diff options
| author |   Russell Coker <russell@coker.com.au> | 2021-02-01 15:57:13 +1100 |
|---|---|---|
| committer |   Jason Zaman <perfinion@gentoo.org> | 2021-02-06 13:15:09 -0800 |
| commit | 6b6d9fc0d2ae76f8c137b5c3bcb1f184d0c62c57 (patch) | |
| tree | eea372a863551cfa4a6cc7f56de49f30c0be2778 | |
| parent | apps/screen.te: Allow screen to search xdg directories. (diff) | |
| download | hardened-refpolicy-6b6d9fc0.tar.gz hardened-refpolicy-6b6d9fc0.tar.bz2 hardened-refpolicy-6b6d9fc0.zip | |
new version of filetrans patch
Name changes suggested by Dominick and some more additions.
Signed-off-by: Russell Coker <russell@coker.com.au>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
| -rw-r--r-- | policy/modules/admin/dpkg.te | 20 | ||||
| -rw-r--r-- | policy/modules/services/aptcacher.if | 54 | ||||
| -rw-r--r-- | policy/modules/services/clamav.if | 36 | ||||
| -rw-r--r-- | policy/modules/services/ftp.if | 18 | ||||
| -rw-r--r-- | policy/modules/services/milter.if | 18 | ||||
| -rw-r--r-- | policy/modules/services/mysql.fc | 4 | ||||
| -rw-r--r-- | policy/modules/services/mysql.if | 38 | ||||
| -rw-r--r-- | policy/modules/system/authlogin.if | 7 | ||||
| -rw-r--r-- | policy/modules/system/init.te | 5 | ||||
| -rw-r--r-- | policy/modules/system/systemd.if | 25 | ||||
| -rw-r--r-- | policy/modules/system/unconfined.te | 1 |
11 files changed, 223 insertions, 3 deletions
diff --git a/policy/modules/admin/dpkg.te b/policy/modules/admin/dpkg.te index ee37e504..6830c795 100644 --- a/policy/modules/admin/dpkg.te +++ b/policy/modules/admin/dpkg.te @@ -276,6 +276,7 @@ term_use_all_terms(dpkg_script_t) files_manage_non_auth_files(dpkg_script_t) +auth_etc_filetrans_shadow(dpkg_script_t, "shadow.upwd-write") auth_manage_shadow(dpkg_script_t) init_all_labeled_script_domtrans(dpkg_script_t) @@ -307,10 +308,20 @@ optional_policy(` ') optional_policy(` + aptcacher_filetrans_cache_dir(dpkg_script_t) + aptcacher_filetrans_conf_dir(dpkg_script_t) + aptcacher_filetrans_log_dir(dpkg_script_t) +') + +optional_policy(` bootloader_run(dpkg_script_t, dpkg_roles) ') optional_policy(` + clamav_filetrans_log(dpkg_script_t) +') + +optional_policy(` devicekit_dbus_chat_power(dpkg_script_t) ') @@ -319,6 +330,10 @@ optional_policy(` ') optional_policy(` + milter_filetrans_spamass_state(dpkg_script_t) +') + +optional_policy(` modutils_run(dpkg_script_t, dpkg_roles) ') @@ -327,6 +342,11 @@ optional_policy(` ') optional_policy(` + mysql_create_db_dir(dpkg_script_t) + mysql_create_log_dir(dpkg_script_t) +') + +optional_policy(` nis_use_ypbind(dpkg_script_t) ') diff --git a/policy/modules/services/aptcacher.if b/policy/modules/services/aptcacher.if index 12c1335a..bef83332 100644 --- a/policy/modules/services/aptcacher.if +++ b/policy/modules/services/aptcacher.if @@ -63,3 +63,57 @@ interface(`aptcacher_stream_connect',` files_search_runtime($1) stream_connect_pattern($1, aptcacher_runtime_t, aptcacher_runtime_t, aptcacher_t) ') + +######################################## +## <summary> +## create /var/log/apt-cacher-ng +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`aptcacher_filetrans_log_dir',` + gen_require(` + type aptcacher_log_t; + ') + + logging_log_filetrans($1, aptcacher_log_t, dir, "apt-cacher-ng") +') + +######################################## +## <summary> +## create /var/cache/apt-cacher-ng +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`aptcacher_filetrans_cache_dir',` + gen_require(` + type aptcacher_cache_t; + ') + + files_var_filetrans($1, aptcacher_cache_t, dir, "apt-cacher-ng") +') + +######################################## +## <summary> +## create /etc/apt-cacher-ng +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`aptcacher_filetrans_conf_dir',` + gen_require(` + type aptcacher_conf_t; + ') + + files_etc_filetrans($1, aptcacher_conf_t, dir, "apt-cacher-ng") +') diff --git a/policy/modules/services/clamav.if b/policy/modules/services/clamav.if index 33909248..29d00c98 100644 --- a/policy/modules/services/clamav.if +++ b/policy/modules/services/clamav.if @@ -430,3 +430,39 @@ interface(`clamav_admin',` files_list_tmp($1) admin_pattern($1, { clamd_tmp_t clamscan_tmp_t }) ') + +######################################## +## <summary> +## specified domain creates /var/log/clamav/freshclam.log with correct type +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`clamav_filetrans_log',` + gen_require(` + type clamd_var_log_t, freshclam_var_log_t; + ') + + filetrans_pattern($1, clamd_var_log_t, freshclam_var_log_t, file, "freshclam.log") +') + +######################################## +## <summary> +## specified domain creates /run/clamav with correct type +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`clamav_filetrans_runtime_dir',` + gen_require(` + type clamd_runtime_t; + ') + + files_runtime_filetrans($1, clamd_runtime_t, dir, "clamav") +') diff --git a/policy/modules/services/ftp.if b/policy/modules/services/ftp.if index 56ac12bd..27af355f 100644 --- a/policy/modules/services/ftp.if +++ b/policy/modules/services/ftp.if @@ -189,3 +189,21 @@ interface(`ftp_admin',` ftp_run_ftpdctl($1, $2) ') + +######################################## +## <summary> +## create /run/pure-ftpd +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`ftp_filetrans_pure_ftpd_runtime',` + gen_require(` + type ftpd_runtime_t; + ') + + files_runtime_filetrans($1, ftpd_runtime_t, dir, "pure-ftpd") +') diff --git a/policy/modules/services/milter.if b/policy/modules/services/milter.if index d024d152..13b05498 100644 --- a/policy/modules/services/milter.if +++ b/policy/modules/services/milter.if @@ -100,6 +100,24 @@ interface(`milter_manage_spamass_state',` ######################################## ## <summary> +## create spamass milter state dir +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`milter_filetrans_spamass_state',` + gen_require(` + type spamass_milter_state_t; + ') + + files_var_lib_filetrans($1, spamass_milter_state_t, dir, "spamass-milter") +') + +######################################## +## <summary> ## Get the attributes of the spamassissin milter data dir. ## </summary> ## <param name="domain"> diff --git a/policy/modules/services/mysql.fc b/policy/modules/services/mysql.fc index d23f2636..7b7b45b3 100644 --- a/policy/modules/services/mysql.fc +++ b/policy/modules/services/mysql.fc @@ -25,8 +25,8 @@ HOME_DIR/\.my\.cnf -- gen_context(system_u:object_r:mysqld_home_t,s0) /var/lib/mysql(/.*)? gen_context(system_u:object_r:mysqld_db_t,s0) /var/lib/mysql/mysql.* -s gen_context(system_u:object_r:mysqld_runtime_t,s0) -/var/log/mariadb(/.*)? gen_context(system_u:object_r:mysqld_log_t,s0) -/var/log/mysql.* -- gen_context(system_u:object_r:mysqld_log_t,s0) +/var/log/mariadb(/.*)? gen_context(system_u:object_r:mysqld_log_t,s0) +/var/log/mysql(/.*)? gen_context(system_u:object_r:mysqld_log_t,s0) /run/mysqld.* gen_context(system_u:object_r:mysqld_runtime_t,s0) /run/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_runtime_t,s0) diff --git a/policy/modules/services/mysql.if b/policy/modules/services/mysql.if index afdfbc6b..e89a66d9 100644 --- a/policy/modules/services/mysql.if +++ b/policy/modules/services/mysql.if @@ -243,6 +243,24 @@ interface(`mysql_manage_db_files',` ######################################## ## <summary> +## create mysqld db dir. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`mysql_create_db_dir',` + gen_require(` + type mysqld_db_t; + ') + + files_var_lib_filetrans($1, mysqld_db_t, dir, "mysql") +') + +######################################## +## <summary> ## Create, read, write, and delete ## mysqld home files. ## </summary> @@ -325,9 +343,29 @@ interface(`mysql_write_log',` ') logging_search_logs($1) + allow $1 mysqld_log_t:dir search_dir_perms; allow $1 mysqld_log_t:file write_file_perms; ') +######################################## +## <summary> +## create mysqld log dir. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`mysql_create_log_dir',` + gen_require(` + type mysqld_log_t; + ') + + logging_search_logs($1) + logging_log_filetrans($1, mysqld_log_t, dir, "mysql") +') + ###################################### ## <summary> ## Execute mysqld safe in the diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if index 8f8b8009..08361bb5 100644 --- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -719,13 +719,18 @@ interface(`auth_manage_shadow',` ## Domain allowed access. ## </summary> ## </param> +## <param name="name" optional="true"> +## <summary> +## The name of the object being created. +## </summary> +## </param> # interface(`auth_etc_filetrans_shadow',` gen_require(` type shadow_t; ') - files_etc_filetrans($1, shadow_t, file) + files_etc_filetrans($1, shadow_t, file, $2) ') ####################################### diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index de5bca5e..1c9a5cdd 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -1097,6 +1097,7 @@ optional_policy(` ') optional_policy(` + clamav_filetrans_runtime_dir(initrc_t) clamav_read_config(initrc_t) ') @@ -1290,6 +1291,10 @@ optional_policy(` ') optional_policy(` + ftp_filetrans_pure_ftpd_runtime(initrc_t) +') + +optional_policy(` rpc_read_exports(initrc_t) ') diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if index 8e58c0d7..ac431aba 100644 --- a/policy/modules/system/systemd.if +++ b/policy/modules/system/systemd.if @@ -526,6 +526,31 @@ interface(`systemd_use_passwd_agent_fds',` allow systemd_passwd_agent_t $1:fd use; ') +######################################## +## <summary> +## allow systemd_passwd_agent to be run by admin +## </summary> +## <param name="domain"> +## <summary> +## Domain that runs it +## </summary> +## </param> +## <param name="role"> +## <summary> +## role that it runs in +## </summary> +## </param> +# +interface(`systemd_run_passwd_agent',` + gen_require(` + type systemd_passwd_agent_t, systemd_passwd_agent_exec_t; + ') + + domain_auto_transition_pattern($1, systemd_passwd_agent_exec_t, systemd_passwd_agent_t) + allow systemd_passwd_agent_t $1:fd use; + role $2 types systemd_passwd_agent_t; +') + ####################################### ## <summary> ## Allow a systemd_passwd_agent_t process to interact with a daemon diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te index eac4d285..42879fb7 100644 --- a/policy/modules/system/unconfined.te +++ b/policy/modules/system/unconfined.te @@ -66,6 +66,7 @@ ifdef(`init_systemd',` optional_policy(` systemd_dbus_chat_resolved(unconfined_t) + systemd_filetrans_passwd_runtime_dirs(unconfined_t) ') ') |