commit: 8a23415215dd0c7be0bf930e02410d9950fe647f
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sat Feb 18 14:39:01 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Feb 21 06:52:46 2017 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8a234152
Little misc patches from Russell Coker.
policy/modules/kernel/files.te | 3 ++-
policy/modules/services/xserver.if | 20 ++++++++++++++++++++
policy/modules/services/xserver.te | 2 +-
policy/modules/system/init.fc | 2 +-
policy/modules/system/init.te | 14 +++++++++-----
policy/modules/system/logging.te | 14 +++++++++-----
policy/modules/system/lvm.te | 4 +++-
policy/modules/system/selinuxutil.te | 14 +++++++++-----
policy/modules/system/sysnetwork.te | 14 +++++++++-----
policy/modules/system/udev.te | 3 ++-
10 files changed, 65 insertions(+), 25 deletions(-)
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index 625768e2..9b06ff6e 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -1,4 +1,4 @@
-policy_module(files, 1.23.2)
+policy_module(files, 1.23.3)
########################################
#
@@ -11,6 +11,7 @@ attribute lockfile;
attribute mountpoint;
attribute pidfile;
attribute configfile;
+attribute spoolfile;
# For labeling types that are to be polyinstantiated
attribute polydir;
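Review bot: `attribute spoolfile;` is declared on the added line, but no hunk in this commit assigns a type to it or adds an interface over it, so as merged it is an unused attribute. The neighbouring `polydir` attribute carries a one-line purpose comment; giving this one the same treatment, e.g. `# For labeling spool directories and files`, would tell the next maintainer which types are meant to receive it. If the types and interfaces that use it are intended to follow in a later commit, a comment saying so would help as well.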
diff --git a/policy/modules/services/xserver.if
b/policy/modules/services/xserver.if
index f0761c9b..7af0ab6a 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -934,6 +934,26 @@ interface(`xserver_create_xdm_tmp_sockets',`
########################################
## <summary>
+## Delete a named socket in a XDM
+## temporary directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_delete_xdm_tmp_sockets',`
+ gen_require(`
+ type xdm_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ delete_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
+')
+
+########################################
+## <summary>
## Read XDM pid files.
## </summary>
## <param name="domain">
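Review bot: The summary of the new interface reads `## Delete a named socket in a XDM` and should read `an XDM`; the rest of the doc block follows the usual layout. Note that delete_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t) grants unlink on every xdm_tmp_t socket under xdm_tmp_t directories, not only sockets the caller created, so the summary could say "named sockets" (plural) to reflect the actual grant. No caller of xserver_delete_xdm_tmp_sockets appears in this commit, so which domain needs it cannot be checked here.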
diff --git a/policy/modules/services/xserver.te
b/policy/modules/services/xserver.te
index 68014747..71786c59 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -1,4 +1,4 @@
-policy_module(xserver, 3.13.1)
+policy_module(xserver, 3.13.2)
gen_require(`
class x_drawable all_x_drawable_perms;
diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
index 1fb15ae0..fe085d15 100644
--- a/policy/modules/system/init.fc
+++ b/policy/modules/system/init.fc
@@ -23,6 +23,7 @@ ifdef(`distro_gentoo',`
# /usr
#
/usr/bin/sepg_ctl -- gen_context(system_u:object_r:initrc_exec_t,s0)
+/usr/bin/systemd -- gen_context(system_u:object_r:init_exec_t,s0)
/usr/lib/systemd/systemd -- gen_context(system_u:object_r:init_exec_t,s0)
/usr/lib/systemd/system-preset(/.*)?
gen_context(system_u:object_r:systemd_unit_t,s0)
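Review bot: The new `/usr/bin/systemd -- gen_context(system_u:object_r:init_exec_t,s0)` entry uses the `--` (regular file) specifier, so it only takes effect where `/usr/bin/systemd` is a real binary; where that path is a symlink to `/usr/lib/systemd/systemd` the entry is inert and the symlink keeps its default label, which is presumably acceptable but worth confirming on the distribution this was written for. The hunk header mentions ifdef(`distro_gentoo', ...), and whether the new line sits inside that block is not visible here. A short comment naming the distribution that ships this path would make the intent reviewable.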
@@ -34,7 +35,6 @@ ifdef(`distro_gentoo', `
/usr/lib/rc/init\.d(/.*)?
gen_context(system_u:object_r:initrc_state_t,s0)
')
-
/usr/libexec/dcc/start-.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
/usr/libexec/dcc/stop-.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 03aaae53..cad90ba5 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 2.2.2)
+policy_module(init, 2.2.3)
gen_require(`
class passwd rootok;
@@ -307,7 +307,9 @@ ifdef(`init_systemd',`
',`
# Run the shell in the sysadm role for single-user mode.
# causes problems with upstart
- sysadm_shell_domtrans(init_t)
+ ifndef(`distro_debian',`
+ sysadm_shell_domtrans(init_t)
+ ')
')
')
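Review bot: The new ifndef(`distro_debian', ...) guard around `sysadm_shell_domtrans(init_t)` has no comment, and the existing comment above it ("causes problems with upstart") does not explain why Debian specifically is exempted. Because this removes init_t's transition into the sysadm shell domain on Debian builds, a one-line reason above the ifndef, e.g. `# Debian: <reason to be supplied by the submitter>`, would keep the exemption reviewable. The enclosing ifdef(`init_systemd', ...) block whose else-branch this sits in starts outside the hunk.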
@@ -561,9 +563,6 @@ miscfiles_read_localization(initrc_t)
# slapd needs to read cert files from its initscript
miscfiles_read_generic_certs(initrc_t)
-modutils_read_module_config(initrc_t)
-modutils_domtrans_insmod(initrc_t)
-
seutil_read_config(initrc_t)
userdom_read_user_home_content_files(initrc_t)
@@ -953,6 +952,11 @@ optional_policy(`
')
optional_policy(`
+ modutils_read_module_config(initrc_t)
+ modutils_domtrans_insmod(initrc_t)
+')
+
+optional_policy(`
mta_read_config(initrc_t)
mta_dontaudit_read_spool_symlinks(initrc_t)
')
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 94be02e5..10d2fc9f 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -1,4 +1,4 @@
-policy_module(logging, 1.25.1)
+policy_module(logging, 1.25.2)
########################################
#
@@ -124,8 +124,6 @@ term_use_all_terms(auditctl_t)
init_dontaudit_use_fds(auditctl_t)
-locallogin_dontaudit_use_fds(auditctl_t)
-
logging_set_audit_parameters(auditctl_t)
logging_send_syslog_msg(auditctl_t)
@@ -133,6 +131,10 @@ ifdef(`init_systemd',`
init_rw_stream_sockets(auditctl_t)
')
+optional_policy(`
+ locallogin_dontaudit_use_fds(auditctl_t)
+')
+
########################################
#
# Auditd local policy
@@ -373,8 +375,8 @@ optional_policy(`
# sys_admin for the integrated klog of syslog-ng and metalog
# sys_nice for rsyslog
# cjp: why net_admin!
-allow syslogd_t self:capability { chown dac_override fsetid net_admin
sys_admin sys_nice sys_resource sys_tty_config };
-dontaudit syslogd_t self:capability { sys_ptrace sys_tty_config };
+allow syslogd_t self:capability { chown dac_override fsetid net_admin setgid
setuid sys_admin sys_nice sys_resource sys_tty_config };
+dontaudit syslogd_t self:capability { sys_ptrace };
# setpgid for metalog
# setrlimit for syslog-ng
# getsched for syslog-ng
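Review bot: The `allow syslogd_t self:capability` line gains `setgid setuid`, but the comment block above it, which justifies the other capabilities one by one (sys_admin for the integrated klog, sys_nice for rsyslog, the open question about net_admin), is not extended for them. Since setuid/setgid let syslogd_t change its credentials, add a line such as `# setuid setgid for <daemon> to drop privileges -- confirm which daemon needs it`; journald or rsyslog seem likely, but the commit message does not say. Removing `sys_tty_config` from the dontaudit line is consistent, since it was already on the allow line.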
@@ -569,6 +571,8 @@ optional_policy(`
optional_policy(`
udev_read_db(syslogd_t)
+ # for systemd-journal to read seat data from /run/udev/data
+ udev_read_pid_files(syslogd_t)
')
optional_policy(`
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index e04fb18a..58e03ff2 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -1,4 +1,4 @@
-policy_module(lvm, 1.19.1)
+policy_module(lvm, 1.19.2)
########################################
#
@@ -257,6 +257,8 @@ dev_dontaudit_getattr_generic_pipes(lvm_t)
dev_create_generic_dirs(lvm_t)
# the following one is needed by cryptsetup
dev_getattr_fs(lvm_t)
+# for systemd-cryptsetup
+dev_write_kmsg(lvm_t)
domain_use_interactive_fds(lvm_t)
domain_read_all_domains_state(lvm_t)
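Review bot: `dev_write_kmsg(lvm_t)` is granted unconditionally although its comment scopes it to systemd-cryptsetup, so lvm_t also gains write access to /dev/kmsg on non-systemd builds that never need it. Other files touched by this commit (init.te, logging.te) already use ifdef(`init_systemd', ...) for systemd-only rules, so wrapping this call and its comment in the same construct would limit the grant to the configurations that use it. Nothing else in the hunk needs changing.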
diff --git a/policy/modules/system/selinuxutil.te
b/policy/modules/system/selinuxutil.te
index 703a4453..67c7418b 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -1,4 +1,4 @@
-policy_module(selinuxutil, 1.22.1)
+policy_module(selinuxutil, 1.22.2)
gen_require(`
bool secure_mode;
@@ -363,8 +363,6 @@ files_relabel_non_auth_files(restorecond_t )
files_read_non_auth_files(restorecond_t)
auth_use_nsswitch(restorecond_t)
-locallogin_dontaudit_use_fds(restorecond_t)
-
logging_send_syslog_msg(restorecond_t)
miscfiles_read_localization(restorecond_t)
@@ -378,6 +376,10 @@ ifdef(`distro_ubuntu',`
')
optional_policy(`
+ locallogin_dontaudit_use_fds(restorecond_t)
+')
+
+optional_policy(`
rpm_use_script_fds(restorecond_t)
')
@@ -504,8 +506,6 @@ term_use_all_terms(semanage_t)
# Running genhomedircon requires this for finding all users
auth_use_nsswitch(semanage_t)
-locallogin_use_fds(semanage_t)
-
logging_send_syslog_msg(semanage_t)
miscfiles_read_localization(semanage_t)
@@ -542,6 +542,10 @@ optional_policy(`
portage_eselect_module(semanage_t)
')
+optional_policy(`
+ locallogin_use_fds(semanage_t)
+')
+
########################################
#
# Setfiles local policy
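Review bot: The new optional_policy block for `locallogin_use_fds(semanage_t)` is placed after the `portage_eselect_module` block, which breaks the alphabetical ordering of optional_policy blocks that refpolicy keeps; the restorecond hunk earlier in this same file correctly puts `locallogin` before `rpm`. Moving the block above the portage one is the only change needed. The opening line of the preceding optional_policy is outside the hunk.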
diff --git a/policy/modules/system/sysnetwork.te
b/policy/modules/system/sysnetwork.te
index 9518a23d..caec3181 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -1,4 +1,4 @@
-policy_module(sysnetwork, 1.20.2)
+policy_module(sysnetwork, 1.20.3)
########################################
#
@@ -147,8 +147,6 @@ logging_send_syslog_msg(dhcpc_t)
miscfiles_read_localization(dhcpc_t)
-modutils_run_insmod(dhcpc_t, dhcpc_roles)
-
sysnet_run_ifconfig(dhcpc_t, dhcpc_roles)
userdom_use_user_terminals(dhcpc_t)
@@ -207,6 +205,10 @@ optional_policy(`
')
')
+optional_policy(`
+ modutils_run_insmod(dhcpc_t, dhcpc_roles)
+')
+
# for the dhcp client to run ping to check IP addresses
optional_policy(`
netutils_run_ping(dhcpc_t, dhcpc_roles)
@@ -335,8 +337,6 @@ logging_send_syslog_msg(ifconfig_t)
miscfiles_read_localization(ifconfig_t)
-modutils_domtrans_insmod(ifconfig_t)
-
seutil_use_runinit_fds(ifconfig_t)
sysnet_dontaudit_rw_dhcpc_udp_sockets(ifconfig_t)
@@ -383,6 +383,10 @@ optional_policy(`
')
optional_policy(`
+ modutils_domtrans_insmod(ifconfig_t)
+')
+
+optional_policy(`
nis_use_ypbind(ifconfig_t)
')
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index e0405fb1..d6034f30 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -1,4 +1,4 @@
-policy_module(udev, 1.21.1)
+policy_module(udev, 1.21.2)
########################################
#
@@ -125,6 +125,7 @@ files_search_mnt(udev_t)
fs_getattr_all_fs(udev_t)
fs_list_inotifyfs(udev_t)
+fs_read_cgroup_files(udev_t)
fs_rw_anon_inodefs_files(udev_t)
mcs_ptrace_all(udev_t)
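Review bot: `fs_read_cgroup_files(udev_t)` is added without a why-comment, unlike the other new grants in this commit (`dev_write_kmsg` in lvm.te, `udev_read_pid_files` in logging.te), which each say what needs them. A line such as `# for systemd-udevd reading its cgroup under /sys/fs/cgroup -- confirm` above the call would record the requirement; the commit message ("Little misc patches") gives no detail to draw on. The rule is otherwise placed correctly among the other fs_* calls.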