commit: 1f93b453311d3c6def34ad4da5041af7f43b44f7
Author: Russell Coker <russell <AT> coker <DOT> com <DOT> au>
AuthorDate: Wed Aug 6 14:52:22 2025 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Sep 2 22:04:48 2025 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1f93b453
miscnetwork (#1004)
* A collection of small networking-related patches
Signed-off-by: Russell Coker <russell <AT> coker.com.au>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/admin/netutils.te | 5 +++++
policy/modules/kernel/corenetwork.te.in | 2 +-
policy/modules/services/apache.te | 3 ++-
policy/modules/services/dovecot.te | 2 +-
policy/modules/services/exim.te | 1 +
policy/modules/services/ntp.if | 2 +-
policy/modules/services/spamassassin.fc | 2 +-
policy/modules/services/ssh.if | 18 ++++++++++++++++++
policy/modules/services/ssh.te | 12 ++++++++++++
policy/modules/services/sympa.te | 5 ++++-
policy/modules/system/opensnitch.fc | 2 +-
policy/modules/system/sysnetwork.if | 18 ++++++++++++++++++
12 files changed, 65 insertions(+), 7 deletions(-)
diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index d3e372717..ac11d1c99 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -98,6 +98,11 @@ optional_policy(`
nis_use_ypbind(netutils_t)
')
+optional_policy(`
+ # because arping chooses ~sshd as a target for chroot
+ ssh_search_sshd_runtime(netutils_t)
+')
+
optional_policy(`
vmware_append_log(netutils_t)
')
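Review bot: The comment above the added `ssh_search_sshd_runtime(netutils_t)` line names the trigger but not why this particular permission resolves it; suggest `# arping chroots into ~sshd, which is labelled sshd_runtime_t, so it needs dir search on that path`. If arping really performs a chroot(), netutils_t presumably also needs the `sys_chroot` capability, which is not granted in this hunk — verify that it already exists elsewhere in netutils.te, or that the observed denial was only the dir search. The new optional_policy block sits in the correct alphabetical slot between the nis and vmware blocks.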
diff --git a/policy/modules/kernel/corenetwork.te.in
b/policy/modules/kernel/corenetwork.te.in
index b083746ec..6902c41f0 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -270,7 +270,7 @@ network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0, tcp,1161,s0)
network_port(socks) # no defined portcon
network_port(soundd, tcp,8000,s0, tcp,9433,s0, tcp, 16001, s0)
-network_port(spamd, tcp,783,s0, tcp,11333,s0)
+network_port(spamd, tcp,783,s0, tcp,11332,s0, tcp,11333,s0, tcp,11334,s0,
tcp,11335,s0)
network_port(speech, tcp,8036,s0)
network_port(squid, udp,3401,s0, tcp,3401,s0, udp,4827,s0, tcp,4827,s0) # snmp
and htcp
network_port(ssdp, tcp,1900,s0, udp,1900,s0)
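Review bot: Port 11335 is declared as TCP only on the extended `network_port(spamd, ...)` line; in rspamd's default configuration the fuzzy-storage worker on 11335 listens on UDP, so if that worker is what this entry is meant to cover, `udp,11335,s0` is needed as well (or instead) — verify against the rspamd configuration that produced the denial. Nothing on the line tells a reader that 11332-11335 are rspamd's proxy, normal, controller and fuzzy worker ports rather than spamd ones; a trailing `# 11332-11335: rspamd worker ports` would make the intent explicit, as the neighbouring squid entry already does with its `# snmp and htcp` comment.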
diff --git a/policy/modules/services/apache.te
b/policy/modules/services/apache.te
index af2251560..4848af400 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -432,7 +432,7 @@ files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir
lnk_file sock_file })
userdom_user_tmp_filetrans(httpd_t, httpd_tmp_t, dir)
manage_dirs_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
-manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
+mmap_manage_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
manage_lnk_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
manage_fifo_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
manage_sock_files_pattern(httpd_t, httpd_tmpfs_t, httpd_tmpfs_t)
@@ -899,6 +899,7 @@ optional_policy(`
')
optional_policy(`
+ sympa_connect_runtime_sock_files(httpd_t)
sympa_manage_runtime_sock_files(httpd_t)
sympa_map_var_files(httpd_t)
sympa_read_conf(httpd_t)
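Review bot: The added `sympa_connect_runtime_sock_files(httpd_t)` call depends on an interface this commit does not define — sympa.if is not in the diffstat — so it must already exist in sympa.if, otherwise the policy build fails on an undefined macro; worth confirming before merge. Granting connectto separately from the existing `sympa_manage_runtime_sock_files(httpd_t)` is correct, since the manage pattern does not include `connectto`.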
diff --git a/policy/modules/services/dovecot.te
b/policy/modules/services/dovecot.te
index 546e1030c..1a7c31851 100644
--- a/policy/modules/services/dovecot.te
+++ b/policy/modules/services/dovecot.te
@@ -262,7 +262,7 @@ manage_files_pattern(dovecot_auth_t, dovecot_auth_tmp_t,
dovecot_auth_tmp_t)
files_tmp_filetrans(dovecot_auth_t, dovecot_auth_tmp_t, { file dir })
allow dovecot_auth_t dovecot_runtime_t:dir list_dir_perms;
-allow dovecot_auth_t dovecot_runtime_t:file manage_file_perms;
+allow dovecot_auth_t dovecot_runtime_t:file mmap_manage_file_perms;
allow dovecot_auth_t dovecot_runtime_t:fifo_file write_fifo_file_perms;
manage_sock_files_pattern(dovecot_auth_t, dovecot_runtime_t, dovecot_runtime_t)
diff --git a/policy/modules/services/exim.te b/policy/modules/services/exim.te
index 975c1ec1f..1ed887a87 100644
--- a/policy/modules/services/exim.te
+++ b/policy/modules/services/exim.te
@@ -102,6 +102,7 @@ files_tmp_filetrans(exim_t, exim_tmp_t, { dir file })
manage_files_pattern(exim_t, exim_var_lib_t, exim_var_lib_t)
+kernel_getattr_proc(exim_t)
kernel_read_kernel_sysctls(exim_t)
kernel_read_network_state(exim_t)
kernel_dontaudit_read_system_state(exim_t)
diff --git a/policy/modules/services/ntp.if b/policy/modules/services/ntp.if
index ebcd11b78..66067b456 100644
--- a/policy/modules/services/ntp.if
+++ b/policy/modules/services/ntp.if
@@ -192,7 +192,7 @@ interface(`ntp_filetrans_drift',`
')
files_search_var_lib($1)
- files_var_lib_filetrans($1, ntp_drift_t, dir)
+ files_var_lib_filetrans($1, ntp_drift_t, dir, "ntpsec")
')
########################################
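Review bot: Adding the `"ntpsec"` name argument at the changed `files_var_lib_filetrans($1, ntp_drift_t, dir, "ntpsec")` line narrows the transition from any directory $1 creates under var_lib to one named ntpsec, so a caller creating a drift directory under another name (classic ntpd uses `ntp`) no longer gets ntp_drift_t. If that layout is still supported, keep a second call `files_var_lib_filetrans($1, ntp_drift_t, dir, "ntp")` beside it; the macro takes one name per call. The enclosing `ntp_filetrans_drift` interface starts before this hunk, and its summary presumably still describes the unnamed transition, so check that text as well.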
diff --git a/policy/modules/services/spamassassin.fc
b/policy/modules/services/spamassassin.fc
index 670521434..4d94c334b 100644
--- a/policy/modules/services/spamassassin.fc
+++ b/policy/modules/services/spamassassin.fc
@@ -16,7 +16,7 @@ HOME_DIR/\.spamd(/.*)?
gen_context(system_u:object_r:spamd_home_t,s0)
/usr/bin/spamd --
gen_context(system_u:object_r:spamd_exec_t,s0)
/usr/bin/spampd --
gen_context(system_u:object_r:spamd_exec_t,s0)
/usr/bin/sa-update --
gen_context(system_u:object_r:spamd_update_exec_t,s0)
-/usr/bin/rspamd-[^/]+ -- gen_context(system_u:object_r:spamd_exec_t,s0)
+/usr/bin/rspamd[^/]+ -- gen_context(system_u:object_r:spamd_exec_t,s0)
/usr/bin/rspamc-[^/]+ -- gen_context(system_u:object_r:spamc_exec_t,s0)
/usr/bin/rspamadm-[^/]+ --
gen_context(system_u:object_r:spamc_exec_t,s0)
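Review bot: The new pattern `/usr/bin/rspamd[^/]+` still requires at least one character after `rspamd`, so the bare `/usr/bin/rspamd` binary is not matched; if dropping the hyphen was meant to cover the unsuffixed binary, use `/usr/bin/rspamd[^/]* --`, otherwise add a separate `/usr/bin/rspamd --` entry. As written the entry also claims any `rspamd<suffix>` name, which is broader than the hyphenated helper form kept on the neighbouring `rspamc-[^/]+` and `rspamadm-[^/]+` lines; a short comment naming the binaries it is meant to catch would help the next reader.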
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index ac8f8e030..39fd11294 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -950,3 +950,21 @@ interface(`ssh_dontaudit_agent_tmp',`
dontaudit $1 ssh_agent_tmp_t:dir list_dir_perms;
')
+
+#######################################
+## <summary>
+## allow search the ssh runtime dir
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to permit
+## </summary>
+## </param>
+#
+interface(`ssh_search_sshd_runtime',`
+ gen_require(`
+ type sshd_runtime_t;
+ ')
+
+ allow $1 sshd_runtime_t:dir search_dir_perms;
+')
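Review bot: The summary of the new `ssh_search_sshd_runtime` interface, `allow search the ssh runtime dir`, is ungrammatical, and its parameter summary `Domain to permit` differs from the wording used elsewhere in this commit (`Domain allowed access.` in the sysnetwork.if hunk); suggest `Search the sshd runtime directory.` for the summary and `Domain allowed access.` for the parameter. The rule body itself is the minimal `search_dir_perms` grant, which is the right scope for a path lookup by a chrooting caller.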
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 53edd405e..1f6f8d943 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -208,6 +208,11 @@ tunable_policy(`user_tcp_server',`
corenet_tcp_bind_generic_node(ssh_t)
')
+optional_policy(`
+ cron_read_pipes(ssh_t)
+ cron_rw_tmp_files(ssh_t)
+')
+
optional_policy(`
tunable_policy(`ssh_use_gpg_agent',`
gpg_stream_connect_agent(ssh_t)
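Review bot: The new `cron_read_pipes(ssh_t)` / `cron_rw_tmp_files(ssh_t)` block carries no comment saying why the ssh client domain needs cron's pipes and tmp files; presumably ssh is invoked from cron jobs and inherits their stdio and temp files, in which case `# ssh run from cron jobs inherits cron pipes and tmp files` would record it. The same applies to the second hunk of this file, where `# dynamic users` above `init_stream_connect(sshd_t)` is too terse to tell a reader what is being connected to — presumably the userdb lookup of systemd DynamicUser= accounts over PID 1's socket; state that, or the denial that was observed. Both new blocks are in the correct alphabetical position among the surrounding optional_policy blocks.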
@@ -283,6 +288,8 @@ ifdef(`distro_debian',`
ifdef(`init_systemd',`
auth_use_pam_systemd(sshd_t)
init_dbus_chat(sshd_t)
+ # dynamic users
+ init_stream_connect(sshd_t)
init_rw_stream_sockets(sshd_t)
systemd_write_inherited_logind_sessions_pipes(sshd_t)
')
@@ -306,6 +313,11 @@ tunable_policy(`allow_polyinstantiation',`
seutil_exec_setfiles(sshd_t)
')
+optional_policy(`
+ # for /var/lib/unattended-upgrades
+ apt_read_db(sshd_t)
+')
+
optional_policy(`
daemontools_service_domain(sshd_t, sshd_exec_t)
')
diff --git a/policy/modules/services/sympa.te b/policy/modules/services/sympa.te
index b2aea679d..fb417b733 100644
--- a/policy/modules/services/sympa.te
+++ b/policy/modules/services/sympa.te
@@ -30,7 +30,8 @@ allow sympa_t self:capability { chown dac_override setgid
setuid };
allow sympa_t self:fifo_file rw_fifo_file_perms;
allow sympa_t self:tcp_socket create_socket_perms;
allow sympa_t self:unix_dgram_socket create_socket_perms;
-allow sympa_t self:process signull;
+allow sympa_t self:process { signull signal };
+allow sympa_t self:udp_socket create_socket_perms;
allow sympa_t sympa_etc_t:dir list_dir_perms;
allow sympa_t sympa_etc_t:file read_file_perms;
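Review bot: The added `allow sympa_t self:udp_socket create_socket_perms;` here, together with `corenet_udp_bind_generic_node(sympa_t)` in the next hunk, is the footprint of a DNS lookup rather than a service socket, since no port bind is granted; if that is what was observed, the conventional form is `sysnet_dns_name_resolve(sympa_t)`, which already includes both of these rules plus the resolver config reads, unless sympa_t already calls it further down in this file. If the UDP socket is for something else, a comment saying what sympa binds it for would save the next reviewer the same question. The `signal` addition on the `self:process` line is fine as written.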
@@ -55,6 +56,8 @@ corecmd_bin_entry_type(sympa_t)
corecmd_exec_bin(sympa_t)
corecmd_exec_shell(sympa_t)
+corenet_udp_bind_generic_node(sympa_t)
+
dev_read_urand(sympa_t)
files_read_etc_files(sympa_t)
diff --git a/policy/modules/system/opensnitch.fc
b/policy/modules/system/opensnitch.fc
index 86a158046..6110d981c 100644
--- a/policy/modules/system/opensnitch.fc
+++ b/policy/modules/system/opensnitch.fc
@@ -1,3 +1,3 @@
/usr/bin/opensnitchd --
gen_context(system_u:object_r:opensnitchd_exec_t,s0)
-/var/log/opensnitchd\.log --
gen_context(system_u:object_r:opensnitchd_log_t,s0)
+/var/log/opensnitchd\.log.* --
gen_context(system_u:object_r:opensnitchd_log_t,s0)
/etc/opensnitchd(/.*)?
gen_context(system_u:object_r:opensnitchd_conf_t,s0)
diff --git a/policy/modules/system/sysnetwork.if
b/policy/modules/system/sysnetwork.if
index 13928ab62..8eb9bf6cd 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -615,6 +615,24 @@ interface(`sysnet_watch_config_dirs',`
allow $1 net_conf_t:dir watch;
')
+#######################################
+## <summary>
+## Watch a network config dir
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysnet_watch_config_dir',`
+ gen_require(`
+ type net_conf_t;
+ ')
+
+ allow $1 net_conf_t:dir watch;
+')
+
#######################################
## <summary>
## Read dhcp client runtime files.
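Review bot: The new `sysnet_watch_config_dir` interface has a body identical to the existing `sysnet_watch_config_dirs` shown as this hunk's leading context — both are `allow $1 net_conf_t:dir watch;` — so the commit adds a second name for the same permission with nothing to distinguish them. Either drop the new interface and have the caller use the existing one, or, if the singular name is wanted, make one of the two a thin wrapper that calls the other and mark it deprecated in the usual refpolicy way so callers converge on a single name. The new summary `Watch a network config dir` should also say the same thing as the existing interface's summary if both are kept.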