commit: 0895cfaab9cc3c372810ab7d3b47c12066c74e74
Author: cgzones <cgzones <AT> googlemail <DOT> com>
AuthorDate: Thu Jan 5 11:10:30 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb 27 10:37:10 2017 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0895cfaa
su: some adjustments
* systemd fixes
* remove unused attribute su_domain_type
* remove hide_broken_symptoms sections
* dontaudit init_t proc files access
* dontaudit net_admin capability due to setsockopt
policy/modules/admin/su.if | 20 +++++---------------
policy/modules/admin/su.te | 2 --
policy/modules/system/init.if | 20 ++++++++++++++++++++
3 files changed, 25 insertions(+), 17 deletions(-)
diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
index 4a434b84..cd137d59 100644
--- a/policy/modules/admin/su.if
+++ b/policy/modules/admin/su.if
@@ -1,4 +1,4 @@
-## <summary>Run shells with substitute user and group</summary>
+## <summary>Run shells with substitute user and group.</summary>
#######################################
## <summary>
@@ -100,11 +100,6 @@ template(`su_restricted_domain_template', `
')
')
- ifdef(`hide_broken_symptoms',`
- # dontaudit leaked sockets from parent
- dontaudit $1_su_t $2:socket_class_set { read write };
- ')
-
optional_policy(`
cron_read_pipes($1_su_t)
')
@@ -148,12 +143,10 @@ template(`su_restricted_domain_template', `
#
template(`su_role_template',`
gen_require(`
- attribute su_domain_type;
type su_exec_t;
- bool secure_mode;
')
- type $1_su_t, su_domain_type;
+ type $1_su_t;
userdom_user_application_domain($1_su_t, su_exec_t)
domain_interactive_fd($1_su_t)
role $2 types $1_su_t;
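Review bot: The gen_require also drops `bool secure_mode;`, but the commit message only lists the unused `su_domain_type` attribute. If any `tunable_policy(`secure_mode', …)` block in the remainder of su_role_template (the template body continues outside this hunk) still references the bool, expansion will fail with an undeclared boolean; if it is genuinely unused, a bullet such as `* remove unused secure_mode require from su_role_template` in the message would make the cleanup auditable. Changing `type $1_su_t, su_domain_type;` to `type $1_su_t;` also means any rule written against the attribute elsewhere no longer reaches the per-role su domains, which is only safe if the su.te hunk removing the attribute leaves no remaining users.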
@@ -161,7 +154,7 @@ template(`su_role_template',`
allow $3 $1_su_t:process signal;
allow $1_su_t self:capability { audit_control audit_write chown
dac_override fowner net_bind_service setgid setuid sys_nice sys_resource };
- dontaudit $1_su_t self:capability sys_tty_config;
+ dontaudit $1_su_t self:capability { net_admin sys_tty_config };
allow $1_su_t self:process { setexec setsched setrlimit };
allow $1_su_t self:fifo_file rw_fifo_file_perms;
allow $1_su_t self:netlink_audit_socket { nlmsg_relay
create_netlink_socket_perms };
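Review bot: `dontaudit $1_su_t self:capability { net_admin sys_tty_config };` silences every net_admin capability check for the su domain, not only the setsockopt() case named in the commit message, so a later genuine need for net_admin would be invisible in the AVC log. The reason belongs next to the rule, since dontaudit lines are the first thing a maintainer removes when chasing a denial; a comment such as `# net_admin: spurious check triggered by setsockopt(), not required` above the dontaudit line would keep that context in the policy source. su_role_template starts and ends outside this hunk.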
@@ -197,6 +190,7 @@ template(`su_role_template',`
auth_dontaudit_read_shadow($1_su_t)
auth_use_nsswitch($1_su_t)
auth_rw_faillog($1_su_t)
+ auth_use_pam_systemd($1_su_t)
corecmd_search_bin($1_su_t)
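Review bot: `auth_use_pam_systemd($1_su_t)` is called unconditionally, and nothing in this hunk shows whether the interface guards its own rules; if authlogin's definition does not wrap them in `ifdef(`init_systemd', …)` or an `optional_policy` block, non-systemd builds would either fail on missing logind/dbus types or carry rules they do not need. Worth confirming against authlogin.if, or guarding the call here with `ifdef(`init_systemd',` … `)` as the module's other systemd-specific rules presumably are. The enclosing template starts and ends outside this hunk.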
@@ -208,6 +202,7 @@ template(`su_role_template',`
files_dontaudit_getattr_tmp_dirs($1_su_t)
init_dontaudit_use_fds($1_su_t)
+ init_dontaudit_read_state($1_su_t)
# Write to utmp.
init_rw_utmp($1_su_t)
@@ -232,11 +227,6 @@ template(`su_role_template',`
')
')
- ifdef(`hide_broken_symptoms',`
- # dontaudit leaked sockets from parent
- dontaudit $1_su_t $3:socket_class_set { read write };
- ')
-
tunable_policy(`allow_polyinstantiation',`
fs_mount_xattr_fs($1_su_t)
fs_unmount_xattr_fs($1_su_t)
diff --git a/policy/modules/admin/su.te b/policy/modules/admin/su.te
index e5537697..1264d7a6 100644
--- a/policy/modules/admin/su.te
+++ b/policy/modules/admin/su.te
@@ -5,7 +5,5 @@ policy_module(su, 1.14.1)
# Declarations
#
-attribute su_domain_type;
-
type su_exec_t;
corecmd_executable_file(su_exec_t)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 6de0a2d7..6a067ab2 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1695,6 +1695,26 @@ interface(`init_read_state',`
########################################
## <summary>
+## Dontaudit read the process state (/proc/pid) of init.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`init_dontaudit_read_state',`
+ gen_require(`
+ type init_t;
+ ')
+
+ dontaudit $1 init_t:dir search_dir_perms;
+ dontaudit $1 init_t:file read_file_perms;
+ dontaudit $1 init_t:lnk_file read_lnk_file_perms;
+')
+
+########################################
+## <summary>
## Ptrace init
## </summary>
## <param name="domain">
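Review bot: The new interface's summary reads `Dontaudit read the process state (/proc/pid) of init.`, which departs from the phrasing used for dontaudit variants elsewhere in the policy; the conventional form is `## Do not audit attempts to read the process state (/proc/pid) of init.`. The permission set (`search_dir_perms`, `read_file_perms`, `read_lnk_file_perms` on init_t) should mirror what `init_read_state`, defined just above this hunk, allows — its body is not visible here, so if it grants for example `list_dir_perms` on the directory, the dontaudit would cover a narrower set and some of the denials this interface is meant to silence would still be logged. A one-line comment in the interface noting that it is the dontaudit counterpart of `init_read_state` would make that pairing obvious to whoever next edits either one.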