commit: 758c98fc22b0795287736330c416d9f3e03fdf00 |
Author: Russell Coker <russell <AT> coker <DOT> com <DOT> au> |
AuthorDate: Tue Feb 2 14:55:38 2021 +0000 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
CommitDate: Sat Feb 6 21:15:09 2021 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=758c98fc |
|
misc apps and admin patches |
|
Send again without the section Dominick didn't like. I think it's ready for inclusion. |
|
Signed-off-by: Russell Coker <russell <AT> coker.com.au> |
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org> |
|
policy/modules/admin/apt.fc | 4 +++- |
policy/modules/admin/apt.te | 8 ++++++++ |
policy/modules/admin/bootloader.te | 3 +++ |
policy/modules/admin/logrotate.te | 2 ++ |
policy/modules/apps/games.te | 14 ++++++++++++++ |
policy/modules/apps/mplayer.if | 2 +- |
policy/modules/apps/mplayer.te | 7 ++++++- |
7 files changed, 37 insertions(+), 3 deletions(-) |
|
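diff --git a/policy/modules/admin/apt.fc b/policy/modules/admin/apt.fc
index 8a539f06..66fec023 100644
--- a/policy/modules/admin/apt.fc
+++ b/policy/modules/admin/apt.fc
@@ -5,6 +5,8 @@
 /usr/bin/apt-shell -- gen_context(system_u:object_r:apt_exec_t,s0)
 /usr/bin/aptitude -- gen_context(system_u:object_r:apt_exec_t,s0)
 /usr/sbin/update-apt-xapian-index -- gen_context(system_u:object_r:apt_exec_t,s0)
+/usr/share/unattended-upgrades/unattended-upgrade-shutdown -- gen_context(system_u:object_r:apt_exec_t,s0)
+/usr/bin/unattended-upgrade -- gen_context(system_u:object_r:apt_exec_t,s0)
 
 ifndef(`distro_redhat',`
 /usr/sbin/synaptic -- gen_context(system_u:object_r:apt_exec_t,s0)
@@ -23,5 +25,5 @@ ifndef(`distro_redhat',`
 /var/lock/aptitude gen_context(system_u:object_r:apt_lock_t,s0)
 
 /var/log/aptitude.* gen_context(system_u:object_r:apt_var_log_t,s0)
-
+/var/log/unattended-upgrades(/.*) gen_context(system_u:object_r:apt_var_log_t,s0)
 /var/log/apt(/.*)? gen_context(system_u:object_r:apt_var_log_t,s0)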
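Review bot: The added `/var/log/unattended-upgrades(/.*)` file-context line is missing the trailing `?` that the neighbouring `/var/log/apt(/.*)?` entry carries, so the regex matches entries inside the directory but not the directory `/var/log/unattended-upgrades` itself, which then keeps the generic label inherited from `/var/log` after a relabel. Unless leaving the directory generically labelled is intended, the line should read `/var/log/unattended-upgrades(/.*)? gen_context(system_u:object_r:apt_var_log_t,s0)`. If apt_t is expected to create new log files in that directory, the directory's own label is what any type transition in apt.te would key on, so this is worth confirming against that module.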
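diff --git a/policy/modules/admin/apt.te b/policy/modules/admin/apt.te
index 841b8c4f..8e5f72b7 100644
--- a/policy/modules/admin/apt.te
+++ b/policy/modules/admin/apt.te
@@ -154,6 +154,10 @@ optional_policy(`
 	dpkg_lock_db(apt_t)
 ')
 
+optional_policy(`
+	networkmanager_dbus_chat(apt_t)
+')
+
 optional_policy(`
 	nis_use_ypbind(apt_t)
 ')
@@ -168,6 +172,10 @@ optional_policy(`
 	rpm_domtrans(apt_t)
 ')
 
+optional_policy(`
+	systemd_dbus_chat_logind(apt_t)
+')
+
 optional_policy(`
 	unconfined_domain(apt_t)
 ')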
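Review bot: The two new optional_policy blocks give apt_t full bidirectional D-Bus chat with NetworkManager and with logind, but nothing in either hunk records which apt_exec_t program needs them; the apt.fc hunk in this same commit adds unattended-upgrade and unattended-upgrade-shutdown to that type, so presumably these are for them. A comment above each block, e.g. `# for unattended-upgrade (labelled apt_exec_t in apt.fc)`, would let a later reviewer narrow or drop the rules if that program moves to its own domain. Since apt_t also covers interactive apt and aptitude, whether those callers now gain logind chat they never needed is worth a thought.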
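diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
index 172e5157..78b34125 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -186,6 +186,9 @@ ifdef(`distro_debian',`
 
 	dpkg_read_db(bootloader_t)
 	dpkg_rw_pipes(bootloader_t)
+
+	apt_use_fds(bootloader_t)
+	apt_use_ptys(bootloader_t)
 ')
 
 ifdef(`distro_redhat',`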
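diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te
index 7169d260..c13f0a73 100644
--- a/policy/modules/admin/logrotate.te
+++ b/policy/modules/admin/logrotate.te
@@ -121,6 +121,7 @@ logging_send_syslog_msg(logrotate_t)
 logging_send_audit_msgs(logrotate_t)
 logging_exec_all_logs(logrotate_t)
 
+miscfiles_read_generic_certs(logrotate_t)
 miscfiles_read_localization(logrotate_t)
 
 seutil_dontaudit_read_config(logrotate_t)
@@ -242,6 +243,7 @@ optional_policy(`
 ')
 
 optional_policy(`
+	samba_domtrans_smbcontrol(logrotate_t)
 	samba_exec_log(logrotate_t)
 ')
 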
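diff --git a/policy/modules/apps/games.te b/policy/modules/apps/games.te
index 1de63166..c66b382b 100644
--- a/policy/modules/apps/games.te
+++ b/policy/modules/apps/games.te
@@ -111,9 +111,11 @@ fs_tmpfs_filetrans(games_t, games_tmpfs_t, { file lnk_file sock_file fifo_file }
 
 can_exec(games_t, games_exec_t)
 
+kernel_read_kernel_sysctls(games_t)
 kernel_read_system_state(games_t)
 
 corecmd_exec_bin(games_t)
+corecmd_exec_shell(games_t)
 
 corenet_all_recvfrom_netlabel(games_t)
 corenet_tcp_sendrecv_generic_if(games_t)
@@ -146,6 +148,7 @@ init_dontaudit_rw_utmp(games_t)
 
 logging_dontaudit_search_logs(games_t)
 
+miscfiles_read_generic_certs(games_t)
 miscfiles_read_man_pages(games_t)
 miscfiles_read_localization(games_t)
 
@@ -161,9 +164,15 @@ tunable_policy(`allow_execmem',`
 	allow games_t self:process execmem;
 ')
 
+optional_policy(`
+	alsa_read_config(games_t)
+')
+
 optional_policy(`
 	dbus_all_session_bus_client(games_t)
 	dbus_connect_all_session_bus(games_t)
+	dbus_read_lib_files(games_t)
+	dbus_system_bus_client(games_t)
 ')
 
 optional_policy(`
@@ -174,6 +183,11 @@ optional_policy(`
 	pulseaudio_run(games_t, games_roles)
 ')
 
+optional_policy(`
+	xdg_read_config_files(games_t)
+	xdg_read_data_files(games_t)
+')
+
 optional_policy(`
 	xserver_user_x_domain_template(games, games_t, games_tmpfs_t)
 	xserver_create_xdm_tmp_sockets(games_t)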
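Review bot: In the third hunk, `dbus_system_bus_client(games_t)` lets games_t connect to the system bus, yet no `*_dbus_chat(games_t)` for any system service is added anywhere in the section, so on its own it presumably either does nothing useful or is half of a rule whose service side is missing; a comment naming the game or library that needed it would let the other half be identified. In the first hunk, `corecmd_exec_shell(games_t)` and, in the second, `miscfiles_read_generic_certs(games_t)` are likewise unexplained widenings of a user-facing domain: executing a shell is plausible for launcher scripts, but stating which launcher required it would help keep this domain from accreting blanket permissions. The alsa and xdg read interfaces look routine.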
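diff --git a/policy/modules/apps/mplayer.if b/policy/modules/apps/mplayer.if
index 861d5e97..62643bcf 100644
--- a/policy/modules/apps/mplayer.if
+++ b/policy/modules/apps/mplayer.if
@@ -38,7 +38,7 @@ interface(`mplayer_role',`
 	domtrans_pattern($2, mencoder_exec_t, mencoder_t)
 	domtrans_pattern($2, mplayer_exec_t, mplayer_t)
 
-	allow $2 { mplayer_t mencoder_t }:process { ptrace signal_perms };
+	allow $2 { mplayer_t mencoder_t }:process { getsched ptrace signal_perms };
 	ps_process_pattern($2, { mplayer_t mencoder_t })
 
 	allow $2 mplayer_home_t:dir { manage_dir_perms relabel_dir_perms };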
diff --git a/policy/modules/apps/mplayer.te b/policy/modules/apps/mplayer.te |
176 |
index b00c55b0..d885b0b8 100644 |
177 |
--- a/policy/modules/apps/mplayer.te |
178 |
+++ b/policy/modules/apps/mplayer.te |
179 |
@@ -119,12 +119,16 @@ tunable_policy(`use_samba_home_dirs',` |
180 |
fs_manage_cifs_symlinks(mencoder_t) |
181 |
') |
182 |
|
183 |
+tunable_policy(`xserver_allow_dri',` |
184 |
+ dev_rw_dri(mplayer_t) |
185 |
+') |
186 |
+ |
187 |
######################################## |
188 |
# |
189 |
# Mplayer local policy |
190 |
# |
191 |
|
192 |
-allow mplayer_t self:process { signal_perms getsched }; |
193 |
+allow mplayer_t self:process { signal_perms getsched setsched }; |
194 |
allow mplayer_t self:fifo_file rw_fifo_file_perms; |
195 |
allow mplayer_t self:sem create_sem_perms; |
196 |
allow mplayer_t self:udp_socket create_socket_perms; |
197 |
@@ -147,6 +151,7 @@ fs_tmpfs_filetrans(mplayer_t, mplayer_tmpfs_t,{ dir file lnk_file sock_file fifo |
198 |
kernel_dontaudit_list_unlabeled(mplayer_t) |
199 |
kernel_dontaudit_getattr_unlabeled_files(mplayer_t) |
200 |
kernel_dontaudit_read_unlabeled_files(mplayer_t) |
201 |
+kernel_read_crypto_sysctls(mplayer_t) |
202 |
kernel_read_system_state(mplayer_t) |
203 |
kernel_read_kernel_sysctls(mplayer_t) |