commit: a973b8969f85d4148a3a2adad6bd2bfd06c0a4ec Author: Chris PeBenito <pebenito <AT> ieee <DOT> org> AuthorDate: Thu Apr 6 21:37:31 2017 +0000 Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org> CommitDate: Mon Apr 10 16:42:40 2017 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a973b896
Systemd-related changes from Russell Coker.
 policy/modules/contrib/apache.te | 6 +++++-
 policy/modules/contrib/cron.te | 17 ++++++++++++++++-
 policy/modules/contrib/dbus.if | 4 ++++
 policy/modules/contrib/dbus.te | 9 ++++++++-
 policy/modules/contrib/devicekit.te | 3 ++-
 policy/modules/contrib/dpkg.te | 11 ++---------
 policy/modules/contrib/logrotate.te | 14 ++++++++++++--
 policy/modules/contrib/mta.te | 3 ++-
 policy/modules/contrib/networkmanager.te | 6 +++++-
 policy/modules/contrib/ntp.fc | 3 +++
 policy/modules/contrib/ntp.if | 9 +++++++++
 policy/modules/contrib/ntp.te | 25 ++++++++++++++++++++++++-
 policy/modules/contrib/policykit.te | 13 ++++++++++++-
 13 files changed, 104 insertions(+), 19 deletions(-)
diff --git a/policy/modules/contrib/apache.te b/policy/modules/contrib/apache.te
index 628b4156..b418338c 100644
--- a/policy/modules/contrib/apache.te
+++ b/policy/modules/contrib/apache.te
@@ -1,4 +1,4 @@
-policy_module(apache, 2.12.3)
+policy_module(apache, 2.12.4)
 ########################################
 #
@@ -544,6 +544,10 @@ ifdef(`hide_broken_symptoms',`
 libs_exec_lib_files(httpd_t)
 ')
+ifdef(`init_systemd', `
+ systemd_use_passwd_agent(httpd_t)
+')
+
 tunable_policy(`allow_httpd_anon_write',`
 miscfiles_manage_public_files(httpd_t)
 ')
diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te
index b51524a4..5cb7dac1 100644
--- a/policy/modules/contrib/cron.te
+++ b/policy/modules/contrib/cron.te
@@ -1,4 +1,4 @@
-policy_module(cron, 2.11.2)
+policy_module(cron, 2.11.3)
 gen_require(`
 class passwd rootok;
@@ -304,6 +304,10 @@ selinux_compute_user_contexts(crond_t)
 init_read_state(crond_t)
 init_rw_utmp(crond_t)
 init_spec_domtrans_script(crond_t)
+init_stop_all_units(system_cronjob_t)
+init_start_all_units(system_cronjob_t)
+init_get_generic_units_status(system_cronjob_t)
+init_get_system_status(system_cronjob_t)
 auth_domtrans_chk_passwd(crond_t)
 auth_manage_var_auth(crond_t)
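Review bot: The block added to apache.te (hunk at -544) gives httpd_t `systemd_use_passwd_agent` with no comment saying why a web server needs the systemd password agent. Presumably this is for prompting for a TLS private-key passphrase at start-up; if the author confirms that, a line such as `# prompt for TLS key passphrases through systemd` above the call would record it. The opening line also has a space between the comma and the quoted body, unlike the init_systemd ifdefs this commit adds in ntp.if and ntp.te; using one form keeps the policy easy to grep.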
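Review bot: In cron.te (hunk at -304), `init_start_all_units(system_cronjob_t)` and `init_stop_all_units(system_cronjob_t)` are granted unconditionally and, going by the interface names, cover every unit rather than the few daemons a cron job would restart. The four added lines sit among the crond_t rules, outside any init_systemd guard, and carry no comment; the only rationale is `# so cron jobs can restart daemons` in the later hunk at -421 of the same file. Consider moving them into an ifdef on init_systemd next to that comment, so non-systemd builds do not carry the access and the reason is stated where the access is granted. Whether a narrower interface would be enough cannot be judged from the hunk alone.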
@@ -417,6 +421,17 @@ optional_policy(`
 ')
 optional_policy(`
+ systemd_write_inherited_logind_sessions_pipes(crond_t)
+')
+
+optional_policy(`
+ systemd_dbus_chat_logind(system_cronjob_t)
+ systemd_write_inherited_logind_sessions_pipes(system_cronjob_t)
+ # so cron jobs can restart daemons
+ init_stream_connect(system_cronjob_t)
+')
+
+optional_policy(`
 udev_read_db(crond_t)
 ')
diff --git a/policy/modules/contrib/dbus.if b/policy/modules/contrib/dbus.if
index e06f20d6..3893df7c 100644
--- a/policy/modules/contrib/dbus.if
+++ b/policy/modules/contrib/dbus.if
@@ -94,6 +94,10 @@ template(`dbus_role_template',`
 xdg_read_data_home_files($1_dbusd_t)
 ')
 ')
+
+ optional_policy(`
+ systemd_read_logind_pids($1_dbusd_t)
+ ')
 ')
 #######################################
diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
index 941d2f47..579b2230 100644
--- a/policy/modules/contrib/dbus.te
+++ b/policy/modules/contrib/dbus.te
@@ -1,4 +1,4 @@
-policy_module(dbus, 1.22.4)
+policy_module(dbus, 1.22.5)
 gen_require(`
 class dbus all_dbus_perms;
@@ -150,6 +150,13 @@ ifdef(`distro_gentoo',`
 ')
 optional_policy(`
+ # for /run/systemd/users/*
+ systemd_read_logind_pids(system_dbusd_t)
+ systemd_write_inherited_logind_sessions_pipes(system_dbusd_t)
+ systemd_write_logind_pid_pipes(system_dbusd_t)
+')
+
+optional_policy(`
 bluetooth_stream_connect(system_dbusd_t)
 ')
diff --git a/policy/modules/contrib/devicekit.te b/policy/modules/contrib/devicekit.te
index 458afb08..83e0fabd 100644
--- a/policy/modules/contrib/devicekit.te
+++ b/policy/modules/contrib/devicekit.te
@@ -1,4 +1,4 @@
-policy_module(devicekit, 1.6.2)
+policy_module(devicekit, 1.6.3)
 ########################################
 #
@@ -261,6 +261,7 @@ auth_use_nsswitch(devicekit_power_t)
 init_all_labeled_script_domtrans(devicekit_power_t)
 init_read_utmp(devicekit_power_t)
+init_search_run(devicekit_power_t)
 miscfiles_read_localization(devicekit_power_t)
diff --git a/policy/modules/contrib/dpkg.te b/policy/modules/contrib/dpkg.te
index 51ae8c36..3ea9e3e0 100644
--- a/policy/modules/contrib/dpkg.te
+++ b/policy/modules/contrib/dpkg.te
@@ -1,4 +1,4 @@
-policy_module(dpkg, 1.11.3)
+policy_module(dpkg, 1.11.4)
 ########################################
 #
@@ -229,7 +229,6 @@ kernel_read_system_state(dpkg_script_t)
 corecmd_exec_all_executables(dpkg_script_t)
-dev_manage_null_service(dpkg_script_t)
 dev_list_sysfs(dpkg_script_t)
 # Use named file transition to fix this
 # dev_manage_generic_blk_files(dpkg_script_t)
@@ -276,16 +275,10 @@ files_manage_non_auth_files(dpkg_script_t)
 auth_manage_shadow(dpkg_script_t)
 init_all_labeled_script_domtrans(dpkg_script_t)
-init_get_generic_units_status(dpkg_script_t)
 init_use_script_fds(dpkg_script_t)
-init_get_system_status(dpkg_script_t)
-init_start_generic_units(dpkg_script_t)
-init_stop_generic_units(dpkg_script_t)
-init_reload(dpkg_script_t)
-init_stop_system(dpkg_script_t)
-init_telinit(dpkg_script_t)
 init_manage_script_service(dpkg_script_t)
 init_startstop_all_script_services(dpkg_script_t)
+init_admin(dpkg_script_t)
 libs_exec_ld_so(dpkg_script_t)
 libs_exec_lib_files(dpkg_script_t)
diff --git a/policy/modules/contrib/logrotate.te b/policy/modules/contrib/logrotate.te
index c43440ee..ec338fb6 100644
--- a/policy/modules/contrib/logrotate.te
+++ b/policy/modules/contrib/logrotate.te
@@ -1,4 +1,4 @@
-policy_module(logrotate, 1.18.1)
+policy_module(logrotate, 1.18.2)
 ########################################
 #
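Review bot: In dpkg.te (hunk at -276), `init_admin(dpkg_script_t)` replaces seven narrowly named interfaces with a single admin interface, which may give package maintainer scripts more control over init than the removed list did. The hunk does not show what init_admin expands to, so confirm that it still covers what `init_telinit` and `init_stop_system` granted and review what it adds beyond the removed lines. A comment above the new line, for example `# maintainer scripts enable, start and reload services`, would record why the broad interface was chosen over the explicit list.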
@@ -37,7 +37,7 @@ role system_r types logrotate_mail_t;
 #
 allow logrotate_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid sys_nice sys_resource };
-allow logrotate_t self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap };
+allow logrotate_t self:process ~{ ptrace setcurrent setexec execmem execstack execheap };
 allow logrotate_t self:fd use;
 allow logrotate_t self:key manage_key_perms;
 allow logrotate_t self:fifo_file rw_fifo_file_perms;
@@ -102,6 +102,11 @@ auth_manage_login_records(logrotate_t)
 auth_use_nsswitch(logrotate_t)
 init_all_labeled_script_domtrans(logrotate_t)
+init_get_generic_units_status(logrotate_t)
+init_get_all_units_status(logrotate_t)
+init_dbus_chat(logrotate_t)
+init_stream_connect(logrotate_t)
+init_manage_all_units(logrotate_t)
 logging_manage_all_logs(logrotate_t)
 logging_send_syslog_msg(logrotate_t)
@@ -173,6 +178,11 @@ optional_policy(`
 ')
 optional_policy(`
+ dbus_system_bus_client(logrotate_t)
+ init_write_pid_socket(logrotate_t)
+')
+
+optional_policy(`
 fail2ban_stream_connect(logrotate_t)
 ')
diff --git a/policy/modules/contrib/mta.te b/policy/modules/contrib/mta.te
index 22308885..68f3e91f 100644
--- a/policy/modules/contrib/mta.te
+++ b/policy/modules/contrib/mta.te
@@ -1,4 +1,4 @@
-policy_module(mta, 2.8.3)
+policy_module(mta, 2.8.4)
 ########################################
 #
@@ -200,6 +200,7 @@ term_dontaudit_use_unallocated_ttys(system_mail_t)
 init_use_script_ptys(system_mail_t)
 init_use_fds(system_mail_t)
+init_rw_stream_sockets(system_mail_t)
 userdom_use_user_terminals(system_mail_t)
diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
index e7bc8487..99002c12 100644
--- a/policy/modules/contrib/networkmanager.te
+++ b/policy/modules/contrib/networkmanager.te
@@ -1,4 +1,4 @@
-policy_module(networkmanager, 1.20.3)
+policy_module(networkmanager, 1.20.4)
 ########################################
 #
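Review bot: In logrotate.te, `init_manage_all_units(logrotate_t)` (hunk at -102) looks much wider than what log rotation needs, which is normally to reload or restart the service whose log was rotated. None of the five added init lines has a comment or an init_systemd guard. The hunk at -37 also removes `setrlimit` from the excluded process permissions, which grants logrotate_t setrlimit on itself without saying which program needs it; a one-line comment there would help the next audit. In the hunk at -173, `init_write_pid_socket(logrotate_t)` shares an optional block with `dbus_system_bus_client(logrotate_t)`, so it is dropped whenever the dbus module is absent; if it is needed on its own, it belongs with the other init lines.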
@@ -345,6 +345,10 @@ optional_policy(`
 ')
 optional_policy(`
+ systemd_read_logind_sessions_files(NetworkManager_t)
+')
+
+optional_policy(`
 udev_exec(NetworkManager_t)
 udev_read_db(NetworkManager_t)
 udev_read_pid_files(NetworkManager_t)
diff --git a/policy/modules/contrib/ntp.fc b/policy/modules/contrib/ntp.fc
index 756241da..67c2b883 100644
--- a/policy/modules/contrib/ntp.fc
+++ b/policy/modules/contrib/ntp.fc
@@ -15,6 +15,8 @@
 /usr/lib/systemd/ntp-units\.d/.* -- gen_context(system_u:object_r:ntpd_unit_t,s0)
 /usr/lib/systemd/system/ntpd.*\.service -- gen_context(system_u:object_r:ntpd_unit_t,s0)
+/usr/lib/systemd/systemd-timedated -- gen_context(system_u:object_r:ntpd_exec_t,s0)
+/usr/lib/systemd/systemd-timesyncd -- gen_context(system_u:object_r:ntpd_exec_t,s0)
 /usr/sbin/ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0)
 /usr/sbin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
@@ -23,6 +25,7 @@
 /var/db/ntp-kod -- gen_context(system_u:object_r:ntp_drift_t,s0)
 /var/lib/ntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
 /var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
+/var/lib/systemd/clock -- gen_context(system_u:object_r:ntp_drift_t,s0)
 /var/lock/ntpdate -- gen_context(system_u:object_r:ntpd_lock_t,s0)
diff --git a/policy/modules/contrib/ntp.if b/policy/modules/contrib/ntp.if
index 8bbb2aa3..31f71108 100644
--- a/policy/modules/contrib/ntp.if
+++ b/policy/modules/contrib/ntp.if
@@ -223,6 +223,15 @@ interface(`ntp_admin',`
 admin_pattern($1, ntpd_pid_t)
 ntp_run($1, $2)
+
+ ifdef(`init_systemd',`
+ gen_require(`
+ class dbus send_msg;
+ ')
+
+ allow $1 ntpd_t:dbus send_msg;
+ allow ntpd_t $1:dbus send_msg;
+ ')
 ')
 # This should be in an ifdef distro_gentoo but that is not allowed in if files
diff --git a/policy/modules/contrib/ntp.te b/policy/modules/contrib/ntp.te
index 9af1ad5f..aae4f194 100644
--- a/policy/modules/contrib/ntp.te
+++ b/policy/modules/contrib/ntp.te
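Review bot: Labelling `/usr/lib/systemd/systemd-timedated` as ntpd_exec_t in ntp.fc (hunk at -15) puts a D-Bus service for changing time and date settings into the same domain as the network-facing time daemons. ntpd_t then has to hold the union of what all of them need; the ntp.te hunk in this commit adds `init_reload`, `setpcap` and system-bus access, presumably for that reason. A separate domain for timedated would keep ntpd and timesyncd from inheriting init and D-Bus rights they may not use. If sharing the domain is intended, say so above the two new entries, e.g. `# systemd time services run in ntpd_t`.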
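Review bot: The block added to ntp_admin in ntp.if (hunk at -223) writes raw `allow ... :dbus send_msg` rules in both directions inside an admin interface, with no comment naming the client and service that exchange messages. A line such as `# admin tools talk to the time service over D-Bus` above the two rules would state the intent (confirm the actual peer with the author). The context comment just below the hunk says an ifdef on distro_gentoo is not allowed in .if files, so confirm that the init_systemd ifdef is evaluated as intended here. The interface body starts outside the hunk, so whether ntpd_t is already covered by an earlier gen_require cannot be seen from here.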
@@ -1,4 +1,4 @@
-policy_module(ntp, 1.16.2)
+policy_module(ntp, 1.16.3)
 ########################################
 #
@@ -144,6 +144,29 @@ miscfiles_read_localization(ntpd_t)
 userdom_dontaudit_use_unpriv_user_fds(ntpd_t)
 userdom_list_user_home_dirs(ntpd_t)
+ifdef(`init_systemd',`
+ dbus_system_bus_client(ntpd_t)
+ dbus_connect_system_bus(ntpd_t)
+ init_dbus_chat(ntpd_t)
+ init_get_system_status(ntpd_t)
+ allow ntpd_t self:capability { fowner setpcap };
+ init_reload(ntpd_t)
+
+ # for /var/lib/systemd/clock
+ init_list_var_lib_dirs(ntpd_t)
+
+ # for /run/systemd/netif/links
+ init_list_pids(ntpd_t)
+
+ optional_policy(`
+ unconfined_dbus_send(ntpd_t)
+ ')
+')
+
+optional_policy(`
+ clock_read_adjtime(ntpd_t)
+')
+
 optional_policy(`
 cron_system_entry(ntpd_t, ntpdate_exec_t)
 ')
diff --git a/policy/modules/contrib/policykit.te b/policy/modules/contrib/policykit.te
index 21ab30e7..d7686081 100644
--- a/policy/modules/contrib/policykit.te
+++ b/policy/modules/contrib/policykit.te
@@ -1,4 +1,4 @@
-policy_module(policykit, 1.6.0)
+policy_module(policykit, 1.6.1)
 ########################################
 #
@@ -131,6 +131,17 @@ optional_policy(`
 kerberos_tmp_filetrans_host_rcache(policykit_t, file, "host_0")
 ')
+optional_policy(`
+ # for /run/systemd/machines
+ systemd_read_machines(policykit_t)
+
+ # for /run/systemd/seats/seat*
+ systemd_read_logind_sessions_files(policykit_t)
+
+ # for /run/systemd/users/*
+ systemd_read_logind_pids(policykit_t)
+')
+
 ########################################
 #
 # Auth local policy
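Review bot: `allow ntpd_t self:capability { fowner setpcap };` in ntp.te (hunk at -144) is a raw capability grant placed between interface calls with no comment, and once init_systemd is defined it applies to every program that runs as ntpd_t. Other additions in this block have `# for ...` comments; add one here naming the program that needs each capability. Consider also keeping the rule with the domain's other self: rules, which are outside this hunk, so capability grants can be audited in one place. `init_reload(ntpd_t)` and `unconfined_dbus_send(ntpd_t)` deserve the same one-line justification, since they let a network-facing domain act on init and message unconfined processes.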