commit: 74c032778f9f1d5b0b4f3af6d91c297fef7f15ea
Author: Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Sat Sep 24 04:59:10 2022 +0000
Commit: Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Wed Nov 2 14:07:13 2022 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=74c03277
glusterfs: various fixes
Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>
policy/modules/services/glusterfs.fc | 12 ++++---
policy/modules/services/glusterfs.if | 70 ++++++++++++++++++++++++++++++++++++
policy/modules/services/glusterfs.te | 47 ++++++++++++++++++------
3 files changed, 114 insertions(+), 15 deletions(-)
diff --git a/policy/modules/services/glusterfs.fc
b/policy/modules/services/glusterfs.fc
index 8e538dc8e..158a4a85e 100644
--- a/policy/modules/services/glusterfs.fc
+++ b/policy/modules/services/glusterfs.fc
@@ -1,7 +1,7 @@
/etc/rc\.d/init\.d/gluster.* --
gen_context(system_u:object_r:glusterd_initrc_exec_t,s0)
-/etc/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_conf_t,s0)
-/etc/glusterd(/.*)? gen_context(system_u:object_r:glusterd_conf_t,s0)
+/etc/glusterfs(/.*)?
gen_context(system_u:object_r:glusterd_conf_t,s0)
+/etc/glusterd(/.*)?
gen_context(system_u:object_r:glusterd_conf_t,s0)
/usr/bin/glusterd --
gen_context(system_u:object_r:glusterd_initrc_exec_t,s0)
/usr/bin/glusterfsd --
gen_context(system_u:object_r:glusterd_exec_t,s0)
@@ -11,9 +11,11 @@
/opt/glusterfs/[^/]+/sbin/glusterfsd --
gen_context(system_u:object_r:glusterd_exec_t,s0)
-/var/lib/gluster.* gen_context(system_u:object_r:glusterd_var_lib_t,s0)
+/var/lib/gluster.*
gen_context(system_u:object_r:glusterd_var_lib_t,s0)
-/var/log/glusterfs(/.*)? gen_context(system_u:object_r:glusterd_log_t,s0)
+/var/log/glusterfs(/.*)?
gen_context(system_u:object_r:glusterd_log_t,s0)
-/run/glusterd(/.*)? gen_context(system_u:object_r:glusterd_runtime_t,s0)
+/run/gluster(/.*)?
gen_context(system_u:object_r:glusterd_runtime_t,s0)
+/run/glusterd(/.*)?
gen_context(system_u:object_r:glusterd_runtime_t,s0)
/run/glusterd\.pid --
gen_context(system_u:object_r:glusterd_runtime_t,s0)
+/run/glusterd\.socket -s
gen_context(system_u:object_r:glusterd_runtime_t,s0)
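Review bot: The new `/run/gluster(/.*)?` and `/run/glusterd\.socket` entries only label objects that already exist on disk; what glusterd creates at runtime gets its type from `files_runtime_filetrans(glusterd_t, glusterd_runtime_t, { dir file sock_file })` in glusterfs.te, which is unnamed and therefore labels any dir, file or socket the domain creates directly under /run as glusterd_runtime_t. Now that the names are pinned down in this file, that rule could be narrowed to one named transition per object, e.g. `files_runtime_filetrans(glusterd_t, glusterd_runtime_t, sock_file, "glusterd.socket")` and `files_runtime_filetrans(glusterd_t, glusterd_runtime_t, dir, "gluster")`, with matching lines for `glusterd` and `glusterd.pid`. That stops a misbehaving glusterd from populating /run with arbitrarily named glusterd_runtime_t objects, assuming nothing else is created there (worth confirming with an AVC run before dropping the unnamed rule).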
diff --git a/policy/modules/services/glusterfs.if
b/policy/modules/services/glusterfs.if
index 27c6bd6f7..b2b485ede 100644
--- a/policy/modules/services/glusterfs.if
+++ b/policy/modules/services/glusterfs.if
@@ -1,5 +1,71 @@
## <summary>Cluster File System binary, daemon and command line.</summary>
+########################################
+## <summary>
+## Execute glusterd in the glusterd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`glusterfs_domtrans_daemon',`
+ gen_require(`
+ type glusterd_t, glusterd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, glusterd_exec_t, glusterd_t)
+')
+
+########################################
+## <summary>
+## Execute glusterd in the glusterd domain, and
+## allow the specified role the glusterd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`glusterfs_run_daemon',`
+ gen_require(`
+ type glusterd_t;
+ ')
+
+ glusterfs_domtrans_daemon($1)
+ role $2 types glusterd_t;
+')
+
+########################################
+## <summary>
+## Connect to glusterd over a unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`glusterfs_stream_connect_daemon',`
+ gen_require(`
+ type glusterd_t;
+ type glusterd_runtime_t;
+ ')
+
+ files_search_runtime($1)
+ stream_connect_pattern($1, glusterd_runtime_t, glusterd_runtime_t,
glusterd_t)
+ allow $1 glusterd_runtime_t:sock_file read_sock_file_perms;
+')
+
########################################
## <summary>
## All of the rules required to
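Review bot: `allow $1 glusterd_runtime_t:sock_file read_sock_file_perms;` in `glusterfs_stream_connect_daemon` is unusual: `stream_connect_pattern` on the line above already grants `write_sock_file_perms` (getattr and open included), and connect() on a unix socket is checked as write on the sock_file, not read. If the line was added to silence a specific denial, a one-line comment naming the caller that needs it will keep the next reviewer from removing it; otherwise it should be dropped. A smaller documentation point: in the .fc, `/usr/bin/glusterd` is `glusterd_initrc_exec_t` while `glusterd_exec_t` is `/usr/bin/glusterfsd`, so the summaries of `glusterfs_domtrans_daemon` and `glusterfs_run_daemon` would be more accurate as `## Execute glusterfsd (glusterd_exec_t) in the glusterd domain.`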
@@ -24,11 +90,15 @@ interface(`glusterfs_admin',`
type glusterd_runtime_t;
')
+ glusterfs_run_daemon($1, $2)
+
init_startstop_service($1, $2, glusterd_t, glusterd_initrc_exec_t)
allow $1 glusterd_t:process { ptrace signal_perms };
ps_process_pattern($1, glusterd_t)
+ glusterfs_stream_connect_daemon($1)
+
files_search_etc($1)
admin_pattern($1, glusterd_conf_t)
diff --git a/policy/modules/services/glusterfs.te
b/policy/modules/services/glusterfs.te
index de4f9baea..2d94845d9 100644
--- a/policy/modules/services/glusterfs.te
+++ b/policy/modules/services/glusterfs.te
@@ -32,11 +32,11 @@ files_type(glusterd_var_lib_t)
# Local policy
#
-allow glusterd_t self:capability { chown dac_override dac_read_search fowner
sys_admin sys_resource };
-allow glusterd_t self:process { setrlimit signal };
+allow glusterd_t self:capability { chown dac_override dac_read_search fowner
ipc_lock sys_admin sys_resource };
+allow glusterd_t self:process { getsched setrlimit signal signull };
allow glusterd_t self:fifo_file rw_fifo_file_perms;
-allow glusterd_t self:tcp_socket { accept listen };
-allow glusterd_t self:unix_stream_socket { accept listen };
+allow glusterd_t self:tcp_socket create_stream_socket_perms;
+allow glusterd_t self:unix_stream_socket { create_stream_socket_perms
connectto };
manage_dirs_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t)
manage_files_pattern(glusterd_t, glusterd_conf_t, glusterd_conf_t)
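Review bot: The new `ipc_lock` capability and `self:unix_stream_socket { ... connectto }` carry no why-comment, and the commit message ("various fixes") does not say which failure they address. `self connectto` is presumably needed because glusterd and the glusterfsd processes it execs via `can_exec(glusterd_t, glusterd_exec_t)` later in the file all run in glusterd_t and connect to each other's unix sockets — worth confirming and recording with a comment such as `# glusterd and the brick daemons it execs share this domain and connect to each other's unix sockets` above the socket rule. `ipc_lock` (mlock of memory) deserves a comment naming the code path that triggers it, and the same goes for `getsched` and `signull`, since none of them can be re-derived from the policy alone.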
@@ -58,17 +58,14 @@ manage_files_pattern(glusterd_t, glusterd_runtime_t,
glusterd_runtime_t)
manage_sock_files_pattern(glusterd_t, glusterd_runtime_t, glusterd_runtime_t)
files_runtime_filetrans(glusterd_t, glusterd_runtime_t, { dir file sock_file })
+can_exec(glusterd_t, glusterd_var_lib_t)
manage_dirs_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
manage_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
+manage_lnk_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)
files_var_lib_filetrans(glusterd_t, glusterd_var_lib_t, dir)
can_exec(glusterd_t, glusterd_exec_t)
-kernel_read_system_state(glusterd_t)
-
-corecmd_exec_bin(glusterd_t)
-corecmd_exec_shell(glusterd_t)
-
corenet_all_recvfrom_netlabel(glusterd_t)
corenet_tcp_sendrecv_generic_if(glusterd_t)
corenet_udp_sendrecv_generic_if(glusterd_t)
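Review bot: `can_exec(glusterd_t, glusterd_var_lib_t)` together with `manage_files_pattern(glusterd_t, glusterd_var_lib_t, glusterd_var_lib_t)` two lines below lets the domain both write and execute the same files, so any bug that makes this network-facing daemon write under /var/lib/gluster* turns into code execution in glusterd_t with no type boundary in the way. If the intent is the hook scripts glusterd runs (upstream keeps them under /var/lib/glusterd — confirm), the safer shape is a dedicated exec type for the hooks directory, labelled in the .fc, with `can_exec` on that type only and no write access to it from glusterd_t, so executable content stays separate from the state the daemon rewrites. At minimum the rule needs a why-comment, e.g. `# glusterd runs hook scripts kept under its var_lib tree`, and the new `manage_lnk_files_pattern` line should say whether it serves those same hooks.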
@@ -77,6 +74,9 @@ corenet_udp_sendrecv_generic_node(glusterd_t)
corenet_tcp_bind_generic_node(glusterd_t)
corenet_udp_bind_generic_node(glusterd_t)
+corenet_tcp_bind_glusterd_port(glusterd_t)
+corenet_tcp_connect_glusterd_port(glusterd_t)
+
# Too coarse?
corenet_sendrecv_all_server_packets(glusterd_t)
corenet_tcp_bind_all_reserved_ports(glusterd_t)
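Review bot: `corenet_tcp_connect_glusterd_port(glusterd_t)` is subsumed by `corenet_tcp_connect_all_unreserved_ports(glusterd_t)` further down, assuming glusterd_port_t carries the unreserved attribute refpolicy assigns to ports above 1023, so on its own it adds nothing; the bind rule is the one that grants new access, since only `corenet_tcp_bind_all_reserved_ports` was there before. Making the glusterd port explicit is the right direction, but the benefit only arrives when the rules under `# Too coarse?` are retired in favour of the ports gluster actually uses. Either do that here or leave a marker, e.g. `# explicit glusterd port rules; the *_all_* rules below are pending removal`, so the specific rules are not mistaken for dead duplication.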
@@ -86,17 +86,44 @@ corenet_udp_bind_ipp_port(glusterd_t)
corenet_sendrecv_all_client_packets(glusterd_t)
corenet_tcp_connect_all_unreserved_ports(glusterd_t)
+corecmd_exec_bin(glusterd_t)
+corecmd_exec_shell(glusterd_t)
+
dev_read_sysfs(glusterd_t)
dev_read_urand(glusterd_t)
domain_read_all_domains_state(glusterd_t)
-
domain_use_interactive_fds(glusterd_t)
files_read_usr_files(glusterd_t)
+files_mounton_mnt(glusterd_t)
+
+fs_dontaudit_getattr_all_fs(glusterd_t)
+fs_getattr_xattr_fs(glusterd_t)
+fs_mount_fusefs(glusterd_t)
+fs_unmount_fusefs(glusterd_t)
+
+kernel_dontaudit_getattr_proc(glusterd_t)
+kernel_read_kernel_sysctls(glusterd_t)
+kernel_read_net_sysctls(glusterd_t)
+kernel_read_system_state(glusterd_t)
+
+storage_rw_fuse(glusterd_t)
auth_use_nsswitch(glusterd_t)
+hostname_exec(glusterd_t)
+
logging_send_syslog_msg(glusterd_t)
+miscfiles_read_generic_certs(glusterd_t)
miscfiles_read_localization(glusterd_t)
+
+# needed by relabeling hooks when adding bricks
+seutil_domtrans_semanage(glusterd_t)
+seutil_exec_setfiles(glusterd_t)
+seutil_read_default_contexts(glusterd_t)
+
+userdom_dontaudit_search_user_runtime_root(glusterd_t)
+
+xdg_dontaudit_search_data_dirs(glusterd_t)
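Review bot: `seutil_domtrans_semanage(glusterd_t)` lets a network-facing daemon transition into the policy-management domain, which can change file contexts, booleans and loaded modules system-wide, and the only justification is "needed by relabeling hooks when adding bricks". That is far broader than a relabel: if the hooks only run setfiles/restorecon, `seutil_domtrans_setfiles(glusterd_t)` keeps the relabel inside setfiles_t without granting policy modification, and note that `seutil_exec_setfiles` as written runs setfiles inside glusterd_t, which would then need its own relabel permissions on the brick paths, none of which are added in this hunk — check against the actual hook scripts. If semanage really is required (e.g. adding an fcontext for a new brick path), gate the three `seutil_*` lines behind a tunable that defaults to off and widen the comment to say which semanage subcommand the hooks invoke. If the file continues past `xdg_dontaudit_search_data_dirs` it is outside this view.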