| 1 |
commit: 74c032778f9f1d5b0b4f3af6d91c297fef7f15ea |
| 2 |
Author: Kenton Groombridge <me <AT> concord <DOT> sh> |
| 3 |
AuthorDate: Sat Sep 24 04:59:10 2022 +0000 |
| 4 |
Commit: Kenton Groombridge <concord <AT> gentoo <DOT> org> |
| 5 |
CommitDate: Wed Nov 2 14:07:13 2022 +0000 |
| 6 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=74c03277 |
| 7 |
|
| 8 |
glusterfs: various fixes |
| 9 |
|
| 10 |
Signed-off-by: Kenton Groombridge <me <AT> concord.sh> |
| 11 |
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org> |
| 12 |
|
| 13 |
policy/modules/services/glusterfs.fc | 12 ++++--- |
| 14 |
policy/modules/services/glusterfs.if | 70 ++++++++++++++++++++++++++++++++++++ |
| 15 |
policy/modules/services/glusterfs.te | 47 ++++++++++++++++++------ |
| 16 |
3 files changed, 114 insertions(+), 15 deletions(-) |
| 17 |
|
| 18 |
diff --git a/policy/modules/services/glusterfs.fc b/policy/modules/services/glusterfs.fc |
| 19 |
index 8e538dc8e..158a4a85e 100644 |
| 20 |
--- a/policy/modules/services/glusterfs.fc |
| 21 |
+++ b/policy/modules/services/glusterfs.fc |
| 22 |
@@ -1,7 +1,7 @@ |
| 23 |
/etc/rc\.d/init\.d/gluster.* -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0) |
| 24 |
|
| 25 |
-/etc/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_conf_t,s0) |
| 26 |
-/etc/glusterd(/.*)? gen_context(system_u:object_r:glusterd_conf_t,s0) |
| 27 |
+/etc/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_conf_t,s0) |
| 28 |
+/etc/glusterd(/.*)? gen_context(system_u:object_r:glusterd_conf_t,s0) |
| 29 |
|
| 30 |
/usr/bin/glusterd -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0) |
| 31 |
/usr/bin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0) |
| 32 |
@@ -11,9 +11,11 @@ |
| 33 |
|
| 34 |
/opt/glusterfs/[^/]+/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0) |
| 35 |
|
| 36 |
-/var/lib/gluster.* gen_context(system_u:object_r:glusterd_var_lib_t,s0) |
| 37 |
+/var/lib/gluster.* gen_context(system_u:object_r:glusterd_var_lib_t,s0) |
| 38 |
|
| 39 |
-/var/log/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_log_t,s0) |
| 40 |
+/var/log/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_log_t,s0) |
| 41 |
|
| 42 |
-/run/glusterd(/.*)? gen_context(system_u:object_r:glusterd_runtime_t,s0) |
| 43 |
+/run/gluster(/.*)? gen_context(system_u:object_r:glusterd_runtime_t,s0) |
| 44 |
+/run/glusterd(/.*)? gen_context(system_u:object_r:glusterd_runtime_t,s0) |
| 45 |
/run/glusterd\.pid -- gen_context(system_u:object_r:glusterd_runtime_t,s0) |
| 46 |
+/run/glusterd\.socket -s gen_context(system_u:object_r:glusterd_runtime_t,s0) |
| 47 |
|
| 48 |
diff --git a/policy/modules/services/glusterfs.if b/policy/modules/services/glusterfs.if |
| 49 |
index 27c6bd6f7..b2b485ede 100644 |
| 50 |
--- a/policy/modules/services/glusterfs.if |
| 51 |
+++ b/policy/modules/services/glusterfs.if |
| 52 |
@@ -1,5 +1,71 @@ |
| 53 |
## <summary>Cluster File System binary, daemon and command line.</summary> |
| 54 |
|
| 55 |
+######################################## |
| 56 |
+## <summary> |
| 57 |
+## Execute glusterd in the glusterd domain. |
| 58 |
+## </summary> |
| 59 |
+## <param name="domain"> |
| 60 |
+## <summary> |
| 61 |
+## Domain allowed to transition. |
| 62 |
+## </summary> |
| 63 |
+## </param> |
| 64 |
+# |
| 65 |
+interface(`glusterfs_domtrans_daemon',` |
| 66 |
+ gen_require(` |
| 67 |
+ type glusterd_t, glusterd_exec_t; |
| 68 |
+ ') |
| 69 |
+ |
| 70 |
+ corecmd_search_bin($1) |
| 71 |
+ domtrans_pattern($1, glusterd_exec_t, glusterd_t) |
| 72 |
+') |
| 73 |
+ |
| 74 |
+######################################## |
| 75 |
+## <summary> |
| 76 |
+## Execute glusterd in the glusterd domain, and |
| 77 |
+## allow the specified role the glusterd domain. |
| 78 |
+## </summary> |
| 79 |
+## <param name="domain"> |
| 80 |
+## <summary> |
| 81 |
+## Domain allowed to transition. |
| 82 |
+## </summary> |
| 83 |
+## </param> |
| 84 |
+## <param name="role"> |
| 85 |
+## <summary> |
| 86 |
+## Role allowed access. |
| 87 |
+## </summary> |
| 88 |
+## </param> |
| 89 |
+## <rolecap/> |
| 90 |
+# |
| 91 |
+interface(`glusterfs_run_daemon',` |
| 92 |
+ gen_require(` |
| 93 |
+ type glusterd_t; |
| 94 |
+ ') |
| 95 |
+ |
| 96 |
+ glusterfs_domtrans_daemon($1) |
| 97 |
+ role $2 types glusterd_t; |
| 98 |
+') |
| 99 |
+ |
| 100 |
+######################################## |
| 101 |
+## <summary> |
| 102 |
+## Connect to glusterd over a unix stream socket. |
| 103 |
+## </summary> |
| 104 |
+## <param name="domain"> |
| 105 |
+## <summary> |
| 106 |
+## Domain allowed access. |
| 107 |
+## </summary> |
| 108 |
+## </param> |
| 109 |
+# |
| 110 |
+interface(`glusterfs_stream_connect_daemon',` |
| 111 |
+ gen_require(` |
| 112 |
+ type glusterd_t; |
| 113 |
+ type glusterd_runtime_t; |
| 114 |
+ ') |
| 115 |
+ |
| 116 |
+ files_search_runtime($1) |
| 117 |
+ stream_connect_pattern($1, glusterd_runtime_t, glusterd_runtime_t, glusterd_t) |
| 118 |
+ allow $1 glusterd_runtime_t:sock_file read_sock_file_perms; |
| 119 |
+') |
| 120 |
+ |
| 121 |
######################################## |
| 122 |
## <summary> |
| 123 |
## All of the rules required to |
| 124 |
@@ -24,11 +90,15 @@ interface(`glusterfs_admin',` |
| 125 |
type glusterd_runtime_t; |
| 126 |
') |
| 127 |
|
| 128 |
+ glusterfs_run_daemon($1, $2) |
| 129 |
+ |
| 130 |
init_startstop_service($1, $2, glusterd_t, glusterd_initrc_exec_t) |
| 131 |
|
| 132 |
allow $1 glusterd_t:process { ptrace signal_perms }; |
| 133 |
ps_process_pattern($1, glusterd_t) |
| 134 |
|
| 135 |
+ glusterfs_stream_connect_daemon($1) |
| 136 |
+ |
| 137 |
files_search_etc($1) |
| 138 |
admin_pattern($1, glusterd_conf_t) |
| 139 |
|
| 140 |
|
| 141 |
diff --git a/policy/modules/services/glusterfs.te b/policy/modules/services/glusterfs.te |
| 142 |
index de4f9baea..2d94845d9 100644 |
| 143 |
--- a/policy/modules/services/glusterfs.te |
| 144 |
+++ b/policy/modules/services/glusterfs.te |
| 145 |
@@ -32,11 +32,11 @@ files_type(glusterd_var_lib_t) |
| 146 |
# Local policy |
| 147 |
# |
| 148 |
|
| 149 |
-allow glusterd_t self:capability { chown dac_override dac_read_search fowner sys_admin sys_resource }; |
| 150 |
-allow glusterd_t self:process { setrlimit signal }; |
| 151 |
+allow glusterd_t self:capability { chown dac_override dac_read_search fowner ipc_lock sys_admin sys_resource }; |
| 152 |
+allow glusterd_t self:process { getsched setrlimit signal signull }; |
| 153 |
allow glusterd_t self:fifo_file rw_fifo_file_perms; |
| 154 |
-allow glusterd_t self:tcp_socket { accept listen }; |
| 155 |
-allow glusterd_t self:unix_stream_socket { accept listen }; |
| 156 |
+allow glusterd_t self:tcp_socket create_stream_socket_perms; |
| 157 |
+allow glusterd_t self:unix_stream_socket { create_stream_socket_perms connectto }; |
| 158 |
|
| 159 |
manage_dirs_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t) |
| 160 |
manage_files_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t) |
| 161 |
@@ -58,17 +58,14 @@ manage_files_pattern(glusterd_t, glusterd_runtime_t, glusterd_runtime_t) |
| 162 |
manage_sock_files_pattern(glusterd_t, glusterd_runtime_t, glusterd_runtime_t) |
| 163 |
files_runtime_filetrans(glusterd_t, glusterd_runtime_t, { dir file sock_file }) |
| 164 |
|
| 165 |
+can_exec(glusterd_t, glusterd_var_lib_t) |
| 166 |
manage_dirs_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t) |
| 167 |
manage_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t) |
| 168 |
+manage_lnk_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t) |
| 169 |
files_var_lib_filetrans(glusterd_t, glusterd_var_lib_t, dir) |
| 170 |
|
| 171 |
can_exec(glusterd_t, glusterd_exec_t) |
| 172 |
|
| 173 |
-kernel_read_system_state(glusterd_t) |
| 174 |
- |
| 175 |
-corecmd_exec_bin(glusterd_t) |
| 176 |
-corecmd_exec_shell(glusterd_t) |
| 177 |
- |
| 178 |
corenet_all_recvfrom_netlabel(glusterd_t) |
| 179 |
corenet_tcp_sendrecv_generic_if(glusterd_t) |
| 180 |
corenet_udp_sendrecv_generic_if(glusterd_t) |
| 181 |
@@ -77,6 +74,9 @@ corenet_udp_sendrecv_generic_node(glusterd_t) |
| 182 |
corenet_tcp_bind_generic_node(glusterd_t) |
| 183 |
corenet_udp_bind_generic_node(glusterd_t) |
| 184 |
|
| 185 |
+corenet_tcp_bind_glusterd_port(glusterd_t) |
| 186 |
+corenet_tcp_connect_glusterd_port(glusterd_t) |
| 187 |
+ |
| 188 |
# Too coarse? |
| 189 |
corenet_sendrecv_all_server_packets(glusterd_t) |
| 190 |
corenet_tcp_bind_all_reserved_ports(glusterd_t) |
| 191 |
@@ -86,17 +86,44 @@ corenet_udp_bind_ipp_port(glusterd_t) |
| 192 |
corenet_sendrecv_all_client_packets(glusterd_t) |
| 193 |
corenet_tcp_connect_all_unreserved_ports(glusterd_t) |
| 194 |
|
| 195 |
+corecmd_exec_bin(glusterd_t) |
| 196 |
+corecmd_exec_shell(glusterd_t) |
| 197 |
+ |
| 198 |
dev_read_sysfs(glusterd_t) |
| 199 |
dev_read_urand(glusterd_t) |
| 200 |
|
| 201 |
domain_read_all_domains_state(glusterd_t) |
| 202 |
- |
| 203 |
domain_use_interactive_fds(glusterd_t) |
| 204 |
|
| 205 |
files_read_usr_files(glusterd_t) |
| 206 |
+files_mounton_mnt(glusterd_t) |
| 207 |
+ |
| 208 |
+fs_dontaudit_getattr_all_fs(glusterd_t) |
| 209 |
+fs_getattr_xattr_fs(glusterd_t) |
| 210 |
+fs_mount_fusefs(glusterd_t) |
| 211 |
+fs_unmount_fusefs(glusterd_t) |
| 212 |
+ |
| 213 |
+kernel_dontaudit_getattr_proc(glusterd_t) |
| 214 |
+kernel_read_kernel_sysctls(glusterd_t) |
| 215 |
+kernel_read_net_sysctls(glusterd_t) |
| 216 |
+kernel_read_system_state(glusterd_t) |
| 217 |
+ |
| 218 |
+storage_rw_fuse(glusterd_t) |
| 219 |
|
| 220 |
auth_use_nsswitch(glusterd_t) |
| 221 |
|
| 222 |
+hostname_exec(glusterd_t) |
| 223 |
+ |
| 224 |
logging_send_syslog_msg(glusterd_t) |
| 225 |
|
| 226 |
+miscfiles_read_generic_certs(glusterd_t) |
| 227 |
miscfiles_read_localization(glusterd_t) |
| 228 |
+ |
| 229 |
+# needed by relabeling hooks when adding bricks |
| 230 |
+seutil_domtrans_semanage(glusterd_t) |
| 231 |
+seutil_exec_setfiles(glusterd_t) |
| 232 |
+seutil_read_default_contexts(glusterd_t) |
| 233 |
+ |
| 234 |
+userdom_dontaudit_search_user_runtime_root(glusterd_t) |
| 235 |
+ |
| 236 |
+xdg_dontaudit_search_data_dirs(glusterd_t) |
Archives