Merge pull request #518 from 0xC0ncord/various-20220524
More various fixes, mostly ZFS and systemd-related
This commit is contained in:
commit
d2fc884d26
@ -42,6 +42,7 @@ dev_node(bootloader_tmp_t)
|
||||
#
|
||||
|
||||
allow bootloader_t self:capability { chown dac_override dac_read_search fsetid mknod setgid sys_admin sys_rawio };
|
||||
dontaudit bootloader_t self:capability sys_resource;
|
||||
allow bootloader_t self:process { signal_perms execmem };
|
||||
allow bootloader_t self:fifo_file rw_fifo_file_perms;
|
||||
|
||||
@ -96,6 +97,7 @@ fs_read_tmpfs_symlinks(bootloader_t)
|
||||
fs_getattr_efivarfs(bootloader_t)
|
||||
fs_manage_dos_files(bootloader_t)
|
||||
fs_mmap_read_dos_files(bootloader_t)
|
||||
fs_search_cgroup_dirs(bootloader_t)
|
||||
|
||||
mls_file_read_all_levels(bootloader_t)
|
||||
mls_file_write_all_levels(bootloader_t)
|
||||
@ -167,7 +169,8 @@ seutil_dontaudit_search_config(bootloader_t)
|
||||
udev_read_runtime_files(bootloader_t)
|
||||
|
||||
userdom_use_user_terminals(bootloader_t)
|
||||
userdom_dontaudit_search_user_home_dirs(bootloader_t)
|
||||
userdom_dontaudit_manage_user_home_dirs(bootloader_t)
|
||||
userdom_dontaudit_write_user_home_content_files(bootloader_t)
|
||||
|
||||
ifdef(`distro_debian',`
|
||||
allow bootloader_t bootloader_tmp_t:{ dir file } { relabelfrom relabelto };
|
||||
@ -217,6 +220,13 @@ ifdef(`distro_redhat',`
|
||||
')
|
||||
')
|
||||
|
||||
ifdef(`init_systemd',`
|
||||
# these rules are required by systemd-boot-update
|
||||
fs_getattr_cgroup(bootloader_t)
|
||||
init_read_state(bootloader_t)
|
||||
init_rw_inherited_stream_socket(bootloader_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
fstools_exec(bootloader_t)
|
||||
')
|
||||
|
@ -74,7 +74,13 @@ template(`sudo_role_template',`
|
||||
allow $1_sudo_t self:key manage_key_perms;
|
||||
dontaudit $1_sudo_t self:capability { dac_read_search sys_ptrace };
|
||||
|
||||
dontaudit $1_sudo_t $3:socket_class_set { read write };
|
||||
# allow getting the process group of the parent process
|
||||
allow $1_sudo_t $2:process getpgid;
|
||||
|
||||
# allow accessing /proc/pid/stat of the calling domain
|
||||
ps_process_pattern($1_sudo_t, $2)
|
||||
|
||||
dontaudit $1_sudo_t $3:socket_class_set { read write };
|
||||
|
||||
# By default, revert to the calling domain when a shell is executed.
|
||||
corecmd_shell_domtrans($1_sudo_t, $2)
|
||||
@ -122,6 +128,7 @@ template(`sudo_role_template',`
|
||||
auth_use_pam($1_sudo_t)
|
||||
auth_runtime_filetrans_pam_runtime($1_sudo_t, dir, "sudo")
|
||||
|
||||
init_getpgid($1_sudo_t)
|
||||
init_rw_utmp($1_sudo_t)
|
||||
|
||||
logging_send_audit_msgs($1_sudo_t)
|
||||
@ -145,6 +152,8 @@ template(`sudo_role_template',`
|
||||
# for some PAM modules and for cwd
|
||||
userdom_dontaudit_search_user_home_content($1_sudo_t)
|
||||
userdom_dontaudit_search_user_home_dirs($1_sudo_t)
|
||||
# allow forwarding signals to the child process
|
||||
userdom_signal_all_users($1_sudo_t)
|
||||
|
||||
tunable_policy(`allow_polyinstantiation',`
|
||||
allow $1_sudo_t self:capability sys_admin;
|
||||
@ -155,6 +164,9 @@ template(`sudo_role_template',`
|
||||
tunable_policy(`sudo_allow_user_exec_domains',`
|
||||
allow $1_sudo_t $3:key search;
|
||||
|
||||
# allow accessing /proc/pid/stat
|
||||
ps_process_pattern($1_sudo_t, $3)
|
||||
|
||||
# Transmit SIGWINCH to children
|
||||
allow $1_sudo_t $3:process signal;
|
||||
|
||||
|
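Review bot: `userdom_signal_all_users($1_sudo_t)` in the `@ -145` hunk grants signal on every user domain unconditionally, which is broader than the comment's stated purpose of forwarding signals to the child process. The child runs in the calling domain $2 by default (`corecmd_shell_domtrans($1_sudo_t, $2)`) or in $3 under `sudo_allow_user_exec_domains`, and the `@ -155` hunk already adds the narrower `allow $1_sudo_t $3:process signal;` inside that tunable. Consider whether `allow $1_sudo_t $2:process signal;` next to the new `getpgid` rule covers the default case so the all-users grant can be dropped. The `sudo_role_template` body starts and ends outside these hunks.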
@ -120,3 +120,21 @@ interface(`screen_execute_sock_file',`
|
||||
allow $1 screen_runtime_t:sock_file execute;
|
||||
allow $1 screen_tmp_t:dir search;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to get the attributes
|
||||
## of the screen runtime named socket.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain to not audit.
|
||||
## </summary>
|
||||
## </param>
|
||||
interface(`screen_dontaudit_getattr_sock_file',`
|
||||
gen_require(`
|
||||
type screen_runtime_t;
|
||||
')
|
||||
|
||||
dontaudit $1 screen_runtime_t:sock_file getattr;
|
||||
')
|
||||
|
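Review bot: The new `screen_dontaudit_getattr_sock_file` interface has no `#` terminator line between `## </param>` and `interface(`, which every other interface added in this commit (for example `files_remount_etc` and `fs_watch_nfsd_files`) includes to close the documentation comment block. Add a line containing just `#` before `interface(`screen_dontaudit_getattr_sock_file',`` so the file stays uniform with the rest of the policy.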
@ -177,6 +177,7 @@ ifdef(`distro_gentoo',`
|
||||
/usr/lib/dhcpcd/dhcpcd-hooks(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib/dovecot/.+ gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib/dracut(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib/fence(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib/pgsql/test/regress/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib/qt.*/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
|
@ -72,8 +72,6 @@ ifdef(`distro_suse',`
|
||||
/etc/sysconfig/iptables\.save -- gen_context(system_u:object_r:etc_runtime_t,s0)
|
||||
/etc/sysconfig/firstboot -- gen_context(system_u:object_r:etc_runtime_t,s0)
|
||||
|
||||
/etc/zfs/zpool\.cache -- gen_context(system_u:object_r:etc_runtime_t,s0)
|
||||
|
||||
ifdef(`distro_gentoo', `
|
||||
/etc/profile\.env -- gen_context(system_u:object_r:etc_runtime_t,s0)
|
||||
/etc/csh\.env -- gen_context(system_u:object_r:etc_runtime_t,s0)
|
||||
|
@ -3040,6 +3040,24 @@ interface(`files_mounton_etc_dirs',`
|
||||
allow $1 etc_t:dir mounton;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Remount etc filesystems.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`files_remount_etc',`
|
||||
gen_require(`
|
||||
type etc_t;
|
||||
')
|
||||
|
||||
allow $1 etc_t:filesystem remount;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Watch /etc directories
|
||||
|
@ -4055,6 +4055,24 @@ interface(`fs_read_nsfs_files',`
|
||||
allow $1 nsfs_t:file read_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Watch NFS server files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`fs_watch_nfsd_files',`
|
||||
gen_require(`
|
||||
type nfsd_fs_t;
|
||||
')
|
||||
|
||||
allow $1 nfsd_fs_t:file watch;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Get the attributes of an nsfs filesystem.
|
||||
@ -4702,6 +4720,24 @@ interface(`fs_rw_rpc_named_pipes',`
|
||||
allow $1 rpc_pipefs_t:fifo_file rw_fifo_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Watch RPC pipe filesystem directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`fs_watch_rpc_pipefs_dirs',`
|
||||
gen_require(`
|
||||
type rpc_pipefs_t;
|
||||
')
|
||||
|
||||
allow $1 rpc_pipefs_t:dir watch;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Mount a tmpfs filesystem.
|
||||
|
@ -453,6 +453,8 @@ optional_policy(`
|
||||
|
||||
rpc_manage_nfs_ro_content(kernel_t)
|
||||
rpc_manage_nfs_rw_content(kernel_t)
|
||||
rpc_search_nfs_state_data(kernel_t)
|
||||
rpc_use_nfsd_fds(kernel_t)
|
||||
rpc_tcp_rw_nfs_sockets(kernel_t)
|
||||
rpc_udp_rw_nfs_sockets(kernel_t)
|
||||
|
||||
@ -491,6 +493,10 @@ optional_policy(`
|
||||
unconfined_domain_noaudit(kernel_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
zfs_rw_zpool_cache(kernel_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# Unlabeled process local policy
|
||||
|
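Review bot: The new `optional_policy` block with `zfs_rw_zpool_cache(kernel_t)` carries no comment explaining why the kernel domain needs read/write access to a file under /etc. Presumably the in-kernel ZFS module rewrites the pool cache itself; if that is the reason, say so, e.g. `# the zfs kernel module updates /etc/zfs/zpool.cache`. This commit also moves that file from etc_runtime_t to the new zfs_zpool_cache_t (files.fc and zfs.fc hunks), so this rule is what keeps the kernel able to write it after the relabel, which is worth stating next to the rule.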
@ -18,6 +18,7 @@ interface(`storage_getattr_fixed_disk_dev',`
|
||||
|
||||
dev_list_all_dev_nodes($1)
|
||||
allow $1 fixed_disk_device_t:blk_file getattr;
|
||||
allow $1 fixed_disk_device_t:chr_file getattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -58,6 +59,7 @@ interface(`storage_setattr_fixed_disk_dev',`
|
||||
|
||||
dev_list_all_dev_nodes($1)
|
||||
allow $1 fixed_disk_device_t:blk_file setattr;
|
||||
allow $1 fixed_disk_device_t:chr_file setattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
@ -77,6 +79,7 @@ interface(`storage_dontaudit_setattr_fixed_disk_dev',`
|
||||
')
|
||||
|
||||
dontaudit $1 fixed_disk_device_t:blk_file setattr;
|
||||
dontaudit $1 fixed_disk_device_t:chr_file setattr;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
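Review bot: `storage_getattr_fixed_disk_dev`, `storage_setattr_fixed_disk_dev` and `storage_dontaudit_setattr_fixed_disk_dev` now also cover `fixed_disk_device_t:chr_file`, but their `<summary>` blocks (above these hunks, not visible on this page) presumably still describe block device nodes only. Update them to mention character device nodes as well, e.g. `## Get the attributes of fixed disk device nodes (block and character).`, so callers understand the wider grant.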
@ -39,6 +39,7 @@ corenet_ib_access_unlabeled_pkeys(sysadm_t)
|
||||
corenet_ib_manage_subnet_unlabeled_endports(sysadm_t)
|
||||
|
||||
dev_read_kmsg(sysadm_t)
|
||||
dev_rw_ipmi_dev(sysadm_t)
|
||||
|
||||
logging_watch_all_logs(sysadm_t)
|
||||
logging_watch_audit_log(sysadm_t)
|
||||
@ -1214,6 +1215,10 @@ optional_policy(`
|
||||
zebra_admin(sysadm_t, sysadm_r)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
zfs_admin(sysadm_t, sysadm_r)
|
||||
')
|
||||
|
||||
ifndef(`distro_redhat',`
|
||||
optional_policy(`
|
||||
auth_role(sysadm, sysadm_t, sysadm_application_exec_domain, sysadm_r)
|
||||
|
@ -1,6 +1,7 @@
|
||||
HOME_DIR/\.cache/containers(/.*)? gen_context(system_u:object_r:container_cache_home_t,s0)
|
||||
HOME_DIR/\.config/containers(/.*)? gen_context(system_u:object_r:container_conf_home_t,s0)
|
||||
HOME_DIR/\.config/cni(/.*)? gen_context(system_u:object_r:container_conf_home_t,s0)
|
||||
HOME_DIR/\.config/docker(/.*)? gen_context(system_u:object_r:container_conf_home_t,s0)
|
||||
HOME_DIR/\.local/share/containers(/.*)? gen_context(system_u:object_r:container_data_home_t,s0)
|
||||
HOME_DIR/\.local/share/containers/storage/overlay(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
||||
HOME_DIR/\.local/share/containers/storage/overlay2(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
||||
@ -18,6 +19,8 @@ HOME_DIR/\.local/share/docker/init(/.*)? gen_context(system_u:object_r:containe
|
||||
HOME_DIR/\.local/share/docker/fuse-overlayfs(/.*)? gen_context(system_u:object_r:container_ro_file_t,s0)
|
||||
HOME_DIR/\.local/share/docker/volumes(/.*)? gen_context(system_u:object_r:container_file_t,s0)
|
||||
|
||||
HOME_DIR/\.docker(/.*)? gen_context(system_u:object_r:container_conf_home_t,s0)
|
||||
|
||||
/usr/bin/crun -- gen_context(system_u:object_r:container_engine_exec_t,s0)
|
||||
/usr/bin/runc -- gen_context(system_u:object_r:container_engine_exec_t,s0)
|
||||
|
||||
|
@ -4,6 +4,7 @@
|
||||
/etc/rc\.d/init\.d/nfslock -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
|
||||
/etc/rc\.d/init\.d/rpcidmapd -- gen_context(system_u:object_r:rpcd_initrc_exec_t,s0)
|
||||
|
||||
/usr/bin/nfsdcld -- gen_context(system_u:object_r:rpcd_exec_t,s0)
|
||||
/usr/bin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0)
|
||||
/usr/bin/rpc\.idmapd -- gen_context(system_u:object_r:rpcd_exec_t,s0)
|
||||
/usr/bin/rpc\.gssd -- gen_context(system_u:object_r:gssd_exec_t,s0)
|
||||
@ -17,6 +18,7 @@
|
||||
/usr/lib/systemd/system/rpc.*\.service -- gen_context(system_u:object_r:rpcd_unit_t,s0)
|
||||
|
||||
/usr/sbin/blkmapd -- gen_context(system_u:object_r:blkmapd_exec_t,s0)
|
||||
/usr/sbin/nfsdcld -- gen_context(system_u:object_r:rpcd_exec_t,s0)
|
||||
/usr/sbin/rpc\..* -- gen_context(system_u:object_r:rpcd_exec_t,s0)
|
||||
/usr/sbin/rpc\.idmapd -- gen_context(system_u:object_r:rpcd_exec_t,s0)
|
||||
/usr/sbin/rpc\.gssd -- gen_context(system_u:object_r:gssd_exec_t,s0)
|
||||
|
@ -181,6 +181,25 @@ interface(`rpc_initrc_domtrans_rpcd',`
|
||||
init_labeled_script_domtrans($1, rpcd_initrc_exec_t)
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## Inherit and use file descriptors from
|
||||
## nfsd.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`rpc_use_nfsd_fds',`
|
||||
gen_require(`
|
||||
type nfsd_t;
|
||||
')
|
||||
|
||||
allow $1 nfsd_t:fd use;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read nfs exported content.
|
||||
@ -301,6 +320,25 @@ interface(`rpc_search_nfs_state_data',`
|
||||
allow $1 var_lib_nfs_t:dir search;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create nfs lib directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`rpc_create_nfs_state_data_dirs',`
|
||||
gen_require(`
|
||||
type var_lib_nfs_t;
|
||||
')
|
||||
|
||||
files_search_var_lib($1)
|
||||
create_dirs_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read nfs lib files.
|
||||
|
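Review bot: The separator line above the new `rpc_use_nfsd_fds` interface appears one `#` shorter than the 40-character rule used by the surrounding interfaces, including the one above `rpc_create_nfs_state_data_dirs` in the next hunk; pad it so the file stays uniform. The two interfaces otherwise follow the file's conventions.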
@ -260,6 +260,7 @@ fs_list_rpc(rpcd_t)
|
||||
fs_read_rpc_files(rpcd_t)
|
||||
fs_read_rpc_symlinks(rpcd_t)
|
||||
fs_rw_rpc_sockets(rpcd_t)
|
||||
fs_watch_rpc_pipefs_dirs(rpcd_t)
|
||||
fs_get_all_fs_quotas(rpcd_t)
|
||||
fs_set_xattr_fs_quotas(rpcd_t)
|
||||
fs_getattr_all_fs(rpcd_t)
|
||||
@ -325,12 +326,14 @@ dev_rw_lvm_control(nfsd_t)
|
||||
|
||||
files_getattr_tmp_dirs(nfsd_t)
|
||||
files_manage_mounttab(nfsd_t)
|
||||
files_search_all_mountpoints(nfsd_t)
|
||||
|
||||
fs_mount_nfsd_fs(nfsd_t)
|
||||
fs_getattr_all_fs(nfsd_t)
|
||||
fs_getattr_all_dirs(nfsd_t)
|
||||
fs_list_nfsd_fs(nfsd_t)
|
||||
fs_watch_nfsd_dirs(nfsd_t)
|
||||
fs_watch_nfsd_files(nfsd_t)
|
||||
fs_rw_nfsd_fs(nfsd_t)
|
||||
|
||||
storage_dontaudit_read_fixed_disk(nfsd_t)
|
||||
|
@ -32,9 +32,10 @@ allow rpcbind_t self:fifo_file rw_fifo_file_perms;
|
||||
allow rpcbind_t self:unix_stream_socket { accept listen };
|
||||
allow rpcbind_t self:tcp_socket { accept listen };
|
||||
|
||||
manage_dirs_pattern(rpcbind_t, rpcbind_runtime_t, rpcbind_runtime_t)
|
||||
manage_files_pattern(rpcbind_t, rpcbind_runtime_t, rpcbind_runtime_t)
|
||||
manage_sock_files_pattern(rpcbind_t, rpcbind_runtime_t, rpcbind_runtime_t)
|
||||
files_runtime_filetrans(rpcbind_t, rpcbind_runtime_t, { file sock_file })
|
||||
files_runtime_filetrans(rpcbind_t, rpcbind_runtime_t, { dir file sock_file })
|
||||
|
||||
manage_dirs_pattern(rpcbind_t, rpcbind_var_lib_t, rpcbind_var_lib_t)
|
||||
manage_files_pattern(rpcbind_t, rpcbind_var_lib_t, rpcbind_var_lib_t)
|
||||
|
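Review bot: The `files_runtime_filetrans` change in this hunk adds an unnamed `dir` transition, so any directory rpcbind_t creates directly in /run is labelled rpcbind_runtime_t. If the directory rpcbind creates there has a fixed name, a named transition pins the label to it: `files_runtime_filetrans(rpcbind_t, rpcbind_runtime_t, dir, "<dirname>")` alongside the existing `{ file sock_file }` transition. The file and socket transitions were already unnamed, so this is a tightening opportunity rather than a regression.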
@ -288,6 +288,8 @@ tunable_policy(`ssh_sysadm_login',`
|
||||
tunable_policy(`allow_polyinstantiation',`
|
||||
allow sshd_t self:capability dac_override;
|
||||
files_relabel_generic_tmp_dirs(sshd_t)
|
||||
|
||||
seutil_exec_setfiles(sshd_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
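Review bot: `allow sshd_t self:capability dac_override;` inside the `allow_polyinstantiation` tunable is a strong grant: it bypasses every DAC read, write and execute check, not only directory traversal. If the denial behind it came from setfiles or the relabel of the polyinstantiated tmp directories only needing to read or search paths sshd does not own, `dac_read_search` is the narrower capability; keep `dac_override` only if a write denial was actually observed. Which of the three lines in this hunk are the additions is not marked on this page, so this applies to whichever of them is new. A short comment naming the triggering operation would also help the next reader.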
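--- a/policy/modules/services/zfs.fc
+++ b/policy/modules/services/zfs.fc
@@ -0,0 +1,14 @@
+/usr/bin/zed -- gen_context(system_u:object_r:zed_exec_t,s0)
+/usr/bin/zfs -- gen_context(system_u:object_r:zfs_exec_t,s0)
+/usr/bin/zfs-auto-snapshot -- gen_context(system_u:object_r:zfs_exec_t,s0)
+/usr/bin/zpool -- gen_context(system_u:object_r:zfs_exec_t,s0)
+
+/usr/sbin/zed -- gen_context(system_u:object_r:zed_exec_t,s0)
+/usr/sbin/zfs -- gen_context(system_u:object_r:zfs_exec_t,s0)
+/usr/sbin/zpool -- gen_context(system_u:object_r:zfs_exec_t,s0)
+
+/etc/zfs(/.*)? gen_context(system_u:object_r:zfs_config_t,s0)
+/etc/zfs/zpool\.cache -- gen_context(system_u:object_r:zfs_zpool_cache_t,s0)
+
+/run/zed\.pid -- gen_context(system_u:object_r:zfs_runtime_t,s0)
+/run/zed\.state -- gen_context(system_u:object_r:zfs_runtime_t,s0)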
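--- a/policy/modules/services/zfs.if
+++ b/policy/modules/services/zfs.if
@@ -0,0 +1,164 @@
+## <summary>Tools for the Zettabyte File System.</summary>
+
+########################################
+## <summary>
+## Execute ZFS tools in the
+## ZFS domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`zfs_domtrans',`
+gen_require(`
+type zfs_t, zfs_exec_t;
+')
+
+corecmd_search_bin($1)
+domtrans_pattern($1, zfs_exec_t, zfs_t)
+')
+
+########################################
+## <summary>
+## Execute ZFS tools in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`zfs_exec',`
+gen_require(`
+type zfs_exec_t;
+')
+
+corecmd_search_bin($1)
+can_exec($1, zfs_exec_t)
+')
+
+########################################
+## <summary>
+## Execute ZFS tools in the ZFS domain, and
+## allow the specified role the ZFS domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`zfs_run',`
+gen_require(`
+type zfs_t;
+')
+
+zfs_domtrans($1)
+role $2 types zfs_t;
+')
+
+########################################
+## <summary>
+## Search ZFS config directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`zfs_search_config',`
+gen_require(`
+type zfs_config_t;
+')
+
+files_search_etc($1)
+search_dirs_pattern($1, zfs_config_t, zfs_config_t)
+')
+
+########################################
+## <summary>
+## Read ZFS config files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`zfs_read_config',`
+gen_require(`
+type zfs_config_t;
+')
+
+files_search_etc($1)
+read_files_pattern($1, zfs_config_t, zfs_config_t)
+read_lnk_files_pattern($1, zfs_config_t, zfs_config_t)
+')
+
+########################################
+## <summary>
+## Read and write zpool cache files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`zfs_rw_zpool_cache',`
+gen_require(`
+type zfs_zpool_cache_t;
+')
+
+zfs_search_config($1)
+allow $1 zfs_zpool_cache_t:file rw_file_perms;
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate a ZFS environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`zfs_admin',`
+gen_require(`
+type zfs_t, zed_t;
+type zfs_config_t, zfs_zpool_cache_t;
+type zfs_runtime_t;
+')
+
+zfs_run($1, $2)
+
+allow $1 zfs_t:process { ptrace signal_perms };
+ps_process_pattern($1, zfs_t)
+
+allow $1 zed_t:process { ptrace signal_perms };
+ps_process_pattern($1, zed_t)
+
+files_search_etc($1)
+admin_pattern($1, zfs_config_t)
+admin_pattern($1, zfs_zpool_cache_t)
+
+files_search_runtime($1)
+admin_pattern($1, zfs_runtime_t)
+')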
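Review bot: `zfs_run` binds the role with `role $2 types zfs_t;`, while zfs.te in this commit declares `attribute_role zfs_roles` and places both zfs_t and zed_t in it; nothing in the commit ever adds a role to zfs_roles, so the attribute is dead and roles reach zfs_t only through this direct statement. For consistency with the .te file, require the attribute and use it: `attribute_role zfs_roles;` in the gen_require block and `roleattribute $2 zfs_roles;` in place of `role $2 types zfs_t;`. That would also make $2 valid for zed_t, which is what the attribute grouping implies; if that is not intended, drop the `role zfs_roles types zed_t;` line in zfs.te instead.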
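--- a/policy/modules/services/zfs.te
+++ b/policy/modules/services/zfs.te
@@ -0,0 +1,120 @@
+policy_module(zfs)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role zfs_roles;
+
+type zed_t;
+type zed_exec_t;
+init_daemon_domain(zed_t, zed_exec_t)
+role zfs_roles types zed_t;
+
+type zfs_t;
+type zfs_exec_t;
+init_system_domain(zfs_t, zfs_exec_t)
+role zfs_roles types zfs_t;
+
+type zfs_config_t;
+files_config_file(zfs_config_t)
+
+type zfs_zpool_cache_t;
+files_config_file(zfs_zpool_cache_t)
+
+type zfs_runtime_t;
+files_runtime_file(zfs_runtime_t)
+
+########################################
+#
+# zed local policy
+#
+
+allow zed_t self:process signal;
+allow zed_t self:capability sys_admin;
+allow zed_t self:fifo_file rw_fifo_file_perms;
+allow zed_t self:unix_dgram_socket create_socket_perms;
+allow zed_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+domtrans_pattern(zed_t, zfs_exec_t, zfs_t)
+
+list_dirs_pattern(zed_t, zfs_config_t, zfs_config_t)
+read_files_pattern(zed_t, zfs_config_t, zfs_config_t)
+read_lnk_files_pattern(zed_t, zfs_config_t, zfs_config_t)
+
+manage_files_pattern(zed_t, zfs_runtime_t, zfs_runtime_t)
+files_runtime_filetrans(zed_t, zfs_runtime_t, file)
+
+# to execute scripts in /usr/libexec/zfs
+corecmd_exec_bin(zed_t)
+corecmd_exec_shell(zed_t)
+
+dev_read_sysfs(zed_t)
+
+files_search_etc(zed_t)
+
+kernel_read_vm_overcommit_sysctl(zed_t)
+
+storage_raw_rw_fixed_disk(zed_t)
+
+auth_use_nsswitch(zed_t)
+
+logging_send_syslog_msg(zed_t)
+
+miscfiles_read_localization(zed_t)
+
+udev_search_runtime(zed_t)
+
+########################################
+#
+# zfs local policy
+#
+
+allow zfs_t self:process getsched;
+allow zfs_t self:capability sys_admin;
+allow zfs_t self:fifo_file rw_fifo_file_perms;
+
+list_dirs_pattern(zfs_t, zfs_config_t, zfs_config_t)
+read_files_pattern(zfs_t, zfs_config_t, zfs_config_t)
+read_lnk_files_pattern(zfs_t, zfs_config_t, zfs_config_t)
+
+# to execute scripts in /usr/libexec/zfs
+corecmd_exec_bin(zfs_t)
+corecmd_exec_shell(zfs_t)
+
+dev_read_sysfs(zfs_t)
+
+domain_use_interactive_fds(zfs_t)
+
+files_getattr_all_dirs(zfs_t)
+files_mounton_all_mountpoints(zfs_t)
+files_search_etc(zfs_t)
+
+fs_getattr_xattr_fs(zfs_t)
+fs_mount_xattr_fs(zfs_t)
+fs_unmount_xattr_fs(zfs_t)
+fs_remount_xattr_fs(zfs_t)
+fs_relabelfrom_xattr_fs(zfs_t)
+fs_ioctl_cgroup_dirs(zfs_t)
+fs_rw_nfsd_fs(zfs_t)
+
+kernel_read_fs_sysctls(zfs_t)
+kernel_read_kernel_sysctls(zfs_t)
+
+storage_raw_rw_fixed_disk(zfs_t)
+
+miscfiles_read_localization(zfs_t)
+
+auth_use_nsswitch(zfs_t)
+
+mount_exec(zfs_t)
+
+userdom_use_user_terminals(zfs_t)
+
+optional_policy(`
+kernel_rw_rpc_sysctls(zfs_t)
+
+rpc_manage_nfs_state_data(zfs_t)
+rpc_read_exports(zfs_t)
+')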
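Review bot: `files_runtime_filetrans(zed_t, zfs_runtime_t, file)` is an unnamed transition, so every file zed_t creates directly in /run becomes zfs_runtime_t, whereas zfs.fc in this commit labels only `/run/zed\.pid` and `/run/zed\.state`. Naming the transitions keeps the policy and the file contexts in step: `files_runtime_filetrans(zed_t, zfs_runtime_t, file, "zed.pid")` and `files_runtime_filetrans(zed_t, zfs_runtime_t, file, "zed.state")`. The two `# to execute scripts in /usr/libexec/zfs` comments are a good model; a similar one-liner on `storage_raw_rw_fixed_disk(zfs_t)` and `files_mounton_all_mountpoints(zfs_t)` would document why those wide grants are needed for the zfs domain.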
@ -49,7 +49,6 @@
|
||||
/usr/bin/swapon.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
||||
/usr/bin/tune2fs -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
||||
/usr/bin/zdb -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
||||
/usr/bin/zfs-auto-snapshot -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
||||
/usr/bin/zhack -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
||||
/usr/bin/zinject -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
||||
/usr/bin/zpios -- gen_context(system_u:object_r:fsadm_exec_t,s0)
|
||||
|
@ -158,8 +158,6 @@ logging_send_syslog_msg(fsadm_t)
|
||||
|
||||
miscfiles_read_localization(fsadm_t)
|
||||
|
||||
# for zfs/zpool
|
||||
mount_exec(fsadm_t)
|
||||
# for /run/mount/utab
|
||||
mount_getattr_runtime_files(fsadm_t)
|
||||
|
||||
@ -205,6 +203,14 @@ optional_policy(`
|
||||
nis_use_ypbind(fsadm_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
fs_search_nfsd_fs(fsadm_t)
|
||||
fs_rw_nfsd_fs(fsadm_t)
|
||||
kernel_rw_rpc_sysctls(fsadm_t)
|
||||
rpc_manage_nfs_state_data(fsadm_t)
|
||||
rpc_read_exports(fsadm_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
# Xen causes losetup to run with a presumably accidentally inherited
|
||||
# file handle for /run/xen-hotplug/block
|
||||
|
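Review bot: The new `optional_policy` block granting fsadm_t nfsd and rpc access has no comment, and with the zfs/zpool binaries and `mount_exec(fsadm_t)` moved out of this module in the same commit it is not obvious which remaining fstools binary needs `rpc_manage_nfs_state_data` and `kernel_rw_rpc_sysctls`. Add a one-line comment naming it, e.g. `# for <tool>: <operation that touches nfsd state>`; the block is identical to the one added for zfs_t in zfs.te, so if it only ever served zfs/zpool it may be removable here. Arguably `fs_search_nfsd_fs`, `fs_rw_nfsd_fs` and `kernel_rw_rpc_sysctls` are base-module interfaces and need not sit inside the rpc optional block, though keeping them together is harmless.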
@ -415,8 +415,9 @@ ifdef(`init_systemd',`
|
||||
files_relabel_generic_tmp_dirs(init_t)
|
||||
files_mounton_tmp(init_t)
|
||||
files_manage_urandom_seed(init_t)
|
||||
files_read_boot_files(initrc_t)
|
||||
files_read_boot_files(init_t)
|
||||
files_remount_boot(init_t)
|
||||
files_remount_etc(init_t)
|
||||
files_relabel_all_lock_dirs(init_t)
|
||||
files_search_all(init_t)
|
||||
files_unmount_all_file_type_fs(init_t)
|
||||
@ -541,6 +542,11 @@ ifdef(`init_systemd',`
|
||||
files_mounton_non_security(init_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
# to run systemd-boot-update
|
||||
bootloader_domtrans(init_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
clock_read_adjtime(init_t)
|
||||
')
|
||||
@ -561,6 +567,16 @@ ifdef(`init_systemd',`
|
||||
dbus_connect_system_bus(init_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
# var-lib-nfs-rpc_pipefs.mount creates /var/lib/nfs/rpc_pipefs
|
||||
# if it does not exist
|
||||
rpc_create_nfs_state_data_dirs(init_t)
|
||||
rpc_manage_nfs_state_data(init_t)
|
||||
|
||||
fs_rw_nfsd_fs(initrc_t)
|
||||
fs_rw_rpc_named_pipes(initrc_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
# for systemd --user:
|
||||
unconfined_search_keys(init_t)
|
||||
@ -675,6 +691,7 @@ manage_dirs_pattern(initrc_t, initrc_state_t, initrc_state_t)
|
||||
manage_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
|
||||
manage_lnk_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
|
||||
manage_fifo_files_pattern(initrc_t, initrc_state_t, initrc_state_t)
|
||||
dontaudit initrc_t initrc_state_t:chr_file { create_chr_file_perms setattr };
|
||||
|
||||
allow initrc_t initrc_runtime_t:file manage_file_perms;
|
||||
files_runtime_filetrans(initrc_t, initrc_runtime_t, file)
|
||||
|
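Review bot: In the `@ -561` hunk the new rpc `optional_policy` block mixes `init_t` rules with two `initrc_t` rules (`fs_rw_nfsd_fs(initrc_t)`, `fs_rw_rpc_named_pipes(initrc_t)`), and the comment only explains the init_t half. Either move the initrc_t lines to the initrc_t section of the file or extend the comment, e.g. `# initrc_t: <which unit or script> needs the nfsd fs and rpc_pipefs pipes`. The `@ -415` hunk's change from `files_read_boot_files(initrc_t)` to `files_read_boot_files(init_t)` looks like a correction of a rule in the wrong section, so the same care is worth applying here.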
@ -121,6 +121,7 @@ files_read_etc_files(auditctl_t)
|
||||
kernel_dontaudit_getattr_proc(auditctl_t)
|
||||
kernel_read_kernel_sysctls(auditctl_t)
|
||||
kernel_read_proc_symlinks(auditctl_t)
|
||||
kernel_read_system_state(auditctl_t)
|
||||
kernel_setsched(auditctl_t)
|
||||
|
||||
domain_read_all_domains_state(auditctl_t)
|
||||
@ -139,6 +140,9 @@ miscfiles_read_localization(auditctl_t)
|
||||
|
||||
ifdef(`init_systemd',`
|
||||
init_rw_stream_sockets(auditctl_t)
|
||||
|
||||
systemd_list_userdb_runtime_dirs(auditctl_t)
|
||||
systemd_stream_connect_userdb(auditctl_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
@ -2,12 +2,8 @@
|
||||
/usr/bin/fusermount3 -- gen_context(system_u:object_r:mount_exec_t,s0)
|
||||
/usr/bin/mount(\.[^/]+)? -- gen_context(system_u:object_r:mount_exec_t,s0)
|
||||
/usr/bin/umount(\.[^/]+)? -- gen_context(system_u:object_r:mount_exec_t,s0)
|
||||
/usr/bin/zfs -- gen_context(system_u:object_r:mount_exec_t,s0)
|
||||
/usr/bin/zpool -- gen_context(system_u:object_r:mount_exec_t,s0)
|
||||
|
||||
/usr/sbin/mount(\.[^/]+)? -- gen_context(system_u:object_r:mount_exec_t,s0)
|
||||
/usr/sbin/umount(\.[^/]+)? -- gen_context(system_u:object_r:mount_exec_t,s0)
|
||||
/usr/sbin/zfs -- gen_context(system_u:object_r:mount_exec_t,s0)
|
||||
/usr/sbin/zpool -- gen_context(system_u:object_r:mount_exec_t,s0)
|
||||
|
||||
/run/mount(/.*)? gen_context(system_u:object_r:mount_runtime_t,s0)
|
||||
|
@ -53,7 +53,7 @@ files_tmp_filetrans(mount_t, mount_tmp_t, { file dir })
|
||||
manage_dirs_pattern(mount_t, mount_runtime_t, mount_runtime_t)
|
||||
manage_files_pattern(mount_t, mount_runtime_t, mount_runtime_t)
|
||||
rw_files_pattern(mount_t, mount_runtime_t, mount_runtime_t)
|
||||
files_runtime_filetrans(mount_t, mount_runtime_t, dir, "mount")
|
||||
files_runtime_filetrans(mount_t, mount_runtime_t, { dir file })
|
||||
|
||||
kernel_read_system_state(mount_t)
|
||||
kernel_read_kernel_sysctls(mount_t)
|
||||
|
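Review bot: This hunk replaces `files_runtime_filetrans(mount_t, mount_runtime_t, dir, "mount")` with `files_runtime_filetrans(mount_t, mount_runtime_t, { dir file })`, which drops the name restriction on the directory transition: every directory mount_t creates directly in /run, not just `/run/mount`, now becomes mount_runtime_t (assuming the line carrying the name is the removed one, which this page does not mark). If the intent was only to add the file transition, keep the named directory rule and add the file one beside it: `files_runtime_filetrans(mount_t, mount_runtime_t, dir, "mount")` and `files_runtime_filetrans(mount_t, mount_runtime_t, file)`. mount.fc still labels `/run/mount(/.*)?`, so the named form stays consistent with the file contexts.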
@ -1393,6 +1393,24 @@ interface(`systemd_signull_logind',`
|
||||
allow $1 systemd_logind_t:process signull;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## List the contents of systemd userdb runtime directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`systemd_list_userdb_runtime_dirs', `
|
||||
gen_require(`
|
||||
type systemd_userdbd_runtime_t;
|
||||
')
|
||||
|
||||
list_dirs_pattern($1, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Manage systemd userdb runtime directories.
|
||||
@ -1411,6 +1429,24 @@ interface(`systemd_manage_userdb_runtime_dirs', `
|
||||
manage_dirs_pattern($1, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read systemd userdb runtime files.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`systemd_read_userdb_runtime_files', `
|
||||
gen_require(`
|
||||
type systemd_userdbd_runtime_t;
|
||||
')
|
||||
|
||||
read_files_pattern($1, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Manage socket files under /run/systemd/userdb .
|
||||
@ -2363,7 +2399,7 @@ interface(`systemd_stream_connect_resolved',`
|
||||
type systemd_resolved_runtime_t;
|
||||
')
|
||||
|
||||
files_search_runtime($1)
|
||||
init_search_runtime($1)
|
||||
stream_connect_pattern($1, systemd_resolved_runtime_t, systemd_resolved_runtime_t, systemd_resolved_t)
|
||||
')
|
||||
|
||||
|
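Review bot: The new `systemd_list_userdb_runtime_dirs` and `systemd_read_userdb_runtime_files` interfaces grant access to `systemd_userdbd_runtime_t` objects but do not let the caller search the path to them, while the `systemd_stream_connect_resolved` hunk in this same file is being changed to call `init_search_runtime($1)` for exactly that kind of path lookup. Since the userdb directory lives under /run/systemd (the neighbouring summary says `Manage socket files under /run/systemd/userdb`), callers will likely also need `files_search_runtime($1)` and `init_search_runtime($1)` ahead of the `list_dirs_pattern`/`read_files_pattern` lines; auditctl_t in logging.te is the first consumer, so that is where a missing search would surface. Which of `files_search_runtime`/`init_search_runtime` is the removed line in the resolved hunk is not marked on the page; the hunk counts say one replaces the other.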
@ -488,6 +488,7 @@ files_read_boot_files(systemd_generator_t)
|
||||
files_search_all_mountpoints(systemd_generator_t)
|
||||
files_list_usr(systemd_generator_t)
|
||||
files_dontaudit_getattr_all_dirs(systemd_generator_t)
|
||||
files_dontaudit_read_etc_runtime_files(systemd_generator_t)
|
||||
|
||||
fs_list_efivars(systemd_generator_t)
|
||||
fs_getattr_all_fs(systemd_generator_t)
|
||||
@ -546,6 +547,17 @@ optional_policy(`
|
||||
miscfiles_read_localization(systemd_generator_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
fs_search_nfsd_fs(systemd_generator_t)
|
||||
fs_rw_nfsd_fs(systemd_generator_t)
|
||||
rpc_read_exports(systemd_generator_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
# needed by zfs-mount-generator
|
||||
zfs_read_config(systemd_generator_t)
|
||||
')
|
||||
|
||||
#######################################
|
||||
#
|
||||
# systemd-homed policy
|
||||
@ -871,6 +883,8 @@ init_stop_all_units(systemd_logind_t)
|
||||
init_start_system(systemd_logind_t)
|
||||
init_stop_system(systemd_logind_t)
|
||||
|
||||
miscfiles_read_localization(systemd_logind_t)
|
||||
|
||||
locallogin_read_state(systemd_logind_t)
|
||||
|
||||
seutil_libselinux_linked(systemd_logind_t)
|
||||
@ -1441,6 +1455,8 @@ fs_search_cgroup_dirs(systemd_resolved_t)
|
||||
|
||||
init_dgram_send(systemd_resolved_t)
|
||||
|
||||
miscfiles_read_generic_certs(systemd_resolved_t)
|
||||
|
||||
seutil_libselinux_linked(systemd_resolved_t)
|
||||
seutil_read_file_contexts(systemd_resolved_t)
|
||||
|
||||
@ -1599,7 +1615,7 @@ dev_setattr_all_sysfs(systemd_tmpfiles_t)
|
||||
dev_write_sysfs(systemd_tmpfiles_t)
|
||||
|
||||
files_create_lock_dirs(systemd_tmpfiles_t)
|
||||
files_dontaudit_getattr_lost_found_dirs(systemd_tmpfiles_t)
|
||||
files_dontaudit_getattr_all_dirs(systemd_tmpfiles_t)
|
||||
files_manage_all_runtime_dirs(systemd_tmpfiles_t)
|
||||
files_delete_usr_files(systemd_tmpfiles_t)
|
||||
files_list_home(systemd_tmpfiles_t)
|
||||
@ -1695,6 +1711,10 @@ optional_policy(`
|
||||
dpkg_script_rw_inherited_pipes(systemd_tmpfiles_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
screen_dontaudit_getattr_sock_file(systemd_tmpfiles_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
xfs_create_tmp_dirs(systemd_tmpfiles_t)
|
||||
')
|
||||
@ -1843,6 +1863,8 @@ init_read_state(systemd_userdbd_t)
|
||||
|
||||
kernel_read_kernel_sysctls(systemd_userdbd_t)
|
||||
|
||||
seutil_search_default_contexts(systemd_userdbd_t)
|
||||
|
||||
systemd_log_parse_environment(systemd_userdbd_t)
|
||||
|
||||
#########################################
|
||||
|
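Review bot: In the `@ -1599` hunk `files_dontaudit_getattr_lost_found_dirs(systemd_tmpfiles_t)` is replaced by `files_dontaudit_getattr_all_dirs(systemd_tmpfiles_t)` (the page does not mark which is old, but the counts say one replaces the other), which silences getattr denials on every directory type for tmpfiles rather than only lost+found. That hides real labelling problems in tmpfiles.d entries from the audit log; if the noise comes from a few known directory types, prefer targeted dontaudits or an explicit `allow`, and add a comment naming the source of the noise. The remaining additions in this section (rpc and zfs optional blocks, screen, locallogin, certs) are each narrowly scoped.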
@ -371,6 +371,10 @@ optional_policy(`
|
||||
xserver_read_xdm_runtime_files(udev_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
zfs_read_config(udev_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# udevadm Local policy
|
||||
@ -390,18 +394,28 @@ read_files_pattern(udevadm_t, udev_runtime_t, udev_runtime_t)
|
||||
read_lnk_files_pattern(udevadm_t, udev_runtime_t, udev_runtime_t)
|
||||
allow udevadm_t udev_runtime_t:dir watch;
|
||||
|
||||
dev_getattr_sysfs(udevadm_t)
|
||||
dev_rw_sysfs(udevadm_t)
|
||||
dev_getattr_all_chr_files(udevadm_t)
|
||||
dev_getattr_generic_chr_files(udevadm_t)
|
||||
dev_read_urand(udevadm_t)
|
||||
|
||||
domain_use_interactive_fds(udevadm_t)
|
||||
|
||||
files_read_etc_files(udevadm_t)
|
||||
files_read_usr_files(udevadm_t)
|
||||
|
||||
fs_getattr_xattr_fs(udevadm_t)
|
||||
|
||||
init_list_runtime(udevadm_t)
|
||||
init_read_state(udevadm_t)
|
||||
|
||||
kernel_dontaudit_getattr_proc(udevadm_t)
|
||||
kernel_read_kernel_sysctls(udevadm_t)
|
||||
kernel_read_system_state(udevadm_t)
|
||||
|
||||
seutil_read_file_contexts(udevadm_t)
|
||||
|
||||
fs_getattr_xattr_fs(udevadm_t)
|
||||
storage_getattr_fixed_disk_dev(udevadm_t)
|
||||
|
||||
userdom_use_user_terminals(udevadm_t)
|
||||
|
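Review bot: The udevadm hunk adds both `dev_getattr_all_chr_files(udevadm_t)` and `storage_getattr_fixed_disk_dev(udevadm_t)`, and this commit extends the latter to cover `fixed_disk_device_t:chr_file` getattr, so one of the two is redundant for disk nodes; if the all-character-files grant was added only for disk device nodes, the storage interface alone is the narrower choice. A comment on `dev_read_urand(udevadm_t)` and `files_read_usr_files(udevadm_t)` saying which udevadm subcommand needs them would help the next reader. The second `fs_getattr_xattr_fs(udevadm_t)` in this hunk is presumably the removed copy of a moved line, which the page does not mark.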
@ -1915,6 +1915,25 @@ interface(`userdom_manage_user_home_dirs',`
|
||||
allow $1 user_home_dir_t:dir manage_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to manage user
|
||||
## home directories.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain to not audit.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`userdom_dontaudit_manage_user_home_dirs',`
|
||||
gen_require(`
|
||||
type user_home_dir_t;
|
||||
')
|
||||
|
||||
dontaudit $1 user_home_dir_t:dir manage_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Relabel to user home directories.
|
||||
|