This should all be obvious.
Index: refpolicy-2.20180701/policy/modules/services/cron.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/cron.te
+++ refpolicy-2.20180701/policy/modules/services/cron.te
@@ -517,6 +517,7 @@ corenet_tcp_sendrecv_generic_node(system
corenet_udp_sendrecv_generic_node(system_cronjob_t)
corenet_tcp_sendrecv_all_ports(system_cronjob_t)
corenet_udp_sendrecv_all_ports(system_cronjob_t)
+corenet_tcp_connect_tor_port(system_cronjob_t)
dev_getattr_all_blk_files(system_cronjob_t)
dev_getattr_all_chr_files(system_cronjob_t)
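Review bot: the added corenet_tcp_connect_tor_port(system_cronjob_t) line needs a comment saying which cron job has to reach a Tor port, because nothing around it explains the choice: the context lines grant corenet_tcp_sendrecv_all_ports and corenet_udp_sendrecv_all_ports, which cover traffic on any port once a connection exists, but not connect, so singling out tor_port_t for connect reads as an unexplained special case. Either document the use case directly above the rule (for example "# for popcon uploading its data via tor", as the follow-up in this thread states) or, if the need is specific to Debian's popcon, gate the rule behind a tunable so that systems without a Tor client do not hand every system cron job a Tor connect permission.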
Index: refpolicy-2.20180701/policy/modules/services/devicekit.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/devicekit.te
+++ refpolicy-2.20180701/policy/modules/services/devicekit.te
@@ -91,6 +91,7 @@ files_pid_filetrans(devicekit_disk_t, de
kernel_getattr_message_if(devicekit_disk_t)
kernel_list_unlabeled(devicekit_disk_t)
kernel_dontaudit_getattr_unlabeled_files(devicekit_disk_t)
+kernel_read_crypto_sysctls(devicekit_disk_t)
kernel_read_fs_sysctls(devicekit_disk_t)
kernel_read_network_state(devicekit_disk_t)
kernel_read_software_raid_state(devicekit_disk_t)
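Review bot: kernel_read_crypto_sysctls(devicekit_disk_t) arrives without a comment, and unlike the fs and network state reads beside it the reason is not self-evident for a disk daemon; state which udisks operation reads /proc/sys/crypto (a crypto library checking fips_enabled during LUKS handling is the usual trigger, but that is a guess) and include the denial that motivated it in the submission, so a later reader can judge whether the read is required or a dontaudit would have done.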
@@ -108,6 +109,7 @@ dev_getattr_all_chr_files(devicekit_disk
dev_getattr_mtrr_dev(devicekit_disk_t)
dev_getattr_usbfs_dirs(devicekit_disk_t)
dev_manage_generic_files(devicekit_disk_t)
+dev_read_rand(devicekit_disk_t)
dev_read_urand(devicekit_disk_t)
dev_rw_sysfs(devicekit_disk_t)
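Review bot: dev_read_rand(devicekit_disk_t) is added directly beside the existing dev_read_urand(devicekit_disk_t), so the question to answer in a comment is which code path opens /dev/random instead of /dev/urandom; on the kernels of this period /dev/random can block when the entropy pool is low, which matters for a daemon that handles disks early in boot. If the access is a library probing both devices, a dontaudit rule is the better fit; if it is a real read (for example key material for cryptsetup), say so above the line.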
Index: refpolicy-2.20180701/policy/modules/system/lvm.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/lvm.te
+++ refpolicy-2.20180701/policy/modules/system/lvm.te
@@ -308,6 +308,7 @@ init_use_fds(lvm_t)
init_dontaudit_getattr_initctl(lvm_t)
init_use_script_ptys(lvm_t)
init_read_script_state(lvm_t)
+init_read_script_tmp_files(lvm_t)
# for systemd-cryptsetup to talk to /run/systemd/journal/socket
init_stream_connect(lvm_t)
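Review bot: init_read_script_tmp_files(lvm_t) has no comment, while the neighbouring init_stream_connect(lvm_t) records exactly which component (systemd-cryptsetup) and which path (/run/systemd/journal/socket) it exists for; follow that pattern and name the init script whose temporary file lvm_t has to read. A domain reading another domain's tmp files is often a sign that the file should carry its own type via a filetrans rule, so the original denial belongs in the submission as well.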
Index: refpolicy-2.20180701/policy/modules/system/sysnetwork.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/sysnetwork.te
+++ refpolicy-2.20180701/policy/modules/system/sysnetwork.te
@@ -373,6 +373,7 @@ ifdef(`hide_broken_symptoms',`
optional_policy(`
devicekit_read_pid_files(ifconfig_t)
+ devicekit_append_inherited_log_files(ifconfig_t)
')
optional_policy(`
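Review bot: granting append on inherited devicekit log files from inside the ifdef(`hide_broken_symptoms',` block that the hunk header names goes further than hiding a symptom: hide_broken_symptoms exists to silence denials caused by descriptors leaked into a child, and this rule instead lets ifconfig_t write into udisks' log through whatever descriptor it inherits. If the hunk really sits inside that block, prefer a dontaudit variant for the inherited fd; if udisks genuinely wants ifconfig output in its log, move the rule outside hide_broken_symptoms and comment the call site that leaks the descriptor.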
On 1/28/19 3:48 AM, Russell Coker wrote:
> This should all be obvious.
>
> Index: refpolicy-2.20180701/policy/modules/services/cron.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/cron.te
> +++ refpolicy-2.20180701/policy/modules/services/cron.te
> @@ -517,6 +517,7 @@ corenet_tcp_sendrecv_generic_node(system
> corenet_udp_sendrecv_generic_node(system_cronjob_t)
> corenet_tcp_sendrecv_all_ports(system_cronjob_t)
> corenet_udp_sendrecv_all_ports(system_cronjob_t)
> +corenet_tcp_connect_tor_port(system_cronjob_t)
Everything but this hunk is merged, as it is not obvious to me. Given
the other networking rules, I would have guessed something like
tcp_connect to all ports. I can't infer the relevance of tor by itself.
> dev_getattr_all_blk_files(system_cronjob_t)
> dev_getattr_all_chr_files(system_cronjob_t)
> Index: refpolicy-2.20180701/policy/modules/services/devicekit.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/devicekit.te
> +++ refpolicy-2.20180701/policy/modules/services/devicekit.te
> @@ -91,6 +91,7 @@ files_pid_filetrans(devicekit_disk_t, de
> kernel_getattr_message_if(devicekit_disk_t)
> kernel_list_unlabeled(devicekit_disk_t)
> kernel_dontaudit_getattr_unlabeled_files(devicekit_disk_t)
> +kernel_read_crypto_sysctls(devicekit_disk_t)
> kernel_read_fs_sysctls(devicekit_disk_t)
> kernel_read_network_state(devicekit_disk_t)
> kernel_read_software_raid_state(devicekit_disk_t)
> @@ -108,6 +109,7 @@ dev_getattr_all_chr_files(devicekit_disk
> dev_getattr_mtrr_dev(devicekit_disk_t)
> dev_getattr_usbfs_dirs(devicekit_disk_t)
> dev_manage_generic_files(devicekit_disk_t)
> +dev_read_rand(devicekit_disk_t)
> dev_read_urand(devicekit_disk_t)
> dev_rw_sysfs(devicekit_disk_t)
>
> Index: refpolicy-2.20180701/policy/modules/system/lvm.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/system/lvm.te
> +++ refpolicy-2.20180701/policy/modules/system/lvm.te
> @@ -308,6 +308,7 @@ init_use_fds(lvm_t)
> init_dontaudit_getattr_initctl(lvm_t)
> init_use_script_ptys(lvm_t)
> init_read_script_state(lvm_t)
> +init_read_script_tmp_files(lvm_t)
> # for systemd-cryptsetup to talk to /run/systemd/journal/socket
> init_stream_connect(lvm_t)
>
> Index: refpolicy-2.20180701/policy/modules/system/sysnetwork.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/system/sysnetwork.te
> +++ refpolicy-2.20180701/policy/modules/system/sysnetwork.te
> @@ -373,6 +373,7 @@ ifdef(`hide_broken_symptoms',`
>
> optional_policy(`
> devicekit_read_pid_files(ifconfig_t)
> + devicekit_append_inherited_log_files(ifconfig_t)
> ')
>
> optional_policy(`
>
--
Chris PeBenito
On Wednesday, 30 January 2019 10:47:06 AM AEDT Chris PeBenito wrote:
> > +corenet_tcp_connect_tor_port(system_cronjob_t)
>
> Everything but this hunk is merged, as it is not obvious to me. Given
> the other networking rules, I would have guessed something like
> tcp_connect to all ports. I can't infer the relevance of tor by itself.
It allows cron jobs to talk to tor.
One example is the Debian package "popcon", which tracks the popularity of
Debian packages. That will upload its data via tor by default if possible.
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/