
From: Jason Zaman <perfinion@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/, policy/modules/admin/
Date: Mon, 27 Feb 2017 11:40:13
Message-Id: 1488191830.0895cfaab9cc3c372810ab7d3b47c12066c74e74.perfinion@gentoo
1 commit: 0895cfaab9cc3c372810ab7d3b47c12066c74e74
2 Author: cgzones <cgzones <AT> googlemail <DOT> com>
3 AuthorDate: Thu Jan 5 11:10:30 2017 +0000
4 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
5 CommitDate: Mon Feb 27 10:37:10 2017 +0000
6 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0895cfaa
7
8 su: some adjustments
9
10 * systemd fixes
11 * remove unused attribute su_domain_type
12 * remove hide_broken_symptoms sections
13 * dontaudit init_t proc files access
14 * dontaudit net_admin capability due to setsockopt
15
16 policy/modules/admin/su.if | 20 +++++---------------
17 policy/modules/admin/su.te | 2 --
18 policy/modules/system/init.if | 20 ++++++++++++++++++++
19 3 files changed, 25 insertions(+), 17 deletions(-)
20
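--- a/policy/modules/admin/su.if
+++ b/policy/modules/admin/su.if
@@ -1,4 +1,4 @@
-## <summary>Run shells with substitute user and group</summary>
+## <summary>Run shells with substitute user and group.</summary>
 
 #######################################
 ## <summary>
@@ -100,11 +100,6 @@ template(`su_restricted_domain_template', `
 ')
 ')
 
-ifdef(`hide_broken_symptoms',`
-# dontaudit leaked sockets from parent
-dontaudit $1_su_t $2:socket_class_set { read write };
-')
-
 optional_policy(`
 cron_read_pipes($1_su_t)
 ')
@@ -148,12 +143,10 @@ template(`su_restricted_domain_template', `
 #
 template(`su_role_template',`
 gen_require(`
-attribute su_domain_type;
 type su_exec_t;
-bool secure_mode;
 ')
 
-type $1_su_t, su_domain_type;
+type $1_su_t;
 userdom_user_application_domain($1_su_t, su_exec_t)
 domain_interactive_fd($1_su_t)
 role $2 types $1_su_t;
@@ -161,7 +154,7 @@ template(`su_role_template',`
 allow $3 $1_su_t:process signal;
 
 allow $1_su_t self:capability { audit_control audit_write chown dac_override fowner net_bind_service setgid setuid sys_nice sys_resource };
-dontaudit $1_su_t self:capability sys_tty_config;
+dontaudit $1_su_t self:capability { net_admin sys_tty_config };
 allow $1_su_t self:process { setexec setsched setrlimit };
 allow $1_su_t self:fifo_file rw_fifo_file_perms;
 allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };
@@ -197,6 +190,7 @@ template(`su_role_template',`
 auth_dontaudit_read_shadow($1_su_t)
 auth_use_nsswitch($1_su_t)
 auth_rw_faillog($1_su_t)
+auth_use_pam_systemd($1_su_t)
 
 corecmd_search_bin($1_su_t)
 
@@ -208,6 +202,7 @@ template(`su_role_template',`
 files_dontaudit_getattr_tmp_dirs($1_su_t)
 
 init_dontaudit_use_fds($1_su_t)
+init_dontaudit_read_state($1_su_t)
 # Write to utmp.
 init_rw_utmp($1_su_t)
 
@@ -232,11 +227,6 @@ template(`su_role_template',`
 ')
 ')
 
-ifdef(`hide_broken_symptoms',`
-# dontaudit leaked sockets from parent
-dontaudit $1_su_t $3:socket_class_set { read write };
-')
-
 tunable_policy(`allow_polyinstantiation',`
 fs_mount_xattr_fs($1_su_t)
 fs_unmount_xattr_fs($1_su_t)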
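Review bot: The new `dontaudit $1_su_t self:capability { net_admin sys_tty_config };` in the @@ -161 hunk silences denials for a genuinely privileged capability without any comment in the policy saying why, so a later reader cannot tell a harmless probe from a real misuse being hidden; the commit message attributes it to setsockopt(), and that belongs next to the rule, e.g. `# setsockopt() triggers a net_admin check; the capability is not granted, only the denial is silenced`. In the @@ -197 hunk `auth_use_pam_systemd($1_su_t)` is added unconditionally; unless that interface gates itself on `init_systemd` (its definition is not in this diff, so I cannot confirm), non-systemd builds also receive the access it grants, and wrapping the call in `ifdef(\`init_systemd',\` … ')` as the commit's "systemd fixes" wording suggests would keep the scope tight. su_role_template starts and continues outside the visible hunks.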
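--- a/policy/modules/admin/su.te
+++ b/policy/modules/admin/su.te
@@ -5,7 +5,5 @@ policy_module(su, 1.14.1)
 # Declarations
 #
 
-attribute su_domain_type;
-
 type su_exec_t;
 corecmd_executable_file(su_exec_t)
 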
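--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1695,6 +1695,26 @@ interface(`init_read_state',`
 
 ########################################
 ## <summary>
+## Dontaudit read the process state (/proc/pid) of init.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`init_dontaudit_read_state',`
+gen_require(`
+type init_t;
+')
+
+dontaudit $1 init_t:dir search_dir_perms;
+dontaudit $1 init_t:file read_file_perms;
+dontaudit $1 init_t:lnk_file read_lnk_file_perms;
+')
+
+########################################
+## <summary>
 ## Ptrace init
 ## </summary>
 ## <param name="domain">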
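Review bot: The summary of the new `init_dontaudit_read_state` interface does not follow the wording the other dontaudit interfaces in refpolicy use, which makes it harder to find in the generated interface documentation; `## Do not audit attempts to read the process state (/proc/pid) of init.` matches the established phrasing. It is worth adding a one-line note in the interface description that this only suppresses the audit record and grants nothing, so that callers that actually depend on reading init's /proc entries (the commit lists this under "systemd fixes") are not surprised when the access still fails silently; I cannot tell from this hunk whether the su case is a probe or a real requirement. The hunk also cuts into the header of the following `init_ptrace` interface, whose body lies outside the diff.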