2021-01-20 11:18:34

by Russell Coker

Subject: [PATCH] misc services patches

Misc patches for services policy, ready to merge.

Signed-off-by: Russell Coker <[email protected]>

Index: refpolicy-2.20210120/policy/modules/services/apache.fc
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/apache.fc
+++ refpolicy-2.20210120/policy/modules/services/apache.fc
@@ -83,6 +83,8 @@ HOME_DIR/((www)|(web)|(public_html))(/.*
/usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
/usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
/usr/sbin/wigwam -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/php7..-fpm -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/php-fpm[^/]+ -- gen_context(system_u:object_r:httpd_exec_t,s0)

ifdef(`distro_suse',`
/usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0)
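Review bot: The added `/usr/sbin/php-fpm[^/]+` entry cannot match a binary named exactly `/usr/sbin/php-fpm`, because file-context regexes are anchored at both ends and `[^/]+` demands at least one trailing character; a distribution that ships the unversioned name gets no httpd_exec_t label on it and the service does not transition into httpd_t. `/usr/sbin/php-fpm[^/]*` covers both the bare and the suffixed names with no other change.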
@@ -144,7 +146,7 @@ ifdef(`distro_suse',`
/var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_runtime_t,s0)
/var/lib/pootle/po(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/var/lib/rt3/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
-/var/lib/squirrelmail/prefs(/.*)? gen_context(system_u:object_r:httpd_squirrelmail_t,s0)
+/var/lib/squirrelmail(/.*)? gen_context(system_u:object_r:httpd_squirrelmail_t,s0)
/var/lib/stickshift/\.httpd\.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
/var/lib/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/var/lib/trac(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
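Review bot: Widening `/var/lib/squirrelmail/prefs(/.*)?` to `/var/lib/squirrelmail(/.*)?` labels every file under that tree httpd_squirrelmail_t, a type httpd_t manages (and, with this series, maps) in apache.te; the description does not say which additional paths needed the label. If only one or two subdirectories are written by the webmail process, separate entries for them keep the rest of the tree out of httpd_t's writable set; if the whole tree really is needed, a one-line comment above the entry recording that would save the next reader the same question.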
@@ -170,6 +172,7 @@ ifdef(`distro_suse',`
/var/log/roundcubemail(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/suphp\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/log/php7..-fpm.log -- gen_context(system_u:object_r:httpd_log_t,s0)

/run/apache.* gen_context(system_u:object_r:httpd_runtime_t,s0)
/run/cherokee\.pid -- gen_context(system_u:object_r:httpd_runtime_t,s0)
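Review bot: `/var/log/php7..-fpm.log` leaves the dot in `.log` unescaped, so that position matches any character; the neighbouring entries escape literal dots (`suphp\.log.*`, `cherokee\.pid`). Suggest `/var/log/php7..-fpm\.log -- gen_context(system_u:object_r:httpd_log_t,s0)`.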
@@ -178,6 +181,7 @@ ifdef(`distro_suse',`
/run/httpd.* gen_context(system_u:object_r:httpd_runtime_t,s0)
/run/lighttpd(/.*)? gen_context(system_u:object_r:httpd_runtime_t,s0)
/run/mod_.* gen_context(system_u:object_r:httpd_runtime_t,s0)
+/run/php(/.*)? gen_context(system_u:object_r:httpd_runtime_t,s0)
/run/wsgi.* -s gen_context(system_u:object_r:httpd_runtime_t,s0)
/run/user/apache(/.*)? gen_context(system_u:object_r:httpd_tmp_t,s0)

Index: refpolicy-2.20210120/policy/modules/services/apache.if
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/apache.if
+++ refpolicy-2.20210120/policy/modules/services/apache.if
@@ -71,6 +71,7 @@ template(`apache_content_template',`

manage_dirs_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
manage_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+ allow httpd_$1_script_t httpd_$1_rw_content_t:file map;
manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
@@ -97,6 +98,8 @@ template(`apache_content_template',`

tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
filetrans_pattern(httpd_t, httpd_$1_content_t, httpd_$1_rw_content_t, { file dir fifo_file lnk_file sock_file })
+ allow httpd_t httpd_$1_content_t:file map;
+ allow httpd_t httpd_$1_rw_content_t:file map;
')
')

@@ -1005,6 +1008,7 @@ interface(`apache_manage_sys_rw_content'
apache_search_sys_content($1)
manage_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
manage_files_pattern($1,httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+ allow $1 httpd_sys_rw_content_t:file map;
manage_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
')

@@ -1132,6 +1136,25 @@ interface(`apache_append_squirrelmail_da
')

########################################
+## <summary>
+## delete httpd squirrelmail spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_delete_squirrelmail_spool',`
+ gen_require(`
+ type squirrelmail_spool_t;
+ ')
+
+ allow $1 squirrelmail_spool_t:dir rw_dir_perms;
+ allow $1 squirrelmail_spool_t:file delete_file_perms;
+')
+
+########################################
## <summary>
## Search httpd system content.
## </summary>
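Review bot: `allow $1 squirrelmail_spool_t:dir rw_dir_perms;` in apache_delete_squirrelmail_spool grants add_name alongside remove_name, so a caller that only needs to delete spool files can also create entries in the spool directory. refpolicy's `delete_files_pattern($1, squirrelmail_spool_t, squirrelmail_spool_t)` grants exactly the directory and file permissions deletion needs and would replace both allow lines. The summary should also follow the sentence style of the surrounding interfaces, `Delete httpd squirrelmail spool files.`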
Index: refpolicy-2.20210120/policy/modules/services/apache.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/apache.te
+++ refpolicy-2.20210120/policy/modules/services/apache.te
@@ -381,6 +381,7 @@ manage_dirs_pattern(httpd_t, httpd_cache
manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
files_var_filetrans(httpd_t, httpd_cache_t, dir)
+allow httpd_t httpd_cache_t:file map;

allow httpd_t httpd_config_t:dir list_dir_perms;
read_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
@@ -389,7 +390,7 @@ read_lnk_files_pattern(httpd_t, httpd_co
allow httpd_t httpd_htaccess_type:file read_file_perms;

allow httpd_t httpd_ro_content:dir list_dir_perms;
-allow httpd_t httpd_ro_content:file read_file_perms;
+allow httpd_t httpd_ro_content:file { map read_file_perms };
allow httpd_t httpd_ro_content:lnk_file read_lnk_file_perms;

allow httpd_t httpd_keytab_t:file read_file_perms;
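Review bot: `allow httpd_t httpd_ro_content:file { map read_file_perms };` spells the permission set out by hand, while aptcacher.if in this same series uses `mmap_read_file_perms` for the identical grant; the two are equivalent, so one form should be used throughout, e.g. `allow httpd_t httpd_ro_content:file mmap_read_file_perms;`. The same hand-written set appears on the httpdcontent line in the httpd_builtin_scripting hunk of this file and on the samba_net_t runtime-file line in samba.te.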
@@ -416,6 +417,7 @@ allow httpd_t httpd_rotatelogs_t:process
manage_dirs_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
manage_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
+allow httpd_t httpd_squirrelmail_t:file map;

allow httpd_t httpd_suexec_exec_t:file read_file_perms;

@@ -425,6 +427,7 @@ allow httpd_t httpd_sys_script_t:process

manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
+allow httpd_t httpd_tmp_t:file map;
manage_sock_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
manage_lnk_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir lnk_file sock_file })
@@ -439,6 +442,7 @@ fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_

manage_dirs_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
+allow httpd_t httpd_var_lib_t:file map;
manage_lnk_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
files_var_lib_filetrans(httpd_t, httpd_var_lib_t, { dir file })

@@ -460,6 +464,7 @@ domtrans_pattern(httpd_t, httpd_rotatelo
domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)

kernel_read_kernel_sysctls(httpd_t)
+kernel_read_crypto_sysctls(httpd_t)
kernel_read_vm_sysctls(httpd_t)
kernel_read_vm_overcommit_sysctl(httpd_t)
kernel_read_network_state(httpd_t)
@@ -484,6 +489,7 @@ dev_read_sysfs(httpd_t)
dev_read_rand(httpd_t)
dev_read_urand(httpd_t)
dev_rw_crypto(httpd_t)
+dev_rwx_zero(httpd_t)

domain_use_interactive_fds(httpd_t)

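Review bot: `dev_rwx_zero(httpd_t)` lets the web server create mappings of /dev/zero that are writable and executable at once, which is precisely what the execmem-style restrictions are meant to deny, and neither the hunk nor the description says which module or language runtime needs it. A one-line comment naming the consumer above the call would let a later reviewer confirm it is still required, and if it only serves a particular scripting runtime it may belong under the tunable that already gates that runtime rather than in unconditional httpd_t policy.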
@@ -492,10 +498,12 @@ fs_search_auto_mountpoints(httpd_t)

fs_read_anon_inodefs_files(httpd_t)
fs_rw_inherited_hugetlbfs_files(httpd_t)
+fs_mmap_rw_hugetlbfs_files(httpd_t)
fs_read_iso9660_files(httpd_t)

files_dontaudit_getattr_all_runtime_files(httpd_t)
files_read_usr_files(httpd_t)
+files_map_usr_files(httpd_t)
files_list_mnt(httpd_t)
files_search_spool(httpd_t)
files_read_var_symlinks(httpd_t)
@@ -504,6 +512,7 @@ files_search_home(httpd_t)
files_getattr_home_dir(httpd_t)
files_read_etc_runtime_files(httpd_t)
files_read_var_lib_symlinks(httpd_t)
+files_map_etc_files(httpd_t)

auth_use_nsswitch(httpd_t)

@@ -573,7 +582,7 @@ tunable_policy(`httpd_builtin_scripting'
exec_files_pattern(httpd_t, httpd_script_exec_type, httpd_script_exec_type)

allow httpd_t httpdcontent:dir list_dir_perms;
- allow httpd_t httpdcontent:file read_file_perms;
+ allow httpd_t httpdcontent:file { map read_file_perms };
allow httpd_t httpdcontent:lnk_file read_lnk_file_perms;

allow httpd_t httpd_ra_content:dir { list_dir_perms add_entry_dir_perms setattr_dir_perms };
@@ -614,6 +623,7 @@ tunable_policy(`httpd_enable_cgi && http

manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
+ allow httpd_t httpdcontent:file map;
manage_fifo_files_pattern(httpd_t, httpdcontent, httpdcontent)
manage_lnk_files_pattern(httpd_t, httpdcontent, httpdcontent)
manage_sock_files_pattern(httpd_t, httpdcontent, httpdcontent)
@@ -625,7 +635,7 @@ tunable_policy(`httpd_enable_ftp_server'
')

tunable_policy(`httpd_enable_homedirs',`
- userdom_search_user_home_dirs(httpd_t)
+ userdom_list_user_home_content(httpd_t)
')

tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
@@ -903,6 +913,7 @@ optional_policy(`
#

read_files_pattern(httpd_helper_t, httpd_config_t, httpd_config_t)
+allow httpd_t httpd_config_t:file map;

append_files_pattern(httpd_helper_t, httpd_log_t, httpd_log_t)
read_lnk_files_pattern(httpd_helper_t, httpd_log_t, httpd_log_t)
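Review bot: `allow httpd_t httpd_config_t:file map;` is added inside the httpd_helper_t section (every surrounding rule names httpd_helper_t), so either the subject was meant to be httpd_helper_t, or the line belongs next to the existing httpd_t config rules earlier in the file (`read_files_pattern(httpd_t, httpd_config_t, httpd_config_t)` in the first hunk). As written it grants httpd_t from an unexpected place and leaves the helper without map, which is easy to miss on a later read.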
Index: refpolicy-2.20210120/policy/modules/services/aptcacher.fc
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/aptcacher.fc
+++ refpolicy-2.20210120/policy/modules/services/aptcacher.fc
@@ -2,12 +2,15 @@

/usr/lib/apt-cacher-ng/acngtool -- gen_context(system_u:object_r:acngtool_exec_t,s0)

-/usr/sbin/apt-cacher-ng -- gen_context(system_u:object_r:aptcacher_exec_t,s0)
+/usr/sbin/apt-cacher.* -- gen_context(system_u:object_r:aptcacher_exec_t,s0)

+/run/apt-cacher(/.*)? gen_context(system_u:object_r:aptcacher_runtime_t,s0)
/run/apt-cacher-ng(/.*)? gen_context(system_u:object_r:aptcacher_runtime_t,s0)

+/var/cache/apt-cacher(/.*)? gen_context(system_u:object_r:aptcacher_cache_t,s0)
/var/cache/apt-cacher-ng(/.*)? gen_context(system_u:object_r:aptcacher_cache_t,s0)

/var/lib/apt-cacher-ng(/.*)? gen_context(system_u:object_r:aptcacher_lib_t,s0)

+/var/log/apt-cacher(/.*)? gen_context(system_u:object_r:aptcacher_log_t,s0)
/var/log/apt-cacher-ng(/.*)? gen_context(system_u:object_r:aptcacher_log_t,s0)
Index: refpolicy-2.20210120/policy/modules/services/aptcacher.if
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/aptcacher.if
+++ refpolicy-2.20210120/policy/modules/services/aptcacher.if
@@ -63,3 +63,23 @@ interface(`aptcacher_stream_connect',`
files_search_runtime($1)
stream_connect_pattern($1, aptcacher_runtime_t, aptcacher_runtime_t, aptcacher_t)
')
+
+######################################
+## <summary>
+## read aptcacher config
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to read it.
+## </summary>
+## </param>
+#
+interface(`aptcacher_read_config',`
+ gen_require(`
+ type aptcacher_etc_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 aptcacher_etc_t:dir list_dir_perms;
+ allow $1 aptcacher_etc_t:file mmap_read_file_perms;
+')
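Review bot: aptcacher_read_config requires `type aptcacher_etc_t;` in its gen_require, but no declaration of that type is visible anywhere in this series; if aptcacher.te does not already declare it, every caller (cron.te uses the interface in a later hunk) fails to build. The summary should read `Read the aptcacher configuration.` and the parameter text `Domain allowed access.`, matching the sentence style of the other interfaces in the file.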
Index: refpolicy-2.20210120/policy/modules/services/aptcacher.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/aptcacher.te
+++ refpolicy-2.20210120/policy/modules/services/aptcacher.te
@@ -75,6 +75,8 @@ corenet_tcp_connect_http_port(aptcacher_

auth_use_nsswitch(aptcacher_t)

+files_read_etc_files(aptcacher_t)
+
# Uses sd_notify() to inform systemd it has properly started
init_dgram_send(aptcacher_t)

Index: refpolicy-2.20210120/policy/modules/services/bind.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/bind.te
+++ refpolicy-2.20210120/policy/modules/services/bind.te
@@ -149,6 +149,7 @@ domain_use_interactive_fds(named_t)

files_read_etc_runtime_files(named_t)
files_read_usr_files(named_t)
+files_map_usr_files(named_t)

fs_getattr_all_fs(named_t)
fs_search_auto_mountpoints(named_t)
Index: refpolicy-2.20210120/policy/modules/services/colord.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/colord.te
+++ refpolicy-2.20210120/policy/modules/services/colord.te
@@ -31,6 +31,8 @@ allow colord_t self:netlink_kobject_ueve
allow colord_t self:tcp_socket { accept listen };
allow colord_t self:shm create_shm_perms;

+can_exec(colord_t, colord_exec_t)
+
manage_dirs_pattern(colord_t, colord_tmp_t, colord_tmp_t)
manage_files_pattern(colord_t, colord_tmp_t, colord_tmp_t)
files_tmp_filetrans(colord_t, colord_tmp_t, { file dir })
@@ -128,6 +130,10 @@ optional_policy(`
')

optional_policy(`
+ snmp_read_snmp_var_lib_files(colord_t)
+')
+
+optional_policy(`
sysnet_exec_ifconfig(colord_t)
')

@@ -136,6 +142,10 @@ optional_policy(`
')

optional_policy(`
+ unconfined_dbus_send(colord_t)
+')
+
+optional_policy(`
xserver_read_xdm_lib_files(colord_t)
xserver_use_xdm_fds(colord_t)
')
Index: refpolicy-2.20210120/policy/modules/services/cron.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/cron.te
+++ refpolicy-2.20210120/policy/modules/services/cron.te
@@ -304,6 +304,8 @@ init_start_all_units(system_cronjob_t)
init_get_generic_units_status(system_cronjob_t)
init_get_system_status(system_cronjob_t)

+backup_manage_store_files(system_cronjob_t)
+
auth_manage_var_auth(crond_t)
auth_use_pam(crond_t)

@@ -340,6 +342,11 @@ ifdef(`distro_debian',`
')

optional_policy(`
+ aptcacher_read_config(system_cronjob_t)
+ corenet_tcp_connect_aptcacher_port(system_cronjob_t)
+ ')
+
+ optional_policy(`
logwatch_search_cache_dir(crond_t)
')
')
@@ -435,6 +442,7 @@ optional_policy(`
init_dbus_chat(crond_t)
init_dbus_chat(system_cronjob_t)
systemd_dbus_chat_logind(system_cronjob_t)
+ systemd_read_journal_files(system_cronjob_t)
systemd_write_inherited_logind_sessions_pipes(system_cronjob_t)
# so cron jobs can restart daemons
init_stream_connect(system_cronjob_t)
@@ -505,6 +513,7 @@ corenet_tcp_sendrecv_generic_if(system_c
corenet_udp_sendrecv_generic_if(system_cronjob_t)
corenet_tcp_sendrecv_generic_node(system_cronjob_t)
corenet_udp_sendrecv_generic_node(system_cronjob_t)
+corenet_udp_bind_generic_node(system_cronjob_t)

dev_getattr_all_blk_files(system_cronjob_t)
dev_getattr_all_chr_files(system_cronjob_t)
@@ -587,6 +596,7 @@ optional_policy(`
apache_read_log(system_cronjob_t)
apache_read_sys_content(system_cronjob_t)
apache_delete_lib_files(system_cronjob_t)
+ apache_delete_squirrelmail_spool(system_cronjob_t)
')

optional_policy(`
@@ -659,6 +669,8 @@ optional_policy(`

optional_policy(`
spamassassin_manage_lib_files(system_cronjob_t)
+ spamassassin_status(system_cronjob_t)
+ spamassassin_reload(system_cronjob_t)
')

optional_policy(`
Index: refpolicy-2.20210120/policy/modules/services/cups.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/cups.te
+++ refpolicy-2.20210120/policy/modules/services/cups.te
@@ -111,11 +111,12 @@ ifdef(`enable_mls',`

allow cupsd_t self:capability { chown dac_override dac_read_search fowner fsetid ipc_lock kill setgid setuid sys_admin sys_rawio sys_resource sys_tty_config };
dontaudit cupsd_t self:capability { net_admin sys_tty_config };
-allow cupsd_t self:capability2 block_suspend;
+allow cupsd_t self:capability2 { block_suspend wake_alarm };
allow cupsd_t self:process { getpgid setpgid setsched signal_perms };
allow cupsd_t self:fifo_file rw_fifo_file_perms;
allow cupsd_t self:unix_stream_socket { accept connectto listen };
allow cupsd_t self:netlink_selinux_socket create_socket_perms;
+allow cupsd_t self:netlink_kobject_uevent_socket { bind create getattr read setopt };
allow cupsd_t self:shm create_shm_perms;
allow cupsd_t self:sem create_sem_perms;
allow cupsd_t self:tcp_socket { accept listen };
@@ -254,6 +255,7 @@ auth_use_nsswitch(cupsd_t)

libs_read_lib_files(cupsd_t)
libs_exec_lib_files(cupsd_t)
+libs_legacy_use_ld_so(cupsd_t)

logging_send_audit_msgs(cupsd_t)
logging_send_syslog_msg(cupsd_t)
Index: refpolicy-2.20210120/policy/modules/services/devicekit.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/devicekit.te
+++ refpolicy-2.20210120/policy/modules/services/devicekit.te
@@ -131,6 +131,8 @@ fs_mount_all_fs(devicekit_disk_t)
fs_unmount_all_fs(devicekit_disk_t)
fs_search_all(devicekit_disk_t)

+mount_rw_runtime_files(devicekit_disk_t)
+
mls_file_read_all_levels(devicekit_disk_t)
mls_file_write_to_clearance(devicekit_disk_t)

Index: refpolicy-2.20210120/policy/modules/services/entropyd.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/entropyd.te
+++ refpolicy-2.20210120/policy/modules/services/entropyd.te
@@ -55,6 +55,7 @@ files_read_usr_files(entropyd_t)

fs_getattr_all_fs(entropyd_t)
fs_search_auto_mountpoints(entropyd_t)
+fs_search_tmpfs(entropyd_t)

domain_use_interactive_fds(entropyd_t)

Index: refpolicy-2.20210120/policy/modules/services/fail2ban.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/fail2ban.te
+++ refpolicy-2.20210120/policy/modules/services/fail2ban.te
@@ -63,6 +63,7 @@ manage_files_pattern(fail2ban_t, fail2ba
files_runtime_filetrans(fail2ban_t, fail2ban_runtime_t, file)

kernel_read_system_state(fail2ban_t)
+kernel_search_fs_sysctls(fail2ban_t)

corecmd_exec_bin(fail2ban_t)
corecmd_exec_shell(fail2ban_t)
@@ -90,6 +91,7 @@ fs_getattr_all_fs(fail2ban_t)
auth_use_nsswitch(fail2ban_t)

logging_read_all_logs(fail2ban_t)
+logging_read_audit_log(fail2ban_t)
logging_send_syslog_msg(fail2ban_t)

miscfiles_read_localization(fail2ban_t)
Index: refpolicy-2.20210120/policy/modules/services/jabber.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/jabber.te
+++ refpolicy-2.20210120/policy/modules/services/jabber.te
@@ -110,8 +110,11 @@ files_read_etc_runtime_files(jabberd_t)
# usr for lua modules
files_read_usr_files(jabberd_t)

+files_search_var_lib(jabberd_t)
+
fs_search_auto_mountpoints(jabberd_t)

+miscfiles_read_generic_tls_privkey(jabberd_t)
miscfiles_read_all_certs(jabberd_t)

sysnet_read_config(jabberd_t)
Index: refpolicy-2.20210120/policy/modules/services/l2tp.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/l2tp.te
+++ refpolicy-2.20210120/policy/modules/services/l2tp.te
@@ -35,6 +35,7 @@ allow l2tpd_t self:socket create_socket_
allow l2tpd_t self:tcp_socket { accept listen };
allow l2tpd_t self:unix_dgram_socket sendto;
allow l2tpd_t self:unix_stream_socket { accept listen };
+allow l2tpd_t self:pppox_socket create;

read_files_pattern(l2tpd_t, l2tp_conf_t, l2tp_conf_t)

Index: refpolicy-2.20210120/policy/modules/services/mon.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/mon.te
+++ refpolicy-2.20210120/policy/modules/services/mon.te
@@ -150,6 +150,10 @@ optional_policy(`
bind_read_zone(mon_net_test_t)
')

+optional_policy(`
+ mysql_stream_connect(mon_net_test_t)
+')
+
########################################
#
# Local policy
@@ -159,7 +163,8 @@ optional_policy(`
# try not to use dontaudit rules for this
#

-allow mon_local_test_t self:capability sys_admin;
+# sys_ptrace is for reading /proc/1/maps etc
+allow mon_local_test_t self:capability { sys_ptrace sys_admin };
allow mon_local_test_t self:fifo_file rw_fifo_file_perms;
allow mon_local_test_t self:process getsched;

Index: refpolicy-2.20210120/policy/modules/services/mysql.fc
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/mysql.fc
+++ refpolicy-2.20210120/policy/modules/services/mysql.fc
@@ -20,6 +20,7 @@ HOME_DIR/\.my\.cnf -- gen_context(system
/usr/sbin/mysqld(-max)? -- gen_context(system_u:object_r:mysqld_exec_t,s0)
/usr/sbin/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_exec_t,s0)
/usr/sbin/ndbd -- gen_context(system_u:object_r:mysqld_exec_t,s0)
+/usr/sbin/mariadbd -- gen_context(system_u:object_r:mysqld_exec_t,s0)

/var/lib/mysql(/.*)? gen_context(system_u:object_r:mysqld_db_t,s0)
/var/lib/mysql/mysql.* -s gen_context(system_u:object_r:mysqld_runtime_t,s0)
Index: refpolicy-2.20210120/policy/modules/services/mysql.if
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/mysql.if
+++ refpolicy-2.20210120/policy/modules/services/mysql.if
@@ -59,7 +59,7 @@ interface(`mysql_signal',`
type mysqld_t;
')

- allow $1 mysqld_t:process signal;
+ allow $1 mysqld_t:process { signull signal };
')

########################################
Index: refpolicy-2.20210120/policy/modules/services/mysql.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/mysql.te
+++ refpolicy-2.20210120/policy/modules/services/mysql.te
@@ -65,7 +65,7 @@ files_runtime_file(mysqlmanagerd_runtime
# Local policy
#

-allow mysqld_t self:capability { dac_override ipc_lock setgid setuid sys_resource };
+allow mysqld_t self:capability { dac_override dac_read_search ipc_lock setgid setuid sys_resource };
dontaudit mysqld_t self:capability sys_tty_config;
allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh };
allow mysqld_t self:fifo_file rw_fifo_file_perms;
@@ -75,6 +75,7 @@ allow mysqld_t self:tcp_socket { accept

manage_dirs_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
manage_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
+allow mysqld_t mysqld_db_t:file map;
manage_lnk_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
files_var_lib_filetrans(mysqld_t, mysqld_db_t, { dir file lnk_file })

@@ -91,6 +92,7 @@ logging_log_filetrans(mysqld_t, mysqld_l

manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
manage_files_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
+allow mysqld_t mysqld_tmp_t:file map;
files_tmp_filetrans(mysqld_t, mysqld_tmp_t, { file dir })

manage_dirs_pattern(mysqld_t, mysqld_runtime_t, mysqld_runtime_t)
@@ -102,6 +104,7 @@ kernel_read_kernel_sysctls(mysqld_t)
kernel_read_network_state(mysqld_t)
kernel_read_system_state(mysqld_t)
kernel_read_vm_sysctls(mysqld_t)
+kernel_read_vm_overcommit_sysctl(mysqld_t)

corenet_all_recvfrom_netlabel(mysqld_t)
corenet_tcp_sendrecv_generic_if(mysqld_t)
@@ -123,6 +126,7 @@ domain_use_interactive_fds(mysqld_t)

fs_getattr_all_fs(mysqld_t)
fs_search_auto_mountpoints(mysqld_t)
+fs_search_tmpfs(mysqld_t)
fs_rw_hugetlbfs_files(mysqld_t)

files_read_etc_runtime_files(mysqld_t)
@@ -132,6 +136,7 @@ auth_use_nsswitch(mysqld_t)

logging_send_syslog_msg(mysqld_t)

+miscfiles_read_generic_certs(mysqld_t)
miscfiles_read_localization(mysqld_t)

userdom_search_user_home_dirs(mysqld_t)
Index: refpolicy-2.20210120/policy/modules/services/openvpn.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/openvpn.te
+++ refpolicy-2.20210120/policy/modules/services/openvpn.te
@@ -131,6 +131,8 @@ fs_search_auto_mountpoints(openvpn_t)

auth_use_pam(openvpn_t)

+init_read_state(openvpn_t)
+
miscfiles_read_localization(openvpn_t)
miscfiles_read_all_certs(openvpn_t)

@@ -163,6 +165,10 @@ optional_policy(`
')

optional_policy(`
+ dpkg_script_rw_inherited_pipes(openvpn_t)
+')
+
+optional_policy(`
dbus_system_bus_client(openvpn_t)
dbus_connect_system_bus(openvpn_t)

@@ -174,3 +180,7 @@ optional_policy(`
optional_policy(`
systemd_use_passwd_agent(openvpn_t)
')
+
+optional_policy(`
+ unconfined_use_fds(openvpn_t)
+')
Index: refpolicy-2.20210120/policy/modules/services/postgrey.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/postgrey.te
+++ refpolicy-2.20210120/policy/modules/services/postgrey.te
@@ -47,6 +47,7 @@ manage_fifo_files_pattern(postgrey_t, po
manage_sock_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t)

manage_files_pattern(postgrey_t, postgrey_var_lib_t, postgrey_var_lib_t)
+allow postgrey_t postgrey_var_lib_t:file map;
files_var_lib_filetrans(postgrey_t, postgrey_var_lib_t, file)

manage_dirs_pattern(postgrey_t, postgrey_runtime_t, postgrey_runtime_t)
Index: refpolicy-2.20210120/policy/modules/services/rpc.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/rpc.te
+++ refpolicy-2.20210120/policy/modules/services/rpc.te
@@ -218,6 +218,7 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir

kernel_read_network_state(nfsd_t)
kernel_dontaudit_getattr_core_if(nfsd_t)
+kernel_search_debugfs(nfsd_t)
kernel_setsched(nfsd_t)
kernel_request_load_module(nfsd_t)
# kernel_mounton_proc(nfsd_t)
Index: refpolicy-2.20210120/policy/modules/services/samba.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/samba.te
+++ refpolicy-2.20210120/policy/modules/services/samba.te
@@ -201,11 +201,14 @@ files_tmp_file(winbind_tmp_t)

allow samba_net_t self:capability { dac_override dac_read_search sys_chroot sys_nice };
allow samba_net_t self:capability2 block_suspend;
-allow samba_net_t self:process { getsched setsched };
+allow samba_net_t self:process { sigkill getsched setsched };
allow samba_net_t self:unix_stream_socket { accept listen };
+allow samba_net_t self:fifo_file rw_file_perms;

allow samba_net_t samba_etc_t:file read_file_perms;

+allow samba_net_t samba_var_run_t:file { map read_file_perms };
+
manage_files_pattern(samba_net_t, samba_etc_t, samba_secrets_t)
filetrans_pattern(samba_net_t, samba_etc_t, samba_secrets_t, file)

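Review bot: `allow samba_net_t self:fifo_file rw_file_perms;` applies the plain file permission set to a fifo; the convention in these files is `rw_fifo_file_perms` (cupsd_t, mon_local_test_t, mysqld_t and fsdaemon_t all use it in this same series), so `allow samba_net_t self:fifo_file rw_fifo_file_perms;`. Two lines below, `samba_var_run_t` should be `samba_runtime_t`, the name the rest of samba.te uses (see the samba_runtime_t hunks further down); the old name may only survive as an alias, if at all. The process set `{ sigkill getsched setsched }` is also unsorted, and refpolicy keeps these sets alphabetical: `{ getsched setsched sigkill }`.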
@@ -215,6 +218,7 @@ files_tmp_filetrans(samba_net_t, samba_n

manage_dirs_pattern(samba_net_t, samba_var_t, samba_var_t)
manage_files_pattern(samba_net_t, samba_var_t, samba_var_t)
+allow samba_net_t samba_var_t:file map;
manage_lnk_files_pattern(samba_net_t, samba_var_t, samba_var_t)
files_var_filetrans(samba_net_t, samba_var_t, dir, "samba")

@@ -300,6 +304,7 @@ allow smbd_t samba_share_t:filesystem {

manage_dirs_pattern(smbd_t, samba_var_t, samba_var_t)
manage_files_pattern(smbd_t, samba_var_t, samba_var_t)
+allow smbd_t samba_var_t:file map;
manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t)
manage_sock_files_pattern(smbd_t, samba_var_t, samba_var_t)
files_var_filetrans(smbd_t, samba_var_t, dir, "samba")
@@ -310,6 +315,7 @@ files_tmp_filetrans(smbd_t, smbd_tmp_t,

manage_dirs_pattern(smbd_t, samba_runtime_t, samba_runtime_t)
manage_files_pattern(smbd_t, samba_runtime_t, samba_runtime_t)
+allow smbd_t samba_runtime_t:file map;
manage_sock_files_pattern(smbd_t, samba_runtime_t, samba_runtime_t)
files_runtime_filetrans(smbd_t, samba_runtime_t, { dir file })

@@ -317,6 +323,7 @@ allow smbd_t winbind_runtime_t:sock_file
stream_connect_pattern(smbd_t, winbind_runtime_t, winbind_runtime_t, winbind_t)

stream_connect_pattern(smbd_t, samba_runtime_t, samba_runtime_t, nmbd_t)
+allow smbd_t nmbd_t:unix_dgram_socket sendto;

kernel_getattr_core_if(smbd_t)
kernel_getattr_message_if(smbd_t)
@@ -480,6 +487,11 @@ optional_policy(`
')

optional_policy(`
+ dbus_send_system_bus(smbd_t)
+ dbus_system_bus_client(smbd_t)
+')
+
+optional_policy(`
kerberos_read_keytab(smbd_t)
kerberos_use(smbd_t)
')
@@ -520,6 +532,7 @@ allow nmbd_t self:unix_stream_socket { a

manage_dirs_pattern(nmbd_t, samba_runtime_t, samba_runtime_t)
manage_files_pattern(nmbd_t, samba_runtime_t, samba_runtime_t)
+allow nmbd_t samba_runtime_t:file map;
manage_sock_files_pattern(nmbd_t, samba_runtime_t, samba_runtime_t)
files_runtime_filetrans(nmbd_t, samba_runtime_t, { dir file sock_file })

@@ -532,7 +545,7 @@ create_files_pattern(nmbd_t, samba_log_t
setattr_files_pattern(nmbd_t, samba_log_t, samba_log_t)

manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
-manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
+allow nmbd_t samba_var_t:file map;
manage_lnk_files_pattern(nmbd_t, samba_var_t, samba_var_t)
manage_sock_files_pattern(nmbd_t, samba_var_t, samba_var_t)
files_var_filetrans(nmbd_t, samba_var_t, dir, "nmbd")
@@ -613,6 +626,8 @@ allow smbcontrol_t self:process { signal

allow smbcontrol_t { winbind_t nmbd_t smbd_t }:process { signal signull };
read_files_pattern(smbcontrol_t, samba_runtime_t, samba_runtime_t)
+allow smbcontrol_t samba_runtime_t:dir rw_dir_perms;
+init_use_fds(smbcontrol_t)

manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t)

Index: refpolicy-2.20210120/policy/modules/services/smartmon.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/smartmon.te
+++ refpolicy-2.20210120/policy/modules/services/smartmon.te
@@ -38,7 +38,7 @@ ifdef(`enable_mls',`
# Local policy
#

-allow fsdaemon_t self:capability { dac_override kill setgid setpcap sys_admin sys_rawio };
+allow fsdaemon_t self:capability { dac_override kill setgid setuid setpcap sys_admin sys_rawio };
dontaudit fsdaemon_t self:capability sys_tty_config;
allow fsdaemon_t self:process { getcap setcap signal_perms };
allow fsdaemon_t self:fifo_file rw_fifo_file_perms;
Index: refpolicy-2.20210120/policy/modules/services/squid.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/squid.te
+++ refpolicy-2.20210120/policy/modules/services/squid.te
@@ -71,6 +71,7 @@ allow squid_t self:msg { send receive };
allow squid_t self:unix_dgram_socket sendto;
allow squid_t self:unix_stream_socket { accept connectto listen };
allow squid_t self:tcp_socket { accept listen };
+allow squid_t self:netlink_netfilter_socket all_netlink_netfilter_socket_perms;

manage_dirs_pattern(squid_t, squid_cache_t, squid_cache_t)
manage_files_pattern(squid_t, squid_cache_t, squid_cache_t)
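Review bot: `allow squid_t self:netlink_netfilter_socket all_netlink_netfilter_socket_perms;` grants every permission on the class, well beyond what a daemon opening and talking on the socket exercises; the other socket rules in this hunk and elsewhere in the series use `create_socket_perms` (e.g. the netlink_selinux_socket line in cups.te). Unless a denial shows a permission outside that set, `allow squid_t self:netlink_netfilter_socket create_socket_perms;` is the least-privilege form.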
@@ -91,6 +92,7 @@ manage_files_pattern(squid_t, squid_tmp_
files_tmp_filetrans(squid_t, squid_tmp_t, { file dir })

manage_files_pattern(squid_t, squid_tmpfs_t, squid_tmpfs_t)
+allow squid_t squid_tmpfs_t:file map;
fs_tmpfs_filetrans(squid_t, squid_tmpfs_t, file)

manage_files_pattern(squid_t, squid_runtime_t, squid_runtime_t)
Index: refpolicy-2.20210120/policy/modules/services/ssh.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/ssh.te
+++ refpolicy-2.20210120/policy/modules/services/ssh.te
@@ -268,6 +268,7 @@ ifdef(`init_systemd',`
init_dbus_chat(sshd_t)
systemd_dbus_chat_logind(sshd_t)
init_rw_stream_sockets(sshd_t)
+ systemd_read_logind_sessions_files(sshd_t)
')

tunable_policy(`ssh_sysadm_login',`
Index: refpolicy-2.20210120/policy/modules/services/tor.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/tor.te
+++ refpolicy-2.20210120/policy/modules/services/tor.te
@@ -74,6 +74,7 @@ files_runtime_filetrans(tor_t, tor_runti
kernel_read_kernel_sysctls(tor_t)
kernel_read_net_sysctls(tor_t)
kernel_read_system_state(tor_t)
+kernel_read_vm_overcommit_sysctl(tor_t)

corenet_all_recvfrom_netlabel(tor_t)
corenet_tcp_sendrecv_generic_if(tor_t)
Index: refpolicy-2.20210120/policy/modules/services/watchdog.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/watchdog.te
+++ refpolicy-2.20210120/policy/modules/services/watchdog.te
@@ -76,6 +76,8 @@ auth_append_login_records(watchdog_t)

logging_send_syslog_msg(watchdog_t)

+mcs_killall(watchdog_t)
+
miscfiles_read_localization(watchdog_t)

sysnet_dns_name_resolve(watchdog_t)
Index: refpolicy-2.20210120/policy/modules/services/xserver.if
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/xserver.if
+++ refpolicy-2.20210120/policy/modules/services/xserver.if
@@ -1662,6 +1662,7 @@ interface(`xserver_rw_mesa_shader_cache'

rw_dirs_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t)
rw_files_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t)
+ allow $1 mesa_shader_cache_t:file map;
xdg_search_cache_dirs($1)
')


2021-01-20 15:40:17

by Dominick Grift

Subject: Re: [PATCH] misc services patches

Russell Coker <[email protected]> writes:

> Misc patches for services policy, ready to merge.
>
> Signed-off-by: Russell Coker <[email protected]>
>
> Index: refpolicy-2.20210120/policy/modules/services/apache.fc
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/apache.fc
> +++ refpolicy-2.20210120/policy/modules/services/apache.fc
> @@ -83,6 +83,8 @@ HOME_DIR/((www)|(web)|(public_html))(/.*
> /usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
> /usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
> /usr/sbin/wigwam -- gen_context(system_u:object_r:httpd_exec_t,s0)
> +/usr/sbin/php7..-fpm -- gen_context(system_u:object_r:httpd_exec_t,s0)

that seems fragile. would probably have used "/usr/sbin/php.*-fpm"

> +/usr/sbin/php-fpm[^/]+ -- gen_context(system_u:object_r:httpd_exec_t,s0)
>
> ifdef(`distro_suse',`
> /usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0)
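Review bot: `/usr/sbin/php-fpm[^/]+` requires at least one character after `php-fpm`, so a binary installed as plain `/usr/sbin/php-fpm` is not matched by this entry; unless an entry for the bare path already exists outside the hunk, `/usr/sbin/php-fpm.* -- gen_context(system_u:object_r:httpd_exec_t,s0)` covers both. The `/var/log/php7..-fpm.log` entry in the later apache.fc hunk also leaves the dot before `log` unescaped, while the neighbouring `suphp\.log` entry escapes it; it should be `\.log` for consistency.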
> @@ -144,7 +146,7 @@ ifdef(`distro_suse',`
> /var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_runtime_t,s0)
> /var/lib/pootle/po(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> /var/lib/rt3/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
> -/var/lib/squirrelmail/prefs(/.*)? gen_context(system_u:object_r:httpd_squirrelmail_t,s0)
> +/var/lib/squirrelmail(/.*)? gen_context(system_u:object_r:httpd_squirrelmail_t,s0)
> /var/lib/stickshift/\.httpd\.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
> /var/lib/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> /var/lib/trac(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
> @@ -170,6 +172,7 @@ ifdef(`distro_suse',`
> /var/log/roundcubemail(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
> /var/log/suphp\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
> /var/log/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> +/var/log/php7..-fpm.log -- gen_context(system_u:object_r:httpd_log_t,s0)
>
> /run/apache.* gen_context(system_u:object_r:httpd_runtime_t,s0)
> /run/cherokee\.pid -- gen_context(system_u:object_r:httpd_runtime_t,s0)
> @@ -178,6 +181,7 @@ ifdef(`distro_suse',`
> /run/httpd.* gen_context(system_u:object_r:httpd_runtime_t,s0)
> /run/lighttpd(/.*)? gen_context(system_u:object_r:httpd_runtime_t,s0)
> /run/mod_.* gen_context(system_u:object_r:httpd_runtime_t,s0)
> +/run/php(/.*)? gen_context(system_u:object_r:httpd_runtime_t,s0)
> /run/wsgi.* -s gen_context(system_u:object_r:httpd_runtime_t,s0)
> /run/user/apache(/.*)? gen_context(system_u:object_r:httpd_tmp_t,s0)
>
> Index: refpolicy-2.20210120/policy/modules/services/apache.if
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/apache.if
> +++ refpolicy-2.20210120/policy/modules/services/apache.if
> @@ -71,6 +71,7 @@ template(`apache_content_template',`
>
> manage_dirs_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
> manage_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
> + allow httpd_$1_script_t httpd_$1_rw_content_t:file map;
> manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
> manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
> manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
> @@ -97,6 +98,8 @@ template(`apache_content_template',`
>
> tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
> filetrans_pattern(httpd_t, httpd_$1_content_t, httpd_$1_rw_content_t, { file dir fifo_file lnk_file sock_file })
> + allow httpd_t httpd_$1_content_t:file map;
> + allow httpd_t httpd_$1_rw_content_t:file map;
> ')
> ')
>
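Review bot: The first added line, `allow httpd_t httpd_$1_content_t:file map;`, looks redundant if httpd_$1_content_t carries the httpd_ro_content attribute (the template's type declarations are outside the hunk), because the apache.te hunk in this series changes the httpd_ro_content rule to `{ map read_file_perms }`. If the attribute is there, only the rw_content line is needed inside the tunable; if it is not, a short comment saying why the unconditional rule does not cover this type would stop the next reader from asking.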
> @@ -1005,6 +1008,7 @@ interface(`apache_manage_sys_rw_content'
> apache_search_sys_content($1)
> manage_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
> manage_files_pattern($1,httpd_sys_rw_content_t, httpd_sys_rw_content_t)
> + allow $1 httpd_sys_rw_content_t:file map;
> manage_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
> ')
>
> @@ -1132,6 +1136,25 @@ interface(`apache_append_squirrelmail_da
> ')
>
> ########################################
> +## <summary>
> +## delete httpd squirrelmail spool files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`apache_delete_squirrelmail_spool',`
> + gen_require(`
> + type squirrelmail_spool_t;
> + ')
> +
> + allow $1 squirrelmail_spool_t:dir rw_dir_perms;
> + allow $1 squirrelmail_spool_t:file delete_file_perms;

delete_files_pattern($1, squirrelmail_spool_t, squirrelmail_spool_t)

> +')
> +
> +########################################
> ## <summary>
> ## Search httpd system content.
> ## </summary>
> Index: refpolicy-2.20210120/policy/modules/services/apache.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/apache.te
> +++ refpolicy-2.20210120/policy/modules/services/apache.te
> @@ -381,6 +381,7 @@ manage_dirs_pattern(httpd_t, httpd_cache
> manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
> manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
> files_var_filetrans(httpd_t, httpd_cache_t, dir)
> +allow httpd_t httpd_cache_t:file map;
>
> allow httpd_t httpd_config_t:dir list_dir_perms;
> read_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
> @@ -389,7 +390,7 @@ read_lnk_files_pattern(httpd_t, httpd_co
> allow httpd_t httpd_htaccess_type:file read_file_perms;
>
> allow httpd_t httpd_ro_content:dir list_dir_perms;
> -allow httpd_t httpd_ro_content:file read_file_perms;
> +allow httpd_t httpd_ro_content:file { map read_file_perms };
> allow httpd_t httpd_ro_content:lnk_file read_lnk_file_perms;
>
> allow httpd_t httpd_keytab_t:file read_file_perms;
> @@ -416,6 +417,7 @@ allow httpd_t httpd_rotatelogs_t:process
> manage_dirs_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
> manage_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
> manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
> +allow httpd_t httpd_squirrelmail_t:file map;
>
> allow httpd_t httpd_suexec_exec_t:file read_file_perms;
>
> @@ -425,6 +427,7 @@ allow httpd_t httpd_sys_script_t:process
>
> manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
> manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
> +allow httpd_t httpd_tmp_t:file map;
> manage_sock_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
> manage_lnk_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
> files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir lnk_file sock_file })
> @@ -439,6 +442,7 @@ fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_
>
> manage_dirs_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
> manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
> +allow httpd_t httpd_var_lib_t:file map;
> manage_lnk_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
> files_var_lib_filetrans(httpd_t, httpd_var_lib_t, { dir file })
>
> @@ -460,6 +464,7 @@ domtrans_pattern(httpd_t, httpd_rotatelo
> domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
>
> kernel_read_kernel_sysctls(httpd_t)
> +kernel_read_crypto_sysctls(httpd_t)
> kernel_read_vm_sysctls(httpd_t)
> kernel_read_vm_overcommit_sysctl(httpd_t)
> kernel_read_network_state(httpd_t)
> @@ -484,6 +489,7 @@ dev_read_sysfs(httpd_t)
> dev_read_rand(httpd_t)
> dev_read_urand(httpd_t)
> dev_rw_crypto(httpd_t)
> +dev_rwx_zero(httpd_t)
>
> domain_use_interactive_fds(httpd_t)
>
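Review bot: `dev_rwx_zero(httpd_t)` lets the web server create executable shared mappings of /dev/zero, which in effect is an executable-memory grant for a network-facing domain, and the hunk gives no reason for it. If a scripting engine or module needs it (presumably, not visible here), a comment such as `# <component> needs executable mappings of /dev/zero` should name it, and placing the call under the existing `httpd_builtin_scripting` tunable rather than unconditionally would keep the grant to the configurations that need it.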
> @@ -492,10 +498,12 @@ fs_search_auto_mountpoints(httpd_t)
>
> fs_read_anon_inodefs_files(httpd_t)
> fs_rw_inherited_hugetlbfs_files(httpd_t)
> +fs_mmap_rw_hugetlbfs_files(httpd_t)
> fs_read_iso9660_files(httpd_t)
>
> files_dontaudit_getattr_all_runtime_files(httpd_t)
> files_read_usr_files(httpd_t)
> +files_map_usr_files(httpd_t)
> files_list_mnt(httpd_t)
> files_search_spool(httpd_t)
> files_read_var_symlinks(httpd_t)
> @@ -504,6 +512,7 @@ files_search_home(httpd_t)
> files_getattr_home_dir(httpd_t)
> files_read_etc_runtime_files(httpd_t)
> files_read_var_lib_symlinks(httpd_t)
> +files_map_etc_files(httpd_t)
>
> auth_use_nsswitch(httpd_t)
>
> @@ -573,7 +582,7 @@ tunable_policy(`httpd_builtin_scripting'
> exec_files_pattern(httpd_t, httpd_script_exec_type, httpd_script_exec_type)
>
> allow httpd_t httpdcontent:dir list_dir_perms;
> - allow httpd_t httpdcontent:file read_file_perms;
> + allow httpd_t httpdcontent:file { map read_file_perms };
> allow httpd_t httpdcontent:lnk_file read_lnk_file_perms;
>
> allow httpd_t httpd_ra_content:dir { list_dir_perms add_entry_dir_perms setattr_dir_perms };
> @@ -614,6 +623,7 @@ tunable_policy(`httpd_enable_cgi && http
>
> manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
> manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
> + allow httpd_t httpdcontent:file map;
> manage_fifo_files_pattern(httpd_t, httpdcontent, httpdcontent)
> manage_lnk_files_pattern(httpd_t, httpdcontent, httpdcontent)
> manage_sock_files_pattern(httpd_t, httpdcontent, httpdcontent)
> @@ -625,7 +635,7 @@ tunable_policy(`httpd_enable_ftp_server'
> ')
>
> tunable_policy(`httpd_enable_homedirs',`
> - userdom_search_user_home_dirs(httpd_t)
> + userdom_list_user_home_content(httpd_t)

this is not how it was designed. If you want that functionality then set
httpd_read_user_content boolean to true instead

> ')
>
> tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
> @@ -903,6 +913,7 @@ optional_policy(`
> #
>
> read_files_pattern(httpd_helper_t, httpd_config_t, httpd_config_t)
> +allow httpd_t httpd_config_t:file map;
>
> append_files_pattern(httpd_helper_t, httpd_log_t, httpd_log_t)
> read_lnk_files_pattern(httpd_helper_t, httpd_log_t, httpd_log_t)
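Review bot: The added rule names httpd_t but sits in the httpd_helper_t section of apache.te: the surrounding `read_files_pattern` and `append_files_pattern` lines all have httpd_helper_t as subject. Either the subject is wrong and the line should read `allow httpd_helper_t httpd_config_t:file map;`, or the rule belongs next to `read_files_pattern(httpd_t, httpd_config_t, httpd_config_t)` in the httpd_t section earlier in the file, where it could be folded into `mmap_read_files_pattern(httpd_t, httpd_config_t, httpd_config_t)`.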
> Index: refpolicy-2.20210120/policy/modules/services/aptcacher.fc
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/aptcacher.fc
> +++ refpolicy-2.20210120/policy/modules/services/aptcacher.fc
> @@ -2,12 +2,15 @@
>
> /usr/lib/apt-cacher-ng/acngtool -- gen_context(system_u:object_r:acngtool_exec_t,s0)
>
> -/usr/sbin/apt-cacher-ng -- gen_context(system_u:object_r:aptcacher_exec_t,s0)
> +/usr/sbin/apt-cacher.* -- gen_context(system_u:object_r:aptcacher_exec_t,s0)
>
> +/run/apt-cacher(/.*)? gen_context(system_u:object_r:aptcacher_runtime_t,s0)
> /run/apt-cacher-ng(/.*)? gen_context(system_u:object_r:aptcacher_runtime_t,s0)
>
> +/var/cache/apt-cacher(/.*)? gen_context(system_u:object_r:aptcacher_cache_t,s0)
> /var/cache/apt-cacher-ng(/.*)? gen_context(system_u:object_r:aptcacher_cache_t,s0)
>
> /var/lib/apt-cacher-ng(/.*)? gen_context(system_u:object_r:aptcacher_lib_t,s0)
>
> +/var/log/apt-cacher(/.*)? gen_context(system_u:object_r:aptcacher_log_t,s0)
> /var/log/apt-cacher-ng(/.*)? gen_context(system_u:object_r:aptcacher_log_t,s0)
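Review bot: `/usr/sbin/apt-cacher.*` is broader than the two binaries it is meant to cover and will label any future `/usr/sbin/apt-cacher*` helper as aptcacher_exec_t as well. `/usr/sbin/apt-cacher(-ng)? -- gen_context(system_u:object_r:aptcacher_exec_t,s0)` states exactly what is intended and matches the explicit `/run/apt-cacher` and `/run/apt-cacher-ng` pairs added below it.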
> Index: refpolicy-2.20210120/policy/modules/services/aptcacher.if
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/aptcacher.if
> +++ refpolicy-2.20210120/policy/modules/services/aptcacher.if
> @@ -63,3 +63,23 @@ interface(`aptcacher_stream_connect',`
> files_search_runtime($1)
> stream_connect_pattern($1, aptcacher_runtime_t, aptcacher_runtime_t, aptcacher_t)
> ')
> +
> +######################################
> +## <summary>
> +## read aptcacher config
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to read it.
> +## </summary>
> +## </param>
> +#
> +interface(`aptcacher_read_config',`
> + gen_require(`
> + type aptcacher_etc_t;
> + ')
> +
> + files_search_etc($1)
> + allow $1 aptcacher_etc_t:dir list_dir_perms;
> + allow $1 aptcacher_etc_t:file mmap_read_file_perms;
> +')
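Review bot: The new interface's documentation does not follow the style of the surrounding interfaces: the summary `read aptcacher config` should be a capitalised sentence, `Read aptcacher configuration files.`, and the parameter summary should be the standard `Domain allowed access.` used by the apache interfaces in this series. Since the rule grants `mmap_read_file_perms`, the summary could also say `Read and map aptcacher configuration files.` so a caller knows map is included.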
> Index: refpolicy-2.20210120/policy/modules/services/aptcacher.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/aptcacher.te
> +++ refpolicy-2.20210120/policy/modules/services/aptcacher.te
> @@ -75,6 +75,8 @@ corenet_tcp_connect_http_port(aptcacher_
>
> auth_use_nsswitch(aptcacher_t)
>
> +files_read_etc_files(aptcacher_t)
> +
> # Uses sd_notify() to inform systemd it has properly started
> init_dgram_send(aptcacher_t)
>
> Index: refpolicy-2.20210120/policy/modules/services/bind.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/bind.te
> +++ refpolicy-2.20210120/policy/modules/services/bind.te
> @@ -149,6 +149,7 @@ domain_use_interactive_fds(named_t)
>
> files_read_etc_runtime_files(named_t)
> files_read_usr_files(named_t)
> +files_map_usr_files(named_t)
>
> fs_getattr_all_fs(named_t)
> fs_search_auto_mountpoints(named_t)
> Index: refpolicy-2.20210120/policy/modules/services/colord.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/colord.te
> +++ refpolicy-2.20210120/policy/modules/services/colord.te
> @@ -31,6 +31,8 @@ allow colord_t self:netlink_kobject_ueve
> allow colord_t self:tcp_socket { accept listen };
> allow colord_t self:shm create_shm_perms;
>
> +can_exec(colord_t, colord_exec_t)
> +
> manage_dirs_pattern(colord_t, colord_tmp_t, colord_tmp_t)
> manage_files_pattern(colord_t, colord_tmp_t, colord_tmp_t)
> files_tmp_filetrans(colord_t, colord_tmp_t, { file dir })
> @@ -128,6 +130,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + snmp_read_snmp_var_lib_files(colord_t)
> +')
> +
> +optional_policy(`
> sysnet_exec_ifconfig(colord_t)
> ')
>
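Review bot: `snmp_read_snmp_var_lib_files(colord_t)` gives a colour-management daemon read access to SNMP's state directory with no explanation in the hunk. If it is pulled in indirectly by a library colord loads (presumably, not visible here), a one-line comment above the call naming that reason would stop the next reviewer from questioning the cross-service access and make it easy to drop if the dependency goes away.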
> @@ -136,6 +142,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + unconfined_dbus_send(colord_t)
> +')
> +
> +optional_policy(`
> xserver_read_xdm_lib_files(colord_t)
> xserver_use_xdm_fds(colord_t)
> ')
> Index: refpolicy-2.20210120/policy/modules/services/cron.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/cron.te
> +++ refpolicy-2.20210120/policy/modules/services/cron.te
> @@ -304,6 +304,8 @@ init_start_all_units(system_cronjob_t)
> init_get_generic_units_status(system_cronjob_t)
> init_get_system_status(system_cronjob_t)
>
> +backup_manage_store_files(system_cronjob_t)
> +
> auth_manage_var_auth(crond_t)
> auth_use_pam(crond_t)
>
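Review bot: `backup_manage_store_files(system_cronjob_t)` is called outside an optional_policy block, so the cron module will fail to link whenever the backup module is not loaded; every other cross-module call added to cron.te in this series (aptcacher, apache, spamassassin) is wrapped. Wrap it in an optional_policy block like the aptcacher one below. The devicekit.te hunk has the same shape with `mount_rw_runtime_files(devicekit_disk_t)`; unless mount is built into the base policy in this tree, it needs the same wrapper.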
> @@ -340,6 +342,11 @@ ifdef(`distro_debian',`
> ')
>
> optional_policy(`
> + aptcacher_read_config(system_cronjob_t)
> + corenet_tcp_connect_aptcacher_port(system_cronjob_t)
> + ')
> +
> + optional_policy(`
> logwatch_search_cache_dir(crond_t)
> ')
> ')
> @@ -435,6 +442,7 @@ optional_policy(`
> init_dbus_chat(crond_t)
> init_dbus_chat(system_cronjob_t)
> systemd_dbus_chat_logind(system_cronjob_t)
> + systemd_read_journal_files(system_cronjob_t)
> systemd_write_inherited_logind_sessions_pipes(system_cronjob_t)
> # so cron jobs can restart daemons
> init_stream_connect(system_cronjob_t)
> @@ -505,6 +513,7 @@ corenet_tcp_sendrecv_generic_if(system_c
> corenet_udp_sendrecv_generic_if(system_cronjob_t)
> corenet_tcp_sendrecv_generic_node(system_cronjob_t)
> corenet_udp_sendrecv_generic_node(system_cronjob_t)
> +corenet_udp_bind_generic_node(system_cronjob_t)
>
> dev_getattr_all_blk_files(system_cronjob_t)
> dev_getattr_all_chr_files(system_cronjob_t)
> @@ -587,6 +596,7 @@ optional_policy(`
> apache_read_log(system_cronjob_t)
> apache_read_sys_content(system_cronjob_t)
> apache_delete_lib_files(system_cronjob_t)
> + apache_delete_squirrelmail_spool(system_cronjob_t)
> ')
>
> optional_policy(`
> @@ -659,6 +669,8 @@ optional_policy(`
>
> optional_policy(`
> spamassassin_manage_lib_files(system_cronjob_t)
> + spamassassin_status(system_cronjob_t)
> + spamassassin_reload(system_cronjob_t)
> ')
>
> optional_policy(`
> Index: refpolicy-2.20210120/policy/modules/services/cups.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/cups.te
> +++ refpolicy-2.20210120/policy/modules/services/cups.te
> @@ -111,11 +111,12 @@ ifdef(`enable_mls',`
>
> allow cupsd_t self:capability { chown dac_override dac_read_search fowner fsetid ipc_lock kill setgid setuid sys_admin sys_rawio sys_resource sys_tty_config };
> dontaudit cupsd_t self:capability { net_admin sys_tty_config };
> -allow cupsd_t self:capability2 block_suspend;
> +allow cupsd_t self:capability2 { block_suspend wake_alarm };
> allow cupsd_t self:process { getpgid setpgid setsched signal_perms };
> allow cupsd_t self:fifo_file rw_fifo_file_perms;
> allow cupsd_t self:unix_stream_socket { accept connectto listen };
> allow cupsd_t self:netlink_selinux_socket create_socket_perms;
> +allow cupsd_t self:netlink_kobject_uevent_socket { bind create
> getattr read setopt };

create_socket_perms, use the permission sets and patterns where appropriate

> allow cupsd_t self:shm create_shm_perms;
> allow cupsd_t self:sem create_sem_perms;
> allow cupsd_t self:tcp_socket { accept listen };
> @@ -254,6 +255,7 @@ auth_use_nsswitch(cupsd_t)
>
> libs_read_lib_files(cupsd_t)
> libs_exec_lib_files(cupsd_t)
> +libs_legacy_use_ld_so(cupsd_t)
>
> logging_send_audit_msgs(cupsd_t)
> logging_send_syslog_msg(cupsd_t)
> Index: refpolicy-2.20210120/policy/modules/services/devicekit.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/devicekit.te
> +++ refpolicy-2.20210120/policy/modules/services/devicekit.te
> @@ -131,6 +131,8 @@ fs_mount_all_fs(devicekit_disk_t)
> fs_unmount_all_fs(devicekit_disk_t)
> fs_search_all(devicekit_disk_t)
>
> +mount_rw_runtime_files(devicekit_disk_t)
> +
> mls_file_read_all_levels(devicekit_disk_t)
> mls_file_write_to_clearance(devicekit_disk_t)
>
> Index: refpolicy-2.20210120/policy/modules/services/entropyd.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/entropyd.te
> +++ refpolicy-2.20210120/policy/modules/services/entropyd.te
> @@ -55,6 +55,7 @@ files_read_usr_files(entropyd_t)
>
> fs_getattr_all_fs(entropyd_t)
> fs_search_auto_mountpoints(entropyd_t)
> +fs_search_tmpfs(entropyd_t)
>
> domain_use_interactive_fds(entropyd_t)
>
> Index: refpolicy-2.20210120/policy/modules/services/fail2ban.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/fail2ban.te
> +++ refpolicy-2.20210120/policy/modules/services/fail2ban.te
> @@ -63,6 +63,7 @@ manage_files_pattern(fail2ban_t, fail2ba
> files_runtime_filetrans(fail2ban_t, fail2ban_runtime_t, file)
>
> kernel_read_system_state(fail2ban_t)
> +kernel_search_fs_sysctls(fail2ban_t)
>
> corecmd_exec_bin(fail2ban_t)
> corecmd_exec_shell(fail2ban_t)
> @@ -90,6 +91,7 @@ fs_getattr_all_fs(fail2ban_t)
> auth_use_nsswitch(fail2ban_t)
>
> logging_read_all_logs(fail2ban_t)
> +logging_read_audit_log(fail2ban_t)
> logging_send_syslog_msg(fail2ban_t)
>
> miscfiles_read_localization(fail2ban_t)
> Index: refpolicy-2.20210120/policy/modules/services/jabber.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/jabber.te
> +++ refpolicy-2.20210120/policy/modules/services/jabber.te
> @@ -110,8 +110,11 @@ files_read_etc_runtime_files(jabberd_t)
> # usr for lua modules
> files_read_usr_files(jabberd_t)
>
> +files_search_var_lib(jabberd_t)
> +
> fs_search_auto_mountpoints(jabberd_t)
>
> +miscfiles_read_generic_tls_privkey(jabberd_t)
> miscfiles_read_all_certs(jabberd_t)
>
> sysnet_read_config(jabberd_t)
> Index: refpolicy-2.20210120/policy/modules/services/l2tp.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/l2tp.te
> +++ refpolicy-2.20210120/policy/modules/services/l2tp.te
> @@ -35,6 +35,7 @@ allow l2tpd_t self:socket create_socket_
> allow l2tpd_t self:tcp_socket { accept listen };
> allow l2tpd_t self:unix_dgram_socket sendto;
> allow l2tpd_t self:unix_stream_socket { accept listen };
> +allow l2tpd_t self:pppox_socket create;

create_socket_perms probably eventually

>
> read_files_pattern(l2tpd_t, l2tp_conf_t, l2tp_conf_t)
>
> Index: refpolicy-2.20210120/policy/modules/services/mon.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/mon.te
> +++ refpolicy-2.20210120/policy/modules/services/mon.te
> @@ -150,6 +150,10 @@ optional_policy(`
> bind_read_zone(mon_net_test_t)
> ')
>
> +optional_policy(`
> + mysql_stream_connect(mon_net_test_t)
> +')
> +
> ########################################
> #
> # Local policy
> @@ -159,7 +163,8 @@ optional_policy(`
> # try not to use dontaudit rules for this
> #
>
> -allow mon_local_test_t self:capability sys_admin;
> +# sys_ptrace is for reading /proc/1/maps etc
> +allow mon_local_test_t self:capability { sys_ptrace sys_admin };
> allow mon_local_test_t self:fifo_file rw_fifo_file_perms;
> allow mon_local_test_t self:process getsched;
>
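Review bot: `sys_ptrace` is a broad capability for a monitoring test domain, and the comment explains the /proc/1/maps read but not whether the test fails without it. If the read is incidental to a probe that tolerates a permission error, `dontaudit mon_local_test_t self:capability sys_ptrace;` keeps the log quiet without granting the capability; if it is required, the comment stands, and as far as this hunk shows only the capability is granted, not process ptrace, which keeps the scope to /proc reads.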
> Index: refpolicy-2.20210120/policy/modules/services/mysql.fc
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/mysql.fc
> +++ refpolicy-2.20210120/policy/modules/services/mysql.fc
> @@ -20,6 +20,7 @@ HOME_DIR/\.my\.cnf -- gen_context(system
> /usr/sbin/mysqld(-max)? -- gen_context(system_u:object_r:mysqld_exec_t,s0)
> /usr/sbin/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_exec_t,s0)
> /usr/sbin/ndbd -- gen_context(system_u:object_r:mysqld_exec_t,s0)
> +/usr/sbin/mariadbd -- gen_context(system_u:object_r:mysqld_exec_t,s0)
>
> /var/lib/mysql(/.*)? gen_context(system_u:object_r:mysqld_db_t,s0)
> /var/lib/mysql/mysql.* -s gen_context(system_u:object_r:mysqld_runtime_t,s0)
> Index: refpolicy-2.20210120/policy/modules/services/mysql.if
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/mysql.if
> +++ refpolicy-2.20210120/policy/modules/services/mysql.if
> @@ -59,7 +59,7 @@ interface(`mysql_signal',`
> type mysqld_t;
> ')
>
> - allow $1 mysqld_t:process signal;
> + allow $1 mysqld_t:process { signull signal };

create a new mysql_signull()

By generalizing interfaces and taking them out of context you're shutting doors for fine-grained access control.

> ')
>
> ########################################
> Index: refpolicy-2.20210120/policy/modules/services/mysql.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/mysql.te
> +++ refpolicy-2.20210120/policy/modules/services/mysql.te
> @@ -65,7 +65,7 @@ files_runtime_file(mysqlmanagerd_runtime
> # Local policy
> #
>
> -allow mysqld_t self:capability { dac_override ipc_lock setgid setuid sys_resource };
> +allow mysqld_t self:capability { dac_override dac_read_search ipc_lock setgid setuid sys_resource };
> dontaudit mysqld_t self:capability sys_tty_config;
> allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh };
> allow mysqld_t self:fifo_file rw_fifo_file_perms;
> @@ -75,6 +75,7 @@ allow mysqld_t self:tcp_socket { accept
>
> manage_dirs_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
> manage_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
> +allow mysqld_t mysqld_db_t:file map;
> manage_lnk_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
> files_var_lib_filetrans(mysqld_t, mysqld_db_t, { dir file lnk_file })
>
> @@ -91,6 +92,7 @@ logging_log_filetrans(mysqld_t, mysqld_l
>
> manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
> manage_files_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
> +allow mysqld_t mysqld_tmp_t:file map;
> files_tmp_filetrans(mysqld_t, mysqld_tmp_t, { file dir })
>
> manage_dirs_pattern(mysqld_t, mysqld_runtime_t, mysqld_runtime_t)
> @@ -102,6 +104,7 @@ kernel_read_kernel_sysctls(mysqld_t)
> kernel_read_network_state(mysqld_t)
> kernel_read_system_state(mysqld_t)
> kernel_read_vm_sysctls(mysqld_t)
> +kernel_read_vm_overcommit_sysctl(mysqld_t)
>
> corenet_all_recvfrom_netlabel(mysqld_t)
> corenet_tcp_sendrecv_generic_if(mysqld_t)
> @@ -123,6 +126,7 @@ domain_use_interactive_fds(mysqld_t)
>
> fs_getattr_all_fs(mysqld_t)
> fs_search_auto_mountpoints(mysqld_t)
> +fs_search_tmpfs(mysqld_t)
> fs_rw_hugetlbfs_files(mysqld_t)
>
> files_read_etc_runtime_files(mysqld_t)
> @@ -132,6 +136,7 @@ auth_use_nsswitch(mysqld_t)
>
> logging_send_syslog_msg(mysqld_t)
>
> +miscfiles_read_generic_certs(mysqld_t)
> miscfiles_read_localization(mysqld_t)
>
> userdom_search_user_home_dirs(mysqld_t)
> Index: refpolicy-2.20210120/policy/modules/services/openvpn.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/openvpn.te
> +++ refpolicy-2.20210120/policy/modules/services/openvpn.te
> @@ -131,6 +131,8 @@ fs_search_auto_mountpoints(openvpn_t)
>
> auth_use_pam(openvpn_t)
>
> +init_read_state(openvpn_t)
> +
> miscfiles_read_localization(openvpn_t)
> miscfiles_read_all_certs(openvpn_t)
>
> @@ -163,6 +165,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + dpkg_script_rw_inherited_pipes(openvpn_t)
> +')
> +
> +optional_policy(`
> dbus_system_bus_client(openvpn_t)
> dbus_connect_system_bus(openvpn_t)
>
> @@ -174,3 +180,7 @@ optional_policy(`
> optional_policy(`
> systemd_use_passwd_agent(openvpn_t)
> ')
> +
> +optional_policy(`
> + unconfined_use_fds(openvpn_t)
> +')
> Index: refpolicy-2.20210120/policy/modules/services/postgrey.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/postgrey.te
> +++ refpolicy-2.20210120/policy/modules/services/postgrey.te
> @@ -47,6 +47,7 @@ manage_fifo_files_pattern(postgrey_t, po
> manage_sock_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t)
>
> manage_files_pattern(postgrey_t, postgrey_var_lib_t, postgrey_var_lib_t)
> +allow postgrey_t postgrey_var_lib_t:file map;
> files_var_lib_filetrans(postgrey_t, postgrey_var_lib_t, file)
>
> manage_dirs_pattern(postgrey_t, postgrey_runtime_t, postgrey_runtime_t)
> Index: refpolicy-2.20210120/policy/modules/services/rpc.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/rpc.te
> +++ refpolicy-2.20210120/policy/modules/services/rpc.te
> @@ -218,6 +218,7 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir
>
> kernel_read_network_state(nfsd_t)
> kernel_dontaudit_getattr_core_if(nfsd_t)
> +kernel_search_debugfs(nfsd_t)
> kernel_setsched(nfsd_t)
> kernel_request_load_module(nfsd_t)
> # kernel_mounton_proc(nfsd_t)
> Index: refpolicy-2.20210120/policy/modules/services/samba.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/samba.te
> +++ refpolicy-2.20210120/policy/modules/services/samba.te
> @@ -201,11 +201,14 @@ files_tmp_file(winbind_tmp_t)
>
> allow samba_net_t self:capability { dac_override dac_read_search sys_chroot sys_nice };
> allow samba_net_t self:capability2 block_suspend;
> -allow samba_net_t self:process { getsched setsched };
> +allow samba_net_t self:process { sigkill getsched setsched };
> allow samba_net_t self:unix_stream_socket { accept listen };
> +allow samba_net_t self:fifo_file rw_file_perms;
>
> allow samba_net_t samba_etc_t:file read_file_perms;
>
> +allow samba_net_t samba_var_run_t:file { map read_file_perms };
> +
> manage_files_pattern(samba_net_t, samba_etc_t, samba_secrets_t)
> filetrans_pattern(samba_net_t, samba_etc_t, samba_secrets_t, file)
>
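Review bot: `allow samba_net_t self:fifo_file rw_file_perms;` applies the regular-file permission set to a fifo_file; the cupsd and mysqld rules in this series and the surrounding samba policy use `rw_fifo_file_perms` for self fifo_file rules, so it should be `allow samba_net_t self:fifo_file rw_fifo_file_perms;`. The `samba_var_run_t` rule a few lines below also stands out, because the later samba.te hunks consistently use `samba_runtime_t`; unless samba_var_run_t is still a live alias, the rule should name samba_runtime_t, and `mmap_read_file_perms` says the same as `{ map read_file_perms }`.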
> @@ -215,6 +218,7 @@ files_tmp_filetrans(samba_net_t, samba_n
>
> manage_dirs_pattern(samba_net_t, samba_var_t, samba_var_t)
> manage_files_pattern(samba_net_t, samba_var_t, samba_var_t)
> +allow samba_net_t samba_var_t:file map;
> manage_lnk_files_pattern(samba_net_t, samba_var_t, samba_var_t)
> files_var_filetrans(samba_net_t, samba_var_t, dir, "samba")
>
> @@ -300,6 +304,7 @@ allow smbd_t samba_share_t:filesystem {
>
> manage_dirs_pattern(smbd_t, samba_var_t, samba_var_t)
> manage_files_pattern(smbd_t, samba_var_t, samba_var_t)
> +allow smbd_t samba_var_t:file map;
> manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t)
> manage_sock_files_pattern(smbd_t, samba_var_t, samba_var_t)
> files_var_filetrans(smbd_t, samba_var_t, dir, "samba")
> @@ -310,6 +315,7 @@ files_tmp_filetrans(smbd_t, smbd_tmp_t,
>
> manage_dirs_pattern(smbd_t, samba_runtime_t, samba_runtime_t)
> manage_files_pattern(smbd_t, samba_runtime_t, samba_runtime_t)
> +allow smbd_t samba_runtime_t:file map;
> manage_sock_files_pattern(smbd_t, samba_runtime_t, samba_runtime_t)
> files_runtime_filetrans(smbd_t, samba_runtime_t, { dir file })
>
> @@ -317,6 +323,7 @@ allow smbd_t winbind_runtime_t:sock_file
> stream_connect_pattern(smbd_t, winbind_runtime_t, winbind_runtime_t, winbind_t)
>
> stream_connect_pattern(smbd_t, samba_runtime_t, samba_runtime_t, nmbd_t)
> +allow smbd_t nmbd_t:unix_dgram_socket sendto;
>
> kernel_getattr_core_if(smbd_t)
> kernel_getattr_message_if(smbd_t)
> @@ -480,6 +487,11 @@ optional_policy(`
> ')
>
> optional_policy(`
> + dbus_send_system_bus(smbd_t)
> + dbus_system_bus_client(smbd_t)

dbus_send_system_bus(smbd_t) is redundant (already implied by dbus_system_bus_client(smbd_t)).

> +')
> +
> +optional_policy(`
> kerberos_read_keytab(smbd_t)
> kerberos_use(smbd_t)
> ')
> @@ -520,6 +532,7 @@ allow nmbd_t self:unix_stream_socket { a
>
> manage_dirs_pattern(nmbd_t, samba_runtime_t, samba_runtime_t)
> manage_files_pattern(nmbd_t, samba_runtime_t, samba_runtime_t)
> +allow nmbd_t samba_runtime_t:file map;
> manage_sock_files_pattern(nmbd_t, samba_runtime_t, samba_runtime_t)
> files_runtime_filetrans(nmbd_t, samba_runtime_t, { dir file sock_file })
>
> @@ -532,7 +545,7 @@ create_files_pattern(nmbd_t, samba_log_t
> setattr_files_pattern(nmbd_t, samba_log_t, samba_log_t)
>
> manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
> -manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
> +allow nmbd_t samba_var_t:file map;
> manage_lnk_files_pattern(nmbd_t, samba_var_t, samba_var_t)
> manage_sock_files_pattern(nmbd_t, samba_var_t, samba_var_t)
> files_var_filetrans(nmbd_t, samba_var_t, dir, "nmbd")
> @@ -613,6 +626,8 @@ allow smbcontrol_t self:process { signal
>
> allow smbcontrol_t { winbind_t nmbd_t smbd_t }:process { signal signull };
> read_files_pattern(smbcontrol_t, samba_runtime_t, samba_runtime_t)
> +allow smbcontrol_t samba_runtime_t:dir rw_dir_perms;
> +init_use_fds(smbcontrol_t)
>
> manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t)
>
> Index: refpolicy-2.20210120/policy/modules/services/smartmon.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/smartmon.te
> +++ refpolicy-2.20210120/policy/modules/services/smartmon.te
> @@ -38,7 +38,7 @@ ifdef(`enable_mls',`
> # Local policy
> #
>
> -allow fsdaemon_t self:capability { dac_override kill setgid setpcap sys_admin sys_rawio };
> +allow fsdaemon_t self:capability { dac_override kill setgid setuid setpcap sys_admin sys_rawio };
> dontaudit fsdaemon_t self:capability sys_tty_config;
> allow fsdaemon_t self:process { getcap setcap signal_perms };
> allow fsdaemon_t self:fifo_file rw_fifo_file_perms;
> Index: refpolicy-2.20210120/policy/modules/services/squid.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/squid.te
> +++ refpolicy-2.20210120/policy/modules/services/squid.te
> @@ -71,6 +71,7 @@ allow squid_t self:msg { send receive };
> allow squid_t self:unix_dgram_socket sendto;
> allow squid_t self:unix_stream_socket { accept connectto listen };
> allow squid_t self:tcp_socket { accept listen };
> +allow squid_t self:netlink_netfilter_socket
> all_netlink_netfilter_socket_perms;

probably just create_socket_perms?

>
> manage_dirs_pattern(squid_t, squid_cache_t, squid_cache_t)
> manage_files_pattern(squid_t, squid_cache_t, squid_cache_t)
> @@ -91,6 +92,7 @@ manage_files_pattern(squid_t, squid_tmp_
> files_tmp_filetrans(squid_t, squid_tmp_t, { file dir })
>
> manage_files_pattern(squid_t, squid_tmpfs_t, squid_tmpfs_t)
> +allow squid_t squid_tmpfs_t:file map;
> fs_tmpfs_filetrans(squid_t, squid_tmpfs_t, file)
>
> manage_files_pattern(squid_t, squid_runtime_t, squid_runtime_t)
> Index: refpolicy-2.20210120/policy/modules/services/ssh.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/ssh.te
> +++ refpolicy-2.20210120/policy/modules/services/ssh.te
> @@ -268,6 +268,7 @@ ifdef(`init_systemd',`
> init_dbus_chat(sshd_t)
> systemd_dbus_chat_logind(sshd_t)
> init_rw_stream_sockets(sshd_t)
> + systemd_read_logind_sessions_files(sshd_t)

This should probably be addressed on the lower authlogin level instead

> ')
>
> tunable_policy(`ssh_sysadm_login',`
> Index: refpolicy-2.20210120/policy/modules/services/tor.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/tor.te
> +++ refpolicy-2.20210120/policy/modules/services/tor.te
> @@ -74,6 +74,7 @@ files_runtime_filetrans(tor_t, tor_runti
> kernel_read_kernel_sysctls(tor_t)
> kernel_read_net_sysctls(tor_t)
> kernel_read_system_state(tor_t)
> +kernel_read_vm_overcommit_sysctl(tor_t)
>
> corenet_all_recvfrom_netlabel(tor_t)
> corenet_tcp_sendrecv_generic_if(tor_t)
> Index: refpolicy-2.20210120/policy/modules/services/watchdog.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/watchdog.te
> +++ refpolicy-2.20210120/policy/modules/services/watchdog.te
> @@ -76,6 +76,8 @@ auth_append_login_records(watchdog_t)
>
> logging_send_syslog_msg(watchdog_t)
>
> +mcs_killall(watchdog_t)
> +
> miscfiles_read_localization(watchdog_t)
>
> sysnet_dns_name_resolve(watchdog_t)
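Review bot: mcs_killall(watchdog_t) lifts the MCS constraint on signalling processes in every category, and the hunk gives no indication of which watchdog action requires it; a brief comment would help, e.g. `# repair/kill actions must be able to signal processes of any MCS category`. If the daemon only needs to reach a narrower set of domains, a targeted signal interface would be the tighter fit, but I can't tell from the hunk which it is.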
> Index: refpolicy-2.20210120/policy/modules/services/xserver.if
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/xserver.if
> +++ refpolicy-2.20210120/policy/modules/services/xserver.if
> @@ -1662,6 +1662,7 @@ interface(`xserver_rw_mesa_shader_cache'
>
> rw_dirs_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t)
> rw_files_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t)
> + allow $1 mesa_shader_cache_t:file map;
> xdg_search_cache_dirs($1)
> ')
>
>

--
gpg --locate-keys [email protected]
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift

2021-01-21 13:42:58

by Dominick Grift

Subject: Re: [PATCH] misc services patches



On 1/21/21 2:25 PM, Russell Coker wrote:
> On Thursday, 21 January 2021 1:53:44 AM AEDT Dominick Grift wrote:
>>> /usr/sbin/suexec --
> gen_context(system_u:object_r:httpd_suexec_exec_
>>> t,s0)
>>> /usr/sbin/wigwam --
> gen_context(system_u:object_r:httpd_exec_t,s0)>
>>> +/usr/sbin/php7..-fpm --
> gen_context(system_u:object_r:httpd_exec_t,s0
>>> )
>>
>> that seems fragile. would probably have used "/usr/sbin/php.*-fpm"
>
> OK, I'll change that.
>
>>> +interface(`apache_delete_squirrelmail_spool',`
>>> + gen_require(`
>>> + type squirrelmail_spool_t;
>>> + ')
>>> +
>>> + allow $1 squirrelmail_spool_t:dir rw_dir_perms;
>>> + allow $1 squirrelmail_spool_t:file delete_file_perms;
>>
>> delete_files_pattern($1, squirrelmail_spool_t, squirrelmail_spool_t)
>
> OK.
>
>>> tunable_policy(`httpd_enable_homedirs',`
>>>
>>> - userdom_search_user_home_dirs(httpd_t)
>>> + userdom_list_user_home_content(httpd_t)
>>
>> this is not how it was designed. If you want that functionality then set
>> httpd_read_user_content boolean to true instead
>
> OK, I'll delete that patch and do it a better way next time I see a case for
> it.
>
>>> allow cupsd_t self:process { getpgid setpgid setsched signal_perms };
>>> allow cupsd_t self:fifo_file rw_fifo_file_perms;
>>> allow cupsd_t self:unix_stream_socket { accept connectto listen };
>>> allow cupsd_t self:netlink_selinux_socket create_socket_perms;
>>>
>>> +allow cupsd_t self:netlink_kobject_uevent_socket { bind create
>>>
>>> getattr read setopt };
>>
>> create_socket_perms, use the permission sets and patterns where appropriate
>
> ok
>
>>> Index: refpolicy-2.20210120/policy/modules/services/l2tp.te
>>> ===================================================================
>>> --- refpolicy-2.20210120.orig/policy/modules/services/l2tp.te
>>> +++ refpolicy-2.20210120/policy/modules/services/l2tp.te
>>> @@ -35,6 +35,7 @@ allow l2tpd_t self:socket create_socket_
>>>
>>> allow l2tpd_t self:tcp_socket { accept listen };
>>> allow l2tpd_t self:unix_dgram_socket sendto;
>>> allow l2tpd_t self:unix_stream_socket { accept listen };
>>>
>>> +allow l2tpd_t self:pppox_socket create;
>>
>> create_socket_perms probably eventually
>
> Maybe, but for the moment I think it's best to leave them like that. I had it
> working fully only needing those accesses.
>
>>> @@ -59,7 +59,7 @@ interface(`mysql_signal',`
>>>
>>> type mysqld_t;
>>>
>>> ')
>>>
>>> - allow $1 mysqld_t:process signal;
>>> + allow $1 mysqld_t:process { signull signal };
>>
>> create a new mysql_signull()
>>
>> by generalizing interfaces and putting them out of context youre
>> shutting down doors for fine grained access control.
>
> OK, I'll drop that patch and add a mysql_signull() next time I see the need
> for it (probably a week or two).
>
>>> optional_policy(`
>>>
>>> + dbus_send_system_bus(smbd_t)
>>> + dbus_system_bus_client(smbd_t)
>>
>> dbus_send_system_bus(smbd_t) is redundant (already implied with
>> dbus_system_bus_client(smbd_t)
>
> ok
>
>>> Index: refpolicy-2.20210120/policy/modules/services/squid.te
>>> ===================================================================
>>> --- refpolicy-2.20210120.orig/policy/modules/services/squid.te
>>> +++ refpolicy-2.20210120/policy/modules/services/squid.te
>>> @@ -71,6 +71,7 @@ allow squid_t self:msg { send receive };
>>>
>>> allow squid_t self:unix_dgram_socket sendto;
>>> allow squid_t self:unix_stream_socket { accept connectto listen };
>>> allow squid_t self:tcp_socket { accept listen };
>>>
>>> +allow squid_t self:netlink_netfilter_socket
>>> all_netlink_netfilter_socket_perms;
>>
>> probably just create_socket_perms?
>
> OK.
>
>>> Index: refpolicy-2.20210120/policy/modules/services/ssh.te
>>> ===================================================================
>>> --- refpolicy-2.20210120.orig/policy/modules/services/ssh.te
>>> +++ refpolicy-2.20210120/policy/modules/services/ssh.te
>>> @@ -268,6 +268,7 @@ ifdef(`init_systemd',`
>>>
>>> init_dbus_chat(sshd_t)
>>> systemd_dbus_chat_logind(sshd_t)
>>> init_rw_stream_soconnectivitycheck.cbg-app.huawei.comckets(sshd_t)
>>>
>>> + systemd_read_logind_sessions_files(sshd_t)
>>
>> This should probably be addressed on the lower authlogin level instead
>
> auth_login_pgm_domain()?

I would consider adding it to auth_use_pam(). but its a good question.

>
> In another patch I have systemd_connect_machined(sshd_t) which I guess should
> go in the same one too.

Which patch was that? That does not look right, if only because the name of
the interface isn't very descriptive (there is no way to tell whether it is unix stream connect
or unix dgram sendto to machined).

So this is either about systemd's nss mymachines (in which case it
belongs in auth_use_nsswitch() or about reading systemd
/var/run/machines in which case the interface name is wrong.

>
>
> Thanks for all the suggestions. I'll send an updated version shortly.
>

2021-01-21 13:46:23

by Dominick Grift

Subject: Re: [PATCH] misc services patches



On 1/21/21 2:35 PM, Dominick Grift wrote:
>
>
> On 1/21/21 2:25 PM, Russell Coker wrote:
>> On Thursday, 21 January 2021 1:53:44 AM AEDT Dominick Grift wrote:
>>>> /usr/sbin/suexec --
>> gen_context(system_u:object_r:httpd_suexec_exec_
>>>> t,s0)
>>>> /usr/sbin/wigwam --
>> gen_context(system_u:object_r:httpd_exec_t,s0)>
>>>> +/usr/sbin/php7..-fpm --
>> gen_context(system_u:object_r:httpd_exec_t,s0
>>>> )
>>>
>>> that seems fragile. would probably have used "/usr/sbin/php.*-fpm"
>>
>> OK, I'll change that.
>>
>>>> +interface(`apache_delete_squirrelmail_spool',`
>>>> + gen_require(`
>>>> + type squirrelmail_spool_t;
>>>> + ')
>>>> +
>>>> + allow $1 squirrelmail_spool_t:dir rw_dir_perms;
>>>> + allow $1 squirrelmail_spool_t:file delete_file_perms;
>>>
>>> delete_files_pattern($1, squirrelmail_spool_t, squirrelmail_spool_t)
>>
>> OK.
>>
>>>> tunable_policy(`httpd_enable_homedirs',`
>>>>
>>>> - userdom_search_user_home_dirs(httpd_t)
>>>> + userdom_list_user_home_content(httpd_t)
>>>
>>> this is not how it was designed. If you want that functionality then set
>>> httpd_read_user_content boolean to true instead
>>
>> OK, I'll delete that patch and do it a better way next time I see a case for
>> it.
>>
>>>> allow cupsd_t self:process { getpgid setpgid setsched signal_perms };
>>>> allow cupsd_t self:fifo_file rw_fifo_file_perms;
>>>> allow cupsd_t self:unix_stream_socket { accept connectto listen };
>>>> allow cupsd_t self:netlink_selinux_socket create_socket_perms;
>>>>
>>>> +allow cupsd_t self:netlink_kobject_uevent_socket { bind create
>>>>
>>>> getattr read setopt };
>>>
>>> create_socket_perms, use the permission sets and patterns where appropriate
>>
>> ok
>>
>>>> Index: refpolicy-2.20210120/policy/modules/services/l2tp.te
>>>> ===================================================================
>>>> --- refpolicy-2.20210120.orig/policy/modules/services/l2tp.te
>>>> +++ refpolicy-2.20210120/policy/modules/services/l2tp.te
>>>> @@ -35,6 +35,7 @@ allow l2tpd_t self:socket create_socket_
>>>>
>>>> allow l2tpd_t self:tcp_socket { accept listen };
>>>> allow l2tpd_t self:unix_dgram_socket sendto;
>>>> allow l2tpd_t self:unix_stream_socket { accept listen };
>>>>
>>>> +allow l2tpd_t self:pppox_socket create;
>>>
>>> create_socket_perms probably eventually
>>
>> Maybe, but for the moment I think it's best to leave them like that. I had it
>> working fully only needing those accesses.
>>
>>>> @@ -59,7 +59,7 @@ interface(`mysql_signal',`
>>>>
>>>> type mysqld_t;
>>>>
>>>> ')
>>>>
>>>> - allow $1 mysqld_t:process signal;
>>>> + allow $1 mysqld_t:process { signull signal };
>>>
>>> create a new mysql_signull()
>>>
>>> by generalizing interfaces and putting them out of context youre
>>> shutting down doors for fine grained access control.
>>
>> OK, I'll drop that patch and add a mysql_signull() next time I see the need
>> for it (probably a week or two).
>>
>>>> optional_policy(`
>>>>
>>>> + dbus_send_system_bus(smbd_t)
>>>> + dbus_system_bus_client(smbd_t)
>>>
>>> dbus_send_system_bus(smbd_t) is redundant (already implied with
>>> dbus_system_bus_client(smbd_t)
>>
>> ok
>>
>>>> Index: refpolicy-2.20210120/policy/modules/services/squid.te
>>>> ===================================================================
>>>> --- refpolicy-2.20210120.orig/policy/modules/services/squid.te
>>>> +++ refpolicy-2.20210120/policy/modules/services/squid.te
>>>> @@ -71,6 +71,7 @@ allow squid_t self:msg { send receive };
>>>>
>>>> allow squid_t self:unix_dgram_socket sendto;
>>>> allow squid_t self:unix_stream_socket { accept connectto listen };
>>>> allow squid_t self:tcp_socket { accept listen };
>>>>
>>>> +allow squid_t self:netlink_netfilter_socket
>>>> all_netlink_netfilter_socket_perms;
>>>
>>> probably just create_socket_perms?
>>
>> OK.
>>
>>>> Index: refpolicy-2.20210120/policy/modules/services/ssh.te
>>>> ===================================================================
>>>> --- refpolicy-2.20210120.orig/policy/modules/services/ssh.te
>>>> +++ refpolicy-2.20210120/policy/modules/services/ssh.te
>>>> @@ -268,6 +268,7 @@ ifdef(`init_systemd',`
>>>>
>>>> init_dbus_chat(sshd_t)
>>>> systemd_dbus_chat_logind(sshd_t)
>>>> init_rw_stream_soconnectivitycheck.cbg-app.huawei.comckets(sshd_t)
>>>>
>>>> + systemd_read_logind_sessions_files(sshd_t)
>>>
>>> This should probably be addressed on the lower authlogin level instead
>>
>> auth_login_pgm_domain()?
>
> I would consider adding it to auth_use_pam(). but its a good question.
>
>>
>> In another patch I have systemd_connect_machined(sshd_t) which I guess should
>> go in the same one too.
>
> Which patch was that? That does not look right if only that the name of
> the interface isnt very descriptive (there is no way unix stream connect
> or unix dgram sendto machined.
>
> So this is either about systemd's nss mymachines (in which case it
> belongs in auth_use_nsswitch() or about reading systemd
> /var/run/machines in which case the interface name is wrong.

I meant /var/run/systemd/machines


>
>>
>>
>> Thanks for all the suggestions. I'll send an updated version shortly.
>>

2021-01-21 15:24:38

by Russell Coker

Subject: Re: [PATCH] misc services patches

On Thursday, 21 January 2021 1:53:44 AM AEDT Dominick Grift wrote:
> > /usr/sbin/suexec --
gen_context(system_u:object_r:httpd_suexec_exec_
> > t,s0)
> > /usr/sbin/wigwam --
gen_context(system_u:object_r:httpd_exec_t,s0)>
> > +/usr/sbin/php7..-fpm --
gen_context(system_u:object_r:httpd_exec_t,s0
> > )
>
> that seems fragile. would probably have used "/usr/sbin/php.*-fpm"

OK, I'll change that.

> > +interface(`apache_delete_squirrelmail_spool',`
> > + gen_require(`
> > + type squirrelmail_spool_t;
> > + ')
> > +
> > + allow $1 squirrelmail_spool_t:dir rw_dir_perms;
> > + allow $1 squirrelmail_spool_t:file delete_file_perms;
>
> delete_files_pattern($1, squirrelmail_spool_t, squirrelmail_spool_t)

OK.

> > tunable_policy(`httpd_enable_homedirs',`
> >
> > - userdom_search_user_home_dirs(httpd_t)
> > + userdom_list_user_home_content(httpd_t)
>
> this is not how it was designed. If you want that functionality then set
> httpd_read_user_content boolean to true instead

OK, I'll delete that patch and do it a better way next time I see a case for
it.

> > allow cupsd_t self:process { getpgid setpgid setsched signal_perms };
> > allow cupsd_t self:fifo_file rw_fifo_file_perms;
> > allow cupsd_t self:unix_stream_socket { accept connectto listen };
> > allow cupsd_t self:netlink_selinux_socket create_socket_perms;
> >
> > +allow cupsd_t self:netlink_kobject_uevent_socket { bind create
> >
> > getattr read setopt };
>
> create_socket_perms, use the permission sets and patterns where appropriate

ok

> > Index: refpolicy-2.20210120/policy/modules/services/l2tp.te
> > ===================================================================
> > --- refpolicy-2.20210120.orig/policy/modules/services/l2tp.te
> > +++ refpolicy-2.20210120/policy/modules/services/l2tp.te
> > @@ -35,6 +35,7 @@ allow l2tpd_t self:socket create_socket_
> >
> > allow l2tpd_t self:tcp_socket { accept listen };
> > allow l2tpd_t self:unix_dgram_socket sendto;
> > allow l2tpd_t self:unix_stream_socket { accept listen };
> >
> > +allow l2tpd_t self:pppox_socket create;
>
> create_socket_perms probably eventually

Maybe, but for the moment I think it's best to leave them like that. I had it
working fully only needing those accesses.

> > @@ -59,7 +59,7 @@ interface(`mysql_signal',`
> >
> > type mysqld_t;
> >
> > ')
> >
> > - allow $1 mysqld_t:process signal;
> > + allow $1 mysqld_t:process { signull signal };
>
> create a new mysql_signull()
>
> by generalizing interfaces and putting them out of context youre
> shutting down doors for fine grained access control.

OK, I'll drop that patch and add a mysql_signull() next time I see the need
for it (probably a week or two).

> > optional_policy(`
> >
> > + dbus_send_system_bus(smbd_t)
> > + dbus_system_bus_client(smbd_t)
>
> dbus_send_system_bus(smbd_t) is redundant (already implied with
> dbus_system_bus_client(smbd_t)

ok

> > Index: refpolicy-2.20210120/policy/modules/services/squid.te
> > ===================================================================
> > --- refpolicy-2.20210120.orig/policy/modules/services/squid.te
> > +++ refpolicy-2.20210120/policy/modules/services/squid.te
> > @@ -71,6 +71,7 @@ allow squid_t self:msg { send receive };
> >
> > allow squid_t self:unix_dgram_socket sendto;
> > allow squid_t self:unix_stream_socket { accept connectto listen };
> > allow squid_t self:tcp_socket { accept listen };
> >
> > +allow squid_t self:netlink_netfilter_socket
> > all_netlink_netfilter_socket_perms;
>
> probably just create_socket_perms?

OK.

> > Index: refpolicy-2.20210120/policy/modules/services/ssh.te
> > ===================================================================
> > --- refpolicy-2.20210120.orig/policy/modules/services/ssh.te
> > +++ refpolicy-2.20210120/policy/modules/services/ssh.te
> > @@ -268,6 +268,7 @@ ifdef(`init_systemd',`
> >
> > init_dbus_chat(sshd_t)
> > systemd_dbus_chat_logind(sshd_t)
> > init_rw_stream_sockets(sshd_t)
> >
> > + systemd_read_logind_sessions_files(sshd_t)
>
> This should probably be addressed on the lower authlogin level instead

auth_login_pgm_domain()?

In another patch I have systemd_connect_machined(sshd_t) which I guess should
go in the same one too.


Thanks for all the suggestions. I'll send an updated version shortly.

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/



2021-01-22 02:40:54

by Russell Coker

Subject: Re: [PATCH] misc services patches

On Friday, 22 January 2021 12:35:42 AM AEDT Dominick Grift wrote:
> >>> +++ refpolicy-2.20210120/policy/modules/services/ssh.te
> >>> @@ -268,6 +268,7 @@ ifdef(`init_systemd',`
> >>>
> >>> init_dbus_chat(sshd_t)
> >>> systemd_dbus_chat_logind(sshd_t)
> >>> init_rw_stream_soconnectivitycheck.cbg-app.huawei.comckets(sshd_t)
> >>>
> >>> + systemd_read_logind_sessions_files(sshd_t)
> >>
> >> This should probably be addressed on the lower authlogin level instead
> >
> > auth_login_pgm_domain()?
>
> I would consider adding it to auth_use_pam(). but its a good question.
>
> > In another patch I have systemd_connect_machined(sshd_t) which I guess
> > should go in the same one too.
>
> Which patch was that?

A patch I haven't sent to the list yet.

> That does not look right if only that the name of
> the interface isnt very descriptive (there is no way unix stream connect
> or unix dgram sendto machined.
>
> So this is either about systemd's nss mymachines (in which case it
> belongs in auth_use_nsswitch() or about reading systemd
> /var/run/machines in which case the interface name is wrong.

I don't have the libnss-systemd or libnss-mymachines packages installed on the
machines that are giving this, /etc/nsswitch.conf hasn't been changed since
2018.

When I comment out the pam_systemd.so line from /etc/pam.d/common-session that
access isn't required. So it's a PAM thing.

+interface(`systemd_connect_machined',`
+ gen_require(`
+ type systemd_machined_t;
+ ')
+
+ allow $1 systemd_machined_t:unix_stream_socket connectto;
+')

Should I put this access in systemd_stream_connect_userdb()? The socket file
is /run/systemd/userdb/io.systemd.Machine and is labelled as
systemd_userdb_runtime_t.

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/



2021-01-22 07:03:24

by Dominick Grift

Subject: Re: [PATCH] misc services patches



On 1/22/21 3:24 AM, Russell Coker wrote:
> On Friday, 22 January 2021 12:35:42 AM AEDT Dominick Grift wrote:
>>>>> +++ refpolicy-2.20210120/policy/modules/services/ssh.te
>>>>> @@ -268,6 +268,7 @@ ifdef(`init_systemd',`
>>>>>
>>>>> init_dbus_chat(sshd_t)
>>>>> systemd_dbus_chat_logind(sshd_t)
>>>>> init_rw_stream_soconnectivitycheck.cbg-app.huawei.comckets(sshd_t)
>>>>>
>>>>> + systemd_read_logind_sessions_files(sshd_t)
>>>>
>>>> This should probably be addressed on the lower authlogin level instead
>>>
>>> auth_login_pgm_domain()?
>>
>> I would consider adding it to auth_use_pam(). but its a good question.
>>
>>> In another patch I have systemd_connect_machined(sshd_t) which I guess
>>> should go in the same one too.
>>
>> Which patch was that?
>
> A patch I haven't sent to the list yet.
>
>> That does not look right if only that the name of
>> the interface isnt very descriptive (there is no way unix stream connect
>> or unix dgram sendto machined.
>>
>> So this is either about systemd's nss mymachines (in which case it
>> belongs in auth_use_nsswitch() or about reading systemd
>> /var/run/machines in which case the interface name is wrong.
>
> I don't have the libnss-systemd or libnss-mymachines packages installed on the
> machines that are giving this, /etc/nsswitch.conf hasn't been changed since
> 2018.
>
> When I comment out the pam_systemd.so line from /etc/pam.d/common-session that
> access isn't required. So it's a PAM thing.
>
> +interface(`systemd_connect_machined',`
> + gen_require(`
> + type systemd_machined_t;
> + ')
> +
> + allow $1 systemd_machined_t:unix_stream_socket connectto;
> +')
>
> Should I put this access in systemd_stream_connect_userdb()? The socket file
> is /run/systemd/userdb/io.systemd.Machine and is labelled as
> systemd_userdb_runtime_t.
>

I forgot about this functionality. From systemd-machined.service:

For each container registered with systemd-machined.service that
employs user namespacing, users/groups are synthesized for the
used UIDs/GIDs. These are made available to the system using the
User/Group Record Lookup API via Varlink[4], and thus may be
resolved with userdbctl(1) or the usual glibc NSS calls.

So this is "nss password/group" similar to DynamicUser.io I guess

What i did in my personal policy is create a
machined_unix_stream_connect_userdb (roughly):

https://git.defensec.nl/?p=dssp3.git;a=blob;f=policy/systemd/systemd_machine.cil;h=9ea214e7d124e2be4254e57c7bf78e09914db7bf;hb=HEAD#l72

and then call that in auth_use_nsswitch() optionally (because if you
dont have machined then you dont need this)