commit:     13afa3ec8591b0522048fab442bb7f66bbeb5787
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Tue Mar 28 22:51:35 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Mar 30 11:46:48 2017 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=13afa3ec

systemd-resolvd, sessions, and tmpfiles take2

I believe that I have addressed all the issues Chris raised, so here's a newer
version of the patch which applies to today's git version.

Description: systemd-resolved, sessions, and tmpfiles patches
Author: Russell Coker <russell <AT> coker.com.au>
Last-Update: 2017-03-26

 policy/modules/kernel/files.if      |  92 ++++++++++++++++++++++++++++
 policy/modules/kernel/files.te      |   2 +-
 policy/modules/services/xserver.if  |  56 ++++++++++++++++-
 policy/modules/services/xserver.te  |   2 +-
 policy/modules/system/init.if       |  36 +++++++++++
 policy/modules/system/init.te       |   2 +-
 policy/modules/system/logging.if    | 116 ++++++++++++++++++++++++++++++++++++
 policy/modules/system/logging.te    |   2 +-
 policy/modules/system/miscfiles.if  |  19 ++++++
 policy/modules/system/miscfiles.te  |   2 +-
 policy/modules/system/systemd.te    |  84 +++++++++++++++++++++++++-
 policy/modules/system/userdomain.if |  18 ++++++
 policy/modules/system/userdomain.te |   2 +-
 13 files changed, 423 insertions(+), 10 deletions(-)

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 0d6fe3c5..9d7a929a 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -2835,6 +2835,24 @@ interface(`files_manage_etc_dirs',`
 
 ########################################
 ## <summary>
+##     Relabel directories to etc_t.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`files_relabelto_etc_dirs',`
+       gen_require(`
+               type etc_t;
+       ')
+
+       allow $1 etc_t:dir relabelto;
+')
+
+########################################
+## <summary>
 ##     Read generic files in /etc.
 ## </summary>
 ## <desc>
@@ -3813,6 +3831,24 @@ interface(`files_relabelto_home',`
 
 ########################################
 ## <summary>
+##     Relabel from user home root (/home).
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`files_relabelfrom_home',`
+       gen_require(`
+               type home_root_t;
+       ')
+
+       allow $1 home_root_t:dir relabelfrom;
+')
+
+########################################
+## <summary>
 ##     Create objects in /home.
 ## </summary>
 ## <param name="domain">
@@ -5500,6 +5536,24 @@ interface(`files_manage_var_dirs',`
 
 ########################################
 ## <summary>
+##     relabelto/from var directories
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`files_relabel_var_dirs',`
+       gen_require(`
+               type var_t;
+       ')
+
+       allow $1 var_t:dir { relabelfrom relabelto };
+')
+
+########################################
+## <summary>
 ##     Read files in the /var directory.
 ## </summary>
 ## <param name="domain">
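Review bot: The summary `relabelto/from var directories` breaks the sentence-style wording used by every neighbouring interface in files.if (compare `Relabel from user home root (/home).` and `Read files in the /var directory.` in this same file); it should read `##     Relabel to and from generic /var directories.`. The same lowercase-fragment style appears in the next hunk of this file (`manage var_lib_t dirs`, `relabel var_lib_t dirs`) and in xserver.if (`relabel the X windows console named pipes.`), and those summaries are what the generated interface documentation shows, so they are worth fixing together.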
@@ -5767,6 +5821,44 @@ interface(`files_rw_var_lib_dirs',`
 
 ########################################
 ## <summary>
+##     manage var_lib_t dirs
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`files_manage_var_lib_dirs',`
+       gen_require(`
+               type var_t, var_lib_t;
+       ')
+
+       allow $1 var_t:dir search_dir_perms;
+       allow $1 var_lib_t:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
+##     relabel var_lib_t dirs
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`files_relabel_var_lib_dirs',`
+       gen_require(`
+               type var_t, var_lib_t;
+       ')
+
+       allow $1 var_t:dir search_dir_perms;
+       allow $1 var_lib_t:dir { relabelfrom relabelto };
+')
+
+########################################
+## <summary>
 ##     Create objects in the /var/lib directory
 ## </summary>
 ## <param name="domain">
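Review bot: Both new interfaces spell out the container-search plus object rule by hand, while the miscfiles.if hunk in this same commit uses the `relabel_dirs_pattern`/`relabel_files_pattern` macros for the same shape of rule. `manage_dirs_pattern($1, var_t, var_lib_t)` expands to exactly the two allow rules of files_manage_var_lib_dirs, so the body could be that single line; for files_relabel_var_lib_dirs, `relabel_dirs_pattern($1, var_t, var_lib_t)` gives the same search rule and, I believe, `relabel_dir_perms` on var_lib_t, which adds getattr on top of relabelfrom/relabelto and is harmless for a relabel interface. Using the patterns keeps these consistent with the rest of the interface file and with the other hunk in this commit.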

diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index 9f911efd..10001b15 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -1,4 +1,4 @@
-policy_module(files, 1.23.7)
+policy_module(files, 1.23.8)
 
 ########################################
 #

diff --git a/policy/modules/services/xserver.if 
b/policy/modules/services/xserver.if
index 060adbfa..eae74b67 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -700,6 +700,42 @@ interface(`xserver_rw_console',`
 
 ########################################
 ## <summary>
+##      Create the X windows console named pipes.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`xserver_create_console_pipes',`
+       gen_require(`
+               type xconsole_device_t;
+       ')
+
+       allow $1 xconsole_device_t:fifo_file create;
+')
+
+########################################
+## <summary>
+##      relabel the X windows console named pipes.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`xserver_relabel_console_pipes',`
+       gen_require(`
+               type xconsole_device_t;
+       ')
+
+       allow $1 xconsole_device_t:fifo_file { getattr relabelfrom relabelto };
+')
+
+########################################
+## <summary>
 ##     Use file descriptors for xdm.
 ## </summary>
 ## <param name="domain">
@@ -788,7 +824,7 @@ interface(`xserver_dbus_chat_xdm',`
        gen_require(`
                type xdm_t;
                class dbus send_msg;
-        ')
+       ')
 
        allow $1 xdm_t:dbus send_msg;
        allow xdm_t $1:dbus send_msg;
@@ -1164,6 +1200,24 @@ interface(`xserver_read_xkb_libs',`
 
 ########################################
 ## <summary>
+##      Create xdm temporary directories.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain to allow access.
+##      </summary>
+## </param>
+#
+interface(`xserver_create_xdm_tmp_dirs',`
+       gen_require(`
+               type xdm_tmp_t;
+       ')
+
+       allow $1 xdm_tmp_t:dir create;
+')
+
+########################################
+## <summary>
 ##     Read xdm temporary files.
 ## </summary>
 ## <param name="domain">
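Review bot: The parameter summary of xserver_create_xdm_tmp_dirs says `Domain to allow access.` while every other interface added in this commit, including the two earlier in this file, uses `Domain allowed access.`; change the line to `##      Domain allowed access.` so the generated documentation stays uniform. The interface itself grants only `xdm_tmp_t:dir create`, which is fine for a tmpfiles-style creator provided the caller already has the parent-directory rights, but that dependency is worth a sentence in a `<desc>` block since the name does not convey it.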

diff --git a/policy/modules/services/xserver.te 
b/policy/modules/services/xserver.te
index 9bfbafcb..5750e14e 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -1,4 +1,4 @@
-policy_module(xserver, 3.13.4)
+policy_module(xserver, 3.13.5)
 
 gen_require(`
        class x_drawable all_x_drawable_perms;

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 195c5fa3..9b07a6e7 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1086,6 +1086,24 @@ interface(`init_list_var_lib_dirs',`
 
 ########################################
 ## <summary>
+##     Relabel dirs in /var/lib/systemd/.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`init_relabel_var_lib_dirs',`
+       gen_require(`
+               type init_var_lib_t;
+       ')
+
+       allow $1 init_var_lib_t:dir { relabelfrom relabelto };
+')
+
+########################################
+## <summary>
 ##     Manage files in /var/lib/systemd/.
 ## </summary>
 ## <param name="domain">
@@ -2529,6 +2547,24 @@ interface(`init_manage_utmp',`
 
 ########################################
 ## <summary>
+##     Relabel utmp.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`init_relabel_utmp',`
+       gen_require(`
+               type initrc_var_run_t;
+       ')
+
+       allow $1 initrc_var_run_t:file { relabelfrom relabelto };
+')
+
+########################################
+## <summary>
 ##     Create files in /var/run with the
 ##     utmp file type.
 ## </summary>

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 9a5ed6f8..dfde3f39 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 2.2.12)
+policy_module(init, 2.2.13)
 
 gen_require(`
        class passwd rootok;

diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 66da3da3..b2053a0b 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -435,6 +435,82 @@ interface(`logging_domtrans_syslog',`
 
 ########################################
 ## <summary>
+##     Set the attributes of syslog temporary files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <rolecap/>
+#
+interface(`logging_setattr_syslogd_tmp_files',`
+       gen_require(`
+               type syslogd_tmp_t;
+       ')
+
+       allow $1 syslogd_tmp_t:file setattr;
+')
+
+########################################
+## <summary>
+##     Relabel to and from syslog temporary file type.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <rolecap/>
+#
+interface(`logging_relabel_syslogd_tmp_files',`
+       gen_require(`
+               type syslogd_tmp_t;
+       ')
+
+       allow $1 syslogd_tmp_t:file { relabelfrom relabelto };
+')
+
+########################################
+## <summary>
+##     Set the attributes of syslog temporary directories.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <rolecap/>
+#
+interface(`logging_setattr_syslogd_tmp_dirs',`
+       gen_require(`
+               type syslogd_tmp_t;
+       ')
+
+       allow $1 syslogd_tmp_t:dir setattr;
+')
+
+########################################
+## <summary>
+##     Relabel to and from syslog temporary directory type.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <rolecap/>
+#
+interface(`logging_relabel_syslogd_tmp_dirs',`
+       gen_require(`
+               type syslogd_tmp_t;
+       ')
+
+       allow $1 syslogd_tmp_t:dir { relabelfrom relabelto };
+')
+
+########################################
+## <summary>
 ##     Create an object in the log directory, with a private type.
 ## </summary>
 ## <desc>
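Review bot: All four new interfaces carry a `<rolecap/>` tag, which in refpolicy marks an interface as one meant to be exposed to user roles in the role capability documentation; setattr and relabel of syslogd_tmp_t look like plumbing for systemd-tmpfiles rather than something an administrator role should be offered, so I would drop the `## <rolecap/>` line from each unless a role is intended to call them. The two interfaces in the second hunk of this file (logging_manage_generic_log_dirs, logging_relabel_generic_log_dirs) have the same tag and the same question applies there. This is inferred from the tag's usage elsewhere in the tree, so confirm against the existing logging interfaces before removing it.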
@@ -941,6 +1017,46 @@ interface(`logging_manage_all_logs',`
 
 ########################################
 ## <summary>
+##     Create, read, write, and delete generic log directories.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <rolecap/>
+#
+interface(`logging_manage_generic_log_dirs',`
+       gen_require(`
+               type var_log_t;
+       ')
+
+       files_search_var($1)
+       allow $1 var_log_t:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
+##     Relabel from and to generic log directory type.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <rolecap/>
+#
+interface(`logging_relabel_generic_log_dirs',`
+       gen_require(`
+               type var_log_t;
+       ')
+
+       files_search_var($1)
+       allow $1 var_log_t:dir { relabelfrom relabelto };
+')
+
+########################################
+## <summary>
 ##     Read generic log files.
 ## </summary>
 ## <param name="domain">

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 63e7092d..e5864342 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -1,4 +1,4 @@
-policy_module(logging, 1.25.8)
+policy_module(logging, 1.25.9)
 
 ########################################
 #

diff --git a/policy/modules/system/miscfiles.if 
b/policy/modules/system/miscfiles.if
index 5b9a8103..204390d1 100644
--- a/policy/modules/system/miscfiles.if
+++ b/policy/modules/system/miscfiles.if
@@ -652,6 +652,25 @@ interface(`miscfiles_manage_man_cache',`
 
 ########################################
 ## <summary>
+##      Relabel from and to man cache.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`miscfiles_relabel_man_cache',`
+       gen_require(`
+               type man_cache_t;
+       ')
+
+       relabel_dirs_pattern($1, man_cache_t, man_cache_t)
+       relabel_files_pattern($1, man_cache_t, man_cache_t)
+')
+
+########################################
+## <summary>
 ##     Read public files used for file
 ##     transfer services.
 ## </summary>

diff --git a/policy/modules/system/miscfiles.te 
b/policy/modules/system/miscfiles.te
index ec4d8dc0..3b180a36 100644
--- a/policy/modules/system/miscfiles.te
+++ b/policy/modules/system/miscfiles.te
@@ -1,4 +1,4 @@
-policy_module(miscfiles, 1.12.1)
+policy_module(miscfiles, 1.12.2)
 
 ########################################
 #

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index f5af4ce4..e1f4c3a7 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1,4 +1,4 @@
-policy_module(systemd, 1.3.13)
+policy_module(systemd, 1.3.14)
 
 #########################################
 #
@@ -613,9 +613,18 @@ optional_policy(`
 # Sessions local policy
 #
 
+allow systemd_sessions_t self:process setfscreate;
+
 allow systemd_sessions_t systemd_sessions_var_run_t:file manage_file_perms;
 files_pid_filetrans(systemd_sessions_t, systemd_sessions_var_run_t, file)
 
+selinux_get_enforce_mode(systemd_sessions_t)
+selinux_get_fs_mount(systemd_sessions_t)
+
+seutil_read_config(systemd_sessions_t)
+seutil_read_default_contexts(systemd_sessions_t)
+seutil_read_file_contexts(systemd_sessions_t)
+
 systemd_log_parse_environment(systemd_sessions_t)
 
 #########################################
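Review bot: `allow systemd_sessions_t self:process setfscreate;` is added without a comment saying which object the domain creates with an explicit context, and the seutil_read_default_contexts/seutil_read_file_contexts calls below it only hint that some label lookup happens. Because setfscreate lets a domain pick the label of anything it creates, a why-comment naming the file is needed for the next reviewer to judge whether a file-type transition would do instead; this commit already uses that style elsewhere (`# for /etc/mtab`), so something like `# <PLACEHOLDER: file that systemd-sessions creates with an explicit context>` above the rule, filled in with the actual path, would be enough.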
@@ -623,9 +632,14 @@ systemd_log_parse_environment(systemd_sessions_t)
 # Tmpfiles local policy
 #
 
-allow systemd_tmpfiles_t self:capability  { chown dac_override fowner fsetid 
mknod };
+allow systemd_tmpfiles_t self:capability { chown dac_override fowner fsetid 
mknod net_admin sys_admin };
 allow systemd_tmpfiles_t self:process { setfscreate getcap };
 
+allow systemd_tmpfiles_t systemd_coredump_var_lib_t:dir { relabelfrom 
relabelto manage_dir_perms };
+allow systemd_tmpfiles_t systemd_coredump_var_lib_t:file manage_file_perms;
+
+allow systemd_tmpfiles_t systemd_sessions_var_run_t:file { relabelfrom 
relabelto manage_file_perms };
+
 manage_dirs_pattern(systemd_tmpfiles_t, systemd_journal_t, systemd_journal_t)
 manage_files_pattern(systemd_tmpfiles_t, systemd_journal_t, systemd_journal_t)
 allow systemd_tmpfiles_t systemd_journal_t:dir { relabelfrom relabelto };
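Review bot: The rewritten capability line grants `net_admin sys_admin` to systemd_tmpfiles_t with no comment on which tmpfiles.d action needs them; sys_admin in particular is the broadest capability there is and refpolicy normally either justifies it inline or uses `dontaudit` when the access only appears as a probe. Suggest a comment above the rule such as `# net_admin/sys_admin: <PLACEHOLDER: tmpfiles.d action that requires them>`, and checking whether the denials were real failures or harmless probes that a dontaudit would silence. The relabelfrom/relabelto additions for systemd_coredump_var_lib_t and systemd_sessions_var_run_t further down look consistent with the relabel interfaces added elsewhere in this commit.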
@@ -635,25 +649,74 @@ allow systemd_tmpfiles_t systemd_tmpfiles_conf_t:dir 
list_dir_perms;
 allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms;
 
 kernel_read_kernel_sysctls(systemd_tmpfiles_t)
+kernel_read_network_state(systemd_tmpfiles_t)
 
+dev_manage_all_dev_nodes(systemd_tmpfiles_t)
+dev_read_urand(systemd_tmpfiles_t)
 dev_relabel_all_sysfs(systemd_tmpfiles_t)
 dev_read_urand(systemd_tmpfiles_t)
 dev_manage_all_dev_nodes(systemd_tmpfiles_t)
 
+files_create_lock_dirs(systemd_tmpfiles_t)
+files_manage_all_pid_dirs(systemd_tmpfiles_t)
+files_delete_usr_files(systemd_tmpfiles_t)
+files_list_home(systemd_tmpfiles_t)
+files_manage_generic_tmp_dirs(systemd_tmpfiles_t)
+files_manage_var_dirs(systemd_tmpfiles_t)
+files_manage_var_lib_dirs(systemd_tmpfiles_t)
+files_purge_tmp(systemd_tmpfiles_t)
 files_read_etc_files(systemd_tmpfiles_t)
 files_relabel_all_lock_dirs(systemd_tmpfiles_t)
 files_relabel_all_pid_dirs(systemd_tmpfiles_t)
 files_relabel_all_tmp_dirs(systemd_tmpfiles_t)
+files_relabel_var_dirs(systemd_tmpfiles_t)
+files_relabel_var_lib_dirs(systemd_tmpfiles_t)
+files_relabelfrom_home(systemd_tmpfiles_t)
+files_relabelto_home(systemd_tmpfiles_t)
+files_relabelto_etc_dirs(systemd_tmpfiles_t)
+# for /etc/mtab
+files_manage_etc_symlinks(systemd_tmpfiles_t)
 
-auth_manage_var_auth(systemd_tmpfiles_t)
+fs_getattr_xattr_fs(systemd_tmpfiles_t)
+
+selinux_get_fs_mount(systemd_tmpfiles_t)
+selinux_search_fs(systemd_tmpfiles_t)
+
+auth_manage_faillog(systemd_tmpfiles_t)
 auth_manage_login_records(systemd_tmpfiles_t)
+auth_manage_var_auth(systemd_tmpfiles_t)
 auth_relabel_login_records(systemd_tmpfiles_t)
 auth_setattr_login_records(systemd_tmpfiles_t)
 
+init_manage_utmp(systemd_tmpfiles_t)
+init_manage_var_lib_files(systemd_tmpfiles_t)
+# for /proc/1/environ
+init_read_state(systemd_tmpfiles_t)
+
+init_relabel_utmp(systemd_tmpfiles_t)
+init_relabel_var_lib_dirs(systemd_tmpfiles_t)
+
+logging_manage_generic_logs(systemd_tmpfiles_t)
+logging_manage_generic_log_dirs(systemd_tmpfiles_t)
+logging_relabel_generic_log_dirs(systemd_tmpfiles_t)
+logging_relabel_syslogd_tmp_files(systemd_tmpfiles_t)
+logging_relabel_syslogd_tmp_dirs(systemd_tmpfiles_t)
+logging_setattr_syslogd_tmp_files(systemd_tmpfiles_t)
+logging_setattr_syslogd_tmp_dirs(systemd_tmpfiles_t)
+
+miscfiles_manage_man_pages(systemd_tmpfiles_t)
+miscfiles_relabel_man_cache(systemd_tmpfiles_t)
+
+seutil_read_config(systemd_tmpfiles_t)
 seutil_read_file_contexts(systemd_tmpfiles_t)
 
+sysnet_create_config(systemd_tmpfiles_t)
+
 systemd_log_parse_environment(systemd_tmpfiles_t)
 
+userdom_manage_user_runtime_root_dirs(systemd_tmpfiles_t)
+userdom_relabel_user_runtime_root_dirs(systemd_tmpfiles_t)
+
 tunable_policy(`systemd_tmpfiles_manage_all',`
        # systemd-tmpfiles can be configured to manage anything.
        # have a last-resort option for users to do this.
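Review bot: The added `dev_manage_all_dev_nodes(systemd_tmpfiles_t)` and `dev_read_urand(systemd_tmpfiles_t)` lines duplicate the two identical calls that remain as context three lines below them; the policy still builds because allow rules are idempotent, but the duplicates should be dropped (keeping whichever pair leaves the dev_ block in its existing order). Separately, `sysnet_create_config(systemd_tmpfiles_t)` is the only line here that relates to the resolved part of the commit title and it carries no comment; a `# for /etc/resolv.conf` style note, in the same form as `# for /etc/mtab` above, would record why tmpfiles needs to create network config. The call to xserver_setattr_console_pipes in the next hunk is not defined in this diff, so it presumably already exists in xserver.if; worth confirming since the other three xserver interfaces used there are new in this commit.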
@@ -662,3 +725,18 @@ tunable_policy(`systemd_tmpfiles_manage_all',`
        files_relabel_non_security_dirs(systemd_tmpfiles_t)
        files_relabel_non_security_files(systemd_tmpfiles_t)
 ')
+
+optional_policy(`
+       dbus_read_lib_files(systemd_tmpfiles_t)
+')
+
+optional_policy(`
+       xfs_create_tmp_dirs(systemd_tmpfiles_t)
+')
+
+optional_policy(`
+       xserver_create_console_pipes(systemd_tmpfiles_t)
+       xserver_create_xdm_tmp_dirs(systemd_tmpfiles_t)
+       xserver_relabel_console_pipes(systemd_tmpfiles_t)
+       xserver_setattr_console_pipes(systemd_tmpfiles_t)
+')

diff --git a/policy/modules/system/userdomain.if 
b/policy/modules/system/userdomain.if
index 61065118..50100dd1 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -2946,6 +2946,24 @@ interface(`userdom_manage_user_runtime_root_dirs',`
 
 ########################################
 ## <summary>
+##     Relabel to and from user runtime root dirs.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`userdom_relabel_user_runtime_root_dirs',`
+       gen_require(`
+               type user_runtime_root_t;
+       ')
+
+       allow $1 user_runtime_root_t:dir { relabelfrom relabelto };
+')
+
+########################################
+## <summary>
 ##     Create, read, write, and delete user
 ##     runtime dirs.
 ## </summary>

diff --git a/policy/modules/system/userdomain.te 
b/policy/modules/system/userdomain.te
index cf58bd27..0cbf3cec 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -1,4 +1,4 @@
-policy_module(userdomain, 4.13.5)
+policy_module(userdomain, 4.13.6)
 
 ########################################
 #
