
From: Kenton Groombridge <concord@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
Date: Wed, 02 Nov 2022 14:42:56
Message-Id: 1667398023.c9c22b083349a39d29ab0e530e9a4545fe7e7708.concord@gentoo
1 commit: c9c22b083349a39d29ab0e530e9a4545fe7e7708
2 Author: Kenton Groombridge <me <AT> concord <DOT> sh>
3 AuthorDate: Mon Sep 19 23:06:34 2022 +0000
4 Commit: Kenton Groombridge <concord <AT> gentoo <DOT> org>
5 CommitDate: Wed Nov 2 14:07:03 2022 +0000
6 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c9c22b08
7
8 zfs: various fixes
9
10 Minor fixes for ZFS, including allowing Zed to use sendmail and write
11 LED statuses to enclosure devices.
12
13 Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
14 Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>
15
16 policy/modules/services/zfs.te | 47 +++++++++++++++++++++++++++++++++++++++---
17 1 file changed, 44 insertions(+), 3 deletions(-)
18
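diff --git a/policy/modules/services/zfs.te b/policy/modules/services/zfs.te
index 05e0d3e5f..519295e96 100644
--- a/policy/modules/services/zfs.te
+++ b/policy/modules/services/zfs.te
@@ -50,39 +50,49 @@ files_runtime_filetrans(zed_t, zfs_runtime_t, file)
 corecmd_exec_bin(zed_t)
 corecmd_exec_shell(zed_t)
 
-dev_read_sysfs(zed_t)
+dev_rw_sysfs(zed_t)
 
 files_search_etc(zed_t)
 
+kernel_read_system_state(zed_t)
 kernel_read_vm_overcommit_sysctl(zed_t)
 
 storage_raw_rw_fixed_disk(zed_t)
 
 auth_use_nsswitch(zed_t)
 
+hostname_exec(zed_t)
+
 logging_send_syslog_msg(zed_t)
 
 miscfiles_read_localization(zed_t)
 
 udev_search_runtime(zed_t)
 
+zfs_rw_zpool_cache(zed_t)
+
 ########################################
 #
 # zfs local policy
 #
 
-allow zfs_t self:process getsched;
-allow zfs_t self:capability sys_admin;
+allow zfs_t self:process { getsched signull };
+allow zfs_t self:capability { sys_admin sys_rawio };
 allow zfs_t self:fifo_file rw_fifo_file_perms;
 
 list_dirs_pattern(zfs_t, zfs_config_t, zfs_config_t)
 read_files_pattern(zfs_t, zfs_config_t, zfs_config_t)
 read_lnk_files_pattern(zfs_t, zfs_config_t, zfs_config_t)
 
+manage_files_pattern(zfs_t, zfs_runtime_t, zfs_runtime_t)
+files_runtime_filetrans(zfs_t, zfs_runtime_t, file)
+
 # to execute scripts in /usr/libexec/zfs
 corecmd_exec_bin(zfs_t)
 corecmd_exec_shell(zfs_t)
 
+dev_delete_generic_symlinks(zfs_t)
+dev_getattr_sysfs(zfs_t)
 dev_read_sysfs(zfs_t)
 
 domain_use_interactive_fds(zfs_t)
@@ -104,6 +114,8 @@ kernel_read_kernel_sysctls(zfs_t)
 
 storage_raw_rw_fixed_disk(zfs_t)
 
+udev_read_runtime_files(zfs_t)
+
 miscfiles_read_localization(zfs_t)
 
 auth_use_nsswitch(zfs_t)
@@ -112,9 +124,38 @@ mount_exec(zfs_t)
 
 userdom_use_user_terminals(zfs_t)
 
+zfs_rw_zpool_cache(zfs_t)
+
 optional_policy(`
 	kernel_rw_rpc_sysctls(zfs_t)
 
 	rpc_manage_nfs_state_data(zfs_t)
 	rpc_read_exports(zfs_t)
 ')
+
+#######################################
+#
+# Mail local policy
+#
+
+optional_policy(`
+	mta_base_mail_template(zed)
+	role system_r types zed_mail_t;
+
+	allow zed_mail_t zed_t:fd use;
+	allow zed_mail_t zed_t:fifo_file rw_fifo_file_perms;
+	allow zed_mail_t zed_t:process sigchld;
+
+	manage_dirs_pattern(zed_t, zed_mail_tmp_t, zed_mail_tmp_t)
+	manage_files_pattern(zed_t, zed_mail_tmp_t, zed_mail_tmp_t)
+	files_tmp_filetrans(zed_t, zed_mail_tmp_t, { dir file })
+
+	allow zfs_t zed_mail_tmp_t:file write_file_perms;
+
+	mta_sendmail_domtrans(zed_t, zed_mail_t)
+
+	allow zed_mail_t self:capability { dac_override dac_read_search };
+
+	storage_dontaudit_read_fixed_disk(zed_mail_t)
+	storage_dontaudit_write_fixed_disk(zed_mail_t)
+')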
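Review bot: `dev_rw_sysfs(zed_t)` in the first hunk widens zed from read-only to read-write on the whole of sysfs, while the commit message only needs writes to enclosure LED status nodes; a comment recording the intended target would let a later reviewer judge whether a dedicated type for those nodes could replace the blanket grant, e.g. `# zed writes LED state to enclosure devices under sysfs`. In the last hunk, `allow zed_mail_t self:capability { dac_override dac_read_search };` and `allow zfs_t zed_mail_tmp_t:file write_file_perms;` likewise carry no rationale; dac_override lets the mail helper bypass all discretionary file-mode checks, so if the denial that motivated it was only on reading or directory search, dac_read_search alone may suffice, and the cross-domain write presumably exists because zed runs zfs with its output redirected into the mail temp file, which is worth stating in a comment. The `sys_rawio` added to zfs_t in the first hunk would benefit from the same one-line note.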