4f429b7ee2d5d547108ef8e4c7d87
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Jul 10 18:27:26 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Tue Jul 10 18:27:26 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=7485eb80

Add in /run/openrc location information

---
 policy/modules/system/init.fc |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
index 5559132..456bcc4 100644
--- a/policy/modules/system/init.fc
+++ b/policy/modules/system/init.fc
@@ -68,6 +68,7 @@ ifdef(`distro_gentoo', `
 /var/lib/init\.d(/.*)?		gen_context(system_u:object_r:initrc_state_t,s0)
 /var/lib/ip6?tables(/.*)?		gen_context(system_u:object_r:initrc_tmp_t,s0)
 /var/run/svscan\.pid	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
+/var/run/openrc(/.*)?		gen_context(system_u:object_r:initrc_state_t,s0)
 ')
 
 ifdef(`distro_suse', `
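Review bot: `/var/run/openrc` sorts before `/var/run/svscan\.pid`, so place it above that line to keep the block ordered. Also remember that a file_contexts entry only describes what restorecon or setfiles would apply; a directory openrc creates at boot gets its type from the creating domain's file transitions, so check that init.te has a matching initrc_state_t transition for this directory, otherwise it will inherit the /var/run label until relabelled.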



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2012-07-17 16:27 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2012-07-17 16:27 UTC
  To: gentoo-commits

commit:     d4f3c6a1af878661b5d4c1d2a86da929d89eb33e
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Jul 17 16:27:41 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Tue Jul 17 16:27:41 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=d4f3c6a1

Allow dhcpc to create (/var)/run/dhcpc

---
 policy/modules/system/sysnetwork.te |    5 ++++-
 1 files changed, 4 insertions(+), 1 deletions(-)

diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index b2467f5..db76550 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -65,7 +65,10 @@ filetrans_pattern(dhcpc_t, dhcp_state_t, dhcpc_state_t, file)
 
 # create pid file
 manage_files_pattern(dhcpc_t, dhcpc_var_run_t, dhcpc_var_run_t)
-files_pid_filetrans(dhcpc_t, dhcpc_var_run_t, file)
+manage_dirs_pattern(dhcpc_t, dhcpc_var_run_t, dhcpc_var_run_t)
+# Create /var/run/dhcpc directory (state directory), needed for /run/dhcpc
+# Gets done through the dhcpcd-hooks
+files_pid_filetrans(dhcpc_t, dhcpc_var_run_t, { file dir })
 
 # Allow read/write to /etc/resolv.conf and /etc/ntp.conf. Note that any files
 # in /etc created by dhcpcd will be labelled net_conf_t.
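Review bot: `files_pid_filetrans(dhcpc_t, dhcpc_var_run_t, { file dir })` labels every directory dhcpc_t creates directly in /var/run as dhcpc_var_run_t. Since the comment says the directory is specifically /var/run/dhcpc, use the named form, `files_pid_filetrans(dhcpc_t, dhcpc_var_run_t, dir, "dhcpc")`, as the udev changes earlier in this series do, so an unrelated mkdir by a dhcpcd hook does not pick up the type.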



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2012-07-17 16:27 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2012-07-17 16:27 UTC
  To: gentoo-commits

commit:     a27b242a6676fb1d1f078e8ddc68d402c4724ea9
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Jul 17 15:32:07 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Tue Jul 17 15:32:07 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=a27b242a

Marking new udevd location as udev executable

---
 policy/modules/system/udev.fc |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
index c72f0e8..69d48c8 100644
--- a/policy/modules/system/udev.fc
+++ b/policy/modules/system/udev.fc
@@ -30,6 +30,8 @@ ifdef(`distro_redhat',`
 /usr/bin/udevadm	--	gen_context(system_u:object_r:udev_exec_t,s0)
 /usr/bin/udevinfo --	gen_context(system_u:object_r:udev_exec_t,s0)
 
+/usr/lib/systemd/systemd-udevd	--	gen_context(system_u:object_r:udev_exec_t,s0)
+
 /var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
 /var/run/udev(/.*)?		gen_context(system_u:object_r:udev_var_run_t,s0)
 /var/run/udev/rules\.d(/.*)?	gen_context(system_u:object_r:udev_tbl_t,s0)



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2012-07-26 19:23 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2012-07-26 19:23 UTC
  To: gentoo-commits

commit:     d47f0107bd9bd1566748e7377d9ba902b898c1b0
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Jul 26 19:23:16 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Thu Jul 26 19:23:16 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=d47f0107

Adding cert_home type declaration

---
 policy/modules/system/miscfiles.fc |    2 ++
 policy/modules/system/miscfiles.if |   29 +++++++++++++++++++++++++++++
 policy/modules/system/miscfiles.te |    7 +++++++
 3 files changed, 38 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
index fe3427d..0328dd6 100644
--- a/policy/modules/system/miscfiles.fc
+++ b/policy/modules/system/miscfiles.fc
@@ -91,3 +91,5 @@ ifdef(`distro_redhat',`
 /var/empty/sshd/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
 /var/spool/postfix/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
 ')
+
+HOME_DIR/.nss(/.*)?		gen_context(system_u:object_r:cert_home_t)
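Review bot: `gen_context(system_u:object_r:cert_home_t)` is missing the MLS level argument that every other entry in this file supplies; it should read `gen_context(system_u:object_r:cert_home_t,s0)`. On an MLS or MCS build the expansion yields a context without a level, and the generated file_contexts will fail to load or label. Placement nit: the HOME_DIR entry is appended after the closing `')` of the distro_redhat block rather than with the other unconditional entries.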

diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
index 926ba65..42fa71d 100644
--- a/policy/modules/system/miscfiles.if
+++ b/policy/modules/system/miscfiles.if
@@ -171,6 +171,35 @@ interface(`miscfiles_manage_cert_files',`
 
 ########################################
 ## <summary>
+##	Automatically use the cert_home_t label for selected resources created
+##	in a users home directory
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+## <param name="class">
+##	<summary>
+##	Resource type(s) for which the label should be used
+##	</summary>
+## </param>
+## <param name="filename" optional="true">
+##	<summary>
+##	Name of the resource that is being created
+##	</summary>
+## </param>
+#
+interface(`miscfiles_user_home_dir_filetrans_cert_home',`
+	gen_require(`
+		type cert_home_t;
+	')
+
+	userdom_user_home_dir_filetrans($1, cert_home_t, $2, $3)
+')
+
+########################################
+## <summary>
 ##	Read fonts.
 ## </summary>
 ## <param name="domain">
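Review bot: the summary has a possessive typo, "a users home directory" should be "a user's home directory" (note that an apostrophe here is fine, since this is in an XML doc comment and not inside the m4-quoted interface body). The optional="true" marking on the filename parameter matches the optional fourth argument that is forwarded to userdom_user_home_dir_filetrans, so the interface itself is correct; what is missing alongside it is any read or manage interface for cert_home_t, so a caller that triggers this transition will only be able to reach the files through the cert_type or user_home_type attributes that the .te change assigns.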

diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te
index 703944c..fab61bc 100644
--- a/policy/modules/system/miscfiles.te
+++ b/policy/modules/system/miscfiles.te
@@ -14,6 +14,13 @@ type cert_t;
 miscfiles_cert_type(cert_t)
 
 #
+# cert_home_t is the type of files in the users' home directories.
+#
+type cert_home_t;
+miscfiles_cert_type(cert_home_t)
+userdom_user_home_content(cert_home_t)
+
+#
 # fonts_t is the type of various font
 # files in /usr
 #
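Review bot: the comment "cert_home_t is the type of files in the users' home directories" does not say which files; "certificate databases (~/.nss) in the users' home directories" would match the .fc entry. More importantly, miscfiles_cert_type(cert_home_t) places the type under the cert_type attribute, so every domain granted miscfiles_read_all_certs() can now read ~/.nss, and an NSS database holds private keys as well as CA certificates. If that exposure is intended it deserves a sentence here; if not, the type should get its own read interface instead of the cert_type attribute.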


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2012-07-27 10:11 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2012-07-27 10:11 UTC (permalink / raw
  To: gentoo-commits

commit:     e8f9229ea91def3d788c4a6c9f2b6434682cb735
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Jul 27 10:11:03 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri Jul 27 10:11:03 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=e8f9229e

Update on xdg definitions

---
 policy/modules/system/userdomain.if |   20 +++++++++++---------
 1 files changed, 11 insertions(+), 9 deletions(-)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index b8f49d3..bc0148d 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -243,15 +243,17 @@ interface(`userdom_manage_home_role',`
 	filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })
 	files_list_home($2)
 
-	# manage user xdg locations
-	xdg_manage_generic_cache_home_content($2)
-	xdg_manage_generic_config_home_content($2)
-	xdg_manage_generic_data_home_content($2)
-	xdg_manage_generic_runtime_home_content($2)
-	xdg_relabel_generic_cache_home_content($2)
-	xdg_relabel_generic_config_home_content($2)
-	xdg_relabel_generic_data_home_content($2)
-	xdg_relabel_generic_runtime_home_content($2)
+	# manage user xdg locations. Using _all here, but _generic is possible
+	# too if we don't want users to be able to manage application-specific
+	# content
+	xdg_manage_all_cache_home($2)
+	xdg_manage_all_config_home($2)
+	xdg_manage_all_data_home($2)
+	xdg_manage_all_runtime_home($2)
+	xdg_relabel_all_cache_home($2)
+	xdg_relabel_all_config_home($2)
+	xdg_relabel_all_data_home($2)
+	xdg_relabel_all_runtime_home($2)
 
 	# cjp: this should probably be removed:
 	allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms };
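Review bot: the new comment contains "don't"; inside an interface(`...') body m4 treats a bare apostrophe as a closing quote, so this line unbalances the quoting of userdom_manage_home_role (the follow-up commit in this thread changes it to "do not"). Separately, switching from the _generic_ to the _all_ interfaces lets the user domain manage and relabel content typed for specific applications under the XDG cache, config, data and runtime directories, which removes the separation between the user domain and confined desktop applications that the application-specific types provide; since the commit message "Update on xdg definitions" gives no rationale, a line explaining why the broader grant is wanted would help the next reviewer.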


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2012-07-27 10:43 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2012-07-27 10:43 UTC (permalink / raw
  To: gentoo-commits

commit:     fad5514111d08c2f360d87e743dc104761c006b5
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Jul 27 10:42:42 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri Jul 27 10:42:42 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=fad55141

Fix pesky m4 issue when it encounters a string with quotes in it...

---
 policy/modules/system/userdomain.if |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index bc0148d..b610335 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -244,7 +244,7 @@ interface(`userdom_manage_home_role',`
 	files_list_home($2)
 
 	# manage user xdg locations. Using _all here, but _generic is possible
-	# too if we don't want users to be able to manage application-specific
+	# too if we do not want users to be able to manage application-specific
 	# content
 	xdg_manage_all_cache_home($2)
 	xdg_manage_all_config_home($2)
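Review bot: the fix is correct: within an m4-quoted interface body a bare apostrophe closes the quote, so "do not" is the only safe spelling. It would be worth stating that reason in the commit message rather than calling it a "pesky m4 issue", so that future edits avoid contractions in comments placed inside interface bodies.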


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2012-08-09 16:45 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2012-08-09 16:45 UTC (permalink / raw
  To: gentoo-commits

commit:     cb1f7de74397c4c8973eff7802927b2c585c78bf
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Aug  9 16:43:57 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Thu Aug  9 16:43:57 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=cb1f7de7

Only create rights are needed

---
 policy/modules/system/sysnetwork.te |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 8464a4d..f8dd37f 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -65,7 +65,7 @@ filetrans_pattern(dhcpc_t, dhcp_state_t, dhcpc_state_t, file)
 
 # create pid file
 manage_files_pattern(dhcpc_t, dhcpc_var_run_t, dhcpc_var_run_t)
-manage_dirs_pattern(dhcpc_t, dhcpc_var_run_t, dhcpc_var_run_t)
+create_dirs_pattern(dhcpc_t, dhcpc_var_run_t, dhcpc_var_run_t)
 # Create /var/run/dhcpc directory (state directory), needed for /run/dhcpc
 # Gets done through the dhcpcd-hooks
 files_pid_filetrans(dhcpc_t, dhcpc_var_run_t, { file dir })
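Review bot: create_dirs_pattern grants dhcpc_t only create_dir_perms on dhcpc_var_run_t directories, with no rmdir and no setattr, so the tightening is sound only if the dhcpcd hooks never remove or chown /run/dhcpc themselves; if a hook cleans the directory up at shutdown that will now be denied. The comment "# create pid file" above the pair of rules covers only the file rule; giving the directory rule its own comment (the one two lines below about the dhcpcd-hooks seems to be the intended one) would make the two grants easier to read.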


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2012-08-15 13:03 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2012-08-15 13:03 UTC (permalink / raw
  To: gentoo-commits

commit:     706b28f208185b5c87e5a39ef082f953a4fbb7e3
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Aug 14 16:18:19 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Tue Aug 14 17:31:11 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=706b28f2

Introduce init_daemon_run_dir transformation

Due to the introduction of /run, many init scripts need to create the daemon run
dirs (such as /run/udev for the udev init script). To simplify this, we
introduce the "daemonrundir" attribute to which initrc_t has the necessary
create_dirs_perms granted.

Then, when needed, the modules can call this interface while adding the name of
the directory. This will trigger a named file transition when initrc_t wants to
create this directory:
  init_daemon_run_dir(udev_var_run_t, "udev")
will trigger
  files_pid_filetrans(initrc_t, udev_var_run_t, dir, "udev")

---
 policy/modules/system/init.if |   26 ++++++++++++++++++++++++++
 policy/modules/system/init.te |    5 +++++
 2 files changed, 31 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 684ff3a..ddd54cc 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -417,6 +417,32 @@ interface(`init_ranged_system_domain',`
 
 ########################################
 ## <summary>
+##	Mark the type as a daemon run dir
+## </summary>
+## <param name="rundirtype">
+##	<summary>
+##	Type to mark as a daemon run dir
+##	</summary>
+## </param>
+## <param name="filename">
+##	<summary>
+##	Name of the run dir directory
+##	</summary>
+## </param>
+#
+interface(`init_daemon_run_dir',`
+	gen_require(`
+		attribute daemonrundir;
+		type initrc_t;
+	')
+
+	typeattribute $1 daemonrundir;
+
+	files_pid_filetrans(initrc_t, $1, dir, $2)
+')
+
+########################################
+## <summary>
 ##	Execute init (/sbin/init) with a domain transition.
 ## </summary>
 ## <param name="domain">
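Review bot: files_pid_filetrans(initrc_t, $1, dir, $2) registers a named type transition from var_run_t, and named transitions must be unique per source, target, class and name: if two modules call init_daemon_run_dir with the same directory name for different types the policy will fail to compile with a conflicting name transition. The summary should say that the name has to be unique across the policy. It should also mention that the type gains create rights from initrc_t through the daemonrundir attribute, since that is the side effect a module author is actually opting into. Keeping filename mandatory (no optional="true") is right, because without a name the transition would apply to every directory initrc_t creates under /run.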

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index fcb537b..db0f013 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -29,6 +29,9 @@ attribute init_run_all_scripts_domain;
 # Mark process types as daemons
 attribute daemon;
 
+# Mark file as daemon run dir
+attribute daemonrundir;
+
 #
 # init_t is the domain of the init process.
 #
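Review bot: the comment "# Mark file as daemon run dir" describes a directory attribute; "# Mark directory types as daemon run dirs" would parallel the "# Mark process types as daemons" comment directly above it.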
@@ -243,6 +246,8 @@ init_telinit(initrc_t)
 
 can_exec(initrc_t, init_script_file_type)
 
+create_dirs_pattern(initrc_t, daemonrundir, daemonrundir)
+
 domtrans_pattern(init_run_all_scripts_domain, initrc_exec_t, initrc_t)
 
 manage_dirs_pattern(initrc_t, initrc_state_t, initrc_state_t)
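Review bot: create_dirs_pattern(initrc_t, daemonrundir, daemonrundir) gives initrc_t create_dir_perms only, so an init script that chowns or chmods the run dir it just created (the /run/udev case that motivates this change is a typical one) will still be denied setattr. A setattr_dirs_pattern(initrc_t, daemonrundir, daemonrundir) line beside this one would cover that; the later "Allow init scripts to set attribute of rundir" commit in this thread adds exactly that, so it could have been part of this change.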


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2012-08-15 13:04 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2012-08-15 13:04 UTC (permalink / raw
  To: gentoo-commits

commit:     5a060df9566f68be256cf6a0cd20edf4eeeefc92
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Aug 15 08:38:48 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Aug 15 09:08:33 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=5a060df9

Label the kmod binary as insmod_exec_t

The kmod binary is a replacement for the insmod/modprobe utilities. See also
bug #428322

---
 policy/modules/system/modutils.fc |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/modutils.fc b/policy/modules/system/modutils.fc
index 2410551..54d97c6 100644
--- a/policy/modules/system/modutils.fc
+++ b/policy/modules/system/modutils.fc
@@ -20,3 +20,5 @@ ifdef(`distro_gentoo',`
 /sbin/modules-update	--	gen_context(system_u:object_r:update_modules_exec_t,s0)
 /sbin/rmmod.*		--	gen_context(system_u:object_r:insmod_exec_t,s0)
 /sbin/update-modules	--	gen_context(system_u:object_r:update_modules_exec_t,s0)
+
+/usr/bin/kmod		--	gen_context(system_u:object_r:insmod_exec_t,s0)
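Review bot: kmod is a multi-call binary (modprobe, insmod, rmmod, lsmod, depmod and modinfo are symlinks to it), so labeling /usr/bin/kmod as insmod_exec_t means that even lsmod and modinfo invoked through kmod run in insmod_t, and depmod run through kmod no longer transitions into refpolicy's separate depmod_t domain. That may be acceptable, but it should be a deliberate choice recorded in the commit message. Also check that this entry does not land inside the ifdef(`distro_gentoo' block shown in the hunk header, since kmod is not Gentoo-specific, and consider whether a /bin/kmod entry is needed on systems without a merged /usr.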


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2012-08-15 13:04 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2012-08-15 13:04 UTC (permalink / raw
  To: gentoo-commits

commit:     23bce36578a8464620e6a8b98f142fd4c8bca90c
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Aug 15 08:36:25 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Aug 15 08:36:25 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=23bce365

Allow udev to load in kernel modules

As per bug #427660, udev might need to load in kernel modules itself. This
requires not only the sys_module capability (offered through kernel_load_module)
but also read rights on the module-related files (files_read_kernel_modules and
modutils_read_module_config).

---
 policy/modules/system/udev.te |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index d6a107a..60e7aa9 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -80,6 +80,7 @@ files_pid_filetrans(udev_t, udev_var_run_t, { dir file })
 
 kernel_dgram_send(udev_t)
 kernel_getattr_core_if(udev_t)
+kernel_load_module(udev_t)
 kernel_read_device_sysctls(udev_t)
 kernel_read_hotplug_sysctls(udev_t)
 kernel_read_kernel_sysctls(udev_t)
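Review bot: kernel_load_module(udev_t) grants the sys_module capability, so udev can load any module directly rather than asking the kernel's usermode helper to run modprobe in insmod_t, which is what the kernel_request_load_module(udev_t) call already present in this file (visible in the reordering commit in this thread) provides. Together with files_read_kernel_modules this makes udev_t a module-loading domain in its own right, a wider grant than the request path. If libkmod embedded in udev is what needs it (bug #427660), a comment next to the rule saying so would record why the narrower path is not sufficient.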
@@ -116,6 +117,7 @@ files_exec_etc_files(udev_t)
 files_getattr_generic_locks(udev_t)
 files_read_etc_files(udev_t)
 files_read_etc_runtime_files(udev_t)
+files_read_kernel_modules(udev_t)
 files_read_usr_files(udev_t)
 files_dontaudit_search_isid_type_dirs(udev_t)
 files_search_mnt(udev_t)
@@ -155,6 +157,7 @@ miscfiles_read_localization(udev_t)
 miscfiles_read_hwdata(udev_t)
 
 modutils_domtrans_insmod(udev_t)
+modutils_read_module_config(udev_t)
 # read modules.inputmap:
 modutils_read_module_deps(udev_t)
 


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2012-08-15 13:04 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2012-08-15 13:04 UTC (permalink / raw
  To: gentoo-commits

commit:     087ef43aea2662dbd935164b3ec94087b45098f5
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Aug 15 08:33:26 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Aug 15 08:35:12 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=087ef43a

Rearrange statements (Coding Style)

This is a coding style only update, rearranging the kernel_ and files_ calls within udev.

---
 policy/modules/system/udev.te |   29 ++++++++++++++---------------
 1 files changed, 14 insertions(+), 15 deletions(-)

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index a8fe208..d6a107a 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -78,24 +78,23 @@ manage_lnk_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
 manage_sock_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
 files_pid_filetrans(udev_t, udev_var_run_t, { dir file })
 
-kernel_read_system_state(udev_t)
-kernel_request_load_module(udev_t)
+kernel_dgram_send(udev_t)
 kernel_getattr_core_if(udev_t)
-kernel_use_fds(udev_t)
 kernel_read_device_sysctls(udev_t)
 kernel_read_hotplug_sysctls(udev_t)
-kernel_read_modprobe_sysctls(udev_t)
 kernel_read_kernel_sysctls(udev_t)
+kernel_read_modprobe_sysctls(udev_t)
+kernel_read_network_state(udev_t)
+kernel_read_software_raid_state(udev_t)
+kernel_read_system_state(udev_t)
+kernel_request_load_module(udev_t)
 kernel_rw_hotplug_sysctls(udev_t)
-kernel_rw_unix_dgram_sockets(udev_t)
-kernel_dgram_send(udev_t)
-kernel_signal(udev_t)
-kernel_search_debugfs(udev_t)
-
 #https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182
 kernel_rw_net_sysctls(udev_t)
-kernel_read_network_state(udev_t)
-kernel_read_software_raid_state(udev_t)
+kernel_rw_unix_dgram_sockets(udev_t)
+kernel_search_debugfs(udev_t)
+kernel_signal(udev_t)
+kernel_use_fds(udev_t)
 
 corecmd_exec_all_executables(udev_t)
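Review bot: the reorder is lossless: the ten kernel_ calls removed reappear in sorted order and no call is added or dropped. The blank line before the bugzilla comment is removed, which puts the comment between kernel_rw_hotplug_sysctls and kernel_rw_net_sysctls; since it documents only kernel_rw_net_sysctls that placement is still accurate.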
 
@@ -113,12 +112,12 @@ dev_manage_generic_symlinks(udev_t)
 domain_read_all_domains_state(udev_t)
 domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these
 
-files_read_usr_files(udev_t)
-files_read_etc_runtime_files(udev_t)
-files_read_etc_files(udev_t)
 files_exec_etc_files(udev_t)
-files_dontaudit_search_isid_type_dirs(udev_t)
 files_getattr_generic_locks(udev_t)
+files_read_etc_files(udev_t)
+files_read_etc_runtime_files(udev_t)
+files_read_usr_files(udev_t)
+files_dontaudit_search_isid_type_dirs(udev_t)
 files_search_mnt(udev_t)
 
 fs_getattr_all_fs(udev_t)


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2012-08-21 17:52 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2012-08-21 17:52 UTC (permalink / raw
  To: gentoo-commits

commit:     11ba636486b2173ebac439c95c6179e68fbdff92
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Aug 16 17:32:36 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Thu Aug 16 17:32:36 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=11ba6364

Allow init scripts to set attribute of rundir

A previous commit allows init scripts (initrc_t) to create run directories for
various daemons, with the proper type transition in place. However, many init
scripts also require changing the ownership of the directory.

Although initrc_t has the chown capability, it also needs setattr privileges on
the resource (in our case, all types that have the daemonrundir attribute set)
in order to change the ownership (or permissions).

---
 policy/modules/system/init.te |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index e0ea2db..3bd98e0 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -247,6 +247,7 @@ init_telinit(initrc_t)
 can_exec(initrc_t, init_script_file_type)
 
 create_dirs_pattern(initrc_t, daemonrundir, daemonrundir)
+setattr_dirs_pattern(initrc_t, daemonrundir, daemonrundir)
 
 domtrans_pattern(init_run_all_scripts_domain, initrc_exec_t, initrc_t)
 


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2012-08-29 18:48 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2012-08-29 18:48 UTC (permalink / raw
  To: gentoo-commits

commit:     dc87bde1d33331b2cfc8755471af7b316f45edb7
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Aug 29 16:27:59 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Aug 29 16:27:59 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=dc87bde1

Allow cryptsetup to request loading a kernel module

At boot time, when cryptsetup is used for encrypted file systems, cryptsetup
asks the system to load the cryptography-related module(s) as shown by the next
denial:

Aug 21 08:45:49 dell-studio kernel: [   28.881908] type=1400 audit(1345531540.026:21):
avc:  denied  { module_request } for  pid=1524 comm="cryptsetup" kmod="cbc(aes)"
scontext=system_u:system_r:lvm_t tcontext=system_u:system_r:kernel_t tclass=system

---
 policy/modules/system/lvm.te |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index 61c219d..05392e1 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -216,6 +216,7 @@ kernel_get_sysvipc_info(lvm_t)
 kernel_read_system_state(lvm_t)
 # Read system variables in /proc/sys
 kernel_read_kernel_sysctls(lvm_t)
+kernel_request_load_module(lvm_t)
 # it has no reason to need this
 kernel_dontaudit_getattr_core_if(lvm_t)
 kernel_use_fds(lvm_t)
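Review bot: kernel_request_load_module is the right grant for this denial: the permission is system:module_request, which only lets the kernel's usermode helper run modprobe (in insmod_t) to resolve the "cbc(aes)" alias, whereas kernel_load_module would have given lvm_t the sys_module capability. A one-line comment above the rule citing the cryptsetup case would help, since the surrounding lines each carry their own rationale.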


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2012-08-29 18:48 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2012-08-29 18:48 UTC (permalink / raw
  To: gentoo-commits

commit:     46fe38968ddff1b34e3c52fccff4615d046200a9
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Aug 29 18:19:29 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Aug 29 18:19:29 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=46fe3896

Have syslog-ng.persist label survive relabeling

Syslog-ng already holds a filetrans when it writes files in the var_lib_t
resources, causing the files to be labeled syslogd_var_lib_t.

One of these files is the /var/lib/misc/syslog-ng.persist file. However, because
no file context was defined for this file, a system-wide relabeling caused it to
be turned back into var_lib_t.

This fixes the context back to syslogd_var_lib_t.

---
 policy/modules/system/logging.fc |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
index f73a25b..6add40e 100644
--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
@@ -24,7 +24,7 @@
 /usr/sbin/syslog-ng	--	gen_context(system_u:object_r:syslogd_exec_t,s0)
 /usr/sbin/syslogd	--	gen_context(system_u:object_r:syslogd_exec_t,s0)
 
-/var/lib/misc/syslog-ng\.persist-	--	gen_context(system_u:object_r:syslogd_var_lib_t,s0)
+/var/lib/misc/syslog-ng\.persist-?	--	gen_context(system_u:object_r:syslogd_var_lib_t,s0)
 /var/lib/syslog-ng(/.*)? 	gen_context(system_u:object_r:syslogd_var_lib_t,s0)
 /var/lib/r?syslog(/.*)?		gen_context(system_u:object_r:syslogd_var_lib_t,s0)
 /var/lib/syslog-ng.persist --	gen_context(system_u:object_r:syslogd_var_lib_t,s0)
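Review bot: with "-?" the first entry now matches both /var/lib/misc/syslog-ng.persist and /var/lib/misc/syslog-ng.persist-; the commit message names only the former, so if current syslog-ng no longer writes the trailing-dash variant the "-?" can be dropped rather than kept alongside. Separately, the untouched last line "/var/lib/syslog-ng.persist --" leaves the dot unescaped, unlike the line being fixed; these entries are regular expressions, so "/var/lib/syslog-ng\.persist --" would make it consistent.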


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2012-08-29 19:31 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2012-08-29 19:31 UTC (permalink / raw
  To: gentoo-commits

commit:     f3c4bf8b57e43f788a38ec3065e4e6c4281018fa
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Aug 29 19:08:46 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Aug 29 19:08:46 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f3c4bf8b

Syslog-ng also creates the /var/lib/syslog location

If /var/lib/syslog does not exist yet, then syslog-ng (running in syslogd_t)
will attempt to create it. Hence expand the file transition to directories too.

---
 policy/modules/system/logging.te |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 2045470..9cebc41 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -440,7 +440,7 @@ files_read_etc_runtime_files(syslogd_t)
 files_dontaudit_search_isid_type_dirs(syslogd_t)
 files_read_kernel_symbol_table(syslogd_t)
 files_rw_var_lib_dirs(syslogd_t)
-files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, file)
+files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
 
 fs_getattr_all_fs(syslogd_t)
 fs_search_auto_mountpoints(syslogd_t)
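Review bot: this is an unnamed transition, so every directory syslogd_t creates directly under /var/lib now becomes syslogd_var_lib_t, not just /var/lib/syslog. Named transitions are available in this tree (init.if in this thread passes a name to files_pid_filetrans), so files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, dir, "syslog") would confine the directory case to the one name the commit message describes while leaving the file case as it was.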


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2012-10-04 18:21 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2012-10-04 18:21 UTC (permalink / raw
  To: gentoo-commits

commit:     738de6d4092618dff4fbdfbbda39410f4e9123be
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Oct  4 18:06:47 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Thu Oct  4 18:06:47 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=738de6d4

Allow block_suspend for system logger

The syslog-ng daemon seems to require this very often (repetitively), most
likely as a result of "safe" writing of events to the system logs.

---
 policy/modules/system/logging.te |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 594bc04..eba1bcc 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -355,6 +355,7 @@ optional_policy(`
 # sys_admin for the integrated klog of syslog-ng and metalog
 # cjp: why net_admin!
 allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin chown fsetid };
+allow syslogd_t self:capability2 block_suspend;
 dontaudit syslogd_t self:capability sys_tty_config;
 # setpgid for metalog
 # setrlimit for syslog-ng
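Review bot: the commit message is unsure why block_suspend is needed. The usual source of this check is epoll_ctl with EPOLLWAKEUP, and in that path the kernel simply clears the flag when CAP_BLOCK_SUSPEND is absent, so the daemon keeps working and the denial is only audit noise. If that is the case here, a dontaudit syslogd_t self:capability2 block_suspend; line silences it without widening syslogd_t; the allow should be kept only if the denial is shown to break logging.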


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2012-10-10 19:52 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2012-10-10 19:52 UTC (permalink / raw
  To: gentoo-commits

commit:     9bc82b653d7a8390207f8163532fe40aeee605ec
Author:     Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Fri Oct  5 17:14:30 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Oct 10 19:49:17 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=9bc82b65

Changes to the sysnetwork policy module

dhcpc is a dbus_system_domain()

Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>

---
 policy/modules/system/sysnetwork.te |    5 ++---
 1 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index f8dd37f..f365bd0 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -161,10 +161,9 @@ optional_policy(`
 ')
 
 optional_policy(`
-	init_dbus_chat_script(dhcpc_t)
+	dbus_system_domain(dhcpc_t, dhcpc_exec_t)
 
-	dbus_system_bus_client(dhcpc_t)
-	dbus_connect_system_bus(dhcpc_t)
+	init_dbus_chat_script(dhcpc_t)
 
 	optional_policy(`
 		networkmanager_dbus_chat(dhcpc_t)
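Review bot: dbus_system_domain(dhcpc_t, dhcpc_exec_t) does more than the two client calls it replaces: besides connecting to and talking on the system bus it adds a domain transition from the system bus daemon through dhcpc_exec_t into dhcpc_t (bus activation) and lets the bus daemon inspect the process. The commit message says only "dhcpc is a dbus_system_domain()"; please confirm that dhcpcd is actually started by bus activation, because otherwise the extra transition only gives the system bus daemon a way to launch dhcpc that it did not have before.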


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2012-10-10 19:52 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2012-10-10 19:52 UTC (permalink / raw
  To: gentoo-commits

commit:     e0b465deb67da88ae50ba4a9c2b49d8deff16bc0
Author:     Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Thu Sep 27 13:56:32 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Oct 10 19:49:02 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=e0b465de

Restricted Xwindows user domains run window managers in the window manager domain

Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>

---
 policy/modules/system/userdomain.if |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index cf58129..216862b 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -927,6 +927,10 @@ template(`userdom_restricted_xwindows_user_template',`
 		optional_policy(`
 			cups_dbus_chat($1_t)
 		')
+
+		optional_policy(`
+			wm_role_template($1, $1_r, $1_t)
+		')
 	')
 
 	optional_policy(`
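Review bot: the new optional_policy block is nested inside an outer one (the surrounding cups_dbus_chat($1_t) call suggests the dbus block of the template), so the window manager role is only wired up when that outer module is present. The window manager policy does not depend on dbus, so this block belongs at the template's top level next to the other per-application optional_policy blocks; as written, a build without the outer module silently loses the wm role.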


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2012-10-10 19:52 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2012-10-10 19:52 UTC (permalink / raw
  To: gentoo-commits

commit:     9901590e892d90040704d52f44d48216b8dea0b5
Author:     Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Mon Oct  8 17:44:30 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Oct 10 19:49:24 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=9901590e

Changes to the userdomain policy module

Remove evolution and evolution alarm dbus chat from common user template
since callers of the evolution role are now allowed to dbus chat to
evolution and evolution alarm.

Common users need to be able to dbus chat with policykit and consolekit.

Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>

---
 policy/modules/system/userdomain.if |    7 +++++--
 1 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 216862b..21eb5a6 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -618,8 +618,7 @@ template(`userdom_common_user_template',`
 		')
 
 		optional_policy(`
-			evolution_dbus_chat($1_t)
-			evolution_alarm_dbus_chat($1_t)
+			consolekit_dbus_chat($1_t)
 		')
 
 		optional_policy(`
@@ -633,6 +632,10 @@ template(`userdom_common_user_template',`
 		optional_policy(`
 			networkmanager_dbus_chat($1_t)
 		')
+
+		optional_policy(`
+			policykit_dbus_chat($1_t)
+		')
 	')
 
 	optional_policy(`


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2012-10-19 15:06 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2012-10-19 15:06 UTC (permalink / raw
  To: gentoo-commits

commit:     6d82100a89b222319a5a042adba4602b8f6c19b3
Author:     Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Mon Oct 15 10:26:48 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri Oct 19 15:03:40 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=6d82100a

Changes to the modutils policy module

modutils_read_module_config() provides access to list modules_conf_t
directories so that we do not need a separate
modutils_list_modules_config()

Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>

---
 policy/modules/system/modutils.if |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if
index ad5f878..c1b049c 100644
--- a/policy/modules/system/modutils.if
+++ b/policy/modules/system/modutils.if
@@ -83,8 +83,9 @@ interface(`modutils_read_module_config',`
 	files_search_etc($1)
 	files_search_boot($1)
 
-	read_files_pattern($1, modules_conf_t, modules_conf_t)
-	read_lnk_files_pattern($1, modules_conf_t, modules_conf_t)
+	allow $1 modules_conf_t:dir list_dir_perms;
+	allow $1 modules_conf_t:file read_file_perms;
+	allow $1 modules_conf_t:lnk_file read_lnk_file_perms;
 ')
 
 ########################################
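Review bot: the three explicit allow rules are equivalent to the two pattern macros they replace plus list permission on the directory, which is what the commit message asks for, but refpolicy style is to stay with the patterns: list_dirs_pattern($1, modules_conf_t, modules_conf_t) followed by the existing read_files_pattern and read_lnk_files_pattern lines expresses the same grant and keeps the interface consistent with the rest of the file.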


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2012-10-19 15:06 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2012-10-19 15:06 UTC (permalink / raw
  To: gentoo-commits

commit:     abdf46691e906abc5c0920fc979c2a3bb83e1c9a
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Fri Oct 19 12:17:35 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri Oct 19 15:03:41 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=abdf4669

Module version bump for modutils patch from Dominick Grift.

---
 policy/modules/system/modutils.te |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index b26c808..79e5668 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -1,4 +1,4 @@
-policy_module(modutils, 1.13.1)
+policy_module(modutils, 1.13.2)
 
 ########################################
 #


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2012-10-19 15:06 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2012-10-19 15:06 UTC (permalink / raw
  To: gentoo-commits

commit:     bf146a0c05ea61984290a0c3188cd46973d242a7
Author:     Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Wed Oct 17 12:33:39 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri Oct 19 15:03:57 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=bf146a0c

Changes to various policy modules

pcscd_read_pub_files is deprecated, use pcscd_read_pid_files instead

Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>

---
 policy/modules/system/authlogin.if  |    2 +-
 policy/modules/system/udev.te       |    2 +-
 policy/modules/system/userdomain.if |    2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index 405a9d1..395ef59 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -395,7 +395,7 @@ interface(`auth_domtrans_chk_passwd',`
 	')
 
 	optional_policy(`
-		pcscd_read_pub_files($1)
+		pcscd_read_pid_files($1)
 		pcscd_stream_connect($1)
 	')
 
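Review bot: the subject "Changes to various policy modules" undersells what is in fact one interface rename (pcscd_read_pub_files to pcscd_read_pid_files) applied consistently across authlogin.if, udev.te and userdomain.if; a subject naming the rename would make the history searchable. Note also that optional_policy only guards on the pcscd module being present, so the new interface name must already be defined in the pcscd module this tree builds against, otherwise the build fails on an undefined macro rather than silently skipping the block.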

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 60e7aa9..7c58b46 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -273,7 +273,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-	pcscd_read_pub_files(udev_t)
+	pcscd_read_pid_files(udev_t)
 	pcscd_domtrans(udev_t)
 ')
 

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 21eb5a6..e1addea 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -679,7 +679,7 @@ template(`userdom_common_user_template',`
 	')
 
 	optional_policy(`
-		pcscd_read_pub_files($1_t)
+		pcscd_read_pid_files($1_t)
 		pcscd_stream_connect($1_t)
 	')
 


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2012-10-24 17:51 Sven Vermeulen
From: Sven Vermeulen @ 2012-10-24 17:51 UTC
  To: gentoo-commits

commit:     2d03f35c0c286ff8beb1ca0e3fd53726ea3e9a74
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Oct 24 17:47:49 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Oct 24 17:47:49 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=2d03f35c

Changes to the user domain policy module

gnome_role is deprecated, use gnome_role_template instead
depends on dbus because of gkeyringd

Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>

---
 policy/modules/system/userdomain.if |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index e1addea..ea3a373 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -932,6 +932,10 @@ template(`userdom_restricted_xwindows_user_template',`
 		')
 
 		optional_policy(`
+			gnome_role_template($1, $1_r, $1_t)
+		')
+
+		optional_policy(`
 			wm_role_template($1, $1_r, $1_t)
 		')
 	')
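Review bot: the message says this "depends on dbus because of gkeyringd", but the hunk adds only the gnome_role_template($1, $1_r, $1_t) call and nothing in the diff expresses a dbus dependency; either the dependency is carried inside gnome_role_template (then say so in the message) or a dbus call is missing from this optional_policy block.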


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2012-10-28 13:48 Sven Vermeulen
From: Sven Vermeulen @ 2012-10-28 13:48 UTC
  To: gentoo-commits

commit:     c7f78a00a39415e2cf32e27bc33907b8a23e2ded
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Oct 28 13:20:35 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sun Oct 28 13:20:35 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=c7f78a00

Keep openssl.cnf as etc_t

A previous commit marked the /etc/ssl location (and
all files therein) with cert_t instead of etc_t. As this location contains
/etc/ssl/openssl.cnf, applications linked with openssl's libcrypto fail to
function properly.

The ssh client is one of those applications, which - if not granted - fails
with:

$ ssh giskard.alunduil.com
Auto configuration failed
118260437468864:error:0200100D:system library:fopen:Permission
denied:bss_file.c:169:fopen('/etc/ssl/openssl.cnf','rb')
118260437468864:error:2006D002:BIO routines:BIO_new_file:system
lib:bss_file.c:174:
118260437468864:error:0E078002:configuration file routines:DEF_LOAD:system
lib:conf_def.c:199:

Mark all files inside /etc/ssl/certs, /etc/ssl/private, /etc/pki/certs and
/etc/pki/private as cert_t as those locations usually contain certificates and
key-related files (like revocation lists & keys). This leaves the /etc/ssl
location, and the openssl.cnf file inside of it, as etc_t.

---
 policy/modules/system/miscfiles.fc |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
index aa62e6a..a0b8232 100644
--- a/policy/modules/system/miscfiles.fc
+++ b/policy/modules/system/miscfiles.fc
@@ -11,8 +11,10 @@ ifdef(`distro_gentoo',`
 /etc/avahi/etc/localtime --	gen_context(system_u:object_r:locale_t,s0)
 /etc/httpd/alias/[^/]*\.db(\.[^/]*)* -- gen_context(system_u:object_r:cert_t,s0)
 /etc/localtime		--	gen_context(system_u:object_r:locale_t,s0)
-/etc/pki(/.*)?			gen_context(system_u:object_r:cert_t,s0)
-/etc/ssl(/.*)?			gen_context(system_u:object_r:cert_t,s0)
+/etc/pki/certs/(.*)?	--	gen_context(system_u:object_r:cert_t,s0)
+/etc/pki/private/(.*)?	--	gen_context(system_u:object_r:cert_t,s0)
+/etc/ssl/certs/(.*)?	--	gen_context(system_u:object_r:cert_t,s0)
+/etc/ssl/private/(.*)?	--	gen_context(system_u:object_r:cert_t,s0)
 /etc/timezone		--	gen_context(system_u:object_r:locale_t,s0)
 
 ifdef(`distro_redhat',`
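Review bot: all four replacement entries carry the `--` file-type specifier, so only regular files under /etc/ssl/certs, /etc/ssl/private, /etc/pki/certs and /etc/pki/private become cert_t; the directories themselves and any symlinks inside them fall back to the default etc_t, which the removed `/etc/pki(/.*)?` and `/etc/ssl(/.*)?` entries did not do. If that narrowing to regular files is intended, state it in the message; if the goal was only to keep /etc/ssl/openssl.cnf as etc_t, drop the `--` and keep just the path narrowing.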


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2012-10-29 16:06 Sven Vermeulen
From: Sven Vermeulen @ 2012-10-29 16:06 UTC
  To: gentoo-commits

commit:     6fd8388f7404aec7baf1130f7f0220becf82c048
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Mon Oct 29 15:58:05 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Oct 29 15:58:05 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=6fd8388f

System logger can write to logfiles

The system logger, like syslog-ng, should be able to write to log files it has
to manage. As this does not include only the var_log_t labeled ones, we allow
write (and setattr) rights on the logfile files, and add_entry rights onto the
directories that are labeled as logfile too.

See bug #440128

---
 policy/modules/system/logging.te |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index eba1bcc..5588af2 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -470,6 +470,9 @@ userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
 userdom_dontaudit_search_user_home_dirs(syslogd_t)
 
 ifdef(`distro_gentoo',`
+	allow syslogd_t syslog:dir add_entry_dir_perms;
+	allow syslogd_t syslog:file { write_file_perms setattr_file_perms };
+
 	# default gentoo syslog-ng config appends kernel
 	# and high priority messages to /dev/tty12
 	term_append_unallocated_ttys(syslogd_t)
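Review bot: the two new rules name `syslog` as the object type, but the message says the files and directories in question are "labeled as logfile"; `syslog` is not the attribute the message describes, so the rules should target the logfile attribute (the next commit in this thread makes exactly that correction). A one-line comment above the rules, like the existing one for /dev/tty12, would also record why the Gentoo block needs them.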


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2012-10-29 17:45 Sven Vermeulen
From: Sven Vermeulen @ 2012-10-29 17:45 UTC
  To: gentoo-commits

commit:     f1f19d8a618566163756824d74efa70669da7f82
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Mon Oct 29 17:42:30 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Oct 29 17:42:30 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f1f19d8a

Attribute is logfile, not syslog

---
 policy/modules/system/logging.te |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 5588af2..a541963 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -470,8 +470,8 @@ userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
 userdom_dontaudit_search_user_home_dirs(syslogd_t)
 
 ifdef(`distro_gentoo',`
-	allow syslogd_t syslog:dir add_entry_dir_perms;
-	allow syslogd_t syslog:file { write_file_perms setattr_file_perms };
+	allow syslogd_t logfile:dir add_entry_dir_perms;
+	allow syslogd_t logfile:file { write_file_perms setattr_file_perms };
 
 	# default gentoo syslog-ng config appends kernel
 	# and high priority messages to /dev/tty12
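Review bot: granting write_file_perms and setattr_file_perms on every type carrying the logfile attribute lets syslogd_t modify the logs of every other logging domain, not only the files syslog-ng manages. Since the message says the Gentoo configuration writes to types other than var_log_t, naming those types and granting them individually would be tighter; failing that, a comment explaining why the attribute-wide grant is acceptable belongs above these two lines.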


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2012-10-29 17:59 Sven Vermeulen
From: Sven Vermeulen @ 2012-10-29 17:59 UTC
  To: gentoo-commits

commit:     fc6fbdbbd7d501408968267d7d41b6369bb7525f
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Mon Oct 29 17:57:21 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Oct 29 17:57:21 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=fc6fbdbb

Remove add_entry_dir_perms as it does not seem to be needed

---
 policy/modules/system/logging.te |    1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index a541963..0e817b7 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -470,7 +470,6 @@ userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
 userdom_dontaudit_search_user_home_dirs(syslogd_t)
 
 ifdef(`distro_gentoo',`
-	allow syslogd_t logfile:dir add_entry_dir_perms;
 	allow syslogd_t logfile:file { write_file_perms setattr_file_perms };
 
 	# default gentoo syslog-ng config appends kernel
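Review bot: "does not seem to be needed" reads as if the removal was tested only against log files that already existed; the earlier commit in this thread justified add_entry_dir_perms precisely for syslog-ng creating new files in logfile-labelled directories. State how the removal was verified (a fresh log file created in a non-var_log_t directory with no denial) so the regression risk is visible in the history.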


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2012-10-30 20:24 Sven Vermeulen
From: Sven Vermeulen @ 2012-10-30 20:24 UTC
  To: gentoo-commits

commit:     883fb73e9f82cf045df61c2ee31c61fd56b1c527
Author:     Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Mon Oct 22 12:48:22 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Tue Oct 30 20:20:59 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=883fb73e

Changes to the user domain policy module

gnome_role is deprecated, use gnome_role_template instead
depends on dbus because of gkeyringd

Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>

---
 policy/modules/system/userdomain.if |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index ea3a373..6551910 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -936,6 +936,10 @@ template(`userdom_restricted_xwindows_user_template',`
 		')
 
 		optional_policy(`
+			gnome_role_template($1, $1_r, $1_t)
+		')
+
+		optional_policy(`
 			wm_role_template($1, $1_r, $1_t)
 		')
 	')
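Review bot: duplicate of commit 2d03f35c earlier in this thread, which already inserted the identical gnome_role_template($1, $1_r, $1_t) block at this spot in userdom_restricted_xwindows_user_template (the context line numbers moving from 932 to 936 are that first insertion). Invoking a role template twice declares the same types twice, which is what commit 15440068 later has to revert; this commit should have been dropped when the series was rebased.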


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2012-10-31 18:04 Sven Vermeulen
From: Sven Vermeulen @ 2012-10-31 18:04 UTC
  To: gentoo-commits

commit:     b41c1bfb91ec139f0ca15b067ab5603aefd24404
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Wed Oct 31 14:52:36 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Oct 31 17:59:24 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=b41c1bfb

Rearrange lines.

---
 policy/modules/system/userdomain.if |    8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 208799e..1dd2bcc 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -675,13 +675,13 @@ template(`userdom_common_user_template',`
 	')
 
 	optional_policy(`
-		tunable_policy(`allow_user_mysql_connect',`
-			mysql_stream_connect($1_t)
-		')
-
 		mysql_manage_mysqld_home_files($1_t)
 		mysql_relabel_mysqld_home_files($1_t)
 		mysql_home_filetrans_mysqld_home($1_t, file, ".my.cnf")
+
+		tunable_policy(`allow_user_mysql_connect',`
+			mysql_stream_connect($1_t)
+		')
 	')
 
 	optional_policy(`


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2012-10-31 18:04 Sven Vermeulen
From: Sven Vermeulen @ 2012-10-31 18:04 UTC
  To: gentoo-commits

commit:     725c7384ee245e84f7fe137d425f1539ec56fc6c
Author:     Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Thu Oct 18 18:08:15 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Oct 31 17:59:21 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=725c7384

Changes to the user domain policy module

Content that (at least) common users need to be able to relabel and
create with a type transition

Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>

---
 policy/modules/system/userdomain.if |   23 +++++++++++++++++++++++
 1 files changed, 23 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 6551910..208799e 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -596,6 +596,7 @@ template(`userdom_common_user_template',`
 	')
 
 	optional_policy(`
+		alsa_home_filetrans_alsa_home($1_t, file, ".asoundrc")
 		alsa_manage_home_files($1_t)
 		alsa_read_rw_config($1_t)
 		alsa_relabel_home_files($1_t)
@@ -650,9 +651,20 @@ template(`userdom_common_user_template',`
 	')
 
 	optional_policy(`
+		kerberos_manage_krb5_home_files($1_t)
+		kerberos_relabel_krb5_home_files($1_t)
+		kerberos_home_filetrans_krb5_home($1_t, file, ".k5login")
+	')
+
+	optional_policy(`
 		locate_read_lib_files($1_t)
 	')
 
+	optional_policy(`
+		mpd_manage_user_data_content($1_t)
+		mpd_relabel_user_data_content($1_t)
+	')
+
 	# for running depmod as part of the kernel packaging process
 	optional_policy(`
 		modutils_read_module_config($1_t)
@@ -666,11 +678,16 @@ template(`userdom_common_user_template',`
 		tunable_policy(`allow_user_mysql_connect',`
 			mysql_stream_connect($1_t)
 		')
+
+		mysql_manage_mysqld_home_files($1_t)
+		mysql_relabel_mysqld_home_files($1_t)
+		mysql_home_filetrans_mysqld_home($1_t, file, ".my.cnf")
 	')
 
 	optional_policy(`
 		oident_manage_user_content($1_t)
 		oident_relabel_user_content($1_t)
+		oident_home_filetrans_oidentd_home($1_t, file, ".oidentd.conf")
 	')
 
 	optional_policy(`
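Review bot: in the mysql block the unconditional mysql_manage_mysqld_home_files, mysql_relabel_mysqld_home_files and mysql_home_filetrans_mysqld_home calls are appended after the tunable_policy block, whereas the convention (and the "Rearrange lines" commit b41c1bfb above) puts unconditional calls first and tunable_policy last; ordering them that way here would have made the follow-up commit unnecessary.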
@@ -691,6 +708,12 @@ template(`userdom_common_user_template',`
 	')
 
 	optional_policy(`
+		ppp_manage_home_files($1_t)
+		ppp_relabel_home_files($1_t)
+		ppp_home_filetrans_ppp_home($1_t, file, ".ppprc")
+	')
+
+	optional_policy(`
 		resmgr_stream_connect($1_t)
 	')
 


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2012-10-31 18:04 Sven Vermeulen
From: Sven Vermeulen @ 2012-10-31 18:04 UTC
  To: gentoo-commits

commit:     1ceef8dda1cc590747860372c13759dc442ec315
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Wed Oct 31 15:31:37 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Oct 31 17:59:26 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=1ceef8dd

Module version bump for user home content fixes from Dominick Grift.

---
 policy/modules/system/userdomain.te |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index e98e5c6..460d96f 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -1,4 +1,4 @@
-policy_module(userdomain, 4.8.2)
+policy_module(userdomain, 4.8.3)
 
 ########################################
 #


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2012-10-31 18:04 Sven Vermeulen
From: Sven Vermeulen @ 2012-10-31 18:04 UTC
  To: gentoo-commits

commit:     5c28ff21913b1426668441753283288db40e83db
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Oct 30 21:51:55 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Oct 31 17:59:31 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=5c28ff21

Gentoo openrc migrates /var/run and /var/lock data to /run(/lock)

Gentoo's OpenRC init framework handles the migration of data from /var/run to
/run, and /var/lock to /run/lock. To deal with this, openrc uses "cp -a -r
/var/run /run" and "cp -a -r /var/lock/* /run/lock".

When done, it will create symlinks in /var towards the new locations.

As a result, initrc_t needs to be able to manage symlinks in /var, as well as
manage all pidfile content (needed for the migration of /var/run/* towards
/run).

Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>

---
 policy/modules/system/init.te |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 83c1a31..cb5b9dc 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -86,7 +86,6 @@ files_pid_file(initrc_var_run_t)
 ifdef(`distro_gentoo',`
 	type rc_exec_t;
 	domain_entry_file(initrc_t, rc_exec_t)
-
 ')
 
 ifdef(`enable_mls',`
@@ -469,8 +468,10 @@ ifdef(`distro_gentoo',`
 	dev_delete_generic_dirs(initrc_t)
 	dev_setattr_generic_dirs(initrc_t)
 
+	files_manage_all_pids(initrc_t)
 	# allow bootmisc to create /var/lock/.keep.
 	files_manage_generic_locks(initrc_t)
+	files_manage_var_symlinks(initrc_t)
 	files_pid_filetrans(initrc_t, initrc_state_t, dir, "openrc")
 
 	# openrc uses tmpfs for its state data
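Review bot: files_manage_all_pids(initrc_t) is inserted between the "# allow bootmisc to create /var/lock/.keep." comment and the call that comment describes, so it reads as part of that justification; give it and files_manage_var_symlinks(initrc_t) their own comment about the /var/run to /run migration, placed above the lock-file comment. Also, the message says the migration uses "cp -a", which preserves security contexts, so check whether initrc_t additionally needs relabel permissions on the copied pid files: files_manage_all_pids does not include those.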


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2012-10-31 18:04 Sven Vermeulen
From: Sven Vermeulen @ 2012-10-31 18:04 UTC
  To: gentoo-commits

commit:     cb31a289deeaf5a45222d1fab3e33eb4fb7ae008
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Oct 30 21:51:53 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Oct 31 17:59:27 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=cb31a289

Allow init to set attributes on device_t

In Gentoo, the openrc init framework creates the /dev/shm location (within
devtmpfs) using a "mkdir -m 1777 /dev/shm" command. This results in initrc_t
wanting to set the attributes of the /dev/shm directory (at that point still
labeled device_t as tmpfs isn't mounted on it yet).

Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>

---
 policy/modules/system/init.te |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 3bd98e0..83c1a31 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -86,6 +86,7 @@ files_pid_file(initrc_var_run_t)
 ifdef(`distro_gentoo',`
 	type rc_exec_t;
 	domain_entry_file(initrc_t, rc_exec_t)
+
 ')
 
 ifdef(`enable_mls',`
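Review bot: this first hunk is whitespace-only (a blank line before the closing `')` of the distro_gentoo block), unrelated to the setattr change described in the message, and commit 5c28ff21 above removes it again; drop the hunk so the change is limited to the dev_setattr_generic_dirs line.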
@@ -466,6 +467,7 @@ ifdef(`distro_gentoo',`
 	# early init
 	dev_create_generic_dirs(initrc_t)
 	dev_delete_generic_dirs(initrc_t)
+	dev_setattr_generic_dirs(initrc_t)
 
 	# allow bootmisc to create /var/lock/.keep.
 	files_manage_generic_locks(initrc_t)


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2012-11-12 21:30 Sven Vermeulen
From: Sven Vermeulen @ 2012-11-12 21:30 UTC
  To: gentoo-commits

commit:     9e80da63f0a14b7d7bd6a92e5ef8f57c79311f1a
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Mon Nov 12 21:24:35 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Nov 12 21:24:35 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=9e80da63

Remove generic log label for cron location

The /var/log/cron[^/]* line in the context definition takes higher precedence
than the /var/log/cron.* line in the cron.fc file. As a result, when
/var/log/cron.log is created it gets relabeled to var_log_t instead of staying
with the cron_log_t type it should be.

Removing the line so that the definitions in cron.log are used.

---
 policy/modules/system/logging.fc |    1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
index adabdf0..a00c3e0 100644
--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
@@ -41,7 +41,6 @@ ifdef(`distro_suse', `
 /var/log/boot\.log	--	gen_context(system_u:object_r:var_log_t,mls_systemhigh)
 /var/log/messages[^/]*		gen_context(system_u:object_r:var_log_t,mls_systemhigh)
 /var/log/secure[^/]*		gen_context(system_u:object_r:var_log_t,mls_systemhigh)
-/var/log/cron[^/]*		gen_context(system_u:object_r:var_log_t,mls_systemhigh)
 /var/log/maillog[^/]*		gen_context(system_u:object_r:var_log_t,mls_systemhigh)
 /var/log/spooler[^/]*		gen_context(system_u:object_r:var_log_t,mls_systemhigh)
 /var/log/audit(/.*)?		gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
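Review bot: the message says "the definitions in cron.log are used" where it means the cron.fc file it names correctly a few lines earlier; worth correcting in the commit message. The removed entry carried mls_systemhigh, so on MLS builds confirm that the cron.fc entry taking over /var/log/cron.* assigns the same level, otherwise the file's range changes along with its type.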


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2012-11-12 21:58 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2012-11-12 21:58 UTC (permalink / raw
  To: gentoo-commits

commit:     ca4d3097a55b3f6b334664d3d1c98e1204cd1396
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Mon Nov 12 21:53:18 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Nov 12 21:53:18 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=ca4d3097

Allow udev the block_suspend capability

---
 policy/modules/system/udev.te |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 0ad9110..a4f7e88 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -180,6 +180,8 @@ userdom_dontaudit_search_user_home_content(udev_t)
 udev_pid_filetrans_db(udev_t, dir, "data")
 
 ifdef(`distro_gentoo',`
+	allow udev_t self:capability2 block_suspend;
+
 	# during boot, init scripts use /dev/.rcsysinit
 	# existance to determine if we are in early booting
 	init_getattr_script_status_files(udev_t)
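Review bot: `allow udev_t self:capability2 block_suspend;` arrives with no justification in the message and no comment in the policy, unlike the neighbouring /dev/.rcsysinit rule; record what udev does that needs the capability (the denial observed or the udev feature involved) so the grant can be reassessed later, and consider whether it belongs under distro_gentoo at all, since nothing in the message ties the behaviour to Gentoo.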


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2012-11-12 21:58 Sven Vermeulen
From: Sven Vermeulen @ 2012-11-12 21:58 UTC
  To: gentoo-commits

commit:     4b0976a6e0d918025814dad63b65416849282f4b
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Mon Nov 12 21:47:37 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Nov 12 21:47:37 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=4b0976a6

Run ipset in iptables domain

The ipset command is used to manage ip sets, used by iptables for a more
flexible management of firewall rules. It has very similar requirements to
iptables for accessing and working with the Linux kernel, so marking ipset as
iptables_exec_t to have it run in the iptables domain.

---
 policy/modules/system/iptables.fc |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
index 14cffd2..ac6ce32 100644
--- a/policy/modules/system/iptables.fc
+++ b/policy/modules/system/iptables.fc
@@ -18,3 +18,7 @@
 /usr/sbin/iptables		--	gen_context(system_u:object_r:iptables_exec_t,s0)
 /usr/sbin/iptables-multi 	--	gen_context(system_u:object_r:iptables_exec_t,s0)
 /usr/sbin/iptables-restore	--	gen_context(system_u:object_r:iptables_exec_t,s0)
+
+ifdef(`distro_gentoo',`
+/usr/sbin/ipset			--	gen_context(system_u:object_r:iptables_exec_t,s0)
+')


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2012-11-12 21:58 Sven Vermeulen
From: Sven Vermeulen @ 2012-11-12 21:58 UTC
  To: gentoo-commits

commit:     02d14eda7e22687e3946600c0bcb7a373d457872
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Mon Nov 12 21:50:54 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Nov 12 21:50:54 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=02d14eda

Allow lvtools to create cache folder

The lvscan application will create the /etc/lvm/cache folder if it doesn't exist
yet.

---
 policy/modules/system/lvm.te |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index 02e4873..6a5d75b 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -314,6 +314,9 @@ ifdef(`distro_redhat',`
 
 ifdef(`distro_gentoo',`
 	files_lock_filetrans(lvm_t, lvm_lock_t, dir, "lvm")
+
+	create_dirs_pattern(lvm_t, lvm_etc_t, lvm_metadata_t)
+	filetrans_pattern(lvm_t, lvm_etc_t, lvm_metadata_t, dir, "cache")
 ')
 
 optional_policy(`
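Review bot: the transition labels the new /etc/lvm/cache directory lvm_metadata_t; make sure lvm.fc labels /etc/lvm/cache(/.*)? with the same type, otherwise a later restorecon relabels what lvscan created and the transition and the file contexts disagree. A short comment naming lvscan as the creator, as the message does, would help the next reader of this block.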


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2012-11-12 21:58 Sven Vermeulen
From: Sven Vermeulen @ 2012-11-12 21:58 UTC
  To: gentoo-commits

commit:     e7a83c6fc843309013226f231e9f463db7d4244a
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Mon Nov 12 21:52:02 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Nov 12 21:52:02 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=e7a83c6f

lvm needs read access to the event queue of udev

The udev event queue (queue.bin file) is located in the /run/udev folder and
labeled udev_var_run_t. Hence, allow the lvm_t domain read access on this file.

Without this access, LVM operations that manipulate the volumes (like creating
an additional logical volume) result in failures like the following:

  /dev/vg/test: not found: device not cleared
  Aborting. Failed to wipe start of new LV.

---
 policy/modules/system/lvm.te |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index 6a5d75b..265b345 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -317,6 +317,10 @@ ifdef(`distro_gentoo',`
 
 	create_dirs_pattern(lvm_t, lvm_etc_t, lvm_metadata_t)
 	filetrans_pattern(lvm_t, lvm_etc_t, lvm_metadata_t, dir, "cache")
+
+	optional_policy(`
+		udev_read_pid_files(lvm_t)
+	')
 ')
 
 optional_policy(`
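Review bot: udev_read_pid_files(lvm_t) grants read on everything labelled udev_var_run_t, while the message only needs /run/udev/queue.bin; that is the granularity this interface offers, so put the queue.bin reason in a comment above the optional_policy block, since the rule is otherwise indistinguishable from a generic grant.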


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2012-11-12 21:58 Sven Vermeulen
From: Sven Vermeulen @ 2012-11-12 21:58 UTC
  To: gentoo-commits

commit:     e9440215bc250e4a0e117e35e5f1490d8bf0f9e7
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Mon Nov 12 21:49:27 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Nov 12 21:49:27 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=e9440215

lvscan creates the /run/lock/lvm directory if nonexisting

If the /run/lock/lvm directory doesn't exist yet, running any of the LVM tools
(like lvscan) will create this directory. Introduce a named file transition for
the lock location when a directory named "lvm" is created.

---
 policy/modules/system/lvm.te |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index 05392e1..02e4873 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -312,6 +312,10 @@ ifdef(`distro_redhat',`
 	')
 ')
 
+ifdef(`distro_gentoo',`
+	files_lock_filetrans(lvm_t, lvm_lock_t, dir, "lvm")
+')
+
 optional_policy(`
 	bootloader_rw_tmp_files(lvm_t)
 ')
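Review bot: files_lock_filetrans supplies the type transition and the rights on the parent lock directory, but creating /run/lock/lvm also needs create permission on lvm_lock_t:dir for lvm_t; confirm that lvm_t already holds manage or create rights on lvm_lock_t directories, otherwise the first lvscan on a fresh boot still fails at mkdir.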


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2012-11-21 20:40 Sven Vermeulen
From: Sven Vermeulen @ 2012-11-21 20:40 UTC
  To: gentoo-commits

commit:     15440068c12ed7f28f8ae9111d342958cc472eeb
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Nov 21 20:10:50 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Nov 21 20:10:50 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=15440068

Remove duplicate gnome_role_template call

Remove a second gnome_role_template() call as it would try to create the same
type(s) for a second time.

---
 policy/modules/system/userdomain.if |    4 ----
 1 files changed, 0 insertions(+), 4 deletions(-)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 1dd2bcc..6e2f1c7 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -959,10 +959,6 @@ template(`userdom_restricted_xwindows_user_template',`
 		')
 
 		optional_policy(`
-			gnome_role_template($1, $1_r, $1_t)
-		')
-
-		optional_policy(`
 			wm_role_template($1, $1_r, $1_t)
 		')
 	')


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2012-11-27 19:14 Sven Vermeulen
From: Sven Vermeulen @ 2012-11-27 19:14 UTC
  To: gentoo-commits

commit:     926665ddaadd1da32e514f63d0db9086675e338f
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Mon Nov 26 16:07:16 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Tue Nov 27 19:00:39 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=926665dd

Whitespace fix in miscfiles.fc.

---
 policy/modules/system/miscfiles.fc |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
index 1ede268..a5337b6 100644
--- a/policy/modules/system/miscfiles.fc
+++ b/policy/modules/system/miscfiles.fc
@@ -79,7 +79,7 @@ ifdef(`distro_redhat',`
 
 /var/cache/fontconfig(/.*)?	gen_context(system_u:object_r:fonts_cache_t,s0)
 /var/cache/fonts(/.*)?		gen_context(system_u:object_r:tetex_data_t,s0)
-/var/cache/man(/.*)?	gen_context(system_u:object_r:man_cache_t,s0)
+/var/cache/man(/.*)?		gen_context(system_u:object_r:man_cache_t,s0)
 
 /var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
 


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2012-11-27 19:14 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2012-11-27 19:14 UTC (permalink / raw
  To: gentoo-commits

commit:     5772cae4d5acb517532233c838d0e67621780dfc
Author:     Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Wed Oct 31 18:02:16 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Tue Nov 27 19:00:37 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=5772cae4

Label /var/cache/man with a private man cache type for mandb

Since /var/cache/man was previously labeled man_t, make sure that the old
interfaces with regard to man_t also support man_cache_t.

Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>

---
 policy/modules/system/miscfiles.fc |    2 +-
 policy/modules/system/miscfiles.if |   80 +++++++++++++++++++++++++++---------
 policy/modules/system/miscfiles.te |    3 +
 3 files changed, 64 insertions(+), 21 deletions(-)

diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
index a0b8232..1ede268 100644
--- a/policy/modules/system/miscfiles.fc
+++ b/policy/modules/system/miscfiles.fc
@@ -79,7 +79,7 @@ ifdef(`distro_redhat',`
 
 /var/cache/fontconfig(/.*)?	gen_context(system_u:object_r:fonts_cache_t,s0)
 /var/cache/fonts(/.*)?		gen_context(system_u:object_r:tetex_data_t,s0)
-/var/cache/man(/.*)?		gen_context(system_u:object_r:man_t,s0)
+/var/cache/man(/.*)?	gen_context(system_u:object_r:man_cache_t,s0)
 
 /var/named/chroot/etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
 
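Review bot: the replacement line drops one of the two tabs between the path regex and gen_context, so the entry no longer lines up with the /var/cache/fonts line above it; keep the two tabs of the removed line.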

diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
index 7315ed0..f180d4c 100644
--- a/policy/modules/system/miscfiles.if
+++ b/policy/modules/system/miscfiles.if
@@ -557,10 +557,10 @@ interface(`miscfiles_legacy_read_localization',`
 #
 interface(`miscfiles_search_man_pages',`
 	gen_require(`
-		type man_t;
+		type man_t, man_cache_t;
 	')
 
-	allow $1 man_t:dir search_dir_perms;
+	allow $1 { man_cache_t man_t }:dir search_dir_perms;
 	files_search_usr($1)
 ')
 
@@ -576,10 +576,10 @@ interface(`miscfiles_search_man_pages',`
 #
 interface(`miscfiles_dontaudit_search_man_pages',`
 	gen_require(`
-		type man_t;
+		type man_t, man_cache_t;
 	')
 
-	dontaudit $1 man_t:dir search_dir_perms;
+	dontaudit $1 { man_cache_t man_t }:dir search_dir_perms;
 ')
 
 ########################################
@@ -595,13 +595,13 @@ interface(`miscfiles_dontaudit_search_man_pages',`
 #
 interface(`miscfiles_read_man_pages',`
 	gen_require(`
-		type man_t;
+		type man_t, man_cache_t;
 	')
 
 	files_search_usr($1)
-	allow $1 man_t:dir list_dir_perms;
-	read_files_pattern($1, man_t, man_t)
-	read_lnk_files_pattern($1, man_t, man_t)
+	allow $1 { man_cache_t man_t }:dir list_dir_perms;
+	read_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
+	read_lnk_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
 ')
 
 ########################################
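Review bot: miscfiles_read_man_pages now grants read on man_cache_t, which the .fc hunk places under /var/cache, but the only directory search it provides is files_search_usr($1); add files_search_var($1) as well (the new miscfiles_read_man_cache_content interface does this), otherwise callers relying on this interface are still denied search on /var/cache. The same applies to the search, dontaudit, delete and manage interfaces in this file.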
@@ -617,17 +617,14 @@ interface(`miscfiles_read_man_pages',`
 #
 interface(`miscfiles_delete_man_pages',`
 	gen_require(`
-		type man_t;
+		type man_t, man_cache_t;
 	')
 
 	files_search_usr($1)
-
-	allow $1 man_t:dir setattr;
-	# RH bug #309351
-	allow $1 man_t:dir list_dir_perms;
-	delete_dirs_pattern($1, man_t, man_t)
-	delete_files_pattern($1, man_t, man_t)
-	delete_lnk_files_pattern($1, man_t, man_t)
+	allow $1 { man_cache_t man_t }:dir { setattr_dir_perms list_dir_perms };
+	delete_dirs_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
+	delete_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
+	delete_lnk_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
 ')
 
 ########################################
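Review bot: the removed "# RH bug #309351" comment documented why list_dir_perms is granted on the man directories, and folding that permission into { setattr_dir_perms list_dir_perms } drops the reference; keep the comment above the new allow line. The setattr to setattr_dir_perms change itself is behaviour-preserving.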
@@ -642,13 +639,56 @@ interface(`miscfiles_delete_man_pages',`
 #
 interface(`miscfiles_manage_man_pages',`
 	gen_require(`
-		type man_t;
+		type man_t, man_cache_t;
 	')
 
 	files_search_usr($1)
-	manage_dirs_pattern($1, man_t, man_t)
-	manage_files_pattern($1, man_t, man_t)
-	read_lnk_files_pattern($1, man_t, man_t)
+	manage_dirs_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
+	manage_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
+	read_lnk_files_pattern($1, { man_cache_t man_t }, { man_cache_t man_t })
+')
+
+########################################
+## <summary>
+##	Read man cache content.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`miscfiles_read_man_cache_content',`
+	gen_require(`
+		type man_cache_t;
+	')
+
+	files_search_var($1)
+	allow $1 man_cache_t:dir list_dir_perms;
+	allow $1 man_cache_t:file read_file_perms;
+	allow $1 man_cache_t:lnk_file read_lnk_file_perms;
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	man cache content.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`miscfiles_manage_man_cache_content',`
+	gen_require(`
+		type man_cache_t;
+	')
+
+	files_search_var($1)
+	allow $1 man_cache_t:dir manage_dir_perms;
+	allow $1 man_cache_t:file manage_file_perms;
+	allow $1 man_cache_t:lnk_file manage_lnk_file_perms;
 ')
 
 ########################################
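Review bot: the two new interface names miscfiles_read_man_cache_content and miscfiles_manage_man_cache_content do not follow the naming of the sibling interfaces (miscfiles_read_man_pages, miscfiles_manage_man_pages); miscfiles_read_man_cache and miscfiles_manage_man_cache would be consistent. Also, miscfiles_manage_man_pages grants only read_lnk_files_pattern on the cache while miscfiles_manage_man_cache_content grants manage_lnk_file_perms, so a caller of the former cannot replace symlinks in the cache; say whether that asymmetry is intended.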

diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te
index 00801e6..cab354a 100644
--- a/policy/modules/system/miscfiles.te
+++ b/policy/modules/system/miscfiles.te
@@ -48,6 +48,9 @@ files_type(locale_t)
 type man_t alias catman_t;
 files_type(man_t)
 
+type man_cache_t;
+files_type(man_cache_t)
+
 #
 # Types for public content
 #
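Review bot: a new type man_cache_t and two new interfaces land without a policy_module version bump in miscfiles.te; bump the module version in the same change so that policy depending on the new interfaces can express the requirement.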


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2012-11-27 19:14 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2012-11-27 19:14 UTC (permalink / raw
  To: gentoo-commits

commit:     63dc1cf6cef5d7cc0e66ded27c983a958f91c4e5
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Mon Nov 26 16:59:55 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Tue Nov 27 19:01:02 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=63dc1cf6

Module version bump for userdomain portion of XDG updates from Dominick Grift.

---
 policy/modules/system/userdomain.te |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 5cd5f28..2c9e371 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -1,4 +1,4 @@
-policy_module(userdomain, 4.8.3)
+policy_module(userdomain, 4.8.4)
 
 ########################################
 #


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2012-11-27 19:14 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2012-11-27 19:14 UTC (permalink / raw
  To: gentoo-commits

commit:     e1b8d9436704d79d8246c77b58df6ca6d4f6a8a3
Author:     Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Mon Nov  5 11:55:13 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Tue Nov 27 19:00:52 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=e1b8d943

Create an attribute user_home_content_type and assign it to all types that are classified userdom_user_home_content()

Create various interfaces using the user_home_content_type attribute for
tmpreaper

user_home_t, user_tmp_t and user_tmpfs_t are user_home_content_type
(why?) We should probably also create user_tmp_content_type and
user_tmpfs_content_type attributes and assign to userdom_tmp_file and
userdom_tmpfs_file respectively

Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>

---
 policy/modules/system/userdomain.if |  101 +++++++++++++++++++++++++++++++++++
 policy/modules/system/userdomain.te |    2 +
 2 files changed, 103 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 6e2f1c7..deb9ae9 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1371,9 +1371,12 @@ interface(`userdom_user_application_domain',`
 #
 interface(`userdom_user_home_content',`
 	gen_require(`
+		attribute user_home_content_type;
 		type user_home_t;
 	')
 
+	typeattribute $1 user_home_content_type;
+
 	allow $1 user_home_t:filesystem associate;
 	files_type($1)
 	files_poly_member($1)
@@ -1725,6 +1728,25 @@ interface(`userdom_dontaudit_search_user_home_content',`
 
 ########################################
 ## <summary>
+##	List all users home content directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_list_all_user_home_content',`
+	gen_require(`
+		attribute user_home_content_type;
+	')
+
+	userdom_search_user_home_dirs($1)
+	allow $1 user_home_content_type:dir list_dir_perms;
+')
+
+########################################
+## <summary>
 ##	List contents of users home directory.
 ## </summary>
 ## <param name="domain">
@@ -1763,6 +1785,26 @@ interface(`userdom_manage_user_home_content_dirs',`
 
 ########################################
 ## <summary>
+##	Delete all user home content directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_delete_all_user_home_content_dirs',`
+	gen_require(`
+		attribute user_home_content_type;
+		type user_home_dir_t;
+	')
+
+	userdom_search_user_home_dirs($1)
+	delete_files_pattern($1, { user_home_dir_t user_home_content_type }, user_home_content_type)
+')
+
+########################################
+## <summary>
 ##	Delete directories in a user home subdirectory.
 ## </summary>
 ## <param name="domain">
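Review bot: the body calls delete_files_pattern while the summary says "Delete all user home content directories"; this should be delete_dirs_pattern($1, { user_home_dir_t user_home_content_type }, user_home_content_type), otherwise the interface grants unlink on files but no rmdir on the directories it claims to cover.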
@@ -1781,6 +1823,25 @@ interface(`userdom_delete_user_home_content_dirs',`
 
 ########################################
 ## <summary>
+##	Set attributes of all user home content directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_setattr_all_user_home_content_dirs',`
+	gen_require(`
+		attribute user_home_content_type;
+	')
+
+	userdom_search_user_home_dirs($1)
+	allow $1 user_home_content_type:dir setattr_dir_perms;
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to set the
 ##	attributes of user home files.
 ## </summary>
@@ -1893,6 +1954,26 @@ interface(`userdom_dontaudit_write_user_home_content_files',`
 
 ########################################
 ## <summary>
+##	Delete all user home content files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_delete_all_user_home_content_files',`
+	gen_require(`
+		attribute user_home_content_type;
+		type user_home_dir_t;
+	')
+
+	userdom_search_user_home_content($1)
+	delete_files_pattern($1 { user_home_dir_t user_home_content_type }, user_home_content_type)
+')
+
+########################################
+## <summary>
 ##	Delete files in a user home subdirectory.
 ## </summary>
 ## <param name="domain">
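Review bot: the delete_files_pattern call is missing the comma after $1 (`delete_files_pattern($1 { user_home_dir_t user_home_content_type }, user_home_content_type)`), so m4 passes "$1 { ... }" as a single first argument and the generated rule is malformed. Also, this interface calls userdom_search_user_home_content($1) while the sibling *_all_* interfaces in this patch call userdom_search_user_home_dirs($1); use the same search interface for consistency.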
@@ -2055,6 +2136,26 @@ interface(`userdom_manage_user_home_content_symlinks',`
 
 ########################################
 ## <summary>
+##	Delete all user home content symbolic links.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_delete_all_user_home_content_symlinks',`
+	gen_require(`
+		attribute user_home_content_type;
+		type user_home_dir_t;
+	')
+
+	userdom_search_user_home_dirs($1)
+	delete_lnk_files_pattern($1, { user_home_dir_t user_home_content_type }, user_home_content_type)
+')
+
+########################################
+## <summary>
 ##	Delete symbolic links in a user home directory.
 ## </summary>
 ## <param name="domain">

diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 460d96f..1f2a519 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -59,6 +59,8 @@ attribute unpriv_userdomain;
 attribute untrusted_content_type;
 attribute untrusted_content_tmp_type;
 
+attribute user_home_content_type;
+
 type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
 fs_associate_tmpfs(user_home_dir_t)
 files_type(user_home_dir_t)


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2012-11-27 19:14 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2012-11-27 19:14 UTC (permalink / raw
  To: gentoo-commits

commit:     9ee24e1865d4d2f0f5e5c82ce501e4ea53a7d43e
Author:     Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Mon Nov  5 11:55:14 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Tue Nov 27 19:00:59 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=9ee24e18

These two attributes are unused

Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>

---
 policy/modules/system/userdomain.te |    3 ---
 1 files changed, 0 insertions(+), 3 deletions(-)

diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 1f2a519..5cd5f28 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -56,9 +56,6 @@ attribute userdomain;
 # unprivileged user domains
 attribute unpriv_userdomain;
 
-attribute untrusted_content_type;
-attribute untrusted_content_tmp_type;
-
 attribute user_home_content_type;
 
 type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2012-11-27 19:14 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2012-11-27 19:14 UTC (permalink / raw
  To: gentoo-commits

commit:     83d40e0392c0e146ffac223c53e7ff2de3523853
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Nov 10 16:52:04 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Tue Nov 27 19:01:07 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=83d40e03

Run ipset in iptables domain

The ipset command is used to manage IP sets, which iptables uses for more
flexible management of firewall rules. It has very similar requirements to
iptables for accessing and working with the Linux kernel, so ipset is marked as
iptables_exec_t to have it run in the iptables domain.

Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>

---
 policy/modules/system/iptables.fc |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
index ac6ce32..b57740f 100644
--- a/policy/modules/system/iptables.fc
+++ b/policy/modules/system/iptables.fc
@@ -15,6 +15,7 @@
 /sbin/xtables-multi		--	gen_context(system_u:object_r:iptables_exec_t,s0)
 
 /usr/sbin/ipchains.*		--	gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/sbin/ipset			--	gen_context(system_u:object_r:iptables_exec_t,s0)
 /usr/sbin/iptables		--	gen_context(system_u:object_r:iptables_exec_t,s0)
 /usr/sbin/iptables-multi 	--	gen_context(system_u:object_r:iptables_exec_t,s0)
 /usr/sbin/iptables-restore	--	gen_context(system_u:object_r:iptables_exec_t,s0)
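Review bot: only /usr/sbin/ipset is labelled, but this file also covers /sbin (see the /sbin/xtables-multi context line at the top of the hunk), so an ipset installed as /sbin/ipset would not get iptables_exec_t; add a matching /sbin/ipset entry if that install location is possible.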


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2012-11-27 19:14 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2012-11-27 19:14 UTC (permalink / raw
  To: gentoo-commits

commit:     452babccc27f2e400ad342bd70bda2a816656406
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Mon Nov 26 16:07:32 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Tue Nov 27 19:00:42 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=452babcc

Adjust man cache interface names.

---
 policy/modules/system/miscfiles.if |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
index f180d4c..8b9072c 100644
--- a/policy/modules/system/miscfiles.if
+++ b/policy/modules/system/miscfiles.if
@@ -658,7 +658,7 @@ interface(`miscfiles_manage_man_pages',`
 ##	</summary>
 ## </param>
 #
-interface(`miscfiles_read_man_cache_content',`
+interface(`miscfiles_read_man_cache',`
 	gen_require(`
 		type man_cache_t;
 	')
@@ -680,7 +680,7 @@ interface(`miscfiles_read_man_cache_content',`
 ##	</summary>
 ## </param>
 #
-interface(`miscfiles_manage_man_cache_content',`
+interface(`miscfiles_manage_man_cache',`
 	gen_require(`
 		type man_cache_t;
 	')
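Review bot: the interfaces are renamed without keeping the old names as deprecated aliases, and the diff touches only miscfiles.if, so any module that already calls miscfiles_read_man_cache_content or miscfiles_manage_man_cache_content will fail to build; either keep the old names as thin wrappers calling the new ones or confirm nothing calls them yet.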


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2012-11-27 19:14 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2012-11-27 19:14 UTC (permalink / raw
  To: gentoo-commits

commit:     f608d5bace7345ccf8c85b4bc87ba917eac96192
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Mon Nov 26 16:07:57 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Tue Nov 27 19:00:44 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f608d5ba

Module version bump for man cache from Dominick Grift.

---
 policy/modules/system/miscfiles.te |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te
index cab354a..4aa3478 100644
--- a/policy/modules/system/miscfiles.te
+++ b/policy/modules/system/miscfiles.te
@@ -1,4 +1,4 @@
-policy_module(miscfiles, 1.10.1)
+policy_module(miscfiles, 1.10.2)
 
 ########################################
 #


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2012-11-27 19:14 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2012-11-27 19:14 UTC (permalink / raw
  To: gentoo-commits

commit:     5f975e92fddf781418ad11916225c4f9baf76669
Author:     Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Wed Oct 31 16:05:09 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Tue Nov 27 19:01:10 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=5f975e92

System logger creates innd log files with a named file transition

Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>

---
 policy/modules/system/logging.te |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 08f66fb..0b448be 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -504,6 +504,9 @@ optional_policy(`
 
 optional_policy(`
 	inn_manage_log(syslogd_t)
+	inn_generic_log_filetrans_innd_log(syslogd_t, file, "news.crit")
+	inn_generic_log_filetrans_innd_log(syslogd_t, file, "news.err")
+	inn_generic_log_filetrans_innd_log(syslogd_t, file, "news.notice")
 ')
 
 optional_policy(`
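Review bot: the named file transitions for news.crit, news.err and news.notice rely on inn_generic_log_filetrans_innd_log from the inn module, which is not part of this diff; make sure that interface exists in the matching contrib revision, and bump the logging module version alongside the new rules. Keeping the calls inside the existing optional_policy block for inn is correct.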


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2012-11-27 19:14 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2012-11-27 19:14 UTC (permalink / raw
  To: gentoo-commits

commit:     1e0cac462ad92697ddc0316de7252741705d1fad
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Tue Nov 27 13:53:57 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Tue Nov 27 19:01:13 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=1e0cac46

Module version bump for iptables fc entry from Sven Vermeulen and inn log from Dominick Grift.

---
 policy/modules/system/iptables.te |    2 +-
 policy/modules/system/logging.te  |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
index 0646ee7..5dfa44b 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -1,4 +1,4 @@
-policy_module(iptables, 1.13.0)
+policy_module(iptables, 1.13.1)
 
 ########################################
 #

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 0b448be..49f989a 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -1,4 +1,4 @@
-policy_module(logging, 1.19.3)
+policy_module(logging, 1.19.4)
 
 ########################################
 #


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2012-12-03 15:45 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2012-12-03 15:45 UTC (permalink / raw
  To: gentoo-commits

commit:     31712726b94081b0b5ff249ab40cd309d24ff9fd
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Mon Dec  3 15:43:53 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Dec  3 15:43:53 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=31712726

Introduce template for tunable restricted access to home content

Some applications are imo best served by restricting the access they have to the
user home files. As this access is generic, move this into a template that can
be called by application domains.

This will then introduce the proper tunables and access for these domains.

---
 policy/modules/system/userdomain.if |  136 +++++++++++++++++++++++++++++++++++
 1 files changed, 136 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index deb9ae9..6b5ed8f 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -3452,3 +3452,139 @@ interface(`userdom_dbus_send_all_users',`
 
 	allow $1 userdomain:dbus send_msg;
 ')
+
+ifdef(`distro_gentoo',`
+########################################
+## <summary>
+##	Support creation of tunable access to user content
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	The prefix of the application domain to create the
+##	tunables for
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain to create the tunables for
+##	</summary>
+## </param>
+#
+template(`userdom_user_content_access_template',`
+
+	########################################
+	#
+	# Declarations
+	#
+
+	## <desc>
+	##	<p>
+	##	Allow the application to read generic user home content
+	##	</p>
+	## </desc>
+	gen_tunable(`$1_read_generic_user_content', true)
+
+	## <desc>
+	##	<p>
+	##	Allow the application to read all user home content. This
+	##	includes content that is labeled as home content of another
+	##	application.
+	##	</p>
+	## </desc>
+	gen_tunable(`$1_read_all_user_content', false)
+
+	## <desc>
+	##	<p>
+	##	Allow the application to manage generic user home content
+	##	</p>
+	## </desc>
+	gen_tunable(`$1_manage_generic_user_content', false)
+
+	## <desc>
+	##	<p>
+	##	Allow the application to manage all user home content. This
+	##	includes content that is labeled as home content of another
+	##	application.
+	##	</p>
+	## </desc>
+	gen_tunable(`$1_manage_all_user_content', false)
+
+	tunable_policy(`$1_read_generic_user_content',`
+		userdom_list_user_tmp($2)
+		userdom_read_user_home_content_files($2)
+		userdom_read_user_home_content_symlinks($2)
+		userdom_read_user_tmp_files($2)
+		userdom_read_user_tmp_symlinks($2)
+	',`
+		files_dontaudit_list_home($2)
+		files_dontaudit_list_tmp($2)
+	
+		userdom_dontaudit_list_user_home_dirs($2)
+		userdom_dontaudit_list_user_tmp($2)
+		userdom_dontaudit_read_user_home_content_files($2)
+		userdom_dontaudit_read_user_tmp_files($2)
+	')
+
+	tunable_policy(`$1_read_all_user_content',`
+		userdom_list_user_tmp($2)
+		userdom_read_all_user_home_content($2)
+	')
+
+	tunable_policy(`$1_manage_generic_user_content',`
+		userdom_manage_user_tmp_dirs($2)
+		userdom_manage_user_tmp_files($2)
+		userdom_manage_user_home_content_dirs($2)
+		userdom_manage_user_home_content_files($2)
+	')
+
+	tunable_policy(`$1_manage_all_user_content',`
+		userdom_manage_all_user_home_content($2)
+	')
+')
+
+########################################
+## <summary>
+##	Read all user home content, including application-specific home content.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+#
+interface(`userdom_read_all_user_home_content',`
+	gen_require(`
+		attribute user_home_content_type;
+	')
+
+	list_dirs_pattern($1, user_home_content_type, user_home_content_type)
+	read_files_pattern($1, user_home_content_type, user_home_content_type)
+	read_lnk_files_pattern($1, user_home_content_type, user_home_content_type)
+	read_fifo_files_pattern($1, user_home_content_type, user_home_content_type)
+	read_sock_files_pattern($1, user_home_content_type, user_home_content_type)
+')
+
+########################################
+## <summary>
+##	Manage all user home content, including application-specific home
+##	content.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+#
+interface(`userdom_manage_all_user_home_content',`
+	gen_require(`
+		attribute user_home_content_type;
+	')
+
+	manage_dirs_pattern($1, user_home_content_type, user_home_content_type)
+	manage_files_pattern($1, user_home_content_type, user_home_content_type)
+	manage_lnk_files_pattern($1, user_home_content_type, user_home_content_type)
+	manage_fifo_files_pattern($1, user_home_content_type, user_home_content_type)
+	manage_sock_files_pattern($1, user_home_content_type, user_home_content_type)
+')
+# end of distro_gentoo
+')
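Review bot: wrapping template() and interface() definitions in ifdef(`distro_gentoo') inside an .if file is fragile, because the macros are simply undefined whenever the distro macro is not set and any caller outside a matching ifdef then breaks; define them unconditionally and put the conditional in the callers instead. Separately, userdom_read_all_user_home_content and userdom_manage_all_user_home_content never call userdom_search_user_home_dirs($1), unlike the userdom_*_all_user_home_content_* interfaces added earlier, and user_home_dir_t is not itself a user_home_content_type, so the domain cannot traverse the home directory to reach the content; add that call. The blank line inside the else branch of the $1_read_generic_user_content tunable also carries a trailing tab.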


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2012-12-03 21:03 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2012-12-03 21:03 UTC (permalink / raw
  To: gentoo-commits

commit:     0efe85f51676cb8e96d97afe7a6b4a725379e3e4
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Mon Dec  3 15:43:53 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Dec  3 20:11:42 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=0efe85f5

Introduce template for tunable restricted access to home content

Some applications are imo best served by restricting the access they have to the
user home files. As this access is generic, move this into a template that can
be called by application domains.

This will then introduce the proper tunables and access for these domains.

---
 policy/modules/system/userdomain.if |  136 +++++++++++++++++++++++++++++++++++
 1 files changed, 136 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index deb9ae9..981b50a 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -3452,3 +3452,139 @@ interface(`userdom_dbus_send_all_users',`
 
 	allow $1 userdomain:dbus send_msg;
 ')
+
+
+# Gentoo added stuff, but cannot use an ifdef distro_gentoo for this
+
+########################################
+## <summary>
+##	Support creation of tunable access to user content
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	The prefix of the application domain to create the
+##	tunables for
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain to create the tunables for
+##	</summary>
+## </param>
+#
+template(`userdom_user_content_access_template',`
+
+	########################################
+	#
+	# Declarations
+	#
+
+	## <desc>
+	##	<p>
+	##	Allow the application to read generic user home content
+	##	</p>
+	## </desc>
+	gen_tunable(`$1_read_generic_user_content', true)
+
+	## <desc>
+	##	<p>
+	##	Allow the application to read all user home content. This
+	##	includes content that is labeled as home content of another
+	##	application.
+	##	</p>
+	## </desc>
+	gen_tunable(`$1_read_all_user_content', false)
+
+	## <desc>
+	##	<p>
+	##	Allow the application to manage generic user home content
+	##	</p>
+	## </desc>
+	gen_tunable(`$1_manage_generic_user_content', false)
+
+	## <desc>
+	##	<p>
+	##	Allow the application to manage all user home content. This
+	##	includes content that is labeled as home content of another
+	##	application.
+	##	</p>
+	## </desc>
+	gen_tunable(`$1_manage_all_user_content', false)
+
+	tunable_policy(`$1_read_generic_user_content',`
+		userdom_list_user_tmp($2)
+		userdom_read_user_home_content_files($2)
+		userdom_read_user_home_content_symlinks($2)
+		userdom_read_user_tmp_files($2)
+		userdom_read_user_tmp_symlinks($2)
+	',`
+		files_dontaudit_list_home($2)
+		files_dontaudit_list_tmp($2)
+	
+		userdom_dontaudit_list_user_home_dirs($2)
+		userdom_dontaudit_list_user_tmp($2)
+		userdom_dontaudit_read_user_home_content_files($2)
+		userdom_dontaudit_read_user_tmp_files($2)
+	')
+
+	tunable_policy(`$1_read_all_user_content',`
+		userdom_list_user_tmp($2)
+		userdom_read_all_user_home_content($2)
+	')
+
+	tunable_policy(`$1_manage_generic_user_content',`
+		userdom_manage_user_tmp_dirs($2)
+		userdom_manage_user_tmp_files($2)
+		userdom_manage_user_home_content_dirs($2)
+		userdom_manage_user_home_content_files($2)
+	')
+
+	tunable_policy(`$1_manage_all_user_content',`
+		userdom_manage_all_user_home_content($2)
+	')
+')
+
+########################################
+## <summary>
+##	Read all user home content, including application-specific home content.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+#
+interface(`userdom_read_all_user_home_content',`
+	gen_require(`
+		attribute user_home_content_type;
+	')
+
+	list_dirs_pattern($1, user_home_content_type, user_home_content_type)
+	read_files_pattern($1, user_home_content_type, user_home_content_type)
+	read_lnk_files_pattern($1, user_home_content_type, user_home_content_type)
+	read_fifo_files_pattern($1, user_home_content_type, user_home_content_type)
+	read_sock_files_pattern($1, user_home_content_type, user_home_content_type)
+')
+
+########################################
+## <summary>
+##	Manage all user home content, including application-specific home
+##	content.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+#
+interface(`userdom_manage_all_user_home_content',`
+	gen_require(`
+		attribute user_home_content_type;
+	')
+
+	manage_dirs_pattern($1, user_home_content_type, user_home_content_type)
+	manage_files_pattern($1, user_home_content_type, user_home_content_type)
+	manage_lnk_files_pattern($1, user_home_content_type, user_home_content_type)
+	manage_fifo_files_pattern($1, user_home_content_type, user_home_content_type)
+	manage_sock_files_pattern($1, user_home_content_type, user_home_content_type)
+')
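Review bot: `$1_read_generic_user_content` is the only tunable in this template whose default is `true`, so every application instantiated through `userdom_user_content_access_template` can read generic user home and tmp content until an administrator turns it off; if that opt-out default is intended, say so in the tunable's <desc>, otherwise default it to `false` like the other three. The blank line after `files_dontaudit_list_tmp($2)` also carries a stray tab.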


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2012-12-07 15:36 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2012-12-07 15:36 UTC (permalink / raw
  To: gentoo-commits

commit:     a67b9bd3f2ba36dbb717527a60356429dc3ced8c
Author:     Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Wed Dec  5 20:39:23 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri Dec  7 15:30:10 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=a67b9bd3

Allow udev_t domain to read files labeled as consolekit_var_run_t

When the active session is changed, the udev-acl executable is called
by ConsoleKit. It will then read the ConsoleKit database to figure out
which is the active one.

---
 policy/modules/system/udev.te |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index a4f7e88..aa943a9 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -231,6 +231,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	consolekit_read_pid_files(udev_t)
+')
+
+optional_policy(`
 	cups_domtrans_config(udev_t)
 ')
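Review bot: a one-line comment above `consolekit_read_pid_files(udev_t)` naming udev-acl (labeled udev_exec_t in udev.fc) as the reason would keep the grant from looking like a spurious udev/ConsoleKit coupling when the block is revisited; the commit message carries the rationale but the policy file does not.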
 


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2012-12-07 15:36 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2012-12-07 15:36 UTC (permalink / raw
  To: gentoo-commits

commit:     a598bc0a651a3d722fdc3f48ad2b66071df0c810
Author:     Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Wed Dec  5 20:39:25 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri Dec  7 15:30:12 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=a598bc0a

authlogin.if: Add auth_create_pam_console_data_dirs and auth_pid_filetrans_pam_var_console interfaces

On Debian the /var/run/console directory might be created by consolekit; we
need these new interfaces to achieve this.

---
 policy/modules/system/authlogin.if |   50 ++++++++++++++++++++++++++++++++++++
 1 files changed, 50 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index 395ef59..fea1b6e 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -1132,6 +1132,25 @@ interface(`auth_generic_run_filetrans_pam_console_data',`
 
 ########################################
 ## <summary>
+##	Create pam var console pid directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`auth_create_pam_console_data_dirs',`
+	gen_require(`
+		type pam_var_console_t;
+	')
+
+	files_search_pids($1)
+	allow $1 pam_var_console_t:dir create_dir_perms;
+')
+
+########################################
+## <summary>
 ##	Relabel pam_console data directories.
 ## </summary>
 ## <param name="domain">
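Review bot: the summary "Create pam var console pid directories." matches neither the interface name `auth_create_pam_console_data_dirs` nor the wording of the sibling interfaces ("pam_console data directories"); align it. Note also that the body grants only `files_search_pids($1)` plus `create_dir_perms` on `pam_var_console_t:dir`, so a caller creating /var/run/console still needs write and add_name on the parent pid directory, which it only gets through `auth_pid_filetrans_pam_var_console` (via `files_pid_filetrans`); the summary should say the two interfaces are meant to be used together.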
@@ -1229,6 +1248,37 @@ interface(`auth_delete_pam_console_data',`
 
 ########################################
 ## <summary>
+##	Create specified objects in
+##	pid directories with the pam var
+##      console pid file type using a
+##      file type transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	Class of the object being created.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`auth_pid_filetrans_pam_var_console',`
+	gen_require(`
+		type pam_var_console_t;
+	')
+
+	files_pid_filetrans($1, pam_var_console_t, $2, $3)
+')
+
+########################################
+## <summary>
 ##	Read all directories on the filesystem, except
 ##	login files and listed exceptions.
 ## </summary>
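Review bot: the third and fourth summary lines ("console pid file type using a" / "file type transition.") are indented with spaces while every other doc line in this file uses a tab after `##`; fix the indentation so the doc block is consistent. The new interface is named `..._pam_var_console` while its siblings use `..._pam_console_data`; pick one naming scheme for the pair added in this commit.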


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2012-12-09 22:25 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2012-12-09 22:25 UTC (permalink / raw
  To: gentoo-commits

commit:     fa4cdd305e91ec0f10512eecec42050ca29cb569
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Dec  9 13:47:00 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sun Dec  9 13:47:00 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=fa4cdd30

Remove call that is triggered through userdom_common_user_template

The userdom_unpriv_user_template calls userdom_common_user_template; hence the
call to domain_dontaudit_getsched_all_domains in that template is already
triggered.

---
 policy/modules/system/userdomain.if |    4 ----
 1 files changed, 0 insertions(+), 4 deletions(-)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 2825a1d..60e0fcc 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1065,10 +1065,6 @@ template(`userdom_unpriv_user_template', `
 	optional_policy(`
 		setroubleshoot_stream_connect($1_t)
 	')
-
-	ifdef(`distro_gentoo',`
-		domain_dontaudit_getsched_all_domains($1_t)
-	')
 ')
 
 #######################################


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2012-12-21 20:10 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2012-12-21 20:10 UTC (permalink / raw
  To: gentoo-commits

commit:     1d5cee45ef90d18e97374228bcdfb68f63cd74d1
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Dec 21 20:08:42 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri Dec 21 20:08:42 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=1d5cee45

Allow restorecon/setfiles to read all symlinks

As restorecon is currently often run by users to reset /var/run actions,
setfiles_t needs to be able to read /var/* links (including /var/run -> /run and
/var/lock -> /run/lock). Otherwise, we get:

restorecon:	lstat(/var/run/puppet) failed: Permission denied

and the AVC denial clearly shows a read operation against the var_run_t
lnk_file.

---
 policy/modules/system/selinuxutil.te |    9 +++++++++
 1 files changed, 9 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 9bf38f8..4cba334 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -633,3 +633,12 @@ ifdef(`hide_broken_symptoms',`
 optional_policy(`
 	hotplug_use_fds(setfiles_t)
 ')
+
+ifdef(`distro_gentoo',`
+	###########################################
+	#
+	# setfiles local policy
+	#
+
+	files_read_all_symlinks(setfiles_t)
+')
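Review bot: `files_read_all_symlinks(setfiles_t)` grants read on every symlink type on the system, while the commit message only establishes a need for the var_run_t links under /var; if a narrower interface covering those links exists or is worth adding, prefer it, and in either case put the /var/run -> /run rationale in a comment above the call rather than only in the commit message. The banner is also longer than the 40-character `#` banner the rest of the policy uses.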


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2012-12-29 18:24 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2012-12-29 18:24 UTC (permalink / raw
  To: gentoo-commits

commit:     a642219232df040aabe6b91a5afa15df4506d0c9
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Dec 29 14:53:11 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sat Dec 29 14:53:11 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=a6422192

Add file transition for /dev/.lvm created by lvm_t

Gentoo's scripts default the locking directory (early in the boot process) to
/dev/.lvm. Although this is properly marked as lvm_lock_t, the first run(s) of
the LVM utilities (like pvscan) want to create this directory but fail.

---
 policy/modules/system/lvm.te |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index d0ad89d..663cc8d 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -365,6 +365,8 @@ ifdef(`distro_gentoo',`
 
 	kernel_request_load_module(lvm_t)
 
+	dev_filetrans(lvm_t, lvm_lock_t, dir, ".lvm")
+
 	optional_policy(`
 		udev_read_pid_files(lvm_t)
 	')
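Review bot: `dev_filetrans(lvm_t, lvm_lock_t, dir, ".lvm")` only labels the new directory; the permission to create it comes from the `manage_dirs_pattern(lvm_t, lvm_lock_t, lvm_lock_t)` that the same distro_gentoo block carries, so a short comment tying the two together (and naming the early-boot script that picks /dev/.lvm) would stop a later cleanup from dropping one without the other.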


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2012-12-29 18:24 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2012-12-29 18:24 UTC (permalink / raw
  To: gentoo-commits

commit:     8b82a9ace821ff21f627f8378ea947f739064e20
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Dec 29 14:40:57 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sat Dec 29 14:40:57 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=8b82a9ac

Mark /run/udev/rules.d as udev_rules_t

Currently, /run/udev/rules.d is marked as udev_tbl_t in our policy. However,
when the udev init script calls write_root_link_rule (which is labeled bin_t)
then initrc_t wants to write files in /run/udev/rules.d. However, initrc_t
doesn't have write privileges for udev_tbl_t, but it does for udev_rules_t.

Since the directory is for rules files, it makes sense to mark it as such.

---
 policy/modules/system/udev.fc |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
index 2cf756c..53dbffa 100644
--- a/policy/modules/system/udev.fc
+++ b/policy/modules/system/udev.fc
@@ -42,6 +42,6 @@ ifdef(`distro_gentoo',`
 /usr/bin/udevadm	--	gen_context(system_u:object_r:udev_exec_t,s0)
 
 /var/run/udev(/.*)?	gen_context(system_u:object_r:udev_var_run_t,s0)
-/var/run/udev/rules\.d(/.*)?	gen_context(system_u:object_r:udev_tbl_t,s0)
+/var/run/udev/rules\.d(/.*)?	gen_context(system_u:object_r:udev_rules_t,s0)
 /var/run/udev/data(/.*)?	gen_context(system_u:object_r:udev_tbl_t,s0)
 ')
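Review bot: changing the file context alone does not relabel an existing /run/udev/rules.d; because /run is recreated at boot and the directory is made by initrc_t, the label it actually receives is decided by the type transition in init.te (still `udev_pid_filetrans_db`, i.e. udev_tbl_t, at this point), so this .fc change only takes effect together with the matching init.te/udev.if change in this series. The commit message should also mention that a running system needs `restorecon` on /run/udev for the new label to apply.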


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2012-12-29 18:24 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2012-12-29 18:24 UTC (permalink / raw
  To: gentoo-commits

commit:     22c79cd0b9f0f73601207b181243881d530250a8
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Dec 29 14:40:14 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sat Dec 29 14:40:14 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=22c79cd0

Move gentoo specifics down

Moving the Gentoo specific changes on the policy downwards so that most upstream
patches can be easily applied.

---
 policy/modules/system/udev.fc |   17 +++++++++++------
 1 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
index 69d48c8..2cf756c 100644
--- a/policy/modules/system/udev.fc
+++ b/policy/modules/system/udev.fc
@@ -9,7 +9,6 @@
 /etc/udev/rules.d(/.*)? gen_context(system_u:object_r:udev_rules_t,s0)
 /etc/udev/scripts/.+ --	gen_context(system_u:object_r:udev_helper_exec_t,s0)
 
-/lib/udev/udevd	--	gen_context(system_u:object_r:udev_exec_t,s0)
 /lib/udev/udev-acl --	gen_context(system_u:object_r:udev_exec_t,s0)
 
 ifdef(`distro_debian',`
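Review bot: dropping `/lib/udev/udevd` from the unconditional section means it is labeled udev_exec_t only inside the new distro_gentoo block; confirm this entry (and `/usr/bin/udevadm` in the next hunk) was a Gentoo-only addition and not an upstream line, otherwise non-Gentoo builds lose the label while the commit message describes a pure move.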
@@ -27,16 +26,22 @@ ifdef(`distro_redhat',`
 /sbin/start_udev --	gen_context(system_u:object_r:udev_exec_t,s0)
 ')
 
-/usr/bin/udevadm	--	gen_context(system_u:object_r:udev_exec_t,s0)
 /usr/bin/udevinfo --	gen_context(system_u:object_r:udev_exec_t,s0)
 
-/usr/lib/systemd/systemd-udevd	--	gen_context(system_u:object_r:udev_exec_t,s0)
+/usr/lib/systemd/systemd-udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
 
 /var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
-/var/run/udev(/.*)?		gen_context(system_u:object_r:udev_var_run_t,s0)
-/var/run/udev/rules\.d(/.*)?	gen_context(system_u:object_r:udev_tbl_t,s0)
-/var/run/udev/data(/.*)?	gen_context(system_u:object_r:udev_tbl_t,s0)
 
 ifdef(`distro_debian',`
 /var/run/xen-hotplug -d	gen_context(system_u:object_r:udev_var_run_t,s0)
 ')
+
+ifdef(`distro_gentoo',`
+/lib/udev/udevd	--	gen_context(system_u:object_r:udev_exec_t,s0)
+
+/usr/bin/udevadm	--	gen_context(system_u:object_r:udev_exec_t,s0)
+
+/var/run/udev(/.*)?	gen_context(system_u:object_r:udev_var_run_t,s0)
+/var/run/udev/rules\.d(/.*)?	gen_context(system_u:object_r:udev_tbl_t,s0)
+/var/run/udev/data(/.*)?	gen_context(system_u:object_r:udev_tbl_t,s0)
+')
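Review bot: the `/usr/lib/systemd/systemd-udevd` line is rewritten only to replace tabs with spaces, which is unrelated to moving Gentoo specifics and breaks the column alignment of the surrounding entries; drop that change. Inside the new distro_gentoo block `/var/run/udev/rules\.d(/.*)?` is still udev_tbl_t; that is correct for a pure move, but it is the line the follow-up relabel to udev_rules_t has to touch.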


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2012-12-29 18:24 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2012-12-29 18:24 UTC (permalink / raw
  To: gentoo-commits

commit:     cb6cc4d6edcd8fbdb9a9412d30751f68b7297572
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Dec 29 14:52:46 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sat Dec 29 14:52:46 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=cb6cc4d6

Move Gentoo specifics downwards

---
 policy/modules/system/lvm.te |   32 +++++++++++++++++++-------------
 1 files changed, 19 insertions(+), 13 deletions(-)

diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index 265b345..d0ad89d 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -191,7 +191,6 @@ read_lnk_files_pattern(lvm_t, lvm_exec_t, lvm_exec_t)
 can_exec(lvm_t, lvm_exec_t)
 
 # Creating lock files
-manage_dirs_pattern(lvm_t, lvm_lock_t, lvm_lock_t)
 manage_files_pattern(lvm_t, lvm_lock_t, lvm_lock_t)
 files_lock_filetrans(lvm_t, lvm_lock_t, file)
 
@@ -216,7 +215,6 @@ kernel_get_sysvipc_info(lvm_t)
 kernel_read_system_state(lvm_t)
 # Read system variables in /proc/sys
 kernel_read_kernel_sysctls(lvm_t)
-kernel_request_load_module(lvm_t)
 # it has no reason to need this
 kernel_dontaudit_getattr_core_if(lvm_t)
 kernel_use_fds(lvm_t)
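Review bot: removing `kernel_request_load_module(lvm_t)` from the unconditional section and re-adding it only under distro_gentoo is a semantic change for non-Gentoo builds if the rule came from upstream rather than from a Gentoo patch; confirm its origin before moving it, since the commit message presents the change as a relocation only.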
@@ -312,17 +310,6 @@ ifdef(`distro_redhat',`
 	')
 ')
 
-ifdef(`distro_gentoo',`
-	files_lock_filetrans(lvm_t, lvm_lock_t, dir, "lvm")
-
-	create_dirs_pattern(lvm_t, lvm_etc_t, lvm_metadata_t)
-	filetrans_pattern(lvm_t, lvm_etc_t, lvm_metadata_t, dir, "cache")
-
-	optional_policy(`
-		udev_read_pid_files(lvm_t)
-	')
-')
-
 optional_policy(`
 	bootloader_rw_tmp_files(lvm_t)
 ')
@@ -363,3 +350,22 @@ optional_policy(`
 	xen_append_log(lvm_t)
 	xen_dontaudit_rw_unix_stream_sockets(lvm_t)
 ')
+
+ifdef(`distro_gentoo',`
+	#############################
+	#
+	# Local lvm policy
+	#
+
+	create_dirs_pattern(lvm_t, lvm_etc_t, lvm_metadata_t)
+	filetrans_pattern(lvm_t, lvm_etc_t, lvm_metadata_t, dir, "cache")
+
+	manage_dirs_pattern(lvm_t, lvm_lock_t, lvm_lock_t)
+	files_lock_filetrans(lvm_t, lvm_lock_t, dir, "lvm")
+
+	kernel_request_load_module(lvm_t)
+
+	optional_policy(`
+		udev_read_pid_files(lvm_t)
+	')
+')
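Review bot: the new block's banner is shorter than the 40-character `#` banner used elsewhere in the policy, and the other Gentoo blocks in this series each use a different width; standardize on 40 so the sections look alike. The block now carries both `manage_dirs_pattern(lvm_t, lvm_lock_t, lvm_lock_t)` and the "lvm" lock directory transition; a comment naming the Gentoo scripts that create the lock directory would document why these are Gentoo-only.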


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2012-12-29 18:24 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2012-12-29 18:24 UTC (permalink / raw
  To: gentoo-commits

commit:     d7a74e2700b2f16c25047635d211ea501f4295f9
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Dec 29 15:52:23 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sat Dec 29 16:50:46 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=d7a74e27

Use udev_rules_t for /run/udev/rules.d

When the init script creates /run/udev/rules.d, make sure that rules.d is
labeled udev_rules_t. Also grant initrc_t the rights to create udev_rules_t
directories.

---
 policy/modules/system/init.te |    4 ++--
 policy/modules/system/udev.if |   20 ++++++++++++++++++++
 2 files changed, 22 insertions(+), 2 deletions(-)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index a37147f..e55e9f1 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -936,7 +936,7 @@ ifdef(`distro_gentoo',`
 	')
 
 	optional_policy(`
-		udev_create_db_dirs(initrc_t)
-		udev_pid_filetrans_db(initrc_t, dir, "rules.d")
+		udev_create_rules_dirs(initrc_t)
+		udev_pid_filetrans_rules(initrc_t, dir, "rules.d")
 	')
 ')

diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
index 85b8d4a..5061ad4 100644
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@@ -423,3 +423,23 @@ interface(`udev_pid_filetrans_rules',`
 
 	filetrans_pattern($1, udev_var_run_t, udev_rules_t, $2, $3)
 ')
+
+########################################
+## <summary>
+##	Create udev rules directories
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`udev_create_rules_dirs',`
+	gen_require(`
+		type udev_rules_t;
+		type udev_var_run_t;
+	')
+
+	create_dirs_pattern($1, udev_var_run_t, udev_rules_t)
+')
+
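Review bot: the hunk ends with an added empty line after the closing `')`, leaving a trailing blank line at end of file (`git diff --check` flags it); drop it. The summary "Create udev rules directories" also lacks the terminating period the neighbouring interface summaries use.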


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2012-12-29 18:24 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2012-12-29 18:24 UTC (permalink / raw
  To: gentoo-commits

commit:     16b663c51f91abc7f030dceac7189574eac38ef8
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Dec 29 15:51:54 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sat Dec 29 15:51:54 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=16b663c5

Support a file transition from udev_var_run_t to udev_rules_t

This will be used later by the initrc_t domain.

---
 policy/modules/system/udev.if |   31 +++++++++++++++++++++++++++++++
 1 files changed, 31 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
index c38f9b3..85b8d4a 100644
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@@ -392,3 +392,34 @@ interface(`udev_manage_pid_files',`
 interface(`udev_generic_pid_filetrans_run_dirs',`
 	refpolicywarn(`$0($*) has been deprecated.')
 ')
+
+# Gentoo specific but cannot add it within an ifdef distro_gentoo
+
+#########################################
+## <summary>
+##	Write in /var/run/udev with the udev_rules_t (udev rules) file type
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="class">
+## 	<summary>
+##	Classes on which the file transition should occur
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	Name of the directory that the file transition will work on
+##	</summary>
+## </param>
+#
+interface(`udev_pid_filetrans_rules',`
+	gen_require(`
+		type udev_rules_t;
+		type udev_var_run_t;
+	')
+
+	filetrans_pattern($1, udev_var_run_t, udev_rules_t, $2, $3)
+')
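Review bot: the second parameter is documented as `class` while the rest of refpolicy (and `auth_pid_filetrans_pam_var_console` in this series) calls it `object_class`; use the conventional name. The `## 	<summary>` line under it mixes a space and a tab after `##`, and the summary ("Write in /var/run/udev with the udev_rules_t (udev rules) file type") describes a write permission where the interface actually installs a file type transition via `filetrans_pattern`; reword it along the lines of "Create objects in udev pid directories with the udev rules file type using a file type transition" to match the sibling interfaces.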


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2012-12-29 18:24 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2012-12-29 18:24 UTC (permalink / raw
  To: gentoo-commits

commit:     dd062fb88bc26fdc9d657dc32bb23b269fac67df
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Dec 29 15:50:11 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sat Dec 29 15:50:11 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=dd062fb8

Move majority of gentoo specifics downwards

---
 policy/modules/system/init.te |   69 ++++++++++++++++++++++++++--------------
 1 files changed, 45 insertions(+), 24 deletions(-)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index e71d117..a37147f 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -29,7 +29,7 @@ attribute init_run_all_scripts_domain;
 # Mark process types as daemons
 attribute daemon;
 
-# Mark file as daemon run dir
+# Mark file type as a daemon run directory
 attribute daemonrundir;
 
 #
@@ -122,7 +122,6 @@ dev_filetrans(init_t, initctl_t, fifo_file)
 
 # Modify utmp.
 allow init_t initrc_var_run_t:file { rw_file_perms setattr };
-manage_dirs_pattern(initrc_t, initrc_var_run_t, initrc_var_run_t)
 
 kernel_read_system_state(init_t)
 kernel_share_state(init_t)
@@ -226,7 +225,7 @@ optional_policy(`
 #
 
 allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
-allow initrc_t self:capability ~{ sys_module };
+allow initrc_t self:capability ~{ sys_admin sys_module };
 dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
 allow initrc_t self:passwd rootok;
 allow initrc_t self:key manage_key_perms;
@@ -257,7 +256,7 @@ manage_lnk_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
 manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
 
 allow initrc_t initrc_var_run_t:file manage_file_perms;
-files_pid_filetrans(initrc_t, initrc_var_run_t, { file dir })
+files_pid_filetrans(initrc_t, initrc_var_run_t, file)
 
 can_exec(initrc_t, initrc_tmp_t)
 manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
@@ -287,7 +286,6 @@ files_create_lock_dirs(initrc_t)
 files_pid_filetrans_lock_dir(initrc_t, "lock")
 files_read_kernel_symbol_table(initrc_t)
 files_setattr_lock_dirs(initrc_t)
-files_dontaudit_write_usr_dirs(initrc_t)
 
 corecmd_exec_all_executables(initrc_t)
 
@@ -308,7 +306,6 @@ dev_write_kmsg(initrc_t)
 dev_write_rand(initrc_t)
 dev_write_urand(initrc_t)
 dev_rw_sysfs(initrc_t)
-dev_manage_sysfs_dirs(initrc_t)
 dev_list_usbfs(initrc_t)
 dev_read_framebuffer(initrc_t)
 dev_write_framebuffer(initrc_t)
@@ -348,7 +345,6 @@ files_getattr_all_files(initrc_t)
 files_getattr_all_symlinks(initrc_t)
 files_getattr_all_pipes(initrc_t)
 files_getattr_all_sockets(initrc_t)
-files_create_pid_dirs(initrc_t)
 files_purge_tmp(initrc_t)
 files_delete_all_locks(initrc_t)
 files_read_all_pids(initrc_t)
@@ -367,11 +363,8 @@ files_list_isid_type_dirs(initrc_t)
 files_mounton_isid_type_dirs(initrc_t)
 files_list_default(initrc_t)
 files_mounton_default(initrc_t)
-files_manage_generic_tmp_files(initrc_t)
-files_manage_generic_tmp_dirs(initrc_t)
 
-fs_manage_cgroup_dirs(initrc_t)
-fs_manage_cgroup_files(initrc_t)
+fs_write_cgroup_files(initrc_t)
 fs_list_inotifyfs(initrc_t)
 fs_register_binary_executable_type(initrc_t)
 # rhgb-console writes to ramfs
@@ -421,7 +414,6 @@ logging_manage_generic_logs(initrc_t)
 logging_read_all_logs(initrc_t)
 logging_append_all_logs(initrc_t)
 logging_read_audit_config(initrc_t)
-logging_delete_devlog_socket(initrc_t)
 
 miscfiles_read_localization(initrc_t)
 # slapd needs to read cert files from its initscript
@@ -503,10 +495,6 @@ ifdef(`distro_gentoo',`
 	optional_policy(`
 		dhcpd_setattr_state_files(initrc_t)
 	')
-
-	optional_policy(`
-		rpc_manage_nfs_state_data(initrc_t)
-	')
 ')
 
 ifdef(`distro_redhat',`
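Review bot: after this hunk init.te carries two separate `ifdef(`distro_gentoo',`)` blocks, this one (keeping `dhcpd_setattr_state_files`) and the new local-policy block at the end of the file; since the point of the commit is to collect Gentoo specifics in one place, move the remaining dhcpd call down as well so there is a single block to maintain.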
@@ -676,10 +664,6 @@ optional_policy(`
 ')
 
 optional_policy(`
-	fail2ban_stream_connect(initrc_t)
-')
-
-optional_policy(`
 	ftp_read_config(initrc_t)
 ')
 
@@ -766,10 +750,10 @@ optional_policy(`
 	ifdef(`distro_redhat',`
 		mysql_manage_db_dirs(initrc_t)
 	')
-	mysql_read_config(initrc_t)
-	mysql_setattr_run_dirs(initrc_t)
+
 	mysql_stream_connect(initrc_t)
 	mysql_write_log(initrc_t)
+	mysql_read_config(initrc_t)
 ')
 
 optional_policy(`
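Review bot: the added empty `+` line leaves a blank line between the `ifdef(`distro_redhat'` block and `mysql_stream_connect` inside the optional_policy, and `mysql_read_config` is re-added after `mysql_write_log`, breaking the alphabetical order the block had; put `mysql_read_config` back before `mysql_stream_connect` and drop the blank line.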
@@ -861,8 +845,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-	udev_create_db_dirs(initrc_t)
-	udev_pid_filetrans_db(initrc_t, dir, "rules.d")
+	udev_rw_db(initrc_t)
 	udev_manage_pid_files(initrc_t)
 	udev_manage_pid_dirs(initrc_t)
 	udev_manage_rules_files(initrc_t)
@@ -915,7 +898,45 @@ optional_policy(`
 ')
 
 ifdef(`distro_gentoo',`
+	#####################################
+	#
+	# Local initrc_t policy
+	#
+	allow initrc_t self:capability sys_admin;
+
+	manage_dirs_pattern(initrc_t, initrc_var_run_t, initrc_var_run_t)
+	files_pid_filetrans(initrc_t, initrc_var_run_t, dir)
+
+	dev_manage_sysfs_dirs(initrc_t)
+
+	files_create_pid_dirs(initrc_t)
+	files_dontaudit_write_usr_dirs(initrc_t)
+	files_manage_generic_tmp_dirs(initrc_t)
+	files_manage_generic_tmp_files(initrc_t)
+
+	fs_manage_cgroup_dirs(initrc_t)
+	fs_manage_cgroup_files(initrc_t)
+
+	logging_delete_devlog_socket(initrc_t)
+
+	optional_policy(`
+		mysql_setattr_run_dirs(initrc_t)
+	')
+
+	optional_policy(`
+		fail2ban_stream_connect(initrc_t)
+	')
+
+	optional_policy(`
+		rpc_manage_nfs_state_data(initrc_t)
+	')
+
 	optional_policy(`
 		stunnel_read_config(initrc_t)
 	')
+
+	optional_policy(`
+		udev_create_db_dirs(initrc_t)
+		udev_pid_filetrans_db(initrc_t, dir, "rules.d")
+	')
 ')
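Review bot: `allow initrc_t self:capability sys_admin;` is the broadest capability in the set and is granted unconditionally here with no comment; state which Gentoo init scripts need it so the grant can be narrowed or dropped later. Minor: there is no blank line between the banner's closing `#` and the first rule (the other blocks in this series leave one), and `udev_pid_filetrans_db(initrc_t, dir, "rules.d")` still transitions rules.d to udev_tbl_t, which the later "Use udev_rules_t for /run/udev/rules.d" commit corrects.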


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2012-12-29 18:24 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2012-12-29 18:24 UTC (permalink / raw
  To: gentoo-commits

commit:     e81132e1d71edbe52e2199912b8b75353b982fe0
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Dec 29 17:13:39 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sat Dec 29 17:13:39 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=e81132e1

Udev init script writes to /proc/sys/kernel/hotplug

The pseudofile, labeled proc_t, should be writeable by the init scripts. The
udev init script for instance runs
  echo "" > /proc/sys/kernel/hotplug

---
 policy/modules/system/init.te |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index e55e9f1..c44b9d0 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -907,6 +907,8 @@ ifdef(`distro_gentoo',`
 	manage_dirs_pattern(initrc_t, initrc_var_run_t, initrc_var_run_t)
 	files_pid_filetrans(initrc_t, initrc_var_run_t, dir)
 
+	kernel_write_proc_files(initrc_t)
+
 	dev_manage_sysfs_dirs(initrc_t)
 
 	files_create_pid_dirs(initrc_t)
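Review bot: `kernel_write_proc_files(initrc_t)` grants write to every proc_t file, far more than the single /proc/sys/kernel/hotplug entry the commit message describes; refpolicy labels /proc/sys/kernel via genfscon as sysctl_kernel_t, so check the target type in the AVC denial, and if it is sysctl_kernel_t use `kernel_rw_kernel_sysctl(initrc_t)` instead. If the denial really is against proc_t, record that in a comment above the call so the wide grant is not removed as unexplained later.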


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2013-01-03 16:49 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2013-01-03 16:49 UTC (permalink / raw
  To: gentoo-commits

commit:     545015a51b5853256e45e308f6e83524d96923c5
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Mon Dec 17 09:42:45 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Thu Jan  3 16:24:03 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=545015a5

Allow syslogger to manage cron log files (v2)

Some cron daemons, including vixie-cron, support using the system logger for
handling their logging events. Hence we allow syslogd_t to manage the cron logs,
and put a file transition in place for the system logger when it creates the
cron.log file.

Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>

---
 policy/modules/system/logging.te |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 59b28e6..988419e 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -503,6 +503,11 @@ optional_policy(`
 ')
 
 optional_policy(`
+	cron_manage_log_files(syslogd_t)
+	cron_generic_log_filetrans_log(syslogd_t, file, "cron.log")
+')
+
+optional_policy(`
 	inn_manage_log(syslogd_t)
 	inn_generic_log_filetrans_innd_log(syslogd_t, file, "news.crit")
 	inn_generic_log_filetrans_innd_log(syslogd_t, file, "news.err")


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2013-01-03 16:49 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2013-01-03 16:49 UTC (permalink / raw
  To: gentoo-commits

commit:     c98a726a1eaa5fe221f63fc65471e9eaccdfe767
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Mon Dec 17 09:42:48 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Thu Jan  3 16:24:05 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=c98a726a

Allow initrc_t to read stunnel configuration

The stunnel init script reads the stunnel configuration to find out where to
store and check for the PID file.

Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>

---
 policy/modules/system/init.te |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index c44b9d0..89aa2dd 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -841,6 +841,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	stunnel_read_config(initrc_t)
+')
+
+optional_policy(`
 	sysnet_read_dhcpc_state(initrc_t)
 ')
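Review bot: `stunnel_read_config(initrc_t)` is already called inside the `ifdef(`distro_gentoo',`)` block at the bottom of init.te (added in commit dd062fb8 of this series), so this hunk duplicates it on Gentoo builds; since the call is now meant for the unconditional section, remove the copy from the Gentoo block in the same commit.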
 


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2013-01-03 16:49 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2013-01-03 16:49 UTC (permalink / raw
  To: gentoo-commits

commit:     c6dbdc8b04d7d2ddc3fcd28213d84091c1f24eaf
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Mon Dec 17 09:42:44 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Thu Jan  3 16:24:01 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=c6dbdc8b

lvscan creates the /run/lock/lvm directory if nonexisting (v2)

If the /run/lock/lvm directory doesn't exist yet, running any of the LVM tools
(like lvscan) will create this directory. Introduce a named file transition for
the lock location when a directory named "lvm" is created and grant the
necessary rights to create the directory.

Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>

---
 policy/modules/system/lvm.te |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index 663cc8d..14443b5 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -192,7 +192,9 @@ can_exec(lvm_t, lvm_exec_t)
 
 # Creating lock files
 manage_files_pattern(lvm_t, lvm_lock_t, lvm_lock_t)
+create_dirs_pattern(lvm_t, lvm_lock_t, lvm_lock_t)
 files_lock_filetrans(lvm_t, lvm_lock_t, file)
+files_lock_filetrans(lvm_t, lvm_lock_t, dir, "lvm")
 
 manage_dirs_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t)
 manage_files_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t)
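Review bot: the named transition on the new files_lock_filetrans(lvm_t, lvm_lock_t, dir, "lvm") line only labels the directory lvm_t creates itself; it needs a matching /var/lock/lvm(/.*)? spec for lvm_lock_t in lvm.fc so that a later restorecon, or a directory created by something other than lvm_t, ends up with the same type. This patch touches only lvm.te, so confirm that entry already exists. Also, create_dirs_pattern grants create only: if any LVM tool ever removes or renames the directory that is denied, and manage_dirs_pattern would be the conventional companion to the manage_files_pattern line directly above it.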


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2013-01-03 16:49 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2013-01-03 16:49 UTC (permalink / raw
  To: gentoo-commits

commit:     de5aa80ee83e7a25b100939daceb91619398a4fe
Author:     Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Mon Dec 17 20:07:31 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Thu Jan  3 16:26:50 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=de5aa80e

Changes to the userdomain policy module

Make sure various virt user home content gets created with a type
transition and proper file contexts for common users

Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>

---
 policy/modules/system/userdomain.if |    8 ++++++++
 1 files changed, 8 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 60e0fcc..adcc300 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -734,6 +734,14 @@ template(`userdom_common_user_template',`
 		usernetctl_run($1_t, $1_r)
 	')
 
+	optional_policy(`
+		virt_home_filetrans_virt_home($1_t, dir, ".libvirt")
+		virt_home_filetrans_virt_home($1_t, dir, ".virtinst")
+		virt_home_filetrans_virt_content($1_t, dir, "isos")
+		virt_home_filetrans_svirt_home($1_t, dir, "qemu")
+		virt_home_filetrans_virt_home($1_t, dir, "VirtualMachines")
+	')
+
 	ifdef(`distro_gentoo',`
 		domain_dontaudit_getsched_all_domains($1_t)
 	')
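Review bot: the five virt_home_filetrans_* calls need matching HOME_DIR/\.libvirt, HOME_DIR/\.virtinst, HOME_DIR/isos, HOME_DIR/qemu and HOME_DIR/VirtualMachines entries in virt.fc; without them a user running restorecon on their home directory reverts exactly the labels these transitions set. Nothing in the hunk shows those entries, so verify they are present in the virt module this tree ships. Note also that "isos" goes through a different interface (virt_home_filetrans_virt_content) than the other four directories; if that is deliberate, a one-line comment would spare the next reader a trip to virt.if.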


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2013-01-03 16:49 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2013-01-03 16:49 UTC (permalink / raw
  To: gentoo-commits

commit:     120c8bea9d0bf4dc00edacbac899b9a986946156
Author:     Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Fri Dec 14 12:58:49 2012 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Thu Jan  3 16:24:23 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=120c8bea

Changes to the init policy module

virt_manage_svirt_cache() is deprecated, use virt_manage_virt_cache()
instead

Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>

---
 policy/modules/system/init.te |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 960e38c..a079038 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -861,7 +861,7 @@ optional_policy(`
 
 optional_policy(`
 	virt_stream_connect(initrc_t)
-	virt_manage_svirt_cache(initrc_t)
+	virt_manage_virt_cache(initrc_t)
 ')
 
 optional_policy(`
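Review bot: the rename is only correct if virt_manage_virt_cache() is defined in this tree's virt.if at this point; the message calls the old name deprecated but the hunk does not show the replacement, so build-test with the virt module enabled before merging rather than relying on the optional_policy wrapper to hide a missing interface.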


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2013-01-16 15:22 Matt Thode
  0 siblings, 0 replies; 705+ messages in thread
From: Matt Thode @ 2013-01-16 15:22 UTC (permalink / raw
  To: gentoo-commits

commit:     9b69c1fc94686ed3cc28e4bb1d1b7a0aa9045025
Author:     Matthew Thode <mthode <AT> mthode <DOT> org>
AuthorDate: Wed Jan 16 15:22:17 2013 +0000
Commit:     Matt Thode <prometheanfire <AT> gentoo <DOT> org>
CommitDate: Wed Jan 16 15:22:17 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=9b69c1fc

updating udev-197 udevd location for gentoo bug 451128

---
 policy/modules/system/udev.fc |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
index 53dbffa..be5969a 100644
--- a/policy/modules/system/udev.fc
+++ b/policy/modules/system/udev.fc
@@ -38,6 +38,7 @@ ifdef(`distro_debian',`
 
 ifdef(`distro_gentoo',`
 /lib/udev/udevd	--	gen_context(system_u:object_r:udev_exec_t,s0)
+/lib/systemd/systemd-udevd  --  gen_context(system_u:object_r:udev_exec_t,s0)
 
 /usr/bin/udevadm	--	gen_context(system_u:object_r:udev_exec_t,s0)
 
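Review bot: the new /lib/systemd/systemd-udevd line separates path, file-type flag and gen_context() with runs of spaces where the neighbouring entries use tabs; match the existing column layout. Beyond style, the entry sits inside ifdef(`distro_gentoo') although systemd-udevd lives at that path on other systemd-based distributions as well, so it probably belongs in the unconditional part of udev.fc (or upstream).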


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2013-01-20 14:41 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2013-01-20 14:41 UTC (permalink / raw
  To: gentoo-commits

commit:     dd0c0cc3b1bb6b096e89592ff03bfb1ea8d3ea4f
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Jan 20 14:41:15 2013 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sun Jan 20 14:41:15 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=dd0c0cc3

udevadm now at /bin, I think we almost had all possible binary locations now

---
 policy/modules/system/udev.fc |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
index be5969a..6c684bd 100644
--- a/policy/modules/system/udev.fc
+++ b/policy/modules/system/udev.fc
@@ -37,6 +37,8 @@ ifdef(`distro_debian',`
 ')
 
 ifdef(`distro_gentoo',`
+/bin/udevadm	--	gen_context(system_u:object_r:udev_exec_t,s0)
+
 /lib/udev/udevd	--	gen_context(system_u:object_r:udev_exec_t,s0)
 /lib/systemd/systemd-udevd  --  gen_context(system_u:object_r:udev_exec_t,s0)
 
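Review bot: the `--` flag on the new /bin/udevadm spec matches regular files only. If /bin/udevadm on the target system is a symlink to /usr/bin/udevadm (a common arrangement when a tool moves), this entry never applies and the symlink keeps whatever the parent directory spec gives it; check the file type before relying on it, and use a `-l` entry if a symlink is what is actually installed.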


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2013-01-20 15:23 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2013-01-20 15:23 UTC (permalink / raw
  To: gentoo-commits

commit:     53016a6a32af36dab10406f2b0aaf7862300dbe3
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Jan 20 15:23:48 2013 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sun Jan 20 15:23:48 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=53016a6a

Udev changed its rules.d into /lib

---
 policy/modules/system/udev.fc |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
index 6c684bd..72bacb2 100644
--- a/policy/modules/system/udev.fc
+++ b/policy/modules/system/udev.fc
@@ -40,6 +40,7 @@ ifdef(`distro_gentoo',`
 /bin/udevadm	--	gen_context(system_u:object_r:udev_exec_t,s0)
 
 /lib/udev/udevd	--	gen_context(system_u:object_r:udev_exec_t,s0)
+/lib/udev/rules\.d(/.*)?	gen_context(system_u:object_r:udev_rules_t,s0)
 /lib/systemd/systemd-udevd  --  gen_context(system_u:object_r:udev_exec_t,s0)
 
 /usr/bin/udevadm	--	gen_context(system_u:object_r:udev_exec_t,s0)
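Review bot: labelling /lib/udev/rules\.d(/.*)? as udev_rules_t puts the package-shipped rules under the same type as the administrator's /etc/udev/rules.d. udev only needs to read the vendor rules, so check what udev.te grants udev_t on udev_rules_t: if it is more than read, this line extends write access to files that could otherwise stay lib_t, and a read-only type would be the safer choice. Separately, the new line lands between /lib/udev/udevd and /lib/systemd/systemd-udevd; sorting the block by path would put both /lib/systemd entries first.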


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2013-02-04 19:17 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2013-02-04 19:17 UTC (permalink / raw
  To: gentoo-commits

commit:     c8a8c25caa4f59e4e0331d8defc2690a7445c322
Author:     Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Sat Jan 12 21:32:22 2013 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Feb  4 19:08:04 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=c8a8c25c

udev.if: Call files_search_pid instead of files_search_var_lib in udev_manage_pid_files

udev_manage_pid_files is supposed to manage files that are located in
/var/run, so allow searching that directory instead of /var/lib

---
 policy/modules/system/udev.if |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
index 5061ad4..06175a7 100644
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@@ -369,7 +369,7 @@ interface(`udev_manage_pid_files',`
 		type udev_var_run_t;
 	')
 
-	files_search_var_lib($1)
+	files_search_pids($1)
 	manage_files_pattern($1, udev_var_run_t, udev_var_run_t)
 ')
 
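Review bot: the commit title says files_search_pid but the call added is files_search_pids(); the code is right (that is the refpolicy interface name), so fix the title. With that, the fix is correct: manage_files_pattern on udev_var_run_t is useless without search on the pid directory that contains those files.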


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2013-02-04 19:17 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2013-02-04 19:17 UTC (permalink / raw
  To: gentoo-commits

commit:     d063e20753e02b765f453bade0258edce2a51862
Author:     Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Sat Jan 12 21:32:21 2013 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Feb  4 19:08:01 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=d063e207

Label /var/run/initctl as initctl_t

In Debian, the initctl pipe has been moved from /dev/initctl to
/run/initctl

---
 policy/modules/system/init.fc |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
index eac1780..659474d 100644
--- a/policy/modules/system/init.fc
+++ b/policy/modules/system/init.fc
@@ -52,6 +52,7 @@ ifdef(`distro_gentoo', `
 #
 # /var
 #
+/var/run/initctl	-p	gen_context(system_u:object_r:initctl_t,s0)
 /var/run/utmp		--	gen_context(system_u:object_r:initrc_var_run_t,s0)
 /var/run/runlevel\.dir		gen_context(system_u:object_r:initrc_var_run_t,s0)
 /var/run/random-seed	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
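Review bot: the new spec is written as /var/run/initctl while the message describes the pipe moving to /run/initctl; that only works because file_contexts.subs_dist maps /run to /var/run, so confirm this tree ships that substitution (and that the /dev/initctl -p entry stays as well). Since the motivation is Debian-only, an ifdef(`distro_debian') wrapper would document why the entry exists; it is harmless elsewhere only because no such file is present there.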


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2013-02-04 19:17 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2013-02-04 19:17 UTC (permalink / raw
  To: gentoo-commits

commit:     7b7a721d232f16979f836ab3e94facfdd4aaeb5d
Author:     Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Sat Jan 12 21:32:26 2013 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Feb  4 19:12:12 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=7b7a721d

Add mount_var_run_t type and allow mount_t domain to manage the files and directories

In Debian, mount stores some information (a utab file) under the
/var/run/mount directory.

This is inspired by the fedora policy.

---
 policy/modules/system/mount.te |    8 ++++++++
 1 files changed, 8 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index 36f33d3..1c86924 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -26,6 +26,9 @@ files_type(mount_loopback_t)
 type mount_tmp_t;
 files_tmp_file(mount_tmp_t)
 
+type mount_var_run_t;
+files_pid_file(mount_var_run_t)
+
 # causes problems with interfaces when
 # this is optionally declared in monolithic
 # policy--duplicate type declaration
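Review bot: declaring mount_var_run_t with files_pid_file() is fine, but nothing in this patch labels the directory on disk: without a /var/run/mount(/.*)? entry in mount.fc the only way the directory ever gets this type is the named transition in the next hunk, and a later restorecon relabels it back to var_run_t. Add the .fc line in the same commit.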
@@ -49,6 +52,11 @@ can_exec(mount_t, mount_exec_t)
 
 files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
 
+create_dirs_pattern(mount_t, mount_var_run_t, mount_var_run_t)
+create_files_pattern(mount_t, mount_var_run_t, mount_var_run_t)
+rw_files_pattern(mount_t, mount_var_run_t, mount_var_run_t)
+files_pid_filetrans(mount_t, mount_var_run_t, dir, "mount")
+
 kernel_read_system_state(mount_t)
 kernel_read_kernel_sysctls(mount_t)
 kernel_setsched(mount_t)
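Review bot: create_files_pattern plus rw_files_pattern covers writing utab in place but not replacing it; libmount normally rewrites utab through a temporary file and rename, so if this version does that the rename (and unlink of the temporary) is denied and manage_files_pattern(mount_t, mount_var_run_t, mount_var_run_t) is the set to use; the Fedora policy the message cites is worth checking for exactly this. Note also that the named transition covers only the directory: files mount_t creates inside it inherit mount_var_run_t from the directory, which is fine, but anything it creates directly in /var/run stays var_run_t.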


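The lvm and mount commits above both rely on a name-based file transition (files_lock_filetrans(..., dir, "lvm") and files_pid_filetrans(..., dir, "mount")) and both leave the matching .fc side to the reader. The following Python is an added example, not code from hardened-refpolicy or from either commit: it models how the kernel picks a type for a newly created object (named rule, then unnamed rule, then inherit from the parent directory) and compares that with what a restorecon would apply from file-context entries. The parent types var_lock_t and var_run_t, the rule expansions and the .fc lines are assumptions standing in for what the interfaces and files.fc provide, and the longest-literal-prefix matching in fc_type() is an approximation of libselinux, not a copy of it.

```python
"""Check SELinux name-based file transitions against file-context entries.

Added example, not code from the hardened-refpolicy commits above.  It models
the two transitions those hunks introduce (lvm_t creating "lvm" under the lock
directory, mount_t creating "mount" under the pid directory) and asks whether
a later restorecon would keep the label the transition produced.  The parent
types var_lock_t/var_run_t, the .fc lines and the rule expansions are
assumptions standing in for what files_lock_filetrans(), files_pid_filetrans()
and files.fc provide; fc_type() approximates libselinux matching.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class FileTrans:
    source: str                  # creating domain
    target: str                  # type of the parent directory
    cls: str                     # object class: "file", "dir", "sock_file", ...
    result: str                  # type the new object gets
    name: Optional[str] = None   # None = unnamed (default) transition


# Assumed expansion of the interface calls in the hunks.
RULES = [
    FileTrans("lvm_t", "var_lock_t", "file", "lvm_lock_t"),                     # files_lock_filetrans(lvm_t, lvm_lock_t, file)
    FileTrans("lvm_t", "var_lock_t", "dir", "lvm_lock_t", name="lvm"),          # files_lock_filetrans(lvm_t, lvm_lock_t, dir, "lvm")
    FileTrans("mount_t", "var_run_t", "dir", "mount_var_run_t", name="mount"),  # files_pid_filetrans(mount_t, mount_var_run_t, dir, "mount")
]

# Constructed .fc lines: two generic entries and the lvm one.  There is
# deliberately no /var/run/mount entry, mirroring the mount.te patch, which
# touches no .fc file.
FC_LINES = """
/var/lock(/.*)?        gen_context(system_u:object_r:var_lock_t,s0)
/var/lock/lvm(/.*)?    gen_context(system_u:object_r:lvm_lock_t,s0)
/var/run(/.*)?         gen_context(system_u:object_r:var_run_t,s0)
"""

FC_RE = re.compile(r"^(\S+)\s+(?:(-[-a-z])\s+)?gen_context\(\w+:\w+:(\w+),")


def created_type(source, parent_type, cls, name, rules=RULES):
    """Kernel semantics: a name-based rule for (source, parent type, class,
    name) wins; otherwise the unnamed rule applies; with neither, the new
    object inherits its parent directory's type."""
    for r in rules:
        if (r.source, r.target, r.cls, r.name) == (source, parent_type, cls, name):
            return r.result
    for r in rules:
        if (r.source, r.target, r.cls, r.name) == (source, parent_type, cls, None):
            return r.result
    return parent_type


def parse_fc(text):
    """Return (regex, file-type flag or None, type) tuples in file order."""
    out = []
    for line in text.splitlines():
        m = FC_RE.match(line.strip())
        if m:
            out.append((m.group(1), m.group(2), m.group(3)))
    return out


def fc_type(path, entries):
    """Approximation of libselinux (assumption): among entries whose regex
    matches the whole path, the longest literal prefix wins and later entries
    win ties.  None means no entry matches, in which case restorecon leaves
    the object alone."""
    best = None
    for regex, _flag, ftype in entries:
        if re.fullmatch(regex, path):
            prefix = re.split(r"[\[\(\.\*\?\\]", regex, maxsplit=1)[0]
            if best is None or len(prefix) >= best[0]:
                best = (len(prefix), ftype)
    return best[1] if best else None


def check(source, parent_path, parent_type, cls, name, entries, rules=RULES):
    """(type the transition yields, type restorecon would apply, do they agree)"""
    created = created_type(source, parent_type, cls, name, rules)
    labelled = fc_type(parent_path.rstrip("/") + "/" + name, entries)
    return created, labelled, created == labelled


def report(entries=None):
    """Run the cases from the two hunks plus two neighbouring ones."""
    entries = parse_fc(FC_LINES) if entries is None else entries
    cases = [
        ("lvm_t", "/var/lock", "var_lock_t", "dir", "lvm"),
        ("lvm_t", "/var/lock", "var_lock_t", "file", "P_global"),
        ("mount_t", "/var/run", "var_run_t", "dir", "mount"),
        ("mount_t", "/var/run/mount", "mount_var_run_t", "file", "utab"),
    ]
    return [(c[1] + "/" + c[4],) + check(*c, entries) for c in cases]


if __name__ == "__main__":
    for path, created, labelled, ok in report():
        print(f"{path:24} transition={created:16} fc={str(labelled):16} {'ok' if ok else 'MISMATCH'}")
```

Running it prints one line per case: /var/lock/lvm agrees, the two /var/run/mount cases do not because the constructed .fc set has no /var/run/mount entry, and the file-directly-in-/var/lock case shows that the unnamed file transition labels something the /var/lock/lvm(/.*)? spec does not cover. That is the check to run whenever a filetrans rule is added without a companion .fc change.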
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2013-02-04 19:17 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2013-02-04 19:17 UTC (permalink / raw
  To: gentoo-commits

commit:     c760c0b8232a018b2edb81e6404bc95a5c33ab08
Author:     Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Sat Jan 12 21:32:29 2013 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Feb  4 19:12:15 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=c760c0b8

Add initrc_t to use block_suspend capability

This is needed by nm-dispatcher.action, which is labeled as
NetworkManager_initc_exec_t and is transitioned to initrc_t

---
 policy/modules/system/init.te |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 4276cb1..deab8f3 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -226,6 +226,7 @@ optional_policy(`
 
 allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
 allow initrc_t self:capability ~{ sys_admin sys_module };
+allow initrc_t self:capability2 block_suspend;
 dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
 allow initrc_t self:passwd rootok;
 allow initrc_t self:key manage_key_perms;
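Review bot: this is a broad grant: initrc_t is the domain every init script and dispatcher helper runs in, so a capability needed by one NetworkManager dispatcher script now goes to all of them. It would be tighter to place the rule in the optional_policy block for NetworkManager, or to run dispatcher scripts in their own domain; and if the capability is merely probed rather than required, a dontaudit line instead of allow is enough to silence the denial. The capability2 class is already used for syslogd_t elsewhere in this tree, so no new class declaration is needed.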


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2013-02-04 19:17 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2013-02-04 19:17 UTC (permalink / raw
  To: gentoo-commits

commit:     acdd6786197c58cdc6f3e88fa486644760e717bb
Author:     Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Sat Jan 12 21:32:24 2013 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Feb  4 19:10:04 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=acdd6786

Add support for rsyslog

Allow the sys_nice capability and setsched, allow searching /var/spool, and
allow the syslog_t domain to read network state files in /proc

squash! Add support for rsyslog

---
 policy/modules/system/logging.te |    8 ++++++--
 1 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index e044c28..99de723 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -357,14 +357,16 @@ optional_policy(`
 
 # chown fsetid for syslog-ng
 # sys_admin for the integrated klog of syslog-ng and metalog
+# sys_nice for rsyslog
 # cjp: why net_admin!
-allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin chown fsetid };
+allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin sys_nice chown fsetid };
 allow syslogd_t self:capability2 block_suspend;
 dontaudit syslogd_t self:capability sys_tty_config;
 # setpgid for metalog
 # setrlimit for syslog-ng
 # getsched for syslog-ng
-allow syslogd_t self:process { signal_perms setpgid setrlimit getsched };
+# setsched for rsyslog
+allow syslogd_t self:process { signal_perms setpgid setrlimit getsched setsched };
 # receive messages to be logged
 allow syslogd_t self:unix_dgram_socket create_socket_perms;
 allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
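Review bot: while touching this block, note that the context lines both allow and dontaudit sys_tty_config for syslogd_t; the allow wins and the dontaudit is dead, so either drop sys_tty_config from the allow set or drop the dontaudit line. The new sys_nice and setsched grants themselves are low risk and commented in the same style as the neighbouring lines.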
@@ -382,6 +384,7 @@ files_pid_filetrans(syslogd_t, devlog_t, sock_file)
 # create/append log files.
 manage_files_pattern(syslogd_t, var_log_t, var_log_t)
 rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t)
+files_search_spool(syslogd_t)
 
 # Allow access for syslog-ng
 allow syslogd_t var_log_t:dir { create setattr };
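Review bot: files_search_spool() only lets syslogd_t traverse /var/spool. If rsyslog is configured with disk-assisted queues (a WorkDirectory below /var/spool) it will need to create and write files there, and those should get a dedicated type rather than being created as var_spool_t; if search is all rsyslog needs today, a comment saying which path it traverses would help the next reader.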
@@ -399,6 +402,7 @@ manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
 files_pid_filetrans(syslogd_t, syslogd_var_run_t, file)
 
 kernel_read_system_state(syslogd_t)
+kernel_read_network_state(syslogd_t)
 kernel_read_kernel_sysctls(syslogd_t)
 kernel_read_proc_symlinks(syslogd_t)
 # Allow access to /proc/kmsg for syslog-ng
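Review bot: the commit message still carries the "squash! Add support for rsyslog" line left behind by git rebase --autosquash; drop it before merging. kernel_read_network_state() (read access to /proc/net) is a modest grant for a syslog daemon, but the message does not say which rsyslog feature reads it; record that next to the call so the rule is not removed later as unexplained.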


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2013-02-23 17:14 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2013-02-23 17:14 UTC (permalink / raw
  To: gentoo-commits

commit:     fdf8829dd4d7fb9dd3410bce5f57d6ffd2232aa5
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Feb 23 17:03:23 2013 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sat Feb 23 17:03:23 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=fdf8829d

Allow init script to toggle enforce mode

Our documentation mentions that an init script can be used to toggle enforce
mode if immediately booting in enforcing doesn't work (due to initramfs
requirements or so). But that means that initrc_t needs to be able to.

---
 policy/modules/system/init.te |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index f91f807..1b48f45 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -926,6 +926,8 @@ ifdef(`distro_gentoo',`
 
 	logging_delete_devlog_socket(initrc_t)
 
+	selinux_set_enforce_mode(initrc_t)
+
 	optional_policy(`
 		alsa_write_lib(initrc_t)
 	')
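Review bot: selinux_set_enforce_mode(initrc_t) lets any init script, and anything else running as initrc_t, switch the system to permissive, which is a large hole to open for a documented boot workaround. If this is the stock refpolicy interface, the setenforce permission it grants is gated on the secure_mode_policyload boolean being off, so at minimum the documentation that recommends the init script should tell administrators to turn secure_mode_policyload on once the system is up; better, wrap the call in a Gentoo-specific tunable_policy that defaults to off so only systems that need the workaround carry the permission.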


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2013-03-04 20:15 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2013-03-04 20:15 UTC (permalink / raw
  To: gentoo-commits

commit:     adcf31772b26281c158a0d69743a4b349e47e22f
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Mon Feb 25 16:26:13 2013 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Mar  4 20:13:03 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=adcf3177

Fix bug in userdom_delete_all_user_home_content_files() from Kohei KaiGai.

---
 policy/modules/system/userdomain.if |    2 +-
 policy/modules/system/userdomain.te |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index adcc300..93dacbe 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1981,7 +1981,7 @@ interface(`userdom_delete_all_user_home_content_files',`
 	')
 
 	userdom_search_user_home_content($1)
-	delete_files_pattern($1 { user_home_dir_t user_home_content_type }, user_home_content_type)
+	delete_files_pattern($1, { user_home_dir_t user_home_content_type }, user_home_content_type)
 ')
 
 ########################################
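Review bot: good catch. Without the comma the first two arguments of delete_files_pattern() collapsed into one and the third was empty, so the interface could not have produced the intended delete rules for any caller of userdom_delete_all_user_home_content_files(). The version bump in userdomain.te is included, as it should be.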

diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index e2b538b..9da3e54 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -1,4 +1,4 @@
-policy_module(userdomain, 4.8.5)
+policy_module(userdomain, 4.8.6)
 
 ########################################
 #


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2013-04-10 19:55 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2013-04-10 19:55 UTC (permalink / raw
  To: gentoo-commits

commit:     6c7a5a623e83dbcebae78ca667020cecb990387a
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Apr 10 19:53:34 2013 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Wed Apr 10 19:53:34 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=6c7a5a62

Support passwordless service handling

When using Gentoo init scripts, we transition to run_init_t before calling
run_init. That means that when run_init runs and checks the PAM services, the
pam_rootok.so calls will look for the previous context (which already is
run_init_t) and check if that context is allowed to "accept root" as a
sufficient authentication measure.

run_init_t doesn't (well, didn't with this patch), which makes this check fail.
When calling services with run_init directly (like "run_init rc-service sshd
status") then the previous context is (most likely) the sysadm_t one, which does
have this permission.

See also
http://blog.siphos.be/2013/04/not-needing-run_init-for-password-less-service-management/

---
 policy/modules/system/selinuxutil.te |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 4cba334..cc13e63 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -639,6 +639,11 @@ ifdef(`distro_gentoo',`
 	#
 	# setfiles local policy
 	#
+	gen_require(`
+		class passwd { passwd chfn chsh rootok };
+	')
+
+	allow run_init_t self:passwd rootok;
 
 	files_read_all_symlinks(setfiles_t)
 ')
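Review bot: the new rule is placed under the "# setfiles local policy" heading but concerns run_init_t; move it under a run_init heading so the next reader does not look for it in the wrong section. Substantively, allow run_init_t self:passwd rootok means pam_rootok succeeds whenever the previous context is run_init_t, i.e. whoever reaches run_init_t through the init-script transition manages services without a password; the commit message explains the trade-off, but a comment next to the rule should state it too. The gen_require only needs the rootok permission; listing passwd chfn chsh as well is harmless but over-declares.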


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2013-04-11  7:19 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2013-04-11  7:19 UTC (permalink / raw
  To: gentoo-commits

commit:     98f3f2918d780aae4d7225f2a119c9d6d34dfe65
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Fri Apr  5 13:43:14 2013 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Thu Apr 11 07:17:41 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=98f3f291

Add swapoff fc entry.

---
 policy/modules/system/fstools.fc |    1 +
 policy/modules/system/fstools.te |    2 +-
 2 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
index a97a096..7a46b45 100644
--- a/policy/modules/system/fstools.fc
+++ b/policy/modules/system/fstools.fc
@@ -33,6 +33,7 @@
 /sbin/resize.*fs	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /sbin/scsi_info		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /sbin/sfdisk		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+/sbin/swapoff		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /sbin/swapon.*		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /sbin/tune2fs		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 

diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index 6c4b6ee..d66d59c 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -1,4 +1,4 @@
-policy_module(fstools, 1.15.0)
+policy_module(fstools, 1.15.1)
 
 ########################################
 #


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2013-04-11  7:19 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2013-04-11  7:19 UTC (permalink / raw
  To: gentoo-commits

commit:     f050ce1bd6726cfa1f1f219217c4fba018f6d885
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Fri Apr  5 13:45:04 2013 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Thu Apr 11 07:17:42 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f050ce1b

Add conntrack fc entry.

This tool is for maintaining the netfilter connection tracking.

---
 policy/modules/system/iptables.fc |    1 +
 policy/modules/system/iptables.te |    2 +-
 2 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
index 1b93eb7..73a1c4e 100644
--- a/policy/modules/system/iptables.fc
+++ b/policy/modules/system/iptables.fc
@@ -14,6 +14,7 @@
 /sbin/ipvsadm-save		--	gen_context(system_u:object_r:iptables_exec_t,s0)
 /sbin/xtables-multi		--	gen_context(system_u:object_r:iptables_exec_t,s0)
 
+/usr/sbin/conntrack		--	gen_context(system_u:object_r:iptables_exec_t,s0)
 /usr/sbin/ipchains.*		--	gen_context(system_u:object_r:iptables_exec_t,s0)
 /usr/sbin/ipset			--	gen_context(system_u:object_r:iptables_exec_t,s0)
 /usr/sbin/iptables		--	gen_context(system_u:object_r:iptables_exec_t,s0)

diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
index 5dfa44b..ab5623f 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -1,4 +1,4 @@
-policy_module(iptables, 1.13.1)
+policy_module(iptables, 1.13.2)
 
 ########################################
 #


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2013-05-11 13:06 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2013-05-11 13:06 UTC (permalink / raw
  To: gentoo-commits

commit:     de9a7b75a08d1b1a80d80844a927994929992785
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat May 11 13:05:50 2013 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sat May 11 13:05:50 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=de9a7b75

Non-content change (formatting)

---
 policy/modules/system/authlogin.te |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index ec0af2c..e022771 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -405,7 +405,7 @@ optional_policy(`
 	xserver_rw_xdm_pipes(utempter_t)
 ')
 
-#########################################
+#######################################
 #
 # nsswitch_domain local policy
 #
@@ -426,7 +426,7 @@ tunable_policy(`authlogin_nsswitch_use_ldap',`
 
 optional_policy(`
 	tunable_policy(`authlogin_nsswitch_use_ldap',`
-		 ldap_stream_connect(nsswitch_domain)
+		ldap_stream_connect(nsswitch_domain)
 	')
 ')
 


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2013-06-23 10:11 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2013-06-23 10:11 UTC (permalink / raw
  To: gentoo-commits

commit:     9007d9da3b3e1d88d1e217ab886b41c4e3f588b6
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Jun 23 10:08:12 2013 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sun Jun 23 10:08:12 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=9007d9da

Fix bug 468874 - Add rawip_socket perms for ipv6 support

It was sent upstream but doesn't seem to be getting added (soon).

---
 policy/modules/system/sysnetwork.te | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 327beca..18b6986 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -366,3 +366,13 @@ optional_policy(`
 	xen_append_log(ifconfig_t)
 	xen_dontaudit_rw_unix_stream_sockets(ifconfig_t)
 ')
+
+ifdef(`distro_gentoo',`
+	###########################################
+	# 
+	# dhcp client policy
+	#
+
+	# Fixes bug 468874
+	allow dhcpc_t self:rawip_socket create_socket_perms;
+')


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2013-07-04 17:32 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2013-07-04 17:32 UTC (permalink / raw
  To: gentoo-commits

commit:     3e86012d0cd7e77359dc6966a075e18fc44c9b7a
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Jul  4 17:26:59 2013 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Thu Jul  4 17:26:59 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=3e86012d

Allow racoon to listen on its own socket

When starting racoon, the daemon fails with the following error:

Jul  4 19:23:57 test racoon: ERROR:
listen(sockname:/var/lib/racoon/racoon.sock): Permission denied

The denial speaks for itself:

type=AVC msg=audit(1372958637.355:24805): avc:  denied  { listen } for  pid=2981
comm="racoon" path="/var/lib/racoon/racoon.sock"
scontext=system_u:system_r:racoon_t:s0 tcontext=system_u:system_r:racoon_t:s0
tclass=unix_stream_socket

Add in the necessary permission set.

---
 policy/modules/system/ipsec.te | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index 312cd04..223e02b 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -444,3 +444,11 @@ seutil_read_config(setkey_t)
 
 userdom_use_user_terminals(setkey_t)
 
+ifdef(`distro_gentoo',`
+	################################################
+	#
+	# racoon policy
+	#
+
+	allow racoon_t self:unix_stream_socket create_stream_socket_perms;
+')


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2013-07-04 17:32 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2013-07-04 17:32 UTC (permalink / raw
  To: gentoo-commits

commit:     81df8db941d640d7bae701f68b3cefbecf06d7b8
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Jul  4 17:25:35 2013 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Thu Jul  4 17:25:35 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=81df8db9

Use /var/lib/racoon location for Gentoo

The racoon daemon in Gentoo uses /var/lib/racoon by default instead of the
/var/racoon one as provided by the policy. So enhance the policy with this
location as well.

---
 policy/modules/system/ipsec.fc | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
index 74a2256..46d232a 100644
--- a/policy/modules/system/ipsec.fc
+++ b/policy/modules/system/ipsec.fc
@@ -39,3 +39,7 @@
 
 /var/run/pluto(/.*)?			gen_context(system_u:object_r:ipsec_var_run_t,s0)
 /var/run/racoon\.pid		--	gen_context(system_u:object_r:ipsec_var_run_t,s0)
+
+ifdef(`distro_gentoo',`
+/var/lib/racoon(/.*)?			gen_context(system_u:object_r:ipsec_var_run_t,s0)
+')
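Review bot: /var/lib/racoon is persistent state under /var/lib, yet this entry labels it ipsec_var_run_t, the runtime type used for /var/run/racoon.pid in the context lines above. That keeps racoon_t's existing rules on ipsec_var_run_t working, but add a comment saying the choice is deliberate, because a reader will expect a var_lib type here. Existing installs also need a restorecon -R /var/lib/racoon after this lands, since the directory was created before the context existed and the racoon.sock denial from the previous commit will persist until it is relabeled. The regex itself is fine: without a type specifier it covers the directory, the socket and anything else created under it.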


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2013-07-04 18:47 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2013-07-04 18:47 UTC
  To: gentoo-commits

commit:     bbad00287d52aa38a12a97f89723af019d108bb7
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Jul  4 18:44:20 2013 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Thu Jul  4 18:44:20 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=bbad0028

Allow setkey output

When calling setkey to show output (such as using "setkey -DP" to view SPD
entries on the machine), no output is shown and a denial like so is found:

type=AVC msg=audit(1372963263.630:26471): avc:  denied  { use } for  pid=12506
comm="setkey" path="/dev/pts/0" dev="devpts" ino=3
scontext=root:sysadm_r:setkey_t:s0-s0:c0.c1023
tcontext=root:staff_r:newrole_t:s0-s0:c0.c1023 tclass=fd

newrole_t has the privfd attribute set, so use
domain_use_interactive_fds(setkey_t) to fix this.

---
 policy/modules/system/ipsec.te | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index 223e02b..2bbfbb3 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -451,4 +451,11 @@ ifdef(`distro_gentoo',`
 	#
 
 	allow racoon_t self:unix_stream_socket create_stream_socket_perms;
+
+	###############################################
+	#
+	# setkey policy
+	#
+
+	domain_use_interactive_fds(setkey_t)
 ')
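Review bot: the denied fd is inherited from newrole_t, which happens whenever setkey is run from a newrole session on any distribution, so domain_use_interactive_fds(setkey_t) belongs in the unconditional setkey_t section (and upstream) rather than inside ifdef(`distro_gentoo'). Note also that the interface grants fd use for every privfd domain, not just newrole_t; that is the conventional fix and acceptable for a tool whose job is printing to the terminal, but a comment on the line should say so, since the commit message only mentions newrole_t.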


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2013-07-07  8:43 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2013-07-07  8:43 UTC
  To: gentoo-commits

commit:     a6df4d536a5e4b34d16599197a5151876914817e
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Jul  7 08:34:42 2013 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sun Jul  7 08:34:42 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=a6df4d53

Allow racoon_t to get security_t filesystem attributes

The racoon application needs to check if MLS is enabled on the system (as it
then enables the context validation for security associations). To do so, we
need to grant getattr rights on the security_t filesystem.

See also http://thread.gmane.org/gmane.comp.security.selinux/19413/focus=19418

---
 policy/modules/system/ipsec.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index 2bbfbb3..db6d1c6 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -452,6 +452,8 @@ ifdef(`distro_gentoo',`
 
 	allow racoon_t self:unix_stream_socket create_stream_socket_perms;
 
+	selinux_getattr_fs(racoon_t)
+
 	###############################################
 	#
 	# setkey policy
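Review bot: same placement concern as the racoon socket rule a few lines above this hunk. The MLS check that needs getattr on the security_t filesystem is racoon's own behaviour, not Gentoo packaging, so selinux_getattr_fs(racoon_t) should move out of ifdef(`distro_gentoo') and go upstream with the referenced thread as justification. A one-line comment stating that racoon checks whether MLS is enabled would also spare the next reader the trip to the mailing list; the surrounding block has no comment at all.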


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2013-08-10 16:39 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2013-08-10 16:39 UTC
  To: gentoo-commits

commit:     a8391e8daab80ff772a3a8896d66394c73e884f4
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Aug 10 16:37:20 2013 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sat Aug 10 16:37:20 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=a8391e8d

Enable python-exec support

In Gentoo, /usr/sbin/semanage is a symlink to /usr/bin/python-exec which will
then decide which Python version to execute. As semanage is only labeled as
semanage_exec_t if it is a regular file, it now remains bin_t.

We have two choices here - either relabel /usr/sbin/semanage itself, or the
semanage-python* files. We pick the second, because we don't know what
rights/permissions python-exec needs, but it shouldn't be semanage_t.

---
 policy/modules/system/selinuxutil.fc | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/policy/modules/system/selinuxutil.fc b/policy/modules/system/selinuxutil.fc
index 3f6690c..335583d 100644
--- a/policy/modules/system/selinuxutil.fc
+++ b/policy/modules/system/selinuxutil.fc
@@ -52,3 +52,8 @@
 # /var/run
 #
 /var/run/restorecond\.pid	--	gen_context(system_u:object_r:restorecond_var_run_t,s0)
+
+ifdef(`distro_gentoo',`
+# Support for gentoo python switcheridoo
+/usr/sbin/semanage-python.*	--	gen_context(system_u:object_r:semanage_exec_t,s0)
+')
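Review bot: the regex /usr/sbin/semanage-python.* is broader than the wrapper names it targets: anything whose name starts with semanage-python (a stray semanage-python.orig left by an upgrade, for instance) becomes semanage_exec_t. If the wrappers follow the semanage-python2.7 / semanage-python3.3 naming, a tighter pattern such as /usr/sbin/semanage-python[0-9.]+ is safer, and the comment should say what the entry is for instead of "python switcheridoo". It is also worth noting in the comment that the domain transition now occurs on the second exec: /usr/sbin/semanage stays bin_t and python-exec runs in the caller's domain, so the caller still needs its usual bin_t execute rights and the domtrans from seutil_run_semanage for the transition to semanage_t to happen on the semanage-python* file.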


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2013-08-15  5:46 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2013-08-15  5:46 UTC
  To: gentoo-commits

commit:     a9ebba7af270c973d6b0bac190a93182b12fe92e
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Aug 15 05:45:01 2013 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Thu Aug 15 05:45:01 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=a9ebba7a

Add mkfs.f2fs context, see bug #480870

---
 policy/modules/system/fstools.fc | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
index 7a46b45..7d370e8 100644
--- a/policy/modules/system/fstools.fc
+++ b/policy/modules/system/fstools.fc
@@ -46,3 +46,8 @@
 /usr/sbin/smartctl	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 
 /var/log/fsck(/.*)?		gen_context(system_u:object_r:fsadm_log_t,s0)
+
+ifdef(`distro_gentoo',`
+/sbin/mkfs\.f2fs	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/mkfs\.f2fs	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+')
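Review bot: mkfs.f2fs ships with f2fs-tools on every distribution, so there is no reason for these two entries to be Gentoo-only; put them in the unconditional list next to the other fsadm_exec_t entries so every user of the policy gets the label. The \. escaping is correct, and listing both /sbin and /usr/sbin matches how the rest of fstools.fc handles tools that move between the two directories.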


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2013-08-15 17:23 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2013-08-15 17:23 UTC
  To: gentoo-commits

commit:     f292cb77d238fb6c8bbd8e478bdf885cf5082476
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Aug 15 17:14:37 2013 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Thu Aug 15 17:14:37 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f292cb77

Make sure "make modules_install" works

The kmod binary (running as depmod) needs to handle temporary files created
earlier in the "make modules_install" process. Also, it needs read rights on
src_t (for instance for System.map information) and needs to manage the kernel modules.

Examples of failures:

without manage kernel modules:

depmod: ERROR: openat(/lib/modules/3.10.5-hardened, modules.dep.tmp, 1101, 644):
Permission denied
depmod: ERROR: openat(/lib/modules/3.10.5-hardened, modules.dep.bin.tmp, 1101,
644): Permission denied
depmod: ERROR: openat(/lib/modules/3.10.5-hardened, modules.alias.tmp, 1101,
644): Permission denied

without src_t read and user tmp file manage rights:

depmod: FATAL: could not load System.map: Permission denied
make: *** [_modinst_post] Error 1

See bug #428322

---
 policy/modules/system/modutils.te | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index 7649321..b7d820c 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -324,3 +324,18 @@ ifdef(`distro_ubuntu',`
 		unconfined_domain(update_modules_t)
 	')
 ')
+
+ifdef(`distro_gentoo',`
+	############################
+	#
+	# insmod_t 
+	#
+
+	# During "make modules_install" temp files created by admin
+	# that invoked the command are later used by kmod.
+	userdom_manage_user_tmp_files(insmod_t)
+	userdom_manage_user_tmp_dirs(insmod_t)
+
+	files_read_src_files(insmod_t)
+	files_manage_kernel_modules(insmod_t)
+')
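Review bot: userdom_manage_user_tmp_files(insmod_t) and userdom_manage_user_tmp_dirs(insmod_t) are a broad grant for a domain that is also entered from udev and modprobe at boot: every insmod_t process can now create, write and delete any user's tmp files, not just the depmod temporaries from "make modules_install". If the failing case is depmod reading temporaries that the admin's build created, the narrower userdom_read_user_tmp_files or userdom_rw_user_tmp_files interfaces may be enough; if manage really is required, the comment should say which files are created and why. The "# insmod_t " heading also carries trailing whitespace.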


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2013-08-16 10:45 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2013-08-16 10:45 UTC
  To: gentoo-commits

commit:     2c0103336e739df2bc2a433f5e28034b2ec66f69
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Aug 16 07:49:11 2013 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri Aug 16 07:49:11 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=2c010333

Allow getattr on file systems for setfiles

When loading a new policy, denials are shown regarding getattr rights against
filesystem classes for tmpfs_t, devpts_t and device_t. Although not clearly
visible in the setfiles code why, allowing these does not hurt security, reduces
clutter in the logs and matches the "normal behavior" of the setfiles command.

---
 policy/modules/system/selinuxutil.te | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index cc13e63..2b1f521 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -645,5 +645,10 @@ ifdef(`distro_gentoo',`
 
 	allow run_init_t self:passwd rootok;
 
+	# Denials upon loading policy
+	fs_getattr_tmpfs(setfiles_t)
+	dev_getattr_fs(setfiles_t)
+	term_getattr_pty_fs(setfiles_t)
+
 	files_read_all_symlinks(setfiles_t)
 ')
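Review bot: three per-filesystem getattr grants will keep chasing denials as setfiles stat()s other mount points; fs_getattr_all_fs(setfiles_t) covers them in one rule, and the upstream section of this file already carries fs_getattr_xattr_fs(setfiles_t) in the same spirit (visible in the later selinuxutil.te hunk). Either way this is not Gentoo-specific behaviour and belongs outside the distro_gentoo block. The comment "Denials upon loading policy" should also record what setfiles was doing at the time, not just that denials occurred, especially since the commit message itself says the cause in the setfiles code is unclear.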


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2013-08-16 16:38 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2013-08-16 16:38 UTC
  To: gentoo-commits

commit:     4bba4d0c463dd189e6978cf1456c5895a9bd2ede
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Aug 16 16:37:09 2013 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri Aug 16 16:37:09 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=4bba4d0c

Allow dhcpc to set the system hostname

---
 policy/modules/system/sysnetwork.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 18b6986..62aad47 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -375,4 +375,8 @@ ifdef(`distro_gentoo',`
 
 	# Fixes bug 468874
 	allow dhcpc_t self:rawip_socket create_socket_perms;
+
+	# Allow dhcpc to set hostname (/proc/sys/kernel/hostname)
+	allow dhcpc_t self:capability sys_admin;
+	kernel_rw_kernel_sysctl(dhcpc_t)
 ')
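Review bot: this hunk grants two different ways of setting the hostname, and one of them is far broader than needed. Writing /proc/sys/kernel/hostname, which is what the comment describes, only needs write access to the sysctl file; CAP_SYS_ADMIN is what sethostname(2) checks. A domain that parses untrusted DHCP replies should get one or the other depending on which call the hook actually makes, not both, because sys_admin is close to full root. kernel_rw_kernel_sysctl(dhcpc_t) is also wider than the comment suggests: it covers everything labeled sysctl_kernel_t under /proc/sys/kernel, not just hostname. If only the hostname file is needed, document the broader grant or consider a dedicated type for that file.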


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2013-08-23 17:34 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2013-08-23 17:34 UTC
  To: gentoo-commits

commit:     4a75c9fb3a77a72c96bd37a2b0868d50b70dd2c8
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Aug 23 17:32:38 2013 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Fri Aug 23 17:32:38 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=4a75c9fb

It is not insmod_t that creates the directory modules

---
 policy/modules/system/modutils.te | 1 -
 1 file changed, 1 deletion(-)

diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index 1d85f94..959d245 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -339,5 +339,4 @@ ifdef(`distro_gentoo',`
 	files_list_src(insmod_t)
 	files_manage_src_files(insmod_t)
 	files_manage_kernel_modules(insmod_t)
-	files_lib_filetrans_kernel_modules(insmod_t, dir, "modules")
 ')
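Review bot: removing the transition is right if kmod never creates the "modules" directory, but the commit message only says which domain does not create it; record where the directory is created (and which domain therefore needs a files_lib_filetrans_kernel_modules rule) so the next mislabeled /lib/modules/<version> can be traced. The unchanged context also shows insmod_t now has files_manage_src_files rather than the files_read_src_files from the earlier "make modules_install" commit; that widening from read to manage on src_t deserves a line in the comment above this block.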


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2013-09-16  9:26 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2013-09-16  9:26 UTC
  To: gentoo-commits

commit:     b6ec5f1f48273cdbcee54461c91ce581abe14385
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Mon Sep 16 09:23:44 2013 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Sep 16 09:23:44 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=b6ec5f1f

Support signed kernel modules

When using CONFIG_MODULE_SIG (signed kernel module support) and trying to load
a kernel module (such as "modprobe vxlan"), insmod_t wants to search through the
kernel keyring to find the key for the module. If it doesn't succeed, loading
fails:

modprobe: ERROR: could not insert 'vxlan': Required key not available.

In the dmesg output, we get:

Request for unknown module key '...' err -13

The denial shows that "insmod_t" wants to search on "kernel_t:key". Allowing
this is sufficient to allow signed modules to be loaded.

---
 policy/modules/system/modutils.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index 959d245..c1bd664 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -336,6 +336,9 @@ ifdef(`distro_gentoo',`
 	userdom_manage_user_tmp_files(insmod_t)
 	userdom_manage_user_tmp_dirs(insmod_t)
 
+	# Needed to support signed kernel modules (to find key in modsign_keyring)
+	kernel_search_key(insmod_t)
+
 	files_list_src(insmod_t)
 	files_manage_src_files(insmod_t)
 	files_manage_kernel_modules(insmod_t)
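Review bot: kernel_search_key(insmod_t) is the minimal grant for the "Request for unknown module key" failure (search on kernel_t:key, nothing more) and allow is the right choice over dontaudit, since the load genuinely fails without it. It is not Gentoo-specific, though: any kernel built with CONFIG_MODULE_SIG, and especially one with signature enforcement on, hits the same denial on every module load, so this belongs upstream with the other insmod_t rules rather than inside ifdef(`distro_gentoo').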


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2013-09-24 17:10 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2013-09-24 17:10 UTC
  To: gentoo-commits

commit:     ad5155dbeafa7d1ccdd4a1e584132d692aca1d97
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Mon Aug 26 12:30:49 2013 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Sep 24 13:38:49 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=ad5155db

Add label for parted.

---
 policy/modules/system/fstools.fc | 1 +
 policy/modules/system/fstools.te | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
index 7d370e8..e2e6b71 100644
--- a/policy/modules/system/fstools.fc
+++ b/policy/modules/system/fstools.fc
@@ -43,6 +43,7 @@
 /usr/bin/syslinux	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 
 /usr/sbin/clubufflush	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/parted	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/sbin/smartctl	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 
 /var/log/fsck(/.*)?		gen_context(system_u:object_r:fsadm_log_t,s0)
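Review bot: the label is fine, but check whether a /sbin/parted entry is also needed for distributions that install it there. The neighbouring clubufflush and smartctl entries list only /usr/sbin, so this is consistent with them, yet elsewhere fstools.fc lists both /sbin and /usr/sbin for tools that move between the two (the mkfs.f2fs entries added earlier in this file are an example).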

diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index 3452b85..3f48d30 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -1,4 +1,4 @@
-policy_module(fstools, 1.16.0)
+policy_module(fstools, 1.16.1)
 
 ########################################
 #


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2013-09-27 13:27 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2013-09-27 13:27 UTC
  To: gentoo-commits

commit:     73ba8ba88aed1f2fc60a63c81362006808720ecd
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Thu Sep 26 13:29:42 2013 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Sep 27 13:20:45 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=73ba8ba8

Module version bump for restricted x user template fix from Dominick Grift.

---
 policy/modules/system/userdomain.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 6a0f24b..f4ac38d 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -1,4 +1,4 @@
-policy_module(userdomain, 4.9.0)
+policy_module(userdomain, 4.9.1)
 
 ########################################
 #


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2013-09-27 13:27 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2013-09-27 13:27 UTC
  To: gentoo-commits

commit:     666884f7ec55dda866841340b14c77e013c41d7c
Author:     Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Tue Sep 24 13:40:29 2013 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Sep 27 13:22:27 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=666884f7

udev: This is specific to Debian, I think. Somehow the /usr/lib/avahi/avahi-daemon-check-dns\.sh ends up in the udev_t domain

The script basically does what the name suggests, and additionally it
needs to be able to stop and start avahi-daemon via its init script

Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>

---
 policy/modules/system/udev.te | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index f2344a1..80dc84e 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -179,6 +179,16 @@ userdom_dontaudit_search_user_home_content(udev_t)
 
 udev_pid_filetrans_db(udev_t, dir, "data")
 
+ifdef(`distro_debian',`
+	optional_policy(`
+		kernel_read_vm_sysctls(udev_t)
+		corenet_udp_bind_generic_node(udev_t)
+		miscfiles_read_generic_certs(udev_t)
+		avahi_initrc_domtrans(udev_t)
+		avahi_manage_pid_files(udev_t)
+	')
+')
+
 ifdef(`distro_gentoo',`
 	allow udev_t self:capability2 block_suspend;
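Review bot: the Debian optional_policy block mixes core-module interfaces with avahi ones. kernel_read_vm_sysctls, corenet_udp_bind_generic_node and miscfiles_read_generic_certs come from base modules that are always present, so they should sit directly under ifdef(`distro_debian'); only avahi_initrc_domtrans and avahi_manage_pid_files need the optional_policy wrapper. Beyond style, letting udev_t run avahi's init script and manage its pid files widens a privileged hotplug daemon; a dedicated domain for avahi-daemon-check-dns.sh, reached by a domtrans from udev_t, would contain that script better than adding its needs to udev_t itself.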
 


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2013-09-27 13:27 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2013-09-27 13:27 UTC
  To: gentoo-commits

commit:     8155a2d519962a64df896c49a846c4db549eb972
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Thu Sep 26 13:27:04 2013 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Sep 27 13:20:30 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=8155a2d5

Module version bump for fc fix in authlogin from Dominick Grift.

---
 policy/modules/system/authlogin.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index e022771..09b791d 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -1,4 +1,4 @@
-policy_module(authlogin, 2.5.0)
+policy_module(authlogin, 2.5.1)
 
 ########################################
 #


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2013-09-27 13:27 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2013-09-27 13:27 UTC
  To: gentoo-commits

commit:     fdf7468e99a8c0d639698398a6bb64f9d4558b6d
Author:     Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Tue Sep 24 13:40:09 2013 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Sep 27 13:20:42 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=fdf7468e

userdomain: restricted xwindows user (squash me)

Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>

---
 policy/modules/system/userdomain.if | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 93dacbe..be55820 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -968,9 +968,6 @@ template(`userdom_restricted_xwindows_user_template',`
 
 		optional_policy(`
 			gnome_role_template($1, $1_r, $1_t)
-		')
-
-		optional_policy(`
 			wm_role_template($1, $1_r, $1_t)
 		')
 	')
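Review bot: folding wm_role_template into the same optional_policy block as gnome_role_template makes the two depend on each other. An optional_policy block is disabled as a whole when any type it requires is missing, so a policy built with the wm module but without gnome (or the reverse) now gets neither role template. Keep them in separate optional_policy blocks unless all-or-nothing is really the intent, in which case say so in a comment.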


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2013-09-27 13:27 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2013-09-27 13:27 UTC
  To: gentoo-commits

commit:     02180246ec67ee6e32b3aa95c042e9b335f0d6d6
Author:     Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Tue Sep 24 13:40:05 2013 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Sep 27 13:20:29 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=02180246

authlogin: Sudo file context specification did not catch paths (squash me)

Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>

---
 policy/modules/system/authlogin.fc | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
index 1226c32..bc3f7dc 100644
--- a/policy/modules/system/authlogin.fc
+++ b/policy/modules/system/authlogin.fc
@@ -48,4 +48,5 @@ ifdef(`distro_gentoo', `
 /var/run/sepermit(/.*)? 	gen_context(system_u:object_r:pam_var_run_t,s0)
 /var/run/sudo(/.*)?		gen_context(system_u:object_r:pam_var_run_t,s0)
 /var/run/user(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
-/var/(db|lib|adm)/sudo(/.*)?	gen_context(system_u:object_r:pam_var_run_t,s0)
+/var/(db|adm)/sudo(/.*)?	gen_context(system_u:object_r:pam_var_run_t,s0)
+/var/lib/sudo(/.*)?	gen_context(system_u:object_r:pam_var_run_t,s0)
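Review bot: the split works because of how file context entries are prioritised: they are ordered by the length of their literal prefix (the part before the first regex metacharacter) and the last match wins. The literal prefix of /var/(db|lib|adm)/sudo ends at /var/, so a generic entry with the longer prefix /var/lib wins for /var/lib/sudo, whereas /var/lib/sudo(/.*)? has a longer prefix than /var/lib and takes precedence. That should go in a comment, because the remaining /var/(db|adm)/sudo(/.*)? has exactly the same weakness if any entry with a longer literal prefix under /var/db or /var/adm exists; consider splitting those as well. Also align the new line with its neighbours, which use two tabs before gen_context where this one uses one.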


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2013-09-27 13:27 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2013-09-27 13:27 UTC
  To: gentoo-commits

commit:     cf3930ec64035e7f3f5252565ef9bd9a796dab79
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Thu Sep 26 13:41:25 2013 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Sep 27 13:22:35 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=cf3930ec

Module version bump for udev Debian fixes from Dominick Grift.

---
 policy/modules/system/udev.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 1dcb64b..0c35778 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -1,4 +1,4 @@
-policy_module(udev, 1.16.0)
+policy_module(udev, 1.16.1)
 
 ########################################
 #


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2013-09-27 13:27 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2013-09-27 13:27 UTC
  To: gentoo-commits

commit:     17189d070c451d389815cef2c304c46c86200ab4
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Thu Sep 26 13:41:09 2013 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Sep 27 13:22:32 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=17189d07

Add comment for debian avahi-daemon-check-dns.sh usage by udev

---
 policy/modules/system/udev.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 80dc84e..1dcb64b 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -181,6 +181,7 @@ udev_pid_filetrans_db(udev_t, dir, "data")
 
 ifdef(`distro_debian',`
 	optional_policy(`
+		# for /usr/lib/avahi/avahi-daemon-check-dns.sh
 		kernel_read_vm_sysctls(udev_t)
 		corenet_udp_bind_generic_node(udev_t)
 		miscfiles_read_generic_certs(udev_t)


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2013-09-27 13:27 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2013-09-27 13:27 UTC
  To: gentoo-commits

commit:     0530dde942f7d90edce3272212a3b15496598ed6
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Thu Sep 26 14:25:47 2013 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Sep 27 13:22:55 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=0530dde9

Module version bump for unconfined dbus fixes from Dominick Grift.

---
 policy/modules/system/unconfined.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index 77018f2..3303b71 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -1,4 +1,4 @@
-policy_module(unconfined, 3.5.0)
+policy_module(unconfined, 3.5.1)
 
 ########################################
 #


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2013-09-27 13:27 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2013-09-27 13:27 UTC
  To: gentoo-commits

commit:     57ed0a43a214867626046638fd5826626e0b6814
Author:     Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Tue Sep 24 13:39:11 2013 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Sep 27 13:22:54 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=57ed0a43

Unconfined domains have unconfined access to all of dbus rather than only system bus

unconfined: unconfined_t is real-time scheduled by rtkit

Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>

---
 policy/modules/system/unconfined.if |  3 +--
 policy/modules/system/unconfined.te | 49 ++++++-------------------------------
 2 files changed, 9 insertions(+), 43 deletions(-)

diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
index db7aabb..5ca20a9 100644
--- a/policy/modules/system/unconfined.if
+++ b/policy/modules/system/unconfined.if
@@ -67,8 +67,7 @@ interface(`unconfined_domain_noaudit',`
 	')
 
 	optional_policy(`
-		# Communicate via dbusd.
-		dbus_system_bus_unconfined($1)
+		dbus_unconfined($1)
 	')
 
 	optional_policy(`
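Review bot: replacing dbus_system_bus_unconfined with dbus_unconfined gives every domain that calls unconfined_domain_noaudit unconfined access to session buses as well as the system bus, which matches the commit title, but the hunk also drops the only comment explaining the call. Keep a one-line comment stating that all buses are covered on purpose, since unconfined_domain_noaudit is used by several domains beyond unconfined_t and the wider grant is not obvious from the interface name alone.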

diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index 0442922..77018f2 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -80,40 +80,6 @@ optional_policy(`
 ')
 
 optional_policy(`
-	init_dbus_chat_script(unconfined_t)
-
-	dbus_stub(unconfined_t)
-
-	optional_policy(`
-		avahi_dbus_chat(unconfined_t)
-	')
-
-	optional_policy(`
-		bluetooth_dbus_chat(unconfined_t)
-	')
-
-	optional_policy(`
-		consolekit_dbus_chat(unconfined_t)
-	')
-
-	optional_policy(`
-		cups_dbus_chat_config(unconfined_t)
-	')
-
-	optional_policy(`
-		hal_dbus_chat(unconfined_t)
-	')
-
-	optional_policy(`
-		networkmanager_dbus_chat(unconfined_t)
-	')
-
-	optional_policy(`
-		oddjob_dbus_chat(unconfined_t)
-	')
-')
-
-optional_policy(`
 	firstboot_run(unconfined_t, unconfined_r)
 ')
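Review bot: before removing these blocks, confirm that dbus_unconfined (now reached through unconfined_domain_noaudit) really replaces each of them, in particular init_dbus_chat_script, which covers send_msg in both directions with initrc_t, and the service-specific *_dbus_chat calls, which also let the service domain send to unconfined_t. If dbus_unconfined only covers the unconfined side, the services lose the ability to reply to unconfined_t and the resulting denials will surface on the service side, where they are hard to trace back to this change.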
 
@@ -183,6 +149,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	rtkit_scheduled(unconfined_t)
+')
+
+optional_policy(`
 	rpm_run(unconfined_t, unconfined_r)
 ')
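Review bot: ordering nit: the optional_policy blocks in this file are kept alphabetical by module, and rtkit sorts after rpm, so this block should sit below the rpm_run block rather than above it.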
 
@@ -209,6 +179,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	unconfined_dbus_chat(unconfined_t)
+')
+
+optional_policy(`
 	usermanage_run_admin_passwd(unconfined_t, unconfined_r)
 ')
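Review bot: unconfined_dbus_chat(unconfined_t) adds send_msg rules between unconfined_t and itself; with dbus_unconfined now applied to unconfined_t through unconfined_domain_noaudit this looks redundant, so either drop it or add a comment stating what it covers that dbus_unconfined does not.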
 
@@ -237,12 +211,5 @@ allow unconfined_execmem_t self:process { execstack execmem };
 unconfined_domain_noaudit(unconfined_execmem_t)
 
 optional_policy(`
-	dbus_stub(unconfined_execmem_t)
-
-	init_dbus_chat_script(unconfined_execmem_t)
 	unconfined_dbus_chat(unconfined_execmem_t)
-
-	optional_policy(`
-		hal_dbus_chat(unconfined_execmem_t)
-	')
 ')
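Review bot: same check as for the unconfined_t hunk above: hal_dbus_chat and init_dbus_chat_script are dropped for unconfined_execmem_t on the assumption that dbus_unconfined covers both directions. unconfined_execmem_t only gets its dbus rules through unconfined_domain_noaudit, so verify that assumption before merging rather than waiting for denials from hald or initrc_t.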


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2013-09-27 13:27 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2013-09-27 13:27 UTC
  To: gentoo-commits

commit:     52331cf5eba1a993b5e16387692eabaacbd40441
Author:     Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Tue Sep 24 13:40:19 2013 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Sep 27 13:23:22 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=52331cf5

init: create init_use_inherited_script_ptys() for tmpreaper (Debian)

Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>

---
 policy/modules/system/init.if | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index fc23b5f..06780d5 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1491,6 +1491,27 @@ interface(`init_use_script_ptys',`
 
 ########################################
 ## <summary>
+##	Read and write inherited init script ptys.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_use_inherited_script_ptys',`
+	gen_require(`
+		type initrc_devpts_t;
+	')
+
+	term_list_ptys($1)
+	allow $1 initrc_devpts_t:chr_file { getattr read write ioctl };
+
+	init_use_fds($1)
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to read and
 ##	write the init script pty.
 ## </summary>
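Review bot: for an inherited pty the domain never walks /dev/pts itself, so term_list_ptys($1) is not needed here; it reads as copied from init_use_script_ptys, whose whole point is opening the pty. The permission set { getattr read write ioctl } correctly omits open, which is what makes this the inherited variant; if this tree defines the rw_inherited_term_perms permission set, use it instead of the literal list so the two cannot drift apart. The summary should also say that the caller must already hold the fd (init_use_fds only permits using it), so nobody mistakes this interface for a way to obtain the pty.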


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2013-09-30 19:03 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2013-09-30 19:03 UTC
  To: gentoo-commits

commit:     b92fcf621c4710e0d54decc86af7059689d3e2a4
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Fri Sep 27 21:09:43 2013 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Sep 30 19:00:13 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=b92fcf62

Silence symlink reading by setfiles since it doesn't follow symlinks anyway.

---
 policy/modules/system/selinuxutil.te | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 4c01b9b..5e7df70 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -1,4 +1,4 @@
-policy_module(selinuxutil, 1.17.1)
+policy_module(selinuxutil, 1.17.2)
 
 gen_require(`
 	bool secure_mode;
@@ -560,6 +560,7 @@ files_read_etc_files(setfiles_t)
 files_list_all(setfiles_t)
 files_relabel_all_files(setfiles_t)
 files_read_usr_symlinks(setfiles_t)
+files_dontaudit_read_all_symlinks(setfiles_t)
 
 fs_getattr_xattr_fs(setfiles_t)
 fs_list_all(setfiles_t)
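Review bot: with files_dontaudit_read_all_symlinks(setfiles_t) added, the files_read_usr_symlinks(setfiles_t) allow directly above it deserves either a comment or removal: if setfiles never follows symlinks, as the commit message says, the /usr symlink read access is not needed either, and one allow sitting next to a blanket dontaudit for the same access will confuse the next reader.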


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2013-09-30 19:03 Sven Vermeulen
From: Sven Vermeulen @ 2013-09-30 19:03 UTC
  To: gentoo-commits

commit:     751d369607df2c2dffab6c9a4c182e8809bad43c
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Fri Sep 27 21:15:22 2013 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Sep 30 19:00:19 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=751d3696

Module version bump for dhcpc fixes from Dominick Grift.

---
 policy/modules/system/sysnetwork.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 5917f6d..f19fb4b 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -1,4 +1,4 @@
-policy_module(sysnetwork, 1.15.3)
+policy_module(sysnetwork, 1.15.4)
 
 ########################################
 #


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2013-09-30 19:03 Sven Vermeulen
From: Sven Vermeulen @ 2013-09-30 19:03 UTC
  To: gentoo-commits

commit:     9b73dcf3ceca29f92b25b1f4832ab21a5b99e315
Author:     Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Fri Sep 27 09:35:41 2013 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Sep 30 19:00:14 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=9b73dcf3

sysnetwork: dhcpc binds socket to random high udp ports
sysnetwork: do not audit attempts by ifconfig to read, and write dhcpc udp sockets (looks like a leaked fd)

Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>

---
 policy/modules/system/sysnetwork.te | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 0ec0b30..7028bd2 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -113,7 +113,9 @@ corenet_tcp_bind_dhcpc_port(dhcpc_t)
 corenet_udp_bind_dhcpc_port(dhcpc_t)
 corenet_tcp_connect_all_ports(dhcpc_t)
 corenet_sendrecv_dhcpd_client_packets(dhcpc_t)
-corenet_sendrecv_dhcpc_server_packets(dhcpc_t)
+
+corenet_sendrecv_all_server_packets(dhcpc_t)
+corenet_udp_bind_all_unreserved_ports(dhcpc_t)
 
 dev_read_sysfs(dhcpc_t)
 # for SSP:
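Review bot: corenet_sendrecv_all_server_packets(dhcpc_t) is broader than the commit message justifies; the message explains the random high UDP port bind (corenet_udp_bind_all_unreserved_ports), but replacing corenet_sendrecv_dhcpc_server_packets with the all-server-packets variant lets dhcpc_t exchange packets with every labelled server port. If only the high-port sockets need it, keep the dhcpc-specific line and add a comment above the two new calls naming the client behaviour that requires them.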
@@ -315,6 +317,8 @@ modutils_domtrans_insmod(ifconfig_t)
 
 seutil_use_runinit_fds(ifconfig_t)
 
+sysnet_dontaudit_rw_dhcpc_udp_sockets(ifconfig_t)
+
 userdom_use_user_terminals(ifconfig_t)
 userdom_use_all_users_fds(ifconfig_t)
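Review bot: sysnet_dontaudit_rw_dhcpc_udp_sockets(ifconfig_t) papers over what the commit message itself calls a leaked fd; the durable fix is for dhcpc to close its UDP socket (or mark it close-on-exec) before executing ifconfig. If the dontaudit is kept as an interim measure, add a comment such as `# dhcpc leaks its udp socket to ifconfig` above the call so it is not later mistaken for required access.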
 


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2013-09-30 19:03 Sven Vermeulen
From: Sven Vermeulen @ 2013-09-30 19:03 UTC
  To: gentoo-commits

commit:     ce22be1148a1f270f9c9d127ec1e5d29044daac1
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Fri Sep 27 21:15:02 2013 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Sep 30 19:00:17 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=ce22be11

Reorder dhcpc additions.

---
 policy/modules/system/sysnetwork.te | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 7028bd2..5917f6d 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -111,11 +111,10 @@ corenet_tcp_bind_all_nodes(dhcpc_t)
 corenet_udp_bind_all_nodes(dhcpc_t)
 corenet_tcp_bind_dhcpc_port(dhcpc_t)
 corenet_udp_bind_dhcpc_port(dhcpc_t)
+corenet_udp_bind_all_unreserved_ports(dhcpc_t)
 corenet_tcp_connect_all_ports(dhcpc_t)
 corenet_sendrecv_dhcpd_client_packets(dhcpc_t)
-
 corenet_sendrecv_all_server_packets(dhcpc_t)
-corenet_udp_bind_all_unreserved_ports(dhcpc_t)
 
 dev_read_sysfs(dhcpc_t)
 # for SSP:


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2013-10-21 18:45 Sven Vermeulen
From: Sven Vermeulen @ 2013-10-21 18:45 UTC
  To: gentoo-commits

commit:     39358a6d4738591ee67d77e3e614712008eaf64e
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Mon Oct 21 18:41:18 2013 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 21 18:41:18 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=39358a6d

Support /var/run/syslog-ng.* generally

Gentoo uses syslog-ng.ctl and others, so generalize the pattern.

---
 policy/modules/system/logging.fc | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
index a00c3e0..ab3d346 100644
--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
@@ -63,8 +63,7 @@ ifdef(`distro_redhat',`
 /var/run/log		-s	gen_context(system_u:object_r:devlog_t,s0)
 /var/run/metalog\.pid	--	gen_context(system_u:object_r:syslogd_var_run_t,s0)
 /var/run/syslogd\.pid	--	gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
-/var/run/syslog-ng.ctl	--	gen_context(system_u:object_r:syslogd_var_run_t,s0)
-/var/run/syslog-ng(/.*)?	gen_context(system_u:object_r:syslogd_var_run_t,s0)
+/var/run/syslog-ng(.*)?	gen_context(system_u:object_r:syslogd_var_run_t,s0)
 
 /var/spool/audit(/.*)?		gen_context(system_u:object_r:audit_spool_t,mls_systemhigh)
 /var/spool/bacula/log(/.*)? 	gen_context(system_u:object_r:var_log_t,s0)
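Review bot: the new pattern `/var/run/syslog-ng(.*)?` matches every path that merely starts with `/var/run/syslog-ng` (a hypothetical `/var/run/syslog-ng-other` included), and `(.*)?` is just `.*`. If the intent is the control socket, the pid file and the directory, a tighter form such as `/var/run/syslog-ng(\..*|/.*)?` keeps the scope of the two removed lines while still covering syslog-ng.ctl and the other dotted names.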


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2013-10-21 18:45 Sven Vermeulen
From: Sven Vermeulen @ 2013-10-21 18:45 UTC
  To: gentoo-commits

commit:     b2dfd7970bb126880fa3653098d1b853008be57c
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Mon Oct 21 18:44:01 2013 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 21 18:44:01 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=b2dfd797

Fix bug #488718 - Allow setcap/getcap for syslog-ng

Syslog-ng requires setcap/getcap capabilities. If not, it errors out:

root <AT> lerya /home/feandil # run_init /etc/init.d/syslog-ng restart
Authenticating feandil.
Password:
 * Stopping syslog-ng ... [ ok ]
 * Checking your configfile (/etc/syslog-ng/syslog-ng.conf) ...
syslog-ng: Error setting capabilities, capability management disabled; error='Permission denied' [ ok ]
 * Starting syslog-ng ...
syslog-ng: Error setting capabilities, capability management disabled; error='Permission denied' [ ok ]

See also https://bugs.gentoo.org/show_bug.cgi?id=488718

---
 policy/modules/system/logging.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 17c3876..d7dc379 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -535,6 +535,7 @@ ifdef(`distro_gentoo',`
 	# Local syslogd_t policy
 	#
 	allow syslogd_t self:capability2 block_suspend;
+	allow syslogd_t self:process { setcap getcap };
 
 	manage_dirs_pattern(syslogd_t, syslogmanaged, syslogmanaged)
 	manage_files_pattern(syslogd_t, syslogmanaged, syslogmanaged)
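Review bot: `allow syslogd_t self:process { setcap getcap };` is not Gentoo-specific; syslog-ng needs these permissions whenever it is built with capability support, so the rule belongs with the generic syslogd_t self:process allow rather than under ifdef(`distro_gentoo'), together with a `# getcap/setcap for syslog-ng` comment in the style that section uses. Placing it here fixes only Gentoo builds of the same binary.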


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2013-10-21 18:45 Sven Vermeulen
From: Sven Vermeulen @ 2013-10-21 18:45 UTC
  To: gentoo-commits

commit:     af5963dc5bc69cc1b33a782b28b67b69c8550ab1
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Mon Oct 21 18:43:41 2013 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 21 18:43:41 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=af5963dc

Move to distro_gentoo block

---
 policy/modules/system/logging.te | 23 +++++++++++++++--------
 1 file changed, 15 insertions(+), 8 deletions(-)

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 7883d25..17c3876 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -86,10 +86,6 @@ ifdef(`enable_mls',`
 	init_ranged_daemon_domain(syslogd_t, syslogd_exec_t, mls_systemhigh)
 ')
 
-ifdef(`distro_gentoo',`
-	attribute syslogmanaged;
-')
-
 ########################################
 #
 # Auditctl local policy
@@ -360,7 +356,6 @@ optional_policy(`
 # sys_nice for rsyslog
 # cjp: why net_admin!
 allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin sys_nice chown fsetid };
-allow syslogd_t self:capability2 block_suspend;
 dontaudit syslogd_t self:capability sys_tty_config;
 # setpgid for metalog
 # setrlimit for syslog-ng
@@ -449,7 +444,6 @@ files_read_etc_runtime_files(syslogd_t)
 # /initrd is not umounted before minilog starts
 files_dontaudit_search_isid_type_dirs(syslogd_t)
 files_read_kernel_symbol_table(syslogd_t)
-files_rw_var_lib_dirs(syslogd_t)
 files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
 
 fs_getattr_all_fs(syslogd_t)
@@ -479,8 +473,6 @@ userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
 userdom_dontaudit_search_user_home_dirs(syslogd_t)
 
 ifdef(`distro_gentoo',`
-	manage_dirs_pattern(syslogd_t, syslogmanaged, syslogmanaged)
-	manage_files_pattern(syslogd_t, syslogmanaged, syslogmanaged)
 	# default gentoo syslog-ng config appends kernel
 	# and high priority messages to /dev/tty12
 	term_append_unallocated_ttys(syslogd_t)
@@ -534,3 +526,18 @@ optional_policy(`
 	# log to the xconsole
 	xserver_rw_console(syslogd_t)
 ')
+
+ifdef(`distro_gentoo',`
+	attribute syslogmanaged;
+
+	########################################
+	#
+	# Local syslogd_t policy
+	#
+	allow syslogd_t self:capability2 block_suspend;
+
+	manage_dirs_pattern(syslogd_t, syslogmanaged, syslogmanaged)
+	manage_files_pattern(syslogd_t, syslogmanaged, syslogmanaged)
+
+	files_rw_var_lib_dirs(syslogd_t)
+')
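Review bot: files_rw_var_lib_dirs(syslogd_t) in the new distro_gentoo block looks redundant with files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir }), which stays in the generic policy and already grants the directory write access a type transition needs; if it was only ever there to support that filetrans, drop it instead of moving it. The `# Local syslogd_t policy` banner inside the ifdef also repeats the heading of the main section; `# Gentoo-specific syslogd_t policy` would be clearer.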


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2013-11-03 11:19 Sven Vermeulen
From: Sven Vermeulen @ 2013-11-03 11:19 UTC
  To: gentoo-commits

commit:     047ba1322c21dd39104b0e19e5d7fae439f0fd1f
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Nov  3 11:12:40 2013 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Nov  3 11:12:40 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=047ba132

Add interface for relabeling lib_t directories

This interface will be used later by the portage_t domain.

---
 policy/modules/system/libraries.if | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if
index a83933f..24b7ef6 100644
--- a/policy/modules/system/libraries.if
+++ b/policy/modules/system/libraries.if
@@ -603,3 +603,23 @@ interface(`libs_lib_filetrans',`
 
 	libs_search_lib($1)
 ')
+
+########################################
+## <summary>
+##	Relabel to and from the type used
+##	for generic lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`libs_relabel_lib_dirs',`
+	gen_require(`
+		type lib_t;
+	')
+
+	relabel_dirs_pattern($1, lib_t, lib_t)
+')
+
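Review bot: the file now ends with an added empty line after the closing `')` (the final `+` line), which the neighbouring interfaces do not have; drop it. Also, relabel_dirs_pattern($1, lib_t, lib_t) grants only relabelfrom/relabelto on lib_t directories, so a caller still has to be able to reach them; libs_lib_filetrans just above pairs its access with libs_search_lib($1), so either include that here or say in the summary that callers must add it.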


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2013-11-17 17:26 Sven Vermeulen
From: Sven Vermeulen @ 2013-11-17 17:26 UTC
  To: gentoo-commits

commit:     323b1e64f75e789341c253cfd8bc2cdd30d28460
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Mon Nov  4 21:15:13 2013 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Nov 17 17:20:08 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=323b1e64

Allow semodule to create symlink in semanage_store_t

With new userspace, trying to build a SELinux policy (and load it)
fails:

~# semodule -B
libsemanage.semanage_install_active: Unable to create sybolic link from
/etc/selinux/mcs/modules/active/policy.kern to
/etc/selinux/mcs/policy/policy.28 error code 0. (Permission denied).

AVC shows a denial for the semodule command, running as semanage_t,
trying to create a lnk_file in semanage_module_t.

---
 policy/modules/system/selinuxutil.if | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
index 3822072..e5ff626 100644
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
@@ -1043,6 +1043,7 @@ interface(`seutil_manage_module_store',`
 	files_search_etc($1)
 	manage_dirs_pattern($1, selinux_config_t, semanage_store_t)
 	manage_files_pattern($1, semanage_store_t, semanage_store_t)
+	manage_lnk_files_pattern($1, semanage_store_t, semanage_store_t)
 	filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "modules")
 ')
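Review bot: the commit message says the denied object was a lnk_file in semanage_module_t, while the added rule grants manage_lnk_files_pattern($1, semanage_store_t, semanage_store_t); unless semanage_module_t is an alias of semanage_store_t, this rule will not resolve that AVC, so please confirm the type or quote the AVC line in the message. manage_lnk_files_pattern also grants more than the single `create` that was denied, which matches the manage_files_pattern line above it but is worth stating.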
 


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2013-11-17 17:26 Sven Vermeulen
From: Sven Vermeulen @ 2013-11-17 17:26 UTC
  To: gentoo-commits

commit:     ab1089520f53a6d7e12b5fe642c4cd4657254ca2
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Mon Oct 21 18:52:05 2013 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Nov 17 17:20:14 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=ab108952

Allow capabilities for syslog-ng

The syslog-ng logger has (build-optional) support for capabilities. If
capabilities support is enabled, running it without setcap/getcap
permissions gives the following upon start:

 * Starting syslog-ng ...
syslog-ng: Error setting capabilities, capability management disabled;
error='Permission denied' [ ok ]

Granting only setcap (initial AVC seen) does not fully help either:

 * Starting syslog-ng ...
 Error managing capability set, cap_set_proc returned an error;

With setcap and getcap enabled, syslog-ng starts and functions fine.

See also https://bugs.gentoo.org/show_bug.cgi?id=488718

Reported-by: Vincent Brillault <gentoo <AT> lerya.net>
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>

---
 policy/modules/system/logging.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index d7dc379..650cef1 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -361,7 +361,7 @@ dontaudit syslogd_t self:capability sys_tty_config;
 # setrlimit for syslog-ng
 # getsched for syslog-ng
 # setsched for rsyslog
-allow syslogd_t self:process { signal_perms setpgid setrlimit getsched setsched };
+allow syslogd_t self:process { getcap setcap signal_perms setpgid setrlimit getsched setsched };
 # receive messages to be logged
 allow syslogd_t self:unix_dgram_socket create_socket_perms;
 allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
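Review bot: the comment block above the allow gives a reason per permission (`# setrlimit for syslog-ng`, `# getsched for syslog-ng`), so the two new permissions should get a matching `# getcap/setcap for syslog-ng` line; without it the next reader cannot tell which daemon requires them.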


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2013-11-17 17:26 Sven Vermeulen
From: Sven Vermeulen @ 2013-11-17 17:26 UTC
  To: gentoo-commits

commit:     7f1ae198559fb65bc814b630adba32649e62f64d
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Nov 17 17:23:07 2013 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Nov 17 17:23:07 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=7f1ae198

Has been merged, so can be removed from distro-specific block

---
 policy/modules/system/logging.te | 1 -
 1 file changed, 1 deletion(-)

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 81f933c..455d061 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -536,7 +536,6 @@ ifdef(`distro_gentoo',`
 	# Local syslogd_t policy
 	#
 	allow syslogd_t self:capability2 block_suspend;
-	allow syslogd_t self:process { setcap getcap };
 
 	manage_dirs_pattern(syslogd_t, syslogmanaged, syslogmanaged)
 	manage_files_pattern(syslogd_t, syslogmanaged, syslogmanaged)


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2013-11-17 17:26 Sven Vermeulen
From: Sven Vermeulen @ 2013-11-17 17:26 UTC
  To: gentoo-commits

commit:     f6c2a44112d0dabb705795a2e77a774f0aef7fa3
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Wed Nov 13 14:26:38 2013 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Nov 17 17:20:19 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f6c2a441

Add comments about new capabilities for syslogd_t.

---
 policy/modules/system/logging.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 650cef1..ff33e43 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -361,6 +361,7 @@ dontaudit syslogd_t self:capability sys_tty_config;
 # setrlimit for syslog-ng
 # getsched for syslog-ng
 # setsched for rsyslog
+# getcap/setcap for syslog-ng
 allow syslogd_t self:process { getcap setcap signal_perms setpgid setrlimit getsched setsched };
 # receive messages to be logged
 allow syslogd_t self:unix_dgram_socket create_socket_perms;


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2013-11-17 17:26 Sven Vermeulen
From: Sven Vermeulen @ 2013-11-17 17:26 UTC
  To: gentoo-commits

commit:     40fd9c9a69b12d34bb2a2391e8961c347a20c497
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Wed Nov 13 14:27:21 2013 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Nov 17 17:20:21 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=40fd9c9a

Module version bumps for syslog-ng and semodule updates.

---
 policy/modules/system/logging.te     | 2 +-
 policy/modules/system/selinuxutil.te | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index ff33e43..81f933c 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -1,4 +1,4 @@
-policy_module(logging, 1.20.1)
+policy_module(logging, 1.20.2)
 
 ########################################
 #

diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 5e7df70..aeeb491 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -1,4 +1,4 @@
-policy_module(selinuxutil, 1.17.2)
+policy_module(selinuxutil, 1.17.3)
 
 gen_require(`
 	bool secure_mode;


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2013-12-06 17:33 Sven Vermeulen
From: Sven Vermeulen @ 2013-12-06 17:33 UTC
  To: gentoo-commits

commit:     92185963a6e43bb8cd706466a0ad736e8bc71cba
Author:     Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Sat Nov  9 09:44:55 2013 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Dec  6 17:30:02 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=92185963

fstools: hdparm append (what seems inherited from devicekit) /var/log/pm-powersave.log
fstools: hdparm reads /run/pm-utils/locks/pm-powersave.lock

Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>

---
 policy/modules/system/fstools.te | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index 3f48d30..a912d3d 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -166,6 +166,11 @@ optional_policy(`
 ')
 
 optional_policy(`
+	devicekit_read_pid_files(fsadm_t)
+	devicekit_append_inherited_log_files(fsadm_t)
+')
+
+optional_policy(`
 	hal_dontaudit_write_log(fsadm_t)
 ')
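Review bot: the commit message says hdparm reads /run/pm-utils/locks/pm-powersave.lock and appends to /var/log/pm-powersave.log, but the rules use devicekit_read_pid_files(fsadm_t) and devicekit_append_inherited_log_files(fsadm_t); that is only correct if the devicekit module labels those pm-utils paths. A one-line comment naming the paths inside the optional_policy block would make the dependency checkable, and the inherited-append variant is the right narrow choice for a log descriptor handed down from the parent.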
 


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2013-12-06 17:33 Sven Vermeulen
From: Sven Vermeulen @ 2013-12-06 17:33 UTC
  To: gentoo-commits

commit:     6ec08448ea21b00f150e720286ddf90407f10aee
Author:     Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Sat Nov  9 09:45:03 2013 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Dec  6 17:30:09 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=6ec08448

sysnetwork: dhclient searches /var/lib/ntp

Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>

---
 policy/modules/system/sysnetwork.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 9613897..cde5324 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -221,6 +221,7 @@ optional_policy(`
 
 optional_policy(`
 	ntp_initrc_domtrans(dhcpc_t)
+	ntp_read_drift_files(dhcpc_t)
 ')
 
 optional_policy(`
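Review bot: the commit message says dhclient searches /var/lib/ntp, but ntp_read_drift_files(dhcpc_t) grants read on the drift files, which is more than a directory search; if only traversal was denied, a search-only interface (or a dontaudit, if the access is incidental) is the narrower fix.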


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2013-12-06 17:33 Sven Vermeulen
From: Sven Vermeulen @ 2013-12-06 17:33 UTC
  To: gentoo-commits

commit:     c50f5c45160fd4d53ed545a8610ca58b266e5a94
Author:     Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Sat Nov  9 09:44:56 2013 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Dec  6 17:30:05 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=c50f5c45

sysnetwork: dhcpc: networkmanager interface calls from Fedora. In Debian I was able to confirm the need for networkmanager_manage_lib_files(dhcpc_t) since dhclient reads /var/lib/NetworkManager/dhclient-eth0.conf

Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>

---
 policy/modules/system/sysnetwork.te | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index f19fb4b..9613897 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -203,6 +203,13 @@ optional_policy(`
 ')
 
 optional_policy(`
+	networkmanager_domtrans(dhcpc_t)
+	networkmanager_read_pid_files(dhcpc_t)
+	networkmanager_manage_lib_files(dhcpc_t)
+	networkmanager_stream_connect(dhcpc_t)
+')
+
+optional_policy(`
 	nis_read_ypbind_pid(dhcpc_t)
 ')
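Review bot: networkmanager_domtrans(dhcpc_t) lets the DHCP client execute NetworkManager and transition into its domain, a large grant for a client daemon, and the commit message confirms only the read of /var/lib/NetworkManager/dhclient-eth0.conf. For that read a read-only lib-files interface, if the networkmanager module provides one, would be tighter than networkmanager_manage_lib_files; the domtrans, pid-file read and stream connect should each carry a comment naming the Fedora behaviour they support so they can be revisited.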
 


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2013-12-06 17:33 Sven Vermeulen
From: Sven Vermeulen @ 2013-12-06 17:33 UTC
  To: gentoo-commits

commit:     5eb14ed9bd5dba41fbcaee27c9ca156d47bd90b4
Author:     Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Sat Nov  9 09:44:44 2013 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Dec  6 17:30:56 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=5eb14ed9

userdomain: add userdom_delete_user_tmpfs_files() for pulseaudio clients

Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>

---
 policy/modules/system/userdomain.if | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index be55820..dbe838c 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -2688,6 +2688,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
 
 ########################################
 ## <summary>
+##	Delete user tmpfs files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_delete_user_tmpfs_files',`
+	gen_require(`
+		type user_tmpfs_t;
+	')
+
+	delete_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
+	fs_search_tmpfs($1)
+')
+
+########################################
+## <summary>
 ##	Read user tmpfs files.
 ## </summary>
 ## <param name="domain">
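Review bot: the new interface is inserted ahead of `Read user tmpfs files`, so the delete variant now precedes the read one; keeping the read, rw, delete order the surrounding interfaces follow would make it easier to find. The grant itself is the right minimum: delete_files_pattern supplies unlink on the files and the remove_name on the parent directory that unlink needs, and fs_search_tmpfs($1) only adds traversal.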


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2013-12-06 17:33 Sven Vermeulen
From: Sven Vermeulen @ 2013-12-06 17:33 UTC
  To: gentoo-commits

commit:     7bc4fc00ec207bfb97c9baf00b87e0b03411c14d
Author:     Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Sat Nov  9 09:44:49 2013 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Dec  6 17:31:02 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=7bc4fc00

These { read write } tty_device_t chr files on boot up in Debian

Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>

---
 policy/modules/system/fstools.te    | 5 +++++
 policy/modules/system/hostname.te   | 4 ++++
 policy/modules/system/sysnetwork.te | 4 ++++
 3 files changed, 13 insertions(+)

diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index c7f82a3..4295d9c 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -149,6 +149,11 @@ seutil_read_config(fsadm_t)
 
 userdom_use_user_terminals(fsadm_t)
 
+ifdef(`distro_debian',`
+	term_dontaudit_use_unallocated_ttys(fsadm_t)
+')
+
+
 ifdef(`distro_redhat',`
 	optional_policy(`
 		unconfined_domain(fsadm_t)
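Review bot: two consecutive empty lines are added after the distro_debian block (the two `+` lines before ifdef(`distro_redhat')); a single blank line separates blocks elsewhere in this file. The dontaudit itself is the right choice: fsadm_t runs at boot with an inherited tty_device_t console, and silencing rather than allowing use of unallocated ttys keeps the fix from widening the domain.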

diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te
index 24a7889..d5d4a1c 100644
--- a/policy/modules/system/hostname.te
+++ b/policy/modules/system/hostname.te
@@ -56,6 +56,10 @@ sysnet_dontaudit_rw_dhcpc_unix_stream_sockets(hostname_t)
 sysnet_read_config(hostname_t)
 sysnet_dns_name_resolve(hostname_t)
 
+ifdef(`distro_debian',`
+	term_dontaudit_use_unallocated_ttys(hostname_t)
+')
+
 optional_policy(`
 	nis_use_ypbind(hostname_t)
 ')

diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 8bb0a25..7622852 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -329,6 +329,10 @@ sysnet_dontaudit_rw_dhcpc_udp_sockets(ifconfig_t)
 userdom_use_user_terminals(ifconfig_t)
 userdom_use_all_users_fds(ifconfig_t)
 
+ifdef(`distro_debian',`
+	term_dontaudit_use_unallocated_ttys(ifconfig_t)
+')
+
 ifdef(`distro_ubuntu',`
 	optional_policy(`
 		unconfined_domain(ifconfig_t)


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2013-12-06 17:33 Sven Vermeulen
From: Sven Vermeulen @ 2013-12-06 17:33 UTC
  To: gentoo-commits

commit:     ae706f76bd11bea48cf179ece1ba35ce676438c1
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Tue Dec  3 14:45:16 2013 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Dec  6 17:30:58 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=ae706f76

Rearrange userdom_delete_user_tmpfs_files() interface.

---
 policy/modules/system/userdomain.if | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index dbe838c..027a04f 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -2688,7 +2688,7 @@ interface(`userdom_tmp_filetrans_user_tmp',`
 
 ########################################
 ## <summary>
-##	Delete user tmpfs files.
+##	Read user tmpfs files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -2696,12 +2696,13 @@ interface(`userdom_tmp_filetrans_user_tmp',`
 ##	</summary>
 ## </param>
 #
-interface(`userdom_delete_user_tmpfs_files',`
+interface(`userdom_read_user_tmpfs_files',`
 	gen_require(`
 		type user_tmpfs_t;
 	')
 
-	delete_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
+	read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
+	allow $1 user_tmpfs_t:dir list_dir_perms;
 	fs_search_tmpfs($1)
 ')
 
@@ -2715,19 +2716,20 @@ interface(`userdom_delete_user_tmpfs_files',`
 ##	</summary>
 ## </param>
 #
-interface(`userdom_read_user_tmpfs_files',`
+interface(`userdom_rw_user_tmpfs_files',`
 	gen_require(`
 		type user_tmpfs_t;
 	')
 
-	read_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
+	rw_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
+	read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
 	allow $1 user_tmpfs_t:dir list_dir_perms;
 	fs_search_tmpfs($1)
 ')
 
 ########################################
 ## <summary>
-##	Read user tmpfs files.
+##	Delete user tmpfs files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -2735,14 +2737,12 @@ interface(`userdom_read_user_tmpfs_files',`
 ##	</summary>
 ## </param>
 #
-interface(`userdom_rw_user_tmpfs_files',`
+interface(`userdom_delete_user_tmpfs_files',`
 	gen_require(`
 		type user_tmpfs_t;
 	')
 
-	rw_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
-	read_lnk_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
-	allow $1 user_tmpfs_t:dir list_dir_perms;
+	delete_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
 	fs_search_tmpfs($1)
 ')
 
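Review bot: no access changes here: every body removed under one name in the earlier hunks reappears verbatim under the matching name (delete keeps delete_files_pattern plus fs_search_tmpfs, read keeps read_files_pattern with dir list_dir_perms, rw keeps rw_files_pattern, read_lnk_files_pattern and list_dir_perms), so the patch is a pure reordering of the three interfaces into read/rw/delete order and can be reviewed as such; the commit message should say that explicitly so nobody looks for a semantic change.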


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2013-12-06 17:33 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2013-12-06 17:33 UTC
  To: gentoo-commits

commit:     bed5d3c4a14015cc4fe8a740a2a7870bb700db02
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Tue Dec  3 14:52:21 2013 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Dec  6 17:31:00 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=bed5d3c4

setrans: needs to be able to get attributes of selinuxfs, else fails to start in Debian

Access noted by Dominick Grift.

---
 policy/modules/system/setrans.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
index ac6e607..bd4f8c4 100644
--- a/policy/modules/system/setrans.te
+++ b/policy/modules/system/setrans.te
@@ -84,7 +84,7 @@ logging_send_syslog_msg(setrans_t)
 
 miscfiles_read_localization(setrans_t)
 
-seutil_read_config(setrans_t)
+seutil_libselinux_linked(setrans_t)
 
 optional_policy(`
 	rpm_use_script_fds(setrans_t)
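Review bot: seutil_read_config(setrans_t) is replaced rather than supplemented, so the grant only holds if seutil_libselinux_linked is a superset of it; setrans still has to read its configuration under /etc/selinux (selinux_config_t) in addition to the selinuxfs getattr the commit message cites, so confirm in seutil.if that the new interface covers the config reads, otherwise one startup denial is traded for another. A short comment naming the selinuxfs getattr need would also help the next reader, because the new call's name does not say why it is there.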


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2013-12-06 17:33 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2013-12-06 17:33 UTC
  To: gentoo-commits

commit:     f26be42ab7f8d99d55ca2d0ef44c70b0ea7cc7a2
Author:     Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Sat Nov  9 09:44:51 2013 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Dec  6 17:31:05 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f26be42a

udev: udevd executable location changed

Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>

---
 policy/modules/system/udev.fc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
index dcc2a64..93800be 100644
--- a/policy/modules/system/udev.fc
+++ b/policy/modules/system/udev.fc
@@ -33,6 +33,7 @@ ifdef(`distro_redhat',`
 /var/run/udev(/.*)?	gen_context(system_u:object_r:udev_var_run_t,s0)
 
 ifdef(`distro_debian',`
+/lib/systemd/systemd-udevd	--	gen_context(system_u:object_r:udev_exec_t,s0)
 /var/run/xen-hotplug -d	gen_context(system_u:object_r:udev_var_run_t,s0)
 ')
 
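Review bot: /lib/systemd/systemd-udevd is the upstream systemd install location, not a Debian peculiarity, yet the entry is gated on distro_debian; consider moving it to the unconditional part of udev.fc so that any systemd-based build labels the daemon udev_exec_t and gets the udev_t domain transition. The `--` specifier itself is right for a regular executable file.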


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2013-12-06 17:33 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2013-12-06 17:33 UTC
  To: gentoo-commits

commit:     83fb5a8a5ea6b84fe285070d70669916aceefc4c
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Tue Dec  3 15:39:51 2013 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Dec  6 17:31:04 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=83fb5a8a

Whitespace fix in fstools.

---
 policy/modules/system/fstools.te | 1 -
 1 file changed, 1 deletion(-)

diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index 4295d9c..b204155 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -153,7 +153,6 @@ ifdef(`distro_debian',`
 	term_dontaudit_use_unallocated_ttys(fsadm_t)
 ')
 
-
 ifdef(`distro_redhat',`
 	optional_policy(`
 		unconfined_domain(fsadm_t)


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2013-12-06 17:33 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2013-12-06 17:33 UTC
  To: gentoo-commits

commit:     4b3378e60d2ede4dcd5e68a76740dffc935df4d8
Author:     Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Sat Nov  9 09:45:12 2013 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Dec  6 17:31:09 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=4b3378e6

udev: in debian udevadm is located in /bin/udevadm

Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>

---
 policy/modules/system/udev.fc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
index 93800be..447b213 100644
--- a/policy/modules/system/udev.fc
+++ b/policy/modules/system/udev.fc
@@ -12,6 +12,7 @@
 /lib/udev/udev-acl --	gen_context(system_u:object_r:udev_exec_t,s0)
 
 ifdef(`distro_debian',`
+/bin/udevadm	--	gen_context(system_u:object_r:udev_exec_t,s0)
 /lib/udev/create_static_nodes -- gen_context(system_u:object_r:udev_exec_t,s0)
 ')
 


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2013-12-06 17:33 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2013-12-06 17:33 UTC
  To: gentoo-commits

commit:     85d94fe10355cf2807a3015bb8678e391ff47be0
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Tue Dec  3 15:54:22 2013 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Dec  6 17:31:08 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=85d94fe1

Add comment in policy for lvm sysfs write.

---
 policy/modules/system/lvm.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index a022d23..7133d73 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -234,6 +234,7 @@ dev_manage_generic_symlinks(lvm_t)
 dev_relabel_generic_dev_dirs(lvm_t)
 dev_manage_generic_blk_files(lvm_t)
 # Read /sys/block. Device mapper metadata is kept there.
+# Write read_ahead_kb
 dev_rw_sysfs(lvm_t)
 # cjp: this has no effect since LVM does not
 # have lnk_file relabelto for anything else.
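Review bot: dev_rw_sysfs(lvm_t) grants write on every sysfs_t file, whereas the new comment justifies it with a single tunable (read_ahead_kb, found under /sys/block/<dev>/queue/); either fold the two stacked comments into one sentence that names that path and states that the broad grant is accepted, or leave a TODO to narrow it if a more specific sysfs interface becomes available. As written, the two consecutive one-line comments read as a single "Read ... Write read_ahead_kb" sentence and are easy to misread.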


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2013-12-06 17:33 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2013-12-06 17:33 UTC
  To: gentoo-commits

commit:     b1c033dde72b87ecb4ea857c3d714a49abfb88e2
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Tue Dec  3 18:03:35 2013 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Dec  6 17:31:11 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=b1c033dd

Module version bump for second lot of patches from Dominick Grift.

---
 policy/modules/system/fstools.te    | 2 +-
 policy/modules/system/hostname.te   | 2 +-
 policy/modules/system/lvm.te        | 2 +-
 policy/modules/system/setrans.te    | 2 +-
 policy/modules/system/sysnetwork.te | 2 +-
 policy/modules/system/udev.te       | 2 +-
 policy/modules/system/userdomain.te | 2 +-
 7 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index b204155..610fa40 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -1,4 +1,4 @@
-policy_module(fstools, 1.16.2)
+policy_module(fstools, 1.16.3)
 
 ########################################
 #

diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te
index d5d4a1c..6d9f4fe 100644
--- a/policy/modules/system/hostname.te
+++ b/policy/modules/system/hostname.te
@@ -1,4 +1,4 @@
-policy_module(hostname, 1.8.1)
+policy_module(hostname, 1.8.2)
 
 ########################################
 #

diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index 7133d73..a02b319 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -1,4 +1,4 @@
-policy_module(lvm, 1.15.2)
+policy_module(lvm, 1.15.3)
 
 ########################################
 #

diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
index bd4f8c4..c89a531 100644
--- a/policy/modules/system/setrans.te
+++ b/policy/modules/system/setrans.te
@@ -1,4 +1,4 @@
-policy_module(setrans, 1.8.1)
+policy_module(setrans, 1.8.2)
 
 gen_require(`
 	class context contains;

diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 7622852..021c8ca 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -1,4 +1,4 @@
-policy_module(sysnetwork, 1.15.5)
+policy_module(sysnetwork, 1.15.6)
 
 ########################################
 #

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 626ded7..2679c85 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -1,4 +1,4 @@
-policy_module(udev, 1.16.3)
+policy_module(udev, 1.16.4)
 
 ########################################
 #

diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index f4ac38d..91750c8 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -1,4 +1,4 @@
-policy_module(userdomain, 4.9.1)
+policy_module(userdomain, 4.9.2)
 
 ########################################
 #


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2013-12-06 17:33 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2013-12-06 17:33 UTC
  To: gentoo-commits

commit:     93cbdc1109d7035842b5dfd5b490191f73b361d8
Author:     Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Sat Nov  9 09:44:53 2013 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Dec  6 17:31:07 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=93cbdc11

lvm: lvm writes read_ahead_kb

Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>

---
 policy/modules/system/lvm.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index 5f2e1e4..a022d23 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -234,7 +234,7 @@ dev_manage_generic_symlinks(lvm_t)
 dev_relabel_generic_dev_dirs(lvm_t)
 dev_manage_generic_blk_files(lvm_t)
 # Read /sys/block. Device mapper metadata is kept there.
-dev_read_sysfs(lvm_t)
+dev_rw_sysfs(lvm_t)
 # cjp: this has no effect since LVM does not
 # have lnk_file relabelto for anything else.
 # perhaps this should be blk_files?
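Review bot: the comment above the changed line still says only "Read /sys/block" while the call goes from dev_read_sysfs to dev_rw_sysfs; the comment should be updated in the same commit (the separate "Add comment in policy for lvm sysfs write" commit on this page does it afterwards) so that the rule and its justification do not drift apart. It is also worth noting in the message that this is a widening for every lvm_t invocation, not only the read_ahead_kb case named in the title.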


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2013-12-06 17:33 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2013-12-06 17:33 UTC
  To: gentoo-commits

commit:     4929259123b905a9d2d131e56f52683cce3d4759
Author:     Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Sat Nov  9 09:44:57 2013 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Dec  6 17:31:16 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=49292591

iptables: calls to firewalld interfaces from Fedora. The firewalld_dontaudit_rw_tmp_files(iptables_t) was confirmed on Debian.

Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>

---
 policy/modules/system/iptables.te | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
index be8ed1e..63eb287 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -49,6 +49,7 @@ allow iptables_t iptables_tmp_t:dir manage_dir_perms;
 allow iptables_t iptables_tmp_t:file manage_file_perms;
 files_tmp_filetrans(iptables_t, iptables_tmp_t, { file dir })
 
+kernel_getattr_proc(iptables_t)
 kernel_request_load_module(iptables_t)
 kernel_read_system_state(iptables_t)
 kernel_read_network_state(iptables_t)
@@ -105,6 +106,11 @@ optional_policy(`
 ')
 
 optional_policy(`
+	firewalld_read_config_files(iptables_t)
+	firewalld_dontaudit_rw_tmp_files(iptables_t)
+')
+
+optional_policy(`
 	firstboot_use_fds(iptables_t)
 	firstboot_rw_pipes(iptables_t)
 ')
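Review bot: firewalld_dontaudit_rw_tmp_files(iptables_t) silences read/write denials on firewalld's tmp files without recording why; the commit message says the access was observed on Debian, which suggests iptables inherits an open descriptor when firewalld runs it. Put that reason in a comment beside the dontaudit (and, if it really is an inherited descriptor, check whether a grant that describes inherited-fd use states the need more precisely than hiding the denial), so a later audit of dontaudit rules does not have to dig through history. Placing the new optional_policy block before the firstboot one keeps the file's alphabetical order.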


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2013-12-06 17:33 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2013-12-06 17:33 UTC
  To: gentoo-commits

commit:     f442694d6636902e6641eb95412451cda0d49411
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Fri Dec  6 13:37:09 2013 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Dec  6 17:31:21 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f442694d

Whitespace fix in libraries.

---
 policy/modules/system/libraries.fc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
index b019baf..18398f5 100644
--- a/policy/modules/system/libraries.fc
+++ b/policy/modules/system/libraries.fc
@@ -119,7 +119,7 @@ ifdef(`distro_redhat',`
 /usr/(.*/)?nvidia/.+\.so(\..*)?		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
 ifdef(`distro_debian',`
-/usr/(.*/)?dh-python/dh_pypy	--	gen_context(system_u:object_r:lib_t,s0)
+/usr/(.*/)?dh-python/dh_pypy		--	gen_context(system_u:object_r:lib_t,s0)
 ')
 
 /usr/lib/altivec/libavcodec\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2013-12-06 17:33 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2013-12-06 17:33 UTC
  To: gentoo-commits

commit:     fc5282ecf2653a41bd13915c0b769f43291e1ab4
Author:     Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Sat Nov  9 09:45:08 2013 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Dec  6 17:31:18 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=fc5282ec

libraries: for now I can only confirm mmap, might need to be changed to bin_t later if it turns out to need execute_no_trans

Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>

---
 policy/modules/system/libraries.fc | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
index f9f8c2f..b019baf 100644
--- a/policy/modules/system/libraries.fc
+++ b/policy/modules/system/libraries.fc
@@ -118,6 +118,10 @@ ifdef(`distro_redhat',`
 
 /usr/(.*/)?nvidia/.+\.so(\..*)?		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
+ifdef(`distro_debian',`
+/usr/(.*/)?dh-python/dh_pypy	--	gen_context(system_u:object_r:lib_t,s0)
+')
+
 /usr/lib/altivec/libavcodec\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/cedega/.+\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/dovecot/(.*/)?lib.*\.so.*      --      gen_context(system_u:object_r:lib_t,s0)
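Review bot: the entry labels /usr/(.*/)?dh-python/dh_pypy as lib_t on the strength of one observed mmap, and lib_t is the type domains are allowed to map and execute as shared library code; if dh_pypy is in fact a script run by the dh_python tooling, the observed access will later include execute_no_trans and the correct type is bin_t, as the commit message itself anticipates. Carry that caveat into the .fc file as a comment above the entry so the provisional labelling is visible in the tree and not only in the log. The `(.*/)?` prefix also matches any depth under /usr, which is broader than the one real path; narrow it once the location is confirmed.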


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2013-12-06 17:48 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2013-12-06 17:48 UTC
  To: gentoo-commits

commit:     f7ac53bc7bf3d18bc929e9e1d19b11b692f948a8
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Dec  6 17:46:52 2013 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Dec  6 17:46:52 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f7ac53bc

Move gentoo specific to lower part

---
 policy/modules/system/unconfined.te | 27 +++++++++++++++------------
 1 file changed, 15 insertions(+), 12 deletions(-)

diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index 3dd0858..d6dcf37 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -72,10 +72,6 @@ optional_policy(`
 ')
 
 optional_policy(`
-	chromium_role(unconfined_r, unconfined_t)
-')
-
-optional_policy(`
 	cron_unconfined_role(unconfined_r, unconfined_t)
 ')
 
@@ -157,10 +153,6 @@ optional_policy(`
 ')
 
 optional_policy(`
-	rtorrent_role(unconfined_r, unconfined_t)
-')
-
-optional_policy(`
 	samba_run_net(unconfined_t, unconfined_r)
 	samba_run_winbind_helper(unconfined_t, unconfined_r)
 ')
@@ -198,10 +190,6 @@ optional_policy(`
 	wine_domtrans(unconfined_t)
 ')
 
-optional_policy(`
-	xserver_role(unconfined_r, unconfined_t)
-')
-
 ########################################
 #
 # Unconfined Execmem Local policy
@@ -213,3 +201,18 @@ unconfined_domain_noaudit(unconfined_execmem_t)
 optional_policy(`
 	unconfined_dbus_chat(unconfined_execmem_t)
 ')
+
+ifdef(`distro_gentoo',`
+
+	optional_policy(`
+		chromium_role(unconfined_r, unconfined_t)
+	')
+
+	optional_policy(`
+		rtorrent_role(unconfined_r, unconfined_t)
+	')
+
+	optional_policy(`
+		xserver_role(unconfined_r, unconfined_t)
+	')
+')
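Review bot: the three role blocks moved here (chromium_role, rtorrent_role, xserver_role) were unconditional before this change, so a build without distro_gentoo defined no longer grants them to unconfined_r. If any of the three was not a local Gentoo addition (xserver_role in particular is an upstream interface), gating it on distro_gentoo silently drops it from other builds; confirm against upstream before merge, or keep that one outside the ifdef. Minor: the blank line directly after ifdef(`distro_gentoo',` is not used by the other ifdef blocks in this file.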


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2013-12-06 17:48 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2013-12-06 17:48 UTC
  To: gentoo-commits

commit:     c308e6f1f5a4cf7df16bc154da2d500dfa3703c9
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Dec  6 17:45:37 2013 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Dec  6 17:45:37 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=c308e6f1

Move gentoo specifics to lower part

---
 policy/modules/system/udev.te | 66 +++++++++++++++++++++++++++----------------
 1 file changed, 41 insertions(+), 25 deletions(-)

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 2679c85..a7078c4 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -64,10 +64,7 @@ can_exec(udev_t, udev_helper_exec_t)
 # read udev config
 allow udev_t udev_etc_t:file read_file_perms;
 
-allow udev_t udev_tbl_t:dir relabelto;
-manage_dirs_pattern(udev_t, udev_tbl_t, udev_tbl_t)
-manage_files_pattern(udev_t, udev_tbl_t, udev_tbl_t)
-manage_lnk_files_pattern(udev_t, udev_tbl_t, udev_tbl_t)
+allow udev_t udev_tbl_t:file manage_file_perms;
 dev_filetrans(udev_t, udev_tbl_t, file)
 
 list_dirs_pattern(udev_t, udev_rules_t, udev_rules_t)
@@ -79,24 +76,24 @@ manage_lnk_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
 manage_sock_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
 files_pid_filetrans(udev_t, udev_var_run_t, dir, "udev")
 
-kernel_dgram_send(udev_t)
+kernel_read_system_state(udev_t)
+kernel_request_load_module(udev_t)
 kernel_getattr_core_if(udev_t)
-kernel_load_module(udev_t)
+kernel_use_fds(udev_t)
 kernel_read_device_sysctls(udev_t)
 kernel_read_hotplug_sysctls(udev_t)
-kernel_read_kernel_sysctls(udev_t)
 kernel_read_modprobe_sysctls(udev_t)
-kernel_read_network_state(udev_t)
-kernel_read_software_raid_state(udev_t)
-kernel_read_system_state(udev_t)
-kernel_request_load_module(udev_t)
+kernel_read_kernel_sysctls(udev_t)
 kernel_rw_hotplug_sysctls(udev_t)
-#https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182
-kernel_rw_net_sysctls(udev_t)
 kernel_rw_unix_dgram_sockets(udev_t)
-kernel_search_debugfs(udev_t)
+kernel_dgram_send(udev_t)
 kernel_signal(udev_t)
-kernel_use_fds(udev_t)
+kernel_search_debugfs(udev_t)
+
+#https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182
+kernel_rw_net_sysctls(udev_t)
+kernel_read_network_state(udev_t)
+kernel_read_software_raid_state(udev_t)
 
 corecmd_exec_all_executables(udev_t)
 
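Review bot: this hunk moves kernel_load_module(udev_t) into the Gentoo block and relocates the bugzilla comment together with kernel_rw_net_sysctls, which is fine, but it also reshuffles every other kernel_* call out of the alphabetical order the file had (kernel_read_system_state and kernel_request_load_module now precede kernel_getattr_core_if, kernel_use_fds precedes kernel_read_device_sysctls); that hides the real change in the diff and will produce merge noise against upstream. Keep the removal and leave the remaining lines in their original order.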
@@ -114,13 +111,12 @@ dev_manage_generic_symlinks(udev_t)
 domain_read_all_domains_state(udev_t)
 domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these
 
-files_exec_etc_files(udev_t)
-files_getattr_generic_locks(udev_t)
-files_read_etc_files(udev_t)
-files_read_etc_runtime_files(udev_t)
-files_read_kernel_modules(udev_t)
 files_read_usr_files(udev_t)
+files_read_etc_runtime_files(udev_t)
+files_read_etc_files(udev_t)
+files_exec_etc_files(udev_t)
 files_dontaudit_search_isid_type_dirs(udev_t)
+files_getattr_generic_locks(udev_t)
 files_search_mnt(udev_t)
 
 fs_getattr_all_fs(udev_t)
@@ -178,8 +174,6 @@ sysnet_etc_filetrans_config(udev_t)
 
 userdom_dontaudit_search_user_home_content(udev_t)
 
-udev_pid_filetrans_db(udev_t, dir, "data")
-
 ifdef(`distro_debian',`
 	files_pid_filetrans(udev_t, udev_var_run_t, dir, "xen-hotplug")
 
@@ -197,12 +191,9 @@ ifdef(`distro_debian',`
 ')
 
 ifdef(`distro_gentoo',`
-	allow udev_t self:capability2 block_suspend;
-
 	# during boot, init scripts use /dev/.rcsysinit
 	# existance to determine if we are in early booting
 	init_getattr_script_status_files(udev_t)
-	init_domtrans_script(udev_t)
 ')
 
 ifdef(`distro_redhat',`
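Review bot: after this hunk the file carries two separate ifdef(`distro_gentoo',` blocks, this one with init_getattr_script_status_files and its comment, and the new one at the end of the file with the rest of the local rules; since the commit's purpose is to collect the Gentoo-specific policy in one place, move the remaining getattr rule (comment included) into the bottom block too, otherwise the split defeats the point of the move.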
@@ -331,3 +322,28 @@ optional_policy(`
 optional_policy(`
 	xserver_read_xdm_pid(udev_t)
 ')
+
+ifdef(`distro_gentoo',`
+	#################################
+	#
+	# local udev_t policy
+	#
+	allow udev_t self:capability2 block_suspend;
+	allow udev_t udev_tbl_t:dir relabelto;
+
+	manage_dirs_pattern(udev_t, udev_tbl_t, udev_tbl_t)
+	manage_files_pattern(udev_t, udev_tbl_t, udev_tbl_t)
+	manage_lnk_files_pattern(udev_t, udev_tbl_t, udev_tbl_t)
+
+	kernel_load_module(udev_t)
+
+	files_read_etc_files(udev_t)
+	files_read_etc_runtime_files(udev_t)
+	files_read_kernel_modules(udev_t)
+	files_read_usr_files(udev_t)
+	files_dontaudit_search_isid_type_dirs(udev_t)
+
+	udev_pid_filetrans_db(udev_t, dir, "data")
+
+	init_domtrans_script(udev_t)
+')
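Review bot: four of the files_* calls in this block are duplicates: files_read_etc_files, files_read_etc_runtime_files, files_read_usr_files and files_dontaudit_search_isid_type_dirs are still present unconditionally in the hunk at +111 above, so only files_read_kernel_modules was actually removed from the common section and needs to appear here. Drop the four duplicates so the Gentoo block is an honest list of what is local. Separately, the common section now keeps only `allow udev_t udev_tbl_t:file manage_file_perms;` while the dir relabelto and the manage_*_pattern rules on udev_tbl_t live here; confirm that the udev_tbl_t dir relabel is genuinely Gentoo-only before it disappears from other builds.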


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2013-12-09 19:17 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2013-12-09 19:17 UTC
  To: gentoo-commits

commit:     9ab3cc62da79e999f120d447425098b3114ec168
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Mon Dec  9 19:15:06 2013 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Dec  9 19:15:06 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=9ab3cc62

Support python-exec location for semanage

The new python-exec stores the Python code in
/usr/lib/python-exec/${EPYTHON}. Luckily, it /executes/ the code rather
than loading it as a library, so we can just set the context on these
files.

---
 policy/modules/system/selinuxutil.fc | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/selinuxutil.fc b/policy/modules/system/selinuxutil.fc
index 335583d..22358d0 100644
--- a/policy/modules/system/selinuxutil.fc
+++ b/policy/modules/system/selinuxutil.fc
@@ -56,4 +56,6 @@
 ifdef(`distro_gentoo',`
 # Support for gentoo python switcheridoo
 /usr/sbin/semanage-python.*	--	gen_context(system_u:object_r:semanage_exec_t,s0)
+# Even more python switcheridoo, different this time
+/usr/lib/python-exec/python.*/semanage	--	gen_context(system_u:object_r:semanage_exec_t,s0)
 ')
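Review bot: the new regex uses `python.*`, and `.*` also matches `/`, so `/usr/lib/python-exec/python.*/semanage` labels a file named semanage at any depth below python-exec (for example .../python2.7/anything/semanage), not only one interpreter directory down; the usual .fc idiom for a single path component is `[^/]*` (compare the `(\.[^/]*)*` entries in libraries.fc on this page), so `python[^/]*` is the consistent and tighter form. The existing `semanage-python.*` entry above it has the same trailing `.*`, harmless there only because it sits at the end of the path.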


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2013-12-12 12:37 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2013-12-12 12:37 UTC
  To: gentoo-commits

commit:     1355c5f867cd67729ec78f0d86ffc09e63b426b7
Author:     Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Sat Nov  9 09:45:01 2013 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Dec 12 12:35:06 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=1355c5f8

init: for a specified automatic role transition to work, the source role must be allowed to change manually to the target role

Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>

---
 policy/modules/system/init.if | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 06780d5..3b788c2 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -990,6 +990,8 @@ interface(`init_run_daemon',`
 	')
 
 	typeattribute $1 direct_run_init;
+
+	allow $2 system_r;
 	role_transition $2 direct_init_entry system_r;
 ')
 
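Review bot: `allow $2 system_r;` widens the interface: $2 can now change role to system_r manually for any type system_r is authorised for, whereas before only the automatic role_transition on direct_init_entry applied. That is what the kernel requires for the role_transition to take effect, as the message says, but the interface documentation above this hunk should state the manual role allow as well, since callers of init_run_daemon now grant more than the summary describes.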


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2013-12-12 12:37 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2013-12-12 12:37 UTC
  To: gentoo-commits

commit:     4b165d676eb341f3b88a0d0c1692ec7b2b6cf355
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Tue Dec 10 14:55:56 2013 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Dec 12 12:35:10 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=4b165d67

Whitespace fix in init.te.

---
 policy/modules/system/init.te | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index c49e39e..40bb4d2 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -180,8 +180,8 @@ seutil_read_config(init_t)
 miscfiles_read_localization(init_t)
 
 ifdef(`distro_debian',`
-fs_tmpfs_filetrans(init_t, initctl_t, fifo, "initctl")
-fs_tmpfs_filetrans(init_t, initrc_var_run_t, file, "utmp")
+	fs_tmpfs_filetrans(init_t, initctl_t, fifo, "initctl")
+	fs_tmpfs_filetrans(init_t, initrc_var_run_t, file, "utmp")
 ')
 
 ifdef(`distro_gentoo',`


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2013-12-12 12:37 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2013-12-12 12:37 UTC
  To: gentoo-commits

commit:     be1c4a5c084687b13bc262f644e509c731bf1300
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Tue Dec 10 15:27:44 2013 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Dec 12 12:35:13 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=be1c4a5c

init: creates /run/utmp

Manually apply patch from Dominick Grift.

---
 policy/modules/system/init.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 40bb4d2..b3c3cc1 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -181,6 +181,8 @@ miscfiles_read_localization(init_t)
 
 ifdef(`distro_debian',`
 	fs_tmpfs_filetrans(init_t, initctl_t, fifo, "initctl")
+
+	allow init_t initrc_var_run_t:file manage_file_perms;
 	fs_tmpfs_filetrans(init_t, initrc_var_run_t, file, "utmp")
 ')
 
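Review bot: manage_file_perms on initrc_var_run_t lets init_t create, write, rename and unlink any initrc_var_run_t file, while the filetrans beside it names only utmp; that breadth is acceptable for init_t but should be stated in a comment (for example, that this exists for /run/utmp on Debian, where /run is already a tmpfs when init starts), so the rule is not mistaken for a stray leftover. The blank line inserted between the initctl filetrans and the utmp pair also separates rules that belong to the same Debian workaround.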


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2013-12-12 12:37 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2013-12-12 12:37 UTC
  To: gentoo-commits

commit:     06b31da4bf8d7140f78371fea0955d8ecd682a5e
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Tue Dec 10 15:26:53 2013 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Dec 12 12:35:11 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=06b31da4

init: init_script_domain() allow system_r role the init script domain type

Manually apply patch from Dominick Grift.

---
 policy/modules/system/init.if | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 3b788c2..fa19e41 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -76,6 +76,8 @@ interface(`init_script_domain',`
 	domain_type($1)
 	domain_entry_file($1, $2)
 
+	role system_r types $1;
+
 	domtrans_pattern(init_run_all_scripts_domain, $2, $1)
 ')
 
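Review bot: `role system_r types $1;` in init_script_domain means every init script domain created through this interface is automatically authorised for system_r; that is the intent, but the interface documentation should mention it, since callers that previously declared the role association themselves will now carry a harmless duplicate line and new callers no longer need one.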


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2013-12-12 12:37 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2013-12-12 12:37 UTC
  To: gentoo-commits

commit:     15cfa1529c9d666674906c6c16aec3713920a088
Author:     Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Sat Nov  9 09:45:07 2013 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Dec 12 12:35:08 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=15cfa152

init: this is a bug in debian where tmpfs is mounted on /run, and so early on in the boot process init creates /run/utmp and /run/initctl in a tmpfs directory (/) tmpfs

Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>

---
 policy/modules/system/init.te | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 4c6fd28..c49e39e 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -179,6 +179,11 @@ seutil_read_config(init_t)
 
 miscfiles_read_localization(init_t)
 
+ifdef(`distro_debian',`
+fs_tmpfs_filetrans(init_t, initctl_t, fifo, "initctl")
+fs_tmpfs_filetrans(init_t, initrc_var_run_t, file, "utmp")
+')
+
 ifdef(`distro_gentoo',`
 	allow init_t self:process { getcap setcap };
 
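Review bot: `fifo` is not a policy object class; the class for named pipes is `fifo_file`, so the first fs_tmpfs_filetrans line will not compile as written (the "Fix Debian compile issue" commit further down this page changes it to fifo_file). Also indent the two calls inside the ifdef block to match the distro_gentoo block directly below it.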


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2013-12-12 12:37 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2013-12-12 12:37 UTC
  To: gentoo-commits

commit:     f53afee185d189675cc816fa706a7cee922adc04
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Tue Dec 10 15:40:38 2013 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Dec 12 12:35:17 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f53afee1

Module version bump for 4 init patches from Dominick Grift.

---
 policy/modules/system/init.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index b3c3cc1..39ceea5 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 1.20.1)
+policy_module(init, 1.20.2)
 
 gen_require(`
 	class passwd rootok;


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2013-12-20 19:47 Sven Vermeulen
From: Sven Vermeulen @ 2013-12-20 19:47 UTC
  To: gentoo-commits

commit:     ae23fb29fd27e512168fc130c164ebbcf761859f
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Fri Dec 20 19:44:03 2013 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Dec 20 19:45:36 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=ae23fb29

Fix Debian compile issue.

---
 policy/modules/system/init.te | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 39ceea5..e69cd67 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 1.20.2)
+policy_module(init, 1.20.3)
 
 gen_require(`
 	class passwd rootok;
@@ -180,7 +180,7 @@ seutil_read_config(init_t)
 miscfiles_read_localization(init_t)
 
 ifdef(`distro_debian',`
-	fs_tmpfs_filetrans(init_t, initctl_t, fifo, "initctl")
+	fs_tmpfs_filetrans(init_t, initctl_t, fifo_file, "initctl")
 
 	allow init_t initrc_var_run_t:file manage_file_perms;
 	fs_tmpfs_filetrans(init_t, initrc_var_run_t, file, "utmp")
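Review bot: the `fifo` to `fifo_file` correction is right. The context line `allow init_t initrc_var_run_t:file manage_file_perms;` grants init_t create/unlink on every initrc_var_run_t file, which is wider than the single `utmp` file this block exists for; acceptable given init_t's privilege, but a one-line comment naming the Debian /run-on-tmpfs reason would save the next reader from having to dig up the earlier commit message.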


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2013-12-20 21:00 Sven Vermeulen
From: Sven Vermeulen @ 2013-12-20 21:00 UTC
  To: gentoo-commits

commit:     cfa0226d0e7bf3bf864763c6445a5cb6472c4f8d
Author:     Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Sat Nov  9 09:45:10 2013 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Dec 20 20:56:42 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=cfa0226d

init: exim init script runs various helper apps that create and manage /var/lib/exim4/config.autogenerated.tmp file

Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>

---
 policy/modules/system/init.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index e69cd67..a0afe45 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -449,6 +449,10 @@ ifdef(`distro_debian',`
 	storage_tmpfs_filetrans_fixed_disk(initrc_t)
 
 	files_setattr_etc_dirs(initrc_t)
+
+	optional_policy(`
+		exim_manage_var_lib_files(initrc_t)
+	')
 ')
 
 ifdef(`distro_gentoo',`
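Review bot: `exim_manage_var_lib_files(initrc_t)` gives the init script domain create/write/unlink on all exim var_lib files, while the commit message names a single file, config.autogenerated.tmp. If the exim module offers a narrower interface, or the helper apps can run in their own domain, prefer that; otherwise add a comment above the call stating which file it is for.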


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2013-12-20 21:00 Sven Vermeulen
From: Sven Vermeulen @ 2013-12-20 21:00 UTC
  To: gentoo-commits

commit:     8d901c16df968731bdffc4d2034602bdc3b44e7f
Author:     Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Mon Dec 16 16:08:18 2013 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Dec 20 20:56:48 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=8d901c16

Label /bin/fusermount like /usr/bin/fusermount

On Debian, fusermount is installed under that path

---
 policy/modules/system/mount.fc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/mount.fc b/policy/modules/system/mount.fc
index a38605e..4619000 100644
--- a/policy/modules/system/mount.fc
+++ b/policy/modules/system/mount.fc
@@ -1,3 +1,4 @@
+/bin/fusermount			--	gen_context(system_u:object_r:mount_exec_t,s0)
 /bin/mount.*			--	gen_context(system_u:object_r:mount_exec_t,s0)
 /bin/umount.*			--	gen_context(system_u:object_r:mount_exec_t,s0)
 
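Review bot: fine as a labelling fix. Since the title says the entry mirrors the existing /usr/bin/fusermount one, a single `/(usr/)?bin/fusermount -- gen_context(system_u:object_r:mount_exec_t,s0)` would avoid keeping two identical entries in sync.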


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2013-12-20 21:00 Sven Vermeulen
From: Sven Vermeulen @ 2013-12-20 21:00 UTC
  To: gentoo-commits

commit:     72efbc0af95e08b240cc27dbdcf83ace10dc2cbf
Author:     Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Sat Nov  9 09:45:11 2013 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Dec 20 20:56:44 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=72efbc0a

init: the gdomap and minissdpd init scripts read the respective environ files in /etc/default. We need to give them a private type so that we can give the gdomap_admin() and minissdpd_admin() access to it, but it seems overengineering to create private environ types for these files

Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>

---
 policy/modules/system/init.te | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index a0afe45..fc36620 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -453,6 +453,14 @@ ifdef(`distro_debian',`
 	optional_policy(`
 		exim_manage_var_lib_files(initrc_t)
 	')
+
+	optional_policy(`
+		gdomap_read_config(initrc_t)
+	')
+
+	optional_policy(`
+		minissdpd_read_config(initrc_t)
+	')
 ')
 
 ifdef(`distro_gentoo',`
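Review bot: both calls depend on `gdomap_read_config` and `minissdpd_read_config` being defined in the gdomap and minissdpd modules; `optional_policy` only guards against the module not being loaded, not against the interface being absent at build time, so confirm both exist in the tree. Read-only access is the right scope for an init script reading /etc/default files.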


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2013-12-20 21:00 Sven Vermeulen
From: Sven Vermeulen @ 2013-12-20 21:00 UTC
  To: gentoo-commits

commit:     d492848e210a84f20730c54cd9a06de03e3a17a7
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Fri Dec 20 19:56:07 2013 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Dec 20 20:56:46 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=d492848e

Module version bump for 2 patches from Dominick Grift.

---
 policy/modules/system/init.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index fc36620..8bf29d5 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 1.20.3)
+policy_module(init, 1.20.4)
 
 gen_require(`
 	class passwd rootok;


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2013-12-20 21:00 Sven Vermeulen
From: Sven Vermeulen @ 2013-12-20 21:00 UTC
  To: gentoo-commits

commit:     f2379f69cf6fbb204368257cae7f06c1fa926f0b
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Fri Dec 20 20:02:24 2013 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Dec 20 20:56:49 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f2379f69

Module version bump for patch from Laurent Bigonville.

---
 policy/modules/system/mount.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index 5e939f7..a686071 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -1,4 +1,4 @@
-policy_module(mount, 1.16.2)
+policy_module(mount, 1.16.3)
 
 ########################################
 #


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2013-12-20 21:00 Sven Vermeulen
From: Sven Vermeulen @ 2013-12-20 21:00 UTC
  To: gentoo-commits

commit:     2938abacd51fc8b7f6f33bccb2d81fb86d8958e9
Author:     Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Mon Dec 16 16:08:19 2013 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Dec 20 20:56:52 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=2938abac

Allow udev to write in /etc/udev/rules.d

Udev is writing persistent rules in /etc/udev/rules.d to ensure the
network interfaces and storage devices have a persistent name.

This patch has been taken from the Fedora policy

---
 policy/modules/system/udev.te | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index a7078c4..04ca970 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -68,7 +68,8 @@ allow udev_t udev_tbl_t:file manage_file_perms;
 dev_filetrans(udev_t, udev_tbl_t, file)
 
 list_dirs_pattern(udev_t, udev_rules_t, udev_rules_t)
-read_files_pattern(udev_t, udev_rules_t, udev_rules_t)
+manage_files_pattern(udev_t, udev_rules_t, udev_rules_t)
+manage_lnk_files_pattern(udev_t, udev_rules_t, udev_rules_t)
 
 manage_dirs_pattern(udev_t, udev_var_run_t, udev_var_run_t)
 manage_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
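Review bot: `manage_files_pattern(udev_t, udev_rules_t, udev_rules_t)` lets the udev daemon rewrite every rule file it loads, not only the persistent-name rules it generates, so a compromised udev_t could edit its own rules and persist across reboots. Consider a separate type for the generated files under /etc/udev/rules.d (with a file transition on creation) and keeping the hand-written rules read-only. The `manage_lnk_files_pattern` line has no justification in the message; drop it unless udev actually creates symlinks there.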


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2013-12-20 21:00 Sven Vermeulen
From: Sven Vermeulen @ 2013-12-20 21:00 UTC
  To: gentoo-commits

commit:     cc3147d7d9742758a0e736353ce98c10f871d05d
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Fri Dec 20 20:04:52 2013 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Dec 20 20:56:54 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=cc3147d7

Module version bump for patch from Laurent Bigonville.

---
 policy/modules/system/udev.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 04ca970..19a3c8e 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -1,4 +1,4 @@
-policy_module(udev, 1.16.4)
+policy_module(udev, 1.16.5)
 
 ########################################
 #


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2013-12-29 15:24 Sven Vermeulen
From: Sven Vermeulen @ 2013-12-29 15:24 UTC
  To: gentoo-commits

commit:     a9333123e9697f2281b2d3023784e18760cad9c0
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Dec 29 15:22:48 2013 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Dec 29 15:22:48 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=a9333123

Fix bug #468878 - Allow pump DHCP client to work

---
 policy/modules/system/sysnetwork.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 021c8ca..bfd9435 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -402,4 +402,8 @@ ifdef(`distro_gentoo',`
 	# Allow dhcpc to set hostname (/proc/sys/kernel/hostname)
 	allow dhcpc_t self:capability sys_admin;
 	kernel_rw_kernel_sysctl(dhcpc_t)
+
+	# Fixes bug 468878
+	files_pid_filetrans(dhcpc_t, dhcpc_var_run_t, sock_file)
+	allow dhcpc_t self:unix_stream_socket { create_stream_socket_perms connectto };
 ')
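Review bot: `files_pid_filetrans(dhcpc_t, dhcpc_var_run_t, sock_file)` only labels the socket on creation; dhcpc_t still needs create/unlink on `dhcpc_var_run_t:sock_file`, which is not in this hunk, so confirm the base policy already grants it or add `manage_sock_files_pattern(dhcpc_t, dhcpc_var_run_t, dhcpc_var_run_t)` here. `connectto` on its own stream socket is self-only and fine. Make the comment say what the bug is (pump DHCP client, per the title) rather than only the number.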


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2014-01-18 10:29 Sven Vermeulen
From: Sven Vermeulen @ 2014-01-18 10:29 UTC
  To: gentoo-commits

commit:     8384bd6cb399474ef8b07178e4044d2b8123b09d
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Jan 12 17:57:02 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Jan 12 17:57:02 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=8384bd6c

Typo in init_daemon_run_dir call

---
 policy/modules/system/authlogin.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 4f4116e..68bc0d6 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -466,5 +466,5 @@ optional_policy(`
 ')
 
 ifdef(`distro_gentoo',`
-	init_daemon_rundir(pam_var_run_t, "sepermit")
+	init_daemon_run_dir(pam_var_run_t, "sepermit")
 ')


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2014-01-19 19:01 Sven Vermeulen
From: Sven Vermeulen @ 2014-01-19 19:01 UTC
  To: gentoo-commits

commit:     f284a7d9a477d5e167d5bdf619fd72a0ede11655
Author:     Dominick Grift <dominick.grift <AT> gmail <DOT> com>
AuthorDate: Wed Jan 15 15:04:31 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Jan 19 18:56:29 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f284a7d9

Change behavior of init_run_daemon()

Callers on init_run_daemon() role and domain transition on all
init_script_file_type to system_r and initrc_t respectively.

The old behavior of role and domain transitioning on init daemon entry
files was causing problems with programs that can be run both by system
and session.

Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>

---
 policy/modules/system/init.if | 15 ++++-----------
 policy/modules/system/init.te |  6 ------
 2 files changed, 4 insertions(+), 17 deletions(-)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index fa19e41..62a86ec 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -193,7 +193,6 @@ interface(`init_ranged_domain',`
 #
 interface(`init_daemon_domain',`
 	gen_require(`
-		attribute direct_run_init, direct_init, direct_init_entry;
 		type initrc_t;
 		role system_r;
 		attribute daemon;
@@ -218,12 +217,6 @@ interface(`init_daemon_domain',`
 	init_use_script_ptys($1)
 
 	ifdef(`direct_sysadm_daemon',`
-		domtrans_pattern(direct_run_init, $2, $1)
-		allow direct_run_init $1:process { noatsecure siginh rlimitinh };
-
-		typeattribute $1 direct_init;
-		typeattribute $2 direct_init_entry;
-
 		userdom_dontaudit_use_user_terminals($1)
 	')
 
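Review bot: after this removal the `direct_sysadm_daemon` block keeps only `userdom_dontaudit_use_user_terminals($1)`, and the `noatsecure siginh rlimitinh` allowance for the admin domain goes with the domtrans, so admin-started daemons now run with the secure-exec defaults (AT_SECURE set, signal state and rlimits reset). That is the safer default; just confirm nothing relied on inheriting them.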
@@ -987,14 +980,14 @@ interface(`init_all_labeled_script_domtrans',`
 #
 interface(`init_run_daemon',`
 	gen_require(`
-		attribute direct_run_init, direct_init, direct_init_entry;
+                attribute init_script_file_type;
 		role system_r;
 	')
 
-	typeattribute $1 direct_run_init;
-
 	allow $2 system_r;
-	role_transition $2 direct_init_entry system_r;
+
+        init_all_labeled_script_domtrans($1)
+        role_transition $2 init_script_file_type system_r;
 ')
 
 ########################################
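Review bot: the three added lines (`attribute init_script_file_type;`, `init_all_labeled_script_domtrans($1)`, `role_transition $2 init_script_file_type system_r;`) are indented with spaces while the rest of the file uses tabs; fix before merging. Semantically this widens the transition from the `direct_init_entry` set to every init_script_file_type, as the message explains; any caller of init_run_daemon now gets a domain transition to initrc_t on every labelled init script, so the interface's documentation header should say so.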

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index dce9cd0..aa97e04 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -16,12 +16,6 @@ gen_require(`
 ## </desc>
 gen_tunable(init_upstart, false)
 
-# used for direct running of init scripts
-# by admin domains
-attribute direct_run_init;
-attribute direct_init;
-attribute direct_init_entry;
-
 attribute init_script_domain_type;
 attribute init_script_file_type;
 attribute init_run_all_scripts_domain;
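Review bot: dropping `direct_run_init`, `direct_init` and `direct_init_entry` breaks any module that still lists them in a `gen_require`; grep the whole tree before merging (the follow-up bump that also touches unconfined.te suggests at least one other module referenced them).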


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2014-01-19 19:01 Sven Vermeulen
From: Sven Vermeulen @ 2014-01-19 19:01 UTC
  To: gentoo-commits

commit:     ac640c358966775ed807e0b7e978010ceac841f2
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Thu Jan 16 21:11:02 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Jan 19 18:57:03 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=ac640c35

Module version bump for direct initrc fixes from Dominick Grift.

---
 policy/modules/system/init.te       | 2 +-
 policy/modules/system/unconfined.te | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index aa97e04..8811584 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 1.20.5)
+policy_module(init, 1.20.6)
 
 gen_require(`
 	class passwd rootok;

diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index dade731..55276f0 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -1,4 +1,4 @@
-policy_module(unconfined, 3.5.2)
+policy_module(unconfined, 3.5.3)
 
 ########################################
 #


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2014-01-19 19:01 Sven Vermeulen
From: Sven Vermeulen @ 2014-01-19 19:01 UTC
  To: gentoo-commits

commit:     92861ec6bce214903cd7710c3d9fdb8b4ca087e2
Author:     Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Wed Jan 15 18:02:59 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Jan 19 19:00:43 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=92861ec6

Label /etc/selinux/([^/]*/)?modules(/.*)? as semanage_store_t

Move the filetrans_pattern out of the seutil_manage_module_store
interface as only semanage_t should be creating this directory

---
 policy/modules/system/selinuxutil.fc | 3 +--
 policy/modules/system/selinuxutil.if | 1 -
 policy/modules/system/selinuxutil.te | 2 ++
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/policy/modules/system/selinuxutil.fc b/policy/modules/system/selinuxutil.fc
index 22358d0..f37652d 100644
--- a/policy/modules/system/selinuxutil.fc
+++ b/policy/modules/system/selinuxutil.fc
@@ -9,8 +9,7 @@
 /etc/selinux/([^/]*/)?policy(/.*)?	gen_context(system_u:object_r:policy_config_t,mls_systemhigh)
 /etc/selinux/([^/]*/)?setrans\.conf --	gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
 /etc/selinux/([^/]*/)?seusers	--	gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
-/etc/selinux/([^/]*/)?modules	-d	gen_context(system_u:object_r:semanage_store_t,s0)
-/etc/selinux/([^/]*/)?modules/(active|tmp|previous)(/.*)? gen_context(system_u:object_r:semanage_store_t,s0)
+/etc/selinux/([^/]*/)?modules(/.*)?	gen_context(system_u:object_r:semanage_store_t,s0)
 /etc/selinux/([^/]*/)?modules/semanage\.read\.LOCK -- gen_context(system_u:object_r:semanage_read_lock_t,s0)
 /etc/selinux/([^/]*/)?modules/semanage\.trans\.LOCK -- gen_context(system_u:object_r:semanage_trans_lock_t,s0)
 /etc/selinux/([^/]*/)?users(/.*)? --	gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
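Review bot: the new `modules(/.*)?` pattern also matches `semanage.read.LOCK` and `semanage.trans.LOCK`; it relies on the two more specific lock-file entries below winning at match time (refpolicy's fc_sort places more specific regexes later and the last match wins), so keep them after the generic line. The old entries only covered `active`, `tmp` and `previous`, so anything else under modules/ changes type on existing systems; a `restorecon -R /etc/selinux` is needed after the policy update.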

diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
index e5ff626..bee06f4 100644
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
@@ -1044,7 +1044,6 @@ interface(`seutil_manage_module_store',`
 	manage_dirs_pattern($1, selinux_config_t, semanage_store_t)
 	manage_files_pattern($1, semanage_store_t, semanage_store_t)
 	manage_lnk_files_pattern($1, semanage_store_t, semanage_store_t)
-	filetrans_pattern($1, selinux_config_t, semanage_store_t, dir, "modules")
 ')
 
 #######################################
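Review bot: callers of `seutil_manage_module_store` other than semanage_t keep `manage_dirs_pattern($1, selinux_config_t, semanage_store_t)` and can still create `modules/` inside a selinux_config_t directory, but it will now be created as selinux_config_t (no transition) and only the new fc entry plus a restorecon fixes it up. If no other caller should create that directory, narrow the dir-create permission on selinux_config_t as well.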

diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index aeeb491..2052f00 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -450,6 +450,8 @@ allow semanage_t self:fifo_file rw_fifo_file_perms;
 
 allow semanage_t policy_config_t:file rw_file_perms;
 
+filetrans_pattern(semanage_t, selinux_config_t, semanage_store_t, dir, "modules")
+
 allow semanage_t semanage_tmp_t:dir manage_dir_perms;
 allow semanage_t semanage_tmp_t:file manage_file_perms;
 files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2014-01-19 19:01 Sven Vermeulen
From: Sven Vermeulen @ 2014-01-19 19:01 UTC
  To: gentoo-commits

commit:     fba8a70b29ae1cc3b453d157c03d7d02ffcc3c8d
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Fri Jan 17 13:54:08 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Jan 19 19:00:51 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=fba8a70b

Module version bump for module store labeling fixes from Laurent Bigonville.

---
 policy/modules/system/selinuxutil.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 2052f00..4d912bf 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -1,4 +1,4 @@
-policy_module(selinuxutil, 1.17.3)
+policy_module(selinuxutil, 1.17.4)
 
 gen_require(`
 	bool secure_mode;


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2014-01-23 20:00 Sven Vermeulen
From: Sven Vermeulen @ 2014-01-23 20:00 UTC
  To: gentoo-commits

commit:     99846a2c6f55a85393fc9297084220e4bd79d6e0
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Tue Jan 21 13:54:59 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Jan 23 19:59:30 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=99846a2c

Fix ZFS fc escaping in mount.

---
 policy/modules/system/mount.fc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/mount.fc b/policy/modules/system/mount.fc
index a5e1c6e..613ff7a 100644
--- a/policy/modules/system/mount.fc
+++ b/policy/modules/system/mount.fc
@@ -2,7 +2,7 @@
 /bin/mount.*			--	gen_context(system_u:object_r:mount_exec_t,s0)
 /bin/umount.*			--	gen_context(system_u:object_r:mount_exec_t,s0)
 
-/sbin/mount.zfs			--	gen_context(system_u:object_r:mount_exec_t,s0)
+/sbin/mount\.zfs			--	gen_context(system_u:object_r:mount_exec_t,s0)
 /sbin/zpool				--	gen_context(system_u:object_r:mount_exec_t,s0)
 /sbin/zfs				--	gen_context(system_u:object_r:mount_exec_t,s0)
 
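Review bot: correct fix; the unescaped `.` in `/sbin/mount.zfs` matched any character. The `/bin/mount.*` and `/bin/umount.*` lines above are intentional wildcards for the mount.* helper binaries, so leave them as they are. `/sbin/zpool` and `/sbin/zfs` are labelled mount_exec_t as well; worth checking whether ZFS pool administration really belongs in mount_t, which carries sys_admin and sys_rawio, or deserves its own domain.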


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2014-01-28  8:09 Sven Vermeulen
From: Sven Vermeulen @ 2014-01-28  8:09 UTC
  To: gentoo-commits

commit:     7f89194367dde12d9a96fafa5cb19ba563595cb6
Author:     Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Sat Jan 11 14:23:22 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Jan 28 08:07:05 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=7f891943

Allow unconfined users to transition to dpkg_t domain

dpkg is now using rpm_execcon()/setexecfilecon()-like function to
transition to the dpkg_script_t domain. This function will fail in
enforcing mode if the transition is not allowed.

---
 policy/modules/system/unconfined.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index 55276f0..51a2992 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -80,6 +80,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	dpkg_run(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
 	firstboot_run(unconfined_t, unconfined_r)
 ')
 
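Review bot: `dpkg_run(unconfined_t, unconfined_r)` only covers unconfined_t to dpkg_t; the failure the message describes (a setexecfilecon-style transition into dpkg_script_t) also needs dpkg_t to dpkg_script_t to be allowed in dpkg.te, so confirm that rule is already there. Alphabetical placement before `firstboot_run` matches the file's ordering.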


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2014-01-28  8:09 Sven Vermeulen
From: Sven Vermeulen @ 2014-01-28  8:09 UTC
  To: gentoo-commits

commit:     919557cb9afc97e691e2fd994ac2e41a07df7fe3
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Mon Jan 27 18:19:57 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Jan 28 08:07:29 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=919557cb

Module version bump for unconfined transition to dpkg from Laurent Bigonville.

---
 policy/modules/system/unconfined.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index 51a2992..db881b1 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -1,4 +1,4 @@
-policy_module(unconfined, 3.5.3)
+policy_module(unconfined, 3.5.4)
 
 ########################################
 #


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2014-02-01  9:56 Sven Vermeulen
From: Sven Vermeulen @ 2014-02-01  9:56 UTC
  To: gentoo-commits

commit:     729fa63b15ca169a34c8e1fd90f4237fd699c9e2
Author:     Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Wed Jan 29 21:15:44 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Feb  1 09:53:51 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=729fa63b

Add fcontext for rsyslog pidfile

---
 policy/modules/system/logging.fc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
index ab3d346..621c0c8 100644
--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
@@ -62,6 +62,7 @@ ifdef(`distro_redhat',`
 /var/run/klogd\.pid	--	gen_context(system_u:object_r:klogd_var_run_t,s0)
 /var/run/log		-s	gen_context(system_u:object_r:devlog_t,s0)
 /var/run/metalog\.pid	--	gen_context(system_u:object_r:syslogd_var_run_t,s0)
+/var/run/rsyslogd\.pid	--	gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
 /var/run/syslogd\.pid	--	gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
 /var/run/syslog-ng(.*)?	gen_context(system_u:object_r:syslogd_var_run_t,s0)
 
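Review bot: `mls_systemhigh` matches the syslogd.pid entry directly below, while metalog.pid uses s0; consistent if rsyslogd runs at the same level as syslogd, but on an MLS system a pidfile at systemhigh is unreadable to lower-level processes, so make sure whatever reads it (init scripts, logrotate) runs at a level that can.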


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2014-02-01  9:56 Sven Vermeulen
From: Sven Vermeulen @ 2014-02-01  9:56 UTC
  To: gentoo-commits

commit:     2042fa1e187d22ce638f719cc16ac4558f15e621
Author:     Chris PeBenito <pebenito <AT> gentoo <DOT> org>
AuthorDate: Sat Feb  1 03:24:08 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Feb  1 09:54:00 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=2042fa1e

Module version bump for logging fc patch from Laurent Bigonville.

---
 policy/modules/system/logging.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 64c6667..c7c7176 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -1,4 +1,4 @@
-policy_module(logging, 1.20.3)
+policy_module(logging, 1.20.4)
 
 ########################################
 #


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2014-02-09 10:54 Sven Vermeulen
From: Sven Vermeulen @ 2014-02-09 10:54 UTC
  To: gentoo-commits

commit:     66ca50b63cc764ead95713fd5f7cf481320b340f
Author:     Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Sat Feb  1 13:50:22 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Feb  9 10:52:39 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=66ca50b6

system/mount.if: Add mount_read_mount_loopback interface

---
 policy/modules/system/mount.if | 18 ++++++++++++++++++
 policy/modules/system/mount.te |  2 +-
 2 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
index 4584457..802fd3d 100644
--- a/policy/modules/system/mount.if
+++ b/policy/modules/system/mount.if
@@ -173,3 +173,21 @@ interface(`mount_run_unconfined',`
 	mount_domtrans_unconfined($1)
 	role $2 types unconfined_mount_t;
 ')
+
+########################################
+## <summary>
+##	Read mount_loopback files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mount_read_mount_loopback',`
+	gen_require(`
+		type mount_t;
+	')
+
+	allow $1 mount_loopback_t:file read_file_perms;
+')
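Review bot: the `gen_require` names `type mount_t;` but the rule uses `mount_loopback_t`, which is never required; change it to `type mount_loopback_t;` (mount_t is unused in this interface). The summary could also say what mount_loopback files are, so callers know what they are being granted.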

diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index a5f8709..3c5fa5f 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -43,7 +43,7 @@ application_domain(unconfined_mount_t, mount_exec_t)
 # setuid/setgid needed to mount cifs
 allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid };
 
-allow mount_t mount_loopback_t:file read_file_perms;
+mount_read_mount_loopback(mount_t)
 
 allow mount_t mount_tmp_t:file manage_file_perms;
 allow mount_t mount_tmp_t:dir manage_dir_perms;
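Review bot: refpolicy convention is not to call a module's own interfaces from its own .te file; keep `allow mount_t mount_loopback_t:file read_file_perms;` here and add the new interface for external callers only.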


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2014-02-09 10:54 Sven Vermeulen
From: Sven Vermeulen @ 2014-02-09 10:54 UTC
  To: gentoo-commits

commit:     30d59932effdc3e24f87b00f90512dd59135fbb9
Author:     Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Sat Feb  1 13:50:23 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Feb  9 10:52:41 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=30d59932

Allow mount_t usage of /dev/loop-control

If loopback devices are not pregenerated (kernel option
CONFIG_BLK_DEV_LOOP_MIN_COUNT=0), mount needs to write to
/dev/loop-control to create them dynamically when needed.

---
 policy/modules/system/mount.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index 3c5fa5f..1b9030a 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -77,6 +77,7 @@ dev_list_all_dev_nodes(mount_t)
 dev_read_sysfs(mount_t)
 dev_dontaudit_write_sysfs_dirs(mount_t)
 dev_rw_lvm_control(mount_t)
+dev_rw_loop_control(mount_t)
 dev_dontaudit_getattr_all_chr_files(mount_t)
 dev_dontaudit_getattr_memory_dev(mount_t)
 dev_getattr_sound_dev(mount_t)
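Review bot: dev_rw_loop_control(mount_t) assumes the devices module already provides that interface and a label for /dev/loop-control; neither is part of this patch (only mount.te changes, and there is no policy_module version bump), so confirm the devices module in this tree ships it or the build fails on an undefined interface. For the CONFIG_BLK_DEV_LOOP_MIN_COUNT=0 case described, a test mount in permissive mode would also confirm that mount_t can reach the loop nodes the ioctl creates.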


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2014-02-17 19:55 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2014-02-17 19:55 UTC (permalink / raw
  To: gentoo-commits

commit:     f1d06af86ee44fb6cfe51177edb204ae9ce6a8d2
Author:     Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Sat Feb 15 12:07:45 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Feb 17 19:54:04 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f1d06af8

Label fatsort as fsadm_exec_t.

FATsort is a utility to sort directory entries on FAT partitions, see
http://fatsort.sourceforge.net/ . It requires direct access to the
block devices.

---
 policy/modules/system/fstools.fc | 1 +
 policy/modules/system/fstools.te | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
index 453d50c..afdc067 100644
--- a/policy/modules/system/fstools.fc
+++ b/policy/modules/system/fstools.fc
@@ -49,6 +49,7 @@
 /usr/bin/syslinux	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 
 /usr/sbin/clubufflush	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/fatsort	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/sbin/parted	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/sbin/smartctl	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 

diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index 5aff100..653d0b9 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -1,4 +1,4 @@
-policy_module(fstools, 1.16.5)
+policy_module(fstools, 1.16.6)
 
 ########################################
 #


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2014-04-08 16:02 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2014-04-08 16:02 UTC (permalink / raw
  To: gentoo-commits

commit:     bf28162c411a83bb8d14ca0b70dcc6ece418c095
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Fri Apr  4 19:53:32 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Apr  8 15:20:52 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=bf28162c

Module version bump for userdomain kernel symbol table fix from Nicolas Iooss.

---
 policy/modules/system/userdomain.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index c85e4d6..43ec88f 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -1,4 +1,4 @@
-policy_module(userdomain, 4.10.0)
+policy_module(userdomain, 4.10.1)
 
 ########################################
 #


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2014-04-08 16:02 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2014-04-08 16:02 UTC (permalink / raw
  To: gentoo-commits

commit:     1a9ac1b5f5f82b586e7879f51670b61ee93757bd
Author:     Nicolas Iooss <nicolas.iooss <AT> m4x <DOT> org>
AuthorDate: Sun Mar 23 21:20:22 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Apr  8 15:20:51 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=1a9ac1b5

userdomain: no longer allow unprivileged users to read kernel symbols

Unprivileged users don't need to read kallsyms and /boot/System.map.

This allow rule was introduced in the initial revision of userdomain.if in
2005, with commit b16c6b8c32a631a2e66265f6f60b664222760972:

    # cjp: why?
    bootloader_read_kernel_symbol_table($1_t)

---
 policy/modules/system/userdomain.if | 2 --
 1 file changed, 2 deletions(-)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 9aeac69..822e21f 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1030,8 +1030,6 @@ template(`userdom_unpriv_user_template', `
 	corenet_tcp_bind_xserver_port($1_t)
 
 	files_exec_usr_files($1_t)
-	# cjp: why?
-	files_read_kernel_symbol_table($1_t)
 
 	ifndef(`enable_mls',`
 		fs_exec_noxattr($1_t)
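Review bot: dropping files_read_kernel_symbol_table($1_t) from the unprivileged template removes read access to system_map_t, which is the label on /boot/System.map and /proc/kallsyms; that is the right direction (kernel addresses are useful to an attacker and unprivileged users have no legitimate need for them). Two small things: the module version in userdomain.te is not bumped in this commit, and the message quotes the historical bootloader_read_kernel_symbol_table name while the line actually removed is files_read_kernel_symbol_table, so a reader grepping for the quoted name will not find it.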


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2014-04-11 17:48 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2014-04-11 17:48 UTC (permalink / raw
  To: gentoo-commits

commit:     e5a9a4b6a5a10d11bd8934e6b79da7ff6d88597b
Author:     Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Fri Apr  4 20:52:54 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Apr 11 17:47:59 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=e5a9a4b6

Use new fs_getattr_all_xattr_fs interface for setfiles_t and restorecond_t

Use the new fs_getattr_all_xattr_fs() interface to allow setfiles_t and
restorecond_t domain to also get the attributes on pseudo-filesystems
that support xattr

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=740682

---
 policy/modules/system/selinuxutil.te | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 305ef69..cf0c693 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -332,7 +332,7 @@ kernel_read_system_state(restorecond_t)
 
 fs_relabelfrom_noxattr_fs(restorecond_t)
 fs_dontaudit_list_nfs(restorecond_t)
-fs_getattr_xattr_fs(restorecond_t)
+fs_getattr_all_xattr_fs(restorecond_t)
 fs_list_inotifyfs(restorecond_t)
 
 selinux_validate_context(restorecond_t)
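Review bot: fs_getattr_all_xattr_fs() has to exist in kernel/filesystem.if before this builds; the patch only touches selinuxutil.te, so the filesystem module change that introduces the interface needs to land first or in the same merge. The same dependency applies to the setfiles_t hunk below.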
@@ -564,7 +564,7 @@ files_relabel_all_files(setfiles_t)
 files_read_usr_symlinks(setfiles_t)
 files_dontaudit_read_all_symlinks(setfiles_t)
 
-fs_getattr_xattr_fs(setfiles_t)
+fs_getattr_all_xattr_fs(setfiles_t)
 fs_list_all(setfiles_t)
 fs_search_auto_mountpoints(setfiles_t)
 fs_relabelfrom_noxattr_fs(setfiles_t)


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2014-04-11 17:48 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2014-04-11 17:48 UTC (permalink / raw
  To: gentoo-commits

commit:     ac5b056e808e96202f2ece7a5cba0aa7ca95602a
Author:     Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Sat Apr  5 18:01:23 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Apr 11 17:48:04 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=ac5b056e

Label /usr/local/share/ca-certificates(/.*)? as cert_t

On Debian, this directory can contain locally trusted certificates that
will then be symlinked to /etc/ssl/certs by
update-ca-certificates(8); the files should be labelled as cert_t.

---
 policy/modules/system/miscfiles.fc | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
index 8b48030..7396629 100644
--- a/policy/modules/system/miscfiles.fc
+++ b/policy/modules/system/miscfiles.fc
@@ -39,6 +39,8 @@ ifdef(`distro_redhat',`
 
 /usr/lib/perl5/man(/.*)?	gen_context(system_u:object_r:man_t,s0)
 
+/usr/local/share/ca-certificates(/.*)?	gen_context(system_u:object_r:cert_t,s0)
+
 /usr/local/man(/.*)?		gen_context(system_u:object_r:man_t,s0)
 /usr/local/share/man(/.*)?	gen_context(system_u:object_r:man_t,s0)
 
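Review bot: the new /usr/local/share/ca-certificates entry is inserted before /usr/local/man, which breaks the sorted order the .fc file otherwise keeps; it belongs after /usr/local/share/man. The message describes this as Debian behaviour, but labelling the directory cert_t is harmless elsewhere, so keeping it unconditional rather than inside an ifdef(`distro_debian') block is fine; just fix the ordering.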


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2014-04-11 17:48 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2014-04-11 17:48 UTC (permalink / raw
  To: gentoo-commits

commit:     1d9cedc615b9f486cba8290781abfa238b3133fc
Author:     Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Sat Apr  5 18:01:22 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Apr 11 17:48:02 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=1d9cedc6

Properly label the manpages installed by postgresql

The postgresql manpages are installed under a private directory, some of
them are symlinked to the usual location.

Properly labeling them ensures that mandb can read them.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=740591

---
 policy/modules/system/miscfiles.fc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
index a5337b6..8b48030 100644
--- a/policy/modules/system/miscfiles.fc
+++ b/policy/modules/system/miscfiles.fc
@@ -52,6 +52,7 @@ ifdef(`distro_redhat',`
 /usr/share/ghostscript/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
 /usr/share/locale(/.*)?		gen_context(system_u:object_r:locale_t,s0)
 /usr/share/man(/.*)?		gen_context(system_u:object_r:man_t,s0)
+/usr/share/postgresql/[^/]*/man(/.*)?      gen_context(system_u:object_r:man_t,s0)
 /usr/share/X11/locale(/.*)?	gen_context(system_u:object_r:locale_t,s0)
 /usr/share/zoneinfo(/.*)?	gen_context(system_u:object_r:locale_t,s0)
 
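Review bot: the new /usr/share/postgresql line is aligned with spaces where every neighbouring entry uses tabs; please use tabs for consistency. The pattern itself is fine, `[^/]*` limits the match to a single version directory.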


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2014-04-21 15:25 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2014-04-21 15:25 UTC (permalink / raw
  To: gentoo-commits

commit:     1995f2924a0f45048344057c18adf4000028bfc7
Author:     Nicolas Iooss <nicolas.iooss <AT> m4x <DOT> org>
AuthorDate: Mon Apr 14 21:33:33 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Apr 21 15:19:45 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=1995f292

Label syslog-ng.pid as syslogd_var_run_t

---
 policy/modules/system/logging.fc | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
index 621c0c8..cb6eaa3 100644
--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
@@ -64,6 +64,8 @@ ifdef(`distro_redhat',`
 /var/run/metalog\.pid	--	gen_context(system_u:object_r:syslogd_var_run_t,s0)
 /var/run/rsyslogd\.pid	--	gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
 /var/run/syslogd\.pid	--	gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
+/var/run/syslog-ng.ctl	--	gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
+/var/run/syslog-ng\.pid	--	gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
 /var/run/syslog-ng(.*)?	gen_context(system_u:object_r:syslogd_var_run_t,s0)
 
 /var/spool/audit(/.*)?		gen_context(system_u:object_r:audit_spool_t,mls_systemhigh)
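Review bot: `/var/run/syslog-ng.ctl` has an unescaped dot, unlike `syslog-ng\.pid` on the next line; escape it so the entry matches only the literal filename. Note also that the existing `/var/run/syslog-ng(.*)?` catch-all already matches both files at s0, so what the two new entries actually change is the MLS level (mls_systemhigh) and the `--` regular-file restriction, and the .ctl entry is not mentioned in the commit title.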


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2014-04-21 15:25 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2014-04-21 15:25 UTC (permalink / raw
  To: gentoo-commits

commit:     5b5a0640409c1b6171831b218e8d60e95c6213ff
Author:     Nicolas Iooss <nicolas.iooss <AT> m4x <DOT> org>
AuthorDate: Mon Apr 14 21:28:00 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Apr 21 15:19:53 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=5b5a0640

Label /usr/share/virtualbox/VBoxCreateUSBNode.sh as udev_helper_exec_t

VBoxCreateUSBNode.sh creates character special files in /dev/vboxusb each time
a new USB device appears.  This script is called by udev.

audit.log on a system in permissive mode before this patch contains:

    type=AVC msg=audit(1396889711.890:175): avc:  denied  { execute } for  pid=26284 comm="systemd-udevd" name="VBoxCreateUSBNode.sh" dev="sda5" ino=5899405 scontext=system_u:system_r:udev_t tcontext=unconfined_u:object_r:usr_t tclass=file
    type=AVC msg=audit(1396889711.890:175): avc:  denied  { execute_no_trans } for  pid=26284 comm="systemd-udevd" path="/usr/share/virtualbox/VBoxCreateUSBNode.sh" dev="sda5" ino=5899405 scontext=system_u:system_r:udev_t tcontext=unconfined_u:object_r:usr_t tclass=file

---
 policy/modules/system/udev.fc | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
index 447b213..82662a1 100644
--- a/policy/modules/system/udev.fc
+++ b/policy/modules/system/udev.fc
@@ -31,6 +31,8 @@ ifdef(`distro_redhat',`
 
 /usr/lib/systemd/systemd-udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
 
+/usr/share/virtualbox/VBoxCreateUSBNode\.sh	--	gen_context(system_u:object_r:udev_helper_exec_t,s0)
+
 /var/run/udev(/.*)?	gen_context(system_u:object_r:udev_var_run_t,s0)
 
 ifdef(`distro_debian',`
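Review bot: labelling the script udev_helper_exec_t is the right fix for the quoted execute and execute_no_trans denials (udev_t runs its helpers in its own domain, so no transition is wanted), and the unconditional section is the right place since the path is not distribution-specific. One operational note for the commit message: the AVC shows the file currently carries unconfined_u:object_r:usr_t, so existing installs need a restorecon on it after the policy update before the denials go away.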


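As an added example, not part of this commit or of the refpolicy tree: the AVC records quoted above are the raw material for a labelling decision, and the usual mistake is to feed them to audit2allow and accept whatever rule it prints. The script below (written for this page) parses AVC lines into source type, target type, class and permissions, merges them per (source, target, class) the way audit2allow does, renders the resulting allow rule, and then flags rules whose target is a generic type. The first two records are the ones from the commit message; the third is constructed to show the merging. The GENERIC_TYPES set is my own illustrative heuristic, not something refpolicy defines. The point is that a rule like `allow udev_t usr_t:file { execute ... }` is a symptom, not a fix: a target of usr_t says the file is mislabelled, and the answer is a file-context entry like the hunk above.

```python
import re
from collections import defaultdict

# Sample audit records. The first two AVC lines are quoted from the commit
# message; the third AVC line and the SYSCALL line are constructed for this
# example to show permission merging and non-AVC records being skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1396889711.890:175): avc:  denied  { execute } for  pid=26284 comm="systemd-udevd" name="VBoxCreateUSBNode.sh" dev="sda5" ino=5899405 scontext=system_u:system_r:udev_t tcontext=unconfined_u:object_r:usr_t tclass=file
type=AVC msg=audit(1396889711.890:175): avc:  denied  { execute_no_trans } for  pid=26284 comm="systemd-udevd" path="/usr/share/virtualbox/VBoxCreateUSBNode.sh" dev="sda5" ino=5899405 scontext=system_u:system_r:udev_t tcontext=unconfined_u:object_r:usr_t tclass=file
type=AVC msg=audit(1396889712.001:176): avc:  denied  { read open } for  pid=26284 comm="systemd-udevd" path="/usr/share/virtualbox/VBoxCreateUSBNode.sh" dev="sda5" ino=5899405 scontext=system_u:system_r:udev_t tcontext=unconfined_u:object_r:usr_t tclass=file
type=SYSCALL msg=audit(1396889711.890:175): arch=c000003e syscall=59 success=yes exit=0
"""

# "avc:  denied  { perm perm } for  key=value key="quoted value" ..."
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Catch-all file types. A denial against one of these usually means the object
# is mislabelled and wants an .fc entry, not an allow rule. Illustrative list,
# an assumption of this example rather than anything refpolicy defines.
GENERIC_TYPES = {'usr_t', 'etc_t', 'var_t', 'var_lib_t', 'var_run_t',
                 'tmp_t', 'default_t', 'unlabeled_t'}


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    # Security contexts are user:role:type[:level]; the type is the third field.
    return {
        'result': m.group('result'),
        'perms': set(m.group('perms').split()),
        'stype': fields['scontext'].split(':')[2],
        'ttype': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
        'path': fields.get('path') or fields.get('name'),
        'comm': fields.get('comm'),
    }


def summarize_denials(log_text):
    """Merge denials into {(stype, ttype, tclass): set(perms)}, as audit2allow does."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec['result'] == 'denied':
            merged[(rec['stype'], rec['ttype'], rec['tclass'])] |= rec['perms']
    return dict(merged)


def as_allow_rules(merged):
    """Render merged denials as refpolicy-style allow rules, sorted for stable output."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        plist = ' '.join(sorted(perms))
        rules.append(f'allow {stype} {ttype}:{tclass} {{ {plist} }};')
    return rules


def relabel_candidates(merged):
    """Keys whose target type is generic: fix these with a file context, not a rule."""
    return [key for key in sorted(merged) if key[1] in GENERIC_TYPES]


if __name__ == '__main__':
    merged = summarize_denials(SAMPLE_AUDIT_LOG)
    for rule in as_allow_rules(merged):
        print(rule)
    for stype, ttype, tclass in relabel_candidates(merged):
        print(f'# {ttype} is a generic type: relabel the object instead of allowing {stype}')
```

Run stand-alone it prints the single merged rule for udev_t against usr_t and the warning that usr_t is a generic type; the same warning logic is what tells you, before touching the policy, that the right patch is the udev.fc line above rather than an allow rule in udev.te.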
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2014-04-21 15:25 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2014-04-21 15:25 UTC (permalink / raw
  To: gentoo-commits

commit:     e447b905125aba52d801af16805805fa760148ac
Author:     Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Sun Apr 13 21:46:09 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Apr 21 15:17:54 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=e447b905

Label /etc/locale.alias as locale_t on Debian

On Debian, /usr/share/locale/locale.alias is a symlink to
/etc/locale.alias, properly label this file.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=707246

---
 policy/modules/system/miscfiles.fc | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
index 7396629..58b4f5f 100644
--- a/policy/modules/system/miscfiles.fc
+++ b/policy/modules/system/miscfiles.fc
@@ -17,6 +17,10 @@ ifdef(`distro_gentoo',`
 /etc/ssl/private/(.*)?	--	gen_context(system_u:object_r:cert_t,s0)
 /etc/timezone		--	gen_context(system_u:object_r:locale_t,s0)
 
+ifdef(`distro_debian',`
+/etc/locale.alias	--	gen_context(system_u:object_r:locale_t,s0)
+')
+
 ifdef(`distro_redhat',`
 /etc/sysconfig/clock	--	gen_context(system_u:object_r:locale_t,s0)
 ')


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2014-05-01  8:49 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2014-05-01  8:49 UTC (permalink / raw
  To: gentoo-commits

commit:     fb4871d3475396c2f1ce86bab47e689fa509f99e
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu May  1 08:04:35 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu May  1 08:47:45 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=fb4871d3

Add /etc/fonts as fonts_t location

---
 policy/modules/system/miscfiles.fc | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
index 58b4f5f..f1b2103 100644
--- a/policy/modules/system/miscfiles.fc
+++ b/policy/modules/system/miscfiles.fc
@@ -104,3 +104,7 @@ ifdef(`distro_redhat',`
 ')
 
 HOME_DIR/.pki(/.*)?		gen_context(system_u:object_r:cert_home_t)
+
+ifdef(`distro_gentoo',`
+/etc/fonts(/.*)?	gen_context(system_u:object_r:fonts_t,s0)
+')
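Review bot: /etc/fonts is fontconfig's standard configuration directory on every distribution, not a Gentoo path, so the ifdef(`distro_gentoo') wrapper is unnecessary; and if it is kept, this file already has a distro_gentoo block near the top (see the hunk header), so the entry should go there rather than in a second block appended after the HOME_DIR entries. Unrelated but visible in the context: the HOME_DIR/.pki line passes no MLS level to gen_context, unlike every other entry in the file, which deserves a follow-up.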


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2014-05-16 18:43 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2014-05-16 18:43 UTC (permalink / raw
  To: gentoo-commits

commit:     c34ccf06f53106dd698fcb1569e3b5cccb78167d
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Tue May 13 12:44:26 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri May 16 18:42:55 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=c34ccf06

Module version bump for unconfined->lvm transition from Nicolas Iooss.

---
 policy/modules/system/unconfined.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index 28df819..e92c2c0 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -1,4 +1,4 @@
-policy_module(unconfined, 3.6.0)
+policy_module(unconfined, 3.6.1)
 
 ########################################
 #


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2014-05-16 18:43 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2014-05-16 18:43 UTC (permalink / raw
  To: gentoo-commits

commit:     e8f4cf7abd48e3f49d693d944cb3c60845398904
Author:     Nicolas Iooss <nicolas.iooss <AT> m4x <DOT> org>
AuthorDate: Sat May 10 14:45:24 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri May 16 18:42:54 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=e8f4cf7a

Make unconfined user run lvm programs in confined domain

When an unconfined user uses truecrypt to mount an encrypted file, dmsetup is
called to set up a new device.  This program works with udev to configure the
new device and uses SysV semaphores to synchronize states.  As udev runs
dmsetup in lvm_t domain, the first dmsetup process needs to create lvm_t
semaphores (not unconfined_t) and hence needs to run in lvm_t domain.

More details are available in the archives on the ML:
http://oss.tresys.com/pipermail/refpolicy/2014-May/007111.html

---
 policy/modules/system/unconfined.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index 9742a34..28df819 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -108,6 +108,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	lvm_run(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
 	modutils_run_update_mods(unconfined_t, unconfined_r)
 ')
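Review bot: lvm_run(unconfined_t, unconfined_r) means every binary labelled lvm_exec_t (dmsetup among them) launched by an unconfined user now runs confined in lvm_t instead of unconfined_t, so any gap in lvm_t policy becomes visible to users who were previously unconfined; the message motivates the change only with the dmsetup/truecrypt case. Please state the wider effect in the commit message and watch for lvm_t denials after merging.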
 


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2014-05-28 15:40 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2014-05-28 15:40 UTC (permalink / raw
  To: gentoo-commits

commit:     e73631f72a9944c16c84ec42e5e665e2f815fed9
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu May 22 17:59:30 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed May 28 15:38:57 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=e73631f7

ifconfig can also be in /bin

Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>

---
 policy/modules/system/sysnetwork.fc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
index 40edc18..fa7a406 100644
--- a/policy/modules/system/sysnetwork.fc
+++ b/policy/modules/system/sysnetwork.fc
@@ -2,6 +2,7 @@
 #
 # /bin
 #
+/bin/ifconfig		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
 /bin/ip			--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
 
 #


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2014-05-28 15:40 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2014-05-28 15:40 UTC (permalink / raw
  To: gentoo-commits

commit:     a5789c9300a5b068ba899c6984b786e20ed67473
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Tue May 27 13:08:12 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed May 28 15:38:59 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=a5789c93

Module version bump for ifconfig fc entry from Sven Vermeulen.

---
 policy/modules/system/sysnetwork.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 1523924..3f79de9 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -1,4 +1,4 @@
-policy_module(sysnetwork, 1.16.0)
+policy_module(sysnetwork, 1.16.1)
 
 ########################################
 #


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2014-05-30 12:51 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2014-05-30 12:51 UTC (permalink / raw
  To: gentoo-commits

commit:     37c87be77b50e083b41acd263d8f14d647cc6533
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri May 30 12:50:42 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri May 30 12:50:42 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=37c87be7

udev-acl is moved to /usr/lib/ConsoleKit

---
 policy/modules/system/udev.fc | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
index 82662a1..8d414c1 100644
--- a/policy/modules/system/udev.fc
+++ b/policy/modules/system/udev.fc
@@ -49,6 +49,8 @@ ifdef(`distro_gentoo',`
 
 /usr/bin/udevadm	--	gen_context(system_u:object_r:udev_exec_t,s0)
 
+/usr/lib/ConsoleKit/udev-acl	--	gen_context(system_u:object_r:udev_exec_t,s0)
+
 /var/run/udev/rules\.d(/.*)?	gen_context(system_u:object_r:udev_rules_t,s0)
 /var/run/udev/data(/.*)?	gen_context(system_u:object_r:udev_tbl_t,s0)
 ')
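Review bot: the message says udev-acl moved to /usr/lib/ConsoleKit, but the hunk only adds the new path and removes nothing; if the old entry (presumably under /lib/udev) is still in this file, drop it in the same commit so the .fc does not carry a stale path.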


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2014-06-07 17:48 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2014-06-07 17:48 UTC (permalink / raw
  To: gentoo-commits

commit:     2444e174c98a308ab6a27892f38028dbe4d0516b
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Jun  7 17:45:56 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Jun  7 17:45:56 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=2444e174

Fix bug #512676 - Enable create/bind on SELinux netlink socket for run_init

The run_init code calls avc_* functions, but the following failure
occurs:

~# run_init rc-service nfs status
Authenticating swift.
run_init: avc.c:74: avc_context_to_sid_raw: Assertion `avc_running' failed.
Segmentation fault

AVC denials are shown related to the netlink_selinux_socket class
(create/bind privileges) and signal (possibly to handle failure).

Allowing them has the run_init code run properly again.

---
 policy/modules/system/selinuxutil.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 2b99c9b..b4d7bc3 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -650,6 +650,10 @@ ifdef(`distro_gentoo',`
 
 	allow run_init_t self:passwd rootok;
 
+	# Fix bug #512676
+	allow run_init_t self:process signal;
+	allow run_init_t self:selinux_netlink_socket { create bind };
+
 	# Denials upon loading policy
 	fs_getattr_tmpfs(setfiles_t)
 	dev_getattr_fs(setfiles_t)
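Review bot: `selinux_netlink_socket` is not a valid object class; the class is `netlink_selinux_socket`, so this hunk fails at policy compile time (the follow-up commit 58d9b420 corrects the name). Separately, libselinux's avc code not only creates and binds this socket but reads enforcement-change notifications from it, so `{ create bind }` may need to become create_socket_perms once run_init lives long enough to poll it; worth a check in permissive mode.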


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2014-06-07 18:13 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2014-06-07 18:13 UTC (permalink / raw
  To: gentoo-commits

commit:     58d9b420e98c471fe7a2b64caf4c1db6a83a8699
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Jun  7 18:13:02 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Jun  7 18:13:02 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=58d9b420

netlink_selinux_socket, not selinux_netlink_socket

---
 policy/modules/system/selinuxutil.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index b4d7bc3..2910423 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -652,7 +652,7 @@ ifdef(`distro_gentoo',`
 
 	# Fix bug #512676
 	allow run_init_t self:process signal;
-	allow run_init_t self:selinux_netlink_socket { create bind };
+	allow run_init_t self:netlink_selinux_socket { create bind };
 
 	# Denials upon loading policy
 	fs_getattr_tmpfs(setfiles_t)


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2014-06-10 18:17 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2014-06-10 18:17 UTC (permalink / raw
  To: gentoo-commits

commit:     3246e04de8ab5526661622c066a1ca5020f4fe23
Author:     Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Wed Jun  4 12:32:28 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Jun 10 18:14:26 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=3246e04d

Allow init to execute shutdown

In many inittabs, there's a line like
"ca:12345:ctrlaltdel:/sbin/shutdown -h now" which triggers a shutdown or
a reboot on Ctrl+Alt+Del.

---
 policy/modules/system/init.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index a4a7872..2deb7e5 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -213,6 +213,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	shutdown_domtrans(init_t)
+')
+
+optional_policy(`
 	sssd_stream_connect(init_t)
 ')
 


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2014-06-22 10:34 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2014-06-22 10:34 UTC (permalink / raw
  To: gentoo-commits

commit:     a86d100c0c85eb918d6e8f7585f0f90d36fb78e3
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Jun 22 10:33:40 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Jun 22 10:33:40 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=a86d100c

Allow local_login_t to execute /etc/security/namespace.init in case of polyinstantiation

---
 policy/modules/system/locallogin.te | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
index 03c26f0..d8b56c8 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -264,3 +264,12 @@ optional_policy(`
 optional_policy(`
 	nscd_use(sulogin_t)
 ')
+
+ifdef(`distro_gentoo',`
+
+# Enable polyinstantiation of directories
+tunable_policy(`allow_polyinstantiation',`
+	# Execute /etc/security/namespace.init
+	corecmd_exec_bin(local_login_t)
+')
+')
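Review bot: corecmd_exec_bin(local_login_t) lets local_login_t execute everything labelled bin_t, far more than the /etc/security/namespace.init the comment names; gating it behind the allow_polyinstantiation tunable limits the exposure, but the comment should say the grant is broader than the script. Style: the tunable_policy block is the only content of the ifdef(`distro_gentoo') block and is not indented under it, unlike the other ifdef blocks in this tree.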


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2014-06-22 11:37 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2014-06-22 11:37 UTC (permalink / raw
  To: gentoo-commits

commit:     d8ac33569dbe35c448ff90002638c1af1212bb4e
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun Jun 22 11:33:35 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Jun 22 11:35:30 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=d8ac3356

Add file contexts for efibootmgr and gdisk

Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

---
 policy/modules/system/fstools.fc | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
index afdc067..213ceb2 100644
--- a/policy/modules/system/fstools.fc
+++ b/policy/modules/system/fstools.fc
@@ -58,4 +58,6 @@
 ifdef(`distro_gentoo',`
 /sbin/mkfs\.f2fs	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/sbin/mkfs\.f2fs	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/gdisk		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/efibootmgr	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 ')
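Review bot: the two new entries are out of alphabetical order (efibootmgr belongs before gdisk). More substantively, efibootmgr manipulates EFI boot variables through efivarfs rather than block devices, so labelling it fsadm_exec_t only helps if fsadm_t already has the efivarfs access it needs; if it does not, that rule belongs in fstools.te alongside this change.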


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2014-06-23 19:58 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2014-06-23 19:58 UTC (permalink / raw
  To: gentoo-commits

commit:     7549d67ff17abac24b2cb5569cb278b26005b752
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Mon Jun 23 19:57:24 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Jun 23 19:57:24 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=7549d67f

Adding access interface to initrc_state_t

---
 policy/modules/system/init.if | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 62a86ec..4918397 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1840,3 +1840,23 @@ interface(`init_udp_recvfrom_all_daemons',`
 	')
 	corenet_udp_recvfrom_labeled($1, daemon)
 ')
+
+## This should be behind a ifdef distro_gentoo but this is not allowed here
+
+#########################################
+## <summary>
+##	Allow reading the init script state resources
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+#
+interface(`init_read_script_status_files',`
+	gen_require(`
+		type initrc_state_t;
+	')
+
+	read_files_pattern($1, initrc_state_t, initrc_state_t)
+')
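Review bot: The line `+## This should be behind a ifdef distro_gentoo but this is not allowed here` uses the `##` doc-comment marker, so the refpolicy documentation generator will pick it up as documentation text; use a single `#` (and "a ifdef" should read "an ifdef"). Two smaller points in the same hunk: the summary says "init script state resources" while the interface name says "status files", and `read_files_pattern($1, initrc_state_t, initrc_state_t)` grants search only on initrc_state_t directories, so a caller must still be able to traverse the parent directory; the other read interfaces in this file typically include that search call, and this one should state whether the caller is expected to supply it.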



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2014-06-23 20:04 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2014-06-23 20:04 UTC (permalink / raw
  To: gentoo-commits

commit:     c962ddf5bfde6405952e9b2502af2acb0a29e49a
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Mon Jun 23 20:03:40 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Jun 23 20:03:40 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=c962ddf5

Use single comment character as it messes up the refpolicy documentation system

---
 policy/modules/system/init.if | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 4918397..4d53ebb 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1841,11 +1841,11 @@ interface(`init_udp_recvfrom_all_daemons',`
 	corenet_udp_recvfrom_labeled($1, daemon)
 ')
 
-## This should be behind a ifdef distro_gentoo but this is not allowed here
+# This should be behind an ifdef distro_gentoo but this is not allowed here
 
 #########################################
 ## <summary>
-##	Allow reading the init script state resources
+##	Allow reading the init script state files
 ## </summary>
 ## <param name="domain">
 ##	<summary>


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2014-06-25 19:06 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2014-06-25 19:06 UTC (permalink / raw
  To: gentoo-commits

commit:     185af393c476122508ba701df7bcbdcb0e4d4a68
Author:     Nicolas Iooss <nicolas.iooss <AT> m4x <DOT> org>
AuthorDate: Mon Jun  9 12:38:45 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Jun 25 18:59:11 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=185af393

Allow unconfined domains to use syslog capability

When an unconfined_t root user runs dmesg, the kernel complains with
this message in its logs (when SELinux is in enforcing mode):

  dmesg (16289): Attempt to access syslog with CAP_SYS_ADMIN but no
  CAP_SYSLOG (deprecated).

audit.log contains following AVC:

  avc:  denied  { syslog } for  pid=16289 comm="dmesg" capability=34
  scontext=unconfined_u:unconfined_r:unconfined_t
  tcontext=unconfined_u:unconfined_r:unconfined_t tclass=capability2

---
 policy/modules/system/unconfined.if | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
index 5ca20a9..2b85a6e 100644
--- a/policy/modules/system/unconfined.if
+++ b/policy/modules/system/unconfined.if
@@ -20,6 +20,7 @@ interface(`unconfined_domain_noaudit',`
 
 	# Use most Linux capabilities
 	allow $1 self:capability ~sys_module;
+	allow $1 self:capability2 syslog;
 	allow $1 self:fifo_file manage_fifo_file_perms;
 
 	# Transition to myself, to make get_ordered_context_list happy.
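Review bot: The policy_module version in unconfined.te is not bumped together with this rule change; it arrives in a separate follow-up commit, which leaves the tree inconsistent between the two. Keep the bump in the same commit. The grant itself is correctly narrow: a single `capability2 syslog` permission rather than a `~` negation like the `capability ~sys_module` line above it, which matters because capability2 also carries mac_admin and mac_override.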


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2014-06-25 19:06 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2014-06-25 19:06 UTC (permalink / raw
  To: gentoo-commits

commit:     038b148528be0bddac9bbf92b6c4d0c86163ae78
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Mon Jun  9 13:29:12 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Jun 25 18:59:12 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=038b1485

Module version bump for unconfined syslog cap from Nicolas Iooss.

---
 policy/modules/system/unconfined.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index e92c2c0..21c788a 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -1,4 +1,4 @@
-policy_module(unconfined, 3.6.1)
+policy_module(unconfined, 3.6.2)
 
 ########################################
 #


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2014-06-30 19:03 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2014-06-30 19:03 UTC (permalink / raw
  To: gentoo-commits

commit:     805b0b2bbf6125b135d8180d3a898070af812b76
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Jun 25 19:53:00 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Jun 30 18:57:58 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=805b0b2b

Support initrc_t generated pid files with file transition

For some daemons, it is the init script that is responsible for creating
the PID file of the daemon. As we do not want to update the init SELinux
policy module for each of these situations, we need to introduce an
interface that can be called by the SELinux policy module of the caller
(the daemon domain).

The initial suggestion was to transform the init_daemon_run_dir
interface, which offers a similar approach for directories in /run, into
a class-agnostic interface. Several names have been suggested, such as
init_script_spec_run_content or init_script_generic_run_filetrans_spec,
but in the end init_daemon_pid_file was used.

The interface requires the class(es) on which the file transition should
occur, like so:

  init_daemon_pid_file(xdm_var_run_t, dir, "xdm")
  init_daemon_pid_file(postgresql_var_run_t, file, "postgresql.pid")

Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>

---
 policy/modules/system/init.if | 33 +++++++++++++++++++++++++++++++++
 policy/modules/system/init.te |  6 ++++++
 2 files changed, 39 insertions(+)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 4d53ebb..e60d55e 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -158,6 +158,39 @@ interface(`init_ranged_domain',`
 
 ########################################
 ## <summary>
+##	Mark the file type as a daemon pid file, allowing initrc_t
+##	to create it
+## </summary>
+## <param name="filetype">
+##	<summary>
+##	Type to mark as a daemon pid file
+##	</summary>
+## </param>
+## <param name="class">
+##	<summary>
+##	Class on which the type is applied
+##	</summary>
+## </param>
+## <param name="filename">
+##	<summary>
+##	Filename of the file that the init script creates
+##	</summary>
+## </param>
+#
+interface(`init_daemon_pid_file',`
+	gen_require(`
+		attribute daemonpidfile;
+		type initrc_t;
+	')
+
+	typeattribute $1 daemonpidfile;
+
+	files_pid_file($1)
+	files_pid_filetrans(initrc_t, $1, $2, $3)
+')
+
+########################################
+## <summary>
 ##	Create a domain for long running processes
 ##	(daemons/services) which are started by init scripts.
 ## </summary>
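Review bot: The `<param name="class">` summary "Class on which the type is applied" does not tell a caller what to pass; it should say this is the object class, or class set, forwarded to `files_pid_filetrans` (for example `file`, `dir` or `{ file dir }`), and that `filename` is matched exactly against the name the init script creates. The commit message shows both call forms, but the interface documentation is what callers actually read.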

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 355892a..a243be6 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -23,6 +23,8 @@ attribute init_run_all_scripts_domain;
 # Mark process types as daemons
 attribute daemon;
 
+# Mark file type as a daemon pid file
+attribute daemonpidfile;
 # Mark file type as a daemon run directory
 attribute daemonrundir;
 
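Review bot: Style: a blank line is missing between `+attribute daemonpidfile;` and the following `# Mark file type as a daemon run directory` comment, so the two attribute blocks run together, unlike the spacing around `attribute daemon;` above.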
@@ -251,6 +253,10 @@ init_telinit(initrc_t)
 
 can_exec(initrc_t, init_script_file_type)
 
+create_dirs_pattern(initrc_t, daemonpidfile, daemonpidfile)
+manage_files_pattern(initrc_t, daemonpidfile, daemonpidfile)
+setattr_dirs_pattern(initrc_t, daemonpidfile, daemonpidfile)
+
 create_dirs_pattern(initrc_t, daemonrundir, daemonrundir)
 setattr_dirs_pattern(initrc_t, daemonrundir, daemonrundir)
 
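Review bot: Only `create_dirs_pattern` and `setattr_dirs_pattern` are granted for directories of type daemonpidfile, with no `manage_dirs_pattern`, so for dir-class callers (the xdm example in the commit message) initrc_t can create a run directory but not remove a stale one; nothing covers lnk_file either. State whether that is intended. A short comment above the three lines, as the surrounding blocks have, would also help.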


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2014-06-30 19:03 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2014-06-30 19:03 UTC (permalink / raw
  To: gentoo-commits

commit:     21342c022f09080d201c8661aa2ac8af893b4346
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Jun 25 19:53:01 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Jun 30 18:58:03 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=21342c02

Deprecate init_daemon_run_dir interface

With init_daemon_pid_file supporting class parameters, all calls to
init_daemon_run_dir can now be transformed into init_daemon_pid_file
calls.

Update the init_daemon_run_dir interface so it gives a warning when
used, and use the init_daemon_pid_file interface underlyingly.

Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>

---
 policy/modules/system/init.if | 5 ++---
 policy/modules/system/init.te | 2 ++
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index e60d55e..6a01568 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -464,9 +464,8 @@ interface(`init_daemon_run_dir',`
 		type initrc_t;
 	')
 
-	typeattribute $1 daemonrundir;
-
-	files_pid_filetrans(initrc_t, $1, dir, $2)
+	refpolicywarn(`$0($*) has been deprecated, use init_daemon_pid_file() instead.')
+	init_daemon_pid_file($1, dir, $2)
 ')
 
 ########################################
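Review bot: The `gen_require` block still lists `type initrc_t;` although the remaining body only calls `refpolicywarn` and `init_daemon_pid_file`, which requires initrc_t itself; trim the require to what the deprecated wrapper still uses. The `$0($*)` form in the warning matches the refpolicy deprecation convention.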

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index a243be6..4bee18e 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -26,6 +26,7 @@ attribute daemon;
 # Mark file type as a daemon pid file
 attribute daemonpidfile;
 # Mark file type as a daemon run directory
+# TODO - this attribute is deprecated and kept for a short while for compatibility
 attribute daemonrundir;
 
 #
@@ -257,6 +258,7 @@ create_dirs_pattern(initrc_t, daemonpidfile, daemonpidfile)
 manage_files_pattern(initrc_t, daemonpidfile, daemonpidfile)
 setattr_dirs_pattern(initrc_t, daemonpidfile, daemonpidfile)
 
+# TODO - this is deprecated supported for a short while for backwards compatibility
 create_dirs_pattern(initrc_t, daemonrundir, daemonrundir)
 setattr_dirs_pattern(initrc_t, daemonrundir, daemonrundir)
 
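Review bot: Grammar in the new comment: "this is deprecated supported for a short while" needs "and" ("deprecated and supported ..."). More substantively, since the `typeattribute $1 daemonrundir` line was removed from the interface, no module built from this tree adds types to daemonrundir any more, so these rules only serve modules compiled earlier; give the TODO a target version or date so the dead attribute actually gets removed.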


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2014-07-15 16:16 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2014-07-15 16:16 UTC (permalink / raw
  To: gentoo-commits

commit:     7841919ab435ccb72bb9a469eee887a827748f25
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Jul 15 16:10:33 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Jul 15 16:12:42 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=7841919a

initrc_t needs to chmod /dev nodes

In the early phase of boot, initrc_t needs to be able to correct
the perms on some nodes in /dev

Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

---
 policy/modules/system/init.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index b73bd23..88fe1de 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -941,6 +941,8 @@ ifdef(`distro_gentoo',`
 	kernel_write_proc_files(initrc_t)
 
 	dev_manage_sysfs_dirs(initrc_t)
+	# needs to chmod some devices in early boot
+	dev_setattr_generic_chr_files(initrc_t)
 
 	files_create_pid_dirs(initrc_t)
 	files_dontaudit_write_usr_dirs(initrc_t)
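Review bot: The commit message says initrc_t needs to "chmod /dev nodes", but `dev_setattr_generic_chr_files` covers only generic character devices (device_t); block devices and nodes that already carry a specific device type are not included. Confirm that only generic chr nodes are touched in early boot, and list which ones in the comment, otherwise the denials will reappear on systems where the node has been relabeled before the chmod runs.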


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2014-07-29 14:07 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2014-07-29 14:07 UTC (permalink / raw
  To: gentoo-commits

commit:     0783942ea1280c9c997e2305d835008808a490d9
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Tue Jul  8 12:53:06 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Jul 29 14:03:35 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=0783942e

Module version bump for libraries fc fix from Nicolas Iooss.

---
 policy/modules/system/libraries.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
index 6e56c05..7d6238e 100644
--- a/policy/modules/system/libraries.te
+++ b/policy/modules/system/libraries.te
@@ -1,4 +1,4 @@
-policy_module(libraries, 2.11.0)
+policy_module(libraries, 2.11.1)
 
 ########################################
 #


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2014-07-29 14:07 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2014-07-29 14:07 UTC (permalink / raw
  To: gentoo-commits

commit:     4563b7dd71222c81a270198e2915712fef53e048
Author:     Nicolas Iooss <nicolas.iooss <AT> m4x <DOT> org>
AuthorDate: Sat Jul  5 16:35:26 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Jul 29 14:03:21 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=4563b7dd

Label /lib symlink as lib_t for every distro

As in Debian, Gentoo and Arch Linux /lib may be a symlink, move its file
context definition outside of ifdef blocks.

---
 policy/modules/system/libraries.fc | 11 ++---------
 1 file changed, 2 insertions(+), 9 deletions(-)

diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
index 18398f5..85e918f 100644
--- a/policy/modules/system/libraries.fc
+++ b/policy/modules/system/libraries.fc
@@ -33,22 +33,15 @@ ifdef(`distro_redhat',`
 /etc/ppp/plugins/rp-pppoe\.so 		--	gen_context(system_u:object_r:lib_t,s0)
 
 #
-# /lib
+# /lib(64)?
 #
 /lib					-d	gen_context(system_u:object_r:lib_t,s0)
+/lib					-l	gen_context(system_u:object_r:lib_t,s0)
 /lib/.*						gen_context(system_u:object_r:lib_t,s0)
 /lib/ld-[^/]*\.so(\.[^/]*)*		--	gen_context(system_u:object_r:ld_so_t,s0)
 
 /lib/security/pam_poldi\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
-ifdef(`distro_debian',`
-/lib					-l	gen_context(system_u:object_r:lib_t,s0)
-')
-
-ifdef(`distro_gentoo',`
-/lib					-l	gen_context(system_u:object_r:lib_t,s0)
-')
-
 #
 # /opt
 #
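Review bot: The section heading changes from `# /lib` to `# /lib(64)?`, but no `/lib64` entry appears in this hunk and the new `-l` symlink entry is `/lib` only; either keep the heading as `/lib`, or, if /lib64 is a symlink on the same distributions, make the symlink entry `/lib(64)?` as well so both cases are covered by the same rule. Moving the symlink entry out of the distro ifdef blocks is otherwise the right simplification.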


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2014-07-30 10:21 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2014-07-30 10:21 UTC (permalink / raw
  To: gentoo-commits

commit:     3d7643757473b43c32cf9eb43142346b821685c6
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Jul 30 10:19:30 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Jul 30 10:19:30 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=3d764375

Reading generic user content includes listing generic user directories

---
 policy/modules/system/userdomain.if | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 7ad8e5b..6eb83e5 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -3540,6 +3540,7 @@ template(`userdom_user_content_access_template',`
 
 	tunable_policy(`$1_read_generic_user_content',`
 		userdom_list_user_tmp($2)
+		userdom_list_user_home_content($2)
 		userdom_read_user_home_content_files($2)
 		userdom_read_user_home_content_symlinks($2)
 		userdom_read_user_tmp_files($2)


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2014-07-31 15:26 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2014-07-31 15:26 UTC (permalink / raw
  To: gentoo-commits

commit:     a914ca2ed858bb02fc1513b6b318c7fb2bdcffce
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Jul 29 14:14:09 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Jul 31 15:24:46 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=a914ca2e

OpenRC 0.13 renamed some of the commands

---
 policy/modules/system/init.fc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
index 659474d..3496579 100644
--- a/policy/modules/system/init.fc
+++ b/policy/modules/system/init.fc
@@ -36,6 +36,7 @@ ifdef(`distro_gentoo', `
 
 ifdef(`distro_gentoo', `
 /sbin/rc		--	gen_context(system_u:object_r:rc_exec_t,s0)
+/sbin/openrc		--	gen_context(system_u:object_r:rc_exec_t,s0)
 ')
 
 #
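Review bot: The `--` file type qualifier matches regular files only, so if a later OpenRC release turns either `/sbin/rc` or `/sbin/openrc` into a symlink to the other, that entry silently stops matching and the binary falls back to bin_t. The commit message should name the OpenRC version that introduced /sbin/openrc and say whether /sbin/rc remains a real file, so the retained entry can be dropped at the right time.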


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2014-08-07  8:06 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2014-08-07  8:06 UTC (permalink / raw
  To: gentoo-commits

commit:     3b742fca07833a9b5f5f1d4f2566593f90f6b22f
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Aug  6 09:17:15 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Aug  6 18:08:37 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=3b742fca

Make SELinux configuration a security file type

The SELinux configuration should be considered a security-sensitive
configuration type and as such should not be made part of the
system-wide accesses towards regular files (non_auth/non_security).

---
 policy/modules/system/selinuxutil.te | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 48566a4..4d6f5d9 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -28,7 +28,7 @@ roleattribute system_r semanage_roles;
 # in the domain_type interface
 # (fix dup decl)
 type selinux_config_t;
-files_type(selinux_config_t)
+files_security_file(selinux_config_t)
 
 type checkpolicy_t, can_write_binary_policy;
 type checkpolicy_exec_t;
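Review bot: Switching selinux_config_t (and, in the following hunks, default_context_t, file_context_t and policy_config_t) from `files_type` to `files_security_file` removes these types from the non_security_file_type attribute, so any domain that reached /etc/selinux through a generic "read all non-security files" interface will now be denied and needs an explicit seutil_read_config or equivalent call. The message states the intent, which is sound, but should list which callers were checked for new denials so the change can be deployed without surprises.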
@@ -40,14 +40,14 @@ role system_r types checkpolicy_t;
 # /etc/selinux/*/contexts/*
 #
 type default_context_t;
-files_type(default_context_t)
+files_security_file(default_context_t)
 
 #
 # file_context_t is the type applied to
 # /etc/selinux/*/contexts/files
 #
 type file_context_t;
-files_type(file_context_t)
+files_security_file(file_context_t)
 
 type load_policy_t;
 type load_policy_exec_t;
@@ -67,7 +67,7 @@ role newrole_roles types newrole_t;
 # the security server policy configuration.
 #
 type policy_config_t;
-files_type(policy_config_t)
+files_security_file(policy_config_t)
 
 neverallow ~can_relabelto_binary_policy policy_config_t:file relabelto;
 #neverallow ~can_write_binary_policy policy_config_t:file { write append };


* [gentoo-commits] proj/hardened-refpolicy:testing commit in: policy/modules/system/
@ 2014-08-08 14:49 Sven Vermeulen
  2014-08-08 15:27 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
  0 siblings, 1 reply; 705+ messages in thread
From: Sven Vermeulen @ 2014-08-08 14:49 UTC (permalink / raw
  To: gentoo-commits

commit:     41fed32dfd6a3a812c252bd6facd6982b23988da
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Aug  7 15:27:49 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Aug  8 14:49:43 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=41fed32d

Introduce the tmpfiles_t domain

The tmpfiles application, as documented in [1], is used to prepare directory
structures in runtime, volatile locations (such as /var/run, /run and
perhaps even /tmp and /var/tmp).

[1] http://www.freedesktop.org/software/systemd/man/tmpfiles.d.html

The need for the tmpfiles application seems to have come forward as systemd
service files ("unit files") are not the flexible shell scripts that are
used in init scripts (/etc/rc.d/init.d/* files). Whereas these init scripts
usually did the preparation of runtime directories, the systemd service
scripts do not (well, beyond the RuntimeDirectory= directive, that is).

Instead, services are required to create a tmpfiles configuration file
inside one of the following locations, informing the tmpfiles application to
create directories and files as needed:

(a.) /usr/lib/tmpfiles.d/ (*.conf) for packaged services (default settings)
(b.) /run/tmpfiles.d/ (*.conf) for dynamically generated overrides of (a.)
(c.) /etc/tmpfiles.d/ (*.conf) for local system administration overrides
     of (a.) and (b.)

These files declare what action to perform on a specific location (such as
create a directory) and which ownership to apply (similar to the install(1)
application it seems).

Both in systemd as well as OpenRC the tmpfiles application is SELinux-aware,
(re)setting the context of the target.

Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

---
 policy/modules/system/tmpfiles.fc |   7 ++
 policy/modules/system/tmpfiles.if | 161 ++++++++++++++++++++++++++++++++++++++
 policy/modules/system/tmpfiles.te | 103 ++++++++++++++++++++++++
 3 files changed, 271 insertions(+)

diff --git a/policy/modules/system/tmpfiles.fc b/policy/modules/system/tmpfiles.fc
new file mode 100644
index 0000000..12fd30a
--- /dev/null
+++ b/policy/modules/system/tmpfiles.fc
@@ -0,0 +1,7 @@
+
+/etc/tmpfiles.d(/.*)?				gen_context(system_u:object_r:tmpfiles_conf_t,s0)
+/var/run/tmpfiles.d(/.*)?			gen_context(system_u:object_r:tmpfiles_var_run_t,s0)
+
+/lib/rc/bin/checkpath			--	gen_context(system_u:object_r:tmpfiles_exec_t,s0)
+/lib/rc/sh/tmpfiles.sh			--	gen_context(system_u:object_r:tmpfiles_exec_t,s0)
+
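Review bot: The new file starts and ends with an empty `+` line; drop both. More importantly, location (a) from the commit message, /usr/lib/tmpfiles.d, gets no file context here, so packaged configuration files will carry the generic library label rather than tmpfiles_conf_t and the tmpfiles_read_conf interface will not cover them; if that is intended (generic lib reads already suffice), say so in the message, otherwise add the entry.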

diff --git a/policy/modules/system/tmpfiles.if b/policy/modules/system/tmpfiles.if
new file mode 100644
index 0000000..09897fc
--- /dev/null
+++ b/policy/modules/system/tmpfiles.if
@@ -0,0 +1,161 @@
+## <summary>Policy for tmpfiles, a boot-time temporary file handler</summary>
+
+########################################
+## <summary>
+##	Read resources in /run/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`tmpfiles_read_var_run',`
+	gen_require(`
+		type tmpfiles_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 tmpfiles_var_run_t:dir list_dir_perms;
+	allow $1 tmpfiles_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##	Create files in /run/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`tmpfiles_create_var_run_files',`
+	gen_require(`
+		type tmpfiles_var_run_t;
+	')
+
+	create_files_pattern($1, tmpfiles_var_run_t, tmpfiles_var_run_t)
+
+	tmpfiles_read_var_run($1)
+')
+
+########################################
+## <summary>
+##	Write to files in /run/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`tmpfiles_write_var_run_files',`
+	gen_require(`
+		type tmpfiles_var_run_t;
+	')
+
+	write_files_pattern($1, tmpfiles_var_run_t, tmpfiles_var_run_t)
+
+	tmpfiles_read_var_run($1)
+')
+
+########################################
+## <summary>
+##	Manage files in /run/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`tmpfiles_manage_var_run_files',`
+	gen_require(`
+		type tmpfiles_var_run_t;
+	')
+
+	tmpfiles_read_var_run($1)
+
+	manage_files_pattern($1, tmpfiles_var_run_t, tmpfiles_var_run_t)
+')
+
+########################################
+## <summary>
+##	Read files in /etc/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`tmpfiles_read_conf',`
+	gen_require(`
+		type tmpfiles_conf_t;
+	')
+
+	files_search_etc($1)
+	allow $1 tmpfiles_conf_t:dir list_dir_perms;
+	allow $1 tmpfiles_conf_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##	Create files in /etc/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`tmpfiles_create_conf_files',`
+	gen_require(`
+		type tmpfiles_conf_t;
+	')
+
+	create_files_pattern($1, tmpfiles_conf_t, tmpfiles_conf_t)
+
+	tmpfiles_read_conf($1)
+')
+
+########################################
+## <summary>
+##	Write to files in /etc/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`tmpfiles_write_conf_files',`
+	gen_require(`
+		type tmpfiles_conf_t;
+	')
+
+	write_files_pattern($1, tmpfiles_conf_t, tmpfiles_conf_t)
+
+	tmpfiles_read_conf($1)
+')
+
+########################################
+## <summary>
+##	Manage files in /etc/tmpfiles.d/.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`tmpfiles_manage_conf_files',`
+	gen_require(`
+		type tmpfiles_conf_t;
+	')
+
+	manage_files_pattern($1, tmpfiles_conf_t, tmpfiles_conf_t)
+
+	tmpfiles_read_conf($1)
+')
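Review bot: The `<param name="domain">` summaries of `tmpfiles_read_var_run` and `tmpfiles_read_conf` read "Domain allowed to transition.", but both interfaces grant read access and no domain transition; use "Domain allowed access." as the other interfaces in this file do. The create/write/manage interfaces each pull in the matching read interface, which is consistent, but note that `tmpfiles_manage_var_run_files` and `tmpfiles_manage_conf_files` manage files only and leave directory creation to the domain's own policy.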

diff --git a/policy/modules/system/tmpfiles.te b/policy/modules/system/tmpfiles.te
new file mode 100644
index 0000000..de92477
--- /dev/null
+++ b/policy/modules/system/tmpfiles.te
@@ -0,0 +1,103 @@
+policy_module(tmpfiles, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+##      <p>
+##      Determine whether tmpfiles can manage
+##      all non-security sensitive resources.
+##	Without this, it is only allowed rights towards
+##	/run, /tmp, /dev and /var/lock.
+##      </p>
+## </desc>
+gen_tunable(tmpfiles_manage_all_non_security, false)
+
+type tmpfiles_t;
+type tmpfiles_exec_t;
+init_daemon_domain(tmpfiles_t, tmpfiles_exec_t)
+
+type tmpfiles_conf_t;
+files_config_file(tmpfiles_conf_t)
+
+type tmpfiles_var_run_t;
+files_pid_file(tmpfiles_var_run_t)
+
+
+########################################
+#
+# Local policy
+#
+
+allow tmpfiles_t self:capability { mknod chown fowner fsetid };
+allow tmpfiles_t self:process getsched;
+allow tmpfiles_t self:fifo_file rw_fifo_file_perms;
+allow tmpfiles_t self:unix_dgram_socket create_socket_perms;
+
+allow tmpfiles_t tmpfiles_exec_t:file execute_no_trans;
+
+list_dirs_pattern(tmpfiles_t, tmpfiles_conf_t, tmpfiles_conf_t)
+read_files_pattern(tmpfiles_t, tmpfiles_conf_t, tmpfiles_conf_t)
+
+manage_files_pattern(tmpfiles_t, tmpfiles_var_run_t, tmpfiles_var_run_t)
+manage_dirs_pattern(tmpfiles_t, tmpfiles_var_run_t, tmpfiles_var_run_t)
+
+corecmd_exec_bin(tmpfiles_t)
+corecmd_exec_shell(tmpfiles_t)
+
+dev_create_all_blk_files(tmpfiles_t)
+dev_create_all_chr_files(tmpfiles_t)
+dev_getattr_all_blk_files(tmpfiles_t)
+dev_getattr_generic_blk_files(tmpfiles_t)
+dev_getattr_generic_chr_files(tmpfiles_t)
+dev_relabel_all_dev_nodes(tmpfiles_t)
+dev_relabel_generic_dev_dirs(tmpfiles_t)
+dev_relabelfrom_generic_chr_files(tmpfiles_t)
+dev_setattr_all_chr_files(tmpfiles_t)
+dev_setattr_generic_dirs(tmpfiles_t)
+
+files_manage_all_pids(tmpfiles_t)
+files_manage_generic_locks(tmpfiles_t)
+files_manage_generic_tmp_dirs(tmpfiles_t)
+files_manage_generic_tmp_files(tmpfiles_t)
+files_manage_var_dirs(tmpfiles_t)
+files_manage_var_files(tmpfiles_t)
+files_relabel_all_lock_dirs(tmpfiles_t)
+files_relabel_all_pidfiles(tmpfiles_t)
+files_relabel_all_tmp_dirs(tmpfiles_t)
+files_relabel_all_tmp_files(tmpfiles_t)
+files_setattr_all_tmp_dirs(tmpfiles_t)
+files_setattr_lock_dirs(tmpfiles_t)
+files_setattr_pid_dirs(tmpfiles_t)
+
+fs_getattr_all_fs(tmpfiles_t)
+fs_getattr_tmpfs_dirs(tmpfiles_t)
+fs_manage_cgroup_files(tmpfiles_t)
+
+selinux_get_enforce_mode(tmpfiles_t)
+
+auth_use_nsswitch(tmpfiles_t)
+
+init_exec_rc(tmpfiles_t)
+
+miscfiles_read_localization(tmpfiles_t)
+
+seutil_exec_setfiles(tmpfiles_t)
+seutil_libselinux_linked(tmpfiles_t)
+seutil_read_file_contexts(tmpfiles_t)
+
+ifdef(`distro_gentoo',`
+	dev_create_generic_dirs(tmpfiles_t)
+	# Early at boot, access /dev/console and /dev/tty which is device_t due to kernel-provided devtmpfs 
+	dev_rw_generic_chr_files(tmpfiles_t)
+
+	init_relabelto_script_state(tmpfiles_t)
+')
+
+tunable_policy(`tmpfiles_manage_all_non_security',`
+	files_manage_all_non_security_file_types(tmpfiles_t)
+	files_manage_non_security_dirs(tmpfiles_t)
+	files_relabel_all_non_security_file_types(tmpfiles_t)
+')
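Review bot: The `<desc>` block mixes space-indented lines ("Determine whether tmpfiles can manage ...") with tab-indented ones ("Without this, it is only allowed ..."); pick one. The Gentoo comment line ("Early at boot, access /dev/console ...") carries trailing whitespace. On substance, the tunable hands tmpfiles_t `files_manage_all_non_security_file_types` plus `files_relabel_all_non_security_file_types`, which makes it a general-purpose relabeler for every non-security type when enabled; the default of false is right, and the `<desc>` should spell out that trade-off so an administrator flipping it understands what a malformed tmpfiles.d entry could then do.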


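The commit message above describes the three tmpfiles.d configuration locations and their override order, and the policy it introduces limits tmpfiles_t to /run, /tmp, /dev and /var/lock unless the tmpfiles_manage_all_non_security tunable is enabled. The following script is an added example (not part of the commit or of refpolicy) that applies the basename-based override precedence to a constructed configuration tree and reports which effective entries point outside those default locations, which is what an administrator would check before deciding whether the tunable is really needed. The allowed-prefix list, the sample file names and their contents are assumptions of the example.

```python
"""Audit tmpfiles.d configuration against the locations the tmpfiles_t
domain may manage without the tmpfiles_manage_all_non_security tunable.

Added example, not part of the commit or refpolicy. The configuration
tree below is constructed for the demonstration."""
import posixpath
from typing import Dict, List, NamedTuple

# Lowest to highest precedence: a file in a later directory overrides a
# file with the same basename in an earlier one (tmpfiles.d(5) semantics,
# matching locations (a), (b), (c) in the commit message).
CONF_DIRS = ("/usr/lib/tmpfiles.d", "/run/tmpfiles.d", "/etc/tmpfiles.d")

# Locations the policy's <desc> says tmpfiles_t may touch without the
# tunable. /var/run and /var/tmp are added as the aliases the commit
# message names; this mapping is an assumption of the example.
DEFAULT_ALLOWED = ("/run", "/var/run", "/tmp", "/var/tmp", "/dev", "/var/lock")


class Entry(NamedTuple):
    source: str  # configuration file the line came from
    action: str  # tmpfiles.d type field: d, f, c, L, ...
    path: str
    mode: str
    uid: str
    gid: str


def parse_conf(source: str, text: str) -> List[Entry]:
    """Parse the whitespace-separated tmpfiles.d line format
    (Type Path [Mode] [UID] [GID] [Age] [Argument]); '-' means default."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"{source}: malformed line {raw!r}")
        fields += ["-"] * (5 - len(fields))  # pad optional mode/uid/gid
        action, path, mode, uid, gid = fields[:5]
        entries.append(Entry(source, action, posixpath.normpath(path), mode, uid, gid))
    return entries


def resolve_overrides(tree: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Map each basename to the winning file path after applying precedence."""
    winners: Dict[str, str] = {}
    for conf_dir in CONF_DIRS:
        for name in tree.get(conf_dir, {}):
            winners[name] = posixpath.join(conf_dir, name)
    return winners


def is_allowed(path: str, allowed=DEFAULT_ALLOWED) -> bool:
    """True if path is one of the allowed prefixes or lies beneath one."""
    return any(path == p or path.startswith(p + "/") for p in allowed)


def audit(tree: Dict[str, Dict[str, str]]) -> List[Entry]:
    """Return the effective entries whose path would need the tunable."""
    flagged: List[Entry] = []
    for name, full in sorted(resolve_overrides(tree).items()):
        conf_dir = posixpath.dirname(full)
        for entry in parse_conf(full, tree[conf_dir][name]):
            if not is_allowed(entry.path):
                flagged.append(entry)
    return flagged


# Constructed sample tree: directory -> {basename: file contents}.
SAMPLE_TREE = {
    "/usr/lib/tmpfiles.d": {
        "example-daemon.conf": "d /run/example-daemon 0755 example example -\n",
        "legacy.conf": "# packaged default also wants a cache dir outside /run\n"
                       "d /var/cache/example 0750 example example -\n",
        "webapp.conf": "d /var/lib/webapp/sessions 0700 www www -\n",
    },
    "/run/tmpfiles.d": {
        # shape of what `kmod static-nodes --format=tmpfiles` emits
        "kmod.conf": "c /dev/fuse 0600 - - - 10:229\n",
    },
    "/etc/tmpfiles.d": {
        # local override replaces the packaged legacy.conf entirely
        "legacy.conf": "d /run/legacy 0755 root root -\n",
    },
}

if __name__ == "__main__":
    for e in audit(SAMPLE_TREE):
        print(f"{e.source}: '{e.action} {e.path}' is outside the default set; "
              "needs tmpfiles_manage_all_non_security")
```

With the sample tree only the packaged webapp.conf entry is reported: the /var/cache line in the packaged legacy.conf is masked by the local /etc override, which is exactly the precedence the commit message lists. Running the same check against a real system means reading the three directories from disk instead of the constructed dictionary.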
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2014-08-08 15:27 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2014-08-08 15:27 UTC (permalink / raw
  To: gentoo-commits

commit:     bb44da60efc9fca1377a3270f67da79aafa2b820
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Aug  8 14:42:31 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Aug  8 14:42:51 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=bb44da60

Introduce init_relabelto_script_state

---
 policy/modules/system/init.if | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 6a01568..ab4b450 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1892,3 +1892,22 @@ interface(`init_read_script_status_files',`
 
 	read_files_pattern($1, initrc_state_t, initrc_state_t)
 ')
+
+#########################################
+## <summary>
+##	Label to init script status files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+#
+interface(`init_relabelto_script_state',`
+	gen_require(`
+		type initrc_state_t;
+	')
+
+	relabelto_files_pattern($1, initrc_state_t, initrc_state_t)
+	relabelto_dirs_pattern($1, initrc_state_t, initrc_state_t)
+')
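Review bot: The summary "Label to init script status files" is ungrammatical and mismatches the interface name (`init_relabelto_script_state`); write "Relabel files and directories to the init script state type" so the generated documentation says what the two relabelto patterns do.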


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2014-08-08 15:27 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2014-08-08 15:27 UTC (permalink / raw
  To: gentoo-commits

commit:     f901a2a92def4f0c956c9ddc43bac2109a5f1348
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Aug  7 15:31:11 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Aug  8 14:49:47 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f901a2a9

Give kmod access to tmpfiles

Upon boot, the kmod application (running as insmod_t) can generate a
tmpfiles configuration file to allow tmpfiles to relabel and set the
required static device nodes for the kernel:

kmod static-nodes --format=tmpfiles --output=/run/tmpfiles.d/kmod.conf

This requires the insmod_t domain to have create/write privileges
towards the /run/tmpfiles.d location.

Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

---
 policy/modules/system/modutils.te | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index f52e72a..419b826 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -232,6 +232,11 @@ optional_policy(`
 ')
 
 optional_policy(`
+	tmpfiles_create_var_run_files(insmod_t)
+	tmpfiles_write_var_run_files(insmod_t)
+')
+
+optional_policy(`
 	unconfined_domain(insmod_t)
 	unconfined_dontaudit_rw_pipes(insmod_t)
 ')
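Review bot: the new optional_policy block carries no comment; the rationale from the commit message (kmod static-nodes writing /run/tmpfiles.d/kmod.conf at boot) belongs above `tmpfiles_create_var_run_files(insmod_t)`. Also check that the two interfaces grant search and add_name on the tmpfiles /run directory, since only create and write on files are named here and the file is created inside that directory.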


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2014-08-12 17:12 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2014-08-12 17:12 UTC (permalink / raw
  To: gentoo-commits

commit:     8091d5f27c3715d4165980bee51d7652837a97a7
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Aug 12 15:47:07 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Aug 12 15:47:07 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=8091d5f2

tmpfiles on gentoo needs a few extra perms

Currently tmpfiles.sh runs mknod, which creates device_t
and is relabelled afterwards.

---
 policy/modules/system/tmpfiles.te | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/policy/modules/system/tmpfiles.te b/policy/modules/system/tmpfiles.te
index de92477..49445de 100644
--- a/policy/modules/system/tmpfiles.te
+++ b/policy/modules/system/tmpfiles.te
@@ -32,7 +32,7 @@ files_pid_file(tmpfiles_var_run_t)
 #
 
 allow tmpfiles_t self:capability { mknod chown fowner fsetid };
-allow tmpfiles_t self:process getsched;
+allow tmpfiles_t self:process { getsched setfscreate };
 allow tmpfiles_t self:fifo_file rw_fifo_file_perms;
 allow tmpfiles_t self:unix_dgram_socket create_socket_perms;
 
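Review bot: `setfscreate` is added to `allow tmpfiles_t self:process` without a comment. It lets tmpfiles_t choose the context of files it creates, which is broader than the create-then-relabel flow the commit message describes; add a comment naming the tmpfiles.sh step that needs it so the permission can be revisited when that script changes.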
@@ -55,6 +55,7 @@ dev_getattr_generic_chr_files(tmpfiles_t)
 dev_relabel_all_dev_nodes(tmpfiles_t)
 dev_relabel_generic_dev_dirs(tmpfiles_t)
 dev_relabelfrom_generic_chr_files(tmpfiles_t)
+dev_setattr_all_blk_files(tmpfiles_t)
 dev_setattr_all_chr_files(tmpfiles_t)
 dev_setattr_generic_dirs(tmpfiles_t)
 
@@ -92,6 +93,8 @@ ifdef(`distro_gentoo',`
 	dev_create_generic_dirs(tmpfiles_t)
 	# Early at boot, access /dev/console and /dev/tty which is device_t due to kernel-provided devtmpfs 
 	dev_rw_generic_chr_files(tmpfiles_t)
+	dev_create_generic_chr_files(tmpfiles_t)
+	dev_create_generic_blk_files(tmpfiles_t)
 
 	init_relabelto_script_state(tmpfiles_t)
 ')
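Review bot: the two new `dev_create_generic_*_files(tmpfiles_t)` calls land under the comment about /dev/console and /dev/tty, which explains the rw rule, not creation; give them their own comment noting that tmpfiles.sh runs mknod, creating nodes as device_t that are relabelled afterwards. That relabel needs relabelfrom on device_t: `dev_relabelfrom_generic_chr_files` is present in the earlier hunk for character devices, confirm the block-device counterpart is covered too.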


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2014-08-13 20:02 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2014-08-13 20:02 UTC (permalink / raw
  To: gentoo-commits

commit:     b159698992463638f2fd801f987f2d8a2f1b6012
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Wed Aug 13 16:36:10 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Aug 13 16:36:10 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=b1596989

Allow dhcpc to create and manage control sockets

---
 policy/modules/system/sysnetwork.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 35ca66f..cb0922d 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -399,6 +399,9 @@ ifdef(`distro_gentoo',`
 	# Fixes bug 468874
 	allow dhcpc_t self:rawip_socket create_socket_perms;
 
+	# Allow dhcpcd to set its control sockets
+	allow dhcpc_t dhcpc_var_run_t:sock_file manage_sock_file_perms;
+
 	# Allow dhcpc to set hostname (/proc/sys/kernel/hostname)
 	allow dhcpc_t self:capability sys_admin;
 	kernel_rw_kernel_sysctl(dhcpc_t)
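Review bot: `allow dhcpc_t dhcpc_var_run_t:sock_file manage_sock_file_perms;` is a raw allow where the surrounding policy uses the pattern macros; `manage_sock_files_pattern(dhcpc_t, dhcpc_var_run_t, dhcpc_var_run_t)` would also grant the directory side (search, add_name, remove_name) that creating and removing a socket in that directory requires. The comment says "set its control sockets" while the commit title says create and manage; align the two.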


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2014-08-15 10:04 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2014-08-15 10:04 UTC (permalink / raw
  To: gentoo-commits

commit:     5248f963330c4a11ac1d737aec13afa52c5abb9f
Author:     Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Mon Aug 11 12:31:32 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Aug 15 09:57:55 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=5248f963

Some of the fsadm tools can also be in /usr/sbin instead of /sbin

Signed-off-by: Luis Ressel <aranea <AT> aixah.de>

---
 policy/modules/system/fstools.fc | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
index 213ceb2..bd4066e 100644
--- a/policy/modules/system/fstools.fc
+++ b/policy/modules/system/fstools.fc
@@ -50,7 +50,11 @@
 
 /usr/sbin/clubufflush	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/sbin/fatsort	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/fsck.*	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/mkfs.*	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/sbin/parted	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/partprobe	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/partx		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/sbin/smartctl	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 
 /var/log/fsck(/.*)?		gen_context(system_u:object_r:fsadm_log_t,s0)
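Review bot: in `/usr/sbin/fsck.*` and `/usr/sbin/mkfs.*` the dot is unescaped, so each pattern matches any name starting with fsck or mkfs (fsckfoo would get fsadm_exec_t too), not only the per-filesystem fsck.<type> helpers. If only the dotted helpers are meant, escape it as `fsck\..*` and `mkfs\..*`; if the broader match is intended, a short comment saying so avoids a later "fix".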


* [gentoo-commits] proj/hardened-refpolicy:salt commit in: policy/modules/system/
@ 2014-08-15 10:04 Sven Vermeulen
  2014-08-15 10:04 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
  0 siblings, 1 reply; 705+ messages in thread
From: Sven Vermeulen @ 2014-08-15 10:04 UTC (permalink / raw
  To: gentoo-commits

commit:     4db655ea4fcd44ce33dffd3ea7655bc824ddda90
Author:     Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Mon Aug 11 12:31:33 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Aug 15 09:57:57 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=4db655ea

Label /usr/sbin/{add, del}part as fsadm_exec_t

These are seldom-used tools from the util-linux package.

Please check if they are located in /sbin instead of /usr/sbin on other
distributions.

Signed-off-by: Luis Ressel <aranea <AT> aixah.de>

---
 policy/modules/system/fstools.fc | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
index bd4066e..aa1d594 100644
--- a/policy/modules/system/fstools.fc
+++ b/policy/modules/system/fstools.fc
@@ -48,7 +48,9 @@
 /usr/bin/scsi_unique_id	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/bin/syslinux	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 
+/usr/sbin/addpart	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/sbin/clubufflush	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/delpart	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/sbin/fatsort	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/sbin/fsck.*	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/sbin/mkfs.*	--	gen_context(system_u:object_r:fsadm_exec_t,s0)


* [gentoo-commits] proj/hardened-refpolicy:salt commit in: policy/modules/system/
@ 2014-08-15 10:04 Sven Vermeulen
  2014-08-15 10:04 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
  0 siblings, 1 reply; 705+ messages in thread
From: Sven Vermeulen @ 2014-08-15 10:04 UTC (permalink / raw
  To: gentoo-commits

commit:     bf1344dbd12c000f31219d90eef4c378ab72e91c
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Thu Aug 14 19:47:55 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Aug 15 09:57:58 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=bf1344db

Module version bump for fstools fc entries from Luis Ressel.

---
 policy/modules/system/fstools.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index b876224..5c77a4f 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -1,4 +1,4 @@
-policy_module(fstools, 1.17.0)
+policy_module(fstools, 1.17.1)
 
 ########################################
 #


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2014-08-17  9:42 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2014-08-17  9:42 UTC (permalink / raw
  To: gentoo-commits

commit:     8bb8af09473326d9b48783118f3f0694ef6b0ed0
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Aug 17 09:32:28 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Aug 17 09:32:28 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=8bb8af09

Add block_suspend to admin users

Administrative user domains often perform system tasks in their user
domain (for instance sysadm_t). These tasks should be able to
run-to-complete and should not be interrupted by suspend operations that
might be scheduled.

Tasks that use the epoll() system call might use the EPOLLWAKEUP flag to
prevent suspends while epoll events are ready. This only works if
CAP_BLOCK_SUSPEND is active (otherwise EPOLLWAKEUP is ignored).

---
 policy/modules/system/userdomain.if | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index f299e2e..5b26aef 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1243,6 +1243,8 @@ template(`userdom_admin_user_template',`
 	')
 
 	ifdef(`distro_gentoo',`
+		# Grant block_suspend capability2 to administrators, this annoys the heck out of me
+		allow $1_t self:capability2 { block_suspend };
 		# Moved out of files_relabel_non_auth_files as it cannot be used in tunable_policy otherwise
 		seutil_relabelto_bin_policy($1_t)
 	')
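Review bot: the comment on the new `allow $1_t self:capability2 { block_suspend };` line records a personal annoyance rather than the reason; the commit message's rationale (EPOLLWAKEUP is ignored unless CAP_BLOCK_SUSPEND is held, so long-running admin tasks get interrupted by scheduled suspends) is what a later reader needs. The braces around a single permission are unnecessary; `block_suspend` alone is enough.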


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2014-08-19  9:19 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2014-08-19  9:19 UTC (permalink / raw
  To: gentoo-commits

commit:     bf1344dbd12c000f31219d90eef4c378ab72e91c
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Thu Aug 14 19:47:55 2014 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Fri Aug 15 09:57:58 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=bf1344db

Module version bump for fstools fc entries from Luis Ressel.

---
 policy/modules/system/fstools.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index b876224..5c77a4f 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -1,4 +1,4 @@
-policy_module(fstools, 1.17.0)
+policy_module(fstools, 1.17.1)
 
 ########################################
 #


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2014-08-19  9:19 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2014-08-19  9:19 UTC (permalink / raw
  To: gentoo-commits

commit:     5248f963330c4a11ac1d737aec13afa52c5abb9f
Author:     Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Mon Aug 11 12:31:32 2014 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Fri Aug 15 09:57:55 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=5248f963

Some of the fsadm tools can also be in /usr/sbin instead of /sbin

Signed-off-by: Luis Ressel <aranea <AT> aixah.de>

---
 policy/modules/system/fstools.fc | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
index 213ceb2..bd4066e 100644
--- a/policy/modules/system/fstools.fc
+++ b/policy/modules/system/fstools.fc
@@ -50,7 +50,11 @@
 
 /usr/sbin/clubufflush	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/sbin/fatsort	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/fsck.*	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/mkfs.*	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/sbin/parted	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/partprobe	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/partx		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/sbin/smartctl	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 
 /var/log/fsck(/.*)?		gen_context(system_u:object_r:fsadm_log_t,s0)


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2014-08-19  9:19 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2014-08-19  9:19 UTC (permalink / raw
  To: gentoo-commits

commit:     4db655ea4fcd44ce33dffd3ea7655bc824ddda90
Author:     Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Mon Aug 11 12:31:33 2014 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Fri Aug 15 09:57:57 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=4db655ea

Label /usr/sbin/{add, del}part as fsadm_exec_t

These are seldomly-used tools from the util-linux package.

Please check if they are located in /sbin instead of /usr/sbin on other
distributions.

Signed-off-by: Luis Ressel <aranea <AT> aixah.de>

---
 policy/modules/system/fstools.fc | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
index bd4066e..aa1d594 100644
--- a/policy/modules/system/fstools.fc
+++ b/policy/modules/system/fstools.fc
@@ -48,7 +48,9 @@
 /usr/bin/scsi_unique_id	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/bin/syslinux	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 
+/usr/sbin/addpart	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/sbin/clubufflush	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/delpart	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/sbin/fatsort	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/sbin/fsck.*	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/sbin/mkfs.*	--	gen_context(system_u:object_r:fsadm_exec_t,s0)


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2014-08-19  9:19 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2014-08-19  9:19 UTC (permalink / raw
  To: gentoo-commits

commit:     8bb8af09473326d9b48783118f3f0694ef6b0ed0
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Aug 17 09:32:28 2014 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Sun Aug 17 09:32:28 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=8bb8af09

Add block_suspend to admin users

Administrative user domains often perform system tasks in their user
domain (for instance sysadm_t). These tasks should be able to
run-to-complete and should not be interrupted by suspend operations that
might be scheduled.

Tasks that use the epoll() system call might use the EPOLLWAKEUP flag to
prevent suspends while epoll events are ready. This only works if
CAP_BLOCK_SUSPEND is active (otherwise EPOLLWAKEUP is ignored).

---
 policy/modules/system/userdomain.if | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index f299e2e..5b26aef 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1243,6 +1243,8 @@ template(`userdom_admin_user_template',`
 	')
 
 	ifdef(`distro_gentoo',`
+		# Grant block_suspend capability2 to administrators, this annoys the heck out of me
+		allow $1_t self:capability2 { block_suspend };
 		# Moved out of files_relabel_non_auth_files as it cannot be used in tunable_policy otherwise
 		seutil_relabelto_bin_policy($1_t)
 	')


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2014-08-19 20:07 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2014-08-19 20:07 UTC (permalink / raw
  To: gentoo-commits

commit:     ce7ff0c908740a95edf2dcd6ac2910b3161eb569
Author:     Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Mon Aug 11 13:33:16 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Aug 19 20:06:42 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=ce7ff0c9

system/mount.if: Add mount_rw_loopback_files interface

---
 policy/modules/system/mount.if | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
index fe24186..8a2105b 100644
--- a/policy/modules/system/mount.if
+++ b/policy/modules/system/mount.if
@@ -191,3 +191,21 @@ interface(`mount_read_loopback_files',`
 
 	allow $1 mount_loopback_t:file read_file_perms;
 ')
+
+########################################
+## <summary>
+##	Read and write loopback filesystem image files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mount_rw_loopback_files',`
+	gen_require(`
+		type mount_loopback_t;
+	')
+
+	allow $1 mount_loopback_t:file rw_file_perms;
+')


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2014-08-19 20:07 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2014-08-19 20:07 UTC (permalink / raw
  To: gentoo-commits

commit:     ff1afbaf2e0f1d8fd0b381167d735606024f29bc
Author:     Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Mon Aug 11 13:33:17 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Aug 19 20:06:45 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=ff1afbaf

system/fstools.if: Add fstools_use_fds interface

---
 policy/modules/system/fstools.if | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/policy/modules/system/fstools.if b/policy/modules/system/fstools.if
index 016a770..c4bbd88 100644
--- a/policy/modules/system/fstools.if
+++ b/policy/modules/system/fstools.if
@@ -83,6 +83,24 @@ interface(`fstools_signal',`
 
 ########################################
 ## <summary>
+##	Inherit fstools file descriptors.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`fstools_use_fds',`
+	gen_require(`
+		type fsadm_t;
+	')
+
+	allow $1 fsadm_t:fd use;
+')
+
+########################################
+## <summary>
 ##	Read fstools unnamed pipes.
 ## </summary>
 ## <param name="domain">
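Review bot: the param summary "The type of the process performing this action." in `fstools_use_fds` differs from the wording the other new interfaces in this series use for the same parameter ("Domain allowed access." in init.if and mount.if); keep one convention. The body, `allow $1 fsadm_t:fd use;`, is the usual shape for fd inheritance and needs no further change.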


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2014-08-19 20:07 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2014-08-19 20:07 UTC (permalink / raw
  To: gentoo-commits

commit:     5a4304143a9dcf5980eefbfdaa78b5d1416fa884
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Tue Aug 19 12:44:57 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Aug 19 20:06:49 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=5a430414

Move losetup addition in fstools.

---
 policy/modules/system/fstools.te | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index 7ce8171..a2a12c4 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -127,9 +127,6 @@ files_search_all(fsadm_t)
 mls_file_read_all_levels(fsadm_t)
 mls_file_write_all_levels(fsadm_t)
 
-# losetup: bind mount_loopback_t files to loop devices
-mount_rw_loopback_files(fsadm_t)
-
 storage_raw_read_fixed_disk(fsadm_t)
 storage_raw_write_fixed_disk(fsadm_t)
 storage_raw_read_removable_device(fsadm_t)
@@ -147,6 +144,9 @@ logging_send_syslog_msg(fsadm_t)
 
 miscfiles_read_localization(fsadm_t)
 
+# losetup: bind mount_loopback_t files to loop devices
+mount_rw_loopback_files(fsadm_t)
+
 seutil_read_config(fsadm_t)
 
 userdom_use_user_terminals(fsadm_t)


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2014-08-20 17:29 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2014-08-20 17:29 UTC (permalink / raw
  To: gentoo-commits

commit:     9660ec3c7e65d654770832d9011cce2eb7bc1134
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Aug 20 16:26:29 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Wed Aug 20 17:10:23 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=9660ec3c

Allow udev to set predictable ifnames

Udev sets the interface names predictably; it uses a
netlink_route_socket to do so.

More info at:
http://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames/

---
 policy/modules/system/udev.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 83a8b11..737e854 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -332,6 +332,9 @@ ifdef(`distro_gentoo',`
 	allow udev_t self:capability2 block_suspend;
 	allow udev_t udev_tbl_t:dir relabelto;
 
+	# needed for predictable network interfaces naming
+	allow udev_t self:netlink_route_socket rw_netlink_socket_perms;
+
 	manage_dirs_pattern(udev_t, udev_tbl_t, udev_tbl_t)
 	manage_files_pattern(udev_t, udev_tbl_t, udev_tbl_t)
 	manage_lnk_files_pattern(udev_t, udev_tbl_t, udev_tbl_t)
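Review bot: the comment reads "predictable network interfaces naming"; "predictable network interface naming" is the term the linked freedesktop page uses. The rule sits inside `ifdef(`distro_gentoo',`, yet renaming interfaces through a netlink route socket is not Gentoo-specific; if upstream udev_t lacks it, this is a candidate to send upstream rather than keep in the distro block.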


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2014-08-21 17:31 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2014-08-21 17:31 UTC (permalink / raw
  To: gentoo-commits

commit:     c0519a41863a832f15e1617b50e457b73bcc3c7a
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Thu Aug 21 13:53:51 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Aug 21 17:29:47 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=c0519a41

Module version bump for FUSE fix for mount from Luis Ressel.

---
 policy/modules/system/mount.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index 7db4a9a..9b46a76 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -1,4 +1,4 @@
-policy_module(mount, 1.17.1)
+policy_module(mount, 1.17.2)
 
 ########################################
 #


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2014-08-21 17:31 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2014-08-21 17:31 UTC (permalink / raw
  To: gentoo-commits

commit:     d9b301bb1c15d5f50bffccc58667d7f0dce316c5
Author:     Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Mon Aug 11 13:52:56 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Aug 21 17:29:43 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=d9b301bb

Grant mount permission to access /dev/fuse

This is needed for mounting FUSE-based filesystems like ntfs-3g.

---
 policy/modules/system/mount.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index 83854fd..7db4a9a 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -121,6 +121,7 @@ storage_raw_read_fixed_disk(mount_t)
 storage_raw_write_fixed_disk(mount_t)
 storage_raw_read_removable_device(mount_t)
 storage_raw_write_removable_device(mount_t)
+storage_rw_fuse(mount_t)
 
 term_use_all_terms(mount_t)
 term_dontaudit_manage_pty_dirs(mount_t)
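Review bot: `storage_rw_fuse(mount_t)` is added without a comment; record the commit message's rationale (FUSE-based filesystems such as ntfs-3g need /dev/fuse) on the line so the permission is not pruned as unused later.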


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2014-08-22 18:07 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2014-08-22 18:07 UTC (permalink / raw
  To: gentoo-commits

commit:     fe1414d1fa7a4453a871dd3587384d1c6d432ce2
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Aug 22 18:07:09 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Aug 22 18:07:09 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=fe1414d1

insmod deletes obsolete module deps (make modules_install)

---
 policy/modules/system/modutils.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index 419b826..b17ad6c 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -337,6 +337,8 @@ ifdef(`distro_gentoo',`
 	# insmod_t 
 	#
 
+	# During "make modules_install" insmod removes old/previous deps
+	delete_files_pattern(insmod_t, modules_object_t, modules_dep_t)
 	# During "make modules_install" temp files created by admin
 	# that invoked the command are later used by kmod.
 	userdom_manage_user_tmp_files(insmod_t)
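Review bot: the new `delete_files_pattern(insmod_t, modules_object_t, modules_dep_t)` line and its comment are inserted directly before the next rule's comment with no blank line, so the two comments read as one block; separate them. The commit title says obsolete deps are deleted during make modules_install, which implies they are regenerated afterwards; check that insmod_t already has create and write on modules_dep_t in modules_object_t directories, otherwise the same operation will hit a denial at the next step.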


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2014-08-22 19:05 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2014-08-22 19:05 UTC (permalink / raw
  To: gentoo-commits

commit:     1df21420237c54a402798d9cff437c32017c714e
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Aug 22 19:05:19 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Aug 22 19:05:19 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=1df21420

Allow sysadmins to interact with kernel (for instance for lsusb command)

---
 policy/modules/system/userdomain.if | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 5b26aef..78cb3ad 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1245,6 +1245,8 @@ template(`userdom_admin_user_template',`
 	ifdef(`distro_gentoo',`
 		# Grant block_suspend capability2 to administrators, this annoys the heck out of me
 		allow $1_t self:capability2 { block_suspend };
+		# Allow admins to interact with kernel, for instance using lsusb command
+		allow $1 self:netlink_kobject_uevent_socket create_socket_perms;
 		# Moved out of files_relabel_non_auth_files as it cannot be used in tunable_policy otherwise
 		seutil_relabelto_bin_policy($1_t)
 	')
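Review bot: `allow $1 self:netlink_kobject_uevent_socket create_socket_perms;` uses the bare template argument; inside userdom_admin_user_template `$1` is the user prefix and the domain is `$1_t`, as the adjacent `allow $1_t self:capability2` line shows. This will not build as written; use `$1_t`.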


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2014-08-22 19:12 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2014-08-22 19:12 UTC (permalink / raw
  To: gentoo-commits

commit:     482dc188fa0709641e76778f2c22f0b248cb4f82
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Aug 22 19:12:15 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Aug 22 19:12:15 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=482dc188

It is a template, so use _t (compile issue otherwise)

---
 policy/modules/system/userdomain.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 78cb3ad..08139d9 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1246,7 +1246,7 @@ template(`userdom_admin_user_template',`
 		# Grant block_suspend capability2 to administrators, this annoys the heck out of me
 		allow $1_t self:capability2 { block_suspend };
 		# Allow admins to interact with kernel, for instance using lsusb command
-		allow $1 self:netlink_kobject_uevent_socket create_socket_perms;
+		allow $1_t self:netlink_kobject_uevent_socket create_socket_perms;
 		# Moved out of files_relabel_non_auth_files as it cannot be used in tunable_policy otherwise
 		seutil_relabelto_bin_policy($1_t)
 	')


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2014-09-13  9:38 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2014-09-13  9:38 UTC (permalink / raw
  To: gentoo-commits

commit:     d4e625e9ac332806fc907c4e6b4cbd24506078ca
Author:     Nicolas Iooss <nicolas.iooss <AT> m4x <DOT> org>
AuthorDate: Sun Sep  7 21:28:16 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Sep 13 09:30:22 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=d4e625e9

Remove redundant Gentoo-specific term_append_unallocated_ttys(syslogd_t)

Since commit 0fd9dc55, logging.te contains:

  term_write_all_user_ttys(syslogd_t)

As "write" is a superset of "append", this rule is no longer needed:

    term_append_unallocated_ttys(syslogd_t)

While at it, add a comment which explains why
term_dontaudit_setattr_unallocated_ttys is needed.

---
 policy/modules/system/logging.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 85c3c73..4008931 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -483,7 +483,7 @@ userdom_dontaudit_search_user_home_dirs(syslogd_t)
 ifdef(`distro_gentoo',`
 	# default gentoo syslog-ng config appends kernel
 	# and high priority messages to /dev/tty12
-	term_append_unallocated_ttys(syslogd_t)
+	# and chown/chgrp/chmod /dev/tty12, which is denied
 	term_dontaudit_setattr_unallocated_ttys(syslogd_t)
 ')
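Review bot: the justification for dropping `term_append_unallocated_ttys(syslogd_t)` does not hold on its face: `term_write_all_user_ttys` targets user tty types, whereas the /dev/tty12 that the comment above still refers to is an unallocated tty, which is exactly what the removed interface covered. Unless the user-tty attribute is known to include the unallocated tty type, syslog-ng writing kernel messages to /dev/tty12 will now be denied; verify on a Gentoo system (or keep the append rule) before merging. The retained `term_dontaudit_setattr_unallocated_ttys` line only silences setattr, it does not grant write.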
 


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2014-09-13  9:38 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2014-09-13  9:38 UTC (permalink / raw
  To: gentoo-commits

commit:     a83e03c5d3b7668f0133349cdb8c6e1ae4290ca6
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Sep 13 09:37:00 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Sep 13 09:37:00 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=a83e03c5

Reintroduce refpolicy quirks as merging becomes difficult otherwise

---
 policy/modules/system/logging.fc | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
index 22034dc..a0e957c 100644
--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
@@ -26,7 +26,7 @@
 /usr/sbin/syslog-ng	--	gen_context(system_u:object_r:syslogd_exec_t,s0)
 /usr/sbin/syslogd	--	gen_context(system_u:object_r:syslogd_exec_t,s0)
 
-/var/lib/misc/syslog-ng\.persist-?	--	gen_context(system_u:object_r:syslogd_var_lib_t,s0)
+/var/lib/misc/syslog-ng.persist-? -- gen_context(system_u:object_r:syslogd_var_lib_t,s0)
 /var/lib/syslog-ng(/.*)? 	gen_context(system_u:object_r:syslogd_var_lib_t,s0)
 /var/lib/r?syslog(/.*)?		gen_context(system_u:object_r:syslogd_var_lib_t,s0)
 /var/lib/syslog-ng.persist --	gen_context(system_u:object_r:syslogd_var_lib_t,s0)
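Review bot: the replacement line `/var/lib/misc/syslog-ng.persist-? --` drops the backslash that escaped the dot, so the entry is now a regex in which `.` matches any character; file context paths are regular expressions, and the neighbouring entries (`/var/run/syslog-ng\.pid`, `/var/run/metalog\.pid`) keep `\.`. If the unescaped form is carried for merge parity with upstream, as the commit message suggests, fix it upstream rather than reintroducing it here; the context line `/var/lib/syslog-ng.persist --` has the same defect.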
@@ -68,12 +68,12 @@ ifdef(`distro_redhat',`
 /var/run/metalog\.pid	--	gen_context(system_u:object_r:syslogd_var_run_t,s0)
 /var/run/rsyslogd\.pid	--	gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
 /var/run/syslogd\.pid	--	gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
-/var/run/syslog-ng.ctl	--	gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
+/var/run/syslog-ng.ctl	--	gen_context(system_u:object_r:syslogd_var_run_t,s0)
 /var/run/syslog-ng\.pid	--	gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
-/var/run/syslog-ng(.*)?	gen_context(system_u:object_r:syslogd_var_run_t,s0)
+/var/run/syslog-ng(/.*)?	gen_context(system_u:object_r:syslogd_var_run_t,s0)
 /var/run/systemd/journal(/.*)?	gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
-/var/run/systemd/journal/syslog	-s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
-/var/run/systemd/journal/dev-log	-s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
+/var/run/systemd/journal/syslog	 -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
+/var/run/systemd/journal/dev-log -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
 
 /var/spool/audit(/.*)?		gen_context(system_u:object_r:audit_spool_t,mls_systemhigh)
 /var/spool/bacula/log(/.*)? 	gen_context(system_u:object_r:var_log_t,s0)
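Review bot: two substantive changes are hidden under the "quirks" label in this hunk: `/var/run/syslog-ng.ctl` moves from `mls_systemhigh` to `s0` while the adjacent `syslog-ng\.pid` stays at `mls_systemhigh`, and `/var/run/syslog-ng(.*)?` becomes `(/.*)?`. The second is a real fix (the old pattern also matched the sibling files `syslog-ng.ctl` and `syslog-ng.pid` and relied on specificity ordering to be overridden); the first lowers the MLS range of the control socket and should be called out in the commit message, or left at `mls_systemhigh` if the downgrade is not intentional.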


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2014-09-13  9:38 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2014-09-13  9:38 UTC (permalink / raw
  To: gentoo-commits

commit:     50879ac75947cac9d0e6ff2b82dac10b887fa98f
Author:     Nicolas Iooss <nicolas.iooss <AT> m4x <DOT> org>
AuthorDate: Sun Sep  7 21:28:12 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Sep 13 09:28:48 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=50879ac7

Label systemd-journald files and directories

---
 policy/modules/system/logging.fc | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
index cb6eaa3..b70a126 100644
--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
@@ -17,6 +17,8 @@
 /sbin/syslogd		--	gen_context(system_u:object_r:syslogd_exec_t,s0)
 /sbin/syslog-ng		--	gen_context(system_u:object_r:syslogd_exec_t,s0)
 
+/usr/lib/systemd/systemd-journald	--	gen_context(system_u:object_r:syslogd_exec_t,s0)
+
 /usr/sbin/klogd		--	gen_context(system_u:object_r:klogd_exec_t,s0)
 /usr/sbin/metalog	--	gen_context(system_u:object_r:syslogd_exec_t,s0)
 /usr/sbin/rklogd	--	gen_context(system_u:object_r:klogd_exec_t,s0)
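Review bot: labeling `/usr/lib/systemd/systemd-journald` as `syslogd_exec_t` runs journald in the shared `syslogd_t` domain, so any journald-specific permission added to `syslogd_t` later is granted to syslog-ng, rsyslog and metalog as well. That is a design decision and deserves a comment next to the entry or a sentence in the commit message.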
@@ -61,12 +63,17 @@ ifdef(`distro_redhat',`
 /var/run/auditd_sock	-s	gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh)
 /var/run/klogd\.pid	--	gen_context(system_u:object_r:klogd_var_run_t,s0)
 /var/run/log		-s	gen_context(system_u:object_r:devlog_t,s0)
+/var/run/log		-d	gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
+/var/run/log/journal(/.*)?	gen_context(system_u:object_r:var_log_t,mls_systemhigh)
 /var/run/metalog\.pid	--	gen_context(system_u:object_r:syslogd_var_run_t,s0)
 /var/run/rsyslogd\.pid	--	gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
 /var/run/syslogd\.pid	--	gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
 /var/run/syslog-ng.ctl	--	gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
 /var/run/syslog-ng\.pid	--	gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
 /var/run/syslog-ng(.*)?	gen_context(system_u:object_r:syslogd_var_run_t,s0)
+/var/run/systemd/journal(/.*)?	gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
+/var/run/systemd/journal/syslog	-s	gen_context(system_u:object_r:devlog_t,mls_systemhigh)
+/var/run/systemd/journal/dev-log	-s	gen_context(system_u:object_r:devlog_t,mls_systemhigh)
 
 /var/spool/audit(/.*)?		gen_context(system_u:object_r:audit_spool_t,mls_systemhigh)
 /var/spool/bacula/log(/.*)? 	gen_context(system_u:object_r:var_log_t,s0)
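Review bot: `/var/run/log` now has two entries on the same path, `-s` with `devlog_t` and `-d` with `var_log_t` and the range `s0-mls_systemhigh`; that is valid because the object classes differ, but add a comment saying the directory entry is for the systemd volatile journal so nobody "deduplicates" it later. Also `/var/run/log/journal(/.*)?` gets the persistent-log type `var_log_t` while `/var/run/systemd/journal(/.*)?` in the same hunk gets `syslogd_var_run_t`; state why the two runtime journal trees receive different types.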


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2014-09-13  9:38 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2014-09-13  9:38 UTC (permalink / raw
  To: gentoo-commits

commit:     6a62d9b102c192f8e2c2add471e19e05cda50416
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Fri Sep 12 13:54:11 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Sep 13 09:30:12 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=6a62d9b1

Add comment for journald ring buffer reading.

---
 policy/modules/system/logging.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index f254279..241a409 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -406,6 +406,7 @@ kernel_read_messages(syslogd_t)
 kernel_read_vm_sysctls(syslogd_t)
 kernel_clear_ring_buffer(syslogd_t)
 kernel_change_ring_buffer_level(syslogd_t)
+# Read ring buffer for journald
 kernel_read_ring_buffer(syslogd_t)
 # /initrd is not umounted before minilog starts
 kernel_dontaudit_search_unlabeled(syslogd_t)


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2014-09-13  9:38 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2014-09-13  9:38 UTC (permalink / raw
  To: gentoo-commits

commit:     e5341021fd4a44655b738885c60ee3bbfd29bfe5
Author:     Nicolas Iooss <nicolas.iooss <AT> m4x <DOT> org>
AuthorDate: Sun Sep  7 21:28:11 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Sep 13 09:25:22 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=e5341021

Introduce init_search_run interface

---
 policy/modules/system/init.if | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index ab4b450..76ef0dc 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1597,6 +1597,25 @@ interface(`init_dontaudit_read_script_status_files',`
 	dontaudit $1 initrc_state_t:file read_file_perms;
 ')
 
+######################################
+## <summary>
+##	Search the /run/systemd directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_search_run',`
+	gen_require(`
+		type init_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 init_var_run_t:dir search_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##	Read init script temporary data.
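Review bot: the `<summary>` says "Search the /run/systemd directory", but the rule grants search on every directory of type `init_var_run_t`, and `files_search_pids($1)` additionally grants search on the generic pid directory. Describe the interface by its type ("search init pid directories") so callers understand its scope, which matches how the other interfaces in init.if are documented.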


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2014-09-13  9:38 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2014-09-13  9:38 UTC (permalink / raw
  To: gentoo-commits

commit:     b345de50c6447626549e0865831175f1f2ec85de
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Sep 13 09:33:45 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Sep 13 09:33:45 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=b345de50

Move gentoo specifics downward for faster merging

---
 policy/modules/system/init.fc | 25 ++++++++++++++++++++-----
 1 file changed, 20 insertions(+), 5 deletions(-)

diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
index e499287..b4391ce 100644
--- a/policy/modules/system/init.fc
+++ b/policy/modules/system/init.fc
@@ -26,7 +26,6 @@ ifdef(`distro_gentoo',`
 
 ifdef(`distro_gentoo', `
 /lib/rc/init\.d(/.*)?		gen_context(system_u:object_r:initrc_state_t,s0)
-/lib/rc/console(/.*)?		gen_context(system_u:object_r:initrc_state_t,s0)
 ')
 
 #
@@ -38,7 +37,6 @@ ifdef(`distro_gentoo', `
 
 ifdef(`distro_gentoo', `
 /sbin/rc		--	gen_context(system_u:object_r:rc_exec_t,s0)
-/sbin/openrc		--	gen_context(system_u:object_r:rc_exec_t,s0)
 ')
 
 #
@@ -46,7 +44,7 @@ ifdef(`distro_gentoo', `
 #
 /usr/bin/sepg_ctl	--	gen_context(system_u:object_r:initrc_exec_t,s0)
 
-/usr/lib/systemd/systemd	--	gen_context(system_u:object_r:init_exec_t,s0)
+/usr/lib/systemd/systemd --	gen_context(system_u:object_r:init_exec_t,s0)
 
 /usr/libexec/dcc/start-.* --	gen_context(system_u:object_r:initrc_exec_t,s0)
 /usr/libexec/dcc/stop-.* --	gen_context(system_u:object_r:initrc_exec_t,s0)
@@ -73,9 +71,7 @@ ifdef(`distro_debian',`
 
 ifdef(`distro_gentoo', `
 /var/lib/init\.d(/.*)?		gen_context(system_u:object_r:initrc_state_t,s0)
-/var/lib/ip6?tables(/.*)?		gen_context(system_u:object_r:initrc_tmp_t,s0)
 /var/run/svscan\.pid	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
-/var/run/openrc(/.*)?		gen_context(system_u:object_r:initrc_state_t,s0)
 ')
 
 ifdef(`distro_suse', `
@@ -85,3 +81,22 @@ ifdef(`distro_suse', `
 /var/run/setleds-on	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
 /var/run/sysconfig(/.*)?	gen_context(system_u:object_r:initrc_var_run_t,s0)
 ')
+
+ifdef(`distro_gentoo',`
+# 
+# /lib
+#
+/lib/rc/console(/.*)?		gen_context(system_u:object_r:initrc_state_t,s0)
+
+#
+# /sbin
+#
+/sbin/openrc		--	gen_context(system_u:object_r:rc_exec_t,s0)
+
+#
+# /var
+#
+/var/lib/ip6?tables(/.*)?		gen_context(system_u:object_r:initrc_tmp_t,s0)
+
+/var/run/openrc(/.*)?		gen_context(system_u:object_r:initrc_state_t,s0)
+')
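Review bot: the `+# ` line heading the `# /lib` comment in the new block carries trailing whitespace; trim it. Also, after this move the file still holds three separate `ifdef(`distro_gentoo'` blocks (the two earlier ones lose one line each but keep `/lib/rc/init\.d`, `/sbin/rc`, `/var/lib/init\.d` and `/var/run/svscan\.pid`); if the goal is easier merging, the remaining entries belong in this trailing block too.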


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2014-09-13  9:38 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2014-09-13  9:38 UTC (permalink / raw
  To: gentoo-commits

commit:     75b6f28b5850e1e997dac51d25e1688999db603a
Author:     Nicolas Iooss <nicolas.iooss <AT> m4x <DOT> org>
AuthorDate: Sun Sep  7 21:28:15 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Sep 13 09:30:15 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=75b6f28b

Allow journald access to the state of all processes

When a process sends a syslog message to journald, journald records
information such as command, executable, cgroup, etc.:
http://cgit.freedesktop.org/systemd/systemd/tree/src/journal/journald-server.c?id=v215#n589

This needs domain_read_all_domains_state.

---
 policy/modules/system/logging.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 241a409..85c3c73 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -443,6 +443,8 @@ dev_read_sysfs(syslogd_t)
 dev_rw_kmsg(syslogd_t)
 
 domain_use_interactive_fds(syslogd_t)
+# Allow access to /proc/ information for journald
+domain_read_all_domains_state(syslogd_t)
 
 files_read_etc_files(syslogd_t)
 files_read_usr_files(syslogd_t)
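Review bot: `domain_read_all_domains_state(syslogd_t)` lets the syslog domain read the /proc state of every confined domain, and because syslog-ng, rsyslog and metalog share `syslogd_t`, they receive it too although only journald needs it. At minimum the comment should say the grant is broad; the better fix is a dedicated journald domain so this information-disclosure surface stays with the one program that uses it.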


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2014-09-13  9:38 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2014-09-13  9:38 UTC (permalink / raw
  To: gentoo-commits

commit:     49f6fb3e2c520c89c245d89356a4611674b7af7d
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Fri Sep 12 13:49:37 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Sep 13 09:30:02 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=49f6fb3e

Whitespace change in logging.fc.

---
 policy/modules/system/logging.fc | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
index b70a126..22034dc 100644
--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
@@ -17,7 +17,7 @@
 /sbin/syslogd		--	gen_context(system_u:object_r:syslogd_exec_t,s0)
 /sbin/syslog-ng		--	gen_context(system_u:object_r:syslogd_exec_t,s0)
 
-/usr/lib/systemd/systemd-journald	--	gen_context(system_u:object_r:syslogd_exec_t,s0)
+/usr/lib/systemd/systemd-journald -- gen_context(system_u:object_r:syslogd_exec_t,s0)
 
 /usr/sbin/klogd		--	gen_context(system_u:object_r:klogd_exec_t,s0)
 /usr/sbin/metalog	--	gen_context(system_u:object_r:syslogd_exec_t,s0)
@@ -72,8 +72,8 @@ ifdef(`distro_redhat',`
 /var/run/syslog-ng\.pid	--	gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
 /var/run/syslog-ng(.*)?	gen_context(system_u:object_r:syslogd_var_run_t,s0)
 /var/run/systemd/journal(/.*)?	gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
-/var/run/systemd/journal/syslog	-s	gen_context(system_u:object_r:devlog_t,mls_systemhigh)
-/var/run/systemd/journal/dev-log	-s	gen_context(system_u:object_r:devlog_t,mls_systemhigh)
+/var/run/systemd/journal/syslog	-s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
+/var/run/systemd/journal/dev-log	-s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
 
 /var/spool/audit(/.*)?		gen_context(system_u:object_r:audit_spool_t,mls_systemhigh)
 /var/spool/bacula/log(/.*)? 	gen_context(system_u:object_r:var_log_t,s0)


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2014-09-13  9:38 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2014-09-13  9:38 UTC (permalink / raw
  To: gentoo-commits

commit:     af47eb2d50f3e3c134ec307b5021db258bb027ab
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Fri Sep 12 13:42:59 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Sep 13 09:25:12 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=af47eb2d

Move systemd fc entry.

---
 policy/modules/system/init.fc | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
index 3c50f9d..e499287 100644
--- a/policy/modules/system/init.fc
+++ b/policy/modules/system/init.fc
@@ -22,11 +22,12 @@ ifdef(`distro_gentoo',`
 #
 # /lib
 #
+/lib/systemd/systemd	--	gen_context(system_u:object_r:init_exec_t,s0)
+
 ifdef(`distro_gentoo', `
 /lib/rc/init\.d(/.*)?		gen_context(system_u:object_r:initrc_state_t,s0)
 /lib/rc/console(/.*)?		gen_context(system_u:object_r:initrc_state_t,s0)
 ')
-/lib/systemd/systemd	--	gen_context(system_u:object_r:init_exec_t,s0)
 
 #
 # /sbin


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2014-09-13  9:38 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2014-09-13  9:38 UTC (permalink / raw
  To: gentoo-commits

commit:     004c03ed39f178ef22d3e5f56d1e671e21d1f394
Author:     Nicolas Iooss <nicolas.iooss <AT> m4x <DOT> org>
AuthorDate: Sun Sep  7 21:28:10 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Sep 13 09:24:30 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=004c03ed

Label systemd files in init module

---
 policy/modules/system/init.fc | 6 ++++++
 policy/modules/system/init.te | 8 +++++++-
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
index 3496579..3c50f9d 100644
--- a/policy/modules/system/init.fc
+++ b/policy/modules/system/init.fc
@@ -26,6 +26,7 @@ ifdef(`distro_gentoo', `
 /lib/rc/init\.d(/.*)?		gen_context(system_u:object_r:initrc_state_t,s0)
 /lib/rc/console(/.*)?		gen_context(system_u:object_r:initrc_state_t,s0)
 ')
+/lib/systemd/systemd	--	gen_context(system_u:object_r:init_exec_t,s0)
 
 #
 # /sbin
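Review bot: `/lib/systemd/systemd` is appended directly after the `')` that closes the `distro_gentoo` block, with no blank line; the entry is not Gentoo-specific, so place it with the other /lib entries above the ifdef and separate it with a blank line (the `/usr/lib/systemd/systemd` entry in the next hunk is already laid out that way).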
@@ -44,6 +45,8 @@ ifdef(`distro_gentoo', `
 #
 /usr/bin/sepg_ctl	--	gen_context(system_u:object_r:initrc_exec_t,s0)
 
+/usr/lib/systemd/systemd	--	gen_context(system_u:object_r:init_exec_t,s0)
+
 /usr/libexec/dcc/start-.* --	gen_context(system_u:object_r:initrc_exec_t,s0)
 /usr/libexec/dcc/stop-.* --	gen_context(system_u:object_r:initrc_exec_t,s0)
 
@@ -53,11 +56,14 @@ ifdef(`distro_gentoo', `
 #
 # /var
 #
+/var/lib/systemd(/.*)?		gen_context(system_u:object_r:init_var_lib_t,s0)
+
 /var/run/initctl	-p	gen_context(system_u:object_r:initctl_t,s0)
 /var/run/utmp		--	gen_context(system_u:object_r:initrc_var_run_t,s0)
 /var/run/runlevel\.dir		gen_context(system_u:object_r:initrc_var_run_t,s0)
 /var/run/random-seed	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
 /var/run/setmixer_flag	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
+/var/run/systemd(/.*)?		gen_context(system_u:object_r:init_var_run_t,s0)
 
 ifdef(`distro_debian',`
 /var/run/hotkey-setup	--	gen_context(system_u:object_r:initrc_var_run_t,s0)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 88fe1de..94a5516 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -40,12 +40,18 @@ kernel_domtrans_to(init_t, init_exec_t)
 role system_r types init_t;
 
 #
-# init_var_run_t is the type for /var/run/shutdown.pid.
+# init_var_run_t is the type for /var/run/shutdown.pid and /var/run/systemd.
 #
 type init_var_run_t;
 files_pid_file(init_var_run_t)
 
 #
+# init_var_lib_t is the type for /var/lib/systemd.
+#
+type init_var_lib_t;
+files_type(init_var_lib_t)
+
+#
 # initctl_t is the type of the named pipe created
 # by init during initialization.  This pipe is used
 # to communicate with init.


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2014-09-13  9:38 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2014-09-13  9:38 UTC (permalink / raw
  To: gentoo-commits

commit:     cc6930453f9123999e2be8338b3a92599e82be78
Author:     Nicolas Iooss <nicolas.iooss <AT> m4x <DOT> org>
AuthorDate: Sun Sep  7 21:28:13 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Sep 13 09:30:07 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=cc693045

Support logging with /run/systemd/journal/dev-log

In June 2014 systemd moved the socket used by journald to /run.  This
requires two new directory search accesses for every domain sending syslog
messages:

* /run/systemd/ (handled by init_search_run)
* /run/systemd/journal/ (labeled syslogd_var_run_t)

systemd commit:
http://cgit.freedesktop.org/systemd/systemd/commit/units/systemd-journald-dev-log.socket?id=03ee5c38cb0da193dd08733fb4c0c2809cee6a99

---
 policy/modules/system/logging.if | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 6bd6586..042aa70 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -530,12 +530,16 @@ interface(`logging_log_filetrans',`
 #
 interface(`logging_send_syslog_msg',`
 	gen_require(`
-		type syslogd_t, devlog_t;
+		type syslogd_t, syslogd_var_run_t, devlog_t;
 	')
 
 	allow $1 devlog_t:lnk_file read_lnk_file_perms;
 	allow $1 devlog_t:sock_file write_sock_file_perms;
 
+	# systemd journal socket is in /run/systemd/journal/dev-log
+	init_search_run($1)
+	allow $1 syslogd_var_run_t:dir search_dir_perms;
+
 	# the type of socket depends on the syslog daemon
 	allow $1 syslogd_t:unix_dgram_socket sendto;
 	allow $1 syslogd_t:unix_stream_socket connectto;
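Review bot: the two new lines make every caller of `logging_send_syslog_msg`, the most widely used logging interface, depend on `init_search_run` and therefore on the init module's `init_var_run_t`; that is acceptable only because both grants are search-only on directories. Keep the comment, and keep `syslogd_var_run_t` limited to `dir search_dir_perms` so sender domains gain no access to the pid and control files under that directory.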


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2014-09-21 14:04 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2014-09-21 14:04 UTC (permalink / raw
  To: gentoo-commits

commit:     d881de39c19931dc670b845ec514d17fab928647
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Fri Sep 12 18:25:01 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Sep 21 14:02:14 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=d881de39

/dev/log symlinks are not labeled devlog_t.

Drop rule; if /dev/log is a symlink, it should be device_t.

---
 policy/modules/system/logging.if | 1 -
 policy/modules/system/logging.te | 2 +-
 2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 042aa70..1c4af7b 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -533,7 +533,6 @@ interface(`logging_send_syslog_msg',`
 		type syslogd_t, syslogd_var_run_t, devlog_t;
 	')
 
-	allow $1 devlog_t:lnk_file read_lnk_file_perms;
 	allow $1 devlog_t:sock_file write_sock_file_perms;
 
 	# systemd journal socket is in /run/systemd/journal/dev-log
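Review bot: removing `allow $1 devlog_t:lnk_file read_lnk_file_perms` matches the commit message, but on systemd hosts /dev/log is a symlink to /run/systemd/journal/dev-log and the remaining rule covers only `devlog_t:sock_file`; sending domains now need read access to the `device_t` symlink from elsewhere (typically a `dev_*` interface). Confirm that every caller of `logging_send_syslog_msg` gets it, otherwise the symlink setup the previous commits labeled breaks silently.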

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index c56577e..9a6361b 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -1,4 +1,4 @@
-policy_module(logging, 1.21.2)
+policy_module(logging, 1.21.3)
 
 ########################################
 #


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2014-10-12  8:27 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2014-10-12  8:27 UTC (permalink / raw
  To: gentoo-commits

commit:     206d478257fb5d42e7fe6f6808c7d7d349a282a9
Author:     Nicolas Iooss <nicolas.iooss <AT> m4x <DOT> org>
AuthorDate: Sat Aug 23 13:11:05 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Oct 12 08:24:37 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=206d4782

Fix minor typo in init.if

---
 policy/modules/system/init.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 36eb078..2b7793a 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -789,7 +789,7 @@ interface(`init_rw_initctl',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed access.
+##	Domain to not audit.
 ##	</summary>
 ## </param>
 #


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2014-10-12  9:13 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2014-10-12  9:13 UTC (permalink / raw
  To: gentoo-commits

commit:     eaef7e0bc37c62511400aaf136f8bb6e4e63241a
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Oct 12 08:38:37 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Oct 12 08:38:37 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=eaef7e0b

Add auth_pid_filetrans_pam_var_run

This interface allows a domain to create resources inside the generic
pid location (/var/run) and have them created with the pam_var_run_t
type.

---
 policy/modules/system/authlogin.if | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)

diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index 8225390..f20a6a6 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -1805,3 +1805,37 @@ interface(`auth_unconfined',`
 	typeattribute $1 can_write_shadow_passwords;
 	typeattribute $1 can_relabelto_shadow_passwords;
 ')
+
+# Should be in an ifdef distro_gentoo but that is not supported in the global if file
+
+########################################
+## <summary>
+##	Create specified objects in
+##	pid directories with the pam var
+##      run file type using a
+##      file type transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	Class of the object being created.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`auth_pid_filetrans_pam_var_run',`
+	gen_require(`
+		type pam_var_run_t;
+	')
+
+	files_pid_filetrans($1, pam_var_run_t, $2, $3)
+')
+
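Review bot: the summary lines `##      run file type using a` and `##      file type transition.` are indented with spaces where the rest of the block uses a tab, and the hunk appends an empty line at end of file; both are worth fixing before merge. The wrapper itself matches the `files_pid_filetrans($1, type, $2, $3)` signature, and the comment explaining that `ifdef(`distro_gentoo')` cannot be used in this .if file is worth keeping.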


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2014-10-31 15:32 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2014-10-31 15:32 UTC (permalink / raw
  To: gentoo-commits

commit:     3805de84f208d3e85057eab898de864af6128558
Author:     Nicolas Iooss <nicolas.iooss <AT> m4x <DOT> org>
AuthorDate: Sat Oct 18 13:30:21 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Oct 31 15:26:27 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=3805de84

Allow iw to create generic netlink sockets

iw uses a generic netlink socket to configure WiFi properties.  For
example, "strace iw dev wlan0 set power_save on" outputs:

    socket(PF_NETLINK, SOCK_RAW|SOCK_CLOEXEC, NETLINK_GENERIC) = 3
    setsockopt(3, SOL_SOCKET, SO_SNDBUF, [32768], 4) = 0
    setsockopt(3, SOL_SOCKET, SO_RCVBUF, [32768], 4) = 0
    bind(3, {sa_family=AF_NETLINK, pid=7836, groups=00000000}, 12) = 0

Some AVC denials are reported in audit.log:

    type=AVC msg=audit(1408829044.820:486): avc:  denied  { create } for
    pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t
    tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket
    permissive=1
    type=AVC msg=audit(1408829044.820:487): avc:  denied  { setopt } for
    pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t
    tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket
    permissive=1
    type=AVC msg=audit(1408829044.820:488): avc:  denied  { bind } for
    pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t
    tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket
    permissive=1
    type=AVC msg=audit(1408829044.820:489): avc:  denied  { getattr }
    for  pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t
    tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket
    permissive=1
    type=AVC msg=audit(1408829044.820:490): avc:  denied  { write } for
    pid=5950 comm="iw" scontext=system_u:system_r:ifconfig_t
    tcontext=system_u:system_r:ifconfig_t tclass=netlink_socket
    permissive=1

Allowing ifconfig_t to create generic netlink sockets fixes this.

(On a side note, the AVC denials were caused by TLP, a tool which
applies "laptop configuration" when switching between AC and battery
with the help of a udev script)

---
 policy/modules/system/sysnetwork.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index cb0922d..b95de37 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -276,6 +276,7 @@ allow ifconfig_t self:msg { send receive };
 allow ifconfig_t self:udp_socket create_socket_perms;
 # for /sbin/ip
 allow ifconfig_t self:packet_socket create_socket_perms;
+allow ifconfig_t self:netlink_socket create_socket_perms;
 allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms;
 allow ifconfig_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_read };
 allow ifconfig_t self:tcp_socket { create ioctl };
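Review bot: `netlink_socket` is the catch-all class for netlink families without a dedicated class, so the new rule grants more than NETLINK_GENERIC alone; within that class the grant is minimal, since the five denials quoted in the message (`create`, `setopt`, `bind`, `getattr`, `write`) all fall inside `create_socket_perms`. Add a `# for iw` comment in the style of the `# for /sbin/ip` line above so the reason is recorded next to the rule.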


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2014-10-31 15:32 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2014-10-31 15:32 UTC (permalink / raw
  To: gentoo-commits

commit:     25635ce6697a48861fa0f3021f79261f760b4d99
Author:     Nicolas Iooss <nicolas.iooss <AT> m4x <DOT> org>
AuthorDate: Sat Oct 18 13:30:22 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Oct 31 15:26:27 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=25635ce6

Use create_netlink_socket_perms when allowing netlink socket creation

create_netlink_socket_perms is defined as:

    { create_socket_perms nlmsg_read nlmsg_write }

This means that it is redundant to allow create_socket_perms and
nlmsg_read/nlmsg_write.

Clean up things without allowing anything new.

---
 policy/modules/system/ipsec.te      | 2 +-
 policy/modules/system/sysnetwork.te | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index db6d1c6..15d7caf 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -79,7 +79,7 @@ allow ipsec_t self:tcp_socket create_stream_socket_perms;
 allow ipsec_t self:udp_socket create_socket_perms;
 allow ipsec_t self:key_socket create_socket_perms;
 allow ipsec_t self:fifo_file read_fifo_file_perms;
-allow ipsec_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_write };
+allow ipsec_t self:netlink_xfrm_socket create_netlink_socket_perms;
 
 allow ipsec_t ipsec_initrc_exec_t:file read_file_perms;
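Review bot: the rewrite is permission-neutral only because `create_netlink_socket_perms` already contains `nlmsg_write` (the commit message quotes its definition as `{ create_socket_perms nlmsg_read nlmsg_write }`), so `ipsec_t` keeps exactly the access it had. Since all three hunks in this commit rely on that macro expansion, confirm it on the built policy with `sesearch -A -s ipsec_t -t ipsec_t -c netlink_xfrm_socket` before and after, so the "without allowing anything new" claim in the message is verified rather than assumed.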
 

diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index b95de37..f7dbde0 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -57,7 +57,7 @@ allow dhcpc_t self:fifo_file rw_fifo_file_perms;
 allow dhcpc_t self:tcp_socket create_stream_socket_perms;
 allow dhcpc_t self:udp_socket create_socket_perms;
 allow dhcpc_t self:packet_socket create_socket_perms;
-allow dhcpc_t self:netlink_route_socket { create_socket_perms nlmsg_read nlmsg_write };
+allow dhcpc_t self:netlink_route_socket create_netlink_socket_perms;
 
 allow dhcpc_t dhcp_etc_t:dir list_dir_perms;
 read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
@@ -278,7 +278,7 @@ allow ifconfig_t self:udp_socket create_socket_perms;
 allow ifconfig_t self:packet_socket create_socket_perms;
 allow ifconfig_t self:netlink_socket create_socket_perms;
 allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms;
-allow ifconfig_t self:netlink_xfrm_socket { create_netlink_socket_perms nlmsg_read };
+allow ifconfig_t self:netlink_xfrm_socket create_netlink_socket_perms;
 allow ifconfig_t self:tcp_socket { create ioctl };
 
 kernel_use_fds(ifconfig_t)


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2014-10-31 15:32 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2014-10-31 15:32 UTC (permalink / raw
  To: gentoo-commits

commit:     3c9fbd8f4568196a2e2685b5c66fddf7a68e5fb7
Author:     Nicolas Iooss <nicolas.iooss <AT> m4x <DOT> org>
AuthorDate: Sat Oct 18 13:30:20 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Oct 31 15:26:27 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=3c9fbd8f

Label /sbin/iw as ifconfig_exec_t

iw manpage says "iw - show / manipulate wireless devices and their
configuration".  Label this command ifconfig_exec_t to allow it to
manage wireless communication devices.

Debian installs iw in /sbin/iw, Fedora in /usr/sbin/iw and Arch Linux in
/usr/bin/iw (with /usr/sbin being a symlink to /usr/bin).

---
 policy/modules/system/sysnetwork.fc | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
index fa7a406..fbb935c 100644
--- a/policy/modules/system/sysnetwork.fc
+++ b/policy/modules/system/sysnetwork.fc
@@ -48,6 +48,7 @@ ifdef(`distro_redhat',`
 /sbin/ipx_configure	--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
 /sbin/ipx_interface	--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
 /sbin/ipx_internal_net	--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
+/sbin/iw		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
 /sbin/iwconfig		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
 /sbin/mii-tool		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
 /sbin/pump		--	gen_context(system_u:object_r:dhcpc_exec_t,s0)
@@ -56,6 +57,7 @@ ifdef(`distro_redhat',`
 #
 # /usr
 #
+/usr/sbin/iw		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
 /usr/sbin/tc		--	gen_context(system_u:object_r:ifconfig_exec_t,s0)
 
 #
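Review bot: only `/sbin/iw` and `/usr/sbin/iw` receive a file context, yet the commit message itself states that Arch Linux installs the binary at `/usr/bin/iw` with `/usr/sbin` a symlink to `/usr/bin`. File context specs match the real path, so on that layout the binary keeps the generic `bin_t` label and `ifconfig_t` is never entered. Add a `/usr/bin/iw -- gen_context(system_u:object_r:ifconfig_exec_t,s0)` entry as well.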


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2014-10-31 15:32 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2014-10-31 15:32 UTC (permalink / raw
  To: gentoo-commits

commit:     a5c43ef80182eb5bca681d78c1ca63f1fafb662b
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Thu Oct 23 12:50:18 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Oct 31 15:26:28 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=a5c43ef8

Add comment for iw generic netlink socket usage

---
 policy/modules/system/sysnetwork.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index f7dbde0..c4f1727 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -276,6 +276,8 @@ allow ifconfig_t self:msg { send receive };
 allow ifconfig_t self:udp_socket create_socket_perms;
 # for /sbin/ip
 allow ifconfig_t self:packet_socket create_socket_perms;
+# generic netlink socket for iw
+# socket(PF_NETLINK, SOCK_RAW|SOCK_CLOEXEC, NETLINK_GENERIC) = 3
 allow ifconfig_t self:netlink_socket create_socket_perms;
 allow ifconfig_t self:netlink_route_socket create_netlink_socket_perms;
 allow ifconfig_t self:netlink_xfrm_socket create_netlink_socket_perms;


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2014-10-31 15:32 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2014-10-31 15:32 UTC (permalink / raw
  To: gentoo-commits

commit:     212211fe7b76022b29cea95b3d087b9344ed3fa5
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Thu Oct 23 12:51:53 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Oct 31 15:26:28 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=212211fe

Module version bump for /sbin/iw support from Nicolas Iooss.

---
 policy/modules/system/sysnetwork.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index c4f1727..d053ee2 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -1,4 +1,4 @@
-policy_module(sysnetwork, 1.16.2)
+policy_module(sysnetwork, 1.16.3)
 
 ########################################
 #


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2014-11-02 14:53 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2014-11-02 14:53 UTC (permalink / raw
  To: gentoo-commits

commit:     dd35a2da47d070915720f579a180a10df2a8baad
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Nov  2 14:53:23 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Nov  2 14:53:23 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=dd35a2da

Support pam_rootok.so update in pam.d/run_init for integrated run_init support in openrc

---
 policy/modules/system/selinuxutil.te | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 4d6f5d9..0ad0479 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -648,7 +648,8 @@ ifdef(`distro_gentoo',`
 		class passwd { passwd chfn chsh rootok };
 	')
 
-	allow run_init_t self:passwd rootok;
+	# Needed to support pam_rootok.so even with integrated run_init support in openrc
+	allow run_init_t self:passwd { passwd rootok };
 
 	# Fix bug #512676
 	allow run_init_t self:process signal;
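Review bot: the comment justifies the extra `passwd` permission with pam_rootok.so, but pam_rootok.so only checks the `rootok` permission on the `passwd` class, which the old rule already granted. Name the PAM module or check that actually needs `passwd` (the password-change permission) so a reader can tell when the rule can be dropped again. The scope is `run_init_t` on itself, so the exposure is small, but the justification should be precise.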


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2014-11-02 15:08 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2014-11-02 15:08 UTC (permalink / raw
  To: gentoo-commits

commit:     ef453666f30146da245ea98fe97f4548b1fb5166
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Nov  2 15:08:33 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Nov  2 15:08:33 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=ef453666

Add auth_read_shadow for run_init_t to support pam-less openrc

---
 policy/modules/system/selinuxutil.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 0ad0479..1ba9d3c 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -655,6 +655,10 @@ ifdef(`distro_gentoo',`
 	allow run_init_t self:process signal;
 	allow run_init_t self:netlink_selinux_socket { create bind };
 
+	# Needed to support openrc with USE="-pam"
+	# TODO can we make this optional? is this a bad thing?
+	auth_read_shadow(run_init_t)
+
 	# Denials upon loading policy
 	fs_getattr_tmpfs(setfiles_t)
 	dev_getattr_fs(setfiles_t)
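Review bot: `auth_read_shadow(run_init_t)` grants read access to `shadow_t` unconditionally inside the `distro_gentoo` block, and the accompanying TODO already asks whether this can be made optional. Since the access is only needed for openrc built with USE="-pam", gate the call on a policy boolean via `tunable_policy` (or a build-time ifdef that tracks the pam USE flag) instead of giving every Gentoo `run_init_t` read access to password hashes, and resolve or track the TODO in a bug before merging.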


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2014-11-22 19:02 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2014-11-22 19:02 UTC (permalink / raw
  To: gentoo-commits

commit:     fe62598f2fb87fe0dfca34f82311ffd29df37795
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Nov 22 18:46:23 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Nov 22 18:46:23 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=fe62598f

Reshuffle and update with upstream

---
 policy/modules/system/init.if | 82 ++++++++++++++++++++++++-------------------
 1 file changed, 46 insertions(+), 36 deletions(-)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 2b7793a..99e42fc 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -150,39 +150,6 @@ interface(`init_ranged_domain',`
 
 ########################################
 ## <summary>
-##	Mark the file type as a daemon pid file, allowing initrc_t
-##	to create it
-## </summary>
-## <param name="filetype">
-##	<summary>
-##	Type to mark as a daemon pid file
-##	</summary>
-## </param>
-## <param name="class">
-##	<summary>
-##	Class on which the type is applied
-##	</summary>
-## </param>
-## <param name="filename">
-##	<summary>
-##	Filename of the file that the init script creates
-##	</summary>
-## </param>
-#
-interface(`init_daemon_pid_file',`
-	gen_require(`
-		attribute daemonpidfile;
-		type initrc_t;
-	')
-
-	typeattribute $1 daemonpidfile;
-
-	files_pid_file($1)
-	files_pid_filetrans(initrc_t, $1, $2, $3)
-')
-
-########################################
-## <summary>
 ##	Create a domain for long running processes
 ##	(daemons/services) which are started by init scripts.
 ## </summary>
@@ -421,16 +388,50 @@ interface(`init_ranged_system_domain',`
 
 ########################################
 ## <summary>
-##	Mark the type as a daemon run dir
+##	Mark the file type as a daemon pid file, allowing initrc_t
+##	to create it
 ## </summary>
-## <param name="rundirtype">
+## <param name="filetype">
+##	<summary>
+##	Type to mark as a daemon pid file
+##	</summary>
+## </param>
+## <param name="class">
+##	<summary>
+##	Class on which the type is applied
+##	</summary>
+## </param>
+## <param name="filename">
+##	<summary>
+##	Filename of the file that the init script creates
+##	</summary>
+## </param>
+#
+interface(`init_daemon_pid_file',`
+	gen_require(`
+		attribute daemonpidfile;
+		type initrc_t;
+	')
+
+	typeattribute $1 daemonpidfile;
+
+	files_pid_file($1)
+	files_pid_filetrans(initrc_t, $1, $2, $3)
+')
+
+########################################
+## <summary>
+##	Mark the file type as a daemon run dir, allowing initrc_t
+##	to create it
+## </summary>
+## <param name="filetype">
 ##	<summary>
 ##	Type to mark as a daemon run dir
 ##	</summary>
 ## </param>
 ## <param name="filename">
 ##	<summary>
-##	Name of the run dir directory
+##	Filename of the directory that the init script creates
 ##	</summary>
 ## </param>
 #
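Review bot: the run-dir interface's summary and parameter change from `Mark the type as a daemon run dir` / `rundirtype` to `Mark the file type as a daemon run dir, allowing initrc_t to create it` / `filetype`, but the body that would implement the `initrc_t` file transition lies outside this hunk; check that the body actually calls a filetrans pattern for `initrc_t`, otherwise the new documentation promises more than the interface does. The moved `init_daemon_pid_file` block is byte-identical to the removed one, so that part is a pure reorder.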
@@ -843,6 +844,14 @@ interface(`init_spec_domtrans_script',`
 	files_list_etc($1)
 	spec_domtrans_pattern($1, initrc_exec_t, initrc_t)
 
+	ifdef(`distro_gentoo',`
+		gen_require(`
+			type rc_exec_t;
+		')
+
+		domtrans_pattern($1, rc_exec_t, initrc_t)
+	')
+
 	ifdef(`enable_mcs',`
 		range_transition $1 initrc_exec_t:process s0;
 	')
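Review bot: the Gentoo block added to `init_spec_domtrans_script` uses `domtrans_pattern($1, rc_exec_t, initrc_t)`, which installs an automatic `type_transition`, whereas this is the spec variant of the interface and uses `spec_domtrans_pattern($1, initrc_exec_t, initrc_t)` two lines above, meaning the transition must be requested explicitly by the caller. Use `spec_domtrans_pattern($1, rc_exec_t, initrc_t)` here so `rc_exec_t` behaves like `initrc_exec_t` for callers that chose the non-automatic interface; the automatic form already lives in `init_domtrans_script` (next hunk).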
@@ -882,6 +891,7 @@ interface(`init_domtrans_script',`
 		gen_require(`
 			type rc_exec_t;
 		')
+
 		domtrans_pattern($1, rc_exec_t, initrc_t)
 	')
 ')


* [gentoo-commits] proj/hardened-refpolicy:bitcoin commit in: policy/modules/system/
@ 2014-11-23 14:06 Sven Vermeulen
  2014-11-22 19:02 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
  0 siblings, 1 reply; 705+ messages in thread
From: Sven Vermeulen @ 2014-11-23 14:06 UTC (permalink / raw
  To: gentoo-commits

commit:     d634f3732a6e8ce11f31f6cda00e2be5d48e8276
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Nov 22 18:34:23 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Nov 22 18:34:23 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=d634f373

Bad whitespace but matches upstream

---
 policy/modules/system/authlogin.if | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index f20a6a6..03c567a 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -1767,9 +1767,9 @@ interface(`auth_relabel_login_records',`
 ## <infoflow type="both" weight="10"/>
 #
 interface(`auth_use_nsswitch',`
-	gen_require(`
-		attribute nsswitch_domain;
-	')
+    gen_require(`
+        attribute nsswitch_domain;
+    ')
 
 	typeattribute $1 nsswitch_domain;
 ')
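Review bot: the three replaced lines switch from tabs to four-space indentation while `typeattribute $1 nsswitch_domain;` directly below keeps a tab, leaving `auth_use_nsswitch` with mixed indentation. The commit message acknowledges this matches upstream byte for byte; the mismatch is still worth reporting upstream so both trees can return to tabs instead of carrying the inconsistency.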


* [gentoo-commits] proj/hardened-refpolicy:initrd commit in: policy/modules/system/
@ 2014-11-26 16:22 Jason Zaman
  2014-11-27  8:31 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
  0 siblings, 1 reply; 705+ messages in thread
From: Jason Zaman @ 2014-11-26 16:22 UTC (permalink / raw
  To: gentoo-commits

commit:     30ac48af98cd4789dcfcb897a969d51233844db4
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Nov 25 20:04:56 2014 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Wed Nov 26 12:28:11 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=30ac48af

Allow admin users to manage user tmp chr_files

Needed when building initrds.

---
 policy/modules/system/userdomain.if | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index eba23be..1d5370c 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1249,6 +1249,8 @@ template(`userdom_admin_user_template',`
 		allow $1_t self:netlink_kobject_uevent_socket create_socket_perms;
 		# Moved out of files_relabel_non_auth_files as it cannot be used in tunable_policy otherwise
 		seutil_relabelto_bin_policy($1_t)
+		# allow to manage chr_files in user_tmp (for initrd's)
+		userdom_manage_user_tmp_chr_files($1_t)
 	')
 ')
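Review bot: `userdom_manage_user_tmp_chr_files` is defined in a separate commit (3f6c14f9, whose `index 16a95cc..eba23be` is this hunk's parent `eba23be`), so the two must land together or the policy build fails on an undefined interface. The comment `# allow to manage chr_files in user_tmp (for initrd's)` would read better as `# manage character device nodes in user_tmp_t (needed when building initrds)`.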
 


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2014-11-27  8:31 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2014-11-27  8:31 UTC (permalink / raw
  To: gentoo-commits

commit:     3f6c14f9b89350b60e83e5f7764b7a095df7b005
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Nov 25 20:00:07 2014 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Wed Nov 26 12:28:11 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=3f6c14f9

Introduce userdom_manage_user_tmp_chr_files interface

---
 policy/modules/system/userdomain.if | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 16a95cc..eba23be 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -3630,3 +3630,23 @@ interface(`userdom_manage_all_user_home_content',`
 	manage_fifo_files_pattern($1, user_home_content_type, user_home_content_type)
 	manage_sock_files_pattern($1, user_home_content_type, user_home_content_type)
 ')
+
+########################################
+## <summary>
+##	Create, read, write, and delete user
+##	temporary character files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_manage_user_tmp_chr_files',`
+	gen_require(`
+		type user_tmp_t;
+	')
+
+	manage_chr_files_pattern($1, user_tmp_t, user_tmp_t)
+	files_search_tmp($1)
+')
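Review bot: the summary `Create, read, write, and delete user temporary character files.` should say character device files, matching `chr_files` in the interface name and the `manage_chr_files_pattern` call; the rest of the interface follows the surrounding ones (`gen_require`, pattern macro, `files_search_tmp`).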


* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
@ 2014-11-28 10:04 Sven Vermeulen
  2014-11-22 19:02 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
  0 siblings, 1 reply; 705+ messages in thread
From: Sven Vermeulen @ 2014-11-28 10:04 UTC (permalink / raw
  To: gentoo-commits

commit:     5972047d8963d9fc145f34156e9078a40b7f3c1f
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Nov 22 18:35:21 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Nov 22 18:35:21 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=5972047d

Remove ifdef distro, pwd lock is now part of upstream

---
 policy/modules/system/authlogin.fc | 2 --
 1 file changed, 2 deletions(-)

diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
index bc3f7dc..2479587 100644
--- a/policy/modules/system/authlogin.fc
+++ b/policy/modules/system/authlogin.fc
@@ -1,9 +1,7 @@
 
 /bin/login		--	gen_context(system_u:object_r:login_exec_t,s0)
 
-ifndef(`distro_gentoo',`
 /etc/\.pwd\.lock	--	gen_context(system_u:object_r:shadow_t,s0)
-')
 /etc/group\.lock	--	gen_context(system_u:object_r:shadow_t,s0)
 /etc/gshadow.*		--	gen_context(system_u:object_r:shadow_t,s0)
 /etc/passwd\.lock	--	gen_context(system_u:object_r:shadow_t,s0)


* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
@ 2014-11-28 10:04 Sven Vermeulen
  2014-11-22 19:02 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
  0 siblings, 1 reply; 705+ messages in thread
From: Sven Vermeulen @ 2014-11-28 10:04 UTC (permalink / raw
  To: gentoo-commits

commit:     9d229675d7084facc9592f1ddab5f976337524f4
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Nov 22 18:47:27 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Nov 22 18:47:27 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=9d229675

Whitespace according to upstream

---
 policy/modules/system/ipsec.fc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
index 46d232a..082ce47 100644
--- a/policy/modules/system/ipsec.fc
+++ b/policy/modules/system/ipsec.fc
@@ -14,9 +14,9 @@
 
 /usr/lib/ipsec/_plutoload	-- 	gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
 /usr/lib/ipsec/_plutorun	--	gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
-/usr/lib/ipsec/eroute	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
+/usr/lib/ipsec/eroute		--	gen_context(system_u:object_r:ipsec_exec_t,s0)
 /usr/lib/ipsec/klipsdebug	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
-/usr/lib/ipsec/pluto	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
+/usr/lib/ipsec/pluto		--	gen_context(system_u:object_r:ipsec_exec_t,s0)
 /usr/lib/ipsec/spi		--	gen_context(system_u:object_r:ipsec_exec_t,s0)
 
 /usr/libexec/ipsec/_plutoload	-- 	gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)


* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
@ 2014-11-28 10:04 Sven Vermeulen
  2014-11-27 21:01 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
  0 siblings, 1 reply; 705+ messages in thread
From: Sven Vermeulen @ 2014-11-28 10:04 UTC (permalink / raw
  To: gentoo-commits

commit:     8a743e507cd42248d705907e7bcb42e268bfab9a
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Nov 27 21:00:38 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Nov 27 21:00:38 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=8a743e50

Fix bug 530918 - Allow lvm_t socket creation perms to handle cryptsetup luksFormat

---
 policy/modules/system/lvm.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index c9fba08..a5952f7 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -361,6 +361,9 @@ ifdef(`distro_gentoo',`
 	# Local lvm policy
 	#
 
+	# cryptsetup support bug 530918
+	allow lvm_t self:socket create_stream_socket_perms;
+
 	create_dirs_pattern(lvm_t, lvm_etc_t, lvm_metadata_t)
 	filetrans_pattern(lvm_t, lvm_etc_t, lvm_metadata_t, dir, "cache")
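Review bot: `allow lvm_t self:socket create_stream_socket_perms;` is on the generic `socket` class, which catches every address family without a dedicated SELinux class, so the comment `# cryptsetup support bug 530918` should state which family cryptsetup opens (if this is the kernel crypto API socket, AF_ALG, say so). `create_stream_socket_perms` also includes `listen` and `accept`; either justify the full set in the comment or narrow the rule to the permissions the AVCs in the bug actually show.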
 


* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
@ 2014-11-28 10:04 Sven Vermeulen
  2014-11-27 21:59 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
  0 siblings, 1 reply; 705+ messages in thread
From: Sven Vermeulen @ 2014-11-28 10:04 UTC (permalink / raw
  To: gentoo-commits

commit:     b86c4b022307c8477a9373e0677b9eb51240e71b
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Nov 27 21:58:05 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Nov 27 21:58:05 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=b86c4b02

Fix bug #529430 - Various policy fixes to support lvmetad, dmeventd/lvm-monitoring

---
 policy/modules/system/lvm.fc | 9 +++++++++
 policy/modules/system/lvm.te | 5 +++++
 2 files changed, 14 insertions(+)

diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc
index 13a5759..ea5ba34 100644
--- a/policy/modules/system/lvm.fc
+++ b/policy/modules/system/lvm.fc
@@ -105,3 +105,12 @@ ifdef(`distro_gentoo',`
 /var/lock/lvm(/.*)?		gen_context(system_u:object_r:lvm_lock_t,s0)
 /var/run/multipathd\.sock -s	gen_context(system_u:object_r:lvm_var_run_t,s0)
 /var/run/dmevent.*		gen_context(system_u:object_r:lvm_var_run_t,s0)
+
+ifdef(`distro_gentoo',`
+# Bug 529430 comment 7
+/sbin/lvmetad		--	gen_context(system_u:object_r:lvm_exec_t,s0)
+/var/run/lvm(/.*)?		gen_context(system_u:object_r:lvm_var_run_t,s0)
+
+# Bug 529430 comment 8
+/sbin/dmeventd		--	gen_context(system_u:object_r:lvm_exec_t,s0)
+')

diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index a5952f7..a1485fb 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -365,6 +365,11 @@ ifdef(`distro_gentoo',`
 	allow lvm_t self:socket create_stream_socket_perms;
 
 	create_dirs_pattern(lvm_t, lvm_etc_t, lvm_metadata_t)
+	# Bug 529430 comment 6
+	create_dirs_pattern(lvm_t, lvm_etc_t, lvm_etc_t)
+	# BUg 529430 comment 8
+	manage_fifo_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t)
+
 	filetrans_pattern(lvm_t, lvm_etc_t, lvm_metadata_t, dir, "cache")
 
 	kernel_request_load_module(lvm_t)
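Review bot: typo in the new comment `# BUg 529430 comment 8` (`Bug`). Both new comments cite only bug comments; state the access in words (e.g. that lvm_t creates directories under `lvm_etc_t` and manages fifo files in `lvm_var_run_t` for dmeventd) so the rules are understandable without the bug tracker.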


* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
@ 2014-11-28 10:04 Sven Vermeulen
  2014-11-28  9:40 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
  0 siblings, 1 reply; 705+ messages in thread
From: Sven Vermeulen @ 2014-11-28 10:04 UTC (permalink / raw
  To: gentoo-commits

commit:     91a3d6f2a32354213d8da990af4b77e6680a5fc5
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Nov 28 09:39:33 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Nov 28 09:39:33 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=91a3d6f2

Fix bug 530898 - Enable netlink interaction from dhcpcd

---
 policy/modules/system/sysnetwork.te | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index d053ee2..3576536 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -402,6 +402,12 @@ ifdef(`distro_gentoo',`
 	# Fixes bug 468874
 	allow dhcpc_t self:rawip_socket create_socket_perms;
 
+	# Fixes bug 530898
+	allow dhcpc_t self:netlink_kobject_uevent_socket client_stream_socket_perms;
+	# Also mentioned as AVCs in bug 530898. Not certain if this is needed but considering
+	# the dhcpc_t use case we currently allow it
+	allow dhcpc_t self:netlink_socket client_stream_socket_perms;
+
 	# Allow dhcpcd to set its control sockets
 	allow dhcpc_t dhcpc_var_run_t:sock_file manage_sock_file_perms;
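Review bot: the second rule, `allow dhcpc_t self:netlink_socket client_stream_socket_perms;`, is added with a comment admitting it is not known to be needed. `netlink_socket` is the catch-all class for netlink protocols without a dedicated class, so identify the protocol from the AVC or an strace of dhcpcd before granting it (the iw comment earlier in this file records `socket(PF_NETLINK, SOCK_RAW|SOCK_CLOEXEC, NETLINK_GENERIC)` for exactly this purpose) and either drop the rule or document the protocol. The `netlink_kobject_uevent_socket` rule is self-documenting because its class names the protocol.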
 


* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
@ 2014-11-28 11:16 Sven Vermeulen
  2014-11-28 11:14 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
  0 siblings, 1 reply; 705+ messages in thread
From: Sven Vermeulen @ 2014-11-28 11:16 UTC (permalink / raw
  To: gentoo-commits

commit:     dcb74d6325828450be6f367f787b0494ed32c7d9
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Nov 28 11:13:48 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Nov 28 11:13:48 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=dcb74d63

Add file context definitions for dhcpcd sockets

---
 policy/modules/system/sysnetwork.fc | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
index fbb935c..a809d61 100644
--- a/policy/modules/system/sysnetwork.fc
+++ b/policy/modules/system/sysnetwork.fc
@@ -80,3 +80,7 @@ ifdef(`distro_debian',`
 /var/run/network(/.*)?	gen_context(system_u:object_r:net_conf_t,s0)
 ')
 
+ifdef(`distro_gentoo',`
+/var/run/dhcpcd\.sock	-s	gen_context(system_u:object_r:dhcpc_var_run_t,s0)
+/var/run/dhcpcd\.unpriv\.sock	-s	gen_context(system_u:object_r:dhcpc_var_run_t,s0)
+')


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2014-12-04  1:46 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2014-12-04  1:46 UTC (permalink / raw
  To: gentoo-commits

commit:     b04ee12b1c1d655edf30f74d7863d1b41805b60a
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Wed Dec  3 18:37:02 2014 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Wed Dec  3 20:32:15 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=b04ee12b

Module version bump for module store move from Steve Lawrence.

---
 policy/modules/system/selinuxutil.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index bc7e245..55fd4de 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -1,4 +1,4 @@
-policy_module(selinuxutil, 1.18.1)
+policy_module(selinuxutil, 1.18.2)
 
 gen_require(`
 	bool secure_mode;


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2014-12-04  1:46 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2014-12-04  1:46 UTC (permalink / raw
  To: gentoo-commits

commit:     4270746b108fd90b377127c6f20998af640a4869
Author:     Steve Lawrence <slawrence <AT> tresys <DOT> com>
AuthorDate: Wed Dec  3 14:55:26 2014 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Wed Dec  3 20:32:15 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=4270746b

Update policy for selinux userspace moving the policy store to /var/lib/selinux

With the new userspace, the only files in /var/lib/selinux are selinux
store related files, so label it and everything inside it as
semanage_store_t. semanage_var_lib_t is completely removed and now
aliases semanage_store_t for backwards compatibility. This differs from
the v2 patch in that it adds back the ability to manage
selinux_config_t, which is necessary to manage the old module store for
things like migrating from the old to new store and backwards
compatibility.

Signed-off-by: Steve Lawrence <slawrence <AT> tresys.com>

---
 policy/modules/system/selinuxutil.fc | 5 ++++-
 policy/modules/system/selinuxutil.if | 2 ++
 policy/modules/system/selinuxutil.te | 8 +-------
 3 files changed, 7 insertions(+), 8 deletions(-)

diff --git a/policy/modules/system/selinuxutil.fc b/policy/modules/system/selinuxutil.fc
index f37652d..59ae92a 100644
--- a/policy/modules/system/selinuxutil.fc
+++ b/policy/modules/system/selinuxutil.fc
@@ -41,11 +41,14 @@
 /usr/sbin/setsebool		--	gen_context(system_u:object_r:semanage_exec_t,s0)
 /usr/sbin/semanage		--	gen_context(system_u:object_r:semanage_exec_t,s0)
 /usr/sbin/semodule		--	gen_context(system_u:object_r:semanage_exec_t,s0)
+/usr/libexec/selinux/semanage_migrate_store		--	gen_context(system_u:object_r:semanage_exec_t,s0)
 
 #
 # /var/lib
 #
-/var/lib/selinux(/.*)?			gen_context(system_u:object_r:semanage_var_lib_t,s0)
+/var/lib/selinux(/.*)?			gen_context(system_u:object_r:semanage_store_t,s0)
+/var/lib/selinux/[^/]+/semanage\.read\.LOCK -- gen_context(system_u:object_r:semanage_read_lock_t,s0)
+/var/lib/selinux/[^/]+/semanage\.trans\.LOCK -- gen_context(system_u:object_r:semanage_trans_lock_t,s0)
 
 #
 # /var/run
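Review bot: the new `/usr/libexec/selinux/semanage_migrate_store` line uses two tabs before `--`, which no longer aligns with the block, and sits among the `/usr/sbin` entries rather than in a `/usr/libexec` group; the two lock-file contexts use single spaces as separators while the rest of the file uses tabs. Worth normalising, given that the `.fc` files on this page otherwise receive dedicated whitespace commits.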

diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
index bee06f4..129a6e0 100644
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
@@ -1041,7 +1041,9 @@ interface(`seutil_manage_module_store',`
 	')
 
 	files_search_etc($1)
+	files_search_var($1)
 	manage_dirs_pattern($1, selinux_config_t, semanage_store_t)
+	manage_dirs_pattern($1, semanage_store_t, semanage_store_t)
 	manage_files_pattern($1, semanage_store_t, semanage_store_t)
 	manage_lnk_files_pattern($1, semanage_store_t, semanage_store_t)
 ')
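Review bot: `files_search_var($1)` grants search only on `var_t`; reaching `/var/lib/selinux` also requires search on `/var/lib` (`var_lib_t`), so either add `files_search_var_lib($1)` here or confirm callers obtain it elsewhere. The new `manage_dirs_pattern($1, semanage_store_t, semanage_store_t)` is right for nested store directories now that the store itself is `semanage_store_t`, and keeping the `selinux_config_t` parent pattern matches the commit message's point about managing the legacy `/etc/selinux` store.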

diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 1ba9d3c..bc7e245 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -100,7 +100,7 @@ application_domain(semanage_t, semanage_exec_t)
 domain_interactive_fd(semanage_t)
 role semanage_roles types semanage_t;
 
-type semanage_store_t;
+type semanage_store_t alias semanage_var_lib_t;
 files_type(semanage_store_t)
 
 type semanage_read_lock_t;
@@ -112,9 +112,6 @@ files_tmp_file(semanage_tmp_t)
 type semanage_trans_lock_t;
 files_type(semanage_trans_lock_t)
 
-type semanage_var_lib_t;
-files_type(semanage_var_lib_t)
-
 type setfiles_t alias restorecon_t, can_relabelto_binary_policy;
 type setfiles_exec_t alias restorecon_exec_t;
 init_system_domain(setfiles_t, setfiles_exec_t)
@@ -456,9 +453,6 @@ allow semanage_t semanage_tmp_t:dir manage_dir_perms;
 allow semanage_t semanage_tmp_t:file manage_file_perms;
 files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
 
-manage_dirs_pattern(semanage_t, semanage_var_lib_t, semanage_var_lib_t)
-manage_files_pattern(semanage_t, semanage_var_lib_t, semanage_var_lib_t)
-
 kernel_read_system_state(semanage_t)
 kernel_read_kernel_sysctls(semanage_t)
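Review bot: dropping these two patterns is only safe if semanage_t already receives manage rights on semanage_store_t elsewhere in this file (for example through seutil_manage_module_store(semanage_t)); because of the alias added above, rules on semanage_var_lib_t and semanage_store_t are now the same rules, so nothing is lost only if that other grant exists. Worth confirming on the built policy with `sesearch -A -s semanage_t -t semanage_store_t -c dir -p create`.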
 


^ permalink raw reply related	[flat|nested] 705+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2014-12-15 18:40 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2014-12-15 18:40 UTC (permalink / raw
  To: gentoo-commits

commit:     538e55cdbf09b5d47ce328ce1da7064487323efc
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Nov 11 15:58:55 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Dec 15 18:37:59 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=538e55cd

Add support for init_script_readable

---
 policy/modules/system/init.if | 18 ++++++++++++++++++
 policy/modules/system/init.te |  6 ++++++
 2 files changed, 24 insertions(+)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 99e42fc..4d923d6 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1916,3 +1916,21 @@ interface(`init_relabelto_script_state',`
 	relabelto_files_pattern($1, initrc_state_t, initrc_state_t)
 	relabelto_dirs_pattern($1, initrc_state_t, initrc_state_t)
 ')
+
+#########################################
+## <summary>
+##	Mark as a readable type for the initrc_t domain
+## </summary>
+## <param name="type">
+##	<summary>
+##	Type that initrc_t needs read access to
+##	</summary>
+## </param>
+#
+interface(`init_script_readable_type',`
+	gen_require(`
+		attribute init_script_readable;
+	')
+
+	typeattribute $1 init_script_readable;
+')
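Review bot: the attribute init_script_readable is declared inside ifdef(`distro_gentoo') in init.te (see the init.te hunk below), but this interface is not guarded the same way, so any module calling init_script_readable_type() on a non-Gentoo build will fail at link time on an undeclared attribute. Either wrap the interface body in the same ifdef or declare the attribute unconditionally. The commit title also refers to init_script_readable while the interface is named init_script_readable_type; use one name for both.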

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 04b07e1..5d83a49 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -935,12 +935,18 @@ optional_policy(`
 ')
 
 ifdef(`distro_gentoo',`
+	# Attribute to assign to types that the initrc_t domain needs read access to
+	attribute init_script_readable;
+
 	#####################################
 	#
 	# Local initrc_t policy
 	#
 	allow initrc_t self:capability sys_admin;
 
+	read_files_pattern(initrc_t, init_script_readable, init_script_readable)
+	read_lnk_files_pattern(initrc_t, init_script_readable, init_script_readable)
+
 	manage_dirs_pattern(initrc_t, initrc_var_run_t, initrc_var_run_t)
 	files_pid_filetrans(initrc_t, initrc_var_run_t, dir)
 



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2014-12-30 20:43 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2014-12-30 20:43 UTC (permalink / raw
  To: gentoo-commits

commit:     90bfde5dce608aa910e0e0e7db0af6c5dda0cb21
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Dec 30 20:43:20 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Dec 30 20:43:20 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=90bfde5d

Grant all PAM using applications read access to SELinux state

---
 policy/modules/system/authlogin.if | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index f05d7bf..6aac59c 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -80,6 +80,13 @@ interface(`auth_use_pam',`
 	optional_policy(`
 		nis_authenticate($1)
 	')
+
+	ifdef(`distro_gentoo',`
+		# pam_unix.so only calls unix_chkpwd if geteuid <> 0 or if SELinux is enabled.
+		# So we need to grant it the proper privileges to check if SELinux is enabled
+		selinux_getattr_fs($1)
+		selinux_get_enforce_mode($1)
+	')
 ')
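Review bot: the comment should read `geteuid() != 0` rather than `<>`, and the rationale it states (pam_unix.so invoking unix_chkpwd whenever SELinux is enabled) is upstream pam_unix behaviour rather than anything Gentoo-specific, so these two calls belong in the unconditional body of auth_use_pam() and are a candidate for upstreaming instead of living under ifdef(`distro_gentoo').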
 
 ########################################


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2015-01-25 13:50 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2015-01-25 13:50 UTC (permalink / raw
  To: gentoo-commits

commit:     e19b8a6df341e3dc10334f39c5ffed42035da210
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Jan 25 13:49:11 2015 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Jan 25 13:49:11 2015 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=e19b8a6d

Allow dhcpc_script_t to create /run/dhcpcd directory, otherwise resolv.conf generation fails

---
 policy/modules/system/sysnetwork.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index b65117e..e5c63d6 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -455,6 +455,7 @@ ifdef(`distro_gentoo',`
 	files_tmp_filetrans(dhcpc_script_t, dhcpc_script_tmp_t, { file dir })
 
 	manage_files_pattern(dhcpc_script_t, dhcpc_var_run_t, dhcpc_var_run_t)
+	create_dirs_pattern(dhcpc_script_t, dhcpc_var_run_t, dhcpc_var_run_t)
 	files_pid_filetrans(dhcpc_script_t, dhcpc_var_run_t, { file dir })
 
 	kernel_read_network_state(dhcpc_script_t)
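Review bot: create_dirs_pattern() grants creation but not removal of the dhcpc_var_run_t directory; if the dhcpcd hook also removes /run/dhcpcd on shutdown, this will come back as an rmdir denial and manage_dirs_pattern() is the better fit. The files_pid_filetrans() on the following line already covers the dir class, so the label on the created directory is correct.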


* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
@ 2015-01-29  8:38 Jason Zaman
  2015-01-29  9:12 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
  0 siblings, 1 reply; 705+ messages in thread
From: Jason Zaman @ 2015-01-29  8:38 UTC (permalink / raw
  To: gentoo-commits

commit:     996d64d63da9b3510b66053b8a82fd0bce7ac3fc
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Jan 20 14:21:00 2015 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Thu Jan 29 08:03:50 2015 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=996d64d6

udev: allow netlink_socket perms

udev needs these perms for CRDA communication (Central Regulatory Domain
Agent for wifi)

type=AVC msg=audit(1421753429.771:3718): avc:  denied  { create } for
pid=28698 comm="crda" scontext=system_u:system_r:udev_t
tcontext=system_u:system_r:udev_t tclass=netlink_socket permissive=1
type=AVC msg=audit(1421753429.771:3719): avc:  denied  { setopt } for
pid=28698 comm="crda" scontext=system_u:system_r:udev_t
tcontext=system_u:system_r:udev_t tclass=netlink_socket permissive=1
type=AVC msg=audit(1421753429.771:3720): avc:  denied  { bind } for
pid=28698 comm="crda" scontext=system_u:system_r:udev_t
tcontext=system_u:system_r:udev_t tclass=netlink_socket permissive=1
type=AVC msg=audit(1421753429.771:3721): avc:  denied  { getattr } for
pid=28698 comm="crda" scontext=system_u:system_r:udev_t
tcontext=system_u:system_r:udev_t tclass=netlink_socket permissive=1
type=AVC msg=audit(1421753429.771:3722): avc:  denied  { write } for
pid=28698 comm="crda" scontext=system_u:system_r:udev_t
tcontext=system_u:system_r:udev_t tclass=netlink_socket permissive=1
type=AVC msg=audit(1421753429.771:3723): avc:  denied  { read } for
pid=28698 comm="crda" scontext=system_u:system_r:udev_t
tcontext=system_u:system_r:udev_t tclass=netlink_socket permissive=1

---
 policy/modules/system/udev.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 78e4328..d4d77f2 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -334,6 +334,8 @@ ifdef(`distro_gentoo',`
 
 	# needed for predictable network interfaces naming
 	allow udev_t self:netlink_route_socket rw_netlink_socket_perms;
+	# needed for crda, bug #538110
+	allow udev_t self:netlink_socket create_socket_perms;
 
 	manage_dirs_pattern(udev_t, udev_tbl_t, udev_tbl_t)
 	manage_files_pattern(udev_t, udev_tbl_t, udev_tbl_t)
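Review bot: create_socket_perms covers exactly the six permissions in the quoted audit log (create, setopt, bind, getattr, write, read), so the grant is no wider than the denials show. It would help a later reader if the comment said that the AVCs are on the generic netlink_socket class, not a family-specific class such as the netlink_route_socket on the line above; that is why this is a separate rule rather than an extension of the existing one.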


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2015-01-29  9:12 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2015-01-29  9:12 UTC (permalink / raw
  To: gentoo-commits

commit:     a0f63a5ebdaa7a52d2ea96dc1f3299f741313f93
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Jan 20 14:31:35 2015 +0000
Commit:     Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Thu Jan 29 08:32:53 2015 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=a0f63a5e

init: needs access to networkmanager rawip sockets

---
 policy/modules/system/init.te | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 5d83a49..c265e53 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -977,6 +977,11 @@ ifdef(`distro_gentoo',`
 	')
 
 	optional_policy(`
+		networkmanager_rw_rawip_sockets(initrc_t)
+		networkmanager_stream_connect(initrc_t)
+	')
+
+	optional_policy(`
 		fail2ban_stream_connect(initrc_t)
 	')
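Review bot: add a one-line comment above the new optional_policy block saying what in the init scripts needs NetworkManager's raw IP sockets and its stream socket (the commit title mentions only rawip), matching the style of the neighbouring blocks; without it, a grant to initrc_t, which is already a broad domain, is hard to justify or to remove later.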
 


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2015-01-29 20:51 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2015-01-29 20:51 UTC (permalink / raw
  To: gentoo-commits

commit:     b3c2077a4cbaefff55da8c50baf3a8e24c1f0c67
Author:     Steve Lawrence <slawrence <AT> tresys <DOT> com>
AuthorDate: Tue Dec  2 16:27:14 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Jan 29 20:49:31 2015 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=b3c2077a

Remove optional else block for dhcp ping

Else blocks with optional statements are not supported in CIL.
Currently, if the pp to CIL compiler comes across one of these in a pp
module, it just drops the block and outputs a warning. Fortunately,
these are very rare. In fact, this is the only place in refpolicy where
an optional else block is used, and it is not clear if it is even
needed. This patch is untested, and is more to spark discussions to see
if there are any thoughts about whether or not this piece of policy is
needed.

Signed-off-by: Steve Lawrence <slawrence <AT> tresys.com>

---
 policy/modules/system/sysnetwork.te | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index e5c63d6..0e8ff59 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -197,9 +197,6 @@ optional_policy(`
 optional_policy(`
 	netutils_run_ping(dhcpc_t, dhcpc_roles)
 	netutils_run(dhcpc_t, dhcpc_roles)
-',`
-	allow dhcpc_t self:capability setuid;
-	allow dhcpc_t self:rawip_socket create_socket_perms;
 ')
 
 optional_policy(`
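Review bot: removing the else branch means a build without the netutils module leaves dhcpc_t with neither setuid nor rawip_socket; since the commit message calls this untested, at minimum confirm that netutils is part of the module set the Gentoo policy ships, or move the two rules into the unconditional part of the dhcpc_t policy if the capability is needed regardless of ping.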


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2015-01-29 20:51 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2015-01-29 20:51 UTC (permalink / raw
  To: gentoo-commits

commit:     63f35813f4832aedc169d2db322ac09669f7345e
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Mon Jan 12 13:45:58 2015 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Jan 29 20:49:33 2015 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=63f35813

Module version bump for optional else block removal from Steve Lawrence.

---
 policy/modules/system/sysnetwork.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 0e8ff59..fc0ed62 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -1,4 +1,4 @@
-policy_module(sysnetwork, 1.17.0)
+policy_module(sysnetwork, 1.17.1)
 
 ########################################
 #


* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
@ 2015-02-09  9:55 Jason Zaman
  2015-02-09 18:33 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
  0 siblings, 1 reply; 705+ messages in thread
From: Jason Zaman @ 2015-02-09  9:55 UTC (permalink / raw
  To: gentoo-commits

commit:     1d291587f6308317bfd3a37227a00d68092e9c40
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Feb  9 08:40:08 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb  9 09:52:54 2015 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=1d291587

Revert "Reshuffle and update with upstream"

This reverts commit fe62598f2fb87fe0dfca34f82311ffd29df37795.

The domtrans pattern part broke openrc without run_init; that part relies on being in the run_init domain and then does the transition. This was transitioning directly into initrc_t, but that does not work with being in sysadm_r.

---
 policy/modules/system/init.if | 82 +++++++++++++++++++------------------------
 1 file changed, 36 insertions(+), 46 deletions(-)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 4d923d6..7cdf3a8 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -150,6 +150,39 @@ interface(`init_ranged_domain',`
 
 ########################################
 ## <summary>
+##	Mark the file type as a daemon pid file, allowing initrc_t
+##	to create it
+## </summary>
+## <param name="filetype">
+##	<summary>
+##	Type to mark as a daemon pid file
+##	</summary>
+## </param>
+## <param name="class">
+##	<summary>
+##	Class on which the type is applied
+##	</summary>
+## </param>
+## <param name="filename">
+##	<summary>
+##	Filename of the file that the init script creates
+##	</summary>
+## </param>
+#
+interface(`init_daemon_pid_file',`
+	gen_require(`
+		attribute daemonpidfile;
+		type initrc_t;
+	')
+
+	typeattribute $1 daemonpidfile;
+
+	files_pid_file($1)
+	files_pid_filetrans(initrc_t, $1, $2, $3)
+')
+
+########################################
+## <summary>
 ##	Create a domain for long running processes
 ##	(daemons/services) which are started by init scripts.
 ## </summary>
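Review bot: this hunk and the next only move init_daemon_pid_file back to its old position in the file; since the commit message identifies the domtrans_pattern change as the only breaking part, reverting just that hunk would have avoided churning the interface ordering that the following commit immediately re-applies.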
@@ -388,50 +421,16 @@ interface(`init_ranged_system_domain',`
 
 ########################################
 ## <summary>
-##	Mark the file type as a daemon pid file, allowing initrc_t
-##	to create it
+##	Mark the type as a daemon run dir
 ## </summary>
-## <param name="filetype">
-##	<summary>
-##	Type to mark as a daemon pid file
-##	</summary>
-## </param>
-## <param name="class">
-##	<summary>
-##	Class on which the type is applied
-##	</summary>
-## </param>
-## <param name="filename">
-##	<summary>
-##	Filename of the file that the init script creates
-##	</summary>
-## </param>
-#
-interface(`init_daemon_pid_file',`
-	gen_require(`
-		attribute daemonpidfile;
-		type initrc_t;
-	')
-
-	typeattribute $1 daemonpidfile;
-
-	files_pid_file($1)
-	files_pid_filetrans(initrc_t, $1, $2, $3)
-')
-
-########################################
-## <summary>
-##	Mark the file type as a daemon run dir, allowing initrc_t
-##	to create it
-## </summary>
-## <param name="filetype">
+## <param name="rundirtype">
 ##	<summary>
 ##	Type to mark as a daemon run dir
 ##	</summary>
 ## </param>
 ## <param name="filename">
 ##	<summary>
-##	Filename of the directory that the init script creates
+##	Name of the run dir directory
 ##	</summary>
 ## </param>
 #
@@ -844,14 +843,6 @@ interface(`init_spec_domtrans_script',`
 	files_list_etc($1)
 	spec_domtrans_pattern($1, initrc_exec_t, initrc_t)
 
-	ifdef(`distro_gentoo',`
-		gen_require(`
-			type rc_exec_t;
-		')
-
-		domtrans_pattern($1, rc_exec_t, initrc_t)
-	')
-
 	ifdef(`enable_mcs',`
 		range_transition $1 initrc_exec_t:process s0;
 	')
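Review bot: this is the hunk that matters. Per the commit message, init_spec_domtrans_script relies on the caller already being in the run_init domain, so the extra domtrans_pattern() into initrc_t on rc_exec_t here attempted a direct transition that does not work from sysadm_r; dropping it and keeping the rc_exec_t transition only in init_domtrans_script (next hunk) is the correct split.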
@@ -891,7 +882,6 @@ interface(`init_domtrans_script',`
 		gen_require(`
 			type rc_exec_t;
 		')
-
 		domtrans_pattern($1, rc_exec_t, initrc_t)
 	')
 ')


* [gentoo-commits] proj/hardened-refpolicy:adminroles commit in: policy/modules/system/
@ 2015-02-09  9:58 Jason Zaman
  2015-02-09 18:33 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
  0 siblings, 1 reply; 705+ messages in thread
From: Jason Zaman @ 2015-02-09  9:58 UTC (permalink / raw
  To: gentoo-commits

commit:     0897e2ba7152ef4752b2fb292fe9bde72b88b465
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Feb  9 09:20:21 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb  9 09:54:18 2015 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=0897e2ba

add back the working parts of commit fe62598f2fb87

---
 policy/modules/system/init.if | 74 ++++++++++++++++++++++---------------------
 1 file changed, 38 insertions(+), 36 deletions(-)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 7cdf3a8..1f897d2 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -150,39 +150,6 @@ interface(`init_ranged_domain',`
 
 ########################################
 ## <summary>
-##	Mark the file type as a daemon pid file, allowing initrc_t
-##	to create it
-## </summary>
-## <param name="filetype">
-##	<summary>
-##	Type to mark as a daemon pid file
-##	</summary>
-## </param>
-## <param name="class">
-##	<summary>
-##	Class on which the type is applied
-##	</summary>
-## </param>
-## <param name="filename">
-##	<summary>
-##	Filename of the file that the init script creates
-##	</summary>
-## </param>
-#
-interface(`init_daemon_pid_file',`
-	gen_require(`
-		attribute daemonpidfile;
-		type initrc_t;
-	')
-
-	typeattribute $1 daemonpidfile;
-
-	files_pid_file($1)
-	files_pid_filetrans(initrc_t, $1, $2, $3)
-')
-
-########################################
-## <summary>
 ##	Create a domain for long running processes
 ##	(daemons/services) which are started by init scripts.
 ## </summary>
@@ -421,16 +388,50 @@ interface(`init_ranged_system_domain',`
 
 ########################################
 ## <summary>
-##	Mark the type as a daemon run dir
+##	Mark the file type as a daemon pid file, allowing initrc_t
+##	to create it
 ## </summary>
-## <param name="rundirtype">
+## <param name="filetype">
+##	<summary>
+##	Type to mark as a daemon pid file
+##	</summary>
+## </param>
+## <param name="class">
+##	<summary>
+##	Class on which the type is applied
+##	</summary>
+## </param>
+## <param name="filename">
+##	<summary>
+##	Filename of the file that the init script creates
+##	</summary>
+## </param>
+#
+interface(`init_daemon_pid_file',`
+	gen_require(`
+		attribute daemonpidfile;
+		type initrc_t;
+	')
+
+	typeattribute $1 daemonpidfile;
+
+	files_pid_file($1)
+	files_pid_filetrans(initrc_t, $1, $2, $3)
+')
+
+########################################
+## <summary>
+##	Mark the file type as a daemon run dir, allowing initrc_t
+##	to create it
+## </summary>
+## <param name="filetype">
 ##	<summary>
 ##	Type to mark as a daemon run dir
 ##	</summary>
 ## </param>
 ## <param name="filename">
 ##	<summary>
-##	Name of the run dir directory
+##	Filename of the directory that the init script creates
 ##	</summary>
 ## </param>
 #
@@ -882,6 +883,7 @@ interface(`init_domtrans_script',`
 		gen_require(`
 			type rc_exec_t;
 		')
+
 		domtrans_pattern($1, rc_exec_t, initrc_t)
 	')
 ')
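Review bot: the last hunk only re-adds a blank line inside init_domtrans_script; whitespace-only hunks are best left out of a functional commit so the diff shows just the interface moves.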


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2015-03-03 15:19 git@oystercatcher mirror+tproxy
  0 siblings, 0 replies; 705+ messages in thread
From: git@oystercatcher mirror+tproxy @ 2015-03-03 15:19 UTC (permalink / raw
  To: gentoo-commits

commit:     9c0dcd8c971259c2af31fb6fdc133388aa478a29
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Mar  3 15:18:48 2015 +0000
Commit:     git@oystercatcher mirror+tproxy <git <AT> oystercatcher <DOT> gentoo <DOT> org>
CommitDate: Tue Mar  3 15:18:48 2015 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=9c0dcd8c

Fix bug #541990 - Grant setfscreate to semanage_migrate_store [semanage_t]

 policy/modules/system/selinuxutil.te | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index b0d14cb..9b70f53 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -667,4 +667,12 @@ ifdef(`distro_gentoo',`
 
 	# Moved out of files_relabel_non_auth_files as it cannot be used in tunable_policy otherwise
 	seutil_relabelto_bin_policy(restorecond_t)
+
+	##########################################
+	#
+	# semanage local policy
+	#
+
+	# Fix bug #541990 - Grant setfscreate privilege to allow semanage_migrate_store to work properly
+	allow semanage_t self:process { setfscreate };
 ')
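Review bot: setfscreate lets semanage_t choose the creation label of anything it is allowed to create, which is broader than the one store migration needs, but there is no narrower permission and semanage_t is already the policy-store writer, so the grant is acceptable. The braces around a single permission are unnecessary (`allow semanage_t self:process setfscreate;`), and since semanage_migrate_store is upstream tooling this rule belongs outside ifdef(`distro_gentoo') as an upstream candidate rather than in the Gentoo-only block.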


* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
@ 2015-03-04 17:03 Sven Vermeulen
  2015-03-03 15:18 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
  0 siblings, 1 reply; 705+ messages in thread
From: Sven Vermeulen @ 2015-03-04 17:03 UTC (permalink / raw
  To: gentoo-commits

commit:     9c0dcd8c971259c2af31fb6fdc133388aa478a29
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Mar  3 15:18:48 2015 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Mar  3 15:18:48 2015 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=9c0dcd8c

Fix bug #541990 - Grant setfscreate to semanage_migrate_store [semanage_t]

 policy/modules/system/selinuxutil.te | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index b0d14cb..9b70f53 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -667,4 +667,12 @@ ifdef(`distro_gentoo',`
 
 	# Moved out of files_relabel_non_auth_files as it cannot be used in tunable_policy otherwise
 	seutil_relabelto_bin_policy(restorecond_t)
+
+	##########################################
+	#
+	# semanage local policy
+	#
+
+	# Fix bug #541990 - Grant setfscreate privilege to allow semanage_migrate_store to work properly
+	allow semanage_t self:process { setfscreate };
 ')
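Review bot: identical to the :master post of commit 9c0dcd8c above (same hash, same hunk); the remarks there apply unchanged.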


* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
@ 2015-03-29 10:01 Jason Zaman
  2015-03-29  9:59 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
  0 siblings, 1 reply; 705+ messages in thread
From: Jason Zaman @ 2015-03-29 10:01 UTC (permalink / raw
  To: gentoo-commits

commit:     6f832c0037b7b18d1e3a953831016b0eace8d896
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Mar 24 07:27:56 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Mar 29 09:54:10 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6f832c00

init: add /lib64/rc/cache as an init state dir

 policy/modules/system/init.fc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
index b4391ce..02ec851 100644
--- a/policy/modules/system/init.fc
+++ b/policy/modules/system/init.fc
@@ -87,6 +87,7 @@ ifdef(`distro_gentoo',`
 # /lib
 #
 /lib/rc/console(/.*)?		gen_context(system_u:object_r:initrc_state_t,s0)
+/lib/rc/cache(/.*)?		gen_context(system_u:object_r:initrc_state_t,s0)
 
 #
 # /sbin
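Review bot: the commit title says /lib64/rc/cache but the entry added is /lib/rc/cache; file context matching is done on the path handed to setfiles/restorecon, not on a resolved symlink, so on a system where the real directory is /lib64/rc/cache this entry only applies if a /lib64 to /lib substitution is active in file_contexts.subs_dist. Either confirm that substitution is in place or add the /lib64 pattern next to the existing /lib/rc/console one, and make the title and the entry agree.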


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2015-04-22 21:46 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2015-04-22 21:46 UTC (permalink / raw
  To: gentoo-commits

commit:     aa590f23e36cbb49b36ea7fc389d26d9111055fc
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Apr 13 18:13:39 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Apr 22 21:44:30 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=aa590f23

fstools: add in filetrans for /run dir

The blkid tool writes to /run/blkid/. This creates the "fstools_run_t"
type and allows the transition in /run.

type=AVC msg=audit(1428929528.885:149519): avc:  denied  { write } for pid=5590 comm="mkfs.ext4" name="/" dev="tmpfs" ino=17656 scontext=staff_u:sysadm_r:fsadm_t tcontext=system_u:object_r:var_run_t tclass=dir permissive=0

In permissive:
type=AVC msg=audit(1428948565.919:160149): avc:  denied  { write } for  pid=26197 comm="mkfs.ext4" name="/" dev="tmpfs" ino=17656 scontext=staff_u:sysadm_r:fsadm_t tcontext=system_u:object_r:var_run_t tclass=dir permissive=1
type=AVC msg=audit(1428948565.919:160149): avc:  denied  { add_name } for  pid=26197 comm="mkfs.ext4" name="blkid" scontext=staff_u:sysadm_r:fsadm_t tcontext=system_u:object_r:var_run_t tclass=dir permissive=1
type=AVC msg=audit(1428948565.919:160149): avc:  denied  { create } for  pid=26197 comm="mkfs.ext4" name="blkid" scontext=staff_u:sysadm_r:fsadm_t tcontext=staff_u:object_r:var_run_t tclass=dir permissive=1
type=SYSCALL msg=audit(1428948565.919:160149): arch=c000003e syscall=83 success=yes exit=0 a0=2cd79c6d214 a1=1ed a2=ffffffffffffff20 a3=539fe9bc40 items=2 ppid=28115 pid=26197 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=2 comm="mkfs.ext4" exe="/sbin/mke2fs" subj=staff_u:sysadm_r:fsadm_t key=(null)
type=CWD msg=audit(1428948565.919:160149):  cwd="/root/selinux"
type=PATH msg=audit(1428948565.919:160149): item=0 name="/run/" inode=17656 dev=00:13 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_run_t nametype=PARENT
type=PATH msg=audit(1428948565.919:160149): item=1 name="/run/blkid" inode=4062404 dev=00:13 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=staff_u:object_r:var_run_t nametype=CREATE
type=UNKNOWN[1327] msg=audit(1428948565.919:160149): proctitle=6D6B66732E65787434002F6465762F7A72616D31
type=AVC msg=audit(1428948565.919:160150): avc:  denied  { write } for  pid=26197 comm="mkfs.ext4" name="blkid" dev="tmpfs" ino=4062404 scontext=staff_u:sysadm_r:fsadm_t tcontext=staff_u:object_r:var_run_t tclass=dir permissive=1
type=AVC msg=audit(1428948565.919:160150): avc:  denied  { add_name } for  pid=26197 comm="mkfs.ext4" name="blkid.tab" scontext=staff_u:sysadm_r:fsadm_t tcontext=staff_u:object_r:var_run_t tclass=dir permissive=1
type=AVC msg=audit(1428948565.919:160150): avc:  denied  { create } for  pid=26197 comm="mkfs.ext4" name="blkid.tab" scontext=staff_u:sysadm_r:fsadm_t tcontext=staff_u:object_r:var_run_t tclass=file permissive=1
type=AVC msg=audit(1428948565.919:160150): avc:  denied  { write open } for  pid=26197 comm="mkfs.ext4" path="/run/blkid/blkid.tab" dev="tmpfs" ino=4062405 scontext=staff_u:sysadm_r:fsadm_t tcontext=staff_u:object_r:var_run_t tclass=file permissive=1
type=AVC msg=audit(1428948565.919:160151): avc:  denied  { getattr } for  pid=26197 comm="mkfs.ext4" path="/run/blkid/blkid.tab" dev="tmpfs" ino=4062405 scontext=staff_u:sysadm_r:fsadm_t tcontext=staff_u:object_r:var_run_t tclass=file permissive=1

Changes from v1:
- only transition on dir, not file.
- add fcontext for /run/fsck too.
- the audit log in the previous version was missing some lines.

 policy/modules/system/fstools.fc | 3 +++
 policy/modules/system/fstools.te | 7 +++++++
 2 files changed, 10 insertions(+)

diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
index be77216..9f3b9ca 100644
--- a/policy/modules/system/fstools.fc
+++ b/policy/modules/system/fstools.fc
@@ -63,6 +63,9 @@
 
 /var/log/fsck(/.*)?		gen_context(system_u:object_r:fsadm_log_t,s0)
 
+/var/run/blkid(/.*)?		gen_context(system_u:object_r:fsadm_run_t,s0)
+/var/run/fsck(/.*)?		gen_context(system_u:object_r:fsadm_run_t,s0)
+
 ifdef(`distro_gentoo',`
 /sbin/mkfs\.f2fs	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/sbin/mkfs\.f2fs	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
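Review bot: the commit message names the new type fstools_run_t but these entries (and the .te hunk) use fsadm_run_t; fix the message so the type can be found by name. The /var/run/fsck entry is not backed by the quoted audit log, which only shows /run/blkid; it is plausible, but the message should say which tool writes there.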

diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index a0cfb1d..868cf31 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -16,6 +16,9 @@ logging_log_file(fsadm_log_t)
 type fsadm_tmp_t;
 files_tmp_file(fsadm_tmp_t)
 
+type fsadm_run_t;
+files_pid_file(fsadm_run_t)
+
 type swapfile_t; # customizable
 files_type(swapfile_t)
 
@@ -45,6 +48,10 @@ allow fsadm_t fsadm_tmp_t:dir manage_dir_perms;
 allow fsadm_t fsadm_tmp_t:file manage_file_perms;
 files_tmp_filetrans(fsadm_t, fsadm_tmp_t, { file dir })
 
+allow fsadm_t fsadm_run_t:dir manage_dir_perms;
+allow fsadm_t fsadm_run_t:file manage_file_perms;
+files_pid_filetrans(fsadm_t, fsadm_run_t, dir)
+
 # log files
 allow fsadm_t fsadm_log_t:dir setattr;
 manage_files_pattern(fsadm_t, fsadm_log_t, fsadm_log_t)
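Review bot: `files_pid_filetrans(fsadm_t, fsadm_run_t, dir)` relabels every directory fsadm_t creates directly under /run, not only blkid and fsck; refpolicy's filetrans patterns take an optional object name as the fourth argument, so two named transitions (`files_pid_filetrans(fsadm_t, fsadm_run_t, dir, "blkid")` and the same for "fsck") would keep any other directory the fsadm_t tools create out of fsadm_run_t. The file rules are sufficient as written because blkid.tab is created inside the already-relabelled directory and inherits fsadm_run_t, which matches the "only transition on dir, not file" note in the message.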


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2015-04-22 21:46 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2015-04-22 21:46 UTC (permalink / raw
  To: gentoo-commits

commit:     3552f2384c427e489aad37d8cdfe99dc84c0ef2b
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Wed Apr 15 16:17:30 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Apr 22 21:44:30 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3552f238

Module version bump for fstools blkid fix from Jason Zaman

 policy/modules/system/fstools.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index 868cf31..8e82b08 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -1,4 +1,4 @@
-policy_module(fstools, 1.18.0)
+policy_module(fstools, 1.18.1)
 
 ########################################
 #


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2015-05-22 19:32 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2015-05-22 19:32 UTC (permalink / raw
  To: gentoo-commits

commit:     5454b1692fd734babb5b459922136c7dfc7c4aa2
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Fri May 22 14:08:05 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri May 22 19:16:43 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5454b169

Introduce init_startstop_service interface

This is to be used where a role needs to start and stop a labeled
service. It centralizes all the rules for redhat < 6 sysvinit that
were used in the _admin interfaces. The rules for other inits will
be added later.

 policy/modules/system/init.if | 40 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 61db079..acf1fae 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1008,6 +1008,46 @@ interface(`init_startstop_service',`
 
 ########################################
 ## <summary>
+##	Allow the role to start and stop
+##	labeled services.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be performing this action.
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Type to be used as a daemon domain.
+##	</summary>
+## </param>
+## <param name="init_script_file">
+##	<summary>
+##	Labeled init script file.
+##	</summary>
+## </param>
+#
+interface(`init_startstop_service',`
+	gen_require(`
+		role system_r;
+	')
+
+	ifndef(`direct_sysadm_daemon',`
+		# rules for sysvinit / upstart
+		init_labeled_script_domtrans($1, $4)
+		domain_system_change_exemption($1)
+		role_transition $2 $4 system_r;
+		allow $2 system_r;
+	')
+')
+
+########################################
+## <summary>
 ##	Start and stop daemon programs directly.
 ## </summary>
 ## <desc>
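Review bot: duplicate definition: the hunk header `@@ -1008,6 +1008,46 @@ interface(`init_startstop_service',`` shows that the enclosing function at line 1008 is already `init_startstop_service`, and the index line `61db079..acf1fae` starts from the tree that commit c2986eed left behind, so applying this produces two definitions of `init_startstop_service` in init.if (m4 silently takes the later one). This hunk should be dropped, not applied.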


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2015-05-22 19:32 Jason Zaman
From: Jason Zaman @ 2015-05-22 19:32 UTC
  To: gentoo-commits

commit:     c2986eed04bbae7ef6ff1bdad6df31022abdc970
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue May 12 20:03:40 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri May 22 19:16:43 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c2986eed

Introduce init_startstop_service interface

This is to be used where a role needs to start and stop a labeled
service. It centralizes all the rules for redhat < 6 sysvinit that
were used in the _admin interfaces. The rules for other inits will
be added later.

 policy/modules/system/init.if | 40 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 1f897d2..61db079 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -968,6 +968,46 @@ interface(`init_all_labeled_script_domtrans',`
 
 ########################################
 ## <summary>
+##	Allow the role to start and stop
+##	labeled services.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be performing this action.
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Type to be used as a daemon domain.
+##	</summary>
+## </param>
+## <param name="init_script_file">
+##	<summary>
+##	Labeled init script file.
+##	</summary>
+## </param>
+#
+interface(`init_startstop_service',`
+	gen_require(`
+		role system_r;
+	')
+
+	ifndef(`direct_sysadm_daemon',`
+		# rules for sysvinit / upstart
+		init_labeled_script_domtrans($1, $4)
+		domain_system_change_exemption($1)
+		role_transition $2 $4 system_r;
+		allow $2 system_r;
+	')
+')
+
+########################################
+## <summary>
 ##	Start and stop daemon programs directly.
 ## </summary>
 ## <desc>
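Review bot: the doc block names both the first and the third parameter `domain` (`<param name="domain">` for "Domain allowed to transition" and again for "Type to be used as a daemon domain"), so the generated interface documentation shows two parameters with the same name; give the daemon type its own name. `$3` is also never used in the body (only `$1`, `$2` and `$4` appear), which is fine if it is reserved for the other init systems the message promises, but a comment saying so would stop callers from wondering. Finally, `gen_require(role system_r)` is unconditional while the only use of `system_r` is inside `ifndef(`direct_sysadm_daemon')`; moving the require inside the ifndef keeps it minimal.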


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2015-05-22 19:32 Jason Zaman
From: Jason Zaman @ 2015-05-22 19:32 UTC
  To: gentoo-commits

commit:     9e474937977d0e21a9b63eee5717d8b4837dba32
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Fri May 22 18:25:04 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri May 22 19:16:43 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9e474937

Module version bump for init_startstop_service from Jason Zaman.

 policy/modules/system/init.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index c265e53..141df45 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 1.22.0)
+policy_module(init, 1.22.1)
 
 gen_require(`
 	class passwd rootok;


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2015-05-22 20:09 Jason Zaman
From: Jason Zaman @ 2015-05-22 20:09 UTC
  To: gentoo-commits

commit:     4145312546b2dfef571c04698fa81b545a5be63d
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Fri May 22 19:52:07 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri May 22 19:52:07 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=41453125

Revert "Introduce init_startstop_service interface", accidentally applied twice

This reverts commit c2986eed04bbae7ef6ff1bdad6df31022abdc970.

 policy/modules/system/init.if | 40 ----------------------------------------
 1 file changed, 40 deletions(-)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index acf1fae..61db079 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1008,46 +1008,6 @@ interface(`init_startstop_service',`
 
 ########################################
 ## <summary>
-##	Allow the role to start and stop
-##	labeled services.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed to transition.
-##	</summary>
-## </param>
-## <param name="role">
-##	<summary>
-##	The role to be performing this action.
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Type to be used as a daemon domain.
-##	</summary>
-## </param>
-## <param name="init_script_file">
-##	<summary>
-##	Labeled init script file.
-##	</summary>
-## </param>
-#
-interface(`init_startstop_service',`
-	gen_require(`
-		role system_r;
-	')
-
-	ifndef(`direct_sysadm_daemon',`
-		# rules for sysvinit / upstart
-		init_labeled_script_domtrans($1, $4)
-		domain_system_change_exemption($1)
-		role_transition $2 $4 system_r;
-		allow $2 system_r;
-	')
-')
-
-########################################
-## <summary>
 ##	Start and stop daemon programs directly.
 ## </summary>
 ## <desc>
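Review bot: clean revert: the index line `acf1fae..61db079` is the exact inverse of 5454b169's `61db079..acf1fae`, and the hunk header still shows `interface(`init_startstop_service',`` as the enclosing context, so the first copy of the interface from c2986eed stays in place.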


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2015-05-22 20:19 Jason Zaman
From: Jason Zaman @ 2015-05-22 20:19 UTC
  To: gentoo-commits

commit:     7a7d862ad99304dbe93e2feb668088b4966db74d
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Fri May 15 15:03:30 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri May 22 20:01:41 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7a7d862a

Add openrc support to init_startstop_service

Adds the openrc rules in ifdef distro_gentoo to transition
to run_init correctly.

 policy/modules/system/init.if        | 14 ++++---
 policy/modules/system/selinuxutil.if | 75 ++++++++++++++++++++++++++++++++++++
 2 files changed, 84 insertions(+), 5 deletions(-)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 61db079..7b17c5c 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -998,11 +998,15 @@ interface(`init_startstop_service',`
 	')
 
 	ifndef(`direct_sysadm_daemon',`
-		# rules for sysvinit / upstart
-		init_labeled_script_domtrans($1, $4)
-		domain_system_change_exemption($1)
-		role_transition $2 $4 system_r;
-		allow $2 system_r;
+		ifdef(`distro_gentoo',`
+			seutil_spec_run_runinit($1, $2, $4)
+		',`
+			# rules for sysvinit / upstart
+			init_labeled_script_domtrans($1, $4)
+			domain_system_change_exemption($1)
+			role_transition $2 $4 system_r;
+			allow $2 system_r;
+		')
 	')
 ')
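Review bot: naming: `seutil_spec_run_runinit` does not say what "spec" refers to; a name that describes the argument it takes (a labeled init script type, `$4`) would make the call site self-explanatory. In the `distro_gentoo` branch the interface's `gen_require(role system_r)` is no longer needed, and `$3` is still unused on both branches.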
 

diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
index 129a6e0..e69f279 100644
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
@@ -379,6 +379,40 @@ interface(`seutil_domtrans_runinit',`
 
 ########################################
 ## <summary>
+##	Execute file in the run_init domain.
+## </summary>
+## <desc>
+##	<p>
+##	Execute file in the run_init domain.
+##	This is used for the Gentoo integrated run_init.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Type of entry file.
+##	</summary>
+## </param>
+#
+interface(`seutil_spec_domtrans_runinit',`
+	gen_require(`
+		type run_init_t;
+	')
+
+	domain_entry_file(run_init_t, $2)
+	domain_auto_transition_pattern($1, $2, run_init_t)
+
+	allow run_init_t $1:fd use;
+	allow run_init_t $1:fifo_file rw_file_perms;
+	allow run_init_t $1:process sigchld;
+')
+
+########################################
+## <summary>
 ##	Execute init scripts in the run_init domain.
 ## </summary>
 ## <desc>
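Review bot: `allow run_init_t $1:fifo_file rw_file_perms;` applies the file permission set to the fifo_file class; the three trailing rules mirror what refpolicy's domtrans_pattern grants, and that uses `rw_fifo_file_perms`, so use it here too. Both `<param>` entries are named `domain` although the second is a file type; give it a distinct name. More importantly, `domain_entry_file(run_init_t, $2)` turns whatever type a caller passes into an entrypoint of run_init_t, a privileged domain; the documentation (or the interface name) should make clear that `$2` must be an init script type, not an arbitrary file type.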
@@ -470,6 +504,47 @@ interface(`seutil_init_script_run_runinit',`
 
 ########################################
 ## <summary>
+##	Execute specified file in the run_init domain, and
+##	allow the specified role the run_init domain,
+##	and use the caller's terminal.
+## </summary>
+## <desc>
+##	<p>
+##	Execute specified file in the run_init domain, and
+##	allow the specified role the run_init domain,
+##	and use the caller's terminal.
+##	</p>
+##	<p>
+##	This is used for the Gentoo integrated run_init.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Type of init script.
+##	</summary>
+## </param>
+#
+interface(`seutil_spec_run_runinit',`
+	gen_require(`
+		attribute_role run_init_roles;
+	')
+
+	seutil_spec_domtrans_runinit($1, $3)
+	roleattribute $2 run_init_roles;
+')
+
+########################################
+## <summary>
 ##	Inherit and use run_init file descriptors.
 ## </summary>
 ## <param name="domain">
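Review bot: the summary says the interface lets the role "use the caller's terminal", but the body only calls `seutil_spec_domtrans_runinit($1, $3)` and adds `$2` to `run_init_roles`; no terminal rule is added here, so either drop that clause or say it relies on run_init_t's own rules in selinuxutil.te. The first and third `<param>` entries are both named `domain`; the init script parameter needs its own name.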


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2015-05-27 20:00 Jason Zaman
From: Jason Zaman @ 2015-05-27 20:00 UTC
  To: gentoo-commits

commit:     612782c9a0018a2b6d38c19476f44b7ad92ff070
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon May 25 09:33:55 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed May 27 18:59:50 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=612782c9

logging: use init_startstop_service in _admin interface

The logging_admin interfaces had rules for RedHat sysvinit. This
replaces them with the interface init_startstop_service which can
easily be changed for other init systems.

 policy/modules/system/logging.if | 10 ++--------
 1 file changed, 2 insertions(+), 8 deletions(-)

diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 1c4af7b..9fa0f5d 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -1022,10 +1022,7 @@ interface(`logging_admin_audit',`
 
 	logging_run_auditctl($1, $2)
 
-	init_labeled_script_domtrans($1, auditd_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 auditd_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_startstop_service($1, $2, auditd_t, auditd_initrc_exec_t)
 ')
 
 ########################################
@@ -1080,10 +1077,7 @@ interface(`logging_admin_syslog',`
 
 	logging_manage_all_logs($1)
 
-	init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
-	domain_system_change_exemption($1)
-	role_transition $2 syslogd_initrc_exec_t system_r;
-	allow $2 system_r;
+	init_startstop_service($1, $2, syslogd_t, syslogd_initrc_exec_t)
 ')
 
 ########################################
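Review bot: on non-Gentoo builds both `init_startstop_service` calls expand to exactly the four lines they replace (`$3`, `auditd_t` and `syslogd_t` here, is unused by the interface as introduced), so behaviour is preserved there. Under `distro_gentoo`, however, the admin role now reaches the service through run_init and `run_init_roles` instead of a `role_transition` to `system_r`; that is a behaviour change for Gentoo users and deserves a sentence in the commit message.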


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2015-05-27 20:00 Jason Zaman
From: Jason Zaman @ 2015-05-27 20:00 UTC
  To: gentoo-commits

commit:     78438b16c855c83be05b9d421c8fd0a3d0e878d2
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed May 27 18:58:19 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed May 27 18:59:51 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=78438b16

Add openrc support to init_startstop_service

Adds the openrc rules in ifdef distro_gentoo to transition
to run_init correctly.

 policy/modules/system/init.if        | 3 ++-
 policy/modules/system/selinuxutil.if | 6 +++---
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 7b17c5c..ed65609 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -999,7 +999,8 @@ interface(`init_startstop_service',`
 
 	ifndef(`direct_sysadm_daemon',`
 		ifdef(`distro_gentoo',`
-			seutil_spec_run_runinit($1, $2, $4)
+			# for OpenRC
+			seutil_labeled_init_script_run_runinit($1, $2, $4)
 		',`
 			# rules for sysvinit / upstart
 			init_labeled_script_domtrans($1, $4)
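Review bot: the commit title repeats "Add openrc support to init_startstop_service" from 7a7d862a, but this change only renames the interface being called and adds the `# for OpenRC` comment; a title such as "rename seutil_spec_* interfaces" would keep the history readable.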

diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
index e69f279..bcb4330 100644
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
@@ -398,7 +398,7 @@ interface(`seutil_domtrans_runinit',`
 ##	</summary>
 ## </param>
 #
-interface(`seutil_spec_domtrans_runinit',`
+interface(`seutil_labeled_init_script_domtrans_runinit',`
 	gen_require(`
 		type run_init_t;
 	')
@@ -534,12 +534,12 @@ interface(`seutil_init_script_run_runinit',`
 ##	</summary>
 ## </param>
 #
-interface(`seutil_spec_run_runinit',`
+interface(`seutil_labeled_init_script_run_runinit',`
 	gen_require(`
 		attribute_role run_init_roles;
 	')
 
-	seutil_spec_domtrans_runinit($1, $3)
+	seutil_labeled_init_script_domtrans_runinit($1, $3)
 	roleattribute $2 run_init_roles;
 ')
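Review bot: the rename is complete as far as the diffstat shows (only init.if and selinuxutil.if change, and init.if's single caller is updated in the first hunk), but the `<summary>`/`<desc>` text introduced with these interfaces in 7a7d862a still reads "Execute specified file in the run_init domain"; with the new `labeled_init_script` names the docs should say the parameter is a labeled init script type.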
 


* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/system/
@ 2015-06-11 16:04 Sven Vermeulen
  2015-06-11 16:08 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
From: Sven Vermeulen @ 2015-06-11 16:04 UTC
  To: gentoo-commits

commit:     4e0b54e1d130040aa21f0add9b6b6a748d64d40e
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu Jun 11 16:04:34 2015 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Jun 11 16:04:34 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4e0b54e1

Allow user domains to manage XDG documents, pictures and music

 policy/modules/system/userdomain.if | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 1d5370c..ea03e86 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -282,7 +282,10 @@ interface(`userdom_manage_home_role',`
 			xdg_manage_all_config_home($2)
 			xdg_manage_all_data_home($2)
 			xdg_manage_all_runtime_home($2)
+			xdg_manage_documents_home($2)
 			xdg_manage_downloads_home($2)
+			xdg_manage_music_home($2)
+			xdg_manage_pictures_home($2)
 			xdg_manage_videos_home($2)
 			xdg_relabel_all_cache_home($2)
 			xdg_relabel_all_config_home($2)
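Review bot: the three new `xdg_manage_*_home($2)` calls sit in a block that is followed by `xdg_relabel_all_*` calls; if the existing `downloads` and `videos` entries have matching relabel interfaces further down (outside this hunk), documents, music and pictures need the same, otherwise a restorecon run from the user role will not cover them. The new interfaces themselves must already exist in xdg.if, since that file is not part of this commit.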


* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/system/
@ 2015-07-11 14:09 Sven Vermeulen
  2015-07-11 13:38 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
From: Sven Vermeulen @ 2015-07-11 14:09 UTC
  To: gentoo-commits

commit:     76b213703ff1b7bbcbfb0876388c764918290070
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sat Jul 11 13:36:30 2015 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sat Jul 11 13:36:30 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=76b21370

Allow run_init_t to read all named init scripts

When OpenRC wants to execute a labeled init script, it fails if this is
a symlink:

~$ sudo /etc/init.d/ceph-mon.0 start
openrc-run should not be run directly

The denial shows that a read on the symlink is denied:

type=AVC msg=audit(1436621093.701:1165): avc:  denied  { read } for
pid=30786 comm="openrc" name="ceph-mon.0" dev="vda3" ino=1966780
scontext=staff_u:staff_r:run_init_t:s0
tcontext=system_u:object_r:ceph_initrc_exec_t:s0 tclass=lnk_file
permissive=0

After granting this, the behavior is as expected:

~$ sudo /etc/init.d/ceph-mon.0 start
* Starting Ceph mon.0 ...               [ ok ]

X-Gentoo-Bug: 554514
X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=554514

 policy/modules/system/init.if        | 5 +++++
 policy/modules/system/selinuxutil.te | 2 ++
 2 files changed, 7 insertions(+)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index ed65609..211d434 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1195,6 +1195,11 @@ interface(`init_read_all_script_files',`
 
 	files_search_etc($1)
 	allow $1 init_script_file_type:file read_file_perms;
+
+	ifdef(`distro_gentoo',`
+		# Bug 554514
+		allow $1 init_script_file_type:lnk_file read_lnk_file_perms;
+	')
 ')
 
 #######################################
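Review bot: the `lnk_file read_lnk_file_perms` grant is wrapped in `ifdef(`distro_gentoo')`, but the interface is `init_read_all_script_files` and an init script that is a symlink (the openrc-run case in the message) is not Gentoo-specific; consider making it unconditional and sending it upstream. The `# Bug 554514` comment is good; the full URL from the message would save the next reader a lookup.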

diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 51c64be..d25a0fd 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -418,6 +418,8 @@ userdom_use_user_terminals(run_init_t)
 ifndef(`direct_sysadm_daemon',`
 	ifdef(`distro_gentoo',`
 		# Gentoo integrated run_init:
+		# Bug 554514
+		init_read_all_script_files(run_init_t)	
 		init_script_file_entry_type(run_init_t)
 
 		init_exec_rc(run_init_t)
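Review bot: `init_read_all_script_files(run_init_t)` carries a trailing tab; strip it. The call also grants more than the denial asked for (read on every `init_script_file_type` file, not only the lnk_file read), which is acceptable for run_init_t since it already has `init_script_file_entry_type`, but the message should say so.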


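The denial quoted above maps onto the lnk_file read rule the patch adds through `init_read_all_script_files`. As an added example (not part of the commit or of refpolicy), here is a small audit2allow-style script that parses AVC records, merges the denied permissions per source type, target type and class, and folds a complete set onto the refpolicy `read_lnk_file_perms` macro; the first record is the one from the commit message, the second (`getattr`) record is constructed for illustration.

```python
"""Turn audit AVC denial records into candidate allow rules (added example)."""
import re
from collections import defaultdict

# Fields needed from one AVC record (continuation lines already joined).
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)"
)

# Subset of refpolicy permission sets (obj_perm_sets.spt) worth folding onto.
PERM_SETS = {
    "lnk_file": {"read_lnk_file_perms": {"getattr", "read"}},
    "file": {"read_file_perms": {"getattr", "open", "read", "lock", "ioctl"}},
}

# First record: the denial from the commit message. Second record: constructed.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1436621093.701:1165): avc:  denied  { read } for
pid=30786 comm="openrc" name="ceph-mon.0" dev="vda3" ino=1966780
scontext=staff_u:staff_r:run_init_t:s0
tcontext=system_u:object_r:ceph_initrc_exec_t:s0 tclass=lnk_file
permissive=0
type=AVC msg=audit(1436621093.702:1166): avc:  denied  { getattr } for
pid=30786 comm="openrc" name="ceph-mon.0" dev="vda3" ino=1966780
scontext=staff_u:staff_r:run_init_t:s0
tcontext=system_u:object_r:ceph_initrc_exec_t:s0 tclass=lnk_file
permissive=0
"""


def split_records(text):
    """Return one joined string per AVC record; records wrap across lines."""
    records, current = [], []
    for line in text.splitlines():
        if line.startswith("type=AVC") and current:
            records.append(" ".join(current))
            current = []
        if line.strip():
            current.append(line.strip())
    if current:
        records.append(" ".join(current))
    return records


def context_type(ctx):
    """user:role:type[:range] -> type (the range may itself contain ':')."""
    return ctx.split(":")[2]


def parse_avc(record):
    """Return (source type, target type, class, perms) or None if not an AVC."""
    m = AVC_RE.search(record)
    if m is None:
        return None
    return (context_type(m.group("scontext")),
            context_type(m.group("tcontext")),
            m.group("tclass"),
            set(m.group("perms").split()))


def fold_perms(cls, perms):
    """Use a named refpolicy permission set when the denied perms match it exactly."""
    for name, members in PERM_SETS.get(cls, {}).items():
        if perms == members:
            return name
    return "{ " + " ".join(sorted(perms)) + " }"


def avc_to_rules(text):
    """Merge all denials per (source, target, class) and emit one allow rule each.

    The result is a starting point for review: in refpolicy the rule is then
    expressed through an interface or attribute (the patch uses
    init_script_file_type), never pasted into a module as-is.
    """
    merged = defaultdict(set)
    for rec in split_records(text):
        parsed = parse_avc(rec)
        if parsed:
            src, tgt, cls, perms = parsed
            merged[(src, tgt, cls)] |= perms
    return [f"allow {src} {tgt}:{cls} {fold_perms(cls, perms)};"
            for (src, tgt, cls), perms in sorted(merged.items())]


if __name__ == "__main__":
    for rule in avc_to_rules(SAMPLE_AUDIT):
        print(rule)
```

With only the first record the script prints `allow run_init_t ceph_initrc_exec_t:lnk_file { read };`; once the constructed getattr denial is merged in, the pair folds onto `read_lnk_file_perms`, which is the permission set the patch grants.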
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2015-08-02 19:05 Jason Zaman
From: Jason Zaman @ 2015-08-02 19:05 UTC
  To: gentoo-commits

commit:     1142e65e5281195a865c737d4640db42ae91c89a
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun Aug  2 18:38:34 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Aug  2 19:04:45 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1142e65e

miscfiles: gen_contexts was missing the sensitivity

 policy/modules/system/miscfiles.fc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
index f1b2103..be0b6a1 100644
--- a/policy/modules/system/miscfiles.fc
+++ b/policy/modules/system/miscfiles.fc
@@ -103,7 +103,7 @@ ifdef(`distro_redhat',`
 /var/spool/postfix/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
 ')
 
-HOME_DIR/.pki(/.*)?		gen_context(system_u:object_r:cert_home_t)
+HOME_DIR/.pki(/.*)?		gen_context(system_u:object_r:cert_home_t,s0)
 
 ifdef(`distro_gentoo',`
 /etc/fonts(/.*)?	gen_context(system_u:object_r:fonts_t,s0)
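Review bot: correct fix; a `gen_context` with only `user:role:type` and no sensitivity yields an unusable entry on MLS/MCS builds. Since this one slipped through, a grep of the .fc files for other two-field `gen_context(` calls is worthwhile while here.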


* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
@ 2015-10-14 18:36 Jason Zaman
  2015-10-13 14:50 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
From: Jason Zaman @ 2015-10-14 18:36 UTC
  To: gentoo-commits

commit:     5522373aa919d8f9ee0e1937e9f031ad35c07c4a
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun Oct 11 10:37:56 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Oct 13 14:21:41 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5522373a

system/ipsec: Add policy for StrongSwan

Adds an ipsec_supervisor_t domain for StrongSwan's starter.
Thanks to Matthias Dahl for most of the work on this.

 policy/modules/system/ipsec.fc | 17 ++++++++++++
 policy/modules/system/ipsec.te | 61 +++++++++++++++++++++++++++++++++++++++---
 2 files changed, 75 insertions(+), 3 deletions(-)

diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
index 0f1e351..d42b08e 100644
--- a/policy/modules/system/ipsec.fc
+++ b/policy/modules/system/ipsec.fc
@@ -10,6 +10,14 @@
 
 /etc/ipsec\.d(/.*)?			gen_context(system_u:object_r:ipsec_key_file_t,s0)
 
+/etc/strongswan\.conf		--	gen_context(system_u:object_r:ipsec_conf_file_t,s0)
+
+/etc/strongswan\.d(/.*)?		gen_context(system_u:object_r:ipsec_conf_file_t,s0)
+
+/etc/swanctl/(.*)?			gen_context(system_u:object_r:ipsec_key_file_t,s0)
+/etc/swanctl			-d	gen_context(system_u:object_r:ipsec_conf_file_t,s0)
+/etc/swanctl/swanctl.conf	--	gen_context(system_u:object_r:ipsec_conf_file_t,s0)
+
 /sbin/setkey			--	gen_context(system_u:object_r:setkey_exec_t,s0)
 
 /usr/lib/ipsec/_plutoload	-- 	gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
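Review bot: `/etc/swanctl/swanctl.conf` has an unescaped `.`; write `swanctl\.conf` as the neighbouring entries do. The split between `/etc/swanctl -d` (conf type) and `/etc/swanctl/(.*)?` (key type) is unusual compared with the `(/.*)?` form used elsewhere in this file and looks deliberate (the directory is configuration, its contents may hold keys); a one-line comment stating that intent would stop someone "normalising" it later.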
@@ -19,17 +27,25 @@
 /usr/lib/ipsec/pluto		--	gen_context(system_u:object_r:ipsec_exec_t,s0)
 /usr/lib/ipsec/spi		--	gen_context(system_u:object_r:ipsec_exec_t,s0)
 
+/usr/libexec/ipsec/_copyright	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
 /usr/libexec/ipsec/_plutoload	-- 	gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
 /usr/libexec/ipsec/_plutorun	--	gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
+/usr/libexec/ipsec/_updown	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
+/usr/libexec/ipsec/charon	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
 /usr/libexec/ipsec/eroute	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
 /usr/libexec/ipsec/klipsdebug	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
+/usr/libexec/ipsec/lookip	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
 /usr/libexec/ipsec/pluto	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
+/usr/libexec/ipsec/scepclient	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
 /usr/libexec/ipsec/spi		--	gen_context(system_u:object_r:ipsec_exec_t,s0)
+/usr/libexec/ipsec/starter	--	gen_context(system_u:object_r:ipsec_supervisor_exec_t,s0)
+/usr/libexec/ipsec/stroke	--	gen_context(system_u:object_r:ipsec_exec_t,s0)
 /usr/libexec/nm-openswan-service -- 	gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
 
 /usr/sbin/ipsec			-- 	gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
 /usr/sbin/racoon		--	gen_context(system_u:object_r:racoon_exec_t,s0)
 /usr/sbin/setkey		--	gen_context(system_u:object_r:setkey_exec_t,s0)
+/usr/sbin/swanctl		--	gen_context(system_u:object_r:ipsec_mgmt_exec_t,s0)
 
 /var/lib/racoon(/.*)?			gen_context(system_u:object_r:ipsec_var_run_t,s0)
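Review bot: `/usr/sbin/swanctl` gets `ipsec_mgmt_exec_t` while `/usr/libexec/ipsec/stroke`, the other control client for charon, gets `ipsec_exec_t`; confirm whether both should run in the same domain. `_copyright` and `_updown` are helper scripts rather than daemon binaries, and labeling them `ipsec_exec_t` makes them entrypoints for ipsec_t alongside pluto and charon; a comment on why is warranted.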
 
@@ -39,5 +55,6 @@
 
 /var/racoon(/.*)?			gen_context(system_u:object_r:ipsec_var_run_t,s0)
 
+/var/run/charon\.(.*)?		--	gen_context(system_u:object_r:ipsec_var_run_t,s0)
 /var/run/pluto(/.*)?			gen_context(system_u:object_r:ipsec_var_run_t,s0)
 /var/run/racoon\.pid		--	gen_context(system_u:object_r:ipsec_var_run_t,s0)
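Review bot: `/var/run/charon\.(.*)?  --` restricts the match to regular files, so charon's control sockets under /var/run would not match on a restorecon; the ipsec.te hunk in this commit adds `files_pid_filetrans(ipsec_supervisor_t, ipsec_var_run_t, { dir file sock_file })`, so either drop the `--` or add a `-s` entry for the sockets. Also `\.(.*)?` is simply `\..*`.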

diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index 3734bd4..2d8b686 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -67,19 +67,25 @@ type setkey_exec_t;
 init_system_domain(setkey_t, setkey_exec_t)
 role system_r types setkey_t;
 
+type ipsec_supervisor_t;
+type ipsec_supervisor_exec_t;
+init_daemon_domain(ipsec_supervisor_t, ipsec_supervisor_exec_t);
+role system_r types ipsec_supervisor_t;
+
 ########################################
 #
 # ipsec Local policy
 #
 
-allow ipsec_t self:capability { net_admin dac_override dac_read_search setpcap sys_nice };
+allow ipsec_t self:capability { chown dac_override dac_read_search setgid setuid setpcap net_admin sys_nice };
 dontaudit ipsec_t self:capability { sys_ptrace sys_tty_config };
 allow ipsec_t self:process { getcap setcap getsched signal setsched };
 allow ipsec_t self:tcp_socket create_stream_socket_perms;
 allow ipsec_t self:udp_socket create_socket_perms;
 allow ipsec_t self:key_socket create_socket_perms;
-allow ipsec_t self:fifo_file read_fifo_file_perms;
+allow ipsec_t self:fifo_file rw_fifo_file_perms;
 allow ipsec_t self:netlink_xfrm_socket create_netlink_socket_perms;
+allow ipsec_t self:netlink_route_socket rw_netlink_socket_perms;
 
 allow ipsec_t ipsec_initrc_exec_t:file read_file_perms;
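Review bot: the trailing semicolons on `init_daemon_domain(ipsec_supervisor_t, ipsec_supervisor_exec_t);` (and on `kernel_rw_net_sysctls(ipsec_t);` in the next hunk) are not refpolicy style for interface calls; drop them. The capability line grows by `chown setgid setuid`, `fifo_file` goes from read to rw, and a `netlink_route_socket` rw is added: all of these widen ipsec_t, which pluto shares with charon, so a short comment saying which charon behaviour needs them (dropping privileges, route lookups) would justify them for the next reader.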
 
@@ -113,7 +119,7 @@ allow ipsec_mgmt_t ipsec_t:unix_stream_socket { read write };
 allow ipsec_mgmt_t ipsec_t:process { rlimitinh sigchld };
 
 kernel_read_kernel_sysctls(ipsec_t)
-kernel_read_net_sysctls(ipsec_t)
+kernel_rw_net_sysctls(ipsec_t);
 kernel_list_proc(ipsec_t)
 kernel_read_proc_symlinks(ipsec_t)
 # allow pluto to access /proc/net/ipsec_eroute;
@@ -196,6 +202,8 @@ allow ipsec_mgmt_t self:udp_socket create_socket_perms;
 allow ipsec_mgmt_t self:key_socket create_socket_perms;
 allow ipsec_mgmt_t self:fifo_file rw_fifo_file_perms;
 
+allow ipsec_mgmt_t ipsec_supervisor_t:process { signal signull };
+
 allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
 files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file)
 
@@ -236,6 +244,7 @@ can_exec(ipsec_mgmt_t, ipsec_mgmt_exec_t)
 allow ipsec_mgmt_t ipsec_mgmt_exec_t:lnk_file read;
 
 domtrans_pattern(ipsec_mgmt_t, ipsec_exec_t, ipsec_t)
+domtrans_pattern(ipsec_mgmt_t, ipsec_supervisor_exec_t, ipsec_supervisor_t);
 
 kernel_rw_net_sysctls(ipsec_mgmt_t)
 # allow pluto to access /proc/net/ipsec_eroute;
@@ -444,6 +453,52 @@ seutil_read_config(setkey_t)
 
 userdom_use_user_terminals(setkey_t)
 
+########################################
+#
+# ipsec_supervisor policy
+#
+
+allow ipsec_supervisor_t self:capability { dac_read_search dac_override kill net_admin };
+allow ipsec_supervisor_t self:process { signal };
+allow ipsec_supervisor_t self:fifo_file rw_fifo_file_perms;
+allow ipsec_supervisor_t self:netlink_route_socket rw_netlink_socket_perms;
+allow ipsec_supervisor_t self:netlink_xfrm_socket create_netlink_socket_perms;
+
+allow ipsec_supervisor_t ipsec_conf_file_t:dir list_dir_perms;
+read_files_pattern(ipsec_supervisor_t, ipsec_conf_file_t, ipsec_conf_file_t);
+
+manage_files_pattern(ipsec_supervisor_t, ipsec_key_file_t, ipsec_key_file_t)
+
+allow ipsec_supervisor_t ipsec_t:unix_stream_socket { connectto };
+allow ipsec_supervisor_t ipsec_t:process { signal };
+
+allow ipsec_supervisor_t ipsec_var_run_t:sock_file { rw_sock_file_perms unlink };
+manage_dirs_pattern(ipsec_supervisor_t, ipsec_var_run_t, ipsec_var_run_t)
+manage_files_pattern(ipsec_supervisor_t, ipsec_var_run_t, ipsec_var_run_t)
+files_pid_filetrans(ipsec_supervisor_t, ipsec_var_run_t, { dir file sock_file })
+
+domtrans_pattern(ipsec_supervisor_t, ipsec_exec_t, ipsec_t);
+
+kernel_read_network_state(ipsec_supervisor_t)
+kernel_read_system_state(ipsec_supervisor_t)
+kernel_rw_net_sysctls(ipsec_supervisor_t);
+
+corecmd_exec_bin(ipsec_supervisor_t);
+corecmd_exec_shell(ipsec_supervisor_t)
+
+dev_read_rand(ipsec_supervisor_t);
+dev_read_urand(ipsec_supervisor_t);
+
+files_read_etc_files(ipsec_supervisor_t);
+
+logging_send_syslog_msg(ipsec_supervisor_t);
+
+miscfiles_read_localization(ipsec_supervisor_t);
+
+optional_policy(`
+	modutils_domtrans_insmod(ipsec_supervisor_t)
+')
+
 ifdef(`distro_gentoo',`
 	################################################
 	#
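Review bot: `allow ipsec_supervisor_t ipsec_var_run_t:sock_file { rw_sock_file_perms unlink };` nests a permission-set macro inside braces; `manage_sock_file_perms` already includes unlink. The `connectto` on `ipsec_t:unix_stream_socket` plus the sock_file access is what `stream_connect_pattern(ipsec_supervisor_t, ipsec_var_run_t, ipsec_var_run_t, ipsec_t)` expresses in one line. `dac_override` alongside `dac_read_search` is usually more than a root supervisor needs to read its config and keys; confirm it is required. Also drop the trailing semicolons on the interface calls and write single permissions bare (`self:process signal`), matching the rest of the file.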


* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
@ 2015-10-14 18:36 Jason Zaman
  2015-10-13 14:50 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
From: Jason Zaman @ 2015-10-14 18:36 UTC
  To: gentoo-commits

commit:     4db341f7c2dd5502db391b2322967772e3213c01
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Mon Oct 12 13:30:05 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Oct 13 14:21:41 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4db341f7

Rearrange lines in ipsec.te.

 policy/modules/system/ipsec.te | 43 +++++++++++++++++++++---------------------
 1 file changed, 21 insertions(+), 22 deletions(-)

diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index 2d8b686..b9cfcc3 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -54,6 +54,11 @@ files_lock_file(ipsec_mgmt_lock_t)
 type ipsec_mgmt_var_run_t;
 files_pid_file(ipsec_mgmt_var_run_t)
 
+type ipsec_supervisor_t;
+type ipsec_supervisor_exec_t;
+init_daemon_domain(ipsec_supervisor_t, ipsec_supervisor_exec_t);
+role system_r types ipsec_supervisor_t;
+
 type racoon_t;
 type racoon_exec_t;
 init_daemon_domain(racoon_t, racoon_exec_t)
@@ -67,11 +72,6 @@ type setkey_exec_t;
 init_system_domain(setkey_t, setkey_exec_t)
 role system_r types setkey_t;
 
-type ipsec_supervisor_t;
-type ipsec_supervisor_exec_t;
-init_daemon_domain(ipsec_supervisor_t, ipsec_supervisor_exec_t);
-role system_r types ipsec_supervisor_t;
-
 ########################################
 #
 # ipsec Local policy
@@ -202,49 +202,48 @@ allow ipsec_mgmt_t self:udp_socket create_socket_perms;
 allow ipsec_mgmt_t self:key_socket create_socket_perms;
 allow ipsec_mgmt_t self:fifo_file rw_fifo_file_perms;
 
-allow ipsec_mgmt_t ipsec_supervisor_t:process { signal signull };
+domtrans_pattern(ipsec_mgmt_t, ipsec_exec_t, ipsec_t)
+
+# _realsetup needs to be able to cat /var/run/pluto.pid,
+# run ps on that pid, and delete the file
+read_files_pattern(ipsec_mgmt_t, ipsec_t, ipsec_t)
+read_lnk_files_pattern(ipsec_mgmt_t, ipsec_t, ipsec_t)
+
+allow ipsec_mgmt_t ipsec_conf_file_t:file read_file_perms;
+
+manage_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t)
+manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t)
 
 allow ipsec_mgmt_t ipsec_mgmt_lock_t:file manage_file_perms;
 files_lock_filetrans(ipsec_mgmt_t, ipsec_mgmt_lock_t, file)
 
+manage_files_pattern(ipsec_mgmt_t, ipsec_log_t, ipsec_log_t)
+logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file)
+
 manage_dirs_pattern(ipsec_mgmt_t, ipsec_tmp_t, ipsec_tmp_t)
 manage_files_pattern(ipsec_mgmt_t, ipsec_tmp_t, ipsec_tmp_t)
 files_tmp_filetrans(ipsec_mgmt_t, ipsec_tmp_t, { dir file })
 
-manage_files_pattern(ipsec_mgmt_t, ipsec_log_t, ipsec_log_t)
-logging_log_filetrans(ipsec_mgmt_t, ipsec_log_t, file)
-
 allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;
-files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file)
-
 manage_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t)
 manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t)
+files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file)
 
 allow ipsec_mgmt_t ipsec_var_run_t:sock_file manage_sock_file_perms;
 files_pid_filetrans(ipsec_mgmt_t, ipsec_var_run_t, sock_file)
 
-# _realsetup needs to be able to cat /var/run/pluto.pid,
-# run ps on that pid, and delete the file
-read_files_pattern(ipsec_mgmt_t, ipsec_t, ipsec_t)
-read_lnk_files_pattern(ipsec_mgmt_t, ipsec_t, ipsec_t)
-
 # logger, running in ipsec_mgmt_t needs to use sockets
 allow ipsec_mgmt_t self:unix_dgram_socket { create connect write };
 allow ipsec_mgmt_t ipsec_t:unix_dgram_socket { create connect write };
 
-allow ipsec_mgmt_t ipsec_conf_file_t:file read_file_perms;
-
-manage_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t)
-manage_lnk_files_pattern(ipsec_mgmt_t, ipsec_key_file_t, ipsec_key_file_t)
-
 # whack needs to connect to pluto
 stream_connect_pattern(ipsec_mgmt_t, ipsec_var_run_t, ipsec_var_run_t, ipsec_t)
 
 can_exec(ipsec_mgmt_t, ipsec_mgmt_exec_t)
 allow ipsec_mgmt_t ipsec_mgmt_exec_t:lnk_file read;
 
-domtrans_pattern(ipsec_mgmt_t, ipsec_exec_t, ipsec_t)
 domtrans_pattern(ipsec_mgmt_t, ipsec_supervisor_exec_t, ipsec_supervisor_t);
+allow ipsec_mgmt_t ipsec_supervisor_t:process { signal signull };
 
 kernel_rw_net_sysctls(ipsec_mgmt_t)
 # allow pluto to access /proc/net/ipsec_eroute;
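Review bot: moving files_pid_filetrans(ipsec_mgmt_t, ipsec_mgmt_var_run_t, file) below the two ipsec_var_run_t manage patterns separates it from the "allow ipsec_mgmt_t ipsec_mgmt_var_run_t:file manage_file_perms;" rule it belongs with, and makes it read as part of the ipsec_var_run_t block; keep the filetrans directly under its own allow rule, the way the ipsec_var_run_t sock_file pair just below is kept together. While the block is being reordered, the context line "domtrans_pattern(ipsec_mgmt_t, ipsec_supervisor_exec_t, ipsec_supervisor_t);" carries a stray trailing semicolon that none of the other pattern calls in this hunk have and could be dropped.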


^ permalink raw reply related	[flat|nested] 705+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
@ 2015-10-14 18:36 Jason Zaman
  2015-10-14 18:35 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
  0 siblings, 1 reply; 705+ messages in thread
From: Jason Zaman @ 2015-10-14 18:36 UTC
  To: gentoo-commits

commit:     978ce09db2ebb2af831a04aae9e973d2706a25dd
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Oct 14 18:34:53 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Oct 14 18:34:53 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=978ce09d

ipsec: Allow ipsec to run resolvconf

 policy/modules/system/ipsec.te | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index 02fad03..3dd5c8b 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -514,4 +514,13 @@ ifdef(`distro_gentoo',`
 	#
 
 	domain_use_interactive_fds(setkey_t)
+
+	########################################
+	#
+	# ipsec_mgmt Local policy
+	#
+
+	optional_policy(`
+		resolvconf_client_domain(ipsec_mgmt_t)
+	')
 ')
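Review bot: the commit title says "Allow ipsec to run resolvconf" but the rule is granted to ipsec_mgmt_t, not ipsec_t; say in the message (or in a comment above the optional_policy block) which management script invokes resolvconf, so the scope of the rule is clear to the next reader. Wrapping resolvconf_client_domain(ipsec_mgmt_t) in optional_policy is right, since the resolvconf module is not guaranteed to be loaded, and placing it under the existing distro_gentoo ifdef keeps it out of the upstream part of the file.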


* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
@ 2015-10-26  5:36 Jason Zaman
  2015-10-26  5:48 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
  0 siblings, 1 reply; 705+ messages in thread
From: Jason Zaman @ 2015-10-26  5:36 UTC
  To: gentoo-commits

commit:     360b075cbb2c37b12a039e12d4ac0f6d68c2e0f8
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Tue Oct 20 17:25:57 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Oct 26 03:55:52 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=360b075c

Add refpolicy core socket-activated services.

 policy/modules/system/logging.te | 1 +
 policy/modules/system/lvm.te     | 1 +
 policy/modules/system/udev.te    | 1 +
 3 files changed, 3 insertions(+)

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index fd941ab..ef56179 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -67,6 +67,7 @@ files_config_file(syslog_conf_t)
 type syslogd_t;
 type syslogd_exec_t;
 init_daemon_domain(syslogd_t, syslogd_exec_t)
+init_named_socket_activation(syslogd_t, syslogd_var_run_t)
 
 type syslogd_initrc_exec_t;
 init_script_file(syslogd_initrc_exec_t)
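Review bot: init_named_socket_activation(syslogd_t, syslogd_var_run_t) is added without a comment, and the commit message does not say which socket unit each of the three domains is activated from; a one-line comment naming the socket, in the style of the "# needs privowner because ..." comment visible in the lvm hunk, would document why the var_run type is the right type for the passed socket.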

diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index 61bd92b..d15ea3c 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -18,6 +18,7 @@ files_pid_file(clvmd_var_run_t)
 type lvm_t;
 type lvm_exec_t;
 init_system_domain(lvm_t, lvm_exec_t)
+init_named_socket_activation(lvm_t, lvm_var_run_t)
 # needs privowner because it assigns the identity system_u to device nodes
 # but runs as the identity of the sysadmin
 domain_obj_id_change_exemption(lvm_t)

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 40868ad..c9091f3 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -13,6 +13,7 @@ domain_obj_id_change_exemption(udev_t)
 domain_entry_file(udev_t, udev_helper_exec_t)
 domain_interactive_fd(udev_t)
 init_daemon_domain(udev_t, udev_exec_t)
+init_named_socket_activation(udev_t, udev_var_run_t)
 
 type udev_etc_t alias etc_udev_t;
 files_config_file(udev_etc_t)


* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
@ 2015-10-26  5:36 Jason Zaman
  2015-10-26  5:48 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
  0 siblings, 1 reply; 705+ messages in thread
From: Jason Zaman @ 2015-10-26  5:36 UTC
  To: gentoo-commits

commit:     a51ba0a947d3824df1342367d7fd6fd955e6410b
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Oct 26 04:27:25 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Oct 26 04:27:25 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a51ba0a9

system/logging: Remove duplicate filetrans on cron.log

policy/modules/system/logging.te:534:ERROR 'duplicate filename
transition for: filename_trans cron.log syslogd_t var_log_t:file' at
type_transition syslogd_t var_log_t:file cron_log_t "cron.log";

The cron type is gentoo only so make the logging one ifndef

 policy/modules/system/logging.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 902ff63..d0c4d31 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -533,7 +533,9 @@ optional_policy(`
 
 optional_policy(`
 	cron_manage_log_files(syslogd_t)
+	ifndef(`distro_gentoo',`
 	cron_generic_log_filetrans_log(syslogd_t, file, "cron.log")
+	')
 ')
 
 optional_policy(`
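Review bot: the wrapped call cron_generic_log_filetrans_log(syslogd_t, file, "cron.log") is left at the same indentation as the new ifndef(`distro_gentoo',` line; refpolicy style indents the body of an ifdef/ifndef one tab deeper, as the enclosing optional_policy block already does. The message's "The cron type is gentoo only" would also be clearer if it named the Gentoo-side rule that declares the competing "cron.log" transition, since the quoted error only identifies the resulting type_transition.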


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2015-10-26  5:48 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2015-10-26  5:48 UTC
  To: gentoo-commits

commit:     2b1fd1cb76055efbf37feb023a65831b79932f2b
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Oct 26 04:59:35 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Oct 26 04:59:35 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2b1fd1cb

system/logging: Remove duplicate filetrans on news logs

policy/modules/system/logging.te:541:ERROR 'duplicate filename transition for:
filename_trans news.crit syslogd_t var_log_t:file'
type_transition syslogd_t var_log_t:file innd_log_t "news.crit";

The news type is gentoo only so make the logging one ifndef

 policy/modules/system/logging.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index d0c4d31..52c86e5 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -540,9 +540,11 @@ optional_policy(`
 
 optional_policy(`
 	inn_manage_log(syslogd_t)
+	ifndef(`distro_gentoo',`
 	inn_generic_log_filetrans_innd_log(syslogd_t, file, "news.crit")
 	inn_generic_log_filetrans_innd_log(syslogd_t, file, "news.err")
 	inn_generic_log_filetrans_innd_log(syslogd_t, file, "news.notice")
+	')
 ')
 
 optional_policy(`
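Review bot: the three inn_generic_log_filetrans_innd_log lines now sit inside the new ifndef(`distro_gentoo',` block but keep their previous indentation; indent them one tab deeper than the ifndef so the block structure is visible, matching how the enclosing optional_policy indents its body.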


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2015-12-17 16:10 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2015-12-17 16:10 UTC
  To: gentoo-commits

commit:     ab78c64635ddaf28fa45ee087c1e96838779dce3
Author:     Dominick Grift <dac.override <AT> gmail <DOT> com>
AuthorDate: Tue Dec  8 20:47:38 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Dec 17 15:25:22 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ab78c646

systemd: add missing file context spec for systemd-user-sessions executable file

Signed-off-by: Dominick Grift <dac.override <AT> gmail.com>

 policy/modules/system/systemd.fc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index 864979d..a0b5f0b 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -17,6 +17,7 @@
 /usr/lib/systemd/systemd-localed	--	gen_context(system_u:object_r:systemd_locale_exec_t,s0)
 /usr/lib/systemd/systemd-logind		--	gen_context(system_u:object_r:systemd_logind_exec_t,s0)
 /usr/lib/systemd/systemd-machined	--	gen_context(system_u:object_r:systemd_machined_exec_t,s0)
+/usr/lib/systemd/systemd-user-sessions	--	gen_context(system_u:object_r:systemd_sessions_exec_t,s0)
 
 # Systemd unit files
 /usr/lib/systemd/system/[^/]*halt.*	--	gen_context(system_u:object_r:power_unit_t,s0)


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2015-12-17 16:10 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2015-12-17 16:10 UTC
  To: gentoo-commits

commit:     9823ccc9e3b0471ce9039295d50fddae02403df4
Author:     Dominick Grift <dac.override <AT> gmail <DOT> com>
AuthorDate: Thu Dec 10 11:21:25 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Dec 17 15:25:22 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9823ccc9

authlogin: remove duplicate files_list_var_lib(nsswitch_domain)

Signed-off-by: Dominick Grift <dac.override <AT> gmail.com>

 policy/modules/system/authlogin.te | 2 --
 1 file changed, 2 deletions(-)

diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index b811c8d..98ebecd 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -419,8 +419,6 @@ files_read_etc_files(nsswitch_domain)
 sysnet_dns_name_resolve(nsswitch_domain)
 
 tunable_policy(`authlogin_nsswitch_use_ldap',`
-	files_list_var_lib(nsswitch_domain)
-
 	miscfiles_read_generic_certs(nsswitch_domain)
 	sysnet_use_ldap(nsswitch_domain)
 ')


* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
@ 2015-12-17 18:49 Jason Zaman
  2015-12-17 16:10 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
  0 siblings, 1 reply; 705+ messages in thread
From: Jason Zaman @ 2015-12-17 18:49 UTC
  To: gentoo-commits

commit:     aa10eb9453c2aa407e9b68da69484e598919f1e1
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Wed Dec  9 14:40:55 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Dec 17 15:25:22 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=aa10eb94

Module version bump for systemd-user-sessions fc entry from Dominick Grift

 policy/modules/system/systemd.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index fdb9fef..1f70a93 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1,4 +1,4 @@
-policy_module(systemd, 1.1.0)
+policy_module(systemd, 1.1.1)
 
 #########################################
 #


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2015-12-18  4:14 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2015-12-18  4:14 UTC
  To: gentoo-commits

commit:     0460b12a0cbc61b25ebcbf20f283534cc49b98f5
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Dec 17 18:15:37 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Dec 18 04:12:29 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0460b12a

Introduce mount_rw_pipes interface

 policy/modules/system/mount.if | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/policy/modules/system/mount.if b/policy/modules/system/mount.if
index 8a2105b..279f6d7 100644
--- a/policy/modules/system/mount.if
+++ b/policy/modules/system/mount.if
@@ -209,3 +209,23 @@ interface(`mount_rw_loopback_files',`
 
 	allow $1 mount_loopback_t:file rw_file_perms;
 ')
+
+# gentoo specific under here
+
+########################################
+## <summary>
+##	Read and write mount unnamed pipes
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mount_rw_pipes',`
+	gen_require(`
+		type mount_t;
+	')
+
+	allow $1 mount_t:fifo_file rw_fifo_file_perms;
+')
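Review bot: the summary says "unnamed pipes", but rw_fifo_file_perms in "allow $1 mount_t:fifo_file rw_fifo_file_perms;" includes open, which a pipe inherited from mount_t across exec never needs; rw_inherited_fifo_file_perms grants the read/write/getattr/ioctl set without open and fits the stated purpose more tightly. The "# gentoo specific under here" marker is also only a comment: the other Gentoo-only additions on this page wrap their rules in ifdef(`distro_gentoo',` ... '), which makes the Gentoo-specific part machine-recognisable when syncing with upstream.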


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2016-01-30 17:21 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2016-01-30 17:21 UTC
  To: gentoo-commits

commit:     a805901283fe872c7236336867701f1834274307
Author:     Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Mon Dec 14 21:19:24 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Jan 30 16:45:01 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a8059012

Give some systemd domain access to /proc/sys/kernel/random/boot_id

 policy/modules/system/systemd.te | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 1f70a93..2376af3 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -129,6 +129,8 @@ kernel_dgram_send(systemd_cgroups_t)
 # locale local policy
 #
 
+kernel_read_kernel_sysctls(systemd_locale_t)
+
 files_read_etc_files(systemd_locale_t)
 
 logging_send_syslog_msg(systemd_locale_t)
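Review bot: the commit message names a single file, /proc/sys/kernel/random/boot_id, but kernel_read_kernel_sysctls(systemd_locale_t) grants read access to the whole /proc/sys/kernel tree; if only boot_id is needed, the message should say that no narrower interface exists (or one should be added) so the breadth reads as a deliberate choice rather than an oversight. The same applies to the hostnamed, logind and tmpfiles hunks below, which use the same interface.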
@@ -145,6 +147,8 @@ optional_policy(`
 # Hostnamed policy
 #
 
+kernel_read_kernel_sysctls(systemd_hostnamed_t)
+
 files_read_etc_files(systemd_hostnamed_t)
 
 logging_send_syslog_msg(systemd_hostnamed_t)
@@ -174,6 +178,8 @@ manage_fifo_files_pattern(systemd_logind_t, systemd_logind_var_run_t, systemd_lo
 manage_files_pattern(systemd_logind_t, systemd_logind_var_run_t, systemd_logind_var_run_t)
 files_search_pids(systemd_logind_t)
 
+kernel_read_kernel_sysctls(systemd_logind_t)
+
 auth_manage_faillog(systemd_logind_t)
 
 dev_rw_sysfs(systemd_logind_t)
@@ -236,6 +242,8 @@ logging_send_syslog_msg(systemd_sessions_t)
 allow systemd_tmpfiles_t self:capability  { fowner chown fsetid dac_override mknod };
 allow systemd_tmpfiles_t self:process { setfscreate getcap };
 
+kernel_read_kernel_sysctls(systemd_tmpfiles_t)
+
 dev_relabel_all_sysfs(systemd_tmpfiles_t)
 dev_read_urand(systemd_tmpfiles_t)
 dev_manage_all_dev_nodes(systemd_tmpfiles_t)


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2016-01-30 17:21 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2016-01-30 17:21 UTC
  To: gentoo-commits

commit:     6b7f2fdba7706b4859e2d63c4b8ef887b61d6bbd
Author:     Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Wed Dec 16 18:19:30 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Jan 30 17:02:52 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6b7f2fdb

Allow syslogd_t to read sysctl_vm_overcommit_t

 policy/modules/system/logging.te | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 7b6b6fb..f2e4984 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -418,7 +418,8 @@ kernel_read_kernel_sysctls(syslogd_t)
 kernel_read_proc_symlinks(syslogd_t)
 # Allow access to /proc/kmsg for syslog-ng
 kernel_read_messages(syslogd_t)
-kernel_read_vm_sysctls(syslogd_t)
+# rsyslog
+kernel_read_vm_overcommit_sysctl(syslogd_t)
 kernel_clear_ring_buffer(syslogd_t)
 kernel_change_ring_buffer_level(syslogd_t)
 # Read ring buffer for journald
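Review bot: this replaces kernel_read_vm_sysctls(syslogd_t) instead of adding alongside it, so any other /proc/sys/vm reads that syslog-ng or journald (both named in the surrounding comments) relied on are dropped together with the broader rule, while the message only mentions rsyslog; state that the narrower kernel_read_vm_overcommit_sysctl is sufficient for all of them. The bare "# rsyslog" comment should also say what rsyslog reads there (the overcommit_memory sysctl) so that a later reader does not simply re-widen the rule.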


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2016-01-30 17:21 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2016-01-30 17:21 UTC
  To: gentoo-commits

commit:     4b490e79fdaf7108a2b6a933e893612e528c9a2c
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Fri Jan 15 14:50:01 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Jan 30 17:16:56 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4b490e79

Module version bump for systemd audit_read capability from Laurent Bigonville

 policy/modules/system/init.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 1239f1b..fd559bc 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 2.0.1)
+policy_module(init, 2.0.2)
 
 gen_require(`
 	class passwd rootok;


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2016-01-30 17:21 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2016-01-30 17:21 UTC
  To: gentoo-commits

commit:     3453ea565d37914f41109bf1d742451c448e673d
Author:     Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Fri Jan 15 10:42:25 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Jan 30 17:16:56 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3453ea56

Allow systemd the audit_read capability

At early boot, I get the following messages in dmesg:

audit: type=1400 audit(1452851002.184:3): avc:  denied  { audit_read } for  pid=1 comm="systemd" capability=37 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=capability2 permissive=1
systemd[1]: Listening on Journal Audit Socket.

 policy/modules/system/init.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 0aafb44..1239f1b 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -195,7 +195,7 @@ ifdef(`init_systemd',`
 	typeattribute init_t init_run_all_scripts_domain;
 
 	allow init_t self:process { getcap getsched setsched setpgid setfscreate setsockcreate setcap setrlimit };
-	allow init_t self:capability2 block_suspend;
+	allow init_t self:capability2 { audit_read block_suspend };
 	allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
 	allow init_t self:netlink_route_socket create_netlink_socket_perms;
 	allow init_t self:netlink_selinux_socket create_socket_perms;
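Review bot: audit_read in "allow init_t self:capability2 { audit_read block_suspend };" only compiles against a policy whose access vectors define that capability2 permission (the quoted denial shows capability=37, tclass=capability2), so the commit message should state which policy/kernel version introduced it; on an older base the module build fails rather than silently granting nothing. The denial was also captured with permissive=1, so it is worth confirming that no further denial for pid 1 appears once the system runs enforcing.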


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2016-01-30 17:21 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2016-01-30 17:21 UTC
  To: gentoo-commits

commit:     fa7ae7016f74f2285ef85218f8df27a0501bddf9
Author:     Nicolas Iooss <nicolas.iooss <AT> m4x <DOT> org>
AuthorDate: Sun Jan 17 18:46:23 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Jan 30 17:16:56 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=fa7ae701

Fix typo in init_dbus_chat requirements

init_dbus_chat interface required initrc_t type but used init_t type.

 policy/modules/system/init.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index cfe4bd4..48c5d3d 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -966,7 +966,7 @@ interface(`init_service_start',`
 #
 interface(`init_dbus_chat',`
 	gen_require(`
-		type initrc_t;
+		type init_t;
 		class dbus send_msg;
 	')
 


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2016-01-31 16:19 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2016-01-31 16:19 UTC
  To: gentoo-commits

commit:     aea1a2c1e811cffff5f00eaff151aa39d275dc91
Author:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
AuthorDate: Sun Jan 31 16:19:24 2016 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Jan 31 16:19:24 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=aea1a2c1

Allow sesearch to find default policy

Utilities that want to find the default policy in /etc/selinux/*/policy
will need read privileges on policy_config_t as they list the contents
of the policy/ folder.

Example is the sesearch command.

 policy/modules/system/selinuxutil.if | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
index 55d2429..b4c70a3 100644
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
@@ -941,6 +941,12 @@ interface(`seutil_read_bin_policy',`
 	files_search_etc($1)
 	allow $1 selinux_config_t:dir search_dir_perms;
 	read_files_pattern($1, policy_config_t, policy_config_t)
+
+	ifdef(`distro_gentoo',`
+		# Allow sesearch to read /etc/selinux/.../policy
+		# Otherwise it returns "No default policy found"
+		allow $1 policy_config_t:dir list_dir_perms;
+	')
 ')
 
 ########################################
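Review bot: read_files_pattern($1, policy_config_t, policy_config_t) two lines above the addition already grants search_dir_perms on policy_config_t directories, so "allow $1 policy_config_t:dir list_dir_perms;" adds only the listing permission, which is the minimal change; the distro_gentoo ifdef is the questionable part, since sesearch's "No default policy found" behaviour is not Gentoo specific and the rule belongs in the upstream body of seutil_read_bin_policy (or should be sent upstream with a note here that it is pending).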


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2016-02-12  3:51 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2016-02-12  3:51 UTC
  To: gentoo-commits

commit:     2efc5d1fdd25123824002647938d219a0409845a
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Wed Feb 10 15:34:51 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Feb 12 03:15:07 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2efc5d1f

Whitespace fix in iptables.fc.

 policy/modules/system/iptables.fc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
index 709aa6c..0e1ecd3 100644
--- a/policy/modules/system/iptables.fc
+++ b/policy/modules/system/iptables.fc
@@ -28,4 +28,4 @@
 /usr/sbin/iptables-restore	--	gen_context(system_u:object_r:iptables_exec_t,s0)
 
 /var/run/ebtables\.lock		--	gen_context(system_u:object_r:iptables_var_run_t,s0)
-/var/run/xtables.*       --  gen_context(system_u:object_r:iptables_var_run_t,s0)
+/var/run/xtables.*		--	gen_context(system_u:object_r:iptables_var_run_t,s0)


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2016-02-12  3:51 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2016-02-12  3:51 UTC
  To: gentoo-commits

commit:     c012684e5095d01de71044df7fc4e357679cd068
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Mon Feb  8 13:33:08 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Feb 12 03:15:07 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c012684e

Module version bump for ipset fc entry from Laurent Bigonville.

 policy/modules/system/iptables.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
index ef25371..517bfd5 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -1,4 +1,4 @@
-policy_module(iptables, 1.16.0)
+policy_module(iptables, 1.16.1)
 
 ########################################
 #


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2016-02-12  3:51 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2016-02-12  3:51 UTC
  To: gentoo-commits

commit:     86cd82f47792cab3b82f8e2cb6345c2b435f67b0
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Wed Feb 10 15:36:09 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Feb 12 03:15:07 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=86cd82f4

Module version bump for iptables fc entries from Laurent Bigonville and Lukas Vrabec.

 policy/modules/system/iptables.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
index 517bfd5..ce9ea3f 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -1,4 +1,4 @@
-policy_module(iptables, 1.16.1)
+policy_module(iptables, 1.16.2)
 
 ########################################
 #


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2016-02-12  3:51 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2016-02-12  3:51 UTC
  To: gentoo-commits

commit:     65f9415edcff586ac0cf20cd9a036317ab361d47
Author:     Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Wed Feb  3 13:14:38 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Feb 12 03:15:07 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=65f9415e

Allow logind to read efivarfs files

 policy/modules/system/systemd.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 8892447..5565fd3 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -191,6 +191,8 @@ dev_setattr_sound_dev(systemd_logind_t)
 
 files_read_etc_files(systemd_logind_t)
 
+fs_read_efivarfs_files(systemd_logind_t)
+
 fs_getattr_tmpfs(systemd_logind_t)
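Review bot: the commit message gives neither a denial nor the operation behind fs_read_efivarfs_files(systemd_logind_t); add the use case (the logind feature that consults EFI variables) to the message or as a comment above the rule, so a later reader can tell whether the access is still required when logind changes.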
 
 storage_getattr_removable_dev(systemd_logind_t)


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2016-02-12  3:51 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2016-02-12  3:51 UTC
  To: gentoo-commits

commit:     409aefdf3b059a86e9d43440085b111817e835ba
Author:     Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Fri Feb  5 00:14:30 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Feb 12 03:15:07 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=409aefdf

Add label for /sbin/ipset

 policy/modules/system/iptables.fc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
index b3eda3e..e6d5258 100644
--- a/policy/modules/system/iptables.fc
+++ b/policy/modules/system/iptables.fc
@@ -6,6 +6,7 @@
 /sbin/ebtables			--	gen_context(system_u:object_r:iptables_exec_t,s0)
 /sbin/ebtables-restore		--	gen_context(system_u:object_r:iptables_exec_t,s0)
 /sbin/ipchains.*		--	gen_context(system_u:object_r:iptables_exec_t,s0)
+/sbin/ipset			--	gen_context(system_u:object_r:iptables_exec_t,s0)
 /sbin/ip6?tables		--	gen_context(system_u:object_r:iptables_exec_t,s0)
 /sbin/ip6?tables-restore	--	gen_context(system_u:object_r:iptables_exec_t,s0)
 /sbin/ip6?tables-multi		--	gen_context(system_u:object_r:iptables_exec_t,s0)
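Review bot: the new /sbin/ipset entry is placed in alphabetical order with the other /sbin entries, which is fine, but this file also carries /usr/sbin entries for the iptables binaries (visible in the other iptables.fc hunks on this page); consider adding a matching /usr/sbin/ipset line so the label does not depend on where the distribution installs the binary.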


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2016-02-12  3:51 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2016-02-12  3:51 UTC
  To: gentoo-commits

commit:     e6bf06ab8cbd26b03bdb0530760df814ae51e946
Author:     Lukas Vrabec <lvrabec <AT> redhat <DOT> com>
AuthorDate: Tue Aug 11 09:55:18 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Feb 12 03:15:07 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e6bf06ab

Label /var/run/xtables.lock as iptables_var_run_t.

 policy/modules/system/iptables.fc | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
index e6d5258..c97cefc 100644
--- a/policy/modules/system/iptables.fc
+++ b/policy/modules/system/iptables.fc
@@ -26,3 +26,5 @@
 /usr/sbin/iptables		--	gen_context(system_u:object_r:iptables_exec_t,s0)
 /usr/sbin/iptables-multi 	--	gen_context(system_u:object_r:iptables_exec_t,s0)
 /usr/sbin/iptables-restore	--	gen_context(system_u:object_r:iptables_exec_t,s0)
+
+/var/run/xtables.*       --  gen_context(system_u:object_r:iptables_var_run_t,s0)
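Review bot: the pattern /var/run/xtables.* leaves the dot unescaped and the trailing .* open, so it labels any path beginning with /var/run/xtables rather than only the xtables.lock named in the commit title; /var/run/xtables\.lock is the precise spec. The line also separates the path, the -- marker and the gen_context with spaces, while every other entry in the file uses tabs.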


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2016-02-12  3:51 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2016-02-12  3:51 UTC
  To: gentoo-commits

commit:     4415fab18ad8d2769f159216d68283efbcbf7fc5
Author:     Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Mon Feb  8 21:48:53 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Feb 12 03:15:07 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4415fab1

Label /var/run/ebtables.lock as iptables_var_run_t.

This lock file is used on Debian since version 2.0.10.4-3.2. This is
also used on Fedora.

 policy/modules/system/iptables.fc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
index c97cefc..709aa6c 100644
--- a/policy/modules/system/iptables.fc
+++ b/policy/modules/system/iptables.fc
@@ -27,4 +27,5 @@
 /usr/sbin/iptables-multi 	--	gen_context(system_u:object_r:iptables_exec_t,s0)
 /usr/sbin/iptables-restore	--	gen_context(system_u:object_r:iptables_exec_t,s0)
 
+/var/run/ebtables\.lock		--	gen_context(system_u:object_r:iptables_var_run_t,s0)
 /var/run/xtables.*       --  gen_context(system_u:object_r:iptables_var_run_t,s0)


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2016-03-11 17:20 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2016-03-11 17:20 UTC
  To: gentoo-commits

commit:     f9b071ba066b0115b30453adf9e15daf314dc901
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Tue Feb 16 14:48:37 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Mar 11 17:15:38 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f9b071ba

Module version bump for iptables/firewalld patch from Laurent Bigonville.

 policy/modules/system/iptables.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
index 2a5174c..e7d91a7 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -1,4 +1,4 @@
-policy_module(iptables, 1.16.2)
+policy_module(iptables, 1.16.3)
 
 ########################################
 #


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2016-03-11 17:20 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2016-03-11 17:20 UTC (permalink / raw
  To: gentoo-commits

commit:     a69295a3c6b598490e971fe458fbcb64d28f8625
Author:     Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Fri Mar  4 02:05:18 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Mar 11 17:15:38 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a69295a3

Allow getty the sys_admin capability

It's required for agetty on kernels with a recent grsecurity patchset.
(The denial itself has been showing up for quite some time, but it
hasn't had any obvious ill effects until recently.)

 policy/modules/system/getty.te | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)

diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
index f6743ea..80fec66 100644
--- a/policy/modules/system/getty.te
+++ b/policy/modules/system/getty.te
@@ -33,7 +33,7 @@ files_pid_file(getty_var_run_t)
 #
 
 # Use capabilities.
-allow getty_t self:capability { dac_override chown setgid sys_resource sys_tty_config fowner fsetid };
+allow getty_t self:capability { dac_override chown setgid sys_admin sys_resource sys_tty_config fowner fsetid };
 dontaudit getty_t self:capability sys_tty_config;
 allow getty_t self:process { getpgid setpgid getsession signal_perms };
 allow getty_t self:fifo_file rw_fifo_file_perms;
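Review bot: the new sys_admin grant applies to getty_t on every distribution, while the commit message justifies it only for kernels carrying a recent grsecurity patchset; sys_admin is the broadest capability in this set, so consider keeping it inside ifdef(`distro_gentoo') or behind a tunable, and add a comment naming the grsecurity check that triggers the denial so a later reader can tell when the grant can be dropped. The following `dontaudit getty_t self:capability sys_tty_config;` is redundant with the allow on the line above it (pre-existing, but worth cleaning up while this line is being touched).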
@@ -102,11 +102,6 @@ ifdef(`distro_gentoo',`
 	sysnet_dns_name_resolve(getty_t)
 ')
 
-ifdef(`distro_redhat',`
-	# getty requires sys_admin #209426
-	allow getty_t self:capability sys_admin;
-')
-
 ifdef(`distro_ubuntu',`
 	optional_policy(`
 		unconfined_domain(getty_t)
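Review bot: deleting the distro_redhat block also deletes the only comment explaining why getty needs sys_admin (`# getty requires sys_admin #209426`); with the capability now granted unconditionally, move that rationale, together with the grsecurity reason from the commit message, onto the allow line at the top of the file so the justification survives the refactor.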


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2016-03-11 17:20 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2016-03-11 17:20 UTC (permalink / raw
  To: gentoo-commits

commit:     7c64d1b08fd49c3317d31f82deb877e522e631f0
Author:     Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Sat Feb 13 09:04:06 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Mar 11 17:15:38 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7c64d1b0

Allow {eb,ip,ip6}tables-restore to read files in /run/firewalld

Since version 0.4.0, firewalld uses *tables-restore to speed up the
load of the rules.

 policy/modules/system/iptables.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
index ce9ea3f..2a5174c 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -111,6 +111,7 @@ optional_policy(`
 
 optional_policy(`
 	firewalld_read_config_files(iptables_t)
+	firewalld_read_var_run_files(iptables_t)
 	firewalld_dontaudit_rw_tmp_files(iptables_t)
 ')
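Review bot: firewalld_read_var_run_files() is an interface from the contrib firewalld module, and iptables.te is base policy; optional_policy() only protects against the module being absent at link time, not against the interface being undefined in the firewalld.if shipped with this tree, in which case the call is left unexpanded by m4 and the build fails. Confirm the interface exists in the matching contrib revision, since the commit message only states that firewalld 0.4.0 uses *tables-restore.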
 


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2016-03-11 17:20 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2016-03-11 17:20 UTC (permalink / raw
  To: gentoo-commits

commit:     612824ba0666a9c8e0f6858196772c23f986548e
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Mon Mar  7 15:14:28 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Mar 11 17:15:38 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=612824ba

Module version bump for getty patch from Luis Ressel.

 policy/modules/system/getty.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
index 80fec66..8ff3183 100644
--- a/policy/modules/system/getty.te
+++ b/policy/modules/system/getty.te
@@ -1,4 +1,4 @@
-policy_module(getty, 1.10.0)
+policy_module(getty, 1.10.1)
 
 ########################################
 #


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2016-03-11 17:20 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2016-03-11 17:20 UTC (permalink / raw
  To: gentoo-commits

commit:     b0c79d2a055903a37b3aaf0dd1eb7e2fcfc90224
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Mar  7 08:45:36 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Mar 11 17:15:38 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b0c79d2a

system/init: move systemd_ interfaces into optional_policy

When ifdef systemd is enabled, some interfaces from systemd are called
unconditionally. This makes migrating from non-systemd to systemd
complicated since init is part of base and systemd is not so loading
fails. Moving them into optional_policy fixes this.

 policy/modules/system/init.te | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index fd559bc..1f59e2a 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -280,13 +280,15 @@ ifdef(`init_systemd',`
 
 	seutil_read_file_contexts(init_t)
 
-	systemd_relabelto_kmod_files(init_t)
-	systemd_dbus_chat_logind(init_t)
-
 	# udevd is a "systemd kobject uevent socket activated daemon"
 	udev_create_kobject_uevent_sockets(init_t)
 
 	optional_policy(`
+		systemd_relabelto_kmod_files(init_t)
+		systemd_dbus_chat_logind(init_t)
+	')
+
+	optional_policy(`
 		dbus_system_bus_client(init_t)
 		dbus_connect_system_bus(init_t)
 	')
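Review bot: wrapping systemd_relabelto_kmod_files() and systemd_dbus_chat_logind() in optional_policy() turns a hard build failure into silently missing rules when init_systemd is set but the systemd module is not loaded; that is the trade-off the commit message wants, but a comment on the new block should say so. Keeping them in their own optional_policy() rather than folding them into the dbus block below is right, since the two groups depend on different modules.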


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2016-05-13  5:37 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2016-05-13  5:37 UTC (permalink / raw
  To: gentoo-commits

commit:     7a1d866be3985d9cb2c6e30bfd301411e4db9223
Author:     Dominick Grift <dac.override <AT> gmail <DOT> com>
AuthorDate: Thu Mar 31 07:40:42 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri May 13 05:07:33 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7a1d866b

systemd: Add support for --log-target

https://www.freedesktop.org/software/systemd/man/systemd.html#--log-target=

see for discussion: https://github.com/TresysTechnology/refpolicy/pull/22

v2: Add comment about dontaudit rule

Signed-off-by: Dominick Grift <dac.override <AT> gmail.com>

 policy/modules/system/systemd.if | 19 +++++++++++++++++
 policy/modules/system/systemd.te | 44 +++++++++++++++++++++++++++-------------
 2 files changed, 49 insertions(+), 14 deletions(-)

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 3cd6670..705cbaa 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -2,6 +2,25 @@
 
 ######################################
 ## <summary>
+##   Make the specified type usable as an
+##   log parse environment type.
+## </summary>
+## <param name="domain">
+##   <summary>
+##     Type to be used as a log parse environment type.
+##   </summary>
+## </param>
+#
+interface(`systemd_log_parse_environment',`
+	gen_require(`
+		attribute systemd_log_parse_env_type;
+	')
+
+	typeattribute $1 systemd_log_parse_env_type;
+')
+
+######################################
+## <summary>
 ##   Read systemd_login PID files.
 ## </summary>
 ## <param name="domain">
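Review bot: in the new interface's summary, "usable as an log parse environment type" should read "a log parse environment type". The body follows refpolicy's attribute-interface convention (gen_require on the attribute, then typeattribute), so no functional concern.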

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 60a75fa..6d40952 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -12,6 +12,8 @@ policy_module(systemd, 1.1.3)
 ## </desc>
 gen_tunable(systemd_tmpfiles_manage_all, false)
 
+attribute systemd_log_parse_env_type;
+
 type systemd_activate_t;
 type systemd_activate_exec_t;
 init_system_domain(systemd_activate_t, systemd_activate_exec_t)
@@ -113,16 +115,33 @@ init_unit_file(power_unit_t)
 
 ######################################
 #
+# systemd log parse enviroment
+#
+
+# Do not audit setsockopt(fd, SOL_SOCKET, SO_SNDBUFFORCE, ...) failure (e.g. when using create_log_socket() internal function)
+dontaudit systemd_log_parse_env_type self:capability net_admin;
+
+kernel_read_system_state(systemd_log_parse_env_type)
+
+dev_write_kmsg(systemd_log_parse_env_type)
+
+term_use_console(systemd_log_parse_env_type)
+
+init_read_state(systemd_log_parse_env_type)
+
+logging_send_syslog_msg(systemd_log_parse_env_type)
+
+######################################
+#
 # Cgroups local policy
 #
 
 kernel_domtrans_to(systemd_cgroups_t, systemd_cgroups_exec_t)
+kernel_dgram_send(systemd_cgroups_t)
 
 init_stream_connect(systemd_cgroups_t)
 
-logging_send_syslog_msg(systemd_cgroups_t)
-
-kernel_dgram_send(systemd_cgroups_t)
+systemd_log_parse_environment(systemd_cgroups_t)
 
 #######################################
 #
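Review bot: every domain later given systemd_log_parse_environment() now receives dev_write_kmsg(), term_use_console(), kernel_read_system_state() and init_read_state() in addition to the logging_send_syslog_msg() it previously had; for systemd_cgroups_t, the locale and hostname daemons, systemd_sessions_t and systemd_tmpfiles_t this is a widening, not a pure refactor, and the rationale (systemd's --log-target= handling, per the commit message) belongs in this comment block. The section header also misspells "environment" as "enviroment". The dontaudit on net_admin is well explained by its comment and is fine.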
@@ -133,10 +152,10 @@ kernel_read_kernel_sysctls(systemd_locale_t)
 
 files_read_etc_files(systemd_locale_t)
 
-logging_send_syslog_msg(systemd_locale_t)
-
 seutil_read_file_contexts(systemd_locale_t)
 
+systemd_log_parse_environment(systemd_locale_t)
+
 optional_policy(`
 	dbus_connect_system_bus(systemd_locale_t)
 	dbus_system_bus_client(systemd_locale_t)
@@ -151,10 +170,10 @@ kernel_read_kernel_sysctls(systemd_hostnamed_t)
 
 files_read_etc_files(systemd_hostnamed_t)
 
-logging_send_syslog_msg(systemd_hostnamed_t)
-
 seutil_read_file_contexts(systemd_hostnamed_t)
 
+systemd_log_parse_environment(systemd_hostnamed_t)
+
 optional_policy(`
 	dbus_system_bus_client(systemd_hostnamed_t)
 	dbus_connect_system_bus(systemd_hostnamed_t)
@@ -207,13 +226,10 @@ init_start_all_units(systemd_logind_t)
 init_stop_all_units(systemd_logind_t)
 init_service_status(systemd_logind_t)
 init_service_start(systemd_logind_t)
-# This is for reading /proc/1/cgroup
-init_read_state(systemd_logind_t)
 
 locallogin_read_state(systemd_logind_t)
 
-logging_send_syslog_msg(systemd_logind_t)
-
+systemd_log_parse_environment(systemd_logind_t)
 systemd_start_power_units(systemd_logind_t)
 
 udev_read_db(systemd_logind_t)
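Review bot: removing init_read_state(systemd_logind_t) also removes its comment `# This is for reading /proc/1/cgroup`; the access itself is preserved through the attribute, but the reason is lost. Move the comment next to init_read_state(systemd_log_parse_env_type) in the new attribute block.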
@@ -234,7 +250,7 @@ optional_policy(`
 allow systemd_sessions_t systemd_sessions_var_run_t:file manage_file_perms;
 files_pid_filetrans(systemd_sessions_t, systemd_sessions_var_run_t, file)
 
-logging_send_syslog_msg(systemd_sessions_t)
+systemd_log_parse_environment(systemd_sessions_t)
 
 #########################################
 #
@@ -260,10 +276,10 @@ auth_manage_login_records(systemd_tmpfiles_t)
 auth_relabel_login_records(systemd_tmpfiles_t)
 auth_setattr_login_records(systemd_tmpfiles_t)
 
-logging_send_syslog_msg(systemd_tmpfiles_t)
-
 seutil_read_file_contexts(systemd_tmpfiles_t)
 
+systemd_log_parse_environment(systemd_tmpfiles_t)
+
 tunable_policy(`systemd_tmpfiles_manage_all',`
 	# systemd-tmpfiles can be configured to manage anything.
 	# have a last-resort option for users to do this.


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2016-06-02  6:32 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2016-06-02  6:32 UTC (permalink / raw
  To: gentoo-commits

commit:     0d320152aa69e147c6da94d13ab929db3f070e78
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Jun  1 16:08:56 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Jun  1 18:20:07 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0d320152

userdomain: introduce interfaces for user runtime

 policy/modules/system/userdomain.if | 206 ++++++++++++++++++++++++++++++++++++
 1 file changed, 206 insertions(+)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 14dae15..beed625 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -324,6 +324,7 @@ interface(`userdom_manage_tmp_role',`
 	manage_sock_files_pattern($2, user_tmp_t, user_tmp_t)
 	manage_fifo_files_pattern($2, user_tmp_t, user_tmp_t)
 	files_tmp_filetrans($2, user_tmp_t, { dir file lnk_file sock_file fifo_file })
+	userdom_user_runtime_filetrans_user_tmp($2, { dir file lnk_file sock_file fifo_file })
 ')
 
 #######################################
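Review bot: with this call, userdom_manage_tmp_role() creates user_tmp_t objects under /run/user/UID as well as under /tmp, so user_tmp_t content now lives in two trees, and the role domain gains directory write access on user_runtime_t through the filetrans interface; a short comment on this line stating that intent would help, since the interface name alone does not make the /run/user placement obvious.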
@@ -2768,6 +2769,211 @@ interface(`userdom_search_user_runtime_root',`
 
 ########################################
 ## <summary>
+##	Create, read, write, and delete user
+##	runtime root dirs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_manage_user_runtime_root_dirs',`
+	gen_require(`
+		type user_runtime_root_t;
+	')
+
+	allow $1 user_runtime_root_t:dir manage_dir_perms;
+	files_search_pids($1)
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete user
+##	runtime dirs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_manage_user_runtime_dirs',`
+	gen_require(`
+		type user_runtime_t;
+	')
+
+	allow $1 user_runtime_t:dir manage_dir_perms;
+	userdom_search_user_runtime_root($1)
+')
+
+########################################
+## <summary>
+##	Mount a filesystem on user runtime dir
+##	directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_mounton_user_runtime_dirs',`
+	gen_require(`
+		type user_runtime_t;
+	')
+
+	allow $1 user_runtime_t:dir mounton;
+')
+
+########################################
+## <summary>
+##	Relabel to user runtime directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_relabelto_user_runtime_dirs',`
+	gen_require(`
+		type user_runtime_t;
+	')
+
+	allow $1 user_runtime_t:dir relabelto;
+')
+
+########################################
+## <summary>
+##	Create objects in the pid directory
+##	with an automatic type transition to
+##	the user runtime root type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	The class of the object to be created.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`userdom_pid_filetrans_user_runtime_root',`
+	gen_require(`
+		type user_runtime_root_t;
+	')
+
+	files_pid_filetrans($1, user_runtime_root_t, $2, $3)
+')
+
+########################################
+## <summary>
+##	Create objects in a user runtime
+##	directory with an automatic type
+##	transition to a specified private
+##	type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="private_type">
+##	<summary>
+##	The type of the object to create.
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	The class of the object to be created.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`userdom_user_runtime_filetrans',`
+	gen_require(`
+		type user_runtime_root_t, user_runtime_t;
+	')
+
+	filetrans_pattern($1, user_runtime_t, $2, $3, $4)
+	userdom_search_user_runtime_root($1)
+')
+
+########################################
+## <summary>
+##	Create objects in the user runtime directory
+##	with an automatic type transition to
+##	the user temporary type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	The class of the object to be created.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`userdom_user_runtime_filetrans_user_tmp',`
+	gen_require(`
+		type user_tmp_t;
+	')
+
+	userdom_user_runtime_filetrans($1, user_tmp_t, $2, $3)
+')
+
+########################################
+## <summary>
+##	Create objects in the user runtime root
+##	directory with an automatic type transition
+##	to the user runtime dir type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="object_class">
+##	<summary>
+##	The class of the object to be created.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`userdom_user_runtime_root_filetrans_user_runtime',`
+	gen_require(`
+		type user_runtime_root_t, user_runtime_t;
+	')
+
+	filetrans_pattern($1, user_runtime_root_t, user_runtime_t, $2, $3)
+	files_search_pids($1)
+')
+
+########################################
+## <summary>
 ##	Read and write user tmpfs files.
 ## </summary>
 ## <param name="domain">
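Review bot: userdom_user_runtime_filetrans() requires user_runtime_root_t in its gen_require but never references it (the only use of the root type is inside userdom_search_user_runtime_root(), which carries its own gen_require), so drop it from the require list. Also, userdom_mounton_user_runtime_dirs() and userdom_relabelto_user_runtime_dirs() grant the permission on user_runtime_t:dir without any path to reach that directory, unlike userdom_manage_user_runtime_dirs(), which calls userdom_search_user_runtime_root(); add the same search call to both or document that callers must obtain it separately. userdom_manage_user_runtime_root_dirs() correctly pairs manage_dir_perms with files_search_pids().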


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2016-06-02  6:32 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2016-06-02  6:32 UTC (permalink / raw
  To: gentoo-commits

commit:     c3f41eca7bf46e2f2dffbd048c7b8afa62f4a803
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Thu May 26 12:53:00 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Jun  1 18:20:07 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c3f41eca

Module version bump for systemd-resolved patch from Laurent Bigonville.

 policy/modules/system/systemd.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index e42f3ca..ceb0f29 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1,4 +1,4 @@
-policy_module(systemd, 1.1.4)
+policy_module(systemd, 1.1.5)
 
 #########################################
 #


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2016-06-02  6:32 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2016-06-02  6:32 UTC (permalink / raw
  To: gentoo-commits

commit:     cd99b0bd8afe0e8e35e74bd27124d38b6b1fa090
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Jun  1 16:08:53 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Jun  1 18:20:07 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=cd99b0bd

authlogin: remove fcontext for /var/run/user

 policy/modules/system/authlogin.fc | 1 -
 1 file changed, 1 deletion(-)

diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
index bb11be5..c0ee2e3 100644
--- a/policy/modules/system/authlogin.fc
+++ b/policy/modules/system/authlogin.fc
@@ -47,6 +47,5 @@ ifdef(`distro_gentoo', `
 /var/run/pam_ssh(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
 /var/run/sepermit(/.*)? 	gen_context(system_u:object_r:pam_var_run_t,s0)
 /var/run/sudo(/.*)?		gen_context(system_u:object_r:pam_var_run_t,s0)
-/var/run/user(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
 /var/(db|adm)/sudo(/.*)?	gen_context(system_u:object_r:pam_var_run_t,s0)
 /var/lib/sudo(/.*)?	gen_context(system_u:object_r:pam_var_run_t,s0)
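Review bot: the deleted `/var/run/user(/.*)?` entry labelled the whole tree var_auth_t; applied on its own, this commit leaves /run/user to whatever generic /var/run pattern applies until the user_runtime_root_t entries from the companion userdomain.fc change in this series land, so the series must be applied in order. Existing systems also keep var_auth_t on /run/user until a relabel, which the commit message should state. The hunk header shows ifdef(`distro_gentoo', ` as the enclosing context, so confirm whether the removed line sat inside that block and therefore whether non-Gentoo builds relied on it at all.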


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2016-06-02  6:32 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2016-06-02  6:32 UTC (permalink / raw
  To: gentoo-commits

commit:     33b0d446f0d55311b674932b135b7ce0fe4e7b8b
Author:     Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Thu May 26 12:43:10 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Jun  1 18:20:07 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=33b0d446

Add policy for systemd-resolved

Initial policy for systemd-resolved, tested with systemd 230 on Debian.

 policy/modules/system/systemd.fc |  2 ++
 policy/modules/system/systemd.te | 40 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 42 insertions(+)

diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index a0b5f0b..a987681 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -17,6 +17,7 @@
 /usr/lib/systemd/systemd-localed	--	gen_context(system_u:object_r:systemd_locale_exec_t,s0)
 /usr/lib/systemd/systemd-logind		--	gen_context(system_u:object_r:systemd_logind_exec_t,s0)
 /usr/lib/systemd/systemd-machined	--	gen_context(system_u:object_r:systemd_machined_exec_t,s0)
+/usr/lib/systemd/systemd-resolved	--	gen_context(system_u:object_r:systemd_resolved_exec_t,s0)
 /usr/lib/systemd/systemd-user-sessions	--	gen_context(system_u:object_r:systemd_sessions_exec_t,s0)
 
 # Systemd unit files
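Review bot: the executable is labelled only under /usr/lib/systemd/, consistent with the neighbouring entries, but the commit message says it was tested on Debian with systemd 230, where the binaries are installed under /lib/systemd/; that only works if the build's file_contexts.subs_dist maps /lib to /usr/lib or the system is merged-/usr, so the commit message should state which applies.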
@@ -33,6 +34,7 @@
 /var/run/\.nologin[^/]*	--	gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
 /var/run/nologin	--	gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
 
+/var/run/systemd/resolve(/.*)?  gen_context(system_u:object_r:systemd_resolved_var_run_t,s0)
 /var/run/systemd/seats(/.*)?	gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
 /var/run/systemd/sessions(/.*)?	gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
 /var/run/systemd/users(/.*)?	gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
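Review bot: the new `/var/run/systemd/resolve(/.*)?` entry separates the path and gen_context with spaces while its neighbours use a tab; align it with the surrounding lines.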

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 0bed23c..e42f3ca 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -80,6 +80,13 @@ type systemd_nspawn_t;
 type systemd_nspawn_exec_t;
 init_system_domain(systemd_nspawn_t, systemd_nspawn_exec_t)
 
+type systemd_resolved_t;
+type systemd_resolved_exec_t;
+init_system_domain(systemd_resolved_t, systemd_resolved_exec_t)
+
+type systemd_resolved_var_run_t;
+files_pid_file(systemd_resolved_var_run_t)
+
 type systemd_run_t;
 type systemd_run_exec_t;
 init_daemon_domain(systemd_run_t, systemd_run_exec_t)
@@ -244,6 +251,39 @@ optional_policy(`
 
 #########################################
 #
+# Resolved local policy
+#
+
+allow systemd_resolved_t self:capability { chown setgid setpcap setuid };
+allow systemd_resolved_t self:process { getcap setcap setfscreate signal };
+
+allow systemd_resolved_t self:tcp_socket { accept listen };
+
+manage_dirs_pattern(systemd_resolved_t, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
+manage_files_pattern(systemd_resolved_t, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
+init_pid_filetrans(systemd_resolved_t, systemd_resolved_var_run_t, dir)
+
+kernel_read_crypto_sysctls(systemd_resolved_t)
+kernel_read_kernel_sysctls(systemd_resolved_t)
+kernel_read_system_state(systemd_resolved_t)
+
+corenet_tcp_bind_generic_node(systemd_resolved_t)
+corenet_tcp_bind_llmnr_port(systemd_resolved_t)
+corenet_udp_bind_generic_node(systemd_resolved_t)
+corenet_udp_bind_llmnr_port(systemd_resolved_t)
+
+auth_use_nsswitch(systemd_resolved_t)
+
+seutil_read_file_contexts(systemd_resolved_t)
+
+systemd_log_parse_environment(systemd_resolved_t)
+
+optional_policy(`
+	dbus_system_bus_client(systemd_resolved_t)
+')
+
+#########################################
+#
 # Sessions local policy
 #
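Review bot: the block grants `self:tcp_socket { accept listen }` but shows no socket create or send/receive rules, so the LLMNR listener bound via corenet_*_bind_llmnr_port() depends on what auth_use_nsswitch() pulls in; a one-line comment saying so, and one explaining why chown/setgid/setuid/setpcap and `process setfscreate` are needed (presumably privilege dropping and labelling the files it writes under /run/systemd/resolve, which the fc entry and init_pid_filetrans() already cover), would make the block reviewable without chasing interfaces. kernel_read_crypto_sysctls() likewise deserves a comment naming the feature that needs it.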
 


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2016-06-02  6:32 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2016-06-02  6:32 UTC (permalink / raw
  To: gentoo-commits

commit:     d1b5efce35114ffed602938f377df910c78bddab
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Wed Jun  1 17:34:14 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Jun  1 18:20:07 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d1b5efce

Module version bumps + contrib update for user_runtime from Jason Zaman.

 policy/modules/system/authlogin.te  | 2 +-
 policy/modules/system/userdomain.te | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 587b289..b900122 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -1,4 +1,4 @@
-policy_module(authlogin, 2.8.1)
+policy_module(authlogin, 2.8.2)
 
 ########################################
 #

diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 8def7fd..62b5cdf 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -1,4 +1,4 @@
-policy_module(userdomain, 4.11.1)
+policy_module(userdomain, 4.11.2)
 
 ########################################
 #


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2016-06-02  6:32 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2016-06-02  6:32 UTC (permalink / raw
  To: gentoo-commits

commit:     01647fd1719e35255f0b775ea104c4296696ee1d
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Jun  1 16:08:54 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Jun  1 18:20:07 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=01647fd1

userdomain: Introduce types for /run/user

These are the types for /run/user, analogous to /home's home_root_t and
home_dir_t.

 policy/modules/system/userdomain.fc |  7 +++++++
 policy/modules/system/userdomain.te | 15 +++++++++++++++
 2 files changed, 22 insertions(+)

diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc
index db75976..0ec8d11 100644
--- a/policy/modules/system/userdomain.fc
+++ b/policy/modules/system/userdomain.fc
@@ -2,3 +2,10 @@ HOME_DIR	-d	gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
 HOME_DIR/.+		gen_context(system_u:object_r:user_home_t,s0)
 
 /tmp/gconfd-USER -d	gen_context(system_u:object_r:user_tmp_t,s0)
+
+/var/run/user		-d	gen_context(system_u:object_r:user_runtime_root_t,s0)
+/var/run/user/[^/]+	-d	gen_context(system_u:object_r:user_runtime_t,s0)
+/var/run/user/[^/]+/.+	-d	<<none>>
+# new genhomedircon required for these patterns
+/var/run/user/%{USERID}	-d	gen_context(system_u:object_r:user_runtime_t,s0)
+/var/run/user/%{USERID}/.+	<<none>>
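Review bot: `/var/run/user/[^/]+/.+	-d	<<none>>` is restricted to directories, whereas the %{USERID} variant below it (`/var/run/user/%{USERID}/.+	<<none>>`) applies to every file type, so on a build whose genhomedircon does not yet expand %{USERID} only subdirectories of /run/user/UID are excluded from relabelling, and plain files, sockets and symlinks there fall through to the generic /var/run rule on restorecon. Drop the `-d` from the `[^/]+` line so both forms behave the same.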

diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 2a36851..8def7fd 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -93,3 +93,18 @@ userdom_user_home_content(user_tmpfs_t)
 type user_tty_device_t alias { staff_tty_device_t sysadm_tty_device_t secadm_tty_device_t auditadm_tty_device_t unconfined_tty_device_t };
 dev_node(user_tty_device_t)
 ubac_constrained(user_tty_device_t)
+
+type user_runtime_root_t;
+fs_associate_tmpfs(user_runtime_root_t)
+files_mountpoint(user_runtime_root_t)
+files_poly_parent(user_runtime_root_t)
+
+type user_runtime_t;
+fs_associate_tmpfs(user_runtime_t)
+files_type(user_runtime_t)
+files_mountpoint(user_runtime_t)
+files_associate_tmp(user_runtime_t)
+files_poly(user_runtime_t)
+files_poly_member(user_runtime_t)
+files_poly_parent(user_runtime_t)
+ubac_constrained(user_runtime_t)
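Review bot: user_runtime_root_t is declared without files_type() while user_runtime_t gets it explicitly; unless files_mountpoint() implies files_type(), the root directory type is missed by every interface that operates on the files_type attribute (getattr/search of all file types and the like). Since /run/user lives under the pid directory, add files_type(user_runtime_root_t) or files_pid_file(user_runtime_root_t), mirroring how home_root_t (the analogue the commit message names) is a files type.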


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2016-06-02  6:32 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2016-06-02  6:32 UTC (permalink / raw
  To: gentoo-commits

commit:     3aa651f4510a18755348107c754f635db5a4b758
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Jun  1 16:08:55 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Jun  1 18:20:07 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3aa651f4

userdomain: user_tmp requires searching /run/user

 policy/modules/system/userdomain.if | 51 +++++++++++++++++++++++++++++++++++++
 1 file changed, 51 insertions(+)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 9284808..14dae15 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -344,6 +344,7 @@ interface(`userdom_exec_user_tmp_files',`
 
 	exec_files_pattern($1, user_tmp_t, user_tmp_t)
 	files_search_tmp($1)
+	userdom_search_user_runtime($1)
 ')
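Review bot: every user_tmp_t interface now unconditionally calls userdom_search_user_runtime(), which (per its definition later in this patch) grants search on user_runtime_t and user_runtime_root_t plus files_search_pids(); any domain that merely executes, reads or writes user_tmp_t content therefore also gains traversal of /run/user and every /run/user/UID directory. That is the cost of letting user_tmp_t live under the runtime dir and is acceptable, but it should be stated in the commit message, and the eleven identical insertions below would be easier to audit if the search were granted from one shared helper.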
 
 #######################################
@@ -2373,6 +2374,7 @@ interface(`userdom_write_user_tmp_sockets',`
 
 	allow $1 user_tmp_t:sock_file write_sock_file_perms;
 	files_search_tmp($1)
+	userdom_search_user_runtime($1)
 ')
 
 ########################################
@@ -2391,7 +2393,9 @@ interface(`userdom_list_user_tmp',`
 	')
 
 	allow $1 user_tmp_t:dir list_dir_perms;
+	allow $1 user_runtime_t:dir list_dir_perms;
 	files_search_tmp($1)
+	userdom_search_user_runtime($1)
 ')
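Review bot: `allow $1 user_runtime_t:dir list_dir_perms;` references user_runtime_t directly inside userdom_list_user_tmp(), but the interface's gen_require block sits above this hunk and is not shown; unless it already requires user_runtime_t the module fails to build. Either extend that gen_require or call an interface from userdomain.if that carries its own require. Note also that this hunk goes beyond the search access the other hunks add: listing /run/user/UID is granted to everyone allowed to list user_tmp_t.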
 
 ########################################
@@ -2450,6 +2454,7 @@ interface(`userdom_read_user_tmp_files',`
 	read_files_pattern($1, user_tmp_t, user_tmp_t)
 	allow $1 user_tmp_t:dir list_dir_perms;
 	files_search_tmp($1)
+	userdom_search_user_runtime($1)
 ')
 
 ########################################
@@ -2508,6 +2513,7 @@ interface(`userdom_rw_user_tmp_files',`
 	allow $1 user_tmp_t:dir list_dir_perms;
 	rw_files_pattern($1, user_tmp_t, user_tmp_t)
 	files_search_tmp($1)
+	userdom_search_user_runtime($1)
 ')
 
 ########################################
@@ -2547,6 +2553,7 @@ interface(`userdom_read_user_tmp_symlinks',`
 	read_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
 	allow $1 user_tmp_t:dir list_dir_perms;
 	files_search_tmp($1)
+	userdom_search_user_runtime($1)
 ')
 
 ########################################
@@ -2567,6 +2574,7 @@ interface(`userdom_manage_user_tmp_dirs',`
 
 	manage_dirs_pattern($1, user_tmp_t, user_tmp_t)
 	files_search_tmp($1)
+	userdom_search_user_runtime($1)
 ')
 
 ########################################
@@ -2587,6 +2595,7 @@ interface(`userdom_manage_user_tmp_files',`
 
 	manage_files_pattern($1, user_tmp_t, user_tmp_t)
 	files_search_tmp($1)
+	userdom_search_user_runtime($1)
 ')
 
 ########################################
@@ -2607,6 +2616,7 @@ interface(`userdom_manage_user_tmp_symlinks',`
 
 	manage_lnk_files_pattern($1, user_tmp_t, user_tmp_t)
 	files_search_tmp($1)
+	userdom_search_user_runtime($1)
 ')
 
 ########################################
@@ -2627,6 +2637,7 @@ interface(`userdom_manage_user_tmp_pipes',`
 
 	manage_fifo_files_pattern($1, user_tmp_t, user_tmp_t)
 	files_search_tmp($1)
+	userdom_search_user_runtime($1)
 ')
 
 ########################################
@@ -2647,6 +2658,7 @@ interface(`userdom_manage_user_tmp_sockets',`
 
 	manage_sock_files_pattern($1, user_tmp_t, user_tmp_t)
 	files_search_tmp($1)
+	userdom_search_user_runtime($1)
 ')
 
 ########################################
@@ -2683,6 +2695,7 @@ interface(`userdom_user_tmp_filetrans',`
 
 	filetrans_pattern($1, user_tmp_t, $2, $3, $4)
 	files_search_tmp($1)
+	userdom_search_user_runtime($1)
 ')
 
 ########################################
@@ -2717,6 +2730,44 @@ interface(`userdom_tmp_filetrans_user_tmp',`
 
 ########################################
 ## <summary>
+##	Search users runtime directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_search_user_runtime',`
+	gen_require(`
+		type user_runtime_t;
+	')
+
+	allow $1 user_runtime_t:dir search_dir_perms;
+	userdom_search_user_runtime_root($1)
+')
+
+########################################
+## <summary>
+##	Search user runtime root directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_search_user_runtime_root',`
+	gen_require(`
+		type user_runtime_root_t;
+	')
+
+	allow $1 user_runtime_root_t:dir search_dir_perms;
+	files_search_pids($1)
+')
+
+########################################
+## <summary>
 ##	Read and write user tmpfs files.
 ## </summary>
 ## <param name="domain">
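Review bot: the summary of the first new interface reads "Search users runtime directories."; make it "Search user runtime directories." to match the wording of the second one and of the other userdomain interfaces. The chaining itself looks right: `userdom_search_user_runtime` grants search on `user_runtime_t` and pulls in `userdom_search_user_runtime_root`, which grants search on `user_runtime_root_t` and calls `files_search_pids`, so a caller receives the full traversal path from the pid directory down to the per-user directory.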


^ permalink raw reply related	[flat|nested] 705+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2016-06-02  6:32 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2016-06-02  6:32 UTC (permalink / raw
  To: gentoo-commits

commit:     75a4146c71914a7fde5a09918baa4e54db21683d
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Jun  2 04:39:36 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Jun  2 04:39:36 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=75a4146c

userdomain: Add user runtime to gentoo-specific interfaces

 policy/modules/system/userdomain.if | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index beed625..00b9335 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -3916,5 +3916,6 @@ interface(`userdom_manage_user_tmp_chr_files',`
 	')
 
 	manage_chr_files_pattern($1, user_tmp_t, user_tmp_t)
+	userdom_search_user_runtime($1)
 	files_search_tmp($1)
 ')
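Review bot: `userdom_search_user_runtime($1)` is inserted before `files_search_tmp($1)` here, while the userdomain.if hunks earlier on this page put it after `files_search_tmp($1)`; use one order so the gentoo-specific interface reads like the upstream ones it mirrors.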


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2016-08-13 18:32 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2016-08-13 18:32 UTC (permalink / raw
  To: gentoo-commits

commit:     1c491aeedcfbcd28abb64198e73950daa74244ee
Author:     Lukas Vrabec <lvrabec <AT> redhat <DOT> com>
AuthorDate: Tue Aug  2 14:20:00 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Aug 13 18:23:03 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1c491aee

Systemd, by version 231, starts using a shared library and systemd daemons execute it. For this reason the lib_t type is needed.

 policy/modules/system/libraries.fc | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
index 85e918f..2467d45 100644
--- a/policy/modules/system/libraries.fc
+++ b/policy/modules/system/libraries.fc
@@ -149,6 +149,8 @@ ifdef(`distro_debian',`
 /usr/lib/nvidia/libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/xorg/modules/glesx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 
+/usr/lib/systemd/libsystemd-shared-[0-9]+\.so.*   --      gen_context(system_u:object_r:lib_t,s0)
+
 /usr/.*\.so(\.[^/]*)*		--	gen_context(system_u:object_r:lib_t,s0)
 /usr/lib/wine/.+\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/(sse2/)?libfame-.*\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
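Review bot: the suffix `\.so.*` is looser than the `\.so(\.[^/]*)*` form used by the surrounding entries (it would also match a name such as `libsystemd-shared-231.so-old`); use the same form here. Separately, the catch-all `/usr/.*\.so(\.[^/]*)*` rule two lines below already yields `lib_t` for this path, so the commit message should name the more specific rule this entry is meant to take precedence over; as the hunk stands, the new line looks redundant.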


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2016-08-13 18:32 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2016-08-13 18:32 UTC (permalink / raw
  To: gentoo-commits

commit:     f4a8d49072d01c9ee50e82edaec5fd39bd3d41e9
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Tue Aug  2 23:46:02 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Aug 13 18:23:03 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f4a8d490

Module version bump for user_udp_server tunable from Russell Coker.

 policy/modules/system/userdomain.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 62b5cdf..e67afee 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -1,4 +1,4 @@
-policy_module(userdomain, 4.11.2)
+policy_module(userdomain, 4.11.3)
 
 ########################################
 #


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2016-08-13 18:32 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2016-08-13 18:32 UTC (permalink / raw
  To: gentoo-commits

commit:     724b835c2a91634d237a5c9854ed773f78e58f6e
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Aug  3 00:21:24 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Aug 13 18:23:03 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=724b835c

libraries: Move libsystemd fc entry.

 policy/modules/system/libraries.fc | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
index 2467d45..2e92f7e 100644
--- a/policy/modules/system/libraries.fc
+++ b/policy/modules/system/libraries.fc
@@ -140,6 +140,7 @@ ifdef(`distro_debian',`
 /usr/lib/fglrx/.*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/libjs\.so.*		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/sse2/libx264\.so(\.[^/]*)* 	-- gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/systemd/libsystemd-shared-[0-9]+\.so.*   --      gen_context(system_u:object_r:lib_t,s0)
 /usr/lib(/.*)?/libnvidia.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib(/.*)?/nvidia_drv.*\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/nero/plug-ins/libMP3\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
@@ -149,8 +150,6 @@ ifdef(`distro_debian',`
 /usr/lib/nvidia/libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/xorg/modules/glesx\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 
-/usr/lib/systemd/libsystemd-shared-[0-9]+\.so.*   --      gen_context(system_u:object_r:lib_t,s0)
-
 /usr/.*\.so(\.[^/]*)*		--	gen_context(system_u:object_r:lib_t,s0)
 /usr/lib/wine/.+\.so	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/(sse2/)?libfame-.*\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2016-08-13 18:32 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2016-08-13 18:32 UTC (permalink / raw
  To: gentoo-commits

commit:     6cbc3eb88900314095eff8f4f99b97e2ae9126b1
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Aug  3 00:22:06 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Aug 13 18:23:03 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6cbc3eb8

libraries: Module version bump for libsystemd fc entry from Lukas Vrabec.

 policy/modules/system/libraries.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
index 0f5cd56..965841c 100644
--- a/policy/modules/system/libraries.te
+++ b/policy/modules/system/libraries.te
@@ -1,4 +1,4 @@
-policy_module(libraries, 2.12.0)
+policy_module(libraries, 2.12.1)
 
 ########################################
 #


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2016-08-13 18:32 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2016-08-13 18:32 UTC (permalink / raw
  To: gentoo-commits

commit:     ebae10c1795bdf42caa83f6daed9b0974c83146f
Author:     Russell Coker <russell <AT> coker <DOT> com <DOT> au>
AuthorDate: Wed Aug  3 05:48:19 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Aug 13 18:23:03 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ebae10c1

getattr on unlabeled blk devs

The following has been in my tree for a few years.  It allows initrc_t to stat
devices early in the boot process.

From ad46ce856a1a780cf6c3a0bb741794019e03edc2 Mon Sep 17 00:00:00 2001
From: Dominick Grift <dominick.grift <AT> gmail.com>
Date: Sat, 9 Nov 2013 10:45:09 +0100
Subject: [PATCH] init: startpar (initrc_t) gets attributes of /dev/dm-0
 (device_t) early on boot, soon later the node context is properly reset
 (debian only) init: startpar (initrc_t) gets attributes of /proc/kcore file

Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com>

 policy/modules/system/init.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 8e8c163..0d4f74a 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -568,6 +568,9 @@ userdom_read_user_home_content_files(initrc_t)
 userdom_use_user_terminals(initrc_t)
 
 ifdef(`distro_debian',`
+	kernel_getattr_core_if(initrc_t)
+
+	dev_getattr_generic_blk_files(initrc_t)
 	dev_setattr_generic_dirs(initrc_t)
 
 	fs_tmpfs_filetrans(initrc_t, initrc_var_run_t, dir)
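Review bot: the subject says "unlabeled blk devs", but `dev_getattr_generic_blk_files` grants getattr on generic `device_t` block files, which is exactly what the embedded patch describes for `/dev/dm-0 (device_t)`; no `unlabeled_t` access is added, so the subject should say "generic" rather than "unlabeled". Both new rules sit inside `ifdef(`distro_debian',`, which matches the "(debian only)" remark in the embedded subject.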


* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
@ 2016-08-13 18:35 Jason Zaman
  2016-08-13 18:32 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
  0 siblings, 1 reply; 705+ messages in thread
From: Jason Zaman @ 2016-08-13 18:35 UTC (permalink / raw
  To: gentoo-commits

commit:     f823f0571cf9bab988ac3d2fd85947b5e160c49e
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Aug  6 23:14:18 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Aug 13 18:23:03 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f823f057

Systemd units from Russell Coker.

 policy/modules/system/logging.fc     | 1 +
 policy/modules/system/logging.te     | 2 +-
 policy/modules/system/selinuxutil.fc | 1 +
 policy/modules/system/selinuxutil.te | 5 ++++-
 policy/modules/system/setrans.fc     | 2 ++
 policy/modules/system/setrans.te     | 2 +-
 6 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
index e504aec..16fd395 100644
--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
@@ -20,6 +20,7 @@
 /usr/lib/systemd/system/auditd.* -- gen_context(system_u:object_r:auditd_unit_t,s0)
 /usr/lib/systemd/system/[^/]*systemd-journal.* -- gen_context(system_u:object_r:syslogd_unit_t,s0)
 /usr/lib/systemd/systemd-journald -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+/usr/lib/systemd/system/rsyslog.*\.service -- gen_context(system_u:object_r:syslogd_unit_t,s0)
 
 /usr/sbin/klogd		--	gen_context(system_u:object_r:klogd_exec_t,s0)
 /usr/sbin/metalog	--	gen_context(system_u:object_r:syslogd_exec_t,s0)
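Review bot: the new `rsyslog.*\.service` entry is appended after the `systemd-journald` binary line instead of next to the other `/usr/lib/systemd/system/` unit entries; move it up beside the `auditd.*` and `[^/]*systemd-journal.*` lines so the unit entries stay grouped. The pattern also matches every unit whose name begins with rsyslog; if only the main service unit is intended, `rsyslog\.service` is tighter.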

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index d9737d0..3f3813f 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -1,4 +1,4 @@
-policy_module(logging, 1.23.2)
+policy_module(logging, 1.23.3)
 
 ########################################
 #

diff --git a/policy/modules/system/selinuxutil.fc b/policy/modules/system/selinuxutil.fc
index 8f0db04..771986f 100644
--- a/policy/modules/system/selinuxutil.fc
+++ b/policy/modules/system/selinuxutil.fc
@@ -33,6 +33,7 @@
 /usr/bin/newrole		--	gen_context(system_u:object_r:newrole_exec_t,s0)
 
 /usr/lib/selinux(/.*)?			gen_context(system_u:object_r:policy_src_t,s0)
+/usr/lib/systemd/system/restorecond.*\.service -- gen_context(system_u:object_r:restorecond_unit_t,s0)
 
 /usr/sbin/load_policy		--	gen_context(system_u:object_r:load_policy_exec_t,s0)
 /usr/sbin/restorecond		--	gen_context(system_u:object_r:restorecond_exec_t,s0)

diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 50015ad..4a100cd 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -1,4 +1,4 @@
-policy_module(selinuxutil, 1.20.1)
+policy_module(selinuxutil, 1.20.2)
 
 gen_require(`
 	bool secure_mode;
@@ -85,6 +85,9 @@ init_daemon_domain(restorecond_t, restorecond_exec_t)
 domain_obj_id_change_exemption(restorecond_t)
 role system_r types restorecond_t;
 
+type restorecond_unit_t;
+init_unit_file(restorecond_unit_t)
+
 type restorecond_var_run_t;
 files_pid_file(restorecond_var_run_t)
 

diff --git a/policy/modules/system/setrans.fc b/policy/modules/system/setrans.fc
index bea4629..094ef22 100644
--- a/policy/modules/system/setrans.fc
+++ b/policy/modules/system/setrans.fc
@@ -2,4 +2,6 @@
 
 /sbin/mcstransd		--	gen_context(system_u:object_r:setrans_exec_t,s0)
 
+/usr/lib/systemd/system/mcstrans.*\.service -- gen_context(system_u:object_r:setrans_unit_t,s0)
+
 /var/run/setrans(/.*)?		gen_context(system_u:object_r:setrans_var_run_t,mls_systemhigh)

diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
index 386df74..216e871 100644
--- a/policy/modules/system/setrans.te
+++ b/policy/modules/system/setrans.te
@@ -1,4 +1,4 @@
-policy_module(setrans, 1.11.0)
+policy_module(setrans, 1.11.1)
 
 gen_require(`
 	class context contains;


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2016-08-17 16:59 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2016-08-17 16:59 UTC (permalink / raw
  To: gentoo-commits

commit:     3b7b2910b3018c9b47e4b6c8463a2bb0abc903ae
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Aug 14 20:08:12 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Aug 17 16:22:44 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3b7b2910

userdomain: Fix compile errors.

 policy/modules/system/userdomain.if | 2 +-
 policy/modules/system/userdomain.te | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 534a249..f22ef9b 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -661,7 +661,7 @@ template(`userdom_common_user_template',`
 		')
 
 		optional_policy(`
-			xdm_dbus_chat($1_t)
+			xserver_dbus_chat_xdm($1_t)
 		')
 	')
 

diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index b6b6d15..9136d6b 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -1,4 +1,4 @@
-policy_module(userdomain, 4.11.4)
+policy_module(userdomain, 4.11.5)
 
 ########################################
 #


* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
@ 2016-08-17 16:59 Jason Zaman
  2016-08-17 16:59 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
  0 siblings, 1 reply; 705+ messages in thread
From: Jason Zaman @ 2016-08-17 16:59 UTC (permalink / raw
  To: gentoo-commits

commit:     814a47ac343732aacb70ae6440c3f5b4a4f479f6
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Aug 14 18:51:42 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Aug 17 16:22:44 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=814a47ac

Update the sysnetwork module to add some permissions needed by the dhcp client (another separate patch makes changes to the ifconfig part).

Create auxiliary interfaces in the ntp module.

The permission to execute restorecon/setfiles (required by the
dhclient-script script and granted in a previous version of this
patch) is not granted, as it does not break the script functioning.

Include revisions from Chris PeBenito.

Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>

 policy/modules/system/sysnetwork.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 287d2fd..c67494e 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -130,9 +130,11 @@ files_search_home(dhcpc_t)
 files_search_var_lib(dhcpc_t)
 files_dontaudit_search_locks(dhcpc_t)
 files_getattr_generic_locks(dhcpc_t)
+files_manage_var_files(dhcpc_t)
 
 fs_getattr_all_fs(dhcpc_t)
 fs_search_auto_mountpoints(dhcpc_t)
+fs_search_cgroup_dirs(dhcpc_t)
 
 term_dontaudit_use_all_ttys(dhcpc_t)
 term_dontaudit_use_all_ptys(dhcpc_t)
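Review bot: `files_manage_var_files(dhcpc_t)` grants create, write and delete on every `var_t` file under /var, which is far broader than the "some permissions needed by the dhcp client" in the message suggests; name the specific file the client needs to write and, if it lives in its own directory, give it a dedicated or existing narrower type rather than opening all of /var to a network-facing daemon. `fs_search_cgroup_dirs` and `ntp_read_conf_files` are appropriately scoped.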
@@ -227,6 +229,7 @@ optional_policy(`
 optional_policy(`
 	ntp_initrc_domtrans(dhcpc_t)
 	ntp_read_drift_files(dhcpc_t)
+	ntp_read_conf_files(dhcpc_t)
 ')
 
 optional_policy(`


* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
@ 2016-08-17 16:59 Jason Zaman
  2016-08-17 16:59 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
  0 siblings, 1 reply; 705+ messages in thread
From: Jason Zaman @ 2016-08-17 16:59 UTC (permalink / raw
  To: gentoo-commits

commit:     b1ab644ac721bca04de70d98abb9aa060e1539e4
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Aug 14 18:52:07 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Aug 17 16:22:44 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b1ab644a

Ifconfig should be able to read firmware files in /lib (i.e. some network cards need to load their firmware) and it should not audit attempts to load kernel modules directly.

Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>

 policy/modules/system/sysnetwork.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index c67494e..59541ff 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -267,6 +267,7 @@ optional_policy(`
 #
 
 allow ifconfig_t self:capability { net_raw net_admin sys_admin sys_tty_config };
+dontaudit ifconfig_t self:capability sys_module;
 allow ifconfig_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
 allow ifconfig_t self:fd use;
 allow ifconfig_t self:fifo_file rw_fifo_file_perms;
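Review bot: the message describes two changes (reading firmware files in /lib and not auditing attempts to load kernel modules), but this hunk carries only `dontaudit ifconfig_t self:capability sys_module;`. The later `Remove redundant libs_read_lib_files() for ifconfig_t` commit on this page indicates the firmware-read grant was judged already covered, so the message should be trimmed to describe what is actually committed.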


* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
@ 2016-08-17 16:59 Jason Zaman
  2016-08-17 16:59 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
  0 siblings, 1 reply; 705+ messages in thread
From: Jason Zaman @ 2016-08-17 16:59 UTC (permalink / raw
  To: gentoo-commits

commit:     c90a72dc34e6db9bd4f0c6b727491abebde69bbc
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Aug 14 18:12:50 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Aug 17 16:22:44 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c90a72dc

Allow the system user domains to chat over dbus with a few other domains (e.g. gnome session).

Thanks to Jason Zaman for pointing out the correct interface to
achieve this.

This new version fixes a typographic error in the previous version.

Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>

 policy/modules/system/userdomain.if | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 9c40ce1..f0b4778 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -620,10 +620,18 @@ template(`userdom_common_user_template',`
 		dbus_system_bus_client($1_t)
 
 		optional_policy(`
+			accountsd_dbus_chat($1_t)
+		')
+
+		optional_policy(`
 			bluetooth_dbus_chat($1_t)
 		')
 
 		optional_policy(`
+			colord_dbus_chat($1_t)
+		')
+
+		optional_policy(`
 			consolekit_dbus_chat($1_t)
 		')
 
@@ -632,6 +640,11 @@ template(`userdom_common_user_template',`
 		')
 
 		optional_policy(`
+			devicekit_dbus_chat_disk($1_t)
+			devicekit_dbus_chat_power($1_t)
+		')
+
+		optional_policy(`
 			hal_dbus_chat($1_t)
 		')
 
@@ -642,6 +655,14 @@ template(`userdom_common_user_template',`
 		optional_policy(`
 			policykit_dbus_chat($1_t)
 		')
+
+		optional_policy(`
+			rtkit_daemon_dbus_chat($1_t)
+		')
+
+		optional_policy(`
+			xdm_dbus_chat($1_t)
+		')
 	')
 
 	optional_policy(`
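Review bot: `xdm_dbus_chat` does not follow the module-prefix naming used by the other calls in this block (the xdm domain is provided by the xserver module) and the build fails on it; the `userdomain: Fix compile errors.` commit on this page replaces it with `xserver_dbus_chat_xdm($1_t)`. Use that name here so the intermediate commit compiles on its own. The remaining additions (accountsd, colord, devicekit, rtkit) follow the `<module>_dbus_chat` convention and are each wrapped in their own `optional_policy` block, as they should be.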


* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
@ 2016-08-17 16:59 Jason Zaman
  2016-08-17 16:59 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
  0 siblings, 1 reply; 705+ messages in thread
From: Jason Zaman @ 2016-08-17 16:59 UTC (permalink / raw
  To: gentoo-commits

commit:     30f16ad46a5a5ecbfd2bad13462b1cb14852057b
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Aug 14 18:52:32 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Aug 17 16:22:44 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=30f16ad4

Remove redundant libs_read_lib_files() for ifconfig_t.

 policy/modules/system/sysnetwork.te | 2 --
 1 file changed, 2 deletions(-)

diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 59541ff..2258f90 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -327,8 +327,6 @@ files_dontaudit_read_root_files(ifconfig_t)
 init_use_fds(ifconfig_t)
 init_use_script_ptys(ifconfig_t)
 
-libs_read_lib_files(ifconfig_t)
-
 logging_send_syslog_msg(ifconfig_t)
 
 miscfiles_read_localization(ifconfig_t)


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2016-10-03  6:20 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2016-10-03  6:20 UTC (permalink / raw
  To: gentoo-commits

commit:     facae736af918d3a0c96c1bf70c718babcf6f773
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Sep  7 22:02:18 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Oct  3 06:04:21 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=facae736

Module version bumps for LVM and userdomain patches from Guido Trentalancia.

 policy/modules/system/lvm.te        | 2 +-
 policy/modules/system/userdomain.te | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index c8831c6..b178770 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -1,4 +1,4 @@
-policy_module(lvm, 1.17.0)
+policy_module(lvm, 1.17.1)
 
 ########################################
 #

diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 3a97cc9..deb6a8d 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -1,4 +1,4 @@
-policy_module(userdomain, 4.11.5)
+policy_module(userdomain, 4.11.6)
 
 ########################################
 #


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2016-10-03  6:20 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2016-10-03  6:20 UTC (permalink / raw
  To: gentoo-commits

commit:     df1ee817ba489be676d93b7103101e0106cbe7ce
Author:     Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Mon Sep  5 16:58:48 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Oct  3 06:04:21 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=df1ee817

Improve tunable support for rw operations on noxattr fs / removable media

Improve the existing user domain template policy:

- better support for the "user_rw_noexattrfile" boolean (enable
  write operations on filesystems that do not support extended
  attributes, such as FAT or cdrom filesystem);
- add support for a new "user_exec_noexattrfile" boolean to
  control the execution of files from filesystems that do not
  support extended attributes (potentially dangerous);
- add support for a new "user_write_removable" boolean which
  enables write operations on removable devices (such as
  external removable USB memory, USB mobile phones, etc).

Note that devices might be removable but support extended
attributes (Linux xattr filesystems on external USB mass storage
devices), so two separate booleans are needed for optimal
configuration flexibility.

Writing to removable mass storage devices is a major cause of
leakage of confidential information, so the new boolean defaults
to false.

Disable raw access for MLS policies (thanks to Christopher
PeBenito for suggesting this).

This new version of the patch correctly includes the definitions
of the new booleans (by including the .te file differences).

Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>

 policy/modules/system/userdomain.if | 52 ++++++++++++++++++++++---------------
 policy/modules/system/userdomain.te | 17 ++++++++++++
 2 files changed, 48 insertions(+), 21 deletions(-)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index f22ef9b..12585fb 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -596,10 +596,37 @@ template(`userdom_common_user_template',`
 		dev_read_mouse($1_t)
 	')
 
+	tunable_policy(`user_rw_noexattrfile',`
+		fs_manage_noxattr_fs_files($1_t)
+		fs_manage_noxattr_fs_dirs($1_t)
+	',`
+		fs_read_noxattr_fs_files($1_t)
+	')
+
 	tunable_policy(`user_ttyfile_stat',`
 		term_getattr_all_ttys($1_t)
 	')
 
+	ifndef(`enable_mls',`
+		tunable_policy(`user_write_removable',`
+			# Read/write floppies and other removable devices
+			storage_raw_read_removable_device($1_t)
+			storage_raw_write_removable_device($1_t)
+		',`
+			# Read floppies
+			storage_raw_read_removable_device($1_t)
+		')
+	')
+
+	tunable_policy(`user_write_removable',`
+		# Read/write USB devices (e.g. external removable USB mass storage devices)
+		dev_rw_generic_usb_dev($1_t)
+	',`
+		# Read USB devices (e.g. external removable USB mass storage devices)
+		dev_read_generic_usb_dev($1_t)
+	')
+
+
 	optional_policy(`
 		alsa_home_filetrans_alsa_home($1_t, file, ".asoundrc")
 		alsa_manage_home_files($1_t)
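Review bot: `user_write_removable` is consulted twice in this hunk, once inside `ifndef(`enable_mls',` for raw removable-device access and once unconditionally for USB devices, so on an MLS build the boolean still grants `dev_rw_generic_usb_dev` even though raw writes stay disabled; either gate the USB block the same way or say so in the tunable description. The else branch of the second block hands `dev_read_generic_usb_dev` to every domain built from the common template, admin domains included; confirm that is intended. Also drop one of the two blank lines before the `optional_policy` block.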
@@ -1062,26 +1089,16 @@ template(`userdom_unpriv_user_template', `
 
 	files_exec_usr_files($1_t)
 
-	ifndef(`enable_mls',`
-		fs_exec_noxattr($1_t)
-
-		tunable_policy(`user_rw_noexattrfile',`
-			fs_manage_noxattr_fs_files($1_t)
-			fs_manage_noxattr_fs_dirs($1_t)
-			# Write floppies
-			storage_raw_read_removable_device($1_t)
-			storage_raw_write_removable_device($1_t)
-		',`
-			storage_raw_read_removable_device($1_t)
-		')
-	')
-
 	tunable_policy(`user_dmesg',`
 		kernel_read_ring_buffer($1_t)
 	',`
 		kernel_dontaudit_read_ring_buffer($1_t)
 	')
 
+	tunable_policy(`user_exec_noexattrfile',`
+		fs_exec_noxattr($1_t)
+	')
+
 	# Allow users to run TCP servers (bind to ports and accept connection from
 	# the same domain and outside users) disabling this forces FTP passive mode
 	# and may change other protocols
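Review bot: before this change `fs_exec_noxattr($1_t)` was granted only outside MLS (`ifndef(`enable_mls',`); after it, the grant depends on `user_exec_noexattrfile` alone, so an MLS build can now enable it by flipping the boolean. If MLS should keep execution from non-xattr filesystems off, wrap the new `tunable_policy` in the same ifndef. The boolean defaults to false (see the .te hunk), which changes behaviour on existing non-MLS installs where unprivileged users could previously execute from such filesystems; that deserves a mention in the release notes.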
@@ -1263,13 +1280,6 @@ template(`userdom_admin_user_template',`
 	userdom_manage_user_home_content_sockets($1_t)
 	userdom_user_home_dir_filetrans_user_home_content($1_t, { dir file lnk_file fifo_file sock_file })
 
-	tunable_policy(`user_rw_noexattrfile',`
-		fs_manage_noxattr_fs_files($1_t)
-		fs_manage_noxattr_fs_dirs($1_t)
-	',`
-		fs_read_noxattr_fs_files($1_t)
-	')
-
 	optional_policy(`
 		postgresql_unconfined($1_t)
 	')

diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 9136d6b..3a97cc9 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -43,6 +43,23 @@ gen_tunable(user_rw_noexattrfile, false)
 
 ## <desc>
 ## <p>
+## Allow user to execute files on filesystems
+## that do not have extended attributes (FAT, CDROM, FLOPPY)
+## </p>
+## </desc>
+gen_tunable(user_exec_noexattrfile, false)
+
+## <desc>
+## <p>
+## Allow user to write files on removable
+## devices (e.g. external USB memory
+## devices or floppies)
+## </p>
+## </desc>
+gen_tunable(user_write_removable, false)
+
+## <desc>
+## <p>
 ## Allow w to display everyone
 ## </p>
 ## </desc>
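Review bot: the description for `user_exec_noexattrfile` omits the risk the commit message calls out (files on filesystems without extended attributes carry no label, so executing them cannot be constrained by type); add that to the <desc> so it appears in the generated booleans documentation next to the default of false.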


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2016-10-03  6:20 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2016-10-03  6:20 UTC (permalink / raw
  To: gentoo-commits

commit:     2022bceff1d223d72e93d2a62d952f6de4d88e2d
Author:     Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Thu Sep  8 16:38:37 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Oct  3 06:04:21 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2022bcef

userdomain: introduce the user certificate file context (was miscfiles: introduce the user certificate file context)

Introduce a new file context for user certificates (user_cert_t)
located in home directories.

Introduce new auxiliary interfaces to read and manage such
files and directories.

Thanks to Christopher PeBenito for the useful suggestions that
led to this improved version of the patch.

Compared to the previous version, this patch adds the ability to
search the user home directories in the new interfaces.

Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>

 policy/modules/system/userdomain.fc |  1 +
 policy/modules/system/userdomain.if | 46 +++++++++++++++++++++++++++++++++++++
 policy/modules/system/userdomain.te |  3 +++
 3 files changed, 50 insertions(+)

diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc
index 0ec8d11..0214d21 100644
--- a/policy/modules/system/userdomain.fc
+++ b/policy/modules/system/userdomain.fc
@@ -1,5 +1,6 @@
 HOME_DIR	-d	gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
 HOME_DIR/.+		gen_context(system_u:object_r:user_home_t,s0)
+HOME_DIR/\.pki(/.*)?	gen_context(system_u:object_r:user_cert_t,s0)
 
 /tmp/gconfd-USER -d	gen_context(system_u:object_r:user_tmp_t,s0)
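Review bot: existing ~/.pki directories keep the user_home_t label until a relabel runs, because `HOME_DIR/\.pki(/.*)?` only takes effect at restorecon time while the filetrans added to userdom_manage_home_role() only covers newly created directories. The commit message should mention that home directories need a restorecon for the new type to apply.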
 

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index e353c6e..e6e434a 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -246,6 +246,9 @@ interface(`userdom_manage_home_role',`
 	# cjp: this should probably be removed:
 	allow $2 user_home_dir_t:dir { manage_dir_perms relabel_dir_perms };
 
+	userdom_manage_user_certs($2)
+	userdom_user_home_dir_filetrans($2, user_cert_t, dir, ".pki")
+
 	tunable_policy(`use_nfs_home_dirs',`
 		fs_manage_nfs_dirs($2)
 		fs_manage_nfs_files($2)
@@ -2396,6 +2399,49 @@ interface(`userdom_user_home_dir_filetrans_user_home_content',`
 
 ########################################
 ## <summary>
+##	Read user SSL certificates.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`userdom_read_user_certs',`
+	gen_require(`
+		type user_cert_t;
+	')
+
+	allow $1 user_cert_t:dir list_dir_perms;
+	read_files_pattern($1, user_cert_t, user_cert_t)
+	read_lnk_files_pattern($1, user_cert_t, user_cert_t)
+	files_search_home($1)
+')
+
+########################################
+## <summary>
+##	Manage user SSL certificates.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_manage_user_certs',`
+	gen_require(`
+		type user_cert_t;
+	')
+
+	manage_dirs_pattern($1, user_cert_t, user_cert_t)
+	manage_files_pattern($1, user_cert_t, user_cert_t)
+	manage_lnk_files_pattern($1, user_cert_t, user_cert_t)
+	files_search_home($1)
+')
+
+########################################
+## <summary>
 ##	Write to user temporary named sockets.
 ## </summary>
 ## <param name="domain">
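Review bot: `files_search_home($1)` in both new interfaces only grants search on the home root (home_root_t), not on the user's own home directory (user_home_dir_t), so a caller with no other home-directory access still cannot reach HOME_DIR/.pki; use userdom_search_user_home_dirs($1), which is what the miscfiles_manage_user_certs() body this supersedes used. Also `<rolecap/>` is present on the read interface but absent from the manage one; pick one and apply it consistently.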

diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index deb6a8d..b44dd5d 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -93,6 +93,9 @@ files_associate_tmp(user_home_t)
 files_poly_parent(user_home_t)
 files_mountpoint(user_home_t)
 
+type user_cert_t;
+userdom_user_home_content(user_cert_t)
+
 type user_devpts_t alias { staff_devpts_t sysadm_devpts_t secadm_devpts_t auditadm_devpts_t unconfined_devpts_t };
 dev_node(user_devpts_t)
 files_type(user_devpts_t)


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2016-10-03  6:20 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2016-10-03  6:20 UTC (permalink / raw
  To: gentoo-commits

commit:     ca00fbff6cea187f3b7c99ff328c0f13dffef900
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Sep  7 21:51:42 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Oct  3 06:04:21 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ca00fbff

userdomain: Move enable_mls block in userdom_common_user_template().

 policy/modules/system/userdomain.if | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 12585fb..e353c6e 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -592,6 +592,17 @@ template(`userdom_common_user_template',`
 	# to this one.
 	seutil_dontaudit_signal_newrole($1_t)
 
+	ifndef(`enable_mls',`
+		tunable_policy(`user_write_removable',`
+			# Read/write floppies and other removable devices
+			storage_raw_read_removable_device($1_t)
+			storage_raw_write_removable_device($1_t)
+		',`
+			# Read floppies
+			storage_raw_read_removable_device($1_t)
+		')
+	')
+
 	tunable_policy(`user_direct_mouse',`
 		dev_read_mouse($1_t)
 	')
@@ -607,17 +618,6 @@ template(`userdom_common_user_template',`
 		term_getattr_all_ttys($1_t)
 	')
 
-	ifndef(`enable_mls',`
-		tunable_policy(`user_write_removable',`
-			# Read/write floppies and other removable devices
-			storage_raw_read_removable_device($1_t)
-			storage_raw_write_removable_device($1_t)
-		',`
-			# Read floppies
-			storage_raw_read_removable_device($1_t)
-		')
-	')
-
 	tunable_policy(`user_write_removable',`
 		# Read/write USB devices (e.g. external removable USB mass storage devices)
 		dev_rw_generic_usb_dev($1_t)


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2016-10-03  6:20 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2016-10-03  6:20 UTC (permalink / raw
  To: gentoo-commits

commit:     f36491e2fcb14f581c49e1a5a41e1b9f9159c585
Author:     Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Mon Sep  5 17:09:37 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Oct  3 06:04:21 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f36491e2

Update the lvm module

Update the lvm module to add a permission needed by cryptsetup.

At the moment the SELinux kernel code is not able yet to distinguish
the sockets in the AF_ALG namespace that are used for interfacing to
the kernel Crypto API.

In the future the SELinux kernel code will be updated to distinguish
the new socket class and so this permission will change its class
from the generic "socket" to the new socket (e.g. "alg_socket").

Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>

 policy/modules/system/lvm.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index 2ebfe0c..c8831c6 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -179,6 +179,8 @@ allow lvm_t self:fifo_file manage_fifo_file_perms;
 allow lvm_t self:unix_dgram_socket create_socket_perms;
 allow lvm_t self:netlink_kobject_uevent_socket create_socket_perms;
 allow lvm_t self:sem create_sem_perms;
+# gt: the following is for sockets in the AF_ALG namespace (userspace interface to the kernel Crypto API)
+allow lvm_t self:socket create_stream_socket_perms;
 
 allow lvm_t self:unix_stream_socket { connectto create_stream_socket_perms };
 allow lvm_t clvmd_t:unix_stream_socket { connectto rw_socket_perms };
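Review bot: the generic `socket` class is the catch-all for every address family that has no dedicated object class, so `allow lvm_t self:socket create_stream_socket_perms;` is broader than the AF_ALG use the comment describes. Keep the comment as a marker and tighten this to the dedicated class (alg_socket) once kernel and policy support it, as the commit message anticipates.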
@@ -253,6 +255,8 @@ dev_dontaudit_getattr_generic_chr_files(lvm_t)
 dev_dontaudit_getattr_generic_blk_files(lvm_t)
 dev_dontaudit_getattr_generic_pipes(lvm_t)
 dev_create_generic_dirs(lvm_t)
+# the following one is needed by cryptsetup
+dev_getattr_fs(lvm_t)
 
 domain_use_interactive_fds(lvm_t)
 domain_read_all_domains_state(lvm_t)


* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
@ 2016-10-03  6:26 Jason Zaman
  2016-10-03  6:20 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
  0 siblings, 1 reply; 705+ messages in thread
From: Jason Zaman @ 2016-10-03  6:26 UTC (permalink / raw
  To: gentoo-commits

commit:     e057adebff1c29e23b319ea8adf5336b102bca64
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Sep 18 20:41:47 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Oct  3 06:04:21 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e057adeb

Module version bump for selinuxutil fix from Jason Zaman.

 policy/modules/system/selinuxutil.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 98d7840..e162290 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -1,4 +1,4 @@
-policy_module(selinuxutil, 1.20.2)
+policy_module(selinuxutil, 1.20.3)
 
 gen_require(`
 	bool secure_mode;


* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
@ 2016-10-03  6:26 Jason Zaman
  2016-10-03  6:20 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
  0 siblings, 1 reply; 705+ messages in thread
From: Jason Zaman @ 2016-10-03  6:26 UTC (permalink / raw
  To: gentoo-commits

commit:     90909b138975c956acff4d6d6abcd63003ed5b3b
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Thu Sep  8 23:17:31 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Oct  3 06:04:21 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=90909b13

Additional change from Guido Trentalancia related to evolution.

 policy/modules/system/userdomain.if | 22 ++++++++++++++++++++++
 policy/modules/system/userdomain.te |  2 +-
 2 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index e6e434a..bf78a2b 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -2421,6 +2421,28 @@ interface(`userdom_read_user_certs',`
 
 ########################################
 ## <summary>
+##	Do not audit attempts to manage
+##	the user SSL certificates.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`userdom_dontaudit_manage_user_certs',`
+	gen_require(`
+		type user_cert_t;
+	')
+
+	dontaudit $1 user_cert_t:dir manage_dir_perms;
+	dontaudit $1 user_cert_t:file manage_file_perms;
+	dontaudit $1 user_cert_t:lnk_file manage_file_perms;
+')
+
+########################################
+## <summary>
 ##	Manage user SSL certificates.
 ## </summary>
 ## <param name="domain">
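Review bot: `<rolecap/>` on a dontaudit interface is misleading, since that tag marks interfaces that grant role capabilities and this one grants nothing; drop it. Minor: `lnk_file manage_file_perms` should be `manage_lnk_file_perms`, matching the manage_lnk_files_pattern() used in userdom_manage_user_certs().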

diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index b44dd5d..c9774a1 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -1,4 +1,4 @@
-policy_module(userdomain, 4.11.6)
+policy_module(userdomain, 4.11.7)
 
 ########################################
 #


* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
@ 2016-10-03  6:26 Jason Zaman
  2016-10-03  6:20 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
  0 siblings, 1 reply; 705+ messages in thread
From: Jason Zaman @ 2016-10-03  6:26 UTC (permalink / raw
  To: gentoo-commits

commit:     c7941d5608f8aadd8be1cdda6abff4084b2e094e
Author:     Jason Zaman via refpolicy <refpolicy <AT> oss <DOT> tresys <DOT> com>
AuthorDate: Sun Sep 18 06:38:31 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Oct  3 06:04:21 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c7941d56

selinuxutil: allow setfiles to read semanage store

commit a7334eb0de98af11ec38b6263536fa01bc2a606c
libsemanage: validate and compile file contexts before installing

validates the fcontexts when they are still in /var/lib/selinux. Without
setfiles_t having access to read the files, validation fails and the
policy cannot be updated.

 policy/modules/system/selinuxutil.if | 23 +++++++++++++++++++++++
 policy/modules/system/selinuxutil.te |  1 +
 2 files changed, 24 insertions(+)

diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
index b4c70a3..a8221f0 100644
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
@@ -1107,6 +1107,29 @@ interface(`seutil_run_semanage',`
 
 ########################################
 ## <summary>
+##	Read the semanage module store.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`seutil_read_module_store',`
+	gen_require(`
+		type selinux_config_t, semanage_store_t;
+	')
+
+	files_search_etc($1)
+	files_search_var($1)
+	list_dirs_pattern($1, selinux_config_t, semanage_store_t)
+	list_dirs_pattern($1, semanage_store_t, semanage_store_t)
+	read_files_pattern($1, semanage_store_t, semanage_store_t)
+	read_lnk_files_pattern($1, semanage_store_t, semanage_store_t)
+')
+
+########################################
+## <summary>
 ##	Full management of the semanage
 ##	module store.
 ## </summary>
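Review bot: the summary says "Read the semanage module store" but the interface also grants list on selinux_config_t directories (needed to traverse /etc/selinux to a store kept under it) and read on every file in the store, not only the file contexts being validated; say so in the summary so callers see the full scope of what they are granting.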

diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 4a100cd..98d7840 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -597,6 +597,7 @@ logging_send_syslog_msg(setfiles_t)
 miscfiles_read_localization(setfiles_t)
 
 seutil_libselinux_linked(setfiles_t)
+seutil_read_module_store(setfiles_t)
 
 userdom_use_all_users_fds(setfiles_t)
 # for config files in a home directory


* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/system/
@ 2016-10-24 15:45 Sven Vermeulen
  2016-10-24 16:02 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
  0 siblings, 1 reply; 705+ messages in thread
From: Sven Vermeulen @ 2016-10-24 15:45 UTC (permalink / raw
  To: gentoo-commits

commit:     385048b24a6639c4a51573409f2b4c42692827b3
Author:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
AuthorDate: Sat Oct 10 12:08:03 2015 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 24 15:45:30 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=385048b2

Manage tun/tap interfaces

We need the relabelfrom/relabelto rights, otherwise tun/tap interface
activities fail:

~# tunctl -d tap0
TUNSETIFF: Permission denied

 policy/modules/system/userdomain.if | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index bf78a2b..1572b51 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1300,6 +1300,9 @@ template(`userdom_admin_user_template',`
 		seutil_relabelto_bin_policy($1_t)
 		# allow to manage chr_files in user_tmp (for initrd's)
 		userdom_manage_user_tmp_chr_files($1_t)
+		# allow managing tun/tap interfaces (labeling)
+		# without this operations such as tunctl -d tap0 result in a TUNSETIFF: Device or resource busy
+		allow $1_t self:tun_socket { relabelfrom relabelto };
 	')
 ')
 
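Review bot: the code comment claims `tunctl -d tap0` fails with "TUNSETIFF: Device or resource busy", while the commit message shows "TUNSETIFF: Permission denied"; make the comment match the actual denial so that anyone correlating it with audit logs finds the right symptom.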


* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/system/
@ 2016-10-24 16:47 Sven Vermeulen
  2016-10-24 16:56 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
  0 siblings, 1 reply; 705+ messages in thread
From: Sven Vermeulen @ 2016-10-24 16:47 UTC (permalink / raw
  To: gentoo-commits

commit:     64da9c74ec1c09833fc0537479c8d3298f09dd88
Author:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
AuthorDate: Mon Oct 24 16:33:17 2016 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 24 16:33:17 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=64da9c74

Introduce userdom_user_home_dir_filetrans_user_cert

The userdom_user_home_dir_filetrans_user_cert interface can be assigned
to SELinux policies for domains that create the necessary user
directories, such as ~/.pki.

This interface will need to be upstreamed later though (we currently
need it already because we have end-user domains that other
distributions generally keep in the user domain).

 policy/modules/system/userdomain.if | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 1572b51..7c0d914 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -4026,3 +4026,32 @@ interface(`userdom_manage_user_tmp_chr_files',`
 	userdom_search_user_runtime($1)
 	files_search_tmp($1)
 ')
+
+########################################
+## <summary>
+##	Automatically use the cert_home_t label for selected resources
+##	created in a users home directory
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+## <param name="class">
+##	<summary>
+##	Resource type(s) for which the label should be used
+##	</summary>
+## </param>
+## <param name="filename" optional="true">
+##	<summary>
+##	Name of the resource that is being created
+##	</summary>
+## </param>
+#
+interface(`userdom_user_home_dir_filetrans_user_cert',`
+	gen_require(`
+		type user_cert_t;
+	')
+
+	userdom_user_home_dir_filetrans($1, user_cert_t, $2, $3)
+')
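Review bot: the summary refers to cert_home_t, but the interface requires and uses user_cert_t; fix the doc text (the follow-up commit "Fix documentation for userdom_user_home_dir_filetrans_user_cert" does exactly this).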


* [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/system/
@ 2016-10-24 16:56 Sven Vermeulen
  2016-10-24 16:56 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
  0 siblings, 1 reply; 705+ messages in thread
From: Sven Vermeulen @ 2016-10-24 16:56 UTC (permalink / raw
  To: gentoo-commits

commit:     5ec059a3f5ae282f6a3fd355788563a8714b8430
Author:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
AuthorDate: Mon Oct 24 16:49:13 2016 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 24 16:49:13 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5ec059a3

Fix documentation for userdom_user_home_dir_filetrans_user_cert

 policy/modules/system/userdomain.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 879ab82..666292e 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -4027,7 +4027,7 @@ interface(`userdom_manage_user_tmp_chr_files',`
 
 ########################################
 ## <summary>
-##	Automatically use the cert_home_t label for selected resources
+##	Automatically use the user_cert_t label for selected resources
 ##	created in a users home directory
 ## </summary>
 ## <param name="domain">


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2016-10-24 16:56 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2016-10-24 16:56 UTC (permalink / raw
  To: gentoo-commits

commit:     7802f6b2a69eefd11feb78859d2feb58be59a99b
Author:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
AuthorDate: Mon Oct 24 16:41:27 2016 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 24 16:41:27 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7802f6b2

Switch from cert_home_t to user_cert_t

The type for user home certificate directories (and files) is
user_cert_t. Remove all references to its code, and instead use the new
type.

Keep an alias at hand for third party SELinux policy modules though.

 policy/modules/system/miscfiles.fc  |  2 --
 policy/modules/system/miscfiles.if  | 40 ++-----------------------------------
 policy/modules/system/miscfiles.te  |  7 -------
 policy/modules/system/userdomain.if |  2 --
 policy/modules/system/userdomain.te |  7 +++++++
 5 files changed, 9 insertions(+), 49 deletions(-)

diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
index be0b6a1..42ac30b 100644
--- a/policy/modules/system/miscfiles.fc
+++ b/policy/modules/system/miscfiles.fc
@@ -103,8 +103,6 @@ ifdef(`distro_redhat',`
 /var/spool/postfix/etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
 ')
 
-HOME_DIR/.pki(/.*)?		gen_context(system_u:object_r:cert_home_t,s0)
-
 ifdef(`distro_gentoo',`
 /etc/fonts(/.*)?	gen_context(system_u:object_r:fonts_t,s0)
 ')

diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
index 63ed47f..93e6acb 100644
--- a/policy/modules/system/miscfiles.if
+++ b/policy/modules/system/miscfiles.if
@@ -97,15 +97,8 @@ interface(`miscfiles_read_generic_certs',`
 ## </param>
 #
 interface(`miscfiles_manage_user_certs',`
-	gen_require(`
-		type cert_home_t;
-	')
-
-	manage_dirs_pattern($1, cert_home_t, cert_home_t)
-	manage_files_pattern($1, cert_home_t, cert_home_t)
-	manage_lnk_files_pattern($1, cert_home_t, cert_home_t)
-
-	userdom_search_user_home_dirs($1)
+	userdom_manage_user_certs($1)
+	refpolicywarn(`$0() has been deprecated, please use userdom_manage_user_certs() instead.')
 ')
 
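Review bot: the deprecation shim changes behaviour: the removed body granted `userdom_search_user_home_dirs($1)` (search on user_home_dir_t), while userdom_manage_user_certs() only calls files_search_home(), so existing callers that relied on this interface for home-directory traversal may start seeing denials. Restore the search here, or add it to userdom_manage_user_certs().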
 ########################################
@@ -213,35 +206,6 @@ interface(`miscfiles_manage_cert_files',`
 
 ########################################
 ## <summary>
-##	Automatically use the cert_home_t label for selected resources created
-##	in a users home directory
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access
-##	</summary>
-## </param>
-## <param name="class">
-##	<summary>
-##	Resource type(s) for which the label should be used
-##	</summary>
-## </param>
-## <param name="filename" optional="true">
-##	<summary>
-##	Name of the resource that is being created
-##	</summary>
-## </param>
-#
-interface(`miscfiles_user_home_dir_filetrans_cert_home',`
-	gen_require(`
-		type cert_home_t;
-	')
-
-	userdom_user_home_dir_filetrans($1, cert_home_t, $2, $3)
-')
-
-########################################
-## <summary>
 ##	Read fonts.
 ## </summary>
 ## <param name="domain">
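Review bot: miscfiles_user_home_dir_filetrans_cert_home() is removed outright, whereas miscfiles_manage_user_certs() got a refpolicywarn() shim; third-party modules that call it will fail to build despite the cert_home_t alias. Add a matching deprecated wrapper that calls userdom_user_home_dir_filetrans_user_cert().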

diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te
index 246ac6a..85a29e3 100644
--- a/policy/modules/system/miscfiles.te
+++ b/policy/modules/system/miscfiles.te
@@ -14,13 +14,6 @@ type cert_t;
 miscfiles_cert_type(cert_t)
 
 #
-# cert_home_t is the type of files in the users' home directories.
-#
-type cert_home_t;
-miscfiles_cert_type(cert_home_t)
-userdom_user_home_content(cert_home_t)
-
-#
 # fonts_t is the type of various font
 # files in /usr
 #
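Review bot: cert_home_t carried miscfiles_cert_type(), but user_cert_t (declared in userdomain.te with only userdom_user_home_content()) does not, so domains that rely on the cert-type attribute interfaces (for example miscfiles_read_all_certs()) lose access to user certificates with this switch. Decide whether user_cert_t should also be marked as a cert type.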

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 7c0d914..879ab82 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -272,8 +272,6 @@ interface(`userdom_manage_home_role',`
 	')
 
 	ifdef(`distro_gentoo',`
-		miscfiles_manage_user_certs($2)
-		miscfiles_relabel_user_certs($2)
 
 		optional_policy(`
 			flash_manage_home($2)
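Review bot: this drops miscfiles_relabel_user_certs($2) from the Gentoo block without a replacement; userdom_manage_home_role() now only gains manage rights via userdom_manage_user_certs($2), so user roles lose the ability to relabel ~/.pki. Add userdom_relabel_user_certs($2) here once that interface exists (it is introduced in a later commit in this series).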

diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 0b0eb60..94b068e 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -128,3 +128,10 @@ files_poly(user_runtime_t)
 files_poly_member(user_runtime_t)
 files_poly_parent(user_runtime_t)
 ubac_constrained(user_runtime_t)
+
+ifdef(`distro_gentoo',`
+	# We used to use cert_home_t but an upstream commit introduced the same
+	# concept as user_cert_t. Enabling an alias to keep custom modules from
+	# users running.
+	type user_cert_t alias cert_home_t;
+')
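Review bot: `type user_cert_t alias cert_home_t;` redeclares user_cert_t, which is already declared earlier in this file, so this is a duplicate type declaration; `typealias user_cert_t alias cert_home_t;` is the correct form (the follow-up commit "Duplicate type declaration, switch to typealias" makes that change).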


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2016-10-24 16:56 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2016-10-24 16:56 UTC (permalink / raw
  To: gentoo-commits

commit:     45d45937e484dfec4a7abcf67dc1d95d2fb267f2
Author:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
AuthorDate: Mon Oct 24 16:45:01 2016 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 24 16:45:01 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=45d45937

Swap documentation for two interfaces

 policy/modules/system/miscfiles.if | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
index 93e6acb..d89c7c0 100644
--- a/policy/modules/system/miscfiles.if
+++ b/policy/modules/system/miscfiles.if
@@ -787,8 +787,7 @@ interface(`miscfiles_read_test_files',`
 
 ########################################
 ## <summary>
-##	Create files in etc directories
-##	with localization file type.
+##	Execute test files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -807,7 +806,8 @@ interface(`miscfiles_exec_test_files',`
 
 ########################################
 ## <summary>
-##	Execute test files.
+##	Create files in etc directories
+##	with localization file type.
 ## </summary>
 ## <param name="domain">
 ##	<summary>


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2016-10-24 16:56 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2016-10-24 16:56 UTC (permalink / raw
  To: gentoo-commits

commit:     d95d8f98194fb82bcd0afba3ce09893911a3f146
Author:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
AuthorDate: Mon Oct 24 16:55:07 2016 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 24 16:55:07 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d95d8f98

Move miscfiles_relabel_user_certs to userdom_relabel_user_certs

 policy/modules/system/miscfiles.if  | 11 +++--------
 policy/modules/system/userdomain.if | 23 +++++++++++++++++++++++
 2 files changed, 26 insertions(+), 8 deletions(-)

diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
index d89c7c0..5b9a810 100644
--- a/policy/modules/system/miscfiles.if
+++ b/policy/modules/system/miscfiles.if
@@ -103,7 +103,7 @@ interface(`miscfiles_manage_user_certs',`
 
 ########################################
 ## <summary>
-##	Relabel from/to cert_home_t (user-managed SSL certificates)
+##	Relabel from/to user_cert_t (user-managed SSL certificates)
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -112,13 +112,8 @@ interface(`miscfiles_manage_user_certs',`
 ## </param>
 #
 interface(`miscfiles_relabel_user_certs',`
-	gen_require(`
-		type cert_home_t;
-	')
-
-	relabel_dirs_pattern($1, cert_home_t, cert_home_t)
-	relabel_files_pattern($1, cert_home_t, cert_home_t)
-	relabel_lnk_files_pattern($1, cert_home_t, cert_home_t)
+	userdom_relabel_user_certs($1)
+	refpolicywarn(`$0() has been deprecated, please use userdom_relabel_user_certs() instead.')
 ')
 
 ########################################

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 666292e..c4bef2b 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -4053,3 +4053,26 @@ interface(`userdom_user_home_dir_filetrans_user_cert',`
 
 	userdom_user_home_dir_filetrans($1, user_cert_t, $2, $3)
 ')
+
+########################################
+## <summary>
+##	Allow relabeling resources to user_cert_t
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+#
+
+interface(`userdom_relabel_user_certs',`
+	gen_require(`
+		type user_cert_t;
+	')
+
+	relabel_dirs_pattern($1, user_cert_t, user_cert_t)
+	relabel_files_pattern($1, user_cert_t, user_cert_t)
+	relabel_lnk_files_pattern($1, user_cert_t, user_cert_t)
+	relabel_sock_files_pattern($1, user_cert_t, user_cert_t)
+	relabel_fifo_files_pattern($1, user_cert_t, user_cert_t)
+')
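Review bot: the blank line between the closing `#` of the doc block and the `interface(` line breaks the refpolicy documentation convention (the comment block must immediately precede the interface for the doc extractor to attach it); remove it. Note also that this version relabels sock_file and fifo_file in addition to dirs, files and symlinks, which the deprecated miscfiles_relabel_user_certs() did not; the summary should mention the wider scope.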


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2016-10-24 17:00 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2016-10-24 17:00 UTC (permalink / raw
  To: gentoo-commits

commit:     db3d43d0b52fc05b6bd36f6b887e84799a147ce4
Author:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
AuthorDate: Mon Oct 24 17:00:46 2016 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Oct 24 17:00:46 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=db3d43d0

Duplicate type declaration, switch to typealias

 policy/modules/system/userdomain.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 94b068e..d147a56 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -133,5 +133,5 @@ ifdef(`distro_gentoo',`
 	# We used to use cert_home_t but an upstream commit introduced the same
 	# concept as user_cert_t. Enabling an alias to keep custom modules from
 	# users running.
-	type user_cert_t alias cert_home_t;
+	typealias user_cert_t alias cert_home_t;
 ')


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2016-12-06 12:26 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2016-12-06 12:26 UTC (permalink / raw
  To: gentoo-commits

commit:     413d913dee884ea80815487287919e16b7387039
Author:     Guido Trentalancia via refpolicy <refpolicy <AT> oss <DOT> tresys <DOT> com>
AuthorDate: Sat Oct 29 16:08:18 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Nov 27 16:04:59 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=413d913d

Let unprivileged users list mounted filesystems

Let unprivileged users list filesystems mounted on mount points such
as /mnt (cdrom, FAT, NTFS and so on).

This makes a great difference to the usability and effectiveness of
graphical filesystem browsers such as Gnome Nautilus and currently
comes at no security penalty because mounted filesystems can be
listed with programs such as the "df" program from GNU coreutils or
by simply reading /proc/mounts.

Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>

 policy/modules/system/userdomain.if | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index e933890..6fb46be 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -552,8 +552,8 @@ template(`userdom_common_user_template',`
 
 	files_exec_etc_files($1_t)
 	files_search_locks($1_t)
-	# Check to see if cdrom is mounted
-	files_search_mnt($1_t)
+	# List mounted filesystems (cdrom, FAT, NTFS and so on)
+	files_list_mnt($1_t)
 	# cjp: perhaps should cut back on file reads:
 	files_read_var_files($1_t)
 	files_read_var_symlinks($1_t)


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2016-12-06 12:26 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2016-12-06 12:26 UTC (permalink / raw
  To: gentoo-commits

commit:     8fad664ca60249f1eefd1344de33361f1501b14f
Author:     Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Sun Nov 27 13:59:48 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Nov 27 15:11:32 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8fad664c

modutils.te: Temporarily remove custom gentoo changes

 policy/modules/system/modutils.te | 25 -------------------------
 1 file changed, 25 deletions(-)

diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index 4436336..de34ed4 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -89,10 +89,6 @@ tunable_policy(`use_samba_home_dirs',`
 ')
 
 optional_policy(`
-	dracut_rw_tmp_files(depmod_t)
-')
-
-optional_policy(`
 	rpm_rw_pipes(depmod_t)
 	rpm_manage_script_tmp_files(depmod_t)
 ')
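Review bot: the optional_policy block being removed here, dracut_rw_tmp_files(depmod_t), sits outside any ifdef(`distro_gentoo') guard, so it is not obviously one of the "custom gentoo changes" the subject names. If it is Gentoo-specific, the commit message should say so; otherwise dropping it silently loses depmod's access to dracut temporary files with no record of why.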
@@ -338,24 +334,3 @@ ifdef(`distro_ubuntu',`
 		unconfined_domain(update_modules_t)
 	')
 ')
-
-ifdef(`distro_gentoo',`
-	############################
-	#
-	# insmod_t 
-	#
-
-	# During "make modules_install" insmod removes old/previous deps
-	delete_files_pattern(insmod_t, modules_object_t, modules_dep_t)
-	# During "make modules_install" temp files created by admin
-	# that invoked the command are later used by kmod.
-	userdom_manage_user_tmp_files(insmod_t)
-	userdom_manage_user_tmp_dirs(insmod_t)
-
-	# Needed to support signed kernel modules (to find key in modsign_keyring)
-	kernel_search_key(insmod_t)
-
-	files_list_src(insmod_t)
-	files_manage_src_files(insmod_t)
-	files_manage_kernel_modules(insmod_t)
-')
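Review bot: this block is the only place granting delete_files_pattern(insmod_t, modules_object_t, modules_dep_t) and kernel_search_key(insmod_t), both with explanatory comments ("make modules_install" cleanup and signed-module keyring lookup). A commit that describes itself as a temporary removal should list these rules explicitly so that whoever re-adds the block does not drop them by accident.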


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2016-12-06 12:26 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2016-12-06 12:26 UTC (permalink / raw
  To: gentoo-commits

commit:     0414c36887ffeb0ee442ac0d91e73a9637ebb528
Author:     Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Sun Nov 27 15:34:13 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Nov 27 16:21:20 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0414c368

system/modutils: Add kernel_search_key(kmod_t)

This permission is currently granted in an ifdef(systemd) block, but
it's also required on non-systemd systems if signed kernel modules are
being used.

 policy/modules/system/modutils.te | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index 401f5c9..87e71d9 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -111,9 +111,9 @@ userdom_dontaudit_search_user_home_dirs(kmod_t)
 
 kernel_domtrans_to(kmod_t, kmod_exec_t)
 
-ifdef(`init_systemd',`
-	kernel_search_key(kmod_t)
+kernel_search_key(kmod_t)
 
+ifdef(`init_systemd',`
 	init_rw_stream_sockets(kmod_t)
 
 	systemd_write_kmod_files(kmod_t)


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2016-12-06 12:26 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2016-12-06 12:26 UTC (permalink / raw
  To: gentoo-commits

commit:     53ab258ab97b3fda22509e190aca69e2f15e4630
Author:     Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Sun Nov 27 16:00:43 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Nov 27 16:05:00 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=53ab258a

modutils.te: Adjustment for compatibility with our tmpfiles policy

 policy/modules/system/modutils.fc | 2 +-
 policy/modules/system/modutils.te | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/policy/modules/system/modutils.fc b/policy/modules/system/modutils.fc
index 7adbbd7..1fda13f 100644
--- a/policy/modules/system/modutils.fc
+++ b/policy/modules/system/modutils.fc
@@ -23,4 +23,4 @@ ifdef(`distro_gentoo',`
 /sbin/update-modules	--	gen_context(system_u:object_r:kmod_exec_t,s0)
 
 /usr/bin/kmod		--	gen_context(system_u:object_r:kmod_exec_t,s0)
-/var/run/tmpfiles.d(/.*)?	gen_context(system_u:object_r:kmod_var_run_t,s0)
+/var/run/tmpfiles\.d/kmod\.conf -- gen_context(system_u:object_r:kmod_var_run_t,s0)

diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index b516d99..401f5c9 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -198,4 +198,8 @@ ifdef(`distro_gentoo',`
 	files_list_src(kmod_t)
 	files_manage_src_files(kmod_t)
 	files_manage_kernel_modules(kmod_t)
+
+	# for /run/tmpfiles.d/kmod.conf
+	tmpfiles_create_var_run_files(kmod_t)
+	filetrans_add_pattern(kmod_t, tmpfiles_var_run_t, kmod_var_run_t, file)
 ')
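Review bot: the filetrans_add_pattern rule at the end of the hunk applies to every file kmod_t creates in a tmpfiles_var_run_t directory, while the matching .fc entry only labels kmod.conf; any other file kmod_t drops there would get kmod_var_run_t at creation and then tmpfiles_var_run_t on the next restorecon. Passing the file name as the optional fifth argument, `filetrans_add_pattern(kmod_t, tmpfiles_var_run_t, kmod_var_run_t, file, "kmod.conf")`, keeps the transition and the file context consistent.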


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2016-12-06 12:26 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2016-12-06 12:26 UTC (permalink / raw
  To: gentoo-commits

commit:     15b931e08acd789f7fc9bdf35c8866a263a8417b
Author:     Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Sun Nov 27 15:06:24 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Nov 27 16:05:00 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=15b931e0

modutils.te: Re-add custom gentoo changes

TODO: Check if we indeed still need those permissions.

 policy/modules/system/modutils.te | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index 3bf9bff..b516d99 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -180,3 +180,22 @@ optional_policy(`
 	xserver_getattr_log(kmod_t)
 ')
 
+optional_policy(`
+	dracut_rw_tmp_files(kmod_t)
+')
+
+ifdef(`distro_gentoo',`
+	############################
+	#
+	# insmod_t
+	#
+
+	# During "make modules_install" temp files created by admin
+	# that invoked the command are later used by kmod.
+	userdom_manage_user_tmp_files(kmod_t)
+	userdom_manage_user_tmp_dirs(kmod_t)
+
+	files_list_src(kmod_t)
+	files_manage_src_files(kmod_t)
+	files_manage_kernel_modules(kmod_t)
+')
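Review bot: the section header comment inside the re-added ifdef(`distro_gentoo') block still reads "insmod_t", but every rule in it targets kmod_t (insmod_t survives only as an alias); update the header. Compared with the block removed earlier, this re-add also leaves out the delete_files_pattern on modules_dep_t and kernel_search_key(insmod_t); the TODO in the commit message should name those two so the open question is concrete rather than "those permissions".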


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2016-12-06 13:39 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2016-12-06 13:39 UTC (permalink / raw
  To: gentoo-commits

commit:     b40edf6a92608a7e0bb13981b79bf3cb1eab4fc8
Author:     cgzones <cgzones <AT> googlemail <DOT> com>
AuthorDate: Sun Dec  4 16:29:17 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Dec  6 12:39:33 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b40edf6a

define filecontext for /run/agetty.reload

 policy/modules/system/getty.fc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/getty.fc b/policy/modules/system/getty.fc
index e1a1848..7bea727 100644
--- a/policy/modules/system/getty.fc
+++ b/policy/modules/system/getty.fc
@@ -7,6 +7,7 @@
 /var/log/vgetty\.log\..* --	gen_context(system_u:object_r:getty_log_t,s0)
 
 /var/run/mgetty\.pid.*	--	gen_context(system_u:object_r:getty_var_run_t,s0)
+/var/run/agetty\.reload	--	gen_context(system_u:object_r:getty_var_run_t,s0)
 
 /var/spool/fax(/.*)?		gen_context(system_u:object_r:getty_var_run_t,s0)
 /var/spool/voice(/.*)?		gen_context(system_u:object_r:getty_var_run_t,s0)


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2016-12-06 13:39 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2016-12-06 13:39 UTC (permalink / raw
  To: gentoo-commits

commit:     cbcab29a1675e9c599a8362a793624c347b18e51
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Dec  4 18:30:54 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Dec  6 12:39:33 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=cbcab29a

Module version bumps for patches from cgzones.

 policy/modules/system/getty.te      | 2 +-
 policy/modules/system/sysnetwork.te | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
index 05c6413..b2358ba 100644
--- a/policy/modules/system/getty.te
+++ b/policy/modules/system/getty.te
@@ -1,4 +1,4 @@
-policy_module(getty, 1.11.0)
+policy_module(getty, 1.11.1)
 
 ########################################
 #

diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index c5082dc..f2964fc 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -1,4 +1,4 @@
-policy_module(sysnetwork, 1.19.0)
+policy_module(sysnetwork, 1.19.1)
 
 ########################################
 #


* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
@ 2016-12-06 14:24 Jason Zaman
  2016-12-06 13:39 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
  0 siblings, 1 reply; 705+ messages in thread
From: Jason Zaman @ 2016-12-06 14:24 UTC (permalink / raw
  To: gentoo-commits

commit:     4745a1435bfff911b6b37c15351ed745923329bc
Author:     cgzones <cgzones <AT> googlemail <DOT> com>
AuthorDate: Sun Dec  4 16:34:11 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Dec  6 12:39:33 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4745a143

allow dhcp_t to domtrans into avahi

#============= dhcpc_t ==============
# audit(1459860992.664:6):
#  scontext="system_u:system_r:dhcpc_t:s0" tcontext="system_u:object_r:avahi_exec_t:s0"
#  class="file" perms="execute_no_trans"
#  comm="dhclient-script" exe="" path=""
#  message="/var/log/syslog.2.gz:Apr  5 14:56:32 debianSe kernel: [    4.830761]
#   audit: type=1400 audit(1459860992.664:6): avc:  denied  { execute_no_trans }
#   for  pid=412 comm="dhclient-script" path="/usr/sbin/avahi-autoipd" dev="sda1"
#   ino=140521 scontext=system_u:system_r:dhcpc_t:s0
#   tcontext=system_u:object_r:avahi_exec_t:s0 tclass=file permissive=1 "
# audit(1454514879.616:134):
#  scontext="system_u:system_r:dhcpc_t:s0" tcontext="system_u:object_r:avahi_exec_t:s0"
#  class="file" perms="execute_no_trans"
#  comm="dhclient-script" exe="" path=""
#  message="/var/log/syslog.5.gz:Feb  3 16:54:39 debianSe kernel: [   13.237496]
#   audit: type=1400 audit(1454514879.616:134): avc:  denied  { execute_no_trans
#   } for  pid=464 comm="dhclient-script" path="/usr/sbin/avahi-autoipd"
#   dev="sda1" ino=140521 scontext=system_u:system_r:dhcpc_t
#   tcontext=system_u:object_r:avahi_exec_t tclass=file permissive=1 "
allow dhcpc_t avahi_exec_t:file execute_no_trans;
# audit(1459860992.660:4):
#  scontext="system_u:system_r:dhcpc_t:s0" tcontext="system_u:object_r:avahi_exec_t:s0"
#  class="file" perms="execute"
#  comm="dhclient-script" exe="" path=""
#  message="/var/log/syslog.2.gz:Apr  5 14:56:32 debianSe kernel: [    4.827312]
#   audit: type=1400 audit(1459860992.660:4): avc:  denied  { execute } for
#   pid=412 comm="dhclient-script" name="avahi-autoipd" dev="sda1" ino=140521
#   scontext=system_u:system_r:dhcpc_t:s0
#   tcontext=system_u:object_r:avahi_exec_t:s0 tclass=file permissive=1 "
# audit(1459860992.664:5):
#  scontext="system_u:system_r:dhcpc_t:s0" tcontext="system_u:object_r:avahi_exec_t:s0"
#  class="file" perms="{ read open }"
#  comm="dhclient-script" exe="" path=""
#  message="/var/log/syslog.2.gz:Apr  5 14:56:32 debianSe kernel: [    4.829009]
#   audit: type=1400 audit(1459860992.664:5): avc:  denied  { read open } for
#   pid=412 comm="dhclient-script" path="/usr/sbin/avahi-autoipd" dev="sda1"
#   ino=140521 scontext=system_u:system_r:dhcpc_t:s0
#   tcontext=system_u:object_r:avahi_exec_t:s0 tclass=file permissive=1 "
# audit(1454514879.616:132):
#  scontext="system_u:system_r:dhcpc_t:s0" tcontext="system_u:object_r:avahi_exec_t:s0"
#  class="file" perms="execute"
#  comm="dhclient-script" exe="" path=""
#  message="/var/log/syslog.5.gz:Feb  3 16:54:39 debianSe kernel: [   13.237297]
#   audit: type=1400 audit(1454514879.616:132): avc:  denied  { execute } for
#   pid=464 comm="dhclient-script" name="avahi-autoipd" dev="sda1" ino=140521
#   scontext=system_u:system_r:dhcpc_t tcontext=system_u:object_r:avahi_exec_t
#   tclass=file permissive=1 "
# audit(1454514879.616:133):
#  scontext="system_u:system_r:dhcpc_t:s0" tcontext="system_u:object_r:avahi_exec_t:s0"
#  class="file" perms="{ read open }"
#  comm="dhclient-script" exe="" path=""
#  message="/var/log/syslog.5.gz:Feb  3 16:54:39 debianSe kernel: [   13.237309]
#   audit: type=1400 audit(1454514879.616:133): avc:  denied  { read open } for
#   pid=464 comm="dhclient-script" path="/usr/sbin/avahi-autoipd" dev="sda1"
#   ino=140521 scontext=system_u:system_r:dhcpc_t
#   tcontext=system_u:object_r:avahi_exec_t tclass=file permissive=1 "
#!!!! This avc is allowed in the current policy
allow dhcpc_t avahi_exec_t:file { read execute open };

 policy/modules/system/sysnetwork.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 4bed58a..c5082dc 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -173,6 +173,10 @@ ifdef(`init_systemd',`
 ')
 
 optional_policy(`
+	avahi_domtrans(dhcpc_t)
+')
+
+optional_policy(`
 	consoletype_run(dhcpc_t, dhcpc_roles)
 ')
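Review bot: avahi_domtrans(dhcpc_t) is the right choice over the raw `allow dhcpc_t avahi_exec_t:file execute_no_trans` that audit2allow proposed in the commit message, since it runs avahi-autoipd in the avahi domain instead of widening dhcpc_t to execute it in place. One documentation nit: the subject says dhcp_t, but the domain changed here is dhcpc_t.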
 


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2016-12-08  4:47 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2016-12-08  4:47 UTC (permalink / raw
  To: gentoo-commits

commit:     8a244682cdb051e2a700155c49e9217baee65b0e
Author:     cgzones <cgzones <AT> googlemail <DOT> com>
AuthorDate: Sun Dec  4 16:42:52 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Dec  8 04:36:39 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8a244682

fix syslogd audits

 policy/modules/system/logging.te | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 96ffbcd..a9fbf1b 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -372,7 +372,7 @@ optional_policy(`
 # sys_nice for rsyslog
 # cjp: why net_admin!
 allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin sys_nice chown fsetid };
-dontaudit syslogd_t self:capability sys_tty_config;
+dontaudit syslogd_t self:capability { sys_tty_config sys_ptrace };
 # setpgid for metalog
 # setrlimit for syslog-ng
 # getsched for syslog-ng
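Review bot: sys_tty_config is already granted by the allow rule two lines above, so keeping it in the dontaudit set is redundant; only sys_ptrace needs the dontaudit. Consider `dontaudit syslogd_t self:capability sys_ptrace;` together with a comment on which daemon probes for it, since the commit message ("fix syslogd audits") gives no reason for the new capability.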
@@ -456,6 +456,7 @@ corenet_sendrecv_mysqld_client_packets(syslogd_t)
 
 dev_filetrans(syslogd_t, devlog_t, sock_file)
 dev_read_sysfs(syslogd_t)
+dev_read_urand(syslogd_t)
 # Allow access to /dev/kmsg for journald
 dev_rw_kmsg(syslogd_t)
 
@@ -498,7 +499,10 @@ userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
 userdom_dontaudit_search_user_home_dirs(syslogd_t)
 
 ifdef(`init_systemd',`
+	# systemd-journald permissions
+
 	allow syslogd_t self:capability { chown setuid setgid };
+	allow syslogd_t self:netlink_audit_socket { getattr getopt read setopt write };
 
 	kernel_use_fds(syslogd_t)
 	kernel_getattr_dgram_sockets(syslogd_t)


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2016-12-08  4:47 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2016-12-08  4:47 UTC (permalink / raw
  To: gentoo-commits

commit:     dfe8d0c37098717dacbadf331aafb903e108a021
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Dec  7 00:52:42 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Dec  8 04:43:12 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=dfe8d0c3

Module version bump for journald fixes from cgzones.

 policy/modules/system/logging.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index a9fbf1b..481cdef 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -1,4 +1,4 @@
-policy_module(logging, 1.24.0)
+policy_module(logging, 1.24.1)
 
 ########################################
 #


* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
@ 2016-12-08  5:03 Jason Zaman
  2016-12-08  4:47 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
  0 siblings, 1 reply; 705+ messages in thread
From: Jason Zaman @ 2016-12-08  5:03 UTC (permalink / raw
  To: gentoo-commits

commit:     52f264ecb4cfbf36d25a980096b09d10147e9e34
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Dec  7 01:01:22 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Dec  8 04:44:05 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=52f264ec

modutils: Move lines.

 policy/modules/system/modutils.te | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index 87e71d9..8ebd5d1 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -8,6 +8,7 @@ policy_module(modutils, 1.16.1)
 type kmod_t alias { insmod_t depmod_t update_modules_t };
 type kmod_exec_t alias { insmod_exec_t depmod_exec_t update_modules_exec_t };
 application_domain(kmod_t, kmod_exec_t)
+kernel_domtrans_to(kmod_t, kmod_exec_t)
 mls_file_write_all_levels(kmod_t)
 role system_r types kmod_t;
 
@@ -52,6 +53,7 @@ kernel_write_proc_files(kmod_t)
 kernel_mount_debugfs(kmod_t)
 kernel_mount_kvmfs(kmod_t)
 kernel_read_debugfs(kmod_t)
+kernel_search_key(kmod_t)
 # Rules for /proc/sys/kernel/tainted
 kernel_read_kernel_sysctls(kmod_t)
 kernel_rw_kernel_sysctl(kmod_t)
@@ -109,10 +111,6 @@ userdom_use_user_terminals(kmod_t)
 
 userdom_dontaudit_search_user_home_dirs(kmod_t)
 
-kernel_domtrans_to(kmod_t, kmod_exec_t)
-
-kernel_search_key(kmod_t)
-
 ifdef(`init_systemd',`
 	init_rw_stream_sockets(kmod_t)
 


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2017-01-01 16:36 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2017-01-01 16:36 UTC (permalink / raw
  To: gentoo-commits

commit:     a5eb286b975246977f37efd4e25a48b647170aa9
Author:     Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Sun Dec 18 20:01:56 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jan  1 16:26:28 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a5eb286b

udev: manage tmpfs files and directories

Update the udev module so that the udev domain can manage tmpfs files
and directories.

Thanks to Christian Göttsche for pointing out that this only applies
to systems not using systemd (v2).

Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>

 policy/modules/system/udev.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index cbce9f2..a774e61 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -229,6 +229,9 @@ ifdef(`init_systemd',`
 	init_dgram_send(udev_t)
 
 	systemd_read_logind_pids(udev_t)
+',`
+	fs_manage_tmpfs_dirs(udev_t)
+	fs_manage_tmpfs_files(udev_t)
 ')
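Review bot: the new else branch grants udev_t manage rights on every tmpfs_t file and directory on non-systemd systems, which is a broad permission, and neither the hunk nor the commit message names the paths udev actually writes. A comment listing them next to the two fs_manage_tmpfs_* calls would make it possible to later narrow the rule to a dedicated type.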
 
 optional_policy(`


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2017-01-01 16:36 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2017-01-01 16:36 UTC (permalink / raw
  To: gentoo-commits

commit:     61ff9d660037e9010115f2d0ac61180673e377ac
Author:     Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Sat Dec 17 18:08:40 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jan  1 16:26:28 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=61ff9d66

udev: always enable kernel module loading

The udev daemon should be able to load kernel modules not only on
systems using systemd but also on systems using former versions of
the udev daemon.

Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>

 policy/modules/system/udev.te | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index a774e61..760b4de 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -79,6 +79,7 @@ manage_lnk_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
 manage_sock_files_pattern(udev_t, udev_var_run_t, udev_var_run_t)
 files_pid_filetrans(udev_t, udev_var_run_t, dir, "udev")
 
+kernel_load_module(udev_t)
 kernel_read_system_state(udev_t)
 kernel_request_load_module(udev_t)
 kernel_getattr_core_if(udev_t)
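Review bot: kernel_load_module grants the sys_module capability, a much larger privilege than the kernel_request_load_module line directly below it, and this hunk makes it unconditional. The justification (pre-systemd udev versions load modules themselves) lives only in the commit message; a one-line comment beside the rule would stop the next reader from moving it back into the init_systemd block.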
@@ -220,8 +221,6 @@ ifdef(`distro_redhat',`
 ')
 
 ifdef(`init_systemd',`
-	kernel_load_module(udev_t)
-
 	files_search_kernel_modules(udev_t)
 
 	fs_read_cgroup_files(udev_t)


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2017-01-01 16:36 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2017-01-01 16:36 UTC (permalink / raw
  To: gentoo-commits

commit:     3225e34cc39a06b44cc0871b984791eeaf9bb970
Author:     Nicolas Iooss <nicolas.iooss <AT> m4x <DOT> org>
AuthorDate: Tue Dec 27 13:45:21 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jan  1 16:26:28 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3225e34c

systemd: add systemd-binfmt policy

This systemd service registers in /proc/sys/fs/binfmt_misc binary formats
for executables.

Signed-off-by: Nicolas Iooss <nicolas.iooss <AT> m4x.org>

 policy/modules/system/systemd.fc |  1 +
 policy/modules/system/systemd.te | 15 +++++++++++++++
 2 files changed, 16 insertions(+)

diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index 673bb68..d66feda 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -29,6 +29,7 @@
 /usr/lib/systemd/system/[^/]*sleep.*	--	gen_context(system_u:object_r:power_unit_t,s0)
 /usr/lib/systemd/system/[^/]*suspend.*	--	gen_context(system_u:object_r:power_unit_t,s0)
 /usr/lib/systemd/system/systemd-backlight.*	--	gen_context(system_u:object_r:systemd_backlight_unit_t,s0)
+/usr/lib/systemd/system/systemd-binfmt.*	--	gen_context(system_u:object_r:systemd_binfmt_unit_t,s0)
 
 /var/lib/systemd/backlight(/.*)?	gen_context(system_u:object_r:systemd_backlight_var_lib_t,s0)
 /var/lib/systemd/linger(/.*)?	gen_context(system_u:object_r:systemd_logind_var_lib_t,s0)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index c50e93a..cf22ba8 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -36,6 +36,9 @@ type systemd_binfmt_t;
 type systemd_binfmt_exec_t;
 init_system_domain(systemd_binfmt_t, systemd_binfmt_exec_t)
 
+type systemd_binfmt_unit_t;
+init_unit_file(systemd_binfmt_unit_t)
+
 type systemd_cgroups_t;
 type systemd_cgroups_exec_t;
 domain_type(systemd_cgroups_t)
@@ -162,6 +165,18 @@ files_read_etc_files(systemd_backlight_t)
 
 udev_read_pid_files(systemd_backlight_t)
 
+#######################################
+#
+# Binfmt local policy
+#
+
+systemd_log_parse_environment(systemd_binfmt_t)
+
+# Allow to read /etc/binfmt.d/ files
+files_read_etc_files(systemd_binfmt_t)
+
+fs_register_binary_executable_type(systemd_binfmt_t)
+
 ######################################
 #
 # Cgroups local policy
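Review bot: the new "Binfmt local policy" header rule appears one `#` longer than the Cgroups header directly below it; match the existing length. The comment "Allow to read /etc/binfmt.d/ files" reads better as "Allow reading /etc/binfmt.d/ files".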


* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
@ 2017-01-01 16:37 Jason Zaman
  2017-01-01 16:36 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
  0 siblings, 1 reply; 705+ messages in thread
From: Jason Zaman @ 2017-01-01 16:37 UTC (permalink / raw
  To: gentoo-commits

commit:     989ddb737f2e045e534d3238a9ed8248faf55c83
Author:     Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Tue Dec 27 15:33:57 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jan  1 16:26:28 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=989ddb73

base: use new genhomedircon template for username

Use the new genhomedircon templates for username-dependent
file contexts (requires libsemanage >= 2.6).

This is the base policy part (1/2).

 policy/modules/system/userdomain.fc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc
index c8b881e..6c813b4 100644
--- a/policy/modules/system/userdomain.fc
+++ b/policy/modules/system/userdomain.fc
@@ -2,7 +2,7 @@ HOME_DIR	-d	gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
 HOME_DIR/.+		gen_context(system_u:object_r:user_home_t,s0)
 HOME_DIR/\.pki(/.*)?	gen_context(system_u:object_r:user_cert_t,s0)
 
-/tmp/gconfd-USER -d	gen_context(system_u:object_r:user_tmp_t,s0)
+/tmp/gconfd-%{USERNAME} -d	gen_context(system_u:object_r:user_tmp_t,s0)
 
 /run/user		-d	gen_context(system_u:object_r:user_runtime_root_t,s0)
 /run/user/[^/]+	-d	gen_context(system_u:object_r:user_runtime_t,s0)
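Review bot: %{USERNAME} is only expanded by genhomedircon from libsemanage 2.6 onward, as the commit message says; with an older libsemanage the literal string ends up in file_contexts.homedirs and the gconfd directory no longer matches anything. That requirement belongs in a comment in the .fc file or in the build documentation, not only in the commit message, because the .fc file is what people copy.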


* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
@ 2017-01-01 16:37 Jason Zaman
  2017-01-01 16:36 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
  0 siblings, 1 reply; 705+ messages in thread
From: Jason Zaman @ 2017-01-01 16:37 UTC (permalink / raw
  To: gentoo-commits

commit:     136d58b22660009b8fba0fbf2a1a160aba8d9735
Author:     Nicolas Iooss <nicolas.iooss <AT> m4x <DOT> org>
AuthorDate: Tue Dec 27 13:44:58 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jan  1 16:26:28 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=136d58b2

systemd: add systemd-backlight policy

The documentation page of this service describes well which accesses are
needed
(https://www.freedesktop.org/software/systemd/man/systemd-backlight@.service.html).
systemd-backlight:
- is a systemd service
- manages /var/lib/systemd/backlight/
- reads udev device properties to find ID_BACKLIGHT_CLAMP

Signed-off-by: Nicolas Iooss <nicolas.iooss <AT> m4x.org>

 policy/modules/system/systemd.fc |  2 ++
 policy/modules/system/systemd.te | 24 ++++++++++++++++++++++++
 2 files changed, 26 insertions(+)

diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index ff0f976..673bb68 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -28,7 +28,9 @@
 /usr/lib/systemd/system/[^/]*shutdown.*	--	gen_context(system_u:object_r:power_unit_t,s0)
 /usr/lib/systemd/system/[^/]*sleep.*	--	gen_context(system_u:object_r:power_unit_t,s0)
 /usr/lib/systemd/system/[^/]*suspend.*	--	gen_context(system_u:object_r:power_unit_t,s0)
+/usr/lib/systemd/system/systemd-backlight.*	--	gen_context(system_u:object_r:systemd_backlight_unit_t,s0)
 
+/var/lib/systemd/backlight(/.*)?	gen_context(system_u:object_r:systemd_backlight_var_lib_t,s0)
 /var/lib/systemd/linger(/.*)?	gen_context(system_u:object_r:systemd_logind_var_lib_t,s0)
 
 /run/\.nologin[^/]*	--	gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 196abab..c50e93a 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -26,6 +26,12 @@ type systemd_backlight_t;
 type systemd_backlight_exec_t;
 init_system_domain(systemd_backlight_t, systemd_backlight_exec_t)
 
+type systemd_backlight_unit_t;
+init_unit_file(systemd_backlight_unit_t)
+
+type systemd_backlight_var_lib_t;
+files_type(systemd_backlight_var_lib_t)
+
 type systemd_binfmt_t;
 type systemd_binfmt_exec_t;
 init_system_domain(systemd_binfmt_t, systemd_binfmt_exec_t)
@@ -140,6 +146,24 @@ logging_send_syslog_msg(systemd_log_parse_env_type)
 
 ######################################
 #
+# Backlight local policy
+#
+
+allow systemd_backlight_t systemd_backlight_var_lib_t:dir manage_dir_perms;
+init_var_lib_filetrans(systemd_backlight_t, systemd_backlight_var_lib_t, dir)
+manage_files_pattern(systemd_backlight_t, systemd_backlight_var_lib_t, systemd_backlight_var_lib_t)
+
+systemd_log_parse_environment(systemd_backlight_t)
+
+# Allow systemd-backlight to write to /sys/class/backlight/*/brightness
+dev_rw_sysfs(systemd_backlight_t)
+
+files_read_etc_files(systemd_backlight_t)
+
+udev_read_pid_files(systemd_backlight_t)
+
+######################################
+#
 # Cgroups local policy
 #
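Review bot: dev_rw_sysfs grants read/write on all of sysfs, far more than the /sys/class/backlight/*/brightness files named in the comment above it. refpolicy has no finer sysfs type, so the comment is the right place to record the intended scope, but it should state that the grant is broader than the need.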
 


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2017-01-13 18:43 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2017-01-13 18:43 UTC (permalink / raw
  To: gentoo-commits

commit:     c8b3daa87fb663a3b0908b79f5876e5d91ede429
Author:     cgzones <cgzones <AT> googlemail <DOT> com>
AuthorDate: Thu Jan  5 10:53:06 2017 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Jan 13 18:39:00 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c8b3daa8

auditd / auditctl: fix audits

 policy/modules/system/logging.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 90e8682..5443405 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -100,6 +100,7 @@ ifdef(`enable_mls',`
 #
 
 allow auditctl_t self:capability { fsetid dac_read_search dac_override };
+allow auditctl_t self:process getcap;
 allow auditctl_t self:netlink_audit_socket nlmsg_readpriv;
 
 read_files_pattern(auditctl_t, auditd_etc_t, auditd_etc_t)
@@ -149,6 +150,7 @@ allow auditd_t auditd_etc_t:dir list_dir_perms;
 allow auditd_t auditd_etc_t:file read_file_perms;
 
 manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
+allow auditd_t auditd_log_t:dir setattr;
 manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
 allow auditd_t var_log_t:dir search_dir_perms;
 


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2017-01-13 18:43 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2017-01-13 18:43 UTC (permalink / raw
  To: gentoo-commits

commit:     82d98c88d39b643eff0cd53679cd9374d33e7062
Author:     cgzones <cgzones <AT> googlemail <DOT> com>
AuthorDate: Fri Jan  6 14:01:45 2017 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Jan 13 18:39:05 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=82d98c88

update unconfined module * grant capability2:wake_alarm * remove deprecated interfaces

 policy/modules/system/unconfined.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
index 78f9c14..3bf6605 100644
--- a/policy/modules/system/unconfined.if
+++ b/policy/modules/system/unconfined.if
@@ -20,7 +20,7 @@ interface(`unconfined_domain_noaudit',`
 
 	# Use most Linux capabilities
 	allow $1 self:capability ~sys_module;
-	allow $1 self:capability2 syslog;
+	allow $1 self:capability2 { syslog wake_alarm };
 	allow $1 self:fifo_file manage_fifo_file_perms;
 
 	# Transition to myself, to make get_ordered_context_list happy.
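Review bot: the commit message says deprecated interfaces were removed, but the diff stat shows a single changed line (1 insertion, 1 deletion) that only adds wake_alarm to `self:capability2`; either the message overstates the change or part of it is missing from this commit. The wake_alarm grant itself is consistent with the broad `~sys_module` capability set already given to unconfined domains.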


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2017-01-13 18:43 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2017-01-13 18:43 UTC (permalink / raw
  To: gentoo-commits

commit:     55f60d30e606f695662113f02acc45a78e3433a3
Author:     Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Mon Jan  2 21:11:32 2017 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Jan 13 18:38:51 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=55f60d30

init: support sysvinit

Add a permission needed for the correct functioning of sysvinit
on systems using the initramfs.

Without the selinux_get_fs_mount() interface call, the call to
libselinux:is_selinux_enabled() fails and sysvinit tries to do
the initial policy load again.

Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>

 policy/modules/system/init.te | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index bd97a7c..ce6f2f9 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -162,6 +162,7 @@ files_exec_etc_files(init_t)
 files_dontaudit_rw_root_files(init_t)
 files_dontaudit_rw_root_chr_files(init_t)
 
+fs_getattr_xattr_fs(init_t)
 fs_list_inotifyfs(init_t)
 # cjp: this may be related to /dev/log
 fs_write_ramfs_sockets(init_t)
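Review bot: `fs_getattr_xattr_fs(init_t)` is added without any explanation; the commit message only justifies the `selinux_get_fs_mount` call in the second hunk. Add a comment in the same style as that hunk so the getattr on xattr-capable filesystems can be traced back to the sysvinit/initramfs case.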
@@ -174,6 +175,10 @@ mls_file_write_all_levels(init_t)
 mls_process_write_all_levels(init_t)
 mls_fd_use_all_levels(init_t)
 
+# the following one is needed for libselinux:is_selinux_enabled()
+# otherwise the call fails and sysvinit tries to load the policy
+# again when using the initramfs
+selinux_get_fs_mount(init_t)
 selinux_set_all_booleans(init_t)
 
 term_use_all_terms(init_t)
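Review bot: no policy_module version bump accompanies the new permissions (diff stat: init.te, 5 insertions only); otherwise the comment above `selinux_get_fs_mount(init_t)` documents the libselinux:is_selinux_enabled() dependency clearly, and the call is correctly ordered before `selinux_set_all_booleans(init_t)`.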


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2017-01-13 18:43 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2017-01-13 18:43 UTC (permalink / raw
  To: gentoo-commits

commit:     7016d9a6b6505eea13d0c4cb7a4d94d096ef07ee
Author:     cgzones <cgzones <AT> googlemail <DOT> com>
AuthorDate: Fri Jan  6 14:05:00 2017 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Jan 13 18:39:37 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7016d9a6

update mount module

* rename mount_var_run_t to mount_runtime_t
* delete kernel_read_unlabeled_files(mount_t)
* add selinux_getattr_fs(mount_t)

 policy/modules/system/mount.fc |  4 ++--
 policy/modules/system/mount.te | 19 +++++++++----------
 2 files changed, 11 insertions(+), 12 deletions(-)

diff --git a/policy/modules/system/mount.fc b/policy/modules/system/mount.fc
index 9cfb93a..182d0fd 100644
--- a/policy/modules/system/mount.fc
+++ b/policy/modules/system/mount.fc
@@ -2,7 +2,7 @@
 /bin/mount.*			--	gen_context(system_u:object_r:mount_exec_t,s0)
 /bin/umount.*			--	gen_context(system_u:object_r:mount_exec_t,s0)
 
-/sbin/mount\.zfs			--	gen_context(system_u:object_r:mount_exec_t,s0)
+/sbin/mount\.zfs		--	gen_context(system_u:object_r:mount_exec_t,s0)
 /sbin/zfs			--	gen_context(system_u:object_r:mount_exec_t,s0)
 /sbin/zpool			--	gen_context(system_u:object_r:mount_exec_t,s0)
 
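Review bot: this hunk is a whitespace-only realignment of the `/sbin/mount\.zfs` entry; it is harmless, but keeping it out of a commit that also renames a type would make the functional change easier to spot in history.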
@@ -14,4 +14,4 @@
 /usr/sbin/zfs			--	gen_context(system_u:object_r:mount_exec_t,s0)
 /usr/sbin/zpool			--	gen_context(system_u:object_r:mount_exec_t,s0)
 
-/run/mount(/.*)?			gen_context(system_u:object_r:mount_var_run_t,s0)
+/run/mount(/.*)?			gen_context(system_u:object_r:mount_runtime_t,s0)

diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index a2ed9b7..4bfb93b 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -23,12 +23,13 @@ role mount_roles types mount_t;
 type mount_loopback_t; # customizable
 files_type(mount_loopback_t)
 
+type mount_runtime_t;
+typealias mount_runtime_t alias mount_var_run_t;
+files_pid_file(mount_runtime_t)
+
 type mount_tmp_t;
 files_tmp_file(mount_tmp_t)
 
-type mount_var_run_t;
-files_pid_file(mount_var_run_t)
-
 # causes problems with interfaces when
 # this is optionally declared in monolithic
 # policy--duplicate type declaration
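Review bot: `typealias mount_runtime_t alias mount_var_run_t;` keeps the old name resolvable, so existing labels on /run/mount and any third-party modules that still reference mount_var_run_t continue to work without a relabel; the new declaration also keeps the block in alphabetical order (loopback, runtime, tmp). Good.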
@@ -55,10 +56,10 @@ can_exec(mount_t, mount_exec_t)
 
 files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
 
-create_dirs_pattern(mount_t, mount_var_run_t, mount_var_run_t)
-create_files_pattern(mount_t, mount_var_run_t, mount_var_run_t)
-rw_files_pattern(mount_t, mount_var_run_t, mount_var_run_t)
-files_pid_filetrans(mount_t, mount_var_run_t, dir, "mount")
+create_dirs_pattern(mount_t, mount_runtime_t, mount_runtime_t)
+create_files_pattern(mount_t, mount_runtime_t, mount_runtime_t)
+rw_files_pattern(mount_t, mount_runtime_t, mount_runtime_t)
+files_pid_filetrans(mount_t, mount_runtime_t, dir, "mount")
 
 kernel_read_system_state(mount_t)
 kernel_read_kernel_sysctls(mount_t)
@@ -68,9 +69,6 @@ kernel_dontaudit_write_debugfs_dirs(mount_t)
 kernel_dontaudit_write_proc_dirs(mount_t)
 # To load binfmt_misc kernel module
 kernel_request_load_module(mount_t)
-# for when /etc/mtab loses its type
-# cjp: this seems wrong, the type should probably be etc
-kernel_read_unlabeled_files(mount_t)
 
 # required for mount.smbfs
 corecmd_exec_bin(mount_t)
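Review bot: dropping `kernel_read_unlabeled_files(mount_t)` removes mount's ability to read unlabeled files, which the deleted comment tied to /etc/mtab losing its type; the commit message says only "delete" and gives no reason it is no longer needed (for example, that /etc/mtab is a symlink to /proc/self/mounts on the target systems). Record the justification so any later denial on unlabeled_t can be traced to this change.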
@@ -142,6 +140,7 @@ miscfiles_read_localization(mount_t)
 sysnet_use_portmap(mount_t)
 
 seutil_read_config(mount_t)
+selinux_getattr_fs(mount_t)
 
 userdom_use_all_users_fds(mount_t)
 
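Review bot: refpolicy orders interface calls alphabetically by module prefix, so `selinux_getattr_fs(mount_t)` belongs before `seutil_read_config(mount_t)`, not after it.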


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2017-01-23 18:17 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2017-01-23 18:17 UTC (permalink / raw
  To: gentoo-commits

commit:     bd9a0390dde045170e4291bbd5a0e8655d435b39
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Jan 23 18:04:15 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Jan 23 18:04:15 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=bd9a0390

sysnetwork: allow dhcpc scripts to run resolvconf

dhcpcd runs resolvconf from a script, not directly from dhcpc_t

type=AVC msg=audit(1480827246.554:34865): avc:  denied  { open } for
pid=16908 comm="resolvconf" path="/proc/meminfo" dev="proc"
ino=4026531989 scontext=system_u:system_r:resolvconf_t
tcontext=system_u:object_r:proc_t tclass=file

Gentoo-Bug: https://bugs.gentoo.org/602624

 policy/modules/system/sysnetwork.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 18090d0..c7fdcb9 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -493,4 +493,8 @@ ifdef(`distro_gentoo',`
 	optional_policy(`
 		ntp_manage_config(dhcpc_script_t)
 	')
+
+	optional_policy(`
+		resolvconf_client_domain(dhcpc_script_t)
+	')
 ')
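Review bot: the AVC quoted in the commit message is resolvconf_t being denied open on /proc/meminfo (scontext=resolvconf_t, tcontext=proc_t), which this hunk does not address; `resolvconf_client_domain(dhcpc_script_t)` only lets the dhcpcd hook script transition into resolvconf_t. Either quote the denial that motivated the transition (an execute denial from dhcpc_script_t) or state that the proc_t read is handled separately in the resolvconf module.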


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2017-01-25 11:59 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2017-01-25 11:59 UTC (permalink / raw
  To: gentoo-commits

commit:     ee30a1c78c2191932984bda592fa61a7a86ce10d
Author:     Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Fri Jan 20 01:05:30 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Jan 25 07:07:46 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ee30a1c7

udev: execute HPLIP applications in their own domain

Execute HP Linux Imaging and Printing (HPLIP) applications launched
by udev in their own domain.

Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>

 policy/modules/system/udev.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 9570bca..e8be025 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -261,6 +261,7 @@ optional_policy(`
 
 optional_policy(`
 	cups_domtrans_config(udev_t)
+	cups_domtrans_hplip(udev_t)
 ')
 
 optional_policy(`
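Review bot: `cups_domtrans_hplip(udev_t)` is placed inside the existing optional_policy block that already depends on the cups module, which is the right spot; the udev policy_module version bump is not in this commit but follows in the next one.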


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2017-01-25 11:59 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2017-01-25 11:59 UTC (permalink / raw
  To: gentoo-commits

commit:     1939ce14da3c73bb79b0a6d2108baf4987083d86
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Mon Jan 23 23:50:53 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Jan 25 07:07:46 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1939ce14

Module version bump for cups patch from Guido Trentalancia.

 policy/modules/system/udev.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index e8be025..76d753b 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -1,4 +1,4 @@
-policy_module(udev, 1.20.3)
+policy_module(udev, 1.20.4)
 
 ########################################
 #


* [gentoo-commits] proj/hardened-refpolicy:usrmerge commit in: policy/modules/system/
@ 2017-02-05 15:13 Jason Zaman
  2017-02-16 11:34 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
  0 siblings, 1 reply; 705+ messages in thread
From: Jason Zaman @ 2017-02-05 15:13 UTC (permalink / raw
  To: gentoo-commits

commit:     a22e9f51496b244924b7103da65925d57e8603df
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun Feb  5 08:58:28 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Feb  5 15:10:31 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a22e9f51

usrmerge: Add gentoo-specific /usr fcontexts

 policy/modules/system/fstools.fc    | 1 -
 policy/modules/system/init.fc       | 6 +++---
 policy/modules/system/lvm.fc        | 4 ++--
 policy/modules/system/sysnetwork.fc | 2 +-
 policy/modules/system/tmpfiles.fc   | 4 ++--
 policy/modules/system/udev.fc       | 7 ++-----
 6 files changed, 10 insertions(+), 14 deletions(-)

diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
index 5249a70..4dca3ed 100644
--- a/policy/modules/system/fstools.fc
+++ b/policy/modules/system/fstools.fc
@@ -61,6 +61,5 @@
 /run/fsck(/.*)?		gen_context(system_u:object_r:fsadm_run_t,s0)
 
 ifdef(`distro_gentoo',`
-/sbin/mkfs\.f2fs	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/sbin/mkfs\.f2fs	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 ')
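Review bot: removing the `/sbin/mkfs\.f2fs` entry is only correct on a merged-/usr layout where /sbin resolves to /usr/sbin and the remaining `/usr/sbin/mkfs\.f2fs` entry covers it; that holds for the usrmerge branch, but the commit message should state that non-merged installs are out of scope for these fcontexts.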

diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
index 3e1365c..19a953f 100644
--- a/policy/modules/system/init.fc
+++ b/policy/modules/system/init.fc
@@ -81,13 +81,13 @@ ifdef(`distro_gentoo',`
 #
 # /lib
 #
-/lib/rc/console(/.*)?		gen_context(system_u:object_r:initrc_state_t,s0)
-/lib/rc/cache(/.*)?		gen_context(system_u:object_r:initrc_state_t,s0)
+/usr/lib/rc/console(/.*)?		gen_context(system_u:object_r:initrc_state_t,s0)
+/usr/lib/rc/cache(/.*)?		gen_context(system_u:object_r:initrc_state_t,s0)
 
 #
 # /sbin
 #
-/sbin/openrc		--	gen_context(system_u:object_r:rc_exec_t,s0)
+/usr/sbin/openrc		--	gen_context(system_u:object_r:rc_exec_t,s0)
 
 #
 # /var

diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc
index 8f4988e..3fc24cc 100644
--- a/policy/modules/system/lvm.fc
+++ b/policy/modules/system/lvm.fc
@@ -100,9 +100,9 @@ ifdef(`distro_gentoo',`
 
 ifdef(`distro_gentoo',`
 # Bug 529430 comment 7
-/sbin/lvmetad		--	gen_context(system_u:object_r:lvm_exec_t,s0)
+/usr/sbin/lvmetad		--	gen_context(system_u:object_r:lvm_exec_t,s0)
 /var/run/lvm(/.*)?		gen_context(system_u:object_r:lvm_var_run_t,s0)
 
 # Bug 529430 comment 8
-/sbin/dmeventd		--	gen_context(system_u:object_r:lvm_exec_t,s0)
+/usr/sbin/dmeventd		--	gen_context(system_u:object_r:lvm_exec_t,s0)
 ')

diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
index a295f46..2c93c41 100644
--- a/policy/modules/system/sysnetwork.fc
+++ b/policy/modules/system/sysnetwork.fc
@@ -72,7 +72,7 @@ ifdef(`distro_debian',`
 ')
 
 ifdef(`distro_gentoo',`
-/lib/dhcpcd/dhcpcd-run-hooks	--	gen_context(system_u:object_r:dhcpc_script_exec_t,s0)
+/usr/lib/dhcpcd/dhcpcd-run-hooks	--	gen_context(system_u:object_r:dhcpc_script_exec_t,s0)
 /var/run/dhcpcd\.sock	-s	gen_context(system_u:object_r:dhcpc_var_run_t,s0)
 /var/run/dhcpcd\.unpriv\.sock	-s	gen_context(system_u:object_r:dhcpc_var_run_t,s0)
 ')

diff --git a/policy/modules/system/tmpfiles.fc b/policy/modules/system/tmpfiles.fc
index 12fd30a..3f9b2b8 100644
--- a/policy/modules/system/tmpfiles.fc
+++ b/policy/modules/system/tmpfiles.fc
@@ -2,6 +2,6 @@
 /etc/tmpfiles.d(/.*)?				gen_context(system_u:object_r:tmpfiles_conf_t,s0)
 /var/run/tmpfiles.d(/.*)?			gen_context(system_u:object_r:tmpfiles_var_run_t,s0)
 
-/lib/rc/bin/checkpath			--	gen_context(system_u:object_r:tmpfiles_exec_t,s0)
-/lib/rc/sh/tmpfiles.sh			--	gen_context(system_u:object_r:tmpfiles_exec_t,s0)
+/usr/lib/rc/bin/checkpath			--	gen_context(system_u:object_r:tmpfiles_exec_t,s0)
+/usr/lib/rc/sh/tmpfiles.sh			--	gen_context(system_u:object_r:tmpfiles_exec_t,s0)
 

diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
index 6801d63..de64670 100644
--- a/policy/modules/system/udev.fc
+++ b/policy/modules/system/udev.fc
@@ -42,11 +42,8 @@ ifdef(`distro_debian',`
 ')
 
 ifdef(`distro_gentoo',`
-/bin/udevadm	--	gen_context(system_u:object_r:udev_exec_t,s0)
-
-/lib/udev/udevd	--	gen_context(system_u:object_r:udev_exec_t,s0)
-/lib/udev/rules\.d(/.*)?	gen_context(system_u:object_r:udev_rules_t,s0)
-/lib/systemd/systemd-udevd  --  gen_context(system_u:object_r:udev_exec_t,s0)
+/usr/lib/udev/udevd	--	gen_context(system_u:object_r:udev_exec_t,s0)
+/usr/lib/udev/rules\.d(/.*)?	gen_context(system_u:object_r:udev_rules_t,s0)
 
 /usr/bin/udevadm	--	gen_context(system_u:object_r:udev_exec_t,s0)
 
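Review bot: the `/lib/systemd/systemd-udevd` entry is deleted without a `/usr/lib/systemd/systemd-udevd` replacement, unlike udevd and rules\.d, which both get /usr/lib equivalents; after this change systemd-udevd is no longer labeled udev_exec_t by this module on a merged system. Dropping `/bin/udevadm` is fine since `/usr/bin/udevadm` is already listed in the context below.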


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2017-02-17  8:44 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2017-02-17  8:44 UTC (permalink / raw
  To: gentoo-commits

commit:     0c21541d004818b56963b2462639800b0956e8ce
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Feb  8 00:03:59 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Feb 17 08:04:15 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0c21541d

Systemd tmpfiles fix for kmod.conf from Russell Coker.

 policy/modules/system/modutils.if | 18 ++++++++++++++++++
 policy/modules/system/modutils.te |  2 +-
 policy/modules/system/systemd.te  |  5 ++++-
 3 files changed, 23 insertions(+), 2 deletions(-)

diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if
index ae082519..880730c9 100644
--- a/policy/modules/system/modutils.if
+++ b/policy/modules/system/modutils.if
@@ -333,3 +333,21 @@ interface(`modutils_exec_update_mods',`
 	corecmd_search_bin($1)
 	can_exec($1, update_modules_exec_t)
 ')
+
+########################################
+## <summary>
+##	Read kmod lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`modutils_read_var_run_files',`
+	gen_require(`
+		type kmod_var_run_t;
+	')
+
+	allow $1 kmod_var_run_t:file read_file_perms;
+')
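Review bot: the summary says "Read kmod lib files" but the interface grants read on kmod_var_run_t, i.e. kmod's runtime files under /run; fix the summary, and consider adding `files_search_pids($1)` inside the interface so callers can reach /run/tmpfiles.d/kmod.conf without a separate search rule.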

diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index 901cdea0..6e8cfb1c 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -1,4 +1,4 @@
-policy_module(modutils, 1.17.1)
+policy_module(modutils, 1.17.2)
 
 ########################################
 #

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 48e9ee18..d16a3804 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1,4 +1,4 @@
-policy_module(systemd, 1.3.1)
+policy_module(systemd, 1.3.2)
 
 #########################################
 #
@@ -355,6 +355,9 @@ auth_manage_login_records(systemd_tmpfiles_t)
 auth_relabel_login_records(systemd_tmpfiles_t)
 auth_setattr_login_records(systemd_tmpfiles_t)
 
+# for /run/tmpfiles.d/kmod.conf
+modutils_read_var_run_files(systemd_tmpfiles_t)
+
 seutil_read_file_contexts(systemd_tmpfiles_t)
 
 systemd_log_parse_environment(systemd_tmpfiles_t)


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2017-02-21  7:11 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2017-02-21  7:11 UTC (permalink / raw
  To: gentoo-commits

commit:     1be54ba357bd1336f0150d5337dedea3b1736421
Author:     cgzones <cgzones <AT> googlemail <DOT> com>
AuthorDate: Fri Jan  6 14:10:04 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Feb 21 06:34:38 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1be54ba3

selinuxutil: adjustments

* no negative permission matching for newrole_t:process
* do not label /usr/lib/selinux as policy_src_t, otherwise semodule can not run /usr/lib/selinux/hll/pp
* reorder label for /run/restorecond.pid
* fix systemd related denials

 policy/modules/system/selinuxutil.fc | 65 ++++++++++++++++++------------------
 policy/modules/system/selinuxutil.te | 25 +++++++++++---
 2 files changed, 52 insertions(+), 38 deletions(-)

diff --git a/policy/modules/system/selinuxutil.fc b/policy/modules/system/selinuxutil.fc
index 8159897e..f7b84401 100644
--- a/policy/modules/system/selinuxutil.fc
+++ b/policy/modules/system/selinuxutil.fc
@@ -3,53 +3,52 @@
 #
 # /etc
 #
-/etc/selinux(/.*)?			gen_context(system_u:object_r:selinux_config_t,s0)
-/etc/selinux/([^/]*/)?contexts(/.*)?	gen_context(system_u:object_r:default_context_t,s0)
-/etc/selinux/([^/]*/)?contexts/files(/.*)? gen_context(system_u:object_r:file_context_t,s0)
-/etc/selinux/([^/]*/)?policy(/.*)?	gen_context(system_u:object_r:policy_config_t,mls_systemhigh)
-/etc/selinux/([^/]*/)?setrans\.conf --	gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
-/etc/selinux/([^/]*/)?seusers	--	gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
-/etc/selinux/([^/]*/)?modules(/.*)?	gen_context(system_u:object_r:semanage_store_t,s0)
-/etc/selinux/([^/]*/)?modules/semanage\.read\.LOCK -- gen_context(system_u:object_r:semanage_read_lock_t,s0)
-/etc/selinux/([^/]*/)?modules/semanage\.trans\.LOCK -- gen_context(system_u:object_r:semanage_trans_lock_t,s0)
-/etc/selinux/([^/]*/)?users(/.*)? --	gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
+/etc/selinux(/.*)?					gen_context(system_u:object_r:selinux_config_t,s0)
+/etc/selinux/([^/]*/)?contexts(/.*)?			gen_context(system_u:object_r:default_context_t,s0)
+/etc/selinux/([^/]*/)?contexts/files(/.*)?		gen_context(system_u:object_r:file_context_t,s0)
+/etc/selinux/([^/]*/)?policy(/.*)?			gen_context(system_u:object_r:policy_config_t,mls_systemhigh)
+/etc/selinux/([^/]*/)?setrans\.conf		--	gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
+/etc/selinux/([^/]*/)?seusers			--	gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
+/etc/selinux/([^/]*/)?modules(/.*)?			gen_context(system_u:object_r:semanage_store_t,s0)
+/etc/selinux/([^/]*/)?modules/semanage\.read\.LOCK --	gen_context(system_u:object_r:semanage_read_lock_t,s0)
+/etc/selinux/([^/]*/)?modules/semanage\.trans\.LOCK --	gen_context(system_u:object_r:semanage_trans_lock_t,s0)
+/etc/selinux/([^/]*/)?users(/.*)?		--	gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
 
 #
 # /root
 #
-/root/\.default_contexts	-- 	gen_context(system_u:object_r:default_context_t,s0)
+/root/\.default_contexts			-- 	gen_context(system_u:object_r:default_context_t,s0)
+
+#
+# /run
+#
+/run/restorecond\.pid				--	gen_context(system_u:object_r:restorecond_run_t,s0)
 
 #
 # /usr
 #
-/usr/bin/checkpolicy		--	gen_context(system_u:object_r:checkpolicy_exec_t,s0)
-/usr/bin/newrole		--	gen_context(system_u:object_r:newrole_exec_t,s0)
+/usr/bin/checkpolicy				--	gen_context(system_u:object_r:checkpolicy_exec_t,s0)
+/usr/bin/newrole				--	gen_context(system_u:object_r:newrole_exec_t,s0)
 
-/usr/lib/selinux(/.*)?			gen_context(system_u:object_r:policy_src_t,s0)
-/usr/lib/systemd/system/restorecond.*\.service -- gen_context(system_u:object_r:restorecond_unit_t,s0)
+/usr/lib/systemd/system/restorecond.*\.service	--	gen_context(system_u:object_r:restorecond_unit_t,s0)
 
-/usr/sbin/load_policy		--	gen_context(system_u:object_r:load_policy_exec_t,s0)
-/usr/sbin/restorecon		--	gen_context(system_u:object_r:setfiles_exec_t,s0)
-/usr/sbin/restorecond		--	gen_context(system_u:object_r:restorecond_exec_t,s0)
-/usr/sbin/run_init		--	gen_context(system_u:object_r:run_init_exec_t,s0)
-/usr/sbin/setfiles.*		--	gen_context(system_u:object_r:setfiles_exec_t,s0)
-/usr/sbin/setsebool		--	gen_context(system_u:object_r:semanage_exec_t,s0)
-/usr/sbin/semanage		--	gen_context(system_u:object_r:semanage_exec_t,s0)
-/usr/sbin/semodule		--	gen_context(system_u:object_r:semanage_exec_t,s0)
-/usr/libexec/selinux/semanage_migrate_store		--	gen_context(system_u:object_r:semanage_exec_t,s0)
+/usr/sbin/load_policy				--	gen_context(system_u:object_r:load_policy_exec_t,s0)
+/usr/sbin/restorecon				--	gen_context(system_u:object_r:setfiles_exec_t,s0)
+/usr/sbin/restorecond				--	gen_context(system_u:object_r:restorecond_exec_t,s0)
+/usr/sbin/run_init				--	gen_context(system_u:object_r:run_init_exec_t,s0)
+/usr/sbin/setfiles.*				--	gen_context(system_u:object_r:setfiles_exec_t,s0)
+/usr/sbin/setsebool				--	gen_context(system_u:object_r:semanage_exec_t,s0)
+/usr/sbin/semanage				--	gen_context(system_u:object_r:semanage_exec_t,s0)
+/usr/sbin/semodule				--	gen_context(system_u:object_r:semanage_exec_t,s0)
+/usr/libexec/selinux/semanage_migrate_store	--	gen_context(system_u:object_r:semanage_exec_t,s0)
 
 #
 # /var/lib
 #
-/var/lib/selinux(/.*)?			gen_context(system_u:object_r:semanage_store_t,s0)
-/var/lib/selinux/[^/]+/semanage\.read\.LOCK -- gen_context(system_u:object_r:semanage_read_lock_t,s0)
-/var/lib/selinux/[^/]+/semanage\.trans\.LOCK -- gen_context(system_u:object_r:semanage_trans_lock_t,s0)
-/usr/lib/selinux/semanage_migrate_store	--	gen_context(system_u:object_r:semanage_exec_t,s0)
-
-#
-# /var/run
-#
-/run/restorecond\.pid	--	gen_context(system_u:object_r:restorecond_var_run_t,s0)
+/var/lib/selinux(/.*)?					gen_context(system_u:object_r:semanage_store_t,s0)
+/var/lib/selinux/[^/]+/semanage\.read\.LOCK	--	gen_context(system_u:object_r:semanage_read_lock_t,s0)
+/var/lib/selinux/[^/]+/semanage\.trans\.LOCK	--	gen_context(system_u:object_r:semanage_trans_lock_t,s0)
+/usr/lib/selinux/semanage_migrate_store		--	gen_context(system_u:object_r:semanage_exec_t,s0)
 
 ifdef(`distro_gentoo',`
 # Support for gentoo python switcheridoo
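Review bot: the column realignment turns two small functional changes (dropping the `/usr/lib/selinux(/.*)?` policy_src_t entry and moving `/run/restorecond\.pid` to restorecond_run_t) into a 65-line hunk; separating whitespace from content changes would make this reviewable. Also, `/usr/lib/selinux/semanage_migrate_store` remains under the `# /var/lib` heading; it belongs with the /usr entries next to `/usr/libexec/selinux/semanage_migrate_store`.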

diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index dd95cf64..703a4453 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -88,8 +88,9 @@ role system_r types restorecond_t;
 type restorecond_unit_t;
 init_unit_file(restorecond_unit_t)
 
-type restorecond_var_run_t;
-files_pid_file(restorecond_var_run_t)
+type restorecond_run_t;
+typealias restorecond_run_t alias restorecond_var_run_t;
+files_pid_file(restorecond_run_t)
 
 type run_init_t;
 type run_init_exec_t;
@@ -221,7 +222,6 @@ optional_policy(`
 #
 
 allow newrole_t self:capability { dac_override fowner setgid setuid };
-allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
 allow newrole_t self:process setexec;
 allow newrole_t self:fd use;
 allow newrole_t self:fifo_file rw_fifo_file_perms;
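Review bot: removing the negated `~{ ... }` process rule leaves only `setexec` visible in this block; the old rule granted every other process permission, including the common ones newrole needs (fork, signal handling, getattr and the like). Confirm those are granted elsewhere for newrole_t or replace the removed line with an explicit positive list, otherwise newrole regresses at runtime.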
@@ -303,6 +303,21 @@ ifdef(`distro_ubuntu',`
 	')
 ')
 
+ifdef(`init_systemd',`
+	optional_policy(`
+		systemd_use_logind_fds(newrole_t)
+		systemd_dbus_chat_logind(newrole_t)
+	')
+')
+
+optional_policy(`
+	dbus_system_bus_client(newrole_t)
+
+	optional_policy(`
+		consolekit_dbus_chat(newrole_t)
+	')
+')
+
 # if secure mode is enabled, then newrole
 # can only transition to unprivileged users
 if(secure_mode) {
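Review bot: the commit message says "fix systemd related denials" but none are quoted; letting newrole_t use logind fds, chat with logind over dbus and act as a system bus client widens the surface of a login-path domain, so the motivating denials should be recorded in the message or as comments on the new block.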
@@ -323,8 +338,8 @@ tunable_policy(`allow_polyinstantiation',`
 allow restorecond_t self:capability { dac_override dac_read_search fowner };
 allow restorecond_t self:fifo_file rw_fifo_file_perms;
 
-allow restorecond_t restorecond_var_run_t:file manage_file_perms;
-files_pid_filetrans(restorecond_t, restorecond_var_run_t, file)
+allow restorecond_t restorecond_run_t:file manage_file_perms;
+files_pid_filetrans(restorecond_t, restorecond_run_t, file)
 
 kernel_getattr_debugfs(restorecond_t)
 kernel_read_system_state(restorecond_t)


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2017-02-21  7:11 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2017-02-21  7:11 UTC (permalink / raw
  To: gentoo-commits

commit:     3b341978b190d40b178cee85d0fb511d9d94f4c0
Author:     cgzones <cgzones <AT> googlemail <DOT> com>
AuthorDate: Thu Jan  5 10:40:32 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Feb 21 07:03:24 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3b341978

systemd_cgroups_t: fix denials

 policy/modules/system/systemd.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 4bd7f9b3..395f62cd 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -185,6 +185,10 @@ fs_register_binary_executable_type(systemd_binfmt_t)
 kernel_domtrans_to(systemd_cgroups_t, systemd_cgroups_exec_t)
 kernel_dgram_send(systemd_cgroups_t)
 
+selinux_getattr_fs(systemd_cgroups_t)
+
+# write to /run/systemd/cgroups-agent
+init_dgram_send(systemd_cgroups_t)
 init_stream_connect(systemd_cgroups_t)
 
 systemd_log_parse_environment(systemd_cgroups_t)
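Review bot: `selinux_getattr_fs(systemd_cgroups_t)` lacks the kind of comment given to `init_dgram_send` ("write to /run/systemd/cgroups-agent"); add one, and quote the denials the commit title refers to so the two new rules can be matched to them.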


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2017-02-21  7:11 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2017-02-21  7:11 UTC (permalink / raw
  To: gentoo-commits

commit:     641163ef5000a59760eb53dc952e5c00b3100a1c
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Mon Feb 20 15:57:50 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Feb 21 07:03:24 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=641163ef

Module version bump for selinuxutil and systemd changes from cgzones.

 policy/modules/system/selinuxutil.te | 2 +-
 policy/modules/system/systemd.te     | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 287fa98f..bc57e4a7 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -1,4 +1,4 @@
-policy_module(selinuxutil, 1.22.3)
+policy_module(selinuxutil, 1.22.4)
 
 gen_require(`
 	bool secure_mode;

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 7ae7ce1d..8dd8f90c 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1,4 +1,4 @@
-policy_module(systemd, 1.3.3)
+policy_module(systemd, 1.3.4)
 
 #########################################
 #


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2017-02-21  7:11 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2017-02-21  7:11 UTC (permalink / raw
  To: gentoo-commits

commit:     63ae044bbcc35913a46393511f8fa032c8465423
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Mon Feb 20 16:21:00 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Feb 21 07:03:24 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=63ae044b

Module version bump for cgroups systemd fix from cgzones.

 policy/modules/system/systemd.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 8dd8f90c..904c777a 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1,4 +1,4 @@
-policy_module(systemd, 1.3.4)
+policy_module(systemd, 1.3.5)
 
 #########################################
 #


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2017-02-21  7:11 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2017-02-21  7:11 UTC (permalink / raw
  To: gentoo-commits

commit:     55ff304e351b3a824ba47e5df3f5dce83dc8d729
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Feb 18 18:58:29 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Feb 21 07:03:24 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=55ff304e

Module version bump for hostname fix from cgzones.

 policy/modules/system/hostname.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te
index 6bb5f9b2..4d86bf30 100644
--- a/policy/modules/system/hostname.te
+++ b/policy/modules/system/hostname.te
@@ -1,4 +1,4 @@
-policy_module(hostname, 1.10.1)
+policy_module(hostname, 1.10.2)
 
 ########################################
 #


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2017-02-21  8:42 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2017-02-21  8:42 UTC (permalink / raw
  To: gentoo-commits

commit:     f233711e12d64179d3b92ef074f17e043594b1e7
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Feb 21 07:16:07 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Feb 21 07:20:22 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f233711e

tmpfiles: add fcontext for opentmpfiles path

 policy/modules/system/tmpfiles.fc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/tmpfiles.fc b/policy/modules/system/tmpfiles.fc
index 47fd4b8c..0240298f 100644
--- a/policy/modules/system/tmpfiles.fc
+++ b/policy/modules/system/tmpfiles.fc
@@ -2,6 +2,7 @@
 /etc/tmpfiles.d(/.*)?				gen_context(system_u:object_r:tmpfiles_conf_t,s0)
 /run/tmpfiles.d(/.*)?				gen_context(system_u:object_r:tmpfiles_var_run_t,s0)
 
+/usr/bin/tmpfiles				--	gen_context(system_u:object_r:tmpfiles_exec_t,s0)
 /usr/lib/rc/bin/checkpath			--	gen_context(system_u:object_r:tmpfiles_exec_t,s0)
 /usr/lib/rc/sh/tmpfiles.sh			--	gen_context(system_u:object_r:tmpfiles_exec_t,s0)
 


* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
@ 2017-02-25 14:59 Jason Zaman
  2017-02-25 14:51 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
  0 siblings, 1 reply; 705+ messages in thread
From: Jason Zaman @ 2017-02-25 14:59 UTC (permalink / raw
  To: gentoo-commits

commit:     9b0381b0a1bb48191b63472a7297882b81f1a1a5
Author:     cgzones <cgzones <AT> googlemail <DOT> com>
AuthorDate: Thu Jan  5 11:14:08 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 25 14:15:28 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9b0381b0

add init_daemon_lock_file()

needed for ntp

 policy/modules/system/init.if | 33 +++++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 1b26cf5e..4a36e12a 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -512,6 +512,39 @@ interface(`init_daemon_pid_file',`
 
 ########################################
 ## <summary>
+##	Mark the file type as a daemon lock file, allowing initrc_t
+##	to create it
+## </summary>
+## <param name="filetype">
+##	<summary>
+##	Type to mark as a daemon lock file
+##	</summary>
+## </param>
+## <param name="class">
+##	<summary>
+##	Class on which the type is applied
+##	</summary>
+## </param>
+## <param name="filename">
+##	<summary>
+##	Filename of the file that the init script creates
+##	</summary>
+## </param>
+#
+interface(`init_daemon_lock_file',`
+	gen_require(`
+		type initrc_t;
+	')
+
+	files_lock_file($1)
+	files_lock_filetrans(initrc_t, $1, $2, $3)
+
+	allow initrc_t $1:dir manage_dir_perms;
+	allow initrc_t $1:file manage_file_perms;
+')
+
+########################################
+## <summary>
 ##	Mark the file type as a daemon run dir, allowing initrc_t
 ##	to create it
 ## </summary>
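Review bot: the `filename` parameter is passed straight through as the name argument of files_lock_filetrans(), which callers may omit, but the doc block does not mark it optional; add `optional="true"` to `<param name="filename">` so the generated documentation and the interface checks agree with how the macro is used. Separately, the summary says initrc_t is allowed to "create" the lock file, while the two allow rules grant manage_dir_perms and manage_file_perms on $1 (create, write, unlink, rename and so on); either narrow the rules to what ntp actually needs or state the full management access in the summary.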


* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
@ 2017-02-25 14:59 Jason Zaman
  2017-02-25 14:51 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
  0 siblings, 1 reply; 705+ messages in thread
From: Jason Zaman @ 2017-02-25 14:59 UTC (permalink / raw
  To: gentoo-commits

commit:     03ff4298e41b65f82fc8f0282fe619de74288923
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Thu Feb 23 00:01:20 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 25 14:15:28 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=03ff4298

Module version bump for ntp fixes from cgzones.

 policy/modules/system/init.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index e07f7050..a43bf19b 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 2.2.4)
+policy_module(init, 2.2.5)
 
 gen_require(`
 	class passwd rootok;


* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
@ 2017-02-25 14:59 Jason Zaman
  2017-02-25 14:51 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
  0 siblings, 1 reply; 705+ messages in thread
From: Jason Zaman @ 2017-02-25 14:59 UTC (permalink / raw
  To: gentoo-commits

commit:     a94131f569e9e185a3f08a774bb6ba62c5e90bd1
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Fri Feb 24 01:16:40 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 25 14:22:23 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a94131f5

Fix CI errors.

 policy/modules/system/logging.te | 2 --
 policy/modules/system/systemd.if | 2 +-
 2 files changed, 1 insertion(+), 3 deletions(-)

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 9a6c714a..54436756 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -515,8 +515,6 @@ ifdef(`init_systemd',`
 	allow syslogd_t self:capability2 audit_read;
 	allow syslogd_t self:capability { chown setgid setuid sys_ptrace };
 	allow syslogd_t self:netlink_audit_socket { getattr getopt read setopt write };
-	allow syslogd_t init_var_run_t:file { read write create open };
-	allow syslogd_t var_run_t:dir create;
 
 	kernel_getattr_dgram_sockets(syslogd_t)
 	kernel_read_ring_buffer(syslogd_t)
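Review bot: "Fix CI errors" does not say which check failed; record it in the message. The two removed lines are raw `allow` rules on types owned by other modules (init_var_run_t from init, var_run_t from files), which is what the refpolicy style checks reject, but if syslogd_t still needs to read and write init PID files or create directories under /run on systemd systems, that access should be requested through the owning module's interfaces rather than dropped, otherwise the CI fix trades a style error for an AVC denial at runtime.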

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 69ee084f..70047dbe 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -248,7 +248,7 @@ interface(`systemd_manage_all_units',`
 #
 interface(`systemd_manage_journal_files',`
 	gen_require(`
-		type systemd_logind_t;
+		type systemd_journal_t;
 	')
 
 	manage_dirs_pattern($1, systemd_journal_t, systemd_journal_t)
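Review bot: gen_require named systemd_logind_t while the body of systemd_manage_journal_files() uses systemd_journal_t (visible in the manage_dirs_pattern() line), so the interface only built when the journal type happened to be in scope already; the fix is right. Check the rest of the interface body, not shown in this hunk, for any remaining reference to systemd_logind_t before it is dropped from the require block.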


* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
@ 2017-02-25 14:59 Jason Zaman
  2017-02-25 14:51 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
  0 siblings, 1 reply; 705+ messages in thread
From: Jason Zaman @ 2017-02-25 14:59 UTC (permalink / raw
  To: gentoo-commits

commit:     b3270de1d3ef64f7c1c499813a242292584561de
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Fri Feb 24 01:32:10 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 25 14:22:23 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b3270de1

Module version bump for CI fixes.

 policy/modules/system/logging.te | 2 +-
 policy/modules/system/systemd.te | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 54436756..8d123eea 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -1,4 +1,4 @@
-policy_module(logging, 1.25.3)
+policy_module(logging, 1.25.4)
 
 ########################################
 #

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 19e6947a..40719e93 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1,4 +1,4 @@
-policy_module(systemd, 1.3.6)
+policy_module(systemd, 1.3.7)
 
 #########################################
 #


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2017-02-25 16:58 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2017-02-25 16:58 UTC (permalink / raw
  To: gentoo-commits

commit:     6fb566c033803208cc19261105ce611225d5f08d
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Feb 25 13:39:58 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 25 16:43:11 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6fb566c0

init: Move interface and whitespace change.

 policy/modules/system/init.if | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index b1778f1a..8d65e648 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1137,12 +1137,12 @@ interface(`init_var_lib_filetrans',`
 
 ######################################
 ## <summary>
-##  Allow search  directory in the /run/systemd directory.
+##	Allow search  directory in the /run/systemd directory.
 ## </summary>
 ## <param name="domain">
-##  <summary>
-##  Domain allowed access.
-##  </summary>
+##	<summary>
+##	Domain allowed access.
+##	</summary>
 ## </param>
 #
 interface(`init_search_pids',`
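Review bot: while retabbing this doc block, fix the summary text as well: "Allow search  directory in the /run/systemd directory." has a doubled space and is not a sentence; something like "Search the init PID directory (/run/systemd)." matches the rename to init_search_pids() and reads cleanly in the generated documentation.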
@@ -2270,7 +2270,7 @@ interface(`init_read_script_tmp_files',`
 
 ########################################
 ## <summary>
-##	Read and write init script temporary data.
+##	Read and write init script inherited temporary data.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -2278,18 +2278,17 @@ interface(`init_read_script_tmp_files',`
 ##	</summary>
 ## </param>
 #
-interface(`init_rw_script_tmp_files',`
+interface(`init_rw_inherited_script_tmp_files',`
 	gen_require(`
 		type initrc_tmp_t;
 	')
 
-	files_search_tmp($1)
-	rw_files_pattern($1, initrc_tmp_t, initrc_tmp_t)
+	allow $1 initrc_tmp_t:file rw_inherited_file_perms;
 ')
 
 ########################################
 ## <summary>
-##	Read and write init script inherited temporary data.
+##	Read and write init script temporary data.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -2297,12 +2296,13 @@ interface(`init_rw_script_tmp_files',`
 ##	</summary>
 ## </param>
 #
-interface(`init_rw_inherited_script_tmp_files',`
+interface(`init_rw_script_tmp_files',`
 	gen_require(`
 		type initrc_tmp_t;
 	')
 
-	allow $1 initrc_tmp_t:file rw_inherited_file_perms;
+	files_search_tmp($1)
+	rw_files_pattern($1, initrc_tmp_t, initrc_tmp_t)
 ')
 
 ########################################
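Review bot: the move is expressed as a body swap between init_rw_script_tmp_files() and init_rw_inherited_script_tmp_files() rather than as a block move, so each interface's name, summary and rules change in different hunks and the diff cannot be audited hunk by hunk. Verify on the rendered file that the net result is unchanged: the inherited variant grants only `allow $1 initrc_tmp_t:file rw_inherited_file_perms;` and the non-inherited one keeps files_search_tmp($1) plus rw_files_pattern($1, initrc_tmp_t, initrc_tmp_t).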


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2017-02-25 16:58 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2017-02-25 16:58 UTC (permalink / raw
  To: gentoo-commits

commit:     be5ad6588778385c9353e1b6ca9fcc5f4b149148
Author:     Russell Coker <russell <AT> coker <DOT> com <DOT> au>
AuthorDate: Fri Feb 24 06:22:42 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 25 16:43:11 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=be5ad658

new init interfaces for systemd

These are needed by several patches I'm about to send.

Description: some new interfaces for init/systemd
Author: Russell Coker <russell <AT> coker.com.au>
Last-Update: 2017-02-24

 policy/modules/system/init.if | 36 ++++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 162ce266..2230df01 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1135,6 +1135,24 @@ interface(`init_var_lib_filetrans',`
 	filetrans_pattern($1, init_var_lib_t, $2, $3, $4)
 ')
 
+######################################
+## <summary>
+##  Allow search  directory in the /run/systemd directory.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`init_search_pid_dirs',`
+	gen_require(`
+		type init_var_run_t;
+	')
+
+	allow $1 init_var_run_t:dir search_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##	Create files in an init PID directory.
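Review bot: the doc block indents with two spaces (`##  <summary>`) where the rest of this file uses a tab, and the summary "Allow search  directory in the /run/systemd directory." has a doubled space and awkward grammar; both are cleaned up by later commits in this thread (14e61be0 renames it, 6fb566c0 retabs it) but should be right in the initial submission. The rule itself, search_dir_perms on init_var_run_t, is appropriately minimal for what the summary describes.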
@@ -2271,6 +2289,24 @@ interface(`init_rw_script_tmp_files',`
 
 ########################################
 ## <summary>
+##	Read and write init script inherited temporary data.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_rw_inherited_script_tmp_files',`
+	gen_require(`
+		type initrc_tmp_t;
+	')
+
+	allow $1 initrc_tmp_t:file rw_inherited_file_perms;
+')
+
+########################################
+## <summary>
 ##	Create files in a init script
 ##	temporary data directory.
 ## </summary>


* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
@ 2017-02-25 16:58 Jason Zaman
  2017-02-25 16:58 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
  0 siblings, 1 reply; 705+ messages in thread
From: Jason Zaman @ 2017-02-25 16:58 UTC (permalink / raw
  To: gentoo-commits

commit:     14e61be0a6e5ecfedcce85f2222fa1d2179cfdb2
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Feb 25 13:38:16 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 25 16:43:11 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=14e61be0

init: Rename init_search_pid_dirs() to init_search_pids().

 policy/modules/system/init.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 2230df01..b1778f1a 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1145,7 +1145,7 @@ interface(`init_var_lib_filetrans',`
 ##  </summary>
 ## </param>
 #
-interface(`init_search_pid_dirs',`
+interface(`init_search_pids',`
 	gen_require(`
 		type init_var_run_t;
 	')
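Review bot: the rename touches only init.if. The interface was added in be5ad658 specifically for "several patches I'm about to send", so make sure none of those pending patches still call init_search_pid_dirs(); a stale caller fails at build time with an undefined-macro error rather than at policy load.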


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2017-02-27 10:50 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2017-02-27 10:50 UTC (permalink / raw
  To: gentoo-commits

commit:     9aaa2422ee9903dab8bd049c7cbc7f17850cd66d
Author:     cgzones <cgzones <AT> googlemail <DOT> com>
AuthorDate: Thu Jan  5 10:32:17 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb 27 10:38:00 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9aaa2422

newrole: fix denials

dontaudit net_admin access due to setsockopt
allow communication with systemd-logind

 policy/modules/system/selinuxutil.te | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index bc57e4a7..5f624126 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -221,6 +221,7 @@ optional_policy(`
 # Newrole local policy
 #
 
+dontaudit newrole_t self:capability net_admin;
 allow newrole_t self:capability { dac_override fowner setgid setuid };
 allow newrole_t self:process setexec;
 allow newrole_t self:fd use;
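Review bot: the commit message explains this dontaudit (net_admin is requested by a setsockopt() call), but the policy itself does not; put that reason in a comment directly above the rule, e.g. `# setsockopt() triggers a CAP_NET_ADMIN check that newrole does not need`, so that a later reader chasing denials does not turn the dontaudit into an allow.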
@@ -282,6 +283,7 @@ auth_use_nsswitch(newrole_t)
 auth_run_chk_passwd(newrole_t, newrole_roles)
 auth_run_upd_passwd(newrole_t, newrole_roles)
 auth_rw_faillog(newrole_t)
+auth_use_pam_systemd(newrole_t)
 
 # Write to utmp.
 init_rw_utmp(newrole_t)
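Review bot: auth_use_pam_systemd(newrole_t) is called outside any optional_policy() block, which is correct only because authlogin is always built and the interface itself (introduced in 9276dbc0 in this thread) wraps its dbus_system_bus_client() and systemd_dbus_chat_logind() calls in its own optional_policy(); that commit lands before this one, so the build order is fine, but the dependency is worth a line in the commit message.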
@@ -330,6 +332,10 @@ tunable_policy(`allow_polyinstantiation',`
 	files_polyinstantiate_all(newrole_t)
 ')
 
+optional_policy(`
+	systemd_use_logind_fds(newrole_t)
+')
+
 ########################################
 #
 # Restorecond local policy


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2017-02-27 10:50 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2017-02-27 10:50 UTC (permalink / raw
  To: gentoo-commits

commit:     790a26f8e3601f0e6f0fc4e7a480ac7196b34567
Author:     cgzones <cgzones <AT> googlemail <DOT> com>
AuthorDate: Thu Jan  5 12:21:10 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb 27 10:37:10 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=790a26f8

locallogin: adjustments

* do not grant permissions by negative matching
* separate dbus from consolekit block for systemd

 policy/modules/system/locallogin.te | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
index 174ba9f4..964239a4 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -33,8 +33,7 @@ role system_r types sulogin_t;
 #
 
 allow local_login_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config };
-allow local_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-allow local_login_t self:process { setrlimit setexec };
+allow local_login_t self:process { setexec setrlimit setsched };
 allow local_login_t self:fd use;
 allow local_login_t self:fifo_file rw_fifo_file_perms;
 allow local_login_t self:sock_file read_sock_file_perms;
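Review bot: replacing `~{ ... }` with an explicit set is the right direction, but it is also a real permission change, not just a style one: the negated set granted every process permission except the eight listed (so fork, signal, sigchld, getsched, getattr, setpgid and the rest were all allowed), whereas the new rule grants only setexec, setrlimit and setsched. Confirm those basics reach local_login_t through another rule or interface outside this hunk, or expect login to fail with `process` denials.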
@@ -171,7 +170,9 @@ optional_policy(`
 optional_policy(`
 	dbus_system_bus_client(local_login_t)
 
-	consolekit_dbus_chat(local_login_t)
+	optional_policy(`
+		consolekit_dbus_chat(local_login_t)
+	')
 ')
 
 optional_policy(`
@@ -211,7 +212,6 @@ optional_policy(`
 #
 
 allow sulogin_t self:capability dac_override;
-allow sulogin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow sulogin_t self:fd use;
 allow sulogin_t self:fifo_file rw_fifo_file_perms;
 allow sulogin_t self:unix_dgram_socket create_socket_perms;
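Review bot: for sulogin_t the negated rule is removed without any replacement allow, unlike local_login_t above, which received an explicit set; if sulogin needs setrlimit or signal permissions on itself, add them explicitly in this hunk rather than relying on the commit message's "no negative matching" rationale alone. Test single-user and rescue login under this policy before merging, since a denial here locks the administrator out of the recovery path.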


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2017-02-27 11:24 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2017-02-27 11:24 UTC (permalink / raw
  To: gentoo-commits

commit:     c67ae33b11b38f63316dc1f7ada908a525768b85
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Feb 27 11:20:10 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb 27 11:23:13 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c67ae33b

authlogin: put interface properly inside optional

 policy/modules/system/authlogin.te | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 59dc8c86..23d184e6 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -87,7 +87,8 @@ logging_log_file(wtmp_t)
 
 optional_policy(`
 	systemd_tmpfilesd_managed(faillog_t, file)
-')	systemd_tmpfilesd_managed(var_auth_t, dir)
+	systemd_tmpfilesd_managed(var_auth_t, dir)
+')
 
 ########################################
 #
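Review bot: with the `')` on the wrong line, `systemd_tmpfilesd_managed(var_auth_t, dir)` sat outside optional_policy() and the module would fail to build whenever the systemd module is absent; the fix is correct. This is exactly the class of error CI should catch: build the policy once with the systemd module disabled.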


* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
@ 2017-02-27 11:40 Jason Zaman
  2017-02-27 10:50 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
  0 siblings, 1 reply; 705+ messages in thread
From: Jason Zaman @ 2017-02-27 11:40 UTC (permalink / raw
  To: gentoo-commits

commit:     9276dbc09b973cb5ec8e5ec46f39257c7ab65e3d
Author:     cgzones <cgzones <AT> googlemail <DOT> com>
AuthorDate: Sat Feb 18 20:46:56 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb 27 10:37:10 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9276dbc0

authlogin: introduce auth_use_pam_systemd

add special interface for pam_systemd module permissions

 policy/modules/system/authlogin.if | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index 5bac5fb3..fb92132d 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -91,6 +91,23 @@ interface(`auth_use_pam',`
 
 ########################################
 ## <summary>
+##	Use the pam module systemd during authentication.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`auth_use_pam_systemd',`
+	optional_policy(`
+		dbus_system_bus_client($1)
+		systemd_dbus_chat_logind($1)
+	')
+')
+
+########################################
+## <summary>
 ##	Make the specified domain used for a login program.
 ## </summary>
 ## <param name="domain">
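Review bot: the summary "Use the pam module systemd during authentication." should name the actual module: "Use the pam_systemd module during authentication." The description should also say what the interface grants, namely dbus chat with systemd-logind via systemd_dbus_chat_logind(), since the name auth_use_pam_systemd() sounds broader than that and only login programs should pick it up.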


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2017-03-02 10:17 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2017-03-02 10:17 UTC (permalink / raw
  To: gentoo-commits

commit:     61e9c5dac42b98c1fbf991e7b31b404c8801c1cc
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Mar  1 00:14:29 2017 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Mar  2 10:16:54 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=61e9c5da

Module version bump for user terminal improvements from cgzones.

 policy/modules/system/userdomain.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 3d60070c..46c91fd5 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -1,4 +1,4 @@
-policy_module(userdomain, 4.13.2)
+policy_module(userdomain, 4.13.3)
 
 ########################################
 #


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2017-03-02 10:17 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2017-03-02 10:17 UTC (permalink / raw
  To: gentoo-commits

commit:     93880cc289e815e9a31a08a0832f80583ae15cb9
Author:     cgzones <cgzones <AT> googlemail <DOT> com>
AuthorDate: Thu Feb 16 13:30:48 2017 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Mar  2 10:16:48 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=93880cc2

improve documentation for user_user_(inherited_)?user_terminals

 policy/modules/system/userdomain.if | 52 +++++++++++++++++++++----------------
 1 file changed, 30 insertions(+), 22 deletions(-)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 0799c18c..a43c756e 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -3275,41 +3275,48 @@ interface(`userdom_use_user_ptys',`
 		type user_devpts_t;
 	')
 
+	term_list_ptys($1)
 	allow $1 user_devpts_t:chr_file rw_term_perms;
 ')
 
 ########################################
 ## <summary>
-##     Read and write a inherited user TTYs and PTYs.
+##	Read and write a user TTYs and PTYs.
 ## </summary>
 ## <desc>
-##     <p>
-##     Allow the specified domain to read and write inherited user
-##     TTYs and PTYs. This will allow the domain to
-##     interact with the user via the terminal. Typically
-##     all interactive applications will require this
-##     access.
-##     </p>
+##	<p>
+##	Allow the specified domain to read and write user
+##	TTYs and PTYs. This will allow the domain to
+##	interact with the user via the terminal. Typically
+##	all interactive applications will require this
+##	access.
+##	</p>
+##	<p>
+##	However, this also allows the applications to spy
+##	on user sessions or inject information into the
+##	user session.  Thus, this access should likely
+##	not be allowed for non-interactive domains.
+##	</p>
 ## </desc>
 ## <param name="domain">
-##     <summary>
-##     Domain allowed access.
-##     </summary>
+##	<summary>
+##	Domain allowed access.
+##	</summary>
 ## </param>
 ## <infoflow type="both" weight="10"/>
 #
 interface(`userdom_use_inherited_user_terminals',`
 	gen_require(`
-		type user_tty_device_t, user_devpts_t;
+		type user_devpts_t, user_tty_device_t;
 	')
 
-	allow $1 user_tty_device_t:chr_file rw_inherited_term_perms;
-	allow $1 user_devpts_t:chr_file rw_inherited_term_perms;
+	term_list_ptys($1)
+	allow $1 { user_devpts_t user_tty_device_t }:chr_file rw_inherited_term_perms;
 ')
 
 ########################################
 ## <summary>
-##	Read and write a user TTYs and PTYs.
+##	Read, write and open a user TTYs and PTYs.
 ## </summary>
 ## <desc>
 ##	<p>
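Review bot: both summaries still read "a user TTYs and PTYs", an article with a plural; drop the article in the changed line and in the userdom_use_user_terminals() summary below ("Read and write user TTYs and PTYs." / "Read, write and open user TTYs and PTYs."). Adding term_list_ptys($1) and merging the two rules into `allow $1 { user_devpts_t user_tty_device_t }:chr_file rw_inherited_term_perms;` keeps the inherited variant at rw_inherited_term_perms, so no open permission slips in.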
@@ -3320,6 +3327,12 @@ interface(`userdom_use_inherited_user_terminals',`
 ##	access.
 ##	</p>
 ##	<p>
+##	This interface will also allow to open these user
+##	terminals, which should not be necessary in general
+##	and userdom_use_inherited_user_terminals() should
+##	be sufficient.
+##	</p>
+##	<p>
 ##	However, this also allows the applications to spy
 ##	on user sessions or inject information into the
 ##	user session.  Thus, this access should likely
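Review bot: "This interface will also allow to open these user terminals" needs an object: "will also allow the domain to open these user terminals". Pointing policy writers at userdom_use_inherited_user_terminals() as the normally sufficient choice is useful; it documents the open permission as the deliberate difference between the two interfaces.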
@@ -3334,13 +3347,8 @@ interface(`userdom_use_inherited_user_terminals',`
 ## <infoflow type="both" weight="10"/>
 #
 interface(`userdom_use_user_terminals',`
-	gen_require(`
-		type user_tty_device_t, user_devpts_t;
-	')
-
-	allow $1 user_tty_device_t:chr_file rw_term_perms;
-	allow $1 user_devpts_t:chr_file rw_term_perms;
-	term_list_ptys($1)
+	userdom_use_user_ptys($1)
+	userdom_use_user_ttys($1)
 ')
 
 ########################################
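Review bot: expressing userdom_use_user_terminals() as userdom_use_user_ptys($1) plus userdom_use_user_ttys($1) removes the duplicated gen_require and allow rules, and term_list_ptys($1) is now provided through userdom_use_user_ptys() (added in the first hunk), so nothing is lost on the pty side. Check that userdom_use_user_ttys() grants rw_term_perms on user_tty_device_t, as the removed `allow $1 user_tty_device_t:chr_file rw_term_perms;` did, since that body is not in this diff.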


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2017-03-02 10:17 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2017-03-02 10:17 UTC (permalink / raw
  To: gentoo-commits

commit:     9ae8da19583774e0eccb52e8108e89dfaa513bd7
Author:     cgzones <cgzones <AT> googlemail <DOT> com>
AuthorDate: Mon Feb 20 13:24:56 2017 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Mar  2 10:16:45 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9ae8da19

update init_ACTION_all_units

When, with systemd, a program does not ship a systemd unit file but only an init script, systemd creates a pseudo service on the fly.
To be able to act on this service, add the target attribute init_script_file_type to the init_ACTION_all_units interfaces.

Useful for monit.

 policy/modules/system/init.if | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 6a067ab2..195c5fa3 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -2843,11 +2843,11 @@ interface(`init_reload_generic_units',`
 #
 interface(`init_get_all_units_status',`
 	gen_require(`
-		attribute systemdunit;
+		attribute init_script_file_type, systemdunit;
 		class service status;
 	')
 
-	allow $1 systemdunit:service status;
+	allow $1 { init_script_file_type systemdunit }:service status;
 ')
 
 ########################################
@@ -2862,11 +2862,11 @@ interface(`init_get_all_units_status',`
 #
 interface(`init_start_all_units',`
 	gen_require(`
-		attribute systemdunit;
+		attribute init_script_file_type, systemdunit;
 		class service start;
 	')
 
-	allow $1 systemdunit:service start;
+	allow $1 { init_script_file_type systemdunit }:service start;
 ')
 
 ########################################
@@ -2881,11 +2881,11 @@ interface(`init_start_all_units',`
 #
 interface(`init_stop_all_units',`
 	gen_require(`
-		attribute systemdunit;
+		attribute init_script_file_type, systemdunit;
 		class service stop;
 	')
 
-	allow $1 systemdunit:service stop;
+	allow $1 { init_script_file_type systemdunit }:service stop;
 ')
 
 #######################################
@@ -2900,9 +2900,9 @@ interface(`init_stop_all_units',`
 #
 interface(`init_reload_all_units',`
 	gen_require(`
-		attribute systemdunit;
+		attribute init_script_file_type, systemdunit;
 		class service reload;
 	')
 
-	allow $1 systemdunit:service reload;
+	allow $1 { init_script_file_type systemdunit }:service reload;
 ')


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2017-03-30 17:06 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2017-03-30 17:06 UTC (permalink / raw
  To: gentoo-commits

commit:     09809ab57a026d6211ca0c65a8837110c12b4367
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Mar 30 16:32:38 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Mar 30 16:32:38 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=09809ab5

tmpfiles: fix policy broken by systemd policy update

 policy/modules/system/modutils.fc | 4 ----
 policy/modules/system/modutils.te | 6 +++---
 policy/modules/system/systemd.fc  | 2 ++
 policy/modules/system/tmpfiles.fc | 2 ++
 4 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/policy/modules/system/modutils.fc b/policy/modules/system/modutils.fc
index b050420a..bd241944 100644
--- a/policy/modules/system/modutils.fc
+++ b/policy/modules/system/modutils.fc
@@ -8,11 +8,7 @@ ifdef(`distro_gentoo',`
 /etc/modprobe.devfs.*		--	gen_context(system_u:object_r:modules_conf_t,s0)
 ')
 
-ifdef(`init_systemd',`
 /run/tmpfiles\.d/kmod\.conf	--	gen_context(system_u:object_r:kmod_tmpfiles_conf_t,s0)
-',`
-/run/tmpfiles\.d/kmod\.conf	--	gen_context(system_u:object_r:kmod_var_run_t,s0)
-')
 
 /usr/bin/kmod			--	gen_context(system_u:object_r:kmod_exec_t,s0)
 

diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index 7d614bd1..28dd296a 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -23,9 +23,9 @@ files_type(modules_conf_t)
 type modules_dep_t;
 files_type(modules_dep_t)
 
+type kmod_tmpfiles_conf_t;
+typealias kmod_tmpfiles_conf_t alias { kmod_var_run_t systemd_kmod_conf_t };
 ifdef(`init_systemd',`
-	type kmod_tmpfiles_conf_t;
-	typealias kmod_tmpfiles_conf_t alias { kmod_var_run_t systemd_kmod_conf_t };
 	systemd_tmpfiles_conf_file(kmod_tmpfiles_conf_t)
 	systemd_tmpfiles_conf_filetrans(kmod_t, kmod_tmpfiles_conf_t, file)
 ')
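Review bot: kmod_tmpfiles_conf_t is now declared for every build, but only the init_systemd branch gives it an attribute (systemd_tmpfiles_conf_file()); on an OpenRC build, does anything else make it a files_type or PID-file type so that domains relying on attribute-based interfaces can read /run/tmpfiles.d/kmod.conf? If not, add an else branch with the appropriate files_*_file() call. Keeping kmod_var_run_t and systemd_kmod_conf_t as aliases correctly preserves existing on-disk labels.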
@@ -194,5 +194,5 @@ ifdef(`distro_gentoo',`
 
 	# for /run/tmpfiles.d/kmod.conf
 	tmpfiles_create_var_run_files(kmod_t)
-	filetrans_add_pattern(kmod_t, tmpfiles_var_run_t, kmod_var_run_t, file)
+	filetrans_add_pattern(kmod_t, tmpfiles_var_run_t, kmod_tmpfiles_conf_t, file)
 ')
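Review bot: kmod_var_run_t is now only an alias, so switching the filetrans target to the primary name kmod_tmpfiles_conf_t is right; grep the rest of the module for remaining kmod_var_run_t uses so the alias can eventually be retired rather than referenced from new rules.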

diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index 319decfe..41fdfc83 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -48,8 +48,10 @@
 /run/systemd/nspawn(/.*)?	gen_context(system_u:object_r:systemd_nspawn_var_run_t,s0)
 /run/systemd/machines(/.*)?	gen_context(system_u:object_r:systemd_machined_var_run_t,s0)
 
+ifdef(`init_systemd',`
 /run/tmpfiles\.d	-d	gen_context(system_u:object_r:systemd_tmpfiles_conf_t,s0)
 /run/tmpfiles\.d/.*		<<none>>
+')
 
 /var/log/journal(/.*)?		gen_context(system_u:object_r:systemd_journal_t,s0)
 /run/log/journal(/.*)?		gen_context(system_u:object_r:systemd_journal_t,s0)
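Review bot: the two guards (ifdef(`init_systemd') here, ifndef(`init_systemd') around the same paths in tmpfiles.fc) must stay in lockstep, or the duplicate file context error this commit fixes returns; nothing else ties the two files together, so add a comment in each pointing at the other.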

diff --git a/policy/modules/system/tmpfiles.fc b/policy/modules/system/tmpfiles.fc
index 0240298f..16d821a8 100644
--- a/policy/modules/system/tmpfiles.fc
+++ b/policy/modules/system/tmpfiles.fc
@@ -1,6 +1,8 @@
 
+ifndef(`init_systemd',`
 /etc/tmpfiles.d(/.*)?				gen_context(system_u:object_r:tmpfiles_conf_t,s0)
 /run/tmpfiles.d(/.*)?				gen_context(system_u:object_r:tmpfiles_var_run_t,s0)
+')
 
 /usr/bin/tmpfiles				--	gen_context(system_u:object_r:tmpfiles_exec_t,s0)
 /usr/lib/rc/bin/checkpath			--	gen_context(system_u:object_r:tmpfiles_exec_t,s0)
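Review bot: `/etc/tmpfiles.d` and `/run/tmpfiles.d` inside the new ifndef block use an unescaped `.`, so the regex also matches any single character there, whereas systemd.fc writes the same path as `/run/tmpfiles\.d`; escape the dots while touching these lines so the two files label the path identically.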


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2017-04-10 17:28 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2017-04-10 17:28 UTC (permalink / raw
  To: gentoo-commits

commit:     38fc037e463699c20078a6cd3ee5f7d441e8e0ef
Author:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
AuthorDate: Mon Apr 10 17:28:32 2017 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Apr 10 17:28:32 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=38fc037e

Fix duplicate file context

 policy/modules/system/lvm.fc | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc
index 1e6abbaf..960da828 100644
--- a/policy/modules/system/lvm.fc
+++ b/policy/modules/system/lvm.fc
@@ -102,10 +102,6 @@ ifdef(`distro_gentoo',`
 /run/lvm(/.*)?				gen_context(system_u:object_r:lvm_var_run_t,s0)
 
 ifdef(`distro_gentoo',`
-# Bug 529430 comment 7
-/usr/sbin/lvmetad		--	gen_context(system_u:object_r:lvm_exec_t,s0)
-/run/lvm(/.*)?				gen_context(system_u:object_r:lvm_var_run_t,s0)
-
 # Bug 529430 comment 8
 /usr/sbin/dmeventd		--	gen_context(system_u:object_r:lvm_exec_t,s0)
 ')
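Review bot: only the `/run/lvm(/.*)?` line is a duplicate of the entry visible at the top of this hunk; the `/usr/sbin/lvmetad` entry being removed has no visible counterpart, so unless lvmetad is matched by another lvm_exec_t pattern elsewhere in lvm.fc it will fall back to bin_t and lose its transition into lvm_t. Either keep that line or state in the commit message which pattern covers it.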


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2017-04-30 14:44 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2017-04-30 14:44 UTC (permalink / raw
  To: gentoo-commits

commit:     1d14d5ba6e3da3b114bc6035a2216c7b4cc30b29
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun Apr 30 14:38:18 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 30 14:38:18 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1d14d5ba

unconfined: remove duplicated xserver_role

 policy/modules/system/unconfined.te | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index b15aaee7..b7edee8c 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -236,8 +236,4 @@ ifdef(`distro_gentoo',`
 	optional_policy(`
 		rtorrent_role(unconfined_r, unconfined_t)
 	')
-
-	optional_policy(`
-		xserver_role(unconfined_r, unconfined_t)
-	')
 ')
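Review bot: this removes xserver_role(unconfined_r, unconfined_t) from the distro_gentoo block on the assumption that an unconditional copy exists above the hunk; that copy is not visible here, so please confirm it sits outside any ifdef so Gentoo builds keep the role. Losing it would not produce a build error, because optional_policy blocks silently compile to nothing when the xserver module is absent, so this is worth checking by hand rather than trusting the build.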


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2017-05-07 16:09 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2017-05-07 16:09 UTC (permalink / raw
  To: gentoo-commits

commit:     542af989565d81b90ef54fcb78d259fb7073bfba
Author:     Nicolas Iooss <nicolas.iooss <AT> m4x <DOT> org>
AuthorDate: Sat Apr 15 18:23:34 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun May  7 15:49:16 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=542af989

Synchronize file patterns for /usr/bin/mount... and /usr/sbin/mount...

mount.fc defines file contexts for /usr/bin/mount.*, /usr/bin/umount.*
and /usr/sbin/mount\.zfs. These patterns are not consistent for two
reasons:

- some distributions use /sbin/mount... for other file systems than zfs.
  For example Debian uses /sbin/mount.ntfs-3g
  (https://packages.debian.org/jessie/amd64/ntfs-3g/filelist)
- mount_exec_t type should only be applied to mount, umount, mount.$FS
  and umount.udisks2, not mountpoint.

Replace the file patterns with ones that do not match mountpoint and
match every mount and umount program in /usr/bin and /usr/sbin.

 policy/modules/system/mount.fc | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/policy/modules/system/mount.fc b/policy/modules/system/mount.fc
index 39ea6f5c..97e2596b 100644
--- a/policy/modules/system/mount.fc
+++ b/policy/modules/system/mount.fc
@@ -1,8 +1,9 @@
 /usr/bin/fusermount		--	gen_context(system_u:object_r:mount_exec_t,s0)
-/usr/bin/mount.*		--	gen_context(system_u:object_r:mount_exec_t,s0)
-/usr/bin/umount.*		--	gen_context(system_u:object_r:mount_exec_t,s0)
+/usr/bin/mount(\.[^/]+)?	--	gen_context(system_u:object_r:mount_exec_t,s0)
+/usr/bin/umount(\.[^/]+)?	--	gen_context(system_u:object_r:mount_exec_t,s0)
 
-/usr/sbin/mount\.zfs		--	gen_context(system_u:object_r:mount_exec_t,s0)
+/usr/sbin/mount(\.[^/]+)?	--	gen_context(system_u:object_r:mount_exec_t,s0)
+/usr/sbin/umount(\.[^/]+)?	--	gen_context(system_u:object_r:mount_exec_t,s0)
 /usr/sbin/zfs			--	gen_context(system_u:object_r:mount_exec_t,s0)
 /usr/sbin/zpool			--	gen_context(system_u:object_r:mount_exec_t,s0)
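Review bot: all of these entries carry the `--` qualifier, so they label regular files only; mount.FS helpers are frequently symlinks (if mount.ntfs-3g is a symlink to the ntfs-3g binary, for instance), in which case neither the symlink nor its target gets mount_exec_t from this pattern and the domain transition into mount_t is lost. Either drop `--` from the mount/umount lines or add entries for the symlink targets. The `(\.[^/]+)?` form itself is correct: it admits `umount.udisks2` and excludes `mountpoint`, as the message intends.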
 


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2017-05-07 16:09 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2017-05-07 16:09 UTC (permalink / raw
  To: gentoo-commits

commit:     42bae906477136079a1599048a431574d03643fa
Author:     Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Sat Apr 29 18:17:30 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun May  7 15:53:18 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=42bae906

init: smoother system boot

Improve the initrc domain within the init module with some permissions
needed for a smoother boot.

Let the iptables init scripts read the iptables configuration.

Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>

 policy/modules/system/init.te | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 07238399..a01b5093 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -487,6 +487,7 @@ kernel_clear_ring_buffer(initrc_t)
 kernel_get_sysvipc_info(initrc_t)
 kernel_read_all_sysctls(initrc_t)
 kernel_rw_all_sysctls(initrc_t)
+kernel_use_fds(initrc_t)
 # for lsof which is used by alsa shutdown:
 kernel_dontaudit_getattr_message_if(initrc_t)
 # cjp: not sure why these are here; should use mount policy
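Review bot: kernel_use_fds(initrc_t) is added with no comment and the commit message only says "smoother boot"; the lines right below show the file's convention (`# for lsof which is used by alsa shutdown:`), so add a one-line note of which script or AVC needed file descriptors inherited from the kernel, otherwise the grant cannot be reviewed or removed later.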
@@ -494,6 +495,7 @@ kernel_list_unlabeled(initrc_t)
 kernel_mounton_unlabeled_dirs(initrc_t)
 
 files_create_lock_dirs(initrc_t)
+files_manage_all_locks(initrc_t)
 files_pid_filetrans_lock_dir(initrc_t, "lock")
 files_read_kernel_symbol_table(initrc_t)
 files_setattr_lock_dirs(initrc_t)
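Review bot: files_manage_all_locks(initrc_t) is a broad grant: it lets the generic init-script domain create, write and delete every lock file type in the policy, not only the lock directories initrc_t already creates via files_create_lock_dirs one line above. Unless every lock type is genuinely needed, prefer the lock-file interface of the specific module whose script tripped the denial, or at least record the service here so the scope can be narrowed later.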
@@ -1116,6 +1118,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	iptables_read_config(initrc_t)
+')
+
+optional_policy(`
 	iscsi_stream_connect(initrc_t)
 	iscsi_read_lib_files(initrc_t)
 ')


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2017-05-07 17:41 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2017-05-07 17:41 UTC (permalink / raw
  To: gentoo-commits

commit:     77bed1b44f95619267e8a36a197fc6b5513e11ed
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun May  7 03:24:40 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun May  7 17:40:29 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=77bed1b4

modutils: kmod_tmpfiles_conf_t create should be allowed even for openrc

 policy/modules/system/modutils.te | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index 1c52e0b5..80831320 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -49,6 +49,7 @@ manage_files_pattern(kmod_t, modules_dep_t, modules_dep_t)
 filetrans_add_pattern(kmod_t, modules_object_t, modules_dep_t, file)
 create_files_pattern(kmod_t, modules_object_t, modules_dep_t)
 delete_files_pattern(kmod_t, modules_object_t, modules_dep_t)
+allow kmod_t kmod_tmpfiles_conf_t:file manage_file_perms;
 
 can_exec(kmod_t, kmod_exec_t)
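Review bot: the `# for /run/tmpfiles.d/kmod.conf` comment that explained this allow in its old location is dropped in the move, leaving `allow kmod_t kmod_tmpfiles_conf_t:file manage_file_perms;` sitting unexplained among the modules_dep_t rules; carry the comment over. Placing the rule outside ifdef(`init_systemd') is the right fix for OpenRC, where kmod still writes the tmpfiles snippet through the tmpfiles_var_run_t transition.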
 
@@ -115,8 +116,6 @@ userdom_use_user_terminals(kmod_t)
 userdom_dontaudit_search_user_home_dirs(kmod_t)
 
 ifdef(`init_systemd',`
-	# for /run/tmpfiles.d/kmod.conf
-	allow kmod_t kmod_tmpfiles_conf_t:file manage_file_perms;
 	# kmod needs to create /run/tmpdiles.d
 	systemd_tmpfiles_creator(kmod_t)
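Review bot: the remaining context comment `# kmod needs to create /run/tmpdiles.d` has a typo (tmpdiles for tmpfiles); since this block is being edited anyway, fix it so a grep for tmpfiles.d finds the rule.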
 


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2017-05-18 17:03 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2017-05-18 17:03 UTC (permalink / raw
  To: gentoo-commits

commit:     a2905af973f935e826ee973a5ec5895d6a848fc8
Author:     Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Mon May  8 17:02:14 2017 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu May 18 17:00:46 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a2905af9

system/selinuxutil: Allow semanage to execute its tmp files

Since app-admin/setools-4.1.0, some python internals try to create and
execute a file in /tmp during semanage initialization, causing semanage
to crash. Here's the backtrace (with the path
"/usr/lib64/python3.4/site-packages" replaced by "py" for brevity):

Traceback (most recent call last):
  File "/usr/lib/python-exec/python3.4/semanage", line 28, in <module>
    import seobject
  File "py/seobject.py", line 34, in <module>
    import sepolicy
  File "py/sepolicy/__init__.py", line 8, in <module>
    import setools
  File "py/setools/__init__.py", line 77, in <module>
    from .infoflow import InfoFlowAnalysis
  File "py/setools/infoflow.py", line 22, in <module>
    import networkx as nx
  File "py/networkx/__init__.py", line 93, in <module>
    import networkx.linalg
  File "py/networkx/linalg/__init__.py", line 9, in <module>
    from networkx.linalg.algebraicconnectivity import *
  File "py/networkx/linalg/algebraicconnectivity.py", line 18, in <module>
    from numpy import (array, asmatrix, asarray, dot, matrix, ndarray, ones,
  File "py/numpy/__init__.py", line 180, in <module>
    from . import add_newdocs
  File "py/numpy/add_newdocs.py", line 13, in <module>
    from numpy.lib import add_newdoc
  File "py/numpy/lib/__init__.py", line 8, in <module>
    from .type_check import *
  File "py/numpy/lib/type_check.py", line 11, in <module>
    import numpy.core.numeric as _nx
  File "py/numpy/core/__init__.py", line 22, in <module>
    from . import _internal  # for freeze programs
  File "py/numpy/core/_internal.py", line 14, in <module>
    import ctypes
  File "/usr/lib64/python3.4/ctypes/__init__.py", line 541, in <module>
    _reset_cache()
  File "/usr/lib64/python3.4/ctypes/__init__.py", line 280, in _reset_cache
    CFUNCTYPE(c_int)(lambda: None)
MemoryError

 policy/modules/system/selinuxutil.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 748e4acf..487bceca 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -488,7 +488,7 @@ allow semanage_t policy_src_t:dir search;
 filetrans_pattern(semanage_t, selinux_config_t, semanage_store_t, dir, "modules")
 
 allow semanage_t semanage_tmp_t:dir manage_dir_perms;
-allow semanage_t semanage_tmp_t:file manage_file_perms;
+allow semanage_t semanage_tmp_t:file { manage_file_perms mmap_file_perms };
 files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
 
 kernel_read_system_state(semanage_t)
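Review bot: mmap_file_perms includes `execute`, so this line lets semanage_t map a file it has just written under /tmp as executable code, which is exactly the W^X property the rest of the policy enforces; the trigger (ctypes building a closure in `_reset_cache` at import time, per the traceback) is legitimate, but add a comment naming it next to the rule so the relaxation is not widened or copied into other domains without the same justification.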


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2017-05-18 17:03 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2017-05-18 17:03 UTC (permalink / raw
  To: gentoo-commits

commit:     bdcf54d71cb3522081eeeb5b6268d1016c70f280
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun May  7 17:44:55 2017 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu May 18 16:57:54 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=bdcf54d7

libraries: update wildcard /usr/lib fcontext

subs_dist takes care of it; the wildcard is no longer needed

 policy/modules/system/libraries.fc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
index 1dfa5714..482bb014 100644
--- a/policy/modules/system/libraries.fc
+++ b/policy/modules/system/libraries.fc
@@ -227,7 +227,7 @@ HOME_DIR/.*/plugins/nppdf\.so.* --	gen_context(system_u:object_r:textrel_shlib_t
 /usr/lib/ocaml/stublibs/dllnums\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 
 # Livna.org packages: xmms-mp3, ffmpeg, xvidcore, xine-lib, gsm, lame
-/usr/lib.*/libmpg123\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/libmpg123\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/(/.*)?/libmpg123\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/codecs/drv[1-9c]\.so(\.[^/]*)* --	gen_context(system_u:object_r:textrel_shlib_t,s0)
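Review bot: the unchanged context line `/usr/(/.*)?/libmpg123\.so(\.[^/]*)*` can only match a path containing a double slash (`/usr/` followed by the optional `/.*` group followed by `/libmpg123`), so it is dead; if it was meant to be the general fallback that makes the `/usr/lib.*/` wildcard unnecessary, it should read `/usr/(.*/)?libmpg123\.so(\.[^/]*)*`. With the wildcard narrowed to `/usr/lib/`, coverage of a lib64 copy now rests on subs_dist mapping lib64 to lib, as the message says, so the dead line should be fixed or dropped rather than assumed to help.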
 


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2017-05-18 17:03 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2017-05-18 17:03 UTC (permalink / raw
  To: gentoo-commits

commit:     d1630fe00a7902d54fa57bad9c9f047072528179
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Mon May 15 22:42:18 2017 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu May 18 17:00:54 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d1630fe0

init: add comment for ProtectSystem.

 policy/modules/system/init.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 3d3697fb..4e2c6504 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -288,6 +288,7 @@ ifdef(`init_systemd',`
 	files_search_kernel_modules(init_t)
 	# for privatetmp functions
 	files_mounton_tmp(init_t)
+	# for ProtectSystem
 	files_mounton_etc_dirs(init_t)
 
 	fs_relabel_cgroup_dirs(init_t)
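Review bot: the new comment is terse; `# for ProtectSystem=` (with the trailing `=`, as systemd spells unit directives) would make it greppable alongside the `# for privatetmp functions` note above it, and a few words on why the directive needs this (ProtectSystem=full and strict bind-mount /etc read-only, hence mounton on etc directories) would explain the grant to the next reader.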


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2017-06-13  8:25 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2017-06-13  8:25 UTC (permalink / raw
  To: gentoo-commits

commit:     b2b02cc2ad8d8424426a2395c52bd0ff63e2d0d6
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Jun  7 23:26:06 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Jun 13 08:02:15 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b2b02cc2

miscfiles: Module version bump for patch from Luis Ressel.

 policy/modules/system/miscfiles.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te
index c0acc2b4..4fb77f70 100644
--- a/policy/modules/system/miscfiles.te
+++ b/policy/modules/system/miscfiles.te
@@ -1,4 +1,4 @@
-policy_module(miscfiles, 1.12.3)
+policy_module(miscfiles, 1.12.4)
 
 ########################################
 #


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2017-06-13  8:25 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2017-06-13  8:25 UTC (permalink / raw
  To: gentoo-commits

commit:     0f2822b1a99d11618c35b0b878b24cce28a8e461
Author:     Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Wed Jun  7 12:38:59 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Jun 13 08:02:15 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0f2822b1

system/miscfiles: Generalize the man_t fc's

This won't match subdirectories of /usr/lib, but that shouldn't be a
problem, since we have "allow domain lib_t ..." anyway.

We can't match on "/usr/(.*/)?man(/.*)?", since that'd result in a few
false positives; in particular, the files
  /usr/share/xmlto/format/docbook/man
  /usr/share/bash-completion/completions/man

 policy/modules/system/miscfiles.fc | 13 ++++---------
 1 file changed, 4 insertions(+), 9 deletions(-)

diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
index 42ac30bd..88eceb99 100644
--- a/policy/modules/system/miscfiles.fc
+++ b/policy/modules/system/miscfiles.fc
@@ -39,26 +39,23 @@ ifdef(`distro_redhat',`
 #
 # /usr
 #
+/usr/(.*/)?man		-d	gen_context(system_u:object_r:man_t,s0)
+/usr/(.*/)?man/.*		gen_context(system_u:object_r:man_t,s0)
+
 /usr/lib/locale(/.*)?		gen_context(system_u:object_r:locale_t,s0)
 
 /usr/lib/perl5/man(/.*)?	gen_context(system_u:object_r:man_t,s0)
 
 /usr/local/share/ca-certificates(/.*)?	gen_context(system_u:object_r:cert_t,s0)
 
-/usr/local/man(/.*)?		gen_context(system_u:object_r:man_t,s0)
-/usr/local/share/man(/.*)?	gen_context(system_u:object_r:man_t,s0)
-
 /usr/local/share/fonts(/.*)?	gen_context(system_u:object_r:man_t,s0)
 
-/usr/man(/.*)?			gen_context(system_u:object_r:man_t,s0)
-
+/usr/share/docbook2X/xslt/man(/.*)?	gen_context(system_u:object_r:usr_t,s0)
 /usr/share/ca-certificates(/.*)?	gen_context(system_u:object_r:cert_t,s0)
 /usr/share/fonts(/.*)?		gen_context(system_u:object_r:fonts_t,s0)
 /usr/share/X11/fonts(/.*)?	gen_context(system_u:object_r:fonts_t,s0)
 /usr/share/ghostscript/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
 /usr/share/locale(/.*)?		gen_context(system_u:object_r:locale_t,s0)
-/usr/share/man(/.*)?		gen_context(system_u:object_r:man_t,s0)
-/usr/share/postgresql/[^/]*/man(/.*)?      gen_context(system_u:object_r:man_t,s0)
 /usr/share/X11/locale(/.*)?	gen_context(system_u:object_r:locale_t,s0)
 /usr/share/zoneinfo(/.*)?	gen_context(system_u:object_r:locale_t,s0)
 
@@ -67,8 +64,6 @@ ifdef(`distro_redhat',`
 
 /usr/X11R6/lib/X11/fonts(/.*)?	gen_context(system_u:object_r:fonts_t,s0)
 
-/usr/X11R6/man(/.*)?		gen_context(system_u:object_r:man_t,s0)
-
 ifdef(`distro_gentoo',`
 /usr/share/misc/(pci|usb)\.ids -- gen_context(system_u:object_r:hwdata_t,s0)
 ')


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2017-06-13  8:25 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2017-06-13  8:25 UTC (permalink / raw
  To: gentoo-commits

commit:     ac31d80a915349905bd027a391f26b4d47449744
Author:     cgzones <cgzones <AT> googlemail <DOT> com>
AuthorDate: Thu Jun  8 17:12:11 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Jun 13 08:02:15 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ac31d80a

iptables: align file contexts

 policy/modules/system/iptables.fc | 74 +++++++++++++++++++--------------------
 1 file changed, 37 insertions(+), 37 deletions(-)

diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
index 7e71bdb4..181eee95 100644
--- a/policy/modules/system/iptables.fc
+++ b/policy/modules/system/iptables.fc
@@ -1,41 +1,41 @@
-/etc/rc\.d/init\.d/ip6?tables	--	gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/ebtables	--	gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/nftables	--	gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
-/etc/sysconfig/ip6?tables.*	--	gen_context(system_u:object_r:iptables_conf_t,s0)
-/etc/sysconfig/system-config-firewall.* -- gen_context(system_u:object_r:iptables_conf_t,s0)
+/etc/rc\.d/init\.d/ip6?tables		--	gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/ebtables		--	gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/nftables		--	gen_context(system_u:object_r:iptables_initrc_exec_t,s0)
+/etc/sysconfig/ip6?tables.*		--	gen_context(system_u:object_r:iptables_conf_t,s0)
+/etc/sysconfig/system-config-firewall.*	--	gen_context(system_u:object_r:iptables_conf_t,s0)
 
-/usr/bin/conntrack		--	gen_context(system_u:object_r:iptables_exec_t,s0)
-/usr/bin/ebtables		--	gen_context(system_u:object_r:iptables_exec_t,s0)
-/usr/bin/ebtables-restore	--	gen_context(system_u:object_r:iptables_exec_t,s0)
-/usr/bin/ipchains.*		--	gen_context(system_u:object_r:iptables_exec_t,s0)
-/usr/bin/ipset			--	gen_context(system_u:object_r:iptables_exec_t,s0)
-/usr/bin/ip6?tables		--	gen_context(system_u:object_r:iptables_exec_t,s0)
-/usr/bin/ip6?tables-multi 	--	gen_context(system_u:object_r:iptables_exec_t,s0)
-/usr/bin/ip6?tables-restore	--	gen_context(system_u:object_r:iptables_exec_t,s0)
-/usr/bin/ipvsadm		--	gen_context(system_u:object_r:iptables_exec_t,s0)
-/usr/bin/ipvsadm-restore	--	gen_context(system_u:object_r:iptables_exec_t,s0)
-/usr/bin/ipvsadm-save		--	gen_context(system_u:object_r:iptables_exec_t,s0)
-/usr/bin/nft			--	gen_context(system_u:object_r:iptables_exec_t,s0)
-/usr/bin/xtables-multi		--	gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/bin/conntrack			--	gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/bin/ebtables			--	gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/bin/ebtables-restore		--	gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/bin/ipchains.*			--	gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/bin/ipset				--	gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/bin/ip6?tables			--	gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/bin/ip6?tables-multi 		--	gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/bin/ip6?tables-restore		--	gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/bin/ipvsadm			--	gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/bin/ipvsadm-restore		--	gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/bin/ipvsadm-save			--	gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/bin/nft				--	gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/bin/xtables-multi			--	gen_context(system_u:object_r:iptables_exec_t,s0)
 
-/usr/lib/systemd/system/[^/]*arptables.* -- gen_context(system_u:object_r:iptables_unit_t,s0)
-/usr/lib/systemd/system/[^/]*ebtables.*	 -- gen_context(system_u:object_r:iptables_unit_t,s0)
-/usr/lib/systemd/system/[^/]*ip6tables.* -- gen_context(system_u:object_r:iptables_unit_t,s0)
-/usr/lib/systemd/system/[^/]*iptables.*	-- gen_context(system_u:object_r:iptables_unit_t,s0)
+/usr/lib/systemd/system/[^/]*arptables.* --	gen_context(system_u:object_r:iptables_unit_t,s0)
+/usr/lib/systemd/system/[^/]*ebtables.*	 --	gen_context(system_u:object_r:iptables_unit_t,s0)
+/usr/lib/systemd/system/[^/]*ip6tables.* --	gen_context(system_u:object_r:iptables_unit_t,s0)
+/usr/lib/systemd/system/[^/]*iptables.*	--	gen_context(system_u:object_r:iptables_unit_t,s0)
 
-/usr/sbin/conntrack		--	gen_context(system_u:object_r:iptables_exec_t,s0)
-/usr/sbin/ebtables		--	gen_context(system_u:object_r:iptables_exec_t,s0)
-/usr/sbin/ebtables-restore	--	gen_context(system_u:object_r:iptables_exec_t,s0)
-/usr/sbin/ipchains.*		--	gen_context(system_u:object_r:iptables_exec_t,s0)
-/usr/sbin/ipset			--	gen_context(system_u:object_r:iptables_exec_t,s0)
-/usr/sbin/ip6?tables		--	gen_context(system_u:object_r:iptables_exec_t,s0)
-/usr/sbin/ip6?tables-multi 	--	gen_context(system_u:object_r:iptables_exec_t,s0)
-/usr/sbin/ip6?tables-restore	--	gen_context(system_u:object_r:iptables_exec_t,s0)
-/usr/sbin/ipvsadm		--	gen_context(system_u:object_r:iptables_exec_t,s0)
-/usr/sbin/ipvsadm-restore	--	gen_context(system_u:object_r:iptables_exec_t,s0)
-/usr/sbin/ipvsadm-save		--	gen_context(system_u:object_r:iptables_exec_t,s0)
-/usr/sbin/nft			--	gen_context(system_u:object_r:iptables_exec_t,s0)
-/usr/sbin/xtables-multi		--	gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/sbin/conntrack			--	gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/sbin/ebtables			--	gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/sbin/ebtables-restore		--	gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/sbin/ipchains.*			--	gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/sbin/ipset				--	gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/sbin/ip6?tables			--	gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/sbin/ip6?tables-multi 		--	gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/sbin/ip6?tables-restore		--	gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/sbin/ipvsadm			--	gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/sbin/ipvsadm-restore		--	gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/sbin/ipvsadm-save			--	gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/sbin/nft				--	gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/sbin/xtables-multi			--	gen_context(system_u:object_r:iptables_exec_t,s0)
 
-/run/ebtables\.lock		--	gen_context(system_u:object_r:iptables_var_run_t,s0)
-/run/xtables.*		--	gen_context(system_u:object_r:iptables_var_run_t,s0)
+/run/ebtables\.lock			--	gen_context(system_u:object_r:iptables_var_run_t,s0)
+/run/xtables.*				--	gen_context(system_u:object_r:iptables_var_run_t,s0)
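Review bot: this alignment pass still leaves a stray space before the tab in three entries (`/usr/bin/ip6?tables-multi 		--`, `/usr/sbin/ip6?tables-multi 		--` and `/usr/lib/systemd/system/[^/]*ebtables.*	 --`); they are harmless to setfiles, which splits fields on any whitespace, but a whitespace-only commit is the place to clean them up.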


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2017-06-13  8:25 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2017-06-13  8:25 UTC (permalink / raw
  To: gentoo-commits

commit:     a99a839587e7ef976a9b068e0bbebd031a2b1b76
Author:     cgzones <cgzones <AT> googlemail <DOT> com>
AuthorDate: Fri Jun  9 13:49:35 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Jun 13 08:02:15 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a99a8395

iptables: update

v2:
 - do not remove interfaces superseded by auth_use_nsswitch()

 policy/modules/system/iptables.fc |  8 +++++---
 policy/modules/system/iptables.if | 33 ++++++++++++++++-----------------
 policy/modules/system/iptables.te | 22 +++++++---------------
 3 files changed, 28 insertions(+), 35 deletions(-)

diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
index 181eee95..32877b26 100644
--- a/policy/modules/system/iptables.fc
+++ b/policy/modules/system/iptables.fc
@@ -4,6 +4,9 @@
 /etc/sysconfig/ip6?tables.*		--	gen_context(system_u:object_r:iptables_conf_t,s0)
 /etc/sysconfig/system-config-firewall.*	--	gen_context(system_u:object_r:iptables_conf_t,s0)
 
+/run/ebtables\.lock			--	gen_context(system_u:object_r:iptables_runtime_t,s0)
+/run/xtables.*				--	gen_context(system_u:object_r:iptables_runtime_t,s0)
+
 /usr/bin/conntrack			--	gen_context(system_u:object_r:iptables_exec_t,s0)
 /usr/bin/ebtables			--	gen_context(system_u:object_r:iptables_exec_t,s0)
 /usr/bin/ebtables-restore		--	gen_context(system_u:object_r:iptables_exec_t,s0)
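Review bot: these entries now name iptables_runtime_t, which only resolves because the .te in this same commit declares `type iptables_runtime_t alias iptables_var_run_t;`; keep the .fc and .te changes together when backporting, since an .fc referencing a type the loaded policy does not know is rejected at setfiles time, while the alias keeps existing on-disk iptables_var_run_t labels valid.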
@@ -16,6 +19,7 @@
 /usr/bin/ipvsadm-restore		--	gen_context(system_u:object_r:iptables_exec_t,s0)
 /usr/bin/ipvsadm-save			--	gen_context(system_u:object_r:iptables_exec_t,s0)
 /usr/bin/nft				--	gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/bin/xtables-compat-multi		--	gen_context(system_u:object_r:iptables_exec_t,s0)
 /usr/bin/xtables-multi			--	gen_context(system_u:object_r:iptables_exec_t,s0)
 
 /usr/lib/systemd/system/[^/]*arptables.* --	gen_context(system_u:object_r:iptables_unit_t,s0)
@@ -35,7 +39,5 @@
 /usr/sbin/ipvsadm-restore		--	gen_context(system_u:object_r:iptables_exec_t,s0)
 /usr/sbin/ipvsadm-save			--	gen_context(system_u:object_r:iptables_exec_t,s0)
 /usr/sbin/nft				--	gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/sbin/xtables-compat-multi		--	gen_context(system_u:object_r:iptables_exec_t,s0)
 /usr/sbin/xtables-multi			--	gen_context(system_u:object_r:iptables_exec_t,s0)
-
-/run/ebtables\.lock			--	gen_context(system_u:object_r:iptables_var_run_t,s0)
-/run/xtables.*				--	gen_context(system_u:object_r:iptables_var_run_t,s0)

diff --git a/policy/modules/system/iptables.if b/policy/modules/system/iptables.if
index 6321f8c4..7d8f1821 100644
--- a/policy/modules/system/iptables.if
+++ b/policy/modules/system/iptables.if
@@ -1,4 +1,4 @@
-## <summary>Policy for iptables.</summary>
+## <summary>Administration tool for IP packet filtering and NAT.</summary>
 
 ########################################
 ## <summary>
@@ -68,7 +68,7 @@ interface(`iptables_exec',`
 	can_exec($1, iptables_exec_t)
 ')
 
-#####################################
+########################################
 ## <summary>
 ##	Execute iptables init scripts in
 ##	the init script domain.
@@ -87,7 +87,7 @@ interface(`iptables_initrc_domtrans',`
 	init_labeled_script_domtrans($1, iptables_initrc_exec_t)
 ')
 
-#####################################
+########################################
 ## <summary>
 ##	Set the attributes of iptables config files.
 ## </summary>
@@ -106,7 +106,7 @@ interface(`iptables_setattr_config',`
 	allow $1 iptables_conf_t:file setattr;
 ')
 
-#####################################
+########################################
 ## <summary>
 ##	Read iptables config files.
 ## </summary>
@@ -126,7 +126,7 @@ interface(`iptables_read_config',`
 	read_files_pattern($1, iptables_conf_t, iptables_conf_t)
 ')
 
-#####################################
+########################################
 ## <summary>
 ##	Create files in /etc with the type used for
 ##	the iptables config files.
@@ -145,7 +145,7 @@ interface(`iptables_etc_filetrans_config',`
 	files_etc_filetrans($1, iptables_conf_t, file)
 ')
 
-###################################
+########################################
 ## <summary>
 ##	Manage iptables config files.
 ## </summary>
@@ -165,9 +165,9 @@ interface(`iptables_manage_config',`
 	manage_files_pattern($1, iptables_conf_t, iptables_conf_t)
 ')
 
-###################################
+########################################
 ## <summary>
-##	dontaudit reading iptables_var_run_t
+##	dontaudit reading iptables_runtime_t
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -177,10 +177,10 @@ interface(`iptables_manage_config',`
 #
 interface(`iptables_dontaudit_read_pids',`
 	gen_require(`
-		type iptables_var_run_t;
+		type iptables_runtime_t;
 	')
 
-	dontaudit $1 iptables_var_run_t:file read;
+	dontaudit $1 iptables_runtime_t:file read;
 ')
 
 ########################################
@@ -204,20 +204,19 @@ interface(`iptables_dontaudit_read_pids',`
 interface(`iptables_admin',`
 	gen_require(`
 		type iptables_t, iptables_initrc_exec_t, iptables_conf_t;
-		type iptables_tmp_t, iptables_var_run_t, iptables_unit_t;
+		type iptables_tmp_t, iptables_runtime_t, iptables_unit_t;
 	')
 
-	allow $1 iptables_t:process { ptrace signal_perms };
-	ps_process_pattern($1, iptables_t)
+	admin_process_pattern($1, iptables_t)
 
 	init_startstop_service($1, $2, iptables_t, iptables_initrc_exec_t, iptables_unit_t)
 
-	files_list_etc($1)
+	files_search_etc($1)
 	admin_pattern($1, iptables_conf_t)
 
-	files_list_tmp($1)
+	files_search_tmp($1)
 	admin_pattern($1, iptables_tmp_t)
 
-	files_list_pids($1)
-	admin_pattern($1, iptables_var_run_t)
+	files_search_pids($1)
+	admin_pattern($1, iptables_runtime_t)
 ')
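Review bot: replacing `files_list_etc/tmp/pids` with the `files_search_*` variants and the explicit `allow $1 iptables_t:process { ptrace signal_perms }` plus ps_process_pattern with admin_process_pattern changes the scope of the admin interface rather than merely renaming a type, yet the commit message says only "update"; state in the message that callers lose directory listing on /etc, /tmp and /run from this interface and that process access is now whatever admin_process_pattern grants, so anyone relying on the old explicit ptrace grant knows to check.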

diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
index 5de8db0c..33cd9343 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -19,15 +19,15 @@ init_script_file(iptables_initrc_exec_t)
 type iptables_conf_t;
 files_config_file(iptables_conf_t)
 
+type iptables_runtime_t alias iptables_var_run_t;
+files_pid_file(iptables_runtime_t)
+
 type iptables_tmp_t;
 files_tmp_file(iptables_tmp_t)
 
 type iptables_unit_t;
 init_unit_file(iptables_unit_t)
 
-type iptables_var_run_t;
-files_pid_file(iptables_var_run_t)
-
 ########################################
 #
 # Iptables local policy
@@ -44,16 +44,15 @@ allow iptables_t self:rawip_socket create_socket_perms;
 manage_files_pattern(iptables_t, iptables_conf_t, iptables_conf_t)
 files_etc_filetrans(iptables_t, iptables_conf_t, file)
 
-manage_files_pattern(iptables_t, iptables_var_run_t, iptables_var_run_t)
-files_pid_filetrans(iptables_t, iptables_var_run_t, file)
-
 can_exec(iptables_t, iptables_exec_t)
 
+manage_files_pattern(iptables_t, iptables_runtime_t, iptables_runtime_t)
+files_pid_filetrans(iptables_t, iptables_runtime_t, file)
+
 allow iptables_t iptables_tmp_t:dir manage_dir_perms;
 allow iptables_t iptables_tmp_t:file manage_file_perms;
 files_tmp_filetrans(iptables_t, iptables_tmp_t, { file dir })
 
-kernel_getattr_proc(iptables_t)
 kernel_request_load_module(iptables_t)
 kernel_read_system_state(iptables_t)
 kernel_read_network_state(iptables_t)
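Review bot: besides moving the iptables_runtime_t manage_files_pattern/files_pid_filetrans rules below can_exec, this hunk silently removes `kernel_getattr_proc(iptables_t)` with no replacement, so iptables_t loses getattr on the proc filesystem; if that access is covered by another call (the adjacent kernel_read_system_state, for example) say so in the log, otherwise expect a new AVC the first time iptables stats /proc.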
@@ -76,8 +75,6 @@ fs_list_inotifyfs(iptables_t)
 
 mls_file_read_all_levels(iptables_t)
 
-term_dontaudit_use_console(iptables_t)
-
 domain_use_interactive_fds(iptables_t)
 
 files_read_etc_files(iptables_t)
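Review bot: removing `term_dontaudit_use_console(iptables_t)` means console-use attempts by iptables_t are audited again; that is the right direction (dontaudit rules hide real access attempts), but expect `use` denials on the console to surface in the audit log on sysvinit boots until it is confirmed they no longer occur.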
@@ -98,8 +95,7 @@ miscfiles_read_localization(iptables_t)
 sysnet_run_ifconfig(iptables_t, iptables_roles)
 sysnet_dns_name_resolve(iptables_t)
 
-userdom_use_user_terminals(iptables_t)
-userdom_use_all_users_fds(iptables_t)
+userdom_use_inherited_user_terminals(iptables_t)
 
 ifdef(`hide_broken_symptoms',`
 	dev_dontaudit_write_mtrr(iptables_t)
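Review bot: `userdom_use_inherited_user_terminals(iptables_t)` replacing both `userdom_use_user_terminals` and `userdom_use_all_users_fds` narrows iptables_t to the terminal fds it inherits from the caller, which is what an admin-run CLI needs; before merging, run iptables from a user terminal, from a sudo session and from an init script under the new policy and confirm no new `use` denials on terminals or fds appear, since the console dontaudit removed in the hunk above will now make any such denial visible.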
@@ -142,10 +138,6 @@ optional_policy(`
 ')
 
 optional_policy(`
-	seutil_sigchld_newrole(iptables_t)
-')
-
-optional_policy(`
 	shorewall_read_tmp_files(iptables_t)
 	shorewall_rw_lib_files(iptables_t)
 	shorewall_read_config(iptables_t)
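Review bot: dropping the `seutil_sigchld_newrole(iptables_t)` optional block is a rule change (iptables_t can no longer deliver SIGCHLD to newrole), not a cleanup; fine if iptables is no longer expected to run from a newrole session, but the log should say so.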


^ permalink raw reply related	[flat|nested] 705+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2017-09-09  2:43 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2017-09-09  2:43 UTC (permalink / raw
  To: gentoo-commits

commit:     459d6a106b4d2954e44fce482bb453cc39907600
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Sep  6 15:04:11 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Sep  8 22:39:50 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=459d6a10

systemd, udev: Module version bump.

 policy/modules/system/systemd.te | 2 +-
 policy/modules/system/udev.te    | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index f9e1a24f..5fdeb388 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1,4 +1,4 @@
-policy_module(systemd, 1.4.0)
+policy_module(systemd, 1.4.1)
 
 #########################################
 #

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 9ecd0325..3f89bacd 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -1,4 +1,4 @@
-policy_module(udev, 1.22.0)
+policy_module(udev, 1.22.1)
 
 ########################################
 #


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2017-09-09  2:43 Jason Zaman
From: Jason Zaman @ 2017-09-09  2:43 UTC (permalink / raw
  To: gentoo-commits

commit:     a5b7fa4715e1f1fd2286250a77705cf42dec10a3
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Fri Sep  8 15:41:56 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Sep  8 22:39:50 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a5b7fa47

systemd: Whitespace fix.

 policy/modules/system/systemd.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 10f75de3..fa1c6568 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -397,7 +397,7 @@ interface(`systemd_start_power_units',`
 ##	</summary>
 ## </param>
 #
-	interface(`systemd_tmpfiles_conf_file',`
+interface(`systemd_tmpfiles_conf_file',`
 	gen_require(`
 		attribute systemd_tmpfiles_conf_type;
 	')


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2017-09-09  2:43 Jason Zaman
From: Jason Zaman @ 2017-09-09  2:43 UTC (permalink / raw
  To: gentoo-commits

commit:     edaef9b282d752f43d60bcda586840bd1342e9fd
Author:     Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Wed Jun  7 12:28:44 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Sep  8 22:55:42 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=edaef9b2

miscfiles: Fix typo in /usr/local/share/man fc

This has been sitting in our policy since 2012 (aaa0f803d), but it's
obviously a typo.

 policy/modules/system/miscfiles.fc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
index 88eceb99..1ccaaec7 100644
--- a/policy/modules/system/miscfiles.fc
+++ b/policy/modules/system/miscfiles.fc
@@ -48,7 +48,7 @@ ifdef(`distro_redhat',`
 
 /usr/local/share/ca-certificates(/.*)?	gen_context(system_u:object_r:cert_t,s0)
 
-/usr/local/share/fonts(/.*)?	gen_context(system_u:object_r:man_t,s0)
+/usr/local/share/fonts(/.*)?	gen_context(system_u:object_r:fonts_t,s0)
 
 /usr/share/docbook2X/xslt/man(/.*)?	gen_context(system_u:object_r:usr_t,s0)
 /usr/share/ca-certificates(/.*)?	gen_context(system_u:object_r:cert_t,s0)
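Review bot: the man_t to fonts_t correction only takes effect on existing systems after `restorecon -R /usr/local/share/fonts`; until then files there keep man_t and domains that may read man_t but not fonts_t (or the reverse) will behave differently from what the policy now intends, so this deserves a release-note line.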


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2017-09-09  3:02 Jason Zaman
From: Jason Zaman @ 2017-09-09  3:02 UTC (permalink / raw
  To: gentoo-commits

commit:     b70c273305b2afca822fe624279ddfad28ac550a
Author:     David Sugar <dsugar <AT> tresys <DOT> com>
AuthorDate: Fri Sep  8 17:50:24 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Sep  9 02:56:59 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b70c2733

Label RHEL specific systemd binaries

Label RHEL specific systemd binaries /usr/lib/systemd/rhel* as initrc_exec_t.
Now in the proper location.

Signed-off-by: Dave Sugar <dsugar <AT> tresys.com>

 policy/modules/system/init.fc | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
index 0cc3cd8f..8a8ce871 100644
--- a/policy/modules/system/init.fc
+++ b/policy/modules/system/init.fc
@@ -38,6 +38,10 @@ ifdef(`distro_gentoo', `
 /usr/lib/rc/init\.d(/.*)?		gen_context(system_u:object_r:initrc_state_t,s0)
 ')
 
+ifdef(`distro_redhat',`
+/usr/lib/systemd/rhel[^/]* 	--	gen_context(system_u:object_r:initrc_exec_t,s0)
+')
+
 /usr/libexec/dcc/start-.* --	gen_context(system_u:object_r:initrc_exec_t,s0)
 /usr/libexec/dcc/stop-.* --	gen_context(system_u:object_r:initrc_exec_t,s0)
 
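Review bot: the new `/usr/lib/systemd/rhel[^/]*` line separates the regex from `--` with a space followed by a tab, unlike the surrounding entries which use tabs only; normalise it to match. The labelling itself looks right: `--` limits the match to regular files and `[^/]*` cannot cross into subdirectories, and wrapping it in `ifdef(`distro_redhat',` keeps the entry out of other distributions' contexts.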


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2017-09-09  3:02 Jason Zaman
From: Jason Zaman @ 2017-09-09  3:02 UTC (permalink / raw
  To: gentoo-commits

commit:     309123918ff4990a52478e20c0679d9382de7267
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Fri Sep  8 23:30:34 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Sep  9 02:56:59 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=30912391

init: Move fc lines.

 policy/modules/system/init.fc | 13 +++++--------
 1 file changed, 5 insertions(+), 8 deletions(-)

diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
index 8a8ce871..1637792a 100644
--- a/policy/modules/system/init.fc
+++ b/policy/modules/system/init.fc
@@ -34,14 +34,6 @@ ifdef(`distro_gentoo',`
 /usr/lib/systemd/ntp-units\.d -d gen_context(system_u:object_r:systemd_unit_t,s0)
 /usr/lib/systemd/system(/.*)?	gen_context(system_u:object_r:systemd_unit_t,s0)
 
-ifdef(`distro_gentoo', `
-/usr/lib/rc/init\.d(/.*)?		gen_context(system_u:object_r:initrc_state_t,s0)
-')
-
-ifdef(`distro_redhat',`
-/usr/lib/systemd/rhel[^/]* 	--	gen_context(system_u:object_r:initrc_exec_t,s0)
-')
-
 /usr/libexec/dcc/start-.* --	gen_context(system_u:object_r:initrc_exec_t,s0)
 /usr/libexec/dcc/stop-.* --	gen_context(system_u:object_r:initrc_exec_t,s0)
 
@@ -50,9 +42,14 @@ ifdef(`distro_redhat',`
 /usr/sbin/upstart	--	gen_context(system_u:object_r:init_exec_t,s0)
 
 ifdef(`distro_gentoo', `
+/usr/lib/rc/init\.d(/.*)?		gen_context(system_u:object_r:initrc_state_t,s0)
 /usr/sbin/rc		--	gen_context(system_u:object_r:rc_exec_t,s0)
 ')
 
+ifdef(`distro_redhat',`
+/usr/lib/systemd/rhel[^/]* 	--	gen_context(system_u:object_r:initrc_exec_t,s0)
+')
+
 #
 # /var
 #


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2017-09-09  3:02 Jason Zaman
From: Jason Zaman @ 2017-09-09  3:02 UTC (permalink / raw
  To: gentoo-commits

commit:     7634761b77b813619325457fb6ce529dca0f2bf9
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Fri Sep  8 23:33:43 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Sep  9 02:56:59 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7634761b

init: Module version bump for patch from Dave Sugar.

 policy/modules/system/init.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 26dd5824..09610366 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 2.3.0)
+policy_module(init, 2.3.1)
 
 gen_require(`
 	class passwd rootok;


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2017-09-17  4:21 Jason Zaman
From: Jason Zaman @ 2017-09-17  4:21 UTC (permalink / raw
  To: gentoo-commits

commit:     cfbef5930f7c84b0ec41c68727706ce8ee1cc763
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Fri Sep 15 15:35:38 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Sep 17 03:17:39 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=cfbef593

udev: map module objects to load kernel modules

denied  { map } for  pid=7850 comm="systemd-udevd" path="/lib64/modules/4.13.0-gentoo/kernel/drivers/hid/hid-logitech-hidpp.ko" dev="zfs" ino=709934 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_object_t:s0 tclass=file permissive=0

 policy/modules/system/udev.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 50c89daa..838e7e34 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -174,6 +174,7 @@ modutils_domtrans(udev_t)
 modutils_read_module_config(udev_t)
 # read modules.inputmap:
 modutils_read_module_deps(udev_t)
+modutils_read_module_objects(udev_t)
 
 seutil_read_config(udev_t)
 seutil_read_default_contexts(udev_t)
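Review bot: the denial quoted in the commit message is for the `map` permission on modules_object_t, so this fix only works if modutils_read_module_objects grants map in addition to read; if that interface only provides a read pattern, udev still cannot mmap the .ko and an explicit map allow is needed, as the sibling logging.te commit does for syslogd_var_lib_t.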


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2017-09-17  4:21 Jason Zaman
From: Jason Zaman @ 2017-09-17  4:21 UTC (permalink / raw
  To: gentoo-commits

commit:     1614577f275acd80d608b5e7dc6f35925407fe48
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Fri Sep 15 15:39:24 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Sep 17 03:17:39 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1614577f

syslog: allow map persist file

 policy/modules/system/logging.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 4b04f9bc..99f778b9 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -421,6 +421,7 @@ manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
 files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
 
 manage_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t)
+allow syslogd_t syslogd_var_lib_t:file map;
 files_search_var_lib(syslogd_t)
 
 # manage pid file
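Review bot: the raw `allow syslogd_t syslogd_var_lib_t:file map;` next to the manage_files_pattern is acceptable inside the owning module, and map on a type syslogd_t already fully manages exposes no new data; add a short comment naming the persist file (as the commit subject does), since the surrounding block gives no hint why mmap is needed.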


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2017-09-17  4:21 Jason Zaman
From: Jason Zaman @ 2017-09-17  4:21 UTC (permalink / raw
  To: gentoo-commits

commit:     05ebcff9bff4e900891c31115c37ed3e8753eb2b
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Sep 16 17:30:33 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Sep 17 03:17:40 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=05ebcff9

authlogin, logging, udev: Module version bump.

 policy/modules/system/authlogin.te | 2 +-
 policy/modules/system/logging.te   | 2 +-
 policy/modules/system/udev.te      | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 69337c89..5ee69fcf 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -1,4 +1,4 @@
-policy_module(authlogin, 2.11.0)
+policy_module(authlogin, 2.11.1)
 
 ########################################
 #

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 99f778b9..075e1e2f 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -1,4 +1,4 @@
-policy_module(logging, 1.26.3)
+policy_module(logging, 1.26.4)
 
 ########################################
 #

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 838e7e34..6d4722e9 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -1,4 +1,4 @@
-policy_module(udev, 1.22.2)
+policy_module(udev, 1.22.3)
 
 ########################################
 #


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2017-09-17  4:21 Jason Zaman
From: Jason Zaman @ 2017-09-17  4:21 UTC (permalink / raw
  To: gentoo-commits

commit:     d584e0ae937da73467210e8990b8d2eb56e61459
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Sep 16 17:31:12 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Sep 17 03:17:40 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d584e0ae

init: Remove sm-notify.pid fc entry which collides with the rpc module.

 policy/modules/system/init.fc | 1 -
 policy/modules/system/init.te | 2 +-
 2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
index 1637792a..d029ea30 100644
--- a/policy/modules/system/init.fc
+++ b/policy/modules/system/init.fc
@@ -61,7 +61,6 @@ ifdef(`distro_redhat',`
 /run/runlevel\.dir		gen_context(system_u:object_r:initrc_var_run_t,s0)
 /run/random-seed	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
 /run/setmixer_flag	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
-/run/sm-notify\.pid	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
 /run/systemd(/.*)?		gen_context(system_u:object_r:init_var_run_t,s0)
 /run/wd_keepalive\.pid	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
 

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 30b144f2..5a60092d 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 2.3.4)
+policy_module(init, 2.3.5)
 
 gen_require(`
 	class passwd rootok;


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2017-09-17  4:21 Jason Zaman
From: Jason Zaman @ 2017-09-17  4:21 UTC (permalink / raw
  To: gentoo-commits

commit:     2bda37cd873705f0740cf82fc5a02383a14fdbba
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Fri Sep 15 07:14:21 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Sep 17 03:17:40 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2bda37cd

sudo: add fcontext for /run/sudo/ts/USERNAME

This lets restorecon -F set the context properly.

 policy/modules/system/authlogin.fc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
index 68f61737..a0c4d1c9 100644
--- a/policy/modules/system/authlogin.fc
+++ b/policy/modules/system/authlogin.fc
@@ -49,5 +49,6 @@ ifdef(`distro_suse', `
 /run/pam_ssh(/.*)?		gen_context(system_u:object_r:var_auth_t,s0)
 /run/sepermit(/.*)? 	gen_context(system_u:object_r:pam_var_run_t,s0)
 /run/sudo(/.*)?		gen_context(system_u:object_r:pam_var_run_t,s0)
+/run/sudo/ts/%{USERNAME}	gen_context(system_u:object_r:pam_var_run_t,s0)
 /var/(db|adm)/sudo(/.*)?	gen_context(system_u:object_r:pam_var_run_t,s0)
 /var/lib/sudo(/.*)?	gen_context(system_u:object_r:pam_var_run_t,s0)
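Review bot: `/run/sudo/ts/%{USERNAME}` resolves to the same pam_var_run_t that the `/run/sudo(/.*)?` line directly above already assigns, so the new entry changes nothing for a plain restorecon; the log says it is needed for `restorecon -F`, and an inline comment explaining why the per-user `%{USERNAME}` expansion is required would stop the next reader from deleting it as redundant. The entry also carries no `--` qualifier, which is fine only if the timestamp entries can be directories as well as files.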


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2017-10-29 20:42 Jason Zaman
From: Jason Zaman @ 2017-10-29 20:42 UTC (permalink / raw
  To: gentoo-commits

commit:     aae531f9052e27c2794a9f199d0eacda54a2d2ab
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Oct 11 00:32:43 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Oct 29 12:59:08 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=aae531f9

Module version bumps.

 policy/modules/system/init.te    | 2 +-
 policy/modules/system/systemd.te | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 9ff247d1..90291d34 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 2.3.6)
+policy_module(init, 2.3.7)
 
 gen_require(`
 	class passwd rootok;

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 166bd4dd..74cfe704 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1,4 +1,4 @@
-policy_module(systemd, 1.4.3)
+policy_module(systemd, 1.4.4)
 
 #########################################
 #


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2017-10-29 20:42 Jason Zaman
From: Jason Zaman @ 2017-10-29 20:42 UTC (permalink / raw
  To: gentoo-commits

commit:     52c2b105a22a89b938af9d558bbfbf4a1c8198a3
Author:     David Sugar <dsugar <AT> tresys <DOT> com>
AuthorDate: Mon Oct  9 21:15:13 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Oct 29 12:59:08 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=52c2b105

Fix problem labeling /run/log/journal/*

Fix the following denials I was seeing in dmesg from init_t (systemd) when attempting to relabel /run/log/journal/*

[    4.758398] type=1400 audit(1507601754.187:3): avc:  denied  { relabelto } for  pid=1 comm="systemd" name="log" dev="tmpfs" ino=1365 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir
[    4.758541] systemd[1]: Unable to fix SELinux security context of /run/log: Permission denied
[    4.758736] type=1400 audit(1507601754.187:4): avc:  denied  { relabelto } for  pid=1 comm="systemd" name="journal" dev="tmpfs" ino=7004 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir
[    4.758773] systemd[1]: Unable to fix SELinux security context of /run/log/journal: Permission denied
[    4.758928] type=1400 audit(1507601754.187:5): avc:  denied  { relabelto } for  pid=1 comm="systemd" name="791393fb4b8f4a59af4266b634b218e2" dev="tmpfs" ino=7005 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir
[    4.758960] systemd[1]: Unable to fix SELinux security context of /run/log/journal/791393fb4b8f4a59af4266b634b218e2: Permission denied
[    4.759144] type=1400 audit(1507601754.187:6): avc:  denied  { relabelto } for  pid=1 comm="systemd" name="system.journal" dev="tmpfs" ino=7006 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file
[    4.759196] systemd[1]: Unable to fix SELinux security context of /run/log/journal/791393fb4b8f4a59af4266b634b218e2/system.journal: Permission denied

Signed-off-by: Dave Sugar <dsugar <AT> tresys.com>

 policy/modules/system/init.te    |  3 +++
 policy/modules/system/systemd.if | 40 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 43 insertions(+)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 63cec7d6..9ff247d1 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -320,12 +320,15 @@ ifdef(`init_systemd',`
 	logging_manage_pid_sockets(init_t)
 	logging_send_audit_msgs(init_t)
 	logging_relabelto_devlog_sock_files(init_t)
+	logging_relabel_generic_log_dirs(init_t)
 
 	systemd_manage_passwd_runtime_symlinks(init_t)
 	systemd_use_passwd_agent(init_t)
 	systemd_list_tmpfiles_conf(init_t)
 	systemd_relabelto_tmpfiles_conf_dirs(init_t)
 	systemd_relabelto_tmpfiles_conf_files(init_t)
+	systemd_relabelto_journal_dirs(init_t)
+	systemd_relabelto_journal_files(init_t)
 
 	term_create_devpts_dirs(init_t)
 

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 766f33fb..69669a1a 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -348,6 +348,46 @@ interface(`systemd_manage_journal_files',`
 	manage_files_pattern($1, systemd_journal_t, systemd_journal_t)
 ')
 
+
+########################################
+## <summary>
+##	Relabel to systemd-journald directory type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`systemd_relabelto_journal_dirs',`
+	gen_require(`
+		type systemd_journal_t;
+	')
+
+	files_search_var($1)
+	allow $1 systemd_journal_t:dir relabelto_dir_perms;
+')
+
+########################################
+## <summary>
+##	Relabel to systemd-journald file type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`systemd_relabelto_journal_files',`
+	gen_require(`
+		type systemd_journal_t;
+	')
+
+	files_search_var($1)
+	list_dirs_pattern($1,systemd_journal_t,systemd_journal_t)
+	allow $1 systemd_journal_t:file relabelto_file_perms;
+')
+
 ########################################
 ## <summary>
 ##     Allow systemd_logind_t to read process state for cgroup file
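Review bot: both new interfaces call files_search_var($1), but the denials this change fixes are under /run/log/journal on tmpfs (see dev="tmpfs" in the quoted audit lines), which is not reached through /var; search on /run is the prerequisite that matters there, with files_search_var only relevant for /var/log/journal. Two style points: the extra blank line added at the top of the hunk produces a double blank before the comment header, and `list_dirs_pattern($1,systemd_journal_t,systemd_journal_t)` needs spaces after the commas to match the rest of the file.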


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2017-10-29 20:42 Jason Zaman
From: Jason Zaman @ 2017-10-29 20:42 UTC (permalink / raw
  To: gentoo-commits

commit:     2f334fd8b7310980458c2665e122560a086d7cb3
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Oct 11 22:45:29 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Oct 29 12:59:08 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2f334fd8

ipsec: Module version bump.

 policy/modules/system/ipsec.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index 75f69b5b..c093f2d1 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -1,4 +1,4 @@
-policy_module(ipsec, 1.18.0)
+policy_module(ipsec, 1.18.1)
 
 ########################################
 #


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2017-10-29 20:42 Jason Zaman
From: Jason Zaman @ 2017-10-29 20:42 UTC (permalink / raw
  To: gentoo-commits

commit:     ef14bcd0189098ada222dd638183eb44073de691
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Thu Oct 12 21:42:23 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Oct 29 12:59:08 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ef14bcd0

init: Clean up line placement in init_systemd blocks.

No rule changes.

 policy/modules/system/init.te | 196 ++++++++++++++++++++++--------------------
 1 file changed, 102 insertions(+), 94 deletions(-)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 90291d34..75da7a62 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -216,11 +216,23 @@ ifdef(`init_systemd',`
 	# handle instances where an old labeled init script is encountered.
 	typeattribute init_t init_run_all_scripts_domain;
 
+	allow init_t self:unix_dgram_socket { create_socket_perms sendto };
+	allow init_t self:process { setsockcreate setfscreate setrlimit };
+	allow init_t self:process { getcap setcap getsched setsched };
+	allow init_t self:unix_stream_socket { create_stream_socket_perms connectto };
+	allow init_t self:netlink_audit_socket { nlmsg_relay create_socket_perms };
+	allow init_t self:netlink_selinux_socket create_socket_perms;
+	allow init_t self:system { status reboot halt reload };
+	# Until systemd is fixed
+	allow init_t self:udp_socket create_socket_perms;
+	allow init_t self:netlink_route_socket create_netlink_socket_perms;
+	allow init_t initrc_t:unix_dgram_socket create_socket_perms;
+	allow init_t self:capability2 audit_read;
+
 	# for /run/systemd/inaccessible/{chr,blk}
 	allow init_t init_var_run_t:blk_file { create getattr };
 	allow init_t init_var_run_t:chr_file { create getattr };
 
-
 	allow init_t systemprocess:process { dyntransition siginh };
 	allow init_t systemprocess:unix_stream_socket create_stream_socket_perms;
 	allow init_t systemprocess:unix_dgram_socket create_socket_perms;
@@ -257,18 +269,47 @@ ifdef(`init_systemd',`
 
 	kernel_dyntrans_to(init_t)
 	kernel_read_network_state(init_t)
-	kernel_read_kernel_sysctls(init_t)
-	kernel_read_vm_sysctls(init_t)
 	kernel_dgram_send(init_t)
 	kernel_stream_connect(init_t)
 	kernel_getattr_proc(init_t)
 	kernel_read_fs_sysctls(init_t)
+	kernel_list_unlabeled(init_t)
+	kernel_load_module(init_t)
+	kernel_rw_kernel_sysctl(init_t)
+	kernel_rw_net_sysctls(init_t)
+	kernel_read_all_sysctls(init_t)
+	kernel_read_software_raid_state(init_t)
+	kernel_unmount_debugfs(init_t)
+	kernel_setsched(init_t)
+	kernel_rw_unix_sysctls(init_t)
+
+	# run systemd misc initializations
+	# in the initrc_t domain, as would be
+	# done in traditional sysvinit/upstart.
+	corecmd_bin_domtrans(init_t, initrc_t)
+	corecmd_shell_domtrans(init_t, initrc_t)
 
-	dev_create_generic_dirs(init_t)
 	dev_manage_input_dev(init_t)
 	dev_relabel_all_sysfs(init_t)
 	dev_relabel_generic_symlinks(init_t)
 	dev_read_urand(init_t)
+	dev_write_kmsg(init_t)
+	dev_write_urand(init_t)
+	dev_rw_lvm_control(init_t)
+	dev_rw_autofs(init_t)
+	dev_manage_generic_symlinks(init_t)
+	dev_manage_generic_dirs(init_t)
+	dev_manage_generic_files(init_t)
+	dev_manage_null_service(initrc_t)
+	dev_read_generic_chr_files(init_t)
+	dev_relabel_generic_dev_dirs(init_t)
+	dev_relabel_all_dev_nodes(init_t)
+	dev_relabel_all_dev_files(init_t)
+	dev_manage_sysfs_dirs(init_t)
+	dev_relabel_sysfs_dirs(init_t)
+	dev_read_usbfs(initrc_t)
+	# systemd writes to /dev/watchdog on shutdown
+	dev_write_watchdog(init_t)
 
 	domain_read_all_domains_state(init_t)
 
@@ -283,21 +324,47 @@ ifdef(`init_systemd',`
 	files_relabelto_etc_runtime_files(init_t)
 	files_read_all_locks(init_t)
 	files_search_kernel_modules(init_t)
+	files_create_all_pid_pipes(init_t)
+	files_create_all_pid_sockets(init_t)
+	files_create_all_spool_sockets(init_t)
+	files_create_lock_dirs(init_t)
+	files_delete_all_pids(init_t)
+	files_delete_all_spool_sockets(init_t)
+	files_exec_generic_pid_files(init_t)
+	files_list_locks(init_t)
+	files_list_spool(init_t)
+	files_manage_all_pid_dirs(init_t)
+	files_manage_generic_tmp_dirs(init_t)
+	files_manage_urandom_seed(init_t)
+	files_mounton_all_mountpoints(init_t)
+	files_read_boot_files(initrc_t)
+	files_relabel_all_lock_dirs(init_t)
+	files_relabel_all_pid_dirs(init_t)
+	files_relabel_all_pid_files(init_t)
+	files_search_all(init_t)
+	files_unmount_all_file_type_fs(init_t)
 	# for privatetmp functions
 	files_mounton_tmp(init_t)
 	# for ProtectSystem
 	files_mounton_etc_dirs(init_t)
 
 	fs_relabel_cgroup_dirs(init_t)
-	fs_rw_cgroup_files(init_t)
 	fs_list_auto_mountpoints(init_t)
 	fs_mount_autofs(init_t)
 	fs_manage_hugetlbfs_dirs(init_t)
 	fs_getattr_tmpfs(init_t)
 	fs_read_tmpfs_files(init_t)
-	fs_read_cgroup_files(init_t)
 	fs_relabel_pstore_dirs(init_t)
 	fs_dontaudit_getattr_xattr_fs(init_t)
+	fs_create_cgroup_links(init_t)
+	fs_getattr_all_fs(init_t)
+	fs_manage_cgroup_dirs(init_t)
+	fs_manage_cgroup_files(init_t)
+	fs_manage_tmpfs_dirs(init_t)
+	fs_mount_all_fs(init_t)
+	fs_remount_all_fs(init_t)
+	fs_relabelfrom_tmpfs_symlinks(init_t)
+	fs_unmount_all_fs(init_t)
 	# for privatetmp functions
 	fs_relabel_tmpfs_dirs(init_t)
 	fs_relabel_tmpfs_files(init_t)
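Review bot: `files_read_boot_files(initrc_t)` is again an initrc_t rule placed among the init_t files_* calls and should move to the initrc_t section. `fs_rw_cgroup_files(init_t)` and `fs_read_cgroup_files(init_t)` are removed in favour of the moved `fs_manage_cgroup_files(init_t)`, which subsumes them, so no access is lost; note that in the log so the "No rule changes" claim can be checked.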
@@ -308,20 +375,32 @@ ifdef(`init_systemd',`
 	# for network namespaces
 	fs_read_nsfs_files(init_t)
 
-	# need write to /var/run/systemd/notify
-	init_write_pid_socket(daemon)
+	init_read_script_state(init_t)
 
 	# systemd_socket_activated policy
 	mls_socket_write_all_levels(init_t)
 
+	selinux_unmount_fs(init_t)
+	selinux_validate_context(init_t)
 	selinux_compute_create_context(init_t)
 	selinux_compute_access_vector(init_t)
 
+	storage_getattr_removable_dev(init_t)
+
+	term_relabel_pty_dirs(init_t)
+
+	auth_manage_var_auth(init_t)
+	auth_relabel_login_records(init_t)
+	auth_relabel_pam_console_data_dirs(init_t)
+
 	logging_manage_pid_sockets(init_t)
 	logging_send_audit_msgs(init_t)
 	logging_relabelto_devlog_sock_files(init_t)
 	logging_relabel_generic_log_dirs(init_t)
 
+	# lvm2-activation-generator checks file labels
+	seutil_read_file_contexts(init_t)
+
 	systemd_manage_passwd_runtime_symlinks(init_t)
 	systemd_use_passwd_agent(init_t)
 	systemd_list_tmpfiles_conf(init_t)
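Review bot: `init_write_pid_socket(daemon)`, together with its "need write to /var/run/systemd/notify" comment, is removed here and does not reappear in any later hunk of this diff; unless it was re-added outside the shown hunks this contradicts "No rule changes" and daemons lose write access to the systemd notify socket. Please confirm where it went.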
@@ -329,6 +408,7 @@ ifdef(`init_systemd',`
 	systemd_relabelto_tmpfiles_conf_files(init_t)
 	systemd_relabelto_journal_dirs(init_t)
 	systemd_relabelto_journal_files(init_t)
+	systemd_manage_all_units(init_t)
 
 	term_create_devpts_dirs(init_t)
 
@@ -853,21 +933,8 @@ ifdef(`enabled_mls',`
 ')
 
 ifdef(`init_systemd',`
-	allow init_t self:system { status reboot halt reload };
-
-	allow init_t self:unix_dgram_socket { create_socket_perms sendto };
-	allow init_t self:process { setsockcreate setfscreate setrlimit };
-	allow init_t self:process { getcap setcap getsched setsched };
-	allow init_t self:unix_stream_socket { create_stream_socket_perms connectto };
-	allow init_t self:netlink_audit_socket { nlmsg_relay create_socket_perms };
-	allow init_t self:netlink_selinux_socket create_socket_perms;
-	# Until systemd is fixed
-	allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write };
-	allow init_t self:udp_socket create_socket_perms;
-	allow init_t self:netlink_route_socket create_netlink_socket_perms;
-	allow init_t initrc_t:unix_dgram_socket create_socket_perms;
 	allow initrc_t init_t:system { start status reboot halt reload };
-	allow init_t self:capability2 audit_read;
+
 	manage_files_pattern(initrc_t, initrc_lock_t, initrc_lock_t)
 	files_lock_filetrans(initrc_t, initrc_lock_t, file)
 
@@ -890,106 +957,37 @@ ifdef(`init_systemd',`
 	allow initrc_t init_script_file_type:service { stop start status reload };
 
 	kernel_dgram_send(initrc_t)
-	kernel_list_unlabeled(init_t)
-	kernel_load_module(init_t)
-	kernel_rw_kernel_sysctl(init_t)
-	kernel_rw_net_sysctls(init_t)
-	kernel_read_all_sysctls(init_t)
-	kernel_read_software_raid_state(init_t)
-	kernel_unmount_debugfs(init_t)
-	kernel_setsched(init_t)
-	kernel_rw_unix_sysctls(init_t)
-
-	auth_manage_var_auth(init_t)
-	auth_relabel_login_records(init_t)
-	auth_relabel_pam_console_data_dirs(init_t)
 
 	# run systemd misc initializations
 	# in the initrc_t domain, as would be
 	# done in traditional sysvinit/upstart.
 	corecmd_bin_entry_type(initrc_t)
-	corecmd_bin_domtrans(init_t, initrc_t)
-	corecmd_shell_domtrans(init_t, initrc_t)
 
 	dev_create_generic_dirs(initrc_t)
-	dev_write_kmsg(init_t)
-	dev_write_urand(init_t)
-	dev_rw_lvm_control(init_t)
-	dev_rw_autofs(init_t)
-	dev_manage_generic_symlinks(init_t)
-	dev_manage_generic_dirs(init_t)
-	dev_manage_generic_files(init_t)
-	dev_manage_null_service(initrc_t)
-	dev_read_generic_chr_files(init_t)
-	dev_relabel_generic_dev_dirs(init_t)
-	dev_relabel_all_dev_nodes(init_t)
-	dev_relabel_all_dev_files(init_t)
-	dev_manage_sysfs_dirs(init_t)
-	dev_relabel_sysfs_dirs(init_t)
-	dev_read_usbfs(initrc_t)
-	# systemd writes to /dev/watchdog on shutdown
-	dev_write_watchdog(init_t)
 
 	# Allow initrc_t to check /etc/fstab "service." It appears that
 	# systemd is conflating files and services.
-	files_create_all_pid_pipes(init_t)
-	files_create_all_pid_sockets(init_t)
-	files_create_all_spool_sockets(init_t)
-	files_create_lock_dirs(init_t)
-	files_create_pid_dirs(initrc_t)
-	files_delete_all_pids(init_t)
-	files_delete_all_spool_sockets(init_t)
-	files_exec_generic_pid_files(init_t)
 	files_get_etc_unit_status(initrc_t)
-	files_list_locks(init_t)
-	files_list_spool(init_t)
-	files_manage_all_pid_dirs(init_t)
-	files_manage_generic_tmp_dirs(init_t)
-	files_manage_urandom_seed(init_t)
-	files_mounton_all_mountpoints(init_t)
-	files_read_boot_files(initrc_t)
-	files_relabel_all_lock_dirs(init_t)
-	files_relabel_all_pid_dirs(init_t)
-	files_relabel_all_pid_files(init_t)
-	files_search_all(init_t)
+	files_create_pid_dirs(initrc_t)
 	files_setattr_pid_dirs(initrc_t)
-	files_unmount_all_file_type_fs(init_t)
-
-	fs_create_cgroup_links(init_t)
-	fs_getattr_all_fs(init_t)
-	fs_manage_cgroup_dirs(init_t)
-	fs_manage_cgroup_files(init_t)
-	fs_manage_tmpfs_dirs(init_t)
-	fs_mount_all_fs(init_t)
-	fs_remount_all_fs(init_t)
-	fs_relabelfrom_tmpfs_symlinks(init_t)
-	fs_unmount_all_fs(init_t)
-	fs_search_cgroup_dirs(daemon)
 
 	# for logsave in strict configuration
 	fstools_write_log(initrc_t)
 
+	selinux_set_enforce_mode(initrc_t)
+
 	init_get_all_units_status(initrc_t)
 	init_manage_var_lib_files(initrc_t)
-	init_read_script_state(init_t)
 	init_rw_stream_sockets(initrc_t)
 
 	# Create /etc/audit.rules.prev after firstboot remediation
 	logging_manage_audit_config(initrc_t)
 
-	selinux_set_enforce_mode(initrc_t)
-	selinux_unmount_fs(init_t)
-	selinux_validate_context(init_t)
 	# lvm2-activation-generator checks file labels
 	seutil_read_file_contexts(initrc_t)
-	seutil_read_file_contexts(init_t)
 
-	storage_getattr_removable_dev(init_t)
-	systemd_manage_all_units(init_t)
 	systemd_start_power_units(initrc_t)
 
-	term_relabel_pty_dirs(init_t)
-
 	optional_policy(`
 		# create /var/lock/lvm/
 		lvm_create_lock_dirs(initrc_t)
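Review bot: besides the init_t relocations, this hunk drops three initrc_t rules that are not re-added anywhere in the visible diff: `dev_manage_null_service(initrc_t)`, `dev_read_usbfs(initrc_t)` and `files_read_boot_files(initrc_t)`; if that is intentional it deserves a mention, otherwise they should stay. Two smaller points: `files_create_pid_dirs(initrc_t)` is deleted and re-added below `files_get_etc_unit_status(initrc_t)`, which puts it under the `/etc/fstab "service"` comment that does not describe it and breaks the alphabetical order of the `files_*` calls; and `fs_search_cgroup_dirs(daemon)` moves to the new `daemon` block at `@@ -1416`, which is fine.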
@@ -1416,6 +1414,16 @@ init_dontaudit_use_fds(daemon)
 # when using run_init
 init_use_script_ptys(daemon)
 
+ifdef(`init_systemd',`
+	# Until systemd is fixed
+	allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write };
+
+	fs_search_cgroup_dirs(daemon)
+
+	# need write to /var/run/systemd/notify
+	init_write_pid_socket(daemon)
+')
+
 tunable_policy(`init_daemons_use_tty',`
 	term_use_unallocated_ttys(daemon)
 	term_use_generic_ptys(daemon)
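Review bot: `allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write }` grants every domain carrying the `daemon` attribute read/write on every socket class owned by init_t; the `# Until systemd is fixed` comment carried over from the removed block should say what needs fixing in systemd (or point at the upstream report) so the rule can be retired, and a narrower class than `socket_class_set` would be preferable if the real need is limited to the socket types systemd passes to daemons. The `fs_search_cgroup_dirs(daemon)` and `init_write_pid_socket(daemon)` lines are straight moves from the removed initrc block.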


^ permalink raw reply related	[flat|nested] 705+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2017-10-29 20:42 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2017-10-29 20:42 UTC (permalink / raw
  To: gentoo-commits

commit:     0a049992e4cf60f3aa33ec665a5d7df5b0b573e1
Author:     David Graziano <david.graziano <AT> rockwellcollins <DOT> com>
AuthorDate: Mon Oct  9 20:42:59 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Oct 29 12:59:08 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0a049992

system/ipsec: Add signull access for strongSwan

Allows ipsec_supervisor_t domain to signull other
strongSwan domains.

Signed-off-by: David Graziano <david.graziano <AT> rockwellcollins.com>

 policy/modules/system/ipsec.te | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index b9b723e9..75f69b5b 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -461,7 +461,7 @@ userdom_use_user_terminals(setkey_t)
 #
 
 allow ipsec_supervisor_t self:capability { dac_override dac_read_search kill net_admin };
-allow ipsec_supervisor_t self:process { signal };
+allow ipsec_supervisor_t self:process { signal signull };
 allow ipsec_supervisor_t self:fifo_file rw_fifo_file_perms;
 allow ipsec_supervisor_t self:netlink_route_socket rw_netlink_socket_perms;
 allow ipsec_supervisor_t self:netlink_xfrm_socket create_netlink_socket_perms;
@@ -472,7 +472,7 @@ read_files_pattern(ipsec_supervisor_t, ipsec_conf_file_t, ipsec_conf_file_t);
 manage_files_pattern(ipsec_supervisor_t, ipsec_key_file_t, ipsec_key_file_t)
 
 allow ipsec_supervisor_t ipsec_t:unix_stream_socket { connectto };
-allow ipsec_supervisor_t ipsec_t:process { signal };
+allow ipsec_supervisor_t ipsec_t:process { signal signull };
 
 allow ipsec_supervisor_t ipsec_var_run_t:sock_file { rw_sock_file_perms unlink };
 manage_dirs_pattern(ipsec_supervisor_t, ipsec_var_run_t, ipsec_var_run_t)
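Review bot: the commit message says ipsec_supervisor_t should be able to signull "other strongSwan domains" (plural), but the patch only adds `signull` on `self` in the first hunk and on `ipsec_t` here; if the supervisor also probes any other ipsec domain, that domain needs the same addition. Otherwise the change is minimal and mirrors the existing `signal` rules.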


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2017-10-29 20:42 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2017-10-29 20:42 UTC (permalink / raw
  To: gentoo-commits

commit:     c17970cb2afae09ea21a3630bbd02f7f0d402844
Author:     David Sugar <dsugar <AT> tresys <DOT> com>
AuthorDate: Wed Oct 11 14:59:08 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Oct 29 12:59:50 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c17970cb

policy for systemd-networkd

Policy needed for systemd-networkd to function.  This is based on a patch from krzysztof.a.nowicki at gmail.com that was submitted back in May (I talked to him via email a while ago about me picking up the patch).  He was too busy to update and I needed to get it working.

I am pretty sure I updated everything mentioned in previous feedback, please comment if something is still off and I will revise.

Signed-off-by: Dave Sugar <dsugar <AT> tresys.com>

 policy/modules/system/init.te       |   1 +
 policy/modules/system/sysnetwork.fc |   2 +
 policy/modules/system/systemd.fc    |   3 +
 policy/modules/system/systemd.if    | 115 ++++++++++++++++++++++++++++++++++++
 policy/modules/system/systemd.te    |  70 ++++++++++++++++++++++
 5 files changed, 191 insertions(+)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 350554d3..02a9e3b8 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -329,6 +329,7 @@ ifdef(`init_systemd',`
 	files_create_all_pid_sockets(init_t)
 	files_create_all_spool_sockets(init_t)
 	files_create_lock_dirs(init_t)
+	systemd_rw_networkd_netlink_route_sockets(init_t)
 	files_delete_all_pids(init_t)
 	files_delete_all_spool_sockets(init_t)
 	files_exec_generic_pid_files(init_t)
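Review bot: `systemd_rw_networkd_netlink_route_sockets(init_t)` is inserted in the middle of the `files_*` run (between `files_create_lock_dirs` and `files_delete_all_pids`); it should sit with the other `systemd_*` calls in this block. A comment on why init_t needs read/write on networkd's netlink route socket (presumably a descriptor inherited across the exec of systemd-networkd) would also help, since as written the rule looks like a leak; if the socket is only inherited and never used, a `dontaudit` would be the usual refpolicy choice.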

diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
index c71281bd..3b532567 100644
--- a/policy/modules/system/sysnetwork.fc
+++ b/policy/modules/system/sysnetwork.fc
@@ -24,6 +24,8 @@ ifdef(`distro_debian',`
 /etc/dhcp3(/.*)?		gen_context(system_u:object_r:dhcp_etc_t,s0)
 /etc/dhcp3?/dhclient.*		gen_context(system_u:object_r:dhcp_etc_t,s0)
 
+/etc/systemd/network(/.*)?	gen_context(system_u:object_r:net_conf_t,s0)
+
 ifdef(`distro_redhat',`
 /etc/sysconfig/network-scripts/.*resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
 /etc/sysconfig/networking(/.*)? gen_context(system_u:object_r:net_conf_t,s0)

diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index c697a1c9..392b00b9 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -21,6 +21,7 @@
 /usr/lib/systemd/systemd-localed	--	gen_context(system_u:object_r:systemd_locale_exec_t,s0)
 /usr/lib/systemd/systemd-logind		--	gen_context(system_u:object_r:systemd_logind_exec_t,s0)
 /usr/lib/systemd/systemd-machined	--	gen_context(system_u:object_r:systemd_machined_exec_t,s0)
+/usr/lib/systemd/systemd-networkd	--	gen_context(system_u:object_r:systemd_networkd_exec_t,s0)
 /usr/lib/systemd/systemd-resolved	--	gen_context(system_u:object_r:systemd_resolved_exec_t,s0)
 /usr/lib/systemd/systemd-user-sessions	--	gen_context(system_u:object_r:systemd_sessions_exec_t,s0)
 
@@ -34,6 +35,7 @@
 /usr/lib/systemd/system/[^/]*suspend.*	--	gen_context(system_u:object_r:power_unit_t,s0)
 /usr/lib/systemd/system/systemd-backlight.*	--	gen_context(system_u:object_r:systemd_backlight_unit_t,s0)
 /usr/lib/systemd/system/systemd-binfmt.*	--	gen_context(system_u:object_r:systemd_binfmt_unit_t,s0)
+/usr/lib/systemd/system/systemd-networkd.*		gen_context(system_u:object_r:systemd_networkd_unit_t,s0)
 
 /var/lib/systemd/backlight(/.*)?	gen_context(system_u:object_r:systemd_backlight_var_lib_t,s0)
 /var/lib/systemd/coredump(/.*)?	gen_context(system_u:object_r:systemd_coredump_var_lib_t,s0)
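Review bot: the new `/usr/lib/systemd/system/systemd-networkd.*` entry is the only line in this group without the `--` file-type field, so it also matches directories and symlinks, and the `.*` suffix labels every unit whose name begins with `systemd-networkd` (the wait-online unit included) as `systemd_networkd_unit_t`; the neighbouring `systemd-backlight.*`/`systemd-binfmt.*` entries use the same prefix pattern, so if that is intended only the missing `--` needs fixing for consistency.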
@@ -50,6 +52,7 @@
 /run/systemd/inhibit(/.*)?	gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
 /run/systemd/nspawn(/.*)?	gen_context(system_u:object_r:systemd_nspawn_var_run_t,s0)
 /run/systemd/machines(/.*)?	gen_context(system_u:object_r:systemd_machined_var_run_t,s0)
+/run/systemd/netif(/.*)?	gen_context(system_u:object_r:systemd_networkd_var_run_t,s0)
 
 ifdef(`init_systemd',`
 /run/tmpfiles\.d	-d	gen_context(system_u:object_r:systemd_tmpfiles_conf_t,s0)

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 69669a1a..8f914837 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -390,6 +390,121 @@ interface(`systemd_relabelto_journal_files',`
 
 ########################################
 ## <summary>
+##	Allow domain to read systemd_networkd_t unit files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	 </summary>
+## </param>
+#
+interface(`systemd_read_networkd_units',`
+	gen_require(`
+		type systemd_networkd_t;
+	')
+
+	init_search_units($1)
+	list_dirs_pattern($1, systemd_networkd_unit_t, systemd_networkd_unit_t)
+	read_files_pattern($1, systemd_networkd_unit_t, systemd_networkd_unit_t)
+')
+
+########################################
+## <summary>
+##	Allow domain to create/manage systemd_networkd_t unit files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	 </summary>
+## </param>
+#
+interface(`systemd_manage_networkd_units',`
+	gen_require(`
+		type systemd_networkd_unit_t;
+	')
+
+	init_search_units($1)
+	manage_dirs_pattern($1, systemd_networkd_unit_t, systemd_networkd_unit_t)
+	manage_files_pattern($1, systemd_networkd_unit_t, systemd_networkd_unit_t)
+')
+
+########################################
+## <summary>
+##	Allow specified domain to start systemd-networkd units
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`systemd_startstop_networkd',`
+	gen_require(`
+		type systemd_networkd_unit_t;
+		class service { start stop };
+	')
+
+	allow $1 systemd_networkd_unit_t:service { start stop };
+')
+
+########################################
+## <summary>
+##	Allow specified domain to get status of systemd-networkd
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`systemd_status_networkd',`
+	gen_require(`
+		type systemd_networkd_unit_t;
+		class service status;
+	')
+
+	allow $1 systemd_networkd_unit_t:service status;
+')
+
+#######################################
+## <summary>
+## Relabel systemd_networkd tun socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_relabelfrom_networkd_tun_sockets',`
+	gen_require(`
+		type systemd_networkd_t;
+	')
+
+	allow $1 systemd_networkd_t:tun_socket relabelfrom;
+')
+
+#######################################
+## <summary>
+## Read/Write from systemd_networkd netlink route socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_rw_networkd_netlink_route_sockets',`
+	gen_require(`
+		type systemd_networkd_t;
+	')
+
+	allow $1 systemd_networkd_t:netlink_route_socket client_stream_socket_perms;
+')
+
+
+########################################
+## <summary>
 ##     Allow systemd_logind_t to read process state for cgroup file
 ## </summary>
 ## <param name="domain">
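Review bot: `systemd_read_networkd_units` requires `type systemd_networkd_t;` in its `gen_require` but the body uses `systemd_networkd_unit_t`, so the interface will fail to compile when called from a module that does not already require that type; change the require to `type systemd_networkd_unit_t;` as `systemd_manage_networkd_units` does. Smaller points: the `systemd_startstop_networkd` summary says "start" while the rule grants `{ start stop }`; the XML doc blocks of the last two interfaces use spaces instead of the tab indentation used by the rest of the file, and `##	 </summary>` in the first two has a stray space; there is a double blank line before the `systemd_logind_t` block.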

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 74cfe704..56aa9198 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -109,6 +109,16 @@ type systemd_machined_var_run_t;
 files_pid_file(systemd_machined_var_run_t)
 init_daemon_pid_file(systemd_machined_var_run_t, dir, "machines")
 
+type systemd_networkd_t;
+type systemd_networkd_exec_t;
+init_system_domain(systemd_networkd_t, systemd_networkd_exec_t)
+
+type systemd_networkd_unit_t;
+init_unit_file(systemd_networkd_unit_t)
+
+type systemd_networkd_var_run_t;
+files_pid_file(systemd_networkd_var_run_t)
+
 type systemd_notify_t;
 type systemd_notify_exec_t;
 init_daemon_domain(systemd_notify_t, systemd_notify_exec_t)
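Review bot: `systemd_networkd_var_run_t` is declared with `files_pid_file()` only, whereas the neighbouring `systemd_machined_var_run_t` also gets `init_daemon_pid_file(..., dir, "machines")`; without an equivalent filetrans for `netif`, the `/run/systemd/netif` directory the daemon creates at runtime will inherit the parent label rather than `systemd_networkd_var_run_t`, and only a `restorecon` would make the new `.fc` entry take effect. Consider adding `init_daemon_pid_file(systemd_networkd_var_run_t, dir, "netif")` here.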
@@ -516,6 +526,66 @@ optional_policy(`
 
 ########################################
 #
+# networkd local policy
+#
+
+allow systemd_networkd_t self:capability { chown dac_override fowner net_admin net_raw setgid setpcap setuid };
+allow systemd_networkd_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow systemd_networkd_t self:netlink_route_socket { create_socket_perms nlmsg_read nlmsg_write };
+allow systemd_networkd_t self:packet_socket create_socket_perms;
+allow systemd_networkd_t self:process { getcap setcap setfscreate };
+allow systemd_networkd_t self:rawip_socket create_socket_perms;
+allow systemd_networkd_t self:tun_socket { create_socket_perms relabelfrom relabelto };
+allow systemd_networkd_t self:udp_socket create_socket_perms;
+allow systemd_networkd_t self:unix_dgram_socket create_socket_perms;
+
+manage_dirs_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
+manage_files_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
+manage_lnk_files_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
+
+kernel_dgram_send(systemd_networkd_t)
+kernel_read_system_state(systemd_networkd_t)
+kernel_read_kernel_sysctls(systemd_networkd_t)
+kernel_read_network_state(systemd_networkd_t)
+kernel_request_load_module(systemd_networkd_t)
+kernel_rw_net_sysctls(systemd_networkd_t)
+
+corecmd_bin_entry_type(systemd_networkd_t)
+corecmd_exec_bin(systemd_networkd_t)
+
+corenet_rw_tun_tap_dev(systemd_networkd_t)
+
+dev_read_urand(systemd_networkd_t)
+dev_read_sysfs(systemd_networkd_t)
+dev_write_kmsg(systemd_networkd_t)
+
+files_read_etc_files(systemd_networkd_t)
+
+auth_use_nsswitch(systemd_networkd_t)
+
+init_dgram_send(systemd_networkd_t)
+init_read_state(systemd_networkd_t)
+
+logging_send_syslog_msg(systemd_networkd_t)
+
+miscfiles_read_localization(systemd_networkd_t)
+
+sysnet_read_config(systemd_networkd_t)
+
+systemd_log_parse_environment(systemd_networkd_t)
+
+optional_policy(`
+	dbus_system_bus_client(systemd_networkd_t)
+	dbus_connect_system_bus(systemd_networkd_t)
+')
+
+optional_policy(`
+	udev_read_db(systemd_networkd_t)
+	udev_read_pid_files(systemd_networkd_t)
+')
+
+########################################
+#
 # systemd_notify local policy
 #
 allow systemd_notify_t self:capability chown;
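Review bot: the `self:capability` set includes `setuid setgid setpcap` and the domain gets `corecmd_bin_entry_type`/`corecmd_exec_bin` with no comment; a line explaining the privilege drop and which binaries networkd executes would keep these from being trimmed later. Also, of the six new interfaces in `systemd.if`, only `systemd_rw_networkd_netlink_route_sockets` is called in this patch (from `init.te`); `systemd_relabelfrom_networkd_tun_sockets` in particular pairs with the `tun_socket { relabelfrom relabelto }` rule here but has no caller, so either a consumer should be added or the interface dropped until one exists.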


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2017-10-29 20:42 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2017-10-29 20:42 UTC (permalink / raw
  To: gentoo-commits

commit:     c67b1ee5089ea859ab1560ae3ff43d3e731151d9
Author:     Amadeusz Sławiński <amade <AT> asmblr <DOT> net>
AuthorDate: Tue Oct 17 20:39:17 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Oct 29 13:57:28 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c67b1ee5

lvm: allow map perms on lvm_etc_t

Signed-off-by: Amadeusz Sławiński <amade <AT> asmblr.net>

 policy/modules/system/lvm.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index f75f2645..7c601fad 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -211,6 +211,7 @@ manage_sock_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t)
 files_pid_filetrans(lvm_t, lvm_var_run_t, { file sock_file })
 
 read_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)
+allow lvm_t lvm_etc_t:file map;
 read_lnk_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)
 # Write to /etc/lvm, /etc/lvmtab, /etc/lvmtab.d
 manage_files_pattern(lvm_t, lvm_metadata_t, lvm_metadata_t)
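Review bot: the new `allow lvm_t lvm_etc_t:file map;` is placed between `read_files_pattern(...)` and `read_lnk_files_pattern(...)`, splitting the pattern pair; put it after them, or, if this tree already has an mmap-capable read pattern macro, use that instead of a raw `allow` so the `map` permission stays in step with the read rules. A short comment on which lvm operation maps its config (the commit message gives no reason) would also help.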


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2017-10-30 15:07 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2017-10-30 15:07 UTC (permalink / raw
  To: gentoo-commits

commit:     dad9b3b3a4e4f0671358b440444d34fc292c9cc1
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Oct 30 07:45:40 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Oct 30 09:37:17 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=dad9b3b3

modutils: make kmod_tmpfiles a file_type even without systemd

OpenRC uses it too and without this it can't get associated with tmpfs

 policy/modules/system/modutils.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index c8aef93a..98229989 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -25,6 +25,7 @@ files_type(modules_dep_t)
 
 type kmod_tmpfiles_conf_t;
 typealias kmod_tmpfiles_conf_t alias { kmod_var_run_t systemd_kmod_conf_t };
+files_config_file(kmod_tmpfiles_conf_t)
 ifdef(`init_systemd',`
 	systemd_tmpfiles_conf_file(kmod_tmpfiles_conf_t)
 	systemd_tmpfiles_conf_filetrans(kmod_t, kmod_tmpfiles_conf_t, file)


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2017-10-31  5:40 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2017-10-31  5:40 UTC (permalink / raw
  To: gentoo-commits

commit:     2084c79dd51f642b986a1dcfbfb343dc497e48b0
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Tue Oct 31 01:39:39 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Oct 31 05:16:01 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2084c79d

miscfiles: Module version bump.

 policy/modules/system/miscfiles.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te
index 1823eb40..b009f437 100644
--- a/policy/modules/system/miscfiles.te
+++ b/policy/modules/system/miscfiles.te
@@ -1,4 +1,4 @@
-policy_module(miscfiles, 1.13.1)
+policy_module(miscfiles, 1.13.2)
 
 ########################################
 #


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2017-10-31  5:40 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2017-10-31  5:40 UTC (permalink / raw
  To: gentoo-commits

commit:     e138f2b3eecab7cc264b914dff2aaa58c9bba703
Author:     Russell Coker <russell <AT> coker <DOT> com <DOT> au>
AuthorDate: Tue Oct 31 01:38:17 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Oct 31 05:16:01 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e138f2b3

refpolicy and certs

The following patch allows mon_t to set limits for its children and removes
cert_t labelling from CA public keys (that aren't secret) so that processes
which only need to verify keys (e.g. HTTPS clients) don't need cert_t access.

 policy/modules/system/miscfiles.fc | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
index 1ccaaec7..a46d97cc 100644
--- a/policy/modules/system/miscfiles.fc
+++ b/policy/modules/system/miscfiles.fc
@@ -46,12 +46,9 @@ ifdef(`distro_redhat',`
 
 /usr/lib/perl5/man(/.*)?	gen_context(system_u:object_r:man_t,s0)
 
-/usr/local/share/ca-certificates(/.*)?	gen_context(system_u:object_r:cert_t,s0)
-
 /usr/local/share/fonts(/.*)?	gen_context(system_u:object_r:fonts_t,s0)
 
 /usr/share/docbook2X/xslt/man(/.*)?	gen_context(system_u:object_r:usr_t,s0)
-/usr/share/ca-certificates(/.*)?	gen_context(system_u:object_r:cert_t,s0)
 /usr/share/fonts(/.*)?		gen_context(system_u:object_r:fonts_t,s0)
 /usr/share/X11/fonts(/.*)?	gen_context(system_u:object_r:fonts_t,s0)
 /usr/share/ghostscript/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
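Review bot: the commit message describes two changes (mon_t setting limits for its children, and dropping `cert_t` from CA public keys) but this diff only contains the `miscfiles.fc` part, so the mon_t half is either in another commit or missing; the message should say which. On the change itself: with the two `ca-certificates` entries gone those trees fall back to the `/usr/share` and `/usr/local/share` defaults, which matches the stated intent, but any domain that today reaches the CA bundles only through `cert_t` access (e.g. via `miscfiles_read_all_certs`) will now need read access under the fallback label, so existing consumers should be checked before this lands.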


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2017-11-05  8:01 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2017-11-05  8:01 UTC (permalink / raw
  To: gentoo-commits

commit:     7c26bbe13b7092ebfcaf064de9f464bca877a98c
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Oct 31 05:37:06 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Nov  5 06:38:35 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7c26bbe1

userdomain: allow admin to rw tape storage

 policy/modules/system/userdomain.if | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index bc8052e6..cb183a90 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1251,6 +1251,8 @@ template(`userdom_admin_user_template',`
 	fs_set_all_quotas($1_t)
 	fs_exec_noxattr($1_t)
 
+	storage_read_tape($1_t)
+	storage_write_tape($1_t)
 	storage_raw_read_removable_device($1_t)
 	storage_raw_write_removable_device($1_t)
 


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2017-11-17 14:59 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2017-11-17 14:59 UTC (permalink / raw
  To: gentoo-commits

commit:     b1cf5abd007ff512447be668a8882cef072e9049
Author:     Guido Trentalancia <guido <AT> trentalancia <DOT> com>
AuthorDate: Wed Nov  8 17:30:09 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Nov 15 01:10:14 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b1cf5abd

base: create a type for SSL private keys

Reserve the tls_privkey_t file label for SSL/TLS private keys (e.g.
files in /etc/pki/*/private/).

Create and use appropriate interfaces for such new scenario (so
that SSL/TLS private keys are protected).

This part (1/2) refers to the base policy changes.

Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.com>

 policy/modules/system/miscfiles.fc |   1 +
 policy/modules/system/miscfiles.if | 115 +++++++++++++++++++++++++++++++++++--
 policy/modules/system/miscfiles.te |   7 +++
 3 files changed, 119 insertions(+), 4 deletions(-)

diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
index a46d97cc..48e4c6ad 100644
--- a/policy/modules/system/miscfiles.fc
+++ b/policy/modules/system/miscfiles.fc
@@ -12,6 +12,7 @@ ifdef(`distro_gentoo',`
 /etc/httpd/alias/[^/]*\.db(\.[^/]*)* -- gen_context(system_u:object_r:cert_t,s0)
 /etc/localtime		--	gen_context(system_u:object_r:locale_t,s0)
 /etc/pki/certs/(.*)?	--	gen_context(system_u:object_r:cert_t,s0)
+/etc/pki/.*/private(/.*)?	gen_context(system_u:object_r:tls_privkey_t,s0)
 /etc/pki/private/(.*)?	--	gen_context(system_u:object_r:cert_t,s0)
 /etc/ssl/certs/(.*)?	--	gen_context(system_u:object_r:cert_t,s0)
 /etc/ssl/private/(.*)?	--	gen_context(system_u:object_r:cert_t,s0)
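Review bot: the new `/etc/pki/.*/private(/.*)?` → `tls_privkey_t` entry sits directly above `/etc/pki/private/(.*)? -- cert_t` and `/etc/ssl/private/(.*)? -- cert_t`, which are left untouched; if the goal is to keep private keys out of `cert_t`, those two `private` directories are the obvious candidates and should move to `tls_privkey_t` too, or the commit message should say why they stay. Also the new entry has no `--`, so unlike its neighbours it labels the directory as well as the files, which is what `miscfiles_read_generic_tls_privkey`'s `dir list_dir_perms` expects; fine, but worth a comment given the surrounding entries are file-only.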

diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
index b3c46fa4..1a443703 100644
--- a/policy/modules/system/miscfiles.if
+++ b/policy/modules/system/miscfiles.if
@@ -46,7 +46,52 @@ interface(`miscfiles_cert_type',`
 
 ########################################
 ## <summary>
-##	Read all SSL certificates.
+##	Make the specified type usable
+##	as a SSL/TLS private key file.
+## </summary>
+## <desc>
+##	<p>
+##	Make the specified type usable for SSL/TLS private key files.
+##	This will also make the type usable for files, making
+##	calls to files_type() redundant.  Failure to use this interface
+##	for a temporary file may result in problems with
+##	SSL/TLS private key management tools.
+##	</p>
+##	<p>
+##	Related interfaces:
+##	</p>
+##	<ul>
+##		<li>files_type()</li>
+##	</ul>
+##	<p>
+##	Example:
+##	</p>
+##	<p>
+##	type mytlsprivkeyfile_t;
+##	tls_privkey_type(mytlsprivkeyfile_t)
+##	allow mydomain_t mytlsprivkeyfile_t:file read_file_perms;
+##	files_search_etc(mydomain_t)
+##	</p>
+## </desc>
+## <param name="type">
+##	<summary>
+##	Type to be used for files.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`miscfiles_tls_privkey_type',`
+	gen_require(`
+		attribute tls_privkey_type;
+	')
+
+	typeattribute $1 tls_privkey_type;
+	files_type($1)
+')
+
+########################################
+## <summary>
+##	Read all SSL/TLS certificates.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
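Review bot: the example inside the `<desc>` of `miscfiles_tls_privkey_type` calls `tls_privkey_type(mytlsprivkeyfile_t)`, which is not the interface name; it should read `miscfiles_tls_privkey_type(mytlsprivkeyfile_t)`. The sentence "Failure to use this interface for a temporary file may result in problems with SSL/TLS private key management tools" reads as copied from a temporary-file interface description and does not apply here; rephrase or drop it. The summary's "a SSL/TLS" should be "an SSL/TLS".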
@@ -67,7 +112,7 @@ interface(`miscfiles_read_all_certs',`
 
 ########################################
 ## <summary>
-##	Read generic SSL certificates.
+##	Read generic SSL/TLS certificates.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -118,7 +163,7 @@ interface(`miscfiles_relabel_user_certs',`
 
 ########################################
 ## <summary>
-##	Manage generic SSL certificates.
+##	Manage generic SSL/TLS certificates.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -136,7 +181,7 @@ interface(`miscfiles_manage_generic_cert_dirs',`
 
 ########################################
 ## <summary>
-##	Manage generic SSL certificates.
+##	Manage generic SSL/TLS certificates.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -156,6 +201,68 @@ interface(`miscfiles_manage_generic_cert_files',`
 
 ########################################
 ## <summary>
+##	Read generic SSL/TLS private
+##	keys.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`miscfiles_read_generic_tls_privkey',`
+	gen_require(`
+		type tls_privkey_t;
+	')
+
+	allow $1 tls_privkey_t:dir list_dir_perms;
+	read_files_pattern($1, tls_privkey_t, tls_privkey_t)
+	read_lnk_files_pattern($1, tls_privkey_t, tls_privkey_t)
+')
+
+########################################
+## <summary>
+##	Manage generic SSL/TLS private
+##	keys.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`miscfiles_manage_generic_tls_privkey_dirs',`
+	gen_require(`
+		type tls_privkey_t;
+	')
+
+	manage_dirs_pattern($1, tls_privkey_t, tls_privkey_t)
+')
+
+########################################
+## <summary>
+##	Manage generic SSL/TLS private
+##	keys.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`miscfiles_manage_generic_tls_privkey_files',`
+	gen_require(`
+		type tls_privkey_t;
+	')
+
+	manage_files_pattern($1, tls_privkey_t, tls_privkey_t)
+	read_lnk_files_pattern($1, tls_privkey_t, tls_privkey_t)
+')
+
+########################################
+## <summary>
 ##	Read fonts.
 ## </summary>
 ## <param name="domain">
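Review bot: `miscfiles_manage_generic_tls_privkey_dirs` and `miscfiles_manage_generic_tls_privkey_files` carry the identical summary "Manage generic SSL/TLS private keys"; the first should say "private key directories" so the generated docs distinguish them. `<rolecap/>` is set on the read and manage-files interfaces but not on the dirs one; if it is intentional that managing the directory is not a role capability, fine, otherwise make the three consistent. Since the type holds private keys, the `<desc>` of the read interface could also state that callers should be limited to the daemons that own the keys.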

diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te
index b009f437..88b1807e 100644
--- a/policy/modules/system/miscfiles.te
+++ b/policy/modules/system/miscfiles.te
@@ -6,6 +6,7 @@ policy_module(miscfiles, 1.13.2)
 #
 
 attribute cert_type;
+attribute tls_privkey_type;
 
 #
 # cert_t is the type of files in the system certs directories.
@@ -14,6 +15,12 @@ type cert_t;
 miscfiles_cert_type(cert_t)
 
 #
+# tls_privkey_t is the type of files for the SSL/TLS private keys.
+#
+type tls_privkey_t;
+miscfiles_tls_privkey_type(tls_privkey_t)
+
+#
 # fonts_t is the type of various font
 # files in /usr
 #


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2017-11-17 14:59 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2017-11-17 14:59 UTC (permalink / raw
  To: gentoo-commits

commit:     f299262e1366f633c3815664d1b7cb582123256c
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Fri Nov 10 01:36:54 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Nov 15 01:11:07 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f299262e

Several module version bumps.

 policy/modules/system/miscfiles.te | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te
index 88b1807e..e16c5808 100644
--- a/policy/modules/system/miscfiles.te
+++ b/policy/modules/system/miscfiles.te
@@ -15,12 +15,6 @@ type cert_t;
 miscfiles_cert_type(cert_t)
 
 #
-# tls_privkey_t is the type of files for the SSL/TLS private keys.
-#
-type tls_privkey_t;
-miscfiles_tls_privkey_type(tls_privkey_t)
-
-#
 # fonts_t is the type of various font
 # files in /usr
 #
@@ -75,3 +69,9 @@ files_type(test_file_t)
 #
 type tetex_data_t;
 files_tmp_file(tetex_data_t)
+
+#
+# tls_privkey_t is the type of files for the SSL/TLS private keys.
+#
+type tls_privkey_t;
+miscfiles_tls_privkey_type(tls_privkey_t)
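Review bot: the subject says "Several module version bumps", but the only change shown for miscfiles.te is moving the tls_privkey_t declaration from between cert_t and fonts_t to the end of the file; neither hunk touches the `policy_module(miscfiles, ...)` line. If a bump for miscfiles was intended it is missing here, and if this is only the reordering it should say so (or be squashed into the commit that introduced the type).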


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2017-11-17 14:59 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2017-11-17 14:59 UTC (permalink / raw
  To: gentoo-commits

commit:     c11a4345ff667eaa103b968056865fbc4e1024d3
Author:     Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Tue Nov 14 02:04:56 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Nov 15 01:11:07 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c11a4345

libraries: Add fc entry for musl's ld.so config

 policy/modules/system/libraries.fc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
index 482bb014..36ef066f 100644
--- a/policy/modules/system/libraries.fc
+++ b/policy/modules/system/libraries.fc
@@ -29,6 +29,7 @@ ifdef(`distro_redhat',`
 #
 /etc/ld\.so\.cache			--	gen_context(system_u:object_r:ld_so_cache_t,s0)
 /etc/ld\.so\.preload			--	gen_context(system_u:object_r:ld_so_cache_t,s0)
+/etc/ld-musl-[^/]*\.path		--	gen_context(system_u:object_r:ld_so_cache_t,s0)
 
 /etc/ppp/plugins/rp-pppoe\.so 		--	gen_context(system_u:object_r:lib_t,s0)
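Review bot: `/etc/ld-musl-[^/]*\.path` is musl's dynamic-loader search-path file, so whoever may write ld_so_cache_t can now redirect library lookup for every dynamically linked program on a musl system, exactly as with the `/etc/ld.so.preload` entry two lines up; that is consistent with existing practice here, but a comment that this file is loader configuration rather than a generated cache would help, and it is worth confirming that only the ldconfig-style domains hold write access to ld_so_cache_t.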
 


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2017-12-12  7:59 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2017-12-12  7:59 UTC (permalink / raw
  To: gentoo-commits

commit:     60d89770b45fce6ae0eefabbbbebd1fbaa717eea
Author:     David Sugar <dsugar <AT> tresys <DOT> com>
AuthorDate: Fri Dec  8 22:30:58 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Dec 12 07:06:27 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=60d89770

label systemd-shutdown so shutdown works

I am seeing (on RHEL 7.4 w/systemd) that halting the system doesn't work.  It took me a long time (and a lot of help from Steve L.) to figure out what was going on.  It turns out in refpolicy the default label for /usr/lib/systemd/systemd-shutdown is bin_t.  But when systemd tries to execve systemd-shutdown it fails because init_t isn't allowed file entrypoint for bin_t.  When I labeled systemd-shutdown as init_exec_t shutting down the system works.

I was seeing the following log (from systemd) when I enabled systemd debug logging (which was very useful).

[   59.745037] systemd[1]: Starting Final Step.
[   59.746112] systemd[1]: Starting Power-Off...
[   59.776320] systemd[1]: Shutting down.
[   59.783559] systemd[1]: Failed to execute shutdown binary, freezing: Operation not permitted

At this point everything locks up instead of actually halting the system.

This is a patch to change the label for systemd-shutdown, which solves the problem.  I'm happy to go through and make a distinct type for systemd-shutdown if someone doesn't think it is a good idea to share the type with systemd.  But based on what is going on, this might be reasonable.

Signed-off-by: Dave Sugar <dsugar <AT> tresys.com>

 policy/modules/system/init.fc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
index d029ea30..bf0acaf9 100644
--- a/policy/modules/system/init.fc
+++ b/policy/modules/system/init.fc
@@ -29,6 +29,7 @@ ifdef(`distro_gentoo',`
 /usr/bin/upstart	--	gen_context(system_u:object_r:init_exec_t,s0)
 
 /usr/lib/systemd/systemd --	gen_context(system_u:object_r:init_exec_t,s0)
+/usr/lib/systemd/systemd-shutdown	--	gen_context(system_u:object_r:init_exec_t,s0)
 /usr/lib/systemd/system-preset(/.*)? gen_context(system_u:object_r:systemd_unit_t,s0)
 /usr/lib/systemd/user-preset(/.*)? gen_context(system_u:object_r:systemd_unit_t,s0)
 /usr/lib/systemd/ntp-units\.d -d gen_context(system_u:object_r:systemd_unit_t,s0)
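Review bot: labelling systemd-shutdown init_exec_t makes it a second entrypoint for init_t; the commit message itself offers a distinct type, and that is the safer shape, since any domain allowed to domtrans through init_exec_t gains the same transition via systemd-shutdown. If the shared type is kept, a comment saying that init_t must execve this binary in the final shutdown step (the `Failed to execute shutdown binary` case above) will stop someone later "fixing" the label back to bin_t. The new line is also aligned with tabs while the `/usr/lib/systemd/systemd --` line directly above it uses a space.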


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2017-12-12  7:59 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2017-12-12  7:59 UTC (permalink / raw
  To: gentoo-commits

commit:     cea191481ead6fd006f9dc695f491a7651b24f56
Author:     Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Wed Dec  6 17:06:04 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Dec 12 07:06:26 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=cea19148

Add private type for systemd logind inhibit files and pipes

 policy/modules/system/systemd.fc |  2 +-
 policy/modules/system/systemd.if | 20 ++++++++++++++++++++
 policy/modules/system/systemd.te |  9 ++++++++-
 3 files changed, 29 insertions(+), 2 deletions(-)

diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index 392b00b9..73da3de4 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -49,7 +49,7 @@
 /run/systemd/sessions(/.*)?	gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
 /run/systemd/transient(/.*)?	gen_context(system_u:object_r:systemd_unit_t,s0)
 /run/systemd/users(/.*)?	gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
-/run/systemd/inhibit(/.*)?	gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
+/run/systemd/inhibit(/.*)?	gen_context(system_u:object_r:systemd_logind_inhibit_var_run_t,s0)
 /run/systemd/nspawn(/.*)?	gen_context(system_u:object_r:systemd_nspawn_var_run_t,s0)
 /run/systemd/machines(/.*)?	gen_context(system_u:object_r:systemd_machined_var_run_t,s0)
 /run/systemd/netif(/.*)?	gen_context(system_u:object_r:systemd_networkd_var_run_t,s0)
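Review bot: the new context only reaches directories created after the policy is loaded (via the filetrans in systemd.te); on a running system `/run/systemd/inhibit` keeps systemd_logind_var_run_t until `restorecon -R /run/systemd` or a reboot, so the commit message should mention the relabel.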

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 8f914837..d875098a 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -138,6 +138,26 @@ interface(`systemd_write_inherited_logind_sessions_pipes',`
 	allow systemd_logind_t $1:process signal;
 ')
 
+######################################
+## <summary>
+##      Write inherited logind inhibit pipes.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`systemd_write_inherited_logind_inhibit_pipes',`
+	gen_require(`
+		type systemd_logind_inhibit_var_run_t;
+		type systemd_logind_t;
+	')
+
+	allow $1 systemd_logind_t:fd use;
+	allow $1 systemd_logind_inhibit_var_run_t:fifo_file write;
+')
+
 ########################################
 ## <summary>
 ##   Send and receive messages from
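Review bot: the banner above the new interface is 38 `#` characters while every neighbouring banner is 40, and the summary/param lines inside the XML block are indented with spaces instead of the tabs used by `systemd_write_inherited_logind_sessions_pipes` just above; both will trip style checks. The body itself is the right shape for an inherited FIFO (`fd use` on logind plus `fifo_file write`).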

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 5051b87c..9a65b8f6 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -101,6 +101,9 @@ type systemd_logind_var_run_t;
 files_pid_file(systemd_logind_var_run_t)
 init_daemon_pid_file(systemd_logind_var_run_t, dir, "systemd_logind")
 
+type systemd_logind_inhibit_var_run_t;
+files_pid_file(systemd_logind_inhibit_var_run_t)
+
 type systemd_machined_t;
 type systemd_machined_exec_t;
 init_daemon_domain(systemd_machined_t, systemd_machined_exec_t)
@@ -364,7 +367,11 @@ init_var_lib_filetrans(systemd_logind_t, systemd_logind_var_lib_t, dir)
 manage_fifo_files_pattern(systemd_logind_t, systemd_logind_var_run_t, systemd_logind_var_run_t)
 manage_files_pattern(systemd_logind_t, systemd_logind_var_run_t, systemd_logind_var_run_t)
 allow systemd_logind_t systemd_logind_var_run_t:dir manage_dir_perms;
-init_pid_filetrans(systemd_logind_t, systemd_logind_var_run_t, dir, "inhibit")
+
+manage_dirs_pattern(systemd_logind_t, systemd_logind_inhibit_var_run_t, systemd_logind_inhibit_var_run_t)
+manage_files_pattern(systemd_logind_t, systemd_logind_inhibit_var_run_t, systemd_logind_inhibit_var_run_t)
+manage_fifo_files_pattern(systemd_logind_t, systemd_logind_inhibit_var_run_t, systemd_logind_inhibit_var_run_t)
+init_pid_filetrans(systemd_logind_t, systemd_logind_inhibit_var_run_t, dir, "inhibit")
 
 allow systemd_logind_t systemd_sessions_var_run_t:dir manage_dir_perms;
 allow systemd_logind_t systemd_sessions_var_run_t:file manage_file_perms;
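Review bot: the inhibit directory and its pipes move to systemd_logind_inhibit_var_run_t, but no caller of the new `systemd_write_inherited_logind_inhibit_pipes` is added anywhere in this patch, so any domain that takes an inhibitor lock and previously reached the FIFO through systemd_logind_var_run_t permissions will now be denied `fifo_file write`; either add the calls for the known inhibitor users in the same change or state in the commit message that follow-up patches carry them. A short comment naming `/run/systemd/inhibit` next to the filetrans would also tie the three pattern lines to the .fc entry.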


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2017-12-12  7:59 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2017-12-12  7:59 UTC (permalink / raw
  To: gentoo-commits

commit:     f0c0bd6830718a75ea48fa83581c82f8346d302a
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Dec 10 19:45:10 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Dec 12 07:06:27 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f0c0bd68

init: Module version bump.

 policy/modules/system/init.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 4ef6d035..210df6f3 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 2.3.9)
+policy_module(init, 2.3.10)
 
 gen_require(`
 	class passwd rootok;


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2017-12-12  7:59 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2017-12-12  7:59 UTC (permalink / raw
  To: gentoo-commits

commit:     cd882d60b804d24d79c12313a4e6f67c92af0485
Author:     Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Wed Dec  6 17:06:03 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Dec 12 07:06:26 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=cd882d60

Allow domains using sysnet_dns_name_resolve() interface to access NSS mymachines files

If the machine is using the mymachines NSS module, the domain doing DNS
resolution should be able to access files under /run/systemd/machines/.

 policy/modules/system/sysnetwork.if | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
index a20a2d46..53c806a5 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -751,6 +751,11 @@ interface(`sysnet_dns_name_resolve',`
 	optional_policy(`
 		nscd_use($1)
 	')
+
+	# This seems needed when the mymachines NSS module is used
+	optional_policy(`
+		systemd_read_machines($1)
+	')
 ')
 
 ########################################
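Review bot: adding `systemd_read_machines($1)` to `sysnet_dns_name_resolve` grants every DNS-resolving domain read access to `/run/systemd/machines` whether or not nss-mymachines is configured, and the comment "This seems needed" does not record what was observed; either gate it behind a tunable (or a dedicated interface called from the domains that actually resolve container names) or at least document the denial that motivated it, since this interface is called from a very large number of domains.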


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2017-12-14  5:15 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2017-12-14  5:15 UTC (permalink / raw
  To: gentoo-commits

commit:     cdfafeaeac734530e89e329dccf9ca03840e0b62
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Dec 13 18:15:35 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Dec 14 04:55:22 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=cdfafeae

userdomain: Allow public content access

All are allowed read access to readonly files.
Unpriv and admin users are allowed rw access to public rw files.

 policy/modules/system/userdomain.if | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 696983f1..0d4fa8e4 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -894,6 +894,7 @@ template(`userdom_login_user_template', `
 	miscfiles_read_man_pages($1_t)
 	# map is needed for man-dbs apropos program
 	miscfiles_map_man_cache($1_t)
+	miscfiles_read_public_files($1_t)
 	# for running TeX programs
 	miscfiles_read_tetex_data($1_t)
 	miscfiles_exec_tetex_data($1_t)
@@ -1093,6 +1094,8 @@ template(`userdom_unpriv_user_template', `
 
 	files_exec_usr_files($1_t)
 
+	miscfiles_manage_public_files($1_t)
+
 	tunable_policy(`user_dmesg',`
 		kernel_read_ring_buffer($1_t)
 	',`
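Review bot: the commit message says unpriv and admin users get rw access to public rw files, but only `userdom_unpriv_user_template` gains `miscfiles_manage_public_files($1_t)` here and the admin template is not touched, so either the message overstates the change or the admin half is missing. `miscfiles_manage_public_files` is also a full manage (create/write/unlink) grant on public rw content for every unprivileged user; wrapping it in a tunable would match how refpolicy gates daemon writes to public content.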


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2017-12-14  5:15 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2017-12-14  5:15 UTC (permalink / raw
  To: gentoo-commits

commit:     ec078ec960bf0bdade1b2f7d5438e30344c21956
Author:     David Sugar <dsugar <AT> tresys <DOT> com>
AuthorDate: Tue Dec 12 02:15:18 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Dec 13 12:03:31 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ec078ec9

Make an attribute for objects in /run/user/%{USERID}/*

Set up the attribute user_runtime_content_type in userdomain for files in /run/user/%{USERID}/*, interfaces to associate this attribute with types, and interfaces to delete types with this attribute.

Signed-off-by: Dave Sugar <dsugar <AT> tresys.com>

 policy/modules/system/userdomain.if | 156 +++++++++++++++++++++++++++++++++++-
 policy/modules/system/userdomain.te |   4 +
 2 files changed, 159 insertions(+), 1 deletion(-)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 68e0ee8b..696983f1 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -2978,6 +2978,28 @@ interface(`userdom_relabel_user_tmpfs_files',`
 
 ########################################
 ## <summary>
+##	Make the specified type usable in 
+##	the directory /run/user/%{USERID}/.
+## </summary>
+## <param name="type">
+##	<summary>
+##	Type to be used as a file in the
+##	user_runtime_content_dir_t.
+##	</summary>
+## </param>
+#
+interface(`userdom_user_runtime_content',`
+	gen_require(`
+		attribute user_runtime_content_type;
+	')
+
+	typeattribute $1 user_runtime_content_type;
+	files_type($1)
+	ubac_constrained($1)
+')
+
+########################################
+## <summary>
 ##	Search users runtime directories.
 ## </summary>
 ## <param name="domain">
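Review bot: the param doc says "Type to be used as a file in the user_runtime_content_dir_t", but no such type exists in this patch (what userdomain.te adds is the attribute user_runtime_content_type); reword to "Type to be associated with the user_runtime_content_type attribute". There is also trailing whitespace after "usable in" on the summary line.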
@@ -3143,7 +3165,139 @@ interface(`userdom_delete_user_runtime_files',`
 	')
 
 	allow $1 user_runtime_t:dir list_dir_perms;
-	allow $1 user_runtime_t:file unlink;
+	allow $1 user_runtime_t:file delete_file_perms;
+')
+
+########################################
+## <summary>
+##	Search users runtime directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_search_all_user_runtime',`
+	gen_require(`
+		attribute user_runtime_content_type;
+	')
+
+	allow $1 user_runtime_content_type:dir search_dir_perms;
+	userdom_search_user_runtime_root($1)
+')
+
+########################################
+## <summary>
+##	List user runtime directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_list_all_user_runtime',`
+	gen_require(`
+		attribute user_runtime_content_type;
+	')
+
+	allow $1 user_runtime_content_type:dir list_dir_perms;
+	userdom_search_user_runtime($1)
+')
+
+########################################
+## <summary>
+##	delete user runtime directories
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_delete_all_user_runtime_dirs',`
+	gen_require(`
+		attribute user_runtime_content_type;
+	')
+
+	allow $1 user_runtime_content_type:dir { delete_dir_perms del_entry_dir_perms list_dir_perms };
+')
+
+########################################
+## <summary>
+##	delete user runtime files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_delete_all_user_runtime_files',`
+	gen_require(`
+		attribute user_runtime_content_type;
+	')
+
+	allow $1 user_runtime_content_type:dir list_dir_perms;
+	allow $1 user_runtime_content_type:file delete_file_perms;
+')
+
+########################################
+## <summary>
+##	delete user runtime symlink files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_delete_all_user_runtime_symlinks',`
+	gen_require(`
+		attribute user_runtime_content_type;
+	')
+
+	allow $1 user_runtime_content_type:dir list_dir_perms;
+	allow $1 user_runtime_content_type:fifo_file delete_lnk_file_perms;
+')
+
+########################################
+## <summary>
+##	delete user runtime fifo files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_delete_all_user_runtime_named_pipes',`
+	gen_require(`
+		attribute user_runtime_content_type;
+	')
+
+	allow $1 user_runtime_content_type:dir list_dir_perms;
+	allow $1 user_runtime_content_type:fifo_file delete_fifo_file_perms;
+')
+
+########################################
+## <summary>
+##	delete user runtime socket files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_delete_all_user_runtime_named_sockets',`
+	gen_require(`
+		attribute user_runtime_content_type;
+	')
+
+	allow $1 user_runtime_content_type:dir list_dir_perms;
+	allow $1 user_runtime_content_type:file delete_sock_file_perms;
 ')
 
 ########################################
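Review bot: two of the new interfaces use the wrong object class. `userdom_delete_all_user_runtime_symlinks` has `allow $1 user_runtime_content_type:fifo_file delete_lnk_file_perms;` and needs `lnk_file`, and `userdom_delete_all_user_runtime_named_sockets` has `allow $1 user_runtime_content_type:file delete_sock_file_perms;` and needs `sock_file`; as written, symlinks and sockets still cannot be removed while the FIFO and regular-file grants are merely duplicated, which is exactly what the systemd_logind caller in the next commit relies on. Smaller points: `userdom_search_all_user_runtime` reuses the summary "Search users runtime directories." of the existing per-user interface and should say "all users"; `userdom_list_all_user_runtime` calls `userdom_search_user_runtime` while its search sibling calls `userdom_search_user_runtime_root`, so one of the two is inconsistent; and the summaries of the five delete interfaces start lowercase unlike the rest of the file.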

diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 0e8aa374..a130215b 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -75,6 +75,9 @@ attribute unpriv_userdomain;
 
 attribute user_home_content_type;
 
+# dirs/files/etc created in /run/user/%{USERID}/
+attribute user_runtime_content_type;
+
 type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
 fs_associate_tmpfs(user_home_dir_t)
 files_type(user_home_dir_t)
@@ -128,6 +131,7 @@ files_poly(user_runtime_t)
 files_poly_member(user_runtime_t)
 files_poly_parent(user_runtime_t)
 ubac_constrained(user_runtime_t)
+userdom_user_runtime_content(user_runtime_t)
 
 ifdef(`distro_gentoo',`
 	# We used to use cert_home_t but an upstream commit introduced the same
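Review bot: `userdom_user_runtime_content(user_runtime_t)` already applies `files_type` and `ubac_constrained` to the type, so the `ubac_constrained(user_runtime_t)` line directly above it becomes redundant; drop the duplicate so the interface is the single place the type's attributes come from.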


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2017-12-14  5:15 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2017-12-14  5:15 UTC (permalink / raw
  To: gentoo-commits

commit:     a4cd0594e707a739edae6a241a92823e90e31203
Author:     David Sugar <dsugar <AT> tresys <DOT> com>
AuthorDate: Tue Dec 12 02:15:28 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Dec 13 12:03:31 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a4cd0594

Allow systemd_logind to delete user_runtime_content_type files

Now that objects in /run/user/%{USERID}/* use the attribute user_runtime_content_type, use the interfaces userdom_delete_all_user_runtime_* to allow deletion of these objects.

type=AVC msg=audit(1511920346.734:199): avc:  denied  { read } for  pid=1067 comm="systemd-logind" name="dconf" dev="tmpfs" ino=14745 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
type=AVC msg=audit(1511920346.734:199): avc:  denied  { open } for  pid=1067 comm="systemd-logind" path="/run/user/998/dconf" dev="tmpfs" ino=14745 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
type=AVC msg=audit(1511920346.734:200): avc:  denied  { getattr } for  pid=1067 comm="systemd-logind" path="/run/user/998/dconf" dev="tmpfs" ino=14745 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
type=AVC msg=audit(1511920346.734:201): avc:  denied  { write } for  pid=1067 comm="systemd-logind" name="dconf" dev="tmpfs" ino=14745 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
type=AVC msg=audit(1511920346.734:201): avc:  denied  { remove_name } for  pid=1067 comm="systemd-logind" name="user" dev="tmpfs" ino=14746 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
type=AVC msg=audit(1511920346.734:201): avc:  denied  { unlink } for  pid=1067 comm="systemd-logind" name="user" dev="tmpfs" ino=14746 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=file
type=AVC msg=audit(1511920346.734:202): avc:  denied  { rmdir } for  pid=1067 comm="systemd-logind" name="dconf" dev="tmpfs" ino=14745 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir

Signed-off-by: Dave Sugar <dsugar <AT> tresys.com>

 policy/modules/system/systemd.te | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 9ab85680..f64059b1 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -445,6 +445,11 @@ udev_list_pids(systemd_logind_t)
 udev_read_db(systemd_logind_t)
 udev_read_pid_files(systemd_logind_t)
 
+userdom_delete_all_user_runtime_dirs(systemd_logind_t)
+userdom_delete_all_user_runtime_files(systemd_logind_t)
+userdom_delete_all_user_runtime_named_pipes(systemd_logind_t)
+userdom_delete_all_user_runtime_named_sockets(systemd_logind_t)
+userdom_delete_all_user_runtime_symlinks(systemd_logind_t)
 userdom_manage_user_runtime_dirs(systemd_logind_t)
 userdom_manage_user_runtime_root_dirs(systemd_logind_t)
 userdom_mounton_user_runtime_dirs(systemd_logind_t)
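Review bot: every AVC quoted in the commit message is on `tcontext=...:xdm_tmp_t`, but the five `userdom_delete_all_user_runtime_*` calls only reach types that carry user_runtime_content_type, and within this thread that is user_runtime_t alone (given the attribute in ec078ec9); these denials are therefore fixed only if xdm_tmp_t is given the attribute in the xserver module, which is not part of this change. Either include that hunk or reference the commit that carries it, otherwise the quoted AVCs keep firing after this lands. Note also that the symlink and socket interfaces being called here use the wrong object class in ec078ec9, so those two calls grant nothing for lnk_file or sock_file until that is fixed.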
@@ -454,7 +459,6 @@ userdom_relabel_user_tmpfs_files(systemd_logind_t)
 userdom_relabelfrom_user_runtime_dirs(systemd_logind_t)
 userdom_relabelto_user_runtime_dirs(systemd_logind_t)
 userdom_setattr_user_ttys(systemd_logind_t)
-userdom_delete_user_runtime_files(systemd_logind_t)
 userdom_use_user_ttys(systemd_logind_t)
 
 # Needed to work around patch not yet merged into the systemd-logind supported on RHEL 7.x


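The commit above quotes raw AVC records and then picks interfaces by hand. The script below is an added example, not code from the commit or from refpolicy: it parses those exact audit lines (embedded verbatim from the message above), unions the denied permissions per (source type, target type, class) so the full permission set is visible at once, renders them as raw allow rules for review, and reports which target types a proposed fix does not reach. It uses only the standard library; the `uncovered_targets` helper and the assumption that user_runtime_t is the only type carrying the attribute are this example's own.

```python
"""Aggregate SELinux AVC denials into candidate allow rules.

Added example, not code from the refpolicy commit above: it parses the
audit lines quoted in that commit message, groups them by
(source type, target type, object class) so the complete permission set
one domain needs on one type is visible at once, and reports which
target types a proposed fix does not cover. The sample lines are copied
from the commit message; nothing is read from a live audit log.
"""
import re
from collections import defaultdict

# The seven AVC lines from the commit message, embedded verbatim.
SAMPLE_AVCS = """\
type=AVC msg=audit(1511920346.734:199): avc:  denied  { read } for  pid=1067 comm="systemd-logind" name="dconf" dev="tmpfs" ino=14745 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
type=AVC msg=audit(1511920346.734:199): avc:  denied  { open } for  pid=1067 comm="systemd-logind" path="/run/user/998/dconf" dev="tmpfs" ino=14745 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
type=AVC msg=audit(1511920346.734:200): avc:  denied  { getattr } for  pid=1067 comm="systemd-logind" path="/run/user/998/dconf" dev="tmpfs" ino=14745 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
type=AVC msg=audit(1511920346.734:201): avc:  denied  { write } for  pid=1067 comm="systemd-logind" name="dconf" dev="tmpfs" ino=14745 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
type=AVC msg=audit(1511920346.734:201): avc:  denied  { remove_name } for  pid=1067 comm="systemd-logind" name="user" dev="tmpfs" ino=14746 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
type=AVC msg=audit(1511920346.734:201): avc:  denied  { unlink } for  pid=1067 comm="systemd-logind" name="user" dev="tmpfs" ino=14746 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=file
type=AVC msg=audit(1511920346.734:202): avc:  denied  { rmdir } for  pid=1067 comm="systemd-logind" name="dconf" dev="tmpfs" ino=14745 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir
"""

# One AVC record: decision, permission list, and the three context fields.
AVC_RE = re.compile(
    r"avc:\s+(?P<decision>denied|granted)\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(context):
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one audit line; return None for lines that are not AVC records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        "decision": m.group("decision"),
        "perms": set(m.group("perms").split()),
        "stype": context_type(m.group("scontext")),
        "ttype": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def aggregate(text):
    """Map (source type, target type, class) -> union of denied permissions."""
    needed = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is not None and rec["decision"] == "denied":
            needed[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return dict(needed)


def to_allow_rules(needed):
    """Render the aggregate as raw allow rules, sorted for stable review diffs."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(needed.items()):
        ordered = sorted(perms)
        perm_text = ordered[0] if len(ordered) == 1 else "{ " + " ".join(ordered) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_text};")
    return rules


def uncovered_targets(needed, covered_types):
    """Target types in the denials that a proposed fix does not address.

    covered_types is the set of types the fix reaches (for the commit above,
    the types carrying user_runtime_content_type); anything else still fires.
    """
    return {ttype for (_, ttype, _) in needed} - set(covered_types)


if __name__ == "__main__":
    needed = aggregate(SAMPLE_AVCS)
    for rule in to_allow_rules(needed):
        print(rule)
    # Assumption for this example: user_runtime_t is the only type given the
    # attribute in commit ec078ec9, so xdm_tmp_t is reported as not covered.
    print("not covered:", sorted(uncovered_targets(needed, {"user_runtime_t"})))
```

The raw rules are for review only; in refpolicy the fix is expressed through interfaces, and the aggregate makes it easy to see that the dir side needs list plus delete entry permissions while the file side needs only unlink, and that the target type is xdm_tmp_t rather than anything the patch relabels.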
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2018-01-18 16:37 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2018-01-18 16:37 UTC (permalink / raw
  To: gentoo-commits

commit:     6695d0d08a0be39393eb598e8b475e1cbb6cf756
Author:     Christian Göttsche <cgzones <AT> googlemail <DOT> com>
AuthorDate: Fri Dec 29 20:28:47 2017 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Jan 18 16:31:12 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6695d0d0

hostname: cmdline usage + signal perms sort

 policy/modules/system/hostname.te | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te
index 4e85d041..1a5a3581 100644
--- a/policy/modules/system/hostname.te
+++ b/policy/modules/system/hostname.te
@@ -17,7 +17,7 @@ role system_r types hostname_t;
 
 # sys_admin : for setting the hostname
 allow hostname_t self:capability sys_admin;
-allow hostname_t self:process { sigchld sigkill sigstop signull signal };
+allow hostname_t self:process { sigchld sigkill signal signull sigstop };
 allow hostname_t self:unix_stream_socket create_stream_socket_perms;
 dontaudit hostname_t self:capability sys_tty_config;
 
@@ -56,6 +56,8 @@ sysnet_dontaudit_rw_dhcpc_unix_stream_sockets(hostname_t)
 sysnet_read_config(hostname_t)
 sysnet_dns_name_resolve(hostname_t)
 
+userdom_use_inherited_user_terminals(hostname_t)
+
 optional_policy(`
 	nis_use_ypbind(hostname_t)
 ')
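Review bot: `userdom_use_inherited_user_terminals(hostname_t)` is the right, inherited-only form for a tool run from an interactive shell, but it sits unconditionally among the sysnet_ calls with nothing explaining it; a one-line comment tying it to the "cmdline usage" in the subject would save the next reader from wondering why hostname needs a user tty at all.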


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2018-01-18 16:37 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2018-01-18 16:37 UTC (permalink / raw
  To: gentoo-commits

commit:     67b9c0ff211df688283e80ddf383f82b1d43af29
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Fri Jan  5 21:20:50 2018 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Jan 18 16:31:34 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=67b9c0ff

init: Module version bump.

 policy/modules/system/init.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 210df6f3..345eaf47 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 2.3.10)
+policy_module(init, 2.3.11)
 
 gen_require(`
 	class passwd rootok;


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2018-01-18 16:37 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2018-01-18 16:37 UTC (permalink / raw
  To: gentoo-commits

commit:     cc056580cd98b1c4bdbf38565182c2dca0be1516
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Dec 31 12:06:52 2017 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Jan 18 16:31:17 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=cc056580

hostname: Module version bump.

 policy/modules/system/hostname.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te
index 1a5a3581..9a9c0fe4 100644
--- a/policy/modules/system/hostname.te
+++ b/policy/modules/system/hostname.te
@@ -1,4 +1,4 @@
-policy_module(hostname, 1.11.0)
+policy_module(hostname, 1.11.1)
 
 ########################################
 #


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2018-01-18 16:37 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2018-01-18 16:37 UTC (permalink / raw
  To: gentoo-commits

commit:     b6b208348814083b568c4aa64efcc644c5debeeb
Author:     Christian Göttsche <cgzones <AT> googlemail <DOT> com>
AuthorDate: Thu Jan  4 21:51:21 2018 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Jan 18 16:31:30 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b6b20834

init: add init_rw_inherited_stream_socket

 policy/modules/system/init.if | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index a512a5a4..547720de 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -891,6 +891,24 @@ interface(`init_dgram_send',`
 
 ########################################
 ## <summary>
+##	Read and write to inherited init unix streams.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_rw_inherited_stream_socket',`
+	gen_require(`
+		type init_t;
+	')
+
+	allow $1 init_t:unix_stream_socket { getattr read write ioctl };
+')
+
+########################################
+## <summary>
 ##	Allow the specified domain to read/write to
 ##	init with unix domain stream sockets.
 ##	</summary>
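Review bot: a descriptor inherited from init_t can only be used if the caller also holds `init_t:fd use`; this interface grants the socket permissions but not the fd rule, so callers will still be denied unless they separately call init_use_fds() (compare `systemd_write_inherited_logind_inhibit_pipes` earlier in this thread, which pairs `fd use` with the object permission). Either add the fd rule here or state the dependency in the summary. The spelled-out `{ getattr read write ioctl }` is fine for an inherited, already-connected socket since it deliberately omits connect and bind.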


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2018-02-18 11:30 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2018-02-18 11:30 UTC (permalink / raw
  To: gentoo-commits

commit:     0c11ce5d5e0d54d27e0607a746bab54a45ca09f3
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Thu Feb 15 22:07:08 2018 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Feb 18 11:20:22 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0c11ce5d

Misc dbus fixes from Russell Coker.

 policy/modules/system/init.te       |  6 +++++-
 policy/modules/system/locallogin.te |  3 ++-
 policy/modules/system/systemd.te    | 13 ++++++++++++-
 policy/modules/system/unconfined.te |  6 +++++-
 4 files changed, 24 insertions(+), 4 deletions(-)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 59c27676..846ab7b5 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 2.4.0)
+policy_module(init, 2.4.1)
 
 gen_require(`
 	class passwd rootok;
@@ -488,6 +488,10 @@ optional_policy(`
 
 optional_policy(`
 	dbus_system_bus_client(init_t)
+
+	optional_policy(`
+		unconfined_dbus_send(init_t)
+	')
 ')
 
 optional_policy(`

diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
index 4ea6e87f..f7b428a7 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -1,4 +1,4 @@
-policy_module(locallogin, 1.17.0)
+policy_module(locallogin, 1.17.1)
 
 ########################################
 #
@@ -137,6 +137,7 @@ userdom_create_all_users_keys(local_login_t)
 ifdef(`init_systemd',`
 	auth_manage_faillog(local_login_t)
 
+	init_dbus_chat(local_login_t)
 	systemd_dbus_chat_logind(local_login_t)
 	systemd_use_logind_fds(local_login_t)
 	systemd_manage_logind_pid_pipes(local_login_t)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index a8d597b5..0f6b4a45 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1,4 +1,4 @@
-policy_module(systemd, 1.5.0)
+policy_module(systemd, 1.5.1)
 
 #########################################
 #
@@ -308,6 +308,7 @@ systemd_log_parse_environment(systemd_hostnamed_t)
 optional_policy(`
 	dbus_connect_system_bus(systemd_hostnamed_t)
 	dbus_system_bus_client(systemd_hostnamed_t)
+	init_dbus_chat(systemd_hostnamed_t)
 ')
 
 optional_policy(`
@@ -450,6 +451,8 @@ userdom_delete_all_user_runtime_files(systemd_logind_t)
 userdom_delete_all_user_runtime_named_pipes(systemd_logind_t)
 userdom_delete_all_user_runtime_named_sockets(systemd_logind_t)
 userdom_delete_all_user_runtime_symlinks(systemd_logind_t)
+# user_tmp_t is for the dbus-1 directory
+userdom_list_user_tmp(systemd_logind_t)
 userdom_manage_user_runtime_dirs(systemd_logind_t)
 userdom_manage_user_runtime_root_dirs(systemd_logind_t)
 userdom_mounton_user_runtime_dirs(systemd_logind_t)
@@ -479,6 +482,10 @@ optional_policy(`
 	devicekit_dbus_chat_power(systemd_logind_t)
 ')
 
+optional_policy(`
+	modemmanager_dbus_chat(systemd_logind_t)
+')
+
 optional_policy(`
 	networkmanager_dbus_chat(systemd_logind_t)
 ')
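Review bot: `modemmanager_dbus_chat(systemd_logind_t)` grants `dbus send_msg` in both directions with no justification in the commit message; if the observed traffic was ModemManager taking an inhibitor lock from logind, a one-way send rule on ModemManager's side would be tighter, so say which denial this fixes before widening logind's bus surface.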
@@ -749,6 +756,10 @@ optional_policy(`
 	allow systemd_machined_t systemd_nspawn_t:dbus send_msg;
 
 	dbus_system_bus_client(systemd_nspawn_t)
+
+	optional_policy(`
+		unconfined_dbus_send(systemd_machined_t)
+	')
 ')
 
 optional_policy(`
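Review bot: `unconfined_dbus_send(systemd_machined_t)` is nested inside an optional_policy block that mixes machined and nspawn rules (`dbus_system_bus_client(systemd_nspawn_t)` two lines up); it will compile, but it belongs with the other systemd_machined_t dbus rules so that anyone auditing machined's bus surface finds it there, and the nesting should carry a comment saying why machined needs to message unconfined domains.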

diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index df06aa79..e4d9c1e9 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -1,4 +1,4 @@
-policy_module(unconfined, 3.10.0)
+policy_module(unconfined, 3.10.1)
 
 ########################################
 #
@@ -115,6 +115,10 @@ optional_policy(`
 	lvm_run(unconfined_t, unconfined_r)
 ')
 
+optional_policy(`
+	modemmanager_dbus_chat(unconfined_t)
+')
+
 optional_policy(`
 	modutils_run(unconfined_t, unconfined_r)
 ')


^ permalink raw reply related	[flat|nested] 705+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2018-03-25 10:29 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2018-03-25 10:29 UTC (permalink / raw
  To: gentoo-commits

commit:     126835e553be3864edf003400c7ee272e0b20ce4
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Feb 18 16:24:04 2018 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Mar 25 09:33:41 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=126835e5

another trivial dbus patch from Russell Coker.

 policy/modules/system/systemd.te | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 66eaea42..e55d01ca 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1,4 +1,4 @@
-policy_module(systemd, 1.5.2)
+policy_module(systemd, 1.5.3)
 
 #########################################
 #
@@ -479,6 +479,7 @@ optional_policy(`
 ')
 
 optional_policy(`
+	devicekit_dbus_chat_disk(systemd_logind_t)
 	devicekit_dbus_chat_power(systemd_logind_t)
 ')
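Review bot: neither the commit message ("another trivial dbus patch") nor the hunk records which logind action needs to chat with the udisks daemon via devicekit_dbus_chat_disk(systemd_logind_t). Quote the AVC denial in the message or add a short comment above the line; a bidirectional dbus grant between two system daemons should be traceable to a concrete need.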
 


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2018-03-25 10:29 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2018-03-25 10:29 UTC (permalink / raw
  To: gentoo-commits

commit:     a71a8bae341b8d4eb53edc5ad5d070754320a4fc
Author:     Miroslav Grepl <mgrepl <AT> redhat <DOT> com>
AuthorDate: Tue Jul 19 09:32:07 2011 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Mar 25 09:33:46 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a71a8bae

xtables-multi wants to getattr of the proc fs

 policy/modules/system/iptables.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
index 03abcd6c..50328250 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -53,6 +53,7 @@ allow iptables_t iptables_tmp_t:dir manage_dir_perms;
 allow iptables_t iptables_tmp_t:file manage_file_perms;
 files_tmp_filetrans(iptables_t, iptables_tmp_t, { file dir })
 
+kernel_getattr_proc(iptables_t)
 kernel_request_load_module(iptables_t)
 kernel_read_system_state(iptables_t)
 kernel_read_network_state(iptables_t)


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2018-03-25 10:29 Sven Vermeulen
  0 siblings, 0 replies; 705+ messages in thread
From: Sven Vermeulen @ 2018-03-25 10:29 UTC (permalink / raw
  To: gentoo-commits

commit:     04375af3107b98dc59ce2c935abcbd1eb1321d7f
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Fri Mar  9 22:09:50 2018 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Mar 25 09:33:49 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=04375af3

iptables: Module version bump.

 policy/modules/system/iptables.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
index 50328250..286af636 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -1,4 +1,4 @@
-policy_module(iptables, 1.19.0)
+policy_module(iptables, 1.19.1)
 
 ########################################
 #


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2018-04-22 12:00 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2018-04-22 12:00 UTC (permalink / raw
  To: gentoo-commits

commit:     c3625775bab1d65ad6af09a06097b4fbbe8646d2
Author:     Dave Sugar <dsugar <AT> tresys <DOT> com>
AuthorDate: Mon Apr 16 20:07:53 2018 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 22 11:46:18 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c3625775

Interface to read /run/systemd/resolve/resolv.conf

With systemd, /etc/resolv.conf is a symlink to /run/systemd/resolve/resolv.conf; allow domains with access to read network configuration to read this file.
Please note, this can't be in optional due to the tunable_policy in the nis_authenticate interface.

type=AVC msg=audit(1523455881.596:214): avc:  denied  { search } for  pid=944 comm="chronyd" name="resolve" dev="tmpfs" ino=14267 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:systemd_resolved_var_run_t:s0 tclass=dir
type=AVC msg=audit(1523455881.596:214): avc:  denied  { read } for  pid=944 comm="chronyd" name="resolv.conf" dev="tmpfs" ino=14277 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:systemd_resolved_var_run_t:s0 tclass=file
type=AVC msg=audit(1523455881.596:214): avc:  denied  { open } for  pid=944 comm="chronyd" path="/run/systemd/resolve/resolv.conf" dev="tmpfs" ino=14277 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:systemd_resolved_var_run_t:s0 tclass=file
type=AVC msg=audit(1523455881.596:215): avc:  denied  { getattr } for  pid=944 comm="chronyd" path="/run/systemd/resolve/resolv.conf" dev="tmpfs" ino=14277 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:systemd_resolved_var_run_t:s0 tclass=file

Signed-off-by: Dave Sugar <dsugar <AT> tresys.com>

 policy/modules/system/sysnetwork.if |  2 ++
 policy/modules/system/systemd.if    | 19 +++++++++++++++++++
 2 files changed, 21 insertions(+)

diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
index 53c806a5..e9dc5401 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -348,6 +348,8 @@ interface(`sysnet_read_config',`
 	files_search_etc($1)
 	allow $1 net_conf_t:file read_file_perms;
 
+	systemd_read_resolved_runtime($1)
+
 	ifdef(`distro_debian',`
 		files_search_pids($1)
 		allow $1 net_conf_t:dir list_dir_perms;
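Review bot: the new systemd_read_resolved_runtime($1) call is unconditional, so sysnet_read_config will fail to build whenever the systemd module is not present, which includes every non-systemd system that still uses sysnetwork. The commit message explains why optional_policy() cannot be used here (the interface is reached from tunable_policy blocks); the refpolicy answer for that case is a build-time conditional, and this same interface already uses one for distro_debian two lines below, so wrap the call in ifdef(`init_systemd',` ... ') instead.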

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index f6e34102..866838fe 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -715,3 +715,22 @@ interface(`systemd_tmpfilesd_managed',`
 
 	allow systemd_tmpfiles_t $1:$2 { setattr relabelfrom relabelto create };
 ')
+
+#######################################
+## <summary>
+##  Allow domain to read resolv.conf file generated by systemd_resolved
+## </summary>
+## <param name="domain">
+## <summary>
+##  domain allowed access
+## </summary>
+## </param>
+#
+interface(`systemd_read_resolved_runtime',`
+	gen_require(`
+		type systemd_resolved_var_run_t;
+	')
+
+	read_files_pattern($1, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
+')
+
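Review bot: read_files_pattern($1, systemd_resolved_var_run_t, systemd_resolved_var_run_t) grants search only on the resolve directory itself. The quoted chronyd denials stop there because chronyd_t already had /run and /run/systemd, but a caller that lacks those rights will still be denied before reaching resolv.conf, so the interface is not usable on its own. Add files_search_pids($1) and init_search_pid_dirs($1) to the interface body, and drop the added trailing blank line at the end of the file.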


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2018-04-22 12:00 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2018-04-22 12:00 UTC (permalink / raw
  To: gentoo-commits

commit:     417e4972fd4cd3e5852cd1e171761b95f13b1ac0
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Apr 18 00:20:27 2018 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 22 11:46:18 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=417e4972

init, logging, sysnetwork, systemd, udev: Module version bump.

 policy/modules/system/init.te       | 2 +-
 policy/modules/system/logging.te    | 2 +-
 policy/modules/system/sysnetwork.te | 2 +-
 policy/modules/system/systemd.te    | 2 +-
 policy/modules/system/udev.te       | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 8fd6c23f..f1b6b008 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 2.4.3)
+policy_module(init, 2.4.4)
 
 gen_require(`
 	class passwd rootok;

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 38b75ce4..e13b43f0 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -1,4 +1,4 @@
-policy_module(logging, 1.27.2)
+policy_module(logging, 1.27.3)
 
 ########################################
 #

diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index f6b6bf8e..0e3c9c41 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -1,4 +1,4 @@
-policy_module(sysnetwork, 1.22.0)
+policy_module(sysnetwork, 1.22.1)
 
 ########################################
 #

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 3a8eed9b..0cf54f54 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1,4 +1,4 @@
-policy_module(systemd, 1.5.4)
+policy_module(systemd, 1.5.5)
 
 #########################################
 #

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 53daf204..093029aa 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -1,4 +1,4 @@
-policy_module(udev, 1.23.0)
+policy_module(udev, 1.23.1)
 
 ########################################
 #


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2018-04-22 12:00 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2018-04-22 12:00 UTC (permalink / raw
  To: gentoo-commits

commit:     d2997e65537e373d02d379ab2d5036788b7a5155
Author:     Dave Sugar <dsugar <AT> tresys <DOT> com>
AuthorDate: Mon Apr 16 20:08:55 2018 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 22 11:46:18 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d2997e65

Fix problems booting with fips=1

Seeing the following problem when booting in enforcing with FIPS mode enabled.
Request for unknown module key 'CentOS Linux kernel signing key: c757a9fbbd0d82c9e54052029a0908d17cf1adc7' err -13
Then seeing the system halt.

Fixing the following denials:
[    4.492635] type=1400 audit(1523666552.903:4): avc:  denied  { search } for  pid=894 comm="systemd-journal" name="crypto" dev="proc" ino=6124 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir
[    4.496621] type=1400 audit(1523666552.907:5): avc:  denied  { read } for  pid=894 comm="systemd-journal" name="fips_enabled" dev="proc" ino=6125 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file
[    4.499741] type=1400 audit(1523666552.910:6): avc:  denied  { open } for  pid=894 comm="systemd-journal" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=6125 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file
[    4.502969] type=1400 audit(1523666552.914:7): avc:  denied  { getattr } for  pid=894 comm="systemd-journal" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=6125 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file

[    4.950021] type=1400 audit(1523666553.360:8): avc:  denied  { search } for  pid=952 comm="systemctl" name="crypto" dev="proc" ino=6124 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir
[    4.986551] type=1400 audit(1523666553.397:9): avc:  denied  { read } for  pid=952 comm="systemctl" name="fips_enabled" dev="proc" ino=6125 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file
[    5.028737] type=1400 audit(1523666553.439:10): avc:  denied  { open } for  pid=952 comm="systemctl" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=6125 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file

type=1400 audit(1512501270.176:3): avc:  denied  { search } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=key

Signed-off-by: Dave Sugar <dsugar <AT> tresys.com>

 policy/modules/system/init.te    | 1 +
 policy/modules/system/logging.te | 1 +
 policy/modules/system/udev.te    | 2 ++
 3 files changed, 4 insertions(+)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 82722156..8fd6c23f 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -281,6 +281,7 @@ ifdef(`init_systemd',`
 	kernel_read_all_sysctls(init_t)
 	kernel_read_software_raid_state(init_t)
 	kernel_unmount_debugfs(init_t)
+	kernel_search_key(init_t)
 	kernel_setsched(init_t)
 	kernel_rw_unix_sysctls(init_t)
 

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index d18dc74b..38b75ce4 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -434,6 +434,7 @@ allow syslogd_t syslogd_var_run_t:file map;
 files_pid_filetrans(syslogd_t, syslogd_var_run_t, file)
 allow syslogd_t syslogd_var_run_t:dir create_dir_perms;
 
+kernel_read_crypto_sysctls(syslogd_t)
 kernel_read_system_state(syslogd_t)
 kernel_read_network_state(syslogd_t)
 kernel_read_kernel_sysctls(syslogd_t)

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 7620e44c..53daf204 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -96,9 +96,11 @@ kernel_rw_unix_dgram_sockets(udev_t)
 kernel_dgram_send(udev_t)
 kernel_signal(udev_t)
 kernel_search_debugfs(udev_t)
+kernel_search_key(udev_t)
 
 #https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235182
 kernel_rw_net_sysctls(udev_t)
+kernel_read_crypto_sysctls(udev_t)
 kernel_read_network_state(udev_t)
 kernel_read_software_raid_state(udev_t)
 kernel_dontaudit_search_unlabeled(udev_t)
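Review bot: kernel_search_key(udev_t) is not backed by any of the quoted denials. The only key-class denial in the message is for pid=1 in init_t, which the init.te hunk covers; the udev_t denials (from systemctl running in udev_t) are the search/read/open on sysctl_crypto_t, and those are covered by kernel_read_crypto_sysctls(udev_t). Either quote the udev_t key denial that motivates the extra line or drop it.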


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2018-04-25 10:02 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2018-04-25 10:02 UTC (permalink / raw
  To: gentoo-commits

commit:     3ae0485c2f5e5d0a666ad48895df6ea4993b19fd
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun Apr 22 16:13:34 2018 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Apr 25 04:08:35 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3ae0485c

sysnetwork: put systemd_read_resolved_runtime in an ifdef

commit f865919872a2d709d37f3df7032a6ea73bdd8080
(Interface to read /run/systemd/resolve/resolv.conf)
added an interface to sysnet_read_config which requires the systemd
module to be loaded. Putting the interface in an optional_policy() is not
possible since sysnet_read_config is called from several tunables, so
we use an ifdef.

 policy/modules/system/sysnetwork.if | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
index e9dc5401..693a26c6 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -348,7 +348,9 @@ interface(`sysnet_read_config',`
 	files_search_etc($1)
 	allow $1 net_conf_t:file read_file_perms;
 
-	systemd_read_resolved_runtime($1)
+	ifdef(`init_systemd',`
+		systemd_read_resolved_runtime($1)
+	')
 
 	ifdef(`distro_debian',`
 		files_search_pids($1)


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2018-06-08 10:07 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2018-06-08 10:07 UTC (permalink / raw
  To: gentoo-commits

commit:     6658ee5fcff0ffbcc3ab742ed082bea9030c396d
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed May  2 21:22:52 2018 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Jun  8 09:21:01 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6658ee5f

init: Module version bump.

 policy/modules/system/init.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 09f9688e..7afc33d0 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 2.4.4)
+policy_module(init, 2.4.5)
 
 gen_require(`
 	class passwd rootok;


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2018-06-08 10:07 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2018-06-08 10:07 UTC (permalink / raw
  To: gentoo-commits

commit:     83621cff0136e3a63561b364715fa636cd8ccdb1
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Apr 25 21:33:51 2018 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Jun  8 09:21:01 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=83621cff

sysnetwork: Move lines in sysnet_read_config().

 policy/modules/system/sysnetwork.if | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
index 693a26c6..f4f17a5d 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -348,10 +348,6 @@ interface(`sysnet_read_config',`
 	files_search_etc($1)
 	allow $1 net_conf_t:file read_file_perms;
 
-	ifdef(`init_systemd',`
-		systemd_read_resolved_runtime($1)
-	')
-
 	ifdef(`distro_debian',`
 		files_search_pids($1)
 		allow $1 net_conf_t:dir list_dir_perms;
@@ -362,6 +358,10 @@ interface(`sysnet_read_config',`
 		allow $1 net_conf_t:dir list_dir_perms;
 		read_files_pattern($1, net_conf_t, net_conf_t)
 	')
+
+	ifdef(`init_systemd',`
+		systemd_read_resolved_runtime($1)
+	')
 ')
 
 #######################################


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2018-06-08 10:07 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2018-06-08 10:07 UTC (permalink / raw
  To: gentoo-commits

commit:     31251ed390d89aaf082af95bf532470b4d0f339d
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Apr 30 06:32:23 2018 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Jun  8 09:21:01 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=31251ed3

init: Add filetrans for /run/initctl

sysvinit 2.89 moved /dev/initctl to /run/initctl.

Reported-by: revel

 policy/modules/system/init.if | 5 +++++
 policy/modules/system/init.te | 1 +
 2 files changed, 6 insertions(+)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 547720de..46e61cb4 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1314,6 +1314,8 @@ interface(`init_getattr_initctl',`
 			type initctl_t;
 		')
 
+		dev_list_all_dev_nodes($1)
+		files_search_pids($1)
 		allow $1 initctl_t:fifo_file getattr;
 	')
 ')
@@ -1353,6 +1355,7 @@ interface(`init_write_initctl',`
 	')
 
 	dev_list_all_dev_nodes($1)
+	files_search_pids($1)
 	allow $1 initctl_t:fifo_file write;
 ')
 
@@ -1385,6 +1388,7 @@ interface(`init_telinit',`
 	corecmd_exec_bin($1)
 
 	dev_list_all_dev_nodes($1)
+	files_search_pids($1)
 
 	init_exec($1)
 ')
@@ -1405,6 +1409,7 @@ interface(`init_rw_initctl',`
 	')
 
 	dev_list_all_dev_nodes($1)
+	files_search_pids($1)
 	allow $1 initctl_t:fifo_file rw_fifo_file_perms;
 ')
 

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index f1b6b008..09f9688e 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -145,6 +145,7 @@ allow init_t init_var_run_t:file manage_lnk_file_perms;
 
 allow init_t initctl_t:fifo_file manage_fifo_file_perms;
 dev_filetrans(init_t, initctl_t, fifo_file)
+files_pid_filetrans(init_t, initctl_t, fifo_file)
 
 # Modify utmp.
 allow init_t initrc_var_run_t:file { rw_file_perms setattr };
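Review bot: files_pid_filetrans(init_t, initctl_t, fifo_file) has no name argument, so every fifo that init_t creates directly under /run will be labeled initctl_t, not just /run/initctl. The commit is about exactly one fifo moving from /dev to /run, and files_pid_filetrans takes an optional name as its fourth argument, so files_pid_filetrans(init_t, initctl_t, fifo_file, "initctl") expresses that intent without widening the transition.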


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2018-06-08 10:07 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2018-06-08 10:07 UTC (permalink / raw
  To: gentoo-commits

commit:     a03f90ec865713942b3fe7fad6b7f72248e172ea
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Apr 25 21:34:13 2018 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Jun  8 09:21:01 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a03f90ec

sysnetwork: Module version bump.

 policy/modules/system/sysnetwork.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 0e3c9c41..12c83a8a 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -1,4 +1,4 @@
-policy_module(sysnetwork, 1.22.1)
+policy_module(sysnetwork, 1.22.2)
 
 ########################################
 #


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2018-06-08 10:07 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2018-06-08 10:07 UTC (permalink / raw
  To: gentoo-commits

commit:     25274b23ec244b1a83c27e5184bbef665e750efa
Author:     Dave Sugar <dsugar <AT> tresys <DOT> com>
AuthorDate: Wed Jun  6 14:25:09 2018 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Jun  8 09:21:01 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=25274b23

systemd-resolved uses notify to indicate status

type=AVC msg=audit(1528207926.219:1609): avc:  denied  { write } for  pid=2689 comm="systemd-resolve" name="notify" dev="tmpfs" ino=6277 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1528208016.448:1702): avc:  denied  { sendto } for  pid=2689 comm="systemd-resolve" path="/run/systemd/notify" scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket

Signed-off-by: Dave Sugar <dsugar <AT> tresys.com>

 policy/modules/system/systemd.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 60651a9e..cf2c3296 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -844,6 +844,7 @@ init_pid_filetrans(systemd_resolved_t, systemd_resolved_var_run_t, dir)
 
 dev_read_sysfs(systemd_resolved_t)
 
+kernel_dgram_send(systemd_resolved_t)
 kernel_read_crypto_sysctls(systemd_resolved_t)
 kernel_read_kernel_sysctls(systemd_resolved_t)
 kernel_read_net_sysctls(systemd_resolved_t)
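Review bot: kernel_dgram_send(systemd_resolved_t) is added without a comment, and the reason is not obvious from the first quoted denial alone: the second denial shows the peer of /run/systemd/notify labeled kernel_t rather than init_t, which is why init_dgram_send (added further down in this patch) does not cover the sendto by itself. A short comment above the line tying it to the sd_notify socket and its kernel_t peer would save the next reader the lookup.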
@@ -855,6 +856,8 @@ corenet_udp_bind_llmnr_port(systemd_resolved_t)
 
 auth_use_nsswitch(systemd_resolved_t)
 
+init_dgram_send(systemd_resolved_t)
+
 seutil_read_file_contexts(systemd_resolved_t)
 
 systemd_log_parse_environment(systemd_resolved_t)


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2018-06-08 10:07 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2018-06-08 10:07 UTC (permalink / raw
  To: gentoo-commits

commit:     df3fc700c5939555aac1f9e648c27208c4e17f76
Author:     Dave Sugar <dsugar <AT> tresys <DOT> com>
AuthorDate: Wed Jun  6 14:25:08 2018 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Jun  8 09:21:01 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=df3fc700

Allow systemd-resolved to connect to system dbusd

type=USER_AVC msg=audit(1527726267.150:134): pid=1170 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { acquire_svc } for service=org.freedesktop.resolve1 spid=1208 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

Signed-off-by: Dave Sugar <dsugar <AT> tresys.com>

 policy/modules/system/systemd.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 79774dd3..60651a9e 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -861,6 +861,7 @@ systemd_log_parse_environment(systemd_resolved_t)
 systemd_read_networkd_runtime(systemd_resolved_t)
 
 optional_policy(`
+	dbus_connect_system_bus(systemd_resolved_t)
 	dbus_system_bus_client(systemd_resolved_t)
 ')
 


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2018-06-08 10:07 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2018-06-08 10:07 UTC (permalink / raw
  To: gentoo-commits

commit:     511e0ce6b19693fe93b764828f9d2a4427166981
Author:     Dave Sugar <dsugar <AT> tresys <DOT> com>
AuthorDate: Thu Jun  7 19:19:40 2018 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Jun  8 09:21:01 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=511e0ce6

policy for systemd-hwdb

systemd-hwdb rebuilds /etc/udev/hwdb.bin from files in /var/lib/udev/hwdb.d/*,
making a temp file first in /etc/udev/ and then moving the tmp file
over hwdb.bin when complete.  It also relabels based on file_contexts.
This provides a private type for /etc/udev/hwdb.bin.

Signed-off-by: Dave Sugar <dsugar <AT> tresys.com>

 policy/modules/system/systemd.fc |  3 +++
 policy/modules/system/systemd.if | 19 +++++++++++++++++++
 policy/modules/system/systemd.te | 24 ++++++++++++++++++++++++
 policy/modules/system/udev.te    |  1 +
 4 files changed, 47 insertions(+)

diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index 5d4857e4..df1a4b2e 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -2,6 +2,7 @@
 /usr/bin/systemd-cgtop			--	gen_context(system_u:object_r:systemd_cgtop_exec_t,s0)
 /usr/bin/systemd-coredump		--	gen_context(system_u:object_r:systemd_coredump_exec_t,s0)
 /usr/bin/systemd-detect-virt		--	gen_context(system_u:object_r:systemd_detect_virt_exec_t,s0)
+/usr/bin/systemd-hwdb			--	gen_context(system_u:object_r:systemd_hw_exec_t,s0)
 /usr/bin/systemd-nspawn			--	gen_context(system_u:object_r:systemd_nspawn_exec_t,s0)
 /usr/bin/systemd-run			--	gen_context(system_u:object_r:systemd_run_exec_t,s0)
 /usr/bin/systemd-stdio-bridge		--	gen_context(system_u:object_r:systemd_stdio_bridge_exec_t,s0)
@@ -38,6 +39,8 @@
 /usr/lib/systemd/system/systemd-binfmt.*	--	gen_context(system_u:object_r:systemd_binfmt_unit_t,s0)
 /usr/lib/systemd/system/systemd-networkd.*		gen_context(system_u:object_r:systemd_networkd_unit_t,s0)
 
+/etc/udev/hwdb.bin				--	gen_context(system_u:object_r:systemd_hwdb_t,s0)
+
 /var/lib/systemd/backlight(/.*)?	gen_context(system_u:object_r:systemd_backlight_var_lib_t,s0)
 /var/lib/systemd/coredump(/.*)?	gen_context(system_u:object_r:systemd_coredump_var_lib_t,s0)
 /var/lib/systemd/linger(/.*)?	gen_context(system_u:object_r:systemd_logind_var_lib_t,s0)
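Review bot: the /etc/udev/hwdb.bin entry is inserted between the /usr/lib/systemd/system unit entries and the /var/lib block, while this file otherwise keeps its entries in path order (the /usr/bin block in the first hunk precedes /usr/lib, which precedes /var/lib). Put the entry at the top of the file, ahead of the /usr/bin entries, so it sits where the file's ordering places /etc paths.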

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index fd501c52..75bbeead 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -772,5 +772,24 @@ interface(`systemd_getattr_updated_runtime',`
 ')
 
 
+#######################################
+## <summary>
+##  Allow domain to read udev hwdb file
+## </summary>
+## <param name="domain">
+## <summary>
+##  domain allowed access
+## </summary>
+## </param>
+#
+interface(`systemd_read_hwdb',`
+	gen_require(`
+		type systemd_hwdb_t;
+	')
+
+	read_files_pattern($1, systemd_hwdb_t, systemd_hwdb_t)
+')
+
+
 
 
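Review bot: the two added blank lines after the closing quote of systemd_read_hwdb land on top of the blank lines already at the end of the file, leaving four trailing empty lines; drop the two '+' blank lines. The summary "Allow domain to read udev hwdb file" is otherwise fine, and the gen_require plus read_files_pattern body matches the systemd_read_resolved_runtime interface added earlier in this series.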

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 15fe6e1b..c324d3bf 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -81,6 +81,13 @@ type systemd_hostnamed_t;
 type systemd_hostnamed_exec_t;
 init_daemon_domain(systemd_hostnamed_t, systemd_hostnamed_exec_t)
 
+type systemd_hw_t;
+type systemd_hw_exec_t;
+init_system_domain(systemd_hw_t, systemd_hw_exec_t)
+
+type systemd_hwdb_t;
+files_type(systemd_hwdb_t);
+
 type systemd_journal_t;
 files_type(systemd_journal_t)
 logging_log_file(systemd_journal_t)
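Review bot: files_type(systemd_hwdb_t); carries a trailing semicolon that none of the other declarations in this hunk have (init_system_domain(systemd_hw_t, systemd_hw_exec_t) and files_type(systemd_journal_t) are written without one); drop it for consistency. The names are also split between systemd_hw_t/systemd_hw_exec_t for the domain and systemd_hwdb_t for the file type, so a reader cannot tell from the declarations that the two belong together; a comment above them stating that systemd_hw_t is the systemd-hwdb domain and systemd_hwdb_t its /etc/udev/hwdb.bin output would help.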
@@ -322,6 +329,23 @@ optional_policy(`
 	networkmanager_dbus_chat(systemd_hostnamed_t)
 ')
 
+#########################################
+#
+# hw local policy
+#
+
+allow systemd_hw_t systemd_hwdb_t:file { manage_file_perms relabelfrom relabelto };
+
+files_etc_filetrans(systemd_hw_t, systemd_hwdb_t, file)
+files_search_pids(systemd_hw_t)
+
+init_read_state(systemd_hw_t)
+
+selinux_get_fs_mount(systemd_hw_t)
+
+seutil_read_config(systemd_hw_t)
+seutil_read_file_contexts(systemd_hw_t)
+
 #######################################
 #
 # locale local policy
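Review bot: the commit message says systemd-hwdb reads its inputs from /var/lib/udev/hwdb.d/*, but nothing in this hunk grants systemd_hw_t read access to those files, so the domain will be denied on the first real rebuild unless those reads are covered elsewhere; if they are, say so in a comment, otherwise add the appropriate udev interface. files_search_pids(systemd_hw_t) is likewise unexplained and deserves a comment naming what under /run it needs. The file rule itself is consistent with the described temp-file-then-rename flow: manage_file_perms includes rename, and relabelfrom/relabelto on systemd_hwdb_t cover the file_contexts relabel, while the unnamed files_etc_filetrans is needed because the temp file does not have the hwdb.bin name.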

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 093029aa..c3929f6d 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -248,6 +248,7 @@ ifdef(`init_systemd',`
 	init_get_generic_units_status(udev_t)
 	init_stream_connect(udev_t)
 
+	systemd_read_hwdb(udev_t)
 	systemd_read_logind_sessions_files(udev_t)
 	systemd_read_logind_pids(udev_t)
 


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2018-06-08 10:07 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2018-06-08 10:07 UTC (permalink / raw
  To: gentoo-commits

commit:     3263ab0206a19727bff6ea79d5c129e2fdc1bfdb
Author:     Dave Sugar <dsugar <AT> tresys <DOT> com>
AuthorDate: Thu Jun  7 19:19:41 2018 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Jun  8 09:21:01 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3263ab02

policy for systemd-update-done

systemd-update-done needs to be able to create /etc/.updated and /var/.updated

Jun  6 13:11:58 localhost systemd-update-done: Failed to create timestamp file /etc/.updated: Permission denied
Jun  6 13:11:58 localhost systemd-update-done: Failed to create timestamp file /var/.updated: Permission denied
Jun  6 13:11:58 localhost systemd: systemd-update-done.service: main process exited, code=exited, status=1/FAILURE
Jun  6 13:11:58 localhost systemd: Failed to start Update is Completed.
Jun  6 13:11:58 localhost systemd: Unit systemd-update-done.service entered failed state.
Jun  6 13:11:58 localhost systemd: systemd-update-done.service failed.

Signed-off-by: Dave Sugar <dsugar <AT> tresys.com>

 policy/modules/system/init.te    |  1 +
 policy/modules/system/systemd.fc |  1 +
 policy/modules/system/systemd.if | 21 +++++++++++++++++++++
 policy/modules/system/systemd.te | 22 ++++++++++++++++++++++
 4 files changed, 45 insertions(+)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 7afc33d0..d38b6e39 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -407,6 +407,7 @@ ifdef(`init_systemd',`
 	# lvm2-activation-generator checks file labels
 	seutil_read_file_contexts(init_t)
 
+	systemd_getattr_updated_runtime(init_t)
 	systemd_manage_passwd_runtime_symlinks(init_t)
 	systemd_use_passwd_agent(init_t)
 	systemd_list_tmpfiles_conf(init_t)
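Review bot: systemd_getattr_updated_runtime(init_t) is added without a comment saying why init_t needs to stat the timestamp files, unlike the lvm2-activation-generator line two lines above; a one-line note on which startup check reads /etc/.updated and /var/.updated would keep this block self-explanatory.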

diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index 0f8c193d..5d4857e4 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -23,6 +23,7 @@
 /usr/lib/systemd/systemd-machined	--	gen_context(system_u:object_r:systemd_machined_exec_t,s0)
 /usr/lib/systemd/systemd-networkd	--	gen_context(system_u:object_r:systemd_networkd_exec_t,s0)
 /usr/lib/systemd/systemd-resolved	--	gen_context(system_u:object_r:systemd_resolved_exec_t,s0)
+/usr/lib/systemd/systemd-update-done	--	gen_context(system_u:object_r:systemd_update_done_exec_t,s0)
 /usr/lib/systemd/systemd-user-sessions	--	gen_context(system_u:object_r:systemd_sessions_exec_t,s0)
 
 # Systemd unit files
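Review bot: only the executable gets a file context here; /etc/.updated and /var/.updated themselves have no entry, so their systemd_update_run_t label exists solely through the type transitions in systemd.te, and a restorecon or setfiles run would reset them to etc_t and var_t under the generic /etc(/.*)? and /var(/.*)? specs. Add `/etc/\.updated -- gen_context(system_u:object_r:systemd_update_run_t,s0)` and the matching `/var/\.updated` line so relabels preserve the type.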

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index b053242a..fd501c52 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -753,3 +753,24 @@ interface(`systemd_read_resolved_runtime',`
 	read_files_pattern($1, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
 ')
 
+#######################################
+## <summary>
+##  Allow domain to getattr on .updated file (generated by systemd-update-done
+## </summary>
+## <param name="domain">
+## <summary>
+##  domain allowed access
+## </summary>
+## </param>
+#
+interface(`systemd_getattr_updated_runtime',`
+	gen_require(`
+		type systemd_update_run_t;
+	')
+
+	getattr_files_pattern($1, systemd_update_run_t, systemd_update_run_t)
+')
+
+
+
+
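Review bot: the summary line "Allow domain to getattr on .updated file (generated by systemd-update-done" has an unclosed parenthesis, and the hunk appends four empty lines at the end of systemd.if (the follow-up commit on this page has to strip them again). Close the parenthesis and drop the trailing blank lines so the file ends right after `')`.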

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index cf2c3296..15fe6e1b 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -173,6 +173,13 @@ init_daemon_domain(systemd_tmpfiles_t, systemd_tmpfiles_exec_t)
 type systemd_tmpfiles_conf_t;
 files_config_file(systemd_tmpfiles_conf_t)
 
+type systemd_update_done_t;
+type systemd_update_done_exec_t;
+init_system_domain(systemd_update_done_t, systemd_update_done_exec_t)
+
+type systemd_update_run_t;
+files_type(systemd_update_run_t)
+
 #
 # Unit file types
 #
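Review bot: systemd_update_run_t is declared with files_type(), which is right for files that persist in /etc and /var, but the _run_t suffix (and the "runtime" in the interface name) reads as a /run file type. A name that matches the domain and the stamp files it labels (systemd_update_done_t for the domain, and a suffix such as _updated_t rather than _run_t for the files, as a suggestion) would avoid the mismatch; whatever is chosen, the interface name in systemd.if should follow it.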
@@ -1006,3 +1013,18 @@ optional_policy(`
 	xserver_relabel_console_pipes(systemd_tmpfiles_t)
 	xserver_setattr_console_pipes(systemd_tmpfiles_t)
 ')
+
+#########################################
+#
+# Update Done local policy
+#
+
+allow systemd_update_done_t systemd_update_run_t:file manage_file_perms;
+
+dev_write_kmsg(systemd_update_done_t)
+
+files_etc_filetrans(systemd_update_done_t, systemd_update_run_t, file, ".updated")
+files_var_filetrans(systemd_update_done_t, systemd_update_run_t, file, ".updated")
+
+kernel_read_system_state(systemd_update_done_t)
+
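Review bot: the new "Update Done local policy" banner is wider than the other section banners in this file (compare the hw and locale banners earlier on this page), and the hunk adds a blank line after kernel_read_system_state() at the end of the file. Trim the banner to the standard width and drop the trailing blank line; a comment on why the domain needs dev_write_kmsg() would also be welcome, since nothing in the log excerpt in the commit message points to it.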


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2018-06-08 10:07 Jason Zaman
From: Jason Zaman @ 2018-06-08 10:07 UTC
  To: gentoo-commits

commit:     6e80ac7a0685e7dedaae81a7d3bb206fe4b9f997
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Fri Jun  8 00:17:15 2018 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Jun  8 09:22:56 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6e80ac7a

systemd: Move lines.

 policy/modules/system/systemd.fc |  4 ++--
 policy/modules/system/systemd.if | 41 ++++++++++++++++++----------------------
 policy/modules/system/systemd.te |  6 +++---
 3 files changed, 23 insertions(+), 28 deletions(-)

diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index df1a4b2e..277c7fc4 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -1,3 +1,5 @@
+/etc/udev/hwdb\.bin			--	gen_context(system_u:object_r:systemd_hwdb_t,s0)
+
 /usr/bin/systemd-analyze		--	gen_context(system_u:object_r:systemd_analyze_exec_t,s0)
 /usr/bin/systemd-cgtop			--	gen_context(system_u:object_r:systemd_cgtop_exec_t,s0)
 /usr/bin/systemd-coredump		--	gen_context(system_u:object_r:systemd_coredump_exec_t,s0)
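Review bot: this is more than a move: the pattern changes from hwdb.bin to hwdb\.bin, which fixes an unescaped dot that previously matched any character, and the column tabs are realigned. That deserves a sentence in the commit message, since "systemd: Move lines." hides a regex fix.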
@@ -39,8 +41,6 @@
 /usr/lib/systemd/system/systemd-binfmt.*	--	gen_context(system_u:object_r:systemd_binfmt_unit_t,s0)
 /usr/lib/systemd/system/systemd-networkd.*		gen_context(system_u:object_r:systemd_networkd_unit_t,s0)
 
-/etc/udev/hwdb.bin				--	gen_context(system_u:object_r:systemd_hwdb_t,s0)
-
 /var/lib/systemd/backlight(/.*)?	gen_context(system_u:object_r:systemd_backlight_var_lib_t,s0)
 /var/lib/systemd/coredump(/.*)?	gen_context(system_u:object_r:systemd_coredump_var_lib_t,s0)
 /var/lib/systemd/linger(/.*)?	gen_context(system_u:object_r:systemd_logind_var_lib_t,s0)

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 75bbeead..34685088 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -19,6 +19,24 @@ interface(`systemd_log_parse_environment',`
 	typeattribute $1 systemd_log_parse_env_type;
 ')
 
+#######################################
+## <summary>
+##  Allow domain to read udev hwdb file
+## </summary>
+## <param name="domain">
+## <summary>
+##  domain allowed access
+## </summary>
+## </param>
+#
+interface(`systemd_read_hwdb',`
+	gen_require(`
+		type systemd_hwdb_t;
+	')
+
+	read_files_pattern($1, systemd_hwdb_t, systemd_hwdb_t)
+')
+
 ######################################
 ## <summary>
 ##   Read systemd_login PID files.
@@ -770,26 +788,3 @@ interface(`systemd_getattr_updated_runtime',`
 
 	getattr_files_pattern($1, systemd_update_run_t, systemd_update_run_t)
 ')
-
-
-#######################################
-## <summary>
-##  Allow domain to read udev hwdb file
-## </summary>
-## <param name="domain">
-## <summary>
-##  domain allowed access
-## </summary>
-## </param>
-#
-interface(`systemd_read_hwdb',`
-	gen_require(`
-		type systemd_hwdb_t;
-	')
-
-	read_files_pattern($1, systemd_hwdb_t, systemd_hwdb_t)
-')
-
-
-
-

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index c324d3bf..1cf5fb95 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -335,14 +335,14 @@ optional_policy(`
 #
 
 allow systemd_hw_t systemd_hwdb_t:file { manage_file_perms relabelfrom relabelto };
-
 files_etc_filetrans(systemd_hw_t, systemd_hwdb_t, file)
-files_search_pids(systemd_hw_t)
 
-init_read_state(systemd_hw_t)
+files_search_pids(systemd_hw_t)
 
 selinux_get_fs_mount(systemd_hw_t)
 
+init_read_state(systemd_hw_t)
+
 seutil_read_config(systemd_hw_t)
 seutil_read_file_contexts(systemd_hw_t)
 


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2018-06-08 10:07 Jason Zaman
From: Jason Zaman @ 2018-06-08 10:07 UTC
  To: gentoo-commits

commit:     3f528d57501507ca95e24e88e0c29c36bd216bef
Author:     Dave Sugar <dsugar <AT> tresys <DOT> com>
AuthorDate: Wed Jun  6 14:25:07 2018 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Jun  8 09:21:01 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3f528d57

Allow systemd_resolved to read systemd_networkd runtime files

type=AVC msg=audit(1527698299.999:144): avc:  denied  { read } for  pid=1193 comm="systemd-resolve" name="links" dev="tmpfs" ino=16229 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:systemd_networkd_var_run_t:s0 tclass=dir
type=AVC msg=audit(1527698299.999:145): avc:  denied  { read } for  pid=1193 comm="systemd-resolve" name="3" dev="tmpfs" ino=18857 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:systemd_networkd_var_run_t:s0 tclass=file
type=AVC msg=audit(1527698299.999:145): avc:  denied  { open } for  pid=1193 comm="systemd-resolve" path="/run/systemd/netif/links/3" dev="tmpfs" ino=18857 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:systemd_networkd_var_run_t:s0 tclass=file
type=AVC msg=audit(1527698300.000:146): avc:  denied  { getattr } for  pid=1193 comm="systemd-resolve" path="/run/systemd/netif/links/3" dev="tmpfs" ino=18857 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:systemd_networkd_var_run_t:s0 tclass=file
type=AVC msg=audit(1527702014.276:183): avc:  denied  { search } for  pid=1180 comm="systemd-resolve" name="netif" dev="tmpfs" ino=16878 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:systemd_networkd_var_run_t:s0 tclass=dir
type=AVC msg=audit(1527704163.181:152): avc:  denied  { open } for  pid=1236 comm="systemd-resolve" path="/run/systemd/netif/links/5" dev="tmpfs" ino=19562 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:systemd_networkd_var_run_t:s0 tclass=file
type=AVC msg=audit(1527704163.181:153): avc:  denied  { getattr } for  pid=1236 comm="systemd-resolve" path="/run/systemd/netif/links/5" dev="tmpfs" ino=19562 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:systemd_networkd_var_run_t:s0 tclass=file
type=AVC msg=audit(1527704163.604:173): avc:  denied  { read } for  pid=1236 comm="systemd-resolve" name="5" dev="tmpfs" ino=19562 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:systemd_networkd_var_run_t:s0 tclass=file

Signed-off-by: Dave Sugar <dsugar <AT> tresys.com>

 policy/modules/system/systemd.if | 19 +++++++++++++++++++
 policy/modules/system/systemd.te |  1 +
 2 files changed, 20 insertions(+)

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 866838fe..b053242a 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -523,6 +523,25 @@ interface(`systemd_rw_networkd_netlink_route_sockets',`
 	allow $1 systemd_networkd_t:netlink_route_socket client_stream_socket_perms;
 ')
 
+#######################################
+## <summary>
+##  Allow domain to read files generated by systemd_networkd
+## </summary>
+## <param name="domain">
+## <summary>
+##  domain allowed access
+## </summary>
+## </param>
+#
+
+interface(`systemd_read_networkd_runtime',`
+	gen_require(`
+		type systemd_networkd_var_run_t;
+	')
+
+	list_dirs_pattern($1, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
+	read_files_pattern($1, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
+')
 
 ########################################
 ## <summary>
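Review bot: there is a stray blank line between the closing `#` of the doc comment and `interface(`systemd_read_networkd_runtime',`; every other interface on this page puts the declaration directly under the `#`, so drop the blank line. The access itself matches the denials in the commit message (search/read on the netif dir, read/open/getattr on the links files) via list_dirs_pattern and read_files_pattern.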

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 708b9f23..79774dd3 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -858,6 +858,7 @@ auth_use_nsswitch(systemd_resolved_t)
 seutil_read_file_contexts(systemd_resolved_t)
 
 systemd_log_parse_environment(systemd_resolved_t)
+systemd_read_networkd_runtime(systemd_resolved_t)
 
 optional_policy(`
 	dbus_system_bus_client(systemd_resolved_t)


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2018-06-08 10:07 Jason Zaman
From: Jason Zaman @ 2018-06-08 10:07 UTC
  To: gentoo-commits

commit:     ce92e2974b7ba4eb073097e4a192779147db3b39
Author:     Dave Sugar <dsugar <AT> tresys <DOT> com>
AuthorDate: Wed Jun  6 14:25:06 2018 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Jun  8 09:21:01 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ce92e297

Allow systemd-resolved to read sysctl

type=AVC msg=audit(1527698300.007:150): avc:  denied  { search } for  pid=1193 comm="systemd-resolve" name="net" dev="proc" ino=8515 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir
type=AVC msg=audit(1527698300.007:150): avc:  denied  { read } for  pid=1193 comm="systemd-resolve" name="disable_ipv6" dev="proc" ino=7988 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
type=AVC msg=audit(1527698300.007:150): avc:  denied  { open } for  pid=1193 comm="systemd-resolve" path="/proc/sys/net/ipv6/conf/all/disable_ipv6" dev="proc" ino=7988 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
type=AVC msg=audit(1527698300.007:151): avc:  denied  { getattr } for  pid=1193 comm="systemd-resolve" path="/proc/sys/net/ipv6/conf/all/disable_ipv6" dev="proc" ino=7988 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file

type=AVC msg=audit(1527698300.006:148): avc:  denied  { read } for  pid=1193 comm="systemd-resolve" name="disable" dev="sysfs" ino=2111 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1527698300.006:148): avc:  denied  { open } for  pid=1193 comm="systemd-resolve" path="/sys/module/ipv6/parameters/disable" dev="sysfs" ino=2111 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1527698300.007:149): avc:  denied  { getattr } for  pid=1193 comm="systemd-resolve" path="/sys/module/ipv6/parameters/disable" dev="sysfs" ino=2111 scontext=system_u:system_r:systemd_resolved_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file

Signed-off-by: Dave Sugar <dsugar <AT> tresys.com>

 policy/modules/system/systemd.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 0cf54f54..708b9f23 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -842,8 +842,11 @@ manage_dirs_pattern(systemd_resolved_t, systemd_resolved_var_run_t, systemd_reso
 manage_files_pattern(systemd_resolved_t, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
 init_pid_filetrans(systemd_resolved_t, systemd_resolved_var_run_t, dir)
 
+dev_read_sysfs(systemd_resolved_t)
+
 kernel_read_crypto_sysctls(systemd_resolved_t)
 kernel_read_kernel_sysctls(systemd_resolved_t)
+kernel_read_net_sysctls(systemd_resolved_t)
 
 corenet_tcp_bind_generic_node(systemd_resolved_t)
 corenet_tcp_bind_llmnr_port(systemd_resolved_t)
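Review bot: dev_read_sysfs(systemd_resolved_t) is inserted ahead of the kernel_* calls, while refpolicy orders kernel-layer calls as kernel_, corecmd_, corenet_, dev_, ... (the existing kernel_ before corenet_ sequence in this hunk follows that); move it below the corenet_ block. Also, dev_read_sysfs grants read on the whole sysfs tree, much broader than the single /sys/module/ipv6/parameters/disable file in the denials, so a comment naming that ipv6 check would record why the wide interface was chosen.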


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2018-06-09  5:24 Jason Zaman
From: Jason Zaman @ 2018-06-09  5:24 UTC
  To: gentoo-commits

commit:     d47c34f5d993c54990c4a9504950b880dcc3145d
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Jun  7 10:38:57 2018 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Jun  8 11:10:51 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d47c34f5

lvm: allow reading initrc pipes

Bug: https://bugs.gentoo.org/615300

 policy/modules/system/init.if | 18 ++++++++++++++++++
 policy/modules/system/lvm.te  |  5 ++++-
 2 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 46e61cb4..d6a8f2ee 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1859,6 +1859,24 @@ interface(`init_ptrace',`
 	allow $1 init_t:process ptrace;
 ')
 
+########################################
+## <summary>
+##	Read an init script unnamed pipe.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_read_script_pipes',`
+	gen_require(`
+		type initrc_t;
+	')
+
+	allow $1 initrc_t:fifo_file read_fifo_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Write an init script unnamed pipe.

diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index 9df06823..446ab777 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -393,9 +393,12 @@ ifdef(`distro_gentoo',`
 	create_dirs_pattern(lvm_t, lvm_etc_t, lvm_metadata_t)
 	# Bug 529430 comment 6
 	create_dirs_pattern(lvm_t, lvm_etc_t, lvm_etc_t)
-	# BUg 529430 comment 8
+	# Bug 529430 comment 8
 	manage_fifo_files_pattern(lvm_t, lvm_var_run_t, lvm_var_run_t)
 
+	# Bug 615300
+	init_read_script_pipes(lvm_t)
+
 	filetrans_pattern(lvm_t, lvm_etc_t, lvm_metadata_t, dir, "cache")
 
 	kernel_request_load_module(lvm_t)
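Review bot: the "BUg" to "Bug" comment fix on the 529430 line is unrelated to bug 615300; harmless, but a separate cleanup commit keeps `git blame` on the bug references meaningful. The new init_read_script_pipes(lvm_t) call is otherwise consistent with the other Gentoo-only rules in this ifdef(`distro_gentoo') block.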


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2018-06-24  8:46 Jason Zaman
From: Jason Zaman @ 2018-06-24  8:46 UTC
  To: gentoo-commits

commit:     7eca40c847802b7c207ccb14850d9e3c1147b502
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Jun 14 14:12:22 2018 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Jun 16 06:58:13 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7eca40c8

userdomain: remove gentoo-specific xdg interfaces now that they are upstream

 policy/modules/system/userdomain.if | 144 ------------------------------------
 1 file changed, 144 deletions(-)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index ce19cc8e..3f380d40 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -395,20 +395,6 @@ interface(`userdom_manage_home_role',`
 			flash_manage_home($2)
 			flash_relabel_home($2)
 		')
-
-		optional_policy(`
-			xdg_manage_all_cache_home($2)
-			xdg_manage_all_config_home($2)
-			xdg_manage_all_data_home($2)
-			xdg_manage_documents_home($2)
-			xdg_manage_downloads_home($2)
-			xdg_manage_music_home($2)
-			xdg_manage_pictures_home($2)
-			xdg_manage_videos_home($2)
-			xdg_relabel_all_cache_home($2)
-			xdg_relabel_all_config_home($2)
-			xdg_relabel_all_data_home($2)
-		')
 	')
 ')
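Review bot: removing this optional_policy block drops xdg_manage_*_home and xdg_relabel_*_home from userdom_manage_home_role, so user roles lose manage and relabel on ~/.cache, ~/.config, ~/.local and the media directories unless the upstream interfaces the commit message refers to already grant the same access to $2. Please confirm the upstream equivalent (including the relabel half) is wired into this role before the removal lands.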
 
@@ -4504,136 +4490,6 @@ interface(`userdom_dbus_send_all_users',`
 
 # Gentoo added stuff, but cannot use an ifdef distro_gentoo for this
 
-########################################
-## <summary>
-##	Support creation of tunable access to user content
-## </summary>
-## <param name="prefix">
-##	<summary>
-##	The prefix of the application domain to create the
-##	tunables for
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	Domain to create the tunables for
-##	</summary>
-## </param>
-#
-template(`userdom_user_content_access_template',`
-
-	########################################
-	#
-	# Declarations
-	#
-
-	## <desc>
-	##	<p>
-	##	Please update doc/gentoo_tunables.xml.
-	##	</p>
-	## </desc>
-	gen_tunable(`$1_read_generic_user_content', true)
-
-	## <desc>
-	##	<p>
-	##	Please update doc/gentoo_tunables.xml.
-	##	</p>
-	## </desc>
-	gen_tunable(`$1_read_all_user_content', false)
-
-	## <desc>
-	##	<p>
-	##	Please update doc/gentoo_tunables.xml.
-	##	</p>
-	## </desc>
-	gen_tunable(`$1_manage_generic_user_content', false)
-
-	## <desc>
-	##	<p>
-	##	Please update doc/gentoo_tunables.xml.
-	##	</p>
-	## </desc>
-	gen_tunable(`$1_manage_all_user_content', false)
-
-	tunable_policy(`$1_read_generic_user_content',`
-		userdom_list_user_tmp($2)
-		userdom_list_user_home_content($2)
-		userdom_read_user_home_content_files($2)
-		userdom_read_user_home_content_symlinks($2)
-		userdom_read_user_tmp_files($2)
-		userdom_read_user_tmp_symlinks($2)
-	',`
-		files_dontaudit_list_home($2)
-		files_dontaudit_list_tmp($2)
-	
-		userdom_dontaudit_list_user_home_dirs($2)
-		userdom_dontaudit_list_user_tmp($2)
-		userdom_dontaudit_read_user_home_content_files($2)
-		userdom_dontaudit_read_user_tmp_files($2)
-	')
-
-	tunable_policy(`$1_read_all_user_content',`
-		userdom_list_user_tmp($2)
-		userdom_read_all_user_home_content($2)
-	')
-
-	tunable_policy(`$1_manage_generic_user_content',`
-		userdom_manage_user_tmp_dirs($2)
-		userdom_manage_user_tmp_files($2)
-		userdom_manage_user_home_content_dirs($2)
-		userdom_manage_user_home_content_files($2)
-	')
-
-	tunable_policy(`$1_manage_all_user_content',`
-		userdom_manage_all_user_home_content($2)
-	')
-')
-
-########################################
-## <summary>
-##	Read all user home content, including application-specific home content.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access
-##	</summary>
-## </param>
-#
-interface(`userdom_read_all_user_home_content',`
-	gen_require(`
-		attribute user_home_content_type;
-	')
-
-	list_dirs_pattern($1, user_home_content_type, user_home_content_type)
-	read_files_pattern($1, user_home_content_type, user_home_content_type)
-	read_lnk_files_pattern($1, user_home_content_type, user_home_content_type)
-	read_fifo_files_pattern($1, user_home_content_type, user_home_content_type)
-	read_sock_files_pattern($1, user_home_content_type, user_home_content_type)
-')
-
-########################################
-## <summary>
-##	Manage all user home content, including application-specific home
-##	content.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access
-##	</summary>
-## </param>
-#
-interface(`userdom_manage_all_user_home_content',`
-	gen_require(`
-		attribute user_home_content_type;
-	')
-
-	manage_dirs_pattern($1, user_home_content_type, user_home_content_type)
-	manage_files_pattern($1, user_home_content_type, user_home_content_type)
-	manage_lnk_files_pattern($1, user_home_content_type, user_home_content_type)
-	manage_fifo_files_pattern($1, user_home_content_type, user_home_content_type)
-	manage_sock_files_pattern($1, user_home_content_type, user_home_content_type)
-')
-
 ########################################
 ## <summary>
 ##	Create, read, write, and delete user
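Review bot: userdom_user_content_access_template and the four `$1_*_user_content` tunables disappear with it, as do userdom_read_all_user_home_content and userdom_manage_all_user_home_content. Any module still calling the template, and any doc/gentoo_tunables.xml entry for those booleans (the removed comments ask to keep that file updated), must be changed in the same commit, otherwise the policy build fails on the undefined template.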


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2018-06-24  8:46 Jason Zaman
From: Jason Zaman @ 2018-06-24  8:46 UTC
  To: gentoo-commits

commit:     173e6be1309b077f958d104fdbfc83207ff4324b
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Jun 23 14:50:14 2018 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jun 24 08:35:17 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=173e6be1

sysnetwork: Module version bump.

 policy/modules/system/sysnetwork.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 12c83a8a..28688894 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -1,4 +1,4 @@
-policy_module(sysnetwork, 1.22.2)
+policy_module(sysnetwork, 1.22.3)
 
 ########################################
 #


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2018-06-24  8:46 Jason Zaman
From: Jason Zaman @ 2018-06-24  8:46 UTC
  To: gentoo-commits

commit:     d0399fa91589bd6e57fba82b297e959e3f28f0c4
Author:     Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Wed Jun 20 09:38:12 2018 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jun 24 08:35:17 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d0399fa9

Label /etc/hosts.allow as net_conf_t

/etc/hosts.deny is labeled as net_conf_t so it makes sense to label
hosts.allow the same way

Signed-off-by: Laurent Bigonville <bigon <AT> bigon.be>

 policy/modules/system/sysnetwork.fc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
index 3b532567..430eb93d 100644
--- a/policy/modules/system/sysnetwork.fc
+++ b/policy/modules/system/sysnetwork.fc
@@ -16,6 +16,7 @@ ifdef(`distro_debian',`
 /etc/dhcp/dhcpd\.conf	--	gen_context(system_u:object_r:dhcp_etc_t,s0)
 /etc/ethers		--	gen_context(system_u:object_r:net_conf_t,s0)
 /etc/hosts		--	gen_context(system_u:object_r:net_conf_t,s0)
+/etc/hosts\.allow.*	--	gen_context(system_u:object_r:net_conf_t,s0)
 /etc/hosts\.deny.*	--	gen_context(system_u:object_r:net_conf_t,s0)
 /etc/denyhosts.*	--	gen_context(system_u:object_r:net_conf_t,s0)
 /etc/resolv\.conf.*	--	gen_context(system_u:object_r:net_conf_t,s0)


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2018-06-24 10:47 Jason Zaman
From: Jason Zaman @ 2018-06-24 10:47 UTC
  To: gentoo-commits

commit:     5fb9c04db1dddabde31193fd6d193aae656fa5f5
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun Jun 24 10:46:11 2018 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jun 24 10:46:11 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5fb9c04d

xdg: Add compat aliases for the old gentoo-specific names

 policy/modules/system/xdg.te | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/policy/modules/system/xdg.te b/policy/modules/system/xdg.te
index df2224f1..0cef070e 100644
--- a/policy/modules/system/xdg.te
+++ b/policy/modules/system/xdg.te
@@ -36,3 +36,19 @@ userdom_user_home_content(xdg_pictures_t)
 
 type xdg_videos_t; # customizable
 userdom_user_home_content(xdg_videos_t)
+
+ifdef(`distro_gentoo',`
+	# Compat aliases for the old gentoo-specific names
+	attribute xdg_cache_home_type;
+	attribute xdg_config_home_type;
+	attribute xdg_data_home_type;
+
+	typealias xdg_cache_t alias xdg_cache_home_t;
+	typealias xdg_config_t alias xdg_config_home_t;
+	typealias xdg_data_t alias xdg_data_home_t;
+	typealias xdg_documents_t alias xdg_documents_home_t;
+	typealias xdg_downloads_t alias xdg_downloads_home_t;
+	typealias xdg_music_t alias xdg_music_home_t;
+	typealias xdg_pictures_t alias xdg_pictures_home_t;
+	typealias xdg_videos_t alias xdg_videos_home_t;
+')
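Review bot: the three compat attributes xdg_cache_home_type, xdg_config_home_type and xdg_data_home_type are declared, but no typeattribute statement puts any type in them, so a rule still written against them (in a module not yet converted to the upstream names) grants nothing. Either add `typeattribute xdg_cache_t xdg_cache_home_type;` and the config/data equivalents, or drop the attribute declarations and keep only the typealias lines.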


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2018-06-25  5:33 Jason Zaman
From: Jason Zaman @ 2018-06-25  5:33 UTC
  To: gentoo-commits

commit:     a567c5599a2464d36d2665b6949ff84c0e1aa820
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun Jun 24 09:56:08 2018 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Jun 25 05:31:59 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a567c559

xdg: filetrans should not add filetrans from user_home_dir

SELinux 2.8 is stricter with duplicate filetrans and these rules cause
problems if a domain needs more than one xdg dir.

Domains should call xdg_generic_user_home_dir_filetrans_data directly if
needed.

 policy/modules/system/xdg.if | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/policy/modules/system/xdg.if b/policy/modules/system/xdg.if
index 45d73f15..f59be0a0 100644
--- a/policy/modules/system/xdg.if
+++ b/policy/modules/system/xdg.if
@@ -146,7 +146,6 @@ interface(`xdg_cache_filetrans',`
 	filetrans_pattern($1, xdg_cache_t, $2, $3, $4)
 
 	xdg_create_cache_dirs($1)
-	xdg_generic_user_home_dir_filetrans_cache($1, dir, ".cache")
 ')
 
 ########################################
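Review bot: all three interfaces (cache, config, data) lose their implicit user_home_dir transition in this change, but the commit message names only xdg_generic_user_home_dir_filetrans_data; list the _cache and _config variants as well. A note in each interface's doc block that the caller must now add the home-directory transition itself would also help, since an existing caller of xdg_cache_filetrans that does not will see ~/.cache inherit the home directory type instead of xdg_cache_t.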
@@ -397,8 +396,6 @@ interface(`xdg_config_filetrans',`
 	filetrans_pattern($1, xdg_config_t, $2, $3, $4)
 
 	xdg_create_config_dirs($1)
-	xdg_generic_user_home_dir_filetrans_config($1, dir, ".config")
-
 ')
 
 ########################################
@@ -629,7 +626,6 @@ interface(`xdg_data_filetrans',`
 	filetrans_pattern($1, xdg_data_t, $2, $3, $4)
 
 	xdg_create_data_dirs($1)
-	xdg_generic_user_home_dir_filetrans_data($1, dir, ".local")
 ')
 
 ########################################


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2018-06-25  5:33 Jason Zaman
From: Jason Zaman @ 2018-06-25  5:33 UTC
  To: gentoo-commits

commit:     75df5df7c2482cc1c9e1161dffd3d8388497ba6b
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun Jun 24 09:56:09 2018 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Jun 25 05:31:59 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=75df5df7

xdg: Introduce xdg_search_cache_dirs

 policy/modules/system/xdg.if | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/policy/modules/system/xdg.if b/policy/modules/system/xdg.if
index f59be0a0..e94d6720 100644
--- a/policy/modules/system/xdg.if
+++ b/policy/modules/system/xdg.if
@@ -63,6 +63,26 @@ interface(`xdg_data_content',`
 	userdom_user_home_content($1)
 ')
 
+########################################
+## <summary>
+##	Search through the xdg cache home directories
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xdg_search_cache_dirs',`
+	gen_require(`
+		type xdg_cache_t;
+	')
+
+	search_dirs_pattern($1, xdg_cache_t, xdg_cache_t)
+
+	userdom_search_user_home_dirs($1)
+')
+
 ########################################
 ## <summary>
 ##	Read the xdg cache home files


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2018-06-25  5:33 Jason Zaman
From: Jason Zaman @ 2018-06-25  5:33 UTC
  To: gentoo-commits

commit:     0bd77a1d1e383ea906b88a8cd206554ccb4256d0
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun Jun 24 09:56:07 2018 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Jun 25 05:31:59 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0bd77a1d

xdg: Add map perms, also make lnk_file, dirs consistent

 policy/modules/system/xdg.if | 47 +++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 46 insertions(+), 1 deletion(-)

diff --git a/policy/modules/system/xdg.if b/policy/modules/system/xdg.if
index 2fd2e34d..45d73f15 100644
--- a/policy/modules/system/xdg.if
+++ b/policy/modules/system/xdg.if
@@ -63,7 +63,6 @@ interface(`xdg_data_content',`
 	userdom_user_home_content($1)
 ')
 
-
 ########################################
 ## <summary>
 ##	Read the xdg cache home files
@@ -80,7 +79,9 @@ interface(`xdg_read_cache_files',`
 	')
 
 	read_files_pattern($1, xdg_cache_t, xdg_cache_t)
+	allow $1 xdg_cache_t:file map;
 	list_dirs_pattern($1, xdg_cache_t, xdg_cache_t)
+	read_lnk_files_pattern($1, xdg_cache_t, xdg_cache_t)
 
 	userdom_search_user_home_dirs($1)
 ')
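
Review bot: map is kept as a separate permission precisely so that a policy can let a domain read() a file without letting it mmap it; adding it here hands mmap to every existing caller of xdg_read_cache_files, and the hunks below do the same for every other xdg_read_* interface. That is the stated goal of the commit, but the <summary> in the context above still reads "Read the xdg cache home files"; change it to "Read and memory-map ..." so callers see what they are granting, and put the map line after read_lnk_files_pattern so the three pattern calls stay together.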
@@ -101,6 +102,9 @@ interface(`xdg_read_all_cache_files',`
 	')
 
 	read_files_pattern($1, xdg_cache_type, xdg_cache_type)
+	allow $1 xdg_cache_type:file map;
+	list_dirs_pattern($1, xdg_cache_type, xdg_cache_type)
+	read_lnk_files_pattern($1, xdg_cache_type, xdg_cache_type)
 
 	userdom_search_user_home_dirs($1)
 ')
@@ -209,6 +213,7 @@ interface(`xdg_manage_cache',`
 
 	manage_dirs_pattern($1, xdg_cache_t, xdg_cache_t)
 	manage_files_pattern($1, xdg_cache_t, xdg_cache_t)
+	allow $1 xdg_cache_t:file map;
 	manage_lnk_files_pattern($1, xdg_cache_t, xdg_cache_t)
 	manage_fifo_files_pattern($1, xdg_cache_t, xdg_cache_t)
 	manage_sock_files_pattern($1, xdg_cache_t, xdg_cache_t)
@@ -233,6 +238,7 @@ interface(`xdg_manage_all_cache',`
 
 	manage_dirs_pattern($1, xdg_cache_type, xdg_cache_type)
 	manage_files_pattern($1, xdg_cache_type, xdg_cache_type)
+	allow $1 xdg_cache_type:file map;
 	manage_lnk_files_pattern($1, xdg_cache_type, xdg_cache_type)
 	manage_fifo_files_pattern($1, xdg_cache_type, xdg_cache_type)
 	manage_sock_files_pattern($1, xdg_cache_type, xdg_cache_type)
@@ -324,7 +330,9 @@ interface(`xdg_read_config_files',`
 	')
 
 	read_files_pattern($1, xdg_config_t, xdg_config_t)
+	allow $1 xdg_config_t:file map;
 	list_dirs_pattern($1, xdg_config_t, xdg_config_t)
+	read_lnk_files_pattern($1, xdg_config_t, xdg_config_t)
 
 	userdom_search_user_home_dirs($1)
 ')
@@ -345,6 +353,9 @@ interface(`xdg_read_all_config_files',`
 	')
 
 	read_files_pattern($1, xdg_config_type, xdg_config_type)
+	allow $1 xdg_config_type:file map;
+	list_dirs_pattern($1, xdg_config_type, xdg_config_type)
+	read_lnk_files_pattern($1, xdg_config_type, xdg_config_type)
 
 	userdom_search_user_home_dirs($1)
 ')
@@ -454,6 +465,7 @@ interface(`xdg_manage_config',`
 
 	manage_dirs_pattern($1, xdg_config_t, xdg_config_t)
 	manage_files_pattern($1, xdg_config_t, xdg_config_t)
+	allow $1 xdg_config_t:file map;
 	manage_lnk_files_pattern($1, xdg_config_t, xdg_config_t)
 	manage_fifo_files_pattern($1, xdg_config_t, xdg_config_t)
 	manage_sock_files_pattern($1, xdg_config_t, xdg_config_t)
@@ -478,6 +490,7 @@ interface(`xdg_manage_all_config',`
 
 	manage_dirs_pattern($1, xdg_config_type, xdg_config_type)
 	manage_files_pattern($1, xdg_config_type, xdg_config_type)
+	allow $1 xdg_config_type:file map;
 	manage_lnk_files_pattern($1, xdg_config_type, xdg_config_type)
 	manage_fifo_files_pattern($1, xdg_config_type, xdg_config_type)
 	manage_sock_files_pattern($1, xdg_config_type, xdg_config_type)
@@ -549,7 +562,9 @@ interface(`xdg_read_data_files',`
 	')
 
 	read_files_pattern($1, xdg_data_t, xdg_data_t)
+	allow $1 xdg_data_t:file map;
 	list_dirs_pattern($1, xdg_data_t, xdg_data_t)
+	read_lnk_files_pattern($1, xdg_data_t, xdg_data_t)
 
 	userdom_search_user_home_dirs($1)
 ')
@@ -570,6 +585,9 @@ interface(`xdg_read_all_data_files',`
 	')
 
 	read_files_pattern($1, xdg_data_type, xdg_data_type)
+	allow $1 xdg_data_type:file map;
+	list_dirs_pattern($1, xdg_data_type, xdg_data_type)
+	read_lnk_files_pattern($1, xdg_data_type, xdg_data_type)
 
 	userdom_search_user_home_dirs($1)
 ')
@@ -678,6 +696,7 @@ interface(`xdg_manage_data',`
 
 	manage_dirs_pattern($1, xdg_data_t, xdg_data_t)
 	manage_files_pattern($1, xdg_data_t, xdg_data_t)
+	allow $1 xdg_data_t:file map;
 	manage_lnk_files_pattern($1, xdg_data_t, xdg_data_t)
 	manage_fifo_files_pattern($1, xdg_data_t, xdg_data_t)
 	manage_sock_files_pattern($1, xdg_data_t, xdg_data_t)
@@ -702,6 +721,7 @@ interface(`xdg_manage_all_data',`
 
 	manage_dirs_pattern($1, xdg_data_type, xdg_data_type)
 	manage_files_pattern($1, xdg_data_type, xdg_data_type)
+	allow $1 xdg_data_type:file map;
 	manage_lnk_files_pattern($1, xdg_data_type, xdg_data_type)
 	manage_fifo_files_pattern($1, xdg_data_type, xdg_data_type)
 	manage_sock_files_pattern($1, xdg_data_type, xdg_data_type)
@@ -803,6 +823,8 @@ interface(`xdg_manage_documents',`
 
 	manage_dirs_pattern($1, xdg_documents_t, xdg_documents_t)
 	manage_files_pattern($1, xdg_documents_t, xdg_documents_t)
+	allow $1 xdg_documents_t:file map;
+	manage_lnk_files_pattern($1, xdg_documents_t, xdg_documents_t)
 ')
 
 ########################################
@@ -843,6 +865,9 @@ interface(`xdg_read_downloads',`
 	')
 
 	read_files_pattern($1, xdg_downloads_t, xdg_downloads_t)
+	allow $1 xdg_downloads_t:file map;
+	list_dirs_pattern($1, xdg_downloads_t, xdg_downloads_t)
+	read_lnk_files_pattern($1, xdg_downloads_t, xdg_downloads_t)
 
 	userdom_search_user_home_dirs($1)
 ')
@@ -863,6 +888,9 @@ interface(`xdg_create_downloads',`
 	')
 
 	create_files_pattern($1, xdg_downloads_t, xdg_downloads_t)
+	allow $1 xdg_downloads_t:file map;
+	create_dirs_pattern($1, xdg_downloads_t, xdg_downloads_t)
+	create_lnk_files_pattern($1, xdg_downloads_t, xdg_downloads_t)
 
 	userdom_search_user_home_dirs($1)
 ')
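
Review bot: "allow $1 xdg_downloads_t:file map;" does not fit a create-only interface: create_files_pattern gives the caller neither read nor write on the files, so map is of no practical use here and only makes the interface look broader than it is; drop it and leave map to xdg_read_downloads, xdg_write_downloads and xdg_manage_downloads. The added create_dirs_pattern and create_lnk_files_pattern also widen this from "create files" to "create files, directories and symlinks", which the interface <summary> should say.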
@@ -883,6 +911,9 @@ interface(`xdg_write_downloads',`
 	')
 
 	write_files_pattern($1, xdg_downloads_t, xdg_downloads_t)
+	allow $1 xdg_downloads_t:file map;
+	list_dirs_pattern($1, xdg_downloads_t, xdg_downloads_t)
+	read_lnk_files_pattern($1, xdg_downloads_t, xdg_downloads_t)
 
 	userdom_search_user_home_dirs($1)
 ')
@@ -933,6 +964,8 @@ interface(`xdg_manage_downloads',`
 
 	manage_dirs_pattern($1, xdg_downloads_t, xdg_downloads_t)
 	manage_files_pattern($1, xdg_downloads_t, xdg_downloads_t)
+	allow $1 xdg_downloads_t:file map;
+	manage_lnk_files_pattern($1, xdg_downloads_t, xdg_downloads_t)
 ')
 
 ########################################
@@ -973,7 +1006,9 @@ interface(`xdg_read_pictures',`
 	')
 
 	read_files_pattern($1, xdg_pictures_t, xdg_pictures_t)
+	allow $1 xdg_pictures_t:file map;
 	list_dirs_pattern($1, xdg_pictures_t, xdg_pictures_t)
+	read_lnk_files_pattern($1, xdg_pictures_t, xdg_pictures_t)
 
 	userdom_search_user_home_dirs($1)
 ')
@@ -1024,6 +1059,8 @@ interface(`xdg_manage_pictures',`
 
 	manage_dirs_pattern($1, xdg_pictures_t, xdg_pictures_t)
 	manage_files_pattern($1, xdg_pictures_t, xdg_pictures_t)
+	allow $1 xdg_pictures_t:file map;
+	manage_lnk_files_pattern($1, xdg_pictures_t, xdg_pictures_t)
 ')
 
 ########################################
@@ -1064,7 +1101,9 @@ interface(`xdg_read_music',`
 	')
 
 	read_files_pattern($1, xdg_music_t, xdg_music_t)
+	allow $1 xdg_music_t:file map;
 	list_dirs_pattern($1, xdg_music_t, xdg_music_t)
+	read_lnk_files_pattern($1, xdg_music_t, xdg_music_t)
 
 	userdom_search_user_home_dirs($1)
 ')
@@ -1115,6 +1154,8 @@ interface(`xdg_manage_music',`
 
 	manage_dirs_pattern($1, xdg_music_t, xdg_music_t)
 	manage_files_pattern($1, xdg_music_t, xdg_music_t)
+	allow $1 xdg_music_t:file map;
+	manage_lnk_files_pattern($1, xdg_music_t, xdg_music_t)
 ')
 
 ########################################
@@ -1155,7 +1196,9 @@ interface(`xdg_read_videos',`
 	')
 
 	read_files_pattern($1, xdg_videos_t, xdg_videos_t)
+	allow $1 xdg_videos_t:file map;
 	list_dirs_pattern($1, xdg_videos_t, xdg_videos_t)
+	read_lnk_files_pattern($1, xdg_videos_t, xdg_videos_t)
 
 	userdom_search_user_home_dirs($1)
 ')
@@ -1206,6 +1249,8 @@ interface(`xdg_manage_videos',`
 
 	manage_dirs_pattern($1, xdg_videos_t, xdg_videos_t)
 	manage_files_pattern($1, xdg_videos_t, xdg_videos_t)
+	allow $1 xdg_videos_t:file map;
+	manage_lnk_files_pattern($1, xdg_videos_t, xdg_videos_t)
 ')
 
 ########################################


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2018-07-12 14:37 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2018-07-12 14:37 UTC (permalink / raw
  To: gentoo-commits

commit:     85c461c93005579188f0b3b50a6873678d9e2270
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Jul 10 15:03:18 2018 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Jul 11 14:41:35 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=85c461c9

iptables: fcontexts for 1.8.0

The binary changed from /sbin/xtables-multi to xtables-legacy-multi and
xtables-nft-multi

 policy/modules/system/iptables.fc | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
index 32877b26..ba65e811 100644
--- a/policy/modules/system/iptables.fc
+++ b/policy/modules/system/iptables.fc
@@ -20,7 +20,9 @@
 /usr/bin/ipvsadm-save			--	gen_context(system_u:object_r:iptables_exec_t,s0)
 /usr/bin/nft				--	gen_context(system_u:object_r:iptables_exec_t,s0)
 /usr/bin/xtables-compat-multi		--	gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/bin/xtables-legacy-multi		--	gen_context(system_u:object_r:iptables_exec_t,s0)
 /usr/bin/xtables-multi			--	gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/bin/xtables-nft-multi		--	gen_context(system_u:object_r:iptables_exec_t,s0)
 
 /usr/lib/systemd/system/[^/]*arptables.* --	gen_context(system_u:object_r:iptables_unit_t,s0)
 /usr/lib/systemd/system/[^/]*ebtables.*	 --	gen_context(system_u:object_r:iptables_unit_t,s0)
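
Review bot: the commit message names /sbin/xtables-multi, but both hunks add only /usr/bin and /usr/sbin entries; that is complete only if the policy build relies on a /sbin to /usr/sbin path substitution, otherwise an unmerged-/usr install of iptables 1.8 ends up with xtables-legacy-multi and xtables-nft-multi without the iptables_exec_t label and therefore without the domain transition. Worth confirming with matchpathcon /sbin/xtables-nft-multi on such a host. Keeping the existing xtables-multi lines is right for systems still on the old layout.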
@@ -40,4 +42,6 @@
 /usr/sbin/ipvsadm-save			--	gen_context(system_u:object_r:iptables_exec_t,s0)
 /usr/sbin/nft				--	gen_context(system_u:object_r:iptables_exec_t,s0)
 /usr/sbin/xtables-compat-multi		--	gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/sbin/xtables-legacy-multi		--	gen_context(system_u:object_r:iptables_exec_t,s0)
 /usr/sbin/xtables-multi			--	gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/sbin/xtables-nft-multi		--	gen_context(system_u:object_r:iptables_exec_t,s0)


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2018-09-11  9:06 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2018-09-11  9:06 UTC (permalink / raw
  To: gentoo-commits

commit:     3e34841ee1b176836216f3b53bf6cd772ef807d7
Author:     Yuli Khodorkovskiy <yuli.khodorkovskiy <AT> crunchydata <DOT> com>
AuthorDate: Thu Jul 26 22:37:06 2018 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Sep  9 03:07:46 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3e34841e

ipsec: add missing permissions for pluto

When using libreswan, pluto needs permissions for building the
Security Association Database and for setting contexts on IPSec
policy and SAs.

Signed-off-by: Yuli Khodorkovskiy <yuli <AT> crunchydata.com>

 policy/modules/system/ipsec.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index d7a58622..65fb1c08 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -151,12 +151,16 @@ corenet_udp_bind_isakmp_port(ipsec_t)
 corenet_udp_bind_ipsecnat_port(ipsec_t)
 corenet_sendrecv_generic_server_packets(ipsec_t)
 corenet_sendrecv_isakmp_server_packets(ipsec_t)
+# allow pluto to build Security Association Database
+corenet_setcontext_all_spds(ipsec_t)
 
 dev_read_sysfs(ipsec_t)
 dev_read_rand(ipsec_t)
 dev_read_urand(ipsec_t)
 
 domain_use_interactive_fds(ipsec_t)
+# allow pluto to set contexts on ipsec policy and SAs
+domain_ipsec_setcontext_all_domains(ipsec_t)
 
 files_list_tmp(ipsec_t)
 files_read_etc_files(ipsec_t)
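
Review bot: the two comments look mislabeled: "# allow pluto to build Security Association Database" sits on corenet_setcontext_all_spds(ipsec_t), which by its name grants setcontext on security policy database (SPD) entries, while the SA side is domain_ipsec_setcontext_all_domains(ipsec_t) below, whose comment mentions both policy and SAs. Reword each comment to name what its interface actually grants. Also, domain_ipsec_setcontext_all_domains lets ipsec_t set the IPsec context for every domain on the system; that is what labeled IPsec needs from the IKE daemon, but it is a wide grant and deserves a comment saying it is intentional rather than an AVC-driven addition.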


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2018-09-11  9:06 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2018-09-11  9:06 UTC (permalink / raw
  To: gentoo-commits

commit:     2732e6ff7feeceb82f598a980e3a09e37ee16688
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Aug  4 12:51:00 2018 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Sep  9 03:07:46 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2732e6ff

fstools: Module version bump.

 policy/modules/system/fstools.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index 738aef93..0251d6e0 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -1,4 +1,4 @@
-policy_module(fstools, 1.22.0)
+policy_module(fstools, 1.22.1)
 
 ########################################
 #


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2018-09-11  9:06 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2018-09-11  9:06 UTC (permalink / raw
  To: gentoo-commits

commit:     084110a7f93df028ea36a61c3f10d6747d5d2cd2
Author:     Nicolas Iooss <nicolas.iooss <AT> m4x <DOT> org>
AuthorDate: Fri Aug  3 19:27:51 2018 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Sep  9 03:07:46 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=084110a7

fstools: label e2mmpstatus as fsadm_exec_t

e2fsprogs 1.44.3 installs e2mmpstatus as a hard link to dumpe2fs. This
makes "restorecon -Rv /usr/bin" relabel this file with conflicting
contexts:

Relabeled /usr/bin/e2mmpstatus from system_u:object_r:fsadm_exec_t to system_u:object_r:bin_t
Relabeled /usr/bin/dumpe2fs from system_u:object_r:bin_t to system_u:object_r:fsadm_exec_t

Fix this by labelling e2mmpstatus like dumpe2fs.

Signed-off-by: Nicolas Iooss <nicolas.iooss <AT> m4x.org>

 policy/modules/system/fstools.fc | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
index 494d021e..2f4d6cd8 100644
--- a/policy/modules/system/fstools.fc
+++ b/policy/modules/system/fstools.fc
@@ -11,6 +11,7 @@
 /usr/bin/e2fsck			--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/bin/e4fsck			--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/bin/e2label		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/bin/e2mmpstatus		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/bin/efibootmgr		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/bin/fatsort		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/bin/fdisk			--	gen_context(system_u:object_r:fsadm_exec_t,s0)
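
Review bot: a hard link shares the inode, and therefore the single security label, with its target, so the fc entries matching the two names must resolve to the same context or restorecon keeps flipping the file, exactly as the log in the commit message shows. With this entry added, the check is that matchpathcon /usr/bin/dumpe2fs /usr/bin/e2mmpstatus prints fsadm_exec_t for both and that a second restorecon -Rv /usr/bin is silent. The existing dumpe2fs entry is outside this hunk, so also confirm it is a plain "--" entry like the one added rather than a regex that could match differently.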
@@ -67,6 +68,7 @@
 /usr/sbin/e2fsck		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/sbin/e4fsck		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/sbin/e2label		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/e2mmpstatus		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/sbin/efibootmgr		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/sbin/fatsort		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/sbin/fdisk			--	gen_context(system_u:object_r:fsadm_exec_t,s0)


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2018-09-11  9:06 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2018-09-11  9:06 UTC (permalink / raw
  To: gentoo-commits

commit:     089924b77114446a0d408829aed3a5f98e403452
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Jul 28 13:02:22 2018 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Sep  9 03:07:46 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=089924b7

ipsec: Module version bump.

 policy/modules/system/ipsec.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index 65fb1c08..fbe0d594 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -1,4 +1,4 @@
-policy_module(ipsec, 1.20.0)
+policy_module(ipsec, 1.20.1)
 
 ########################################
 #


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2018-11-11 23:29 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2018-11-11 23:29 UTC (permalink / raw
  To: gentoo-commits

commit:     ef06a7e9edf190fefe68db2d1d50496e7b7b6901
Author:     Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Sat Oct 27 13:03:20 2018 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Nov 11 23:17:31 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ef06a7e9

system/init: Give init_spec_daemon_domain()s the "daemon" attribute

init_daemon_domain() applies this attribute too.

Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

 policy/modules/system/init.if | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index d6a8f2ee..334d6036 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -206,6 +206,8 @@ interface(`init_spec_daemon_domain',`
 		role system_r;
 	')
 
+	typeattribute $1 daemon;
+
 	domain_type($1)
 	domain_entry_file($1, $2)
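
Review bot: typeattribute $1 daemon; needs "attribute daemon;" in this interface's gen_require block, since the attribute is declared in init.te and the interface is expanded inside other modules; the visible context shows only "role system_r;" in that block, so confirm the attribute is listed (init_daemon_domain, which the commit message cites as the model, requires it). Without it a module calling init_spec_daemon_domain fails to build because daemon is not in scope.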
 


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2018-11-11 23:29 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2018-11-11 23:29 UTC (permalink / raw
  To: gentoo-commits

commit:     06ba03b1498bde018ab1287df5f00394b8723bf1
Author:     Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Sun Oct 14 10:05:06 2018 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Nov 11 23:17:31 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=06ba03b1

miscfiles: Label /usr/share/texmf*/fonts/ as fonts_t

fontconfig can be configured to use the TeX Live fonts in addition to
/usr/share/fonts/.

Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

 policy/modules/system/miscfiles.fc | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
index 48e4c6ad..572a15df 100644
--- a/policy/modules/system/miscfiles.fc
+++ b/policy/modules/system/miscfiles.fc
@@ -50,9 +50,12 @@ ifdef(`distro_redhat',`
 /usr/local/share/fonts(/.*)?	gen_context(system_u:object_r:fonts_t,s0)
 
 /usr/share/docbook2X/xslt/man(/.*)?	gen_context(system_u:object_r:usr_t,s0)
+
 /usr/share/fonts(/.*)?		gen_context(system_u:object_r:fonts_t,s0)
-/usr/share/X11/fonts(/.*)?	gen_context(system_u:object_r:fonts_t,s0)
 /usr/share/ghostscript/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
+/usr/share/texmf[^/]*/fonts(/.*)? gen_context(system_u:object_r:fonts_t,s0)
+/usr/share/X11/fonts(/.*)?	gen_context(system_u:object_r:fonts_t,s0)
+
 /usr/share/locale(/.*)?		gen_context(system_u:object_r:locale_t,s0)
 /usr/share/X11/locale(/.*)?	gen_context(system_u:object_r:locale_t,s0)
 /usr/share/zoneinfo(/.*)?	gen_context(system_u:object_r:locale_t,s0)
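
Review bot: /usr/share/texmf[^/]*/fonts(/.*)? matches texmf, texmf-dist, texmf-local, texmf-var and any other texmf* sibling, which is the intent, and like the other font entries it carries no file type so directories and symlinks inside get fonts_t too. A quick check on a TeX Live host is matchpathcon /usr/share/texmf-dist/fonts/type1 returning fonts_t while matchpathcon /usr/share/texmf-dist/tex still returns usr_t, so the new pattern is no wider than the fonts subtree. Moving the X11/fonts line is ordering only.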


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2018-11-11 23:29 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2018-11-11 23:29 UTC (permalink / raw
  To: gentoo-commits

commit:     492ebee99e99b9152946f2967b96698a97b8c0e7
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Oct 14 17:55:21 2018 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Nov 11 23:17:31 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=492ebee9

miscfiles: Module version bump.

Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

 policy/modules/system/miscfiles.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te
index e94ecd3e..23647571 100644
--- a/policy/modules/system/miscfiles.te
+++ b/policy/modules/system/miscfiles.te
@@ -1,4 +1,4 @@
-policy_module(miscfiles, 1.14.0)
+policy_module(miscfiles, 1.14.1)
 
 ########################################
 #


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2018-11-11 23:29 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2018-11-11 23:29 UTC (permalink / raw
  To: gentoo-commits

commit:     682ae85bac62d08d6fadb22405f347dd194bdfdb
Author:     David Sugar <dsugar <AT> tresys <DOT> com>
AuthorDate: Fri Nov  2 00:36:45 2018 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Nov 11 23:17:31 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=682ae85b

Add interface udev_run_domain

This interface is useful when using the 'RUN' option in UDEV rules where udev will be executing a user executable to perform some action.  This interface allows a domain transition to occur for the run action.

Signed-off-by: Dave Sugar <dsugar <AT> tresys.com>
Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

 policy/modules/system/udev.if | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)

diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
index 73e994d6..2ecdf5f0 100644
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@@ -36,6 +36,37 @@ interface(`udev_domtrans',`
 	domtrans_pattern($1, udev_exec_t, udev_t)
 ')
 
+########################################
+## <summary>
+##	Allow udev to execute the specified program in
+##	the specified domain.
+## </summary>
+## <desc>
+##	<p>
+##	This is a interface to support the UDEV 'RUN'
+##	command.  This will allow the command run by
+##	udev to be run in a domain other than udev_t.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain to execute in.
+##	</summary>
+## </param>
+## <param name="entry_file">
+##	<summary>
+##	Domain entry point file.
+##	</summary>
+## </param>
+#
+interface(`udev_run_domain',`
+	gen_require(`
+		type udev_t;
+	')
+
+	domtrans_pattern(udev_t,$2,$1)
+')
+
 ########################################
 ## <summary>
 ##	Execute udev in the caller domain.
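
Review bot: two small things in the new interface: the <desc> has "This is a interface", which should read "an interface", and domtrans_pattern(udev_t,$2,$1) should use the file's spacing, domtrans_pattern(udev_t, $2, $1), as the udev_domtrans line above does. More substantively, a domain transition also needs the target type to be valid for the caller's role; udev_t runs in system_r, so unless every $1 already gets "role system_r types $1" from init_daemon_domain or similar, the RUN program is denied at the role check even though the type transition is allowed. Either add role system_r to gen_require and a role statement here, or state in the <desc> that callers must set up the role themselves.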


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2018-12-09 11:48 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2018-12-09 11:48 UTC (permalink / raw
  To: gentoo-commits

commit:     e9b51f6d4a82d767b3b7da4c7a6df72a5829e438
Author:     Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Sun Nov 11 12:33:00 2018 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Nov 18 10:56:47 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e9b51f6d

Add systemd_dbus_chat_resolved() interface

Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

 policy/modules/system/systemd.if | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 34685088..9247924b 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -753,6 +753,27 @@ interface(`systemd_tmpfilesd_managed',`
 	allow systemd_tmpfiles_t $1:$2 { setattr relabelfrom relabelto create };
 ')
 
+########################################
+## <summary>
+##   Send and receive messages from
+##   systemd resolved over dbus.
+## </summary>
+## <param name="domain">
+##   <summary>
+##     Domain allowed access.
+##   </summary>
+## </param>
+#
+interface(`systemd_dbus_chat_resolved',`
+	gen_require(`
+		type systemd_resolved_t;
+		class dbus send_msg;
+	')
+
+	allow $1 systemd_resolved_t:dbus send_msg;
+	allow systemd_resolved_t $1:dbus send_msg;
+')
+
 #######################################
 ## <summary>
 ##  Allow domain to read resolv.conf file generated by systemd_resolved
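
Review bot: the XML doc comment for this interface is indented with spaces ("##   Send and receive", "##     Domain allowed access.") where the rest of the file uses a tab after "##"; match the surrounding style. The body follows the usual chat pattern (send_msg in both directions), which is right for a request/reply D-Bus client; it only covers the messages themselves, so a caller still needs dbus_system_bus_client to reach the bus at all, and the <summary> could say so.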


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2018-12-09 11:48 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2018-12-09 11:48 UTC (permalink / raw
  To: gentoo-commits

commit:     5ccbe3a67512a8fc056b2bed30fe8e346d347387
Author:     Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Thu Nov  1 14:14:43 2018 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Nov 18 10:56:47 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5ccbe3a6

Allow semanage_t to connect to system D-Bus bus

This is needed as the systemd NSS modules are talking to systemd/PID1 over
D-Bus

Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

 policy/modules/system/selinuxutil.te | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index c4a199f4..1293616c 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -560,6 +560,13 @@ optional_policy(`
 	portage_eselect_module(semanage_t)
 ')
 
+ifdef(`init_systemd',`
+	optional_policy(`
+		init_dbus_chat(semanage_t)
+		dbus_system_bus_client(semanage_t)
+	')
+')
+
 optional_policy(`
 	locallogin_use_fds(semanage_t)
 ')
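
Review bot: the refpolicy convention is one optional_policy block per module the lines depend on, so init_dbus_chat(semanage_t) and dbus_system_bus_client(semanage_t) should each sit in their own optional_policy rather than share one; as written, if the dbus module is absent the init_dbus_chat call is dropped together with it, which is probably the intended effect but should be explicit. The ifdef(`init_systemd') wrapper is correct, since the NSS-to-PID1 chat described in the commit message only exists on systemd hosts.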


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2018-12-09 11:48 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2018-12-09 11:48 UTC (permalink / raw
  To: gentoo-commits

commit:     e90c8ba7ec87789c618bdac926e0af6baf3da89c
Author:     Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Sun Nov 11 12:33:28 2018 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Nov 18 10:56:47 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e90c8ba7

Allow sysnet_dns_name_resolve() to use resolved to resolve DNS names

Also allow unconfined_t to talk with the resolved daemon

Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

 policy/modules/system/sysnetwork.if | 11 ++++++++---
 policy/modules/system/unconfined.te |  6 ++++++
 2 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
index f4f17a5d..15fc046c 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -756,9 +756,14 @@ interface(`sysnet_dns_name_resolve',`
 		nscd_use($1)
 	')
 
-	# This seems needed when the mymachines NSS module is used
-	optional_policy(`
-		systemd_read_machines($1)
+	ifdef(`init_systemd',`
+		optional_policy(`
+			systemd_dbus_chat_resolved($1)
+		')
+		# This seems needed when the mymachines NSS module is used
+		optional_policy(`
+			systemd_read_machines($1)
+		')
 	')
 ')
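
Review bot: this hunk changes more than the commit message says: systemd_read_machines($1) was previously applied whenever the systemd module was present and is now additionally gated on ifdef(`init_systemd'), so a non-systemd build that still ships the systemd module loses that grant. Probably harmless, but say so in the message. More importantly, sysnet_dns_name_resolve is pulled in by a very large number of domains, so systemd_dbus_chat_resolved($1) here gives nearly every resolving domain two-way dbus send_msg with systemd_resolved_t. That is the price of the nss-resolve module, but the grant only does anything for domains that are also dbus_system_bus_client; callers that are not just accumulate an unused allow. Consider documenting that, or letting the nss-resolve-using domains opt in instead.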
 

diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index d669ff16..b981fa85 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -58,6 +58,12 @@ ifdef(`direct_sysadm_daemon',`
         ')
 ')
 
+ifdef(`init_systemd',`
+	optional_policy(`
+		systemd_dbus_chat_resolved(unconfined_t)
+	')
+')
+
 optional_policy(`
 	ada_domtrans(unconfined_t)
 ')


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2018-12-09 11:48 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2018-12-09 11:48 UTC (permalink / raw
  To: gentoo-commits

commit:     6ba54515b29ca6073950bd24f269056663026673
Author:     Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Sun Nov 11 12:37:00 2018 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Nov 18 10:56:47 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6ba54515

Allow systemd_resolved_t to bind to port 53 and use net_raw

resolved also binds against port 53 on the lo interface

Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

 policy/modules/system/systemd.te | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 2a658621..e70ccb21 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -864,7 +864,7 @@ optional_policy(`
 # Resolved local policy
 #
 
-allow systemd_resolved_t self:capability { chown setgid setpcap setuid };
+allow systemd_resolved_t self:capability { chown net_raw setgid setpcap setuid };
 allow systemd_resolved_t self:process { getcap setcap setfscreate signal };
 
 allow systemd_resolved_t self:tcp_socket { accept listen };
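
Review bot: net_raw is a much wider capability than "bind to port 53" suggests (it allows raw and packet sockets, among other things), so the reason belongs in a comment on this line; if it is needed for SO_BINDTODEVICE on the per-link sockets, which requires CAP_NET_RAW, say that, so a later reader can tell it apart from an AVC-driven addition.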
@@ -881,8 +881,10 @@ kernel_read_kernel_sysctls(systemd_resolved_t)
 kernel_read_net_sysctls(systemd_resolved_t)
 
 corenet_tcp_bind_generic_node(systemd_resolved_t)
+corenet_tcp_bind_dns_port(systemd_resolved_t)
 corenet_tcp_bind_llmnr_port(systemd_resolved_t)
 corenet_udp_bind_generic_node(systemd_resolved_t)
+corenet_udp_bind_dns_port(systemd_resolved_t)
 corenet_udp_bind_llmnr_port(systemd_resolved_t)
 
 auth_use_nsswitch(systemd_resolved_t)
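
Review bot: the commit message says resolved binds port 53 only on lo, but the policy cannot express that: together with the corenet_tcp_bind_generic_node and corenet_udp_bind_generic_node lines already present, these two additions let systemd_resolved_t listen on port 53 on any address. That is acceptable (the stub listener's address is resolved's own decision, not something this policy can narrow), but the commit message should not imply the policy confines it to loopback. The TCP bind pairs with the existing self:tcp_socket { accept listen } rule, so TCP fallback for large answers is covered.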


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2018-12-09 11:48 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2018-12-09 11:48 UTC (permalink / raw
  To: gentoo-commits

commit:     047d9ea6c5adefc531ea42c30f3ecf7fe15cc43e
Author:     Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Sun Nov 11 19:04:21 2018 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Nov 18 10:56:47 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=047d9ea6

Allow iscsid_t to create a netlink_iscsi_socket

----
type=PROCTITLE msg=audit(11/11/18 14:02:09.006:195) : proctitle=/sbin/iscsid
type=SYSCALL msg=audit(11/11/18 14:02:09.006:195) : arch=x86_64 syscall=bind success=yes exit=0 a0=0x6 a1=0x55bfc5837270 a2=0xc a3=0x0 items=0 ppid=1188 pid=1190 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=iscsid exe=/usr/sbin/iscsid subj=system_u:system_r:iscsid_t:s0 key=(null)
type=AVC msg=audit(11/11/18 14:02:09.006:195) : avc:  denied  { bind } for  pid=1190 comm=iscsid scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:system_r:iscsid_t:s0 tclass=netlink_iscsi_socket permissive=1
----
type=PROCTITLE msg=audit(11/11/18 14:02:09.006:194) : proctitle=/sbin/iscsid
type=SYSCALL msg=audit(11/11/18 14:02:09.006:194) : arch=x86_64 syscall=socket success=yes exit=6 a0=netlink a1=SOCK_RAW a2=egp a3=0x0 items=0 ppid=1188 pid=1190 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=iscsid exe=/usr/sbin/iscsid subj=system_u:system_r:iscsid_t:s0 key=(null)
type=AVC msg=audit(11/11/18 14:02:09.006:194) : avc:  denied  { create } for  pid=1190 comm=iscsid scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:system_r:iscsid_t:s0 tclass=netlink_iscsi_socket permissive=1

Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

 policy/modules/system/iscsi.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/iscsi.te b/policy/modules/system/iscsi.te
index 9457ef29..dc5f8f52 100644
--- a/policy/modules/system/iscsi.te
+++ b/policy/modules/system/iscsi.te
@@ -40,6 +40,7 @@ allow iscsid_t self:fifo_file rw_fifo_file_perms;
 allow iscsid_t self:unix_stream_socket { accept connectto listen };
 allow iscsid_t self:sem create_sem_perms;
 allow iscsid_t self:shm create_shm_perms;
+allow iscsid_t self:netlink_iscsi_socket create_socket_perms;
 allow iscsid_t self:netlink_socket create_socket_perms;
 allow iscsid_t self:netlink_kobject_uevent_socket create_socket_perms;
 allow iscsid_t self:netlink_route_socket nlmsg_write;
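Review bot: both AVCs quoted in the message (create, then bind with a 12-byte sockaddr_nl) are covered by create_socket_perms, so this single rule is sufficient for what was captured; the one caveat is that the audit lines were taken with permissive=1 during daemon start, so a run in enforcing mode should confirm that no further netlink_iscsi_socket permission surfaces once a session is actually brought up (read, write and getattr are already inside create_socket_perms, so only something outside the base socket set would show).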


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2018-12-09 11:48 Jason Zaman
From: Jason Zaman @ 2018-12-09 11:48 UTC
  To: gentoo-commits

commit:     97e7530c5e79281a24499ac28edcf35daa2349c2
Author:     David Sugar <dsugar <AT> tresys <DOT> com>
AuthorDate: Sat Nov 17 04:23:43 2018 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Nov 18 10:56:47 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=97e7530c

interface to enable/disable systemd_networkd service

Signed-off-by: Dave Sugar <dsugar <AT> tresys.com>
Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

 policy/modules/system/systemd.if | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 9247924b..74f0b215 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -467,6 +467,25 @@ interface(`systemd_manage_networkd_units',`
 	manage_files_pattern($1, systemd_networkd_unit_t, systemd_networkd_unit_t)
 ')
 
+########################################
+## <summary>
+##	Allow specified domain to enable systemd-networkd units
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`systemd_enabledisable_networkd',`
+	gen_require(`
+		type systemd_networkd_unit_t;
+		class service { enable disable };
+	')
+
+	allow $1 systemd_networkd_unit_t:service { enable disable };
+')
+
 ########################################
 ## <summary>
 ##	Allow specified domain to start systemd-networkd units
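Review bot: the summary says only "enable" while the rule grants { enable disable }; the documentation should read "enable and disable systemd-networkd units" so that the generated interface docs show the full grant. The interface name systemd_enabledisable_networkd already matches the body, so only the summary line needs the fix.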


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2018-12-09 11:48 Jason Zaman
From: Jason Zaman @ 2018-12-09 11:48 UTC
  To: gentoo-commits

commit:     1e96396dedf4d264ac02943157f34e0497671d9f
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Sep 11 16:13:24 2018 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Dec  9 11:45:31 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1e96396d

libraries: ldconfig is a shell script on Gentoo musl libc

Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

 policy/modules/system/libraries.te | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
index 422b0ea1..6812a58e 100644
--- a/policy/modules/system/libraries.te
+++ b/policy/modules/system/libraries.te
@@ -145,3 +145,10 @@ optional_policy(`
 optional_policy(`
 	unconfined_domain(ldconfig_t)
 ')
+
+ifdef(`distro_gentoo',`
+	# on musl ldconfig is a shell script
+	allow ldconfig_t self:fifo_file rw_fifo_file_perms;
+	corecmd_exec_shell(ldconfig_t)
+	corecmd_exec_bin(ldconfig_t)
+')
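Review bot: the comment says this is for musl, but the ifdef(`distro_gentoo') block is not conditioned on the libc, so corecmd_exec_shell and corecmd_exec_bin (plus the fifo_file rule) are also granted to ldconfig_t on glibc Gentoo systems where ldconfig is a native binary and needs none of them. refpolicy has no build-time musl flag to gate on, so at minimum the comment should state that the rules apply to every Gentoo build; the widening is worth recording given that ldconfig_t is optionally unconfined_domain just above.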


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2018-12-09 11:48 Jason Zaman
From: Jason Zaman @ 2018-12-09 11:48 UTC
  To: gentoo-commits

commit:     892c088f75d2df27a501850dae2ef05c8759a591
Author:     Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Wed Oct  3 17:10:39 2018 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Nov 18 10:59:17 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=892c088f

Enable the tmpfiles_manage_all_non_security boolean by default

This sucks, not only because I don't like granting tmpfiles_t this
access, but also since it's one more unnecessary difference between
gentoo and refpolicy.

Nevertheless, it's the most reasonable fix I can think of.

Bug: https://bugs.gentoo.org/667122
Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

 policy/modules/system/tmpfiles.te | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/policy/modules/system/tmpfiles.te b/policy/modules/system/tmpfiles.te
index 1366fbff..9063ca3e 100644
--- a/policy/modules/system/tmpfiles.te
+++ b/policy/modules/system/tmpfiles.te
@@ -13,7 +13,8 @@ policy_module(tmpfiles, 1.0.0)
 ##	/run, /tmp, /dev and /var/lock.
 ##      </p>
 ## </desc>
-gen_tunable(tmpfiles_manage_all_non_security, false)
+# Enabled by default on Gentoo to fix https://bugs.gentoo.org/667122
+gen_tunable(tmpfiles_manage_all_non_security, true)
 
 type tmpfiles_t;
 type tmpfiles_exec_t;
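Review bot: the `<desc>` block immediately above still describes the tunable without mentioning that Gentoo ships it enabled; the Gentoo default belongs in the description as well as in the inline comment, because the description is what setsebool/semanage users see. Also note that changing the gen_tunable default only reaches systems that have never set the boolean: a value stored earlier with setsebool -P persists in the policy store and overrides the new default, so installs that pinned it to false will not pick up the bug fix from the rebuilt policy alone.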


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2019-02-10  4:14 Jason Zaman
From: Jason Zaman @ 2019-02-10  4:14 UTC
  To: gentoo-commits

commit:     85052797855d8b35d000e06b84df0de5d7a87a8c
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Jan 23 23:35:00 2019 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Feb 10 04:11:25 2019 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=85052797

init: Drop unnecessary userspace class dependence in init_read_generic_units_symlinks().

Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

 policy/modules/system/init.if | 1 -
 1 file changed, 1 deletion(-)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 12ee83de..89ac691c 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -3058,7 +3058,6 @@ interface(`init_search_units',`
 interface(`init_read_generic_units_symlinks',`
 	gen_require(`
 		type systemd_unit_t;
-		class service status;
 	')
 
 	allow $1 systemd_unit_t:lnk_file read_lnk_file_perms;
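Review bot: dropping `class service status;` is only safe if nothing in the interface body uses the service class; the one visible rule is lnk_file read on systemd_unit_t, which matches the commit title, so the require was dead and was forcing the userspace service class into every caller's dependency set for no reason.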


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2019-02-10  4:14 Jason Zaman
From: Jason Zaman @ 2019-02-10  4:14 UTC
  To: gentoo-commits

commit:     ebbdea62e2a5ee04b6c4ecf78315dd133fa23023
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Jan 12 08:03:43 2019 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Feb 10 04:11:25 2019 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ebbdea62

userdomain: introduce userdom_user_home_dir_filetrans_user_cert

Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

 policy/modules/system/userdomain.if | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 3f380d40..7fe015de 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -2522,6 +2522,35 @@ interface(`userdom_user_home_content_filetrans',`
 	files_search_home($1)
 ')
 
+########################################
+## <summary>
+##	Automatically use the user_cert_t label for selected resources
+##	created in a users home directory
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+## <param name="class">
+##	<summary>
+##	Resource type(s) for which the label should be used
+##	</summary>
+## </param>
+## <param name="filename" optional="true">
+##	<summary>
+##	Name of the resource that is being created
+##	</summary>
+## </param>
+#
+interface(`userdom_user_home_dir_filetrans_user_cert',`
+	gen_require(`
+		type user_cert_t;
+	')
+
+	userdom_user_home_dir_filetrans($1, user_cert_t, $2, $3)
+')
+
 ########################################
 ## <summary>
 ##	Create objects in a user home directory
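Review bot: userdomain.if already carries an interface of this exact name further down the file (the follow-up commit on this page removes that second copy); m4 silently redefines a macro, so with two interface() definitions the later one wins and the earlier one is dead code, and the duplicate should be dropped in this commit rather than in a separate one. The body itself is fine: it delegates to userdom_user_home_dir_filetrans with user_cert_t and passes $2/$3 through unchanged, so the optional filename argument works as documented.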


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2019-02-10  4:24 Jason Zaman
From: Jason Zaman @ 2019-02-10  4:24 UTC
  To: gentoo-commits

commit:     04574aa8704e2f617d1f085fe4564c551c0339ac
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun Feb 10 04:20:49 2019 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Feb 10 04:23:42 2019 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=04574aa8

remove duplicate userdom_user_home_dir_filetrans_user_cert interface

Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

 policy/modules/system/userdomain.if | 29 -----------------------------
 1 file changed, 29 deletions(-)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 7fe015de..da98bde5 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -4540,35 +4540,6 @@ interface(`userdom_manage_user_tmp_chr_files',`
 	files_search_tmp($1)
 ')
 
-########################################
-## <summary>
-##	Automatically use the user_cert_t label for selected resources
-##	created in a users home directory
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access
-##	</summary>
-## </param>
-## <param name="class">
-##	<summary>
-##	Resource type(s) for which the label should be used
-##	</summary>
-## </param>
-## <param name="filename" optional="true">
-##	<summary>
-##	Name of the resource that is being created
-##	</summary>
-## </param>
-#
-interface(`userdom_user_home_dir_filetrans_user_cert',`
-	gen_require(`
-		type user_cert_t;
-	')
-
-	userdom_user_home_dir_filetrans($1, user_cert_t, $2, $3)
-')
-
 ########################################
 ## <summary>
 ##	Allow relabeling resources to user_cert_t


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2019-03-26 10:17 Jason Zaman
From: Jason Zaman @ 2019-03-26 10:17 UTC
  To: gentoo-commits

commit:     68f0d31ccb685203e3146a4f10f80af9412fd160
Author:     Sugar, David <dsugar <AT> tresys <DOT> com>
AuthorDate: Sat Mar  9 03:58:09 2019 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Mar 25 10:05:25 2019 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=68f0d31c

Allow additional map permission when reading hwdb

I'm seeing a denial for udev to map /etc/udev/hwdb.bin.
This creates and uses a new interface to allow the needed
permission for udev.

type=AVC msg=audit(1551886176.948:642): avc:  denied  { map } for  pid=5187 comm="systemd-udevd" path="/etc/udev/hwdb.bin" dev="dm-1" ino=6509618 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_hwdb_t:s0 tclass=file permissive=1

Updated from previous to create a new interface.

Signed-off-by: Dave Sugar <dsugar <AT> tresys.com>
Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

 policy/modules/system/systemd.if | 18 ++++++++++++++++++
 policy/modules/system/udev.te    |  1 +
 2 files changed, 19 insertions(+)

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 8d2bb8da..6353ca69 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -37,6 +37,24 @@ interface(`systemd_read_hwdb',`
 	read_files_pattern($1, systemd_hwdb_t, systemd_hwdb_t)
 ')
 
+#######################################
+## <summary>
+##  Allow domain to map udev hwdb file
+## </summary>
+## <param name="domain">
+## <summary>
+##  domain allowed access
+## </summary>
+## </param>
+#
+interface(`systemd_map_hwdb',`
+	gen_require(`
+		type systemd_hwdb_t;
+	')
+
+	allow $1 systemd_hwdb_t:file map;
+')
+
 ######################################
 ## <summary>
 ##   Read systemd_login PID files.
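Review bot: map on its own is not usable, since mmap(PROT_READ) of hwdb.bin still needs open and read on the file, so every caller has to pair systemd_map_hwdb with systemd_read_hwdb (udev.te does below); consider adding map to systemd_read_hwdb instead of a separate interface, or at least say in the summary that the two go together. On style, the new comment block uses two spaces after ## and a lowercase "domain allowed access" where the rest of the file uses a tab and "Domain allowed access", so it should be brought in line with the neighbouring interfaces.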

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 99f22bfb..f6a9d652 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -248,6 +248,7 @@ ifdef(`init_systemd',`
 	init_get_generic_units_status(udev_t)
 	init_stream_connect(udev_t)
 
+	systemd_map_hwdb(udev_t)
 	systemd_read_hwdb(udev_t)
 	systemd_read_logind_sessions_files(udev_t)
 	systemd_read_logind_pids(udev_t)


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2019-03-26 10:17 Jason Zaman
From: Jason Zaman @ 2019-03-26 10:17 UTC
  To: gentoo-commits

commit:     af8e8b50f5255b447e534a740abe4bc2e5ccc501
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Mar 17 20:25:28 2019 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Mar 25 10:05:25 2019 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=af8e8b50

udev: Move one line and remove a redundant line.

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

 policy/modules/system/udev.te | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 5e24d949..e6c64026 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -420,11 +420,12 @@ ifdef(`distro_gentoo',`
 allow udevadm_t self:netlink_kobject_uevent_socket create_socket_perms;
 allow udevadm_t self:unix_stream_socket create_socket_perms;
 
+stream_connect_pattern(udevadm_t, udev_var_run_t, udev_var_run_t, udev_t)
+
 delete_dirs_pattern(udevadm_t, udev_var_run_t, udev_var_run_t)
 delete_files_pattern(udevadm_t, udev_var_run_t, udev_var_run_t)
 delete_lnk_files_pattern(udevadm_t, udev_var_run_t, udev_var_run_t)
 list_dirs_pattern(udevadm_t, udev_var_run_t, udev_var_run_t)
-stream_connect_pattern(udevadm_t, udev_var_run_t, udev_var_run_t, udev_t)
 
 dev_rw_sysfs(udevadm_t)
 dev_read_urand(udevadm_t)
@@ -437,7 +438,5 @@ init_read_state(udevadm_t)
 
 kernel_read_system_state(udevadm_t)
 
-libs_use_ld_so(udevadm_t)
-
 seutil_read_file_contexts(udevadm_t)
 


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2019-03-26 10:17 Jason Zaman
From: Jason Zaman @ 2019-03-26 10:17 UTC
  To: gentoo-commits

commit:     f181d110ce34e9c8bb5a85ab5727a9fa2cbfa26b
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Mar 17 20:25:03 2019 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Mar 25 10:05:25 2019 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f181d110

udev: Whitespace fix.

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

 policy/modules/system/udev.te | 1 -
 1 file changed, 1 deletion(-)

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 77503764..5e24d949 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -412,7 +412,6 @@ ifdef(`distro_gentoo',`
 	init_domtrans_script(udev_t)
 ')
 
-
 ########################################
 #
 # udevadm Local policy


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2019-03-26 10:17 Jason Zaman
From: Jason Zaman @ 2019-03-26 10:17 UTC
  To: gentoo-commits

commit:     f3f0bbf1d5523ba85cfb5cf926a55f3a5df2a6f4
Author:     Sugar, David <dsugar <AT> tresys <DOT> com>
AuthorDate: Thu Mar 21 18:29:26 2019 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Mar 25 10:05:25 2019 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f3f0bbf1

Resolve denial about logging to journal from chkpwd

type=AVC msg=audit(1553029357.588:513): avc:  denied  { sendto } for  pid=7577 comm="unix_chkpwd" path="/dev/log" scontext=toor_u:staff_r:chkpwd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=0

Signed-off-by: Dave Sugar <dsugar <AT> tresys.com>
Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

 policy/modules/system/authlogin.te | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 53f2264f..d105c58c 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -144,6 +144,11 @@ ifdef(`distro_ubuntu',`
 	')
 ')
 
+ifdef(`init_systemd',`
+	# for journald /dev/log
+	kernel_dgram_send(chkpwd_t)
+')
+
 optional_policy(`
 	# apache leaks file descriptors
 	apache_dontaudit_rw_tcp_sockets(chkpwd_t)
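Review bot: the denial's tcontext is kernel_t rather than an init or journald type, which is the signature of a socket that systemd created before any policy was loaded (typically the journal dev-log socket set up in the initramfs and carried across switch-root), so the socket object kept the kernel_t label; the inline comment should record that, because "for journald /dev/log" alone does not explain why kernel_dgram_send is the right interface. Also check that chkpwd_t already has logging_send_syslog_msg for the normal syslog path; kernel_dgram_send only closes the early-boot-socket gap.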


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2019-07-13  7:01 Jason Zaman
From: Jason Zaman @ 2019-07-13  7:01 UTC
  To: gentoo-commits

commit:     5c6a954b4abbc2f65ebebbfa363f6a287cfe122d
Author:     Chris PeBenito <Christopher.PeBenito <AT> microsoft <DOT> com>
AuthorDate: Tue May 28 15:13:32 2019 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Jul 13 06:43:14 2019 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5c6a954b

init: Add systemd block to init_script_domain().

Signed-off-by: Chris PeBenito <Christopher.PeBenito <AT> microsoft.com>
Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

 policy/modules/system/init.if | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 2a928ca7..411c5cc8 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -99,6 +99,12 @@ interface(`init_script_domain',`
 	role system_r types $1;
 
 	domtrans_pattern(init_run_all_scripts_domain, $2, $1)
+
+	ifdef(`init_systemd',`
+		allow $1 init_t:unix_stream_socket { getattr read write ioctl };
+
+		allow init_t $1:process2 { nnp_transition nosuid_transition };
+	')
 ')
 
 ########################################
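Review bot: init_t is used in both new rules but is not in the interface's gen_require, so a module calling init_script_domain in a modular build fails with an unknown type; add `type init_t;` to the require (the later commit on this page does exactly that). process2 is a kernel class, so it needs no require. The grant itself is appropriately narrow: nnp_transition and nosuid_transition let init_t enter $1 even when the unit sets NoNewPrivileges= or the script lives on a nosuid mount, and they are given only from init_t to $1.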


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2019-07-13  7:01 Jason Zaman
From: Jason Zaman @ 2019-07-13  7:01 UTC
  To: gentoo-commits

commit:     294b186e685633cbaf8c35886574fba4d6a6693f
Author:     Chris PeBenito <Christopher.PeBenito <AT> microsoft <DOT> com>
AuthorDate: Fri May 24 18:38:51 2019 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Jul 13 06:43:14 2019 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=294b186e

systemd: modules-load updates.

Signed-off-by: Chris PeBenito <Christopher.PeBenito <AT> microsoft.com>
Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

 policy/modules/system/systemd.te | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 29d5d4fc..a08ee785 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -623,11 +623,14 @@ optional_policy(`
 # modules-load local policy
 #
 
-files_load_kernel_modules(systemd_modules_load_t)
+kernel_load_module(systemd_modules_load_t)
+
 files_read_etc_files(systemd_modules_load_t)
 
-init_read_state(systemd_modules_load_t)
-init_search_run(systemd_modules_load_t)
+modutils_read_module_config(systemd_modules_load_t)
+modutils_read_module_deps(systemd_modules_load_t)
+
+systemd_log_parse_environment(systemd_modules_load_t)
 
 ########################################
 #
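Review bot: "modules-load updates" gives no AVC and no reason for removing init_read_state and init_search_run, nor for swapping files_load_kernel_modules for kernel_load_module, which is a different interface rather than a rename; please state which denials drove each line so the two removals can be verified as not regressing the /run and init-state access systemd-modules-load used before. Also confirm that systemd_modules_load_t keeps read/map access to the .ko files after the swap, since modutils_read_module_config and modutils_read_module_deps cover modules-load.d and modules.dep but not the module objects themselves.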


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2019-12-16 17:48 Jason Zaman
From: Jason Zaman @ 2019-12-16 17:48 UTC
  To: gentoo-commits

commit:     53965ae805001f34662311a40b19e3a307d0e81e
Author:     Chris PeBenito <chpebeni <AT> linux <DOT> microsoft <DOT> com>
AuthorDate: Wed Nov 13 19:23:57 2019 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Dec 16 13:13:11 2019 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=53965ae8

unconfined: Add namespaced capabilities.

Signed-off-by: Chris PeBenito <chpebeni <AT> linux.microsoft.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/unconfined.if | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
index 0a2f7a86..f2867c18 100644
--- a/policy/modules/system/unconfined.if
+++ b/policy/modules/system/unconfined.if
@@ -20,8 +20,8 @@ interface(`unconfined_domain_noaudit',`
 	')
 
 	# Use most Linux capabilities
-	allow $1 self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap };
-	allow $1 self:capability2 { syslog wake_alarm };
+	allow $1 self:{ capability cap_userns } { chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap };
+	allow $1 self:{ capability2 cap2_userns } { syslog wake_alarm };
 	allow $1 self:fifo_file manage_fifo_file_perms;
 
 	# Transition to myself, to make get_ordered_context_list happy.
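Review bot: extending the same two permission sets to cap_userns and cap2_userns is the right shape, because the kernel consults those classes instead of capability/capability2 when a capability check happens inside a non-initial user namespace, and the deliberate omissions carry over too: mac_admin and mac_override stay out of the capability2/cap2_userns list, so an unconfined process in a user namespace still cannot bypass SELinux labelling. A kernel that does not implement the userns classes simply never checks them, so the rule is harmless there.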


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2019-12-16 17:48 Jason Zaman
From: Jason Zaman @ 2019-12-16 17:48 UTC
  To: gentoo-commits

commit:     7231d7d18ef229fad0364e8ff29294004c34eaff
Author:     Sugar, David <dsugar <AT> tresys <DOT> com>
AuthorDate: Tue Oct 29 17:28:05 2019 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Dec 16 13:13:11 2019 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7231d7d1

Add missing gen_require for init_t in init_script_domain

Signed-off-by: Dave Sugar <dsugar <AT> tresys.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/init.if | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index bd6c965e..2e5bd3e8 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -101,6 +101,9 @@ interface(`init_script_domain',`
 	domtrans_pattern(init_run_all_scripts_domain, $2, $1)
 
 	ifdef(`init_systemd',`
+		gen_require(`
+			type init_t;
+		')
 		allow $1 init_t:unix_stream_socket { getattr read write ioctl };
 
 		allow init_t $1:process2 { nnp_transition nosuid_transition };
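Review bot: a gen_require nested inside the ifdef(`init_systemd') block works, since init_t is only referenced there, but refpolicy convention is a single gen_require at the top of the interface and a blank line between the require and the first rule; either move `type init_t;` up into the existing require or at least add the blank line so the block reads like the rest of the file.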


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2019-12-16 17:48 Jason Zaman
From: Jason Zaman @ 2019-12-16 17:48 UTC
  To: gentoo-commits

commit:     1424ef367c3979513e9b1a17625c95e58e344213
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Thu Oct 31 07:33:14 2019 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Dec 16 13:13:11 2019 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1424ef36

init: Whitespace change.

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/init.if | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 2e5bd3e8..3465641f 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -104,6 +104,7 @@ interface(`init_script_domain',`
 		gen_require(`
 			type init_t;
 		')
+
 		allow $1 init_t:unix_stream_socket { getattr read write ioctl };
 
 		allow init_t $1:process2 { nnp_transition nosuid_transition };


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2019-12-16 17:48 Jason Zaman
From: Jason Zaman @ 2019-12-16 17:48 UTC
  To: gentoo-commits

commit:     6f4564d1a54ab5834d4831aeb320d74178d8650f
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Thu Oct 31 08:12:24 2019 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Dec 16 13:13:11 2019 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6f4564d1

init: Module version bump.

Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/init.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 55b981c2..fe9b8535 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 2.7.3)
+policy_module(init, 2.7.4)
 
 gen_require(`
 	class passwd rootok;


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2019-12-16 17:48 Jason Zaman
From: Jason Zaman @ 2019-12-16 17:48 UTC
  To: gentoo-commits

commit:     9074e45e4da9e23b5e161fe4da909672001f4cb0
Author:     Chris PeBenito <chpebeni <AT> linux <DOT> microsoft <DOT> com>
AuthorDate: Fri Nov 22 21:39:35 2019 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Dec 16 13:13:11 2019 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9074e45e

unconfined: Fix systemd --user rule.

Use the full init_pgm_spec_user_daemon_domain() to ensure correct
permissions.

Signed-off-by: Chris PeBenito <chpebeni <AT> linux.microsoft.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/init.if       | 7 +------
 policy/modules/system/unconfined.te | 2 +-
 2 files changed, 2 insertions(+), 7 deletions(-)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 3465641f..9425c651 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -672,12 +672,7 @@ interface(`init_domtrans',`
 ## </desc>
 ## <param name="domain">
 ##	<summary>
-##	Domain allowed to transition.
-##	</summary>
-## </param>
-## <param name="domain">
-##	<summary>
-##	New domain.
+##	The type to be used as a systemd --user domain.
 ##	</summary>
 ## </param>
 #

diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index 62b9eb17..2bb15219 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -62,7 +62,7 @@ ifdef(`init_systemd',`
 	# for systemd-analyze
 	init_service_status(unconfined_t)
 	# for systemd --user:
-	init_pgm_entrypoint(unconfined_t)
+	init_pgm_spec_user_daemon_domain(unconfined_t)
 
 	optional_policy(`
 		systemd_dbus_chat_resolved(unconfined_t)


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2019-12-16 17:48 Jason Zaman
From: Jason Zaman @ 2019-12-16 17:48 UTC
  To: gentoo-commits

commit:     a38acee2cfa56d90e3e39f4ea79ccbdf44478f5b
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Nov 23 15:27:14 2019 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Dec 16 13:13:11 2019 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a38acee2

logging: Module version bump.

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/logging.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 7aa2bcd0..a47a2659 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -1,4 +1,4 @@
-policy_module(logging, 1.30.2)
+policy_module(logging, 1.30.3)
 
 ########################################
 #


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2019-12-16 17:48 Jason Zaman
From: Jason Zaman @ 2019-12-16 17:48 UTC
  To: gentoo-commits

commit:     f2c832a038e43ad3edefdf9960d51f4dc00bb681
Author:     Sugar, David <dsugar <AT> tresys <DOT> com>
AuthorDate: Sun Nov 17 04:48:46 2019 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Dec 16 13:13:11 2019 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f2c832a0

resolve syslog imuxsock denial

I'm seeing the following error while starting rsyslog:
Nov 17 02:01:38 localhost rsyslogd: cannot create '/run/systemd/journal/syslog': Permission denied [v8.24.0-41.el7_7.2]
Nov 17 02:01:38 localhost rsyslogd: imuxsock does not run because we could not aquire any socket  [v8.24.0-41.el7_7.2]
Nov 17 02:01:38 localhost rsyslogd: activation of module imuxsock failed [v8.24.0-41.el7_7.2]

With the following denials:
type=AVC msg=audit(1573958708.773:1896): avc:  denied  { create } for  pid=2347 comm="rsyslogd" name="syslog" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:syslogd_runtime_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1573958708.773:1897): avc:  denied  { setattr } for  pid=2347 comm="rsyslogd" name="syslog" dev="tmpfs" ino=19368 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:syslogd_runtime_t:s0 tclass=sock_file permissive=1

Signed-off-by: Dave Sugar <dsugar <AT> tresys.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/logging.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index ce4570c8..0ac55531 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -432,6 +432,8 @@ allow syslogd_t syslogd_runtime_t:file map;
 files_pid_filetrans(syslogd_t, syslogd_runtime_t, file)
 allow syslogd_t syslogd_runtime_t:dir create_dir_perms;
 
+allow syslogd_t syslogd_runtime_t:sock_file { create setattr };
+
 kernel_read_crypto_sysctls(syslogd_t)
 kernel_read_system_state(syslogd_t)
 kernel_read_network_state(syslogd_t)
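Review bot: the new sock_file rule lands between the pid-file block and the kernel_* calls rather than beside the other syslogd_runtime_t rules it belongs with; move it up under the existing `manage_files_pattern(syslogd_t, syslogd_runtime_t, syslogd_runtime_t)` group and reword that group's comment, since a socket is not a pid file. Also, the two AVCs quoted in the message were captured with permissive=1 and only create and setattr were hit in that run; a daemon that removes and recreates its socket on restart will also need unlink, so check for further sock_file denials across a restart before treating `{ create setattr }` as the complete set.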


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2019-12-16 17:48 Jason Zaman
From: Jason Zaman @ 2019-12-16 17:48 UTC
  To: gentoo-commits

commit:     08399066fe5050acb5f9ffb23b0b5039d43ab741
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Mon Dec  2 13:47:19 2019 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Dec 16 13:13:11 2019 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=08399066

unconfined: Module version bump.

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/unconfined.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index c8723860..7790391e 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -1,4 +1,4 @@
-policy_module(unconfined, 3.13.1)
+policy_module(unconfined, 3.13.2)
 
 ########################################
 #


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2019-12-16 17:48 Jason Zaman
From: Jason Zaman @ 2019-12-16 17:48 UTC
  To: gentoo-commits

commit:     d2bfc0cfbd0a662aa22874a440e4138b5ad7cf48
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Nov 23 15:26:50 2019 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Dec 16 13:13:11 2019 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d2bfc0cf

logging: Reorder lines.

No rule change.

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/logging.te | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 0ac55531..7aa2bcd0 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -425,14 +425,12 @@ manage_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t)
 allow syslogd_t syslogd_var_lib_t:file map;
 files_search_var_lib(syslogd_t)
 
-# manage pid file
-manage_files_pattern(syslogd_t, syslogd_runtime_t, syslogd_runtime_t)
-allow syslogd_t syslogd_runtime_t:file map;
-
-files_pid_filetrans(syslogd_t, syslogd_runtime_t, file)
+# manage runtime files
 allow syslogd_t syslogd_runtime_t:dir create_dir_perms;
-
 allow syslogd_t syslogd_runtime_t:sock_file { create setattr };
+allow syslogd_t syslogd_runtime_t:file map;
+manage_files_pattern(syslogd_t, syslogd_runtime_t, syslogd_runtime_t)
+files_pid_filetrans(syslogd_t, syslogd_runtime_t, file)
 
 kernel_read_crypto_sysctls(syslogd_t)
 kernel_read_system_state(syslogd_t)


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2020-02-15  7:33 Jason Zaman
From: Jason Zaman @ 2020-02-15  7:33 UTC
  To: gentoo-commits

commit:     ee6fa61986a465420fe07823926a02ba076f04ce
Author:     Nicolas Iooss <nicolas.iooss <AT> m4x <DOT> org>
AuthorDate: Wed Jan 15 20:46:40 2020 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 15 07:32:05 2020 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ee6fa619

systemd: add an interface to use nss-systemd

systemd's Name Service Switch (NSS) module provides UNIX user and group
name resolution for dynamic users and groups allocated through options
such as DynamicUser= in systemd unit files, according to its man page,
https://github.com/systemd/systemd/blob/v244/man/nss-systemd.xml.

If systemd is compiled without NOLEGACY, commit
https://github.com/systemd/systemd/commit/24eccc3414a29a14b319d639531bd23c158b20e1
("nss-systemd,user-util: add a way how synthesizing "nobody" can be
turned off") implemented a way to tweak nss-systemd's behavior by
checking whether /etc/systemd/dont-synthesize-nobody exists. Allow this
access.

Signed-off-by: Nicolas Iooss <nicolas.iooss <AT> m4x.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/systemd.fc |  1 +
 policy/modules/system/systemd.if | 28 ++++++++++++++++++++++++++++
 policy/modules/system/systemd.te |  3 +++
 3 files changed, 32 insertions(+)

diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index c87311a6..4a873052 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -1,5 +1,6 @@
 /etc/\.updated				--	gen_context(system_u:object_r:systemd_update_run_t,s0)
 
+/etc/systemd/dont-synthesize-nobody	--	gen_context(system_u:object_r:systemd_conf_t,s0)
 /etc/udev/hwdb\.bin			--	gen_context(system_u:object_r:systemd_hwdb_t,s0)
 
 /usr/bin/systemd-analyze		--	gen_context(system_u:object_r:systemd_analyze_exec_t,s0)

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index a49b0f77..8f50e39e 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -79,6 +79,34 @@ interface(`systemd_log_parse_environment',`
 	typeattribute $1 systemd_log_parse_env_type;
 ')
 
+######################################
+## <summary>
+##   Allow domain to use systemd's Name Service Switch (NSS) module.
+##   This module provides UNIX user and group name resolution for dynamic users
+##   and groups allocated through the DynamicUser= option in systemd unit files
+## </summary>
+## <param name="domain">
+##   <summary>
+##     Domain allowed access
+##   </summary>
+## </param>
+#
+interface(`systemd_use_nss',`
+	gen_require(`
+		type systemd_conf_t;
+	')
+
+	# Get attributes of /etc/systemd/dont-synthesize-nobody
+	files_search_etc($1)
+	allow $1 systemd_conf_t:file getattr;
+
+	optional_policy(`
+		dbus_system_bus_client($1)
+		# For GetDynamicUser(), LookupDynamicUserByName()... of org.freedesktop.systemd1.Manager
+		init_dbus_chat($1)
+	')
+')
+
 ######################################
 ## <summary>
 ##   Allow domain to be used as a systemd service with a unit
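Review bot: the <summary> describes only NSS name resolution, but the interface also grants dbus_system_bus_client and init_dbus_chat, i.e. bidirectional D-Bus messaging with init_t, which is far broader than the GetDynamicUser()/LookupDynamicUserByName() methods named in the inline comment (SELinux cannot scope the grant to individual methods). State the D-Bus access in the summary so callers know what they pull in, and add the missing full stop after "unit files". Separately, `allow $1 systemd_conf_t:file getattr` covers every file of that type, not only /etc/systemd/dont-synthesize-nobody; that is harmless while systemd.fc labels a single file with it, but a comment noting the intent would help if systemd_conf_t is later applied more widely.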

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 1627e88e..e09bc338 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -58,6 +58,9 @@ init_system_domain(systemd_binfmt_t, systemd_binfmt_exec_t)
 type systemd_binfmt_unit_t;
 init_unit_file(systemd_binfmt_unit_t)
 
+type systemd_conf_t;
+files_config_file(systemd_conf_t)
+
 type systemd_gpt_generator_t;
 type systemd_gpt_generator_exec_t;
 init_system_domain(systemd_gpt_generator_t, systemd_gpt_generator_exec_t)


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2020-02-15  7:33 Jason Zaman
From: Jason Zaman @ 2020-02-15  7:33 UTC
  To: gentoo-commits

commit:     a69c4e9402dc854cf64ff6a927e0bfa52a24e87d
Author:     bauen1 <j2468h <AT> gmail <DOT> com>
AuthorDate: Sat Feb  1 21:18:25 2020 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 15 07:32:05 2020 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a69c4e94

systemd: remove whitespace

Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/systemd.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index f55294e3..ca2b49e3 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1021,7 +1021,7 @@ auth_use_nsswitch(systemd_resolved_t)
 
 files_watch_root_dirs(systemd_resolved_t)
 files_watch_runtime_dirs(systemd_resolved_t)
- 
+
 init_dgram_send(systemd_resolved_t)
 
 seutil_read_file_contexts(systemd_resolved_t)


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2020-02-15  7:33 Jason Zaman
From: Jason Zaman @ 2020-02-15  7:33 UTC
  To: gentoo-commits

commit:     775d44d3d90db169fb5816100b547ff8e462e0aa
Author:     Nicolas Iooss <nicolas.iooss <AT> m4x <DOT> org>
AuthorDate: Sun Jan 26 17:47:33 2020 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 15 07:32:05 2020 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=775d44d3

mount: label fusermount3 like fusermount

libfuse 3.0 renamed fusermount to fusermount3 in order to allow both
libfuse 2 and libfuse 3 to be installed together:
https://github.com/libfuse/libfuse/commit/695e45a4de50a9164766a7d73656b1afc9244a56

Signed-off-by: Nicolas Iooss <nicolas.iooss <AT> m4x.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/mount.fc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/mount.fc b/policy/modules/system/mount.fc
index 7352406c..1646054e 100644
--- a/policy/modules/system/mount.fc
+++ b/policy/modules/system/mount.fc
@@ -1,4 +1,5 @@
 /usr/bin/fusermount		--	gen_context(system_u:object_r:mount_exec_t,s0)
+/usr/bin/fusermount3		--	gen_context(system_u:object_r:mount_exec_t,s0)
 /usr/bin/mount(\.[^/]+)?	--	gen_context(system_u:object_r:mount_exec_t,s0)
 /usr/bin/umount(\.[^/]+)?	--	gen_context(system_u:object_r:mount_exec_t,s0)
 /usr/bin/zfs			--	gen_context(system_u:object_r:mount_exec_t,s0)


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2020-02-15  7:33 Jason Zaman
From: Jason Zaman @ 2020-02-15  7:33 UTC
  To: gentoo-commits

commit:     74f7c94c86d961659332a947e12d89bf2279c855
Author:     bauen1 <j2468h <AT> gmail <DOT> com>
AuthorDate: Sat Feb  1 20:47:29 2020 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 15 07:32:05 2020 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=74f7c94c

udev: remove console-setup

Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/udev.fc | 1 -
 policy/modules/system/udev.te | 1 -
 2 files changed, 2 deletions(-)

diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
index 61dec2e5..ad617ea3 100644
--- a/policy/modules/system/udev.fc
+++ b/policy/modules/system/udev.fc
@@ -40,7 +40,6 @@ ifdef(`distro_redhat',`
 /run/udev(/.*)?	gen_context(system_u:object_r:udev_runtime_t,s0)
 
 ifdef(`distro_debian',`
-/run/console-setup(/.*)?	gen_context(system_u:object_r:udev_runtime_t,s0)
 /run/xen-hotplug -d	gen_context(system_u:object_r:udev_runtime_t,s0)
 ')
 

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index d0228312..71d98fc8 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -86,7 +86,6 @@ manage_files_pattern(udev_t, udev_runtime_t, udev_runtime_t)
 manage_lnk_files_pattern(udev_t, udev_runtime_t, udev_runtime_t)
 manage_sock_files_pattern(udev_t, udev_runtime_t, udev_runtime_t)
 files_pid_filetrans(udev_t, udev_runtime_t, dir, "udev")
-files_pid_filetrans(udev_t, udev_runtime_t, dir, "console-setup")
 
 kernel_load_module(udev_t)
 kernel_read_system_state(udev_t)


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2020-02-15  7:33 Jason Zaman
From: Jason Zaman @ 2020-02-15  7:33 UTC
  To: gentoo-commits

commit:     75852c7f3ca62154b160b706219d74142e0272c8
Author:     bauen1 <j2468h <AT> gmail <DOT> com>
AuthorDate: Sat Feb  1 21:06:04 2020 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 15 07:32:05 2020 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=75852c7f

init: add interfaces for managing /run/systemd

Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/init.if | 55 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 55 insertions(+)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 260cdf7b..03538310 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1380,6 +1380,61 @@ interface(`init_list_pids',`
 	files_search_pids($1)
 ')
 
+######################################
+## <summary>
+##  Create symbolic links in the /run/systemd directory.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`init_manage_pid_symlinks', `
+	gen_require(`
+		type init_runtime_t;
+	')
+
+	allow $1 init_runtime_t:lnk_file create_lnk_file_perms;
+')
+
+######################################
+## <summary>
+##  Create and write files in the /run/systemd directory.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`init_create_write_pid_files', `
+	gen_require(`
+		type init_runtime_t;
+	')
+
+	allow $1 init_runtime_t:file { create_file_perms write };
+')
+
+######################################
+## <summary>
+##  Create, read, write, and delete
+##  directories in the /run/systemd directory.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`init_manage_pid_dirs', `
+	gen_require(`
+		type init_runtime_t;
+	')
+
+	manage_dirs_pattern($1, init_runtime_t, init_runtime_t)
+')
+
 ########################################
 ## <summary>
 ##	Create files in an init PID directory.
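Review bot: the name init_manage_pid_symlinks does not match what it grants: create_lnk_file_perms is only `{ create getattr }`, whereas "manage" in refpolicy naming means manage_lnk_file_perms (create, read, getattr, setattr, unlink, rename). Either rename it to init_create_pid_symlinks, which the <summary> ("Create symbolic links") already suggests, or grant manage_lnk_file_perms to match the name. Two style points for all three interfaces: refpolicy writes `interface(`name',`` with no space after the comma, and the doc comments in this file use a tab after `##` (compare "##	Create files in an init PID directory." in the trailing context) rather than two spaces. Finally, none of the three calls files_search_pids($1), so a caller needs a separate init_search_pids to reach /run/systemd at all; consider adding it inside each interface so they are usable on their own.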


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2020-02-15  7:33 Jason Zaman
From: Jason Zaman @ 2020-02-15  7:33 UTC
  To: gentoo-commits

commit:     89bbf2c9c184032df64ca304036fe8eb11d1f433
Author:     bauen1 <j2468h <AT> gmail <DOT> com>
AuthorDate: Thu Dec 19 21:26:41 2019 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 15 07:32:05 2020 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=89bbf2c9

systemd: add policy for systemd-fstab-generator

Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/systemd.fc |  1 +
 policy/modules/system/systemd.te | 25 +++++++++++++++++++++++++
 2 files changed, 26 insertions(+)

diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index 4a873052..518ca925 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -16,6 +16,7 @@
 /usr/bin/systemd-notify			--	gen_context(system_u:object_r:systemd_notify_exec_t,s0)
 
 # Systemd generators
+/usr/lib/systemd/system-generators/systemd-fstab-generator	    --	    gen_context(system_u:object_r:systemd_fstab_generator_exec_t,s0)
 /usr/lib/systemd/system-generators/systemd-gpt-auto-generator	    --	    gen_context(system_u:object_r:systemd_gpt_generator_exec_t,s0)
 
 /usr/lib/systemd/systemd-activate	--	gen_context(system_u:object_r:systemd_activate_exec_t,s0)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index ca2b49e3..4d906e5c 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -61,6 +61,10 @@ init_unit_file(systemd_binfmt_unit_t)
 type systemd_conf_t;
 files_config_file(systemd_conf_t)
 
+type systemd_fstab_generator_t;
+type systemd_fstab_generator_exec_t;
+init_system_domain(systemd_fstab_generator_t, systemd_fstab_generator_exec_t)
+
 type systemd_gpt_generator_t;
 type systemd_gpt_generator_exec_t;
 init_system_domain(systemd_gpt_generator_t, systemd_gpt_generator_exec_t)
@@ -267,6 +271,27 @@ files_read_etc_files(systemd_binfmt_t)
 
 fs_register_binary_executable_type(systemd_binfmt_t)
 
+#######################################
+#
+# fstab generator local policy
+#
+
+corecmd_search_bin(systemd_fstab_generator_t)
+
+files_read_etc_files(systemd_fstab_generator_t)
+files_search_pids(systemd_fstab_generator_t)
+
+fstools_exec(systemd_fstab_generator_t)
+
+init_create_write_pid_files(systemd_fstab_generator_t)
+init_manage_pid_dirs(systemd_fstab_generator_t)
+init_manage_pid_symlinks(systemd_fstab_generator_t)
+init_search_pids(systemd_fstab_generator_t)
+
+kernel_read_kernel_sysctls(systemd_fstab_generator_t)
+
+systemd_log_parse_environment(systemd_fstab_generator_t)
+
 #######################################
 #
 # GPT auto generator local policy
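Review bot: nothing in the commit or the hunk records why the generator needs each grant, and two deserve a line of justification: fstools_exec(systemd_fstab_generator_t) runs filesystem tools inside the generator's own domain rather than transitioning (fstools_domtrans is the usual choice when a transition is intended), and init_manage_pid_dirs plus init_manage_pid_symlinks give create and delete rights over every directory and symlink labelled init_runtime_t, not just what the generator writes. A short comment above each of these naming the file or operation it was observed for, as the AVC-driven commits in this thread do, would make the block reviewable later.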


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2020-02-15  7:33 Jason Zaman
From: Jason Zaman @ 2020-02-15  7:33 UTC
  To: gentoo-commits

commit:     06ffdce42c8c2e78d501d2f64db87468f53e4d55
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Jan 25 19:32:50 2020 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 15 07:32:05 2020 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=06ffdce4

userdomain: Module version bump.

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/userdomain.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 31f23be2..a9f8d3e6 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -1,4 +1,4 @@
-policy_module(userdomain, 4.18.3)
+policy_module(userdomain, 4.18.4)
 
 ########################################
 #


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2020-02-15  7:33 Jason Zaman
From: Jason Zaman @ 2020-02-15  7:33 UTC
  To: gentoo-commits

commit:     d372650e27df2987b357dea9a06b20972910452a
Author:     bauen1 <j2468h <AT> gmail <DOT> com>
AuthorDate: Sat Feb  8 15:16:14 2020 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 15 07:32:05 2020 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d372650e

init: split init_create_pid_files interface

Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/init.if    | 24 +++++++++++++++++++++---
 policy/modules/system/systemd.te |  3 ++-
 2 files changed, 23 insertions(+), 4 deletions(-)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 03538310..b1b6ca2d 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1400,7 +1400,7 @@ interface(`init_manage_pid_symlinks', `
 
 ######################################
 ## <summary>
-##  Create and write files in the /run/systemd directory.
+##  Create files in the /run/systemd directory.
 ## </summary>
 ## <param name="domain">
 ##  <summary>
@@ -1408,12 +1408,30 @@ interface(`init_manage_pid_symlinks', `
 ##  </summary>
 ## </param>
 #
-interface(`init_create_write_pid_files', `
+interface(`init_create_pid_files', `
 	gen_require(`
 		type init_runtime_t;
 	')
 
-	allow $1 init_runtime_t:file { create_file_perms write };
+	allow $1 init_runtime_t:file create_file_perms;
+')
+
+######################################
+## <summary>
+##  Write files in the /run/systemd directory.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`init_write_pid_files', `
+	gen_require(`
+		type init_runtime_t;
+	')
+
+	allow $1 init_runtime_t:file write_file_perms;
 ')
 
 ######################################

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index f0412af3..3edbc98e 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -283,10 +283,11 @@ files_search_pids(systemd_fstab_generator_t)
 
 fstools_exec(systemd_fstab_generator_t)
 
-init_create_write_pid_files(systemd_fstab_generator_t)
+init_create_pid_files(systemd_fstab_generator_t)
 init_manage_pid_dirs(systemd_fstab_generator_t)
 init_manage_pid_symlinks(systemd_fstab_generator_t)
 init_search_pids(systemd_fstab_generator_t)
+init_write_pid_files(systemd_fstab_generator_t)
 
 kernel_read_kernel_sysctls(systemd_fstab_generator_t)
 


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2020-02-15  7:33 Jason Zaman
From: Jason Zaman @ 2020-02-15  7:33 UTC
  To: gentoo-commits

commit:     5668039ba3897f9ca837387d67b039e51fe1e41b
Author:     Sugar, David <dsugar <AT> tresys <DOT> com>
AuthorDate: Wed Jan 22 12:35:42 2020 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 15 07:32:05 2020 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5668039b

audit daemon can halt system, allow this to happen.

auditd can halt the system for several reasons based on configuration.
These mostly revolve around audit partition full issues.  I am seeing
the following denials when attempting to halt the system.

Jan 12 03:38:48 localhost audispd: node=localhost type=USER_AVC msg=audit(1578800328.122:1943): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/poweroff.target" cmdline="/sbin/init 0" scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:power_unit_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
Jan 12 03:38:48 localhost audispd: node=localhost type=USER_AVC msg=audit(1578800328.147:1944): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/poweroff.target" cmdline="/sbin/init 0" scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:power_unit_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
Jan 12 04:44:54 localhost audispd: node=localhost type=AVC msg=audit(1578804294.103:1923): avc:  denied  { getattr } for  pid=6936 comm="systemctl" path="/run/systemd/system" dev="tmpfs" ino=45 scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=dir permissive=1

 v2 - use optional rather than ifdef
 v3 - fix order

Signed-off-by: Dave Sugar <dsugar <AT> tresys.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/logging.te |  6 ++++++
 policy/modules/system/systemd.if | 20 ++++++++++++++++++++
 2 files changed, 26 insertions(+)

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 19ef420f..d763b06e 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -231,6 +231,12 @@ optional_policy(`
 	seutil_sigchld_newrole(auditd_t)
 ')
 
+optional_policy(`
+	init_list_unit_dirs(auditd_t)
+	systemd_start_power_units(auditd_t)
+	systemd_status_power_units(auditd_t)
+')
+
 optional_policy(`
 	udev_read_db(auditd_t)
 ')
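Review bot: init_list_unit_dirs does not need the optional_policy guard: init is a base module in refpolicy and is always present, so only the two systemd_* calls belong inside the block, matching the existing pattern where the udev_read_db block below guards only udev. Also, the USER_AVC lines in the message show cmdline="/sbin/init 0", i.e. auditd execs init to halt; the hunk adds only the service start/status side, so confirm the exec and transition for that path are already covered rather than silently relying on permissive=1.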

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 8f50e39e..4dd26458 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -819,6 +819,26 @@ interface(`systemd_start_power_units',`
 	allow $1 power_unit_t:service start;
 ')
 
+########################################
+## <summary>
+##	Get the system status information about power units
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`systemd_status_power_units',`
+	gen_require(`
+		type power_unit_t;
+		class service status;
+	')
+
+	allow $1 power_unit_t:service status;
+')
+
+
 ########################################
 ## <summary>
 ##	Make the specified type usable for
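Review bot: there are two blank lines after the closing `')` of systemd_status_power_units where the rest of the file separates interfaces with one; drop the extra line. The summary "Get the system status information about power units" reads better as "Get the status of power units", which also matches the `service status` permission it grants.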


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2020-02-15  7:33 Jason Zaman
From: Jason Zaman @ 2020-02-15  7:33 UTC
  To: gentoo-commits

commit:     74cdafab2e96eedec3dc91926d38b8597bc70893
Author:     Sugar, David <dsugar <AT> tresys <DOT> com>
AuthorDate: Thu Jan 23 12:40:49 2020 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 15 07:32:05 2020 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=74cdafab

Allow systemd to getattr all files

Systemd has ConditionPath.*, ConditionFile.* and ConditionDir* which
are used to check various path/file/directory to control starting a
service.  But this requires getattr permissions on the types.
Example denials that fit the problem.

The first example is from lvm, when accessing its config file.

type=AVC msg=audit(1575427946.229:1624): avc:  denied  { getattr } for
pid=1 comm="systemd" path="/etc/lvm/lvm.conf" dev="dm-0" ino=51799
scontext=system_u:system_r:init_t:s0
tcontext=system_u:object_r:lvm_etc_t:s0 tclass=file permissive=0

This second example is from chronyd, but it is happening because I added
the conditional in a drop-in file.

type=AVC msg=audit(1575427959.882:1901): avc:  denied  { getattr } for
pid=1 comm="systemd" path="/etc/chrony.conf" dev="dm-0" ino=53824
scontext=system_u:system_r:init_t:s0
tcontext=system_u:object_r:chronyd_conf_t:s0 tclass=file permissive=1

v3 - rework to not use interface and allow getattr for all files

Signed-off-by: Dave Sugar <dsugar <AT> tresys.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/init.te | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 8417a003..1d060385 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -335,6 +335,11 @@ ifdef(`init_systemd',`
 	domain_subj_id_change_exemption(init_t)
 	domain_role_change_exemption(init_t)
 
+	files_getattr_all_dirs(init_t)
+	files_getattr_all_files(init_t)
+	files_getattr_all_pipes(init_t)
+	files_getattr_all_sockets(init_t)
+	files_read_all_symlinks(init_t)
 	files_read_all_pids(init_t)
 	files_list_usr(init_t)
 	files_list_var(init_t)
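Review bot: these five lines let init_t stat every file, directory, pipe and socket on the system and follow every symlink, and nothing in the hunk records why; add a comment above them naming the ConditionPath*/ConditionFile*/ConditionDir* checks from the commit message so a later reader does not mistake the block for a blanket loosening. getattr alone exposes only metadata (existence, size, mode, owner), so the risk is modest, but files_read_all_symlinks goes beyond what the two quoted AVCs justify, since both are getattr denials on regular files; if it is there so that condition paths through symlinks resolve, say so in the comment.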


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2020-02-15  7:33 Jason Zaman
From: Jason Zaman @ 2020-02-15  7:33 UTC
  To: gentoo-commits

commit:     7059410d97062ae4e1cb4bd4b9241a366cfd124e
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Feb  8 14:40:09 2020 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 15 07:32:05 2020 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7059410d

systemd: Whitespace fix.

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/systemd.if | 1 -
 1 file changed, 1 deletion(-)

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 4dd26458..917959d2 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -838,7 +838,6 @@ interface(`systemd_status_power_units',`
 	allow $1 power_unit_t:service status;
 ')
 
-
 ########################################
 ## <summary>
 ##	Make the specified type usable for


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2020-02-15  7:33 Jason Zaman
From: Jason Zaman @ 2020-02-15  7:33 UTC
  To: gentoo-commits

commit:     4a12cd615508f0a3624d6d10fb11390897a8e118
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Feb  8 14:40:51 2020 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 15 07:32:05 2020 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4a12cd61

init, logging, systemd: Module version bump.

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/init.te    | 2 +-
 policy/modules/system/logging.te | 2 +-
 policy/modules/system/systemd.te | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 1d060385..b06e258e 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 2.7.8)
+policy_module(init, 2.7.9)
 
 gen_require(`
 	class passwd rootok;

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index d763b06e..4f0fe091 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -1,4 +1,4 @@
-policy_module(logging, 1.30.6)
+policy_module(logging, 1.30.7)
 
 ########################################
 #

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 0c3fa6c1..f0412af3 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1,4 +1,4 @@
-policy_module(systemd, 1.8.13)
+policy_module(systemd, 1.8.14)
 
 #########################################
 #


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2020-10-13  3:02 Jason Zaman
From: Jason Zaman @ 2020-10-13  3:02 UTC
  To: gentoo-commits

commit:     18d959895e154d12737bf1dae892e7f9a06f7011
Author:     Antoine Tenart <antoine.tenart <AT> bootlin <DOT> com>
AuthorDate: Thu Aug 13 08:49:41 2020 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Oct 11 21:00:05 2020 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=18d95989

locallogin: allow login to get attributes of procfs

Fixes:
avc:  denied  { getattr } for  pid=88 comm="login" name="/" dev="proc"
ino=1 scontext=system_u:system_r:local_login_t
tcontext=system_u:object_r:proc_t tclass=filesystem permissive=1

Signed-off-by: Antoine Tenart <antoine.tenart <AT> bootlin.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/locallogin.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
index 0474c4ef..c0072289 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -59,6 +59,7 @@ kernel_read_system_state(local_login_t)
 kernel_read_kernel_sysctls(local_login_t)
 kernel_search_key(local_login_t)
 kernel_link_key(local_login_t)
+kernel_getattr_proc(local_login_t)
 
 corecmd_list_bin(local_login_t)
 # cjp: these are probably not needed:
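Review bot: Consider stating, in a comment above `kernel_getattr_proc` or in the commit message, what login does with statfs on /proc: the denial was captured with permissive=1, and a filesystem getattr on proc_t is often only a library probing mount types, in which case a dontaudit is the usual refpolicy answer. Allowing it is low risk, so this is mainly about documenting intent.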


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2020-10-13  3:02 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2020-10-13  3:02 UTC (permalink / raw
  To: gentoo-commits

commit:     6d822946c4c98fd62daf6095415a21866790ff95
Author:     Antoine Tenart <antoine.tenart <AT> bootlin <DOT> com>
AuthorDate: Thu Aug 13 12:08:37 2020 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Oct 11 21:14:40 2020 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6d822946

systemd: allow systemd-resolve to read in tmpfs

Fixes:
avc:  denied  { read } for  pid=76 comm="systemd-resolve" name="/"
dev="tmpfs" ino=651 scontext=system_u:system_r:systemd_resolved_t
tcontext=system_u:object_r:var_run_t tclass=dir permissive=1

Signed-off-by: Antoine Tenart <antoine.tenart <AT> bootlin.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/systemd.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index f58ad97d..b19a20ac 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1095,6 +1095,7 @@ auth_use_nsswitch(systemd_resolved_t)
 
 files_watch_root_dirs(systemd_resolved_t)
 files_watch_runtime_dirs(systemd_resolved_t)
+files_list_runtime(systemd_resolved_t)
 
 init_dgram_send(systemd_resolved_t)
 
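Review bot: `files_list_runtime` grants list_dir_perms on the root of /run (var_run_t), which is broader than a resolved-specific runtime directory; the AVC (name="/" on tmpfs) confirms that listing the top-level /run is what systemd-resolve does, so a comment saying why it enumerates /run would help the next reader. Also the new line breaks the loose alphabetical order of the `files_*` calls in this block: `files_list_runtime` belongs before `files_watch_root_dirs`.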


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2020-10-13  3:02 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2020-10-13  3:02 UTC (permalink / raw
  To: gentoo-commits

commit:     7e809e87c1da6253cba08a8d8603f78be8b52b64
Author:     Yi Zhao <yi.zhao <AT> windriver <DOT> com>
AuthorDate: Tue Sep 15 02:57:58 2020 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Oct 11 21:07:46 2020 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7e809e87

sysnet: allow dhcpcd to create socket file

dhcpcd needs to create a socket file under the /run/dhcpcd directory.

Fixes:
AVC avc:  denied  { create } for  pid=331 comm="dhcpcd" name="eth0.sock"
scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tcontext=system_u:object_r:dhcpc_runtime_t:s0 tclass=sock_file
permissive=0

AVC avc:  denied  { setattr } for  pid=331 comm="dhcpcd"
name="eth0.sock" dev="tmpfs" ino=19153
scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tcontext=system_u:object_r:dhcpc_runtime_t:s0 tclass=sock_file
permissive=0

AVC avc:  denied  { sendto } for  pid=331 comm="dhcpcd"
scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tclass=unix_dgram_socket permissive=0

Signed-off-by: Yi Zhao <yi.zhao <AT> windriver.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/sysnetwork.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 83389037..9099802e 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -62,6 +62,7 @@ allow dhcpc_t self:packet_socket create_socket_perms;
 allow dhcpc_t self:netlink_generic_socket create_socket_perms;
 allow dhcpc_t self:netlink_route_socket create_netlink_socket_perms;
 allow dhcpc_t self:rawip_socket create_socket_perms;
+allow dhcpc_t self:unix_dgram_socket { create_socket_perms sendto };
 
 allow dhcpc_t dhcp_etc_t:dir list_dir_perms;
 read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
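Review bot: Listing `sendto` explicitly next to `create_socket_perms` is needed here, since that permission set does not include sendto. The sendto AVC has scontext and tcontext both dhcpc_t, so a self rule is the exact fix and no `_dgram_send` interface toward another domain is required; it would still be worth a one-line comment saying the daemon sends to its own control socket.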
@@ -74,6 +75,7 @@ allow dhcpc_t dhcpc_state_t:file map;
 
 # create pid file
 manage_files_pattern(dhcpc_t, dhcpc_runtime_t, dhcpc_runtime_t)
+manage_sock_files_pattern(dhcpc_t, dhcpc_runtime_t, dhcpc_runtime_t)
 create_dirs_pattern(dhcpc_t, dhcpc_runtime_t, dhcpc_runtime_t)
 # Create /var/run/dhcpc directory (state directory), needed for /run/dhcpc
 # Gets done through the dhcpcd-hooks
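Review bot: The new `manage_sock_files_pattern` line sits under the `# create pid file` comment, which no longer describes it; add a comment for the control socket (the AVCs name eth0.sock with tcontext dhcpc_runtime_t). No `files_runtime_filetrans` for sock_file is needed because the tcontext in the AVC is already dhcpc_runtime_t, i.e. the socket is created inside the labelled /run/dhcpcd directory rather than directly in /run.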


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2020-10-13  3:02 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2020-10-13  3:02 UTC (permalink / raw
  To: gentoo-commits

commit:     8ea2a42f1a0d9051533a8d262f5487f44fa605ae
Author:     Antoine Tenart <antoine.tenart <AT> bootlin <DOT> com>
AuthorDate: Thu Aug 13 09:52:20 2020 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Oct 11 21:14:40 2020 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8ea2a42f

systemd: add extra systemd_generator_t rules

Fixes:

avc:  denied  { setfscreate } for  pid=41 comm="systemd-getty-g"
scontext=system_u:system_r:systemd_generator_t
tcontext=system_u:system_r:systemd_generator_t tclass=process
permissive=1

avc:  denied  { dac_override } for  pid=40 comm="systemd-fstab-g"
capability=1  scontext=system_u:system_r:systemd_generator_t
tcontext=system_u:system_r:systemd_generator_t tclass=capability
permissive=1

Signed-off-by: Antoine Tenart <antoine.tenart <AT> bootlin.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/systemd.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 14306447..d0a852a2 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -362,6 +362,8 @@ seutil_search_default_contexts(systemd_coredump_t)
 #
 
 allow systemd_generator_t self:fifo_file rw_fifo_file_perms;
+allow systemd_generator_t self:capability dac_override;
+allow systemd_generator_t self:process setfscreate;
 
 corecmd_getattr_bin_files(systemd_generator_t)
 
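Review bot: `dac_override` bypasses all file mode checks, and its AVC was captured in permissive mode from systemd-fstab-generator, which normally only needs to read /etc/fstab and /etc/crypttab; before allowing it, check whether the denial comes from a file with restrictive mode bits (then fixing the mode, or `dac_read_search` if only read access is involved, is narrower) or is spurious (then a dontaudit is the usual refpolicy treatment). `setfscreate` for the getty generator is plausible since it writes units under /run/systemd, but a short comment above each rule naming the generator that needs it would help, because `systemd_generator_t` is shared by all generators.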


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2020-10-13  3:02 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2020-10-13  3:02 UTC (permalink / raw
  To: gentoo-commits

commit:     3f53590de965cda81024db69cc574633de1693e0
Author:     Antoine Tenart <antoine.tenart <AT> bootlin <DOT> com>
AuthorDate: Thu Aug 13 09:08:43 2020 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Oct 11 21:00:05 2020 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3f53590d

logging: allow systemd-journal to write messages to the audit socket

Fixes:

avc:  denied  { nlmsg_write } for  pid=46 comm="systemd-journal"
scontext=system_u:system_r:syslogd_t
tcontext=system_u:system_r:syslogd_t tclass=netlink_audit_socket
permissive=1

avc:  denied  { nlmsg_write } for  pid=46 comm="systemd-journal"
scontext=system_u:system_r:syslogd_t
tcontext=system_u:system_r:syslogd_t tclass=netlink_audit_socket
permissive=1

Signed-off-by: Antoine Tenart <antoine.tenart <AT> bootlin.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/logging.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 39664307..820fc8d3 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -524,7 +524,7 @@ ifdef(`init_systemd',`
 	allow syslogd_t self:netlink_audit_socket connected_socket_perms;
 	allow syslogd_t self:capability2 audit_read;
 	allow syslogd_t self:capability { chown setgid setuid sys_ptrace };
-	allow syslogd_t self:netlink_audit_socket { getattr getopt read setopt write };
+	allow syslogd_t self:netlink_audit_socket { getattr getopt read setopt write nlmsg_write };
 
 	# remove /run/log/journal when switching to permanent storage
 	allow syslogd_t var_log_t:dir rmdir;
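Review bot: After this change there are two allow rules for `syslogd_t self:netlink_audit_socket` within four lines (`connected_socket_perms` at the top of the hunk and this explicit set); consider merging them into one rule. More importantly, `nlmsg_write` on the audit netlink socket permits sending audit control messages (changing audit configuration), not just reading audit records, so the commit message should say which journald operation needs it (the AVCs were gathered with permissive=1 and the same line is listed twice) and confirm it belongs only inside the `init_systemd` block, as placed here.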


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2020-10-13  3:02 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2020-10-13  3:02 UTC (permalink / raw
  To: gentoo-commits

commit:     7ee3081a194697c1ebcecff0c40290fa0f498267
Author:     Antoine Tenart <antoine.tenart <AT> bootlin <DOT> com>
AuthorDate: Fri Sep 18 14:29:41 2020 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Oct 11 21:14:40 2020 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7ee3081a

systemd: allow systemd-network to get attributes of fs

Fixes:

avc:  denied  { getattr } for  pid=57 comm="systemd-network" name="/"
dev="vda" ino=2 scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:fs_t tclass=filesystem permissive=0

Signed-off-by: Antoine Tenart <antoine.tenart <AT> bootlin.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/systemd.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index eb6f782f..f58ad97d 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -785,6 +785,7 @@ dev_write_kmsg(systemd_networkd_t)
 files_read_etc_files(systemd_networkd_t)
 files_watch_runtime_dirs(systemd_networkd_t)
 files_watch_root_dirs(systemd_networkd_t)
+fs_getattr_xattr_fs(systemd_networkd_t)
 
 auth_use_nsswitch(systemd_networkd_t)
 


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2020-10-13  3:02 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2020-10-13  3:02 UTC (permalink / raw
  To: gentoo-commits

commit:     e5975779e32d5337266c191163bbde851ee4bda9
Author:     Antoine Tenart <antoine.tenart <AT> bootlin <DOT> com>
AuthorDate: Thu Aug 13 10:08:03 2020 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Oct 11 21:14:40 2020 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e5975779

systemd: allow systemd-hwdb to search init runtime directories

Fixes:

avc:  denied  { search } for  pid=54 comm="systemd-hwdb" name="systemd"
dev="tmpfs" ino=664 scontext=system_u:system_r:systemd_hw_t
tcontext=system_u:object_r:init_runtime_t tclass=dir permissive=1

avc:  denied  { search } for  pid=54 comm="systemd-hwdb" name="systemd"
dev="tmpfs" ino=664 scontext=system_u:system_r:systemd_hw_t
tcontext=system_u:object_r:init_runtime_t tclass=dir permissive=1

Signed-off-by: Antoine Tenart <antoine.tenart <AT> bootlin.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/systemd.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index d0a852a2..eb6f782f 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -461,6 +461,7 @@ selinux_get_fs_mount(systemd_hw_t)
 selinux_use_status_page(systemd_hw_t)
 
 init_read_state(systemd_hw_t)
+init_search_runtime(systemd_hw_t)
 
 seutil_read_config(systemd_hw_t)
 seutil_read_file_contexts(systemd_hw_t)


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2020-10-13  3:02 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2020-10-13  3:02 UTC (permalink / raw
  To: gentoo-commits

commit:     b448dc10ff3432e236a94f80ba0c6d924e753953
Author:     Antoine Tenart <antoine.tenart <AT> bootlin <DOT> com>
AuthorDate: Thu Aug 13 09:36:54 2020 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Oct 11 21:00:05 2020 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b448dc10

sysnetwork: allow reading network configuration files

Fixes:

avc:  denied  { getattr } for  pid=55 comm="systemd-udevd"
path="/etc/systemd/network" dev="vda" ino=128
scontext=system_u:system_r:udev_t tcontext=system_u:object_r:net_conf_t
tclass=dir permissive=1

avc:  denied  { getattr } for  pid=55 comm="systemd-udevd"
path="/etc/systemd/network" dev="vda" ino=128
scontext=system_u:system_r:udev_t tcontext=system_u:object_r:net_conf_t
tclass=dir permissive=1

avc:  denied  { read } for  pid=55 comm="systemd-udevd" name="network"
dev="vda" ino=128 scontext=system_u:system_r:udev_t
tcontext=system_u:object_r:net_conf_t tclass=dir permissive=1

avc:  denied  { read } for  pid=55 comm="systemd-udevd" name="network"
dev="vda" ino=128 scontext=system_u:system_r:udev_t
tcontext=system_u:object_r:net_conf_t tclass=dir permissive=1

avc:  denied  { open } for  pid=55 comm="systemd-udevd"
path="/etc/systemd/network" dev="vda" ino=128
scontext=system_u:system_r:udev_t tcontext=system_u:object_r:net_conf_t
tclass=dir permissive=1

avc:  denied  { open } for  pid=55 comm="systemd-udevd"
path="/etc/systemd/network" dev="vda" ino=128
scontext=system_u:system_r:udev_t tcontext=system_u:object_r:net_conf_t
tclass=dir permissive=1

avc:  denied  { getattr } for  pid=59 comm="systemd-network"
path="/etc/systemd/network" dev="vda" ino=128
scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:net_conf_t tclass=dir permissive=1

avc:  denied  { read } for  pid=59 comm="systemd-network" name="network"
dev="vda" ino=128 scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:net_conf_t tclass=dir permissive=1

avc:  denied  { open } for  pid=59 comm="systemd-network"
path="/etc/systemd/network" dev="vda" ino=128
scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:net_conf_t tclass=dir permissive=1

avc:  denied  { search } for  pid=59 comm="systemd-network"
name="network" dev="vda" ino=128
scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:net_conf_t tclass=dir permissive=1

avc:  denied  { getattr } for  pid=55 comm="systemd-udevd"
path="/etc/systemd/network" dev="vda" ino=128
scontext=system_u:system_r:udev_t tcontext=system_u:object_r:net_conf_t
tclass=dir permissive=1

Signed-off-by: Antoine Tenart <antoine.tenart <AT> bootlin.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/sysnetwork.if | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
index 3e88974f..53cbbf7f 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -346,6 +346,8 @@ interface(`sysnet_read_config',`
 	')
 
 	files_search_etc($1)
+	files_search_runtime($1)
+	allow $1 net_conf_t:dir list_dir_perms;
 	allow $1 net_conf_t:file read_file_perms;
 
 	ifdef(`distro_debian',`
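Review bot: `files_search_runtime($1)` is not explained by any of the listed AVCs, which are all for /etc/systemd/network on dev="vda"; if it is there so callers can reach net_conf_t content under /run (for example a runtime network configuration directory), say so in the commit message or a comment, otherwise drop it. Note also that changing the interface rather than the two domains widens every caller of `sysnet_read_config`, not only udev_t and systemd_networkd_t from the AVCs; that is probably intended for a read interface, but worth stating.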


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2020-10-13  3:02 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2020-10-13  3:02 UTC (permalink / raw
  To: gentoo-commits

commit:     326c950e7b3c5e3ab77aff79f16e6440421f47ae
Author:     Antoine Tenart <antoine.tenart <AT> bootlin <DOT> com>
AuthorDate: Mon Aug 31 13:38:13 2020 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Oct 11 21:00:05 2020 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=326c950e

udev: allow udevadm to retrieve xattrs

Fixes:

avc:  denied  { getattr } for  pid=50 comm="udevadm" name="/" dev="vda"
ino=2 scontext=system_u:system_r:udevadm_t
tcontext=system_u:object_r:fs_t tclass=filesystem permissive=0

avc:  denied  { getattr } for  pid=52 comm="udevadm" name="/" dev="vda"
ino=2 scontext=system_u:system_r:udevadm_t
tcontext=system_u:object_r:fs_t tclass=filesystem permissive=0

Signed-off-by: Antoine Tenart <antoine.tenart <AT> bootlin.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/udev.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 49380fb2..2ef2337e 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -451,3 +451,5 @@ kernel_read_kernel_sysctls(udevadm_t)
 kernel_read_system_state(udevadm_t)
 
 seutil_read_file_contexts(udevadm_t)
+
+fs_getattr_xattr_fs(udevadm_t)
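Review bot: Ordering: the udevadm_t block lists the `kernel_*` calls and then `seutil_*`, and appending `fs_getattr_xattr_fs` at the very end breaks that alphabetical-by-module layout; place it after the `kernel_*` group and before `seutil_read_file_contexts`, keeping the blank line between groups. The permission itself matches the AVCs (filesystem getattr on fs_t, permissive=0), so no objection to the rule.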


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2020-10-13  3:02 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2020-10-13  3:02 UTC (permalink / raw
  To: gentoo-commits

commit:     fa247cca2d228e0eee5cc6c1cbf812a1dfd1adbb
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Fri Oct  9 13:42:31 2020 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Oct 11 21:14:40 2020 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=fa247cca

systemd: Move systemd-pstore block up in alphabetical order.

No rule change.

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/systemd.te | 46 ++++++++++++++++++++--------------------
 1 file changed, 23 insertions(+), 23 deletions(-)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index b7f25594..7acbc551 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1046,6 +1046,29 @@ optional_policy(`
 ')
 
 
+#########################################
+#
+# systemd-pstore local policy
+#
+
+dontaudit systemd_pstore_t self:capability net_admin;
+
+manage_files_pattern(systemd_pstore_t, systemd_pstore_var_lib_t, systemd_pstore_var_lib_t)
+
+files_read_etc_files(systemd_pstore_t)
+files_search_var_lib(systemd_pstore_t)
+
+fs_list_pstore_dirs(systemd_pstore_t)
+fs_read_pstore_files(systemd_pstore_t)
+fs_delete_pstore_files(systemd_pstore_t)
+
+init_search_run(systemd_pstore_t)
+init_list_var_lib_dirs(systemd_pstore_t)
+
+kernel_read_system_state(systemd_pstore_t)
+
+logging_send_syslog_msg(systemd_pstore_t)
+
 #######################################
 #
 # Rfkill local policy
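Review bot: Pure move: the 23 lines inserted here match the 23 lines removed in the second hunk, so "No rule change" holds. Two cosmetic points while this spot is being touched: the doubled blank line after `')` at the top of the hunk is preserved, and the `#` rule of the moved header is a different length from the Rfkill header directly below it; both predate this change but could be tidied.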
@@ -1428,26 +1451,3 @@ userdom_mounton_user_runtime_dirs(systemd_user_runtime_dir_t)
 userdom_relabelto_user_runtime_dirs(systemd_user_runtime_dir_t)
 
 dbus_system_bus_client(systemd_user_runtime_dir_t)
-
-#########################################
-#
-# systemd-pstore local policy
-#
-
-dontaudit systemd_pstore_t self:capability net_admin;
-
-manage_files_pattern(systemd_pstore_t, systemd_pstore_var_lib_t, systemd_pstore_var_lib_t)
-
-files_read_etc_files(systemd_pstore_t)
-files_search_var_lib(systemd_pstore_t)
-
-fs_list_pstore_dirs(systemd_pstore_t)
-fs_read_pstore_files(systemd_pstore_t)
-fs_delete_pstore_files(systemd_pstore_t)
-
-init_search_run(systemd_pstore_t)
-init_list_var_lib_dirs(systemd_pstore_t)
-
-kernel_read_system_state(systemd_pstore_t)
-
-logging_send_syslog_msg(systemd_pstore_t)


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2020-10-13  3:02 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2020-10-13  3:02 UTC (permalink / raw
  To: gentoo-commits

commit:     1fbd9f8a1e6432bf4eec1a77a6a4d652492c0b87
Author:     Antoine Tenart <antoine.tenart <AT> bootlin <DOT> com>
AuthorDate: Mon Oct  5 15:51:05 2020 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Oct 11 21:14:40 2020 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1fbd9f8a

systemd: allow systemd-network to list the runtime directory

Fixes:

avc:  denied  { read } for  pid=58 comm="systemd-network" name="/"
dev="tmpfs" ino=652 scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:var_run_t tclass=dir permissive=1

avc:  denied  { read } for  pid=58 comm="systemd-network" name="/"
dev="tmpfs" ino=652 scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:var_run_t tclass=dir permissive=1

Signed-off-by: Antoine Tenart <antoine.tenart <AT> bootlin.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/systemd.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index e1fc8fd4..b7f25594 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -794,6 +794,7 @@ dev_write_kmsg(systemd_networkd_t)
 files_read_etc_files(systemd_networkd_t)
 files_watch_runtime_dirs(systemd_networkd_t)
 files_watch_root_dirs(systemd_networkd_t)
+files_list_runtime(systemd_networkd_t)
 fs_getattr_xattr_fs(systemd_networkd_t)
 
 auth_use_nsswitch(systemd_networkd_t)
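Review bot: Same broad permission as the systemd_resolved change: `files_list_runtime` lists the root of /run (var_run_t), and the AVC (name="/" on tmpfs, listed twice in the message) confirms that is what systemd-network does. Acceptable, but the new line should go before `files_watch_root_dirs` to keep the `files_*` calls alphabetical, the way `fs_getattr_xattr_fs` already follows them.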


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2020-10-13  3:02 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2020-10-13  3:02 UTC (permalink / raw
  To: gentoo-commits

commit:     539cc57f78a7663ec8bad0d7c6ace4ae42115144
Author:     Antoine Tenart <antoine.tenart <AT> bootlin <DOT> com>
AuthorDate: Fri Sep 25 07:30:38 2020 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Oct 11 21:14:40 2020 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=539cc57f

systemd: allow systemd-getty-generator to read and write unallocated ttys

Fixes:

avc:  denied  { read write } for  pid=40 comm="systemd-getty-g"
name="ttyS0" dev="devtmpfs" ino=612
scontext=system_u:system_r:systemd_generator_t
tcontext=system_u:object_r:tty_device_t tclass=chr_file permissive=1

avc:  denied  { open } for  pid=40 comm="systemd-getty-g"
path="/dev/ttyS0" dev="devtmpfs" ino=612
scontext=system_u:system_r:systemd_generator_t
tcontext=system_u:object_r:tty_device_t tclass=chr_file permissive=1

avc:  denied  { ioctl } for  pid=40 comm="systemd-getty-g"
path="/dev/ttyS0" dev="devtmpfs" ino=612 ioctlcmd=0x5401
scontext=system_u:system_r:systemd_generator_t
tcontext=system_u:object_r:tty_device_t tclass=chr_file permissive=1

Signed-off-by: Antoine Tenart <antoine.tenart <AT> bootlin.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/systemd.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 495e9e08..e1fc8fd4 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -409,6 +409,8 @@ storage_raw_read_fixed_disk(systemd_generator_t)
 
 systemd_log_parse_environment(systemd_generator_t)
 
+term_use_unallocated_ttys(systemd_generator_t)
+
 optional_policy(`
 	fstools_exec(systemd_generator_t)
 ')
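Review bot: Add a comment above `term_use_unallocated_ttys` naming the getty generator and the reason: the AVCs show it opening /dev/ttyS0 read-write and issuing ioctl 0x5401 (TCGETS) to detect a serial console, and because `systemd_generator_t` is shared, this grants every generator read-write access to unallocated ttys. If a getattr/ioctl-only interface is enough for that detection it would be the narrower choice; otherwise this is acceptable.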


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2020-11-28 23:09 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2020-11-28 23:09 UTC (permalink / raw
  To: gentoo-commits

commit:     850672bdf4d432537c4a064319d1c1da05f67af6
Author:     Jonathan Davies <jpds <AT> protonmail <DOT> com>
AuthorDate: Tue Nov 17 03:46:25 2020 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Nov 28 22:56:08 2020 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=850672bd

init: Added fcontext for openrc-shutdown.

Signed-off-by: Jonathan Davies <jpds <AT> protonmail.com>
Signed-off-by: Jason Zaman <jason <AT> perfinion.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/init.fc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
index acf89af4..74fb8211 100644
--- a/policy/modules/system/init.fc
+++ b/policy/modules/system/init.fc
@@ -47,6 +47,7 @@ ifdef(`distro_gentoo', `
 /usr/lib/rc/init\.d(/.*)?		gen_context(system_u:object_r:initrc_state_t,s0)
 /usr/sbin/rc		--	gen_context(system_u:object_r:rc_exec_t,s0)
 /usr/sbin/openrc-init		--	gen_context(system_u:object_r:init_exec_t,s0)
+/usr/sbin/openrc-shutdown	--	gen_context(system_u:object_r:init_exec_t,s0)
 ')
 
 ifdef(`distro_redhat',`
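Review bot: Labelling openrc-shutdown as `init_exec_t` means executing it enters init_t for any domain with a transition on that type, the same as openrc-init itself; if openrc-shutdown is only a client that asks the running openrc-init to shut down, consider whether `rc_exec_t` (used for /usr/sbin/rc two lines above) or a dedicated type is the better fit, and state the intended transition in the commit message.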


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2020-11-28 23:09 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2020-11-28 23:09 UTC (permalink / raw
  To: gentoo-commits

commit:     63b316f5821e49c3f6b3e87a219af24e2bebab12
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Mon Nov  9 16:45:32 2020 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Nov 16 09:03:43 2020 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=63b316f5

lvm: Module version bump.

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/lvm.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index 58517502..9c281a51 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -1,4 +1,4 @@
-policy_module(lvm, 1.25.0)
+policy_module(lvm, 1.25.1)
 
 ########################################
 #


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2020-11-28 23:09 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2020-11-28 23:09 UTC (permalink / raw
  To: gentoo-commits

commit:     ef51b2e319e62e59306a8b44ed96d98e0de0dec4
Author:     Jonathan Davies <jpds <AT> protonmail <DOT> com>
AuthorDate: Tue Nov 17 03:46:24 2020 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Nov 28 22:56:01 2020 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ef51b2e3

init: Added fcontext for openrc-init.

Signed-off-by: Jonathan Davies <jpds <AT> protonmail.com>
Signed-off-by: Jason Zaman <jason <AT> perfinion.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/init.fc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
index eeeb32be..acf89af4 100644
--- a/policy/modules/system/init.fc
+++ b/policy/modules/system/init.fc
@@ -46,6 +46,7 @@ ifdef(`distro_gentoo',`
 ifdef(`distro_gentoo', `
 /usr/lib/rc/init\.d(/.*)?		gen_context(system_u:object_r:initrc_state_t,s0)
 /usr/sbin/rc		--	gen_context(system_u:object_r:rc_exec_t,s0)
+/usr/sbin/openrc-init		--	gen_context(system_u:object_r:init_exec_t,s0)
 ')
 
 ifdef(`distro_redhat',`


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2020-11-28 23:09 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2020-11-28 23:09 UTC (permalink / raw
  To: gentoo-commits

commit:     f5fb96b1a6cbde18dcf9bde9b29a84fb81acdb1e
Author:     Guido Trentalancia <guido <AT> trentalancia <DOT> com>
AuthorDate: Mon Nov  9 14:43:01 2020 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Nov 16 09:03:43 2020 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f5fb96b1

Add LVM module permissions needed to open cryptsetup devices.

Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/lvm.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index 23eaceb2..58517502 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -177,6 +177,8 @@ allow lvm_t self:netlink_kobject_uevent_socket create_socket_perms;
 allow lvm_t self:sem create_sem_perms;
 # gt: the following is for sockets in the AF_ALG namespace (userspace interface to the kernel Crypto API)
 allow lvm_t self:socket create_stream_socket_perms;
+# gt: the following allows opening cryptsetup devices
+allow lvm_t self:key { search write };
 
 allow lvm_t self:unix_stream_socket { connectto create_stream_socket_perms };
 allow lvm_t clvmd_t:unix_stream_socket { connectto rw_socket_perms };
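Review bot: `write` on self:key is what adding a key to the process keyring needs and `search` is needed to look it up again, which fits cryptsetup handing the volume key to dm-crypt through the kernel keyring; the comment would be clearer if it said that rather than just "opening cryptsetup devices". Also the commit subject lacks the `lvm:` module prefix the rest of this series uses.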


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2020-11-28 23:09 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2020-11-28 23:09 UTC (permalink / raw
  To: gentoo-commits

commit:     e5553f37a167cc7205e8550025fd2501ba7ed8b3
Author:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
AuthorDate: Tue Nov 17 03:46:22 2020 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Nov 28 22:55:51 2020 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e5553f37

getty: allow watching file /run/agetty.reload

avc:  denied  { watch } for  pid=2485 comm="agetty" path="/run/agetty.reload" dev="tmpfs" ino=22050 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:getty_runtime_t:s0 tclass=file permissive=0

Signed-off-by: Jason Zaman <jason <AT> perfinion.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/getty.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
index ce9e4ded..f9514c77 100644
--- a/policy/modules/system/getty.te
+++ b/policy/modules/system/getty.te
@@ -47,6 +47,7 @@ allow getty_t getty_log_t:file { append_file_perms create_file_perms setattr_fil
 logging_log_filetrans(getty_t, getty_log_t, file)
 
 allow getty_t getty_runtime_t:dir watch;
+allow getty_t getty_runtime_t:file watch;
 manage_files_pattern(getty_t, getty_runtime_t, getty_runtime_t)
 files_runtime_filetrans(getty_t, getty_runtime_t, file)
 


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2020-11-28 23:09 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2020-11-28 23:09 UTC (permalink / raw
  To: gentoo-commits

commit:     50ce02c8052e06fca2e8ec5ba6982effdf522d67
Author:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
AuthorDate: Tue Nov 17 03:46:28 2020 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Nov 28 22:56:14 2020 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=50ce02c8

systemd: make remaining dbus_* optional

Almost all calls to dbus_ interfaces were already optional; this makes
the remaining one optional_policy so that the modules can be installed /
upgraded more easily.

Signed-off-by: Jason Zaman <jason <AT> perfinion.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/systemd.te | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 74f3fc55..a08b83d5 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1450,4 +1450,6 @@ userdom_manage_user_runtime_dirs(systemd_user_runtime_dir_t)
 userdom_mounton_user_runtime_dirs(systemd_user_runtime_dir_t)
 userdom_relabelto_user_runtime_dirs(systemd_user_runtime_dir_t)
 
-dbus_system_bus_client(systemd_user_runtime_dir_t)
+optional_policy(`
+    dbus_system_bus_client(systemd_user_runtime_dir_t)
+')
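Review bot: the body of the new `optional_policy` block is indented with four spaces, while the rest of this file and the other hunks in this thread indent block bodies with a single tab (compare the distro_gentoo block in init.te); switch to a tab before merging. The wrapping itself is correct: `dbus_system_bus_client` is now only pulled in when the dbus module is present, which is what the commit message asks for.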


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2020-11-28 23:09 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2020-11-28 23:09 UTC
  To: gentoo-commits

commit:     47d0b1e01912604be4f030997d4946439e80b1ce
Author:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
AuthorDate: Tue Nov 17 03:46:26 2020 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Nov 28 22:56:10 2020 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=47d0b1e0

Add transition on gentoo init_t to openrc

Commit "init: replace call to init_domtrans_script"
(be231899f5c7f0882843942624dd268f99bab141 in upstream repo)
removed the call to init_domtrans_script which removed the openrc
domtrans. This adds it back directly in the distro_gentoo block.

Signed-off-by: Jason Zaman <jason <AT> perfinion.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/init.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index b52eaddb..6b2654fa 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -120,6 +120,7 @@ init_unit_file(systemd_unit_t)
 ifdef(`distro_gentoo',`
 	type rc_exec_t;
 	domain_entry_file(initrc_t, rc_exec_t)
+	domtrans_pattern(init_t, rc_exec_t, initrc_t)
 ')
 
 ifdef(`enable_mls',`
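Review bot: `domtrans_pattern(init_t, rc_exec_t, initrc_t)` expands to execute on rc_exec_t for init_t, the type_transition to initrc_t, and an entrypoint rule for initrc_t; the entrypoint part is already provided by `domain_entry_file(initrc_t, rc_exec_t)` on the line above, so the net addition is the execute-plus-transition for init_t, which matches the commit message. A one-line comment naming the upstream commit (be231899) that removed `init_domtrans_script` would tell the next reader why the Gentoo block carries its own domtrans.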


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2020-11-28 23:09 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2020-11-28 23:09 UTC
  To: gentoo-commits

commit:     46171c7e1b366ee26f62fcbceab9ea3c9f532628
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Tue Nov 17 03:46:27 2020 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Nov 28 22:56:12 2020 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=46171c7e

init: upstream fcontexts from gentoo policy

Signed-off-by: Jason Zaman <jason <AT> perfinion.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/init.fc | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
index 74fb8211..c8451701 100644
--- a/policy/modules/system/init.fc
+++ b/policy/modules/system/init.fc
@@ -44,8 +44,11 @@ ifdef(`distro_gentoo',`
 /usr/sbin/upstart	--	gen_context(system_u:object_r:init_exec_t,s0)
 
 ifdef(`distro_gentoo', `
+/usr/lib/rc/cache(/.*)?		gen_context(system_u:object_r:initrc_state_t,s0)
+/usr/lib/rc/console(/.*)?		gen_context(system_u:object_r:initrc_state_t,s0)
 /usr/lib/rc/init\.d(/.*)?		gen_context(system_u:object_r:initrc_state_t,s0)
-/usr/sbin/rc		--	gen_context(system_u:object_r:rc_exec_t,s0)
+/usr/sbin/rc			--	gen_context(system_u:object_r:rc_exec_t,s0)
+/usr/sbin/openrc		--	gen_context(system_u:object_r:rc_exec_t,s0)
 /usr/sbin/openrc-init		--	gen_context(system_u:object_r:init_exec_t,s0)
 /usr/sbin/openrc-shutdown	--	gen_context(system_u:object_r:init_exec_t,s0)
 ')
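Review bot: every spec added here (`/usr/lib/rc/cache`, `/usr/lib/rc/console`, `/usr/sbin/openrc`) still exists in the second distro_gentoo block lower in this file until the follow-up commit 4a0d8b56 removes it, so at this commit init.fc carries duplicate specs; squashing the two commits would avoid that intermediate state. The `/usr/sbin/rc` change is whitespace-only (tab alignment) and adds a diff line with no functional effect; fine, but worth a mention in the commit message.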
@@ -79,6 +82,9 @@ ifdef(`distro_debian',`
 
 ifdef(`distro_gentoo', `
 /var/lib/init\.d(/.*)?		gen_context(system_u:object_r:initrc_state_t,s0)
+/var/lib/ip6?tables(/.*)?	gen_context(system_u:object_r:initrc_tmp_t,s0)
+
+/run/openrc(/.*)?		gen_context(system_u:object_r:initrc_state_t,s0)
 /run/svscan\.pid	--	gen_context(system_u:object_r:initrc_runtime_t,s0)
 ')
 
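Review bot: `/var/lib/ip6?tables(/.*)?` is labelled `initrc_tmp_t`, a temporary-file type, while the persistent state directory on the line above (`/var/lib/init\.d`) and `/run/openrc` use `initrc_state_t`. If the iptables save files only need to be written by the init scripts, `initrc_state_t` is the consistent choice; if the tmp type is deliberate (it is carried over unchanged from the old Gentoo block), a comment saying why would stop the next reader from "fixing" it.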


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2020-11-29  0:05 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2020-11-29  0:05 UTC
  To: gentoo-commits

commit:     4a0d8b5637db7d64811d9cfe1d6746d2baf63150
Author:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
AuthorDate: Sat Nov 28 23:30:04 2020 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Nov 28 23:30:04 2020 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4a0d8b56

init: remove gentoo-specific rules that have been upstreamed

Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/init.fc | 20 --------------------
 1 file changed, 20 deletions(-)

diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
index c8451701..567bc960 100644
--- a/policy/modules/system/init.fc
+++ b/policy/modules/system/init.fc
@@ -95,23 +95,3 @@ ifdef(`distro_suse', `
 /run/setleds-on	--	gen_context(system_u:object_r:initrc_runtime_t,s0)
 /run/sysconfig(/.*)?	gen_context(system_u:object_r:initrc_runtime_t,s0)
 ')
-
-ifdef(`distro_gentoo',`
-#
-# /lib
-#
-/usr/lib/rc/console(/.*)?		gen_context(system_u:object_r:initrc_state_t,s0)
-/usr/lib/rc/cache(/.*)?		gen_context(system_u:object_r:initrc_state_t,s0)
-
-#
-# /sbin
-#
-/usr/sbin/openrc		--	gen_context(system_u:object_r:rc_exec_t,s0)
-
-#
-# /var
-#
-/var/lib/ip6?tables(/.*)?		gen_context(system_u:object_r:initrc_tmp_t,s0)
-
-/run/openrc(/.*)?			gen_context(system_u:object_r:initrc_state_t,s0)
-')
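Review bot: pure deduplication; each removed spec has an identical counterpart in the first distro_gentoo block added by 46171c7e (same paths, same contexts, including `initrc_tmp_t` for `/var/lib/ip6?tables`), so no labels change on disk. The `# /lib`, `# /sbin` and `# /var` section comments are dropped with the block; the surviving copies are not grouped that way, which is fine for five lines.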


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2021-01-11  1:27 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2021-01-11  1:27 UTC
  To: gentoo-commits

commit:     3d3ef68f377b443340c7e68a1e2c2cad729a6608
Author:     GalaxyMaster <galaxy4public <AT> users <DOT> noreply <DOT> github <DOT> com>
AuthorDate: Sun Nov  8 13:50:12 2020 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jan 10 20:28:34 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3d3ef68f

added policy for systemd-socket-proxyd

Signed-off-by: (GalaxyMaster) <galaxy4public <AT> users.noreply.github.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/init.if    |  5 +++-
 policy/modules/system/systemd.fc |  2 ++
 policy/modules/system/systemd.if | 18 ++++++++++++++
 policy/modules/system/systemd.te | 52 ++++++++++++++++++++++++++++++++++++++++
 4 files changed, 76 insertions(+), 1 deletion(-)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 540cd0c7..e3d50779 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -359,12 +359,15 @@ interface(`init_daemon_domain',`
 		init_domain($1, $2)
 
 		allow $1 init_t:unix_dgram_socket sendto;
+
+		optional_policy(`
+			systemd_connectto_socket_proxyd_unix_sockets($1)
+		')
 	')
 
 	optional_policy(`
 		nscd_use($1)
 	')
-
 ')
 
 ########################################
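Review bot: this grants `connectto` on systemd_socket_proxyd_t's unix stream sockets to every domain created through `init_daemon_domain`, not only to daemons that actually talk to a service through the proxy; the commit message should justify the blanket grant or the call should move to the daemons that need it. The removal of the blank line before `')` is an unrelated whitespace change that belongs in its own commit. The interface name also departs from the `*_stream_connect_*` pattern used by `init_stream_connect` in this same file (the rename in 9c35b59e later in this thread fixes that).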

diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index a998f42b..f88fdfb4 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -36,6 +36,7 @@
 /usr/lib/systemd/systemd-pstore		--	gen_context(system_u:object_r:systemd_pstore_exec_t,s0)
 /usr/lib/systemd/systemd-resolved	--	gen_context(system_u:object_r:systemd_resolved_exec_t,s0)
 /usr/lib/systemd/systemd-rfkill		--	gen_context(system_u:object_r:systemd_rfkill_exec_t,s0)
+/usr/lib/systemd/systemd-socket-proxyd	--	gen_context(system_u:object_r:systemd_socket_proxyd_exec_t,s0)
 /usr/lib/systemd/systemd-update-done	--	gen_context(system_u:object_r:systemd_update_done_exec_t,s0)
 /usr/lib/systemd/systemd-user-runtime-dir	--	gen_context(system_u:object_r:systemd_user_runtime_dir_exec_t,s0)
 /usr/lib/systemd/systemd-user-sessions	--	gen_context(system_u:object_r:systemd_sessions_exec_t,s0)
@@ -52,6 +53,7 @@
 /usr/lib/systemd/system/systemd-binfmt.*	--	gen_context(system_u:object_r:systemd_binfmt_unit_t,s0)
 /usr/lib/systemd/system/systemd-networkd.*		gen_context(system_u:object_r:systemd_networkd_unit_t,s0)
 /usr/lib/systemd/system/systemd-rfkill.*	--	gen_context(system_u:object_r:systemd_rfkill_unit_t,s0)
+/usr/lib/systemd/system/systemd-socket-proxyd\.service	--	gen_context(system_u:object_r:systemd_socket_proxyd_unit_file_t,s0)
 
 /var/\.updated				--	gen_context(system_u:object_r:systemd_update_run_t,s0)
 
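Review bot: the new unit type is named `systemd_socket_proxyd_unit_file_t`, while the three unit specs directly above it use `systemd_*_unit_t`; keep the existing convention. Those neighbours also match with `.*` so that the `.socket` or `.timer` unit of the same name gets the type, whereas this spec matches only `\.service`; since systemd-socket-proxyd is started from a socket unit, the `.socket` file would stay with the generic unit type.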

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index c8f33d51..9335d4a2 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -963,6 +963,24 @@ interface(`systemd_status_power_units',`
 	allow $1 power_unit_t:service status;
 ')
 
+########################################
+## <summary>
+##  Allows connections to the systemd-socket-proxyd's socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`systemd_connectto_socket_proxyd_unix_sockets', `
+	gen_require(`
+		type systemd_socket_proxyd_t;
+	')
+
+	allow $1 systemd_socket_proxyd_t:unix_stream_socket connectto;
+')
+
 ########################################
 ## <summary>
 ##	Make the specified type usable for
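Review bot: `connectto` on `unix_stream_socket` is checked with the connecting process as source and the domain of the listening socket as target, so this interface lets the caller connect to a listening unix socket labelled systemd_socket_proxyd_t (which is what a socket unit for the proxy produces); it does not cover the other direction, the proxy connecting onward to a backend's unix socket, which would need a rule with systemd_socket_proxyd_t as source. A caller of this interface also needs search on the socket's directory and write on the sock_file, neither of which is granted here (compare `systemd_stream_connect_userdb` elsewhere in this thread, which bundles them). Doc nit: the summary line is indented with two spaces where the rest of the file uses a tab.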

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 7caf94c9..cb4f4eea 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -29,6 +29,22 @@ gen_tunable(systemd_nspawn_labeled_namespace, false)
 ## </desc>
 gen_tunable(systemd_logind_get_bootloader, false)
 
+## <desc>
+## <p>
+## Allow systemd-socket-proxyd to bind any port instead of one labelled
+## with systemd_socket_proxyd_port_t.
+## </p>
+## </desc>
+gen_tunable(systemd_socket_proxyd_bind_any, false)
+
+## <desc>
+## <p>
+## Allow systemd-socket-proxyd to connect to any port instead of
+## labelled ones.
+## </p>
+## </desc>
+gen_tunable(systemd_socket_proxyd_connect_any, false)
+
 attribute systemd_log_parse_env_type;
 attribute systemd_tmpfiles_conf_type;
 attribute systemd_user_session_type;
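Review bot: the `<desc>` for `systemd_socket_proxyd_bind_any` says the default is a port "labelled with systemd_socket_proxyd_port_t", but this series only declares that type (`corenet_port` further down in systemd.te); per the diffstat, corenetwork is not touched and no port number is assigned to it. With both tunables left at `false` the proxy therefore cannot bind or connect anywhere until an administrator assigns ports with `semanage port`; either say so in both descriptions or ship a default port assignment.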
@@ -217,6 +233,16 @@ files_runtime_file(systemd_sessions_runtime_t)
 init_daemon_runtime_file(systemd_sessions_runtime_t, dir, "systemd_sessions")
 init_mountpoint(systemd_sessions_runtime_t)
 
+type systemd_socket_proxyd_t;
+type systemd_socket_proxyd_exec_t;
+init_daemon_domain(systemd_socket_proxyd_t, systemd_socket_proxyd_exec_t)
+
+type systemd_socket_proxyd_port_t;
+corenet_port(systemd_socket_proxyd_port_t)
+
+type systemd_socket_proxyd_unit_file_t;
+init_unit_file(systemd_socket_proxyd_unit_file_t)
+
 type systemd_sysusers_t;
 type systemd_sysusers_exec_t;
 init_system_domain(systemd_sysusers_t, systemd_sysusers_exec_t)
@@ -1147,6 +1173,32 @@ optional_policy(`
 	dbus_watch_system_bus_runtime_named_sockets(systemd_resolved_t)
 ')
 
+#########################################
+#
+# Socket-proxyd local policy
+#
+
+allow systemd_socket_proxyd_t self:unix_dgram_socket { create create_socket_perms getopt setopt sendto read write };
+allow systemd_socket_proxyd_t self:tcp_socket accept;
+
+kernel_read_system_state(systemd_socket_proxyd_t)
+
+auth_use_nsswitch(systemd_socket_proxyd_t)
+sysnet_dns_name_resolve(systemd_socket_proxyd_t)
+
+tunable_policy(`systemd_socket_proxyd_bind_any',`
+ corenet_tcp_bind_all_ports(systemd_socket_proxyd_t)
+',`
+ allow systemd_socket_proxyd_t systemd_socket_proxyd_port_t:tcp_socket name_bind;
+')
+
+tunable_policy(`systemd_socket_proxyd_connect_any',`
+ corenet_tcp_connect_all_ports(systemd_socket_proxyd_t)
+',`
+ allow systemd_socket_proxyd_t systemd_socket_proxyd_port_t:tcp_socket name_connect;
+')
+
+
 #########################################
 #
 # Sessions local policy
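Review bot: in the first `allow`, `create`, `getopt`, `setopt`, `read` and `write` are all already members of `create_socket_perms`, so the set reduces to `{ create_socket_perms sendto }`. More importantly, `self:tcp_socket accept` is the only tcp_socket permission on self: that covers accepting on the listening socket passed in by systemd, but the forwarding side has to create and connect its own socket, and `corenet_tcp_connect_all_ports` / `name_connect` only satisfy the port-type check. Unless the outbound socket is also inherited, add `create_stream_socket_perms` on `self:tcp_socket` (and `self:unix_stream_socket` plus a `connectto` rule if unix backends are in scope), or note which AVCs were tested. Style: the bodies of the two `tunable_policy` blocks are indented with one space instead of a tab and the section ends with two blank lines; both are cleaned up by a later whitespace commit in this thread and could be folded in here.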


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2021-01-11  1:27 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2021-01-11  1:27 UTC
  To: gentoo-commits

commit:     f3249bbaff9ae98c9b741ad362fd4ed8e9b7deba
Author:     bauen1 <j2468h <AT> gmail <DOT> com>
AuthorDate: Thu Jun  4 15:45:35 2020 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jan 10 20:28:34 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f3249bba

authlogin: connect to userdb

Signed-off-by: bauen1 <j2468h <AT> gmail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/authlogin.te |  4 ++++
 policy/modules/system/init.if      | 19 +++++++++++++++++++
 policy/modules/system/systemd.if   | 21 +++++++++++++++++++++
 3 files changed, 44 insertions(+)

diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index d6931831..7692abb6 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -426,6 +426,10 @@ files_read_etc_files(nsswitch_domain)
 
 sysnet_dns_name_resolve(nsswitch_domain)
 
+ifdef(`init_systemd', `
+	systemd_stream_connect_userdb(nsswitch_domain)
+')
+
 tunable_policy(`authlogin_nsswitch_use_ldap',`
 	miscfiles_read_generic_certs(nsswitch_domain)
 	sysnet_use_ldap(nsswitch_domain)
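Review bot: `nsswitch_domain` is an attribute carried by every domain that calls `auth_use_nsswitch` (systemd-logind joins it in this same series), so this one line hands the userdb connect, including `connectto` on init_t unix stream sockets via `init_unix_stream_socket_connectto`, to a large set of domains at once. That is consistent with how `sysnet_dns_name_resolve` is granted just above, but the commit message should say that this is the intended scope. Guarding with `ifdef(init_systemd)` instead of `optional_policy` matches how init.te calls the systemd interfaces elsewhere in this thread.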

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index ff8f7db7..540cd0c7 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -923,6 +923,25 @@ interface(`init_stream_connect',`
 	allow $1 init_t:unix_stream_socket getattr;
 ')
 
+########################################
+## <summary>
+##	Connect to init with a unix socket.
+##  Without any additional permissions.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_unix_stream_socket_connectto',`
+	gen_require(`
+		type init_t;
+	')
+
+	allow $1 init_t:unix_stream_socket connectto;
+')
+
 ########################################
 ## <summary>
 ##	Inherit and use file descriptors from init.
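Review bot: the summary "Connect to init with a unix socket. Without any additional permissions." is a fragment; one sentence such as "Connect to init_t unix stream sockets (connectto only, no socket file access)" states what distinguishes it from `init_stream_connect` above. The two summary lines also mix a tab and two spaces of indentation.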

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 895437e7..c8f33d51 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -462,6 +462,27 @@ interface(`systemd_manage_userdb_runtime_sock_files', `
 	manage_sock_files_pattern($1, systemd_userdb_runtime_t, systemd_userdb_runtime_t)
 ')
 
+########################################
+## <summary>
+##  Connect to /run/systemd/userdb/io.systemd.DynamicUser .
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`systemd_stream_connect_userdb', `
+	gen_require(`
+		type systemd_userdb_runtime_t;
+	')
+
+	init_search_runtime($1)
+	allow $1 systemd_userdb_runtime_t:dir list_dir_perms;
+	allow $1 systemd_userdb_runtime_t:sock_file write_sock_file_perms;
+	init_unix_stream_socket_connectto($1)
+')
+
 ########################################
 ## <summary>
 ##	Allow reading /run/systemd/machines
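Review bot: the summary names a single socket, `/run/systemd/userdb/io.systemd.DynamicUser`, but the rules cover every sock_file under `systemd_userdb_runtime_t` plus `list_dir_perms` on the directory; userdb clients enumerate the directory to find all providers, so that is probably intended, and the summary should describe the directory rather than one socket. The bigger caveat is `init_unix_stream_socket_connectto($1)`: `connectto` is checked against the domain of the listening socket, and since init_t creates the userdb sockets the rule unavoidably also covers every other unix stream socket init_t listens on. That cannot be scoped by path, so the rule is the right one, but a comment in the interface saying so would prevent it being "tightened" later.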


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2021-01-11  1:27 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2021-01-11  1:27 UTC
  To: gentoo-commits

commit:     2680ffc26669f64ce26926ef92390e269be44476
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Tue Dec  8 20:09:27 2020 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jan 10 21:52:17 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2680ffc2

userdomain: Fix error in calling userdom_xdg_user_template().

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/userdomain.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 4c902bff..15b35ed9 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1208,7 +1208,7 @@ template(`userdom_unpriv_user_template', `
 	')
 
 	# Allow users to manage xdg content in their home directories
-	userdom_xdg_user_template($1_t)
+	userdom_xdg_user_template($1)
 
 	# Allow users to run TCP servers (bind to ports and accept connection from
 	# the same domain and outside users) disabling this forces FTP passive mode


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2021-01-11  1:27 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2021-01-11  1:27 UTC
  To: gentoo-commits

commit:     dcc7ffbda78667ac473155403b242ada69e47267
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Thu Dec  3 14:37:02 2020 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jan 10 21:52:17 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=dcc7ffbd

systemd: Whitespace changes.

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/systemd.te | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index cb4f4eea..a5c247f5 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1184,21 +1184,21 @@ allow systemd_socket_proxyd_t self:tcp_socket accept;
 kernel_read_system_state(systemd_socket_proxyd_t)
 
 auth_use_nsswitch(systemd_socket_proxyd_t)
+
 sysnet_dns_name_resolve(systemd_socket_proxyd_t)
 
 tunable_policy(`systemd_socket_proxyd_bind_any',`
- corenet_tcp_bind_all_ports(systemd_socket_proxyd_t)
+	corenet_tcp_bind_all_ports(systemd_socket_proxyd_t)
 ',`
- allow systemd_socket_proxyd_t systemd_socket_proxyd_port_t:tcp_socket name_bind;
+	allow systemd_socket_proxyd_t systemd_socket_proxyd_port_t:tcp_socket name_bind;
 ')
 
 tunable_policy(`systemd_socket_proxyd_connect_any',`
- corenet_tcp_connect_all_ports(systemd_socket_proxyd_t)
+	corenet_tcp_connect_all_ports(systemd_socket_proxyd_t)
 ',`
- allow systemd_socket_proxyd_t systemd_socket_proxyd_port_t:tcp_socket name_connect;
+	allow systemd_socket_proxyd_t systemd_socket_proxyd_port_t:tcp_socket name_connect;
 ')
 
-
 #########################################
 #
 # Sessions local policy


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2021-01-11  1:27 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2021-01-11  1:27 UTC
  To: gentoo-commits

commit:     3ade4a4cd4dc06c396551819217ea2acca169ea0
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Fri Dec  4 18:32:57 2020 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jan 10 21:52:17 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3ade4a4c

init, systemd: Module version bump.

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/init.te    | 2 +-
 policy/modules/system/systemd.te | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index e2cca47e..06076e0a 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 2.9.3)
+policy_module(init, 2.9.4)
 
 gen_require(`
 	class passwd rootok;

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index a5c247f5..7a19b151 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1,4 +1,4 @@
-policy_module(systemd, 1.10.5)
+policy_module(systemd, 1.10.6)
 
 #########################################
 #


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2021-01-11  1:27 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2021-01-11  1:27 UTC
  To: gentoo-commits

commit:     aff86b0b1ed6e51a76399f7af56b84e4f620026a
Author:     bauen1 <j2468h <AT> gmail <DOT> com>
AuthorDate: Thu Jun  4 16:41:21 2020 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jan 10 20:28:34 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=aff86b0b

systemd-logind: utilize nsswitch

Signed-off-by: bauen1 <j2468h <AT> gmail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/systemd.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index dfc259df..7caf94c9 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -567,7 +567,6 @@ dev_setattr_video_dev(systemd_logind_t)
 
 domain_obj_id_change_exemption(systemd_logind_t)
 
-files_read_etc_files(systemd_logind_t)
 files_search_runtime(systemd_logind_t)
 
 fs_getattr_cgroup(systemd_logind_t)
@@ -591,6 +590,7 @@ term_setattr_unallocated_ttys(systemd_logind_t)
 term_use_unallocated_ttys(systemd_logind_t)
 
 auth_manage_faillog(systemd_logind_t)
+auth_use_nsswitch(systemd_logind_t)
 
 init_dbus_send_script(systemd_logind_t)
 init_get_all_units_status(systemd_logind_t)
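Review bot: the removal of `files_read_etc_files(systemd_logind_t)` in the previous hunk is covered by this line, since `auth_use_nsswitch` adds the domain to `nsswitch_domain`, which already carries `files_read_etc_files` (visible in the authlogin.te hunk header earlier in this thread). The attribute also brings `sysnet_dns_name_resolve` and, with this series, `systemd_stream_connect_userdb`, so logind gains DNS resolution and the userdb connect in the same step; the commit message should mention both rather than only "utilize nsswitch".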


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2021-01-11  1:27 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2021-01-11  1:27 UTC
  To: gentoo-commits

commit:     ef96877e219bdf1be92dee4f4f7b1897073218f8
Author:     bauen1 <j2468h <AT> gmail <DOT> com>
AuthorDate: Thu Jun  4 08:30:19 2020 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jan 10 20:28:34 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ef96877e

systemd: private type for /run/systemd/userdb

Signed-off-by: bauen1 <j2468h <AT> gmail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/init.te    |  3 +++
 policy/modules/system/systemd.fc |  1 +
 policy/modules/system/systemd.if | 56 ++++++++++++++++++++++++++++++++++++++++
 policy/modules/system/systemd.te |  3 +++
 4 files changed, 63 insertions(+)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 9f9b78b0..e2cca47e 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -469,6 +469,9 @@ ifdef(`init_systemd',`
 	systemd_list_tmpfiles_conf(init_t)
 	systemd_relabelto_tmpfiles_conf_dirs(init_t)
 	systemd_relabelto_tmpfiles_conf_files(init_t)
+	systemd_manage_userdb_runtime_sock_files(init_t)
+	systemd_manage_userdb_runtime_dirs(init_t)
+	systemd_filetrans_userdb_runtime_dirs(init_t)
 	systemd_relabelto_journal_dirs(init_t)
 	systemd_relabelto_journal_files(init_t)
 
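Review bot: ordering nit: the three userdb calls are inserted between the tmpfiles and journal `systemd_relabelto_*` lines, and `systemd_manage_userdb_runtime_sock_files` comes before `systemd_manage_userdb_runtime_dirs`, reversing the dirs-then-files order the surrounding calls use; grouping them as dirs, sock_files, filetrans after the existing block keeps the list scannable. The set itself is right: init_t creates the directory (filetrans) and the socket files inside it (manage sock_files).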

diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index 34637068..a998f42b 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -70,6 +70,7 @@
 /run/systemd/seats(/.*)?	gen_context(system_u:object_r:systemd_sessions_runtime_t,s0)
 /run/systemd/sessions(/.*)?	gen_context(system_u:object_r:systemd_sessions_runtime_t,s0)
 /run/systemd/users(/.*)?	gen_context(system_u:object_r:systemd_logind_runtime_t,s0)
+/run/systemd/userdb(/.*)?	gen_context(system_u:object_r:systemd_userdb_runtime_t,s0)
 /run/systemd/inhibit(/.*)?	gen_context(system_u:object_r:systemd_logind_inhibit_runtime_t,s0)
 /run/systemd/nspawn(/.*)?	gen_context(system_u:object_r:systemd_nspawn_runtime_t,s0)
 /run/systemd/machines(/.*)?	gen_context(system_u:object_r:systemd_machined_runtime_t,s0)

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 262c26d1..895437e7 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -426,6 +426,42 @@ interface(`systemd_signull_logind',`
 	allow $1 systemd_logind_t:process signull;
 ')
 
+########################################
+## <summary>
+##  Manage systemd userdb runtime directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`systemd_manage_userdb_runtime_dirs', `
+	gen_require(`
+		type systemd_userdb_runtime_t;
+	')
+
+	manage_dirs_pattern($1, systemd_userdb_runtime_t, systemd_userdb_runtime_t)
+')
+
+########################################
+## <summary>
+##  Manage socket files under /run/systemd/userdb .
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`systemd_manage_userdb_runtime_sock_files', `
+	gen_require(`
+		type systemd_userdb_runtime_t;
+	')
+
+	manage_sock_files_pattern($1, systemd_userdb_runtime_t, systemd_userdb_runtime_t)
+')
+
 ########################################
 ## <summary>
 ##	Allow reading /run/systemd/machines
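Review bot: both new interfaces indent their `<summary>` text with two spaces while the `<param>` summaries directly below them, and the rest of the file, use a tab; pick one. Functionally these are the minimal pair for init_t: `manage_dirs_pattern` and `manage_sock_files_pattern` on the private type, with no `init_search_runtime`, so any other caller must already have search on /run/systemd.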
@@ -528,6 +564,26 @@ interface(`systemd_filetrans_passwd_runtime_dirs',`
 	init_runtime_filetrans($1, systemd_passwd_runtime_t, dir, "ask-password")
 ')
 
+########################################
+## <summary>
+##  Transition to systemd_userdb_runtime_t when
+##  creating the userdb directory inside an init runtime
+##  directory.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`systemd_filetrans_userdb_runtime_dirs', `
+	gen_require(`
+		type systemd_userdb_runtime_t;
+	')
+
+	init_runtime_filetrans($1, systemd_userdb_runtime_t, dir, "userdb")
+')
+
 ######################################
 ## <summary>
 ##  Allow to domain to create systemd-passwd symlink
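Review bot: this interface is what makes the private type take effect at boot: without `init_runtime_filetrans(..., dir, "userdb")` the directory init_t creates under /run/systemd would inherit the parent's type and the new file-context spec would only apply after a relabel, so it is correct that init.te calls it alongside the manage interfaces. The doc block uses two-space indentation throughout, differing from both neighbours.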

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index b6e508eb..dfc259df 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -249,6 +249,9 @@ init_system_domain(systemd_user_runtime_dir_t, systemd_user_runtime_dir_exec_t)
 type systemd_user_tmpfs_t;
 userdom_user_tmpfs_file(systemd_user_tmpfs_t)
 
+type systemd_userdb_runtime_t;
+files_runtime_file(systemd_userdb_runtime_t)
+
 #
 # Unit file types
 #


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2021-01-11  1:27 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2021-01-11  1:27 UTC
  To: gentoo-commits

commit:     9c35b59e9b72544877ec8d341bdde55423d0b7da
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Thu Dec  3 14:37:29 2020 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jan 10 21:52:17 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9c35b59e

systemd: Rename systemd_connectto_socket_proxyd_unix_sockets() to systemd_stream_connect_socket_proxyd().

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/init.if    | 2 +-
 policy/modules/system/systemd.if | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index e3d50779..7f37e6cb 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -361,7 +361,7 @@ interface(`init_daemon_domain',`
 		allow $1 init_t:unix_dgram_socket sendto;
 
 		optional_policy(`
-			systemd_connectto_socket_proxyd_unix_sockets($1)
+			systemd_stream_connect_socket_proxyd($1)
 		')
 	')
 

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 9335d4a2..ffbdd6d1 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -973,7 +973,7 @@ interface(`systemd_status_power_units',`
 ##	</summary>
 ## </param>
 #
-interface(`systemd_connectto_socket_proxyd_unix_sockets', `
+interface(`systemd_stream_connect_socket_proxyd', `
 	gen_require(`
 		type systemd_socket_proxyd_t;
 	')


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2021-01-11  1:27 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2021-01-11  1:27 UTC
  To: gentoo-commits

commit:     06fde63185dca6b4f960f0cc1c53d4e24055fec3
Author:     Chris PeBenito <chpebeni <AT> linux <DOT> microsoft <DOT> com>
AuthorDate: Tue Jan 21 18:25:32 2020 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jan 10 21:52:17 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=06fde631

systemd: Add systemd-tty-ask watch for /run/systemd/ask-password.

Signed-off-by: Chris PeBenito <chpebeni <AT> linux.microsoft.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/systemd.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 7a19b151..9c210947 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1023,6 +1023,7 @@ allow systemd_passwd_agent_t self:capability { chown sys_tty_config dac_override
 allow systemd_passwd_agent_t self:process { setfscreate setsockcreate signal };
 allow systemd_passwd_agent_t self:unix_dgram_socket create_socket_perms;
 
+allow systemd_passwd_agent_t systemd_passwd_var_run_t:dir watch;
 manage_dirs_pattern(systemd_passwd_agent_t, systemd_passwd_runtime_t, systemd_passwd_runtime_t)
 manage_files_pattern(systemd_passwd_agent_t, systemd_passwd_runtime_t, systemd_passwd_runtime_t)
 manage_sock_files_pattern(systemd_passwd_agent_t, systemd_passwd_runtime_t, systemd_passwd_runtime_t)
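Review bot: the new rule names `systemd_passwd_var_run_t` while the three `manage_*_pattern` lines directly below it use `systemd_passwd_runtime_t`; if the `_var_run_t` name survives only as a typealias the rule compiles, but mixing the two names in adjacent lines is confusing and will break the day the alias is dropped. Use `systemd_passwd_runtime_t`.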


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2021-01-11  1:27 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2021-01-11  1:27 UTC
  To: gentoo-commits

commit:     9dfb39340ecb9c520110abd96c70388f09851000
Author:     Daniel Burgener <Daniel.Burgener <AT> microsoft <DOT> com>
AuthorDate: Fri Dec 11 18:22:42 2020 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jan 10 21:52:17 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9dfb3934

Allow systemd-ask-password to watch files

On systems that use plymouth, systemd-ask-password may set watches on
the contents of /run/systemd/ask-password, whereas other scenarios only
set a watch on the parent directory.

Signed-off-by: Daniel Burgener <Daniel.Burgener <AT> microsoft.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/systemd.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 9c210947..2eac4fa5 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1023,7 +1023,7 @@ allow systemd_passwd_agent_t self:capability { chown sys_tty_config dac_override
 allow systemd_passwd_agent_t self:process { setfscreate setsockcreate signal };
 allow systemd_passwd_agent_t self:unix_dgram_socket create_socket_perms;
 
-allow systemd_passwd_agent_t systemd_passwd_var_run_t:dir watch;
+allow systemd_passwd_agent_t systemd_passwd_var_run_t:{ dir file } watch;
 manage_dirs_pattern(systemd_passwd_agent_t, systemd_passwd_runtime_t, systemd_passwd_runtime_t)
 manage_files_pattern(systemd_passwd_agent_t, systemd_passwd_runtime_t, systemd_passwd_runtime_t)
 manage_sock_files_pattern(systemd_passwd_agent_t, systemd_passwd_runtime_t, systemd_passwd_runtime_t)
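Review bot: the changed rule keeps the alias systemd_passwd_var_run_t while the three manage_*_pattern calls directly below it use the primary name systemd_passwd_runtime_t; since the line is being touched anyway, switch it to `allow systemd_passwd_agent_t systemd_passwd_runtime_t:{ dir file } watch;` so the block is consistent and the alias can be retired later. Adding watch on the files themselves is the minimal change for the plymouth case described in the message; no other permission is widened.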


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2021-01-11  1:27 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2021-01-11  1:27 UTC (permalink / raw
  To: gentoo-commits

commit:     52f2e0ce9cab8eaec051fd7742db42e85a0c0138
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Tue Dec 15 14:40:48 2020 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jan 10 21:52:17 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=52f2e0ce

systemd: Module version bump.

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/systemd.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 2eac4fa5..ac664174 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1,4 +1,4 @@
-policy_module(systemd, 1.10.6)
+policy_module(systemd, 1.10.7)
 
 #########################################
 #


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2021-01-11  1:27 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2021-01-11  1:27 UTC (permalink / raw
  To: gentoo-commits

commit:     50fabb29d24fc7c921197a7b03b801f7018384af
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Thu Dec 17 14:23:18 2020 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jan 10 21:52:17 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=50fabb29

authlogin, init, systemd: Module version bump.

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/authlogin.te | 2 +-
 policy/modules/system/init.te      | 2 +-
 policy/modules/system/systemd.te   | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 7692abb6..8dccf265 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -1,4 +1,4 @@
-policy_module(authlogin, 2.17.1)
+policy_module(authlogin, 2.17.2)
 
 ########################################
 #

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 06076e0a..45fa0275 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 2.9.4)
+policy_module(init, 2.9.5)
 
 gen_require(`
 	class passwd rootok;

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index ac664174..fad477d5 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1,4 +1,4 @@
-policy_module(systemd, 1.10.7)
+policy_module(systemd, 1.10.8)
 
 #########################################
 #


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2021-02-01  2:10 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2021-02-01  2:10 UTC (permalink / raw
  To: gentoo-commits

commit:     f9897d936fcad0c175a4a54dc9e14561fef9236d
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Thu Jan 28 16:30:40 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb  1 01:21:42 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f9897d93

sysnetwork: Merge dhcpc_manage_samba tunable block with existing samba block.

This moves the existing samba_manage_config(dhcpc_t) that is not tunable
into the tunable block.

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/sysnetwork.te | 23 ++++++++++-------------
 1 file changed, 10 insertions(+), 13 deletions(-)

diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index a8fe42d6..ee768012 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -184,18 +184,6 @@ ifdef(`init_systemd',`
 	init_search_units(dhcpc_t)
 ')
 
-optional_policy(`
-	tunable_policy(`dhcpc_manage_samba',`
-        	samba_manage_var_files(dhcpc_t)
-		init_exec_script_files(dhcpc_t)
-		init_get_system_status(dhcpc_t)
-		samba_stop(dhcpc_t)
-		samba_start(dhcpc_t)
-		samba_reload(dhcpc_t)
-		samba_status(dhcpc_t)
-	')
-')
-
 optional_policy(`
 	avahi_domtrans(dhcpc_t)
 ')
@@ -252,7 +240,16 @@ optional_policy(`
 ')
 
 optional_policy(`
-	samba_manage_config(dhcpc_t)
+	tunable_policy(`dhcpc_manage_samba',`
+		samba_manage_config(dhcpc_t)
+		samba_manage_var_files(dhcpc_t)
+		init_exec_script_files(dhcpc_t)
+		init_get_system_status(dhcpc_t)
+		samba_stop(dhcpc_t)
+		samba_start(dhcpc_t)
+		samba_reload(dhcpc_t)
+		samba_status(dhcpc_t)
+	')
 ')
 
 optional_policy(`
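Review bot: moving samba_manage_config(dhcpc_t) inside tunable_policy(`dhcpc_manage_samba') means that on systems where the tunable is off, dhcpc_t loses an access it previously had unconditionally; the message mentions the move but should state explicitly that this is an intentional tightening and whether the boolean's default keeps existing deployments working. Positive side effect: the re-created block uses tabs throughout, fixing the mixed space/tab indentation the removed copy had on its samba_manage_var_files line.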


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2021-02-07  3:20 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2021-02-07  3:20 UTC (permalink / raw
  To: gentoo-commits

commit:     db53283aab8d16614c4c72b3967d8570083a2e20
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Mon Feb  1 20:46:24 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb  6 20:54:11 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=db53283a

lvm: add lvm_tmpfs_t type and rules

cryptsetup uses tmpfs when performing some operations on encrypted
volumes such as changing keys.

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/lvm.te | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index a0cc3bd9..99053132 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -42,6 +42,9 @@ init_unit_file(lvm_unit_t)
 type lvm_tmp_t;
 files_tmp_file(lvm_tmp_t)
 
+type lvm_tmpfs_t;
+files_tmpfs_file(lvm_tmpfs_t)
+
 type lvm_var_lib_t;
 files_type(lvm_var_lib_t)
 
@@ -183,6 +186,10 @@ manage_dirs_pattern(lvm_t, lvm_tmp_t, lvm_tmp_t)
 manage_files_pattern(lvm_t, lvm_tmp_t, lvm_tmp_t)
 files_tmp_filetrans(lvm_t, lvm_tmp_t, { file dir })
 
+manage_dirs_pattern(lvm_t, lvm_tmpfs_t, lvm_tmpfs_t)
+manage_files_pattern(lvm_t, lvm_tmpfs_t, lvm_tmpfs_t)
+fs_tmpfs_filetrans(lvm_t, lvm_tmpfs_t, { dir file })
+
 # /lib/lvm-<version> holds the actual LVM binaries (and symlinks)
 read_files_pattern(lvm_t, lvm_exec_t, lvm_exec_t)
 read_lnk_files_pattern(lvm_t, lvm_exec_t, lvm_exec_t)
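Review bot: fs_tmpfs_filetrans(lvm_t, lvm_tmpfs_t, { dir file }) carries no name filter, so every directory or file lvm_t creates on any tmpfs, not only what cryptsetup uses while changing keys, is labelled lvm_tmpfs_t; that is the usual refpolicy pattern and acceptable, but the message should say that cryptsetup runs in lvm_t, since the type declaration in the first hunk alone does not tell a reader why cryptsetup's tmpfs use is covered by rules on lvm_t.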


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2021-02-07  3:20 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2021-02-07  3:20 UTC (permalink / raw
  To: gentoo-commits

commit:     e3ac68ac44916a79cd8c09711c4e689533834275
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Tue Feb  2 18:50:45 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb  6 21:15:09 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e3ac68ac

systemd: Move lines.

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/systemd.if |  1 +
 policy/modules/system/systemd.te | 17 +++++++++--------
 2 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 642d58e2..d7d0eb3d 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -78,6 +78,7 @@ template(`systemd_role_template',`
 	dbus_system_bus_client($1_systemd_t)
 
 	selinux_use_status_page($1_systemd_t)
+
 	seutil_read_file_contexts($1_systemd_t)
 	seutil_search_default_contexts($1_systemd_t)
 ')

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 39c37ac1..9ef509dc 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -151,13 +151,13 @@ type systemd_machined_t;
 type systemd_machined_exec_t;
 init_daemon_domain(systemd_machined_t, systemd_machined_exec_t)
 
+type systemd_machined_devpts_t;
+term_login_pty(systemd_machined_devpts_t)
+
 type systemd_machined_runtime_t alias systemd_machined_var_run_t;
 files_runtime_file(systemd_machined_runtime_t)
 init_daemon_runtime_file(systemd_machined_runtime_t, dir, "machines")
 
-type systemd_machined_devpts_t;
-term_login_pty(systemd_machined_devpts_t)
-
 type systemd_modules_load_t;
 type systemd_modules_load_exec_t;
 init_daemon_domain(systemd_modules_load_t, systemd_modules_load_exec_t)
@@ -562,9 +562,6 @@ allow systemd_logind_t self:fifo_file rw_fifo_file_perms;
 allow systemd_logind_t systemd_logind_var_lib_t:dir manage_dir_perms;
 init_var_lib_filetrans(systemd_logind_t, systemd_logind_var_lib_t, dir)
 
-# for /run/systemd/userdb/io.systemd.Machine
-allow systemd_logind_t systemd_machined_t:unix_stream_socket connectto;
-
 manage_fifo_files_pattern(systemd_logind_t, systemd_logind_runtime_t, systemd_logind_runtime_t)
 manage_files_pattern(systemd_logind_t, systemd_logind_runtime_t, systemd_logind_runtime_t)
 allow systemd_logind_t systemd_logind_runtime_t:dir manage_dir_perms;
@@ -574,6 +571,9 @@ manage_files_pattern(systemd_logind_t, systemd_logind_inhibit_runtime_t, systemd
 manage_fifo_files_pattern(systemd_logind_t, systemd_logind_inhibit_runtime_t, systemd_logind_inhibit_runtime_t)
 init_runtime_filetrans(systemd_logind_t, systemd_logind_inhibit_runtime_t, dir, "inhibit")
 
+# for /run/systemd/userdb/io.systemd.Machine
+allow systemd_logind_t systemd_machined_t:unix_stream_socket connectto;
+
 allow systemd_logind_t systemd_sessions_runtime_t:dir manage_dir_perms;
 allow systemd_logind_t systemd_sessions_runtime_t:file manage_file_perms;
 allow systemd_logind_t systemd_sessions_runtime_t:fifo_file manage_fifo_file_perms;
@@ -730,6 +730,9 @@ allow systemd_machined_t self:capability { setgid sys_chroot sys_ptrace };
 allow systemd_machined_t self:process setfscreate;
 allow systemd_machined_t self:unix_dgram_socket { connected_socket_perms connect };
 
+term_create_pty(systemd_machined_t, systemd_machined_devpts_t)
+allow systemd_machined_t systemd_machined_devpts_t:chr_file manage_file_perms;
+
 manage_files_pattern(systemd_machined_t, systemd_machined_runtime_t, systemd_machined_runtime_t)
 allow systemd_machined_t systemd_machined_runtime_t:lnk_file manage_lnk_file_perms;
 
@@ -761,8 +764,6 @@ logging_send_syslog_msg(systemd_machined_t)
 
 seutil_search_default_contexts(systemd_machined_t)
 
-term_create_pty(systemd_machined_t, systemd_machined_devpts_t)
-allow systemd_machined_t systemd_machined_devpts_t:chr_file manage_file_perms;
 term_getattr_pty_fs(systemd_machined_t)
 
 optional_policy(`


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2021-02-07  3:20 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2021-02-07  3:20 UTC (permalink / raw
  To: gentoo-commits

commit:     f312afbcbc2ca62b7745e95fbe065c1f60ff28f5
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Tue Feb  2 19:02:49 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb  6 21:15:09 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f312afbc

systemd: Fix lint errors.

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/systemd.if | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index d7d0eb3d..48a63cb3 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -30,7 +30,6 @@ template(`systemd_role_template',`
 		attribute systemd_user_session_type, systemd_log_parse_env_type;
 		type systemd_user_runtime_t, systemd_user_runtime_notify_t;
 		type systemd_run_exec_t, systemd_analyze_exec_t;
-		type systemd_machined_t;
 	')
 
 	#################################
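Review bot: dropping `type systemd_machined_t;` from the gen_require is only safe if nothing else in the body of systemd_role_template references systemd_machined_t; the lint presumably reported the declaration as unused, but the message should say so, because a remaining reference would surface as a build failure in every caller of the template rather than as a lint warning.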
@@ -68,7 +67,7 @@ template(`systemd_role_template',`
 
 	# Allow using file descriptors for user environment generators
 	allow $3 $1_systemd_t:fd use;
-	allow $3 $1_systemd_t:fifo_file rw_inherited_file_perms;
+	allow $3 $1_systemd_t:fifo_file rw_inherited_fifo_file_perms;
 
 	# systemctl --user
 	stream_connect_pattern($3, systemd_user_runtime_t, systemd_user_runtime_t, $1_systemd_t)
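Review bot: rw_inherited_fifo_file_perms is the right class-specific set for a fifo_file object; the generic rw_inherited_file_perms compiled because the permission names overlap, which is why only lint noticed. No further change needed here.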
@@ -1351,5 +1350,5 @@ interface(`systemd_use_machined_devpts', `
 	')
 
 	allow $1 systemd_machined_t:fd use;
-	allow $1 systemd_machined_devpts_t:chr_file { read write };
+	allow $1 systemd_machined_devpts_t:chr_file rw_inherited_term_perms;
 ')
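Review bot: replacing `{ read write }` with rw_inherited_term_perms in systemd_use_machined_devpts is a semantic change, not only a lint fix: the term perms set also covers terminal-style operations beyond read and write (getattr, ioctl, append), so callers of this interface gain permissions. Either mention the widening in the message or keep the explicit pair if the extra permissions were not intended.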


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2021-03-21 22:10 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2021-03-21 22:10 UTC (permalink / raw
  To: gentoo-commits

commit:     095fdbed8f005dd9b8614e5c06a60d3e7b927dc2
Author:     Krzysztof Nowicki <krissn <AT> op <DOT> pl>
AuthorDate: Wed Aug 12 12:26:35 2020 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb 15 19:49:24 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=095fdbed

Also grant directory permissions in sysnet_manage_config

On systemd, systemd-networkd keeps its configuration in
/etc/systemd/network, where both files and directories are labelled as
net_conf_t. When granting network configuration management permissions,
also include directory management rights when systemd is in use.

This fixes denials from udev trying to parse systemd network
configuration.

Signed-off-by: Krzysztof Nowicki <krissn <AT> op.pl>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/sysnetwork.if | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
index a8f619c1..c361cd81 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -541,6 +541,10 @@ interface(`sysnet_manage_config',`
 	ifdef(`distro_redhat',`
 		manage_files_pattern($1, net_conf_t, net_conf_t)
 	')
+
+	ifdef(`init_systemd',`
+		manage_files_pattern($1, net_conf_t, net_conf_t)
+	')
 ')
 
 #######################################
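Review bot: the added init_systemd block grants manage_files_pattern($1, net_conf_t, net_conf_t), which is the same rule as the distro_redhat block directly above it, while the message says directory management rights are being added for /etc/systemd/network; the line that matches the description is `manage_dirs_pattern($1, net_conf_t, net_conf_t)`. As written the patch adds no directory permission, so the udev denials on net_conf_t directories it claims to fix remain.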


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2021-03-21 22:10 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2021-03-21 22:10 UTC (permalink / raw
  To: gentoo-commits

commit:     c7679c9a675138403d7e84d096c5c911b8635ea9
Author:     Krzysztof Nowicki <krissn <AT> op <DOT> pl>
AuthorDate: Wed Feb  3 06:35:13 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb 15 19:49:24 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c7679c9a

When using systemd_tmpfilesd_managed also grant directory permissions

This allows systemd-tmpfilesd to create files inside directories
belonging to the subject domain.

Signed-off-by: Krzysztof Nowicki <krissn <AT> op.pl>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/systemd.if | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index fb20b528..6a66a2d7 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -1174,6 +1174,7 @@ interface(`systemd_tmpfilesd_managed',`
 		type systemd_tmpfiles_t;
 	')
 
+	allow systemd_tmpfiles_t $1:dir list_dir_perms;
 	allow systemd_tmpfiles_t $1:$2 { setattr relabelfrom relabelto create };
 ')
 
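Review bot: list_dir_perms on $1:dir covers getattr, search, open and read but not add_name or write, so on its own it does not let systemd_tmpfiles_t create entries inside a $1 directory as the message states; if creation inside the directory is the goal, the dir rule needs add_name and write (rw_dir_perms or similar) in the case where $2 includes dir. The new rule also applies regardless of what $2 contains, which is dead policy when $1 is a file-only type; a comment above the line would make the intent clear.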


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2021-03-21 22:10 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2021-03-21 22:10 UTC (permalink / raw
  To: gentoo-commits

commit:     b68e3d24a8c066ede243cb178f85c4446fc1d13f
Author:     Krzysztof Nowicki <krissn <AT> op <DOT> pl>
AuthorDate: Thu Aug 13 19:30:13 2020 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb 15 19:49:24 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b68e3d24

Fix systemd-journal-flush service

This service executes journalctl, which needs access to the journald
socket.

Signed-off-by: Krzysztof Nowicki <krissn <AT> op.pl>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/init.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index f711e535..64cddd70 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1061,6 +1061,7 @@ ifdef(`init_systemd',`
 	logging_manage_audit_config(initrc_t)
 	# journalctl:
 	logging_watch_runtime_dirs(initrc_t)
+	logging_manage_runtime_sockets(initrc_t)
 
 	# lvm2-activation-generator checks file labels
 	seutil_read_file_contexts(initrc_t)
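Review bot: logging_manage_runtime_sockets gives initrc_t manage_sock_file_perms on the journald runtime sockets, which includes create, unlink and rename; journalctl only needs to connect, i.e. write on the sock_file plus the stream connect to journald. A read/write-level or stream-connect interface on the journald socket would be the least-privilege fix; manage should stay with the journald domain that owns the sockets.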


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2021-03-21 22:10 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2021-03-21 22:10 UTC (permalink / raw
  To: gentoo-commits

commit:     f6088138b8acb7213d368f6acc481c7b417d9cf6
Author:     Krzysztof Nowicki <krissn <AT> op <DOT> pl>
AuthorDate: Tue Aug 11 12:53:18 2020 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb 15 19:49:24 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f6088138

Allow execution of shell-scripted systemd generators

While systemd recommends using native binaries as generators for
performance reasons, there is nothing that really prevents them from
being shell scripts.

This is Gentoo-specific as the affected generator is provided by
the distribution, not by upstream systemd.

Signed-off-by: Krzysztof Nowicki <krissn <AT> op.pl>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/systemd.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 8ec415d0..5d34e6d2 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -443,6 +443,10 @@ systemd_log_parse_environment(systemd_generator_t)
 
 term_use_unallocated_ttys(systemd_generator_t)
 
+ifdef(`distro_gentoo',`
+	corecmd_shell_entry_type(systemd_generator_t)
+')
+
 optional_policy(`
 	fstools_exec(systemd_generator_t)
 ')
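Review bot: corecmd_shell_entry_type lets a shell binary serve as the entrypoint for systemd_generator_t, which is exactly what a script generator needs, and the distro_gentoo guard matches the message's claim that only a Gentoo-provided generator is affected. Name that generator (path or package) in the message or in a comment above the ifdef, so a future reader can remove the rule once the generator is rewritten as a binary.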


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2021-03-21 22:10 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2021-03-21 22:10 UTC (permalink / raw
  To: gentoo-commits

commit:     468a27270a27c80bb18eb60208c765af0aaac899
Author:     Krzysztof Nowicki <krissn <AT> op <DOT> pl>
AuthorDate: Wed Feb  3 21:18:59 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb 15 19:49:24 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=468a2727

Mark lvm_lock_t as systemd_tmpfilesd-managed

lvm2 installs a file into /usr/lib/tmpfiles.d/ to create
/run/lock/lvm, so systemd-tmpfilesd needs the rights to create it.

Signed-off-by: Krzysztof Nowicki <krissn <AT> op.pl>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/lvm.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index b16e5569..398e3426 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -29,6 +29,9 @@ files_type(lvm_etc_t)
 
 type lvm_lock_t;
 files_lock_file(lvm_lock_t)
+optional_policy(`
+        systemd_tmpfilesd_managed(lvm_lock_t, dir)
+')
 
 type lvm_metadata_t;
 files_type(lvm_metadata_t)
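Review bot: the systemd_tmpfilesd_managed line inside the new optional_policy block is indented with spaces while the rest of the module uses a tab, and the block sits directly under files_lock_file(lvm_lock_t) with no separating blank line; use a tab and add the blank line to match the layout of the surrounding type declarations.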


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2021-03-21 22:10 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2021-03-21 22:10 UTC (permalink / raw
  To: gentoo-commits

commit:     5979e04f9cca8d0fe89f16e5bb3c7589ec3b5de1
Author:     Krzysztof Nowicki <krissn <AT> op <DOT> pl>
AuthorDate: Wed Feb  3 15:02:11 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb 15 19:49:24 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5979e04f

Allow systemd-tmpfilesd to set attributes of /var/lock

Fixes:

avc:  denied  { setattr } for pid= comm="systemd-tmpfile" name="lock"
dev="tmpfs" ino= scontext=system_u:system_r:systemd_tmpfiles_t:s0
tcontext=system_u:object_r:var_lock_t:s0 tclass=dir

Signed-off-by: Krzysztof Nowicki <krissn <AT> op.pl>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/systemd.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 08c26078..427ae600 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1330,6 +1330,7 @@ files_relabel_var_lib_dirs(systemd_tmpfiles_t)
 files_relabelfrom_home(systemd_tmpfiles_t)
 files_relabelto_home(systemd_tmpfiles_t)
 files_relabelto_etc_dirs(systemd_tmpfiles_t)
+files_setattr_lock_dirs(systemd_tmpfiles_t)
 # for /etc/mtab
 files_manage_etc_symlinks(systemd_tmpfiles_t)
 


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2021-03-21 22:10 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2021-03-21 22:10 UTC (permalink / raw
  To: gentoo-commits

commit:     e02aa6654e83cde6d24080f8a3ac5363ffed0bdb
Author:     Krzysztof Nowicki <krissn <AT> op <DOT> pl>
AuthorDate: Wed Feb  3 21:33:01 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb 15 19:49:24 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e02aa665

Allow systemd-tmpfilesd to handle faillog directory

It is being created from a pam-provided tmpfiles.d config.

Signed-off-by: Krzysztof Nowicki <krissn <AT> op.pl>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/authlogin.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 6fc4097e..5c8f8b4c 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -87,7 +87,7 @@ type wtmp_t;
 logging_log_file(wtmp_t)
 
 optional_policy(`
-	systemd_tmpfilesd_managed(faillog_t, file)
+	systemd_tmpfilesd_managed(faillog_t, { dir file })
 	systemd_tmpfilesd_managed(var_auth_t, dir)
 ')
 


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2021-03-21 22:10 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2021-03-21 22:10 UTC (permalink / raw
  To: gentoo-commits

commit:     1e529853d647536648b7a36b39f234280ed580ec
Author:     Krzysztof Nowicki <krissn <AT> op <DOT> pl>
AuthorDate: Thu Feb  4 15:19:40 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb 15 19:49:24 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1e529853

Fix setting up the sandbox environment for systemd-networkd

Systemd starts networkd in a sandbox environment for enhanced
security. As part of that, several mounts need to be prepared, of
which one fails:

avc:  denied  { mounton } for  pid=711 comm="(networkd)"
path="/run/systemd/unit-root/run/systemd/netif" dev="tmpfs" ino=1538
scontext=system_u:system_r:init_t:s0
tcontext=system_u:object_r:systemd_networkd_runtime_t:s0 tclass=dir
permissive=1

Fix this by declaring directories of systemd_networkd_runtime_t type
as an init daemon mount point.

Signed-off-by: Krzysztof Nowicki <krissn <AT> op.pl>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/systemd.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 427ae600..2b50638b 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -179,6 +179,7 @@ init_system_domain(systemd_networkd_t, systemd_networkd_exec_t)
 
 type systemd_networkd_runtime_t alias systemd_networkd_var_run_t;
 files_runtime_file(systemd_networkd_runtime_t)
+init_mountpoint(systemd_networkd_runtime_t)
 
 type systemd_networkd_unit_t;
 init_unit_file(systemd_networkd_unit_t)


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2021-03-21 22:10 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2021-03-21 22:10 UTC (permalink / raw
  To: gentoo-commits

commit:     f99e9784118da0cf0ce9c12d9af85d3614a3d6cc
Author:     Krzysztof Nowicki <krissn <AT> op <DOT> pl>
AuthorDate: Thu Feb  4 15:55:09 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb 15 19:49:24 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f99e9784

Allow systemd-tmpfilesd to access nsswitch information

Fixes io.systemd.DynamicUser denials.

Signed-off-by: Krzysztof Nowicki <krissn <AT> op.pl>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/systemd.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 2b50638b..74ac00cc 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1352,6 +1352,8 @@ auth_relabel_lastlog(systemd_tmpfiles_t)
 auth_relabel_login_records(systemd_tmpfiles_t)
 auth_setattr_login_records(systemd_tmpfiles_t)
 
+auth_use_nsswitch(systemd_tmpfiles_t)
+
 init_manage_utmp(systemd_tmpfiles_t)
 init_manage_var_lib_files(systemd_tmpfiles_t)
 # for /proc/1/environ
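Review bot: auth_use_nsswitch is a broad interface (through its optional ldap, sssd and nis blocks it brings network and directory-service access along with the local passwd/group lookups), while the message cites only io.systemd.DynamicUser denials; list the denied permissions in the message so a reviewer can judge whether systemd_tmpfiles_t really needs the full nsswitch grant or whether a narrower rule covering the userdb lookup would do.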


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2021-03-22  0:21 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2021-03-22  0:21 UTC (permalink / raw
  To: gentoo-commits

commit:     72448072947e9656213c8564b7c293b143f64e81
Author:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
AuthorDate: Sun Feb 21 05:54:45 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Mar 21 22:07:35 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=72448072

dhcpc: read udev database

Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/sysnetwork.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 2d866e96..8f38ccb7 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -451,6 +451,10 @@ ifdef(`distro_gentoo',`
 		resolvconf_client_domain(dhcpc_t)
 	')
 
+	optional_policy(`
+		udev_read_runtime_files(dhcpc_t)
+	')
+
 	#########################################
 	#
 	# dhcpc_script_t


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2021-09-05 16:00 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2021-09-05 16:00 UTC (permalink / raw
  To: gentoo-commits

commit:     b6a25da4025588bf8442eb59f8010ed5dfbdbec2
Author:     Jonathan Davies <jpds <AT> protonmail <DOT> com>
AuthorDate: Fri Jul  9 13:25:56 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Sep  5 14:26:44 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b6a25da4

sysnetwork: dhcpc_t: Added corenet_sendrecv_icmp_packets()

DHCP client needs to handle ICMPv6 packets required for router solicitation
when combined with secmark.

Signed-off-by: Jonathan Davies <jpds <AT> protonmail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/sysnetwork.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 8f38ccb7..81a17898 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -127,6 +127,7 @@ corenet_udp_bind_all_unreserved_ports(dhcpc_t)
 corenet_tcp_connect_all_ports(dhcpc_t)
 corenet_sendrecv_dhcpd_client_packets(dhcpc_t)
 corenet_sendrecv_all_server_packets(dhcpc_t)
+corenet_sendrecv_icmp_packets(dhcpc_t)
 
 dev_read_sysfs(dhcpc_t)
 # for SSP:


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2021-11-11 21:27 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2021-11-11 21:27 UTC (permalink / raw
  To: gentoo-commits

commit:     f3fda5f5f1c4d097a9a9ec474fdb7b14790b62a2
Author:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
AuthorDate: Sun Oct 31 23:36:14 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Nov 11 21:26:50 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f3fda5f5

udev: Drop gentoo-specific fcontexts that have been upstreamed

Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/udev.fc | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
index e4f5c4b9..50f9f039 100644
--- a/policy/modules/system/udev.fc
+++ b/policy/modules/system/udev.fc
@@ -43,10 +43,6 @@ ifdef(`distro_debian',`
 
 ifdef(`distro_gentoo',`
 /usr/lib/udev/udevd	--	gen_context(system_u:object_r:udev_exec_t,s0)
-/usr/lib/udev/rules\.d(/.*)?	gen_context(system_u:object_r:udev_rules_t,s0)
 
-/usr/lib/ConsoleKit/udev-acl	--	gen_context(system_u:object_r:udev_exec_t,s0)
-
-/run/udev/rules\.d(/.*)?	gen_context(system_u:object_r:udev_rules_t,s0)
 /run/udev/data(/.*)?		gen_context(system_u:object_r:udev_tbl_t,s0)
 ')


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2021-11-12  2:00 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2021-11-12  2:00 UTC (permalink / raw
  To: gentoo-commits

commit:     f022dfa7423dc2477b1dcfc3e5d2f5a0cf527156
Author:     Jonathan Davies <jpds <AT> protonmail <DOT> com>
AuthorDate: Tue Jun 15 12:37:47 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Nov 12 01:53:00 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f022dfa7

modutils.fc: Added Gentoo specific modules_conf_t paths.

Closes: https://github.com/perfinion/hardened-refpolicy/pull/21
Signed-off-by: Jonathan Davies <jpds <AT> protonmail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/modutils.fc | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/policy/modules/system/modutils.fc b/policy/modules/system/modutils.fc
index 169a2569..cfcfb715 100644
--- a/policy/modules/system/modutils.fc
+++ b/policy/modules/system/modutils.fc
@@ -6,6 +6,9 @@ ifdef(`distro_gentoo',`
 # gentoo init scripts still manage this file
 # even if devfs is off
 /etc/modprobe\.devfs.*		--	gen_context(system_u:object_r:modules_conf_t,s0)
+/etc/modules-load\.d/.*\.conf	--	gen_context(system_u:object_r:modules_conf_t,s0)
+
+/run/modules-load\.d/.*\.conf	--	gen_context(system_u:object_r:modules_conf_t,s0)
 ')
 
 /run/tmpfiles\.d/kmod\.conf	--	gen_context(system_u:object_r:kmod_tmpfiles_conf_t,s0)
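Review bot: both new entries carry the `--` regular-file qualifier, so a symlink in /etc/modules-load.d (the usual way to mask a vendor file is a symlink to /dev/null) keeps the default etc_t label instead of modules_conf_t; either drop `--` or add a matching lnk_file entry if the same domains must read those links. A comment like the one above the modprobe.devfs entry, naming the Gentoo component that reads these files, would also help, since the modules-load.d layout itself is not Gentoo-specific.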
@@ -19,6 +22,10 @@ ifdef(`distro_gentoo',`
 /usr/bin/rmmod.*		--	gen_context(system_u:object_r:kmod_exec_t,s0)
 /usr/bin/update-modules		--	gen_context(system_u:object_r:kmod_exec_t,s0)
 
+ifdef(`distro_gentoo',`
+/usr/lib/modules-load\.d/.*\.conf	--	gen_context(system_u:object_r:modules_conf_t,s0)
+')
+
 /usr/lib/modules/[^/]+/modules\..+ --	gen_context(system_u:object_r:modules_dep_t,s0)
 /usr/lib/modules/modprobe\.conf	--	gen_context(system_u:object_r:modules_conf_t,s0)
 
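Review bot: this opens a second ifdef(`distro_gentoo',` block in the same file right after the first one was extended in the previous hunk; fold the /usr/lib/modules-load\.d entry into the block at the top of the file, or say why it has to sit here. Separately, /usr/lib/modules-load.d is the standard vendor location for these files on any systemd system, so a distro_gentoo guard may be the wrong scope; if upstream refpolicy labels it with another type, record that type in the commit message.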


^ permalink raw reply related	[flat|nested] 705+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2021-11-12  2:00 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2021-11-12  2:00 UTC (permalink / raw
  To: gentoo-commits

commit:     715686eed5de5091ee8273d5c36a076138dcc10f
Author:     Jonathan Davies <jpds <AT> protonmail <DOT> com>
AuthorDate: Fri Jul  9 23:11:26 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Nov 12 01:53:00 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=715686ee

iptables.te: Added init_read_script_pipes().

Closes: https://github.com/perfinion/hardened-refpolicy/pull/22
Signed-off-by: Jonathan Davies <jpds <AT> protonmail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/iptables.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
index 6cca017d..3269a1bd 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -85,6 +85,7 @@ auth_use_nsswitch(iptables_t)
 
 init_use_fds(iptables_t)
 init_use_script_ptys(iptables_t)
+init_read_script_pipes(iptables_t)
 # to allow rules to be saved on reboot:
 init_rw_script_pipes(iptables_t)
 init_rw_script_tmp_files(iptables_t)
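Review bot: init_read_script_pipes(iptables_t) is redundant. Two lines below, init_rw_script_pipes(iptables_t) is already granted unconditionally, and read/write on the same fifo_file type is a superset of read. Drop the new line; if the intent was to replace the rw grant with a read-only one, remove the rw line in the same change rather than stacking both.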


^ permalink raw reply related	[flat|nested] 705+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2021-11-21 19:33 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2021-11-21 19:33 UTC (permalink / raw
  To: gentoo-commits

commit:     7323f1d881f61ee2e8a1889e32054b7c3f6328a5
Author:     Jonathan Davies <jpds <AT> protonmail <DOT> com>
AuthorDate: Sun Nov 21 09:34:41 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Nov 21 19:21:13 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7323f1d8

libraries.if: Added libs_manage_lib_symlinks().

Signed-off-by: Jonathan Davies <jpds <AT> protonmail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/libraries.if | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/policy/modules/system/libraries.if b/policy/modules/system/libraries.if
index ad4bafa3..cb1ef12c 100644
--- a/policy/modules/system/libraries.if
+++ b/policy/modules/system/libraries.if
@@ -389,6 +389,24 @@ interface(`libs_delete_lib_symlinks',`
 	delete_lnk_files_pattern($1, lib_t, lib_t)
 ')
 
+########################################
+## <summary>
+##	Manage generic symlinks in library directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`libs_manage_lib_symlinks',`
+	gen_require(`
+		type lib_t;
+	')
+
+	manage_lnk_files_pattern($1, lib_t, lib_t)
+')
+
 ########################################
 ## <summary>
 ##	Create, read, write, and delete shared libraries.
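Review bot: the interface is added without a caller and the commit message does not say which domain will use it; name the consumer (or add it in the same series) so the interface is not dead code. Two smaller points: the summary should follow the verb style of its neighbours ("Create, read, write, and delete symlinks in library directories."), and since manage_lnk_files_pattern grants directory access only on lib_t, a caller that reaches /usr/lib via /usr still needs files_search_usr itself.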


^ permalink raw reply related	[flat|nested] 705+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2021-11-21 23:20 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2021-11-21 23:20 UTC (permalink / raw
  To: gentoo-commits

commit:     669856d8e7f852184036025d17574a021c502682
Author:     Jonathan Davies <jpds <AT> protonmail <DOT> com>
AuthorDate: Tue Apr  6 10:57:21 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Nov 21 23:14:37 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=669856d8

init.te: Allow init to read tmpfs files.

Closes: https://github.com/perfinion/hardened-refpolicy/pull/13
Signed-off-by: Jonathan Davies <jpds <AT> protonmail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/init.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 983d4fbb..9a3affbb 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -901,6 +901,7 @@ ifdef(`distro_gentoo',`
 	# openrc uses tmpfs for its state data
 	fs_tmpfs_filetrans(initrc_t, initrc_state_t, { dir file fifo_file lnk_file })
 	files_mountpoint(initrc_state_t)
+	fs_read_tmpfs_files(init_t)
 
 	# init scripts touch this
 	clock_dontaudit_write_adjtime(initrc_t)
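Review bot: fs_read_tmpfs_files(init_t) grants init_t read on every tmpfs_t file on the system, not just OpenRC's state directory, yet it is placed between rules that are specifically about initrc_state_t and inherits the "openrc uses tmpfs for its state data" comment. If the denial being fixed was on OpenRC state, grant read on initrc_state_t files instead (the companion commit 796eabdd on this page gives init_t only dir and fifo_file access to that type); if init really reads arbitrary tmpfs content, name the file in a comment.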


^ permalink raw reply related	[flat|nested] 705+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2021-11-21 23:20 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2021-11-21 23:20 UTC (permalink / raw
  To: gentoo-commits

commit:     796eabdd06687050ddd2253588e3d907908e475c
Author:     Jonathan Davies <jpds <AT> protonmail <DOT> com>
AuthorDate: Tue Apr  6 09:50:13 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Nov 21 23:14:37 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=796eabdd

init.te: Allow init_t access to initrc_state_t dir and fifo.

Signed-off-by: Jonathan Davies <jpds <AT> protonmail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/init.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 3802f575..983d4fbb 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -651,6 +651,9 @@ setattr_dirs_pattern(initrc_t, daemonpidfile, daemonpidfile)
 
 domtrans_pattern(init_run_all_scripts_domain, initrc_exec_t, initrc_t)
 
+manage_dirs_pattern(init_t, initrc_state_t, initrc_state_t)
+manage_fifo_files_pattern(init_t, initrc_state_t, initrc_state_t)
+
 manage_dirs_pattern(initrc_t, initrc_state_t, initrc_state_t)
 manage_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
 manage_lnk_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
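Review bot: the two new manage_*_pattern rules for init_t carry no comment and sit outside the distro_gentoo block, although initrc_state_t is described in the Gentoo section of this file ("openrc uses tmpfs for its state data") as an OpenRC artefact; either move them under that ifdef or comment why init_t needs them on every init system. Also, manage alone does not label new objects: only initrc_t has fs_tmpfs_filetrans(initrc_t, initrc_state_t, ...), so a directory or fifo that init_t creates at the top of a tmpfs will get tmpfs_t, and only objects created inside an already-labelled initrc_state_t directory inherit the right type.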


^ permalink raw reply related	[flat|nested] 705+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2021-11-21 23:20 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2021-11-21 23:20 UTC (permalink / raw
  To: gentoo-commits

commit:     f993307d3d070eb457f5ceb2da37c395d61ce630
Author:     Jonathan Davies <jpds <AT> protonmail <DOT> com>
AuthorDate: Tue Apr  6 09:30:18 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Nov 21 23:14:37 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f993307d

getty.te: Allow access to search /var/lib/.

Signed-off-by: Jonathan Davies <jpds <AT> protonmail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/getty.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
index e6e76a93..724e31ad 100644
--- a/policy/modules/system/getty.te
+++ b/policy/modules/system/getty.te
@@ -100,6 +100,8 @@ ifdef(`distro_gentoo',`
 	# Gentoo default /etc/issue makes agetty
 	# do a DNS lookup for the hostname
 	sysnet_dns_name_resolve(getty_t)
+
+	files_search_var_lib(getty_t)
 ')
 
 ifdef(`distro_ubuntu',`
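Review bot: files_search_var_lib(getty_t) contradicts the unconditional files_dontaudit_search_var_lib(getty_t) in the generic section of this file (visible in the later getty.te hunk on this page); with both present the allow wins and the dontaudit is dead on Gentoo, which will confuse the next reader. Either drop the dontaudit under distro_gentoo too or, better, add a comment like the one above sysnet_dns_name_resolve saying what under /var/lib agetty needs, since a search grant with no stated purpose tends to be widened later.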


^ permalink raw reply related	[flat|nested] 705+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2022-01-30  1:22 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2022-01-30  1:22 UTC (permalink / raw
  To: gentoo-commits

commit:     f7e5d1a892569f1f9adb0df63eb3965340763a5e
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Tue Jan 11 19:59:59 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jan 30 01:15:06 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f7e5d1a8

systemd: allow systemd user managers to execute user bin files

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/systemd.if | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 975623f5..4906767a 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -126,6 +126,8 @@ template(`systemd_role_template',`
 	dbus_spec_session_bus_client($1, $1_systemd_t)
 	dbus_connect_spec_session_bus($1, $1_systemd_t)
 
+	userdom_exec_user_bin_files($1_systemd_t)
+
 	# userdomain rules
 	allow $3 $1_systemd_t:process signal;
 	allow $3 $1_systemd_t:unix_stream_socket rw_stream_socket_perms;
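Review bot: userdom_exec_user_bin_files($1_systemd_t) makes the user manager execute user-writable files in its own domain; the interface (added in ff059cfa on this page) uses exec_files_pattern, which includes execute_no_trans, so there is no domain transition and code under ~/bin or ~/.local/bin runs with the full permissions of $1_systemd_t. That is likely what ExecStart= in user units needs, but it should be stated in a comment here, and it is worth checking that $1_systemd_t holds nothing the plain user domain $1_t lacks, because anything extra becomes reachable from a user-modifiable file.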


^ permalink raw reply related	[flat|nested] 705+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2022-01-30  1:22 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2022-01-30  1:22 UTC (permalink / raw
  To: gentoo-commits

commit:     f1666469b87a81d52a5a15aec0a53771b2b7e486
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Mon Jan 17 21:09:10 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jan 30 01:15:06 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f1666469

systemd: add supporting interfaces for user daemons

Add an interface to allow systemd user daemons to use systemd notify and
an interface to write to the systemd user runtime named socket.

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/systemd.if | 48 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index db98053a..e5214124 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -257,6 +257,35 @@ interface(`systemd_user_unix_stream_activated_socket',`
 	systemd_user_activated_sock_file($2)
 ')
 
+######################################
+## <summary>
+##	Allow the target domain the permissions necessary
+##	to use systemd notify when started by the specified
+##	systemd user instance.
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	Prefix for the user domain.
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	Domain to be allowed systemd notify permissions.
+##	</summary>
+## </param>
+#
+template(`systemd_user_send_systemd_notify',`
+	gen_require(`
+		type $1_systemd_t;
+		type systemd_user_runtime_notify_t;
+	')
+
+	systemd_search_user_runtime($2)
+	allow $2 systemd_user_runtime_notify_t:sock_file rw_sock_file_perms;
+
+	allow $2 $1_systemd_t:unix_dgram_socket sendto;
+')
+
 ######################################
 ## <summary>
 ##   Allow the target domain to be monitored and have its output
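Review bot: rw_sock_file_perms on systemd_user_runtime_notify_t is wider than sd_notify needs; sending to the notify datagram socket requires write on the sock_file (plus the unix_dgram_socket sendto granted below), and read on the sock_file is never exercised. The sibling systemd_write_user_runtime_socket interface added in this same commit grants only write, so the two are inconsistent; pick one permission set and use it in both. A one-line example call in the summary would also help, because this template takes the user prefix first and the sender domain second, unlike most interfaces in this file.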
@@ -596,6 +625,25 @@ interface(`systemd_read_user_runtime_lnk_files',`
 	read_lnk_files_pattern($1, systemd_user_runtime_t, systemd_user_runtime_t)
 ')
 
+######################################
+## <summary>
+##	Allow the specified domain to write to
+##	the systemd user runtime named socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`systemd_write_user_runtime_socket',`
+	gen_require(`
+		type systemd_user_runtime_t;
+	')
+
+	allow $1 systemd_user_runtime_t:sock_file write;
+')
+
 ######################################
 ## <summary>
 ##   Allow the specified domain to read system-wide systemd
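Review bot: unlike the notify template above, this interface does not call systemd_search_user_runtime($1), so a caller with only this grant still cannot reach the socket under the user runtime directory unless it already has search on systemd_user_runtime_t dirs; add the search call for symmetry or say in the summary that the caller must supply it. Also consider whether write alone is enough for the sockets this will be used with: connecting to a stream socket additionally needs connectto on the listening process's unix_stream_socket, which this interface does not supply.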


^ permalink raw reply related	[flat|nested] 705+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2022-01-30  1:22 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2022-01-30  1:22 UTC (permalink / raw
  To: gentoo-commits

commit:     b76bc8b1d78cf22cb9c3e019b4ff0ff80c1c0155
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Mon Jan 17 20:52:00 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jan 30 01:15:06 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b76bc8b1

systemd: use stream socket perms in systemd_user_app_status

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/systemd.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 4906767a..db98053a 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -289,7 +289,7 @@ template(`systemd_user_app_status',`
 	ps_process_pattern($1_systemd_t, $2)
 	allow $1_systemd_t $2:process signal_perms;
 	allow $2 $1_systemd_t:fd use;
-	allow $2 $1_systemd_t:unix_stream_socket rw_socket_perms;
+	allow $2 $1_systemd_t:unix_stream_socket rw_stream_socket_perms;
 
 	# apps run by systemd --user instances need to be able to read the
 	# state of the systemd --user instance
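Review bot: the delta between rw_socket_perms and rw_stream_socket_perms is listen and accept, so this change lets apps started by the user manager call listen()/accept() on the manager's own unix_stream_socket (for example a socket-activated listener fd handed down, which keeps the creator's label). The commit message only says "use stream socket perms"; record which denial prompted it, so a later reader can tell whether the accepting side really belongs to the app or whether the socket should carry the app's own type.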


^ permalink raw reply related	[flat|nested] 705+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2022-01-30  1:22 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2022-01-30  1:22 UTC (permalink / raw
  To: gentoo-commits

commit:     ff059cfa2c7ef4bd5ff446240617a14e515a0ace
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Tue Jan 11 19:56:49 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jan 30 01:15:06 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ff059cfa

userdomain: add type for user bin files

Add a type and allow execute access to executable files that may be
freely managed by users in their home directories. Although users may
normally execute anything labeled user_home_t, this type is intended to
be executed by user services such as the user's systemd --user instance.

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/userdomain.fc |  2 ++
 policy/modules/system/userdomain.if | 52 ++++++++++++++++++++++++++++++++++++-
 policy/modules/system/userdomain.te |  3 +++
 3 files changed, 56 insertions(+), 1 deletion(-)

diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc
index 70b83058..173e314a 100644
--- a/policy/modules/system/userdomain.fc
+++ b/policy/modules/system/userdomain.fc
@@ -1,5 +1,7 @@
 HOME_DIR	-d	gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
 HOME_DIR/.+		gen_context(system_u:object_r:user_home_t,s0)
+HOME_DIR/bin(/.*)?		gen_context(system_u:object_r:user_bin_t,s0)
+HOME_DIR/\.local/bin(/.*)?		gen_context(system_u:object_r:user_bin_t,s0)
 HOME_DIR/\.pki(/.*)?	gen_context(system_u:object_r:user_cert_t,s0)
 
 /tmp/gconfd-%{USERNAME} -d	gen_context(system_u:object_r:user_tmp_t,s0)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index ef4419a5..6380e869 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -376,7 +376,8 @@ interface(`userdom_ro_home_role',`
 #
 interface(`userdom_manage_home_role',`
 	gen_require(`
-		type user_home_t, user_home_dir_t, user_cert_t;
+		type user_home_t, user_home_dir_t;
+		type user_bin_t, user_cert_t;
 	')
 
 	##############################
@@ -410,6 +411,10 @@ interface(`userdom_manage_home_role',`
 	allow $2 user_home_t:sock_file { watch watch_mount watch_sb watch_with_perm watch_reads };
 	allow $2 user_home_t:fifo_file { watch watch_mount watch_sb watch_with_perm watch_reads };
 
+	userdom_manage_user_bin($2)
+	userdom_exec_user_bin_files($2)
+	userdom_user_home_dir_filetrans($2, user_bin_t, dir, "bin")
+
 	userdom_manage_user_certs($2)
 	userdom_user_home_dir_filetrans($2, user_cert_t, dir, ".pki")
 
@@ -442,6 +447,10 @@ interface(`userdom_manage_home_role',`
 			flash_relabel_home($2)
 		')
 	')
+
+	optional_policy(`
+		xdg_data_filetrans($2, user_bin_t, dir, "bin")
+	')
 ')
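Review bot: xdg_data_filetrans($2, user_bin_t, dir, "bin") fires when $2 creates a directory named bin inside an xdg_data_t directory, but the fc entry added in this commit is HOME_DIR/\.local/bin, a sibling of ~/.local/share rather than a child of it. Unless ~/.local itself is labelled xdg_data_t in xdg.fc, a freshly created ~/.local/bin will not receive user_bin_t at creation time and only restorecon will fix it; check the label xdg.fc gives HOME_DIR/\.local and, if it is not xdg_data_t, key the filetrans on that directory's type instead.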
 
 #######################################
@@ -2774,6 +2783,47 @@ interface(`userdom_user_home_dir_filetrans_user_home_content',`
 	files_search_home($1)
 ')
 
+########################################
+## <summary>
+##	Execute user executable files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_exec_user_bin_files',`
+	gen_require(`
+		type user_bin_t;
+	')
+
+	exec_files_pattern($1, user_bin_t, user_bin_t)
+	read_lnk_files_pattern($1, user_bin_t, user_bin_t)
+	files_search_home($1)
+')
+
+########################################
+## <summary>
+##	Manage user executable files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_manage_user_bin',`
+	gen_require(`
+		type user_bin_t;
+	')
+
+	allow $1 user_bin_t:dir { manage_dir_perms relabel_dir_perms };
+	allow $1 user_bin_t:file { manage_file_perms relabel_file_perms };
+	allow $1 user_bin_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+	files_search_home($1)
+')
+
 ########################################
 ## <summary>
 ##	Read user SSL certificates.
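Review bot: both new interfaces end with files_search_home($1), which only grants search on the home root; neither grants search on user_home_dir_t, so a caller that does not already search user home directories (a service domain is the stated use case) stops at ~ before it reaches ~/bin. Add userdom_search_user_home_dirs($1) to both, as xdg.if does at the end of xdg_relabel_all_config (visible in the xdg hunk on this page). On the security side, the summary of userdom_exec_user_bin_files should say that exec_files_pattern includes execute_no_trans, i.e. the caller runs user-modifiable code in its own domain; that caveat belongs with the interface, since callers outside userdomain.if will never see this commit message.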

diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index e9a5ccfc..9339cb9d 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -95,6 +95,9 @@ files_associate_tmp(user_home_t)
 files_poly_parent(user_home_t)
 files_mountpoint(user_home_t)
 
+type user_bin_t;
+userdom_user_home_content(user_bin_t)
+
 type user_cert_t;
 userdom_user_home_content(user_cert_t)
 


^ permalink raw reply related	[flat|nested] 705+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2022-01-30  1:22 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2022-01-30  1:22 UTC (permalink / raw
  To: gentoo-commits

commit:     c57bb49065554c2efa1f8bf8a6854eaeb0588d31
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Thu Jan  6 23:24:35 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jan 30 01:12:42 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c57bb490

xdg: add interface to search xdg data directories

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/xdg.if | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/policy/modules/system/xdg.if b/policy/modules/system/xdg.if
index b7620384..6e1cd836 100644
--- a/policy/modules/system/xdg.if
+++ b/policy/modules/system/xdg.if
@@ -635,6 +635,24 @@ interface(`xdg_relabel_all_config',`
 	userdom_search_user_home_dirs($1)
 ')
 
+########################################
+## <summary>
+##	Search through the xdg data home directories
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+#
+interface(`xdg_search_data_dirs',`
+	gen_require(`
+		type xdg_data_t;
+	')
+
+	allow $1 xdg_data_t:dir search_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##	Watch the xdg data home directories
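Review bot: the interface directly above, xdg_relabel_all_config, ends with userdom_search_user_home_dirs($1); this one grants search on xdg_data_t only, so callers must separately be able to search ~ and ~/.local to get there. Add userdom_search_user_home_dirs($1) for consistency with the rest of the file, or state the omission in the summary.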


^ permalink raw reply related	[flat|nested] 705+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2022-02-07  2:14 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2022-02-07  2:14 UTC (permalink / raw
  To: gentoo-commits

commit:     09a4816dac1fb5111b3b67b71bdf7942b2c02c42
Author:     Chris PeBenito <Christopher.PeBenito <AT> microsoft <DOT> com>
AuthorDate: Wed Jan  5 17:02:06 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb  7 02:09:50 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=09a4816d

systemd: Updates for generators and kmod-static-nodes.service.

Signed-off-by: Chris PeBenito <Christopher.PeBenito <AT> microsoft.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/logging.te  | 1 +
 policy/modules/system/modutils.fc | 1 +
 policy/modules/system/systemd.te  | 5 ++++-
 3 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 451155d3..6cc5c16c 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -549,6 +549,7 @@ ifdef(`init_systemd',`
 	init_dgram_send(syslogd_t)
 	init_read_runtime_pipes(syslogd_t)
 	init_read_runtime_symlinks(syslogd_t)
+	init_read_runtime_files(syslogd_t)
 	init_read_state(syslogd_t)
 
 	# needed for systemd-initrd case when syslog socket is unlabelled
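Review bot: keep the init_ calls sorted as the surrounding block is; init_read_runtime_files belongs before init_read_runtime_pipes, not after init_read_runtime_symlinks. Since the commit is about generators and kmod-static-nodes.service, a short comment naming the runtime file syslogd now reads would also tie this otherwise unrelated-looking hunk to the rest of the change.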

diff --git a/policy/modules/system/modutils.fc b/policy/modules/system/modutils.fc
index cfcfb715..88b30551 100644
--- a/policy/modules/system/modutils.fc
+++ b/policy/modules/system/modutils.fc
@@ -10,6 +10,7 @@ ifdef(`distro_gentoo',`
 
 /run/modules-load\.d/.*\.conf	--	gen_context(system_u:object_r:modules_conf_t,s0)
 ')
+/run/tmpfiles\.d/static-nodes\.conf --  gen_context(system_u:object_r:kmod_tmpfiles_conf_t,s0)
 
 /run/tmpfiles\.d/kmod\.conf	--	gen_context(system_u:object_r:kmod_tmpfiles_conf_t,s0)
 
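Review bot: the new /run/tmpfiles\.d/static-nodes\.conf entry is glued to the closing `')` of the distro_gentoo block with no blank line, uses spaces before gen_context where the file uses tabs, and is separated from the other kmod_tmpfiles_conf_t entry (kmod\.conf, two lines down) that it belongs beside. Move it under the kmod\.conf line and align it with a tab.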

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 7ccfbaf2..68fb96ec 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -510,7 +510,7 @@ systemd_log_parse_environment(systemd_generator_t)
 
 term_use_unallocated_ttys(systemd_generator_t)
 
-udev_search_runtime(systemd_generator_t)
+udev_read_runtime_files(systemd_generator_t)
 
 ifdef(`distro_gentoo',`
 	corecmd_shell_entry_type(systemd_generator_t)
@@ -1469,6 +1469,8 @@ files_runtime_filetrans(systemd_sessions_t, systemd_sessions_runtime_t, file)
 
 fs_getattr_all_fs(systemd_sessions_t)
 fs_search_cgroup_dirs(systemd_sessions_t)
+fs_search_tmpfs(systemd_sessions_t)
+fs_search_ramfs(systemd_sessions_t)
 
 kernel_read_kernel_sysctls(systemd_sessions_t)
 kernel_dontaudit_getattr_proc(systemd_sessions_t)
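Review bot: fs_search_ramfs(systemd_sessions_t) has no obvious connection to the generators/kmod-static-nodes change in the commit message, and ramfs is rarely mounted on a running system; add a comment saying which path under a ramfs systemd-user-sessions traverses (or which denial was seen), otherwise the rule is a candidate for removal at the next cleanup.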
@@ -1627,6 +1629,7 @@ init_read_state(systemd_tmpfiles_t)
 
 init_relabel_utmp(systemd_tmpfiles_t)
 init_relabel_var_lib_dirs(systemd_tmpfiles_t)
+init_read_runtime_files(systemd_tmpfiles_t)
 
 logging_manage_generic_logs(systemd_tmpfiles_t)
 logging_manage_generic_log_dirs(systemd_tmpfiles_t)
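Review bot: init_read_runtime_files(systemd_tmpfiles_t) lands under the init_relabel_* lines, breaking the alphabetical grouping this block otherwise keeps (init_read_state sits at the top of the hunk); move it up next to init_read_state.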


^ permalink raw reply related	[flat|nested] 705+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2022-02-07  2:14 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2022-02-07  2:14 UTC (permalink / raw
  To: gentoo-commits

commit:     06fc14861d2845562804a6ffef47402b13fcbad0
Author:     Chris PeBenito <Christopher.PeBenito <AT> microsoft <DOT> com>
AuthorDate: Mon Jan  3 21:21:59 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb  7 02:09:25 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=06fc1486

systemd: Additional fixes for fs getattrs.

This may need to be allowed more broadly.

Signed-off-by: Chris PeBenito <Christopher.PeBenito <AT> microsoft.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/systemd.te | 36 +++++++++++++++++++++++++++++-------
 1 file changed, 29 insertions(+), 7 deletions(-)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 95939f0f..7ccfbaf2 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -482,8 +482,7 @@ files_search_all_mountpoints(systemd_generator_t)
 files_list_usr(systemd_generator_t)
 
 fs_list_efivars(systemd_generator_t)
-fs_getattr_cgroup(systemd_generator_t)
-fs_getattr_xattr_fs(systemd_generator_t)
+fs_getattr_all_fs(systemd_generator_t)
 
 init_create_runtime_files(systemd_generator_t)
 init_manage_runtime_dirs(systemd_generator_t)
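Review bot: replacing fs_getattr_cgroup and fs_getattr_xattr_fs with fs_getattr_all_fs widens getattr (statfs) from two filesystem types to every filesystem type the policy knows, including removable and network filesystems. What statfs discloses is small, so this is acceptable, but the commit message's "This may need to be allowed more broadly" should say what the generators actually stat so the reason is on record; if the denials were only noise, fs_dontaudit_getattr_all_fs would be the narrower fix.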
@@ -695,6 +694,9 @@ files_etc_filetrans(systemd_hw_t, systemd_hwdb_t, file)
 
 files_search_runtime(systemd_hw_t)
 
+fs_getattr_all_fs(systemd_hw_t)
+fs_search_cgroup_dirs(systemd_hw_t)
+
 selinux_get_fs_mount(systemd_hw_t)
 selinux_use_status_page(systemd_hw_t)
 
@@ -822,6 +824,7 @@ fs_read_cgroup_files(systemd_logind_t)
 fs_read_efivarfs_files(systemd_logind_t)
 fs_relabelfrom_tmpfs_dirs(systemd_logind_t)
 fs_unmount_tmpfs(systemd_logind_t)
+fs_getattr_xattr_fs(systemd_logind_t)
 
 logging_send_audit_msgs(systemd_logind_t)
 
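Review bot: fs_getattr_xattr_fs(systemd_logind_t) becomes unconditional here and is removed from the systemd_logind_get_bootloader tunable in the next hunk, leaving the tunable to gate only the DOS/EFI filesystem access. That is a sensible split but it is not mentioned in the commit message; also the new line breaks the fs_ ordering of this block (it lands after fs_unmount_tmpfs), so move it up with the other fs_getattr_ calls.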
@@ -905,7 +908,6 @@ ifdef(`distro_redhat',`
 
 tunable_policy(`systemd_logind_get_bootloader',`
 	fs_getattr_dos_fs(systemd_logind_t)
-	fs_getattr_xattr_fs(systemd_logind_t)
 	fs_list_dos(systemd_logind_t)
 	fs_read_dos_files(systemd_logind_t)
 
@@ -1072,8 +1074,8 @@ files_read_etc_files(systemd_networkd_t)
 files_watch_runtime_dirs(systemd_networkd_t)
 files_watch_root_dirs(systemd_networkd_t)
 files_list_runtime(systemd_networkd_t)
-fs_getattr_xattr_fs(systemd_networkd_t)
-fs_getattr_cgroup(systemd_networkd_t)
+
+fs_getattr_all_fs(systemd_networkd_t)
 fs_search_cgroup_dirs(systemd_networkd_t)
 fs_read_nsfs_files(systemd_networkd_t)
 
@@ -1412,6 +1414,9 @@ files_watch_root_dirs(systemd_resolved_t)
 files_watch_runtime_dirs(systemd_resolved_t)
 files_list_runtime(systemd_resolved_t)
 
+fs_getattr_all_fs(systemd_resolved_t)
+fs_search_cgroup_dirs(systemd_resolved_t)
+
 init_dgram_send(systemd_resolved_t)
 
 seutil_read_file_contexts(systemd_resolved_t)
@@ -1462,6 +1467,9 @@ allow systemd_sessions_t self:process setfscreate;
 allow systemd_sessions_t systemd_sessions_runtime_t:file manage_file_perms;
 files_runtime_filetrans(systemd_sessions_t, systemd_sessions_runtime_t, file)
 
+fs_getattr_all_fs(systemd_sessions_t)
+fs_search_cgroup_dirs(systemd_sessions_t)
+
 kernel_read_kernel_sysctls(systemd_sessions_t)
 kernel_dontaudit_getattr_proc(systemd_sessions_t)
 
@@ -1491,6 +1499,9 @@ kernel_dontaudit_getattr_proc(systemd_sysctl_t)
 
 files_read_etc_files(systemd_sysctl_t)
 
+fs_getattr_all_fs(systemd_sysctl_t)
+fs_search_cgroup_dirs(systemd_sysctl_t)
+
 systemd_log_parse_environment(systemd_sysctl_t)
 
 #########################################
@@ -1504,6 +1515,9 @@ allow systemd_sysusers_t self:unix_dgram_socket sendto;
 
 files_manage_etc_files(systemd_sysusers_t)
 
+fs_getattr_all_fs(systemd_sysusers_t)
+fs_search_cgroup_dirs(systemd_sysusers_t)
+
 kernel_read_kernel_sysctls(systemd_sysusers_t)
 
 selinux_use_status_page(systemd_sysusers_t)
@@ -1587,10 +1601,10 @@ files_setattr_lock_dirs(systemd_tmpfiles_t)
 # for /etc/mtab
 files_manage_etc_symlinks(systemd_tmpfiles_t)
 
-fs_getattr_tmpfs(systemd_tmpfiles_t)
-fs_getattr_xattr_fs(systemd_tmpfiles_t)
 fs_list_tmpfs(systemd_tmpfiles_t)
 fs_relabelfrom_tmpfs_dirs(systemd_tmpfiles_t)
+fs_getattr_all_fs(systemd_tmpfiles_t)
+fs_search_cgroup_dirs(systemd_tmpfiles_t)
 
 selinux_get_fs_mount(systemd_tmpfiles_t)
 selinux_use_status_page(systemd_tmpfiles_t)
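Review bot: the replacement puts fs_getattr_all_fs below fs_relabelfrom_tmpfs_dirs while the two removed lines sat at the top of the fs_ group; keep it first so the block stays sorted, matching the generator hunk above. fs_getattr_tmpfs disappears in the process, which is fine because fs_getattr_all_fs subsumes it, but a word in the commit message would help, since the diff otherwise reads as a removal.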
@@ -1679,6 +1693,9 @@ allow systemd_update_done_t systemd_update_run_t:file manage_file_perms;
 files_etc_filetrans(systemd_update_done_t, systemd_update_run_t, file)
 files_var_filetrans(systemd_update_done_t, systemd_update_run_t, file)
 
+fs_getattr_all_fs(systemd_update_done_t)
+fs_search_cgroup_dirs(systemd_update_done_t)
+
 kernel_read_kernel_sysctls(systemd_update_done_t)
 
 selinux_use_status_page(systemd_update_done_t)
@@ -1787,8 +1804,12 @@ files_read_etc_files(systemd_userdbd_t)
 files_read_etc_runtime_files(systemd_userdbd_t)
 files_read_usr_files(systemd_userdbd_t)
 
+fs_getattr_all_fs(systemd_userdbd_t)
+fs_search_cgroup_dirs(systemd_userdbd_t)
 fs_read_efivarfs_files(systemd_userdbd_t)
 
+kernel_read_system_state(systemd_userdbd_t)
+
 init_stream_connect(systemd_userdbd_t)
 init_search_runtime(systemd_userdbd_t)
 init_read_state(systemd_userdbd_t)
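Review bot: kernel_read_system_state(systemd_userdbd_t) is a /proc read grant, not an fs getattr fix, and the commit message ("Additional fixes for fs getattrs") does not cover it; mention it or split it into its own commit. It grants read on all of proc_t, including other processes' entries, so say which proc file userdbd actually reads.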
@@ -1819,6 +1840,7 @@ fs_unmount_tmpfs(systemd_user_runtime_dir_t)
 fs_relabelfrom_tmpfs_dirs(systemd_user_runtime_dir_t)
 fs_read_cgroup_files(systemd_user_runtime_dir_t)
 fs_getattr_cgroup(systemd_user_runtime_dir_t)
+fs_getattr_xattr_fs(systemd_user_runtime_dir_t)
 
 kernel_read_kernel_sysctls(systemd_user_runtime_dir_t)
 kernel_dontaudit_getattr_proc(systemd_user_runtime_dir_t)
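Review bot: every other domain in this patch is moved to fs_getattr_all_fs, but systemd_user_runtime_dir_t gets fs_getattr_xattr_fs added beside its existing fs_getattr_cgroup; if consistency is the goal, use fs_getattr_all_fs here as well, and if the narrower pair is deliberate, say why in the message.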


^ permalink raw reply related	[flat|nested] 705+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2022-03-31  3:31 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2022-03-31  3:31 UTC (permalink / raw
  To: gentoo-commits

commit:     b3a7d999f44a74fcb84a309b909541a64a6d2ef5
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Wed Nov 10 00:51:33 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Mar 31 02:40:53 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b3a7d999

init: allow systemd to nnp_transition and nosuid_transition to daemon domains

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/init.if | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 0559dc93..8d3eab4a 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -376,6 +376,8 @@ interface(`init_daemon_domain',`
 
 		allow $1 init_t:unix_dgram_socket sendto;
 
+		allow init_t $1:process2 { nnp_transition nosuid_transition };
+
 		optional_policy(`
 			systemd_stream_connect_socket_proxyd($1)
 		')
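Review bot: allow init_t $1:process2 { nnp_transition nosuid_transition } lets the manager transition into every init_daemon_domain type even when the unit runs with NoNewPrivileges=yes or the executable lives on a nosuid mount, cases in which SELinux (with the nnp_nosuid_transition policy capability) would otherwise refuse the exec. That is the intended bounded exception, but it deserves an inline comment with that rationale, and it should be weighed against any domain that uses init_daemon_domain without being NNP-safe, since nnp_transition is precisely what lets a domain gain privileges over init_t across the exec. The indentation and the adjacent systemd_stream_connect_socket_proxyd() optional block suggest this sits in the systemd-specific branch, which matches the commit title; confirm it is not also applied on sysvinit builds.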


^ permalink raw reply related	[flat|nested] 705+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2022-03-31  3:31 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2022-03-31  3:31 UTC (permalink / raw
  To: gentoo-commits

commit:     96e2577855dad18d23e011de5d150f72eca4333d
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Tue Nov 30 16:31:09 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Mar 31 02:40:53 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=96e25778

getty, locallogin: cgroup fixes

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/getty.te      | 2 ++
 policy/modules/system/locallogin.te | 4 ++++
 2 files changed, 6 insertions(+)

diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
index e8c5a1b4..cba1f8ab 100644
--- a/policy/modules/system/getty.te
+++ b/policy/modules/system/getty.te
@@ -70,6 +70,8 @@ files_search_spool(getty_t)
 files_dontaudit_search_var_lib(getty_t)
 
 fs_search_auto_mountpoints(getty_t)
+fs_getattr_cgroup(getty_t)
+fs_search_cgroup_dirs(getty_t)
 # for error condition handling
 fs_getattr_xattr_fs(getty_t)
 
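Review bot: the two new cgroup lines are inserted directly above `# for error condition handling`, so the comment now reads as if it may cover fs_getattr_cgroup and fs_search_cgroup_dirs as well as the fs_getattr_xattr_fs it was written for; put a blank line before the comment, and since the commit message ("cgroup fixes") does not say what in getty walks the cgroup tree, a short note on the denial being fixed would help.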

diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
index 6d5e948d..7fec15aa 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -55,6 +55,10 @@ allow local_login_t local_login_tmp_t:dir manage_dir_perms;
 allow local_login_t local_login_tmp_t:file manage_file_perms;
 files_tmp_filetrans(local_login_t, local_login_tmp_t, { file dir })
 
+fs_getattr_cgroup(local_login_t)
+fs_search_cgroup_dirs(local_login_t)
+fs_getattr_xattr_fs(local_login_t)
+
 kernel_read_system_state(local_login_t)
 kernel_read_kernel_sysctls(local_login_t)
 kernel_search_key(local_login_t)


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2022-03-31  3:31 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2022-03-31  3:31 UTC (permalink / raw
  To: gentoo-commits

commit:     bbd6fcc9c8ff59bcde02b114d6985505e33e8d3f
Author:     Jonathan Davies <jpds <AT> protonmail <DOT> com>
AuthorDate: Fri Mar 25 00:29:42 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Mar 31 02:40:53 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=bbd6fcc9

systemd.if: Allowed reading systemd_userdbd_runtime_t symlinks in systemd_stream_connect_userdb().

Signed-off-by: Jonathan Davies <jpds <AT> protonmail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/systemd.if | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index fc000ef9..b1616d21 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -1250,6 +1250,7 @@ interface(`systemd_stream_connect_userdb', `
 
 	init_search_runtime($1)
 	allow $1 systemd_userdbd_runtime_t:dir list_dir_perms;
+	allow $1 systemd_userdbd_runtime_t:lnk_file read_lnk_file_perms;
 	stream_connect_pattern($1, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t, systemd_userdbd_t)
 	init_unix_stream_socket_connectto($1)
 ')


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2022-03-31  3:31 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2022-03-31  3:31 UTC (permalink / raw
  To: gentoo-commits

commit:     b92a94a5433397a83d36847cbd4b8ce677e1e607
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Sat Nov 13 21:17:53 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Mar 31 02:40:53 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b92a94a5

systemd: add support for systemd-resolved stubs

When using systemd-resolved, the recommended configuration is to symlink
/etc/resolv.conf to one of the stub files in /run/systemd/resolve. To
support this, daemons that can read net_conf_t must be able to search
the init runtime and read etc_t symlinks. Allow this access if systemd
is enabled.

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/systemd.if | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index e68a9b44..fc000ef9 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -2164,6 +2164,10 @@ interface(`systemd_read_resolved_runtime',`
 		type systemd_resolved_runtime_t;
 	')
 
+	# to read the systemd-resolved stub
+	files_read_etc_symlinks($1)
+
+	init_search_runtime($1)
 	read_files_pattern($1, systemd_resolved_runtime_t, systemd_resolved_runtime_t)
 ')
 
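Review bot: files_read_etc_symlinks($1) grants read on every etc_t symlink, not only the /etc/resolv.conf link the commit message describes, and because it lands in systemd_read_resolved_runtime every caller of that interface (per the message, any domain that reads net_conf_t) inherits it. If the resolv.conf symlink itself can be labeled net_conf_t in the file contexts, the read access those domains already have would cover it and this wider grant could be dropped; otherwise extend the `# to read the systemd-resolved stub` comment to say that the etc_t symlink access is broader than the stub.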


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2022-03-31  3:31 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2022-03-31  3:31 UTC (permalink / raw
  To: gentoo-commits

commit:     996ce0759abb385b647feff2fce7e7368226ba21
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Wed Dec  1 14:06:26 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Mar 31 02:40:53 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=996ce075

udev: allow udev to start the systemd system object

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/udev.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 17cb7de4..360ebc81 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -258,6 +258,7 @@ ifdef(`init_systemd',`
 	init_dgram_send(udev_t)
 	init_get_generic_units_status(udev_t)
 	init_stream_connect(udev_t)
+	init_start_system(udev_t)
 
 	systemd_map_hwdb(udev_t)
 	systemd_read_hwdb(udev_t)


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2022-03-31  3:31 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2022-03-31  3:31 UTC (permalink / raw
  To: gentoo-commits

commit:     5c01efb62cfd14b4ccf8cebcab4245bd188d2060
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Tue Nov 30 16:30:57 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Mar 31 02:40:53 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5c01efb6

locallogin: fix for polyinstantiation

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/locallogin.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
index 91f21cc2..6d5e948d 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -157,6 +157,10 @@ ifdef(`distro_ubuntu',`
 	')
 ')
 
+tunable_policy(`allow_polyinstantiation',`
+	seutil_domtrans_setfiles(local_login_t)
+')
+
 tunable_policy(`console_login',`
 	# Able to relabel /dev/console to user tty types.
 	term_relabel_console(local_login_t)
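Review bot: the new tunable block hands local_login_t a domain transition into the setfiles domain, which can relabel files broadly, and neither the rule nor the commit message ("fix for polyinstantiation") says which step of a polyinstantiated login runs setfiles (presumably the per-session directory setup performed by pam_namespace). A one-line comment naming that step would justify the transition for the next reviewer and make it clear the access should stay inside the allow_polyinstantiation tunable.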


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2022-03-31  3:31 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2022-03-31  3:31 UTC (permalink / raw
  To: gentoo-commits

commit:     621173ccfc704a796406e112f0342aae3f3bd803
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Fri Nov 12 22:23:37 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Mar 31 02:40:53 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=621173cc

authlogin: dontaudit getcap chkpwd

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/authlogin.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 286bf52e..f4741e3a 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -109,6 +109,7 @@ optional_policy(`
 allow chkpwd_t self:capability { dac_override setuid };
 dontaudit chkpwd_t self:capability sys_tty_config;
 allow chkpwd_t self:process { getattr signal };
+dontaudit chkpwd_t self:process getcap;
 
 allow chkpwd_t shadow_t:file read_file_perms;
 files_list_etc(chkpwd_t)


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2022-03-31  3:31 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2022-03-31  3:31 UTC (permalink / raw
  To: gentoo-commits

commit:     7b9bf7671fd0f56c1761f3a7c0e4e11844cd51d3
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Tue Nov 30 17:11:56 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Mar 31 02:40:53 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7b9bf767

unconfined: fixes for bluetooth dbus chat and systemd

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/unconfined.te | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index df6fbdb7..dacad205 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -60,6 +60,7 @@ ifdef(`init_systemd',`
 	init_service_status(unconfined_t)
 	# for systemd --user:
 	init_pgm_spec_user_daemon_domain(unconfined_t)
+	allow unconfined_t self:system { status start stop reload };
 
 	optional_policy(`
 		systemd_dbus_chat_resolved(unconfined_t)
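Review bot: `allow unconfined_t self:system { status start stop reload };` sits directly under the `# for systemd --user:` comment that was written for init_pgm_spec_user_daemon_domain, so it is unclear whether that comment is meant to cover it. If the rule is for the user manager, leave it there and say so in the comment; if it belongs to the systemd part of the fix for a different reason, give it its own line of explanation.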
@@ -76,6 +77,10 @@ optional_policy(`
 	bind_run_ndc(unconfined_t, unconfined_r)
 ')
 
+optional_policy(`
+	bluetooth_dbus_chat(unconfined_t)
+')
+
 optional_policy(`
 	bootloader_run(unconfined_t, unconfined_r)
 ')


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2022-03-31  3:31 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2022-03-31  3:31 UTC (permalink / raw
  To: gentoo-commits

commit:     73fad8a2bc1251e5d3c5cb47933ac92a2440d4bf
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Tue Nov 30 16:09:39 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Mar 31 02:40:53 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=73fad8a2

systemd: various fixes

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/systemd.te | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index cd120829..171cb5e5 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -658,6 +658,9 @@ udev_read_runtime_files(systemd_homework_t)
 
 allow systemd_hostnamed_t self:capability sys_admin;
 
+fs_getattr_cgroup(systemd_hostnamed_t)
+fs_getattr_xattr_fs(systemd_hostnamed_t)
+
 kernel_read_kernel_sysctls(systemd_hostnamed_t)
 kernel_dontaudit_getattr_proc(systemd_hostnamed_t)
 
@@ -1020,6 +1023,9 @@ optional_policy(`
 # modules-load local policy
 #
 
+fs_getattr_cgroup(systemd_modules_load_t)
+fs_getattr_xattr_fs(systemd_modules_load_t)
+
 kernel_load_module(systemd_modules_load_t)
 kernel_read_kernel_sysctls(systemd_modules_load_t)
 kernel_request_load_module(systemd_modules_load_t)
@@ -1372,6 +1378,10 @@ manage_dirs_pattern(systemd_rfkill_t, systemd_rfkill_var_lib_t, systemd_rfkill_v
 manage_files_pattern(systemd_rfkill_t, systemd_rfkill_var_lib_t, systemd_rfkill_var_lib_t)
 init_var_lib_filetrans(systemd_rfkill_t, systemd_rfkill_var_lib_t, dir)
 
+fs_getattr_cgroup(systemd_rfkill_t)
+fs_getattr_xattr_fs(systemd_rfkill_t)
+
+kernel_getattr_proc(systemd_rfkill_t)
 kernel_read_kernel_sysctls(systemd_rfkill_t)
 
 dev_read_sysfs(systemd_rfkill_t)
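Review bot: this hunk grants kernel_getattr_proc(systemd_rfkill_t) while the first hunk of the same commit silences the equivalent access for systemd_hostnamed_t with kernel_dontaudit_getattr_proc; the two should be consistent, and if rfkill genuinely needs to stat /proc a comment saying why would help. More generally, "various fixes" leaves the denials behind each of the five hunks unrecorded; listing them in the message would make the new grants auditable later.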
@@ -1586,6 +1596,7 @@ dev_setattr_all_sysfs(systemd_tmpfiles_t)
 dev_write_sysfs(systemd_tmpfiles_t)
 
 files_create_lock_dirs(systemd_tmpfiles_t)
+files_dontaudit_getattr_lost_found_dirs(systemd_tmpfiles_t)
 files_manage_all_runtime_dirs(systemd_tmpfiles_t)
 files_delete_usr_files(systemd_tmpfiles_t)
 files_list_home(systemd_tmpfiles_t)
@@ -1853,6 +1864,7 @@ fs_unmount_tmpfs(systemd_user_runtime_dir_t)
 fs_relabelfrom_tmpfs_dirs(systemd_user_runtime_dir_t)
 fs_read_cgroup_files(systemd_user_runtime_dir_t)
 fs_getattr_cgroup(systemd_user_runtime_dir_t)
+fs_search_cgroup_dirs(systemd_user_runtime_dir_t)
 fs_getattr_xattr_fs(systemd_user_runtime_dir_t)
 
 kernel_read_kernel_sysctls(systemd_user_runtime_dir_t)


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2022-09-03 19:10 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2022-09-03 19:10 UTC (permalink / raw
  To: gentoo-commits

commit:     888c1aed22a0f67d4e4bdac540f249c392f27cec
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Sat Apr  2 19:40:07 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Sep  3 18:41:55 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=888c1aed

init, systemd: allow unpriv users to read the catalog

Label /var/lib/systemd/catalog the journal type, and allow unpriv users
to search /var/lib/systemd. This is to fix this warning when an
unprivileged user uses journalctl:

Failed to find catalog entry: Permission denied

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/init.if    | 19 +++++++++++++++++++
 policy/modules/system/systemd.fc |  2 ++
 policy/modules/system/systemd.if |  1 +
 3 files changed, 22 insertions(+)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 8d3eab4a..1ce483da 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1375,6 +1375,25 @@ interface(`init_read_var_lib_links',`
 	allow $1 init_var_lib_t:lnk_file read_lnk_file_perms;
 ')
 
+########################################
+## <summary>
+##      Search /var/lib/systemd/ dirs
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_search_var_lib_dirs',`
+	gen_require(`
+		type init_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	allow $1 init_var_lib_t:dir search_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##      List /var/lib/systemd/ dir

diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index 2cbc2e19..cf7ce0c4 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -75,6 +75,8 @@ HOME_DIR/\.local/share/systemd(/.*)?		gen_context(system_u:object_r:systemd_data
 
 /var/\.updated				--	gen_context(system_u:object_r:systemd_update_run_t,s0)
 
+/var/lib/systemd/catalog(/.*)?	gen_context(system_u:object_r:systemd_journal_t,s0)
+
 /var/lib/systemd/backlight(/.*)?	gen_context(system_u:object_r:systemd_backlight_var_lib_t,s0)
 /var/lib/systemd/coredump(/.*)?	gen_context(system_u:object_r:systemd_coredump_var_lib_t,s0)
 /var/lib/systemd/home(/.*)?     gen_context(system_u:object_r:systemd_homed_var_lib_t,s0)
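Review bot: the new `/var/lib/systemd/catalog(/.*)?` entry breaks the alphabetical order of the /var/lib/systemd entries (backlight, coredump, home, ...) and is set apart from them by blank lines; place it after the backlight line. Labeling the catalog systemd_journal_t also means any domain allowed to write journal files can write the catalog that journalctl renders message explanations from; that looks acceptable given the role template already grants these users systemd_read_journal_files, but a short comment would record that the sharing is intended.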

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index c2b6824b..1da951f0 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -160,6 +160,7 @@ template(`systemd_role_template',`
 	can_exec($3, { systemd_run_exec_t systemd_analyze_exec_t })
 
 	init_dbus_chat($3)
+	init_search_var_lib_dirs($3)
 
 	systemd_list_journal_dirs($3)
 	systemd_read_journal_files($3)


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2022-09-03 19:10 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2022-09-03 19:10 UTC (permalink / raw
  To: gentoo-commits

commit:     9f377595365a60a9d630534e322aa928a4f9c3ea
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Wed Apr 27 05:09:52 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Sep  3 18:41:55 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9f377595

sysnetwork, systemd: allow DNS resolution over io.systemd.Resolve

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/sysnetwork.if |  1 +
 policy/modules/system/systemd.if    | 21 +++++++++++++++++++++
 2 files changed, 22 insertions(+)

diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
index ad8428f5..464893f6 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -900,6 +900,7 @@ interface(`sysnet_dns_name_resolve',`
 	ifdef(`init_systemd',`
 		optional_policy(`
 			systemd_dbus_chat_resolved($1)
+			systemd_stream_connect_resolved($1)
 		')
 		# This seems needed when the mymachines NSS module is used
 		optional_policy(`

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index cab51732..cc942879 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -2319,6 +2319,27 @@ interface(`systemd_tmpfilesd_managed',`
 	')
 ')
 
+#######################################
+## <summary>
+##	Connect to systemd resolved over
+##	/run/systemd/resolve/io.systemd.Resolve .
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`systemd_stream_connect_resolved',`
+	gen_require(`
+		type systemd_resolved_t;
+		type systemd_resolved_runtime_t;
+	')
+
+	files_search_runtime($1)
+	stream_connect_pattern($1, systemd_resolved_runtime_t, systemd_resolved_runtime_t, systemd_resolved_t)
+')
+
 ########################################
 ## <summary>
 ##   Send and receive messages from
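Review bot: systemd_stream_connect_resolved only calls files_search_runtime($1), yet the socket named in its summary lives under /run/systemd/resolve, and the other interfaces on this list that reach into /run/systemd (systemd_stream_connect_userdb, systemd_read_resolved_runtime) also call init_search_runtime($1) for the /run/systemd directory itself. Unless every caller obtains that search elsewhere, the connect will be denied on /run/systemd; add init_search_runtime($1) alongside files_search_runtime($1).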


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2022-09-03 19:10 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2022-09-03 19:10 UTC (permalink / raw
  To: gentoo-commits

commit:     aa7fdc2ac01b265a8e6233f8846f6ecbac3ddc8c
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Sat Apr  2 19:30:02 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Sep  3 18:41:55 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=aa7fdc2a

systemd: minor fixes to systemd user domains

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/systemd.if | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index cc942879..c2b6824b 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -91,10 +91,14 @@ template(`systemd_role_template',`
 
 	files_search_home($1_systemd_t)
 
+	fs_getattr_xattr_fs($1_systemd_t)
 	fs_manage_cgroup_files($1_systemd_t)
 	fs_watch_cgroup_files($1_systemd_t)
 
 	kernel_dontaudit_getattr_proc($1_systemd_t)
+	# if systemd exists in the initrd, the journal socket stays labeled kernel_t
+	# without this access, user services cannot log to the journal
+	kernel_stream_connect($1_systemd_t)
 
 	selinux_use_status_page($1_systemd_t)
 
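Review bot: kernel_stream_connect($1_systemd_t) allows connecting to any unix stream socket owned by kernel_t, not only the journal socket the comment names. The comment is still the right justification and should stay: a socket's label comes from the domain that created it, so the relabel of /run that systemd performs after loading policy changes the filesystem node but not the socket object, which remains kernel_t. Stating that explicitly would pre-empt the next reviewer asking why the access cannot be narrowed.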


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2022-09-03 19:10 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2022-09-03 19:10 UTC (permalink / raw
  To: gentoo-commits

commit:     3d84d768f45b1c443e3f0f477d62aa813831da4d
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Thu Mar 31 17:22:37 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Sep  3 18:41:55 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3d84d768

systemd: add file transition for systemd-networkd runtime

systemd-networkd creates the /run/systemd/network directory which should
be labeled appropriately.

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/systemd.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index ec8d16a6..501a1227 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1099,6 +1099,7 @@ auth_use_nsswitch(systemd_networkd_t)
 
 init_dgram_send(systemd_networkd_t)
 init_read_state(systemd_networkd_t)
+init_runtime_filetrans(systemd_networkd_t, systemd_networkd_runtime_t, dir)
 
 logging_send_syslog_msg(systemd_networkd_t)
 
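Review bot: init_runtime_filetrans(systemd_networkd_t, systemd_networkd_runtime_t, dir) is passed no name, so every directory systemd-networkd creates under /run/systemd gets systemd_networkd_runtime_t, while the commit message only names /run/systemd/network. The refpolicy filetrans interfaces accept an optional fourth name argument; passing "network" keeps the transition to that one directory.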


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2022-09-03 19:10 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2022-09-03 19:10 UTC (permalink / raw
  To: gentoo-commits

commit:     0c159bed7e8d9efce2dfdfa9b4ae1235135d8367
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Thu May 19 15:42:51 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Sep  3 18:41:55 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0c159bed

systemd: add file contexts for systemd-network-generator

Thanks-To: Zhao Yi
Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/systemd.fc | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index db1e6415..f22e655b 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -39,6 +39,7 @@
 /usr/lib/systemd/systemd-machined	--	gen_context(system_u:object_r:systemd_machined_exec_t,s0)
 /usr/lib/systemd/systemd-modules-load	--	gen_context(system_u:object_r:systemd_modules_load_exec_t,s0)
 /usr/lib/systemd/systemd-networkd	--	gen_context(system_u:object_r:systemd_networkd_exec_t,s0)
+/usr/lib/systemd/systemd-network-generator	--	gen_context(system_u:object_r:systemd_networkd_exec_t,s0)
 /usr/lib/systemd/systemd-pstore		--	gen_context(system_u:object_r:systemd_pstore_exec_t,s0)
 /usr/lib/systemd/systemd-resolved	--	gen_context(system_u:object_r:systemd_resolved_exec_t,s0)
 /usr/lib/systemd/systemd-rfkill		--	gen_context(system_u:object_r:systemd_rfkill_exec_t,s0)
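Review bot: labeling systemd-network-generator systemd_networkd_exec_t makes it run in systemd_networkd_t, so a generator that only translates kernel command-line settings into network configuration files inherits the whole networkd daemon policy. If that is a deliberate shortcut, a comment in the fc or in the commit message saying so would help; the alternative is a dedicated generator domain with a much smaller rule set.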
@@ -66,6 +67,7 @@ HOME_DIR/\.local/share/systemd(/.*)?		gen_context(system_u:object_r:systemd_data
 /usr/lib/systemd/system/systemd-backlight.*	--	gen_context(system_u:object_r:systemd_backlight_unit_t,s0)
 /usr/lib/systemd/system/systemd-binfmt.*	--	gen_context(system_u:object_r:systemd_binfmt_unit_t,s0)
 /usr/lib/systemd/system/systemd-networkd.*		gen_context(system_u:object_r:systemd_networkd_unit_t,s0)
+/usr/lib/systemd/system/systemd-network-generator.*		gen_context(system_u:object_r:systemd_networkd_unit_t,s0)
 /usr/lib/systemd/system/systemd-rfkill.*	--	gen_context(system_u:object_r:systemd_rfkill_unit_t,s0)
 /usr/lib/systemd/system/systemd-socket-proxyd\.service	--	gen_context(system_u:object_r:systemd_socket_proxyd_unit_file_t,s0)
 /usr/lib/systemd/system/systemd-userdbd\.(service|socket)		--	gen_context(system_u:object_r:systemd_userdbd_unit_t,s0)


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2022-09-03 19:10 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2022-09-03 19:10 UTC (permalink / raw
  To: gentoo-commits

commit:     e12ee65669beb8e0a41580e4edea45f62f27dfda
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Fri May 20 15:30:10 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Sep  3 18:41:55 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e12ee656

systemd: allow systemd-networkd to read init runtime files

If started from an initrd and the kernel is configured for networking at
early boot, systemd-networkd needs access to files for the network
configuration in /run/systemd/network which are still init_runtime_t
during early boot. systemd will later relabel these files after the
policy is loaded.

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/systemd.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 501a1227..92a2b486 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1099,6 +1099,7 @@ auth_use_nsswitch(systemd_networkd_t)
 
 init_dgram_send(systemd_networkd_t)
 init_read_state(systemd_networkd_t)
+init_read_runtime_files(systemd_networkd_t)
 init_runtime_filetrans(systemd_networkd_t, systemd_networkd_runtime_t, dir)
 
 logging_send_syslog_msg(systemd_networkd_t)
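Review bot: init_read_runtime_files(systemd_networkd_t) grants read on all init_runtime_t files, and the reason it is needed (early boot from an initrd, before the post-policy-load relabel) lives only in the commit message. Put that one-line reason as a comment above the call, otherwise someone looking at a running system, where the files are already systemd_networkd_runtime_t, will remove it as redundant.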


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2022-09-03 19:10 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2022-09-03 19:10 UTC (permalink / raw
  To: gentoo-commits

commit:     ec23048973313061821a137ceb9d3c63709dda9d
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Wed Apr 27 22:48:35 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Sep  3 18:41:55 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ec230489

unconfined: use unconfined container role

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/unconfined.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index dacad205..308a76e4 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -86,7 +86,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-	container_user_role(unconfined, unconfined_t, unconfined_application_exec_domain, unconfined_r)
+	container_unconfined_role(unconfined, unconfined_t, unconfined_application_exec_domain, unconfined_r)
 ')
 
 optional_policy(`


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2022-09-03 19:10 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2022-09-03 19:10 UTC (permalink / raw
  To: gentoo-commits

commit:     bb796e037d8e1e0db2dcce7af23765b287fac2e8
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Thu May 19 15:43:44 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Sep  3 18:41:55 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=bb796e03

systemd, udev: allow udev to read systemd-networkd runtime

udev searches for .link files and applies custom udev rules to devices
as they come up.

Thanks-To: Zhao Yi
Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/udev.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 360ebc81..c60ad560 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -264,6 +264,8 @@ ifdef(`init_systemd',`
 	systemd_read_hwdb(udev_t)
 	systemd_read_logind_sessions_files(udev_t)
 	systemd_read_logind_runtime_files(udev_t)
+	# udev searches for .link files and applies custom udev rules
+	systemd_read_networkd_runtime(udev_t)
 
 	optional_policy(`
 		init_dbus_chat(udev_t)


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2022-09-03 19:10 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2022-09-03 19:10 UTC (permalink / raw
  To: gentoo-commits

commit:     5f563b73a5b5c4b110e67da63978b82995005666
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Sat Apr  2 19:44:01 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Sep  3 18:41:55 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5f563b73

systemd: add missing file context for /run/systemd/network

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/systemd.fc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index cf7ce0c4..db1e6415 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -98,6 +98,7 @@ HOME_DIR/\.local/share/systemd(/.*)?		gen_context(system_u:object_r:systemd_data
 /run/systemd/ask-password(/.*)?	gen_context(system_u:object_r:systemd_passwd_runtime_t,s0)
 /run/systemd/ask-password-block(/.*)?	gen_context(system_u:object_r:systemd_passwd_runtime_t,s0)
 /run/systemd/home(/.*)?         gen_context(system_u:object_r:systemd_homed_runtime_t,s0)
+/run/systemd/network(/.*)?  gen_context(system_u:object_r:systemd_networkd_runtime_t,s0)
 /run/systemd/resolve(/.*)?  gen_context(system_u:object_r:systemd_resolved_runtime_t,s0)
 /run/systemd/seats(/.*)?	gen_context(system_u:object_r:systemd_sessions_runtime_t,s0)
 /run/systemd/sessions(/.*)?	gen_context(system_u:object_r:systemd_sessions_runtime_t,s0)


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2022-09-03 19:54 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2022-09-03 19:54 UTC (permalink / raw
  To: gentoo-commits

commit:     9f360ceda6290fc51e9f537d59574810e5a876b6
Author:     Chris PeBenito <chpebeni <AT> linux <DOT> microsoft <DOT> com>
AuthorDate: Wed Aug 17 17:53:26 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Sep  3 19:07:49 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9f360ced

systemd: Add interface for systemctl exec.

Adds necessary baseline permissions for the command.

Signed-off-by: Chris PeBenito <chpebeni <AT> linux.microsoft.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/systemd.if | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 62545021..f48cc541 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -2388,6 +2388,37 @@ interface(`systemd_read_resolved_runtime',`
 	read_files_pattern($1, systemd_resolved_runtime_t, systemd_resolved_runtime_t)
 ')
 
+########################################
+## <summary>
+##	Execute the systemctl program.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`systemd_exec_systemctl',`
+	gen_require(`
+		type systemd_passwd_agent_t, systemd_passwd_agent_exec_t;
+	')
+
+	dontaudit $1 self:capability { net_admin sys_resource };
+	allow $1 self:process signal;
+	allow $1 self:unix_stream_socket create_socket_perms;
+
+	# the command is a regular bin
+	corecmd_exec_bin($1)
+
+	domtrans_pattern($1, systemd_passwd_agent_exec_t, systemd_passwd_agent_t)
+	allow $1 systemd_passwd_agent_t:process signal;
+
+	init_read_state($1)
+	init_stream_connect($1)
+	init_telinit($1)
+	init_dbus_chat($1)
+')
+
 #######################################
 ## <summary>
 ##  Allow domain to getattr on .updated file (generated by systemd-update-done
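Review bot: the summary at the top of systemd_exec_systemctl says only "Execute the systemctl program", but the body also grants init_telinit($1), init_dbus_chat($1) and a domain transition into systemd_passwd_agent_t, which together let the caller start and stop units and drive PID 1 over D-Bus; a policy author picking this interface from the generated docs will assume exec-only. Expand the summary to say it grants systemctl control of the init system so the privilege level is visible where callers look, e.g. "Execute systemctl and allow it to control the init system (telinit, D-Bus chat with init)".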


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2022-09-03 19:54 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2022-09-03 19:54 UTC (permalink / raw
  To: gentoo-commits

commit:     d63d91588adf55e6867440af9b9f6a4fe6c166f6
Author:     Dave Sugar <dsugar100 <AT> gmail <DOT> com>
AuthorDate: Fri Aug 26 02:45:24 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Sep  3 19:07:50 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d63d9158

systemd: init_t creates systemd-logind 'linger' directory

node=localhost type=AVC msg=audit(1661480051.880:321): avc:  denied  { create } for  pid=1027 comm="(d-logind)" name="linger" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_logind_var_lib_t:s0 tclass=dir permissive=0

Signed-off-by: Dave Sugar <dsugar100 <AT> gmail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/init.te    |  1 +
 policy/modules/system/systemd.if | 21 +++++++++++++++++++++
 2 files changed, 22 insertions(+)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 285ee5b4..9ecaae54 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -551,6 +551,7 @@ ifdef(`init_systemd',`
 
 	optional_policy(`
 		systemd_dbus_chat_logind(init_t)
+		systemd_create_logind_linger_dir(init_t)
 		systemd_search_all_user_keys(init_t)
 		systemd_create_all_user_keys(init_t)
 		systemd_write_all_user_keys(init_t)

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index f48cc541..2370c729 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -2031,6 +2031,27 @@ interface(`systemd_read_logind_state',`
 	allow systemd_logind_t $1:file read_file_perms;
 ')
 
+########################################
+## <summary>
+##	Allow the specified domain to create
+##	the systemd-logind linger directory with
+##	the correct context.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`systemd_create_logind_linger_dir',`
+	gen_require(`
+		type systemd_logind_var_lib_t;
+	')
+
+	init_var_lib_filetrans($1, systemd_logind_var_lib_t, dir, "linger")
+	allow $1 systemd_logind_var_lib_t:dir create;
+')
+
 ########################################
 ## <summary>
 ##	Allow the specified domain to start systemd
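Review bot: the interface allows only create on systemd_logind_var_lib_t:dir, which is exactly the denial quoted in the message, but comm="(d-logind)" is PID 1's forked child setting up the unit's directories before exec, and that code path also applies the configured mode and ownership to the directory it just made, so a setattr denial on the same type may surface as soon as create is permitted. Run it once in permissive mode with this rule in place and confirm no second AVC follows before treating the interface as complete; if one does, add `allow $1 systemd_logind_var_lib_t:dir setattr;` here rather than in init.te.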


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2022-09-03 19:54 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2022-09-03 19:54 UTC (permalink / raw
  To: gentoo-commits

commit:     d50193d70d6d2620c82c112a534d36a6ff06e6ea
Author:     Dave Sugar <dsugar100 <AT> gmail <DOT> com>
AuthorDate: Fri Aug 26 12:45:38 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Sep  3 19:07:50 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d50193d7

systemd: systemd-update-done fix startup issue

Seeing error:

Failed to initalize SELinux labeling handle: No such file or directory

but no denials.  With strace (and looking at source) found it is
opening /etc/selinux/config

openat(AT_FDCWD, "/etc/selinux/config", O_RDONLY|O_CLOEXEC) = 3

but that was dontaudited.

allow systemd_update_done_t file_type:filesystem getattr;
allow systemd_update_done_t selinux_config_t:dir { getattr open search };
dontaudit systemd_update_done_t selinux_config_t:dir { getattr open search };
dontaudit systemd_update_done_t selinux_config_t:file { getattr ioctl lock open read };

These changes fix the issue

Signed-off-by: Dave Sugar <dsugar100 <AT> gmail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/systemd.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 2dc8b901..1eb35aa4 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1752,6 +1752,7 @@ kernel_read_kernel_sysctls(systemd_update_done_t)
 
 selinux_use_status_page(systemd_update_done_t)
 
+seutil_read_config(systemd_update_done_t)
 seutil_read_file_contexts(systemd_update_done_t)
 
 systemd_log_parse_environment(systemd_update_done_t)
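Review bot: the four rules quoted in the message show that a dontaudit on selinux_config_t:file { getattr ioctl lock open read } for systemd_update_done_t still exists alongside the new seutil_read_config call; the allow takes precedence, so the dontaudit is now redundant and only serves to hide the next denial on that path. Drop the call that produces it in the same change. For anyone chasing a similar "error but no AVC" report, `semodule -DB` rebuilds the policy with all dontaudit rules disabled and would have exposed this denial directly instead of needing strace.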


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2022-09-03 20:04 Kenton Groombridge
  0 siblings, 0 replies; 705+ messages in thread
From: Kenton Groombridge @ 2022-09-03 20:04 UTC (permalink / raw
  To: gentoo-commits

commit:     6f537bac5606bd0ad279ab8016c2c8c51476956d
Author:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
AuthorDate: Mon May 30 22:51:28 2022 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Sat Sep  3 20:04:19 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6f537bac

iptables: add file context for /usr/libexec/nftables/nftables.sh

Bug: https://bugs.gentoo.org/840230
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/system/iptables.fc | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
index 6157f313..ab1300db 100644
--- a/policy/modules/system/iptables.fc
+++ b/policy/modules/system/iptables.fc
@@ -24,6 +24,8 @@
 /usr/bin/xtables-multi			--	gen_context(system_u:object_r:iptables_exec_t,s0)
 /usr/bin/xtables-nft-multi		--	gen_context(system_u:object_r:iptables_exec_t,s0)
 
+/usr/libexec/nftables/nftables\.sh	--	gen_context(system_u:object_r:iptables_exec_t,s0)
+
 /usr/lib/systemd/system/[^/]*arptables.* --	gen_context(system_u:object_r:iptables_unit_t,s0)
 /usr/lib/systemd/system/[^/]*ebtables.*	 --	gen_context(system_u:object_r:iptables_unit_t,s0)
 /usr/lib/systemd/system/[^/]*ip6tables.* --	gen_context(system_u:object_r:iptables_unit_t,s0)
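Review bot: labelling /usr/libexec/nftables/nftables.sh as iptables_exec_t means executing it transitions into iptables_t, and the script then has to run its shell interpreter inside that domain and exec nft from there; this .fc change does not touch iptables.te, so confirm iptables_t already has corecmd_exec_shell and can execute the nft binary, otherwise the script is denied on its first line. Since the bug report is Gentoo's and the path is that packaging's helper, consider an ifdef(`distro_gentoo') guard like the one used for /var/lib/nftables in this same file so the upstream context list stays free of distro-specific paths.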


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2022-09-03 20:04 Kenton Groombridge
  0 siblings, 0 replies; 705+ messages in thread
From: Kenton Groombridge @ 2022-09-03 20:04 UTC (permalink / raw
  To: gentoo-commits

commit:     981aa7aa147482d2f70458f0063476fa31869841
Author:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
AuthorDate: Sat Nov 13 17:41:37 2021 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Sat Sep  3 20:04:37 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=981aa7aa

miscfiles: add file context for /usr/share/ca-certificates

Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/system/miscfiles.fc | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/policy/modules/system/miscfiles.fc b/policy/modules/system/miscfiles.fc
index 87a0cae1..3fa37471 100644
--- a/policy/modules/system/miscfiles.fc
+++ b/policy/modules/system/miscfiles.fc
@@ -58,6 +58,9 @@ ifdef(`distro_redhat',`
 
 /usr/share/ssl/certs(/.*)?	gen_context(system_u:object_r:cert_t,s0)
 /usr/share/ssl/private(/.*)?	gen_context(system_u:object_r:cert_t,s0)
+ifdef(`distro_gentoo',`
+/usr/share/ca-certificates(/.*)?	gen_context(system_u:object_r:cert_t,s0)
+')
 
 /usr/X11R6/lib/X11/fonts(/.*)?	gen_context(system_u:object_r:fonts_t,s0)
 
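Review bot: the ifdef(`distro_gentoo') guard looks narrower than needed: /usr/share/ca-certificates is the source tree that Debian's ca-certificates package (which Gentoo's is derived from) feeds into update-ca-certificates to populate /etc/ssl/certs, so the cert_t label is wanted on any distribution shipping that package, not only Gentoo. Consider making the entry unconditional, and put a blank line before the ifdef block to match the spacing around the distro_redhat block earlier in the file.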


* [gentoo-commits] proj/hardened-refpolicy:concord-dev commit in: policy/modules/system/
@ 2022-10-12 13:34 Kenton Groombridge
  2022-09-03 20:04 ` [gentoo-commits] proj/hardened-refpolicy:master " Kenton Groombridge
  0 siblings, 1 reply; 705+ messages in thread
From: Kenton Groombridge @ 2022-10-12 13:34 UTC (permalink / raw
  To: gentoo-commits

commit:     d935f927cd34c1a91d3a8f3c9278baeeef852320
Author:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
AuthorDate: Wed Jan 27 01:02:21 2021 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Sat Sep  3 20:04:08 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d935f927

iptables: add file context for saved rules

Bug: https://bugs.gentoo.org/840230
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/system/init.fc     | 1 -
 policy/modules/system/iptables.fc | 5 +++++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
index fe661d5d..4a7c0e00 100644
--- a/policy/modules/system/init.fc
+++ b/policy/modules/system/init.fc
@@ -82,7 +82,6 @@ ifdef(`distro_debian',`
 
 ifdef(`distro_gentoo', `
 /var/lib/init\.d(/.*)?		gen_context(system_u:object_r:initrc_state_t,s0)
-/var/lib/ip6?tables(/.*)?	gen_context(system_u:object_r:initrc_tmp_t,s0)
 
 /run/openrc(/.*)?		gen_context(system_u:object_r:initrc_state_t,s0)
 /run/svscan\.pid	--	gen_context(system_u:object_r:initrc_runtime_t,s0)
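Review bot: dropping the initrc_tmp_t entry for /var/lib/ip6?tables changes the on-disk label for existing installs and nothing relabels for you: until `restorecon -R /var/lib/iptables /var/lib/ip6tables` is run, saved rule files keep initrc_tmp_t and rules written for iptables_conf_t do not apply to them. Mention the relabel step in the commit message or in the package's news entry so users upgrading the policy do not hit denials on their next `rc-service iptables save`.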

diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
index ba65e811..6157f313 100644
--- a/policy/modules/system/iptables.fc
+++ b/policy/modules/system/iptables.fc
@@ -45,3 +45,8 @@
 /usr/sbin/xtables-legacy-multi		--	gen_context(system_u:object_r:iptables_exec_t,s0)
 /usr/sbin/xtables-multi			--	gen_context(system_u:object_r:iptables_exec_t,s0)
 /usr/sbin/xtables-nft-multi		--	gen_context(system_u:object_r:iptables_exec_t,s0)
+
+ifdef(`distro_gentoo', `
+/var/lib/ip6?tables(/.*)?		gen_context(system_u:object_r:iptables_conf_t,s0)
+/var/lib/nftables(/.*)?			gen_context(system_u:object_r:iptables_conf_t,s0)
+')
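Review bot: with the saved rules now iptables_conf_t, iptables-save and iptables-restore run through the transition into iptables_t, but any `mkdir` or output redirection the OpenRC script itself performs happens in initrc_t, which could manage these paths while they were initrc_tmp_t. Check that initrc_t can still create the directory and file, or that iptables_t manages iptables_conf_t and gets a filetrans from var_lib_t for the "iptables", "ip6tables" and "nftables" names, otherwise saving rules is denied after the relabel.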


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2022-11-02 14:42 Kenton Groombridge
  0 siblings, 0 replies; 705+ messages in thread
From: Kenton Groombridge @ 2022-11-02 14:42 UTC (permalink / raw
  To: gentoo-commits

commit:     c307ecefdf832e0c77ea2ffce048b4818f7a09ec
Author:     Yi Zhao <yi.zhao <AT> windriver <DOT> com>
AuthorDate: Wed Jul  8 06:38:55 2020 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Wed Nov  2 14:06:49 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c307ecef

sysnetwork: allow systemd_networkd_t to read link file

Per https://systemd.network/systemd.network.html, we can create a
symlink pointing to /dev/null for a systemd network configuration file.
For example:
$ ls -l /etc/systemd/network/80-wired.network
lrwxrwxrwx. 1 root root 9 Mar  9  2022 /etc/systemd/network/80-wired.network -> /dev/null

Fixes:
avc:  denied  { read } for  pid=211 comm="systemd-network"
name="80-wired.network" dev="vda" ino=1477
scontext=system_u:system_r:systemd_networkd_t:s0-s15:c0.c1023
tcontext=system_u:object_r:net_conf_t:s0 tclass=lnk_file permissive=0

systemd-networkd[211]: Failed to load /etc/systemd/network/80-wired.network, ignoring: Permission denied

Signed-off-by: Yi Zhao <yi.zhao <AT> windriver.com>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/system/sysnetwork.if | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
index 2598c7adc..77c175970 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -349,6 +349,7 @@ interface(`sysnet_read_config',`
 	files_search_runtime($1)
 	allow $1 net_conf_t:dir list_dir_perms;
 	allow $1 net_conf_t:file read_file_perms;
+	allow $1 net_conf_t:lnk_file read_lnk_file_perms;
 
 	ifdef(`distro_debian',`
 		files_search_runtime($1)
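Review bot: `files_search_runtime($1)` now appears twice in sysnet_read_config, once at the top of the interface and again inside the ifdef(`distro_debian') block directly below the new line; the second call is redundant and can be dropped while you are here. The lnk_file rule itself is the right scope: reading a symlink only exposes its target path, and following it still needs the caller's own permissions on the target, so every existing caller of this interface gains nothing beyond seeing where the link points.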


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2022-11-02 14:42 Kenton Groombridge
  0 siblings, 0 replies; 705+ messages in thread
From: Kenton Groombridge @ 2022-11-02 14:42 UTC (permalink / raw
  To: gentoo-commits

commit:     c94eeb89027d18ddcb3891d4f81fd342da4b3a61
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Sat Sep 24 17:23:53 2022 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Wed Nov  2 14:07:07 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c94eeb89

xdg: add interface to dontaudit searching xdg data dirs

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/system/xdg.if | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/policy/modules/system/xdg.if b/policy/modules/system/xdg.if
index 6e1cd836c..62edcd84d 100644
--- a/policy/modules/system/xdg.if
+++ b/policy/modules/system/xdg.if
@@ -653,6 +653,25 @@ interface(`xdg_search_data_dirs',`
 	allow $1 xdg_data_t:dir search_dir_perms;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to search through the
+##	xdg data home directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`xdg_dontaudit_search_data_dirs',`
+	gen_require(`
+		type xdg_data_t;
+	')
+
+	dontaudit $1 xdg_data_t:dir search_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##	Watch the xdg data home directories


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2022-11-02 14:42 Kenton Groombridge
  0 siblings, 0 replies; 705+ messages in thread
From: Kenton Groombridge @ 2022-11-02 14:42 UTC (permalink / raw
  To: gentoo-commits

commit:     cec2de860f7eb541711fc5a6dc0adf873970068d
Author:     Dave Sugar <dsugar100 <AT> gmail <DOT> com>
AuthorDate: Sat Sep 17 02:28:33 2022 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Wed Nov  2 14:07:02 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=cec2de86

Seeing long delay during shutdown saying: 'A stop job is running for Restore /run/initramfs on shutdown'

These were the denials in audit.log related to this

node=localhost type=AVC msg=audit(1663379349.428:5081): avc:  denied  { write } for  pid=3594 comm="cpio" name="initramfs" dev="tmpfs" ino=18 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1663379349.428:5081): avc:  denied  { add_name } for  pid=3594 comm="cpio" name="bin" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1663379349.429:5083): avc:  denied  { create } for  pid=3594 comm="cpio" name="dev" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1663379349.429:5084): avc:  denied  { setattr } for  pid=3594 comm="cpio" name="dev" dev="tmpfs" ino=1356 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1663379349.430:5087): avc:  denied  { create } for  pid=3594 comm="cpio" name="systemd.conf" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1663379349.430:5087): avc:  denied  { write open } for pid=3594 comm="cpio" path="/run/initramfs/etc/conf.d/systemd.conf" dev="tmpfs" ino=1365 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1663379349.430:5088): avc:  denied  { setattr } for  pid=3594 comm="cpio" name="systemd.conf" dev="tmpfs" ino=1365 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1663379349.834:5119): avc:  denied  { read } for  pid=3594 comm="cpio" name="gr737d-8x16.psfu.gz" dev="tmpfs" ino=1632 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1663379349.834:5119): avc:  denied  { link } for  pid=3594 comm="cpio" name="gr737d-8x16.psfu.gz" dev="tmpfs" ino=1632 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1

Also seeing the following, but seems to function without related rules:

node=localhost type=AVC msg=audit(1663379349.428:5081): avc:  denied  { create } for  pid=3594 comm="cpio" name="bin" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=1
node=localhost type=AVC msg=audit(1663379349.428:5082): avc:  denied  { setattr } for  pid=3594 comm="cpio" name="bin" dev="tmpfs" ino=1355 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=lnk_file permissive=1
node=localhost type=AVC msg=audit(1663379349.429:5085): avc:  denied  { create } for  pid=3594 comm="cpio" name="console" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=chr_file permissive=1
node=localhost type=AVC msg=audit(1663379349.429:5086): avc:  denied  { setattr } for  pid=3594 comm="cpio" name="console" dev="tmpfs" ino=1357 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=chr_file permissive=1

Signed-off-by: Dave Sugar <dsugar100 <AT> gmail.com>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/system/init.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 0c4fb9dd1..249775e52 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1019,6 +1019,8 @@ ifdef(`distro_redhat',`
 
 	fs_read_tmpfs_symlinks(initrc_t)
 	fs_rw_tmpfs_chr_files(initrc_t)
+	fs_manage_tmpfs_dirs(initrc_t)
+	fs_manage_tmpfs_files(initrc_t)
 
 	storage_manage_fixed_disk(initrc_t)
 	storage_dev_filetrans_fixed_disk(initrc_t)
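Review bot: fs_manage_tmpfs_dirs and fs_manage_tmpfs_files give initrc_t create, write and delete over every tmpfs_t-labelled file and directory on the system, not just the /run/initramfs tree cpio is restoring, which is a wide grant for a domain that already runs most init scripts. The four denials listed as "seems to function without related rules" (lnk_file and chr_file create/setattr) are also left unaddressed, so the restored initramfs will still lack its symlinks and device nodes in enforcing mode. A narrower fix is a dedicated type for /run/initramfs with a filetrans from initrc_t; that also lets the lnk_file and chr_file rules be granted on that type alone instead of on tmpfs_t.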


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2022-11-02 14:42 Kenton Groombridge
  0 siblings, 0 replies; 705+ messages in thread
From: Kenton Groombridge @ 2022-11-02 14:42 UTC (permalink / raw
  To: gentoo-commits

commit:     e80a5063c43f7a98c80513cb2b9078fec7fd48ed
Author:     Yi Zhao <yi.zhao <AT> windriver <DOT> com>
AuthorDate: Thu Feb  4 07:10:15 2016 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Wed Nov  2 14:07:21 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e80a5063

logging: allow systemd-journal to manage syslogd_runtime_t sock_file

Fixes:
avc:  denied  { write } for  pid=165 comm="systemd-journal"
name="syslog" dev="tmpfs" ino=545 scontext=system_u:system_r:syslogd_t
tcontext=system_u:object_r:syslogd_runtime_t tclass=sock_file permissive=0

Signed-off-by: Yi Zhao <yi.zhao <AT> windriver.com>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/system/logging.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 0b05b4335..69b7aa41f 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -437,7 +437,7 @@ files_search_var_lib(syslogd_t)
 
 # manage runtime files
 allow syslogd_t syslogd_runtime_t:dir create_dir_perms;
-allow syslogd_t syslogd_runtime_t:sock_file { create setattr unlink };
+allow syslogd_t syslogd_runtime_t:sock_file manage_sock_file_perms;
 allow syslogd_t syslogd_runtime_t:file map;
 manage_files_pattern(syslogd_t, syslogd_runtime_t, syslogd_runtime_t)
 files_runtime_filetrans(syslogd_t, syslogd_runtime_t, file)
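Review bot: manage_sock_file_perms widens the old { create setattr unlink } to the full set including read, write, rename and link, while the AVC only needed write (journald connecting to the syslog socket). Using the permission-set macro matches refpolicy style, so this is fine as is; if you prefer to stay minimal, `{ create setattr unlink write }` covers the reported denial without granting rename and link on sockets under /run.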


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2022-11-02 14:42 Kenton Groombridge
  0 siblings, 0 replies; 705+ messages in thread
From: Kenton Groombridge @ 2022-11-02 14:42 UTC (permalink / raw
  To: gentoo-commits

commit:     30e5ae18635c5685eb4bd6e40bdb7c8616207a42
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Sat Sep 24 16:35:52 2022 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Wed Nov  2 14:07:16 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=30e5ae18

mount: allow mounting glusterfs volumes

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/system/mount.te | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index 615f165fa..8b02840f0 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -198,6 +198,13 @@ optional_policy(`
 	container_getattr_fs(mount_t)
 ')
 
+optional_policy(`
+	glusterfs_domtrans_daemon(mount_t)
+
+	# required for mount.glusterfs
+	corecmd_exec_shell(mount_t)
+')
+
 optional_policy(`
 	modutils_read_module_deps(mount_t)
 ')
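Review bot: corecmd_exec_shell(mount_t) lets mount_t run any shell_exec_t interpreter in its own domain, so from here on every shell script the mount domain can reach executes with mount_t's privileges, not only the mount.glusterfs helper the comment names. If mount.glusterfs carries an exec label from the glusterfs module (glusterfs_domtrans_daemon suggests one exists), a domtrans on the helper would keep the shell out of mount_t; if it does not, say in the comment that the helper is a shell script executed in place so the breadth of the rule is understood.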


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2022-12-13 20:55 Kenton Groombridge
  0 siblings, 0 replies; 705+ messages in thread
From: Kenton Groombridge @ 2022-12-13 20:55 UTC (permalink / raw
  To: gentoo-commits

commit:     cf829adf39247b5153927e02f14b7eecc090283b
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Sat Dec 10 21:24:25 2022 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Tue Dec 13 19:05:25 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=cf829adf

systemd: add policy for systemd-pcrphase

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/system/systemd.fc |  1 +
 policy/modules/system/systemd.te | 26 ++++++++++++++++++++++++++
 2 files changed, 27 insertions(+)

diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index 87c1e0b9c..f4b5fa049 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -38,6 +38,7 @@
 /usr/lib/systemd/systemd-modules-load	--	gen_context(system_u:object_r:systemd_modules_load_exec_t,s0)
 /usr/lib/systemd/systemd-networkd	--	gen_context(system_u:object_r:systemd_networkd_exec_t,s0)
 /usr/lib/systemd/systemd-network-generator	--	gen_context(system_u:object_r:systemd_networkd_exec_t,s0)
+/usr/lib/systemd/systemd-pcrphase		--	gen_context(system_u:object_r:systemd_pcrphase_exec_t,s0)
 /usr/lib/systemd/systemd-pstore		--	gen_context(system_u:object_r:systemd_pstore_exec_t,s0)
 /usr/lib/systemd/systemd-resolved	--	gen_context(system_u:object_r:systemd_resolved_exec_t,s0)
 /usr/lib/systemd/systemd-rfkill		--	gen_context(system_u:object_r:systemd_rfkill_exec_t,s0)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index d02407d53..b796b669e 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -219,6 +219,10 @@ files_runtime_file(systemd_nspawn_runtime_t)
 type systemd_nspawn_tmp_t;
 files_tmp_file(systemd_nspawn_tmp_t)
 
+type systemd_pcrphase_t;
+type systemd_pcrphase_exec_t;
+init_system_domain(systemd_pcrphase_t, systemd_pcrphase_exec_t)
+
 type systemd_pstore_t;
 type systemd_pstore_exec_t;
 init_system_domain(systemd_pstore_t, systemd_pstore_exec_t)
@@ -1387,6 +1391,28 @@ optional_policy(`
 	plymouthd_stream_connect(systemd_passwd_agent_t)
 ')
 
+#########################################
+#
+# systemd-pcrphase local policy
+#
+
+allow systemd_pcrphase_t self:capability dac_override;
+dontaudit systemd_pcrphase_t self:capability net_admin;
+
+dev_rw_tpm(systemd_pcrphase_t)
+dev_write_kmsg(systemd_pcrphase_t)
+
+fs_read_efivarfs_files(systemd_pcrphase_t)
+fs_getattr_cgroup(systemd_pcrphase_t)
+fs_search_cgroup_dirs(systemd_pcrphase_t)
+
+kernel_dontaudit_getattr_proc(systemd_pcrphase_t)
+kernel_read_kernel_sysctls(systemd_pcrphase_t)
+kernel_read_system_state(systemd_pcrphase_t)
+
+init_read_state(systemd_pcrphase_t)
+
+logging_send_syslog_msg(systemd_pcrphase_t)
 
 #########################################
 #
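Review bot: `allow systemd_pcrphase_t self:capability dac_override;` carries no comment saying which file needs it; refpolicy convention is to justify dac_override because it bypasses all DAC checks, and pcrphase runs as root to open the TPM resource manager device and efivarfs, both of which root can reach without it. Check whether the denial came from a probe that can be dontaudited like the net_admin one above it, and if it is genuinely required add a one-line comment naming the path. The rest reads right for a tool whose only job is to extend a PCR with the boot-phase string: dev_rw_tpm is the security-relevant grant, and nothing here lets the domain read the PCR measurement inputs of other phases.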


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2022-12-13 20:55 Kenton Groombridge
  0 siblings, 0 replies; 705+ messages in thread
From: Kenton Groombridge @ 2022-12-13 20:55 UTC (permalink / raw
  To: gentoo-commits

commit:     83951ea02202a7998db13df6e6418dd587092678
Author:     Corentin LABBE <clabbe.montjoie <AT> gmail <DOT> com>
AuthorDate: Thu Dec  1 06:30:48 2022 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Tue Dec 13 19:04:22 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=83951ea0

udev: permit to read hwdb

On Gentoo with OpenRC, udev is denied reading hwdb.
In the current policy, reading hwdb is only allowed for systems with systemd.

In fact it is a common action (independent of OpenRC/systemd), so the rules for reading it must be global.

Signed-off-by: Corentin LABBE <clabbe.montjoie <AT> gmail.com>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/system/udev.te | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 8f79de24d..56cfa2fb8 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -201,6 +201,9 @@ sysnet_signal_dhcpc(udev_t)
 sysnet_manage_config(udev_t)
 sysnet_etc_filetrans_config(udev_t)
 
+systemd_map_hwdb(udev_t)
+systemd_read_hwdb(udev_t)
+
 userdom_dontaudit_getattr_user_home_dirs(udev_t)
 userdom_dontaudit_search_user_home_content(udev_t)
 
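Review bot: after this move systemd_map_hwdb(udev_t) and systemd_read_hwdb(udev_t) sit outside both the ifdef(`init_systemd') block they came from and any optional_policy(`...') wrapper, so the udev module now hard-requires the systemd module's hwdb type at link time on every build, including OpenRC systems where that module may not be loaded. Either wrap the two calls in optional_policy(`...') or state in the commit message that the systemd module, which owns the hwdb type, is unconditionally built on the affected configurations.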
@@ -265,8 +268,6 @@ ifdef(`init_systemd',`
 	init_stream_connect(udev_t)
 	init_start_system(udev_t)
 
-	systemd_map_hwdb(udev_t)
-	systemd_read_hwdb(udev_t)
 	systemd_read_logind_sessions_files(udev_t)
 	systemd_read_logind_runtime_files(udev_t)
 	# udev searches for .link files and applies custom udev rules


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2022-12-13 20:55 Kenton Groombridge
  0 siblings, 0 replies; 705+ messages in thread
From: Kenton Groombridge @ 2022-12-13 20:55 UTC (permalink / raw
  To: gentoo-commits

commit:     5a9675744968affced75d510ec23e1410443a576
Author:     Corentin LABBE <clabbe.montjoie <AT> gmail <DOT> com>
AuthorDate: Wed Nov 30 08:27:56 2022 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Tue Dec 13 19:07:50 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5a967574

fstools: handle gentoo place for drivedb.h

On a gentoo-hardened+selinux system, I got a denial from fsadm_t reading var_t.
This is due to smartctl trying to read /var/db/smartmontools/drivedb.h

Signed-off-by: Corentin LABBE <clabbe.montjoie <AT> gmail.com>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/system/fstools.fc | 4 ++++
 policy/modules/system/fstools.te | 9 +++++++++
 2 files changed, 13 insertions(+)

diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
index 2f4d6cd88..ac67213ea 100644
--- a/policy/modules/system/fstools.fc
+++ b/policy/modules/system/fstools.fc
@@ -108,6 +108,10 @@
 /usr/sbin/zstreamdump		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/sbin/ztest			--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 
+ifdef(`distro_gentoo',`
+/var/db/smartmontools(/.*)?		gen_context(system_u:object_r:fsadm_db_t,s0)
+')
+
 /var/swap			--	gen_context(system_u:object_r:swapfile_t,s0)
 
 /var/log/fsck(/.*)?		gen_context(system_u:object_r:fsadm_log_t,s0)

diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index 75da8a0a0..11211b699 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -19,6 +19,11 @@ files_tmp_file(fsadm_tmp_t)
 type fsadm_run_t;
 files_runtime_file(fsadm_run_t)
 
+ifdef(`distro_gentoo',`
+type fsadm_db_t;
+files_type(fsadm_db_t)
+')
+
 type swapfile_t; # customizable
 files_type(swapfile_t)
 
@@ -55,6 +60,10 @@ allow fsadm_t fsadm_run_t:dir manage_dir_perms;
 allow fsadm_t fsadm_run_t:file manage_file_perms;
 files_runtime_filetrans(fsadm_t, fsadm_run_t, dir)
 
+ifdef(`distro_gentoo',`
+manage_files_pattern(fsadm_t, fsadm_db_t, fsadm_db_t)
+')
+
 # log files
 allow fsadm_t fsadm_log_t:dir setattr;
 manage_files_pattern(fsadm_t, fsadm_log_t, fsadm_log_t)
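Review bot: the reported denial was fsadm_t reading var_t, i.e. smartctl reading /var/db/smartmontools/drivedb.h, but the rule added is manage_files_pattern, which also grants create, write, rename and unlink on fsadm_db_t; smartctl only reads the file, and the script that rewrites it (update-smart-drivedb) does not run as fsadm_t unless it is labelled fsadm_exec_t, which this change does not do. read_files_pattern(fsadm_t, fsadm_db_t, fsadm_db_t) matches the need. Also check that fsadm_t can search /var/db itself (the var_t directory the denial names), since labelling the subdirectory grants nothing on its parent.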


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2022-12-13 20:55 Kenton Groombridge
  0 siblings, 0 replies; 705+ messages in thread
From: Kenton Groombridge @ 2022-12-13 20:55 UTC (permalink / raw
  To: gentoo-commits

commit:     a4e812d6676ac1ce42ab81f5fb86621575741650
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Wed Dec  7 15:30:09 2022 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Tue Dec 13 19:07:35 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a4e812d6

logging: allow domains sending syslog messages to connect to kernel unix stream sockets

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/system/logging.if | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 34da975bb..e50cdb59b 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -703,6 +703,7 @@ interface(`logging_send_syslog_msg',`
 		allow syslogd_t $1:process signull;
 
 		kernel_dgram_send($1)
+		kernel_stream_connect($1)
 	')
 
 ')
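Review bot: this line sits inside logging_send_syslog_msg, an interface called by nearly every daemon domain in the policy, so kernel_stream_connect($1) is now granted to all of them, and the commit message does not say which denial prompted it (which comm, which socket path owned by kernel_t); add the AVC to the message. The breadth matters because connectto on kernel_t unix_stream_sockets covers any stream socket created before the policy was loaded, not only the syslog endpoint; if the actual need is a socket created by PID 1 or early-boot journald, init_stream_connect is the narrower interface.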


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2022-12-13 20:55 Kenton Groombridge
  0 siblings, 0 replies; 705+ messages in thread
From: Kenton Groombridge @ 2022-12-13 20:55 UTC (permalink / raw
  To: gentoo-commits

commit:     539a006d1873378406f513df611ebc0069c04211
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Wed Dec  7 15:47:40 2022 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Tue Dec 13 19:07:40 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=539a006d

userdom: allow admin users to use tcpdiag netlink sockets

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/system/userdomain.if | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index f3308eca2..9348e4f25 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1355,6 +1355,7 @@ template(`userdom_admin_user_template',`
 	allow $1_t self:cap_userns sys_ptrace;
 	allow $1_t self:process { setexec setfscreate };
 	allow $1_t self:netlink_audit_socket nlmsg_readpriv;
+	allow $1_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
 	allow $1_t self:tun_socket create;
 	# Set password information for other users.
 	allow $1_t self:passwd { passwd chfn chsh };
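Review bot: the commit message should say which tool needs the tcpdiag socket (for instance `ss` from iproute2 queries socket state over sock_diag/tcpdiag netlink), since the one-line diff gives no rationale. `create_netlink_socket_perms` also includes write, which is what a diag request needs, so the permission set is appropriate for an admin user template; a brief note to that effect in the message would help.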


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2022-12-13 20:55 Kenton Groombridge
From: Kenton Groombridge @ 2022-12-13 20:55 UTC
  To: gentoo-commits

commit:     e66b9abefe4778d33a67e959095e26821da832ae
Author:     Chris PeBenito <chpebeni <AT> linux <DOT> microsoft <DOT> com>
AuthorDate: Tue Dec 13 15:06:06 2022 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Tue Dec 13 19:07:52 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e66b9abe

fstools: Move lines.

Signed-off-by: Chris PeBenito <chpebeni <AT> linux.microsoft.com>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/system/fstools.te | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index 11211b699..3d5525cc4 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -19,14 +19,14 @@ files_tmp_file(fsadm_tmp_t)
 type fsadm_run_t;
 files_runtime_file(fsadm_run_t)
 
-ifdef(`distro_gentoo',`
-type fsadm_db_t;
-files_type(fsadm_db_t)
-')
-
 type swapfile_t; # customizable
 files_type(swapfile_t)
 
+ifdef(`distro_gentoo',`
+	type fsadm_db_t;
+	files_type(fsadm_db_t)
+')
+
 ########################################
 #
 # local policy
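Review bot: the commit message "Move lines." does not state the intent; say that this is a no-op reorganisation that relocates the `distro_gentoo` type declaration after `swapfile_t` and indents its body to match the other `ifdef` blocks, so that a reader of the history knows no access changes.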
@@ -60,10 +60,6 @@ allow fsadm_t fsadm_run_t:dir manage_dir_perms;
 allow fsadm_t fsadm_run_t:file manage_file_perms;
 files_runtime_filetrans(fsadm_t, fsadm_run_t, dir)
 
-ifdef(`distro_gentoo',`
-manage_files_pattern(fsadm_t, fsadm_db_t, fsadm_db_t)
-')
-
 # log files
 allow fsadm_t fsadm_log_t:dir setattr;
 manage_files_pattern(fsadm_t, fsadm_log_t, fsadm_log_t)
@@ -178,6 +174,10 @@ ifdef(`distro_debian',`
 	term_dontaudit_use_unallocated_ttys(fsadm_t)
 ')
 
+ifdef(`distro_gentoo',`
+	manage_files_pattern(fsadm_t, fsadm_db_t, fsadm_db_t)
+')
+
 ifdef(`distro_redhat',`
 	optional_policy(`
 		unconfined_domain(fsadm_t)


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2023-02-13 15:35 Kenton Groombridge
From: Kenton Groombridge @ 2023-02-13 15:35 UTC
  To: gentoo-commits

commit:     80a409c0178ab54290d9ace5b6be2b4d384dd58f
Author:     Corentin LABBE <clabbe.montjoie <AT> gmail <DOT> com>
AuthorDate: Tue Dec 27 20:27:08 2022 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Mon Feb 13 15:19:29 2023 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=80a409c0

mount: dbus interface must be optional

On Gentoo, when emerging selinux-base-policy, the post-install step (loading the policy) fails due to a missing type.
This is due to mount.te using a dbus interface while the dbus module is not present.
Fix this by setting the dbus interface as optional.

Signed-off-by: Corentin LABBE <clabbe.montjoie <AT> gmail.com>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/system/mount.te | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index a90273bb6..22a47661a 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -148,8 +148,6 @@ selinux_getattr_fs(mount_t)
 
 userdom_use_all_users_fds(mount_t)
 
-dbus_dontaudit_write_system_bus_runtime_named_sockets(mount_t)
-
 ifdef(`distro_redhat',`
 	optional_policy(`
 		auth_read_pam_console_data(mount_t)
@@ -204,6 +202,10 @@ optional_policy(`
 	container_getattr_fs(mount_t)
 ')
 
+optional_policy(`
+	dbus_dontaudit_write_system_bus_runtime_named_sockets(mount_t)
+')
+
 optional_policy(`
 	glusterfs_domtrans_daemon(mount_t)
 
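Review bot: wrapping the single `dbus_dontaudit_write_system_bus_runtime_named_sockets(mount_t)` call in `optional_policy()` is the right fix for a missing dbus module, but check that no other unconditional `dbus_*` call remains in mount.te, since any one of them would reproduce the same undefined-type failure at load time. The new block keeps the alphabetical order between the container and glusterfs blocks, which is good.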


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2023-02-13 15:35 Kenton Groombridge
From: Kenton Groombridge @ 2023-02-13 15:35 UTC
  To: gentoo-commits

commit:     d9b58015e736c119e4338fffbcdac9a039ccfbc3
Author:     Chris PeBenito <chpebeni <AT> linux <DOT> microsoft <DOT> com>
AuthorDate: Tue Jan 17 13:36:58 2023 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Mon Feb 13 15:24:04 2023 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d9b58015

systemd: Tmpfilesd can correct seusers on files.

Signed-off-by: Chris PeBenito <chpebeni <AT> linux.microsoft.com>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/system/systemd.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 7cd50f1b0..93b72faf5 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1673,6 +1673,8 @@ dev_setattr_all_sysfs(systemd_tmpfiles_t)
 # /sys/module/kernel/parameters/crash_kexec_post_notifiers
 dev_write_sysfs(systemd_tmpfiles_t)
 
+domain_obj_id_change_exemption(systemd_tmpfiles_t)
+
 files_create_lock_dirs(systemd_tmpfiles_t)
 files_dontaudit_getattr_all_dirs(systemd_tmpfiles_t)
 files_manage_all_runtime_dirs(systemd_tmpfiles_t)
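Review bot: `domain_obj_id_change_exemption()` exempts systemd_tmpfiles_t from the constraint that stops a domain from changing the SELinux user of a file's context, which is a significant privilege for a domain that already manages most runtime directories; the commit message should cite the tmpfiles.d entry or constraint denial that requires it so the grant can be revisited.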


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2023-02-13 15:35 Kenton Groombridge
From: Kenton Groombridge @ 2023-02-13 15:35 UTC
  To: gentoo-commits

commit:     436c4b774fc27c4545a838cdacd84bc5d0dab824
Author:     Chris PeBenito <chpebeni <AT> linux <DOT> microsoft <DOT> com>
AuthorDate: Tue Feb  7 21:02:01 2023 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Mon Feb 13 15:24:08 2023 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=436c4b77

iscsi: Read initiatorname.iscsi.

This is normally created by iscsi-init.service.

Signed-off-by: Chris PeBenito <chpebeni <AT> linux.microsoft.com>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/system/iscsi.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/iscsi.te b/policy/modules/system/iscsi.te
index 171bfe85a..cf70f6d3f 100644
--- a/policy/modules/system/iscsi.te
+++ b/policy/modules/system/iscsi.te
@@ -90,6 +90,8 @@ dev_rw_userio_dev(iscsid_t)
 domain_use_interactive_fds(iscsid_t)
 domain_dontaudit_read_all_domains_state(iscsid_t)
 
+files_read_etc_runtime_files(iscsid_t)
+
 auth_use_nsswitch(iscsid_t)
 
 init_stream_connect_script(iscsid_t)


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2023-02-13 15:35 Kenton Groombridge
From: Kenton Groombridge @ 2023-02-13 15:35 UTC
  To: gentoo-commits

commit:     55eca939543fc86c71b3b4843b6f72249fc5774d
Author:     Corentin LABBE <clabbe.montjoie <AT> gmail <DOT> com>
AuthorDate: Wed Jan 25 20:33:13 2023 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Mon Feb 13 15:24:05 2023 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=55eca939

selinuxutil: permit run_init to read kernel sysctl

When restarting services with run_init, I got some AVCs due to run_init reading /proc/sys/kernel/cap_last_cap.

Signed-off-by: Corentin LABBE <clabbe.montjoie <AT> gmail.com>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/system/selinuxutil.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 5c7c1aec2..a3ff73778 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -452,6 +452,8 @@ init_spec_domtrans_script(run_init_t)
 # for utmp
 init_rw_utmp(run_init_t)
 
+kernel_read_kernel_sysctls(run_init_t)
+
 logging_send_syslog_msg(run_init_t)
 
 miscfiles_read_localization(run_init_t)
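Review bot: `kernel_read_kernel_sysctls(run_init_t)` grants read access to all of /proc/sys/kernel, which is broader than the single cap_last_cap entry cited in the commit message; that is acceptable for a privileged helper such as run_init_t, but the message should state that the wider grant is intentional rather than leave the reader to infer it.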


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2023-02-13 15:35 Kenton Groombridge
From: Kenton Groombridge @ 2023-02-13 15:35 UTC
  To: gentoo-commits

commit:     2804c33404d9a21cbe3fdcf1ed36df2ca76a5d09
Author:     George Zenner <zen <AT> pyl <DOT> onl>
AuthorDate: Fri Feb 10 21:45:09 2023 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Mon Feb 13 15:26:25 2023 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2804c334

Signed-off-by: George Zenner <zen <AT> pyl.onl>

	modified:   policy/modules/system/sysnetwork.if

Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/system/sysnetwork.if | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
index 5bf1a6f8c..99291eefe 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -83,6 +83,25 @@ interface(`sysnet_dontaudit_use_dhcpc_fds',`
 	dontaudit $1 dhcpc_t:fd use;
 ')
 
+########################################
+## <summary>
+##      Do not audit attempts to read/write to the
+##      dhcp unix datagram socket descriptors.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain to not audit.
+##      </summary>
+## </param>
+#
+interface(`sysnet_dontaudit_rw_dhcpc_unix_dgram_sockets',`
+        gen_require(`
+                type dhcpc_t;
+        ')
+
+        dontaudit $1 dhcpc_t:unix_dgram_socket { read write };
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to read/write to the
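Review bot: the new interface body and its XML summary are indented with spaces while the surrounding interfaces use tabs (compare `	dontaudit $1 dhcpc_t:fd use;` just above with `        dontaudit $1 dhcpc_t:unix_dgram_socket { read write };`); convert to tabs to match the file. The commit also has no subject line describing the change, only the `modified:` status residue between two Signed-off-by lines, so a one-line summary such as "sysnetwork: add dontaudit interface for dhcpc unix dgram sockets" should be added.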


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2023-02-13 15:35 Kenton Groombridge
From: Kenton Groombridge @ 2023-02-13 15:35 UTC
  To: gentoo-commits

commit:     78387476d3ba8639eaa402a26f9b84691db92def
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Mon Feb 13 14:38:00 2023 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Mon Feb 13 15:26:34 2023 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=78387476

sysnetwork: Rename sysnet_dontaudit_rw_dhcpc_unix_dgram_sockets()

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/system/sysnetwork.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
index 99291eefe..70e873fe6 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -94,7 +94,7 @@ interface(`sysnet_dontaudit_use_dhcpc_fds',`
 ##      </summary>
 ## </param>
 #
-interface(`sysnet_dontaudit_rw_dhcpc_unix_dgram_sockets',`
+interface(`sysnet_dontaudit_rw_dhcpc_dgram_sockets',`
         gen_require(`
                 type dhcpc_t;
         ')
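Review bot: renaming a public interface requires every caller to be updated in the same change; no caller of `sysnet_dontaudit_rw_dhcpc_unix_dgram_sockets` appears in this diff, so confirm that none exists yet (the interface was only added in the previous commit on this page), otherwise the build will fail on the undefined old name.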


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2023-02-13 15:35 Kenton Groombridge
From: Kenton Groombridge @ 2023-02-13 15:35 UTC
  To: gentoo-commits

commit:     42198559f84a00341c8526ae29820ccc585febe5
Author:     Chris PeBenito <chpebeni <AT> linux <DOT> microsoft <DOT> com>
AuthorDate: Tue Feb  7 21:02:23 2023 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Mon Feb 13 15:24:09 2023 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=42198559

lvm: Add fc entry for /etc/multipath/*

Signed-off-by: Chris PeBenito <chpebeni <AT> linux.microsoft.com>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/system/lvm.fc | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc
index 378970e5e..301f19f19 100644
--- a/policy/modules/system/lvm.fc
+++ b/policy/modules/system/lvm.fc
@@ -15,6 +15,8 @@
 /etc/lvmtab(/.*)?			gen_context(system_u:object_r:lvm_metadata_t,s0)
 /etc/lvmtab\.d(/.*)?			gen_context(system_u:object_r:lvm_metadata_t,s0)
 
+/etc/multipath(/.*)?                    gen_context(system_u:object_r:lvm_metadata_t,s0)
+
 #
 # /usr
 #
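Review bot: the new `/etc/multipath(/.*)?` entry is aligned with spaces while the adjacent `/etc/lvmtab` entries use tabs; use tabs for consistency. Labelling the multipath configuration as lvm_metadata_t also means every domain that can manage LVM metadata can rewrite multipath.conf, which is probably intended since multipathd is handled by the lvm module, but a short comment above the entry would make that choice explicit.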


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2023-03-31 23:07 Kenton Groombridge
From: Kenton Groombridge @ 2023-03-31 23:07 UTC
  To: gentoo-commits

commit:     79c09b22f530dd92c44143533fb87991a3417169
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Mon Mar  6 16:23:23 2023 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Fri Mar 31 17:11:32 2023 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=79c09b22

init: allow initrc_t to getcap

Many AVCs are observed on a systemd system and various services.

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/system/init.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index a2b0693b6..87d62741e 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -699,7 +699,7 @@ optional_policy(`
 # Init script local policy
 #
 
-allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
+allow initrc_t self:process { getcap getpgid setsched setpgid setrlimit getsched };
 allow initrc_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_rawio sys_chroot sys_ptrace sys_pacct sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap };
 allow initrc_t self:capability2 { wake_alarm block_suspend };
 dontaudit initrc_t self:capability sys_module; # sysctl is triggering this


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2023-03-31 23:07 Kenton Groombridge
From: Kenton Groombridge @ 2023-03-31 23:07 UTC
  To: gentoo-commits

commit:     b08912707a9b728f5c35760cf1b2464594cdaad1
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Mon Mar  6 15:25:29 2023 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Fri Mar 31 17:11:32 2023 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b0891270

init, systemd: allow init to create userdb runtime symlinks

At boot, systemd-init will create symlinks in /run/systemd/userdb. This
fixes these AVCs:

avc:  denied  { create } for  pid=1 comm="systemd" name="io.systemd.NameServiceSwitch" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=lnk_file permissive=0
avc:  denied  { create } for  pid=1 comm="systemd" name="io.systemd.DropIn" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=lnk_file permissive=0

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/system/init.te    |  1 +
 policy/modules/system/systemd.if | 18 ++++++++++++++++++
 2 files changed, 19 insertions(+)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 562b45c59..a2b0693b6 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -532,6 +532,7 @@ ifdef(`init_systemd',`
 	systemd_relabelto_tmpfiles_conf_files(init_t)
 	systemd_manage_userdb_runtime_sock_files(init_t)
 	systemd_manage_userdb_runtime_dirs(init_t)
+	systemd_manage_userdb_runtime_symlinks(init_t)
 	systemd_filetrans_userdb_runtime_dirs(init_t)
 	systemd_relabelto_journal_dirs(init_t)
 	systemd_relabelto_journal_files(init_t)

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 1dd302851..a903282f0 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -1402,6 +1402,24 @@ interface(`systemd_read_userdb_runtime_files', `
 	read_files_pattern($1, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t)
 ')
 
+########################################
+## <summary>
+##  Manage symbolic links under /run/systemd/userdb.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`systemd_manage_userdb_runtime_symlinks', `
+	gen_require(`
+		type systemd_userdbd_runtime_t;
+	')
+
+	manage_lnk_files_pattern($1, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t)
+')
+
 ########################################
 ## <summary>
 ##  Manage socket files under /run/systemd/userdb .


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2023-03-31 23:07 Kenton Groombridge
From: Kenton Groombridge @ 2023-03-31 23:07 UTC
  To: gentoo-commits

commit:     92c242f435b1a6b56517d754fd828da6021e44c1
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Mon Mar  6 15:13:06 2023 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Fri Mar 31 17:11:22 2023 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=92c242f4

init: make init_runtime_t usable for systemd units

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/system/init.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index cc01b844c..562b45c59 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -74,6 +74,7 @@ optional_policy(`
 type init_runtime_t alias init_var_run_t;
 files_runtime_file(init_runtime_t)
 init_mountpoint(init_runtime_t)
+init_unit_file(init_runtime_t)
 
 #
 # init_var_lib_t is the type for /var/lib/systemd.
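Review bot: `init_unit_file(init_runtime_t)` attaches the unit-file attribute to the type covering all of /run/systemd, so every interface that grants access to unit files now also covers every runtime object of that type, not only the unit files systemd writes there; the commit message should state which files under /run/systemd need to be treated as units and why a dedicated runtime unit type was not used instead.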


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2023-03-31 23:07 Kenton Groombridge
From: Kenton Groombridge @ 2023-03-31 23:07 UTC
  To: gentoo-commits

commit:     8fa021ce9d6739f69b2b35b1de05faacf38cab8e
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Mon Mar  6 16:22:38 2023 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Fri Mar 31 17:11:32 2023 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8fa021ce

systemd: allow systemd-userdbd to getcap

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/system/systemd.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index db594e615..778052cde 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1905,7 +1905,7 @@ seutil_libselinux_linked(systemd_user_session_type)
 #
 
 allow systemd_userdbd_t self:capability { dac_read_search sys_resource };
-allow systemd_userdbd_t self:process signal;
+allow systemd_userdbd_t self:process { getcap signal };
 allow systemd_userdbd_t self:unix_stream_socket create_stream_socket_perms;
 
 stream_connect_pattern(systemd_userdbd_t, systemd_homed_runtime_t, systemd_homed_runtime_t, systemd_homed_t)


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2023-03-31 23:07 Kenton Groombridge
From: Kenton Groombridge @ 2023-03-31 23:07 UTC
  To: gentoo-commits

commit:     f51734fce8fa91c19540d6da00ffd33fdb4a8327
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Mon Mar  6 15:40:53 2023 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Fri Mar 31 17:11:32 2023 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f51734fc

logging: allow systemd-journald to list cgroups

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/system/logging.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 69b7aa41f..aa436b639 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -548,6 +548,8 @@ ifdef(`init_systemd',`
 	domain_getattr_all_domains(syslogd_t)
 	domain_read_all_domains_state(syslogd_t)
 
+	fs_list_cgroup_dirs(syslogd_t)
+
 	init_create_runtime_dirs(syslogd_t)
 	init_daemon_runtime_file(syslogd_runtime_t, dir, "syslogd")
 	init_getattr(syslogd_t)


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2023-03-31 23:07 Kenton Groombridge
From: Kenton Groombridge @ 2023-03-31 23:07 UTC
  To: gentoo-commits

commit:     5979688e9262dcd53700afcc47f3a053d906ec3b
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Mon Mar  6 18:23:11 2023 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Fri Mar 31 17:11:32 2023 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5979688e

logging, systemd: allow relabelfrom,relabelto on systemd journal files by systemd-journald

journald's journal-offline will relabel log files. It should be noted
however that this happens even if the files already have the correct
label.

avc:  granted  { relabelfrom } for  pid=11440 comm="journal-offline" name=".#system <AT> 97c1c6b7d7ed4333b671d09d9deee851-00000000003d4f26-0005f63f0972fd4c.journalb23e70204ab1737e" dev="dm-0" ino=418415 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=0
avc:  granted  { relabelto } for  pid=11440 comm="journal-offline" name=".#system <AT> 97c1c6b7d7ed4333b671d09d9deee851-00000000003d4f26-0005f63f0972fd4c.journalb23e70204ab1737e" dev="dm-0" ino=418415 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=0

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/system/logging.te |  2 ++
 policy/modules/system/systemd.if | 18 ++++++++++++++++++
 2 files changed, 20 insertions(+)

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index aa436b639..227dc6776 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -566,6 +566,8 @@ ifdef(`init_systemd',`
 
 	systemd_manage_journal_files(syslogd_t)
 	systemd_watch_journal_dirs(syslogd_t)
+	systemd_relabelfrom_journal_files(syslogd_t)
+	systemd_relabelto_journal_files(syslogd_t)
 
 	udev_read_runtime_files(syslogd_t)
 
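Review bot: only `systemd_relabelfrom_journal_files()` is defined in this change (the systemd.if hunk adds a single interface, matching the 18-line diffstat), so `systemd_relabelto_journal_files(syslogd_t)` called here must already exist in systemd.if; confirm that it does, otherwise the module fails to build on an undefined interface. Since the commit message notes the relabel happens even when the label is already correct, the pair of grants is the minimal way to silence it without a dontaudit that would hide real relabels.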

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index a903282f0..77a59c662 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -1775,6 +1775,24 @@ interface(`systemd_watch_journal_dirs',`
 	allow $1 systemd_journal_t:dir watch;
 ')
 
+########################################
+## <summary>
+##	Relabel from systemd-journald file type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`systemd_relabelfrom_journal_files',`
+	gen_require(`
+		type systemd_journal_t;
+	')
+
+	allow $1 systemd_journal_t:file relabelfrom_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Relabel to systemd-journald directory type.


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2023-03-31 23:07 Kenton Groombridge
From: Kenton Groombridge @ 2023-03-31 23:07 UTC
  To: gentoo-commits

commit:     74e2d5f1c31152d2cacfed90feb309c6ff6b8e4a
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Tue Mar  7 00:46:45 2023 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Fri Mar 31 17:11:32 2023 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=74e2d5f1

init: allow systemd-init to set the attributes of unallocated terminals

type=AVC msg=audit(1678150061.367:292): avc:  denied  { setattr } for pid=1 comm="systemd" name="tty1" dev="devtmpfs" ino=18 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file permissive=0

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/system/init.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index fca349587..936b212eb 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -542,6 +542,7 @@ ifdef(`init_systemd',`
 	term_create_devpts_dirs(init_t)
 	term_create_ptmx(init_t)
 	term_create_controlling_term(init_t)
+	term_setattr_unallocated_ttys(init_t)
 	term_watch_unallocated_ttys(init_t)
 	term_watch_reads_unallocated_ttys(init_t)
 


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2023-03-31 23:07 Kenton Groombridge
From: Kenton Groombridge @ 2023-03-31 23:07 UTC
  To: gentoo-commits

commit:     e2edd05e623a39191528f2f4eb8c254e6a2e360f
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Tue Mar  7 01:04:08 2023 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Fri Mar 31 17:11:32 2023 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e2edd05e

systemd: allow systemd-resolved to bind to UDP port 5353

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/system/systemd.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index b6d597c71..bb62c67fc 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1518,6 +1518,7 @@ corenet_tcp_bind_llmnr_port(systemd_resolved_t)
 corenet_udp_bind_generic_node(systemd_resolved_t)
 corenet_udp_bind_dns_port(systemd_resolved_t)
 corenet_udp_bind_llmnr_port(systemd_resolved_t)
+corenet_udp_bind_howl_port(systemd_resolved_t)
 
 selinux_use_status_page(systemd_resolved_t)
 
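Review bot: the commit message refers to UDP port 5353 while the interface is named `corenet_udp_bind_howl_port`; a comment above the added line noting that howl_port is refpolicy's name for the mDNS port 5353 that systemd-resolved binds for multicast DNS would spare the next reader a lookup in corenetwork.te.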


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2023-03-31 23:07 Kenton Groombridge
From: Kenton Groombridge @ 2023-03-31 23:07 UTC
  To: gentoo-commits

commit:     8cdb1e582a7c164d6a0f6b39aa3f819eb8d5fc1b
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Mon Mar  6 23:20:57 2023 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Fri Mar 31 17:11:32 2023 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8cdb1e58

systemd: add rules for systemd-zram-generator

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/system/systemd.te | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 59a3fcfc5..030dcbd67 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -481,8 +481,8 @@ seutil_search_default_contexts(systemd_coredump_t)
 #
 
 allow systemd_generator_t self:fifo_file rw_fifo_file_perms;
-allow systemd_generator_t self:capability { dac_override sys_admin };
-allow systemd_generator_t self:process { getsched setfscreate signal };
+allow systemd_generator_t self:capability { dac_override sys_admin sys_resource };
+allow systemd_generator_t self:process { getcap getsched setfscreate signal };
 
 corecmd_exec_shell(systemd_generator_t)
 corecmd_exec_bin(systemd_generator_t)
@@ -491,6 +491,8 @@ dev_read_sysfs(systemd_generator_t)
 dev_write_kmsg(systemd_generator_t)
 dev_write_sysfs_dirs(systemd_generator_t)
 dev_read_urand(systemd_generator_t)
+dev_create_sysfs_files(systemd_generator_t)
+dev_write_sysfs(systemd_generator_t)
 
 files_read_etc_files(systemd_generator_t)
 files_read_etc_runtime_files(systemd_generator_t)
@@ -526,7 +528,8 @@ kernel_dontaudit_getattr_proc(systemd_generator_t)
 # Where an unlabeled mountpoint is encounted:
 kernel_dontaudit_search_unlabeled(systemd_generator_t)
 
-storage_raw_read_fixed_disk(systemd_generator_t)
+# write for systemd-zram-generator
+storage_raw_rw_fixed_disk(systemd_generator_t)
 storage_raw_read_removable_device(systemd_generator_t)
 
 # needed to resolve hostnames for NFS mounts
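Review bot: `storage_raw_rw_fixed_disk(systemd_generator_t)` gives raw write access to fixed disks to every generator that runs in systemd_generator_t, not only systemd-zram-generator, and the sys_resource capability and sysfs write access added in the earlier hunks widen the shared domain in the same way; since all generators share one domain, either note in the commit message that this trade-off is accepted or consider a dedicated domain for the zram generator so the raw-disk write does not extend to the others.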


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2023-03-31 23:07 Kenton Groombridge
From: Kenton Groombridge @ 2023-03-31 23:07 UTC
  To: gentoo-commits

commit:     0d6f57a780a16b50c470ddab492a3e75fc4446e0
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Mon Mar  6 15:33:07 2023 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Fri Mar 31 17:11:32 2023 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0d6f57a7

raid: allow mdadm to create generic links in /dev/md

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/system/raid.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/raid.te b/policy/modules/system/raid.te
index bd0c4bb85..e10e31850 100644
--- a/policy/modules/system/raid.te
+++ b/policy/modules/system/raid.te
@@ -54,6 +54,8 @@ dev_rw_sysfs(mdadm_t)
 dev_dontaudit_getattr_all_blk_files(mdadm_t)
 dev_dontaudit_getattr_all_chr_files(mdadm_t)
 dev_read_realtime_clock(mdadm_t)
+# create links in /dev/md
+dev_create_generic_symlinks(mdadm_t)
 
 domain_use_interactive_fds(mdadm_t)
 
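Review bot: the comment `# create links in /dev/md` is narrower than what dev_create_generic_symlinks(mdadm_t) grants, which is creation of generically labelled device symlinks anywhere under the device directory; if the links really are only under /dev/md, say so in the comment and check whether a named file transition or a dedicated type would scope the permission more tightly.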


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2023-03-31 23:07 Kenton Groombridge
From: Kenton Groombridge @ 2023-03-31 23:07 UTC
  To: gentoo-commits

commit:     b4cec33d59df11ea1f88917140d254b3e32a4feb
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Tue Mar  7 00:12:16 2023 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Fri Mar 31 17:11:32 2023 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b4cec33d

fstools: allow fsadm to read utab

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/system/fstools.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index 079aacad3..0e3a98967 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -164,7 +164,7 @@ logging_send_syslog_msg(fsadm_t)
 miscfiles_read_localization(fsadm_t)
 
 # for /run/mount/utab
-mount_getattr_runtime_files(fsadm_t)
+mount_read_runtime_files(fsadm_t)
 
 seutil_read_config(fsadm_t)
 
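Review bot: mount_read_runtime_files widens getattr to read on all mount runtime files, not just /run/mount/utab named in the comment; the commit message carries no AVC, so a one-line note of what fsadm reads from utab would make the grant easier to justify when the rules are next audited.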


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2023-03-31 23:07 Kenton Groombridge
From: Kenton Groombridge @ 2023-03-31 23:07 UTC
  To: gentoo-commits

commit:     34127751552f504b35300a30876eda61b0f38733
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Tue Mar  7 00:15:24 2023 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Fri Mar 31 17:11:32 2023 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=34127751

init: allow initrc_t to create netlink_kobject_uevent_sockets

Needed by rdma-rdd, which is automatically started by udev when an RDMA
device with a node description is present.

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/system/init.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 936b212eb..999721551 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -705,6 +705,7 @@ allow initrc_t self:process { getcap getpgid setsched setpgid setrlimit getsched
 allow initrc_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_rawio sys_chroot sys_ptrace sys_pacct sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap };
 allow initrc_t self:capability2 { wake_alarm block_suspend };
 dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
+allow initrc_t self:netlink_kobject_uevent_socket create_socket_perms; # needed by rdma-ndd
 allow initrc_t self:passwd rootok;
 allow initrc_t self:key manage_key_perms;
 
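Review bot: the inline comment says `# needed by rdma-ndd` while the commit message says rdma-rdd; make the two agree. Beyond that, granting initrc_t create_socket_perms on netlink_kobject_uevent_socket extends uevent-socket creation to every service still running in the generic initrc_t domain; a dedicated domain for the RDMA daemon would confine this to the one process that needs it.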


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2023-03-31 23:07 Kenton Groombridge
From: Kenton Groombridge @ 2023-03-31 23:07 UTC
  To: gentoo-commits

commit:     cf0d634a0c0ea69374f2cf0c13bd08a5567e36f6
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Mon Mar  6 15:28:22 2023 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Fri Mar 31 17:11:32 2023 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=cf0d634a

raid: allow mdadm to read udev runtime files

This fixes this AVC:

avc:  denied  { getattr } for  pid=2238 comm="mdadm" path="/run/udev" dev="tmpfs" ino=52 scontext=system_u:system_r:mdadm_t:s0 tcontext=system_u:object_r:udev_runtime_t:s0 tclass=dir permissive=0

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/system/raid.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/raid.te b/policy/modules/system/raid.te
index 5d44696cf..bd0c4bb85 100644
--- a/policy/modules/system/raid.te
+++ b/policy/modules/system/raid.te
@@ -85,6 +85,8 @@ logging_send_syslog_msg(mdadm_t)
 
 miscfiles_read_localization(mdadm_t)
 
+udev_read_runtime_files(mdadm_t)
+
 userdom_use_user_terminals(mdadm_t)
 userdom_dontaudit_use_unpriv_user_fds(mdadm_t)
 userdom_dontaudit_search_user_home_content(mdadm_t)
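Review bot: the AVC quoted in the message is a single getattr on the /run/udev directory, but udev_read_runtime_files(mdadm_t) grants reading every udev runtime file; if mdadm only stats the directory, a search-only interface would match the denial, and if it actually reads the udev database entries, add a comment saying so next to the call.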


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2023-03-31 23:07 Kenton Groombridge
From: Kenton Groombridge @ 2023-03-31 23:07 UTC
  To: gentoo-commits

commit:     c57e41297654848b0226c69a4dce44d992e91d04
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Tue Mar  7 00:17:03 2023 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Fri Mar 31 17:11:32 2023 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c57e4129

systemd: allow systemd-pcrphase to read generic certs

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/system/systemd.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 030dcbd67..b6d597c71 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1436,6 +1436,8 @@ init_read_state(systemd_pcrphase_t)
 
 logging_send_syslog_msg(systemd_pcrphase_t)
 
+miscfiles_read_generic_certs(systemd_pcrphase_t)
+
 #########################################
 #
 # systemd-pstore local policy
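Review bot: miscfiles_read_generic_certs(systemd_pcrphase_t) is added without a comment or AVC explaining why systemd-pcrphase reads the system certificate store; the neighbouring commits record the triggering denial in the message, so do the same here (or add a one-line comment) to keep the grant auditable.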


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2023-03-31 23:07 Kenton Groombridge
From: Kenton Groombridge @ 2023-03-31 23:07 UTC
  To: gentoo-commits

commit:     53ba841c22c8b23bacc7fe0f2116c123943d10f3
Author:     Yi Zhao <yi.zhao <AT> windriver <DOT> com>
AuthorDate: Wed Mar 15 02:57:55 2023 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Fri Mar 31 17:11:32 2023 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=53ba841c

systemd: allow systemd-resolved to search directories on tmpfs and ramfs

Fixes:
avc:  denied  { search } for  pid=233 comm="systemd-resolve" name="/"
dev="tmpfs" ino=1 scontext=system_u:system_r:systemd_resolved_t
tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=1

avc:  denied  { search } for  pid=233 comm="systemd-resolve" name="/"
dev="ramfs" ino=813 scontext=system_u:system_r:systemd_resolved_t
tcontext=system_u:object_r:ramfs_t tclass=dir permissive=1

Signed-off-by: Yi Zhao <yi.zhao <AT> windriver.com>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/system/systemd.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index bb62c67fc..da64b11b3 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1530,6 +1530,8 @@ files_list_runtime(systemd_resolved_t)
 
 fs_getattr_all_fs(systemd_resolved_t)
 fs_search_cgroup_dirs(systemd_resolved_t)
+fs_search_tmpfs(systemd_resolved_t)
+fs_search_ramfs(systemd_resolved_t)
 
 init_dgram_send(systemd_resolved_t)
 


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2023-10-06 16:44 Kenton Groombridge
From: Kenton Groombridge @ 2023-10-06 16:44 UTC
  To: gentoo-commits

commit:     fde90b82b10e32324d96deca43928f448d8dd932
Author:     Yi Zhao <yi.zhao <AT> windriver <DOT> com>
AuthorDate: Thu Sep 21 03:31:31 2023 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Fri Oct  6 15:27:06 2023 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=fde90b82

systemd: allow systemd-networkd to create file in /run/systemd directory

systemd-networkd creates files in the /run/systemd directory, which should be
labeled appropriately.

Fixes:
avc:  denied  { create } for  pid=136 comm="systemd-network"
name=".#networkd2c6a2ac2dbf34a8"
scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:init_runtime_t tclass=file permissive=1

avc:  denied  { write } for  pid=136 comm="systemd-network"
path="/run/systemd/.#networkd2c6a2ac2dbf34a8" dev="tmpfs" ino=81
scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:init_runtime_t tclass=file permissive=1

avc:  denied  { setattr } for  pid=136 comm="systemd-network"
name=".#networkd2c6a2ac2dbf34a8" dev="tmpfs" ino=81
scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:init_runtime_t tclass=file permissive=1

avc:  denied  { rename } for  pid=136 comm="systemd-network"
name=".#networkd2c6a2ac2dbf34a8" dev="tmpfs" ino=81
scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:init_runtime_t tclass=file permissive=1

Signed-off-by: Yi Zhao <yi.zhao <AT> windriver.com>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/system/systemd.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index f74ab30b4..b60d5729d 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1168,7 +1168,7 @@ auth_use_nsswitch(systemd_networkd_t)
 init_dgram_send(systemd_networkd_t)
 init_read_state(systemd_networkd_t)
 init_read_runtime_files(systemd_networkd_t)
-init_runtime_filetrans(systemd_networkd_t, systemd_networkd_runtime_t, dir)
+init_runtime_filetrans(systemd_networkd_t, systemd_networkd_runtime_t, { dir file })
 
 logging_send_syslog_msg(systemd_networkd_t)
 
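Review bot: with the object class widened to { dir file }, every file systemd_networkd_t creates directly in init_runtime_t directories gets systemd_networkd_runtime_t, which is what the temp-file-then-rename pattern in the AVCs needs (the .#networkd... name is random, so a named transition is not an option); confirm the domain also holds manage permissions on systemd_networkd_runtime_t files, since the setattr and rename denials in the message are against the file class and are not addressed by the transition alone.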


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2023-10-06 16:44 Kenton Groombridge
From: Kenton Groombridge @ 2023-10-06 16:44 UTC
  To: gentoo-commits

commit:     8f51e189a7c8f8680f84fc11841257c19ab9fa51
Author:     Russell Coker <russell <AT> coker <DOT> com <DOT> au>
AuthorDate: Wed Sep 27 13:20:52 2023 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Fri Oct  6 15:30:52 2023 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8f51e189

small systemd patches (#708)

* Some small systemd patches

Signed-off-by: Russell Coker <russell <AT> coker.com.au>

* Fixed error where systemd.if had a reference to user_devpts_t

Signed-off-by: Russell Coker <russell <AT> coker.com.au>

* removed the init_var_run_t:service stuff as there are already interfaces and a type for it

Signed-off-by: Russell Coker <russell <AT> coker.com.au>

* corecmd_shell_entry_type doesn't seem to be needed

Signed-off-by: Russell Coker <russell <AT> coker.com.au>

---------

Signed-off-by: Russell Coker <russell <AT> coker.com.au>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/system/locallogin.te |  3 ++-
 policy/modules/system/systemd.if    | 12 +++++++-----
 2 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
index f40f15c1c..4dc9981bc 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -131,7 +131,8 @@ auth_domtrans_pam_console(local_login_t)
 auth_read_pam_motd_dynamic(local_login_t)
 auth_read_shadow_history(local_login_t)
 
-init_dontaudit_use_fds(local_login_t)
+# if local_login_t can not inherit fd from init it takes ages to login
+init_use_fds(local_login_t)
 
 miscfiles_read_localization(local_login_t)
 
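Review bot: the dontaudit rule becomes an allow on the strength of the comment `# if local_login_t can not inherit fd from init it takes ages to login`, which records a symptom rather than the cause; state which descriptor is being inherited (and write `cannot`) so a later reviewer can judge whether the leaked fd should instead be closed on the init side rather than permitted here.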

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 77a59c662..64455eed5 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -19,11 +19,6 @@
 ##	The user domain for the role.
 ##	</summary>
 ## </param>
-## <param name="pty_type">
-##	<summary>
-##	The type for the user pty
-##	</summary>
-## </param>
 #
 template(`systemd_role_template',`
 	gen_require(`
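Review bot: the pty_type parameter documentation is removed, but the hunk does not show the template body changing; make sure the remaining doc block matches the positional parameters the template actually uses ($1 and $3 appear in the body) and update any caller of systemd_role_template that still passes the pty type, otherwise the documentation and the call sites diverge.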
@@ -34,6 +29,7 @@ template(`systemd_role_template',`
 		type systemd_user_runtime_t, systemd_user_runtime_notify_t;
 		type systemd_user_unit_t;
 		type systemd_user_runtime_unit_t, systemd_user_transient_unit_t;
+		type systemd_machined_t;
 	')
 
 	#################################
@@ -153,6 +149,12 @@ template(`systemd_role_template',`
 	allow $3 systemd_user_runtime_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
 	allow $3 systemd_user_runtime_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
 
+	# for "machinectl shell"
+	allow $1_systemd_t systemd_machined_t:fd use;
+	allow $3 systemd_machined_t:fd use;
+	allow $3 systemd_machined_t:dbus send_msg;
+	allow systemd_machined_t $3:dbus send_msg;
+
 	allow $3 systemd_user_runtime_notify_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
 
 	allow $3 systemd_user_unit_t:service { reload start status stop };

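Review bot: the new block for "machinectl shell" writes raw allow rules against systemd_machined_t (fd use, and dbus send_msg in both directions) inside a template; refpolicy convention is to wrap access to another module's types in interfaces so the type stays encapsulated, so define or reuse interfaces for machined fd inheritance and dbus chat and call those with $1_systemd_t and $3 instead of the raw rules.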

* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2023-10-06 16:44 Kenton Groombridge
From: Kenton Groombridge @ 2023-10-06 16:44 UTC
  To: gentoo-commits

commit:     634b4ae6e433169248722aa27c12b75c302ddac6
Author:     Dave Sugar <dsugar100 <AT> gmail <DOT> com>
AuthorDate: Thu Sep 14 19:44:07 2023 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Fri Oct  6 15:30:52 2023 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=634b4ae6

separate domain for journalctl during init

During system boot, when systemd-journal-catalog-update.service is
started, it fails because initrc_t doesn't have access to write
systemd_journal_t files/dirs.  This change is to run journalctl in a
different domain during system startup (systemd_journal_init_t) to allow
the access necessary to run.

 × systemd-journal-catalog-update.service - Rebuild Journal Catalog
         Loaded: loaded (/usr/lib/systemd/system/systemd-journal-catalog-update.service; static)
         Active: failed (Result: exit-code) since Wed 2023-09-13 12:51:28 GMT; 10min ago
           Docs: man:systemd-journald.service(8)
                 man:journald.conf(5)
        Process: 1626 ExecStart=journalctl --update-catalog (code=exited, status=1/FAILURE)
       Main PID: 1626 (code=exited, status=1/FAILURE)
            CPU: 102ms

    Sep 13 12:51:28 localhost systemd[1]: Starting Rebuild Journal Catalog...
    Sep 13 12:51:28 localhost journalctl[1626]: Failed to open database for writing: /var/lib/systemd/catalog/database: Permission denied
    Sep 13 12:51:28 localhost journalctl[1626]: Failed to write /var/lib/systemd/catalog/database: Permission denied
    Sep 13 12:51:28 localhost journalctl[1626]: Failed to list catalog: Permission denied
    Sep 13 12:51:28 localhost systemd[1]: systemd-journal-catalog-update.service: Main process exited, code=exited, status=1/FAILURE
    Sep 13 12:51:28 localhost systemd[1]: systemd-journal-catalog-update.service: Failed with result 'exit-code'.
    Sep 13 12:51:28 localhost systemd[1]: Failed to start Rebuild Journal Catalog.

    node=localhost type=AVC msg=audit(1692308998.328:136): avc:  denied  { write } for  pid=1631 comm="journalctl" name="catalog" dev="dm-10" ino=131106 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir permissive=1
    node=localhost type=AVC msg=audit(1692308998.328:136): avc:  denied  { add_name } for  pid=1631 comm="journalctl" name=".#database6ZdcMU" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir permissive=1
    node=localhost type=AVC msg=audit(1692308998.328:136): avc:  denied  { create } for  pid=1631 comm="journalctl" name=".#database6ZdcMU" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1
    node=localhost type=AVC msg=audit(1692308998.328:136): avc:  denied  { write } for  pid=1631 comm="journalctl" path="/var/lib/systemd/catalog/.#database6ZdcMU" dev="dm-10" ino=131204 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1
    node=localhost type=AVC msg=audit(1692308998.330:137): avc:  denied  { setattr } for  pid=1631 comm="journalctl" name=".#database6ZdcMU" dev="dm-10" ino=131204 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1
    node=localhost type=AVC msg=audit(1692308998.330:138): avc:  denied  { remove_name } for pid=1631 comm="journalctl" name=".#database6ZdcMU" dev="dm-10" ino=131204 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir permissive=1
    node=localhost type=AVC msg=audit(1692308998.330:138): avc:  denied  { rename } for  pid=1631 comm="journalctl" name=".#database6ZdcMU" dev="dm-10" ino=131204 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1
    node=localhost type=AVC msg=audit(1692308998.330:138): avc:  denied  { unlink } for  pid=1631 comm="journalctl" name="database" dev="dm-10" ino=131133 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar100 <AT> gmail.com>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/system/logging.if | 19 +++++++++++++++++++
 policy/modules/system/systemd.fc |  1 +
 policy/modules/system/systemd.te | 35 ++++++++++++++++++++++++++++++++++-
 3 files changed, 54 insertions(+), 1 deletion(-)

diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 681385d50..763926dac 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -845,6 +845,25 @@ interface(`logging_watch_runtime_dirs',`
 	allow $1 syslogd_runtime_t:dir watch;
 ')
 
+########################################
+## <summary>
+##	Connect syslog varlink socket files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`logging_stream_connect_journald_varlink',`
+	gen_require(`
+		type syslogd_runtime_t, syslogd_t;
+	')
+
+	init_search_run($1)
+	stream_connect_pattern($1, syslogd_runtime_t, syslogd_runtime_t, syslogd_t)
+')
+
 ########################################
 ## <summary>
 ##	Delete the syslog socket files
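Review bot: the new interface is named logging_stream_connect_journald_varlink but its summary says "Connect syslog varlink socket files", and it calls init_search_run($1) where the rest of the tree on this page uses init_search_runtime (see the systemd_hw_t rules); align the name with the summary, use the current interface name rather than the older alias, and add a comment on why init runtime search is needed for this connect.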

diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index 5b3eb7c84..ac64a5d5c 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -3,6 +3,7 @@
 /etc/systemd/dont-synthesize-nobody	--	gen_context(system_u:object_r:systemd_conf_t,s0)
 /etc/udev/hwdb\.bin			--	gen_context(system_u:object_r:systemd_hwdb_t,s0)
 
+/usr/bin/journalctl				--	gen_context(system_u:object_r:systemd_journalctl_exec_t,s0)
 /usr/bin/systemd-analyze		--	gen_context(system_u:object_r:systemd_analyze_exec_t,s0)
 /usr/bin/systemd-cgtop			--	gen_context(system_u:object_r:systemd_cgtop_exec_t,s0)
 /usr/bin/systemd-coredump		--	gen_context(system_u:object_r:systemd_coredump_exec_t,s0)
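Review bot: labelling /usr/bin/journalctl as systemd_journalctl_exec_t changes the binary for every caller, not only systemd-journal-catalog-update.service: domains that previously executed it under its generic /usr/bin label now need execute permission on the new type (and a transition or exec-no-trans rule), otherwise interactive journalctl use from admin and user domains breaks; check that those rules exist before relabelling.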

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index b60d5729d..4f1c4c856 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -150,9 +150,12 @@ type systemd_hwdb_t;
 files_type(systemd_hwdb_t)
 
 type systemd_journal_t;
-files_type(systemd_journal_t)
 logging_log_file(systemd_journal_t)
 
+type systemd_journal_init_t;
+type systemd_journalctl_exec_t;
+init_system_domain(systemd_journal_init_t, systemd_journalctl_exec_t)
+
 type systemd_locale_t;
 type systemd_locale_exec_t;
 init_system_domain(systemd_locale_t, systemd_locale_exec_t)
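Review bot: the type pair is systemd_journal_init_t / systemd_journalctl_exec_t, so the domain name does not share a stem with its executable type; pick one (systemd_journalctl_t would follow the convention of the surrounding declarations) so the relationship is obvious. Dropping files_type(systemd_journal_t) is fine, since logging_log_file already declares it a file type.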
@@ -771,6 +774,36 @@ init_search_runtime(systemd_hw_t)
 seutil_read_config(systemd_hw_t)
 seutil_read_file_contexts(systemd_hw_t)
 
+#######################################
+#
+# journald local policy
+#
+# During system boot, the service systemd-journal-catalog-update.service
+# runs journalctl with the switch --update-catalog which needs manage
+# permissions for systemd_journal_t files.  Transitioning from initrc_t
+# into systemd_journal_init_t for this operation limits write access
+# to sysemd_journal_t files to only the systemd_journal_init_t domain.
+#
+
+dontaudit systemd_journal_init_t self:capability net_admin;
+
+manage_files_pattern(systemd_journal_init_t, systemd_journal_t, systemd_journal_t)
+
+fs_getattr_cgroup(systemd_journal_init_t)
+fs_search_cgroup_dirs(systemd_journal_init_t)
+
+kernel_getattr_proc(systemd_journal_init_t)
+kernel_read_kernel_sysctls(systemd_journal_init_t)
+kernel_read_system_state(systemd_journal_init_t)
+
+init_read_state(systemd_journal_init_t)
+init_search_var_lib_dirs(systemd_journal_init_t)
+
+logging_send_syslog_msg(systemd_journal_init_t)
+logging_stream_connect_journald_varlink(systemd_journal_init_t)
+
+miscfiles_read_localization(systemd_journal_init_t)
+
 #######################################
 #
 # locale local policy
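Review bot: the section header `# journald local policy` describes a journalctl domain, and the comment misspells `sysemd_journal_t`; the claim that the change limits write access to systemd_journal_t files to only systemd_journal_init_t also overstates the effect, because journald itself must still write the journal files. The `dontaudit systemd_journal_init_t self:capability net_admin;` line carries no comment on what triggers the capability check; add one so the rule is not silently dropped or promoted to an allow later.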


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2023-10-06 16:44 Kenton Groombridge
From: Kenton Groombridge @ 2023-10-06 16:44 UTC
  To: gentoo-commits

commit:     6a26a817c369000f602f81d7f5da7b0fd5a1bff0
Author:     Yi Zhao <yi.zhao <AT> windriver <DOT> com>
AuthorDate: Sat Sep 30 10:00:38 2023 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Fri Oct  6 15:31:45 2023 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6a26a817

systemd: allow journalctl to create /var/lib/systemd/catalog

If /var/lib/systemd/catalog doesn't exist at first boot,
systemd-journal-catalog-update.service would fail:

$ systemctl status systemd-journal-catalog-update.service
  systemd-journal-catalog-update.service - Rebuild Journal Catalog
     Loaded: loaded (/usr/lib/systemd/system/systemd-journal-catalog-update.service; static)
     Active: failed (Result: exit-code) since Sat 2023-09-30 09:46:46 UTC; 50s ago
       Docs: man:systemd-journald.service(8)
             man:journald.conf(5)
    Process: 247 ExecStart=journalctl --update-catalog (code=exited, status=1/FAILURE)
   Main PID: 247 (code=exited, status=1/FAILURE)

Sep 30 09:46:45 qemux86-64 systemd[1]: Starting Rebuild Journal Catalog...
Sep 30 09:46:46 qemux86-64 journalctl[247]: Failed to create parent directories of /var/lib/systemd/catalog/database: Permission denied
Sep 30 09:46:46 qemux86-64 journalctl[247]: Failed to write /var/lib/systemd/catalog/database: Permission denied
Sep 30 09:46:46 qemux86-64 journalctl[247]: Failed to list catalog: Permission denied
Sep 30 09:46:46 qemux86-64 systemd[1]: systemd-journal-catalog-update.service: Main process exited, code=exited, status=1/FAILURE
Sep 30 09:46:46 qemux86-64 systemd[1]: systemd-journal-catalog-update.service: Failed with result 'exit-code'.
Sep 30 09:46:46 qemux86-64 systemd[1]: Failed to start Rebuild Journal Catalog.

Fixes:
AVC avc:  denied  { getattr } for  pid=247 comm="journalctl" name="/"
dev="tmpfs" ino=1 scontext=system_u:system_r:systemd_journal_init_t
tcontext=system_u:object_r:tmpfs_t tclass=filesystem permissive=0

AVC avc:  denied  { write } for  pid=247 comm="journalctl"
name="systemd" dev="vda" ino=13634
scontext=system_u:system_r:systemd_journal_init_t
tcontext=system_u:object_r:init_var_lib_t tclass=dir permissive=0

Signed-off-by: Yi Zhao <yi.zhao <AT> windriver.com>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/system/systemd.te | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 4f1c4c856..c9d21bda5 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -787,9 +787,10 @@ seutil_read_file_contexts(systemd_hw_t)
 
 dontaudit systemd_journal_init_t self:capability net_admin;
 
+manage_dirs_pattern(systemd_journal_init_t, systemd_journal_t, systemd_journal_t)
 manage_files_pattern(systemd_journal_init_t, systemd_journal_t, systemd_journal_t)
 
-fs_getattr_cgroup(systemd_journal_init_t)
+fs_getattr_all_fs(systemd_journal_init_t)
 fs_search_cgroup_dirs(systemd_journal_init_t)
 
 kernel_getattr_proc(systemd_journal_init_t)
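Review bot: fs_getattr_all_fs is wider than the quoted denial, which is a single getattr on a tmpfs filesystem; if this tree has a tmpfs-specific getattr interface it would match the AVC exactly. Likewise manage_dirs_pattern grants full directory management on systemd_journal_t where the failure shown is only the creation of the catalog directory; if create plus the existing file management is all that is needed, say so in a comment.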
@@ -798,6 +799,7 @@ kernel_read_system_state(systemd_journal_init_t)
 
 init_read_state(systemd_journal_init_t)
 init_search_var_lib_dirs(systemd_journal_init_t)
+init_var_lib_filetrans(systemd_journal_init_t, systemd_journal_t, dir)
 
 logging_send_syslog_msg(systemd_journal_init_t)
 logging_stream_connect_journald_varlink(systemd_journal_init_t)
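Review bot: init_var_lib_filetrans(systemd_journal_init_t, systemd_journal_t, dir) has no name argument, so any directory this domain creates in /var/lib/systemd becomes systemd_journal_t, not just catalog; if the interface accepts the optional name parameter that refpolicy filetrans interfaces generally take, pass "catalog" to scope the transition to the directory the log output shows being created.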


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2023-10-06 16:44 Kenton Groombridge
From: Kenton Groombridge @ 2023-10-06 16:44 UTC
  To: gentoo-commits

commit:     b2b5270fcce158aedf71a5be0b2fa15822ecb069
Author:     Russell Coker <russell <AT> coker <DOT> com <DOT> au>
AuthorDate: Thu Oct  5 11:13:54 2023 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Fri Oct  6 15:31:45 2023 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b2b5270f

https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/

While cgroups2 doesn't have the "feature" of having the kernel run a program
specified in the cgroup, the history of this exploit suggests that writing to
cgroups should be restricted and not granted to all users.

Signed-off-by: Russell Coker <russell <AT> coker.com.au>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/system/userdomain.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 642da35cd..676a76241 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -690,7 +690,7 @@ template(`userdom_common_user_template',`
 	files_watch_etc_dirs($1_t)
 	files_watch_usr_dirs($1_t)
 
-	fs_rw_cgroup_files($1_t)
+	fs_read_cgroup_files($1_t)
 
 	# cjp: some of this probably can be removed
 	selinux_get_fs_mount($1_t)
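Review bot: downgrading fs_rw_cgroup_files to fs_read_cgroup_files applies to every domain built from userdom_common_user_template, so it is a behaviour change for any user tooling that writes cgroup attributes; the commit text gives the hardening rationale, but consider a tunable for sites that need user-level cgroup writes, and add a short comment above the call pointing at that rationale so the restriction is not reverted as an apparent regression.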


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2023-10-20 22:05 Kenton Groombridge
From: Kenton Groombridge @ 2023-10-20 22:05 UTC
  To: gentoo-commits

commit:     3b0568041bb3c496b5d776b1961763a32d184379
Author:     Yi Zhao <yi.zhao <AT> windriver <DOT> com>
AuthorDate: Sat Oct  7 02:33:31 2023 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Fri Oct 20 21:28:39 2023 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3b056804

systemd: use init_daemon_domain instead of init_system_domain for systemd-networkd and systemd-resolved

Systemd-networkd and systemd-resolved are daemons.

Fixes:
avc:  denied  { write } for  pid=277 comm="systemd-resolve"
name="notify" dev="tmpfs" ino=31
scontext=system_u:system_r:systemd_resolved_t
tcontext=system_u:object_r:systemd_runtime_notify_t tclass=sock_file
permissive=1

avc:  denied  { write } for  pid=324 comm="systemd-network"
name="notify" dev="tmpfs" ino=31
scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:systemd_runtime_notify_t tclass=sock_file
permissive=1

Signed-off-by: Yi Zhao <yi.zhao <AT> windriver.com>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/system/systemd.te | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index b14511c24..bf3a0e14e 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -199,7 +199,7 @@ init_daemon_domain(systemd_modules_load_t, systemd_modules_load_exec_t)
 
 type systemd_networkd_t;
 type systemd_networkd_exec_t;
-init_system_domain(systemd_networkd_t, systemd_networkd_exec_t)
+init_daemon_domain(systemd_networkd_t, systemd_networkd_exec_t)
 
 type systemd_networkd_runtime_t alias systemd_networkd_var_run_t;
 files_runtime_file(systemd_networkd_runtime_t)
@@ -235,7 +235,7 @@ files_type(systemd_pstore_var_lib_t)
 
 type systemd_resolved_t;
 type systemd_resolved_exec_t;
-init_system_domain(systemd_resolved_t, systemd_resolved_exec_t)
+init_daemon_domain(systemd_resolved_t, systemd_resolved_exec_t)
 
 type systemd_resolved_runtime_t alias systemd_resolved_var_run_t;
 files_runtime_file(systemd_resolved_runtime_t)


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2023-10-20 22:05 Kenton Groombridge
From: Kenton Groombridge @ 2023-10-20 22:05 UTC
  To: gentoo-commits

commit:     4bb6b12fe1a936a0db91fc133ca30dfd8e5be32a
Author:     Dave Sugar <dsugar100 <AT> gmail <DOT> com>
AuthorDate: Wed Oct  4 23:28:38 2023 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Fri Oct 20 21:28:39 2023 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4bb6b12f

Use interface that already exists.

Signed-off-by: Dave Sugar <dsugar100 <AT> gmail.com>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/system/systemd.if | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 68fb1a148..6054b5038 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -29,7 +29,6 @@ template(`systemd_role_template',`
 		type systemd_user_runtime_t, systemd_user_runtime_notify_t;
 		type systemd_user_unit_t;
 		type systemd_user_runtime_unit_t, systemd_user_transient_unit_t;
-		type systemd_machined_t;
 	')
 
 	#################################
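Review bot: dropping `type systemd_machined_t;` from gen_require is only correct if nothing else in systemd_role_template still names systemd_machined_t directly; the second hunk replaces the four direct allow rules with interface calls, which is what makes the require unnecessary, but a leftover reference anywhere else in the template would now fail at policy build time, so the whole template should be grepped for the type before merging.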
@@ -151,10 +150,9 @@ template(`systemd_role_template',`
 	allow $3 systemd_user_runtime_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
 
 	# for "machinectl shell"
-	allow $1_systemd_t systemd_machined_t:fd use;
-	allow $3 systemd_machined_t:fd use;
-	allow $3 systemd_machined_t:dbus send_msg;
-	allow systemd_machined_t $3:dbus send_msg;
+	systemd_use_inherited_machined_ptys($1_systemd_t)
+	systemd_use_inherited_machined_ptys($3)
+	systemd_dbus_chat_machined($3)
 
 	allow $3 systemd_user_runtime_notify_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
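Review bot: the replacement is not a one-to-one rewrite: the removed lines granted only `fd use` on systemd_machined_t, whereas an interface named systemd_use_inherited_machined_ptys is expected to also grant the pty access that the inherited machined fds refer to, and systemd_dbus_chat_machined($3) folds the two one-directional `dbus send_msg` rules into a single call; both are reasonable for "machinectl shell", but the commit message ("Use interface that already exists.") should say that the permissions are being widened, not merely refactored.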
 


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2024-03-01 19:56 Kenton Groombridge
  0 siblings, 0 replies; 705+ messages in thread
From: Kenton Groombridge @ 2024-03-01 19:56 UTC (permalink / raw
  To: gentoo-commits

commit:     f6e3b01a354b974ffc259994385d03909c4be93e
Author:     Christian Göttsche <cgzones <AT> googlemail <DOT> com>
AuthorDate: Thu Feb 22 17:00:42 2024 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Fri Mar  1 17:05:47 2024 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f6e3b01a

userdom: permit reading PSI as admin

Signed-off-by: Christian Göttsche <cgzones <AT> googlemail.com>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/system/userdomain.if | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index aadbe34c3..b87f6d48e 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1382,6 +1382,7 @@ template(`userdom_admin_user_template',`
 	kernel_change_ring_buffer_level($1_t)
 	kernel_clear_ring_buffer($1_t)
 	kernel_read_ring_buffer($1_t)
+	kernel_read_psi($1_t)
 	kernel_get_sysvipc_info($1_t)
 	kernel_rw_all_sysctls($1_t)
 	# signal unlabeled processes:
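Review bot: kernel_read_psi($1_t) is placed in the run of kernel_ calls, which keeps the template ordered, but neither the rule nor the commit message says what the admin user was running when the read of the pressure stall information files was denied; a one-line AVC or the tool name in the message would help future bisection.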


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2024-03-01 19:56 Kenton Groombridge
  0 siblings, 0 replies; 705+ messages in thread
From: Kenton Groombridge @ 2024-03-01 19:56 UTC (permalink / raw
  To: gentoo-commits

commit:     103deadfb6e257799ebf9026cae8a409e0c5a353
Author:     Christian Göttsche <cgzones <AT> googlemail <DOT> com>
AuthorDate: Thu Feb 22 17:00:41 2024 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Fri Mar  1 17:05:46 2024 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=103deadf

selinuxutil: ignore getattr proc in newrole

    type=PROCTITLE msg=audit(02/21/24 22:42:44.555:112) : proctitle=newrole -r sysadm_r
    type=SYSCALL msg=audit(02/21/24 22:42:44.555:112) : arch=x86_64 syscall=fstatfs success=yes exit=0 a0=0x3 a1=0x7ffc75fe1990 a2=0x0 a3=0x0 items=0 ppid=946 pid=1001 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=newrole exe=/usr/bin/newrole subj=root:staff_r:newrole_t:s0-s0:c0.c1023 key=(null)
    type=AVC msg=audit(02/21/24 22:42:44.555:112) : avc:  denied  { getattr } for  pid=1001 comm=newrole name=/ dev=proc ino=1 scontext=root:staff_r:newrole_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=1

Signed-off-by: Christian Göttsche <cgzones <AT> googlemail.com>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/system/selinuxutil.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index b1213aa76..4d8624c6b 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -251,6 +251,7 @@ read_lnk_files_pattern(newrole_t, default_context_t, default_context_t)
 
 kernel_read_system_state(newrole_t)
 kernel_read_kernel_sysctls(newrole_t)
+kernel_dontaudit_getattr_proc(newrole_t)
 
 corecmd_list_bin(newrole_t)
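Review bot: the AVC in the commit message was captured with permissive=1 and success=yes, so the recorded fstatfs succeeding says nothing about enforcing mode; kernel_dontaudit_getattr_proc(newrole_t) only silences the audit record, so it should be verified that `newrole -r sysadm_r` still works in enforcing mode with the getattr on proc_t denied, otherwise the fix needs the corresponding allow interface rather than the dontaudit.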
 


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2024-03-01 19:56 Kenton Groombridge
  0 siblings, 0 replies; 705+ messages in thread
From: Kenton Groombridge @ 2024-03-01 19:56 UTC (permalink / raw
  To: gentoo-commits

commit:     9127b63127407012150cc1257dab821bc300477d
Author:     Christian Göttsche <cgzones <AT> googlemail <DOT> com>
AuthorDate: Thu Feb 22 17:00:51 2024 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Fri Mar  1 17:05:55 2024 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9127b631

udev: update

    AVC avc:  denied  { create } for  pid=685 comm="ifquery" name="network" scontext=system_u:system_r:udev_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1

Signed-off-by: Christian Göttsche <cgzones <AT> googlemail.com>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/system/sysnetwork.if | 30 ++++++++++++++++++++++++++++++
 policy/modules/system/udev.te       |  3 +++
 2 files changed, 33 insertions(+)

diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
index f41024669..884f3735d 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -489,6 +489,7 @@ interface(`sysnet_create_config',`
 	')
 
 	files_search_etc($1)
+	allow $1 net_conf_t:dir { add_entry_dir_perms create_dir_perms };
 	allow $1 net_conf_t:file create_file_perms;
 ')
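Review bot: adding `allow $1 net_conf_t:dir { add_entry_dir_perms create_dir_perms };` inside sysnet_create_config widens every existing caller of the interface, not only udev_t, to creating directories of type net_conf_t; if that is acceptable, the interface's summary (outside this hunk) should be updated to say it creates directories as well as files, and if not, a separate directory-creation interface would leave the existing callers unchanged.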
 
@@ -535,6 +536,35 @@ interface(`sysnet_etc_filetrans_config',`
 	files_etc_filetrans($1, net_conf_t, file, $2)
 ')
 
+#######################################
+## <summary>
+##	Create files in /run with the type used for
+##	the network config files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="object">
+##	<summary>
+##	The object class of the object being created.
+##	</summary>
+## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
+#
+interface(`sysnet_runtime_filetrans_config',`
+	gen_require(`
+		type net_conf_t;
+	')
+
+	files_runtime_filetrans($1, net_conf_t, $2, $3)
+')
+
 #######################################
 ## <summary>
 ##	Create, read, write, and delete network config files.
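Review bot: the new interface's summary says "Create files in /run", but the interface takes an object class parameter and its first caller in this patch passes `dir`, so the summary should read "Create objects in /run" (or "files and directories") to match what files_runtime_filetrans($1, net_conf_t, $2, $3) actually does; the three-parameter form with the optional name mirrors sysnet_etc_filetrans_config visible just above, which is good.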

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 6e24d515f..8ecc17bc7 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -217,6 +217,9 @@ ifdef(`distro_debian',`
 
 	files_runtime_filetrans(udev_t, udev_runtime_t, dir, "xen-hotplug")
 
+	sysnet_runtime_filetrans_config(udev_t, dir, "network")
+	sysnet_create_config(udev_t)
+
 	optional_policy(`
 		# for /usr/lib/avahi/avahi-daemon-check-dns.sh
 		kernel_read_vm_sysctls(udev_t)
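Review bot: the two calls sit inside the `ifdef(`distro_debian'` block shown in the hunk header, which matches the ifquery (ifupdown) origin of the AVC, but sysnet_create_config(udev_t) also grants creating net_conf_t files in /etc, which is wider than creating /run/network; if udev only needs the runtime directory, a narrower rule on net_conf_t dirs would be preferable. The AVC itself (`create` of "network" in var_run_t) is covered by the filetrans call, since filetrans_pattern grants the parent-directory write permissions.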


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2024-03-01 19:56 Kenton Groombridge
  0 siblings, 0 replies; 705+ messages in thread
From: Kenton Groombridge @ 2024-03-01 19:56 UTC (permalink / raw
  To: gentoo-commits

commit:     007072b1c66cfb28310f9d0449f8167f496be2ae
Author:     Christian Göttsche <cgzones <AT> googlemail <DOT> com>
AuthorDate: Thu Feb 22 17:00:52 2024 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Fri Mar  1 17:05:56 2024 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=007072b1

systemd: logind update

    type=PROCTITLE msg=audit(21/02/24 23:31:52.659:83) : proctitle=/usr/lib/systemd/systemd-logind
    type=SYSCALL msg=audit(21/02/24 23:31:52.659:83) : arch=x86_64 syscall=recvmsg success=yes exit=24 a0=0xf a1=0x7ffdec4e7bc0 a2=MSG_DONTWAIT|MSG_CMSG_CLOEXEC a3=0x0 items=0 ppid=1 pid=909 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-logind exe=/usr/lib/systemd/systemd-logind subj=system_u:system_r:systemd_logind_t:s0 key=(null)
    type=AVC msg=audit(21/02/24 23:31:52.659:83) : avc:  denied  { use } for  pid=909 comm=systemd-logind path=anon_inode:[pidfd] dev="anon_inodefs" ino=1051 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0 tclass=fd permissive=1

p.s.: this might need an overhaul after pidfd handling in the kernel has
been improved.

Signed-off-by: Christian Göttsche <cgzones <AT> googlemail.com>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/system/systemd.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index e3af88033..cef49e9a3 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1053,6 +1053,9 @@ storage_raw_read_fixed_disk_cond(systemd_logind_t, systemd_logind_get_bootloader
 optional_policy(`
 	dbus_connect_system_bus(systemd_logind_t)
 	dbus_system_bus_client(systemd_logind_t)
+
+	# pidfd
+	dbus_use_system_bus_fds(systemd_logind_t)
 ')
 
 optional_policy(`
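Review bot: dbus_use_system_bus_fds(systemd_logind_t) allows use of every fd inherited from system_dbusd_t, not only the pidfd named in the AVC, which is as narrow as the fd class allows; the `# pidfd` comment and the commit's p.s. both flag this as a stopgap, so consider a TODO-style marker next to the rule so it is revisited once pidfds carry their own label in the kernel.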


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2024-03-01 19:56 Kenton Groombridge
  0 siblings, 0 replies; 705+ messages in thread
From: Kenton Groombridge @ 2024-03-01 19:56 UTC (permalink / raw
  To: gentoo-commits

commit:     1f6f6eca2f76f7fa1354acdae20898666823bebc
Author:     Christian Göttsche <cgzones <AT> googlemail <DOT> com>
AuthorDate: Fri Feb 23 17:04:11 2024 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Fri Mar  1 17:05:59 2024 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1f6f6eca

libraries: drop space in empty line

Drop a line containing a single space from the file context file to
avoid SELint stumbling on it:

    libraries.mod.fc:   130: (E): Bad file context format (E-002)

Signed-off-by: Christian Göttsche <cgzones <AT> googlemail.com>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/system/libraries.fc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
index 757b18bcb..b5491aa8a 100644
--- a/policy/modules/system/libraries.fc
+++ b/policy/modules/system/libraries.fc
@@ -284,7 +284,7 @@ HOME_DIR/\.mozilla/plugins/nprhapengine\.so.* --	gen_context(system_u:object_r:t
 /usr/lib/acroread/.+\.api		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/acroread/(.*/)?ADMPlugin\.apl	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
 /usr/lib/.*/program(/.*)?\.so			gen_context(system_u:object_r:lib_t,s0)
-') dnl end distro_redhat
+')dnl end distro_redhat
 
 #
 # /var
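Review bot: the change is correct: m4's dnl discards everything up to and including the newline, so `') dnl` left a lone space on the output line that SELint reports as E-002, while `')dnl` emits nothing; the same `') dnl` spelling is worth grepping for in the other .fc files so SELint does not trip on them next.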


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2024-03-01 19:56 Kenton Groombridge
  0 siblings, 0 replies; 705+ messages in thread
From: Kenton Groombridge @ 2024-03-01 19:56 UTC (permalink / raw
  To: gentoo-commits

commit:     2ce9c1574e77cfedf075413013b6247ff0e7f8ce
Author:     Christian Göttsche <cgzones <AT> googlemail <DOT> com>
AuthorDate: Thu Feb 22 17:00:49 2024 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Fri Mar  1 17:05:54 2024 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2ce9c157

systemd: generator updates

    type=1400 audit(1708552475.580:3): avc:  denied  { getattr } for  pid=528 comm="systemd-sysv-ge" path="/etc/init.d/auditd" dev="vda1" ino=262124 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:auditd_initrc_exec_t:s0 tclass=file permissive=1
    type=1400 audit(1708552475.580:4): avc:  denied  { getattr } for  pid=528 comm="systemd-sysv-ge" path="/usr/lib/systemd/system/auditd.service" dev="vda1" ino=395421 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:auditd_unit_t:s0 tclass=file permissive=1
    type=1400 audit(1708552475.580:5): avc:  denied  { getattr } for  pid=528 comm="systemd-sysv-ge" path="/etc/init.d/vnstat" dev="vda1" ino=261247 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:vnstatd_initrc_exec_t:s0 tclass=file permissive=1
    type=1400 audit(1708552475.580:6): avc:  denied  { getattr } for  pid=528 comm="systemd-sysv-ge" path="/usr/lib/systemd/system/vnstat.service" dev="vda1" ino=394196 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:vnstatd_unit_t:s0 tclass=file permissive=1
    type=1400 audit(1708552475.580:7): avc:  denied  { getattr } for  pid=528 comm="systemd-sysv-ge" path="/usr/lib/systemd/system/dbus-broker.service" dev="vda1" ino=394383 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:dbusd_unit_t:s0 tclass=file permissive=1
    type=1400 audit(1708552475.584:8): avc:  denied  { getattr } for  pid=528 comm="systemd-sysv-ge" path="/usr/lib/systemd/system/qemu-guest-agent.service" dev="vda1" ino=392981 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:qemu_unit_t:s0 tclass=file permissive=1
    type=1400 audit(1708552475.584:9): avc:  denied  { getattr } for  pid=528 comm="systemd-sysv-ge" path="/usr/lib/systemd/system/ssh.service" dev="vda1" ino=393521 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:sshd_unit_t:s0 tclass=file permissive=1

Signed-off-by: Christian Göttsche <cgzones <AT> googlemail.com>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/system/init.if    | 20 ++++++++++++++++++++
 policy/modules/system/systemd.te |  3 ++-
 2 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 3e4192eb4..597fd169a 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -3858,6 +3858,26 @@ interface(`init_list_all_units',`
 	read_lnk_files_pattern($1, systemdunit, systemdunit)
 ')
 
+########################################
+## <summary>
+##	Get the attributes of systemd unit directories and the files in them.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_getattr_all_unit_files',`
+	gen_require(`
+		attribute systemdunit;
+	')
+
+	list_dirs_pattern($1, systemdunit, systemdunit)
+	getattr_files_pattern($1, systemdunit, systemdunit)
+	read_lnk_files_pattern($1, systemdunit, systemdunit)
+')
+
 ########################################
 ## <summary>
 ##	Manage systemd unit dirs and the files in them
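Review bot: the summary "Get the attributes of systemd unit directories and the files in them" undersells the interface, which via read_lnk_files_pattern also grants reading unit symlinks (needed because units are frequently symlinks into /usr/lib/systemd/system); either mention symlinks in the summary or add a one-line comment, so callers know they get lnk_file read as well as getattr.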

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 63fef177b..e3af88033 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -536,10 +536,11 @@ init_rename_runtime_files(systemd_generator_t)
 init_search_runtime(systemd_generator_t)
 init_setattr_runtime_files(systemd_generator_t)
 init_write_runtime_files(systemd_generator_t)
-init_list_all_units(systemd_generator_t)
 init_read_generic_units_files(systemd_generator_t)
 init_read_generic_units_symlinks(systemd_generator_t)
 init_read_script_files(systemd_generator_t)
+init_getattr_all_unit_files(systemd_generator_t)
+init_getattr_all_script_files(systemd_generator_t)
 
 kernel_use_fds(systemd_generator_t)
 kernel_read_system_state(systemd_generator_t)
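Review bot: init_getattr_all_script_files(systemd_generator_t) is not defined anywhere in this patch, so it must already exist in init.if for the build to succeed; also note that dropping init_list_all_units is not a reduction, because the new init_getattr_all_unit_files keeps the list_dirs_pattern and lnk read and adds getattr_files_pattern on all systemdunit types, which is exactly what the auditd_unit_t, vnstatd_unit_t, dbusd_unit_t, qemu_unit_t and sshd_unit_t AVCs need.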


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2024-05-14 19:42 Kenton Groombridge
  0 siblings, 0 replies; 705+ messages in thread
From: Kenton Groombridge @ 2024-05-14 19:42 UTC (permalink / raw
  To: gentoo-commits

commit:     9e64cef53a9a17bce38b43e1a8476b4132c186ea
Author:     Matt Sheets <masheets <AT> linux <DOT> microsoft <DOT> com>
AuthorDate: Sat Apr 27 00:09:53 2024 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Tue May 14 17:40:58 2024 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9e64cef5

Allow systemd to pass down sig mask

IgnoreSIGPIPE is a feature that requires systemd to pass the signal
mask down to the forked process. To allow this, the siginh permission must
be allowed for all process domains that can be forked by systemd.

Signed-off-by: Matt Sheets <masheets <AT> linux.microsoft.com>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/system/init.if | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 597fd169a..24be1a7a7 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -189,6 +189,7 @@ interface(`init_domain',`
 
 		allow $1 init_t:unix_stream_socket { getattr read write ioctl };
 
+		allow init_t $1:process siginh;
 		allow init_t $1:process2 { nnp_transition nosuid_transition };
 
 		# StandardInputText uses a memfd rw shm segment.
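Review bot: `allow init_t $1:process siginh;` is applied through init_domain to every domain that uses it, and siginh is normally left denied (and dontaudited) so that a child does not inherit a blocked-signal mask from its parent; the commit message explains this is needed for IgnoreSIGPIPE=, but that reason should also be a comment next to the rule, as the adjacent process2 line carries no context either and a future reader will otherwise see an unexplained blanket grant.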


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2024-05-14 19:42 Kenton Groombridge
  0 siblings, 0 replies; 705+ messages in thread
From: Kenton Groombridge @ 2024-05-14 19:42 UTC (permalink / raw
  To: gentoo-commits

commit:     7a7d1e4a5e7e532b93be215172976e2fa2556e1e
Author:     Chris PeBenito <chpebeni <AT> linux <DOT> microsoft <DOT> com>
AuthorDate: Thu Feb 29 15:14:01 2024 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Tue May 14 17:40:54 2024 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7a7d1e4a

xen: Revoke kernel module loading permissions.

This domain also calls kernel_request_load_module(), which should be
sufficient.

Signed-off-by: Chris PeBenito <chpebeni <AT> linux.microsoft.com>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/system/xen.te | 1 -
 1 file changed, 1 deletion(-)

diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te
index 5311f3a34..d633dfef7 100644
--- a/policy/modules/system/xen.te
+++ b/policy/modules/system/xen.te
@@ -500,7 +500,6 @@ xen_stream_connect_xenstore(xm_t)
 
 can_exec(xm_t, xm_exec_t)
 
-kernel_load_module(xm_t)
 kernel_request_load_module(xm_t)
 kernel_read_system_state(xm_t)
 kernel_read_network_state(xm_t)
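Review bot: removing kernel_load_module(xm_t) while keeping kernel_request_load_module(xm_t) is a sound least-privilege reduction, since the latter only lets xm ask the kernel to modprobe a module by name rather than load a module image itself; the commit message says the request interface "should be sufficient", so a run of xm on a host where the xen modules are not preloaded would confirm that no sys_module capability or module_load denial appears.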


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2024-05-14 19:42 Kenton Groombridge
  0 siblings, 0 replies; 705+ messages in thread
From: Kenton Groombridge @ 2024-05-14 19:42 UTC (permalink / raw
  To: gentoo-commits

commit:     c5f642792afda4f820b416e1f0e8f82b683b52bf
Author:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
AuthorDate: Mon May  6 20:03:10 2024 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Tue May 14 17:41:36 2024 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c5f64279

userdom: allow users to read user home dir symlinks

This is to support user home directories primarily living in another
directory with a symlink in /home that points to it.

Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/system/userdomain.if | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 401c5e6f7..1d98629c6 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -318,6 +318,7 @@ interface(`userdom_ro_home_role',`
 
 	# read-only home directory
 	allow $2 user_home_dir_t:dir list_dir_perms;
+	allow $2 user_home_dir_t:lnk_file read_lnk_file_perms;
 	allow $2 user_home_t:dir list_dir_perms;
 	allow $2 user_home_t:file entrypoint;
 	read_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
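Review bot: the new lnk_file rule only helps if the symlink in /home is actually labelled user_home_dir_t; this patch does not touch userdomain.fc, so confirm that the existing file contexts give a symlink at /home/<user> that type (a `-l` entry) rather than leaving it at the /home default, in which case the read would still be denied and the rule would be dead.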
@@ -394,6 +395,8 @@ interface(`userdom_manage_home_role',`
 
 	type_member $2 user_home_dir_t:dir user_home_dir_t;
 
+	allow $2 user_home_dir_t:lnk_file read_lnk_file_perms;
+
 	# full control of the home directory
 	allow $2 user_home_t:file entrypoint;
 	manage_dirs_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
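Review bot: the rule is set off by blank lines between the type_member line and the "# full control of the home directory" block, while the equivalent rule in userdom_ro_home_role sits inside the read-only block next to the user_home_dir_t dir rule; for consistency it could be placed next to the corresponding dir rule here if one exists, or carry a short comment (home directory that is a symlink to another location) so both placements read as the same feature.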


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2024-05-14 19:42 Kenton Groombridge
  0 siblings, 0 replies; 705+ messages in thread
From: Kenton Groombridge @ 2024-05-14 19:42 UTC (permalink / raw
  To: gentoo-commits

commit:     3dd05d4af8614f7e3ffc4038241f1487d61c53bb
Author:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
AuthorDate: Mon May  6 20:41:28 2024 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Tue May 14 17:41:50 2024 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3dd05d4a

systemd: allow systemd-sysctl to search tmpfs

Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/system/systemd.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index cef49e9a3..fca1a6018 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1752,6 +1752,7 @@ files_read_etc_files(systemd_sysctl_t)
 fs_getattr_all_fs(systemd_sysctl_t)
 fs_search_cgroup_dirs(systemd_sysctl_t)
 fs_search_ramfs(systemd_sysctl_t)
+fs_search_tmpfs(systemd_sysctl_t)
 
 systemd_log_parse_environment(systemd_sysctl_t)
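Review bot: no denial is quoted for fs_search_tmpfs(systemd_sysctl_t); a search on tmpfs directories is harmless, but the commit message should record which path systemd-sysctl was traversing so the rule's purpose is documented and it is not mistaken for dead weight later.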
 


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2024-09-22  0:03 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2024-09-22  0:03 UTC (permalink / raw
  To: gentoo-commits

commit:     e4ae4c90feab6fb352afae63272070e3173f8f12
Author:     Guido Trentalancia <guido <AT> trentalancia <DOT> com>
AuthorDate: Tue Aug 27 12:32:27 2024 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Sep 21 22:28:29 2024 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e4ae4c90

Allow interactive user terminal output for the NetLabel management tool.

Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/netlabel.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/netlabel.te b/policy/modules/system/netlabel.te
index fd64669d3..319c89ac2 100644
--- a/policy/modules/system/netlabel.te
+++ b/policy/modules/system/netlabel.te
@@ -22,6 +22,8 @@ allow netlabel_mgmt_t self:netlink_generic_socket create_socket_perms;
 
 kernel_read_network_state(netlabel_mgmt_t)
 
+domain_use_interactive_fds(netlabel_mgmt_t)
+
 files_read_etc_files(netlabel_mgmt_t)
 
 seutil_use_newrole_fds(netlabel_mgmt_t)
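Review bot: the rule sits between the kernel_ and files_ calls, which follows the module-prefix ordering used in the file, but the commit message gives no denial; for a management tool the usual trigger is writing its output to the administrator's terminal, and citing the AVC (with the tty or pts type involved) would document that.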


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2024-09-22  0:03 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2024-09-22  0:03 UTC (permalink / raw
  To: gentoo-commits

commit:     ba28793f2d89e4ed0f0bd0a24762b046a3afd643
Author:     Yi Zhao <yi.zhao <AT> windriver <DOT> com>
AuthorDate: Sun Aug 11 12:06:45 2024 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Sep 21 22:28:29 2024 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ba28793f

systemd: allow systemd-networkd to manage sock files under /run/systemd/netif

Fixes:
avc:  denied  { create } for  pid=344 comm="systemd-network"
name="io.systemd.Network" scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:systemd_networkd_runtime_t tclass=sock_file
permissive=1

Signed-off-by: Yi Zhao <yi.zhao <AT> windriver.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/systemd.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 1ac08e7d2..5725d7c76 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1270,6 +1270,7 @@ allow systemd_networkd_t self:unix_dgram_socket create_socket_perms;
 manage_dirs_pattern(systemd_networkd_t, systemd_networkd_runtime_t, systemd_networkd_runtime_t)
 manage_files_pattern(systemd_networkd_t, systemd_networkd_runtime_t, systemd_networkd_runtime_t)
 manage_lnk_files_pattern(systemd_networkd_t, systemd_networkd_runtime_t, systemd_networkd_runtime_t)
+manage_sock_files_pattern(systemd_networkd_t, systemd_networkd_runtime_t, systemd_networkd_runtime_t)
 
 init_var_lib_filetrans(systemd_networkd_t, systemd_networkd_var_lib_t, dir)
 manage_dirs_pattern(systemd_networkd_t, systemd_networkd_var_lib_t, systemd_networkd_var_lib_t)
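Review bot: the AVC only shows `create` on the sock_file, and the patch grants the full manage_sock_files_pattern, which is consistent with the dir/file/lnk_file lines above it and avoids a second round of denials for unlink on restart; the socket name io.systemd.Network indicates a varlink endpoint, so clients will in turn need a stream connect rule to systemd_networkd_t via that sock_file, which is not part of this patch.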


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2024-09-22  0:03 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2024-09-22  0:03 UTC (permalink / raw
  To: gentoo-commits

commit:     e7f3b34929de4d35cdce3344b6b0bdf988de5b56
Author:     Yi Zhao <yi.zhao <AT> windriver <DOT> com>
AuthorDate: Sun Aug 11 12:00:44 2024 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Sep 21 22:28:29 2024 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e7f3b349

systemd: set context to systemd_networkd_var_lib_t for /var/lib/systemd/network

Fixes:
avc:  denied  { read } for  pid=344 comm="systemd-network"
path="/var/lib/systemd/network" dev="vda" ino=30708
scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:init_var_lib_t tclass=dir permissive=1

avc:  denied  { write } for  pid=344 comm="systemd-network"
name="network" dev="vda" ino=30708
scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:init_var_lib_t tclass=dir permissive=1

avc:  denied  { getattr } for  pid=344 comm="systemd-network"
path="/var/lib/systemd/network" dev="vda" ino=30708
scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:init_var_lib_t tclass=dir permissive=1

Signed-off-by: Yi Zhao <yi.zhao <AT> windriver.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/systemd.fc | 1 +
 policy/modules/system/systemd.te | 7 +++++++
 2 files changed, 8 insertions(+)

diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index fd785c14e..dc41e9971 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -89,6 +89,7 @@ HOME_DIR/\.local/share/systemd(/.*)?		gen_context(system_u:object_r:systemd_data
 /var/lib/systemd/coredump(/.*)?	gen_context(system_u:object_r:systemd_coredump_var_lib_t,s0)
 /var/lib/systemd/home(/.*)?     gen_context(system_u:object_r:systemd_homed_var_lib_t,s0)
 /var/lib/systemd/linger(/.*)?	gen_context(system_u:object_r:systemd_logind_var_lib_t,s0)
+/var/lib/systemd/network(/.*)?	gen_context(system_u:object_r:systemd_networkd_var_lib_t,s0)
 /var/lib/systemd/pstore(/.*)?	gen_context(system_u:object_r:systemd_pstore_var_lib_t,s0)
 /var/lib/systemd/rfkill(/.*)?	gen_context(system_u:object_r:systemd_rfkill_var_lib_t,s0)
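Review bot: the new file context line is tab-aligned like its neighbours, whereas the `home` line above it uses spaces; not introduced here, but worth normalising while in the file. Existing installations also need a relabel of /var/lib/systemd/network for this entry to take effect, since the three AVCs show the directory currently carrying init_var_lib_t.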
 

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index ff47e69f9..1ac08e7d2 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -216,6 +216,9 @@ init_mountpoint(systemd_networkd_runtime_t)
 type systemd_networkd_unit_t;
 init_unit_file(systemd_networkd_unit_t)
 
+type systemd_networkd_var_lib_t;
+files_type(systemd_networkd_var_lib_t)
+
 type systemd_notify_t;
 type systemd_notify_exec_t;
 init_daemon_domain(systemd_notify_t, systemd_notify_exec_t)
@@ -1268,6 +1271,10 @@ manage_dirs_pattern(systemd_networkd_t, systemd_networkd_runtime_t, systemd_netw
 manage_files_pattern(systemd_networkd_t, systemd_networkd_runtime_t, systemd_networkd_runtime_t)
 manage_lnk_files_pattern(systemd_networkd_t, systemd_networkd_runtime_t, systemd_networkd_runtime_t)
 
+init_var_lib_filetrans(systemd_networkd_t, systemd_networkd_var_lib_t, dir)
+manage_dirs_pattern(systemd_networkd_t, systemd_networkd_var_lib_t, systemd_networkd_var_lib_t)
+manage_files_pattern(systemd_networkd_t, systemd_networkd_var_lib_t, systemd_networkd_var_lib_t)
+
 kernel_read_system_state(systemd_networkd_t)
 kernel_read_kernel_sysctls(systemd_networkd_t)
 kernel_read_network_state(systemd_networkd_t)
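Review bot: init_var_lib_filetrans(systemd_networkd_t, systemd_networkd_var_lib_t, dir) is given without a name, so every directory systemd_networkd_t creates directly under init_var_lib_t would get the new type; the AVC shows the directory is named "network", so pass the optional name argument, `init_var_lib_filetrans(systemd_networkd_t, systemd_networkd_var_lib_t, dir, "network")`, to keep the transition scoped to that one directory.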


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2024-09-22  0:03 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2024-09-22  0:03 UTC (permalink / raw
  To: gentoo-commits

commit:     fe7e3605b466b15a2cbcc21e622451fa7266ef3d
Author:     Yi Zhao <yi.zhao <AT> windriver <DOT> com>
AuthorDate: Mon Aug 26 11:48:29 2024 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Sep 21 22:28:30 2024 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=fe7e3605

systemd: fix policy for systemd-ssh-generator

Fixes:
avc:  denied  { getattr } for  pid=121 comm="systemd-ssh-gen"
path="/usr/sbin/sshd" dev="vda" ino=7787
scontext=system_u:system_r:systemd_generator_t
tcontext=system_u:object_r:sshd_exec_t tclass=file permissive=1

avc:  denied  { execute } for  pid=121 comm="systemd-ssh-gen"
name="sshd" dev="vda" ino=7787
scontext=system_u:system_r:systemd_generator_t
tcontext=system_u:object_r:sshd_exec_t tclass=file permissive=1

avc:  denied  { create } for  pid=121 comm="systemd-ssh-gen"
scontext=system_u:system_r:systemd_generator_t
tcontext=system_u:system_r:systemd_generator_t tclass=vsock_socket
permissive=1

avc:  denied  { read } for  pid=121 comm="systemd-ssh-gen" name="vsock"
dev="devtmpfs" ino=152 scontext=system_u:system_r:systemd_generator_t
tcontext=system_u:object_r:device_t tclass=chr_file permissive=1

avc:  denied  { open } for  pid=121 comm="systemd-ssh-gen"
path="/dev/vsock" dev="devtmpfs" ino=152
scontext=system_u:system_r:systemd_generator_t
tcontext=system_u:object_r:device_t tclass=chr_file permissive=1

avc:  denied  { ioctl } for  pid=121 comm="systemd-ssh-gen"
path="/dev/vsock" dev="devtmpfs" ino=152 ioctlcmd=0x7b9
scontext=system_u:system_r:systemd_generator_t
tcontext=system_u:object_r:device_t tclass=chr_file permissive=1

Signed-off-by: Yi Zhao <yi.zhao <AT> windriver.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/systemd.te | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 2f9d12fcb..f0c7a4347 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -542,6 +542,8 @@ seutil_search_default_contexts(systemd_coredump_t)
 allow systemd_generator_t self:fifo_file rw_fifo_file_perms;
 allow systemd_generator_t self:capability { dac_override sys_admin sys_resource };
 allow systemd_generator_t self:process { getcap getsched setfscreate signal };
+# for systemd-ssh-generator
+allow systemd_generator_t self:vsock_socket create;
 
 corecmd_exec_shell(systemd_generator_t)
 corecmd_exec_bin(systemd_generator_t)
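Review bot: the single `create` on self:vsock_socket is the right width here, since the trace was taken with permissive=1 and any later bind/connect on that socket would also have been logged; the comment would be more useful if it said why only create is needed (the ioctlcmd=0x7b9 on /dev/vsock in the same log is the local-CID query, i.e. the generator only probes whether vsock is available), so that nobody later "fixes" it to create_socket_perms.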
@@ -552,6 +554,8 @@ dev_write_sysfs_dirs(systemd_generator_t)
 dev_read_urand(systemd_generator_t)
 dev_create_sysfs_files(systemd_generator_t)
 dev_write_sysfs(systemd_generator_t)
+# for systemd-ssh-generator
+dev_read_vsock(systemd_generator_t)
 
 files_read_etc_files(systemd_generator_t)
 files_read_etc_runtime_files(systemd_generator_t)
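Review bot: the /dev/vsock denials were logged with tcontext=system_u:object_r:device_t, whereas dev_read_vsock() grants access to vsock_device_t (the label the hostnamed denial further down this thread shows for the same node). Generators run early, before udev has relabelled /dev, so this rule only resolves the denial once the node actually carries vsock_device_t; worth verifying on an early-boot run that the label is in place, rather than assuming the AVC is gone.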
@@ -639,6 +643,11 @@ optional_policy(`
 	rpc_read_exports(systemd_generator_t)
 ')
 
+optional_policy(`
+	# needed by systemd-ssh-generator
+	ssh_exec_sshd(systemd_generator_t)
+')
+
 optional_policy(`
 	# needed by zfs-mount-generator
 	zfs_read_config(systemd_generator_t)
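Review bot: the sshd_exec_t denials are getattr and execute only, consistent with the generator checking that the binary exists rather than running it, so ssh_exec_sshd() (execute in the caller's domain, no transition) matches what was observed. If the generator ever does exec sshd, it would then run as systemd_generator_t instead of sshd_t, so the comment should state that only a probe is expected; the optional_policy wrapper is correct since the ssh module is optional.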


^ permalink raw reply related	[flat|nested] 705+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2024-09-22  0:03 Jason Zaman
From: Jason Zaman @ 2024-09-22  0:03 UTC
  To: gentoo-commits

commit:     c5e085ed54717b4824cb7274be5fe4d416884e84
Author:     Yi Zhao <yi.zhao <AT> windriver <DOT> com>
AuthorDate: Tue Sep 10 07:45:32 2024 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Sep 21 22:28:30 2024 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c5e085ed

systemd: allow systemd-hostnamed to read vsock device

Fixes:
avc:  denied  { read } for  pid=463 comm="systemd-hostnam" name="vsock"
dev="devtmpfs" ino=170 scontext=system_u:system_r:systemd_hostnamed_t:s0-s15:c0.c1023
tcontext=system_u:object_r:vsock_device_t:s0 tclass=chr_file permissive=0

Signed-off-by: Yi Zhao <yi.zhao <AT> windriver.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/systemd.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index f0c7a4347..dcae59ebd 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -786,6 +786,7 @@ kernel_read_kernel_sysctls(systemd_hostnamed_t)
 kernel_dontaudit_getattr_proc(systemd_hostnamed_t)
 
 dev_read_sysfs(systemd_hostnamed_t)
+dev_read_vsock(systemd_hostnamed_t)
 
 files_read_etc_files(systemd_hostnamed_t)
 files_read_etc_runtime_files(systemd_hostnamed_t)
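Review bot: this denial was taken with permissive=0, so only the first failed permission (read) is in the log; the open and ioctl that follow it (visible in the systemd-ssh-generator trace earlier in this thread) were never reached. dev_read_vsock() grants read_chr_file_perms, which covers open and ioctl as well, so the rule is sufficient; just do not expect the single quoted line to be the complete set.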


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2024-09-22  0:03 Jason Zaman
From: Jason Zaman @ 2024-09-22  0:03 UTC
  To: gentoo-commits

commit:     a909c09a7716cdd655acc0bd96210e6bfa244e0b
Author:     Yi Zhao <yi.zhao <AT> windriver <DOT> com>
AuthorDate: Mon Aug 12 08:17:29 2024 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Sep 21 22:28:29 2024 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a909c09a

systemd: allow systemd --user to create netlink_route_socket

Fixes:
avc:  denied  { create } for  pid=373 comm="systemd"
scontext=root:sysadm_r:sysadm_systemd_t
tcontext=root:sysadm_r:sysadm_systemd_t tclass=netlink_route_socket
permissive=1

avc:  denied  { getopt } for  pid=373 comm="systemd"
scontext=root:sysadm_r:sysadm_systemd_t
tcontext=root:sysadm_r:sysadm_systemd_t tclass=netlink_route_socket
permissive=1

avc:  denied  { setopt } for  pid=373 comm="systemd"
scontext=root:sysadm_r:sysadm_systemd_t
tcontext=root:sysadm_r:sysadm_systemd_t tclass=netlink_route_socket
permissive=1

avc:  denied  { bind } for  pid=373 comm="systemd"
scontext=root:sysadm_r:sysadm_systemd_t
tcontext=root:sysadm_r:sysadm_systemd_t tclass=netlink_route_socket
permissive=1

avc:  denied  { getattr } for  pid=373 comm="systemd"
scontext=root:sysadm_r:sysadm_systemd_t
tcontext=root:sysadm_r:sysadm_systemd_t tclass=netlink_route_socket
permissive=1

avc:  denied  { write } for  pid=373 comm="systemd"
scontext=root:sysadm_r:sysadm_systemd_t
tcontext=root:sysadm_r:sysadm_systemd_t tclass=netlink_route_socket
permissive=1

avc:  denied  { nlmsg_read } for  pid=373 comm="systemd"
scontext=root:sysadm_r:sysadm_systemd_t
tcontext=root:sysadm_r:sysadm_systemd_t tclass=netlink_route_socket
permissive=1

avc:  denied  { read } for  pid=373 comm="systemd"
scontext=root:sysadm_r:sysadm_systemd_t
tcontext=root:sysadm_r:sysadm_systemd_t tclass=netlink_route_socket
permissive=1

avc:  denied  { sendto } for  pid=378 comm="(ystemctl)"
scontext=root:sysadm_r:sysadm_systemd_t
tcontext=root:sysadm_r:sysadm_systemd_t tclass=unix_dgram_socket
permissive=1

Signed-off-by: Yi Zhao <yi.zhao <AT> windriver.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/systemd.if | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index a9c8a1a5a..b9dbd97cc 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -61,6 +61,8 @@ template(`systemd_role_template',`
 	# remainder of the rules.
 	allow $1_systemd_t self:process { getsched signal };
 	allow $1_systemd_t self:netlink_kobject_uevent_socket create_socket_perms;
+	allow $1_systemd_t self:netlink_route_socket r_netlink_socket_perms;
+	allow $1_systemd_t self:unix_dgram_socket { create_socket_perms sendto };
 	allow $1_systemd_t self:unix_stream_socket create_stream_socket_perms;
 	allow $1_systemd_t $3:process { rlimitinh setsched signal_perms };
 	corecmd_shell_domtrans($1_systemd_t, $3)
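Review bot: r_netlink_socket_perms lines up one-for-one with the eight logged permissions (create getopt setopt bind getattr write nlmsg_read read), so the width is justified, and the unix_dgram_socket sendto comes from pid 378 comm="(ystemctl)", the forked child of the user manager talking back to its own socket. Since this template is shared by every user role, a one-line comment naming the two triggering operations would help later audits, as the neighbouring socket rules carry none.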


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2024-12-15  0:30 Jason Zaman
From: Jason Zaman @ 2024-12-15  0:30 UTC
  To: gentoo-commits

commit:     00d6dd0cfe66101c178573939424a01ecfb1a114
Author:     Rahul Sandhu <rahul <AT> sandhuservices <DOT> dev>
AuthorDate: Thu Nov 28 02:21:24 2024 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Dec 15 00:19:19 2024 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=00d6dd0c

authlogin: connect to homed

For commands such as `groups(1)` to work, nsswitch_domain needs to be
able to talk to /run/systemd/userdb/io.systemd.Home to obtain
information on systemd-homed users.

Signed-off-by: Rahul Sandhu <rahul <AT> sandhuservices.dev>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/authlogin.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 2014c6409..4b8c5fa2a 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -476,6 +476,7 @@ sysnet_dns_name_resolve(nsswitch_domain)
 
 ifdef(`init_systemd', `
 	systemd_stream_connect_userdb(nsswitch_domain)
+	systemd_stream_connect_homed(nsswitch_domain)
 ')
 
 tunable_policy(`authlogin_nsswitch_use_ldap',`
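Review bot: systemd_stream_connect_homed() only grants connectto on systemd_homed_t's unix_stream_socket; the path to the socket file, /run/systemd/userdb/io.systemd.Home, is reachable here solely because the line above already calls systemd_stream_connect_userdb() for nsswitch_domain. The pairing is correct, but it is implicit; a short comment that the two go together would stop the userdb call being dropped later without the homed one.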


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2024-12-15  0:30 Jason Zaman
From: Jason Zaman @ 2024-12-15  0:30 UTC
  To: gentoo-commits

commit:     bd4d8da452e55389b387f9d98153c6534c5eba1d
Author:     Rahul Sandhu <rahul <AT> sandhuservices <DOT> dev>
AuthorDate: Thu Nov 28 01:48:46 2024 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Dec 15 00:19:19 2024 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=bd4d8da4

locallogin: allow talking to systemd-homed user record APIs

systemd-homed user records rely on being able to talk to the dbus and
varlink APIs provided to obtain basic account information such as user
id, name, group membership, etc as they do not have /etc/passwd,
/etc/group or /etc/shadow fields. For tty login to work for homed user
accounts, local_login_t needs to be able to lookup this information, so
let's grant it the ability to.

Signed-off-by: Rahul Sandhu <rahul <AT> sandhuservices.dev>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/locallogin.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
index e17b16c4e..995c80be2 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -154,6 +154,8 @@ ifdef(`init_systemd',`
 	systemd_dbus_chat_logind(local_login_t)
 	systemd_use_logind_fds(local_login_t)
 	systemd_manage_logind_runtime_pipes(local_login_t)
+	systemd_dbus_chat_homed(local_login_t)
+	systemd_stream_connect_homed(local_login_t)
 ')
 
 ifdef(`distro_debian',`


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2024-12-15  0:30 Jason Zaman
From: Jason Zaman @ 2024-12-15  0:30 UTC
  To: gentoo-commits

commit:     716e9b6d402bdb400679019d455f2da5a69e33d5
Author:     Rahul Sandhu <rahul <AT> sandhuservices <DOT> dev>
AuthorDate: Thu Nov 28 01:49:27 2024 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Dec 15 00:19:19 2024 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=716e9b6d

systemd_homed_t, systemd_homework_t: allow reading of /etc/machine-id

systemd-homed user records stored in identity files are machine-id
specific and signed, so systemd-homed needs access to /etc/machine-id to
create those records properly.

Signed-off-by: Rahul Sandhu <rahul <AT> sandhuservices.dev>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/systemd.te | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 309f99ae4..dca7f098d 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -679,6 +679,9 @@ allow systemd_homed_t systemd_homed_var_lib_t:dir manage_dir_perms;
 allow systemd_homed_t systemd_homed_var_lib_t:file manage_file_perms;
 init_var_lib_filetrans(systemd_homed_t, systemd_homed_var_lib_t, dir)
 
+# read /etc/machine-id
+files_read_etc_runtime(systemd_homed_t)
+
 # Entries such as /sys/devices/virtual/block/loop1/uevent:
 dev_read_sysfs(systemd_homed_t)
 
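Review bot: files_read_etc_runtime() is used here while systemd_generator_t earlier in this same file (the hunk at @@ -552 in the ssh-generator commit above) uses files_read_etc_runtime_files(); both names coexist in the tree, so settle on the non-deprecated one for new rules or a grep for who can read etc_runtime_t will miss half the callers. The comment "# read /etc/machine-id" also understates the grant: the interface covers every etc_runtime_t file, not just machine-id, and should say so.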
@@ -729,6 +732,9 @@ allow systemd_homework_t systemd_homed_runtime_t:dir manage_dir_perms;
 files_runtime_filetrans(systemd_homework_t, systemd_homed_runtime_t, file)
 init_runtime_filetrans(systemd_homework_t, systemd_homed_runtime_t, dir)
 
+# read /etc/machine-id
+files_read_etc_runtime(systemd_homework_t)
+
 # mount on /run/systemd/user-home-mount
 allow systemd_homework_t systemd_homed_runtime_t:dir mounton;
 


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2024-12-15  0:30 Jason Zaman
From: Jason Zaman @ 2024-12-15  0:30 UTC
  To: gentoo-commits

commit:     34b81b634f7a8bdc59fe7ffa6d6453a9c07d001f
Author:     Rahul Sandhu <rahul <AT> sandhuservices <DOT> dev>
AuthorDate: Thu Nov 28 02:56:31 2024 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Dec 15 00:19:19 2024 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=34b81b63

systemd_homed_runtime_work_dir_t: new type for systemd-homed workdir

As systemd-homed's workdir is an internal one, and external domains may
be (reasonably) expected to connect to systemd_homed_runtime_t in the
future, let's create a new domain for systemd-homed's internal work to
differentiate between the two.

Signed-off-by: Rahul Sandhu <rahul <AT> sandhuservices.dev>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/systemd.fc | 1 +
 policy/modules/system/systemd.te | 6 +++++-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index 68fcedbe3..ce48c7d09 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -112,6 +112,7 @@ HOME_ROOT/(.+)\.home	--	gen_context(system_u:object_r:systemd_homed_storage_t,s0
 /run/systemd/ask-password(/.*)?	gen_context(system_u:object_r:systemd_passwd_runtime_t,s0)
 /run/systemd/ask-password-block(/.*)?	gen_context(system_u:object_r:systemd_passwd_runtime_t,s0)
 /run/systemd/home(/.*)?         gen_context(system_u:object_r:systemd_homed_runtime_t,s0)
+/run/systemd/user-home-mount	-d	gen_context(system_u:object_r:systemd_homed_runtime_work_dir_t,s0)
 /run/systemd/network(/.*)?  gen_context(system_u:object_r:systemd_networkd_runtime_t,s0)
 /run/systemd/notify		-s	gen_context(system_u:object_r:systemd_runtime_notify_t,s0)
 /run/systemd/resolve(/.*)?  gen_context(system_u:object_r:systemd_resolved_runtime_t,s0)
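Review bot: the surrounding /run/systemd entries are kept in alphabetical order (ask-password, home, network, notify, resolve), so the new user-home-mount line belongs after resolve rather than between home and network. The `-d` specifier is right for a bare mountpoint; note it labels only the directory itself, which is what the mounton rule in the .te needs.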

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index dca7f098d..b8a52c7c8 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -129,6 +129,10 @@ role system_r types systemd_homework_t;
 type systemd_homed_runtime_t;
 files_runtime_file(systemd_homed_runtime_t)
 
+type systemd_homed_runtime_work_dir_t;
+files_runtime_file(systemd_homed_runtime_work_dir_t)
+files_mountpoint(systemd_homed_runtime_work_dir_t)
+
 type systemd_homed_storage_t;
 files_type(systemd_homed_storage_t)
 
@@ -736,7 +740,7 @@ init_runtime_filetrans(systemd_homework_t, systemd_homed_runtime_t, dir)
 files_read_etc_runtime(systemd_homework_t)
 
 # mount on /run/systemd/user-home-mount
-allow systemd_homework_t systemd_homed_runtime_t:dir mounton;
+allow systemd_homework_t systemd_homed_runtime_work_dir_t:dir mounton;
 
 allow systemd_homework_t systemd_homed_storage_t:file manage_file_perms;
 files_home_filetrans(systemd_homework_t, systemd_homed_storage_t, file)
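Review bot: the hunk header still shows init_runtime_filetrans(systemd_homework_t, systemd_homed_runtime_t, dir), so any directory homework itself creates under /run/systemd keeps landing as systemd_homed_runtime_t; if user-home-mount is created at runtime rather than by tmpfiles or a restorecon, it will never carry systemd_homed_runtime_work_dir_t and the changed mounton rule will not match. A name-based transition, e.g. init_runtime_filetrans(systemd_homework_t, systemd_homed_runtime_work_dir_t, dir, "user-home-mount"), pins the label. Also, the commit message calls the new type a domain; it is a file type, not a process domain.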


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2024-12-15  0:30 Jason Zaman
From: Jason Zaman @ 2024-12-15  0:30 UTC
  To: gentoo-commits

commit:     f289fb94887c4fac6e5d53c49b7a9525f43a94b4
Author:     Rahul Sandhu <rahul <AT> sandhuservices <DOT> dev>
AuthorDate: Thu Nov 28 02:10:49 2024 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Dec 15 00:19:19 2024 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f289fb94

systemd-homed: label LUKS home images as systemd_homed_storage_t

systemd-homed stores LUKS home images as `/home/username.home`, so let's
label that appropriately.

Signed-off-by: Rahul Sandhu <rahul <AT> sandhuservices.dev>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/systemd.fc | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index f42782e53..68fcedbe3 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -63,6 +63,9 @@ HOME_DIR/\.config/containers/systemd(/.*)?		gen_context(system_u:object_r:system
 HOME_DIR/\.config/systemd(/.*)?		gen_context(system_u:object_r:systemd_conf_home_t,s0)
 HOME_DIR/\.local/share/systemd(/.*)?		gen_context(system_u:object_r:systemd_data_home_t,s0)
 
+# homed files
+HOME_ROOT/(.+)\.home	--	gen_context(system_u:object_r:systemd_homed_storage_t,s0)
+
 /usr/lib/systemd/user(/.*)?		gen_context(system_u:object_r:systemd_user_unit_t,s0)
 
 /usr/lib/systemd/system/[^/]*halt.*	--	gen_context(system_u:object_r:power_unit_t,s0)
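Review bot: `(.+)` matches slashes, so HOME_ROOT/(.+)\.home also labels any *.home regular file at any depth under /home (e.g. /home/user/notes.home) as systemd_homed_storage_t once a recursive restorecon runs over it. The message says the images live directly at /home/username.home, so HOME_ROOT/[^/]+\.home is the precise pattern; the `--` already limits it to regular files, which is good.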


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2024-12-15  0:30 Jason Zaman
From: Jason Zaman @ 2024-12-15  0:30 UTC
  To: gentoo-commits

commit:     7cbfef87d904f8b3762ae98cf45e414254e297a1
Author:     Rahul Sandhu <rahul <AT> sandhuservices <DOT> dev>
AuthorDate: Thu Nov 28 17:41:24 2024 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Dec 15 00:19:42 2024 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7cbfef87

lvm_manage_runtime_dirs: new interface for managing LVM runtime dirs

Signed-off-by: Rahul Sandhu <rahul <AT> sandhuservices.dev>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/lvm.if | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if
index 9608a1fd1..a80a1b532 100644
--- a/policy/modules/system/lvm.if
+++ b/policy/modules/system/lvm.if
@@ -210,6 +210,25 @@ interface(`lvm_manage_runtime_files',`
 	manage_files_pattern($1, lvm_runtime_t, lvm_runtime_t)
 ')
 
+########################################
+## <summary>
+##	Manage LVM runtime dirs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`lvm_manage_runtime_dirs',`
+	gen_require(`
+		type lvm_runtime_t;
+	')
+
+	manage_dirs_pattern($1, lvm_runtime_t, lvm_runtime_t)
+')
+
 ######################################
 ## <summary>
 ##	All of the rules required to
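Review bot: manage_dirs_pattern($1, lvm_runtime_t, lvm_runtime_t) covers the lvm_runtime_t directories but not search on /run itself; the sibling lvm_manage_runtime_files interface just above is the reference for whether files_search_runtime($1) is expected inside the interface or left to the caller, and the two should agree. The docs block is otherwise in the standard form.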


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2024-12-15  0:30 Jason Zaman
From: Jason Zaman @ 2024-12-15  0:30 UTC
  To: gentoo-commits

commit:     0f30968113b88ccf367726ef169a40d13231975f
Author:     Dave Sugar <dsugar100 <AT> gmail <DOT> com>
AuthorDate: Mon Nov 18 02:48:53 2024 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Dec 15 00:19:19 2024 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0f309681

Need search perms on cert_t/tls_privkey_t when using private types

Even if you create a private key for a certificate in
/etc/pki/tls/certs or private key in /etc/pki/tls/private
as those directories are labeled cert_t and tls_privkey_t.
So you need dir search perms to be able to access your
new key type.

node=localhost type=AVC msg=audit(1731898795.566:33533): avc:  denied  { search } for  pid=961 comm="monitor" name="private" dev="dm-0" ino=524539 scontext=system_u:system_r:monitor_t:s0 tcontext=system_u:object_r:tls_privkey_t:s0 tclass=dir permissive=1

Signed-off-by: Dave Sugar <dsugar100 <AT> gmail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/miscfiles.if | 49 ++++++++++++++++++++++++++++++++++----
 1 file changed, 45 insertions(+), 4 deletions(-)

diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
index d3041451b..101b992bd 100644
--- a/policy/modules/system/miscfiles.if
+++ b/policy/modules/system/miscfiles.if
@@ -23,9 +23,9 @@
 ##	</p>
 ##	<p>
 ##	type mycertfile_t;
-##	cert_type(mycertfile_t)
+##	miscfiles_cert_type(mycertfile_t)
 ##	allow mydomain_t mycertfile_t:file read_file_perms;
-##	files_search_etc(mydomain_t)
+##	miscfiles_search_generic_cert_dirs(mydomain_t)
 ##	</p>
 ## </desc>
 ## <param name="type">
@@ -68,9 +68,9 @@ interface(`miscfiles_cert_type',`
 ##	</p>
 ##	<p>
 ##	type mytlsprivkeyfile_t;
-##	tls_privkey_type(mytlsprivkeyfile_t)
+##	miscfiles_tls_privkey_type(mytlsprivkeyfile_t)
 ##	allow mydomain_t mytlsprivkeyfile_t:file read_file_perms;
-##	files_search_etc(mydomain_t)
+##	miscfiles_search_tls_privkey_dirs(mydomain_t)
 ##	</p>
 ## </desc>
 ## <param name="type">
@@ -110,6 +110,26 @@ interface(`miscfiles_read_all_certs',`
 	read_lnk_files_pattern($1, cert_type, cert_type)
 ')
 
+########################################
+## <summary>
+##	Search generic SSL/TLS directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`miscfiles_search_generic_cert_dirs',`
+	gen_require(`
+		type cert_t;
+	')
+
+	files_search_etc($1)
+	allow $1 cert_t:dir search_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##	Read generic SSL/TLS certificates.
@@ -239,6 +259,27 @@ interface(`miscfiles_mounton_generic_cert_dirs',`
 	allow $1 cert_t:dir mounton;
 ')
 
+
+########################################
+## <summary>
+##	Search SSL/TLS private key directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`miscfiles_search_tls_privkey_dirs',`
+	gen_require(`
+		type tls_privkey_t;
+	')
+
+	miscfiles_search_generic_cert_dirs($1)
+	allow $1 tls_privkey_t:dir search_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##	Read generic SSL/TLS private
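Review bot: the hunk introduces a second blank line (the lone `+` at its top) between the closing `')` of miscfiles_mounton_generic_cert_dirs and the new banner, while the search_generic_cert_dirs block earlier in this patch uses the file's single-blank spacing; drop the extra line. Calling miscfiles_search_generic_cert_dirs($1) rather than repeating files_search_etc is the right layering, since /etc/pki/tls/private sits under the cert_t tree.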


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2024-12-15  0:30 Jason Zaman
From: Jason Zaman @ 2024-12-15  0:30 UTC
  To: gentoo-commits

commit:     d15abb028eff6a6bc5fdb026608d9f79d1bc5ee6
Author:     Christian Göttsche <cgzones <AT> googlemail <DOT> com>
AuthorDate: Sat Nov 16 14:05:13 2024 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Dec 15 00:19:19 2024 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d15abb02

systemd: permit sysusers to create /etc/group

    audit[14480]: AVC avc:  denied  { create } for  pid=14480 comm="systemd-sysuser" name=".#group5f44baae46cc7c1d" scontext=unconfined_u:unconfined_r:systemd_sysusers_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0

Signed-off-by: Christian Göttsche <cgzones <AT> googlemail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/systemd.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index b8a52c7c8..80ad48873 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -310,6 +310,8 @@ init_daemon_domain(systemd_sysctl_t, systemd_sysctl_exec_t)
 type systemd_sysusers_t;
 type systemd_sysusers_exec_t;
 init_system_domain(systemd_sysusers_t, systemd_sysusers_exec_t)
+# create /etc/group
+domain_obj_id_change_exemption(systemd_sysusers_t)
 role systemd_sysusers_roles types systemd_sysusers_t;
 
 type systemd_tmpfiles_t;
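Review bot: the comment "# create /etc/group" hides why this particular exemption is the fix. The denial shows a process with user unconfined_u creating a file whose new context is system_u:object_r:etc_t, i.e. a different user identity from the creator, which the object-identity constraint blocks; domain_obj_id_change_exemption() lifts that constraint for every object systemd_sysusers_t creates, not just /etc/group. Record the constraint reason in the comment so a later reader does not replace it with a plain files_manage_etc_files() and get the AVC back.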


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2024-12-15  0:30 Jason Zaman
From: Jason Zaman @ 2024-12-15  0:30 UTC
  To: gentoo-commits

commit:     92e031a769ce70569deabf45172a76592f774d12
Author:     Rahul Sandhu <rahul <AT> sandhuservices <DOT> dev>
AuthorDate: Thu Nov 28 01:38:38 2024 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Dec 15 00:19:19 2024 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=92e031a7

systemd_stream_connect_homed: new interface to access account info

systemd-homed provides a varlink API with a unix socket at
/run/systemd/userdb/io.systemd.Home to query user account records. As
quite a few things will need to be able to query this API for basic
functionality to work - such as `groups(1)` being able to operate on
systemd-homed user accounts - let's make an interface for this.

Signed-off-by: Rahul Sandhu <rahul <AT> sandhuservices.dev>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/systemd.if | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 0d97cf0cd..1ddc9fba5 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -1136,6 +1136,25 @@ interface(`systemd_dbus_chat_homed',`
 	allow systemd_homed_t $1:dbus send_msg;
 ')
 
+########################################
+## <summary>
+##   Connect to /run/systemd/userdb/io.systemd.Home to
+##   query user account information.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`systemd_stream_connect_homed',`
+	gen_require(`
+		type systemd_homed_t;
+	')
+
+	allow $1 systemd_homed_t:unix_stream_socket connectto;
+')
+
 ######################################
 ## <summary>
 ##   Read and write systemd-homework semaphores.
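Review bot: the interface grants connectto only; it includes neither search on /run/systemd/userdb nor write on the io.systemd.Home sock_file, so on its own a caller still cannot reach the socket and must also call systemd_stream_connect_userdb(). Either fold that access in, or state the dependency in the summary, otherwise the next caller will see a sock_file denial and wonder why the interface did not work.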


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2024-12-15  0:30 Jason Zaman
From: Jason Zaman @ 2024-12-15  0:30 UTC
  To: gentoo-commits

commit:     6c435b57b87b1fbae154d1a76963d6802415fe9b
Author:     Dave Sugar <dsugar100 <AT> gmail <DOT> com>
AuthorDate: Mon Nov 18 16:29:28 2024 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Dec 15 00:19:19 2024 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6c435b57

Communicate with locale via dbus

node=localhost type=USER_AVC msg=audit(1731946583.709:17143): pid=962 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:script_t:s0 tcontext=system_u:system_r:systemd_locale_t:s0 tclass=dbus permissive=1 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'␝UID="dbus" AUID="unset" SAUID="dbus"

Cleanup some denials seen for systemd_locale_t
node=localhost type=AVC msg=audit(1731946409.877:15089): avc:  denied  { read } for  pid=6038 comm="systemd-localed" name="language-fallback-map" dev="dm-0" ino=287302 scontext=system_u:system_r:systemd_locale_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1731946409.877:15089): avc:  denied  { open } for  pid=6038 comm="systemd-localed" path="/usr/share/systemd/language-fallback-map" dev="dm-0" ino=287302 scontext=system_u:system_r:systemd_locale_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1731946409.877:15090): avc:  denied  { getattr } for  pid=6038 comm="systemd-localed" path="/usr/share/systemd/language-fallback-map" dev="dm-0" ino=287302 scontext=system_u:system_r:systemd_locale_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1731946409.885:15092): avc:  denied  { ioctl } for  pid=6038 comm="systemd-localed" path="/usr/share/systemd/language-fallback-map" dev="dm-0" ino=287302 ioctlcmd=0x5401 scontext=system_u:system_r:systemd_locale_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1

node=localhost type=AVC msg=audit(1731946409.877:15086): avc:  denied  { search } for  pid=6038 comm="systemd-localed" name="locale" dev="dm-0" ino=264167 scontext=system_u:system_r:systemd_locale_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1731946409.877:15086): avc:  denied  { read } for  pid=6038 comm="systemd-localed" name="locale-archive.real" dev="dm-0" ino=265820 scontext=system_u:system_r:systemd_locale_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1731946409.877:15086): avc:  denied  { open } for  pid=6038 comm="systemd-localed" path="/usr/lib/locale/locale-archive" dev="dm-0" ino=265820 scontext=system_u:system_r:systemd_locale_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1731946409.877:15087): avc:  denied  { getattr } for  pid=6038 comm="systemd-localed" path="/usr/lib/locale/locale-archive" dev="dm-0" ino=265820 scontext=system_u:system_r:systemd_locale_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1731946409.877:15088): avc:  denied  { map } for  pid=6038 comm="systemd-localed" path="/usr/lib/locale/locale-archive" dev="dm-0" ino=265820 scontext=system_u:system_r:systemd_locale_t:s0 tcontext=system_u:object_r:locale_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar100 <AT> gmail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/systemd.if | 21 +++++++++++++++++++++
 policy/modules/system/systemd.te |  3 +++
 2 files changed, 24 insertions(+)

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 38984fb65..0d97cf0cd 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -1521,6 +1521,27 @@ interface(`systemd_signull_logind',`
 	allow $1 systemd_logind_t:process signull;
 ')
 
+########################################
+## <summary>
+##   Send and receive messages from
+##   systemd locale over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`systemd_dbus_chat_locale',`
+	gen_require(`
+		type systemd_locale_t;
+		class dbus send_msg;
+	')
+
+	allow $1 systemd_locale_t:dbus send_msg;
+	allow systemd_locale_t $1:dbus send_msg;
+')
+
 ########################################
 ## <summary>
 ##  List the contents of systemd userdb runtime directories.
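Review bot: systemd_dbus_chat_locale is defined here but nothing in this commit calls it, so the USER_AVC for script_t sending to systemd_locale_t quoted in the message is not actually resolved by this change; either add the call in the policy for script_t or say in the message that the caller lands separately. The gen_require correctly pulls in `class dbus send_msg`, matching the existing chat interfaces.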

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index fb8260715..309f99ae4 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -888,12 +888,15 @@ miscfiles_read_localization(systemd_journal_init_t)
 kernel_read_kernel_sysctls(systemd_locale_t)
 
 files_read_etc_files(systemd_locale_t)
+files_read_usr_files(systemd_locale_t)
 
 fs_getattr_all_fs(systemd_locale_t)
 fs_search_cgroup_dirs(systemd_locale_t)
 
 init_stream_connect(systemd_locale_t)
 
+miscfiles_read_localization(systemd_locale_t)
+
 selinux_use_status_page(systemd_locale_t)
 
 seutil_read_file_contexts(systemd_locale_t)
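Review bot: the quoted denials include `map` on /usr/lib/locale/locale-archive and `ioctl` on /usr/share/systemd/language-fallback-map; files_read_usr_files() covers ioctl via read_files_pattern, but map has to be granted explicitly, so confirm that miscfiles_read_localization() in this tree includes locale_t:file map, otherwise that one denial will remain in enforcing mode.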


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2024-12-15  0:30 Jason Zaman
From: Jason Zaman @ 2024-12-15  0:30 UTC
  To: gentoo-commits

commit:     108f2dabb313b5b946cd3bd98977a5adc1683d1f
Author:     Rahul Sandhu <rahul <AT> sandhuservices <DOT> dev>
AuthorDate: Thu Nov 28 18:05:01 2024 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Dec 15 00:19:42 2024 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=108f2dab

systemd_homed_record_t: new type for user records

As systemd identity files contain sensitive data, such as password
hashes, let's create a new type systemd_homed_record_t for them. As
systemd_homework_t needs to be able to read, create, and delete these
files, let's give it permissions to do so.

Signed-off-by: Rahul Sandhu <rahul <AT> sandhuservices.dev>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/systemd.fc | 2 ++
 policy/modules/system/systemd.te | 7 +++++++
 2 files changed, 9 insertions(+)

diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index ce48c7d09..6a770c502 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -64,6 +64,8 @@ HOME_DIR/\.config/systemd(/.*)?		gen_context(system_u:object_r:systemd_conf_home
 HOME_DIR/\.local/share/systemd(/.*)?		gen_context(system_u:object_r:systemd_data_home_t,s0)
 
 # homed files
+HOME_DIR/\.identity	--	gen_context(system_u:object_r:systemd_homed_record_t,s0)
+HOME_DIR/\.identity-blob(/.*)?	gen_context(system_u:object_r:systemd_homed_record_t,s0)
 HOME_ROOT/(.+)\.home	--	gen_context(system_u:object_r:systemd_homed_storage_t,s0)
 
 /usr/lib/systemd/user(/.*)?		gen_context(system_u:object_r:systemd_user_unit_t,s0)
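Review bot: `HOME_DIR/\.identity-blob(/.*)?` labels a directory and its contents as systemd_homed_record_t, but the type is declared with files_auth_file() and the systemd.te hunk only grants *_files_pattern on it, so nothing may create, list or search a directory of that type; either restrict the regex to files with `--` or add the matching dir rules. Note also that these contexts apply under HOME_DIR while the systemd.te rules reference systemd_homed_runtime_work_dir_t, so the two halves of the change do not obviously describe the same files.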

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index edc192609..fbace192f 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -126,6 +126,9 @@ domain_type(systemd_homework_t)
 domain_entry_file(systemd_homework_t, systemd_homework_exec_t)
 role system_r types systemd_homework_t;
 
+type systemd_homed_record_t;
+files_auth_file(systemd_homed_record_t)
+
 type systemd_homed_runtime_t;
 files_runtime_file(systemd_homed_runtime_t)
 
@@ -791,6 +794,10 @@ systemd_log_parse_environment(systemd_homework_t)
 
 udev_read_runtime_files(systemd_homework_t)
 
+read_files_pattern(systemd_homework_t, systemd_homed_runtime_work_dir_t, systemd_homed_record_t)
+create_files_pattern(systemd_homework_t, systemd_homed_runtime_work_dir_t, systemd_homed_record_t)
+delete_files_pattern(systemd_homework_t, systemd_homed_runtime_work_dir_t, systemd_homed_record_t)
+
 #######################################
 #
 # Hostnamed policy
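Review bot: create_files_pattern() only permits creating a file that already carries systemd_homed_record_t; without a filetrans_pattern(systemd_homework_t, systemd_homed_runtime_work_dir_t, systemd_homed_record_t, file, ".identity") rule, a record created by systemd_homework_t inherits the parent directory's type and the read/delete rules here never apply to it. Style-wise, these local-type rules belong with the other systemd_homed_runtime_* rules rather than after the udev_ interface call; a later commit in this series moves them.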


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2024-12-15  0:30 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2024-12-15  0:30 UTC (permalink / raw
  To: gentoo-commits

commit:     f8b20780a5fe71630cae51dae016bf1d861fbbc2
Author:     Rahul Sandhu <rahul <AT> sandhuservices <DOT> dev>
AuthorDate: Wed Dec  4 21:48:21 2024 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Dec 15 00:19:42 2024 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f8b20780

systemd-homed: fix filecontexts for systemd_home_storage_t objects

Signed-off-by: Rahul Sandhu <rahul <AT> sandhuservices.dev>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/systemd.fc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index 6a770c502..858c46ee3 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -66,7 +66,7 @@ HOME_DIR/\.local/share/systemd(/.*)?		gen_context(system_u:object_r:systemd_data
 # homed files
 HOME_DIR/\.identity	--	gen_context(system_u:object_r:systemd_homed_record_t,s0)
 HOME_DIR/\.identity-blob(/.*)?	gen_context(system_u:object_r:systemd_homed_record_t,s0)
-HOME_ROOT/(.+)\.home	--	gen_context(system_u:object_r:systemd_homed_storage_t,s0)
+HOME_ROOT/.+\.home	--	gen_context(system_u:object_r:systemd_homed_storage_t,s0)
 
 /usr/lib/systemd/user(/.*)?		gen_context(system_u:object_r:systemd_user_unit_t,s0)
 
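Review bot: dropping the capture group is a pure simplification and does not change what is matched: `.` also matches `/`, so `HOME_ROOT/.+\.home` still labels files at any depth below HOME_ROOT, not only top-level `user.home` images; if only the top level is intended, `HOME_ROOT/[^/]+\.home` is the tighter pattern. The commit subject says systemd_home_storage_t while the type on the line is systemd_homed_storage_t.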


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2024-12-15  0:30 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2024-12-15  0:30 UTC (permalink / raw
  To: gentoo-commits

commit:     6727c5f168802e4db7e7a07af00ed39a180aa074
Author:     Rahul Sandhu <rahul <AT> sandhuservices <DOT> dev>
AuthorDate: Wed Dec  4 21:38:56 2024 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Dec 15 00:19:42 2024 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6727c5f1

systemd-homework: reformat *_files_pattern block

Signed-off-by: Rahul Sandhu <rahul <AT> sandhuservices.dev>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/systemd.te | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index c62036f39..2d4b48afa 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -743,6 +743,10 @@ allow systemd_homework_t systemd_homed_runtime_t:dir manage_dir_perms;
 files_runtime_filetrans(systemd_homework_t, systemd_homed_runtime_t, file)
 init_runtime_filetrans(systemd_homework_t, systemd_homed_runtime_t, dir)
 
+read_files_pattern(systemd_homework_t, systemd_homed_runtime_work_dir_t, systemd_homed_record_t)
+create_files_pattern(systemd_homework_t, systemd_homed_runtime_work_dir_t, systemd_homed_record_t)
+delete_files_pattern(systemd_homework_t, systemd_homed_runtime_work_dir_t, systemd_homed_record_t)
+
 # read /etc/machine-id
 files_read_etc_runtime(systemd_homework_t)
 
@@ -796,10 +800,6 @@ systemd_log_parse_environment(systemd_homework_t)
 
 udev_read_runtime_files(systemd_homework_t)
 
-read_files_pattern(systemd_homework_t, systemd_homed_runtime_work_dir_t, systemd_homed_record_t)
-create_files_pattern(systemd_homework_t, systemd_homed_runtime_work_dir_t, systemd_homed_record_t)
-delete_files_pattern(systemd_homework_t, systemd_homed_runtime_work_dir_t, systemd_homed_record_t)
-
 #######################################
 #
 # Hostnamed policy
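Review bot: this is a pure move of the three *_files_pattern lines introduced by 108f2dab; since both commits are in the same series, squashing the move into that commit avoids an intermediate state where the rules sit after the udev_ call.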


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2024-12-15  0:30 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2024-12-15  0:30 UTC (permalink / raw
  To: gentoo-commits

commit:     51f1ed3ad1c9bcf908395335856bbcc2dc1c4561
Author:     Rahul Sandhu <rahul <AT> sandhuservices <DOT> dev>
AuthorDate: Tue Dec 10 08:07:26 2024 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Dec 15 00:19:42 2024 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=51f1ed3a

systemd_stream_connect_homed: genrequire systemd_userdbd_runtime_t

Signed-off-by: Rahul Sandhu <rahul <AT> sandhuservices.dev>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/systemd.if | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index ed3fda830..b6b50bca9 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -1150,6 +1150,7 @@ interface(`systemd_dbus_chat_homed',`
 interface(`systemd_stream_connect_homed',`
 	gen_require(`
 		type systemd_homed_t;
+		type systemd_userdbd_runtime_t;
 	')
 
 	stream_connect_pattern($1, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t, systemd_homed_t)
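Review bot: correct fix; the interface body already referenced systemd_userdbd_runtime_t in the stream_connect_pattern() call without requiring it, which breaks the build for any caller module that does not otherwise pull in that type. As 37d28f0c in the same series introduced the missing require, squashing the two commits would avoid a broken intermediate state.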


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2024-12-15  0:30 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2024-12-15  0:30 UTC (permalink / raw
  To: gentoo-commits

commit:     37d28f0c2223e9560fc7e868896f12daa96fac67
Author:     Rahul Sandhu <rahul <AT> sandhuservices <DOT> dev>
AuthorDate: Wed Dec  4 21:35:08 2024 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Dec 15 00:19:42 2024 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=37d28f0c

systemd_stream_connect_homed: make use of stream_connect_pattern

Signed-off-by: Rahul Sandhu <rahul <AT> sandhuservices.dev>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/systemd.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 1ddc9fba5..ed3fda830 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -1152,7 +1152,7 @@ interface(`systemd_stream_connect_homed',`
 		type systemd_homed_t;
 	')
 
-	allow $1 systemd_homed_t:unix_stream_socket connectto;
+	stream_connect_pattern($1, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t, systemd_homed_t)
 ')
 
 ######################################
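Review bot: systemd_userdbd_runtime_t is used in the new stream_connect_pattern() call, but the gen_require block above still lists only systemd_homed_t, so the interface does not build until the follow-up commit adds `type systemd_userdbd_runtime_t;`. The replacement itself is an improvement: the old single connectto rule relied on other rules for search on the socket directory and write on the sock_file, which stream_connect_pattern() grants explicitly.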


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2024-12-15  0:30 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2024-12-15  0:30 UTC (permalink / raw
  To: gentoo-commits

commit:     dac8485843d36744488e0b72cde9b04ad459f5a7
Author:     Rahul Sandhu <rahul <AT> sandhuservices <DOT> dev>
AuthorDate: Tue Dec 10 16:05:19 2024 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Dec 15 00:19:42 2024 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=dac84858

authlogin: connect to nsresourced

Container UID/GID lookups for utilities such as nspawn require nss
clients to be able to make nsresourced lookups.

Signed-off-by: Rahul Sandhu <rahul <AT> sandhuservices.dev>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/authlogin.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 4b8c5fa2a..b3574e1db 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -477,6 +477,7 @@ sysnet_dns_name_resolve(nsswitch_domain)
 ifdef(`init_systemd', `
 	systemd_stream_connect_userdb(nsswitch_domain)
 	systemd_stream_connect_homed(nsswitch_domain)
+	systemd_stream_connect_nsresourced(nsswitch_domain)
 ')
 
 tunable_policy(`authlogin_nsswitch_use_ldap',`
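Review bot: systemd_stream_connect_nsresourced() is not defined anywhere in this diff; confirm the interface landed in systemd.if in the same series, otherwise every nsswitch_domain build breaks under init_systemd. Placing it alongside the userdb and homed calls inside the ifdef is consistent with the surrounding code.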


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2024-12-15  0:30 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2024-12-15  0:30 UTC (permalink / raw
  To: gentoo-commits

commit:     4c672a08f3060e44791ace6b3c25c5247d1fd34c
Author:     Rahul Sandhu <rahul <AT> sandhuservices <DOT> dev>
AuthorDate: Thu Nov 28 17:44:01 2024 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Dec 15 00:19:42 2024 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4c672a08

systemd_homework_t: allow managing of lvm_runtime_t files and dirs

systemd-homed needs access to `/run/cryptsetup` to properly set up and
unlock LUKS encrypted home directories.

Signed-off-by: Rahul Sandhu <rahul <AT> sandhuservices.dev>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/systemd.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 05c9e55e4..edc192609 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -751,6 +751,10 @@ files_home_filetrans(systemd_homework_t, systemd_homed_storage_t, file)
 
 allow systemd_homework_t systemd_homed_tmpfs_t:file rw_inherited_file_perms;
 
+# setup luks backed home directories in /run/cryptsetup
+lvm_manage_runtime_files(systemd_homework_t)
+lvm_manage_runtime_dirs(systemd_homework_t)
+
 dev_rw_loop_control(systemd_homework_t)
 dev_read_rand(systemd_homework_t)
 dev_read_urand(systemd_homework_t)
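Review bot: the comment and commit message talk about /run/cryptsetup, but lvm_manage_runtime_files/dirs grants full management of everything labelled lvm_runtime_t, not just that directory; if no narrower interface exists this is acceptable, but the comment should say so. Calls into another module are conventionally wrapped in optional_policy(`...') rather than made unconditionally; a later commit in this series does exactly that.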


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2024-12-15  0:30 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2024-12-15  0:30 UTC (permalink / raw
  To: gentoo-commits

commit:     ef4faa48be0e92c8ca9ee2be1ac48a88bccbeda9
Author:     Rahul Sandhu <rahul <AT> sandhuservices <DOT> dev>
AuthorDate: Tue Dec 10 08:09:10 2024 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Dec 15 00:19:42 2024 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ef4faa48

systemd-homework: move optional policy to end of block

Signed-off-by: Rahul Sandhu <rahul <AT> sandhuservices.dev>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/systemd.te | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 41f67fec5..2f344c7ad 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -758,12 +758,6 @@ files_home_filetrans(systemd_homework_t, systemd_homed_storage_t, file)
 
 allow systemd_homework_t systemd_homed_tmpfs_t:file rw_inherited_file_perms;
 
-# setup luks backed home directories in /run/cryptsetup
-optional_policy(`
-	lvm_manage_runtime_files(systemd_homework_t)
-	lvm_manage_runtime_dirs(systemd_homework_t)
-')
-
 dev_rw_loop_control(systemd_homework_t)
 dev_read_rand(systemd_homework_t)
 dev_read_urand(systemd_homework_t)
@@ -800,6 +794,12 @@ systemd_log_parse_environment(systemd_homework_t)
 
 udev_read_runtime_files(systemd_homework_t)
 
+# setup luks backed home directories in /run/cryptsetup
+optional_policy(`
+	lvm_manage_runtime_files(systemd_homework_t)
+	lvm_manage_runtime_dirs(systemd_homework_t)
+')
+
 #######################################
 #
 # Hostnamed policy


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2024-12-15  0:30 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2024-12-15  0:30 UTC (permalink / raw
  To: gentoo-commits

commit:     62286ae2ea6ccb9a68f349b419625143696f68f1
Author:     Rahul Sandhu <rahul <AT> sandhuservices <DOT> dev>
AuthorDate: Wed Dec  4 21:37:52 2024 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Dec 15 00:19:42 2024 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=62286ae2

systemd-homed: make lvm related policy optional

Signed-off-by: Rahul Sandhu <rahul <AT> sandhuservices.dev>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/systemd.te | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index fbace192f..c62036f39 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -755,8 +755,10 @@ files_home_filetrans(systemd_homework_t, systemd_homed_storage_t, file)
 allow systemd_homework_t systemd_homed_tmpfs_t:file rw_inherited_file_perms;
 
 # setup luks backed home directories in /run/cryptsetup
-lvm_manage_runtime_files(systemd_homework_t)
-lvm_manage_runtime_dirs(systemd_homework_t)
+optional_policy(`
+	lvm_manage_runtime_files(systemd_homework_t)
+	lvm_manage_runtime_dirs(systemd_homework_t)
+')
 
 dev_rw_loop_control(systemd_homework_t)
 dev_read_rand(systemd_homework_t)
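Review bot: the explanatory comment stays outside the new optional_policy(` block; placing it inside keeps comment and rules together so that any later move of the block carries both.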


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2024-12-15  0:30 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2024-12-15  0:30 UTC (permalink / raw
  To: gentoo-commits

commit:     4f429f0243579b4c83971008066d1f19fb7e5939
Author:     Rahul Sandhu <rahul <AT> sandhuservices <DOT> dev>
AuthorDate: Wed Dec  4 21:41:46 2024 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Dec 15 00:19:42 2024 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4f429f02

systemd-homed: use files_read_etc_runtime_files to read machine-id

Signed-off-by: Rahul Sandhu <rahul <AT> sandhuservices.dev>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/systemd.te | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 2d4b48afa..41f67fec5 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -691,7 +691,7 @@ allow systemd_homed_t systemd_homed_var_lib_t:file manage_file_perms;
 init_var_lib_filetrans(systemd_homed_t, systemd_homed_var_lib_t, dir)
 
 # read /etc/machine-id
-files_read_etc_runtime(systemd_homed_t)
+files_read_etc_runtime_files(systemd_homed_t)
 
 # Entries such as /sys/devices/virtual/block/loop1/uevent:
 dev_read_sysfs(systemd_homed_t)
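Review bot: the commit message gives no reason for the rename; state whether files_read_etc_runtime() is deprecated or simply absent from this tree, so a reader knows whether the old spelling was a build failure or only a warning.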
@@ -748,7 +748,7 @@ create_files_pattern(systemd_homework_t, systemd_homed_runtime_work_dir_t, syste
 delete_files_pattern(systemd_homework_t, systemd_homed_runtime_work_dir_t, systemd_homed_record_t)
 
 # read /etc/machine-id
-files_read_etc_runtime(systemd_homework_t)
+files_read_etc_runtime_files(systemd_homework_t)
 
 # mount on /run/systemd/user-home-mount
 allow systemd_homework_t systemd_homed_runtime_work_dir_t:dir mounton;


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2025-01-06 21:08 Kenton Groombridge
  0 siblings, 0 replies; 705+ messages in thread
From: Kenton Groombridge @ 2025-01-06 21:08 UTC (permalink / raw
  To: gentoo-commits

commit:     fce1ea5c36ab169a7e16497f022f656b6267cce7
Author:     Marc Schiffbauer <mschiff <AT> gentoo <DOT> org>
AuthorDate: Tue Nov 26 08:30:00 2024 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Mon Jan  6 21:08:08 2025 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=fce1ea5c

systemd: add networkd rules required at least since version 256

systemd-network-generator.service unit fails without:
  fs_list_tmpfs(systemd_networkd_t)

allow rw to
/sys/fs/cgroup/system.slice/systemd-networkd.service/memory.pressure
  fs_rw_cgroup_files(systemd_networkd_t)

Signed-off-by: Marc Schiffbauer <mschiff <AT> gentoo.org>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/system/systemd.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 2f344c7ad..342b98c2e 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1358,6 +1358,8 @@ fs_getattr_all_fs(systemd_networkd_t)
 fs_search_cgroup_dirs(systemd_networkd_t)
 fs_read_nsfs_files(systemd_networkd_t)
 fs_watch_memory_pressure(systemd_networkd_t)
+fs_list_tmpfs(systemd_networkd_t)
+fs_rw_cgroup_files(systemd_networkd_t)
 
 auth_use_nsswitch(systemd_networkd_t)
 
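Review bot: fs_rw_cgroup_files grants read/write on every cgroup file, much more than the single memory.pressure file the commit message cites; since fs_watch_memory_pressure is already on the line above, check whether a narrower interface covers writing memory.pressure before handing out rw on the whole cgroup tree. The message should also say which unit triggered fs_list_tmpfs in systemd_networkd_t, as it names systemd-network-generator.service rather than systemd-networkd.service.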


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2025-03-08 23:55 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2025-03-08 23:55 UTC (permalink / raw
  To: gentoo-commits

commit:     9407b918eeaec5ddb7127f0a0852b78a984efaf7
Author:     Tianjia Zhang <tianjia.zhang <AT> linux <DOT> alibaba <DOT> com>
AuthorDate: Mon Dec 30 07:58:17 2024 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Mar  8 23:01:08 2025 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9407b918

authlogin: allow unix_chkpwd to run

denied  { dac_read_search } for  pid=27506 comm="unix_chkpwd" capability=2  scontext=system_u:system_r:chkpwd_t:s0-s15:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s15:c0.c1023 tclass=capability permissive=1

Signed-off-by: Tianjia Zhang <tianjia.zhang <AT> linux.alibaba.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/authlogin.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index b3574e1db..eddd4ced4 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -109,7 +109,7 @@ optional_policy(`
 # Check password local policy
 #
 
-allow chkpwd_t self:capability { dac_override setuid };
+allow chkpwd_t self:capability { dac_override dac_read_search setuid };
 dontaudit chkpwd_t self:capability sys_tty_config;
 allow chkpwd_t self:process { getattr signal };
 dontaudit chkpwd_t self:process getcap;
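Review bot: chkpwd_t already holds dac_override, which covers the same read and search checks as dac_read_search; the kernel tries dac_read_search first and logs a denial before falling back to dac_override, so the quoted AVC (note permissive=1) is an audit message rather than a functional failure. Granting dac_read_search explicitly is still the conventional way to silence it (userdomain.if does the same for the security admin); the commit message would be clearer stating that.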


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2025-03-08 23:55 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2025-03-08 23:55 UTC (permalink / raw
  To: gentoo-commits

commit:     ef08b161fabd3126d57bd4fefa6510051929c05a
Author:     Tianjia Zhang <tianjia.zhang <AT> linux <DOT> alibaba <DOT> com>
AuthorDate: Sun Dec 29 15:37:01 2024 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Mar  8 23:01:08 2025 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ef08b161

lvm: allow granting capability and creating alg_socket

solve the following avc log:

  897655:type=AVC msg=audit(1735486143.152:1314): avc: \
    denied  { dac_read_search } for  pid=7420 comm="cryptsetup" \
    capability=2  \
    scontext=sysadm_u:sysadm_r:lvm_t:s0-s15:c0.c1023 \
    tcontext=sysadm_u:sysadm_r:lvm_t:s0-s15:c0.c1023 \
    tclass=capability permissive=0
  897660:type=AVC msg=audit(1735486143.152:1315): avc: \
    denied  { create } for  pid=7420 comm="cryptsetup" \
    scontext=sysadm_u:sysadm_r:lvm_t:s0-s15:c0.c1023 \
    tcontext=sysadm_u:sysadm_r:lvm_t:s0-s15:c0.c1023 \
    tclass=alg_socket permissive=0

Signed-off-by: Tianjia Zhang <tianjia.zhang <AT> linux.alibaba.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/lvm.te | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index 2b314ee95..0bcfa293e 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -49,7 +49,7 @@ files_type(lvm_var_lib_t)
 # DAC overrides and mknod for modifying /dev entries (vgmknodes)
 # rawio needed for dmraid
 # net_admin for multipath
-allow lvm_t self:capability { chown dac_override fowner ipc_lock mknod net_admin sys_admin sys_nice sys_rawio sys_resource };
+allow lvm_t self:capability { chown dac_override dac_read_search fowner ipc_lock mknod net_admin sys_admin sys_nice sys_rawio sys_resource };
 dontaudit lvm_t self:capability sys_tty_config;
 allow lvm_t self:process { setfscreate setrlimit sigchld sigkill signal signull sigstop };
 # LVM will complain a lot if it cannot set its priority.
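Review bot: same pattern as the chkpwd change: lvm_t already has dac_override, so the dac_read_search denial is logged on the kernel's first capability check before dac_override succeeds; granting it explicitly is consistent. The comment block above lists why each capability is needed (mknod, rawio, net_admin); add a line for dac_read_search (cryptsetup) so the list stays accurate.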
@@ -65,6 +65,7 @@ allow lvm_t self:socket create_stream_socket_perms;
 allow lvm_t self:key { search write };
 
 allow lvm_t self:unix_stream_socket { connectto create_stream_socket_perms };
+allow lvm_t self:alg_socket create_socket_perms;
 
 manage_dirs_pattern(lvm_t, lvm_tmp_t, lvm_tmp_t)
 manage_files_pattern(lvm_t, lvm_tmp_t, lvm_tmp_t)
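Review bot: the AVC only shows `create` on alg_socket, but a usable AF_ALG socket also needs bind, setopt and read/write, so create_socket_perms is the right set rather than just create; note that AF_ALG hands out operation descriptors via accept(), which create_socket_perms does not include, so a follow-up denial for accept is likely and create_stream_socket_perms would cover it. A comment noting this is for cryptsetup's use of the kernel crypto API (comm="cryptsetup" in the denial) would help the next reader.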


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2025-03-08 23:55 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2025-03-08 23:55 UTC (permalink / raw
  To: gentoo-commits

commit:     6cba76d3a79495c992b82de5214a9e597a97171a
Author:     Tianjia Zhang <tianjia.zhang <AT> linux <DOT> alibaba <DOT> com>
AuthorDate: Thu Jan 16 02:38:28 2025 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Mar  8 23:01:08 2025 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6cba76d3

userdomain: allow granting mac_admin capability to security admin

cap_mac_admin is required to operate some LSM modules, such as
selinux, apparmor, smack, etc. It is necessary to allow the security
administrator role to grant this capability.

Signed-off-by: Tianjia Zhang <tianjia.zhang <AT> linux.alibaba.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/userdomain.if | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index aaa7718e6..2c0aeef5a 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1523,6 +1523,7 @@ template(`userdom_admin_user_template',`
 #
 interface(`userdom_security_admin_template',`
 	allow $1 self:capability { dac_override dac_read_search };
+	allow $1 self:capability2 mac_admin;
 
 	corecmd_exec_shell($1)
 
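Review bot: mac_admin is a heavy grant: under SELinux it lets the process set file labels that the loaded policy does not define (they are stored and treated as unlabeled), which a security administrator should rarely need. The commit message only says some LSMs require it; it should show the concrete denial and the operation that produced it, and consider gating the rule behind a tunable rather than granting it to every security admin. capability2 is the correct class for mac_admin.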


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2025-03-08 23:55 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2025-03-08 23:55 UTC (permalink / raw
  To: gentoo-commits

commit:     7b45e2cb886a6feb1a2333859ce87ff6a8641ce4
Author:     Tianjia Zhang <tianjia.zhang <AT> linux <DOT> alibaba <DOT> com>
AuthorDate: Sun Dec 22 10:21:19 2024 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Mar  8 23:01:08 2025 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7b45e2cb

mount: allow mount_t to read/write fifo file

Signed-off-by: Tianjia Zhang <tianjia.zhang <AT> linux.alibaba.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/mount.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index 01fe24528..788871fa5 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -54,6 +54,7 @@ allow mount_t self:fifo_file rw_fifo_file_perms;
 
 allow mount_t mount_tmp_t:file manage_file_perms;
 allow mount_t mount_tmp_t:dir manage_dir_perms;
+allow mount_t self:fifo_file rw_fifo_file_perms;
 
 can_exec(mount_t, mount_exec_t)
 
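Review bot: the hunk header's context line shows `allow mount_t self:fifo_file rw_fifo_file_perms;` already present at or above line 54 of mount.te, so the added line is an exact duplicate and grants nothing new. If a denial was observed it was for a different target or permission; drop this line and include the AVC in the commit message.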


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2025-03-08 23:55 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2025-03-08 23:55 UTC (permalink / raw
  To: gentoo-commits

commit:     f6242364bce576e6a9e23754fdb079a1843719d5
Author:     Yi Zhao <yi.zhao <AT> windriver <DOT> com>
AuthorDate: Wed Feb  5 07:42:46 2025 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Mar  8 23:01:08 2025 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f6242364

systemd: allow systemd-resolve to watch /run/systemd dir

Fixes:
avc:  denied  { watch } for  pid=283 comm="systemd-resolve"
path="/run/systemd" dev="tmpfs" ino=2 scontext=system_u:system_r:systemd_resolved_t
tcontext=system_u:object_r:init_runtime_t tclass=dir permissive=0

Signed-off-by: Yi Zhao <yi.zhao <AT> windriver.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/systemd.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 0bc65390c..a9da2800e 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1796,6 +1796,7 @@ fs_search_ramfs(systemd_resolved_t)
 fs_watch_memory_pressure(systemd_resolved_t)
 
 init_dgram_send(systemd_resolved_t)
+init_watch_runtime_dirs(systemd_resolved_t)
 
 miscfiles_read_generic_certs(systemd_resolved_t)
 


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2025-03-08 23:55 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2025-03-08 23:55 UTC (permalink / raw
  To: gentoo-commits

commit:     ca9eb66e6cb896fa3596a768f580ba005bde0d5b
Author:     Yi Zhao <yi.zhao <AT> windriver <DOT> com>
AuthorDate: Wed Feb  5 07:35:59 2025 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Mar  8 23:01:08 2025 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ca9eb66e

systemd: allow more components to get attributes of nsfs inodes

Fixes:
avc:  denied  { getattr } for  pid=195 comm="systemd-userdbd"
path="cgroup:[4026531835]" dev="nsfs" ino=4026531835
scontext=system_u:system_r:systemd_userdbd_t
tcontext=system_u:object_r:nsfs_t tclass=file permissive=0

avc:  denied  { getattr } for  pid=191 comm="systemd-resolve"
path="cgroup:[4026531835]" dev="nsfs" ino=4026531835
scontext=system_u:system_r:systemd_resolved_t
tcontext=system_u:object_r:nsfs_t tclass=file permissive=0

Signed-off-by: Yi Zhao <yi.zhao <AT> windriver.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/systemd.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 202925673..0bc65390c 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1789,6 +1789,7 @@ files_watch_runtime_dirs(systemd_resolved_t)
 files_list_runtime(systemd_resolved_t)
 
 fs_getattr_all_fs(systemd_resolved_t)
+fs_getattr_nsfs_files(systemd_resolved_t)
 fs_search_cgroup_dirs(systemd_resolved_t)
 fs_search_tmpfs(systemd_resolved_t)
 fs_search_ramfs(systemd_resolved_t)
@@ -1902,6 +1903,7 @@ allow systemd_sysusers_t self:unix_dgram_socket sendto;
 files_manage_etc_files(systemd_sysusers_t)
 
 fs_getattr_all_fs(systemd_sysusers_t)
+fs_getattr_nsfs_files(systemd_sysusers_t)
 fs_search_all(systemd_sysusers_t)
 
 kernel_read_kernel_sysctls(systemd_sysusers_t)
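Review bot: the commit message only quotes denials for systemd-userdbd and systemd-resolve, yet the patch also adds fs_getattr_nsfs_files to systemd_sysusers_t (here) and systemd_update_done_t; either include the corresponding AVCs or say in the message that these were found the same way, otherwise the extra grants look speculative.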
@@ -2094,6 +2096,7 @@ files_etc_filetrans(systemd_update_done_t, systemd_update_run_t, file)
 files_var_filetrans(systemd_update_done_t, systemd_update_run_t, file)
 
 fs_getattr_all_fs(systemd_update_done_t)
+fs_getattr_nsfs_files(systemd_update_done_t)
 fs_search_cgroup_dirs(systemd_update_done_t)
 
 kernel_read_kernel_sysctls(systemd_update_done_t)
@@ -2210,6 +2213,7 @@ files_read_etc_runtime_files(systemd_userdbd_t)
 files_read_usr_files(systemd_userdbd_t)
 
 fs_getattr_all_fs(systemd_userdbd_t)
+fs_getattr_nsfs_files(systemd_userdbd_t)
 fs_search_cgroup_dirs(systemd_userdbd_t)
 fs_read_efivarfs_files(systemd_userdbd_t)
 fs_watch_memory_pressure(systemd_userdbd_t)


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2025-03-08 23:55 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2025-03-08 23:55 UTC (permalink / raw
  To: gentoo-commits

commit:     045344366ca42f82ed70a053accc05d0a8f13f39
Author:     Yi Zhao <yi.zhao <AT> windriver <DOT> com>
AuthorDate: Thu Feb 13 13:51:55 2025 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Mar  8 23:26:43 2025 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=04534436

systemd: allow system --user to get attributes of nsfs inodes

Fixes:
avc:  denied  { getattr } for  pid=502 comm="systemd"
path="cgroup:[4026531835]" dev="nsfs" ino=4026531835
scontext=root:sysadm_r:sysadm_systemd_t
tcontext=system_u:object_r:nsfs_t tclass=file permissive=0

avc:  denied  { getattr } for  pid=502 comm="systemd"
path="pid:[4026531836]" dev="nsfs" ino=4026531836
scontext=root:sysadm_r:sysadm_systemd_t
tcontext=system_u:object_r:nsfs_t tclass=file permissive=0

avc:  denied  { getattr } for  pid=506 comm="30-systemd-envi"
path="cgroup:[4026531835]" dev="nsfs" ino=4026531835
scontext=root:sysadm_r:sysadm_systemd_t
tcontext=system_u:object_r:nsfs_t tclass=file permissive=0

avc:  denied  { getattr } for  pid=506 comm="30-systemd-envi"
path="pid:[4026531836]" dev="nsfs" ino=4026531836
scontext=root:sysadm_r:sysadm_systemd_t
tcontext=system_u:object_r:nsfs_t tclass=file permissive=0

avc:  denied  { getattr } for  pid=508 comm="systemd-tmpfile"
path="cgroup:[4026531835]" dev="nsfs" ino=4026531835
scontext=root:sysadm_r:sysadm_systemd_tmpfiles_t
tcontext=system_u:object_r:nsfs_t tclass=file permissive=0

avc:  denied  { getattr } for  pid=508 comm="systemd-tmpfile"
path="pid:[4026531836]" dev="nsfs" ino=4026531836
scontext=root:sysadm_r:sysadm_systemd_tmpfiles_t
tcontext=system_u:object_r:nsfs_t tclass=file permissive=0

avc:  denied  { search } for  pid=508 comm="systemd-tmpfile" name="1"
dev="proc" ino=575 scontext=root:sysadm_r:sysadm_systemd_tmpfiles_t
tcontext=system_u:system_r:init_t tclass=dir permissive=0

avc:  denied  { getattr } for  pid=508 comm="systemd-tmpfile" name="/"
dev="proc" ino=1 scontext=root:sysadm_r:sysadm_systemd_tmpfiles_t
tcontext=system_u:object_r:proc_t tclass=filesystem permissive=0

Signed-off-by: Yi Zhao <yi.zhao <AT> windriver.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/systemd.if | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index b6b50bca9..0f92c23bd 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -99,6 +99,7 @@ template(`systemd_role_template',`
 	files_watch_etc_dirs($1_systemd_t)
 
 	fs_getattr_xattr_fs($1_systemd_t)
+	fs_getattr_nsfs_files($1_systemd_t)
 	fs_manage_cgroup_files($1_systemd_t)
 	fs_watch_cgroup_files($1_systemd_t)
 
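Review bot: the template scope is worth a sentence in the message: fs_getattr_nsfs_files($1_systemd_t) lands in systemd_role_template, so every role's $1_systemd_t gains getattr on nsfs_t files, not just the sysadm_systemd_t that appears in the quoted AVCs. That is consistent with the denials coming from the generic systemd --user instance (comm="systemd", path="cgroup:[...]" and "pid:[...]", tclass=file), and the call keeps the fs_ block sorted between fs_getattr_xattr_fs and fs_manage_cgroup_files.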
@@ -152,6 +153,11 @@ template(`systemd_role_template',`
 	files_list_runtime($1_systemd_tmpfiles_t)
 	files_read_etc_files($1_systemd_tmpfiles_t)
 
+	fs_getattr_nsfs_files($1_systemd_tmpfiles_t)
+
+	init_read_state($1_systemd_tmpfiles_t)
+
+	kernel_dontaudit_getattr_proc($1_systemd_tmpfiles_t)
 	kernel_read_kernel_sysctls($1_systemd_tmpfiles_t)
 	kernel_read_system_state($1_systemd_tmpfiles_t)
 
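Review bot: kernel_dontaudit_getattr_proc($1_systemd_tmpfiles_t) silences the last AVC (getattr on proc_t, tclass=filesystem) rather than granting it, so the statfs of /proc by systemd-tmpfiles keeps failing, only quietly; that is the right choice only if tmpfiles tolerates the failure, otherwise kernel_getattr_proc is needed instead (the same dontaudit is reversed for systemd_logind_t later on this page because the failed statfs caused real breakage there). Separately, init_read_state is broader than the denied { search } on the /proc/1 dir (tcontext init_t): it also allows reading init's process state files; fine if tmpfiles actually reads them, but the message should say which of the two it does.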


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2025-03-08 23:55 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2025-03-08 23:55 UTC (permalink / raw
  To: gentoo-commits

commit:     c64bc8bc4aa39d06f735d8acd28fa9cfc75b0f4f
Author:     Nicolas PARLANT <nicolas.parlant <AT> parhuet <DOT> fr>
AuthorDate: Fri Jan 17 14:51:48 2025 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Mar  8 23:01:08 2025 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c64bc8bc

fixdep dbus

auth_use_pam_systemd requires dbus:

> /var/lib/selinux/targeted/tmp/modules/400/authlogin/cil:133 =
> (typeattributeset cil_gen_require dbusd_system_bus_client)

Signed-off-by: Nicolas PARLANT <nicolas.parlant <AT> parhuet.fr>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/authlogin.te | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index eddd4ced4..8f143d56d 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -142,7 +142,6 @@ term_dontaudit_use_all_ptys(chkpwd_t)
 
 auth_read_shadow_history(chkpwd_t)
 auth_use_nsswitch(chkpwd_t)
-auth_use_pam_systemd(chkpwd_t)
 
 logging_send_audit_msgs(chkpwd_t)
 logging_send_syslog_msg(chkpwd_t)
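Review bot: removing the unconditional auth_use_pam_systemd(chkpwd_t) is only safe together with the conditional re-add in the next hunk; if the two hunks are ever split (a partial cherry-pick, say), chkpwd_t silently loses pam_systemd access on systemd builds. The commit message should state that the call moves under a guard rather than going away, since "fixdep dbus" alone reads like a pure removal.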
@@ -160,6 +159,10 @@ ifdef(`distro_ubuntu',`
 	')
 ')
 
+ifdef(`init_systemd',`
+	auth_use_pam_systemd(chkpwd_t)
+')
+
 optional_policy(`
 	# apache leaks file descriptors
 	apache_dontaudit_rw_tcp_sockets(chkpwd_t)
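Review bot: the guard is ifdef(`init_systemd'), but the build failure quoted in the message is about the dbus module (cil_gen_require dbusd_system_bus_client), not about systemd; the fix holds because systemd builds always ship dbus, yet a build with init_systemd set and the dbus module absent would fail in exactly the same way. If that combination is meant to be unsupported, say so in the message; otherwise wrap the call in optional_policy(`...') so the linker drops it when dbus is not loaded.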


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2025-03-08 23:55 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2025-03-08 23:55 UTC (permalink / raw
  To: gentoo-commits

commit:     80ee737ef98eb2811a2b8d979a28f6e6190e8d9d
Author:     Clayton Casciato <ccasciato <AT> 21sw <DOT> us>
AuthorDate: Mon Mar  3 17:40:41 2025 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Mar  8 23:26:43 2025 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=80ee737e

unconfined: fix oddjob security_compute_sid

type=PROCTITLE proctitle=mkhomedir_helper user123 0077

type=SYSCALL syscall=socket per=PER_LINUX success=yes exit=3 a0=local
a1=SOCK_STREAM a2=ip a3=0xbee9d8a8 items=0 ppid=404 pid=1386 auid=unset
uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root
fsgid=root tty=ttyAMA0 ses=unset comm=mkhomedir_helpe
exe=/usr/sbin/mkhomedir_helper
subj=unconfined_u:unconfined_r:oddjob_mkhomedir_t:s0-s0:c0.c1023
key=(null)

type=SELINUX_ERR op=security_compute_sid
invalid_context=unconfined_u:unconfined_r:oddjob_mkhomedir_t:s0-s0:c0.c1023
scontext=unconfined_u:unconfined_r:oddjob_mkhomedir_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:oddjob_mkhomedir_t:s0-s0:c0.c1023
tclass=unix_stream_socket

--

Similar problem and resolution:
https://github.com/SELinuxProject/refpolicy/pull/171

--

Fedora:
https://github.com/fedora-selinux/selinux-policy/blob/v41.33/policy/modules/roles/unconfineduser.te#L365

--

Reference:
https://github.com/SELinuxProject/selinux-notebook/blob/main/src/auditing.md#general-selinux-audit-events

Signed-off-by: Clayton Casciato <ccasciato <AT> 21sw.us>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/unconfined.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index 6a605cc14..176c7d079 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -155,7 +155,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-	oddjob_domtrans_mkhomedir(unconfined_t)
+	oddjob_run_mkhomedir(unconfined_t, unconfined_r)
 ')
 
 optional_policy(`
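Review bot: the message should spell out why the rename fixes the SELINUX_ERR: the invalid_context is unconfined_u:unconfined_r:oddjob_mkhomedir_t, i.e. the role unconfined_r is not authorised for oddjob_mkhomedir_t, and oddjob_run_mkhomedir(unconfined_t, unconfined_r) adds that role association where oddjob_domtrans_mkhomedir only set up the domain transition. The refpolicy PR and Fedora links cover it, but the mail itself never connects the audit record to the one-line change.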


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2025-03-08 23:55 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2025-03-08 23:55 UTC (permalink / raw
  To: gentoo-commits

commit:     57a992f7e5924a007c7c9b51c3e54a7c4a5aaeff
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Tue Feb 18 19:11:50 2025 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Mar  8 23:26:43 2025 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=57a992f7

lvm: Add fc entries for veritysetup.

Includes systemd-veritysetup.

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/lvm.fc | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc
index ba1d88e2b..aa6abfe9b 100644
--- a/policy/modules/system/lvm.fc
+++ b/policy/modules/system/lvm.fc
@@ -53,6 +53,7 @@
 /usr/bin/pvremove		--	gen_context(system_u:object_r:lvm_exec_t,s0)
 /usr/bin/pvs			--	gen_context(system_u:object_r:lvm_exec_t,s0)
 /usr/bin/pvscan			--	gen_context(system_u:object_r:lvm_exec_t,s0)
+/usr/bin/veritysetup		--	gen_context(system_u:object_r:lvm_exec_t,s0)
 /usr/bin/vgcfgbackup		--	gen_context(system_u:object_r:lvm_exec_t,s0)
 /usr/bin/vgcfgrestore		--	gen_context(system_u:object_r:lvm_exec_t,s0)
 /usr/bin/vgchange		--	gen_context(system_u:object_r:lvm_exec_t,s0)
@@ -81,6 +82,7 @@ ifdef(`distro_gentoo',`
 /usr/lib/lvm-10/.*				--	gen_context(system_u:object_r:lvm_exec_t,s0)
 /usr/lib/lvm-200/.*				--	gen_context(system_u:object_r:lvm_exec_t,s0)
 /usr/lib/systemd/systemd-cryptsetup		--	gen_context(system_u:object_r:lvm_exec_t,s0)
+/usr/lib/systemd/systemd-veritysetup		--	gen_context(system_u:object_r:lvm_exec_t,s0)
 /usr/lib/systemd/system/blk-availability.*	--	gen_context(system_u:object_r:lvm_unit_t,s0)
 /usr/lib/systemd/system/dm-event.*		--	gen_context(system_u:object_r:lvm_unit_t,s0)
 /usr/lib/systemd/system/lvm2-.*			--	gen_context(system_u:object_r:lvm_unit_t,s0)
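Review bot: the hunk header's function context is ifdef(`distro_gentoo',`, so double-check that the new /usr/lib/systemd/systemd-veritysetup line sits outside that block, next to systemd-cryptsetup, and not inside it; if the distro block closed before the systemd-cryptsetup entry this is fine and non-Gentoo builds get the label too. Labelling it lvm_exec_t mirrors the existing systemd-cryptsetup entry, and the ordering between cryptsetup and the system/ unit files follows the file.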
@@ -121,6 +123,7 @@ ifdef(`distro_gentoo',`
 /usr/sbin/pvremove		--	gen_context(system_u:object_r:lvm_exec_t,s0)
 /usr/sbin/pvs			--	gen_context(system_u:object_r:lvm_exec_t,s0)
 /usr/sbin/pvscan		--	gen_context(system_u:object_r:lvm_exec_t,s0)
+/usr/sbin/veritysetup		--	gen_context(system_u:object_r:lvm_exec_t,s0)
 /usr/sbin/vgcfgbackup		--	gen_context(system_u:object_r:lvm_exec_t,s0)
 /usr/sbin/vgcfgrestore		--	gen_context(system_u:object_r:lvm_exec_t,s0)
 /usr/sbin/vgchange		--	gen_context(system_u:object_r:lvm_exec_t,s0)


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2025-03-09  0:20 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2025-03-09  0:20 UTC (permalink / raw
  To: gentoo-commits

commit:     d740fd2342fbfa017cf567fc9b7c9c498fdaadc1
Author:     Rahul Sandhu <nvraxn <AT> gmail <DOT> com>
AuthorDate: Fri Mar  7 20:56:09 2025 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Mar  9 00:19:37 2025 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d740fd23

tmpfiles: update path to openrc utilities

openrc-0.56 changed the default path for rc utilities [1]. Still keep
the old locations, however; they don't hurt to have and can always be
dropped in the future if desired.

[1] https://github.com/OpenRC/openrc/commit/7c31e504d5b48d688e5977f9616a1cd256310b03

Closes: https://github.com/gentoo/hardened-refpolicy/pull/10
Signed-off-by: Rahul Sandhu <nvraxn <AT> gmail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/tmpfiles.fc | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/policy/modules/system/tmpfiles.fc b/policy/modules/system/tmpfiles.fc
index a25eaa580..c0669e0e3 100644
--- a/policy/modules/system/tmpfiles.fc
+++ b/policy/modules/system/tmpfiles.fc
@@ -7,4 +7,5 @@ ifndef(`init_systemd',`
 /usr/bin/tmpfiles				--	gen_context(system_u:object_r:tmpfiles_exec_t,s0)
 /usr/lib/rc/bin/checkpath			--	gen_context(system_u:object_r:tmpfiles_exec_t,s0)
 /usr/lib/rc/sh/tmpfiles\.sh			--	gen_context(system_u:object_r:tmpfiles_exec_t,s0)
-
+/usr/libexec/rc/bin/checkpath			--	gen_context(system_u:object_r:tmpfiles_exec_t,s0)
+/usr/libexec/rc/sh/tmpfiles\.sh			--	gen_context(system_u:object_r:tmpfiles_exec_t,s0)
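Review bot: nothing in the .fc records that the /usr/lib/rc pair above the new entries is the pre-0.56 location the message says can be dropped later; a one-line comment above the old pair (for example `# openrc < 0.56 paths`) would let the next person remove them without digging through git history. Replacing the file's trailing blank line with the two /usr/libexec/rc entries is otherwise fine, and both pairs stay under the same ifndef(`init_systemd') context shown in the hunk header.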


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2025-07-15  7:54 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2025-07-15  7:54 UTC (permalink / raw
  To: gentoo-commits

commit:     dcdc4e1b5d64f745c958adf1efece17b3fec67c1
Author:     Clayton Casciato <ccasciato <AT> 21sw <DOT> us>
AuthorDate: Tue May 27 00:35:20 2025 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Jul 15 07:51:51 2025 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=dcdc4e1b

unconfined: allow firewalld_t unconfined_t:dbus send_msg

~# firewall-cmd --state
ERROR:dbus.proxies:Introspect error on
:1.3:/org/fedoraproject/FirewallD1: dbus.exceptions.DBusException:
org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible
causes include: the remote application did not send a reply, the
message bus security policy blocked the reply, the reply timeout
expired, or the network connection was broken.

--

type=USER_AVC pid=178 uid=messagebus auid=unset ses=unset
subj=system_u:system_r:system_dbusd_t:s0
msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.8
spid=228 tpid=525 scontext=system_u:system_r:firewalld_t:s0
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=dbus exe=/usr/bin/dbus-daemon sauid=messagebus hostname=? addr=?
terminal=?'

--

Fedora:

$ sesearch -A --source firewalld_t --target unconfined_t --class dbus
allow nsswitch_domain dbusd_unconfined:dbus send_msg;
allow system_bus_type dbusd_unconfined:dbus send_msg;

Signed-off-by: Clayton Casciato <ccasciato <AT> 21sw.us>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/unconfined.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index 176c7d079..fb5494e5a 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -106,6 +106,10 @@ optional_policy(`
 	dpkg_run(unconfined_t, unconfined_r)
 ')
 
+optional_policy(`
+	firewalld_dbus_chat(unconfined_t)
+')
+
 optional_policy(`
 	firstboot_run(unconfined_t, unconfined_r)
 ')
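Review bot: firewalld_dbus_chat(unconfined_t) grants send_msg in both directions between unconfined_t and firewalld_t, while the USER_AVC only shows the method_return from firewalld_t back to unconfined_t being blocked (the call itself evidently got through, or there would be no reply to deny); that is the normal refpolicy shape and matches what the Fedora sesearch output allows via the dbusd_unconfined attribute, so no change needed, but the message could note that the client direction was already permitted. Placement in alphabetical order between the dpkg and firstboot blocks is right.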


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2025-07-15  7:54 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2025-07-15  7:54 UTC (permalink / raw
  To: gentoo-commits

commit:     e01a2abec781e694c1d02519b34b817e7e157134
Author:     Rahul Sandhu <nvraxn <AT> gmail <DOT> com>
AuthorDate: Thu Jun  5 17:59:57 2025 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Jul 15 07:52:23 2025 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e01a2abe

auditd: don't grant write as implied by manage_files_pattern for logs

auditd doesn't actually need to be able to write logs, only create,
append, read, rename, and setattr them. Given that great lengths are
already taken to ensure audit log confidentiality and integrity (e.g.
marking as mls_systemhigh and granting cap_sys_nice to prioritise over
other processes to not miss audit events), it makes sense to not grant
an unnecessary permission which would allow a compromised audit daemon
to tamper with the audit logs.

Signed-off-by: Rahul Sandhu <nvraxn <AT> gmail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/logging.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 14d3132be..4f7041910 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -174,8 +174,8 @@ allow auditd_t auditd_etc_t:dir list_dir_perms;
 allow auditd_t auditd_etc_t:file read_file_perms;
 dontaudit auditd_t auditd_etc_t:file map;
 
-manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
 allow auditd_t auditd_log_t:dir setattr;
+allow auditd_t auditd_log_t:file { append_file_perms create_file_perms link read_file_perms rename_file_perms setattr_file_perms unlink };
 manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
 allow auditd_t var_log_t:dir search_dir_perms;
 
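Review bot: the directory permissions now hang on the wrong line: manage_files_pattern also expanded to `allow auditd_t auditd_log_t:dir rw_dir_perms;` (refpolicy misc_patterns.spt), and after its removal the only rule still granting add_name/remove_name on auditd_log_t directories is the manage_lnk_files_pattern line below. create, rename and unlink of log files therefore keep working only by courtesy of that neighbouring rule; add an explicit `allow auditd_t auditd_log_t:dir rw_dir_perms;` beside the existing dir setattr rule so the intent survives if the lnk rule is ever changed. Two further checks: the new file set deliberately omits write, so every open() of the log must carry O_APPEND or it will be denied (that is the property the commit wants, but it should be verified against auditd's open flags and its rotation path), and the bare `unlink` is fine since getattr is already covered by read_file_perms.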


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2025-07-15  8:05 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2025-07-15  8:05 UTC (permalink / raw
  To: gentoo-commits

commit:     226fa79c75ce0547a30a0058b2142ff783d62038
Author:     Marc Schiffbauer <mschiff <AT> gentoo <DOT> org>
AuthorDate: Tue Jun 24 15:55:27 2025 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Jul 15 08:04:54 2025 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=226fa79c

iptables: let nft dev_read_urand

Signed-off-by: Marc Schiffbauer <mschiff <AT> gentoo.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/iptables.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
index 0111c5ba9..7b0ef9df3 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -69,6 +69,7 @@ corecmd_exec_shell(iptables_t)
 corenet_relabelto_all_packets(iptables_t)
 corenet_dontaudit_rw_tun_tap_dev(iptables_t)
 
+dev_read_urand(iptables_t)
 dev_read_sysfs(iptables_t)
 dev_dontaudit_write_mtrr(iptables_t)
 
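Review bot: dev_read_urand(iptables_t) breaks the alphabetical run of dev_ calls (dev_read_sysfs should come first), and the message gives no denial or reason why nft needs /dev/urandom; record the AVC or the nft code path in the message, since an unexplained read of a character device is exactly the kind of rule that gets questioned in the next policy audit.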


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2025-07-15  8:05 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2025-07-15  8:05 UTC (permalink / raw
  To: gentoo-commits

commit:     0aa42eb04d9e3d1ed44fbbfa8ebb3f46f9031fc0
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Tue Jul  8 16:41:24 2025 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Jul 15 08:04:54 2025 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0aa42eb0

unconfined: Promote anon_inode access to full access.

This class inherits the file common.

Also see https://lore.kernel.org/selinux/48916a70-2a89-4d24-8e36-d15ccc112519 <AT> ieee.org/

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/unconfined.if | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
index 07fb19d04..45cb43907 100644
--- a/policy/modules/system/unconfined.if
+++ b/policy/modules/system/unconfined.if
@@ -50,8 +50,7 @@ interface(`unconfined_domain_noaudit',`
 	# Write access is for setting attributes under /proc/self/attr.
 	allow $1 self:file rw_file_perms;
 
-	# io_uring
-	allow $1 self:anon_inode { create map read write };
+	allow $1 self:anon_inode { manage_file_perms mounton quotaon relabel_file_perms watch watch_mount watch_reads watch_sb watch_with_perm }; #selint-disable:S-009
 
 	# Userland object managers
 	allow $1 self:nscd { admin getgrp gethost getpwd getserv getstat shmemgrp shmemhost shmempwd shmemserv };
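Review bot: the # io_uring comment goes away, yet the new rule is far less self-explanatory than the old four permissions; keep a comment stating that anon_inode inherits the file common class (the message's own justification) so the selint-disable:S-009 marker has a reason on record. Granting the full set on self:anon_inode inside unconfined_domain_noaudit is consistent with the rw_file_perms on self:file two lines above, so the substance is fine.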


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2025-07-15  8:05 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2025-07-15  8:05 UTC (permalink / raw
  To: gentoo-commits

commit:     9a5633d3c88824d2d09c12479b23b97a052b5cf4
Author:     Marc Schiffbauer <mschiff <AT> gentoo <DOT> org>
AuthorDate: Tue Jun 24 15:57:28 2025 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Jul 15 08:04:54 2025 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9a5633d3

iptables: allow incus_stream_connect_daemon

Signed-off-by: Marc Schiffbauer <mschiff <AT> gentoo.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/iptables.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
index 7b0ef9df3..639052f88 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -132,6 +132,10 @@ optional_policy(`
 	firstboot_rw_pipes(iptables_t)
 ')
 
+optional_policy(`
+	incus_stream_connect_daemon(iptables_t)
+')
+
 optional_policy(`
 	# apply firewall rules from multus
 	kubernetes_rw_container_engine_fifo_files(iptables_t)
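Review bot: the new optional_policy block has no comment, unlike the kubernetes block right below it (# apply firewall rules from multus); add one line saying why iptables_t needs to stream-connect to the incus daemon socket, so the rule can be re-evaluated if incus changes how it drives nftables. Alphabetical placement between firstboot and kubernetes is correct.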


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2025-07-15  8:12 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2025-07-15  8:12 UTC (permalink / raw
  To: gentoo-commits

commit:     3a3c45061785c7790360f8ce2f9c0336462fca83
Author:     Rahul Sandhu <nvraxn <AT> gmail <DOT> com>
AuthorDate: Sat Jun 28 09:27:35 2025 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Jul 15 08:12:19 2025 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3a3c4506

tmpfiles: gatekeep init_exec_rc behind distro_gentoo

init_exec_rc is only available on builds where DISTRO=gentoo

Signed-off-by: Rahul Sandhu <nvraxn <AT> gmail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/tmpfiles.te | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/policy/modules/system/tmpfiles.te b/policy/modules/system/tmpfiles.te
index 8a1715e5b..d7c566d06 100644
--- a/policy/modules/system/tmpfiles.te
+++ b/policy/modules/system/tmpfiles.te
@@ -84,8 +84,6 @@ selinux_get_enforce_mode(tmpfiles_t)
 
 auth_use_nsswitch(tmpfiles_t)
 
-init_exec_rc(tmpfiles_t)
-
 miscfiles_read_localization(tmpfiles_t)
 
 seutil_exec_setfiles(tmpfiles_t)
@@ -99,6 +97,7 @@ ifdef(`distro_gentoo',`
 	dev_create_generic_chr_files(tmpfiles_t)
 	dev_create_generic_blk_files(tmpfiles_t)
 
+	init_exec_rc(tmpfiles_t)
 	init_relabelto_script_state(tmpfiles_t)
 ')
 
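Review bot: a short comment inside the distro_gentoo block would help, because the reason init_exec_rc(tmpfiles_t) lives there (the interface only exists when DISTRO=gentoo, per the message) is invisible in the policy file itself; the placement next to init_relabelto_script_state is otherwise consistent with the block.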


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2025-09-02 22:15 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2025-09-02 22:15 UTC (permalink / raw
  To: gentoo-commits

commit:     ec44d0f7401dbd1c01bead625eb1d08752fbe254
Author:     Yi Zhao <yi.zhao <AT> windriver <DOT> com>
AuthorDate: Sun Jul 20 15:17:09 2025 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Sep  2 20:40:01 2025 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ec44d0f7

udev: allow udev_t to watch udev_runtime_t directory

Fix:
avc:  denied  { watch } for  pid=175 comm="udevadm" path="/run/udev"
dev="tmpfs" ino=2 scontext=system_u:system_r:udev_t
tcontext=system_u:object_r:udev_runtime_t tclass=dir permissive=0

Signed-off-by: Yi Zhao <yi.zhao <AT> windriver.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/udev.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index b8406bf3b..b7864d240 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -85,6 +85,7 @@ manage_files_pattern(udev_t, udev_runtime_t, udev_runtime_t)
 manage_lnk_files_pattern(udev_t, udev_runtime_t, udev_runtime_t)
 manage_sock_files_pattern(udev_t, udev_runtime_t, udev_runtime_t)
 files_runtime_filetrans(udev_t, udev_runtime_t, dir, "udev")
+allow udev_t udev_runtime_t:dir watch;
 
 kernel_load_module(udev_t)
 kernel_read_system_state(udev_t)
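Review bot: the raw `allow udev_t udev_runtime_t:dir watch;` is appended after the files_runtime_filetrans call, whereas this block puts the allow/pattern lines first and interface calls after; it reads better directly beneath the manage_sock_files_pattern line. On substance the rule is the minimal fix for the quoted AVC (comm="udevadm", path="/run/udev", tclass=dir, { watch }) and adds nothing beyond it.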


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2025-09-02 22:15 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2025-09-02 22:15 UTC (permalink / raw
  To: gentoo-commits

commit:     ea5b8bd01a5db82b9fa80b8a62372bb038b180d2
Author:     Russell Coker <russell <AT> coker <DOT> com <DOT> au>
AuthorDate: Mon Jul 28 14:43:25 2025 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Sep  2 22:02:19 2025 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ea5b8bd0

systemd (#995)

* Some small systemd patches, including a fix for breakage in systemd-logind:
if it can't statfs /proc it can abort, fail to respond to dbus messages,
and cause a 25 second delay on login.

Signed-off-by: Russell Coker <russell <AT> coker.com.au>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/systemd.te | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index d16c07018..334d2c5fc 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1093,7 +1093,7 @@ stream_connect_pattern(systemd_logind_t, systemd_userdbd_runtime_t, systemd_user
 
 ps_process_pattern(systemd_logind_t, systemd_user_session_type, systemd_user_session_type)
 
-kernel_dontaudit_getattr_proc(systemd_logind_t)
+kernel_getattr_proc(systemd_logind_t)
 kernel_read_kernel_sysctls(systemd_logind_t)
 
 auth_write_login_records(systemd_logind_t)
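Review bot: switching kernel_dontaudit_getattr_proc to kernel_getattr_proc for systemd_logind_t is justified by the message (logind aborts if statfs /proc fails and logins stall for 25 seconds), but paste the AVC as well; the dontaudit was presumably added on the belief that the denial was harmless, and the evidence that it is not belongs in the history next to the reversal.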
@@ -1290,6 +1290,7 @@ optional_policy(`
 	xserver_dbus_chat(systemd_logind_t)
 	xserver_dbus_chat_xdm(systemd_logind_t)
 	xserver_read_xdm_state(systemd_logind_t)
+	xserver_use_xdm_fds(systemd_logind_t)
 ')
 
 optional_policy(`
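Review bot: xserver_use_xdm_fds(systemd_logind_t) is not mentioned anywhere in the message, which only describes the statfs /proc fix; add the denial that motivated inheriting xdm's file descriptors so the rule is traceable later.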
@@ -1401,6 +1402,8 @@ kernel_read_system_state(systemd_machine_id_setup_t)
 init_read_runtime_files(systemd_machine_id_setup_t)
 init_read_state(systemd_machine_id_setup_t)
 
+logging_send_syslog_msg(systemd_machine_id_setup_t)
+
 systemd_log_parse_environment(systemd_machine_id_setup_t)
 
 optional_policy(`
@@ -1836,6 +1839,7 @@ miscfiles_read_localization(systemd_passwd_agent_t)
 seutil_search_default_contexts(systemd_passwd_agent_t)
 
 userdom_use_user_terminals(systemd_passwd_agent_t)
+userdom_search_user_runtime(systemd_passwd_agent_t)
 systemd_search_user_runtime(systemd_passwd_agent_t)
 
 optional_policy(`
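Review bot: userdom_search_user_runtime(systemd_passwd_agent_t) is likewise undocumented in the message; note which path the agent was denied searching. Keeping it paired with the existing systemd_search_user_runtime line is fine.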
@@ -2068,7 +2072,7 @@ systemd_log_parse_environment(systemd_sessions_t)
 # sys_admin for sysctls such as kernel.kptr_restrict and kernel.dmesg_restrict
 # sys_ptrace for kernel.yama.ptrace_scope
 # net_admin for network sysctls
-allow systemd_sysctl_t self:capability { net_admin sys_admin sys_ptrace };
+allow systemd_sysctl_t self:capability { net_admin sys_admin sys_ptrace sys_resource };
 
 kernel_read_kernel_sysctls(systemd_sysctl_t)
 kernel_request_load_module(systemd_sysctl_t)
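Review bot: the three-line comment above this rule explains each capability (sys_admin, sys_ptrace, net_admin), but sys_resource is added without a matching line; extend the comment with the sysctl that needs sys_resource, otherwise the next reader cannot tell whether it is still required or can be dropped.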
@@ -2475,7 +2479,7 @@ fs_getattr_xattr_fs(systemd_user_runtime_dir_t)
 fs_getattr_nsfs_files(systemd_user_runtime_dir_t)
 
 kernel_read_kernel_sysctls(systemd_user_runtime_dir_t)
-kernel_dontaudit_getattr_proc(systemd_user_runtime_dir_t)
+kernel_getattr_proc(systemd_user_runtime_dir_t)
 
 selinux_use_status_page(systemd_user_runtime_dir_t)
 
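Review bot: this is the same dontaudit-to-allow change as for systemd_logind_t, but for systemd_user_runtime_dir_t the message says nothing; if it is the same statfs /proc abort, say so, and if it is a different symptom, record that instead.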


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2025-09-02 22:15 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2025-09-02 22:15 UTC (permalink / raw
  To: gentoo-commits

commit:     3b17e6e5ccfef4edaf5f3175a5c757220531fba3
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Jul 23 12:44:40 2025 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Sep  2 22:01:01 2025 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3b17e6e5

systemd: Add syslog access to systemd-notify.

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/systemd.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 6978002e8..d16c07018 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1553,6 +1553,8 @@ init_rw_stream_sockets(systemd_notify_t)
 
 miscfiles_read_localization(systemd_notify_t)
 
+systemd_log_parse_environment(systemd_notify_t)
+
 ########################################
 #
 # Nspawn local policy
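Review bot: the subject promises syslog access for systemd-notify, but the hunk adds systemd_log_parse_environment(systemd_notify_t), not logging_send_syslog_msg; if the systemd_log_parse_env_type attribute is what carries the syslog rules, say so in the message, since anyone grepping for the syslog interface will not find it in this change.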


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2025-09-02 22:15 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2025-09-02 22:15 UTC (permalink / raw
  To: gentoo-commits

commit:     a164eef3498d14087c17c751e9473c132f78e406
Author:     Nicolas PARLANT <nicolas.parlant <AT> parhuet <DOT> fr>
AuthorDate: Sun Jul 27 14:38:49 2025 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Sep  2 22:01:01 2025 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a164eef3

files context: fix multipath merged-usr

Signed-off-by: Nicolas PARLANT <nicolas.parlant <AT> parhuet.fr>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/lvm.fc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc
index aa6abfe9b..0be26668d 100644
--- a/policy/modules/system/lvm.fc
+++ b/policy/modules/system/lvm.fc
@@ -43,6 +43,7 @@
 /usr/bin/lvresize		--	gen_context(system_u:object_r:lvm_exec_t,s0)
 /usr/bin/lvs			--	gen_context(system_u:object_r:lvm_exec_t,s0)
 /usr/bin/lvscan			--	gen_context(system_u:object_r:lvm_exec_t,s0)
+/usr/bin/multipath		--	gen_context(system_u:object_r:lvm_exec_t,s0)
 /usr/bin/multipathd		--	gen_context(system_u:object_r:lvm_exec_t,s0)
 /usr/bin/multipath\.static	--	gen_context(system_u:object_r:lvm_exec_t,s0)
 /usr/bin/pvchange		--	gen_context(system_u:object_r:lvm_exec_t,s0)
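Review bot: the new /usr/bin/multipath entry sorts correctly before multipathd and multipath\.static, but the title says merged-usr and this file also has a /usr/sbin section further down (visible in the veritysetup commit on this page); check whether that section already carries multipath so both halves stay symmetric, and if it does not, say in the message why only the /usr/bin side is needed.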


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2025-09-02 22:15 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2025-09-02 22:15 UTC (permalink / raw
  To: gentoo-commits

commit:     beb9a141a7b43b6583e2191c395b60454abc4eb5
Author:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
AuthorDate: Sat Jul 26 02:45:40 2025 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Sep  2 22:01:01 2025 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=beb9a141

systemd: allow users to run systemd-cgtop

Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/systemd.if | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 8dc8f5899..467c7b70b 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -26,7 +26,7 @@ template(`systemd_role_template',`
 		class system { disable enable reload start status stop };
 		attribute systemd_user_session_type, systemd_log_parse_env_type;
 		attribute systemd_user_activated_sock_file_type, systemd_user_unix_stream_activated_socket_type;
-		type systemd_analyze_exec_t;
+		type systemd_analyze_exec_t, systemd_cgtop_exec_t;
 		type systemd_conf_home_t, systemd_data_home_t;
 		type systemd_tmpfiles_exec_t;
 		type systemd_user_runtime_t, systemd_user_runtime_notify_t;
@@ -197,6 +197,7 @@ template(`systemd_role_template',`
 	allow $3 systemd_conf_home_t:service { reload start status stop };
 
 	can_exec($3, systemd_analyze_exec_t)
+	can_exec($3, systemd_cgtop_exec_t)
 
 	init_dbus_chat($3)
 	init_search_var_lib_dirs($3)
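Review bot: can_exec($3, systemd_cgtop_exec_t) keeps systemd-cgtop in the user's own domain, like systemd-analyze on the line above, so what it can display depends on whether $3 can already read the cgroup filesystem; if a role cannot, cgtop runs but shows nothing useful, so a quick run in both the sysadm and user roles is worth doing before relying on it. The matching require block addition in the first hunk is correct.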


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2025-09-02 22:15 Jason Zaman
  0 siblings, 0 replies; 705+ messages in thread
From: Jason Zaman @ 2025-09-02 22:15 UTC (permalink / raw
  To: gentoo-commits

commit:     6baef51956426d0b0a2d21d3a62bf4ff2acc17f3
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed Aug 13 19:15:04 2025 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Sep  2 22:04:48 2025 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6baef519

fstools: Remove noted reiserfs rules and file contexts.

Reiserfs was removed from kernel 6.13.

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/fstools.fc | 6 ------
 policy/modules/system/fstools.te | 3 ---
 2 files changed, 9 deletions(-)

diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
index 92a7722ae..88887b010 100644
--- a/policy/modules/system/fstools.fc
+++ b/policy/modules/system/fstools.fc
@@ -23,13 +23,11 @@
 /usr/bin/jfs_.*			--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/bin/losetup.*		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/bin/lsraid			--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-/usr/bin/make_reiser4		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/bin/mkdosfs		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/bin/mke2fs			--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/bin/mke4fs			--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/bin/mkfs.*			--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/bin/mkraid			--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-/usr/bin/mkreiserfs		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/bin/mkswap			--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/bin/parted			--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/bin/partition_uuid		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
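Review bot: the two removals here (`/usr/bin/make_reiser4` and `/usr/bin/mkreiserfs`) change the label of binaries that can still be installed: dropping reiserfs from the kernel does not uninstall the reiserfs or reiser4 userspace packages, so on a host that still has them these files fall back to the directory's default label at the next relabel and run in the caller's domain instead of fsadm_t. That is a reasonable outcome for a dead filesystem, but the commit message only cites the kernel removal; it should say that the userspace tools are intentionally no longer confined and that a `restorecon -R /usr/bin /usr/sbin` (or a package reinstall) is needed for installed systems to pick the change up. Note also that the `/usr/bin/mkfs.*` entry four lines below survives, so a `mkfs.reiserfs` name, if the package ships one, keeps fsadm_exec_t while `mkreiserfs` loses it; the same tool would then carry two labels depending on which name invokes it.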
@@ -38,7 +36,6 @@
 /usr/bin/raidautorun		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/bin/raidstart		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/bin/raw			--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-/usr/bin/reiserfs(ck|tune)	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/bin/resize.*fs		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/bin/scsi_info		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/bin/scsi_unique_id		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
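Review bot: removing `/usr/bin/reiserfs(ck|tune)` leaves the cleanup only partly done, because the `/usr/bin/resize.*fs` entry immediately below still matches `resize_reiserfs` from the same package; after this hunk `reiserfsck` and `reiserfstune` lose fsadm_exec_t while `resize_reiserfs` keeps it. If the goal is "no reiserfs tools in fsadm_t", the catch-all needs tightening to the resize tools that are actually meant to be covered, or the remaining match should be named in the commit message as accepted; if the goal is only to drop dead explicit entries, saying so in the message avoids the same question on the next review.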
@@ -80,20 +77,17 @@
 /usr/sbin/jfs_.*		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/sbin/losetup.*		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/sbin/lsraid		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-/usr/sbin/make_reiser4		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/sbin/mkdosfs		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/sbin/mke2fs		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/sbin/mke4fs		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/sbin/mkfs.*		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/sbin/mkraid		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-/usr/sbin/mkreiserfs		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/sbin/mkswap		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/sbin/parted		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/sbin/partprobe		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/sbin/partx			--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/sbin/raidautorun		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/sbin/raidstart		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
-/usr/sbin/reiserfs(ck|tune)	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/sbin/resize.*fs		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/sbin/scsi_info		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/sbin/sfdisk		--	gen_context(system_u:object_r:fsadm_exec_t,s0)
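Review bot: this hunk mirrors the three /usr/bin removals one for one, which keeps the two blocks in step, but it inherits the same gap: `/usr/sbin/mkfs.*` and `/usr/sbin/resize.*fs` remain and still cover any `mkfs.reiserfs` or `resize_reiserfs` name under /usr/sbin, so the effective label for those paths is now decided by the catch-alls rather than by anything removed here. After rebuilding the file contexts, a quick `matchpathcon /usr/sbin/resize_reiserfs /usr/sbin/reiserfsck` will show the two different answers side by side; if that split is acceptable, please record it in the commit message so the next person touching these blocks does not "fix" it back.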

diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index 0866e14b7..1c3e52726 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -75,9 +75,6 @@ kernel_request_load_module(fsadm_t)
 kernel_manage_unlabeled_dirs(fsadm_t)
 # Allow console log change (updfstab)
 kernel_change_ring_buffer_level(fsadm_t)
-# mkreiserfs needs this
-kernel_getattr_proc(fsadm_t)
-kernel_getattr_core_if(fsadm_t)
 # Access to /initrd devices
 kernel_rw_unlabeled_dirs(fsadm_t)
 kernel_rw_unlabeled_blk_files(fsadm_t)
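Review bot: dropping `kernel_getattr_proc(fsadm_t)` and `kernel_getattr_core_if(fsadm_t)` because the `# mkreiserfs needs this` comment is stale is the right least-privilege instinct, but that comment only records which tool first triggered the denial, not which other tools in fsadm_t have since come to rely on the permission. Before merging, check that fsadm_t still receives getattr on proc_t through some other interface in this file or in a module it calls (for example `sesearch -A -s fsadm_t -t proc_t -p getattr` against the built policy); if it does not, exercise the remaining fsadm tools that appear in this patch's file contexts (fsck, mkswap, losetup, parted) under the new policy and confirm no new AVC denials appear before treating the removal as safe.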


^ permalink raw reply related	[flat|nested] 705+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
@ 2025-09-19 16:56 Kenton Groombridge
  0 siblings, 0 replies; 705+ messages in thread
From: Kenton Groombridge @ 2025-09-19 16:56 UTC (permalink / raw
  To: gentoo-commits

commit:     5047e25fbaf786fd8a286fc4699eab086bdb13e9
Author:     Nicolas PARLANT <nicolas.parlant <AT> parhuet <DOT> fr>
AuthorDate: Sun Jul 27 16:10:47 2025 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Fri Sep 19 16:55:56 2025 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5047e25f

files context : fix mkfs.f2fs for usr-merged

Signed-off-by: Nicolas PARLANT <nicolas.parlant <AT> parhuet.fr>
Part-of: https://github.com/gentoo/hardened-refpolicy/pull/19
Closes: https://github.com/gentoo/hardened-refpolicy/pull/19
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/system/fstools.fc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
index 88887b010..13de030cf 100644
--- a/policy/modules/system/fstools.fc
+++ b/policy/modules/system/fstools.fc
@@ -114,5 +114,6 @@ ifdef(`distro_gentoo',`
 /run/fsck(/.*)?		gen_context(system_u:object_r:fsadm_run_t,s0)
 
 ifdef(`distro_gentoo',`
+/usr/bin/mkfs\.f2fs	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/sbin/mkfs\.f2fs	--	gen_context(system_u:object_r:fsadm_exec_t,s0)
 ')
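Review bot: the added `/usr/bin/mkfs\.f2fs` entry is redundant with the generic `/usr/bin/mkfs.*` entry earlier in this same file (the pre-image index `88887b010` matches the post-image of the reiserfs commit above, whose first hunk shows that line): `mkfs.*` already matches `mkfs.f2fs` and assigns the same fsadm_exec_t, so the new line changes no label, and the existing `/usr/sbin/mkfs\.f2fs` line is likewise shadowed by `/usr/sbin/mkfs.*`. If the Gentoo block needs its own f2fs entries for a reason not visible here (a different type planned, or a path outside the catch-all), a comment on the block should say so; otherwise both f2fs lines could be dropped rather than one more added. As a style point, the subject `files context : fix mkfs.f2fs for usr-merged` would read better in the `fstools:` prefix form the other commits on this page use.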


^ permalink raw reply related	[flat|nested] 705+ messages in thread

end of thread, other threads:[~2025-09-19 16:56 UTC | newest]

Thread overview: 705+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2012-05-27 18:39 [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/ Sven Vermeulen
  -- strict thread matches above, loose matches on Subject: below --
2012-05-28  7:26 Sven Vermeulen
2012-05-28  8:01 Sven Vermeulen
2012-05-28  8:18 Sven Vermeulen
2012-05-28  8:41 Sven Vermeulen
2012-06-23 13:40 Sven Vermeulen
2012-06-27 19:12 Sven Vermeulen
2012-07-04 20:16 Sven Vermeulen
2012-07-10 17:22 Sven Vermeulen
2012-07-10 18:26 Sven Vermeulen
2012-07-10 18:26 Sven Vermeulen
2012-07-12 17:03 Sven Vermeulen
2012-07-17 16:27 Sven Vermeulen
2012-07-17 16:27 Sven Vermeulen
2012-07-26 19:23 Sven Vermeulen
2012-07-27 10:11 Sven Vermeulen
2012-07-27 10:43 Sven Vermeulen
2012-08-09 16:45 Sven Vermeulen
2012-08-15 13:03 Sven Vermeulen
2012-08-15 13:04 Sven Vermeulen
2012-08-15 13:04 Sven Vermeulen
2012-08-15 13:04 Sven Vermeulen
2012-08-21 17:52 Sven Vermeulen
2012-08-29 18:48 Sven Vermeulen
2012-08-29 18:48 Sven Vermeulen
2012-08-29 19:31 Sven Vermeulen
2012-10-04 18:21 Sven Vermeulen
2012-10-10 19:52 Sven Vermeulen
2012-10-10 19:52 Sven Vermeulen
2012-10-10 19:52 Sven Vermeulen
2012-10-19 15:06 Sven Vermeulen
2012-10-19 15:06 Sven Vermeulen
2012-10-19 15:06 Sven Vermeulen
2012-10-24 17:51 Sven Vermeulen
2012-10-28 13:48 Sven Vermeulen
2012-10-29 16:06 Sven Vermeulen
2012-10-29 17:45 Sven Vermeulen
2012-10-29 17:59 Sven Vermeulen
2012-10-30 20:24 Sven Vermeulen
2012-10-31 18:04 Sven Vermeulen
2012-10-31 18:04 Sven Vermeulen
2012-10-31 18:04 Sven Vermeulen
2012-10-31 18:04 Sven Vermeulen
2012-10-31 18:04 Sven Vermeulen
2012-11-12 21:30 Sven Vermeulen
2012-11-12 21:58 Sven Vermeulen
2012-11-12 21:58 Sven Vermeulen
2012-11-12 21:58 Sven Vermeulen
2012-11-12 21:58 Sven Vermeulen
2012-11-12 21:58 Sven Vermeulen
2012-11-21 20:40 Sven Vermeulen
2012-11-27 19:14 Sven Vermeulen
2012-11-27 19:14 Sven Vermeulen
2012-11-27 19:14 Sven Vermeulen
2012-11-27 19:14 Sven Vermeulen
2012-11-27 19:14 Sven Vermeulen
2012-11-27 19:14 Sven Vermeulen
2012-11-27 19:14 Sven Vermeulen
2012-11-27 19:14 Sven Vermeulen
2012-11-27 19:14 Sven Vermeulen
2012-11-27 19:14 Sven Vermeulen
2012-12-03 15:45 Sven Vermeulen
2012-12-03 21:03 Sven Vermeulen
2012-12-07 15:36 Sven Vermeulen
2012-12-07 15:36 Sven Vermeulen
2012-12-09 22:25 Sven Vermeulen
2012-12-21 20:10 Sven Vermeulen
2012-12-29 18:24 Sven Vermeulen
2012-12-29 18:24 Sven Vermeulen
2012-12-29 18:24 Sven Vermeulen
2012-12-29 18:24 Sven Vermeulen
2012-12-29 18:24 Sven Vermeulen
2012-12-29 18:24 Sven Vermeulen
2012-12-29 18:24 Sven Vermeulen
2012-12-29 18:24 Sven Vermeulen
2013-01-03 16:49 Sven Vermeulen
2013-01-03 16:49 Sven Vermeulen
2013-01-03 16:49 Sven Vermeulen
2013-01-03 16:49 Sven Vermeulen
2013-01-03 16:49 Sven Vermeulen
2013-01-16 15:22 Matt Thode
2013-01-20 14:41 Sven Vermeulen
2013-01-20 15:23 Sven Vermeulen
2013-02-04 19:17 Sven Vermeulen
2013-02-04 19:17 Sven Vermeulen
2013-02-04 19:17 Sven Vermeulen
2013-02-04 19:17 Sven Vermeulen
2013-02-04 19:17 Sven Vermeulen
2013-02-23 17:14 Sven Vermeulen
2013-03-04 20:15 Sven Vermeulen
2013-04-10 19:55 Sven Vermeulen
2013-04-11  7:19 Sven Vermeulen
2013-04-11  7:19 Sven Vermeulen
2013-05-11 13:06 Sven Vermeulen
2013-06-23 10:11 Sven Vermeulen
2013-07-04 17:32 Sven Vermeulen
2013-07-04 17:32 Sven Vermeulen
2013-07-04 18:47 Sven Vermeulen
2013-07-07  8:43 Sven Vermeulen
2013-08-10 16:39 Sven Vermeulen
2013-08-15  5:46 Sven Vermeulen
2013-08-15 17:23 Sven Vermeulen
2013-08-16 10:45 Sven Vermeulen
2013-08-16 16:38 Sven Vermeulen
2013-08-23 17:34 Sven Vermeulen
2013-09-16  9:26 Sven Vermeulen
2013-09-24 17:10 Sven Vermeulen
2013-09-27 13:27 Sven Vermeulen
2013-09-27 13:27 Sven Vermeulen
2013-09-27 13:27 Sven Vermeulen
2013-09-27 13:27 Sven Vermeulen
2013-09-27 13:27 Sven Vermeulen
2013-09-27 13:27 Sven Vermeulen
2013-09-27 13:27 Sven Vermeulen
2013-09-27 13:27 Sven Vermeulen
2013-09-27 13:27 Sven Vermeulen
2013-09-27 13:27 Sven Vermeulen
2013-09-30 19:03 Sven Vermeulen
2013-09-30 19:03 Sven Vermeulen
2013-09-30 19:03 Sven Vermeulen
2013-09-30 19:03 Sven Vermeulen
2013-10-21 18:45 Sven Vermeulen
2013-10-21 18:45 Sven Vermeulen
2013-10-21 18:45 Sven Vermeulen
2013-11-03 11:19 Sven Vermeulen
2013-11-17 17:26 Sven Vermeulen
2013-11-17 17:26 Sven Vermeulen
2013-11-17 17:26 Sven Vermeulen
2013-11-17 17:26 Sven Vermeulen
2013-11-17 17:26 Sven Vermeulen
2013-12-06 17:33 Sven Vermeulen
2013-12-06 17:33 Sven Vermeulen
2013-12-06 17:33 Sven Vermeulen
2013-12-06 17:33 Sven Vermeulen
2013-12-06 17:33 Sven Vermeulen
2013-12-06 17:33 Sven Vermeulen
2013-12-06 17:33 Sven Vermeulen
2013-12-06 17:33 Sven Vermeulen
2013-12-06 17:33 Sven Vermeulen
2013-12-06 17:33 Sven Vermeulen
2013-12-06 17:33 Sven Vermeulen
2013-12-06 17:33 Sven Vermeulen
2013-12-06 17:33 Sven Vermeulen
2013-12-06 17:33 Sven Vermeulen
2013-12-06 17:33 Sven Vermeulen
2013-12-06 17:33 Sven Vermeulen
2013-12-06 17:48 Sven Vermeulen
2013-12-06 17:48 Sven Vermeulen
2013-12-09 19:17 Sven Vermeulen
2013-12-12 12:37 Sven Vermeulen
2013-12-12 12:37 Sven Vermeulen
2013-12-12 12:37 Sven Vermeulen
2013-12-12 12:37 Sven Vermeulen
2013-12-12 12:37 Sven Vermeulen
2013-12-12 12:37 Sven Vermeulen
2013-12-20 19:47 Sven Vermeulen
2013-12-20 21:00 Sven Vermeulen
2013-12-20 21:00 Sven Vermeulen
2013-12-20 21:00 Sven Vermeulen
2013-12-20 21:00 Sven Vermeulen
2013-12-20 21:00 Sven Vermeulen
2013-12-20 21:00 Sven Vermeulen
2013-12-20 21:00 Sven Vermeulen
2013-12-29 15:24 Sven Vermeulen
2014-01-18 10:29 Sven Vermeulen
2014-01-19 19:01 Sven Vermeulen
2014-01-19 19:01 Sven Vermeulen
2014-01-19 19:01 Sven Vermeulen
2014-01-19 19:01 Sven Vermeulen
2014-01-23 20:00 Sven Vermeulen
2014-01-28  8:09 Sven Vermeulen
2014-01-28  8:09 Sven Vermeulen
2014-02-01  9:56 Sven Vermeulen
2014-02-01  9:56 Sven Vermeulen
2014-02-09 10:54 Sven Vermeulen
2014-02-09 10:54 Sven Vermeulen
2014-02-17 19:55 Sven Vermeulen
2014-04-08 16:02 Sven Vermeulen
2014-04-08 16:02 Sven Vermeulen
2014-04-11 17:48 Sven Vermeulen
2014-04-11 17:48 Sven Vermeulen
2014-04-11 17:48 Sven Vermeulen
2014-04-21 15:25 Sven Vermeulen
2014-04-21 15:25 Sven Vermeulen
2014-04-21 15:25 Sven Vermeulen
2014-05-01  8:49 Sven Vermeulen
2014-05-16 18:43 Sven Vermeulen
2014-05-16 18:43 Sven Vermeulen
2014-05-28 15:40 Sven Vermeulen
2014-05-28 15:40 Sven Vermeulen
2014-05-30 12:51 Sven Vermeulen
2014-06-07 17:48 Sven Vermeulen
2014-06-07 18:13 Sven Vermeulen
2014-06-10 18:17 Sven Vermeulen
2014-06-22 10:34 Sven Vermeulen
2014-06-22 11:37 Sven Vermeulen
2014-06-23 19:58 Sven Vermeulen
2014-06-23 20:04 Sven Vermeulen
2014-06-25 19:06 Sven Vermeulen
2014-06-25 19:06 Sven Vermeulen
2014-06-30 19:03 Sven Vermeulen
2014-06-30 19:03 Sven Vermeulen
2014-07-15 16:16 Sven Vermeulen
2014-07-29 14:07 Sven Vermeulen
2014-07-29 14:07 Sven Vermeulen
2014-07-30 10:21 Sven Vermeulen
2014-07-31 15:26 Sven Vermeulen
2014-08-07  8:06 Sven Vermeulen
2014-08-08 14:49 [gentoo-commits] proj/hardened-refpolicy:testing " Sven Vermeulen
2014-08-08 15:27 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
2014-08-08 15:27 Sven Vermeulen
2014-08-08 15:27 Sven Vermeulen
2014-08-12 17:12 Sven Vermeulen
2014-08-13 20:02 Sven Vermeulen
2014-08-15 10:04 Sven Vermeulen
2014-08-15 10:04 [gentoo-commits] proj/hardened-refpolicy:salt " Sven Vermeulen
2014-08-15 10:04 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
2014-08-15 10:04 [gentoo-commits] proj/hardened-refpolicy:salt " Sven Vermeulen
2014-08-15 10:04 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
2014-08-17  9:42 Sven Vermeulen
2014-08-19  9:19 Jason Zaman
2014-08-19  9:19 Jason Zaman
2014-08-19  9:19 Jason Zaman
2014-08-19  9:19 Jason Zaman
2014-08-19 20:07 Sven Vermeulen
2014-08-19 20:07 Sven Vermeulen
2014-08-19 20:07 Sven Vermeulen
2014-08-20 17:29 Sven Vermeulen
2014-08-21 17:31 Sven Vermeulen
2014-08-21 17:31 Sven Vermeulen
2014-08-22 18:07 Sven Vermeulen
2014-08-22 19:05 Sven Vermeulen
2014-08-22 19:12 Sven Vermeulen
2014-09-13  9:38 Sven Vermeulen
2014-09-13  9:38 Sven Vermeulen
2014-09-13  9:38 Sven Vermeulen
2014-09-13  9:38 Sven Vermeulen
2014-09-13  9:38 Sven Vermeulen
2014-09-13  9:38 Sven Vermeulen
2014-09-13  9:38 Sven Vermeulen
2014-09-13  9:38 Sven Vermeulen
2014-09-13  9:38 Sven Vermeulen
2014-09-13  9:38 Sven Vermeulen
2014-09-13  9:38 Sven Vermeulen
2014-09-21 14:04 Sven Vermeulen
2014-10-12  8:27 Sven Vermeulen
2014-10-12  9:13 Sven Vermeulen
2014-10-31 15:32 Sven Vermeulen
2014-10-31 15:32 Sven Vermeulen
2014-10-31 15:32 Sven Vermeulen
2014-10-31 15:32 Sven Vermeulen
2014-10-31 15:32 Sven Vermeulen
2014-11-02 14:53 Sven Vermeulen
2014-11-02 15:08 Sven Vermeulen
2014-11-22 19:02 Sven Vermeulen
2014-11-23 14:06 [gentoo-commits] proj/hardened-refpolicy:bitcoin " Sven Vermeulen
2014-11-22 19:02 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
2014-11-26 16:22 [gentoo-commits] proj/hardened-refpolicy:initrd " Jason Zaman
2014-11-27  8:31 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2014-11-27  8:31 Jason Zaman
2014-11-28 10:04 [gentoo-commits] proj/hardened-refpolicy:next " Sven Vermeulen
2014-11-22 19:02 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
2014-11-28 10:04 [gentoo-commits] proj/hardened-refpolicy:next " Sven Vermeulen
2014-11-22 19:02 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
2014-11-28 10:04 [gentoo-commits] proj/hardened-refpolicy:next " Sven Vermeulen
2014-11-27 21:01 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
2014-11-28 10:04 [gentoo-commits] proj/hardened-refpolicy:next " Sven Vermeulen
2014-11-27 21:59 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
2014-11-28 10:04 [gentoo-commits] proj/hardened-refpolicy:next " Sven Vermeulen
2014-11-28  9:40 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
2014-11-28 11:16 [gentoo-commits] proj/hardened-refpolicy:next " Sven Vermeulen
2014-11-28 11:14 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
2014-12-04  1:46 Jason Zaman
2014-12-04  1:46 Jason Zaman
2014-12-15 18:40 Sven Vermeulen
2014-12-30 20:43 Sven Vermeulen
2015-01-25 13:50 Sven Vermeulen
2015-01-29  8:38 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2015-01-29  9:12 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2015-01-29  9:12 Jason Zaman
2015-01-29 20:51 Sven Vermeulen
2015-01-29 20:51 Sven Vermeulen
2015-02-09  9:55 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2015-02-09 18:33 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2015-02-09  9:58 [gentoo-commits] proj/hardened-refpolicy:adminroles " Jason Zaman
2015-02-09 18:33 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2015-03-03 15:19 git@oystercatcher mirror+tproxy
2015-03-04 17:03 [gentoo-commits] proj/hardened-refpolicy:next " Sven Vermeulen
2015-03-03 15:18 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
2015-03-29 10:01 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2015-03-29  9:59 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2015-04-22 21:46 Jason Zaman
2015-04-22 21:46 Jason Zaman
2015-05-22 19:32 Jason Zaman
2015-05-22 19:32 Jason Zaman
2015-05-22 19:32 Jason Zaman
2015-05-22 20:09 Jason Zaman
2015-05-22 20:19 Jason Zaman
2015-05-27 20:00 Jason Zaman
2015-05-27 20:00 Jason Zaman
2015-06-11 16:04 [gentoo-commits] proj/hardened-refpolicy:swift " Sven Vermeulen
2015-06-11 16:08 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
2015-07-11 14:09 [gentoo-commits] proj/hardened-refpolicy:swift " Sven Vermeulen
2015-07-11 13:38 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
2015-08-02 19:05 Jason Zaman
2015-10-14 18:36 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2015-10-13 14:50 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2015-10-14 18:36 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2015-10-13 14:50 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2015-10-14 18:36 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2015-10-14 18:35 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2015-10-26  5:36 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2015-10-26  5:48 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2015-10-26  5:36 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2015-10-26  5:48 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2015-10-26  5:48 Jason Zaman
2015-12-17 16:10 Jason Zaman
2015-12-17 16:10 Jason Zaman
2015-12-17 18:49 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2015-12-17 16:10 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2015-12-18  4:14 Jason Zaman
2016-01-30 17:21 Jason Zaman
2016-01-30 17:21 Jason Zaman
2016-01-30 17:21 Jason Zaman
2016-01-30 17:21 Jason Zaman
2016-01-30 17:21 Jason Zaman
2016-01-31 16:19 Sven Vermeulen
2016-02-12  3:51 Jason Zaman
2016-02-12  3:51 Jason Zaman
2016-02-12  3:51 Jason Zaman
2016-02-12  3:51 Jason Zaman
2016-02-12  3:51 Jason Zaman
2016-02-12  3:51 Jason Zaman
2016-02-12  3:51 Jason Zaman
2016-03-11 17:20 Jason Zaman
2016-03-11 17:20 Jason Zaman
2016-03-11 17:20 Jason Zaman
2016-03-11 17:20 Jason Zaman
2016-03-11 17:20 Jason Zaman
2016-05-13  5:37 Jason Zaman
2016-06-02  6:32 Jason Zaman
2016-06-02  6:32 Jason Zaman
2016-06-02  6:32 Jason Zaman
2016-06-02  6:32 Jason Zaman
2016-06-02  6:32 Jason Zaman
2016-06-02  6:32 Jason Zaman
2016-06-02  6:32 Jason Zaman
2016-06-02  6:32 Jason Zaman
2016-08-13 18:32 Jason Zaman
2016-08-13 18:32 Jason Zaman
2016-08-13 18:32 Jason Zaman
2016-08-13 18:32 Jason Zaman
2016-08-13 18:32 Jason Zaman
2016-08-13 18:35 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2016-08-13 18:32 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2016-08-17 16:59 Jason Zaman
2016-08-17 16:59 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2016-08-17 16:59 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2016-08-17 16:59 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2016-08-17 16:59 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2016-08-17 16:59 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2016-08-17 16:59 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2016-08-17 16:59 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2016-08-17 16:59 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2016-10-03  6:20 Jason Zaman
2016-10-03  6:20 Jason Zaman
2016-10-03  6:20 Jason Zaman
2016-10-03  6:20 Jason Zaman
2016-10-03  6:20 Jason Zaman
2016-10-03  6:26 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2016-10-03  6:20 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2016-10-03  6:26 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2016-10-03  6:20 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2016-10-03  6:26 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2016-10-03  6:20 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2016-10-24 15:45 [gentoo-commits] proj/hardened-refpolicy:swift " Sven Vermeulen
2016-10-24 16:02 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
2016-10-24 16:47 [gentoo-commits] proj/hardened-refpolicy:swift " Sven Vermeulen
2016-10-24 16:56 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
2016-10-24 16:56 [gentoo-commits] proj/hardened-refpolicy:swift " Sven Vermeulen
2016-10-24 16:56 ` [gentoo-commits] proj/hardened-refpolicy:master " Sven Vermeulen
2016-10-24 16:56 Sven Vermeulen
2016-10-24 16:56 Sven Vermeulen
2016-10-24 16:56 Sven Vermeulen
2016-10-24 17:00 Sven Vermeulen
2016-12-06 12:26 Jason Zaman
2016-12-06 12:26 Jason Zaman
2016-12-06 12:26 Jason Zaman
2016-12-06 12:26 Jason Zaman
2016-12-06 12:26 Jason Zaman
2016-12-06 13:39 Jason Zaman
2016-12-06 13:39 Jason Zaman
2016-12-06 14:24 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2016-12-06 13:39 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2016-12-08  4:47 Jason Zaman
2016-12-08  4:47 Jason Zaman
2016-12-08  5:03 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2016-12-08  4:47 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2017-01-01 16:36 Jason Zaman
2017-01-01 16:36 Jason Zaman
2017-01-01 16:36 Jason Zaman
2017-01-01 16:37 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2017-01-01 16:36 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2017-01-01 16:37 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2017-01-01 16:36 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2017-01-13 18:43 Sven Vermeulen
2017-01-13 18:43 Sven Vermeulen
2017-01-13 18:43 Sven Vermeulen
2017-01-13 18:43 Sven Vermeulen
2017-01-23 18:17 Jason Zaman
2017-01-25 11:59 Jason Zaman
2017-01-25 11:59 Jason Zaman
2017-02-05 15:13 [gentoo-commits] proj/hardened-refpolicy:usrmerge " Jason Zaman
2017-02-16 11:34 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2017-02-17  8:44 Jason Zaman
2017-02-21  7:11 Jason Zaman
2017-02-21  7:11 Jason Zaman
2017-02-21  7:11 Jason Zaman
2017-02-21  7:11 Jason Zaman
2017-02-21  7:11 Jason Zaman
2017-02-21  8:42 Jason Zaman
2017-02-25 14:59 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2017-02-25 14:51 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2017-02-25 14:59 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2017-02-25 14:51 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2017-02-25 14:59 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2017-02-25 14:51 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2017-02-25 14:59 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2017-02-25 14:51 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2017-02-25 16:58 Jason Zaman
2017-02-25 16:58 Jason Zaman
2017-02-25 16:58 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2017-02-25 16:58 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2017-02-27 10:50 Jason Zaman
2017-02-27 10:50 Jason Zaman
2017-02-27 11:24 Jason Zaman
2017-02-27 11:40 [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
2017-02-27 10:50 ` [gentoo-commits] proj/hardened-refpolicy:master " Jason Zaman
2017-03-02 10:17 Sven Vermeulen
2017-03-02 10:17 Sven Vermeulen
2017-03-02 10:17 Sven Vermeulen
2017-03-30 17:06 Jason Zaman
2017-04-10 17:28 Sven Vermeulen
2017-04-30 14:44 Jason Zaman
2017-05-07 16:09 Jason Zaman
2017-05-07 16:09 Jason Zaman
2017-05-07 17:41 Jason Zaman
2017-05-18 17:03 Sven Vermeulen
2017-05-18 17:03 Sven Vermeulen
2017-05-18 17:03 Sven Vermeulen
2017-06-13  8:25 Jason Zaman
2017-06-13  8:25 Jason Zaman
2017-06-13  8:25 Jason Zaman
2017-06-13  8:25 Jason Zaman
2017-09-09  2:43 Jason Zaman
2017-09-09  2:43 Jason Zaman
2017-09-09  2:43 Jason Zaman
2017-09-09  3:02 Jason Zaman
2017-09-09  3:02 Jason Zaman
2017-09-09  3:02 Jason Zaman
2017-09-17  4:21 Jason Zaman
2017-09-17  4:21 Jason Zaman
2017-09-17  4:21 Jason Zaman
2017-09-17  4:21 Jason Zaman
2017-09-17  4:21 Jason Zaman
2017-10-29 20:42 Jason Zaman
2017-10-29 20:42 Jason Zaman
2017-10-29 20:42 Jason Zaman
2017-10-29 20:42 Jason Zaman
2017-10-29 20:42 Jason Zaman
2017-10-29 20:42 Jason Zaman
2017-10-29 20:42 Jason Zaman
2017-10-30 15:07 Jason Zaman
2017-10-31  5:40 Jason Zaman
2017-10-31  5:40 Jason Zaman
2017-11-05  8:01 Jason Zaman
2017-11-17 14:59 Jason Zaman
2017-11-17 14:59 Jason Zaman
2017-11-17 14:59 Jason Zaman
2017-12-12  7:59 Jason Zaman
2017-12-12  7:59 Jason Zaman
2017-12-12  7:59 Jason Zaman
2017-12-12  7:59 Jason Zaman
2017-12-14  5:15 Jason Zaman
2017-12-14  5:15 Jason Zaman
2017-12-14  5:15 Jason Zaman
2018-01-18 16:37 Sven Vermeulen
2018-01-18 16:37 Sven Vermeulen
2018-01-18 16:37 Sven Vermeulen
2018-01-18 16:37 Sven Vermeulen
2018-02-18 11:30 Jason Zaman
2018-03-25 10:29 Sven Vermeulen
2018-03-25 10:29 Sven Vermeulen
2018-03-25 10:29 Sven Vermeulen
2018-04-22 12:00 Jason Zaman
2018-04-22 12:00 Jason Zaman
2018-04-22 12:00 Jason Zaman
2018-04-25 10:02 Jason Zaman
2018-06-08 10:07 Jason Zaman
2018-06-08 10:07 Jason Zaman
2018-06-08 10:07 Jason Zaman
2018-06-08 10:07 Jason Zaman
2018-06-08 10:07 Jason Zaman
2018-06-08 10:07 Jason Zaman
2018-06-08 10:07 Jason Zaman
2018-06-08 10:07 Jason Zaman
2018-06-08 10:07 Jason Zaman
2018-06-08 10:07 Jason Zaman
2018-06-08 10:07 Jason Zaman
2018-06-09  5:24 Jason Zaman
2018-06-24  8:46 Jason Zaman
2018-06-24  8:46 Jason Zaman
2018-06-24  8:46 Jason Zaman
2018-06-24 10:47 Jason Zaman
2018-06-25  5:33 Jason Zaman
2018-06-25  5:33 Jason Zaman
2018-06-25  5:33 Jason Zaman
2018-07-12 14:37 Jason Zaman
2018-09-11  9:06 Jason Zaman
2018-09-11  9:06 Jason Zaman
2018-09-11  9:06 Jason Zaman
2018-09-11  9:06 Jason Zaman
2018-11-11 23:29 Jason Zaman
2018-11-11 23:29 Jason Zaman
2018-11-11 23:29 Jason Zaman
2018-11-11 23:29 Jason Zaman
2018-12-09 11:48 Jason Zaman
2018-12-09 11:48 Jason Zaman
2018-12-09 11:48 Jason Zaman
2018-12-09 11:48 Jason Zaman
2018-12-09 11:48 Jason Zaman
2018-12-09 11:48 Jason Zaman
2018-12-09 11:48 Jason Zaman
2018-12-09 11:48 Jason Zaman
2019-02-10  4:14 Jason Zaman
2019-02-10  4:14 Jason Zaman
2019-02-10  4:24 Jason Zaman
2019-03-26 10:17 Jason Zaman
2019-03-26 10:17 Jason Zaman
2019-03-26 10:17 Jason Zaman
2019-03-26 10:17 Jason Zaman
2019-07-13  7:01 Jason Zaman
2019-07-13  7:01 Jason Zaman
2019-12-16 17:48 Jason Zaman
2019-12-16 17:48 Jason Zaman
2019-12-16 17:48 Jason Zaman
2019-12-16 17:48 Jason Zaman
2019-12-16 17:48 Jason Zaman
2019-12-16 17:48 Jason Zaman
2019-12-16 17:48 Jason Zaman
2019-12-16 17:48 Jason Zaman
2019-12-16 17:48 Jason Zaman
2020-02-15  7:33 Jason Zaman
2020-02-15  7:33 Jason Zaman
2020-02-15  7:33 Jason Zaman
2020-02-15  7:33 Jason Zaman
2020-02-15  7:33 Jason Zaman
2020-02-15  7:33 Jason Zaman
2020-02-15  7:33 Jason Zaman
2020-02-15  7:33 Jason Zaman
2020-02-15  7:33 Jason Zaman
2020-02-15  7:33 Jason Zaman
2020-02-15  7:33 Jason Zaman
2020-02-15  7:33 Jason Zaman
2020-10-13  3:02 Jason Zaman
2020-10-13  3:02 Jason Zaman
2020-10-13  3:02 Jason Zaman
2020-10-13  3:02 Jason Zaman
2020-10-13  3:02 Jason Zaman
2020-10-13  3:02 Jason Zaman
2020-10-13  3:02 Jason Zaman
2020-10-13  3:02 Jason Zaman
2020-10-13  3:02 Jason Zaman
2020-10-13  3:02 Jason Zaman
2020-10-13  3:02 Jason Zaman
2020-10-13  3:02 Jason Zaman
2020-11-28 23:09 Jason Zaman
2020-11-28 23:09 Jason Zaman
2020-11-28 23:09 Jason Zaman
2020-11-28 23:09 Jason Zaman
2020-11-28 23:09 Jason Zaman
2020-11-28 23:09 Jason Zaman
2020-11-28 23:09 Jason Zaman
2020-11-28 23:09 Jason Zaman
2020-11-29  0:05 Jason Zaman
2021-01-11  1:27 Jason Zaman
2021-01-11  1:27 Jason Zaman
2021-01-11  1:27 Jason Zaman
2021-01-11  1:27 Jason Zaman
2021-01-11  1:27 Jason Zaman
2021-01-11  1:27 Jason Zaman
2021-01-11  1:27 Jason Zaman
2021-01-11  1:27 Jason Zaman
2021-01-11  1:27 Jason Zaman
2021-01-11  1:27 Jason Zaman
2021-01-11  1:27 Jason Zaman
2021-01-11  1:27 Jason Zaman
2021-02-01  2:10 Jason Zaman
2021-02-07  3:20 Jason Zaman
2021-02-07  3:20 Jason Zaman
2021-02-07  3:20 Jason Zaman
2021-03-21 22:10 Jason Zaman
2021-03-21 22:10 Jason Zaman
2021-03-21 22:10 Jason Zaman
2021-03-21 22:10 Jason Zaman
2021-03-21 22:10 Jason Zaman
2021-03-21 22:10 Jason Zaman
2021-03-21 22:10 Jason Zaman
2021-03-21 22:10 Jason Zaman
2021-03-21 22:10 Jason Zaman
2021-03-22  0:21 Jason Zaman
2021-09-05 16:00 Jason Zaman
2021-11-11 21:27 Jason Zaman
2021-11-12  2:00 Jason Zaman
2021-11-12  2:00 Jason Zaman
2021-11-21 19:33 Jason Zaman
2021-11-21 23:20 Jason Zaman
2021-11-21 23:20 Jason Zaman
2021-11-21 23:20 Jason Zaman
2022-01-30  1:22 Jason Zaman
2022-01-30  1:22 Jason Zaman
2022-01-30  1:22 Jason Zaman
2022-01-30  1:22 Jason Zaman
2022-01-30  1:22 Jason Zaman
2022-02-07  2:14 Jason Zaman
2022-02-07  2:14 Jason Zaman
2022-03-31  3:31 Jason Zaman
2022-03-31  3:31 Jason Zaman
2022-03-31  3:31 Jason Zaman
2022-03-31  3:31 Jason Zaman
2022-03-31  3:31 Jason Zaman
2022-03-31  3:31 Jason Zaman
2022-03-31  3:31 Jason Zaman
2022-03-31  3:31 Jason Zaman
2022-03-31  3:31 Jason Zaman
2022-09-03 19:10 Jason Zaman
2022-09-03 19:10 Jason Zaman
2022-09-03 19:10 Jason Zaman
2022-09-03 19:10 Jason Zaman
2022-09-03 19:10 Jason Zaman
2022-09-03 19:10 Jason Zaman
2022-09-03 19:10 Jason Zaman
2022-09-03 19:10 Jason Zaman
2022-09-03 19:10 Jason Zaman
2022-09-03 19:54 Jason Zaman
2022-09-03 19:54 Jason Zaman
2022-09-03 19:54 Jason Zaman
2022-09-03 20:04 Kenton Groombridge
2022-09-03 20:04 Kenton Groombridge
2022-10-12 13:34 [gentoo-commits] proj/hardened-refpolicy:concord-dev " Kenton Groombridge
2022-09-03 20:04 ` [gentoo-commits] proj/hardened-refpolicy:master " Kenton Groombridge
2022-11-02 14:42 Kenton Groombridge
2022-11-02 14:42 Kenton Groombridge
2022-11-02 14:42 Kenton Groombridge
2022-11-02 14:42 Kenton Groombridge
2022-11-02 14:42 Kenton Groombridge
2022-12-13 20:55 Kenton Groombridge
2022-12-13 20:55 Kenton Groombridge
2022-12-13 20:55 Kenton Groombridge
2022-12-13 20:55 Kenton Groombridge
2022-12-13 20:55 Kenton Groombridge
2022-12-13 20:55 Kenton Groombridge
2023-02-13 15:35 Kenton Groombridge
2023-02-13 15:35 Kenton Groombridge
2023-02-13 15:35 Kenton Groombridge
2023-02-13 15:35 Kenton Groombridge
2023-02-13 15:35 Kenton Groombridge
2023-02-13 15:35 Kenton Groombridge
2023-02-13 15:35 Kenton Groombridge
2023-03-31 23:07 Kenton Groombridge
2023-03-31 23:07 Kenton Groombridge
2023-03-31 23:07 Kenton Groombridge
2023-03-31 23:07 Kenton Groombridge
2023-03-31 23:07 Kenton Groombridge
2023-03-31 23:07 Kenton Groombridge
2023-03-31 23:07 Kenton Groombridge
2023-03-31 23:07 Kenton Groombridge
2023-03-31 23:07 Kenton Groombridge
2023-03-31 23:07 Kenton Groombridge
2023-03-31 23:07 Kenton Groombridge
2023-03-31 23:07 Kenton Groombridge
2023-03-31 23:07 Kenton Groombridge
2023-03-31 23:07 Kenton Groombridge
2023-03-31 23:07 Kenton Groombridge
2023-10-06 16:44 Kenton Groombridge
2023-10-06 16:44 Kenton Groombridge
2023-10-06 16:44 Kenton Groombridge
2023-10-06 16:44 Kenton Groombridge
2023-10-06 16:44 Kenton Groombridge
2023-10-20 22:05 Kenton Groombridge
2023-10-20 22:05 Kenton Groombridge
2024-03-01 19:56 Kenton Groombridge
2024-03-01 19:56 Kenton Groombridge
2024-03-01 19:56 Kenton Groombridge
2024-03-01 19:56 Kenton Groombridge
2024-03-01 19:56 Kenton Groombridge
2024-03-01 19:56 Kenton Groombridge
2024-05-14 19:42 Kenton Groombridge
2024-05-14 19:42 Kenton Groombridge
2024-05-14 19:42 Kenton Groombridge
2024-05-14 19:42 Kenton Groombridge
2024-09-22  0:03 Jason Zaman
2024-09-22  0:03 Jason Zaman
2024-09-22  0:03 Jason Zaman
2024-09-22  0:03 Jason Zaman
2024-09-22  0:03 Jason Zaman
2024-09-22  0:03 Jason Zaman
2024-12-15  0:30 Jason Zaman
2024-12-15  0:30 Jason Zaman
2024-12-15  0:30 Jason Zaman
2024-12-15  0:30 Jason Zaman
2024-12-15  0:30 Jason Zaman
2024-12-15  0:30 Jason Zaman
2024-12-15  0:30 Jason Zaman
2024-12-15  0:30 Jason Zaman
2024-12-15  0:30 Jason Zaman
2024-12-15  0:30 Jason Zaman
2024-12-15  0:30 Jason Zaman
2024-12-15  0:30 Jason Zaman
2024-12-15  0:30 Jason Zaman
2024-12-15  0:30 Jason Zaman
2024-12-15  0:30 Jason Zaman
2024-12-15  0:30 Jason Zaman
2024-12-15  0:30 Jason Zaman
2024-12-15  0:30 Jason Zaman
2024-12-15  0:30 Jason Zaman
2024-12-15  0:30 Jason Zaman
2025-01-06 21:08 Kenton Groombridge
2025-03-08 23:55 Jason Zaman
2025-03-08 23:55 Jason Zaman
2025-03-08 23:55 Jason Zaman
2025-03-08 23:55 Jason Zaman
2025-03-08 23:55 Jason Zaman
2025-03-08 23:55 Jason Zaman
2025-03-08 23:55 Jason Zaman
2025-03-08 23:55 Jason Zaman
2025-03-08 23:55 Jason Zaman
2025-03-08 23:55 Jason Zaman
2025-03-09  0:20 Jason Zaman
2025-07-15  7:54 Jason Zaman
2025-07-15  7:54 Jason Zaman
2025-07-15  8:05 Jason Zaman
2025-07-15  8:05 Jason Zaman
2025-07-15  8:05 Jason Zaman
2025-07-15  8:12 Jason Zaman
2025-09-02 22:15 Jason Zaman
2025-09-02 22:15 Jason Zaman
2025-09-02 22:15 Jason Zaman
2025-09-02 22:15 Jason Zaman
2025-09-02 22:15 Jason Zaman
2025-09-02 22:15 Jason Zaman
2025-09-19 16:56 Kenton Groombridge

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox