
From: Jason Zaman <perfinion@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/, policy/modules/apps/
Date: Sun, 07 Feb 2021 03:20:50
Message-Id: 1612646109.758c98fc22b0795287736330c416d9f3e03fdf00.perfinion@gentoo
1 commit: 758c98fc22b0795287736330c416d9f3e03fdf00
2 Author: Russell Coker <russell <AT> coker <DOT> com <DOT> au>
3 AuthorDate: Tue Feb 2 14:55:38 2021 +0000
4 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
5 CommitDate: Sat Feb 6 21:15:09 2021 +0000
6 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=758c98fc
7
8 misc apps and admin patches
9
10 Send again without the section Dominick didn't like. I think it's ready for inclusion.
11
12 Signed-off-by: Russell Coker <russell <AT> coker.com.au>
13 Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
14
15 policy/modules/admin/apt.fc | 4 +++-
16 policy/modules/admin/apt.te | 8 ++++++++
17 policy/modules/admin/bootloader.te | 3 +++
18 policy/modules/admin/logrotate.te | 2 ++
19 policy/modules/apps/games.te | 14 ++++++++++++++
20 policy/modules/apps/mplayer.if | 2 +-
21 policy/modules/apps/mplayer.te | 7 ++++++-
22 7 files changed, 37 insertions(+), 3 deletions(-)
23
24 diff --git a/policy/modules/admin/apt.fc b/policy/modules/admin/apt.fc
25 index 8a539f06..66fec023 100644
26 --- a/policy/modules/admin/apt.fc
27 +++ b/policy/modules/admin/apt.fc
28 @@ -5,6 +5,8 @@
29 /usr/bin/apt-shell -- gen_context(system_u:object_r:apt_exec_t,s0)
30 /usr/bin/aptitude -- gen_context(system_u:object_r:apt_exec_t,s0)
31 /usr/sbin/update-apt-xapian-index -- gen_context(system_u:object_r:apt_exec_t,s0)
32 +/usr/share/unattended-upgrades/unattended-upgrade-shutdown -- gen_context(system_u:object_r:apt_exec_t,s0)
33 +/usr/bin/unattended-upgrade -- gen_context(system_u:object_r:apt_exec_t,s0)
34
35 ifndef(`distro_redhat',`
36 /usr/sbin/synaptic -- gen_context(system_u:object_r:apt_exec_t,s0)
37 @@ -23,5 +25,5 @@ ifndef(`distro_redhat',`
38 /var/lock/aptitude gen_context(system_u:object_r:apt_lock_t,s0)
39
40 /var/log/aptitude.* gen_context(system_u:object_r:apt_var_log_t,s0)
41 -
42 +/var/log/unattended-upgrades(/.*) gen_context(system_u:object_r:apt_var_log_t,s0)
43 /var/log/apt(/.*)? gen_context(system_u:object_r:apt_var_log_t,s0)
44
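Review bot: The added file context `/var/log/unattended-upgrades(/.*)` is missing the trailing `?` that the neighbouring `/var/log/apt(/.*)?` entry has, so the regex matches only the directory's contents and never the directory `/var/log/unattended-upgrades` itself, which keeps whatever label it inherits from /var/log and leaves apt_t unable to create files in it under the intended type. The line should read `/var/log/unattended-upgrades(/.*)? gen_context(system_u:object_r:apt_var_log_t,s0)`. A `restorecon -Rv /var/log/unattended-upgrades` after the fix shows the mismatch on the directory entry.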
45 diff --git a/policy/modules/admin/apt.te b/policy/modules/admin/apt.te
46 index 841b8c4f..8e5f72b7 100644
47 --- a/policy/modules/admin/apt.te
48 +++ b/policy/modules/admin/apt.te
49 @@ -154,6 +154,10 @@ optional_policy(`
50 dpkg_lock_db(apt_t)
51 ')
52
53 +optional_policy(`
54 + networkmanager_dbus_chat(apt_t)
55 +')
56 +
57 optional_policy(`
58 nis_use_ypbind(apt_t)
59 ')
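Review bot: Neither `networkmanager_dbus_chat(apt_t)` here nor `systemd_dbus_chat_logind(apt_t)` in the next hunk carries a rationale, and the commit message ("misc apps and admin patches") gives none. The dbus_chat interfaces are bidirectional, so apt_t can now originate D-Bus requests to NetworkManager and logind rather than only reply to them; presumably this serves unattended-upgrade-shutdown, which the apt.fc change in this commit labels apt_exec_t, but that is inferred. A one-line comment above each block, for example `# unattended-upgrades: D-Bus access to NetworkManager / logind (confirm which calls are used)`, would record the reason for later reviewers.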
60 @@ -168,6 +172,10 @@ optional_policy(`
61 rpm_domtrans(apt_t)
62 ')
63
64 +optional_policy(`
65 + systemd_dbus_chat_logind(apt_t)
66 +')
67 +
68 optional_policy(`
69 unconfined_domain(apt_t)
70 ')
71
72 diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
73 index 172e5157..78b34125 100644
74 --- a/policy/modules/admin/bootloader.te
75 +++ b/policy/modules/admin/bootloader.te
76 @@ -186,6 +186,9 @@ ifdef(`distro_debian',`
77
78 dpkg_read_db(bootloader_t)
79 dpkg_rw_pipes(bootloader_t)
80 +
81 + apt_use_fds(bootloader_t)
82 + apt_use_ptys(bootloader_t)
83 ')
84
85 ifdef(`distro_redhat',`
86
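Review bot: `apt_use_fds(bootloader_t)` and `apt_use_ptys(bootloader_t)` are called bare inside the distro_debian ifdef rather than inside an `optional_policy()` wrapper, so a Debian build that omits the apt module fails to resolve them. This matches the unwrapped `dpkg_read_db`/`dpkg_rw_pipes` calls above, so it is consistent with the surrounding code; if apt is treated as optional elsewhere (apt.te itself wraps its own peers in optional_policy), wrapping the two new calls in `optional_policy(...)` would be the safer form. The ifdef block begins before this hunk, as the hunk header shows.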
87 diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te
88 index 7169d260..c13f0a73 100644
89 --- a/policy/modules/admin/logrotate.te
90 +++ b/policy/modules/admin/logrotate.te
91 @@ -121,6 +121,7 @@ logging_send_syslog_msg(logrotate_t)
92 logging_send_audit_msgs(logrotate_t)
93 logging_exec_all_logs(logrotate_t)
94
95 +miscfiles_read_generic_certs(logrotate_t)
96 miscfiles_read_localization(logrotate_t)
97
98 seutil_dontaudit_read_config(logrotate_t)
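Review bot: `miscfiles_read_generic_certs(logrotate_t)` lets logrotate_t read the system certificate store with no stated reason, and a log rotation tool has no obvious need for TLS trust anchors. The grant is low-risk in itself, since generic certs are public, but if the motivating denial came from a postrotate script running a TLS-using helper, a dedicated domain transition for that helper — as the second hunk in this file does with `samba_domtrans_smbcontrol` — keeps the permission out of logrotate_t. If it is genuinely needed, a comment such as `# helpers run from postrotate scripts may load the system CA store (confirm)` should say so.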
99 @@ -242,6 +243,7 @@ optional_policy(`
100 ')
101
102 optional_policy(`
103 + samba_domtrans_smbcontrol(logrotate_t)
104 samba_exec_log(logrotate_t)
105 ')
106
107
108 diff --git a/policy/modules/apps/games.te b/policy/modules/apps/games.te
109 index 1de63166..c66b382b 100644
110 --- a/policy/modules/apps/games.te
111 +++ b/policy/modules/apps/games.te
112 @@ -111,9 +111,11 @@ fs_tmpfs_filetrans(games_t, games_tmpfs_t, { file lnk_file sock_file fifo_file }
113
114 can_exec(games_t, games_exec_t)
115
116 +kernel_read_kernel_sysctls(games_t)
117 kernel_read_system_state(games_t)
118
119 corecmd_exec_bin(games_t)
120 +corecmd_exec_shell(games_t)
121
122 corenet_all_recvfrom_netlabel(games_t)
123 corenet_tcp_sendrecv_generic_if(games_t)
124 @@ -146,6 +148,7 @@ init_dontaudit_rw_utmp(games_t)
125
126 logging_dontaudit_search_logs(games_t)
127
128 +miscfiles_read_generic_certs(games_t)
129 miscfiles_read_man_pages(games_t)
130 miscfiles_read_localization(games_t)
131
132 @@ -161,9 +164,15 @@ tunable_policy(`allow_execmem',`
133 allow games_t self:process execmem;
134 ')
135
136 +optional_policy(`
137 + alsa_read_config(games_t)
138 +')
139 +
140 optional_policy(`
141 dbus_all_session_bus_client(games_t)
142 dbus_connect_all_session_bus(games_t)
143 + dbus_read_lib_files(games_t)
144 + dbus_system_bus_client(games_t)
145 ')
146
147 optional_policy(`
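Review bot: `dbus_system_bus_client(games_t)` connects games_t to the system bus daemon but names no system-bus peer, whereas the session-bus lines directly above pair the client grant with `dbus_connect_all_session_bus`. On its own the new line gets games_t onto the bus and then denied `send_msg` to whichever system service it actually wants, so if the motivating AVC involved a particular service, that service's `*_dbus_chat` interface is the missing piece; if reaching the daemon alone suffices, a comment naming the service contacted would explain the grant. The same lack of rationale applies to `corecmd_exec_shell(games_t)` in the first hunk of this file.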
148 @@ -174,6 +183,11 @@ optional_policy(`
149 pulseaudio_run(games_t, games_roles)
150 ')
151
152 +optional_policy(`
153 + xdg_read_config_files(games_t)
154 + xdg_read_data_files(games_t)
155 +')
156 +
157 optional_policy(`
158 xserver_user_x_domain_template(games, games_t, games_tmpfs_t)
159 xserver_create_xdm_tmp_sockets(games_t)
160
161 diff --git a/policy/modules/apps/mplayer.if b/policy/modules/apps/mplayer.if
162 index 861d5e97..62643bcf 100644
163 --- a/policy/modules/apps/mplayer.if
164 +++ b/policy/modules/apps/mplayer.if
165 @@ -38,7 +38,7 @@ interface(`mplayer_role',`
166 domtrans_pattern($2, mencoder_exec_t, mencoder_t)
167 domtrans_pattern($2, mplayer_exec_t, mplayer_t)
168
169 - allow $2 { mplayer_t mencoder_t }:process { ptrace signal_perms };
170 + allow $2 { mplayer_t mencoder_t }:process { getsched ptrace signal_perms };
171 ps_process_pattern($2, { mplayer_t mencoder_t })
172
173 allow $2 mplayer_home_t:dir { manage_dir_perms relabel_dir_perms };
174
175 diff --git a/policy/modules/apps/mplayer.te b/policy/modules/apps/mplayer.te
176 index b00c55b0..d885b0b8 100644
177 --- a/policy/modules/apps/mplayer.te
178 +++ b/policy/modules/apps/mplayer.te
179 @@ -119,12 +119,16 @@ tunable_policy(`use_samba_home_dirs',`
180 fs_manage_cifs_symlinks(mencoder_t)
181 ')
182
183 +tunable_policy(`xserver_allow_dri',`
184 + dev_rw_dri(mplayer_t)
185 +')
186 +
187 ########################################
188 #
189 # Mplayer local policy
190 #
191
192 -allow mplayer_t self:process { signal_perms getsched };
193 +allow mplayer_t self:process { signal_perms getsched setsched };
194 allow mplayer_t self:fifo_file rw_fifo_file_perms;
195 allow mplayer_t self:sem create_sem_perms;
196 allow mplayer_t self:udp_socket create_socket_perms;
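Review bot: The new tunable_policy block for `xserver_allow_dri` grants `dev_rw_dri(mplayer_t)` but sits in the Mencoder local policy section, just before the `# Mplayer local policy` header, where the surrounding rules target mencoder_t. It should be moved below that header alongside the other mplayer_t rules so readers and future edits find it in the section it belongs to. The `setsched` addition on `allow mplayer_t self:process` is scoped to self, so it only lets mplayer adjust its own scheduling, consistent with the `getsched` already granted there.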
197 @@ -147,6 +151,7 @@ fs_tmpfs_filetrans(mplayer_t, mplayer_tmpfs_t,{ dir file lnk_file sock_file fifo
198 kernel_dontaudit_list_unlabeled(mplayer_t)
199 kernel_dontaudit_getattr_unlabeled_files(mplayer_t)
200 kernel_dontaudit_read_unlabeled_files(mplayer_t)
201 +kernel_read_crypto_sysctls(mplayer_t)
202 kernel_read_system_state(mplayer_t)
203 kernel_read_kernel_sysctls(mplayer_t)