commit: e38b750064a3823324514d83c940bb863287d370
Author: Russell Coker <russell <AT> coker <DOT> com <DOT> au>
AuthorDate: Mon Jun 16 13:19:19 2025 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Jul 15 07:52:23 2025 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e38b7500
New version of the kea PR with the order issues fixed
Signed-off-by: Russell Coker <russell <AT> coker.com.au>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/services/dhcp.fc | 4 ++++
policy/modules/services/dhcp.te | 15 ++++++++++++++-
policy/modules/system/sysnetwork.fc | 3 ++-
policy/modules/system/sysnetwork.te | 1 +
4 files changed, 21 insertions(+), 2 deletions(-)
diff --git a/policy/modules/services/dhcp.fc b/policy/modules/services/dhcp.fc
index 97d409dd0..69548e8fa 100644
--- a/policy/modules/services/dhcp.fc
+++ b/policy/modules/services/dhcp.fc
@@ -5,9 +5,13 @@
/usr/bin/dhcpd.* -- gen_context(system_u:object_r:dhcpd_exec_t,s0)
/usr/sbin/dhcpd.* -- gen_context(system_u:object_r:dhcpd_exec_t,s0)
+/usr/sbin/kea-.* -- gen_context(system_u:object_r:dhcpd_exec_t,s0)
/var/lib/dhcpd(/.*)? gen_context(system_u:object_r:dhcpd_state_t,s0)
/var/lib/dhcp(3)?/dhcpd\.leases.* --
gen_context(system_u:object_r:dhcpd_state_t,s0)
/var/lib/dhcp/dhcpd6\.leases.* --
gen_context(system_u:object_r:dhcpd_state_t,s0)
+/var/lib/kea(/.*)? gen_context(system_u:object_r:dhcpd_state_t,s0)
/run/dhcpd(6)?\.pid --
gen_context(system_u:object_r:dhcpd_runtime_t,s0)
+/run/kea(/.*)?
gen_context(system_u:object_r:dhcpd_runtime_t,s0)
+/run/lock/kea/.* -- gen_context(system_u:object_r:dhcpd_lock_t,s0)
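Review bot: The new `/usr/sbin/kea-.*` entry has no `/usr/bin` counterpart, unlike the `dhcpd.*` entries just above it, which cover both directories. On a distribution that installs the Kea daemons under /usr/bin, the binaries would keep their default label and presumably never transition into dhcpd_t, so the daemon would run outside the confinement this policy intends. Consider adding `/usr/bin/kea-.* -- gen_context(system_u:object_r:dhcpd_exec_t,s0)`. The `kea-.*` pattern also makes every kea-prefixed helper a dhcpd_t entry point, so it is worth confirming that all of them are meant to run in that domain.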
diff --git a/policy/modules/services/dhcp.te b/policy/modules/services/dhcp.te
index e6bea94ba..0a66daa93 100644
--- a/policy/modules/services/dhcp.te
+++ b/policy/modules/services/dhcp.te
@@ -1,3 +1,4 @@
+
policy_module(dhcp)
########################################
@@ -20,6 +21,9 @@ init_daemon_domain(dhcpd_t, dhcpd_exec_t)
type dhcpd_initrc_exec_t;
init_script_file(dhcpd_initrc_exec_t)
+type dhcpd_lock_t;
+files_lock_file(dhcpd_lock_t)
+
type dhcpd_runtime_t alias dhcpd_var_run_t;
files_runtime_file(dhcpd_runtime_t)
@@ -39,12 +43,16 @@ init_unit_file(dhcpd_unit_t)
allow dhcpd_t self:capability { chown dac_override net_raw setgid setuid
sys_chroot sys_resource };
dontaudit dhcpd_t self:capability { net_admin sys_tty_config };
-allow dhcpd_t self:process { getcap setcap signal_perms };
+allow dhcpd_t self:process { setsched getcap setcap signal_perms };
allow dhcpd_t self:fifo_file rw_fifo_file_perms;
allow dhcpd_t self:tcp_socket { accept listen };
allow dhcpd_t self:packet_socket create_socket_perms;
allow dhcpd_t self:rawip_socket create_socket_perms;
+# for /run/lock/kea
+allow dhcpd_t dhcpd_lock_t:file manage_file_perms;
+files_lock_filetrans(dhcpd_t, dhcpd_lock_t, file)
+
manage_files_pattern(dhcpd_t, dhcpd_state_t, dhcpd_state_t)
sysnet_dhcp_state_filetrans(dhcpd_t, dhcpd_state_t, file)
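Review bot: `setsched` is added to `allow dhcpd_t self:process` without a comment, while the lock-file rules added a few lines below carry `# for /run/lock/kea`. Because dhcpd_t is shared with the existing dhcpd binaries, every daemon in the domain gains the permission, and someone auditing the policy later cannot tell why it is there. A one-line comment above the rule naming the component that triggered the denial would do, e.g. `# kea changes its thread scheduling parameters`. Word it to match the actual AVC denial, since the reason is not visible in this hunk.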
@@ -55,6 +63,8 @@ files_tmp_filetrans(dhcpd_t, dhcpd_tmp_t, { dir file })
manage_files_pattern(dhcpd_t, dhcpd_runtime_t, dhcpd_runtime_t)
files_runtime_filetrans(dhcpd_t, dhcpd_runtime_t, file)
+allow dhcpd_t dhcpd_runtime_t:sock_file manage_sock_file_perms;
+
can_exec(dhcpd_t, dhcpd_exec_t)
kernel_read_system_state(dhcpd_t)
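Review bot: The new `allow dhcpd_t dhcpd_runtime_t:sock_file manage_sock_file_perms;` is a raw allow rule placed right after two lines that use pattern macros for the same type. For consistency it could be `manage_sock_files_pattern(dhcpd_t, dhcpd_runtime_t, dhcpd_runtime_t)`, with a comment such as `# kea control sockets under /run/kea`. Note also that `files_runtime_filetrans` on the preceding line lists only `file`, so a socket created directly in /run rather than inside the labelled /run/kea directory would presumably not receive dhcpd_runtime_t.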
@@ -76,6 +86,9 @@ corenet_sendrecv_icmp_packets(dhcpd_t)
corenet_tcp_bind_dhcpd_port(dhcpd_t)
corenet_udp_bind_dhcpd_port(dhcpd_t)
+# for kea which needs port 8000 (common alternative web server port)
+corenet_tcp_bind_soundd_port(dhcpd_t)
+
corenet_sendrecv_pxe_server_packets(dhcpd_t)
corenet_udp_bind_pxe_port(dhcpd_t)
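Review bot: `corenet_tcp_bind_soundd_port(dhcpd_t)` grants bind on every port labelled soundd_port_t, not only 8000, and it does so for everything in dhcpd_t, including the existing dhcpd binaries, which presumably do not need it. The comment should say which Kea component listens there (presumably the control agent's HTTP API) and that the soundd label appears only because port 8000 carries it, for example `# kea-ctrl-agent HTTP API defaults to tcp/8000, which is labelled soundd_port_t`. Since the listening port is configurable in Kea, it may be worth putting this rule behind a tunable so that sites without the control agent do not carry the extra bind permission.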
diff --git a/policy/modules/system/sysnetwork.fc
b/policy/modules/system/sysnetwork.fc
index 08fe24ca9..947410960 100644
--- a/policy/modules/system/sysnetwork.fc
+++ b/policy/modules/system/sysnetwork.fc
@@ -13,12 +13,13 @@ ifdef(`distro_debian',`
/etc/dhclient-script -- gen_context(system_u:object_r:dhcp_etc_t,s0)
/etc/dhcpc.* gen_context(system_u:object_r:dhcp_etc_t,s0)
/etc/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
-/etc/dhcp/dhcpd\.conf -- gen_context(system_u:object_r:dhcp_etc_t,s0)
+/etc/dhcp/dhcpd6?\.conf --
gen_context(system_u:object_r:dhcp_etc_t,s0)
/etc/ethers -- gen_context(system_u:object_r:net_conf_t,s0)
/etc/hosts -- gen_context(system_u:object_r:net_conf_t,s0)
/etc/hosts\.allow.* -- gen_context(system_u:object_r:net_conf_t,s0)
/etc/hosts\.deny.* -- gen_context(system_u:object_r:net_conf_t,s0)
/etc/hostname -- gen_context(system_u:object_r:net_conf_t,s0)
+/etc/kea(/.*)? gen_context(system_u:object_r:dhcp_etc_t,s0)
/etc/denyhosts.* -- gen_context(system_u:object_r:net_conf_t,s0)
/etc/machine-info -- gen_context(system_u:object_r:net_conf_t,s0)
/etc/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
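Review bot: `/etc/kea(/.*)?` is given dhcp_etc_t, the same type used for the DHCP client files in this list (`/etc/dhclient-script`, `/etc/dhcpc.*`), so every domain allowed to read dhcp_etc_t can read the whole Kea configuration tree. Kea configuration files can contain database and control-API credentials, which makes this broader than the dhcpd.conf case. If no dedicated type is wanted, a comment above the entry stating that the shared label is deliberate would help; otherwise a separate type for the server configuration, readable only by dhcpd_t, would keep it away from client domains. Which domains actually hold read access to dhcp_etc_t is not visible in this hunk.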
diff --git a/policy/modules/system/sysnetwork.te
b/policy/modules/system/sysnetwork.te
index cc2182cc6..7c52fc109 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -77,6 +77,7 @@ allow dhcpc_t self:netlink_kobject_uevent_socket
create_socket_perms;
allow dhcpc_t self:netlink_route_socket create_netlink_socket_perms;
allow dhcpc_t self:rawip_socket create_socket_perms;
allow dhcpc_t self:unix_dgram_socket { create_socket_perms sendto };
+allow dhcpc_t self:unix_stream_socket connectto;
allow dhcpc_t dhcp_etc_t:dir list_dir_perms;
read_lnk_files_pattern(dhcpc_t, dhcp_etc_t, dhcp_etc_t)
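Review bot: The added `allow dhcpc_t self:unix_stream_socket connectto;` applies to dhcpc_t, the DHCP client domain, while the commit message and the other hunks are about the Kea server running in dhcpd_t. Nothing in the hunk says which client needs to connect to a stream socket of its own domain, so it is unclear whether this belongs to the Kea change or was meant for dhcpd_t. Please add a comment naming the program that triggered it, or move the rule to dhcp.te if that is where the denial came from.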