2021-01-29 17:18:58

by Russell Coker

[permalink] [raw]
Subject: [PATCH] type transition rules for Debian installations

This patch has named type transition rules for the creation of directories
without specifying the type, hopefully these will be removed at some future
time when the package maintainer does things differently, but that won't
happen soon.

Signed-off-by: Russell Coker <[email protected]>

Index: refpolicy-2.20210129/policy/modules/system/authlogin.if
===================================================================
--- refpolicy-2.20210129.orig/policy/modules/system/authlogin.if
+++ refpolicy-2.20210129/policy/modules/system/authlogin.if
@@ -713,13 +713,18 @@ interface(`auth_manage_shadow',`
## Domain allowed access.
## </summary>
## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
#
interface(`auth_etc_filetrans_shadow',`
gen_require(`
type shadow_t;
')

- files_etc_filetrans($1, shadow_t, file)
+ files_etc_filetrans($1, shadow_t, file, $2)
')

#######################################
Index: refpolicy-2.20210129/policy/modules/admin/dpkg.te
===================================================================
--- refpolicy-2.20210129.orig/policy/modules/admin/dpkg.te
+++ refpolicy-2.20210129/policy/modules/admin/dpkg.te
@@ -276,6 +276,7 @@ term_use_all_terms(dpkg_script_t)

files_manage_non_auth_files(dpkg_script_t)

+auth_etc_filetrans_shadow(dpkg_script_t, "shadow.upwd-write")
auth_manage_shadow(dpkg_script_t)

init_all_labeled_script_domtrans(dpkg_script_t)
@@ -307,10 +308,20 @@ optional_policy(`
')

optional_policy(`
+ aptcacher_create_cache_dir(dpkg_script_t)
+ aptcacher_create_conf_dir(dpkg_script_t)
+ aptcacher_create_log_dir(dpkg_script_t)
+')
+
+optional_policy(`
bootloader_run(dpkg_script_t, dpkg_roles)
')

optional_policy(`
+ clamav_create_freshclam_log(dpkg_script_t)
+')
+
+optional_policy(`
devicekit_dbus_chat_power(dpkg_script_t)
')

@@ -327,6 +338,11 @@ optional_policy(`
')

optional_policy(`
+ mysql_create_db_dir(dpkg_script_t)
+ mysql_create_log_dir(dpkg_script_t)
+')
+
+optional_policy(`
nis_use_ypbind(dpkg_script_t)
')

Index: refpolicy-2.20210129/policy/modules/services/mysql.fc
===================================================================
--- refpolicy-2.20210129.orig/policy/modules/services/mysql.fc
+++ refpolicy-2.20210129/policy/modules/services/mysql.fc
@@ -25,8 +25,8 @@ HOME_DIR/\.my\.cnf -- gen_context(system
/var/lib/mysql(/.*)? gen_context(system_u:object_r:mysqld_db_t,s0)
/var/lib/mysql/mysql.* -s gen_context(system_u:object_r:mysqld_runtime_t,s0)

-/var/log/mariadb(/.*)? gen_context(system_u:object_r:mysqld_log_t,s0)
-/var/log/mysql.* -- gen_context(system_u:object_r:mysqld_log_t,s0)
+/var/log/mariadb(/.*)? gen_context(system_u:object_r:mysqld_log_t,s0)
+/var/log/mysql(/.*)? gen_context(system_u:object_r:mysqld_log_t,s0)

/run/mysqld.* gen_context(system_u:object_r:mysqld_runtime_t,s0)
/run/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_runtime_t,s0)
Index: refpolicy-2.20210129/policy/modules/services/mysql.if
===================================================================
--- refpolicy-2.20210129.orig/policy/modules/services/mysql.if
+++ refpolicy-2.20210129/policy/modules/services/mysql.if
@@ -243,6 +243,24 @@ interface(`mysql_manage_db_files',`

########################################
## <summary>
+## create mysqld db dir.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mysql_create_db_dir',`
+ gen_require(`
+ type mysqld_db_t;
+ ')
+
+ files_var_lib_filetrans($1, mysqld_db_t, dir, "mysql")
+')
+
+########################################
+## <summary>
## Create, read, write, and delete
## mysqld home files.
## </summary>
@@ -325,9 +343,29 @@ interface(`mysql_write_log',`
')

logging_search_logs($1)
+ allow $1 mysqld_log_t:dir search_dir_perms;
allow $1 mysqld_log_t:file write_file_perms;
')

+########################################
+## <summary>
+## create mysqld log dir.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mysql_create_log_dir',`
+ gen_require(`
+ type mysqld_log_t;
+ ')
+
+ logging_search_logs($1)
+ logging_log_filetrans($1, mysqld_log_t, dir, "mysql")
+')
+
######################################
## <summary>
## Execute mysqld safe in the
Index: refpolicy-2.20210129/policy/modules/services/clamav.if
===================================================================
--- refpolicy-2.20210129.orig/policy/modules/services/clamav.if
+++ refpolicy-2.20210129/policy/modules/services/clamav.if
@@ -430,3 +430,21 @@ interface(`clamav_admin',`
files_list_tmp($1)
admin_pattern($1, { clamd_tmp_t clamscan_tmp_t })
')
+
+########################################
+## <summary>
+## specified domain creates /var/log/clamav/freshclam.log with correct type
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`clamav_create_freshclam_log',`
+ gen_require(`
+ type clamd_var_log_t, freshclam_var_log_t;
+ ')
+
+ filetrans_pattern($1, clamd_var_log_t, freshclam_var_log_t, file, "freshclam.log")
+')
Index: refpolicy-2.20210129/policy/modules/services/aptcacher.if
===================================================================
--- refpolicy-2.20210129.orig/policy/modules/services/aptcacher.if
+++ refpolicy-2.20210129/policy/modules/services/aptcacher.if
@@ -63,3 +63,57 @@ interface(`aptcacher_stream_connect',`
files_search_runtime($1)
stream_connect_pattern($1, aptcacher_runtime_t, aptcacher_runtime_t, aptcacher_t)
')
+
+########################################
+## <summary>
+## create /var/log/apt-cacher-ng
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`aptcacher_create_log_dir',`
+ gen_require(`
+ type aptcacher_log_t;
+ ')
+
+ logging_log_filetrans($1, aptcacher_log_t, dir, "apt-cacher-ng")
+')
+
+########################################
+## <summary>
+## create /var/cache/apt-cacher-ng
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`aptcacher_create_cache_dir',`
+ gen_require(`
+ type aptcacher_cache_t;
+ ')
+
+ files_var_filetrans($1, aptcacher_cache_t, dir, "apt-cacher-ng")
+')
+
+########################################
+## <summary>
+## create /etc/apt-cacher-ng
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`aptcacher_create_conf_dir',`
+ gen_require(`
+ type aptcacher_conf_t;
+ ')
+
+ files_etc_filetrans($1, aptcacher_conf_t, dir, "apt-cacher-ng")
+')
Index: refpolicy-2.20210129/policy/modules/services/ftp.if
===================================================================
--- refpolicy-2.20210129.orig/policy/modules/services/ftp.if
+++ refpolicy-2.20210129/policy/modules/services/ftp.if
@@ -189,3 +189,21 @@ interface(`ftp_admin',`

ftp_run_ftpdctl($1, $2)
')
+
+########################################
+## <summary>
+## create /run/pure-ftpd
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ftp_create_pure_ftpd_runtime',`
+ gen_require(`
+ type ftpd_runtime_t;
+ ')
+
+ files_runtime_filetrans($1, ftpd_runtime_t, dir, "pure-ftpd")
+')
Index: refpolicy-2.20210129/policy/modules/system/init.te
===================================================================
--- refpolicy-2.20210129.orig/policy/modules/system/init.te
+++ refpolicy-2.20210129/policy/modules/system/init.te
@@ -1287,6 +1287,10 @@ optional_policy(`
')

optional_policy(`
+ ftp_create_pure_ftpd_runtime(initrc_t)
+')
+
+optional_policy(`
rpc_read_exports(initrc_t)
')