author | 2024-05-06 17:46:06 -0400 | |
---|---|---|
committer | 2024-05-14 13:41:54 -0400 | |
commit | 5a4608dfd87f63d1c61c5105f52dd70af5217bd0 (patch) | |
tree | 531f9755a05bb395f0f7035beb98b9d2eeb44e8e | |
parent | container, crio, kubernetes: minor fixes (diff) | |
various: various fixes
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
-rw-r--r-- | policy/modules/kernel/devices.if | 19 | ||||
-rw-r--r-- | policy/modules/services/kubernetes.te | 2 | ||||
-rw-r--r-- | policy/modules/system/authlogin.if | 3 | ||||
-rw-r--r-- | policy/modules/system/authlogin.te | 1 | ||||
-rw-r--r-- | policy/modules/system/raid.te | 3 | ||||
-rw-r--r-- | policy/modules/system/selinuxutil.te | 1 |
6 files changed, 28 insertions, 1 deletions
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if index 344d858c..c7af194b 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -2899,6 +2899,25 @@ interface(`dev_delete_lvm_control_dev',` ######################################## ## <summary> +## Do not audit attempts to read and write the +## Intel Management Engine Interface device. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`dev_dontaudit_rw_mei',` + gen_require(` + type mei_device_t; + ') + + dontaudit $1 mei_device_t:chr_file rw_chr_file_perms; +') + +######################################## +## <summary> ## dontaudit getattr raw memory devices (e.g. /dev/mem). ## </summary> ## <param name="domain"> diff --git a/policy/modules/services/kubernetes.te b/policy/modules/services/kubernetes.te index 3ba66629..83963502 100644 --- a/policy/modules/services/kubernetes.te +++ b/policy/modules/services/kubernetes.te @@ -618,6 +618,8 @@ userdom_use_user_terminals(kubectl_domain) # kubectl local policy # +dontaudit kubectl_t self:capability { sys_admin sys_resource }; + kernel_dontaudit_getattr_proc(kubectl_t) auth_use_nsswitch(kubectl_t) diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if index a91ab7ac..a90ebb3d 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -105,6 +105,9 @@ interface(`auth_use_pam_systemd',` systemd_connect_machined($1) systemd_dbus_chat_logind($1) systemd_read_logind_state($1) + + # to read /etc/machine-id + files_read_etc_runtime_files($1) ') ######################################## diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te index 9920ea69..14d2774a 100644 --- a/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te 
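Review bot: The new `dev_dontaudit_rw_mei` summary says "read and write", but the rule silences the whole `rw_chr_file_perms` set, which in the usual refpolicy definition also covers open/getattr/ioctl/lock, so the doc understates what is hidden on the Intel ME interface device. Since a write attempt on that device is something a defender would normally want to see in the audit log, the interface doc should also say who it is meant for, e.g. add after the summary's second line `## Intended for domains that enumerate all character devices and have no business with the ME interface.`, adjusting the wording if the intended callers differ. The rest of the interface is complete within the hunk.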
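Review bot: `dontaudit kubectl_t self:capability { sys_admin sys_resource };` silences two broad capabilities with no comment recording which operation produces the denial, and the same unexplained pair is added for semanage_t in the selinuxutil.te hunk. Dropping the audit record for sys_admin is exactly the signal one would use to notice a privilege probe, so the rationale belongs next to the rule, e.g. `# <triggering call, e.g. setrlimit — confirm from the AVC message>` in the style of the file's other comments. The kubectl_t policy block continues outside the hunk.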
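Review bot: `files_read_etc_runtime_files($1)` grants read access to every etc_runtime_t file, not just /etc/machine-id, so the comment `# to read /etc/machine-id` understates the scope of what auth_use_pam_systemd now hands to every caller; `# pam_systemd reads /etc/machine-id (etc_runtime_t); this grants read on all etc_runtime_t files` would make that explicit. If /etc/machine-id is not labeled etc_runtime_t in this policy the interface choice should be revisited rather than the comment. The body of auth_use_pam_systemd starts outside the hunk.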
@@ -142,6 +142,7 @@ term_dontaudit_use_all_ptys(chkpwd_t) auth_read_shadow_history(chkpwd_t) auth_use_nsswitch(chkpwd_t) +auth_use_pam_systemd(chkpwd_t) logging_send_audit_msgs(chkpwd_t) logging_send_syslog_msg(chkpwd_t) diff --git a/policy/modules/system/raid.te b/policy/modules/system/raid.te index c8db3826..e5e649f6 100644 --- a/policy/modules/system/raid.te +++ b/policy/modules/system/raid.te @@ -28,7 +28,7 @@ init_unit_file(mdadm_unit_t) # allow mdadm_t self:capability { dac_override ipc_lock sys_admin }; -dontaudit mdadm_t self:capability sys_tty_config; +dontaudit mdadm_t self:capability { net_admin sys_tty_config }; dontaudit mdadm_t self:cap_userns sys_ptrace; allow mdadm_t self:process { getsched setsched signal_perms }; allow mdadm_t self:fifo_file rw_fifo_file_perms; @@ -53,6 +53,7 @@ corecmd_exec_shell(mdadm_t) dev_rw_sysfs(mdadm_t) dev_dontaudit_getattr_all_blk_files(mdadm_t) dev_dontaudit_getattr_all_chr_files(mdadm_t) +dev_dontaudit_rw_mei(mdadm_t) dev_read_realtime_clock(mdadm_t) # create links in /dev/md dev_create_generic_symlinks(mdadm_t) diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te index 6393fadc..46c275e3 100644 --- a/policy/modules/system/selinuxutil.te +++ b/policy/modules/system/selinuxutil.te @@ -515,6 +515,7 @@ seutil_domtrans_semanage(selinux_dbus_t) # allow semanage_t self:capability { audit_write dac_override }; +dontaudit semanage_t self:capability { sys_admin sys_resource }; allow semanage_t self:unix_stream_socket create_stream_socket_perms; allow semanage_t self:unix_dgram_socket create_socket_perms; allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; |
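Review bot: `auth_use_pam_systemd(chkpwd_t)` pulls the full pam_systemd bundle (machined connect, logind D-Bus chat, logind state) into the password-checking helper, and nothing in the hunk records why chkpwd_t needs it; a comment such as `# helper's PAM stack may include pam_systemd — confirm` would keep the reason with the rule. If the rest of this file keeps systemd-specific calls under `ifdef(`init_systemd',`...')`, this call likely belongs there as well. The chkpwd_t policy block continues outside the hunk.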
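Review bot: `dev_dontaudit_rw_mei(mdadm_t)` silences read and write attempts on the Intel ME interface device without saying what in mdadm touches it, unlike the neighbouring `# create links in /dev/md` line which explains its rule. Because a write attempt on that device is worth noticing, a comment naming the trigger (for instance a device scan that opens every character device — confirm from the denial) keeps the decision auditable; the same applies to the `net_admin` added to the self:capability dontaudit in the first raid.te hunk. Both mdadm_t policy blocks continue outside their hunks.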