commit: 4234b23d214dd8b53dd631560f9c98778f1c9ac5 |
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org> |
AuthorDate: Fri Feb 18 18:46:24 2022 +0000 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
CommitDate: Sun Feb 27 02:13:17 2022 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4234b23d |
matrixd: Cleanups. |
Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org> |
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org> |
policy/modules/services/matrixd.fc | 6 ++++-- |
policy/modules/services/matrixd.if | 2 +- |
policy/modules/services/matrixd.te | 35 ++++++++++++++++------------------- |
3 files changed, 21 insertions(+), 22 deletions(-) |
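diff --git a/policy/modules/services/matrixd.fc b/policy/modules/services/matrixd.fc
index b59b1c75..6db2d7ed 100644
--- a/policy/modules/services/matrixd.fc
+++ b/policy/modules/services/matrixd.fc
@@ -1,4 +1,6 @@
-/var/lib/matrix-synapse(/.*)? gen_context(system_u:object_r:matrixd_var_t,s0)
-/var/log/matrix-synapse(/.*)? gen_context(system_u:object_r:matrixd_log_t,s0)
 /etc/matrix-synapse(/.*)? gen_context(system_u:object_r:matrixd_conf_t,s0)
+
 /usr/bin/synctl -- gen_context(system_u:object_r:matrixd_exec_t,s0)
+
+/var/lib/matrix-synapse(/.*)? gen_context(system_u:object_r:matrixd_var_t,s0)
+/var/log/matrix-synapse(/.*)? gen_context(system_u:object_r:matrixd_log_t,s0)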
32 |
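diff --git a/policy/modules/services/matrixd.if b/policy/modules/services/matrixd.if
index f1eff5f0..8cf2a845 100644
--- a/policy/modules/services/matrixd.if
+++ b/policy/modules/services/matrixd.if
@@ -1 +1 @@
-## <summary>Matrixd</summary>
+## <summary>matrix.org synapse reference server.</summary>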
40 |
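diff --git a/policy/modules/services/matrixd.te b/policy/modules/services/matrixd.te
index 5c217678..2c7f384c 100644
--- a/policy/modules/services/matrixd.te
+++ b/policy/modules/services/matrixd.te
@@ -1,4 +1,4 @@
-policy_module(matrixd, 1.0.0)
+policy_module(matrixd)
 
 ########################################
 #
@@ -20,23 +20,22 @@ gen_tunable(matrix_allow_federation, true)
 ## </desc>
 gen_tunable(matrix_postgresql_connect, false)
 
-
 type matrixd_t;
 type matrixd_exec_t;
 init_daemon_domain(matrixd_t, matrixd_exec_t)
 
-type matrixd_var_t;
-files_type(matrixd_var_t)
+type matrixd_conf_t;
+files_config_file(matrixd_conf_t)
 
 type matrixd_log_t;
 logging_log_file(matrixd_log_t)
 
-type matrixd_conf_t;
-files_config_file(matrixd_conf_t)
-
 type matrixd_tmp_t;
 files_tmp_file(matrixd_tmp_t)
 
+type matrixd_var_t;
+files_type(matrixd_var_t)
+
 ########################################
 #
 # Local policy
@@ -56,16 +55,15 @@ allow matrixd_t matrixd_tmp_t:file { manage_file_perms map };
 files_tmp_filetrans(matrixd_t, matrixd_tmp_t, file)
 fs_tmpfs_filetrans(matrixd_t, matrixd_tmp_t, file)
 
-manage_files_pattern(matrixd_t, matrixd_var_t, matrixd_var_t)
-files_search_var_lib(matrixd_t)
-allow matrixd_t matrixd_var_t:file map;
-allow matrixd_t matrixd_var_t:dir manage_dir_perms;
+allow matrixd_t matrixd_conf_t:dir list_dir_perms;
+read_files_pattern(matrixd_t, matrixd_conf_t, matrixd_conf_t)
 
 logging_search_logs(matrixd_t)
 manage_files_pattern(matrixd_t, matrixd_log_t, matrixd_log_t)
 
-read_files_pattern(matrixd_t, matrixd_conf_t, matrixd_conf_t)
-allow matrixd_t matrixd_conf_t:dir list_dir_perms;
+mmap_manage_files_pattern(matrixd_t, matrixd_var_t, matrixd_var_t)
+manage_dirs_pattern(matrixd_t, matrixd_var_t, matrixd_var_t)
+files_search_var_lib(matrixd_t)
 
 kernel_read_system_state(matrixd_t)
 kernel_read_vm_overcommit_sysctl(matrixd_t)
@@ -81,7 +79,6 @@ corenet_tcp_bind_generic_node(matrixd_t)
 corenet_tcp_bind_http_port(matrixd_t)
 corenet_tcp_connect_http_cache_port(matrixd_t)
 corenet_tcp_connect_http_port(matrixd_t)
-
 corenet_udp_bind_generic_node(matrixd_t)
 corenet_udp_bind_generic_port(matrixd_t)
 corenet_udp_bind_reserved_port(matrixd_t)
@@ -91,11 +88,11 @@ dev_read_urand(matrixd_t)
 files_read_etc_files(matrixd_t)
 files_read_etc_runtime_files(matrixd_t)
 files_read_etc_symlinks(matrixd_t)
-
 # for /usr/share/ca-certificates
 files_read_usr_files(matrixd_t)
 
 init_search_runtime(matrixd_t)
+
 logging_send_syslog_msg(matrixd_t)
 
 miscfiles_read_generic_tls_privkey(matrixd_t)
@@ -106,10 +103,6 @@ sysnet_read_config(matrixd_t)
 
 userdom_search_user_runtime_root(matrixd_t)
 
-optional_policy(`
-	apache_search_config(matrixd_t)
-')
-
 tunable_policy(`matrix_allow_federation',`
 	corenet_tcp_connect_all_unreserved_ports(matrixd_t)
 	corenet_tcp_connect_generic_port(matrixd_t)
@@ -124,3 +117,7 @@ tunable_policy(`matrix_postgresql_connect',`
 	postgresql_tcp_connect(matrixd_t)
 ')
 
+optional_policy(`
+	apache_search_config(matrixd_t)
+')
+
\ No newline at end of file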
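Review bot: The explicit `allow matrixd_t matrixd_var_t:file map;` dropped in the `@@ -56,16 +55,15 @@` hunk is presumably carried by the new `mmap_manage_files_pattern(matrixd_t, matrixd_var_t, matrixd_var_t)`, which is what the mmap_* file patterns exist for, but it is worth confirming against the file_patterns definition in this tree, because a lost `map` on the data directory would only show up later as an AVC denial rather than at build time. In the same hunk `manage_dirs_pattern(...)` replaces `allow matrixd_t matrixd_var_t:dir manage_dir_perms;`; the pattern additionally grants search on its second argument, which here is the same type, so no permission is widened. A short why-comment above the mmap_manage line would help the next reader, e.g. `# /var/lib/matrix-synapse state; map kept from the previous explicit rule`. The final hunk ends with an added empty line flagged `\ No newline at end of file`, which on a rendering that trims whitespace usually means a whitespace-only line at EOF; dropping it so the file ends with `')` followed by a newline keeps the file tidy.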