commit:     c1abcfe2a688ab2fc08722e4565ec5a98455d8fa
Author:     Yi Zhao <yi.zhao <AT> windriver <DOT> com>
AuthorDate: Tue Mar  2 05:41:55 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Nov 11 21:26:50 2021 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c1abcfe2

bind: fixes for bind

* add fcontext for /etc/rc.d/init.d/bind and /etc/bind/rndc.conf
* add getsched for named process

Fixes:
avc: denied { getsched } for pid=418 comm="named"
scontext=system_u:system_r:named_t tcontext=system_u:system_r:named_t
tclass=process permissive=0

Signed-off-by: Yi Zhao <yi.zhao <AT> windriver.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/services/bind.fc | 2 ++
 policy/modules/services/bind.te | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/policy/modules/services/bind.fc b/policy/modules/services/bind.fc
index ce68a0af..585103eb 100644
--- a/policy/modules/services/bind.fc
+++ b/policy/modules/services/bind.fc
@@ -1,8 +1,10 @@
 /etc/rc\.d/init\.d/named       --      
gen_context(system_u:object_r:named_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/bind        --      
gen_context(system_u:object_r:named_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/unbound     --      
gen_context(system_u:object_r:named_initrc_exec_t,s0)
 
 /etc/bind(/.*)?        gen_context(system_u:object_r:named_zone_t,s0)
 /etc/bind/named\.conf.*        --      
gen_context(system_u:object_r:named_conf_t,s0)
+/etc/bind/rndc\.conf.* --      gen_context(system_u:object_r:named_conf_t,s0)
 /etc/bind/rndc\.key    --      gen_context(system_u:object_r:dnssec_t,s0)
 /etc/dnssec-trigger/dnssec_trigger_server\.key --      
gen_context(system_u:object_r:dnssec_t,s0)
 /etc/named\.rfc1912\.zones     --      
gen_context(system_u:object_r:named_conf_t,s0)
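Review bot: The new `/etc/bind/rndc\.conf.*` entry labels rndc.conf as named_conf_t, while the `rndc\.key` line directly below it keeps the control-channel secret under the tighter dnssec_t. An rndc.conf that carries its `key { ... secret "..."; }` statement inline instead of `include`-ing rndc.key would therefore be readable by whatever domains the policy grants named_conf_t read access, which this hunk does not show. If that inline layout is expected on these systems, labelling it `gen_context(system_u:object_r:dnssec_t,s0)` to match rndc.key, or a short comment stating why named_conf_t is the intended label, would make the choice explicit. The trailing `.*` also covers derived names such as rndc.conf.bak (constructed example), consistent with the existing `named\.conf.*` pattern above it.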

diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te
index bf50763b..623437e9 100644
--- a/policy/modules/services/bind.te
+++ b/policy/modules/services/bind.te
@@ -76,7 +76,7 @@ role ndc_roles types ndc_t;
 
 allow named_t self:capability { chown dac_override fowner setgid setuid 
sys_chroot sys_nice sys_resource };
 dontaudit named_t self:capability sys_tty_config;
-allow named_t self:process { setsched getcap setcap setrlimit signal_perms };
+allow named_t self:process { setsched getsched getcap setcap setrlimit 
signal_perms };
 allow named_t self:fifo_file rw_fifo_file_perms;
 allow named_t self:unix_stream_socket { accept listen };
 allow named_t self:tcp_socket { accept listen };
