| 1 |
commit: 27908db261c5fee5edc8ea06e1fb2c0a59e72bad |
| 2 |
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org> |
| 3 |
AuthorDate: Wed Apr 19 00:37:39 2017 +0000 |
| 4 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
| 5 |
CommitDate: Sun Apr 30 09:12:52 2017 +0000 |
| 6 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=27908db2 |
| 7 |
|
| 8 |
misc daemons from Russell Coker. |
| 9 |
|
| 10 |
Put in libx32 subs entries that refer to directories with fc entries. |
| 11 |
|
| 12 |
Allow dpkg_t to transition to dpkg_script_t when it executes bin_t for |
| 13 |
dpkg-reconfigure. |
| 14 |
|
| 15 |
Some dontaudit rules for mta processes spawned by mon for notification. |
| 16 |
|
| 17 |
Lots of tiny changes that are obvious. |
| 18 |
|
| 19 |
policy/modules/contrib/backup.te | 4 ++-- |
| 20 |
policy/modules/contrib/bitlbee.te | 3 ++- |
| 21 |
policy/modules/contrib/dpkg.te | 9 ++++++++- |
| 22 |
policy/modules/contrib/fetchmail.te | 3 ++- |
| 23 |
policy/modules/contrib/kerneloops.te | 4 +++- |
| 24 |
policy/modules/contrib/loadkeys.te | 4 +++- |
| 25 |
policy/modules/contrib/mon.if | 37 ++++++++++++++++++++++++++++++++++++ |
| 26 |
policy/modules/contrib/mon.te | 3 ++- |
| 27 |
policy/modules/contrib/mta.te | 10 +++++++++- |
| 28 |
policy/modules/contrib/munin.te | 5 ++++- |
| 29 |
policy/modules/contrib/ntp.te | 4 ++-- |
| 30 |
policy/modules/contrib/rtkit.te | 6 +++++- |
| 31 |
policy/modules/contrib/smartmon.te | 3 ++- |
| 32 |
13 files changed, 81 insertions(+), 14 deletions(-) |
| 33 |
|
| 34 |
diff --git a/policy/modules/contrib/backup.te b/policy/modules/contrib/backup.te |
| 35 |
index c207d5a2..135f94a3 100644 |
| 36 |
--- a/policy/modules/contrib/backup.te |
| 37 |
+++ b/policy/modules/contrib/backup.te |
| 38 |
@@ -1,4 +1,4 @@ |
| 39 |
-policy_module(backup, 1.7.0) |
| 40 |
+policy_module(backup, 1.7.1) |
| 41 |
|
| 42 |
######################################## |
| 43 |
# |
| 44 |
@@ -21,7 +21,7 @@ files_type(backup_store_t) |
| 45 |
# Local policy |
| 46 |
# |
| 47 |
|
| 48 |
-allow backup_t self:capability dac_override; |
| 49 |
+allow backup_t self:capability { chown dac_override fsetid }; |
| 50 |
allow backup_t self:process signal; |
| 51 |
allow backup_t self:fifo_file rw_fifo_file_perms; |
| 52 |
allow backup_t self:tcp_socket create_socket_perms; |
| 53 |
|
| 54 |
diff --git a/policy/modules/contrib/bitlbee.te b/policy/modules/contrib/bitlbee.te |
| 55 |
index 93d4385d..90ff0dc6 100644 |
| 56 |
--- a/policy/modules/contrib/bitlbee.te |
| 57 |
+++ b/policy/modules/contrib/bitlbee.te |
| 58 |
@@ -1,4 +1,4 @@ |
| 59 |
-policy_module(bitlbee, 1.7.0) |
| 60 |
+policy_module(bitlbee, 1.7.1) |
| 61 |
|
| 62 |
######################################## |
| 63 |
# |
| 64 |
@@ -61,6 +61,7 @@ files_pid_filetrans(bitlbee_t, bitlbee_var_run_t, { dir file sock_file }) |
| 65 |
|
| 66 |
kernel_read_kernel_sysctls(bitlbee_t) |
| 67 |
kernel_read_system_state(bitlbee_t) |
| 68 |
+kernel_read_crypto_sysctls(bitlbee_t) |
| 69 |
|
| 70 |
corenet_all_recvfrom_unlabeled(bitlbee_t) |
| 71 |
corenet_all_recvfrom_netlabel(bitlbee_t) |
| 72 |
|
| 73 |
diff --git a/policy/modules/contrib/dpkg.te b/policy/modules/contrib/dpkg.te |
| 74 |
index 3ea9e3e0..a3d3f2e5 100644 |
| 75 |
--- a/policy/modules/contrib/dpkg.te |
| 76 |
+++ b/policy/modules/contrib/dpkg.te |
| 77 |
@@ -1,4 +1,4 @@ |
| 78 |
-policy_module(dpkg, 1.11.4) |
| 79 |
+policy_module(dpkg, 1.11.5) |
| 80 |
|
| 81 |
######################################## |
| 82 |
# |
| 83 |
@@ -34,6 +34,7 @@ domain_type(dpkg_script_t) |
| 84 |
domain_entry_file(dpkg_t, dpkg_var_lib_t) |
| 85 |
domain_entry_file(dpkg_script_t, dpkg_var_lib_t) |
| 86 |
corecmd_shell_entry_type(dpkg_script_t) |
| 87 |
+corecmd_bin_entry_type(dpkg_script_t) |
| 88 |
domain_obj_id_change_exemption(dpkg_script_t) |
| 89 |
domain_system_change_exemption(dpkg_script_t) |
| 90 |
domain_interactive_fd(dpkg_script_t) |
| 91 |
@@ -87,6 +88,8 @@ files_var_lib_filetrans(dpkg_t, dpkg_var_lib_t, dir) |
| 92 |
kernel_read_system_state(dpkg_t) |
| 93 |
kernel_read_kernel_sysctls(dpkg_t) |
| 94 |
|
| 95 |
+corecmd_bin_domtrans(dpkg_t, dpkg_script_t) |
| 96 |
+ |
| 97 |
corenet_all_recvfrom_unlabeled(dpkg_t) |
| 98 |
corenet_all_recvfrom_netlabel(dpkg_t) |
| 99 |
corenet_tcp_sendrecv_generic_if(dpkg_t) |
| 100 |
@@ -307,6 +310,10 @@ optional_policy(` |
| 101 |
') |
| 102 |
|
| 103 |
optional_policy(` |
| 104 |
+ devicekit_dbus_chat_power(dpkg_script_t) |
| 105 |
+') |
| 106 |
+ |
| 107 |
+optional_policy(` |
| 108 |
modutils_run(dpkg_script_t, dpkg_roles) |
| 109 |
') |
| 110 |
|
| 111 |
|
| 112 |
diff --git a/policy/modules/contrib/fetchmail.te b/policy/modules/contrib/fetchmail.te |
| 113 |
index a15bc538..7e796c31 100644 |
| 114 |
--- a/policy/modules/contrib/fetchmail.te |
| 115 |
+++ b/policy/modules/contrib/fetchmail.te |
| 116 |
@@ -1,4 +1,4 @@ |
| 117 |
-policy_module(fetchmail, 1.16.1) |
| 118 |
+policy_module(fetchmail, 1.16.2) |
| 119 |
|
| 120 |
######################################## |
| 121 |
# |
| 122 |
@@ -78,6 +78,7 @@ dev_read_rand(fetchmail_t) |
| 123 |
dev_read_urand(fetchmail_t) |
| 124 |
|
| 125 |
files_read_etc_runtime_files(fetchmail_t) |
| 126 |
+files_search_tmp(fetchmail_t) |
| 127 |
files_dontaudit_search_home(fetchmail_t) |
| 128 |
|
| 129 |
fs_getattr_all_fs(fetchmail_t) |
| 130 |
|
| 131 |
diff --git a/policy/modules/contrib/kerneloops.te b/policy/modules/contrib/kerneloops.te |
| 132 |
index 4ecba0ae..58ee9516 100644 |
| 133 |
--- a/policy/modules/contrib/kerneloops.te |
| 134 |
+++ b/policy/modules/contrib/kerneloops.te |
| 135 |
@@ -1,4 +1,4 @@ |
| 136 |
-policy_module(kerneloops, 1.6.1) |
| 137 |
+policy_module(kerneloops, 1.6.2) |
| 138 |
|
| 139 |
######################################## |
| 140 |
# |
| 141 |
@@ -30,6 +30,8 @@ files_tmp_filetrans(kerneloops_t, kerneloops_tmp_t, file) |
| 142 |
kernel_read_ring_buffer(kerneloops_t) |
| 143 |
kernel_read_system_state(kerneloops_t) |
| 144 |
|
| 145 |
+dev_read_urand(kerneloops_t) |
| 146 |
+ |
| 147 |
domain_use_interactive_fds(kerneloops_t) |
| 148 |
|
| 149 |
corenet_all_recvfrom_unlabeled(kerneloops_t) |
| 150 |
|
| 151 |
diff --git a/policy/modules/contrib/loadkeys.te b/policy/modules/contrib/loadkeys.te |
| 152 |
index ca8e7015..d99a28bf 100644 |
| 153 |
--- a/policy/modules/contrib/loadkeys.te |
| 154 |
+++ b/policy/modules/contrib/loadkeys.te |
| 155 |
@@ -1,4 +1,4 @@ |
| 156 |
-policy_module(loadkeys, 1.11.1) |
| 157 |
+policy_module(loadkeys, 1.11.2) |
| 158 |
|
| 159 |
######################################## |
| 160 |
# |
| 161 |
@@ -37,6 +37,8 @@ files_search_tmp(loadkeys_t) |
| 162 |
term_dontaudit_use_console(loadkeys_t) |
| 163 |
term_use_unallocated_ttys(loadkeys_t) |
| 164 |
|
| 165 |
+init_read_script_tmp_files(loadkeys_t) |
| 166 |
+ |
| 167 |
locallogin_use_fds(loadkeys_t) |
| 168 |
|
| 169 |
miscfiles_read_localization(loadkeys_t) |
| 170 |
|
| 171 |
diff --git a/policy/modules/contrib/mon.if b/policy/modules/contrib/mon.if |
| 172 |
index d9aee2be..4701724e 100644 |
| 173 |
--- a/policy/modules/contrib/mon.if |
| 174 |
+++ b/policy/modules/contrib/mon.if |
| 175 |
@@ -1 +1,38 @@ |
| 176 |
## <summary>mon network monitoring daemon.</summary> |
| 177 |
+ |
| 178 |
+###################################### |
| 179 |
+## <summary> |
| 180 |
+## dontaudit using an inherited fd from mon_t |
| 181 |
+## </summary> |
| 182 |
+## <param name="domain"> |
| 183 |
+## <summary> |
| 184 |
+## Domain to not audit |
| 185 |
+## </summary> |
| 186 |
+## </param> |
| 187 |
+# |
| 188 |
+interface(`mon_dontaudit_use_fds',` |
| 189 |
+ gen_require(` |
| 190 |
+ type mon_t; |
| 191 |
+ ') |
| 192 |
+ |
| 193 |
+ dontaudit $1 mon_t:fd use; |
| 194 |
+') |
| 195 |
+ |
| 196 |
+###################################### |
| 197 |
+## <summary> |
| 198 |
+## dontaudit searching /var/lib/mon |
| 199 |
+## </summary> |
| 200 |
+## <param name="domain"> |
| 201 |
+## <summary> |
| 202 |
+## Domain to not audit |
| 203 |
+## </summary> |
| 204 |
+## </param> |
| 205 |
+# |
| 206 |
+interface(`mon_dontaudit_search_var_lib',` |
| 207 |
+ gen_require(` |
| 208 |
+ type mon_var_lib_t; |
| 209 |
+ ') |
| 210 |
+ |
| 211 |
+ dontaudit $1 mon_var_lib_t:dir search; |
| 212 |
+') |
| 213 |
+ |
| 214 |
|
| 215 |
diff --git a/policy/modules/contrib/mon.te b/policy/modules/contrib/mon.te |
| 216 |
index 5db41833..0207d0ac 100644 |
| 217 |
--- a/policy/modules/contrib/mon.te |
| 218 |
+++ b/policy/modules/contrib/mon.te |
| 219 |
@@ -1,4 +1,4 @@ |
| 220 |
-policy_module(mon, 1.0.2) |
| 221 |
+policy_module(mon, 1.0.3) |
| 222 |
|
| 223 |
######################################## |
| 224 |
# |
| 225 |
@@ -80,6 +80,7 @@ domain_use_interactive_fds(mon_t) |
| 226 |
files_read_etc_files(mon_t) |
| 227 |
files_read_etc_runtime_files(mon_t) |
| 228 |
files_read_usr_files(mon_t) |
| 229 |
+files_search_var_lib(mon_t) |
| 230 |
|
| 231 |
fs_getattr_all_fs(mon_t) |
| 232 |
fs_search_auto_mountpoints(mon_t) |
| 233 |
|
| 234 |
diff --git a/policy/modules/contrib/mta.te b/policy/modules/contrib/mta.te |
| 235 |
index 68f3e91f..2baa07c9 100644 |
| 236 |
--- a/policy/modules/contrib/mta.te |
| 237 |
+++ b/policy/modules/contrib/mta.te |
| 238 |
@@ -1,4 +1,4 @@ |
| 239 |
-policy_module(mta, 2.8.4) |
| 240 |
+policy_module(mta, 2.8.5) |
| 241 |
|
| 242 |
######################################## |
| 243 |
# |
| 244 |
@@ -324,6 +324,10 @@ optional_policy(` |
| 245 |
') |
| 246 |
') |
| 247 |
|
| 248 |
+optional_policy(` |
| 249 |
+ mon_dontaudit_use_fds(mta_user_agent) |
| 250 |
+') |
| 251 |
+ |
| 252 |
######################################## |
| 253 |
# |
| 254 |
# Mailserver delivery local policy |
| 255 |
@@ -379,6 +383,10 @@ optional_policy(` |
| 256 |
') |
| 257 |
|
| 258 |
optional_policy(` |
| 259 |
+ mon_dontaudit_search_var_lib(mailserver_delivery) |
| 260 |
+') |
| 261 |
+ |
| 262 |
+optional_policy(` |
| 263 |
postfix_rw_inherited_master_pipes(mailserver_delivery) |
| 264 |
') |
| 265 |
|
| 266 |
|
| 267 |
diff --git a/policy/modules/contrib/munin.te b/policy/modules/contrib/munin.te |
| 268 |
index 16f15ddd..fba6470b 100644 |
| 269 |
--- a/policy/modules/contrib/munin.te |
| 270 |
+++ b/policy/modules/contrib/munin.te |
| 271 |
@@ -1,4 +1,4 @@ |
| 272 |
-policy_module(munin, 1.12.0) |
| 273 |
+policy_module(munin, 1.12.1) |
| 274 |
|
| 275 |
######################################## |
| 276 |
# |
| 277 |
@@ -385,6 +385,7 @@ optional_policy(` |
| 278 |
# System local policy |
| 279 |
# |
| 280 |
|
| 281 |
+allow system_munin_plugin_t self:capability net_admin; |
| 282 |
allow system_munin_plugin_t self:udp_socket create_socket_perms; |
| 283 |
|
| 284 |
rw_files_pattern(system_munin_plugin_t, munin_var_lib_t, munin_var_lib_t) |
| 285 |
@@ -399,6 +400,8 @@ dev_read_urand(system_munin_plugin_t) |
| 286 |
|
| 287 |
domain_read_all_domains_state(system_munin_plugin_t) |
| 288 |
|
| 289 |
+files_read_usr_files(system_munin_plugin_t) |
| 290 |
+ |
| 291 |
init_read_utmp(system_munin_plugin_t) |
| 292 |
|
| 293 |
logging_search_logs(system_munin_plugin_t) |
| 294 |
|
| 295 |
diff --git a/policy/modules/contrib/ntp.te b/policy/modules/contrib/ntp.te |
| 296 |
index aae4f194..89b31bf3 100644 |
| 297 |
--- a/policy/modules/contrib/ntp.te |
| 298 |
+++ b/policy/modules/contrib/ntp.te |
| 299 |
@@ -1,4 +1,4 @@ |
| 300 |
-policy_module(ntp, 1.16.3) |
| 301 |
+policy_module(ntp, 1.16.4) |
| 302 |
|
| 303 |
######################################## |
| 304 |
# |
| 305 |
@@ -71,7 +71,7 @@ files_var_filetrans(ntpd_t, ntp_drift_t, file) |
| 306 |
read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t) |
| 307 |
read_lnk_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t) |
| 308 |
|
| 309 |
-allow ntpd_t ntpd_lock_t:file write_file_perms; |
| 310 |
+allow ntpd_t ntpd_lock_t:file rw_file_perms; |
| 311 |
|
| 312 |
allow ntpd_t ntpd_log_t:dir setattr_dir_perms; |
| 313 |
append_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t) |
| 314 |
|
| 315 |
diff --git a/policy/modules/contrib/rtkit.te b/policy/modules/contrib/rtkit.te |
| 316 |
index c5e77836..cfee1a14 100644 |
| 317 |
--- a/policy/modules/contrib/rtkit.te |
| 318 |
+++ b/policy/modules/contrib/rtkit.te |
| 319 |
@@ -1,4 +1,4 @@ |
| 320 |
-policy_module(rtkit, 1.5.0) |
| 321 |
+policy_module(rtkit, 1.5.1) |
| 322 |
|
| 323 |
######################################## |
| 324 |
# |
| 325 |
@@ -30,12 +30,16 @@ domain_read_all_domains_state(rtkit_daemon_t) |
| 326 |
|
| 327 |
fs_rw_anon_inodefs_files(rtkit_daemon_t) |
| 328 |
|
| 329 |
+selinux_getattr_fs(rtkit_daemon_t) |
| 330 |
+ |
| 331 |
auth_use_nsswitch(rtkit_daemon_t) |
| 332 |
|
| 333 |
logging_send_syslog_msg(rtkit_daemon_t) |
| 334 |
|
| 335 |
miscfiles_read_localization(rtkit_daemon_t) |
| 336 |
|
| 337 |
+seutil_search_default_contexts(rtkit_daemon_t) |
| 338 |
+ |
| 339 |
optional_policy(` |
| 340 |
dbus_system_domain(rtkit_daemon_t, rtkit_daemon_exec_t) |
| 341 |
|
| 342 |
|
| 343 |
diff --git a/policy/modules/contrib/smartmon.te b/policy/modules/contrib/smartmon.te |
| 344 |
index 4a7cafa7..1ad706c7 100644 |
| 345 |
--- a/policy/modules/contrib/smartmon.te |
| 346 |
+++ b/policy/modules/contrib/smartmon.te |
| 347 |
@@ -1,4 +1,4 @@ |
| 348 |
-policy_module(smartmon, 1.14.0) |
| 349 |
+policy_module(smartmon, 1.14.1) |
| 350 |
|
| 351 |
######################################## |
| 352 |
# |
| 353 |
@@ -69,6 +69,7 @@ files_exec_etc_files(fsdaemon_t) |
| 354 |
files_read_etc_files(fsdaemon_t) |
| 355 |
files_read_etc_runtime_files(fsdaemon_t) |
| 356 |
files_read_usr_files(fsdaemon_t) |
| 357 |
+files_search_var_lib(fsdaemon_t) |
| 358 |
|
| 359 |
fs_getattr_all_fs(fsdaemon_t) |
| 360 |
fs_search_auto_mountpoints(fsdaemon_t) |
Archives