commit: 6b6d9fc0d2ae76f8c137b5c3bcb1f184d0c62c57
Author: Russell Coker <russell <AT> coker <DOT> com <DOT> au>
AuthorDate: Mon Feb 1 04:57:13 2021 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 6 21:15:09 2021 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=6b6d9fc0
new version of filetrans patch
Name changes suggested by Dominick and some more additions.
Signed-off-by: Russell Coker <russell <AT> coker.com.au>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/admin/dpkg.te | 20 +++++++++++++
policy/modules/services/aptcacher.if | 54 ++++++++++++++++++++++++++++++++++++
policy/modules/services/clamav.if | 36 ++++++++++++++++++++++++
policy/modules/services/ftp.if | 18 ++++++++++++
policy/modules/services/milter.if | 18 ++++++++++++
policy/modules/services/mysql.fc | 4 +--
policy/modules/services/mysql.if | 38 +++++++++++++++++++++++++
policy/modules/system/authlogin.if | 7 ++++-
policy/modules/system/init.te | 5 ++++
policy/modules/system/systemd.if | 25 +++++++++++++++++
policy/modules/system/unconfined.te | 1 +
11 files changed, 223 insertions(+), 3 deletions(-)
diff --git a/policy/modules/admin/dpkg.te b/policy/modules/admin/dpkg.te
index ee37e504..6830c795 100644
--- a/policy/modules/admin/dpkg.te
+++ b/policy/modules/admin/dpkg.te
@@ -276,6 +276,7 @@ term_use_all_terms(dpkg_script_t)
files_manage_non_auth_files(dpkg_script_t)
+auth_etc_filetrans_shadow(dpkg_script_t, "shadow.upwd-write")
auth_manage_shadow(dpkg_script_t)
init_all_labeled_script_domtrans(dpkg_script_t)
@@ -306,10 +307,20 @@ optional_policy(`
apt_use_fds(dpkg_script_t)
')
+optional_policy(`
+ aptcacher_filetrans_cache_dir(dpkg_script_t)
+ aptcacher_filetrans_conf_dir(dpkg_script_t)
+ aptcacher_filetrans_log_dir(dpkg_script_t)
+')
+
optional_policy(`
bootloader_run(dpkg_script_t, dpkg_roles)
')
+optional_policy(`
+ clamav_filetrans_log(dpkg_script_t)
+')
+
optional_policy(`
devicekit_dbus_chat_power(dpkg_script_t)
')
@@ -318,6 +329,10 @@ optional_policy(`
init_dbus_chat(dpkg_script_t)
')
+optional_policy(`
+ milter_filetrans_spamass_state(dpkg_script_t)
+')
+
optional_policy(`
modutils_run(dpkg_script_t, dpkg_roles)
')
@@ -326,6 +341,11 @@ optional_policy(`
mta_send_mail(dpkg_script_t)
')
+optional_policy(`
+ mysql_create_db_dir(dpkg_script_t)
+ mysql_create_log_dir(dpkg_script_t)
+')
+
optional_policy(`
nis_use_ypbind(dpkg_script_t)
')
diff --git a/policy/modules/services/aptcacher.if
b/policy/modules/services/aptcacher.if
index 12c1335a..bef83332 100644
--- a/policy/modules/services/aptcacher.if
+++ b/policy/modules/services/aptcacher.if
@@ -63,3 +63,57 @@ interface(`aptcacher_stream_connect',`
files_search_runtime($1)
stream_connect_pattern($1, aptcacher_runtime_t, aptcacher_runtime_t,
aptcacher_t)
')
+
+########################################
+## <summary>
+## create /var/log/apt-cacher-ng
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`aptcacher_filetrans_log_dir',`
+ gen_require(`
+ type aptcacher_log_t;
+ ')
+
+ logging_log_filetrans($1, aptcacher_log_t, dir, "apt-cacher-ng")
+')
+
+########################################
+## <summary>
+## create /var/cache/apt-cacher-ng
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`aptcacher_filetrans_cache_dir',`
+ gen_require(`
+ type aptcacher_cache_t;
+ ')
+
+ files_var_filetrans($1, aptcacher_cache_t, dir, "apt-cacher-ng")
+')
+
+########################################
+## <summary>
+## create /etc/apt-cacher-ng
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`aptcacher_filetrans_conf_dir',`
+ gen_require(`
+ type aptcacher_conf_t;
+ ')
+
+ files_etc_filetrans($1, aptcacher_conf_t, dir, "apt-cacher-ng")
+')
diff --git a/policy/modules/services/clamav.if
b/policy/modules/services/clamav.if
index 33909248..29d00c98 100644
--- a/policy/modules/services/clamav.if
+++ b/policy/modules/services/clamav.if
@@ -430,3 +430,39 @@ interface(`clamav_admin',`
files_list_tmp($1)
admin_pattern($1, { clamd_tmp_t clamscan_tmp_t })
')
+
+########################################
+## <summary>
+## specified domain creates /var/log/clamav/freshclam.log with correct type
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`clamav_filetrans_log',`
+ gen_require(`
+ type clamd_var_log_t, freshclam_var_log_t;
+ ')
+
+ filetrans_pattern($1, clamd_var_log_t, freshclam_var_log_t, file,
"freshclam.log")
+')
+
+########################################
+## <summary>
+## specified domain creates /run/clamav with correct type
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`clamav_filetrans_runtime_dir',`
+ gen_require(`
+ type clamd_runtime_t;
+ ')
+
+ files_runtime_filetrans($1, clamd_runtime_t, dir, "clamav")
+')
diff --git a/policy/modules/services/ftp.if b/policy/modules/services/ftp.if
index 56ac12bd..27af355f 100644
--- a/policy/modules/services/ftp.if
+++ b/policy/modules/services/ftp.if
@@ -189,3 +189,21 @@ interface(`ftp_admin',`
ftp_run_ftpdctl($1, $2)
')
+
+########################################
+## <summary>
+## create /run/pure-ftpd
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ftp_filetrans_pure_ftpd_runtime',`
+ gen_require(`
+ type ftpd_runtime_t;
+ ')
+
+ files_runtime_filetrans($1, ftpd_runtime_t, dir, "pure-ftpd")
+')
diff --git a/policy/modules/services/milter.if
b/policy/modules/services/milter.if
index d024d152..13b05498 100644
--- a/policy/modules/services/milter.if
+++ b/policy/modules/services/milter.if
@@ -98,6 +98,24 @@ interface(`milter_manage_spamass_state',`
manage_lnk_files_pattern($1, spamass_milter_state_t,
spamass_milter_state_t)
')
+########################################
+## <summary>
+## create spamass milter state dir
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`milter_filetrans_spamass_state',`
+ gen_require(`
+ type spamass_milter_state_t;
+ ')
+
+ files_var_lib_filetrans($1, spamass_milter_state_t, dir,
"spamass-milter")
+')
+
########################################
## <summary>
## Get the attributes of the spamassissin milter data dir.
diff --git a/policy/modules/services/mysql.fc b/policy/modules/services/mysql.fc
index d23f2636..7b7b45b3 100644
--- a/policy/modules/services/mysql.fc
+++ b/policy/modules/services/mysql.fc
@@ -25,8 +25,8 @@ HOME_DIR/\.my\.cnf --
gen_context(system_u:object_r:mysqld_home_t,s0)
/var/lib/mysql(/.*)? gen_context(system_u:object_r:mysqld_db_t,s0)
/var/lib/mysql/mysql.* -s
gen_context(system_u:object_r:mysqld_runtime_t,s0)
-/var/log/mariadb(/.*)? gen_context(system_u:object_r:mysqld_log_t,s0)
-/var/log/mysql.* -- gen_context(system_u:object_r:mysqld_log_t,s0)
+/var/log/mariadb(/.*)? gen_context(system_u:object_r:mysqld_log_t,s0)
+/var/log/mysql(/.*)? gen_context(system_u:object_r:mysqld_log_t,s0)
/run/mysqld.* gen_context(system_u:object_r:mysqld_runtime_t,s0)
/run/mysqlmanager.* --
gen_context(system_u:object_r:mysqlmanagerd_runtime_t,s0)
diff --git a/policy/modules/services/mysql.if b/policy/modules/services/mysql.if
index afdfbc6b..e89a66d9 100644
--- a/policy/modules/services/mysql.if
+++ b/policy/modules/services/mysql.if
@@ -241,6 +241,24 @@ interface(`mysql_manage_db_files',`
manage_files_pattern($1, mysqld_db_t, mysqld_db_t)
')
+########################################
+## <summary>
+## create mysqld db dir.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mysql_create_db_dir',`
+ gen_require(`
+ type mysqld_db_t;
+ ')
+
+ files_var_lib_filetrans($1, mysqld_db_t, dir, "mysql")
+')
+
########################################
## <summary>
## Create, read, write, and delete
@@ -325,9 +343,29 @@ interface(`mysql_write_log',`
')
logging_search_logs($1)
+ allow $1 mysqld_log_t:dir search_dir_perms;
allow $1 mysqld_log_t:file write_file_perms;
')
+########################################
+## <summary>
+## create mysqld log dir.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mysql_create_log_dir',`
+ gen_require(`
+ type mysqld_log_t;
+ ')
+
+ logging_search_logs($1)
+ logging_log_filetrans($1, mysqld_log_t, dir, "mysql")
+')
+
######################################
## <summary>
## Execute mysqld safe in the
diff --git a/policy/modules/system/authlogin.if
b/policy/modules/system/authlogin.if
index 8f8b8009..08361bb5 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -719,13 +719,18 @@ interface(`auth_manage_shadow',`
## Domain allowed access.
## </summary>
## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
#
interface(`auth_etc_filetrans_shadow',`
gen_require(`
type shadow_t;
')
- files_etc_filetrans($1, shadow_t, file)
+ files_etc_filetrans($1, shadow_t, file, $2)
')
#######################################
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index de5bca5e..1c9a5cdd 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1097,6 +1097,7 @@ optional_policy(`
')
optional_policy(`
+ clamav_filetrans_runtime_dir(initrc_t)
clamav_read_config(initrc_t)
')
@@ -1289,6 +1290,10 @@ optional_policy(`
fs_search_ramfs(initrc_t)
')
+optional_policy(`
+ ftp_filetrans_pure_ftpd_runtime(initrc_t)
+')
+
optional_policy(`
rpc_read_exports(initrc_t)
')
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 8e58c0d7..ac431aba 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -526,6 +526,31 @@ interface(`systemd_use_passwd_agent_fds',`
allow systemd_passwd_agent_t $1:fd use;
')
+########################################
+## <summary>
+## allow systemd_passwd_agent to be run by admin
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain that runs it
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## role that it runs in
+## </summary>
+## </param>
+#
+interface(`systemd_run_passwd_agent',`
+ gen_require(`
+ type systemd_passwd_agent_t, systemd_passwd_agent_exec_t;
+ ')
+
+ domain_auto_transition_pattern($1, systemd_passwd_agent_exec_t,
systemd_passwd_agent_t)
+ allow systemd_passwd_agent_t $1:fd use;
+ role $2 types systemd_passwd_agent_t;
+')
+
#######################################
## <summary>
## Allow a systemd_passwd_agent_t process to interact with a daemon
diff --git a/policy/modules/system/unconfined.te
b/policy/modules/system/unconfined.te
index eac4d285..42879fb7 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -66,6 +66,7 @@ ifdef(`init_systemd',`
optional_policy(`
systemd_dbus_chat_resolved(unconfined_t)
+ systemd_filetrans_passwd_runtime_dirs(unconfined_t)
')
')
