commit: 38249e1e570984cbc60f21a12e0323a2e852a463 Author: Kenton Groombridge <me <AT> concord <DOT> sh> AuthorDate: Tue Feb 2 15:52:59 2021 +0000 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> CommitDate: Sat Feb 6 21:15:09 2021 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=38249e1e
Various fixes
Allow dovecot to watch the mail spool, and add various dontaudit rules for several other domains.
Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
 policy/modules/kernel/kernel.if | 18 ++++++++++++++++++
 policy/modules/services/dovecot.te | 3 +++
 policy/modules/services/mta.if | 18 ++++++++++++++++++
 policy/modules/services/ssh.te | 2 ++
 policy/modules/system/authlogin.te | 3 +++
 policy/modules/system/selinuxutil.te | 1 +
 6 files changed, 45 insertions(+)
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 5869eb50..ebd73aca 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -910,6 +910,24 @@ interface(`kernel_getattr_proc',`
  allow $1 proc_t:filesystem getattr;
 ')
 
+########################################
+## <summary>
+## Do not audit attempts to get the attributes of the proc filesystem.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`kernel_dontaudit_getattr_proc',`
+ gen_require(`
+ type proc_t;
+ ')
+
+ dontaudit $1 proc_t:filesystem getattr;
+')
+
 ########################################
 ## <summary>
 ## Mount on proc directories.
diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
index a2d1cc5e..16fa4e52 100644
--- a/policy/modules/services/dovecot.te
+++ b/policy/modules/services/dovecot.te
@@ -207,6 +207,7 @@ optional_policy(`
 
 optional_policy(`
  mta_manage_spool(dovecot_t)
+ mta_watch_spool(dovecot_t)
  mta_manage_mail_home_rw_content(dovecot_t)
  mta_home_filetrans_mail_home_rw(dovecot_t, dir, "Maildir")
  mta_home_filetrans_mail_home_rw(dovecot_t, dir, ".maildir")
@@ -255,6 +256,8 @@ manage_sock_files_pattern(dovecot_auth_t, dovecot_runtime_t, dovecot_runtime_t)
 
 allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto rw_stream_socket_perms };
 
+kernel_dontaudit_getattr_proc(dovecot_auth_t)
+
 files_search_runtime(dovecot_auth_t)
 files_read_usr_files(dovecot_auth_t)
 files_read_var_lib_files(dovecot_auth_t)
diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if
index 7039a7f0..5266d52c 100644
--- a/policy/modules/services/mta.if
+++ b/policy/modules/services/mta.if
@@ -991,6 +991,24 @@ interface(`mta_manage_spool',`
  manage_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
 ')
 
+########################################
+## <summary>
+## Watch mail spool content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mta_watch_spool',`
+ gen_require(`
+ type mail_spool_t;
+ ')
+
+ allow $1 mail_spool_t:{ dir file } watch;
+')
+
 #######################################
 ## <summary>
 ## Create specified objects in the
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 16e86fbf..63a0d824 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -262,6 +262,8 @@ corenet_sendrecv_xserver_server_packets(sshd_t)
 ifdef(`distro_debian',`
  allow sshd_t self:process { getcap setcap };
  auth_use_pam_motd_dynamic(sshd_t)
+',`
+ dontaudit sshd_t self:process { getcap setcap };
 ')
 
 ifdef(`init_systemd',`
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 96ebfa27..f5da5048 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
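Review bot: The new else-branch `dontaudit sshd_t self:process { getcap setcap };` in the ssh.te hunk silences both permissions without recording what triggers them, and suppressing setcap in particular means an sshd on a non-Debian system that really does try to alter its capability set (rather than merely reading it) leaves no AVC behind. If the observed denial is only the read side, narrowing the rule to `dontaudit sshd_t self:process getcap;` keeps setcap auditable; if both are genuinely needed, a one-line comment above the rule naming the sshd code path would let a later reviewer judge whether the suppression is still warranted. The Debian branch allows the same pair alongside auth_use_pam_motd_dynamic, which suggests the two branches stem from the same probe, but that is inferred rather than visible here. The ifdef block is complete within the hunk.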
@@ -104,6 +104,9 @@ allow chkpwd_t shadow_t:file read_file_perms;
 files_list_etc(chkpwd_t)
 
 kernel_read_crypto_sysctls(chkpwd_t)
+kernel_dontaudit_search_kernel_sysctl(chkpwd_t)
+kernel_dontaudit_read_kernel_sysctl(chkpwd_t)
+kernel_dontaudit_getattr_proc(chkpwd_t)
 
 domain_dontaudit_use_interactive_fds(chkpwd_t)
 
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 560e6c8a..ec65eb88 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -500,6 +500,7 @@ files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
 
 kernel_read_system_state(semanage_t)
 kernel_read_kernel_sysctls(semanage_t)
+kernel_dontaudit_getattr_proc(semanage_t)
 
 corecmd_exec_bin(semanage_t)
 corecmd_exec_shell(semanage_t)
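Review bot: The three dontaudit rules added after `kernel_read_crypto_sysctls(chkpwd_t)` carry no comment on what in the password-checking helper touches the kernel sysctl tree and the proc filesystem, and the commit message only says "various dontaudit rules". Since chkpwd_t is the domain that reads shadow_t, the denials being suppressed here are exactly the ones a defender would otherwise use to notice an unexpected helper, so a one-line comment such as `# <source of the probe, e.g. a library start-up check> reads /proc/sys/kernel; denials are noise, not needed access` above the three lines keeps the suppression reviewable. Note also that only kernel_dontaudit_getattr_proc is defined by this commit; kernel_dontaudit_search_kernel_sysctl and kernel_dontaudit_read_kernel_sysctl must already exist in kernel.if, which cannot be confirmed from here. The same rationale gap applies to the selinuxutil.te hunk, where `kernel_dontaudit_getattr_proc(semanage_t)` is added without a note.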