commit: 6b6d9fc0d2ae76f8c137b5c3bcb1f184d0c62c57 |
Author: Russell Coker <russell <AT> coker <DOT> com <DOT> au> |
AuthorDate: Mon Feb 1 04:57:13 2021 +0000 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
CommitDate: Sat Feb 6 21:15:09 2021 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6b6d9fc0 |
|
new version of filetrans patch |
|
Name changes suggested by Dominick and some more additions. |
|
Signed-off-by: Russell Coker <russell <AT> coker.com.au> |
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org> |
|
policy/modules/admin/dpkg.te | 20 +++++++++++++ |
policy/modules/services/aptcacher.if | 54 ++++++++++++++++++++++++++++++++++++ |
policy/modules/services/clamav.if | 36 ++++++++++++++++++++++++ |
policy/modules/services/ftp.if | 18 ++++++++++++ |
policy/modules/services/milter.if | 18 ++++++++++++ |
policy/modules/services/mysql.fc | 4 +-- |
policy/modules/services/mysql.if | 38 +++++++++++++++++++++++++ |
policy/modules/system/authlogin.if | 7 ++++- |
policy/modules/system/init.te | 5 ++++ |
policy/modules/system/systemd.if | 25 +++++++++++++++++ |
policy/modules/system/unconfined.te | 1 + |
11 files changed, 223 insertions(+), 3 deletions(-) |
|
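--- a/policy/modules/admin/dpkg.te
+++ b/policy/modules/admin/dpkg.te
@@ -276,6 +276,7 @@ term_use_all_terms(dpkg_script_t)
 
 files_manage_non_auth_files(dpkg_script_t)
 
+auth_etc_filetrans_shadow(dpkg_script_t, "shadow.upwd-write")
 auth_manage_shadow(dpkg_script_t)
 
 init_all_labeled_script_domtrans(dpkg_script_t)
@@ -306,10 +307,20 @@ optional_policy(`
 apt_use_fds(dpkg_script_t)
 ')
 
+optional_policy(`
+ aptcacher_filetrans_cache_dir(dpkg_script_t)
+ aptcacher_filetrans_conf_dir(dpkg_script_t)
+ aptcacher_filetrans_log_dir(dpkg_script_t)
+')
+
 optional_policy(`
 bootloader_run(dpkg_script_t, dpkg_roles)
 ')
 
+optional_policy(`
+ clamav_filetrans_log(dpkg_script_t)
+')
+
 optional_policy(`
 devicekit_dbus_chat_power(dpkg_script_t)
 ')
@@ -318,6 +329,10 @@ optional_policy(`
 init_dbus_chat(dpkg_script_t)
 ')
 
+optional_policy(`
+ milter_filetrans_spamass_state(dpkg_script_t)
+')
+
 optional_policy(`
 modutils_run(dpkg_script_t, dpkg_roles)
 ')
@@ -326,6 +341,11 @@ optional_policy(`
 mta_send_mail(dpkg_script_t)
 ')
 
+optional_policy(`
+ mysql_create_db_dir(dpkg_script_t)
+ mysql_create_log_dir(dpkg_script_t)
+')
+
 optional_policy(`
 nis_use_ypbind(dpkg_script_t)
 ')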
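Review bot: The literal `"shadow.upwd-write"` in the first hunk is unexplained, so a reader cannot tell which tool creates that file or why only this one name receives the shadow_t transition. A comment above the call would help, for example `# temporary copy written in /etc before it replaces the shadow file (presumably by update-passwd); it must not be left with the generic etc type`. Because the transition is now tied to a single name, any other temporary copy of the shadow file that a maintainer script creates directly in /etc under a different name would presumably keep the generic type, so it is worth confirming this is the only such name that dpkg_script_t itself creates.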
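--- a/policy/modules/services/aptcacher.if
+++ b/policy/modules/services/aptcacher.if
@@ -63,3 +63,57 @@ interface(`aptcacher_stream_connect',`
 files_search_runtime($1)
 stream_connect_pattern($1, aptcacher_runtime_t, aptcacher_runtime_t, aptcacher_t)
 ')
+
+########################################
+## <summary>
+## create /var/log/apt-cacher-ng
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`aptcacher_filetrans_log_dir',`
+ gen_require(`
+ type aptcacher_log_t;
+ ')
+
+ logging_log_filetrans($1, aptcacher_log_t, dir, "apt-cacher-ng")
+')
+
+########################################
+## <summary>
+## create /var/cache/apt-cacher-ng
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`aptcacher_filetrans_cache_dir',`
+ gen_require(`
+ type aptcacher_cache_t;
+ ')
+
+ files_var_filetrans($1, aptcacher_cache_t, dir, "apt-cacher-ng")
+')
+
+########################################
+## <summary>
+## create /etc/apt-cacher-ng
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`aptcacher_filetrans_conf_dir',`
+ gen_require(`
+ type aptcacher_conf_t;
+ ')
+
+ files_etc_filetrans($1, aptcacher_conf_t, dir, "apt-cacher-ng")
+')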
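--- a/policy/modules/services/clamav.if
+++ b/policy/modules/services/clamav.if
@@ -430,3 +430,39 @@ interface(`clamav_admin',`
 files_list_tmp($1)
 admin_pattern($1, { clamd_tmp_t clamscan_tmp_t })
 ')
+
+########################################
+## <summary>
+## specified domain creates /var/log/clamav/freshclam.log with correct type
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`clamav_filetrans_log',`
+ gen_require(`
+ type clamd_var_log_t, freshclam_var_log_t;
+ ')
+
+ filetrans_pattern($1, clamd_var_log_t, freshclam_var_log_t, file, "freshclam.log")
+')
+
+########################################
+## <summary>
+## specified domain creates /run/clamav with correct type
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`clamav_filetrans_runtime_dir',`
+ gen_require(`
+ type clamd_runtime_t;
+ ')
+
+ files_runtime_filetrans($1, clamd_runtime_t, dir, "clamav")
+')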
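--- a/policy/modules/services/ftp.if
+++ b/policy/modules/services/ftp.if
@@ -189,3 +189,21 @@ interface(`ftp_admin',`
 
 ftp_run_ftpdctl($1, $2)
 ')
+
+########################################
+## <summary>
+## create /run/pure-ftpd
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ftp_filetrans_pure_ftpd_runtime',`
+ gen_require(`
+ type ftpd_runtime_t;
+ ')
+
+ files_runtime_filetrans($1, ftpd_runtime_t, dir, "pure-ftpd")
+')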
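--- a/policy/modules/services/milter.if
+++ b/policy/modules/services/milter.if
@@ -98,6 +98,24 @@ interface(`milter_manage_spamass_state',`
 manage_lnk_files_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
 ')
 
+########################################
+## <summary>
+## create spamass milter state dir
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`milter_filetrans_spamass_state',`
+ gen_require(`
+ type spamass_milter_state_t;
+ ')
+
+ files_var_lib_filetrans($1, spamass_milter_state_t, dir, "spamass-milter")
+')
+
 ########################################
 ## <summary>
 ## Get the attributes of the spamassissin milter data dir.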
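--- a/policy/modules/services/mysql.fc
+++ b/policy/modules/services/mysql.fc
@@ -25,8 +25,8 @@ HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0)
 /var/lib/mysql(/.*)? gen_context(system_u:object_r:mysqld_db_t,s0)
 /var/lib/mysql/mysql.* -s gen_context(system_u:object_r:mysqld_runtime_t,s0)
 
-/var/log/mariadb(/.*)? gen_context(system_u:object_r:mysqld_log_t,s0)
-/var/log/mysql.* -- gen_context(system_u:object_r:mysqld_log_t,s0)
+/var/log/mariadb(/.*)? gen_context(system_u:object_r:mysqld_log_t,s0)
+/var/log/mysql(/.*)? gen_context(system_u:object_r:mysqld_log_t,s0)
 
 /run/mysqld.* gen_context(system_u:object_r:mysqld_runtime_t,s0)
 /run/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_runtime_t,s0)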
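--- a/policy/modules/services/mysql.if
+++ b/policy/modules/services/mysql.if
@@ -241,6 +241,24 @@ interface(`mysql_manage_db_files',`
 manage_files_pattern($1, mysqld_db_t, mysqld_db_t)
 ')
 
+########################################
+## <summary>
+## create mysqld db dir.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mysql_create_db_dir',`
+ gen_require(`
+ type mysqld_db_t;
+ ')
+
+ files_var_lib_filetrans($1, mysqld_db_t, dir, "mysql")
+')
+
 ########################################
 ## <summary>
 ## Create, read, write, and delete
@@ -325,9 +343,29 @@ interface(`mysql_write_log',`
 ')
 
 logging_search_logs($1)
+ allow $1 mysqld_log_t:dir search_dir_perms;
 allow $1 mysqld_log_t:file write_file_perms;
 ')
 
+########################################
+## <summary>
+## create mysqld log dir.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mysql_create_log_dir',`
+ gen_require(`
+ type mysqld_log_t;
+ ')
+
+ logging_search_logs($1)
+ logging_log_filetrans($1, mysqld_log_t, dir, "mysql")
+')
+
 ######################################
 ## <summary>
 ## Execute mysqld safe in the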
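Review bot: `mysql_create_db_dir` and `mysql_create_log_dir` are named as if they grant create permission, but their bodies only call `files_var_lib_filetrans` and `logging_log_filetrans` with the name `"mysql"`, and every other interface added in this commit uses `_filetrans_` in its name. Renaming them to `mysql_filetrans_db_dir` and `mysql_filetrans_log_dir` would match the rest and keep callers from assuming they were given create rights on mysqld_db_t or mysqld_log_t. The log transition also covers only `mysql`, while mysql.fc in this commit labels `/var/log/mariadb` with the same type, so a matching `"mariadb"` transition may be wanted.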
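--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -719,13 +719,18 @@ interface(`auth_manage_shadow',`
 ## Domain allowed access.
 ## </summary>
 ## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
 #
 interface(`auth_etc_filetrans_shadow',`
 gen_require(`
 type shadow_t;
 ')
 
- files_etc_filetrans($1, shadow_t, file)
+ files_etc_filetrans($1, shadow_t, file, $2)
 ')
 
 #######################################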
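--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1097,6 +1097,7 @@ optional_policy(`
 ')
 
 optional_policy(`
+ clamav_filetrans_runtime_dir(initrc_t)
 clamav_read_config(initrc_t)
 ')
 
@@ -1289,6 +1290,10 @@ optional_policy(`
 fs_search_ramfs(initrc_t)
 ')
 
+optional_policy(`
+ ftp_filetrans_pure_ftpd_runtime(initrc_t)
+')
+
 optional_policy(`
 rpc_read_exports(initrc_t)
 ')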
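--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -526,6 +526,31 @@ interface(`systemd_use_passwd_agent_fds',`
 allow systemd_passwd_agent_t $1:fd use;
 ')
 
+########################################
+## <summary>
+## allow systemd_passwd_agent to be run by admin
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain that runs it
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## role that it runs in
+## </summary>
+## </param>
+#
+interface(`systemd_run_passwd_agent',`
+ gen_require(`
+ type systemd_passwd_agent_t, systemd_passwd_agent_exec_t;
+ ')
+
+ domain_auto_transition_pattern($1, systemd_passwd_agent_exec_t, systemd_passwd_agent_t)
+ allow systemd_passwd_agent_t $1:fd use;
+ role $2 types systemd_passwd_agent_t;
+')
+
 #######################################
 ## <summary>
 ## Allow a systemd_passwd_agent_t process to interact with a daemon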
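Review bot: The summary of `systemd_run_passwd_agent` says `allow systemd_passwd_agent to be run by admin`, but nothing in the body restricts it to an admin: any domain passed as `$1` gets an automatic transition into systemd_passwd_agent_t and any role passed as `$2` is allowed that type. Since the agent deals with password prompts, the documentation should state exactly what is granted, e.g. `Execute the systemd passwd agent in the systemd_passwd_agent_t domain and allow the specified role that type.`, with the parameters described as `Domain allowed to transition.` and `Role allowed access.` No caller of the new interface appears in this commit, so the visible changes do not exercise it.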
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te |
413 |
index eac4d285..42879fb7 100644 |
414 |
--- a/policy/modules/system/unconfined.te |
415 |
+++ b/policy/modules/system/unconfined.te |
416 |
@@ -66,6 +66,7 @@ ifdef(`init_systemd',` |
417 |
|
418 |
optional_policy(` |
419 |
systemd_dbus_chat_resolved(unconfined_t) |
420 |
+ systemd_filetrans_passwd_runtime_dirs(unconfined_t) |
421 |
') |
422 |
') |