commit: 62a700f1b822f7637c5841ca119bf247c187d8aa
Author: Russell Coker <russell <AT> coker <DOT> com <DOT> au>
AuthorDate: Wed Jun 18 14:38:43 2025 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Jul 15 07:52:23 2025 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=62a700f1
networking (#937)
* misc small networking patches
Signed-off-by: Russell Coker <russell <AT> coker.com.au>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/kernel/corenetwork.te.in | 2 +-
policy/modules/services/avahi.te | 1 -
policy/modules/services/bind.te | 2 ++
policy/modules/services/networkmanager.te | 4 ++++
policy/modules/services/rpc.fc | 1 +
5 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/policy/modules/kernel/corenetwork.te.in
b/policy/modules/kernel/corenetwork.te.in
index b1649ec3a..b083746ec 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -270,7 +270,7 @@ network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0, tcp,1161,s0)
network_port(socks) # no defined portcon
network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0)
-network_port(spamd, tcp,783,s0)
+network_port(spamd, tcp,783,s0, tcp,11333,s0)
network_port(speech, tcp,8036,s0)
network_port(squid, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp
and htcp
network_port(ssdp, tcp,1900,s0, udp,1900,s0)
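Review bot: Folding TCP 11333 into spamd_port_t gives every domain that already has corenet_*_spamd_port access (spam-filter clients, MTAs) reach to whatever listens on 11333 — presumably rspamd's normal worker, though the hunk does not say. If that sharing is intended, a trailing comment in the style of the squid line below would record it: `network_port(spamd, tcp,783,s0, tcp,11333,s0) # 11333 is rspamd`. If rspamd is expected to get its own policy later, a dedicated rspamd port type would keep the two daemons' clients separable instead of merging them now.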
diff --git a/policy/modules/services/avahi.te b/policy/modules/services/avahi.te
index da7473536..13f98ae81 100644
--- a/policy/modules/services/avahi.te
+++ b/policy/modules/services/avahi.te
@@ -118,4 +118,3 @@ optional_policy(`
optional_policy(`
unconfined_dbus_send(avahi_t)
')
-
diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te
index a3336c28c..ed4b53d0f 100644
--- a/policy/modules/services/bind.te
+++ b/policy/modules/services/bind.te
@@ -224,6 +224,8 @@ allow ndc_t self:capability2 block_suspend;
allow ndc_t self:process { getsched setsched signal_perms };
allow ndc_t self:fifo_file rw_fifo_file_perms;
allow ndc_t self:unix_stream_socket { accept listen };
+allow ndc_t self:anon_inode { create map read write };
+allow ndc_t self:io_uring sqpoll;
allow ndc_t dnssec_t:file read_file_perms;
allow ndc_t dnssec_t:lnk_file read_lnk_file_perms;
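Review bot: The two new self rules open io_uring (including SQPOLL) to ndc_t unconditionally, and the hunk gives no reason for it; the likely trigger is libuv's io_uring backend in recent BIND, but that is a guess here. io_uring is an attack surface many hardened hosts disable outright (kernel.io_uring_disabled), and if libuv falls back to its thread pool when io_uring_setup fails — I believe it does, please confirm — a `dontaudit` of the same anon_inode and io_uring permissions would silence the AVCs without enlarging rndc's kernel attack surface. If the allow is genuinely required, a one-line comment above it naming the consumer, e.g. `# libuv (BIND >= 9.18) io_uring backend`, would spare the next reviewer the same question.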
diff --git a/policy/modules/services/networkmanager.te
b/policy/modules/services/networkmanager.te
index 39d367140..ac20fafbc 100644
--- a/policy/modules/services/networkmanager.te
+++ b/policy/modules/services/networkmanager.te
@@ -71,6 +71,7 @@ allow NetworkManager_t wpa_cli_t:unix_dgram_socket sendto;
allow NetworkManager_t NetworkManager_etc_t:dir list_dir_perms;
allow NetworkManager_t NetworkManager_etc_t:file read_file_perms;
allow NetworkManager_t NetworkManager_etc_t:lnk_file read_lnk_file_perms;
+allow NetworkManager_t NetworkManager_etc_t:dir watch;
manage_dirs_pattern(NetworkManager_t, NetworkManager_etc_rw_t,
NetworkManager_etc_rw_t)
manage_files_pattern(NetworkManager_t, NetworkManager_etc_rw_t,
NetworkManager_etc_rw_t)
@@ -167,7 +168,9 @@ storage_getattr_fixed_disk_dev(NetworkManager_t)
init_read_utmp(NetworkManager_t)
init_dontaudit_write_utmp(NetworkManager_t)
init_domtrans_script(NetworkManager_t)
+init_get_generic_units_status(NetworkManager_t)
init_get_system_status(NetworkManager_t)
+init_search_units(NetworkManager_t)
auth_use_nsswitch(NetworkManager_t)
@@ -351,6 +354,7 @@ optional_policy(`
systemd_watch_logind_runtime_dirs(NetworkManager_t)
systemd_read_logind_sessions_files(NetworkManager_t)
systemd_watch_logind_sessions_dirs(NetworkManager_t)
+ systemd_read_networkd_runtime(NetworkManager_t)
systemd_read_machines(NetworkManager_t)
systemd_watch_machines_dirs(NetworkManager_t)
systemd_write_inherited_logind_inhibit_pipes(NetworkManager_t)
diff --git a/policy/modules/services/rpc.fc b/policy/modules/services/rpc.fc
index 3b6d1c930..fb579bc9d 100644
--- a/policy/modules/services/rpc.fc
+++ b/policy/modules/services/rpc.fc
@@ -20,6 +20,7 @@
/usr/lib/systemd/system/rpc.*\.service --
gen_context(system_u:object_r:rpcd_unit_t,s0)
/usr/sbin/blkmapd -- gen_context(system_u:object_r:blkmapd_exec_t,s0)
+/usr/sbin/fsidd --
gen_context(system_u:object_r:nfsd_exec_t,s0)
/usr/sbin/nfsdcld -- gen_context(system_u:object_r:rpcd_exec_t,s0)
/usr/sbin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0)
/usr/sbin/rpc\.idmapd -- gen_context(system_u:object_r:rpcd_exec_t,s0)
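Review bot: Labeling fsidd as nfsd_exec_t puts it in the same domain as rpc.nfsd, so it inherits everything nfsd_t may do rather than a domain sized to a small helper that answers fsid lookups over a local socket (if that is what this fsidd is — the hunk does not say). Also, if nfs-utils ships a `fsidd.service`, the `rpc.*\.service` pattern on the line above will not match it, so the unit will not get rpcd_unit_t unless added: `/usr/lib/systemd/system/fsidd\.service -- gen_context(system_u:object_r:rpcd_unit_t,s0)`. Worth confirming the unit name and the daemon's runtime socket path against the package before relying on the existing nfsd_t rules to cover it.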