[gentoo-commits] proj/hardened-refpolicy:master commit in: /

["Kenton Groombridge" <concord@gentoo.org>]

commit:     1949397458a649cf876a4a758a28d65626ad2709
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Mon Feb 26 18:38:45 2024 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Fri Mar  1 17:06:00 2024 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=19493974

Update Changelog and VERSION for release 2.20240226.

Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 Changelog | 487 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 VERSION   |   2 +-
 2 files changed, 488 insertions(+), 1 deletion(-)

diff --git a/Changelog b/Changelog
index 76cd60fdc..a1938b4f0 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,490 @@
+* Mon Feb 26 2024 Chris PeBenito <pebenito@ieee.org> - 2.20240226
+Chris PeBenito (174):
+      tests.yml: Pin ubuntu 20.04.
+      tests.yml: Pin ubuntu 20.04.
+      fstools: Move lines.
+      munin: Move munin_rw_tcp_sockets() implementation.
+      munin: Whitespace change.
+      systemd: Tmpfilesd can correct seusers on files.
+      iscsi: Read initiatorname.iscsi.
+      lvm: Add fc entry for /etc/multipath/*
+      sysnetwork: Rename sysnet_dontaudit_rw_dhcpc_unix_dgram_sockets()
+      Define user_namespace object class.
+      chromium: Allow user namespace creation.
+      mozilla: Allow user namespace creation.
+      systemd: Allow user namespace creation.
+      container: Allow user namespace creation for all container engines.
+      Update eg25manager.te
+      switcheroo: Whitespace fix.
+      unconfined: Keys are linkable by systemd.
+      postgresql: Move lines
+      Add append to rw and manage lnk_file permission sets for consistency.
+      domain: Manage own fds.
+      systemd: systemd-cgroups reads kernel.cap_last_cap sysctl.
+      kernel: hv_utils shutdown on systemd systems.
+      Container: Minor fixes from interactive container use.
+      systemd: Minor coredump fixes.
+      rpm: Minor fixes
+      init: Allow nnp/nosuid transitions from systemd initrc_t.
+      selinuxutil: Semanage reads policy for export.
+      sysnetwork: ifconfig searches debugfs.
+      usermanage: Add sysctl access for groupadd to get number of groups.
+      files: Handle symlinks for /media and /srv.
+      cloudinit: Add support for installing RPMs and setting passwords.
+      kdump: Fixes from testing kdumpctl.
+      usermanage: Handle symlinks in /usr/share/cracklib.
+      unconfined: Add remaining watch_* permissions.
+      chronyd: Read /dev/urandom.
+      cloud-init: Allow use of sudo in runcmd.
+      cloud-init: Add systemd permissions.
+      cloud-init: Change udev rules
+      systemd: Updates for systemd-locale.
+      cloudinit: Add permissions derived from sysadm.
+
+Christian Göttsche (28):
+      git: add fcontext for default binary
+      init: only grant getattr in init_getattr_generic_units_files()
+      ci: bump SELint version to 1.5.0
+      SELint userspace class tweaks
+      systemd: reorder optional block
+      devicedisk: reorder optional block
+      access_vectors: define io_uring { cmd }
+      support/genhomedircon: support usr prefixed paths
+      fix misc typos
+      Support multi-line interface calls
+      policy_capabilities: remove estimated from released versions
+      Rules.monolithic: pre-compile fcontexts on install
+      Rules.modular: use temporary file to not ignore error
+      Makefile: use sepolgen-ifgen-attr-helper from test toolchain
+      Makefile: set PYTHONPATH for test toolchain
+      virt: label qemu configuration directory
+      selinuxutil: setfiles updates
+      selinuxutil: ignore getattr proc in newrole
+      userdom: permit reading PSI as admin
+      fs: mark memory pressure type as file
+      systemd: binfmt updates
+      vnstatd: update
+      fs: add support for virtiofs
+      systemd: generator updates
+      udev: update
+      systemd: logind update
+      consolesetup: update
+      libraries: drop space in empty line
+
+Christian Schneider (1):
+      systemd-generator: systemd_generator_t load kernel modules used for e.g.
+         zram-generator
+
+Corentin LABBE (20):
+      udev: permit to read hwdb
+      fstools: handle gentoo place for drivedb.h
+      mount: dbus interface must be optional
+      mcelog: add missing file context for triggers
+      munin: add file context for common functions file
+      rsyslog: add label for /var/empty/dev/log
+      munin: disk-plugin: transition to fsadm
+      munin: add fc for munin-node plugin state
+      usermanage: permit groupadd to read kernel sysctl
+      portage: Remove old binary location
+      portage: add go/hg source control files
+      portage: add new location for portage commands
+      portage: add missing go/hg context in new distfiles location
+      mandb: permit to read inherited cron files
+      selinuxutil: do not audit load_policy trying to use portage ptys
+      selinuxutil: permit run_init to read kernel sysctl
+      portage: add misc mising rules
+      smartmon: allow smartd to read fsadm_db_t files
+      smartmon: add domain for update-smart-drivedb
+      dovecot: add missing permissions
+
+Dave Sugar (46):
+      rng-tools updated to 6.15 (on RHEL9) seeing the following denials:
+      Allow local login to read /run/motd
+      Label pwhistory_helper
+      If domain can read system_dbusd_var_lib_t files, also allow symlinks
+      systemd-rfkill.socket reads /dev/rfkill (with ListenSocket=) option.
+      To allow setting for net.netfilter.nf_* in /etc/sysctl.d/*.conf
+      Allow iceauth write to xsession log
+      Allow system_dbusd_t to start/stop all units
+      Updates for utempter
+      Allow display manager to read hwdata
+      Allow search xdm_var_run_t directories along with reading files.
+      Solve issue with no keyboard/mouse on X login screen
+      separate label for /etc/security/opasswd
+      Fix some ssh agent denials
+      For systemd-hostnamed service to run
+      Allow rsyslog to drop capabilities
+      /var/lib/sddm should be xdm_var_lib_t
+      resolve lvm_t issues at shutdown with LUKS encrypted devices
+      Allow all users to (optionally) send syslog messages
+      Resolve some denials with colord
+      separate domain for journalctl during init
+      Use interface that already exists.
+      Separate label for /run/systemd/notify (#710)
+      Changes needed for dbus-broker-launch
+      Allow dbus-broker-launch to execute in same domain
+      dbus changes
+      Firewalld need to relabel direct.xml file
+      xguest ues systemd --user
+      Needed to allow environment variable to process started (for cockpit)
+      SELinux policy for cockpit
+      Fix denial while cleaning up pidfile symlink
+      allow system --user to execute systemd-tmpfiles in
+         <user>_systemd_tmpfiles_t domain
+      cockpit ssh as user
+      Allow sudo dbus chat w/sysemd-logind
+      The L+ tmpfiles option needs to read the symlink
+      Signal during logout
+      This seems important for administrative access
+      This works instead of allow exec on user_tmpfs_t!
+      admin can read/write web socket
+      Allow key manipulation
+      Add dontaudit to quiet down a bit
+      Add watches
+      Additional access for systemctl
+      Denial during cockpit use
+      Fix password changing from cockpit login screen
+      Resolve error when cockpit initiate shutdown
+
+David Sommerseth (1):
+      openvpn: Allow netlink genl
+
+Fabrice Fontaine (1):
+      policy/modules/services/smartmon.te: make fstools optional
+
+Florian Schmidt (1):
+      Add label and interfaces for kernel PSI files
+
+George Zenner (1):
+      Signed-off-by: George Zenner <zen@pyl.onl>
+
+Grzegorz Filo (3):
+      Shell functions used during boot by initrc_t shall be bin_t and defined in
+         corecommands.fc
+      Dir transition goes with dir create perms.
+      Keep context of blkid file/dir when created by zpool.
+
+Guido Trentalancia (53):
+      The pulseaudio daemon and client do not normally need to use the network
+         for most computer systems that need to play and record audio.
+      The kernel domain should be able to mounton runtime directories during
+         switch_root, otherwise parts of the boot process might fail on some
+         systems (for example, the udev daemon).
+      The kernel domain should be able to mounton default directories during
+         switch_root.
+      The pulseaudio module should be able to read alsa library directories.
+      Fix the pulseaudio module file transition for named sockets in tmp
+         directories.
+      Fix the dbus module so that automatic file type transitions are used not
+         only for files and directories, but also for named sockets.
+      Fix the dbus module so that temporary session named sockets can be read
+         and written in the role template and by system and session bus clients.
+      Update the dbus role template so that permissions to get the attributes of
+         the proc filesystem are included.
+      Let pulseaudio search debugfs directories, as currently done with other
+         modules.
+      Separate the tunable permissions to write xserver tmpfs files from the
+         tunable permissions to write X server shared memory.
+      Fix a security bug in the xserver module (interfaces) which was wrongly
+         allowing an interface to bypass existing tunable policy logic related
+         to X shared memory and xserver tmpfs files write permissions.
+      Add missing permissions to execute binary files for the evolution_alarm_t
+         domain.
+      Add the permissions to manage the fonts cache (fontconfig) to the window
+         manager role template.
+      Add permissions to watch libraries directories to the userdomain login
+         user template interface.
+      Update the xscreensaver module in order to work with the latest version
+         (tested with version 6.06).
+      Include the X server tmpfs rw permissions in the X shared memory write
+         access tunable policy under request from Christoper PeBenito.
+      Revert the following commit (ability to read /usr files), as it is no
+         longer needed, after the database file got its own label:
+      Update the kernel module to remove misplaced or at least really obsolete
+         permissions during kernel module loading.
+      Introduce a new "logging_syslog_can_network" boolean and make the
+         net_admin capability as well as all corenetwork permissions previously
+         granted to the syslog daemon conditional upon such boolean being true.
+      Let the openoffice domain manage fonts cache (fontconfig).
+      Update the openoffice module so that it can create Unix stream sockets
+         with its own label and use them both as a client and a server.
+      Let mplayer to act as a dbus session bus client (needed by the vlc media
+         player).
+      Add permissions to read device sysctls to mplayer.
+      Remove misplaced permission from mount interface mount_exec.
+      Remove a vulnerability introduced by a logging interface which allows to
+         execute log files.
+      Improved wording for the new xserver tunable policy booleans introduced
+         with the previous three commits.
+      Fix another security bug companion of the one fixed in the following
+         previous commit:
+      Fix another security bug similar to the ones that have been recently fixed
+         in the following two commits:
+      Remove duplicate permissions in the xserver module
+         xserver_restricted_role() interface.
+      Dbus creates Unix domain sockets (in addition to listening on and
+         connecting to them), so its policy module is modified accordingly.
+      Remove a logging interface from the userdomain module since it has now
+         been moved to the xscreensaver domain.
+      Create a new specific file label for the random seed file saved before
+         shutting down or rebooting the system and rework the interface needed
+         to manage such file.
+      Fix the shutdown policy in order to make use of the newly created file
+         label and interface needed to manage the random seed file.
+      Update the gpg module so that the application is able to fetch new keys
+         from the network.
+      Dbus creates Unix domain sockets not only for the system bus, but also for
+         the session bus (in addition to connecting to them), so its policy
+         module is modified accordingly.
+      Update the gnome module so that the gconf daemon is able to create Unix
+         domain sockets and accept or listen connections on them.
+      Fix the recently introduced "logging_syslog_can_network" tunable policy,
+         by including TCP/IP socket creation permissions.
+      Introduce a new interface in the mta module to manage the mail transport
+         agent configuration directories and files.
+      Add new gpg interfaces for gpg_agent execution and to avoid auditing
+         search operations on files and directories that are not strictly needed
+         and might pose a security risk.
+      Extend the scope of the "spamassassin_can_network" tunable policy boolean
+         to all network access (except the relative dontaudit rules).
+      Update the spamassassin module in order to better support the rules
+         updating script; this achieved by employing two distinct domains for
+         increased security and network isolation: a first domain is used for
+         fetching the updated rules from the network and second domain is used
+         for verifying the GPG signatures of the received rules.
+      Under request from Christopher PeBenito, merge the two spamassassin rules
+         updating SELinux domains introduced in the previous change in order to
+         reduce the non-swappable kernel memory used by the policy.
+      Introduce a new "dbus_can_network" boolean which controls whether or not
+         the dbus daemon can act as a server over TCP/IP networks and defaults
+         to false, as this is generally insecure, except when using the local
+         loopback interface.
+      Introduce two new booleans for the X server and X display manager domains
+         which control whether or not the respective domains allow the TCP/IP
+         server networking functionality.
+      The X display manager uses an authentication mechanism based on an
+         authorization file which is critical for X security.
+      Merge branch 'main' into x_fixes_pr2
+      Let openoffice perform temporary file transitions and manage link files.
+      Modify the gpg module so that gpg and the gpg_agent can manage
+         gpg_runtime_t socket files.
+      The LDAP server only needs to read generic certificate files, not manage
+         them.
+      Create new TLS Private Keys file contexts for the Apache HTTP server
+         according to the default locations:
+      Let the webadm role manage Private Keys and CSR for SSL Certificates used
+         by the HTTP daemon.
+      Let the certmonger module manage SSL Private Keys and CSR used for example
+         by the HTTP and/or Mail Transport daemons.
+      Additional file context fix for:
+
+Kai Meng (1):
+      devices:Add genfscon context for functionfs to mount
+
+Kenton Groombridge (106):
+      corenet: add portcon for kubernetes
+      kubernetes: initial policy module
+      sysadm: allow running kubernetes
+      crio: new policy module
+      crio, kubernetes: allow k8s admins to run CRI-O
+      container: add type for container plugins
+      various: fixes for kubernetes
+      kubernetes: add policy for kubectl
+      various: fixes for kubernetes
+      container, kernel: add tunable to allow spc to create NFS servers
+      container: add tunable to allow containers to use huge pages
+      container, kubernetes: add private type for generic container devices
+      container: add tunable to use dri devices
+      container, kubernetes: add rules for device plugins running as spc
+      various: allow using glusterfs as backing storage for k8s
+      container, miscfiles: transition to s0 for public content created by
+         containers
+      container: add tunable to allow spc to use tun-tap devices
+      container: correct admin_pattern() usage
+      systemd: add policy for systemd-pcrphase
+      hddtemp: add missing rules for interactive usage
+      netutils: minor fixes for nmap and traceroute
+      container: add rules required for metallb BGP speakers
+      filesystem, init: allow systemd to setattr on ramfs dirs
+      logging: allow domains sending syslog messages to connect to kernel unix
+         stream sockets
+      init, sysadm: allow sysadm to manage systemd runtime units
+      podman: allow podman to stop systemd transient units
+      userdom: allow admin users to use tcpdiag netlink sockets
+      container: allow container admins the sysadm capability in user namespaces
+      postfix: allow postfix master to map data files
+      sasl: add filecon for /etc/sasl2 keytab
+      obj_perm_sets: add mmap_manage_file_perms
+      various: use mmap_manage_file_perms
+      postfix, sasl: allow postfix smtp daemon to read SASL keytab
+      various: fixes for libvirtd and systemd-machined
+      portage: label eix cache as portage_cache_t
+      container: add missing filetrans and filecon for containerd/docker
+      container, init, systemd: add policy for quadlet
+      container: fixes for podman 4.4.0
+      container: fixes for podman run --log-driver=passthrough
+      node_exporter: various fixes
+      redis: add missing rules for runtime filetrans
+      podman, selinux: move lines, add missing rules for --network=host
+      netutils: fixes for iftop
+      kernel, zfs: add filetrans for kernel creating zpool cache file
+      zfs: allow sending signals to itself
+      zfs: add runtime filetrans for dirs
+      init: make init_runtime_t useable for systemd units
+      various: make /etc/machine-id etc_runtime_t
+      init, systemd: allow init to create userdb runtime symlinks
+      init: allow initrc_t to getcap
+      systemd: allow systemd-userdbd to getcap
+      logging: allow systemd-journald to list cgroups
+      fs, udev: allow systemd-udevd various cgroup perms
+      logging, systemd: allow relabelfrom,relabelto on systemd journal files by
+         systemd-journald
+      files, systemd: allow systemd-tmpfiles to relabel config file symlinks
+      systemd: add rules for systemd-zram-generator
+      systemd: allow systemd-pcrphase to read generic certs
+      fs, init: allow systemd-init to set the attributes of efivarfs files
+      init: allow systemd-init to set the attributes of unallocated terminals
+      systemd: allow systemd-resolved to bind to UDP port 5353
+      init: allow initrc_t to create netlink_kobject_uevent_sockets
+      raid: allow mdadm to read udev runtime files
+      raid: allow mdadm to create generic links in /dev/md
+      fstools: allow fsadm to read utab
+      glusterfs: allow glusterd to bind to all TCP unreserved ports
+      kubernetes: allow kubelet to read etc runtime files
+      chromium: allow chromium-naclhelper to create user namespaces
+      container: rework capabilities
+      container: allow watching FUSEFS dirs and files
+      glusterfs: add tunable to allow managing unlabeled files
+      sysadm: allow using networkctl
+      container: various fixes
+      container, kubernetes: add support for cilium
+      kubernetes: allow container engines to mount on DRI devices if enabled
+      init, systemd: label systemd-executor as init_exec_t
+      udev: allow reading kernel fs sysctls
+      init: allow all daemons to write to init runtime sockets
+      systemd: fixes for systemd-pcrphase
+      systemd: allow networkd to use netlink netfilter sockets
+      rpc: add filecon for /etc/exports.d
+      zed: allow managing /etc/exports.d/zfs.exports
+      zfs: dontaudit net_admin capability by zed
+      su: various fixes
+      kernel: allow delete and setattr on generic SCSI and USB devices
+      mount: make mount_runtime_t a kubernetes mountpoint
+      fstools: allow fsadm to ioctl cgroup dirs
+      fstools: allow reading container device blk files
+      container, kubernetes: add support for rook-ceph
+      kernel: dontaudit read fixed disk devices
+      container: add filecons for rook-ceph
+      init, systemd: allow systemd-pcrphase to write TPM measurements
+      systemd: add policy for systemd-machine-id-setup
+      container, kubernetes: allow kubernetes to use fuse-overlayfs
+      kubernetes: fix kubelet accounting
+      systemd: label systemd-pcrlock as systemd-pcrphase
+      zfs: allow zfs to write to exports
+      kernel: allow managing mouse devices
+      init: allow using system bus anon pidfs
+      systemd: label systemd-tpm2-setup as systemd-pcrphase
+      bootloader, init, udev: misc minor fixes
+      rpc: fix not labeling exports.d directory
+      dbus: allow the system bus to get the status of generic units
+      systemd: allow systemd generator to list exports
+      crio: allow reading container home content
+      container: allow spc to map kubernetes runtime files
+      kubernetes: allow kubelet to apply fsGroup to persistent volumes
+
+Luca Boccassi (4):
+      Set label systemd-oomd
+      Add separate label for cgroup's memory.pressure files
+      systemd: also allow to mounton memory.pressure
+      systemd: allow daemons to access memory.pressure
+
+Mathieu Tortuyaux (1):
+      container: fix cilium denial
+
+Oleksii Miroshko (1):
+      Fix templates parsing in gentemplates.sh
+
+Pat Riehecky (1):
+      container: set default context for local-path-provisioner
+
+Renato Caldas (1):
+      kubernetes: allow kubelet to read /proc/sys/vm files.
+
+Russell Coker (28):
+      This patch removes deprecated interfaces that were deprecated in the
+         20210203 release.  I think that 2 years of support for a deprecated
+         interface is enough and by the time we have the next release out it
+         will probably be more than 2 years since 20210203.
+      This patch removes deprecated interfaces that were deprecated in the
+         20210203 release.  I think that 2 years of support for a deprecated
+         interface is enough and by the time we have the next release out it
+         will probably be more than 2 years since 20210203.
+      eg25-manager (Debian package eg25-manager) is a daemon aimed at
+         configuring and monitoring the Quectel EG25 modem on a running system.
+         It is used on the PinePhone (Pro) and performs the following functions:
+           * power on/off   * startup configuration using AT commands   * AGPS
+         data upload   * status monitoring (and restart if it becomes
+         unavailable) Homepage: https://gitlab.com/mobian1/eg25-manager
+      iio-sensor-proxy (Debian package iio-sensor-proxy)  IIO sensors to D-Bus
+         proxy  Industrial I/O subsystem is intended to provide support for
+         devices  that in some sense are analog to digital or digital to analog
+         convertors  .  Devices that fall into this category are:   * ADCs   *
+         Accelerometers   * Gyros   * IMUs   * Capacitance to Digital Converters
+         (CDCs)   * Pressure Sensors   * Color, Light and Proximity Sensors   *
+         Temperature Sensors   * Magnetometers   * DACs   * DDS (Direct Digital
+         Synthesis)   * PLLs (Phase Locked Loops)   * Variable/Programmable Gain
+         Amplifiers (VGA, PGA)
+      Fixed dependency on unconfined_t
+      Comment sysfs better
+      Daemon to control authentication for Thunderbolt.
+      Daemon to monitor memory pressure and notify applications and change …
+         (#670)
+      switcheroo is a daemon to manage discrete vs integrated GPU use for apps
+      policy for power profiles daemon, used to change power settings
+      some misc userdomain fixes
+      debian motd.d directory (#689)
+      policy for the Reliability Availability servicability daemon (#690)
+      policy patches for anti-spam daemons (#698)
+      Added tmpfs file type for postgresql Small mysql stuff including
+         anon_inode
+      small ntp and dns changes (#703)
+      small network patches (#707)
+      small storage changes (#706)
+      allow jabbers to create sock file and allow matrixd to read sysfs (#705)
+      small systemd patches (#708)
+      misc small patches for cron policy (#701)
+      mon.te patches as well as some fstools patches related to it (#697)
+      misc small email changes (#704)
+      https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/
+      Label checkarray as mdadm_exec_t, allow it to read/write temp files
+         inherited from cron, and dontaudit ps type operations from it
+      Changes to eg25manager and modemmanager needed for firmware upload on
+         pinephonepro
+      patches for nspawn policy (#721)
+      Simple patch for Brother printer drivers as described in:
+         https://etbe.coker.com.au/2023/10/22/brother-mfc-j4440dw-printer/
+
+Yi Zhao (15):
+      systemd: add capability sys_resource to systemd_userdbd_t
+      systemd: allow systemd-sysctl to search directories on ramfs
+      systemd: allow systemd-resolved to search directories on tmpfs and ramfs
+      mount: allow mount_t to get attributes for all directories
+      loadkeys: do not audit attempts to get attributes for all directories
+      systemd: allow systemd-networkd to create file in /run/systemd directory
+      systemd: allow journalctl to create /var/lib/systemd/catalog
+      bind: fix for named service
+      systemd: use init_daemon_domain instead of init_system_domain for
+         systemd-networkd and systemd-resolved
+      rpm: fixes for dnf
+      lvm: set context for /run/cryptsetup
+      container: set context for /run/crun
+      systemd: allow systemd-hostnamed to read machine-id and localization files
+      systemd: allow systemd-rfkill to getopt from uevent sockets
+      udev: fix for systemd-udevd
+
+freedom1b2830 (1):
+      mplayer:vlc paths
+
 * Tue Nov 01 2022 Chris PeBenito <pebenito@ieee.org> - 2.20221101
 Chris PeBenito (46):
       systemd: Drop systemd_detect_virt_t.

diff --git a/VERSION b/VERSION
index f14c5b175..238b92fda 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.20221101
+2.20240226