Trivial stuff.
Index: refpolicy-2.20180701/policy/modules/services/networkmanager.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/networkmanager.te
+++ refpolicy-2.20180701/policy/modules/services/networkmanager.te
@@ -57,6 +57,7 @@ allow NetworkManager_t self:tcp_socket {
allow NetworkManager_t self:tun_socket { create_socket_perms relabelfrom relabelto };
allow NetworkManager_t self:packet_socket create_socket_perms;
allow NetworkManager_t self:socket create_socket_perms;
+allow NetworkManager_t self:rawip_socket { create setopt getattr write read };
allow NetworkManager_t wpa_cli_t:unix_dgram_socket sendto;
Index: refpolicy-2.20180701/policy/modules/admin/apt.fc
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/admin/apt.fc
+++ refpolicy-2.20180701/policy/modules/admin/apt.fc
@@ -1,9 +1,12 @@
/etc/cron\.daily/apt -- gen_context(system_u:object_r:apt_exec_t,s0)
-ifndef(`distro_redhat',`
+/usr/bin/apt -- gen_context(system_u:object_r:apt_exec_t,s0)
/usr/bin/apt-get -- gen_context(system_u:object_r:apt_exec_t,s0)
-/usr/bin/apt-shell -- gen_context(system_u:object_r:apt_exec_t,s0)
/usr/bin/aptitude -- gen_context(system_u:object_r:apt_exec_t,s0)
+/usr/sbin/update-apt-xapian-index -- gen_context(system_u:object_r:apt_exec_t,s0)
+
+ifndef(`distro_redhat',`
+/usr/bin/apt-shell -- gen_context(system_u:object_r:apt_exec_t,s0)
/usr/sbin/synaptic -- gen_context(system_u:object_r:apt_exec_t,s0)
/usr/lib/packagekit/packagekitd -- gen_context(system_u:object_r:apt_exec_t,s0)
/var/cache/PackageKit(/.*)? gen_context(system_u:object_r:apt_var_cache_t,s0)
Index: refpolicy-2.20180701/policy/modules/admin/bootloader.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/admin/bootloader.te
+++ refpolicy-2.20180701/policy/modules/admin/bootloader.te
@@ -95,6 +95,7 @@ mls_file_read_all_levels(bootloader_t)
mls_file_write_all_levels(bootloader_t)
term_getattr_all_ttys(bootloader_t)
+term_getattr_generic_ptys(bootloader_t)
term_dontaudit_manage_pty_dirs(bootloader_t)
corecmd_exec_all_executables(bootloader_t)
@@ -102,6 +103,7 @@ corecmd_exec_all_executables(bootloader_
domain_use_interactive_fds(bootloader_t)
files_create_boot_dirs(bootloader_t)
+files_getattr_default_dirs(bootloader_t)
files_manage_boot_files(bootloader_t)
files_manage_boot_symlinks(bootloader_t)
files_read_etc_files(bootloader_t)
@@ -118,6 +120,7 @@ files_manage_etc_runtime_files(bootloade
files_etc_filetrans_etc_runtime(bootloader_t, file)
files_dontaudit_search_home(bootloader_t)
+fs_list_hugetlbfs(bootloader_t)
fs_mount_fusefs(bootloader_t)
fs_mount_xattr_fs(bootloader_t)
fs_mounton_fusefs(bootloader_t)
@@ -172,7 +175,7 @@ ifdef(`distro_debian',`
# for apt-cache
apt_read_db(bootloader_t)
- apt_read_cache(bootloader_t)
+ apt_manage_cache(bootloader_t)
dpkg_read_db(bootloader_t)
dpkg_rw_pipes(bootloader_t)
@@ -204,6 +207,10 @@ optional_policy(`
')
optional_policy(`
+ gpm_getattr_gpmctl(bootloader_t)
+')
+
+optional_policy(`
hal_dontaudit_append_lib_files(bootloader_t)
hal_write_log(bootloader_t)
')
@@ -230,5 +237,9 @@ optional_policy(`
')
optional_policy(`
+ raid_read_mdadm_pid(bootloader_t)
+')
+
+optional_policy(`
rpm_rw_pipes(bootloader_t)
')
Index: refpolicy-2.20180701/policy/modules/admin/dpkg.if
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/admin/dpkg.if
+++ refpolicy-2.20180701/policy/modules/admin/dpkg.if
@@ -319,3 +319,21 @@ interface(`dpkg_map_script_tmp_files',`
allow $1 dpkg_script_tmp_t:file map;
')
+
+########################################
+## <summary>
+## read dpkg_script_tmp_t links
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dpkg_read_script_tmp_links',`
+ gen_require(`
+ type dpkg_script_tmp_t;
+ ')
+
+ allow $1 dpkg_script_tmp_t:lnk_file read_lnk_file_perms;
+')
Index: refpolicy-2.20180701/policy/modules/system/raid.if
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/raid.if
+++ refpolicy-2.20180701/policy/modules/system/raid.if
@@ -48,6 +48,26 @@ interface(`raid_run_mdadm',`
########################################
## <summary>
+## read mdadm pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`raid_read_mdadm_pid',`
+ gen_require(`
+ type mdadm_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 mdadm_var_run_t:dir list_dir_perms;
+ allow $1 mdadm_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
## Create, read, write, and delete
## mdadm pid files.
## </summary>
Index: refpolicy-2.20180701/policy/modules/system/modutils.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/modutils.te
+++ refpolicy-2.20180701/policy/modules/system/modutils.te
@@ -136,6 +136,7 @@ optional_policy(`
# for postinst of a new kernel package
dpkg_manage_script_tmp_files(kmod_t)
dpkg_map_script_tmp_files(kmod_t)
+ dpkg_read_script_tmp_links(kmod_t)
')
optional_policy(`
Index: refpolicy-2.20180701/policy/modules/services/tor.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/tor.te
+++ refpolicy-2.20180701/policy/modules/services/tor.te
@@ -99,6 +99,7 @@ corenet_tcp_sendrecv_all_ports(tor_t)
corenet_tcp_sendrecv_all_reserved_ports(tor_t)
dev_read_sysfs(tor_t)
+dev_read_rand(tor_t)
dev_read_urand(tor_t)
domain_use_interactive_fds(tor_t)
@@ -112,6 +113,7 @@ auth_use_nsswitch(tor_t)
logging_send_syslog_msg(tor_t)
+miscfiles_read_generic_certs(tor_t)
miscfiles_read_localization(tor_t)
tunable_policy(`tor_bind_all_unreserved_ports',`
Index: refpolicy-2.20180701/policy/modules/services/devicekit.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/devicekit.te
+++ refpolicy-2.20180701/policy/modules/services/devicekit.te
@@ -43,6 +43,7 @@ files_pid_filetrans(devicekit_t, devicek
kernel_read_system_state(devicekit_t)
dev_read_sysfs(devicekit_t)
+dev_read_rand(devicekit_t)
dev_read_urand(devicekit_t)
files_read_etc_files(devicekit_t)
Index: refpolicy-2.20180701/policy/modules/services/dictd.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/dictd.te
+++ refpolicy-2.20180701/policy/modules/services/dictd.te
@@ -74,6 +74,10 @@ miscfiles_read_localization(dictd_t)
userdom_dontaudit_use_unpriv_user_fds(dictd_t)
optional_policy(`
+ dbus_system_bus_client(dictd_t)
+')
+
+optional_policy(`
seutil_sigchld_newrole(dictd_t)
')
Index: refpolicy-2.20180701/policy/modules/services/irqbalance.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/irqbalance.te
+++ refpolicy-2.20180701/policy/modules/services/irqbalance.te
@@ -45,6 +45,7 @@ files_read_etc_runtime_files(irqbalance_
fs_getattr_all_fs(irqbalance_t)
fs_search_auto_mountpoints(irqbalance_t)
+fs_search_tmpfs(irqbalance_t)
domain_use_interactive_fds(irqbalance_t)
Index: refpolicy-2.20180701/policy/modules/services/policykit.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/policykit.te
+++ refpolicy-2.20180701/policy/modules/services/policykit.te
@@ -108,6 +108,7 @@ userdom_read_all_users_state(policykit_t
optional_policy(`
dbus_system_domain(policykit_t, policykit_exec_t)
+ init_dbus_chat(policykit_t)
userdom_dbus_send_all_users(policykit_t)
Index: refpolicy-2.20180701/policy/modules/services/postfix.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/postfix.te
+++ refpolicy-2.20180701/policy/modules/services/postfix.te
@@ -372,6 +372,10 @@ manage_dirs_pattern(postfix_bounce_t, po
manage_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
+optional_policy(`
+ init_dbus_chat(postfix_bounce_t)
+')
+
########################################
#
# Cleanup local policy
On 1/2/19 4:20 AM, Russell Coker wrote:
> Trivial stuff.
>
>
> Index: refpolicy-2.20180701/policy/modules/services/networkmanager.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/networkmanager.te
> +++ refpolicy-2.20180701/policy/modules/services/networkmanager.te
> @@ -57,6 +57,7 @@ allow NetworkManager_t self:tcp_socket {
> allow NetworkManager_t self:tun_socket { create_socket_perms relabelfrom relabelto };
> allow NetworkManager_t self:packet_socket create_socket_perms;
> allow NetworkManager_t self:socket create_socket_perms;
> +allow NetworkManager_t self:rawip_socket { create setopt getattr write read };
This seems odd. Can you provide any more details on this?
--
Chris PeBenito
On Thursday, 3 January 2019 11:14:06 AM AEDT Chris PeBenito wrote:
> On 1/2/19 4:20 AM, Russell Coker wrote:
> > Trivial stuff.
> >
> >
> > Index: refpolicy-2.20180701/policy/modules/services/networkmanager.te
> > ===================================================================
> > --- refpolicy-2.20180701.orig/policy/modules/services/networkmanager.te
> > +++ refpolicy-2.20180701/policy/modules/services/networkmanager.te
> > @@ -57,6 +57,7 @@ allow NetworkManager_t self:tcp_socket {
> >
> > allow NetworkManager_t self:tun_socket { create_socket_perms relabelfrom
> > relabelto }; allow NetworkManager_t self:packet_socket
> > create_socket_perms;
> > allow NetworkManager_t self:socket create_socket_perms;
> >
> > +allow NetworkManager_t self:rawip_socket { create setopt getattr write
> > read };
> This seems odd. Can you provide any more details on this?
From memory it appeared to be some sort of ping functionality built in. Feel
free to drop that section and apply the rest, I can do more testing on it if
you like.
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
On Thu, Jan 3, 2019 at 2:19 AM Russell Coker <[email protected]> wrote:
>
> On Thursday, 3 January 2019 11:14:06 AM AEDT Chris PeBenito wrote:
> > On 1/2/19 4:20 AM, Russell Coker wrote:
> > > Trivial stuff.
> > >
> > >
> > > Index: refpolicy-2.20180701/policy/modules/services/networkmanager.te
> > > ===================================================================
> > > --- refpolicy-2.20180701.orig/policy/modules/services/networkmanager.te
> > > +++ refpolicy-2.20180701/policy/modules/services/networkmanager.te
> > > @@ -57,6 +57,7 @@ allow NetworkManager_t self:tcp_socket {
> > >
> > > allow NetworkManager_t self:tun_socket { create_socket_perms relabelfrom
> > > relabelto }; allow NetworkManager_t self:packet_socket
> > > create_socket_perms;
> > > allow NetworkManager_t self:socket create_socket_perms;
> > >
> > > +allow NetworkManager_t self:rawip_socket { create setopt getattr write
> > > read };
> > This seems odd. Can you provide any more details on this?
>
> From memory it appeared to be some sort of ping functionality built in. Feel
> free to drop that section and apply the rest, I can do more testing on it if
> you like.
For information, I have a patch in my policy (that I never found the
time to send) which adds "allow NetworkManager_t self:rawip_socket
create_socket_perms;" with the following description:
Allow NetworkManager to use raw IP sockets
NetworkManager uses raw sockets to send and receive ICMPv6 paquets.
"ss --raw -lpn" shows:
State Recv-Q Send-Q Local Address:Port Peer Address:Port
UNCONN 0 0 :::ipv6-icmp :::*
users:(("NetworkManager",pid=31474,fd=22))
and audit.log reports AVC denials from NetworkManager for create,
setopt, getattr and write in rawip_socket class. Here is an excerpt for
a denied write ("lport=58" means "ipv6-icmp", cf. /etc/protocols):
type=AVC msg=audit(1414245913.538:386): avc: denied { write } for
pid=31474 comm="NetworkManager" lport=58
scontext=system_u:system_r:NetworkManager_t
tcontext=system_u:system_r:NetworkManager_t tclass=rawip_socket
I agree with adding the required permissions to NetworkManager (ICMPv6
is used for Router Solicitation/Router Advertisement packets).
Nicolas