commit:     1be54ba357bd1336f0150d5337dedea3b1736421
Author:     cgzones <cgzones <AT> googlemail <DOT> com>
AuthorDate: Fri Jan  6 14:10:04 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Feb 21 06:34:38 2017 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1be54ba3

selinuxutil: adjustments

* no negative permission matching for newrole_t:process
* do not label /usr/lib/selinux as policy_src_t, otherwise semodule cannot run /usr/lib/selinux/hll/pp
* reorder label for /run/restorecond.pid
* fix systemd related denials

 policy/modules/system/selinuxutil.fc | 65 ++++++++++++++++++------------------
 policy/modules/system/selinuxutil.te | 25 +++++++++++---
 2 files changed, 52 insertions(+), 38 deletions(-)

diff --git a/policy/modules/system/selinuxutil.fc 
b/policy/modules/system/selinuxutil.fc
index 8159897e..f7b84401 100644
--- a/policy/modules/system/selinuxutil.fc
+++ b/policy/modules/system/selinuxutil.fc
@@ -3,53 +3,52 @@
 #
 # /etc
 #
-/etc/selinux(/.*)?                     
gen_context(system_u:object_r:selinux_config_t,s0)
-/etc/selinux/([^/]*/)?contexts(/.*)?   
gen_context(system_u:object_r:default_context_t,s0)
-/etc/selinux/([^/]*/)?contexts/files(/.*)? 
gen_context(system_u:object_r:file_context_t,s0)
-/etc/selinux/([^/]*/)?policy(/.*)?     
gen_context(system_u:object_r:policy_config_t,mls_systemhigh)
-/etc/selinux/([^/]*/)?setrans\.conf -- 
gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
-/etc/selinux/([^/]*/)?seusers  --      
gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
-/etc/selinux/([^/]*/)?modules(/.*)?    
gen_context(system_u:object_r:semanage_store_t,s0)
-/etc/selinux/([^/]*/)?modules/semanage\.read\.LOCK -- 
gen_context(system_u:object_r:semanage_read_lock_t,s0)
-/etc/selinux/([^/]*/)?modules/semanage\.trans\.LOCK -- 
gen_context(system_u:object_r:semanage_trans_lock_t,s0)
-/etc/selinux/([^/]*/)?users(/.*)? --   
gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
+/etc/selinux(/.*)?                                     
gen_context(system_u:object_r:selinux_config_t,s0)
+/etc/selinux/([^/]*/)?contexts(/.*)?                   
gen_context(system_u:object_r:default_context_t,s0)
+/etc/selinux/([^/]*/)?contexts/files(/.*)?             
gen_context(system_u:object_r:file_context_t,s0)
+/etc/selinux/([^/]*/)?policy(/.*)?                     
gen_context(system_u:object_r:policy_config_t,mls_systemhigh)
+/etc/selinux/([^/]*/)?setrans\.conf            --      
gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
+/etc/selinux/([^/]*/)?seusers                  --      
gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
+/etc/selinux/([^/]*/)?modules(/.*)?                    
gen_context(system_u:object_r:semanage_store_t,s0)
+/etc/selinux/([^/]*/)?modules/semanage\.read\.LOCK --  
gen_context(system_u:object_r:semanage_read_lock_t,s0)
+/etc/selinux/([^/]*/)?modules/semanage\.trans\.LOCK -- 
gen_context(system_u:object_r:semanage_trans_lock_t,s0)
+/etc/selinux/([^/]*/)?users(/.*)?              --      
gen_context(system_u:object_r:selinux_config_t,mls_systemhigh)
 
 #
 # /root
 #
-/root/\.default_contexts       --      
gen_context(system_u:object_r:default_context_t,s0)
+/root/\.default_contexts                       --      
gen_context(system_u:object_r:default_context_t,s0)
+
+#
+# /run
+#
+/run/restorecond\.pid                          --      
gen_context(system_u:object_r:restorecond_run_t,s0)
 
 #
 # /usr
 #
-/usr/bin/checkpolicy           --      
gen_context(system_u:object_r:checkpolicy_exec_t,s0)
-/usr/bin/newrole               --      
gen_context(system_u:object_r:newrole_exec_t,s0)
+/usr/bin/checkpolicy                           --      
gen_context(system_u:object_r:checkpolicy_exec_t,s0)
+/usr/bin/newrole                               --      
gen_context(system_u:object_r:newrole_exec_t,s0)
 
-/usr/lib/selinux(/.*)?                 
gen_context(system_u:object_r:policy_src_t,s0)
-/usr/lib/systemd/system/restorecond.*\.service -- 
gen_context(system_u:object_r:restorecond_unit_t,s0)
+/usr/lib/systemd/system/restorecond.*\.service --      
gen_context(system_u:object_r:restorecond_unit_t,s0)
 
-/usr/sbin/load_policy          --      
gen_context(system_u:object_r:load_policy_exec_t,s0)
-/usr/sbin/restorecon           --      
gen_context(system_u:object_r:setfiles_exec_t,s0)
-/usr/sbin/restorecond          --      
gen_context(system_u:object_r:restorecond_exec_t,s0)
-/usr/sbin/run_init             --      
gen_context(system_u:object_r:run_init_exec_t,s0)
-/usr/sbin/setfiles.*           --      
gen_context(system_u:object_r:setfiles_exec_t,s0)
-/usr/sbin/setsebool            --      
gen_context(system_u:object_r:semanage_exec_t,s0)
-/usr/sbin/semanage             --      
gen_context(system_u:object_r:semanage_exec_t,s0)
-/usr/sbin/semodule             --      
gen_context(system_u:object_r:semanage_exec_t,s0)
-/usr/libexec/selinux/semanage_migrate_store            --      
gen_context(system_u:object_r:semanage_exec_t,s0)
+/usr/sbin/load_policy                          --      
gen_context(system_u:object_r:load_policy_exec_t,s0)
+/usr/sbin/restorecon                           --      
gen_context(system_u:object_r:setfiles_exec_t,s0)
+/usr/sbin/restorecond                          --      
gen_context(system_u:object_r:restorecond_exec_t,s0)
+/usr/sbin/run_init                             --      
gen_context(system_u:object_r:run_init_exec_t,s0)
+/usr/sbin/setfiles.*                           --      
gen_context(system_u:object_r:setfiles_exec_t,s0)
+/usr/sbin/setsebool                            --      
gen_context(system_u:object_r:semanage_exec_t,s0)
+/usr/sbin/semanage                             --      
gen_context(system_u:object_r:semanage_exec_t,s0)
+/usr/sbin/semodule                             --      
gen_context(system_u:object_r:semanage_exec_t,s0)
+/usr/libexec/selinux/semanage_migrate_store    --      
gen_context(system_u:object_r:semanage_exec_t,s0)
 
 #
 # /var/lib
 #
-/var/lib/selinux(/.*)?                 
gen_context(system_u:object_r:semanage_store_t,s0)
-/var/lib/selinux/[^/]+/semanage\.read\.LOCK -- 
gen_context(system_u:object_r:semanage_read_lock_t,s0)
-/var/lib/selinux/[^/]+/semanage\.trans\.LOCK -- 
gen_context(system_u:object_r:semanage_trans_lock_t,s0)
-/usr/lib/selinux/semanage_migrate_store        --      
gen_context(system_u:object_r:semanage_exec_t,s0)
-
-#
-# /var/run
-#
-/run/restorecond\.pid  --      
gen_context(system_u:object_r:restorecond_var_run_t,s0)
+/var/lib/selinux(/.*)?                                 
gen_context(system_u:object_r:semanage_store_t,s0)
+/var/lib/selinux/[^/]+/semanage\.read\.LOCK    --      
gen_context(system_u:object_r:semanage_read_lock_t,s0)
+/var/lib/selinux/[^/]+/semanage\.trans\.LOCK   --      
gen_context(system_u:object_r:semanage_trans_lock_t,s0)
+/usr/lib/selinux/semanage_migrate_store                --      
gen_context(system_u:object_r:semanage_exec_t,s0)
 
 ifdef(`distro_gentoo',`
 # Support for gentoo python switcheridoo
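Review bot: On the new side `/usr/lib/selinux/semanage_migrate_store` is still listed under the `# /var/lib` heading, between the `/var/lib/selinux` lock entries, even though this commit otherwise regroups entries by directory (it adds a dedicated `# /run` section for `restorecond\.pid`). It belongs in the `# /usr` section next to `/usr/libexec/selinux/semanage_migrate_store`, which carries the same `semanage_exec_t` label. Separately, with the `/usr/lib/selinux(/.*)?` to `policy_src_t` entry dropped, the remaining files under that directory presumably fall back to the generic `/usr/lib` rule of another module; stating the intended fallback label in the commit or in a comment here makes a later `restorecon` relabel traceable to this change.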

diff --git a/policy/modules/system/selinuxutil.te 
b/policy/modules/system/selinuxutil.te
index dd95cf64..703a4453 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -88,8 +88,9 @@ role system_r types restorecond_t;
 type restorecond_unit_t;
 init_unit_file(restorecond_unit_t)
 
-type restorecond_var_run_t;
-files_pid_file(restorecond_var_run_t)
+type restorecond_run_t;
+typealias restorecond_run_t alias restorecond_var_run_t;
+files_pid_file(restorecond_run_t)
 
 type run_init_t;
 type run_init_exec_t;
@@ -221,7 +222,6 @@ optional_policy(`
 #
 
 allow newrole_t self:capability { dac_override fowner setgid setuid };
-allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate 
setrlimit execmem execheap execstack };
 allow newrole_t self:process setexec;
 allow newrole_t self:fd use;
 allow newrole_t self:fifo_file rw_fifo_file_perms;
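Review bot: Dropping `allow newrole_t self:process ~{ ... }` removes every process permission the negated set implied (fork, signal handling, scheduling and so on), and this hunk leaves only the pre-existing `allow newrole_t self:process setexec;` in its place. Unless those permissions are granted by an interface outside the hunk, newrole will hit new denials on its fork/exec path, so the replacement should be an enumerated positive set committed together with the removal, for example `allow newrole_t self:process { fork getsched setsched signal_perms };`, trimmed to what an audit of the binary actually needs. Moving from a negated set to an explicit list is the right least-privilege direction; it just needs the list to land in the same commit.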
@@ -303,6 +303,21 @@ ifdef(`distro_ubuntu',`
        ')
 ')
 
+ifdef(`init_systemd',`
+       optional_policy(`
+               systemd_use_logind_fds(newrole_t)
+               systemd_dbus_chat_logind(newrole_t)
+       ')
+')
+
+optional_policy(`
+       dbus_system_bus_client(newrole_t)
+
+       optional_policy(`
+               consolekit_dbus_chat(newrole_t)
+       ')
+')
+
 # if secure mode is enabled, then newrole
 # can only transition to unprivileged users
 if(secure_mode) {
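Review bot: The new `dbus_system_bus_client(newrole_t)` and logind/consolekit chat grants carry no comment on why a domain holding `setuid setgid dac_override` (the capability rule visible in the previous hunk) now needs system-bus access; the commit message only says "fix systemd related denials". A one-line comment above the `init_systemd` block, such as `# newrole needs logind/consolekit bus access during session setup (denials seen under systemd; see commit 1be54ba3)`, records the intent so the grant can be re-evaluated later. If the trigger is a PAM session module, naming it would be better still, but that cannot be confirmed from the hunk.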
@@ -323,8 +338,8 @@ tunable_policy(`allow_polyinstantiation',`
 allow restorecond_t self:capability { dac_override dac_read_search fowner };
 allow restorecond_t self:fifo_file rw_fifo_file_perms;
 
-allow restorecond_t restorecond_var_run_t:file manage_file_perms;
-files_pid_filetrans(restorecond_t, restorecond_var_run_t, file)
+allow restorecond_t restorecond_run_t:file manage_file_perms;
+files_pid_filetrans(restorecond_t, restorecond_run_t, file)
 
 kernel_getattr_debugfs(restorecond_t)
 kernel_read_system_state(restorecond_t)
