From: "Sven Vermeulen" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" Message-ID: <1390157769.ae86ea44124a8e1ea69ba291efc53ee8149d69d5.swift@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/admin/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/admin/bootloader.te policy/modules/admin/dmesg.te policy/modules/system/authlogin.te policy/modules/system/clock.te policy/modules/system/fstools.te policy/modules/system/hostname.te policy/modules/system/hotplug.te policy/modules/system/init.te policy/modules/system/locallogin.te policy/modules/system/logging.te policy/modules/system/lvm.te policy/modules/system/modutils.te policy/modules/system/mount.te policy/modules/system/udev.te X-VCS-Directories: policy/modules/system/ policy/modules/admin/ X-VCS-Committer: swift X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: ae86ea44124a8e1ea69ba291efc53ee8149d69d5 X-VCS-Branch: master Date: Sun, 19 Jan 2014 19:01:38 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: a37684f9-24a0-434f-a6b2-228da6961f18 X-Archives-Hash: 9c8cf4547e56d037e11cacf22da025f3 commit: ae86ea44124a8e1ea69ba291efc53ee8149d69d5 Author: Chris PeBenito tresys com> AuthorDate: Thu Jan 16 16:24:25 2014 +0000 Commit: Sven Vermeulen gentoo org> CommitDate: Sun Jan 19 18:56:09 2014 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=ae86ea44 Update modules for file_t merge into unlabeled_t. 
---
 policy/modules/admin/bootloader.te | 15 +++++++--------
 policy/modules/admin/dmesg.te | 6 +++---
 policy/modules/system/authlogin.te | 4 ++--
 policy/modules/system/clock.te | 6 +++---
 policy/modules/system/fstools.te | 9 +++------
 policy/modules/system/hostname.te | 6 +++---
 policy/modules/system/hotplug.te | 6 +++---
 policy/modules/system/init.te | 9 +++++----
 policy/modules/system/locallogin.te | 6 +++---
 policy/modules/system/logging.te | 5 +++--
 policy/modules/system/lvm.te | 8 ++++----
 policy/modules/system/modutils.te | 9 +++++----
 policy/modules/system/mount.te | 8 ++++----
 policy/modules/system/udev.te | 4 ++--
 14 files changed, 50 insertions(+), 51 deletions(-)
diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
index 0fd5c5f..3f81343 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -1,4 +1,4 @@
-policy_module(bootloader, 1.14.0)
+policy_module(bootloader, 1.14.1)
 
 ########################################
 #
@@ -155,15 +155,14 @@ ifdef(`distro_redhat',`
 # for memlock
 allow bootloader_t self:capability ipc_lock;
 
- # new file system defaults to file_t, granting file_t access is still bad.
 allow bootloader_t boot_runtime_t:file { read_file_perms delete_file_perms };
 
- # new file system defaults to file_t, granting file_t access is still bad.
- files_manage_isid_type_dirs(bootloader_t)
- files_manage_isid_type_files(bootloader_t)
- files_manage_isid_type_symlinks(bootloader_t)
- files_manage_isid_type_blk_files(bootloader_t)
- files_manage_isid_type_chr_files(bootloader_t)
+ # new file system defaults to unlabeled, granting unlabeled access is still bad.
+ kernel_manage_unlabeled_dirs(bootloader_t)
+ kernel_manage_unlabeled_files(bootloader_t)
+ kernel_manage_unlabeled_symlinks(bootloader_t)
+ kernel_manage_unlabeled_blk_files(bootloader_t)
+ kernel_manage_unlabeled_chr_files(bootloader_t)
 
 # for mke2fs
 mount_run(bootloader_t, bootloader_roles)
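Review bot: The five `kernel_manage_unlabeled_*(bootloader_t)` lines in the @@ -155 hunk grant create, write and delete on every unlabeled dir, file, symlink and block/char device, and the comment above them only repeats that this is "still bad" without recording that unlabeled_t is a wider target than file_t was: it is the kernel's initial SID for objects that have no label or an invalid one, not just a freshly created filesystem. A one-line addition such as `# unlabeled_t also covers files whose context is invalid, so this is wider than the old file_t rule` would help the next reader who tries to tighten these rules. The block sits inside the `ifdef(`distro_redhat',`` conditional, which starts before and ends after the hunk.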
diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te
index 9124163..914a836 100644
--- a/policy/modules/admin/dmesg.te
+++ b/policy/modules/admin/dmesg.te
@@ -1,4 +1,4 @@
-policy_module(dmesg, 1.3.0)
+policy_module(dmesg, 1.3.1)
 
 ########################################
 #
@@ -25,6 +25,8 @@ kernel_clear_ring_buffer(dmesg_t)
 kernel_change_ring_buffer_level(dmesg_t)
 kernel_list_proc(dmesg_t)
 kernel_read_proc_symlinks(dmesg_t)
+# for when /usr is not mounted:
+kernel_dontaudit_search_unlabeled(dmesg_t)
 
 dev_read_sysfs(dmesg_t)
 
@@ -35,8 +37,6 @@ term_dontaudit_use_console(dmesg_t)
 domain_use_interactive_fds(dmesg_t)
 
 files_list_etc(dmesg_t)
-# for when /usr is not mounted:
-files_dontaudit_search_isid_type_dirs(dmesg_t)
 
 init_use_fds(dmesg_t)
 init_use_script_ptys(dmesg_t)
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 68bc0d6..b9ac3b0 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -1,4 +1,4 @@
-policy_module(authlogin, 2.5.2)
+policy_module(authlogin, 2.5.3)
 
 ########################################
 #
@@ -220,6 +220,7 @@ dontaudit pam_console_t pam_var_console_t:file write;
 
 kernel_read_kernel_sysctls(pam_console_t)
 kernel_use_fds(pam_console_t)
+kernel_dontaudit_search_unlabeled(pam_console_t)
 # Read /proc/meminfo
 kernel_read_system_state(pam_console_t)
 
@@ -255,7 +256,6 @@ dev_read_urand(pam_console_t)
 files_read_etc_files(pam_console_t)
 files_search_pids(pam_console_t)
 files_list_mnt(pam_console_t)
-files_dontaudit_search_isid_type_dirs(pam_console_t)
 # read /etc/mtab
 files_read_etc_runtime_files(pam_console_t)
 
diff --git a/policy/modules/system/clock.te b/policy/modules/system/clock.te
index edece47..a3cc2ef 100644
--- a/policy/modules/system/clock.te
+++ b/policy/modules/system/clock.te
@@ -1,4 +1,4 @@
-policy_module(clock, 1.7.0)
+policy_module(clock, 1.7.1)
 
 ########################################
 #
@@ -30,6 +30,8 @@ allow hwclock_t adjtime_t:file { rw_file_perms setattr };
 
 kernel_read_kernel_sysctls(hwclock_t)
 kernel_read_system_state(hwclock_t)
+# for when /usr is not mounted:
+kernel_dontaudit_search_unlabeled(hwclock_t)
 
 corecmd_exec_bin(hwclock_t)
 corecmd_exec_shell(hwclock_t)
@@ -38,8 +40,6 @@ dev_read_sysfs(hwclock_t)
 dev_rw_realtime_clock(hwclock_t)
 
 files_read_etc_files(hwclock_t)
-# for when /usr is not mounted:
-files_dontaudit_search_isid_type_dirs(hwclock_t)
 
 fs_getattr_xattr_fs(hwclock_t)
 fs_search_auto_mountpoints(hwclock_t)
diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index 610fa40..65f634a 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -1,4 +1,4 @@
-policy_module(fstools, 1.16.3)
+policy_module(fstools, 1.16.4)
 
 ########################################
 #
@@ -56,6 +56,7 @@ allow fsadm_t swapfile_t:file { rw_file_perms swapon };
 kernel_read_system_state(fsadm_t)
 kernel_read_kernel_sysctls(fsadm_t)
 kernel_request_load_module(fsadm_t)
+kernel_manage_unlabeled_dirs(fsadm_t)
 # Allow console log change (updfstab)
 kernel_change_ring_buffer_level(fsadm_t)
 # mkreiserfs needs this
@@ -64,6 +65,7 @@ kernel_getattr_core_if(fsadm_t)
 # Access to /initrd devices
 kernel_rw_unlabeled_dirs(fsadm_t)
 kernel_rw_unlabeled_blk_files(fsadm_t)
+kernel_read_unlabeled_files(fsadm_t)
 
 corecmd_exec_bin(fsadm_t)
 #RedHat bug #201164
@@ -100,14 +102,9 @@ files_list_home(fsadm_t)
 files_read_usr_files(fsadm_t)
 files_read_etc_files(fsadm_t)
 files_manage_lost_found(fsadm_t)
-files_manage_isid_type_dirs(fsadm_t)
 # Write to /etc/mtab.
 files_manage_etc_runtime_files(fsadm_t)
 files_etc_filetrans_etc_runtime(fsadm_t, file)
-# Access to /initrd devices
-files_rw_isid_type_dirs(fsadm_t)
-files_rw_isid_type_blk_files(fsadm_t)
-files_read_isid_type_files(fsadm_t)
 
 fs_search_auto_mountpoints(fsadm_t)
 fs_getattr_xattr_fs(fsadm_t)
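Review bot: `kernel_manage_unlabeled_dirs(fsadm_t)` added in the fstools @@ -56 hunk makes the `kernel_rw_unlabeled_dirs(fsadm_t)` kept as context in the @@ -64 hunk redundant, since the manage pattern already contains the rw permissions, and the removed `files_manage_isid_type_dirs(fsadm_t)` line carried no justification that could be carried over. Either drop the rw line, or keep it for the readability of the `# Access to /initrd devices` group and add a comment above the manage line saying what fsadm needs to create or delete in unlabeled directories. The same comment gap applies to `kernel_read_unlabeled_files(fsadm_t)`, whose old comment stayed with the removed block in the @@ -100 hunk.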
diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te
index 6d9f4fe..07f83b5 100644
--- a/policy/modules/system/hostname.te
+++ b/policy/modules/system/hostname.te
@@ -1,4 +1,4 @@
-policy_module(hostname, 1.8.2)
+policy_module(hostname, 1.8.3)
 
 ########################################
 #
@@ -23,6 +23,8 @@ dontaudit hostname_t self:capability sys_tty_config;
 
 kernel_list_proc(hostname_t)
 kernel_read_proc_symlinks(hostname_t)
+# for when /usr is not mounted:
+kernel_dontaudit_search_unlabeled(hostname_t)
 
 dev_read_sysfs(hostname_t)
 # Early devtmpfs, before udev relabel
@@ -32,8 +34,6 @@ domain_use_interactive_fds(hostname_t)
 
 files_read_etc_files(hostname_t)
 files_dontaudit_search_var(hostname_t)
-# for when /usr is not mounted:
-files_dontaudit_search_isid_type_dirs(hostname_t)
 
 fs_getattr_xattr_fs(hostname_t)
 fs_search_auto_mountpoints(hostname_t)
diff --git a/policy/modules/system/hotplug.te b/policy/modules/system/hotplug.te
index b2097e7..fb17059 100644
--- a/policy/modules/system/hotplug.te
+++ b/policy/modules/system/hotplug.te
@@ -1,4 +1,4 @@
-policy_module(hotplug, 1.16.0)
+policy_module(hotplug, 1.16.1)
 
 ########################################
 #
@@ -49,6 +49,8 @@ kernel_read_system_state(hotplug_t)
 kernel_read_network_state(hotplug_t)
 kernel_read_kernel_sysctls(hotplug_t)
 kernel_rw_net_sysctls(hotplug_t)
+# for when filesystems are not mounted early in the boot:
+kernel_dontaudit_search_unlabeled(hotplug_t)
 
 files_read_kernel_modules(hotplug_t)
 
@@ -86,8 +88,6 @@ files_read_etc_files(hotplug_t)
 files_manage_etc_runtime_files(hotplug_t)
 files_etc_filetrans_etc_runtime(hotplug_t, file)
 files_exec_etc_files(hotplug_t)
-# for when filesystems are not mounted early in the boot:
-files_dontaudit_search_isid_type_dirs(hotplug_t)
 
 init_read_script_state(hotplug_t)
 # Allow hotplug (including /sbin/ifup-local) to start/stop services and
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 8bf29d5..dce9cd0 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 1.20.4)
+policy_module(init, 1.20.5)
 
 gen_require(`
 class passwd rootok;
@@ -125,6 +125,7 @@ allow init_t initrc_var_run_t:file { rw_file_perms setattr };
 
 kernel_read_system_state(init_t)
 kernel_share_state(init_t)
+kernel_dontaudit_search_unlabeled(init_t)
 
 corecmd_exec_chroot(init_t)
 corecmd_exec_bin(init_t)
@@ -142,7 +143,6 @@ domain_sigchld_all_domains(init_t)
 
 files_read_etc_files(init_t)
 files_rw_generic_pids(init_t)
-files_dontaudit_search_isid_type_dirs(init_t)
 files_manage_etc_runtime_files(init_t)
 files_etc_filetrans_etc_runtime(init_t, file)
 # Run /etc/X11/prefdm:
@@ -289,6 +289,9 @@ kernel_read_all_sysctls(initrc_t)
 kernel_rw_all_sysctls(initrc_t)
 # for lsof which is used by alsa shutdown:
 kernel_dontaudit_getattr_message_if(initrc_t)
+# cjp: not sure why these are here; should use mount policy
+kernel_list_unlabeled(initrc_t)
+kernel_mounton_unlabeled_dirs(initrc_t)
 
 files_create_lock_dirs(initrc_t)
 files_pid_filetrans_lock_dir(initrc_t, "lock")
@@ -367,8 +370,6 @@ files_manage_urandom_seed(initrc_t)
 files_manage_generic_spool(initrc_t)
 # Mount and unmount file systems.
 # cjp: not sure why these are here; should use mount policy
-files_list_isid_type_dirs(initrc_t)
-files_mounton_isid_type_dirs(initrc_t)
 files_list_default(initrc_t)
 files_mounton_default(initrc_t)
 
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
index 446fa99..c083ccd 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -1,4 +1,4 @@
-policy_module(locallogin, 1.12.0)
+policy_module(locallogin, 1.12.1)
 
 ########################################
 #
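Review bot: The comment `# cjp: not sure why these are here; should use mount policy` added in the init.te @@ -289 hunk duplicates the one that stays as context in the @@ -367 hunk, so the same open question is now recorded twice for initrc_t, and the new `kernel_list_unlabeled(initrc_t)`/`kernel_mounton_unlabeled_dirs(initrc_t)` pair is no longer next to the `files_list_default`/`files_mounton_default` lines it was grouped with under `# Mount and unmount file systems.`. Keeping the kernel_ rules in the kernel_ section is the refpolicy convention, so the better fix is to make the new comment point at the other group, e.g. `# cjp: not sure why these are here; should use mount policy (see files_mounton_default below)`, so a later cleanup removes both halves together.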
@@ -216,13 +216,13 @@ allow sulogin_t self:msgq create_msgq_perms;
 allow sulogin_t self:msg { send receive };
 
 kernel_read_system_state(sulogin_t)
+# because file systems are not mounted:
+kernel_dontaudit_search_unlabeled(sulogin_t)
 
 fs_search_auto_mountpoints(sulogin_t)
 fs_rw_tmpfs_chr_files(sulogin_t)
 
 files_read_etc_files(sulogin_t)
-# because file systems are not mounted:
-files_dontaudit_search_isid_type_dirs(sulogin_t)
 
 auth_read_shadow(sulogin_t)
 
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 455d061..64c6667 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -1,4 +1,4 @@
-policy_module(logging, 1.20.2)
+policy_module(logging, 1.20.3)
 
 ########################################
 #
@@ -406,6 +406,8 @@ kernel_read_messages(syslogd_t)
 kernel_read_vm_sysctls(syslogd_t)
 kernel_clear_ring_buffer(syslogd_t)
 kernel_change_ring_buffer_level(syslogd_t)
+# /initrd is not umounted before minilog starts
+kernel_dontaudit_search_unlabeled(syslogd_t)
 
 corenet_all_recvfrom_unlabeled(syslogd_t)
 corenet_all_recvfrom_netlabel(syslogd_t)
@@ -443,7 +445,6 @@ files_read_usr_files(syslogd_t)
 files_read_var_files(syslogd_t)
 files_read_etc_runtime_files(syslogd_t)
 # /initrd is not umounted before minilog starts
-files_dontaudit_search_isid_type_dirs(syslogd_t)
 files_read_kernel_symbol_table(syslogd_t)
 files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
 
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index a02b319..d338dc0 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -1,4 +1,4 @@
-policy_module(lvm, 1.15.3)
+policy_module(lvm, 1.15.4)
 
 ########################################
 #
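Review bot: In the logging.te @@ -443 hunk the comment `# /initrd is not umounted before minilog starts` is left in place above `files_read_kernel_symbol_table(syslogd_t)` after the rule it described was removed, while the same comment is re-added with the new `kernel_dontaudit_search_unlabeled(syslogd_t)` line in the @@ -406 hunk; the orphaned copy should be deleted in the same hunk, since it now misdescribes the symbol-table rule. Every other file in this commit moves the comment together with its rule (dmesg, clock, hostname, hotplug, locallogin, lvm, modutils), so logging.te is the only one left inconsistent.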
@@ -217,6 +217,8 @@ kernel_get_sysvipc_info(lvm_t)
 kernel_read_system_state(lvm_t)
 # Read system variables in /proc/sys
 kernel_read_kernel_sysctls(lvm_t)
+# for when /usr is not mounted:
+kernel_dontaudit_search_unlabeled(lvm_t)
 # it has no reason to need this
 kernel_dontaudit_getattr_core_if(lvm_t)
 kernel_use_fds(lvm_t)
@@ -254,8 +256,6 @@ domain_read_all_domains_state(lvm_t)
 files_read_usr_files(lvm_t)
 files_read_etc_files(lvm_t)
 files_read_etc_runtime_files(lvm_t)
-# for when /usr is not mounted:
-files_dontaudit_search_isid_type_dirs(lvm_t)
 
 fs_getattr_xattr_fs(lvm_t)
 fs_search_auto_mountpoints(lvm_t)
@@ -306,7 +306,7 @@ userdom_use_user_terminals(lvm_t)
 
 ifdef(`distro_redhat',`
 # this is from the initrd:
- files_rw_isid_type_dirs(lvm_t)
+ kernel_rw_unlabeled_dirs(lvm_t)
 
 optional_policy(`
 unconfined_domain(lvm_t)
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index c1bd664..d51a148 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -1,4 +1,4 @@
-policy_module(modutils, 1.14.0)
+policy_module(modutils, 1.14.1)
 
 ########################################
 #
@@ -134,6 +134,8 @@ kernel_read_kernel_sysctls(insmod_t)
 kernel_rw_kernel_sysctl(insmod_t)
 kernel_read_hotplug_sysctls(insmod_t)
 kernel_setsched(insmod_t)
+# for when /var is not mounted early in the boot:
+kernel_dontaudit_search_unlabeled(insmod_t)
 
 corecmd_exec_bin(insmod_t)
 corecmd_exec_shell(insmod_t)
@@ -157,8 +159,6 @@ files_read_usr_files(insmod_t)
 files_exec_etc_files(insmod_t)
 # for nscd:
 files_dontaudit_search_pids(insmod_t)
-# for when /var is not mounted early in the boot:
-files_dontaudit_search_isid_type_dirs(insmod_t)
 # for locking: (cjp: ????)
 files_write_kernel_modules(insmod_t)
 
@@ -303,9 +303,10 @@ userdom_use_user_terminals(update_modules_t)
 userdom_dontaudit_search_user_home_dirs(update_modules_t)
 
 ifdef(`distro_gentoo',`
+ kernel_list_unlabeled(update_modules_t) # /var
+ files_search_pids(update_modules_t)
 files_getattr_usr_src_files(update_modules_t)
- files_list_isid_type_dirs(update_modules_t) # /var
 
 # update-modules on Gentoo throws errors when run because it
 # sources /etc/init.d/functions.sh, which always scans
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index a686071..8ef3cbd 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -1,4 +1,4 @@
-policy_module(mount, 1.16.3)
+policy_module(mount, 1.16.4)
 
 ########################################
 #
@@ -65,6 +65,9 @@ kernel_dontaudit_write_debugfs_dirs(mount_t)
 kernel_dontaudit_write_proc_dirs(mount_t)
 # To load binfmt_misc kernel module
 kernel_request_load_module(mount_t)
+# for when /etc/mtab loses its type
+# cjp: this seems wrong, the type should probably be etc
+kernel_read_unlabeled_files(mount_t)
 
 # required for mount.smbfs
 corecmd_exec_bin(mount_t)
@@ -92,9 +95,6 @@ files_unmount_rootfs(mount_t)
 files_relabelto_all_file_type_fs(mount_t)
 files_mount_all_file_type_fs(mount_t)
 files_unmount_all_file_type_fs(mount_t)
-# for when /etc/mtab loses its type
-# cjp: this seems wrong, the type should probably be etc
-files_read_isid_type_files(mount_t)
 # For reading cert files
 files_read_usr_files(mount_t)
 files_list_all_mountpoints(mount_t)
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 19a3c8e..5f7a894 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -1,4 +1,4 @@
-policy_module(udev, 1.16.5)
+policy_module(udev, 1.16.6)
 
 ########################################
 #
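Review bot: `files_search_pids(update_modules_t)` in the modutils @@ -303 hunk is a new grant on the pid directory that the file_t-to-unlabeled_t rename in the commit message does not cover, and it carries no comment; the `# /var` remark that moved onto `kernel_list_unlabeled(update_modules_t)` does not explain it either. If it stands in for the /var search that the removed `files_list_isid_type_dirs` line used to satisfy once /var is mounted, say so inline, e.g. `files_search_pids(update_modules_t) # /var/run, once /var is mounted`; otherwise it belongs in its own commit. The `ifdef(`distro_gentoo',`` block ends outside the hunk.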
@@ -95,6 +95,7 @@ kernel_search_debugfs(udev_t)
 kernel_rw_net_sysctls(udev_t)
 kernel_read_network_state(udev_t)
 kernel_read_software_raid_state(udev_t)
+kernel_dontaudit_search_unlabeled(udev_t)
 
 corecmd_exec_all_executables(udev_t)
 
@@ -116,7 +117,6 @@ files_read_usr_files(udev_t)
 files_read_etc_runtime_files(udev_t)
 files_read_etc_files(udev_t)
 files_exec_etc_files(udev_t)
-files_dontaudit_search_isid_type_dirs(udev_t)
 files_getattr_generic_locks(udev_t)
 files_search_mnt(udev_t)