commit: 1b7b773c1a5f2df67ef78aa7e5cb1016d4d82638
Author: Krzysztof Nowicki <krissn <AT> op <DOT> pl>
AuthorDate: Sun May 14 15:24:03 2017 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu May 18 17:00:51 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=1b7b773c
Enable /etc directory protection using ProtectSystem
Setting this service option to 'full' or 'strict' will also remount the
/etc directory. Allow this in the policy.
This fixes the systemd-networkd service, but will also positively affect
any other service using the above hardening option.
policy/modules/kernel/files.if | 19 +++++++++++++++++++
policy/modules/system/init.te | 1 +
2 files changed, 20 insertions(+)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index a74f7913..c6df0a62 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -2853,6 +2853,25 @@ interface(`files_relabelto_etc_dirs',`
########################################
## <summary>
+## Mount a filesystem on the
+## etc directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_mounton_etc_dirs',`
+ gen_require(`
+ type etc_t;
+ ')
+
+ allow $1 etc_t:dir mounton;
+')
+
+########################################
+## <summary>
## Read generic files in /etc.
## </summary>
## <desc>
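Review bot: the new `files_mounton_etc_dirs` interface grants `mounton` on every directory labelled `etc_t`, not only /etc itself, so a caller can bind-mount over any etc_t subdirectory as well; the `<summary>` wording "etc directories" does reflect that, but the scope would be clearer with a short `<desc>` block stating it, as the neighbouring interface already has (`## <desc>` in the trailing context). The rule itself, `allow $1 etc_t:dir mounton;`, is the minimal permission for a bind mount onto these directories, so no broader file-system permission is needed here.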
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index f388f1e0..3d3697fb 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -288,6 +288,7 @@ ifdef(`init_systemd',`
files_search_kernel_modules(init_t)
# for privatetmp functions
files_mounton_tmp(init_t)
+ files_mounton_etc_dirs(init_t)
fs_relabel_cgroup_dirs(init_t)
fs_rw_cgroup_files(init_t)
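Review bot: the added `files_mounton_etc_dirs(init_t)` sits directly under the comment `# for privatetmp functions`, which only explains `files_mounton_tmp(init_t)`; give the new call its own comment (e.g. `# for ProtectSystem=full/strict`) so the reason for letting init_t mount on etc_t directories is recorded next to the call, matching how the tmp permission is annotated. Placing it inside the `ifdef(`init_systemd',` block is correct, since only the systemd build of the policy needs these bind-mount permissions.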