public inbox for gentoo-commits@lists.gentoo.org
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/, policy/modules/kernel/
@ 2014-11-28 10:44 Sven Vermeulen
From: Sven Vermeulen @ 2014-11-28 10:44 UTC
  To: gentoo-commits

commit:     7c41301a215662b550962c3440879d302d4fc6ee
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Nov 28 10:13:54 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Nov 28 10:43:29 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=7c41301a

Fix bug 529204 - Support a dhcpc_script_t domain

We introduce an executable domain (dhcpc_script_t) through which the
hooks can be executed for the DHCP clients. This domain is separate in
order to keep the privileges of the application small, but also because
this domain will execute commands that are not the responsibility of
the DHCP client code itself (code-wise) but are provided by
administrators.

Security-wise, as these are scripts, it is more difficult to guarantee
correctness. As such, we want to isolate these privileges into their own
domain.

The domain will have basic privileges to support the majority of
installations, but we also include a sysnet_dhcpc_script_entry()
interface so that domain transitions can be easily added without the
need for augmenting the privileges of the dhcpc_script_t domain.

---
 policy/modules/kernel/corecommands.fc |  2 +-
 policy/modules/system/sysnetwork.fc   |  3 +++
 policy/modules/system/sysnetwork.te   | 49 +++++++++++++++++++++++++++++++++++
 3 files changed, 53 insertions(+), 1 deletion(-)

diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 406a11e..40fd54b 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -143,7 +143,7 @@ ifdef(`distro_debian',`
 /lib/upstart(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 
 ifdef(`distro_gentoo',`
-/lib/dhcpcd/dhcpcd-run-hooks	--	gen_context(system_u:object_r:bin_t,s0)
+#/lib/dhcpcd/dhcpcd-run-hooks	--	gen_context(system_u:object_r:bin_t,s0)
 
 /lib/rcscripts/addons(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /lib/rcscripts/sh(/.*)?			gen_context(system_u:object_r:bin_t,s0)
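Review bot: the dhcpcd-run-hooks entry is commented out rather than deleted. Since the path now receives its label from sysnetwork.fc, the dead `#/lib/dhcpcd/dhcpcd-run-hooks ...` line in corecommands.fc serves no purpose; remove it outright so nobody re-enables it later and ends up with two specifications for the same path with different types.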

diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
index fbb935c..b1c6404 100644
--- a/policy/modules/system/sysnetwork.fc
+++ b/policy/modules/system/sysnetwork.fc
@@ -80,3 +80,6 @@ ifdef(`distro_debian',`
 /var/run/network(/.*)?	gen_context(system_u:object_r:net_conf_t,s0)
 ')
 
+ifdef(`distro_gentoo',`
+/lib/dhcpcd/dhcpcd-run-hooks	--	gen_context(system_u:object_r:dhcpc_script_exec_t,s0)
+')

diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 3576536..7ee4bf7 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -422,4 +422,53 @@ ifdef(`distro_gentoo',`
 	optional_policy(`
 		resolvconf_client_domain(dhcpc_t)
 	')
+
+	#########################################
+	#
+	# dhcpc_script_t
+	#
+
+	# The purpose of the dhcpc_script_t domain is to handle the post-processing of 
+	# the dhcpcd ip renewal. dhcpcd (the tool) supports hooks for this, and I would
+	# assume others do as well. With the dhcpc_script_t domain we can isolate the
+	# privileges of the DHCP client itself from the hooks / flexibility that the developers
+	# introduced.
+
+	type dhcpc_script_t;
+	domain_type(dhcpc_script_t)
+	role dhcpc_roles types dhcpc_script_t;
+
+	type dhcpc_script_exec_t;
+	domain_entry_file(dhcpc_script_t, dhcpc_script_exec_t)
+
+	type dhcpc_script_var_run_t;
+	files_pid_file(dhcpc_script_var_run_t)
+
+	type dhcpc_script_tmp_t;
+	files_tmp_file(dhcpc_script_tmp_t)
+
+	########################################
+	#
+	# dhcpc script policy
+	#
+
+	allow dhcpc_script_t self:fifo_file rw_fifo_file_perms;
+
+	manage_files_pattern(dhcpc_script_t, dhcpc_script_tmp_t, dhcpc_script_tmp_t)
+	files_tmp_filetrans(dhcpc_script_t, dhcpc_script_tmp_t, { file dir })
+
+	manage_files_pattern(dhcpc_script_t, dhcpc_script_var_run_t, dhcpc_script_var_run_t)
+	filetrans_pattern(dhcpc_script_t, dhcpc_var_run_t, dhcpc_script_var_run_t, { file dir })
+
+	corecmd_exec_bin(dhcpc_script_t)
+	corecmd_exec_shell(dhcpc_script_t)
+
+	# Perhaps sysnet_domtrans_dhcpc_script could be used instead and positioned in the dhcpc_t section
+	domtrans_pattern(dhcpc_t, dhcpc_script_exec_t, dhcpc_script_t)
+
+	sysnet_manage_config(dhcpc_script_t)
+
+	optional_policy(`
+		ntp_manage_config(dhcpc_script_t)
+	')
 ')
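Review bot: `files_tmp_filetrans(dhcpc_script_t, dhcpc_script_tmp_t, { file dir })` and `filetrans_pattern(dhcpc_script_t, dhcpc_var_run_t, dhcpc_script_var_run_t, { file dir })` both transition directories, but only `manage_files_pattern` is granted on dhcpc_script_tmp_t and dhcpc_script_var_run_t, so a hook that creates a directory there would be denied `dir create`; either add `manage_dirs_pattern` for both types or drop `dir` from the class lists. The commit message also promises a sysnet_dhcpc_script_entry() interface, but no sysnetwork.if change is part of this commit.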



* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/, policy/modules/kernel/
@ 2014-11-28 11:01 Sven Vermeulen
From: Sven Vermeulen @ 2014-11-28 11:01 UTC
  To: gentoo-commits

commit:     cd096ca629a742975a21fc68736329d5a49b44a0
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Fri Nov 28 10:13:54 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Nov 28 11:00:14 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=cd096ca6

Fix bug 529204 - Support a dhcpc_script_t domain

We introduce an executable domain (dhcpc_script_t) through which the
hooks can be executed for the DHCP clients. This domain is separate in
order to keep the privileges of the application small, but also because
this domain will execute commands that are not the responsibility of
the DHCP client code itself (code-wise) but are provided by
administrators.

Security-wise, as these are scripts, it is more difficult to guarantee
correctness. As such, we want to isolate these privileges into their own
domain.

The domain will have basic privileges to support the majority of
installations, but we also include a sysnet_dhcpc_script_entry()
interface so that domain transitions can be easily added without the
need for augmenting the privileges of the dhcpc_script_t domain.

---
 policy/modules/kernel/corecommands.fc |  2 +-
 policy/modules/system/sysnetwork.fc   |  3 +++
 policy/modules/system/sysnetwork.te   | 46 +++++++++++++++++++++++++++++++++++
 3 files changed, 50 insertions(+), 1 deletion(-)

diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 406a11e..40fd54b 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -143,7 +143,7 @@ ifdef(`distro_debian',`
 /lib/upstart(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 
 ifdef(`distro_gentoo',`
-/lib/dhcpcd/dhcpcd-run-hooks	--	gen_context(system_u:object_r:bin_t,s0)
+#/lib/dhcpcd/dhcpcd-run-hooks	--	gen_context(system_u:object_r:bin_t,s0)
 
 /lib/rcscripts/addons(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /lib/rcscripts/sh(/.*)?			gen_context(system_u:object_r:bin_t,s0)

diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
index fbb935c..b1c6404 100644
--- a/policy/modules/system/sysnetwork.fc
+++ b/policy/modules/system/sysnetwork.fc
@@ -80,3 +80,6 @@ ifdef(`distro_debian',`
 /var/run/network(/.*)?	gen_context(system_u:object_r:net_conf_t,s0)
 ')
 
+ifdef(`distro_gentoo',`
+/lib/dhcpcd/dhcpcd-run-hooks	--	gen_context(system_u:object_r:dhcpc_script_exec_t,s0)
+')

diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 3576536..8adbcfa 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -422,4 +422,50 @@ ifdef(`distro_gentoo',`
 	optional_policy(`
 		resolvconf_client_domain(dhcpc_t)
 	')
+
+	#########################################
+	#
+	# dhcpc_script_t
+	#
+
+	# The purpose of the dhcpc_script_t domain is to handle the post-processing of 
+	# the dhcpcd ip renewal. dhcpcd (the tool) supports hooks for this, and I would
+	# assume others do as well. With the dhcpc_script_t domain we can isolate the
+	# privileges of the DHCP client itself from the hooks / flexibility that the developers
+	# introduced.
+
+	type dhcpc_script_t;
+	domain_type(dhcpc_script_t)
+	role dhcpc_roles types dhcpc_script_t;
+
+	type dhcpc_script_exec_t;
+	domain_entry_file(dhcpc_script_t, dhcpc_script_exec_t)
+
+	type dhcpc_script_tmp_t;
+	files_tmp_file(dhcpc_script_tmp_t)
+
+	########################################
+	#
+	# dhcpc script policy
+	#
+
+	allow dhcpc_script_t self:fifo_file rw_fifo_file_perms;
+
+	manage_files_pattern(dhcpc_script_t, dhcpc_script_tmp_t, dhcpc_script_tmp_t)
+	files_tmp_filetrans(dhcpc_script_t, dhcpc_script_tmp_t, { file dir })
+
+	manage_files_pattern(dhcpc_script_t, dhcpc_var_run_t, dhcpc_var_run_t)
+	files_pid_filetrans(dhcpc_script_t, dhcpc_var_run_t, { file dir })
+
+	corecmd_exec_bin(dhcpc_script_t)
+	corecmd_exec_shell(dhcpc_script_t)
+
+	# Perhaps sysnet_domtrans_dhcpc_script could be used instead and positioned in the dhcpc_t section
+	domtrans_pattern(dhcpc_t, dhcpc_script_exec_t, dhcpc_script_t)
+
+	sysnet_manage_config(dhcpc_script_t)
+
+	optional_policy(`
+		ntp_manage_config(dhcpc_script_t)
+	')
 ')
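Review bot: `files_pid_filetrans(dhcpc_script_t, dhcpc_var_run_t, { file dir })` still lists `dir` while only `manage_files_pattern(dhcpc_script_t, dhcpc_var_run_t, dhcpc_var_run_t)` is granted, so directory creation would be denied; the same mismatch applies to the `{ file dir }` in files_tmp_filetrans for dhcpc_script_tmp_t. Also note that files_pid_filetrans labels anything the hooks create directly in /var/run as dhcpc_var_run_t, which is wider than a transition scoped to the dhcpc_var_run_t directory itself; confirm that is intended. The sysnet_dhcpc_script_entry() interface mentioned in the commit message is still not in this diff.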



* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/, policy/modules/kernel/
@ 2015-10-14 18:36 Jason Zaman
From: Jason Zaman @ 2015-10-14 18:36 UTC
  To: gentoo-commits

commit:     fcafb3c5c807a5731ef1dca2f82dd6eae31fd76a
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Mon Oct 12 13:31:18 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Oct 13 14:21:41 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=fcafb3c5

Module version bump for patches from Jason Zaman/Matthias Dahl.

 policy/modules/kernel/filesystem.te | 2 +-
 policy/modules/system/ipsec.te      | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index aba6d88..3c2224e 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -1,4 +1,4 @@
-policy_module(filesystem, 1.19.0)
+policy_module(filesystem, 1.19.1)
 
 ########################################
 #

diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index b9cfcc3..02fad03 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -1,4 +1,4 @@
-policy_module(ipsec, 1.15.1)
+policy_module(ipsec, 1.15.2)
 
 ########################################
 #



* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/, policy/modules/kernel/
@ 2015-10-26  5:36 Jason Zaman
From: Jason Zaman @ 2015-10-26  5:36 UTC
  To: gentoo-commits

commit:     bac1f46765f49a73cdfb5a482f45f3a83487ee06
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Tue Oct 20 17:23:35 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Oct 26 03:55:45 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=bac1f467

Add sysfs_types attribute.

Collect all types used to label sysfs entries.

 policy/modules/kernel/devices.if | 20 ++++++++++++++++++++
 policy/modules/kernel/devices.te |  5 +++--
 policy/modules/system/init.te    |  1 +
 3 files changed, 24 insertions(+), 2 deletions(-)

diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index a052db5..591b932 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -4130,6 +4130,26 @@ interface(`dev_rw_sysfs',`
 
 ########################################
 ## <summary>
+##	Relabel from/to all sysfs types.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_relabel_all_sysfs',`
+	gen_require(`
+		attribute sysfs_types;
+	')
+
+	allow $1 sysfs_types:dir { list_dir_perms relabel_dir_perms };
+	allow $1 sysfs_types:file relabel_file_perms;
+	allow $1 sysfs_types:lnk_file relabel_lnk_file_perms;
+')
+
+########################################
+## <summary>
 ##	Read and write the TPM device.
 ## </summary>
 ## <param name="domain">

diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index e5bcfcd..9274a82 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -9,6 +9,7 @@ attribute device_node;
 attribute memory_raw_read;
 attribute memory_raw_write;
 attribute devices_unconfined_type;
+attribute sysfs_types;
 
 #
 # device_t is the type of /dev.
@@ -62,7 +63,7 @@ dev_node(cpu_device_t)
 #
 # /sys/devices/system/cpu/online device
 #
-type cpu_online_t;
+type cpu_online_t, sysfs_types;
 files_type(cpu_online_t)
 dev_associate_sysfs(cpu_online_t)
 
@@ -229,7 +230,7 @@ dev_node(sound_device_t)
 #
 # sysfs_t is the type for the /sys pseudofs
 #
-type sysfs_t;
+type sysfs_t, sysfs_types;
 files_mountpoint(sysfs_t)
 fs_xattr_type(sysfs_t)
 genfscon sysfs / gen_context(system_u:object_r:sysfs_t,s0)
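Review bot: only cpu_online_t and sysfs_t receive the new sysfs_types attribute in this file; a type in another module that is associated with sysfs via dev_associate_sysfs (as cpu_online_t is in the hunk above) is not collected, so dev_relabel_all_sysfs would miss it. Consider adding `typeattribute $1 sysfs_types;` inside dev_associate_sysfs so every sysfs-labelled type picks up the attribute automatically instead of relying on each declaration to list it.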

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 79400f2..8c9cffa 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -224,6 +224,7 @@ ifdef(`init_systemd',`
 	dev_create_generic_dirs(init_t)
 	dev_manage_input_dev(init_t)
 	dev_relabel_all_dev_nodes(init_t)
+	dev_relabel_all_sysfs(init_t)
 	dev_read_urand(init_t)
 	dev_write_kmsg(init_t)
 



* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/, policy/modules/kernel/
@ 2015-12-17 18:49 Jason Zaman
From: Jason Zaman @ 2015-12-17 18:49 UTC
  To: gentoo-commits

commit:     6383a0207e2bad0f98f684b20e96da9115686850
Author:     Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Thu Dec 10 20:46:13 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Dec 17 15:25:22 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6383a020

Module version bumps for 2 patches from Dominick Grift.

 policy/modules/kernel/kernel.te    | 2 +-
 policy/modules/system/authlogin.te | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 2625e2f..7fe0a70 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -1,4 +1,4 @@
-policy_module(kernel, 1.20.0)
+policy_module(kernel, 1.20.1)
 
 ########################################
 #

diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 98ebecd..587b289 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -1,4 +1,4 @@
-policy_module(authlogin, 2.8.0)
+policy_module(authlogin, 2.8.1)
 
 ########################################
 #



* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/, policy/modules/kernel/
@ 2015-12-17 18:49 Jason Zaman
From: Jason Zaman @ 2015-12-17 18:49 UTC
  To: gentoo-commits

commit:     41757a4654c651d5c9533d165d58a3487c75b4c7
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Dec 17 18:38:24 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Dec 17 18:46:19 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=41757a46

Add permissions for ZFS

zfs list uses a pipe to get info from the kernel

avc:  granted  { write } for  pid=31602 comm="dump_list_strat" path="pipe:[4471132]" dev="pipefs" ino=4471132 scontext=system_u:system_r:kernel_t:s0 tcontext=staff_u:sysadm_r:mount_t:s0-s0:c0.c511 tclass=fifo_file
avc:  granted  { read } for pid=31601 comm="zfs" path="pipe:[4471132]" dev="pipefs" ino=4471132 scontext=staff_u:sysadm_r:mount_t:s0-s0:c0.c511 tcontext=staff_u:sysadm_r:mount_t:s0-s0:c0.c511 tclass=fifo_file

zfs send / recv is usually piped somewhere by sysadm
zfs send tank@snap | ssh foo tank@snap

 policy/modules/kernel/kernel.te | 5 +++++
 policy/modules/system/mount.te  | 3 +++
 2 files changed, 8 insertions(+)

diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 4ac22e0..f964a7b 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -461,4 +461,9 @@ ifdef(`distro_gentoo',`
 	# See also bug 535992
 	#dev_manage_all_dev_nodes(kernel_t)
 	dev_setattr_generic_chr_files(kernel_t)
+
+	# ZFS send/recv writes to an fd
+	sysadm_use_fds(kernel_t)
+	# zfs list writes to a pipe
+	mount_rw_pipes(kernel_t)
 ')
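Review bot: `sysadm_use_fds(kernel_t)` and `mount_rw_pipes(kernel_t)` are called unconditionally from kernel.te, yet they are provided by the sysadm and mount modules, which a given build is not guaranteed to include; wrap each call in its own `optional_policy(` ... `)` block so the kernel module still compiles when those modules are absent.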

diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index 497fa59..920abc7 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -42,6 +42,9 @@ application_domain(unconfined_mount_t, mount_exec_t)
 
 # setuid/setgid needed to mount cifs
 allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid };
+allow mount_t self:process signal;
+# zfs list uses pipes
+allow mount_t self:fifo_file rw_fifo_file_perms;
 
 mount_read_loopback_files(mount_t)
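Review bot: `allow mount_t self:process signal;` is added without a comment and is not explained by the commit message, which only accounts for the pipe access shown in the AVC lines; add a comment naming the zfs operation that needs it (the adjacent fifo_file rule has one) or drop the rule if it was incidental.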
 



* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/, policy/modules/kernel/
@ 2015-12-17 18:52 Jason Zaman
From: Jason Zaman @ 2015-12-17 18:52 UTC
  To: gentoo-commits

commit:     05e541d9d101d8d8f38b94bfd6f80e62da38cb92
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Dec 17 18:38:24 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Dec 17 18:51:56 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=05e541d9

Add permissions for ZFS

zfs list uses a pipe to get info from the kernel

avc:  granted  { write } for  pid=31602 comm="dump_list_strat" path="pipe:[4471132]" dev="pipefs" ino=4471132 scontext=system_u:system_r:kernel_t:s0 tcontext=staff_u:sysadm_r:mount_t:s0-s0:c0.c511 tclass=fifo_file
avc:  granted  { read } for pid=31601 comm="zfs" path="pipe:[4471132]" dev="pipefs" ino=4471132 scontext=staff_u:sysadm_r:mount_t:s0-s0:c0.c511 tcontext=staff_u:sysadm_r:mount_t:s0-s0:c0.c511 tclass=fifo_file

zfs send / recv is usually piped somewhere by sysadm
zfs send tank@snap | ssh foo tank@snap

 policy/modules/kernel/kernel.te | 5 +++++
 policy/modules/system/mount.te  | 3 +++
 2 files changed, 8 insertions(+)

diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 4ac22e0..f964a7b 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -461,4 +461,9 @@ ifdef(`distro_gentoo',`
 	# See also bug 535992
 	#dev_manage_all_dev_nodes(kernel_t)
 	dev_setattr_generic_chr_files(kernel_t)
+
+	# ZFS send/recv writes to an fd
+	sysadm_use_fds(kernel_t)
+	# zfs list writes to a pipe
+	mount_rw_pipes(kernel_t)
 ')

diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index 497fa59..920abc7 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -42,6 +42,9 @@ application_domain(unconfined_mount_t, mount_exec_t)
 
 # setuid/setgid needed to mount cifs
 allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid };
+allow mount_t self:process signal;
+# zfs list uses pipes
+allow mount_t self:fifo_file rw_fifo_file_perms;
 
 mount_read_loopback_files(mount_t)
 



* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/, policy/modules/kernel/
@ 2015-12-18  3:49 Jason Zaman
From: Jason Zaman @ 2015-12-18  3:49 UTC
  To: gentoo-commits

commit:     32b74e9b8029ee9d345c560dd7e59964fd829f62
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Dec 17 18:38:24 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Dec 18 03:32:59 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=32b74e9b

Add permissions for ZFS

zfs list uses a pipe to get info from the kernel

avc:  granted  { write } for  pid=31602 comm="dump_list_strat" path="pipe:[4471132]" dev="pipefs" ino=4471132 scontext=system_u:system_r:kernel_t:s0 tcontext=staff_u:sysadm_r:mount_t:s0-s0:c0.c511 tclass=fifo_file
avc:  granted  { read } for pid=31601 comm="zfs" path="pipe:[4471132]" dev="pipefs" ino=4471132 scontext=staff_u:sysadm_r:mount_t:s0-s0:c0.c511 tcontext=staff_u:sysadm_r:mount_t:s0-s0:c0.c511 tclass=fifo_file

zfs send / recv is usually piped somewhere by sysadm
zfs send tank@snap | ssh foo tank@snap

 policy/modules/kernel/kernel.te | 9 +++++++++
 policy/modules/system/mount.te  | 3 +++
 2 files changed, 12 insertions(+)

diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 4ac22e0..f1016a3 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -461,4 +461,13 @@ ifdef(`distro_gentoo',`
 	# See also bug 535992
 	#dev_manage_all_dev_nodes(kernel_t)
 	dev_setattr_generic_chr_files(kernel_t)
+
+	# ZFS send/recv writes to an fd
+	optional_policy(`
+		sysadm_use_fds(kernel_t)
+	')
+	# zfs list writes to a pipe
+	optional_policy(`
+		mount_rw_pipes(kernel_t)
+	')
 ')

diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index 497fa59..920abc7 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -42,6 +42,9 @@ application_domain(unconfined_mount_t, mount_exec_t)
 
 # setuid/setgid needed to mount cifs
 allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid };
+allow mount_t self:process signal;
+# zfs list uses pipes
+allow mount_t self:fifo_file rw_fifo_file_perms;
 
 mount_read_loopback_files(mount_t)
 



* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/, policy/modules/kernel/
@ 2015-12-18  4:14 Jason Zaman
From: Jason Zaman @ 2015-12-18  4:14 UTC
  To: gentoo-commits

commit:     b0cfc980dcefdffcdcf2929394278e3ea983a88c
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Dec 17 18:38:24 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Fri Dec 18 04:12:51 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b0cfc980

Add permissions for ZFS list and send/recv

zfs list uses a pipe to get info from the kernel

avc:  granted  { write } for  pid=31602 comm="dump_list_strat" path="pipe:[4471132]" dev="pipefs" ino=4471132 scontext=system_u:system_r:kernel_t:s0 tcontext=staff_u:sysadm_r:mount_t:s0-s0:c0.c511 tclass=fifo_file
avc:  granted  { read } for pid=31601 comm="zfs" path="pipe:[4471132]" dev="pipefs" ino=4471132 scontext=staff_u:sysadm_r:mount_t:s0-s0:c0.c511 tcontext=staff_u:sysadm_r:mount_t:s0-s0:c0.c511 tclass=fifo_file

zfs send / recv is usually piped somewhere by sysadm
zfs send tank@snap | ssh foo tank@snap

 policy/modules/kernel/kernel.te | 9 +++++++++
 policy/modules/system/mount.te  | 3 +++
 2 files changed, 12 insertions(+)

diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 4ac22e0..f1016a3 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -461,4 +461,13 @@ ifdef(`distro_gentoo',`
 	# See also bug 535992
 	#dev_manage_all_dev_nodes(kernel_t)
 	dev_setattr_generic_chr_files(kernel_t)
+
+	# ZFS send/recv writes to an fd
+	optional_policy(`
+		sysadm_use_fds(kernel_t)
+	')
+	# zfs list writes to a pipe
+	optional_policy(`
+		mount_rw_pipes(kernel_t)
+	')
 ')

diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index 497fa59..920abc7 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -42,6 +42,9 @@ application_domain(unconfined_mount_t, mount_exec_t)
 
 # setuid/setgid needed to mount cifs
 allow mount_t self:capability { ipc_lock sys_rawio sys_admin dac_override chown sys_tty_config setuid setgid };
+allow mount_t self:process signal;
+# zfs list uses pipes
+allow mount_t self:fifo_file rw_fifo_file_perms;
 
 mount_read_loopback_files(mount_t)
 



* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/, policy/modules/kernel/
@ 2017-01-01 16:37 Jason Zaman
From: Jason Zaman @ 2017-01-01 16:37 UTC
  To: gentoo-commits

commit:     88b49ecb49e30198138612cead9beec8eab2acbc
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Tue Dec 27 15:56:39 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Jan  1 16:26:28 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=88b49ecb

Module version bump for systemd patch from Nicolas Iooss.

 policy/modules/kernel/filesystem.te | 2 +-
 policy/modules/kernel/kernel.te     | 2 +-
 policy/modules/system/systemd.te    | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index a9c97ef..0471647 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -1,4 +1,4 @@
-policy_module(filesystem, 1.21.3)
+policy_module(filesystem, 1.21.4)
 
 ########################################
 #

diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 45626b7..c6531a2 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -1,4 +1,4 @@
-policy_module(kernel, 1.21.3)
+policy_module(kernel, 1.21.4)
 
 ########################################
 #

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index cf22ba8..c93fc90 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1,4 +1,4 @@
-policy_module(systemd, 1.2.1)
+policy_module(systemd, 1.2.2)
 
 #########################################
 #



* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/, policy/modules/kernel/
@ 2017-02-25 14:59 Jason Zaman
From: Jason Zaman @ 2017-02-25 14:59 UTC
  To: gentoo-commits

commit:     5b8acde37136f75ce5a52f1b6a0604d3f35dacc7
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Fri Feb 24 01:03:23 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 25 14:22:23 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5b8acde3

Systemd fixes from Russell Coker.

 policy/modules/kernel/devices.if    |  37 +++++
 policy/modules/kernel/devices.te    |   6 +-
 policy/modules/kernel/files.if      | 127 +++++++++++++++
 policy/modules/kernel/files.te      |   6 +-
 policy/modules/system/authlogin.if  |   9 +
 policy/modules/system/authlogin.te  |   6 +-
 policy/modules/system/init.fc       |   2 +
 policy/modules/system/init.if       | 183 ++++++++++++++++++---
 policy/modules/system/init.te       | 317 +++++++++++++++++++++++++++++++++---
 policy/modules/system/logging.fc    |   5 +-
 policy/modules/system/logging.if    |  18 ++
 policy/modules/system/logging.te    |  36 +++-
 policy/modules/system/lvm.if        |  18 ++
 policy/modules/system/lvm.te        |   2 +-
 policy/modules/system/miscfiles.te  |   6 +-
 policy/modules/system/systemd.fc    |  11 +-
 policy/modules/system/systemd.if    | 122 +++++++++++++-
 policy/modules/system/systemd.te    |  49 +++++-
 policy/modules/system/udev.if       |  20 +++
 policy/modules/system/udev.te       |   2 +-
 policy/modules/system/unconfined.if |  19 +++
 policy/modules/system/unconfined.te |   2 +-
 policy/modules/system/userdomain.if |  71 ++++++++
 policy/modules/system/userdomain.te |   2 +-
 24 files changed, 1011 insertions(+), 65 deletions(-)

diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 08e2e8af..b51a25ac 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -154,6 +154,25 @@ interface(`dev_relabel_all_dev_nodes',`
 
 ########################################
 ## <summary>
+##     Allow full relabeling (to and from) of all device files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <rolecap/>
+#
+interface(`dev_relabel_all_dev_files',`
+	gen_require(`
+		type device_t;
+	')
+
+	relabel_files_pattern($1, device_t, device_t)
+')
+
+########################################
+## <summary>
 ##	List all of the device nodes in a device directory.
 ## </summary>
 ## <param name="domain">
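Review bot: the name dev_relabel_all_dev_files and its summary "Allow full relabeling (to and from) of all device files" overstate what the body grants: `relabel_files_pattern($1, device_t, device_t)` covers only files labelled device_t, not every device type, unlike dev_relabel_all_dev_nodes whose name it mirrors. Either rename it to say "generic" or widen the body, and use a tab after `##` in the XML comment lines as the rest of this file does.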
@@ -4206,6 +4225,24 @@ interface(`dev_rw_sysfs',`
 
 ########################################
 ## <summary>
+##     Relabel hardware state directories.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`dev_relabel_sysfs_dirs',`
+	gen_require(`
+		type sysfs_t;
+	')
+
+	relabel_dirs_pattern($1, sysfs_t, sysfs_t)
+')
+
+########################################
+## <summary>
 ##	Relabel from/to all sysfs types.
 ## </summary>
 ## <param name="domain">
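Review bot: dev_relabel_sysfs_dirs grants `relabel_dirs_pattern($1, sysfs_t, sysfs_t)`, i.e. only directories labelled sysfs_t, while dev_relabel_all_sysfs immediately below already covers directories of every sysfs_types member; state in the summary that this is the sysfs_t-only variant so callers choose deliberately, and indent the XML comments with tabs like the neighbouring interfaces.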

diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 66bc754e..470f0f00 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -1,4 +1,4 @@
-policy_module(devices, 1.20.2)
+policy_module(devices, 1.20.3)
 
 ########################################
 #
@@ -22,6 +22,10 @@ files_associate_tmp(device_t)
 fs_xattr_type(device_t)
 fs_use_trans devtmpfs gen_context(system_u:object_r:device_t,s0);
 
+optional_policy(`
+	systemd_tmpfilesd_managed(device_t, fifo_file)
+')
+
 #
 # Type for /dev/agpgart
 #
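Review bot: devices.te in the kernel layer now calls `systemd_tmpfilesd_managed(device_t, fifo_file)`, a system-layer interface; the optional_policy wrapper keeps the module buildable without systemd, but the interface itself is not visible in this hunk, so check that it is declared in the systemd.if changes of this commit and that the kernel-layer-depends-on-system-layer direction is acceptable here.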

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 6babfb90..0d6fe3c5 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -6531,6 +6531,25 @@ interface(`files_dontaudit_ioctl_all_pids',`
 
 ########################################
 ## <summary>
+##     manage all pidfile directories
+##     in the /var/run directory.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`files_manage_all_pid_dirs',`
+	gen_require(`
+		attribute pidfile;
+	')
+
+	manage_dirs_pattern($1, pidfile, pidfile)
+')
+
+########################################
+## <summary>
 ##	Read all process ID files.
 ## </summary>
 ## <param name="domain">
@@ -6553,6 +6572,42 @@ interface(`files_read_all_pids',`
 
 ########################################
 ## <summary>
+##     Execute generic programs in /var/run in the caller domain.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`files_exec_generic_pid_files',`
+	gen_require(`
+		type var_run_t;
+	')
+
+	exec_files_pattern($1, var_run_t, var_run_t)
+')
+
+########################################
+## <summary>
+##     Relable all pid files
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`files_relabel_all_pid_files',`
+	gen_require(`
+		attribute pidfile;
+	')
+
+	relabel_files_pattern($1, pidfile, pidfile)
+')
+
+########################################
+## <summary>
 ##	Delete all process IDs.
 ## </summary>
 ## <param name="domain">
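Review bot: files_exec_generic_pid_files grants exec_files_pattern($1, var_run_t, var_run_t), i.e. execution of anything labelled with the generic /var/run type; since var_run_t is the label of files that many domains may create there, a caller of this interface can be made to execute content that another domain dropped into /run. Please document which program under /run needs to be executed and consider a dedicated type for it rather than the generic one. Minor: the summary `##     Relable all pid files` should read `Relabel`, and both new doc blocks use spaces instead of the file's tab indentation.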
@@ -6579,6 +6634,78 @@ interface(`files_delete_all_pids',`
 
 ########################################
 ## <summary>
+##     Create all pid sockets
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`files_create_all_pid_sockets',`
+	gen_require(`
+		attribute pidfile;
+	')
+
+	allow $1 pidfile:sock_file create_sock_file_perms;
+')
+
+########################################
+## <summary>
+##     Create all pid named pipes
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`files_create_all_pid_pipes',`
+	gen_require(`
+		attribute pidfile;
+	')
+
+	allow $1 pidfile:fifo_file create_fifo_file_perms;
+')
+
+########################################
+## <summary>
+##     Create all spool sockets
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`files_create_all_spool_sockets',`
+        gen_require(`
+                attribute spoolfile;
+        ')
+
+        allow $1 spoolfile:sock_file create_sock_file_perms;
+')
+
+########################################
+## <summary>
+##     Delete all spool sockets
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`files_delete_all_spool_sockets',`
+        gen_require(`
+                attribute spoolfile;
+        ')
+
+        allow $1 spoolfile:sock_file delete_sock_file_perms;
+')
+
+########################################
+## <summary>
 ##	Delete all process ID directories.
 ## </summary>
 ## <param name="domain">
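Review bot: the four create/delete interfaces grant only the sock_file or fifo_file permission and nothing on the containing directory; creating a socket or pipe also needs { search add_name write } on the parent directory, so a caller without directory write access from elsewhere is still denied. For the pid ones init_t later gets files_manage_all_pid_dirs, but for the spool ones it only gets files_list_spool, which does not include add_name. Either fold the directory side into the interface the way create_files_pattern does, or state the requirement in the doc. Style: files_create_all_spool_sockets and files_delete_all_spool_sockets indent their bodies with eight spaces instead of tabs.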

diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index 7c861cc1..63ec6591 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -1,4 +1,4 @@
-policy_module(files, 1.23.4)
+policy_module(files, 1.23.5)
 
 ########################################
 #
@@ -174,6 +174,10 @@ type var_run_t;
 files_pid_file(var_run_t)
 files_mountpoint(var_run_t)
 
+optional_policy(`
+	systemd_tmpfilesd_managed(var_run_t, lnk_file)
+')
+
 #
 # var_spool_t is the type of /var/spool
 #

diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index 55ce2bd2..5bac5fb3 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -162,9 +162,18 @@ interface(`auth_login_pgm_domain',`
 	seutil_read_config($1)
 	seutil_read_default_contexts($1)
 
+	userdom_search_user_runtime($1)
+	userdom_read_user_tmpfs_files($1)
+
 	tunable_policy(`allow_polyinstantiation',`
 		files_polyinstantiate_all($1)
 	')
+
+	optional_policy(`
+		systemd_read_logind_state($1)
+		systemd_write_inherited_logind_sessions_pipes($1)
+		systemd_use_passwd_agent_fds($1)
+	')
 ')
 
 ########################################
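Review bot: userdom_read_user_tmpfs_files($1) in auth_login_pgm_domain gives every login program read access to all users' tmpfs files, which is much wider than the userdom_search_user_runtime above it; if this is for a specific file under /run/user, a narrower interface would be better, and in any case the addition needs a comment. The optional_policy block calls three systemd interfaces (systemd_read_logind_state, systemd_write_inherited_logind_sessions_pipes, systemd_use_passwd_agent_fds) that are not defined in this patch; please confirm they exist and that the block builds without the systemd module.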

diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index b4273689..43c83620 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -1,4 +1,4 @@
-policy_module(authlogin, 2.10.1)
+policy_module(authlogin, 2.10.2)
 
 ########################################
 #
@@ -85,6 +85,10 @@ files_type(var_auth_t)
 type wtmp_t;
 logging_log_file(wtmp_t)
 
+optional_policy(`
+	systemd_tmpfilesd_managed(faillog_t, file)
+')	systemd_tmpfilesd_managed(var_auth_t, dir)
+
 ########################################
 #
 # Check password local policy
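Review bot: the line `+')	systemd_tmpfilesd_managed(var_auth_t, dir)` is broken: the optional_policy block is closed by `')` and the second call follows it on the same line, so it ends up outside the optional block. When the systemd module is absent the policy then fails to compile with an undefined interface, and the tab-joined line is clearly an editing accident. Put `systemd_tmpfilesd_managed(var_auth_t, dir)` on its own line directly after `systemd_tmpfilesd_managed(faillog_t, file)` and before the closing `')`.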

diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
index fe085d15..b08e7a2a 100644
--- a/policy/modules/system/init.fc
+++ b/policy/modules/system/init.fc
@@ -57,7 +57,9 @@ ifdef(`distro_gentoo', `
 /run/runlevel\.dir		gen_context(system_u:object_r:initrc_var_run_t,s0)
 /run/random-seed	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
 /run/setmixer_flag	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
+/run/sm-notify\.pid	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
 /run/systemd(/.*)?		gen_context(system_u:object_r:init_var_run_t,s0)
+/run/wd_keepalive\.pid	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
 
 ifdef(`distro_debian',`
 /run/hotkey-setup	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
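Review bot: /run/sm-notify\.pid and /run/wd_keepalive\.pid are pid files of daemons (sm-notify from nfs-utils, wd_keepalive from the watchdog package), not of the init scripts, yet they are labelled initrc_var_run_t here; that lets every initrc_t process and every domain with access to initrc_var_run_t read or replace them. If the daemons run confined, their own pid types (the rpc module's for sm-notify) should be used; if they run in initrc_t on Gentoo, a comment saying so will stop the next reader from moving the lines.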

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 4a36e12a..162ce266 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -209,7 +209,7 @@ interface(`init_ranged_domain',`
 #
 interface(`init_daemon_domain',`
 	gen_require(`
-		type initrc_t;
+		type init_t, initrc_t;
 		role system_r;
 		attribute daemon;
 	')
@@ -240,6 +240,8 @@ interface(`init_daemon_domain',`
 		init_domain($1, $2)
 		# this may be because of late labelling
 		kernel_dgram_send($1)
+
+		allow $1 init_t:unix_dgram_socket sendto;
 	')
 
 	optional_policy(`
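Review bot: `allow $1 init_t:unix_dgram_socket sendto;` is now added for every domain created through init_daemon_domain, but this patch also adds `allow daemon init_t:unix_dgram_socket sendto;` in init.te's init_systemd block, and every init_daemon_domain type carries the daemon attribute, so one of the two is redundant. Keep the attribute rule and drop the per-domain one, and give it a comment (presumably sd_notify), since the existing `# this may be because of late labelling` refers to the kernel_dgram_send line, not to this one.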
@@ -400,8 +402,10 @@ interface(`init_system_domain',`
 	gen_require(`
 		type initrc_t;
 		role system_r;
+		attribute systemprocess;
 	')
 
+	typeattribute $1 systemprocess;
 	application_domain($1, $2)
 
 	role system_r types $1;
@@ -477,6 +481,24 @@ interface(`init_ranged_system_domain',`
 	')
 ')
 
+######################################
+## <summary>
+##	Allow domain dyntransition to init_t domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`init_dyntrans',`
+	gen_require(`
+		type init_t;
+	')
+
+	dyntrans_pattern($1, init_t)
+')
+
 ########################################
 ## <summary>
 ##	Mark the file type as a daemon pid file, allowing initrc_t
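Review bot: init_dyntrans grants dyntrans_pattern($1, init_t), i.e. the caller may setcon() itself into init_t, a domain that holds almost every capability (`allow init_t self:capability ~sys_module;` in init.te) and in this patch also gets dyntransition into every systemprocess domain; nothing in the patch calls the interface and the summary does not say who needs it. Please document the intended caller, or leave the interface out until there is one, because a stray use of it is an unconfined escape hatch.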
@@ -708,6 +730,7 @@ interface(`init_stream_connect',`
 
 	stream_connect_pattern($1, init_var_run_t, init_var_run_t, init_t)
 	files_search_pids($1)
+	allow $1 init_t:unix_stream_socket getattr;
 ')
 
 ########################################
@@ -1225,23 +1248,24 @@ interface(`init_write_initctl',`
 #
 interface(`init_telinit',`
 	gen_require(`
-		type initctl_t;
+		type initctl_t, init_t;
 	')
 
-	dev_list_all_dev_nodes($1)
+	ps_process_pattern($1, init_t)
+	allow $1 init_t:process signal;
+	# upstart uses a datagram socket instead of initctl pipe
+	allow $1 self:unix_dgram_socket create_socket_perms;
+	allow $1 init_t:unix_dgram_socket sendto;
+	#576913
+	allow $1 init_t:unix_stream_socket connectto;
+
 	allow $1 initctl_t:fifo_file rw_fifo_file_perms;
 
-	init_exec($1)
+	corecmd_exec_bin($1)
 
-	tunable_policy(`init_upstart',`
-		gen_require(`
-			type init_t;
-		')
+	dev_list_all_dev_nodes($1)
 
-		# upstart uses a datagram socket instead of initctl pipe
-		allow $1 self:unix_dgram_socket create_socket_perms;
-		allow $1 init_t:unix_dgram_socket sendto;
-	')
+	init_exec($1)
 ')
 
 ########################################
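Review bot: the rewrite of init_telinit removes the tunable_policy(`init_upstart',...) guard, so the upstart datagram socket rules, plus the new `allow $1 init_t:process signal;` and `allow $1 init_t:unix_stream_socket connectto;`, are now granted unconditionally to every telinit caller, yet gen_tunable(init_upstart, false) is still declared in init.te (visible as context in the hunk adding init_daemons_use_tty). Either remove the tunable as well or keep the guard. The bare `#576913` comment should name the tracker so the reference can be followed, and corecmd_exec_bin($1) is a new, uncommented grant.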
@@ -1370,6 +1394,37 @@ interface(`init_domtrans_script',`
 
 ########################################
 ## <summary>
+##	Execute labelled init scripts with an automatic domain transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`init_domtrans_labeled_script',`
+	gen_require(`
+		type initrc_t;
+		attribute init_script_file_type;
+		attribute initrc_transition_domain;
+	')
+
+	typeattribute $1 initrc_transition_domain;
+
+	files_list_etc($1)
+	domtrans_pattern($1, init_script_file_type, initrc_t)
+
+	ifdef(`enable_mcs',`
+		range_transition $1 init_script_file_type:process s0;
+	')
+
+	ifdef(`enable_mls',`
+		range_transition $1 init_script_file_type:process s0 - mls_systemhigh;
+	')
+')
+
+########################################
+## <summary>
 ##	Execute a init script in a specified domain.
 ## </summary>
 ## <desc>
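Review bot: the summary of init_domtrans_labeled_script, `Execute labelled init scripts with an automatic domain transition.`, does not say how it differs from init_domtrans_script just above it; from the body the difference is the typeattribute $1 initrc_transition_domain plus the MCS/MLS range_transition on init_script_file_type, so please spell that out, and what initrc_transition_domain is for, in a <desc> block.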
@@ -1440,8 +1495,10 @@ interface(`init_manage_script_service',`
 interface(`init_labeled_script_domtrans',`
 	gen_require(`
 		type initrc_t;
+		attribute initrc_transition_domain;
 	')
 
+	typeattribute $1 initrc_transition_domain;
 	domtrans_pattern($1, $2, initrc_t)
 	files_search_etc($1)
 ')
@@ -1574,6 +1631,7 @@ interface(`init_run_daemon',`
 interface(`init_startstop_all_script_services',`
 	gen_require(`
 		attribute init_script_file_type;
+		class service { start status stop };
 	')
 
 	allow $1 init_script_file_type:service { start status stop };
@@ -1789,12 +1847,7 @@ interface(`init_read_script_state',`
 	')
 
 	kernel_search_proc($1)
-	read_files_pattern($1, initrc_t, initrc_t)
-	read_lnk_files_pattern($1, initrc_t, initrc_t)
-	list_dirs_pattern($1, initrc_t, initrc_t)
-
-	# should move this to separate interface
-	allow $1 initrc_t:process getattr;
+	ps_process_pattern($1, initrc_t)
 ')
 
 ########################################
@@ -2378,7 +2431,7 @@ interface(`init_dontaudit_rw_utmp',`
 		type initrc_var_run_t;
 	')
 
-	dontaudit $1 initrc_var_run_t:file { getattr read write append lock };
+	dontaudit $1 initrc_var_run_t:file rw_file_perms;
 ')
 
 ########################################
@@ -2419,6 +2472,98 @@ interface(`init_pid_filetrans_utmp',`
 	files_pid_filetrans($1, initrc_var_run_t, file, "utmp")
 ')
 
+#######################################
+## <summary>
+##	Create a directory in the /run/systemd directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_create_pid_dirs',`
+	gen_require(`
+		type init_var_run_t;
+	')
+
+	allow $1 init_var_run_t:dir list_dir_perms;
+	create_dirs_pattern($1, init_var_run_t, init_var_run_t)
+')
+
+########################################
+## <summary>
+##      Rename init_var_run_t files
+## </summary>
+## <param name="domain">
+##      <summary>
+##      domain
+##      </summary>
+## </param>
+#
+interface(`init_rename_pid_files',`
+	gen_require(`
+		type init_var_run_t;
+	')
+
+	rename_files_pattern($1, init_var_run_t, init_var_run_t)
+')
+
+########################################
+## <summary>
+##      Rename and de init_var_run_t files
+## </summary>
+## <param name="domain">
+##      <summary>
+##      domain
+##      </summary>
+## </param>
+#
+interface(`init_delete_pid_files',`
+	gen_require(`
+		type init_var_run_t;
+	')
+
+	delete_files_pattern($1, init_var_run_t, init_var_run_t)
+')
+
+#######################################
+## <summary>
+##  Allow the specified domain to write to
+##  init sock file.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed access.
+##  </summary>
+## </param>
+#
+interface(`init_write_pid_socket',`
+    gen_require(`
+        type init_var_run_t;
+    ')
+
+    allow $1 init_var_run_t:sock_file write;
+')
+
+########################################
+## <summary>
+##	Read init unnamed pipes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_read_pid_pipes',`
+	gen_require(`
+		type init_var_run_t;
+	')
+
+	read_fifo_files_pattern($1, init_var_run_t, init_var_run_t)
+')
+
 ########################################
 ## <summary>
 ##	Allow the specified domain to connect to daemon with a tcp socket
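Review bot: two of the new summaries are wrong: init_delete_pid_files says `Rename and de init_var_run_t files` (truncated, and the body only deletes), and init_read_pid_pipes says `Read init unnamed pipes` while read_fifo_files_pattern applies to fifo_file, i.e. named pipes under /run/systemd. init_create_pid_dirs describes itself as creating a directory but also grants list_dir_perms. The parameter docs should read `Domain allowed access.` like the rest of the file, and indentation is mixed (six-space docs, a four-space body in init_write_pid_socket, 39 `#` in two headers). Also init_write_pid_socket grants only sock_file write and no search on init_var_run_t:dir, so callers still need directory access from elsewhere; say so in the doc.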

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index a43bf19b..54ca2ceb 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 2.2.5)
+policy_module(init, 2.2.6)
 
 gen_require(`
 	class passwd rootok;
@@ -16,13 +16,22 @@ gen_require(`
 ## </desc>
 gen_tunable(init_upstart, false)
 
+## <desc>
+## <p>
+## Allow all daemons the ability to read/write terminals
+## </p>
+## </desc>
+gen_tunable(init_daemons_use_tty, false)
+
 attribute init_script_domain_type;
 attribute init_script_file_type;
 attribute init_run_all_scripts_domain;
 attribute systemdunit;
+attribute initrc_transition_domain;
 
 # Mark process types as daemons
 attribute daemon;
+attribute systemprocess;
 
 # Mark file type as a daemon pid file
 attribute daemonpidfile;
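Review bot: initrc_transition_domain is declared here and assigned to init_t and to the callers of the two labelled-script interfaces, but no rule in this patch uses the attribute as a source or target, so it currently has no effect; if it is groundwork for a later change, say so in a comment. Likewise systemprocess is declared without a comment explaining how it differs from daemon (from init.if it marks init_system_domain types as opposed to init_daemon_domain ones).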
@@ -33,7 +42,7 @@ attribute daemonrundir;
 #
 # init_t is the domain of the init process.
 #
-type init_t;
+type init_t, initrc_transition_domain;
 type init_exec_t;
 domain_type(init_t)
 domain_entry_file(init_t, init_exec_t)
@@ -110,6 +119,7 @@ ifdef(`enable_mls',`
 
 # Use capabilities. old rule:
 allow init_t self:capability ~sys_module;
+allow init_t self:capability2 { wake_alarm block_suspend };
 # is ~sys_module really needed? observed:
 # sys_boot
 # sys_tty_config
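Review bot: `allow init_t self:capability2 { wake_alarm block_suspend };` overlaps with the existing `allow init_t self:capability2 { audit_read block_suspend };` in the init_systemd block below and with the `allow init_t self:capability2 audit_read;` added further down in the second init_systemd block; block_suspend and audit_read are each now granted twice. Consolidate into one rule, and say what needs wake_alarm outside systemd, since this unconditional line also applies to sysvinit builds.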
@@ -128,6 +138,9 @@ allow init_t initrc_t:unix_stream_socket connectto;
 allow init_t init_var_run_t:file manage_file_perms;
 files_pid_filetrans(init_t, init_var_run_t, file)
 
+# for systemd to manage service file symlinks
+allow init_t init_var_run_t:file manage_lnk_file_perms;
+
 allow init_t initctl_t:fifo_file manage_fifo_file_perms;
 dev_filetrans(init_t, initctl_t, fifo_file)
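Review bot: `allow init_t init_var_run_t:file manage_lnk_file_perms;` uses the file class with the symlink permission set; the comment says this is for service file symlinks, so the class should be lnk_file. As written it compiles (all of those permissions exist on file) but grants nothing for symlinks. It is also redundant: the init_systemd block below already has manage_lnk_files_pattern(init_t, init_var_run_t, init_var_run_t), which is the correct rule, so this line can be dropped.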
 
@@ -147,6 +160,7 @@ dev_rw_generic_chr_files(init_t)
 
 domain_getpgid_all_domains(init_t)
 domain_kill_all_domains(init_t)
+domain_getattr_all_domains(init_t)
 domain_signal_all_domains(init_t)
 domain_signull_all_domains(init_t)
 domain_sigstop_all_domains(init_t)
@@ -199,6 +213,10 @@ ifdef(`init_systemd',`
 	# handle instances where an old labeled init script is encountered.
 	typeattribute init_t init_run_all_scripts_domain;
 
+	allow init_t systemprocess:process { dyntransition siginh };
+	allow init_t systemprocess:unix_stream_socket create_stream_socket_perms;
+	allow init_t systemprocess:unix_dgram_socket create_socket_perms;
+
 	allow init_t self:process { getcap getsched setsched setpgid setfscreate setsockcreate setcap setrlimit };
 	allow init_t self:capability2 { audit_read block_suspend };
 	allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
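Review bot: `allow init_t systemprocess:process { dyntransition siginh };` lets init_t setcon() into any system process domain at run time; together with init_dyntrans (domain to init_t) the separation between all systemprocess domains collapses through init_t. systemd enters service domains through exec transitions (it uses setexeccon, and this patch adds selinux_compute_create_context(init_t) for that), so please comment on which code path actually needs dyntransition, or drop it. The stream/dgram socket rules on systemprocess are presumably for socket activation via setsockcreate; a comment would help there too.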
@@ -206,6 +224,18 @@ ifdef(`init_systemd',`
 	allow init_t self:netlink_selinux_socket create_socket_perms;
 	allow init_t self:unix_dgram_socket lock;
 
+	allow init_t daemon:unix_stream_socket create_stream_socket_perms;
+	allow init_t daemon:unix_dgram_socket create_socket_perms;
+	allow init_t daemon:tcp_socket create_stream_socket_perms;
+	allow init_t daemon:udp_socket create_socket_perms;
+	allow daemon init_t:unix_dgram_socket sendto;
+
+	allow init_run_all_scripts_domain systemdunit:service { status start stop };
+
+	allow systemprocess init_t:unix_dgram_socket sendto;
+	allow systemprocess init_t:unix_stream_socket { append write read getattr ioctl };
+
+	allow daemon init_t:unix_stream_socket { append write read getattr ioctl };
 	manage_files_pattern(init_t, init_var_run_t, init_var_run_t)
 	manage_lnk_files_pattern(init_t, init_var_run_t, init_var_run_t)
 	manage_sock_files_pattern(init_t, init_var_run_t, init_var_run_t)
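Review bot: `allow systemprocess init_t:unix_stream_socket { append write read getattr ioctl };` allows getattr, yet the end of the file adds `dontaudit systemprocess init_t:unix_stream_socket getattr;`; the dontaudit is dead once getattr is allowed, so drop one of them. `allow daemon init_t:unix_dgram_socket sendto;` duplicates the per-domain rule added to init_daemon_domain in init.if. The `{ append write read getattr ioctl }` set appears twice (systemprocess and daemon) and could be one rule on both attributes, and a blank line is missing before manage_files_pattern(init_t, init_var_run_t, init_var_run_t).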
@@ -269,6 +299,9 @@ ifdef(`init_systemd',`
 	# for network namespaces
 	fs_read_nsfs_files(init_t)
 
+	# need write to /var/run/systemd/notify
+	init_write_pid_socket(daemon)
+
 	# systemd_socket_activated policy
 	mls_socket_write_all_levels(init_t)
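Review bot: the comment says `# need write to /var/run/systemd/notify`, but init_write_pid_socket(daemon) grants write on every sock_file labelled init_var_run_t, not only the notify socket, and it grants no search on the init_var_run_t directory, so a daemon that does not already reach /run/systemd through another interface is still denied. If the notify socket is the only target, a dedicated type for it, or at least a comment acknowledging the wider grant, is warranted.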
 
@@ -355,6 +388,11 @@ optional_policy(`
 ')
 
 optional_policy(`
+	udev_read_db(init_t)
+	udev_relabelto_db(init_t)
+')
+
+optional_policy(`
 	unconfined_domain(init_t)
 ')
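Review bot: udev_relabelto_db(init_t) lets init relabel files to the udev database type; udev_read_db is self-explanatory, but relabelto needs a comment saying which systemd action creates content under /run that must end up with that label, otherwise it reads as an accident and the next cleanup will remove it.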
 
@@ -403,11 +441,14 @@ manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
 allow initrc_t initrc_var_run_t:file manage_file_perms;
 files_pid_filetrans(initrc_t, initrc_var_run_t, file)
 
+allow initrc_t daemon:process siginh;
+
 can_exec(initrc_t, initrc_tmp_t)
 manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
 manage_dirs_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
 manage_lnk_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t)
 files_tmp_filetrans(initrc_t, initrc_tmp_t, { file dir })
+allow initrc_t initrc_tmp_t:dir relabelfrom;
 
 manage_dirs_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
 manage_files_pattern(initrc_t, initrc_var_log_t, initrc_var_log_t)
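Review bot: `allow initrc_t daemon:process siginh;` lets every daemon started from an init script inherit pending signals and signal state across the domain transition; the kernel clears them by default precisely so that the parent cannot hand a signal into a confined child, and no comment explains which daemon needs this. `allow initrc_t initrc_tmp_t:dir relabelfrom;` is only half of a relabel; without a matching relabelto target type it can never succeed, so either add the target or drop the rule.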
@@ -450,6 +491,7 @@ corenet_sendrecv_all_client_packets(initrc_t)
 
 dev_read_rand(initrc_t)
 dev_read_urand(initrc_t)
+dev_dontaudit_read_kmsg(initrc_t)
 dev_write_kmsg(initrc_t)
 dev_write_rand(initrc_t)
 dev_write_urand(initrc_t)
@@ -460,8 +502,10 @@ dev_write_framebuffer(initrc_t)
 dev_read_realtime_clock(initrc_t)
 dev_read_sound_mixer(initrc_t)
 dev_write_sound_mixer(initrc_t)
+dev_setattr_generic_dirs(initrc_t)
 dev_setattr_all_chr_files(initrc_t)
 dev_rw_lvm_control(initrc_t)
+dev_rw_generic_chr_files(initrc_t)
 dev_delete_lvm_control_dev(initrc_t)
 dev_manage_generic_symlinks(initrc_t)
 dev_manage_generic_files(initrc_t)
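Review bot: dev_rw_generic_chr_files(initrc_t) is added here while the next hunk removes the same call together with its `# Early devtmpfs` comment a few lines below; the net change is a move that loses the explanation, so keep the comment with the moved line or leave the line where it was. dev_setattr_generic_dirs(initrc_t) is new and uncommented.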
@@ -469,17 +513,16 @@ dev_manage_generic_files(initrc_t)
 dev_delete_generic_symlinks(initrc_t)
 dev_getattr_all_blk_files(initrc_t)
 dev_getattr_all_chr_files(initrc_t)
-# Early devtmpfs
-dev_rw_generic_chr_files(initrc_t)
+dev_rw_xserver_misc(initrc_t)
 
 domain_kill_all_domains(initrc_t)
 domain_signal_all_domains(initrc_t)
 domain_signull_all_domains(initrc_t)
 domain_sigstop_all_domains(initrc_t)
+domain_sigstop_all_domains(initrc_t)
 domain_sigchld_all_domains(initrc_t)
 domain_read_all_domains_state(initrc_t)
 domain_getattr_all_domains(initrc_t)
-domain_dontaudit_ptrace_all_domains(initrc_t)
 domain_getsession_all_domains(initrc_t)
 domain_use_interactive_fds(initrc_t)
 # for lsof which is used by alsa shutdown:
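Review bot: the added `domain_sigstop_all_domains(initrc_t)` is a verbatim duplicate of the line directly above it and should be dropped. Removing domain_dontaudit_ptrace_all_domains(initrc_t) will surface ptrace denials that were deliberately silenced (the `# initrc_t needs to do a pidof which requires ptrace` comment further down still applies), so either restore it or state that the denials are now wanted. dev_rw_xserver_misc(initrc_t) replaces the removed lines with an unrelated rule and deserves its own comment.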
@@ -487,6 +530,7 @@ domain_dontaudit_getattr_all_udp_sockets(initrc_t)
 domain_dontaudit_getattr_all_tcp_sockets(initrc_t)
 domain_dontaudit_getattr_all_dgram_sockets(initrc_t)
 domain_dontaudit_getattr_all_pipes(initrc_t)
+domain_obj_id_change_exemption(initrc_t)
 
 files_getattr_all_dirs(initrc_t)
 files_getattr_all_files(initrc_t)
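Review bot: domain_obj_id_change_exemption(initrc_t) exempts initrc_t from the constraint that prevents changing the SELinux user and role of objects, something normally reserved for a few relabelling tools; an exemption this broad for every init script needs a comment naming the script that hits the constraint, and that script should preferably get its own domain instead.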
@@ -494,8 +538,10 @@ files_getattr_all_symlinks(initrc_t)
 files_getattr_all_pipes(initrc_t)
 files_getattr_all_sockets(initrc_t)
 files_purge_tmp(initrc_t)
-files_delete_all_locks(initrc_t)
+files_manage_all_locks(initrc_t)
+files_manage_boot_files(initrc_t)
 files_read_all_pids(initrc_t)
+files_delete_root_files(initrc_t)
 files_delete_all_pids(initrc_t)
 files_delete_all_pid_dirs(initrc_t)
 files_read_etc_files(initrc_t)
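Review bot: files_manage_boot_files(initrc_t) lets any init script create, modify or delete kernel and bootloader files in /boot, and files_delete_root_files(initrc_t) lets it delete files directly under /; both, like the widening of files_delete_all_locks to files_manage_all_locks in the same hunk, arrive without a comment. Please name the scripts that need /boot write and / delete, and prefer giving those scripts their own domain over widening initrc_t.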
@@ -509,8 +555,12 @@ files_manage_generic_spool(initrc_t)
 # cjp: not sure why these are here; should use mount policy
 files_list_default(initrc_t)
 files_mounton_default(initrc_t)
+files_manage_mnt_dirs(initrc_t)
+files_manage_mnt_files(initrc_t)
 
-fs_write_cgroup_files(initrc_t)
+fs_delete_cgroup_dirs(initrc_t)
+fs_list_cgroup_dirs(initrc_t)
+fs_rw_cgroup_files(initrc_t)
 fs_list_inotifyfs(initrc_t)
 fs_register_binary_executable_type(initrc_t)
 # rhgb-console writes to ramfs
@@ -520,9 +570,13 @@ fs_mount_all_fs(initrc_t)
 fs_unmount_all_fs(initrc_t)
 fs_remount_all_fs(initrc_t)
 fs_getattr_all_fs(initrc_t)
+fs_search_all(initrc_t)
+fs_getattr_nfsd_files(initrc_t)
 
 # initrc_t needs to do a pidof which requires ptrace
 mcs_ptrace_all(initrc_t)
+mcs_file_read_all(initrc_t)
+mcs_file_write_all(initrc_t)
 mcs_killall(initrc_t)
 mcs_process_set_categories(initrc_t)
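Review bot: mcs_file_read_all(initrc_t) and mcs_file_write_all(initrc_t) exempt init scripts from MCS category checks on all files; the existing mcs_ptrace_all above carries a justifying comment, these do not. They are also repeated inside the unconfined optional_policy later in the file, where they become dead once granted unconditionally here.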
 
@@ -532,6 +586,7 @@ mls_process_read_all_levels(initrc_t)
 mls_process_write_all_levels(initrc_t)
 mls_rangetrans_source(initrc_t)
 mls_fd_share_all_levels(initrc_t)
+mls_socket_write_to_clearance(initrc_t)
 
 selinux_get_enforce_mode(initrc_t)
 
@@ -550,6 +605,11 @@ auth_delete_pam_pid(initrc_t)
 auth_delete_pam_console_data(initrc_t)
 auth_use_nsswitch(initrc_t)
 
+init_get_system_status(initrc_t)
+init_stream_connect(initrc_t)
+init_start_all_units(initrc_t)
+init_stop_all_units(initrc_t)
+
 libs_rw_ld_so_cache(initrc_t)
 libs_exec_lib_files(initrc_t)
 libs_exec_ld_so(initrc_t)
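Review bot: init_stream_connect(initrc_t) and init_stop_all_units(initrc_t) are granted unconditionally here and again inside the ifdef(`init_systemd') block further down; keep one copy. init_get_system_status, init_start_all_units and init_stop_all_units only mean something when systemd is init, so placing them outside that ifdef is surprising; if it is deliberate, a comment would help.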
@@ -563,7 +623,7 @@ logging_read_audit_config(initrc_t)
 
 miscfiles_read_localization(initrc_t)
 # slapd needs to read cert files from its initscript
-miscfiles_read_generic_certs(initrc_t)
+miscfiles_manage_generic_cert_files(initrc_t)
 
 seutil_read_config(initrc_t)
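Review bot: the comment `# slapd needs to read cert files from its initscript` no longer matches the rule beneath it, which is now miscfiles_manage_generic_cert_files(initrc_t); write access to the system certificate store from every init script is a much larger grant than reading, so either update the comment to say which script writes certificates or keep the read interface.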
 
@@ -571,7 +631,7 @@ userdom_read_user_home_content_files(initrc_t)
 # Allow access to the sysadm TTYs. Note that this will give access to the
 # TTYs to any process in the initrc_t domain. Therefore, daemons and such
 # started from init should be placed in their own domain.
-userdom_use_user_terminals(initrc_t)
+userdom_use_inherited_user_terminals(initrc_t)
 
 ifdef(`distro_debian',`
 	kernel_getattr_core_if(initrc_t)
@@ -643,6 +703,10 @@ ifdef(`distro_gentoo',`
 	sysnet_setattr_config(initrc_t)
 
 	optional_policy(`
+		abrt_manage_pid_files(initrc_t)
+	')
+
+	optional_policy(`
 		alsa_read_lib(initrc_t)
 	')
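Review bot: the abrt_manage_pid_files(initrc_t) optional_policy is added under ifdef(`distro_gentoo') here and again under ifdef(`distro_redhat') below; if both distributions need it, make it a single unconditional optional_policy, otherwise drop the copy that does not apply (abrt is a Red Hat tool, so the Gentoo copy looks accidental).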
 
@@ -663,7 +727,7 @@ ifdef(`distro_redhat',`
 
 	# Red Hat systems seem to have a stray
 	# fd open from the initrd
-	kernel_dontaudit_use_fds(initrc_t)
+	kernel_use_fds(initrc_t)
 	files_dontaudit_read_root_files(initrc_t)
 
 	# These seem to be from the initrd
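Review bot: kernel_dontaudit_use_fds(initrc_t) becomes kernel_use_fds(initrc_t), but the comment above still describes the fd as a stray one from the initrd that merely needs silencing; if the fd is really used now, update the comment, and if it is not, keep the dontaudit, since allowing use of kernel fds is the wider rule.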
@@ -707,8 +771,25 @@ ifdef(`distro_redhat',`
 	')
 
 	optional_policy(`
+		abrt_manage_pid_files(initrc_t)
+	')
+
+	optional_policy(`
 		bind_manage_config_dirs(initrc_t)
 		bind_write_config(initrc_t)
+		bind_setattr_zone_dirs(initrc_t)
+	')
+
+	optional_policy(`
+		devicekit_append_inherited_log_files(initrc_t)
+	')
+
+	optional_policy(`
+		gnome_manage_gconf_config(initrc_t)
+	')
+
+	optional_policy(`
+		pulseaudio_stream_connect(initrc_t)
 	')
 
 	optional_policy(`
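Review bot: gnome_manage_gconf_config(initrc_t) under distro_redhat lets init scripts write GConf configuration, which is desktop state rather than anything an init script should own; bind_setattr_zone_dirs, devicekit_append_inherited_log_files and pulseaudio_stream_connect are similar one-off workarounds. Each needs a comment naming the script, and the gconf one in particular belongs in that script's own domain.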
@@ -716,6 +797,9 @@ ifdef(`distro_redhat',`
 		rpc_write_exports(initrc_t)
 		rpc_manage_nfs_state_data(initrc_t)
 	')
+	optional_policy(`
+		rpcbind_stream_connect(initrc_t)
+	')
 
 	optional_policy(`
 		sysnet_rw_dhcp_config(initrc_t)
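Review bot: a blank line is missing between the closing `')` of the rpc optional_policy and the new rpcbind_stream_connect(initrc_t) block, unlike every other optional_policy in the file.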
@@ -734,7 +818,32 @@ ifdef(`distro_suse',`
 	')
 ')
 
+ifdef(`enabled_mls',`
+	optional_policy(`
+		# allow init scripts to su
+		su_restricted_domain_template(initrc, initrc_t, system_r)
+		# Allow initrc_su_t, now defined, to transition to postgresql_t
+		postgresql_domtrans(initrc_su_t)
+		# Allow initrc_su_t to use the initrc_devpts_t (needed for init script failure output)
+		allow initrc_su_t initrc_devpts_t:chr_file { read write };
+	')
+')
+
 ifdef(`init_systemd',`
+	allow init_t self:system { status reboot halt reload };
+
+	allow init_t self:unix_dgram_socket { create_socket_perms sendto };
+	allow init_t self:process { setsockcreate setfscreate setrlimit };
+	allow init_t self:process { getcap setcap };
+	allow init_t self:unix_stream_socket { create_stream_socket_perms connectto };
+	allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
+	# Until systemd is fixed
+	allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write };
+	allow init_t self:udp_socket create_socket_perms;
+	allow init_t self:netlink_route_socket create_netlink_socket_perms;
+	allow init_t initrc_t:unix_dgram_socket create_socket_perms;
+	allow initrc_t init_t:system { status reboot halt reload };
+	allow init_t self:capability2 audit_read;
 	manage_files_pattern(initrc_t, initrc_lock_t, initrc_lock_t)
 	files_lock_filetrans(initrc_t, initrc_lock_t, file)
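Review bot: `ifdef(`enabled_mls',` is misspelled: the symbol used everywhere else in this patch is enable_mls (see the range_transition in init.if and `ifdef(`enable_mls',` in this file), so the block is never compiled. Since the same su_restricted_domain_template block is removed from its unconditional optional_policy further down, the effect is that initrc_su_t disappears from every build, MLS or not. Inside ifdef(`init_systemd'), `allow init_t self:process { setsockcreate setfscreate setrlimit };`, the getcap/setcap rule, the netlink_kobject_uevent_socket rule and `allow init_t self:capability2 audit_read;` duplicate rules already present in the first init_systemd block of this file. And `allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write };` with the comment `# Until systemd is fixed` gives every daemon setopt/write on any socket init holds; that needs a bug reference and ideally a tunable rather than a permanent grant.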
 
@@ -746,11 +855,25 @@ ifdef(`init_systemd',`
 	files_pid_filetrans(initrc_t, initrc_var_run_t, dir_file_class_set)
 
 	create_dirs_pattern(initrc_t, systemd_unit_t, systemd_unit_t)
+	allow initrc_t systemd_unit_t:service reload;
 
 	manage_files_pattern(initrc_t, systemdunit, systemdunit)
 	manage_lnk_files_pattern(initrc_t, systemdunit, systemdunit)
+	allow initrc_t systemdunit:service reload;
+	allow initrc_t init_script_file_type:service { stop start status reload };
 
 	kernel_dgram_send(initrc_t)
+	kernel_list_unlabeled(init_t)
+	kernel_read_network_state(init_t)
+	kernel_rw_kernel_sysctl(init_t)
+	kernel_rw_net_sysctls(init_t)
+	kernel_read_all_sysctls(init_t)
+	kernel_read_software_raid_state(init_t)
+	kernel_unmount_debugfs(init_t)
+	kernel_setsched(init_t)
+
+	auth_relabel_login_records(init_t)
+	auth_relabel_pam_console_data_dirs(init_t)
 
 	# run systemd misc initializations
 	# in the initrc_t domain, as would be
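Review bot: `allow initrc_t init_script_file_type:service { stop start status reload };` re-implements init_startstop_all_script_services (which this very patch gives a `class service { start status stop }` gen_require) with reload added; extend that interface, or add a reload interface, instead of a raw rule in the .te. The two `:service reload` rules on systemd_unit_t and systemdunit could be one rule, and the run of kernel_*(init_t) calls (kernel_rw_kernel_sysctl and kernel_read_all_sysctls overlap) plus the two auth_relabel_* calls are uncommented.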
@@ -760,28 +883,83 @@ ifdef(`init_systemd',`
 	corecmd_bin_domtrans(init_t, initrc_t)
 	corecmd_shell_domtrans(init_t, initrc_t)
 
-	files_read_boot_files(initrc_t)
+	dev_write_kmsg(init_t)
+	dev_write_urand(init_t)
+	dev_rw_lvm_control(init_t)
+	dev_rw_autofs(init_t)
+	dev_manage_generic_symlinks(init_t)
+	dev_manage_generic_dirs(init_t)
+	dev_manage_generic_files(init_t)
+	dev_manage_null_service(initrc_t)
+	dev_read_generic_chr_files(init_t)
+	dev_relabel_generic_dev_dirs(init_t)
+	dev_relabel_all_dev_nodes(init_t)
+	dev_relabel_all_dev_files(init_t)
+	dev_manage_sysfs_dirs(init_t)
+	dev_relabel_sysfs_dirs(init_t)
+	# systemd writes to /dev/watchdog on shutdown
+	dev_write_watchdog(init_t)
+
 	# Allow initrc_t to check /etc/fstab "service." It appears that
 	# systemd is conflating files and services.
+	files_create_all_pid_pipes(init_t)
+	files_create_all_pid_sockets(init_t)
+	files_create_all_spool_sockets(init_t)
+	files_create_lock_dirs(init_t)
+	files_delete_all_pids(init_t)
+	files_delete_all_spool_sockets(init_t)
+	files_exec_generic_pid_files(init_t)
 	files_get_etc_unit_status(initrc_t)
+	files_list_locks(init_t)
+	files_list_spool(init_t)
+	files_list_var(init_t)
+	files_manage_all_pid_dirs(init_t)
+	files_manage_generic_tmp_dirs(init_t)
+	files_manage_urandom_seed(init_t)
+	files_mounton_all_mountpoints(init_t)
+	files_read_boot_files(initrc_t)
+	files_relabel_all_lock_dirs(init_t)
+	files_relabel_all_pid_dirs(init_t)
+	files_relabel_all_pid_files(init_t)
+	files_search_all(init_t)
 	files_setattr_pid_dirs(initrc_t)
+	files_unmount_all_file_type_fs(init_t)
 
-	selinux_set_enforce_mode(initrc_t)
+	fs_getattr_all_fs(init_t)
+	fs_list_auto_mountpoints(init_t)
+	fs_manage_cgroup_dirs(init_t)
+	fs_manage_cgroup_files(init_t)
+	fs_manage_hugetlbfs_dirs(init_t)
+	fs_manage_tmpfs_dirs(init_t)
+	fs_mount_all_fs(init_t)
+	fs_remount_all_fs(init_t)
+	fs_unmount_all_fs(init_t)
+	fs_search_cgroup_dirs(daemon)
 
-	init_stream_connect(initrc_t)
+	init_get_all_units_status(initrc_t)
 	init_manage_var_lib_files(initrc_t)
+	init_read_script_state(init_t)
 	init_rw_stream_sockets(initrc_t)
-	init_get_all_units_status(initrc_t)
 	init_stop_all_units(initrc_t)
+	init_stream_connect(initrc_t)
 
 	# Create /etc/audit.rules.prev after firstboot remediation
 	logging_manage_audit_config(initrc_t)
 
+	selinux_compute_create_context(init_t)
+	selinux_set_enforce_mode(initrc_t)
+	selinux_unmount_fs(init_t)
+	selinux_validate_context(init_t)
 	# lvm2-activation-generator checks file labels
 	seutil_read_file_contexts(initrc_t)
+	seutil_read_file_contexts(init_t)
 
+	storage_getattr_removable_dev(init_t)
+	systemd_manage_all_units(init_t)
 	systemd_start_power_units(initrc_t)
 
+	term_relabel_pty_dirs(init_t)
+
 	optional_policy(`
 		# create /var/lock/lvm/
 		lvm_create_lock_dirs(initrc_t)
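Review bot: files_exec_generic_pid_files(init_t) allows PID 1, staying in its own domain, to execute any file labelled var_run_t; any domain that can write a generic file under /run can therefore get code run as init_t without a domain transition, the most valuable target on the system. Please state which file under /run systemd executes and give it a dedicated type. Smaller points: the comment `# Allow initrc_t to check /etc/fstab "service."` is now separated by a dozen init_t rules from the files_get_etc_unit_status(initrc_t) it describes; dev_manage_null_service(initrc_t) and fs_search_cgroup_dirs(daemon) are interleaved with init_t rules; files_delete_all_pids(init_t), files_relabel_all_pid_files(init_t), files_relabel_all_pid_dirs(init_t) and files_unmount_all_file_type_fs(init_t) are broad and uncommented; and init_stream_connect(initrc_t) is a second copy of the unconditional call added above.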
@@ -800,6 +978,8 @@ optional_policy(`
 optional_policy(`
 	apache_read_config(initrc_t)
 	apache_list_modules(initrc_t)
+	# webmin seems to cause this.
+	apache_search_sys_content(daemon)
 ')
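Review bot: apache_search_sys_content(daemon) is granted to every daemon on the system because of webmin, and the comment `# webmin seems to cause this.` admits the cause is not understood; the fix belongs in webmin's own domain or in the apache module, not on the daemon attribute. Please track the denial down or confine the rule to the offending domain.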
 
 optional_policy(`
@@ -821,6 +1001,7 @@ optional_policy(`
 
 optional_policy(`
 	cgroup_stream_connect_cgred(initrc_t)
+	domain_setpriority_all_domains(initrc_t)
 ')
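Review bot: domain_setpriority_all_domains(initrc_t) is placed inside the cgroup optional_policy next to cgroup_stream_connect_cgred, but it is a kernel-layer call that does not depend on the cgroup module; if cgrulesengd's init script renices processes, say so in a comment, otherwise move it out of the optional block. setpriority on all domains is also a grant worth a sentence of justification.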
 
 optional_policy(`
@@ -837,6 +1018,12 @@ optional_policy(`
 ')
 
 optional_policy(`
+	cron_read_pipes(initrc_t)
+	# managing /etc/cron.d/mailman content
+	cron_manage_system_spool(initrc_t)
+')
+
+optional_policy(`
 	dev_getattr_printer_dev(initrc_t)
 
 	cups_read_log(initrc_t)
@@ -853,9 +1040,13 @@ optional_policy(`
 	dbus_connect_system_bus(initrc_t)
 	dbus_system_bus_client(initrc_t)
 	dbus_read_config(initrc_t)
+	dbus_manage_lib_files(initrc_t)
+
+	init_dbus_chat(initrc_t)
 
 	optional_policy(`
 		consolekit_dbus_chat(initrc_t)
+		consolekit_manage_log(initrc_t)
 	')
 
 	optional_policy(`
@@ -897,6 +1088,11 @@ optional_policy(`
 ')
 
 optional_policy(`
+	modutils_read_module_config(initrc_t)
+	modutils_domtrans_insmod(initrc_t)
+')
+
+optional_policy(`
 	inn_exec_config(initrc_t)
 ')
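Review bot: the new modutils optional_policy is inserted ahead of the inn block, breaking the alphabetical ordering the rest of the optional_policy list follows; move it to its alphabetical position. modutils_domtrans_insmod(initrc_t) is a sensible transition, but modutils_read_module_config(initrc_t) is uncommented.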
 
@@ -937,6 +1133,7 @@ optional_policy(`
 	lpd_list_spool(initrc_t)
 
 	lpd_read_config(initrc_t)
+	lpd_manage_spool(init_t)
 ')
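Review bot: lpd_manage_spool(init_t) is the only init_t rule inside an optional_policy of initrc_t lpd rules, and no reason is given for PID 1 to manage the printer spool; if this is systemd-tmpfiles cleaning /var/spool, the correct subject is the tmpfiles domain rather than init_t, and either way it needs a comment.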
 
 optional_policy(`
@@ -960,6 +1157,7 @@ optional_policy(`
 
 optional_policy(`
 	mta_read_config(initrc_t)
+	mta_write_config(initrc_t)
 	mta_dontaudit_read_spool_symlinks(initrc_t)
 ')
 
@@ -982,6 +1180,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	plymouthd_stream_connect(initrc_t)
+')
+
+optional_policy(`
 	postgresql_manage_db(initrc_t)
 	postgresql_read_config(initrc_t)
 ')
@@ -1024,8 +1226,6 @@ optional_policy(`
 	# bash tries ioctl for some reason
 	files_dontaudit_ioctl_all_pids(initrc_t)
 
-	# why is this needed:
-	rpm_manage_db(initrc_t)
 ')
 
 optional_policy(`
@@ -1044,15 +1244,6 @@ optional_policy(`
 ')
 
 optional_policy(`
-	# allow init scripts to su
-	su_restricted_domain_template(initrc, initrc_t, system_r)
-	# Allow initrc_su_t, now defined, to transition to postgresql_t
-	postgresql_domtrans(initrc_su_t)
-	# Allow initrc_su_t to use the initrc_devpts_t (needed for init script failure output)
-	allow initrc_su_t initrc_devpts_t:chr_file { read write };
-')
-
-optional_policy(`
 	ssh_dontaudit_read_server_keys(initrc_t)
 	ssh_setattr_key_files(initrc_t)
 ')
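Review bot: this hunk deletes the unconditional su_restricted_domain_template(initrc, initrc_t, system_r) block; its replacement above is wrapped in ifdef(`enabled_mls') (note the spelling), so unless that is corrected to enable_mls the initrc_su_t domain is gone from all builds. If dropping su support for init scripts is intended, the commit message should say so; if it is meant to be MLS-only, the ifdef name needs fixing.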
@@ -1066,7 +1257,6 @@ optional_policy(`
 ')
 
 optional_policy(`
-	udev_rw_db(initrc_t)
 	udev_manage_pid_files(initrc_t)
 	udev_manage_pid_dirs(initrc_t)
 	udev_manage_rules_files(initrc_t)
@@ -1082,6 +1272,12 @@ optional_policy(`
 ')
 
 optional_policy(`
+	domain_role_change_exemption(initrc_t)
+
+	mcs_file_read_all(initrc_t)
+	mcs_file_write_all(initrc_t)
+	mcs_killall(initrc_t)
+
 	unconfined_domain(initrc_t)
 
 	ifdef(`distro_redhat',`
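Review bot: the three mcs_* calls added inside the unconfined optional_policy are already granted unconditionally to initrc_t earlier in this patch, so they are dead here; remove them. domain_role_change_exemption(initrc_t) exempts initrc_t from the role-change constraints and sits in the block without a comment; given the block already applies unconfined_domain(initrc_t), say why the exemption is needed in addition.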
@@ -1092,6 +1288,15 @@ optional_policy(`
 	optional_policy(`
 		mono_domtrans(initrc_t)
 	')
+
+	optional_policy(`
+		rtkit_scheduled(initrc_t)
+	')
+')
+
+optional_policy(`
+	rpm_read_db(initrc_t)
+	rpm_delete_db(initrc_t)
 ')
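Review bot: rpm_read_db(initrc_t) plus rpm_delete_db(initrc_t) replace the rpm_manage_db(initrc_t) removed above (whose `# why is this needed:` comment was never answered); deleting the rpm database from an init script is destructive enough to need a named script, and if only reading is genuinely needed the delete should go. rtkit_scheduled(initrc_t) is nested inside the unconfined optional_policy, so it only takes effect when the unconfined module is present; if rtkit should schedule init scripts regardless, give it its own top-level optional_policy.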
 
 optional_policy(`
@@ -1178,3 +1383,63 @@ ifdef(`distro_gentoo',`
 		udev_pid_filetrans_rules(initrc_t, dir, "rules.d")
 	')
 ')
+
+########################################
+#
+# Rules applied to all daemons
+#
+
+domain_dontaudit_use_interactive_fds(daemon)
+
+# daemons started from init will
+# inherit fds from init for the console
+term_dontaudit_use_console(daemon)
+
+init_dontaudit_use_fds(daemon)
+# init script ptys are the stdin/out/err
+# when using run_init
+init_use_script_ptys(daemon)
+
+tunable_policy(`init_daemons_use_tty',`
+	term_use_unallocated_ttys(daemon)
+	term_use_generic_ptys(daemon)
+	term_use_all_ttys(daemon)
+	term_use_all_ptys(daemon)
+',`
+	term_dontaudit_use_unallocated_ttys(daemon)
+	term_dontaudit_use_generic_ptys(daemon)
+	term_dontaudit_use_all_ttys(daemon)
+	term_dontaudit_use_all_ptys(daemon)
+ ')
+
+tunable_policy(`use_nfs_home_dirs',`
+	fs_dontaudit_rw_nfs_files(daemon)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+	fs_dontaudit_rw_cifs_files(daemon)
+')
+
+optional_policy(`
+	unconfined_dontaudit_rw_pipes(daemon)
+	unconfined_dontaudit_rw_stream_sockets(daemon)
+')
+
+optional_policy(`
+	userdom_dontaudit_rw_all_users_stream_sockets(daemon)
+	userdom_dontaudit_read_user_tmp_files(daemon)
+	userdom_dontaudit_write_user_tmp_files(daemon)
+')
+
+########################################
+#
+# Rules applied to all system processes
+#
+
+dontaudit systemprocess init_t:unix_stream_socket getattr;
+
+optional_policy(`
+	userdom_dontaudit_search_user_home_dirs(systemprocess)
+	userdom_dontaudit_rw_all_users_stream_sockets(systemprocess)
+	userdom_dontaudit_write_user_tmp_files(systemprocess)
+')
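Review bot: the closing `' ')` of the init_daemons_use_tty tunable_policy has a stray leading space. The tunable's true branch grants term_use_all_ttys(daemon) and term_use_all_ptys(daemon) to every daemon, which includes user ptys; that matches the `read/write terminals` description, but a note that enabling it lets any daemon read user sessions would help administrators. `dontaudit systemprocess init_t:unix_stream_socket getattr;` contradicts the `allow systemprocess init_t:unix_stream_socket { append write read getattr ioctl };` added earlier in this file; drop the dontaudit. Finally, the two new sections carry no comment tying them to the init_daemon_domain/init_system_domain interfaces that assign the daemon and systemprocess attributes.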

diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
index 6258954a..b7098cd5 100644
--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
@@ -8,8 +8,9 @@
 
 /usr/lib/systemd/system/auditd.* -- gen_context(system_u:object_r:auditd_unit_t,s0)
 /usr/lib/systemd/system/[^/]*systemd-journal.* -- gen_context(system_u:object_r:syslogd_unit_t,s0)
-/usr/lib/systemd/systemd-journald -- gen_context(system_u:object_r:syslogd_exec_t,s0)
 /usr/lib/systemd/system/rsyslog.*\.service -- gen_context(system_u:object_r:syslogd_unit_t,s0)
+/usr/lib/systemd/systemd-journald -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+/usr/lib/systemd/systemd-kmsg-syslogd	--	gen_context(system_u:object_r:syslogd_exec_t,s0)
 
 /usr/sbin/audispd	--	gen_context(system_u:object_r:audisp_exec_t,s0)
 /usr/sbin/audisp-remote	--	gen_context(system_u:object_r:audisp_remote_exec_t,s0)
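Review bot: the two added systemd entries use different separators: the systemd-journald line is written with spaces around `--` while the systemd-kmsg-syslogd line uses tabs like the audispd entries below; use tabs for both. The journald line is only moved, not changed, so if the intent is alphabetical ordering a word in the commit message would make the otherwise noisy move understandable.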
@@ -54,6 +55,8 @@ ifdef(`distro_redhat',`
 /var/named/chroot/dev/log -s	gen_context(system_u:object_r:devlog_t,s0)
 ')
 
+/var/run/systemd/journal/stdout -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
+
 /run/audit_events	-s	gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh)
 /run/audispd_events	-s	gen_context(system_u:object_r:audisp_var_run_t,mls_systemhigh)
 /run/auditd\.pid	--	gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh)
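Review bot: `/var/run/systemd/journal/stdout` should be written as `/run/systemd/journal/stdout` to match the `/run/audit_events` and `/run/auditd\.pid` entries directly below it, which is the path form this file uses; the new line also uses spaces where its neighbours use tabs before the `-s` and the context.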

diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index ba463497..102c4319 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -841,6 +841,24 @@ interface(`logging_append_all_logs',`
 
 ########################################
 ## <summary>
+##      Append to all log files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`logging_append_all_inherited_logs',`
+	gen_require(`
+		attribute logfile;
+	')
+
+	allow $1 logfile:file { getattr append ioctl lock };
+')
+
+########################################
+## <summary>
 ##	Read all log files.
 ## </summary>
 ## <param name="domain">
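Review bot: the `<summary>` of logging_append_all_inherited_logs reads "Append to all log files.", identical to logging_append_all_logs just above it; it should say the access is for inherited (already open) descriptors, which is why `open` is deliberately absent from `{ getattr append ioctl lock }`. The doc block is indented with spaces where the surrounding interfaces use a tab (compare "##	Read all log files." below).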

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 10d2fc9f..9a6c714a 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -1,4 +1,4 @@
-policy_module(logging, 1.25.2)
+policy_module(logging, 1.25.3)
 
 ########################################
 #
@@ -396,6 +396,7 @@ allow syslogd_t syslog_conf_t:file read_file_perms;
 # Create and bind to /dev/log or /var/run/log.
 allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
 files_pid_filetrans(syslogd_t, devlog_t, sock_file)
+init_pid_filetrans(syslogd_t, devlog_t, sock_file, "dev-log")
 
 # create/append log files.
 manage_files_pattern(syslogd_t, var_log_t, var_log_t)
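Review bot: the comment "# Create and bind to /dev/log or /var/run/log." no longer covers the rule set: the added `init_pid_filetrans(syslogd_t, devlog_t, sock_file, "dev-log")` also labels a `dev-log` socket created under init's runtime directory, so extend the comment to mention it.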
@@ -405,6 +406,9 @@ files_search_spool(syslogd_t)
 # Allow access for syslog-ng
 allow syslogd_t var_log_t:dir { create setattr };
 
+# for systemd but can not be conditional
+files_pid_filetrans(syslogd_t, syslogd_tmp_t, dir, "log")
+
 # manage temporary files
 manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
 manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
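Review bot: the comment "# for systemd but can not be conditional" on the new `files_pid_filetrans(syslogd_t, syslogd_tmp_t, dir, "log")` does not say what it cannot be conditional on; the `ifdef(`init_systemd',` block later in this file is a build-time conditional that already holds the other journald rules, so either explain why the "log" transition cannot live there or move it into that block.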
@@ -416,6 +420,7 @@ files_search_var_lib(syslogd_t)
 # manage pid file
 manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
 files_pid_filetrans(syslogd_t, syslogd_var_run_t, file)
+allow syslogd_t syslogd_var_run_t:dir create_dir_perms;
 
 kernel_read_system_state(syslogd_t)
 kernel_read_network_state(syslogd_t)
@@ -499,22 +504,41 @@ logging_send_syslog_msg(syslogd_t)
 
 miscfiles_read_localization(syslogd_t)
 
+seutil_read_config(syslogd_t)
+
 userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
 userdom_dontaudit_search_user_home_dirs(syslogd_t)
 
 ifdef(`init_systemd',`
-	# systemd-journald permissions
-
-	allow syslogd_t self:capability { chown setgid setuid };
+	# for systemd-journal
+	allow syslogd_t self:netlink_audit_socket connected_socket_perms;
+	allow syslogd_t self:capability2 audit_read;
+	allow syslogd_t self:capability { chown setgid setuid sys_ptrace };
 	allow syslogd_t self:netlink_audit_socket { getattr getopt read setopt write };
+	allow syslogd_t init_var_run_t:file { read write create open };
+	allow syslogd_t var_run_t:dir create;
 
-	kernel_use_fds(syslogd_t)
 	kernel_getattr_dgram_sockets(syslogd_t)
-	kernel_rw_unix_dgram_sockets(syslogd_t)
+	kernel_read_ring_buffer(syslogd_t)
 	kernel_rw_stream_sockets(syslogd_t)
+	kernel_rw_unix_dgram_sockets(syslogd_t)
+	kernel_use_fds(syslogd_t)
+
+	dev_read_kmsg(syslogd_t)
+	dev_read_urand(syslogd_t)
+	dev_write_kmsg(syslogd_t)
 
+	domain_read_all_domains_state(syslogd_t)
+
+	init_create_pid_dirs(syslogd_t)
 	init_daemon_pid_file(syslogd_var_run_t, dir, "syslogd")
+	init_rename_pid_files(syslogd_t)
+	init_delete_pid_files(syslogd_t)
 	init_dgram_send(syslogd_t)
+	init_read_pid_pipes(syslogd_t)
+	init_read_state(syslogd_t)
+
+	systemd_manage_journal_files(syslogd_t)
 
 	udev_read_pid_files(syslogd_t)
 ')
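Review bot: `allow syslogd_t init_var_run_t:file { read write create open };` and `allow syslogd_t var_run_t:dir create;` reference types owned by the init and files modules directly; the rest of this block goes through interfaces for the same kind of access (init_create_pid_dirs, init_read_pid_pipes, init_rename_pid_files), so these two should as well. The two netlink_audit_socket rules overlap: `connected_socket_perms` already contains `{ getattr getopt read setopt write }`, so the second line is redundant once the first is added. Finally, `sys_ptrace` together with `domain_read_all_domains_state(syslogd_t)` is a large grant for a log daemon and deserves a comment stating what journald reads it for.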

diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if
index 5774034f..88fa9442 100644
--- a/policy/modules/system/lvm.if
+++ b/policy/modules/system/lvm.if
@@ -125,6 +125,24 @@ interface(`lvm_create_lock_dirs',`
 	files_add_entry_lock_dirs($1)
 ')
 
+########################################
+## <summary>
+##      Read and write a lvm unnamed pipe.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`lvm_rw_inherited_pid_pipes',`
+	gen_require(`
+		type lvm_var_run_t;
+	')
+
+	allow $1 lvm_var_run_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
 ######################################
 ## <summary>
 ##	Execute a domain transition to run clvmd.
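Review bot: the summary "Read and write a lvm unnamed pipe." does not describe the rule, which grants `rw_inherited_fifo_file_perms` on `lvm_var_run_t:fifo_file`, i.e. an inherited named pipe under lvm's runtime directory; reword to "Read and write inherited lvm runtime named pipes." ("a lvm" should also be "an lvm"), and use a tab rather than spaces in the doc block to match the neighbouring interfaces.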

diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index 58e03ff2..f8fed91d 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -1,4 +1,4 @@
-policy_module(lvm, 1.19.2)
+policy_module(lvm, 1.19.3)
 
 ########################################
 #

diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te
index 85a29e3d..ec4d8dc0 100644
--- a/policy/modules/system/miscfiles.te
+++ b/policy/modules/system/miscfiles.te
@@ -1,4 +1,4 @@
-policy_module(miscfiles, 1.12.0)
+policy_module(miscfiles, 1.12.1)
 
 ########################################
 #
@@ -41,6 +41,10 @@ files_type(locale_t)
 type man_t alias catman_t;
 files_type(man_t)
 
+optional_policy(`
+	systemd_tmpfilesd_managed(man_t, dir)
+')
+
 type man_cache_t;
 files_type(man_cache_t)
 

diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index 6eb0a5a3..2264336d 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -7,6 +7,7 @@
 /usr/bin/systemd-stdio-bridge		--	gen_context(system_u:object_r:systemd_stdio_bridge_exec_t,s0)
 /usr/bin/systemd-tmpfiles		--	gen_context(system_u:object_r:systemd_tmpfiles_exec_t,s0)
 /usr/bin/systemd-tty-ask-password-agent	--	gen_context(system_u:object_r:systemd_passwd_agent_exec_t,s0)
+/usr/bin/systemd-notify			--	gen_context(system_u:object_r:systemd_notify_exec_t,s0)
 
 /usr/lib/systemd/systemd-activate	--	gen_context(system_u:object_r:systemd_activate_exec_t,s0)
 /usr/lib/systemd/systemd-backlight	--	gen_context(system_u:object_r:systemd_backlight_exec_t,s0)
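Review bot: the new `/usr/bin/systemd-notify` entry is inserted after `systemd-tty-ask-password-agent`, breaking the alphabetical order the block keeps; place it before `systemd-stdio-bridge`.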
@@ -32,15 +33,21 @@
 /usr/lib/systemd/system/systemd-binfmt.*	--	gen_context(system_u:object_r:systemd_binfmt_unit_t,s0)
 
 /var/lib/systemd/backlight(/.*)?	gen_context(system_u:object_r:systemd_backlight_var_lib_t,s0)
+/var/lib/systemd/coredump(/.*)?	gen_context(system_u:object_r:systemd_coredump_var_lib_t,s0)
 /var/lib/systemd/linger(/.*)?	gen_context(system_u:object_r:systemd_logind_var_lib_t,s0)
 
 /run/\.nologin[^/]*	--	gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
 /run/nologin	--	gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
 
 /run/systemd/resolve(/.*)?  gen_context(system_u:object_r:systemd_resolved_var_run_t,s0)
-/run/systemd/seats(/.*)?	gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
-/run/systemd/sessions(/.*)?	gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
+/run/systemd/seats(/.*)?	gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
+/run/systemd/sessions(/.*)?	gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
 /run/systemd/transient(/.*)?	gen_context(system_u:object_r:systemd_unit_t,s0)
 /run/systemd/users(/.*)?	gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
 /run/systemd/inhibit(/.*)?	gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
+/run/systemd/nspawn(/.*)?	gen_context(system_u:object_r:systemd_nspawn_var_run_t,s0)
+/run/systemd/machines(/.*)?	gen_context(system_u:object_r:systemd_machined_var_run_t,s0)
 /run/tmpfiles\.d/kmod.conf	gen_context(system_u:object_r:systemd_kmod_conf_t,s0)
+
+/var/log/journal(/.*)?		gen_context(system_u:object_r:systemd_journal_t,s0)
+/var/run/log/journal(/.*)?	gen_context(system_u:object_r:systemd_journal_t,s0)
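Review bot: relabelling `/run/systemd/seats` and `/run/systemd/sessions` from systemd_logind_var_run_t to systemd_sessions_var_run_t silently changes what systemd_read_logind_pids grants, since that interface only covers systemd_logind_var_run_t; callers that read the seats and sessions directories will lose access unless a matching read interface for systemd_sessions_var_run_t is added. Also `/var/run/log/journal` should be written `/run/log/journal` like every other runtime path in this file, and the nspawn entry is placed before machines, breaking alphabetical order.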

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index b07d2c5b..69ee084f 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -35,7 +35,8 @@ interface(`systemd_read_logind_pids',`
 	')
 
 	files_search_pids($1)
-	read_files_pattern($1, systemd_logind_var_run_t, systemd_logind_var_run_t)
+	allow $1 systemd_logind_var_run_t:dir list_dir_perms;
+	allow $1 systemd_logind_var_run_t:file read_file_perms;
 ')
 
 ######################################
@@ -76,6 +77,26 @@ interface(`systemd_use_logind_fds',`
 	allow $1 systemd_logind_t:fd use;
 ')
 
+######################################
+## <summary>
+##      Write inherited logind sessions pipes.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`systemd_write_inherited_logind_sessions_pipes',`
+	gen_require(`
+		type systemd_logind_t, systemd_sessions_var_run_t;
+	')
+
+	allow $1 systemd_logind_t:fd use;
+	allow $1 systemd_sessions_var_run_t:fifo_file write;
+	allow systemd_logind_t $1:process signal;
+')
+
 ########################################
 ## <summary>
 ##   Send and receive messages from
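Review bot: systemd_write_inherited_logind_sessions_pipes also grants `allow systemd_logind_t $1:process signal;`, a rule in the opposite direction that the summary "Write inherited logind sessions pipes." does not mention; either document in the summary that the caller also allows logind to signal it, or split that rule into its own interface so callers opt in explicitly.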
@@ -116,6 +137,29 @@ interface(`systemd_write_kmod_files',`
 	write_files_pattern($1, var_run_t, systemd_kmod_conf_t)
 ')
 
+#######################################
+## <summary>
+##  Allow systemd_tmpfiles_t to manage filesystem objects
+## </summary>
+## <param name="type">
+## <summary>
+##  type of object to manage
+## </summary>
+## </param>
+## <param name="class">
+## <summary>
+##  object class to manage
+## </summary>
+## </param>
+#
+interface(`systemd_tmpfilesd_managed',`
+	gen_require(`
+		type systemd_tmpfiles_t;
+	')
+
+	allow systemd_tmpfiles_t $1:$2 { setattr relabelfrom relabelto create };
+')
+
 ########################################
 ## <summary>
 ##   Allow process to relabel to systemd_kmod_conf_t.
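Review bot: the summary of systemd_tmpfilesd_managed says "manage filesystem objects" but the rule only grants `{ setattr relabelfrom relabelto create }`, not a manage permission set; describe the actual access so callers do not expect write or unlink. The interface name says "tmpfilesd" while the domain is systemd_tmpfiles_t, and the doc block is indented with two spaces instead of the tab the other interfaces in this file use.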
@@ -137,6 +181,82 @@ interface(`systemd_relabelto_kmod_files',`
 
 ########################################
 ## <summary>
+##      allow systemd_passwd_agent to inherit fds
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain that owns the fds
+##      </summary>
+## </param>
+#
+interface(`systemd_use_passwd_agent_fds',`
+	gen_require(`
+		type systemd_passwd_agent_t;
+	')
+
+	allow systemd_passwd_agent_t $1:fd use;
+')
+
+########################################
+## <summary>
+##      Transition to systemd_passwd_var_run_t when creating dirs
+## </summary>
+## <param name="domain">
+##      <summary>
+##	Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`systemd_filetrans_passwd_runtime_dirs',`
+	gen_require(`
+		type systemd_passwd_var_run_t;
+	')
+
+	init_pid_filetrans($1, systemd_passwd_var_run_t, dir, "ask-password-block")
+	init_pid_filetrans($1, systemd_passwd_var_run_t, dir, "ask-password")
+')
+
+########################################
+## <summary>
+##      manage systemd unit dirs and the files in them
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`systemd_manage_all_units',`
+	gen_require(`
+		attribute systemdunit;
+	')
+
+	manage_dirs_pattern($1, systemdunit, systemdunit)
+	manage_files_pattern($1, systemdunit, systemdunit)
+	manage_lnk_files_pattern($1, systemdunit, systemdunit)
+')
+
+########################################
+## <summary>
+##      Allow domain to create/manage systemd_journal_t files
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`systemd_manage_journal_files',`
+	gen_require(`
+		type systemd_logind_t;
+	')
+
+	manage_dirs_pattern($1, systemd_journal_t, systemd_journal_t)
+	manage_files_pattern($1, systemd_journal_t, systemd_journal_t)
+')
+
+########################################
+## <summary>
 ##     Allow systemd_logind_t to read process state for cgroup file
 ## </summary>
 ## <param name="domain">
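Review bot: systemd_manage_journal_files has the wrong type in its gen_require: it lists `type systemd_logind_t;` but the body uses `systemd_journal_t` in both manage_*_pattern calls and never uses systemd_logind_t; change the require to `type systemd_journal_t;`. In the same hunk, the doc blocks mix a tab (in systemd_filetrans_passwd_runtime_dirs) with spaces elsewhere; pick the tab to match the rest of the file.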

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 904c777a..19e6947a 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1,4 +1,4 @@
-policy_module(systemd, 1.3.5)
+policy_module(systemd, 1.3.6)
 
 #########################################
 #
@@ -12,6 +12,14 @@ policy_module(systemd, 1.3.5)
 ## </desc>
 gen_tunable(systemd_tmpfiles_manage_all, false)
 
+## <desc>
+## <p>
+## Allow systemd-nspawn to create a labelled namespace with the same types
+## as parent environment
+## </p>
+## </desc>
+gen_tunable(systemd_nspawn_labeled_namespace, false)
+
 attribute systemd_log_parse_env_type;
 
 type systemd_activate_t;
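Review bot: the new tunable `systemd_nspawn_labeled_namespace` is declared but nothing in this patch consumes it; the nspawn local policy added further down has no `tunable_policy` block. Either add the conditional rules it is meant to guard or hold the tunable back until they exist, otherwise it is a boolean that does nothing. The description also spells "labelled" differently from the identifier.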
@@ -57,6 +65,9 @@ type systemd_coredump_t;
 type systemd_coredump_exec_t;
 init_system_domain(systemd_coredump_t, systemd_coredump_exec_t)
 
+type systemd_coredump_var_lib_t;
+files_type(systemd_coredump_var_lib_t)
+
 type systemd_detect_virt_t;
 type systemd_detect_virt_exec_t;
 init_daemon_domain(systemd_detect_virt_t, systemd_detect_virt_exec_t)
@@ -65,6 +76,10 @@ type systemd_hostnamed_t;
 type systemd_hostnamed_exec_t;
 init_daemon_domain(systemd_hostnamed_t, systemd_hostnamed_exec_t)
 
+type systemd_journal_t;
+files_type(systemd_journal_t)
+logging_log_file(systemd_journal_t)
+
 type systemd_locale_t;
 type systemd_locale_exec_t;
 init_system_domain(systemd_locale_t, systemd_locale_exec_t)
@@ -85,10 +100,21 @@ type systemd_machined_t;
 type systemd_machined_exec_t;
 init_daemon_domain(systemd_machined_t, systemd_machined_exec_t)
 
+type systemd_machined_var_run_t;
+files_pid_file(systemd_machined_var_run_t)
+init_daemon_pid_file(systemd_machined_var_run_t, dir, "machines")
+
+type systemd_notify_t;
+type systemd_notify_exec_t;
+init_daemon_domain(systemd_notify_t, systemd_notify_exec_t)
+
 type systemd_nspawn_t;
 type systemd_nspawn_exec_t;
 init_system_domain(systemd_nspawn_t, systemd_nspawn_exec_t)
 
+type systemd_nspawn_var_run_t;
+files_pid_file(systemd_nspawn_var_run_t)
+
 type systemd_resolved_t;
 type systemd_resolved_exec_t;
 init_system_domain(systemd_resolved_t, systemd_resolved_exec_t)
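Review bot: systemd_notify_t is declared with init_daemon_domain, while the comparable short-lived helpers in this file (systemd_nspawn_t right below, systemd_passwd_agent_t, systemd_locale_t) use init_system_domain; systemd-notify is executed by a service to send a notification rather than started by init as a long-running daemon, so explain the choice or use init_system_domain. systemd_nspawn_var_run_t is declared here but no rule in the patch lets systemd_nspawn_t create or manage objects of that type.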
@@ -108,6 +134,9 @@ type systemd_passwd_agent_t;
 type systemd_passwd_agent_exec_t;
 init_system_domain(systemd_passwd_agent_t, systemd_passwd_agent_exec_t)
 
+type systemd_passwd_var_run_t;
+files_pid_file(systemd_passwd_var_run_t)
+
 type systemd_sessions_t;
 type systemd_sessions_exec_t;
 init_system_domain(systemd_sessions_t, systemd_sessions_exec_t)
@@ -152,6 +181,8 @@ logging_send_syslog_msg(systemd_log_parse_env_type)
 # Backlight local policy
 #
 
+allow systemd_backlight_t self:unix_dgram_socket { connect connected_socket_perms };
+
 allow systemd_backlight_t systemd_backlight_var_lib_t:dir manage_dir_perms;
 init_var_lib_filetrans(systemd_backlight_t, systemd_backlight_var_lib_t, dir)
 manage_files_pattern(systemd_backlight_t, systemd_backlight_var_lib_t, systemd_backlight_var_lib_t)
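Review bot: `allow systemd_backlight_t self:unix_dgram_socket { connect connected_socket_perms };` has no comment saying what the socket is for; if it is for syslog, check whether `logging_send_syslog_msg(systemd_log_parse_env_type)` shown in the hunk header already covers it (systemd_backlight_t is given systemd_log_parse_environment below), in which case the rule is redundant.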
@@ -161,8 +192,10 @@ systemd_log_parse_environment(systemd_backlight_t)
 # Allow systemd-backlight to write to /sys/class/backlight/*/brightness
 dev_rw_sysfs(systemd_backlight_t)
 
+# for udev.conf
 files_read_etc_files(systemd_backlight_t)
 
+# for /run/udev/data/+backlight*
 udev_read_pid_files(systemd_backlight_t)
 
 #######################################
@@ -292,6 +325,14 @@ optional_policy(`
 	dbus_connect_system_bus(systemd_logind_t)
 ')
 
+########################################
+#
+# Nspawn local policy
+#
+
+init_pid_filetrans(systemd_nspawn_t, systemd_nspawn_var_run_t, dir)
+
+
 #########################################
 #
 # Resolved local policy
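Review bot: `init_pid_filetrans(systemd_nspawn_t, systemd_nspawn_var_run_t, dir)` has no name argument, so every directory nspawn creates under init's runtime directory will be labelled systemd_nspawn_var_run_t, and nothing in this patch grants systemd_nspawn_t create or manage access on systemd_nspawn_var_run_t, so the transition cannot succeed. Pass "nspawn" as the name to match the `/run/systemd/nspawn(/.*)?` file context and add `manage_dirs_pattern(systemd_nspawn_t, systemd_nspawn_var_run_t, systemd_nspawn_var_run_t)`. The hunk also leaves two consecutive blank lines before the Resolved section.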
@@ -308,7 +349,6 @@ init_pid_filetrans(systemd_resolved_t, systemd_resolved_var_run_t, dir)
 
 kernel_read_crypto_sysctls(systemd_resolved_t)
 kernel_read_kernel_sysctls(systemd_resolved_t)
-kernel_read_system_state(systemd_resolved_t)
 
 corenet_tcp_bind_generic_node(systemd_resolved_t)
 corenet_tcp_bind_llmnr_port(systemd_resolved_t)
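Review bot: `kernel_read_system_state(systemd_resolved_t)` is removed with no explanation in the hunk or the surrounding comments; removing access can break resolved at runtime, so state why it is no longer needed (or which interface now supplies it) in a comment or the commit message.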
@@ -343,6 +383,11 @@ systemd_log_parse_environment(systemd_sessions_t)
 allow systemd_tmpfiles_t self:capability  { chown dac_override fowner fsetid mknod };
 allow systemd_tmpfiles_t self:process { setfscreate getcap };
 
+manage_dirs_pattern(systemd_tmpfiles_t, systemd_journal_t, systemd_journal_t)
+manage_files_pattern(systemd_tmpfiles_t, systemd_journal_t, systemd_journal_t)
+allow systemd_tmpfiles_t systemd_journal_t:dir { relabelfrom relabelto };
+allow systemd_tmpfiles_t systemd_journal_t:file { relabelfrom relabelto };
+
 kernel_read_kernel_sysctls(systemd_tmpfiles_t)
 
 dev_relabel_all_sysfs(systemd_tmpfiles_t)
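Review bot: the four journal rules give systemd_tmpfiles_t full manage plus relabel over systemd_journal_t dirs and files, which is broader than the `{ setattr relabelfrom relabelto create }` set the new systemd_tmpfilesd_managed interface grants for man_t in the miscfiles hunk; if tmpfiles only creates and relabels the journal directories, use that narrower set (or call the interface) and otherwise add a comment justifying delete and write.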

diff --git a/policy/modules/system/udev.if b/policy/modules/system/udev.if
index d4c92ccb..847b65bf 100644
--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@@ -315,6 +315,26 @@ interface(`udev_pid_filetrans_db',`
 
 ########################################
 ## <summary>
+##      Allow process to relabelto udev database
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`udev_relabelto_db',`
+	gen_require(`
+		type udev_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 udev_var_run_t:file relabelto_file_perms;
+	allow $1 udev_var_run_t:lnk_file relabelto_file_perms;
+')
+
+########################################
+## <summary>
 ## 	Search through udev pid content
 ## </summary>
 ## <param name="domain">
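Review bot: udev_relabelto_db grants relabelto on udev_var_run_t `file` and `lnk_file` only; if the caller also relabels the database directory itself it will need `dir` as well, so say which objects the interface is meant for in the summary. The doc block uses spaces where the next interface ("## 	Search through udev pid content") uses a tab.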

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index d6034f30..08057d3d 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -1,4 +1,4 @@
-policy_module(udev, 1.21.2)
+policy_module(udev, 1.21.3)
 
 ########################################
 #

diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
index 3bf66058..3f7f66a7 100644
--- a/policy/modules/system/unconfined.if
+++ b/policy/modules/system/unconfined.if
@@ -483,6 +483,25 @@ interface(`unconfined_stream_connect',`
 
 ########################################
 ## <summary>
+##      Do not audit attempts to read and write
+##      unconfined domain stream.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain to not audit.
+##      </summary>
+## </param>
+#
+interface(`unconfined_dontaudit_rw_stream_sockets',`
+	gen_require(`
+		type unconfined_t;
+	')
+
+	dontaudit $1 unconfined_t:unix_stream_socket rw_socket_perms;
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to read or write
 ##	unconfined domain tcp sockets.
 ## </summary>
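Review bot: the summary "Do not audit attempts to read and write unconfined domain stream." is missing the word "sockets"; write "unconfined domain stream sockets." to match the wording of the tcp sockets interface that follows it, and use a tab for the doc indentation like that interface does.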

diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index dc319d53..c1d4df8e 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -1,4 +1,4 @@
-policy_module(unconfined, 3.9.0)
+policy_module(unconfined, 3.9.1)
 
 ########################################
 #

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 45c0339f..0799c18c 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1137,6 +1137,10 @@ template(`userdom_unpriv_user_template', `
 	optional_policy(`
 		setroubleshoot_stream_connect($1_t)
 	')
+
+	optional_policy(`
+		systemd_dbus_chat_logind($1_t)
+	')
 ')
 
 #######################################
@@ -3276,6 +3280,35 @@ interface(`userdom_use_user_ptys',`
 
 ########################################
 ## <summary>
+##     Read and write a inherited user TTYs and PTYs.
+## </summary>
+## <desc>
+##     <p>
+##     Allow the specified domain to read and write inherited user
+##     TTYs and PTYs. This will allow the domain to
+##     interact with the user via the terminal. Typically
+##     all interactive applications will require this
+##     access.
+##     </p>
+## </desc>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`userdom_use_inherited_user_terminals',`
+	gen_require(`
+		type user_tty_device_t, user_devpts_t;
+	')
+
+	allow $1 user_tty_device_t:chr_file rw_inherited_term_perms;
+	allow $1 user_devpts_t:chr_file rw_inherited_term_perms;
+')
+
+########################################
+## <summary>
 ##	Read and write a user TTYs and PTYs.
 ## </summary>
 ## <desc>
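Review bot: the summary "Read and write a inherited user TTYs and PTYs." is ungrammatical; use "Read and write inherited user TTYs and PTYs." (the stray "a" is copied from the summary of userdom_use_user_ptys below, which has the same slip and could be fixed in the same patch).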
@@ -3718,6 +3751,25 @@ interface(`userdom_write_user_tmp_files',`
 
 ########################################
 ## <summary>
+##      Do not audit attempts to write users
+##      temporary files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain to not audit.
+##      </summary>
+## </param>
+#
+interface(`userdom_dontaudit_write_user_tmp_files',`
+	gen_require(`
+		type user_tmp_t;
+	')
+
+	dontaudit $1 user_tmp_t:file write;
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to use user ttys.
 ## </summary>
 ## <param name="domain">
@@ -4085,3 +4137,22 @@ interface(`userdom_relabel_user_certs',`
 	relabel_sock_files_pattern($1, user_cert_t, user_cert_t)
 	relabel_fifo_files_pattern($1, user_cert_t, user_cert_t)
 ')
+
+########################################
+## <summary>
+##     Do not audit attempts to read and write
+##     unserdomain stream.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain to not audit.
+##     </summary>
+## </param>
+#
+interface(`userdom_dontaudit_rw_all_users_stream_sockets',`
+	gen_require(`
+		attribute userdomain;
+	')
+
+	dontaudit $1 userdomain:unix_stream_socket rw_socket_perms;
+')
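Review bot: the summary of userdom_dontaudit_rw_all_users_stream_sockets has a typo, "unserdomain stream"; write "userdomain stream sockets." so it reads like the matching unconfined_dontaudit_rw_stream_sockets interface in this patch.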

diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index df3b9572..3d60070c 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -1,4 +1,4 @@
-policy_module(userdomain, 4.13.1)
+policy_module(userdomain, 4.13.2)
 
 ########################################
 #



* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
@ 2017-02-27 10:50 Jason Zaman
  2017-02-27 11:40 ` [gentoo-commits] proj/hardened-refpolicy:next " Jason Zaman
  0 siblings, 1 reply; 14+ messages in thread
From: Jason Zaman @ 2017-02-27 10:50 UTC (permalink / raw
  To: gentoo-commits

commit:     4cad32c069d96e1f34d90a2fc05d3d05b65c8ae3
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Feb 25 16:20:19 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb 27 10:38:00 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4cad32c0

Network daemon patches from Russell Coker.

 policy/modules/kernel/corenetwork.te.in | 6 +++---
 policy/modules/system/iptables.te       | 4 +++-
 policy/modules/system/sysnetwork.fc     | 2 ++
 policy/modules/system/sysnetwork.te     | 6 +++++-
 4 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index 68aba14c..b3db0139 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -1,4 +1,4 @@
-policy_module(corenetwork, 1.23.2)
+policy_module(corenetwork, 1.23.3)
 
 ########################################
 #
@@ -216,7 +216,7 @@ network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0, tcp,143,s0, tcp,220,s0, tc
 network_port(portmap, udp,111,s0, tcp,111,s0)
 network_port(postfix_policyd, tcp,10031,s0)
 network_port(postgresql, tcp,5432,s0)
-network_port(postgrey, tcp,60000,s0)
+network_port(postgrey, tcp,10023,s0, tcp,60000,s0)
 network_port(pptp, tcp,1723,s0, udp,1723,s0)
 network_port(prelude, tcp,4690,s0, udp,4690,s0)
 network_port(presence, tcp,5298-5299,s0, udp,5298-5299,s0)
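Review bot: the postgrey port is extended with `tcp,10023,s0` without a comment; since the existing definition only had 60000, note which deployment listens on 10023 so the next reader does not have to guess why two ports carry the postgrey label.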
@@ -236,7 +236,7 @@ network_port(repository, tcp, 6363, s0)
 network_port(ricci, tcp,11111,s0, udp,11111,s0)
 network_port(ricci_modcluster, tcp,16851,s0, udp,16851,s0)
 network_port(rlogind, tcp,513,s0)
-network_port(rndc, tcp,953,s0, udp,953,s0)
+network_port(rndc, tcp,953,s0, udp,953,s0, tcp,8953,s0, udp,8953,s0)
 network_port(router, udp,520,s0, udp,521,s0, tcp,521,s0)
 network_port(rsh, tcp,514,s0)
 network_port(rsync, tcp,873,s0, udp,873,s0)
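Review bot: `tcp,8953,s0, udp,8953,s0` is added to the rndc label with no comment; rndc's own port in this definition is 953, so state which program listens on 8953 and whether it should get its own port type rather than inheriting every rule written for rndc_port_t.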

diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
index 0380f55b..e8063b99 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -1,4 +1,4 @@
-policy_module(iptables, 1.18.1)
+policy_module(iptables, 1.18.2)
 
 ########################################
 #
@@ -153,4 +153,6 @@ optional_policy(`
 
 optional_policy(`
 	udev_read_db(iptables_t)
+	# this is for iptables_t to inherit a file hande from xen vif-bridge
+	udev_manage_pid_files(iptables_t)
 ')
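Review bot: `udev_manage_pid_files(iptables_t)` is far broader than the comment asks for: inheriting an already open file handle from the xen vif-bridge script needs only read/write on the inherited descriptor, not create, rename and unlink of udev runtime files, so an rw_inherited-style interface is the tighter fit. The comment also has a typo: "file hande" should be "file handle".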

diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
index e887076b..817d620b 100644
--- a/policy/modules/system/sysnetwork.fc
+++ b/policy/modules/system/sysnetwork.fc
@@ -58,6 +58,7 @@ ifdef(`distro_redhat',`
 /var/lib/dhcp3?		-d	gen_context(system_u:object_r:dhcp_state_t,s0)
 /var/lib/dhcp3?/dhclient.*	gen_context(system_u:object_r:dhcpc_state_t,s0)
 /var/lib/dhcpcd(/.*)?		gen_context(system_u:object_r:dhcpc_state_t,s0)
+/var/lib/dhcpv6(/.*)?		gen_context(system_u:object_r:dhcpc_state_t,s0)
 /var/lib/dhclient(/.*)?		gen_context(system_u:object_r:dhcpc_state_t,s0)
 /var/lib/wifiroamd(/.*)?	gen_context(system_u:object_r:dhcpc_state_t,s0)
 
@@ -70,6 +71,7 @@ ifdef(`distro_gentoo',`
 
 ifdef(`distro_debian',`
 /run/network(/.*)?	gen_context(system_u:object_r:net_conf_t,s0)
+/var/run/resolvconf/.* --	gen_context(system_u:object_r:net_conf_t,s0)
 ')
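Review bot: `/var/run/resolvconf/.*` uses the /var/run form while the line above it in the same distro_debian block uses `/run/network`; write it as `/run/resolvconf/.*` so the two entries follow one convention.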
 
 ifdef(`distro_gentoo',`

diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index caec3181..d21a2d64 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -1,4 +1,4 @@
-policy_module(sysnetwork, 1.20.3)
+policy_module(sysnetwork, 1.20.4)
 
 ########################################
 #
@@ -244,6 +244,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	samba_manage_config(dhcpc_t)
+')
+
+optional_policy(`
 	seutil_sigchld_newrole(dhcpc_t)
 	seutil_dontaudit_search_config(dhcpc_t)
 ')
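Review bot: `samba_manage_config(dhcpc_t)` lets the DHCP client create, write and delete Samba configuration with no comment on which hook needs it; a network-facing client that takes its data from the DHCP server should get a justification here, and if only a WINS or netbios fragment is rewritten a narrower interface (or write-only access to that fragment) would be preferable to full manage.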



* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/, policy/modules/kernel/
  2017-02-27 10:50 [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/ Jason Zaman
@ 2017-02-27 11:40 ` Jason Zaman
  0 siblings, 0 replies; 14+ messages in thread
From: Jason Zaman @ 2017-02-27 11:40 UTC (permalink / raw
  To: gentoo-commits

* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/, policy/modules/kernel/
@ 2017-05-25 17:08 Jason Zaman
  0 siblings, 0 replies; 14+ messages in thread
From: Jason Zaman @ 2017-05-25 17:08 UTC (permalink / raw
  To: gentoo-commits

commit:     01f8128928b31a303f1521c742e8545366c72352
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Wed May 24 23:58:32 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu May 25 16:36:54 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=01f81289

Module version bump for mmap fixes from Stephen Smalley.

 policy/modules/kernel/devices.te     | 2 +-
 policy/modules/system/libraries.te   | 2 +-
 policy/modules/system/logging.te     | 2 +-
 policy/modules/system/miscfiles.te   | 2 +-
 policy/modules/system/selinuxutil.te | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 9f75d8ce..b0eab749 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -1,4 +1,4 @@
-policy_module(devices, 1.20.8)
+policy_module(devices, 1.20.9)
 
 ########################################
 #

diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
index 1bee4fa0..1ddbf29a 100644
--- a/policy/modules/system/libraries.te
+++ b/policy/modules/system/libraries.te
@@ -1,4 +1,4 @@
-policy_module(libraries, 2.14.4)
+policy_module(libraries, 2.14.5)
 
 ########################################
 #

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 8086ca97..79c981bc 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -1,4 +1,4 @@
-policy_module(logging, 1.25.11)
+policy_module(logging, 1.25.12)
 
 ########################################
 #

diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te
index 3b180a36..c0acc2b4 100644
--- a/policy/modules/system/miscfiles.te
+++ b/policy/modules/system/miscfiles.te
@@ -1,4 +1,4 @@
-policy_module(miscfiles, 1.12.2)
+policy_module(miscfiles, 1.12.3)
 
 ########################################
 #

diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 557e935c..d63a322f 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -1,4 +1,4 @@
-policy_module(selinuxutil, 1.22.11)
+policy_module(selinuxutil, 1.22.12)
 
 gen_require(`
 	bool secure_mode;


