Merge pull request #566 from 0xC0ncord/various-20221207

Some more various fixes
Chris PeBenito 2022-12-12 10:47:43 -05:00 committed by GitHub
commit 50f2c7ad05
GPG Key ID: 4AEE18F83AFDEB23
31 changed files with 227 additions and 16 deletions


@ -68,7 +68,7 @@ manage_files_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t)
files_tmp_filetrans(alsa_t, alsa_tmp_t, { dir file })
userdom_user_tmp_filetrans(alsa_t, alsa_tmp_t, { dir file })
allow alsa_t alsa_tmpfs_t:file { manage_file_perms map };
allow alsa_t alsa_tmpfs_t:file mmap_manage_file_perms;
fs_tmpfs_filetrans(alsa_t, alsa_tmpfs_t, file)
manage_dirs_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)


@ -191,7 +191,7 @@ interface(`apt_manage_cache',`
files_search_var($1)
allow $1 apt_var_cache_t:dir manage_dir_perms;
allow $1 apt_var_cache_t:file { manage_file_perms map };
allow $1 apt_var_cache_t:file mmap_manage_file_perms;
')
########################################


@ -36,6 +36,8 @@ init_system_domain(traceroute_t, traceroute_exec_t)
allow netutils_t self:capability { dac_read_search net_admin net_raw setgid setpcap setuid sys_chroot };
dontaudit netutils_t self:capability { dac_override sys_tty_config };
allow netutils_t self:process { getcap setcap signal_perms };
# netlink_generic_socket for nmap.
allow netutils_t self:netlink_generic_socket create_socket_perms;
allow netutils_t self:netlink_route_socket create_netlink_socket_perms;
allow netutils_t self:netlink_socket create_socket_perms;
# For tcpdump.
@ -69,6 +71,8 @@ fs_getattr_xattr_fs(netutils_t)
domain_use_interactive_fds(netutils_t)
kernel_dontaudit_getattr_proc(netutils_t)
files_read_etc_files(netutils_t)
# for nscd
files_dontaudit_search_var(netutils_t)
@ -154,6 +158,7 @@ optional_policy(`
allow traceroute_t self:capability { net_admin net_raw setgid setuid };
allow traceroute_t self:fifo_file rw_inherited_fifo_file_perms;
allow traceroute_t self:process signal;
allow traceroute_t self:netlink_generic_socket create_socket_perms;
allow traceroute_t self:rawip_socket create_socket_perms;
allow traceroute_t self:packet_socket { map create_socket_perms };
allow traceroute_t self:udp_socket create_socket_perms;
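Review bot: The new `allow traceroute_t self:netlink_generic_socket create_socket_perms;` in the third hunk carries no reason, while the matching netutils_t rule in the first hunk is justified with `# netlink_generic_socket for nmap.`; traceroute is a different program, so that comment does not carry over. Propose a comment above the traceroute line naming what opens the generic netlink socket, e.g. `# netlink_generic_socket for <tool> — TODO confirm`. The traceroute_t rule block continues outside the hunk.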


@ -86,7 +86,7 @@ allow mozilla_t mozilla_plugin_t:unix_stream_socket rw_socket_perms;
allow mozilla_t mozilla_plugin_t:fd use;
allow mozilla_t { mozilla_home_t mozilla_plugin_home_t }:dir manage_dir_perms;
allow mozilla_t { mozilla_home_t mozilla_plugin_home_t }:file { manage_file_perms map };
allow mozilla_t { mozilla_home_t mozilla_plugin_home_t }:file mmap_manage_file_perms;
allow mozilla_t mozilla_home_t:lnk_file manage_lnk_file_perms;
userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".galeon")
userdom_user_home_dir_filetrans(mozilla_t, mozilla_home_t, dir, ".mozilla")


@ -45,7 +45,7 @@ template(`pulseaudio_role',`
allow $2 pulseaudio_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:dir { manage_dir_perms relabel_dir_perms };
allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:file { manage_file_perms relabel_file_perms map };
allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:file { mmap_manage_file_perms relabel_file_perms };
allow $2 pulseaudio_tmp_t:dir { manage_dir_perms relabel_dir_perms };
allow $2 pulseaudio_tmp_t:file { manage_file_perms relabel_file_perms };


@ -58,7 +58,7 @@ allow pulseaudio_t self:tcp_socket { accept listen };
allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms;
allow pulseaudio_t pulseaudio_home_t:dir manage_dir_perms;
allow pulseaudio_t pulseaudio_home_t:file { manage_file_perms map };
allow pulseaudio_t pulseaudio_home_t:file mmap_manage_file_perms;
allow pulseaudio_t pulseaudio_home_t:lnk_file manage_lnk_file_perms;
userdom_user_home_dir_filetrans(pulseaudio_t, pulseaudio_home_t, dir, ".pulse")


@ -4820,6 +4820,24 @@ interface(`dev_create_urand_dev',`
create_chr_files_pattern($1, device_t, urandom_device_t)
')
########################################
## <summary>
## Set attributes on the urandom device (/dev/urandom).
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dev_setattr_urand_dev',`
gen_require(`
type device_t, urandom_device_t;
')
setattr_chr_files_pattern($1, device_t, urandom_device_t)
')
########################################
## <summary>
## Getattr generic the USB devices.


@ -4778,6 +4778,25 @@ interface(`fs_dontaudit_search_ramfs',`
dontaudit $1 ramfs_t:dir search_dir_perms;
')
########################################
## <summary>
## Set the attributes of directories on
## a ramfs.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`fs_setattr_ramfs_dirs',`
gen_require(`
type ramfs_t;
')
allow $1 ramfs_t:dir setattr;
')
########################################
## <summary>
## Create, read, write, and delete
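Review bot: The body of the new fs_setattr_ramfs_dirs interface uses the bare permission `allow $1 ramfs_t:dir setattr;` whereas the neighbouring fs_dontaudit_search_ramfs uses the `search_dir_perms` set; for consistency with the rest of the file I would write `allow $1 ramfs_t:dir setattr_dir_perms;`. The behaviour is the same either way, so this is a style point only.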


@ -82,6 +82,12 @@ ifndef(`enable_mls',`
')
ifdef(`init_systemd',`
# Allow managing runtime units, for example mount units generated
# from /etc/fstab.
init_get_runtime_units_status(sysadm_t)
init_start_runtime_units(sysadm_t)
init_stop_runtime_units(sysadm_t)
# Allow sysadm to resolve the username of dynamic users by calling
# LookupDynamicUserByUID on org.freedesktop.systemd1.
init_dbus_chat(sysadm_t)
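Review bot: `init_dbus_chat(sysadm_t)` opens bidirectional D-Bus messaging between sysadm_t and init, which is far wider than the single LookupDynamicUserByUID call named in the comment above it, so a later reader may try to narrow the grant to something that does not exist. The comment should state the real scope, e.g. `# Full D-Bus chat with systemd1; needed at least for LookupDynamicUserByUID on org.freedesktop.systemd1`. For a sysadm domain the breadth is probably acceptable, but the justification should match the grant.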


@ -51,7 +51,7 @@ allow aptcacher_t aptcacher_conf_t:file mmap_read_file_perms;
allow aptcacher_t aptcacher_conf_t:lnk_file read_lnk_file_perms;
allow aptcacher_t aptcacher_cache_t:dir manage_dir_perms;
allow aptcacher_t aptcacher_cache_t:file { manage_file_perms map };
allow aptcacher_t aptcacher_cache_t:file mmap_manage_file_perms;
allow aptcacher_t aptcacher_cache_t:lnk_file manage_lnk_file_perms;
allow aptcacher_t aptcacher_lib_t:file map;


@ -2518,7 +2518,7 @@ interface(`container_admin',`
allow $1 container_engine_domain:process { ptrace signal_perms };
ps_process_pattern($1, container_engine_domain)
allow $1 self:cap_userns { kill sys_ptrace };
allow $1 self:cap_userns { kill sys_ptrace sys_admin };
files_search_var_lib($1)
admin_pattern($1, container_var_lib_t)
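Review bot: Adding `sys_admin` to the cap_userns set in container_admin has no explanatory comment, unlike most new grants in this PR; sys_admin inside user namespaces is a broad capability and a reader cannot tell from the hunk which operation required it. Propose `# sys_admin in user namespaces for <operation> — TODO confirm` above the rule. The container_admin interface begins and ends outside the hunk.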


@ -425,6 +425,8 @@ corenet_tcp_sendrecv_generic_node(container_net_domain)
corenet_udp_sendrecv_generic_node(container_net_domain)
corenet_tcp_bind_generic_node(container_net_domain)
corenet_udp_bind_generic_node(container_net_domain)
# for metallb BGP speakers
corenet_raw_bind_generic_node(container_net_domain)
corenet_sendrecv_all_server_packets(container_net_domain)
corenet_tcp_bind_all_ports(container_net_domain)
@ -456,6 +458,8 @@ files_read_kernel_modules(container_t)
fs_mount_cgroup(container_t)
fs_rw_cgroup_files(container_t)
# for metallb BGP speakers
fs_read_nsfs_files(container_t)
kernel_read_vm_overcommit_sysctl(container_t)
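Review bot: `corenet_raw_bind_generic_node(container_net_domain)` in the first hunk is applied to the whole container_net_domain attribute although the comment justifies it only for metallb BGP speakers, so every networked container gains raw-socket bind on any node. If that is deliberate the comment should say so; otherwise consider gating it behind a tunable or a narrower domain so the default container profile is unchanged. The second hunk scopes the same `# for metallb BGP speakers` reasoning to just container_t, which is the narrower of the two.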


@ -236,6 +236,7 @@ optional_policy(`
systemd_write_inherited_logind_inhibit_pipes(system_dbusd_t)
systemd_write_inherited_logind_sessions_pipes(system_dbusd_t)
systemd_connect_machined(system_dbusd_t)
# for passing around terminal file handles for machinectl shell
systemd_use_inherited_machined_ptys(system_dbusd_t)


@ -19,6 +19,33 @@ interface(`hddtemp_domtrans',`
domtrans_pattern($1, hddtemp_exec_t, hddtemp_t)
')
########################################
## <summary>
## Execute hddtemp in the hddtemp domain, and
## allow the specified role the hdd domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`hddtemp_run',`
gen_require(`
type hddtemp_t;
')
hddtemp_domtrans($1)
role $2 types hddtemp_t;
')
######################################
## <summary>
## Execute hddtemp in the caller domain.
@ -60,6 +87,8 @@ interface(`hddtemp_admin',`
type hddtemp_t, hddtemp_etc_t, hddtemp_initrc_exec_t;
')
hddtemp_run($1, $2)
allow $1 hddtemp_t:process { ptrace signal_perms };
ps_process_pattern($1, hddtemp_t)
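Review bot: The summary of the new hddtemp_run interface says `allow the specified role the hdd domain`, naming a domain that does not exist in this module; it should read `allow the specified role the hddtemp domain`, matching the body `role $2 types hddtemp_t;`. The second hunk makes hddtemp_admin depend on its second parameter through `hddtemp_run($1, $2)`; its interface header is outside the hunk, so if it does not already document a role parameter, that needs adding.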


@ -34,6 +34,8 @@ corenet_tcp_bind_generic_node(hddtemp_t)
corenet_tcp_bind_hddtemp_port(hddtemp_t)
corenet_sendrecv_hddtemp_server_packets(hddtemp_t)
domain_use_interactive_fds(hddtemp_t)
files_search_etc(hddtemp_t)
files_read_usr_files(hddtemp_t)
@ -45,3 +47,5 @@ auth_use_nsswitch(hddtemp_t)
logging_send_syslog_msg(hddtemp_t)
miscfiles_read_localization(hddtemp_t)
userdom_use_user_terminals(hddtemp_t)
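Review bot: `domain_use_interactive_fds(hddtemp_t)` and `userdom_use_user_terminals(hddtemp_t)` are added without a comment, and nothing in these hunks says why a daemon domain now needs user terminals; presumably this pairs with the new hddtemp_run interface so an admin can run hddtemp interactively. Propose `# for running hddtemp from an admin terminal via hddtemp_run()` above the userdom line so the two changes stay linked.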


@ -109,7 +109,7 @@ allow mailman_cgi_t mailman_archive_t:dir search_dir_perms;
allow mailman_cgi_t mailman_archive_t:file read_file_perms;
allow mailman_cgi_t mailman_data_t:dir rw_dir_perms;
allow mailman_cgi_t mailman_data_t:file { map manage_file_perms };
allow mailman_cgi_t mailman_data_t:file mmap_manage_file_perms;
allow mailman_cgi_t mailman_data_t:lnk_file read_lnk_file_perms;
allow mailman_cgi_t mailman_lock_t:dir manage_dir_perms;
@ -123,7 +123,7 @@ allow mailman_cgi_t mailman_runtime_t:file read_file_perms;
allow mailman_cgi_t mailman_runtime_t:sock_file manage_sock_file_perms;
fs_tmpfs_filetrans(mailman_cgi_t, mailman_cgi_tmpfs_t, file)
allow mailman_cgi_t mailman_cgi_tmpfs_t:file { map manage_file_perms };
allow mailman_cgi_t mailman_cgi_tmpfs_t:file mmap_manage_file_perms;
kernel_read_net_sysctls(mailman_cgi_t)
kernel_read_system_state(mailman_cgi_t)
@ -283,7 +283,7 @@ allow mailman_queue_t mailman_archive_t:dir manage_dir_perms;
allow mailman_queue_t mailman_archive_t:file manage_file_perms;
allow mailman_queue_t mailman_data_t:dir rw_dir_perms;
allow mailman_queue_t mailman_data_t:file { map manage_file_perms };
allow mailman_queue_t mailman_data_t:file mmap_manage_file_perms;
allow mailman_queue_t mailman_data_t:lnk_file read_lnk_file_perms;
allow mailman_queue_t mailman_lock_t:dir rw_dir_perms;
@ -293,7 +293,7 @@ allow mailman_queue_t mailman_log_t:dir list_dir_perms;
allow mailman_queue_t mailman_log_t:file manage_file_perms;
fs_tmpfs_filetrans(mailman_queue_t, mailman_queue_tmpfs_t, file)
allow mailman_queue_t mailman_queue_tmpfs_t:file { map manage_file_perms };
allow mailman_queue_t mailman_queue_tmpfs_t:file mmap_manage_file_perms;
kernel_read_network_state(mailman_queue_t)
kernel_read_system_state(mailman_queue_t)


@ -51,7 +51,7 @@ allow matrixd_t self:unix_dgram_socket create_socket_perms;
# https://cffi.readthedocs.io/en/latest/using.html#callbacks
allow matrixd_t self:process { getsched execmem };
allow matrixd_t matrixd_tmp_t:file { manage_file_perms map };
allow matrixd_t matrixd_tmp_t:file mmap_manage_file_perms;
files_tmp_filetrans(matrixd_t, matrixd_tmp_t, file)
fs_tmpfs_filetrans(matrixd_t, matrixd_tmp_t, file)


@ -44,7 +44,7 @@ allow nsd_t nsd_conf_t:dir list_dir_perms;
allow nsd_t nsd_conf_t:file read_file_perms;
allow nsd_t nsd_conf_t:lnk_file read_lnk_file_perms;
allow nsd_t nsd_db_t:file { manage_file_perms map };
allow nsd_t nsd_db_t:file mmap_manage_file_perms;
filetrans_pattern(nsd_t, nsd_zone_t, nsd_db_t, file)
manage_files_pattern(nsd_t, nsd_runtime_t, nsd_runtime_t)


@ -69,6 +69,7 @@ ifdef(`init_systemd',`
# containers get created as systemd transient units
init_get_transient_units_status(podman_t)
init_start_transient_units(podman_t)
init_stop_transient_units(podman_t)
# podman can read logs from containers which are
# sent to the system journal
@ -212,6 +213,7 @@ container_manage_engine_tmp_sock_files(podman_conmon_t)
ifdef(`init_systemd',`
init_get_transient_units_status(podman_conmon_t)
init_start_transient_units(podman_conmon_t)
init_stop_transient_units(podman_conmon_t)
init_start_system(podman_conmon_t)
init_stop_system(podman_conmon_t)
')


@ -134,7 +134,9 @@ optional_policy(`
optional_policy(`
# for /run/systemd/machines
systemd_connect_machined(policykit_t)
systemd_read_machines(policykit_t)
systemd_watch_machines_dirs(policykit_t)
# for /run/systemd/seats/seat*
systemd_read_logind_sessions_files(policykit_t)


@ -207,7 +207,7 @@ allow postfix_master_t postfix_etc_t:dir rw_dir_perms;
allow postfix_master_t postfix_etc_t:file rw_file_perms;
allow postfix_master_t postfix_data_t:dir manage_dir_perms;
allow postfix_master_t postfix_data_t:file manage_file_perms;
allow postfix_master_t postfix_data_t:file mmap_manage_file_perms;
allow postfix_master_t postfix_keytab_t:file read_file_perms;
@ -508,7 +508,7 @@ allow postfix_map_t self:capability { dac_read_search dac_override setgid setuid
allow postfix_map_t self:tcp_socket { accept listen };
allow postfix_map_t postfix_etc_t:dir manage_dir_perms;
allow postfix_map_t postfix_etc_t:file { manage_file_perms map };
allow postfix_map_t postfix_etc_t:file mmap_manage_file_perms;
allow postfix_map_t postfix_etc_t:lnk_file manage_lnk_file_perms;
manage_dirs_pattern(postfix_map_t, postfix_map_tmp_t, postfix_map_tmp_t)
@ -839,6 +839,7 @@ optional_policy(`
optional_policy(`
sasl_connect(postfix_smtpd_t)
sasl_read_keytab(postfix_smtpd_t)
')
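Review bot: The first hunk changes `allow postfix_master_t postfix_data_t:file manage_file_perms;` to `mmap_manage_file_perms`, which adds the map permission; unlike the other files in this PR, where `{ manage_file_perms map }` is swapped for the equivalent macro, this is a real widening and deserves a comment saying what in postfix_master maps its data files. Propose `# map: <reason> — TODO confirm` above that line.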
optional_policy(`


@ -1,5 +1,7 @@
/etc/rc\.d/init\.d/sasl -- gen_context(system_u:object_r:saslauthd_initrc_exec_t,s0)
/etc/sasl2(/.*)? gen_context(system_u:object_r:saslauthd_keytab_t,s0)
/usr/bin/saslauthd -- gen_context(system_u:object_r:saslauthd_exec_t,s0)
/usr/sbin/saslauthd -- gen_context(system_u:object_r:saslauthd_exec_t,s0)
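Review bot: The new context `/etc/sasl2(/.*)?` labels the directory and every file beneath it saslauthd_keytab_t, and with sasl_read_keytab granting read on that type, any domain given keytab access can read everything in the tree, not just keytabs. If only keytab files are meant, narrow the pattern to those names; if the whole directory is meant, the type's summary and this entry should say it covers per-application SASL configuration as well. The PR does not show what else the directory holds, so treat this as a question to the author.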


@ -19,6 +19,25 @@ interface(`sasl_connect',`
stream_connect_pattern($1, saslauthd_runtime_t, saslauthd_runtime_t, saslauthd_t)
')
########################################
## <summary>
## Read SASL keytab files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`sasl_read_keytab',`
gen_require(`
type saslauthd_keytab_t;
')
files_search_etc($1)
read_files_pattern($1, saslauthd_keytab_t, saslauthd_keytab_t)
')
########################################
## <summary>
## All of the rules required to


@ -206,6 +206,7 @@ files_type(virtlockd_var_lib_t)
type virtlogd_t;
type virtlogd_exec_t;
init_daemon_domain(virtlogd_t, virtlogd_exec_t)
init_named_socket_activation(virtlogd_t, virt_runtime_t)
type virtlogd_run_t;
files_runtime_file(virtlogd_run_t)
@ -451,6 +452,8 @@ tunable_policy(`virt_use_evdev',`
allow virtd_t self:capability { chown dac_override dac_read_search fowner fsetid ipc_lock kill mknod net_admin net_raw setgid setpcap setuid sys_admin sys_chroot sys_nice sys_ptrace };
dontaudit virtd_t self:capability { sys_module sys_ptrace };
allow virtd_t self:capability2 { bpf perfmon };
allow virtd_t self:bpf { map_create map_read map_write prog_load prog_run };
allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setrlimit setsockcreate setsched };
allow virtd_t self:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
allow virtd_t self:unix_stream_socket { accept connectto listen relabelfrom relabelto };
@ -522,7 +525,8 @@ allow virtd_t virt_image_type:file relabel_file_perms;
allow virtd_t virt_image_type:dir { manage_dir_perms relabel_dir_perms };
allow virtd_t virt_image_type:blk_file relabel_blk_file_perms;
allow virtd_t virt_image_type:chr_file relabel_chr_file_perms;
allow virtd_t virt_image_type:sock_file manage_sock_file_perms;
# relabel needed for qemu guest agent sockets
allow virtd_t virt_image_type:sock_file { manage_sock_file_perms relabel_sock_file_perms };
allow virtd_t virt_ptynode:chr_file rw_term_perms;
@ -691,6 +695,15 @@ sysnet_domtrans_ifconfig(virtd_t)
userdom_read_all_users_state(virtd_t)
ifdef(`init_systemd',`
init_read_utmp(virtd_t)
systemd_dbus_chat_logind(virtd_t)
systemd_connect_machined(virtd_t)
systemd_dbus_chat_machined(virtd_t)
')
tunable_policy(`virt_use_fusefs',`
fs_manage_fusefs_dirs(virtd_t)
fs_manage_fusefs_files(virtd_t)
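Review bot: `allow virtd_t self:bpf { map_create map_read map_write prog_load prog_run };` together with `allow virtd_t self:capability2 { bpf perfmon };` in the second hunk lets libvirtd load and run BPF programs, and nothing in the hunk says why; presumably this is libvirt's cgroup v2 device filtering, but a reader cannot tell from the rules. Propose a comment above the capability2 line, e.g. `# bpf/perfmon and self:bpf for cgroup v2 device filtering — TODO confirm`, in the same way the third hunk annotates its relabel grant. The logind/machined dbus chat lines in the last hunk would benefit from a one-line reason too.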


@ -3431,6 +3431,63 @@ interface(`init_reload_generic_units',`
allow $1 systemd_unit_t:service reload;
')
########################################
## <summary>
## Get the status of runtime systemd units.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_get_runtime_units_status',`
gen_require(`
type init_runtime_t;
class service status;
')
allow $1 init_runtime_t:service status;
')
########################################
## <summary>
## Start runtime systemd units.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_start_runtime_units',`
gen_require(`
type init_runtime_t;
class service start;
')
allow $1 init_runtime_t:service start;
')
########################################
## <summary>
## Stop runtime systemd units.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`init_stop_runtime_units',`
gen_require(`
type init_runtime_t;
class service stop;
')
allow $1 init_runtime_t:service stop;
')
########################################
## <summary>
## Get status of transient systemd units.


@ -472,6 +472,8 @@ ifdef(`init_systemd',`
fs_create_pstore_dirs(init_t)
# for network namespaces
fs_read_nsfs_files(init_t)
# needed by systemd-creds
fs_setattr_ramfs_dirs(init_t)
init_manage_all_unit_files(init_t)
init_read_script_state(init_t)


@ -703,6 +703,7 @@ interface(`logging_send_syslog_msg',`
allow syslogd_t $1:process signull;
kernel_dgram_send($1)
kernel_stream_connect($1)
')
')
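Review bot: `kernel_stream_connect($1)` is added to logging_send_syslog_msg without a comment, so every domain that sends syslog messages gains connect access to stream sockets labeled kernel_t; the sibling `kernel_dgram_send($1)` presumably exists for the same early-boot case, but nothing in the hunk says which socket is stream-connected. Propose `# stream connect to the kernel_t-labelled log socket (early boot) — TODO confirm` above the new line. Both the interface and the conditional block the line sits in start outside the hunk.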


@ -1461,6 +1461,24 @@ interface(`systemd_read_machines',`
allow $1 systemd_machined_runtime_t:file read_file_perms;
')
########################################
## <summary>
## Allow watching /run/systemd/machines
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`systemd_watch_machines_dirs',`
gen_require(`
type systemd_machined_runtime_t;
')
allow $1 systemd_machined_runtime_t:dir watch;
')
########################################
## <summary>
## Allow connecting to /run/systemd/userdb/io.systemd.Machine socket


@ -996,15 +996,18 @@ allow systemd_machined_t systemd_machined_runtime_t:lnk_file manage_lnk_file_per
manage_sock_files_pattern(systemd_machined_t, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t)
kernel_getattr_proc(systemd_machined_t)
kernel_read_kernel_sysctls(systemd_machined_t)
kernel_read_system_state(systemd_machined_t)
dev_getattr_fs(systemd_machined_t)
dev_setattr_urand_dev(systemd_machined_t)
files_read_etc_files(systemd_machined_t)
fs_getattr_cgroup(systemd_machined_t)
fs_getattr_tmpfs(systemd_machined_t)
fs_getattr_xattr_fs(systemd_machined_t)
fs_read_nsfs_files(systemd_machined_t)
selinux_getattr_fs(systemd_machined_t)
@ -1019,6 +1022,9 @@ init_stop_system(systemd_machined_t)
init_get_generic_units_status(systemd_machined_t)
init_start_generic_units(systemd_machined_t)
init_stop_generic_units(systemd_machined_t)
init_get_transient_units_status(systemd_machined_t)
init_start_transient_units(systemd_machined_t)
init_stop_transient_units(systemd_machined_t)
logging_send_syslog_msg(systemd_machined_t)
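Review bot: `dev_setattr_urand_dev(systemd_machined_t)` lets machined change attributes of /dev/urandom, an unusual need for a container-registry daemon, and it is added without a comment; the new dev_setattr_urand_dev interface elsewhere in this PR does not explain it either. Propose a why-comment on that line, e.g. `# machined sets <attribute> on /dev/urandom during <operation> — TODO confirm`, so the grant can be revisited if the underlying behaviour changes. The other new rules here (cgroup/tmpfs getattr, nsfs read, transient units) are clear enough from their names.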


@ -1343,6 +1343,7 @@ template(`userdom_admin_user_template',`
allow $1_t self:cap_userns sys_ptrace;
allow $1_t self:process { setexec setfscreate };
allow $1_t self:netlink_audit_socket nlmsg_readpriv;
allow $1_t self:netlink_tcpdiag_socket create_netlink_socket_perms;
allow $1_t self:tun_socket create;
# Set password information for other users.
allow $1_t self:passwd { passwd chfn chsh };
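Review bot: `allow $1_t self:netlink_tcpdiag_socket create_netlink_socket_perms;` is added to userdom_admin_user_template without a comment; the tcpdiag netlink socket is what socket-diagnostic tools use, so naming the tool would make the grant reviewable, e.g. `# netlink_tcpdiag_socket for socket diagnostics (ss) — TODO confirm tool`. The template begins and ends outside the hunk.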


@ -167,6 +167,7 @@ define(`create_file_perms',`{ getattr create open }')
define(`rename_file_perms',`{ getattr rename }')
define(`delete_file_perms',`{ getattr unlink }')
define(`manage_file_perms',`{ create open getattr setattr read write append rename link unlink ioctl lock }')
define(`mmap_manage_file_perms',`{ create open map getattr setattr read write append rename link unlink ioctl lock }')
define(`relabelfrom_file_perms',`{ getattr relabelfrom }')
define(`relabelto_file_perms',`{ getattr relabelto }')
define(`relabel_file_perms',`{ getattr relabelfrom relabelto }')
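Review bot: The new `mmap_manage_file_perms` set is manage_file_perms plus `map`, but nothing states that relationship, so the two definitions can drift the next time manage_file_perms is edited. Propose a comment above it, `# manage_file_perms plus map; keep in sync with manage_file_perms`, or express it in terms of the existing set if the .spt conventions allow that. Every caller converted in this PR relies on the two sets differing only by map.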