commit: 8667b20a96226af11a0a9f855caebcdc9ca4a34e
Author: Russell Coker <russell <AT> coker <DOT> com <DOT> au>
AuthorDate: Fri Jul 25 12:33:12 2025 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Sep 2 22:01:01 2025 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8667b20a
services (#986)
* Some small service changes:
Label /run/prosody dir
Allow power_profilesd_t to talk to devicekit power
Label nm-dispatched as NetworkManager_exec_t
Allow network manager to run chronyc in its domain
Make logging_watch_audit_log watch log dir too
Allow ssh server to create the faillog dir
Allow kerneloops to mmap logs
Signed-off-by: Russell Coker <russell <AT> coker.com.au>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/services/jabber.fc | 2 +-
policy/modules/services/kerneloops.te | 1 +
policy/modules/services/ssh.if | 1 +
policy/modules/system/authlogin.if | 20 ++++++++++++++++++++
policy/modules/system/logging.if | 2 +-
5 files changed, 24 insertions(+), 2 deletions(-)
diff --git a/policy/modules/services/jabber.fc
b/policy/modules/services/jabber.fc
index d16af00ab..5cd43c43a 100644
--- a/policy/modules/services/jabber.fc
+++ b/policy/modules/services/jabber.fc
@@ -31,4 +31,4 @@
/run/ejabber\.pid --
gen_context(system_u:object_r:jabberd_runtime_t,s0)
/run/jabber\.pid --
gen_context(system_u:object_r:jabberd_runtime_t,s0)
-/run/prosody(/.*)? --
gen_context(system_u:object_r:jabberd_runtime_t,s0)
+/run/prosody(/.*)?
gen_context(system_u:object_r:jabberd_runtime_t,s0)
diff --git a/policy/modules/services/kerneloops.te
b/policy/modules/services/kerneloops.te
index 0430897d5..c10ba62b2 100644
--- a/policy/modules/services/kerneloops.te
+++ b/policy/modules/services/kerneloops.te
@@ -43,6 +43,7 @@ corenet_tcp_connect_http_port(kerneloops_t)
auth_use_nsswitch(kerneloops_t)
+logging_mmap_generic_logs(kerneloops_t)
logging_send_syslog_msg(kerneloops_t)
logging_read_generic_logs(kerneloops_t)
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index 4935d2e9d..ac8f8e030 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -240,6 +240,7 @@ template(`ssh_server_template', `
auth_rw_login_records($1_t)
auth_rw_faillog($1_t)
+ auth_var_lib_filetrans_faillog($1_t)
# for sshd subsystems, such as sftp-server.
corecmd_getattr_bin_files($1_t)
diff --git a/policy/modules/system/authlogin.if
b/policy/modules/system/authlogin.if
index 3023eb90b..65f46b47a 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -950,6 +950,7 @@ interface(`auth_rw_faillog',`
')
logging_search_logs($1)
+ allow $1 faillog_t:dir list_dir_perms;
allow $1 faillog_t:file rw_file_perms;
')
@@ -968,6 +969,7 @@ interface(`auth_manage_faillog',`
type faillog_t;
')
+ allow $1 faillog_t:dir manage_dir_perms;
allow $1 faillog_t:file manage_file_perms;
logging_rw_generic_log_dirs($1)
')
@@ -990,6 +992,24 @@ interface(`auth_setattr_faillog_files',`
setattr_files_pattern($1, faillog_t, faillog_t)
')
+########################################
+## <summary>
+## create the login failure log directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`auth_var_lib_filetrans_faillog',`
+ gen_require(`
+ type faillog_t;
+ ')
+
+ files_var_lib_filetrans($1, faillog_t, dir, "wtmpdb")
+')
+
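Review bot: The new `auth_var_lib_filetrans_faillog` sets up only the name transition, and as I read `files_var_lib_filetrans` its `filetrans_pattern` grants rw_dir_perms on the var_lib_t parent plus the type_transition but no `create` on the target type, so the sshd domain that calls it in the ssh.if hunk (`auth_var_lib_filetrans_faillog($1_t)`) would still be denied `faillog_t:dir create` unless something outside these hunks grants it; `auth_rw_faillog`, widened in the first hunk of this file, adds only `list_dir_perms`. Consider adding `allow $1 faillog_t:dir create_dir_perms;` before the `files_var_lib_filetrans` call, or document that callers must pair this interface with `auth_manage_faillog`. The summary should also be capitalised like its neighbours, e.g. `## Create the login failure log directory (wtmpdb).`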
#######################################
## <summary>
## Read the last logins log.
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index b6a06a219..3a42906d4 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -162,7 +162,7 @@ interface(`logging_watch_audit_log',`
type auditd_log_t;
')
- allow $1 auditd_log_t:file watch;
+ allow $1 auditd_log_t:{ file dir } watch;
')
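Review bot: Adding `dir` to the watch rule may not be sufficient by itself, because inotify_add_watch() on a directory is subject to a read-access check on that directory before the watch permission is evaluated, so unless the part of `logging_watch_audit_log` above this hunk already grants `read` (via list_dir_perms) on `auditd_log_t:dir`, watching the audit log directory will still be denied. If it is not already granted, add `allow $1 auditd_log_t:dir list_dir_perms;` next to the changed line. The interface's gen_require block and header start above the hunk, so I cannot confirm from here which dir permissions it already has.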
########################################