| 1 |
commit: 5dece5bd67bca8c3df92c74d776119ae9af8ebc2 |
| 2 |
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com> |
| 3 |
AuthorDate: Tue Oct 20 18:48:38 2015 +0000 |
| 4 |
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org> |
| 5 |
CommitDate: Mon Oct 26 03:52:58 2015 +0000 |
| 6 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5dece5bd |
| 7 |
|
| 8 |
Add supporting rules for domains tightly-coupled with systemd. |
| 9 |
|
| 10 |
policy/modules/kernel/devices.if | 52 +++++++++++++++++++++++++++++++++---- |
| 11 |
policy/modules/kernel/kernel.te | 17 ++++++++++++ |
| 12 |
policy/modules/services/ssh.te | 5 ++++ |
| 13 |
policy/modules/system/init.te | 1 + |
| 14 |
policy/modules/system/locallogin.te | 8 ++++++ |
| 15 |
policy/modules/system/logging.fc | 1 + |
| 16 |
policy/modules/system/logging.te | 22 ++++++++++++++++ |
| 17 |
policy/modules/system/lvm.te | 6 +++++ |
| 18 |
policy/modules/system/modutils.te | 8 ++++++ |
| 19 |
policy/modules/system/sysnetwork.te | 8 ++++++ |
| 20 |
policy/modules/system/udev.te | 12 +++++++++ |
| 21 |
11 files changed, 135 insertions(+), 5 deletions(-) |
| 22 |
|
| 23 |
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if |
| 24 |
index 835ec14..a052db5 100644 |
| 25 |
--- a/policy/modules/kernel/devices.if |
| 26 |
+++ b/policy/modules/kernel/devices.if |
| 27 |
@@ -143,11 +143,11 @@ interface(`dev_relabel_all_dev_nodes',` |
| 28 |
type device_t; |
| 29 |
') |
| 30 |
|
| 31 |
- relabelfrom_dirs_pattern($1, device_t, device_node) |
| 32 |
- relabelfrom_files_pattern($1, device_t, device_node) |
| 33 |
+ relabelfrom_dirs_pattern($1, device_t, { device_t device_node }) |
| 34 |
+ relabelfrom_files_pattern($1, device_t, { device_t device_node }) |
| 35 |
relabelfrom_lnk_files_pattern($1, device_t, { device_t device_node }) |
| 36 |
- relabelfrom_fifo_files_pattern($1, device_t, device_node) |
| 37 |
- relabelfrom_sock_files_pattern($1, device_t, device_node) |
| 38 |
+ relabelfrom_fifo_files_pattern($1, device_t, { device_t device_node }) |
| 39 |
+ relabelfrom_sock_files_pattern($1, device_t, { device_t device_node }) |
| 40 |
relabel_blk_files_pattern($1, device_t, { device_t device_node }) |
| 41 |
relabel_chr_files_pattern($1, device_t, { device_t device_node }) |
| 42 |
') |
| 43 |
@@ -709,7 +709,7 @@ interface(`dev_relabelfrom_generic_chr_files',` |
| 44 |
type device_t; |
| 45 |
') |
| 46 |
|
| 47 |
- allow $1 device_t:chr_file relabelfrom; |
| 48 |
+ allow $1 device_t:chr_file relabelfrom_chr_file_perms; |
| 49 |
') |
| 50 |
|
| 51 |
######################################## |
| 52 |
@@ -1943,6 +1943,30 @@ interface(`dev_filetrans_dri',` |
| 53 |
|
| 54 |
######################################## |
| 55 |
## <summary> |
| 56 |
+## Automatic type transition to the type |
| 57 |
+## for event device nodes when created in /dev. |
| 58 |
+## </summary> |
| 59 |
+## <param name="domain"> |
| 60 |
+## <summary> |
| 61 |
+## Domain allowed access. |
| 62 |
+## </summary> |
| 63 |
+## </param> |
| 64 |
+## <param name="name" optional="true"> |
| 65 |
+## <summary> |
| 66 |
+## The name of the object being created. |
| 67 |
+## </summary> |
| 68 |
+## </param> |
| 69 |
+# |
| 70 |
+interface(`dev_filetrans_input_dev',` |
| 71 |
+ gen_require(` |
| 72 |
+ type device_t, event_device_t; |
| 73 |
+ ') |
| 74 |
+ |
| 75 |
+ filetrans_pattern($1, device_t, event_device_t, chr_file, $2) |
| 76 |
+') |
| 77 |
+ |
| 78 |
+######################################## |
| 79 |
+## <summary> |
| 80 |
## Get the attributes of the event devices. |
| 81 |
## </summary> |
| 82 |
## <param name="domain"> |
| 83 |
@@ -2017,6 +2041,24 @@ interface(`dev_rw_input_dev',` |
| 84 |
|
| 85 |
######################################## |
| 86 |
## <summary> |
| 87 |
+## Create, read, write, and delete input event devices (/dev/input). |
| 88 |
+## </summary> |
| 89 |
+## <param name="domain"> |
| 90 |
+## <summary> |
| 91 |
+## Domain allowed access. |
| 92 |
+## </summary> |
| 93 |
+## </param> |
| 94 |
+# |
| 95 |
+interface(`dev_manage_input_dev',` |
| 96 |
+ gen_require(` |
| 97 |
+ type device_t, event_device_t; |
| 98 |
+ ') |
| 99 |
+ |
| 100 |
+ manage_chr_files_pattern($1, device_t, event_device_t) |
| 101 |
+') |
| 102 |
+ |
| 103 |
+######################################## |
| 104 |
+## <summary> |
| 105 |
## Get the attributes of the framebuffer device node. |
| 106 |
## </summary> |
| 107 |
## <param name="domain"> |
| 108 |
|
| 109 |
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te |
| 110 |
index 14b5713..f2d5756 100644 |
| 111 |
--- a/policy/modules/kernel/kernel.te |
| 112 |
+++ b/policy/modules/kernel/kernel.te |
| 113 |
@@ -299,6 +299,23 @@ ifdef(`distro_redhat',` |
| 114 |
fs_rw_tmpfs_chr_files(kernel_t) |
| 115 |
') |
| 116 |
|
| 117 |
+ifdef(`init_systemd',` |
| 118 |
+ optional_policy(` |
| 119 |
+ dev_manage_input_dev(kernel_t) |
| 120 |
+ dev_filetrans_input_dev(kernel_t) |
| 121 |
+ ') |
| 122 |
+ |
| 123 |
+ optional_policy(` |
| 124 |
+ selinux_compute_create_context(kernel_t) |
| 125 |
+ ') |
| 126 |
+ |
| 127 |
+ optional_policy(` |
| 128 |
+ storage_dev_filetrans_fixed_disk(kernel_t) |
| 129 |
+ storage_setattr_fixed_disk_dev(kernel_t) |
| 130 |
+ storage_create_fixed_disk_dev(kernel_t) |
| 131 |
+ ') |
| 132 |
+') |
| 133 |
+ |
| 134 |
optional_policy(` |
| 135 |
# loop devices |
| 136 |
fstools_use_fds(kernel_t) |
| 137 |
|
| 138 |
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te |
| 139 |
index 783d0e7..e5932aa 100644 |
| 140 |
--- a/policy/modules/services/ssh.te |
| 141 |
+++ b/policy/modules/services/ssh.te |
| 142 |
@@ -266,6 +266,11 @@ ifdef(`distro_debian',` |
| 143 |
allow sshd_t self:process { getcap setcap }; |
| 144 |
') |
| 145 |
|
| 146 |
+ifdef(`init_systemd',` |
| 147 |
+ systemd_dbus_chat_logind(sshd_t) |
| 148 |
+ init_rw_stream_sockets(sshd_t) |
| 149 |
+') |
| 150 |
+ |
| 151 |
tunable_policy(`ssh_sysadm_login',` |
| 152 |
# Relabel and access ptys created by sshd |
| 153 |
# ioctl is necessary for logout() processing for utmp entry and for w to |
| 154 |
|
| 155 |
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te |
| 156 |
index d5d7b10..916b895 100644 |
| 157 |
--- a/policy/modules/system/init.te |
| 158 |
+++ b/policy/modules/system/init.te |
| 159 |
@@ -222,6 +222,7 @@ ifdef(`init_systemd',` |
| 160 |
|
| 161 |
dev_rw_autofs(init_t) |
| 162 |
dev_create_generic_dirs(init_t) |
| 163 |
+ dev_manage_input_dev(init_t) |
| 164 |
dev_relabel_all_dev_nodes(init_t) |
| 165 |
dev_read_urand(init_t) |
| 166 |
dev_write_kmsg(init_t) |
| 167 |
|
| 168 |
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te |
| 169 |
index 5281665..766614c 100644 |
| 170 |
--- a/policy/modules/system/locallogin.te |
| 171 |
+++ b/policy/modules/system/locallogin.te |
| 172 |
@@ -135,6 +135,14 @@ userdom_use_unpriv_users_fds(local_login_t) |
| 173 |
userdom_sigchld_all_users(local_login_t) |
| 174 |
userdom_create_all_users_keys(local_login_t) |
| 175 |
|
| 176 |
+ifdef(`init_systemd',` |
| 177 |
+ auth_manage_faillog(local_login_t) |
| 178 |
+ |
| 179 |
+ systemd_dbus_chat_logind(local_login_t) |
| 180 |
+ systemd_use_logind_fds(local_login_t) |
| 181 |
+ systemd_manage_logind_pid_pipes(local_login_t) |
| 182 |
+') |
| 183 |
+ |
| 184 |
ifdef(`distro_ubuntu',` |
| 185 |
optional_policy(` |
| 186 |
unconfined_domain(local_login_t) |
| 187 |
|
| 188 |
diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc |
| 189 |
index a0e957c..fb319d4 100644 |
| 190 |
--- a/policy/modules/system/logging.fc |
| 191 |
+++ b/policy/modules/system/logging.fc |
| 192 |
@@ -72,6 +72,7 @@ ifdef(`distro_redhat',` |
| 193 |
/var/run/syslog-ng\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh) |
| 194 |
/var/run/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,s0) |
| 195 |
/var/run/systemd/journal(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh) |
| 196 |
+/var/run/systemd/journal/socket -s gen_context(system_u:object_r:devlog_t,mls_systemhigh) |
| 197 |
/var/run/systemd/journal/syslog -s gen_context(system_u:object_r:devlog_t,mls_systemhigh) |
| 198 |
/var/run/systemd/journal/dev-log -s gen_context(system_u:object_r:devlog_t,mls_systemhigh) |
| 199 |
|
| 200 |
|
| 201 |
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te |
| 202 |
index 72b7ff5..6f7335e 100644 |
| 203 |
--- a/policy/modules/system/logging.te |
| 204 |
+++ b/policy/modules/system/logging.te |
| 205 |
@@ -120,6 +120,10 @@ locallogin_dontaudit_use_fds(auditctl_t) |
| 206 |
logging_set_audit_parameters(auditctl_t) |
| 207 |
logging_send_syslog_msg(auditctl_t) |
| 208 |
|
| 209 |
+ifdef(`init_systemd',` |
| 210 |
+ init_rw_stream_sockets(auditctl_t) |
| 211 |
+') |
| 212 |
+ |
| 213 |
######################################## |
| 214 |
# |
| 215 |
# Auditd local policy |
| 216 |
@@ -248,6 +252,10 @@ miscfiles_read_localization(audisp_t) |
| 217 |
|
| 218 |
sysnet_dns_name_resolve(audisp_t) |
| 219 |
|
| 220 |
+ifdef(`init_systemd',` |
| 221 |
+ kernel_dgram_send(audisp_t) |
| 222 |
+') |
| 223 |
+ |
| 224 |
optional_policy(` |
| 225 |
dbus_system_bus_client(audisp_t) |
| 226 |
') |
| 227 |
@@ -480,6 +488,20 @@ miscfiles_read_localization(syslogd_t) |
| 228 |
userdom_dontaudit_use_unpriv_user_fds(syslogd_t) |
| 229 |
userdom_dontaudit_search_user_home_dirs(syslogd_t) |
| 230 |
|
| 231 |
+ifdef(`init_systemd',` |
| 232 |
+ allow syslogd_t self:capability { chown setuid setgid }; |
| 233 |
+ |
| 234 |
+ kernel_use_fds(syslogd_t) |
| 235 |
+ kernel_getattr_dgram_sockets(syslogd_t) |
| 236 |
+ kernel_rw_unix_dgram_sockets(syslogd_t) |
| 237 |
+ kernel_rw_stream_sockets(syslogd_t) |
| 238 |
+ |
| 239 |
+ init_daemon_pid_file(syslogd_var_run_t, dir, "syslogd") |
| 240 |
+ init_dgram_send(syslogd_t) |
| 241 |
+ |
| 242 |
+ udev_read_pid_files(syslogd_t) |
| 243 |
+') |
| 244 |
+ |
| 245 |
ifdef(`distro_gentoo',` |
| 246 |
# default gentoo syslog-ng config appends kernel |
| 247 |
# and high priority messages to /dev/tty12 |
| 248 |
|
| 249 |
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te |
| 250 |
index 6880656..f0bea03 100644 |
| 251 |
--- a/policy/modules/system/lvm.te |
| 252 |
+++ b/policy/modules/system/lvm.te |
| 253 |
@@ -304,6 +304,12 @@ seutil_sigchld_newrole(lvm_t) |
| 254 |
|
| 255 |
userdom_use_user_terminals(lvm_t) |
| 256 |
|
| 257 |
+ifdef(`init_systemd',` |
| 258 |
+ init_rw_stream_sockets(lvm_t) |
| 259 |
+ |
| 260 |
+ fs_manage_hugetlbfs_dirs(lvm_t) |
| 261 |
+') |
| 262 |
+ |
| 263 |
ifdef(`distro_redhat',` |
| 264 |
# this is from the initrd: |
| 265 |
kernel_rw_unlabeled_dirs(lvm_t) |
| 266 |
|
| 267 |
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te |
| 268 |
index b17ad6c..4a5b572 100644 |
| 269 |
--- a/policy/modules/system/modutils.te |
| 270 |
+++ b/policy/modules/system/modutils.te |
| 271 |
@@ -183,6 +183,14 @@ userdom_dontaudit_search_user_home_dirs(insmod_t) |
| 272 |
|
| 273 |
kernel_domtrans_to(insmod_t, insmod_exec_t) |
| 274 |
|
| 275 |
+ifdef(`init_systemd',` |
| 276 |
+ kernel_search_key(insmod_t) |
| 277 |
+ |
| 278 |
+ init_rw_stream_sockets(insmod_t) |
| 279 |
+ |
| 280 |
+ systemd_write_kmod_files(insmod_t) |
| 281 |
+') |
| 282 |
+ |
| 283 |
optional_policy(` |
| 284 |
alsa_domtrans(insmod_t) |
| 285 |
') |
| 286 |
|
| 287 |
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te |
| 288 |
index 7a7b479..ff32383 100644 |
| 289 |
--- a/policy/modules/system/sysnetwork.te |
| 290 |
+++ b/policy/modules/system/sysnetwork.te |
| 291 |
@@ -162,6 +162,14 @@ ifdef(`distro_ubuntu',` |
| 292 |
') |
| 293 |
') |
| 294 |
|
| 295 |
+ifdef(`init_systemd',` |
| 296 |
+ init_rw_stream_sockets(dhcpc_t) |
| 297 |
+ init_read_state(dhcpc_t) |
| 298 |
+ init_stream_connect(dhcpc_t) |
| 299 |
+ init_get_all_units_status(dhcpc_t) |
| 300 |
+ init_search_units(dhcpc_t) |
| 301 |
+') |
| 302 |
+ |
| 303 |
optional_policy(` |
| 304 |
consoletype_run(dhcpc_t, dhcpc_roles) |
| 305 |
') |
| 306 |
|
| 307 |
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te |
| 308 |
index a9a2296..40868ad 100644 |
| 309 |
--- a/policy/modules/system/udev.te |
| 310 |
+++ b/policy/modules/system/udev.te |
| 311 |
@@ -218,6 +218,18 @@ ifdef(`distro_redhat',` |
| 312 |
') |
| 313 |
') |
| 314 |
|
| 315 |
+ifdef(`init_systemd',` |
| 316 |
+ kernel_load_module(udev_t) |
| 317 |
+ |
| 318 |
+ files_search_kernel_modules(udev_t) |
| 319 |
+ |
| 320 |
+ fs_read_cgroup_files(udev_t) |
| 321 |
+ |
| 322 |
+ init_dgram_send(udev_t) |
| 323 |
+ |
| 324 |
+ systemd_read_logind_pids(udev_t) |
| 325 |
+') |
| 326 |
+ |
| 327 |
optional_policy(` |
| 328 |
alsa_domtrans(udev_t) |
| 329 |
alsa_read_lib(udev_t) |
Archives