Mailing List Archive

SELinux base policy 2.20120725 rev 5 in hardened-dev overlay
Hi guys,

I've pushed out a new revision on the policies to the hardened-dev overlay.
I haven't heard of any more regressions towards the 20120215 policies since
so chances are that I'll be pushing out this one to the main tree soon (as
~arch). This is also because we're moving forward a lot, and the 20120215
policies are more than likely not that useful anymore.

In any case, here is the set of changes since the previous revision:

<no bug> Various capability updates for sanlock (backport)
<no bug> Tor reads network sysctls (backport)
<no bug> Support minimal polkit (backport)
<no bug> Allow CUPS to read crypto sysctls (backport)
<no bug> Allow wicd to execute wpa_cli within its own domain (networkmanager_t) (backport)
<no bug> Add in milter greylist enhancements (backport)
<no bug> GPG agent reads /dev/random (backport)
<no bug> Support gitolite3 (backport)
<no bug> Support LDAP-based user authentication for dovecot (backport)
<no bug> Various block_suspend fixes (backport)
<no bug> Freshclam reads system/network state (backport)
<no bug> Introduce systemtap policy (backport)
<no bug> Fix ports usage for djbdns (backport)
<no bug> Allow quota to request loading kernel modules (backport)
<no bug> Allow sasl to talk with mysql over tcp (backport)
<no bug> Introduce sensord policy (backport)
<no bug> Turn all booleans off by default (backport)
<no bug> Support loop device file context (backport)
<no bug> Mark the syslog-ng.persist file as syslogd_var_lib_t so it survives relabeling
<no bug> ConsoleKit creates /var/run/console and tagfiles
<no bug> Backport lost+found changes from refpolicy
<no bug> Set resource limits for dbus system daemon
<no bug> Allow lvm_t (cryptsetup) to request loading a crypto-related kernel module
#432990 Introduce puppet_admin and puppet_admin_puppetmaster interfaces
#431654 Allow initrc_t to create /run/nscd
#431654 Allow initrc_t to create /run/ConsoleKit
#431654 Allow sysadmin to manage ntp
#431654 Allow sysadmin to manage bind (named)
#431654 Allow sysadmin to manage openvpn
#431654 Allow initrc_t to create /run/asterisk

@Paolo, this doesn't fix the denials you notice, but I don't think those are
regressions and you're able to boot in enforcing mode, so I'm hoping the
remainder of fixes that are needed can be put in quickly (i.e. when my time
allows it to look at them :-(

The majority of changes are backports as refpolicy has seen its share of
updates (mainly due to a few Fedora/RedHat developers or contributors
gaining commit rights to the reference policy). I'm expecting quite a lot of
other changes to come up in the next few weeks, but you'll have to excuse me
for not porting them immediately back - September's a quite busy month in
real life for me.

Have fun at it!

Sven Vermeulen

Re: SELinux base policy 2.20120725 rev 5 in hardened-dev overlay
On 08/09/2012 20:14, Sven Vermeulen wrote:
> @Paolo, this doesn't fix the denials you notice, but I don't think those are
> regressions and you're able to boot in enforcing mode, so I'm hoping the
> remainder of fixes that are needed can be put in quickly (i.e. when my time
> allows it to look at them :-(

Don't worry, Sven, I saw your away status on the developers' page.

Good luck for your real life and thank you for your great work!

Paolo.