commit:     64cf693da42e01a1c97d6f5f354c01e9466311d8
Author:     Russell Coker <russell <AT> coker <DOT> com <DOT> au>
AuthorDate: Mon Aug  4 13:25:17 2025 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Sep  2 22:04:48 2025 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=64cf693d

strict2 (#1002)

* Another set of small patches needed for strict mode

Signed-off-by: Russell Coker <russell <AT> coker.com.au>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/global_tunables                |  8 ++++++++
 policy/modules/apps/gnome.if          |  2 ++
 policy/modules/apps/mozilla.te        | 12 ++++++++++++
 policy/modules/kernel/corecommands.fc |  1 +
 policy/modules/roles/sysadm.te        | 15 +++++++++++++++
 policy/modules/services/cron.te       |  1 +
 policy/modules/services/ntp.te        |  1 +
 policy/modules/system/init.te         |  1 +
 policy/modules/system/systemd.te      |  2 +-
 policy/modules/system/unconfined.if   |  8 ++++++++
 policy/modules/system/unconfined.te   |  4 ++++
 policy/modules/system/userdomain.if   | 25 +++++++++++++++++++++++++
 12 files changed, 79 insertions(+), 1 deletion(-)

diff --git a/policy/global_tunables b/policy/global_tunables
index 7b7f5fed4..1dd585220 100644
--- a/policy/global_tunables
+++ b/policy/global_tunables
@@ -129,3 +129,11 @@ gen_tunable(user_tcp_server,false)
 ## </p>
 ## </desc>
 gen_tunable(user_udp_server,false)
+
+## <desc>
+## <p>
+## Allow users to execmod tmpfs files, KDE plasmashell needs this
+## the same domain and outside users)
+## </p>
+## </desc>
+gen_tunable(user_execmod_tmpfs,false)
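Review bot: The description of the new tunable is garbled: the line `## the same domain and outside users)` is a dangling fragment with an unmatched parenthesis, apparently left over from another tunable's text, so the rendered documentation will not make sense. Replace the two body lines with `## Allow users to execmod tmpfs files; KDE plasmashell needs this.` Since execmod on tmpfs lets a domain turn writable, memory-backed files into executable mappings (relaxing W^X for those domains), the description should also say what an administrator concedes by enabling it; the `false` default is the right one.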

diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
index f492d7ea1..fe0fe951e 100644
--- a/policy/modules/apps/gnome.if
+++ b/policy/modules/apps/gnome.if
@@ -101,6 +101,8 @@ template(`gnome_role_template',`
        optional_policy(`
                dbus_spec_session_domain($1, $1_gkeyringd_t, gkeyringd_exec_t)
                dbus_system_bus_client($1_gkeyringd_t)
+               dbus_write_session_runtime_socket($1_gkeyringd_t)
+               dbus_getattr_session_runtime_socket($1_gkeyringd_t)
 
                optional_policy(`
                        evolution_dbus_chat($1_gkeyringd_t)

diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
index ff5643801..e9b7e2301 100644
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
@@ -116,11 +116,13 @@ allow mozilla_t mozilla_plugin_rw_t:lnk_file 
read_lnk_file_perms;
 stream_connect_pattern(mozilla_t, mozilla_plugin_tmpfs_t, 
mozilla_plugin_tmpfs_t, mozilla_plugin_t)
 
 manage_files_pattern(mozilla_t, mozilla_xdg_cache_t, mozilla_xdg_cache_t)
+allow mozilla_t mozilla_xdg_cache_t:file map;
 manage_dirs_pattern(mozilla_t, mozilla_xdg_cache_t, mozilla_xdg_cache_t)
 xdg_cache_filetrans(mozilla_t, mozilla_xdg_cache_t, dir, "mozilla")
 
 can_exec(mozilla_t, { mozilla_exec_t mozilla_plugin_rw_t mozilla_plugin_home_t 
})
 
+kernel_read_device_sysctls(mozilla_t)
 kernel_read_kernel_sysctls(mozilla_t)
 kernel_read_network_state(mozilla_t)
 kernel_read_system_state(mozilla_t)
@@ -133,6 +135,7 @@ corecmd_exec_bin(mozilla_t)
 corenet_all_recvfrom_netlabel(mozilla_t)
 corenet_tcp_sendrecv_generic_if(mozilla_t)
 corenet_tcp_sendrecv_generic_node(mozilla_t)
+corenet_udp_bind_generic_node(mozilla_t)
 
 corenet_sendrecv_http_client_packets(mozilla_t)
 corenet_tcp_connect_http_port(mozilla_t)
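Review bot: `corenet_udp_bind_generic_node(mozilla_t)` is added with no comment saying which browser feature produced the denial, so a later reader cannot tell whether the UDP bind is still needed. A one-line comment above it naming the feature, in the style of `# for systemd-analyze` used in sysadm.te in this same commit, would keep the grant auditable. The same applies to `ntp_dbus_chat(mozilla_t)` and `systemd_dbus_chat_logind(mozilla_t)` in the hunk at `@@ -281,6 +285,14 @@`; a browser exchanging D-Bus messages with ntpd in particular is unusual enough that the reason should be recorded, since dbus_chat is bidirectional and also lets ntpd_t message the browser.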
@@ -268,6 +271,7 @@ optional_policy(`
 optional_policy(`
        dbus_all_session_bus_client(mozilla_t)
        dbus_connect_all_session_bus(mozilla_t)
+       dbus_write_session_runtime_socket(mozilla_t)
        dbus_system_bus_client(mozilla_t)
 
        optional_policy(`
@@ -281,6 +285,14 @@ optional_policy(`
        optional_policy(`
                networkmanager_dbus_chat(mozilla_t)
        ')
+
+       optional_policy(`
+               ntp_dbus_chat(mozilla_t)
+       ')
+
+       optional_policy(`
+               systemd_dbus_chat_logind(mozilla_t)
+       ')
 ')
 
 optional_policy(`

diff --git a/policy/modules/kernel/corecommands.fc 
b/policy/modules/kernel/corecommands.fc
index 572dcca78..d0d9b6454 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -356,6 +356,7 @@ ifdef(`distro_debian',`
 /usr/share/hal/scripts(/.*)?           gen_context(system_u:object_r:bin_t,s0)
 /usr/share/ifupdown2/__main__\.py      --      
gen_context(system_u:object_r:bin_t,s0)
 /usr/share/libalpm/scripts(/.*)?       gen_context(system_u:object_r:bin_t,s0)
+/usr/share/libpam-kwallet-common/pam_kwallet_init -- 
gen_context(system_u:object_r:bin_t,s0)
 /usr/share/mc/extfs/.*         --      gen_context(system_u:object_r:bin_t,s0)
 /usr/share/Modules/init(/.*)?          gen_context(system_u:object_r:bin_t,s0)
 /usr/share/org\.gnome\.Weather/org\.gnome\.Weather\.Application        --      
gen_context(system_u:object_r:bin_t,s0)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 34dad783c..928d0dfe1 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -1,5 +1,9 @@
 policy_module(sysadm)
 
+gen_require(`
+       class system status;
+')
+
 ########################################
 #
 # Declarations
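Review bot: The new module-level `gen_require(` block requires `class system status;`, but nothing in this commit's sysadm.te hunks references that class directly; the only related addition is `files_get_etc_unit_status(sysadm_t)` in the hunk at `@@ -64,6 +71,9 @@`, and interfaces carry their own gen_require for the classes they use. If no rule in the unchanged part of the file names `system` directly, this block is dead and can be dropped; if one does, a comment on the block naming that rule would explain why a module-level require is needed. I can only see the hunks, so this is a question rather than a certainty.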
@@ -43,6 +47,9 @@ corecmd_exec_shell(sysadm_t)
 corenet_ib_access_unlabeled_pkeys(sysadm_t)
 corenet_ib_manage_subnet_unlabeled_endports(sysadm_t)
 
+domain_getsched_all_domains(sysadm_t)
+
+dev_read_cpuid(sysadm_t)
 dev_read_kmsg(sysadm_t)
 dev_rw_ipmi_dev(sysadm_t)
 
@@ -64,6 +71,9 @@ init_admin(sysadm_t)
 userdom_manage_user_home_dirs(sysadm_t)
 userdom_home_filetrans_user_home_dir(sysadm_t)
 
+# for systemd-analyze
+files_get_etc_unit_status(sysadm_t)
+
 ifdef(`direct_sysadm_daemon',`
        optional_policy(`
                init_run_daemon(sysadm_t, sysadm_r)
@@ -1109,6 +1119,10 @@ optional_policy(`
        systemd_dbus_chat_hostnamed(sysadm_t)
 ')
 
+optional_policy(`
+       systemd_dbus_chat_logind(sysadm_t)
+')
+
 optional_policy(`
        tboot_run_txtstat(sysadm_t, sysadm_r)
 ')
@@ -1177,6 +1191,7 @@ optional_policy(`
 ')
 
 optional_policy(`
+       dev_rw_generic_usb_dev(sysadm_t)
        usbmodules_run(sysadm_t, sysadm_r)
 ')
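Review bot: `dev_rw_generic_usb_dev(sysadm_t)` is placed inside the usbmodules `optional_policy` block, which makes read/write on generic USB device nodes for sysadm_t conditional on the usbmodules module being present even though the access is exercised by sysadm_t itself, not by the usbmodules domain. If sysadm needs it generally, move it next to `dev_rw_ipmi_dev(sysadm_t)` in the unconditional device section earlier in the file; if it is only needed to drive usbmodules, keep it here with a comment such as `# usbmodules needs sysadm to open the device node itself`. As written, a fairly broad device grant is hidden in an unrelated block.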
 

diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
index 184b383e5..3941fdf1e 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -490,6 +490,7 @@ allow system_cronjob_t crond_tmp_t:file 
rw_inherited_file_perms;
 kernel_getattr_core_if(system_cronjob_t)
 kernel_getattr_message_if(system_cronjob_t)
 
+kernel_read_fs_sysctls(system_cronjob_t)
 kernel_read_irq_sysctls(system_cronjob_t)
 kernel_read_kernel_sysctls(system_cronjob_t)
 kernel_read_network_state(system_cronjob_t)

diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te
index af4ac48ab..5a75f3fce 100644
--- a/policy/modules/services/ntp.te
+++ b/policy/modules/services/ntp.te
@@ -136,6 +136,7 @@ auth_use_nsswitch(ntpd_t)
 
 init_daemon_lock_file(ntpd_lock_t, file, "ntpsec-ntpdate")
 init_exec_script_files(ntpd_t)
+init_get_generic_units_status(ntpd_t)
 
 logging_send_syslog_msg(ntpd_t)
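Review bot: `init_get_generic_units_status(ntpd_t)` lets the time daemon query the status of generic systemd units, which is outside what ntpd normally needs, and the hunk gives no reason for it. Add a comment above the line naming the component that triggered the denial; the `ntpsec-ntpdate` lock-file line two lines above suggests the ntpdate helper, but that is an inference from the visible lines rather than something the hunk states.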
 

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 7a20a5140..c2f33c2bd 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -211,6 +211,7 @@ allow init_t initrc_runtime_t:file { rw_file_perms setattr 
};
 allow init_t init_tmpfs_t:file manage_file_perms;
 fs_tmpfs_filetrans(init_t, init_tmpfs_t, file)
 
+kernel_read_psi(init_t)
 kernel_read_system_state(init_t)
 kernel_share_state(init_t)
 kernel_dontaudit_search_unlabeled(init_t)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 548e2cbd0..637804935 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -2275,7 +2275,7 @@ tunable_policy(`systemd_tmpfiles_manage_all',`
 ')
 
 optional_policy(`
-       dbus_read_lib_files(systemd_tmpfiles_t)
+       dbus_manage_lib_files(systemd_tmpfiles_t)
        dbus_relabel_lib_dirs(systemd_tmpfiles_t)
 ')
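Review bot: Replacing `dbus_read_lib_files` with `dbus_manage_lib_files` for systemd_tmpfiles_t widens the grant from read to create/write/delete on D-Bus library files in one step, and the hunk does not say which tmpfiles.d entry required it. A comment such as `# tmpfiles.d entries create and clean files under the dbus lib dir` above the call would record the reason. Relabel on the directories was already granted on the next line, so the new write access is the only expansion and is the thing a reviewer will want justified.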
 

diff --git a/policy/modules/system/unconfined.if 
b/policy/modules/system/unconfined.if
index 45cb43907..f3e5d3001 100644
--- a/policy/modules/system/unconfined.if
+++ b/policy/modules/system/unconfined.if
@@ -41,6 +41,7 @@ interface(`unconfined_domain_noaudit',`
        allow $1 self:fifo_file manage_fifo_file_perms;
 
        # Manage most namespace capabilities
+       allow $1 self:user_namespace create;
        allow $1 self:cap_userns { audit_write chown dac_override 
dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable 
mknod net_admin net_bind_service net_raw setfcap setgid setpcap setuid 
sys_admin sys_boot sys_chroot sys_module sys_nice sys_pacct sys_ptrace 
sys_rawio sys_resource sys_time sys_tty_config };
        allow $1 self:cap2_userns { audit_read block_suspend bpf mac_admin 
mac_override perfmon syslog wake_alarm };
 
@@ -52,6 +53,12 @@ interface(`unconfined_domain_noaudit',`
 
        allow $1 self:anon_inode { manage_file_perms mounton quotaon 
relabel_file_perms watch watch_mount watch_reads watch_sb watch_with_perm }; 
#selint-disable:S-009
 
+       # used by Chrome for some reason
+       allow $1 self:dir manage_dir_perms;
+
+       # for io_uring
+       allow $1 self:anon_inode { create map read write };
+
        # Userland object managers
        allow $1 self:nscd { admin getgrp gethost getpwd getserv getstat 
shmemgrp shmemhost shmempwd shmemserv };
        allow $1 self:dbus { acquire_svc send_msg };
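Review bot: The new `allow $1 self:anon_inode { create map read write };` under `# for io_uring` overlaps the existing rule three lines above it, `allow $1 self:anon_inode { manage_file_perms mounton ... }`, which, if manage_file_perms has its usual refpolicy expansion, already grants create, read and write, leaving `map` as the only new permission. Folding `map` into the existing rule (keeping its selint-disable comment) or reducing the addition to `allow $1 self:anon_inode map;` avoids two rules for the same object class. Separately, `# used by Chrome for some reason` on the `self:dir manage_dir_perms` rule tells a future reader nothing about what was denied; recording the observed operation (presumably on a /proc entry of the process itself, since that is what carries the domain's own label) would be more useful than the rule alone.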
@@ -66,6 +73,7 @@ interface(`unconfined_domain_noaudit',`
        domain_dontaudit_ptrace_all_domains($1)
        files_unconfined($1)
        fs_unconfined($1)
+       fs_watch_memory_pressure($1)
        selinux_unconfined($1)
        files_get_etc_unit_status($1)
        files_start_etc_service($1)

diff --git a/policy/modules/system/unconfined.te 
b/policy/modules/system/unconfined.te
index 4de7860d9..0942b19fb 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -76,6 +76,10 @@ ifdef(`init_systemd',`
        ')
 ')
 
+tunable_policy(`user_execmod_tmpfs', `
+       userdom_execmod_user_tmpfs_files(unconfined_t)
+')
+
 optional_policy(`
        apache_run_helper(unconfined_t, unconfined_r)
        apache_role(unconfined, unconfined_t, 
unconfined_application_exec_domain, unconfined_r)
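Review bot: The only consumer of `user_execmod_tmpfs` in this commit is unconfined_t, while the tunable's description in global_tunables says it is for users and names KDE plasmashell; the user domain templates in userdomain.if, also touched here, do not reference the tunable. If plasmashell runs in user domains under strict mode, the `tunable_policy` block belongs in the user template (for example in `userdom_login_user_template`, near the new `self:anon_inode` rule) rather than, or in addition to, unconfined.te. If unconfined_t alone is intended, the tunable's description should say so.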

diff --git a/policy/modules/system/userdomain.if 
b/policy/modules/system/userdomain.if
index a5bf52314..35198b4e1 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -151,6 +151,11 @@ template(`userdom_base_user_template',`
                devicekit_dbus_chat_power($1_t)
        ')
 
+       optional_policy(`
+               # allow all users to register fingerprints
+               fprintd_dbus_chat($1_t)
+       ')
+
        optional_policy(`
                kerneloops_dbus_chat($1_t)
        ')
@@ -997,6 +1002,8 @@ template(`userdom_login_user_template', `
 
        allow $1_t self:context contains;
 
+       allow $1_t self:anon_inode { create read write map };
+
        kernel_dontaudit_read_system_state($1_t)
 
        dev_read_sysfs($1_t)
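Review bot: `allow $1_t self:anon_inode { create read write map };` grants every login user domain the ability to create and map anonymous inodes, but unlike the parallel addition in unconfined.if in this commit it carries no comment saying why. Add `# for io_uring` (or whatever the observed denial was) above it; since io_uring is a sizeable kernel attack surface that some hardened deployments disable outright, the reason for enabling it for all users is worth recording, and gating it behind a tunable would let administrators keep it off. userdom_login_user_template starts and ends outside the hunk.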
@@ -4270,6 +4277,24 @@ interface(`userdom_manage_user_tmpfs_files',`
        fs_search_tmpfs($1)
 ')
 
+########################################
+## <summary>
+##     execute and execmod user tmpfs files
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`userdom_execmod_user_tmpfs_files',`
+       gen_require(`
+               type user_tmpfs_t;
+       ')
+
+       allow $1 user_tmpfs_t:file { execute execmod };
+')
+
 ########################################
 ## <summary>
 ##     Get the attributes of a user domain tty.
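Review bot: `userdom_execmod_user_tmpfs_files` grants only `{ execute execmod }` on user_tmpfs_t files; execmod applies to a file-backed mapping, so the caller also needs `map` (and read) on user_tmpfs_t, which nothing in this interface provides and which `manage_files_pattern` in the preceding `userdom_manage_user_tmpfs_files` may not include either. Either add it here, `allow $1 user_tmpfs_t:file { execute execmod map };`, or state in the summary that callers must obtain map/read through another interface. The summary should also follow the house style of the neighbouring interfaces with a capital and a period: `##	Execute and execmod user tmpfs files.`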
