| 1 |
commit: 4234b23d214dd8b53dd631560f9c98778f1c9ac5 |
| 2 |
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org> |
| 3 |
AuthorDate: Fri Feb 18 18:46:24 2022 +0000 |
| 4 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
| 5 |
CommitDate: Sun Feb 27 02:13:17 2022 +0000 |
| 6 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4234b23d |
| 7 |
|
| 8 |
matrixd: Cleanups. |
| 9 |
|
| 10 |
Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org> |
| 11 |
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org> |
| 12 |
|
| 13 |
policy/modules/services/matrixd.fc | 6 ++++-- |
| 14 |
policy/modules/services/matrixd.if | 2 +- |
| 15 |
policy/modules/services/matrixd.te | 35 ++++++++++++++++------------------- |
| 16 |
3 files changed, 21 insertions(+), 22 deletions(-) |
| 17 |
|
| 18 |
diff --git a/policy/modules/services/matrixd.fc b/policy/modules/services/matrixd.fc |
| 19 |
index b59b1c75..6db2d7ed 100644 |
| 20 |
--- a/policy/modules/services/matrixd.fc |
| 21 |
+++ b/policy/modules/services/matrixd.fc |
| 22 |
@@ -1,4 +1,6 @@ |
| 23 |
-/var/lib/matrix-synapse(/.*)? gen_context(system_u:object_r:matrixd_var_t,s0) |
| 24 |
-/var/log/matrix-synapse(/.*)? gen_context(system_u:object_r:matrixd_log_t,s0) |
| 25 |
/etc/matrix-synapse(/.*)? gen_context(system_u:object_r:matrixd_conf_t,s0) |
| 26 |
+ |
| 27 |
/usr/bin/synctl -- gen_context(system_u:object_r:matrixd_exec_t,s0) |
| 28 |
+ |
| 29 |
+/var/lib/matrix-synapse(/.*)? gen_context(system_u:object_r:matrixd_var_t,s0) |
| 30 |
+/var/log/matrix-synapse(/.*)? gen_context(system_u:object_r:matrixd_log_t,s0) |
| 31 |
|
| 32 |
diff --git a/policy/modules/services/matrixd.if b/policy/modules/services/matrixd.if |
| 33 |
index f1eff5f0..8cf2a845 100644 |
| 34 |
--- a/policy/modules/services/matrixd.if |
| 35 |
+++ b/policy/modules/services/matrixd.if |
| 36 |
@@ -1 +1 @@ |
| 37 |
-## <summary>Matrixd</summary> |
| 38 |
+## <summary>matrix.org synapse reference server.</summary> |
| 39 |
|
| 40 |
diff --git a/policy/modules/services/matrixd.te b/policy/modules/services/matrixd.te |
| 41 |
index 5c217678..2c7f384c 100644 |
| 42 |
--- a/policy/modules/services/matrixd.te |
| 43 |
+++ b/policy/modules/services/matrixd.te |
| 44 |
@@ -1,4 +1,4 @@ |
| 45 |
-policy_module(matrixd, 1.0.0) |
| 46 |
+policy_module(matrixd) |
| 47 |
|
| 48 |
######################################## |
| 49 |
# |
| 50 |
@@ -20,23 +20,22 @@ gen_tunable(matrix_allow_federation, true) |
| 51 |
## </desc> |
| 52 |
gen_tunable(matrix_postgresql_connect, false) |
| 53 |
|
| 54 |
- |
| 55 |
type matrixd_t; |
| 56 |
type matrixd_exec_t; |
| 57 |
init_daemon_domain(matrixd_t, matrixd_exec_t) |
| 58 |
|
| 59 |
-type matrixd_var_t; |
| 60 |
-files_type(matrixd_var_t) |
| 61 |
+type matrixd_conf_t; |
| 62 |
+files_config_file(matrixd_conf_t) |
| 63 |
|
| 64 |
type matrixd_log_t; |
| 65 |
logging_log_file(matrixd_log_t) |
| 66 |
|
| 67 |
-type matrixd_conf_t; |
| 68 |
-files_config_file(matrixd_conf_t) |
| 69 |
- |
| 70 |
type matrixd_tmp_t; |
| 71 |
files_tmp_file(matrixd_tmp_t) |
| 72 |
|
| 73 |
+type matrixd_var_t; |
| 74 |
+files_type(matrixd_var_t) |
| 75 |
+ |
| 76 |
######################################## |
| 77 |
# |
| 78 |
# Local policy |
| 79 |
@@ -56,16 +55,15 @@ allow matrixd_t matrixd_tmp_t:file { manage_file_perms map }; |
| 80 |
files_tmp_filetrans(matrixd_t, matrixd_tmp_t, file) |
| 81 |
fs_tmpfs_filetrans(matrixd_t, matrixd_tmp_t, file) |
| 82 |
|
| 83 |
-manage_files_pattern(matrixd_t, matrixd_var_t, matrixd_var_t) |
| 84 |
-files_search_var_lib(matrixd_t) |
| 85 |
-allow matrixd_t matrixd_var_t:file map; |
| 86 |
-allow matrixd_t matrixd_var_t:dir manage_dir_perms; |
| 87 |
+allow matrixd_t matrixd_conf_t:dir list_dir_perms; |
| 88 |
+read_files_pattern(matrixd_t, matrixd_conf_t, matrixd_conf_t) |
| 89 |
|
| 90 |
logging_search_logs(matrixd_t) |
| 91 |
manage_files_pattern(matrixd_t, matrixd_log_t, matrixd_log_t) |
| 92 |
|
| 93 |
-read_files_pattern(matrixd_t, matrixd_conf_t, matrixd_conf_t) |
| 94 |
-allow matrixd_t matrixd_conf_t:dir list_dir_perms; |
| 95 |
+mmap_manage_files_pattern(matrixd_t, matrixd_var_t, matrixd_var_t) |
| 96 |
+manage_dirs_pattern(matrixd_t, matrixd_var_t, matrixd_var_t) |
| 97 |
+files_search_var_lib(matrixd_t) |
| 98 |
|
| 99 |
kernel_read_system_state(matrixd_t) |
| 100 |
kernel_read_vm_overcommit_sysctl(matrixd_t) |
| 101 |
@@ -81,7 +79,6 @@ corenet_tcp_bind_generic_node(matrixd_t) |
| 102 |
corenet_tcp_bind_http_port(matrixd_t) |
| 103 |
corenet_tcp_connect_http_cache_port(matrixd_t) |
| 104 |
corenet_tcp_connect_http_port(matrixd_t) |
| 105 |
- |
| 106 |
corenet_udp_bind_generic_node(matrixd_t) |
| 107 |
corenet_udp_bind_generic_port(matrixd_t) |
| 108 |
corenet_udp_bind_reserved_port(matrixd_t) |
| 109 |
@@ -91,11 +88,11 @@ dev_read_urand(matrixd_t) |
| 110 |
files_read_etc_files(matrixd_t) |
| 111 |
files_read_etc_runtime_files(matrixd_t) |
| 112 |
files_read_etc_symlinks(matrixd_t) |
| 113 |
- |
| 114 |
# for /usr/share/ca-certificates |
| 115 |
files_read_usr_files(matrixd_t) |
| 116 |
|
| 117 |
init_search_runtime(matrixd_t) |
| 118 |
+ |
| 119 |
logging_send_syslog_msg(matrixd_t) |
| 120 |
|
| 121 |
miscfiles_read_generic_tls_privkey(matrixd_t) |
| 122 |
@@ -106,10 +103,6 @@ sysnet_read_config(matrixd_t) |
| 123 |
|
| 124 |
userdom_search_user_runtime_root(matrixd_t) |
| 125 |
|
| 126 |
-optional_policy(` |
| 127 |
- apache_search_config(matrixd_t) |
| 128 |
-') |
| 129 |
- |
| 130 |
tunable_policy(`matrix_allow_federation',` |
| 131 |
corenet_tcp_connect_all_unreserved_ports(matrixd_t) |
| 132 |
corenet_tcp_connect_generic_port(matrixd_t) |
| 133 |
@@ -124,3 +117,7 @@ tunable_policy(`matrix_postgresql_connect',` |
| 134 |
postgresql_tcp_connect(matrixd_t) |
| 135 |
') |
| 136 |
|
| 137 |
+optional_policy(` |
| 138 |
+ apache_search_config(matrixd_t) |
| 139 |
+') |
| 140 |
+ |
| 141 |
\ No newline at end of file |
Archives