commit: 95b1ba94ad4c7ce6466bd54c4afd73a4a23c36b8 |
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org> |
AuthorDate: Sat Mar 25 17:45:37 2017 +0000 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
CommitDate: Thu Mar 30 11:46:17 2017 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=95b1ba94 |
|
another version of systemd cgroups hostnamed and logind |
|
From Russell Coker |
|
policy/modules/kernel/devices.if | 18 ++++++ |
policy/modules/kernel/devices.te | 2 +- |
policy/modules/kernel/filesystem.if | 18 ++++++ |
policy/modules/kernel/filesystem.te | 2 +- |
policy/modules/services/xserver.if | 38 +++++++++++++ |
policy/modules/services/xserver.te | 2 +- |
policy/modules/system/systemd.te | 108 +++++++++++++++++++++++++++++++----- |
policy/modules/system/udev.if | 19 +++++++ |
policy/modules/system/udev.te | 2 +- |
policy/modules/system/userdomain.if | 76 +++++++++++++++++++++++++ |
policy/modules/system/userdomain.te | 2 +- |
11 files changed, 267 insertions(+), 20 deletions(-) |
|
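--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -4949,6 +4949,24 @@ interface(`dev_rw_wireless',`
 
 ########################################
 ## <summary>
+## manage the wireless device.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_manage_wireless',`
+ gen_require(`
+ type device_t, wireless_device_t;
+ ')
+
+ manage_chr_files_pattern($1, device_t, wireless_device_t)
+')
+
+########################################
+## <summary>
 ## Read and write Xen devices.
 ## </summary>
 ## <param name="domain">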
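Review bot: `dev_manage_wireless` grants `manage_chr_files_pattern`, i.e. create, unlink, rename and setattr on wireless device nodes, while its summary `## manage the wireless device.` does not say so, and the only caller this commit adds is systemd_logind_t in systemd.te. If logind only needs to open and ioctl the node (presumably /dev/rfkill), the existing `dev_rw_wireless`, whose header is visible at the top of this hunk, is the tighter grant and the new interface is unnecessary; this is worth confirming against the denials that motivated it before keeping the broader one. The summary should also follow the file's sentence style, e.g. `## Create, read, write, and delete wireless devices.`.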
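--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -1,4 +1,4 @@
-policy_module(devices, 1.20.4)
+policy_module(devices, 1.20.5)
 
 ########################################
 #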
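--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -4271,6 +4271,24 @@ interface(`fs_dontaudit_write_tmpfs_dirs',`
 
 ########################################
 ## <summary>
+## Relabel from tmpfs_t dir
+## </summary>
+## <param name="type">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fs_relabelfrom_tmpfs_dirs',`
+ gen_require(`
+ type tmpfs_t;
+ ')
+
+ allow $1 tmpfs_t:dir relabelfrom;
+')
+
+########################################
+## <summary>
 ## Relabel directory on tmpfs filesystems.
 ## </summary>
 ## <param name="domain">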
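Review bot: The parameter block of `fs_relabelfrom_tmpfs_dirs` is named `type` but described as `Domain allowed access.`, and the sibling interfaces in this file (including the one that follows it in the hunk) name it `domain`; change `+## <param name="type">` to `+## <param name="domain">` so the generated interface documentation stays consistent. The summary `## Relabel from tmpfs_t dir` would read better in the file's style as `## Relabel from tmpfs directories.`.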
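--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -1,4 +1,4 @@
-policy_module(filesystem, 1.22.4)
+policy_module(filesystem, 1.22.5)
 
 ########################################
 #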
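--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -1331,6 +1331,25 @@ interface(`xserver_kill',`
 
 ########################################
 ## <summary>
+## Allow reading xserver_t files to get cgroup and sessionid
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_read_state',`
+ gen_require(`
+ type xserver_t;
+ ')
+
+ allow $1 xserver_t:dir search;
+ allow $1 xserver_t:file read_file_perms;
+')
+
+########################################
+## <summary>
 ## Read and write X server Sys V Shared
 ## memory segments.
 ## </summary>
@@ -1427,6 +1446,25 @@ interface(`xserver_read_tmp_files',`
 
 ########################################
 ## <summary>
+## talk to xserver_t by dbus
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_dbus_chat',`
+ gen_require(`
+ type xserver_t;
+ ')
+
+ allow $1 xserver_t:dbus send_msg;
+ allow xserver_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
 ## Interface to provide X object permissions on a given X server to
 ## an X client domain. Gives the domain permission to read the
 ## virtual core keyboard and virtual core pointer devices.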
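Review bot: `xserver_dbus_chat` only requires `type xserver_t;` in its gen_require, whereas the other *_dbus_chat interfaces in refpolicy also list the object class they use; add `+ class dbus send_msg;` under the type line so the requirement block matches the rules that follow it. In the first hunk, `xserver_read_state` open-codes `dir search` and `file read_file_perms` on xserver_t for what the summary describes as process state (cgroup and sessionid, i.e. the /proc entries); the conventional form is `kernel_search_proc($1)` followed by `read_files_pattern($1, xserver_t, xserver_t)`, as the existing *_read_state interfaces do. Both new summaries should be capitalised sentences, e.g. `## Send and receive messages from the X server over dbus.` and `## Read the process state of the X server.`.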
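--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -1,4 +1,4 @@
-policy_module(xserver, 3.13.3)
+policy_module(xserver, 3.13.4)
 
 gen_require(`
 class x_drawable all_x_drawable_perms;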
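--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1,4 +1,4 @@
-policy_module(systemd, 1.3.12)
+policy_module(systemd, 1.3.13)
 
 #########################################
 #
@@ -199,14 +199,22 @@ fs_register_binary_executable_type(systemd_binfmt_t)
 # Cgroups local policy
 #
 
+allow systemd_cgroups_t self:capability net_admin;
+
 kernel_domtrans_to(systemd_cgroups_t, systemd_cgroups_exec_t)
 kernel_dgram_send(systemd_cgroups_t)
+# for /proc/cmdline
+kernel_read_system_state(systemd_cgroups_t)
 
 selinux_getattr_fs(systemd_cgroups_t)
 
 # write to /run/systemd/cgroups-agent
 init_dgram_send(systemd_cgroups_t)
 init_stream_connect(systemd_cgroups_t)
+# for /proc/1/environ
+init_read_state(systemd_cgroups_t)
+
+seutil_libselinux_linked(systemd_cgroups_t)
 
 systemd_log_parse_environment(systemd_cgroups_t)
 
@@ -255,6 +263,8 @@ seutil_search_default_contexts(systemd_coredump_t)
 
 kernel_read_kernel_sysctls(systemd_hostnamed_t)
 
+dev_read_sysfs(systemd_hostnamed_t)
+
 files_read_etc_files(systemd_hostnamed_t)
 
 seutil_read_file_contexts(systemd_hostnamed_t)
@@ -262,8 +272,12 @@ seutil_read_file_contexts(systemd_hostnamed_t)
 systemd_log_parse_environment(systemd_hostnamed_t)
 
 optional_policy(`
- dbus_system_bus_client(systemd_hostnamed_t)
 dbus_connect_system_bus(systemd_hostnamed_t)
+ dbus_system_bus_client(systemd_hostnamed_t)
+')
+
+optional_policy(`
+ networkmanager_dbus_chat(systemd_hostnamed_t)
 ')
 
 #######################################
@@ -307,8 +321,8 @@ logging_send_syslog_msg(systemd_log_parse_env_type)
 # Logind local policy
 #
 
-allow systemd_logind_t self:capability { chown dac_override fowner sys_tty_config };
-allow systemd_logind_t self:process getcap;
+allow systemd_logind_t self:capability { chown dac_override fowner sys_admin sys_tty_config };
+allow systemd_logind_t self:process { getcap setfscreate };
 allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms;
 allow systemd_logind_t self:unix_dgram_socket create_socket_perms;
 allow systemd_logind_t self:fifo_file rw_fifo_file_perms;
@@ -318,51 +332,115 @@ init_var_lib_filetrans(systemd_logind_t, systemd_logind_var_lib_t, dir)
 
 manage_fifo_files_pattern(systemd_logind_t, systemd_logind_var_run_t, systemd_logind_var_run_t)
 manage_files_pattern(systemd_logind_t, systemd_logind_var_run_t, systemd_logind_var_run_t)
-files_search_pids(systemd_logind_t)
+allow systemd_logind_t systemd_logind_var_run_t:dir manage_dir_perms;
+init_pid_filetrans(systemd_logind_t, systemd_logind_var_run_t, dir, "inhibit")
 
-kernel_read_kernel_sysctls(systemd_logind_t)
+allow systemd_logind_t systemd_sessions_var_run_t:dir manage_dir_perms;
+allow systemd_logind_t systemd_sessions_var_run_t:file manage_file_perms;
+allow systemd_logind_t systemd_sessions_var_run_t:fifo_file manage_fifo_file_perms;
 
-auth_manage_faillog(systemd_logind_t)
+kernel_read_kernel_sysctls(systemd_logind_t)
 
-dev_rw_sysfs(systemd_logind_t)
-dev_rw_input_dev(systemd_logind_t)
 dev_getattr_dri_dev(systemd_logind_t)
-dev_setattr_dri_dev(systemd_logind_t)
+dev_getattr_kvm_dev(systemd_logind_t)
 dev_getattr_sound_dev(systemd_logind_t)
+dev_manage_wireless(systemd_logind_t)
+dev_read_urand(systemd_logind_t)
+dev_rw_dri(systemd_logind_t)
+dev_rw_input_dev(systemd_logind_t)
+dev_rw_sysfs(systemd_logind_t)
+dev_setattr_dri_dev(systemd_logind_t)
+dev_setattr_kvm_dev(systemd_logind_t)
 dev_setattr_sound_dev(systemd_logind_t)
 
+domain_obj_id_change_exemption(systemd_logind_t)
+
 files_read_etc_files(systemd_logind_t)
+files_search_pids(systemd_logind_t)
 
+fs_getattr_cgroup(systemd_logind_t)
+fs_getattr_tmpfs(systemd_logind_t)
+fs_getattr_tmpfs_dirs(systemd_logind_t)
+fs_list_tmpfs(systemd_logind_t)
+fs_mount_tmpfs(systemd_logind_t)
+fs_read_cgroup_files(systemd_logind_t)
 fs_read_efivarfs_files(systemd_logind_t)
+fs_relabelfrom_tmpfs_dirs(systemd_logind_t)
+fs_unmount_tmpfs(systemd_logind_t)
 
-fs_getattr_tmpfs(systemd_logind_t)
+selinux_get_enforce_mode(systemd_logind_t)
 
 storage_getattr_removable_dev(systemd_logind_t)
-storage_setattr_removable_dev(systemd_logind_t)
 storage_getattr_scsi_generic_dev(systemd_logind_t)
+storage_setattr_removable_dev(systemd_logind_t)
 storage_setattr_scsi_generic_dev(systemd_logind_t)
 
+term_setattr_unallocated_ttys(systemd_logind_t)
 term_use_unallocated_ttys(systemd_logind_t)
 
+auth_manage_faillog(systemd_logind_t)
+
+init_dbus_send_script(systemd_logind_t)
 init_get_all_units_status(systemd_logind_t)
+init_get_system_status(systemd_logind_t)
+init_service_start(systemd_logind_t)
+init_service_status(systemd_logind_t)
 init_start_all_units(systemd_logind_t)
 init_stop_all_units(systemd_logind_t)
-init_service_status(systemd_logind_t)
-init_service_start(systemd_logind_t)
+init_start_system(systemd_logind_t)
+init_stop_system(systemd_logind_t)
 
 locallogin_read_state(systemd_logind_t)
 
+seutil_libselinux_linked(systemd_logind_t)
+seutil_read_default_contexts(systemd_logind_t)
+seutil_read_file_contexts(systemd_logind_t)
+
 systemd_log_parse_environment(systemd_logind_t)
 systemd_start_power_units(systemd_logind_t)
 
+udev_list_pids(systemd_logind_t)
 udev_read_db(systemd_logind_t)
 udev_read_pid_files(systemd_logind_t)
 
+userdom_manage_user_runtime_dirs(systemd_logind_t)
+userdom_manage_user_runtime_root_dirs(systemd_logind_t)
+userdom_mounton_user_runtime_dirs(systemd_logind_t)
+userdom_read_all_users_state(systemd_logind_t)
+userdom_relabel_user_tmpfs_dirs(systemd_logind_t)
+userdom_relabel_user_tmpfs_files(systemd_logind_t)
+userdom_relabelfrom_user_runtime_dirs(systemd_logind_t)
+userdom_relabelto_user_runtime_dirs(systemd_logind_t)
+userdom_setattr_user_ttys(systemd_logind_t)
+userdom_delete_user_runtime_files(systemd_logind_t)
 userdom_use_user_ttys(systemd_logind_t)
 
 optional_policy(`
- dbus_system_bus_client(systemd_logind_t)
 dbus_connect_system_bus(systemd_logind_t)
+ dbus_system_bus_client(systemd_logind_t)
+')
+
+optional_policy(`
+ devicekit_dbus_chat_power(systemd_logind_t)
+')
+
+optional_policy(`
+ networkmanager_dbus_chat(systemd_logind_t)
+')
+
+optional_policy(`
+ policykit_dbus_chat(systemd_logind_t)
+')
+
+optional_policy(`
+ xserver_read_state(systemd_logind_t)
+ xserver_dbus_chat(systemd_logind_t)
+ xserver_dbus_chat_xdm(systemd_logind_t)
+ xserver_read_xdm_state(systemd_logind_t)
+')
+
+optional_policy(`
+ unconfined_dbus_send(systemd_logind_t)
 ')
 
 #########################################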
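Review bot: The two new capability grants, `allow systemd_cgroups_t self:capability net_admin;` in the cgroups hunk and `sys_admin` added to the systemd_logind_t capability set in the logind hunk, carry no justification, although the same hunks annotate far weaker additions (`# for /proc/cmdline`, `# for /proc/1/environ`). net_admin on a cgroups agent is typically provoked by sd-bus setting SO_SNDBUFFORCE/SO_RCVBUFFORCE on its socket, a request that degrades gracefully when refused; if the audit log that motivated this shows that call, the usual refpolicy answer is a `dontaudit` rather than an allow. sys_admin on logind is presumably for mounting the per-user runtime tmpfs, which fits the `fs_mount_tmpfs`, `fs_unmount_tmpfs` and `userdom_mounton_user_runtime_dirs` lines in the same hunk; either way the reason belongs next to the rule, e.g. `# sys_admin: mount/umount of the per-user runtime tmpfs` above the capability line. The final optional block `unconfined_dbus_send(systemd_logind_t)` likewise deserves a one-line comment naming the unconfined client it serves.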
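--- a/policy/modules/system/udev.if
+++ b/policy/modules/system/udev.if
@@ -354,6 +354,25 @@ interface(`udev_search_pids',`
 
 ########################################
 ## <summary>
+## list udev pid content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`udev_list_pids',`
+ gen_require(`
+ type udev_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 udev_var_run_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
 ## Create, read, write, and delete
 ## udev run directories
 ## </summary>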
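Review bot: The summary of `udev_list_pids`, `## list udev pid content`, is lower-case shorthand where the sibling interfaces in this file describe the access as a sentence; `## List the contents of udev runtime (pid) directories.` matches the style of `udev_search_pids` above it and the manage interface below. The body itself (`files_search_pids($1)` plus `list_dir_perms` on udev_var_run_t) follows the usual search-then-list pattern and needs no change.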
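--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -1,4 +1,4 @@
-policy_module(udev, 1.21.4)
+policy_module(udev, 1.21.5)
 
 ########################################
 #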
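--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -2849,6 +2849,45 @@ interface(`userdom_tmp_filetrans_user_tmp',`
 
 ########################################
 ## <summary>
+## relabel to/from user tmpfs dirs
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_relabel_user_tmpfs_dirs',`
+ gen_require(`
+ type user_tmpfs_t;
+ ')
+
+ allow $1 user_tmpfs_t:dir { list_dir_perms relabelto relabelfrom };
+ fs_search_tmpfs($1)
+')
+
+########################################
+## <summary>
+## relabel to/from user tmpfs files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_relabel_user_tmpfs_files',`
+ gen_require(`
+ type user_tmpfs_t;
+ ')
+
+ allow $1 user_tmpfs_t:dir list_dir_perms;
+ allow $1 user_tmpfs_t:file { relabelto relabelfrom };
+ fs_search_tmpfs($1)
+')
+
+########################################
+## <summary>
 ## Search users runtime directories.
 ## </summary>
 ## <param name="domain">
@@ -2964,6 +3003,43 @@ interface(`userdom_relabelto_user_runtime_dirs',`
 
 ########################################
 ## <summary>
+## Relabel from user runtime directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_relabelfrom_user_runtime_dirs',`
+ gen_require(`
+ type user_runtime_t;
+ ')
+
+ allow $1 user_runtime_t:dir relabelfrom;
+')
+
+########################################
+## <summary>
+## delete user runtime files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_delete_user_runtime_files',`
+ gen_require(`
+ type user_runtime_t;
+ ')
+
+ allow $1 user_runtime_t:dir list_dir_perms;
+ allow $1 user_runtime_t:file unlink;
+')
+
+########################################
+## <summary>
 ## Create objects in the pid directory
 ## with an automatic type transition to
 ## the user runtime root type.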
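Review bot: `userdom_delete_user_runtime_files` in the second hunk cannot delete anything on its own: `allow $1 user_runtime_t:dir list_dir_perms;` lacks the `write` and `remove_name` directory permissions that unlinking an entry requires, so a caller that does not obtain them elsewhere will still be denied (systemd_logind_t happens to get them via `userdom_manage_user_runtime_dirs` in the same commit, which masks the gap). Replace the two allow lines with `delete_files_pattern($1, user_runtime_t, user_runtime_t)`, which grants the matching directory and file permissions in the form used throughout refpolicy. The lower-case summaries (`relabel to/from user tmpfs dirs`, `relabel to/from user tmpfs files`, `delete user runtime files`) should also be capitalised sentences like `## Relabel from user runtime directories.` next to them, e.g. `## Delete user runtime files.`.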
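--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -1,4 +1,4 @@
-policy_module(userdomain, 4.13.4)
+policy_module(userdomain, 4.13.5)
 
 ########################################
 #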