diff options
| author |   Russell Coker <russell@coker.com.au> | 2019-01-22 09:59:28 +1100 |
|---|---|---|
| committer |   Jason Zaman <jason@perfinion.com> | 2019-02-10 12:11:25 +0800 |
| commit | 7e98d45beed0c075f20edc80b4a8a700f27d3cdd (patch) | |
| tree | d3681328cbe3aa4d9f9050820e7526940aa7416a | |
| parent | dpkg: Move interface implementations. (diff) | |
| download | hardened-refpolicy-7e98d45beed0c075f20edc80b4a8a700f27d3cdd.tar.gz hardened-refpolicy-7e98d45beed0c075f20edc80b4a8a700f27d3cdd.tar.bz2 hardened-refpolicy-7e98d45beed0c075f20edc80b4a8a700f27d3cdd.zip | |
yet more tiny stuff
I think this should be self-explanatory. I've added an audit trace for the
sys_ptrace access that was previously rejected.
Here is the audit log for sys_ptrace:
type=PROCTITLE msg=audit(22/01/19 00:00:18.998:61459) : proctitle=systemctl restart cups.service
type=PATH msg=audit(22/01/19 00:00:18.998:61459) : item=0 name=/proc/1/root nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(22/01/19 00:00:18.998:61459) : cwd=/
type=SYSCALL msg=audit(22/01/19 00:00:18.998:61459) : arch=x86_64 syscall=newfstatat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x55dd7ea7a23d a2=0x7ffee0a8a1b0 a3=0x0 items=1 ppid=12745 pid=12750 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemctl exe=/bin/systemctl subj=system_u:system_r:logrotate_t:s0 key=(null)
type=AVC msg=audit(22/01/19 00:00:18.998:61459) : avc: denied { sys_ptrace } for pid=12750 comm=systemctl capability=sys_ptrace scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:system_r:logrotate_t:s0 tclass=capability permissive=0
Signed-off-by: Jason Zaman <jason@perfinion.com>
| -rw-r--r-- | policy/modules/admin/logrotate.te | 3 | ||||
| -rw-r--r-- | policy/modules/apps/gpg.te | 5 | ||||
| -rw-r--r-- | policy/modules/services/cron.te | 6 | ||||
| -rw-r--r-- | policy/modules/services/irqbalance.te | 3 | ||||
| -rw-r--r-- | policy/modules/system/init.if | 19 |
5 files changed, 29 insertions, 7 deletions
diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te index d5c300b6..f6da17d9 100644 --- a/policy/modules/admin/logrotate.te +++ b/policy/modules/admin/logrotate.te @@ -37,7 +37,8 @@ role system_r types logrotate_mail_t; # Local policy # -allow logrotate_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid sys_nice sys_resource }; +# sys_ptrace is for systemctl +allow logrotate_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid sys_ptrace sys_nice sys_resource }; # systemctl asks for net_admin dontaudit logrotate_t self:capability net_admin; allow logrotate_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setkeycreate setsockcreate getrlimit }; diff --git a/policy/modules/apps/gpg.te b/policy/modules/apps/gpg.te index b6a15158..9315f962 100644 --- a/policy/modules/apps/gpg.te +++ b/policy/modules/apps/gpg.te @@ -184,11 +184,6 @@ optional_policy(` ') optional_policy(` - cron_system_entry(gpg_t, gpg_exec_t) - cron_read_system_job_tmp_files(gpg_t) -') - -optional_policy(` xserver_use_xdm_fds(gpg_t) xserver_rw_xdm_pipes(gpg_t) ') diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te index 11c717aa..ea7a0a5c 100644 --- a/policy/modules/services/cron.te +++ b/policy/modules/services/cron.te @@ -526,6 +526,7 @@ corenet_udp_sendrecv_all_ports(system_cronjob_t) dev_getattr_all_blk_files(system_cronjob_t) dev_getattr_all_chr_files(system_cronjob_t) dev_getattr_mtrr_dev(system_cronjob_t) +dev_read_rand(system_cronjob_t) dev_read_urand(system_cronjob_t) dev_read_sysfs(system_cronjob_t) # for checkarray to write to sync_action @@ -558,6 +559,7 @@ files_read_var_lib_symlinks(system_cronjob_t) mls_file_read_to_clearance(system_cronjob_t) init_domtrans_script(system_cronjob_t) +init_read_generic_units_links(system_cronjob_t) init_read_utmp(system_cronjob_t) init_use_script_fds(system_cronjob_t) @@ -630,6 +632,10 @@ optional_policy(` ') optional_policy(` + gpg_exec(system_cronjob_t) +') + +optional_policy(` inn_manage_log(system_cronjob_t) inn_manage_pid(system_cronjob_t) inn_read_config(system_cronjob_t) diff --git a/policy/modules/services/irqbalance.te b/policy/modules/services/irqbalance.te index a659af7a..33f44a6f 100644 --- a/policy/modules/services/irqbalance.te +++ b/policy/modules/services/irqbalance.te @@ -31,7 +31,8 @@ allow irqbalance_t self:udp_socket create_socket_perms; allow irqbalance_t self:unix_stream_socket create_stream_socket_perms; manage_files_pattern(irqbalance_t, irqbalance_pid_t, irqbalance_pid_t) -files_pid_filetrans(irqbalance_t, irqbalance_pid_t, file) +manage_sock_files_pattern(irqbalance_t, irqbalance_pid_t, irqbalance_pid_t) +files_pid_filetrans(irqbalance_t, irqbalance_pid_t, { file sock_file }) kernel_read_network_state(irqbalance_t) kernel_read_system_state(irqbalance_t) diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if index 60a2ee96..3d30c0ad 100644 --- a/policy/modules/system/init.if +++ b/policy/modules/system/init.if @@ -3047,6 +3047,25 @@ interface(`init_search_units',` ######################################## ## <summary> +## Read systemd unit links +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`init_read_generic_units_links',` + gen_require(` + type systemd_unit_t; + class service status; + ') + + allow $1 systemd_unit_t:lnk_file read_lnk_file_perms; +') + +######################################## +## <summary> ## Get status of generic systemd units. ## </summary> ## <param name="domain"> |