author | Chris PeBenito <pebenito@ieee.org> | 2017-03-28 18:51:35 -0400 |
committer | Jason Zaman <jason@perfinion.com> | 2017-03-30 19:46:48 +0800 |
commit | 13afa3ec8591b0522048fab442bb7f66bbeb5787 (patch) | |
tree | 437db7a0d58b3e6e4cb43995de84df29596da500 | |
parent | travis: move after_success tests into script section (diff) | |
systemd-resolvd, sessions, and tmpfiles take2
I believe that I have addressed all the issues Chris raised, so here's a newer
version of the patch which applies to today's git version.
Description: systemd-resolved, sessions, and tmpfiles patches
Author: Russell Coker <russell@coker.com.au>
Last-Update: 2017-03-26
-rw-r--r-- | policy/modules/kernel/files.if | 92 | ||||
-rw-r--r-- | policy/modules/kernel/files.te | 2 | ||||
-rw-r--r-- | policy/modules/services/xserver.if | 56 | ||||
-rw-r--r-- | policy/modules/services/xserver.te | 2 | ||||
-rw-r--r-- | policy/modules/system/init.if | 36 | ||||
-rw-r--r-- | policy/modules/system/init.te | 2 | ||||
-rw-r--r-- | policy/modules/system/logging.if | 116 | ||||
-rw-r--r-- | policy/modules/system/logging.te | 2 | ||||
-rw-r--r-- | policy/modules/system/miscfiles.if | 19 | ||||
-rw-r--r-- | policy/modules/system/miscfiles.te | 2 | ||||
-rw-r--r-- | policy/modules/system/systemd.te | 84 | ||||
-rw-r--r-- | policy/modules/system/userdomain.if | 18 | ||||
-rw-r--r-- | policy/modules/system/userdomain.te | 2 |
13 files changed, 423 insertions, 10 deletions
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 0d6fe3c56..9d7a929ab 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -2835,6 +2835,24 @@ interface(`files_manage_etc_dirs',`
 ########################################
 ## <summary>
+## Relabel directories to etc_t.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_relabelto_etc_dirs',`
+ gen_require(`
+ type etc_t;
+ ')
+
+ allow $1 etc_t:dir relabelto;
+')
+
+########################################
+## <summary>
 ## Read generic files in /etc.
 ## </summary>
 ## <desc>
@@ -3813,6 +3831,24 @@ interface(`files_relabelto_home',`
 ########################################
 ## <summary>
+## Relabel from user home root (/home).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_relabelfrom_home',`
+ gen_require(`
+ type home_root_t;
+ ')
+
+ allow $1 home_root_t:dir relabelfrom;
+')
+
+########################################
+## <summary>
 ## Create objects in /home.
 ## </summary>
 ## <param name="domain">
@@ -5500,6 +5536,24 @@ interface(`files_manage_var_dirs',`
 ########################################
 ## <summary>
+## relabelto/from var directories
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_relabel_var_dirs',`
+ gen_require(`
+ type var_t;
+ ')
+
+ allow $1 var_t:dir { relabelfrom relabelto };
+')
+
+########################################
+## <summary>
 ## Read files in the /var directory.
 ## </summary>
 ## <param name="domain">
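Review bot: The summary of `files_relabel_var_dirs` is a lower-case fragment (`relabelto/from var directories`) where every neighbouring interface in this file uses a sentence, and the same applies to `files_manage_var_lib_dirs` and `files_relabel_var_lib_dirs` in the next hunk and to `xserver_relabel_console_pipes` in xserver.if; these summaries are what the generated interface documentation shows. Suggest `## Relabel to and from generic /var directories.`, `## Create, read, write, and delete generic /var/lib directories.` and `## Relabel to and from generic /var/lib directories.`, matching the existing `Read files in the /var directory.` style. `files_relabelto_etc_dirs` names the type rather than the path its neighbours describe; `## Relabel directories to the generic /etc type.` would read like the surrounding entries.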
@@ -5767,6 +5821,44 @@ interface(`files_rw_var_lib_dirs',`
 ########################################
 ## <summary>
+## manage var_lib_t dirs
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_manage_var_lib_dirs',`
+ gen_require(`
+ type var_t, var_lib_t;
+ ')
+
+ allow $1 var_t:dir search_dir_perms;
+ allow $1 var_lib_t:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
+## relabel var_lib_t dirs
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_relabel_var_lib_dirs',`
+ gen_require(`
+ type var_t, var_lib_t;
+ ')
+
+ allow $1 var_t:dir search_dir_perms;
+ allow $1 var_lib_t:dir { relabelfrom relabelto };
+')
+
+########################################
+## <summary>
 ## Create objects in the /var/lib directory
 ## </summary>
 ## <param name="domain">
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te
index 9f911efdb..10001b152 100644
--- a/policy/modules/kernel/files.te
+++ b/policy/modules/kernel/files.te
@@ -1,4 +1,4 @@
-policy_module(files, 1.23.7)
+policy_module(files, 1.23.8)
 ########################################
 #
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index 060adbfab..eae74b67b 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -700,6 +700,42 @@ interface(`xserver_rw_console',`
 ########################################
 ## <summary>
+## Create the X windows console named pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_create_console_pipes',`
+ gen_require(`
+ type xconsole_device_t;
+ ')
+
+ allow $1 xconsole_device_t:fifo_file create;
+')
+
+########################################
+## <summary>
+## relabel the X windows console named pipes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_relabel_console_pipes',`
+ gen_require(`
+ type xconsole_device_t;
+ ')
+
+ allow $1 xconsole_device_t:fifo_file { getattr relabelfrom relabelto };
+')
+
+########################################
+## <summary>
 ## Use file descriptors for xdm.
 ## </summary>
 ## <param name="domain">
@@ -788,7 +824,7 @@ interface(`xserver_dbus_chat_xdm',`
 gen_require(`
 type xdm_t;
 class dbus send_msg;
- ')
+ ')
 allow $1 xdm_t:dbus send_msg;
 allow xdm_t $1:dbus send_msg;
@@ -1164,6 +1200,24 @@ interface(`xserver_read_xkb_libs',`
 ########################################
 ## <summary>
+## Create xdm temporary directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to allow access.
+## </summary>
+## </param>
+#
+interface(`xserver_create_xdm_tmp_dirs',`
+ gen_require(`
+ type xdm_tmp_t;
+ ')
+
+ allow $1 xdm_tmp_t:dir create;
+')
+
+########################################
+## <summary>
 ## Read xdm temporary files.
 ## </summary>
 ## <param name="domain">
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 9bfbafcb4..5750e14ea 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -1,4 +1,4 @@
-policy_module(xserver, 3.13.4)
+policy_module(xserver, 3.13.5)
 gen_require(`
 class x_drawable all_x_drawable_perms;
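Review bot: `xserver_relabel_console_pipes` grants `{ getattr relabelfrom relabelto }` while the parallel interfaces this commit adds elsewhere (`init_relabel_utmp`, `logging_relabel_syslogd_tmp_files`, `userdom_relabel_user_runtime_root_dirs`) grant only `{ relabelfrom relabelto }`; either convention is defensible (the relabel_*_pattern macros used by `miscfiles_relabel_man_cache` include getattr, if I recall their expansion correctly), but the commit should pick one so callers know whether they also need a getattr/setattr interface. In `xserver_create_xdm_tmp_dirs` the parameter summary reads `Domain to allow access.` where every other interface in the commit says `Domain allowed access.`. The `xserver_dbus_chat_xdm` hunk is a whitespace-only fix to the `')` line and needs no review.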
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 195c5fa33..9b07a6e74 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1086,6 +1086,24 @@ interface(`init_list_var_lib_dirs',`
 ########################################
 ## <summary>
+## Relabel dirs in /var/lib/systemd/.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_relabel_var_lib_dirs',`
+ gen_require(`
+ type init_var_lib_t;
+ ')
+
+ allow $1 init_var_lib_t:dir { relabelfrom relabelto };
+')
+
+########################################
+## <summary>
 ## Manage files in /var/lib/systemd/.
 ## </summary>
 ## <param name="domain">
@@ -2529,6 +2547,24 @@ interface(`init_manage_utmp',`
 ########################################
 ## <summary>
+## Relabel utmp.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_relabel_utmp',`
+ gen_require(`
+ type initrc_var_run_t;
+ ')
+
+ allow $1 initrc_var_run_t:file { relabelfrom relabelto };
+')
+
+########################################
+## <summary>
 ## Create files in /var/run with the
 ## utmp file type.
 ## </summary>
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 9a5ed6f8d..dfde3f39a 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,4 +1,4 @@
-policy_module(init, 2.2.12)
+policy_module(init, 2.2.13)
 gen_require(`
 class passwd rootok;
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 66da3da39..b2053a0b1 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
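Review bot: `init_relabel_utmp` grants `{ relabelfrom relabelto }` on every `initrc_var_run_t` file, and in refpolicy that type labels the other init runtime files under /run as well as utmp, so the summary `Relabel utmp.` understates what a caller receives (the sibling `init_manage_utmp` in the hunk context has the same naming, so this is inherited, but a new interface is the place to be precise). Suggest `## Relabel to and from the utmp file type (initrc_var_run_t), which also labels other init runtime files in /run.` The first hunk's `init_relabel_var_lib_dirs` is fine as written; naming `init_var_lib_t` in its summary, as the utmp one should, would keep the two consistent.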
@@ -435,6 +435,82 @@ interface(`logging_domtrans_syslog',`
 ########################################
 ## <summary>
+## Set the attributes of syslog temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`logging_setattr_syslogd_tmp_files',`
+ gen_require(`
+ type syslogd_tmp_t;
+ ')
+
+ allow $1 syslogd_tmp_t:file setattr;
+')
+
+########################################
+## <summary>
+## Relabel to and from syslog temporary file type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`logging_relabel_syslogd_tmp_files',`
+ gen_require(`
+ type syslogd_tmp_t;
+ ')
+
+ allow $1 syslogd_tmp_t:file { relabelfrom relabelto };
+')
+
+########################################
+## <summary>
+## Set the attributes of syslog temporary directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`logging_setattr_syslogd_tmp_dirs',`
+ gen_require(`
+ type syslogd_tmp_t;
+ ')
+
+ allow $1 syslogd_tmp_t:dir setattr;
+')
+
+########################################
+## <summary>
+## Relabel to and from syslog temporary directory type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`logging_relabel_syslogd_tmp_dirs',`
+ gen_require(`
+ type syslogd_tmp_t;
+ ')
+
+ allow $1 syslogd_tmp_t:dir { relabelfrom relabelto };
+')
+
+########################################
+## <summary>
 ## Create an object in the log directory, with a private type.
 ## </summary>
 ## <desc>
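Review bot: All four new logging interfaces carry `## <rolecap/>`, which in refpolicy marks an interface as a capability that user roles may be granted, yet setattr and relabel of `syslogd_tmp_t` objects is a system-daemon need (the only caller added in this commit is systemd_tmpfiles_t), and none of the parallel interfaces added in files.if, init.if, xserver.if or userdomain.if carry the tag. Unless these are meant to appear in the role documentation, drop the `## <rolecap/>` line from `logging_setattr_syslogd_tmp_files`, `logging_relabel_syslogd_tmp_files`, `logging_setattr_syslogd_tmp_dirs` and `logging_relabel_syslogd_tmp_dirs`, and likewise from `logging_manage_generic_log_dirs` and `logging_relabel_generic_log_dirs` in the next hunk. If the tag is intentional, a sentence in the `<desc>` saying which role needs it would justify the wider audience.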
@@ -941,6 +1017,46 @@ interface(`logging_manage_all_logs',`
 ########################################
 ## <summary>
+## Create, read, write, and delete generic log directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`logging_manage_generic_log_dirs',`
+ gen_require(`
+ type var_log_t;
+ ')
+
+ files_search_var($1)
+ allow $1 var_log_t:dir manage_dir_perms;
+')
+
+########################################
+## <summary>
+## Relabel from and to generic log directory type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`logging_relabel_generic_log_dirs',`
+ gen_require(`
+ type var_log_t;
+ ')
+
+ files_search_var($1)
+ allow $1 var_log_t:dir { relabelfrom relabelto };
+')
+
+########################################
+## <summary>
 ## Read generic log files.
 ## </summary>
 ## <param name="domain">
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 63e7092df..e5864342b 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -1,4 +1,4 @@
-policy_module(logging, 1.25.8)
+policy_module(logging, 1.25.9)
 ########################################
 #
diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
index 5b9a81037..204390d19 100644
--- a/policy/modules/system/miscfiles.if
+++ b/policy/modules/system/miscfiles.if
@@ -652,6 +652,25 @@ interface(`miscfiles_manage_man_cache',`
 ########################################
 ## <summary>
+## Relabel from and to man cache.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`miscfiles_relabel_man_cache',`
+ gen_require(`
+ type man_cache_t;
+ ')
+
+ relabel_dirs_pattern($1, man_cache_t, man_cache_t)
+ relabel_files_pattern($1, man_cache_t, man_cache_t)
+')
+
+########################################
+## <summary>
 ## Read public files used for file
 ## transfer services.
 ## </summary>
diff --git a/policy/modules/system/miscfiles.te b/policy/modules/system/miscfiles.te
index ec4d8dc07..3b180a361 100644
--- a/policy/modules/system/miscfiles.te
+++ b/policy/modules/system/miscfiles.te
@@ -1,4 +1,4 @@
-policy_module(miscfiles, 1.12.1)
+policy_module(miscfiles, 1.12.2)
 ########################################
 #
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index f5af4ce4e..e1f4c3a72 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1,4 +1,4 @@
-policy_module(systemd, 1.3.13)
+policy_module(systemd, 1.3.14)
 #########################################
 #
@@ -613,9 +613,18 @@ optional_policy(`
 # Sessions local policy
 #
+allow systemd_sessions_t self:process setfscreate;
+
 allow systemd_sessions_t systemd_sessions_var_run_t:file manage_file_perms;
 files_pid_filetrans(systemd_sessions_t, systemd_sessions_var_run_t, file)
+selinux_get_enforce_mode(systemd_sessions_t)
+selinux_get_fs_mount(systemd_sessions_t)
+
+seutil_read_config(systemd_sessions_t)
+seutil_read_default_contexts(systemd_sessions_t)
+seutil_read_file_contexts(systemd_sessions_t)
+
 systemd_log_parse_environment(systemd_sessions_t)
 #########################################
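Review bot: `allow systemd_sessions_t self:process setfscreate;` lets the sessions helper pick the label of the objects it creates, and the `selinux_get_*`/`seutil_read_*` calls that follow are the userspace side of that, but the hunk shows only `systemd_sessions_var_run_t` files being managed, which the existing `files_pid_filetrans` already labels, so it is not visible which object needs an explicit creation context. A comment above the rule naming it, `# setfscreate: labels <object created by systemd-user-sessions>` with the placeholder filled in, would stop a later cleanup from treating the grant as unused. The tmpfiles block in the next hunk already has `setfscreate` in its context, so this may be deliberate parity; worth saying so if it is.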
@@ -623,9 +632,14 @@ systemd_log_parse_environment(systemd_sessions_t)
 # Tmpfiles local policy
 #
-allow systemd_tmpfiles_t self:capability { chown dac_override fowner fsetid mknod };
+allow systemd_tmpfiles_t self:capability { chown dac_override fowner fsetid mknod net_admin sys_admin };
 allow systemd_tmpfiles_t self:process { setfscreate getcap };
+allow systemd_tmpfiles_t systemd_coredump_var_lib_t:dir { relabelfrom relabelto manage_dir_perms };
+allow systemd_tmpfiles_t systemd_coredump_var_lib_t:file manage_file_perms;
+
+allow systemd_tmpfiles_t systemd_sessions_var_run_t:file { relabelfrom relabelto manage_file_perms };
+
 manage_dirs_pattern(systemd_tmpfiles_t, systemd_journal_t, systemd_journal_t)
 manage_files_pattern(systemd_tmpfiles_t, systemd_journal_t, systemd_journal_t)
 allow systemd_tmpfiles_t systemd_journal_t:dir { relabelfrom relabelto };
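Review bot: `net_admin` and `sys_admin` are added to the systemd_tmpfiles_t capability set without a comment, and `sys_admin` is close to a blanket capability; the habit this commit itself follows further down (`# for /etc/mtab`, `# for /proc/1/environ`) is a `#` line naming the operation that needs the grant, so a reviewer can later check whether it is still required. Suggest `# net_admin/sys_admin: <tmpfiles.d operation from the motivating AVC>` above the `allow` line, with the placeholder filled in. If they are only needed alongside `kernel_read_network_state` and `sysnet_create_config` in the next hunk, saying so lets the three be dropped together when that configuration path goes away.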
@@ -635,25 +649,74 @@ allow systemd_tmpfiles_t systemd_tmpfiles_conf_t:dir list_dir_perms;
 allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms;
 kernel_read_kernel_sysctls(systemd_tmpfiles_t)
+kernel_read_network_state(systemd_tmpfiles_t)
+dev_manage_all_dev_nodes(systemd_tmpfiles_t)
+dev_read_urand(systemd_tmpfiles_t)
 dev_relabel_all_sysfs(systemd_tmpfiles_t)
 dev_read_urand(systemd_tmpfiles_t)
 dev_manage_all_dev_nodes(systemd_tmpfiles_t)
+files_create_lock_dirs(systemd_tmpfiles_t)
+files_manage_all_pid_dirs(systemd_tmpfiles_t)
+files_delete_usr_files(systemd_tmpfiles_t)
+files_list_home(systemd_tmpfiles_t)
+files_manage_generic_tmp_dirs(systemd_tmpfiles_t)
+files_manage_var_dirs(systemd_tmpfiles_t)
+files_manage_var_lib_dirs(systemd_tmpfiles_t)
+files_purge_tmp(systemd_tmpfiles_t)
 files_read_etc_files(systemd_tmpfiles_t)
 files_relabel_all_lock_dirs(systemd_tmpfiles_t)
 files_relabel_all_pid_dirs(systemd_tmpfiles_t)
 files_relabel_all_tmp_dirs(systemd_tmpfiles_t)
+files_relabel_var_dirs(systemd_tmpfiles_t)
+files_relabel_var_lib_dirs(systemd_tmpfiles_t)
+files_relabelfrom_home(systemd_tmpfiles_t)
+files_relabelto_home(systemd_tmpfiles_t)
+files_relabelto_etc_dirs(systemd_tmpfiles_t)
+# for /etc/mtab
+files_manage_etc_symlinks(systemd_tmpfiles_t)
-auth_manage_var_auth(systemd_tmpfiles_t)
+fs_getattr_xattr_fs(systemd_tmpfiles_t)
+
+selinux_get_fs_mount(systemd_tmpfiles_t)
+selinux_search_fs(systemd_tmpfiles_t)
+
+auth_manage_faillog(systemd_tmpfiles_t)
 auth_manage_login_records(systemd_tmpfiles_t)
+auth_manage_var_auth(systemd_tmpfiles_t)
 auth_relabel_login_records(systemd_tmpfiles_t)
 auth_setattr_login_records(systemd_tmpfiles_t)
+init_manage_utmp(systemd_tmpfiles_t)
+init_manage_var_lib_files(systemd_tmpfiles_t)
+# for /proc/1/environ
+init_read_state(systemd_tmpfiles_t)
+
+init_relabel_utmp(systemd_tmpfiles_t)
+init_relabel_var_lib_dirs(systemd_tmpfiles_t)
+
+logging_manage_generic_logs(systemd_tmpfiles_t)
+logging_manage_generic_log_dirs(systemd_tmpfiles_t)
+logging_relabel_generic_log_dirs(systemd_tmpfiles_t)
+logging_relabel_syslogd_tmp_files(systemd_tmpfiles_t)
+logging_relabel_syslogd_tmp_dirs(systemd_tmpfiles_t)
+logging_setattr_syslogd_tmp_files(systemd_tmpfiles_t)
+logging_setattr_syslogd_tmp_dirs(systemd_tmpfiles_t)
+
+miscfiles_manage_man_pages(systemd_tmpfiles_t)
+miscfiles_relabel_man_cache(systemd_tmpfiles_t)
+
+seutil_read_config(systemd_tmpfiles_t)
 seutil_read_file_contexts(systemd_tmpfiles_t)
+sysnet_create_config(systemd_tmpfiles_t)
+
 systemd_log_parse_environment(systemd_tmpfiles_t)
+userdom_manage_user_runtime_root_dirs(systemd_tmpfiles_t)
+userdom_relabel_user_runtime_root_dirs(systemd_tmpfiles_t)
+
 tunable_policy(`systemd_tmpfiles_manage_all',`
 # systemd-tmpfiles can be configured to manage anything.
 # have a last-resort option for users to do this.
@@ -662,3 +725,18 @@ tunable_policy(`systemd_tmpfiles_manage_all',`
 files_relabel_non_security_dirs(systemd_tmpfiles_t)
 files_relabel_non_security_files(systemd_tmpfiles_t)
 ')
+
+optional_policy(`
+ dbus_read_lib_files(systemd_tmpfiles_t)
+')
+
+optional_policy(`
+ xfs_create_tmp_dirs(systemd_tmpfiles_t)
+')
+
+optional_policy(`
+ xserver_create_console_pipes(systemd_tmpfiles_t)
+ xserver_create_xdm_tmp_dirs(systemd_tmpfiles_t)
+ xserver_relabel_console_pipes(systemd_tmpfiles_t)
+ xserver_setattr_console_pipes(systemd_tmpfiles_t)
+')
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 610651185..50100dd15 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
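Review bot: `+dev_manage_all_dev_nodes(systemd_tmpfiles_t)` and `+dev_read_urand(systemd_tmpfiles_t)` are inserted directly above the unchanged `dev_read_urand(systemd_tmpfiles_t)` and `dev_manage_all_dev_nodes(systemd_tmpfiles_t)` lines at the top of this hunk (which begins on the previous physical line), so after the commit both calls appear twice in the tmpfiles block; the unmarked lines read as context rather than removals, so the fix is to drop the two added lines or, if the intent was alphabetical order, move the existing ones instead. The new `optional_policy` block calls `xserver_setattr_console_pipes`, which this commit does not add to xserver.if; it must already exist there or the module will fail to build. `files_relabelto_etc_dirs(systemd_tmpfiles_t)` lets the domain turn any directory it can relabelfrom into `etc_t`, a larger grant than the neighbouring `# for /etc/mtab` symlink rule that is commented; a matching `# for <tmpfiles.d entry>` line above it would record which entry needs it.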
@@ -2946,6 +2946,24 @@ interface(`userdom_manage_user_runtime_root_dirs',`
 ########################################
 ## <summary>
+## Relabel to and from user runtime root dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_relabel_user_runtime_root_dirs',`
+ gen_require(`
+ type user_runtime_root_t;
+ ')
+
+ allow $1 user_runtime_root_t:dir { relabelfrom relabelto };
+')
+
+########################################
+## <summary>
 ## Create, read, write, and delete user
 ## runtime dirs.
 ## </summary>
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index cf58bd279..0cbf3cec2 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -1,4 +1,4 @@
-policy_module(userdomain, 4.13.5)
+policy_module(userdomain, 4.13.6)
 ########################################
 #