From: "Jason Zaman" <perfinion@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/
Date: Sun,  1 Jan 2017 16:36:50 +0000 (UTC)	[thread overview]
Message-ID: <1483287988.1a61c661fe20b6990ecb37c4a3c7ab2f9c9f5f3c.perfinion@gentoo> (raw)

commit:     1a61c661fe20b6990ecb37c4a3c7ab2f9c9f5f3c
Author:     Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Sun Dec 18 20:58:44 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jan  1 16:26:28 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1a61c661

kernel: missing permissions for confined execution

This patch adds permissions to the kernel module whose absence prevents
running it without the unconfined module.

This second version improves the comment section of new interfaces:
"Domain" is replaced by "Domain allowed access".

Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>

 policy/modules/kernel/devices.if    |  56 +++++++++++++++
 policy/modules/kernel/files.if      | 131 ++++++++++++++++++++++++++++++++++++
 policy/modules/kernel/filesystem.if |  18 +++++
 policy/modules/kernel/kernel.if     |  18 +++++
 policy/modules/kernel/kernel.te     |  34 ++++++++++
 policy/modules/kernel/terminal.if   |  20 ++++++
 6 files changed, 277 insertions(+)

diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 3f05417..7d99b29 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -480,6 +480,25 @@ interface(`dev_dontaudit_getattr_generic_blk_files',`
 
 ########################################
 ## <summary>
+##	Set the attributes on generic
+##	block devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_setattr_generic_blk_files',`
+	gen_require(`
+		type device_t;
+	')
+
+	allow $1 device_t:blk_file setattr;
+')
+
+########################################
+## <summary>
 ##	Dontaudit setattr on generic block devices.
 ## </summary>
 ## <param name="domain">
@@ -570,6 +589,25 @@ interface(`dev_dontaudit_getattr_generic_chr_files',`
 
 ########################################
 ## <summary>
+##	Set the attributes for generic
+##	character device files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_setattr_generic_chr_files',`
+	gen_require(`
+		type device_t;
+	')
+
+	allow $1 device_t:chr_file setattr;
+')
+
+########################################
+## <summary>
 ##	Dontaudit setattr for generic character device files.
 ## </summary>
 ## <param name="domain">
@@ -3897,6 +3935,24 @@ interface(`dev_manage_smartcard',`
 
 ########################################
 ## <summary>
+##	Mount a filesystem on sysfs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allow access.
+##	</summary>
+## </param>
+#
+interface(`dev_mounton_sysfs',`
+	gen_require(`
+		type device_t;
+	')
+
+	allow $1 sysfs_t:dir mounton;
+')
+
+########################################
+## <summary>
 ##	Associate a file to a sysfs filesystem.
 ## </summary>
 ## <param name="file_type">
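Review bot: `dev_mounton_sysfs` requires `device_t` in its `gen_require` block, but its only rule is `allow $1 sysfs_t:dir mounton;`, so the type it actually uses is never declared; the require line should be `type sysfs_t;`. As written, a caller that does not already have `sysfs_t` in scope may fail to compile or link, and the unused `device_t` requirement misstates the interface's dependencies. The parameter summary also says "Domain allow access." where every other interface added by this commit says "Domain allowed access.". The identical hunk is repeated in the `:next` copy of this message further down the page.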

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 3fc0487..b5eeaf8 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1786,6 +1786,25 @@ interface(`files_list_root',`
 
 ########################################
 ## <summary>
+##	Delete symbolic links in the
+##	root directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_delete_root_symlinks',`
+	gen_require(`
+		type root_t;
+	')
+
+	allow $1 root_t:lnk_file delete_lnk_file_perms;
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to write to / dirs.
 ## </summary>
 ## <param name="domain">
@@ -1914,6 +1933,25 @@ interface(`files_dontaudit_rw_root_chr_files',`
 
 ########################################
 ## <summary>
+##	Delete character device nodes in
+##	the root directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_delete_root_chr_files',`
+	gen_require(`
+		type root_t;
+	')
+
+	allow $1 root_t:chr_file delete_chr_file_perms;
+')
+
+########################################
+## <summary>
 ##	Delete files in the root directory.
 ## </summary>
 ## <param name="domain">
@@ -1932,6 +1970,24 @@ interface(`files_delete_root_files',`
 
 ########################################
 ## <summary>
+##	Execute files in the root directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_exec_root_files',`
+	gen_require(`
+		type root_t;
+	')
+
+	allow $1 root_t:file exec_file_perms;
+')
+
+########################################
+## <summary>
 ##	Remove entries from the root directory.
 ## </summary>
 ## <param name="domain">
@@ -1950,6 +2006,43 @@ interface(`files_delete_root_dir_entry',`
 
 ########################################
 ## <summary>
+##	Manage the root directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_manage_root_dir',`
+	gen_require(`
+		type root_t;
+	')
+
+	allow $1 root_t:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
+##	Get the attributes of a rootfs
+##	file system.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_getattr_rootfs',`
+	gen_require(`
+		type root_t;
+	')
+
+	allow $1 root_t:filesystem getattr;
+')
+
+########################################
+## <summary>
 ##	Associate to root file system.
 ## </summary>
 ## <param name="file_type">
@@ -3057,6 +3150,44 @@ interface(`files_delete_boot_flag',`
 
 ########################################
 ## <summary>
+##	Get the attributes of the
+##	etc_runtime directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_getattr_etc_runtime_dirs',`
+	gen_require(`
+		type etc_runtime_t;
+	')
+
+	allow $1 etc_runtime_t:dir getattr;
+')
+
+########################################
+## <summary>
+##	Mount a filesystem on the
+##	etc_runtime directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_mounton_etc_runtime_dirs',`
+	gen_require(`
+		type etc_runtime_t;
+	')
+
+	allow $1 etc_runtime_t:dir mounton;
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to set the attributes of the etc_runtime files
 ## </summary>
 ## <param name="domain">

diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index c85d805..23c7f08 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -4303,6 +4303,24 @@ interface(`fs_dontaudit_rw_tmpfs_files',`
 
 ########################################
 ## <summary>
+##	Delete tmpfs symbolic links.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_delete_tmpfs_symlinks',`
+	gen_require(`
+		type tmpfs_t;
+	')
+
+	allow $1 tmpfs_t:lnk_file delete_lnk_file_perms;
+')
+
+########################################
+## <summary>
 ##	Create, read, write, and delete
 ##	auto moutpoints.
 ## </summary>

diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 2c7ad0c..6887b00 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -957,6 +957,24 @@ interface(`kernel_dontaudit_write_proc_dirs',`
 
 ########################################
 ## <summary>
+##	Mount the directories in /proc.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_mounton_proc_dirs',`
+	gen_require(`
+		type proc_t;
+	')
+
+	allow $1 proc_t:dir mounton;
+')
+
+########################################
+## <summary>
 ##	Get the attributes of files in /proc.
 ## </summary>
 ## <param name="domain">
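Review bot: The summary for `kernel_mounton_proc_dirs` reads "Mount the directories in /proc.", but the rule grants `proc_t:dir mounton`, which is permission to use such a directory as a mount point. I would word it `##	Mount a filesystem on directories in /proc.`, matching the phrasing this commit uses for `dev_mounton_sysfs` and `files_mounton_etc_runtime_dirs`. The same hunk is repeated in the `:next` copy of this message below.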

diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 7334dc9..2a6ab8e 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -239,6 +239,7 @@ allow kernel_t unlabeled_t:dir mounton;
 # connections with invalidated labels:
 allow kernel_t unlabeled_t:packet send;
 
+kernel_mounton_proc_dirs(kernel_t)
 kernel_request_load_module(kernel_t)
 
 # Allow unlabeled network traffic
@@ -258,6 +259,7 @@ corenet_tcp_sendrecv_all_nodes(kernel_t)
 corenet_raw_send_generic_node(kernel_t)
 corenet_send_all_packets(kernel_t)
 
+dev_mounton_sysfs(kernel_t)
 dev_read_sysfs(kernel_t)
 dev_search_usbfs(kernel_t)
 # devtmpfs handling:
@@ -268,15 +270,31 @@ dev_delete_generic_blk_files(kernel_t)
 dev_create_generic_chr_files(kernel_t)
 dev_delete_generic_chr_files(kernel_t)
 dev_mounton(kernel_t)
+dev_delete_generic_symlinks(kernel_t)
+dev_rw_generic_chr_files(kernel_t)
+dev_setattr_generic_blk_files(kernel_t)
+dev_setattr_generic_chr_files(kernel_t)
+dev_getattr_fs(kernel_t)
+dev_getattr_sysfs(kernel_t)
 
 # Mount root file system. Used when loading a policy
 # from initrd, then mounting the root filesystem
 fs_mount_all_fs(kernel_t)
 fs_unmount_all_fs(kernel_t)
 
+fs_getattr_tmpfs(kernel_t)
+fs_getattr_tmpfs_dirs(kernel_t)
+fs_manage_tmpfs_dirs(kernel_t)
+fs_manage_tmpfs_files(kernel_t)
+fs_manage_tmpfs_sockets(kernel_t)
+fs_delete_tmpfs_symlinks(kernel_t)
+
+selinux_getattr_fs(kernel_t)
 selinux_load_policy(kernel_t)
 
+term_getattr_pty_fs(kernel_t)
 term_use_console(kernel_t)
+term_use_generic_ptys(kernel_t)
 
 # for kdevtmpfs
 term_setattr_unlink_unallocated_ttys(kernel_t)
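Review bot: `term_getattr_pty_fs(kernel_t)` is the call added here, yet the interface this commit introduces in terminal.if is `term_getattr_pty_dirs`, which nothing in the diff calls. If the denial being addressed was a `getattr` on the `devpts_t` directory rather than on the filesystem object, the line should be `term_getattr_pty_dirs(kernel_t)` (or both calls are needed); otherwise the new interface is dead weight in this commit. The definition of `term_getattr_pty_fs` is not visible in the diff, so this should be checked against terminal.if. The same applies to the repeated hunk in the `:next` copy of this message.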
@@ -289,8 +307,16 @@ corecmd_exec_bin(kernel_t)
 domain_signal_all_domains(kernel_t)
 domain_search_all_domains_state(kernel_t)
 
+files_getattr_rootfs(kernel_t)
+files_manage_root_dir(kernel_t)
+files_delete_root_files(kernel_t)
+files_exec_root_files(kernel_t)
+files_delete_root_symlinks(kernel_t)
+files_delete_root_chr_files(kernel_t)
 files_list_root(kernel_t)
 files_list_etc(kernel_t)
+files_getattr_etc_runtime_dirs(kernel_t)
+files_mounton_etc_runtime_dirs(kernel_t)
 files_list_home(kernel_t)
 files_read_usr_files(kernel_t)
 
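Review bot: The six `root_t` grants added here are broad for `kernel_t` and carry no comment saying which boot stage needs them. `files_exec_root_files` maps to `exec_file_perms` and `files_manage_root_dir` to `manage_dir_perms` in files.if, so `kernel_t` may execute any file labelled `root_t` and create or remove `root_t` directories. The file already annotates comparable groups (`# devtmpfs handling:`, `# for kdevtmpfs`); a line such as `# early boot from the initial rootfs (confirm against the AVC denials):` above `files_getattr_rootfs(kernel_t)` would let an auditor judge whether each rule is still needed. It is also worth confirming that the executed files cannot instead be given a more specific label with a domain transition, which would avoid running them in `kernel_t`. The same hunk is repeated in the `:next` copy of this message.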
@@ -343,6 +369,7 @@ optional_policy(`
 ')
 
 optional_policy(`
+	logging_manage_generic_logs(kernel_t)
 	logging_send_syslog_msg(kernel_t)
 ')
 
@@ -356,6 +383,12 @@ optional_policy(`
 ')
 
 optional_policy(`
+	plymouthd_read_lib_files(kernel_t)
+	term_use_ptmx(kernel_t)
+	term_use_unallocated_ttys(kernel_t)
+')
+
+optional_policy(`
 	# nfs kernel server needs kernel UDP access. It is less risky and painful
 	# to just give it everything.
 	allow kernel_t self:tcp_socket create_stream_socket_perms;
@@ -405,6 +438,7 @@ optional_policy(`
 optional_policy(`
 	seutil_read_config(kernel_t)
 	seutil_read_bin_policy(kernel_t)
+	seutil_domtrans_setfiles(kernel_t)
 ')
 
 optional_policy(`

diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
index 86692b0..05be047 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@@ -403,6 +403,25 @@ interface(`term_relabel_pty_fs',`
 
 ########################################
 ## <summary>
+##	Get the attributes of the
+##	/dev/pts directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`term_getattr_pty_dirs',`
+	gen_require(`
+		type devpts_t;
+	')
+
+	allow $1 devpts_t:dir getattr;
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to get the
 ##	attributes of the /dev/pts directory.
 ## </summary>
@@ -553,6 +572,7 @@ interface(`term_getattr_generic_ptys',`
 
 	allow $1 devpts_t:chr_file getattr;
 ')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to get the attributes


WARNING: multiple messages have this Message-ID (diff)
From: "Jason Zaman" <perfinion@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/kernel/
Date: Sun,  1 Jan 2017 16:37:39 +0000 (UTC)	[thread overview]
Message-ID: <1483287988.1a61c661fe20b6990ecb37c4a3c7ab2f9c9f5f3c.perfinion@gentoo> (raw)
Message-ID: <20170101163739.S8tDkamZwbDO0DSDSHtceVUbfyN-o9dvjQNfA1P3JRI@z> (raw)

commit:     1a61c661fe20b6990ecb37c4a3c7ab2f9c9f5f3c
Author:     Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Sun Dec 18 20:58:44 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jan  1 16:26:28 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1a61c661

kernel: missing permissions for confined execution

This patch adds permissions to the kernel module whose absence prevents
running it without the unconfined module.

This second version improves the comment section of new interfaces:
"Domain" is replaced by "Domain allowed access".

Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>

 policy/modules/kernel/devices.if    |  56 +++++++++++++++
 policy/modules/kernel/files.if      | 131 ++++++++++++++++++++++++++++++++++++
 policy/modules/kernel/filesystem.if |  18 +++++
 policy/modules/kernel/kernel.if     |  18 +++++
 policy/modules/kernel/kernel.te     |  34 ++++++++++
 policy/modules/kernel/terminal.if   |  20 ++++++
 6 files changed, 277 insertions(+)

diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 3f05417..7d99b29 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -480,6 +480,25 @@ interface(`dev_dontaudit_getattr_generic_blk_files',`
 
 ########################################
 ## <summary>
+##	Set the attributes on generic
+##	block devices.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_setattr_generic_blk_files',`
+	gen_require(`
+		type device_t;
+	')
+
+	allow $1 device_t:blk_file setattr;
+')
+
+########################################
+## <summary>
 ##	Dontaudit setattr on generic block devices.
 ## </summary>
 ## <param name="domain">
@@ -570,6 +589,25 @@ interface(`dev_dontaudit_getattr_generic_chr_files',`
 
 ########################################
 ## <summary>
+##	Set the attributes for generic
+##	character device files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_setattr_generic_chr_files',`
+	gen_require(`
+		type device_t;
+	')
+
+	allow $1 device_t:chr_file setattr;
+')
+
+########################################
+## <summary>
 ##	Dontaudit setattr for generic character device files.
 ## </summary>
 ## <param name="domain">
@@ -3897,6 +3935,24 @@ interface(`dev_manage_smartcard',`
 
 ########################################
 ## <summary>
+##	Mount a filesystem on sysfs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allow access.
+##	</summary>
+## </param>
+#
+interface(`dev_mounton_sysfs',`
+	gen_require(`
+		type device_t;
+	')
+
+	allow $1 sysfs_t:dir mounton;
+')
+
+########################################
+## <summary>
 ##	Associate a file to a sysfs filesystem.
 ## </summary>
 ## <param name="file_type">

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 3fc0487..b5eeaf8 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1786,6 +1786,25 @@ interface(`files_list_root',`
 
 ########################################
 ## <summary>
+##	Delete symbolic links in the
+##	root directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_delete_root_symlinks',`
+	gen_require(`
+		type root_t;
+	')
+
+	allow $1 root_t:lnk_file delete_lnk_file_perms;
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to write to / dirs.
 ## </summary>
 ## <param name="domain">
@@ -1914,6 +1933,25 @@ interface(`files_dontaudit_rw_root_chr_files',`
 
 ########################################
 ## <summary>
+##	Delete character device nodes in
+##	the root directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_delete_root_chr_files',`
+	gen_require(`
+		type root_t;
+	')
+
+	allow $1 root_t:chr_file delete_chr_file_perms;
+')
+
+########################################
+## <summary>
 ##	Delete files in the root directory.
 ## </summary>
 ## <param name="domain">
@@ -1932,6 +1970,24 @@ interface(`files_delete_root_files',`
 
 ########################################
 ## <summary>
+##	Execute files in the root directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_exec_root_files',`
+	gen_require(`
+		type root_t;
+	')
+
+	allow $1 root_t:file exec_file_perms;
+')
+
+########################################
+## <summary>
 ##	Remove entries from the root directory.
 ## </summary>
 ## <param name="domain">
@@ -1950,6 +2006,43 @@ interface(`files_delete_root_dir_entry',`
 
 ########################################
 ## <summary>
+##	Manage the root directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_manage_root_dir',`
+	gen_require(`
+		type root_t;
+	')
+
+	allow $1 root_t:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
+##	Get the attributes of a rootfs
+##	file system.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_getattr_rootfs',`
+	gen_require(`
+		type root_t;
+	')
+
+	allow $1 root_t:filesystem getattr;
+')
+
+########################################
+## <summary>
 ##	Associate to root file system.
 ## </summary>
 ## <param name="file_type">
@@ -3057,6 +3150,44 @@ interface(`files_delete_boot_flag',`
 
 ########################################
 ## <summary>
+##	Get the attributes of the
+##	etc_runtime directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_getattr_etc_runtime_dirs',`
+	gen_require(`
+		type etc_runtime_t;
+	')
+
+	allow $1 etc_runtime_t:dir getattr;
+')
+
+########################################
+## <summary>
+##	Mount a filesystem on the
+##	etc_runtime directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_mounton_etc_runtime_dirs',`
+	gen_require(`
+		type etc_runtime_t;
+	')
+
+	allow $1 etc_runtime_t:dir mounton;
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to set the attributes of the etc_runtime files
 ## </summary>
 ## <param name="domain">

diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index c85d805..23c7f08 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -4303,6 +4303,24 @@ interface(`fs_dontaudit_rw_tmpfs_files',`
 
 ########################################
 ## <summary>
+##	Delete tmpfs symbolic links.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_delete_tmpfs_symlinks',`
+	gen_require(`
+		type tmpfs_t;
+	')
+
+	allow $1 tmpfs_t:lnk_file delete_lnk_file_perms;
+')
+
+########################################
+## <summary>
 ##	Create, read, write, and delete
 ##	auto moutpoints.
 ## </summary>

diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 2c7ad0c..6887b00 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -957,6 +957,24 @@ interface(`kernel_dontaudit_write_proc_dirs',`
 
 ########################################
 ## <summary>
+##	Mount the directories in /proc.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_mounton_proc_dirs',`
+	gen_require(`
+		type proc_t;
+	')
+
+	allow $1 proc_t:dir mounton;
+')
+
+########################################
+## <summary>
 ##	Get the attributes of files in /proc.
 ## </summary>
 ## <param name="domain">

diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 7334dc9..2a6ab8e 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -239,6 +239,7 @@ allow kernel_t unlabeled_t:dir mounton;
 # connections with invalidated labels:
 allow kernel_t unlabeled_t:packet send;
 
+kernel_mounton_proc_dirs(kernel_t)
 kernel_request_load_module(kernel_t)
 
 # Allow unlabeled network traffic
@@ -258,6 +259,7 @@ corenet_tcp_sendrecv_all_nodes(kernel_t)
 corenet_raw_send_generic_node(kernel_t)
 corenet_send_all_packets(kernel_t)
 
+dev_mounton_sysfs(kernel_t)
 dev_read_sysfs(kernel_t)
 dev_search_usbfs(kernel_t)
 # devtmpfs handling:
@@ -268,15 +270,31 @@ dev_delete_generic_blk_files(kernel_t)
 dev_create_generic_chr_files(kernel_t)
 dev_delete_generic_chr_files(kernel_t)
 dev_mounton(kernel_t)
+dev_delete_generic_symlinks(kernel_t)
+dev_rw_generic_chr_files(kernel_t)
+dev_setattr_generic_blk_files(kernel_t)
+dev_setattr_generic_chr_files(kernel_t)
+dev_getattr_fs(kernel_t)
+dev_getattr_sysfs(kernel_t)
 
 # Mount root file system. Used when loading a policy
 # from initrd, then mounting the root filesystem
 fs_mount_all_fs(kernel_t)
 fs_unmount_all_fs(kernel_t)
 
+fs_getattr_tmpfs(kernel_t)
+fs_getattr_tmpfs_dirs(kernel_t)
+fs_manage_tmpfs_dirs(kernel_t)
+fs_manage_tmpfs_files(kernel_t)
+fs_manage_tmpfs_sockets(kernel_t)
+fs_delete_tmpfs_symlinks(kernel_t)
+
+selinux_getattr_fs(kernel_t)
 selinux_load_policy(kernel_t)
 
+term_getattr_pty_fs(kernel_t)
 term_use_console(kernel_t)
+term_use_generic_ptys(kernel_t)
 
 # for kdevtmpfs
 term_setattr_unlink_unallocated_ttys(kernel_t)
@@ -289,8 +307,16 @@ corecmd_exec_bin(kernel_t)
 domain_signal_all_domains(kernel_t)
 domain_search_all_domains_state(kernel_t)
 
+files_getattr_rootfs(kernel_t)
+files_manage_root_dir(kernel_t)
+files_delete_root_files(kernel_t)
+files_exec_root_files(kernel_t)
+files_delete_root_symlinks(kernel_t)
+files_delete_root_chr_files(kernel_t)
 files_list_root(kernel_t)
 files_list_etc(kernel_t)
+files_getattr_etc_runtime_dirs(kernel_t)
+files_mounton_etc_runtime_dirs(kernel_t)
 files_list_home(kernel_t)
 files_read_usr_files(kernel_t)
 
@@ -343,6 +369,7 @@ optional_policy(`
 ')
 
 optional_policy(`
+	logging_manage_generic_logs(kernel_t)
 	logging_send_syslog_msg(kernel_t)
 ')
 
@@ -356,6 +383,12 @@ optional_policy(`
 ')
 
 optional_policy(`
+	plymouthd_read_lib_files(kernel_t)
+	term_use_ptmx(kernel_t)
+	term_use_unallocated_ttys(kernel_t)
+')
+
+optional_policy(`
 	# nfs kernel server needs kernel UDP access. It is less risky and painful
 	# to just give it everything.
 	allow kernel_t self:tcp_socket create_stream_socket_perms;
@@ -405,6 +438,7 @@ optional_policy(`
 optional_policy(`
 	seutil_read_config(kernel_t)
 	seutil_read_bin_policy(kernel_t)
+	seutil_domtrans_setfiles(kernel_t)
 ')
 
 optional_policy(`

diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
index 86692b0..05be047 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@@ -403,6 +403,25 @@ interface(`term_relabel_pty_fs',`
 
 ########################################
 ## <summary>
+##	Get the attributes of the
+##	/dev/pts directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`term_getattr_pty_dirs',`
+	gen_require(`
+		type devpts_t;
+	')
+
+	allow $1 devpts_t:dir getattr;
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to get the
 ##	attributes of the /dev/pts directory.
 ## </summary>
@@ -553,6 +572,7 @@ interface(`term_getattr_generic_ptys',`
 
 	allow $1 devpts_t:chr_file getattr;
 ')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to get the attributes


2014-02-09 10:54 Sven Vermeulen
2014-02-09 10:54 Sven Vermeulen
2014-02-09 10:54 Sven Vermeulen
2014-01-23 20:00 Sven Vermeulen
2014-01-19 19:01 Sven Vermeulen
2013-12-06 17:33 Sven Vermeulen
2013-11-03 11:19 Sven Vermeulen
2013-09-27 13:27 Sven Vermeulen
2013-09-27 13:27 Sven Vermeulen
2013-09-27 13:27 Sven Vermeulen
2013-09-27 13:27 Sven Vermeulen
2013-09-27 13:27 Sven Vermeulen
2013-09-27 13:27 Sven Vermeulen
2013-09-27 13:27 Sven Vermeulen
2013-09-27  6:50 Sven Vermeulen
2013-09-24 17:10 Sven Vermeulen
2013-09-24 17:10 Sven Vermeulen
2013-09-24 17:10 Sven Vermeulen
2013-09-24 17:10 Sven Vermeulen
2013-08-15 17:23 Sven Vermeulen
2013-08-15  9:22 Sven Vermeulen
2013-08-13 18:16 Sven Vermeulen
2013-05-16  9:06 Sven Vermeulen
2013-05-01 19:32 Sven Vermeulen
2013-05-01 18:42 Sven Vermeulen
2013-04-11 18:04 Sven Vermeulen
2013-04-11 17:30 Sven Vermeulen
2013-03-11 18:53 Sven Vermeulen
2013-03-10 15:29 Sven Vermeulen
2013-02-18 18:11 Sven Vermeulen
2013-02-04 19:17 Sven Vermeulen
2013-02-04 19:17 Sven Vermeulen
2013-02-04 19:17 Sven Vermeulen
2013-02-04 19:17 Sven Vermeulen
2013-02-04 19:17 Sven Vermeulen
2013-02-04 19:17 Sven Vermeulen
2012-12-29 18:24 Sven Vermeulen
2012-12-17 16:56 Sven Vermeulen
2012-12-08 18:21 Sven Vermeulen
2012-12-03  9:35 Sven Vermeulen
2012-12-03  9:35 Sven Vermeulen
2012-11-12 21:19 Sven Vermeulen
2012-11-10 17:40 Sven Vermeulen
2012-10-31 18:04 Sven Vermeulen
2012-10-31 18:04 Sven Vermeulen
2012-10-31 18:04 Sven Vermeulen
2012-10-30 20:24 Sven Vermeulen
2012-10-30 20:24 Sven Vermeulen
2012-10-19 15:06 Sven Vermeulen
2012-10-19 15:06 Sven Vermeulen
2012-10-19 15:06 Sven Vermeulen
2012-10-19 15:06 Sven Vermeulen
2012-10-10 19:52 Sven Vermeulen
2012-10-04 17:36 Sven Vermeulen
2012-10-04 17:36 Sven Vermeulen
2012-10-04 17:36 Sven Vermeulen
2012-10-04 17:36 Sven Vermeulen
2012-09-28 17:57 Sven Vermeulen
2012-09-28 17:57 Sven Vermeulen
2012-09-28 17:57 Sven Vermeulen
2012-09-08 17:30 Sven Vermeulen
2012-08-29 18:48 Sven Vermeulen
2012-08-28 17:28 Sven Vermeulen
2012-08-28 17:28 Sven Vermeulen
2012-08-28 17:28 Sven Vermeulen
2012-08-15 13:04 Sven Vermeulen
2012-05-26 17:06 Sven Vermeulen
2012-05-16 18:34 Sven Vermeulen
