* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/services/
@ 2019-02-10  4:14 Jason Zaman
From: Jason Zaman @ 2019-02-10  4:14 UTC (permalink / raw
  To: gentoo-commits

commit:     f75896871e29215b93854d20fa218118dc70e45d
Author:     Alexander Miroshnichenko <alex <AT> millerson <DOT> name>
AuthorDate: Sat Jan 26 18:50:12 2019 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Feb 10 04:11:25 2019 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f7589687

fs_mmap_rw_hugetlbfs_files is a more appropriate name for the interface

Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

 policy/modules/kernel/filesystem.if   | 2 +-
 policy/modules/services/postgresql.te | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 7d9f0f43..6da7cc22 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -2350,7 +2350,7 @@ interface(`fs_rw_hugetlbfs_files',`
 ##      </summary>
 ## </param>
 #
-interface(`fs_rmw_hugetlbfs_files',`
+interface(`fs_mmap_rw_hugetlbfs_files',`
         gen_require(`
                 type hugetlbfs_t;
         ')

diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
index 09824a8b..3bdffe4f 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -331,7 +331,7 @@ dev_read_urand(postgresql_t)
 
 fs_getattr_all_fs(postgresql_t)
 fs_search_auto_mountpoints(postgresql_t)
-fs_rmw_hugetlbfs_files(postgresql_t)
+fs_mmap_rw_hugetlbfs_files(postgresql_t)
 
 selinux_get_enforce_mode(postgresql_t)
 selinux_validate_context(postgresql_t)



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/services/
@ 2019-02-10  4:14 Jason Zaman
From: Jason Zaman @ 2019-02-10  4:14 UTC (permalink / raw
  To: gentoo-commits

commit:     d4995122c6b1cdde1674282d58bc69494119f6d8
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Jan 27 17:58:33 2019 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Feb 10 04:11:25 2019 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d4995122

filesystem, postgresql: Module version bump.

Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

 policy/modules/kernel/filesystem.te   | 2 +-
 policy/modules/services/postgresql.te | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index 8ddacd76..5cbf319b 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -1,4 +1,4 @@
-policy_module(filesystem, 1.24.0)
+policy_module(filesystem, 1.24.1)
 
 ########################################
 #

diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
index 3bdffe4f..8f7043c3 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -1,4 +1,4 @@
-policy_module(postgresql, 1.19.0)
+policy_module(postgresql, 1.19.1)
 
 gen_require(`
 	class db_database all_db_database_perms;



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/services/
@ 2022-02-27  2:52 Jason Zaman
From: Jason Zaman @ 2022-02-27  2:52 UTC (permalink / raw
  To: gentoo-commits

commit:     5b564f3b243368edd0e083c78a99b059a10e80ed
Author:     Russell Coker <russell <AT> coker <DOT> com <DOT> au>
AuthorDate: Fri Feb 18 01:21:52 2022 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Feb 27 02:13:17 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5b564f3b

matrixd-synapse policy V3

Here's the latest version of the matrixd-synapse policy including all the
suggestions from a year ago.

Probably ready to merge.
Signed-off-by: Russell Coker <russell <AT> coker.com.au>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/kernel/corenetwork.te.in |   2 +-
 policy/modules/services/matrixd.fc      |   4 +
 policy/modules/services/matrixd.if      |   1 +
 policy/modules/services/matrixd.te      | 126 ++++++++++++++++++++++++++++++++
 4 files changed, 132 insertions(+), 1 deletion(-)

diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index 547328be..077aacf0 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -156,7 +156,7 @@ network_port(hadoop_namenode, tcp,8020,s0)
 network_port(hddtemp, tcp,7634,s0)
 network_port(howl, tcp,5335,s0, udp,5353,s0)
 network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0)
-network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
+network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0, tcp,8448,s0) #8443 is mod_nss default port
 network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,10001-10010,s0) # 8118 is for privoxy
 network_port(i18n_input, tcp,9010,s0)
 network_port(imaze, tcp,5323,s0, udp,5323,s0)
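Review bot: Adding tcp 8448 to the shared `http` port type widens the grant for every domain that already holds `corenet_tcp_connect_http_port` or `corenet_tcp_bind_http_port`, not only for matrixd_t; a dedicated port declared with its own `network_port(...)` entry and consumed through a matching `corenet_*` interface would keep the new listener scoped to this module. If reusing the http type is intentional (the Matrix federation port is commonly served by the same reverse proxy), the trailing comment still only explains 8443, so extend it: `#8443 is mod_nss default port, 8448 is Matrix federation`. This is the one line of the change that affects domains outside the new module, so the choice deserves a sentence in the commit message as well.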

diff --git a/policy/modules/services/matrixd.fc b/policy/modules/services/matrixd.fc
new file mode 100644
index 00000000..b59b1c75
--- /dev/null
+++ b/policy/modules/services/matrixd.fc
@@ -0,0 +1,4 @@
+/var/lib/matrix-synapse(/.*)?		gen_context(system_u:object_r:matrixd_var_t,s0)
+/var/log/matrix-synapse(/.*)?		gen_context(system_u:object_r:matrixd_log_t,s0)
+/etc/matrix-synapse(/.*)?		gen_context(system_u:object_r:matrixd_conf_t,s0)
+/usr/bin/synctl			--	gen_context(system_u:object_r:matrixd_exec_t,s0)

diff --git a/policy/modules/services/matrixd.if b/policy/modules/services/matrixd.if
new file mode 100644
index 00000000..f1eff5f0
--- /dev/null
+++ b/policy/modules/services/matrixd.if
@@ -0,0 +1 @@
+## <summary>Matrixd</summary>
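Review bot: The new interface file carries only `## <summary>Matrixd</summary>` and no `<desc>` block, so the generated module documentation will not say what the service is or what the two tunables declared in matrixd.te control. Suggest adding a short `## <desc>` paragraph after the summary that names the Synapse homeserver (the .fc paths are `/var/lib/matrix-synapse` and `/usr/bin/synctl`) and mentions the federation and PostgreSQL tunables by name so an administrator can find them.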

diff --git a/policy/modules/services/matrixd.te b/policy/modules/services/matrixd.te
new file mode 100644
index 00000000..5c217678
--- /dev/null
+++ b/policy/modules/services/matrixd.te
@@ -0,0 +1,126 @@
+policy_module(matrixd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+##  <p>
+##  Determine whether Matrixd is allowed to federate
+##  (bind all UDP ports and connect to all TCP ports).
+##  </p>
+## </desc>
+gen_tunable(matrix_allow_federation, true)
+
+## <desc>
+##  <p>
+##  Determine whether Matrixd can connect to the Postgres database.
+##  </p>
+## </desc>
+gen_tunable(matrix_postgresql_connect, false)
+
+
+type matrixd_t;
+type matrixd_exec_t;
+init_daemon_domain(matrixd_t, matrixd_exec_t)
+
+type matrixd_var_t;
+files_type(matrixd_var_t)
+
+type matrixd_log_t;
+logging_log_file(matrixd_log_t)
+
+type matrixd_conf_t;
+files_config_file(matrixd_conf_t)
+
+type matrixd_tmp_t;
+files_tmp_file(matrixd_tmp_t)
+
+########################################
+#
+# Local policy
+#
+
+allow matrixd_t self:fifo_file rw_file_perms;
+allow matrixd_t self:tcp_socket create_stream_socket_perms;
+allow matrixd_t self:netlink_route_socket r_netlink_socket_perms;
+
+allow matrixd_t self:udp_socket create_socket_perms;
+allow matrixd_t self:unix_dgram_socket create_socket_perms;
+# execmem is needed for Python callbacks
+# https://cffi.readthedocs.io/en/latest/using.html#callbacks
+allow matrixd_t self:process execmem;
+
+allow matrixd_t matrixd_tmp_t:file { manage_file_perms map };
+files_tmp_filetrans(matrixd_t, matrixd_tmp_t, file)
+fs_tmpfs_filetrans(matrixd_t, matrixd_tmp_t, file)
+
+manage_files_pattern(matrixd_t, matrixd_var_t, matrixd_var_t)
+files_search_var_lib(matrixd_t)
+allow matrixd_t matrixd_var_t:file map;
+allow matrixd_t matrixd_var_t:dir manage_dir_perms;
+
+logging_search_logs(matrixd_t)
+manage_files_pattern(matrixd_t, matrixd_log_t, matrixd_log_t)
+
+read_files_pattern(matrixd_t, matrixd_conf_t, matrixd_conf_t)
+allow matrixd_t matrixd_conf_t:dir list_dir_perms;
+
+kernel_read_system_state(matrixd_t)
+kernel_read_vm_overcommit_sysctl(matrixd_t)
+
+# The following in the systemd service file causes a domain transition when
+# running python3:
+# SELinuxContext=system_u:system_r:matrixd_t:s0
+corecmd_bin_entry_type(matrixd_t)
+corecmd_exec_bin(matrixd_t)
+corecmd_exec_shell(matrixd_t)
+
+corenet_tcp_bind_generic_node(matrixd_t)
+corenet_tcp_bind_http_port(matrixd_t)
+corenet_tcp_connect_http_cache_port(matrixd_t)
+corenet_tcp_connect_http_port(matrixd_t)
+
+corenet_udp_bind_generic_node(matrixd_t)
+corenet_udp_bind_generic_port(matrixd_t)
+corenet_udp_bind_reserved_port(matrixd_t)
+
+dev_read_urand(matrixd_t)
+
+files_read_etc_files(matrixd_t)
+files_read_etc_runtime_files(matrixd_t)
+files_read_etc_symlinks(matrixd_t)
+
+# for /usr/share/ca-certificates
+files_read_usr_files(matrixd_t)
+
+init_search_runtime(matrixd_t)
+logging_send_syslog_msg(matrixd_t)
+
+miscfiles_read_generic_tls_privkey(matrixd_t)
+miscfiles_read_generic_certs(matrixd_t)
+miscfiles_read_localization(matrixd_t)
+
+sysnet_read_config(matrixd_t)
+
+userdom_search_user_runtime_root(matrixd_t)
+
+optional_policy(`
+	apache_search_config(matrixd_t)
+')
+
+tunable_policy(`matrix_allow_federation',`
+	corenet_tcp_connect_all_unreserved_ports(matrixd_t)
+	corenet_tcp_connect_generic_port(matrixd_t)
+	corenet_udp_bind_all_ports(matrixd_t)
+', `
+	corenet_dontaudit_tcp_connect_all_ports(matrixd_t)
+	corenet_dontaudit_udp_bind_all_ports(matrixd_t)
+')
+
+tunable_policy(`matrix_postgresql_connect',`
+	postgresql_stream_connect(matrixd_t)
+	postgresql_tcp_connect(matrixd_t)
+')
+
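Review bot: The tunables `gen_tunable(matrix_allow_federation, true)` and `gen_tunable(matrix_postgresql_connect, false)` drop the module prefix while every type in the file is `matrixd_*`; refpolicy tunables are conventionally keyed to the module name, so `matrixd_allow_federation` and `matrixd_postgresql_connect` would match the rest of the module. Because the federation tunable defaults to true, the broad grants in its branch (`corenet_tcp_connect_all_unreserved_ports`, `corenet_udp_bind_all_ports`) are active on a fresh install, and the `<desc>` should state that the default is enabled and that disabling it is what switches the domain to the `dontaudit` fallback. It is also not visible from the file why a homeserver needs to bind all UDP ports, so a why-comment on that line would help the next reviewer. Minor style: the else-branch opener `', `` carries a stray space and the file ends with an extra blank line.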



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/services/
@ 2023-10-06 16:44 Kenton Groombridge
From: Kenton Groombridge @ 2023-10-06 16:44 UTC (permalink / raw
  To: gentoo-commits

commit:     345902025b3c03467a48c8b1474cbd3b3bc085cf
Author:     Russell Coker <russell <AT> coker <DOT> com <DOT> au>
AuthorDate: Thu Sep 21 14:22:36 2023 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Fri Oct  6 15:27:06 2023 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=34590202

policy for the Reliability Availability servicability daemon (#690)

* policy for the Reliability Availability serviceability daemon

Signed-off-by: Russell Coker <russell <AT> coker.com.au>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/kernel/filesystem.if  | 37 ++++++++++++++++++++++++++++++++
 policy/modules/services/rasdaemon.fc |  3 +++
 policy/modules/services/rasdaemon.if | 10 +++++++++
 policy/modules/services/rasdaemon.te | 41 ++++++++++++++++++++++++++++++++++++
 4 files changed, 91 insertions(+)

diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 5cdbc5644..5213df5ba 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -6154,6 +6154,43 @@ interface(`fs_getattr_tracefs_files',`
         allow $1 tracefs_t:file getattr;
 ')
 
+########################################
+## <summary>
+##	Read/write trace filesystem files
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`fs_rw_tracefs_files',`
+	gen_require(`
+		type tracefs_t;
+	')
+
+	allow $1 tracefs_t:dir list_dir_perms;
+	allow $1 tracefs_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+##	create trace filesystem directories
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`fs_create_tracefs_dirs',`
+	gen_require(`
+		type tracefs_t;
+	')
+
+	allow $1 tracefs_t:dir { create rw_dir_perms };
+')
+
 ########################################
 ## <summary>
 ##	Mount a XENFS filesystem.
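Review bot: The summary of `fs_create_tracefs_dirs` ("create trace filesystem directories") understates what the interface grants: `allow $1 tracefs_t:dir { create rw_dir_perms };` also lets the caller add and remove entries in existing tracefs directories, and interface summaries are what policy authors read when picking an interface. Suggest `##	Create and read/write trace filesystem directories`, capitalized like the neighbouring summaries; the `fs_rw_tracefs_files` summary above it already matches its allow rules.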

diff --git a/policy/modules/services/rasdaemon.fc b/policy/modules/services/rasdaemon.fc
new file mode 100644
index 000000000..9a83feb4f
--- /dev/null
+++ b/policy/modules/services/rasdaemon.fc
@@ -0,0 +1,3 @@
+/usr/sbin/rasdaemon			--	gen_context(system_u:object_r:rasdaemon_exec_t,s0)
+/var/lib/rasdaemon(/.*)?			gen_context(system_u:object_r:rasdaemon_var_t,s0)
+

diff --git a/policy/modules/services/rasdaemon.if b/policy/modules/services/rasdaemon.if
new file mode 100644
index 000000000..9509b0261
--- /dev/null
+++ b/policy/modules/services/rasdaemon.if
@@ -0,0 +1,10 @@
+## <summary>RAS (Reliability, Availability and Serviceability) logging tool</summary>
+##
+## <desc>
+## rasdaemon is a RAS (Reliability, Availability and Serviceability) logging
+## tool.  It currently records memory errors, using the EDAC tracing events.
+## EDAC are drivers in the Linux kernel that handle detection of ECC errors
+## from memory controllers for most chipsets on x86 and ARM architectures.
+##
+## https://git.infradead.org/users/mchehab/rasdaemon.git
+## </desc>

diff --git a/policy/modules/services/rasdaemon.te b/policy/modules/services/rasdaemon.te
new file mode 100644
index 000000000..9a65d5d74
--- /dev/null
+++ b/policy/modules/services/rasdaemon.te
@@ -0,0 +1,41 @@
+policy_module(rasdaemon)
+
+########################################
+#
+# Declarations
+#
+
+type rasdaemon_t;
+type rasdaemon_exec_t;
+init_daemon_domain(rasdaemon_t, rasdaemon_exec_t)
+
+type rasdaemon_var_t;
+files_type(rasdaemon_var_t)
+
+########################################
+#
+# Local policy
+#
+
+allow rasdaemon_t self:process getsched;
+allow rasdaemon_t self:capability sys_rawio;
+
+allow rasdaemon_t rasdaemon_var_t:dir manage_dir_perms;
+allow rasdaemon_t rasdaemon_var_t:file manage_file_perms;
+
+kernel_read_debugfs(rasdaemon_t)
+kernel_read_system_state(rasdaemon_t)
+kernel_read_vm_overcommit_sysctl(rasdaemon_t)
+kernel_search_fs_sysctls(rasdaemon_t)
+
+dev_read_sysfs(rasdaemon_t)
+dev_read_urand(rasdaemon_t)
+dev_rw_cpu_microcode(rasdaemon_t)
+
+files_search_var_lib(rasdaemon_t)
+fs_create_tracefs_dirs(rasdaemon_t)
+fs_rw_tracefs_files(rasdaemon_t)
+
+logging_send_syslog_msg(rasdaemon_t)
+miscfiles_read_localization(rasdaemon_t)
+
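Review bot: `allow rasdaemon_t self:capability sys_rawio;` and `dev_rw_cpu_microcode(rasdaemon_t)` are the two most powerful grants in the file and neither carries a comment saying what rasdaemon needs them for, although the module's own .if description only mentions recording EDAC trace events. CAP_SYS_RAWIO and read/write access to the CPU device nodes go well beyond that description, so the reason should be recorded above each line, e.g. `# sys_rawio: needed for <REASON — confirm from the denials that motivated it>`, and the microcode rule should be reduced to read access if writes are never exercised. Without the comment a later maintainer cannot tell whether the grants were observed denials or precautionary.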


