
From: Jason Zaman <perfinion@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/, policy/modules/system/, policy/modules/services/
Date: Mon, 01 Feb 2021 02:10:33
Message-Id: 1612142502.9ac5cf61e3dde52271310da0fea9a4210c744927.perfinion@gentoo
1 commit: 9ac5cf61e3dde52271310da0fea9a4210c744927
2 Author: Russell Coker <russell <AT> coker <DOT> com <DOT> au>
3 AuthorDate: Wed Jan 27 17:20:35 2021 +0000
4 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
5 CommitDate: Mon Feb 1 01:21:42 2021 +0000
6 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9ac5cf61
7
8 misc network patches with Dominick's changes*2
9
10 I think this one is good for merging now.
11
12 Signed-off-by: Russell Coker <russell <AT> coker.com.au>
13 Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
14
15 policy/modules/admin/netutils.te | 5 ++-
16 policy/modules/services/dkim.te | 1 +
17 policy/modules/services/mailman.te | 1 +
18 policy/modules/services/mon.te | 3 ++
19 policy/modules/services/samba.if | 76 +++++++++++++++++++++++++++++++++++++
20 policy/modules/system/sysnetwork.fc | 1 +
21 policy/modules/system/sysnetwork.te | 20 ++++++++++
22 7 files changed, 106 insertions(+), 1 deletion(-)
23
24 diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
25 index 06a64a3e..1a0d3d7b 100644
26 --- a/policy/modules/admin/netutils.te
27 +++ b/policy/modules/admin/netutils.te
28 @@ -109,6 +109,7 @@ allow ping_t self:tcp_socket create_socket_perms;
29 allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt getattr };
30 allow ping_t self:packet_socket { create ioctl read write bind getopt setopt };
31 allow ping_t self:netlink_route_socket create_netlink_socket_perms;
32 +allow ping_t self:icmp_socket create;
33
34 corenet_all_recvfrom_netlabel(ping_t)
35 corenet_sendrecv_icmp_packets(ping_t)
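Review bot: The new `allow ping_t self:icmp_socket create;` grants only `create`, so once the kernel hands ping an unprivileged ICMP datagram socket every later operation on it (setsockopt, sendto, recvmsg, bind) is still denied, unlike the `rawip_socket` rule two lines above which lists `{ create ioctl read write bind getopt setopt getattr }`. Unless the intent is to make the ICMP-socket path fail so ping falls back to raw sockets, the rule should carry the same permission set, e.g. `allow ping_t self:icmp_socket { create ioctl read write bind getopt setopt getattr };`. Note also that the `icmp_socket` class is only enforced when the `extended_socket_class` policy capability is enabled; without it these sockets are checked as `rawip_socket` and the new line is inert, so a one-line comment saying which configuration this targets would help the next reader.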
36 @@ -156,13 +157,14 @@ allow traceroute_t self:capability { net_admin net_raw setgid setuid };
37 allow traceroute_t self:fifo_file rw_inherited_fifo_file_perms;
38 allow traceroute_t self:process signal;
39 allow traceroute_t self:rawip_socket create_socket_perms;
40 -allow traceroute_t self:packet_socket create_socket_perms;
41 +allow traceroute_t self:packet_socket { map create_socket_perms };
42 allow traceroute_t self:udp_socket create_socket_perms;
43
44 can_exec(traceroute_t, traceroute_exec_t)
45
46 kernel_read_system_state(traceroute_t)
47 kernel_read_network_state(traceroute_t)
48 +kernel_search_fs_sysctls(traceroute_t)
49
50 corecmd_search_bin(traceroute_t)
51
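Review bot: Neither the `map` added to the `traceroute_t` packet_socket rule nor `kernel_search_fs_sysctls(traceroute_t)` carries a justification, while the mon.te hunk in the same commit documents its new sysctl access with `# to read fips_enabled`; the same style of why-comment is wanted here. `map` on a packet socket permits mmap()ed receive/transmit rings, which is broader than the ioctl/read/write traffic `create_socket_perms` already covered, so the comment should name the traceroute implementation that needs it (presumably a libpcap-based variant — confirm), e.g. `# mmap()ed packet ring used by <tool>`. `kernel_search_fs_sysctls` grants only directory search under /proc/sys/fs, which usually means a path lookup whose final read is denied or dontaudited elsewhere; if the real need is to read a specific fs sysctl, granting the matching read interface would be more honest than a bare search.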
52 @@ -197,6 +199,7 @@ auth_use_nsswitch(traceroute_t)
53
54 logging_send_syslog_msg(traceroute_t)
55
56 +miscfiles_read_generic_certs(traceroute_t)
57 miscfiles_read_localization(traceroute_t)
58
59 userdom_use_inherited_user_terminals(traceroute_t)
60
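Review bot: `miscfiles_read_generic_certs(traceroute_t)` lets a network diagnostic tool read the system certificate store with no comment explaining why a traceroute binary would open it. Public CA certificates are not secret, so the exposure is small, but unexplained allows are how policy accumulates rules that only exist because a linked library probes paths at startup; if that is the case here a dontaudit would keep the policy tighter than an allow, and if it is a genuine need the line deserves a why-comment such as `# traceroute links a TLS library that loads the CA bundle at start — confirm`. Either way, a one-line comment above the added line would make the intent reviewable.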
61 diff --git a/policy/modules/services/dkim.te b/policy/modules/services/dkim.te
62 index e744f3d7..864d5b07 100644
63 --- a/policy/modules/services/dkim.te
64 +++ b/policy/modules/services/dkim.te
65 @@ -35,6 +35,7 @@ kernel_read_vm_overcommit_sysctl(dkim_milter_t)
66
67 corenet_udp_bind_generic_node(dkim_milter_t)
68 corenet_udp_bind_all_unreserved_ports(dkim_milter_t)
69 +corenet_udp_bind_generic_port(dkim_milter_t)
70
71 dev_read_urand(dkim_milter_t)
72 # for cpu/online
73
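Review bot: `corenet_udp_bind_generic_port(dkim_milter_t)` lands directly under `corenet_udp_bind_all_unreserved_ports`, which already covers the unreserved port range a resolver or milter would normally pick from, so it is not clear which port the milter is failing to bind. `port_t` is the catch-all for ports with no more specific label and binding it is rarely what a service really needs; if the denial came from one specific port, labeling that port (or using the matching `corenet_udp_bind_*_port` interface) would be narrower, and if the bind is incidental a dontaudit would do. At minimum a comment naming the denied port, e.g. `# binds port N for <purpose> — confirm`, would justify the rule.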
74 diff --git a/policy/modules/services/mailman.te b/policy/modules/services/mailman.te
75 index 154eb301..47bb174b 100644
76 --- a/policy/modules/services/mailman.te
77 +++ b/policy/modules/services/mailman.te
78 @@ -112,6 +112,7 @@ corecmd_exec_bin(mailman_cgi_t)
79 dev_read_urand(mailman_cgi_t)
80
81 files_search_locks(mailman_cgi_t)
82 +files_read_usr_files(mailman_cgi_t)
83
84 term_use_controlling_term(mailman_cgi_t)
85
86
87 diff --git a/policy/modules/services/mon.te b/policy/modules/services/mon.te
88 index 74a94b89..50a9c82f 100644
89 --- a/policy/modules/services/mon.te
90 +++ b/policy/modules/services/mon.te
91 @@ -58,6 +58,9 @@ manage_files_pattern(mon_t, mon_var_log_t, mon_var_log_t)
92 manage_files_pattern(mon_t, mon_runtime_t, mon_runtime_t)
93 files_runtime_filetrans(mon_t, mon_runtime_t, file)
94
95 +# to read fips_enabled
96 +kernel_read_crypto_sysctls(mon_t)
97 +
98 kernel_read_kernel_sysctls(mon_t)
99 kernel_read_network_state(mon_t)
100 kernel_read_system_state(mon_t)
101
102 diff --git a/policy/modules/services/samba.if b/policy/modules/services/samba.if
103 index 62c3ae67..5e01db23 100644
104 --- a/policy/modules/services/samba.if
105 +++ b/policy/modules/services/samba.if
106 @@ -729,3 +729,79 @@ interface(`samba_admin',`
107 files_list_tmp($1)
108 admin_pattern($1, { swat_tmp_t smbd_tmp_t winbind_tmp_t })
109 ')
110 +
111 +########################################
112 +## <summary>
113 +## start samba daemon
114 +## </summary>
115 +## <param name="domain">
116 +## <summary>
117 +## Domain allowed access.
118 +## </summary>
119 +## </param>
120 +#
121 +interface(`samba_start',`
122 + gen_require(`
123 + type samba_unit_t;
124 + ')
125 +
126 + allow $1 samba_unit_t:file getattr;
127 + allow $1 samba_unit_t:service start;
128 +')
129 +
130 +########################################
131 +## <summary>
132 +## stop samba daemon
133 +## </summary>
134 +## <param name="domain">
135 +## <summary>
136 +## Domain allowed access.
137 +## </summary>
138 +## </param>
139 +#
140 +interface(`samba_stop',`
141 + gen_require(`
142 + type samba_unit_t;
143 + ')
144 +
145 + allow $1 samba_unit_t:file getattr;
146 + allow $1 samba_unit_t:service stop;
147 +')
148 +
149 +########################################
150 +## <summary>
151 +## get status of samba daemon
152 +## </summary>
153 +## <param name="domain">
154 +## <summary>
155 +## Domain allowed access.
156 +## </summary>
157 +## </param>
158 +#
159 +interface(`samba_status',`
160 + gen_require(`
161 + type samba_unit_t;
162 + ')
163 +
164 + allow $1 samba_unit_t:file getattr;
165 + allow $1 samba_unit_t:service status;
166 +')
167 +
168 +########################################
169 +## <summary>
170 +## reload samba daemon
171 +## </summary>
172 +## <param name="domain">
173 +## <summary>
174 +## Domain allowed access.
175 +## </summary>
176 +## </param>
177 +#
178 +interface(`samba_reload',`
179 + gen_require(`
180 + type samba_unit_t;
181 + ')
182 +
183 + allow $1 samba_unit_t:file getattr;
184 + allow $1 samba_unit_t:service reload;
185 +')
186
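Review bot: The four new interfaces document only that the caller is "allowed access"; neither the XML summaries nor a comment says that `service start/stop/status/reload` on `samba_unit_t` is the check systemd performs when a client asks it to act on the samba units, nor that the caller still needs a way to reach systemd (the sysnetwork.te hunk in this commit pairs them with `init_get_system_status` and `init_exec_script_files`), so a reader of samba.if alone cannot tell the interfaces are not sufficient by themselves. Suggest expanding each summary along the lines of `## Allow the domain to start the samba service via systemd (getattr on the unit file and service start on samba_unit_t; the caller must also be able to talk to init)`, with the verb adjusted for stop/status/reload. The repeated `allow $1 samba_unit_t:file getattr;` is fine to keep explicit, but the summary should say why it is there (systemctl stats the unit before requesting the action — presumably, confirm).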
187 diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
188 index 7666ff87..90d9536f 100644
189 --- a/policy/modules/system/sysnetwork.fc
190 +++ b/policy/modules/system/sysnetwork.fc
191 @@ -27,6 +27,7 @@ ifdef(`distro_debian',`
192 /etc/dhcp3?/dhclient.* gen_context(system_u:object_r:dhcp_etc_t,s0)
193
194 /etc/systemd/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
195 +/etc/tor/torsocks\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
196
197 ifdef(`distro_redhat',`
198 /etc/sysconfig/network-scripts/.*resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
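Review bot: Labeling `/etc/tor/torsocks\.conf` as `net_conf_t` carves one file out of whatever type the tor module assigns to `/etc/tor` (refpolicy's tor module labels that directory with its own etc type, if I recall correctly), and the more specific entry silently wins at relabel time, which is easy to miss for someone reading tor.fc; a short comment above the line, `# torsocks.conf is read by any LD_PRELOADed torsocks client, not only tor, so it is generic network config`, would record the reason. The consequence is that every domain with `sysnet_read_config` can now read the file, which is acceptable as far as I know since torsocks.conf holds no secrets, but every domain that can write `net_conf_t` can also rewrite it and thereby redirect torsocks-wrapped clients to a different SOCKS endpoint — that should be a conscious choice rather than a side effect of the label.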
199
200 diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
201 index b14ffe0c..a8fe42d6 100644
202 --- a/policy/modules/system/sysnetwork.te
203 +++ b/policy/modules/system/sysnetwork.te
204 @@ -5,6 +5,14 @@ policy_module(sysnetwork, 1.26.5)
205 # Declarations
206 #
207
208 +## <desc>
209 +## <p>
210 +## Determine whether DHCP client
211 +## can manage samba
212 +## </p>
213 +## </desc>
214 +gen_tunable(dhcpc_manage_samba, false)
215 +
216 attribute_role dhcpc_roles;
217 roleattribute system_r dhcpc_roles;
218
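Review bot: The tunable description `Determine whether DHCP client can manage samba` does not say what "manage" means, and that matters because enabling the boolean (see the rule block later in this file) gives `dhcpc_t` write access to samba's state files and start/stop/reload control over the samba service. Since the DHCP client acts on data supplied by whatever DHCP server answers on the wire, the description should make the trust consequence visible so an administrator can judge it, e.g. `Allow the DHCP client to update samba's configuration and to start, stop and reload the samba service (e.g. from a dhclient hook that applies DHCP-supplied WINS settings); this lets data from the DHCP server influence samba`. The hook use case is my inference — adjust the example to the actual consumer.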
219 @@ -176,6 +184,18 @@ ifdef(`init_systemd',`
220 init_search_units(dhcpc_t)
221 ')
222
223 +optional_policy(`
224 + tunable_policy(`dhcpc_manage_samba',`
225 + samba_manage_var_files(dhcpc_t)
226 + init_exec_script_files(dhcpc_t)
227 + init_get_system_status(dhcpc_t)
228 + samba_stop(dhcpc_t)
229 + samba_start(dhcpc_t)
230 + samba_reload(dhcpc_t)
231 + samba_status(dhcpc_t)
232 + ')
233 +')
234 +
235 optional_policy(`
236 avahi_domtrans(dhcpc_t)
237 ')
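Review bot: `samba_manage_var_files(dhcpc_t)` grants create/write/delete over everything labeled `samba_var_t`, which is considerably more than a DHCP hook needs to drop a small include file, and `dhcpc_t` is a domain that parses responses from an untrusted DHCP server. If the hook writes only one file (presumably something under /var/lib/samba — confirm), a dedicated type with a file transition, or at least a why-comment naming the file, would keep the blast radius of a compromised dhclient away from samba's other state such as its TDB databases. The block is correctly gated behind `dhcpc_manage_samba` (default false) and wrapped in `optional_policy`, which is the right shape; I would add `# dhclient hook updates samba's DHCP-derived config and restarts the service` above the `tunable_policy` line so the rules are not mistaken for general dhcpc functionality.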