commit: 9ac5cf61e3dde52271310da0fea9a4210c744927 |
Author: Russell Coker <russell <AT> coker <DOT> com <DOT> au> |
AuthorDate: Wed Jan 27 17:20:35 2021 +0000 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
CommitDate: Mon Feb 1 01:21:42 2021 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9ac5cf61 |
|
misc network patches with Dominick's changes*2 |
|
I think this one is good for merging now. |
|
Signed-off-by: Russell Coker <russell <AT> coker.com.au> |
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org> |
|
policy/modules/admin/netutils.te | 5 ++- |
policy/modules/services/dkim.te | 1 + |
policy/modules/services/mailman.te | 1 + |
policy/modules/services/mon.te | 3 ++ |
policy/modules/services/samba.if | 76 +++++++++++++++++++++++++++++++++++++ |
policy/modules/system/sysnetwork.fc | 1 + |
policy/modules/system/sysnetwork.te | 20 ++++++++++ |
7 files changed, 106 insertions(+), 1 deletion(-) |
|
diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te |
25 |
index 06a64a3e..1a0d3d7b 100644 |
26 |
--- a/policy/modules/admin/netutils.te |
27 |
+++ b/policy/modules/admin/netutils.te |
28 |
@@ -109,6 +109,7 @@ allow ping_t self:tcp_socket create_socket_perms; |
29 |
allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt getattr }; |
30 |
allow ping_t self:packet_socket { create ioctl read write bind getopt setopt }; |
31 |
allow ping_t self:netlink_route_socket create_netlink_socket_perms; |
32 |
+allow ping_t self:icmp_socket create; |
33 |
|
34 |
corenet_all_recvfrom_netlabel(ping_t) |
35 |
corenet_sendrecv_icmp_packets(ping_t) |
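Review bot: The new `allow ping_t self:icmp_socket create;` grants only `create`, so once an ICMP datagram socket is handed back to ping, every following `bind`, `setopt`, `getopt`, `read` and `write` on it is still denied; whether that path is reached presumably depends on net.ipv4.ping_group_range letting the unprivileged socket be created at all, after which iputils uses it instead of falling back to the raw socket. If ping is meant to actually use the unprivileged socket, the line should mirror the rawip_socket rule above it, `allow ping_t self:icmp_socket { create ioctl read write bind getopt setopt getattr };`. If the intent is only to let the probe fail quietly before the raw fallback, a comment such as `# ping probes for an unprivileged ICMP socket first; only create is needed before it falls back to raw` would keep the next reader from widening it without thinking about the range sysctl.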
36 |
@@ -156,13 +157,14 @@ allow traceroute_t self:capability { net_admin net_raw setgid setuid }; |
37 |
allow traceroute_t self:fifo_file rw_inherited_fifo_file_perms; |
38 |
allow traceroute_t self:process signal; |
39 |
allow traceroute_t self:rawip_socket create_socket_perms; |
40 |
-allow traceroute_t self:packet_socket create_socket_perms; |
41 |
+allow traceroute_t self:packet_socket { map create_socket_perms }; |
42 |
allow traceroute_t self:udp_socket create_socket_perms; |
43 |
|
44 |
can_exec(traceroute_t, traceroute_exec_t) |
45 |
|
46 |
kernel_read_system_state(traceroute_t) |
47 |
kernel_read_network_state(traceroute_t) |
48 |
+kernel_search_fs_sysctls(traceroute_t) |
49 |
|
50 |
corecmd_search_bin(traceroute_t) |
51 |
|
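Review bot: The `map` permission added to traceroute_t's packet_socket rule and the new `kernel_search_fs_sysctls(traceroute_t)` carry no comment on which traceroute feature triggers them, unlike the `# for ...` style the surrounding modules use. `map` is a distinct grant from plain read/write — it lets the socket fd be mmap'd, which is what packet ring buffers rely on — so a one-line note above the rule, e.g. `# packet socket ring buffer is mmap'd; fs sysctl search is for /proc/sys/fs lookups`, would record why it was widened and let a later reviewer judge whether it is still needed. The traceroute_t rule run these sit in continues outside the hunk.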
52 |
@@ -197,6 +199,7 @@ auth_use_nsswitch(traceroute_t) |
53 |
|
54 |
logging_send_syslog_msg(traceroute_t) |
55 |
|
56 |
+miscfiles_read_generic_certs(traceroute_t) |
57 |
miscfiles_read_localization(traceroute_t) |
58 |
|
59 |
userdom_use_inherited_user_terminals(traceroute_t) |
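Review bot: `miscfiles_read_generic_certs(traceroute_t)` is an unexpected grant for a traceroute and is added without explanation; presumably a linked crypto or resolver library loads the CA bundle at startup rather than traceroute needing certificates itself, but that is inference. A comment naming the trigger, e.g. `# crypto library init reads the CA bundle at startup`, would stop this from being read as a stray rule, and if traceroute works fine without the read, a dontaudit variant (where the miscfiles module offers one) would be the tighter choice than allowing it. The traceroute_t rule run continues past the end of this hunk.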
60 |
|
61 |
diff --git a/policy/modules/services/dkim.te b/policy/modules/services/dkim.te |
62 |
index e744f3d7..864d5b07 100644 |
63 |
--- a/policy/modules/services/dkim.te |
64 |
+++ b/policy/modules/services/dkim.te |
65 |
@@ -35,6 +35,7 @@ kernel_read_vm_overcommit_sysctl(dkim_milter_t) |
66 |
|
67 |
corenet_udp_bind_generic_node(dkim_milter_t) |
68 |
corenet_udp_bind_all_unreserved_ports(dkim_milter_t) |
69 |
+corenet_udp_bind_generic_port(dkim_milter_t) |
70 |
|
71 |
dev_read_urand(dkim_milter_t) |
72 |
# for cpu/online |
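Review bot: `corenet_udp_bind_generic_port(dkim_milter_t)` is added directly under `corenet_udp_bind_all_unreserved_ports`, so the milter may now also bind UDP on ports carrying the generic port label, and nothing records which port or which feature needed that. If the port in question is a known one, a labeled port type and the matching `corenet_udp_bind_*_port` interface is the tighter grant; otherwise a comment recording the observed denial, e.g. `# binds a generically labeled UDP port (seen as a denial on <port>)`, would justify the wider rule. The dkim_milter_t rule run continues outside the hunk.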
73 |
|
74 |
diff --git a/policy/modules/services/mailman.te b/policy/modules/services/mailman.te |
75 |
index 154eb301..47bb174b 100644 |
76 |
--- a/policy/modules/services/mailman.te |
77 |
+++ b/policy/modules/services/mailman.te |
78 |
@@ -112,6 +112,7 @@ corecmd_exec_bin(mailman_cgi_t) |
79 |
dev_read_urand(mailman_cgi_t) |
80 |
|
81 |
files_search_locks(mailman_cgi_t) |
82 |
+files_read_usr_files(mailman_cgi_t) |
83 |
|
84 |
term_use_controlling_term(mailman_cgi_t) |
85 |
|
86 |
|
87 |
diff --git a/policy/modules/services/mon.te b/policy/modules/services/mon.te |
88 |
index 74a94b89..50a9c82f 100644 |
89 |
--- a/policy/modules/services/mon.te |
90 |
+++ b/policy/modules/services/mon.te |
91 |
@@ -58,6 +58,9 @@ manage_files_pattern(mon_t, mon_var_log_t, mon_var_log_t) |
92 |
manage_files_pattern(mon_t, mon_runtime_t, mon_runtime_t) |
93 |
files_runtime_filetrans(mon_t, mon_runtime_t, file) |
94 |
|
95 |
+# to read fips_enabled |
96 |
+kernel_read_crypto_sysctls(mon_t) |
97 |
+ |
98 |
kernel_read_kernel_sysctls(mon_t) |
99 |
kernel_read_network_state(mon_t) |
100 |
kernel_read_system_state(mon_t) |
101 |
|
102 |
diff --git a/policy/modules/services/samba.if b/policy/modules/services/samba.if |
103 |
index 62c3ae67..5e01db23 100644 |
104 |
--- a/policy/modules/services/samba.if |
105 |
+++ b/policy/modules/services/samba.if |
106 |
@@ -729,3 +729,79 @@ interface(`samba_admin',` |
107 |
files_list_tmp($1) |
108 |
admin_pattern($1, { swat_tmp_t smbd_tmp_t winbind_tmp_t }) |
109 |
') |
110 |
+ |
111 |
+######################################## |
112 |
+## <summary> |
113 |
+## start samba daemon |
114 |
+## </summary> |
115 |
+## <param name="domain"> |
116 |
+## <summary> |
117 |
+## Domain allowed access. |
118 |
+## </summary> |
119 |
+## </param> |
120 |
+# |
121 |
+interface(`samba_start',` |
122 |
+ gen_require(` |
123 |
+ type samba_unit_t; |
124 |
+ ') |
125 |
+ |
126 |
+ allow $1 samba_unit_t:file getattr; |
127 |
+ allow $1 samba_unit_t:service start; |
128 |
+') |
129 |
+ |
130 |
+######################################## |
131 |
+## <summary> |
132 |
+## stop samba daemon |
133 |
+## </summary> |
134 |
+## <param name="domain"> |
135 |
+## <summary> |
136 |
+## Domain allowed access. |
137 |
+## </summary> |
138 |
+## </param> |
139 |
+# |
140 |
+interface(`samba_stop',` |
141 |
+ gen_require(` |
142 |
+ type samba_unit_t; |
143 |
+ ') |
144 |
+ |
145 |
+ allow $1 samba_unit_t:file getattr; |
146 |
+ allow $1 samba_unit_t:service stop; |
147 |
+') |
148 |
+ |
149 |
+######################################## |
150 |
+## <summary> |
151 |
+## get status of samba daemon |
152 |
+## </summary> |
153 |
+## <param name="domain"> |
154 |
+## <summary> |
155 |
+## Domain allowed access. |
156 |
+## </summary> |
157 |
+## </param> |
158 |
+# |
159 |
+interface(`samba_status',` |
160 |
+ gen_require(` |
161 |
+ type samba_unit_t; |
162 |
+ ') |
163 |
+ |
164 |
+ allow $1 samba_unit_t:file getattr; |
165 |
+ allow $1 samba_unit_t:service status; |
166 |
+') |
167 |
+ |
168 |
+######################################## |
169 |
+## <summary> |
170 |
+## reload samba daemon |
171 |
+## </summary> |
172 |
+## <param name="domain"> |
173 |
+## <summary> |
174 |
+## Domain allowed access. |
175 |
+## </summary> |
176 |
+## </param> |
177 |
+# |
178 |
+interface(`samba_reload',` |
179 |
+ gen_require(` |
180 |
+ type samba_unit_t; |
181 |
+ ') |
182 |
+ |
183 |
+ allow $1 samba_unit_t:file getattr; |
184 |
+ allow $1 samba_unit_t:service reload; |
185 |
+') |
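Review bot: Each of the four new interfaces grants only `getattr` on the unit file plus one `service` permission, yet the caller added in sysnetwork.te also has to pull in `init_get_system_status()` before these are useful, which suggests that prerequisite should either be documented in each interface or included by it, e.g. a comment `# callers also need init_get_system_status() to talk to systemd` under the gen_require block. The summaries are terser than the file's existing ones — `## Start the samba service via its systemd unit.` rather than `## start samba daemon` — and nothing notes that `samba_unit_t` must be declared and registered as a unit file in samba.te, which is outside this hunk and should be checked.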
186 |
|
187 |
diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc |
188 |
index 7666ff87..90d9536f 100644 |
189 |
--- a/policy/modules/system/sysnetwork.fc |
190 |
+++ b/policy/modules/system/sysnetwork.fc |
191 |
@@ -27,6 +27,7 @@ ifdef(`distro_debian',` |
192 |
/etc/dhcp3?/dhclient.* gen_context(system_u:object_r:dhcp_etc_t,s0) |
193 |
|
194 |
/etc/systemd/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0) |
195 |
+/etc/tor/torsocks\.conf -- gen_context(system_u:object_r:net_conf_t,s0) |
196 |
|
197 |
ifdef(`distro_redhat',` |
198 |
/etc/sysconfig/network-scripts/.*resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0) |
199 |
|
200 |
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te |
201 |
index b14ffe0c..a8fe42d6 100644 |
202 |
--- a/policy/modules/system/sysnetwork.te |
203 |
+++ b/policy/modules/system/sysnetwork.te |
204 |
@@ -5,6 +5,14 @@ policy_module(sysnetwork, 1.26.5) |
205 |
# Declarations |
206 |
# |
207 |
|
208 |
+## <desc> |
209 |
+## <p> |
210 |
+## Determine whether DHCP client |
211 |
+## can manage samba |
212 |
+## </p> |
213 |
+## </desc> |
214 |
+gen_tunable(dhcpc_manage_samba, false) |
215 |
+ |
216 |
attribute_role dhcpc_roles; |
217 |
roleattribute system_r dhcpc_roles; |
218 |
|
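Review bot: The tunable's `<desc>` says only that the DHCP client `can manage samba`, which undersells what enabling it grants according to the tunable body later in this file: start/stop/reload/status of the samba service, manage access to samba's var files, and execution of init script files. Tunable descriptions are what administrators see when listing booleans, so it should spell that out, e.g. `Allow the DHCP client to start, stop, reload and query the samba service, manage its var files and run init scripts (presumably for DHCP hook scripts that regenerate smb.conf).`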
219 |
@@ -176,6 +184,18 @@ ifdef(`init_systemd',` |
220 |
init_search_units(dhcpc_t) |
221 |
') |
222 |
|
223 |
+optional_policy(` |
224 |
+ tunable_policy(`dhcpc_manage_samba',` |
225 |
+ samba_manage_var_files(dhcpc_t) |
226 |
+ init_exec_script_files(dhcpc_t) |
227 |
+ init_get_system_status(dhcpc_t) |
228 |
+ samba_stop(dhcpc_t) |
229 |
+ samba_start(dhcpc_t) |
230 |
+ samba_reload(dhcpc_t) |
231 |
+ samba_status(dhcpc_t) |
232 |
+ ') |
233 |
+') |
234 |
+ |
235 |
optional_policy(` |
236 |
avahi_domtrans(dhcpc_t) |
237 |
') |
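Review bot: `init_exec_script_files(dhcpc_t)` inside the `dhcpc_manage_samba` tunable lets dhcpc_t execute every init script file, not just samba's, and as an exec-in-caller-domain interface it runs the script as dhcpc_t with no transition, so a hook fired by a DHCP lease event inherits dhcpc_t's privileges for whatever the script does — far broader than the tunable name suggests. If samba.te defines a samba_initrc_exec_t type, `init_labeled_script_domtrans(dhcpc_t, samba_initrc_exec_t)` (or a `samba_initrc_domtrans()` interface if samba.if provides one) would confine the run to the initrc domain and to samba's script only; if the broad exec really is what the hook needs, a comment above the line saying why belongs there. It is also worth a comment stating which of the script-based rules are still needed on a systemd system, since the four `samba_*` service interfaces in the same block already cover start, stop, reload and status there.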