commit: 5dece5bd67bca8c3df92c74d776119ae9af8ebc2 Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com> AuthorDate: Tue Oct 20 18:48:38 2015 +0000 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> CommitDate: Mon Oct 26 03:52:58 2015 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5dece5bd
Add supporting rules for domains tightly-coupled with systemd.
policy/modules/kernel/devices.if | 52 +++++++++++++++++++++++++++++++++----
policy/modules/kernel/kernel.te | 17 ++++++++++++
policy/modules/services/ssh.te | 5 ++++
policy/modules/system/init.te | 1 +
policy/modules/system/locallogin.te | 8 ++++++
policy/modules/system/logging.fc | 1 +
policy/modules/system/logging.te | 22 ++++++++++++++++
policy/modules/system/lvm.te | 6 +++++
policy/modules/system/modutils.te | 8 ++++++
policy/modules/system/sysnetwork.te | 8 ++++++
policy/modules/system/udev.te | 12 +++++++++
11 files changed, 135 insertions(+), 5 deletions(-)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 835ec14..a052db5 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -143,11 +143,11 @@ interface(`dev_relabel_all_dev_nodes',`
 type device_t;
 ')
- relabelfrom_dirs_pattern($1, device_t, device_node)
- relabelfrom_files_pattern($1, device_t, device_node)
+ relabelfrom_dirs_pattern($1, device_t, { device_t device_node })
+ relabelfrom_files_pattern($1, device_t, { device_t device_node })
 relabelfrom_lnk_files_pattern($1, device_t, { device_t device_node })
- relabelfrom_fifo_files_pattern($1, device_t, device_node)
- relabelfrom_sock_files_pattern($1, device_t, device_node)
+ relabelfrom_fifo_files_pattern($1, device_t, { device_t device_node })
+ relabelfrom_sock_files_pattern($1, device_t, { device_t device_node })
 relabel_blk_files_pattern($1, device_t, { device_t device_node })
 relabel_chr_files_pattern($1, device_t, { device_t device_node })
 ')
@@ -709,7 +709,7 @@ interface(`dev_relabelfrom_generic_chr_files',`
 type device_t;
 ')
- allow $1 device_t:chr_file relabelfrom;
+ allow $1 device_t:chr_file relabelfrom_chr_file_perms;
 ')
 ########################################
@@ -1943,6 +1943,30 @@ interface(`dev_filetrans_dri',`
 ########################################
 ## <summary>
+## Automatic type transition to the type
+## for event device nodes when created in /dev.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`dev_filetrans_input_dev',`
+ gen_require(`
+ type device_t, event_device_t;
+ ')
+
+ filetrans_pattern($1, device_t, event_device_t, chr_file, $2)
+')
+
+########################################
+## <summary>
 ## Get the attributes of the event devices.
 ## </summary>
 ## <param name="domain">
@@ -2017,6 +2041,24 @@ interface(`dev_rw_input_dev',`
 ########################################
 ## <summary>
+## Create, read, write, and delete input event devices (/dev/input).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_manage_input_dev',`
+ gen_require(`
+ type device_t, event_device_t;
+ ')
+
+ manage_chr_files_pattern($1, device_t, event_device_t)
+')
+
+########################################
+## <summary>
 ## Get the attributes of the framebuffer device node.
 ## </summary>
 ## <param name="domain">
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 14b5713..f2d5756 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
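Review bot: The summary of the new `dev_filetrans_input_dev` says the transition fires for nodes created in /dev, but the pattern is keyed on `device_t` directories in general, and when the optional `name` is omitted `filetrans_pattern` emits an unnamed type_transition that applies to every chr_file the caller creates in such a directory, not only input event nodes. That matters for callers such as kernel_t that create many kinds of character devices. Suggest saying so in the interface doc: `## for event device nodes when created in device_t directories (e.g. /dev/input). Without a name, the transition applies to every chr_file the domain creates there.` The `dev_manage_input_dev` summary lists only create/read/write/delete while `manage_chr_files_pattern` also grants setattr, rename and link; that follows refpolicy convention, but a reader comparing the two interfaces may appreciate it being spelled out.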
@@ -299,6 +299,23 @@ ifdef(`distro_redhat',`
 fs_rw_tmpfs_chr_files(kernel_t)
 ')
+ifdef(`init_systemd',`
+ optional_policy(`
+ dev_manage_input_dev(kernel_t)
+ dev_filetrans_input_dev(kernel_t)
+ ')
+
+ optional_policy(`
+ selinux_compute_create_context(kernel_t)
+ ')
+
+ optional_policy(`
+ storage_dev_filetrans_fixed_disk(kernel_t)
+ storage_setattr_fixed_disk_dev(kernel_t)
+ storage_create_fixed_disk_dev(kernel_t)
+ ')
+')
+
 optional_policy(`
 # loop devices
 fstools_use_fds(kernel_t)
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 783d0e7..e5932aa 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -266,6 +266,11 @@ ifdef(`distro_debian',`
 allow sshd_t self:process { getcap setcap };
 ')
+ifdef(`init_systemd',`
+ systemd_dbus_chat_logind(sshd_t)
+ init_rw_stream_sockets(sshd_t)
+')
+
 tunable_policy(`ssh_sysadm_login',`
 # Relabel and access ptys created by sshd
 # ioctl is necessary for logout() processing for utmp entry and for w to
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index d5d7b10..916b895 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -222,6 +222,7 @@ ifdef(`init_systemd',`
 dev_rw_autofs(init_t)
 dev_create_generic_dirs(init_t)
+ dev_manage_input_dev(init_t)
 dev_relabel_all_dev_nodes(init_t)
 dev_read_urand(init_t)
 dev_write_kmsg(init_t)
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
index 5281665..766614c 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
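Review bot: The new init_systemd block in kernel.te carries no comment saying why the kernel domain itself must create input and fixed-disk device nodes and compute create contexts, so someone auditing kernel_t's privileges cannot tell this from an accidental grant. If this is for devtmpfs, whose nodes are created in kernel context, say so, e.g. `# devtmpfs creates device nodes in kernel context; the filetrans rules give them the right type`. Note also that `dev_filetrans_input_dev(kernel_t)` and `storage_dev_filetrans_fixed_disk(kernel_t)` are called without a name, so they become unnamed transitions covering every chr_file and blk_file kernel_t creates in device_t directories; other device types will be mislabeled until something relabels /dev (init_t has `dev_relabel_all_dev_nodes` in this tree), and that reliance deserves a comment as well. Finally, devices, selinux and storage are kernel-layer modules that are normally built as base, so the three `optional_policy` wrappers look redundant unless this tree builds them as loadable modules.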
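Review bot: Both new grants in the sshd_t block lack a why-comment, and `init_rw_stream_sockets(sshd_t)` in particular is broader than the usual `init_dgram_send` used for sd_notify, since it allows read/write on init_t unix stream sockets. If the intent is socket activation via sshd.socket, where the accepted connection is an init_t-created socket inherited by sshd, a comment such as `# socket activation (sshd.socket) hands sshd an init_t stream socket` would justify it; likewise `# pam_systemd registers the login session with logind over dbus` for the logind chat. If neither is the real trigger, the denial that motivated these should be cited instead.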
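Review bot: `dev_manage_input_dev(init_t)` is added without the matching `dev_filetrans_input_dev`, unlike the kernel_t block in this same commit, so any event node init_t itself creates under a device_t directory would be labeled device_t rather than event_device_t until `dev_relabel_all_dev_nodes` (granted a few lines below) corrects it. If init_t really creates such nodes, add the filetrans; if it only needs setattr or unlink on existing ones, a narrower interface than manage would be preferable. A comment naming the systemd operation behind this would settle which.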
@@ -135,6 +135,14 @@ userdom_use_unpriv_users_fds(local_login_t)
 userdom_sigchld_all_users(local_login_t)
 userdom_create_all_users_keys(local_login_t)
+ifdef(`init_systemd',`
+ auth_manage_faillog(local_login_t)
+
+ systemd_dbus_chat_logind(local_login_t)
+ systemd_use_logind_fds(local_login_t)
+ systemd_manage_logind_pid_pipes(local_login_t)
+')
+
 ifdef(`distro_ubuntu',`
 optional_policy(`
 unconfined_domain(local_login_t)
diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
index a0e957c..fb319d4 100644
--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
@@ -72,6 +72,7 @@ ifdef(`distro_redhat',`
 /var/run/syslog-ng\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
 /var/run/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,s0)
 /var/run/systemd/journal(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
+/var/run/systemd/journal/socket -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
 /var/run/systemd/journal/syslog -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
 /var/run/systemd/journal/dev-log -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 72b7ff5..6f7335e 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -120,6 +120,10 @@ locallogin_dontaudit_use_fds(auditctl_t)
 logging_set_audit_parameters(auditctl_t)
 logging_send_syslog_msg(auditctl_t)
+ifdef(`init_systemd',`
+ init_rw_stream_sockets(auditctl_t)
+')
+
 ########################################
 #
 # Auditd local policy
@@ -248,6 +252,10 @@ miscfiles_read_localization(audisp_t)
 sysnet_dns_name_resolve(audisp_t)
+ifdef(`init_systemd',`
+ kernel_dgram_send(audisp_t)
+')
+
 optional_policy(`
 dbus_system_bus_client(audisp_t)
 ')
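Review bot: `auth_manage_faillog(local_login_t)` sits inside `ifdef(init_systemd)` although faillog handling is a PAM matter with no dependency on the init system, so it looks grouped by where a denial was observed rather than by what requires it; move it out of the systemd block or add a comment explaining why it applies only there. Separately, manage includes unlink and rename of the faillog records, which lets the login domain discard lockout state; if the rule exists because pam_faillock or pam_tally creates per-user records, a comment like `# pam_faillock creates per-user records under the faillog dir` makes that explicit, otherwise the narrower rw interface should suffice.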
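Review bot: The new file context for `/var/run/systemd/journal/socket` only takes effect on a relabel, yet the socket is created at runtime by journald inside a directory labeled syslogd_var_run_t. Unless logging.te already carries a named file transition for syslogd_t creating a sock_file named `socket` (as presumably exists for `syslog` and `dev-log`), the live socket will come up as syslogd_var_run_t and clients that are only allowed devlog_t will be denied. Please confirm that transition exists or add one alongside this entry.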
@@ -480,6 +488,20 @@ miscfiles_read_localization(syslogd_t)
 userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
 userdom_dontaudit_search_user_home_dirs(syslogd_t)
+ifdef(`init_systemd',`
+ allow syslogd_t self:capability { chown setuid setgid };
+
+ kernel_use_fds(syslogd_t)
+ kernel_getattr_dgram_sockets(syslogd_t)
+ kernel_rw_unix_dgram_sockets(syslogd_t)
+ kernel_rw_stream_sockets(syslogd_t)
+
+ init_daemon_pid_file(syslogd_var_run_t, dir, "syslogd")
+ init_dgram_send(syslogd_t)
+
+ udev_read_pid_files(syslogd_t)
+')
+
 ifdef(`distro_gentoo',`
 # default gentoo syslog-ng config appends kernel
 # and high priority messages to /dev/tty12
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index 6880656..f0bea03 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -304,6 +304,12 @@ seutil_sigchld_newrole(lvm_t)
 userdom_use_user_terminals(lvm_t)
+ifdef(`init_systemd',`
+ init_rw_stream_sockets(lvm_t)
+
+ fs_manage_hugetlbfs_dirs(lvm_t)
+')
+
 ifdef(`distro_redhat',`
 # this is from the initrd:
 kernel_rw_unlabeled_dirs(lvm_t)
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index b17ad6c..4a5b572 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -183,6 +183,14 @@ userdom_dontaudit_search_user_home_dirs(insmod_t)
 kernel_domtrans_to(insmod_t, insmod_exec_t)
+ifdef(`init_systemd',`
+ kernel_search_key(insmod_t)
+
+ init_rw_stream_sockets(insmod_t)
+
+ systemd_write_kmod_files(insmod_t)
+')
+
 optional_policy(`
 alsa_domtrans(insmod_t)
 ')
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 7a7b479..ff32383 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
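Review bot: The bare `allow syslogd_t self:capability { chown setuid setgid };` has no comment, and setuid/setgid on a long-running daemon that consumes messages from every domain is the kind of grant that should be justified rather than just recorded from a denial. If journald needs chown to hand journal files to its group, say `# journald chowns journal files to the systemd-journal group`; if setuid/setgid are only tripped by a permission probe during an ownership or credential change rather than a real privilege switch, a dontaudit would be safer than an allow. `kernel_rw_stream_sockets(syslogd_t)` and `kernel_rw_unix_dgram_sockets(syslogd_t)` are likewise broader than the `kernel_dgram_send` given to audisp_t in this commit, and a comment naming the kernel-side socket they are for (an fd inherited from kernel_t at early boot, presumably) would help the next reader.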
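Review bot: `fs_manage_hugetlbfs_dirs(lvm_t)` grants create and delete of directories on hugetlbfs, which has nothing to do with volume management and sits unexplained next to the socket rule. If the denial came from lvm walking /dev, where hugetlbfs is typically mounted under systemd, the access actually needed is probably search or getattr, which a narrower interface or a dontaudit would cover; if lvm really creates directories there, a comment naming that operation is needed. An unexplained manage grant on a foreign filesystem is hard to audit later.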
@@ -162,6 +162,14 @@ ifdef(`distro_ubuntu',`
 ')
 ')
+ifdef(`init_systemd',`
+ init_rw_stream_sockets(dhcpc_t)
+ init_read_state(dhcpc_t)
+ init_stream_connect(dhcpc_t)
+ init_get_all_units_status(dhcpc_t)
+ init_search_units(dhcpc_t)
+')
+
 optional_policy(`
 consoletype_run(dhcpc_t, dhcpc_roles)
 ')
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index a9a2296..40868ad 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -218,6 +218,18 @@ ifdef(`distro_redhat',`
 ')
 ')
+ifdef(`init_systemd',`
+ kernel_load_module(udev_t)
+
+ files_search_kernel_modules(udev_t)
+
+ fs_read_cgroup_files(udev_t)
+
+ init_dgram_send(udev_t)
+
+ systemd_read_logind_pids(udev_t)
+')
+
 optional_policy(`
 alsa_domtrans(udev_t)
 alsa_read_lib(udev_t)
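Review bot: The dhcpc_t block grants `init_stream_connect`, `init_get_all_units_status` and `init_read_state`, which let the DHCP client, a domain that parses untrusted network input, talk to systemd's private control socket, enumerate every unit and read init's process state; that is a noticeable widening of the attack surface of a network-facing daemon. If this comes from dhclient hook scripts calling systemctl, a comment should say so, e.g. `# dhclient-script hooks call systemctl (e.g. to restart resolver services)`, and it is worth checking whether the hook could transition to a dedicated domain so the client itself does not need the control socket. If only specific units are touched, restricting to those instead of all units would be preferable.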
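Review bot: `kernel_load_module(udev_t)` gives udev the module-loading capability directly, without a comment, in place of the transition to insmod_t that udev policy normally relies on; if this is for udev's built-in kmod loader, which calls finit_module itself, say so: `# udev's kmod builtin loads modules directly instead of running modprobe`. The hunk only adds `files_search_kernel_modules(udev_t)`, but loading a module requires opening and reading the .ko file, so unless udev_t already has read access to kernel module files elsewhere in the policy, `files_read_kernel_modules(udev_t)` appears to be missing too. The other grants (`fs_read_cgroup_files`, `systemd_read_logind_pids`) would also benefit from a one-line reason each.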