
From: Jason Zaman <perfinion@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
Date: Thu, 02 Jun 2016 06:32:19
Message-Id: 1464805207.33b0d446f0d55311b674932b135b7ce0fe4e7b8b.perfinion@gentoo
1 commit: 33b0d446f0d55311b674932b135b7ce0fe4e7b8b
2 Author: Laurent Bigonville <bigon <AT> bigon <DOT> be>
3 AuthorDate: Thu May 26 12:43:10 2016 +0000
4 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
5 CommitDate: Wed Jun 1 18:20:07 2016 +0000
6 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=33b0d446
7
8 Add policy for systemd-resolved
9
10 Initial policy for systemd-resolved, tested with systemd 230 on Debian
11
12 policy/modules/system/systemd.fc | 2 ++
13 policy/modules/system/systemd.te | 40 ++++++++++++++++++++++++++++++++++++++++
14 2 files changed, 42 insertions(+)
15
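diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index a0b5f0b..a987681 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -17,6 +17,7 @@
 /usr/lib/systemd/systemd-localed -- gen_context(system_u:object_r:systemd_locale_exec_t,s0)
 /usr/lib/systemd/systemd-logind -- gen_context(system_u:object_r:systemd_logind_exec_t,s0)
 /usr/lib/systemd/systemd-machined -- gen_context(system_u:object_r:systemd_machined_exec_t,s0)
+/usr/lib/systemd/systemd-resolved -- gen_context(system_u:object_r:systemd_resolved_exec_t,s0)
 /usr/lib/systemd/systemd-user-sessions -- gen_context(system_u:object_r:systemd_sessions_exec_t,s0)
 
 # Systemd unit files
@@ -33,6 +34,7 @@
 /var/run/\.nologin[^/]* -- gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
 /var/run/nologin -- gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
 
+/var/run/systemd/resolve(/.*)? gen_context(system_u:object_r:systemd_resolved_var_run_t,s0)
 /var/run/systemd/seats(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
 /var/run/systemd/sessions(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)
 /var/run/systemd/users(/.*)? gen_context(system_u:object_r:systemd_logind_var_run_t,s0)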
37 diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
38 index 0bed23c..e42f3ca 100644
39 --- a/policy/modules/system/systemd.te
40 +++ b/policy/modules/system/systemd.te
41 @@ -80,6 +80,13 @@ type systemd_nspawn_t;
42 type systemd_nspawn_exec_t;
43 init_system_domain(systemd_nspawn_t, systemd_nspawn_exec_t)
44
45 +type systemd_resolved_t;
46 +type systemd_resolved_exec_t;
47 +init_system_domain(systemd_resolved_t, systemd_resolved_exec_t)
48 +
49 +type systemd_resolved_var_run_t;
50 +files_pid_file(systemd_resolved_var_run_t)
51 +
52 type systemd_run_t;
53 type systemd_run_exec_t;
54 init_daemon_domain(systemd_run_t, systemd_run_exec_t)
55 @@ -244,6 +251,39 @@ optional_policy(`
56
57 #########################################
58 #
59 +# Resolved local policy
60 +#
61 +
62 +allow systemd_resolved_t self:capability { chown setgid setpcap setuid };
63 +allow systemd_resolved_t self:process { getcap setcap setfscreate signal };
64 +
65 +allow systemd_resolved_t self:tcp_socket { accept listen };
66 +
67 +manage_dirs_pattern(systemd_resolved_t, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
68 +manage_files_pattern(systemd_resolved_t, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
69 +init_pid_filetrans(systemd_resolved_t, systemd_resolved_var_run_t, dir)
70 +
71 +kernel_read_crypto_sysctls(systemd_resolved_t)
72 +kernel_read_kernel_sysctls(systemd_resolved_t)
73 +kernel_read_system_state(systemd_resolved_t)
74 +
75 +corenet_tcp_bind_generic_node(systemd_resolved_t)
76 +corenet_tcp_bind_llmnr_port(systemd_resolved_t)
77 +corenet_udp_bind_generic_node(systemd_resolved_t)
78 +corenet_udp_bind_llmnr_port(systemd_resolved_t)
79 +
80 +auth_use_nsswitch(systemd_resolved_t)
81 +
82 +seutil_read_file_contexts(systemd_resolved_t)
83 +
84 +systemd_log_parse_environment(systemd_resolved_t)
85 +
86 +optional_policy(`
87 + dbus_system_bus_client(systemd_resolved_t)
88 +')
89 +
90 +#########################################
91 +#
92 # Sessions local policy
93 #