commit: 27908db261c5fee5edc8ea06e1fb2c0a59e72bad |
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org> |
AuthorDate: Wed Apr 19 00:37:39 2017 +0000 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
CommitDate: Sun Apr 30 09:12:52 2017 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=27908db2 |
|
misc daemons from Russell Coker. |
|
Put in libx32 subs entries that refer to directories with fc entries. |
|
Allow dpkg_t to transition to dpkg_script_t when it executes bin_t for |
dpkg-reconfigure. |
|
Some dontaudit rules for mta processes spawned by mon for notification. |
|
Lots of tiny changes that are obvious. |
|
policy/modules/contrib/backup.te | 4 ++-- |
policy/modules/contrib/bitlbee.te | 3 ++- |
policy/modules/contrib/dpkg.te | 9 ++++++++- |
policy/modules/contrib/fetchmail.te | 3 ++- |
policy/modules/contrib/kerneloops.te | 4 +++- |
policy/modules/contrib/loadkeys.te | 4 +++- |
policy/modules/contrib/mon.if | 37 ++++++++++++++++++++++++++++++++++++ |
policy/modules/contrib/mon.te | 3 ++- |
policy/modules/contrib/mta.te | 10 +++++++++- |
policy/modules/contrib/munin.te | 5 ++++- |
policy/modules/contrib/ntp.te | 4 ++-- |
policy/modules/contrib/rtkit.te | 6 +++++- |
policy/modules/contrib/smartmon.te | 3 ++- |
13 files changed, 81 insertions(+), 14 deletions(-) |
|
diff --git a/policy/modules/contrib/backup.te b/policy/modules/contrib/backup.te |
35 |
index c207d5a2..135f94a3 100644 |
36 |
--- a/policy/modules/contrib/backup.te |
37 |
+++ b/policy/modules/contrib/backup.te |
38 |
@@ -1,4 +1,4 @@ |
39 |
-policy_module(backup, 1.7.0) |
40 |
+policy_module(backup, 1.7.1) |
41 |
|
42 |
######################################## |
43 |
# |
44 |
@@ -21,7 +21,7 @@ files_type(backup_store_t) |
45 |
# Local policy |
46 |
# |
47 |
|
48 |
-allow backup_t self:capability dac_override; |
49 |
+allow backup_t self:capability { chown dac_override fsetid }; |
50 |
allow backup_t self:process signal; |
51 |
allow backup_t self:fifo_file rw_fifo_file_perms; |
52 |
allow backup_t self:tcp_socket create_socket_perms; |
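Review bot: The `chown` and `fsetid` capabilities added to the `allow backup_t self:capability` rule carry no explanation, and combined with the existing `dac_override` they let backup_t change the owner of, and keep setuid/setgid bits on, any file it writes, which is what a restore needs but also exactly what a compromised backup job would want. A why-comment above the rule, e.g. `# chown/fsetid: restore file ownership and setuid/setgid bits on restore`, would let the next maintainer check the need, and if only restores need them a tunable gating these two would keep the routine backup run without them. The backup_t local-policy block continues past this hunk.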
53 |
|
54 |
diff --git a/policy/modules/contrib/bitlbee.te b/policy/modules/contrib/bitlbee.te |
55 |
index 93d4385d..90ff0dc6 100644 |
56 |
--- a/policy/modules/contrib/bitlbee.te |
57 |
+++ b/policy/modules/contrib/bitlbee.te |
58 |
@@ -1,4 +1,4 @@ |
59 |
-policy_module(bitlbee, 1.7.0) |
60 |
+policy_module(bitlbee, 1.7.1) |
61 |
|
62 |
######################################## |
63 |
# |
64 |
@@ -61,6 +61,7 @@ files_pid_filetrans(bitlbee_t, bitlbee_var_run_t, { dir file sock_file }) |
65 |
|
66 |
kernel_read_kernel_sysctls(bitlbee_t) |
67 |
kernel_read_system_state(bitlbee_t) |
68 |
+kernel_read_crypto_sysctls(bitlbee_t) |
69 |
|
70 |
corenet_all_recvfrom_unlabeled(bitlbee_t) |
71 |
corenet_all_recvfrom_netlabel(bitlbee_t) |
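Review bot: The new `kernel_read_crypto_sysctls(bitlbee_t)` line is placed after `kernel_read_system_state`, which breaks the alphabetical ordering refpolicy keeps for interface calls within a group; it belongs first, ahead of `kernel_read_kernel_sysctls(bitlbee_t)`. Nothing in the hunk shows why an IRC gateway reads /proc/sys/crypto, so a short comment naming the cause (presumably a TLS library checking the FIPS flag) would also help. The surrounding local-policy block extends beyond this hunk.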
72 |
|
73 |
diff --git a/policy/modules/contrib/dpkg.te b/policy/modules/contrib/dpkg.te |
74 |
index 3ea9e3e0..a3d3f2e5 100644 |
75 |
--- a/policy/modules/contrib/dpkg.te |
76 |
+++ b/policy/modules/contrib/dpkg.te |
77 |
@@ -1,4 +1,4 @@ |
78 |
-policy_module(dpkg, 1.11.4) |
79 |
+policy_module(dpkg, 1.11.5) |
80 |
|
81 |
######################################## |
82 |
# |
83 |
@@ -34,6 +34,7 @@ domain_type(dpkg_script_t) |
84 |
domain_entry_file(dpkg_t, dpkg_var_lib_t) |
85 |
domain_entry_file(dpkg_script_t, dpkg_var_lib_t) |
86 |
corecmd_shell_entry_type(dpkg_script_t) |
87 |
+corecmd_bin_entry_type(dpkg_script_t) |
88 |
domain_obj_id_change_exemption(dpkg_script_t) |
89 |
domain_system_change_exemption(dpkg_script_t) |
90 |
domain_interactive_fd(dpkg_script_t) |
91 |
@@ -87,6 +88,8 @@ files_var_lib_filetrans(dpkg_t, dpkg_var_lib_t, dir) |
92 |
kernel_read_system_state(dpkg_t) |
93 |
kernel_read_kernel_sysctls(dpkg_t) |
94 |
|
95 |
+corecmd_bin_domtrans(dpkg_t, dpkg_script_t) |
96 |
+ |
97 |
corenet_all_recvfrom_unlabeled(dpkg_t) |
98 |
corenet_all_recvfrom_netlabel(dpkg_t) |
99 |
corenet_tcp_sendrecv_generic_if(dpkg_t) |
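Review bot: `corecmd_bin_domtrans(dpkg_t, dpkg_script_t)` transitions dpkg_t into dpkg_script_t on every bin_t executable it runs, not only dpkg-reconfigure as the commit message states, and dpkg_script_t is a highly privileged domain (an earlier hunk in this file makes all of bin_t an entry point for it, and the file gives it object-id and system change exemptions). If dpkg_t previously executed bin_t helpers in its own domain, those now run with maintainer-script privileges, so it is worth confirming no narrower entry type is available for dpkg-reconfigure; at minimum a why-comment should sit above the call, e.g. `# dpkg-reconfigure is a bin_t script; run it as a maintainer script`. The dpkg_t local-policy section continues outside this hunk.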
100 |
@@ -307,6 +310,10 @@ optional_policy(` |
101 |
') |
102 |
|
103 |
optional_policy(` |
104 |
+ devicekit_dbus_chat_power(dpkg_script_t) |
105 |
+') |
106 |
+ |
107 |
+optional_policy(` |
108 |
modutils_run(dpkg_script_t, dpkg_roles) |
109 |
') |
110 |
|
111 |
|
112 |
diff --git a/policy/modules/contrib/fetchmail.te b/policy/modules/contrib/fetchmail.te |
113 |
index a15bc538..7e796c31 100644 |
114 |
--- a/policy/modules/contrib/fetchmail.te |
115 |
+++ b/policy/modules/contrib/fetchmail.te |
116 |
@@ -1,4 +1,4 @@ |
117 |
-policy_module(fetchmail, 1.16.1) |
118 |
+policy_module(fetchmail, 1.16.2) |
119 |
|
120 |
######################################## |
121 |
# |
122 |
@@ -78,6 +78,7 @@ dev_read_rand(fetchmail_t) |
123 |
dev_read_urand(fetchmail_t) |
124 |
|
125 |
files_read_etc_runtime_files(fetchmail_t) |
126 |
+files_search_tmp(fetchmail_t) |
127 |
files_dontaudit_search_home(fetchmail_t) |
128 |
|
129 |
fs_getattr_all_fs(fetchmail_t) |
130 |
|
131 |
diff --git a/policy/modules/contrib/kerneloops.te b/policy/modules/contrib/kerneloops.te |
132 |
index 4ecba0ae..58ee9516 100644 |
133 |
--- a/policy/modules/contrib/kerneloops.te |
134 |
+++ b/policy/modules/contrib/kerneloops.te |
135 |
@@ -1,4 +1,4 @@ |
136 |
-policy_module(kerneloops, 1.6.1) |
137 |
+policy_module(kerneloops, 1.6.2) |
138 |
|
139 |
######################################## |
140 |
# |
141 |
@@ -30,6 +30,8 @@ files_tmp_filetrans(kerneloops_t, kerneloops_tmp_t, file) |
142 |
kernel_read_ring_buffer(kerneloops_t) |
143 |
kernel_read_system_state(kerneloops_t) |
144 |
|
145 |
+dev_read_urand(kerneloops_t) |
146 |
+ |
147 |
domain_use_interactive_fds(kerneloops_t) |
148 |
|
149 |
corenet_all_recvfrom_unlabeled(kerneloops_t) |
150 |
|
151 |
diff --git a/policy/modules/contrib/loadkeys.te b/policy/modules/contrib/loadkeys.te |
152 |
index ca8e7015..d99a28bf 100644 |
153 |
--- a/policy/modules/contrib/loadkeys.te |
154 |
+++ b/policy/modules/contrib/loadkeys.te |
155 |
@@ -1,4 +1,4 @@ |
156 |
-policy_module(loadkeys, 1.11.1) |
157 |
+policy_module(loadkeys, 1.11.2) |
158 |
|
159 |
######################################## |
160 |
# |
161 |
@@ -37,6 +37,8 @@ files_search_tmp(loadkeys_t) |
162 |
term_dontaudit_use_console(loadkeys_t) |
163 |
term_use_unallocated_ttys(loadkeys_t) |
164 |
|
165 |
+init_read_script_tmp_files(loadkeys_t) |
166 |
+ |
167 |
locallogin_use_fds(loadkeys_t) |
168 |
|
169 |
miscfiles_read_localization(loadkeys_t) |
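Review bot: `init_read_script_tmp_files(loadkeys_t)` is added without a comment, and it is not obvious why a keymap loader reads init-script temporary files; if an init script hands a keymap over through a temp file, say so above the call, e.g. `# keymap handed over by an init script via a temporary file`. If the access is only incidental (an inherited descriptor or working directory), a dontaudit would be the tighter choice. The loadkeys_t local-policy block extends beyond this hunk.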
170 |
|
171 |
diff --git a/policy/modules/contrib/mon.if b/policy/modules/contrib/mon.if |
172 |
index d9aee2be..4701724e 100644 |
173 |
--- a/policy/modules/contrib/mon.if |
174 |
+++ b/policy/modules/contrib/mon.if |
175 |
@@ -1 +1,38 @@ |
176 |
## <summary>mon network monitoring daemon.</summary> |
177 |
+ |
178 |
+###################################### |
179 |
+## <summary> |
180 |
+## dontaudit using an inherited fd from mon_t |
181 |
+## </summary> |
182 |
+## <param name="domain"> |
183 |
+## <summary> |
184 |
+## Domain to not audit |
185 |
+## </summary> |
186 |
+## </param> |
187 |
+# |
188 |
+interface(`mon_dontaudit_use_fds',` |
189 |
+ gen_require(` |
190 |
+ type mon_t; |
191 |
+ ') |
192 |
+ |
193 |
+ dontaudit $1 mon_t:fd use; |
194 |
+') |
195 |
+ |
196 |
+###################################### |
197 |
+## <summary> |
198 |
+## dontaudit searching /var/lib/mon |
199 |
+## </summary> |
200 |
+## <param name="domain"> |
201 |
+## <summary> |
202 |
+## Domain to not audit |
203 |
+## </summary> |
204 |
+## </param> |
205 |
+# |
206 |
+interface(`mon_dontaudit_search_var_lib',` |
207 |
+ gen_require(` |
208 |
+ type mon_var_lib_t; |
209 |
+ ') |
210 |
+ |
211 |
+ dontaudit $1 mon_var_lib_t:dir search; |
212 |
+') |
213 |
+ |
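Review bot: The two new interface summaries, `dontaudit using an inherited fd from mon_t` and `dontaudit searching /var/lib/mon`, do not follow the sentence style refpolicy uses for interface docs; the usual wording is `Do not audit attempts to use mon file descriptors.` and `Do not audit attempts to search mon lib directories.`, and the parameter summary would likewise end in a period, `Domain to not audit.`. The `####` separator bars also appear shorter than the ones used in other interface files. The interface bodies themselves match their names and require only the types they use.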
214 |
|
215 |
diff --git a/policy/modules/contrib/mon.te b/policy/modules/contrib/mon.te |
216 |
index 5db41833..0207d0ac 100644 |
217 |
--- a/policy/modules/contrib/mon.te |
218 |
+++ b/policy/modules/contrib/mon.te |
219 |
@@ -1,4 +1,4 @@ |
220 |
-policy_module(mon, 1.0.2) |
221 |
+policy_module(mon, 1.0.3) |
222 |
|
223 |
######################################## |
224 |
# |
225 |
@@ -80,6 +80,7 @@ domain_use_interactive_fds(mon_t) |
226 |
files_read_etc_files(mon_t) |
227 |
files_read_etc_runtime_files(mon_t) |
228 |
files_read_usr_files(mon_t) |
229 |
+files_search_var_lib(mon_t) |
230 |
|
231 |
fs_getattr_all_fs(mon_t) |
232 |
fs_search_auto_mountpoints(mon_t) |
233 |
|
234 |
diff --git a/policy/modules/contrib/mta.te b/policy/modules/contrib/mta.te |
235 |
index 68f3e91f..2baa07c9 100644 |
236 |
--- a/policy/modules/contrib/mta.te |
237 |
+++ b/policy/modules/contrib/mta.te |
238 |
@@ -1,4 +1,4 @@ |
239 |
-policy_module(mta, 2.8.4) |
240 |
+policy_module(mta, 2.8.5) |
241 |
|
242 |
######################################## |
243 |
# |
244 |
@@ -324,6 +324,10 @@ optional_policy(` |
245 |
') |
246 |
') |
247 |
|
248 |
+optional_policy(` |
249 |
+ mon_dontaudit_use_fds(mta_user_agent) |
250 |
+') |
251 |
+ |
252 |
######################################## |
253 |
# |
254 |
# Mailserver delivery local policy |
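Review bot: `mon_dontaudit_use_fds(mta_user_agent)` silences the denial rather than fixing its cause: per the commit message mon spawns an MTA for notifications, so the mail client inherits mon's open descriptors. A dontaudit is acceptable for leaked fds, but the reason should be recorded, e.g. `# mon leaks its fds to the mail client it spawns for notifications`, and it is worth checking whether mon_t could close them before exec instead, which would remove the need for the rule. Note the dontaudit applies to the whole mta_user_agent attribute, not just the client mon runs.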
255 |
@@ -379,6 +383,10 @@ optional_policy(` |
256 |
') |
257 |
|
258 |
optional_policy(` |
259 |
+ mon_dontaudit_search_var_lib(mailserver_delivery) |
260 |
+') |
261 |
+ |
262 |
+optional_policy(` |
263 |
postfix_rw_inherited_master_pipes(mailserver_delivery) |
264 |
') |
265 |
|
266 |
|
267 |
diff --git a/policy/modules/contrib/munin.te b/policy/modules/contrib/munin.te |
268 |
index 16f15ddd..fba6470b 100644 |
269 |
--- a/policy/modules/contrib/munin.te |
270 |
+++ b/policy/modules/contrib/munin.te |
271 |
@@ -1,4 +1,4 @@ |
272 |
-policy_module(munin, 1.12.0) |
273 |
+policy_module(munin, 1.12.1) |
274 |
|
275 |
######################################## |
276 |
# |
277 |
@@ -385,6 +385,7 @@ optional_policy(` |
278 |
# System local policy |
279 |
# |
280 |
|
281 |
+allow system_munin_plugin_t self:capability net_admin; |
282 |
allow system_munin_plugin_t self:udp_socket create_socket_perms; |
283 |
|
284 |
rw_files_pattern(system_munin_plugin_t, munin_var_lib_t, munin_var_lib_t) |
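Review bot: `allow system_munin_plugin_t self:capability net_admin;` grants the broadest network capability (interface, routing and netfilter configuration) to every system plugin, and nothing in the hunk records which plugin needs it. Some tools request CAP_NET_ADMIN opportunistically and work without it, in which case `dontaudit system_munin_plugin_t self:capability net_admin;` is the tighter choice; if a specific plugin genuinely needs it, name it in a comment above the rule, e.g. `# net_admin: required by the <plugin> plugin`. The system plugin local-policy block continues past this hunk.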
285 |
@@ -399,6 +400,8 @@ dev_read_urand(system_munin_plugin_t) |
286 |
|
287 |
domain_read_all_domains_state(system_munin_plugin_t) |
288 |
|
289 |
+files_read_usr_files(system_munin_plugin_t) |
290 |
+ |
291 |
init_read_utmp(system_munin_plugin_t) |
292 |
|
293 |
logging_search_logs(system_munin_plugin_t) |
294 |
|
295 |
diff --git a/policy/modules/contrib/ntp.te b/policy/modules/contrib/ntp.te |
296 |
index aae4f194..89b31bf3 100644 |
297 |
--- a/policy/modules/contrib/ntp.te |
298 |
+++ b/policy/modules/contrib/ntp.te |
299 |
@@ -1,4 +1,4 @@ |
300 |
-policy_module(ntp, 1.16.3) |
301 |
+policy_module(ntp, 1.16.4) |
302 |
|
303 |
######################################## |
304 |
# |
305 |
@@ -71,7 +71,7 @@ files_var_filetrans(ntpd_t, ntp_drift_t, file) |
306 |
read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t) |
307 |
read_lnk_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t) |
308 |
|
309 |
-allow ntpd_t ntpd_lock_t:file write_file_perms; |
310 |
+allow ntpd_t ntpd_lock_t:file rw_file_perms; |
311 |
|
312 |
allow ntpd_t ntpd_log_t:dir setattr_dir_perms; |
313 |
append_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t) |
314 |
|
315 |
diff --git a/policy/modules/contrib/rtkit.te b/policy/modules/contrib/rtkit.te |
316 |
index c5e77836..cfee1a14 100644 |
317 |
--- a/policy/modules/contrib/rtkit.te |
318 |
+++ b/policy/modules/contrib/rtkit.te |
319 |
@@ -1,4 +1,4 @@ |
320 |
-policy_module(rtkit, 1.5.0) |
321 |
+policy_module(rtkit, 1.5.1) |
322 |
|
323 |
######################################## |
324 |
# |
325 |
@@ -30,12 +30,16 @@ domain_read_all_domains_state(rtkit_daemon_t) |
326 |
|
327 |
fs_rw_anon_inodefs_files(rtkit_daemon_t) |
328 |
|
329 |
+selinux_getattr_fs(rtkit_daemon_t) |
330 |
+ |
331 |
auth_use_nsswitch(rtkit_daemon_t) |
332 |
|
333 |
logging_send_syslog_msg(rtkit_daemon_t) |
334 |
|
335 |
miscfiles_read_localization(rtkit_daemon_t) |
336 |
|
337 |
+seutil_search_default_contexts(rtkit_daemon_t) |
338 |
+ |
339 |
optional_policy(` |
340 |
dbus_system_domain(rtkit_daemon_t, rtkit_daemon_exec_t) |
341 |
|
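Review bot: `selinux_getattr_fs(rtkit_daemon_t)` and `seutil_search_default_contexts(rtkit_daemon_t)` are added without saying what in a realtime-priority daemon touches SELinux state; a plausible cause, given the `dbus_system_domain` call below, is libselinux initialisation pulled in through D-Bus, but that is inferred, not shown. If so, the fs getattr is routine, while a bare search of the default contexts directory with no accompanying read looks like a probe that could be dontaudited rather than allowed; a comment such as `# libselinux probing via dbus` above each call would make the intent checkable. Both calls appear correctly placed within their alphabetical groups.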
342 |
|
343 |
diff --git a/policy/modules/contrib/smartmon.te b/policy/modules/contrib/smartmon.te |
344 |
index 4a7cafa7..1ad706c7 100644 |
345 |
--- a/policy/modules/contrib/smartmon.te |
346 |
+++ b/policy/modules/contrib/smartmon.te |
347 |
@@ -1,4 +1,4 @@ |
348 |
-policy_module(smartmon, 1.14.0) |
349 |
+policy_module(smartmon, 1.14.1) |
350 |
|
351 |
######################################## |
352 |
# |
353 |
@@ -69,6 +69,7 @@ files_exec_etc_files(fsdaemon_t) |
354 |
files_read_etc_files(fsdaemon_t) |
355 |
files_read_etc_runtime_files(fsdaemon_t) |
356 |
files_read_usr_files(fsdaemon_t) |
357 |
+files_search_var_lib(fsdaemon_t) |
358 |
|
359 |
fs_getattr_all_fs(fsdaemon_t) |
360 |
fs_search_auto_mountpoints(fsdaemon_t) |