author | Daniel Burgener <dburgener@tresys.com> | 2020-01-16 08:39:36 -0500 |
---|---|---|
committer | Jason Zaman <perfinion@gentoo.org> | 2020-02-15 15:29:12 +0800 |
commit | 07e94983562c35273f46cabc5d95a39f3936a9b2 (patch) | |
tree | f19194f13701a9e00e8cd722b7af99b590888a1d | |
parent | domain, snort: Module version bump. (diff) | |
Add requires to interfaces that reference types or attributes without requiring them
Signed-off-by: Daniel Burgener <dburgener@tresys.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
-rw-r--r-- | policy/modules/apps/gnome.if | 2 | ||||
-rw-r--r-- | policy/modules/apps/mozilla.if | 4 | ||||
-rw-r--r-- | policy/modules/kernel/devices.if | 27 | ||||
-rw-r--r-- | policy/modules/kernel/files.if | 1 | ||||
-rw-r--r-- | policy/modules/kernel/kernel.if | 2 | ||||
-rw-r--r-- | policy/modules/services/kerberos.if | 2 | ||||
-rw-r--r-- | policy/modules/services/postfix.if | 3 | ||||
-rw-r--r-- | policy/modules/services/procmail.if | 2 | ||||
-rw-r--r-- | policy/modules/services/ssh.if | 3 | ||||
-rw-r--r-- | policy/modules/services/xserver.if | 3 | ||||
-rw-r--r-- | policy/modules/services/zabbix.if | 2 | ||||
-rw-r--r-- | policy/modules/system/hotplug.if | 2 | ||||
-rw-r--r-- | policy/modules/system/modutils.if | 2 | ||||
-rw-r--r-- | policy/modules/system/systemd.if | 2 | ||||
-rw-r--r-- | policy/modules/system/userdomain.if | 4 | ||||
-rw-r--r-- | policy/modules/system/xen.if | 2 |
16 files changed, 40 insertions, 23 deletions
diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if index 8b27d15a0..f1e23402e 100644 --- a/policy/modules/apps/gnome.if +++ b/policy/modules/apps/gnome.if @@ -27,7 +27,7 @@ template(`gnome_role_template',` attribute_role gconfd_roles; type gkeyringd_exec_t, gnome_keyring_home_t, gnome_keyring_tmp_t; type gconfd_t, gconfd_exec_t, gconf_tmp_t; - type gconf_home_t; + type gconf_home_t, gnome_home_t; ') ######################################## diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if index 178d68d87..be989d0f2 100644 --- a/policy/modules/apps/mozilla.if +++ b/policy/modules/apps/mozilla.if @@ -89,8 +89,8 @@ interface(`mozilla_role',` # interface(`mozilla_role_plugin',` gen_require(` - type mozilla_plugin_tmp_t, mozilla_plugin_tmpfs_t, mozilla_plugin_rw_t; - type mozilla_home_t; + type mozilla_plugin_t, mozilla_plugin_tmp_t, mozilla_plugin_tmpfs_t; + type mozilla_plugin_rw_t, mozilla_plugin_config_t, mozilla_home_t; ') mozilla_run_plugin($2, $1) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if index 8af02b55a..2afc5d561 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -1109,6 +1109,7 @@ interface(`dev_dontaudit_getattr_all_blk_files',` interface(`dev_getattr_all_chr_files',` gen_require(` attribute device_node; + type device_t; ') getattr_chr_files_pattern($1, device_t, device_node) @@ -1147,6 +1148,7 @@ interface(`dev_dontaudit_getattr_all_chr_files',` interface(`dev_setattr_all_blk_files',` gen_require(` attribute device_node; + type device_t; ') setattr_blk_files_pattern($1, device_t, device_node) @@ -1166,6 +1168,7 @@ interface(`dev_setattr_all_blk_files',` interface(`dev_setattr_all_chr_files',` gen_require(` attribute device_node; + type device_t; ') setattr_chr_files_pattern($1, device_t, device_node) 
@@ -1256,6 +1259,7 @@ interface(`dev_dontaudit_write_all_chr_files',` interface(`dev_create_all_blk_files',` gen_require(` attribute device_node; + type device_t; ') create_blk_files_pattern($1, device_t, device_node) @@ -1274,6 +1278,7 @@ interface(`dev_create_all_blk_files',` interface(`dev_create_all_chr_files',` gen_require(` attribute device_node; + type device_t; ') create_chr_files_pattern($1, device_t, device_node) @@ -1292,6 +1297,7 @@ interface(`dev_create_all_chr_files',` interface(`dev_delete_all_blk_files',` gen_require(` attribute device_node; + type device_t; ') delete_blk_files_pattern($1, device_t, device_node) @@ -1310,6 +1316,7 @@ interface(`dev_delete_all_blk_files',` interface(`dev_delete_all_chr_files',` gen_require(` attribute device_node; + type device_t; ') delete_chr_files_pattern($1, device_t, device_node) @@ -1328,6 +1335,7 @@ interface(`dev_delete_all_chr_files',` interface(`dev_rename_all_blk_files',` gen_require(` attribute device_node; + type device_t; ') rename_blk_files_pattern($1, device_t, device_node) @@ -1346,6 +1354,7 @@ interface(`dev_rename_all_blk_files',` interface(`dev_rename_all_chr_files',` gen_require(` attribute device_node; + type device_t; ') rename_chr_files_pattern($1, device_t, device_node) @@ -1364,6 +1373,7 @@ interface(`dev_rename_all_chr_files',` interface(`dev_manage_all_blk_files',` gen_require(` attribute device_node; + type device_t; ') manage_blk_files_pattern($1, device_t, device_node) @@ -1388,6 +1398,7 @@ interface(`dev_manage_all_blk_files',` interface(`dev_manage_all_chr_files',` gen_require(` attribute device_node, memory_raw_read, memory_raw_write; + type device_t; ') manage_chr_files_pattern($1, device_t, device_node) @@ -1665,7 +1676,7 @@ interface(`dev_rw_cachefiles',` # interface(`dev_rw_cardmgr',` gen_require(` - type cardmgr_dev_t; + type cardmgr_dev_t, device_t; ') rw_chr_files_pattern($1, device_t, cardmgr_dev_t) 
@@ -2220,7 +2231,7 @@ interface(`dev_dontaudit_setattr_framebuffer_dev',` # interface(`dev_read_framebuffer',` gen_require(` - type framebuf_device_t; + type framebuf_device_t, device_t; ') read_chr_files_pattern($1, device_t, framebuf_device_t) @@ -3318,7 +3329,7 @@ interface(`dev_dontaudit_getattr_nvram_dev',` # interface(`dev_rw_nvram',` gen_require(` - type nvram_device_t; + type nvram_device_t, device_t; ') rw_chr_files_pattern($1, device_t, nvram_device_t) @@ -4028,7 +4039,7 @@ interface(`dev_manage_smartcard',` # interface(`dev_mounton_sysfs',` gen_require(` - type device_t; + type sysfs_t; ') allow $1 sysfs_t:dir mounton; @@ -4488,7 +4499,7 @@ interface(`dev_write_urand',` # interface(`dev_getattr_generic_usb_dev',` gen_require(` - type usb_device_t; + type usb_device_t, device_t; ') getattr_chr_files_pattern($1, device_t, usb_device_t) @@ -4506,7 +4517,7 @@ interface(`dev_getattr_generic_usb_dev',` # interface(`dev_setattr_generic_usb_dev',` gen_require(` - type usb_device_t; + type usb_device_t, device_t; ') setattr_chr_files_pattern($1, device_t, usb_device_t) @@ -4524,7 +4535,7 @@ interface(`dev_setattr_generic_usb_dev',` # interface(`dev_read_generic_usb_dev',` gen_require(` - type usb_device_t; + type usb_device_t, device_t; ') read_chr_files_pattern($1, device_t, usb_device_t) @@ -4560,7 +4571,7 @@ interface(`dev_rw_generic_usb_dev',` # interface(`dev_relabel_generic_usb_dev',` gen_require(` - type usb_device_t; + type usb_device_t, device_t; ') relabel_chr_files_pattern($1, device_t, usb_device_t) diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index b4db9c89e..57929fb3e 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -6528,6 +6528,7 @@ interface(`files_dontaudit_getattr_all_pids',` interface(`files_dontaudit_write_all_pids',` gen_require(` attribute pidfile; + type var_run_t; ') dontaudit $1 var_run_t:lnk_file read_lnk_file_perms; 
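Review bot: `files_dontaudit_write_all_pids` is named for write access, yet the only rule visible after the newly required `var_run_t` is `dontaudit $1 var_run_t:lnk_file read_lnk_file_perms;`, a read of symlinks labelled var_run_t. Presumably this silences the symlink lookup on the way to the pid files, but nothing in the interface says so; a comment above the rule such as `# var_run_t is a symlink on the path to pid files; silence the lnk_file read` would make the intent clear to the next person who wonders why a "write" interface suppresses a read. The interface body continues past the end of the hunk, so the write-related rules it presumably carries are not visible here.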
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if index 3f0a2dbe3..5841e0d65 100644 --- a/policy/modules/kernel/kernel.if +++ b/policy/modules/kernel/kernel.if @@ -1406,7 +1406,7 @@ interface(`kernel_dontaudit_search_network_state',` # interface(`kernel_search_network_state',` gen_require(` - type proc_net_t; + type proc_t, proc_net_t; ') search_dirs_pattern($1, proc_t, proc_net_t) diff --git a/policy/modules/services/kerberos.if b/policy/modules/services/kerberos.if index d8c7cd586..ff32275dc 100644 --- a/policy/modules/services/kerberos.if +++ b/policy/modules/services/kerberos.if @@ -50,7 +50,7 @@ interface(`kerberos_domtrans_kpropd',` # interface(`kerberos_use',` gen_require(` - type krb5kdc_conf_t, krb5_host_rcache_t; + type krb5kdc_conf_t, krb5_host_rcache_t, krb5_conf_t; ') kerberos_read_config($1) diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if index 97c745ea1..93058b16e 100644 --- a/policy/modules/services/postfix.if +++ b/policy/modules/services/postfix.if @@ -64,6 +64,7 @@ template(`postfix_domain_template',` # template(`postfix_server_domain_template',` gen_require(` + type postfix_master_t; attribute postfix_server_domain, postfix_server_tmp_content; ') @@ -682,7 +683,7 @@ interface(`postfix_admin',` type postfix_initrc_exec_t, postfix_prng_t, postfix_etc_t; type postfix_data_t, postfix_runtime_t, postfix_public_t; type postfix_private_t, postfix_map_tmp_t, postfix_exec_t; - type postfix_keytab_t; + type postfix_keytab_t, postfix_t; ') allow $1 postfix_domain:process { ptrace signal_perms }; diff --git a/policy/modules/services/procmail.if b/policy/modules/services/procmail.if index 00edeab17..79dc66435 100644 --- a/policy/modules/services/procmail.if +++ b/policy/modules/services/procmail.if 
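Review bot: In `postfix_server_domain_template` the new `type postfix_master_t;` line is inserted above the existing `attribute postfix_server_domain, postfix_server_tmp_content;` line, whereas every devices.if hunk in this same commit appends `type device_t;` after the `attribute device_node;` line. The two orderings are functionally equivalent, but since this commit touches sixteen files it would be cleaner to pick one placement and use it throughout; moving the line to follow the attribute declaration matches the majority of the hunks. The template body continues beyond the hunk.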
@@ -90,7 +90,7 @@ interface(`procmail_read_home_files',` # interface(`procmail_relabel_home_files',` gen_require(` - type ppp_home_t; + type ppp_home_t, procmail_home_t; ') userdom_search_user_home_dirs($1) diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if index 9bc7a8429..1cbe5eac5 100644 --- a/policy/modules/services/ssh.if +++ b/policy/modules/services/ssh.if @@ -167,6 +167,9 @@ template(`ssh_basic_client_template',` ## </param> # template(`ssh_server_template', ` + gen_require(` + type sshd_exec_t, sshd_key_t; + ') type $1_t, ssh_server; auth_login_pgm_domain($1_t) diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if index 40492ee9c..b13c913aa 100644 --- a/policy/modules/services/xserver.if +++ b/policy/modules/services/xserver.if @@ -22,6 +22,7 @@ interface(`xserver_restricted_role',` type user_fonts_t, user_fonts_cache_t, user_fonts_config_t; type iceauth_t, iceauth_exec_t, iceauth_home_t; type xauth_t, xauth_exec_t, xauth_home_t; + type xdm_t, xdm_tmp_t; ') role $1 types { xserver_t xauth_t iceauth_t }; @@ -137,7 +138,7 @@ interface(`xserver_restricted_role',` # interface(`xserver_role',` gen_require(` - type iceauth_home_t, xserver_t, xserver_tmpfs_t, xauth_home_t; + type iceauth_home_t, xserver_t, xserver_tmp_t, xserver_tmpfs_t, xauth_home_t; type user_fonts_t, user_fonts_cache_t, user_fonts_config_t; type mesa_shader_cache_t; ') diff --git a/policy/modules/services/zabbix.if b/policy/modules/services/zabbix.if index 6ad4c3919..5cc587eb2 100644 --- a/policy/modules/services/zabbix.if +++ b/policy/modules/services/zabbix.if @@ -109,7 +109,7 @@ interface(`zabbix_read_pid_files',` # interface(`zabbix_agent_tcp_connect',` gen_require(` - type zabbix_agent_t; + type zabbix_t, zabbix_agent_t; ') corenet_sendrecv_zabbix_agent_client_packets($1) diff --git a/policy/modules/system/hotplug.if b/policy/modules/system/hotplug.if index cd1783e4d..c99c17525 100644 --- a/policy/modules/system/hotplug.if 
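Review bot: `procmail_relabel_home_files` keeps `ppp_home_t` in its `gen_require` next to the newly added `procmail_home_t`, and nothing visible in this hunk references a ppp type. If the rest of the body does not use it either, the stray require should go, because a `gen_require` on a type owned by another module makes every caller of this interface fail to link unless the ppp module is also loaded; the line would then simply read `type procmail_home_t;`. The interface body continues past the end of the hunk, so confirm against the full body before removing it.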
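Review bot: The new `gen_require` block in `ssh_server_template` lists `sshd_exec_t` and `sshd_key_t` but not the `ssh_server` attribute that the very next line, `type $1_t, ssh_server;`, attaches to the new domain. If the template is only ever expanded inside ssh.te this is harmless, but the commit's stated purpose is to make every referenced symbol explicit, so adding `attribute ssh_server;` to the block keeps the template self-describing and safe for any out-of-module caller. The template body continues beyond the hunk.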
+++ b/policy/modules/system/hotplug.if @@ -34,7 +34,7 @@ interface(`hotplug_domtrans',` # interface(`hotplug_exec',` gen_require(` - type hotplug_t; + type hotplug_exec_t; ') corecmd_search_bin($1) diff --git a/policy/modules/system/modutils.if b/policy/modules/system/modutils.if index e9ee3c291..beec3112e 100644 --- a/policy/modules/system/modutils.if +++ b/policy/modules/system/modutils.if @@ -12,7 +12,7 @@ # interface(`modutils_getattr_module_deps',` gen_require(` - type modules_dep_t; + type modules_dep_t, modules_object_t; ') getattr_files_pattern($1, modules_object_t, modules_dep_t) diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if index 0fd37fe87..3ae9860c4 100644 --- a/policy/modules/system/systemd.if +++ b/policy/modules/system/systemd.if @@ -575,7 +575,7 @@ interface(`systemd_relabelto_journal_files',` # interface(`systemd_read_networkd_units',` gen_require(` - type systemd_networkd_t; + type systemd_networkd_unit_t; ') init_search_units($1) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index 5db9c15df..72cd0c3a7 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -336,7 +336,7 @@ interface(`userdom_ro_home_role',` # interface(`userdom_manage_home_role',` gen_require(` - type user_home_t, user_home_dir_t; + type user_home_t, user_home_dir_t, user_cert_t; ') ############################## @@ -2681,7 +2681,7 @@ interface(`userdom_write_user_tmp_sockets',` # interface(`userdom_list_user_tmp',` gen_require(` - type user_tmp_t; + type user_tmp_t, user_runtime_t; ') allow $1 user_tmp_t:dir list_dir_perms; diff --git a/policy/modules/system/xen.if b/policy/modules/system/xen.if index e80d3d90b..d0596ca63 100644 --- a/policy/modules/system/xen.if +++ b/policy/modules/system/xen.if 
@@ -317,7 +317,7 @@ interface(`xen_domtrans_xm',` # interface(`xen_stream_connect_xm',` gen_require(` - type xm_t; + type xm_t, xenstored_runtime_t; ') files_search_pids($1) |