commit:     adcdead0e14e1c7efd8c70698930e6f5d1ff441a
Author:     Russell Coker <russell <AT> coker <DOT> com <DOT> au>
AuthorDate: Tue Jul 29 14:10:51 2025 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Sep  2 22:04:48 2025 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=adcdead0

misc-kernel-system (#1003)

* A set of small changes to kernel- and system-related policy

Signed-off-by: Russell Coker <russell <AT> coker.com.au>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/admin/netutils.te          |  2 +-
 policy/modules/admin/usermanage.te        |  4 +++-
 policy/modules/kernel/corecommands.fc     |  3 +++
 policy/modules/kernel/domain.if           |  2 +-
 policy/modules/kernel/filesystem.if       | 19 +++++++++++++++++++
 policy/modules/kernel/filesystem.te       |  1 +
 policy/modules/kernel/kernel.te           |  1 +
 policy/modules/kernel/storage.fc          |  1 +
 policy/modules/services/iiosensorproxy.te |  5 ++++-
 policy/modules/system/fstools.fc          |  2 ++
 policy/modules/system/init.te             |  7 +++++++
 policy/modules/system/iptables.te         |  4 ++++
 policy/modules/system/logging.te          |  5 +++--
 policy/modules/system/lvm.if              |  1 +
 policy/modules/system/lvm.te              |  2 ++
 policy/modules/system/miscfiles.fc        |  2 ++
 policy/modules/system/modutils.te         |  5 ++++-
 policy/modules/system/mount.te            |  4 ++++
 policy/modules/system/sysnetwork.te       |  5 +++++
 policy/modules/system/systemd.te          |  4 ++--
 policy/modules/system/udev.te             |  3 +++
 policy/modules/system/unconfined.te       |  4 ++++
 policy/modules/system/xen.te              |  1 +
 23 files changed, 78 insertions(+), 9 deletions(-)

diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index 63d2f9cb8..d3e372717 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -184,7 +184,7 @@ userdom_use_inherited_user_terminals(ss_t)
 
 allow traceroute_t self:capability { net_admin net_raw setgid setuid };
 allow traceroute_t self:fifo_file rw_inherited_fifo_file_perms;
-allow traceroute_t self:process signal;
+allow traceroute_t self:process { signal getsched };
 allow traceroute_t self:netlink_generic_socket create_socket_perms;
 allow traceroute_t self:rawip_socket create_socket_perms;
 allow traceroute_t self:packet_socket { create_socket_perms map };

diff --git a/policy/modules/admin/usermanage.te 
b/policy/modules/admin/usermanage.te
index 230f4dfd8..a91b61bf9 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -69,7 +69,7 @@ role useradd_roles types useradd_t;
 # Chfn local policy
 #
 
-allow chfn_t self:capability { chown dac_override fsetid setgid setuid 
sys_resource };
+allow chfn_t self:capability { chown dac_override fsetid setgid setuid 
sys_ptrace sys_resource };
 allow chfn_t self:process { dyntransition getattr getcap getpgid getrlimit 
getsched getsession noatsecure rlimitinh setcap setfscreate setkeycreate 
setpgid setrlimit setsched setsockcreate share siginh sigkill signal signull 
sigstop transition };
 allow chfn_t self:fd use;
 allow chfn_t self:fifo_file rw_fifo_file_perms;
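Review bot: The `sys_ptrace` added to the chfn_t capability line is a real privilege grant on a setuid program, and nothing in the hunk says which access triggers it. In this tree, `sys_ptrace` denials from setuid tools are usually spurious (a check fired while reading another uid's /proc entry) and the customary treatment is `dontaudit chfn_t self:capability sys_ptrace;` rather than `allow`. If chfn genuinely needs it, a one-line comment naming the path it reads (`# for reading /proc/PID/... of ...`) would let the next reviewer judge the grant. I cannot tell from this diff which of the two cases applies.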
@@ -206,6 +206,8 @@ kernel_getattr_proc(groupadd_t)
 # for getting the number of groups
 kernel_read_kernel_sysctls(groupadd_t)
 
+kernel_search_fs_sysctls(groupadd_t)
+
 fs_getattr_xattr_fs(groupadd_t)
 fs_search_auto_mountpoints(groupadd_t)
 

diff --git a/policy/modules/kernel/corecommands.fc 
b/policy/modules/kernel/corecommands.fc
index 1720a525b..572dcca78 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -52,6 +52,8 @@ ifdef(`distro_redhat',`
 /etc/kde/env(/.*)?                     gen_context(system_u:object_r:bin_t,s0)
 /etc/kde/shutdown(/.*)?                        
gen_context(system_u:object_r:bin_t,s0)
 
+/etc/letsencrypt/renewal-hooks/.* --   gen_context(system_u:object_r:bin_t,s0)
+
 /etc/mail/make                 --      gen_context(system_u:object_r:bin_t,s0)
 
 /etc/mcelog/.*-trigger         --      gen_context(system_u:object_r:bin_t,s0)
@@ -377,6 +379,7 @@ ifdef(`distro_debian',`
 /usr/share/texmf/web2c/mktexdir        --      
gen_context(system_u:object_r:bin_t,s0)
 /usr/share/texmf-dist/scripts(/.*)?    gen_context(system_u:object_r:bin_t,s0)
 /usr/share/turboprint/lib(/.*)?        --      
gen_context(system_u:object_r:bin_t,s0)
+/usr/share/unattended-upgrades/.* --   gen_context(system_u:object_r:bin_t,s0)
 /usr/share/vhostmd/scripts(/.*)?       gen_context(system_u:object_r:bin_t,s0)
 
 /usr/X11R6/lib(64)?/X11/xkb/xkbcomp -- gen_context(system_u:object_r:bin_t,s0)

diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
index a2b90e87f..52a7caf55 100644
--- a/policy/modules/kernel/domain.if
+++ b/policy/modules/kernel/domain.if
@@ -631,7 +631,7 @@ interface(`domain_read_all_domains_state',`
 
 ########################################
 ## <summary>
-##     Get the attributes of all domains of all domains.
+##     Get the attributes of all domains
 ## </summary>
 ## <param name="domain">
 ##     <summary>

diff --git a/policy/modules/kernel/filesystem.if 
b/policy/modules/kernel/filesystem.if
index 46961c7b8..6249f70c8 100644
--- a/policy/modules/kernel/filesystem.if
+++ b/policy/modules/kernel/filesystem.if
@@ -2326,6 +2326,25 @@ interface(`fs_dontaudit_getattr_configfs',`
        dontaudit $1 configfs_t:filesystem getattr;
 ')
 
+#######################################
+## <summary>
+##     Create, read, write, and delete dirs
+##     on a configfs filesystem.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`fs_getattr_configfs_dirs',`
+       gen_require(`
+               type configfs_t;
+       ')
+
+       allow $1 configfs_t:dir getattr;
+')
+
 #######################################
 ## <summary>
 ##     Create, read, write, and delete dirs
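Review bot: The `<summary>` of the new `fs_getattr_configfs_dirs` interface reads `Create, read, write, and delete dirs on a configfs filesystem`, but the body only grants `allow $1 configfs_t:dir getattr;`; the text was evidently copied from the interface that follows it. Interface summaries are what policy authors read when choosing a call, so an over-stated one leads to the wrong interface being picked and to broader access than intended. Replace it with `##     Get the attributes of directories on a configfs filesystem.`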

diff --git a/policy/modules/kernel/filesystem.te 
b/policy/modules/kernel/filesystem.te
index 2fcbd3d95..0c3bba4e7 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -283,6 +283,7 @@ type dosfs_t;
 fs_noxattr_type(dosfs_t)
 files_mountpoint(dosfs_t)
 allow dosfs_t fs_t:filesystem associate;
+genfscon exfat / gen_context(system_u:object_r:dosfs_t,s0)
 genfscon fat / gen_context(system_u:object_r:dosfs_t,s0)
 genfscon hfs / gen_context(system_u:object_r:dosfs_t,s0)
 genfscon hfsplus / gen_context(system_u:object_r:dosfs_t,s0)

diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index d54ecb18b..3751b3082 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -235,6 +235,7 @@ sid tcp_socket              
gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
 #
 
 allow kernel_t self:capability { audit_control audit_write chown dac_override 
dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable 
mknod net_admin net_bind_service net_broadcast net_raw setfcap setgid setpcap 
setuid sys_admin sys_boot sys_chroot sys_nice sys_pacct sys_ptrace sys_rawio 
sys_resource sys_time sys_tty_config };
+allow kernel_t self:capability2 checkpoint_restore;
 allow kernel_t self:process { dyntransition getattr getcap getpgid getrlimit 
getsched getsession noatsecure rlimitinh setcap setkeycreate setpgid setsched 
setsockcreate share siginh signal_perms transition };
 allow kernel_t self:shm create_shm_perms;
 allow kernel_t self:sem create_sem_perms;
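Review bot: `allow kernel_t self:capability2 checkpoint_restore;` is added with no comment saying what needs it, and CAP_CHECKPOINT_RESTORE is not an obvious requirement for kernel threads. kernel_t is also the domain early-boot userspace runs in before policy load, so presumably this comes from systemd or an initramfs tool, but that is a guess from the hunk. A short why-comment above the line (`# for <tool> in the initramfs: <operation>`) would make the grant reviewable later.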

diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc
index 9cd280c25..5045fde75 100644
--- a/policy/modules/kernel/storage.fc
+++ b/policy/modules/kernel/storage.fc
@@ -33,6 +33,7 @@
 /dev/mmcblk.*          -b      
gen_context(system_u:object_r:removable_device_t,s0)
 /dev/mmcblk.*          -c      
gen_context(system_u:object_r:removable_device_t,s0)
 /dev/mspblk.*          -b      
gen_context(system_u:object_r:removable_device_t,s0)
+/dev/mpt[23]?ctl       -c      
gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/mtd.*             -b      
gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/mtd.*             -c      
gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
 /dev/nb[^/]+           -b      
gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)

diff --git a/policy/modules/services/iiosensorproxy.te 
b/policy/modules/services/iiosensorproxy.te
index 4868cdfc5..baac2fece 100644
--- a/policy/modules/services/iiosensorproxy.te
+++ b/policy/modules/services/iiosensorproxy.te
@@ -37,7 +37,8 @@ init_daemon_domain(iiosensorproxy_t, iiosensorproxy_exec_t)
 # Local policy
 #
 
-allow iiosensorproxy_t self:netlink_kobject_uevent_socket { bind create 
getattr read setopt };
+dontaudit iiosensorproxy_t self:capability net_admin;
+allow iiosensorproxy_t self:netlink_kobject_uevent_socket { getopt bind create 
getattr read setopt };
 allow iiosensorproxy_t self:process { getsched setsched };
 allow iiosensorproxy_t self:unix_dgram_socket { create write };
 
@@ -48,6 +49,8 @@ dev_read_iio(iiosensorproxy_t)
 # for /sys/bus/iio/devices/* (which links to /sys/devices/pci*)
 dev_read_sysfs(iiosensorproxy_t)
 
+dev_write_sysfs_dirs(iiosensorproxy_t)
+
 # for writing to current_trigger and to enable devices
 # 
/sys/devices/pci0000:00/0000:00:13.0/{33AECD58-B679-4E54-9BD9-A04D34F0C226}/001F:8087:0AC2.0005/HID-SENSOR-200083.21.auto/iio:device8/buffer/enable
 dev_write_sysfs(iiosensorproxy_t)
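Review bot: `dev_write_sysfs_dirs(iiosensorproxy_t)` is added without a comment, while the neighbouring `dev_write_sysfs` call documents the exact sysfs path that needs it. Write access on a sysfs directory is unusual (sysfs has no user-creatable entries), so this is more likely a probe or an open-for-write that never creates anything than a real write, but the hunk does not show which. Either add the triggering path as a comment above the call, or if the denial is harmless, make it a `dontaudit` rather than an `allow`.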

diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
index 1f0e104aa..92a7722ae 100644
--- a/policy/modules/system/fstools.fc
+++ b/policy/modules/system/fstools.fc
@@ -2,6 +2,7 @@
 /usr/bin/badblocks             --      
gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/bin/blkid                 --      
gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/bin/blockdev              --      
gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/bin/btrfs                 --      
gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/bin/cfdisk                        --      
gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/bin/clubufflush           --      
gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/bin/delpart               --      
gen_context(system_u:object_r:fsadm_exec_t,s0)
@@ -71,6 +72,7 @@
 /usr/sbin/fatsort              --      
gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/sbin/fdisk                        --      
gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/sbin/findfs               --      
gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/fstrim               --      
gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/sbin/fsck.*               --      
gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/sbin/gdisk                        --      
gen_context(system_u:object_r:fsadm_exec_t,s0)
 /usr/sbin/hdparm               --      
gen_context(system_u:object_r:fsadm_exec_t,s0)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 854a36056..7a20a5140 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -179,6 +179,9 @@ allow init_t self:capability2 { block_suspend wake_alarm };
 
 allow init_t self:fifo_file rw_fifo_file_perms;
 
+# for /run/systemd/unit-root/proc/$PID/loginuid
+allow init_t self:file mounton;
+
 # Re-exec itself
 can_exec(init_t, init_exec_t)
 
@@ -334,6 +337,9 @@ ifdef(`init_systemd',`
        # slices when containers are started and stopped
        domain_setpriority_all_domains(init_t)
 
+       # init opens device nodes for getty and needs to be inherited everywhere
+       domain_interactive_fd(init_t)
+
        allow init_t init_runtime_t:{ dir file } watch;
        manage_files_pattern(init_t, init_runtime_t, init_runtime_t)
        manage_lnk_files_pattern(init_t, init_runtime_t, init_runtime_t)
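Review bot: As I read it, `domain_interactive_fd(init_t)` puts init_t on the attribute that `domain_use_interactive_fds()` grants `fd:use` on, so every domain already calling that interface - most daemons - can now use any descriptor inherited from init_t, not just the getty terminals the comment mentions. That widens the exposure of anything init_t leaks across exec (notify sockets, listen fds, journal streams) well beyond the stated justification. If only the tty-inheriting daemon needs it, `init_use_fds()` for that one domain is the narrower fix; if it really is needed everywhere, expand the comment to say why. The enclosing `ifdef(`init_systemd'` block starts above the hunk.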
@@ -1202,6 +1208,7 @@ ifdef(`init_systemd',`
        init_get_all_units_status(initrc_t)
        init_manage_var_lib_files(initrc_t)
        init_rw_stream_sockets(initrc_t)
+       init_stop_system(initrc_t)
 
        # Create /etc/audit.rules.prev after firstboot remediation
        logging_manage_audit_config(initrc_t)

diff --git a/policy/modules/system/iptables.te 
b/policy/modules/system/iptables.te
index 639052f88..73f38109c 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -168,3 +168,7 @@ optional_policy(`
        # this is for iptables_t to inherit a file handle from xen vif-bridge
        udev_manage_runtime_files(iptables_t)
 ')
+
+optional_policy(`
+       unconfined_use_fds(iptables_t)
+')

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 4f7041910..64e3a7c59 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -507,10 +507,10 @@ userdom_dontaudit_search_user_home_dirs(syslogd_t)
 
 ifdef(`init_systemd',`
        # for systemd-journal
-       allow syslogd_t self:capability audit_control;
        allow syslogd_t self:netlink_audit_socket connected_socket_perms;
        allow syslogd_t self:capability2 audit_read;
-       allow syslogd_t self:capability { chown setgid setuid sys_ptrace };
+       allow syslogd_t self:capability { chown setgid setuid sys_ptrace 
audit_control };
+       allow syslogd_t self:cap_userns sys_ptrace;
        allow syslogd_t self:netlink_audit_socket { getattr getopt nlmsg_write 
read setopt write };
 
        # remove /run/log/journal when switching to permanent storage
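Review bot: The merged capability set on the new side, `{ chown setgid setuid sys_ptrace audit_control }`, is no longer sorted; refpolicy keeps permission sets alphabetical, so it should read `{ audit_control chown setgid setuid sys_ptrace }`. The new `allow syslogd_t self:cap_userns sys_ptrace;` also deserves a why-comment, since it lets journald exercise ptrace-class capability inside user namespaces (presumably to read /proc of containerised clients) and other domains in this tree generally dontaudit that class instead. The surrounding `ifdef(`init_systemd'` block continues past the hunk.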
@@ -529,6 +529,7 @@ ifdef(`init_systemd',`
 
        domain_getattr_all_domains(syslogd_t)
        domain_read_all_domains_state(syslogd_t)
+       domain_signull_all_domains(syslogd_t)
 
        fs_list_cgroup_dirs(syslogd_t)
        fs_getattr_nsfs_files(syslogd_t)

diff --git a/policy/modules/system/lvm.if b/policy/modules/system/lvm.if
index a80a1b532..0c15f951f 100644
--- a/policy/modules/system/lvm.if
+++ b/policy/modules/system/lvm.if
@@ -61,6 +61,7 @@ interface(`lvm_run',`
 
        lvm_domtrans($1)
        role $2 types lvm_t;
+       allow $1 lvm_t:sem rw_sem_perms;
 ')
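Review bot: The new `allow $1 lvm_t:sem rw_sem_perms;` changes what `lvm_run()` grants beyond a domain transition plus role assignment, but the interface's `<summary>`/`<desc>` above the hunk (not visible here) presumably still describes only running lvm in the lvm domain; the semaphore access should be documented there. Also consider whether this belongs in `lvm_domtrans()` instead: if the trigger is the SysV semaphore lvm uses for udev synchronisation, a caller that only transitions (without the role) will hit the same wait, yet as written only `lvm_run` callers get it.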
 
 ########################################

diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index 7794e587e..853a4c519 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -254,6 +254,8 @@ optional_policy(`
 ')
 
 optional_policy(`
+       apt_use_fds(lvm_t)
+
        dpkg_script_rw_pipes(lvm_t)
 ')
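Review bot: `apt_use_fds(lvm_t)` is placed inside the existing `optional_policy` block that already holds `dpkg_script_rw_pipes(lvm_t)`, but apt and dpkg are separate policy modules, and refpolicy's convention is one module per `optional_policy()` so that the absence of either module does not silently drop the other's rules at link time. Move the apt call into its own `optional_policy(` ... `')` block, placed before the dpkg block to keep alphabetical order.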
 

diff --git a/policy/modules/system/miscfiles.fc 
b/policy/modules/system/miscfiles.fc
index c446607ff..6e81adb82 100644
--- a/policy/modules/system/miscfiles.fc
+++ b/policy/modules/system/miscfiles.fc
@@ -12,6 +12,8 @@ ifdef(`distro_gentoo',`
 /etc/httpd/alias/[^/]*\.db(\.[^/]*)* -- 
gen_context(system_u:object_r:cert_t,s0)
 /etc/httpd/conf/ssl(/.*)?      --      
gen_context(system_u:object_r:tls_privkey_t,s0)
 /etc/httpd/conf/ssl/.*\.crt    --      gen_context(system_u:object_r:cert_t,s0)
+/etc/letsencrypt/archive/[^/]+/privkey.* --    
gen_context(system_u:object_r:tls_privkey_t,s0)
+/etc/letsencrypt/keys(/.*)?    gen_context(system_u:object_r:tls_privkey_t,s0)
 /etc/localtime         --      gen_context(system_u:object_r:locale_t,s0)
 /etc/pki(/.*)?                 gen_context(system_u:object_r:cert_t,s0)
 /etc/pki/.*/private(/.*)?      gen_context(system_u:object_r:tls_privkey_t,s0)
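Review bot: The two new contexts label existing key material, but a file-context entry alone does not affect files created later: when certbot rotates a key it writes a new `privkeyN.pem` into `/etc/letsencrypt/archive/<name>/`, and that file inherits the parent directory's type until a `restorecon` runs unless the certbot domain has a `filetrans_pattern` to `tls_privkey_t` for that directory. That transition is not in this diff, so please confirm it exists in certbot.te or add it; otherwise a freshly generated private key sits under a generic, widely readable type. The regex `archive/[^/]+/privkey.*` itself matches certbot's `privkey1.pem`, `privkey2.pem` naming correctly.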

diff --git a/policy/modules/system/modutils.te 
b/policy/modules/system/modutils.te
index 5132d15ef..f50f40f2a 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -34,7 +34,7 @@ ifdef(`init_systemd',`
 # insmod local policy
 #
 
-allow kmod_t self:capability { dac_override net_raw sys_nice sys_tty_config };
+allow kmod_t self:capability { dac_override dac_read_search net_raw sys_nice 
sys_tty_config };
 allow kmod_t self:process { execmem sigchld sigkill signal signull sigstop };
 # for the radeon/amdgpu modules
 dontaudit kmod_t self:capability sys_admin;
@@ -112,6 +112,7 @@ init_use_script_ptys(kmod_t)
 logging_send_syslog_msg(kmod_t)
 logging_search_logs(kmod_t)
 
+miscfiles_read_generic_certs(kmod_t)
 miscfiles_read_localization(kmod_t)
 
 seutil_read_file_contexts(kmod_t)
@@ -141,6 +142,8 @@ optional_policy(`
        dpkg_manage_script_tmp_files(kmod_t)
        dpkg_map_script_tmp_files(kmod_t)
        dpkg_read_script_tmp_symlinks(kmod_t)
+       apt_use_fds(kmod_t)
+       apt_use_ptys(kmod_t)
 ')
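Review bot: `apt_use_fds(kmod_t)` and `apt_use_ptys(kmod_t)` are appended to what appears to be the dpkg `optional_policy` block (its opening line is above the hunk), but apt and dpkg are separate modules, and the convention is one module per `optional_policy()` so that a missing dpkg module does not also drop the apt rules. Give the two apt calls their own `optional_policy(` ... `')` block and place it before the dpkg block, which also restores the alphabetical ordering the file uses.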
 
 optional_policy(`

diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index 6cedcd456..473626e15 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -247,6 +247,10 @@ optional_policy(`
        samba_run_smbmount(mount_t, mount_roles)
 ')
 
+optional_policy(`
+       ssh_rw_pipes(mount_t)
+')
+
 ########################################
 #
 # Unconfined mount local policy

diff --git a/policy/modules/system/sysnetwork.te 
b/policy/modules/system/sysnetwork.te
index 7c52fc109..8a7fd31ca 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -138,6 +138,7 @@ corenet_sendrecv_icmp_packets(dhcpc_t)
 
 dev_read_sysfs(dhcpc_t)
 # for SSP:
+dev_read_rand(dhcpc_t)
 dev_read_urand(dhcpc_t)
 
 domain_use_interactive_fds(dhcpc_t)
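Review bot: `dev_read_rand(dhcpc_t)` is inserted directly under the `# for SSP:` comment, which now reads as though stack-protector setup used /dev/random; the existing `dev_read_urand` call is what that comment was written for, and the blocking device is presumably opened for something else (client-id or xid generation, but the hunk does not show it). Move the new call above the comment, or give it its own, e.g. `# for client identifier generation` once the actual consumer is confirmed.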
@@ -163,6 +164,7 @@ term_dontaudit_use_unallocated_ttys(dhcpc_t)
 term_dontaudit_use_generic_ptys(dhcpc_t)
 
 init_rw_utmp(dhcpc_t)
+init_get_system_status(dhcpc_t)
 
 logging_send_syslog_msg(dhcpc_t)
 
@@ -190,7 +192,10 @@ ifdef(`init_systemd',`
        init_read_state(dhcpc_t)
        init_stream_connect(dhcpc_t)
        init_get_all_units_status(dhcpc_t)
+       init_getattr_generic_units_files(dhcpc_t)
        init_search_units(dhcpc_t)
+       systemd_list_resolved_runtime(dhcpc_t)
+       systemd_read_networkd_runtime(dhcpc_t)
 
        optional_policy(`
                systemd_dbus_chat_resolved(dhcpc_t)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 334d2c5fc..548e2cbd0 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -588,8 +588,6 @@ allow systemd_generator_t self:vsock_socket create;
 
 allow systemd_generator_t self:netlink_route_socket { create read bind getattr 
write nlmsg_read };
 
-init_getattr_generic_units_files(systemd_generator_t)
-
 allow systemd_generator_t systemd_user_runtime_unit_t:dir manage_dir_perms;
 allow systemd_generator_t systemd_user_runtime_unit_t:file manage_file_perms;
 allow systemd_generator_t systemd_user_runtime_unit_t:lnk_file create;
@@ -608,6 +606,8 @@ kernel_dontaudit_search_unlabeled(systemd_generator_t)
 # vmware_vsock
 kernel_request_load_module(systemd_generator_t)
 
+init_getattr_generic_units_files(systemd_generator_t)
+
 corecmd_exec_shell(systemd_generator_t)
 corecmd_exec_bin(systemd_generator_t)
 

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index b7864d240..e99a72a0a 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -458,7 +458,10 @@ domain_use_interactive_fds(udevadm_t)
 files_read_etc_files(udevadm_t)
 files_read_usr_files(udevadm_t)
 
+fs_getattr_cgroup(udevadm_t)
+fs_getattr_tmpfs(udevadm_t)
 fs_getattr_xattr_fs(udevadm_t)
+fs_search_cgroup_dirs(udevadm_t)
 
 init_list_runtime(udevadm_t)
 init_read_state(udevadm_t)

diff --git a/policy/modules/system/unconfined.te 
b/policy/modules/system/unconfined.te
index b9c8173ae..4de7860d9 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -97,6 +97,10 @@ optional_policy(`
        container_unconfined_role(unconfined, unconfined_t, 
unconfined_application_exec_domain, unconfined_r)
 ')
 
+optional_policy(`
+       certbot_run(unconfined_t, unconfined_r)
+')
+
 optional_policy(`
        cron_unconfined_role(unconfined, unconfined_t, 
unconfined_application_exec_domain, unconfined_r)
 ')

diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te
index c2cba693e..a930d32e0 100644
--- a/policy/modules/system/xen.te
+++ b/policy/modules/system/xen.te
@@ -55,6 +55,7 @@ files_type(xen_devpts_t)
 type xen_image_t; # customizable
 files_type(xen_image_t)
 dev_node(xen_image_t)
+fs_image_file(xen_image_t)
 
 optional_policy(`
        virt_image(xen_image_t)
