Gentoo Archives: gentoo-commits

From: Jason Zaman <perfinion@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
Date: Thu, 31 Mar 2022 03:31:38
Message-Id: 1648694453.d953a2fbae3db9cea8136566782294d6206a717a.perfinion@gentoo
1 commit: d953a2fbae3db9cea8136566782294d6206a717a
2 Author: Russell Coker <russell <AT> coker <DOT> com <DOT> au>
3 AuthorDate: Thu Mar 24 14:34:49 2022 +0000
4 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
5 CommitDate: Thu Mar 31 02:40:53 2022 +0000
6 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d953a2fb
7
8 certbot V3
9
10 Same as the last one but with the directory names for the auto trans rules
11 removed. I think it's ready for merging.
12
13 Signed-off-by: Russell Coker <russell <AT> coker.com.au>
14 Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
15
16 policy/modules/services/apache.if | 36 ++++++++++++++++++++++++++++++++++++
17 policy/modules/services/certbot.te | 22 +++++++++++++++++++---
18 2 files changed, 55 insertions(+), 3 deletions(-)
19
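--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@@ -236,6 +236,24 @@ interface(`apache_domtrans',`
 domtrans_pattern($1, httpd_exec_t, httpd_t)
 ')
 
+########################################
+## <summary>
+## Execute httpd
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to execute it.
+## </summary>
+## </param>
+#
+interface(`apache_exec',`
+ gen_require(`
+ type httpd_t, httpd_exec_t;
+ ')
+
+ can_exec($1, httpd_exec_t)
+')
+
 ########################################
 ## <summary>
 ## Execute httpd server in the httpd domain.
@@ -1430,3 +1448,21 @@ interface(`apache_admin',`
 apache_run_all_scripts($1, $2)
 apache_run_helper($1, $2)
 ')
+
+########################################
+## <summary>
+## rw httpd_runtime_t files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_rw_runtime_files',`
+ gen_require(`
+ type httpd_runtime_t;
+ ')
+
+ allow $1 httpd_runtime_t:file rw_file_perms;
+')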
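Review bot: The summary of the new `apache_exec` interface, `Execute httpd`, does not say that the binary runs in the caller's own domain, which is the security-relevant difference from `apache_domtrans` directly above it. Since the body is `can_exec($1, httpd_exec_t)` and no transition to httpd_t takes place, I would word the summary `Execute httpd in the caller domain.` so that anyone auditing a caller sees httpd will run with that caller's permissions. The `gen_require` in the same interface also names `httpd_t`, which the body never references; `type httpd_exec_t;` is sufficient and keeps the interface's dependencies honest.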
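--- a/policy/modules/services/certbot.te
+++ b/policy/modules/services/certbot.te
@@ -43,7 +43,7 @@ allow certbot_t self:udp_socket all_udp_socket_perms;
 allow certbot_t self:tcp_socket all_tcp_socket_perms;
 allow certbot_t self:netlink_route_socket create_netlink_socket_perms;
 
-files_search_var_lib(certbot_t)
+files_var_lib_filetrans(certbot_t, certbot_lib_t, dir)
 manage_dirs_pattern(certbot_t, certbot_lib_t, certbot_lib_t)
 manage_files_pattern(certbot_t, certbot_lib_t, certbot_lib_t)
 
@@ -62,7 +62,7 @@ allow certbot_t certbot_tmp_t:file mmap_exec_file_perms;
 allow certbot_t certbot_tmpfs_t:file mmap_exec_file_perms;
 allow certbot_t certbot_runtime_t:file mmap_exec_file_perms;
 
-logging_search_logs(certbot_t)
+logging_log_filetrans(certbot_t, certbot_log_t, dir)
 allow certbot_t certbot_log_t:dir manage_dir_perms;
 allow certbot_t certbot_log_t:file manage_file_perms;
 
@@ -80,11 +80,15 @@ corenet_tcp_connect_dns_port(certbot_t)
 # bind to http port for standalone mode
 corenet_tcp_bind_http_port(certbot_t)
 
+dev_read_urand(certbot_t)
+
 domain_use_interactive_fds(certbot_t)
 
 files_read_etc_files(certbot_t)
 files_read_usr_files(certbot_t)
 
+# dontaudit for attempts to write python cache files
+libs_dontaudit_write_lib_dirs(certbot_t)
 libs_exec_ldconfig(certbot_t)
 # for /usr/lib/gcc/x86_64-linux-gnu/8/collect2
 libs_exec_lib_files(certbot_t)
@@ -110,5 +114,17 @@ optional_policy(`
 # for writing to webroot
 apache_manage_sys_content(certbot_t)
 
- apache_search_config(certbot_t)
+ apache_append_log(certbot_t)
+ apache_exec(certbot_t)
+ apache_exec_modules(certbot_t)
+
+ # for certbot to create nginx config
+ apache_manage_config(certbot_t)
+
+ apache_rw_runtime_files(certbot_t)
+ apache_signal(certbot_t)
+')
+
+optional_policy(`
+ xdg_search_config_dirs(certbot_t)
 ')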
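Review bot: In the last hunk's Apache `optional_policy` block, only `apache_manage_config` carries a rationale comment; `apache_exec`, `apache_exec_modules`, `apache_rw_runtime_files` and `apache_signal` are granted to certbot_t with no stated reason. These grants are broad: `apache_exec` is built on `can_exec`, so httpd and its modules run inside certbot_t, a domain that can also bind the HTTP port and now manage the web server's config. I would put a why-comment on each line, for example `# installer plugin runs httpd to check the config it wrote, then signals the server to reload` if that is indeed the reason, which the commit message does not say. It is also worth considering whether the config-management and exec grants could sit behind a tunable, so that webroot-only or standalone deployments keep the narrower `apache_search_config` access this hunk removes.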