Lots of little things that are self-explanatory.
Boinc has some unusual stuff for lsb_release -a and for mmaping ld.so.cache.
Remove obsolete policy from syncthing as we have it in
sysnet_dns_name_resolve().
Index: refpolicy-2.20180701/policy/modules/admin/backup.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/admin/backup.te
+++ refpolicy-2.20180701/policy/modules/admin/backup.te
@@ -65,6 +65,8 @@ auth_read_shadow(backup_t)
logging_send_syslog_msg(backup_t)
+miscfiles_read_localization(backup_t)
+
sysnet_read_config(backup_t)
userdom_use_user_terminals(backup_t)
Index: refpolicy-2.20180701/policy/modules/services/boinc.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/boinc.te
+++ refpolicy-2.20180701/policy/modules/services/boinc.te
@@ -47,7 +47,7 @@ files_tmp_file(boinc_project_tmp_t)
# Local policy
#
-allow boinc_t self:process { setsched setpgid signull sigkill };
+allow boinc_t self:process { setsched setpgid signull sigkill signal };
allow boinc_t self:unix_stream_socket { accept listen };
allow boinc_t self:tcp_socket { accept listen };
allow boinc_t self:shm create_shm_perms;
@@ -80,12 +80,15 @@ logging_log_filetrans(boinc_t, boinc_log
can_exec(boinc_t, boinc_var_lib_t)
libs_exec_lib_files(boinc_t)
+# for mmap of ld.so.cache
+libs_legacy_use_ld_so(boinc_t)
domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t)
kernel_read_system_state(boinc_t)
kernel_search_vm_sysctl(boinc_t)
kernel_read_crypto_sysctls(boinc_t)
+kernel_read_kernel_sysctls(boinc_t)
corenet_all_recvfrom_unlabeled(boinc_t)
corenet_all_recvfrom_netlabel(boinc_t)
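Review bot: The comment above `libs_legacy_use_ld_so(boinc_t)` says the call is for mmap of ld.so.cache, but the interface name indicates a legacy-loader grant broader than a `map` permission on the cache file, and its body is not visible here, so confirm which rule inside it actually clears the denial. If only `map` on ld_so_cache_t is missing, the fix belongs in the generic ld.so interface every domain already uses rather than a per-domain legacy interface, so boinc_t does not pick up unrelated permissions. If the legacy interface really is required, the comment should say why the generic one is insufficient, e.g. `# generic ld.so interface lacks the permission boinc needs on ld.so.cache (<DENIAL>); legacy interface required`.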
@@ -142,6 +145,7 @@ init_read_utmp(boinc_t)
logging_send_syslog_msg(boinc_t)
miscfiles_read_fonts(boinc_t)
+miscfiles_read_generic_certs(boinc_t)
miscfiles_read_localization(boinc_t)
tunable_policy(`boinc_execmem',`
@@ -169,7 +173,7 @@ optional_policy(`
#
allow boinc_project_t self:capability { setgid setuid };
-allow boinc_project_t self:process { execmem execstack noatsecure ptrace setcap getcap setpgid setsched signal_perms };
+allow boinc_project_t self:process { execmem execstack noatsecure ptrace setcap getcap setpgid setsched signal signal_perms };
manage_dirs_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
manage_files_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
@@ -210,5 +214,18 @@ term_getattr_generic_ptys(boinc_t)
userdom_getattr_user_ttys(boinc_t)
optional_policy(`
+ # for lsb_release -a
+ apt_read_cache(boinc_t)
+ apt_read_db(boinc_t)
+ dpkg_exec(boinc_t)
+ dpkg_read_db(boinc_t)
+
+ apt_read_cache(boinc_project_t)
+ apt_read_db(boinc_project_t)
+ dpkg_exec(boinc_project_t)
+ dpkg_read_db(boinc_project_t)
+')
+
+optional_policy(`
java_exec(boinc_project_t)
')
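Review bot: The new `optional_policy` block mixes interfaces from two modules, apt (`apt_read_cache`, `apt_read_db`) and dpkg (`dpkg_exec`, `dpkg_read_db`); refpolicy keeps one module per `optional_policy` block so the rules remain usable when only one module is loaded, so this should be split into an apt block and a dpkg block. The `# for lsb_release -a` comment explains the boinc_t rules, but the same rules are also given to boinc_project_t, which runs downloaded project code with execmem/execstack per the `allow boinc_project_t self:process` line earlier in the patch. If project applications do not themselves run lsb_release, dropping the boinc_project_t half keeps the package inventory and dpkg execution out of that domain; if they do, a comment should say so.
```selinux
optional_policy(`
	# for lsb_release -a
	apt_read_cache(boinc_t)
	apt_read_db(boinc_t)
')

optional_policy(`
	# for lsb_release -a
	dpkg_exec(boinc_t)
	dpkg_read_db(boinc_t)
')
# … boinc_project_t rules, if still required, split the same way …
```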
Index: refpolicy-2.20180701/policy/modules/services/fetchmail.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/fetchmail.te
+++ refpolicy-2.20180701/policy/modules/services/fetchmail.te
@@ -78,6 +78,7 @@ dev_read_rand(fetchmail_t)
dev_read_urand(fetchmail_t)
files_read_etc_runtime_files(fetchmail_t)
+files_read_usr_files(fetchmail_t)
files_search_tmp(fetchmail_t)
files_dontaudit_search_home(fetchmail_t)
Index: refpolicy-2.20180701/policy/modules/services/gdomap.fc
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/gdomap.fc
+++ refpolicy-2.20180701/policy/modules/services/gdomap.fc
@@ -5,3 +5,4 @@
/usr/bin/gdomap -- gen_context(system_u:object_r:gdomap_exec_t,s0)
/run/gdomap\.pid -- gen_context(system_u:object_r:gdomap_var_run_t,s0)
+/run/gdomap(/.*)? gen_context(system_u:object_r:gdomap_var_run_t,s0)
Index: refpolicy-2.20180701/policy/modules/services/gdomap.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/gdomap.te
+++ refpolicy-2.20180701/policy/modules/services/gdomap.te
@@ -27,6 +27,8 @@ allow gdomap_t self:capability { net_bin
allow gdomap_t self:tcp_socket { listen accept };
allow gdomap_t gdomap_var_run_t:file manage_file_perms;
+# gdomap_var_run_t dir is for chroot
+allow gdomap_t gdomap_var_run_t:dir search;
files_pid_filetrans(gdomap_t, gdomap_var_run_t, file, "gdomap.pid")
corenet_sendrecv_gdomap_server_packets(gdomap_t)
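Review bot: The comment `# gdomap_var_run_t dir is for chroot` on the new `allow gdomap_t gdomap_var_run_t:dir search;` line does not say who creates /run/gdomap or whether gdomap itself performs the chroot. If gdomap creates the directory at start-up, `search` is not enough and a `files_pid_filetrans(gdomap_t, gdomap_var_run_t, dir, "gdomap")` is needed next to the existing file transition; if an init script or tmpfiles creates it, the new gdomap.fc entry covers it. A chroot performed by gdomap_t also needs `sys_chroot` in its capability set, which is on the truncated hunk-header line and cannot be checked here. I would reword the comment to state the mechanism, e.g. `# gdomap chroots into /run/gdomap (dir created by <CREATOR>)`.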
@@ -44,3 +46,5 @@ files_search_tmp(gdomap_t)
auth_use_nsswitch(gdomap_t)
logging_send_syslog_msg(gdomap_t)
+
+miscfiles_read_localization(gdomap_t)
Index: refpolicy-2.20180701/policy/modules/services/jabber.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/jabber.te
+++ refpolicy-2.20180701/policy/modules/services/jabber.te
@@ -38,6 +38,7 @@ allow jabberd_domain self:fifo_file rw_f
allow jabberd_domain self:tcp_socket { accept listen };
manage_files_pattern(jabberd_domain, jabberd_var_lib_t, jabberd_var_lib_t)
+allow jabberd_domain jabberd_var_lib_t:dir manage_dir_perms;
kernel_read_system_state(jabberd_domain)
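Review bot: The added `allow jabberd_domain jabberd_var_lib_t:dir manage_dir_perms;` sits directly under a `manage_files_pattern()` call for the same type; for consistency with that line use the pattern macro, `manage_dirs_pattern(jabberd_domain, jabberd_var_lib_t, jabberd_var_lib_t)`. With the same type as container and target the macro grants nothing beyond the raw allow, so this is a pure style change.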
@@ -46,6 +47,7 @@ corenet_all_recvfrom_netlabel(jabberd_do
corenet_tcp_sendrecv_generic_if(jabberd_domain)
corenet_tcp_sendrecv_generic_node(jabberd_domain)
corenet_tcp_bind_generic_node(jabberd_domain)
+corenet_udp_bind_generic_node(jabberd_domain)
dev_read_urand(jabberd_domain)
dev_read_sysfs(jabberd_domain)
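Review bot: `corenet_udp_bind_generic_node(jabberd_domain)` is added without a matching UDP traffic rule; the context lines grant only the TCP `corenet_tcp_sendrecv_generic_if/node`, so unless a UDP sendrecv rule exists elsewhere in the file the bind will succeed but the socket cannot send or receive. Binding also needs a port rule: the specific `corenet_udp_bind_*_port` interface if jabberd binds a known port, or `corenet_udp_bind_generic_port` for an unreserved one. A short comment naming the protocol feature that opens the UDP socket would make the rule reviewable later.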
Index: refpolicy-2.20180701/policy/modules/services/mon.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/mon.te
+++ refpolicy-2.20180701/policy/modules/services/mon.te
@@ -161,6 +161,7 @@ optional_policy(`
allow mon_local_test_t self:capability sys_admin;
allow mon_local_test_t self:fifo_file rw_file_perms;
+allow mon_local_test_t self:process getsched;
can_exec(mon_local_test_t, mon_local_test_exec_t)
@@ -168,6 +169,8 @@ manage_files_pattern(mon_local_test_t, m
kernel_dontaudit_getattr_core_if(mon_local_test_t)
kernel_getattr_proc(mon_local_test_t)
+# for ps
+kernel_read_kernel_sysctls(mon_local_test_t)
kernel_read_software_raid_state(mon_local_test_t)
kernel_read_system_state(mon_local_test_t)
@@ -207,6 +210,7 @@ init_getattr_initctl(mon_local_test_t)
logging_send_syslog_msg(mon_local_test_t)
+miscfiles_read_generic_certs(mon_t)
miscfiles_read_localization(mon_local_test_t)
sysnet_read_config(mon_local_test_t)
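Review bot: The new `miscfiles_read_generic_certs(mon_t)` line is inserted into the mon_local_test_t local-policy block — every surrounding rule in this hunk takes mon_local_test_t — so either the domain is a typo for `miscfiles_read_generic_certs(mon_local_test_t)` or the rule belongs in the mon_t section earlier in the file. A mon_t rule left inside the mon_local_test_t block will be misread by the next maintainer; move it or correct the domain.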
Index: refpolicy-2.20180701/policy/modules/apps/syncthing.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/apps/syncthing.te
+++ refpolicy-2.20180701/policy/modules/apps/syncthing.te
@@ -63,7 +63,3 @@ userdom_user_content_access_template(syn
userdom_use_user_terminals(syncthing_t)
-optional_policy(`
- # temporary hack for /run/NetworkManager/resolv.conf until we make this part of sysnet_dns_name_resolve()
- networkmanager_read_pid_files(syncthing_t)
-')
Index: refpolicy-2.20180701/policy/modules/kernel/corecommands.fc
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/kernel/corecommands.fc
+++ refpolicy-2.20180701/policy/modules/kernel/corecommands.fc
@@ -181,6 +181,7 @@ ifdef(`distro_gentoo',`
/usr/lib/ConsoleKit/run-session.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/ConsoleKit/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/courier(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/crda/setregdomain -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/cups(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/cyrus/.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/cyrus-imapd/.* -- gen_context(system_u:object_r:bin_t,s0)
@@ -215,6 +216,7 @@ ifdef(`distro_gentoo',`
/usr/lib/rpm/rpmk -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/rpm/rpmq -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/rpm/rpmv -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/rsyslog/rsyslog-rotate -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/selinux/hll/pp -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
@@ -319,6 +321,7 @@ ifdef(`distro_gentoo',`
/usr/share/sandbox/sandboxX.sh -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/sectool/.*\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/smartmontools/.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0)
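Review bot: `/usr/share/smartmontools/.*` is the only new corecommands.fc entry whose regex has neither a `--` file-type qualifier nor the `(/.*)?` tree form used by the neighbouring smolt entry; as written it labels subdirectories as well as scripts bin_t. Use `/usr/share/smartmontools(/.*)?	gen_context(system_u:object_r:bin_t,s0)` if the whole tree is meant, or `/usr/share/smartmontools/.* --	gen_context(system_u:object_r:bin_t,s0)` if only the scripts are. The entries added in the other two corecommands.fc hunks already use `--` and need no change.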
Index: refpolicy-2.20180701/policy/modules/services/ssh.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/ssh.te
+++ refpolicy-2.20180701/policy/modules/services/ssh.te
@@ -248,6 +248,9 @@ optional_policy(`
# sshd_t is the domain for the sshd program.
#
+# for /run/user/UID/bus access, probably pam_systemd.so
+allow sshd_t self:capability dac_read_search;
+
# so a tunnel can point to another ssh tunnel
allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
allow sshd_t self:key { search link write };
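Review bot: `allow sshd_t self:capability dac_read_search;` grants a network-facing daemon a DAC read/search bypass on the strength of a comment that says "probably pam_systemd.so"; the cause should be confirmed from the audit denial before the capability is allowed. If the denial does not break login — plausible if root merely probes a user-owned 0700 /run/user/UID before dropping privileges, though I cannot verify that here — refpolicy's convention is `dontaudit sshd_t self:capability dac_read_search;` rather than allow. The existing sshd_t capability line is outside the hunk, so I cannot tell whether dac_override is already held, which would make this grant a strict subset of what sshd_t has. Either way the comment should record the verified cause, e.g. `# pam_systemd.so accesses /run/user/UID/bus as root before setuid (confirmed from audit)`.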
Index: refpolicy-2.20180701/policy/modules/system/authlogin.if
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/authlogin.if
+++ refpolicy-2.20180701/policy/modules/system/authlogin.if
@@ -823,6 +823,25 @@ interface(`auth_append_lastlog',`
#######################################
## <summary>
+## relabel the last logins log.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`auth_relabel_lastlog',`
+ gen_require(`
+ type lastlog_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 lastlog_t:file { relabelfrom relabelto };
+')
+
+#######################################
+## <summary>
## Read and write to the last logins log.
## </summary>
## <param name="domain">
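Review bot: `auth_relabel_lastlog` uses the raw `{ relabelfrom relabelto }` on lastlog_t:file; refpolicy's relabel interfaces normally use the `relabel_file_perms` set, which also carries the getattr that relabeling tools need, so `allow $1 lastlog_t:file relabel_file_perms;` is the conventional form. The summary `## relabel the last logins log.` is lowercase where the neighbouring `## Read and write to the last logins log.` is capitalised; write `## Relabel the last logins log.`.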
@@ -841,6 +860,25 @@ interface(`auth_rw_lastlog',`
')
########################################
+## <summary>
+## Manage the last logins log.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`auth_manage_lastlog',`
+ gen_require(`
+ type lastlog_t;
+ ')
+
+ allow $1 lastlog_t:file { relabelfrom relabelto manage_file_perms };
+ logging_rw_generic_log_dirs($1)
+')
+
+########################################
## <summary>
## Execute pam programs in the pam domain.
## </summary>
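Review bot: `auth_manage_lastlog` grants `manage_file_perms` on lastlog_t plus `logging_rw_generic_log_dirs($1)`, but no file transition, so a caller that creates /var/log/lastlog gets a var_log_t file that the lastlog interfaces then cannot reach. If creating the file is part of the use case, add `logging_log_filetrans($1, lastlog_t, file, "lastlog")` to the interface; if callers only ever manage an existing file, say so in the summary. The interface is complete within this hunk, ending at the `')` before the `Execute pam programs` comment block.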
Index: refpolicy-2.20180701/policy/modules/system/locallogin.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/locallogin.te
+++ refpolicy-2.20180701/policy/modules/system/locallogin.te
@@ -34,7 +34,7 @@ role system_r types sulogin_t;
allow local_login_t self:capability { chown dac_read_search dac_override fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config };
dontaudit local_login_t self:capability net_admin;
-allow local_login_t self:process { setexec setrlimit setsched };
+allow local_login_t self:process { getcap setcap setexec setrlimit setsched };
allow local_login_t self:fd use;
allow local_login_t self:fifo_file rw_fifo_file_perms;
allow local_login_t self:sock_file read_sock_file_perms;
@@ -127,6 +127,7 @@ init_dontaudit_use_fds(local_login_t)
miscfiles_read_localization(local_login_t)
+userdom_manage_all_users_keys(local_login_t)
userdom_spec_domtrans_all_users(local_login_t)
userdom_signal_all_users(local_login_t)
userdom_search_user_home_content(local_login_t)
On 1/2/19 3:40 AM, Russell Coker wrote:
> Lots of little things that are self-explanatory.
>
> Boinc has some unusual stuff for lsb_release -a and for mmaping ld.so.cache.
>
> Remove obsolete policy from syncthing as we have it in
> sysnet_dns_name_resolve().
>
[...]
> Index: refpolicy-2.20180701/policy/modules/services/boinc.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/boinc.te
> +++ refpolicy-2.20180701/policy/modules/services/boinc.te
[...]
> @@ -169,7 +173,7 @@ optional_policy(`
> #
>
> allow boinc_project_t self:capability { setgid setuid };
> -allow boinc_project_t self:process { execmem execstack noatsecure ptrace setcap getcap setpgid setsched signal_perms };
> +allow boinc_project_t self:process { execmem execstack noatsecure ptrace setcap getcap setpgid setsched signal signal_perms };
This change shouldn't be necessary since signal is already in signal_perms.
[...]
> --- refpolicy-2.20180701.orig/policy/modules/system/authlogin.if
> +++ refpolicy-2.20180701/policy/modules/system/authlogin.if
> @@ -823,6 +823,25 @@ interface(`auth_append_lastlog',`
>
> #######################################
> ## <summary>
> +## relabel the last logins log.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`auth_relabel_lastlog',`
> + gen_require(`
> + type lastlog_t;
> + ')
> +
> + logging_search_logs($1)
> + allow $1 lastlog_t:file { relabelfrom relabelto };
> +')
> +
> +#######################################
> +## <summary>
> ## Read and write to the last logins log.
> ## </summary>
> ## <param name="domain">
> @@ -841,6 +860,25 @@ interface(`auth_rw_lastlog',`
> ')
>
> ########################################
> +## <summary>
> +## Manage the last logins log.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`auth_manage_lastlog',`
> + gen_require(`
> + type lastlog_t;
> + ')
> +
> + allow $1 lastlog_t:file { relabelfrom relabelto manage_file_perms };
The relabel perms shouldn't be in here. I'd say split it into a new
interface, but you're adding the other interface earlier in the patch.
--
Chris PeBenito
Would you like me to resubmit those patches or would you rather just add them
with the changes you suggest?
On Thursday, 3 January 2019 10:52:55 AM AEDT Chris PeBenito wrote:
> On 1/2/19 3:40 AM, Russell Coker wrote:
> > Lots of little things that are self-explanatory.
> >
> > Boinc has some unusual stuff for lsb_release -a and for mmaping
> > ld.so.cache.
> >
> > Remove obsolete policy from syncthing as we have it in
> > sysnet_dns_name_resolve().
>
> [...]
>
> > Index: refpolicy-2.20180701/policy/modules/services/boinc.te
> > ===================================================================
> > --- refpolicy-2.20180701.orig/policy/modules/services/boinc.te
> > +++ refpolicy-2.20180701/policy/modules/services/boinc.te
>
> [...]
>
> > @@ -169,7 +173,7 @@ optional_policy(`
> >
> > #
> >
> > allow boinc_project_t self:capability { setgid setuid };
> >
> > -allow boinc_project_t self:process { execmem execstack noatsecure ptrace
> > setcap getcap setpgid setsched signal_perms }; +allow boinc_project_t
> > self:process { execmem execstack noatsecure ptrace setcap getcap setpgid
> > setsched signal signal_perms };
> This change shouldn't be necessary since signal is already in signal_perms.
>
> [...]
>
> > --- refpolicy-2.20180701.orig/policy/modules/system/authlogin.if
> > +++ refpolicy-2.20180701/policy/modules/system/authlogin.if
> > @@ -823,6 +823,25 @@ interface(`auth_append_lastlog',`
> >
> > #######################################
> > ## <summary>
> >
> > +## relabel the last logins log.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`auth_relabel_lastlog',`
> > + gen_require(`
> > + type lastlog_t;
> > + ')
> > +
> > + logging_search_logs($1)
> > + allow $1 lastlog_t:file { relabelfrom relabelto };
> > +')
> > +
> > +#######################################
> > +## <summary>
> >
> > ## Read and write to the last logins log.
> > ## </summary>
> > ## <param name="domain">
> >
> > @@ -841,6 +860,25 @@ interface(`auth_rw_lastlog',`
> >
> > ')
> >
> > ########################################
> >
> > +## <summary>
> > +## Manage the last logins log.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`auth_manage_lastlog',`
> > + gen_require(`
> > + type lastlog_t;
> > + ')
> > +
> > + allow $1 lastlog_t:file { relabelfrom relabelto manage_file_perms };
>
> The relabel perms shouldn't be in here. I'd say split it into a new
> interface, but you're adding the other interface earlier in the patch.
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
On 1/2/19 8:27 PM, Russell Coker wrote:
> Would you like me to resubmit those patches or would you rather just add them
> with the changes you suggest?
My preference in this case would be resubmit.
> On Thursday, 3 January 2019 10:52:55 AM AEDT Chris PeBenito wrote:
>> On 1/2/19 3:40 AM, Russell Coker wrote:
>>> Lots of little things that are self-explanatory.
>>>
>>> Boinc has some unusual stuff for lsb_release -a and for mmaping
>>> ld.so.cache.
>>>
>>> Remove obsolete policy from syncthing as we have it in
>>> sysnet_dns_name_resolve().
>>
>> [...]
>>
>>> Index: refpolicy-2.20180701/policy/modules/services/boinc.te
>>> ===================================================================
>>> --- refpolicy-2.20180701.orig/policy/modules/services/boinc.te
>>> +++ refpolicy-2.20180701/policy/modules/services/boinc.te
>>
>> [...]
>>
>>> @@ -169,7 +173,7 @@ optional_policy(`
>>>
>>> #
>>>
>>> allow boinc_project_t self:capability { setgid setuid };
>>>
>>> -allow boinc_project_t self:process { execmem execstack noatsecure ptrace
>>> setcap getcap setpgid setsched signal_perms }; +allow boinc_project_t
>>> self:process { execmem execstack noatsecure ptrace setcap getcap setpgid
>>> setsched signal signal_perms };
>> This change shouldn't be necessary since signal is already in signal_perms.
>>
>> [...]
>>
>>> --- refpolicy-2.20180701.orig/policy/modules/system/authlogin.if
>>> +++ refpolicy-2.20180701/policy/modules/system/authlogin.if
>>> @@ -823,6 +823,25 @@ interface(`auth_append_lastlog',`
>>>
>>> #######################################
>>> ## <summary>
>>>
>>> +## relabel the last logins log.
>>> +## </summary>
>>> +## <param name="domain">
>>> +## <summary>
>>> +## Domain allowed access.
>>> +## </summary>
>>> +## </param>
>>> +#
>>> +interface(`auth_relabel_lastlog',`
>>> + gen_require(`
>>> + type lastlog_t;
>>> + ')
>>> +
>>> + logging_search_logs($1)
>>> + allow $1 lastlog_t:file { relabelfrom relabelto };
>>> +')
>>> +
>>> +#######################################
>>> +## <summary>
>>>
>>> ## Read and write to the last logins log.
>>> ## </summary>
>>> ## <param name="domain">
>>>
>>> @@ -841,6 +860,25 @@ interface(`auth_rw_lastlog',`
>>>
>>> ')
>>>
>>> ########################################
>>>
>>> +## <summary>
>>> +## Manage the last logins log.
>>> +## </summary>
>>> +## <param name="domain">
>>> +## <summary>
>>> +## Domain allowed access.
>>> +## </summary>
>>> +## </param>
>>> +#
>>> +interface(`auth_manage_lastlog',`
>>> + gen_require(`
>>> + type lastlog_t;
>>> + ')
>>> +
>>> + allow $1 lastlog_t:file { relabelfrom relabelto manage_file_perms };
>>
>> The relabel perms shouldn't be in here. I'd say split it into a new
>> interface, but you're adding the other interface earlier in the patch.
>
>
--
Chris PeBenito