C10s 20241023 build #2406

Merged
merged 13 commits into from
Oct 23, 2024
15 changes: 15 additions & 0 deletions policy/modules.conf
Expand Up @@ -3162,3 +3162,18 @@ nvme_stas = module
# coreos_installer
#
coreos_installer = module

# Layer: contrib
# Module: iiosensorproxy
#
# Policy for iio-sensor-proxy - IIO sensors to D-Bus proxy
#
iiosensorproxy = module

# Layer: contrib
# Module: pcm
#
# Policy for pcm - Intel(r) Performance Counter Monitor
#
#
pcm = module
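Review bot: The pcm entry closes its description with two consecutive `#` lines before `pcm = module`, whereas the iiosensorproxy entry added just above and the existing coreos_installer entry use a single trailing `#`; drop the extra line so the block matches its neighbours. Nothing else in the hunk needs changing.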
2 changes: 2 additions & 0 deletions policy/modules/admin/netutils.te
Expand Up @@ -139,6 +139,8 @@ allow ping_t self:packet_socket create_socket_perms;
allow ping_t self:netlink_route_socket create_netlink_socket_perms;
allow ping_t self:icmp_socket create_socket_perms;

kernel_read_net_sysctls(ping_t)

corenet_all_recvfrom_netlabel(ping_t)
corenet_tcp_sendrecv_generic_if(ping_t)
corenet_raw_sendrecv_generic_if(ping_t)
1 change: 1 addition & 0 deletions policy/modules/contrib/dirsrv.te
Expand Up @@ -106,6 +106,7 @@ list_dirs_pattern(dirsrv_t, dirsrv_share_t, dirsrv_share_t)
kernel_read_network_state(dirsrv_t)
kernel_read_system_state(dirsrv_t)
kernel_read_kernel_sysctls(dirsrv_t)
kernel_read_net_sysctls(dirsrv_t)
kernel_dontaudit_search_fs_sysctl(dirsrv_t)

corecmd_search_bin(dirsrv_t)
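--- a/policy/modules/contrib/iiosensorproxy.fc
+++ b/policy/modules/contrib/iiosensorproxy.fc
@@ -0,0 +1 @@
+/usr/libexec/iio-sensor-proxy -- gen_context(system_u:object_r:iiosensorproxy_exec_t,s0)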
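--- a/policy/modules/contrib/iiosensorproxy.if
+++ b/policy/modules/contrib/iiosensorproxy.if
@@ -0,0 +1,2 @@
+## <summary>IIO sensors to D-Bus proxy</summary>
+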
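--- a/policy/modules/contrib/iiosensorproxy.te
+++ b/policy/modules/contrib/iiosensorproxy.te
@@ -0,0 +1,32 @@
+policy_module(iiosensorproxy, 1.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type iiosensorproxy_t;
+type iiosensorproxy_exec_t;
+init_daemon_domain(iiosensorproxy_t, iiosensorproxy_exec_t)
+
+allow iiosensorproxy_t self:capability2 bpf;
+allow iiosensorproxy_t self:netlink_kobject_uevent_socket create_socket_perms;
+
+dev_read_sysfs(iiosensorproxy_t)
+
+optional_policy(`
+dbus_connect_system_bus(iiosensorproxy_t)
+dbus_system_bus_client(iiosensorproxy_t)
+
+optional_policy(`
+policykit_dbus_chat(iiosensorproxy_t)
+')
+
+optional_policy(`
+unconfined_dbus_chat(unconfined_t)
+')
+')
+
+optional_policy(`
+udev_read_pid_files(iiosensorproxy_t)
+')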
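Review bot: `unconfined_dbus_chat(unconfined_t)` in the nested optional_policy block appears to pass the wrong domain: every other rule in this file is written for iiosensorproxy_t and the sibling call is `policykit_dbus_chat(iiosensorproxy_t)`, so if unconfined_dbus_chat's parameter is the domain being granted D-Bus messaging with unconfined_t (its usual refpolicy shape), the line as written grants unconfined_t nothing it lacks and leaves the proxy unable to answer unconfined callers; the intended line is presumably `unconfined_dbus_chat(iiosensorproxy_t)`. Separately, `allow iiosensorproxy_t self:capability2 bpf;` is an unusual capability for a sensor proxy and carries no explanation; a why-comment naming the code path that needs it (to be confirmed against the daemon) would let a later reviewer judge whether it can be dropped. A brand-new module starting at `policy_module(iiosensorproxy, 1.1.0)` rather than 1.0 is harmless but worth a glance if versions are tracked.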
1 change: 1 addition & 0 deletions policy/modules/contrib/lldpad.te
Expand Up @@ -31,6 +31,7 @@ allow lldpad_t self:capability2 bpf;
allow lldpad_t self:shm create_shm_perms;
allow lldpad_t self:fifo_file rw_fifo_file_perms;
allow lldpad_t self:unix_stream_socket { accept connectto listen };
allow lldpad_t self:netlink_generic_socket create_socket_perms;
allow lldpad_t self:netlink_route_socket create_netlink_socket_perms;
allow lldpad_t self:packet_socket create_socket_perms;
allow lldpad_t self:tcp_socket create_socket_perms;
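--- a/policy/modules/contrib/pcm.fc
+++ b/policy/modules/contrib/pcm.fc
@@ -0,0 +1 @@
+/usr/sbin/pcm-sensor-server -- gen_context(system_u:object_r:pcmsensor_exec_t,s0)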
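--- a/policy/modules/contrib/pcm.if
+++ b/policy/modules/contrib/pcm.if
@@ -0,0 +1 @@
+## <summary>Intel Performance Counter Monitor (PCM) Sensor Service</summary>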
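--- a/policy/modules/contrib/pcm.te
+++ b/policy/modules/contrib/pcm.te
@@ -0,0 +1,23 @@
+policy_module(pcm, 1.0)
+#policy_module(pcmsensor, 1.0)
+
+########################################
+#
+# Declarations
+#
+
+type pcmsensor_t;
+type pcmsensor_exec_t;
+init_daemon_domain(pcmsensor_t, pcmsensor_exec_t)
+
+permissive pcmsensor_t;
+
+allow pcmsensor_t self:capability { sys_rawio sys_resource };
+allow pcmsensor_t self:process { ptrace setrlimit };
+
+kernel_read_proc_files(pcmsensor_t)
+kernel_read_debugfs(pcmsensor_t)
+
+dev_rw_cpu_microcode(pcmsensor_t)
+# /sys/module/msr/parameters/allow_writes
+dev_rw_sysfs(pcmsensor_t)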
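Review bot: `permissive pcmsensor_t;` makes the new domain log-only, so none of the allow rules below it are enforced, yet nothing says why or when it is to be removed; add a comment such as `# TODO: drop once pcm-sensor-server runs cleanly in enforcing mode (see <tracking issue>)` directly above it. That matters here because the domain is also granted `sys_rawio`, `dev_rw_cpu_microcode` (cpu_device_t, which in Fedora's devices.fc also covers /dev/cpu/*/msr — confirm) and `dev_rw_sysfs`, so until the permissive line goes the policy does not constrain a daemon with raw MSR access at all. The comment `# /sys/module/msr/parameters/allow_writes` sits above `dev_rw_sysfs(pcmsensor_t)`, which grants read/write to all of sysfs_t, far more than that one file; either state that the broad grant is deliberate or look for a narrower interface. `#policy_module(pcmsensor, 1.0)` is a dead leftover and should be deleted.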
1 change: 1 addition & 0 deletions policy/modules/contrib/sssd.fc
Expand Up @@ -26,6 +26,7 @@

/var/log/sssd(/.*)? gen_context(system_u:object_r:sssd_var_log_t,s0)

/run/sssd(/.*)? gen_context(system_u:object_r:sssd_var_run_t,s0)
/run/sssd.pid -- gen_context(system_u:object_r:sssd_var_run_t,s0)
/run/secrets\.socket -s gen_context(system_u:object_r:sssd_var_run_t,s0)
/run/\.heim_org\.h5l\.kcm-socket -s gen_context(system_u:object_r:sssd_var_run_t,s0)
1 change: 1 addition & 0 deletions policy/modules/contrib/sssd.te
Expand Up @@ -101,6 +101,7 @@ manage_dirs_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
manage_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
manage_sock_files_pattern(sssd_t, sssd_var_run_t, sssd_var_run_t)
files_pid_filetrans(sssd_t, sssd_var_run_t, { file dir sock_file })
allow sssd_t sssd_var_run_t:file map;

kernel_io_uring_use(sssd_t)
kernel_read_network_state(sssd_t)
2 changes: 2 additions & 0 deletions policy/modules/contrib/virt.te
Expand Up @@ -2124,6 +2124,8 @@ allow virtqemud_t virt_var_run_t:file map;
allow virtqemud_t virtlogd_t:fifo_file rw_inherited_fifo_file_perms;
allow virtqemud_t virtlogd_t:unix_stream_socket connectto;

read_files_pattern(virtqemud_t, virtd_t, virtd_t)

manage_files_pattern(virtqemud_t, virtqemud_lock_t, virtqemud_lock_t)
files_lock_filetrans(virtqemud_t, virtqemud_lock_t, file)

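Review bot: `read_files_pattern(virtqemud_t, virtd_t, virtd_t)` uses a process domain as the file type, so what it grants is read access to files labelled virtd_t — in practice virtd_t's /proc/<pid> entries rather than anything on disk — and that is not obvious from the line. A why-comment above it, e.g. `# read /proc/<pid> of virtd (status/cmdline) — confirm which entry the denial names`, would record the need and make it possible to replace the rule with a narrower one later. The surrounding virtqemud_t rule block continues past both edges of the hunk.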
1 change: 1 addition & 0 deletions policy/modules/contrib/wdmd.te
Expand Up @@ -42,6 +42,7 @@ kernel_read_system_state(wdmd_t)
corecmd_exec_bin(wdmd_t)
corecmd_exec_shell(wdmd_t)

dev_read_sysfs(wdmd_t)
dev_read_watchdog(wdmd_t)
dev_write_watchdog(wdmd_t)

1 change: 1 addition & 0 deletions policy/modules/kernel/corecommands.fc
Expand Up @@ -265,6 +265,7 @@ ifdef(`distro_gentoo',`
/usr/lib/netsaint/plugins(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/news/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/NetworkManager/nm\-.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/node_modules/npm/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/nspluginwrapper/np.* gen_context(system_u:object_r:bin_t,s0)
/usr/lib/ocf(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/portage/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
3 changes: 3 additions & 0 deletions policy/modules/kernel/files.fc
Expand Up @@ -61,6 +61,7 @@ ifdef(`distro_suse',`
/etc/securetty -- gen_context(system_u:object_r:etc_runtime_t,s0)

/etc/sysctl\.conf(\.old)? -- gen_context(system_u:object_r:system_conf_t,s0)
/etc/sysctl\.d(/.*)? gen_context(system_u:object_r:system_conf_t,s0)
/etc/sysconfig/ebtables.* -- gen_context(system_u:object_r:system_conf_t,s0)
/etc/sysconfig/ip6?tables.* -- gen_context(system_u:object_r:system_conf_t,s0)
/etc/sysconfig/ip6?tables\.save -- gen_context(system_u:object_r:system_conf_t,s0)
Expand Down Expand Up @@ -210,6 +211,8 @@ ifdef(`distro_debian',`
/run/motd\.dynamic -- gen_context(system_u:object_r:initrc_var_run_t,s0)
')

/run/sysctl\.d(/.*)? gen_context(system_u:object_r:system_conf_t,s0)

/sandbox(/.*)? gen_context(system_u:object_r:tmp_t,s0)
#
# /selinux
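Review bot: Both hunks (`/etc/sysctl\.d(/.*)?` in the first and `/run/sysctl\.d(/.*)?` in the second) relabel directories that are written at runtime as system_conf_t, but a file-context entry only takes effect on relabel; files created under /run/sysctl.d during boot will get whatever the creating domain's type transition yields (var_run_t by default) unless a matching filetrans rule for that writer is added, and none appears in this diff. The same applies to anything that drops files into /etc/sysctl.d after installation, and any domain that previously managed /etc/sysctl.d as etc_t now needs access to system_conf_t instead. Worth confirming the creating domains, or stating that a restorecon is expected to fix the labels up.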
4 changes: 4 additions & 0 deletions policy/modules/roles/unconfineduser.te
Expand Up @@ -340,6 +340,10 @@ optional_policy(`
# mock_role(unconfined_r, unconfined_t)
#')

optional_policy(`
modutils_domtrans_kmod(unconfined_t)
')

optional_policy(`
mozilla_role_plugin(unconfined_r)

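Review bot: `modutils_domtrans_kmod(unconfined_t)` sets up only the domain transition into kmod_t; unless unconfined_r is already permitted the kmod_t type (not visible in this hunk), running kmod/modprobe from an unconfined session would fail the role check at exec time, so `modutils_run_kmod(unconfined_t, unconfined_r)`, which also adds the role, may be the interface wanted here — confirm against modutils.if and the existing role rules. Either way the new block deserves a one-line comment, since it changes module loading from an unconfined shell to run confined as kmod_t. The surrounding optional_policy chain continues outside the hunk.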