commit:     38249e1e570984cbc60f21a12e0323a2e852a463
Author:     Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Tue Feb  2 15:52:59 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb  6 21:15:09 2021 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=38249e1e

Various fixes

Allow dovecot to watch the mail spool, and add various dontaudit rules
for several other domains.

Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/kernel/kernel.if      | 18 ++++++++++++++++++
 policy/modules/services/dovecot.te   |  3 +++
 policy/modules/services/mta.if       | 18 ++++++++++++++++++
 policy/modules/services/ssh.te       |  2 ++
 policy/modules/system/authlogin.te   |  3 +++
 policy/modules/system/selinuxutil.te |  1 +
 6 files changed, 45 insertions(+)

diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 5869eb50..ebd73aca 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -910,6 +910,24 @@ interface(`kernel_getattr_proc',`
        allow $1 proc_t:filesystem getattr;
 ')
 
+########################################
+## <summary>
+##     Do not audit attempts to get the attributes of the proc filesystem.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain to not audit.
+##     </summary>
+## </param>
+#
+interface(`kernel_dontaudit_getattr_proc',`
+       gen_require(`
+               type proc_t;
+       ')
+
+       dontaudit $1 proc_t:filesystem getattr;
+')
+
 ########################################
 ## <summary>
 ##     Mount on proc directories.

diff --git a/policy/modules/services/dovecot.te 
b/policy/modules/services/dovecot.te
index a2d1cc5e..16fa4e52 100644
--- a/policy/modules/services/dovecot.te
+++ b/policy/modules/services/dovecot.te
@@ -207,6 +207,7 @@ optional_policy(`
 
 optional_policy(`
        mta_manage_spool(dovecot_t)
+       mta_watch_spool(dovecot_t)
        mta_manage_mail_home_rw_content(dovecot_t)
        mta_home_filetrans_mail_home_rw(dovecot_t, dir, "Maildir")
        mta_home_filetrans_mail_home_rw(dovecot_t, dir, ".maildir")
@@ -255,6 +256,8 @@ manage_sock_files_pattern(dovecot_auth_t, 
dovecot_runtime_t, dovecot_runtime_t)
 
 allow dovecot_auth_t dovecot_t:unix_stream_socket { connectto 
rw_stream_socket_perms };
 
+kernel_dontaudit_getattr_proc(dovecot_auth_t)
+
 files_search_runtime(dovecot_auth_t)
 files_read_usr_files(dovecot_auth_t)
 files_read_var_lib_files(dovecot_auth_t)
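Review bot: The new `kernel_dontaudit_getattr_proc(dovecot_auth_t)` line carries no comment saying which operation it silences, so a later maintainer cannot tell whether the denied getattr on proc_t is a harmless probe or an access the auth helper actually needs. A dontaudit leaves the denial enforced but drops the AVC record, so if the access is ever required the failure becomes invisible; a one-line reason above the rule, such as `# getattr on proc_t is a harmless probe by TODO(name the program or library); denial is safe to hide`, would record that decision. The same applies to the `kernel_dontaudit_getattr_proc` calls added in the authlogin.te and selinuxutil.te hunks.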

diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if
index 7039a7f0..5266d52c 100644
--- a/policy/modules/services/mta.if
+++ b/policy/modules/services/mta.if
@@ -991,6 +991,24 @@ interface(`mta_manage_spool',`
        manage_lnk_files_pattern($1, mail_spool_t, mail_spool_t)
 ')
 
+########################################
+## <summary>
+##     Watch mail spool content.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`mta_watch_spool',`
+       gen_require(`
+               type mail_spool_t;
+       ')
+
+       allow $1 mail_spool_t:{ dir file } watch;
+')
+
 #######################################
 ## <summary>
 ##     Create specified objects in the

diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 16e86fbf..63a0d824 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -262,6 +262,8 @@ corenet_sendrecv_xserver_server_packets(sshd_t)
 ifdef(`distro_debian',`
        allow sshd_t self:process { getcap setcap };
        auth_use_pam_motd_dynamic(sshd_t)
+',`
+       dontaudit sshd_t self:process { getcap setcap };
 ')
 
 ifdef(`init_systemd',`
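Review bot: The new else branch makes `dontaudit sshd_t self:process { getcap setcap };` the non-Debian default, which suppresses the audit record for a denied attempt by sshd to change its own capability set. Enforcement is unchanged since the access stays denied, but a denied setcap by a network-facing daemon is a record many sites want to keep, and hiding it also masks the case where a non-Debian sshd genuinely needs the permission that the distro_debian branch grants alongside auth_use_pam_motd_dynamic. A comment above the dontaudit naming what triggers the attempt on non-Debian systems, e.g. `# sshd attempts getcap/setcap on itself at startup; denial is harmless here — TODO confirm the source`, would document the trade-off. The `ifdef(`distro_debian'` block is entirely within the hunk.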

diff --git a/policy/modules/system/authlogin.te 
b/policy/modules/system/authlogin.te
index 96ebfa27..f5da5048 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -104,6 +104,9 @@ allow chkpwd_t shadow_t:file read_file_perms;
 files_list_etc(chkpwd_t)
 
 kernel_read_crypto_sysctls(chkpwd_t)
+kernel_dontaudit_search_kernel_sysctl(chkpwd_t)
+kernel_dontaudit_read_kernel_sysctl(chkpwd_t)
+kernel_dontaudit_getattr_proc(chkpwd_t)
 
 domain_dontaudit_use_interactive_fds(chkpwd_t)
 

diff --git a/policy/modules/system/selinuxutil.te 
b/policy/modules/system/selinuxutil.te
index 560e6c8a..ec65eb88 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -500,6 +500,7 @@ files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir 
})
 
 kernel_read_system_state(semanage_t)
 kernel_read_kernel_sysctls(semanage_t)
+kernel_dontaudit_getattr_proc(semanage_t)
 
 corecmd_exec_bin(semanage_t)
 corecmd_exec_shell(semanage_t)
