commit: 0d854a362ee5625add66fcb2212d27a035639f48
Author: Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Sat Sep 24 17:51:14 2022 +0000
Commit: Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Wed Nov 2 14:07:18 2022 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=0d854a36
glusterfs, selinuxutil: make modifying fcontexts a tunable
Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>
policy/modules/services/glusterfs.te | 26 +++++++++++++++++++++-----
policy/modules/system/selinuxutil.if | 36 ++++++++++++++++++++++++++++++++++++
policy/modules/system/selinuxutil.te | 11 +++++++----
3 files changed, 64 insertions(+), 9 deletions(-)
diff --git a/policy/modules/services/glusterfs.te
b/policy/modules/services/glusterfs.te
index 690aa828a..85a55ed5b 100644
--- a/policy/modules/services/glusterfs.te
+++ b/policy/modules/services/glusterfs.te
@@ -1,5 +1,15 @@
policy_module(glusterfs)
+## <desc>
+## <p>
+## Allow the gluster daemon to automatically
+## add and remove file contexts from the local
+## SELinux policy when adding and removing
+## bricks.
+## </p>
+## </desc>
+gen_tunable(glusterfs_modify_policy, false)
+
########################################
#
# Declarations
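Review bot: The `<desc>` block for the new glusterfs_modify_policy tunable does not say what happens at its default of false, yet the else branch of the tunable_policy block added later in this file dontaudits the semanage and setfiles access, so a brick add or remove whose hook needs it fails with no AVC in the audit log. Since every installation starts in that state, the description should say so, for example inserting `## When disabled, these accesses are silently denied and the relabeling hooks will fail.` before `## </p>`. A reader looking at the description alone otherwise has no hint that a missing denial message is expected rather than a logging problem.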
@@ -129,11 +139,17 @@ logging_send_syslog_msg(glusterd_t)
miscfiles_read_generic_certs(glusterd_t)
miscfiles_read_localization(glusterd_t)
-# needed by relabeling hooks when adding bricks
-seutil_domtrans_semanage(glusterd_t)
-seutil_exec_setfiles(glusterd_t)
-seutil_read_default_contexts(glusterd_t)
-
userdom_dontaudit_search_user_runtime_root(glusterd_t)
xdg_dontaudit_search_data_dirs(glusterd_t)
+
+tunable_policy(`glusterfs_modify_policy',`
+ # needed by relabeling hooks when adding bricks
+ seutil_domtrans_semanage(glusterd_t)
+ seutil_exec_setfiles(glusterd_t)
+ seutil_read_default_contexts(glusterd_t)
+',`
+ seutil_dontaudit_exec_semanage(glusterd_t)
+ seutil_dontaudit_exec_setfiles(glusterd_t)
+ seutil_dontaudit_read_file_contexts(glusterd_t)
+')
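Review bot: The two branches of the new tunable_policy block are not mirror images: the false branch calls `seutil_dontaudit_read_file_contexts(glusterd_t)`, while the true branch only grants `seutil_read_default_contexts(glusterd_t)`, which going by the interface names covers a different set of files. Because `seutil_exec_setfiles` is a can_exec rather than a domain transition, setfiles presumably runs in glusterd_t and would read the file_contexts files itself; if that access is required, `seutil_read_file_contexts(glusterd_t)` belongs in the true branch, and if it is not, the dontaudit is surplus and hides a denial that would be useful when debugging the hooks. Separately, the inline comment still reads `# needed by relabeling hooks when adding bricks` while the tunable description covers adding and removing bricks; aligning the two avoids a misleading hint.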
diff --git a/policy/modules/system/selinuxutil.if
b/policy/modules/system/selinuxutil.if
index c0735f2b8..30db6a094 100644
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
@@ -574,6 +574,24 @@ interface(`seutil_exec_setfiles',`
can_exec($1, setfiles_exec_t)
')
+########################################
+## <summary>
+## Do not audit attempts to execute setfiles.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`seutil_dontaudit_exec_setfiles',`
+ gen_require(`
+ type setfiles_exec_t;
+ ')
+
+ dontaudit $1 setfiles_exec_t:file exec_file_perms;
+')
+
########################################
## <summary>
## Do not audit attempts to search the SELinux
@@ -1028,6 +1046,24 @@ interface(`seutil_run_semanage',`
roleattribute $2 semanage_roles;
')
+########################################
+## <summary>
+## Do not audit attempts to execute semanage.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`seutil_dontaudit_exec_semanage',`
+ gen_require(`
+ type semanage_exec_t;
+ ')
+
+ dontaudit $1 semanage_exec_t:file exec_file_perms;
+')
+
########################################
## <summary>
## Read the semanage module store.
diff --git a/policy/modules/system/selinuxutil.te
b/policy/modules/system/selinuxutil.te
index 14a17175f..2b823b543 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -209,8 +209,9 @@ ifdef(`distro_ubuntu',`
')
optional_policy(`
- # glusterd calls semanage fcontext
- glusterfs_use_daemon_fds(load_policy_t)
+ tunable_policy(`glusterfs_modify_policy',`
+ glusterfs_use_daemon_fds(load_policy_t)
+ ')
')
optional_policy(`
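Review bot: The new tunable_policy block inside the load_policy_t optional_policy no longer carries any explanation of why load_policy_t would inherit glusterd's descriptors, so a reader now has to trace the semanage path themselves. Keep a comment inside the block, e.g. `# glusterd calls semanage fcontext when modifying policy` above `glusterfs_use_daemon_fds(load_policy_t)`. The same applies to the setfiles_t block in the next hunk of this file, which has no comment either.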
@@ -695,11 +696,13 @@ ifdef(`distro_ubuntu',`
')
optional_policy(`
- apt_use_fds(setfiles_t)
+ tunable_policy(`glusterfs_modify_policy',`
+ glusterfs_use_daemon_fds(setfiles_t)
+ ')
')
optional_policy(`
- glusterfs_use_daemon_fds(setfiles_t)
+ apt_use_fds(setfiles_t)
')
optional_policy(`
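Review bot: This hunk moves the glusterfs optional_policy block ahead of the apt one, which appears to break the alphabetical ordering refpolicy keeps for optional_policy blocks and turns a two-line addition into a swap of both blocks. Leave `apt_use_fds(setfiles_t)` where it was and wrap the existing `glusterfs_use_daemon_fds(setfiles_t)` line in the tunable_policy block in place, so the diff only adds the tunable's opening and closing lines. The section these blocks sit in (the hunk header names an ifdef distro_ubuntu region) starts and ends outside the hunk, so I cannot confirm from here whether any other block in it was reordered.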