commit: bce66e80249abbc0998755be34847b5b846d1e16 Author: Chris PeBenito <pebenito <AT> ieee <DOT> org> AuthorDate: Thu Apr 6 21:37:50 2017 +0000 Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org> CommitDate: Mon Apr 10 16:58:44 2017 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=bce66e80
Systemd-related changes from Russell Coker. policy/modules/kernel/files.if | 36 ++++++++++++++ policy/modules/kernel/files.te | 2 +- policy/modules/roles/sysadm.te | 12 +---- policy/modules/services/ssh.if | 4 ++ policy/modules/services/ssh.te | 7 ++- policy/modules/services/xserver.te | 6 ++- policy/modules/system/fstools.te | 3 +- policy/modules/system/init.if | 94 +++++++++++++++++++++++++++++++++++++ policy/modules/system/init.te | 6 +-- policy/modules/system/locallogin.te | 7 ++- policy/modules/system/lvm.fc | 1 + policy/modules/system/lvm.te | 7 ++- policy/modules/system/sysnetwork.if | 20 ++++++++ policy/modules/system/sysnetwork.te | 2 +- policy/modules/system/systemd.if | 84 +++++++++++++++++++++++++++++++++ policy/modules/system/systemd.te | 5 +- policy/modules/system/udev.te | 12 ++++- policy/modules/system/unconfined.if | 4 ++ policy/modules/system/unconfined.te | 6 ++- 19 files changed, 292 insertions(+), 26 deletions(-) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index 9f9fdded..0462c1a7 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -3021,6 +3021,42 @@ interface(`files_get_etc_unit_status',` allow $1 etc_t:service status; ') +######################################## +## <summary> +## start etc_t service +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_start_etc_service',` + gen_require(` + type etc_t; + ') + + allow $1 etc_t:service start; +') + +######################################## +## <summary> +## stop etc_t service +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`files_stop_etc_service',` + gen_require(` + type etc_t; + ') + + allow $1 etc_t:service stop; +') + ####################################### ## <summary> ## Relabel from and to generic files in /etc. 
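Review bot: The summaries of the new files_start_etc_service and files_stop_etc_service interfaces say only `start etc_t service` / `stop etc_t service`, which tells a policy author nothing about what an etc_t-labeled service is or why a domain would need this. Presumably the target is a unit file or script under /etc that carries only the generic etc_t label rather than a specific unit or initrc type, in which case a summary like `Start services whose unit file or script carries the generic etc_t label (units under /etc with no more specific type).` would be clearer, with the matching wording for stop. Since start/stop on any generic etc_t object is broad, a line noting that the intended callers are unconfined-style domains (the only callers this commit adds are in unconfined_domain_noaudit) would also help.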
diff --git a/policy/modules/kernel/files.te b/policy/modules/kernel/files.te index 67be5c71..c979bcc1 100644 --- a/policy/modules/kernel/files.te +++ b/policy/modules/kernel/files.te @@ -1,4 +1,4 @@ -policy_module(files, 1.23.10) +policy_module(files, 1.23.11) ######################################## # diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te index 7b4bf4d9..d917e008 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -1,4 +1,4 @@ -policy_module(sysadm, 2.11.3) +policy_module(sysadm, 2.11.4) ######################################## # @@ -38,15 +38,7 @@ ubac_file_exempt(sysadm_t) ubac_fd_exempt(sysadm_t) init_exec(sysadm_t) -init_get_system_status(sysadm_t) -init_disable(sysadm_t) -init_enable(sysadm_t) -init_reload(sysadm_t) -init_reboot_system(sysadm_t) -init_shutdown_system(sysadm_t) -init_start_generic_units(sysadm_t) -init_stop_generic_units(sysadm_t) -init_reload_generic_units(sysadm_t) +init_admin(sysadm_t) # Add/remove user home directories userdom_manage_user_home_dirs(sysadm_t) diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if index 21374c77..2ea91129 100644 --- a/policy/modules/services/ssh.if +++ b/policy/modules/services/ssh.if @@ -271,6 +271,10 @@ template(`ssh_server_template', ` files_read_var_lib_symlinks($1_t) nx_spec_domtrans_server($1_t) ') + + optional_policy(` + systemd_read_logind_sessions_files($1_t) + ') ') ######################################## diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te index 8d974f90..1b246453 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te @@ -1,4 +1,4 @@ -policy_module(ssh, 2.9.2) +policy_module(ssh, 2.9.3) ######################################## # @@ -317,6 +317,11 @@ optional_policy(` ') optional_policy(` + systemd_write_inherited_logind_sessions_pipes(sshd_t) + systemd_dbus_chat_logind(sshd_t) +') + +optional_policy(` unconfined_shell_domtrans(sshd_t) ') 
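Review bot: Replacing the nine granular init_* calls with init_admin(sysadm_t) grants more than the lines it removes: init_admin as added in init.if in this commit also pulls in init_manage_all_units, init_manage_script_service, init_telinit, init_stop_system and dev_manage_null_service, so sysadm_t gains all_service_perms on every systemdunit instead of the start/stop/reload/status set it had. That widening is probably intended for the admin role, but it is invisible from the commit message and from this hunk; a comment above the call such as `# full control of init and all units, see init_admin` would record it. The sysadm_t rule block this sits in starts outside the hunk.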
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te index a692f7a2..4703673a 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -1,4 +1,4 @@ -policy_module(xserver, 3.13.6) +policy_module(xserver, 3.13.7) gen_require(` class x_drawable all_x_drawable_perms; @@ -275,6 +275,10 @@ files_tmp_filetrans(xauth_t, xauth_tmp_t, { file dir }) allow xdm_t xauth_home_t:file manage_file_perms; userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file) +allow xauth_t xdm_t:fd use; +allow xauth_t xdm_t:fifo_file { getattr read }; +allow xauth_t xdm_t:unix_stream_socket { read write }; + kernel_request_load_module(xauth_t) domain_use_interactive_fds(xauth_t) diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te index 9d729671..a56bfc05 100644 --- a/policy/modules/system/fstools.te +++ b/policy/modules/system/fstools.te @@ -1,4 +1,4 @@ -policy_module(fstools, 1.20.1) +policy_module(fstools, 1.20.2) ######################################## # @@ -146,6 +146,7 @@ term_use_console(fsadm_t) init_use_fds(fsadm_t) init_use_script_ptys(fsadm_t) init_dontaudit_getattr_initctl(fsadm_t) +init_rw_script_stream_sockets(fsadm_t) logging_send_syslog_msg(fsadm_t) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if index e42a7db5..27794bbf 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -1175,6 +1175,25 @@ interface(`init_search_pids',` allow $1 init_var_run_t:dir search_dir_perms; ') +###################################### +## <summary> +## Allow listing of the /run/systemd directory. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`init_list_pids',` + gen_require(` + type init_var_run_t; + ') + + allow $1 init_var_run_t:dir list_dir_perms; + files_search_pids($1) +') + ######################################## ## <summary> ## Create files in an init PID directory. 
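Review bot: The three new raw allow rules for xauth_t on xdm_t fd, fifo_file and unix_stream_socket objects carry no comment saying which interaction they serve, unlike the `# for ...` annotations used elsewhere in this commit. They look like the inherited-descriptor case (xdm spawning xauth with its stdio pipe and a socket still open), in which case `# xauth inherits xdm's pipes and sockets when spawned by xdm` above the block would do, but that should be confirmed against the denials that motivated them. If the socket really is inherited, `{ read write }` is the minimal set; if xauth connects to it itself, connectto would also be needed and the rule as written would not suffice.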
@@ -1582,6 +1601,25 @@ interface(`init_all_labeled_script_domtrans',` ######################################## ## <summary> +## Allow getting service status of initrc_exec_t scripts +## </summary> +## <param name="domain"> +## <summary> +## Target domain +## </summary> +## </param> +# +interface(`init_get_script_status',` + gen_require(` + type initrc_exec_t; + class service status; + ') + + allow $1 initrc_exec_t:service status; +') + +######################################## +## <summary> ## Allow the role to start and stop ## labeled services. ## </summary> @@ -2890,6 +2928,26 @@ interface(`init_get_all_units_status',` allow $1 { init_script_file_type systemdunit }:service status; ') +####################################### +## <summary> +## All perms on all systemd units. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`init_manage_all_units',` + gen_require(` + attribute systemdunit; + class service all_service_perms; + ') + + allow $1 systemdunit:service all_service_perms; + allow $1 systemdunit:file getattr; +') + ######################################## ## <summary> ## Start all systemd units. 
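Review bot: init_manage_all_units targets only the systemdunit attribute, while the sibling interfaces whose bodies are visible here (init_get_all_units_status just above it, init_reload_all_units in the next hunk) target `{ init_script_file_type systemdunit }`, so a caller of this "all units" interface cannot manage sysvinit-style scripts that the other *_all_units interfaces do cover. Either change the two rules to `allow $1 { init_script_file_type systemdunit }:service all_service_perms;` and `allow $1 { init_script_file_type systemdunit }:file getattr;`, or state in the summary that only native systemd units are covered. The gap is masked in init_admin only because the granular start/stop/reload interfaces are called alongside it there.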
@@ -2946,3 +3004,39 @@ interface(`init_reload_all_units',` allow $1 { init_script_file_type systemdunit }:service reload; ') + +######################################## +## <summary> +## Allow unconfined access to send instructions to init +## </summary> +## <param name="domain"> +## <summary> +## Target domain +## </summary> +## </param> +# +interface(`init_admin',` + gen_require(` + type initrc_exec_t; + class service status; + ') + + dev_manage_null_service($1) + init_disable($1) + init_enable($1) + init_get_all_units_status($1) + init_get_generic_units_status($1) + init_get_system_status($1) + init_manage_all_units($1) + init_manage_script_service($1) + init_reboot_system($1) + init_reload($1) + init_reload_all_units($1) + init_shutdown_system($1) + init_start_all_units($1) + init_start_generic_units($1) + init_stop_all_units($1) + init_stop_generic_units($1) + init_stop_system($1) + init_telinit($1) +') diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index aed3e65a..02a240d8 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -1,4 +1,4 @@ -policy_module(init, 2.2.15) +policy_module(init, 2.2.16) gen_require(` class passwd rootok; @@ -697,9 +697,7 @@ ifdef(`distro_gentoo',` seutil_read_default_contexts(initrc_t) # /lib/rcscripts/net/system.sh rewrites resolv.conf :( - sysnet_create_config(initrc_t) - sysnet_write_config(initrc_t) - sysnet_setattr_config(initrc_t) + sysnet_manage_config(initrc_t) optional_policy(` abrt_manage_pid_files(initrc_t) diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te index 22cb0fa3..bcebce9d 100644 --- a/policy/modules/system/locallogin.te +++ b/policy/modules/system/locallogin.te @@ -1,4 +1,4 @@ -policy_module(locallogin, 1.15.3) +policy_module(locallogin, 1.15.4) ######################################## # 
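Review bot: init_admin's gen_require lists `type initrc_exec_t;` and `class service status;`, but the body only calls other interfaces and never references either name, so both lines are dead and the gen_require block can be removed. Several of the calls also appear to overlap: init_get_generic_units_status, init_start_generic_units and init_stop_generic_units are presumably subsumed by the *_all_units calls if the generic unit type carries the systemdunit attribute, which I cannot confirm from this hunk. The summary reads `Allow unconfined access to send instructions to init`; since this commit applies the interface to sysadm_t as well, `Full administrative control of init and all units` would describe it better.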
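Review bot: Folding sysnet_create_config, sysnet_write_config and sysnet_setattr_config into sysnet_manage_config(initrc_t) widens initrc_t from create/write/setattr on net_conf_t to the full manage_file_perms set (unlink, rename, link and so on, per the `allow $1 net_conf_t:file manage_file_perms;` body shown in the sysnetwork.if hunk of this commit), while the comment kept above it still says the script only rewrites resolv.conf. If delete/rename is actually needed (for example the script replaces the file atomically), update the comment to say so: `# /lib/rcscripts/net/system.sh rewrites/replaces resolv.conf :(`; otherwise keep the three granular calls. This sits inside the ifdef(`distro_gentoo') block whose start is outside the hunk.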
@@ -193,6 +193,11 @@ optional_policy(` ') optional_policy(` + systemd_dbus_chat_logind(local_login_t) + systemd_write_inherited_logind_sessions_pipes(local_login_t) +') + +optional_policy(` unconfined_shell_domtrans(local_login_t) ') diff --git a/policy/modules/system/lvm.fc b/policy/modules/system/lvm.fc index d2f755f2..1e6abbaf 100644 --- a/policy/modules/system/lvm.fc +++ b/policy/modules/system/lvm.fc @@ -29,6 +29,7 @@ ifdef(`distro_gentoo',` /usr/lib/lvm-10/.* -- gen_context(system_u:object_r:lvm_exec_t,s0) /usr/lib/lvm-200/.* -- gen_context(system_u:object_r:lvm_exec_t,s0) +/usr/lib/systemd/systemd-cryptsetup -- gen_context(system_u:object_r:lvm_exec_t,s0) /usr/lib/systemd/system/blk-availability.* -- gen_context(system_u:object_r:lvm_unit_t,s0) /usr/lib/systemd/system/dm-event.* -- gen_context(system_u:object_r:lvm_unit_t,s0) /usr/lib/systemd/system/lvm2-.* -- gen_context(system_u:object_r:lvm_unit_t,s0) diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te index 977a374b..09740eb4 100644 --- a/policy/modules/system/lvm.te +++ b/policy/modules/system/lvm.te @@ -1,4 +1,4 @@ -policy_module(lvm, 1.19.7) +policy_module(lvm, 1.19.8) ######################################## # @@ -218,6 +218,7 @@ filetrans_pattern(lvm_t, lvm_etc_t, lvm_metadata_t, file) files_etc_filetrans(lvm_t, lvm_metadata_t, file) files_search_mnt(lvm_t) +kernel_request_load_module(lvm_t) kernel_get_sysvipc_info(lvm_t) kernel_read_system_state(lvm_t) # Read system variables in /proc/sys @@ -227,6 +228,8 @@ kernel_dontaudit_search_unlabeled(lvm_t) # it has no reason to need this kernel_dontaudit_getattr_core_if(lvm_t) kernel_use_fds(lvm_t) +# for systemd-cryptsetup +kernel_read_crypto_sysctls(lvm_t) kernel_search_debugfs(lvm_t) corecmd_exec_bin(lvm_t) 
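Review bot: Labeling /usr/lib/systemd/systemd-cryptsetup as lvm_exec_t runs it in lvm_t with everything that domain can already do (the lvm.te hunks in this commit add module loading and crypto sysctl reads to lvm_t for exactly this reason), so a compromise of systemd-cryptsetup, which handles key material for encrypted volumes, now has lvm_t's full reach rather than a domain of its own. That may be an acceptable trade-off given how closely the two cooperate over device-mapper, but it deserves a comment on the line, e.g. `# systemd-cryptsetup shares lvm_t since it drives the same dm devices`, and a mention in the commit message. A dedicated cryptsetup domain would be the tighter option if one is ever split out.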
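Review bot: kernel_request_load_module(lvm_t) is added without a comment, while the kernel_read_crypto_sysctls line in the same hunk is annotated `# for systemd-cryptsetup`. Presumably the module requests are for dm-crypt and cipher modules triggered by systemd-cryptsetup as well; if so, `# systemd-cryptsetup triggers dm-crypt/cipher module loads` above the line would keep the justification with the rule, since module-load requests are a permission reviewers generally want explained.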
@@ -301,6 +304,8 @@ init_use_fds(lvm_t) init_dontaudit_getattr_initctl(lvm_t) init_use_script_ptys(lvm_t) init_read_script_state(lvm_t) +# for systemd-cryptsetup to talk to /run/systemd/journal/socket +init_stream_connect(lvm_t) logging_send_syslog_msg(lvm_t) diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if index 86313b66..a20a2d46 100644 --- a/policy/modules/system/sysnetwork.if +++ b/policy/modules/system/sysnetwork.if @@ -418,6 +418,25 @@ interface(`sysnet_create_config',` ####################################### ## <summary> +## Relabel network config files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`sysnet_relabel_config',` + gen_require(` + type net_conf_t; + ') + + files_search_etc($1) + allow $1 net_conf_t:file { relabelfrom relabelto }; +') + +####################################### +## <summary> ## Create files in /etc with the type used for ## the network config files. ## </summary> @@ -455,6 +474,7 @@ interface(`sysnet_manage_config',` type net_conf_t; ') + files_search_etc($1) allow $1 net_conf_t:file manage_file_perms; ifdef(`distro_debian',` diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te index a0f907e3..8e6d532a 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te @@ -1,4 +1,4 @@ -policy_module(sysnetwork, 1.20.7) +policy_module(sysnetwork, 1.20.8) ######################################## # diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if index 5e5268c0..cd6d2e4a 100644 --- a/policy/modules/system/systemd.if +++ b/policy/modules/system/systemd.if 
@@ -60,6 +60,26 @@ interface(`systemd_manage_logind_pid_pipes',` ###################################### ## <summary> +## Write systemd_login named pipe. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`systemd_write_logind_pid_pipes',` + gen_require(` + type systemd_logind_var_run_t; + ') + + init_search_run($1) + files_search_pids($1) + allow $1 systemd_logind_var_run_t:fifo_file { getattr write }; +') + +###################################### +## <summary> ## Use inherited systemd ## logind file descriptors. ## </summary> @@ -79,6 +99,27 @@ interface(`systemd_use_logind_fds',` ###################################### ## <summary> +## Read logind sessions files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`systemd_read_logind_sessions_files',` + gen_require(` + type systemd_sessions_var_run_t, systemd_logind_t; + ') + + allow $1 systemd_logind_t:fd use; + init_search_run($1) + allow $1 systemd_sessions_var_run_t:dir list_dir_perms; + read_files_pattern($1, systemd_sessions_var_run_t, systemd_sessions_var_run_t) +') + +###################################### +## <summary> ## Write inherited logind sessions pipes. ## </summary> ## <param name="domain"> @@ -172,6 +213,25 @@ interface(`systemd_signull_logind',` ######################################## ## <summary> +## Allow reading /run/systemd/machines +## </summary> +## <param name="domain"> +## <summary> +## Domain that can access the machines files +## </summary> +## </param> +# +interface(`systemd_read_machines',` + gen_require(` + type systemd_machined_var_run_t; + ') + + allow $1 systemd_machined_var_run_t:dir list_dir_perms; + allow $1 systemd_machined_var_run_t:file read_file_perms; +') + +######################################## +## <summary> ## allow systemd_passwd_agent to inherit fds ## </summary> ## <param name="domain"> 
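Review bot: systemd_read_logind_sessions_files grants `allow $1 systemd_logind_t:fd use;`, which is not reading session files and is already provided by the separate systemd_use_logind_fds interface whose header is visible just above this hunk. Callers that only need the session files (udev_t and every ssh server domain via ssh_server_template in this commit) silently get descriptor use on logind as a side effect; drop the fd line here and have the callers that need it call systemd_use_logind_fds explicitly, or at least state in the summary that inherited logind descriptors are included.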
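Review bot: systemd_read_machines allows list/read on systemd_machined_var_run_t but grants no search on the directories leading to it, while the other new interfaces in this file (systemd_write_logind_pid_pipes, systemd_read_logind_sessions_files) pair their rules with init_search_run and files_search_pids. Unless every caller is known to have those already, add `init_search_run($1)` and `files_search_pids($1)` before the allow rules so the interface works on its own; no caller for it is added in this commit, so nothing here exercises it.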
@@ -188,6 +248,30 @@ interface(`systemd_use_passwd_agent_fds',` allow systemd_passwd_agent_t $1:fd use; ') +####################################### +## <summary> +## Allow a systemd_passwd_agent_t process to interact with a daemon +## that needs a password from the sysadmin. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`systemd_use_passwd_agent',` + gen_require(` + type systemd_passwd_agent_t; + type systemd_passwd_var_run_t; + ') + + manage_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t) + manage_sock_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t) + + allow systemd_passwd_agent_t $1:process signull; + allow systemd_passwd_agent_t $1:unix_dgram_socket sendto; +') + ######################################## ## <summary> ## Transition to systemd_passwd_var_run_t when creating dirs diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index 672d289d..210ebc1d 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -1,4 +1,4 @@ -policy_module(systemd, 1.3.15) +policy_module(systemd, 1.3.16) ######################################### # @@ -827,7 +827,8 @@ miscfiles_relabel_man_cache(systemd_tmpfiles_t) seutil_read_config(systemd_tmpfiles_t) seutil_read_file_contexts(systemd_tmpfiles_t) -sysnet_create_config(systemd_tmpfiles_t) +sysnet_manage_config(systemd_tmpfiles_t) +sysnet_relabel_config(systemd_tmpfiles_t) systemd_log_parse_environment(systemd_tmpfiles_t) diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te index f115d9f8..81543689 100644 --- a/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te @@ -1,4 +1,4 @@ -policy_module(udev, 1.21.6) +policy_module(udev, 1.21.7) ######################################## # 
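Review bot: systemd_use_passwd_agent gives the caller manage rights on files and sock files under systemd_passwd_var_run_t but no search on the path to /run, so on its own it is incomplete; add `files_search_pids($1)` as the sibling interfaces in this file do. The summary says the interface lets systemd_passwd_agent_t interact with a daemon, yet most of the rules run the other way (the daemon gets full manage on the agent's runtime directory, and only the signull/sendto rules are for the agent), which the summary should say, e.g. `## Allow a daemon to create its ask-password socket and files under systemd_passwd_var_run_t, and let systemd_passwd_agent_t signal it and send datagrams to it.` No caller is added for it in this commit, so the rules are not exercised here.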
@@ -40,7 +40,7 @@ ifdef(`enable_mcs',` allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid mknod net_admin net_raw setgid setuid sys_admin sys_nice sys_nice sys_ptrace sys_rawio sys_resource }; dontaudit udev_t self:capability sys_tty_config; -allow udev_t self:capability2 block_suspend; +allow udev_t self:capability2 { wake_alarm block_suspend }; allow udev_t self:process ~{ setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow udev_t self:process { execmem setfscreate }; allow udev_t self:fd use; @@ -119,6 +119,7 @@ domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these files_read_usr_files(udev_t) files_read_etc_runtime_files(udev_t) files_read_etc_files(udev_t) +files_read_kernel_modules(udev_t) files_exec_etc_files(udev_t) files_getattr_generic_locks(udev_t) files_search_mnt(udev_t) @@ -148,8 +149,14 @@ auth_domtrans_pam_console(udev_t) auth_use_nsswitch(udev_t) init_read_utmp(udev_t) +# systemd-udevd searches /run/systemd +init_search_run(udev_t) init_dontaudit_write_utmp(udev_t) init_getattr_initctl(udev_t) +init_start_all_units(udev_t) +init_stop_all_units(udev_t) +# for hdparm init script run by udev +init_get_script_status(udev_t) logging_search_logs(udev_t) logging_send_syslog_msg(udev_t) @@ -228,6 +235,7 @@ ifdef(`init_systemd',` init_dgram_send(udev_t) + systemd_read_logind_sessions_files(udev_t) systemd_read_logind_pids(udev_t) ',` fs_manage_tmpfs_dirs(udev_t) diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if index 3f7f66a7..02f9dfce 100644 --- a/policy/modules/system/unconfined.if +++ b/policy/modules/system/unconfined.if @@ -16,6 +16,7 @@ interface(`unconfined_domain_noaudit',` class dbus all_dbus_perms; class nscd all_nscd_perms; class passwd all_passwd_perms; + class service all_service_perms; ') # Use most Linux capabilities 
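Review bot: init_start_all_units(udev_t) and init_stop_all_units(udev_t) let the udev daemon start and stop every labeled systemd unit on the system, a large expansion for a domain driven by device events, and unlike the adjacent init_get_script_status line (`# for hdparm init script run by udev`) they carry no comment. If the need is the hdparm script or a small set of rule-triggered units, scoping this to the generic unit interfaces or to the specific unit types would be tighter; in any case a comment such as `# udev rules start/stop units via systemctl (hdparm)` should record why udev needs control over all units.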
@@ -44,6 +45,9 @@ interface(`unconfined_domain_noaudit',` files_unconfined($1) fs_unconfined($1) selinux_unconfined($1) + files_get_etc_unit_status($1) + files_start_etc_service($1) + files_stop_etc_service($1) tunable_policy(`allow_execheap',` # Allow making the stack executable via mprotect. diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te index c979a681..bfb8b1c5 100644 --- a/policy/modules/system/unconfined.te +++ b/policy/modules/system/unconfined.te @@ -1,4 +1,4 @@ -policy_module(unconfined, 3.9.2) +policy_module(unconfined, 3.9.3) ######################################## # @@ -96,6 +96,10 @@ optional_policy(` ') optional_policy(` + init_admin(unconfined_t) +') + +optional_policy(` inn_domtrans(unconfined_t) ')