[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/kernel/, policy/modules/system/

2017-09-10 Thread Jason Zaman
commit: df80c8bf3a5c5e581370d75bf6ea5154a8b02b0b
Author: Jason Zaman  perfinion  com>
AuthorDate: Sun Sep 10 13:00:36 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Sep 10 13:00:36 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=df80c8bf

Allow sysadm to map all non auth files

 policy/modules/kernel/files.if  | 20 
 policy/modules/system/userdomain.if |  1 +
 2 files changed, 21 insertions(+)

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index f2b76f86..35dcfe7b 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1474,6 +1474,26 @@ interface(`files_manage_non_auth_files',`
 
 
 ## 
+## Mmap non-authentication related
+## files.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+## 
+#
+interface(`files_map_non_auth_files',`
+   gen_require(`
+   attribute non_auth_file_type;
+   ')
+
+   allow $1 non_auth_file_type:file map;
+')
+
+
+## 
 ## Relabel all non-authentication related
 ## files.
 ## 
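Review bot: The summary above `allow $1 non_auth_file_type:file map;` should say what the permission does and does not cover, because the rule applies to every type carrying the non_auth_file_type attribute: `map` is checked on any mmap of a file with one of those types, while a PROT_EXEC mapping still needs `execute` on the file type, which this interface does not grant. Suggest extending the summary to `## Mmap non-authentication related files. Does not grant execute; PROT_EXEC mappings still require execute on the file type.` The sysadm caller added in userdomain.if already holds files_manage_non_auth_files, so the added exposure there is small, but other callers should prefer a per-type map interface where one exists.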

diff --git a/policy/modules/system/userdomain.if 
b/policy/modules/system/userdomain.if
index 84e9c57e..16789a3c 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1256,6 +1256,7 @@ template(`userdom_admin_user_template',`
auth_getattr_shadow($1_t)
# Manage almost all files
files_manage_non_auth_files($1_t)
+   files_map_non_auth_files($1_t)
# Relabel almost all files
files_relabel_non_auth_files($1_t)
 



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/kernel/

2017-09-10 Thread Jason Zaman
commit: f17aea4c3e4b4c9848d7fe4132cf8652ba3f58a6
Author: Jason Zaman  perfinion  com>
AuthorDate: Sun Sep 10 12:49:59 2017 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Sep 10 12:49:59 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f17aea4c

files: Allow files_*_etc_files to map files

 policy/modules/kernel/files.if | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 7a15f1dd..f2b76f86 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -2920,6 +2920,7 @@ interface(`files_read_etc_files',`
')
 
allow $1 etc_t:dir list_dir_perms;
+   allow $1 etc_t:file map;
read_files_pattern($1, etc_t, etc_t)
read_lnk_files_pattern($1, etc_t, etc_t)
 ')
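Review bot: The `allow $1 etc_t:file map;` line added here, and the identical lines in the files_rw_etc_files and files_manage_etc_files hunks below, change the contract of three interfaces whose summaries sit outside the hunk; those summaries presumably still describe only read, rw and manage and should mention that callers may now mmap etc_t files. A one-line addition such as `## Includes mmap of the files.` under each summary would keep the generated interface documentation accurate. files_read_etc_files is presumably called from a large share of domains, so the map grant is effectively policy-wide; that is expected for /etc but worth stating in the commit description.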
@@ -2959,6 +2960,7 @@ interface(`files_rw_etc_files',`
')
 
allow $1 etc_t:dir list_dir_perms;
+   allow $1 etc_t:file map;
rw_files_pattern($1, etc_t, etc_t)
read_lnk_files_pattern($1, etc_t, etc_t)
 ')
@@ -2980,6 +2982,7 @@ interface(`files_manage_etc_files',`
type etc_t;
')
 
+   allow $1 etc_t:file map;
manage_files_pattern($1, etc_t, etc_t)
read_lnk_files_pattern($1, etc_t, etc_t)
 ')



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/kernel/

2017-01-01 Thread Jason Zaman
commit: 1a61c661fe20b6990ecb37c4a3c7ab2f9c9f5f3c
Author: Guido Trentalancia  trentalancia  net>
AuthorDate: Sun Dec 18 20:58:44 2016 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Jan  1 16:26:28 2017 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1a61c661

kernel: missing permissions for confined execution

This patch adds permissions that were missing from the kernel module and
prevented it from running without the unconfined module.

This second version improves the comment section of new interfaces:
"Domain" is replaced by "Domain allowed access".

Signed-off-by: Guido Trentalancia  trentalancia.net>

 policy/modules/kernel/devices.if|  56 +++
 policy/modules/kernel/files.if  | 131 
 policy/modules/kernel/filesystem.if |  18 +
 policy/modules/kernel/kernel.if |  18 +
 policy/modules/kernel/kernel.te |  34 ++
 policy/modules/kernel/terminal.if   |  20 ++
 6 files changed, 277 insertions(+)

diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 3f05417..7d99b29 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -480,6 +480,25 @@ interface(`dev_dontaudit_getattr_generic_blk_files',`
 
 
 ## 
+## Set the attributes on generic
+## block devices.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`dev_setattr_generic_blk_files',`
+   gen_require(`
+   type device_t;
+   ')
+
+   allow $1 device_t:blk_file setattr;
+')
+
+
+## 
 ## Dontaudit setattr on generic block devices.
 ## 
 ## 
@@ -570,6 +589,25 @@ interface(`dev_dontaudit_getattr_generic_chr_files',`
 
 
 ## 
+## Set the attributes for generic
+## character device files.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`dev_setattr_generic_chr_files',`
+   gen_require(`
+   type device_t;
+   ')
+
+   allow $1 device_t:chr_file setattr;
+')
+
+
+## 
 ## Dontaudit setattr for generic character device files.
 ## 
 ## 
@@ -3897,6 +3935,24 @@ interface(`dev_manage_smartcard',`
 
 
 ## 
+## Mount a filesystem on sysfs.
+## 
+## 
+## 
+## Domain allow access.
+## 
+## 
+#
+interface(`dev_mounton_sysfs',`
+   gen_require(`
+   type device_t;
+   ')
+
+   allow $1 sysfs_t:dir mounton;
+')
+
+
+## 
 ## Associate a file to a sysfs filesystem.
 ## 
 ## 
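Review bot: `dev_mounton_sysfs` requires `type device_t;` but its only rule, `allow $1 sysfs_t:dir mounton;`, uses sysfs_t, so the gen_require names the wrong type and should read `type sysfs_t;`. As written, a loadable module that calls this interface would reference sysfs_t without declaring it and would likely fail under checkmodule. The parameter text `## Domain allow access.` also diverges from the `## Domain allowed access.` wording the commit message says was standardised and that the two preceding hunks use.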

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 3fc0487..b5eeaf8 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1786,6 +1786,25 @@ interface(`files_list_root',`
 
 
 ## 
+## Delete symbolic links in the
+## root directory.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`files_delete_root_symlinks',`
+   gen_require(`
+   type root_t;
+   ')
+
+   allow $1 root_t:lnk_file delete_lnk_file_perms;
+')
+
+
+## 
 ## Do not audit attempts to write to / dirs.
 ## 
 ## 
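Review bot: The new root_t interfaces in this file (here, and the files_delete_root_chr_files and files_exec_root_files hunks below) use bare `allow` rules on the object class only, whereas sibling interfaces such as files_exec_etc_files use the `*_pattern` macros (`exec_files_pattern($1, etc_t, etc_t)` is visible in another commit on this page), which also grant the directory permissions the operation needs. If leaving out the dir permissions on root_t is deliberate because callers already hold them, a short comment saying so would stop the next reader from "fixing" it; otherwise `delete_lnk_files_pattern($1, root_t, root_t)`, `delete_chr_files_pattern($1, root_t, root_t)` and `exec_files_pattern($1, root_t, root_t)` would match the house style.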
@@ -1914,6 +1933,25 @@ interface(`files_dontaudit_rw_root_chr_files',`
 
 
 ## 
+## Delete character device nodes in
+## the root directory.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`files_delete_root_chr_files',`
+   gen_require(`
+   type root_t;
+   ')
+
+   allow $1 root_t:chr_file delete_chr_file_perms;
+')
+
+
+## 
 ## Delete files in the root directory.
 ## 
 ## 
@@ -1932,6 +1970,24 @@ interface(`files_delete_root_files',`
 
 
 ## 
+## Execute files in the root directory.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`files_exec_root_files',`
+   gen_require(`
+   type root_t;
+   ')
+
+   allow $1 root_t:file exec_file_perms;
+')
+
+
+## 
 ## Remove entries from the root directory.
 ## 
 ## 
@@ -1950,6 +2006,43 @@ interface(`files_delete_root_dir_entry',`
 
 
 ## 
+## Manage the root directory.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`files_manage_root_dir',`
+   gen_require(`
+   type root_t;
+   ')
+
+   allow $1 root_t:dir manage_dir_perms;
+')
+
+
+## 
+## Get the attributes of a rootfs
+## file system.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`files_getat

[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/kernel/, policy/modules/services/, policy/modules/system/

2015-10-25 Thread Jason Zaman
commit: eaa1a1b1454ce8ae38f2d84774b3047e9203efd9
Author: Chris PeBenito  tresys  com>
AuthorDate: Tue Oct 20 18:33:56 2015 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Mon Oct 26 03:54:24 2015 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=eaa1a1b1

Add systemd units for core refpolicy services.

Only for services that already have a named init script.

Add rules to init_startstop_service(), with a conditional argument until
all refpolicy-contrib callers are updated.

 policy/modules/kernel/files.if| 18 ++
 policy/modules/services/postgresql.if |  4 ++--
 policy/modules/services/postgresql.te |  3 +++
 policy/modules/system/init.if | 17 +
 policy/modules/system/init.te |  3 +++
 policy/modules/system/ipsec.if|  3 ++-
 policy/modules/system/ipsec.te|  3 +++
 policy/modules/system/iptables.fc |  5 +
 policy/modules/system/iptables.if |  4 ++--
 policy/modules/system/iptables.te |  3 +++
 policy/modules/system/logging.fc  |  2 ++
 policy/modules/system/logging.if  |  8 
 policy/modules/system/logging.te  |  6 ++
 policy/modules/system/lvm.fc  |  6 ++
 policy/modules/system/lvm.if  |  4 ++--
 policy/modules/system/lvm.te  |  3 +++
 policy/modules/system/setrans.if  |  4 ++--
 policy/modules/system/setrans.te  |  3 +++
 18 files changed, 86 insertions(+), 13 deletions(-)

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index cbb8afe..20acc0e 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -2892,6 +2892,24 @@ interface(`files_exec_etc_files',`
exec_files_pattern($1, etc_t, etc_t)
 ')
 
+
+## 
+## Get etc_t service status.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`files_get_etc_unit_status',`
+   gen_require(`
+   type etc_t;
+   ')
+
+   allow $1 etc_t:service status;
+')
+
 ###
 ## 
 ## Relabel from and to generic files in /etc.
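Review bot: `files_get_etc_unit_status` uses the `service` class in `allow $1 etc_t:service status;` but its gen_require declares only `type etc_t;`; the init_startstop_service hunk in this same commit requires `class service { start stop };` before its service rule, and this interface should likewise require `class service status;`. Without it, a loadable module calling the interface references a class permission it has not declared. The summary `## Get etc_t service status.` is also cryptic for readers of the generated docs; if the intent is unit files labeled etc_t, `## Get the status of systemd units labeled etc_t.` says so.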

diff --git a/policy/modules/services/postgresql.if 
b/policy/modules/services/postgresql.if
index 11526b6..32e5d06 100644
--- a/policy/modules/services/postgresql.if
+++ b/policy/modules/services/postgresql.if
@@ -587,7 +587,7 @@ interface(`postgresql_admin',`
type postgresql_t, postgresql_var_run_t;
type postgresql_tmp_t, postgresql_db_t;
type postgresql_etc_t, postgresql_log_t;
-   type postgresql_initrc_exec_t;
+   type postgresql_initrc_exec_t, postgresql_unit_t;
')
 
typeattribute $1 sepgsql_admin_type;
@@ -595,7 +595,7 @@ interface(`postgresql_admin',`
allow $1 postgresql_t:process { ptrace signal_perms };
ps_process_pattern($1, postgresql_t)
 
-   init_startstop_service($1, $2, postgresql_t, postgresql_initrc_exec_t)
+   init_startstop_service($1, $2, postgresql_t, postgresql_initrc_exec_t, 
postgresql_unit_t)
 
admin_pattern($1, postgresql_var_run_t)
 

diff --git a/policy/modules/services/postgresql.te 
b/policy/modules/services/postgresql.te
index b4ba0f1..6844c35 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -61,6 +61,9 @@ logging_log_file(postgresql_log_t)
 type postgresql_tmp_t;
 files_tmp_file(postgresql_tmp_t)
 
+type postgresql_unit_t;
+init_unit_file(postgresql_unit_t)
+
 type postgresql_var_run_t;
 files_pid_file(postgresql_var_run_t)
 init_daemon_pid_file(postgresql_var_run_t, dir, "postgresql")

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 192508f..cfe4bd4 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1392,6 +1392,11 @@ interface(`init_all_labeled_script_domtrans',`
 ## Labeled init script file.
 ## 
 ## 
+## 
+## 
+## Systemd unit file type.
+## 
+## 
 #
 interface(`init_startstop_service',`
gen_require(`
@@ -1409,6 +1414,18 @@ interface(`init_startstop_service',`
role_transition $2 $4 system_r;
allow $2 system_r;
')
+
+   ifdef(`init_systemd',`
+   # This ifelse condition is temporary, until
+   # all callers are updated to provide unit files.
+   ifelse(`$5',`',`',`
+   gen_require(`
+   class service { start stop };
+   ')
+
+   allow $1 $5:service { start stop };
+   ')
+   ')
')
 ')
 

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 916b895..79400f2 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -746,6 +746,9 @@ ifdef(`init_s

[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/kernel/, policy/modules/system/

2015-10-25 Thread Jason Zaman
commit: d92bdf260887935367802afbbaf25d399c020cd5
Author: Chris PeBenito  tresys  com>
AuthorDate: Fri Oct 23 14:16:59 2015 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Mon Oct 26 03:52:47 2015 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d92bdf26

Implement core systemd policy.

Significant contributions from the Tresys CLIP team.

Other changes from Laurent Bigonville.

 policy/modules/kernel/corecommands.fc |   2 +
 policy/modules/kernel/domain.te   |   6 +
 policy/modules/kernel/files.if| 172 ++
 policy/modules/kernel/filesystem.if   |  73 
 policy/modules/kernel/kernel.if   |  60 +++-
 policy/modules/kernel/terminal.if |  19 ++
 policy/modules/system/authlogin.if|  19 ++
 policy/modules/system/init.fc |   4 +
 policy/modules/system/init.if | 608 +-
 policy/modules/system/init.te | 176 +-
 policy/modules/system/locallogin.if   |  21 ++
 policy/modules/system/logging.if  |  38 +++
 policy/modules/system/lvm.if  |  20 ++
 policy/modules/system/systemd.fc  |  39 +++
 policy/modules/system/systemd.if  | 195 +++
 policy/modules/system/systemd.te  | 264 +++
 policy/modules/system/udev.if |  19 ++
 17 files changed, 1711 insertions(+), 24 deletions(-)

diff --git a/policy/modules/kernel/corecommands.fc 
b/policy/modules/kernel/corecommands.fc
index f465e43..b4e192a 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -242,6 +242,8 @@ ifdef(`distro_gentoo',`
 /usr/lib/rpm/rpmv  --  gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/sftp-server   --  gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/sudo/sesh --  
gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/lib/systemd/system-generators(/.*)? 
gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/systemd/user-generators(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/tumbler-1/tumblerd--  gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/vte/gnome-pty-helper  --  gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/xfce4/exo-1/exo-compose-mail-1 -- 
gen_context(system_u:object_r:bin_t,s0)

diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
index 451a1be..6c3ef60 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -115,6 +115,12 @@ ifdef(`hide_broken_symptoms',`
dontaudit domain self:udp_socket listen;
 ')
 
+ifdef(`init_systemd',`
+   optional_policy(`
+   shutdown_sigchld(domain)
+   ')
+')
+
 tunable_policy(`global_ssp',`
# enable reading of urandom for all domains:
# this should be enabled when all programs

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index dd16f74..cbb8afe 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -563,6 +563,24 @@ interface(`files_manage_non_security_dirs',`
 
 
 ## 
+## Relabel from/to non-security directories.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`files_relabel_non_security_dirs',`
+   gen_require(`
+   attribute non_security_file_type;
+   ')
+
+   relabel_dirs_pattern($1, non_security_file_type, non_security_file_type)
+')
+
+
+## 
 ## Get the attributes of all files.
 ## 
 ## 
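Review bot: `relabel_dirs_pattern($1, non_security_file_type, non_security_file_type)` lets the caller relabel any non-security directory to any other non-security type, and the files_manage_non_security_files / files_relabel_non_security_files hunk below does the same for files; the summaries should make that breadth explicit so the interfaces are not picked up casually. Suggested summary for this one: `## Relabel from/to non-security directories. Covers every type with the non_security_file_type attribute, so the caller can change the label of essentially any non-security directory; intended for trusted init/system domains.` A matching sentence on the two file interfaces would keep the three consistent.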
@@ -620,6 +638,44 @@ interface(`files_dontaudit_getattr_non_security_files',`
 
 
 ## 
+## Create, read, write, and delete all non-security files.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+## 
+#
+interface(`files_manage_non_security_files',`
+   gen_require(`
+   attribute non_security_file_type;
+   ')
+
+   manage_files_pattern($1, non_security_file_type, non_security_file_type)
+')
+
+
+## 
+## Relabel from/to all non-security files.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+## 
+#
+interface(`files_relabel_non_security_files',`
+   gen_require(`
+   attribute non_security_file_type;
+   ')
+
+   relabel_files_pattern($1, non_security_file_type, 
non_security_file_type)
+')
+
+
+## 
 ## Read all files.
 ## 
 ## 
@@ -1948,6 +2004,24 @@ interface(`files_unmount_rootfs',`
 
 
 ## 
+## Mount on the root directory (/)
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`files_mounton_root',`
+   gen_require(`
+   type root_t;
+   ')
+
+   allow $1 root_t:dir mounton;
+')
+
+
+## 
 ## Get attributes of the /boot directory.
 ## 
 ## 
@@ -4398,6 +4472,24 @@ interface(`

[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/kernel/, policy/modules/services/, policy/modules/system/

2015-10-25 Thread Jason Zaman
commit: 5dece5bd67bca8c3df92c74d776119ae9af8ebc2
Author: Chris PeBenito  tresys  com>
AuthorDate: Tue Oct 20 18:48:38 2015 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Mon Oct 26 03:52:58 2015 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5dece5bd

Add supporting rules for domains tightly-coupled with systemd.

 policy/modules/kernel/devices.if| 52 +
 policy/modules/kernel/kernel.te | 17 
 policy/modules/services/ssh.te  |  5 
 policy/modules/system/init.te   |  1 +
 policy/modules/system/locallogin.te |  8 ++
 policy/modules/system/logging.fc|  1 +
 policy/modules/system/logging.te| 22 
 policy/modules/system/lvm.te|  6 +
 policy/modules/system/modutils.te   |  8 ++
 policy/modules/system/sysnetwork.te |  8 ++
 policy/modules/system/udev.te   | 12 +
 11 files changed, 135 insertions(+), 5 deletions(-)

diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 835ec14..a052db5 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -143,11 +143,11 @@ interface(`dev_relabel_all_dev_nodes',`
type device_t;
')
 
-   relabelfrom_dirs_pattern($1, device_t, device_node)
-   relabelfrom_files_pattern($1, device_t, device_node)
+   relabelfrom_dirs_pattern($1, device_t, { device_t device_node })
+   relabelfrom_files_pattern($1, device_t, { device_t device_node })
relabelfrom_lnk_files_pattern($1, device_t, { device_t device_node })
-   relabelfrom_fifo_files_pattern($1, device_t, device_node)
-   relabelfrom_sock_files_pattern($1, device_t, device_node)
+   relabelfrom_fifo_files_pattern($1, device_t, { device_t device_node })
+   relabelfrom_sock_files_pattern($1, device_t, { device_t device_node })
relabel_blk_files_pattern($1, device_t, { device_t device_node })
relabel_chr_files_pattern($1, device_t, { device_t device_node })
 ')
@@ -709,7 +709,7 @@ interface(`dev_relabelfrom_generic_chr_files',`
type device_t;
')
 
-   allow $1 device_t:chr_file relabelfrom;
+   allow $1 device_t:chr_file relabelfrom_chr_file_perms;
 ')
 
 
@@ -1943,6 +1943,30 @@ interface(`dev_filetrans_dri',`
 
 
 ## 
+## Automatic type transition to the type
+## for event device nodes when created in /dev.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+## 
+## 
+## The name of the object being created.
+## 
+## 
+#
+interface(`dev_filetrans_input_dev',`
+   gen_require(`
+   type device_t, event_device_t;
+   ')
+
+   filetrans_pattern($1, device_t, event_device_t, chr_file, $2)
+')
+
+
+## 
 ## Get the attributes of the event devices.
 ## 
 ## 
@@ -2017,6 +2041,24 @@ interface(`dev_rw_input_dev',`
 
 
 ## 
+## Create, read, write, and delete input event devices (/dev/input).
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+#
+interface(`dev_manage_input_dev',`
+   gen_require(`
+   type device_t, event_device_t;
+   ')
+
+   manage_chr_files_pattern($1, device_t, event_device_t)
+')
+
+
+## 
 ## Get the attributes of the framebuffer device node.
 ## 
 ## 

diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 14b5713..f2d5756 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -299,6 +299,23 @@ ifdef(`distro_redhat',`
fs_rw_tmpfs_chr_files(kernel_t)
 ')
 
+ifdef(`init_systemd',`
+   optional_policy(`
+   dev_manage_input_dev(kernel_t)
+   dev_filetrans_input_dev(kernel_t)
+   ')
+
+   optional_policy(`
+   selinux_compute_create_context(kernel_t)
+   ')
+
+   optional_policy(`
+   storage_dev_filetrans_fixed_disk(kernel_t)
+   storage_setattr_fixed_disk_dev(kernel_t)
+   storage_create_fixed_disk_dev(kernel_t)
+   ')
+')
+
 optional_policy(`
# loop devices
fstools_use_fds(kernel_t)

diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 783d0e7..e5932aa 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -266,6 +266,11 @@ ifdef(`distro_debian',`
allow sshd_t self:process { getcap setcap };
 ')
 
+ifdef(`init_systemd',`
+   systemd_dbus_chat_logind(sshd_t)
+   init_rw_stream_sockets(sshd_t)
+')
+
 tunable_policy(`ssh_sysadm_login',`
# Relabel and access ptys created by sshd
# ioctl is necessary for logout() processing for utmp entry and for w to
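Review bot: The `systemd_dbus_chat_logind(sshd_t)` call inside the new `ifdef(`init_systemd',`` block is not wrapped in `optional_policy()`, unlike the init_systemd block added to kernel.te in this same commit, which wraps each cross-module call in `optional_policy(`...')`. If systemd is built as a loadable module rather than base, ssh.te will fail to build when that module is absent; `optional_policy(` systemd_dbus_chat_logind(sshd_t) ')` matches the kernel.te pattern. `init_rw_stream_sockets(sshd_t)` can stay unwrapped provided init is built as base, as it is in upstream refpolicy.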

diff --git a/policy/modules/system/init.te b/policy/modules/sy

[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/kernel/

2015-10-11 Thread Jason Zaman
commit: 925d12599d01cf3fa5936cd5a5d7fb669b712b0b
Author: Jason Zaman  perfinion  com>
AuthorDate: Sat Oct 10 17:03:09 2015 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sat Oct 10 17:03:09 2015 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=925d1259

Add overlayfs as an XATTR capable fs

The module is called "overlay" in the kernel

 policy/modules/kernel/filesystem.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/kernel/filesystem.te 
b/policy/modules/kernel/filesystem.te
index 840f0b2..aba6d88 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -35,6 +35,7 @@ fs_use_xattr gpfs gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr lustre gen_context(system_u:object_r:fs_t,s0);
+fs_use_xattr overlay gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr squashfs gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr zfs gen_context(system_u:object_r:fs_t,s0);



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/kernel/

2015-10-11 Thread Jason Zaman
commit: 50f8ca591816aac7bf881211f9b722955d59fc29
Author: Alexander Wetzel  web  de>
AuthorDate: Sat Sep  5 07:41:48 2015 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Sep 20 06:52:53 2015 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=50f8ca59

adds vfio device support to base policy

Signed-off-by: Alexander Wetzel  web.de>

 policy/modules/kernel/devices.fc |  1 +
 policy/modules/kernel/devices.if | 36 
 policy/modules/kernel/devices.te |  3 +++
 3 files changed, 40 insertions(+)

diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
index d6ebfcd..a33e395 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -118,6 +118,7 @@
 ifdef(`distro_suse', `
 /dev/usbscanner-c  
gen_context(system_u:object_r:scanner_device_t,s0)
 ')
+/dev/vfio/.+   -c  gen_context(system_u:object_r:vfio_device_t,s0)
 /dev/vhost-net -c  gen_context(system_u:object_r:vhost_device_t,s0)
 /dev/vbi.* -c  gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/vbox.*-c  
gen_context(system_u:object_r:xserver_misc_device_t,s0)

diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index ed25979..835ec14 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -4611,6 +4611,42 @@ interface(`dev_write_video_dev',`
 
 
 ## 
+##  Read and write vfio devices.
+## 
+## 
+##  
+##  Domain allowed access.
+##  
+## 
+#
+interface(`dev_rw_vfio_dev',`
+   gen_require(`
+   type device_t, vfio_device_t;
+   ')
+
+   rw_chr_files_pattern($1, device_t, vfio_device_t)
+')
+
+
+## 
+##  Relabel vfio devices.
+## 
+## 
+##  
+##  Domain allowed access.
+##  
+## 
+#
+interface(`dev_relabelfrom_vfio_dev',`
+   gen_require(`
+   type device_t, vfio_device_t;
+   ')
+
+   relabelfrom_chr_files_pattern($1, device_t, vfio_device_t)
+')
+
+
+## 
 ## Allow read/write the vhost net device
 ## 
 ## 
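Review bot: The summary of `dev_relabelfrom_vfio_dev` reads `##  Relabel vfio devices.` but the body only grants relabelfrom via `relabelfrom_chr_files_pattern($1, device_t, vfio_device_t)`; the summary should read `## Relabel from vfio devices.` so callers do not expect relabelto. The summary and parameter lines in both new interfaces also carry a double space after `##`, which the surrounding interfaces in this file do not use.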

diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 166c8f7..eb12597 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -273,6 +273,9 @@ dev_node(usbmon_device_t)
 type userio_device_t;
 dev_node(userio_device_t)
 
+type vfio_device_t;
+dev_node(vfio_device_t)
+
 type v4l_device_t;
 dev_node(v4l_device_t)
 



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/kernel/

2015-10-11 Thread Jason Zaman
commit: 028f1be9b96aeef997d18a421e05e4bbd2b20bbc
Author: Chris PeBenito  tresys  com>
AuthorDate: Tue Sep 15 12:39:21 2015 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Sep 20 06:52:53 2015 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=028f1be9

Module version bump for vfio device from Alexander Wetzel.

 policy/modules/kernel/devices.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index eb12597..e5bcfcd 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -1,4 +1,4 @@
-policy_module(devices, 1.17.0)
+policy_module(devices, 1.17.1)
 
 
 #



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/kernel/

2015-08-25 Thread Jason Zaman
commit: a979dd138209b265b8458e2ef901a61262570518
Author: Jason Zaman  perfinion  com>
AuthorDate: Wed Aug 26 06:02:55 2015 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Wed Aug 26 06:02:55 2015 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a979dd13

introduce fs_cgroup_filetrans() interface

 policy/modules/kernel/filesystem.if | 37 +
 1 file changed, 37 insertions(+)

diff --git a/policy/modules/kernel/filesystem.if 
b/policy/modules/kernel/filesystem.if
index b6b7063..4ddef7c 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -4988,3 +4988,40 @@ interface(`fs_unconfined',`
 
typeattribute $1 filesystem_unconfined_type;
 ')
+
+# gentoo specific under here but not allowed ifdef
+
+
+## 
+## Create an object in a cgroup tmpfs filesystem, with a private
+## type using a type transition.
+## 
+## 
+## 
+## Domain allowed access.
+## 
+## 
+## 
+## 
+## The type of the object to be created.
+## 
+## 
+## 
+## 
+## The object class of the object being created.
+## 
+## 
+## 
+## 
+## The name of the object being created.
+## 
+## 
+#
+interface(`fs_cgroup_filetrans',`
+   gen_require(`
+   type cgroup_t;
+   ')
+
+   allow $2 tmpfs_t:filesystem associate;
+   filetrans_pattern($1, cgroup_t, $2, $3, $4)
+')
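Review bot: `fs_cgroup_filetrans` uses tmpfs_t in `allow $2 tmpfs_t:filesystem associate;` but its gen_require declares only `type cgroup_t;`; it should be `type cgroup_t, tmpfs_t;`, otherwise a calling loadable module references an undeclared type. The comment `# gentoo specific under here but not allowed ifdef` is hard to parse; if it means that interface definitions below are Gentoo-specific but cannot be placed inside an ifdef, spell that out, e.g. `# Gentoo-specific interfaces below; interface definitions cannot be wrapped in ifdef(`distro_gentoo')` — confirm that is the reason.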



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/kernel/

2015-07-13 Thread Jason Zaman
commit: de1e97adf612ca76797503eb1e8b8369dc428021
Author: Sven Vermeulen  siphos  be>
AuthorDate: Sat Jul 11 14:10:08 2015 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Mon Jul 13 17:35:07 2015 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=de1e97ad

Enable Ceph as a valid SELinux-enabled file system

 policy/modules/kernel/filesystem.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/kernel/filesystem.te 
b/policy/modules/kernel/filesystem.te
index 32ecb93..840f0b2 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -22,6 +22,7 @@ sid fs gen_context(system_u:object_r:fs_t,s0)
 # Use xattrs for the following filesystem types.
 # Requires that a security xattr handler exist for the filesystem.
 fs_use_xattr btrfs gen_context(system_u:object_r:fs_t,s0);
+fs_use_xattr ceph gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr encfs gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr ext3 gen_context(system_u:object_r:fs_t,s0);



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/kernel/

2015-06-07 Thread Sven Vermeulen
commit: 2b907c6e33c8e7ada4826e2b94d699a8666eadf1
Author: Sven Vermeulen  siphos  be>
AuthorDate: Sun Jun  7 09:17:36 2015 +
Commit: Sven Vermeulen  gentoo  org>
CommitDate: Sun Jun  7 09:17:36 2015 +
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2b907c6e

Add dev_dontaudit_usbmon_dev interface

This will allow us to hide avc denials for applications erroneously
trying to read the usbmon device files.

 policy/modules/kernel/devices.if | 19 +++
 1 file changed, 19 insertions(+)

diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 5ab0f6e..ed25979 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -5008,3 +5008,22 @@ interface(`dev_relabel_cpu_online',`
dev_search_sysfs($1)
allow $1 cpu_online_t:file relabel_file_perms;
 ')
+
+
+## 
+## Dont audit attempts to read usbmon devices
+## 
+## 
+## 
+## Domain for which the attempts do not need to be audited
+## 
+## 
+#
+interface(`dev_dontaudit_read_usbmon_dev',`
+   gen_require(`
+   type usbmon_device_t;
+   ')
+
+   dontaudit $1 usbmon_device_t:chr_file read_file_perms;
+')
+
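Review bot: The hunk ends with an added empty line after `')`, leaving devices.if with a trailing blank line; the interface at the top of the hunk ended the file directly after `')`, and the new one should too. The parameter text `## Domain for which the attempts do not need to be audited` is wordier than the `## Domain allowed access.` style used elsewhere in this file; `## Domain to not audit.` is the usual form for dontaudit interfaces, and the summary is missing its final period. The commit title names the interface dev_dontaudit_usbmon_dev while the hunk defines dev_dontaudit_read_usbmon_dev; the name in the hunk is the more precise one, the title just does not match.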



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/kernel/, policy/

2015-03-04 Thread Sven Vermeulen
commit: cf050c09f77027dd6ae24e17e5035b617e2d682b
Author: Sven Vermeulen  siphos  be>
AuthorDate: Wed Mar  4 17:14:12 2015 +
Commit: Sven Vermeulen  gentoo  org>
CommitDate: Wed Mar  4 17:39:39 2015 +
URL:
http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=cf050c09

Mark storage as base module

All modules within the base should not depend on anything that is
modular. However recently we had to allow kernel_t certain privileges
which are covered not only by an interface of the storage module (which
is not an issue) but also by an attribute that is managed by that
module.

As a result, base fails to build:

$ make base
Compiling mcs base module
/usr/bin/checkmodule:  loading policy configuration from base.conf
policy/modules/kernel/kernel.te:433:ERROR 'attribute fixed_disk_raw_read
is not declared' at token ';' on line 23210:
typeattribute kernel_t fixed_disk_raw_read;
\#line 433
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
Rules.modular:98: recipe for target 'tmp/base.mod' failed
make: *** [tmp/base.mod] Error 1

Move storage to a base module.

X-Gentoo-Bug: 535992
X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=535992

 policy/modules.conf  | 2 +-
 policy/modules/kernel/storage.if | 4 
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/policy/modules.conf b/policy/modules.conf
index b9b41d9..5d9eee7 100644
--- a/policy/modules.conf
+++ b/policy/modules.conf
@@ -2306,7 +2306,7 @@ zosremote = module
 #
 # Policy controlling access to storage devices
 # 
-storage = module
+storage = base
 
 # Layer: roles
 # Module: auditadm

diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
index 5c1be6b..8a7119d 100644
--- a/policy/modules/kernel/storage.if
+++ b/policy/modules/kernel/storage.if
@@ -1,4 +1,8 @@
 ## Policy controlling access to storage devices
+## 
+## This module defines attributes that are used by other
+## required modules (such as kernel_t in the kernel module)
+## 
 
 
 ## 



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/kernel/

2015-02-24 Thread Jason Zaman
commit: a6c696a96462a5b864f763abbdfae867c3410a52
Author: Chris PeBenito  tresys  com>
AuthorDate: Mon Feb  9 21:02:36 2015 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Feb 15 17:36:36 2015 +
URL:
http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=a6c696a9

Fix domain_mmap_low() to be a proper tunable.

---
 policy/modules/kernel/domain.if | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
index b900767..3420b3a 100644
--- a/policy/modules/kernel/domain.if
+++ b/policy/modules/kernel/domain.if
@@ -1434,14 +1434,13 @@ interface(`domain_entry_file_spec_domtrans',`
 interface(`domain_mmap_low',`
gen_require(`
attribute mmap_low_domain_type;
-   bool mmap_low_allowed;
')
 
typeattribute $1 mmap_low_domain_type;
 
-   if ( mmap_low_allowed ) {
+   tunable_policy(`mmap_low_allowed',`
allow $1 self:memprotect mmap_zero;
-   }
+   ')
 ')
 
 
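Review bot: Dropping the `bool mmap_low_allowed;` require and switching to `tunable_policy(`mmap_low_allowed',`` is the right fix, but nothing in the hunk says why the rule is gated at all; a comment above the tunable_policy block would help: `# mmap_zero lets the domain map pages below mmap_min_addr; it is gated because such mappings weaken the kernel's NULL-dereference hardening, so enable the tunable only for domains that genuinely need it.` The tunable must now be declared with gen_tunable in domain.te, which is outside this hunk; confirm that declaration exists since the require line that previously named the bool is gone.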



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/kernel/

2015-02-24 Thread Jason Zaman
commit: b715e919f47327b139754f16e514d03ae3a46bb1
Author: Sven Vermeulen  siphos  be>
AuthorDate: Sun Feb 15 18:34:07 2015 +
Commit: Jason Zaman  gentoo  org>
CommitDate: Sun Feb 15 18:34:07 2015 +
URL:
http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=b715e919

Fix bug #535986 - Mark configfs_t as file type/mount point

---
 policy/modules/kernel/filesystem.te | 5 +
 1 file changed, 5 insertions(+)

diff --git a/policy/modules/kernel/filesystem.te 
b/policy/modules/kernel/filesystem.te
index f78adef..32ecb93 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -306,3 +306,8 @@ allow filesystem_unconfined_type filesystem_type:filesystem 
*;
 # pseudo filesystem types that are applied to both the filesystem
 # and its files.
 allow filesystem_unconfined_type filesystem_type:{ dir file lnk_file sock_file 
fifo_file chr_file blk_file } *;
+
+ifdef(`distro_gentoo',`
+   # Fix bug 535986 - Mark configfs_t as file type (and mountpoint 
probably as well)
+   files_mountpoint(configfs_t)
+')
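Review bot: The added comment still hedges ("probably as well") about whether configfs_t should be a mount point, so the policy records a doubt rather than a decision; files_mountpoint() both applies the generic file type attributes (via files_type()) and adds the mountpoint attribute, so the comment should say that plainly: `# Bug 535986: configfs_t is a generic file type and a mount point, so it can be mounted and reached by generic file interfaces`. It is worth one more line noting that, as a generic file type, configfs_t is now included in every interface granted on all (non-auth) file types, which widens which domains can reach a kernel configuration interface.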



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/kernel/

2015-01-24 Thread Sven Vermeulen
commit: 9ffb67cd15cbc09ab363baf3b88800c448d24cd1
Author: Sven Vermeulen  siphos  be>
AuthorDate: Sat Jan 24 19:07:30 2015 +
Commit: Sven Vermeulen  gentoo  org>
CommitDate: Sat Jan 24 19:07:30 2015 +
URL:
http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=9ffb67cd

Mark python-exec2-c as bin_t

---
 policy/modules/kernel/corecommands.fc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/kernel/corecommands.fc 
b/policy/modules/kernel/corecommands.fc
index e38e238..0c4a15b 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -421,5 +421,6 @@ ifdef(`distro_suse',`
 
 ifdef(`distro_gentoo',`
 /usr/lib/python-exec/python-exec2  --  
gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/python-exec/python-exec2-c--  
gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/python-exec/python.*/.*   --  
gen_context(system_u:object_r:bin_t,s0)
 ')



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/kernel/

2015-01-24 Thread Sven Vermeulen
commit: 28c598a37a62509d884acdb0891e7dba791e6d62
Author: Sven Vermeulen  siphos  be>
AuthorDate: Sat Jan 24 16:51:58 2015 +
Commit: Sven Vermeulen  gentoo  org>
CommitDate: Sat Jan 24 16:51:58 2015 +
URL:
http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=28c598a3

Fix bug #529420 - Allow all domains to read vm sysctls

---
 policy/modules/kernel/domain.te | 10 ++
 1 file changed, 10 insertions(+)

diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
index 3861c8e..451a1be 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -171,3 +171,13 @@ allow unconfined_domain_type domain:key *;
 
 # receive from all domains over labeled networking
 domain_all_recvfrom_all_domains(unconfined_domain_type)
+
+ifdef(`distro_gentoo',`
+   
+   #
+   # Permissions for all domains
+   #
+
+   # Bug 529420
+   kernel_read_vm_sysctls(domain)
+')
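Review bot: `kernel_read_vm_sysctls(domain)` grants every domain read access to the vm sysctls, but the only justification in the hunk is a bare bug number, so the grant cannot later be narrowed without re-reading the bug; suggest `# Bug 529420: <consumer named in the bug> reads /proc/sys/vm/*; granted to all domains rather than per domain`, filling the placeholder from the bug. The rule is read-only, so the exposure is informational (values such as vm.overcommit and vm.mmap_min_addr become readable by every confined domain), which is worth stating next to it. The line after `ifdef(`distro_gentoo',`` contains only whitespace and should be empty.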



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/kernel/, man/man8/, policy/modules/system/

2014-11-28 Thread Sven Vermeulen
commit: 6f0f885d309f3bc6165bb7d230206ea6a6572c4e
Author: Sven Vermeulen  siphos  be>
AuthorDate: Fri Nov 28 10:13:54 2014 +
Commit: Sven Vermeulen  gentoo  org>
CommitDate: Fri Nov 28 11:38:11 2014 +
URL:
http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=6f0f885d

Fix bug 529204 - Support a dhcpc_script_t domain

We introduce an executable domain (dhcpc_script_t) through which the
hooks can be executed for the DHCP clients. This domain is separate in
order to keep the privileges of the application small, but also because
this domain will execute commands that are not in the responsibility of
the DHCP client code itself (code-wise) but are provided by
administrators.

Security-wise, as these are scripts, it is more difficult to guarantee
correctness. As such, we want to isolate these privileges into its own
domain.

The domain will have basic privileges to support the majority of
installations, but we also include a sysnet_dhcpc_script_entry()
interface so that domain transitions can be easily added without the
need for augmenting the privileges of the dhcpc_script_t domain.

---
 man/man8/sysnetwork_selinux.8 | 110 ++
 policy/modules/kernel/corecommands.fc |   2 +-
 policy/modules/system/sysnetwork.fc   |   1 +
 policy/modules/system/sysnetwork.if   |  29 +
 policy/modules/system/sysnetwork.rst  |  91 
 policy/modules/system/sysnetwork.te   |  58 ++
 6 files changed, 290 insertions(+), 1 deletion(-)

diff --git a/man/man8/sysnetwork_selinux.8 b/man/man8/sysnetwork_selinux.8
new file mode 100644
index 000..217c020
--- /dev/null
+++ b/man/man8/sysnetwork_selinux.8
@@ -0,0 +1,110 @@
+.\" Man page generated from reStructuredText.
+.
+.TH SYSNETWORK_SELINUX 8 "2014-11-28" "" "SELinux"
+.SH NAME
+sysnetwork_selinux \- SELinux policy module for system networking
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.SH DESCRIPTION
+.sp
+The \fBsysnetwork\fP SELinux module supports the following core networking
+domains: DHCP client and ifconfig.
+.SS DHCP Client
+.sp
+The DHCP client policy works around the \fIdhcpc_t\fP domain. It is usually
+executed from within an init script, and interacts with the network subsystems
+in the Linux kernel in order to obtain an IP address and manage the network
+configuration of the system.
+.sp
+Some DHCP clients also have the ability to call additional scripts when an IP
+address is obtained (or released), allowing administrators to automate certain
+tasks on the system further. Within the SELinux policy, we (Gentoo) try to
+handle the hooks through the \fIdhcp_script_t\fP domain.
+.SS Ifconfig
+.sp
+The \fIifconfig\fP command (and associated \fIifconfig_t\fP domain) is used to 
manually
+set the IP address and other network configurations of the system.
+.SH BOOLEANS
+.sp
+No booleans are managed through this module.
+.SH DOMAINS
+.INDENT 0.0
+.TP
+.B dhcpc_t
+The main domain for the DHCP client
+.TP
+.B dhcpc_script_t
+The domain in which the hooks (pre\- and post processing of DHCP operations)
+run
+.TP
+.B ifconfig_t
+The domain for manual IP address handling (for instance through the
+\fIifconfig\fP or \fIip\fP commands)
+.UNINDENT
+.SH POLICY
+.sp
+The following interfaces can be used to enhance the default policy with
+sysnetwork\-related provileges. More details on these interfaces can be found 
in the
+interface HTML documentation, we will not list all available interfaces here.
+.SS Domain interaction
+.sp
+The most interesting definition in the policy is the 
\fBsysnet_dhcpc_script_entry\fP
+interface. It allows for the DHCP script domain (\fIdhcpc_script_t\fP) to
+execute a particular type (second argument) and transition to a given domain
+(first argument).
+.sp
+For instance, to allow a DHCP hook to execute any portage commands:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+sysnet_dhcpc_script_entry(portage_t, portage_exec_t)
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+It is generally preferred to transition a DHCP hook script as fast as possible
+to a specific domain rather than enhancing the \fIdhcpc_script_t\fP domain with
+additional privileges.
+.SH BUGS
+.sp
+No specific bugs known.
+.SH SEE ALSO
+.INDENT 0.0
+.IP \(bu 2
+Gentoo and SELinux at \fI\%https://wiki.gentoo.org/wiki/SELinux\fP
+.IP \(bu 2
+Gentoo Hardened SELinux

[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/kernel/, policy/modules/system/

2014-11-28 Thread Sven Vermeulen
commit: c1d8aae88e48692c2777032706464c7a2be256cd
Author: Sven Vermeulen  siphos  be>
AuthorDate: Fri Nov 28 10:13:54 2014 +
Commit: Sven Vermeulen  gentoo  org>
CommitDate: Fri Nov 28 11:24:08 2014 +
URL:
http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=c1d8aae8

Fix bug 529204 - Support a dhcpc_script_t domain

We introduce an executable domain (dhcpc_script_t) through which the
hooks can be executed for the DHCP clients. This domain is separate in
order to keep the privileges of the application small, but also because
this domain will execute commands that are not in the responsibility of
the DHCP client code itself (code-wise) but are provided by
administrators.

Security-wise, as these are scripts, it is more difficult to guarantee
correctness. As such, we want to isolate these privileges into its own
domain.

The domain will have basic privileges to support the majority of
installations, but we also include a sysnet_dhcpc_script_entry()
interface so that domain transitions can be easily added without the
need for augmenting the privileges of the dhcpc_script_t domain.

---
 policy/modules/kernel/corecommands.fc |  2 +-
 policy/modules/system/sysnetwork.fc   |  1 +
 policy/modules/system/sysnetwork.if   | 29 ++
 policy/modules/system/sysnetwork.te   | 58 +++
 4 files changed, 89 insertions(+), 1 deletion(-)

diff --git a/policy/modules/kernel/corecommands.fc 
b/policy/modules/kernel/corecommands.fc
index 406a11e..40fd54b 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -143,7 +143,7 @@ ifdef(`distro_debian',`
 /lib/upstart(/.*)? gen_context(system_u:object_r:bin_t,s0)
 
 ifdef(`distro_gentoo',`
-/lib/dhcpcd/dhcpcd-run-hooks   --  gen_context(system_u:object_r:bin_t,s0)
+#/lib/dhcpcd/dhcpcd-run-hooks  --  gen_context(system_u:object_r:bin_t,s0)
 
 /lib/rcscripts/addons(/.*)?gen_context(system_u:object_r:bin_t,s0)
 /lib/rcscripts/sh(/.*)?
gen_context(system_u:object_r:bin_t,s0)
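Review bot: The old `/lib/dhcpcd/dhcpcd-run-hooks` file context is commented out rather than removed, leaving a dead entry in corecommands.fc now that the path is labelled dhcpc_script_exec_t in sysnetwork.fc; delete the line instead of keeping `#/lib/dhcpcd/dhcpcd-run-hooks  --  gen_context(system_u:object_r:bin_t,s0)`. The same commented-out line appears in the corecommands.fc hunks of commits 14d4ab23 and 39547652. The enclosing `ifdef(`distro_gentoo',`` block continues outside the hunk.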

diff --git a/policy/modules/system/sysnetwork.fc 
b/policy/modules/system/sysnetwork.fc
index a809d61..d9b674e 100644
--- a/policy/modules/system/sysnetwork.fc
+++ b/policy/modules/system/sysnetwork.fc
@@ -81,6 +81,7 @@ ifdef(`distro_debian',`
 ')
 
 ifdef(`distro_gentoo',`
+/lib/dhcpcd/dhcpcd-run-hooks   --  
gen_context(system_u:object_r:dhcpc_script_exec_t,s0)
 /var/run/dhcpcd\.sock  -s  
gen_context(system_u:object_r:dhcpc_var_run_t,s0)
 /var/run/dhcpcd\.unpriv\.sock  -s  
gen_context(system_u:object_r:dhcpc_var_run_t,s0)
 ')

diff --git a/policy/modules/system/sysnetwork.if 
b/policy/modules/system/sysnetwork.if
index 2cea692..86313b6 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -796,3 +796,32 @@ interface(`sysnet_use_portmap',`
 
sysnet_read_config($1)
 ')
+
+# This should be after an ifdef distro_gentoo but that is not allowed in an if 
file
+
+
+## 
+## Make the specified program domain
+## accessable from the DHCP hooks/scripts.
+## 
+## 
+## 
+## The type of the process to transition to.
+## 
+## 
+## 
+## 
+## The type of the file used as an entrypoint to this domain.
+## 
+## 
+#
+interface(`sysnet_dhcpc_script_entry',`
+   gen_require(`
+   type dhcpc_script_t;
+   attribute_role dhcpc_roles;
+   ')
+
+   role dhcpc_roles types $1;
+
+   domtrans_pattern(dhcpc_script_t, $2, $1)
+')
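Review bot: Typo in the interface summary: `accessable` should be `accessible`. The description also omits the role side effect on the new side: `role dhcpc_roles types $1;` adds $1 to every role in dhcpc_roles, so callers of sysnet_dhcpc_script_entry() grant the transition target to all DHCP-client roles, not only a domtrans; suggest `## Make the specified program domain reachable from the DHCP hook scripts (dhcpc_script_t) via a domain transition on the given entrypoint type, and allow the dhcpc roles to enter it.` Since the comment at the top of the hunk says dhcpc_script_t exists only under distro_gentoo, the description should presumably also state that the interface is Gentoo-only, as the gen_require will not resolve elsewhere.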

diff --git a/policy/modules/system/sysnetwork.te 
b/policy/modules/system/sysnetwork.te
index 3576536..1dd0817 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -422,4 +422,62 @@ ifdef(`distro_gentoo',`
optional_policy(`
resolvconf_client_domain(dhcpc_t)
')
+
+   #
+   #
+   # dhcpc_script_t
+   #
+
+   # The purpose of the dhcpc_script_t domain is to handle the 
post-processing of 
+   # the dhcpcd ip renewal. dhcpcd (the tool) supports hooks for this, and 
I would
+   # assume others do as well. With the dhcpc_script_t domain we can 
isolate the
+   # privileges of the DHCP client itself from the hooks / flexibility 
that the developers
+   # introduced.
+
+   type dhcpc_script_t;
+   domain_type(dhcpc_script_t)
+   role dhcpc_roles types dhcpc_script_t;
+
+   type dhcpc_script_exec_t;
+   domain_entry_file(dhcpc_script_t, dhcpc_script_exec_t)
+
+   type dhcpc_script_tmp_t;
+   files_tmp_file(dhcpc_script_tmp_t)
+
+   
+   #
+   # dhcpc script policy
+   #
+
+   allow dhcpc_script_t self:fifo_file rw_fifo_file_perms;
+
+   manage_files_pattern(dhcpc_script_t, dhcpc_script_tmp_t, 
dhcpc_script_tmp_t)
+   fi

[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/kernel/, policy/modules/system/

2014-11-28 Thread Sven Vermeulen
commit: 14d4ab23ddd8ab4d3d294aff25caa09298623448
Author: Sven Vermeulen  siphos  be>
AuthorDate: Fri Nov 28 10:13:54 2014 +
Commit: Sven Vermeulen  gentoo  org>
CommitDate: Fri Nov 28 11:15:23 2014 +
URL:
http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=14d4ab23

Fix bug 529204 - Support a dhcpc_script_t domain

We introduce an executable domain (dhcpc_script_t) through which the
hooks can be executed for the DHCP clients. This domain is separate in
order to keep the privileges of the application small, but also because
this domain will execute commands that are not in the responsibility of
the DHCP client code itself (code-wise) but are provided by
administrators.

Security-wise, as these are scripts, it is more difficult to guarantee
correctness. As such, we want to isolate these privileges into its own
domain.

The domain will have basic privileges to support the majority of
installations, but we also include a sysnet_dhcpc_script_entry()
interface so that domain transitions can be easily added without the
need for augmenting the privileges of the dhcpc_script_t domain.

---
 policy/modules/kernel/corecommands.fc |  2 +-
 policy/modules/system/sysnetwork.fc   |  1 +
 policy/modules/system/sysnetwork.te   | 46 +++
 3 files changed, 48 insertions(+), 1 deletion(-)

diff --git a/policy/modules/kernel/corecommands.fc 
b/policy/modules/kernel/corecommands.fc
index 406a11e..40fd54b 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -143,7 +143,7 @@ ifdef(`distro_debian',`
 /lib/upstart(/.*)? gen_context(system_u:object_r:bin_t,s0)
 
 ifdef(`distro_gentoo',`
-/lib/dhcpcd/dhcpcd-run-hooks   --  gen_context(system_u:object_r:bin_t,s0)
+#/lib/dhcpcd/dhcpcd-run-hooks  --  gen_context(system_u:object_r:bin_t,s0)
 
 /lib/rcscripts/addons(/.*)?gen_context(system_u:object_r:bin_t,s0)
 /lib/rcscripts/sh(/.*)?
gen_context(system_u:object_r:bin_t,s0)

diff --git a/policy/modules/system/sysnetwork.fc 
b/policy/modules/system/sysnetwork.fc
index a809d61..d9b674e 100644
--- a/policy/modules/system/sysnetwork.fc
+++ b/policy/modules/system/sysnetwork.fc
@@ -81,6 +81,7 @@ ifdef(`distro_debian',`
 ')
 
 ifdef(`distro_gentoo',`
+/lib/dhcpcd/dhcpcd-run-hooks   --  
gen_context(system_u:object_r:dhcpc_script_exec_t,s0)
 /var/run/dhcpcd\.sock  -s  
gen_context(system_u:object_r:dhcpc_var_run_t,s0)
 /var/run/dhcpcd\.unpriv\.sock  -s  
gen_context(system_u:object_r:dhcpc_var_run_t,s0)
 ')

diff --git a/policy/modules/system/sysnetwork.te 
b/policy/modules/system/sysnetwork.te
index 3576536..8adbcfa 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -422,4 +422,50 @@ ifdef(`distro_gentoo',`
optional_policy(`
resolvconf_client_domain(dhcpc_t)
')
+
+   #
+   #
+   # dhcpc_script_t
+   #
+
+   # The purpose of the dhcpc_script_t domain is to handle the 
post-processing of 
+   # the dhcpcd ip renewal. dhcpcd (the tool) supports hooks for this, and 
I would
+   # assume others do as well. With the dhcpc_script_t domain we can 
isolate the
+   # privileges of the DHCP client itself from the hooks / flexibility 
that the developers
+   # introduced.
+
+   type dhcpc_script_t;
+   domain_type(dhcpc_script_t)
+   role dhcpc_roles types dhcpc_script_t;
+
+   type dhcpc_script_exec_t;
+   domain_entry_file(dhcpc_script_t, dhcpc_script_exec_t)
+
+   type dhcpc_script_tmp_t;
+   files_tmp_file(dhcpc_script_tmp_t)
+
+   
+   #
+   # dhcpc script policy
+   #
+
+   allow dhcpc_script_t self:fifo_file rw_fifo_file_perms;
+
+   manage_files_pattern(dhcpc_script_t, dhcpc_script_tmp_t, 
dhcpc_script_tmp_t)
+   files_tmp_filetrans(dhcpc_script_t, dhcpc_script_tmp_t, { file dir })
+
+   manage_files_pattern(dhcpc_script_t, dhcpc_var_run_t, dhcpc_var_run_t)
+   files_pid_filetrans(dhcpc_script_t, dhcpc_var_run_t, { file dir })
+
+   corecmd_exec_bin(dhcpc_script_t)
+   corecmd_exec_shell(dhcpc_script_t)
+
+   # Perhaps sysnet_domtrans_dhcpc_script could be used instead and 
positioned in the dhcpc_t section
+   domtrans_pattern(dhcpc_t, dhcpc_script_exec_t, dhcpc_script_t)
+
+   sysnet_manage_config(dhcpc_script_t)
+
+   optional_policy(`
+   ntp_manage_config(dhcpc_script_t)
+   ')
 ')
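Review bot: The introductory comment block ("I would assume others do as well") and the `# Perhaps sysnet_domtrans_dhcpc_script could be used instead ...` line carry unresolved deliberation into the policy rather than a decision; reword the block to what is known, e.g. `# dhcpc_script_t runs the DHCP client's lease hooks (dhcpcd-run-hooks) so that the hooks' privileges (config rewrite, shell and bin execution) are kept out of dhcpc_t.`, and either resolve the domtrans question or mark it `# TODO:` so it is found later. The blank line after files_tmp_file() and the first comment line carry trailing whitespace. The same comments and whitespace appear in the sysnetwork.te hunk of commit 39547652 and in the truncated one of commit c1d8aae8. The enclosing `ifdef(`distro_gentoo',`` block starts outside the hunk.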



[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/kernel/, policy/modules/system/

2014-11-28 Thread Sven Vermeulen
commit: 39547652cd07ae3611419261d255128aa1f436e8
Author: Sven Vermeulen  siphos  be>
AuthorDate: Fri Nov 28 10:13:54 2014 +
Commit: Sven Vermeulen  gentoo  org>
CommitDate: Fri Nov 28 10:22:30 2014 +
URL:
http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=39547652

Fix bug 529204 - Support a dhcpc_script_t domain

We introduce an executable domain (dhcpc_script_t) through which the
hooks can be executed for the DHCP clients. This domain is separate in
order to keep the privileges of the application small, but also because
this domain will execute commands that are not in the responsibility of
the DHCP client code itself (code-wise) but are provided by
administrators.

Security-wise, as these are scripts, it is more difficult to guarantee
correctness. As such, we want to isolate these privileges into its own
domain.

The domain will have basic privileges to support the majority of
installations, but we also include a sysnet_dhcpc_script_entry()
interface so that domain transitions can be easily added without the
need for augmenting the privileges of the dhcpc_script_t domain.

---
 policy/modules/kernel/corecommands.fc |  2 +-
 policy/modules/system/sysnetwork.fc   |  3 +++
 policy/modules/system/sysnetwork.te   | 32 
 3 files changed, 36 insertions(+), 1 deletion(-)

diff --git a/policy/modules/kernel/corecommands.fc 
b/policy/modules/kernel/corecommands.fc
index 406a11e..40fd54b 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -143,7 +143,7 @@ ifdef(`distro_debian',`
 /lib/upstart(/.*)? gen_context(system_u:object_r:bin_t,s0)
 
 ifdef(`distro_gentoo',`
-/lib/dhcpcd/dhcpcd-run-hooks   --  gen_context(system_u:object_r:bin_t,s0)
+#/lib/dhcpcd/dhcpcd-run-hooks  --  gen_context(system_u:object_r:bin_t,s0)
 
 /lib/rcscripts/addons(/.*)?gen_context(system_u:object_r:bin_t,s0)
 /lib/rcscripts/sh(/.*)?
gen_context(system_u:object_r:bin_t,s0)

diff --git a/policy/modules/system/sysnetwork.fc 
b/policy/modules/system/sysnetwork.fc
index fbb935c..b1c6404 100644
--- a/policy/modules/system/sysnetwork.fc
+++ b/policy/modules/system/sysnetwork.fc
@@ -80,3 +80,6 @@ ifdef(`distro_debian',`
 /var/run/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
 ')
 
+ifdef(`distro_gentoo',`
+/lib/dhcpcd/dhcpcd-run-hooks   --  
gen_context(system_u:object_r:dhcpc_script_exec_t,s0)
+')

diff --git a/policy/modules/system/sysnetwork.te 
b/policy/modules/system/sysnetwork.te
index 3576536..fad8fce 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -422,4 +422,36 @@ ifdef(`distro_gentoo',`
optional_policy(`
resolvconf_client_domain(dhcpc_t)
')
+
+   #
+   #
+   # dhcpc_script_t
+   #
+
+   # The purpose of the dhcpc_script_t domain is to handle the 
post-processing of 
+   # the dhcpcd ip renewal. dhcpcd (the tool) supports hooks for this, and 
I would
+   # assume others do as well. With the dhcpc_script_t domain we can 
isolate the
+   # privileges of the DHCP client itself from the hooks / flexibility 
that the developers
+   # introduced.
+
+   type dhcpc_script_t;
+   domain_type(dhcpc_script_t)
+   role dhcpc_roles types dhcpc_script_t;
+
+   type dhcpc_script_exec_t;
+   domain_entry_file(dhcpc_script_t, dhcpc_script_exec_t)
+
+   type dhcpc_script_tmp_t;
+   files_tmp_file(dhcpc_script_tmp_t)
+
+   
+   #
+   # dhcpc script policy
+   #
+
+   manage_files_pattern(dhcpc_script_t, dhcpc_script_tmp_t, 
dhcpc_script_tmp_t)
+   files_tmp_filetrans(dhcpc_script_t, dhcpc_script_tmp_t, { file dir })
+
+   corecmd_exec_bin(dhcpc_script_t)
+   corecmd_exec_shell(dhcpc_script_t)
 ')