1 |
commit: 2c0150452aa2f181971677e246b38487c7df8d75 |
2 |
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org> |
3 |
AuthorDate: Wed Apr 26 22:02:08 2017 +0000 |
4 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
5 |
CommitDate: Sun Apr 30 09:21:11 2017 +0000 |
6 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2c015045 |
7 |
|
8 |
some little misc things from Russell Coker. |
9 |
|
10 |
This patch allows setfiles to use file handles inherited from apt (for dpkg |
11 |
postinst scripts), adds those rsync permissions that were rejected previously |
12 |
due to not using interfaces, allows fsadm_t to stat /run/mount/utab, and |
13 |
allows system_cronjob_t some access it requires (including net_admin for |
14 |
when it runs utilities that set buffers). |
15 |
|
16 |
policy/modules/contrib/apt.if | 20 ++++++++++++++++++++ |
17 |
policy/modules/contrib/apt.te | 2 +- |
18 |
policy/modules/contrib/cron.te | 25 +++++++++++++++++++++---- |
19 |
policy/modules/contrib/mrtg.if | 18 ++++++++++++++++++ |
20 |
policy/modules/contrib/mrtg.te | 2 +- |
21 |
policy/modules/contrib/rsync.te | 4 +++- |
22 |
6 files changed, 64 insertions(+), 7 deletions(-) |
23 |
|
24 |
diff --git a/policy/modules/contrib/apt.if b/policy/modules/contrib/apt.if |
25 |
index 0a1bc49f..568aa97d 100644 |
26 |
--- a/policy/modules/contrib/apt.if |
27 |
+++ b/policy/modules/contrib/apt.if |
28 |
@@ -176,6 +176,26 @@ interface(`apt_read_cache',` |
29 |
|
30 |
######################################## |
31 |
## <summary> |
32 |
+## Create, read, write, and delete apt package cache content. |
33 |
+## </summary> |
34 |
+## <param name="domain"> |
35 |
+## <summary> |
36 |
+## Domain allowed access. |
37 |
+## </summary> |
38 |
+## </param> |
39 |
+# |
40 |
+interface(`apt_manage_cache',` |
41 |
+ gen_require(` |
42 |
+ type apt_var_cache_t; |
43 |
+ ') |
44 |
+ |
45 |
+ files_search_var($1) |
46 |
+ allow $1 apt_var_cache_t:dir manage_dir_perms; |
47 |
+ allow $1 apt_var_cache_t:file manage_file_perms; |
48 |
+') |
49 |
+ |
50 |
+######################################## |
51 |
+## <summary> |
52 |
## Read apt package database content. |
53 |
## </summary> |
54 |
## <param name="domain"> |
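Review bot: The two raw `allow` rules in `apt_manage_cache` cover only the `dir` and `file` classes and bypass the pattern macros that the cron.te part of this same commit uses. I would write them as `manage_dirs_pattern($1, apt_var_cache_t, apt_var_cache_t)` and `manage_files_pattern($1, apt_var_cache_t, apt_var_cache_t)`, so that the parent-directory permissions come with the grant and the interface reads like the rest of the policy. Since this interface grants write access to cached package content, its description should also say that callers are expected to be package-maintenance domains. The only caller visible in this commit is system_cronjob_t.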
55 |
|
56 |
diff --git a/policy/modules/contrib/apt.te b/policy/modules/contrib/apt.te |
57 |
index 05197c4c..dc6f09b1 100644 |
58 |
--- a/policy/modules/contrib/apt.te |
59 |
+++ b/policy/modules/contrib/apt.te |
60 |
@@ -1,4 +1,4 @@ |
61 |
-policy_module(apt, 1.10.1) |
62 |
+policy_module(apt, 1.10.2) |
63 |
|
64 |
######################################## |
65 |
# |
66 |
|
67 |
diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te |
68 |
index 5cb7dac1..15e6bdb4 100644 |
69 |
--- a/policy/modules/contrib/cron.te |
70 |
+++ b/policy/modules/contrib/cron.te |
71 |
@@ -1,4 +1,4 @@ |
72 |
-policy_module(cron, 2.11.3) |
73 |
+policy_module(cron, 2.11.4) |
74 |
|
75 |
gen_require(` |
76 |
class passwd rootok; |
77 |
@@ -338,6 +338,13 @@ ifdef(`distro_debian',` |
78 |
allow crond_t self:process setrlimit; |
79 |
|
80 |
optional_policy(` |
81 |
+ apt_manage_cache(system_cronjob_t) |
82 |
+ apt_read_db(system_cronjob_t) |
83 |
+ |
84 |
+ dpkg_manage_db(system_cronjob_t) |
85 |
+ ') |
86 |
+ |
87 |
+ optional_policy(` |
88 |
logwatch_search_cache_dir(crond_t) |
89 |
') |
90 |
') |
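Review bot: `apt_manage_cache(system_cronjob_t)` and `dpkg_manage_db(system_cronjob_t)` give every system cron job on Debian write access to the package cache and the dpkg database, and nothing in the block or the commit message says which job needs it. Because system_cronjob_t is shared by all jobs run from the system crontabs, a compromise of any one of them gains the ability to alter package state. A comment above the block naming the job, for example `# the apt periodic job updates the package lists and cache` (assumed, not shown here), would let a later audit check whether read-only access is enough. The enclosing `ifdef` starts above the hunk.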
91 |
@@ -429,6 +436,7 @@ optional_policy(` |
92 |
systemd_write_inherited_logind_sessions_pipes(system_cronjob_t) |
93 |
# so cron jobs can restart daemons |
94 |
init_stream_connect(system_cronjob_t) |
95 |
+ init_manage_script_service(system_cronjob_t) |
96 |
') |
97 |
|
98 |
optional_policy(` |
99 |
@@ -440,7 +448,7 @@ optional_policy(` |
100 |
# System local policy |
101 |
# |
102 |
|
103 |
-allow system_cronjob_t self:capability { chown dac_override dac_read_search fowner fsetid net_bind_service setgid setuid sys_nice }; |
104 |
+allow system_cronjob_t self:capability { chown dac_override dac_read_search fowner fsetid net_admin net_bind_service setgid setuid sys_nice }; |
105 |
allow system_cronjob_t self:process { signal_perms getsched setsched }; |
106 |
allow system_cronjob_t self:fd use; |
107 |
allow system_cronjob_t self:fifo_file rw_fifo_file_perms; |
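Review bot: `net_admin` in the new `allow system_cronjob_t self:capability` line is a much wider grant than the buffer-setting case the commit message gives as its reason. The capability also covers interface, routing and packet-filter configuration for anything that runs as system_cronjob_t. If the utilities only attempt a forced socket buffer size and continue when refused (not visible from this hunk), `dontaudit system_cronjob_t self:capability net_admin;` would silence the denial without granting the capability. If the grant stays, a comment such as `# net_admin: needed by <utility> to set socket buffers` would record why it is there.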
108 |
@@ -461,10 +469,11 @@ allow system_cronjob_t system_cronjob_lock_t:file manage_file_perms; |
109 |
allow system_cronjob_t system_cronjob_lock_t:lnk_file manage_lnk_file_perms; |
110 |
files_lock_filetrans(system_cronjob_t, system_cronjob_lock_t, { file lnk_file }) |
111 |
|
112 |
+manage_dirs_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t) |
113 |
manage_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t) |
114 |
manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t) |
115 |
filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file }) |
116 |
-files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file) |
117 |
+files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, { file dir }) |
118 |
|
119 |
manage_files_pattern(system_cronjob_t, system_cronjob_var_lib_t, system_cronjob_var_lib_t) |
120 |
|
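Review bot: The context line `filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })` was not extended with `dir`, although this hunk adds `manage_dirs_pattern` and widens `files_tmp_filetrans` to `{ file dir }`. A directory created by a system cron job inside a crond_tmp_t directory therefore gets no type transition. As far as these lines show, it would be denied or left with the parent's type. If subdirectories there are intended, the line should read `filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { dir file lnk_file })`. If they are not, a one-line comment saying that directories are only expected directly under the generic tmp directory would explain the asymmetry.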
121 |
@@ -475,7 +484,7 @@ allow system_cronjob_t crond_t:process sigchld; |
122 |
allow system_cronjob_t cron_spool_t:dir list_dir_perms; |
123 |
allow system_cronjob_t cron_spool_t:file rw_file_perms; |
124 |
|
125 |
-allow system_cronjob_t crond_tmp_t:file { read write }; |
126 |
+allow system_cronjob_t crond_tmp_t:file rw_inherited_file_perms; |
127 |
|
128 |
kernel_read_kernel_sysctls(system_cronjob_t) |
129 |
kernel_read_network_state(system_cronjob_t) |
130 |
@@ -560,10 +569,15 @@ tunable_policy(`cron_can_relabel',` |
131 |
') |
132 |
|
133 |
optional_policy(` |
134 |
+ acct_manage_data(system_cronjob_t) |
135 |
+') |
136 |
+ |
137 |
+optional_policy(` |
138 |
apache_exec_modules(system_cronjob_t) |
139 |
apache_read_config(system_cronjob_t) |
140 |
apache_read_log(system_cronjob_t) |
141 |
apache_read_sys_content(system_cronjob_t) |
142 |
+ apache_delete_lib_files(system_cronjob_t) |
143 |
') |
144 |
|
145 |
optional_policy(` |
146 |
@@ -607,6 +621,7 @@ optional_policy(` |
147 |
|
148 |
optional_policy(` |
149 |
mrtg_append_create_logs(system_cronjob_t) |
150 |
+ mrtg_read_config(system_cronjob_t) |
151 |
') |
152 |
|
153 |
optional_policy(` |
154 |
@@ -649,6 +664,8 @@ allow cronjob_t self:fifo_file rw_fifo_file_perms; |
155 |
allow cronjob_t self:unix_stream_socket create_stream_socket_perms; |
156 |
allow cronjob_t self:unix_dgram_socket create_socket_perms; |
157 |
|
158 |
+allow cronjob_t crond_tmp_t:file rw_inherited_file_perms; |
159 |
+ |
160 |
kernel_read_system_state(cronjob_t) |
161 |
kernel_read_kernel_sysctls(cronjob_t) |
162 |
|
163 |
|
164 |
diff --git a/policy/modules/contrib/mrtg.if b/policy/modules/contrib/mrtg.if |
165 |
index 0a71bd89..b25b0894 100644 |
166 |
--- a/policy/modules/contrib/mrtg.if |
167 |
+++ b/policy/modules/contrib/mrtg.if |
168 |
@@ -2,6 +2,24 @@ |
169 |
|
170 |
######################################## |
171 |
## <summary> |
172 |
+## Read mrtg configuration |
173 |
+## </summary> |
174 |
+## <param name="domain"> |
175 |
+## <summary> |
176 |
+## Domain allowed access. |
177 |
+## </summary> |
178 |
+## </param> |
179 |
+# |
180 |
+interface(`mrtg_read_config',` |
181 |
+ gen_require(` |
182 |
+ type mrtg_etc_t; |
183 |
+ ') |
184 |
+ |
185 |
+ allow $1 mrtg_etc_t:file read_file_perms; |
186 |
+') |
187 |
+ |
188 |
+######################################## |
189 |
+## <summary> |
190 |
## Create and append mrtg log files. |
191 |
## </summary> |
192 |
## <param name="domain"> |
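Review bot: `mrtg_read_config` grants only `allow $1 mrtg_etc_t:file read_file_perms;`, with no search permission on the directories that lead to those files. If the configuration sits in a directory labeled mrtg_etc_t under /etc (the file contexts are not part of this diff), the caller needs `files_search_etc($1)` followed by `read_files_pattern($1, mrtg_etc_t, mrtg_etc_t)` instead of the bare allow. Otherwise the interface works only for domains that already hold those permissions from elsewhere. The summary line `## Read mrtg configuration` also lacks the trailing period that the neighbouring interface summaries have.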
193 |
|
194 |
diff --git a/policy/modules/contrib/mrtg.te b/policy/modules/contrib/mrtg.te |
195 |
index 5126d9d5..96d48f37 100644 |
196 |
--- a/policy/modules/contrib/mrtg.te |
197 |
+++ b/policy/modules/contrib/mrtg.te |
198 |
@@ -1,4 +1,4 @@ |
199 |
-policy_module(mrtg, 1.11.0) |
200 |
+policy_module(mrtg, 1.11.1) |
201 |
|
202 |
######################################## |
203 |
# |
204 |
|
205 |
diff --git a/policy/modules/contrib/rsync.te b/policy/modules/contrib/rsync.te |
206 |
index 2fce98b0..11c7041a 100644 |
207 |
--- a/policy/modules/contrib/rsync.te |
208 |
+++ b/policy/modules/contrib/rsync.te |
209 |
@@ -1,4 +1,4 @@ |
210 |
-policy_module(rsync, 1.15.0) |
211 |
+policy_module(rsync, 1.15.1) |
212 |
|
213 |
######################################## |
214 |
# |
215 |
@@ -123,6 +123,8 @@ dev_read_urand(rsync_t) |
216 |
fs_getattr_all_fs(rsync_t) |
217 |
fs_search_auto_mountpoints(rsync_t) |
218 |
|
219 |
+files_getattr_all_pipes(rsync_t) |
220 |
+files_getattr_all_sockets(rsync_t) |
221 |
files_search_home(rsync_t) |
222 |
|
223 |
auth_can_read_shadow_passwords(rsync_t) |