commit: 4b4fbc24ce430965cce854d871cefa9666be2569 |
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org> |
AuthorDate: Sat Feb 25 14:35:10 2017 +0000 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
CommitDate: Sat Feb 25 16:43:11 2017 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4b4fbc24 |
|
systemd: Further revisions from Russell Coker. |
|
policy/modules/kernel/devices.if | 18 +++ |
policy/modules/kernel/devices.te | 2 +- |
policy/modules/kernel/filesystem.if | 20 ++++ |
policy/modules/kernel/filesystem.te | 2 +- |
policy/modules/system/init.if | 18 +++ |
policy/modules/system/init.te | 2 +- |
policy/modules/system/lvm.if | 18 +++ |
policy/modules/system/lvm.te | 2 +- |
policy/modules/system/systemd.te | 221 +++++++++++++++++++++++++++++++----- |
9 files changed, 270 insertions(+), 33 deletions(-) |
|
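diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index b51a25ac..7e09e6f2 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -880,6 +880,24 @@ interface(`dev_relabel_generic_symlinks',`
 
 ########################################
 ## <summary>
+## write generic sock files in /dev.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dev_write_generic_sock_files',`
+ gen_require(`
+ type device_t;
+ ')
+
+ write_sock_files_pattern($1, device_t, device_t)
+')
+
+########################################
+## <summary>
 ## Create, delete, read, and write device nodes in device directories.
 ## </summary>
 ## <param name="domain">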
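Review bot: The `<param name="domain">` summary of the new `dev_write_generic_sock_files` reads `Domain to not audit.`, which is the wording for a dontaudit interface, but the body grants access with `write_sock_files_pattern($1, device_t, device_t)`; it should read `Domain allowed access.`, as the other interfaces added in this commit do. The interface summary also begins in lowercase (`write generic sock files in /dev.`) while the neighbouring summaries are capitalised; `Write generic sock files in /dev.` keeps the file consistent.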
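diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 470f0f00..571abc30 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -1,4 +1,4 @@
-policy_module(devices, 1.20.3)
+policy_module(devices, 1.20.4)
 
 ########################################
 #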
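diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if
index bd6084b3..9069b0c2 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -787,6 +787,26 @@ interface(`fs_relabel_cgroup_dirs',`
 
 ########################################
 ## <summary>
+## Get attributes of cgroup files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_getattr_cgroup_files',`
+ gen_require(`
+ type cgroup_t;
+ ')
+
+ getattr_files_pattern($1, cgroup_t, cgroup_t)
+ fs_search_tmpfs($1)
+ dev_search_sysfs($1)
+')
+
+########################################
+## <summary>
 ## Read cgroup files.
 ## </summary>
 ## <param name="domain">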
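diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index be04ea8c..23705cd3 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -1,4 +1,4 @@
-policy_module(filesystem, 1.22.2)
+policy_module(filesystem, 1.22.3)
 
 ########################################
 #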
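diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 8d65e648..6de0a2d7 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1068,6 +1068,24 @@ interface(`init_dbus_chat',`
 
 ########################################
 ## <summary>
+## List /var/lib/systemd/ dir
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_list_var_lib_dirs',`
+ gen_require(`
+ type init_var_lib_t;
+ ')
+
+ allow $1 init_var_lib_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
 ## Manage files in /var/lib/systemd/.
 ## </summary>
 ## <param name="domain">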
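Review bot: `init_list_var_lib_dirs` grants `list_dir_perms` on `init_var_lib_t` but does not call `files_search_var_lib($1)`, so a caller presumably still needs the parent-directory search permission from elsewhere; the systemd.te hunk in this commit appears to compensate by adding `files_search_var_lib(systemd_coredump_t)` next to its call. If the other `/var/lib/systemd/` interfaces in this file bundle that search permission (the one whose summary `Manage files in /var/lib/systemd/.` follows this hunk is cut off, so I could not confirm), add `files_search_var_lib($1)` before the allow line for consistency. The summary `List /var/lib/systemd/ dir` is also missing the trailing period the surrounding summaries use.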
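diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 54ca2ceb..c9c1eb6b 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 2.2.6)
+policy_module(init, 2.2.7)
 
 gen_require(`
 class passwd rootok;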
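diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if
index 88fa9442..49cee54d 100644
--- a/policy/modules/system/lvm.if
+++ b/policy/modules/system/lvm.if
@@ -65,6 +65,24 @@ interface(`lvm_run',`
 
 ########################################
 ## <summary>
+## Send lvm a null signal.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`lvm_signull',`
+ gen_require(`
+ type lvm_t;
+ ')
+
+ allow $1 lvm_t:process signull;
+')
+
+########################################
+## <summary>
 ## Read LVM configuration files.
 ## </summary>
 ## <param name="domain">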
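diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index f8fed91d..e6984249 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -1,4 +1,4 @@
-policy_module(lvm, 1.19.3)
+policy_module(lvm, 1.19.4)
 
 ########################################
 #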
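diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 40719e93..6c8caa8d 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1,4 +1,4 @@
-policy_module(systemd, 1.3.7)
+policy_module(systemd, 1.3.8)
 
 #########################################
 #
@@ -160,24 +160,6 @@ init_unit_file(power_unit_t)
 
 ######################################
 #
-# systemd log parse enviroment
-#
-
-# Do not audit setsockopt(fd, SOL_SOCKET, SO_SNDBUFFORCE, ...) failure (e.g. when using create_log_socket() internal function)
-dontaudit systemd_log_parse_env_type self:capability net_admin;
-
-kernel_read_system_state(systemd_log_parse_env_type)
-
-dev_write_kmsg(systemd_log_parse_env_type)
-
-term_use_console(systemd_log_parse_env_type)
-
-init_read_state(systemd_log_parse_env_type)
-
-logging_send_syslog_msg(systemd_log_parse_env_type)
-
-######################################
-#
 # Backlight local policy
 #
 
@@ -226,23 +208,43 @@ init_stream_connect(systemd_cgroups_t)
 
 systemd_log_parse_environment(systemd_cgroups_t)
 
-#######################################
+######################################
 #
-# locale local policy
+# coredump local policy
 #
 
-kernel_read_kernel_sysctls(systemd_locale_t)
+allow systemd_coredump_t self:unix_dgram_socket { create write connect getopt setopt };
+allow systemd_coredump_t self:capability { setgid setuid setpcap };
+allow systemd_coredump_t self:process { getcap setcap setfscreate };
 
-files_read_etc_files(systemd_locale_t)
+manage_files_pattern(systemd_coredump_t, systemd_coredump_var_lib_t, systemd_coredump_var_lib_t)
 
-seutil_read_file_contexts(systemd_locale_t)
+kernel_read_kernel_sysctls(systemd_coredump_t)
+kernel_read_system_state(systemd_coredump_t)
+kernel_rw_pipes(systemd_coredump_t)
+kernel_use_fds(systemd_coredump_t)
 
-systemd_log_parse_environment(systemd_locale_t)
+corecmd_exec_bin(systemd_coredump_t)
+corecmd_read_all_executables(systemd_coredump_t)
+
+dev_write_kmsg(systemd_coredump_t)
+
+files_read_etc_files(systemd_coredump_t)
+files_search_var_lib(systemd_coredump_t)
+
+fs_getattr_xattr_fs(systemd_coredump_t)
+
+selinux_getattr_fs(systemd_coredump_t)
+
+init_list_var_lib_dirs(systemd_coredump_t)
+init_read_state(systemd_coredump_t)
+init_search_pids(systemd_coredump_t)
+init_write_pid_socket(systemd_coredump_t)
+
+logging_send_syslog_msg(systemd_coredump_t)
+
+seutil_search_default_contexts(systemd_coredump_t)
 
-optional_policy(`
- dbus_connect_system_bus(systemd_locale_t)
- dbus_system_bus_client(systemd_locale_t)
-')
 
 #######################################
 #
@@ -262,6 +264,42 @@ optional_policy(`
 dbus_connect_system_bus(systemd_hostnamed_t)
 ')
 
+#######################################
+#
+# locale local policy
+#
+
+kernel_read_kernel_sysctls(systemd_locale_t)
+
+files_read_etc_files(systemd_locale_t)
+
+seutil_read_file_contexts(systemd_locale_t)
+
+systemd_log_parse_environment(systemd_locale_t)
+
+optional_policy(`
+ dbus_connect_system_bus(systemd_locale_t)
+ dbus_system_bus_client(systemd_locale_t)
+')
+
+######################################
+#
+# systemd log parse enviroment
+#
+
+# Do not audit setsockopt(fd, SOL_SOCKET, SO_SNDBUFFORCE, ...) failure (e.g. when using create_log_socket() internal function)
+dontaudit systemd_log_parse_env_type self:capability net_admin;
+
+kernel_read_system_state(systemd_log_parse_env_type)
+
+dev_write_kmsg(systemd_log_parse_env_type)
+
+term_use_console(systemd_log_parse_env_type)
+
+init_read_state(systemd_log_parse_env_type)
+
+logging_send_syslog_msg(systemd_log_parse_env_type)
+
 #########################################
 #
 # Logind local policy
@@ -325,6 +363,71 @@ optional_policy(`
 dbus_connect_system_bus(systemd_logind_t)
 ')
 
+#########################################
+#
+# machined local policy
+#
+
+allow systemd_machined_t self:capability sys_ptrace;
+allow systemd_machined_t self:process setfscreate;
+allow systemd_machined_t self:unix_dgram_socket { connected_socket_perms connect };
+
+manage_files_pattern(systemd_machined_t, systemd_machined_var_run_t, systemd_machined_var_run_t)
+allow systemd_machined_t systemd_machined_var_run_t:lnk_file manage_lnk_file_perms;
+
+kernel_read_kernel_sysctls(systemd_machined_t)
+kernel_read_system_state(systemd_machined_t)
+
+files_read_etc_files(systemd_machined_t)
+
+fs_getattr_cgroup(systemd_machined_t)
+fs_getattr_tmpfs(systemd_machined_t)
+
+selinux_getattr_fs(systemd_machined_t)
+
+init_read_script_state(systemd_machined_t)
+init_get_system_status(systemd_machined_t)
+init_read_state(systemd_machined_t)
+init_service_start(systemd_machined_t)
+init_service_status(systemd_machined_t)
+init_start_system(systemd_machined_t)
+init_stop_system(systemd_machined_t)
+
+logging_send_syslog_msg(systemd_machined_t)
+
+seutil_search_default_contexts(systemd_machined_t)
+
+optional_policy(`
+ init_dbus_chat(systemd_machined_t)
+ init_dbus_send_script(systemd_machined_t)
+
+ dbus_connect_system_bus(systemd_machined_t)
+ dbus_system_bus_client(systemd_machined_t)
+')
+
+########################################
+#
+# systemd_notify local policy
+#
+allow systemd_notify_t self:capability chown;
+allow systemd_notify_t self:process { setfscreate setsockcreate };
+
+allow systemd_notify_t self:fifo_file rw_fifo_file_perms;
+allow systemd_notify_t self:unix_stream_socket create_stream_socket_perms;
+
+domain_use_interactive_fds(systemd_notify_t)
+
+files_read_etc_files(systemd_notify_t)
+files_read_usr_files(systemd_notify_t)
+
+fs_getattr_cgroup_files(systemd_notify_t)
+
+auth_use_nsswitch(systemd_notify_t)
+
+init_rw_stream_sockets(systemd_notify_t)
+
+miscfiles_read_localization(systemd_notify_t)
+
 ########################################
 #
 # Nspawn local policy
@@ -332,6 +435,66 @@ optional_policy(`
 
 init_pid_filetrans(systemd_nspawn_t, systemd_nspawn_var_run_t, dir)
 
+#######################################
+#
+# systemd_passwd_agent_t local policy
+#
+
+allow systemd_passwd_agent_t self:capability { chown sys_tty_config dac_override };
+allow systemd_passwd_agent_t self:process { setfscreate setsockcreate signal };
+allow systemd_passwd_agent_t self:unix_dgram_socket create_socket_perms;
+
+manage_dirs_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
+manage_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
+manage_sock_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
+manage_fifo_files_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t);
+init_pid_filetrans(systemd_passwd_agent_t, systemd_passwd_var_run_t, { dir fifo_file file })
+
+kernel_read_system_state(systemd_passwd_agent_t)
+kernel_stream_connect(systemd_passwd_agent_t)
+
+dev_create_generic_dirs(systemd_passwd_agent_t)
+dev_read_generic_files(systemd_passwd_agent_t)
+dev_write_generic_sock_files(systemd_passwd_agent_t)
+dev_write_kmsg(systemd_passwd_agent_t)
+
+files_read_etc_files(systemd_passwd_agent_t)
+
+fs_getattr_xattr_fs(systemd_passwd_agent_t)
+
+selinux_get_enforce_mode(systemd_passwd_agent_t)
+selinux_getattr_fs(systemd_passwd_agent_t)
+
+term_read_console(systemd_passwd_agent_t)
+
+auth_use_nsswitch(systemd_passwd_agent_t)
+
+init_create_pid_dirs(systemd_passwd_agent_t)
+init_read_pid_pipes(systemd_passwd_agent_t)
+init_read_state(systemd_passwd_agent_t)
+init_read_utmp(systemd_passwd_agent_t)
+init_stream_connect(systemd_passwd_agent_t)
+
+logging_send_syslog_msg(systemd_passwd_agent_t)
+
+miscfiles_read_localization(systemd_passwd_agent_t)
+
+seutil_search_default_contexts(systemd_passwd_agent_t)
+
+userdom_use_user_ptys(systemd_passwd_agent_t)
+
+optional_policy(`
+ getty_use_fds(systemd_passwd_agent_t)
+')
+
+optional_policy(`
+ lvm_signull(systemd_passwd_agent_t)
+')
+
+optional_policy(`
+ plymouthd_stream_connect(systemd_passwd_agent_t)
+')
+
 
 #########################################
 #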
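Review bot: `allow systemd_passwd_agent_t self:capability { chown sys_tty_config dac_override };` in the passwd-agent hunk grants `dac_override` without a comment recording which operation needs it; that capability bypasses file permission checks for the whole domain, so the reason belongs next to the rule the way the existing `# Do not audit setsockopt(...)` comment documents its dontaudit, e.g. `# TODO(review): record which access needs dac_override, or drop it if a specific file rule suffices`. In the same hunk the four `manage_*_pattern(...)` calls for `systemd_passwd_var_run_t` end with a semicolon that no other pattern or interface call in this file carries; the macro already expands to terminated allow rules, so write them as `manage_dirs_pattern(systemd_passwd_agent_t, systemd_passwd_var_run_t, systemd_passwd_var_run_t)` and likewise for the files, sock_files and fifo_files lines. I have not checked whether the policy compiler tolerates the resulting empty statement, so treat the semicolons as a style fix at minimum.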