[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: 9ec53a8a43b7f1d03a84c333c1265a63b8ef334c Author: Jason Zaman perfinion com> AuthorDate: Sat Aug 13 16:37:55 2016 + Commit: Jason Zaman gentoo org> CommitDate: Sun Sep 10 13:53:30 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9ec53a8a virt: kernel_read_system_state policy/modules/contrib/virt.te | 4 1 file changed, 4 insertions(+) diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te index 51429d5b..0a770ea1 100644 --- a/policy/modules/contrib/virt.te +++ b/policy/modules/contrib/virt.te @@ -1331,6 +1331,8 @@ files_pid_filetrans(virtlockd_t, virtlockd_run_t, file) can_exec(virtlockd_t, virtlockd_exec_t) +kernel_read_system_state(virtlockd_t) + files_read_etc_files(virtlockd_t) files_list_var_lib(virtlockd_t) @@ -1357,6 +1359,8 @@ files_pid_filetrans(virtlogd_t, virtlogd_run_t, file) can_exec(virtlogd_t, virtlogd_exec_t) +kernel_read_system_state(virtlogd_t) + files_read_etc_files(virtlogd_t) files_list_var_lib(virtlogd_t)
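Review bot: Both `kernel_read_system_state` grants (virtlockd_t in the first hunk, virtlogd_t in the second) are fairly broad — they cover the general /proc system state (proc_t) — and, unlike the other virt commits in this series, the message carries no denial showing what either daemon actually reads. If the need is a single file under /proc, a narrower kernel_ interface may suffice; if the broad grant is intended, a one-line comment above each call such as `# virtlockd reads /proc state (see <placeholder: AVC denial>)` keeps the rationale with the rule. Both the virtlockd_t and the virtlogd_t rule blocks continue outside their hunks.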
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/, policy/modules/kernel/, policy/modules/system/
commit: 61a9be757ac82bad3c2c01f4395a7720b317e008 Author: Jason Zaman perfinion com> AuthorDate: Thu Mar 30 07:30:55 2017 + Commit: Jason Zaman gentoo org> CommitDate: Sun Sep 10 13:53:30 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=61a9be75 gssproxy: Allow others to stream connect kernel AVC: * Starting gssproxy ... Failed to write to /proc/net/rpc/use-gss-proxy: 13 (Permission denied) * start-stop-daemon: failed to start `gssproxy' type=AVC msg=audit(1490858215.578:386110): avc: denied { connectto } for pid=25447 comm="gssproxy" path="/run/gssproxy.sock" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=unix_stream_socket permissive=0 policy/modules/contrib/rpc.te | 3 +++ policy/modules/kernel/kernel.te | 4 policy/modules/system/userdomain.if | 4 3 files changed, 11 insertions(+) diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te index 970e5b31..b46d865f 100644 --- a/policy/modules/contrib/rpc.te +++ b/policy/modules/contrib/rpc.te @@ -339,6 +339,9 @@ optional_policy(` ') optional_policy(` + gssproxy_stream_connect(gssd_t) +') +optional_policy(` kerberos_manage_host_rcache(gssd_t) kerberos_read_keytab(gssd_t) kerberos_tmp_filetrans_host_rcache(gssd_t, file, "nfs_0") diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te index 5d8404de..432fa86e 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -423,6 +423,10 @@ optional_policy(` rpc_tcp_rw_nfs_sockets(kernel_t) rpc_udp_rw_nfs_sockets(kernel_t) + optional_policy(` + gssproxy_stream_connect(kernel_t) + ') + tunable_policy(`nfs_export_all_ro',` fs_getattr_noxattr_fs(kernel_t) fs_list_noxattr_fs(kernel_t) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index 88fdb823..f93f946c 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if 
@@ -686,6 +686,10 @@ template(`userdom_common_user_template',` ') optional_policy(` + gssproxy_stream_connect($1_t) + ') + + optional_policy(` hwloc_exec_dhwd($1_t) hwloc_read_runtime_files($1_t) ')
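Review bot: Only the kernel_t grant in the kernel.te hunk is backed by the quoted AVC (kernel_t connectto gssproxy_t on /run/gssproxy.sock); the gssd_t grant in rpc.te and especially this one, which lets every domain generated by userdom_common_user_template connect to the gssproxy socket (and search gssproxy_var_lib_t, since gssproxy_stream_connect covers both socket locations), are not explained by the message. If the intent is to let GSSAPI clients in user sessions reach the proxy, say so above the new block, e.g. `# gssproxy: user GSSAPI clients may talk to the proxy socket`; otherwise consider guarding it with a tunable or dropping the template change. userdom_common_user_template starts and ends outside the hunk.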
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: 8e9fc437ae1727920d4fcabea0910b7f9e3d3dce Author: Jason Zaman perfinion com> AuthorDate: Thu Aug 11 05:49:02 2016 + Commit: Jason Zaman gentoo org> CommitDate: Sun Sep 10 13:53:30 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8e9fc437 virt: need to relabel to set categories libvirtError: unable to set security context 'system_u:object_r:svirt_image_t:s0:c50,c346' on '/var/lib/libvirt/qemu/domain-1-zfstest': Permission denied policy/modules/contrib/virt.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te index e27d24a6..51429d5b 100644 --- a/policy/modules/contrib/virt.te +++ b/policy/modules/contrib/virt.te @@ -501,6 +501,7 @@ filetrans_pattern(virtd_t, virt_home_t, virt_content_t, dir, "isos") allow virtd_t virtd_keytab_t:file read_file_perms; allow virtd_t svirt_var_run_t:file relabel_file_perms; +allow virtd_t svirt_var_run_t:dir relabel_dir_perms; manage_dirs_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t) manage_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t) manage_sock_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
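Review bot: The new `allow virtd_t svirt_var_run_t:dir relabel_dir_perms;` carries no comment linking it to the libvirtError in the message, and neither the `relabel_file_perms` line above it nor the manage_*_pattern lines below record why relabelling is needed at all. A short comment such as `# libvirtd relabels the per-domain run dir to the guest's MCS categories` (the error shows c50,c346 being set on a domain directory) would keep that visible. The virtd_t rule block continues outside the hunk.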
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: 234f522a12f0214e10a7a56092e31a3ac747017a Author: Jason Zaman perfinion com> AuthorDate: Sun Sep 10 13:47:28 2017 + Commit: Jason Zaman gentoo org> CommitDate: Sun Sep 10 13:47:28 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=234f522a xdg: allow map perms policy/modules/contrib/xdg.if | 23 +++ 1 file changed, 23 insertions(+) diff --git a/policy/modules/contrib/xdg.if b/policy/modules/contrib/xdg.if index 649266b3..3188d96f 100644 --- a/policy/modules/contrib/xdg.if +++ b/policy/modules/contrib/xdg.if @@ -79,6 +79,7 @@ interface(`xdg_read_cache_home_files',` ') read_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t) + allow $1 xdg_cache_home_t:file map; list_dirs_pattern($1, xdg_cache_home_t, xdg_cache_home_t) userdom_search_user_home_dirs($1) @@ -100,6 +101,7 @@ interface(`xdg_read_all_cache_home_files',` ') read_files_pattern($1, xdg_cache_home_type, xdg_cache_home_type) + allow $1 xdg_cache_home_type:file map; userdom_search_user_home_dirs($1) ') @@ -208,6 +210,7 @@ interface(`xdg_manage_cache_home',` manage_dirs_pattern($1, xdg_cache_home_t, xdg_cache_home_t) manage_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t) + allow $1 xdg_cache_home_t:file map; manage_lnk_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t) manage_fifo_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t) manage_sock_files_pattern($1, xdg_cache_home_t, xdg_cache_home_t) @@ -232,6 +235,7 @@ interface(`xdg_manage_all_cache_home',` manage_dirs_pattern($1, xdg_cache_home_type, xdg_cache_home_type) manage_files_pattern($1, xdg_cache_home_type, xdg_cache_home_type) + allow $1 xdg_cache_home_type:file map; manage_lnk_files_pattern($1, xdg_cache_home_type, xdg_cache_home_type) manage_fifo_files_pattern($1, xdg_cache_home_type, xdg_cache_home_type) manage_sock_files_pattern($1, xdg_cache_home_type, xdg_cache_home_type) 
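Review bot: Adding `allow $1 xdg_cache_home_t:file map;` directly inside the existing read and manage interfaces (here, and likewise in the config and data hunks that follow) silently widens every current caller of xdg_read_*/xdg_manage_* to mmap those files, while the interface summaries above each block (outside the hunks) still describe plain read/manage access. The pulseaudio commit on this same page takes the other route — a dedicated `userdom_map_user_tmpfs_files` interface — so the tree is now inconsistent; either provide separate xdg_map_* interfaces and call them from the domains that need them, or at least mention the map grant in each affected interface's description. Each interface's header and `gen_require` are outside the hunks.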
@@ -323,6 +327,7 @@ interface(`xdg_read_config_home_files',` ') read_files_pattern($1, xdg_config_home_t, xdg_config_home_t) + allow $1 xdg_config_home_t:file map; list_dirs_pattern($1, xdg_config_home_t, xdg_config_home_t) userdom_search_user_home_dirs($1) @@ -344,6 +349,7 @@ interface(`xdg_read_all_config_home_files',` ') read_files_pattern($1, xdg_config_home_type, xdg_config_home_type) + allow $1 xdg_config_home_type:file map; userdom_search_user_home_dirs($1) ') @@ -453,6 +459,7 @@ interface(`xdg_manage_config_home',` manage_dirs_pattern($1, xdg_config_home_t, xdg_config_home_t) manage_files_pattern($1, xdg_config_home_t, xdg_config_home_t) + allow $1 xdg_config_home_t:file map; manage_lnk_files_pattern($1, xdg_config_home_t, xdg_config_home_t) manage_fifo_files_pattern($1, xdg_config_home_t, xdg_config_home_t) manage_sock_files_pattern($1, xdg_config_home_t, xdg_config_home_t) @@ -477,6 +484,7 @@ interface(`xdg_manage_all_config_home',` manage_dirs_pattern($1, xdg_config_home_type, xdg_config_home_type) manage_files_pattern($1, xdg_config_home_type, xdg_config_home_type) + allow $1 xdg_config_home_type:file map; manage_lnk_files_pattern($1, xdg_config_home_type, xdg_config_home_type) manage_fifo_files_pattern($1, xdg_config_home_type, xdg_config_home_type) manage_sock_files_pattern($1, xdg_config_home_type, xdg_config_home_type) @@ -548,6 +556,7 @@ interface(`xdg_read_data_home_files',` ') read_files_pattern($1, xdg_data_home_t, xdg_data_home_t) + allow $1 xdg_data_home_t:file map; list_dirs_pattern($1, xdg_data_home_t, xdg_data_home_t) userdom_search_user_home_dirs($1) @@ -569,6 +578,7 @@ interface(`xdg_read_all_data_home_files',` ') read_files_pattern($1, xdg_data_home_type, xdg_data_home_type) + allow $1 xdg_data_home_type:file map; userdom_search_user_home_dirs($1) ') 
@@ -677,6 +687,7 @@ interface(`xdg_manage_data_home',` manage_dirs_pattern($1, xdg_data_home_t, xdg_data_home_t) manage_files_pattern($1, xdg_data_home_t, xdg_data_home_t) + allow $1 xdg_data_home_t:file map; manage_lnk_files_pattern($1, xdg_data_home_t, xdg_data_home_t) manage_fifo_files_pattern($1, xdg_data_home_t, xdg_data_home_t) manage_sock_files_pattern($1, xdg_data_home_t, xdg_data_home_t) @@ -701,6 +712,7 @@ interface(`xdg_manage_all_data_home',` manage_dirs_pattern($1, xdg_data_home_type, xdg_data_home_type) manage_files_pattern($1, xdg_data_home_type, xdg_data_home_type) + allow $1 xdg_data_home_type:file map; manage_lnk_files_pattern($1, xdg_data_home_type, xdg_data_home_type) manage_fifo_files_pattern($1, xdg_data_home_type, xdg_dat
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: 8c6ec37b74ac4fbf76957ac569cddaf737aae65d Author: Jason Zaman perfinion com> AuthorDate: Wed Feb 15 17:15:58 2017 + Commit: Jason Zaman gentoo org> CommitDate: Sun Sep 10 13:53:30 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8c6ec37b kerberos: Introduce kerberos_filetrans_named_content interface policy/modules/contrib/kerberos.if | 37 + 1 file changed, 37 insertions(+) diff --git a/policy/modules/contrib/kerberos.if b/policy/modules/contrib/kerberos.if index c8c5a37d..7bfd8a2a 100644 --- a/policy/modules/contrib/kerberos.if +++ b/policy/modules/contrib/kerberos.if 
@@ -425,6 +425,43 @@ interface(`kerberos_connect_524',` ## +## Transition to kerberos named content +## +## +## +## Domain allowed access. +## +## +# +interface(`kerberos_filetrans_named_content',` + gen_require(` + type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t; + type krb5kdc_principal_t; + ') + + files_etc_filetrans($1, krb5_conf_t, file, "krb5.conf") + filetrans_pattern($1, krb5kdc_conf_t, krb5_keytab_t, file, "kadm5.keytab") + filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal") + filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal0") + filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal1") + #filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal1") + + kerberos_etc_filetrans_keytab($1, file, "krb5.keytab") + #kerberos_filetrans_admin_home_content($1) + + kerberos_tmp_filetrans_host_rcache($1, file, "DNS_25") + kerberos_tmp_filetrans_host_rcache($1, file, "host_0") + kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_23") + kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_48") + kerberos_tmp_filetrans_host_rcache($1, file, "imap_0") + kerberos_tmp_filetrans_host_rcache($1, file, "nfs_0") + kerberos_tmp_filetrans_host_rcache($1, file, "ldapmap1_0") + kerberos_tmp_filetrans_host_rcache($1, file, "ldap_487") + kerberos_tmp_filetrans_host_rcache($1, file, "ldap_55") +') + + +## ## All of the rules required to ## administrate an kerberos environment. ##
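Review bot: The new interface ships two commented-out lines, `#filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal1")` (an exact duplicate of the live line directly above it) and `#kerberos_filetrans_admin_home_content($1)`, which read as unfinished work; drop the duplicate and either implement or remove the second. The rcache names such as `host_0`, `HTTP_48` and `ldap_487` look like the <service>_<uid> naming of the host replay cache, so the uid suffixes are specific to the systems this was written on; a comment saying so, and that other installations may need further names, would stop the next reader from treating the list as complete. The interface is contained in the hunk, but its XML description tags were lost in this rendering.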
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: 15f0a66ac8e45129d70d1cb0bbe6a8ae6771953f Author: Jason Zaman perfinion com> AuthorDate: Thu May 12 16:49:07 2016 + Commit: Jason Zaman gentoo org> CommitDate: Sun Sep 10 13:53:30 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=15f0a66a virt: add policy for virtlogd policy/modules/contrib/virt.fc | 1 + policy/modules/contrib/virt.te | 42 ++ 2 files changed, 43 insertions(+) diff --git a/policy/modules/contrib/virt.fc b/policy/modules/contrib/virt.fc index b1f9b1c8..46839588 100644 --- a/policy/modules/contrib/virt.fc +++ b/policy/modules/contrib/virt.fc @@ -37,6 +37,7 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t /usr/sbin/libvirt-qmf -- gen_context(system_u:object_r:virt_qmf_exec_t,s0) /usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0) /usr/sbin/virtlockd-- gen_context(system_u:object_r:virtlockd_exec_t,s0) +/usr/sbin/virtlogd -- gen_context(system_u:object_r:virtlogd_exec_t,s0) /var/cache/libvirt(/.*)? gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh) diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te index fce37958..3d93fac4 100644 --- a/policy/modules/contrib/virt.te +++ b/policy/modules/contrib/virt.te @@ -208,12 +208,21 @@ files_pid_file(virtlockd_run_t) type virtlockd_var_lib_t; files_type(virtlockd_var_lib_t) +type virtlogd_t; +type virtlogd_exec_t; +init_daemon_domain(virtlogd_t, virtlogd_exec_t) + +type virtlogd_run_t; +files_pid_file(virtlogd_run_t) + ifdef(`enable_mcs',` init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - mcs_systemhigh) + init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mcs_systemhigh) ') ifdef(`enable_mls',` init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - mls_systemhigh) + init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mls_systemhigh) ') 
@@ -234,6 +243,9 @@ allow virt_domain virtd_t:fd use; allow virt_domain virtd_t:fifo_file rw_fifo_file_perms; allow virt_domain virtd_t:process sigchld; +allow virt_domain virtlogd_t:fd use; +allow virt_domain virtlogd_t:fifo_file rw_fifo_file_perms; + dontaudit virt_domain virtd_t:unix_stream_socket { read write }; manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t) @@ -472,6 +484,9 @@ dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh }; allow virtd_t { virt_domain svirt_lxc_domain }:unix_stream_socket { create_stream_socket_perms connectto }; allow virtd_t svirt_lxc_domain:process signal_perms; +allow virtd_t virtlogd_t:fd use; +allow virtd_t virtlogd_t:fifo_file rw_fifo_file_perms; + allow virtd_t virtd_lxc_t:process { signal signull sigkill }; domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t) @@ -558,6 +573,7 @@ filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t) +stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t) can_exec(virtd_t, virt_tmp_t) 
@@ -1319,3 +1335,29 @@ miscfiles_read_localization(virtlockd_t) virt_append_log(virtlockd_t) virt_read_config(virtlockd_t) + + +# +# Virtlogd local policy +# + +allow virtlogd_t self:fifo_file rw_fifo_file_perms; + +allow virtlogd_t virtd_t:dir list_dir_perms; +allow virtlogd_t virtd_t:file read_file_perms; +allow virtlogd_t virtd_t:lnk_file read_lnk_file_perms; + +manage_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t) +manage_sock_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t) +filetrans_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t, sock_file) +files_pid_filetrans(virtlogd_t, virtlogd_run_t, file) + +can_exec(virtlogd_t, virtlogd_exec_t) + +files_read_etc_files(virtlogd_t) +files_list_var_lib(virtlogd_t) + +miscfiles_read_localization(virtlogd_t) + +virt_manage_log(virtlogd_t) +virt_read_config(virtlogd_t)
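Review bot: The `# Virtlogd local policy` header says nothing about what the daemon does, yet these rules only make sense together with the fd-passing grants in the earlier hunks (`allow virt_domain virtlogd_t:fd use;` plus `fifo_file rw_fifo_file_perms`, and the same pair for virtd_t): virtlogd appears to own the guest log files and hand descriptors to libvirtd and the guests, which is why it alone gets `virt_manage_log` while the other domains only use its fds. Stating that in the header, e.g. `# virtlogd owns the guest log files and passes fds to virtd and virt_domain`, would make the cross-domain rules reviewable. The three `allow virtlogd_t virtd_t:…` rules are the same trio later substituted for ps_process_pattern on virtlockd_t further down the page; a comment on why virtlogd reads virtd_t's /proc entries would help in both places.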
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: c4d741a059de129238da9d8f669085cd216973c6 Author: Jason Zaman perfinion com> AuthorDate: Thu Mar 30 07:15:39 2017 + Commit: Jason Zaman gentoo org> CommitDate: Sun Sep 10 13:53:30 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c4d741a0 gssproxy: add policy borrowed and modified from Fedora policy/modules/contrib/gssproxy.fc | 8 ++ policy/modules/contrib/gssproxy.if | 199 + policy/modules/contrib/gssproxy.te | 67 + 3 files changed, 274 insertions(+) diff --git a/policy/modules/contrib/gssproxy.fc b/policy/modules/contrib/gssproxy.fc new file mode 100644 index ..a9970159 --- /dev/null +++ b/policy/modules/contrib/gssproxy.fc @@ -0,0 +1,8 @@ +/usr/lib/systemd/system/gssproxy.service -- gen_context(system_u:object_r:gssproxy_unit_t,s0) + +/usr/sbin/gssproxy -- gen_context(system_u:object_r:gssproxy_exec_t,s0) + +/var/lib/gssproxy(/.*)? gen_context(system_u:object_r:gssproxy_var_lib_t,s0) + +/run/gssproxy\.pid -- gen_context(system_u:object_r:gssproxy_run_t,s0) +/run/gssproxy\.sock-s gen_context(system_u:object_r:gssproxy_run_t,s0) diff --git a/policy/modules/contrib/gssproxy.if b/policy/modules/contrib/gssproxy.if new file mode 100644 index ..cebdb20b --- /dev/null +++ b/policy/modules/contrib/gssproxy.if 
@@ -0,0 +1,199 @@ + +## policy for gssproxy + + +## +## Execute gssproxy in the gssproxy domin. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`gssproxy_domtrans',` + gen_require(` + type gssproxy_t, gssproxy_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, gssproxy_exec_t, gssproxy_t) +') + + +## +## Search gssproxy lib directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`gssproxy_search_lib',` + gen_require(` + type gssproxy_var_lib_t; + ') + + allow $1 gssproxy_var_lib_t:dir search_dir_perms; + files_search_var_lib($1) +') + + +## +## Read gssproxy lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`gssproxy_read_lib_files',` + gen_require(` + type gssproxy_var_lib_t; + ') + + files_search_var_lib($1) + read_files_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t) +') + + +## +## Manage gssproxy lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`gssproxy_manage_lib_files',` + gen_require(` + type gssproxy_var_lib_t; + ') + + files_search_var_lib($1) + manage_files_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t) +') + + +## +## Manage gssproxy lib directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`gssproxy_manage_lib_dirs',` + gen_require(` + type gssproxy_var_lib_t; + ') + + files_search_var_lib($1) + manage_dirs_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t) +') + + +## +## Read gssproxy PID files. +## +## +## +## Domain allowed access. +## +## +# +interface(`gssproxy_read_pid_files',` + gen_require(` + type gssproxy_run_t; + ') + + files_search_pids($1) + read_files_pattern($1, gssproxy_run_t, gssproxy_run_t) +') + + +## +## Execute gssproxy server in the gssproxy domain. +## +## +## +## Domain allowed to transition. 
+## +## +# +interface(`gssproxy_systemctl',` + gen_require(` + type gssproxy_t; + type gssproxy_unit_t; + ') + + systemd_exec_systemctl($1) + init_reload_services($1) + allow $1 gssproxy_unit_t:file read_file_perms; + allow $1 gssproxy_unit_t:service manage_service_perms; + + ps_process_pattern($1, gssproxy_t) +') + + +## +## Connect to gssproxy over an unix +## domain stream socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`gssproxy_stream_connect',` + gen_require(` + type gssproxy_t, gssproxy_run_t, gssproxy_var_lib_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, gssproxy_run_t, gssproxy_run_t, gssproxy_t) + stream_connect_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t, gssproxy_t) +') + + +## +## All of the rules required to administrate +## an gssproxy env
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: 97f88106f6933c0c77204b1fefcda8885d5fa516 Author: Jason Zaman perfinion com> AuthorDate: Wed Aug 31 15:03:49 2016 + Commit: Jason Zaman gentoo org> CommitDate: Sun Sep 10 13:53:30 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=97f88106 WIP virt: image type perms policy/modules/contrib/virt.te | 7 +++ 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te index 0a770ea1..e06d912f 100644 --- a/policy/modules/contrib/virt.te +++ b/policy/modules/contrib/virt.te @@ -468,7 +468,7 @@ tunable_policy(`virt_use_vfio',` # allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setgid setpcap setuid sys_admin sys_nice }; -allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched }; +allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setrlimit setsockcreate setsched }; allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto }; allow virtd_t self:unix_stream_socket { accept connectto listen relabelfrom relabelto }; allow virtd_t self:tcp_socket { accept listen }; @@ -530,9 +530,9 @@ manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type) manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type) allow virtd_t virt_image_type:file relabel_file_perms; +allow virtd_t virt_image_type:dir { manage_dir_perms relabel_dir_perms }; allow virtd_t virt_image_type:blk_file relabel_blk_file_perms; allow virtd_t virt_image_type:chr_file relabel_chr_file_perms; -allow virtd_t virt_image_type:chr_file relabel_chr_file_perms; allow virtd_t virt_ptynode:chr_file rw_term_perms; 
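Review bot: The unconditional `setrlimit` added to `allow virtd_t self:process { … }` is an unexplained widening: the -714 hunk that follows removes the same permission from the `virt_use_vfio` tunable block, so libvirtd may now raise its own limits regardless of the tunable, and a "WIP" message does not say why. If that is intended, a comment such as `# setrlimit needed outside virt_use_vfio as well (see <placeholder: denial>)` keeps it deliberate. The removal of the duplicated `chr_file relabel_chr_file_perms` line in the -530 hunk is a correct cleanup; whether `manage_dir_perms` there overlaps an existing manage_dirs_pattern on virt_image_type cannot be seen from the hunk.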
@@ -572,7 +572,7 @@ manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) -stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) +stream_connect_pattern(virtd_t, { virt_image_type svirt_var_run_t }, { virt_image_type svirt_var_run_t}, virt_domain) stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t) stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t) @@ -714,7 +714,6 @@ tunable_policy(`virt_use_samba',` tunable_policy(`virt_use_vfio',` allow virtd_t self:capability sys_resource; - allow virtd_t self:process setrlimit; allow virtd_t svirt_t:process rlimitinh; dev_relabelfrom_vfio_dev(virtd_t) ')
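Review bot: `stream_connect_pattern(virtd_t, { virt_image_type svirt_var_run_t }, { virt_image_type svirt_var_run_t}, virt_domain)` now lets libvirtd connect to virt_domain sockets under any type carrying the virt_image_type attribute, not just the per-domain run directory the old line covered; because the attribute spans every image type, that is a wider grant than the commit message accounts for. A comment naming the socket that lives next to images, `# <placeholder: which socket under virt_image_type and why>`, or a narrower type would be preferable, and the missing space in `svirt_var_run_t}` breaks the style of the surrounding sets. The virtd_t block continues outside the hunk.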
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: fc9b00c559fa5e62f2063b2614932a274e4a103a Author: Jason Zaman perfinion com> AuthorDate: Fri May 27 20:44:51 2016 + Commit: Jason Zaman gentoo org> CommitDate: Sun Sep 10 13:53:30 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=fc9b00c5 virt: virtlockd doesnt need ps_process_pattern policy/modules/contrib/virt.te | 6 -- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te index 3d93fac4..e27d24a6 100644 --- a/policy/modules/contrib/virt.te +++ b/policy/modules/contrib/virt.te @@ -1308,6 +1308,10 @@ kernel_dontaudit_read_system_state(virt_leaseshelper_t) allow virtlockd_t self:capability dac_override; allow virtlockd_t self:fifo_file rw_fifo_file_perms; +allow virtlockd_t virtd_t:dir list_dir_perms; +allow virtlockd_t virtd_t:file read_file_perms; +allow virtlockd_t virtd_t:lnk_file read_lnk_file_perms; + allow virtlockd_t virt_image_type:dir list_dir_perms; allow virtlockd_t virt_image_type:file rw_file_perms; @@ -1326,8 +1330,6 @@ files_pid_filetrans(virtlockd_t, virtlockd_run_t, file) can_exec(virtlockd_t, virtlockd_exec_t) -ps_process_pattern(virtlockd_t, virtd_t) - files_read_etc_files(virtlockd_t) files_list_var_lib(virtlockd_t)
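Review bot: The replacement keeps three of the rules that `ps_process_pattern` expands to (dir list, file read and lnk_file read on virtd_t) and drops only its process-class access, so the message "doesnt need ps_process_pattern" overstates the change; a comment above the trio, e.g. `# virtlockd reads /proc/<libvirtd pid>/ but needs no process-class access`, would record what was actually intended. The same hunk is committed again further down the page (commit 7e6eaa2e, identical content); no separate note there.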
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: fde0a68cdd425a6496b4223667d75e9b1f4783f8 Author: Jason Zaman perfinion com> AuthorDate: Sun May 7 13:43:31 2017 + Commit: Jason Zaman gentoo org> CommitDate: Sun Sep 10 13:53:30 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=fde0a68c dirmngr: Network rules to connect to keyserver type=AVC msg=audit(1494163667.921:24917): avc: denied { name_bind } for pid=15683 comm=636F6E6E2066643D36 src=19321 scontext=staff_u:staff_r:dirmngr_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=0 policy/modules/contrib/dirmngr.te | 6 ++ 1 file changed, 6 insertions(+) diff --git a/policy/modules/contrib/dirmngr.te b/policy/modules/contrib/dirmngr.te index 8f4cb991..fb8a7e50 100644 --- a/policy/modules/contrib/dirmngr.te +++ b/policy/modules/contrib/dirmngr.te @@ -63,6 +63,12 @@ manage_sock_files_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t) files_pid_filetrans(dirmngr_t, dirmngr_var_run_t, { dir file }) kernel_read_crypto_sysctls(dirmngr_t) +dev_read_rand(dirmngr_t) +sysnet_dns_name_resolve(dirmngr_t) + +corenet_tcp_connect_pgpkeyserver_port(dirmngr_t) +corenet_udp_bind_generic_node(dirmngr_t) +corenet_udp_bind_all_unreserved_ports(dirmngr_t) dev_read_rand(dirmngr_t)
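Review bot: The added `+dev_read_rand(dirmngr_t)` duplicates the existing `dev_read_rand(dirmngr_t)` that appears as trailing context at the end of the hunk, so the call is now made twice; drop the new one. Separately, `corenet_udp_bind_all_unreserved_ports(dirmngr_t)` is the widest way to satisfy the quoted name_bind denial (src=19321 on unreserved_port_t, which looks like a resolver binding an ephemeral UDP port): if `sysnet_dns_name_resolve` together with `corenet_udp_bind_generic_node` already covers it on this tree the blanket bind should go, otherwise a comment such as `# dirmngr's built-in resolver binds ephemeral UDP ports` should mark it as intentional. The dirmngr_t rule block continues outside the hunk.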
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: 6c7a09fcabc376f277efceecd68dfbf58f33a510 Author: Jason Zaman perfinion com> AuthorDate: Sun Sep 10 12:56:26 2017 + Commit: Jason Zaman gentoo org> CommitDate: Sun Sep 10 12:56:26 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6c7a09fc pulseaudio: add map perms policy/modules/contrib/pulseaudio.if | 2 +- policy/modules/contrib/pulseaudio.te | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/policy/modules/contrib/pulseaudio.if b/policy/modules/contrib/pulseaudio.if index 921e519c..3073fd4a 100644 --- a/policy/modules/contrib/pulseaudio.if +++ b/policy/modules/contrib/pulseaudio.if @@ -33,7 +33,7 @@ interface(`pulseaudio_role',` allow $2 pulseaudio_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:dir { manage_dir_perms relabel_dir_perms }; - allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:file { manage_file_perms relabel_file_perms }; + allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:file { manage_file_perms relabel_file_perms map }; allow $2 pulseaudio_tmp_t:dir { manage_dir_perms relabel_dir_perms }; allow $2 pulseaudio_tmp_t:file { manage_file_perms relabel_file_perms }; diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te index b4154208..9202f23f 100644 --- a/policy/modules/contrib/pulseaudio.te +++ b/policy/modules/contrib/pulseaudio.te @@ -138,6 +138,7 @@ logging_send_syslog_msg(pulseaudio_t) miscfiles_read_localization(pulseaudio_t) userdom_read_user_tmpfs_files(pulseaudio_t) +userdom_map_user_tmpfs_files(pulseaudio_t) userdom_delete_user_tmpfs_files(pulseaudio_t) userdom_search_user_home_dirs(pulseaudio_t) userdom_search_user_home_content(pulseaudio_t)
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: 9f5bef71012d46627f45471c31aaf2928447359f Author: Jason Zaman perfinion com> AuthorDate: Sun Sep 10 13:20:05 2017 + Commit: Jason Zaman gentoo org> CommitDate: Sun Sep 10 13:20:05 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9f5bef71 cgmanager: use nsswitch cgmanager looks up usernames. the nsswitch interface will allow file map for /etc/passwd. policy/modules/contrib/cgmanager.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/policy/modules/contrib/cgmanager.te b/policy/modules/contrib/cgmanager.te index c3cc5217..2674193f 100644 --- a/policy/modules/contrib/cgmanager.te +++ b/policy/modules/contrib/cgmanager.te @@ -40,6 +40,8 @@ allow cgmanager_t cgmanager_run_t:dir mounton; kernel_domtrans_to(cgmanager_t, cgmanager_exec_t) kernel_read_system_state(cgmanager_t) +auth_use_nsswitch(cgmanager_t) + corecmd_exec_bin(cgmanager_t) domain_read_all_domains_state(cgmanager_t)
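Review bot: `auth_use_nsswitch(cgmanager_t)` is inserted between kernel-layer calls (`kernel_read_system_state` above, `corecmd_exec_bin` and `domain_read_all_domains_state` below), whereas refpolicy orders interface calls by layer — kernel-layer modules first, then system-layer ones such as auth_ — so the line belongs after the kernel/corecmd/domain calls. The interface also grants considerably more than a file map on /etc/passwd (general name-service client access, including the optional name-service daemon connections it wraps on upstream refpolicy), so if that width is acceptable a comment restating the commit message, `# username lookups via nss (needs map on /etc/passwd)`, would make it deliberate. The cgmanager_t rule block continues outside the hunk.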
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: a248b34332e48cff32b36b60714c3658ea96d1c6 Author: Jason Zaman perfinion com> AuthorDate: Sun Sep 10 12:55:51 2017 + Commit: Jason Zaman gentoo org> CommitDate: Sun Sep 10 12:55:51 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a248b343 resolvconf: allow reading localization policy/modules/contrib/resolvconf.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/policy/modules/contrib/resolvconf.te b/policy/modules/contrib/resolvconf.te index b8c8e7e8..58bb165d 100644 --- a/policy/modules/contrib/resolvconf.te +++ b/policy/modules/contrib/resolvconf.te @@ -31,6 +31,8 @@ corecmd_exec_shell(resolvconf_t) files_pid_filetrans(resolvconf_t, resolvconf_var_run_t, { dir file }) files_read_etc_files(resolvconf_t) +miscfiles_read_localization(resolvconf_t) + sysnet_manage_config(resolvconf_t) optional_policy(`
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: 7e6eaa2e942d4ea5924fceabf404167b80f93a50 Author: Jason Zaman perfinion com> AuthorDate: Fri May 27 20:44:51 2016 + Commit: Jason Zaman gentoo org> CommitDate: Thu May 25 17:03:59 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7e6eaa2e virt: virtlockd doesnt need ps_process_pattern policy/modules/contrib/virt.te | 6 -- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te index 63fef29b..b80abb97 100644 --- a/policy/modules/contrib/virt.te +++ b/policy/modules/contrib/virt.te @@ -1308,6 +1308,10 @@ kernel_dontaudit_read_system_state(virt_leaseshelper_t) allow virtlockd_t self:capability dac_override; allow virtlockd_t self:fifo_file rw_fifo_file_perms; +allow virtlockd_t virtd_t:dir list_dir_perms; +allow virtlockd_t virtd_t:file read_file_perms; +allow virtlockd_t virtd_t:lnk_file read_lnk_file_perms; + allow virtlockd_t virt_image_type:dir list_dir_perms; allow virtlockd_t virt_image_type:file rw_file_perms; @@ -1326,8 +1330,6 @@ files_pid_filetrans(virtlockd_t, virtlockd_run_t, file) can_exec(virtlockd_t, virtlockd_exec_t) -ps_process_pattern(virtlockd_t, virtd_t) - files_read_etc_files(virtlockd_t) files_list_var_lib(virtlockd_t)
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: 4a876f4221ab4a0ac55a44712e6afe962bbc278d Author: Jason Zaman perfinion com> AuthorDate: Thu Mar 30 07:15:39 2017 + Commit: Jason Zaman gentoo org> CommitDate: Thu May 25 17:03:59 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4a876f42 gssproxy: add policy borrowed and modified from Fedora policy/modules/contrib/gssproxy.fc | 8 ++ policy/modules/contrib/gssproxy.if | 199 + policy/modules/contrib/gssproxy.te | 67 + 3 files changed, 274 insertions(+) diff --git a/policy/modules/contrib/gssproxy.fc b/policy/modules/contrib/gssproxy.fc new file mode 100644 index ..a9970159 --- /dev/null +++ b/policy/modules/contrib/gssproxy.fc @@ -0,0 +1,8 @@ +/usr/lib/systemd/system/gssproxy.service -- gen_context(system_u:object_r:gssproxy_unit_t,s0) + +/usr/sbin/gssproxy -- gen_context(system_u:object_r:gssproxy_exec_t,s0) + +/var/lib/gssproxy(/.*)? gen_context(system_u:object_r:gssproxy_var_lib_t,s0) + +/run/gssproxy\.pid -- gen_context(system_u:object_r:gssproxy_run_t,s0) +/run/gssproxy\.sock-s gen_context(system_u:object_r:gssproxy_run_t,s0) diff --git a/policy/modules/contrib/gssproxy.if b/policy/modules/contrib/gssproxy.if new file mode 100644 index ..cebdb20b --- /dev/null +++ b/policy/modules/contrib/gssproxy.if 
@@ -0,0 +1,199 @@ + +## policy for gssproxy + + +## +## Execute gssproxy in the gssproxy domin. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`gssproxy_domtrans',` + gen_require(` + type gssproxy_t, gssproxy_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, gssproxy_exec_t, gssproxy_t) +') + + +## +## Search gssproxy lib directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`gssproxy_search_lib',` + gen_require(` + type gssproxy_var_lib_t; + ') + + allow $1 gssproxy_var_lib_t:dir search_dir_perms; + files_search_var_lib($1) +') + + +## +## Read gssproxy lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`gssproxy_read_lib_files',` + gen_require(` + type gssproxy_var_lib_t; + ') + + files_search_var_lib($1) + read_files_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t) +') + + +## +## Manage gssproxy lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`gssproxy_manage_lib_files',` + gen_require(` + type gssproxy_var_lib_t; + ') + + files_search_var_lib($1) + manage_files_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t) +') + + +## +## Manage gssproxy lib directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`gssproxy_manage_lib_dirs',` + gen_require(` + type gssproxy_var_lib_t; + ') + + files_search_var_lib($1) + manage_dirs_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t) +') + + +## +## Read gssproxy PID files. +## +## +## +## Domain allowed access. +## +## +# +interface(`gssproxy_read_pid_files',` + gen_require(` + type gssproxy_run_t; + ') + + files_search_pids($1) + read_files_pattern($1, gssproxy_run_t, gssproxy_run_t) +') + + +## +## Execute gssproxy server in the gssproxy domain. +## +## +## +## Domain allowed to transition. 
+## +## +# +interface(`gssproxy_systemctl',` + gen_require(` + type gssproxy_t; + type gssproxy_unit_t; + ') + + systemd_exec_systemctl($1) + init_reload_services($1) + allow $1 gssproxy_unit_t:file read_file_perms; + allow $1 gssproxy_unit_t:service manage_service_perms; + + ps_process_pattern($1, gssproxy_t) +') + + +## +## Connect to gssproxy over an unix +## domain stream socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`gssproxy_stream_connect',` + gen_require(` + type gssproxy_t, gssproxy_run_t, gssproxy_var_lib_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, gssproxy_run_t, gssproxy_run_t, gssproxy_t) + stream_connect_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t, gssproxy_t) +') + + +## +## All of the rules required to administrate +## an gssproxy env
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: 91bc9686ff5065f7cdcce4ec14ac9d6dd89b769d Author: Jason Zaman perfinion com> AuthorDate: Sun May 7 13:42:53 2017 + Commit: Jason Zaman gentoo org> CommitDate: Thu May 25 17:03:59 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=91bc9686 dirmngr: fcontext for ~/.gnupg/crls.d/ policy/modules/contrib/dirmngr.fc | 2 ++ policy/modules/contrib/dirmngr.te | 7 +++ policy/modules/contrib/gpg.if | 20 3 files changed, 29 insertions(+) diff --git a/policy/modules/contrib/dirmngr.fc b/policy/modules/contrib/dirmngr.fc index a9cf15a8..60f19f47 100644 --- a/policy/modules/contrib/dirmngr.fc +++ b/policy/modules/contrib/dirmngr.fc @@ -1,3 +1,5 @@ +HOME_DIR/\.gnupg/crls\.d(/.+)? gen_context(system_u:object_r:dirmngr_home_t,s0) + /etc/dirmngr(/.*)? gen_context(system_u:object_r:dirmngr_conf_t,s0) /etc/rc\.d/init\.d/dirmngr -- gen_context(system_u:object_r:dirmngr_initrc_exec_t,s0) diff --git a/policy/modules/contrib/dirmngr.te b/policy/modules/contrib/dirmngr.te index 8e4a1a89..17cce56a 100644 --- a/policy/modules/contrib/dirmngr.te +++ b/policy/modules/contrib/dirmngr.te @@ -27,6 +27,9 @@ files_type(dirmngr_var_lib_t) type dirmngr_var_run_t; files_pid_file(dirmngr_var_run_t) +type dirmngr_home_t; +userdom_user_home_content(dirmngr_home_t) + # # Local policy @@ -37,6 +40,8 @@ allow dirmngr_t self:fifo_file rw_file_perms; allow dirmngr_t dirmngr_conf_t:dir list_dir_perms; allow dirmngr_t dirmngr_conf_t:file read_file_perms; allow dirmngr_t dirmngr_conf_t:lnk_file read_lnk_file_perms; +allow dirmngr_t dirmngr_home_t:dir list_dir_perms; +allow dirmngr_t dirmngr_home_t:file read_file_perms; manage_dirs_pattern(dirmngr_t, dirmngr_log_t, dirmngr_log_t) append_files_pattern(dirmngr_t, dirmngr_log_t, dirmngr_log_t) 
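Review bot: `HOME_DIR/\.gnupg/crls\.d(/.+)?` uses `(/.+)?` where the rest of this file, e.g. `/etc/dirmngr(/.*)?` on the next context line, uses `(/.*)?`; the two match the same real paths, so `(/.*)?` is preferable for consistency with the surrounding specs.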
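Review bot: dirmngr_t is granted only `dir list_dir_perms` and `file read_file_perms` on the new dirmngr_home_t, yet the later hunk of this commit adds `gpg_secret_filetrans(dirmngr_t, dirmngr_home_t, dir)`, whose type_transition only fires when dirmngr_t itself creates the crls.d directory, which these rules do not permit (no `create` on dirmngr_home_t:dir, no write on its files). Unless creation rights come from a part of dirmngr.te outside this hunk, either the transition is dead or, if dirmngr is expected to write CRL cache files there, the rules should be `manage_dirs_pattern`/`manage_files_pattern` on dirmngr_home_t. A one-line comment above the two allow rules stating the intended access, e.g. `# ~/.gnupg/crls.d: CRL cache -- TODO confirm whether dirmngr only reads or also writes it`, would settle which one is meant.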
@@ -61,6 +66,7 @@ kernel_read_crypto_sysctls(dirmngr_t) files_read_etc_files(dirmngr_t) miscfiles_read_localization(dirmngr_t) +miscfiles_read_generic_certs(dirmngr_t) userdom_search_user_home_dirs(dirmngr_t) userdom_search_user_runtime(dirmngr_t) @@ -68,4 +74,5 @@ userdom_user_runtime_filetrans(dirmngr_t, dirmngr_tmp_t, dir) optional_policy(` gpg_agent_tmp_filetrans(dirmngr_t, dirmngr_tmp_t, sock_file) + gpg_secret_filetrans(dirmngr_t, dirmngr_home_t, dir) ') diff --git a/policy/modules/contrib/gpg.if b/policy/modules/contrib/gpg.if index 4480f9c6..e5a12750 100644 --- a/policy/modules/contrib/gpg.if +++ b/policy/modules/contrib/gpg.if @@ -254,6 +254,26 @@ interface(`gpg_agent_tmp_filetrans',` ## +## filetrans in gpg_secret_t dirs +## +## +## +## Domain allowed access. +## +## +# +interface(`gpg_secret_filetrans',` + gen_require(` + type gpg_secret_t; + ') + + filetrans_pattern($1, gpg_secret_t, $2, $3, $4) + allow $1 gpg_secret_t:dir search_dir_perms; + userdom_search_user_home_dirs($1) +') + + +## ## Send messages to and from gpg ## pinentry over DBUS. ##
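Review bot: gpg_secret_filetrans documents a single `Domain allowed access` parameter, but its body passes `$2`, `$3` and `$4` on to filetrans_pattern (the new type, the object class, and the optional file name); the XML header should document all four parameters in order, as the other filetrans interfaces in refpolicy do, otherwise callers such as the dirmngr.te hunk above cannot be checked against it. The summary `filetrans in gpg_secret_t dirs` would also read better as `Create objects in gpg_secret_t directories with an automatic type transition.`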
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: c85529b2e1cd810f266ac3faad133210cc8787e7 Author: Jason Zaman perfinion com> AuthorDate: Sun May 7 13:43:31 2017 + Commit: Jason Zaman gentoo org> CommitDate: Thu May 25 17:03:59 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c85529b2 dirmngr: Network rules to connect to keyserver type=AVC msg=audit(1494163667.921:24917): avc: denied { name_bind } for pid=15683 comm=636F6E6E2066643D36 src=19321 scontext=staff_u:staff_r:dirmngr_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=0 policy/modules/contrib/dirmngr.te | 6 ++ 1 file changed, 6 insertions(+) diff --git a/policy/modules/contrib/dirmngr.te b/policy/modules/contrib/dirmngr.te index 17cce56a..b64fc610 100644 --- a/policy/modules/contrib/dirmngr.te +++ b/policy/modules/contrib/dirmngr.te @@ -62,6 +62,12 @@ manage_sock_files_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t) files_pid_filetrans(dirmngr_t, dirmngr_var_run_t, { dir file }) kernel_read_crypto_sysctls(dirmngr_t) +dev_read_rand(dirmngr_t) +sysnet_dns_name_resolve(dirmngr_t) + +corenet_tcp_connect_pgpkeyserver_port(dirmngr_t) +corenet_udp_bind_generic_node(dirmngr_t) +corenet_udp_bind_all_unreserved_ports(dirmngr_t) files_read_etc_files(dirmngr_t)
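Review bot: `corenet_udp_bind_all_unreserved_ports(dirmngr_t)` satisfies the quoted AVC (`name_bind` on `unreserved_port_t` for a udp_socket), but nothing in the hunk records that the bind comes from name resolution — `comm=636F6E6E2066643D36` decodes to `conn fd=6`, which looks like a dirmngr connection thread — so the next reader will wonder why a CRL/keyserver client needs to bind every unreserved UDP port. A comment on that line, e.g. `# resolver binds an ephemeral UDP source port (AVC: name_bind unreserved_port_t)`, keeps the breadth of the rule visible. Only the HKP port is opened via `corenet_tcp_connect_pgpkeyserver_port`; if hkps/https keyservers or LDAP CRL sources are also expected, those will surface as further denials, so a comment stating which transports are intentionally in scope would help.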
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: d629bd240173172035ad48db7586e6a163bb8e4b Author: Jason Zaman perfinion com> AuthorDate: Thu Mar 30 04:58:28 2017 + Commit: Jason Zaman gentoo org> CommitDate: Thu May 25 17:03:59 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d629bd24 dirmngr: add to roles and allow gpg to domtrans policy/modules/contrib/dirmngr.if | 69 +++ policy/modules/contrib/gpg.te | 4 +++ 2 files changed, 73 insertions(+) diff --git a/policy/modules/contrib/dirmngr.if b/policy/modules/contrib/dirmngr.if index 4cd2810e..2f6875a6 100644 --- a/policy/modules/contrib/dirmngr.if +++ b/policy/modules/contrib/dirmngr.if @@ -1,5 +1,74 @@ ## Server for managing and downloading certificate revocation lists. + +## +## Role access for dirmngr. +## +## +## +## Role allowed access. +## +## +## +## +## User domain for the role. +## +## +# +interface(`dirmngr_role',` + gen_require(` + type dirmngr_t, dirmngr_exec_t; + ') + + role $1 types dirmngr_t; + + domtrans_pattern($2, dirmngr_exec_t, dirmngr_t) + + allow $2 dirmngr_t:process { ptrace signal_perms }; + ps_process_pattern($2, dirmngr_t) + + allow dirmngr_t $2:fd use; + allow dirmngr_t $2:fifo_file { read write }; +') + + +## +## Execute dirmngr in the dirmngr domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`dirmngr_domtrans',` + gen_require(` + type dirmngr_t, dirmngr_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, dirmngr_exec_t, dirmngr_t) +') + + +## +## Execute the dirmngr in the caller domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`dirmngr_exec',` + gen_require(` + type dirmngr_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, dirmngr_exec_t) +') + ## ## All of the rules required to diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te index c145fb4c..1b8448c7 100644 --- a/policy/modules/contrib/gpg.te +++ b/policy/modules/contrib/gpg.te 
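Review bot: `allow dirmngr_t $2:fifo_file { read write };` in dirmngr_role spells out raw permissions where the other new interfaces in this series use the `rw_fifo_file_perms` macro (consolekit_use_inhibit_lock, the virtlogd rules); the macro additionally covers getattr/open/ioctl, so choose it if dirmngr may open the user's pipes rather than only use inherited ones, and state the choice either way. The `ptrace` grant to the user domain matches the shape of other refpolicy role interfaces, but on a hardened policy a comment such as `# ptrace: debugging only` on that line would make the intent explicit. The same hunk reappears below in commit 301b59bf, the pre-rebase copy of this change.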
@@ -139,6 +139,10 @@ tunable_policy(`use_samba_home_dirs',` ') optional_policy(` + dirmngr_domtrans(gpg_t) +') + +optional_policy(` evolution_read_orbit_tmp_files(gpg_t) ')
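Review bot: `dirmngr_domtrans(gpg_t)` sets up the type transition, but the transition is only valid for a role that also has `role … types dirmngr_t`, which this series grants solely through dirmngr_role (the `role $1 types dirmngr_t;` line in the dirmngr.if hunk above). Roles that call gpg_role without dirmngr_role will get a role denial instead of a working dirmngr; a comment such as `# transition only succeeds for roles that also call dirmngr_role()` would make the coupling explicit. The same hunk appears again below in commit 301b59bf; this note applies there as well.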
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: 4c92736636a7012c7d831dfdd6acc0d9be2afd2b Author: Jason Zaman perfinion com> AuthorDate: Thu Aug 11 05:49:02 2016 + Commit: Jason Zaman gentoo org> CommitDate: Thu May 25 17:03:59 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4c927366 virt: need to relabel to set categories libvirtError: unable to set security context 'system_u:object_r:svirt_image_t:s0:c50,c346' on '/var/lib/libvirt/qemu/domain-1-zfstest': Permission denied policy/modules/contrib/virt.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te index b80abb97..b30765c8 100644 --- a/policy/modules/contrib/virt.te +++ b/policy/modules/contrib/virt.te @@ -501,6 +501,7 @@ filetrans_pattern(virtd_t, virt_home_t, virt_content_t, dir, "isos") allow virtd_t virtd_keytab_t:file read_file_perms; allow virtd_t svirt_var_run_t:file relabel_file_perms; +allow virtd_t svirt_var_run_t:dir relabel_dir_perms; manage_dirs_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t) manage_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t) manage_sock_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: 3a654acf88973e1295e05bf253e9ec787b19cf23 Author: Jason Zaman perfinion com> AuthorDate: Wed Aug 31 15:03:49 2016 + Commit: Jason Zaman gentoo org> CommitDate: Thu May 25 17:03:59 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3a654acf WIP virt: image type perms policy/modules/contrib/virt.te | 7 +++ 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te index fb3c3f37..6ccafff3 100644 --- a/policy/modules/contrib/virt.te +++ b/policy/modules/contrib/virt.te @@ -468,7 +468,7 @@ tunable_policy(`virt_use_vfio',` # allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setgid setpcap setuid sys_admin sys_nice }; -allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched }; +allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setrlimit setsockcreate setsched }; allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto }; allow virtd_t self:unix_stream_socket { accept connectto listen relabelfrom relabelto }; allow virtd_t self:tcp_socket { accept listen }; @@ -530,9 +530,9 @@ manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type) manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type) allow virtd_t virt_image_type:file relabel_file_perms; +allow virtd_t virt_image_type:dir { manage_dir_perms relabel_dir_perms }; allow virtd_t virt_image_type:blk_file relabel_blk_file_perms; allow virtd_t virt_image_type:chr_file relabel_chr_file_perms; -allow virtd_t virt_image_type:chr_file relabel_chr_file_perms; allow virtd_t virt_ptynode:chr_file rw_term_perms; 
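Review bot: `setrlimit` moves from the `virt_use_vfio` tunable block (removed in the `@@ -714` hunk on the following line) into the unconditional `self:process` rule, so every libvirtd now has it regardless of the tunable, and the commit is marked WIP with no reason given. If libvirtd needs setrlimit outside the VFIO case, say so in a comment on the line, e.g. `# setrlimit: needed outside virt_use_vfio -- TODO document why`; otherwise keep it under the tunable. Dropping the duplicated `virt_image_type:chr_file relabel_chr_file_perms` line in the second hunk is a clean fix.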
@@ -572,7 +572,7 @@ manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) -stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) +stream_connect_pattern(virtd_t, { virt_image_type svirt_var_run_t }, { virt_image_type svirt_var_run_t}, virt_domain) stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t) stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t) @@ -714,7 +714,6 @@ tunable_policy(`virt_use_samba',` tunable_policy(`virt_use_vfio',` allow virtd_t self:capability sys_resource; - allow virtd_t self:process setrlimit; allow virtd_t svirt_t:process rlimitinh; dev_relabelfrom_vfio_dev(virtd_t) ')
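Review bot: `{ virt_image_type svirt_var_run_t}` in the new stream_connect_pattern line is missing the space before the closing brace that the first set has; refpolicy style is `{ a b }`. More substantively, the widened pattern lets virtd_t connect to virt_domain sockets placed under any virt_image_type directory, a broader surface than svirt_var_run_t alone; a comment saying which socket is expected to live next to an image (presumably a per-VM socket created in the image directory — confirm) would justify the widening.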
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: 023ca1139b4798c5cb5988ece143221988517236 Author: Jason Zaman perfinion com> AuthorDate: Wed May 10 09:31:23 2017 + Commit: Jason Zaman gentoo org> CommitDate: Thu May 25 17:03:59 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=023ca113 networkmanager: use consolekit inhibit locks policy/modules/contrib/networkmanager.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te index dee77c73..4190eaae 100644 --- a/policy/modules/contrib/networkmanager.te +++ b/policy/modules/contrib/networkmanager.te @@ -228,6 +228,7 @@ optional_policy(` optional_policy(` consolekit_dbus_chat(NetworkManager_t) + consolekit_use_inhibit_lock(NetworkManager_t) ') optional_policy(`
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: 7bee6518835d0d0c4a6ab9041f9cfeef363813e2 Author: Jason Zaman perfinion com> AuthorDate: Thu May 12 16:49:07 2016 + Commit: Jason Zaman gentoo org> CommitDate: Thu May 25 17:03:59 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7bee6518 virt: add policy for virtlogd policy/modules/contrib/virt.fc | 1 + policy/modules/contrib/virt.te | 42 ++ 2 files changed, 43 insertions(+) diff --git a/policy/modules/contrib/virt.fc b/policy/modules/contrib/virt.fc index b1f9b1c8..46839588 100644 --- a/policy/modules/contrib/virt.fc +++ b/policy/modules/contrib/virt.fc @@ -37,6 +37,7 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t /usr/sbin/libvirt-qmf -- gen_context(system_u:object_r:virt_qmf_exec_t,s0) /usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0) /usr/sbin/virtlockd-- gen_context(system_u:object_r:virtlockd_exec_t,s0) +/usr/sbin/virtlogd -- gen_context(system_u:object_r:virtlogd_exec_t,s0) /var/cache/libvirt(/.*)? gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh) diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te index 4fb34894..63fef29b 100644 --- a/policy/modules/contrib/virt.te +++ b/policy/modules/contrib/virt.te @@ -208,12 +208,21 @@ files_pid_file(virtlockd_run_t) type virtlockd_var_lib_t; files_type(virtlockd_var_lib_t) +type virtlogd_t; +type virtlogd_exec_t; +init_daemon_domain(virtlogd_t, virtlogd_exec_t) + +type virtlogd_run_t; +files_pid_file(virtlogd_run_t) + ifdef(`enable_mcs',` init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - mcs_systemhigh) + init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mcs_systemhigh) ') ifdef(`enable_mls',` init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - mls_systemhigh) + init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mls_systemhigh) ') 
@@ -234,6 +243,9 @@ allow virt_domain virtd_t:fd use; allow virt_domain virtd_t:fifo_file rw_fifo_file_perms; allow virt_domain virtd_t:process sigchld; +allow virt_domain virtlogd_t:fd use; +allow virt_domain virtlogd_t:fifo_file rw_fifo_file_perms; + dontaudit virt_domain virtd_t:unix_stream_socket { read write }; manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t) @@ -472,6 +484,9 @@ dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh }; allow virtd_t { virt_domain svirt_lxc_domain }:unix_stream_socket { create_stream_socket_perms connectto }; allow virtd_t svirt_lxc_domain:process signal_perms; +allow virtd_t virtlogd_t:fd use; +allow virtd_t virtlogd_t:fifo_file rw_fifo_file_perms; + allow virtd_t virtd_lxc_t:process { signal signull sigkill }; domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t) @@ -558,6 +573,7 @@ filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t) +stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t) can_exec(virtd_t, virt_tmp_t) 
@@ -1319,3 +1335,29 @@ miscfiles_read_localization(virtlockd_t) virt_append_log(virtlockd_t) virt_read_config(virtlockd_t) + + +# +# Virtlogd local policy +# + +allow virtlogd_t self:fifo_file rw_fifo_file_perms; + +allow virtlogd_t virtd_t:dir list_dir_perms; +allow virtlogd_t virtd_t:file read_file_perms; +allow virtlogd_t virtd_t:lnk_file read_lnk_file_perms; + +manage_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t) +manage_sock_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t) +filetrans_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t, sock_file) +files_pid_filetrans(virtlogd_t, virtlogd_run_t, file) + +can_exec(virtlogd_t, virtlogd_exec_t) + +files_read_etc_files(virtlogd_t) +files_list_var_lib(virtlogd_t) + +miscfiles_read_localization(virtlogd_t) + +virt_manage_log(virtlogd_t) +virt_read_config(virtlogd_t)
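Review bot: The `virtlogd_t virtd_t:{dir,file,lnk_file}` read rules (libvirtd's /proc/<pid> entries) carry no comment explaining why a log daemon reads another daemon's process entries; mirroring the virtlockd block is not self-explanatory. Suggest `# read /proc/<libvirtd pid>/ entries -- TODO confirm which file virtlogd needs` above them. Clients get only `fd use` and `fifo_file rw_fifo_file_perms` on virtlogd_t in the `@@ -234` hunk, which appears consistent with libvirtd handing the log pipes to the guest rather than the guest connecting to the socket itself; a one-line comment at those virt_domain rules stating that model would help the next reader.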
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: 741fe2c6d5f0925daf2c18f635c9a928bfcd5bc8 Author: Jason Zaman perfinion com> AuthorDate: Wed May 10 09:31:08 2017 + Commit: Jason Zaman gentoo org> CommitDate: Thu May 25 17:03:59 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=741fe2c6 dbus: use consolekit inhibit locks policy/modules/contrib/dbus.te | 4 1 file changed, 4 insertions(+) diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te index ca39fb6b..be216326 100644 --- a/policy/modules/contrib/dbus.te +++ b/policy/modules/contrib/dbus.te @@ -167,6 +167,10 @@ optional_policy(` ') optional_policy(` + consolekit_use_inhibit_lock(system_dbusd_t) +') + +optional_policy(` policykit_read_lib(system_dbusd_t) ')
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: a337f867d9be283b99af8ca7714f110918da5551 Author: Jason Zaman perfinion com> AuthorDate: Wed May 10 09:09:34 2017 + Commit: Jason Zaman gentoo org> CommitDate: Thu May 25 17:03:59 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a337f867 consolekit: allow purging tmp Needs to be able to clear out /run/user/UID on logout policy/modules/contrib/consolekit.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/contrib/consolekit.te b/policy/modules/contrib/consolekit.te index d51634ea..ea4db82b 100644 --- a/policy/modules/contrib/consolekit.te +++ b/policy/modules/contrib/consolekit.te @@ -64,6 +64,7 @@ domain_dontaudit_ptrace_all_domains(consolekit_t) files_read_usr_files(consolekit_t) files_read_var_lib_files(consolekit_t) files_search_all_mountpoints(consolekit_t) +files_purge_tmp(consolekit_t) fs_list_inotifyfs(consolekit_t) fs_mount_tmpfs(consolekit_t)
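Review bot: `files_purge_tmp(consolekit_t)` is much broader than the stated goal of clearing `/run/user/UID` on logout: as far as I recall it grants delete rights over every type carrying the tmpfile attribute, i.e. all of /tmp and /var/tmp for every user and daemon, not just user runtime directories. If the denials are only under /run/user, a userdom interface for user runtime content would be the narrower fix; if the broad rule is intentional, a comment such as `# clear /run/user/UID on logout; note this covers all tmpfile types` should say so.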
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: 5a8818391194c993b1e0a4b8c2dc758097f8aed3 Author: Jason Zaman perfinion com> AuthorDate: Wed May 10 09:07:26 2017 + Commit: Jason Zaman gentoo org> CommitDate: Thu May 25 17:03:59 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5a881839 consolekit: introduce consolekit_use_inhibit_lock interface Applications hold FDs while they hold the lock. Implements this API: https://www.freedesktop.org/wiki/Software/systemd/inhibit/ policy/modules/contrib/consolekit.if | 19 +++ 1 file changed, 19 insertions(+) diff --git a/policy/modules/contrib/consolekit.if b/policy/modules/contrib/consolekit.if index 5b830ec9..c2c203f1 100644 --- a/policy/modules/contrib/consolekit.if +++ b/policy/modules/contrib/consolekit.if @@ -42,6 +42,25 @@ interface(`consolekit_dbus_chat',` ## +## Take inhibit locks from consolekit +## +## +## +## Domain allowed access. +## +## +# +interface(`consolekit_use_inhibit_lock',` + gen_require(` + type consolekit_t, consolekit_var_run_t; + ') + + allow $1 consolekit_t:fd use; + allow $1 consolekit_var_run_t:fifo_file rw_fifo_file_perms; +') + + +## ## Read consolekit log files. ## ##
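Review bot: The interface body is two bare allow rules; a comment tying them to the mechanism in the commit message would help maintainers, e.g. `# the inhibit lock is a FIFO under consolekit's runtime dir, handed to the caller as an fd`. Please confirm that consolekit creates the lock FIFO on disk under consolekit_var_run_t rather than as an anonymous pipe; an anonymous pipe would be labelled consolekit_t and the `consolekit_var_run_t:fifo_file` rule would not match it. The summary `Take inhibit locks from consolekit` would also be clearer as `Hold consolekit inhibit locks (use the lock fd and its FIFO).`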
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: cc786a07ee93677d6b41dc10e61e3810038f4c6f Author: Jason Zaman perfinion com> AuthorDate: Wed Feb 15 17:15:58 2017 + Commit: Jason Zaman gentoo org> CommitDate: Thu May 25 17:03:59 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=cc786a07 kerberos: Introduce kerberos_filetrans_named_content interface policy/modules/contrib/kerberos.if | 37 + 1 file changed, 37 insertions(+) diff --git a/policy/modules/contrib/kerberos.if b/policy/modules/contrib/kerberos.if index 01caeead..d9d5811f 100644 --- a/policy/modules/contrib/kerberos.if +++ b/policy/modules/contrib/kerberos.if 
@@ -466,6 +466,43 @@ interface(`kerberos_connect_524',` ## +## Transition to kerberos named content +## +## +## +## Domain allowed access. +## +## +# +interface(`kerberos_filetrans_named_content',` + gen_require(` + type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t; + type krb5kdc_principal_t; + ') + + files_etc_filetrans($1, krb5_conf_t, file, "krb5.conf") + filetrans_pattern($1, krb5kdc_conf_t, krb5_keytab_t, file, "kadm5.keytab") + filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal") + filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal0") + filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal1") + #filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal1") + + kerberos_etc_filetrans_keytab($1, file, "krb5.keytab") + #kerberos_filetrans_admin_home_content($1) + + kerberos_tmp_filetrans_host_rcache($1, file, "DNS_25") + kerberos_tmp_filetrans_host_rcache($1, file, "host_0") + kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_23") + kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_48") + kerberos_tmp_filetrans_host_rcache($1, file, "imap_0") + kerberos_tmp_filetrans_host_rcache($1, file, "nfs_0") + kerberos_tmp_filetrans_host_rcache($1, file, "ldapmap1_0") + kerberos_tmp_filetrans_host_rcache($1, file, "ldap_487") + kerberos_tmp_filetrans_host_rcache($1, file, "ldap_55") +') + + +## ## All of the rules required to ## administrate an kerberos environment. ##
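Review bot: The new interface ships two commented-out rules, `#filetrans_pattern(... "principal1")` (a duplicate of the active line just above it) and `#kerberos_filetrans_admin_home_content($1)`; dead rules in an interface should be removed or carry a comment saying why they are kept. The rcache names (`DNS_25`, `HTTP_48`, `ldap_55`, …) embed numeric UIDs of service accounts, which look distribution-specific (verify against Gentoo's UID assignments); a comment such as `# rcache names are <service>_<uid>; the UIDs below are distribution-dependent` would stop the next person from adding magic numbers without understanding the pattern.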
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/, policy/modules/kernel/, policy/modules/system/
commit: de8ad58a6a9103f443b733400d2f7980944bfcd0 Author: Jason Zaman perfinion com> AuthorDate: Thu Mar 30 07:30:55 2017 + Commit: Jason Zaman gentoo org> CommitDate: Thu May 25 17:03:59 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=de8ad58a gssproxy: Allow others to stream connect kernel AVC: * Starting gssproxy ... Failed to write to /proc/net/rpc/use-gss-proxy: 13 (Permission denied) * start-stop-daemon: failed to start `gssproxy' type=AVC msg=audit(1490858215.578:386110): avc: denied { connectto } for pid=25447 comm="gssproxy" path="/run/gssproxy.sock" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=unix_stream_socket permissive=0 policy/modules/contrib/rpc.te | 3 +++ policy/modules/kernel/kernel.te | 4 policy/modules/system/userdomain.if | 4 3 files changed, 11 insertions(+) diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te index a8a83400..c7855fef 100644 --- a/policy/modules/contrib/rpc.te +++ b/policy/modules/contrib/rpc.te @@ -339,6 +339,9 @@ optional_policy(` ') optional_policy(` + gssproxy_stream_connect(gssd_t) +') +optional_policy(` kerberos_manage_host_rcache(gssd_t) kerberos_read_keytab(gssd_t) kerberos_tmp_filetrans_host_rcache(gssd_t, file, "nfs_0") diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te index 685f3d0f..5877621b 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -423,6 +423,10 @@ optional_policy(` rpc_tcp_rw_nfs_sockets(kernel_t) rpc_udp_rw_nfs_sockets(kernel_t) + optional_policy(` + gssproxy_stream_connect(kernel_t) + ') + tunable_policy(`nfs_export_all_ro',` fs_getattr_noxattr_fs(kernel_t) fs_list_noxattr_fs(kernel_t) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index dbfb33da..55512c04 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if 
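Review bot: In the rpc.te hunk the new `optional_policy(` … `')` block is immediately followed by `optional_policy(`` with no blank line between them, unlike every other optional block in this series; add a blank line after the new `')`. The nested `optional_policy` added in kernel.te appears fine, but a short comment on it, e.g. `# kernel rpc/nfs code connects to gssproxy (see /proc/net/rpc/use-gss-proxy denial)`, would tie the rule to the AVC quoted in the message.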
@@ -726,6 +726,10 @@ template(`userdom_common_user_template',` ') optional_policy(` + gssproxy_stream_connect($1_t) + ') + + optional_policy(` hwloc_exec_dhwd($1_t) hwloc_read_runtime_files($1_t) ')
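Review bot: Adding `gssproxy_stream_connect($1_t)` to userdom_common_user_template gives every user domain connect access to the gssproxy socket, which the commit message (about a kernel_t denial) does not mention; that is a separate, policy-wide decision and deserves its own sentence in the message or a comment on the rule, e.g. `# user GSSAPI consumers may use gssproxy for their credentials -- TODO confirm this is required`. The enclosing template starts outside this hunk.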
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: e8b9afa5c6358e954388e5568f739a75d26f2e72 Author: Jason Zaman perfinion com> AuthorDate: Sun Apr 16 06:38:47 2017 + Commit: Jason Zaman gentoo org> CommitDate: Thu May 25 17:03:59 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e8b9afa5 gpg dirmngr: create and connect to socket policy/modules/contrib/dirmngr.fc | 2 ++ policy/modules/contrib/dirmngr.if | 25 + policy/modules/contrib/dirmngr.te | 13 + policy/modules/contrib/gpg.if | 38 ++ policy/modules/contrib/gpg.te | 1 + 5 files changed, 79 insertions(+) diff --git a/policy/modules/contrib/dirmngr.fc b/policy/modules/contrib/dirmngr.fc index a0f261c9..a9cf15a8 100644 --- a/policy/modules/contrib/dirmngr.fc +++ b/policy/modules/contrib/dirmngr.fc @@ -12,3 +12,5 @@ /run/dirmngr\.pid -- gen_context(system_u:object_r:dirmngr_var_run_t,s0) /run/dirmngr(/.*)? gen_context(system_u:object_r:dirmngr_var_run_t,s0) + +/run/user/%{USERID}/gnupg/S.dirmngr-s gen_context(system_u:object_r:dirmngr_tmp_t,s0) diff --git a/policy/modules/contrib/dirmngr.if b/policy/modules/contrib/dirmngr.if index 2f6875a6..07af5063 100644 --- a/policy/modules/contrib/dirmngr.if +++ b/policy/modules/contrib/dirmngr.if @@ -18,6 +18,7 @@ interface(`dirmngr_role',` gen_require(` type dirmngr_t, dirmngr_exec_t; + type dirmngr_tmp_t; ') role $1 types dirmngr_t; @@ -29,6 +30,8 @@ interface(`dirmngr_role',` allow dirmngr_t $2:fd use; allow dirmngr_t $2:fifo_file { read write }; + + allow $2 dirmngr_tmp_t:sock_file { manage_sock_file_perms relabel_sock_file_perms }; ') 
@@ -71,6 +74,28 @@ interface(`dirmngr_exec',` ## +## Connect to dirmngr socket +## +## +## +## Domain allowed access. +## +## +# +interface(`dirmngr_stream_connect',` + gen_require(` + type dirmngr_t, dirmngr_tmp_t; + ') + + gpg_search_agent_tmp_dirs($1) + allow $1 dirmngr_tmp_t:sock_file rw_sock_file_perms; + allow $1 dirmngr_t:unix_stream_socket connectto; + userdom_search_user_runtime($1) + userdom_search_user_home_dirs($1) +') + + +## ## All of the rules required to ## administrate an dirmngr environment. ## diff --git a/policy/modules/contrib/dirmngr.te b/policy/modules/contrib/dirmngr.te index 23f40456..8e4a1a89 100644 --- a/policy/modules/contrib/dirmngr.te +++ b/policy/modules/contrib/dirmngr.te @@ -18,6 +18,9 @@ init_script_file(dirmngr_initrc_exec_t) type dirmngr_log_t; logging_log_file(dirmngr_log_t) +type dirmngr_tmp_t; +userdom_user_tmp_file(dirmngr_tmp_t) + type dirmngr_var_lib_t; files_type(dirmngr_var_lib_t) @@ -46,6 +49,8 @@ manage_files_pattern(dirmngr_t, dirmngr_var_lib_t, dirmngr_var_lib_t) manage_lnk_files_pattern(dirmngr_t, dirmngr_var_lib_t, dirmngr_var_lib_t) files_var_lib_filetrans(dirmngr_t, dirmngr_var_lib_t, dir) +manage_sock_files_pattern(dirmngr_t, dirmngr_tmp_t, dirmngr_tmp_t) + manage_dirs_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t) manage_files_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t) manage_sock_files_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t) @@ -56,3 +61,11 @@ kernel_read_crypto_sysctls(dirmngr_t) files_read_etc_files(dirmngr_t) miscfiles_read_localization(dirmngr_t) + +userdom_search_user_home_dirs(dirmngr_t) +userdom_search_user_runtime(dirmngr_t) +userdom_user_runtime_filetrans(dirmngr_t, dirmngr_tmp_t, dir) + +optional_policy(` + gpg_agent_tmp_filetrans(dirmngr_t, dirmngr_tmp_t, sock_file) +') diff --git a/policy/modules/contrib/gpg.if b/policy/modules/contrib/gpg.if index ef87..4480f9c6 100644 --- a/policy/modules/contrib/gpg.if +++ b/policy/modules/contrib/gpg.if 
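Review bot: `userdom_user_runtime_filetrans(dirmngr_t, dirmngr_tmp_t, dir)` is an unnamed transition, so any directory dirmngr_t creates directly under the user runtime dir becomes dirmngr_tmp_t; the new fc entry labels only the socket `…/gnupg/S.dirmngr` as dirmngr_tmp_t, and the socket transition in the optional block below relies on the `gnupg` directory being gpg_agent_tmp_t. If dirmngr runs before gpg-agent and creates `gnupg` itself, that directory would be labelled dirmngr_tmp_t and gpg_agent_tmp_filetrans would not apply — presumably unintended. Consider a named transition for `"gnupg"` to the agent's tmp type instead, or add a comment on the rule stating why the unnamed dir transition is wanted.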
@@ -216,6 +216,44 @@ interface(`gpg_stream_connect_agent',` ## +## Search gpg agent dirs. +## +## +## +## Domain allowed access. +## +## +# +interface(`gpg_search_agent_tmp_dirs',` + gen_require(` + type gpg_agent_tmp_t; + ') + + allow $1 gpg_agent_tmp_t:dir search_dir_perms; +') + + +## +## filetrans in gpg_agent_tmp_t dirs +## +## +## +## Domain allowed access. +## +## +# +interface(`gpg_agent_tmp_filetrans',` + gen_require(` + type gpg_agent_t, gpg_agent_tmp_t; + type gpg_secret_t; + ') + + filetrans_pattern($1, gpg_agent_tmp_t, $2, $3, $4) + userdom_search_user_runtime($1) +') + + +## ## Send messages to and from gpg ## pinentry over DBUS. ## diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/
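Review bot: gpg_agent_tmp_filetrans requires `gpg_agent_t` and `gpg_secret_t` but uses neither; the gen_require should list only `gpg_agent_tmp_t`. It also documents a single parameter while passing `$2`, `$3` and `$4` to filetrans_pattern (new type, object class, optional name); document all four in the XML header so callers such as the dirmngr.te hunk above can be checked against it. The summary `filetrans in gpg_agent_tmp_t dirs` would read better as `Create objects in gpg agent tmp directories with an automatic type transition.`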
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: a4c5b41a18ebfee686fb65ce8a484dc4493ff087 Author: Jason Zaman perfinion com> AuthorDate: Sat Aug 13 16:37:55 2016 + Commit: Jason Zaman gentoo org> CommitDate: Thu May 25 17:03:59 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a4c5b41a virt: kernel_read_system_state policy/modules/contrib/virt.te | 4 1 file changed, 4 insertions(+) diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te index b30765c8..fb3c3f37 100644 --- a/policy/modules/contrib/virt.te +++ b/policy/modules/contrib/virt.te @@ -1331,6 +1331,8 @@ files_pid_filetrans(virtlockd_t, virtlockd_run_t, file) can_exec(virtlockd_t, virtlockd_exec_t) +kernel_read_system_state(virtlockd_t) + files_read_etc_files(virtlockd_t) files_list_var_lib(virtlockd_t) @@ -1357,6 +1359,8 @@ files_pid_filetrans(virtlogd_t, virtlogd_run_t, file) can_exec(virtlogd_t, virtlogd_exec_t) +kernel_read_system_state(virtlogd_t) + files_read_etc_files(virtlogd_t) files_list_var_lib(virtlogd_t)
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: 301b59bff67c4833c98e6fec5bd2cb04a13e31a2 Author: Jason Zaman perfinion com> AuthorDate: Thu Mar 30 04:58:28 2017 + Commit: Jason Zaman gentoo org> CommitDate: Sun May 7 17:40:29 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=301b59bf dirmngr: add to roles and allow gpg to domtrans policy/modules/contrib/dirmngr.if | 69 +++ policy/modules/contrib/gpg.te | 4 +++ 2 files changed, 73 insertions(+) diff --git a/policy/modules/contrib/dirmngr.if b/policy/modules/contrib/dirmngr.if index 4cd2810e..2f6875a6 100644 --- a/policy/modules/contrib/dirmngr.if +++ b/policy/modules/contrib/dirmngr.if @@ -1,5 +1,74 @@ ## Server for managing and downloading certificate revocation lists. + +## +## Role access for dirmngr. +## +## +## +## Role allowed access. +## +## +## +## +## User domain for the role. +## +## +# +interface(`dirmngr_role',` + gen_require(` + type dirmngr_t, dirmngr_exec_t; + ') + + role $1 types dirmngr_t; + + domtrans_pattern($2, dirmngr_exec_t, dirmngr_t) + + allow $2 dirmngr_t:process { ptrace signal_perms }; + ps_process_pattern($2, dirmngr_t) + + allow dirmngr_t $2:fd use; + allow dirmngr_t $2:fifo_file { read write }; +') + + +## +## Execute dirmngr in the dirmngr domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`dirmngr_domtrans',` + gen_require(` + type dirmngr_t, dirmngr_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, dirmngr_exec_t, dirmngr_t) +') + + +## +## Execute the dirmngr in the caller domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`dirmngr_exec',` + gen_require(` + type dirmngr_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, dirmngr_exec_t) +') + ## ## All of the rules required to diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te index c145fb4c..1b8448c7 100644 --- a/policy/modules/contrib/gpg.te +++ b/policy/modules/contrib/gpg.te 
@@ -139,6 +139,10 @@ tunable_policy(`use_samba_home_dirs',` ') optional_policy(` + dirmngr_domtrans(gpg_t) +') + +optional_policy(` evolution_read_orbit_tmp_files(gpg_t) ')
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: 5dbc2a2a3beff47187df1b133efc77ef75f597c4 Author: Jason Zaman perfinion com> AuthorDate: Thu May 12 16:49:07 2016 + Commit: Jason Zaman gentoo org> CommitDate: Sun May 7 17:40:29 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5dbc2a2a virt: add policy for virtlogd policy/modules/contrib/virt.fc | 1 + policy/modules/contrib/virt.te | 42 ++ 2 files changed, 43 insertions(+) diff --git a/policy/modules/contrib/virt.fc b/policy/modules/contrib/virt.fc index b1f9b1c8..46839588 100644 --- a/policy/modules/contrib/virt.fc +++ b/policy/modules/contrib/virt.fc @@ -37,6 +37,7 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t /usr/sbin/libvirt-qmf -- gen_context(system_u:object_r:virt_qmf_exec_t,s0) /usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0) /usr/sbin/virtlockd-- gen_context(system_u:object_r:virtlockd_exec_t,s0) +/usr/sbin/virtlogd -- gen_context(system_u:object_r:virtlogd_exec_t,s0) /var/cache/libvirt(/.*)? gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh) diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te index 4fb34894..63fef29b 100644 --- a/policy/modules/contrib/virt.te +++ b/policy/modules/contrib/virt.te @@ -208,12 +208,21 @@ files_pid_file(virtlockd_run_t) type virtlockd_var_lib_t; files_type(virtlockd_var_lib_t) +type virtlogd_t; +type virtlogd_exec_t; +init_daemon_domain(virtlogd_t, virtlogd_exec_t) + +type virtlogd_run_t; +files_pid_file(virtlogd_run_t) + ifdef(`enable_mcs',` init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - mcs_systemhigh) + init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mcs_systemhigh) ') ifdef(`enable_mls',` init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - mls_systemhigh) + init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mls_systemhigh) ') 
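Review bot: virt.fc gains only the virtlogd executable, while the pid file created via `files_pid_filetrans(virtlogd_t, virtlogd_run_t, file)` and the socket created via the virt_var_run_t → virtlogd_run_t sock_file transition in the same commit get their label only at creation time, so a `restorecon` of /run would reset them and virtd_t's `stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t)` would no longer match the socket. Unless virt.fc already covers them outside this hunk, add entries along the lines of `/run/virtlogd\.pid -- gen_context(system_u:object_r:virtlogd_run_t,s0)` and `/run/libvirt/virtlogd-sock -s gen_context(system_u:object_r:virtlogd_run_t,s0)`, using whatever socket path this libvirt version actually creates and mirroring the virtlockd entries.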
@@ -234,6 +243,9 @@ allow virt_domain virtd_t:fd use; allow virt_domain virtd_t:fifo_file rw_fifo_file_perms; allow virt_domain virtd_t:process sigchld; +allow virt_domain virtlogd_t:fd use; +allow virt_domain virtlogd_t:fifo_file rw_fifo_file_perms; + dontaudit virt_domain virtd_t:unix_stream_socket { read write }; manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t) @@ -472,6 +484,9 @@ dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh }; allow virtd_t { virt_domain svirt_lxc_domain }:unix_stream_socket { create_stream_socket_perms connectto }; allow virtd_t svirt_lxc_domain:process signal_perms; +allow virtd_t virtlogd_t:fd use; +allow virtd_t virtlogd_t:fifo_file rw_fifo_file_perms; + allow virtd_t virtd_lxc_t:process { signal signull sigkill }; domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t) @@ -558,6 +573,7 @@ filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t) +stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t) can_exec(virtd_t, virt_tmp_t) 
@@ -1319,3 +1335,29 @@ miscfiles_read_localization(virtlockd_t) virt_append_log(virtlockd_t) virt_read_config(virtlockd_t) + + +# +# Virtlogd local policy +# + +allow virtlogd_t self:fifo_file rw_fifo_file_perms; + +allow virtlogd_t virtd_t:dir list_dir_perms; +allow virtlogd_t virtd_t:file read_file_perms; +allow virtlogd_t virtd_t:lnk_file read_lnk_file_perms; + +manage_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t) +manage_sock_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t) +filetrans_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t, sock_file) +files_pid_filetrans(virtlogd_t, virtlogd_run_t, file) + +can_exec(virtlogd_t, virtlogd_exec_t) + +files_read_etc_files(virtlogd_t) +files_list_var_lib(virtlogd_t) + +miscfiles_read_localization(virtlogd_t) + +virt_manage_log(virtlogd_t) +virt_read_config(virtlogd_t)
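Review bot: `allow virtlogd_t virtd_t:dir list_dir_perms` and the following file/lnk_file reads let virtlogd read libvirtd's /proc/<pid> entries without saying why; the same three rules are given to virtlockd elsewhere on this page, so the reason should be written down once where it can be checked. Add `# reads libvirtd's /proc/<pid> entries — presumably to validate the connecting client pid; confirm` above the block. `virt_manage_log(virtlogd_t)` is also the full manage set; if virtlogd only appends to and rotates guest logs, a comment saying so would make the breadth deliberate rather than accidental.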
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: b082a2690d496136e825b47bb7c0d82607b6e393 Author: Jason Zaman perfinion com> AuthorDate: Sun May 7 13:42:53 2017 + Commit: Jason Zaman gentoo org> CommitDate: Sun May 7 17:40:29 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b082a269 dirmngr: fcontext for ~/.gnupg/crls.d/ policy/modules/contrib/dirmngr.fc | 2 ++ policy/modules/contrib/dirmngr.te | 7 +++ policy/modules/contrib/gpg.if | 20 3 files changed, 29 insertions(+) diff --git a/policy/modules/contrib/dirmngr.fc b/policy/modules/contrib/dirmngr.fc index a9cf15a8..60f19f47 100644 --- a/policy/modules/contrib/dirmngr.fc +++ b/policy/modules/contrib/dirmngr.fc @@ -1,3 +1,5 @@ +HOME_DIR/\.gnupg/crls\.d(/.+)? gen_context(system_u:object_r:dirmngr_home_t,s0) + /etc/dirmngr(/.*)? gen_context(system_u:object_r:dirmngr_conf_t,s0) /etc/rc\.d/init\.d/dirmngr -- gen_context(system_u:object_r:dirmngr_initrc_exec_t,s0) diff --git a/policy/modules/contrib/dirmngr.te b/policy/modules/contrib/dirmngr.te index 8e4a1a89..17cce56a 100644 --- a/policy/modules/contrib/dirmngr.te +++ b/policy/modules/contrib/dirmngr.te @@ -27,6 +27,9 @@ files_type(dirmngr_var_lib_t) type dirmngr_var_run_t; files_pid_file(dirmngr_var_run_t) +type dirmngr_home_t; +userdom_user_home_content(dirmngr_home_t) + # # Local policy @@ -37,6 +40,8 @@ allow dirmngr_t self:fifo_file rw_file_perms; allow dirmngr_t dirmngr_conf_t:dir list_dir_perms; allow dirmngr_t dirmngr_conf_t:file read_file_perms; allow dirmngr_t dirmngr_conf_t:lnk_file read_lnk_file_perms; +allow dirmngr_t dirmngr_home_t:dir list_dir_perms; +allow dirmngr_t dirmngr_home_t:file read_file_perms; manage_dirs_pattern(dirmngr_t, dirmngr_log_t, dirmngr_log_t) append_files_pattern(dirmngr_t, dirmngr_log_t, dirmngr_log_t) 
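Review bot: dirmngr_t gets only `list_dir_perms`/`read_file_perms` on the new dirmngr_home_t, yet ~/.gnupg/crls.d is where dirmngr writes its CRL cache (DIR.txt and the crl-*.db files), and the `gpg_secret_filetrans(dirmngr_t, dirmngr_home_t, dir)` transition in the hunk that follows has no matching `create` on dirmngr_home_t:dir, so the directory can be transitioned but never actually made. If that cache is the purpose of the type, replace the two allow lines with `manage_dirs_pattern(dirmngr_t, dirmngr_home_t, dirmngr_home_t)` and `manage_files_pattern(dirmngr_t, dirmngr_home_t, dirmngr_home_t)`; if read-only is intended, say so in a comment and drop the dir transition.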
@@ -61,6 +66,7 @@ kernel_read_crypto_sysctls(dirmngr_t) files_read_etc_files(dirmngr_t) miscfiles_read_localization(dirmngr_t) +miscfiles_read_generic_certs(dirmngr_t) userdom_search_user_home_dirs(dirmngr_t) userdom_search_user_runtime(dirmngr_t) @@ -68,4 +74,5 @@ userdom_user_runtime_filetrans(dirmngr_t, dirmngr_tmp_t, dir) optional_policy(` gpg_agent_tmp_filetrans(dirmngr_t, dirmngr_tmp_t, sock_file) + gpg_secret_filetrans(dirmngr_t, dirmngr_home_t, dir) ') diff --git a/policy/modules/contrib/gpg.if b/policy/modules/contrib/gpg.if index 4480f9c6..e5a12750 100644 --- a/policy/modules/contrib/gpg.if +++ b/policy/modules/contrib/gpg.if @@ -254,6 +254,26 @@ interface(`gpg_agent_tmp_filetrans',` ## +## filetrans in gpg_secret_t dirs +## +## +## +## Domain allowed access. +## +## +# +interface(`gpg_secret_filetrans',` + gen_require(` + type gpg_secret_t; + ') + + filetrans_pattern($1, gpg_secret_t, $2, $3, $4) + allow $1 gpg_secret_t:dir search_dir_perms; + userdom_search_user_home_dirs($1) +') + + +## ## Send messages to and from gpg ## pinentry over DBUS. ##
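Review bot: `gpg_secret_filetrans` documents only its first parameter although it takes four (`$2` target type, `$3` object class, `$4` optional filename), and the summary `filetrans in gpg_secret_t dirs` does not mention that the interface also grants `search` on gpg_secret_t directories and on user home dirs. Add param blocks for `type`, `class` and `name` (marking `name` optional, which filetrans_pattern tolerates) and extend the summary to list the search access so callers know what they are picking up.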
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: a1662dfe50303bf9e7e268f20bb835bb54576de8 Author: Jason Zaman perfinion com> AuthorDate: Fri May 27 20:44:51 2016 + Commit: Jason Zaman gentoo org> CommitDate: Sun May 7 17:40:29 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a1662dfe virt: virtlockd doesnt need ps_process_pattern policy/modules/contrib/virt.te | 6 -- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te index 63fef29b..b80abb97 100644 --- a/policy/modules/contrib/virt.te +++ b/policy/modules/contrib/virt.te @@ -1308,6 +1308,10 @@ kernel_dontaudit_read_system_state(virt_leaseshelper_t) allow virtlockd_t self:capability dac_override; allow virtlockd_t self:fifo_file rw_fifo_file_perms; +allow virtlockd_t virtd_t:dir list_dir_perms; +allow virtlockd_t virtd_t:file read_file_perms; +allow virtlockd_t virtd_t:lnk_file read_lnk_file_perms; + allow virtlockd_t virt_image_type:dir list_dir_perms; allow virtlockd_t virt_image_type:file rw_file_perms; @@ -1326,8 +1330,6 @@ files_pid_filetrans(virtlockd_t, virtlockd_run_t, file) can_exec(virtlockd_t, virtlockd_exec_t) -ps_process_pattern(virtlockd_t, virtd_t) - files_read_etc_files(virtlockd_t) files_list_var_lib(virtlockd_t)
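Review bot: The three rules added for virtlockd_t are exactly `ps_process_pattern(virtlockd_t, virtd_t)` minus `process getattr`, so what the commit drops is one permission rather than the whole pattern the subject names, and nothing records why virtlockd reads libvirtd's /proc entries at all. A one-line comment above the block, e.g. `# reads libvirtd's /proc/<pid> entries — presumably client pid validation; confirm`, would make the narrowing reviewable.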
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: 51eb554ea9d25c69d2054336b6efee2f9d1153e5 Author: Jason Zaman perfinion com> AuthorDate: Thu Mar 30 07:15:39 2017 + Commit: Jason Zaman gentoo org> CommitDate: Sun May 7 17:40:30 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=51eb554e gssproxy: add policy borrowed and modified from Fedora policy/modules/contrib/gssproxy.fc | 8 ++ policy/modules/contrib/gssproxy.if | 199 + policy/modules/contrib/gssproxy.te | 67 + 3 files changed, 274 insertions(+) diff --git a/policy/modules/contrib/gssproxy.fc b/policy/modules/contrib/gssproxy.fc new file mode 100644 index ..a9970159 --- /dev/null +++ b/policy/modules/contrib/gssproxy.fc @@ -0,0 +1,8 @@ +/usr/lib/systemd/system/gssproxy.service -- gen_context(system_u:object_r:gssproxy_unit_t,s0) + +/usr/sbin/gssproxy -- gen_context(system_u:object_r:gssproxy_exec_t,s0) + +/var/lib/gssproxy(/.*)? gen_context(system_u:object_r:gssproxy_var_lib_t,s0) + +/run/gssproxy\.pid -- gen_context(system_u:object_r:gssproxy_run_t,s0) +/run/gssproxy\.sock-s gen_context(system_u:object_r:gssproxy_run_t,s0) diff --git a/policy/modules/contrib/gssproxy.if b/policy/modules/contrib/gssproxy.if new file mode 100644 index ..cebdb20b --- /dev/null +++ b/policy/modules/contrib/gssproxy.if 
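Review bot: gssproxy.fc labels the systemd unit but no OpenRC script, whereas the other contrib module on this page (dirmngr.fc) carries `/etc/rc\.d/init\.d/<name>` with an `_initrc_exec_t` type; on a hardened Gentoo host gssproxy is most likely started by OpenRC. If the ebuild installs an init script, add `/etc/rc\.d/init\.d/gssproxy -- gen_context(system_u:object_r:gssproxy_initrc_exec_t,s0)` with the matching `init_script_file()` declaration in gssproxy.te (which is outside this view); otherwise the `gssproxy_admin` interface, cut off at the end of the .if hunk, has no script type to hand the administrator.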
@@ -0,0 +1,199 @@ + +## policy for gssproxy + + +## +## Execute gssproxy in the gssproxy domin. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`gssproxy_domtrans',` + gen_require(` + type gssproxy_t, gssproxy_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, gssproxy_exec_t, gssproxy_t) +') + + +## +## Search gssproxy lib directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`gssproxy_search_lib',` + gen_require(` + type gssproxy_var_lib_t; + ') + + allow $1 gssproxy_var_lib_t:dir search_dir_perms; + files_search_var_lib($1) +') + + +## +## Read gssproxy lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`gssproxy_read_lib_files',` + gen_require(` + type gssproxy_var_lib_t; + ') + + files_search_var_lib($1) + read_files_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t) +') + + +## +## Manage gssproxy lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`gssproxy_manage_lib_files',` + gen_require(` + type gssproxy_var_lib_t; + ') + + files_search_var_lib($1) + manage_files_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t) +') + + +## +## Manage gssproxy lib directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`gssproxy_manage_lib_dirs',` + gen_require(` + type gssproxy_var_lib_t; + ') + + files_search_var_lib($1) + manage_dirs_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t) +') + + +## +## Read gssproxy PID files. +## +## +## +## Domain allowed access. +## +## +# +interface(`gssproxy_read_pid_files',` + gen_require(` + type gssproxy_run_t; + ') + + files_search_pids($1) + read_files_pattern($1, gssproxy_run_t, gssproxy_run_t) +') + + +## +## Execute gssproxy server in the gssproxy domain. +## +## +## +## Domain allowed to transition. 
+## +## +# +interface(`gssproxy_systemctl',` + gen_require(` + type gssproxy_t; + type gssproxy_unit_t; + ') + + systemd_exec_systemctl($1) + init_reload_services($1) + allow $1 gssproxy_unit_t:file read_file_perms; + allow $1 gssproxy_unit_t:service manage_service_perms; + + ps_process_pattern($1, gssproxy_t) +') + + +## +## Connect to gssproxy over an unix +## domain stream socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`gssproxy_stream_connect',` + gen_require(` + type gssproxy_t, gssproxy_run_t, gssproxy_var_lib_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, gssproxy_run_t, gssproxy_run_t, gssproxy_t) + stream_connect_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t, gssproxy_t) +') + + +## +## All of the rules required to administrate +## an gssproxy env
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: 87b0247f46a8debf2829f3b5b87087fb0f43fbe2 Author: Jason Zaman perfinion com> AuthorDate: Wed Aug 31 15:03:49 2016 + Commit: Jason Zaman gentoo org> CommitDate: Sun May 7 17:40:30 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=87b0247f WIP virt: image type perms policy/modules/contrib/virt.te | 7 +++ 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te index fb3c3f37..6ccafff3 100644 --- a/policy/modules/contrib/virt.te +++ b/policy/modules/contrib/virt.te @@ -468,7 +468,7 @@ tunable_policy(`virt_use_vfio',` # allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setgid setpcap setuid sys_admin sys_nice }; -allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched }; +allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setrlimit setsockcreate setsched }; allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto }; allow virtd_t self:unix_stream_socket { accept connectto listen relabelfrom relabelto }; allow virtd_t self:tcp_socket { accept listen }; @@ -530,9 +530,9 @@ manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type) manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type) allow virtd_t virt_image_type:file relabel_file_perms; +allow virtd_t virt_image_type:dir { manage_dir_perms relabel_dir_perms }; allow virtd_t virt_image_type:blk_file relabel_blk_file_perms; allow virtd_t virt_image_type:chr_file relabel_chr_file_perms; -allow virtd_t virt_image_type:chr_file relabel_chr_file_perms; allow virtd_t virt_ptynode:chr_file rw_term_perms; 
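Review bot: `setrlimit` moves from the `virt_use_vfio` tunable onto the unconditional virtd_t process line, and `allow virtd_t virt_image_type:dir { manage_dir_perms relabel_dir_perms }` grants the full manage set over every image-type directory, but the WIP subject gives no AVC for either, so the loss of the tunable gating cannot be checked against a real need. If libvirtd now sets rlimits for every guest regardless of vfio, say so next to the rule: `# setrlimit: libvirtd applies per-domain limits to qemu even without vfio — TODO record the AVC`.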
@@ -572,7 +572,7 @@ manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) -stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) +stream_connect_pattern(virtd_t, { virt_image_type svirt_var_run_t }, { virt_image_type svirt_var_run_t}, virt_domain) stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t) stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t) @@ -714,7 +714,6 @@ tunable_policy(`virt_use_samba',` tunable_policy(`virt_use_vfio',` allow virtd_t self:capability sys_resource; - allow virtd_t self:process setrlimit; allow virtd_t svirt_t:process rlimitinh; dev_relabelfrom_vfio_dev(virtd_t) ')
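Review bot: The rewritten `stream_connect_pattern` puts the whole `virt_image_type` attribute in the sock_file position, so virtd_t may now write to sockets labelled with any image type, not only those in the per-domain directory (which the libvirtError quoted elsewhere on this page shows as svirt_image_t). If the qemu monitor socket under /var/lib/libvirt/qemu/domain-*/ is the only one involved, `stream_connect_pattern(virtd_t, { virt_image_type svirt_var_run_t }, { svirt_image_t svirt_var_run_t }, virt_domain)` keeps the search over image dirs while narrowing the write to one type; confirm that svirt_image_t is the label used here before changing it.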
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: 78cc3af7eeadb770d4f84393a382979862a580c9 Author: Jason Zaman perfinion com> AuthorDate: Sun Apr 16 06:38:47 2017 + Commit: Jason Zaman gentoo org> CommitDate: Sun May 7 17:40:29 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=78cc3af7 gpg dirmngr: create and connect to socket policy/modules/contrib/dirmngr.fc | 2 ++ policy/modules/contrib/dirmngr.if | 25 + policy/modules/contrib/dirmngr.te | 13 + policy/modules/contrib/gpg.if | 38 ++ policy/modules/contrib/gpg.te | 1 + 5 files changed, 79 insertions(+) diff --git a/policy/modules/contrib/dirmngr.fc b/policy/modules/contrib/dirmngr.fc index a0f261c9..a9cf15a8 100644 --- a/policy/modules/contrib/dirmngr.fc +++ b/policy/modules/contrib/dirmngr.fc @@ -12,3 +12,5 @@ /run/dirmngr\.pid -- gen_context(system_u:object_r:dirmngr_var_run_t,s0) /run/dirmngr(/.*)? gen_context(system_u:object_r:dirmngr_var_run_t,s0) + +/run/user/%{USERID}/gnupg/S.dirmngr-s gen_context(system_u:object_r:dirmngr_tmp_t,s0) diff --git a/policy/modules/contrib/dirmngr.if b/policy/modules/contrib/dirmngr.if index 2f6875a6..07af5063 100644 --- a/policy/modules/contrib/dirmngr.if +++ b/policy/modules/contrib/dirmngr.if @@ -18,6 +18,7 @@ interface(`dirmngr_role',` gen_require(` type dirmngr_t, dirmngr_exec_t; + type dirmngr_tmp_t; ') role $1 types dirmngr_t; @@ -29,6 +30,8 @@ interface(`dirmngr_role',` allow dirmngr_t $2:fd use; allow dirmngr_t $2:fifo_file { read write }; + + allow $2 dirmngr_tmp_t:sock_file { manage_sock_file_perms relabel_sock_file_perms }; ') 
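Review bot: `dirmngr_role` now lets the user domain `relabel_sock_file_perms` on dirmngr_tmp_t, i.e. relabel dirmngr's listening socket to and from any other type the user may relabel, with no note on who performs that relabel. If the purpose is `restorecon` of /run/user/<uid> after the fc entry added in this commit, a comment such as `# restorecon of S.dirmngr after an fc update` is enough; otherwise `manage_sock_file_perms` alone covers creating and removing a stale socket.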
@@ -71,6 +74,28 @@ interface(`dirmngr_exec',` ## +## Connect to dirmngr socket +## +## +## +## Domain allowed access. +## +## +# +interface(`dirmngr_stream_connect',` + gen_require(` + type dirmngr_t, dirmngr_tmp_t; + ') + + gpg_search_agent_tmp_dirs($1) + allow $1 dirmngr_tmp_t:sock_file rw_sock_file_perms; + allow $1 dirmngr_t:unix_stream_socket connectto; + userdom_search_user_runtime($1) + userdom_search_user_home_dirs($1) +') + + +## ## All of the rules required to ## administrate an dirmngr environment. ## diff --git a/policy/modules/contrib/dirmngr.te b/policy/modules/contrib/dirmngr.te index 23f40456..8e4a1a89 100644 --- a/policy/modules/contrib/dirmngr.te +++ b/policy/modules/contrib/dirmngr.te @@ -18,6 +18,9 @@ init_script_file(dirmngr_initrc_exec_t) type dirmngr_log_t; logging_log_file(dirmngr_log_t) +type dirmngr_tmp_t; +userdom_user_tmp_file(dirmngr_tmp_t) + type dirmngr_var_lib_t; files_type(dirmngr_var_lib_t) @@ -46,6 +49,8 @@ manage_files_pattern(dirmngr_t, dirmngr_var_lib_t, dirmngr_var_lib_t) manage_lnk_files_pattern(dirmngr_t, dirmngr_var_lib_t, dirmngr_var_lib_t) files_var_lib_filetrans(dirmngr_t, dirmngr_var_lib_t, dir) +manage_sock_files_pattern(dirmngr_t, dirmngr_tmp_t, dirmngr_tmp_t) + manage_dirs_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t) manage_files_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t) manage_sock_files_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t) @@ -56,3 +61,11 @@ kernel_read_crypto_sysctls(dirmngr_t) files_read_etc_files(dirmngr_t) miscfiles_read_localization(dirmngr_t) + +userdom_search_user_home_dirs(dirmngr_t) +userdom_search_user_runtime(dirmngr_t) +userdom_user_runtime_filetrans(dirmngr_t, dirmngr_tmp_t, dir) + +optional_policy(` + gpg_agent_tmp_filetrans(dirmngr_t, dirmngr_tmp_t, sock_file) +') diff --git a/policy/modules/contrib/gpg.if b/policy/modules/contrib/gpg.if index ef87..4480f9c6 100644 --- a/policy/modules/contrib/gpg.if +++ b/policy/modules/contrib/gpg.if 
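Review bot: `userdom_user_runtime_filetrans(dirmngr_t, dirmngr_tmp_t, dir)` in the dirmngr.te hunk declares an unnamed directory transition that the local policy cannot complete: the only dirmngr_tmp_t rule is `manage_sock_files_pattern`, so dirmngr_t has no `create` on dirmngr_tmp_t:dir, and if that were added the first daemon to start would label the shared /run/user/<uid>/gnupg directory dirmngr_tmp_t rather than the gpg_agent_tmp_t that `gpg_agent_tmp_filetrans`, `gpg_search_agent_tmp_dirs` and the `S.dirmngr` fc entry all assume as the parent. Drop that line, or make the directory a named transition to gpg's type through a gpg.if interface that gpg.if would have to provide (e.g. `gpg_user_runtime_filetrans_agent_tmp(dirmngr_t, dir, "gnupg")`) inside the existing optional_policy block.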
@@ -216,6 +216,44 @@ interface(`gpg_stream_connect_agent',` ## +## Search gpg agent dirs. +## +## +## +## Domain allowed access. +## +## +# +interface(`gpg_search_agent_tmp_dirs',` + gen_require(` + type gpg_agent_tmp_t; + ') + + allow $1 gpg_agent_tmp_t:dir search_dir_perms; +') + + +## +## filetrans in gpg_agent_tmp_t dirs +## +## +## +## Domain allowed access. +## +## +# +interface(`gpg_agent_tmp_filetrans',` + gen_require(` + type gpg_agent_t, gpg_agent_tmp_t; + type gpg_secret_t; + ') + + filetrans_pattern($1, gpg_agent_tmp_t, $2, $3, $4) + userdom_search_user_runtime($1) +') + + +## ## Send messages to and from gpg ## pinentry over DBUS. ## diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/
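Review bot: `gpg_agent_tmp_filetrans` requires `type gpg_agent_t` and `type gpg_secret_t` but its body uses only gpg_agent_tmp_t, so the gen_require is a leftover from the earlier revision of this commit on the page; trim it to `type gpg_agent_tmp_t;`. Both new interfaces also document only `$1`, while `gpg_agent_tmp_filetrans` takes the target type, object class and optional filename as `$2`–`$4`; add param blocks for them, with the filename marked optional.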
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: 3a5dcd577d402e3e178785da772dad2d9fd128b0 Author: Jason Zaman perfinion com> AuthorDate: Wed Feb 15 17:15:58 2017 + Commit: Jason Zaman gentoo org> CommitDate: Sun May 7 17:40:30 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3a5dcd57 kerberos: Introduce kerberos_filetrans_named_content interface policy/modules/contrib/kerberos.if | 37 + 1 file changed, 37 insertions(+) diff --git a/policy/modules/contrib/kerberos.if b/policy/modules/contrib/kerberos.if index 01caeead..d9d5811f 100644 --- a/policy/modules/contrib/kerberos.if +++ b/policy/modules/contrib/kerberos.if 
@@ -466,6 +466,43 @@ interface(`kerberos_connect_524',` ## +## Transition to kerberos named content +## +## +## +## Domain allowed access. +## +## +# +interface(`kerberos_filetrans_named_content',` + gen_require(` + type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t; + type krb5kdc_principal_t; + ') + + files_etc_filetrans($1, krb5_conf_t, file, "krb5.conf") + filetrans_pattern($1, krb5kdc_conf_t, krb5_keytab_t, file, "kadm5.keytab") + filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal") + filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal0") + filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal1") + #filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal1") + + kerberos_etc_filetrans_keytab($1, file, "krb5.keytab") + #kerberos_filetrans_admin_home_content($1) + + kerberos_tmp_filetrans_host_rcache($1, file, "DNS_25") + kerberos_tmp_filetrans_host_rcache($1, file, "host_0") + kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_23") + kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_48") + kerberos_tmp_filetrans_host_rcache($1, file, "imap_0") + kerberos_tmp_filetrans_host_rcache($1, file, "nfs_0") + kerberos_tmp_filetrans_host_rcache($1, file, "ldapmap1_0") + kerberos_tmp_filetrans_host_rcache($1, file, "ldap_487") + kerberos_tmp_filetrans_host_rcache($1, file, "ldap_55") +') + + +## ## All of the rules required to ## administrate an kerberos environment. ##
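Review bot: The new interface ships two commented-out lines — `#filetrans_pattern(... "principal1")` duplicates the live line directly above it and `#kerberos_filetrans_admin_home_content($1)` names an interface not present in this hunk — which read as unfinished work in a public interface; delete them or turn them into a TODO that says what is missing. The rcache names (`DNS_25`, `HTTP_23`, `HTTP_48`, `ldap_487`, `ldap_55`) presumably follow krb5's `<service>_<uid>` naming and so encode the service uids of the system they were captured from; a comment such as `# rcache names are <service>_<uid>; the uids below are from the originating distro — adjust for other layouts` would stop the next reader treating them as fixed strings.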
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: 92be7193ee0470dbb1024bb20ffd9acee80b696e Author: Jason Zaman perfinion com> AuthorDate: Thu Aug 11 05:49:02 2016 + Commit: Jason Zaman gentoo org> CommitDate: Sun May 7 17:40:29 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=92be7193 virt: need to relabel to set categories libvirtError: unable to set security context 'system_u:object_r:svirt_image_t:s0:c50,c346' on '/var/lib/libvirt/qemu/domain-1-zfstest': Permission denied policy/modules/contrib/virt.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te index b80abb97..b30765c8 100644 --- a/policy/modules/contrib/virt.te +++ b/policy/modules/contrib/virt.te @@ -501,6 +501,7 @@ filetrans_pattern(virtd_t, virt_home_t, virt_content_t, dir, "isos") allow virtd_t virtd_keytab_t:file read_file_perms; allow virtd_t svirt_var_run_t:file relabel_file_perms; +allow virtd_t svirt_var_run_t:dir relabel_dir_perms; manage_dirs_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t) manage_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t) manage_sock_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: 580d4297b7b45b13a933df9b4ca788eb9b6331a6 Author: Jason Zaman perfinion com> AuthorDate: Sun May 7 13:43:31 2017 + Commit: Jason Zaman gentoo org> CommitDate: Sun May 7 17:40:29 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=580d4297 dirmngr: Network rules to connect to keyserver type=AVC msg=audit(1494163667.921:24917): avc: denied { name_bind } for pid=15683 comm=636F6E6E2066643D36 src=19321 scontext=staff_u:staff_r:dirmngr_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=udp_socket permissive=0 policy/modules/contrib/dirmngr.te | 6 ++ 1 file changed, 6 insertions(+) diff --git a/policy/modules/contrib/dirmngr.te b/policy/modules/contrib/dirmngr.te index 17cce56a..b64fc610 100644 --- a/policy/modules/contrib/dirmngr.te +++ b/policy/modules/contrib/dirmngr.te @@ -62,6 +62,12 @@ manage_sock_files_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t) files_pid_filetrans(dirmngr_t, dirmngr_var_run_t, { dir file }) kernel_read_crypto_sysctls(dirmngr_t) +dev_read_rand(dirmngr_t) +sysnet_dns_name_resolve(dirmngr_t) + +corenet_tcp_connect_pgpkeyserver_port(dirmngr_t) +corenet_udp_bind_generic_node(dirmngr_t) +corenet_udp_bind_all_unreserved_ports(dirmngr_t) files_read_etc_files(dirmngr_t)
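Review bot: `corenet_udp_bind_all_unreserved_ports(dirmngr_t)` is unusual for a client and deserves a comment: the quoted AVC shows `name_bind` on src=19321 from a thread named `conn fd=6`, which is consistent with dirmngr's built-in resolver choosing a random source port outside the ephemeral range for DNS queries (as I read the SELinux bind hook, ports inside the local port range skip name_bind, which is why ordinary clients never need this). Record that next to the rule, e.g. `# dirmngr's internal resolver binds random source ports for DNS queries (see AVC)`, so nobody later reads it as a listening service. Keyserver access is limited to `pgpkeyserver_port` (hkp); hkps or http(s) keyservers would additionally need the http ports, which this hunk does not grant — worth stating whether that is intentional.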
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: 1eec4f19a444a8bc6e8387f83318139d7182a6b0 Author: Jason Zaman perfinion com> AuthorDate: Sat Aug 13 16:37:55 2016 + Commit: Jason Zaman gentoo org> CommitDate: Sun May 7 17:40:30 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1eec4f19 virt: kernel_read_system_state policy/modules/contrib/virt.te | 4 1 file changed, 4 insertions(+) diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te index b30765c8..fb3c3f37 100644 --- a/policy/modules/contrib/virt.te +++ b/policy/modules/contrib/virt.te @@ -1331,6 +1331,8 @@ files_pid_filetrans(virtlockd_t, virtlockd_run_t, file) can_exec(virtlockd_t, virtlockd_exec_t) +kernel_read_system_state(virtlockd_t) + files_read_etc_files(virtlockd_t) files_list_var_lib(virtlockd_t) @@ -1357,6 +1359,8 @@ files_pid_filetrans(virtlogd_t, virtlogd_run_t, file) can_exec(virtlogd_t, virtlogd_exec_t) +kernel_read_system_state(virtlogd_t) + files_read_etc_files(virtlogd_t) files_list_var_lib(virtlogd_t)
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: 4028862f0d420c5beed9c6e7fb9887a7805dce26 Author: Jason Zaman perfinion com> AuthorDate: Thu Aug 11 05:49:02 2016 + Commit: Jason Zaman gentoo org> CommitDate: Sun Apr 30 09:31:51 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4028862f virt: need to relabel to set categories libvirtError: unable to set security context 'system_u:object_r:svirt_image_t:s0:c50,c346' on '/var/lib/libvirt/qemu/domain-1-zfstest': Permission denied policy/modules/contrib/virt.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te index 42e68a29..3da04ef9 100644 --- a/policy/modules/contrib/virt.te +++ b/policy/modules/contrib/virt.te @@ -501,6 +501,7 @@ filetrans_pattern(virtd_t, virt_home_t, virt_content_t, dir, "isos") allow virtd_t virtd_keytab_t:file read_file_perms; allow virtd_t svirt_var_run_t:file relabel_file_perms; +allow virtd_t svirt_var_run_t:dir relabel_dir_perms; manage_dirs_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t) manage_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t) manage_sock_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: 8cd3d83d2ea5cec1b77b5609cfd47a768e54fb31 Author: Jason Zaman perfinion com> AuthorDate: Thu May 12 16:49:07 2016 + Commit: Jason Zaman gentoo org> CommitDate: Sun Apr 30 09:31:51 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8cd3d83d virt: add policy for virtlogd policy/modules/contrib/virt.fc | 1 + policy/modules/contrib/virt.te | 42 ++ 2 files changed, 43 insertions(+) diff --git a/policy/modules/contrib/virt.fc b/policy/modules/contrib/virt.fc index 22c1ed70..dca262ab 100644 --- a/policy/modules/contrib/virt.fc +++ b/policy/modules/contrib/virt.fc @@ -32,6 +32,7 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t /usr/sbin/libvirt-qmf -- gen_context(system_u:object_r:virt_qmf_exec_t,s0) /usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0) /usr/sbin/virtlockd-- gen_context(system_u:object_r:virtlockd_exec_t,s0) +/usr/sbin/virtlogd -- gen_context(system_u:object_r:virtlogd_exec_t,s0) /var/cache/libvirt(/.*)? gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh) diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te index eb72843f..e1a3bcaf 100644 --- a/policy/modules/contrib/virt.te +++ b/policy/modules/contrib/virt.te @@ -208,12 +208,21 @@ files_pid_file(virtlockd_run_t) type virtlockd_var_lib_t; files_type(virtlockd_var_lib_t) +type virtlogd_t; +type virtlogd_exec_t; +init_daemon_domain(virtlogd_t, virtlogd_exec_t) + +type virtlogd_run_t; +files_pid_file(virtlogd_run_t) + ifdef(`enable_mcs',` init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - mcs_systemhigh) + init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mcs_systemhigh) ') ifdef(`enable_mls',` init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - mls_systemhigh) + init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mls_systemhigh) ') 
@@ -234,6 +243,9 @@ allow virt_domain virtd_t:fd use; allow virt_domain virtd_t:fifo_file rw_fifo_file_perms; allow virt_domain virtd_t:process sigchld; +allow virt_domain virtlogd_t:fd use; +allow virt_domain virtlogd_t:fifo_file rw_fifo_file_perms; + dontaudit virt_domain virtd_t:unix_stream_socket { read write }; manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t) @@ -472,6 +484,9 @@ dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh }; allow virtd_t { virt_domain svirt_lxc_domain }:unix_stream_socket { create_stream_socket_perms connectto }; allow virtd_t svirt_lxc_domain:process signal_perms; +allow virtd_t virtlogd_t:fd use; +allow virtd_t virtlogd_t:fifo_file rw_fifo_file_perms; + allow virtd_t virtd_lxc_t:process { signal signull sigkill }; domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t) @@ -558,6 +573,7 @@ filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t) +stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t) can_exec(virtd_t, virt_tmp_t) 
@@ -1319,3 +1335,29 @@ miscfiles_read_localization(virtlockd_t) virt_append_log(virtlockd_t) virt_read_config(virtlockd_t) + + +# +# Virtlogd local policy +# + +allow virtlogd_t self:fifo_file rw_fifo_file_perms; + +allow virtlogd_t virtd_t:dir list_dir_perms; +allow virtlogd_t virtd_t:file read_file_perms; +allow virtlogd_t virtd_t:lnk_file read_lnk_file_perms; + +manage_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t) +manage_sock_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t) +filetrans_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t, sock_file) +files_pid_filetrans(virtlogd_t, virtlogd_run_t, file) + +can_exec(virtlogd_t, virtlogd_exec_t) + +files_read_etc_files(virtlogd_t) +files_list_var_lib(virtlogd_t) + +miscfiles_read_localization(virtlogd_t) + +virt_manage_log(virtlogd_t) +virt_read_config(virtlogd_t)
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: 68b598ef6438c11db428e893825e494d76f3fac1 Author: Jason Zaman perfinion com> AuthorDate: Sun Apr 16 06:38:47 2017 + Commit: Jason Zaman gentoo org> CommitDate: Sun Apr 30 09:31:52 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=68b598ef gpg dirmngr: create and connect to socket policy/modules/contrib/dirmngr.fc | 2 ++ policy/modules/contrib/dirmngr.if | 22 + policy/modules/contrib/dirmngr.te | 13 + policy/modules/contrib/gpg.if | 41 +++ policy/modules/contrib/gpg.te | 1 + 5 files changed, 79 insertions(+) diff --git a/policy/modules/contrib/dirmngr.fc b/policy/modules/contrib/dirmngr.fc index a0f261c9..a9cf15a8 100644 --- a/policy/modules/contrib/dirmngr.fc +++ b/policy/modules/contrib/dirmngr.fc @@ -12,3 +12,5 @@ /run/dirmngr\.pid -- gen_context(system_u:object_r:dirmngr_var_run_t,s0) /run/dirmngr(/.*)? gen_context(system_u:object_r:dirmngr_var_run_t,s0) + +/run/user/%{USERID}/gnupg/S.dirmngr-s gen_context(system_u:object_r:dirmngr_tmp_t,s0) diff --git a/policy/modules/contrib/dirmngr.if b/policy/modules/contrib/dirmngr.if index 2f6875a6..989af34a 100644 --- a/policy/modules/contrib/dirmngr.if +++ b/policy/modules/contrib/dirmngr.if @@ -71,6 +71,28 @@ interface(`dirmngr_exec',` ## +## Connect to dirmngr socket +## +## +## +## Domain allowed access. +## +## +# +interface(`dirmngr_stream_connect',` + gen_require(` + type dirmngr_t, dirmngr_tmp_t; + ') + + gpg_search_agent_tmp_dirs($1) + allow $1 dirmngr_tmp_t:sock_file write_sock_file_perms; + allow $1 dirmngr_t:unix_stream_socket connectto; + userdom_search_user_runtime($1) + userdom_search_user_home_dirs($1) +') + + +## ## All of the rules required to ## administrate an dirmngr environment. ## diff --git a/policy/modules/contrib/dirmngr.te b/policy/modules/contrib/dirmngr.te index 23f40456..8e4a1a89 100644 --- a/policy/modules/contrib/dirmngr.te +++ b/policy/modules/contrib/dirmngr.te 
@@ -18,6 +18,9 @@ init_script_file(dirmngr_initrc_exec_t) type dirmngr_log_t; logging_log_file(dirmngr_log_t) +type dirmngr_tmp_t; +userdom_user_tmp_file(dirmngr_tmp_t) + type dirmngr_var_lib_t; files_type(dirmngr_var_lib_t) @@ -46,6 +49,8 @@ manage_files_pattern(dirmngr_t, dirmngr_var_lib_t, dirmngr_var_lib_t) manage_lnk_files_pattern(dirmngr_t, dirmngr_var_lib_t, dirmngr_var_lib_t) files_var_lib_filetrans(dirmngr_t, dirmngr_var_lib_t, dir) +manage_sock_files_pattern(dirmngr_t, dirmngr_tmp_t, dirmngr_tmp_t) + manage_dirs_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t) manage_files_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t) manage_sock_files_pattern(dirmngr_t, dirmngr_var_run_t, dirmngr_var_run_t) @@ -56,3 +61,11 @@ kernel_read_crypto_sysctls(dirmngr_t) files_read_etc_files(dirmngr_t) miscfiles_read_localization(dirmngr_t) + +userdom_search_user_home_dirs(dirmngr_t) +userdom_search_user_runtime(dirmngr_t) +userdom_user_runtime_filetrans(dirmngr_t, dirmngr_tmp_t, dir) + +optional_policy(` + gpg_agent_tmp_filetrans(dirmngr_t, dirmngr_tmp_t, sock_file) +') diff --git a/policy/modules/contrib/gpg.if b/policy/modules/contrib/gpg.if index ef87..d34cfbc0 100644 --- a/policy/modules/contrib/gpg.if +++ b/policy/modules/contrib/gpg.if 
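Review bot: `dirmngr_tmp_t` is declared with `userdom_user_tmp_file`, yet the only object the fc hunk labels with it is the socket under `/run/user/%{USERID}/gnupg/`, created through `userdom_user_runtime_filetrans` and `gpg_agent_tmp_filetrans`, so this is user runtime content carrying a tmp name and tmp attributes, and any interface granting blanket access to user tmp content reaches the socket too. If this refpolicy revision has a user runtime content interface, declaring the type with it (and naming it accordingly) keeps the socket out of the tmp aggregate; otherwise a comment on the declaration, e.g. `# socket lives in the user runtime dir, not /tmp`, should record the mismatch. The `userdom_user_runtime_filetrans(dirmngr_t, dirmngr_tmp_t, dir)` line additionally lets dirmngr create a dirmngr_tmp_t directory directly under the user runtime dir, which no fc entry covers — confirm it is actually needed.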
@@ -216,6 +216,47 @@ interface(`gpg_stream_connect_agent',` ## +## Search gpg agent dirs. +## +## +## +## Domain allowed access. +## +## +# +interface(`gpg_search_agent_tmp_dirs',` + gen_require(` + type gpg_agent_tmp_t; + ') + + allow $1 gpg_agent_tmp_t:dir search_dir_perms; +') + + +## +## filetrans in gpg_agent_tmp_t dirs +## +## +## +## Domain allowed access. +## +## +# +interface(`gpg_agent_tmp_filetrans',` + gen_require(` + type gpg_agent_t, gpg_agent_tmp_t; + type gpg_secret_t; + ') + + filetrans_pattern($1, gpg_agent_tmp_t, $2, $3, $4) + stream_connect_pattern($1, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t) + allow $1 gpg_secret_t:dir search_dir_perms; + userdom_search_user_runtime($1) + userdom_search_user_home_dirs($1) +') + + +## ## Send messages to and from gpg ## pinentry over DBUS. ## diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te index 1b8448c7..140d8d94 100644 --- a/policy/modules/contrib/gpg.te +++ b/policy/modules/contrib/gpg.te @@ -140,6 +140,7 @@ tunable_policy(`use_samba_home_dirs',` optional_policy(` dirmngr_domtrans(gpg_t) + dirmngr_stream_connect(gpg_t) ') optional_policy(`
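Review bot: `gpg_agent_tmp_filetrans` grants more than its name and summary ("filetrans in gpg_agent_tmp_t dirs") state: the `stream_connect_pattern($1, gpg_agent_tmp_t, gpg_agent_tmp_t, gpg_agent_t)` line lets every caller connect to the gpg-agent socket, and `allow $1 gpg_secret_t:dir search_dir_perms;` opens the secret keyring directory to search. A caller that only wants to place its own socket in the agent directory (dirmngr_t in dirmngr.te) silently acquires a channel to the agent; either leave the connect to the existing `gpg_stream_connect_agent` visible as context above and have dirmngr.te call both, or at least change the summary to "filetrans in gpg_agent_tmp_t dirs and connect to the agent socket" so the grant is visible to policy readers. The `$2`, `$3` and `$4` parameters are also undocumented — the XML header declares only the domain.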
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: 53b8a092b78b1f48530145ef0d62cbfeccf47cb0 Author: Jason Zaman perfinion com> AuthorDate: Wed Aug 31 15:03:49 2016 + Commit: Jason Zaman gentoo org> CommitDate: Sun Apr 30 09:31:51 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=53b8a092 WIP virt: image type perms policy/modules/contrib/virt.te | 7 +++ 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te index 0f82a04e..5df86d7b 100644 --- a/policy/modules/contrib/virt.te +++ b/policy/modules/contrib/virt.te @@ -468,7 +468,7 @@ tunable_policy(`virt_use_vfio',` # allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setgid setpcap setuid sys_admin sys_nice }; -allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched }; +allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setrlimit setsockcreate setsched }; allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto }; allow virtd_t self:unix_stream_socket { accept connectto listen relabelfrom relabelto }; allow virtd_t self:tcp_socket { accept listen }; @@ -530,9 +530,9 @@ manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type) manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type) allow virtd_t virt_image_type:file relabel_file_perms; +allow virtd_t virt_image_type:dir { manage_dir_perms relabel_dir_perms }; allow virtd_t virt_image_type:blk_file relabel_blk_file_perms; allow virtd_t virt_image_type:chr_file relabel_chr_file_perms; -allow virtd_t virt_image_type:chr_file relabel_chr_file_perms; allow virtd_t virt_ptynode:chr_file rw_term_perms; 
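Review bot: The first hunk makes `setrlimit` an unconditional member of `allow virtd_t self:process { ... }`, and the last hunk (`@@ -714,7 +714,6 @@`, on the next line) deletes the same permission from inside `tunable_policy(\`virt_use_vfio', ...)`, so a permission previously gated behind the vfio boolean is now granted by default while the companion `self:capability sys_resource` stays inside the tunable. If libvirtd needs setrlimit outside the vfio case this is fine but deserves a sentence in the commit message; if not, the deletion should be reverted so the tunable remains the single place granting it. The commit is marked WIP and the identical patch is carried again as ba43f301 below, so both copies need the same resolution.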
@@ -572,7 +572,7 @@ manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) -stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) +stream_connect_pattern(virtd_t, { virt_image_type svirt_var_run_t }, { virt_image_type svirt_var_run_t}, virt_domain) stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t) stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t) @@ -714,7 +714,6 @@ tunable_policy(`virt_use_samba',` tunable_policy(`virt_use_vfio',` allow virtd_t self:capability sys_resource; - allow virtd_t self:process setrlimit; allow virtd_t svirt_t:process rlimitinh; dev_relabelfrom_vfio_dev(virtd_t) ')
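Review bot: The widened `stream_connect_pattern(virtd_t, { virt_image_type svirt_var_run_t }, { virt_image_type svirt_var_run_t}, virt_domain)` lets libvirtd search any directory and write any sock_file carrying a virt_image_type type, not just the svirt runtime dir, and nothing records which guest socket is expected beside an image; if the attribute also covers the home-directory content types this series labels (`HOME_DIR/VirtualMachines/...` in virt.fc), the connect path extends into user home directories. A comment above the line, e.g. `# qemu creates <socket> next to the disk image — TODO name it`, plus narrowing the dir/sock_file sets to the specific image type that hosts the socket would keep the grant reviewable. The second set is also missing a space before its closing brace. The same hunk recurs in ba43f301 below.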
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: e368d3f63f74686ff708251d692666b8bb2a9376 Author: Jason Zaman perfinion com> AuthorDate: Thu Mar 30 07:15:39 2017 + Commit: Jason Zaman gentoo org> CommitDate: Sun Apr 30 09:31:51 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e368d3f6 gssproxy: add policy borrowed and modified from Fedora policy/modules/contrib/gssproxy.fc | 8 ++ policy/modules/contrib/gssproxy.if | 199 + policy/modules/contrib/gssproxy.te | 67 + 3 files changed, 274 insertions(+) diff --git a/policy/modules/contrib/gssproxy.fc b/policy/modules/contrib/gssproxy.fc new file mode 100644 index ..a9970159 --- /dev/null +++ b/policy/modules/contrib/gssproxy.fc @@ -0,0 +1,8 @@ +/usr/lib/systemd/system/gssproxy.service -- gen_context(system_u:object_r:gssproxy_unit_t,s0) + +/usr/sbin/gssproxy -- gen_context(system_u:object_r:gssproxy_exec_t,s0) + +/var/lib/gssproxy(/.*)? gen_context(system_u:object_r:gssproxy_var_lib_t,s0) + +/run/gssproxy\.pid -- gen_context(system_u:object_r:gssproxy_run_t,s0) +/run/gssproxy\.sock-s gen_context(system_u:object_r:gssproxy_run_t,s0) diff --git a/policy/modules/contrib/gssproxy.if b/policy/modules/contrib/gssproxy.if new file mode 100644 index ..cebdb20b --- /dev/null +++ b/policy/modules/contrib/gssproxy.if 
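Review bot: The fc labels the daemon socket only under `/run` (`/run/gssproxy\.sock -s gen_context(system_u:object_r:gssproxy_run_t,s0)`), yet `gssproxy_stream_connect` in the gssproxy.if hunk that follows also grants `stream_connect_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t, gssproxy_t)`; with no socket labelled under `/var/lib/gssproxy` that second pattern is a dormant grant letting every connecting domain write sock_files in the state directory. If a socket is expected there, add the matching fc entry; otherwise drop the var_lib pattern from the interface. The same import is committed again as 4977eb8d below.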
@@ -0,0 +1,199 @@ + +## policy for gssproxy + + +## +## Execute gssproxy in the gssproxy domin. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`gssproxy_domtrans',` + gen_require(` + type gssproxy_t, gssproxy_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, gssproxy_exec_t, gssproxy_t) +') + + +## +## Search gssproxy lib directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`gssproxy_search_lib',` + gen_require(` + type gssproxy_var_lib_t; + ') + + allow $1 gssproxy_var_lib_t:dir search_dir_perms; + files_search_var_lib($1) +') + + +## +## Read gssproxy lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`gssproxy_read_lib_files',` + gen_require(` + type gssproxy_var_lib_t; + ') + + files_search_var_lib($1) + read_files_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t) +') + + +## +## Manage gssproxy lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`gssproxy_manage_lib_files',` + gen_require(` + type gssproxy_var_lib_t; + ') + + files_search_var_lib($1) + manage_files_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t) +') + + +## +## Manage gssproxy lib directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`gssproxy_manage_lib_dirs',` + gen_require(` + type gssproxy_var_lib_t; + ') + + files_search_var_lib($1) + manage_dirs_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t) +') + + +## +## Read gssproxy PID files. +## +## +## +## Domain allowed access. +## +## +# +interface(`gssproxy_read_pid_files',` + gen_require(` + type gssproxy_run_t; + ') + + files_search_pids($1) + read_files_pattern($1, gssproxy_run_t, gssproxy_run_t) +') + + +## +## Execute gssproxy server in the gssproxy domain. +## +## +## +## Domain allowed to transition. 
+## +## +# +interface(`gssproxy_systemctl',` + gen_require(` + type gssproxy_t; + type gssproxy_unit_t; + ') + + systemd_exec_systemctl($1) + init_reload_services($1) + allow $1 gssproxy_unit_t:file read_file_perms; + allow $1 gssproxy_unit_t:service manage_service_perms; + + ps_process_pattern($1, gssproxy_t) +') + + +## +## Connect to gssproxy over an unix +## domain stream socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`gssproxy_stream_connect',` + gen_require(` + type gssproxy_t, gssproxy_run_t, gssproxy_var_lib_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, gssproxy_run_t, gssproxy_run_t, gssproxy_t) + stream_connect_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t, gssproxy_t) +') + + +## +## All of the rules required to administrate +## an gssproxy env
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: 7322c4d5d862125810e0772343c5870ea5c6cee5 Author: Jason Zaman perfinion com> AuthorDate: Wed Feb 15 17:15:58 2017 + Commit: Jason Zaman gentoo org> CommitDate: Sun Apr 30 09:31:51 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7322c4d5 kerberos: Introduce kerberos_filetrans_named_content interface policy/modules/contrib/kerberos.if | 37 + 1 file changed, 37 insertions(+) diff --git a/policy/modules/contrib/kerberos.if b/policy/modules/contrib/kerberos.if index 01caeead..d9d5811f 100644 --- a/policy/modules/contrib/kerberos.if +++ b/policy/modules/contrib/kerberos.if 
@@ -466,6 +466,43 @@ interface(`kerberos_connect_524',` ## +## Transition to kerberos named content +## +## +## +## Domain allowed access. +## +## +# +interface(`kerberos_filetrans_named_content',` + gen_require(` + type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t; + type krb5kdc_principal_t; + ') + + files_etc_filetrans($1, krb5_conf_t, file, "krb5.conf") + filetrans_pattern($1, krb5kdc_conf_t, krb5_keytab_t, file, "kadm5.keytab") + filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal") + filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal0") + filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal1") + #filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal1") + + kerberos_etc_filetrans_keytab($1, file, "krb5.keytab") + #kerberos_filetrans_admin_home_content($1) + + kerberos_tmp_filetrans_host_rcache($1, file, "DNS_25") + kerberos_tmp_filetrans_host_rcache($1, file, "host_0") + kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_23") + kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_48") + kerberos_tmp_filetrans_host_rcache($1, file, "imap_0") + kerberos_tmp_filetrans_host_rcache($1, file, "nfs_0") + kerberos_tmp_filetrans_host_rcache($1, file, "ldapmap1_0") + kerberos_tmp_filetrans_host_rcache($1, file, "ldap_487") + kerberos_tmp_filetrans_host_rcache($1, file, "ldap_55") +') + + +## ## All of the rules required to ## administrate an kerberos environment. ##
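Review bot: `kerberos_filetrans_named_content` lands with two commented-out rules — `#filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal1")`, a duplicate of the live line above it, and `#kerberos_filetrans_admin_home_content($1)` — that should be removed or explained before the interface is merged. The `kerberos_tmp_filetrans_host_rcache` list hard-codes service_UID names (`DNS_25`, `HTTP_48`, `ldap_487`, ...) that appear tied to one distribution's UID assignments, so a replay cache created under any other name keeps the default tmp label and the transition silently does nothing; the summary should say so, e.g. `## Named file transitions for kerberos content; rcache names are service_UID and may need local adjustment.` The current summary "Transition to kerberos named content" also reads like a domain transition rather than the file type transitions the body performs. The same hunk is repeated in 7b417b60 below.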
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: df8fecccf2694a0351ce8bdb03e1a0abc7845984 Author: Jason Zaman perfinion com> AuthorDate: Thu Mar 30 04:58:28 2017 + Commit: Jason Zaman gentoo org> CommitDate: Sun Apr 30 09:31:51 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=df8feccc dirmngr: add to roles and allow gpg to domtrans policy/modules/contrib/dirmngr.if | 69 +++ policy/modules/contrib/gpg.te | 4 +++ 2 files changed, 73 insertions(+) diff --git a/policy/modules/contrib/dirmngr.if b/policy/modules/contrib/dirmngr.if index 4cd2810e..2f6875a6 100644 --- a/policy/modules/contrib/dirmngr.if +++ b/policy/modules/contrib/dirmngr.if @@ -1,5 +1,74 @@ ## Server for managing and downloading certificate revocation lists. + +## +## Role access for dirmngr. +## +## +## +## Role allowed access. +## +## +## +## +## User domain for the role. +## +## +# +interface(`dirmngr_role',` + gen_require(` + type dirmngr_t, dirmngr_exec_t; + ') + + role $1 types dirmngr_t; + + domtrans_pattern($2, dirmngr_exec_t, dirmngr_t) + + allow $2 dirmngr_t:process { ptrace signal_perms }; + ps_process_pattern($2, dirmngr_t) + + allow dirmngr_t $2:fd use; + allow dirmngr_t $2:fifo_file { read write }; +') + + +## +## Execute dirmngr in the dirmngr domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`dirmngr_domtrans',` + gen_require(` + type dirmngr_t, dirmngr_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, dirmngr_exec_t, dirmngr_t) +') + + +## +## Execute the dirmngr in the caller domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`dirmngr_exec',` + gen_require(` + type dirmngr_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, dirmngr_exec_t) +') + ## ## All of the rules required to diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te index c145fb4c..1b8448c7 100644 --- a/policy/modules/contrib/gpg.te +++ b/policy/modules/contrib/gpg.te 
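Review bot: `dirmngr_role` grants `allow $2 dirmngr_t:process { ptrace signal_perms };`, so every user domain given the role can ptrace dirmngr and read the memory of the process that fetches CRLs and keyserver data from the network; ptrace goes well beyond the `ps_process_pattern($2, dirmngr_t)` that follows it. If the permission is only there for debugging, consider leaving it out of the role interface or adding a comment stating why the user domain needs to trace dirmngr. `dirmngr_domtrans` and `dirmngr_exec` follow the usual refpolicy shape. This commit is repeated as c9989029 below.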
@@ -139,6 +139,10 @@ tunable_policy(`use_samba_home_dirs',`
 ')
 optional_policy(`
+ dirmngr_domtrans(gpg_t)
+')
+
+optional_policy(`
 evolution_read_orbit_tmp_files(gpg_t)
 ')
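Review bot: The new `optional_policy(\` dirmngr_domtrans(gpg_t) ')` block is indented with a single space in the collapsed text while the surrounding refpolicy blocks use a tab; worth checking the committed file uses the tab so the style check does not flag it. No functional concern: the transition is correctly wrapped in `optional_policy` since dirmngr is a separate contrib module.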
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: 9ad7c51d8626203c3f8661cf39873b4643fe5b94 Author: Jason Zaman perfinion com> AuthorDate: Sat Aug 13 16:37:55 2016 + Commit: Jason Zaman gentoo org> CommitDate: Sun Apr 30 09:31:51 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9ad7c51d virt: kernel_read_system_state policy/modules/contrib/virt.te | 4 1 file changed, 4 insertions(+)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index 3da04ef9..0f82a04e 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1331,6 +1331,8 @@ files_pid_filetrans(virtlockd_t, virtlockd_run_t, file)
 can_exec(virtlockd_t, virtlockd_exec_t)
+kernel_read_system_state(virtlockd_t)
+
 files_read_etc_files(virtlockd_t)
 files_list_var_lib(virtlockd_t)
@@ -1357,6 +1359,8 @@ files_pid_filetrans(virtlogd_t, virtlogd_run_t, file)
 can_exec(virtlogd_t, virtlogd_exec_t)
+kernel_read_system_state(virtlogd_t)
+
 files_read_etc_files(virtlogd_t)
 files_list_var_lib(virtlogd_t)
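Review bot: `kernel_read_system_state` gives virtlockd_t and virtlogd_t read access to the general proc_t system state, but neither the commit message nor the hunks say which file either daemon actually opens, so a later reviewer cannot judge whether a narrower interface would do. A one-line comment above each call naming the path, e.g. `# reads /proc/<path> — TODO confirm from the AVC`, would keep the grant reviewable. The same two-line change is committed again as b43c below.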
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/, policy/modules/system/, policy/modules/kernel/
commit: 418b4e8cafc67cf484c670c3267331fd365af0cb Author: Jason Zaman perfinion com> AuthorDate: Thu Mar 30 07:30:55 2017 + Commit: Jason Zaman gentoo org> CommitDate: Sun Apr 30 09:31:51 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=418b4e8c gssproxy: Allow others to stream connect kernel AVC: * Starting gssproxy ... Failed to write to /proc/net/rpc/use-gss-proxy: 13 (Permission denied) * start-stop-daemon: failed to start `gssproxy' type=AVC msg=audit(1490858215.578:386110): avc: denied { connectto } for pid=25447 comm="gssproxy" path="/run/gssproxy.sock" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=unix_stream_socket permissive=0 policy/modules/contrib/rpc.te | 3 +++ policy/modules/kernel/kernel.te | 4 policy/modules/system/userdomain.if | 4 3 files changed, 11 insertions(+) diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te index 0b9a71fc..5dd5d781 100644 --- a/policy/modules/contrib/rpc.te +++ b/policy/modules/contrib/rpc.te @@ -339,6 +339,9 @@ optional_policy(` ') optional_policy(` + gssproxy_stream_connect(gssd_t) +') +optional_policy(` kerberos_manage_host_rcache(gssd_t) kerberos_read_keytab(gssd_t) kerberos_tmp_filetrans_host_rcache(gssd_t, file, "nfs_0") diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te index 639b8454..f6b2a22b 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -416,6 +416,10 @@ optional_policy(` rpc_tcp_rw_nfs_sockets(kernel_t) rpc_udp_rw_nfs_sockets(kernel_t) + optional_policy(` + gssproxy_stream_connect(kernel_t) + ') + tunable_policy(`nfs_export_all_ro',` fs_getattr_noxattr_fs(kernel_t) fs_list_noxattr_fs(kernel_t) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index dbfb33da..55512c04 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if 
@@ -726,6 +726,10 @@ template(`userdom_common_user_template',`
 ')
 optional_policy(`
+ gssproxy_stream_connect($1_t)
+ ')
+
+ optional_policy(`
 hwloc_exec_dhwd($1_t)
 hwloc_read_runtime_files($1_t)
 ')
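Review bot: The AVC quoted in the description is for kernel_t only, yet this hunk adds `gssproxy_stream_connect($1_t)` to `userdom_common_user_template`, handing every common user domain a connection to the gssproxy socket with no motivating denial and no comment. gssproxy exists to serve unprivileged clients, so the grant may well be wanted, but it belongs either behind a short comment (e.g. `# let users obtain GSSAPI credentials through gssproxy`) or behind a tunable, so sites that run gssproxy only for the kernel's NFS client can keep it closed. The rpc.te and kernel.te hunks above are covered by the quoted denial.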
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: 900b67711c6e9c97828a61cc4922a0bc8b9b535f Author: Jason Zaman perfinion com> AuthorDate: Fri May 27 20:44:51 2016 + Commit: Jason Zaman gentoo org> CommitDate: Sun Apr 30 09:31:51 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=900b6771 virt: virtlockd doesnt need ps_process_pattern policy/modules/contrib/virt.te | 6 -- 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te
index e1a3bcaf..42e68a29 100644
--- a/policy/modules/contrib/virt.te
+++ b/policy/modules/contrib/virt.te
@@ -1308,6 +1308,10 @@ kernel_dontaudit_read_system_state(virt_leaseshelper_t)
 allow virtlockd_t self:capability dac_override;
 allow virtlockd_t self:fifo_file rw_fifo_file_perms;
+allow virtlockd_t virtd_t:dir list_dir_perms;
+allow virtlockd_t virtd_t:file read_file_perms;
+allow virtlockd_t virtd_t:lnk_file read_lnk_file_perms;
+
 allow virtlockd_t virt_image_type:dir list_dir_perms;
 allow virtlockd_t virt_image_type:file rw_file_perms;
@@ -1326,8 +1330,6 @@ files_pid_filetrans(virtlockd_t, virtlockd_run_t, file)
 can_exec(virtlockd_t, virtlockd_exec_t)
-ps_process_pattern(virtlockd_t, virtd_t)
-
 files_read_etc_files(virtlockd_t)
 files_list_var_lib(virtlockd_t)
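Review bot: The replacement keeps three of the four rules `ps_process_pattern(virtlockd_t, virtd_t)` expands to (`dir list_dir_perms`, `file read_file_perms`, `lnk_file read_lnk_file_perms` on virtd_t) and drops only `process getattr`, so the subject "doesnt need ps_process_pattern" overstates the change: the net effect is a trimmed, open-coded copy rather than a removal. If the goal is to document what virtlockd reads under libvirtd's /proc entry, a comment above the new block, e.g. `# virtlockd reads /proc/<libvirtd pid>/... — TODO name the file`, would make the open coding defensible; otherwise the pattern was the more compact form. The same patch is repeated as 0f4d3222 below.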
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: 4977eb8dd00874ce90306272d9b4edfad209f14b Author: Jason Zaman perfinion com> AuthorDate: Thu Mar 30 07:15:39 2017 + Commit: Jason Zaman gentoo org> CommitDate: Thu Mar 30 16:50:40 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4977eb8d gssproxy: add policy borrowed and modified from Fedora policy/modules/contrib/gssproxy.fc | 8 ++ policy/modules/contrib/gssproxy.if | 199 + policy/modules/contrib/gssproxy.te | 67 + 3 files changed, 274 insertions(+) diff --git a/policy/modules/contrib/gssproxy.fc b/policy/modules/contrib/gssproxy.fc new file mode 100644 index ..a9970159 --- /dev/null +++ b/policy/modules/contrib/gssproxy.fc @@ -0,0 +1,8 @@ +/usr/lib/systemd/system/gssproxy.service -- gen_context(system_u:object_r:gssproxy_unit_t,s0) + +/usr/sbin/gssproxy -- gen_context(system_u:object_r:gssproxy_exec_t,s0) + +/var/lib/gssproxy(/.*)? gen_context(system_u:object_r:gssproxy_var_lib_t,s0) + +/run/gssproxy\.pid -- gen_context(system_u:object_r:gssproxy_run_t,s0) +/run/gssproxy\.sock-s gen_context(system_u:object_r:gssproxy_run_t,s0) diff --git a/policy/modules/contrib/gssproxy.if b/policy/modules/contrib/gssproxy.if new file mode 100644 index ..cebdb20b --- /dev/null +++ b/policy/modules/contrib/gssproxy.if 
@@ -0,0 +1,199 @@ + +## policy for gssproxy + + +## +## Execute gssproxy in the gssproxy domin. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`gssproxy_domtrans',` + gen_require(` + type gssproxy_t, gssproxy_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, gssproxy_exec_t, gssproxy_t) +') + + +## +## Search gssproxy lib directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`gssproxy_search_lib',` + gen_require(` + type gssproxy_var_lib_t; + ') + + allow $1 gssproxy_var_lib_t:dir search_dir_perms; + files_search_var_lib($1) +') + + +## +## Read gssproxy lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`gssproxy_read_lib_files',` + gen_require(` + type gssproxy_var_lib_t; + ') + + files_search_var_lib($1) + read_files_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t) +') + + +## +## Manage gssproxy lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`gssproxy_manage_lib_files',` + gen_require(` + type gssproxy_var_lib_t; + ') + + files_search_var_lib($1) + manage_files_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t) +') + + +## +## Manage gssproxy lib directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`gssproxy_manage_lib_dirs',` + gen_require(` + type gssproxy_var_lib_t; + ') + + files_search_var_lib($1) + manage_dirs_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t) +') + + +## +## Read gssproxy PID files. +## +## +## +## Domain allowed access. +## +## +# +interface(`gssproxy_read_pid_files',` + gen_require(` + type gssproxy_run_t; + ') + + files_search_pids($1) + read_files_pattern($1, gssproxy_run_t, gssproxy_run_t) +') + + +## +## Execute gssproxy server in the gssproxy domain. +## +## +## +## Domain allowed to transition. 
+## +## +# +interface(`gssproxy_systemctl',` + gen_require(` + type gssproxy_t; + type gssproxy_unit_t; + ') + + systemd_exec_systemctl($1) + init_reload_services($1) + allow $1 gssproxy_unit_t:file read_file_perms; + allow $1 gssproxy_unit_t:service manage_service_perms; + + ps_process_pattern($1, gssproxy_t) +') + + +## +## Connect to gssproxy over an unix +## domain stream socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`gssproxy_stream_connect',` + gen_require(` + type gssproxy_t, gssproxy_run_t, gssproxy_var_lib_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, gssproxy_run_t, gssproxy_run_t, gssproxy_t) + stream_connect_pattern($1, gssproxy_var_lib_t, gssproxy_var_lib_t, gssproxy_t) +') + + +## +## All of the rules required to administrate +## an gssproxy env
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: ba43f30169ea936eda2acc84c98ff25bbf644efe Author: Jason Zaman perfinion com> AuthorDate: Wed Aug 31 15:03:49 2016 + Commit: Jason Zaman gentoo org> CommitDate: Thu Mar 30 16:50:39 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ba43f301 WIP virt: image type perms policy/modules/contrib/virt.te | 7 +++ 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te index 0f82a04e..5df86d7b 100644 --- a/policy/modules/contrib/virt.te +++ b/policy/modules/contrib/virt.te @@ -468,7 +468,7 @@ tunable_policy(`virt_use_vfio',` # allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setgid setpcap setuid sys_admin sys_nice }; -allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched }; +allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setrlimit setsockcreate setsched }; allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto }; allow virtd_t self:unix_stream_socket { accept connectto listen relabelfrom relabelto }; allow virtd_t self:tcp_socket { accept listen }; @@ -530,9 +530,9 @@ manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type) manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type) allow virtd_t virt_image_type:file relabel_file_perms; +allow virtd_t virt_image_type:dir { manage_dir_perms relabel_dir_perms }; allow virtd_t virt_image_type:blk_file relabel_blk_file_perms; allow virtd_t virt_image_type:chr_file relabel_chr_file_perms; -allow virtd_t virt_image_type:chr_file relabel_chr_file_perms; allow virtd_t virt_ptynode:chr_file rw_term_perms; 
@@ -572,7 +572,7 @@ manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) -stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) +stream_connect_pattern(virtd_t, { virt_image_type svirt_var_run_t }, { virt_image_type svirt_var_run_t}, virt_domain) stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t) stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t) @@ -714,7 +714,6 @@ tunable_policy(`virt_use_samba',` tunable_policy(`virt_use_vfio',` allow virtd_t self:capability sys_resource; - allow virtd_t self:process setrlimit; allow virtd_t svirt_t:process rlimitinh; dev_relabelfrom_vfio_dev(virtd_t) ')
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: 7b417b60f1c8234ee350a88a86f7238df6cf41ee Author: Jason Zaman perfinion com> AuthorDate: Wed Feb 15 17:15:58 2017 + Commit: Jason Zaman gentoo org> CommitDate: Thu Mar 30 16:50:39 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7b417b60 kerberos: Introduce kerberos_filetrans_named_content interface policy/modules/contrib/kerberos.if | 37 + 1 file changed, 37 insertions(+) diff --git a/policy/modules/contrib/kerberos.if b/policy/modules/contrib/kerberos.if index 01caeead..d9d5811f 100644 --- a/policy/modules/contrib/kerberos.if +++ b/policy/modules/contrib/kerberos.if 
@@ -466,6 +466,43 @@ interface(`kerberos_connect_524',` ## +## Transition to kerberos named content +## +## +## +## Domain allowed access. +## +## +# +interface(`kerberos_filetrans_named_content',` + gen_require(` + type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t; + type krb5kdc_principal_t; + ') + + files_etc_filetrans($1, krb5_conf_t, file, "krb5.conf") + filetrans_pattern($1, krb5kdc_conf_t, krb5_keytab_t, file, "kadm5.keytab") + filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal") + filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal0") + filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal1") + #filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal1") + + kerberos_etc_filetrans_keytab($1, file, "krb5.keytab") + #kerberos_filetrans_admin_home_content($1) + + kerberos_tmp_filetrans_host_rcache($1, file, "DNS_25") + kerberos_tmp_filetrans_host_rcache($1, file, "host_0") + kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_23") + kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_48") + kerberos_tmp_filetrans_host_rcache($1, file, "imap_0") + kerberos_tmp_filetrans_host_rcache($1, file, "nfs_0") + kerberos_tmp_filetrans_host_rcache($1, file, "ldapmap1_0") + kerberos_tmp_filetrans_host_rcache($1, file, "ldap_487") + kerberos_tmp_filetrans_host_rcache($1, file, "ldap_55") +') + + +## ## All of the rules required to ## administrate an kerberos environment. ##
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: c9989029f0a837b7512f7b076fc5e5db711e1b38 Author: Jason Zaman perfinion com> AuthorDate: Thu Mar 30 04:58:28 2017 + Commit: Jason Zaman gentoo org> CommitDate: Thu Mar 30 16:50:40 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c9989029 dirmngr: add to roles and allow gpg to domtrans policy/modules/contrib/dirmngr.if | 69 +++ policy/modules/contrib/gpg.te | 4 +++ 2 files changed, 73 insertions(+) diff --git a/policy/modules/contrib/dirmngr.if b/policy/modules/contrib/dirmngr.if index 4cd2810e..2f6875a6 100644 --- a/policy/modules/contrib/dirmngr.if +++ b/policy/modules/contrib/dirmngr.if @@ -1,5 +1,74 @@ ## Server for managing and downloading certificate revocation lists. + +## +## Role access for dirmngr. +## +## +## +## Role allowed access. +## +## +## +## +## User domain for the role. +## +## +# +interface(`dirmngr_role',` + gen_require(` + type dirmngr_t, dirmngr_exec_t; + ') + + role $1 types dirmngr_t; + + domtrans_pattern($2, dirmngr_exec_t, dirmngr_t) + + allow $2 dirmngr_t:process { ptrace signal_perms }; + ps_process_pattern($2, dirmngr_t) + + allow dirmngr_t $2:fd use; + allow dirmngr_t $2:fifo_file { read write }; +') + + +## +## Execute dirmngr in the dirmngr domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`dirmngr_domtrans',` + gen_require(` + type dirmngr_t, dirmngr_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, dirmngr_exec_t, dirmngr_t) +') + + +## +## Execute the dirmngr in the caller domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`dirmngr_exec',` + gen_require(` + type dirmngr_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, dirmngr_exec_t) +') + ## ## All of the rules required to diff --git a/policy/modules/contrib/gpg.te b/policy/modules/contrib/gpg.te index 4345bd08..160c5f85 100644 --- a/policy/modules/contrib/gpg.te +++ b/policy/modules/contrib/gpg.te 
@@ -138,6 +138,10 @@ tunable_policy(`use_samba_home_dirs',`
 ')
 optional_policy(`
+ dirmngr_domtrans(gpg_t)
+')
+
+optional_policy(`
 evolution_read_orbit_tmp_files(gpg_t)
 ')
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: 15cc617da7710016c4aa47e0f9e42ed68ff36006 Author: Jason Zaman perfinion com> AuthorDate: Thu May 12 16:49:07 2016 + Commit: Jason Zaman gentoo org> CommitDate: Thu Mar 30 16:50:39 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=15cc617d virt: add policy for virtlogd policy/modules/contrib/virt.fc | 1 + policy/modules/contrib/virt.te | 42 ++ 2 files changed, 43 insertions(+) diff --git a/policy/modules/contrib/virt.fc b/policy/modules/contrib/virt.fc index 22c1ed70..dca262ab 100644 --- a/policy/modules/contrib/virt.fc +++ b/policy/modules/contrib/virt.fc @@ -32,6 +32,7 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t /usr/sbin/libvirt-qmf -- gen_context(system_u:object_r:virt_qmf_exec_t,s0) /usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0) /usr/sbin/virtlockd-- gen_context(system_u:object_r:virtlockd_exec_t,s0) +/usr/sbin/virtlogd -- gen_context(system_u:object_r:virtlogd_exec_t,s0) /var/cache/libvirt(/.*)? gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh) diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te index eb72843f..e1a3bcaf 100644 --- a/policy/modules/contrib/virt.te +++ b/policy/modules/contrib/virt.te @@ -208,12 +208,21 @@ files_pid_file(virtlockd_run_t) type virtlockd_var_lib_t; files_type(virtlockd_var_lib_t) +type virtlogd_t; +type virtlogd_exec_t; +init_daemon_domain(virtlogd_t, virtlogd_exec_t) + +type virtlogd_run_t; +files_pid_file(virtlogd_run_t) + ifdef(`enable_mcs',` init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - mcs_systemhigh) + init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mcs_systemhigh) ') ifdef(`enable_mls',` init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - mls_systemhigh) + init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mls_systemhigh) ') 
@@ -234,6 +243,9 @@ allow virt_domain virtd_t:fd use; allow virt_domain virtd_t:fifo_file rw_fifo_file_perms; allow virt_domain virtd_t:process sigchld; +allow virt_domain virtlogd_t:fd use; +allow virt_domain virtlogd_t:fifo_file rw_fifo_file_perms; + dontaudit virt_domain virtd_t:unix_stream_socket { read write }; manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t) @@ -472,6 +484,9 @@ dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh }; allow virtd_t { virt_domain svirt_lxc_domain }:unix_stream_socket { create_stream_socket_perms connectto }; allow virtd_t svirt_lxc_domain:process signal_perms; +allow virtd_t virtlogd_t:fd use; +allow virtd_t virtlogd_t:fifo_file rw_fifo_file_perms; + allow virtd_t virtd_lxc_t:process { signal signull sigkill }; domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t) @@ -558,6 +573,7 @@ filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t) +stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t) can_exec(virtd_t, virt_tmp_t) 
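Review bot: `allow virt_domain virtlogd_t:fd use;` and `allow virt_domain virtlogd_t:fifo_file rw_fifo_file_perms;` let every guest domain inherit and both read and write virtlogd's descriptors and pipes, mirroring the virtd_t rules in the context above, but nothing records the mechanism, so a reader cannot tell whether guests ever need to read from those pipes. A comment such as `# virtlogd hands the guest a pipe for its console/serial log output — TODO confirm guests never read it` above the pair (and above the matching virtd_t pair added in the third hunk) would pin the intent and make it possible to tighten `rw_fifo_file_perms` to the write side later if reads are unneeded.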
@@ -1319,3 +1335,29 @@ miscfiles_read_localization(virtlockd_t) virt_append_log(virtlockd_t) virt_read_config(virtlockd_t) + + +# +# Virtlogd local policy +# + +allow virtlogd_t self:fifo_file rw_fifo_file_perms; + +allow virtlogd_t virtd_t:dir list_dir_perms; +allow virtlogd_t virtd_t:file read_file_perms; +allow virtlogd_t virtd_t:lnk_file read_lnk_file_perms; + +manage_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t) +manage_sock_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t) +filetrans_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t, sock_file) +files_pid_filetrans(virtlogd_t, virtlogd_run_t, file) + +can_exec(virtlogd_t, virtlogd_exec_t) + +files_read_etc_files(virtlogd_t) +files_list_var_lib(virtlogd_t) + +miscfiles_read_localization(virtlogd_t) + +virt_manage_log(virtlogd_t) +virt_read_config(virtlogd_t)
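Review bot: The three `allow virtlogd_t virtd_t:{dir,file,lnk_file}` rules at the top of the new "Virtlogd local policy" section grant reads of libvirtd's /proc/<pid> entries without saying why, and they are exactly the expansion of `ps_process_pattern(virtlogd_t, virtd_t)` minus `process getattr`. A one-line comment such as `# read libvirtd's /proc/<pid> entries (ps_process_pattern without process getattr)` would stop the next maintainer from collapsing them back into the macro, which commit 0f4d3222 on this page deliberately avoids for virtlockd. The commit message quotes no AVC for the section, so what virtlogd actually reads under /proc is an assumption to confirm before documenting it more specifically. The same hunk recurs as commits 7607e677 and 5d09eb20.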
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: b43c1ae7ef3ac82af3ea452ce97281d53721 Author: Jason Zaman perfinion com> AuthorDate: Sat Aug 13 16:37:55 2016 + Commit: Jason Zaman gentoo org> CommitDate: Thu Mar 30 16:50:39 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b43c virt: kernel_read_system_state policy/modules/contrib/virt.te | 4 1 file changed, 4 insertions(+) diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te index 3da04ef9..0f82a04e 100644 --- a/policy/modules/contrib/virt.te +++ b/policy/modules/contrib/virt.te @@ -1331,6 +1331,8 @@ files_pid_filetrans(virtlockd_t, virtlockd_run_t, file) can_exec(virtlockd_t, virtlockd_exec_t) +kernel_read_system_state(virtlockd_t) + files_read_etc_files(virtlockd_t) files_list_var_lib(virtlockd_t) @@ -1357,6 +1359,8 @@ files_pid_filetrans(virtlogd_t, virtlogd_run_t, file) can_exec(virtlogd_t, virtlogd_exec_t) +kernel_read_system_state(virtlogd_t) + files_read_etc_files(virtlogd_t) files_list_var_lib(virtlogd_t)
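Review bot: `kernel_read_system_state(virtlockd_t)` and `kernel_read_system_state(virtlogd_t)` are added without the denial that motivated them, unlike commit c6e77e09 on this page, which quotes the libvirtError it fixes; the interface opens generic /proc (proc_t) content to both daemons, so the commit message or a trailing comment should record which file they read. Something like `# reads /proc/<placeholder: path from the AVC>` next to each call would be enough. The same two hunks recur as commits 4a80bc53 and 86a50281.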
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: 0f4d3222a8e6014f777007ce8ed54cd3f5c8326e Author: Jason Zaman perfinion com> AuthorDate: Fri May 27 20:44:51 2016 + Commit: Jason Zaman gentoo org> CommitDate: Thu Mar 30 16:50:39 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0f4d3222 virt: virtlockd doesnt need ps_process_pattern policy/modules/contrib/virt.te | 6 -- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te index e1a3bcaf..42e68a29 100644 --- a/policy/modules/contrib/virt.te +++ b/policy/modules/contrib/virt.te @@ -1308,6 +1308,10 @@ kernel_dontaudit_read_system_state(virt_leaseshelper_t) allow virtlockd_t self:capability dac_override; allow virtlockd_t self:fifo_file rw_fifo_file_perms; +allow virtlockd_t virtd_t:dir list_dir_perms; +allow virtlockd_t virtd_t:file read_file_perms; +allow virtlockd_t virtd_t:lnk_file read_lnk_file_perms; + allow virtlockd_t virt_image_type:dir list_dir_perms; allow virtlockd_t virt_image_type:file rw_file_perms; @@ -1326,8 +1330,6 @@ files_pid_filetrans(virtlockd_t, virtlockd_run_t, file) can_exec(virtlockd_t, virtlockd_exec_t) -ps_process_pattern(virtlockd_t, virtd_t) - files_read_etc_files(virtlockd_t) files_list_var_lib(virtlockd_t)
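Review bot: The second hunk drops `ps_process_pattern(virtlockd_t, virtd_t)`, but the first hunk re-adds three of its four rules (in refpolicy's misc_patterns.spt the macro expands to dir `list_dir_perms`, file `read_file_perms`, lnk_file `read_lnk_file_perms` and `process getattr`), so the net effect of the commit is only the removal of `process getattr`, which the title "doesnt need ps_process_pattern" does not convey. A comment above the new rules, `# /proc/<pid> of libvirtd; process getattr is not needed`, or a title naming the dropped permission, would make the intent clear to whoever reads the blame later. The same change recurs as commits 5b1b5096 and 7de494c4.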
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: c6e77e09d07fe6e2d9b6210fd66226a7f2cbb4d5 Author: Jason Zaman perfinion com> AuthorDate: Thu Aug 11 05:49:02 2016 + Commit: Jason Zaman gentoo org> CommitDate: Thu Mar 30 16:50:39 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c6e77e09 virt: need to relabel to set categories libvirtError: unable to set security context 'system_u:object_r:svirt_image_t:s0:c50,c346' on '/var/lib/libvirt/qemu/domain-1-zfstest': Permission denied policy/modules/contrib/virt.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te index 42e68a29..3da04ef9 100644 --- a/policy/modules/contrib/virt.te +++ b/policy/modules/contrib/virt.te @@ -501,6 +501,7 @@ filetrans_pattern(virtd_t, virt_home_t, virt_content_t, dir, "isos") allow virtd_t virtd_keytab_t:file read_file_perms; allow virtd_t svirt_var_run_t:file relabel_file_perms; +allow virtd_t svirt_var_run_t:dir relabel_dir_perms; manage_dirs_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t) manage_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t) manage_sock_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
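Review bot: `allow virtd_t svirt_var_run_t:dir relabel_dir_perms;` covers only the source side of the relabel quoted in the libvirtError: the directory is being set to `svirt_image_t`, and the relabel rules visible for virtd_t on virt_image_type cover file, blk_file and chr_file but not dir, which is only added later by WIP commit 3e4daaf3 on this page with `allow virtd_t virt_image_type:dir { manage_dir_perms relabel_dir_perms };`. If svirt_image_t carries the virt_image_type attribute, as those rules suggest, this commit on its own likely leaves the same 'Permission denied', so the two rules belong in one change with the error message as justification. The same hunk recurs as commits a81b9a95, 5645bfe7 and 6eaf8107.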
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: 3e4daaf3bad04646ec4d16fba6dfe802ad2dd77e Author: Jason Zaman perfinion com> AuthorDate: Wed Aug 31 15:03:49 2016 + Commit: Jason Zaman gentoo org> CommitDate: Mon Feb 27 11:32:41 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3e4daaf3 WIP virt: image type perms policy/modules/contrib/virt.te | 7 +++ 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te index 0f82a04e..5df86d7b 100644 --- a/policy/modules/contrib/virt.te +++ b/policy/modules/contrib/virt.te @@ -468,7 +468,7 @@ tunable_policy(`virt_use_vfio',` # allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setgid setpcap setuid sys_admin sys_nice }; -allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched }; +allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setrlimit setsockcreate setsched }; allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto }; allow virtd_t self:unix_stream_socket { accept connectto listen relabelfrom relabelto }; allow virtd_t self:tcp_socket { accept listen }; @@ -530,9 +530,9 @@ manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type) manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type) allow virtd_t virt_image_type:file relabel_file_perms; +allow virtd_t virt_image_type:dir { manage_dir_perms relabel_dir_perms }; allow virtd_t virt_image_type:blk_file relabel_blk_file_perms; allow virtd_t virt_image_type:chr_file relabel_chr_file_perms; -allow virtd_t virt_image_type:chr_file relabel_chr_file_perms; allow virtd_t virt_ptynode:chr_file rw_term_perms; 
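Review bot: Adding `setrlimit` to the unconditional `allow virtd_t self:process { ... }` line, while the `virt_use_vfio` hunk in the same commit removes `allow virtd_t self:process setrlimit;`, turns a tunable-gated permission into an always-on one, and the WIP message gives no denial explaining why libvirtd needs it outside the VFIO case. If it is genuinely needed unconditionally, a comment on the rule such as `# setrlimit also needed outside virt_use_vfio, see <placeholder: AVC>` would record that. The same change recurs as commit a63d567b.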
@@ -572,7 +572,7 @@ manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) -stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) +stream_connect_pattern(virtd_t, { virt_image_type svirt_var_run_t }, { virt_image_type svirt_var_run_t}, virt_domain) stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t) stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t) @@ -714,7 +714,6 @@ tunable_policy(`virt_use_samba',` tunable_policy(`virt_use_vfio',` allow virtd_t self:capability sys_resource; - allow virtd_t self:process setrlimit; allow virtd_t svirt_t:process rlimitinh; dev_relabelfrom_vfio_dev(virtd_t) ')
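Review bot: The rewritten `stream_connect_pattern(virtd_t, { virt_image_type svirt_var_run_t }, { virt_image_type svirt_var_run_t}, virt_domain)` is missing the space before the closing brace of the second set, inconsistent with the first set and with the `{ a b }` spacing used elsewhere in the file. Beyond style, the second argument is the sock_file type, so this grants `write_sock_file_perms` on every virt_image_type rather than only the per-domain directory type the guest socket presumably lives in; if only svirt_image_t is needed, narrowing the set keeps disk-image types out of a socket rule, and a comment such as `# guest sockets are created inside the svirt_image_t domain directory` would explain why an image type appears here at all. The same hunk recurs as commit a63d567b.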
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: a81b9a9546a92414dba7d3e0b0adff0147611eba Author: Jason Zaman perfinion com> AuthorDate: Thu Aug 11 05:49:02 2016 + Commit: Jason Zaman gentoo org> CommitDate: Mon Feb 27 11:32:41 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a81b9a95 virt: need to relabel to set categories libvirtError: unable to set security context 'system_u:object_r:svirt_image_t:s0:c50,c346' on '/var/lib/libvirt/qemu/domain-1-zfstest': Permission denied policy/modules/contrib/virt.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te index 42e68a29..3da04ef9 100644 --- a/policy/modules/contrib/virt.te +++ b/policy/modules/contrib/virt.te @@ -501,6 +501,7 @@ filetrans_pattern(virtd_t, virt_home_t, virt_content_t, dir, "isos") allow virtd_t virtd_keytab_t:file read_file_perms; allow virtd_t svirt_var_run_t:file relabel_file_perms; +allow virtd_t svirt_var_run_t:dir relabel_dir_perms; manage_dirs_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t) manage_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t) manage_sock_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: 4a80bc53fe759bce98cd0e396cfe1fd350f8111f Author: Jason Zaman perfinion com> AuthorDate: Sat Aug 13 16:37:55 2016 + Commit: Jason Zaman gentoo org> CommitDate: Mon Feb 27 11:32:41 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4a80bc53 virt: kernel_read_system_state policy/modules/contrib/virt.te | 4 1 file changed, 4 insertions(+) diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te index 3da04ef9..0f82a04e 100644 --- a/policy/modules/contrib/virt.te +++ b/policy/modules/contrib/virt.te @@ -1331,6 +1331,8 @@ files_pid_filetrans(virtlockd_t, virtlockd_run_t, file) can_exec(virtlockd_t, virtlockd_exec_t) +kernel_read_system_state(virtlockd_t) + files_read_etc_files(virtlockd_t) files_list_var_lib(virtlockd_t) @@ -1357,6 +1359,8 @@ files_pid_filetrans(virtlogd_t, virtlogd_run_t, file) can_exec(virtlogd_t, virtlogd_exec_t) +kernel_read_system_state(virtlogd_t) + files_read_etc_files(virtlogd_t) files_list_var_lib(virtlogd_t)
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: 7607e67783d8ae44493ce4f3a45abf1c80916be2 Author: Jason Zaman perfinion com> AuthorDate: Thu May 12 16:49:07 2016 + Commit: Jason Zaman gentoo org> CommitDate: Mon Feb 27 11:32:41 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7607e677 virt: add policy for virtlogd policy/modules/contrib/virt.fc | 1 + policy/modules/contrib/virt.te | 42 ++ 2 files changed, 43 insertions(+) diff --git a/policy/modules/contrib/virt.fc b/policy/modules/contrib/virt.fc index 22c1ed70..dca262ab 100644 --- a/policy/modules/contrib/virt.fc +++ b/policy/modules/contrib/virt.fc @@ -32,6 +32,7 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t /usr/sbin/libvirt-qmf -- gen_context(system_u:object_r:virt_qmf_exec_t,s0) /usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0) /usr/sbin/virtlockd-- gen_context(system_u:object_r:virtlockd_exec_t,s0) +/usr/sbin/virtlogd -- gen_context(system_u:object_r:virtlogd_exec_t,s0) /var/cache/libvirt(/.*)? gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh) diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te index eb72843f..e1a3bcaf 100644 --- a/policy/modules/contrib/virt.te +++ b/policy/modules/contrib/virt.te @@ -208,12 +208,21 @@ files_pid_file(virtlockd_run_t) type virtlockd_var_lib_t; files_type(virtlockd_var_lib_t) +type virtlogd_t; +type virtlogd_exec_t; +init_daemon_domain(virtlogd_t, virtlogd_exec_t) + +type virtlogd_run_t; +files_pid_file(virtlogd_run_t) + ifdef(`enable_mcs',` init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - mcs_systemhigh) + init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mcs_systemhigh) ') ifdef(`enable_mls',` init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - mls_systemhigh) + init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mls_systemhigh) ') 
@@ -234,6 +243,9 @@ allow virt_domain virtd_t:fd use; allow virt_domain virtd_t:fifo_file rw_fifo_file_perms; allow virt_domain virtd_t:process sigchld; +allow virt_domain virtlogd_t:fd use; +allow virt_domain virtlogd_t:fifo_file rw_fifo_file_perms; + dontaudit virt_domain virtd_t:unix_stream_socket { read write }; manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t) @@ -472,6 +484,9 @@ dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh }; allow virtd_t { virt_domain svirt_lxc_domain }:unix_stream_socket { create_stream_socket_perms connectto }; allow virtd_t svirt_lxc_domain:process signal_perms; +allow virtd_t virtlogd_t:fd use; +allow virtd_t virtlogd_t:fifo_file rw_fifo_file_perms; + allow virtd_t virtd_lxc_t:process { signal signull sigkill }; domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t) @@ -558,6 +573,7 @@ filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t) +stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t) can_exec(virtd_t, virt_tmp_t) 
@@ -1319,3 +1335,29 @@ miscfiles_read_localization(virtlockd_t) virt_append_log(virtlockd_t) virt_read_config(virtlockd_t) + + +# +# Virtlogd local policy +# + +allow virtlogd_t self:fifo_file rw_fifo_file_perms; + +allow virtlogd_t virtd_t:dir list_dir_perms; +allow virtlogd_t virtd_t:file read_file_perms; +allow virtlogd_t virtd_t:lnk_file read_lnk_file_perms; + +manage_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t) +manage_sock_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t) +filetrans_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t, sock_file) +files_pid_filetrans(virtlogd_t, virtlogd_run_t, file) + +can_exec(virtlogd_t, virtlogd_exec_t) + +files_read_etc_files(virtlogd_t) +files_list_var_lib(virtlogd_t) + +miscfiles_read_localization(virtlogd_t) + +virt_manage_log(virtlogd_t) +virt_read_config(virtlogd_t)
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: 5b1b50963284b3d1431c3c39edaceba6d7034bfc Author: Jason Zaman perfinion com> AuthorDate: Fri May 27 20:44:51 2016 + Commit: Jason Zaman gentoo org> CommitDate: Mon Feb 27 11:32:41 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5b1b5096 virt: virtlockd doesnt need ps_process_pattern policy/modules/contrib/virt.te | 6 -- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te index e1a3bcaf..42e68a29 100644 --- a/policy/modules/contrib/virt.te +++ b/policy/modules/contrib/virt.te @@ -1308,6 +1308,10 @@ kernel_dontaudit_read_system_state(virt_leaseshelper_t) allow virtlockd_t self:capability dac_override; allow virtlockd_t self:fifo_file rw_fifo_file_perms; +allow virtlockd_t virtd_t:dir list_dir_perms; +allow virtlockd_t virtd_t:file read_file_perms; +allow virtlockd_t virtd_t:lnk_file read_lnk_file_perms; + allow virtlockd_t virt_image_type:dir list_dir_perms; allow virtlockd_t virt_image_type:file rw_file_perms; @@ -1326,8 +1330,6 @@ files_pid_filetrans(virtlockd_t, virtlockd_run_t, file) can_exec(virtlockd_t, virtlockd_exec_t) -ps_process_pattern(virtlockd_t, virtd_t) - files_read_etc_files(virtlockd_t) files_list_var_lib(virtlockd_t)
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: 3d5dce8f0dc4f16ba83750cc6b84f2534178a089 Author: Jason Zaman perfinion com> AuthorDate: Wed Feb 15 17:15:58 2017 + Commit: Jason Zaman gentoo org> CommitDate: Mon Feb 27 11:32:41 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3d5dce8f kerberos: Introduce kerberos_filetrans_named_content interface policy/modules/contrib/kerberos.if | 37 + 1 file changed, 37 insertions(+) diff --git a/policy/modules/contrib/kerberos.if b/policy/modules/contrib/kerberos.if index 01caeead..d9d5811f 100644 --- a/policy/modules/contrib/kerberos.if +++ b/policy/modules/contrib/kerberos.if 
@@ -466,6 +466,43 @@ interface(`kerberos_connect_524',` ## +## Transition to kerberos named content +## +## +## +## Domain allowed access. +## +## +# +interface(`kerberos_filetrans_named_content',` + gen_require(` + type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t; + type krb5kdc_principal_t; + ') + + files_etc_filetrans($1, krb5_conf_t, file, "krb5.conf") + filetrans_pattern($1, krb5kdc_conf_t, krb5_keytab_t, file, "kadm5.keytab") + filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal") + filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal0") + filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal1") + #filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal1") + + kerberos_etc_filetrans_keytab($1, file, "krb5.keytab") + #kerberos_filetrans_admin_home_content($1) + + kerberos_tmp_filetrans_host_rcache($1, file, "DNS_25") + kerberos_tmp_filetrans_host_rcache($1, file, "host_0") + kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_23") + kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_48") + kerberos_tmp_filetrans_host_rcache($1, file, "imap_0") + kerberos_tmp_filetrans_host_rcache($1, file, "nfs_0") + kerberos_tmp_filetrans_host_rcache($1, file, "ldapmap1_0") + kerberos_tmp_filetrans_host_rcache($1, file, "ldap_487") + kerberos_tmp_filetrans_host_rcache($1, file, "ldap_55") +') + + +## ## All of the rules required to ## administrate an kerberos environment. ##
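Review bot: The new `kerberos_filetrans_named_content` interface ships two commented-out rules, `#filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal1")`, which is byte-identical to the live line directly above it, and `#kerberos_filetrans_admin_home_content($1)`; dead code in a fresh interface should be dropped or carry a reason. The rcache names `DNS_25`, `HTTP_23`, `HTTP_48`, `ldap_487`, `ldap_55` and `ldapmap1_0` appear to embed numeric uids, which differ between systems, so a comment such as `# rcache files are named <service>_<uid>; uids below come from <placeholder: reference system> and may need local additions` would tell callers what to expect. There is also a stray second blank line between the closing `')` and the next `##` block. The same hunk recurs as commits 3e37a5c6 and d14db39e.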
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: a63d567bbb4ec5293fb191b0caab42c0e27b32cf Author: Jason Zaman perfinion com> AuthorDate: Wed Aug 31 15:03:49 2016 + Commit: Jason Zaman gentoo org> CommitDate: Sat Feb 25 16:57:29 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a63d567b WIP virt: image type perms policy/modules/contrib/virt.te | 7 +++ 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te index 0f82a04e..5df86d7b 100644 --- a/policy/modules/contrib/virt.te +++ b/policy/modules/contrib/virt.te @@ -468,7 +468,7 @@ tunable_policy(`virt_use_vfio',` # allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setgid setpcap setuid sys_admin sys_nice }; -allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched }; +allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setrlimit setsockcreate setsched }; allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto }; allow virtd_t self:unix_stream_socket { accept connectto listen relabelfrom relabelto }; allow virtd_t self:tcp_socket { accept listen }; @@ -530,9 +530,9 @@ manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type) manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type) allow virtd_t virt_image_type:file relabel_file_perms; +allow virtd_t virt_image_type:dir { manage_dir_perms relabel_dir_perms }; allow virtd_t virt_image_type:blk_file relabel_blk_file_perms; allow virtd_t virt_image_type:chr_file relabel_chr_file_perms; -allow virtd_t virt_image_type:chr_file relabel_chr_file_perms; allow virtd_t virt_ptynode:chr_file rw_term_perms; 
@@ -572,7 +572,7 @@ manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) -stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) +stream_connect_pattern(virtd_t, { virt_image_type svirt_var_run_t }, { virt_image_type svirt_var_run_t}, virt_domain) stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t) stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t) @@ -714,7 +714,6 @@ tunable_policy(`virt_use_samba',` tunable_policy(`virt_use_vfio',` allow virtd_t self:capability sys_resource; - allow virtd_t self:process setrlimit; allow virtd_t svirt_t:process rlimitinh; dev_relabelfrom_vfio_dev(virtd_t) ')
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: 5645bfe751544fd4ae9d8a4f2935bf6f2db10092 Author: Jason Zaman perfinion com> AuthorDate: Thu Aug 11 05:49:02 2016 + Commit: Jason Zaman gentoo org> CommitDate: Sat Feb 25 16:57:29 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5645bfe7 virt: need to relabel to set categories libvirtError: unable to set security context 'system_u:object_r:svirt_image_t:s0:c50,c346' on '/var/lib/libvirt/qemu/domain-1-zfstest': Permission denied policy/modules/contrib/virt.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te index 42e68a29..3da04ef9 100644 --- a/policy/modules/contrib/virt.te +++ b/policy/modules/contrib/virt.te @@ -501,6 +501,7 @@ filetrans_pattern(virtd_t, virt_home_t, virt_content_t, dir, "isos") allow virtd_t virtd_keytab_t:file read_file_perms; allow virtd_t svirt_var_run_t:file relabel_file_perms; +allow virtd_t svirt_var_run_t:dir relabel_dir_perms; manage_dirs_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t) manage_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t) manage_sock_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: 3e37a5c6747b197e069b00446c328d320381ddf6 Author: Jason Zaman perfinion com> AuthorDate: Wed Feb 15 17:15:58 2017 + Commit: Jason Zaman gentoo org> CommitDate: Sat Feb 25 16:57:29 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=3e37a5c6 kerberos: Introduce kerberos_filetrans_named_content interface policy/modules/contrib/kerberos.if | 37 + 1 file changed, 37 insertions(+) diff --git a/policy/modules/contrib/kerberos.if b/policy/modules/contrib/kerberos.if index 01caeead..d9d5811f 100644 --- a/policy/modules/contrib/kerberos.if +++ b/policy/modules/contrib/kerberos.if 
@@ -466,6 +466,43 @@ interface(`kerberos_connect_524',` ## +## Transition to kerberos named content +## +## +## +## Domain allowed access. +## +## +# +interface(`kerberos_filetrans_named_content',` + gen_require(` + type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t; + type krb5kdc_principal_t; + ') + + files_etc_filetrans($1, krb5_conf_t, file, "krb5.conf") + filetrans_pattern($1, krb5kdc_conf_t, krb5_keytab_t, file, "kadm5.keytab") + filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal") + filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal0") + filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal1") + #filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal1") + + kerberos_etc_filetrans_keytab($1, file, "krb5.keytab") + #kerberos_filetrans_admin_home_content($1) + + kerberos_tmp_filetrans_host_rcache($1, file, "DNS_25") + kerberos_tmp_filetrans_host_rcache($1, file, "host_0") + kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_23") + kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_48") + kerberos_tmp_filetrans_host_rcache($1, file, "imap_0") + kerberos_tmp_filetrans_host_rcache($1, file, "nfs_0") + kerberos_tmp_filetrans_host_rcache($1, file, "ldapmap1_0") + kerberos_tmp_filetrans_host_rcache($1, file, "ldap_487") + kerberos_tmp_filetrans_host_rcache($1, file, "ldap_55") +') + + +## ## All of the rules required to ## administrate an kerberos environment. ##
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: 5d09eb208d774b72835ad7b168eba163d0459524 Author: Jason Zaman perfinion com> AuthorDate: Thu May 12 16:49:07 2016 + Commit: Jason Zaman gentoo org> CommitDate: Sat Feb 25 16:57:29 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5d09eb20 virt: add policy for virtlogd policy/modules/contrib/virt.fc | 1 + policy/modules/contrib/virt.te | 42 ++ 2 files changed, 43 insertions(+) diff --git a/policy/modules/contrib/virt.fc b/policy/modules/contrib/virt.fc index 22c1ed70..dca262ab 100644 --- a/policy/modules/contrib/virt.fc +++ b/policy/modules/contrib/virt.fc @@ -32,6 +32,7 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t /usr/sbin/libvirt-qmf -- gen_context(system_u:object_r:virt_qmf_exec_t,s0) /usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0) /usr/sbin/virtlockd-- gen_context(system_u:object_r:virtlockd_exec_t,s0) +/usr/sbin/virtlogd -- gen_context(system_u:object_r:virtlogd_exec_t,s0) /var/cache/libvirt(/.*)? gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh) diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te index eb72843f..e1a3bcaf 100644 --- a/policy/modules/contrib/virt.te +++ b/policy/modules/contrib/virt.te @@ -208,12 +208,21 @@ files_pid_file(virtlockd_run_t) type virtlockd_var_lib_t; files_type(virtlockd_var_lib_t) +type virtlogd_t; +type virtlogd_exec_t; +init_daemon_domain(virtlogd_t, virtlogd_exec_t) + +type virtlogd_run_t; +files_pid_file(virtlogd_run_t) + ifdef(`enable_mcs',` init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - mcs_systemhigh) + init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mcs_systemhigh) ') ifdef(`enable_mls',` init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - mls_systemhigh) + init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mls_systemhigh) ') 
@@ -234,6 +243,9 @@ allow virt_domain virtd_t:fd use; allow virt_domain virtd_t:fifo_file rw_fifo_file_perms; allow virt_domain virtd_t:process sigchld; +allow virt_domain virtlogd_t:fd use; +allow virt_domain virtlogd_t:fifo_file rw_fifo_file_perms; + dontaudit virt_domain virtd_t:unix_stream_socket { read write }; manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t) @@ -472,6 +484,9 @@ dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh }; allow virtd_t { virt_domain svirt_lxc_domain }:unix_stream_socket { create_stream_socket_perms connectto }; allow virtd_t svirt_lxc_domain:process signal_perms; +allow virtd_t virtlogd_t:fd use; +allow virtd_t virtlogd_t:fifo_file rw_fifo_file_perms; + allow virtd_t virtd_lxc_t:process { signal signull sigkill }; domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t) @@ -558,6 +573,7 @@ filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t) +stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t) can_exec(virtd_t, virt_tmp_t) 
@@ -1319,3 +1335,29 @@ miscfiles_read_localization(virtlockd_t) virt_append_log(virtlockd_t) virt_read_config(virtlockd_t) + + +# +# Virtlogd local policy +# + +allow virtlogd_t self:fifo_file rw_fifo_file_perms; + +allow virtlogd_t virtd_t:dir list_dir_perms; +allow virtlogd_t virtd_t:file read_file_perms; +allow virtlogd_t virtd_t:lnk_file read_lnk_file_perms; + +manage_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t) +manage_sock_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t) +filetrans_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t, sock_file) +files_pid_filetrans(virtlogd_t, virtlogd_run_t, file) + +can_exec(virtlogd_t, virtlogd_exec_t) + +files_read_etc_files(virtlogd_t) +files_list_var_lib(virtlogd_t) + +miscfiles_read_localization(virtlogd_t) + +virt_manage_log(virtlogd_t) +virt_read_config(virtlogd_t)
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: 7de494c4bec178fe90745be29f92c9f5d60511c1 Author: Jason Zaman perfinion com> AuthorDate: Fri May 27 20:44:51 2016 + Commit: Jason Zaman gentoo org> CommitDate: Sat Feb 25 16:57:29 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7de494c4 virt: virtlockd doesnt need ps_process_pattern policy/modules/contrib/virt.te | 6 -- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te index e1a3bcaf..42e68a29 100644 --- a/policy/modules/contrib/virt.te +++ b/policy/modules/contrib/virt.te @@ -1308,6 +1308,10 @@ kernel_dontaudit_read_system_state(virt_leaseshelper_t) allow virtlockd_t self:capability dac_override; allow virtlockd_t self:fifo_file rw_fifo_file_perms; +allow virtlockd_t virtd_t:dir list_dir_perms; +allow virtlockd_t virtd_t:file read_file_perms; +allow virtlockd_t virtd_t:lnk_file read_lnk_file_perms; + allow virtlockd_t virt_image_type:dir list_dir_perms; allow virtlockd_t virt_image_type:file rw_file_perms; @@ -1326,8 +1330,6 @@ files_pid_filetrans(virtlockd_t, virtlockd_run_t, file) can_exec(virtlockd_t, virtlockd_exec_t) -ps_process_pattern(virtlockd_t, virtd_t) - files_read_etc_files(virtlockd_t) files_list_var_lib(virtlockd_t)
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: 86a502818b8cf5ddd166a134ffd2ed50b726eea5 Author: Jason Zaman perfinion com> AuthorDate: Sat Aug 13 16:37:55 2016 + Commit: Jason Zaman gentoo org> CommitDate: Sat Feb 25 16:57:29 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=86a50281 virt: kernel_read_system_state policy/modules/contrib/virt.te | 4 1 file changed, 4 insertions(+) diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te index 3da04ef9..0f82a04e 100644 --- a/policy/modules/contrib/virt.te +++ b/policy/modules/contrib/virt.te @@ -1331,6 +1331,8 @@ files_pid_filetrans(virtlockd_t, virtlockd_run_t, file) can_exec(virtlockd_t, virtlockd_exec_t) +kernel_read_system_state(virtlockd_t) + files_read_etc_files(virtlockd_t) files_list_var_lib(virtlockd_t) @@ -1357,6 +1359,8 @@ files_pid_filetrans(virtlogd_t, virtlogd_run_t, file) can_exec(virtlogd_t, virtlogd_exec_t) +kernel_read_system_state(virtlogd_t) + files_read_etc_files(virtlogd_t) files_list_var_lib(virtlogd_t)
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: d14db39e5f242b6f9c9edace8ac00de4591f31c0 Author: Jason Zaman perfinion com> AuthorDate: Wed Feb 15 17:15:58 2017 + Commit: Jason Zaman gentoo org> CommitDate: Sat Feb 25 14:54:49 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d14db39e kerberos: Introduce kerberos_filetrans_named_content interface policy/modules/contrib/kerberos.if | 37 + 1 file changed, 37 insertions(+) diff --git a/policy/modules/contrib/kerberos.if b/policy/modules/contrib/kerberos.if index 01caeead..d9d5811f 100644 --- a/policy/modules/contrib/kerberos.if +++ b/policy/modules/contrib/kerberos.if 
@@ -466,6 +466,43 @@ interface(`kerberos_connect_524',` ## +## Transition to kerberos named content +## +## +## +## Domain allowed access. +## +## +# +interface(`kerberos_filetrans_named_content',` + gen_require(` + type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t; + type krb5kdc_principal_t; + ') + + files_etc_filetrans($1, krb5_conf_t, file, "krb5.conf") + filetrans_pattern($1, krb5kdc_conf_t, krb5_keytab_t, file, "kadm5.keytab") + filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal") + filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal0") + filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal1") + #filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal1") + + kerberos_etc_filetrans_keytab($1, file, "krb5.keytab") + #kerberos_filetrans_admin_home_content($1) + + kerberos_tmp_filetrans_host_rcache($1, file, "DNS_25") + kerberos_tmp_filetrans_host_rcache($1, file, "host_0") + kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_23") + kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_48") + kerberos_tmp_filetrans_host_rcache($1, file, "imap_0") + kerberos_tmp_filetrans_host_rcache($1, file, "nfs_0") + kerberos_tmp_filetrans_host_rcache($1, file, "ldapmap1_0") + kerberos_tmp_filetrans_host_rcache($1, file, "ldap_487") + kerberos_tmp_filetrans_host_rcache($1, file, "ldap_55") +') + + +## ## All of the rules required to ## administrate an kerberos environment. ##
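Review bot: The commented-out `#filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal1")` duplicates the live line directly above it, and the commented-out `#kerberos_filetrans_admin_home_content($1)` calls an interface that is not visible anywhere in this hunk; both read as leftovers and should not ship inside a brand-new interface. The doc block should list what the caller actually gets, since the name alone does not say that both /etc (krb5.conf, krb5.keytab) and /tmp host rcache names are covered; the rendered page has stripped the XML tags, so I cannot tell whether a summary element survived. Stylistically there are two blank lines after the closing `')` where the rest of the file uses one. The same hunk recurs as 0d5ec842 below.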
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: 6eaf81074bf12ca8be01e0acd602a346846a3395 Author: Jason Zaman perfinion com> AuthorDate: Thu Aug 11 05:49:02 2016 + Commit: Jason Zaman gentoo org> CommitDate: Sat Feb 25 14:54:48 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6eaf8107 virt: need to relabel to set categories libvirtError: unable to set security context 'system_u:object_r:svirt_image_t:s0:c50,c346' on '/var/lib/libvirt/qemu/domain-1-zfstest': Permission denied policy/modules/contrib/virt.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te index 42e68a29..3da04ef9 100644 --- a/policy/modules/contrib/virt.te +++ b/policy/modules/contrib/virt.te @@ -501,6 +501,7 @@ filetrans_pattern(virtd_t, virt_home_t, virt_content_t, dir, "isos") allow virtd_t virtd_keytab_t:file read_file_perms; allow virtd_t svirt_var_run_t:file relabel_file_perms; +allow virtd_t svirt_var_run_t:dir relabel_dir_perms; manage_dirs_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t) manage_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t) manage_sock_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
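Review bot: The quoted libvirtError sets `svirt_image_t:s0:c50,c346` on the per-domain directory, i.e. a relabel from svirt_var_run_t to a differently-typed, category-carrying context, and `allow virtd_t svirt_var_run_t:dir relabel_dir_perms;` only supplies the relabelfrom half (plus relabelto back to svirt_var_run_t); the relabelto on the image type arrives separately in ad7dc2af on this page, assuming svirt_image_t carries the virt_image_type attribute, so this commit alone presumably does not clear the error. A comment would stop the next reader from wondering why a same-type relabel is needed, e.g. `# libvirt sets the guest's MCS categories on its per-domain dir under /var/lib/libvirt/qemu`. The same one-line change recurs as 0fd0292d below.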
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: f3f96b574462741c540c0c9f2c256342697a81e2 Author: Jason Zaman perfinion com> AuthorDate: Sat Aug 13 16:37:55 2016 + Commit: Jason Zaman gentoo org> CommitDate: Sat Feb 25 14:54:48 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f3f96b57 virt: kernel_read_system_state policy/modules/contrib/virt.te | 4 1 file changed, 4 insertions(+) diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te index 3da04ef9..0f82a04e 100644 --- a/policy/modules/contrib/virt.te +++ b/policy/modules/contrib/virt.te @@ -1331,6 +1331,8 @@ files_pid_filetrans(virtlockd_t, virtlockd_run_t, file) can_exec(virtlockd_t, virtlockd_exec_t) +kernel_read_system_state(virtlockd_t) + files_read_etc_files(virtlockd_t) files_list_var_lib(virtlockd_t) @@ -1357,6 +1359,8 @@ files_pid_filetrans(virtlogd_t, virtlogd_run_t, file) can_exec(virtlogd_t, virtlogd_exec_t) +kernel_read_system_state(virtlogd_t) + files_read_etc_files(virtlogd_t) files_list_var_lib(virtlogd_t)
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: ad7dc2af699a8689bbb55a8b7b03d4065c67cec6 Author: Jason Zaman perfinion com> AuthorDate: Wed Aug 31 15:03:49 2016 + Commit: Jason Zaman gentoo org> CommitDate: Sat Feb 25 14:54:48 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ad7dc2af WIP virt: image type perms policy/modules/contrib/virt.te | 7 +++ 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te index 0f82a04e..5df86d7b 100644 --- a/policy/modules/contrib/virt.te +++ b/policy/modules/contrib/virt.te @@ -468,7 +468,7 @@ tunable_policy(`virt_use_vfio',` # allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setgid setpcap setuid sys_admin sys_nice }; -allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched }; +allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setrlimit setsockcreate setsched }; allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto }; allow virtd_t self:unix_stream_socket { accept connectto listen relabelfrom relabelto }; allow virtd_t self:tcp_socket { accept listen }; @@ -530,9 +530,9 @@ manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type) manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type) allow virtd_t virt_image_type:file relabel_file_perms; +allow virtd_t virt_image_type:dir { manage_dir_perms relabel_dir_perms }; allow virtd_t virt_image_type:blk_file relabel_blk_file_perms; allow virtd_t virt_image_type:chr_file relabel_chr_file_perms; -allow virtd_t virt_image_type:chr_file relabel_chr_file_perms; allow virtd_t virt_ptynode:chr_file rw_term_perms; 
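Review bot: `setrlimit` moves from the virt_use_vfio tunable (the -714 hunk on the next line) into the unconditional `self:process` rule, so every virtd host now gets it while the matching `self:capability sys_resource` stays gated by the tunable; if setrlimit is needed outside vfio the commit should say for what, otherwise it belongs back under the tunable. In `allow virtd_t virt_image_type:dir { manage_dir_perms relabel_dir_perms };` the manage_dir_perms part is presumably already granted by a manage_dirs_pattern() next to the manage_blk_files_pattern/manage_lnk_files_pattern context lines (the start of that run is outside the hunk), so `relabel_dir_perms` alone would express what is new; removing the duplicated chr_file rule is correct. The title still carries "WIP", which should not reach the branch as-is. This commit recurs as 135d33ac and 825f87cc below.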
@@ -572,7 +572,7 @@ manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) -stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) +stream_connect_pattern(virtd_t, { virt_image_type svirt_var_run_t }, { virt_image_type svirt_var_run_t}, virt_domain) stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t) stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t) @@ -714,7 +714,6 @@ tunable_policy(`virt_use_samba',` tunable_policy(`virt_use_vfio',` allow virtd_t self:capability sys_resource; - allow virtd_t self:process setrlimit; allow virtd_t svirt_t:process rlimitinh; dev_relabelfrom_vfio_dev(virtd_t) ')
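Review bot: Widening the stream_connect target from svirt_var_run_t to the whole virt_image_type attribute lets virtd_t connectto any socket carrying an image label, and that attribute groups disk-image types (including guest-category svirt_image_t and the user-owned virt_image_t) rather than socket locations; if qemu places a socket under an image-labelled directory it would be tighter to name that one type, or to filetrans the socket to svirt_var_run_t so the original rule suffices. The commit message gives no denial, so I cannot tell which type actually needed it. Also `{ virt_image_type svirt_var_run_t}` is missing the space before the closing brace. The same lines recur as 135d33ac and 825f87cc below.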
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: 102619e7fbf84aed6046f818e9778bc1d9b760fb Author: Jason Zaman perfinion com> AuthorDate: Fri May 27 20:44:51 2016 + Commit: Jason Zaman gentoo org> CommitDate: Sat Feb 25 14:54:48 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=102619e7 virt: virtlockd doesnt need ps_process_pattern policy/modules/contrib/virt.te | 6 -- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te index e1a3bcaf..42e68a29 100644 --- a/policy/modules/contrib/virt.te +++ b/policy/modules/contrib/virt.te @@ -1308,6 +1308,10 @@ kernel_dontaudit_read_system_state(virt_leaseshelper_t) allow virtlockd_t self:capability dac_override; allow virtlockd_t self:fifo_file rw_fifo_file_perms; +allow virtlockd_t virtd_t:dir list_dir_perms; +allow virtlockd_t virtd_t:file read_file_perms; +allow virtlockd_t virtd_t:lnk_file read_lnk_file_perms; + allow virtlockd_t virt_image_type:dir list_dir_perms; allow virtlockd_t virt_image_type:file rw_file_perms; @@ -1326,8 +1330,6 @@ files_pid_filetrans(virtlockd_t, virtlockd_run_t, file) can_exec(virtlockd_t, virtlockd_exec_t) -ps_process_pattern(virtlockd_t, virtd_t) - files_read_etc_files(virtlockd_t) files_list_var_lib(virtlockd_t)
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: 71caed6d48b8d6a9c0d5054c60a3f19b40dad113 Author: Jason Zaman perfinion com> AuthorDate: Thu May 12 16:49:07 2016 + Commit: Jason Zaman gentoo org> CommitDate: Sat Feb 25 14:54:48 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=71caed6d virt: add policy for virtlogd policy/modules/contrib/virt.fc | 1 + policy/modules/contrib/virt.te | 42 ++ 2 files changed, 43 insertions(+) diff --git a/policy/modules/contrib/virt.fc b/policy/modules/contrib/virt.fc index 22c1ed70..dca262ab 100644 --- a/policy/modules/contrib/virt.fc +++ b/policy/modules/contrib/virt.fc @@ -32,6 +32,7 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t /usr/sbin/libvirt-qmf -- gen_context(system_u:object_r:virt_qmf_exec_t,s0) /usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0) /usr/sbin/virtlockd-- gen_context(system_u:object_r:virtlockd_exec_t,s0) +/usr/sbin/virtlogd -- gen_context(system_u:object_r:virtlogd_exec_t,s0) /var/cache/libvirt(/.*)? gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh) diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te index eb72843f..e1a3bcaf 100644 --- a/policy/modules/contrib/virt.te +++ b/policy/modules/contrib/virt.te @@ -208,12 +208,21 @@ files_pid_file(virtlockd_run_t) type virtlockd_var_lib_t; files_type(virtlockd_var_lib_t) +type virtlogd_t; +type virtlogd_exec_t; +init_daemon_domain(virtlogd_t, virtlogd_exec_t) + +type virtlogd_run_t; +files_pid_file(virtlogd_run_t) + ifdef(`enable_mcs',` init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - mcs_systemhigh) + init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mcs_systemhigh) ') ifdef(`enable_mls',` init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - mls_systemhigh) + init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mls_systemhigh) ') 
@@ -234,6 +243,9 @@ allow virt_domain virtd_t:fd use; allow virt_domain virtd_t:fifo_file rw_fifo_file_perms; allow virt_domain virtd_t:process sigchld; +allow virt_domain virtlogd_t:fd use; +allow virt_domain virtlogd_t:fifo_file rw_fifo_file_perms; + dontaudit virt_domain virtd_t:unix_stream_socket { read write }; manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t) @@ -472,6 +484,9 @@ dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh }; allow virtd_t { virt_domain svirt_lxc_domain }:unix_stream_socket { create_stream_socket_perms connectto }; allow virtd_t svirt_lxc_domain:process signal_perms; +allow virtd_t virtlogd_t:fd use; +allow virtd_t virtlogd_t:fifo_file rw_fifo_file_perms; + allow virtd_t virtd_lxc_t:process { signal signull sigkill }; domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t) @@ -558,6 +573,7 @@ filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t) +stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t) can_exec(virtd_t, virt_tmp_t) 
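Review bot: virt_domain gets `rw_fifo_file_perms` on virtlogd_t pipes, mirrored from the existing virtd_t rule above it, but a guest's use of the virtlogd pipe is writing its stdout/stderr, so `write_fifo_file_perms` is the least-privilege choice unless an AVC showed a read; the same applies to the virtd_t → virtlogd_t pair in the -472 hunk. A short comment on the new pair, e.g. `# guest stdio is written to pipes handed over by virtlogd`, would record why a guest domain touches the log daemon's fds at all. This commit recurs as 91667a23 and 0689d4af below.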
@@ -1319,3 +1335,29 @@ miscfiles_read_localization(virtlockd_t) virt_append_log(virtlockd_t) virt_read_config(virtlockd_t) + + +# +# Virtlogd local policy +# + +allow virtlogd_t self:fifo_file rw_fifo_file_perms; + +allow virtlogd_t virtd_t:dir list_dir_perms; +allow virtlogd_t virtd_t:file read_file_perms; +allow virtlogd_t virtd_t:lnk_file read_lnk_file_perms; + +manage_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t) +manage_sock_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t) +filetrans_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t, sock_file) +files_pid_filetrans(virtlogd_t, virtlogd_run_t, file) + +can_exec(virtlogd_t, virtlogd_exec_t) + +files_read_etc_files(virtlogd_t) +files_list_var_lib(virtlogd_t) + +miscfiles_read_localization(virtlogd_t) + +virt_manage_log(virtlogd_t) +virt_read_config(virtlogd_t)
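Review bot: The new virtlogd block reads virtd_t's /proc entries (`dir list_dir_perms`, `file read_file_perms`, `lnk_file read_lnk_file_perms`) with no comment saying which file under /proc/<pid> the log daemon needs; if it was copied from the virtlockd block rather than taken from a denial, consider leaving it out until one appears. virt_manage_log() is broader than the virt_append_log() the sibling virtlockd gets, which is reasonable for a daemon that creates and rotates log files, but that rationale is worth one line, e.g. `# creates and rotates per-guest log files`. The block also lacks the kernel_read_system_state() that 86a50281 on this page adds afterwards; squashing it here would keep the virtlogd policy self-contained. This block recurs as 91667a23 and 0689d4af below.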
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: 45d8bb4bc3b2b5f4072002656c004cde3008eb51 Author: Jason Zaman perfinion com> AuthorDate: Sat Aug 13 16:37:55 2016 + Commit: Jason Zaman gentoo org> CommitDate: Fri Feb 17 08:45:13 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=45d8bb4b virt: kernel_read_system_state policy/modules/contrib/virt.te | 4 1 file changed, 4 insertions(+) diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te index 3da04ef9..0f82a04e 100644 --- a/policy/modules/contrib/virt.te +++ b/policy/modules/contrib/virt.te @@ -1331,6 +1331,8 @@ files_pid_filetrans(virtlockd_t, virtlockd_run_t, file) can_exec(virtlockd_t, virtlockd_exec_t) +kernel_read_system_state(virtlockd_t) + files_read_etc_files(virtlockd_t) files_list_var_lib(virtlockd_t) @@ -1357,6 +1359,8 @@ files_pid_filetrans(virtlogd_t, virtlogd_run_t, file) can_exec(virtlogd_t, virtlogd_exec_t) +kernel_read_system_state(virtlogd_t) + files_read_etc_files(virtlogd_t) files_list_var_lib(virtlogd_t)
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: 135d33ac60262bd59b8080cfa914471e5cd28a16 Author: Jason Zaman perfinion com> AuthorDate: Wed Aug 31 15:03:49 2016 + Commit: Jason Zaman gentoo org> CommitDate: Fri Feb 17 08:46:50 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=135d33ac WIP virt: image type perms policy/modules/contrib/virt.te | 7 +++ 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te index 0f82a04e..5df86d7b 100644 --- a/policy/modules/contrib/virt.te +++ b/policy/modules/contrib/virt.te @@ -468,7 +468,7 @@ tunable_policy(`virt_use_vfio',` # allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setgid setpcap setuid sys_admin sys_nice }; -allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched }; +allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setrlimit setsockcreate setsched }; allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto }; allow virtd_t self:unix_stream_socket { accept connectto listen relabelfrom relabelto }; allow virtd_t self:tcp_socket { accept listen }; @@ -530,9 +530,9 @@ manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type) manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type) allow virtd_t virt_image_type:file relabel_file_perms; +allow virtd_t virt_image_type:dir { manage_dir_perms relabel_dir_perms }; allow virtd_t virt_image_type:blk_file relabel_blk_file_perms; allow virtd_t virt_image_type:chr_file relabel_chr_file_perms; -allow virtd_t virt_image_type:chr_file relabel_chr_file_perms; allow virtd_t virt_ptynode:chr_file rw_term_perms; 
@@ -572,7 +572,7 @@ manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) -stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) +stream_connect_pattern(virtd_t, { virt_image_type svirt_var_run_t }, { virt_image_type svirt_var_run_t}, virt_domain) stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t) stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t) @@ -714,7 +714,6 @@ tunable_policy(`virt_use_samba',` tunable_policy(`virt_use_vfio',` allow virtd_t self:capability sys_resource; - allow virtd_t self:process setrlimit; allow virtd_t svirt_t:process rlimitinh; dev_relabelfrom_vfio_dev(virtd_t) ')
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: 0fd0292db9ceea1cfbf6ae829aa6e261279750fa Author: Jason Zaman perfinion com> AuthorDate: Thu Aug 11 05:49:02 2016 + Commit: Jason Zaman gentoo org> CommitDate: Fri Feb 17 08:45:13 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0fd0292d virt: need to relabel to set categories libvirtError: unable to set security context 'system_u:object_r:svirt_image_t:s0:c50,c346' on '/var/lib/libvirt/qemu/domain-1-zfstest': Permission denied policy/modules/contrib/virt.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te index 42e68a29..3da04ef9 100644 --- a/policy/modules/contrib/virt.te +++ b/policy/modules/contrib/virt.te @@ -501,6 +501,7 @@ filetrans_pattern(virtd_t, virt_home_t, virt_content_t, dir, "isos") allow virtd_t virtd_keytab_t:file read_file_perms; allow virtd_t svirt_var_run_t:file relabel_file_perms; +allow virtd_t svirt_var_run_t:dir relabel_dir_perms; manage_dirs_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t) manage_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t) manage_sock_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: 0d5ec8428b688ea09c2241fe868e1d684fc9cba6 Author: Jason Zaman perfinion com> AuthorDate: Wed Feb 15 17:15:58 2017 + Commit: Jason Zaman gentoo org> CommitDate: Fri Feb 17 08:46:50 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0d5ec842 kerberos: Introduce kerberos_filetrans_named_content interface policy/modules/contrib/kerberos.if | 37 + 1 file changed, 37 insertions(+) diff --git a/policy/modules/contrib/kerberos.if b/policy/modules/contrib/kerberos.if index 01caeead..d9d5811f 100644 --- a/policy/modules/contrib/kerberos.if +++ b/policy/modules/contrib/kerberos.if 
@@ -466,6 +466,43 @@ interface(`kerberos_connect_524',` ## +## Transition to kerberos named content +## +## +## +## Domain allowed access. +## +## +# +interface(`kerberos_filetrans_named_content',` + gen_require(` + type krb5_conf_t, krb5_keytab_t, krb5kdc_conf_t; + type krb5kdc_principal_t; + ') + + files_etc_filetrans($1, krb5_conf_t, file, "krb5.conf") + filetrans_pattern($1, krb5kdc_conf_t, krb5_keytab_t, file, "kadm5.keytab") + filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal") + filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal0") + filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal1") + #filetrans_pattern($1, krb5kdc_conf_t, krb5kdc_principal_t, file, "principal1") + + kerberos_etc_filetrans_keytab($1, file, "krb5.keytab") + #kerberos_filetrans_admin_home_content($1) + + kerberos_tmp_filetrans_host_rcache($1, file, "DNS_25") + kerberos_tmp_filetrans_host_rcache($1, file, "host_0") + kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_23") + kerberos_tmp_filetrans_host_rcache($1, file, "HTTP_48") + kerberos_tmp_filetrans_host_rcache($1, file, "imap_0") + kerberos_tmp_filetrans_host_rcache($1, file, "nfs_0") + kerberos_tmp_filetrans_host_rcache($1, file, "ldapmap1_0") + kerberos_tmp_filetrans_host_rcache($1, file, "ldap_487") + kerberos_tmp_filetrans_host_rcache($1, file, "ldap_55") +') + + +## ## All of the rules required to ## administrate an kerberos environment. ##
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: a59482227021ff7bdd4d446f4ae9b8c5073e1011 Author: Jason Zaman perfinion com> AuthorDate: Fri May 27 20:44:51 2016 + Commit: Jason Zaman gentoo org> CommitDate: Fri Feb 17 08:45:13 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a5948222 virt: virtlockd doesnt need ps_process_pattern policy/modules/contrib/virt.te | 6 -- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te index e1a3bcaf..42e68a29 100644 --- a/policy/modules/contrib/virt.te +++ b/policy/modules/contrib/virt.te @@ -1308,6 +1308,10 @@ kernel_dontaudit_read_system_state(virt_leaseshelper_t) allow virtlockd_t self:capability dac_override; allow virtlockd_t self:fifo_file rw_fifo_file_perms; +allow virtlockd_t virtd_t:dir list_dir_perms; +allow virtlockd_t virtd_t:file read_file_perms; +allow virtlockd_t virtd_t:lnk_file read_lnk_file_perms; + allow virtlockd_t virt_image_type:dir list_dir_perms; allow virtlockd_t virt_image_type:file rw_file_perms; @@ -1326,8 +1330,6 @@ files_pid_filetrans(virtlockd_t, virtlockd_run_t, file) can_exec(virtlockd_t, virtlockd_exec_t) -ps_process_pattern(virtlockd_t, virtd_t) - files_read_etc_files(virtlockd_t) files_list_var_lib(virtlockd_t)
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: 91667a23f7060ba1ed8bbb1ca3ff155530a46224 Author: Jason Zaman perfinion com> AuthorDate: Thu May 12 16:49:07 2016 + Commit: Jason Zaman gentoo org> CommitDate: Fri Feb 17 08:45:13 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=91667a23 virt: add policy for virtlogd policy/modules/contrib/virt.fc | 1 + policy/modules/contrib/virt.te | 42 ++ 2 files changed, 43 insertions(+) diff --git a/policy/modules/contrib/virt.fc b/policy/modules/contrib/virt.fc index 22c1ed70..dca262ab 100644 --- a/policy/modules/contrib/virt.fc +++ b/policy/modules/contrib/virt.fc @@ -32,6 +32,7 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t /usr/sbin/libvirt-qmf -- gen_context(system_u:object_r:virt_qmf_exec_t,s0) /usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0) /usr/sbin/virtlockd-- gen_context(system_u:object_r:virtlockd_exec_t,s0) +/usr/sbin/virtlogd -- gen_context(system_u:object_r:virtlogd_exec_t,s0) /var/cache/libvirt(/.*)? gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh) diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te index eb72843f..e1a3bcaf 100644 --- a/policy/modules/contrib/virt.te +++ b/policy/modules/contrib/virt.te @@ -208,12 +208,21 @@ files_pid_file(virtlockd_run_t) type virtlockd_var_lib_t; files_type(virtlockd_var_lib_t) +type virtlogd_t; +type virtlogd_exec_t; +init_daemon_domain(virtlogd_t, virtlogd_exec_t) + +type virtlogd_run_t; +files_pid_file(virtlogd_run_t) + ifdef(`enable_mcs',` init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - mcs_systemhigh) + init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mcs_systemhigh) ') ifdef(`enable_mls',` init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - mls_systemhigh) + init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mls_systemhigh) ') 
@@ -234,6 +243,9 @@ allow virt_domain virtd_t:fd use; allow virt_domain virtd_t:fifo_file rw_fifo_file_perms; allow virt_domain virtd_t:process sigchld; +allow virt_domain virtlogd_t:fd use; +allow virt_domain virtlogd_t:fifo_file rw_fifo_file_perms; + dontaudit virt_domain virtd_t:unix_stream_socket { read write }; manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t) @@ -472,6 +484,9 @@ dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh }; allow virtd_t { virt_domain svirt_lxc_domain }:unix_stream_socket { create_stream_socket_perms connectto }; allow virtd_t svirt_lxc_domain:process signal_perms; +allow virtd_t virtlogd_t:fd use; +allow virtd_t virtlogd_t:fifo_file rw_fifo_file_perms; + allow virtd_t virtd_lxc_t:process { signal signull sigkill }; domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t) @@ -558,6 +573,7 @@ filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t) +stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t) can_exec(virtd_t, virt_tmp_t) 
@@ -1319,3 +1335,29 @@ miscfiles_read_localization(virtlockd_t) virt_append_log(virtlockd_t) virt_read_config(virtlockd_t) + + +# +# Virtlogd local policy +# + +allow virtlogd_t self:fifo_file rw_fifo_file_perms; + +allow virtlogd_t virtd_t:dir list_dir_perms; +allow virtlogd_t virtd_t:file read_file_perms; +allow virtlogd_t virtd_t:lnk_file read_lnk_file_perms; + +manage_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t) +manage_sock_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t) +filetrans_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t, sock_file) +files_pid_filetrans(virtlogd_t, virtlogd_run_t, file) + +can_exec(virtlogd_t, virtlogd_exec_t) + +files_read_etc_files(virtlogd_t) +files_list_var_lib(virtlogd_t) + +miscfiles_read_localization(virtlogd_t) + +virt_manage_log(virtlogd_t) +virt_read_config(virtlogd_t)
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: 057adccd201fedd6e465395554d1283eeb9d0ef4 Author: Jason Zaman perfinion com> AuthorDate: Sat Aug 13 16:37:55 2016 + Commit: Jason Zaman gentoo org> CommitDate: Sun Jan 1 16:41:45 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=057adccd virt: kernel_read_system_state policy/modules/contrib/virt.te | 4 1 file changed, 4 insertions(+) diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te index 073bdc7..d68ea34 100644 --- a/policy/modules/contrib/virt.te +++ b/policy/modules/contrib/virt.te @@ -1331,6 +1331,8 @@ files_pid_filetrans(virtlockd_t, virtlockd_run_t, file) can_exec(virtlockd_t, virtlockd_exec_t) +kernel_read_system_state(virtlockd_t) + files_read_etc_files(virtlockd_t) files_list_var_lib(virtlockd_t) @@ -1357,6 +1359,8 @@ files_pid_filetrans(virtlogd_t, virtlogd_run_t, file) can_exec(virtlogd_t, virtlogd_exec_t) +kernel_read_system_state(virtlogd_t) + files_read_etc_files(virtlogd_t) files_list_var_lib(virtlogd_t)
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: 0689d4afa74c089cc196125380526a7e82d87b6a Author: Jason Zaman perfinion com> AuthorDate: Thu May 12 16:49:07 2016 + Commit: Jason Zaman gentoo org> CommitDate: Sun Jan 1 16:41:45 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0689d4af virt: add policy for virtlogd policy/modules/contrib/virt.fc | 1 + policy/modules/contrib/virt.te | 42 ++ 2 files changed, 43 insertions(+) diff --git a/policy/modules/contrib/virt.fc b/policy/modules/contrib/virt.fc index 22c1ed7..dca262a 100644 --- a/policy/modules/contrib/virt.fc +++ b/policy/modules/contrib/virt.fc @@ -32,6 +32,7 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t /usr/sbin/libvirt-qmf -- gen_context(system_u:object_r:virt_qmf_exec_t,s0) /usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0) /usr/sbin/virtlockd-- gen_context(system_u:object_r:virtlockd_exec_t,s0) +/usr/sbin/virtlogd -- gen_context(system_u:object_r:virtlogd_exec_t,s0) /var/cache/libvirt(/.*)? gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh) diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te index 41a352d..0924307 100644 --- a/policy/modules/contrib/virt.te +++ b/policy/modules/contrib/virt.te @@ -208,12 +208,21 @@ files_pid_file(virtlockd_run_t) type virtlockd_var_lib_t; files_type(virtlockd_var_lib_t) +type virtlogd_t; +type virtlogd_exec_t; +init_daemon_domain(virtlogd_t, virtlogd_exec_t) + +type virtlogd_run_t; +files_pid_file(virtlogd_run_t) + ifdef(`enable_mcs',` init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - mcs_systemhigh) + init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mcs_systemhigh) ') ifdef(`enable_mls',` init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - mls_systemhigh) + init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mls_systemhigh) ') 
@@ -234,6 +243,9 @@ allow virt_domain virtd_t:fd use; allow virt_domain virtd_t:fifo_file rw_fifo_file_perms; allow virt_domain virtd_t:process sigchld; +allow virt_domain virtlogd_t:fd use; +allow virt_domain virtlogd_t:fifo_file rw_fifo_file_perms; + dontaudit virt_domain virtd_t:unix_stream_socket { read write }; manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t) @@ -472,6 +484,9 @@ dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh }; allow virtd_t { virt_domain svirt_lxc_domain }:unix_stream_socket { create_stream_socket_perms connectto }; allow virtd_t svirt_lxc_domain:process signal_perms; +allow virtd_t virtlogd_t:fd use; +allow virtd_t virtlogd_t:fifo_file rw_fifo_file_perms; + allow virtd_t virtd_lxc_t:process { signal signull sigkill }; domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t) @@ -558,6 +573,7 @@ filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t) +stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t) can_exec(virtd_t, virt_tmp_t) 
@@ -1319,3 +1335,29 @@ miscfiles_read_localization(virtlockd_t) virt_append_log(virtlockd_t) virt_read_config(virtlockd_t) + + +# +# Virtlogd local policy +# + +allow virtlogd_t self:fifo_file rw_fifo_file_perms; + +allow virtlogd_t virtd_t:dir list_dir_perms; +allow virtlogd_t virtd_t:file read_file_perms; +allow virtlogd_t virtd_t:lnk_file read_lnk_file_perms; + +manage_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t) +manage_sock_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t) +filetrans_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t, sock_file) +files_pid_filetrans(virtlogd_t, virtlogd_run_t, file) + +can_exec(virtlogd_t, virtlogd_exec_t) + +files_read_etc_files(virtlogd_t) +files_list_var_lib(virtlogd_t) + +miscfiles_read_localization(virtlogd_t) + +virt_manage_log(virtlogd_t) +virt_read_config(virtlogd_t)
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: 825f87ccd353ab7d66bb41c5cb1905d89654fce0 Author: Jason Zaman perfinion com> AuthorDate: Wed Aug 31 15:03:49 2016 + Commit: Jason Zaman gentoo org> CommitDate: Sun Jan 1 16:41:45 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=825f87cc WIP virt: image type perms policy/modules/contrib/virt.te | 7 +++ 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te index d68ea34..f6bc770 100644 --- a/policy/modules/contrib/virt.te +++ b/policy/modules/contrib/virt.te @@ -468,7 +468,7 @@ tunable_policy(`virt_use_vfio',` # allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice }; -allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched }; +allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setrlimit setsockcreate setsched }; allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto }; allow virtd_t self:unix_stream_socket { accept connectto listen relabelfrom relabelto }; allow virtd_t self:tcp_socket { accept listen }; @@ -530,9 +530,9 @@ manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type) manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type) allow virtd_t virt_image_type:file relabel_file_perms; +allow virtd_t virt_image_type:dir { manage_dir_perms relabel_dir_perms }; allow virtd_t virt_image_type:blk_file relabel_blk_file_perms; allow virtd_t virt_image_type:chr_file relabel_chr_file_perms; -allow virtd_t virt_image_type:chr_file relabel_chr_file_perms; allow virtd_t virt_ptynode:chr_file rw_term_perms; 
@@ -572,7 +572,7 @@ manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) -stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) +stream_connect_pattern(virtd_t, { virt_image_type svirt_var_run_t }, { virt_image_type svirt_var_run_t}, virt_domain) stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t) stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t) @@ -714,7 +714,6 @@ tunable_policy(`virt_use_samba',` tunable_policy(`virt_use_vfio',` allow virtd_t self:capability sys_resource; - allow virtd_t self:process setrlimit; allow virtd_t svirt_t:process rlimitinh; dev_relabelfrom_vfio_dev(virtd_t) ')
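Review bot: `stream_connect_pattern(virtd_t, { virt_image_type svirt_var_run_t }, { virt_image_type svirt_var_run_t}, virt_domain)` widens the connect path from the per-domain runtime type to every type carrying the virt_image_type attribute (dir search plus sock_file write on all of them), which is more than a monitor socket inside the guest's directory needs; the relabel commit further down this page shows that directory becoming svirt_image_t, so if that is the only additional type required, `{ svirt_image_t svirt_var_run_t }` is the narrower form — confirm against the denial. The second set is also missing the space before `}` that the first set has. This hunk is repeated in commits 25870fce, 19cc0dd3 and d1fbfee8.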
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: aab0a8a125baba6defd5178025d458ffbd29f5e5 Author: Jason Zaman perfinion com> AuthorDate: Fri May 27 20:44:51 2016 + Commit: Jason Zaman gentoo org> CommitDate: Sun Jan 1 16:41:45 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=aab0a8a1 virt: virtlockd doesnt need ps_process_pattern policy/modules/contrib/virt.te | 6 -- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te index 0924307..53233cb 100644 --- a/policy/modules/contrib/virt.te +++ b/policy/modules/contrib/virt.te @@ -1308,6 +1308,10 @@ kernel_dontaudit_read_system_state(virt_leaseshelper_t) allow virtlockd_t self:capability dac_override; allow virtlockd_t self:fifo_file rw_fifo_file_perms; +allow virtlockd_t virtd_t:dir list_dir_perms; +allow virtlockd_t virtd_t:file read_file_perms; +allow virtlockd_t virtd_t:lnk_file read_lnk_file_perms; + allow virtlockd_t virt_image_type:dir list_dir_perms; allow virtlockd_t virt_image_type:file rw_file_perms; @@ -1326,8 +1330,6 @@ files_pid_filetrans(virtlockd_t, virtlockd_run_t, file) can_exec(virtlockd_t, virtlockd_exec_t) -ps_process_pattern(virtlockd_t, virtd_t) - files_read_etc_files(virtlockd_t) files_list_var_lib(virtlockd_t)
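Review bot: The replacement keeps three of the four rules ps_process_pattern expands to (`dir list_dir_perms`, `file read_file_perms`, `lnk_file read_lnk_file_perms` on virtd_t) and drops only `process getattr`, so the title overstates the change; a comment such as `# read libvirtd's /proc entry; process getattr is not needed` above the new allow lines would say what virtlockd actually reads and why the interface was unrolled. Without it the next cleanup is likely to collapse these back into ps_process_pattern. The same hunk recurs in commits b408a4f8 and 9874317d below.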
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: 7a4066298de57f3bec0ff28a6a261e893b4f509b Author: Jason Zaman perfinion com> AuthorDate: Thu Aug 11 05:49:02 2016 + Commit: Jason Zaman gentoo org> CommitDate: Sun Jan 1 16:41:45 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7a406629 virt: need to relabel to set categories libvirtError: unable to set security context 'system_u:object_r:svirt_image_t:s0:c50,c346' on '/var/lib/libvirt/qemu/domain-1-zfstest': Permission denied policy/modules/contrib/virt.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te index 53233cb..073bdc7 100644 --- a/policy/modules/contrib/virt.te +++ b/policy/modules/contrib/virt.te @@ -501,6 +501,7 @@ filetrans_pattern(virtd_t, virt_home_t, virt_content_t, dir, "isos") allow virtd_t virtd_keytab_t:file read_file_perms; allow virtd_t svirt_var_run_t:file relabel_file_perms; +allow virtd_t svirt_var_run_t:dir relabel_dir_perms; manage_dirs_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t) manage_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t) manage_sock_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
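Review bot: The denial quoted in the message is a relabel to svirt_image_t on a directory under /var/lib/libvirt/qemu, but the added `allow virtd_t svirt_var_run_t:dir relabel_dir_perms;` only covers the relabelfrom side for svirt_var_run_t directories; the relabelto on svirt_image_t has to come from elsewhere (presumably the virt_image_type dir rule in the "image type perms" commit), so this fix is only complete together with that one. A comment above the line, e.g. `# per-domain dirs are relabeled to svirt_image_t with the guest's categories`, would tie the rule to the error. It is also worth checking that the /var/lib path in the message really carries svirt_var_run_t rather than a var_lib type, otherwise this is not the rule the denial needs. This commit is re-applied as d3133463, da274ced and 4871e1ec below.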
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: b408a4f834ead0cf75539fcdd31f947c7841ec9a Author: Jason Zaman perfinion com> AuthorDate: Fri May 27 20:44:51 2016 + Commit: Jason Zaman gentoo org> CommitDate: Sun Jan 1 16:37:17 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b408a4f8 virt: virtlockd doesnt need ps_process_pattern policy/modules/contrib/virt.te | 6 -- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te index 0924307..53233cb 100644 --- a/policy/modules/contrib/virt.te +++ b/policy/modules/contrib/virt.te @@ -1308,6 +1308,10 @@ kernel_dontaudit_read_system_state(virt_leaseshelper_t) allow virtlockd_t self:capability dac_override; allow virtlockd_t self:fifo_file rw_fifo_file_perms; +allow virtlockd_t virtd_t:dir list_dir_perms; +allow virtlockd_t virtd_t:file read_file_perms; +allow virtlockd_t virtd_t:lnk_file read_lnk_file_perms; + allow virtlockd_t virt_image_type:dir list_dir_perms; allow virtlockd_t virt_image_type:file rw_file_perms; @@ -1326,8 +1330,6 @@ files_pid_filetrans(virtlockd_t, virtlockd_run_t, file) can_exec(virtlockd_t, virtlockd_exec_t) -ps_process_pattern(virtlockd_t, virtd_t) - files_read_etc_files(virtlockd_t) files_list_var_lib(virtlockd_t)
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: 8785c8c6eb78bf8ab2e6cf915065b3dff243b56e Author: Jason Zaman perfinion com> AuthorDate: Thu May 12 16:49:07 2016 + Commit: Jason Zaman gentoo org> CommitDate: Sun Jan 1 16:37:17 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8785c8c6 virt: add policy for virtlogd policy/modules/contrib/virt.fc | 1 + policy/modules/contrib/virt.te | 42 ++ 2 files changed, 43 insertions(+) diff --git a/policy/modules/contrib/virt.fc b/policy/modules/contrib/virt.fc index 22c1ed7..dca262a 100644 --- a/policy/modules/contrib/virt.fc +++ b/policy/modules/contrib/virt.fc @@ -32,6 +32,7 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t /usr/sbin/libvirt-qmf -- gen_context(system_u:object_r:virt_qmf_exec_t,s0) /usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0) /usr/sbin/virtlockd-- gen_context(system_u:object_r:virtlockd_exec_t,s0) +/usr/sbin/virtlogd -- gen_context(system_u:object_r:virtlogd_exec_t,s0) /var/cache/libvirt(/.*)? gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh) diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te index 41a352d..0924307 100644 --- a/policy/modules/contrib/virt.te +++ b/policy/modules/contrib/virt.te @@ -208,12 +208,21 @@ files_pid_file(virtlockd_run_t) type virtlockd_var_lib_t; files_type(virtlockd_var_lib_t) +type virtlogd_t; +type virtlogd_exec_t; +init_daemon_domain(virtlogd_t, virtlogd_exec_t) + +type virtlogd_run_t; +files_pid_file(virtlogd_run_t) + ifdef(`enable_mcs',` init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - mcs_systemhigh) + init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mcs_systemhigh) ') ifdef(`enable_mls',` init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - mls_systemhigh) + init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mls_systemhigh) ') 
@@ -234,6 +243,9 @@ allow virt_domain virtd_t:fd use; allow virt_domain virtd_t:fifo_file rw_fifo_file_perms; allow virt_domain virtd_t:process sigchld; +allow virt_domain virtlogd_t:fd use; +allow virt_domain virtlogd_t:fifo_file rw_fifo_file_perms; + dontaudit virt_domain virtd_t:unix_stream_socket { read write }; manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t) @@ -472,6 +484,9 @@ dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh }; allow virtd_t { virt_domain svirt_lxc_domain }:unix_stream_socket { create_stream_socket_perms connectto }; allow virtd_t svirt_lxc_domain:process signal_perms; +allow virtd_t virtlogd_t:fd use; +allow virtd_t virtlogd_t:fifo_file rw_fifo_file_perms; + allow virtd_t virtd_lxc_t:process { signal signull sigkill }; domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t) @@ -558,6 +573,7 @@ filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t) +stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t) can_exec(virtd_t, virt_tmp_t) 
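Review bot: `allow virt_domain virtlogd_t:fd use;` and `allow virt_domain virtlogd_t:fifo_file rw_fifo_file_perms;` let every guest domain use descriptors inherited from virtlogd, and the same pair is granted to virtd_t in hunk @@ -472, but neither says which pipe is involved; if it is the guest's stdout/stderr pipe that virtlogd collects, a comment `# guest stdio pipe handed over by virtlogd` above each pair would document it, and a write-only permission set might suffice on the guest side — confirm against the denial before narrowing. These hunks recur in commit e19b3385 below.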
@@ -1319,3 +1335,29 @@ miscfiles_read_localization(virtlockd_t) virt_append_log(virtlockd_t) virt_read_config(virtlockd_t) + + +# +# Virtlogd local policy +# + +allow virtlogd_t self:fifo_file rw_fifo_file_perms; + +allow virtlogd_t virtd_t:dir list_dir_perms; +allow virtlogd_t virtd_t:file read_file_perms; +allow virtlogd_t virtd_t:lnk_file read_lnk_file_perms; + +manage_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t) +manage_sock_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t) +filetrans_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t, sock_file) +files_pid_filetrans(virtlogd_t, virtlogd_run_t, file) + +can_exec(virtlogd_t, virtlogd_exec_t) + +files_read_etc_files(virtlogd_t) +files_list_var_lib(virtlogd_t) + +miscfiles_read_localization(virtlogd_t) + +virt_manage_log(virtlogd_t) +virt_read_config(virtlogd_t)
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: 200b4f8675cf7052c0465df698acc5bb086e84fa Author: Jason Zaman perfinion com> AuthorDate: Sat Aug 13 16:37:55 2016 + Commit: Jason Zaman gentoo org> CommitDate: Sun Jan 1 16:37:17 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=200b4f86 virt: kernel_read_system_state policy/modules/contrib/virt.te | 4 1 file changed, 4 insertions(+) diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te index 073bdc7..d68ea34 100644 --- a/policy/modules/contrib/virt.te +++ b/policy/modules/contrib/virt.te @@ -1331,6 +1331,8 @@ files_pid_filetrans(virtlockd_t, virtlockd_run_t, file) can_exec(virtlockd_t, virtlockd_exec_t) +kernel_read_system_state(virtlockd_t) + files_read_etc_files(virtlockd_t) files_list_var_lib(virtlockd_t) @@ -1357,6 +1359,8 @@ files_pid_filetrans(virtlogd_t, virtlogd_run_t, file) can_exec(virtlogd_t, virtlogd_exec_t) +kernel_read_system_state(virtlogd_t) + files_read_etc_files(virtlogd_t) files_list_var_lib(virtlogd_t)
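Review bot: `kernel_read_system_state(virtlockd_t)` and `kernel_read_system_state(virtlogd_t)` each open read access to the whole of the generic /proc system state, and the message gives neither a denial nor the file being read; a comment naming it, e.g. `# reads /proc/FILE — confirm against the denial`, would let a later reviewer judge whether a narrower interface suffices. virt_leaseshelper_t in this module gets `kernel_dontaudit_read_system_state` instead (visible in the context of the ps_process_pattern commit above), so it is worth stating why these two daemons need the real read rather than a dontaudit. The same commit is re-applied as c57aed9d below.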
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: 25870fced7fd72db22bccb30f4f9964d2a51d548 Author: Jason Zaman perfinion com> AuthorDate: Wed Aug 31 15:03:49 2016 + Commit: Jason Zaman gentoo org> CommitDate: Sun Jan 1 16:37:17 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=25870fce WIP virt: image type perms policy/modules/contrib/virt.te | 7 +++ 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te index d68ea34..f6bc770 100644 --- a/policy/modules/contrib/virt.te +++ b/policy/modules/contrib/virt.te @@ -468,7 +468,7 @@ tunable_policy(`virt_use_vfio',` # allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice }; -allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched }; +allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setrlimit setsockcreate setsched }; allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto }; allow virtd_t self:unix_stream_socket { accept connectto listen relabelfrom relabelto }; allow virtd_t self:tcp_socket { accept listen }; @@ -530,9 +530,9 @@ manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type) manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type) allow virtd_t virt_image_type:file relabel_file_perms; +allow virtd_t virt_image_type:dir { manage_dir_perms relabel_dir_perms }; allow virtd_t virt_image_type:blk_file relabel_blk_file_perms; allow virtd_t virt_image_type:chr_file relabel_chr_file_perms; -allow virtd_t virt_image_type:chr_file relabel_chr_file_perms; allow virtd_t virt_ptynode:chr_file rw_term_perms; 
@@ -572,7 +572,7 @@ manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) -stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) +stream_connect_pattern(virtd_t, { virt_image_type svirt_var_run_t }, { virt_image_type svirt_var_run_t}, virt_domain) stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t) stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t) @@ -714,7 +714,6 @@ tunable_policy(`virt_use_samba',` tunable_policy(`virt_use_vfio',` allow virtd_t self:capability sys_resource; - allow virtd_t self:process setrlimit; allow virtd_t svirt_t:process rlimitinh; dev_relabelfrom_vfio_dev(virtd_t) ')
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: d313346330e8329dba085cc1f98a32538e0df08c Author: Jason Zaman perfinion com> AuthorDate: Thu Aug 11 05:49:02 2016 + Commit: Jason Zaman gentoo org> CommitDate: Sun Jan 1 16:37:17 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d3133463 virt: need to relabel to set categories libvirtError: unable to set security context 'system_u:object_r:svirt_image_t:s0:c50,c346' on '/var/lib/libvirt/qemu/domain-1-zfstest': Permission denied policy/modules/contrib/virt.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te index 53233cb..073bdc7 100644 --- a/policy/modules/contrib/virt.te +++ b/policy/modules/contrib/virt.te @@ -501,6 +501,7 @@ filetrans_pattern(virtd_t, virt_home_t, virt_content_t, dir, "isos") allow virtd_t virtd_keytab_t:file read_file_perms; allow virtd_t svirt_var_run_t:file relabel_file_perms; +allow virtd_t svirt_var_run_t:dir relabel_dir_perms; manage_dirs_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t) manage_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t) manage_sock_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: da274ceda489c560cb8bc471e6327e748c8b30e8 Author: Jason Zaman perfinion com> AuthorDate: Thu Aug 11 05:49:02 2016 + Commit: Jason Zaman gentoo org> CommitDate: Thu Dec 8 05:03:22 2016 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=da274ced virt: need to relabel to set categories libvirtError: unable to set security context 'system_u:object_r:svirt_image_t:s0:c50,c346' on '/var/lib/libvirt/qemu/domain-1-zfstest': Permission denied policy/modules/contrib/virt.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te index dc4c94d..a29f333 100644 --- a/policy/modules/contrib/virt.te +++ b/policy/modules/contrib/virt.te @@ -501,6 +501,7 @@ filetrans_pattern(virtd_t, virt_home_t, virt_content_t, dir, "isos") allow virtd_t virtd_keytab_t:file read_file_perms; allow virtd_t svirt_var_run_t:file relabel_file_perms; +allow virtd_t svirt_var_run_t:dir relabel_dir_perms; manage_dirs_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t) manage_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t) manage_sock_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: 9874317d0b74d1320f5e2910f5d336ee4534d9e1 Author: Jason Zaman perfinion com> AuthorDate: Fri May 27 20:44:51 2016 + Commit: Jason Zaman gentoo org> CommitDate: Thu Dec 8 05:03:22 2016 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9874317d virt: virtlockd doesnt need ps_process_pattern policy/modules/contrib/virt.te | 6 -- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te index 16c2970..dc4c94d 100644 --- a/policy/modules/contrib/virt.te +++ b/policy/modules/contrib/virt.te @@ -1308,6 +1308,10 @@ kernel_dontaudit_read_system_state(virt_leaseshelper_t) allow virtlockd_t self:capability dac_override; allow virtlockd_t self:fifo_file rw_fifo_file_perms; +allow virtlockd_t virtd_t:dir list_dir_perms; +allow virtlockd_t virtd_t:file read_file_perms; +allow virtlockd_t virtd_t:lnk_file read_lnk_file_perms; + allow virtlockd_t virt_image_type:dir list_dir_perms; allow virtlockd_t virt_image_type:file rw_file_perms; @@ -1326,8 +1330,6 @@ files_pid_filetrans(virtlockd_t, virtlockd_run_t, file) can_exec(virtlockd_t, virtlockd_exec_t) -ps_process_pattern(virtlockd_t, virtd_t) - files_read_etc_files(virtlockd_t) files_list_var_lib(virtlockd_t)
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: c57aed9da88efe8523e7705544c697246e3c42ec Author: Jason Zaman perfinion com> AuthorDate: Sat Aug 13 16:37:55 2016 + Commit: Jason Zaman gentoo org> CommitDate: Thu Dec 8 05:03:22 2016 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c57aed9d virt: kernel_read_system_state policy/modules/contrib/virt.te | 4 1 file changed, 4 insertions(+) diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te index a29f333..0adbdb1 100644 --- a/policy/modules/contrib/virt.te +++ b/policy/modules/contrib/virt.te @@ -1331,6 +1331,8 @@ files_pid_filetrans(virtlockd_t, virtlockd_run_t, file) can_exec(virtlockd_t, virtlockd_exec_t) +kernel_read_system_state(virtlockd_t) + files_read_etc_files(virtlockd_t) files_list_var_lib(virtlockd_t) @@ -1357,6 +1359,8 @@ files_pid_filetrans(virtlogd_t, virtlogd_run_t, file) can_exec(virtlogd_t, virtlogd_exec_t) +kernel_read_system_state(virtlogd_t) + files_read_etc_files(virtlogd_t) files_list_var_lib(virtlogd_t)
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: 19cc0dd3e22ff760557458a606aae28875bca190 Author: Jason Zaman perfinion com> AuthorDate: Wed Aug 31 15:03:49 2016 + Commit: Jason Zaman gentoo org> CommitDate: Thu Dec 8 05:03:22 2016 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=19cc0dd3 WIP virt: image type perms policy/modules/contrib/virt.te | 7 +++ 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te index 0adbdb1..fd357c4 100644 --- a/policy/modules/contrib/virt.te +++ b/policy/modules/contrib/virt.te @@ -468,7 +468,7 @@ tunable_policy(`virt_use_vfio',` # allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice }; -allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched }; +allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setrlimit setsockcreate setsched }; allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto }; allow virtd_t self:unix_stream_socket { accept connectto listen relabelfrom relabelto }; allow virtd_t self:tcp_socket { accept listen }; @@ -530,9 +530,9 @@ manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type) manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type) allow virtd_t virt_image_type:file relabel_file_perms; +allow virtd_t virt_image_type:dir { manage_dir_perms relabel_dir_perms }; allow virtd_t virt_image_type:blk_file relabel_blk_file_perms; allow virtd_t virt_image_type:chr_file relabel_chr_file_perms; -allow virtd_t virt_image_type:chr_file relabel_chr_file_perms; allow virtd_t virt_ptynode:chr_file rw_term_perms; 
@@ -572,7 +572,7 @@ manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) -stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) +stream_connect_pattern(virtd_t, { virt_image_type svirt_var_run_t }, { virt_image_type svirt_var_run_t}, virt_domain) stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t) stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t) @@ -714,7 +714,6 @@ tunable_policy(`virt_use_samba',` tunable_policy(`virt_use_vfio',` allow virtd_t self:capability sys_resource; - allow virtd_t self:process setrlimit; allow virtd_t svirt_t:process rlimitinh; dev_relabelfrom_vfio_dev(virtd_t) ')
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: e19b33854b5d4f302dbc12bad9810be29c4e45a5 Author: Jason Zaman perfinion com> AuthorDate: Thu May 12 16:49:07 2016 + Commit: Jason Zaman gentoo org> CommitDate: Thu Dec 8 05:03:22 2016 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e19b3385 virt: add policy for virtlogd policy/modules/contrib/virt.fc | 1 + policy/modules/contrib/virt.te | 42 ++ 2 files changed, 43 insertions(+) diff --git a/policy/modules/contrib/virt.fc b/policy/modules/contrib/virt.fc index f7e0ce8..7d9456a 100644 --- a/policy/modules/contrib/virt.fc +++ b/policy/modules/contrib/virt.fc @@ -32,6 +32,7 @@ HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t /usr/sbin/libvirt-qmf -- gen_context(system_u:object_r:virt_qmf_exec_t,s0) /usr/sbin/libvirtd -- gen_context(system_u:object_r:virtd_exec_t,s0) /usr/sbin/virtlockd-- gen_context(system_u:object_r:virtlockd_exec_t,s0) +/usr/sbin/virtlogd -- gen_context(system_u:object_r:virtlogd_exec_t,s0) /var/cache/libvirt(/.*)? gen_context(system_u:object_r:virt_cache_t,s0-mls_systemhigh) diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te index c45ba2d..16c2970 100644 --- a/policy/modules/contrib/virt.te +++ b/policy/modules/contrib/virt.te @@ -208,12 +208,21 @@ files_pid_file(virtlockd_run_t) type virtlockd_var_lib_t; files_type(virtlockd_var_lib_t) +type virtlogd_t; +type virtlogd_exec_t; +init_daemon_domain(virtlogd_t, virtlogd_exec_t) + +type virtlogd_run_t; +files_pid_file(virtlogd_run_t) + ifdef(`enable_mcs',` init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - mcs_systemhigh) + init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mcs_systemhigh) ') ifdef(`enable_mls',` init_ranged_daemon_domain(virtlockd_t, virtlockd_exec_t, s0 - mls_systemhigh) + init_ranged_daemon_domain(virtlogd_t, virtlogd_exec_t, s0 - mls_systemhigh) ') 
@@ -234,6 +243,9 @@ allow virt_domain virtd_t:fd use; allow virt_domain virtd_t:fifo_file rw_fifo_file_perms; allow virt_domain virtd_t:process sigchld; +allow virt_domain virtlogd_t:fd use; +allow virt_domain virtlogd_t:fifo_file rw_fifo_file_perms; + dontaudit virt_domain virtd_t:unix_stream_socket { read write }; manage_dirs_pattern(virt_domain, virt_cache_t, virt_cache_t) @@ -472,6 +484,9 @@ dontaudit virtd_t virt_domain:process { siginh noatsecure rlimitinh }; allow virtd_t { virt_domain svirt_lxc_domain }:unix_stream_socket { create_stream_socket_perms connectto }; allow virtd_t svirt_lxc_domain:process signal_perms; +allow virtd_t virtlogd_t:fd use; +allow virtd_t virtlogd_t:fifo_file rw_fifo_file_perms; + allow virtd_t virtd_lxc_t:process { signal signull sigkill }; domtrans_pattern(virtd_t, virtd_lxc_exec_t, virtd_lxc_t) @@ -558,6 +573,7 @@ filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t) +stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t) can_exec(virtd_t, virt_tmp_t) 
@@ -1319,3 +1335,29 @@ miscfiles_read_localization(virtlockd_t) virt_append_log(virtlockd_t) virt_read_config(virtlockd_t) + + +# +# Virtlogd local policy +# + +allow virtlogd_t self:fifo_file rw_fifo_file_perms; + +allow virtlogd_t virtd_t:dir list_dir_perms; +allow virtlogd_t virtd_t:file read_file_perms; +allow virtlogd_t virtd_t:lnk_file read_lnk_file_perms; + +manage_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t) +manage_sock_files_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t) +filetrans_pattern(virtlogd_t, virt_var_run_t, virtlogd_run_t, sock_file) +files_pid_filetrans(virtlogd_t, virtlogd_run_t, file) + +can_exec(virtlogd_t, virtlogd_exec_t) + +files_read_etc_files(virtlogd_t) +files_list_var_lib(virtlogd_t) + +miscfiles_read_localization(virtlogd_t) + +virt_manage_log(virtlogd_t) +virt_read_config(virtlogd_t)
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: 6fec98ded6c9bda1c731ab48a87265ace6cc43b1 Author: Jason Zaman perfinion com> AuthorDate: Tue Dec 6 15:00:17 2016 + Commit: Jason Zaman gentoo org> CommitDate: Tue Dec 6 15:02:34 2016 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6fec98de portage: add signal and FEATURES=test perms policy/modules/contrib/portage.te | 7 ++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/policy/modules/contrib/portage.te b/policy/modules/contrib/portage.te index 19bd8c8..52c6bf9 100644 --- a/policy/modules/contrib/portage.te +++ b/policy/modules/contrib/portage.te @@ -436,6 +436,8 @@ gen_tunable(portage_enable_test, false) allow portage_t self:capability2 block_suspend; + allow portage_t { portage_fetch_t portage_sandbox_t }:process signal_perms; + # Support self-update of Portage allow portage_t portage_tmp_t:dir relabel_dir_perms; allow portage_t portage_tmp_t:lnk_file relabel_lnk_file_perms; @@ -490,9 +492,12 @@ gen_tunable(portage_enable_test, false) tunable_policy(`portage_enable_test',` # lots of tests connect over loopback - corenet_tcp_bind_generic_node(portage_sandbox_t) corenet_tcp_bind_all_unreserved_ports(portage_sandbox_t) + corenet_tcp_bind_generic_node(portage_sandbox_t) corenet_tcp_connect_all_unreserved_ports(portage_sandbox_t) + corenet_udp_bind_all_unreserved_ports(portage_sandbox_t) + corenet_udp_bind_generic_node(portage_sandbox_t) + corenet_udp_sendrecv_all_ports(portage_sandbox_t) ') ##
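Review bot: In the `portage_enable_test` block the UDP side gets `corenet_udp_sendrecv_all_ports(portage_sandbox_t)` while the TCP side is limited to unreserved ports (`corenet_tcp_bind_all_unreserved_ports`, `corenet_tcp_connect_all_unreserved_ports`), so the two protocols now have different scope and the UDP rule reaches reserved ports as well; if the tests only use high loopback ports, mirroring the TCP choice with an unreserved-port-scoped rule keeps the two in step. The comment `# lots of tests connect over loopback` could also note that the UDP lines were added for the same reason. `signal_perms` in hunk @@ -436 includes sigkill and sigstop, which is more than the title's "signal" suggests — reasonable for portage supervising its fetch and sandbox helpers, but worth a word in the message.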
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: d1fbfee8d08f96007893d2c06440077de0048d7f Author: Jason Zaman perfinion com> AuthorDate: Wed Aug 31 15:03:49 2016 + Commit: Jason Zaman gentoo org> CommitDate: Tue Dec 6 15:02:54 2016 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d1fbfee8 WIP virt: image type perms policy/modules/contrib/virt.te | 7 +++ 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te index 0adbdb1..fd357c4 100644 --- a/policy/modules/contrib/virt.te +++ b/policy/modules/contrib/virt.te @@ -468,7 +468,7 @@ tunable_policy(`virt_use_vfio',` # allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice }; -allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsockcreate setsched }; +allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setrlimit setsockcreate setsched }; allow virtd_t self:fifo_file { manage_fifo_file_perms relabelfrom relabelto }; allow virtd_t self:unix_stream_socket { accept connectto listen relabelfrom relabelto }; allow virtd_t self:tcp_socket { accept listen }; @@ -530,9 +530,9 @@ manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type) manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type) allow virtd_t virt_image_type:file relabel_file_perms; +allow virtd_t virt_image_type:dir { manage_dir_perms relabel_dir_perms }; allow virtd_t virt_image_type:blk_file relabel_blk_file_perms; allow virtd_t virt_image_type:chr_file relabel_chr_file_perms; -allow virtd_t virt_image_type:chr_file relabel_chr_file_perms; allow virtd_t virt_ptynode:chr_file rw_term_perms; 
@@ -572,7 +572,7 @@ manage_files_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t) filetrans_pattern(virtd_t, virt_var_run_t, virtd_lxc_var_run_t, dir, "lxc") stream_connect_pattern(virtd_t, virtd_lxc_var_run_t, virtd_lxc_var_run_t, virtd_lxc_t) -stream_connect_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t, virt_domain) +stream_connect_pattern(virtd_t, { virt_image_type svirt_var_run_t }, { virt_image_type svirt_var_run_t}, virt_domain) stream_connect_pattern(virtd_t, virt_var_run_t, virtlockd_run_t, virtlockd_t) stream_connect_pattern(virtd_t, virt_var_run_t, virtlogd_run_t, virtlogd_t) @@ -714,7 +714,6 @@ tunable_policy(`virt_use_samba',` tunable_policy(`virt_use_vfio',` allow virtd_t self:capability sys_resource; - allow virtd_t self:process setrlimit; allow virtd_t svirt_t:process rlimitinh; dev_relabelfrom_vfio_dev(virtd_t) ')
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
commit: 4871e1eccd9f29ce8b8beb97e462bf3c506946b4 Author: Jason Zaman perfinion com> AuthorDate: Thu Aug 11 05:49:02 2016 + Commit: Jason Zaman gentoo org> CommitDate: Tue Dec 6 15:02:54 2016 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4871e1ec virt: need to relabel to set categories libvirtError: unable to set security context 'system_u:object_r:svirt_image_t:s0:c50,c346' on '/var/lib/libvirt/qemu/domain-1-zfstest': Permission denied policy/modules/contrib/virt.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te index dc4c94d..a29f333 100644 --- a/policy/modules/contrib/virt.te +++ b/policy/modules/contrib/virt.te @@ -501,6 +501,7 @@ filetrans_pattern(virtd_t, virt_home_t, virt_content_t, dir, "isos") allow virtd_t virtd_keytab_t:file read_file_perms; allow virtd_t svirt_var_run_t:file relabel_file_perms; +allow virtd_t svirt_var_run_t:dir relabel_dir_perms; manage_dirs_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t) manage_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t) manage_sock_files_pattern(virtd_t, svirt_var_run_t, svirt_var_run_t)