
From: Jason Zaman <perfinion@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
Date: Mon, 07 Feb 2022 02:15:03
Message-Id: 1644199765.06fc14861d2845562804a6ffef47402b13fcbad0.perfinion@gentoo
1 commit: 06fc14861d2845562804a6ffef47402b13fcbad0
2 Author: Chris PeBenito <Christopher.PeBenito <AT> microsoft <DOT> com>
3 AuthorDate: Mon Jan 3 21:21:59 2022 +0000
4 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
5 CommitDate: Mon Feb 7 02:09:25 2022 +0000
6 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=06fc1486
7
8 systemd: Additional fixes for fs getattrs.
9
10 This may need to be allowed more broadly.
11
12 Signed-off-by: Chris PeBenito <Christopher.PeBenito <AT> microsoft.com>
13 Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
14
15 policy/modules/system/systemd.te | 36 +++++++++++++++++++++++++++++-------
16 1 file changed, 29 insertions(+), 7 deletions(-)
17
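--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -482,8 +482,7 @@ files_search_all_mountpoints(systemd_generator_t)
 files_list_usr(systemd_generator_t)
 
 fs_list_efivars(systemd_generator_t)
-fs_getattr_cgroup(systemd_generator_t)
-fs_getattr_xattr_fs(systemd_generator_t)
+fs_getattr_all_fs(systemd_generator_t)
 
 init_create_runtime_files(systemd_generator_t)
 init_manage_runtime_dirs(systemd_generator_t)
@@ -695,6 +694,9 @@ files_etc_filetrans(systemd_hw_t, systemd_hwdb_t, file)
 
 files_search_runtime(systemd_hw_t)
 
+fs_getattr_all_fs(systemd_hw_t)
+fs_search_cgroup_dirs(systemd_hw_t)
+
 selinux_get_fs_mount(systemd_hw_t)
 selinux_use_status_page(systemd_hw_t)
 
@@ -822,6 +824,7 @@ fs_read_cgroup_files(systemd_logind_t)
 fs_read_efivarfs_files(systemd_logind_t)
 fs_relabelfrom_tmpfs_dirs(systemd_logind_t)
 fs_unmount_tmpfs(systemd_logind_t)
+fs_getattr_xattr_fs(systemd_logind_t)
 
 logging_send_audit_msgs(systemd_logind_t)
 
@@ -905,7 +908,6 @@ ifdef(`distro_redhat',`
 
 tunable_policy(`systemd_logind_get_bootloader',`
 fs_getattr_dos_fs(systemd_logind_t)
- fs_getattr_xattr_fs(systemd_logind_t)
 fs_list_dos(systemd_logind_t)
 fs_read_dos_files(systemd_logind_t)
 
@@ -1072,8 +1074,8 @@ files_read_etc_files(systemd_networkd_t)
 files_watch_runtime_dirs(systemd_networkd_t)
 files_watch_root_dirs(systemd_networkd_t)
 files_list_runtime(systemd_networkd_t)
-fs_getattr_xattr_fs(systemd_networkd_t)
-fs_getattr_cgroup(systemd_networkd_t)
+
+fs_getattr_all_fs(systemd_networkd_t)
 fs_search_cgroup_dirs(systemd_networkd_t)
 fs_read_nsfs_files(systemd_networkd_t)
 
@@ -1412,6 +1414,9 @@ files_watch_root_dirs(systemd_resolved_t)
 files_watch_runtime_dirs(systemd_resolved_t)
 files_list_runtime(systemd_resolved_t)
 
+fs_getattr_all_fs(systemd_resolved_t)
+fs_search_cgroup_dirs(systemd_resolved_t)
+
 init_dgram_send(systemd_resolved_t)
 
 seutil_read_file_contexts(systemd_resolved_t)
@@ -1462,6 +1467,9 @@ allow systemd_sessions_t self:process setfscreate;
 allow systemd_sessions_t systemd_sessions_runtime_t:file manage_file_perms;
 files_runtime_filetrans(systemd_sessions_t, systemd_sessions_runtime_t, file)
 
+fs_getattr_all_fs(systemd_sessions_t)
+fs_search_cgroup_dirs(systemd_sessions_t)
+
 kernel_read_kernel_sysctls(systemd_sessions_t)
 kernel_dontaudit_getattr_proc(systemd_sessions_t)
 
@@ -1491,6 +1499,9 @@ kernel_dontaudit_getattr_proc(systemd_sysctl_t)
 
 files_read_etc_files(systemd_sysctl_t)
 
+fs_getattr_all_fs(systemd_sysctl_t)
+fs_search_cgroup_dirs(systemd_sysctl_t)
+
 systemd_log_parse_environment(systemd_sysctl_t)
 
 #########################################
@@ -1504,6 +1515,9 @@ allow systemd_sysusers_t self:unix_dgram_socket sendto;
 
 files_manage_etc_files(systemd_sysusers_t)
 
+fs_getattr_all_fs(systemd_sysusers_t)
+fs_search_cgroup_dirs(systemd_sysusers_t)
+
 kernel_read_kernel_sysctls(systemd_sysusers_t)
 
 selinux_use_status_page(systemd_sysusers_t)
@@ -1587,10 +1601,10 @@ files_setattr_lock_dirs(systemd_tmpfiles_t)
 # for /etc/mtab
 files_manage_etc_symlinks(systemd_tmpfiles_t)
 
-fs_getattr_tmpfs(systemd_tmpfiles_t)
-fs_getattr_xattr_fs(systemd_tmpfiles_t)
 fs_list_tmpfs(systemd_tmpfiles_t)
 fs_relabelfrom_tmpfs_dirs(systemd_tmpfiles_t)
+fs_getattr_all_fs(systemd_tmpfiles_t)
+fs_search_cgroup_dirs(systemd_tmpfiles_t)
 
 selinux_get_fs_mount(systemd_tmpfiles_t)
 selinux_use_status_page(systemd_tmpfiles_t)
@@ -1679,6 +1693,9 @@ allow systemd_update_done_t systemd_update_run_t:file manage_file_perms;
 files_etc_filetrans(systemd_update_done_t, systemd_update_run_t, file)
 files_var_filetrans(systemd_update_done_t, systemd_update_run_t, file)
 
+fs_getattr_all_fs(systemd_update_done_t)
+fs_search_cgroup_dirs(systemd_update_done_t)
+
 kernel_read_kernel_sysctls(systemd_update_done_t)
 
 selinux_use_status_page(systemd_update_done_t)
@@ -1787,8 +1804,12 @@ files_read_etc_files(systemd_userdbd_t)
 files_read_etc_runtime_files(systemd_userdbd_t)
 files_read_usr_files(systemd_userdbd_t)
 
+fs_getattr_all_fs(systemd_userdbd_t)
+fs_search_cgroup_dirs(systemd_userdbd_t)
 fs_read_efivarfs_files(systemd_userdbd_t)
 
+kernel_read_system_state(systemd_userdbd_t)
+
 init_stream_connect(systemd_userdbd_t)
 init_search_runtime(systemd_userdbd_t)
 init_read_state(systemd_userdbd_t)
@@ -1819,6 +1840,7 @@ fs_unmount_tmpfs(systemd_user_runtime_dir_t)
 fs_relabelfrom_tmpfs_dirs(systemd_user_runtime_dir_t)
 fs_read_cgroup_files(systemd_user_runtime_dir_t)
 fs_getattr_cgroup(systemd_user_runtime_dir_t)
+fs_getattr_xattr_fs(systemd_user_runtime_dir_t)
 
 kernel_read_kernel_sysctls(systemd_user_runtime_dir_t)
 kernel_dontaudit_getattr_proc(systemd_user_runtime_dir_t)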
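Review bot: The systemd_userdbd_t hunk (`@@ -1787,8 +1804,12 @@`) adds `kernel_read_system_state(systemd_userdbd_t)`, which is not a filesystem getattr and is not covered by the commit message, so a reader of the policy cannot tell what access motivated it; a one-line comment in the file's existing style (compare `# for /etc/mtab` in the tmpfiles hunk) would fix that, e.g. `# userdbd reads system state under /proc (TODO: record which file produced the denial)`. More broadly, the generator, networkd and tmpfiles hunks replace the narrow `fs_getattr_xattr_fs`/`fs_getattr_cgroup` (and `fs_getattr_tmpfs`) pairs with `fs_getattr_all_fs`, which as far as I recall grants getattr on every type carrying the filesystem_type attribute, while the logind and user_runtime_dir hunks instead add the narrow `fs_getattr_xattr_fs`; the description says this "may need to be allowed more broadly", so it is worth stating in the commit or a comment whether the broad form is the intended end state so the two patterns do not drift between domains. Note also that the two logind hunks move `fs_getattr_xattr_fs` out of the `systemd_logind_get_bootloader` tunable into the unconditional rules, so that getattr is no longer gated by the boolean; that is probably fine for a basic statfs but should be called out as intentional.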