2019-01-02 08:41:00

by Russell Coker

Subject: [PATCH misc 1/3] backup boinc fetchmail, gdomap jabber mon syncthing ssh and login

Lots of little things that are self-explanatory.

Boinc has some unusual stuff for lsb_release -a and for mmapping ld.so.cache.

Remove obsolete policy from syncthing as we have it in
sysnet_dns_name_resolve().

Index: refpolicy-2.20180701/policy/modules/admin/backup.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/admin/backup.te
+++ refpolicy-2.20180701/policy/modules/admin/backup.te
@@ -65,6 +65,8 @@ auth_read_shadow(backup_t)

logging_send_syslog_msg(backup_t)

+miscfiles_read_localization(backup_t)
+
sysnet_read_config(backup_t)

userdom_use_user_terminals(backup_t)
Index: refpolicy-2.20180701/policy/modules/services/boinc.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/boinc.te
+++ refpolicy-2.20180701/policy/modules/services/boinc.te
@@ -47,7 +47,7 @@ files_tmp_file(boinc_project_tmp_t)
# Local policy
#

-allow boinc_t self:process { setsched setpgid signull sigkill };
+allow boinc_t self:process { setsched setpgid signull sigkill signal };
allow boinc_t self:unix_stream_socket { accept listen };
allow boinc_t self:tcp_socket { accept listen };
allow boinc_t self:shm create_shm_perms;
@@ -80,12 +80,15 @@ logging_log_filetrans(boinc_t, boinc_log

can_exec(boinc_t, boinc_var_lib_t)
libs_exec_lib_files(boinc_t)
+# for mmap of ld.so.cache
+libs_legacy_use_ld_so(boinc_t)

domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t)

kernel_read_system_state(boinc_t)
kernel_search_vm_sysctl(boinc_t)
kernel_read_crypto_sysctls(boinc_t)
+kernel_read_kernel_sysctls(boinc_t)

corenet_all_recvfrom_unlabeled(boinc_t)
corenet_all_recvfrom_netlabel(boinc_t)
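Review bot: The `kernel_read_kernel_sysctls(boinc_t)` line is added without the `# for …` comment that the neighbouring `libs_legacy_use_ld_so` addition gets, so the reason for opening /proc/sys/kernel reads to the client is lost. A one-line `# for <tool or denial that needs it>` above it would let a later maintainer retire the rule. On the ld.so line, `libs_legacy_use_ld_so` is the legacy variant, which as far as I recall also permits executable mapping of ld.so.cache rather than plain read/map; the comment should name the exact denied permission so the access can be narrowed once the client no longer needs the legacy behaviour.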
@@ -142,6 +145,7 @@ init_read_utmp(boinc_t)
logging_send_syslog_msg(boinc_t)

miscfiles_read_fonts(boinc_t)
+miscfiles_read_generic_certs(boinc_t)
miscfiles_read_localization(boinc_t)

tunable_policy(`boinc_execmem',`
@@ -169,7 +173,7 @@ optional_policy(`
#

allow boinc_project_t self:capability { setgid setuid };
-allow boinc_project_t self:process { execmem execstack noatsecure ptrace setcap getcap setpgid setsched signal_perms };
+allow boinc_project_t self:process { execmem execstack noatsecure ptrace setcap getcap setpgid setsched signal signal_perms };

manage_dirs_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
manage_files_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
@@ -210,5 +214,18 @@ term_getattr_generic_ptys(boinc_t)
userdom_getattr_user_ttys(boinc_t)

optional_policy(`
+ # for lsb_release -a
+ apt_read_cache(boinc_t)
+ apt_read_db(boinc_t)
+ dpkg_exec(boinc_t)
+ dpkg_read_db(boinc_t)
+
+ apt_read_cache(boinc_project_t)
+ apt_read_db(boinc_project_t)
+ dpkg_exec(boinc_project_t)
+ dpkg_read_db(boinc_project_t)
+')
+
+optional_policy(`
java_exec(boinc_project_t)
')
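Review bot: The new `optional_policy()` block mixes interfaces from two modules, `apt_*` and `dpkg_*`; refpolicy style keeps one module per optional block so each stays correct when only one of the modules is loaded, so this should become an apt block and a dpkg block, each covering both domains and each carrying the `# for lsb_release -a` comment. Separately, `boinc_project_t` runs downloaded project applications with execmem/execstack (see the previous hunk), so `dpkg_exec` plus the apt/dpkg database reads for that domain let any project binary run dpkg and enumerate the installed package set. If only the client invokes `lsb_release`, the `boinc_project_t` half can be dropped; if the project domain really needs it, the comment should say why.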
Index: refpolicy-2.20180701/policy/modules/services/fetchmail.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/fetchmail.te
+++ refpolicy-2.20180701/policy/modules/services/fetchmail.te
@@ -78,6 +78,7 @@ dev_read_rand(fetchmail_t)
dev_read_urand(fetchmail_t)

files_read_etc_runtime_files(fetchmail_t)
+files_read_usr_files(fetchmail_t)
files_search_tmp(fetchmail_t)
files_dontaudit_search_home(fetchmail_t)

Index: refpolicy-2.20180701/policy/modules/services/gdomap.fc
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/gdomap.fc
+++ refpolicy-2.20180701/policy/modules/services/gdomap.fc
@@ -5,3 +5,4 @@
/usr/bin/gdomap -- gen_context(system_u:object_r:gdomap_exec_t,s0)

/run/gdomap\.pid -- gen_context(system_u:object_r:gdomap_var_run_t,s0)
+/run/gdomap(/.*)? gen_context(system_u:object_r:gdomap_var_run_t,s0)
Index: refpolicy-2.20180701/policy/modules/services/gdomap.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/gdomap.te
+++ refpolicy-2.20180701/policy/modules/services/gdomap.te
@@ -27,6 +27,8 @@ allow gdomap_t self:capability { net_bin
allow gdomap_t self:tcp_socket { listen accept };

allow gdomap_t gdomap_var_run_t:file manage_file_perms;
+# gdomap_var_run_t dir is for chroot
+allow gdomap_t gdomap_var_run_t:dir search;
files_pid_filetrans(gdomap_t, gdomap_var_run_t, file, "gdomap.pid")

corenet_sendrecv_gdomap_server_packets(gdomap_t)
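Review bot: Only `search` on the `gdomap_var_run_t` directory is granted, and no `dir` filetrans or create permission accompanies the new `/run/gdomap(/.*)?` context in gdomap.fc, so the policy relies on the directory being created and labelled by something outside gdomap_t (packaging or tmpfiles, presumably). Recording that in the comment, e.g. `# gdomap_var_run_t dir is the chroot target; created and labelled outside gdomap_t`, would stop the next reader from adding create/write on the chroot directory, which a chroot target should not have from the confined domain.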
@@ -44,3 +46,5 @@ files_search_tmp(gdomap_t)
auth_use_nsswitch(gdomap_t)

logging_send_syslog_msg(gdomap_t)
+
+miscfiles_read_localization(gdomap_t)
Index: refpolicy-2.20180701/policy/modules/services/jabber.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/jabber.te
+++ refpolicy-2.20180701/policy/modules/services/jabber.te
@@ -38,6 +38,7 @@ allow jabberd_domain self:fifo_file rw_f
allow jabberd_domain self:tcp_socket { accept listen };

manage_files_pattern(jabberd_domain, jabberd_var_lib_t, jabberd_var_lib_t)
+allow jabberd_domain jabberd_var_lib_t:dir manage_dir_perms;

kernel_read_system_state(jabberd_domain)

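Review bot: `allow jabberd_domain jabberd_var_lib_t:dir manage_dir_perms;` is a raw allow placed directly under a pattern macro; the idiomatic form matching the line above is `manage_dirs_pattern(jabberd_domain, jabberd_var_lib_t, jabberd_var_lib_t)`, which grants the same access when container and content are the same type. Keeping both var_lib rules as patterns makes the block uniform and greppable.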
@@ -46,6 +47,7 @@ corenet_all_recvfrom_netlabel(jabberd_do
corenet_tcp_sendrecv_generic_if(jabberd_domain)
corenet_tcp_sendrecv_generic_node(jabberd_domain)
corenet_tcp_bind_generic_node(jabberd_domain)
+corenet_udp_bind_generic_node(jabberd_domain)

dev_read_urand(jabberd_domain)
dev_read_sysfs(jabberd_domain)
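Review bot: `corenet_udp_bind_generic_node(jabberd_domain)` adds node binding for UDP, but no `self:udp_socket` rule or UDP port bind interface is visible in this hunk, and the `self:tcp_socket` rule at the top of the previous hunk suggests the domain was TCP-only so far. If the matching `allow jabberd_domain self:udp_socket …` and port permission exist elsewhere in the file, a `# for …` comment naming the component that binds UDP would tie them together; if they do not, the bind will still be denied.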
Index: refpolicy-2.20180701/policy/modules/services/mon.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/mon.te
+++ refpolicy-2.20180701/policy/modules/services/mon.te
@@ -161,6 +161,7 @@ optional_policy(`

allow mon_local_test_t self:capability sys_admin;
allow mon_local_test_t self:fifo_file rw_file_perms;
+allow mon_local_test_t self:process getsched;

can_exec(mon_local_test_t, mon_local_test_exec_t)

@@ -168,6 +169,8 @@ manage_files_pattern(mon_local_test_t, m

kernel_dontaudit_getattr_core_if(mon_local_test_t)
kernel_getattr_proc(mon_local_test_t)
+# for ps
+kernel_read_kernel_sysctls(mon_local_test_t)
kernel_read_software_raid_state(mon_local_test_t)
kernel_read_system_state(mon_local_test_t)

@@ -207,6 +210,7 @@ init_getattr_initctl(mon_local_test_t)

logging_send_syslog_msg(mon_local_test_t)

+miscfiles_read_generic_certs(mon_t)
miscfiles_read_localization(mon_local_test_t)

sysnet_read_config(mon_local_test_t)
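Review bot: `miscfiles_read_generic_certs(mon_t)` is inserted into the `mon_local_test_t` block — every surrounding line and the hunk header's `init_getattr_initctl(mon_local_test_t)` belong to that domain — so either the type is a typo for `mon_local_test_t` or the line belongs in the `mon_t` local policy section earlier in the file. Please fix the type or move the line so each domain's rules stay together.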
Index: refpolicy-2.20180701/policy/modules/apps/syncthing.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/apps/syncthing.te
+++ refpolicy-2.20180701/policy/modules/apps/syncthing.te
@@ -63,7 +63,3 @@ userdom_user_content_access_template(syn

userdom_use_user_terminals(syncthing_t)

-optional_policy(`
- # temporary hack for /run/NetworkManager/resolv.conf until we make this part of sysnet_dns_name_resolve()
- networkmanager_read_pid_files(syncthing_t)
-')
Index: refpolicy-2.20180701/policy/modules/kernel/corecommands.fc
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/kernel/corecommands.fc
+++ refpolicy-2.20180701/policy/modules/kernel/corecommands.fc
@@ -181,6 +181,7 @@ ifdef(`distro_gentoo',`
/usr/lib/ConsoleKit/run-session.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/ConsoleKit/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/courier(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/crda/setregdomain -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/cups(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/cyrus/.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/cyrus-imapd/.* -- gen_context(system_u:object_r:bin_t,s0)
@@ -215,6 +216,7 @@ ifdef(`distro_gentoo',`
/usr/lib/rpm/rpmk -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/rpm/rpmq -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/rpm/rpmv -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/rsyslog/rsyslog-rotate -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/selinux/hll/pp -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
@@ -319,6 +321,7 @@ ifdef(`distro_gentoo',`
/usr/share/sandbox/sandboxX.sh -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/sectool/.*\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/smartmontools/.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0)
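Review bot: `/usr/share/smartmontools/.* -- gen_context(system_u:object_r:bin_t,s0)` labels every regular file under that directory as executable content, whereas the neighbouring entries name a specific script or a scripts subdirectory. If the directory also holds non-script data on some distributions, narrowing the pattern to the actual helper scripts would avoid labelling data as bin_t; otherwise a short comment stating that everything there is a script would justify the wildcard.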
Index: refpolicy-2.20180701/policy/modules/services/ssh.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/ssh.te
+++ refpolicy-2.20180701/policy/modules/services/ssh.te
@@ -248,6 +248,9 @@ optional_policy(`
# sshd_t is the domain for the sshd program.
#

+# for /run/user/UID/bus access, probably pam_systemd.so
+allow sshd_t self:capability dac_read_search;
+
# so a tunnel can point to another ssh tunnel
allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
allow sshd_t self:key { search link write };
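Review bot: The new `allow sshd_t self:capability dac_read_search;` is justified by a comment that says `probably pam_systemd.so`, so a capability that bypasses directory read and search permission checks is being granted on a guess. Confirm from the audit record which path and which PAM module trigger it and put that in the comment; if login works without it because the access is only a probe, `dontaudit sshd_t self:capability dac_read_search;` is the conservative choice for an unexplained capability request.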
Index: refpolicy-2.20180701/policy/modules/system/authlogin.if
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/authlogin.if
+++ refpolicy-2.20180701/policy/modules/system/authlogin.if
@@ -823,6 +823,25 @@ interface(`auth_append_lastlog',`

#######################################
## <summary>
+## relabel the last logins log.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`auth_relabel_lastlog',`
+ gen_require(`
+ type lastlog_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 lastlog_t:file { relabelfrom relabelto };
+')
+
+#######################################
+## <summary>
## Read and write to the last logins log.
## </summary>
## <param name="domain">
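Review bot: The summary `## relabel the last logins log.` is lowercase while the neighbouring interface summaries start with a capital (`## Read and write to the last logins log.`); make it `## Relabel the last logins log.`. The permission set `{ relabelfrom relabelto }` is spelled out by hand where refpolicy provides `relabel_file_perms`, which also includes the getattr that relabelling tools need: `allow $1 lastlog_t:file relabel_file_perms;`.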
@@ -841,6 +860,25 @@ interface(`auth_rw_lastlog',`
')

########################################
+## <summary>
+## Manage the last logins log.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`auth_manage_lastlog',`
+ gen_require(`
+ type lastlog_t;
+ ')
+
+ allow $1 lastlog_t:file { relabelfrom relabelto manage_file_perms };
+ logging_rw_generic_log_dirs($1)
+')
+
+########################################
## <summary>
## Execute pam programs in the pam domain.
## </summary>
Index: refpolicy-2.20180701/policy/modules/system/locallogin.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/locallogin.te
+++ refpolicy-2.20180701/policy/modules/system/locallogin.te
@@ -34,7 +34,7 @@ role system_r types sulogin_t;

allow local_login_t self:capability { chown dac_read_search dac_override fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config };
dontaudit local_login_t self:capability net_admin;
-allow local_login_t self:process { setexec setrlimit setsched };
+allow local_login_t self:process { getcap setcap setexec setrlimit setsched };
allow local_login_t self:fd use;
allow local_login_t self:fifo_file rw_fifo_file_perms;
allow local_login_t self:sock_file read_sock_file_perms;
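Review bot: `getcap setcap` are added to the `local_login_t self:process` set without a comment saying which component manipulates the process capability set, unlike the explained additions elsewhere in this patch. A one-line `# for …` comment above the rule, naming the PAM module or binary that needed it, would document why the login program changes its own capabilities.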
@@ -127,6 +127,7 @@ init_dontaudit_use_fds(local_login_t)

miscfiles_read_localization(local_login_t)

+userdom_manage_all_users_keys(local_login_t)
userdom_spec_domtrans_all_users(local_login_t)
userdom_signal_all_users(local_login_t)
userdom_search_user_home_content(local_login_t)
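Review bot: `userdom_manage_all_users_keys(local_login_t)` grants the login domain manage access to every user's kernel keyrings — as I read userdom.if that includes reading key payloads as well as creating, linking and writing — and it arrives without a comment. If the need is session keyring setup at login (pam_keyinit would be my guess), say so on the line above and check whether a narrower keys interface in userdom.if covers it; read of other users' keys from the login domain is the part worth justifying explicitly.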


2019-01-03 00:27:51

by Chris PeBenito

Subject: Re: [PATCH misc 1/3] backup boinc fetchmail, gdomap jabber mon syncthing ssh and login

On 1/2/19 3:40 AM, Russell Coker wrote:
> Lots of little things that are self-explanatory.
>
> Boinc has some unusual stuff for lsb_release -a and for mmaping ld.so.cache.
>
> Remove obsolete policy from syncthing as we have it in
> sysnet_dns_name_resolve().
>

[...]
> Index: refpolicy-2.20180701/policy/modules/services/boinc.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/boinc.te
> +++ refpolicy-2.20180701/policy/modules/services/boinc.te
[...]

> @@ -169,7 +173,7 @@ optional_policy(`
> #
>
> allow boinc_project_t self:capability { setgid setuid };
> -allow boinc_project_t self:process { execmem execstack noatsecure ptrace setcap getcap setpgid setsched signal_perms };
> +allow boinc_project_t self:process { execmem execstack noatsecure ptrace setcap getcap setpgid setsched signal signal_perms };

This change shouldn't be necessary since signal is already in signal_perms.

[...]

> --- refpolicy-2.20180701.orig/policy/modules/system/authlogin.if
> +++ refpolicy-2.20180701/policy/modules/system/authlogin.if
> @@ -823,6 +823,25 @@ interface(`auth_append_lastlog',`
>
> #######################################
> ## <summary>
> +## relabel the last logins log.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`auth_relabel_lastlog',`
> + gen_require(`
> + type lastlog_t;
> + ')
> +
> + logging_search_logs($1)
> + allow $1 lastlog_t:file { relabelfrom relabelto };
> +')
> +
> +#######################################
> +## <summary>
> ## Read and write to the last logins log.
> ## </summary>
> ## <param name="domain">
> @@ -841,6 +860,25 @@ interface(`auth_rw_lastlog',`
> ')
>
> ########################################
> +## <summary>
> +## Manage the last logins log.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`auth_manage_lastlog',`
> + gen_require(`
> + type lastlog_t;
> + ')
> +
> + allow $1 lastlog_t:file { relabelfrom relabelto manage_file_perms };

The relabel perms shouldn't be in here. I'd say split it into a new
interface, but you're adding the other interface earlier in the patch.




--
Chris PeBenito

2019-01-03 01:27:22

by Russell Coker

Subject: Re: [PATCH misc 1/3] backup boinc fetchmail, gdomap jabber mon syncthing ssh and login

Would you like me to resubmit those patches or would you rather just add them
with the changes you suggest?

On Thursday, 3 January 2019 10:52:55 AM AEDT Chris PeBenito wrote:
> On 1/2/19 3:40 AM, Russell Coker wrote:
> > Lots of little things that are self-explanatory.
> >
> > Boinc has some unusual stuff for lsb_release -a and for mmaping
> > ld.so.cache.
> >
> > Remove obsolete policy from syncthing as we have it in
> > sysnet_dns_name_resolve().
>
> [...]
>
> > Index: refpolicy-2.20180701/policy/modules/services/boinc.te
> > ===================================================================
> > --- refpolicy-2.20180701.orig/policy/modules/services/boinc.te
> > +++ refpolicy-2.20180701/policy/modules/services/boinc.te
>
> [...]
>
> > @@ -169,7 +173,7 @@ optional_policy(`
> >
> > #
> >
> > allow boinc_project_t self:capability { setgid setuid };
> >
> > -allow boinc_project_t self:process { execmem execstack noatsecure ptrace
> > setcap getcap setpgid setsched signal_perms }; +allow boinc_project_t
> > self:process { execmem execstack noatsecure ptrace setcap getcap setpgid
> > setsched signal signal_perms };
> This change shouldn't be necessary since signal is already in signal_perms.
>
> [...]
>
> > --- refpolicy-2.20180701.orig/policy/modules/system/authlogin.if
> > +++ refpolicy-2.20180701/policy/modules/system/authlogin.if
> > @@ -823,6 +823,25 @@ interface(`auth_append_lastlog',`
> >
> > #######################################
> > ## <summary>
> >
> > +## relabel the last logins log.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`auth_relabel_lastlog',`
> > + gen_require(`
> > + type lastlog_t;
> > + ')
> > +
> > + logging_search_logs($1)
> > + allow $1 lastlog_t:file { relabelfrom relabelto };
> > +')
> > +
> > +#######################################
> > +## <summary>
> >
> > ## Read and write to the last logins log.
> > ## </summary>
> > ## <param name="domain">
> >
> > @@ -841,6 +860,25 @@ interface(`auth_rw_lastlog',`
> >
> > ')
> >
> > ########################################
> >
> > +## <summary>
> > +## Manage the last logins log.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`auth_manage_lastlog',`
> > + gen_require(`
> > + type lastlog_t;
> > + ')
> > +
> > + allow $1 lastlog_t:file { relabelfrom relabelto manage_file_perms };
>
> The relabel perms shouldn't be in here. I'd say split it into a new
> interface, but you're adding the other interface earlier in the patch.


--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/


2019-01-03 23:15:16

by Chris PeBenito

Subject: Re: [PATCH misc 1/3] backup boinc fetchmail, gdomap jabber mon syncthing ssh and login

On 1/2/19 8:27 PM, Russell Coker wrote:
> Would you like me to resubmit those patches or would you rather just add them
> with the changes you suggest?

My preference in this case would be resubmit.


> On Thursday, 3 January 2019 10:52:55 AM AEDT Chris PeBenito wrote:
>> On 1/2/19 3:40 AM, Russell Coker wrote:
>>> Lots of little things that are self-explanatory.
>>>
>>> Boinc has some unusual stuff for lsb_release -a and for mmaping
>>> ld.so.cache.
>>>
>>> Remove obsolete policy from syncthing as we have it in
>>> sysnet_dns_name_resolve().
>>
>> [...]
>>
>>> Index: refpolicy-2.20180701/policy/modules/services/boinc.te
>>> ===================================================================
>>> --- refpolicy-2.20180701.orig/policy/modules/services/boinc.te
>>> +++ refpolicy-2.20180701/policy/modules/services/boinc.te
>>
>> [...]
>>
>>> @@ -169,7 +173,7 @@ optional_policy(`
>>>
>>> #
>>>
>>> allow boinc_project_t self:capability { setgid setuid };
>>>
>>> -allow boinc_project_t self:process { execmem execstack noatsecure ptrace
>>> setcap getcap setpgid setsched signal_perms }; +allow boinc_project_t
>>> self:process { execmem execstack noatsecure ptrace setcap getcap setpgid
>>> setsched signal signal_perms };
>> This change shouldn't be necessary since signal is already in signal_perms.
>>
>> [...]
>>
>>> --- refpolicy-2.20180701.orig/policy/modules/system/authlogin.if
>>> +++ refpolicy-2.20180701/policy/modules/system/authlogin.if
>>> @@ -823,6 +823,25 @@ interface(`auth_append_lastlog',`
>>>
>>> #######################################
>>> ## <summary>
>>>
>>> +## relabel the last logins log.
>>> +## </summary>
>>> +## <param name="domain">
>>> +## <summary>
>>> +## Domain allowed access.
>>> +## </summary>
>>> +## </param>
>>> +#
>>> +interface(`auth_relabel_lastlog',`
>>> + gen_require(`
>>> + type lastlog_t;
>>> + ')
>>> +
>>> + logging_search_logs($1)
>>> + allow $1 lastlog_t:file { relabelfrom relabelto };
>>> +')
>>> +
>>> +#######################################
>>> +## <summary>
>>>
>>> ## Read and write to the last logins log.
>>> ## </summary>
>>> ## <param name="domain">
>>>
>>> @@ -841,6 +860,25 @@ interface(`auth_rw_lastlog',`
>>>
>>> ')
>>>
>>> ########################################
>>>
>>> +## <summary>
>>> +## Manage the last logins log.
>>> +## </summary>
>>> +## <param name="domain">
>>> +## <summary>
>>> +## Domain allowed access.
>>> +## </summary>
>>> +## </param>
>>> +#
>>> +interface(`auth_manage_lastlog',`
>>> + gen_require(`
>>> + type lastlog_t;
>>> + ')
>>> +
>>> + allow $1 lastlog_t:file { relabelfrom relabelto manage_file_perms };
>>
>> The relabel perms shouldn't be in here. I'd say split it into a new
>> interface, but you're adding the other interface earlier in the patch.
>
>


--
Chris PeBenito