Gentoo Archives: gentoo-commits

From: Jason Zaman <perfinion@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
Date: Sun, 30 Apr 2017 09:41:14
Message-Id: 1493544071.2c0150452aa2f181971677e246b38487c7df8d75.perfinion@gentoo
1 commit: 2c0150452aa2f181971677e246b38487c7df8d75
2 Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
3 AuthorDate: Wed Apr 26 22:02:08 2017 +0000
4 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
5 CommitDate: Sun Apr 30 09:21:11 2017 +0000
6 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2c015045
7
8 some little misc things from Russell Coker.
9
10 This patch allows setfiles to use file handles inherited from apt (for dpkg
11 postinst scripts), adds those rsync permissions that were rejected previously
12 due to not using interfaces, allows fsadm_t to stat /run/mount/utab, and
13 allows system_cronjob_t some access it requires (including net_admin for
14 when it runs utilities that set buffers).
15
16 policy/modules/contrib/apt.if | 20 ++++++++++++++++++++
17 policy/modules/contrib/apt.te | 2 +-
18 policy/modules/contrib/cron.te | 25 +++++++++++++++++++++----
19 policy/modules/contrib/mrtg.if | 18 ++++++++++++++++++
20 policy/modules/contrib/mrtg.te | 2 +-
21 policy/modules/contrib/rsync.te | 4 +++-
22 6 files changed, 64 insertions(+), 7 deletions(-)
23
24 diff --git a/policy/modules/contrib/apt.if b/policy/modules/contrib/apt.if
25 index 0a1bc49f..568aa97d 100644
26 --- a/policy/modules/contrib/apt.if
27 +++ b/policy/modules/contrib/apt.if
28 @@ -176,6 +176,26 @@ interface(`apt_read_cache',`
29
30 ########################################
31 ## <summary>
32 +## Create, read, write, and delete apt package cache content.
33 +## </summary>
34 +## <param name="domain">
35 +## <summary>
36 +## Domain allowed access.
37 +## </summary>
38 +## </param>
39 +#
40 +interface(`apt_manage_cache',`
41 + gen_require(`
42 + type apt_var_cache_t;
43 + ')
44 +
45 + files_search_var($1)
46 + allow $1 apt_var_cache_t:dir manage_dir_perms;
47 + allow $1 apt_var_cache_t:file manage_file_perms;
48 +')
49 +
50 +########################################
51 +## <summary>
52 ## Read apt package database content.
53 ## </summary>
54 ## <param name="domain">
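Review bot: The new `apt_manage_cache` interface spells out raw `allow` rules where the cron.te part of this same commit uses the pattern macros. For consistency the two rules could be written as `manage_dirs_pattern($1, apt_var_cache_t, apt_var_cache_t)` and `manage_files_pattern($1, apt_var_cache_t, apt_var_cache_t)`. The summary would also benefit from saying that callers gain write and delete access to cached package archives, so that reviewers of future callers treat the interface as integrity-sensitive. Whether the neighbouring `apt_read_cache` uses patterns cannot be seen from this hunk.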
55
56 diff --git a/policy/modules/contrib/apt.te b/policy/modules/contrib/apt.te
57 index 05197c4c..dc6f09b1 100644
58 --- a/policy/modules/contrib/apt.te
59 +++ b/policy/modules/contrib/apt.te
60 @@ -1,4 +1,4 @@
61 -policy_module(apt, 1.10.1)
62 +policy_module(apt, 1.10.2)
63
64 ########################################
65 #
66
67 diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te
68 index 5cb7dac1..15e6bdb4 100644
69 --- a/policy/modules/contrib/cron.te
70 +++ b/policy/modules/contrib/cron.te
71 @@ -1,4 +1,4 @@
72 -policy_module(cron, 2.11.3)
73 +policy_module(cron, 2.11.4)
74
75 gen_require(`
76 class passwd rootok;
77 @@ -338,6 +338,13 @@ ifdef(`distro_debian',`
78 allow crond_t self:process setrlimit;
79
80 optional_policy(`
81 + apt_manage_cache(system_cronjob_t)
82 + apt_read_db(system_cronjob_t)
83 +
84 + dpkg_manage_db(system_cronjob_t)
85 + ')
86 +
87 + optional_policy(`
88 logwatch_search_cache_dir(crond_t)
89 ')
90 ')
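Review bot: The grants added inside the `distro_debian` block carry no comment naming the cron job that needs them. Judging by the interface names, they give every `system_cronjob_t` process manage access to the apt cache and the dpkg database, not just the one job that triggered the denial. A line such as `# required by <cron job name>: <reason>` above `apt_manage_cache(system_cronjob_t)` would let a later audit decide whether the access still belongs here or in a dedicated domain. The same applies to `init_manage_script_service(system_cronjob_t)` in the `@@ -429,6 +436,7` hunk and to `acct_manage_data` and `apache_delete_lib_files` in the `@@ -560,10 +569,15` hunk. The enclosing `ifdef` starts outside this hunk.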
91 @@ -429,6 +436,7 @@ optional_policy(`
92 systemd_write_inherited_logind_sessions_pipes(system_cronjob_t)
93 # so cron jobs can restart daemons
94 init_stream_connect(system_cronjob_t)
95 + init_manage_script_service(system_cronjob_t)
96 ')
97
98 optional_policy(`
99 @@ -440,7 +448,7 @@ optional_policy(`
100 # System local policy
101 #
102
103 -allow system_cronjob_t self:capability { chown dac_override dac_read_search fowner fsetid net_bind_service setgid setuid sys_nice };
104 +allow system_cronjob_t self:capability { chown dac_override dac_read_search fowner fsetid net_admin net_bind_service setgid setuid sys_nice };
105 allow system_cronjob_t self:process { signal_perms getsched setsched };
106 allow system_cronjob_t self:fd use;
107 allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
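Review bot: Adding `net_admin` to the `self:capability` set is a broad grant for all of `system_cronjob_t`, and the only justification is in the commit message ("utilities that set buffers"). The capability also covers interface, routing and firewall configuration, so the reason should be recorded next to the rule, for example `# net_admin: utilities run from cron force socket buffer sizes`. If those utilities carry on correctly when the request is refused, a `dontaudit system_cronjob_t self:capability net_admin;` would silence the denial without widening the domain. That depends on the utilities involved, which are not shown here.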
108 @@ -461,10 +469,11 @@ allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms;
109 allow system_cronjob_t system_cronjob_lock_t:lnk_file manage_lnk_file_perms;
110 files_lock_filetrans(system_cronjob_t, system_cronjob_lock_t, { file lnk_file })
111
112 +manage_dirs_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
113 manage_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
114 manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
115 filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
116 -files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
117 +files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, { file dir })
118
119 manage_files_pattern(system_cronjob_t, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
120
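Review bot: The unchanged `filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })` line still omits `dir`, which does not match the directory support added around it. A directory created inside a `crond_tmp_t` directory would therefore get no transition to `system_cronjob_tmp_t`, and no create permission on `crond_tmp_t:dir` is visible in this hunk. If nested directories are expected there, the class set should become `{ file lnk_file dir }`. If directories are only ever created directly under the generic tmp directory, the `files_tmp_filetrans` change covers it, and a short comment saying so would avoid the question.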
121 @@ -475,7 +484,7 @@ allow system_cronjob_t crond_t:process sigchld;
122 allow system_cronjob_t cron_spool_t:dir list_dir_perms;
123 allow system_cronjob_t cron_spool_t:file rw_file_perms;
124
125 -allow system_cronjob_t crond_tmp_t:file { read write };
126 +allow system_cronjob_t crond_tmp_t:file rw_inherited_file_perms;
127
128 kernel_read_kernel_sysctls(system_cronjob_t)
129 kernel_read_network_state(system_cronjob_t)
130 @@ -560,10 +569,15 @@ tunable_policy(`cron_can_relabel',`
131 ')
132
133 optional_policy(`
134 + acct_manage_data(system_cronjob_t)
135 +')
136 +
137 +optional_policy(`
138 apache_exec_modules(system_cronjob_t)
139 apache_read_config(system_cronjob_t)
140 apache_read_log(system_cronjob_t)
141 apache_read_sys_content(system_cronjob_t)
142 + apache_delete_lib_files(system_cronjob_t)
143 ')
144
145 optional_policy(`
146 @@ -607,6 +621,7 @@ optional_policy(`
147
148 optional_policy(`
149 mrtg_append_create_logs(system_cronjob_t)
150 + mrtg_read_config(system_cronjob_t)
151 ')
152
153 optional_policy(`
154 @@ -649,6 +664,8 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms;
155 allow cronjob_t self:unix_stream_socket create_stream_socket_perms;
156 allow cronjob_t self:unix_dgram_socket create_socket_perms;
157
158 +allow cronjob_t crond_tmp_t:file rw_inherited_file_perms;
159 +
160 kernel_read_system_state(cronjob_t)
161 kernel_read_kernel_sysctls(cronjob_t)
162
163
164 diff --git a/policy/modules/contrib/mrtg.if b/policy/modules/contrib/mrtg.if
165 index 0a71bd89..b25b0894 100644
166 --- a/policy/modules/contrib/mrtg.if
167 +++ b/policy/modules/contrib/mrtg.if
168 @@ -2,6 +2,24 @@
169
170 ########################################
171 ## <summary>
172 +## Read mrtg configuration
173 +## </summary>
174 +## <param name="domain">
175 +## <summary>
176 +## Domain allowed access.
177 +## </summary>
178 +## </param>
179 +#
180 +interface(`mrtg_read_config',`
181 + gen_require(`
182 + type mrtg_etc_t;
183 + ')
184 +
185 + allow $1 mrtg_etc_t:file read_file_perms;
186 +')
187 +
188 +########################################
189 +## <summary>
190 ## Create and append mrtg log files.
191 ## </summary>
192 ## <param name="domain">
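Review bot: `mrtg_read_config` grants `read_file_perms` on `mrtg_etc_t` files but gives the caller no way to reach them. There is no search on the generic etc directory and no directory permission on `mrtg_etc_t`. If the mrtg configuration lives in a directory labelled `mrtg_etc_t` (the file contexts are not visible here), callers will still be denied. The usual form would be `files_search_etc($1)`, `allow $1 mrtg_etc_t:dir list_dir_perms;` and `read_files_pattern($1, mrtg_etc_t, mrtg_etc_t)`. The summary line also lacks the trailing period used by the neighbouring "Create and append mrtg log files." entry.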
193
194 diff --git a/policy/modules/contrib/mrtg.te b/policy/modules/contrib/mrtg.te
195 index 5126d9d5..96d48f37 100644
196 --- a/policy/modules/contrib/mrtg.te
197 +++ b/policy/modules/contrib/mrtg.te
198 @@ -1,4 +1,4 @@
199 -policy_module(mrtg, 1.11.0)
200 +policy_module(mrtg, 1.11.1)
201
202 ########################################
203 #
204
205 diff --git a/policy/modules/contrib/rsync.te b/policy/modules/contrib/rsync.te
206 index 2fce98b0..11c7041a 100644
207 --- a/policy/modules/contrib/rsync.te
208 +++ b/policy/modules/contrib/rsync.te
209 @@ -1,4 +1,4 @@
210 -policy_module(rsync, 1.15.0)
211 +policy_module(rsync, 1.15.1)
212
213 ########################################
214 #
215 @@ -123,6 +123,8 @@ dev_read_urand(rsync_t)
216 fs_getattr_all_fs(rsync_t)
217 fs_search_auto_mountpoints(rsync_t)
218
219 +files_getattr_all_pipes(rsync_t)
220 +files_getattr_all_sockets(rsync_t)
221 files_search_home(rsync_t)
222
223 auth_can_read_shadow_passwords(rsync_t)