commit: 5dece5bd67bca8c3df92c74d776119ae9af8ebc2 |
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com> |
AuthorDate: Tue Oct 20 18:48:38 2015 +0000 |
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org> |
CommitDate: Mon Oct 26 03:52:58 2015 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5dece5bd |
|
Add supporting rules for domains tightly-coupled with systemd. |
|
policy/modules/kernel/devices.if | 52 +++++++++++++++++++++++++++++++++---- |
policy/modules/kernel/kernel.te | 17 ++++++++++++ |
policy/modules/services/ssh.te | 5 ++++ |
policy/modules/system/init.te | 1 + |
policy/modules/system/locallogin.te | 8 ++++++ |
policy/modules/system/logging.fc | 1 + |
policy/modules/system/logging.te | 22 ++++++++++++++++ |
policy/modules/system/lvm.te | 6 +++++ |
policy/modules/system/modutils.te | 8 ++++++ |
policy/modules/system/sysnetwork.te | 8 ++++++ |
policy/modules/system/udev.te | 12 +++++++++ |
11 files changed, 135 insertions(+), 5 deletions(-) |
|
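diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 835ec14..a052db5 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -143,11 +143,11 @@ interface(`dev_relabel_all_dev_nodes',`
 type device_t;
 ')
 
- relabelfrom_dirs_pattern($1, device_t, device_node)
- relabelfrom_files_pattern($1, device_t, device_node)
+ relabelfrom_dirs_pattern($1, device_t, { device_t device_node })
+ relabelfrom_files_pattern($1, device_t, { device_t device_node })
 relabelfrom_lnk_files_pattern($1, device_t, { device_t device_node })
- relabelfrom_fifo_files_pattern($1, device_t, device_node)
- relabelfrom_sock_files_pattern($1, device_t, device_node)
+ relabelfrom_fifo_files_pattern($1, device_t, { device_t device_node })
+ relabelfrom_sock_files_pattern($1, device_t, { device_t device_node })
 relabel_blk_files_pattern($1, device_t, { device_t device_node })
 relabel_chr_files_pattern($1, device_t, { device_t device_node })
 ')
@@ -709,7 +709,7 @@ interface(`dev_relabelfrom_generic_chr_files',`
 type device_t;
 ')
 
- allow $1 device_t:chr_file relabelfrom;
+ allow $1 device_t:chr_file relabelfrom_chr_file_perms;
 ')
 
 ########################################
@@ -1943,6 +1943,30 @@ interface(`dev_filetrans_dri',`
 
 ########################################
 ## <summary>
+## Automatic type transition to the type
+## for event device nodes when created in /dev.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`dev_filetrans_input_dev',`
+ gen_require(`
+ type device_t, event_device_t;
+ ')
+
+ filetrans_pattern($1, device_t, event_device_t, chr_file, $2)
+')
+
+########################################
+## <summary>
 ## Get the attributes of the event devices.
 ## </summary>
 ## <param name="domain">
@@ -2017,6 +2041,24 @@ interface(`dev_rw_input_dev',`
 
 ########################################
 ## <summary>
+## Create, read, write, and delete input event devices (/dev/input).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_manage_input_dev',`
+ gen_require(`
+ type device_t, event_device_t;
+ ')
+
+ manage_chr_files_pattern($1, device_t, event_device_t)
+')
+
+########################################
+## <summary>
 ## Get the attributes of the framebuffer device node.
 ## </summary>
 ## <param name="domain">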
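Review bot: In the `dev_relabelfrom_generic_chr_files` hunk the single permission `relabelfrom` becomes the permission set `relabelfrom_chr_file_perms`, which in refpolicy's permission-set definitions also carries `getattr`, so every existing caller of this interface silently gains a little more than its name and its doc block (above the hunk, outside it) describe. The widening is small and reasonable for relabel workflows, but the interface summary should be updated to state it, e.g. `## Get the attributes of and relabel from generic character device nodes.` so auditors reading the .if do not assume a bare relabelfrom. The same "set vs. single permission" point does not apply to the other hunks, which use pattern macros throughout.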
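diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 14b5713..f2d5756 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -299,6 +299,23 @@ ifdef(`distro_redhat',`
 fs_rw_tmpfs_chr_files(kernel_t)
 ')
 
+ifdef(`init_systemd',`
+ optional_policy(`
+ dev_manage_input_dev(kernel_t)
+ dev_filetrans_input_dev(kernel_t)
+ ')
+
+ optional_policy(`
+ selinux_compute_create_context(kernel_t)
+ ')
+
+ optional_policy(`
+ storage_dev_filetrans_fixed_disk(kernel_t)
+ storage_setattr_fixed_disk_dev(kernel_t)
+ storage_create_fixed_disk_dev(kernel_t)
+ ')
+')
+
 optional_policy(`
 # loop devices
 fstools_use_fds(kernel_t)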
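Review bot: The new `ifdef(`init_systemd'` block lets kernel_t create, label and setattr input and fixed-disk device nodes without a comment saying why a systemd boot needs the kernel itself to do this; presumably this is devtmpfs populating /dev before udev runs, but that is not stated anywhere in the hunk. A one-line comment at the top of the block, such as `# devtmpfs: the kernel creates and labels device nodes itself`, would let a later reviewer judge whether the grants are still needed rather than widening kernel_t by habit. Note also that `dev_*`, `selinux_*` and `storage_*` belong to base kernel-layer modules, so the `optional_policy` wrappers around them appear unnecessary (harmless, but they suggest the rules are removable when they are not).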
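diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 783d0e7..e5932aa 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -266,6 +266,11 @@ ifdef(`distro_debian',`
 allow sshd_t self:process { getcap setcap };
 ')
 
+ifdef(`init_systemd',`
+ systemd_dbus_chat_logind(sshd_t)
+ init_rw_stream_sockets(sshd_t)
+')
+
 tunable_policy(`ssh_sysadm_login',`
 # Relabel and access ptys created by sshd
 # ioctl is necessary for logout() processing for utmp entry and for w to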
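diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index d5d7b10..916b895 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -222,6 +222,7 @@ ifdef(`init_systemd',`
 
 dev_rw_autofs(init_t)
 dev_create_generic_dirs(init_t)
+ dev_manage_input_dev(init_t)
 dev_relabel_all_dev_nodes(init_t)
 dev_read_urand(init_t)
 dev_write_kmsg(init_t)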
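diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
index 5281665..766614c 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -135,6 +135,14 @@ userdom_use_unpriv_users_fds(local_login_t)
 userdom_sigchld_all_users(local_login_t)
 userdom_create_all_users_keys(local_login_t)
 
+ifdef(`init_systemd',`
+ auth_manage_faillog(local_login_t)
+
+ systemd_dbus_chat_logind(local_login_t)
+ systemd_use_logind_fds(local_login_t)
+ systemd_manage_logind_pid_pipes(local_login_t)
+')
+
 ifdef(`distro_ubuntu',`
 optional_policy(`
 unconfined_domain(local_login_t)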
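Review bot: `auth_manage_faillog(local_login_t)` sits inside the `init_systemd` block, but faillog maintenance is a PAM/login concern and has no obvious dependency on the init system, so a sysvinit build that hits the same PAM stack would be denied the same access. Either move that line out of the conditional so both builds behave the same, or keep it there with a comment stating what makes it systemd-specific (e.g. `# faillog access only needed with the PAM stack shipped on systemd systems`, if that is the case). The three `systemd_*` calls below it are correctly scoped.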
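diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
index a0e957c..fb319d4 100644
--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
@@ -72,6 +72,7 @@ ifdef(`distro_redhat',`
 /var/run/syslog-ng\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
 /var/run/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,s0)
 /var/run/systemd/journal(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
+/var/run/systemd/journal/socket -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
 /var/run/systemd/journal/syslog -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
 /var/run/systemd/journal/dev-log -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
 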
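diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 72b7ff5..6f7335e 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -120,6 +120,10 @@ locallogin_dontaudit_use_fds(auditctl_t)
 logging_set_audit_parameters(auditctl_t)
 logging_send_syslog_msg(auditctl_t)
 
+ifdef(`init_systemd',`
+ init_rw_stream_sockets(auditctl_t)
+')
+
 ########################################
 #
 # Auditd local policy
@@ -248,6 +252,10 @@ miscfiles_read_localization(audisp_t)
 
 sysnet_dns_name_resolve(audisp_t)
 
+ifdef(`init_systemd',`
+ kernel_dgram_send(audisp_t)
+')
+
 optional_policy(`
 dbus_system_bus_client(audisp_t)
 ')
@@ -480,6 +488,20 @@ miscfiles_read_localization(syslogd_t)
 userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
 userdom_dontaudit_search_user_home_dirs(syslogd_t)
 
+ifdef(`init_systemd',`
+ allow syslogd_t self:capability { chown setuid setgid };
+
+ kernel_use_fds(syslogd_t)
+ kernel_getattr_dgram_sockets(syslogd_t)
+ kernel_rw_unix_dgram_sockets(syslogd_t)
+ kernel_rw_stream_sockets(syslogd_t)
+
+ init_daemon_pid_file(syslogd_var_run_t, dir, "syslogd")
+ init_dgram_send(syslogd_t)
+
+ udev_read_pid_files(syslogd_t)
+')
+
 ifdef(`distro_gentoo',`
 # default gentoo syslog-ng config appends kernel
 # and high priority messages to /dev/tty12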
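Review bot: In the third hunk, `allow syslogd_t self:capability { chown setuid setgid };` grants uid/gid-changing capabilities to the whole syslogd_t domain under systemd with no comment naming which daemon or operation needs them, and the four `kernel_*` socket and fd rules below it are equally unexplained. Capability grants are the lines an auditor keys on, so each group deserves a why-comment, for instance `# journald chowns log files to the journal group and drops privileges` above the capability line (if that is indeed the consumer) and `# sockets and fds inherited from kernel_t at early boot` above the kernel_* lines; I am inferring both reasons, so confirm before committing the wording. The `kernel_dgram_send(audisp_t)` rule in the second hunk would benefit from the same treatment.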
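diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index 6880656..f0bea03 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -304,6 +304,12 @@ seutil_sigchld_newrole(lvm_t)
 
 userdom_use_user_terminals(lvm_t)
 
+ifdef(`init_systemd',`
+ init_rw_stream_sockets(lvm_t)
+
+ fs_manage_hugetlbfs_dirs(lvm_t)
+')
+
 ifdef(`distro_redhat',`
 # this is from the initrd:
 kernel_rw_unlabeled_dirs(lvm_t)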
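Review bot: `fs_manage_hugetlbfs_dirs(lvm_t)` is an unusual grant for an LVM domain and nothing in the hunk ties it to systemd; if it was added to silence a specific denial, the rule should say which tool produced it, e.g. `# lvm helpers create directories under /dev/hugepages (hugetlbfs mounted by systemd)`, otherwise it is hard to tell later whether manage is needed or search would do. I am inferring the hugetlbfs mount point from the interface name, so adjust the comment to the actual denial.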
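diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index b17ad6c..4a5b572 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -183,6 +183,14 @@ userdom_dontaudit_search_user_home_dirs(insmod_t)
 
 kernel_domtrans_to(insmod_t, insmod_exec_t)
 
+ifdef(`init_systemd',`
+ kernel_search_key(insmod_t)
+
+ init_rw_stream_sockets(insmod_t)
+
+ systemd_write_kmod_files(insmod_t)
+')
+
 optional_policy(`
 alsa_domtrans(insmod_t)
 ')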
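diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 7a7b479..ff32383 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -162,6 +162,14 @@ ifdef(`distro_ubuntu',`
 ')
 ')
 
+ifdef(`init_systemd',`
+ init_rw_stream_sockets(dhcpc_t)
+ init_read_state(dhcpc_t)
+ init_stream_connect(dhcpc_t)
+ init_get_all_units_status(dhcpc_t)
+ init_search_units(dhcpc_t)
+')
+
 optional_policy(`
 consoletype_run(dhcpc_t, dhcpc_roles)
 ')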
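diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index a9a2296..40868ad 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -218,6 +218,18 @@ ifdef(`distro_redhat',`
 ')
 ')
 
+ifdef(`init_systemd',`
+ kernel_load_module(udev_t)
+
+ files_search_kernel_modules(udev_t)
+
+ fs_read_cgroup_files(udev_t)
+
+ init_dgram_send(udev_t)
+
+ systemd_read_logind_pids(udev_t)
+')
+
 optional_policy(`
 alsa_domtrans(udev_t)
 alsa_read_lib(udev_t)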