commit: 74c032778f9f1d5b0b4f3af6d91c297fef7f15ea |
Author: Kenton Groombridge <me <AT> concord <DOT> sh> |
AuthorDate: Sat Sep 24 04:59:10 2022 +0000 |
Commit: Kenton Groombridge <concord <AT> gentoo <DOT> org> |
CommitDate: Wed Nov 2 14:07:13 2022 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=74c03277 |
|
glusterfs: various fixes |
|
Signed-off-by: Kenton Groombridge <me <AT> concord.sh> |
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org> |
|
policy/modules/services/glusterfs.fc | 12 ++++--- |
policy/modules/services/glusterfs.if | 70 ++++++++++++++++++++++++++++++++++++ |
policy/modules/services/glusterfs.te | 47 ++++++++++++++++++------ |
3 files changed, 114 insertions(+), 15 deletions(-) |
|
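--- a/policy/modules/services/glusterfs.fc
+++ b/policy/modules/services/glusterfs.fc
@@ -1,7 +1,7 @@
 /etc/rc\.d/init\.d/gluster.* -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0)
 
-/etc/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_conf_t,s0)
-/etc/glusterd(/.*)? gen_context(system_u:object_r:glusterd_conf_t,s0)
+/etc/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_conf_t,s0)
+/etc/glusterd(/.*)? gen_context(system_u:object_r:glusterd_conf_t,s0)
 
 /usr/bin/glusterd -- gen_context(system_u:object_r:glusterd_initrc_exec_t,s0)
 /usr/bin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0)
@@ -11,9 +11,11 @@
 
 /opt/glusterfs/[^/]+/sbin/glusterfsd -- gen_context(system_u:object_r:glusterd_exec_t,s0)
 
-/var/lib/gluster.* gen_context(system_u:object_r:glusterd_var_lib_t,s0)
+/var/lib/gluster.* gen_context(system_u:object_r:glusterd_var_lib_t,s0)
 
-/var/log/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_log_t,s0)
+/var/log/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_log_t,s0)
 
-/run/glusterd(/.*)? gen_context(system_u:object_r:glusterd_runtime_t,s0)
+/run/gluster(/.*)? gen_context(system_u:object_r:glusterd_runtime_t,s0)
+/run/glusterd(/.*)? gen_context(system_u:object_r:glusterd_runtime_t,s0)
 /run/glusterd\.pid -- gen_context(system_u:object_r:glusterd_runtime_t,s0)
+/run/glusterd\.socket -s gen_context(system_u:object_r:glusterd_runtime_t,s0)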
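--- a/policy/modules/services/glusterfs.if
+++ b/policy/modules/services/glusterfs.if
@@ -1,5 +1,71 @@
 ## <summary>Cluster File System binary, daemon and command line.</summary>
 
+########################################
+## <summary>
+## Execute glusterd in the glusterd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`glusterfs_domtrans_daemon',`
+ gen_require(`
+ type glusterd_t, glusterd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, glusterd_exec_t, glusterd_t)
+')
+
+########################################
+## <summary>
+## Execute glusterd in the glusterd domain, and
+## allow the specified role the glusterd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`glusterfs_run_daemon',`
+ gen_require(`
+ type glusterd_t;
+ ')
+
+ glusterfs_domtrans_daemon($1)
+ role $2 types glusterd_t;
+')
+
+########################################
+## <summary>
+## Connect to glusterd over a unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`glusterfs_stream_connect_daemon',`
+ gen_require(`
+ type glusterd_t;
+ type glusterd_runtime_t;
+ ')
+
+ files_search_runtime($1)
+ stream_connect_pattern($1, glusterd_runtime_t, glusterd_runtime_t, glusterd_t)
+ allow $1 glusterd_runtime_t:sock_file read_sock_file_perms;
+')
+
 ########################################
 ## <summary>
 ## All of the rules required to
@@ -24,11 +90,15 @@ interface(`glusterfs_admin',`
 type glusterd_runtime_t;
 ')
 
+ glusterfs_run_daemon($1, $2)
+
 init_startstop_service($1, $2, glusterd_t, glusterd_initrc_exec_t)
 
 allow $1 glusterd_t:process { ptrace signal_perms };
 ps_process_pattern($1, glusterd_t)
 
+ glusterfs_stream_connect_daemon($1)
+
 files_search_etc($1)
 admin_pattern($1, glusterd_conf_t)
 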
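Review bot: glusterfs_stream_connect_daemon grants more than its summary says: after stream_connect_pattern, the added `allow $1 glusterd_runtime_t:sock_file read_sock_file_perms;` also lets the caller open and read the socket node, which a plain stream connect does not need. If the gluster CLI really opens the socket file for reading, record that in a comment above the line, e.g. `# gluster CLI opens the socket file for reading, not only connect (confirm)`, and extend the interface summary to say so; otherwise drop the line. glusterfs_admin in the second hunk, whose interface body starts before the hunk, now inherits this through `glusterfs_stream_connect_daemon($1)`.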
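--- a/policy/modules/services/glusterfs.te
+++ b/policy/modules/services/glusterfs.te
@@ -32,11 +32,11 @@ files_type(glusterd_var_lib_t)
 # Local policy
 #
 
-allow glusterd_t self:capability { chown dac_override dac_read_search fowner sys_admin sys_resource };
-allow glusterd_t self:process { setrlimit signal };
+allow glusterd_t self:capability { chown dac_override dac_read_search fowner ipc_lock sys_admin sys_resource };
+allow glusterd_t self:process { getsched setrlimit signal signull };
 allow glusterd_t self:fifo_file rw_fifo_file_perms;
-allow glusterd_t self:tcp_socket { accept listen };
-allow glusterd_t self:unix_stream_socket { accept listen };
+allow glusterd_t self:tcp_socket create_stream_socket_perms;
+allow glusterd_t self:unix_stream_socket { create_stream_socket_perms connectto };
 
 manage_dirs_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t)
 manage_files_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t)
@@ -58,17 +58,14 @@ manage_files_pattern(glusterd_t, glusterd_runtime_t, glusterd_runtime_t)
 manage_sock_files_pattern(glusterd_t, glusterd_runtime_t, glusterd_runtime_t)
 files_runtime_filetrans(glusterd_t, glusterd_runtime_t, { dir file sock_file })
 
+can_exec(glusterd_t, glusterd_var_lib_t)
 manage_dirs_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
 manage_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
+manage_lnk_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
 files_var_lib_filetrans(glusterd_t, glusterd_var_lib_t, dir)
 
 can_exec(glusterd_t, glusterd_exec_t)
 
-kernel_read_system_state(glusterd_t)
-
-corecmd_exec_bin(glusterd_t)
-corecmd_exec_shell(glusterd_t)
-
 corenet_all_recvfrom_netlabel(glusterd_t)
 corenet_tcp_sendrecv_generic_if(glusterd_t)
 corenet_udp_sendrecv_generic_if(glusterd_t)
@@ -77,6 +74,9 @@ corenet_udp_sendrecv_generic_node(glusterd_t)
 corenet_tcp_bind_generic_node(glusterd_t)
 corenet_udp_bind_generic_node(glusterd_t)
 
+corenet_tcp_bind_glusterd_port(glusterd_t)
+corenet_tcp_connect_glusterd_port(glusterd_t)
+
 # Too coarse?
 corenet_sendrecv_all_server_packets(glusterd_t)
 corenet_tcp_bind_all_reserved_ports(glusterd_t)
@@ -86,17 +86,44 @@ corenet_udp_bind_ipp_port(glusterd_t)
 corenet_sendrecv_all_client_packets(glusterd_t)
 corenet_tcp_connect_all_unreserved_ports(glusterd_t)
 
+corecmd_exec_bin(glusterd_t)
+corecmd_exec_shell(glusterd_t)
+
 dev_read_sysfs(glusterd_t)
 dev_read_urand(glusterd_t)
 
 domain_read_all_domains_state(glusterd_t)
-
 domain_use_interactive_fds(glusterd_t)
 
 files_read_usr_files(glusterd_t)
+files_mounton_mnt(glusterd_t)
+
+fs_dontaudit_getattr_all_fs(glusterd_t)
+fs_getattr_xattr_fs(glusterd_t)
+fs_mount_fusefs(glusterd_t)
+fs_unmount_fusefs(glusterd_t)
+
+kernel_dontaudit_getattr_proc(glusterd_t)
+kernel_read_kernel_sysctls(glusterd_t)
+kernel_read_net_sysctls(glusterd_t)
+kernel_read_system_state(glusterd_t)
+
+storage_rw_fuse(glusterd_t)
 
 auth_use_nsswitch(glusterd_t)
 
+hostname_exec(glusterd_t)
+
 logging_send_syslog_msg(glusterd_t)
 
+miscfiles_read_generic_certs(glusterd_t)
 miscfiles_read_localization(glusterd_t)
+
+# needed by relabeling hooks when adding bricks
+seutil_domtrans_semanage(glusterd_t)
+seutil_exec_setfiles(glusterd_t)
+seutil_read_default_contexts(glusterd_t)
+
+userdom_dontaudit_search_user_runtime_root(glusterd_t)
+
+xdg_dontaudit_search_data_dirs(glusterd_t)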
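Review bot: `seutil_domtrans_semanage(glusterd_t)` in the last hunk is a large privilege for a network-facing daemon domain: semanage manages file contexts, booleans and policy modules, so a compromised glusterd_t could alter the policy that confines it, while the comment only says the brick hooks need it. Consider making that one transition opt-in behind a tunable that defaults to off (constructed name `glusterd_manage_selinux_contexts`), keeping seutil_exec_setfiles and seutil_read_default_contexts unconditional since relabeling alone does not need semanage, and widening the comment to `# brick hooks run semanage fcontext; gated because semanage can rewrite policy`. In the second hunk, `can_exec(glusterd_t, glusterd_var_lib_t)` beside manage_files_pattern on the same type makes a directory the daemon writes also executable by it, so whatever can write under /var/lib/gluster (presumably where the hook scripts live, to be confirmed) gains code execution in glusterd_t; a separate type for the hook directory, given exec rights instead of glusterd_var_lib_t, would keep written data and executable content apart. The gen_tunable declaration belongs in the file's declarations section, above the hunks shown here.
```m4
## <desc>
##	<p>
##	Allow glusterd to run semanage so that brick hooks can add file contexts.
##	</p>
## </desc>
gen_tunable(glusterd_manage_selinux_contexts, false)

# … unchanged: type declarations and the rest of the local policy …

# needed by relabeling hooks when adding bricks
seutil_exec_setfiles(glusterd_t)
seutil_read_default_contexts(glusterd_t)

tunable_policy(`glusterd_manage_selinux_contexts',`
	seutil_domtrans_semanage(glusterd_t)
')
```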