[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/kernel/, policy/modules/system/
commit: df80c8bf3a5c5e581370d75bf6ea5154a8b02b0b Author: Jason Zaman perfinion com> AuthorDate: Sun Sep 10 13:00:36 2017 + Commit: Jason Zaman gentoo org> CommitDate: Sun Sep 10 13:00:36 2017 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=df80c8bf Allow sysadm to map all non auth files policy/modules/kernel/files.if | 20 policy/modules/system/userdomain.if | 1 + 2 files changed, 21 insertions(+)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index f2b76f86..35dcfe7b 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1474,6 +1474,26 @@ interface(`files_manage_non_auth_files',`
 ##
+## Mmap non-authentication related
+## files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`files_map_non_auth_files',`
+ gen_require(`
+ attribute non_auth_file_type;
+ ')
+
+ allow $1 non_auth_file_type:file map;
+')
+
+
+##
 ## Relabel all non-authentication related
 ## files.
 ##
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 84e9c57e..16789a3c 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1256,6 +1256,7 @@ template(`userdom_admin_user_template',`
 auth_getattr_shadow($1_t)
 # Manage almost all files
 files_manage_non_auth_files($1_t)
+ files_map_non_auth_files($1_t)
 # Relabel almost all files
 files_relabel_non_auth_files($1_t)
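Review bot: `files_map_non_auth_files` grants `map` across the whole `non_auth_file_type` attribute but carries no comment recording why the non-auth attribute was chosen rather than an all-files one; a one-liner above the allow rule such as `# map is deliberately withheld on the authentication file types (presumably shadow and friends) — confirm` would stop a later edit from quietly widening it. The rule is limited to the `file` class, which appears to match what the sibling `files_manage_non_auth_files` named in the hunk context covers.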
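Review bot: The new `files_map_non_auth_files($1_t)` call sits under the `# Manage almost all files` comment, which no longer describes the block, since `map` is a separate permission from the read/write set that `files_manage_non_auth_files` hands out. Suggest `# Manage and mmap almost all files` so a reader of the admin template sees that both are granted here. The enclosing `userdom_admin_user_template` starts and ends outside this hunk.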
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/kernel/, policy/modules/system/
commit: d92bdf260887935367802afbbaf25d399c020cd5 Author: Chris PeBenito tresys com> AuthorDate: Fri Oct 23 14:16:59 2015 + Commit: Jason Zaman gentoo org> CommitDate: Mon Oct 26 03:52:47 2015 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d92bdf26 Implement core systemd policy. Significant contributions from the Tresys CLIP team. Other changes from Laurent Bigonville. policy/modules/kernel/corecommands.fc | 2 + policy/modules/kernel/domain.te | 6 + policy/modules/kernel/files.if| 172 ++ policy/modules/kernel/filesystem.if | 73 policy/modules/kernel/kernel.if | 60 +++- policy/modules/kernel/terminal.if | 19 ++ policy/modules/system/authlogin.if| 19 ++ policy/modules/system/init.fc | 4 + policy/modules/system/init.if | 608 +- policy/modules/system/init.te | 176 +- policy/modules/system/locallogin.if | 21 ++ policy/modules/system/logging.if | 38 +++ policy/modules/system/lvm.if | 20 ++ policy/modules/system/systemd.fc | 39 +++ policy/modules/system/systemd.if | 195 +++ policy/modules/system/systemd.te | 264 +++ policy/modules/system/udev.if | 19 ++ 17 files changed, 1711 insertions(+), 24 deletions(-)
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index f465e43..b4e192a 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -242,6 +242,8 @@ ifdef(`distro_gentoo',`
 /usr/lib/rpm/rpmv -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/sudo/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/lib/systemd/system-generators(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/systemd/user-generators(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/tumbler-1/tumblerd-- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/vte/gnome-pty-helper -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0)
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
index 451a1be..6c3ef60 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -115,6 +115,12 @@ ifdef(`hide_broken_symptoms',`
 dontaudit domain self:udp_socket listen;
 ')
+ifdef(`init_systemd',`
+ optional_policy(`
+ shutdown_sigchld(domain)
+ ')
+')
+
 tunable_policy(`global_ssp',`
 # enable reading of urandom for all domains:
 # this should be enabled when all programs
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index dd16f74..cbb8afe 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -563,6 +563,24 @@ interface(`files_manage_non_security_dirs',`
 ##
+## Relabel from/to non-security directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_relabel_non_security_dirs',`
+ gen_require(`
+ attribute non_security_file_type;
+ ')
+
+ relabel_dirs_pattern($1, non_security_file_type, non_security_file_type)
+')
+
+
+##
 ## Get the attributes of all files.
 ##
 ##
@@ -620,6 +638,44 @@ interface(`files_dontaudit_getattr_non_security_files',`
 ##
+## Create, read, write, and delete all non-security files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`files_manage_non_security_files',`
+ gen_require(`
+ attribute non_security_file_type;
+ ')
+
+ manage_files_pattern($1, non_security_file_type, non_security_file_type)
+')
+
+
+##
+## Relabel from/to all non-security files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`files_relabel_non_security_files',`
+ gen_require(`
+ attribute non_security_file_type;
+ ')
+
+ relabel_files_pattern($1, non_security_file_type, non_security_file_type)
+')
+
+
+##
 ## Read all files.
 ##
 ##
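Review bot: `shutdown_sigchld(domain)` lets every domain send SIGCHLD to the shutdown domain, but the block carries no comment on why systemd needs this from all domains rather than from init alone, so it reads like a blanket grant. A why-comment above the `optional_policy` such as `# presumably any domain can end up a child of systemd-shutdown during the final teardown — confirm` would record the reasoning. The grant itself is a single signal, so the concern is documentation rather than privilege.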
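Review bot: `files_manage_non_security_files` and `files_relabel_non_security_files` together give a caller create/write/delete plus `relabelfrom`/`relabelto` over the entire `non_security_file_type` attribute, yet their summaries say nothing about who should call them. Suggest a sentence in each description along the lines of `## Intended for init/systemd-class domains; the caller gets near-unrestricted access to every non-security file type.` so the interfaces are not picked up by ordinary daemon policies. The same applies to `files_relabel_non_security_dirs` in the first files.if hunk.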
@@ -1948,6 +2004,24 @@ interface(`files_unmount_rootfs',`
 ##
+## Mount on the root directory (/)
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_mounton_root',`
+ gen_require(`
+ type root_t;
+ ')
+
+ allow $1 root_t:dir mounton;
+')
+
+
+##
 ## Get attributes of the /boot directory.
 ##
 ##
@@ -4398,6 +4472,24 @@
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/kernel/, policy/modules/services/, policy/modules/system/
commit: eaa1a1b1454ce8ae38f2d84774b3047e9203efd9 Author: Chris PeBenito tresys com> AuthorDate: Tue Oct 20 18:33:56 2015 + Commit: Jason Zaman gentoo org> CommitDate: Mon Oct 26 03:54:24 2015 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=eaa1a1b1 Add systemd units for core refpolicy services. Only for services that already have a named init script. Add rules to init_startstop_service(), with conditional arg until all of refpolicy-contrib callers are updated. policy/modules/kernel/files.if| 18 ++ policy/modules/services/postgresql.if | 4 ++-- policy/modules/services/postgresql.te | 3 +++ policy/modules/system/init.if | 17 + policy/modules/system/init.te | 3 +++ policy/modules/system/ipsec.if| 3 ++- policy/modules/system/ipsec.te| 3 +++ policy/modules/system/iptables.fc | 5 + policy/modules/system/iptables.if | 4 ++-- policy/modules/system/iptables.te | 3 +++ policy/modules/system/logging.fc | 2 ++ policy/modules/system/logging.if | 8 policy/modules/system/logging.te | 6 ++ policy/modules/system/lvm.fc | 6 ++ policy/modules/system/lvm.if | 4 ++-- policy/modules/system/lvm.te | 3 +++ policy/modules/system/setrans.if | 4 ++-- policy/modules/system/setrans.te | 3 +++ 18 files changed, 86 insertions(+), 13 deletions(-)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index cbb8afe..20acc0e 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -2892,6 +2892,24 @@ interface(`files_exec_etc_files',`
 exec_files_pattern($1, etc_t, etc_t)
 ')
+
+##
+## Get etc_t service status.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_get_etc_unit_status',`
+ gen_require(`
+ type etc_t;
+ ')
+
+ allow $1 etc_t:service status;
+')
+
 ###
 ##
 ## Relabel from and to generic files in /etc.
diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if
index 11526b6..32e5d06 100644
--- a/policy/modules/services/postgresql.if
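Review bot: `files_get_etc_unit_status` uses the `service` object class but its `gen_require` declares only `type etc_t;`, whereas the `init_startstop_service` hunk in this same commit declares `class service { start stop };` before using the class. For consistency, and so the interface is self-contained where the class is not otherwise required, add `class service status;` to the `gen_require` block. A short comment that this targets unit files carrying the generic `etc_t` label, rather than a dedicated unit type like the `postgresql_unit_t` this commit introduces, would also make the breadth of the grant explicit.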
+++ b/policy/modules/services/postgresql.if
@@ -587,7 +587,7 @@ interface(`postgresql_admin',`
 type postgresql_t, postgresql_var_run_t;
 type postgresql_tmp_t, postgresql_db_t;
 type postgresql_etc_t, postgresql_log_t;
- type postgresql_initrc_exec_t;
+ type postgresql_initrc_exec_t, postgresql_unit_t;
 ')
 typeattribute $1 sepgsql_admin_type;
@@ -595,7 +595,7 @@ interface(`postgresql_admin',`
 allow $1 postgresql_t:process { ptrace signal_perms };
 ps_process_pattern($1, postgresql_t)
- init_startstop_service($1, $2, postgresql_t, postgresql_initrc_exec_t)
+ init_startstop_service($1, $2, postgresql_t, postgresql_initrc_exec_t, postgresql_unit_t)
 admin_pattern($1, postgresql_var_run_t)
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
index b4ba0f1..6844c35 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -61,6 +61,9 @@ logging_log_file(postgresql_log_t)
 type postgresql_tmp_t;
 files_tmp_file(postgresql_tmp_t)
+type postgresql_unit_t;
+init_unit_file(postgresql_unit_t)
+
 type postgresql_var_run_t;
 files_pid_file(postgresql_var_run_t)
 init_daemon_pid_file(postgresql_var_run_t, dir, "postgresql")
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 192508f..cfe4bd4 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1392,6 +1392,11 @@ interface(`init_all_labeled_script_domtrans',`
 ## Labeled init script file.
 ##
 ##
+##
+##
+## Systemd unit file type.
+##
+##
 #
 interface(`init_startstop_service',`
 gen_require(`
@@ -1409,6 +1414,18 @@ interface(`init_startstop_service',`
 role_transition $2 $4 system_r;
 allow $2 system_r;
 ')
+
+ ifdef(`init_systemd',`
+ # This ifelse condition is temporary, until
+ # all callers are updated to provide unit files.
+ ifelse(`$5',`',`',`
+ gen_require(`
+ class service { start stop };
+ ')
+
+ allow $1 $5:service { start stop };
+ ')
+ ')
 ')
 ')
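Review bot: The new `<param>` block in the first init.if hunk documents the unit file type as an ordinary fifth parameter, but the second hunk's `ifelse(`$5',`',`',` branch makes it optional; mark the param `optional="true"` so the generated interface docs agree with the code. Under `init_systemd` a caller that omits `$5` silently receives no `service { start stop }` grant, which the `# This ifelse condition is temporary` comment explains, but it would help to say there exactly what to remove once refpolicy-contrib is updated (the `ifelse` wrapper, keeping the inner `gen_require` and `allow`). `init_startstop_service` begins before this hunk.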
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 916b895..79400f2 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -746,6 +746,9 @@
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/kernel/, policy/modules/services/, policy/modules/system/
commit: 5dece5bd67bca8c3df92c74d776119ae9af8ebc2 Author: Chris PeBenito tresys com> AuthorDate: Tue Oct 20 18:48:38 2015 + Commit: Jason Zaman gentoo org> CommitDate: Mon Oct 26 03:52:58 2015 + URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5dece5bd Add supporting rules for domains tightly-coupled with systemd. policy/modules/kernel/devices.if| 52 + policy/modules/kernel/kernel.te | 17 policy/modules/services/ssh.te | 5 policy/modules/system/init.te | 1 + policy/modules/system/locallogin.te | 8 ++ policy/modules/system/logging.fc| 1 + policy/modules/system/logging.te| 22 policy/modules/system/lvm.te| 6 + policy/modules/system/modutils.te | 8 ++ policy/modules/system/sysnetwork.te | 8 ++ policy/modules/system/udev.te | 12 + 11 files changed, 135 insertions(+), 5 deletions(-)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 835ec14..a052db5 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -143,11 +143,11 @@ interface(`dev_relabel_all_dev_nodes',`
 type device_t;
 ')
- relabelfrom_dirs_pattern($1, device_t, device_node)
- relabelfrom_files_pattern($1, device_t, device_node)
+ relabelfrom_dirs_pattern($1, device_t, { device_t device_node })
+ relabelfrom_files_pattern($1, device_t, { device_t device_node })
 relabelfrom_lnk_files_pattern($1, device_t, { device_t device_node })
- relabelfrom_fifo_files_pattern($1, device_t, device_node)
- relabelfrom_sock_files_pattern($1, device_t, device_node)
+ relabelfrom_fifo_files_pattern($1, device_t, { device_t device_node })
+ relabelfrom_sock_files_pattern($1, device_t, { device_t device_node })
 relabel_blk_files_pattern($1, device_t, { device_t device_node })
 relabel_chr_files_pattern($1, device_t, { device_t device_node })
 ')
@@ -709,7 +709,7 @@ interface(`dev_relabelfrom_generic_chr_files',`
 type device_t;
 ')
- allow $1 device_t:chr_file relabelfrom;
+ allow $1 device_t:chr_file relabelfrom_chr_file_perms;
 ')
@@ -1943,6 +1943,30 @@ interface(`dev_filetrans_dri',`
 ##
+## Automatic type transition to the type
+## for event device nodes when created in /dev.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The name of the object being created.
+##
+##
+#
+interface(`dev_filetrans_input_dev',`
+ gen_require(`
+ type device_t, event_device_t;
+ ')
+
+ filetrans_pattern($1, device_t, event_device_t, chr_file, $2)
+')
+
+
+##
 ## Get the attributes of the event devices.
 ##
 ##
@@ -2017,6 +2041,24 @@ interface(`dev_rw_input_dev',`
 ##
+## Create, read, write, and delete input event devices (/dev/input).
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dev_manage_input_dev',`
+ gen_require(`
+ type device_t, event_device_t;
+ ')
+
+ manage_chr_files_pattern($1, device_t, event_device_t)
+')
+
+
+##
 ## Get the attributes of the framebuffer device node.
 ##
 ##
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 14b5713..f2d5756 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -299,6 +299,23 @@ ifdef(`distro_redhat',`
 fs_rw_tmpfs_chr_files(kernel_t)
 ')
+ifdef(`init_systemd',`
+ optional_policy(`
+ dev_manage_input_dev(kernel_t)
+ dev_filetrans_input_dev(kernel_t)
+ ')
+
+ optional_policy(`
+ selinux_compute_create_context(kernel_t)
+ ')
+
+ optional_policy(`
+ storage_dev_filetrans_fixed_disk(kernel_t)
+ storage_setattr_fixed_disk_dev(kernel_t)
+ storage_create_fixed_disk_dev(kernel_t)
+ ')
+')
+
 optional_policy(`
 # loop devices
 fstools_use_fds(kernel_t)
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 783d0e7..e5932aa 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
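Review bot: `dev_filetrans_input_dev` hands `$2` to `filetrans_pattern` as the object name, and the kernel.te hunk in this commit calls it as `dev_filetrans_input_dev(kernel_t)` with no name at all, so the second parameter is optional in practice; its param documentation should carry `optional="true"` so callers are not told a name is required. The `dev_manage_input_dev` interface in the next hunk is documented consistently with what it grants.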
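Review bot: The `ifdef(`init_systemd',` block in kernel.te gives `kernel_t` management and type transitions for input device nodes, `selinux_compute_create_context`, and fixed-disk node creation, with no comment on why the kernel domain needs these only when systemd is init. A why-comment above the block such as `# presumably device nodes the kernel creates on devtmpfs are attributed to kernel_t under systemd — confirm` would let a later reviewer judge whether `storage_create_fixed_disk_dev(kernel_t)` is still needed. The three `optional_policy` wrappers are the right shape for these calls.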
@@ -266,6 +266,11 @@ ifdef(`distro_debian',`
 allow sshd_t self:process { getcap setcap };
 ')
+ifdef(`init_systemd',`
+ systemd_dbus_chat_logind(sshd_t)
+ init_rw_stream_sockets(sshd_t)
+')
+
 tunable_policy(`ssh_sysadm_login',`
 # Relabel and access ptys created by sshd
 # ioctl is necessary for logout() processing for utmp entry and for w to
diff --git a/policy/modules/system/init.te
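Review bot: The new `ifdef(`init_systemd',` block in ssh.te calls `systemd_dbus_chat_logind(sshd_t)` unconditionally, while the kernel.te hunk in this commit wraps its systemd-era calls in `optional_policy(`...`)`. If the systemd policy is built as a loadable module rather than base, the bare call would make the ssh module fail to link whenever systemd policy is absent; wrapping that one line in `optional_policy` matches the rest of the commit and keeps ssh loadable on systemd-less builds. `init_rw_stream_sockets(sshd_t)` comes from the init module, which is part of base, and can stay as is.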
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/kernel/, policy/
commit: cf050c09f77027dd6ae24e17e5035b617e2d682b Author: Sven Vermeulen sven.vermeulen AT siphos DOT be AuthorDate: Wed Mar 4 17:14:12 2015 + Commit: Sven Vermeulen swift AT gentoo DOT org CommitDate: Wed Mar 4 17:39:39 2015 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=cf050c09 Mark storage as base module All modules within the base should not depend on anything that is modular. However recently we had to allow kernel_t certain privileges which are covered not only by an interface of the storage module (which is not an issue) but also by an attribute that is managed by that module. As a result, base fails to build: $ make base Compiling mcs base module /usr/bin/checkmodule: loading policy configuration from base.conf policy/modules/kernel/kernel.te:433:ERROR 'attribute fixed_disk_raw_read is not declared' at token ';' on line 23210: typeattribute kernel_t fixed_disk_raw_read; \#line 433 /usr/bin/checkmodule: error(s) encountered while parsing configuration Rules.modular:98: recipe for target 'tmp/base.mod' failed make: *** [tmp/base.mod] Error 1 Moving storage as a base module. X-Gentoo-Bug: 535992 X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=535992 policy/modules.conf | 2 +- policy/modules/kernel/storage.if | 4 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/policy/modules.conf b/policy/modules.conf
index b9b41d9..5d9eee7 100644
--- a/policy/modules.conf
+++ b/policy/modules.conf
@@ -2306,7 +2306,7 @@ zosremote = module
 #
 # Policy controlling access to storage devices
 #
-storage = module
+storage = base
 # Layer: roles
 # Module: auditadm
diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
index 5c1be6b..8a7119d 100644
--- a/policy/modules/kernel/storage.if
+++ b/policy/modules/kernel/storage.if
@@ -1,4 +1,8 @@
 ## summaryPolicy controlling access to storage devices/summary
+## required val=true
+## This module defines attributes that are used by other
+## required modules (such as kernel_t in the kernel module)
+## /required
 ## summary
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/kernel/, policy/modules/system/
commit: 39547652cd07ae3611419261d255128aa1f436e8 Author: Sven Vermeulen sven.vermeulen AT siphos DOT be AuthorDate: Fri Nov 28 10:13:54 2014 + Commit: Sven Vermeulen swift AT gentoo DOT org CommitDate: Fri Nov 28 10:22:30 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=39547652 Fix bug 529204 - Support a dhcpc_script_t domain We introduce an executable domain (dhcpc_script_t) through which the hooks can be executed for the DHCP clients. This domain is separate in order to keep the privileges of the application small, but also because this domain will execute commands that are not in the responsibility of the DHCP client code itself (code-wise) but is provided by administrators. Security-wise, as these are scripts, it is more difficult to guarantee correctness. As such, we want to isolate these privileges into its own domain. The domain will have basic privileges to support the majority of installations, but we also include a sysnet_dhcpc_script_entry() interface so that domain transitions can be easily added without the need for augmenting the privileges of the dhcpc_script_t domain. --- policy/modules/kernel/corecommands.fc | 2 +- policy/modules/system/sysnetwork.fc | 3 +++ policy/modules/system/sysnetwork.te | 32 3 files changed, 36 insertions(+), 1 deletion(-)
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 406a11e..40fd54b 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -143,7 +143,7 @@ ifdef(`distro_debian',`
 /lib/upstart(/.*)? gen_context(system_u:object_r:bin_t,s0)
 ifdef(`distro_gentoo',`
-/lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:bin_t,s0)
+#/lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:bin_t,s0)
 /lib/rcscripts/addons(/.*)?gen_context(system_u:object_r:bin_t,s0)
 /lib/rcscripts/sh(/.*)? gen_context(system_u:object_r:bin_t,s0)
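Review bot: The Gentoo `/lib/dhcpcd/dhcpcd-run-hooks` entry is left in corecommands.fc as a commented-out line instead of being removed, and nothing says the label moved to sysnetwork.fc as `dhcpc_script_exec_t`; a dead fc entry tends to get resurrected by a later contributor and would then clash with the sysnetwork.fc specification for the same path. Either delete the line or replace it with `# dhcpcd-run-hooks is labelled dhcpc_script_exec_t in sysnetwork.fc`. The same hunk is repeated unchanged in commits 14d4ab23 and c1d8aae8 below.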
diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
index fbb935c..b1c6404 100644
--- a/policy/modules/system/sysnetwork.fc
+++ b/policy/modules/system/sysnetwork.fc
@@ -80,3 +80,6 @@ ifdef(`distro_debian',`
 /var/run/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
 ')
+ifdef(`distro_gentoo',`
+/lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:dhcpc_script_exec_t,s0)
+')
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 3576536..fad8fce 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -422,4 +422,36 @@ ifdef(`distro_gentoo',`
 optional_policy(`
 resolvconf_client_domain(dhcpc_t)
 ')
+
+ #
+ #
+ # dhcpc_script_t
+ #
+
+ # The purpose of the dhcpc_script_t domain is to handle the post-processing of
+ # the dhcpcd ip renewal. dhcpcd (the tool) supports hooks for this, and I would
+ # assume others do as well. With the dhcpc_script_t domain we can isolate the
+ # privileges of the DHCP client itself from the hooks / flexibility that the developers
+ # introduced.
+
+ type dhcpc_script_t;
+ domain_type(dhcpc_script_t)
+ role dhcpc_roles types dhcpc_script_t;
+
+ type dhcpc_script_exec_t;
+ domain_entry_file(dhcpc_script_t, dhcpc_script_exec_t)
+
+ type dhcpc_script_tmp_t;
+ files_tmp_file(dhcpc_script_tmp_t)
+
+
+ #
+ # dhcpc script policy
+ #
+
+ manage_files_pattern(dhcpc_script_t, dhcpc_script_tmp_t, dhcpc_script_tmp_t)
+ files_tmp_filetrans(dhcpc_script_t, dhcpc_script_tmp_t, { file dir })
+
+ corecmd_exec_bin(dhcpc_script_t)
+ corecmd_exec_shell(dhcpc_script_t)
 ')
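Review bot: `files_tmp_filetrans(dhcpc_script_t, dhcpc_script_tmp_t, { file dir })` lists `dir` among the transition classes, but the only grant on `dhcpc_script_tmp_t` is `manage_files_pattern`, so a directory a hook creates under /tmp would receive the new type and then, as far as the refpolicy pattern macros go, lack `dir create` on it. Either add `manage_dirs_pattern(dhcpc_script_t, dhcpc_script_tmp_t, dhcpc_script_tmp_t)` or, if hooks only write files, drop `dir` from the class list, which is the narrower choice for a domain whose purpose is to keep administrator scripts contained. The revised version of this commit below (14d4ab23) keeps the mismatch and repeats it for `files_pid_filetrans(dhcpc_script_t, dhcpc_var_run_t, { file dir })`.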
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/kernel/, policy/modules/system/
commit: 14d4ab23ddd8ab4d3d294aff25caa09298623448 Author: Sven Vermeulen sven.vermeulen AT siphos DOT be AuthorDate: Fri Nov 28 10:13:54 2014 + Commit: Sven Vermeulen swift AT gentoo DOT org CommitDate: Fri Nov 28 11:15:23 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=14d4ab23 Fix bug 529204 - Support a dhcpc_script_t domain We introduce an executable domain (dhcpc_script_t) through which the hooks can be executed for the DHCP clients. This domain is separate in order to keep the privileges of the application small, but also because this domain will execute commands that are not in the responsibility of the DHCP client code itself (code-wise) but is provided by administrators. Security-wise, as these are scripts, it is more difficult to guarantee correctness. As such, we want to isolate these privileges into its own domain. The domain will have basic privileges to support the majority of installations, but we also include a sysnet_dhcpc_script_entry() interface so that domain transitions can be easily added without the need for augmenting the privileges of the dhcpc_script_t domain. --- policy/modules/kernel/corecommands.fc | 2 +- policy/modules/system/sysnetwork.fc | 1 + policy/modules/system/sysnetwork.te | 46 +++ 3 files changed, 48 insertions(+), 1 deletion(-)
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 406a11e..40fd54b 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -143,7 +143,7 @@ ifdef(`distro_debian',`
 /lib/upstart(/.*)? gen_context(system_u:object_r:bin_t,s0)
 ifdef(`distro_gentoo',`
-/lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:bin_t,s0)
+#/lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:bin_t,s0)
 /lib/rcscripts/addons(/.*)?gen_context(system_u:object_r:bin_t,s0)
 /lib/rcscripts/sh(/.*)? gen_context(system_u:object_r:bin_t,s0)
diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
index a809d61..d9b674e 100644
--- a/policy/modules/system/sysnetwork.fc
+++ b/policy/modules/system/sysnetwork.fc
@@ -81,6 +81,7 @@ ifdef(`distro_debian',`
 ')
 ifdef(`distro_gentoo',`
+/lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:dhcpc_script_exec_t,s0)
 /var/run/dhcpcd\.sock -s gen_context(system_u:object_r:dhcpc_var_run_t,s0)
 /var/run/dhcpcd\.unpriv\.sock -s gen_context(system_u:object_r:dhcpc_var_run_t,s0)
 ')
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 3576536..8adbcfa 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -422,4 +422,50 @@ ifdef(`distro_gentoo',`
 optional_policy(`
 resolvconf_client_domain(dhcpc_t)
 ')
+
+ #
+ #
+ # dhcpc_script_t
+ #
+
+ # The purpose of the dhcpc_script_t domain is to handle the post-processing of
+ # the dhcpcd ip renewal. dhcpcd (the tool) supports hooks for this, and I would
+ # assume others do as well. With the dhcpc_script_t domain we can isolate the
+ # privileges of the DHCP client itself from the hooks / flexibility that the developers
+ # introduced.
+
+ type dhcpc_script_t;
+ domain_type(dhcpc_script_t)
+ role dhcpc_roles types dhcpc_script_t;
+
+ type dhcpc_script_exec_t;
+ domain_entry_file(dhcpc_script_t, dhcpc_script_exec_t)
+
+ type dhcpc_script_tmp_t;
+ files_tmp_file(dhcpc_script_tmp_t)
+
+
+ #
+ # dhcpc script policy
+ #
+
+ allow dhcpc_script_t self:fifo_file rw_fifo_file_perms;
+
+ manage_files_pattern(dhcpc_script_t, dhcpc_script_tmp_t, dhcpc_script_tmp_t)
+ files_tmp_filetrans(dhcpc_script_t, dhcpc_script_tmp_t, { file dir })
+
+ manage_files_pattern(dhcpc_script_t, dhcpc_var_run_t, dhcpc_var_run_t)
+ files_pid_filetrans(dhcpc_script_t, dhcpc_var_run_t, { file dir })
+
+ corecmd_exec_bin(dhcpc_script_t)
+ corecmd_exec_shell(dhcpc_script_t)
+
+ # Perhaps sysnet_domtrans_dhcpc_script could be used instead and positioned in the dhcpc_t section
+ domtrans_pattern(dhcpc_t, dhcpc_script_exec_t, dhcpc_script_t)
+
+ sysnet_manage_config(dhcpc_script_t)
+
+ optional_policy(`
+ ntp_manage_config(dhcpc_script_t)
+ ')
 ')
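Review bot: `manage_files_pattern(dhcpc_script_t, dhcpc_var_run_t, dhcpc_var_run_t)` together with `files_pid_filetrans` lets the hook domain create and rewrite anything of type `dhcpc_var_run_t`, which per the sysnetwork.fc hunk is also the label of dhcpcd's control sockets and presumably its pid and lease state; an administrator-supplied hook could therefore alter the client's own runtime state, which sits uneasily with the commit message's goal of keeping hook privileges apart from the client. If hooks only need to read that state, `read_files_pattern` (or a dedicated type for hook-written files) keeps the split meaningful; if they genuinely write there, a comment naming which files would justify the grant. The `# Perhaps sysnet_domtrans_dhcpc_script could be used instead` comment is fine as a TODO but should record a decision rather than a question.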
[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/kernel/, policy/modules/system/
commit: c1d8aae88e48692c2777032706464c7a2be256cd Author: Sven Vermeulen sven.vermeulen AT siphos DOT be AuthorDate: Fri Nov 28 10:13:54 2014 + Commit: Sven Vermeulen swift AT gentoo DOT org CommitDate: Fri Nov 28 11:24:08 2014 + URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=c1d8aae8 Fix bug 529204 - Support a dhcpc_script_t domain We introduce an executable domain (dhcpc_script_t) through which the hooks can be executed for the DHCP clients. This domain is separate in order to keep the privileges of the application small, but also because this domain will execute commands that are not in the responsibility of the DHCP client code itself (code-wise) but is provided by administrators. Security-wise, as these are scripts, it is more difficult to guarantee correctness. As such, we want to isolate these privileges into its own domain. The domain will have basic privileges to support the majority of installations, but we also include a sysnet_dhcpc_script_entry() interface so that domain transitions can be easily added without the need for augmenting the privileges of the dhcpc_script_t domain. --- policy/modules/kernel/corecommands.fc | 2 +- policy/modules/system/sysnetwork.fc | 1 + policy/modules/system/sysnetwork.if | 29 ++ policy/modules/system/sysnetwork.te | 58 +++ 4 files changed, 89 insertions(+), 1 deletion(-)
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 406a11e..40fd54b 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -143,7 +143,7 @@ ifdef(`distro_debian',`
 /lib/upstart(/.*)? gen_context(system_u:object_r:bin_t,s0)
 ifdef(`distro_gentoo',`
-/lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:bin_t,s0)
+#/lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:bin_t,s0)
 /lib/rcscripts/addons(/.*)?gen_context(system_u:object_r:bin_t,s0)
 /lib/rcscripts/sh(/.*)? gen_context(system_u:object_r:bin_t,s0)
diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
index a809d61..d9b674e 100644
--- a/policy/modules/system/sysnetwork.fc
+++ b/policy/modules/system/sysnetwork.fc
@@ -81,6 +81,7 @@ ifdef(`distro_debian',`
 ')
 ifdef(`distro_gentoo',`
+/lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:dhcpc_script_exec_t,s0)
 /var/run/dhcpcd\.sock -s gen_context(system_u:object_r:dhcpc_var_run_t,s0)
 /var/run/dhcpcd\.unpriv\.sock -s gen_context(system_u:object_r:dhcpc_var_run_t,s0)
 ')
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
index 2cea692..86313b6 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -796,3 +796,32 @@ interface(`sysnet_use_portmap',`
 sysnet_read_config($1)
 ')
+
+# This should be after an ifdef distro_gentoo but that is not allowed in an if file
+
+
+## summary
+## Make the specified program domain
+## accessable from the DHCP hooks/scripts.
+## /summary
+## param name=domain
+## summary
+## The type of the process to transition to.
+## /summary
+## /param
+## param name=entrypoint
+## summary
+## The type of the file used as an entrypoint to this domain.
+## /summary
+## /param
+#
+interface(`sysnet_dhcpc_script_entry',`
+ gen_require(`
+ type dhcpc_script_t;
+ attribute_role dhcpc_roles;
+ ')
+
+ role dhcpc_roles types $1;
+
+ domtrans_pattern(dhcpc_script_t, $2, $1)
+')
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 3576536..1dd0817 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
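Review bot: The summary of `sysnet_dhcpc_script_entry` reads `accessable`; it should be `accessible`. More substantively, the interface adds `role dhcpc_roles types $1;` and a `domtrans_pattern` from `dhcpc_script_t` into whatever domain the caller names, so every use widens what an administrator-provided hook can reach; a sentence in the summary noting that `$1` is not restricted and should itself be a confined domain would help callers use it deliberately. The leading `# This should be after an ifdef distro_gentoo ...` comment explains the placement, but since `dhcpc_script_t` is only declared inside `ifdef(`distro_gentoo',`` in sysnetwork.te, a build without that define would likely fail the `gen_require` as soon as any module calls this interface, which is worth stating in that comment.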
@@ -422,4 +422,62 @@ ifdef(`distro_gentoo',`
 optional_policy(`
 resolvconf_client_domain(dhcpc_t)
 ')
+
+ #
+ #
+ # dhcpc_script_t
+ #
+
+ # The purpose of the dhcpc_script_t domain is to handle the post-processing of
+ # the dhcpcd ip renewal. dhcpcd (the tool) supports hooks for this, and I would
+ # assume others do as well. With the dhcpc_script_t domain we can isolate the
+ # privileges of the DHCP client itself from the hooks / flexibility that the developers
+ # introduced.
+
+ type dhcpc_script_t;
+ domain_type(dhcpc_script_t)
+ role dhcpc_roles types dhcpc_script_t;
+
+ type dhcpc_script_exec_t;
+ domain_entry_file(dhcpc_script_t, dhcpc_script_exec_t)
+
+ type dhcpc_script_tmp_t;
+ files_tmp_file(dhcpc_script_tmp_t)
+
+
+ #
+ # dhcpc script policy
+ #
+
+ allow dhcpc_script_t