* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/services/
From: Jason Zaman @ 2019-02-10 4:14 UTC
To: gentoo-commits
commit: f75896871e29215b93854d20fa218118dc70e45d
Author: Alexander Miroshnichenko <alex <AT> millerson <DOT> name>
AuthorDate: Sat Jan 26 18:50:12 2019 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Feb 10 04:11:25 2019 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f7589687
fs_mmap_rw_hugetlbfs_files is a more appropriate name for the interface
Signed-off-by: Jason Zaman <jason <AT> perfinion.com>
policy/modules/kernel/filesystem.if | 2 +-
policy/modules/services/postgresql.te | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 7d9f0f43..6da7cc22 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -2350,7 +2350,7 @@ interface(`fs_rw_hugetlbfs_files',`
## </summary>
## </param>
#
-interface(`fs_rmw_hugetlbfs_files',`
+interface(`fs_mmap_rw_hugetlbfs_files',`
gen_require(`
type hugetlbfs_t;
')
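Review bot: The rename drops the old interface name outright, so any out-of-tree policy still calling fs_rmw_hugetlbfs_files() stops building. If fs_rmw_hugetlbfs_files shipped in a released refpolicy, keep the old name as a deprecated wrapper that just calls fs_mmap_rw_hugetlbfs_files($1) and emits a deprecation warning; if the name only ever existed in master, a hard rename is fine. The diffstat shows postgresql.te as the only in-tree caller, and the next hunk updates it.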
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
index 09824a8b..3bdffe4f 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -331,7 +331,7 @@ dev_read_urand(postgresql_t)
fs_getattr_all_fs(postgresql_t)
fs_search_auto_mountpoints(postgresql_t)
-fs_rmw_hugetlbfs_files(postgresql_t)
+fs_mmap_rw_hugetlbfs_files(postgresql_t)
selinux_get_enforce_mode(postgresql_t)
selinux_validate_context(postgresql_t)
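Review bot: The call-site update is complete for the in-tree callers listed in the diffstat, but neither filesystem nor postgresql gets a policy_module() version bump in this commit; the bump arrives separately in d4995122 below. Bumping the module versions in the same commit as the rename keeps each commit self-consistent, which matters when bisecting a policy build failure.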
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/services/
From: Jason Zaman @ 2019-02-10 4:14 UTC
To: gentoo-commits
commit: d4995122c6b1cdde1674282d58bc69494119f6d8
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Jan 27 17:58:33 2019 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Feb 10 04:11:25 2019 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d4995122
filesystem, postgresql: Module version bump.
Signed-off-by: Jason Zaman <jason <AT> perfinion.com>
policy/modules/kernel/filesystem.te | 2 +-
policy/modules/services/postgresql.te | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index 8ddacd76..5cbf319b 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -1,4 +1,4 @@
-policy_module(filesystem, 1.24.0)
+policy_module(filesystem, 1.24.1)
########################################
#
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
index 3bdffe4f..8f7043c3 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -1,4 +1,4 @@
-policy_module(postgresql, 1.19.0)
+policy_module(postgresql, 1.19.1)
gen_require(`
class db_database all_db_database_perms;
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/services/
From: Jason Zaman @ 2022-02-27 2:52 UTC
To: gentoo-commits
commit: 5b564f3b243368edd0e083c78a99b059a10e80ed
Author: Russell Coker <russell <AT> coker <DOT> com <DOT> au>
AuthorDate: Fri Feb 18 01:21:52 2022 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Feb 27 02:13:17 2022 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5b564f3b
matrixd-synapse policy V3
Here's the latest version of the matrixd-synapse policy including all the
suggestions from a year ago.
Probably ready to merge.
Signed-off-by: Russell Coker <russell <AT> coker.com.au>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/kernel/corenetwork.te.in | 2 +-
policy/modules/services/matrixd.fc | 4 +
policy/modules/services/matrixd.if | 1 +
policy/modules/services/matrixd.te | 126 ++++++++++++++++++++++++++++++++
4 files changed, 132 insertions(+), 1 deletion(-)
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index 547328be..077aacf0 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -156,7 +156,7 @@ network_port(hadoop_namenode, tcp,8020,s0)
network_port(hddtemp, tcp,7634,s0)
network_port(howl, tcp,5335,s0, udp,5353,s0)
network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0)
-network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0) #8443 is mod_nss default port
+network_port(http, tcp,80,s0, tcp,443,s0, tcp,488,s0, tcp,8008,s0, tcp,8009,s0, tcp,8443,s0, tcp,8448,s0) #8443 is mod_nss default port
network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0, tcp,8118,s0, tcp,10001-10010,s0) # 8118 is for privoxy
network_port(i18n_input, tcp,9010,s0)
network_port(imaze, tcp,5323,s0, udp,5323,s0)
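Review bot: The trailing comment on the http line still documents only 8443; extend it to say that 8448 is the Matrix federation port, the way the http_cache line notes that 8118 is for privoxy, otherwise the next reader cannot tell why a port with no obvious HTTP meaning was added. Also note the scope of the change: adding 8448 to http_port_t grants it to every domain that already has corenet_tcp_connect_http_port() or corenet_tcp_bind_http_port(), not only to matrixd_t. That is consistent with the new module binding via corenet_tcp_bind_http_port(), but a dedicated port type would let federation access be granted per domain rather than to every HTTP client and server on the system.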
diff --git a/policy/modules/services/matrixd.fc b/policy/modules/services/matrixd.fc
new file mode 100644
index 00000000..b59b1c75
--- /dev/null
+++ b/policy/modules/services/matrixd.fc
@@ -0,0 +1,4 @@
+/var/lib/matrix-synapse(/.*)? gen_context(system_u:object_r:matrixd_var_t,s0)
+/var/log/matrix-synapse(/.*)? gen_context(system_u:object_r:matrixd_log_t,s0)
+/etc/matrix-synapse(/.*)? gen_context(system_u:object_r:matrixd_conf_t,s0)
+/usr/bin/synctl -- gen_context(system_u:object_r:matrixd_exec_t,s0)
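Review bot: Sort the entries by path as the other .fc files do (/etc, then /usr, then /var) instead of var, log, etc, usr. Also state what the /usr/bin/synctl -- entry is for: the comment in matrixd.te says the unit file enters matrixd_t through SELinuxContext= while running python3, so if the unit starts python3 directly the init_daemon_domain() transition through matrixd_exec_t never fires and the label only matters for manual starts; a one-line comment saying which path is actually used avoids the appearance of an unused entrypoint.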
diff --git a/policy/modules/services/matrixd.if b/policy/modules/services/matrixd.if
new file mode 100644
index 00000000..f1eff5f0
--- /dev/null
+++ b/policy/modules/services/matrixd.if
@@ -0,0 +1 @@
+## <summary>Matrixd</summary>
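Review bot: The interface file carries only a <summary> and defines no interfaces. Daemon modules in refpolicy normally provide at least a matrixd_admin() interface so an admin role can be granted management of matrixd_var_t, matrixd_log_t, matrixd_conf_t and matrixd_tmp_t without raw rules in another module. A short <desc> saying that Matrixd is the matrix-synapse homeserver would also help, since every path in the .fc file says matrix-synapse while all of the types say matrixd.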
diff --git a/policy/modules/services/matrixd.te b/policy/modules/services/matrixd.te
new file mode 100644
index 00000000..5c217678
--- /dev/null
+++ b/policy/modules/services/matrixd.te
@@ -0,0 +1,126 @@
+policy_module(matrixd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether Matrixd is allowed to federate
+## (bind all UDP ports and connect to all TCP ports).
+## </p>
+## </desc>
+gen_tunable(matrix_allow_federation, true)
+
+## <desc>
+## <p>
+## Determine whether Matrixd can connect to the Postgres database.
+## </p>
+## </desc>
+gen_tunable(matrix_postgresql_connect, false)
+
+
+type matrixd_t;
+type matrixd_exec_t;
+init_daemon_domain(matrixd_t, matrixd_exec_t)
+
+type matrixd_var_t;
+files_type(matrixd_var_t)
+
+type matrixd_log_t;
+logging_log_file(matrixd_log_t)
+
+type matrixd_conf_t;
+files_config_file(matrixd_conf_t)
+
+type matrixd_tmp_t;
+files_tmp_file(matrixd_tmp_t)
+
+########################################
+#
+# Local policy
+#
+
+allow matrixd_t self:fifo_file rw_file_perms;
+allow matrixd_t self:tcp_socket create_stream_socket_perms;
+allow matrixd_t self:netlink_route_socket r_netlink_socket_perms;
+
+allow matrixd_t self:udp_socket create_socket_perms;
+allow matrixd_t self:unix_dgram_socket create_socket_perms;
+# execmem is needed for Python callbacks
+# https://cffi.readthedocs.io/en/latest/using.html#callbacks
+allow matrixd_t self:process execmem;
+
+allow matrixd_t matrixd_tmp_t:file { manage_file_perms map };
+files_tmp_filetrans(matrixd_t, matrixd_tmp_t, file)
+fs_tmpfs_filetrans(matrixd_t, matrixd_tmp_t, file)
+
+manage_files_pattern(matrixd_t, matrixd_var_t, matrixd_var_t)
+files_search_var_lib(matrixd_t)
+allow matrixd_t matrixd_var_t:file map;
+allow matrixd_t matrixd_var_t:dir manage_dir_perms;
+
+logging_search_logs(matrixd_t)
+manage_files_pattern(matrixd_t, matrixd_log_t, matrixd_log_t)
+
+read_files_pattern(matrixd_t, matrixd_conf_t, matrixd_conf_t)
+allow matrixd_t matrixd_conf_t:dir list_dir_perms;
+
+kernel_read_system_state(matrixd_t)
+kernel_read_vm_overcommit_sysctl(matrixd_t)
+
+# The following in the systemd service file causes a domain transition when
+# running python3:
+# SELinuxContext=system_u:system_r:matrixd_t:s0
+corecmd_bin_entry_type(matrixd_t)
+corecmd_exec_bin(matrixd_t)
+corecmd_exec_shell(matrixd_t)
+
+corenet_tcp_bind_generic_node(matrixd_t)
+corenet_tcp_bind_http_port(matrixd_t)
+corenet_tcp_connect_http_cache_port(matrixd_t)
+corenet_tcp_connect_http_port(matrixd_t)
+
+corenet_udp_bind_generic_node(matrixd_t)
+corenet_udp_bind_generic_port(matrixd_t)
+corenet_udp_bind_reserved_port(matrixd_t)
+
+dev_read_urand(matrixd_t)
+
+files_read_etc_files(matrixd_t)
+files_read_etc_runtime_files(matrixd_t)
+files_read_etc_symlinks(matrixd_t)
+
+# for /usr/share/ca-certificates
+files_read_usr_files(matrixd_t)
+
+init_search_runtime(matrixd_t)
+logging_send_syslog_msg(matrixd_t)
+
+miscfiles_read_generic_tls_privkey(matrixd_t)
+miscfiles_read_generic_certs(matrixd_t)
+miscfiles_read_localization(matrixd_t)
+
+sysnet_read_config(matrixd_t)
+
+userdom_search_user_runtime_root(matrixd_t)
+
+optional_policy(`
+ apache_search_config(matrixd_t)
+')
+
+tunable_policy(`matrix_allow_federation',`
+ corenet_tcp_connect_all_unreserved_ports(matrixd_t)
+ corenet_tcp_connect_generic_port(matrixd_t)
+ corenet_udp_bind_all_ports(matrixd_t)
+', `
+ corenet_dontaudit_tcp_connect_all_ports(matrixd_t)
+ corenet_dontaudit_udp_bind_all_ports(matrixd_t)
+')
+
+tunable_policy(`matrix_postgresql_connect',`
+ postgresql_stream_connect(matrixd_t)
+ postgresql_tcp_connect(matrixd_t)
+')
+
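Review bot: The matrix_postgresql_connect tunable_policy block calls postgresql_stream_connect() and postgresql_tcp_connect() with no enclosing optional_policy(`...'), unlike the apache_search_config() call just above it; if the postgresql module is not loaded, the require for its types fails and the matrixd module cannot be inserted, so wrap that tunable_policy in optional_policy. Further points on this hunk: (1) the matrix_allow_federation <desc> says "connect to all TCP ports", but the rules grant corenet_tcp_connect_all_unreserved_ports() and corenet_tcp_connect_generic_port(), so reserved ports are excluded; make the description match the rules, and note that the tunable defaults to true, so this wide network access is on out of the box. (2) corenet_udp_bind_reserved_port() is unconditional and corenet_udp_bind_all_ports() is under the tunable; say which listener needs a reserved UDP port, since a resolver client is covered by sysnet_dns_name_resolve() and needs neither. (3) corecmd_bin_entry_type(matrixd_t) together with the SELinuxContext= comment means any bin_t executable can serve as the entrypoint into matrixd_t whenever init sets that context, which is much wider than the single matrixd_exec_t entrypoint; consider having the unit execute /usr/bin/synctl (already labelled matrixd_exec_t) so the ordinary init_daemon_domain() transition applies and the bin_t entrypoint can go. (4) userdom_search_user_runtime_root() is unusual for a system daemon; a comment explaining why it needs to search /run/user is warranted. The comment justifying execmem is exactly the kind of note the other broad grants need too.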
* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/kernel/, policy/modules/services/
From: Kenton Groombridge @ 2023-10-06 16:44 UTC
To: gentoo-commits
commit: 345902025b3c03467a48c8b1474cbd3b3bc085cf
Author: Russell Coker <russell <AT> coker <DOT> com <DOT> au>
AuthorDate: Thu Sep 21 14:22:36 2023 +0000
Commit: Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Fri Oct 6 15:27:06 2023 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=34590202
policy for the Reliability Availability serviceability daemon (#690)
* policy for the Reliability Availability serviceability daemon
Signed-off-by: Russell Coker <russell <AT> coker.com.au>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>
policy/modules/kernel/filesystem.if | 37 ++++++++++++++++++++++++++++++++
policy/modules/services/rasdaemon.fc | 3 +++
policy/modules/services/rasdaemon.if | 10 +++++++++
policy/modules/services/rasdaemon.te | 41 ++++++++++++++++++++++++++++++++++++
4 files changed, 91 insertions(+)
diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index 5cdbc5644..5213df5ba 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -6154,6 +6154,43 @@ interface(`fs_getattr_tracefs_files',`
allow $1 tracefs_t:file getattr;
')
+########################################
+## <summary>
+## Read/write trace filesystem files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_rw_tracefs_files',`
+ gen_require(`
+ type tracefs_t;
+ ')
+
+ allow $1 tracefs_t:dir list_dir_perms;
+ allow $1 tracefs_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+## create trace filesystem directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_create_tracefs_dirs',`
+ gen_require(`
+ type tracefs_t;
+ ')
+
+ allow $1 tracefs_t:dir { create rw_dir_perms };
+')
+
########################################
## <summary>
## Mount a XENFS filesystem.
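Review bot: fs_create_tracefs_dirs() grants { create rw_dir_perms } while its summary says only "create"; either narrow the rule or document that it also reads and writes tracefs directories, and capitalise the summary ("Create trace filesystem directories") to match the neighbouring interfaces. Since rw_dir_perms is a superset of the list_dir_perms that fs_rw_tracefs_files() already grants, the two interfaces overlap, which is fine but worth a sentence. More importantly, the summary of fs_rw_tracefs_files() should say that writing tracefs files enables and configures kernel tracepoints, so a caller is being granted control over kernel tracing and not merely the ability to read trace output.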
diff --git a/policy/modules/services/rasdaemon.fc b/policy/modules/services/rasdaemon.fc
new file mode 100644
index 000000000..9a83feb4f
--- /dev/null
+++ b/policy/modules/services/rasdaemon.fc
@@ -0,0 +1,3 @@
+/usr/sbin/rasdaemon -- gen_context(system_u:object_r:rasdaemon_exec_t,s0)
+/var/lib/rasdaemon(/.*)? gen_context(system_u:object_r:rasdaemon_var_t,s0)
+
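Review bot: The new file ends with an added empty line; drop the trailing blank line to match the other .fc files. The two entries themselves are in path order and use the usual -- qualifier for the executable.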
diff --git a/policy/modules/services/rasdaemon.if b/policy/modules/services/rasdaemon.if
new file mode 100644
index 000000000..9509b0261
--- /dev/null
+++ b/policy/modules/services/rasdaemon.if
@@ -0,0 +1,10 @@
+## <summary>RAS (Reliability, Availability and Serviceability) logging tool</summary>
+##
+## <desc>
+## rasdaemon is a RAS (Reliability, Availability and Serviceability) logging
+## tool. It currently records memory errors, using the EDAC tracing events.
+## EDAC are drivers in the Linux kernel that handle detection of ECC errors
+## from memory controllers for most chipsets on x86 and ARM architectures.
+##
+## https://git.infradead.org/users/mchehab/rasdaemon.git
+## </desc>
diff --git a/policy/modules/services/rasdaemon.te b/policy/modules/services/rasdaemon.te
new file mode 100644
index 000000000..9a65d5d74
--- /dev/null
+++ b/policy/modules/services/rasdaemon.te
@@ -0,0 +1,41 @@
+policy_module(rasdaemon)
+
+########################################
+#
+# Declarations
+#
+
+type rasdaemon_t;
+type rasdaemon_exec_t;
+init_daemon_domain(rasdaemon_t, rasdaemon_exec_t)
+
+type rasdaemon_var_t;
+files_type(rasdaemon_var_t)
+
+########################################
+#
+# Local policy
+#
+
+allow rasdaemon_t self:process getsched;
+allow rasdaemon_t self:capability sys_rawio;
+
+allow rasdaemon_t rasdaemon_var_t:dir manage_dir_perms;
+allow rasdaemon_t rasdaemon_var_t:file manage_file_perms;
+
+kernel_read_debugfs(rasdaemon_t)
+kernel_read_system_state(rasdaemon_t)
+kernel_read_vm_overcommit_sysctl(rasdaemon_t)
+kernel_search_fs_sysctls(rasdaemon_t)
+
+dev_read_sysfs(rasdaemon_t)
+dev_read_urand(rasdaemon_t)
+dev_rw_cpu_microcode(rasdaemon_t)
+
+files_search_var_lib(rasdaemon_t)
+fs_create_tracefs_dirs(rasdaemon_t)
+fs_rw_tracefs_files(rasdaemon_t)
+
+logging_send_syslog_msg(rasdaemon_t)
+miscfiles_read_localization(rasdaemon_t)
+
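Review bot: allow rasdaemon_t self:capability sys_rawio; and dev_rw_cpu_microcode() are granted without a comment. CAP_SYS_RAWIO is a high-value capability; the most likely reason for it here is that the kernel's msr driver requires it to open /dev/cpu/*/msr, which would also explain the read/write access to cpu devices. A comment naming the access that needs each grant, as the matrixd policy does for execmem, makes the rule auditable and lets a later reviewer drop it if rasdaemon stops reading MSRs. Likewise, fs_create_tracefs_dirs() plus fs_rw_tracefs_files() gives the daemon write access to all of tracefs, i.e. the ability to enable arbitrary kernel tracepoints rather than only the EDAC events the description says it consumes; refpolicy has no finer tracefs type, so this is acceptable, but it deserves a comment stating that the daemon configures its own trace instance.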