[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2017-09-10 Thread Jason Zaman
commit: 9ec53a8a43b7f1d03a84c333c1265a63b8ef334c
Author: Jason Zaman  perfinion  com>
AuthorDate: Sat Aug 13 16:37:55 2016 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Sep 10 13:53:30 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9ec53a8a

virt: kernel_read_system_state

 policy/modules/contrib/virt.te | 4 
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 51429d5b..0a770ea1 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1331,6 +1331,8 @@ files_pid_filetrans(virtlockd_t, virtlockd_run_t, file)
 
 can_exec(virtlockd_t, virtlockd_exec_t)
 
+kernel_read_system_state(virtlockd_t)
+
 files_read_etc_files(virtlockd_t)
 files_list_var_lib(virtlockd_t)
 
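Review bot: kernel_read_system_state grants virtlockd_t read access to kernel and process state under /proc as a whole, and neither the commit message nor a comment says which read triggered it; the second hunk makes the same addition for virtlogd_t. If the daemons only need one specific entry, a narrower kernel_* interface would keep the lock and log helpers closer to least privilege. Either way, the AVC that motivated it belongs in the message, or a comment such as `# TODO(review): record which /proc read needed kernel_read_system_state` above the call, so a later audit does not have to guess.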
@@ -1357,6 +1359,8 @@ files_pid_filetrans(virtlogd_t, virtlogd_run_t, file)
 
 can_exec(virtlogd_t, virtlogd_exec_t)
 
+kernel_read_system_state(virtlogd_t)
+
 files_read_etc_files(virtlogd_t)
 files_list_var_lib(virtlogd_t)
 



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/, policy/modules/kernel/, policy/modules/system/

2017-09-10 Thread Jason Zaman
commit: 61a9be757ac82bad3c2c01f4395a7720b317e008
Author: Jason Zaman  perfinion  com>
AuthorDate: Thu Mar 30 07:30:55 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Sep 10 13:53:30 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=61a9be75

gssproxy: Allow others to stream connect

kernel AVC:
 * Starting gssproxy ...
Failed to write to /proc/net/rpc/use-gss-proxy: 13 (Permission denied)
 * start-stop-daemon: failed to start `gssproxy'

type=AVC msg=audit(1490858215.578:386110): avc:  denied  { connectto } for  
pid=25447 comm="gssproxy" path="/run/gssproxy.sock" 
scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 
tclass=unix_stream_socket permissive=0

 policy/modules/contrib/rpc.te   | 3 +++
 policy/modules/kernel/kernel.te | 4 
 policy/modules/system/userdomain.if | 4 
 3 files changed, 11 insertions(+)

diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
index 970e5b31..b46d865f 100644
--- a/policy/modules/contrib/rpc.te
+++ b/policy/modules/contrib/rpc.te
@@ -339,6 +339,9 @@ optional_policy(`
 ')
 
 optional_policy(`
+   gssproxy_stream_connect(gssd_t)
+')
+optional_policy(`
kerberos_manage_host_rcache(gssd_t)
kerberos_read_keytab(gssd_t)
kerberos_tmp_filetrans_host_rcache(gssd_t, file, "nfs_0")
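Review bot: Only the kernel_t denial quoted in the message is explained, while this hunk also grants gssd_t, and the userdomain.if hunk grants every domain built from userdom_common_user_template, a stream connect to gssproxy_t. The user-domain grant is the widest one: per the gssproxy_stream_connect interface added in c4d741a0 it covers sockets under both gssproxy_run_t and gssproxy_var_lib_t, so every interactive user domain can talk to the credential proxy. If that is intended for client-side gss-proxy use, say so in the message or gate it with a tunable; otherwise limit the call to the domains that actually need it. The enclosing optional_policy blocks start and end outside the hunk.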

diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 5d8404de..432fa86e 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -423,6 +423,10 @@ optional_policy(`
rpc_tcp_rw_nfs_sockets(kernel_t)
rpc_udp_rw_nfs_sockets(kernel_t)
 
+   optional_policy(`
+   gssproxy_stream_connect(kernel_t)
+   ')
+
tunable_policy(`nfs_export_all_ro',`
fs_getattr_noxattr_fs(kernel_t)
fs_list_noxattr_fs(kernel_t)
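Review bot: The new optional_policy block is nested inside the rpc optional_policy block that the hunk header opens (the lines above it are rpc_*_rw_nfs_sockets calls), so kernel_t only receives the gssproxy connect when both the rpc and gssproxy modules are loaded. That looks intentional for the /proc/net/rpc/use-gss-proxy case in the message, but it reads like a misplaced block; a comment `# gss-proxy is reached through the kernel's rpc/nfs gss upcall` above it, or moving it to its own top-level optional block, would make the dependency explicit. The enclosing optional_policy begins and ends outside the hunk.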

diff --git a/policy/modules/system/userdomain.if 
b/policy/modules/system/userdomain.if
index 88fdb823..f93f946c 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -686,6 +686,10 @@ template(`userdom_common_user_template',`
')
 
optional_policy(`
+   gssproxy_stream_connect($1_t)
+   ')
+
+   optional_policy(`
hwloc_exec_dhwd($1_t)
hwloc_read_runtime_files($1_t)
')



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2017-09-10 Thread Jason Zaman
commit: 8e9fc437ae1727920d4fcabea0910b7f9e3d3dce
Author: Jason Zaman  perfinion  com>
AuthorDate: Thu Aug 11 05:49:02 2016 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Sep 10 13:53:30 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8e9fc437

virt: need to relabel to set categories

libvirtError: unable to set security context
'system_u:object_r:svirt_image_t:s0:c50,c346' on
'/var/lib/libvirt/qemu/domain-1-zfstest': Permission denied

 policy/modules/contrib/virt.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index e27d24a6..51429d5b 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -501,6 +501,7 @@ filetrans_pattern(virtd_t, virt_home_t, virt_content_t, 
dir, "isos")
 allow virtd_t virtd_keytab_t:file read_file_perms;
 
 allow virtd_t svirt_var_run_t:file relabel_file_perms;
+allow virtd_t svirt_var_run_t:dir relabel_dir_perms;
 manage_dirs_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
 manage_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
 manage_sock_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
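Review bot: relabel_dir_perms on svirt_var_run_t only covers relabelfrom/relabelto for directories that carry that type, whereas the quoted failure is libvirt setting an svirt_image_t context with MCS categories on the per-domain directory; unless virtd_t is allowed relabelto on dirs of the target type elsewhere, that relabel will still be denied. The new line is consistent with the manage_dirs_pattern beside it, but please confirm the relabelto side against the AVC rather than the libvirt error text alone, since the error does not show which of the two checks failed.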



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2017-09-10 Thread Jason Zaman
commit: 234f522a12f0214e10a7a56092e31a3ac747017a
Author: Jason Zaman  perfinion  com>
AuthorDate: Sun Sep 10 13:47:28 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Sep 10 13:47:28 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=234f522a

xdg: allow map perms

 policy/modules/contrib/xdg.if | 23 +++
 1 file changed, 23 insertions(+)

diff --git a/policy/modules/contrib/xdg.if b/policy/modules/contrib/xdg.if
index 649266b3..3188d96f 100644
--- a/policy/modules/contrib/xdg.if
+++ b/policy/modules/contrib/xdg.if
@@ -79,6 +79,7 @@ interface(`xdg_read_cache_home_files',`
')
 
read_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+   allow $1 xdg_cache_home_t:file map;
list_dirs_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
 
userdom_search_user_home_dirs($1)
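Review bot: The interface summaries (outside the hunk) still describe these as read interfaces, but `allow $1 xdg_cache_home_t:file map;` now also lets callers mmap the files, and the same line is added in every other hunk of this file (the all_cache, config_home and data_home read interfaces and all the manage_* interfaces). A shared writable mapping still needs write, so the read interfaces gain no write access, but the doc comments should say "Read and map" so an auditor does not have to read each body. In the manage_* interfaces the map line is placed between manage_files_pattern and manage_lnk_files_pattern; putting it after the pattern group keeps the patterns contiguous, as on the read interfaces.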
@@ -100,6 +101,7 @@ interface(`xdg_read_all_cache_home_files',`
')
 
read_files_pattern($1, xdg_cache_home_type, xdg_cache_home_type)
+   allow $1 xdg_cache_home_type:file map;
 
userdom_search_user_home_dirs($1)
 ')
@@ -208,6 +210,7 @@ interface(`xdg_manage_cache_home',`
 
manage_dirs_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
manage_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
+   allow $1 xdg_cache_home_t:file map;
manage_lnk_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
manage_fifo_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
manage_sock_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t)
@@ -232,6 +235,7 @@ interface(`xdg_manage_all_cache_home',`
 
manage_dirs_pattern($1, xdg_cache_home_type, xdg_cache_home_type)
manage_files_pattern($1, xdg_cache_home_type, xdg_cache_home_type)
+   allow $1 xdg_cache_home_type:file map;
manage_lnk_files_pattern($1, xdg_cache_home_type, xdg_cache_home_type)
manage_fifo_files_pattern($1, xdg_cache_home_type, xdg_cache_home_type)
manage_sock_files_pattern($1, xdg_cache_home_type, xdg_cache_home_type)
@@ -323,6 +327,7 @@ interface(`xdg_read_config_home_files',`
')
 
read_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+   allow $1 xdg_config_home_t:file map;
list_dirs_pattern($1, xdg_config_home_t, xdg_config_home_t)
 
userdom_search_user_home_dirs($1)
@@ -344,6 +349,7 @@ interface(`xdg_read_all_config_home_files',`
')
 
read_files_pattern($1, xdg_config_home_type, xdg_config_home_type)
+   allow $1 xdg_config_home_type:file map;
 
userdom_search_user_home_dirs($1)
 ')
@@ -453,6 +459,7 @@ interface(`xdg_manage_config_home',`
 
manage_dirs_pattern($1, xdg_config_home_t, xdg_config_home_t)
manage_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
+   allow $1 xdg_config_home_t:file map;
manage_lnk_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
manage_fifo_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
manage_sock_files_pattern($1, xdg_config_home_t, xdg_config_home_t)
@@ -477,6 +484,7 @@ interface(`xdg_manage_all_config_home',`
 
manage_dirs_pattern($1, xdg_config_home_type, xdg_config_home_type)
manage_files_pattern($1, xdg_config_home_type, xdg_config_home_type)
+   allow $1 xdg_config_home_type:file map;
manage_lnk_files_pattern($1, xdg_config_home_type, xdg_config_home_type)
manage_fifo_files_pattern($1, xdg_config_home_type, 
xdg_config_home_type)
manage_sock_files_pattern($1, xdg_config_home_type, 
xdg_config_home_type)
@@ -548,6 +556,7 @@ interface(`xdg_read_data_home_files',`
')
 
read_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+   allow $1 xdg_data_home_t:file map;
list_dirs_pattern($1, xdg_data_home_t, xdg_data_home_t)
 
userdom_search_user_home_dirs($1)
@@ -569,6 +578,7 @@ interface(`xdg_read_all_data_home_files',`
')
 
read_files_pattern($1, xdg_data_home_type, xdg_data_home_type)
+   allow $1 xdg_data_home_type:file map;
 
userdom_search_user_home_dirs($1)
 ')
@@ -677,6 +687,7 @@ interface(`xdg_manage_data_home',`
 
manage_dirs_pattern($1, xdg_data_home_t, xdg_data_home_t)
manage_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
+   allow $1 xdg_data_home_t:file map;
manage_lnk_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
manage_fifo_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
manage_sock_files_pattern($1, xdg_data_home_t, xdg_data_home_t)
@@ -701,6 +712,7 @@ interface(`xdg_manage_all_data_home',`
 
manage_dirs_pattern($1, xdg_data_home_type, xdg_data_home_type)
manage_files_pattern($1, xdg_data_home_type, xdg_data_home_type)
+   allow $1 xdg_data_home_type:file map;
manage_lnk_files_pattern($1, xdg_data_home_type, xdg_data_home_type)
manage_fifo_files_pattern($1, xdg_data_home_type, xdg_dat

[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2017-09-10 Thread Jason Zaman
commit: 8c6ec37b74ac4fbf76957ac569cddaf737aae65d
Author: Jason Zaman  perfinion  com>
AuthorDate: Wed Feb 15 17:15:58 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Sep 10 13:53:30 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8c6ec37b

kerberos: Introduce kerberos_filetrans_named_content interface

 policy/modules/contrib/kerberos.if | 37 +
 1 file changed, 37 insertions(+)

diff --git a/policy/modules/contrib/kerberos.if 
b/policy/modules/contrib/kerberos.if
index c8c5a37d..7bfd8a2a 100644
--- a/policy/modules/contrib/kerberos.if
+++ b/policy/modules/contrib/kerberos.if
@@ -425,6 +425,43 @@ interface(`kerberos_connect_524',`
 
 
 ## 
+## Transition to kerberos named content
+## 
+## 
+## 
+##  Domain allowed access.
+## 
+## 
+#
+interface(`kerberos_filetrans_named_content',`
+   gen_require(`
+   type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
+   type krb5kdc_principal_t;
+   ')
+
+   files_etc_filetrans($1, krb5_conf_t, file, "krb5.conf")
+   filetrans_pattern($1, krb5kdc_conf_t, krb5_keytab_t, file, 
"kadm5.keytab")
+   filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, 
"principal")
+   filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, 
"principal0")
+   filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, 
"principal1")
+   #filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, 
"principal1")
+
+   kerberos_etc_filetrans_keytab($1, file, "krb5.keytab")
+   #kerberos_filetrans_admin_home_content($1)
+
+   kerberos_tmp_filetrans_host_rcache($1, file, "DNS_25")
+   kerberos_tmp_filetrans_host_rcache($1, file, "host_0")
+   kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_23")
+   kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_48")
+   kerberos_tmp_filetrans_host_rcache($1, file, "imap_0")
+   kerberos_tmp_filetrans_host_rcache($1, file, "nfs_0")
+   kerberos_tmp_filetrans_host_rcache($1, file, "ldapmap1_0")
+   kerberos_tmp_filetrans_host_rcache($1, file, "ldap_487")
+   kerberos_tmp_filetrans_host_rcache($1, file, "ldap_55")
+')
+
+
+## 
 ## All of the rules required to
 ## administrate an kerberos environment.
 ## 
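Review bot: The commented-out duplicate `#filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal1")` and `#kerberos_filetrans_admin_home_content($1)` are dead lines in a brand-new interface; drop them, or replace the first with the name that was actually intended. The rcache names "DNS_25", "HTTP_23", "HTTP_48", "ldap_487" and "ldap_55" embed uids of one particular host, so they will not match where those services run under other uids; a comment noting where they come from would stop the next maintainer treating them as canonical. If this tree's style discourages calling sibling interfaces from inside the same module, the kerberos_etc_filetrans_keytab and kerberos_tmp_filetrans_host_rcache calls may also need to be written out as patterns.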



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2017-09-10 Thread Jason Zaman
commit: 15f0a66ac8e45129d70d1cb0bbe6a8ae6771953f
Author: Jason Zaman  perfinion  com>
AuthorDate: Thu May 12 16:49:07 2016 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Sep 10 13:53:30 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=15f0a66a

virt: add policy for virtlogd

 policy/modules/contrib/virt.fc |  1 +
 policy/modules/contrib/virt.te | 42 ++
 2 files changed, 43 insertions(+)

diff --git a/policy/modules/contrib/virt.fc b/policy/modules/contrib/virt.fc
index b1f9b1c8..46839588 100644
--- a/policy/modules/contrib/virt.fc
+++ b/policy/modules/contrib/virt.fc
@@ -37,6 +37,7 @@ HOME_DIR/VirtualMachines/isos(/.*)?   
gen_context(system_u:object_r:virt_content_t
 /usr/sbin/libvirt-qmf  --  
gen_context(system_u:object_r:virt_qmf_exec_t,s0)
 /usr/sbin/libvirtd --  gen_context(system_u:object_r:virtd_exec_t,s0)
 /usr/sbin/virtlockd--  
gen_context(system_u:object_r:virtlockd_exec_t,s0)
+/usr/sbin/virtlogd --  
gen_context(system_u:object_r:virtlogd_exec_t,s0)
 
 /var/cache/libvirt(/.*)?   
gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh)
 

diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index fce37958..3d93fac4 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -208,12 +208,21 @@ files_pid_file(virtlockd_run_t)
 type virtlockd_var_lib_t;
 files_type(virtlockd_var_lib_t)
 
+type virtlogd_t;
+type virtlogd_exec_t;
+init_daemon_domain(virtlogd_t, virtlogd_exec_t)
+
+type virtlogd_run_t;
+files_pid_file(virtlogd_run_t)
+
 ifdef(`enable_mcs',`
init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - 
mcs_systemhigh)
+   init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - 
mcs_systemhigh)
 ')
 
 ifdef(`enable_mls',`
init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - 
mls_systemhigh)
+   init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - 
mls_systemhigh)
 ')
 
 
@@ -234,6 +243,9 @@ allow virt_domain virtd_t:fd use;
 allow virt_domain virtd_t:fifo_file rw_fifo_file_perms;
 allow virt_domain virtd_t:process sigchld;
 
+allow virt_domain virtlogd_t:fd use;
+allow virt_domain virtlogd_t:fifo_file rw_fifo_file_perms;
+
 dontaudit virt_domain virtd_t:unix_stream_socket { read write };
 
 manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t)
@@ -472,6 +484,9 @@ dontaudit virtd_t virt_domain:process { siginh noatsecure 
rlimitinh };
 allow virtd_t { virt_domain svirt_lxc_domain }:unix_stream_socket { 
create_stream_socket_perms connectto };
 allow virtd_t svirt_lxc_domain:process signal_perms;
 
+allow virtd_t virtlogd_t:fd use;
+allow virtd_t virtlogd_t:fifo_file rw_fifo_file_perms;
+
 allow virtd_t virtd_lxc_t:process { signal signull sigkill };
 
 domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t)
@@ -558,6 +573,7 @@ filetrans_pattern(virtd_t, virt_var_run_t, 
virtd_lxc_var_run_t, dir, "lxc")
 stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, 
virtd_lxc_t)
 stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
 stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t)
+stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t)
 
 can_exec(virtd_t, virt_tmp_t)
 
@@ -1319,3 +1335,29 @@ miscfiles_read_localization(virtlockd_t)
 
 virt_append_log(virtlockd_t)
 virt_read_config(virtlockd_t)
+
+
+#
+# Virtlogd local policy
+#
+
+allow virtlogd_t self:fifo_file rw_fifo_file_perms;
+
+allow virtlogd_t virtd_t:dir list_dir_perms;
+allow virtlogd_t virtd_t:file read_file_perms;
+allow virtlogd_t virtd_t:lnk_file read_lnk_file_perms;
+
+manage_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t)
+manage_sock_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t)
+filetrans_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t, sock_file)
+files_pid_filetrans(virtlogd_t, virtlogd_run_t, file)
+
+can_exec(virtlogd_t, virtlogd_exec_t)
+
+files_read_etc_files(virtlogd_t)
+files_list_var_lib(virtlogd_t)
+
+miscfiles_read_localization(virtlogd_t)
+
+virt_manage_log(virtlogd_t)
+virt_read_config(virtlogd_t)
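Review bot: The local policy grants manage_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t) but the only transition for regular files is files_pid_filetrans, so a regular file virtlogd creates under the virt_var_run_t directory would be labelled virt_var_run_t rather than virtlogd_run_t; either add `filetrans_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t, file)` or drop the files pattern if only the socket lives there. The three allow rules on virtd_t:dir, file and lnk_file read libvirtd's /proc entries and deserve a why-comment, e.g. `# read libvirtd's /proc entries — TODO confirm against the AVC`. virt_manage_log also gives the daemon delete and rename on guest logs, which is plausible for rotation but worth one line in the message.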



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2017-09-10 Thread Jason Zaman
commit: c4d741a059de129238da9d8f669085cd216973c6
Author: Jason Zaman  perfinion  com>
AuthorDate: Thu Mar 30 07:15:39 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Sep 10 13:53:30 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c4d741a0

gssproxy: add policy

Borrowed and modified from Fedora.

 policy/modules/contrib/gssproxy.fc |   8 ++
 policy/modules/contrib/gssproxy.if | 199 +
 policy/modules/contrib/gssproxy.te |  67 +
 3 files changed, 274 insertions(+)

diff --git a/policy/modules/contrib/gssproxy.fc 
b/policy/modules/contrib/gssproxy.fc
new file mode 100644
index ..a9970159
--- /dev/null
+++ b/policy/modules/contrib/gssproxy.fc
@@ -0,0 +1,8 @@
+/usr/lib/systemd/system/gssproxy.service   --  
gen_context(system_u:object_r:gssproxy_unit_t,s0)
+
+/usr/sbin/gssproxy --  
gen_context(system_u:object_r:gssproxy_exec_t,s0)
+
+/var/lib/gssproxy(/.*)?
gen_context(system_u:object_r:gssproxy_var_lib_t,s0)
+
+/run/gssproxy\.pid --  
gen_context(system_u:object_r:gssproxy_run_t,s0)
+/run/gssproxy\.sock-s  
gen_context(system_u:object_r:gssproxy_run_t,s0)
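Review bot: The two runtime entries are written as `/run/gssproxy\.pid` and `/run/gssproxy\.sock`, while none of the other fc content visible on this page uses /run and refpolicy of this period lists runtime paths under /var/run with /run handled by path substitution; if that is still this tree's convention they should read `/var/run/gssproxy\.pid` and `/var/run/gssproxy\.sock` so the substitution applies consistently. The same entries appear again in the rebased copy of this commit, 4a876f42, further down the page. gssproxy.te is not included on this page and gssproxy.if is cut off, so the rest of the module could not be checked.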

diff --git a/policy/modules/contrib/gssproxy.if 
b/policy/modules/contrib/gssproxy.if
new file mode 100644
index ..cebdb20b
--- /dev/null
+++ b/policy/modules/contrib/gssproxy.if
@@ -0,0 +1,199 @@
+
+## policy for gssproxy
+
+
+## 
+## Execute gssproxy in the gssproxy domin.
+## 
+## 
+## 
+## Domain allowed to transition.
+## 
+## 
+#
+interface(`gssproxy_domtrans',`
+   gen_require(`
+   type gssproxy_t, gssproxy_exec_t;
+   ')
+
+   corecmd_search_bin($1)
+   domtrans_pattern($1, gssproxy_exec_t, gssproxy_t)
+')
+
+
+## 
+## Search gssproxy lib directories.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`gssproxy_search_lib',`
+   gen_require(`
+   type gssproxy_var_lib_t;
+   ')
+
+   allow $1 gssproxy_var_lib_t:dir search_dir_perms;
+   files_search_var_lib($1)
+')
+
+
+## 
+## Read gssproxy lib files.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`gssproxy_read_lib_files',`
+   gen_require(`
+   type gssproxy_var_lib_t;
+   ')
+
+   files_search_var_lib($1)
+   read_files_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
+')
+
+
+## 
+## Manage gssproxy lib files.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`gssproxy_manage_lib_files',`
+   gen_require(`
+   type gssproxy_var_lib_t;
+   ')
+
+   files_search_var_lib($1)
+   manage_files_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
+')
+
+
+## 
+## Manage gssproxy lib directories.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`gssproxy_manage_lib_dirs',`
+   gen_require(`
+   type gssproxy_var_lib_t;
+   ')
+
+   files_search_var_lib($1)
+   manage_dirs_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
+')
+
+
+## 
+## Read gssproxy PID files.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`gssproxy_read_pid_files',`
+   gen_require(`
+   type gssproxy_run_t;
+   ')
+
+   files_search_pids($1)
+   read_files_pattern($1, gssproxy_run_t, gssproxy_run_t)
+')
+
+
+## 
+## Execute gssproxy server in the gssproxy domain.
+## 
+## 
+## 
+## Domain allowed to transition.
+## 
+## 
+#
+interface(`gssproxy_systemctl',`
+   gen_require(`
+   type gssproxy_t;
+   type gssproxy_unit_t;
+   ')
+
+   systemd_exec_systemctl($1)
+   init_reload_services($1)
+   allow $1 gssproxy_unit_t:file read_file_perms;
+   allow $1 gssproxy_unit_t:service manage_service_perms;
+
+   ps_process_pattern($1, gssproxy_t)
+')
+
+
+## 
+## Connect to gssproxy over an unix
+## domain stream socket.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`gssproxy_stream_connect',`
+   gen_require(`
+   type gssproxy_t, gssproxy_run_t, gssproxy_var_lib_t;
+   ')
+
+   files_search_pids($1)
+   stream_connect_pattern($1, gssproxy_run_t, gssproxy_run_t, gssproxy_t)
+   stream_connect_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t, 
gssproxy_t)
+')
+
+
+## 
+## All of the rules required to administrate
+## an gssproxy env

[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2017-09-10 Thread Jason Zaman
commit: 97f88106f6933c0c77204b1fefcda8885d5fa516
Author: Jason Zaman  perfinion  com>
AuthorDate: Wed Aug 31 15:03:49 2016 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Sep 10 13:53:30 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=97f88106

WIP virt: image type perms

 policy/modules/contrib/virt.te | 7 +++
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 0a770ea1..e06d912f 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -468,7 +468,7 @@ tunable_policy(`virt_use_vfio',`
 #
 
 allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod 
net_admin net_raw setgid setpcap setuid sys_admin sys_nice };
-allow virtd_t self:process { getcap getsched setcap sigkill signal signull 
execmem setexec setfscreate setsockcreate setsched };
+allow virtd_t self:process { getcap getsched setcap sigkill signal signull 
execmem setexec setfscreate setrlimit setsockcreate setsched };
 allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto };
 allow virtd_t self:unix_stream_socket { accept connectto listen relabelfrom 
relabelto };
 allow virtd_t self:tcp_socket { accept listen };
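Review bot: setrlimit on virtd_t self:process becomes unconditional here, and the last hunk drops it from the virt_use_vfio tunable where it was previously gated; the commit is marked WIP and gives no reason for widening it to every configuration. If libvirtd now calls setrlimit regardless of vfio (for its own descriptor limit, for example), note that in the message, otherwise keep it inside the tunable.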
@@ -530,9 +530,9 @@ manage_blk_files_pattern(virtd_t, virt_image_type, 
virt_image_type)
 manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type)
 
 allow virtd_t virt_image_type:file relabel_file_perms;
+allow virtd_t virt_image_type:dir { manage_dir_perms relabel_dir_perms };
 allow virtd_t virt_image_type:blk_file relabel_blk_file_perms;
 allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
-allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
 
 allow virtd_t virt_ptynode:chr_file rw_term_perms;
 
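Review bot: `allow virtd_t virt_image_type:dir { manage_dir_perms relabel_dir_perms };` sits beside manage_*_files_pattern calls for the same type, so `manage_dirs_pattern(virtd_t, virt_image_type, virt_image_type)` plus a separate relabel_dir_perms allow would keep the hunk in the pattern style of the surrounding lines. manage_dir_perms also lets libvirtd create and remove directories for every type carrying the virt_image_type attribute, which is wider than a relabel; if only relabel is needed, drop the manage half. Removing the duplicated chr_file rule is fine.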
@@ -572,7 +572,7 @@ manage_files_pattern(virtd_t, virtd_lxc_var_run_t, 
virtd_lxc_var_run_t)
 filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
 
 stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, 
virtd_lxc_t)
-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
+stream_connect_pattern(virtd_t, { virt_image_type svirt_var_run_t }, { 
virt_image_type svirt_var_run_t}, virt_domain)
 stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t)
 stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t)
 
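Review bot: Widening stream_connect_pattern to `{ virt_image_type svirt_var_run_t }` lets virtd_t connect to virt_domain over any sock_file labelled with any virt_image_type type, not only the svirt_var_run_t sockets it used before; if the motivating socket is one qemu places beside an image, name it in a comment so the extra reach can be audited later. The second set is also missing a space before its closing brace: `{ virt_image_type svirt_var_run_t }`.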
@@ -714,7 +714,6 @@ tunable_policy(`virt_use_samba',`
 
 tunable_policy(`virt_use_vfio',`
allow virtd_t self:capability sys_resource;
-   allow virtd_t self:process setrlimit;
allow virtd_t svirt_t:process rlimitinh;
dev_relabelfrom_vfio_dev(virtd_t)
 ')



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2017-09-10 Thread Jason Zaman
commit: fc9b00c559fa5e62f2063b2614932a274e4a103a
Author: Jason Zaman  perfinion  com>
AuthorDate: Fri May 27 20:44:51 2016 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Sep 10 13:53:30 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=fc9b00c5

virt: virtlockd doesnt need ps_process_pattern

 policy/modules/contrib/virt.te | 6 --
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 3d93fac4..e27d24a6 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1308,6 +1308,10 @@ kernel_dontaudit_read_system_state(virt_leaseshelper_t)
 allow virtlockd_t self:capability dac_override;
 allow virtlockd_t self:fifo_file rw_fifo_file_perms;
 
+allow virtlockd_t virtd_t:dir list_dir_perms;
+allow virtlockd_t virtd_t:file read_file_perms;
+allow virtlockd_t virtd_t:lnk_file read_lnk_file_perms;
+
 allow virtlockd_t virt_image_type:dir list_dir_perms;
 allow virtlockd_t virt_image_type:file rw_file_perms;
 
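Review bot: The three new allow rules reproduce ps_process_pattern(virtlockd_t, virtd_t) minus the process getattr, so the title "doesnt need ps_process_pattern" understates what is kept and a reader has to diff the macro to see the difference; a comment such as `# libvirtd /proc entries, without process getattr` above the rules, or a more precise title, would record it. The removal itself is in the second hunk. The same change is carried again by commit 7e6eaa2e further down the page, so whichever is merged should carry the note.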
@@ -1326,8 +1330,6 @@ files_pid_filetrans(virtlockd_t, virtlockd_run_t, file)
 
 can_exec(virtlockd_t, virtlockd_exec_t)
 
-ps_process_pattern(virtlockd_t, virtd_t)
-
 files_read_etc_files(virtlockd_t)
 files_list_var_lib(virtlockd_t)
 



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2017-09-10 Thread Jason Zaman
commit: fde0a68cdd425a6496b4223667d75e9b1f4783f8
Author: Jason Zaman  perfinion  com>
AuthorDate: Sun May  7 13:43:31 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Sep 10 13:53:30 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=fde0a68c

dirmngr: Network rules to connect to keyserver

type=AVC msg=audit(1494163667.921:24917): avc:  denied  { name_bind } for  
pid=15683 comm=636F6E6E2066643D36 src=19321 
scontext=staff_u:staff_r:dirmngr_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=0

 policy/modules/contrib/dirmngr.te | 6 ++
 1 file changed, 6 insertions(+)

diff --git a/policy/modules/contrib/dirmngr.te 
b/policy/modules/contrib/dirmngr.te
index 8f4cb991..fb8a7e50 100644
--- a/policy/modules/contrib/dirmngr.te
+++ b/policy/modules/contrib/dirmngr.te
@@ -63,6 +63,12 @@ manage_sock_files_pattern(dirmngr_t, dirmngr_var_run_t, 
dirmngr_var_run_t)
 files_pid_filetrans(dirmngr_t, dirmngr_var_run_t, { dir file })
 
 kernel_read_crypto_sysctls(dirmngr_t)
+dev_read_rand(dirmngr_t)
+sysnet_dns_name_resolve(dirmngr_t)
+
+corenet_tcp_connect_pgpkeyserver_port(dirmngr_t)
+corenet_udp_bind_generic_node(dirmngr_t)
+corenet_udp_bind_all_unreserved_ports(dirmngr_t)
 
 dev_read_rand(dirmngr_t)
 
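Review bot: dev_read_rand(dirmngr_t) is added at the top of this hunk while the same call is already present as context three lines below, so the hunk introduces a duplicate rule; drop the new one. corenet_udp_bind_all_unreserved_ports is also broad for a daemon that only needs a source port for its resolver: the AVC shows name_bind on an unreserved udp port (the hex comm decodes to "conn fd=6", presumably dirmngr's resolver thread), which suggests it binds explicit random source ports. If a narrower bind interface fits, prefer it; otherwise a comment `# dirmngr's resolver binds random source ports` would explain the width.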



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2017-09-10 Thread Jason Zaman
commit: 6c7a09fcabc376f277efceecd68dfbf58f33a510
Author: Jason Zaman  perfinion  com>
AuthorDate: Sun Sep 10 12:56:26 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Sep 10 12:56:26 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6c7a09fc

pulseaudio: add map perms

 policy/modules/contrib/pulseaudio.if | 2 +-
 policy/modules/contrib/pulseaudio.te | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/policy/modules/contrib/pulseaudio.if 
b/policy/modules/contrib/pulseaudio.if
index 921e519c..3073fd4a 100644
--- a/policy/modules/contrib/pulseaudio.if
+++ b/policy/modules/contrib/pulseaudio.if
@@ -33,7 +33,7 @@ interface(`pulseaudio_role',`
allow $2 pulseaudio_home_t:lnk_file { manage_lnk_file_perms 
relabel_lnk_file_perms };
 
allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:dir { 
manage_dir_perms relabel_dir_perms };
-   allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:file { 
manage_file_perms relabel_file_perms };
+   allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:file { 
manage_file_perms relabel_file_perms map };
 
allow $2 pulseaudio_tmp_t:dir { manage_dir_perms relabel_dir_perms };
allow $2 pulseaudio_tmp_t:file { manage_file_perms relabel_file_perms };

diff --git a/policy/modules/contrib/pulseaudio.te 
b/policy/modules/contrib/pulseaudio.te
index b4154208..9202f23f 100644
--- a/policy/modules/contrib/pulseaudio.te
+++ b/policy/modules/contrib/pulseaudio.te
@@ -138,6 +138,7 @@ logging_send_syslog_msg(pulseaudio_t)
 miscfiles_read_localization(pulseaudio_t)
 
 userdom_read_user_tmpfs_files(pulseaudio_t)
+userdom_map_user_tmpfs_files(pulseaudio_t)
 userdom_delete_user_tmpfs_files(pulseaudio_t)
 userdom_search_user_home_dirs(pulseaudio_t)
 userdom_search_user_home_content(pulseaudio_t)



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2017-09-10 Thread Jason Zaman
commit: 9f5bef71012d46627f45471c31aaf2928447359f
Author: Jason Zaman  perfinion  com>
AuthorDate: Sun Sep 10 13:20:05 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Sep 10 13:20:05 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9f5bef71

cgmanager: use nsswitch

cgmanager looks up usernames. The nsswitch interface will allow file map
for /etc/passwd.

 policy/modules/contrib/cgmanager.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/contrib/cgmanager.te 
b/policy/modules/contrib/cgmanager.te
index c3cc5217..2674193f 100644
--- a/policy/modules/contrib/cgmanager.te
+++ b/policy/modules/contrib/cgmanager.te
@@ -40,6 +40,8 @@ allow cgmanager_t cgmanager_run_t:dir mounton;
 kernel_domtrans_to(cgmanager_t, cgmanager_exec_t)
 kernel_read_system_state(cgmanager_t)
 
+auth_use_nsswitch(cgmanager_t)
+
 corecmd_exec_bin(cgmanager_t)
 
 domain_read_all_domains_state(cgmanager_t)
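Review bot: auth_use_nsswitch grants far more than the passwd map the message asks for — it includes optional access to nscd, sssd, ldap, kerberos and similar name-service back ends — so cgmanager_t picks up network-facing permissions it may never use. If this tree has a narrower interface for reading and mapping passwd files, that would match the stated need; if not, the wide interface is the usual choice but deserves a comment saying so. Ordering-wise, auth_* calls belong after the kernel-layer calls, so the block should move below corecmd_exec_bin and domain_read_all_domains_state.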



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2017-09-10 Thread Jason Zaman
commit: a248b34332e48cff32b36b60714c3658ea96d1c6
Author: Jason Zaman  perfinion  com>
AuthorDate: Sun Sep 10 12:55:51 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Sep 10 12:55:51 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a248b343

resolvconf: allow reading localization

 policy/modules/contrib/resolvconf.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/contrib/resolvconf.te 
b/policy/modules/contrib/resolvconf.te
index b8c8e7e8..58bb165d 100644
--- a/policy/modules/contrib/resolvconf.te
+++ b/policy/modules/contrib/resolvconf.te
@@ -31,6 +31,8 @@ corecmd_exec_shell(resolvconf_t)
 files_pid_filetrans(resolvconf_t, resolvconf_var_run_t, { dir file })
 files_read_etc_files(resolvconf_t)
 
+miscfiles_read_localization(resolvconf_t)
+
 sysnet_manage_config(resolvconf_t)
 
 optional_policy(`



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2017-05-25 Thread Jason Zaman
commit: 7e6eaa2e942d4ea5924fceabf404167b80f93a50
Author: Jason Zaman  perfinion  com>
AuthorDate: Fri May 27 20:44:51 2016 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Thu May 25 17:03:59 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7e6eaa2e

virt: virtlockd doesnt need ps_process_pattern

 policy/modules/contrib/virt.te | 6 --
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 63fef29b..b80abb97 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1308,6 +1308,10 @@ kernel_dontaudit_read_system_state(virt_leaseshelper_t)
 allow virtlockd_t self:capability dac_override;
 allow virtlockd_t self:fifo_file rw_fifo_file_perms;
 
+allow virtlockd_t virtd_t:dir list_dir_perms;
+allow virtlockd_t virtd_t:file read_file_perms;
+allow virtlockd_t virtd_t:lnk_file read_lnk_file_perms;
+
 allow virtlockd_t virt_image_type:dir list_dir_perms;
 allow virtlockd_t virt_image_type:file rw_file_perms;
 
@@ -1326,8 +1330,6 @@ files_pid_filetrans(virtlockd_t, virtlockd_run_t, file)
 
 can_exec(virtlockd_t, virtlockd_exec_t)
 
-ps_process_pattern(virtlockd_t, virtd_t)
-
 files_read_etc_files(virtlockd_t)
 files_list_var_lib(virtlockd_t)
 



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2017-05-25 Thread Jason Zaman
commit: 4a876f4221ab4a0ac55a44712e6afe962bbc278d
Author: Jason Zaman  perfinion  com>
AuthorDate: Thu Mar 30 07:15:39 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Thu May 25 17:03:59 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4a876f42

gssproxy: add policy

Borrowed and modified from Fedora.

 policy/modules/contrib/gssproxy.fc |   8 ++
 policy/modules/contrib/gssproxy.if | 199 +
 policy/modules/contrib/gssproxy.te |  67 +
 3 files changed, 274 insertions(+)

diff --git a/policy/modules/contrib/gssproxy.fc 
b/policy/modules/contrib/gssproxy.fc
new file mode 100644
index ..a9970159
--- /dev/null
+++ b/policy/modules/contrib/gssproxy.fc
@@ -0,0 +1,8 @@
+/usr/lib/systemd/system/gssproxy.service   --  
gen_context(system_u:object_r:gssproxy_unit_t,s0)
+
+/usr/sbin/gssproxy --  
gen_context(system_u:object_r:gssproxy_exec_t,s0)
+
+/var/lib/gssproxy(/.*)?
gen_context(system_u:object_r:gssproxy_var_lib_t,s0)
+
+/run/gssproxy\.pid --  
gen_context(system_u:object_r:gssproxy_run_t,s0)
+/run/gssproxy\.sock-s  
gen_context(system_u:object_r:gssproxy_run_t,s0)

diff --git a/policy/modules/contrib/gssproxy.if 
b/policy/modules/contrib/gssproxy.if
new file mode 100644
index ..cebdb20b
--- /dev/null
+++ b/policy/modules/contrib/gssproxy.if
@@ -0,0 +1,199 @@
+
+## policy for gssproxy
+
+
+## 
+## Execute gssproxy in the gssproxy domin.
+## 
+## 
+## 
+## Domain allowed to transition.
+## 
+## 
+#
+interface(`gssproxy_domtrans',`
+   gen_require(`
+   type gssproxy_t, gssproxy_exec_t;
+   ')
+
+   corecmd_search_bin($1)
+   domtrans_pattern($1, gssproxy_exec_t, gssproxy_t)
+')
+
+
+## 
+## Search gssproxy lib directories.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`gssproxy_search_lib',`
+   gen_require(`
+   type gssproxy_var_lib_t;
+   ')
+
+   allow $1 gssproxy_var_lib_t:dir search_dir_perms;
+   files_search_var_lib($1)
+')
+
+
+## 
+## Read gssproxy lib files.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`gssproxy_read_lib_files',`
+   gen_require(`
+   type gssproxy_var_lib_t;
+   ')
+
+   files_search_var_lib($1)
+   read_files_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
+')
+
+
+## 
+## Manage gssproxy lib files.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`gssproxy_manage_lib_files',`
+   gen_require(`
+   type gssproxy_var_lib_t;
+   ')
+
+   files_search_var_lib($1)
+   manage_files_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
+')
+
+
+## 
+## Manage gssproxy lib directories.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`gssproxy_manage_lib_dirs',`
+   gen_require(`
+   type gssproxy_var_lib_t;
+   ')
+
+   files_search_var_lib($1)
+   manage_dirs_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
+')
+
+
+## 
+## Read gssproxy PID files.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`gssproxy_read_pid_files',`
+   gen_require(`
+   type gssproxy_run_t;
+   ')
+
+   files_search_pids($1)
+   read_files_pattern($1, gssproxy_run_t, gssproxy_run_t)
+')
+
+
+## 
+## Execute gssproxy server in the gssproxy domain.
+## 
+## 
+## 
+## Domain allowed to transition.
+## 
+## 
+#
+interface(`gssproxy_systemctl',`
+   gen_require(`
+   type gssproxy_t;
+   type gssproxy_unit_t;
+   ')
+
+   systemd_exec_systemctl($1)
+   init_reload_services($1)
+   allow $1 gssproxy_unit_t:file read_file_perms;
+   allow $1 gssproxy_unit_t:service manage_service_perms;
+
+   ps_process_pattern($1, gssproxy_t)
+')
+
+
+## 
+## Connect to gssproxy over an unix
+## domain stream socket.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`gssproxy_stream_connect',`
+   gen_require(`
+   type gssproxy_t, gssproxy_run_t, gssproxy_var_lib_t;
+   ')
+
+   files_search_pids($1)
+   stream_connect_pattern($1, gssproxy_run_t, gssproxy_run_t, gssproxy_t)
+   stream_connect_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t, 
gssproxy_t)
+')
+
+
+## 
+## All of the rules required to administrate
+## an gssproxy env

[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2017-05-25 Thread Jason Zaman
commit: 91bc9686ff5065f7cdcce4ec14ac9d6dd89b769d
Author: Jason Zaman  perfinion  com>
AuthorDate: Sun May  7 13:42:53 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Thu May 25 17:03:59 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=91bc9686

dirmngr: fcontext for ~/.gnupg/crls.d/

 policy/modules/contrib/dirmngr.fc |  2 ++
 policy/modules/contrib/dirmngr.te |  7 +++
 policy/modules/contrib/gpg.if | 20 
 3 files changed, 29 insertions(+)

diff --git a/policy/modules/contrib/dirmngr.fc 
b/policy/modules/contrib/dirmngr.fc
index a9cf15a8..60f19f47 100644
--- a/policy/modules/contrib/dirmngr.fc
+++ b/policy/modules/contrib/dirmngr.fc
@@ -1,3 +1,5 @@
+HOME_DIR/\.gnupg/crls\.d(/.+)? 
gen_context(system_u:object_r:dirmngr_home_t,s0)
+
 /etc/dirmngr(/.*)? gen_context(system_u:object_r:dirmngr_conf_t,s0)
 
 /etc/rc\.d/init\.d/dirmngr --  
gen_context(system_u:object_r:dirmngr_initrc_exec_t,s0)

diff --git a/policy/modules/contrib/dirmngr.te 
b/policy/modules/contrib/dirmngr.te
index 8e4a1a89..17cce56a 100644
--- a/policy/modules/contrib/dirmngr.te
+++ b/policy/modules/contrib/dirmngr.te
@@ -27,6 +27,9 @@ files_type(dirmngr_var_lib_t)
 type dirmngr_var_run_t;
 files_pid_file(dirmngr_var_run_t)
 
+type dirmngr_home_t;
+userdom_user_home_content(dirmngr_home_t)
+
 
 #
 # Local policy
@@ -37,6 +40,8 @@ allow dirmngr_t self:fifo_file rw_file_perms;
 allow dirmngr_t dirmngr_conf_t:dir list_dir_perms;
 allow dirmngr_t dirmngr_conf_t:file read_file_perms;
 allow dirmngr_t dirmngr_conf_t:lnk_file read_lnk_file_perms;
+allow dirmngr_t dirmngr_home_t:dir list_dir_perms;
+allow dirmngr_t dirmngr_home_t:file read_file_perms;
 
 manage_dirs_pattern(dirmngr_t, dirmngr_log_t, dirmngr_log_t)
 append_files_pattern(dirmngr_t, dirmngr_log_t, dirmngr_log_t)
@@ -61,6 +66,7 @@ kernel_read_crypto_sysctls(dirmngr_t)
 files_read_etc_files(dirmngr_t)
 
 miscfiles_read_localization(dirmngr_t)
+miscfiles_read_generic_certs(dirmngr_t)
 
 userdom_search_user_home_dirs(dirmngr_t)
 userdom_search_user_runtime(dirmngr_t)
@@ -68,4 +74,5 @@ userdom_user_runtime_filetrans(dirmngr_t, dirmngr_tmp_t, dir)
 
 optional_policy(`
gpg_agent_tmp_filetrans(dirmngr_t, dirmngr_tmp_t, sock_file)
+   gpg_secret_filetrans(dirmngr_t, dirmngr_home_t, dir)
 ')
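Review bot: `gpg_secret_filetrans(dirmngr_t, dirmngr_home_t, dir)` is passed no file name, so every directory dirmngr_t creates directly under a gpg_secret_t directory is labelled dirmngr_home_t, while the new fc entry only covers `~/.gnupg/crls.d`. A named transition, `gpg_secret_filetrans(dirmngr_t, dirmngr_home_t, dir, "crls.d")`, keeps the policy and the file contexts in agreement and avoids mislabelling any other directory dirmngr might create there. The enclosing optional_policy block is fully inside the hunk, but the rest of the file is not visible here.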

diff --git a/policy/modules/contrib/gpg.if b/policy/modules/contrib/gpg.if
index 4480f9c6..e5a12750 100644
--- a/policy/modules/contrib/gpg.if
+++ b/policy/modules/contrib/gpg.if
@@ -254,6 +254,26 @@ interface(`gpg_agent_tmp_filetrans',`
 
 
 ## 
+## filetrans in gpg_secret_t dirs
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`gpg_secret_filetrans',`
+   gen_require(`
+   type gpg_secret_t;
+   ')
+
+   filetrans_pattern($1, gpg_secret_t, $2, $3, $4)
+   allow $1 gpg_secret_t:dir search_dir_perms;
+   userdom_search_user_home_dirs($1)
+')
+
+
+## 
 ## Send messages to and from gpg
 ## pinentry over DBUS.
 ## 
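Review bot: `gpg_secret_filetrans` hands the caller `filetrans_pattern`'s directory permissions on gpg_secret_t — rw_dir_perms, which (if I recall misc_patterns correctly) includes remove_name and write on the user's secret-keyring directory — when the one caller in this series only needs to create a subdirectory. `filetrans_add_pattern($1, gpg_secret_t, $2, $3, $4)`, if available in this tree, grants add_entry_dir_perms instead, and since that set already includes search the separate `allow $1 gpg_secret_t:dir search_dir_perms;` line becomes redundant. The interface header documents a single 'Domain allowed access.' parameter although the body uses $2 (private type), $3 (object class) and $4 (optional file name); each should get its own param entry.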



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2017-05-25 Thread Jason Zaman
commit: c85529b2e1cd810f266ac3faad133210cc8787e7
Author: Jason Zaman  perfinion  com>
AuthorDate: Sun May  7 13:43:31 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Thu May 25 17:03:59 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c85529b2

dirmngr: Network rules to connect to keyserver

type=AVC msg=audit(1494163667.921:24917): avc:  denied  { name_bind } for  
pid=15683 comm=636F6E6E2066643D36 src=19321 
scontext=staff_u:staff_r:dirmngr_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=0

 policy/modules/contrib/dirmngr.te | 6 ++
 1 file changed, 6 insertions(+)

diff --git a/policy/modules/contrib/dirmngr.te 
b/policy/modules/contrib/dirmngr.te
index 17cce56a..b64fc610 100644
--- a/policy/modules/contrib/dirmngr.te
+++ b/policy/modules/contrib/dirmngr.te
@@ -62,6 +62,12 @@ manage_sock_files_pattern(dirmngr_t, dirmngr_var_run_t, 
dirmngr_var_run_t)
 files_pid_filetrans(dirmngr_t, dirmngr_var_run_t, { dir file })
 
 kernel_read_crypto_sysctls(dirmngr_t)
+dev_read_rand(dirmngr_t)
+sysnet_dns_name_resolve(dirmngr_t)
+
+corenet_tcp_connect_pgpkeyserver_port(dirmngr_t)
+corenet_udp_bind_generic_node(dirmngr_t)
+corenet_udp_bind_all_unreserved_ports(dirmngr_t)
 
 files_read_etc_files(dirmngr_t)
 
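Review bot: `corenet_udp_bind_all_unreserved_ports(dirmngr_t)` is far wider than the denial quoted in the message, which is a single ephemeral UDP source port (19321) bound by what looks like dirmngr's built-in resolver — the hex comm in the record decodes to `conn fd=6`. Allowing a bind on every unreserved UDP port also lets the domain receive on any of them, so it is worth checking whether dirmngr needs an explicit bind at all or whether a narrower rule or a tunable suffices, and in any case recording the reason beside the rule, e.g. `# built-in resolver binds a random UDP source port for keyserver lookups`. `dev_read_rand` and `sysnet_dns_name_resolve` are not explained by the quoted record and deserve their own one-line justification if they came from separate denials.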



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2017-05-25 Thread Jason Zaman
commit: d629bd240173172035ad48db7586e6a163bb8e4b
Author: Jason Zaman  perfinion  com>
AuthorDate: Thu Mar 30 04:58:28 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Thu May 25 17:03:59 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d629bd24

dirmngr: add to roles and allow gpg to domtrans

 policy/modules/contrib/dirmngr.if | 69 +++
 policy/modules/contrib/gpg.te |  4 +++
 2 files changed, 73 insertions(+)

diff --git a/policy/modules/contrib/dirmngr.if 
b/policy/modules/contrib/dirmngr.if
index 4cd2810e..2f6875a6 100644
--- a/policy/modules/contrib/dirmngr.if
+++ b/policy/modules/contrib/dirmngr.if
@@ -1,5 +1,74 @@
 ## Server for managing and downloading certificate revocation 
lists.
 
+
+## 
+## Role access for dirmngr.
+## 
+## 
+## 
+## Role allowed access.
+## 
+## 
+## 
+## 
+## User domain for the role.
+## 
+## 
+#
+interface(`dirmngr_role',`
+   gen_require(`
+   type dirmngr_t, dirmngr_exec_t;
+   ')
+
+   role $1 types dirmngr_t;
+
+   domtrans_pattern($2, dirmngr_exec_t, dirmngr_t)
+
+   allow $2 dirmngr_t:process { ptrace signal_perms };
+   ps_process_pattern($2, dirmngr_t)
+
+   allow dirmngr_t $2:fd use;
+   allow dirmngr_t $2:fifo_file { read write };
+')
+
+
+## 
+## Execute dirmngr in the dirmngr domain.
+## 
+## 
+## 
+## Domain allowed to transition.
+## 
+## 
+#
+interface(`dirmngr_domtrans',`
+   gen_require(`
+   type dirmngr_t, dirmngr_exec_t;
+   ')
+
+   corecmd_search_bin($1)
+   domtrans_pattern($1, dirmngr_exec_t, dirmngr_t)
+')
+
+
+## 
+## Execute the dirmngr in the caller domain.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`dirmngr_exec',`
+   gen_require(`
+   type dirmngr_exec_t;
+   ')
+
+   corecmd_search_bin($1)
+   can_exec($1, dirmngr_exec_t)
+')
+
 
 ## 
 ## All of the rules required to

diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te
index c145fb4c..1b8448c7 100644
--- a/policy/modules/contrib/gpg.te
+++ b/policy/modules/contrib/gpg.te
@@ -139,6 +139,10 @@ tunable_policy(`use_samba_home_dirs',`
 ')
 
 optional_policy(`
+   dirmngr_domtrans(gpg_t)
+')
+
+optional_policy(`
evolution_read_orbit_tmp_files(gpg_t)
 ')
 



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2017-05-25 Thread Jason Zaman
commit: 4c92736636a7012c7d831dfdd6acc0d9be2afd2b
Author: Jason Zaman  perfinion  com>
AuthorDate: Thu Aug 11 05:49:02 2016 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Thu May 25 17:03:59 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4c927366

virt: need to relabel to set categories

libvirtError: unable to set security context
'system_u:object_r:svirt_image_t:s0:c50,c346' on
'/var/lib/libvirt/qemu/domain-1-zfstest': Permission denied

 policy/modules/contrib/virt.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index b80abb97..b30765c8 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -501,6 +501,7 @@ filetrans_pattern(virtd_t, virt_home_t, virt_content_t, 
dir, "isos")
 allow virtd_t virtd_keytab_t:file read_file_perms;
 
 allow virtd_t svirt_var_run_t:file relabel_file_perms;
+allow virtd_t svirt_var_run_t:dir relabel_dir_perms;
 manage_dirs_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
 manage_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
 manage_sock_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
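Review bot: `allow virtd_t svirt_var_run_t:dir relabel_dir_perms;` covers only the relabelfrom side of the failure quoted in the message; relabelling that directory to svirt_image_t:s0:c50,c346 also needs relabelto on the target type's dirs, which this hunk does not grant (the WIP commit 3a654acf in this same batch adds `allow virtd_t virt_image_type:dir { manage_dir_perms relabel_dir_perms }`, assuming svirt_image_t carries the virt_image_type attribute as in refpolicy). As committed on its own the error should still reproduce, so either both rules belong in one commit or the message should say the fix is split across two. A short comment on the rule, such as `# libvirtd relabels per-guest dirs (e.g. /var/lib/libvirt/qemu/domain-*) to the categorised image type`, would make the dependency visible to the next reader.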



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2017-05-25 Thread Jason Zaman
commit: 3a654acf88973e1295e05bf253e9ec787b19cf23
Author: Jason Zaman  perfinion  com>
AuthorDate: Wed Aug 31 15:03:49 2016 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Thu May 25 17:03:59 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3a654acf

WIP virt: image type perms

 policy/modules/contrib/virt.te | 7 +++
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index fb3c3f37..6ccafff3 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -468,7 +468,7 @@ tunable_policy(`virt_use_vfio',`
 #
 
 allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod 
net_admin net_raw setgid setpcap setuid sys_admin sys_nice };
-allow virtd_t self:process { getcap getsched setcap sigkill signal signull 
execmem setexec setfscreate setsockcreate setsched };
+allow virtd_t self:process { getcap getsched setcap sigkill signal signull 
execmem setexec setfscreate setrlimit setsockcreate setsched };
 allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto };
 allow virtd_t self:unix_stream_socket { accept connectto listen relabelfrom 
relabelto };
 allow virtd_t self:tcp_socket { accept listen };
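Review bot: Adding setrlimit to the unconditional `allow virtd_t self:process { ... }` rule while the fourth hunk deletes it from the `virt_use_vfio` tunable silently turns an opt-in permission into an always-on one, and the message ("WIP") does not say why. If libvirtd adjusts its own limits regardless of VFIO (plausible, but not shown here) the rule should say so, e.g. `# libvirtd raises its own rlimits when launching guests; no longer tied to virt_use_vfio`. Landing a commit titled WIP on the branch is also worth reconsidering: either finish it or record in the message what is still unknown.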
@@ -530,9 +530,9 @@ manage_blk_files_pattern(virtd_t, virt_image_type, 
virt_image_type)
 manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type)
 
 allow virtd_t virt_image_type:file relabel_file_perms;
+allow virtd_t virt_image_type:dir { manage_dir_perms relabel_dir_perms };
 allow virtd_t virt_image_type:blk_file relabel_blk_file_perms;
 allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
-allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
 
 allow virtd_t virt_ptynode:chr_file rw_term_perms;
 
@@ -572,7 +572,7 @@ manage_files_pattern(virtd_t, virtd_lxc_var_run_t, 
virtd_lxc_var_run_t)
 filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
 
 stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, 
virtd_lxc_t)
-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
+stream_connect_pattern(virtd_t, { virt_image_type svirt_var_run_t }, { 
virt_image_type svirt_var_run_t}, virt_domain)
 stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t)
 stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t)
 
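Review bot: The rewritten `stream_connect_pattern` line is missing a space before the closing brace in `{ virt_image_type svirt_var_run_t}`; refpolicy writes sets as `{ a b }`, so it should read `{ virt_image_type svirt_var_run_t }`. Widening the socket-file and directory types from svirt_var_run_t to the whole virt_image_type attribute lets libvirtd connect to a guest's socket placed in any image directory, a deliberate broadening that deserves a comment naming which socket lives there — I cannot tell from the hunk which one it is.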
@@ -714,7 +714,6 @@ tunable_policy(`virt_use_samba',`
 
 tunable_policy(`virt_use_vfio',`
allow virtd_t self:capability sys_resource;
-   allow virtd_t self:process setrlimit;
allow virtd_t svirt_t:process rlimitinh;
dev_relabelfrom_vfio_dev(virtd_t)
 ')



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2017-05-25 Thread Jason Zaman
commit: 023ca1139b4798c5cb5988ece143221988517236
Author: Jason Zaman  perfinion  com>
AuthorDate: Wed May 10 09:31:23 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Thu May 25 17:03:59 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=023ca113

networkmanager: use consolekit inhibit locks

 policy/modules/contrib/networkmanager.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/contrib/networkmanager.te 
b/policy/modules/contrib/networkmanager.te
index dee77c73..4190eaae 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -228,6 +228,7 @@ optional_policy(`
 
optional_policy(`
consolekit_dbus_chat(NetworkManager_t)
+   consolekit_use_inhibit_lock(NetworkManager_t)
')
 
optional_policy(`



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2017-05-25 Thread Jason Zaman
commit: 7bee6518835d0d0c4a6ab9041f9cfeef363813e2
Author: Jason Zaman  perfinion  com>
AuthorDate: Thu May 12 16:49:07 2016 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Thu May 25 17:03:59 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7bee6518

virt: add policy for virtlogd

 policy/modules/contrib/virt.fc |  1 +
 policy/modules/contrib/virt.te | 42 ++
 2 files changed, 43 insertions(+)

diff --git a/policy/modules/contrib/virt.fc b/policy/modules/contrib/virt.fc
index b1f9b1c8..46839588 100644
--- a/policy/modules/contrib/virt.fc
+++ b/policy/modules/contrib/virt.fc
@@ -37,6 +37,7 @@ HOME_DIR/VirtualMachines/isos(/.*)?   
gen_context(system_u:object_r:virt_content_t
 /usr/sbin/libvirt-qmf  --  
gen_context(system_u:object_r:virt_qmf_exec_t,s0)
 /usr/sbin/libvirtd --  gen_context(system_u:object_r:virtd_exec_t,s0)
 /usr/sbin/virtlockd--  
gen_context(system_u:object_r:virtlockd_exec_t,s0)
+/usr/sbin/virtlogd --  
gen_context(system_u:object_r:virtlogd_exec_t,s0)
 
 /var/cache/libvirt(/.*)?   
gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh)
 

diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 4fb34894..63fef29b 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -208,12 +208,21 @@ files_pid_file(virtlockd_run_t)
 type virtlockd_var_lib_t;
 files_type(virtlockd_var_lib_t)
 
+type virtlogd_t;
+type virtlogd_exec_t;
+init_daemon_domain(virtlogd_t, virtlogd_exec_t)
+
+type virtlogd_run_t;
+files_pid_file(virtlogd_run_t)
+
 ifdef(`enable_mcs',`
init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - 
mcs_systemhigh)
+   init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - 
mcs_systemhigh)
 ')
 
 ifdef(`enable_mls',`
init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - 
mls_systemhigh)
+   init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - 
mls_systemhigh)
 ')
 
 
@@ -234,6 +243,9 @@ allow virt_domain virtd_t:fd use;
 allow virt_domain virtd_t:fifo_file rw_fifo_file_perms;
 allow virt_domain virtd_t:process sigchld;
 
+allow virt_domain virtlogd_t:fd use;
+allow virt_domain virtlogd_t:fifo_file rw_fifo_file_perms;
+
 dontaudit virt_domain virtd_t:unix_stream_socket { read write };
 
 manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t)
@@ -472,6 +484,9 @@ dontaudit virtd_t virt_domain:process { siginh noatsecure 
rlimitinh };
 allow virtd_t { virt_domain svirt_lxc_domain }:unix_stream_socket { 
create_stream_socket_perms connectto };
 allow virtd_t svirt_lxc_domain:process signal_perms;
 
+allow virtd_t virtlogd_t:fd use;
+allow virtd_t virtlogd_t:fifo_file rw_fifo_file_perms;
+
 allow virtd_t virtd_lxc_t:process { signal signull sigkill };
 
 domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t)
@@ -558,6 +573,7 @@ filetrans_pattern(virtd_t, virt_var_run_t, 
virtd_lxc_var_run_t, dir, "lxc")
 stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, 
virtd_lxc_t)
 stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
 stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t)
+stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t)
 
 can_exec(virtd_t, virt_tmp_t)
 
@@ -1319,3 +1335,29 @@ miscfiles_read_localization(virtlockd_t)
 
 virt_append_log(virtlockd_t)
 virt_read_config(virtlockd_t)
+
+
+#
+# Virtlogd local policy
+#
+
+allow virtlogd_t self:fifo_file rw_fifo_file_perms;
+
+allow virtlogd_t virtd_t:dir list_dir_perms;
+allow virtlogd_t virtd_t:file read_file_perms;
+allow virtlogd_t virtd_t:lnk_file read_lnk_file_perms;
+
+manage_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t)
+manage_sock_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t)
+filetrans_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t, sock_file)
+files_pid_filetrans(virtlogd_t, virtlogd_run_t, file)
+
+can_exec(virtlogd_t, virtlogd_exec_t)
+
+files_read_etc_files(virtlogd_t)
+files_list_var_lib(virtlogd_t)
+
+miscfiles_read_localization(virtlogd_t)
+
+virt_manage_log(virtlogd_t)
+virt_read_config(virtlogd_t)
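Review bot: In the new virtlogd local policy the three allow rules on virtd_t (dir list_dir_perms, file read_file_perms, lnk_file read_lnk_file_perms) are the expansion of `ps_process_pattern`, which is what the sibling virtlockd block uses for the same purpose at this point in the file (`ps_process_pattern(virtlockd_t, virtd_t)`), so `ps_process_pattern(virtlogd_t, virtd_t)` would keep the two daemons consistent and is easier to audit. It would also help to say in a one-line comment why a log daemon reads libvirtd's /proc entries — presumably to validate the peer on its socket, but that is not visible here. `files_list_var_lib(virtlogd_t)` is granted although virtlogd gets no var_lib type of its own in this commit; if it is only there because the virtlockd block has it, it may be droppable.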



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2017-05-25 Thread Jason Zaman
commit: 741fe2c6d5f0925daf2c18f635c9a928bfcd5bc8
Author: Jason Zaman  perfinion  com>
AuthorDate: Wed May 10 09:31:08 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Thu May 25 17:03:59 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=741fe2c6

dbus: use consolekit inhibit locks

 policy/modules/contrib/dbus.te | 4 
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
index ca39fb6b..be216326 100644
--- a/policy/modules/contrib/dbus.te
+++ b/policy/modules/contrib/dbus.te
@@ -167,6 +167,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+   consolekit_use_inhibit_lock(system_dbusd_t)
+')
+
+optional_policy(`
policykit_read_lib(system_dbusd_t)
 ')
 
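Review bot: Nothing in the hunk or the message says why the system bus itself needs `consolekit_use_inhibit_lock(system_dbusd_t)`, which gives it `fd use` on consolekit's descriptors and read/write on its fifo files. If the reason is that the lock descriptor travels through the bus to the real holder (my guess — the interface description in this series says applications hold the fd), a comment such as `# inhibit-lock fds pass through the bus on their way to clients` would save the next reader the archaeology. The enclosing chain of optional_policy blocks continues outside the hunk.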



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2017-05-25 Thread Jason Zaman
commit: a337f867d9be283b99af8ca7714f110918da5551
Author: Jason Zaman  perfinion  com>
AuthorDate: Wed May 10 09:09:34 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Thu May 25 17:03:59 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a337f867

consolekit: allow purging tmp

Needs to be able to clear out /run/user/UID on logout

 policy/modules/contrib/consolekit.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/contrib/consolekit.te 
b/policy/modules/contrib/consolekit.te
index d51634ea..ea4db82b 100644
--- a/policy/modules/contrib/consolekit.te
+++ b/policy/modules/contrib/consolekit.te
@@ -64,6 +64,7 @@ domain_dontaudit_ptrace_all_domains(consolekit_t)
 files_read_usr_files(consolekit_t)
 files_read_var_lib_files(consolekit_t)
 files_search_all_mountpoints(consolekit_t)
+files_purge_tmp(consolekit_t)
 
 fs_list_inotifyfs(consolekit_t)
 fs_mount_tmpfs(consolekit_t)
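Review bot: `files_purge_tmp(consolekit_t)` grants delete on every tmpfile-attributed type system-wide, whereas the message only needs /run/user/UID cleared on logout; that directory is user runtime content rather than /tmp, so the interface is both wider than and possibly beside the stated purpose. A userdom_*_user_runtime interface scoped to user runtime types would be the narrower fit (this batch already uses `userdom_search_user_runtime` and `userdom_user_runtime_filetrans` in dirmngr.te, so that interface family exists here) — worth checking against the actual denial. If the broad interface really is needed, record the denial that required it in a comment above the line.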



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2017-05-25 Thread Jason Zaman
commit: 5a8818391194c993b1e0a4b8c2dc758097f8aed3
Author: Jason Zaman  perfinion  com>
AuthorDate: Wed May 10 09:07:26 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Thu May 25 17:03:59 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5a881839

consolekit: introduce consolekit_use_inhibit_lock interface

Applications hold FDs while they hold the lock.
Implements this API:
https://www.freedesktop.org/wiki/Software/systemd/inhibit/

 policy/modules/contrib/consolekit.if | 19 +++
 1 file changed, 19 insertions(+)

diff --git a/policy/modules/contrib/consolekit.if 
b/policy/modules/contrib/consolekit.if
index 5b830ec9..c2c203f1 100644
--- a/policy/modules/contrib/consolekit.if
+++ b/policy/modules/contrib/consolekit.if
@@ -42,6 +42,25 @@ interface(`consolekit_dbus_chat',`
 
 
 ## 
+## Take inhibit locks from consolekit
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`consolekit_use_inhibit_lock',`
+   gen_require(`
+   type consolekit_t, consolekit_var_run_t;
+   ')
+
+   allow $1 consolekit_t:fd use;
+   allow $1 consolekit_var_run_t:fifo_file rw_fifo_file_perms;
+')
+
+
+## 
 ## Read consolekit log files.
 ## 
 ## 
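Review bot: `allow $1 consolekit_var_run_t:fifo_file rw_fifo_file_perms;` assumes the inhibit-lock descriptor refers to a fifo on disk labelled consolekit_var_run_t; if the lock is an anonymous pipe created by consolekit, as I understand the inhibit API linked in the message to describe, the fifo_file object carries the creating domain's type (consolekit_t) and this rule would not match the denial. Worth confirming against the audit record before relying on it — the rule would then be `allow $1 consolekit_t:fifo_file rw_fifo_file_perms;`, or a `{ read write }` subset if the holder never needs more. The description could also say what the caller actually receives (an inherited descriptor it merely holds), which is what the `fd use` rule expresses.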



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2017-05-25 Thread Jason Zaman
commit: cc786a07ee93677d6b41dc10e61e3810038f4c6f
Author: Jason Zaman  perfinion  com>
AuthorDate: Wed Feb 15 17:15:58 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Thu May 25 17:03:59 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=cc786a07

kerberos: Introduce kerberos_filetrans_named_content interface

 policy/modules/contrib/kerberos.if | 37 +
 1 file changed, 37 insertions(+)

diff --git a/policy/modules/contrib/kerberos.if 
b/policy/modules/contrib/kerberos.if
index 01caeead..d9d5811f 100644
--- a/policy/modules/contrib/kerberos.if
+++ b/policy/modules/contrib/kerberos.if
@@ -466,6 +466,43 @@ interface(`kerberos_connect_524',`
 
 
 ## 
+## Transition to kerberos named content
+## 
+## 
+## 
+##  Domain allowed access.
+## 
+## 
+#
+interface(`kerberos_filetrans_named_content',`
+   gen_require(`
+   type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
+   type krb5kdc_principal_t;
+   ')
+
+   files_etc_filetrans($1, krb5_conf_t, file, "krb5.conf")
+   filetrans_pattern($1, krb5kdc_conf_t, krb5_keytab_t, file, 
"kadm5.keytab")
+   filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, 
"principal")
+   filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, 
"principal0")
+   filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, 
"principal1")
+   #filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, 
"principal1")
+
+   kerberos_etc_filetrans_keytab($1, file, "krb5.keytab")
+   #kerberos_filetrans_admin_home_content($1)
+
+   kerberos_tmp_filetrans_host_rcache($1, file, "DNS_25")
+   kerberos_tmp_filetrans_host_rcache($1, file, "host_0")
+   kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_23")
+   kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_48")
+   kerberos_tmp_filetrans_host_rcache($1, file, "imap_0")
+   kerberos_tmp_filetrans_host_rcache($1, file, "nfs_0")
+   kerberos_tmp_filetrans_host_rcache($1, file, "ldapmap1_0")
+   kerberos_tmp_filetrans_host_rcache($1, file, "ldap_487")
+   kerberos_tmp_filetrans_host_rcache($1, file, "ldap_55")
+')
+
+
+## 
 ## All of the rules required to
 ## administrate an kerberos environment.
 ## 
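Review bot: `kerberos_filetrans_named_content` lands with two commented-out rules (`#filetrans_pattern(... "principal1")`, a duplicate of the live line above it, and `#kerberos_filetrans_admin_home_content($1)`); dead rules in a new interface should be removed or replaced by a comment saying why they are withheld. The rcache names (`DNS_25`, `HTTP_23`, `HTTP_48`, `ldap_487`, `ldap_55`, ...) embed the numeric UID of the service account, which is installation-specific, so a comment noting that these match one distribution's default UIDs and will not match other layouts would stop them being mistaken for protocol constants. The parameter description also has a stray double space in `##  Domain allowed access.`.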



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/, policy/modules/kernel/, policy/modules/system/

2017-05-25 Thread Jason Zaman
commit: de8ad58a6a9103f443b733400d2f7980944bfcd0
Author: Jason Zaman  perfinion  com>
AuthorDate: Thu Mar 30 07:30:55 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Thu May 25 17:03:59 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=de8ad58a

gssproxy: Allow others to stream connect

kernel AVC:
 * Starting gssproxy ...
Failed to write to /proc/net/rpc/use-gss-proxy: 13 (Permission denied)
 * start-stop-daemon: failed to start `gssproxy'

type=AVC msg=audit(1490858215.578:386110): avc:  denied  { connectto } for  
pid=25447 comm="gssproxy" path="/run/gssproxy.sock" 
scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 
tclass=unix_stream_socket permissive=0

 policy/modules/contrib/rpc.te   | 3 +++
 policy/modules/kernel/kernel.te | 4 
 policy/modules/system/userdomain.if | 4 
 3 files changed, 11 insertions(+)

diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
index a8a83400..c7855fef 100644
--- a/policy/modules/contrib/rpc.te
+++ b/policy/modules/contrib/rpc.te
@@ -339,6 +339,9 @@ optional_policy(`
 ')
 
 optional_policy(`
+   gssproxy_stream_connect(gssd_t)
+')
+optional_policy(`
kerberos_manage_host_rcache(gssd_t)
kerberos_read_keytab(gssd_t)
kerberos_tmp_filetrans_host_rcache(gssd_t, file, "nfs_0")
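Review bot: The new `optional_policy` block is glued to the following one with no blank line between `')` and `optional_policy(`; refpolicy separates these blocks with one blank line, so insert it after the new `')`. The sequence of optional_policy blocks starts and continues outside the hunk.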

diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 685f3d0f..5877621b 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -423,6 +423,10 @@ optional_policy(`
rpc_tcp_rw_nfs_sockets(kernel_t)
rpc_udp_rw_nfs_sockets(kernel_t)
 
+   optional_policy(`
+   gssproxy_stream_connect(kernel_t)
+   ')
+
tunable_policy(`nfs_export_all_ro',`
fs_getattr_noxattr_fs(kernel_t)
fs_list_noxattr_fs(kernel_t)

diff --git a/policy/modules/system/userdomain.if 
b/policy/modules/system/userdomain.if
index dbfb33da..55512c04 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -726,6 +726,10 @@ template(`userdom_common_user_template',`
')
 
optional_policy(`
+   gssproxy_stream_connect($1_t)
+   ')
+
+   optional_policy(`
hwloc_exec_dhwd($1_t)
hwloc_read_runtime_files($1_t)
')



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2017-05-25 Thread Jason Zaman
commit: e8b9afa5c6358e954388e5568f739a75d26f2e72
Author: Jason Zaman  perfinion  com>
AuthorDate: Sun Apr 16 06:38:47 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Thu May 25 17:03:59 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e8b9afa5

gpg dirmngr: create and connect to socket

 policy/modules/contrib/dirmngr.fc |  2 ++
 policy/modules/contrib/dirmngr.if | 25 +
 policy/modules/contrib/dirmngr.te | 13 +
 policy/modules/contrib/gpg.if | 38 ++
 policy/modules/contrib/gpg.te |  1 +
 5 files changed, 79 insertions(+)

diff --git a/policy/modules/contrib/dirmngr.fc 
b/policy/modules/contrib/dirmngr.fc
index a0f261c9..a9cf15a8 100644
--- a/policy/modules/contrib/dirmngr.fc
+++ b/policy/modules/contrib/dirmngr.fc
@@ -12,3 +12,5 @@
 /run/dirmngr\.pid  --  
gen_context(system_u:object_r:dirmngr_var_run_t,s0)
 
 /run/dirmngr(/.*)? gen_context(system_u:object_r:dirmngr_var_run_t,s0)
+
+/run/user/%{USERID}/gnupg/S.dirmngr-s  
gen_context(system_u:object_r:dirmngr_tmp_t,s0)

diff --git a/policy/modules/contrib/dirmngr.if 
b/policy/modules/contrib/dirmngr.if
index 2f6875a6..07af5063 100644
--- a/policy/modules/contrib/dirmngr.if
+++ b/policy/modules/contrib/dirmngr.if
@@ -18,6 +18,7 @@
 interface(`dirmngr_role',`
gen_require(`
type dirmngr_t, dirmngr_exec_t;
+   type dirmngr_tmp_t;
')
 
role $1 types dirmngr_t;
@@ -29,6 +30,8 @@ interface(`dirmngr_role',`
 
allow dirmngr_t $2:fd use;
allow dirmngr_t $2:fifo_file { read write };
+
+   allow $2 dirmngr_tmp_t:sock_file { manage_sock_file_perms 
relabel_sock_file_perms };
 ')
 
 
@@ -71,6 +74,28 @@ interface(`dirmngr_exec',`
 
 
 ## 
+## Connect to dirmngr socket
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`dirmngr_stream_connect',`
+   gen_require(`
+   type dirmngr_t, dirmngr_tmp_t;
+   ')
+
+   gpg_search_agent_tmp_dirs($1)
+   allow $1 dirmngr_tmp_t:sock_file rw_sock_file_perms;
+   allow $1 dirmngr_t:unix_stream_socket connectto;
+   userdom_search_user_runtime($1)
+   userdom_search_user_home_dirs($1)
+')
+
+
+## 
 ## All of the rules required to
 ## administrate an dirmngr environment.
 ## 
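Review bot: `dirmngr_stream_connect` calls `gpg_search_agent_tmp_dirs($1)` unconditionally, making the dirmngr module hard-depend on gpg, while dirmngr.te in this same commit wraps its own gpg call (`gpg_agent_tmp_filetrans`) in `optional_policy`; the two should agree. If gpg is genuinely required for dirmngr's socket to be reachable, say so in the module header and drop the optional_policy in dirmngr.te; otherwise the search permission needs another route or the call belongs behind optional_policy in the callers. `userdom_search_user_home_dirs($1)` is also unexplained here, since the new fc entry places the socket under /run/user/%{USERID} rather than the home directory — if it covers a fallback socket location, a comment should say so.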

diff --git a/policy/modules/contrib/dirmngr.te 
b/policy/modules/contrib/dirmngr.te
index 23f40456..8e4a1a89 100644
--- a/policy/modules/contrib/dirmngr.te
+++ b/policy/modules/contrib/dirmngr.te
@@ -18,6 +18,9 @@ init_script_file(dirmngr_initrc_exec_t)
 type dirmngr_log_t;
 logging_log_file(dirmngr_log_t)
 
+type dirmngr_tmp_t;
+userdom_user_tmp_file(dirmngr_tmp_t)
+
 type dirmngr_var_lib_t;
 files_type(dirmngr_var_lib_t)
 
@@ -46,6 +49,8 @@ manage_files_pattern(dirmngr_t, dirmngr_var_lib_t, 
dirmngr_var_lib_t)
 manage_lnk_files_pattern(dirmngr_t, dirmngr_var_lib_t, dirmngr_var_lib_t)
 files_var_lib_filetrans(dirmngr_t, dirmngr_var_lib_t, dir)
 
+manage_sock_files_pattern(dirmngr_t, dirmngr_tmp_t, dirmngr_tmp_t)
+
 manage_dirs_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t)
 manage_files_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t)
 manage_sock_files_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t)
@@ -56,3 +61,11 @@ kernel_read_crypto_sysctls(dirmngr_t)
 files_read_etc_files(dirmngr_t)
 
 miscfiles_read_localization(dirmngr_t)
+
+userdom_search_user_home_dirs(dirmngr_t)
+userdom_search_user_runtime(dirmngr_t)
+userdom_user_runtime_filetrans(dirmngr_t, dirmngr_tmp_t, dir)
+
+optional_policy(`
+   gpg_agent_tmp_filetrans(dirmngr_t, dirmngr_tmp_t, sock_file)
+')

diff --git a/policy/modules/contrib/gpg.if b/policy/modules/contrib/gpg.if
index ef87..4480f9c6 100644
--- a/policy/modules/contrib/gpg.if
+++ b/policy/modules/contrib/gpg.if
@@ -216,6 +216,44 @@ interface(`gpg_stream_connect_agent',`
 
 
 ## 
+## Search gpg agent dirs.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`gpg_search_agent_tmp_dirs',`
+   gen_require(`
+   type gpg_agent_tmp_t;
+   ')
+
+   allow $1 gpg_agent_tmp_t:dir search_dir_perms;
+')
+
+
+## 
+## filetrans in gpg_agent_tmp_t dirs
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`gpg_agent_tmp_filetrans',`
+   gen_require(`
+   type gpg_agent_t, gpg_agent_tmp_t;
+   type gpg_secret_t;
+   ')
+
+   filetrans_pattern($1, gpg_agent_tmp_t, $2, $3, $4)
+   userdom_search_user_runtime($1)
+')
+
+
+## 
 ## Send messages to and from gpg
 ## pinentry over DBUS.
 ## 
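Review bot: `gpg_agent_tmp_filetrans` requires `type gpg_agent_t` and `type gpg_secret_t` in its gen_require but uses neither; unused requires create false module dependencies and should be dropped so the block reads `type gpg_agent_tmp_t;` only. Its header documents a single 'Domain allowed access.' parameter although the body takes four ($2 private type, $3 object class, $4 optional name); each needs its own param entry. As with the other filetrans helpers in this series, `filetrans_pattern` hands out rw_dir_perms on gpg_agent_tmp_t; if the callers only create entries, `filetrans_add_pattern` (where available) is the tighter choice.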

diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/

[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2017-05-25 Thread Jason Zaman
commit: a4c5b41a18ebfee686fb65ce8a484dc4493ff087
Author: Jason Zaman  perfinion  com>
AuthorDate: Sat Aug 13 16:37:55 2016 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Thu May 25 17:03:59 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a4c5b41a

virt: kernel_read_system_state

 policy/modules/contrib/virt.te | 4 
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index b30765c8..fb3c3f37 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1331,6 +1331,8 @@ files_pid_filetrans(virtlockd_t, virtlockd_run_t, file)
 
 can_exec(virtlockd_t, virtlockd_exec_t)
 
+kernel_read_system_state(virtlockd_t)
+
 files_read_etc_files(virtlockd_t)
 files_list_var_lib(virtlockd_t)
 
@@ -1357,6 +1359,8 @@ files_pid_filetrans(virtlogd_t, virtlogd_run_t, file)
 
 can_exec(virtlogd_t, virtlogd_exec_t)
 
+kernel_read_system_state(virtlogd_t)
+
 files_read_etc_files(virtlogd_t)
 files_list_var_lib(virtlogd_t)
 



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2017-05-07 Thread Jason Zaman
commit: 301b59bff67c4833c98e6fec5bd2cb04a13e31a2
Author: Jason Zaman  perfinion  com>
AuthorDate: Thu Mar 30 04:58:28 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun May  7 17:40:29 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=301b59bf

dirmngr: add to roles and allow gpg to domtrans

 policy/modules/contrib/dirmngr.if | 69 +++
 policy/modules/contrib/gpg.te |  4 +++
 2 files changed, 73 insertions(+)

diff --git a/policy/modules/contrib/dirmngr.if 
b/policy/modules/contrib/dirmngr.if
index 4cd2810e..2f6875a6 100644
--- a/policy/modules/contrib/dirmngr.if
+++ b/policy/modules/contrib/dirmngr.if
@@ -1,5 +1,74 @@
 ## Server for managing and downloading certificate revocation 
lists.
 
+
+## 
+## Role access for dirmngr.
+## 
+## 
+## 
+## Role allowed access.
+## 
+## 
+## 
+## 
+## User domain for the role.
+## 
+## 
+#
+interface(`dirmngr_role',`
+   gen_require(`
+   type dirmngr_t, dirmngr_exec_t;
+   ')
+
+   role $1 types dirmngr_t;
+
+   domtrans_pattern($2, dirmngr_exec_t, dirmngr_t)
+
+   allow $2 dirmngr_t:process { ptrace signal_perms };
+   ps_process_pattern($2, dirmngr_t)
+
+   allow dirmngr_t $2:fd use;
+   allow dirmngr_t $2:fifo_file { read write };
+')
+
+
+## 
+## Execute dirmngr in the dirmngr domain.
+## 
+## 
+## 
+## Domain allowed to transition.
+## 
+## 
+#
+interface(`dirmngr_domtrans',`
+   gen_require(`
+   type dirmngr_t, dirmngr_exec_t;
+   ')
+
+   corecmd_search_bin($1)
+   domtrans_pattern($1, dirmngr_exec_t, dirmngr_t)
+')
+
+
+## 
+## Execute the dirmngr in the caller domain.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`dirmngr_exec',`
+   gen_require(`
+   type dirmngr_exec_t;
+   ')
+
+   corecmd_search_bin($1)
+   can_exec($1, dirmngr_exec_t)
+')
+
 
 ## 
 ## All of the rules required to
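Review bot: `allow $2 dirmngr_t:process { ptrace signal_perms };` in `dirmngr_role` lets every user domain granted this role attach to its dirmngr and read its memory, and the interface text does not say so. Given the module description (CRL management and keyserver traffic) that may be acceptable, but it should be a deliberate choice rather than role boilerplate; if gpg's normal operation does not need it, `allow $2 dirmngr_t:process signal_perms;` is the narrower rule. On style, `allow dirmngr_t $2:fifo_file { read write };` spells the permissions out by hand where the virt rules in these same commits use the `rw_fifo_file_perms` macro. `dirmngr_domtrans` does `corecmd_search_bin($1)` before the transition while the role interface does not; that asymmetry is fine for user domains but worth a comment.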

diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te
index c145fb4c..1b8448c7 100644
--- a/policy/modules/contrib/gpg.te
+++ b/policy/modules/contrib/gpg.te
@@ -139,6 +139,10 @@ tunable_policy(`use_samba_home_dirs',`
 ')
 
 optional_policy(`
+   dirmngr_domtrans(gpg_t)
+')
+
+optional_policy(`
evolution_read_orbit_tmp_files(gpg_t)
 ')
 



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2017-05-07 Thread Jason Zaman
commit: 5dbc2a2a3beff47187df1b133efc77ef75f597c4
Author: Jason Zaman  perfinion  com>
AuthorDate: Thu May 12 16:49:07 2016 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun May  7 17:40:29 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5dbc2a2a

virt: add policy for virtlogd

 policy/modules/contrib/virt.fc |  1 +
 policy/modules/contrib/virt.te | 42 ++
 2 files changed, 43 insertions(+)

diff --git a/policy/modules/contrib/virt.fc b/policy/modules/contrib/virt.fc
index b1f9b1c8..46839588 100644
--- a/policy/modules/contrib/virt.fc
+++ b/policy/modules/contrib/virt.fc
@@ -37,6 +37,7 @@ HOME_DIR/VirtualMachines/isos(/.*)?   
gen_context(system_u:object_r:virt_content_t
 /usr/sbin/libvirt-qmf  --  
gen_context(system_u:object_r:virt_qmf_exec_t,s0)
 /usr/sbin/libvirtd --  gen_context(system_u:object_r:virtd_exec_t,s0)
 /usr/sbin/virtlockd--  
gen_context(system_u:object_r:virtlockd_exec_t,s0)
+/usr/sbin/virtlogd --  
gen_context(system_u:object_r:virtlogd_exec_t,s0)
 
 /var/cache/libvirt(/.*)?   
gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh)
 

diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 4fb34894..63fef29b 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -208,12 +208,21 @@ files_pid_file(virtlockd_run_t)
 type virtlockd_var_lib_t;
 files_type(virtlockd_var_lib_t)
 
+type virtlogd_t;
+type virtlogd_exec_t;
+init_daemon_domain(virtlogd_t, virtlogd_exec_t)
+
+type virtlogd_run_t;
+files_pid_file(virtlogd_run_t)
+
 ifdef(`enable_mcs',`
init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - 
mcs_systemhigh)
+   init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - 
mcs_systemhigh)
 ')
 
 ifdef(`enable_mls',`
init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - 
mls_systemhigh)
+   init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - 
mls_systemhigh)
 ')
 
 
@@ -234,6 +243,9 @@ allow virt_domain virtd_t:fd use;
 allow virt_domain virtd_t:fifo_file rw_fifo_file_perms;
 allow virt_domain virtd_t:process sigchld;
 
+allow virt_domain virtlogd_t:fd use;
+allow virt_domain virtlogd_t:fifo_file rw_fifo_file_perms;
+
 dontaudit virt_domain virtd_t:unix_stream_socket { read write };
 
 manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t)
@@ -472,6 +484,9 @@ dontaudit virtd_t virt_domain:process { siginh noatsecure 
rlimitinh };
 allow virtd_t { virt_domain svirt_lxc_domain }:unix_stream_socket { 
create_stream_socket_perms connectto };
 allow virtd_t svirt_lxc_domain:process signal_perms;
 
+allow virtd_t virtlogd_t:fd use;
+allow virtd_t virtlogd_t:fifo_file rw_fifo_file_perms;
+
 allow virtd_t virtd_lxc_t:process { signal signull sigkill };
 
 domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t)
@@ -558,6 +573,7 @@ filetrans_pattern(virtd_t, virt_var_run_t, 
virtd_lxc_var_run_t, dir, "lxc")
 stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, 
virtd_lxc_t)
 stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
 stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t)
+stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t)
 
 can_exec(virtd_t, virt_tmp_t)
 
@@ -1319,3 +1335,29 @@ miscfiles_read_localization(virtlockd_t)
 
 virt_append_log(virtlockd_t)
 virt_read_config(virtlockd_t)
+
+
+#
+# Virtlogd local policy
+#
+
+allow virtlogd_t self:fifo_file rw_fifo_file_perms;
+
+allow virtlogd_t virtd_t:dir list_dir_perms;
+allow virtlogd_t virtd_t:file read_file_perms;
+allow virtlogd_t virtd_t:lnk_file read_lnk_file_perms;
+
+manage_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t)
+manage_sock_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t)
+filetrans_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t, sock_file)
+files_pid_filetrans(virtlogd_t, virtlogd_run_t, file)
+
+can_exec(virtlogd_t, virtlogd_exec_t)
+
+files_read_etc_files(virtlogd_t)
+files_list_var_lib(virtlogd_t)
+
+miscfiles_read_localization(virtlogd_t)
+
+virt_manage_log(virtlogd_t)
+virt_read_config(virtlogd_t)
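Review bot: The virtlogd local policy grants no `self:unix_stream_socket` permissions, yet `stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t)` in the @@ -558 hunk and the `manage_sock_files_pattern` here imply virtlogd_t creates and serves a listening socket under virt_var_run_t. I cannot tell from this hunk whether the base domain rules or socket activation by init already cover create/listen/accept for it; if not, `allow virtlogd_t self:unix_stream_socket create_stream_socket_perms;` belongs next to the fifo_file rule. `can_exec(virtlogd_t, virtlogd_exec_t)` would also benefit from a why-comment, e.g. `# presumably for virtlogd's self re-exec on reload — confirm`. The copy of this commit near the end of the page (8cd3d83d) is cut off inside this hunk, so the same applies there.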



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2017-05-07 Thread Jason Zaman
commit: b082a2690d496136e825b47bb7c0d82607b6e393
Author: Jason Zaman  perfinion  com>
AuthorDate: Sun May  7 13:42:53 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun May  7 17:40:29 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b082a269

dirmngr: fcontext for ~/.gnupg/crls.d/

 policy/modules/contrib/dirmngr.fc |  2 ++
 policy/modules/contrib/dirmngr.te |  7 +++
 policy/modules/contrib/gpg.if | 20 
 3 files changed, 29 insertions(+)

diff --git a/policy/modules/contrib/dirmngr.fc 
b/policy/modules/contrib/dirmngr.fc
index a9cf15a8..60f19f47 100644
--- a/policy/modules/contrib/dirmngr.fc
+++ b/policy/modules/contrib/dirmngr.fc
@@ -1,3 +1,5 @@
+HOME_DIR/\.gnupg/crls\.d(/.+)? 
gen_context(system_u:object_r:dirmngr_home_t,s0)
+
 /etc/dirmngr(/.*)? gen_context(system_u:object_r:dirmngr_conf_t,s0)
 
 /etc/rc\.d/init\.d/dirmngr --  
gen_context(system_u:object_r:dirmngr_initrc_exec_t,s0)

diff --git a/policy/modules/contrib/dirmngr.te 
b/policy/modules/contrib/dirmngr.te
index 8e4a1a89..17cce56a 100644
--- a/policy/modules/contrib/dirmngr.te
+++ b/policy/modules/contrib/dirmngr.te
@@ -27,6 +27,9 @@ files_type(dirmngr_var_lib_t)
 type dirmngr_var_run_t;
 files_pid_file(dirmngr_var_run_t)
 
+type dirmngr_home_t;
+userdom_user_home_content(dirmngr_home_t)
+
 
 #
 # Local policy
@@ -37,6 +40,8 @@ allow dirmngr_t self:fifo_file rw_file_perms;
 allow dirmngr_t dirmngr_conf_t:dir list_dir_perms;
 allow dirmngr_t dirmngr_conf_t:file read_file_perms;
 allow dirmngr_t dirmngr_conf_t:lnk_file read_lnk_file_perms;
+allow dirmngr_t dirmngr_home_t:dir list_dir_perms;
+allow dirmngr_t dirmngr_home_t:file read_file_perms;
 
 manage_dirs_pattern(dirmngr_t, dirmngr_log_t, dirmngr_log_t)
 append_files_pattern(dirmngr_t, dirmngr_log_t, dirmngr_log_t)
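Review bot: dirmngr_t gets only `list_dir_perms`/`read_file_perms` on dirmngr_home_t here, while the @@ -68 hunk below adds `gpg_secret_filetrans(dirmngr_t, dirmngr_home_t, dir)`, i.e. dirmngr itself is expected to create `~/.gnupg/crls.d`. Creating that directory needs `dirmngr_home_t:dir create`, and if dirmngr also writes its CRL cache into it the files need manage permissions; with the rules visible here the transition would be set up but the create denied. If that is the intent, `manage_dirs_pattern(dirmngr_t, dirmngr_home_t, dirmngr_home_t)` and `manage_files_pattern(dirmngr_t, dirmngr_home_t, dirmngr_home_t)` replace the two read rules; if dirmngr only reads a directory gpg creates, the filetrans in the later hunk is the part to drop.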
@@ -61,6 +66,7 @@ kernel_read_crypto_sysctls(dirmngr_t)
 files_read_etc_files(dirmngr_t)
 
 miscfiles_read_localization(dirmngr_t)
+miscfiles_read_generic_certs(dirmngr_t)
 
 userdom_search_user_home_dirs(dirmngr_t)
 userdom_search_user_runtime(dirmngr_t)
@@ -68,4 +74,5 @@ userdom_user_runtime_filetrans(dirmngr_t, dirmngr_tmp_t, dir)
 
 optional_policy(`
gpg_agent_tmp_filetrans(dirmngr_t, dirmngr_tmp_t, sock_file)
+   gpg_secret_filetrans(dirmngr_t, dirmngr_home_t, dir)
 ')

diff --git a/policy/modules/contrib/gpg.if b/policy/modules/contrib/gpg.if
index 4480f9c6..e5a12750 100644
--- a/policy/modules/contrib/gpg.if
+++ b/policy/modules/contrib/gpg.if
@@ -254,6 +254,26 @@ interface(`gpg_agent_tmp_filetrans',`
 
 
 ## 
+## filetrans in gpg_secret_t dirs
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`gpg_secret_filetrans',`
+   gen_require(`
+   type gpg_secret_t;
+   ')
+
+   filetrans_pattern($1, gpg_secret_t, $2, $3, $4)
+   allow $1 gpg_secret_t:dir search_dir_perms;
+   userdom_search_user_home_dirs($1)
+')
+
+
+## 
 ## Send messages to and from gpg
 ## pinentry over DBUS.
 ## 
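Review bot: `gpg_secret_filetrans` documents only `$1` but takes four arguments (`$2` new type, `$3` object class, `$4` optional file name), and its `filetrans_pattern` call gives the caller `rw_dir_perms` on gpg_secret_t, i.e. the ability to add and remove entries in the user's ~/.gnupg, which a caller will not expect from the interface name. Both facts belong in the header: add param entries for the three extra arguments and a summary sentence along the lines of `## Callers gain write access to gpg_secret_t directories (add/remove names); use only for domains that must create content in ~/.gnupg.` The `allow $1 gpg_secret_t:dir search_dir_perms;` line is redundant with the `rw_dir_perms` the pattern already grants.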



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2017-05-07 Thread Jason Zaman
commit: a1662dfe50303bf9e7e268f20bb835bb54576de8
Author: Jason Zaman  perfinion  com>
AuthorDate: Fri May 27 20:44:51 2016 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun May  7 17:40:29 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a1662dfe

virt: virtlockd doesnt need ps_process_pattern

 policy/modules/contrib/virt.te | 6 --
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 63fef29b..b80abb97 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1308,6 +1308,10 @@ kernel_dontaudit_read_system_state(virt_leaseshelper_t)
 allow virtlockd_t self:capability dac_override;
 allow virtlockd_t self:fifo_file rw_fifo_file_perms;
 
+allow virtlockd_t virtd_t:dir list_dir_perms;
+allow virtlockd_t virtd_t:file read_file_perms;
+allow virtlockd_t virtd_t:lnk_file read_lnk_file_perms;
+
 allow virtlockd_t virt_image_type:dir list_dir_perms;
 allow virtlockd_t virt_image_type:file rw_file_perms;
 
@@ -1326,8 +1330,6 @@ files_pid_filetrans(virtlockd_t, virtlockd_run_t, file)
 
 can_exec(virtlockd_t, virtlockd_exec_t)
 
-ps_process_pattern(virtlockd_t, virtd_t)
-
 files_read_etc_files(virtlockd_t)
 files_list_var_lib(virtlockd_t)
 



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2017-05-07 Thread Jason Zaman
commit: 51eb554ea9d25c69d2054336b6efee2f9d1153e5
Author: Jason Zaman  perfinion  com>
AuthorDate: Thu Mar 30 07:15:39 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun May  7 17:40:30 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=51eb554e

gssproxy: add policy

borrowed and modified from Fedora

 policy/modules/contrib/gssproxy.fc |   8 ++
 policy/modules/contrib/gssproxy.if | 199 +
 policy/modules/contrib/gssproxy.te |  67 +
 3 files changed, 274 insertions(+)

diff --git a/policy/modules/contrib/gssproxy.fc 
b/policy/modules/contrib/gssproxy.fc
new file mode 100644
index ..a9970159
--- /dev/null
+++ b/policy/modules/contrib/gssproxy.fc
@@ -0,0 +1,8 @@
+/usr/lib/systemd/system/gssproxy.service   --  
gen_context(system_u:object_r:gssproxy_unit_t,s0)
+
+/usr/sbin/gssproxy --  
gen_context(system_u:object_r:gssproxy_exec_t,s0)
+
+/var/lib/gssproxy(/.*)?
gen_context(system_u:object_r:gssproxy_var_lib_t,s0)
+
+/run/gssproxy\.pid --  
gen_context(system_u:object_r:gssproxy_run_t,s0)
+/run/gssproxy\.sock-s  
gen_context(system_u:object_r:gssproxy_run_t,s0)

diff --git a/policy/modules/contrib/gssproxy.if 
b/policy/modules/contrib/gssproxy.if
new file mode 100644
index ..cebdb20b
--- /dev/null
+++ b/policy/modules/contrib/gssproxy.if
@@ -0,0 +1,199 @@
+
+## policy for gssproxy
+
+
+## 
+## Execute gssproxy in the gssproxy domin.
+## 
+## 
+## 
+## Domain allowed to transition.
+## 
+## 
+#
+interface(`gssproxy_domtrans',`
+   gen_require(`
+   type gssproxy_t, gssproxy_exec_t;
+   ')
+
+   corecmd_search_bin($1)
+   domtrans_pattern($1, gssproxy_exec_t, gssproxy_t)
+')
+
+
+## 
+## Search gssproxy lib directories.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`gssproxy_search_lib',`
+   gen_require(`
+   type gssproxy_var_lib_t;
+   ')
+
+   allow $1 gssproxy_var_lib_t:dir search_dir_perms;
+   files_search_var_lib($1)
+')
+
+
+## 
+## Read gssproxy lib files.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`gssproxy_read_lib_files',`
+   gen_require(`
+   type gssproxy_var_lib_t;
+   ')
+
+   files_search_var_lib($1)
+   read_files_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
+')
+
+
+## 
+## Manage gssproxy lib files.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`gssproxy_manage_lib_files',`
+   gen_require(`
+   type gssproxy_var_lib_t;
+   ')
+
+   files_search_var_lib($1)
+   manage_files_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
+')
+
+
+## 
+## Manage gssproxy lib directories.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`gssproxy_manage_lib_dirs',`
+   gen_require(`
+   type gssproxy_var_lib_t;
+   ')
+
+   files_search_var_lib($1)
+   manage_dirs_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
+')
+
+
+## 
+## Read gssproxy PID files.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`gssproxy_read_pid_files',`
+   gen_require(`
+   type gssproxy_run_t;
+   ')
+
+   files_search_pids($1)
+   read_files_pattern($1, gssproxy_run_t, gssproxy_run_t)
+')
+
+
+## 
+## Execute gssproxy server in the gssproxy domain.
+## 
+## 
+## 
+## Domain allowed to transition.
+## 
+## 
+#
+interface(`gssproxy_systemctl',`
+   gen_require(`
+   type gssproxy_t;
+   type gssproxy_unit_t;
+   ')
+
+   systemd_exec_systemctl($1)
+   init_reload_services($1)
+   allow $1 gssproxy_unit_t:file read_file_perms;
+   allow $1 gssproxy_unit_t:service manage_service_perms;
+
+   ps_process_pattern($1, gssproxy_t)
+')
+
+
+## 
+## Connect to gssproxy over an unix
+## domain stream socket.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`gssproxy_stream_connect',`
+   gen_require(`
+   type gssproxy_t, gssproxy_run_t, gssproxy_var_lib_t;
+   ')
+
+   files_search_pids($1)
+   stream_connect_pattern($1, gssproxy_run_t, gssproxy_run_t, gssproxy_t)
+   stream_connect_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t, 
gssproxy_t)
+')
+
+
+## 
+## All of the rules required to administrate
+## an gssproxy env

[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2017-05-07 Thread Jason Zaman
commit: 87b0247f46a8debf2829f3b5b87087fb0f43fbe2
Author: Jason Zaman  perfinion  com>
AuthorDate: Wed Aug 31 15:03:49 2016 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun May  7 17:40:30 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=87b0247f

WIP virt: image type perms

 policy/modules/contrib/virt.te | 7 +++
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index fb3c3f37..6ccafff3 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -468,7 +468,7 @@ tunable_policy(`virt_use_vfio',`
 #
 
 allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod 
net_admin net_raw setgid setpcap setuid sys_admin sys_nice };
-allow virtd_t self:process { getcap getsched setcap sigkill signal signull 
execmem setexec setfscreate setsockcreate setsched };
+allow virtd_t self:process { getcap getsched setcap sigkill signal signull 
execmem setexec setfscreate setrlimit setsockcreate setsched };
 allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto };
 allow virtd_t self:unix_stream_socket { accept connectto listen relabelfrom 
relabelto };
 allow virtd_t self:tcp_socket { accept listen };
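Review bot: `setrlimit` on virtd_t's own process moves from the `virt_use_vfio` tunable (removed in the @@ -714 hunk) into the unconditional self:process rule, so every libvirtd may now raise its own limits regardless of the boolean, and the WIP commit message gives no reason. If libvirtd calls setrlimit unconditionally (presumably for its memlock handling when starting guests — confirm), say so in a comment above the rule, e.g. `# setrlimit: libvirtd adjusts its own limits even without vfio`; otherwise keep it under the tunable.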
@@ -530,9 +530,9 @@ manage_blk_files_pattern(virtd_t, virt_image_type, 
virt_image_type)
 manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type)
 
 allow virtd_t virt_image_type:file relabel_file_perms;
+allow virtd_t virt_image_type:dir { manage_dir_perms relabel_dir_perms };
 allow virtd_t virt_image_type:blk_file relabel_blk_file_perms;
 allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
-allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
 
 allow virtd_t virt_ptynode:chr_file rw_term_perms;
 
@@ -572,7 +572,7 @@ manage_files_pattern(virtd_t, virtd_lxc_var_run_t, 
virtd_lxc_var_run_t)
 filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
 
 stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, 
virtd_lxc_t)
-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
+stream_connect_pattern(virtd_t, { virt_image_type svirt_var_run_t }, { 
virt_image_type svirt_var_run_t}, virt_domain)
 stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t)
 stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t)
 
@@ -714,7 +714,6 @@ tunable_policy(`virt_use_samba',`
 
 tunable_policy(`virt_use_vfio',`
allow virtd_t self:capability sys_resource;
-   allow virtd_t self:process setrlimit;
allow virtd_t svirt_t:process rlimitinh;
dev_relabelfrom_vfio_dev(virtd_t)
 ')



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2017-05-07 Thread Jason Zaman
commit: 78cc3af7eeadb770d4f84393a382979862a580c9
Author: Jason Zaman  perfinion  com>
AuthorDate: Sun Apr 16 06:38:47 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun May  7 17:40:29 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=78cc3af7

gpg dirmngr: create and connect to socket

 policy/modules/contrib/dirmngr.fc |  2 ++
 policy/modules/contrib/dirmngr.if | 25 +
 policy/modules/contrib/dirmngr.te | 13 +
 policy/modules/contrib/gpg.if | 38 ++
 policy/modules/contrib/gpg.te |  1 +
 5 files changed, 79 insertions(+)

diff --git a/policy/modules/contrib/dirmngr.fc 
b/policy/modules/contrib/dirmngr.fc
index a0f261c9..a9cf15a8 100644
--- a/policy/modules/contrib/dirmngr.fc
+++ b/policy/modules/contrib/dirmngr.fc
@@ -12,3 +12,5 @@
 /run/dirmngr\.pid  --  
gen_context(system_u:object_r:dirmngr_var_run_t,s0)
 
 /run/dirmngr(/.*)? gen_context(system_u:object_r:dirmngr_var_run_t,s0)
+
+/run/user/%{USERID}/gnupg/S.dirmngr-s  
gen_context(system_u:object_r:dirmngr_tmp_t,s0)

diff --git a/policy/modules/contrib/dirmngr.if 
b/policy/modules/contrib/dirmngr.if
index 2f6875a6..07af5063 100644
--- a/policy/modules/contrib/dirmngr.if
+++ b/policy/modules/contrib/dirmngr.if
@@ -18,6 +18,7 @@
 interface(`dirmngr_role',`
gen_require(`
type dirmngr_t, dirmngr_exec_t;
+   type dirmngr_tmp_t;
')
 
role $1 types dirmngr_t;
@@ -29,6 +30,8 @@ interface(`dirmngr_role',`
 
allow dirmngr_t $2:fd use;
allow dirmngr_t $2:fifo_file { read write };
+
+   allow $2 dirmngr_tmp_t:sock_file { manage_sock_file_perms 
relabel_sock_file_perms };
 ')
 
 
@@ -71,6 +74,28 @@ interface(`dirmngr_exec',`
 
 
 ## 
+## Connect to dirmngr socket
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`dirmngr_stream_connect',`
+   gen_require(`
+   type dirmngr_t, dirmngr_tmp_t;
+   ')
+
+   gpg_search_agent_tmp_dirs($1)
+   allow $1 dirmngr_tmp_t:sock_file rw_sock_file_perms;
+   allow $1 dirmngr_t:unix_stream_socket connectto;
+   userdom_search_user_runtime($1)
+   userdom_search_user_home_dirs($1)
+')
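Review bot: `dirmngr_stream_connect` calls `gpg_search_agent_tmp_dirs($1)` unconditionally, which makes the dirmngr module's interface depend on the gpg module being present, while dirmngr.te wraps its own gpg calls in `optional_policy` (@@ -56 hunk); either wrap the call the same way or document the hard dependency in the header. The body also hand-rolls the connect (`rw_sock_file_perms` on dirmngr_tmp_t plus `connectto` on dirmngr_t) where `stream_connect_pattern($1, gpg_agent_tmp_t, dirmngr_tmp_t, dirmngr_t)` expresses the same thing in the module's usual idiom and grants only write on the socket file, which is what connecting needs. Whichever form stays, the two `userdom_search_*` calls are what make the path reachable and deserve a one-line comment naming the socket (`/run/user/%{USERID}/gnupg/S.dirmngr`).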
+
+
+## 
 ## All of the rules required to
 ## administrate an dirmngr environment.
 ## 

diff --git a/policy/modules/contrib/dirmngr.te 
b/policy/modules/contrib/dirmngr.te
index 23f40456..8e4a1a89 100644
--- a/policy/modules/contrib/dirmngr.te
+++ b/policy/modules/contrib/dirmngr.te
@@ -18,6 +18,9 @@ init_script_file(dirmngr_initrc_exec_t)
 type dirmngr_log_t;
 logging_log_file(dirmngr_log_t)
 
+type dirmngr_tmp_t;
+userdom_user_tmp_file(dirmngr_tmp_t)
+
 type dirmngr_var_lib_t;
 files_type(dirmngr_var_lib_t)
 
@@ -46,6 +49,8 @@ manage_files_pattern(dirmngr_t, dirmngr_var_lib_t, 
dirmngr_var_lib_t)
 manage_lnk_files_pattern(dirmngr_t, dirmngr_var_lib_t, dirmngr_var_lib_t)
 files_var_lib_filetrans(dirmngr_t, dirmngr_var_lib_t, dir)
 
+manage_sock_files_pattern(dirmngr_t, dirmngr_tmp_t, dirmngr_tmp_t)
+
 manage_dirs_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t)
 manage_files_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t)
 manage_sock_files_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t)
@@ -56,3 +61,11 @@ kernel_read_crypto_sysctls(dirmngr_t)
 files_read_etc_files(dirmngr_t)
 
 miscfiles_read_localization(dirmngr_t)
+
+userdom_search_user_home_dirs(dirmngr_t)
+userdom_search_user_runtime(dirmngr_t)
+userdom_user_runtime_filetrans(dirmngr_t, dirmngr_tmp_t, dir)
+
+optional_policy(`
+   gpg_agent_tmp_filetrans(dirmngr_t, dirmngr_tmp_t, sock_file)
+')

diff --git a/policy/modules/contrib/gpg.if b/policy/modules/contrib/gpg.if
index ef87..4480f9c6 100644
--- a/policy/modules/contrib/gpg.if
+++ b/policy/modules/contrib/gpg.if
@@ -216,6 +216,44 @@ interface(`gpg_stream_connect_agent',`
 
 
 ## 
+## Search gpg agent dirs.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`gpg_search_agent_tmp_dirs',`
+   gen_require(`
+   type gpg_agent_tmp_t;
+   ')
+
+   allow $1 gpg_agent_tmp_t:dir search_dir_perms;
+')
+
+
+## 
+## filetrans in gpg_agent_tmp_t dirs
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`gpg_agent_tmp_filetrans',`
+   gen_require(`
+   type gpg_agent_t, gpg_agent_tmp_t;
+   type gpg_secret_t;
+   ')
+
+   filetrans_pattern($1, gpg_agent_tmp_t, $2, $3, $4)
+   userdom_search_user_runtime($1)
+')
+
+
+## 
 ## Send messages to and from gpg
 ## pinentry over DBUS.
 ## 

diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/

[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2017-05-07 Thread Jason Zaman
commit: 3a5dcd577d402e3e178785da772dad2d9fd128b0
Author: Jason Zaman  perfinion  com>
AuthorDate: Wed Feb 15 17:15:58 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun May  7 17:40:30 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3a5dcd57

kerberos: Introduce kerberos_filetrans_named_content interface

 policy/modules/contrib/kerberos.if | 37 +
 1 file changed, 37 insertions(+)

diff --git a/policy/modules/contrib/kerberos.if 
b/policy/modules/contrib/kerberos.if
index 01caeead..d9d5811f 100644
--- a/policy/modules/contrib/kerberos.if
+++ b/policy/modules/contrib/kerberos.if
@@ -466,6 +466,43 @@ interface(`kerberos_connect_524',`
 
 
 ## 
+## Transition to kerberos named content
+## 
+## 
+## 
+##  Domain allowed access.
+## 
+## 
+#
+interface(`kerberos_filetrans_named_content',`
+   gen_require(`
+   type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
+   type krb5kdc_principal_t;
+   ')
+
+   files_etc_filetrans($1, krb5_conf_t, file, "krb5.conf")
+   filetrans_pattern($1, krb5kdc_conf_t, krb5_keytab_t, file, 
"kadm5.keytab")
+   filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, 
"principal")
+   filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, 
"principal0")
+   filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, 
"principal1")
+   #filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, 
"principal1")
+
+   kerberos_etc_filetrans_keytab($1, file, "krb5.keytab")
+   #kerberos_filetrans_admin_home_content($1)
+
+   kerberos_tmp_filetrans_host_rcache($1, file, "DNS_25")
+   kerberos_tmp_filetrans_host_rcache($1, file, "host_0")
+   kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_23")
+   kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_48")
+   kerberos_tmp_filetrans_host_rcache($1, file, "imap_0")
+   kerberos_tmp_filetrans_host_rcache($1, file, "nfs_0")
+   kerberos_tmp_filetrans_host_rcache($1, file, "ldapmap1_0")
+   kerberos_tmp_filetrans_host_rcache($1, file, "ldap_487")
+   kerberos_tmp_filetrans_host_rcache($1, file, "ldap_55")
+')
+
+
+## 
 ## All of the rules required to
 ## administrate an kerberos environment.
 ## 
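Review bot: The two commented-out lines (`#filetrans_pattern(... "principal1")` and `#kerberos_filetrans_admin_home_content($1)`) are dead code in a brand-new interface and should be dropped or explained; the first is an exact duplicate of the live `principal1` rule above it. The `kerberos_tmp_filetrans_host_rcache` names (`DNS_25`, `HTTP_23`, `HTTP_48`, `ldap_487`, `ldap_55`, …) are service/port-specific rcache file names that only match hosts running exactly those services, so the header should say the list is illustrative and that other deployments must add their own entries. The header also documents only `$1` and should state what "named content" covers here (krb5.conf, keytabs, the KDC principal database, host rcache files). I am assuming `kerberos_etc_filetrans_keytab` and `kerberos_tmp_filetrans_host_rcache` already exist in kerberos.if; they are not in the hunk's context.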



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2017-05-07 Thread Jason Zaman
commit: 92be7193ee0470dbb1024bb20ffd9acee80b696e
Author: Jason Zaman  perfinion  com>
AuthorDate: Thu Aug 11 05:49:02 2016 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun May  7 17:40:29 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=92be7193

virt: need to relabel to set categories

libvirtError: unable to set security context
'system_u:object_r:svirt_image_t:s0:c50,c346' on
'/var/lib/libvirt/qemu/domain-1-zfstest': Permission denied

 policy/modules/contrib/virt.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index b80abb97..b30765c8 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -501,6 +501,7 @@ filetrans_pattern(virtd_t, virt_home_t, virt_content_t, 
dir, "isos")
 allow virtd_t virtd_keytab_t:file read_file_perms;
 
 allow virtd_t svirt_var_run_t:file relabel_file_perms;
+allow virtd_t svirt_var_run_t:dir relabel_dir_perms;
 manage_dirs_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
 manage_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
 manage_sock_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
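Review bot: The new `allow virtd_t svirt_var_run_t:dir relabel_dir_perms;` is motivated only by the libvirtError quoted in the commit message; a why-comment above it would spare the next reader the archaeology, e.g. `# virtd relabels per-guest dirs under /var/lib/libvirt/qemu to set MCS categories`. Note that relabel_dir_perms includes relabelfrom as well as relabelto, so virtd_t may also move such a directory out of svirt_var_run_t entirely; presumably acceptable for virtd, but worth stating. The same one-line hunk appears again in commit 4028862f near the end of the page.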



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2017-05-07 Thread Jason Zaman
commit: 580d4297b7b45b13a933df9b4ca788eb9b6331a6
Author: Jason Zaman  perfinion  com>
AuthorDate: Sun May  7 13:43:31 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun May  7 17:40:29 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=580d4297

dirmngr: Network rules to connect to keyserver

type=AVC msg=audit(1494163667.921:24917): avc:  denied  { name_bind } for  
pid=15683 comm=636F6E6E2066643D36 src=19321 
scontext=staff_u:staff_r:dirmngr_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=0

 policy/modules/contrib/dirmngr.te | 6 ++
 1 file changed, 6 insertions(+)

diff --git a/policy/modules/contrib/dirmngr.te 
b/policy/modules/contrib/dirmngr.te
index 17cce56a..b64fc610 100644
--- a/policy/modules/contrib/dirmngr.te
+++ b/policy/modules/contrib/dirmngr.te
@@ -62,6 +62,12 @@ manage_sock_files_pattern(dirmngr_t, dirmngr_var_run_t, 
dirmngr_var_run_t)
 files_pid_filetrans(dirmngr_t, dirmngr_var_run_t, { dir file })
 
 kernel_read_crypto_sysctls(dirmngr_t)
+dev_read_rand(dirmngr_t)
+sysnet_dns_name_resolve(dirmngr_t)
+
+corenet_tcp_connect_pgpkeyserver_port(dirmngr_t)
+corenet_udp_bind_generic_node(dirmngr_t)
+corenet_udp_bind_all_unreserved_ports(dirmngr_t)
 
 files_read_etc_files(dirmngr_t)
 
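Review bot: `corenet_udp_bind_all_unreserved_ports(dirmngr_t)` together with `corenet_udp_bind_generic_node` lets dirmngr bind any unreserved UDP port, which is broader than `sysnet_dns_name_resolve` alone; the AVC in the message (comm decodes to "conn fd=6", a dirmngr worker) shows the bind is real, presumably from dirmngr's built-in resolver choosing its own source port. A comment tying the rule to that, e.g. `# dirmngr's own resolver binds a UDP source port (name_bind on unreserved_port_t)`, keeps the next maintainer from tightening it as an apparent leftover. If keyservers are also reached over plain HTTP/HTTPS (hkp:// on 80, hkps://), the `pgpkeyserver_port` rule alone will not cover them; confirm against the configured keyserver before closing this out.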



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2017-05-07 Thread Jason Zaman
commit: 1eec4f19a444a8bc6e8387f83318139d7182a6b0
Author: Jason Zaman  perfinion  com>
AuthorDate: Sat Aug 13 16:37:55 2016 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun May  7 17:40:30 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1eec4f19

virt: kernel_read_system_state

 policy/modules/contrib/virt.te | 4 
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index b30765c8..fb3c3f37 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1331,6 +1331,8 @@ files_pid_filetrans(virtlockd_t, virtlockd_run_t, file)
 
 can_exec(virtlockd_t, virtlockd_exec_t)
 
+kernel_read_system_state(virtlockd_t)
+
 files_read_etc_files(virtlockd_t)
 files_list_var_lib(virtlockd_t)
 
@@ -1357,6 +1359,8 @@ files_pid_filetrans(virtlogd_t, virtlogd_run_t, file)
 
 can_exec(virtlogd_t, virtlogd_exec_t)
 
+kernel_read_system_state(virtlogd_t)
+
 files_read_etc_files(virtlogd_t)
 files_list_var_lib(virtlogd_t)
 



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2017-04-30 Thread Jason Zaman
commit: 4028862f0d420c5beed9c6e7fb9887a7805dce26
Author: Jason Zaman  perfinion  com>
AuthorDate: Thu Aug 11 05:49:02 2016 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Apr 30 09:31:51 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4028862f

virt: need to relabel to set categories

libvirtError: unable to set security context
'system_u:object_r:svirt_image_t:s0:c50,c346' on
'/var/lib/libvirt/qemu/domain-1-zfstest': Permission denied

 policy/modules/contrib/virt.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 42e68a29..3da04ef9 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -501,6 +501,7 @@ filetrans_pattern(virtd_t, virt_home_t, virt_content_t, 
dir, "isos")
 allow virtd_t virtd_keytab_t:file read_file_perms;
 
 allow virtd_t svirt_var_run_t:file relabel_file_perms;
+allow virtd_t svirt_var_run_t:dir relabel_dir_perms;
 manage_dirs_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
 manage_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
 manage_sock_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2017-04-30 Thread Jason Zaman
commit: 8cd3d83d2ea5cec1b77b5609cfd47a768e54fb31
Author: Jason Zaman  perfinion  com>
AuthorDate: Thu May 12 16:49:07 2016 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Apr 30 09:31:51 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8cd3d83d

virt: add policy for virtlogd

 policy/modules/contrib/virt.fc |  1 +
 policy/modules/contrib/virt.te | 42 ++
 2 files changed, 43 insertions(+)

diff --git a/policy/modules/contrib/virt.fc b/policy/modules/contrib/virt.fc
index 22c1ed70..dca262ab 100644
--- a/policy/modules/contrib/virt.fc
+++ b/policy/modules/contrib/virt.fc
@@ -32,6 +32,7 @@ HOME_DIR/VirtualMachines/isos(/.*)?   
gen_context(system_u:object_r:virt_content_t
 /usr/sbin/libvirt-qmf  --  
gen_context(system_u:object_r:virt_qmf_exec_t,s0)
 /usr/sbin/libvirtd --  gen_context(system_u:object_r:virtd_exec_t,s0)
 /usr/sbin/virtlockd--  
gen_context(system_u:object_r:virtlockd_exec_t,s0)
+/usr/sbin/virtlogd --  
gen_context(system_u:object_r:virtlogd_exec_t,s0)
 
 /var/cache/libvirt(/.*)?   
gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh)
 

diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index eb72843f..e1a3bcaf 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -208,12 +208,21 @@ files_pid_file(virtlockd_run_t)
 type virtlockd_var_lib_t;
 files_type(virtlockd_var_lib_t)
 
+type virtlogd_t;
+type virtlogd_exec_t;
+init_daemon_domain(virtlogd_t, virtlogd_exec_t)
+
+type virtlogd_run_t;
+files_pid_file(virtlogd_run_t)
+
 ifdef(`enable_mcs',`
init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - 
mcs_systemhigh)
+   init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - 
mcs_systemhigh)
 ')
 
 ifdef(`enable_mls',`
init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - 
mls_systemhigh)
+   init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - 
mls_systemhigh)
 ')
 
 
@@ -234,6 +243,9 @@ allow virt_domain virtd_t:fd use;
 allow virt_domain virtd_t:fifo_file rw_fifo_file_perms;
 allow virt_domain virtd_t:process sigchld;
 
+allow virt_domain virtlogd_t:fd use;
+allow virt_domain virtlogd_t:fifo_file rw_fifo_file_perms;
+
 dontaudit virt_domain virtd_t:unix_stream_socket { read write };
 
 manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t)
@@ -472,6 +484,9 @@ dontaudit virtd_t virt_domain:process { siginh noatsecure 
rlimitinh };
 allow virtd_t { virt_domain svirt_lxc_domain }:unix_stream_socket { 
create_stream_socket_perms connectto };
 allow virtd_t svirt_lxc_domain:process signal_perms;
 
+allow virtd_t virtlogd_t:fd use;
+allow virtd_t virtlogd_t:fifo_file rw_fifo_file_perms;
+
 allow virtd_t virtd_lxc_t:process { signal signull sigkill };
 
 domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t)
@@ -558,6 +573,7 @@ filetrans_pattern(virtd_t, virt_var_run_t, 
virtd_lxc_var_run_t, dir, "lxc")
 stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, 
virtd_lxc_t)
 stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
 stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t)
+stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t)
 
 can_exec(virtd_t, virt_tmp_t)
 
@@ -1319,3 +1335,29 @@ miscfiles_read_localization(virtlockd_t)
 
 virt_append_log(virtlockd_t)
 virt_read_config(virtlockd_t)
+
+
+#
+# Virtlogd local policy
+#
+
+allow virtlogd_t self:fifo_file rw_fifo_file_perms;
+
+allow virtlogd_t virtd_t:dir list_dir_perms;
+allow virtlogd_t virtd_t:file read_file_perms;
+allow virtlogd_t virtd_t:lnk_file read_lnk_file_perms;
+
+manage_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t)
+manage_sock_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t)
+filetrans_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t, sock_file)
+files_pid_filetrans(virtlogd_t, virtlogd_run_t, file)
+
+can_exec(virtlogd_t, virtlogd_exec_t)
+
+files_read_etc_files(virtlogd_t)
+files_list_var_lib(virtlogd_t)
+
+miscfiles_read_localization(virtlogd_t)
+
+virt_manage_log(virtlogd_t)
+virt_read_config(virtlogd_t)
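Review bot: The three `allow virtlogd_t virtd_t:{dir,file,lnk_file}` rules at the top of the new virtlogd block grant read access on virtd_t-labelled objects, which in practice means libvirtd's /proc/&lt;pid&gt; entries, and nothing in the hunk records why a log daemon needs that. A one-line comment above them, `# read /proc/<pid> of the connecting libvirtd — presumably client validation; confirm against the denial`, would stop the next reader from treating the rules as leftovers. The same trio is added for virtlockd_t in commit 900b6771 further down this page (virt.te hunk @@ -1308), where it replaces `ps_process_pattern`; if the `process getattr` half is genuinely unneeded there, a comment saying so would make that commit's title self-explanatory too.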



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2017-04-30 Thread Jason Zaman
commit: 68b598ef6438c11db428e893825e494d76f3fac1
Author: Jason Zaman  perfinion  com>
AuthorDate: Sun Apr 16 06:38:47 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Apr 30 09:31:52 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=68b598ef

gpg dirmngr: create and connect to socket

 policy/modules/contrib/dirmngr.fc |  2 ++
 policy/modules/contrib/dirmngr.if | 22 +
 policy/modules/contrib/dirmngr.te | 13 +
 policy/modules/contrib/gpg.if | 41 +++
 policy/modules/contrib/gpg.te |  1 +
 5 files changed, 79 insertions(+)

diff --git a/policy/modules/contrib/dirmngr.fc 
b/policy/modules/contrib/dirmngr.fc
index a0f261c9..a9cf15a8 100644
--- a/policy/modules/contrib/dirmngr.fc
+++ b/policy/modules/contrib/dirmngr.fc
@@ -12,3 +12,5 @@
 /run/dirmngr\.pid  --  
gen_context(system_u:object_r:dirmngr_var_run_t,s0)
 
 /run/dirmngr(/.*)? gen_context(system_u:object_r:dirmngr_var_run_t,s0)
+
+/run/user/%{USERID}/gnupg/S.dirmngr-s  
gen_context(system_u:object_r:dirmngr_tmp_t,s0)
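Review bot: The new entry `/run/user/%{USERID}/gnupg/S.dirmngr` leaves the dot unescaped, unlike `/run/dirmngr\.pid` a few lines above in the same file; as a regex it will also match any single character in that position. Use `/run/user/%{USERID}/gnupg/S\.dirmngr` so the pattern is anchored to the real socket name and consistent with the rest of the file.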

diff --git a/policy/modules/contrib/dirmngr.if 
b/policy/modules/contrib/dirmngr.if
index 2f6875a6..989af34a 100644
--- a/policy/modules/contrib/dirmngr.if
+++ b/policy/modules/contrib/dirmngr.if
@@ -71,6 +71,28 @@ interface(`dirmngr_exec',`
 
 
 ## 
+## Connect to dirmngr socket
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`dirmngr_stream_connect',`
+   gen_require(`
+   type dirmngr_t, dirmngr_tmp_t;
+   ')
+
+   gpg_search_agent_tmp_dirs($1)
+   allow $1 dirmngr_tmp_t:sock_file write_sock_file_perms;
+   allow $1 dirmngr_t:unix_stream_socket connectto;
+   userdom_search_user_runtime($1)
+   userdom_search_user_home_dirs($1)
+')
+
+
+## 
 ## All of the rules required to
 ## administrate an dirmngr environment.
 ## 
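Review bot: `dirmngr_stream_connect` hand-writes the socket grant (`allow $1 dirmngr_tmp_t:sock_file write_sock_file_perms;` plus `allow $1 dirmngr_t:unix_stream_socket connectto;`) where the rest of the tree uses `stream_connect_pattern($1, dirmngr_tmp_t, dirmngr_tmp_t, dirmngr_t)`; the pattern additionally grants search on dirmngr_tmp_t directories, which matters if dirmngr creates the runtime dir itself, since dirmngr.te's unqualified `userdom_user_runtime_filetrans(dirmngr_t, dirmngr_tmp_t, dir)` in this commit would label such a dir dirmngr_tmp_t. The interface also calls `gpg_search_agent_tmp_dirs($1)` unconditionally while dirmngr.te wraps its own gpg call in `optional_policy`, so the module now hard-depends on gpg.if; either choice is defensible, but the .if and .te should agree. The summary `Connect to dirmngr socket` is missing its period and could name which socket (the per-user one under the gnupg runtime dir) to distinguish it from the /run/dirmngr sockets labelled elsewhere.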

diff --git a/policy/modules/contrib/dirmngr.te 
b/policy/modules/contrib/dirmngr.te
index 23f40456..8e4a1a89 100644
--- a/policy/modules/contrib/dirmngr.te
+++ b/policy/modules/contrib/dirmngr.te
@@ -18,6 +18,9 @@ init_script_file(dirmngr_initrc_exec_t)
 type dirmngr_log_t;
 logging_log_file(dirmngr_log_t)
 
+type dirmngr_tmp_t;
+userdom_user_tmp_file(dirmngr_tmp_t)
+
 type dirmngr_var_lib_t;
 files_type(dirmngr_var_lib_t)
 
@@ -46,6 +49,8 @@ manage_files_pattern(dirmngr_t, dirmngr_var_lib_t, 
dirmngr_var_lib_t)
 manage_lnk_files_pattern(dirmngr_t, dirmngr_var_lib_t, dirmngr_var_lib_t)
 files_var_lib_filetrans(dirmngr_t, dirmngr_var_lib_t, dir)
 
+manage_sock_files_pattern(dirmngr_t, dirmngr_tmp_t, dirmngr_tmp_t)
+
 manage_dirs_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t)
 manage_files_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t)
 manage_sock_files_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t)
@@ -56,3 +61,11 @@ kernel_read_crypto_sysctls(dirmngr_t)
 files_read_etc_files(dirmngr_t)
 
 miscfiles_read_localization(dirmngr_t)
+
+userdom_search_user_home_dirs(dirmngr_t)
+userdom_search_user_runtime(dirmngr_t)
+userdom_user_runtime_filetrans(dirmngr_t, dirmngr_tmp_t, dir)
+
+optional_policy(`
+   gpg_agent_tmp_filetrans(dirmngr_t, dirmngr_tmp_t, sock_file)
+')
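Review bot: `userdom_user_runtime_filetrans(dirmngr_t, dirmngr_tmp_t, dir)` is unqualified, so any directory dirmngr creates directly under the user runtime dir becomes dirmngr_tmp_t; if dirmngr runs before gpg-agent and creates `gnupg` itself, that directory will not carry gpg_agent_tmp_t and neither the new fc entry nor the `gpg_agent_tmp_filetrans` call below will apply. If the interface accepts a filename argument like the other filetrans interfaces, restricting it to the intended name would remove the ambiguity; otherwise a comment above the call stating which directory it is meant to cover, e.g. `# dirmngr creates its own dir under /run/user/UID; the socket itself goes in the gpg-agent dir`, is the minimum.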

diff --git a/policy/modules/contrib/gpg.if b/policy/modules/contrib/gpg.if
index ef87..d34cfbc0 100644
--- a/policy/modules/contrib/gpg.if
+++ b/policy/modules/contrib/gpg.if
@@ -216,6 +216,47 @@ interface(`gpg_stream_connect_agent',`
 
 
 ## 
+## Search gpg agent dirs.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`gpg_search_agent_tmp_dirs',`
+   gen_require(`
+   type gpg_agent_tmp_t;
+   ')
+
+   allow $1 gpg_agent_tmp_t:dir search_dir_perms;
+')
+
+
+## 
+## filetrans in gpg_agent_tmp_t dirs
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`gpg_agent_tmp_filetrans',`
+   gen_require(`
+   type gpg_agent_t, gpg_agent_tmp_t;
+   type gpg_secret_t;
+   ')
+
+   filetrans_pattern($1, gpg_agent_tmp_t, $2, $3, $4)
+   stream_connect_pattern($1, gpg_agent_tmp_t, gpg_agent_tmp_t, 
gpg_agent_t)
+   allow $1 gpg_secret_t:dir search_dir_perms;
+   userdom_search_user_runtime($1)
+   userdom_search_user_home_dirs($1)
+')
+
+
+## 
 ## Send messages to and from gpg
 ## pinentry over DBUS.
 ## 
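Review bot: `gpg_agent_tmp_filetrans` takes four parameters but its doc block describes only `$1`; the object class, target type and optional name passed through to `filetrans_pattern` as `$2`–`$4` need their own param entries so callers know the signature. The interface also grants more than its name says: `stream_connect_pattern($1, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)` lets the caller connect to gpg-agent and `allow $1 gpg_secret_t:dir search_dir_perms;` opens the secret directory, so a caller wanting only the file transition gets both. Consider leaving the connect to `gpg_stream_connect_agent` (the interface visible in this hunk's header context) and having dirmngr.te call it explicitly, so each grant is visible at the call site.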

diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te
index 1b8448c7..140d8d94 100644
--- a/policy/modules/contrib/gpg.te
+++ b/policy/modules/contrib/gpg.te
@@ -140,6 +140,7 @@ tunable_policy(`use_samba_home_dirs',`
 
 optional_policy(`
dirmngr_domtrans(gpg_t)
+   dirmngr_stream_connect(gpg_t)
 ')
 
 optional_policy(`



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2017-04-30 Thread Jason Zaman
commit: 53b8a092b78b1f48530145ef0d62cbfeccf47cb0
Author: Jason Zaman  perfinion  com>
AuthorDate: Wed Aug 31 15:03:49 2016 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Apr 30 09:31:51 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=53b8a092

WIP virt: image type perms

 policy/modules/contrib/virt.te | 7 +++
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 0f82a04e..5df86d7b 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -468,7 +468,7 @@ tunable_policy(`virt_use_vfio',`
 #
 
 allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod 
net_admin net_raw setgid setpcap setuid sys_admin sys_nice };
-allow virtd_t self:process { getcap getsched setcap sigkill signal signull 
execmem setexec setfscreate setsockcreate setsched };
+allow virtd_t self:process { getcap getsched setcap sigkill signal signull 
execmem setexec setfscreate setrlimit setsockcreate setsched };
 allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto };
 allow virtd_t self:unix_stream_socket { accept connectto listen relabelfrom 
relabelto };
 allow virtd_t self:tcp_socket { accept listen };
@@ -530,9 +530,9 @@ manage_blk_files_pattern(virtd_t, virt_image_type, 
virt_image_type)
 manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type)
 
 allow virtd_t virt_image_type:file relabel_file_perms;
+allow virtd_t virt_image_type:dir { manage_dir_perms relabel_dir_perms };
 allow virtd_t virt_image_type:blk_file relabel_blk_file_perms;
 allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
-allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
 
 allow virtd_t virt_ptynode:chr_file rw_term_perms;
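Review bot: In `allow virtd_t virt_image_type:dir { manage_dir_perms relabel_dir_perms };` the manage half looks redundant if a `manage_dirs_pattern` on virt_image_type already precedes the blk_files and lnk_files patterns visible in this hunk's context (not shown here, so treat as a guess); if so, only `relabel_dir_perms` is new and the rule should say just that to avoid a duplicate grant. Dropping the doubled `chr_file relabel_chr_file_perms` line is correct. As the commit is marked WIP, a comment on why virtd needs to relabel image directories rather than only image files would help whoever finishes it. The identical hunk appears again in commit ba43f301 later on this page.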
 
@@ -572,7 +572,7 @@ manage_files_pattern(virtd_t, virtd_lxc_var_run_t, 
virtd_lxc_var_run_t)
 filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
 
 stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, 
virtd_lxc_t)
-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
+stream_connect_pattern(virtd_t, { virt_image_type svirt_var_run_t }, { 
virt_image_type svirt_var_run_t}, virt_domain)
 stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t)
 stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t)
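Review bot: Widening the pattern to `stream_connect_pattern(virtd_t, { virt_image_type svirt_var_run_t }, { virt_image_type svirt_var_run_t }, virt_domain)` lets virtd_t write to and connect through sockets labelled with any type carrying the virt_image_type attribute, not just the svirt runtime dir; since that attribute covers every image label, a dedicated type for guest sockets placed beside images would be narrower if that is the real use case, and the WIP title suggests this has not been settled. Formatting: the second set is missing the space before its closing brace (`svirt_var_run_t}` vs `{ virt_image_type svirt_var_run_t }`). The same hunk appears again in commit ba43f301 later on this page.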
 
@@ -714,7 +714,6 @@ tunable_policy(`virt_use_samba',`
 
 tunable_policy(`virt_use_vfio',`
allow virtd_t self:capability sys_resource;
-   allow virtd_t self:process setrlimit;
allow virtd_t svirt_t:process rlimitinh;
dev_relabelfrom_vfio_dev(virtd_t)
 ')



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2017-04-30 Thread Jason Zaman
commit: e368d3f63f74686ff708251d692666b8bb2a9376
Author: Jason Zaman  perfinion  com>
AuthorDate: Thu Mar 30 07:15:39 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Apr 30 09:31:51 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e368d3f6

gssproxy: add policy

borrowed and modified from Fedora

 policy/modules/contrib/gssproxy.fc |   8 ++
 policy/modules/contrib/gssproxy.if | 199 +
 policy/modules/contrib/gssproxy.te |  67 +
 3 files changed, 274 insertions(+)

diff --git a/policy/modules/contrib/gssproxy.fc 
b/policy/modules/contrib/gssproxy.fc
new file mode 100644
index ..a9970159
--- /dev/null
+++ b/policy/modules/contrib/gssproxy.fc
@@ -0,0 +1,8 @@
+/usr/lib/systemd/system/gssproxy.service   --  
gen_context(system_u:object_r:gssproxy_unit_t,s0)
+
+/usr/sbin/gssproxy --  
gen_context(system_u:object_r:gssproxy_exec_t,s0)
+
+/var/lib/gssproxy(/.*)?
gen_context(system_u:object_r:gssproxy_var_lib_t,s0)
+
+/run/gssproxy\.pid --  
gen_context(system_u:object_r:gssproxy_run_t,s0)
+/run/gssproxy\.sock-s  
gen_context(system_u:object_r:gssproxy_run_t,s0)

diff --git a/policy/modules/contrib/gssproxy.if 
b/policy/modules/contrib/gssproxy.if
new file mode 100644
index ..cebdb20b
--- /dev/null
+++ b/policy/modules/contrib/gssproxy.if
@@ -0,0 +1,199 @@
+
+## policy for gssproxy
+
+
+## 
+## Execute gssproxy in the gssproxy domin.
+## 
+## 
+## 
+## Domain allowed to transition.
+## 
+## 
+#
+interface(`gssproxy_domtrans',`
+   gen_require(`
+   type gssproxy_t, gssproxy_exec_t;
+   ')
+
+   corecmd_search_bin($1)
+   domtrans_pattern($1, gssproxy_exec_t, gssproxy_t)
+')
+
+
+## 
+## Search gssproxy lib directories.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`gssproxy_search_lib',`
+   gen_require(`
+   type gssproxy_var_lib_t;
+   ')
+
+   allow $1 gssproxy_var_lib_t:dir search_dir_perms;
+   files_search_var_lib($1)
+')
+
+
+## 
+## Read gssproxy lib files.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`gssproxy_read_lib_files',`
+   gen_require(`
+   type gssproxy_var_lib_t;
+   ')
+
+   files_search_var_lib($1)
+   read_files_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
+')
+
+
+## 
+## Manage gssproxy lib files.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`gssproxy_manage_lib_files',`
+   gen_require(`
+   type gssproxy_var_lib_t;
+   ')
+
+   files_search_var_lib($1)
+   manage_files_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
+')
+
+
+## 
+## Manage gssproxy lib directories.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`gssproxy_manage_lib_dirs',`
+   gen_require(`
+   type gssproxy_var_lib_t;
+   ')
+
+   files_search_var_lib($1)
+   manage_dirs_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
+')
+
+
+## 
+## Read gssproxy PID files.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`gssproxy_read_pid_files',`
+   gen_require(`
+   type gssproxy_run_t;
+   ')
+
+   files_search_pids($1)
+   read_files_pattern($1, gssproxy_run_t, gssproxy_run_t)
+')
+
+
+## 
+## Execute gssproxy server in the gssproxy domain.
+## 
+## 
+## 
+## Domain allowed to transition.
+## 
+## 
+#
+interface(`gssproxy_systemctl',`
+   gen_require(`
+   type gssproxy_t;
+   type gssproxy_unit_t;
+   ')
+
+   systemd_exec_systemctl($1)
+   init_reload_services($1)
+   allow $1 gssproxy_unit_t:file read_file_perms;
+   allow $1 gssproxy_unit_t:service manage_service_perms;
+
+   ps_process_pattern($1, gssproxy_t)
+')
+
+
+## 
+## Connect to gssproxy over an unix
+## domain stream socket.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`gssproxy_stream_connect',`
+   gen_require(`
+   type gssproxy_t, gssproxy_run_t, gssproxy_var_lib_t;
+   ')
+
+   files_search_pids($1)
+   stream_connect_pattern($1, gssproxy_run_t, gssproxy_run_t, gssproxy_t)
+   stream_connect_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t, 
gssproxy_t)
+')
+
+
+## 
+## All of the rules required to administrate
+## an gssproxy env

[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2017-04-30 Thread Jason Zaman
commit: 7322c4d5d862125810e0772343c5870ea5c6cee5
Author: Jason Zaman  perfinion  com>
AuthorDate: Wed Feb 15 17:15:58 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Apr 30 09:31:51 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7322c4d5

kerberos: Introduce kerberos_filetrans_named_content interface

 policy/modules/contrib/kerberos.if | 37 +
 1 file changed, 37 insertions(+)

diff --git a/policy/modules/contrib/kerberos.if 
b/policy/modules/contrib/kerberos.if
index 01caeead..d9d5811f 100644
--- a/policy/modules/contrib/kerberos.if
+++ b/policy/modules/contrib/kerberos.if
@@ -466,6 +466,43 @@ interface(`kerberos_connect_524',`
 
 
 ## 
+## Transition to kerberos named content
+## 
+## 
+## 
+##  Domain allowed access.
+## 
+## 
+#
+interface(`kerberos_filetrans_named_content',`
+   gen_require(`
+   type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
+   type krb5kdc_principal_t;
+   ')
+
+   files_etc_filetrans($1, krb5_conf_t, file, "krb5.conf")
+   filetrans_pattern($1, krb5kdc_conf_t, krb5_keytab_t, file, 
"kadm5.keytab")
+   filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, 
"principal")
+   filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, 
"principal0")
+   filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, 
"principal1")
+   #filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, 
"principal1")
+
+   kerberos_etc_filetrans_keytab($1, file, "krb5.keytab")
+   #kerberos_filetrans_admin_home_content($1)
+
+   kerberos_tmp_filetrans_host_rcache($1, file, "DNS_25")
+   kerberos_tmp_filetrans_host_rcache($1, file, "host_0")
+   kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_23")
+   kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_48")
+   kerberos_tmp_filetrans_host_rcache($1, file, "imap_0")
+   kerberos_tmp_filetrans_host_rcache($1, file, "nfs_0")
+   kerberos_tmp_filetrans_host_rcache($1, file, "ldapmap1_0")
+   kerberos_tmp_filetrans_host_rcache($1, file, "ldap_487")
+   kerberos_tmp_filetrans_host_rcache($1, file, "ldap_55")
+')
+
+
+## 
 ## All of the rules required to
 ## administrate an kerberos environment.
 ## 
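Review bot: The new interface ships commented-out rules: `#filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal1")` duplicates the live line directly above it, and `#kerberos_filetrans_admin_home_content($1)` refers to an interface this hunk neither adds nor shows in context; both should be removed rather than left as dead code. The hard-coded replay-cache names (`DNS_25`, `host_0`, `HTTP_23`, `HTTP_48`, `ldap_487`, …) are service- and port-specific and will silently stop matching on other layouts, so a comment stating which service each name belongs to and where the list came from would help maintainers. Minor: the summary `Transition to kerberos named content` lacks its period and `##  Domain allowed access.` has a double space unlike the neighbouring interfaces. The identical hunk appears again in commit 7b417b60 later on this page.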



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2017-04-30 Thread Jason Zaman
commit: df8fecccf2694a0351ce8bdb03e1a0abc7845984
Author: Jason Zaman  perfinion  com>
AuthorDate: Thu Mar 30 04:58:28 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Apr 30 09:31:51 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=df8feccc

dirmngr: add to roles and allow gpg to domtrans

 policy/modules/contrib/dirmngr.if | 69 +++
 policy/modules/contrib/gpg.te |  4 +++
 2 files changed, 73 insertions(+)

diff --git a/policy/modules/contrib/dirmngr.if 
b/policy/modules/contrib/dirmngr.if
index 4cd2810e..2f6875a6 100644
--- a/policy/modules/contrib/dirmngr.if
+++ b/policy/modules/contrib/dirmngr.if
@@ -1,5 +1,74 @@
 ## Server for managing and downloading certificate revocation 
lists.
 
+
+## 
+## Role access for dirmngr.
+## 
+## 
+## 
+## Role allowed access.
+## 
+## 
+## 
+## 
+## User domain for the role.
+## 
+## 
+#
+interface(`dirmngr_role',`
+   gen_require(`
+   type dirmngr_t, dirmngr_exec_t;
+   ')
+
+   role $1 types dirmngr_t;
+
+   domtrans_pattern($2, dirmngr_exec_t, dirmngr_t)
+
+   allow $2 dirmngr_t:process { ptrace signal_perms };
+   ps_process_pattern($2, dirmngr_t)
+
+   allow dirmngr_t $2:fd use;
+   allow dirmngr_t $2:fifo_file { read write };
+')
+
+
+## 
+## Execute dirmngr in the dirmngr domain.
+## 
+## 
+## 
+## Domain allowed to transition.
+## 
+## 
+#
+interface(`dirmngr_domtrans',`
+   gen_require(`
+   type dirmngr_t, dirmngr_exec_t;
+   ')
+
+   corecmd_search_bin($1)
+   domtrans_pattern($1, dirmngr_exec_t, dirmngr_t)
+')
+
+
+## 
+## Execute the dirmngr in the caller domain.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`dirmngr_exec',`
+   gen_require(`
+   type dirmngr_exec_t;
+   ')
+
+   corecmd_search_bin($1)
+   can_exec($1, dirmngr_exec_t)
+')
+
 
 ## 
 ## All of the rules required to
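Review bot: `dirmngr_role` grants `allow $2 dirmngr_t:process { ptrace signal_perms };`, giving the user domain ptrace over a process that talks to remote keyservers and CRL distribution points; this mirrors other role interfaces in the tree, but given dirmngr's network exposure it is worth a comment recording whether ptrace is actually exercised or was copied from a template. `dirmngr_role` also repeats `domtrans_pattern($2, dirmngr_exec_t, dirmngr_t)` instead of calling the `dirmngr_domtrans($2)` added in the same hunk; using the helper keeps the two in step (the helper also adds `corecmd_search_bin`). The identical hunk appears again in commit c9989029 later on this page.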

diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te
index c145fb4c..1b8448c7 100644
--- a/policy/modules/contrib/gpg.te
+++ b/policy/modules/contrib/gpg.te
@@ -139,6 +139,10 @@ tunable_policy(`use_samba_home_dirs',`
 ')
 
 optional_policy(`
+   dirmngr_domtrans(gpg_t)
+')
+
+optional_policy(`
evolution_read_orbit_tmp_files(gpg_t)
 ')
 



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2017-04-30 Thread Jason Zaman
commit: 9ad7c51d8626203c3f8661cf39873b4643fe5b94
Author: Jason Zaman  perfinion  com>
AuthorDate: Sat Aug 13 16:37:55 2016 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Apr 30 09:31:51 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9ad7c51d

virt: kernel_read_system_state

 policy/modules/contrib/virt.te | 4 
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 3da04ef9..0f82a04e 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1331,6 +1331,8 @@ files_pid_filetrans(virtlockd_t, virtlockd_run_t, file)
 
 can_exec(virtlockd_t, virtlockd_exec_t)
 
+kernel_read_system_state(virtlockd_t)
+
 files_read_etc_files(virtlockd_t)
 files_list_var_lib(virtlockd_t)
 
@@ -1357,6 +1359,8 @@ files_pid_filetrans(virtlogd_t, virtlogd_run_t, file)
 
 can_exec(virtlogd_t, virtlogd_exec_t)
 
+kernel_read_system_state(virtlogd_t)
+
 files_read_etc_files(virtlogd_t)
 files_list_var_lib(virtlogd_t)
 



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/, policy/modules/system/, policy/modules/kernel/

2017-04-30 Thread Jason Zaman
commit: 418b4e8cafc67cf484c670c3267331fd365af0cb
Author: Jason Zaman  perfinion  com>
AuthorDate: Thu Mar 30 07:30:55 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Apr 30 09:31:51 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=418b4e8c

gssproxy: Allow others to stream connect

kernel AVC:
 * Starting gssproxy ...
Failed to write to /proc/net/rpc/use-gss-proxy: 13 (Permission denied)
 * start-stop-daemon: failed to start `gssproxy'

type=AVC msg=audit(1490858215.578:386110): avc:  denied  { connectto } for  
pid=25447 comm="gssproxy" path="/run/gssproxy.sock" 
scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 
tclass=unix_stream_socket permissive=0

 policy/modules/contrib/rpc.te   | 3 +++
 policy/modules/kernel/kernel.te | 4 
 policy/modules/system/userdomain.if | 4 
 3 files changed, 11 insertions(+)

diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
index 0b9a71fc..5dd5d781 100644
--- a/policy/modules/contrib/rpc.te
+++ b/policy/modules/contrib/rpc.te
@@ -339,6 +339,9 @@ optional_policy(`
 ')
 
 optional_policy(`
+   gssproxy_stream_connect(gssd_t)
+')
+optional_policy(`
kerberos_manage_host_rcache(gssd_t)
kerberos_read_keytab(gssd_t)
kerberos_tmp_filetrans_host_rcache(gssd_t, file, "nfs_0")
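Review bot: The new `optional_policy` block runs straight into the following one, with the added `')` immediately followed by `optional_policy(` and no blank line between them, which breaks the one-block-per-paragraph layout used throughout rpc.te; insert a blank line after the new `')`.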

diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 639b8454..f6b2a22b 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -416,6 +416,10 @@ optional_policy(`
rpc_tcp_rw_nfs_sockets(kernel_t)
rpc_udp_rw_nfs_sockets(kernel_t)
 
+   optional_policy(`
+   gssproxy_stream_connect(kernel_t)
+   ')
+
tunable_policy(`nfs_export_all_ro',`
fs_getattr_noxattr_fs(kernel_t)
fs_list_noxattr_fs(kernel_t)
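Review bot: The AVC in the description shows kernel_t connecting to `/run/gssproxy.sock`, but `gssproxy_stream_connect` (as defined earlier on this page) also grants `stream_connect_pattern` over gssproxy_var_lib_t, so kernel_t — and, in this commit's userdomain.if hunk, every common user domain — receives more than the denial asked for. If the var/lib socket is only for the daemon's own use, a narrower interface limited to gssproxy_run_t, or a comment in the interface saying why both locations are needed, would keep the grants tied to the observed denial. Nesting the call inside the rpc `optional_policy` looks intentional since use-gss-proxy is an RPC feature; a short comment such as `# gssproxy is only reached via the RPC/NFS path` would stop someone from "fixing" the nesting later.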

diff --git a/policy/modules/system/userdomain.if 
b/policy/modules/system/userdomain.if
index dbfb33da..55512c04 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -726,6 +726,10 @@ template(`userdom_common_user_template',`
')
 
optional_policy(`
+   gssproxy_stream_connect($1_t)
+   ')
+
+   optional_policy(`
hwloc_exec_dhwd($1_t)
hwloc_read_runtime_files($1_t)
')



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2017-04-30 Thread Jason Zaman
commit: 900b67711c6e9c97828a61cc4922a0bc8b9b535f
Author: Jason Zaman  perfinion  com>
AuthorDate: Fri May 27 20:44:51 2016 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Apr 30 09:31:51 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=900b6771

virt: virtlockd doesnt need ps_process_pattern

 policy/modules/contrib/virt.te | 6 --
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index e1a3bcaf..42e68a29 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1308,6 +1308,10 @@ kernel_dontaudit_read_system_state(virt_leaseshelper_t)
 allow virtlockd_t self:capability dac_override;
 allow virtlockd_t self:fifo_file rw_fifo_file_perms;
 
+allow virtlockd_t virtd_t:dir list_dir_perms;
+allow virtlockd_t virtd_t:file read_file_perms;
+allow virtlockd_t virtd_t:lnk_file read_lnk_file_perms;
+
 allow virtlockd_t virt_image_type:dir list_dir_perms;
 allow virtlockd_t virt_image_type:file rw_file_perms;
 
@@ -1326,8 +1330,6 @@ files_pid_filetrans(virtlockd_t, virtlockd_run_t, file)
 
 can_exec(virtlockd_t, virtlockd_exec_t)
 
-ps_process_pattern(virtlockd_t, virtd_t)
-
 files_read_etc_files(virtlockd_t)
 files_list_var_lib(virtlockd_t)
 



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2017-03-30 Thread Jason Zaman
commit: 4977eb8dd00874ce90306272d9b4edfad209f14b
Author: Jason Zaman  perfinion  com>
AuthorDate: Thu Mar 30 07:15:39 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Thu Mar 30 16:50:40 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4977eb8d

gssproxy: add policy

borrowed and modified from Fedora

 policy/modules/contrib/gssproxy.fc |   8 ++
 policy/modules/contrib/gssproxy.if | 199 +
 policy/modules/contrib/gssproxy.te |  67 +
 3 files changed, 274 insertions(+)

diff --git a/policy/modules/contrib/gssproxy.fc 
b/policy/modules/contrib/gssproxy.fc
new file mode 100644
index ..a9970159
--- /dev/null
+++ b/policy/modules/contrib/gssproxy.fc
@@ -0,0 +1,8 @@
+/usr/lib/systemd/system/gssproxy.service   --  
gen_context(system_u:object_r:gssproxy_unit_t,s0)
+
+/usr/sbin/gssproxy --  
gen_context(system_u:object_r:gssproxy_exec_t,s0)
+
+/var/lib/gssproxy(/.*)?
gen_context(system_u:object_r:gssproxy_var_lib_t,s0)
+
+/run/gssproxy\.pid --  
gen_context(system_u:object_r:gssproxy_run_t,s0)
+/run/gssproxy\.sock-s  
gen_context(system_u:object_r:gssproxy_run_t,s0)

diff --git a/policy/modules/contrib/gssproxy.if 
b/policy/modules/contrib/gssproxy.if
new file mode 100644
index ..cebdb20b
--- /dev/null
+++ b/policy/modules/contrib/gssproxy.if
@@ -0,0 +1,199 @@
+
+## policy for gssproxy
+
+
+## 
+## Execute gssproxy in the gssproxy domin.
+## 
+## 
+## 
+## Domain allowed to transition.
+## 
+## 
+#
+interface(`gssproxy_domtrans',`
+   gen_require(`
+   type gssproxy_t, gssproxy_exec_t;
+   ')
+
+   corecmd_search_bin($1)
+   domtrans_pattern($1, gssproxy_exec_t, gssproxy_t)
+')
+
+
+## 
+## Search gssproxy lib directories.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`gssproxy_search_lib',`
+   gen_require(`
+   type gssproxy_var_lib_t;
+   ')
+
+   allow $1 gssproxy_var_lib_t:dir search_dir_perms;
+   files_search_var_lib($1)
+')
+
+
+## 
+## Read gssproxy lib files.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`gssproxy_read_lib_files',`
+   gen_require(`
+   type gssproxy_var_lib_t;
+   ')
+
+   files_search_var_lib($1)
+   read_files_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
+')
+
+
+## 
+## Manage gssproxy lib files.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`gssproxy_manage_lib_files',`
+   gen_require(`
+   type gssproxy_var_lib_t;
+   ')
+
+   files_search_var_lib($1)
+   manage_files_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
+')
+
+
+## 
+## Manage gssproxy lib directories.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`gssproxy_manage_lib_dirs',`
+   gen_require(`
+   type gssproxy_var_lib_t;
+   ')
+
+   files_search_var_lib($1)
+   manage_dirs_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t)
+')
+
+
+## 
+## Read gssproxy PID files.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`gssproxy_read_pid_files',`
+   gen_require(`
+   type gssproxy_run_t;
+   ')
+
+   files_search_pids($1)
+   read_files_pattern($1, gssproxy_run_t, gssproxy_run_t)
+')
+
+
+## 
+## Execute gssproxy server in the gssproxy domain.
+## 
+## 
+## 
+## Domain allowed to transition.
+## 
+## 
+#
+interface(`gssproxy_systemctl',`
+   gen_require(`
+   type gssproxy_t;
+   type gssproxy_unit_t;
+   ')
+
+   systemd_exec_systemctl($1)
+   init_reload_services($1)
+   allow $1 gssproxy_unit_t:file read_file_perms;
+   allow $1 gssproxy_unit_t:service manage_service_perms;
+
+   ps_process_pattern($1, gssproxy_t)
+')
+
+
+## 
+## Connect to gssproxy over an unix
+## domain stream socket.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`gssproxy_stream_connect',`
+   gen_require(`
+   type gssproxy_t, gssproxy_run_t, gssproxy_var_lib_t;
+   ')
+
+   files_search_pids($1)
+   stream_connect_pattern($1, gssproxy_run_t, gssproxy_run_t, gssproxy_t)
+   stream_connect_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t, 
gssproxy_t)
+')
+
+
+## 
+## All of the rules required to administrate
+## an gssproxy env

[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2017-03-30 Thread Jason Zaman
commit: ba43f30169ea936eda2acc84c98ff25bbf644efe
Author: Jason Zaman  perfinion  com>
AuthorDate: Wed Aug 31 15:03:49 2016 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Thu Mar 30 16:50:39 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ba43f301

WIP virt: image type perms

 policy/modules/contrib/virt.te | 7 +++
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 0f82a04e..5df86d7b 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -468,7 +468,7 @@ tunable_policy(`virt_use_vfio',`
 #
 
 allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod 
net_admin net_raw setgid setpcap setuid sys_admin sys_nice };
-allow virtd_t self:process { getcap getsched setcap sigkill signal signull 
execmem setexec setfscreate setsockcreate setsched };
+allow virtd_t self:process { getcap getsched setcap sigkill signal signull 
execmem setexec setfscreate setrlimit setsockcreate setsched };
 allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto };
 allow virtd_t self:unix_stream_socket { accept connectto listen relabelfrom 
relabelto };
 allow virtd_t self:tcp_socket { accept listen };
@@ -530,9 +530,9 @@ manage_blk_files_pattern(virtd_t, virt_image_type, 
virt_image_type)
 manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type)
 
 allow virtd_t virt_image_type:file relabel_file_perms;
+allow virtd_t virt_image_type:dir { manage_dir_perms relabel_dir_perms };
 allow virtd_t virt_image_type:blk_file relabel_blk_file_perms;
 allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
-allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
 
 allow virtd_t virt_ptynode:chr_file rw_term_perms;
 
@@ -572,7 +572,7 @@ manage_files_pattern(virtd_t, virtd_lxc_var_run_t, 
virtd_lxc_var_run_t)
 filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
 
 stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, 
virtd_lxc_t)
-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
+stream_connect_pattern(virtd_t, { virt_image_type svirt_var_run_t }, { 
virt_image_type svirt_var_run_t}, virt_domain)
 stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t)
 stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t)
 
@@ -714,7 +714,6 @@ tunable_policy(`virt_use_samba',`
 
 tunable_policy(`virt_use_vfio',`
allow virtd_t self:capability sys_resource;
-   allow virtd_t self:process setrlimit;
allow virtd_t svirt_t:process rlimitinh;
dev_relabelfrom_vfio_dev(virtd_t)
 ')



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2017-03-30 Thread Jason Zaman
commit: 7b417b60f1c8234ee350a88a86f7238df6cf41ee
Author: Jason Zaman  perfinion  com>
AuthorDate: Wed Feb 15 17:15:58 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Thu Mar 30 16:50:39 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7b417b60

kerberos: Introduce kerberos_filetrans_named_content interface

 policy/modules/contrib/kerberos.if | 37 +
 1 file changed, 37 insertions(+)

diff --git a/policy/modules/contrib/kerberos.if 
b/policy/modules/contrib/kerberos.if
index 01caeead..d9d5811f 100644
--- a/policy/modules/contrib/kerberos.if
+++ b/policy/modules/contrib/kerberos.if
@@ -466,6 +466,43 @@ interface(`kerberos_connect_524',`
 
 
 ## 
+## Transition to kerberos named content
+## 
+## 
+## 
+##  Domain allowed access.
+## 
+## 
+#
+interface(`kerberos_filetrans_named_content',`
+   gen_require(`
+   type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
+   type krb5kdc_principal_t;
+   ')
+
+   files_etc_filetrans($1, krb5_conf_t, file, "krb5.conf")
+   filetrans_pattern($1, krb5kdc_conf_t, krb5_keytab_t, file, 
"kadm5.keytab")
+   filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, 
"principal")
+   filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, 
"principal0")
+   filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, 
"principal1")
+   #filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, 
"principal1")
+
+   kerberos_etc_filetrans_keytab($1, file, "krb5.keytab")
+   #kerberos_filetrans_admin_home_content($1)
+
+   kerberos_tmp_filetrans_host_rcache($1, file, "DNS_25")
+   kerberos_tmp_filetrans_host_rcache($1, file, "host_0")
+   kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_23")
+   kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_48")
+   kerberos_tmp_filetrans_host_rcache($1, file, "imap_0")
+   kerberos_tmp_filetrans_host_rcache($1, file, "nfs_0")
+   kerberos_tmp_filetrans_host_rcache($1, file, "ldapmap1_0")
+   kerberos_tmp_filetrans_host_rcache($1, file, "ldap_487")
+   kerberos_tmp_filetrans_host_rcache($1, file, "ldap_55")
+')
+
+
+## 
 ## All of the rules required to
 ## administrate an kerberos environment.
 ## 



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2017-03-30 Thread Jason Zaman
commit: c9989029f0a837b7512f7b076fc5e5db711e1b38
Author: Jason Zaman  perfinion  com>
AuthorDate: Thu Mar 30 04:58:28 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Thu Mar 30 16:50:40 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c9989029

dirmngr: add to roles and allow gpg to domtrans

 policy/modules/contrib/dirmngr.if | 69 +++
 policy/modules/contrib/gpg.te |  4 +++
 2 files changed, 73 insertions(+)

diff --git a/policy/modules/contrib/dirmngr.if 
b/policy/modules/contrib/dirmngr.if
index 4cd2810e..2f6875a6 100644
--- a/policy/modules/contrib/dirmngr.if
+++ b/policy/modules/contrib/dirmngr.if
@@ -1,5 +1,74 @@
 ## Server for managing and downloading certificate revocation 
lists.
 
+
+## 
+## Role access for dirmngr.
+## 
+## 
+## 
+## Role allowed access.
+## 
+## 
+## 
+## 
+## User domain for the role.
+## 
+## 
+#
+interface(`dirmngr_role',`
+   gen_require(`
+   type dirmngr_t, dirmngr_exec_t;
+   ')
+
+   role $1 types dirmngr_t;
+
+   domtrans_pattern($2, dirmngr_exec_t, dirmngr_t)
+
+   allow $2 dirmngr_t:process { ptrace signal_perms };
+   ps_process_pattern($2, dirmngr_t)
+
+   allow dirmngr_t $2:fd use;
+   allow dirmngr_t $2:fifo_file { read write };
+')
+
+
+## 
+## Execute dirmngr in the dirmngr domain.
+## 
+## 
+## 
+## Domain allowed to transition.
+## 
+## 
+#
+interface(`dirmngr_domtrans',`
+   gen_require(`
+   type dirmngr_t, dirmngr_exec_t;
+   ')
+
+   corecmd_search_bin($1)
+   domtrans_pattern($1, dirmngr_exec_t, dirmngr_t)
+')
+
+
+## 
+## Execute the dirmngr in the caller domain.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`dirmngr_exec',`
+   gen_require(`
+   type dirmngr_exec_t;
+   ')
+
+   corecmd_search_bin($1)
+   can_exec($1, dirmngr_exec_t)
+')
+
 
 ## 
 ## All of the rules required to
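Review bot: `allow $2 dirmngr_t:process { ptrace signal_perms };` in dirmngr_role lets any domain given the role read and control the dirmngr process, which is wider than the transition itself needs; it mirrors how other refpolicy role interfaces are written, but in a hardened policy it is worth confirming ptrace is wanted rather than carried over by habit, e.g. with `# ptrace kept for parity with the other *_role interfaces; drop if debugging dirmngr from the user role is not needed`. The `allow dirmngr_t $2:fd use;` and `allow dirmngr_t $2:fifo_file { read write };` lines look redundant with what domtrans_pattern already grants the target domain back to the caller, if I recall that pattern correctly, so either a comment or their removal would tidy the interface.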

diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te
index 4345bd08..160c5f85 100644
--- a/policy/modules/contrib/gpg.te
+++ b/policy/modules/contrib/gpg.te
@@ -138,6 +138,10 @@ tunable_policy(`use_samba_home_dirs',`
 ')
 
 optional_policy(`
+   dirmngr_domtrans(gpg_t)
+')
+
+optional_policy(`
evolution_read_orbit_tmp_files(gpg_t)
 ')
 
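Review bot: `dirmngr_domtrans(gpg_t)` only takes effect for a gpg_t process running under a user role if dirmngr_t is also authorised for that role, otherwise the transition is refused because the resulting context is invalid; dirmngr_role, introduced in the same commit, provides that, but the diffstat shows no call to it, so presumably the role wiring lands separately. A comment above the new block, `# dirmngr_t must be added to the caller's role (dirmngr_role) for this transition to succeed`, would make that dependency explicit to whoever enables the transition.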



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2017-03-30 Thread Jason Zaman
commit: 15cc617da7710016c4aa47e0f9e42ed68ff36006
Author: Jason Zaman  perfinion  com>
AuthorDate: Thu May 12 16:49:07 2016 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Thu Mar 30 16:50:39 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=15cc617d

virt: add policy for virtlogd

 policy/modules/contrib/virt.fc |  1 +
 policy/modules/contrib/virt.te | 42 ++
 2 files changed, 43 insertions(+)

diff --git a/policy/modules/contrib/virt.fc b/policy/modules/contrib/virt.fc
index 22c1ed70..dca262ab 100644
--- a/policy/modules/contrib/virt.fc
+++ b/policy/modules/contrib/virt.fc
@@ -32,6 +32,7 @@ HOME_DIR/VirtualMachines/isos(/.*)?   
gen_context(system_u:object_r:virt_content_t
 /usr/sbin/libvirt-qmf  --  
gen_context(system_u:object_r:virt_qmf_exec_t,s0)
 /usr/sbin/libvirtd --  gen_context(system_u:object_r:virtd_exec_t,s0)
 /usr/sbin/virtlockd--  
gen_context(system_u:object_r:virtlockd_exec_t,s0)
+/usr/sbin/virtlogd --  
gen_context(system_u:object_r:virtlogd_exec_t,s0)
 
 /var/cache/libvirt(/.*)?   
gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh)
 

diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index eb72843f..e1a3bcaf 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -208,12 +208,21 @@ files_pid_file(virtlockd_run_t)
 type virtlockd_var_lib_t;
 files_type(virtlockd_var_lib_t)
 
+type virtlogd_t;
+type virtlogd_exec_t;
+init_daemon_domain(virtlogd_t, virtlogd_exec_t)
+
+type virtlogd_run_t;
+files_pid_file(virtlogd_run_t)
+
 ifdef(`enable_mcs',`
init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - 
mcs_systemhigh)
+   init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - 
mcs_systemhigh)
 ')
 
 ifdef(`enable_mls',`
init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - 
mls_systemhigh)
+   init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - 
mls_systemhigh)
 ')
 
 
@@ -234,6 +243,9 @@ allow virt_domain virtd_t:fd use;
 allow virt_domain virtd_t:fifo_file rw_fifo_file_perms;
 allow virt_domain virtd_t:process sigchld;
 
+allow virt_domain virtlogd_t:fd use;
+allow virt_domain virtlogd_t:fifo_file rw_fifo_file_perms;
+
 dontaudit virt_domain virtd_t:unix_stream_socket { read write };
 
 manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t)
@@ -472,6 +484,9 @@ dontaudit virtd_t virt_domain:process { siginh noatsecure 
rlimitinh };
 allow virtd_t { virt_domain svirt_lxc_domain }:unix_stream_socket { 
create_stream_socket_perms connectto };
 allow virtd_t svirt_lxc_domain:process signal_perms;
 
+allow virtd_t virtlogd_t:fd use;
+allow virtd_t virtlogd_t:fifo_file rw_fifo_file_perms;
+
 allow virtd_t virtd_lxc_t:process { signal signull sigkill };
 
 domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t)
@@ -558,6 +573,7 @@ filetrans_pattern(virtd_t, virt_var_run_t, 
virtd_lxc_var_run_t, dir, "lxc")
 stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, 
virtd_lxc_t)
 stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
 stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t)
+stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t)
 
 can_exec(virtd_t, virt_tmp_t)
 
@@ -1319,3 +1335,29 @@ miscfiles_read_localization(virtlockd_t)
 
 virt_append_log(virtlockd_t)
 virt_read_config(virtlockd_t)
+
+
+#
+# Virtlogd local policy
+#
+
+allow virtlogd_t self:fifo_file rw_fifo_file_perms;
+
+allow virtlogd_t virtd_t:dir list_dir_perms;
+allow virtlogd_t virtd_t:file read_file_perms;
+allow virtlogd_t virtd_t:lnk_file read_lnk_file_perms;
+
+manage_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t)
+manage_sock_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t)
+filetrans_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t, sock_file)
+files_pid_filetrans(virtlogd_t, virtlogd_run_t, file)
+
+can_exec(virtlogd_t, virtlogd_exec_t)
+
+files_read_etc_files(virtlogd_t)
+files_list_var_lib(virtlogd_t)
+
+miscfiles_read_localization(virtlogd_t)
+
+virt_manage_log(virtlogd_t)
+virt_read_config(virtlogd_t)
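Review bot: virtlogd_t receives `virt_manage_log(virtlogd_t)` where virtlockd_t just above has only `virt_append_log(virtlockd_t)`, and nothing records why the log daemon needs the wider access; a comment such as `# virtlogd owns and rotates the guest logs, hence manage rather than append` would capture the rationale (inferred from the daemon's role, please confirm). The three `allow virtlogd_t virtd_t:{dir,file,lnk_file}` lines are, if I read ps_process_pattern correctly, that pattern minus process getattr, which is the same reduced form commit 0f4d3222 further down applies to virtlockd_t, so a comment naming that intent would keep the two blocks readable together. The same hunk recurs in commits 7607e677 and 5d09eb20 on this page.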



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2017-03-30 Thread Jason Zaman
commit: b43c1ae7ef3ac82af3ea452ce97281d53721
Author: Jason Zaman  perfinion  com>
AuthorDate: Sat Aug 13 16:37:55 2016 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Thu Mar 30 16:50:39 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b43c

virt: kernel_read_system_state

 policy/modules/contrib/virt.te | 4 
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 3da04ef9..0f82a04e 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1331,6 +1331,8 @@ files_pid_filetrans(virtlockd_t, virtlockd_run_t, file)
 
 can_exec(virtlockd_t, virtlockd_exec_t)
 
+kernel_read_system_state(virtlockd_t)
+
 files_read_etc_files(virtlockd_t)
 files_list_var_lib(virtlockd_t)
 
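Review bot: `kernel_read_system_state(virtlockd_t)` here and `kernel_read_system_state(virtlogd_t)` in the second hunk grant real read access to kernel system state, whereas virt_leaseshelper_t in this file gets only `kernel_dontaudit_read_system_state`; the commit message carries no AVC, so it is unclear whether the daemons consume the data or a library merely probes for it. If it is only a probe, the dontaudit form silences the denial without widening what the daemons can read; if it is needed, a short comment saying what is read would justify the allow. The same two hunks recur in commit 4a80bc53 on this page.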
@@ -1357,6 +1359,8 @@ files_pid_filetrans(virtlogd_t, virtlogd_run_t, file)
 
 can_exec(virtlogd_t, virtlogd_exec_t)
 
+kernel_read_system_state(virtlogd_t)
+
 files_read_etc_files(virtlogd_t)
 files_list_var_lib(virtlogd_t)
 



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2017-03-30 Thread Jason Zaman
commit: 0f4d3222a8e6014f777007ce8ed54cd3f5c8326e
Author: Jason Zaman  perfinion  com>
AuthorDate: Fri May 27 20:44:51 2016 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Thu Mar 30 16:50:39 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0f4d3222

virt: virtlockd doesnt need ps_process_pattern

 policy/modules/contrib/virt.te | 6 --
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index e1a3bcaf..42e68a29 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1308,6 +1308,10 @@ kernel_dontaudit_read_system_state(virt_leaseshelper_t)
 allow virtlockd_t self:capability dac_override;
 allow virtlockd_t self:fifo_file rw_fifo_file_perms;
 
+allow virtlockd_t virtd_t:dir list_dir_perms;
+allow virtlockd_t virtd_t:file read_file_perms;
+allow virtlockd_t virtd_t:lnk_file read_lnk_file_perms;
+
 allow virtlockd_t virt_image_type:dir list_dir_perms;
 allow virtlockd_t virt_image_type:file rw_file_perms;
 
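Review bot: the three new allow lines are, if I read ps_process_pattern correctly, that pattern's own dir/file/lnk_file reads on virtd_t, so the only access this commit actually drops is process getattr on virtd_t, while the title reads as if the reads on virtd's process entries went away too. A comment above the block, `# read virtd's process entries but not process getattr; ps_process_pattern is wider than needed`, would make the intended reduction clear; the removal itself sits in the following hunk. The same change recurs in commits 5b1b5096 and 7de494c4 on this page.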
@@ -1326,8 +1330,6 @@ files_pid_filetrans(virtlockd_t, virtlockd_run_t, file)
 
 can_exec(virtlockd_t, virtlockd_exec_t)
 
-ps_process_pattern(virtlockd_t, virtd_t)
-
 files_read_etc_files(virtlockd_t)
 files_list_var_lib(virtlockd_t)
 



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2017-03-30 Thread Jason Zaman
commit: c6e77e09d07fe6e2d9b6210fd66226a7f2cbb4d5
Author: Jason Zaman  perfinion  com>
AuthorDate: Thu Aug 11 05:49:02 2016 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Thu Mar 30 16:50:39 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c6e77e09

virt: need to relabel to set categories

libvirtError: unable to set security context
'system_u:object_r:svirt_image_t:s0:c50,c346' on
'/var/lib/libvirt/qemu/domain-1-zfstest': Permission denied

 policy/modules/contrib/virt.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 42e68a29..3da04ef9 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -501,6 +501,7 @@ filetrans_pattern(virtd_t, virt_home_t, virt_content_t, 
dir, "isos")
 allow virtd_t virtd_keytab_t:file read_file_perms;
 
 allow virtd_t svirt_var_run_t:file relabel_file_perms;
+allow virtd_t svirt_var_run_t:dir relabel_dir_perms;
 manage_dirs_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
 manage_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
 manage_sock_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
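Review bot: `allow virtd_t svirt_var_run_t:dir relabel_dir_perms;` covers the relabelfrom side of the reported failure (assuming the directory is currently svirt_var_run_t), but the error quoted in the commit message shows it being relabeled to svirt_image_t:s0:c50,c346, and a relabel also needs relabelto on the destination type's dir class; unless that is already granted elsewhere, this line alone may not clear the denial. The later `WIP virt: image type perms` commit on this page adds `allow virtd_t virt_image_type:dir { manage_dir_perms relabel_dir_perms };`, which is presumably the other half, so a comment noting that the two rules go together would help. The same hunk recurs in commits a81b9a95 and 5645bfe7.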



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2017-02-27 Thread Jason Zaman
commit: 3e4daaf3bad04646ec4d16fba6dfe802ad2dd77e
Author: Jason Zaman  perfinion  com>
AuthorDate: Wed Aug 31 15:03:49 2016 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Mon Feb 27 11:32:41 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3e4daaf3

WIP virt: image type perms

 policy/modules/contrib/virt.te | 7 +++
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 0f82a04e..5df86d7b 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -468,7 +468,7 @@ tunable_policy(`virt_use_vfio',`
 #
 
 allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod 
net_admin net_raw setgid setpcap setuid sys_admin sys_nice };
-allow virtd_t self:process { getcap getsched setcap sigkill signal signull 
execmem setexec setfscreate setsockcreate setsched };
+allow virtd_t self:process { getcap getsched setcap sigkill signal signull 
execmem setexec setfscreate setrlimit setsockcreate setsched };
 allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto };
 allow virtd_t self:unix_stream_socket { accept connectto listen relabelfrom 
relabelto };
 allow virtd_t self:tcp_socket { accept listen };
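Review bot: `setrlimit` moves from the virt_use_vfio tunable, removed in the last hunk of this diff, into the unconditional `allow virtd_t self:process` line, so every virtd gets it rather than only VFIO setups; the widening is modest because `sys_resource` stays gated by the tunable and without that capability setrlimit can only lower limits, but the WIP commit message does not explain the move. A comment such as `# setrlimit is needed outside vfio too; raising hard limits still requires sys_resource under virt_use_vfio` would record the reasoning. The same change recurs in commit a63d567b on this page.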
@@ -530,9 +530,9 @@ manage_blk_files_pattern(virtd_t, virt_image_type, 
virt_image_type)
 manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type)
 
 allow virtd_t virt_image_type:file relabel_file_perms;
+allow virtd_t virt_image_type:dir { manage_dir_perms relabel_dir_perms };
 allow virtd_t virt_image_type:blk_file relabel_blk_file_perms;
 allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
-allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
 
 allow virtd_t virt_ptynode:chr_file rw_term_perms;
 
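Review bot: `allow virtd_t virt_image_type:dir { manage_dir_perms relabel_dir_perms };` bundles manage_dir_perms with the relabel permissions; the context above shows manage_blk_files_pattern and manage_lnk_files_pattern on virt_image_type, so a matching manage_dirs_pattern is presumably already present outside the hunk, in which case only `relabel_dir_perms` is new and the line should grant just that. In the following hunk, `{ virt_image_type svirt_var_run_t}` is missing the space before the closing brace that the first set has. Dropping the duplicated chr_file line is fine. Both hunks recur in commit a63d567b on this page.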
@@ -572,7 +572,7 @@ manage_files_pattern(virtd_t, virtd_lxc_var_run_t, 
virtd_lxc_var_run_t)
 filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
 
 stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, 
virtd_lxc_t)
-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
+stream_connect_pattern(virtd_t, { virt_image_type svirt_var_run_t }, { 
virt_image_type svirt_var_run_t}, virt_domain)
 stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t)
 stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t)
 
@@ -714,7 +714,6 @@ tunable_policy(`virt_use_samba',`
 
 tunable_policy(`virt_use_vfio',`
allow virtd_t self:capability sys_resource;
-   allow virtd_t self:process setrlimit;
allow virtd_t svirt_t:process rlimitinh;
dev_relabelfrom_vfio_dev(virtd_t)
 ')



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2017-02-27 Thread Jason Zaman
commit: a81b9a9546a92414dba7d3e0b0adff0147611eba
Author: Jason Zaman  perfinion  com>
AuthorDate: Thu Aug 11 05:49:02 2016 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Mon Feb 27 11:32:41 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a81b9a95

virt: need to relabel to set categories

libvirtError: unable to set security context
'system_u:object_r:svirt_image_t:s0:c50,c346' on
'/var/lib/libvirt/qemu/domain-1-zfstest': Permission denied

 policy/modules/contrib/virt.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 42e68a29..3da04ef9 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -501,6 +501,7 @@ filetrans_pattern(virtd_t, virt_home_t, virt_content_t, 
dir, "isos")
 allow virtd_t virtd_keytab_t:file read_file_perms;
 
 allow virtd_t svirt_var_run_t:file relabel_file_perms;
+allow virtd_t svirt_var_run_t:dir relabel_dir_perms;
 manage_dirs_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
 manage_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
 manage_sock_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2017-02-27 Thread Jason Zaman
commit: 4a80bc53fe759bce98cd0e396cfe1fd350f8111f
Author: Jason Zaman  perfinion  com>
AuthorDate: Sat Aug 13 16:37:55 2016 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Mon Feb 27 11:32:41 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4a80bc53

virt: kernel_read_system_state

 policy/modules/contrib/virt.te | 4 
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 3da04ef9..0f82a04e 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1331,6 +1331,8 @@ files_pid_filetrans(virtlockd_t, virtlockd_run_t, file)
 
 can_exec(virtlockd_t, virtlockd_exec_t)
 
+kernel_read_system_state(virtlockd_t)
+
 files_read_etc_files(virtlockd_t)
 files_list_var_lib(virtlockd_t)
 
@@ -1357,6 +1359,8 @@ files_pid_filetrans(virtlogd_t, virtlogd_run_t, file)
 
 can_exec(virtlogd_t, virtlogd_exec_t)
 
+kernel_read_system_state(virtlogd_t)
+
 files_read_etc_files(virtlogd_t)
 files_list_var_lib(virtlogd_t)
 



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2017-02-27 Thread Jason Zaman
commit: 7607e67783d8ae44493ce4f3a45abf1c80916be2
Author: Jason Zaman  perfinion  com>
AuthorDate: Thu May 12 16:49:07 2016 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Mon Feb 27 11:32:41 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7607e677

virt: add policy for virtlogd

 policy/modules/contrib/virt.fc |  1 +
 policy/modules/contrib/virt.te | 42 ++
 2 files changed, 43 insertions(+)

diff --git a/policy/modules/contrib/virt.fc b/policy/modules/contrib/virt.fc
index 22c1ed70..dca262ab 100644
--- a/policy/modules/contrib/virt.fc
+++ b/policy/modules/contrib/virt.fc
@@ -32,6 +32,7 @@ HOME_DIR/VirtualMachines/isos(/.*)?   
gen_context(system_u:object_r:virt_content_t
 /usr/sbin/libvirt-qmf  --  
gen_context(system_u:object_r:virt_qmf_exec_t,s0)
 /usr/sbin/libvirtd --  gen_context(system_u:object_r:virtd_exec_t,s0)
 /usr/sbin/virtlockd--  
gen_context(system_u:object_r:virtlockd_exec_t,s0)
+/usr/sbin/virtlogd --  
gen_context(system_u:object_r:virtlogd_exec_t,s0)
 
 /var/cache/libvirt(/.*)?   
gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh)
 

diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index eb72843f..e1a3bcaf 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -208,12 +208,21 @@ files_pid_file(virtlockd_run_t)
 type virtlockd_var_lib_t;
 files_type(virtlockd_var_lib_t)
 
+type virtlogd_t;
+type virtlogd_exec_t;
+init_daemon_domain(virtlogd_t, virtlogd_exec_t)
+
+type virtlogd_run_t;
+files_pid_file(virtlogd_run_t)
+
 ifdef(`enable_mcs',`
init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - 
mcs_systemhigh)
+   init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - 
mcs_systemhigh)
 ')
 
 ifdef(`enable_mls',`
init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - 
mls_systemhigh)
+   init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - 
mls_systemhigh)
 ')
 
 
@@ -234,6 +243,9 @@ allow virt_domain virtd_t:fd use;
 allow virt_domain virtd_t:fifo_file rw_fifo_file_perms;
 allow virt_domain virtd_t:process sigchld;
 
+allow virt_domain virtlogd_t:fd use;
+allow virt_domain virtlogd_t:fifo_file rw_fifo_file_perms;
+
 dontaudit virt_domain virtd_t:unix_stream_socket { read write };
 
 manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t)
@@ -472,6 +484,9 @@ dontaudit virtd_t virt_domain:process { siginh noatsecure 
rlimitinh };
 allow virtd_t { virt_domain svirt_lxc_domain }:unix_stream_socket { 
create_stream_socket_perms connectto };
 allow virtd_t svirt_lxc_domain:process signal_perms;
 
+allow virtd_t virtlogd_t:fd use;
+allow virtd_t virtlogd_t:fifo_file rw_fifo_file_perms;
+
 allow virtd_t virtd_lxc_t:process { signal signull sigkill };
 
 domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t)
@@ -558,6 +573,7 @@ filetrans_pattern(virtd_t, virt_var_run_t, 
virtd_lxc_var_run_t, dir, "lxc")
 stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, 
virtd_lxc_t)
 stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
 stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t)
+stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t)
 
 can_exec(virtd_t, virt_tmp_t)
 
@@ -1319,3 +1335,29 @@ miscfiles_read_localization(virtlockd_t)
 
 virt_append_log(virtlockd_t)
 virt_read_config(virtlockd_t)
+
+
+#
+# Virtlogd local policy
+#
+
+allow virtlogd_t self:fifo_file rw_fifo_file_perms;
+
+allow virtlogd_t virtd_t:dir list_dir_perms;
+allow virtlogd_t virtd_t:file read_file_perms;
+allow virtlogd_t virtd_t:lnk_file read_lnk_file_perms;
+
+manage_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t)
+manage_sock_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t)
+filetrans_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t, sock_file)
+files_pid_filetrans(virtlogd_t, virtlogd_run_t, file)
+
+can_exec(virtlogd_t, virtlogd_exec_t)
+
+files_read_etc_files(virtlogd_t)
+files_list_var_lib(virtlogd_t)
+
+miscfiles_read_localization(virtlogd_t)
+
+virt_manage_log(virtlogd_t)
+virt_read_config(virtlogd_t)



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2017-02-27 Thread Jason Zaman
commit: 5b1b50963284b3d1431c3c39edaceba6d7034bfc
Author: Jason Zaman  perfinion  com>
AuthorDate: Fri May 27 20:44:51 2016 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Mon Feb 27 11:32:41 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5b1b5096

virt: virtlockd doesnt need ps_process_pattern

 policy/modules/contrib/virt.te | 6 --
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index e1a3bcaf..42e68a29 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1308,6 +1308,10 @@ kernel_dontaudit_read_system_state(virt_leaseshelper_t)
 allow virtlockd_t self:capability dac_override;
 allow virtlockd_t self:fifo_file rw_fifo_file_perms;
 
+allow virtlockd_t virtd_t:dir list_dir_perms;
+allow virtlockd_t virtd_t:file read_file_perms;
+allow virtlockd_t virtd_t:lnk_file read_lnk_file_perms;
+
 allow virtlockd_t virt_image_type:dir list_dir_perms;
 allow virtlockd_t virt_image_type:file rw_file_perms;
 
@@ -1326,8 +1330,6 @@ files_pid_filetrans(virtlockd_t, virtlockd_run_t, file)
 
 can_exec(virtlockd_t, virtlockd_exec_t)
 
-ps_process_pattern(virtlockd_t, virtd_t)
-
 files_read_etc_files(virtlockd_t)
 files_list_var_lib(virtlockd_t)
 



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2017-02-27 Thread Jason Zaman
commit: 3d5dce8f0dc4f16ba83750cc6b84f2534178a089
Author: Jason Zaman  perfinion  com>
AuthorDate: Wed Feb 15 17:15:58 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Mon Feb 27 11:32:41 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3d5dce8f

kerberos: Introduce kerberos_filetrans_named_content interface

 policy/modules/contrib/kerberos.if | 37 +
 1 file changed, 37 insertions(+)

diff --git a/policy/modules/contrib/kerberos.if 
b/policy/modules/contrib/kerberos.if
index 01caeead..d9d5811f 100644
--- a/policy/modules/contrib/kerberos.if
+++ b/policy/modules/contrib/kerberos.if
@@ -466,6 +466,43 @@ interface(`kerberos_connect_524',`
 
 
 ## 
+## Transition to kerberos named content
+## 
+## 
+## 
+##  Domain allowed access.
+## 
+## 
+#
+interface(`kerberos_filetrans_named_content',`
+   gen_require(`
+   type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
+   type krb5kdc_principal_t;
+   ')
+
+   files_etc_filetrans($1, krb5_conf_t, file, "krb5.conf")
+   filetrans_pattern($1, krb5kdc_conf_t, krb5_keytab_t, file, 
"kadm5.keytab")
+   filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, 
"principal")
+   filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, 
"principal0")
+   filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, 
"principal1")
+   #filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, 
"principal1")
+
+   kerberos_etc_filetrans_keytab($1, file, "krb5.keytab")
+   #kerberos_filetrans_admin_home_content($1)
+
+   kerberos_tmp_filetrans_host_rcache($1, file, "DNS_25")
+   kerberos_tmp_filetrans_host_rcache($1, file, "host_0")
+   kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_23")
+   kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_48")
+   kerberos_tmp_filetrans_host_rcache($1, file, "imap_0")
+   kerberos_tmp_filetrans_host_rcache($1, file, "nfs_0")
+   kerberos_tmp_filetrans_host_rcache($1, file, "ldapmap1_0")
+   kerberos_tmp_filetrans_host_rcache($1, file, "ldap_487")
+   kerberos_tmp_filetrans_host_rcache($1, file, "ldap_55")
+')
+
+
+## 
 ## All of the rules required to
 ## administrate an kerberos environment.
 ## 
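Review bot: the rcache names passed to kerberos_tmp_filetrans_host_rcache, such as `"DNS_25"`, `"HTTP_23"`, `"HTTP_48"`, `"ldap_487"` and `"ldap_55"`, carry a numeric suffix that looks like the uid of the service account on the author's system, so these name-based transitions will only match installations with the same uids; a comment stating that, e.g. `# rcache names are <service>_<uid>; the uids below are installation specific`, would stop the next reader treating the list as canonical. The commented-out `#filetrans_pattern(... "principal1")` duplicates the live line directly above it and can be dropped, and `#kerberos_filetrans_admin_home_content($1)` needs a note on why it is disabled. The summary `Transition to kerberos named content` would read more precisely as `File transitions for kerberos named content`. The same interface appears again in commit 3e37a5c6 and, cut off, at the top of this page.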



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2017-02-25 Thread Jason Zaman
commit: a63d567bbb4ec5293fb191b0caab42c0e27b32cf
Author: Jason Zaman  perfinion  com>
AuthorDate: Wed Aug 31 15:03:49 2016 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Feb 25 16:57:29 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a63d567b

WIP virt: image type perms

 policy/modules/contrib/virt.te | 7 +++
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 0f82a04e..5df86d7b 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -468,7 +468,7 @@ tunable_policy(`virt_use_vfio',`
 #
 
 allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod 
net_admin net_raw setgid setpcap setuid sys_admin sys_nice };
-allow virtd_t self:process { getcap getsched setcap sigkill signal signull 
execmem setexec setfscreate setsockcreate setsched };
+allow virtd_t self:process { getcap getsched setcap sigkill signal signull 
execmem setexec setfscreate setrlimit setsockcreate setsched };
 allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto };
 allow virtd_t self:unix_stream_socket { accept connectto listen relabelfrom 
relabelto };
 allow virtd_t self:tcp_socket { accept listen };
@@ -530,9 +530,9 @@ manage_blk_files_pattern(virtd_t, virt_image_type, 
virt_image_type)
 manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type)
 
 allow virtd_t virt_image_type:file relabel_file_perms;
+allow virtd_t virt_image_type:dir { manage_dir_perms relabel_dir_perms };
 allow virtd_t virt_image_type:blk_file relabel_blk_file_perms;
 allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
-allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
 
 allow virtd_t virt_ptynode:chr_file rw_term_perms;
 
@@ -572,7 +572,7 @@ manage_files_pattern(virtd_t, virtd_lxc_var_run_t, 
virtd_lxc_var_run_t)
 filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
 
 stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, 
virtd_lxc_t)
-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
+stream_connect_pattern(virtd_t, { virt_image_type svirt_var_run_t }, { 
virt_image_type svirt_var_run_t}, virt_domain)
 stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t)
 stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t)
 
@@ -714,7 +714,6 @@ tunable_policy(`virt_use_samba',`
 
 tunable_policy(`virt_use_vfio',`
allow virtd_t self:capability sys_resource;
-   allow virtd_t self:process setrlimit;
allow virtd_t svirt_t:process rlimitinh;
dev_relabelfrom_vfio_dev(virtd_t)
 ')



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2017-02-25 Thread Jason Zaman
commit: 5645bfe751544fd4ae9d8a4f2935bf6f2db10092
Author: Jason Zaman  perfinion  com>
AuthorDate: Thu Aug 11 05:49:02 2016 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Feb 25 16:57:29 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5645bfe7

virt: need to relabel to set categories

libvirtError: unable to set security context
'system_u:object_r:svirt_image_t:s0:c50,c346' on
'/var/lib/libvirt/qemu/domain-1-zfstest': Permission denied

 policy/modules/contrib/virt.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 42e68a29..3da04ef9 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -501,6 +501,7 @@ filetrans_pattern(virtd_t, virt_home_t, virt_content_t, 
dir, "isos")
 allow virtd_t virtd_keytab_t:file read_file_perms;
 
 allow virtd_t svirt_var_run_t:file relabel_file_perms;
+allow virtd_t svirt_var_run_t:dir relabel_dir_perms;
 manage_dirs_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
 manage_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
 manage_sock_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2017-02-25 Thread Jason Zaman
commit: 3e37a5c6747b197e069b00446c328d320381ddf6
Author: Jason Zaman  perfinion  com>
AuthorDate: Wed Feb 15 17:15:58 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Feb 25 16:57:29 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3e37a5c6

kerberos: Introduce kerberos_filetrans_named_content interface

 policy/modules/contrib/kerberos.if | 37 +
 1 file changed, 37 insertions(+)

diff --git a/policy/modules/contrib/kerberos.if 
b/policy/modules/contrib/kerberos.if
index 01caeead..d9d5811f 100644
--- a/policy/modules/contrib/kerberos.if
+++ b/policy/modules/contrib/kerberos.if
@@ -466,6 +466,43 @@ interface(`kerberos_connect_524',`
 
 
 ## 
+## Transition to kerberos named content
+## 
+## 
+## 
+##  Domain allowed access.
+## 
+## 
+#
+interface(`kerberos_filetrans_named_content',`
+   gen_require(`
+   type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
+   type krb5kdc_principal_t;
+   ')
+
+   files_etc_filetrans($1, krb5_conf_t, file, "krb5.conf")
+   filetrans_pattern($1, krb5kdc_conf_t, krb5_keytab_t, file, 
"kadm5.keytab")
+   filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, 
"principal")
+   filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, 
"principal0")
+   filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, 
"principal1")
+   #filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, 
"principal1")
+
+   kerberos_etc_filetrans_keytab($1, file, "krb5.keytab")
+   #kerberos_filetrans_admin_home_content($1)
+
+   kerberos_tmp_filetrans_host_rcache($1, file, "DNS_25")
+   kerberos_tmp_filetrans_host_rcache($1, file, "host_0")
+   kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_23")
+   kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_48")
+   kerberos_tmp_filetrans_host_rcache($1, file, "imap_0")
+   kerberos_tmp_filetrans_host_rcache($1, file, "nfs_0")
+   kerberos_tmp_filetrans_host_rcache($1, file, "ldapmap1_0")
+   kerberos_tmp_filetrans_host_rcache($1, file, "ldap_487")
+   kerberos_tmp_filetrans_host_rcache($1, file, "ldap_55")
+')
+
+
+## 
 ## All of the rules required to
 ## administrate an kerberos environment.
 ## 



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2017-02-25 Thread Jason Zaman
commit: 5d09eb208d774b72835ad7b168eba163d0459524
Author: Jason Zaman  perfinion  com>
AuthorDate: Thu May 12 16:49:07 2016 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Feb 25 16:57:29 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5d09eb20

virt: add policy for virtlogd

 policy/modules/contrib/virt.fc |  1 +
 policy/modules/contrib/virt.te | 42 ++
 2 files changed, 43 insertions(+)

diff --git a/policy/modules/contrib/virt.fc b/policy/modules/contrib/virt.fc
index 22c1ed70..dca262ab 100644
--- a/policy/modules/contrib/virt.fc
+++ b/policy/modules/contrib/virt.fc
@@ -32,6 +32,7 @@ HOME_DIR/VirtualMachines/isos(/.*)?   
gen_context(system_u:object_r:virt_content_t
 /usr/sbin/libvirt-qmf  --  
gen_context(system_u:object_r:virt_qmf_exec_t,s0)
 /usr/sbin/libvirtd --  gen_context(system_u:object_r:virtd_exec_t,s0)
 /usr/sbin/virtlockd--  
gen_context(system_u:object_r:virtlockd_exec_t,s0)
+/usr/sbin/virtlogd --  
gen_context(system_u:object_r:virtlogd_exec_t,s0)
 
 /var/cache/libvirt(/.*)?   
gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh)
 

diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index eb72843f..e1a3bcaf 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -208,12 +208,21 @@ files_pid_file(virtlockd_run_t)
 type virtlockd_var_lib_t;
 files_type(virtlockd_var_lib_t)
 
+type virtlogd_t;
+type virtlogd_exec_t;
+init_daemon_domain(virtlogd_t, virtlogd_exec_t)
+
+type virtlogd_run_t;
+files_pid_file(virtlogd_run_t)
+
 ifdef(`enable_mcs',`
init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - 
mcs_systemhigh)
+   init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - 
mcs_systemhigh)
 ')
 
 ifdef(`enable_mls',`
init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - 
mls_systemhigh)
+   init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - 
mls_systemhigh)
 ')
 
 
@@ -234,6 +243,9 @@ allow virt_domain virtd_t:fd use;
 allow virt_domain virtd_t:fifo_file rw_fifo_file_perms;
 allow virt_domain virtd_t:process sigchld;
 
+allow virt_domain virtlogd_t:fd use;
+allow virt_domain virtlogd_t:fifo_file rw_fifo_file_perms;
+
 dontaudit virt_domain virtd_t:unix_stream_socket { read write };
 
 manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t)
@@ -472,6 +484,9 @@ dontaudit virtd_t virt_domain:process { siginh noatsecure 
rlimitinh };
 allow virtd_t { virt_domain svirt_lxc_domain }:unix_stream_socket { 
create_stream_socket_perms connectto };
 allow virtd_t svirt_lxc_domain:process signal_perms;
 
+allow virtd_t virtlogd_t:fd use;
+allow virtd_t virtlogd_t:fifo_file rw_fifo_file_perms;
+
 allow virtd_t virtd_lxc_t:process { signal signull sigkill };
 
 domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t)
@@ -558,6 +573,7 @@ filetrans_pattern(virtd_t, virt_var_run_t, 
virtd_lxc_var_run_t, dir, "lxc")
 stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, 
virtd_lxc_t)
 stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
 stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t)
+stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t)
 
 can_exec(virtd_t, virt_tmp_t)
 
@@ -1319,3 +1335,29 @@ miscfiles_read_localization(virtlockd_t)
 
 virt_append_log(virtlockd_t)
 virt_read_config(virtlockd_t)
+
+
+#
+# Virtlogd local policy
+#
+
+allow virtlogd_t self:fifo_file rw_fifo_file_perms;
+
+allow virtlogd_t virtd_t:dir list_dir_perms;
+allow virtlogd_t virtd_t:file read_file_perms;
+allow virtlogd_t virtd_t:lnk_file read_lnk_file_perms;
+
+manage_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t)
+manage_sock_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t)
+filetrans_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t, sock_file)
+files_pid_filetrans(virtlogd_t, virtlogd_run_t, file)
+
+can_exec(virtlogd_t, virtlogd_exec_t)
+
+files_read_etc_files(virtlogd_t)
+files_list_var_lib(virtlogd_t)
+
+miscfiles_read_localization(virtlogd_t)
+
+virt_manage_log(virtlogd_t)
+virt_read_config(virtlogd_t)
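Review bot: The three `allow virtlogd_t virtd_t:{dir,file,lnk_file}` read rules give a log daemon read access to libvirtd's process-class objects (its /proc/&lt;pid&gt; tree) and nothing in the hunk says why. The same trio is handed to virtlockd_t in a sibling commit on this branch, which suggests a shared reason — presumably reading the connecting client's /proc/&lt;pid&gt; entries (e.g. `stat` for a start-time / pid-reuse check) — but I cannot confirm that from the policy alone. Please add a comment above the rules, e.g. `# read libvirtd's /proc/<pid> entries; presumably the client start-time check -- verify against virtlogd source`, and if a single file is read, consider whether `read_file_perms` on every virtd_t file is wider than needed. The virtlogd section is complete within this hunk.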



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2017-02-25 Thread Jason Zaman
commit: 7de494c4bec178fe90745be29f92c9f5d60511c1
Author: Jason Zaman  perfinion  com>
AuthorDate: Fri May 27 20:44:51 2016 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Feb 25 16:57:29 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7de494c4

virt: virtlockd doesn't need ps_process_pattern

 policy/modules/contrib/virt.te | 6 --
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index e1a3bcaf..42e68a29 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1308,6 +1308,10 @@ kernel_dontaudit_read_system_state(virt_leaseshelper_t)
 allow virtlockd_t self:capability dac_override;
 allow virtlockd_t self:fifo_file rw_fifo_file_perms;
 
+allow virtlockd_t virtd_t:dir list_dir_perms;
+allow virtlockd_t virtd_t:file read_file_perms;
+allow virtlockd_t virtd_t:lnk_file read_lnk_file_perms;
+
 allow virtlockd_t virt_image_type:dir list_dir_perms;
 allow virtlockd_t virt_image_type:file rw_file_perms;
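Review bot: The explicit `dir`/`file`/`lnk_file` read rules on `virtd_t` keep virtlockd reading libvirtd's /proc/&lt;pid&gt; tree, so the net effect is narrower than the title suggests: in refpolicy `ps_process_pattern` normally expands to these three rules plus `process getattr`, so only that last permission is dropped (the macro is not visible here, please confirm). A comment would keep the intent from being "cleaned up" back into the pattern: `# not ps_process_pattern: virtlockd reads libvirtd's /proc/<pid> entries but needs no process getattr`. If the read is for one specific file (e.g. `/proc/<pid>/stat`), name it in the same comment.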
 
@@ -1326,8 +1330,6 @@ files_pid_filetrans(virtlockd_t, virtlockd_run_t, file)
 
 can_exec(virtlockd_t, virtlockd_exec_t)
 
-ps_process_pattern(virtlockd_t, virtd_t)
-
 files_read_etc_files(virtlockd_t)
 files_list_var_lib(virtlockd_t)
 



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2017-02-25 Thread Jason Zaman
commit: 86a502818b8cf5ddd166a134ffd2ed50b726eea5
Author: Jason Zaman  perfinion  com>
AuthorDate: Sat Aug 13 16:37:55 2016 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Feb 25 16:57:29 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=86a50281

virt: kernel_read_system_state

 policy/modules/contrib/virt.te | 4 
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 3da04ef9..0f82a04e 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1331,6 +1331,8 @@ files_pid_filetrans(virtlockd_t, virtlockd_run_t, file)
 
 can_exec(virtlockd_t, virtlockd_exec_t)
 
+kernel_read_system_state(virtlockd_t)
+
 files_read_etc_files(virtlockd_t)
 files_list_var_lib(virtlockd_t)
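Review bot: `kernel_read_system_state()` is a broad grant — it opens the general /proc system state (proc_t files and symlinks), not just the daemon's own /proc/self — and the commit message records no denial that motivated it for virtlockd_t. Elsewhere in this file the same access is only `dontaudit`ed for virt_leaseshelper_t (visible as context in a neighbouring hunk on this page), so the two daemons deserve a stated reason. Add the AVC path next to the call: `# needed for <path from AVC>; check whether a narrower kernel_ interface suffices`. The identical line added for virtlogd_t in the second hunk needs the same note.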
 
@@ -1357,6 +1359,8 @@ files_pid_filetrans(virtlogd_t, virtlogd_run_t, file)
 
 can_exec(virtlogd_t, virtlogd_exec_t)
 
+kernel_read_system_state(virtlogd_t)
+
 files_read_etc_files(virtlogd_t)
 files_list_var_lib(virtlogd_t)
 



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2017-02-25 Thread Jason Zaman
commit: d14db39e5f242b6f9c9edace8ac00de4591f31c0
Author: Jason Zaman  perfinion  com>
AuthorDate: Wed Feb 15 17:15:58 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Feb 25 14:54:49 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d14db39e

kerberos: Introduce kerberos_filetrans_named_content interface

 policy/modules/contrib/kerberos.if | 37 +
 1 file changed, 37 insertions(+)

diff --git a/policy/modules/contrib/kerberos.if 
b/policy/modules/contrib/kerberos.if
index 01caeead..d9d5811f 100644
--- a/policy/modules/contrib/kerberos.if
+++ b/policy/modules/contrib/kerberos.if
@@ -466,6 +466,43 @@ interface(`kerberos_connect_524',`
 
 
 ## 
+## Transition to kerberos named content
+## 
+## 
+## 
+##  Domain allowed access.
+## 
+## 
+#
+interface(`kerberos_filetrans_named_content',`
+   gen_require(`
+   type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
+   type krb5kdc_principal_t;
+   ')
+
+   files_etc_filetrans($1, krb5_conf_t, file, "krb5.conf")
+   filetrans_pattern($1, krb5kdc_conf_t, krb5_keytab_t, file, 
"kadm5.keytab")
+   filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, 
"principal")
+   filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, 
"principal0")
+   filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, 
"principal1")
+   #filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, 
"principal1")
+
+   kerberos_etc_filetrans_keytab($1, file, "krb5.keytab")
+   #kerberos_filetrans_admin_home_content($1)
+
+   kerberos_tmp_filetrans_host_rcache($1, file, "DNS_25")
+   kerberos_tmp_filetrans_host_rcache($1, file, "host_0")
+   kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_23")
+   kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_48")
+   kerberos_tmp_filetrans_host_rcache($1, file, "imap_0")
+   kerberos_tmp_filetrans_host_rcache($1, file, "nfs_0")
+   kerberos_tmp_filetrans_host_rcache($1, file, "ldapmap1_0")
+   kerberos_tmp_filetrans_host_rcache($1, file, "ldap_487")
+   kerberos_tmp_filetrans_host_rcache($1, file, "ldap_55")
+')
+
+
+## 
 ## All of the rules required to
 ## administrate an kerberos environment.
 ## 
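Review bot: The `kerberos_tmp_filetrans_host_rcache` names hard-code numeric suffixes (`HTTP_48`, `ldap_487`, `ldap_55`, `DNS_25`) that, as far as I recall MIT krb5's default replay-cache naming (`<service>_<euid>` under /var/tmp), are the euid of the service that created the cache; that ties the interface to one distribution's uid assignments, and on a host where apache or slapd run under another uid the named transition silently never fires and the rcache lands in plain tmp_t. Either document that limitation in the interface summary or generate the entries from the uids this policy actually supports. The hunk also carries a commented-out duplicate of the `principal1` line and a commented-out `kerberos_filetrans_admin_home_content($1)` call to an interface I cannot see here; dead lines in an interface body should be removed or given a one-line reason. The summary could also say what "named content" covers: `## Create kerberos config, keytab, KDC principal database and replay-cache files with their proper types.`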



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2017-02-25 Thread Jason Zaman
commit: 6eaf81074bf12ca8be01e0acd602a346846a3395
Author: Jason Zaman  perfinion  com>
AuthorDate: Thu Aug 11 05:49:02 2016 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Feb 25 14:54:48 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6eaf8107

virt: need to relabel to set categories

libvirtError: unable to set security context
'system_u:object_r:svirt_image_t:s0:c50,c346' on
'/var/lib/libvirt/qemu/domain-1-zfstest': Permission denied

 policy/modules/contrib/virt.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 42e68a29..3da04ef9 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -501,6 +501,7 @@ filetrans_pattern(virtd_t, virt_home_t, virt_content_t, 
dir, "isos")
 allow virtd_t virtd_keytab_t:file read_file_perms;
 
 allow virtd_t svirt_var_run_t:file relabel_file_perms;
+allow virtd_t svirt_var_run_t:dir relabel_dir_perms;
 manage_dirs_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
 manage_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
 manage_sock_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
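Review bot: The added `relabel_dir_perms` on `svirt_var_run_t` directories is justified only in the commit message; in the policy it sits as a bare rule next to the existing file relabel line. Since the point is that libvirtd puts the per-domain runtime directory into the guest's MCS categories, record that in place: `# libvirtd sets the per-domain MCS categories on the svirt_var_run_t directory (e.g. /var/lib/libvirt/qemu/domain-*)`. The path-to-type mapping comes from virt.fc, which this diff does not show, so the comment should be checked against it.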



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2017-02-25 Thread Jason Zaman
commit: f3f96b574462741c540c0c9f2c256342697a81e2
Author: Jason Zaman  perfinion  com>
AuthorDate: Sat Aug 13 16:37:55 2016 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Feb 25 14:54:48 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f3f96b57

virt: kernel_read_system_state

 policy/modules/contrib/virt.te | 4 
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 3da04ef9..0f82a04e 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1331,6 +1331,8 @@ files_pid_filetrans(virtlockd_t, virtlockd_run_t, file)
 
 can_exec(virtlockd_t, virtlockd_exec_t)
 
+kernel_read_system_state(virtlockd_t)
+
 files_read_etc_files(virtlockd_t)
 files_list_var_lib(virtlockd_t)
 
@@ -1357,6 +1359,8 @@ files_pid_filetrans(virtlogd_t, virtlogd_run_t, file)
 
 can_exec(virtlogd_t, virtlogd_exec_t)
 
+kernel_read_system_state(virtlogd_t)
+
 files_read_etc_files(virtlogd_t)
 files_list_var_lib(virtlogd_t)
 



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2017-02-25 Thread Jason Zaman
commit: ad7dc2af699a8689bbb55a8b7b03d4065c67cec6
Author: Jason Zaman  perfinion  com>
AuthorDate: Wed Aug 31 15:03:49 2016 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Feb 25 14:54:48 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ad7dc2af

WIP virt: image type perms

 policy/modules/contrib/virt.te | 7 +++
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 0f82a04e..5df86d7b 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -468,7 +468,7 @@ tunable_policy(`virt_use_vfio',`
 #
 
 allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod 
net_admin net_raw setgid setpcap setuid sys_admin sys_nice };
-allow virtd_t self:process { getcap getsched setcap sigkill signal signull 
execmem setexec setfscreate setsockcreate setsched };
+allow virtd_t self:process { getcap getsched setcap sigkill signal signull 
execmem setexec setfscreate setrlimit setsockcreate setsched };
 allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto };
 allow virtd_t self:unix_stream_socket { accept connectto listen relabelfrom 
relabelto };
 allow virtd_t self:tcp_socket { accept listen };
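Review bot: `setrlimit` moves into the unconditional `self:process` rule while its companion `self:capability sys_resource` stays gated on `virt_use_vfio` (last hunk of this diff), and the WIP message does not say why the gate was dropped. Without `sys_resource` an unconditional `setrlimit` only lets libvirtd lower limits or raise soft limits up to the hard limit, so this may well be the intended split — e.g. a memlock or file limit applied to every guest rather than only VFIO ones — but that reasoning belongs next to the rule: `# setrlimit is needed for all guests; raising hard limits still needs sys_resource, gated on virt_use_vfio`. If the permission was never denied outside the tunable, leave it gated.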
@@ -530,9 +530,9 @@ manage_blk_files_pattern(virtd_t, virt_image_type, 
virt_image_type)
 manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type)
 
 allow virtd_t virt_image_type:file relabel_file_perms;
+allow virtd_t virt_image_type:dir { manage_dir_perms relabel_dir_perms };
 allow virtd_t virt_image_type:blk_file relabel_blk_file_perms;
 allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
-allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
 
 allow virtd_t virt_ptynode:chr_file rw_term_perms;
 
@@ -572,7 +572,7 @@ manage_files_pattern(virtd_t, virtd_lxc_var_run_t, 
virtd_lxc_var_run_t)
 filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
 
 stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, 
virtd_lxc_t)
-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
+stream_connect_pattern(virtd_t, { virt_image_type svirt_var_run_t }, { 
virt_image_type svirt_var_run_t}, virt_domain)
 stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t)
 stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t)
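Review bot: Widening `stream_connect_pattern` to `virt_image_type` for both the directory and the socket type lets libvirtd connect to any `virt_domain` unix socket under any image directory, and neither the hunk nor the WIP message says which socket that is (a monitor/QMP socket placed beside the image? a vhost-user socket?). Please record the trigger: `# libvirtd connects to guest sockets created under image directories (<which socket>), not only under svirt_var_run_t`. Also `svirt_var_run_t}` lacks the space before the closing brace that the first set has; a style nit worth fixing while the line is touched.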
 
@@ -714,7 +714,6 @@ tunable_policy(`virt_use_samba',`
 
 tunable_policy(`virt_use_vfio',`
allow virtd_t self:capability sys_resource;
-   allow virtd_t self:process setrlimit;
allow virtd_t svirt_t:process rlimitinh;
dev_relabelfrom_vfio_dev(virtd_t)
 ')



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2017-02-25 Thread Jason Zaman
commit: 102619e7fbf84aed6046f818e9778bc1d9b760fb
Author: Jason Zaman  perfinion  com>
AuthorDate: Fri May 27 20:44:51 2016 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Feb 25 14:54:48 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=102619e7

virt: virtlockd doesn't need ps_process_pattern

 policy/modules/contrib/virt.te | 6 --
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index e1a3bcaf..42e68a29 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1308,6 +1308,10 @@ kernel_dontaudit_read_system_state(virt_leaseshelper_t)
 allow virtlockd_t self:capability dac_override;
 allow virtlockd_t self:fifo_file rw_fifo_file_perms;
 
+allow virtlockd_t virtd_t:dir list_dir_perms;
+allow virtlockd_t virtd_t:file read_file_perms;
+allow virtlockd_t virtd_t:lnk_file read_lnk_file_perms;
+
 allow virtlockd_t virt_image_type:dir list_dir_perms;
 allow virtlockd_t virt_image_type:file rw_file_perms;
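Review bot: With the explicit `dir`/`file`/`lnk_file` read rules on `virtd_t`, virtlockd still reads libvirtd's /proc/&lt;pid&gt; tree; refpolicy's `ps_process_pattern` normally expands to exactly these three rules plus `process getattr`, so only that permission is actually removed (the macro body is not visible here — please confirm). A one-line comment would stop the next cleanup from folding this back into the pattern: `# not ps_process_pattern: virtlockd reads libvirtd's /proc/<pid> entries but needs no process getattr`.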
 
@@ -1326,8 +1330,6 @@ files_pid_filetrans(virtlockd_t, virtlockd_run_t, file)
 
 can_exec(virtlockd_t, virtlockd_exec_t)
 
-ps_process_pattern(virtlockd_t, virtd_t)
-
 files_read_etc_files(virtlockd_t)
 files_list_var_lib(virtlockd_t)
 



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2017-02-25 Thread Jason Zaman
commit: 71caed6d48b8d6a9c0d5054c60a3f19b40dad113
Author: Jason Zaman  perfinion  com>
AuthorDate: Thu May 12 16:49:07 2016 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Feb 25 14:54:48 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=71caed6d

virt: add policy for virtlogd

 policy/modules/contrib/virt.fc |  1 +
 policy/modules/contrib/virt.te | 42 ++
 2 files changed, 43 insertions(+)

diff --git a/policy/modules/contrib/virt.fc b/policy/modules/contrib/virt.fc
index 22c1ed70..dca262ab 100644
--- a/policy/modules/contrib/virt.fc
+++ b/policy/modules/contrib/virt.fc
@@ -32,6 +32,7 @@ HOME_DIR/VirtualMachines/isos(/.*)?   
gen_context(system_u:object_r:virt_content_t
 /usr/sbin/libvirt-qmf  --  
gen_context(system_u:object_r:virt_qmf_exec_t,s0)
 /usr/sbin/libvirtd --  gen_context(system_u:object_r:virtd_exec_t,s0)
 /usr/sbin/virtlockd--  
gen_context(system_u:object_r:virtlockd_exec_t,s0)
+/usr/sbin/virtlogd --  
gen_context(system_u:object_r:virtlogd_exec_t,s0)
 
 /var/cache/libvirt(/.*)?   
gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh)
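Review bot: Only the virtlogd executable gets a file context, while the policy side of this commit declares `virtlogd_run_t` as a pid-file type and creates both a pid file (`files_pid_filetrans`) and a socket under `virt_var_run_t` (`filetrans_pattern … sock_file`). Without matching virt.fc entries those objects are labelled correctly only through the runtime transition; a `restorecon` of /run would reset them and libvirtd's `stream_connect_pattern` to `virtlogd_run_t` would stop matching. Add entries with the paths checked against the installed daemon, e.g. `/run/virtlogd\.pid -- gen_context(system_u:object_r:virtlogd_run_t,s0)` and `/run/libvirt/virtlogd-sock -s gen_context(system_u:object_r:virtlogd_run_t,s0)`, mirroring whatever virtlockd already has elsewhere in virt.fc.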
 

diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index eb72843f..e1a3bcaf 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -208,12 +208,21 @@ files_pid_file(virtlockd_run_t)
 type virtlockd_var_lib_t;
 files_type(virtlockd_var_lib_t)
 
+type virtlogd_t;
+type virtlogd_exec_t;
+init_daemon_domain(virtlogd_t, virtlogd_exec_t)
+
+type virtlogd_run_t;
+files_pid_file(virtlogd_run_t)
+
 ifdef(`enable_mcs',`
init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - 
mcs_systemhigh)
+   init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - 
mcs_systemhigh)
 ')
 
 ifdef(`enable_mls',`
init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - 
mls_systemhigh)
+   init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - 
mls_systemhigh)
 ')
 
 
@@ -234,6 +243,9 @@ allow virt_domain virtd_t:fd use;
 allow virt_domain virtd_t:fifo_file rw_fifo_file_perms;
 allow virt_domain virtd_t:process sigchld;
 
+allow virt_domain virtlogd_t:fd use;
+allow virt_domain virtlogd_t:fifo_file rw_fifo_file_perms;
+
 dontaudit virt_domain virtd_t:unix_stream_socket { read write };
 
 manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t)
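Review bot: The `allow virt_domain virtlogd_t:fd use` and `fifo_file rw_fifo_file_perms` rules do not say what object a guest receives from the log daemon, so the fifo grant in particular cannot be re-validated later. It looks like a pipe created by virtlogd and passed to the guest via libvirtd (virtd_t gets the same pair further down this diff), but that is an inference. Suggested comment above the pair: `# guest stdout/stderr go to a pipe created by virtlogd and handed on by libvirtd -- confirm against virtlogd`.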
@@ -472,6 +484,9 @@ dontaudit virtd_t virt_domain:process { siginh noatsecure 
rlimitinh };
 allow virtd_t { virt_domain svirt_lxc_domain }:unix_stream_socket { 
create_stream_socket_perms connectto };
 allow virtd_t svirt_lxc_domain:process signal_perms;
 
+allow virtd_t virtlogd_t:fd use;
+allow virtd_t virtlogd_t:fifo_file rw_fifo_file_perms;
+
 allow virtd_t virtd_lxc_t:process { signal signull sigkill };
 
 domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t)
@@ -558,6 +573,7 @@ filetrans_pattern(virtd_t, virt_var_run_t, 
virtd_lxc_var_run_t, dir, "lxc")
 stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, 
virtd_lxc_t)
 stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
 stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t)
+stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t)
 
 can_exec(virtd_t, virt_tmp_t)
 
@@ -1319,3 +1335,29 @@ miscfiles_read_localization(virtlockd_t)
 
 virt_append_log(virtlockd_t)
 virt_read_config(virtlockd_t)
+
+
+#
+# Virtlogd local policy
+#
+
+allow virtlogd_t self:fifo_file rw_fifo_file_perms;
+
+allow virtlogd_t virtd_t:dir list_dir_perms;
+allow virtlogd_t virtd_t:file read_file_perms;
+allow virtlogd_t virtd_t:lnk_file read_lnk_file_perms;
+
+manage_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t)
+manage_sock_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t)
+filetrans_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t, sock_file)
+files_pid_filetrans(virtlogd_t, virtlogd_run_t, file)
+
+can_exec(virtlogd_t, virtlogd_exec_t)
+
+files_read_etc_files(virtlogd_t)
+files_list_var_lib(virtlogd_t)
+
+miscfiles_read_localization(virtlogd_t)
+
+virt_manage_log(virtlogd_t)
+virt_read_config(virtlogd_t)
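Review bot: `allow virtlogd_t virtd_t:{dir,file,lnk_file}` read access means the log daemon can read libvirtd's /proc/&lt;pid&gt; tree, and the hunk gives no reason for it. Presumably it is for a client-pid check (reading `/proc/<pid>/stat` or similar), as the same rules are granted to virtlockd_t elsewhere on this branch, but that cannot be confirmed from the policy text. Please add `# read libvirtd's /proc/<pid> entries; presumably the client start-time check -- verify against virtlogd source` above the rules, and narrow the file grant if only one entry is read. The virtlogd local-policy section is complete within this hunk.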



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2017-02-17 Thread Jason Zaman
commit: 45d8bb4bc3b2b5f4072002656c004cde3008eb51
Author: Jason Zaman  perfinion  com>
AuthorDate: Sat Aug 13 16:37:55 2016 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Fri Feb 17 08:45:13 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=45d8bb4b

virt: kernel_read_system_state

 policy/modules/contrib/virt.te | 4 
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 3da04ef9..0f82a04e 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1331,6 +1331,8 @@ files_pid_filetrans(virtlockd_t, virtlockd_run_t, file)
 
 can_exec(virtlockd_t, virtlockd_exec_t)
 
+kernel_read_system_state(virtlockd_t)
+
 files_read_etc_files(virtlockd_t)
 files_list_var_lib(virtlockd_t)
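Review bot: `kernel_read_system_state(virtlockd_t)` grants reading of the general /proc system state, which is more than a lock daemon obviously needs, and the commit message gives no AVC to justify it; the same access is merely `dontaudit`ed for virt_leaseshelper_t elsewhere in this file (seen as context in another hunk on this page). Record the denied path next to the call so a narrower interface can be chosen if one fits: `# needed for <path from AVC>; check whether a narrower kernel_ interface suffices`. The virtlogd_t line in the second hunk needs the same note.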
 
@@ -1357,6 +1359,8 @@ files_pid_filetrans(virtlogd_t, virtlogd_run_t, file)
 
 can_exec(virtlogd_t, virtlogd_exec_t)
 
+kernel_read_system_state(virtlogd_t)
+
 files_read_etc_files(virtlogd_t)
 files_list_var_lib(virtlogd_t)
 



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2017-02-17 Thread Jason Zaman
commit: 135d33ac60262bd59b8080cfa914471e5cd28a16
Author: Jason Zaman  perfinion  com>
AuthorDate: Wed Aug 31 15:03:49 2016 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Fri Feb 17 08:46:50 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=135d33ac

WIP virt: image type perms

 policy/modules/contrib/virt.te | 7 +++
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 0f82a04e..5df86d7b 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -468,7 +468,7 @@ tunable_policy(`virt_use_vfio',`
 #
 
 allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod 
net_admin net_raw setgid setpcap setuid sys_admin sys_nice };
-allow virtd_t self:process { getcap getsched setcap sigkill signal signull 
execmem setexec setfscreate setsockcreate setsched };
+allow virtd_t self:process { getcap getsched setcap sigkill signal signull 
execmem setexec setfscreate setrlimit setsockcreate setsched };
 allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto };
 allow virtd_t self:unix_stream_socket { accept connectto listen relabelfrom 
relabelto };
 allow virtd_t self:tcp_socket { accept listen };
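Review bot: `setrlimit` becomes unconditional here while `self:capability sys_resource` remains inside the `virt_use_vfio` tunable (last hunk), and the WIP message does not explain the split. That can be correct — without `sys_resource`, `setrlimit` only lowers limits or raises soft limits up to the hard limit, which may be all non-VFIO guests need — but the policy should say so: `# setrlimit is needed for all guests; raising hard limits still needs sys_resource, gated on virt_use_vfio`. If no denial was seen outside the tunable, keep it gated.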
@@ -530,9 +530,9 @@ manage_blk_files_pattern(virtd_t, virt_image_type, 
virt_image_type)
 manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type)
 
 allow virtd_t virt_image_type:file relabel_file_perms;
+allow virtd_t virt_image_type:dir { manage_dir_perms relabel_dir_perms };
 allow virtd_t virt_image_type:blk_file relabel_blk_file_perms;
 allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
-allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
 
 allow virtd_t virt_ptynode:chr_file rw_term_perms;
 
@@ -572,7 +572,7 @@ manage_files_pattern(virtd_t, virtd_lxc_var_run_t, 
virtd_lxc_var_run_t)
 filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
 
 stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, 
virtd_lxc_t)
-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
+stream_connect_pattern(virtd_t, { virt_image_type svirt_var_run_t }, { 
virt_image_type svirt_var_run_t}, virt_domain)
 stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t)
 stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t)
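Review bot: Extending `stream_connect_pattern` to `virt_image_type` directories and sockets lets libvirtd connect to any guest socket under any image directory, and the hunk does not identify which socket lives there; the WIP message is silent too. A comment naming the trigger is needed before this leaves WIP: `# libvirtd connects to guest sockets created under image directories (<which socket>), not only under svirt_var_run_t`. Minor style: `svirt_var_run_t}` is missing the space before the closing brace used in the first set.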
 
@@ -714,7 +714,6 @@ tunable_policy(`virt_use_samba',`
 
 tunable_policy(`virt_use_vfio',`
allow virtd_t self:capability sys_resource;
-   allow virtd_t self:process setrlimit;
allow virtd_t svirt_t:process rlimitinh;
dev_relabelfrom_vfio_dev(virtd_t)
 ')



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2017-02-17 Thread Jason Zaman
commit: 0fd0292db9ceea1cfbf6ae829aa6e261279750fa
Author: Jason Zaman  perfinion  com>
AuthorDate: Thu Aug 11 05:49:02 2016 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Fri Feb 17 08:45:13 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0fd0292d

virt: need to relabel to set categories

libvirtError: unable to set security context
'system_u:object_r:svirt_image_t:s0:c50,c346' on
'/var/lib/libvirt/qemu/domain-1-zfstest': Permission denied

 policy/modules/contrib/virt.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 42e68a29..3da04ef9 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -501,6 +501,7 @@ filetrans_pattern(virtd_t, virt_home_t, virt_content_t, 
dir, "isos")
 allow virtd_t virtd_keytab_t:file read_file_perms;
 
 allow virtd_t svirt_var_run_t:file relabel_file_perms;
+allow virtd_t svirt_var_run_t:dir relabel_dir_perms;
 manage_dirs_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
 manage_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
 manage_sock_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
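Review bot: `allow virtd_t svirt_var_run_t:dir relabel_dir_perms;` lands without a comment, so the reason (libvirtd stamping the guest's MCS categories on its per-domain runtime directory, per the commit message) is lost to anyone reading the policy. Suggested: `# libvirtd sets the per-domain MCS categories on the svirt_var_run_t directory (e.g. /var/lib/libvirt/qemu/domain-*)`; the path-to-type mapping lives in virt.fc, which this diff does not show, so check the example path against it.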



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2017-02-17 Thread Jason Zaman
commit: 0d5ec8428b688ea09c2241fe868e1d684fc9cba6
Author: Jason Zaman  perfinion  com>
AuthorDate: Wed Feb 15 17:15:58 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Fri Feb 17 08:46:50 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0d5ec842

kerberos: Introduce kerberos_filetrans_named_content interface

 policy/modules/contrib/kerberos.if | 37 +
 1 file changed, 37 insertions(+)

diff --git a/policy/modules/contrib/kerberos.if 
b/policy/modules/contrib/kerberos.if
index 01caeead..d9d5811f 100644
--- a/policy/modules/contrib/kerberos.if
+++ b/policy/modules/contrib/kerberos.if
@@ -466,6 +466,43 @@ interface(`kerberos_connect_524',`
 
 
 ## 
+## Transition to kerberos named content
+## 
+## 
+## 
+##  Domain allowed access.
+## 
+## 
+#
+interface(`kerberos_filetrans_named_content',`
+   gen_require(`
+   type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t;
+   type krb5kdc_principal_t;
+   ')
+
+   files_etc_filetrans($1, krb5_conf_t, file, "krb5.conf")
+   filetrans_pattern($1, krb5kdc_conf_t, krb5_keytab_t, file, 
"kadm5.keytab")
+   filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, 
"principal")
+   filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, 
"principal0")
+   filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, 
"principal1")
+   #filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, 
"principal1")
+
+   kerberos_etc_filetrans_keytab($1, file, "krb5.keytab")
+   #kerberos_filetrans_admin_home_content($1)
+
+   kerberos_tmp_filetrans_host_rcache($1, file, "DNS_25")
+   kerberos_tmp_filetrans_host_rcache($1, file, "host_0")
+   kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_23")
+   kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_48")
+   kerberos_tmp_filetrans_host_rcache($1, file, "imap_0")
+   kerberos_tmp_filetrans_host_rcache($1, file, "nfs_0")
+   kerberos_tmp_filetrans_host_rcache($1, file, "ldapmap1_0")
+   kerberos_tmp_filetrans_host_rcache($1, file, "ldap_487")
+   kerberos_tmp_filetrans_host_rcache($1, file, "ldap_55")
+')
+
+
+## 
 ## All of the rules required to
 ## administrate an kerberos environment.
 ## 
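Review bot: The replay-cache names passed to `kerberos_tmp_filetrans_host_rcache` carry numeric suffixes (`HTTP_48`, `ldap_487`, `ldap_55`, `DNS_25`) that, if these follow MIT krb5's default `<service>_<euid>` naming as I recall it, are the euids of the creating services on one particular distribution; on a host with different uids the named transition never matches and the rcache is created as plain tmp_t. State that limitation in the interface summary or derive the names from the uids this policy supports. The body also contains a commented-out duplicate of the `principal1` line and a commented-out call to `kerberos_filetrans_admin_home_content($1)`, an interface not visible here; remove them or add a one-line reason. The summary could be more specific, e.g. `## Create kerberos config, keytab, KDC principal database and replay-cache files with their proper types.`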



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2017-02-17 Thread Jason Zaman
commit: a59482227021ff7bdd4d446f4ae9b8c5073e1011
Author: Jason Zaman  perfinion  com>
AuthorDate: Fri May 27 20:44:51 2016 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Fri Feb 17 08:45:13 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a5948222

virt: virtlockd doesn't need ps_process_pattern

 policy/modules/contrib/virt.te | 6 --
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index e1a3bcaf..42e68a29 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1308,6 +1308,10 @@ kernel_dontaudit_read_system_state(virt_leaseshelper_t)
 allow virtlockd_t self:capability dac_override;
 allow virtlockd_t self:fifo_file rw_fifo_file_perms;
 
+allow virtlockd_t virtd_t:dir list_dir_perms;
+allow virtlockd_t virtd_t:file read_file_perms;
+allow virtlockd_t virtd_t:lnk_file read_lnk_file_perms;
+
 allow virtlockd_t virt_image_type:dir list_dir_perms;
 allow virtlockd_t virt_image_type:file rw_file_perms;
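Review bot: The explicit `dir`/`file`/`lnk_file` read rules keep virtlockd reading libvirtd's /proc/&lt;pid&gt; tree; since refpolicy's `ps_process_pattern` is normally these three rules plus `process getattr`, only that permission is being dropped (macro not visible here — please confirm). Add `# not ps_process_pattern: virtlockd reads libvirtd's /proc/<pid> entries but needs no process getattr` so the distinction survives future cleanups, and name the specific /proc file if one is known.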
 
@@ -1326,8 +1330,6 @@ files_pid_filetrans(virtlockd_t, virtlockd_run_t, file)
 
 can_exec(virtlockd_t, virtlockd_exec_t)
 
-ps_process_pattern(virtlockd_t, virtd_t)
-
 files_read_etc_files(virtlockd_t)
 files_list_var_lib(virtlockd_t)
 



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2017-02-17 Thread Jason Zaman
commit: 91667a23f7060ba1ed8bbb1ca3ff155530a46224
Author: Jason Zaman  perfinion  com>
AuthorDate: Thu May 12 16:49:07 2016 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Fri Feb 17 08:45:13 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=91667a23

virt: add policy for virtlogd

 policy/modules/contrib/virt.fc |  1 +
 policy/modules/contrib/virt.te | 42 ++
 2 files changed, 43 insertions(+)

diff --git a/policy/modules/contrib/virt.fc b/policy/modules/contrib/virt.fc
index 22c1ed70..dca262ab 100644
--- a/policy/modules/contrib/virt.fc
+++ b/policy/modules/contrib/virt.fc
@@ -32,6 +32,7 @@ HOME_DIR/VirtualMachines/isos(/.*)?   
gen_context(system_u:object_r:virt_content_t
 /usr/sbin/libvirt-qmf  --  
gen_context(system_u:object_r:virt_qmf_exec_t,s0)
 /usr/sbin/libvirtd --  gen_context(system_u:object_r:virtd_exec_t,s0)
 /usr/sbin/virtlockd--  
gen_context(system_u:object_r:virtlockd_exec_t,s0)
+/usr/sbin/virtlogd --  
gen_context(system_u:object_r:virtlogd_exec_t,s0)
 
 /var/cache/libvirt(/.*)?   
gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh)
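Review bot: Only `/usr/sbin/virtlogd` is labelled here, yet the policy hunk declares `virtlogd_run_t` for a pid file and a socket under `virt_var_run_t` created by `files_pid_filetrans` and `filetrans_pattern … sock_file`. Those objects get the right type only through the runtime transition; after a `restorecon` of /run they would fall back to the directory defaults and the `stream_connect_pattern` from virtd_t to `virtlogd_run_t` would no longer match. Add virt.fc entries with the real paths, e.g. `/run/virtlogd\.pid -- gen_context(system_u:object_r:virtlogd_run_t,s0)` and `/run/libvirt/virtlogd-sock -s gen_context(system_u:object_r:virtlogd_run_t,s0)`, matching whatever virtlockd already has.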
 

diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index eb72843f..e1a3bcaf 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -208,12 +208,21 @@ files_pid_file(virtlockd_run_t)
 type virtlockd_var_lib_t;
 files_type(virtlockd_var_lib_t)
 
+type virtlogd_t;
+type virtlogd_exec_t;
+init_daemon_domain(virtlogd_t, virtlogd_exec_t)
+
+type virtlogd_run_t;
+files_pid_file(virtlogd_run_t)
+
 ifdef(`enable_mcs',`
init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - 
mcs_systemhigh)
+   init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - 
mcs_systemhigh)
 ')
 
 ifdef(`enable_mls',`
init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - 
mls_systemhigh)
+   init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - 
mls_systemhigh)
 ')
 
 
@@ -234,6 +243,9 @@ allow virt_domain virtd_t:fd use;
 allow virt_domain virtd_t:fifo_file rw_fifo_file_perms;
 allow virt_domain virtd_t:process sigchld;
 
+allow virt_domain virtlogd_t:fd use;
+allow virt_domain virtlogd_t:fifo_file rw_fifo_file_perms;
+
 dontaudit virt_domain virtd_t:unix_stream_socket { read write };
 
 manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t)
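Review bot: The guest-side `fd use` and `fifo_file rw_fifo_file_perms` on `virtlogd_t` need a comment saying which object is passed, otherwise the fifo grant cannot be re-checked when virtlogd changes. It appears to be a pipe that virtlogd creates and libvirtd hands to the guest (virtd_t receives the same pair later in this diff), but that is inferred. Proposed: `# guest stdout/stderr go to a pipe created by virtlogd and handed on by libvirtd -- confirm against virtlogd`.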
@@ -472,6 +484,9 @@ dontaudit virtd_t virt_domain:process { siginh noatsecure 
rlimitinh };
 allow virtd_t { virt_domain svirt_lxc_domain }:unix_stream_socket { 
create_stream_socket_perms connectto };
 allow virtd_t svirt_lxc_domain:process signal_perms;
 
+allow virtd_t virtlogd_t:fd use;
+allow virtd_t virtlogd_t:fifo_file rw_fifo_file_perms;
+
 allow virtd_t virtd_lxc_t:process { signal signull sigkill };
 
 domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t)
@@ -558,6 +573,7 @@ filetrans_pattern(virtd_t, virt_var_run_t, 
virtd_lxc_var_run_t, dir, "lxc")
 stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, 
virtd_lxc_t)
 stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
 stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t)
+stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t)
 
 can_exec(virtd_t, virt_tmp_t)
 
@@ -1319,3 +1335,29 @@ miscfiles_read_localization(virtlockd_t)
 
 virt_append_log(virtlockd_t)
 virt_read_config(virtlockd_t)
+
+
+#
+# Virtlogd local policy
+#
+
+allow virtlogd_t self:fifo_file rw_fifo_file_perms;
+
+allow virtlogd_t virtd_t:dir list_dir_perms;
+allow virtlogd_t virtd_t:file read_file_perms;
+allow virtlogd_t virtd_t:lnk_file read_lnk_file_perms;
+
+manage_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t)
+manage_sock_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t)
+filetrans_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t, sock_file)
+files_pid_filetrans(virtlogd_t, virtlogd_run_t, file)
+
+can_exec(virtlogd_t, virtlogd_exec_t)
+
+files_read_etc_files(virtlogd_t)
+files_list_var_lib(virtlogd_t)
+
+miscfiles_read_localization(virtlogd_t)
+
+virt_manage_log(virtlogd_t)
+virt_read_config(virtlogd_t)
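Review bot: Granting virtlogd_t `dir`/`file`/`lnk_file` read on `virtd_t` means it can read libvirtd's /proc/&lt;pid&gt; entries, and nothing in the section explains why a log daemon needs that. The likely reason is a client-pid check against `/proc/<pid>/stat`, mirroring what virtlockd_t gets elsewhere on this branch, but the policy text cannot confirm it. Add `# read libvirtd's /proc/<pid> entries; presumably the client start-time check -- verify against virtlogd source` above the rules and narrow `read_file_perms` if a single file suffices. This virtlogd section is complete in the hunk.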



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2017-01-01 Thread Jason Zaman
commit: 057adccd201fedd6e465395554d1283eeb9d0ef4
Author: Jason Zaman  perfinion  com>
AuthorDate: Sat Aug 13 16:37:55 2016 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Jan  1 16:41:45 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=057adccd

virt: kernel_read_system_state

 policy/modules/contrib/virt.te | 4 
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 073bdc7..d68ea34 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1331,6 +1331,8 @@ files_pid_filetrans(virtlockd_t, virtlockd_run_t, file)
 
 can_exec(virtlockd_t, virtlockd_exec_t)
 
+kernel_read_system_state(virtlockd_t)
+
 files_read_etc_files(virtlockd_t)
 files_list_var_lib(virtlockd_t)
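Review bot: `kernel_read_system_state()` for virtlockd_t and virtlogd_t opens the whole general /proc system state, and the commit gives no denial to show what was actually needed; elsewhere in this file the equivalent access for virt_leaseshelper_t is only `dontaudit`ed (seen as context in another hunk on this page), so the two cases should be reconciled. Note the denied path at the call site: `# needed for <path from AVC>; check whether a narrower kernel_ interface suffices`, and apply the same to the virtlogd_t line in the second hunk.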
 
@@ -1357,6 +1359,8 @@ files_pid_filetrans(virtlogd_t, virtlogd_run_t, file)
 
 can_exec(virtlogd_t, virtlogd_exec_t)
 
+kernel_read_system_state(virtlogd_t)
+
 files_read_etc_files(virtlogd_t)
 files_list_var_lib(virtlogd_t)
 



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2017-01-01 Thread Jason Zaman
commit: 0689d4afa74c089cc196125380526a7e82d87b6a
Author: Jason Zaman  perfinion  com>
AuthorDate: Thu May 12 16:49:07 2016 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Jan  1 16:41:45 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0689d4af

virt: add policy for virtlogd

 policy/modules/contrib/virt.fc |  1 +
 policy/modules/contrib/virt.te | 42 ++
 2 files changed, 43 insertions(+)

diff --git a/policy/modules/contrib/virt.fc b/policy/modules/contrib/virt.fc
index 22c1ed7..dca262a 100644
--- a/policy/modules/contrib/virt.fc
+++ b/policy/modules/contrib/virt.fc
@@ -32,6 +32,7 @@ HOME_DIR/VirtualMachines/isos(/.*)?   
gen_context(system_u:object_r:virt_content_t
 /usr/sbin/libvirt-qmf  --  
gen_context(system_u:object_r:virt_qmf_exec_t,s0)
 /usr/sbin/libvirtd --  gen_context(system_u:object_r:virtd_exec_t,s0)
 /usr/sbin/virtlockd--  
gen_context(system_u:object_r:virtlockd_exec_t,s0)
+/usr/sbin/virtlogd --  
gen_context(system_u:object_r:virtlogd_exec_t,s0)
 
 /var/cache/libvirt(/.*)?   
gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh)
 

diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 41a352d..0924307 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -208,12 +208,21 @@ files_pid_file(virtlockd_run_t)
 type virtlockd_var_lib_t;
 files_type(virtlockd_var_lib_t)
 
+type virtlogd_t;
+type virtlogd_exec_t;
+init_daemon_domain(virtlogd_t, virtlogd_exec_t)
+
+type virtlogd_run_t;
+files_pid_file(virtlogd_run_t)
+
 ifdef(`enable_mcs',`
init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - 
mcs_systemhigh)
+   init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - 
mcs_systemhigh)
 ')
 
 ifdef(`enable_mls',`
init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - 
mls_systemhigh)
+   init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - 
mls_systemhigh)
 ')
 
 
@@ -234,6 +243,9 @@ allow virt_domain virtd_t:fd use;
 allow virt_domain virtd_t:fifo_file rw_fifo_file_perms;
 allow virt_domain virtd_t:process sigchld;
 
+allow virt_domain virtlogd_t:fd use;
+allow virt_domain virtlogd_t:fifo_file rw_fifo_file_perms;
+
 dontaudit virt_domain virtd_t:unix_stream_socket { read write };
 
 manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t)
@@ -472,6 +484,9 @@ dontaudit virtd_t virt_domain:process { siginh noatsecure 
rlimitinh };
 allow virtd_t { virt_domain svirt_lxc_domain }:unix_stream_socket { 
create_stream_socket_perms connectto };
 allow virtd_t svirt_lxc_domain:process signal_perms;
 
+allow virtd_t virtlogd_t:fd use;
+allow virtd_t virtlogd_t:fifo_file rw_fifo_file_perms;
+
 allow virtd_t virtd_lxc_t:process { signal signull sigkill };
 
 domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t)
@@ -558,6 +573,7 @@ filetrans_pattern(virtd_t, virt_var_run_t, 
virtd_lxc_var_run_t, dir, "lxc")
 stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, 
virtd_lxc_t)
 stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
 stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t)
+stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t)
 
 can_exec(virtd_t, virt_tmp_t)
 
@@ -1319,3 +1335,29 @@ miscfiles_read_localization(virtlockd_t)
 
 virt_append_log(virtlockd_t)
 virt_read_config(virtlockd_t)
+
+
+#
+# Virtlogd local policy
+#
+
+allow virtlogd_t self:fifo_file rw_fifo_file_perms;
+
+allow virtlogd_t virtd_t:dir list_dir_perms;
+allow virtlogd_t virtd_t:file read_file_perms;
+allow virtlogd_t virtd_t:lnk_file read_lnk_file_perms;
+
+manage_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t)
+manage_sock_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t)
+filetrans_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t, sock_file)
+files_pid_filetrans(virtlogd_t, virtlogd_run_t, file)
+
+can_exec(virtlogd_t, virtlogd_exec_t)
+
+files_read_etc_files(virtlogd_t)
+files_list_var_lib(virtlogd_t)
+
+miscfiles_read_localization(virtlogd_t)
+
+virt_manage_log(virtlogd_t)
+virt_read_config(virtlogd_t)
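Review bot: The three rules allowing virtlogd_t to list and read virtd_t dirs, files and symlinks give it read access to libvirtd's /proc/<pid> entries, and nothing in the hunk says which entry it needs; a comment such as `# reads /proc/<libvirtd pid>/<entry> — TODO confirm from AVC` would justify using a process type as a file target. I also do not see a self:unix_stream_socket rule for virtlogd_t: if the daemon creates its own listening socket rather than inheriting one from libvirtd, manage_sock_files_pattern only covers the sock_file on disk and `allow virtlogd_t self:unix_stream_socket create_stream_socket_perms;` is still needed, unless an interface outside this hunk grants it — a permissive-mode run would settle that. The same section is re-committed unchanged as 8785c8c6 and e19b3385.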



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2017-01-01 Thread Jason Zaman
commit: 825f87ccd353ab7d66bb41c5cb1905d89654fce0
Author: Jason Zaman  perfinion  com>
AuthorDate: Wed Aug 31 15:03:49 2016 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Jan  1 16:41:45 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=825f87cc

WIP virt: image type perms

 policy/modules/contrib/virt.te | 7 +++
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index d68ea34..f6bc770 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -468,7 +468,7 @@ tunable_policy(`virt_use_vfio',`
 #
 
 allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod 
net_admin net_raw setpcap setuid setgid sys_admin sys_nice };
-allow virtd_t self:process { getcap getsched setcap sigkill signal signull 
execmem setexec setfscreate setsockcreate setsched };
+allow virtd_t self:process { getcap getsched setcap sigkill signal signull 
execmem setexec setfscreate setrlimit setsockcreate setsched };
 allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto };
 allow virtd_t self:unix_stream_socket { accept connectto listen relabelfrom 
relabelto };
 allow virtd_t self:tcp_socket { accept listen };
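Review bot: setrlimit is added to the unconditional virtd_t self:process set here while the last hunk of this commit removes it from the virt_use_vfio tunable, so a permission that used to be opt-in is now always granted, and the "image type perms" title does not mention it. If libvirtd needs setrlimit regardless of VFIO (raising limits before launching guests, for example), a comment on the line saying so would make the move intentional rather than a leftover; otherwise the tunable line should stay. Note that `allow virtd_t svirt_t:process rlimitinh;` remains inside the tunable, so only half of the rlimit pair is gated now. This commit is re-committed as 25870fce, 19cc0dd3 and d1fbfee8 with the same hunks.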
@@ -530,9 +530,9 @@ manage_blk_files_pattern(virtd_t, virt_image_type, 
virt_image_type)
 manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type)
 
 allow virtd_t virt_image_type:file relabel_file_perms;
+allow virtd_t virt_image_type:dir { manage_dir_perms relabel_dir_perms };
 allow virtd_t virt_image_type:blk_file relabel_blk_file_perms;
 allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
-allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
 
 allow virtd_t virt_ptynode:chr_file rw_term_perms;
 
@@ -572,7 +572,7 @@ manage_files_pattern(virtd_t, virtd_lxc_var_run_t, 
virtd_lxc_var_run_t)
 filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
 
 stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, 
virtd_lxc_t)
-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
+stream_connect_pattern(virtd_t, { virt_image_type svirt_var_run_t }, { 
virt_image_type svirt_var_run_t}, virt_domain)
 stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t)
 stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t)
 
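Review bot: Widening stream_connect_pattern's directory and socket types from svirt_var_run_t to { virt_image_type svirt_var_run_t } lets virtd_t connect to a unix socket labeled with any image type, in any directory of any image type, which covers far more than the guest monitor sockets and deserves an explanation before the WIP tag is dropped. If the reason is that sockets created under a domain directory pick up an image type (the relabel-to-svirt_image_t error quoted in commit 7a406629 hints at that), a comment stating which socket and why, `# guest monitor/agent sockets under the domain dir carry svirt_image_t — TODO confirm`, or a dedicated sock_file type for them, would be the narrower fix.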
@@ -714,7 +714,6 @@ tunable_policy(`virt_use_samba',`
 
 tunable_policy(`virt_use_vfio',`
allow virtd_t self:capability sys_resource;
-   allow virtd_t self:process setrlimit;
allow virtd_t svirt_t:process rlimitinh;
dev_relabelfrom_vfio_dev(virtd_t)
 ')



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2017-01-01 Thread Jason Zaman
commit: aab0a8a125baba6defd5178025d458ffbd29f5e5
Author: Jason Zaman  perfinion  com>
AuthorDate: Fri May 27 20:44:51 2016 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Jan  1 16:41:45 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=aab0a8a1

virt: virtlockd doesnt need ps_process_pattern

 policy/modules/contrib/virt.te | 6 --
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 0924307..53233cb 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1308,6 +1308,10 @@ kernel_dontaudit_read_system_state(virt_leaseshelper_t)
 allow virtlockd_t self:capability dac_override;
 allow virtlockd_t self:fifo_file rw_fifo_file_perms;
 
+allow virtlockd_t virtd_t:dir list_dir_perms;
+allow virtlockd_t virtd_t:file read_file_perms;
+allow virtlockd_t virtd_t:lnk_file read_lnk_file_perms;
+
 allow virtlockd_t virt_image_type:dir list_dir_perms;
 allow virtlockd_t virt_image_type:file rw_file_perms;
 
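Review bot: The three allow rules replacing ps_process_pattern keep the dir, file and lnk_file reads on virtd_t, so virtlockd_t can still read libvirtd's /proc/<pid> entries; if I recall the macro correctly the only thing dropped is process getattr, which makes the title "doesn't need ps_process_pattern" a little misleading. A comment naming the /proc entry the lock daemon actually reads, `# reads /proc/<libvirtd pid>/<entry> — TODO confirm from AVC`, would document why a process type is used as a file target here. The same change is re-committed as b408a4f8 and 9874317d.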
@@ -1326,8 +1330,6 @@ files_pid_filetrans(virtlockd_t, virtlockd_run_t, file)
 
 can_exec(virtlockd_t, virtlockd_exec_t)
 
-ps_process_pattern(virtlockd_t, virtd_t)
-
 files_read_etc_files(virtlockd_t)
 files_list_var_lib(virtlockd_t)
 



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2017-01-01 Thread Jason Zaman
commit: 7a4066298de57f3bec0ff28a6a261e893b4f509b
Author: Jason Zaman  perfinion  com>
AuthorDate: Thu Aug 11 05:49:02 2016 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Jan  1 16:41:45 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7a406629

virt: need to relabel to set categories

libvirtError: unable to set security context
'system_u:object_r:svirt_image_t:s0:c50,c346' on
'/var/lib/libvirt/qemu/domain-1-zfstest': Permission denied

 policy/modules/contrib/virt.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 53233cb..073bdc7 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -501,6 +501,7 @@ filetrans_pattern(virtd_t, virt_home_t, virt_content_t, 
dir, "isos")
 allow virtd_t virtd_keytab_t:file read_file_perms;
 
 allow virtd_t svirt_var_run_t:file relabel_file_perms;
+allow virtd_t svirt_var_run_t:dir relabel_dir_perms;
 manage_dirs_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
 manage_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
 manage_sock_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
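Review bot: The quoted libvirt error is a relabel of the domain directory to svirt_image_t:s0:c50,c346, but the rule added grants relabelfrom/relabelto on svirt_var_run_t dirs only; if the domain dir under /var/lib/libvirt/qemu starts out as svirt_var_run_t, the relabelto side of that operation lands on svirt_image_t (a virt_image_type) and is not covered here, unless the `virt_image_type:dir relabel_dir_perms` line in the "WIP virt: image type perms" commit is what actually resolves it. Worth confirming which denial this rule closes and recording it above the line, `# relabel domain dirs to set MCS categories — TODO confirm denial`. The same hunk recurs in the re-committed copies d3133463 and da274ced.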



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2017-01-01 Thread Jason Zaman
commit: b408a4f834ead0cf75539fcdd31f947c7841ec9a
Author: Jason Zaman  perfinion  com>
AuthorDate: Fri May 27 20:44:51 2016 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Jan  1 16:37:17 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b408a4f8

virt: virtlockd doesnt need ps_process_pattern

 policy/modules/contrib/virt.te | 6 --
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 0924307..53233cb 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1308,6 +1308,10 @@ kernel_dontaudit_read_system_state(virt_leaseshelper_t)
 allow virtlockd_t self:capability dac_override;
 allow virtlockd_t self:fifo_file rw_fifo_file_perms;
 
+allow virtlockd_t virtd_t:dir list_dir_perms;
+allow virtlockd_t virtd_t:file read_file_perms;
+allow virtlockd_t virtd_t:lnk_file read_lnk_file_perms;
+
 allow virtlockd_t virt_image_type:dir list_dir_perms;
 allow virtlockd_t virt_image_type:file rw_file_perms;
 
@@ -1326,8 +1330,6 @@ files_pid_filetrans(virtlockd_t, virtlockd_run_t, file)
 
 can_exec(virtlockd_t, virtlockd_exec_t)
 
-ps_process_pattern(virtlockd_t, virtd_t)
-
 files_read_etc_files(virtlockd_t)
 files_list_var_lib(virtlockd_t)
 



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2017-01-01 Thread Jason Zaman
commit: 8785c8c6eb78bf8ab2e6cf915065b3dff243b56e
Author: Jason Zaman  perfinion  com>
AuthorDate: Thu May 12 16:49:07 2016 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Jan  1 16:37:17 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8785c8c6

virt: add policy for virtlogd

 policy/modules/contrib/virt.fc |  1 +
 policy/modules/contrib/virt.te | 42 ++
 2 files changed, 43 insertions(+)

diff --git a/policy/modules/contrib/virt.fc b/policy/modules/contrib/virt.fc
index 22c1ed7..dca262a 100644
--- a/policy/modules/contrib/virt.fc
+++ b/policy/modules/contrib/virt.fc
@@ -32,6 +32,7 @@ HOME_DIR/VirtualMachines/isos(/.*)?   
gen_context(system_u:object_r:virt_content_t
 /usr/sbin/libvirt-qmf  --  
gen_context(system_u:object_r:virt_qmf_exec_t,s0)
 /usr/sbin/libvirtd --  gen_context(system_u:object_r:virtd_exec_t,s0)
 /usr/sbin/virtlockd--  
gen_context(system_u:object_r:virtlockd_exec_t,s0)
+/usr/sbin/virtlogd --  
gen_context(system_u:object_r:virtlogd_exec_t,s0)
 
 /var/cache/libvirt(/.*)?   
gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh)
 

diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 41a352d..0924307 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -208,12 +208,21 @@ files_pid_file(virtlockd_run_t)
 type virtlockd_var_lib_t;
 files_type(virtlockd_var_lib_t)
 
+type virtlogd_t;
+type virtlogd_exec_t;
+init_daemon_domain(virtlogd_t, virtlogd_exec_t)
+
+type virtlogd_run_t;
+files_pid_file(virtlogd_run_t)
+
 ifdef(`enable_mcs',`
init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - 
mcs_systemhigh)
+   init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - 
mcs_systemhigh)
 ')
 
 ifdef(`enable_mls',`
init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - 
mls_systemhigh)
+   init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - 
mls_systemhigh)
 ')
 
 
@@ -234,6 +243,9 @@ allow virt_domain virtd_t:fd use;
 allow virt_domain virtd_t:fifo_file rw_fifo_file_perms;
 allow virt_domain virtd_t:process sigchld;
 
+allow virt_domain virtlogd_t:fd use;
+allow virt_domain virtlogd_t:fifo_file rw_fifo_file_perms;
+
 dontaudit virt_domain virtd_t:unix_stream_socket { read write };
 
 manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t)
@@ -472,6 +484,9 @@ dontaudit virtd_t virt_domain:process { siginh noatsecure 
rlimitinh };
 allow virtd_t { virt_domain svirt_lxc_domain }:unix_stream_socket { 
create_stream_socket_perms connectto };
 allow virtd_t svirt_lxc_domain:process signal_perms;
 
+allow virtd_t virtlogd_t:fd use;
+allow virtd_t virtlogd_t:fifo_file rw_fifo_file_perms;
+
 allow virtd_t virtd_lxc_t:process { signal signull sigkill };
 
 domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t)
@@ -558,6 +573,7 @@ filetrans_pattern(virtd_t, virt_var_run_t, 
virtd_lxc_var_run_t, dir, "lxc")
 stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, 
virtd_lxc_t)
 stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
 stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t)
+stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t)
 
 can_exec(virtd_t, virt_tmp_t)
 
@@ -1319,3 +1335,29 @@ miscfiles_read_localization(virtlockd_t)
 
 virt_append_log(virtlockd_t)
 virt_read_config(virtlockd_t)
+
+
+#
+# Virtlogd local policy
+#
+
+allow virtlogd_t self:fifo_file rw_fifo_file_perms;
+
+allow virtlogd_t virtd_t:dir list_dir_perms;
+allow virtlogd_t virtd_t:file read_file_perms;
+allow virtlogd_t virtd_t:lnk_file read_lnk_file_perms;
+
+manage_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t)
+manage_sock_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t)
+filetrans_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t, sock_file)
+files_pid_filetrans(virtlogd_t, virtlogd_run_t, file)
+
+can_exec(virtlogd_t, virtlogd_exec_t)
+
+files_read_etc_files(virtlogd_t)
+files_list_var_lib(virtlogd_t)
+
+miscfiles_read_localization(virtlogd_t)
+
+virt_manage_log(virtlogd_t)
+virt_read_config(virtlogd_t)



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2017-01-01 Thread Jason Zaman
commit: 200b4f8675cf7052c0465df698acc5bb086e84fa
Author: Jason Zaman  perfinion  com>
AuthorDate: Sat Aug 13 16:37:55 2016 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Jan  1 16:37:17 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=200b4f86

virt: kernel_read_system_state

 policy/modules/contrib/virt.te | 4 
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 073bdc7..d68ea34 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1331,6 +1331,8 @@ files_pid_filetrans(virtlockd_t, virtlockd_run_t, file)
 
 can_exec(virtlockd_t, virtlockd_exec_t)
 
+kernel_read_system_state(virtlockd_t)
+
 files_read_etc_files(virtlockd_t)
 files_list_var_lib(virtlockd_t)
 
@@ -1357,6 +1359,8 @@ files_pid_filetrans(virtlogd_t, virtlogd_run_t, file)
 
 can_exec(virtlogd_t, virtlogd_exec_t)
 
+kernel_read_system_state(virtlogd_t)
+
 files_read_etc_files(virtlogd_t)
 files_list_var_lib(virtlogd_t)
 



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2017-01-01 Thread Jason Zaman
commit: 25870fced7fd72db22bccb30f4f9964d2a51d548
Author: Jason Zaman  perfinion  com>
AuthorDate: Wed Aug 31 15:03:49 2016 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Jan  1 16:37:17 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=25870fce

WIP virt: image type perms

 policy/modules/contrib/virt.te | 7 +++
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index d68ea34..f6bc770 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -468,7 +468,7 @@ tunable_policy(`virt_use_vfio',`
 #
 
 allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod 
net_admin net_raw setpcap setuid setgid sys_admin sys_nice };
-allow virtd_t self:process { getcap getsched setcap sigkill signal signull 
execmem setexec setfscreate setsockcreate setsched };
+allow virtd_t self:process { getcap getsched setcap sigkill signal signull 
execmem setexec setfscreate setrlimit setsockcreate setsched };
 allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto };
 allow virtd_t self:unix_stream_socket { accept connectto listen relabelfrom 
relabelto };
 allow virtd_t self:tcp_socket { accept listen };
@@ -530,9 +530,9 @@ manage_blk_files_pattern(virtd_t, virt_image_type, 
virt_image_type)
 manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type)
 
 allow virtd_t virt_image_type:file relabel_file_perms;
+allow virtd_t virt_image_type:dir { manage_dir_perms relabel_dir_perms };
 allow virtd_t virt_image_type:blk_file relabel_blk_file_perms;
 allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
-allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
 
 allow virtd_t virt_ptynode:chr_file rw_term_perms;
 
@@ -572,7 +572,7 @@ manage_files_pattern(virtd_t, virtd_lxc_var_run_t, 
virtd_lxc_var_run_t)
 filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
 
 stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, 
virtd_lxc_t)
-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
+stream_connect_pattern(virtd_t, { virt_image_type svirt_var_run_t }, { 
virt_image_type svirt_var_run_t}, virt_domain)
 stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t)
 stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t)
 
@@ -714,7 +714,6 @@ tunable_policy(`virt_use_samba',`
 
 tunable_policy(`virt_use_vfio',`
allow virtd_t self:capability sys_resource;
-   allow virtd_t self:process setrlimit;
allow virtd_t svirt_t:process rlimitinh;
dev_relabelfrom_vfio_dev(virtd_t)
 ')



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2017-01-01 Thread Jason Zaman
commit: d313346330e8329dba085cc1f98a32538e0df08c
Author: Jason Zaman  perfinion  com>
AuthorDate: Thu Aug 11 05:49:02 2016 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Jan  1 16:37:17 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d3133463

virt: need to relabel to set categories

libvirtError: unable to set security context
'system_u:object_r:svirt_image_t:s0:c50,c346' on
'/var/lib/libvirt/qemu/domain-1-zfstest': Permission denied

 policy/modules/contrib/virt.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 53233cb..073bdc7 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -501,6 +501,7 @@ filetrans_pattern(virtd_t, virt_home_t, virt_content_t, 
dir, "isos")
 allow virtd_t virtd_keytab_t:file read_file_perms;
 
 allow virtd_t svirt_var_run_t:file relabel_file_perms;
+allow virtd_t svirt_var_run_t:dir relabel_dir_perms;
 manage_dirs_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
 manage_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
 manage_sock_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2016-12-07 Thread Jason Zaman
commit: da274ceda489c560cb8bc471e6327e748c8b30e8
Author: Jason Zaman  perfinion  com>
AuthorDate: Thu Aug 11 05:49:02 2016 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Thu Dec  8 05:03:22 2016 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=da274ced

virt: need to relabel to set categories

libvirtError: unable to set security context
'system_u:object_r:svirt_image_t:s0:c50,c346' on
'/var/lib/libvirt/qemu/domain-1-zfstest': Permission denied

 policy/modules/contrib/virt.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index dc4c94d..a29f333 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -501,6 +501,7 @@ filetrans_pattern(virtd_t, virt_home_t, virt_content_t, 
dir, "isos")
 allow virtd_t virtd_keytab_t:file read_file_perms;
 
 allow virtd_t svirt_var_run_t:file relabel_file_perms;
+allow virtd_t svirt_var_run_t:dir relabel_dir_perms;
 manage_dirs_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
 manage_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
 manage_sock_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2016-12-07 Thread Jason Zaman
commit: 9874317d0b74d1320f5e2910f5d336ee4534d9e1
Author: Jason Zaman  perfinion  com>
AuthorDate: Fri May 27 20:44:51 2016 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Thu Dec  8 05:03:22 2016 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9874317d

virt: virtlockd doesnt need ps_process_pattern

 policy/modules/contrib/virt.te | 6 --
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 16c2970..dc4c94d 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1308,6 +1308,10 @@ kernel_dontaudit_read_system_state(virt_leaseshelper_t)
 allow virtlockd_t self:capability dac_override;
 allow virtlockd_t self:fifo_file rw_fifo_file_perms;
 
+allow virtlockd_t virtd_t:dir list_dir_perms;
+allow virtlockd_t virtd_t:file read_file_perms;
+allow virtlockd_t virtd_t:lnk_file read_lnk_file_perms;
+
 allow virtlockd_t virt_image_type:dir list_dir_perms;
 allow virtlockd_t virt_image_type:file rw_file_perms;
 
@@ -1326,8 +1330,6 @@ files_pid_filetrans(virtlockd_t, virtlockd_run_t, file)
 
 can_exec(virtlockd_t, virtlockd_exec_t)
 
-ps_process_pattern(virtlockd_t, virtd_t)
-
 files_read_etc_files(virtlockd_t)
 files_list_var_lib(virtlockd_t)
 



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2016-12-07 Thread Jason Zaman
commit: c57aed9da88efe8523e7705544c697246e3c42ec
Author: Jason Zaman  perfinion  com>
AuthorDate: Sat Aug 13 16:37:55 2016 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Thu Dec  8 05:03:22 2016 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c57aed9d

virt: kernel_read_system_state

 policy/modules/contrib/virt.te | 4 
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index a29f333..0adbdb1 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1331,6 +1331,8 @@ files_pid_filetrans(virtlockd_t, virtlockd_run_t, file)
 
 can_exec(virtlockd_t, virtlockd_exec_t)
 
+kernel_read_system_state(virtlockd_t)
+
 files_read_etc_files(virtlockd_t)
 files_list_var_lib(virtlockd_t)
 
@@ -1357,6 +1359,8 @@ files_pid_filetrans(virtlogd_t, virtlogd_run_t, file)
 
 can_exec(virtlogd_t, virtlogd_exec_t)
 
+kernel_read_system_state(virtlogd_t)
+
 files_read_etc_files(virtlogd_t)
 files_list_var_lib(virtlogd_t)
 



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2016-12-07 Thread Jason Zaman
commit: 19cc0dd3e22ff760557458a606aae28875bca190
Author: Jason Zaman  perfinion  com>
AuthorDate: Wed Aug 31 15:03:49 2016 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Thu Dec  8 05:03:22 2016 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=19cc0dd3

WIP virt: image type perms

 policy/modules/contrib/virt.te | 7 +++
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 0adbdb1..fd357c4 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -468,7 +468,7 @@ tunable_policy(`virt_use_vfio',`
 #
 
 allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod 
net_admin net_raw setpcap setuid setgid sys_admin sys_nice };
-allow virtd_t self:process { getcap getsched setcap sigkill signal signull 
execmem setexec setfscreate setsockcreate setsched };
+allow virtd_t self:process { getcap getsched setcap sigkill signal signull 
execmem setexec setfscreate setrlimit setsockcreate setsched };
 allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto };
 allow virtd_t self:unix_stream_socket { accept connectto listen relabelfrom 
relabelto };
 allow virtd_t self:tcp_socket { accept listen };
@@ -530,9 +530,9 @@ manage_blk_files_pattern(virtd_t, virt_image_type, 
virt_image_type)
 manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type)
 
 allow virtd_t virt_image_type:file relabel_file_perms;
+allow virtd_t virt_image_type:dir { manage_dir_perms relabel_dir_perms };
 allow virtd_t virt_image_type:blk_file relabel_blk_file_perms;
 allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
-allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
 
 allow virtd_t virt_ptynode:chr_file rw_term_perms;
 
@@ -572,7 +572,7 @@ manage_files_pattern(virtd_t, virtd_lxc_var_run_t, 
virtd_lxc_var_run_t)
 filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
 
 stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, 
virtd_lxc_t)
-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
+stream_connect_pattern(virtd_t, { virt_image_type svirt_var_run_t }, { 
virt_image_type svirt_var_run_t}, virt_domain)
 stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t)
 stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t)
 
@@ -714,7 +714,6 @@ tunable_policy(`virt_use_samba',`
 
 tunable_policy(`virt_use_vfio',`
allow virtd_t self:capability sys_resource;
-   allow virtd_t self:process setrlimit;
allow virtd_t svirt_t:process rlimitinh;
dev_relabelfrom_vfio_dev(virtd_t)
 ')



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2016-12-07 Thread Jason Zaman
commit: e19b33854b5d4f302dbc12bad9810be29c4e45a5
Author: Jason Zaman  perfinion  com>
AuthorDate: Thu May 12 16:49:07 2016 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Thu Dec  8 05:03:22 2016 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e19b3385

virt: add policy for virtlogd

 policy/modules/contrib/virt.fc |  1 +
 policy/modules/contrib/virt.te | 42 ++
 2 files changed, 43 insertions(+)

diff --git a/policy/modules/contrib/virt.fc b/policy/modules/contrib/virt.fc
index f7e0ce8..7d9456a 100644
--- a/policy/modules/contrib/virt.fc
+++ b/policy/modules/contrib/virt.fc
@@ -32,6 +32,7 @@ HOME_DIR/VirtualMachines/isos(/.*)?   
gen_context(system_u:object_r:virt_content_t
 /usr/sbin/libvirt-qmf  --  
gen_context(system_u:object_r:virt_qmf_exec_t,s0)
 /usr/sbin/libvirtd --  gen_context(system_u:object_r:virtd_exec_t,s0)
 /usr/sbin/virtlockd--  
gen_context(system_u:object_r:virtlockd_exec_t,s0)
+/usr/sbin/virtlogd --  
gen_context(system_u:object_r:virtlogd_exec_t,s0)
 
 /var/cache/libvirt(/.*)?   
gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh)
 

diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index c45ba2d..16c2970 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -208,12 +208,21 @@ files_pid_file(virtlockd_run_t)
 type virtlockd_var_lib_t;
 files_type(virtlockd_var_lib_t)
 
+type virtlogd_t;
+type virtlogd_exec_t;
+init_daemon_domain(virtlogd_t, virtlogd_exec_t)
+
+type virtlogd_run_t;
+files_pid_file(virtlogd_run_t)
+
 ifdef(`enable_mcs',`
init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - 
mcs_systemhigh)
+   init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - 
mcs_systemhigh)
 ')
 
 ifdef(`enable_mls',`
init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - 
mls_systemhigh)
+   init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - 
mls_systemhigh)
 ')
 
 
@@ -234,6 +243,9 @@ allow virt_domain virtd_t:fd use;
 allow virt_domain virtd_t:fifo_file rw_fifo_file_perms;
 allow virt_domain virtd_t:process sigchld;
 
+allow virt_domain virtlogd_t:fd use;
+allow virt_domain virtlogd_t:fifo_file rw_fifo_file_perms;
+
 dontaudit virt_domain virtd_t:unix_stream_socket { read write };
 
 manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t)
@@ -472,6 +484,9 @@ dontaudit virtd_t virt_domain:process { siginh noatsecure 
rlimitinh };
 allow virtd_t { virt_domain svirt_lxc_domain }:unix_stream_socket { 
create_stream_socket_perms connectto };
 allow virtd_t svirt_lxc_domain:process signal_perms;
 
+allow virtd_t virtlogd_t:fd use;
+allow virtd_t virtlogd_t:fifo_file rw_fifo_file_perms;
+
 allow virtd_t virtd_lxc_t:process { signal signull sigkill };
 
 domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t)
@@ -558,6 +573,7 @@ filetrans_pattern(virtd_t, virt_var_run_t, 
virtd_lxc_var_run_t, dir, "lxc")
 stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, 
virtd_lxc_t)
 stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
 stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t)
+stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t)
 
 can_exec(virtd_t, virt_tmp_t)
 
@@ -1319,3 +1335,29 @@ miscfiles_read_localization(virtlockd_t)
 
 virt_append_log(virtlockd_t)
 virt_read_config(virtlockd_t)
+
+
+#
+# Virtlogd local policy
+#
+
+allow virtlogd_t self:fifo_file rw_fifo_file_perms;
+
+allow virtlogd_t virtd_t:dir list_dir_perms;
+allow virtlogd_t virtd_t:file read_file_perms;
+allow virtlogd_t virtd_t:lnk_file read_lnk_file_perms;
+
+manage_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t)
+manage_sock_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t)
+filetrans_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t, sock_file)
+files_pid_filetrans(virtlogd_t, virtlogd_run_t, file)
+
+can_exec(virtlogd_t, virtlogd_exec_t)
+
+files_read_etc_files(virtlogd_t)
+files_list_var_lib(virtlogd_t)
+
+miscfiles_read_localization(virtlogd_t)
+
+virt_manage_log(virtlogd_t)
+virt_read_config(virtlogd_t)



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2016-12-06 Thread Jason Zaman
commit: 6fec98ded6c9bda1c731ab48a87265ace6cc43b1
Author: Jason Zaman  perfinion  com>
AuthorDate: Tue Dec  6 15:00:17 2016 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Tue Dec  6 15:02:34 2016 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6fec98de

portage: add signal and FEATURES=test perms

 policy/modules/contrib/portage.te | 7 ++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/policy/modules/contrib/portage.te 
b/policy/modules/contrib/portage.te
index 19bd8c8..52c6bf9 100644
--- a/policy/modules/contrib/portage.te
+++ b/policy/modules/contrib/portage.te
@@ -436,6 +436,8 @@ gen_tunable(portage_enable_test, false)
 
allow portage_t self:capability2 block_suspend;
 
+   allow portage_t { portage_fetch_t portage_sandbox_t }:process 
signal_perms;
+
# Support self-update of Portage
allow portage_t portage_tmp_t:dir relabel_dir_perms;
allow portage_t portage_tmp_t:lnk_file relabel_lnk_file_perms;
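Review bot: The new signal_perms rule lets portage_t send any signal, sigkill included, to its fetch and sandbox children, which is reasonable for the parent, but unlike the `# Support self-update of Portage` block right below it carries no comment saying when Portage signals them; a one-liner such as `# portage signals/kills fetch and sandbox children on abort — TODO confirm` would keep the section self-explaining. The block enclosing this hunk starts before it, so I cannot tell from here whether the rule is conditional.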
@@ -490,9 +492,12 @@ gen_tunable(portage_enable_test, false)
 
tunable_policy(`portage_enable_test',`
# lots of tests connect over loopback
-   corenet_tcp_bind_generic_node(portage_sandbox_t)
corenet_tcp_bind_all_unreserved_ports(portage_sandbox_t)
+   corenet_tcp_bind_generic_node(portage_sandbox_t)
corenet_tcp_connect_all_unreserved_ports(portage_sandbox_t)
+   corenet_udp_bind_all_unreserved_ports(portage_sandbox_t)
+   corenet_udp_bind_generic_node(portage_sandbox_t)
+   corenet_udp_sendrecv_all_ports(portage_sandbox_t)
')
 
##
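Review bot: `corenet_udp_sendrecv_all_ports(portage_sandbox_t)` grants send/receive on every UDP port type, reserved ports included, whereas the TCP rules in the same tunable block and the UDP bind rule two lines above are limited to unreserved ports. If the tests only talk over loopback on ephemeral ports as the comment at the top of the block says, this rule is wider than the stated need; either narrow it to the unreserved set or record why reserved ports are required, e.g. `# UDP sendrecv deliberately includes reserved ports: <reason>`. The tunable_policy block closes inside the hunk, so the change is self-contained.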



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2016-12-06 Thread Jason Zaman
commit: d1fbfee8d08f96007893d2c06440077de0048d7f
Author: Jason Zaman  perfinion  com>
AuthorDate: Wed Aug 31 15:03:49 2016 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Tue Dec  6 15:02:54 2016 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d1fbfee8

WIP virt: image type perms

 policy/modules/contrib/virt.te | 7 +++
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 0adbdb1..fd357c4 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -468,7 +468,7 @@ tunable_policy(`virt_use_vfio',`
 #
 
 allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod 
net_admin net_raw setpcap setuid setgid sys_admin sys_nice };
-allow virtd_t self:process { getcap getsched setcap sigkill signal signull 
execmem setexec setfscreate setsockcreate setsched };
+allow virtd_t self:process { getcap getsched setcap sigkill signal signull 
execmem setexec setfscreate setrlimit setsockcreate setsched };
 allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto };
 allow virtd_t self:unix_stream_socket { accept connectto listen relabelfrom 
relabelto };
 allow virtd_t self:tcp_socket { accept listen };
@@ -530,9 +530,9 @@ manage_blk_files_pattern(virtd_t, virt_image_type, 
virt_image_type)
 manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type)
 
 allow virtd_t virt_image_type:file relabel_file_perms;
+allow virtd_t virt_image_type:dir { manage_dir_perms relabel_dir_perms };
 allow virtd_t virt_image_type:blk_file relabel_blk_file_perms;
 allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
-allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
 
 allow virtd_t virt_ptynode:chr_file rw_term_perms;
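Review bot: `allow virtd_t virt_image_type:dir { manage_dir_perms relabel_dir_perms };` mixes management and relabel permissions where the neighbouring file, blk_file and chr_file rules grant relabel only; the manage_blk_files_pattern and manage_lnk_files_pattern calls at the top of the hunk suggest a manage_dirs_pattern for virt_image_type already exists outside the hunk, which would make manage_dir_perms here redundant. If so the line should read `allow virtd_t virt_image_type:dir relabel_dir_perms;` to match its siblings; if no dirs pattern exists, a manage_dirs_pattern call is the conventional form rather than raw manage_dir_perms. The enclosing virtd local policy block starts and ends outside the hunk.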
 
@@ -572,7 +572,7 @@ manage_files_pattern(virtd_t, virtd_lxc_var_run_t, 
virtd_lxc_var_run_t)
 filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc")
 
 stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, 
virtd_lxc_t)
-stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain)
+stream_connect_pattern(virtd_t, { virt_image_type svirt_var_run_t }, { 
virt_image_type svirt_var_run_t}, virt_domain)
 stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t)
 stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t)
 
@@ -714,7 +714,6 @@ tunable_policy(`virt_use_samba',`
 
 tunable_policy(`virt_use_vfio',`
allow virtd_t self:capability sys_resource;
-   allow virtd_t self:process setrlimit;
allow virtd_t svirt_t:process rlimitinh;
dev_relabelfrom_vfio_dev(virtd_t)
 ')



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/

2016-12-06 Thread Jason Zaman
commit: 4871e1eccd9f29ce8b8beb97e462bf3c506946b4
Author: Jason Zaman  perfinion  com>
AuthorDate: Thu Aug 11 05:49:02 2016 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Tue Dec  6 15:02:54 2016 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4871e1ec

virt: need to relabel to set categories

libvirtError: unable to set security context
'system_u:object_r:svirt_image_t:s0:c50,c346' on
'/var/lib/libvirt/qemu/domain-1-zfstest': Permission denied

 policy/modules/contrib/virt.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index dc4c94d..a29f333 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -501,6 +501,7 @@ filetrans_pattern(virtd_t, virt_home_t, virt_content_t, 
dir, "isos")
 allow virtd_t virtd_keytab_t:file read_file_perms;
 
 allow virtd_t svirt_var_run_t:file relabel_file_perms;
+allow virtd_t svirt_var_run_t:dir relabel_dir_perms;
 manage_dirs_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
 manage_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
 manage_sock_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
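Review bot: `allow virtd_t svirt_var_run_t:dir relabel_dir_perms;` covers only the relabelfrom half of the failure quoted in the description: relabelfrom is checked against the directory's current type (svirt_var_run_t, where /var/lib/libvirt/qemu presumably lives), while relabelto is checked against the new type, svirt_image_t, which this hunk does not touch. Unless virtd_t already has relabelto on svirt_image_t:dir elsewhere, the denial would move rather than disappear; the virt_image_type:dir relabel rule added in d1fbfee8 on this page appears to supply that half, so a comment tying the two together would help, e.g. `# relabelfrom half of setting per-domain MCS categories; relabelto comes via virt_image_type`. The enclosing virtd local policy block starts and ends outside the hunk.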


