[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/kernel/, policy/modules/system/
commit: df80c8bf3a5c5e581370d75bf6ea5154a8b02b0b Author: Jason Zaman perfinion com> AuthorDate: Sun Sep 10 13:00:36 2017 + Commit: Jason Zaman gentoo org> CommitDate: Sun Sep 10 13:00:36 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=df80c8bf Allow sysadm to map all non auth files policy/modules/kernel/files.if | 20 policy/modules/system/userdomain.if | 1 + 2 files changed, 21 insertions(+) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index f2b76f86..35dcfe7b 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -1474,6 +1474,26 @@ interface(`files_manage_non_auth_files',` ## +## Mmap non-authentication related +## files. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`files_map_non_auth_files',` + gen_require(` + attribute non_auth_file_type; + ') + + allow $1 non_auth_file_type:file map; +') + + +## ## Relabel all non-authentication related ## files. ## diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index 84e9c57e..16789a3c 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -1256,6 +1256,7 @@ template(`userdom_admin_user_template',` auth_getattr_shadow($1_t) # Manage almost all files files_manage_non_auth_files($1_t) + files_map_non_auth_files($1_t) # Relabel almost all files files_relabel_non_auth_files($1_t)
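Review bot: The summary of the new `files_map_non_auth_files` interface only says "Mmap non-authentication related files", but the rule `allow $1 non_auth_file_type:file map;` covers every type carrying that attribute, so the doc should state the exclusion that gives the interface its name, e.g. `## Mmap all non-authentication related files (authentication types such as shadow_t, handled separately via auth_* interfaces, are not covered).` It is also worth a word that `map` is granted on the `file` class only, consistent with the sibling `files_*_non_auth_files` interfaces, since a caller expecting to mmap device nodes or sockets will still be denied. The `userdom_admin_user_template` body that now calls it begins and ends outside the hunk.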
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/kernel/
commit: f17aea4c3e4b4c9848d7fe4132cf8652ba3f58a6 Author: Jason Zaman perfinion com> AuthorDate: Sun Sep 10 12:49:59 2017 + Commit: Jason Zaman gentoo org> CommitDate: Sun Sep 10 12:49:59 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f17aea4c files: Allow files_*_etc_files to map files policy/modules/kernel/files.if | 3 +++ 1 file changed, 3 insertions(+) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index 7a15f1dd..f2b76f86 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -2920,6 +2920,7 @@ interface(`files_read_etc_files',` ') allow $1 etc_t:dir list_dir_perms; + allow $1 etc_t:file map; read_files_pattern($1, etc_t, etc_t) read_lnk_files_pattern($1, etc_t, etc_t) ') @@ -2959,6 +2960,7 @@ interface(`files_rw_etc_files',` ') allow $1 etc_t:dir list_dir_perms; + allow $1 etc_t:file map; rw_files_pattern($1, etc_t, etc_t) read_lnk_files_pattern($1, etc_t, etc_t) ') @@ -2980,6 +2982,7 @@ interface(`files_manage_etc_files',` type etc_t; ') + allow $1 etc_t:file map; manage_files_pattern($1, etc_t, etc_t) read_lnk_files_pattern($1, etc_t, etc_t) ')
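Review bot: The placement of the new `allow $1 etc_t:file map;` is inconsistent across the three hunks: in `files_read_etc_files` and `files_rw_etc_files` it follows the `etc_t:dir list_dir_perms` rule, while in `files_manage_etc_files` it precedes `manage_files_pattern`; keep one position so the next permission added to these interfaces has an obvious home. More importantly, `files_read_etc_files` is called from a very large number of domains, so all of them now receive `map` on `etc_t`, and nothing in the hunk records what actually mmaps /etc files; a one-line comment above the rule such as `# map: needed by callers that mmap() /etc configuration files instead of read()ing them` would let a later reviewer judge whether the grant belongs in the read interface or in a separate `files_map_etc_files`.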
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/kernel/
commit: 1a61c661fe20b6990ecb37c4a3c7ab2f9c9f5f3c Author: Guido Trentalancia trentalancia net> AuthorDate: Sun Dec 18 20:58:44 2016 + Commit: Jason Zaman gentoo org> CommitDate: Sun Jan 1 16:26:28 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1a61c661 kernel: missing permissions for confined execution This patch adds missing permissions in the kernel module that prevent to run it without the unconfined module. This second version improves the comment section of new interfaces: "Domain" is replaced by "Domain allowed access". Signed-off-by: Guido Trentalancia trentalancia.net> policy/modules/kernel/devices.if| 56 +++ policy/modules/kernel/files.if | 131 policy/modules/kernel/filesystem.if | 18 + policy/modules/kernel/kernel.if | 18 + policy/modules/kernel/kernel.te | 34 ++ policy/modules/kernel/terminal.if | 20 ++ 6 files changed, 277 insertions(+) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if index 3f05417..7d99b29 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -480,6 +480,25 @@ interface(`dev_dontaudit_getattr_generic_blk_files',` ## +## Set the attributes on generic +## block devices. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_setattr_generic_blk_files',` + gen_require(` + type device_t; + ') + + allow $1 device_t:blk_file setattr; +') + + +## ## Dontaudit setattr on generic block devices. ## ## @@ -570,6 +589,25 @@ interface(`dev_dontaudit_getattr_generic_chr_files',` ## +## Set the attributes for generic +## character device files. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_setattr_generic_chr_files',` + gen_require(` + type device_t; + ') + + allow $1 device_t:chr_file setattr; +') + + +## ## Dontaudit setattr for generic character device files. ## ## 
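Review bot: `dev_setattr_generic_blk_files` and `dev_setattr_generic_chr_files` grant `setattr` on every node still labeled `device_t`, i.e. device nodes the policy has not given a private type, and their summaries do not say so; spell it out so the interface is not used as a shortcut instead of labeling the device, e.g. `## Set the attributes on generic block devices (nodes still labeled device_t, not covered by a more specific dev_* type).` The same wording fits the `chr_file` variant. Both hunks otherwise match the style of the neighbouring `dev_dontaudit_getattr_generic_*` interfaces.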
@@ -3897,6 +3935,24 @@ interface(`dev_manage_smartcard',` ## +## Mount a filesystem on sysfs. +## +## +## +## Domain allow access. +## +## +# +interface(`dev_mounton_sysfs',` + gen_require(` + type device_t; + ') + + allow $1 sysfs_t:dir mounton; +') + + +## ## Associate a file to a sysfs filesystem. ## ## diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index 3fc0487..b5eeaf8 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -1786,6 +1786,25 @@ interface(`files_list_root',` ## +## Delete symbolic links in the +## root directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_delete_root_symlinks',` + gen_require(` + type root_t; + ') + + allow $1 root_t:lnk_file delete_lnk_file_perms; +') + + +## ## Do not audit attempts to write to / dirs. ## ## @@ -1914,6 +1933,25 @@ interface(`files_dontaudit_rw_root_chr_files',` ## +## Delete character device nodes in +## the root directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_delete_root_chr_files',` + gen_require(` + type root_t; + ') + + allow $1 root_t:chr_file delete_chr_file_perms; +') + + +## ## Delete files in the root directory. ## ## @@ -1932,6 +1970,24 @@ interface(`files_delete_root_files',` ## +## Execute files in the root directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_exec_root_files',` + gen_require(` + type root_t; + ') + + allow $1 root_t:file exec_file_perms; +') + + +## ## Remove entries from the root directory. ## ## @@ -1950,6 +2006,43 @@ interface(`files_delete_root_dir_entry',` ## +## Manage the root directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_manage_root_dir',` + gen_require(` + type root_t; + ') + + allow $1 root_t:dir manage_dir_perms; +') + + +## +## Get the attributes of a rootfs +## file system. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_getat
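Review bot: `dev_mounton_sysfs` requires `type device_t;` but the only rule it emits is `allow $1 sysfs_t:dir mounton;`, so the `gen_require` names the wrong type and the interface compiles only because `sysfs_t` happens to be in scope at the call site; change it to `type sysfs_t;`. The parameter description also reads `Domain allow access.` while the commit message says the new interfaces were normalized to `Domain allowed access.`, so this one was missed.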
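Review bot: `files_exec_root_files` grants `exec_file_perms` on `root_t:file` (executables sitting directly in `/`) and `files_manage_root_dir` grants `manage_dir_perms` on `/` itself, and neither summary says who legitimately needs such access; both are strong enough that the doc should steer ordinary callers away, e.g. `## Execute files in the root directory. Intended for early-boot/kernel domains; daemons should not need this.` The consumer is presumably the `kernel.te` change listed in the diffstat, which is outside this chunk, so confirm the wording against it. The last interface in the hunk, `files_getat...`, is cut off at the end of the chunk and is not reviewed here.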
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/kernel/, policy/modules/services/, policy/modules/system/
commit: eaa1a1b1454ce8ae38f2d84774b3047e9203efd9 Author: Chris PeBenito tresys com> AuthorDate: Tue Oct 20 18:33:56 2015 + Commit: Jason Zaman gentoo org> CommitDate: Mon Oct 26 03:54:24 2015 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=eaa1a1b1 Add systemd units for core refpolicy services. Only for services that already have a named init script. Add rules to init_startstop_service(), with conditional arg until all of refpolicy-contrib callers are updated. policy/modules/kernel/files.if| 18 ++ policy/modules/services/postgresql.if | 4 ++-- policy/modules/services/postgresql.te | 3 +++ policy/modules/system/init.if | 17 + policy/modules/system/init.te | 3 +++ policy/modules/system/ipsec.if| 3 ++- policy/modules/system/ipsec.te| 3 +++ policy/modules/system/iptables.fc | 5 + policy/modules/system/iptables.if | 4 ++-- policy/modules/system/iptables.te | 3 +++ policy/modules/system/logging.fc | 2 ++ policy/modules/system/logging.if | 8 policy/modules/system/logging.te | 6 ++ policy/modules/system/lvm.fc | 6 ++ policy/modules/system/lvm.if | 4 ++-- policy/modules/system/lvm.te | 3 +++ policy/modules/system/setrans.if | 4 ++-- policy/modules/system/setrans.te | 3 +++ 18 files changed, 86 insertions(+), 13 deletions(-) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index cbb8afe..20acc0e 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -2892,6 +2892,24 @@ interface(`files_exec_etc_files',` exec_files_pattern($1, etc_t, etc_t) ') + +## +## Get etc_t service status. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_get_etc_unit_status',` + gen_require(` + type etc_t; + ') + + allow $1 etc_t:service status; +') + ### ## ## Relabel from and to generic files in /etc. diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if index 11526b6..32e5d06 100644 --- a/policy/modules/services/postgresql.if 
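Review bot: `files_get_etc_unit_status` grants `status` on `etc_t:service`, which is every systemd unit whose file has been left with the generic `etc_t` label rather than a private `*_unit_t`, and the summary `Get etc_t service status.` does not convey that; suggest `## Get the status of systemd units whose unit files carry the generic etc_t label (units without a private unit type).` A comment that this intentionally grants only `status`, not `start`/`stop`, which `init_startstop_service` handles for units with a private type, would also help readers.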
+++ b/policy/modules/services/postgresql.if @@ -587,7 +587,7 @@ interface(`postgresql_admin',` type postgresql_t, postgresql_var_run_t; type postgresql_tmp_t, postgresql_db_t; type postgresql_etc_t, postgresql_log_t; - type postgresql_initrc_exec_t; + type postgresql_initrc_exec_t, postgresql_unit_t; ') typeattribute $1 sepgsql_admin_type; @@ -595,7 +595,7 @@ interface(`postgresql_admin',` allow $1 postgresql_t:process { ptrace signal_perms }; ps_process_pattern($1, postgresql_t) - init_startstop_service($1, $2, postgresql_t, postgresql_initrc_exec_t) + init_startstop_service($1, $2, postgresql_t, postgresql_initrc_exec_t, postgresql_unit_t) admin_pattern($1, postgresql_var_run_t) diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te index b4ba0f1..6844c35 100644 --- a/policy/modules/services/postgresql.te +++ b/policy/modules/services/postgresql.te @@ -61,6 +61,9 @@ logging_log_file(postgresql_log_t) type postgresql_tmp_t; files_tmp_file(postgresql_tmp_t) +type postgresql_unit_t; +init_unit_file(postgresql_unit_t) + type postgresql_var_run_t; files_pid_file(postgresql_var_run_t) init_daemon_pid_file(postgresql_var_run_t, dir, "postgresql") diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if index 192508f..cfe4bd4 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -1392,6 +1392,11 @@ interface(`init_all_labeled_script_domtrans',` ## Labeled init script file. ## ## +## +## +## Systemd unit file type. +## +## # interface(`init_startstop_service',` gen_require(` @@ -1409,6 +1414,18 @@ interface(`init_startstop_service',` role_transition $2 $4 system_r; allow $2 system_r; ') + + ifdef(`init_systemd',` + # This ifelse condition is temporary, until + # all callers are updated to provide unit files. + ifelse(`$5',`',`',` + gen_require(` + class service { start stop }; + ') + + allow $1 $5:service { start stop }; + ') + ') ') ') 
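Review bot: The new `allow $1 $5:service { start stop };` in `init_startstop_service` gives the admin start and stop on the unit but not `status`, although this same commit adds `files_get_etc_unit_status` for the generic-label case and `postgresql_admin` now passes `postgresql_unit_t`, so `systemctl status` on the unit would presumably still be denied to the admin; if that is the expected workflow, `{ start stop status }` is the consistent grant — confirm against the `init_unit_file` rules in `init.te`, which are cut off at the end of this chunk. The description of the new fifth parameter, `Systemd unit file type.`, should also say it is optional, since the `ifelse(`$5',`',`',`...')` branch exists precisely so callers can omit it, e.g. `Systemd unit file type (optional; omit for services without a unit file).`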
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index 916b895..79400f2 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -746,6 +746,9 @@ ifdef(`init_s
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/kernel/, policy/modules/system/
commit: d92bdf260887935367802afbbaf25d399c020cd5 Author: Chris PeBenito tresys com> AuthorDate: Fri Oct 23 14:16:59 2015 + Commit: Jason Zaman gentoo org> CommitDate: Mon Oct 26 03:52:47 2015 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d92bdf26 Implement core systemd policy. Significant contributions from the Tresys CLIP team. Other changes from Laurent Bigonville. policy/modules/kernel/corecommands.fc | 2 + policy/modules/kernel/domain.te | 6 + policy/modules/kernel/files.if| 172 ++ policy/modules/kernel/filesystem.if | 73 policy/modules/kernel/kernel.if | 60 +++- policy/modules/kernel/terminal.if | 19 ++ policy/modules/system/authlogin.if| 19 ++ policy/modules/system/init.fc | 4 + policy/modules/system/init.if | 608 +- policy/modules/system/init.te | 176 +- policy/modules/system/locallogin.if | 21 ++ policy/modules/system/logging.if | 38 +++ policy/modules/system/lvm.if | 20 ++ policy/modules/system/systemd.fc | 39 +++ policy/modules/system/systemd.if | 195 +++ policy/modules/system/systemd.te | 264 +++ policy/modules/system/udev.if | 19 ++ 17 files changed, 1711 insertions(+), 24 deletions(-) diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc index f465e43..b4e192a 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -242,6 +242,8 @@ ifdef(`distro_gentoo',` /usr/lib/rpm/rpmv -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/sftp-server -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/sudo/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) +/usr/lib/systemd/system-generators(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib/systemd/user-generators(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/tumbler-1/tumblerd-- gen_context(system_u:object_r:bin_t,s0) /usr/lib/vte/gnome-pty-helper -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0) 
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te index 451a1be..6c3ef60 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -115,6 +115,12 @@ ifdef(`hide_broken_symptoms',` dontaudit domain self:udp_socket listen; ') +ifdef(`init_systemd',` + optional_policy(` + shutdown_sigchld(domain) + ') +') + tunable_policy(`global_ssp',` # enable reading of urandom for all domains: # this should be enabled when all programs diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index dd16f74..cbb8afe 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -563,6 +563,24 @@ interface(`files_manage_non_security_dirs',` ## +## Relabel from/to non-security directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_relabel_non_security_dirs',` + gen_require(` + attribute non_security_file_type; + ') + + relabel_dirs_pattern($1, non_security_file_type, non_security_file_type) +') + + +## ## Get the attributes of all files. ## ## @@ -620,6 +638,44 @@ interface(`files_dontaudit_getattr_non_security_files',` ## +## Create, read, write, and delete all non-security files. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`files_manage_non_security_files',` + gen_require(` + attribute non_security_file_type; + ') + + manage_files_pattern($1, non_security_file_type, non_security_file_type) +') + + +## +## Relabel from/to all non-security files. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`files_relabel_non_security_files',` + gen_require(` + attribute non_security_file_type; + ') + + relabel_files_pattern($1, non_security_file_type, non_security_file_type) +') + + +## ## Read all files. ## ## 
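Review bot: `files_manage_non_security_files` and `files_relabel_non_security_files` act on the `non_security_file_type` attribute, which is practically every file type in the policy except the security-critical ones, yet their summaries read like any ordinary `files_*` interface; add a sentence warning that these are for init-like domains, e.g. `## Create, read, write, and delete all non-security files. This is an extremely broad grant intended for init/systemd-like domains; prefer a type-specific interface wherever possible.` `files_relabel_non_security_dirs` in the first hunk deserves the same note.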
@@ -1948,6 +2004,24 @@ interface(`files_unmount_rootfs',` ## +## Mount on the root directory (/) +## +## +## +## Domain allowed access. +## +## +# +interface(`files_mounton_root',` + gen_require(` + type root_t; + ') + + allow $1 root_t:dir mounton; +') + + +## ## Get attributes of the /boot directory. ## ## @@ -4398,6 +4472,24 @@ interface(`
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/kernel/, policy/modules/services/, policy/modules/system/
commit: 5dece5bd67bca8c3df92c74d776119ae9af8ebc2 Author: Chris PeBenito tresys com> AuthorDate: Tue Oct 20 18:48:38 2015 + Commit: Jason Zaman gentoo org> CommitDate: Mon Oct 26 03:52:58 2015 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5dece5bd Add supporting rules for domains tightly-coupled with systemd. policy/modules/kernel/devices.if| 52 + policy/modules/kernel/kernel.te | 17 policy/modules/services/ssh.te | 5 policy/modules/system/init.te | 1 + policy/modules/system/locallogin.te | 8 ++ policy/modules/system/logging.fc| 1 + policy/modules/system/logging.te| 22 policy/modules/system/lvm.te| 6 + policy/modules/system/modutils.te | 8 ++ policy/modules/system/sysnetwork.te | 8 ++ policy/modules/system/udev.te | 12 + 11 files changed, 135 insertions(+), 5 deletions(-) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if index 835ec14..a052db5 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -143,11 +143,11 @@ interface(`dev_relabel_all_dev_nodes',` type device_t; ') - relabelfrom_dirs_pattern($1, device_t, device_node) - relabelfrom_files_pattern($1, device_t, device_node) + relabelfrom_dirs_pattern($1, device_t, { device_t device_node }) + relabelfrom_files_pattern($1, device_t, { device_t device_node }) relabelfrom_lnk_files_pattern($1, device_t, { device_t device_node }) - relabelfrom_fifo_files_pattern($1, device_t, device_node) - relabelfrom_sock_files_pattern($1, device_t, device_node) + relabelfrom_fifo_files_pattern($1, device_t, { device_t device_node }) + relabelfrom_sock_files_pattern($1, device_t, { device_t device_node }) relabel_blk_files_pattern($1, device_t, { device_t device_node }) relabel_chr_files_pattern($1, device_t, { device_t device_node }) ') @@ -709,7 +709,7 @@ interface(`dev_relabelfrom_generic_chr_files',` type device_t; ') - allow $1 device_t:chr_file relabelfrom; + allow $1 device_t:chr_file relabelfrom_chr_file_perms; ') 
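Review bot: After this change the dir/file/fifo/sock patterns in `dev_relabel_all_dev_nodes` still grant only `relabelfrom` on `{ device_t device_node }` while the `blk_file`/`chr_file` patterns grant both directions via `relabel_*_files_pattern`, so the interface name promises a full relabel that it only delivers for device nodes proper; if that asymmetry is deliberate (the non-node objects get relabelled to types owned by other modules), a comment above the first pattern should say so, e.g. `# relabelfrom only for non-device objects; their target types belong to other modules`. That rationale is inferred, so confirm it against the callers. The second hunk, widening `dev_relabelfrom_generic_chr_files` to `relabelfrom_chr_file_perms`, is consistent with the rest of the file.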
@@ -1943,6 +1943,30 @@ interface(`dev_filetrans_dri',` ## +## Automatic type transition to the type +## for event device nodes when created in /dev. +## +## +## +## Domain allowed access. +## +## +## +## +## The name of the object being created. +## +## +# +interface(`dev_filetrans_input_dev',` + gen_require(` + type device_t, event_device_t; + ') + + filetrans_pattern($1, device_t, event_device_t, chr_file, $2) +') + + +## ## Get the attributes of the event devices. ## ## @@ -2017,6 +2041,24 @@ interface(`dev_rw_input_dev',` ## +## Create, read, write, and delete input event devices (/dev/input). +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_manage_input_dev',` + gen_require(` + type device_t, event_device_t; + ') + + manage_chr_files_pattern($1, device_t, event_device_t) +') + + +## ## Get the attributes of the framebuffer device node. ## ## diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te index 14b5713..f2d5756 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -299,6 +299,23 @@ ifdef(`distro_redhat',` fs_rw_tmpfs_chr_files(kernel_t) ') +ifdef(`init_systemd',` + optional_policy(` + dev_manage_input_dev(kernel_t) + dev_filetrans_input_dev(kernel_t) + ') + + optional_policy(` + selinux_compute_create_context(kernel_t) + ') + + optional_policy(` + storage_dev_filetrans_fixed_disk(kernel_t) + storage_setattr_fixed_disk_dev(kernel_t) + storage_create_fixed_disk_dev(kernel_t) + ') +') + optional_policy(` # loop devices fstools_use_fds(kernel_t) diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te index 783d0e7..e5932aa 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te 
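Review bot: In the `kernel.te` hunk `dev_filetrans_input_dev(kernel_t)` is called with the name argument omitted, but the interface added in the same commit documents `$2` simply as `The name of the object being created.` with no indication that it may be left empty; either document it as optional, e.g. `The name of the object being created (optional).`, or pass an explicit name from `kernel.te`. Wrapping `dev_manage_input_dev`/`dev_filetrans_input_dev` in `optional_policy` also stands out, since the devices module is always present in the kernel layer — harmless, but a reader will wonder what is optional. A short comment above the `init_systemd` block saying these rules let `kernel_t` populate devtmpfs (my inference) would explain why the kernel is being granted `manage` on event devices and `create` on fixed-disk nodes.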
@@ -266,6 +266,11 @@ ifdef(`distro_debian',` allow sshd_t self:process { getcap setcap }; ') +ifdef(`init_systemd',` + systemd_dbus_chat_logind(sshd_t) + init_rw_stream_sockets(sshd_t) +') + tunable_policy(`ssh_sysadm_login',` # Relabel and access ptys created by sshd # ioctl is necessary for logout() processing for utmp entry and for w to diff --git a/policy/modules/system/init.te b/policy/modules/sy
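Review bot: `init_rw_stream_sockets(sshd_t)` under `init_systemd` lets sshd read and write init's stream sockets with no comment on why, unlike the neighbouring `ssh_sysadm_login` block which explains its rules; a one-line comment is enough, e.g. `# sd_notify() readiness/stop notification goes over init's notify socket` if that is the reason — it is my inference from the pairing with `systemd_dbus_chat_logind(sshd_t)`, so confirm it against the denial that motivated the rule. The `init.te` hunk following it is cut off at the end of the chunk.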
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/kernel/
commit: 925d12599d01cf3fa5936cd5a5d7fb669b712b0b Author: Jason Zaman perfinion com> AuthorDate: Sat Oct 10 17:03:09 2015 + Commit: Jason Zaman gentoo org> CommitDate: Sat Oct 10 17:03:09 2015 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=925d1259 Add overlayfs as an XATTR capable fs The module is called "overlay" in the kernel policy/modules/kernel/filesystem.te | 1 + 1 file changed, 1 insertion(+)
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index 840f0b2..aba6d88 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -35,6 +35,7 @@ fs_use_xattr gpfs gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr jffs2 gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr jfs gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr lustre gen_context(system_u:object_r:fs_t,s0);
+fs_use_xattr overlay gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr squashfs gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr xfs gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr zfs gen_context(system_u:object_r:fs_t,s0);
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/kernel/
commit: 50f8ca591816aac7bf881211f9b722955d59fc29 Author: Alexander Wetzel web de> AuthorDate: Sat Sep 5 07:41:48 2015 + Commit: Jason Zaman gentoo org> CommitDate: Sun Sep 20 06:52:53 2015 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=50f8ca59 adds vfio device support to base policy Signed-off-by: Alexander Wetzel web.de> policy/modules/kernel/devices.fc | 1 + policy/modules/kernel/devices.if | 36 policy/modules/kernel/devices.te | 3 +++ 3 files changed, 40 insertions(+) diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc index d6ebfcd..a33e395 100644 --- a/policy/modules/kernel/devices.fc +++ b/policy/modules/kernel/devices.fc @@ -118,6 +118,7 @@ ifdef(`distro_suse', ` /dev/usbscanner-c gen_context(system_u:object_r:scanner_device_t,s0) ') +/dev/vfio/.+ -c gen_context(system_u:object_r:vfio_device_t,s0) /dev/vhost-net -c gen_context(system_u:object_r:vhost_device_t,s0) /dev/vbi.* -c gen_context(system_u:object_r:v4l_device_t,s0) /dev/vbox.*-c gen_context(system_u:object_r:xserver_misc_device_t,s0) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if index ed25979..835ec14 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -4611,6 +4611,42 @@ interface(`dev_write_video_dev',` ## +## Read and write vfio devices. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_rw_vfio_dev',` + gen_require(` + type device_t, vfio_device_t; + ') + + rw_chr_files_pattern($1, device_t, vfio_device_t) +') + + +## +## Relabel vfio devices. +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_relabelfrom_vfio_dev',` + gen_require(` + type device_t, vfio_device_t; + ') + + relabelfrom_chr_files_pattern($1, device_t, vfio_device_t) +') + + +## ## Allow read/write the vhost net device ## ## diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te index 166c8f7..eb12597 100644 --- a/policy/modules/kernel/devices.te 
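Review bot: `dev_relabelfrom_vfio_dev` is summarized as `Relabel vfio devices.` but grants only `relabelfrom_chr_files_pattern`, so a caller that needs to relabel *to* `vfio_device_t` (udev/restorecon style) will be misled; either change the summary to `## Relabel from vfio devices.` or, if both directions are intended, use `relabel_chr_files_pattern` and rename to match. The new fc line `/dev/vfio/.+ -c` deliberately leaves the `/dev/vfio` directory itself as `device_t`, which `rw_chr_files_pattern($1, device_t, vfio_device_t)` accommodates through its search on `device_t`; a brief comment on the fc line saying the directory is intentionally generic would stop someone "fixing" it later. The `devices.te` hunk declaring `vfio_device_t` continues on the next line.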
+++ b/policy/modules/kernel/devices.te @@ -273,6 +273,9 @@ dev_node(usbmon_device_t) type userio_device_t; dev_node(userio_device_t) +type vfio_device_t; +dev_node(vfio_device_t) + type v4l_device_t; dev_node(v4l_device_t)
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/kernel/
commit: 028f1be9b96aeef997d18a421e05e4bbd2b20bbc Author: Chris PeBenito tresys com> AuthorDate: Tue Sep 15 12:39:21 2015 + Commit: Jason Zaman gentoo org> CommitDate: Sun Sep 20 06:52:53 2015 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=028f1be9 Module version bump for vfio device from Alexander Wetzel. policy/modules/kernel/devices.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index eb12597..e5bcfcd 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -1,4 +1,4 @@
-policy_module(devices, 1.17.0)
+policy_module(devices, 1.17.1)
 #
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/kernel/
commit: a979dd138209b265b8458e2ef901a61262570518 Author: Jason Zaman perfinion com> AuthorDate: Wed Aug 26 06:02:55 2015 + Commit: Jason Zaman gentoo org> CommitDate: Wed Aug 26 06:02:55 2015 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a979dd13 introduce fs_cgroup_filetrans() interface policy/modules/kernel/filesystem.if | 37 + 1 file changed, 37 insertions(+) diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if index b6b7063..4ddef7c 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -4988,3 +4988,40 @@ interface(`fs_unconfined',` typeattribute $1 filesystem_unconfined_type; ') + +# gentoo specific under here but not allowed ifdef + + +## +## Create an object in a cgroup tmpfs filesystem, with a private +## type using a type transition. +## +## +## +## Domain allowed access. +## +## +## +## +## The type of the object to be created. +## +## +## +## +## The object class of the object being created. +## +## +## +## +## The name of the object being created. +## +## +# +interface(`fs_cgroup_filetrans',` + gen_require(` + type cgroup_t; + ') + + allow $2 tmpfs_t:filesystem associate; + filetrans_pattern($1, cgroup_t, $2, $3, $4) +')
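Review bot: `fs_cgroup_filetrans` emits `allow $2 tmpfs_t:filesystem associate;` but its `gen_require` lists only `type cgroup_t;`, so the interface depends on `tmpfs_t` being in scope at the call site by accident; add `type tmpfs_t;` to the require. The comment `# gentoo specific under here but not allowed ifdef` should also say what it means, e.g. `# Gentoo-specific interfaces follow. Interface definitions cannot be wrapped in ifdef(`distro_gentoo'), so they are always defined.` Finally the summary speaks of a "cgroup tmpfs filesystem" while the transition is on `cgroup_t` and the associate on `tmpfs_t`; a sentence stating that the cgroup hierarchy is a tmpfs with `cgroup_t` mounts below it (which is what this pairing implies) would make the two rules understandable together.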
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/kernel/
commit: de1e97adf612ca76797503eb1e8b8369dc428021 Author: Sven Vermeulen siphos be> AuthorDate: Sat Jul 11 14:10:08 2015 + Commit: Jason Zaman gentoo org> CommitDate: Mon Jul 13 17:35:07 2015 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=de1e97ad Enable Ceph as a valid SELinux-enabled file system policy/modules/kernel/filesystem.te | 1 + 1 file changed, 1 insertion(+)
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index 32ecb93..840f0b2 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -22,6 +22,7 @@ sid fs gen_context(system_u:object_r:fs_t,s0)
 # Use xattrs for the following filesystem types.
 # Requires that a security xattr handler exist for the filesystem.
 fs_use_xattr btrfs gen_context(system_u:object_r:fs_t,s0);
+fs_use_xattr ceph gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr encfs gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr ext3 gen_context(system_u:object_r:fs_t,s0);
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/kernel/
commit: 2b907c6e33c8e7ada4826e2b94d699a8666eadf1 Author: Sven Vermeulen siphos be> AuthorDate: Sun Jun 7 09:17:36 2015 + Commit: Sven Vermeulen gentoo org> CommitDate: Sun Jun 7 09:17:36 2015 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2b907c6e Add dev_dontaudit_usbmon_dev interface This will allow us to hide avc denials for applications erroneously trying to read the usbmon device files. policy/modules/kernel/devices.if | 19 +++ 1 file changed, 19 insertions(+) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if index 5ab0f6e..ed25979 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -5008,3 +5008,22 @@ interface(`dev_relabel_cpu_online',` dev_search_sysfs($1) allow $1 cpu_online_t:file relabel_file_perms; ') + + +## +## Dont audit attempts to read usbmon devices +## +## +## +## Domain for which the attempts do not need to be audited +## +## +# +interface(`dev_dontaudit_read_usbmon_dev',` + gen_require(` + type usbmon_device_t; + ') + + dontaudit $1 usbmon_device_t:chr_file read_file_perms; +') +
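Review bot: The summary `Dont audit attempts to read usbmon devices` should follow the wording used elsewhere in the policy, e.g. `## Do not audit attempts to read usbmon devices.` (files.if uses `Do not audit attempts to write to / dirs.`). The rule dontaudits `read_file_perms` on `usbmon_device_t:chr_file` only; if the misbehaving applications also trip `search` denials on `/dev` before reaching the node, those will still be logged, which is presumably intended — a comment such as `# read only: directory traversal denials on /dev are still audited` avoids a later "why is this still noisy" question.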
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/kernel/, policy/
commit: cf050c09f77027dd6ae24e17e5035b617e2d682b Author: Sven Vermeulen siphos be> AuthorDate: Wed Mar 4 17:14:12 2015 + Commit: Sven Vermeulen gentoo org> CommitDate: Wed Mar 4 17:39:39 2015 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=cf050c09 Mark storage as base module All modules within the base should not depend on anything that is modular. However recently we had to allow kernel_t certain privileges which are covered not only by an interface of the storage module (which is not an issue) but also by an attribute that is managed by that module. As a result, base fails to build: $ make base Compiling mcs base module /usr/bin/checkmodule: loading policy configuration from base.conf policy/modules/kernel/kernel.te:433:ERROR 'attribute fixed_disk_raw_read is not declared' at token ';' on line 23210: typeattribute kernel_t fixed_disk_raw_read; \#line 433 /usr/bin/checkmodule: error(s) encountered while parsing configuration Rules.modular:98: recipe for target 'tmp/base.mod' failed make: *** [tmp/base.mod] Error 1 Moving storage as a base module. X-Gentoo-Bug: 535992 X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=535992 policy/modules.conf | 2 +- policy/modules/kernel/storage.if | 4 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/policy/modules.conf b/policy/modules.conf index b9b41d9..5d9eee7 100644 --- a/policy/modules.conf +++ b/policy/modules.conf @@ -2306,7 +2306,7 @@ zosremote = module # # Policy controlling access to storage devices # -storage = module +storage = base # Layer: roles # Module: auditadm diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if index 5c1be6b..8a7119d 100644 --- a/policy/modules/kernel/storage.if +++ b/policy/modules/kernel/storage.if @@ -1,4 +1,8 @@ ## Policy controlling access to storage devices +## +## This module defines attributes that are used by other +## required modules (such as kernel_t in the kernel module) +## ##
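Review bot: The new `storage.if` description says the module defines attributes used by "other required modules (such as kernel_t in the kernel module)", but `kernel_t` is a domain, not a module, and the attribute that forced the move is named in the commit message; suggest `This module defines attributes (e.g. fixed_disk_raw_read) that required base modules such as kernel depend on, so storage must itself be part of the base.` The `modules.conf` change from `module` to `base` is the actual fix and raises nothing.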
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/kernel/
commit: a6c696a96462a5b864f763abbdfae867c3410a52 Author: Chris PeBenito tresys com> AuthorDate: Mon Feb 9 21:02:36 2015 + Commit: Jason Zaman gentoo org> CommitDate: Sun Feb 15 17:36:36 2015 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=a6c696a9 Fix domain_mmap_low() to be a proper tunable. --- policy/modules/kernel/domain.if | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if index b900767..3420b3a 100644 --- a/policy/modules/kernel/domain.if +++ b/policy/modules/kernel/domain.if @@ -1434,14 +1434,13 @@ interface(`domain_entry_file_spec_domtrans',` interface(`domain_mmap_low',` gen_require(` attribute mmap_low_domain_type; - bool mmap_low_allowed; ') typeattribute $1 mmap_low_domain_type; - if ( mmap_low_allowed ) { + tunable_policy(`mmap_low_allowed',` allow $1 self:memprotect mmap_zero; - } + ') ')
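Review bot: The `tunable_policy(`mmap_low_allowed',`` form is the right way to gate `allow $1 self:memprotect mmap_zero;`, but `domain_mmap_low` still carries no comment on what is being gated or why it is off by default; suggest `# mmap_zero lets the domain map the lowest pages of its address space; gated because a mapped zero page is a classic aid to kernel NULL-pointer-dereference exploits` — the second clause is the usual rationale for this permission rather than something shown in the hunk, so confirm it matches the tunable's `gen_tunable` description. Note that `typeattribute $1 mmap_low_domain_type;` remains unconditional, so callers are marked as low-mmap domains even while the tunable is false, which is fine but worth stating in the summary.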
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/kernel/
commit: b715e919f47327b139754f16e514d03ae3a46bb1 Author: Sven Vermeulen siphos be> AuthorDate: Sun Feb 15 18:34:07 2015 + Commit: Jason Zaman gentoo org> CommitDate: Sun Feb 15 18:34:07 2015 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=b715e919 Fix bug #535986 - Mark configfs_t as file type/mount point --- policy/modules/kernel/filesystem.te | 5 + 1 file changed, 5 insertions(+)
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index f78adef..32ecb93 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -306,3 +306,8 @@ allow filesystem_unconfined_type filesystem_type:filesystem *;
 # pseudo filesystem types that are applied to both the filesystem
 # and its files.
 allow filesystem_unconfined_type filesystem_type:{ dir file lnk_file sock_file fifo_file chr_file blk_file } *;
+
+ifdef(`distro_gentoo',`
+ # Fix bug 535986 - Mark configfs_t as file type (and mountpoint probably as well)
+ files_mountpoint(configfs_t)
+')
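Review bot: The comment `# Fix bug 535986 - Mark configfs_t as file type (and mountpoint probably as well)` records a guess rather than the reason: `files_mountpoint(configfs_t)` is what makes `configfs_t` a mountable file type, so state the actual need, e.g. `# Bug 535986: configfs_t must be a file type and mount point so /sys/kernel/config can be mounted and traversed by confined domains`. Also, `files_mountpoint` presumably pulls `configfs_t` into the generic file-type attributes, so attribute-wide interfaces would now cover it — worth a word if that side effect was not intended.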
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/kernel/
commit: 9ffb67cd15cbc09ab363baf3b88800c448d24cd1 Author: Sven Vermeulen siphos be> AuthorDate: Sat Jan 24 19:07:30 2015 + Commit: Sven Vermeulen gentoo org> CommitDate: Sat Jan 24 19:07:30 2015 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=9ffb67cd Mark python-exec2-c as bin_t --- policy/modules/kernel/corecommands.fc | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc index e38e238..0c4a15b 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc @@ -421,5 +421,6 @@ ifdef(`distro_suse',` ifdef(`distro_gentoo',` /usr/lib/python-exec/python-exec2 -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/python-exec/python-exec2-c-- gen_context(system_u:object_r:bin_t,s0) /usr/lib/python-exec/python.*/.* -- gen_context(system_u:object_r:bin_t,s0) ')
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/kernel/
commit: 28c598a37a62509d884acdb0891e7dba791e6d62 Author: Sven Vermeulen siphos be> AuthorDate: Sat Jan 24 16:51:58 2015 + Commit: Sven Vermeulen gentoo org> CommitDate: Sat Jan 24 16:51:58 2015 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=28c598a3 Fix bug #529420 - Allow all domains to read vm sysctls --- policy/modules/kernel/domain.te | 10 ++ 1 file changed, 10 insertions(+) diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te index 3861c8e..451a1be 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -171,3 +171,13 @@ allow unconfined_domain_type domain:key *; # receive from all domains over labeled networking domain_all_recvfrom_all_domains(unconfined_domain_type) + +ifdef(`distro_gentoo',` + + # + # Permissions for all domains + # + + # Bug 529420 + kernel_read_vm_sysctls(domain) +')
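Review bot: `kernel_read_vm_sysctls(domain)` grants every domain read access to the vm sysctls, and the only explanation is `# Bug 529420`; a bug number will not survive a bugtracker migration, so say which consumer reads /proc/sys/vm and why it cannot be confined to its own domain, e.g. `# Bug 529420: <library/tool> reads /proc/sys/vm/* from arbitrary domains` with the actual name filled in. Because the rule is attribute-wide it should also be stated that this is read-only (`kernel_read_vm_sysctls`, not a rw interface), which is what keeps the blanket grant acceptable.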
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/kernel/, man/man8/, policy/modules/system/
commit: 6f0f885d309f3bc6165bb7d230206ea6a6572c4e Author: Sven Vermeulen siphos be> AuthorDate: Fri Nov 28 10:13:54 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Fri Nov 28 11:38:11 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=6f0f885d Fix bug 529204 - Support a dhcpc_script_t domain We introduce an executable domain (dhcpc_script_t) through which the hooks can be executed for the DHCP clients. This domain is separate in order to keep the privileges of the application small, but also because this domain will execute commands that are not in the responsibility of the DHCP client code itself (code-wise) but is provided by administrators. Security-wise, as these are scripts, it is more difficult to guarantee correctness. As such, we want to isolate these privileges into its own domain. The domain will have basic privileges to support the majority of installations, but we also include a sysnet_dhcpc_script_entry() interface so that domain transitions can be easily added without the need for augmenting the privileges of the dhcpc_script_t domain. --- man/man8/sysnetwork_selinux.8 | 110 ++ policy/modules/kernel/corecommands.fc | 2 +- policy/modules/system/sysnetwork.fc | 1 + policy/modules/system/sysnetwork.if | 29 + policy/modules/system/sysnetwork.rst | 91 policy/modules/system/sysnetwork.te | 58 ++ 6 files changed, 290 insertions(+), 1 deletion(-) diff --git a/man/man8/sysnetwork_selinux.8 b/man/man8/sysnetwork_selinux.8 new file mode 100644 index 000..217c020 --- /dev/null +++ b/man/man8/sysnetwork_selinux.8 
@@ -0,0 +1,110 @@ +.\" Man page generated from reStructuredText. +. +.TH SYSNETWORK_SELINUX 8 "2014-11-28" "" "SELinux" +.SH NAME +sysnetwork_selinux \- SELinux policy module for system networking +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.SH DESCRIPTION +.sp +The \fBsysnetwork\fP SELinux module supports the following core networking +domains: DHCP client and ifconfig. +.SS DHCP Client +.sp +The DHCP client policy works around the \fIdhcpc_t\fP domain. It is usually +executed from within an init script, and interacts with the network subsystems +in the Linux kernel in order to obtain an IP address and manage the network +configuration of the system. +.sp +Some DHCP clients also have the ability to call additional scripts when an IP +address is obtained (or released), allowing administrators to automate certain +tasks on the system further. Within the SELinux policy, we (Gentoo) try to +handle the hooks through the \fIdhcp_script_t\fP domain. +.SS Ifconfig +.sp +The \fIifconfig\fP command (and associated \fIifconfig_t\fP domain) is used to manually +set the IP address and other network configurations of the system. +.SH BOOLEANS +.sp +No booleans are managed through this module. 
+.SH DOMAINS +.INDENT 0.0 +.TP +.B dhcpc_t +The main domain for the DHCP client +.TP +.B dhcpc_script_t +The domain in which the hooks (pre\- and post processing of DHCP operations) +run +.TP +.B ifconfig_t +The domain for manual IP address handling (for instance through the +\fIifconfig\fP or \fIip\fP commands) +.UNINDENT +.SH POLICY +.sp +The following interfaces can be used to enhance the default policy with +sysnetwork\-related provileges. More details on these interfaces can be found in the +interface HTML documentation, we will not list all available interfaces here. +.SS Domain interaction +.sp +The most interesting definition in the policy is the \fBsysnet_dhcpc_script_entry\fP +interface. It allows for the DHCP script domain (\fIdhcpc_script_t\fP) to +execute a particular type (second argument) and transition to a given domain +(first argument). +.sp +For instance, to allow a DHCP hook to execute any portage commands: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +sysnet_dhcpc_script_entry(portage_t, portage_exec_t) +.ft P +.fi +.UNINDENT +.UNINDENT +.sp +It is generally preferred to transition a DHCP hook script as fast as possible +to a specific domain rather than enhancing the \fIdhcpc_script_t\fP domain with +additional privileges. +.SH BUGS +.sp +No specific bugs known. +.SH SEE ALSO +.INDENT 0.0 +.IP \(bu 2 +Gentoo and SELinux at \fI\%https://wiki.gentoo.org/wiki/SELinux\fP +.IP \(bu 2 +Gentoo Hardened SELinux
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/kernel/, policy/modules/system/
commit: c1d8aae88e48692c2777032706464c7a2be256cd Author: Sven Vermeulen siphos be> AuthorDate: Fri Nov 28 10:13:54 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Fri Nov 28 11:24:08 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=c1d8aae8 Fix bug 529204 - Support a dhcpc_script_t domain We introduce an executable domain (dhcpc_script_t) through which the hooks can be executed for the DHCP clients. This domain is separate in order to keep the privileges of the application small, but also because this domain will execute commands that are not in the responsibility of the DHCP client code itself (code-wise) but is provided by administrators. Security-wise, as these are scripts, it is more difficult to guarantee correctness. As such, we want to isolate these privileges into its own domain. The domain will have basic privileges to support the majority of installations, but we also include a sysnet_dhcpc_script_entry() interface so that domain transitions can be easily added without the need for augmenting the privileges of the dhcpc_script_t domain.
---
 policy/modules/kernel/corecommands.fc | 2 +-
 policy/modules/system/sysnetwork.fc | 1 +
 policy/modules/system/sysnetwork.if | 29 ++
 policy/modules/system/sysnetwork.te | 58 +++
 4 files changed, 89 insertions(+), 1 deletion(-)
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 406a11e..40fd54b 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -143,7 +143,7 @@ ifdef(`distro_debian',`
 /lib/upstart(/.*)? gen_context(system_u:object_r:bin_t,s0)
 ifdef(`distro_gentoo',`
-/lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:bin_t,s0)
+#/lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:bin_t,s0)
 /lib/rcscripts/addons(/.*)?gen_context(system_u:object_r:bin_t,s0)
 /lib/rcscripts/sh(/.*)? gen_context(system_u:object_r:bin_t,s0)
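Review bot: The old `bin_t` entry for `/lib/dhcpcd/dhcpcd-run-hooks` is commented out rather than removed, and nothing says why, so the next reader cannot tell whether it is a pending revert or dead text; since the same commit labels that path `dhcpc_script_exec_t` in sysnetwork.fc, I would delete the line, or if it must stay, make it explain itself: `# /lib/dhcpcd/dhcpcd-run-hooks is labeled dhcpc_script_exec_t in sysnetwork.fc`. A stale commented-out file context is also easy to uncomment by mistake later, which would give the hook runner two competing labels. The identical corecommands.fc hunk appears in the earlier revisions 14d4ab23 and 39547652 below and the same remark applies there.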
diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
index a809d61..d9b674e 100644
--- a/policy/modules/system/sysnetwork.fc
+++ b/policy/modules/system/sysnetwork.fc
@@ -81,6 +81,7 @@ ifdef(`distro_debian',`
 ')
 ifdef(`distro_gentoo',`
+/lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:dhcpc_script_exec_t,s0)
 /var/run/dhcpcd\.sock -s gen_context(system_u:object_r:dhcpc_var_run_t,s0)
 /var/run/dhcpcd\.unpriv\.sock -s gen_context(system_u:object_r:dhcpc_var_run_t,s0)
 ')
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
index 2cea692..86313b6 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -796,3 +796,32 @@ interface(`sysnet_use_portmap',`
 sysnet_read_config($1)
 ')
+
+# This should be after an ifdef distro_gentoo but that is not allowed in an if file
+ + ##
+## Make the specified program domain
+## accessable from the DHCP hooks/scripts.
+##
+##
+##
+## The type of the process to transition to.
+##
+##
+##
+##
+## The type of the file used as an entrypoint to this domain.
+##
+##
+#
+interface(`sysnet_dhcpc_script_entry',`
+ gen_require(`
+ type dhcpc_script_t;
+ attribute_role dhcpc_roles;
+ ')
+
+ role dhcpc_roles types $1;
+
+ domtrans_pattern(dhcpc_script_t, $2, $1)
+')
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 3576536..1dd0817 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
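Review bot: `sysnet_dhcpc_script_entry` requires `type dhcpc_script_t`, which the sysnetwork.te hunk of this commit declares only inside the distro_gentoo ifdef, so a module that calls this interface on a non-Gentoo build fails at the gen_require; the `#` comment above the interface admits this, but callers read the XML summary, not the source comment. I would say it in the summary itself, which also fixes the `accessable` typo: `## Make the specified program domain accessible from the DHCP hooks/scripts. Gentoo only: dhcpc_script_t exists only under distro_gentoo.` Offering a transition interface instead of widening dhcpc_script_t is the right shape for the least-privilege goal stated in the commit message, so the interface body itself looks fine.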
@@ -422,4 +422,62 @@ ifdef(`distro_gentoo',`
 optional_policy(`
 resolvconf_client_domain(dhcpc_t)
 ')
+
+ #
+ #
+ # dhcpc_script_t
+ #
+
+ # The purpose of the dhcpc_script_t domain is to handle the post-processing of
+ # the dhcpcd ip renewal. dhcpcd (the tool) supports hooks for this, and I would
+ # assume others do as well. With the dhcpc_script_t domain we can isolate the
+ # privileges of the DHCP client itself from the hooks / flexibility that the developers
+ # introduced.
+
+ type dhcpc_script_t;
+ domain_type(dhcpc_script_t)
+ role dhcpc_roles types dhcpc_script_t;
+
+ type dhcpc_script_exec_t;
+ domain_entry_file(dhcpc_script_t, dhcpc_script_exec_t)
+
+ type dhcpc_script_tmp_t;
+ files_tmp_file(dhcpc_script_tmp_t)
+
+
+ #
+ # dhcpc script policy
+ #
+
+ allow dhcpc_script_t self:fifo_file rw_fifo_file_perms;
+
+ manage_files_pattern(dhcpc_script_t, dhcpc_script_tmp_t, dhcpc_script_tmp_t)
+ fi
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/kernel/, policy/modules/system/
commit: 14d4ab23ddd8ab4d3d294aff25caa09298623448 Author: Sven Vermeulen siphos be> AuthorDate: Fri Nov 28 10:13:54 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Fri Nov 28 11:15:23 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=14d4ab23 Fix bug 529204 - Support a dhcpc_script_t domain We introduce an executable domain (dhcpc_script_t) through which the hooks can be executed for the DHCP clients. This domain is separate in order to keep the privileges of the application small, but also because this domain will execute commands that are not in the responsibility of the DHCP client code itself (code-wise) but is provided by administrators. Security-wise, as these are scripts, it is more difficult to guarantee correctness. As such, we want to isolate these privileges into its own domain. The domain will have basic privileges to support the majority of installations, but we also include a sysnet_dhcpc_script_entry() interface so that domain transitions can be easily added without the need for augmenting the privileges of the dhcpc_script_t domain.
---
 policy/modules/kernel/corecommands.fc | 2 +-
 policy/modules/system/sysnetwork.fc | 1 +
 policy/modules/system/sysnetwork.te | 46 +++
 3 files changed, 48 insertions(+), 1 deletion(-)
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 406a11e..40fd54b 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -143,7 +143,7 @@ ifdef(`distro_debian',`
 /lib/upstart(/.*)? gen_context(system_u:object_r:bin_t,s0)
 ifdef(`distro_gentoo',`
-/lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:bin_t,s0)
+#/lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:bin_t,s0)
 /lib/rcscripts/addons(/.*)?gen_context(system_u:object_r:bin_t,s0)
 /lib/rcscripts/sh(/.*)? gen_context(system_u:object_r:bin_t,s0)
diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
index a809d61..d9b674e 100644
--- a/policy/modules/system/sysnetwork.fc
+++ b/policy/modules/system/sysnetwork.fc
@@ -81,6 +81,7 @@ ifdef(`distro_debian',`
 ')
 ifdef(`distro_gentoo',`
+/lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:dhcpc_script_exec_t,s0)
 /var/run/dhcpcd\.sock -s gen_context(system_u:object_r:dhcpc_var_run_t,s0)
 /var/run/dhcpcd\.unpriv\.sock -s gen_context(system_u:object_r:dhcpc_var_run_t,s0)
 ')
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 3576536..8adbcfa 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -422,4 +422,50 @@ ifdef(`distro_gentoo',`
 optional_policy(`
 resolvconf_client_domain(dhcpc_t)
 ')
+
+ #
+ #
+ # dhcpc_script_t
+ #
+
+ # The purpose of the dhcpc_script_t domain is to handle the post-processing of
+ # the dhcpcd ip renewal. dhcpcd (the tool) supports hooks for this, and I would
+ # assume others do as well. With the dhcpc_script_t domain we can isolate the
+ # privileges of the DHCP client itself from the hooks / flexibility that the developers
+ # introduced.
+
+ type dhcpc_script_t;
+ domain_type(dhcpc_script_t)
+ role dhcpc_roles types dhcpc_script_t;
+
+ type dhcpc_script_exec_t;
+ domain_entry_file(dhcpc_script_t, dhcpc_script_exec_t)
+
+ type dhcpc_script_tmp_t;
+ files_tmp_file(dhcpc_script_tmp_t)
+
+
+ #
+ # dhcpc script policy
+ #
+
+ allow dhcpc_script_t self:fifo_file rw_fifo_file_perms;
+
+ manage_files_pattern(dhcpc_script_t, dhcpc_script_tmp_t, dhcpc_script_tmp_t)
+ files_tmp_filetrans(dhcpc_script_t, dhcpc_script_tmp_t, { file dir })
+
+ manage_files_pattern(dhcpc_script_t, dhcpc_var_run_t, dhcpc_var_run_t)
+ files_pid_filetrans(dhcpc_script_t, dhcpc_var_run_t, { file dir })
+
+ corecmd_exec_bin(dhcpc_script_t)
+ corecmd_exec_shell(dhcpc_script_t)
+
+ # Perhaps sysnet_domtrans_dhcpc_script could be used instead and positioned in the dhcpc_t section
+ domtrans_pattern(dhcpc_t, dhcpc_script_exec_t, dhcpc_script_t)
+
+ sysnet_manage_config(dhcpc_script_t)
+
+ optional_policy(`
+ ntp_manage_config(dhcpc_script_t)
+ ')
 ')
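Review bot: `sysnet_manage_config(dhcpc_script_t)` calls the sysnetwork module's own interface from inside sysnetwork.te, which refpolicy style avoids; the rules should be written directly on the module's own types (presumably the net_conf_t rules that the interface wraps), and for the same reason I would drop the `# Perhaps sysnet_domtrans_dhcpc_script could be used instead ...` comment and simply move the `domtrans_pattern(dhcpc_t, dhcpc_script_exec_t, dhcpc_script_t)` line into the dhcpc_t section where the transition belongs. The hooks also receive `manage_files_pattern` plus a `files_pid_filetrans` on dhcpc_var_run_t; given the commit's stated aim of keeping this domain's privileges small, a read pattern would be narrower unless the hooks are known to write there, and a short comment should say which it is. The header comment is first-person speculation (`I would assume others do as well`); a factual line such as `# dhcpc_script_t confines the hook scripts the DHCP client runs when an address is obtained or released, isolating them from dhcpc_t` reads better in policy. The same header comment appears in the 39547652 revision of this hunk below, and in the c1d8aae8 revision above, which is cut off in this view.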
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/kernel/, policy/modules/system/
commit: 39547652cd07ae3611419261d255128aa1f436e8 Author: Sven Vermeulen siphos be> AuthorDate: Fri Nov 28 10:13:54 2014 + Commit: Sven Vermeulen gentoo org> CommitDate: Fri Nov 28 10:22:30 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=39547652 Fix bug 529204 - Support a dhcpc_script_t domain We introduce an executable domain (dhcpc_script_t) through which the hooks can be executed for the DHCP clients. This domain is separate in order to keep the privileges of the application small, but also because this domain will execute commands that are not in the responsibility of the DHCP client code itself (code-wise) but is provided by administrators. Security-wise, as these are scripts, it is more difficult to guarantee correctness. As such, we want to isolate these privileges into its own domain. The domain will have basic privileges to support the majority of installations, but we also include a sysnet_dhcpc_script_entry() interface so that domain transitions can be easily added without the need for augmenting the privileges of the dhcpc_script_t domain.
---
 policy/modules/kernel/corecommands.fc | 2 +-
 policy/modules/system/sysnetwork.fc | 3 +++
 policy/modules/system/sysnetwork.te | 32
 3 files changed, 36 insertions(+), 1 deletion(-)
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 406a11e..40fd54b 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -143,7 +143,7 @@ ifdef(`distro_debian',`
 /lib/upstart(/.*)? gen_context(system_u:object_r:bin_t,s0)
 ifdef(`distro_gentoo',`
-/lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:bin_t,s0)
+#/lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:bin_t,s0)
 /lib/rcscripts/addons(/.*)?gen_context(system_u:object_r:bin_t,s0)
 /lib/rcscripts/sh(/.*)? gen_context(system_u:object_r:bin_t,s0)
diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
index fbb935c..b1c6404 100644
--- a/policy/modules/system/sysnetwork.fc
+++ b/policy/modules/system/sysnetwork.fc
@@ -80,3 +80,6 @@ ifdef(`distro_debian',`
 /var/run/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
 ')
+ifdef(`distro_gentoo',`
+/lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:dhcpc_script_exec_t,s0)
+')
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 3576536..fad8fce 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -422,4 +422,36 @@ ifdef(`distro_gentoo',`
 optional_policy(`
 resolvconf_client_domain(dhcpc_t)
 ')
+
+ #
+ #
+ # dhcpc_script_t
+ #
+
+ # The purpose of the dhcpc_script_t domain is to handle the post-processing of
+ # the dhcpcd ip renewal. dhcpcd (the tool) supports hooks for this, and I would
+ # assume others do as well. With the dhcpc_script_t domain we can isolate the
+ # privileges of the DHCP client itself from the hooks / flexibility that the developers
+ # introduced.
+
+ type dhcpc_script_t;
+ domain_type(dhcpc_script_t)
+ role dhcpc_roles types dhcpc_script_t;
+
+ type dhcpc_script_exec_t;
+ domain_entry_file(dhcpc_script_t, dhcpc_script_exec_t)
+
+ type dhcpc_script_tmp_t;
+ files_tmp_file(dhcpc_script_tmp_t)
+
+
+ #
+ # dhcpc script policy
+ #
+
+ manage_files_pattern(dhcpc_script_t, dhcpc_script_tmp_t, dhcpc_script_tmp_t)
+ files_tmp_filetrans(dhcpc_script_t, dhcpc_script_tmp_t, { file dir })
+
+ corecmd_exec_bin(dhcpc_script_t)
+ corecmd_exec_shell(dhcpc_script_t)
 ')
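Review bot: This revision declares dhcpc_script_t and its entry type dhcpc_script_exec_t but adds no transition or execute rule from dhcpc_t to dhcpc_script_exec_t, while the corecommands.fc change in the same commit drops the bin_t label from /lib/dhcpcd/dhcpcd-run-hooks; unless a rule outside this hunk covers it, dhcpc_t can no longer execute its hook runner at all, so the hooks would be denied rather than confined. The later revision 14d4ab23 above adds `domtrans_pattern(dhcpc_t, dhcpc_script_exec_t, dhcpc_script_t)`, which is the missing piece; a comment on the domain_entry_file line noting where the transition into this domain is defined would keep the two halves from drifting apart again.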